SlimCleaner Plus - removed with Malwarebytes - files are now gone


  • This topic is locked
2 replies to this topic

#1 Christie23

Posted 08 March 2017 - 08:30 AM

Employee couldn't connect to email (Microsoft 365). I discovered SlimCleaner Plus on my employee's computer, stopped everything and ran Malwarebytes. MB recognized 250 threats posed by SlimCleaner Plus, so I removed them. All was well. Email was working. This morning, he called me in a panic because it appears all of his files are either gone or have been hidden by the program. I'd like to make sure all the drives are clean and try to restore his files as soon as possible as this is his operational unit.

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 05-03-2017
Ran by jody (administrator) on LAPTOP-7OJLLMHS (08-03-2017 08:16:26)
Running from C:\Users\TEMP\Downloads
Loaded Profiles: jody (Available Profiles: jody) <==== ATTENTION (Temporary Profile?)
Platform: Windows 10 Home Version 1607 (X64) Language: English (United States)
Internet Explorer Version 11 (Default browser: Edge)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/
==================== Processes (Whitelisted) =================
(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)
(Intel Corporation) C:\Windows\System32\igfxCUIService.exe
(AVAST Software) C:\Program Files\AVAST Software\Avast\AvastSvc.exe
(Conexant Systems Inc.) C:\Windows\System32\CxAudMsg64.exe
() C:\Program Files\CyberLink\Shared files\RichVideo64.exe
(Microsoft Corporation) C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe
(Toshiba Corporation) C:\Program Files\TOSHIBA\Teco\TecoService.exe
(Broadcom Corporation.) C:\Windows\System32\BtwRSupportService.exe
(TOSHIBA) C:\Program Files (x86)\TOSHIBA\TOSHIBA System Driver\RMService.exe
(Synaptics Incorporated) C:\Program Files\Synaptics\SynTP\SynTPEnhService.exe
(Microsoft Corporation) C:\Program Files\Windows Defender\MsMpEng.exe
(Malwarebytes) C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe
(Microsoft Corporation) C:\Program Files\Windows Defender\NisSrv.exe
(Synaptics Incorporated) C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
(Microsoft Corporation) C:\Windows\Microsoft.NET\Framework64\v3.0\WPF\PresentationFontCache.exe
(Synaptics Incorporated) C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
(Intel Corporation) C:\Windows\System32\igfxEM.exe
(Intel Corporation) C:\Windows\System32\igfxHK.exe
() C:\Windows\System32\igfxTray.exe
(Microsoft Corporation) C:\Windows\System32\rundll32.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe
() C:\Program Files (x86)\Dropbox\DropboxOEM\DropboxOEM.exe
(WildTangent) C:\Program Files (x86)\WildTangent Games\App\GamesAppIntegrationService.exe
() C:\Program Files (x86)\DTS, Inc\DTS Studio Sound\dts_apo_service.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\DAL\jhi_service.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\LMS\LMS.exe
(TOSHIBA Corporation) C:\Program Files\TOSHIBA\TOSHIBA Service Station\ToshibaServiceStation.exe
(TOSHIBA Corporation) C:\Program Files\TOSHIBA\Teco\TecoResident.exe
(TOSHIBA Corporation) C:\Program Files\TOSHIBA\System Setting\TCrdMain_Win8.exe
(Conexant Systems, Inc.) C:\Program Files\CONEXANT\cAudioFilterAgent\CAudioFilterAgent64.exe
(Microsoft Corporation) C:\Program Files\Windows Defender\MSASCuiL.exe
(Malwarebytes) C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe
(Nico Mak Computing) C:\Program Files\WinZip\FAH\FAHWindow64.exe
(WinZip Computing, S.L.) C:\Program Files\WinZip\WzPreloader.exe
(Hewlett-Packard) C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe
(AVAST Software) C:\Program Files\AVAST Software\Avast\avastui.exe
(TOSHIBA Corporation) C:\Program Files\TOSHIBA\TOSHIBA Service Station\TMachInfo.exe
(Microsoft Corporation) C:\Program Files\Windows Defender\MpCmdRun.exe
(Microsoft Corporation) C:\Windows\System32\InstallAgent.exe
(Microsoft Corporation) C:\Windows\System32\InstallAgentUserBroker.exe
(Microsoft Corporation) C:\Windows\System32\DataExchangeHost.exe
(Microsoft Corporation) C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Security Assist\isa.exe
(Microsoft Corporation) C:\Windows\ImmersiveControlPanel\SystemSettings.exe
(Microsoft Corporation) C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
(Microsoft Corporation) C:\Windows\System32\browser_broker.exe
(Microsoft Corporation) C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
