Windows Defender shuts itself off. Possible malware?

15 replies to this topic

#1 RisingManes

  • Members
  • 39 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Puerto Rico
  • Local time:01:56 PM

Posted 17 May 2017 - 05:08 PM

Cheers, and thank you for your time.

 

I'm making this thread because I noticed my Windows Defender shuts itself off, and I would like to get to the bottom of this.

 

I started to notice this yesterday after downloading a MIDI file from a website I won't disclose right away, using Opera. "One" file inexplicably became 20, with no real explanation beyond "poorly programmed site" or "malicious software". The former is a possibility only because, while 20 MIDI files were downloaded, they were all of different sizes, correlating to what I saw on that page.

 

Malwarebytes did not detect anything, and I had not used any torrent software in a long while.

 

Worth noting is that I uninstalled Avast a while back due to disk issues (I may address this at a later date).

 

I'd like opinions and solutions.


Edited by hamluis, 17 May 2017 - 05:12 PM.
Moved from W10 Spt to Am I Infected - Hamluis.



#2 PuReinSAniTY

  • Members
  • 432 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:in a basement
  • Local time:03:26 AM

Posted 17 May 2017 - 05:33 PM

Windows Defender shutting off can have multiple causes.

 

Can you go ahead and run a HitmanPro scan for me, then save and post the log.

 

Next we'll be doing an ESET online scan.

 

Note: You can use either Internet Explorer or Mozilla Firefox for this scan. You will, however, need to disable your currently installed anti-virus; how to do so can be read here.

Note: Vista/Windows 7 users: You will need to right-click on either the IE or FF icon in the Start Menu or Quick Launch Bar on the Taskbar and select Run as Administrator from the context menu.
 

  • Hold down Control and click on this link to open ESET OnlineScan in a new window.
  • Click the ESET Online Scanner button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on esetsmartinstaller_enu.exe to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the esetsmartinstaller_enu.exe icon on your desktop.
  • Check "YES, I accept the Terms of Use."
  • Click the Start button.
  • Accept any security warnings from your browser.
  • Under scan settings, check "Scan Archives" and "Remove found threats".
  • Click Advanced settings and select the following:
    • Scan potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth technology
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, click List Threats.
  • Click Export, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • On ESET: Click the Back button, then the Finish button.

Post both of these logs and I'll take a look at them.


they call me te java mayster
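Before treating a Defender that keeps turning itself off as a malware symptom, it is worth collecting the evidence that separates the usual causes: a policy or registry switch set by an admin, an "optimizer" tool, or malware; a third-party anti-virus (or a stale registration left behind by one that was uninstalled, such as the Avast mentioned in the first post) registered with Security Center, which makes Windows 10 disable Defender on its own; or Defender's service simply being stopped. The script below is an added PowerShell example written for this page; it is not from the thread or from any tool mentioned in it. It assumes an elevated PowerShell prompt on Windows 10 and uses only built-in cmdlets; the registry values and the Defender operational-log event IDs (5001 real-time protection disabled, 5007 configuration changed, 5010/5012 antispyware/antivirus scanning disabled) are the ones Microsoft documents. The function names are this example's own.

```powershell
# Added example (not from the thread): gather the evidence that explains why Windows
# Defender reports itself as off on Windows 10. Run from an elevated prompt.

function Get-DefenderPolicyState {
    # Group Policy / registry switches that turn Defender off. Admins set these via GPO;
    # malware and some "optimizer" tools set them too. A blank value means "not configured".
    $policy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender'
    $rtp    = Join-Path $policy 'Real-Time Protection'
    [pscustomobject]@{
        DisableAntiSpyware        = (Get-ItemProperty -Path $policy -Name DisableAntiSpyware        -ErrorAction SilentlyContinue).DisableAntiSpyware
        DisableAntiVirus          = (Get-ItemProperty -Path $policy -Name DisableAntiVirus          -ErrorAction SilentlyContinue).DisableAntiVirus
        DisableRealtimeMonitoring = (Get-ItemProperty -Path $rtp    -Name DisableRealtimeMonitoring -ErrorAction SilentlyContinue).DisableRealtimeMonitoring
    }
}

function Get-RegisteredAntivirus {
    # Windows 10 turns Defender off by itself when another AV registers with Security Center.
    # A leftover registration from an uninstalled product gives exactly the symptom in this thread.
    Get-CimInstance -Namespace 'root/SecurityCenter2' -ClassName AntiVirusProduct |
        Select-Object displayName, productState, pathToSignedProductExe
}

function Get-DefenderDisableEvents {
    param([int]$Days = 7)
    # 5001 = real-time protection disabled, 5010/5012 = antispyware/antivirus scanning disabled,
    # 5007 = configuration changed (its message names the setting, old value and new value).
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 5001, 5007, 5010, 5012
        StartTime = (Get-Date).AddDays(-$Days)
    } -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, Message
}

# --- Report: read top to bottom; the first non-default answer is usually the cause. ---
'== Defender service (should be Running / Automatic) =='
Get-Service -Name WinDefend | Select-Object Status, StartType

'== Defender self-reported status =='
Get-MpComputerStatus |
    Select-Object AntivirusEnabled, RealTimeProtectionEnabled, AntispywareEnabled,
                  AMServiceEnabled, AntivirusSignatureLastUpdated

'== Policy/registry switches (blank = not set) =='
Get-DefenderPolicyState

'== Products registered with Security Center (anything besides Windows Defender disables it) =='
Get-RegisteredAntivirus

'== Defender disable / configuration-change events, last 7 days =='
Get-DefenderDisableEvents | Format-Table -AutoSize -Wrap
```

If a policy value is set to 1 and no administrator put it there, note who or what changed it (the 5007 events carry a timestamp that can be lined up with the download described in the first post) before clearing it; if a third-party product is still registered, removing its remnants with the vendor's own uninstall tool is the fix rather than any malware removal.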


#3 RisingManes (Topic Starter)

Posted 17 May 2017 - 10:19 PM

I have the log files... was there a spoiler tag in this forum? I'd like to use it to keep this post tidy, but oh well.

 

Exhibit A: HitmanPro log.

 

HitmanPro 3.7.20.286
www.hitmanpro.com

   Computer name . . . . : MANES-MEMENTO
   Windows . . . . . . . : 10.0.0.15063.X64/4
   User name . . . . . . : MANES-MEMENTO\Ileres
   UAC . . . . . . . . . : Enabled
   License . . . . . . . : Free

   Scan date . . . . . . : 2017-05-17 18:55:26
   Scan mode . . . . . . : Normal
   Scan duration . . . . : 17m 11s
   Disk access mode  . . : Direct disk access (SRB)
   Cloud . . . . . . . . : Internet
   Reboot  . . . . . . . : No

   Threats . . . . . . . : 0
   Traces  . . . . . . . : 228

   Objects scanned . . . : 2,797,446
   Files scanned . . . . : 207,527
   Remnants scanned  . . : 1,056,797 files / 1,533,122 keys

Suspicious files ____________________________________________________________

   C:\Users\Ileres\Documents\New folder\IntenseRO\IntenseROV3.exe
      Size . . . . . . . : 4,531,200 bytes
      Age  . . . . . . . : 396.1 days (2016-04-16 16:51:45)
      Entropy  . . . . . : 6.6
      SHA-256  . . . . . : FB2992058C44DEE1C49E1F8790999F0359C7445BE4ED35A3A1EAB1A01BC5C4BF
      Fuzzy  . . . . . . : 28.0
         The .reloc (relocation) section in this program contains code. This is an indication of malware infection.
         The .rsrc (resources) section in this program is set to executable. This is an indication of malware infection.
         Entropy (or randomness) indicates the program is encrypted, compressed or obfuscated. This is not typical for most programs.
         Authors name is missing in version info. This is not common to most programs.
         Version control is missing. This file is probably created by an individual. This is not typical for most programs.
         Program contains PE structure anomalies. This is not typical for most programs.

   C:\Users\Ileres\Downloads\Games\Reborn15\gif.dll
      Size . . . . . . . : 32,768 bytes
      Age  . . . . . . . : 266.2 days (2016-08-24 13:45:15)
      Entropy  . . . . . : 5.7
      SHA-256  . . . . . : C388F705424AC6EFE60F9BBA0D6F83F0D9A7F4D8E37513BB51587D3721F25221
      Fuzzy  . . . . . . : 25.0
         The .reloc (relocation) section in this program contains code. This is an indication of malware infection.
         Entropy (or randomness) indicates the program is encrypted, compressed or obfuscated. This is not typical for most programs.
         Authors name is missing in version info. This is not common to most programs.
         Version control is missing. This file is probably created by an individual. This is not typical for most programs.
         Program contains PE structure anomalies. This is not typical for most programs.

   C:\Users\Ileres\Downloads\Games\Reborn15\rubyscreen.dll
      Size . . . . . . . : 28,160 bytes
      Age  . . . . . . . : 266.2 days (2016-08-24 13:45:28)
      Entropy  . . . . . : 5.6
      SHA-256  . . . . . : 777055E7400B49941CC083F86343C8BB5C8C067021B32435809E87E4BEBE3807
      Fuzzy  . . . . . . : 25.0
         The .reloc (relocation) section in this program contains code. This is an indication of malware infection.
         Entropy (or randomness) indicates the program is encrypted, compressed or obfuscated. This is not typical for most programs.
         Authors name is missing in version info. This is not common to most programs.
         Version control is missing. This file is probably created by an individual. This is not typical for most programs.
         Program contains PE structure anomalies. This is not typical for most programs.

   C:\WINDOWS\SysWOW64\GameMon.des
      Size . . . . . . . : 3,916,368 bytes
      Age  . . . . . . . : 470.4 days (2016-02-02 10:27:53)
      Entropy  . . . . . : 8.0
      SHA-256  . . . . . : C2FA0CBBF038F74F8A30F86E289C09D488A36285BF6BBD45CD44C855F6696B1B
      Product  . . . . . : nProtect Game Monitor
      Publisher  . . . . : INCA Internet Co., Ltd.
      Description  . . . : nProtect Game Monitor Rev 2368
      Version  . . . . . : 2016.1.10.1
      RSA Key Size . . . : 2048
      Service  . . . . . : npggsvc
      LanguageID . . . . : 1042
      Authenticode . . . : Valid
      Fuzzy  . . . . . . : 25.0
         The file name extension of this program is not common.
         Entropy (or randomness) indicates the program is encrypted, compressed or obfuscated. This is not typical for most programs.
         The file is located in a folder that contains core operating system files from Windows. This is not typical for most programs and is only common to system tools, drivers and hacking utilities.
         Starts automatically as a service during system bootup.
         Program is code signed with a valid Authenticode certificate.
      Startup
         HKLM\SYSTEM\CurrentControlSet\Services\npggsvc\


Potential Unwanted Programs _________________________________________________

   HKLM\SOFTWARE\WOW6432Node\Auslogics\Google Analytics Package\ (TweakBit)

Cookies _____________________________________________________________________

   C:\Users\Ileres\AppData\Local\Google\Chrome\User Data\Default\Cookies:107300789.log.optimizely.com
   C:\Users\Ileres\AppData\Local\Google\Chrome\User Data\Default\Cookies:1131552301.log.optimizely.com
   C:\Users\Ileres\AppData\Local\Google\Chrome\User Data\Default\Cookies:122.2o7.net
   C:\Users\Ileres\AppData\Local\Google\Chrome\User Data\Default\Cookies:123709308.log.optimizely.com
   C:\Users\Ileres\AppData\Local\Google\Chrome\User Data\Default\Cookies:1389989609.log.optimizely.com
   C:\Users\Ileres\AppData\Local\Google\Chrome\User Data\Default\Cookies:1425218314.log.optimizely.com
   C:\Users\Ileres\AppData\Local\Google\Chrome\User Data\Default\Cookies:2500080215.log.optimizely.com
   C:\Users\Ileres\AppData\Local\Google\Chrome\User Data\Default\Cookies:2926210385.log.optimizely.com
   C:\Users\Ileres\AppData\Local\Google\Chrome\User Data\Default\Cookies:2o7.net
   C:\Users\Ileres\AppData\Local\Google\Chrome\User Data\Default\Cookies:308705246.log.optimizely.com
   C:\Users\Ileres\AppData\Local\Google\Chrome\User Data\Default\Cookies:318635154.log.optimizely.com
   C:\Users\Ileres\AppData\Local\Google\Chrome\User Data\Default\Cookies:335305610.log.optimizely.com
   C:\Users\Ileres\AppData\Local\Google\Chrome\User Data\Default\Cookies:335736224.log.optimizely.com
   C:\Users\Ileres\AppData\Local\Google\Chrome\User Data\Default\Cookies:4766072562.log.optimizely.com
   C:\Users\Ileres\AppData\Local\Google\Chrome\User Data\Default\Cookies:526710254.log.optimizely.com
   C:\Users\Ileres\AppData\Local\Google\Chrome\User Data\Default\Cookies:6739031.log.optimizely.com
   C:\Users\Ileres\AppData\Local\Google\Chrome\User Data\Default\Cookies:9718688.log.optimizely.com
   C:\Users\Ileres\AppData\Local\Google\Chrome\User Data\Default\Cookies:abmr.net
   C:\Users\Ileres\AppData\Local\Google\Chrome\User Data\Default\Cookies:acuityplatform.com
   C:\Users\Ileres\AppData\Local\Google\Chrome\User Data\Default\Cookies:ad.360yield.com
   C:\Users\Ileres\AppData\Local\Google\Chrome\User Data\Default\Cookies:adadvisor.net
   C:\Users\Ileres\AppData\Local\Google\Chrome\User Data\Default\Cookies:adaptv.advertising.com
   C:\Users\Ileres\AppData\Local\Google\Chrome\User Data\Default\Cookies:adbrn.com
   C:\Users\Ileres\AppData\Local\Google\Chrome\User Data\Default\Cookies:addthis.com
   C:\Users\Ileres\AppData\Local\Google\Chrome\User Data\Default\Cookies:adhigh.net
   C:\Users\Ileres\AppData\Local\Google\Chrome\User Data\Default\Cookies:adingo.jp
   C:\Users\Ileres\AppData\Local\Google\Chrome\User Data\Default\Cookies:adnxs.com
   C:\Users\Ileres\AppData\Local\Google\Chrome\User Data\Default\Cookies:adobe.demdex.net
   C:\Users\Ileres\AppData\Local\Google\Chrome\User Data\Default\Cookies:adobe.tt.omtrdc.net
   C:\Users\Ileres\AppData\Local\Google\Chrome\User Data\Default\Cookies:ads.kiosked.com
   C:\Users\Ileres\AppData\Local\Google\Chrome\User Data\Default\Cookies:ads.linkedin.com
   C:\Users\Ileres\AppData\Local\Google\Chrome\User Data\Default\Cookies:ads.servebom.com
   C:\Users\Ileres\AppData\Local\Google\Chrome\User Data\Default\Cookies:ads.stickyadstv.com
   C:\Users\Ileres\AppData\Local\Google\Chrome\User Data\Default\Cookies:adscale.de
   C:\Users\Ileres\AppData\Local\Google\Chrome\User Data\Default\Cookies:adsrvr.org
   C:\Users\Ileres\AppData\Local\Google\Chrome\User Data\Default\Cookies:adtech.de
   C:\Users\Ileres\AppData\Local\Google\Chrome\User Data\Default\Cookies:adtechjp.com
   C:\Users\Ileres\AppData\Local\Google\Chrome\User Data\Default\Cookies:adtechus.com
   C:\Users\Ileres\AppData\Local\Google\Chrome\User Data\Default\Cookies:advertising.com
   C:\Users\Ileres\AppData\Local\Google\Chrome\User Data\Default\Cookies:agkn.com
   C:\Users\Ileres\AppData\Local\Google\Chrome\User Data\Default\Cookies:amazoncustomerservice.d2.sc.omtrdc.net
   C:\Users\Ileres\AppData\Local\Google\Chrome\User Data\Default\Cookies:api.taboola.com
   C:\Users\Ileres\AppData\Local\Google\Chrome\User Data\Default\Cookies:at.atwola.com
   C:\Users\Ileres\AppData\Local\Google\Chrome\User Data\Default\Cookies:atlanticmedia.122.2o7.net
   C:\Users\Ileres\AppData\Local\Google\Chrome\User Data\Default\Cookies:bayer.d2.sc.omtrdc.net
   C:\Users\Ileres\AppData\Local\Google\Chrome\User Data\Default\Cookies:bidswitch.net
   C:\Users\Ileres\AppData\Local\Google\Chrome\User Data\Default\Cookies:bizrate.com
   C:\Users\Ileres\AppData\Local\Google\Chrome\User Data\Default\Cookies:bluekai.com
   C:\Users\Ileres\AppData\Local\Google\Chrome\User Data\Default\Cookies:bose.demdex.net
   C:\Users\Ileres\AppData\Local\Google\Chrome\User Data\Default\Cookies:casalemedia.com
   C:\Users\Ileres\AppData\Local\Google\Chrome\User Data\Default\Cookies:contextweb.com
   C:\Users\Ileres\AppData\Local\Google\Chrome\User Data\Default\Cookies:ctnsnet.com
   C:\Users\Ileres\AppData\Local\Google\Chrome\User Data\Default\Cookies:cxense.com
   C:\Users\Ileres\AppData\Local\Google\Chrome\User Data\Default\Cookies:demandmedia.trc.taboola.com
   C:\Users\Ileres\AppData\Local\Google\Chrome\User Data\Default\Cookies:demdex.net
   C:\Users\Ileres\AppData\Local\Google\Chrome\User Data\Default\Cookies:dmtracker.com
   C:\Users\Ileres\AppData\Local\Google\Chrome\User Data\Default\Cookies:dmtry.com
   C:\Users\Ileres\AppData\Local\Google\Chrome\User Data\Default\Cookies:domdex.com
   C:\Users\Ileres\AppData\Local\Google\Chrome\User Data\Default\Cookies:dotomi.com
   C:\Users\Ileres\AppData\Local\Google\Chrome\User Data\Default\Cookies:doubleclick.net
   C:\Users\Ileres\AppData\Local\Google\Chrome\User Data\Default\Cookies:dpclk.com
   C:\Users\Ileres\AppData\Local\Google\Chrome\User Data\Default\Cookies:dpm.demdex.net
   C:\Users\Ileres\AppData\Local\Google\Chrome\User Data\Default\Cookies:dynamicyield.com
   C:\Users\Ileres\AppData\Local\Google\Chrome\User Data\Default\Cookies:emjcd.com
   C:\Users\Ileres\AppData\Local\Google\Chrome\User Data\Default\Cookies:engine.adzerk.net
   C:\Users\Ileres\AppData\Local\Google\Chrome\User Data\Default\Cookies:everesttech.net
   C:\Users\Ileres\AppData\Local\Google\Chrome\User Data\Default\Cookies:go.flx1.com
   C:\Users\Ileres\AppData\Local\Google\Chrome\User Data\Default\Cookies:go.sonobi.com
   C:\Users\Ileres\AppData\Local\Google\Chrome\User Data\Default\Cookies:googleadservices.com
   C:\Users\Ileres\AppData\Local\Google\Chrome\User Data\Default\Cookies:gssprt.jp
   C:\Users\Ileres\AppData\Local\Google\Chrome\User Data\Default\Cookies:gwallet.com
   C:\Users\Ileres\AppData\Local\Google\Chrome\User Data\Default\Cookies:hearstmagazines.112.2o7.net
   C:\Users\Ileres\AppData\Local\Google\Chrome\User Data\Default\Cookies:ib.mookie1.com
   C:\Users\Ileres\AppData\Local\Google\Chrome\User Data\Default\Cookies:idgenterprise.d1.sc.omtrdc.net
   C:\Users\Ileres\AppData\Local\Google\Chrome\User Data\Default\Cookies:igodigital.com
   C:\Users\Ileres\AppData\Local\Google\Chrome\User Data\Default\Cookies:ih.adscale.de
   C:\Users\Ileres\AppData\Local\Google\Chrome\User Data\Default\Cookies:imrworldwide.com
   C:\Users\Ileres\AppData\Local\Google\Chrome\User Data\Default\Cookies:in.getclicky.com
   C:\Users\Ileres\AppData\Local\Google\Chrome\User Data\Default\Cookies:kau.li
   C:\Users\Ileres\AppData\Local\Google\Chrome\User Data\Default\Cookies:krxd.net
   C:\Users\Ileres\AppData\Local\Google\Chrome\User Data\Default\Cookies:linksynergy.com
   C:\Users\Ileres\AppData\Local\Google\Chrome\User Data\Default\Cookies:mathtag.com
   C:\Users\Ileres\AppData\Local\Google\Chrome\User Data\Default\Cookies:medhelpinternational.112.2o7.net
   C:\Users\Ileres\AppData\Local\Google\Chrome\User Data\Default\Cookies:mediaplex.com
   C:\Users\Ileres\AppData\Local\Google\Chrome\User Data\Default\Cookies:ml314.com
   C:\Users\Ileres\AppData\Local\Google\Chrome\User Data\Default\Cookies:mmstat.com
   C:\Users\Ileres\AppData\Local\Google\Chrome\User Data\Default\Cookies:mookie1.com
   C:\Users\Ileres\AppData\Local\Google\Chrome\User Data\Default\Cookies:mtvn.demdex.net
   C:\Users\Ileres\AppData\Local\Google\Chrome\User Data\Default\Cookies:nexac.com
   C:\Users\Ileres\AppData\Local\Google\Chrome\User Data\Default\Cookies:omtrdc.net
   C:\Users\Ileres\AppData\Local\Google\Chrome\User Data\Default\Cookies:openx.net
   C:\Users\Ileres\AppData\Local\Google\Chrome\User Data\Default\Cookies:outbrain.com
   C:\Users\Ileres\AppData\Local\Google\Chrome\User Data\Default\Cookies:owneriq.net
   C:\Users\Ileres\AppData\Local\Google\Chrome\User Data\Default\Cookies:paypal.d1.sc.omtrdc.net
   C:\Users\Ileres\AppData\Local\Google\Chrome\User Data\Default\Cookies:pcworldcommunication.d2.sc.omtrdc.net
   C:\Users\Ileres\AppData\Local\Google\Chrome\User Data\Default\Cookies:pixel.rubiconproject.com
   C:\Users\Ileres\AppData\Local\Google\Chrome\User Data\Default\Cookies:po.st
   C:\Users\Ileres\AppData\Local\Google\Chrome\User Data\Default\Cookies:pool.admedo.com
   C:\Users\Ileres\AppData\Local\Google\Chrome\User Data\Default\Cookies:pubmatic.com
   C:\Users\Ileres\AppData\Local\Google\Chrome\User Data\Default\Cookies:rd.linksynergy.com
   C:\Users\Ileres\AppData\Local\Google\Chrome\User Data\Default\Cookies:revsci.net
   C:\Users\Ileres\AppData\Local\Google\Chrome\User Data\Default\Cookies:rfihub.com
   C:\Users\Ileres\AppData\Local\Google\Chrome\User Data\Default\Cookies:rlcdn.com
   C:\Users\Ileres\AppData\Local\Google\Chrome\User Data\Default\Cookies:rodale.d1.sc.omtrdc.net
   C:\Users\Ileres\AppData\Local\Google\Chrome\User Data\Default\Cookies:ru4.com
   C:\Users\Ileres\AppData\Local\Google\Chrome\User Data\Default\Cookies:rubiconproject.com
   C:\Users\Ileres\AppData\Local\Google\Chrome\User Data\Default\Cookies:s7.addthis.com
   C:\Users\Ileres\AppData\Local\Google\Chrome\User Data\Default\Cookies:scorecardresearch.com
   C:\Users\Ileres\AppData\Local\Google\Chrome\User Data\Default\Cookies:scripps.demdex.net
   C:\Users\Ileres\AppData\Local\Google\Chrome\User Data\Default\Cookies:serving-sys.com
   C:\Users\Ileres\AppData\Local\Google\Chrome\User Data\Default\Cookies:sitescout.com
   C:\Users\Ileres\AppData\Local\Google\Chrome\User Data\Default\Cookies:skimresources.com
   C:\Users\Ileres\AppData\Local\Google\Chrome\User Data\Default\Cookies:smartadserver.com
   C:\Users\Ileres\AppData\Local\Google\Chrome\User Data\Default\Cookies:statcounter.com
   C:\Users\Ileres\AppData\Local\Google\Chrome\User Data\Default\Cookies:stats.paypal.com
   C:\Users\Ileres\AppData\Local\Google\Chrome\User Data\Default\Cookies:swid.switchads.com
   C:\Users\Ileres\AppData\Local\Google\Chrome\User Data\Default\Cookies:sxp.smartclip.net
   C:\Users\Ileres\AppData\Local\Google\Chrome\User Data\Default\Cookies:taboola.com
   C:\Users\Ileres\AppData\Local\Google\Chrome\User Data\Default\Cookies:tap.rubiconproject.com
   C:\Users\Ileres\AppData\Local\Google\Chrome\User Data\Default\Cookies:tidaltv.com
   C:\Users\Ileres\AppData\Local\Google\Chrome\User Data\Default\Cookies:trc.taboola.com
   C:\Users\Ileres\AppData\Local\Google\Chrome\User Data\Default\Cookies:tremorhub.com
   C:\Users\Ileres\AppData\Local\Google\Chrome\User Data\Default\Cookies:tubemogul.com
   C:\Users\Ileres\AppData\Local\Google\Chrome\User Data\Default\Cookies:u3s.mathtag.com
   C:\Users\Ileres\AppData\Local\Google\Chrome\User Data\Default\Cookies:univide.com
   C:\Users\Ileres\AppData\Local\Google\Chrome\User Data\Default\Cookies:w55c.net
   C:\Users\Ileres\AppData\Local\Google\Chrome\User Data\Default\Cookies:www.googleadservices.com
   C:\Users\Ileres\AppData\Local\Microsoft\Windows\INetCookies\09ZNRWAG.cookie
   C:\Users\Ileres\AppData\Local\Microsoft\Windows\INetCookies\0AY7K29S.cookie
   C:\Users\Ileres\AppData\Local\Microsoft\Windows\INetCookies\2M78TR4R.cookie
   C:\Users\Ileres\AppData\Local\Microsoft\Windows\INetCookies\3CDNMYT9.cookie
   C:\Users\Ileres\AppData\Local\Microsoft\Windows\INetCookies\3JV59U4S.cookie
   C:\Users\Ileres\AppData\Local\Microsoft\Windows\INetCookies\50KG4T3H.cookie
   C:\Users\Ileres\AppData\Local\Microsoft\Windows\INetCookies\5KKGS67L.cookie
   C:\Users\Ileres\AppData\Local\Microsoft\Windows\INetCookies\5TKTJ6GZ.cookie
   C:\Users\Ileres\AppData\Local\Microsoft\Windows\INetCookies\779BJT2N.cookie
   C:\Users\Ileres\AppData\Local\Microsoft\Windows\INetCookies\886QV8NT.cookie
   C:\Users\Ileres\AppData\Local\Microsoft\Windows\INetCookies\A3P3P8KS.cookie
   C:\Users\Ileres\AppData\Local\Microsoft\Windows\INetCookies\BCVYSI1S.cookie
   C:\Users\Ileres\AppData\Local\Microsoft\Windows\INetCookies\C9DRI1JF.cookie
   C:\Users\Ileres\AppData\Local\Microsoft\Windows\INetCookies\D0NAN0GT.cookie
   C:\Users\Ileres\AppData\Local\Microsoft\Windows\INetCookies\EC9Y22IP.cookie
   C:\Users\Ileres\AppData\Local\Microsoft\Windows\INetCookies\F0TFI9K3.cookie
   C:\Users\Ileres\AppData\Local\Microsoft\Windows\INetCookies\FSJHJTE9.cookie
   C:\Users\Ileres\AppData\Local\Microsoft\Windows\INetCookies\GKOKOXQ4.cookie
   C:\Users\Ileres\AppData\Local\Microsoft\Windows\INetCookies\Low\N45ZANJQ.cookie
   C:\Users\Ileres\AppData\Local\Microsoft\Windows\INetCookies\NBMOGQS7.cookie
   C:\Users\Ileres\AppData\Local\Microsoft\Windows\INetCookies\NS7GCGOR.cookie
   C:\Users\Ileres\AppData\Local\Microsoft\Windows\INetCookies\NTE8ZE5X.cookie
   C:\Users\Ileres\AppData\Local\Microsoft\Windows\INetCookies\PR9HZD0M.cookie
   C:\Users\Ileres\AppData\Local\Microsoft\Windows\INetCookies\RLH4QC5S.cookie
   C:\Users\Ileres\AppData\Local\Microsoft\Windows\INetCookies\S2ZOVJA8.cookie
   C:\Users\Ileres\AppData\Local\Microsoft\Windows\INetCookies\TV9C0X12.cookie
   C:\Users\Ileres\AppData\Local\Microsoft\Windows\INetCookies\UR51TA0L.cookie
   C:\Users\Ileres\AppData\Local\Microsoft\Windows\INetCookies\UW0640EX.cookie
   C:\Users\Ileres\AppData\Local\Microsoft\Windows\INetCookies\X41S0IS2.cookie
   C:\Users\Ileres\AppData\Local\Microsoft\Windows\INetCookies\ZMKWMG8W.cookie
   C:\Users\Ileres\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cookies\9F8GGG5G.cookie
   C:\Users\Ileres\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!002\MicrosoftEdge\Cookies\4Q9C3BV4.cookie
   C:\Users\Ileres\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!002\MicrosoftEdge\Cookies\7YOU2Z2W.cookie
   C:\Users\Ileres\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!002\MicrosoftEdge\Cookies\YI33KQ6D.cookie
   C:\Users\Ileres\AppData\Roaming\Mozilla\Firefox\Profiles\dc3vez6v.default-1448050716086\cookies.sqlite:254a.com
   C:\Users\Ileres\AppData\Roaming\Mozilla\Firefox\Profiles\dc3vez6v.default-1448050716086\cookies.sqlite:554924358.log.optimizely.com
   C:\Users\Ileres\AppData\Roaming\Mozilla\Firefox\Profiles\dc3vez6v.default-1448050716086\cookies.sqlite:acuityplatform.com
   C:\Users\Ileres\AppData\Roaming\Mozilla\Firefox\Profiles\dc3vez6v.default-1448050716086\cookies.sqlite:ad.360yield.com
   C:\Users\Ileres\AppData\Roaming\Mozilla\Firefox\Profiles\dc3vez6v.default-1448050716086\cookies.sqlite:adaptv.advertising.com
   C:\Users\Ileres\AppData\Roaming\Mozilla\Firefox\Profiles\dc3vez6v.default-1448050716086\cookies.sqlite:addthis.com
   C:\Users\Ileres\AppData\Roaming\Mozilla\Firefox\Profiles\dc3vez6v.default-1448050716086\cookies.sqlite:adfarm1.adition.com
   C:\Users\Ileres\AppData\Roaming\Mozilla\Firefox\Profiles\dc3vez6v.default-1448050716086\cookies.sqlite:adform.net
   C:\Users\Ileres\AppData\Roaming\Mozilla\Firefox\Profiles\dc3vez6v.default-1448050716086\cookies.sqlite:adgrx.com
   C:\Users\Ileres\AppData\Roaming\Mozilla\Firefox\Profiles\dc3vez6v.default-1448050716086\cookies.sqlite:adhigh.net
   C:\Users\Ileres\AppData\Roaming\Mozilla\Firefox\Profiles\dc3vez6v.default-1448050716086\cookies.sqlite:adnxs.com
   C:\Users\Ileres\AppData\Roaming\Mozilla\Firefox\Profiles\dc3vez6v.default-1448050716086\cookies.sqlite:ads.creative-serving.com
   C:\Users\Ileres\AppData\Roaming\Mozilla\Firefox\Profiles\dc3vez6v.default-1448050716086\cookies.sqlite:ads.servebom.com
   C:\Users\Ileres\AppData\Roaming\Mozilla\Firefox\Profiles\dc3vez6v.default-1448050716086\cookies.sqlite:ads.stickyadstv.com
   C:\Users\Ileres\AppData\Roaming\Mozilla\Firefox\Profiles\dc3vez6v.default-1448050716086\cookies.sqlite:adsrvr.org
   C:\Users\Ileres\AppData\Roaming\Mozilla\Firefox\Profiles\dc3vez6v.default-1448050716086\cookies.sqlite:adsymptotic.com
   C:\Users\Ileres\AppData\Roaming\Mozilla\Firefox\Profiles\dc3vez6v.default-1448050716086\cookies.sqlite:advertising.com
   C:\Users\Ileres\AppData\Roaming\Mozilla\Firefox\Profiles\dc3vez6v.default-1448050716086\cookies.sqlite:adzerk.net
   C:\Users\Ileres\AppData\Roaming\Mozilla\Firefox\Profiles\dc3vez6v.default-1448050716086\cookies.sqlite:agkn.com
   C:\Users\Ileres\AppData\Roaming\Mozilla\Firefox\Profiles\dc3vez6v.default-1448050716086\cookies.sqlite:angsrvr.com
   C:\Users\Ileres\AppData\Roaming\Mozilla\Firefox\Profiles\dc3vez6v.default-1448050716086\cookies.sqlite:bidswitch.net
   C:\Users\Ileres\AppData\Roaming\Mozilla\Firefox\Profiles\dc3vez6v.default-1448050716086\cookies.sqlite:bluekai.com
   C:\Users\Ileres\AppData\Roaming\Mozilla\Firefox\Profiles\dc3vez6v.default-1448050716086\cookies.sqlite:casalemedia.com
   C:\Users\Ileres\AppData\Roaming\Mozilla\Firefox\Profiles\dc3vez6v.default-1448050716086\cookies.sqlite:chango.com
   C:\Users\Ileres\AppData\Roaming\Mozilla\Firefox\Profiles\dc3vez6v.default-1448050716086\cookies.sqlite:contextweb.com
   C:\Users\Ileres\AppData\Roaming\Mozilla\Firefox\Profiles\dc3vez6v.default-1448050716086\cookies.sqlite:ctnsnet.com
   C:\Users\Ileres\AppData\Roaming\Mozilla\Firefox\Profiles\dc3vez6v.default-1448050716086\cookies.sqlite:demdex.net
   C:\Users\Ileres\AppData\Roaming\Mozilla\Firefox\Profiles\dc3vez6v.default-1448050716086\cookies.sqlite:dotomi.com
   C:\Users\Ileres\AppData\Roaming\Mozilla\Firefox\Profiles\dc3vez6v.default-1448050716086\cookies.sqlite:doubleclick.net
   C:\Users\Ileres\AppData\Roaming\Mozilla\Firefox\Profiles\dc3vez6v.default-1448050716086\cookies.sqlite:dpm.demdex.net
   C:\Users\Ileres\AppData\Roaming\Mozilla\Firefox\Profiles\dc3vez6v.default-1448050716086\cookies.sqlite:dynamicyield.com
   C:\Users\Ileres\AppData\Roaming\Mozilla\Firefox\Profiles\dc3vez6v.default-1448050716086\cookies.sqlite:engine.adzerk.net
   C:\Users\Ileres\AppData\Roaming\Mozilla\Firefox\Profiles\dc3vez6v.default-1448050716086\cookies.sqlite:everesttech.net
   C:\Users\Ileres\AppData\Roaming\Mozilla\Firefox\Profiles\dc3vez6v.default-1448050716086\cookies.sqlite:eyeviewads.com
   C:\Users\Ileres\AppData\Roaming\Mozilla\Firefox\Profiles\dc3vez6v.default-1448050716086\cookies.sqlite:gwallet.com
   C:\Users\Ileres\AppData\Roaming\Mozilla\Firefox\Profiles\dc3vez6v.default-1448050716086\cookies.sqlite:krxd.net
   C:\Users\Ileres\AppData\Roaming\Mozilla\Firefox\Profiles\dc3vez6v.default-1448050716086\cookies.sqlite:match.adsby.bidtheatre.com
   C:\Users\Ileres\AppData\Roaming\Mozilla\Firefox\Profiles\dc3vez6v.default-1448050716086\cookies.sqlite:mathtag.com
   C:\Users\Ileres\AppData\Roaming\Mozilla\Firefox\Profiles\dc3vez6v.default-1448050716086\cookies.sqlite:media6degrees.com
   C:\Users\Ileres\AppData\Roaming\Mozilla\Firefox\Profiles\dc3vez6v.default-1448050716086\cookies.sqlite:mookie1.com
   C:\Users\Ileres\AppData\Roaming\Mozilla\Firefox\Profiles\dc3vez6v.default-1448050716086\cookies.sqlite:openx.net
   C:\Users\Ileres\AppData\Roaming\Mozilla\Firefox\Profiles\dc3vez6v.default-1448050716086\cookies.sqlite:pcworldcommunication.d2.sc.omtrdc.net
   C:\Users\Ileres\AppData\Roaming\Mozilla\Firefox\Profiles\dc3vez6v.default-1448050716086\cookies.sqlite:po.st
   C:\Users\Ileres\AppData\Roaming\Mozilla\Firefox\Profiles\dc3vez6v.default-1448050716086\cookies.sqlite:pubmatic.com
   C:\Users\Ileres\AppData\Roaming\Mozilla\Firefox\Profiles\dc3vez6v.default-1448050716086\cookies.sqlite:revsci.net
   C:\Users\Ileres\AppData\Roaming\Mozilla\Firefox\Profiles\dc3vez6v.default-1448050716086\cookies.sqlite:rfihub.com
   C:\Users\Ileres\AppData\Roaming\Mozilla\Firefox\Profiles\dc3vez6v.default-1448050716086\cookies.sqlite:rlcdn.com
   C:\Users\Ileres\AppData\Roaming\Mozilla\Firefox\Profiles\dc3vez6v.default-1448050716086\cookies.sqlite:rubiconproject.com
   C:\Users\Ileres\AppData\Roaming\Mozilla\Firefox\Profiles\dc3vez6v.default-1448050716086\cookies.sqlite:rvty.net
   C:\Users\Ileres\AppData\Roaming\Mozilla\Firefox\Profiles\dc3vez6v.default-1448050716086\cookies.sqlite:scorecardresearch.com
   C:\Users\Ileres\AppData\Roaming\Mozilla\Firefox\Profiles\dc3vez6v.default-1448050716086\cookies.sqlite:simpli.fi
   C:\Users\Ileres\AppData\Roaming\Mozilla\Firefox\Profiles\dc3vez6v.default-1448050716086\cookies.sqlite:sitescout.com
   C:\Users\Ileres\AppData\Roaming\Mozilla\Firefox\Profiles\dc3vez6v.default-1448050716086\cookies.sqlite:taboola.com
   C:\Users\Ileres\AppData\Roaming\Mozilla\Firefox\Profiles\dc3vez6v.default-1448050716086\cookies.sqlite:tapad.com
   C:\Users\Ileres\AppData\Roaming\Mozilla\Firefox\Profiles\dc3vez6v.default-1448050716086\cookies.sqlite:tidaltv.com
   C:\Users\Ileres\AppData\Roaming\Mozilla\Firefox\Profiles\dc3vez6v.default-1448050716086\cookies.sqlite:trc.taboola.com
   C:\Users\Ileres\AppData\Roaming\Mozilla\Firefox\Profiles\dc3vez6v.default-1448050716086\cookies.sqlite:tribalfusion.com
   C:\Users\Ileres\AppData\Roaming\Mozilla\Firefox\Profiles\dc3vez6v.default-1448050716086\cookies.sqlite:tubemogul.com
   C:\Users\Ileres\AppData\Roaming\Mozilla\Firefox\Profiles\dc3vez6v.default-1448050716086\cookies.sqlite:turn.com
   C:\Users\Ileres\AppData\Roaming\Mozilla\Firefox\Profiles\dc3vez6v.default-1448050716086\cookies.sqlite:w55c.net
   C:\Users\Ileres\AppData\Roaming\Mozilla\Firefox\Profiles\dc3vez6v.default-1448050716086\cookies.sqlite:wtp101.com

Exhibit B: ESET log.

 

C:\Users\Ileres\Downloads\ccsetup517.exe    Win32/Bundled.Toolbar.Google.D potentially unsafe application
C:\Users\Ileres\Downloads\spsetup128.exe    Win32/Bundled.Toolbar.Google.D potentially unsafe application
C:\Users\Ileres\Downloads\spsetup129 (1).exe    Win32/Bundled.Toolbar.Google.D potentially unsafe application
C:\Users\Ileres\Downloads\spsetup129.exe    Win32/Bundled.Toolbar.Google.D potentially unsafe application
C:\Users\Ileres\Downloads\uTorrent.exe    a variant of Win32/OpenCandy.A potentially unsafe application
 
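The "Suspicious files" verdicts in the HitmanPro log above are heuristics over the PE section table: a .reloc section marked as code, an .rsrc section marked executable, and high per-section entropy. The script below is an added PowerShell example written for this page, not from the thread or from HitmanPro, that computes the same indicators for any file so the flagged game files can be compared against a known-good system binary. It parses the PE/COFF headers directly, using the offsets and characteristic flags from the PE specification, and needs no modules; the function names and the 7.0 entropy threshold are this example's own choices. The log itself shows why these indicators are not proof of infection: GameMon.des scores entropy 8.0 because its contents are compressed or encrypted, yet it carries a valid Authenticode signature from its publisher.

```powershell
# Added example (not from the thread or from HitmanPro): per-section PE heuristics of the
# kind behind the "Suspicious files" entries in the log. Pure PowerShell/.NET, no modules.

function Get-ShannonEntropy {
    param([byte[]]$Bytes)
    # Shannon entropy in bits per byte: 0 = constant data, 8 = uniformly random.
    # (This loop is interpreted PowerShell; expect several seconds on a multi-MB section.)
    if ($Bytes.Length -eq 0) { return 0.0 }
    $counts = New-Object int[] 256
    foreach ($b in $Bytes) { $counts[$b]++ }
    $entropy = 0.0
    foreach ($c in $counts) {
        if ($c -gt 0) {
            $p = $c / $Bytes.Length
            $entropy -= $p * [math]::Log($p, 2)
        }
    }
    return [math]::Round($entropy, 2)
}

function Get-PeSectionReport {
    param([Parameter(Mandatory)][string]$Path)
    $data = [System.IO.File]::ReadAllBytes($Path)
    if ($data.Length -lt 0x40 -or $data[0] -ne 0x4D -or $data[1] -ne 0x5A) { throw "Not an MZ file: $Path" }
    $peOff = [BitConverter]::ToInt32($data, 0x3C)                       # IMAGE_DOS_HEADER.e_lfanew
    if ([BitConverter]::ToUInt32($data, $peOff) -ne 0x00004550) { throw "No PE signature: $Path" }  # "PE\0\0"
    $numSections  = [BitConverter]::ToUInt16($data, $peOff + 6)         # IMAGE_FILE_HEADER.NumberOfSections
    $optHdrSize   = [BitConverter]::ToUInt16($data, $peOff + 20)        # IMAGE_FILE_HEADER.SizeOfOptionalHeader
    $sectionTable = $peOff + 24 + $optHdrSize                           # first IMAGE_SECTION_HEADER
    $IMAGE_SCN_CNT_CODE    = 0x00000020
    $IMAGE_SCN_MEM_EXECUTE = 0x20000000

    for ($i = 0; $i -lt $numSections; $i++) {
        $h       = $sectionTable + 40 * $i                              # each section header is 40 bytes
        $name    = [System.Text.Encoding]::ASCII.GetString($data, $h, 8).TrimEnd([char]0)
        $rawSize = [BitConverter]::ToUInt32($data, $h + 16)             # SizeOfRawData
        $rawPtr  = [BitConverter]::ToUInt32($data, $h + 20)             # PointerToRawData
        $chars   = [BitConverter]::ToUInt32($data, $h + 36)             # Characteristics

        # Copy the section's on-disk bytes, clamped to the file size (truncated files exist).
        $len  = [int][math]::Max(0, [math]::Min([int64]$rawSize, [int64]$data.Length - [int64]$rawPtr))
        $body = New-Object byte[] $len
        if ($len -gt 0) { [Array]::Copy($data, [int]$rawPtr, $body, 0, $len) }

        $isCode = ($chars -band $IMAGE_SCN_CNT_CODE)    -ne 0
        $isExec = ($chars -band $IMAGE_SCN_MEM_EXECUTE) -ne 0
        $entropy = Get-ShannonEntropy -Bytes $body

        # The same three indicators HitmanPro reports, as labels.
        $flags = @()
        if ($name -eq '.reloc' -and ($isCode -or $isExec)) { $flags += 'reloc-contains-code' }
        if ($name -eq '.rsrc'  -and $isExec)               { $flags += 'rsrc-executable' }
        if ($entropy -ge 7.0)                              { $flags += 'high-entropy' }

        [pscustomobject]@{
            Section = $name; RawSize = $rawSize; Code = $isCode; Exec = $isExec
            Entropy = $entropy; Flags = ($flags -join ',')
        }
    }
}

# Usage: a known-good Windows binary first, then the files the log flagged, and compare.
Get-PeSectionReport -Path "$env:SystemRoot\System32\notepad.exe" | Format-Table -AutoSize
# Get-PeSectionReport -Path 'C:\Users\Ileres\Downloads\Games\Reborn15\gif.dll' | Format-Table -AutoSize
```

On a normally built binary only .text is marked as code/executable and only .rsrc (compressed images) or a packed section approaches 7 bits per byte; a .reloc or .rsrc section that is executable is unusual but, as the log's own game clients and the signed GameMon.des show, it is a reason to look closer (hash lookup, signature check, where the file came from), not a verdict by itself.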



#4 PuReinSAniTY

Posted 18 May 2017 - 09:20 PM

ESET is just showing a couple of PUPs.

 

Do you recognize the file "IntenseROV3.exe" and a game called Reborn15?

 

For now we'll be running a program called Zemana AntiMalware.

 

Run this program and post the log here.

 

After that, please run an AdwCleaner scan.

 

Please download AdwCleaner by Xplode here.

 

Now run the file, and you should see the AdwCleaner start screen.

 

Please click Scan and then, when finished, post the scan log (it will pop up after the scan).

 

NOTE: Please do not clean the items yet.


they call me te java mayster


#5 RisingManes (Topic Starter)

Posted 18 May 2017 - 09:32 PM

I do, in fact, recognize the two. IntenseRO is a Ragnarok Online client for a private server; Reborn15 corresponds to a fangame.

 

I don't recognize the other files.



#6 PuReinSAniTY

Posted 19 May 2017 - 12:24 AM

That's fine. Can you post the logs for me, please?


they call me te java mayster


#7 RisingManes (Topic Starter)

Posted 19 May 2017 - 01:31 PM

How do I find the Zemana logs?



#8 PuReinSAniTY

Posted 19 May 2017 - 09:25 PM

How do I find the Zemana logs?

Was anything detected?


they call me te java mayster


#9 RisingManes (Topic Starter)

Posted 19 May 2017 - 09:28 PM

There was something found: it was SBSE, a Starbound mod that has long since been discontinued. It appears to have been in the wrong folder, however, so I had no qualms about moving it to Quarantine.

 

# AdwCleaner v6.047 - Logfile created 19/05/2017 at 22:31:03
# Updated on 19/05/2017 by Malwarebytes
# Database : 2017-05-19.1 [Server]
# Operating System : Windows 10 Pro  (X64)
# Username : Ileres - MANES-MEMENTO
# Running from : C:\Users\Ileres\AppData\Local\Temp\scoped_dir8476_6506\adwcleaner_6.047.exe
# Mode: Scan
 
 
 
***** [ Services ] *****
 
No malicious services found.
 
 
***** [ Folders ] *****
 
Folder Found:  C:\ProgramData\Auslogics
Folder Found:  C:\ProgramData\Application Data\Auslogics
Folder Found:  C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Auslogics
Folder Found:  C:\Program Files (x86)\Auslogics
 
 
***** [ Files ] *****
 
File Found:  C:\END
 
 
***** [ DLL ] *****
 
No malicious DLLs found.
 
 
***** [ WMI ] *****
 
No malicious keys found.
 
 
***** [ Shortcuts ] *****
 
No infected shortcut found.
 
 
***** [ Scheduled Tasks ] *****
 
Task Found:  DriverEasy Scheduled Scan
 
 
***** [ Registry ] *****
 
Key Found:  HKU\S-1-5-21-3451967320-1596040250-1753558186-1000\Software\Link64
Key Found:  HKCU\Software\Link64
Key Found:  HKLM\SOFTWARE\Auslogics
Key Found:  [x64] HKCU\Software\Link64
 
 
***** [ Web browsers ] *****
 
No malicious Firefox based browser items found.
Chrome pref Found:  [C:\Users\Ileres\AppData\Local\Google\Chrome\User Data\Default\Web data] - aol.com
Chrome pref Found:  [C:\Users\Ileres\AppData\Local\Google\Chrome\User Data\Default\Web data] - ask.com
Chrome pref Found:  [C:\Users\Ileres\AppData\Local\Google\Chrome\User Data\Default\Web data] - check point software technologies ltd
 
[!] You may need to disable the Chrome synchronization from your Google account in order to fully remove the malicious preferences. Please consult this Google help: https://support.google.com/chrome/answer/3097271?hl=en [!]
 
 
*************************
 
C:\AdwCleaner\AdwCleaner[S0].txt - [1903 Bytes] - [19/05/2017 22:31:03]
 
########## EOF - C:\AdwCleaner\AdwCleaner[S0].txt - [1976 Bytes] ##########

Edited by RisingManes, 19 May 2017 - 09:31 PM.


#10 PuReinSAniTY

Posted 20 May 2017 - 06:23 PM

I can't really see any malware on your system. Is Windows Defender still shutting off? How is your computer running?


they call me te java mayster


#11 RisingManes (Topic Starter)

Posted 20 May 2017 - 06:36 PM

Nope, all clear now. Disk usage is inexplicably high still, but beyond that, everything seems to be in working order.

 

EDIT: Nevermind, still shutting off.

[screenshot showing Windows Defender turned off]


Edited by RisingManes, 20 May 2017 - 06:37 PM.


#12 PuReinSAniTY

Posted 20 May 2017 - 09:40 PM

Are you still not running an antivirus? I've had this issue occur when my antivirus was actually turning off Windows Defender. So if you aren't, and don't want to, make sure ALL components of the antivirus are uninstalled.

 

High disk usage can also be caused by the number of programs on your PC that are running. So I suggest uninstalling the things that you DON'T need through Control Panel. Also try disabling startup items that you do not want through Task Manager.


they call me te java mayster
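The advice in post #12 (Defender turns itself off when another antivirus is, or still appears to be, installed) can be checked directly rather than guessed at. The following PowerShell is an added example, not code from the thread or from any of the tools mentioned in it. Run it from an elevated prompt on Windows 10. It reports what Security Center believes about installed antivirus products, what Defender itself reports, whether a Defender policy key is forcing it off, whether any leftover services or drivers match a third-party AV name pattern, and when Defender last logged a "protection disabled" event. The `avast`/`asw` name patterns are an assumption about how Avast names its components; adjust them for a different vendor.

```powershell
# Added example (not from the thread). Run in an elevated PowerShell prompt.
# Shows the three things that make Windows Defender report itself "off":
# another product registered with Security Center, a Defender policy key,
# or an explicit disable recorded in the Defender event log.

function Get-RegisteredAV {
    # Security Center's view. productState is a bit field; in its 6-digit hex
    # form the middle byte is 10/11 when the product's real-time protection is
    # on and 00/01 when off; the last byte is 10 when signatures are out of date.
    Get-CimInstance -Namespace 'root/SecurityCenter2' -ClassName AntiVirusProduct |
        ForEach-Object {
            $hex = '{0:x6}' -f $_.productState
            [pscustomobject]@{
                Product   = $_.displayName
                RealTime  = ($hex.Substring(2, 2) -in '10', '11')
                OutOfDate = ($hex.Substring(4, 2) -eq '10')
                Exe       = $_.pathToSignedProductExe
            }
        }
}

function Get-DefenderState {
    # Defender's own view. AMRunningMode ('Normal' / 'Passive Mode') only exists
    # on newer builds; on older ones the property is simply empty.
    $mp = Get-MpComputerStatus
    [pscustomobject]@{
        AntivirusEnabled   = $mp.AntivirusEnabled
        RealTimeProtection = $mp.RealTimeProtectionEnabled
        RunningMode        = $mp.AMRunningMode
        SignaturesUpdated  = $mp.AntivirusSignatureLastUpdated
    }
}

function Get-DefenderPolicyOverrides {
    # Group Policy values that switch Defender off regardless of the UI toggle.
    $checks = @{
        'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender'                      = 'DisableAntiSpyware'
        'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection' = 'DisableRealtimeMonitoring'
    }
    foreach ($c in $checks.GetEnumerator()) {
        $v = Get-ItemProperty -Path $c.Key -Name $c.Value -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Key      = $c.Key
            Value    = $c.Value
            Disabled = ($null -ne $v -and $v.($c.Value) -eq 1)
        }
    }
}

function Get-LeftoverAVComponents {
    # Assumption: Avast services and drivers start with 'avast' or 'asw'.
    param([string]$NamePattern = '^(avast|asw)')
    $svc = Get-CimInstance Win32_Service      | Where-Object { $_.Name -match $NamePattern }
    $drv = Get-CimInstance Win32_SystemDriver | Where-Object { $_.Name -match $NamePattern }
    @($svc) + @($drv) | Select-Object Name, DisplayName, State, PathName
}

function Get-DefenderDisableEvents {
    # 5001 = real-time protection disabled, 5004 = real-time protection config
    # changed, 5010/5012 = malware/virus scanning disabled.
    param([int]$Days = 7)
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 5001, 5004, 5010, 5012
        StartTime = (Get-Date).AddDays(-$Days)
    } -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, @{ n = 'Message'; e = { ($_.Message -split "`n")[0] } }
}

'== Security Center registrations ==';    Get-RegisteredAV            | Format-Table -AutoSize
'== Defender status ==';                  Get-DefenderState           | Format-List
'== Defender policy overrides ==';        Get-DefenderPolicyOverrides | Format-Table -AutoSize
'== Leftover third-party AV pieces ==';   Get-LeftoverAVComponents    | Format-Table -AutoSize
'== Defender disable events (7 days) =='; Get-DefenderDisableEvents   | Format-Table -AutoSize
```

How to read it: if Security Center lists a non-Microsoft product with RealTime set to True, Windows turns Defender off by design and the fix is to remove that product completely (for Avast, with the vendor's own removal utility rather than Control Panel alone, which is the point of post #14). If nothing else is registered but a policy value shows Disabled = True, something wrote a policy key and that is what needs investigating. The event list gives the timestamps to correlate against whatever was installed or run at that time.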


#13 RisingManes (Topic Starter)

Posted 20 May 2017 - 10:30 PM

I have long since uninstalled Avast.

 

And my programs don't use that much disk space, but it's still somehow at 100%. This seems more like a tech issue.
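Post #12 suggests trimming startup programs as a cause of the 100% disk usage reported in post #13, and the AdwCleaner log above flagged a scheduled task and Run-style registry keys. The following PowerShell is an added example, not from the thread or from any of the tools in it. It enumerates the usual autostart locations (HKLM/HKCU Run and RunOnce keys, both Startup folders, and scheduled tasks outside the Microsoft tree) and then samples per-process I/O for one second, so the entries and the process actually hitting the disk can be compared side by side. The counter name assumes an English Windows install.

```powershell
# Added example (not from the thread). Run in an elevated PowerShell prompt.
# Lists autostart entries a PUP or leftover agent typically uses, then shows
# which processes are generating I/O right now.

function Get-AutostartEntries {
    $runKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
               'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
               'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
               'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
               'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
    foreach ($k in $runKeys) {
        $props = Get-ItemProperty -Path $k -ErrorAction SilentlyContinue
        if ($props) {
            # Drop the PS* metadata properties Get-ItemProperty adds to every result.
            $props.PSObject.Properties |
                Where-Object { $_.Name -notmatch '^PS(Path|ParentPath|ChildName|Drive|Provider)$' } |
                ForEach-Object { [pscustomobject]@{ Source = $k; Name = $_.Name; Command = $_.Value } }
        }
    }

    # All-users and per-user Startup folders.
    $folders = "$env:ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp",
               "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup"
    foreach ($f in $folders) {
        Get-ChildItem -Path $f -ErrorAction SilentlyContinue |
            ForEach-Object { [pscustomobject]@{ Source = $f; Name = $_.Name; Command = $_.FullName } }
    }

    # Enabled scheduled tasks outside \Microsoft\ (where third-party updaters and
    # "scheduled scan" tasks like the one AdwCleaner flagged usually live).
    Get-ScheduledTask |
        Where-Object { $_.TaskPath -notlike '\Microsoft\*' -and $_.State -ne 'Disabled' } |
        ForEach-Object {
            $a = $_.Actions | Select-Object -First 1
            [pscustomobject]@{
                Source  = 'Task:' + $_.TaskPath
                Name    = $_.TaskName
                Command = "$($a.Execute) $($a.Arguments)".Trim()
            }
        }
}

function Get-IoByProcess {
    # Two samples one second apart; the counter counts file, network and device
    # I/O together, so treat it as a lead, not a disk-only figure.
    param([int]$Top = 10)
    $samples = (Get-Counter -Counter '\Process(*)\IO Data Bytes/sec' -SampleInterval 1 -MaxSamples 2).CounterSamples
    $samples |
        Where-Object { $_.InstanceName -notin '_total', 'idle' } |
        Group-Object InstanceName |
        ForEach-Object {
            [pscustomobject]@{
                Process     = $_.Name
                BytesPerSec = [int64]($_.Group | Measure-Object CookedValue -Average).Average
            }
        } |
        Sort-Object BytesPerSec -Descending |
        Select-Object -First $Top
}

'== Autostart entries ==';        Get-AutostartEntries | Format-Table -AutoSize -Wrap
'== Top I/O processes (1 s) =='; Get-IoByProcess      | Format-Table -AutoSize
```

Anything in the autostart list whose Command points into a Downloads or Temp folder, or into a vendor directory that was supposedly uninstalled, is worth looking at before blaming the disk itself. If the I/O table is dominated by a system process such as the search indexer or the Defender service (MsMpEng) rather than a third-party program, the cause is more likely the configuration or hardware issue the poster suspects than anything a cleaner would find.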



#14 PuReinSAniTY

Posted 20 May 2017 - 10:39 PM

I have long since uninstalled Avast.

 

Did you use the uninstaller, or just uninstall it through Control Panel?


they call me te java mayster


#15 RisingManes (Topic Starter)

Posted 21 May 2017 - 01:17 AM

Might've been through the uninstaller. Can't remember.



