I need to double check if i've been hacked.


This topic is locked
17 replies to this topic

#1 HumbleArk

  • Members
  • 8 posts

Posted 28 March 2017 - 12:00 AM

I was at twitch.tv watching a stream when I noticed somebody posted an image in the chat. This picture was a blurred-out image of somebody's face that was way bigger than standard chat images. I rarely use Facebook so I have a small friends list on there. And I recognized that image in the chat as being very similar to my friend's profile picture. Other friends of mine agree that it looks just like him. Here is a picture for comparison: https://postimg.org/image/8gk5y687h/ My friend's face is edited in next to the blurred picture. It's completely identical, even to the tree that is next to the face.

 

I can't find anything on it even being possible for somebody being able to post an image directly to twitch chat like this. Moderators have told me that shouldn't be possible. I'm going over the replay of the stream tomorrow to see if I can find this image in the chat replay and see if I can hover my mouse over it to see if there is a command listed for posting it. All the chat images have this. I don't remember seeing any command posted when I checked it before though. 

If that actually is a picture of my friend, then they had to have known that I was watching twitch at that very moment. And I wonder because of this if it was possible that they were in my computer in real time watching me watch twitch or something. That's probably extremely unrealistic but because of how little I know about computers everything seems possible to me at this point. 

If this doesn't sound very convincing and you think I might be jumping the gun here then just let me know. I'd be more relieved than anything else to hear that. 

I don't know if this helps, but this is also a hand-me-down computer. So I'm not really sure what kind of stuff is on this.
I'm heading off to bed now as I posted this very late. I'll be available to start working on this with you guys in 8-9 hours.

Thanks in advance for the help. 

 



#2 garioch7

    RCMP Veteran

  • Malware Response Instructor
  • 3,917 posts
  • Gender:Male
  • Location:Port Hood, Nova Scotia, Canada

Posted 28 March 2017 - 08:39 AM

HumbleArk:

:welcome: to the Bleeping Computer Virus, Trojans, Spyware, and Malware Removal Logs Forum. My name is Phil. May I address you by your first name?

I will be assisting you with your computer issues. I will endeavor to respond within a reasonable time, normally 48 hours after your last post.

I will need some time to review your FRST logs. That could take a day or two.

PLEASE DO NOT RUN ANY ADDITIONAL SCANS OR ANTI-MALWARE REMOVAL TOOLS UNTIL YOU HAVE RECEIVED A RESPONSE FROM ME.
Doing so would complicate the situation and it would cause further delays in resolving your issues. It could also potentially result in harm to your computer because my "fix" will be based on the FRST scan logs you have already submitted.

Thank you and have a great day.

Regards,
-Phil

Graduate of the Bleeping Computer Malware Removal Study Hall


#3 garioch7

    RCMP Veteran

  • Malware Response Instructor
  • 3,917 posts
  • Gender:Male
  • Location:Port Hood, Nova Scotia, Canada

Posted 28 March 2017 - 12:17 PM

HumbleArk:

Thank you for your patience while I analyzed your FRST logs. I am not seeing any evidence of serious malware, so far, and I have no reason to believe that your computer has been hacked.

In future, I would ask that you copy and paste all scan and fix logs that I request into your posts, rather than attaching them. This makes it easier, and faster, for me to analyze them. Thank you for your anticipated cooperation.


Before we start dealing with the problems you are experiencing, I would ask that you to take note of the following points:

  • I am a Bleeping Computer volunteer, so I ask you to be patient. I know it is frustrating when your computer is not working properly, but malware removal takes time.
  • Please also remember that I can only dedicate a limited number of hours a day to helping people. We may live in different time zones, which may cause delays in responding.
  • If I have not responded to you within 48 hours, please send me a personal message. Likewise, I expect you to respond within 48 hours, and sooner is better because we can fix your computer faster.
  • If I have not heard from you in three days, I will "bump" your post. After five days of no response, I will consider that you no longer need my assistance and this thread will be closed.
  • Logs can take a while to research, so please be patient.
  • Some issues just cannot be solved so you must be prepared for this.
  • Please read and follow the instructions in the exact sequence that they are posted to avoid making a bad situation worse.
  • Please print or copy and save the instructions.
  • Back up all your data and important files on another (external) drive before starting to run malware removal tools.
  • You should try to limit your browsing with this computer until you are given the "All Clear." Some malware applications steal passwords.
  • Please do not install or uninstall any applications, unless directed. Don't run any scripts or tools on your own because unsupervised usage may cause more harm than good.
  • Please use only the tools you have been instructed to use.
  • If you are using CD/DVD emulation software, this should be uninstalled or disabled as it can interfere with the removal of some malware. It can be turned off with Defogger and then turned back on when you get the "All Clear."
  • Please copy and paste the requested log files inside your post, unless otherwise instructed.
  • There are no silly questions. Ask for clarification, if you have any questions or concerns.
  • Bleeping Computer does not support any piracy. Evidence of illegal OS, software, cracks/keygens, etc., will be revealed by scan logs, and if found, further assistance may be suspended. Uninstall such software before proceeding!
  • Any P2P software such as uTorrent, BitTorrent, Kazaa, etc. must be uninstalled or completely disabled. P2P software is a major security risk to your computer and may have been the route the malware used to infect your computer.
  • Failure to follow these guidelines may result in assistance being withdrawn and your thread being closed.
  • I am volunteering my time to help you, and I will need you to help me. Together, we can, hopefully, disinfect your computer and get it functioning properly again. That is my only aim.


OK, let's get started ...



:step1: The logs show that Amazon Assistant is installed on your computer. This program is considered a PUP. Personally I would not have it on my computer. For more information, see this link. If you wish to uninstall this program, please see this link for instructions. Please let me know whether you kept, or uninstalled, this program.

Similarly, you might want to consider uninstalling eBay Worldwide, unless you are a frequent eBay shopper. Please let me know whether you decide to keep it or uninstall it.