(Microsoft Corporation) C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
(Microsoft Corporation) C:\Windows\System32\smartscreen.exe
==================== Registry (Whitelisted) ====================
(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)
HKLM\...\Run: [TecoResident] => C:\Program Files\TOSHIBA\Teco\TecoResident.exe [180016 2015-06-08] (TOSHIBA Corporation)
HKLM\...\Run: [TCrdMain] => C:\Program Files\Toshiba\System Setting\TCrdMain_Win8.exe [559920 2015-10-09] (TOSHIBA Corporation)
HKLM\...\Run: [cAudioFilterAgent] => C:\Program Files\Conexant\cAudioFilterAgent\cAudioFilterAgent64.exe [601944 2015-08-14] (Conexant Systems, Inc.)
HKLM\...\Run: [SmartAudio] => C:\Program Files\CONEXANT\SAII\SACpl.exe [1830616 2014-04-10] (Conexant Systems, Inc.)
HKLM\...\Run: [SynTPEnh] => C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [3946184 2015-12-30] (Synaptics Incorporated)
HKLM\...\Run: [Logitech Download Assistant] => C:\Windows\system32\rundll32.exe C:\Windows\System32\LogiLDA.dll,LogiFetch
HKLM\...\Run: [WindowsDefender] => C:\Program Files\Windows Defender\MSASCuiL.exe [631808 2016-09-06] (Microsoft Corporation)
HKLM\...\Run: [Malwarebytes TrayApp] => C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\mbamtray.exe [2780112 2017-01-20] (Malwarebytes)
HKLM-x32\...\Run: [TSVU] => c:\Program Files\TOSHIBA\TOSHIBA Smart View Utility\TosSmartViewLauncher.exe [516976 2015-06-09] (TOSHIBA)
HKLM-x32\...\Run: [HP Software Update] => C:\Program Files (x86)\Hp\HP Software Update\HPWuSchd2.exe [96056 2013-05-30] (Hewlett-Packard)
HKLM-x32\...\Run: [] => [X]
HKLM-x32\...\Run: [AvastUI.exe] => C:\Program Files\AVAST Software\Avast\AvLaunch.exe [205512 2017-02-10] (AVAST Software)
HKU\S-1-5-21-515636600-1590532309-3003330030-1001\...\Run: [OneDrive] => C:\Users\TEMP\AppData\Local\Microsoft\OneDrive\OneDrive.exe [1518304 2017-03-07] (Microsoft Corporation) <===== ATTENTION
ShellIconOverlayIdentifiers: [00asw] -> {472083B0-C522-11CF-8763-00608CC02F24} => C:\Program Files\AVAST Software\Avast\ashShA64.dll [2017-02-10] (AVAST Software)
ShellIconOverlayIdentifiers: [00avast] -> {472083B0-C522-11CF-8763-00608CC02F24} => C:\Program Files\AVAST Software\Avast\ashShA64.dll [2017-02-10] (AVAST Software)
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\FAH.lnk [2015-10-28]
ShortcutTarget: FAH.lnk -> C:\Program Files\WinZip\FAH\FAHConsole.exe (Nico Mak Computing)
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Install LastPass IE RunOnce.lnk [2016-08-13]
ShortcutTarget: Install LastPass IE RunOnce.lnk -> C:\Program Files (x86)\Common Files\wruninstall.exe (Webroot Software, Inc.)
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\WinZip Preloader.lnk [2015-10-28]
ShortcutTarget: WinZip Preloader.lnk -> C:\Program Files\WinZip\WzPreloader.exe (WinZip Computing, S.L.)
CHR HKLM\SOFTWARE\Policies\Google: Restriction <======= ATTENTION
==================== Internet (Whitelisted) ====================
(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)
Tcpip\Parameters: [DhcpNameServer] 192.168.1.1
Tcpip\..\Interfaces\{177b9e74-b067-484c-a20d-fbce89f10d44}: [DhcpNameServer] 40.42.1.201 40.42.1.203
Tcpip\..\Interfaces\{d3a7d7e9-1409-42d2-a265-df614a7cf75d}: [DhcpNameServer] 192.168.1.1
Internet Explorer:
==================
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Start Page = hxxps://www.google.com/?bcutc=sp-006
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Search Page = hxxps://www.google.com/search?bcutc=sp-006&q={searchTerms}
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Page_URL =
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Search_URL =
HKU\S-1-5-21-515636600-1590532309-3003330030-1001\Software\Microsoft\Internet Explorer\Main,Search Page = hxxps://www.google.com/search?bcutc=sp-006&q={searchTerms}
HKU\S-1-5-21-515636600-1590532309-3003330030-1001\Software\Microsoft\Internet Explorer\Main,Start Page = hxxps://www.google.com/?bcutc=sp-006
HKU\S-1-5-21-515636600-1590532309-3003330030-1001\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = hxxp://www.msn.com/?ocid=iehp
SearchScopes: HKLM-x32 -> DefaultScope {E9410C70-B6AE-41FF-AB71-32F4B279EA5F} URL = hxxps://www.google.com/search?bcutc=sp-006&q={searchTerms}
SearchScopes: HKLM-x32 -> {E9410C70-B6AE-41FF-AB71-32F4B279EA5F} URL = hxxps://www.google.com/search?bcutc=sp-006&q={searchTerms}