:step2: In going over your logs I noticed that you have BitTorrent.exe in your Downloads folder. Please consider the following advice to reduce the possibility of being infected when surfing the web.

2017-03-12 12:24 - 2017-03-12 12:24 - 02241224 _____ (BitTorrent Inc.) C:\Users\natha\Downloads\BitTorrent.exe

  • Avoid gaming sites, pirated software, cracking tools, keygens, and peer-to-peer (P2P) file sharing programs.
  • They are a security risk which can make your computer susceptible to a wide variety of malware infections, remote attacks, exposure of personal information, and identity theft. Many malicious worms and Trojans spread across P2P file sharing networks, gaming and underground sites.
  • Users visiting such pages may see innocuous-looking banner ads containing code which can trigger pop-up ads and malicious Flash ads that install viruses, Trojans and spyware. Ads are a target for hackers because they offer a stealthy way to distribute malware to a wide range of Internet users.
  • The best way to reduce the risk of infection is to avoid these types of web sites and not use any P2P applications.

It is pretty much certain that if you use P2P programs, you will get infected.
I would recommend that you do not keep the BitTorrent.exe file; however, that choice is up to you.
If you wish to keep it, please do not install it until your computer is cleaned.




:step3: Please run a FRST "Fix" for me.

Copy and paste the text in the code box below into Notepad and save the file as fixlist.txt to the Desktop.

NOTE: It is important that both files, FRST64.exe and fixlist.txt are both in the same folder or the fix will not work.

NOTICE: This script was written specifically for this user, for use on this individual computer. Running this on another computer may cause damage to your operating system.
 

```
CreateRestorePoint:
CloseProcesses:

S3 MBAMFarflt; \??\C:\Windows\system32\drivers\farflt.sys [X]
S0 MBAMSwissArmy; system32\drivers\MBAMSwissArmy.sys [X]
S3 wfpcapture; \SystemRoot\System32\drivers\wfpcapture.sys [X]
```

  • Right click FRST64.exe, and select "Run as Administrator".
  • Then press the Fix button just once and wait.
  • If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.
  • When finished FRST will generate a log on the Desktop (Fixlog.txt). Please copy and paste the contents into your reply.


Please note that your computer is very low on free hard disk space. Your computer is seriously under-powered to handle Windows 10 Home x64, and with its limited RAM and free space on Drive C:, it will be very slow.

Once you have run the FRST "fixlist.txt" script, we will run some standard anti-malware scans to further check your computer.

Thank you and have a great day.

Regards,
-Phil


Graduate of the Bleeping Computer Malware Removal Study Hall


#4 HumbleArk
  • Topic Starter

  • Members
  • 8 posts

Posted 28 March 2017 - 03:56 PM

Hey good to meet you and thanks for taking the time to help me. I apologize for having taken so long to respond to this. From now on I will monitor this thread closely. Here is the copy and paste you requested.

I've uninstalled ebay worldwide and amazon assistant.


```
Fix result of Farbar Recovery Scan Tool (x64) Version: 15-03-2017
Ran by natha (28-03-2017 16:40:46) Run:1
Running from C:\Users\natha\Downloads
Loaded Profiles: natha (Available Profiles: natha)
Boot Mode: Normal
==============================================

fixlist content:
*****************
CreateRestorePoint:
CloseProcesses:

S3 MBAMFarflt; \??\C:\Windows\system32\drivers\farflt.sys [X]
S0 MBAMSwissArmy; system32\drivers\MBAMSwissArmy.sys [X]
S3 wfpcapture; \SystemRoot\System32\drivers\wfpcapture.sys [X]
*****************

Error: (0) Failed to create a restore point.
Processes closed successfully.
HKLM\System\CurrentControlSet\Services\MBAMFarflt => key could not remove, key could be protected
HKLM\System\CurrentControlSet\Services\MBAMSwissArmy => key could not remove, key could be protected
HKLM\System\CurrentControlSet\Services\wfpcapture => key removed successfully
wfpcapture => service removed successfully

Result of scheduled files to move (Boot Mode: Normal) (Date&Time: 28-03-2017 16:42:16)


Result of scheduled keys to remove after reboot:

HKLM\System\CurrentControlSet\Services\MBAMFarflt => key could not remove, key could be protected
HKLM\System\CurrentControlSet\Services\MBAMSwissArmy => key could not remove, key could be protected

==== End of Fixlog 16:42:17 ====
```



I agree with your suggestion on bittorrent. I will remove that for good. 

Edited by HumbleArk, 28 March 2017 - 04:07 PM.


#5 garioch7

    RCMP Veteran

  • Malware Response Instructor
  • 3,917 posts
  • Gender:Male
  • Location:Port Hood, Nova Scotia, Canada

Posted 29 March 2017 - 03:45 AM

HumbleArk:

Thank you for your post and update. Let's run some more standard anti-malware scans to see if anything might be lurking in your computer.


:step1: ESET Online Scanner using Internet Explorer:

Note 1: These instructions are for Internet Explorer only! If you're using Chrome or Firefox, you will need to download and install the ESET Smart Installer tool before it can scan. See instructions here.
Note 2: You will need to disable your currently installed Anti-Virus, how to do so can be found here.

  • Download esetsmartinstaller_enu.exe and save it to your Desktop.
  • Double click the icon.
  • Check YES, I accept the Terms of Use.
  • Click the Start button.
  • Accept any security warnings from your browser.
  • Click Advanced settings.
  • Check the following items.

Enable detection of potentially unwanted applications
Remove found threats
Scan archives
Scan for potentially unsafe applications
Enable Anti-Stealth technology

  • Click Change next to Current scan targets:
  • Place a check mark in any additional drive you wish to scan then click OK.
  • Click Start.
  • ESET will then download updates and begin scanning your computer.
  • If no threats are found simply click Uninstall application on close and hit Finish.
  • If threats are found click List of found threats.
  • Click Export to text file.
  • Save the file on your Desktop as ESET.txt.
  • Click Back.
  • Check Uninstall application on close and Delete quarantined files.
  • Click Finish.
  • Close the ESET Online Scanner window.
  • Copy and paste the contents of ESET.txt into your reply, if any threats were detected.