SearchScopes: HKU\S-1-5-21-515636600-1590532309-3003330030-1001 -> DefaultScope {E9410C70-B6AE-41FF-AB71-32F4B279EA5F} URL = hxxps://www.google.com/search?bcutc=sp-006&q={searchTerms}
SearchScopes: HKU\S-1-5-21-515636600-1590532309-3003330030-1001 -> {4CA18997-C777-4506-A060-174E0FC62096} URL =
SearchScopes: HKU\S-1-5-21-515636600-1590532309-3003330030-1001 -> {E9410C70-B6AE-41FF-AB71-32F4B279EA5F} URL = hxxps://www.google.com/search?bcutc=sp-006&q={searchTerms}
BHO: Lync Browser Helper -> {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} -> C:\Program Files (x86)\Microsoft Office\root\VFS\ProgramFilesX64\Microsoft Office\Office16\OCHelper.dll [2016-12-28] (Microsoft Corporation)
BHO: No Name -> {c8d5d964-2be8-4c5b-8cf5-6e975aa88504} -> No File
BHO: Microsoft OneDrive for Business Browser Helper -> {D0498E0A-45B7-42AE-A9AA-ABA463DBD3BF} -> C:\Program Files (x86)\Microsoft Office\root\VFS\ProgramFilesX64\Microsoft Office\Office16\GROOVEEX.DLL [2016-12-28] (Microsoft Corporation)
BHO-x32: No Name -> {c8d5d964-2be8-4c5b-8cf5-6e975aa88504} -> No File
Handler-x32: mso-minsb-roaming.16 - {83C25742-A9F7-49FB-9138-434302C88D07} - C:\Program Files (x86)\Microsoft Office\root\Office16\MSOSB.DLL [2016-12-28] (Microsoft Corporation)
Handler-x32: mso-minsb.16 - {42089D2D-912D-4018-9087-2B87803E93FB} - C:\Program Files (x86)\Microsoft Office\root\Office16\MSOSB.DLL [2016-12-28] (Microsoft Corporation)
Handler-x32: osf-roaming.16 - {42089D2D-912D-4018-9087-2B87803E93FB} - C:\Program Files (x86)\Microsoft Office\root\Office16\MSOSB.DLL [2016-12-28] (Microsoft Corporation)
Handler-x32: osf.16 - {5504BE45-A83B-4808-900A-3A5C36E7F77A} - C:\Program Files (x86)\Microsoft Office\root\Office16\MSOSB.DLL [2016-12-28] (Microsoft Corporation)
FireFox:
========
FF HKLM\...\Firefox\Extensions: [sp@avast.com] - C:\Program Files\AVAST Software\Avast\SafePrice\FF
FF Extension: (Avast SafePrice) - C:\Program Files\AVAST Software\Avast\SafePrice\FF [2016-12-29]
FF HKLM\...\Firefox\Extensions: [wrc@avast.com] - C:\Program Files\AVAST Software\Avast\WebRep\FF
FF Extension: (Avast Online Security) - C:\Program Files\AVAST Software\Avast\WebRep\FF [2016-12-29]
FF HKLM-x32\...\Firefox\Extensions: [sp@avast.com] - C:\Program Files\AVAST Software\Avast\SafePrice\FF
FF HKLM-x32\...\Firefox\Extensions: [wrc@avast.com] - C:\Program Files\AVAST Software\Avast\WebRep\FF
FF Plugin-x32: @intel-webapi.intel.com/Intel WebAPI ipt;version=4.0.68 -> C:\Program Files (x86)\Intel\Intel® Management Engine Components\IPT\npIntelWebAPIIPT.dll [2015-04-21] (Intel Corporation)
FF Plugin-x32: @intel-webapi.intel.com/Intel WebAPI updater -> C:\Program Files (x86)\Intel\Intel® Management Engine Components\IPT\npIntelWebAPIUpdater.dll [2015-04-21] (Intel Corporation)
FF Plugin-x32: @microsoft.com/SharePoint,version=14.0 -> C:\Program Files (x86)\Microsoft Office\root\Office16\NPSPWRAP.DLL [2016-12-28] (Microsoft Corporation)
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.32.7\npGoogleUpdate3.dll [2016-12-22] (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.32.7\npGoogleUpdate3.dll [2016-12-22] (Google Inc.)
FF Plugin-x32: @WildTangent.com/GamesAppPresenceDetector,Version=1.0 -> C:\Program Files (x86)\WildTangent Games\App\BrowserIntegration\Registered\0\NP_wtapp.dll [2014-11-14] ()
Chrome:
=======
CHR HKLM-x32\...\Chrome\Extension: [ngkhgikojglcgnckopipfdajaifmmnnc] - hxxp://clients2.google.com/service/update2/crx
==================== Services (Whitelisted) ====================
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
S3 aswbIDSAgent; C:\Program Files\AVAST Software\Avast\x64\aswidsagenta.exe [7142136 2017-02-15] (AVAST Software s.r.o.)
R2 avast! Antivirus; C:\Program Files\AVAST Software\Avast\AvastSvc.exe [262736 2017-02-10] (AVAST Software)
R2 BcmBtRSupport; C:\WINDOWS\system32\BtwRSupportService.exe [2278152 2015-10-28] (Broadcom Corporation.)
R2 ClickToRunSvc; C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe [3699904 2016-12-28] (Microsoft Corporation)
R3 dts_apo_service; C:\Program Files (x86)\DTS, Inc\DTS Studio Sound\dts_apo_service.exe [19960 2015-05-27] ()
R2 GamesAppIntegrationService; C:\Program Files (x86)\WildTangent Games\App\GamesAppIntegrationService.exe [373824 2015-05-12] (WildTangent)
R2 igfxCUIService2.0.0.0; C:\WINDOWS\system32\igfxCUIService.exe [373752 2016-12-02] (Intel Corporation)