Don't forget to re-enable your antivirus when finished!


:step2: Please run a Malwarebytes Anti-Malware scan for me.

  • Please download Malwarebytes to your Desktop.
  • Double-click mb3-setup-1878.1878-3.5.1.2522.exe and follow the prompts to install the program.
  • Then click Finish.
  • Next, please go to "Settings", "Protection", and turn on "Scan for rootkits", if it is not "On."
  • Once the program has fully updated, select Scan Now on the Dashboard. Or select the Threat Scan from the Scan menu.
  • If an update of the definitions is available, it will be downloaded and installed before the scan commences.
  • When the scan is complete, make sure that all Threats are selected, and click Remove Selected.
  • Restart your computer when prompted to do so.
  • The Scan log is available through History ->Application logs. Please copy and paste the contents of the log into your next reply.


Thank you and have a great day.

Regards,
-Phil


Graduate of the Bleeping Computer Malware Removal Study Hall


#6 HumbleArk
  • Topic Starter

  • Members
  • 8 posts

Posted 29 March 2017 - 12:34 PM

I just want to mention that I am here so you feel you can exchange quickly with me if you're on anytime soon. Some stuff came up that I had to attend to, which is why I'm so late getting back. I am running the scans now and will edit them in here.

I cannot find an option to uninstall Amazon Assistant. It's not showing up when I search for it. eBay Worldwide was uninstalled. Earlier I mentioned they were uninstalled just because I thought there wouldn't be any issue uninstalling them, so I went ahead and said that anyway. That was my mistake.


My friends have an alternative explanation that they'd like to run by you. They wonder if an image from my facebook bled into the twitch chat as I was tabbing over. Thing is I remember that the image indefinitely stayed in the chat though and i'm not sure I remember tabbing over from that when this happened. My brother wants to do a hard restart on this computer to erase information from the previous owner since they requested it. They're saying that would clear up any malware issues if there are any. Do you want me to stay and see if any hacking or something fishy happened for this image business to have occurred? Or are you convinced of their explanation? 


Edited by HumbleArk, 29 March 2017 - 12:44 PM.


#7 garioch7

    RCMP Veteran

  • Malware Response Instructor
  • 3,917 posts
  • Gender:Male
  • Location:Port Hood, Nova Scotia, Canada

Posted 29 March 2017 - 02:35 PM

HumbleArk:
 
Thank you for your post.  I understand that you can't sit waiting for a response from me.  That is not an issue.  The "general" rule of thumb is to reply with 48 hours.  After three days, you will get a "bump" notice from me, if I have not heard from you and you have not posted to tell me how long you will be away, and the reason for your absence.  So, you are in very good shape.  You are responding within 24 hours! :thumbup2:
 
I try to respond daily, but, like you, "real life" does get in the way sometimes, so I always let my users know if I am not going to be able to respond within 24 hours, even though "the rules" say that I am permitted 48 hours to respond.  Bleeping Computer is dedicated to providing a very high level of service to the users who come here with issues.  That is one of the reasons why I chose to study here and, when I graduated from the Bleeping Computer Malware Removal Study Hall, to enthusiastically continue to work here as a volunteer (and proud of it!).
 
I am not familiar with the term "hard restart".  I googled it and it appears to be used in relation to HP computers.  I think your brother might be referring to a Windows 10 reset.  For sure, that would remove virtually all malware from your computer, and if the "Remove Everything" option were to be selected, then the previous owner would be quite happy because all of his apps and data would be deleted as a part of that "reset" process.
 
I don't use "Twitch", so I can't speak to the hypothesis being put forward by your friends.  It does seem to be a reasonable possibility.
 
I can write another FRST "fixlist.txt" script to remove the remnants of Amazon Assistant that FRST detected, if you so wish.
 
This is YOUR computer, and I am here to help you.
 
If you want to continue to work with me, then we will use the anti-malware scanning/cleaning tools I have recommended already, and then probably a couple more, just to ensure that your computer is clean from malware.
 
A Windows 10 reset is a drastic step, which will entail you spending hours installing your programs and copying your data.  You would want to do a full system image of your computer before doing that, so that if the reset "goes south", you can go back, and you also have a copy of all of your data to put back on the computer.  Now, of course, your data might contain malware, so simply copying it back would just reinfect the "reset" Windows 10 image.
 
FRST is the best malware scanning/cleaning tool that we have currently, but it does not detect everything; hence my request that we run some additional scans, which target different classes of malware.  In your case, FRST did not find anything significant that it did not deal with.  You can see that your FRST fixlist.txt script was very brief!  The two that it couldn't deal with are components of Malwarebytes Anti-Malware and therefore completely harmless to your computer.
 
Personally, if this were my computer, I would not resort to a Windows 10 reset, at this point in time.  I have NO reason to believe, at this time, that your computer is seriously infected with malware.  Almost all malware that is detected by the various malware scanning/cleaning tools that we use here, can be successfully removed ... and our tools are being updated constantly to identify, and deal with, emerging malware threats.  I would, if I was you, do the scans and see what turns up.
 
If some serious rootkit or backdoor Trojan were to be detected in subsequent scans with other anti-malware scanners, one that somehow escaped detection by FRST and that cannot be eliminated by our existing arsenal of anti-malware tools, then I would be the FIRST to recommend to you that the simplest, and best, approach would be to start again with a clean computer, via reset, with all of the hours of work that such a process entails.
 
So, in conclusion, I am here to help you.  It is your computer, your decision.  If you want to continue with the scans, which I recommend, then I am prepared to work with you until you are satisfied that:
  • Your computer is not infected;
  • The malware on your computer has been removed and it is clean and safe to use; or,
  • It makes sense, based on the malware identified, to undertake a Windows 10 reset.
If you decide that you want to continue, please run the scans that I previously requested, and copy and paste the results into your next reply.
 