S3 Intel® Capability Licensing Service TCP IP Interface; C:\Program Files\Intel\iCLS Client\SocketHeciServer.exe [881152 2015-05-22] (Intel® Corporation)
R3 Intel® Security Assist; C:\Program Files (x86)\Intel\Intel® Security Assist\isa.exe [335872 2015-05-19] (Intel Corporation) [File not signed]
S2 isaHelperSvc; C:\Program Files (x86)\Intel\Intel® Security Assist\isaHelperService.exe [7680 2015-05-19] () [File not signed]
R2 jhi_service; C:\Program Files (x86)\Intel\Intel® Management Engine Components\DAL\jhi_service.exe [207648 2015-08-14] (Intel Corporation)
R2 MBAMService; C:\Program Files\Malwarebytes\Anti-Malware\mbamservice.exe [4355024 2017-01-20] (Malwarebytes)
R2 RichVideo64; C:\Program Files\CyberLink\Shared files\RichVideo64.exe [389896 2014-04-14] ()
R2 SynTPEnhService; C:\Program Files\Synaptics\SynTP\SynTPEnhService.exe [246472 2015-12-30] (Synaptics Incorporated)
R2 TOSRMService; C:\Program Files (x86)\TOSHIBA\TOSHIBA System Driver\RMService.exe [326960 2015-06-24] (TOSHIBA)
R3 WdNisSvc; C:\Program Files\Windows Defender\NisSrv.exe [347328 2016-07-16] (Microsoft Corporation)
R2 WinDefend; C:\Program Files\Windows Defender\MsMpEng.exe [103720 2016-07-16] (Microsoft Corporation)
===================== Drivers (Whitelisted) ======================
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
S3 aswbidsdriver; C:\WINDOWS\system32\drivers\aswbidsdrivera.sys [309784 2017-02-10] (AVAST Software s.r.o.)
S3 aswbidsh; C:\WINDOWS\system32\drivers\aswbidsha.sys [189768 2017-02-10] (AVAST Software s.r.o.)
S3 aswblog; C:\WINDOWS\system32\drivers\aswbloga.sys [334600 2017-02-10] (AVAST Software s.r.o.)
S3 aswbuniv; C:\WINDOWS\system32\drivers\aswbuniva.sys [48528 2017-02-10] (AVAST Software s.r.o.)
S3 aswHwid; C:\WINDOWS\system32\drivers\aswHwid.sys [38296 2017-02-10] (AVAST Software)
S3 aswKbd; C:\WINDOWS\system32\drivers\aswKbd.sys [32088 2017-02-10] (AVAST Software)
R2 aswMonFlt; C:\WINDOWS\system32\drivers\aswMonFlt.sys [126088 2017-02-10] (AVAST Software)
S3 aswRdr; C:\WINDOWS\system32\drivers\aswRdr2.sys [100640 2017-02-10] (AVAST Software)
R0 aswRvrt; C:\WINDOWS\system32\drivers\aswRvrt.sys [74680 2017-02-10] (AVAST Software)
S3 aswSnx; C:\WINDOWS\system32\drivers\aswSnx.sys [991496 2017-02-10] (AVAST Software)
R1 aswSP; C:\WINDOWS\system32\drivers\aswSP.sys [547904 2017-02-10] (AVAST Software)
S3 aswStm; C:\WINDOWS\system32\drivers\aswStm.sys [162528 2017-02-10] (AVAST Software)
R3 aswVmm; C:\WINDOWS\system32\drivers\aswVmm.sys [337080 2017-02-10] (AVAST Software)
R3 bcbtums; C:\WINDOWS\system32\drivers\bcbtums.sys [199472 2015-10-28] (Broadcom Corporation.)
R3 BCM43XX; C:\WINDOWS\system32\DRIVERS\bcmwl63a.sys [7585280 2016-07-16] (Broadcom Corporation)
R1 ESProtectionDriver; C:\WINDOWS\system32\drivers\mbae64.sys [77408 2017-02-24] ()
R2 MBAMChameleon; C:\WINDOWS\system32\drivers\MBAMChameleon.sys [186304 2017-03-07] (Malwarebytes)
R3 MBAMFarflt; C:\WINDOWS\system32\drivers\farflt.sys [111544 2017-03-07] (Malwarebytes)
R3 MBAMProtection; C:\WINDOWS\system32\drivers\mbam.sys [43968 2017-03-07] (Malwarebytes)
R0 MBAMSwissArmy; C:\WINDOWS\System32\drivers\MBAMSwissArmy.sys [251840 2017-03-07] (Malwarebytes)
R3 MBAMWebProtection; C:\WINDOWS\system32\drivers\mwac.sys [92088 2017-03-07] (Malwarebytes)
S3 NetAdapterCx; C:\WINDOWS\System32\drivers\NetAdapterCx.sys [90624 2016-07-16] ()
R3 RSP2STOR; C:\WINDOWS\system32\DRIVERS\RtsP2Stor.sys [301784 2015-06-01] (Realtek Semiconductor Corp.)
R3 rt640x64; C:\WINDOWS\System32\drivers\rt640x64.sys [895256 2016-01-29] (Realtek                                            )
R2 SADP_NPF; C:\Windows\SysWOW64\drivers\sadp_npf64.sys [35344 2012-07-02] (CACE Technologies, Inc.)
R3 SmbDrvI; C:\WINDOWS\system32\DRIVERS\Smb_driver_Intel.sys [42696 2015-12-30] (Synaptics Incorporated)
S3 SWDUMon; C:\WINDOWS\system32\DRIVERS\SWDUMon.sys [13920 2017-03-07] ()
R3 Thotkey; C:\WINDOWS\System32\drivers\Thotkey.sys [45720 2015-06-13] (Toshiba Corporation)
S0 WdBoot; C:\WINDOWS\System32\drivers\WdBoot.sys [44056 2016-07-16] (Microsoft Corporation)
R0 WdFilter; C:\WINDOWS\System32\drivers\WdFilter.sys [290144 2016-07-16] (Microsoft Corporation)
R3 WdNisDrv; C:\WINDOWS\System32\Drivers\WdNisDrv.sys [123232 2016-07-16] (Microsoft Corporation)
U3 aswbdisk; no ImagePath
==================== NetSvcs (Whitelisted) ===================
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

==================== One Month Created files and folders ========
(If an entry is included in the fixlist, the file/folder will be moved.)
2017-03-08 08:16 - 2017-03-08 08:18 - 00018144 _____ C:\Users\TEMP\Downloads\FRST.txt
2017-03-08 08:16 - 2017-03-08 08:16 - 00000000 ____D C:\FRST
2017-03-08 08:15 - 2017-03-08 08:16 - 02423808 _____ (Farbar) C:\Users\TEMP\Downloads\FRST64.exe
2017-03-08 08:14 - 2017-03-08 08:14 - 01765888 _____ (Farbar) C:\Users\TEMP\Downloads\FRST.exe
2017-03-08 08:05 - 2017-03-08 08:06 - 00000000 ____D C:\Users\TEMP\AppData\Local\MicrosoftEdge
2017-03-08 06:49 - 2017-03-08 06:49 - 00000000 ____D C:\Users\TEMP\AppData\Local\NetworkTiles
2017-03-07 16:03 - 2017-03-08 08:05 - 00004164 _____ C:\WINDOWS\System32\Tasks\User_Feed_Synchronization-{F20690C8-287F-431D-AF75-265603C0563A}
2017-03-07 16:03 - 2017-03-07 16:03 - 00000000 ____D C:\Users\TEMP\AppData\Roaming\Macromedia
2017-03-07 16:02 - 2017-03-07 16:02 - 00000000 ____D C:\Users\TEMP\AppData\Roaming\Skype
2017-03-07 16:01 - 2017-03-07 16:03 - 00002371 _____ C:\Users\TEMP\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\OneDrive.lnk
2017-03-07 16:01 - 2017-03-07 16:03 - 00000000 ___RD C:\Users\TEMP\OneDrive
2017-03-07 15:58 - 2017-03-07 16:10 - 00000000 ____D C:\Users\TEMP\AppData\Roaming\DropboxOEM
2017-03-07 15:58 - 2017-03-07 15:58 - 00000000 ____D C:\Users\TEMP\AppData\Local\DropboxOEM
2017-03-07 15:53 - 2017-03-07 15:53 - 00000000 ____D C:\Users\TEMP\AppData\Roaming\AVAST Software
2017-03-07 15:53 - 2017-03-07 15:53 - 00000000 ____D C:\Users\TEMP\AppData\Local\CEF
2017-03-07 15:52 - 2017-03-07 15:52 - 00000000 ____D C:\Users\TEMP\AppData\Local\Toshiba
2017-03-07 15:51 - 2017-03-07 15:52 - 00000000 ____D C:\Users\TEMP\AppData\LocalLow\LastPass
2017-03-07 15:49 - 2017-03-07 15:50 - 00000000 ____D C:\Users\TEMP\AppData\Local\Packages
2017-03-07 15:49 - 2017-03-07 15:49 - 00000000 ____D C:\Users\TEMP\AppData\Local\VirtualStore
2017-03-07 15:49 - 2017-03-07 15:49 - 00000000 ____D C:\Users\TEMP\AppData\Local\Google
2017-03-07 15:48 - 2017-03-07 15:50 - 00000000 ____D C:\Users\TEMP\AppData\Local\ConnectedDevicesPlatform
2017-03-07 15:48 - 2017-03-07 15:48 - 00000020 ___SH C:\Users\TEMP\ntuser.ini
2017-03-07 15:48 - 2017-03-07 15:48 - 00000000 _SHDL C:\Users\TEMP\My Documents
2017-03-07 15:48 - 2017-03-07 15:48 - 00000000 _SHDL C:\Users\TEMP\Documents\My Videos
2017-03-07 15:48 - 2017-03-07 15:48 - 00000000 _SHDL C:\Users\TEMP\Documents\My Pictures
2017-03-07 15:48 - 2017-03-07 15:48 - 00000000 _SHDL C:\Users\TEMP\Documents\My Music
2017-03-07 15:48 - 2017-03-07 15:48 - 00000000 ____D C:\Users\TEMP\AppData\Roaming\Adobe
2017-03-07 15:48 - 2017-03-07 15:48 - 00000000 ____D C:\Users\TEMP\AppData\Local\TileDataLayer
2017-03-07 15:48 - 2017-03-07 15:48 - 00000000 ____D C:\ProgramData\SWCUTemp
2017-03-07 15:47 - 2017-03-07 16:01 - 00000000 ____D C:\Users\TEMP
2017-03-07 15:23 - 2017-03-07 15:46 - 00186304 _____ (Malwarebytes) C:\WINDOWS\system32\Drivers\MBAMChameleon.sys
2017-03-07 15:23 - 2017-03-07 15:46 - 00111544 _____ (Malwarebytes) C:\WINDOWS\system32\Drivers\farflt.sys
2017-03-07 15:23 - 2017-03-07 15:46 - 00092088 _____ (Malwarebytes) C:\WINDOWS\system32\Drivers\mwac.sys
2017-03-07 15:22 - 2017-03-07 15:46 - 00251840 _____ (Malwarebytes) C:\WINDOWS\system32\Drivers\MBAMSwissArmy.sys
2017-03-07 15:22 - 2017-03-07 15:46 - 00043968 _____ (Malwarebytes) C:\WINDOWS\system32\Drivers\mbam.sys
2017-03-07 15:22 - 2017-03-07 15:22 - 00001923 _____ C:\Users\Public\Desktop\Malwarebytes.lnk
2017-03-07 15:22 - 2017-03-07 15:22 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes
2017-03-07 15:22 - 2017-03-07 15:22 - 00000000 ____D C:\ProgramData\Malwarebytes
2017-03-07 15:22 - 2017-03-07 15:22 - 00000000 ____D C:\Program Files\Malwarebytes