If you decide that you want to do a Windows 10 reset, then please let me know, and I will conclude your topic.
 
Thank you and have a great day.
 
Regards,
-Phil

Edited by garioch7, 29 March 2017 - 02:36 PM.

Graduate of the Bleeping Computer Malware Removal Study Hall


#8 HumbleArk
  • Topic Starter

  • Members
  • 8 posts

Posted 29 March 2017 - 09:33 PM

I think I was mistaken to say I'd edit in the other post with the scan, since that won't notify you of a recent reply from me. So I won't do that from here on, and to make up for that I'll post all the logs and everything you've asked for already in here so you can be notified.
Yes, I think I'll go ahead with the scans and everything and work with you until we're sure everything is OK. With my brother, that was my fault in the miscommunication there over what my brother was doing. I did not use the correct term. He wanted to wipe the hard drive and reinstall Windows 10.

Here is the website if that will help you understand that situation better. twitch.tv 

The FRST Amazon fix script sounds like a good idea. Let's do that.

Malwarebytes wanted to install to the folder that was already there from a previous uninstalled one, and I got some sort of error pop-up that I had to click on Ignore to continue the setup. I'm not sure if it matters since it still ran fine and did the scan regardless of this, but I thought I'd bring it up anyway.

Had trouble finding the logs from malware bytes by those specifications but I think this is it. I've got them attached to the post. 
 



Edited by HumbleArk, 30 March 2017 - 08:36 AM.


#9 garioch7

    RCMP Veteran

  • Malware Response Instructor
  • 3,917 posts
  • Gender:Male
  • Location:Port Hood, Nova Scotia, Canada

Posted 30 March 2017 - 01:16 PM

HumbleArk:
 
Thank you for the ESET and MBAM logs.  In future, please copy and paste them into your replies.  That makes it faster for me to analyze the results.

I am going to deal with the remnants of Amazon Assistant for you, and also run some more standard anti-malware scans.
 
 
:step1: Let's remove the remnants of Amazon Assistant.

Please copy and paste the text in the code box below into Notepad and save the file as fixlist.txt to the folder: C:\Users\natha\Downloads.

NOTE: It is important that both files, FRST64.exe and fixlist.txt are both in the same folder or the fix will not work.

NOTICE: This script was written specifically for this user, for use on this individual computer. Running this on another computer may cause damage to your operating system.
 

```
CreateRestorePoint:
CloseProcesses:

() C:\Program Files (x86)\Amazon\Amazon Assistant\amazonAssistantService.exe
R2 Amazon Assistant Service; C:\Program Files (x86)\Amazon\Amazon Assistant\amazonAssistantService.exe [102064 2017-02-28] ()
C:\Program Files (x86)\Amazon
```

  • Right click FRST64.exe, and select "Run as Administrator".
  • Then press the Fix button just once and wait.
  • If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.
  • When finished FRST will generate a log in the folder: C:\Users\natha\Downloads (Fixlog.txt). Please copy and paste it into your reply.



:step2: Please download AdwCleaner by Malwarebytes and save the file to your Desktop.

  • Double click on AdwCleaner.exe to run the tool.
    Vista/Windows 7/8/10 users right-click and select Run As Administrator
  • The tool will start to update the database, please wait for it to complete the update.
  • Click on I Agree button.
  • Click on the Scan button.
  • AdwCleaner will begin...be patient as the scan may take some time to complete.
  • After the scan has finished, click on the Logfile button...a logfile (AdwCleaner[R#].txt) will open in Notepad for review (where the largest value of # represents the most recent report).
  • The contents of the log file may be confusing. Unless you see a program name that you know should not be removed, don't worry about it. If you see an entry you want to keep, let me know about it.
  • Copy and paste the contents of that logfile in your next reply.
  • A copy of all logfiles are saved in the C:\AdwCleaner folder which was created when running the tool.



:step3: Please download Junkware Removal Tool to your desktop.

  • Shut down your protection software now to avoid potential conflicts.
  • Run the tool by double-clicking it. If you are using Windows Vista, 7, or 8; instead of double-clicking, right-mouse click JRT.exe and select "Run as Administrator".
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete depending on your system's specifications.
  • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
  • Please copy and paste the contents of JRT.txt into your next message.



Thank you and have a great day.

Regards,
-Phil
 


Graduate of the Bleeping Computer Malware Removal Study Hall


#10 garioch7

    RCMP Veteran

  • Malware Response Instructor
  • 3,917 posts
  • Gender:Male
  • Location:Port Hood, Nova Scotia, Canada

Posted 02 April 2017 - 06:21 AM

HumbleArk:

 
Are you still there?  Do you still require assistance?  It has been three days since I last posted to you.
 
According to Forum policy, topics must be concluded after five days of non-response from the Topic Starter.
 
If I have not heard from you in another two days, I will conclude your topic.  You can always reopen it by sending a Personal Message to a Moderator.
 
Thank you and have a great day.
 
Regards,
-Phil

Graduate of the Bleeping Computer Malware Removal Study Hall


#11 HumbleArk
  • Topic Starter

  • Members
  • 8 posts

Posted 03 April 2017 - 09:09 AM

Yes, I'm still here. I apologize for not getting back to you sooner. Things kept coming up. I'll try to respond much more frequently after this.

There was a game a friend of mine wanted me to download. The download link itself was harmless. However my computer is so slow that it didn't load the real download link for like 20 seconds. And by that time I had clicked a fake download link on the page right before I had turned on the antivirus protection again. 
So now I've got this browser-redirect scareware that needs cleaning up, unfortunately. I apologize for that.

I've included scans of this with Malwarebytes, and the AdwCleaner and Junkware Removal scans are from after I got this scareware. The scareware was still here after I restarted from a Malwarebytes scan.

This computer has a broken monitor so I don't think I can use Safe Mode, since all I have is an external monitor.
 