2017-03-07 15:22 - 2017-02-24 06:23 - 00077408 _____ C:\WINDOWS\system32\Drivers\mbae64.sys
2017-03-07 13:31 - 2017-03-07 15:21 - 57131432 _____ (Malwarebytes ) C:\Users\jody\Downloads\mb3-setup-consumer-3.0.6.1469-1075.exe
2017-03-07 13:27 - 2017-03-07 13:27 - 00000000 ____D C:\Users\jody\AppData\Local\lptmp2031522198
2017-03-07 13:27 - 2017-03-07 13:27 - 00000000 ____D C:\Users\jody\AppData\Local\lptmp1233417896
2017-03-06 11:43 - 2017-03-06 12:03 - 1444242432 _____ C:\Users\jody\Documents\JSmithBackUp.pst
2017-03-05 22:00 - 2017-03-05 22:04 - 00000000 ____D C:\Users\jody\Desktop\2016
2017-03-03 10:53 - 2017-03-07 12:46 - 00046080 _____ C:\Users\jody\Desktop\march 6.xls
2017-03-03 05:44 - 2017-03-03 05:45 - 10996891 _____ C:\Users\jody\Downloads\HKC145 START PACAKGE.PDF
2017-03-03 05:42 - 2017-03-03 05:43 - 11353128 _____ C:\Users\jody\Downloads\HKC143 START PACKAGE.PDF
2017-03-03 05:39 - 2017-03-03 05:39 - 11014866 _____ C:\Users\jody\Downloads\HKC153 START PACKAGE.PDF
2017-03-03 05:36 - 2017-03-03 05:36 - 10902523 _____ C:\Users\jody\Downloads\HKC86 START PACKAGE.PDF
2017-02-15 13:04 - 2017-03-05 21:57 - 00000000 ____D C:\Users\jody\Desktop\Feb 2017
2017-02-15 13:03 - 2017-03-05 22:02 - 00000000 ____D C:\Users\jody\Desktop\closing
2017-02-15 13:02 - 2017-02-27 08:24 - 00000000 ____D C:\Users\jody\Desktop\jan 2017
2017-02-10 11:15 - 2017-02-28 06:34 - 00004268 _____ C:\WINDOWS\System32\Tasks\Avast Emergency Update
2017-02-10 11:15 - 2017-02-10 11:14 - 00398408 _____ (AVAST Software) C:\WINDOWS\system32\aswBoot.exe
2017-02-10 11:15 - 2017-02-10 11:07 - 00334600 _____ (AVAST Software s.r.o.) C:\WINDOWS\system32\Drivers\aswbloga.sys
2017-02-10 11:15 - 2017-02-10 11:07 - 00309784 _____ (AVAST Software s.r.o.) C:\WINDOWS\system32\Drivers\aswbidsdrivera.sys
2017-02-10 11:15 - 2017-02-10 11:07 - 00189768 _____ (AVAST Software s.r.o.) C:\WINDOWS\system32\Drivers\aswbidsha.sys
2017-02-10 11:15 - 2017-02-10 11:07 - 00048528 _____ (AVAST Software s.r.o.) C:\WINDOWS\system32\Drivers\aswbuniva.sys
==================== One Month Modified files and folders ========
(If an entry is included in the fixlist, the file/folder will be moved.)
2017-03-08 08:10 - 2016-07-16 06:47 - 00000000 ____D C:\WINDOWS\LiveKernelReports
2017-03-08 08:03 - 2016-08-10 06:37 - 00000000 ____D C:\WINDOWS\system32\SleepStudy
2017-03-07 16:12 - 2016-07-16 06:47 - 00000000 ____D C:\WINDOWS\AppReadiness
2017-03-07 16:10 - 2016-07-16 06:47 - 00000000 ___HD C:\Program Files\WindowsApps
2017-03-07 16:05 - 2016-12-29 09:33 - 00000000 ____D C:\Program Files (x86)\Mozilla Firefox
2017-03-07 16:03 - 2016-12-29 11:12 - 00003288 _____ C:\WINDOWS\System32\Tasks\OneDrive Standalone Update Task v2
2017-03-07 16:03 - 2016-12-29 09:33 - 00001215 _____ C:\Users\Public\Desktop\Mozilla Firefox.lnk
2017-03-07 16:03 - 2016-12-29 09:33 - 00001215 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Mozilla Firefox.lnk
2017-03-07 15:49 - 2015-10-28 20:27 - 00000000 __RHD C:\Users\Public\AccountPictures
2017-03-07 15:48 - 2016-08-10 06:40 - 00000180 _____ C:\WINDOWS\system32\{A6D608F0-0BDE-491A-97AE-5C4B05D86E01}.bat
2017-03-07 15:48 - 2015-12-30 14:50 - 00000000 __SHD C:\Users\jody\IntelGraphicsProfiles
2017-03-07 15:45 - 2016-08-10 07:03 - 00000006 ____H C:\WINDOWS\Tasks\SA.DAT
2017-03-07 15:45 - 2016-07-16 01:04 - 00786432 _____ C:\WINDOWS\system32\config\BBI
2017-03-07 15:45 - 2016-07-10 20:05 - 00000000 ____D C:\Users\jody\AppData\Local\SlimWare Utilities Inc
2017-03-07 15:14 - 2015-12-30 17:25 - 01388432 _____ C:\Users\Public\VOIP.dat
2017-03-07 13:27 - 2016-08-13 20:59 - 00000000 ____D C:\Users\jody\AppData\Local\lptmp
2017-03-07 13:27 - 2016-08-13 20:58 - 00000000 ____D C:\ProgramData\WRData
2017-03-07 13:25 - 2016-12-29 10:41 - 00004022 _____ C:\WINDOWS\System32\Tasks\SafeZone scheduled Autoupdate 1483026059
2017-03-07 13:25 - 2016-12-29 10:41 - 00001099 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Avast SafeZone Browser.lnk
2017-03-07 13:10 - 2016-07-10 20:05 - 00013920 _____ C:\WINDOWS\system32\Drivers\SWDUMon.sys
2017-03-07 13:08 - 2015-10-28 21:37 - 00000000 ____D C:\Program Files (x86)\McAfee
2017-03-07 13:07 - 2016-01-03 18:21 - 00000000 ____D C:\Program Files\Common Files\AV
2017-03-07 13:04 - 2016-07-16 06:47 - 00000000 ___HD C:\WINDOWS\ELAMBKUP
2017-03-07 13:04 - 2016-07-16 01:04 - 00032768 _____ C:\WINDOWS\system32\config\ELAM
2017-03-07 13:03 - 2016-07-16 06:45 - 00000000 ____D C:\WINDOWS\INF
2017-03-07 13:01 - 2015-10-30 01:28 - 00000000 ____D C:\Users\Default.migrated
2017-03-07 12:55 - 2015-12-30 14:50 - 00000000 ____D C:\Users\jody\AppData\Local\Host App Service
2017-03-07 12:53 - 2015-12-30 14:56 - 00002371 _____ C:\Users\jody\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\OneDrive.lnk
2017-03-07 12:53 - 2015-12-30 14:56 - 00000000 ___RD C:\Users\jody\OneDrive
2017-03-06 11:50 - 2015-12-31 11:20 - 00000000 ____D C:\Users\jody\Documents\Outlook Files
2017-03-05 22:14 - 2016-07-17 12:43 - 00000000 ____D C:\Users\jody\Desktop\3
2017-03-03 05:59 - 2015-12-30 19:50 - 00000000 ____D C:\WINDOWS\system32\MRT
2017-03-03 05:54 - 2015-12-30 19:50 - 138020592 ____C (Microsoft Corporation) C:\WINDOWS\system32\MRT.exe
2017-03-03 05:53 - 2016-07-16 06:36 - 00000000 ____D C:\WINDOWS\CbsTemp
2017-02-26 22:54 - 2016-08-10 06:45 - 00000000 ____D C:\Users\jody
2017-02-20 07:22 - 2016-12-29 10:28 - 00000000 ____D C:\ProgramData\AVAST Software
2017-02-14 08:56 - 2015-12-30 14:50 - 00000000 ____D C:\Users\jody\AppData\Local\Packages
2017-02-13 07:25 - 2016-05-17 09:10 - 00485032 ____N (Microsoft Corporation) C:\WINDOWS\system32\MpSigStub.exe
2017-02-10 11:15 - 2016-12-29 10:31 - 00337080 _____ (AVAST Software) C:\WINDOWS\system32\Drivers\aswvmm.sys
2017-02-10 11:14 - 2016-12-29 10:31 - 00547904 _____ (AVAST Software) C:\WINDOWS\system32\Drivers\aswSP.sys
2017-02-10 11:14 - 2016-12-29 10:31 - 00337080 _____ (AVAST Software) C:\WINDOWS\system32\Drivers\aswvmm.sys.148674334526504
2017-02-10 11:14 - 2016-12-29 10:31 - 00162528 _____ (AVAST Software) C:\WINDOWS\system32\Drivers\aswStm.sys
2017-02-10 11:14 - 2016-12-29 10:31 - 00126088 _____ (AVAST Software) C:\WINDOWS\system32\Drivers\aswMonFlt.sys
2017-02-10 11:14 - 2016-12-29 10:31 - 00100640 _____ (AVAST Software) C:\WINDOWS\system32\Drivers\aswRdr2.sys
2017-02-10 11:14 - 2016-12-29 10:31 - 00074680 _____ (AVAST Software) C:\WINDOWS\system32\Drivers\aswRvrt.sys
2017-02-10 11:14 - 2016-12-29 10:31 - 00038296 _____ (AVAST Software) C:\WINDOWS\system32\Drivers\aswHwid.sys
2017-02-10 11:10 - 2016-12-29 10:31 - 00991496 _____ (AVAST Software) C:\WINDOWS\system32\Drivers\aswSnx.sys
2017-02-10 11:09 - 2016-12-29 10:40 - 00032088 _____ (AVAST Software) C:\WINDOWS\system32\Drivers\aswKbd.sys
2017-02-07 11:40 - 2016-01-03 18:20 - 00002283 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome.lnk
2017-02-07 11:40 - 2016-01-03 18:20 - 00002271 _____ C:\Users\Public\Desktop\Google Chrome.lnk
2017-02-06 14:48 - 2016-07-16 06:49 - 00835576 _____ (Adobe Systems Incorporated) C:\WINDOWS\SysWOW64\FlashPlayerApp.exe
2017-02-06 14:48 - 2016-07-16 06:49 - 00177656 _____ (Adobe Systems Incorporated) C:\WINDOWS\SysWOW64\FlashPlayerCPLApp.cpl
==================== Files in the root of some directories =======
2016-05-15 20:33 - 2016-05-15 20:33 - 6748160 _____ () C:\Program Files (x86)\GUT781B.tmp
2016-08-13 21:00 - 2016-08-13 21:00 - 12964920 _____ (Webroot Software, Inc.) C:\Program Files (x86)\Common Files\wruninstall.exe
2016-01-03 18:17 - 2016-01-03 18:17 - 0000057 _____ () C:\ProgramData\Ament.ini
Files to move or delete:
====================
C:\Users\TEMP\AppData\Local\Microsoft\OneDrive\OneDrive.exe
C:\Users\Public\VOIP.dat