Junkware Removal Tool (JRT) by Malwarebytes
Version: 8.1.2 (03.10.2017)
Operating System: Windows 10 Home x64 
Ran by natha (Administrator) on Mon 04/03/2017 at  9:57:52.41
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
 
 
 
File System: 2 
 
Successfully deleted: C:\Users\natha\AppData\Roaming\Mozilla\Firefox\Profiles\OU1Ura9o.default\extensions\safesearchplus2@avira.com\data\search.xml (File) 
Successfully deleted: C:\Windows\wininit.ini (File) 
 
 
 
Registry: 3 
 
Successfully deleted: HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{AA9A4890-4262-4441-8977-E2FFCBFB706C} (Registry Key)
Successfully deleted: HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{E502D5A5-8F10-4BD3-A3A3-02D3A9C9C010} (Registry Key)
Successfully deleted: HKLM\Software\Microsoft\Internet Explorer\SearchScopes\{AA9A4890-4262-4441-8977-E2FFCBFB706C} (Registry Key)
 
 
 
 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on Mon 04/03/2017 at 10:01:36.76
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Malwarebytes
www.malwarebytes.com
 
-Log Details-
Scan Date: 3/31/17
Scan Time: 6:12 PM
Logfile: Malwarebytes.txt
Administrator: Yes
 
-Software Information-
Version: 3.0.6.1469
Components Version: 1.0.75
Update Package Version: 1.0.1639
License: Free
 
-System Information-
OS: Windows 10
CPU: x64
File System: NTFS
User: LAPTOP-I52C26HB\natha
 
-Scan Summary-
Scan Type: Threat Scan
Result: Completed
Objects Scanned: 372270
Time Elapsed: 31 min, 36 sec
 
-Scan Options-
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled
 
-Scan Details-
Process: 0
(No malicious items detected)
 
Module: 0
(No malicious items detected)
 
Registry Key: 2
Hijack.AutoConfigURL.PrxySvrRST, HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\NLASVC\PARAMETERS\INTERNET\MANUALPROXIES, Quarantined, [133], [-1],0.0.0
Hijack.AutoConfigURL.PrxySvrRST, HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\NLASVC\PARAMETERS\INTERNET\MANUALPROXIES, Quarantined, [133], [383418],1.0.1639
 
Registry Value: 8
Hijack.AutoConfigURL.PrxySvrRST, HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\IPHLPSVC\PARAMETERS\PROXYMGR\{7EE18AB9-2CF0-498A-8650-E87C52F2E9F0}|AUTOCONFIGURL, Quarantined, [133], [383419],1.0.1639
Hijack.AutoConfigURL.PrxySvrRST, HKU\S-1-5-21-2177810639-1224741293-440217331-1001\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS|AUTOCONFIGURL, Quarantined, [133], [-1],0.0.0
Hijack.AutoConfigURL.PrxySvrRST, HKU\S-1-5-18\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS|PROXYENABLE, Quarantined, [133], [-1],0.0.0
Hijack.AutoConfigURL.PrxySvrRST, HKU\S-1-5-21-2177810639-1224741293-440217331-1001\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS|PROXYENABLE, Quarantined, [133], [-1],0.0.0
Hijack.AutoConfigURL.PrxySvrRST, HKU\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS|PROXYENABLE, Quarantined, [133], [-1],0.0.0
Hijack.AutoConfigURL.PrxySvrRST, HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS|PROXYENABLE, Quarantined, [133], [-1],0.0.0
Hijack.AutoConfigURL.PrxySvrRST, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS|PROXYENABLE, Quarantined, [133], [-1],0.0.0
Hijack.AutoConfigURL.PrxySvrRST, HKU\S-1-5-21-2177810639-1224741293-440217331-1001\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS|AUTOCONFIGURL, Quarantined, [133], [383416],1.0.1639
 
Registry Data: 0
(No malicious items detected)
 
Data Stream: 0
(No malicious items detected)
 
Folder: 0
(No malicious items detected)
 
File: 0
(No malicious items detected)
 
Physical Sector: 0
(No malicious items detected)
 
 
(end)
# AdwCleaner v6.045 - Logfile created 01/04/2017 at 07:17:43
# Updated on 28/03/2017 by Malwarebytes
# Database : 2017-03-31.1 [Server]
# Operating System : Windows 10 Home  (X64)
# Username : natha - LAPTOP-I52C26HB
# Running from : C:\Users\natha\Desktop\AdwCleaner.exe
# Mode: Scan
 
 
 
***** [ Services ] *****
 
No malicious services found.
 
 
***** [ Folders ] *****
 
Folder Found:  C:\Program Files\DriverSetupUtility
Folder Found:  C:\ProgramData\DriverSetupUtility
Folder Found:  C:\ProgramData\Application Data\DriverSetupUtility
 
 
***** [ Files ] *****
 
No malicious files found.
 
 
***** [ DLL ] *****
 
No malicious DLLs found.
 
 
***** [ WMI ] *****
 
No malicious keys found.
 
 
***** [ Shortcuts ] *****
 
Shortcut infected:  C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome.lnk ( hxxps://launchpage.org/?uid=98rCI5rLvFYf0KZT%2BTZGFIU6r%2FL1RqkprnblC%2BmSgVdNsb188pqJr8q2JVtWIvf0smK7 )
Shortcut infected:  C:\Users\natha\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Start Tor Browser.lnk ( hxxps://launchpage.org/?uid=98rCI5rLvFYf0KZT%2BTZGFIU6r%2FL1RqkprnblC%2BmSgVdNsb188pqJr8q2JVtWIvf0smK7 )
Shortcut infected:  C:\Users\natha\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Internet Explorer.lnk ( hxxps://launchpage.org/?uid=98rCI5rLvFYf0KZT%2BTZGFIU6r%2FL1RqkprnblC%2BmSgVdNsb188pqJr8q2JVtWI
Shortcut infected:  C:\Users\natha\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Google Chrome.lnk ( hxxps://launchpage.org/?uid=98rCI5rLvFYf0KZT%2BTZGFIU6r%2FL1RqkprnblC%2BmSgVdNsb188pqJr8q2JVtWIvf0smK7 )
Shortcut infected:  C:\Users\natha\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Google Chrome.lnk ( hxxps://launchpage.org/?uid=98rCI5rLvFYf0KZT%2BTZGFIU6r%2FL1RqkprnblC%2BmSgVdNsb188pqJr8
 