Some files in TEMP:
====================
2015-11-18 18:15 - 2015-11-18 18:15 - 43338880 _____ () C:\Users\jody\AppData\Local\Temp\Firefox Setup 42.0-2-Toshiba-001-US.exe
2016-09-25 19:27 - 2016-09-25 19:29 - 150623768 _____ () C:\Users\jody\AppData\Local\Temp\HPInstaller.exe
2016-09-25 19:23 - 2016-09-25 19:24 - 58523704 _____ (SweetLabs,Inc.) C:\Users\jody\AppData\Local\Temp\octD9DA.tmp.exe
2017-03-07 15:49 - 2017-03-07 15:50 - 38131144 _____ (SweetLabs,Inc.) C:\Users\TEMP\AppData\Local\Temp\oct2E12.tmp.exe
==================== Bamital & volsnap ======================
(There is no automatic fix for files that do not pass verification.)
C:\WINDOWS\system32\winlogon.exe => File is digitally signed
C:\WINDOWS\system32\wininit.exe => File is digitally signed
C:\WINDOWS\explorer.exe => File is digitally signed
C:\WINDOWS\SysWOW64\explorer.exe => File is digitally signed
C:\WINDOWS\system32\svchost.exe => File is digitally signed
C:\WINDOWS\SysWOW64\svchost.exe => File is digitally signed
C:\WINDOWS\system32\services.exe => File is digitally signed
C:\WINDOWS\system32\User32.dll => File is digitally signed
C:\WINDOWS\SysWOW64\User32.dll => File is digitally signed
C:\WINDOWS\system32\userinit.exe => File is digitally signed
C:\WINDOWS\SysWOW64\userinit.exe => File is digitally signed
C:\WINDOWS\system32\rpcss.dll => File is digitally signed
C:\WINDOWS\system32\dnsapi.dll => File is digitally signed
C:\WINDOWS\SysWOW64\dnsapi.dll => File is digitally signed
C:\WINDOWS\system32\Drivers\volsnap.sys => File is digitally signed
LastRegBack: 2017-02-15 19:01
==================== End of FRST.txt ============================

#2 nasdaq

Posted 09 March 2017 - 09:31 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can, please print this topic; it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

Also if possible please run the Farbar tool again in an Administrator account.

I also need to see the Addition.txt file that was created by running the Farbar tool.

Wait for further instructions.

#3 nasdaq

Posted 15 March 2017 - 07:42 AM

Due to the lack of feedback, this topic is now closed.

In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days.

Please include a link to your topic in the Private Message. Thank you.