 
***** [ Scheduled Tasks ] *****
 
Task Found:  Software Update Application
 
 
***** [ Registry ] *****
 
Key Found:  HKLM\SOFTWARE\Classes\Amazon.AmazonAssistant.AABroker
Key Found:  HKLM\SOFTWARE\Classes\Amazon.AmazonAssistant.Messenger
Key Found:  HKLM\SOFTWARE\Classes\Amazon1ButtonBrowserHelper.Amazon1ButtonBHO
Key Found:  HKLM\SOFTWARE\Classes\Amazon1ButtonRuntime.Amazon1ButtonRuntime
Key Found:  HKLM\SOFTWARE\Classes\Amazon1ButtonRuntime.AmazonRuntimeServer
Key Found:  HKLM\SOFTWARE\Classes\AmazonAppIE.AppGateway
Key Found:  HKLM\SOFTWARE\Classes\AmazonAppIE.GadgetGateway
Key Found:  [x64] HKLM\SOFTWARE\Classes\Amazon.AmazonAssistant.AABroker
Key Found:  [x64] HKLM\SOFTWARE\Classes\Amazon.AmazonAssistant.Messenger
Key Found:  [x64] HKLM\SOFTWARE\Classes\Amazon1ButtonBrowserHelper.Amazon1ButtonBHO
Key Found:  [x64] HKLM\SOFTWARE\Classes\Amazon1ButtonRuntime.Amazon1ButtonRuntime
Key Found:  [x64] HKLM\SOFTWARE\Classes\Amazon1ButtonRuntime.AmazonRuntimeServer
Key Found:  [x64] HKLM\SOFTWARE\Classes\AmazonAppIE.AppGateway
Key Found:  [x64] HKLM\SOFTWARE\Classes\AmazonAppIE.GadgetGateway
Key Found:  HKLM\SOFTWARE\Classes\AppID\{7F46C358-270D-4791-A579-AD1DDA1A3F7B}
Key Found:  HKLM\SOFTWARE\Classes\CLSID\{BAC72C85-CEC6-4B86-AF06-FA20C259FAB8}
Key Found:  HKLM\SOFTWARE\Classes\CLSID\{BD6ECB00-7C4A-4F97-B425-44117F2A7AAE}
Key Found:  HKLM\SOFTWARE\Classes\CLSID\{6557DB6C-EFE1-45AC-92A6-FBB1554B7502}
Key Found:  HKLM\SOFTWARE\Classes\CLSID\{E4ADC61E-D06A-4E0E-8582-78C809CC8450}
Key Found:  HKLM\SOFTWARE\Classes\Interface\{7BCA6879-A9F8-47DE-AE05-F5CE7EA3A474}
Key Found:  HKLM\SOFTWARE\Classes\TypeLib\{ADF1FA2A-6EAA-4A97-A55F-3C8B92843EF5}
Key Found:  HKLM\SOFTWARE\Classes\TypeLib\{EB2BEAEF-150C-4DE4-9D09-F16403C22769}
Key Found:  HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{BD6ECB00-7C4A-4F97-B425-44117F2A7AAE}
Key Found:  HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{BD6ECB00-7C4A-4F97-B425-44117F2A7AAE}
Key Found:  [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{2B51C83A-465D-4EA9-9CDC-1ED95ED09AC6}
Key Found:  HKLM\SOFTWARE\Classes\Installer\Features\A38C15B2D5649AE4C9CDE19DE50DA96C
Key Found:  HKLM\SOFTWARE\Classes\Installer\Products\A38C15B2D5649AE4C9CDE19DE50DA96C
Key Found:  [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\3DCCCD6BD02558446B24CF1C63EC213C
Key Found:  [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\A38C15B2D5649AE4C9CDE19DE50DA96C
Key Found:  [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\3DCCCD6BD02558446B24CF1C63EC213C
Key Found:  [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\A38C15B2D5649AE4C9CDE19DE50DA96C
Key Found:  [x64] HKLM\SOFTWARE\Classes\Installer\Features\A38C15B2D5649AE4C9CDE19DE50DA96C
Key Found:  [x64] HKLM\SOFTWARE\Classes\Installer\Products\A38C15B2D5649AE4C9CDE19DE50DA96C
Key Found:  HKU\S-1-5-21-2177810639-1224741293-440217331-1001\Software\Microsoft\Internet Explorer\SearchScopes\{AA9A4890-4262-4441-8977-E2FFCBFB706C}
Key Found:  HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{AA9A4890-4262-4441-8977-E2FFCBFB706C}
Key Found:  HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{AA9A4890-4262-4441-8977-E2FFCBFB706C}
Key Found:  [x64] HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{AA9A4890-4262-4441-8977-E2FFCBFB706C}
Key Found:  [x64] HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{AA9A4890-4262-4441-8977-E2FFCBFB706C}
Key Found:  HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\amazonbrowserapp.com
Key Found:  HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\analytics.app.amazonbrowserapp.com
Key Found:  [x64] HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\amazonbrowserapp.com
Key Found:  [x64] HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\analytics.app.amazonbrowserapp.com
Key Found:  HKLM\SOFTWARE\Classes\AppID\OverlayIcon.DLL
Key Found:  HKLM\SOFTWARE\Google\Chrome\Extensions\ipmkfpcnmccejididiaagpgchgjfajgp
Key Found:  [x64] HKLM\SOFTWARE\Google\Chrome\Extensions\ipmkfpcnmccejididiaagpgchgjfajgp
 
 
***** [ Web browsers ] *****
 
No malicious Firefox based browser items found.
Chrome pref Found:  [C:\Users\natha\AppData\Local\Google\Chrome\User Data\Default\Web data] - aol.com
Chrome pref Found:  [C:\Users\natha\AppData\Local\Google\Chrome\User Data\Default\Web data] - ask.com
Chrome pref Found:  [C:\Users\natha\AppData\Local\Google\Chrome\User Data\Profile 1\Secure Preferences ] - ipmkfpcnmccejididiaagpgchgjfajgp
 
*************************
 
C:\AdwCleaner\AdwCleaner[S0].txt - [6549 Bytes] - [01/04/2017 07:17:43]
 
########## EOF - C:\AdwCleaner\AdwCleaner[S0].txt - [6622 Bytes] ##########
 
 

Edited by HumbleArk, 03 April 2017 - 09:12 AM.


#12 garioch7

garioch7

    RCMP Veteran


  • Malware Response Instructor
  • 3,917 posts
  • Gender:Male
  • Location:Port Hood, Nova Scotia, Canada

Posted 03 April 2017 - 12:59 PM

HumbleArk:
 
Thank you for your logs.  PLEASE be careful out there in cyberspace!
 
Let's have AdwCleaner remove what it detected.

Double click on AdwCleaner.exe to run the tool again. Vista/Windows 7/8/10 users right-click and select Run As Administrator.

  • The tool will start to update the database, please wait for the update to complete.
  • Click on the Scan button.
  • AdwCleaner will begin to scan your computer like it did before.
  • After the scan has finished...
  • Uncheck any PUP and adware applications that you want to keep.
  • Then this time click on the Clean button.
  • Press OK when asked to close all programs and follow the onscreen prompts.
  • Press OK again to allow AdwCleaner to restart the computer and complete the removal process.
  • After rebooting, a logfile report (AdwCleaner[S#].txt) will open automatically (where the largest value of # represents the most recent report).
  • Please copy and paste the contents of that logfile into your next reply.
  • A copy of that logfile will also be saved in the C:\AdwCleaner folder.



Please let me know if you are still having browser redirects after rebooting the computer, after the AdwCleaner "clean".

 

Thank you and have a great day.

 

Regards,

-Phil


Graduate of the Bleeping Computer Malware Removal Study Hall


#13 HumbleArk

HumbleArk
  • Topic Starter

  • Members
  • 8 posts

Posted 04 April 2017 - 11:04 AM

# AdwCleaner v6.045 - Logfile created 04/04/2017 at 11:18:41
# Updated on 28/03/2017 by Malwarebytes
# Database : 2017-04-03.1 [Server]
# Operating System : Windows 10 Home  (X64)
# Username : natha - LAPTOP-I52C26HB
# Running from : C:\Users\natha\Desktop\AdwCleaner (1).exe
# Mode: Clean
 
 
 
***** [ Services ] *****
 
 
 
***** [ Folders ] *****
 
[-] Folder deleted: C:\Program Files\DriverSetupUtility
[-] Folder deleted: C:\ProgramData\DriverSetupUtility
[#] Folder deleted on reboot: C:\ProgramData\Application Data\DriverSetupUtility
 
 
***** [ Files ] *****
 
 
 
***** [ DLL ] *****
 
 
 
***** [ WMI ] *****
 
 
 
***** [ Shortcuts ] *****
 
[-] Shortcut disinfected: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome.lnk
[-] Shortcut disinfected: C:\Users\natha\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Start Tor Browser.lnk
[-] Shortcut disinfected: C:\Users\natha\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Internet Explorer.lnk
[-] Shortcut disinfected: C:\Users\natha\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Google Chrome.lnk
[-] Shortcut disinfected: C:\Users\natha\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Google Chrome.lnk
 
 
***** [ Scheduled Tasks ] *****
 
[-] Task deleted: Software Update Application
 
 
***** [ Registry ] *****
 
[-] Key deleted: HKLM\SOFTWARE\Classes\Amazon.AmazonAssistant.AABroker
[-] Key deleted: HKLM\SOFTWARE\Classes\Amazon.AmazonAssistant.Messenger
[-] Key deleted: HKLM\SOFTWARE\Classes\Amazon1ButtonBrowserHelper.Amazon1ButtonBHO
[-] Key deleted: HKLM\SOFTWARE\Classes\Amazon1ButtonRuntime.Amazon1ButtonRuntime
[-] Key deleted: HKLM\SOFTWARE\Classes\Amazon1ButtonRuntime.AmazonRuntimeServer
[-] Key deleted: HKLM\SOFTWARE\Classes\AmazonAppIE.AppGateway
[-] Key deleted: HKLM\SOFTWARE\Classes\AmazonAppIE.GadgetGateway
[#] Key deleted on reboot: [x64] HKLM\SOFTWARE\Classes\Amazon.AmazonAssistant.AABroker
[#] Key deleted on reboot: [x64] HKLM\SOFTWARE\Classes\Amazon.AmazonAssistant.Messenger
[#] Key deleted on reboot: [x64] HKLM\SOFTWARE\Classes\Amazon1ButtonBrowserHelper.Amazon1ButtonBHO
[#] Key deleted on reboot: [x64] HKLM\SOFTWARE\Classes\Amazon1ButtonRuntime.Amazon1ButtonRuntime
[#] Key deleted on reboot: [x64] HKLM\SOFTWARE\Classes\Amazon1ButtonRuntime.AmazonRuntimeServer
[#] Key deleted on reboot: [x64] HKLM\SOFTWARE\Classes\AmazonAppIE.AppGateway
[#] Key deleted on reboot: [x64] HKLM\SOFTWARE\Classes\AmazonAppIE.GadgetGateway
[-] Key deleted: HKLM\SOFTWARE\Classes\AppID\{7F46C358-270D-4791-A579-AD1DDA1A3F7B}
[-] Key deleted: HKLM\SOFTWARE\Classes\CLSID\{BAC72C85-CEC6-4B86-AF06-FA20C259FAB8}
[-] Key deleted: HKLM\SOFTWARE\Classes\CLSID\{BD6ECB00-7C4A-4F97-B425-44117F2A7AAE}
[-] Key deleted: HKLM\SOFTWARE\Classes\CLSID\{6557DB6C-EFE1-45AC-92A6-FBB1554B7502}
[-] Key deleted: HKLM\SOFTWARE\Classes\CLSID\{E4ADC61E-D06A-4E0E-8582-78C809CC8450}
[-] Key deleted: HKLM\SOFTWARE\Classes\Interface\{7BCA6879-A9F8-47DE-AE05-F5CE7EA3A474}
[-] Key deleted: HKLM\SOFTWARE\Classes\TypeLib\{ADF1FA2A-6EAA-4A97-A55F-3C8B92843EF5}
[-] Key deleted: HKLM\SOFTWARE\Classes\TypeLib\{EB2BEAEF-150C-4DE4-9D09-F16403C22769}
[-] Key deleted: HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{BD6ECB00-7C4A-4F97-B425-44117F2A7AAE}
[-] Key deleted: HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{BD6ECB00-7C4A-4F97-B425-44117F2A7AAE}
[-] Key deleted: [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{2B51C83A-465D-4EA9-9CDC-1ED95ED09AC6}
[-] Key deleted: HKLM\SOFTWARE\Classes\Installer\Features\A38C15B2D5649AE4C9CDE19DE50DA96C
[-] Key deleted: HKLM\SOFTWARE\Classes\Installer\Products\A38C15B2D5649AE4C9CDE19DE50DA96C
[-] Key deleted: [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\3DCCCD6BD02558446B24CF1C63EC213C
[-] Key deleted: [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\A38C15B2D5649AE4C9CDE19DE50DA96C
[#] Key deleted on reboot: [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\3DCCCD6BD02558446B24CF1C63EC213C
[#] Key deleted on reboot: [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\A38C15B2D5649AE4C9CDE19DE50DA96C
[#] Key deleted on reboot: [x64] HKLM\SOFTWARE\Classes\Installer\Features\A38C15B2D5649AE4C9CDE19DE50DA96C
[#] Key deleted on reboot: [x64] HKLM\SOFTWARE\Classes\Installer\Products\A38C15B2D5649AE4C9CDE19DE50DA96C
[-] Key deleted: [x64] HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{AA9A4890-4262-4441-8977-E2FFCBFB706C}
[-] Key deleted: HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\amazonbrowserapp.com
[-] Key deleted: HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\analytics.app.amazonbrowserapp.com
[#] Key deleted on reboot: [x64] HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\amazonbrowserapp.com
[#] Key deleted on reboot: [x64] HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\analytics.app.amazonbrowserapp.com
[-] Key deleted: HKLM\SOFTWARE\Classes\AppID\OverlayIcon.DLL
[-] Key deleted: HKLM\SOFTWARE\Google\Chrome\Extensions\ipmkfpcnmccejididiaagpgchgjfajgp
[-] Key deleted: [x64] HKLM\SOFTWARE\Google\Chrome\Extensions\ipmkfpcnmccejididiaagpgchgjfajgp
 
 
***** [ Web browsers ] *****
 
[-] [C:\Users\natha\AppData\Local\Google\Chrome\User Data\Default\Web data] [Search Provider] Deleted: aol.com
[-] [C:\Users\natha\AppData\Local\Google\Chrome\User Data\Default\Web data] [Search Provider] Deleted: ask.com
[-] [C:\Users\natha\AppData\Local\Google\Chrome\User Data\Profile 1\Web data] [Search Provider] Deleted: aol.com
[-] [C:\Users\natha\AppData\Local\Google\Chrome\User Data\Profile 1\Web data] [Search Provider] Deleted: ask.com
[-] [C:\Users\natha\AppData\Local\Google\Chrome\User Data\Profile 1] [extension] Deleted: ipmkfpcnmccejididiaagpgchgjfajgp
 
 
*************************
 
:: "Tracing" keys deleted
:: Winsock settings cleared
 
*************************
 
C:\AdwCleaner\AdwCleaner[C0].txt - [6124 Bytes] - [04/04/2017 11:18:41]
C:\AdwCleaner\AdwCleaner[S0].txt - [6777 Bytes] - [01/04/2017 07:17:43]
C:\AdwCleaner\AdwCleaner[S1].txt - [6585 Bytes] - [04/04/2017 11:15:52]
 
########## EOF - C:\AdwCleaner\AdwCleaner[C0].txt - [6343 Bytes] ##########


Thanks man. This looks like it took away that scareware. So far I'm not seeing it pop up. If anything changes I'll let you know.


#14 garioch7

garioch7

    RCMP Veteran


  • Malware Response Instructor
  • 3,917 posts
  • Gender:Male
  • Location:Port Hood, Nova Scotia, Canada

Posted 04 April 2017 - 12:50 PM

HumbleArk:

 

Thank you for your post and the AdwCleaner log. I am really happy to hear the news that things are looking good!

 

I will hold this topic open for another three days so you can report back, in case something happens.

 

Thank you and have a great day.

 

Regards,

-Phil


Graduate of the Bleeping Computer Malware Removal Study Hall


#15 HumbleArk

HumbleArk
  • Topic Starter

  • Members
  • 8 posts

Posted 04 April 2017 - 05:24 PM

Alright, so I'm guessing at this point we're in the all clear about the whole hacking business and nothing is going on then.

It's just such a strange freak accident if I ever saw one. Why would a blurred-out picture of one of my friends from Facebook randomly appear in a chatroom on Twitch? If there is no hax involved with that, then my computer must just have some really bad kinks in it or something that allow it to do weird things like this.

Anyway, I'm guessing things are OK since you're not asking for any more scans or anything. So I'll be done from here then, unless you have any additional stuff that comes to mind.
