Numerous "Account Unknown S-1-5-21-....." suddenly have appeared


  • This topic is locked
24 replies to this topic

#1 Off_the_deep_end

Posted 18 May 2017 - 07:16 PM

Hello, 

 

I have some sort of craziness going on in my computer... unfortunately it is not a good crazy either. I have an Asus laptop that is running Windows 7 SP1 64 bit system. I use Bitdefender Total Security 2017 and Malwarebytes (Premium) version 3.0.6 for my security. I do not go to any crazy websites, do my very best to be as safe as I can on this computer as well as all my other computers and devices. But this particular computer is the one I use for my business and I fear that this problem has either attacked or is trying to attack my Quickbooks Pro 2014. Because of that I have not opened my QB Pro 2014 for a while now because I am choosing to err on the side of caution because the world can and will end if I lose any of my business info. I am sure you can understand where I am coming from there. 

 

I believe that my Bitdefender and also Malwarebytes have been affected because neither one of them have had anything to say about catching anything in a while. When I perform scans on them I can see that the scans are not being conducted like they have been in the past. I will try my best to explain that one.... Usually when they do scans you will see them going through the files so fast that you will be able to read the beginning part of the file path while the other part is just flying so fast that you can not read it. For instance 

 

C:/windows/system32/zzzzzzzzzzzzzzzz  The "Z" in that example representing the part that is flying so fast you can not read it. 

 

Now when I run scans on either one of the programs the file paths are not anywhere near normal. They run slower and are erratic at best. I have not seen it scan any of the important file paths that it should do normally. The file paths I see now are random things like

 

C:/colleen/printer/document/zzzzzzzzzz

C:/HPsupport/document/zzzzz               (Mind you this is on my Asus laptop) 

 

There were a bunch of random file paths like above then of course when they are done scanning I get the everything is great and you are good. 

 

Also I have had a bunch of other weird and odd behavior come from this computer. I had pulled up my task manager and I had a process running that I had never seen before that was called Net group packet filter driver, and the file path for it was something I had never seen before either.

 

\??\C:\windows\system32\drivers\npf.sys

 

My question regarding that -- is that something legit or no? 

 

I also have been getting these error messages that will pop up when I turn on the computer--

 

C:\Windows\Temp\bd_F7A6.tmp\ctdfF834.tmp

This file does not have a program associated with it for performing this action. 

Please install a program or, if one is already installed, create an association

in the default programs control panel. 

 

Followed by--

 

C:\Users\Colleen\appdata\local\temp\RarSFX0 folder is not accessible

 

 

 

 

I have also had a lot of my files move or just be gone altogether. I have also had some of them turn up in other folders with different file extensions. I have downloaded and run the FRST tool. The 2 logs are attached below. Thank you so very much for being here and helping me out.

 

Attached File  FRST.txt   58.55KB   8 downloads

Attached File  Addition.txt   35.31KB   4 downloads

 

 




 


#2 nasdaq

  • Malware Response Team

Posted 20 May 2017 - 09:59 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

Press the Windows key + R on your keyboard at the same time. This will open the RUN BOX.
Type Notepad and click the OK key.

Please copy the entire contents of the code box below to a new file.
 
Start

CreateRestorePoint:
EmptyTemp:
CloseProcesses:

(Google Inc.) C:\Program Files (x86)\Google\Chrome\Temp\scoped_dir_3636_27532\old_chrome.exe
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
SearchScopes: HKLM -> {DC91FAFB-6CEA-49E5-BB74-9CEE75D09B77} URL =
SearchScopes: HKU\S-1-5-21-1359280114-1458453669-2722703307-1000 -> {8D6CD7BF-597C-4506-BE42-A5CEB0315DFE} URL = hxxps://search.yahoo.com/search?p={searchTerms}&intl=us&fr=yset_ie_syc_oracle&type=orcl_default
Toolbar: HKU\S-1-5-21-1359280114-1458453669-2722703307-1000 -> No Name - {2318C2B1-4965-11D4-9B18-009027A5CD4F} -  No File
FF HKLM-x32\...\Firefox\Extensions: [ffpwdman@bitdefender.com] - C:\Program Files\Bitdefender\Bitdefender\Antispam32\ffpwdman => not found
FF Plugin: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin: adobe.com/AdobeAAMDetect -> C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\CCM\Utilities\npAdobeAAMDetect64.dll [No File]
FF Plugin-x32: @Bitdefender.com/PasswordManager;version=17.8 -> C:\Program Files\Bitdefender\Bitdefender\Antispam32\pmbxnp.dll [No File]
FF Plugin-x32: @microsoft.com/GENUINE -> disabled [No File]
CHR Extension: (MSN Homepage) - C:\Users\Colleen\AppData\Local\Google\Chrome\User Data\Default\Extensions\fkkcgfbgohboipdhliafmacjnhjbhmim [2015-07-05]
CHR Extension: (Chrome Web Store Payments) - C:\Users\Colleen\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2016-04-04]
CHR Extension: (Chrome Web Store Payments) - C:\Users\Colleen\AppData\Local\Google\Chrome\User Data\Profile 2\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2017-03-09]
CHR Extension: (Chrome Media Router) - C:\Users\Colleen\AppData\Local\Google\Chrome\User Data\Profile 2\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm [2017-02-08]
CHR HKU\S-1-5-21-1359280114-1458453669-2722703307-1000\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [fkkcgfbgohboipdhliafmacjnhjbhmim] - hxxps://clients2.google.com/service/update2/crx
CHR HKLM-x32\...\Chrome\Extension: [aaffhmecfaelkngcbnfdkcckmillnoki] - hxxps://clients2.google.com/service/update2/crx
CHR HKLM-x32\...\Chrome\Extension: [hakdifolhalapjijoafobooafbilfakh] - <no Path/update_url>
CHR HKLM-x32\...\Chrome\Extension: [pjldcfjmnllhmgjclecdnfampinooman] - <no Path/update_url>
S3 b06bdrv; \SystemRoot\system32\drivers\bxvbda.sys [X]
S2 sxuptp; system32\DRIVERS\sxuptp.sys [X]
Task: {0BC43D82-984A-4796-816C-1D2B91CC4E46} - \Microsoft\Windows\Setup\GWXTriggers\Time-5d -> No File <==== ATTENTION
Task: {0D5B4DCC-A6E6-41CC-8489-E680B6F8DDF5} - \Microsoft\Windows\Setup\GWXTriggers\Logon-5d -> No File <==== ATTENTION
Task: {1306F96D-6183-4B8B-8F5A-6593BCD4F50E} - \Microsoft\Windows\Setup\GWXTriggers\refreshgwxconfig-B -> No File <==== ATTENTION
Task: {13B5272B-A68A-4645-A349-1EFBC5AC7A9E} - \Microsoft\Windows\Setup\GWXTriggers\ScheduleUpgradeTime -> No File <==== ATTENTION
Task: {29BFACBB-C10A-4C9E-AB77-633DD558214C} - \Microsoft\Windows\Setup\GWXTriggers\MachineUnlock-5d -> No File <==== ATTENTION
Task: {32609CF5-BA8A-432C-BE13-2DBC2555D03B} - \Microsoft\Windows\Setup\GWXTriggers\ScheduleUpgradeReminderTime -> No File <==== ATTENTION
Task: {5AF59929-242E-46E5-B88C-25F052D5A001} - System32\Tasks\{1426549F-0E3A-40A7-9024-C73BBDD25A4B} => pcalua.exe -a C:\Users\Colleen\Downloads\JavaSetup8u45.exe -d C:\Users\Colleen\Desktop
Task: {9265F18F-A871-4707-A2BC-C46A2704C0D9} - \Microsoft\Windows\Setup\GWXTriggers\OutOfIdle-5d -> No File <==== ATTENTION
Task: {C1776FDF-8C87-44B2-896D-C589823B8BE4} - \Microsoft\Windows\Setup\GWXTriggers\OutOfSleep-5d -> No File <==== ATTENTION
Task: {D4E6AB6E-C76D-4205-A5A3-67782E4E4347} - \Microsoft\Windows\Setup\GWXTriggers\OnIdle-5d -> No File <==== ATTENTION
AlternateDataStreams: C:\Users\Colleen\Desktop\adwcleaner_6.046.exe:BDU [0]
AlternateDataStreams: C:\Users\Colleen\Desktop\FRST64.exe:BDU [0]
AlternateDataStreams: C:\Users\Colleen\Desktop\iAquaLinkWiFi.exe:BDU [0]
AlternateDataStreams: C:\Users\Colleen\Desktop\mbar-1.09.3.1001.exe:BDU [0]
C:\Windows\System32\Tasks\{1426549F-0E3A-40A7-9024-C73BBDD25A4B}
C:\Program Files (x86)\Google\Chrome\Temp\scoped_dir_3636_27532

End
Save the file as fixlist.txt in the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the Farbar log you have submitted.

Run FRST and click Fix only once and wait.

The tool will create a log (Fixlog.txt); please post it in your reply.

--RogueKiller--
  • Download & SAVE to your Desktop Download RogueKiller
  • Quit all programs that you may have started.
  • Please disconnect any USB or external drives from the computer before you run this scan!
  • For Vista or above, right-click the program file and select "Run as Administrator"
  • Accept the user agreements.
  • Execute the scan and wait until it has finished.
  • If a window opens to explain what [PUM's] are, read about it.
  • Click the RogueKiller icon on your taskbar to return to the report.
  • Click open the Report
  • Click Export TXT button
  • Save the file as ReportRogue.txt
  • Click the Remove button to delete the items in RED
  • Click Finish and close the program.
  • Locate the ReportRogue.txt file on your Desktop and copy/paste the contents in your next reply.
=======

Please let me know what problem persists with this computer.

#3 Off_the_deep_end
  • Topic Starter

Posted 21 May 2017 - 08:44 AM

Hello

 

Here are the results of the fixlist log \ report. 

 

***********************************************************************************************************************************************************************

 

Fix result of Farbar Recovery Scan Tool (x64) Version: 20-05-2017

Ran by Colleen (21-05-2017 05:38:37) Run:1
Running from C:\Users\Colleen\Desktop
Loaded Profiles: Colleen (Available Profiles: Colleen & Administrator)
Boot Mode: Normal
==============================================
 
fixlist content:
*****************
Start
 
CreateRestorePoint:
EmptyTemp:
CloseProcesses:
 
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Temp\scoped_dir_3636_27532\old_chrome.exe
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
SearchScopes: HKLM -> {DC91FAFB-6CEA-49E5-BB74-9CEE75D09B77} URL =
SearchScopes: HKU\S-1-5-21-1359280114-1458453669-2722703307-1000 -> {8D6CD7BF-597C-4506-BE42-A5CEB0315DFE} URL = hxxps://search.yahoo.com/search?p={searchTerms}&intl=us&fr=yset_ie_syc_oracle&type=orcl_default
Toolbar: HKU\S-1-5-21-1359280114-1458453669-2722703307-1000 -> No Name - {2318C2B1-4965-11D4-9B18-009027A5CD4F} -  No File
FF HKLM-x32\...\Firefox\Extensions: [ffpwdman@bitdefender.com] - C:\Program Files\Bitdefender\Bitdefender\Antispam32\ffpwdman => not found
FF Plugin: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin: adobe.com/AdobeAAMDetect -> C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\CCM\Utilities\npAdobeAAMDetect64.dll [No File]
FF Plugin-x32: @Bitdefender.com/PasswordManager;version=17.8 -> C:\Program Files\Bitdefender\Bitdefender\Antispam32\pmbxnp.dll [No File]
FF Plugin-x32: @microsoft.com/GENUINE -> disabled [No File]
CHR Extension: (MSN Homepage) - C:\Users\Colleen\AppData\Local\Google\Chrome\User Data\Default\Extensions\fkkcgfbgohboipdhliafmacjnhjbhmim [2015-07-05]
CHR Extension: (Chrome Web Store Payments) - C:\Users\Colleen\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2016-04-04]
CHR Extension: (Chrome Web Store Payments) - C:\Users\Colleen\AppData\Local\Google\Chrome\User Data\Profile 2\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2017-03-09]
CHR Extension: (Chrome Media Router) - C:\Users\Colleen\AppData\Local\Google\Chrome\User Data\Profile 2\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm [2017-02-08]
CHR HKU\S-1-5-21-1359280114-1458453669-2722703307-1000\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [fkkcgfbgohboipdhliafmacjnhjbhmim] - hxxps://clients2.google.com/service/update2/crx
CHR HKLM-x32\...\Chrome\Extension: [aaffhmecfaelkngcbnfdkcckmillnoki] - hxxps://clients2.google.com/service/update2/crx
CHR HKLM-x32\...\Chrome\Extension: [hakdifolhalapjijoafobooafbilfakh] - <no Path/update_url>
CHR HKLM-x32\...\Chrome\Extension: [pjldcfjmnllhmgjclecdnfampinooman] - <no Path/update_url>
S3 b06bdrv; \SystemRoot\system32\drivers\bxvbda.sys [X]
S2 sxuptp; system32\DRIVERS\sxuptp.sys [X]
Task: {0BC43D82-984A-4796-816C-1D2B91CC4E46} - \Microsoft\Windows\Setup\GWXTriggers\Time-5d -> No File <==== ATTENTION
Task: {0D5B4DCC-A6E6-41CC-8489-E680B6F8DDF5} - \Microsoft\Windows\Setup\GWXTriggers\Logon-5d -> No File <==== ATTENTION
Task: {1306F96D-6183-4B8B-8F5A-6593BCD4F50E} - \Microsoft\Windows\Setup\GWXTriggers\refreshgwxconfig-B -> No File <==== ATTENTION
Task: {13B5272B-A68A-4645-A349-1EFBC5AC7A9E} - \Microsoft\Windows\Setup\GWXTriggers\ScheduleUpgradeTime -> No File <==== ATTENTION
Task: {29BFACBB-C10A-4C9E-AB77-633DD558214C} - \Microsoft\Windows\Setup\GWXTriggers\MachineUnlock-5d -> No File <==== ATTENTION
Task: {32609CF5-BA8A-432C-BE13-2DBC2555D03B} - \Microsoft\Windows\Setup\GWXTriggers\ScheduleUpgradeReminderTime -> No File <==== ATTENTION
Task: {5AF59929-242E-46E5-B88C-25F052D5A001} - System32\Tasks\{1426549F-0E3A-40A7-9024-C73BBDD25A4B} => pcalua.exe -a C:\Users\Colleen\Downloads\JavaSetup8u45.exe -d C:\Users\Colleen\Desktop
Task: {9265F18F-A871-4707-A2BC-C46A2704C0D9} - \Microsoft\Windows\Setup\GWXTriggers\OutOfIdle-5d -> No File <==== ATTENTION
Task: {C1776FDF-8C87-44B2-896D-C589823B8BE4} - \Microsoft\Windows\Setup\GWXTriggers\OutOfSleep-5d -> No File <==== ATTENTION
Task: {D4E6AB6E-C76D-4205-A5A3-67782E4E4347} - \Microsoft\Windows\Setup\GWXTriggers\OnIdle-5d -> No File <==== ATTENTION
AlternateDataStreams: C:\Users\Colleen\Desktop\adwcleaner_6.046.exe:BDU [0]
AlternateDataStreams: C:\Users\Colleen\Desktop\FRST64.exe:BDU [0]
AlternateDataStreams: C:\Users\Colleen\Desktop\iAquaLinkWiFi.exe:BDU [0]
AlternateDataStreams: C:\Users\Colleen\Desktop\mbar-1.09.3.1001.exe:BDU [0]
C:\Windows\System32\Tasks\{1426549F-0E3A-40A7-9024-C73BBDD25A4B}
C:\Program Files (x86)\Google\Chrome\Temp\scoped_dir_3636_27532
 
End
*****************
 
Restore point was successfully created.
Processes closed successfully.
C:\Program Files (x86)\Google\Chrome\Temp\scoped_dir_3636_27532\old_chrome.exe => No running process found
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer => key removed successfully
HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{DC91FAFB-6CEA-49E5-BB74-9CEE75D09B77} => key removed successfully
HKCR\CLSID\{DC91FAFB-6CEA-49E5-BB74-9CEE75D09B77} => key not found. 
HKU\S-1-5-21-1359280114-1458453669-2722703307-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{8D6CD7BF-597C-4506-BE42-A5CEB0315DFE} => key removed successfully
HKCR\CLSID\{8D6CD7BF-597C-4506-BE42-A5CEB0315DFE} => key not found. 
HKU\S-1-5-21-1359280114-1458453669-2722703307-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{2318C2B1-4965-11D4-9B18-009027A5CD4F} => value removed successfully
HKCR\CLSID\{2318C2B1-4965-11D4-9B18-009027A5CD4F} => key not found. 
HKLM\Software\Wow6432Node\Mozilla\Firefox\Extensions\\ffpwdman@bitdefender.com => value removed successfully
HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE => key removed successfully
HKLM\Software\MozillaPlugins\adobe.com/AdobeAAMDetect => key removed successfully
HKLM\Software\Wow6432Node\MozillaPlugins\@Bitdefender.com/PasswordManager;version=17.8 => key removed successfully
HKLM\Software\Wow6432Node\MozillaPlugins\@microsoft.com/GENUINE => key removed successfully
C:\Users\Colleen\AppData\Local\Google\Chrome\User Data\Default\Extensions\fkkcgfbgohboipdhliafmacjnhjbhmim => moved successfully
C:\Users\Colleen\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda => moved successfully
C:\Users\Colleen\AppData\Local\Google\Chrome\User Data\Profile 2\Extensions\nmmhkkegccagdldgiimedpiccmgmieda => moved successfully
C:\Users\Colleen\AppData\Local\Google\Chrome\User Data\Profile 2\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm => moved successfully
HKU\S-1-5-21-1359280114-1458453669-2722703307-1000\SOFTWARE\Google\Chrome\Extensions\fkkcgfbgohboipdhliafmacjnhjbhmim => key removed successfully
HKLM\SOFTWARE\Wow6432Node\Google\Chrome\Extensions\aaffhmecfaelkngcbnfdkcckmillnoki => key removed successfully
HKLM\SOFTWARE\Wow6432Node\Google\Chrome\Extensions\hakdifolhalapjijoafobooafbilfakh => key removed successfully
HKLM\SOFTWARE\Wow6432Node\Google\Chrome\Extensions\pjldcfjmnllhmgjclecdnfampinooman => key removed successfully
HKLM\System\CurrentControlSet\Services\b06bdrv => key removed successfully
b06bdrv => service removed successfully
HKLM\System\CurrentControlSet\Services\sxuptp => key removed successfully
sxuptp => service removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{0BC43D82-984A-4796-816C-1D2B91CC4E46} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{0BC43D82-984A-4796-816C-1D2B91CC4E46} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Setup\GWXTriggers\Time-5d => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon\{0D5B4DCC-A6E6-41CC-8489-E680B6F8DDF5} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{0D5B4DCC-A6E6-41CC-8489-E680B6F8DDF5} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Setup\GWXTriggers\Logon-5d => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{1306F96D-6183-4B8B-8F5A-6593BCD4F50E} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{1306F96D-6183-4B8B-8F5A-6593BCD4F50E} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Setup\GWXTriggers\refreshgwxconfig-B => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{13B5272B-A68A-4645-A349-1EFBC5AC7A9E} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{13B5272B-A68A-4645-A349-1EFBC5AC7A9E} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Setup\GWXTriggers\ScheduleUpgradeTime => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{29BFACBB-C10A-4C9E-AB77-633DD558214C} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{29BFACBB-C10A-4C9E-AB77-633DD558214C} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Setup\GWXTriggers\MachineUnlock-5d => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{32609CF5-BA8A-432C-BE13-2DBC2555D03B} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{32609CF5-BA8A-432C-BE13-2DBC2555D03B} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Setup\GWXTriggers\ScheduleUpgradeReminderTime => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{5AF59929-242E-46E5-B88C-25F052D5A001} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{5AF59929-242E-46E5-B88C-25F052D5A001} => key removed successfully
C:\Windows\System32\Tasks\{1426549F-0E3A-40A7-9024-C73BBDD25A4B} => moved successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\{1426549F-0E3A-40A7-9024-C73BBDD25A4B} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{9265F18F-A871-4707-A2BC-C46A2704C0D9} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{9265F18F-A871-4707-A2BC-C46A2704C0D9} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Setup\GWXTriggers\OutOfIdle-5d => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{C1776FDF-8C87-44B2-896D-C589823B8BE4} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{C1776FDF-8C87-44B2-896D-C589823B8BE4} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Setup\GWXTriggers\OutOfSleep-5d => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{D4E6AB6E-C76D-4205-A5A3-67782E4E4347} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{D4E6AB6E-C76D-4205-A5A3-67782E4E4347} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Setup\GWXTriggers\OnIdle-5d => key removed successfully
C:\Users\Colleen\Desktop\adwcleaner_6.046.exe => ":BDU" ADS removed successfully.
"C:\Users\Colleen\Desktop\FRST64.exe" => ":BDU" ADS not found.
C:\Users\Colleen\Desktop\iAquaLinkWiFi.exe => ":BDU" ADS removed successfully.
C:\Users\Colleen\Desktop\mbar-1.09.3.1001.exe => ":BDU" ADS removed successfully.
"C:\Windows\System32\Tasks\{1426549F-0E3A-40A7-9024-C73BBDD25A4B}" => not found.
C:\Program Files (x86)\Google\Chrome\Temp\scoped_dir_3636_27532 => moved successfully
 
=========== EmptyTemp: ==========
 
BITS transfer queue => 8388608 B
DOMStore, IE Recovery, AppCache, Feeds Cache, Thumbcache, IconCache => 84721084 B
Java, Flash, Steam htmlcache => 1519 B
Windows/system/drivers => 250629296 B
Edge => 0 B
Chrome => 787182349 B
Firefox => 0 B
Opera => 0 B
 
Temp, IE cache, history, cookies, recent:
Users => 0 B
Default => 0 B
Public => 0 B
ProgramData => 0 B
systemprofile => 46037 B
systemprofile32 => 39030 B
LocalService => 53462 B
NetworkService => 16524 B
Colleen => 217146675 B
Administrator.Colleen-PC => 41550241 B
 
RecycleBin => 161300047 B
EmptyTemp: => 1.4 GB temporary data Removed.
 
================================
 
 
The system needed a reboot.
 
==== End of Fixlog 05:41:18 ====
 
********************************************************************************************************************************************************************************************
 
I was also prompted to reboot which I did. When I did this I got the following error window \ message window that said as follows---
 
 

C:\Windows\TEMP\bd_A350.tmp\uwwA360.tmp

This file does not have a program associated with it for performing this action. 

Please install a program or, if one is already installed, create an association

in the default programs control panel.

 

I do realize that the file path has both numbers 350 & 360 in it. This is not a typo but is exactly what the message said. (I just thought it was odd so thought I would mention it).

 

When I opened Chrome back up to get back to this page here I was told that Chrome had been shut down and would I like it to restore the pages. I clicked the X to close out that window. I took a screen shot of what  Chrome had opened up to because it is not a page that I have had open. 

 

Attached File  chrome opened to this.PNG   467.07KB   0 downloads   

 

I then navigated back to this page to get to the download for RogueKiller.

 

Did a right click and selected run as admin

 

The little window popped up I selected run

 

It gave me an error message that said this:

 

Setup was unable to create the directory

"C:\Users\Colleen\AppData\local\Temp\is-JSB89.tmp".

Error 5: Access is denied

 

I am logged on as the admin so I clicked on it once again without doing right click and selecting run as admin. I got the same message as above. The only thing that was different was the very ending part which was as follows:

 

is-ENM2S.tmp

 

I then came here to report the situation. I will now take this computer back offline and set it aside and wait further instructions from you. 

 

Thank you so much for your help. 
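Added example, not part of the original posts and not FRST's own code: a small Python triage of the Fixlog.txt result lines above, grouping each "target => status" line by outcome so that entries reported as not found stand out from those removed or moved. The sample lines are copied from the log in this post; the function names and outcome labels are assumptions made for this sketch.

```python
import re
from collections import Counter

# Sample result lines copied from the Fixlog.txt posted above (a subset).
SAMPLE_FIXLOG = r'''
Restore point was successfully created.
C:\Program Files (x86)\Google\Chrome\Temp\scoped_dir_3636_27532\old_chrome.exe => No running process found
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer => key removed successfully
HKCR\CLSID\{DC91FAFB-6CEA-49E5-BB74-9CEE75D09B77} => key not found.
HKLM\Software\Wow6432Node\Mozilla\Firefox\Extensions\\ffpwdman@bitdefender.com => value removed successfully
C:\Users\Colleen\AppData\Local\Google\Chrome\User Data\Default\Extensions\fkkcgfbgohboipdhliafmacjnhjbhmim => moved successfully
b06bdrv => service removed successfully
C:\Users\Colleen\Desktop\adwcleaner_6.046.exe => ":BDU" ADS removed successfully.
"C:\Users\Colleen\Desktop\FRST64.exe" => ":BDU" ADS not found.
"C:\Windows\System32\Tasks\{1426549F-0E3A-40A7-9024-C73BBDD25A4B}" => not found.
Chrome => 787182349 B
'''


def classify(status):
    """Map the text after '=>' to an outcome label (labels are this sketch's own)."""
    s = status.strip().rstrip(".").lower()
    if re.fullmatch(r"\d+ b", s):
        return "size"          # EmptyTemp byte counts, not a fix result
    if "not found" in s or "no running process" in s:
        return "absent"        # the listed item was not there when the fix ran
    # "removed successfully" contains "moved successfully", so test it first.
    if "removed successfully" in s:
        return "removed"
    if "moved successfully" in s:
        return "moved"         # file or folder moved to quarantine
    return "other"


def parse_fixlog(text):
    """Return (target, outcome) for every 'target => status' line."""
    entries = []
    for line in text.splitlines():
        # Split on the last ' => ' so a target containing '=>' stays intact.
        target, sep, status = line.rpartition(" => ")
        if not sep:
            continue           # headers, blank lines, free-text messages
        entries.append((target.strip().strip('"'), classify(status)))
    return entries


def summarize(text):
    """Count outcomes and list the targets that were reported absent."""
    entries = parse_fixlog(text)
    counts = Counter(kind for _, kind in entries)
    absent = [target for target, kind in entries if kind == "absent"]
    return counts, absent


if __name__ == "__main__":
    counts, absent = summarize(SAMPLE_FIXLOG)
    for kind, n in sorted(counts.items()):
        print(f"{kind:8} {n}")
    print("Reported absent:")
    for target in absent:
        print("  " + target)
```

An "absent" line is not necessarily a failure: in this log the C:\Windows\System32\Tasks\{1426549F-0E3A-40A7-9024-C73BBDD25A4B} file is moved on one line and reported not found on a later one, because the fixlist names it twice.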

 



#4 nasdaq

  • Malware Response Team

Posted 22 May 2017 - 07:07 AM


When I opened Chrome back up to get back to this page here I was told that Chrome had been shut down and would I like it to restore the pages. I clicked the X to close out that window. I took a screen shot of what Chrome had opened up to because it is not a page that I have had open.

The Adblock extension is installed on your computer. It was not restored normally. Nothing to worry about.
===

Please download and run the following tool to help allow other programs to run. (courtesy of BleepingComputer.com)
There are 3 different versions. If one of them won't run then download and try to run the other one.
Vista and Win7 users need to right click and choose Run as Admin
You only need to get one of them to run, not all of them.

rkill.exe
rkill.com
rkill.scr

It is possible that the infection you are trying to remove will not allow you to download files on the infected computer. If this is the case, then you will need to download the files requested on another computer and then transfer them to the desktop of the infected computer. You can transfer the files via a CD/DVD, external drive, or USB flash drive.

When completed it will create a log. Please post the content on your next reply.
===

Temporarily disable your AV program so it does not interfere.
Info on how to disable your security applications: How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs - Security Mini-Guides.

Download Zoek tool from here

When the download appears, save to the Desktop.
On the Desktop, right-click the Zoek.exe file and select: Run as Administrator
(Give it a few seconds to appear.)

Next, copy/paste the entire script inside the code box below to the input field of Zoek:
createsrpoint;
autoclean;
emptyclsid;
emptyffcache;
FFdefaults;
emptyiecache;
iedefaults;
emptychrcache;
CHRdefaults;
emptyalltemp;
emptyfolderscheck;delete
ipconfig /flushdns;b
Now...
Close any open Browsers.
Click the Run script button, and wait. It takes a few minutes to run all the script.

When the tool finishes, the zoek-results.log is opened in Notepad.
The log is also found on the systemdrive, normally C:\
If a reboot is needed, the log is opened after the reboot.

Please attach the zoek-results.log in your reply.
===

Also, please provide an update on how the computer is behaving after running the above script.

===

#5 Off_the_deep_end
  • Topic Starter

Posted 24 May 2017 - 01:19 AM

Greetings, 

 

So when I came back online to do as you have instructed I noticed that my windows update icon appeared down at the bottom of my screen saying new updates were available. I installed those and rebooted my system as it instructed me to do. Came right back here and downloaded the Rkill program- the results of that are..

 

 

(As an interesting side note that may or may not be related or relevant...   All 4 of the links that you have posted for me above did the same thing for all 4 links ---- I did a single click on them and a new tab would open and the page was blank. The address bar said about:blank) I chose the 2nd Rkill link.

 

 

Rkill 2.8.4 by Lawrence Abrams (Grinler)

Copyright 2008-2017 BleepingComputer.com
More Information about Rkill can be found at this link:
 
Program started at: 05/23/2017 10:06:44 PM in x64 mode.
Windows Version: Windows 7 Home Premium Service Pack 1
 
Checking for Windows services to stop:
 
 * No malware services found to stop.
 
Checking for processes to terminate:
 
 
WAIT...... HOLD ON!!!   THAT ^^^^ is not the report that it gave me. I waited until it said it was done and should be able to run my security programs..... 
 
I read the log then closed it then proceeded to close (in the exact following order) Malwarebytes, Bitdefender, then Windows firewall. Next I clicked on the Zoek link in your post, saved to desktop. Clicked on run as admin. Got an error message that 
 
An unknown error occured. The program will be terminated. 
 
I then decided to just click open to see what would happen... same error message. I am now going to run another Rkill scan. I am going to just download the .exe file and see what happens.
 
It seems like it did the scan rather quick but I don't know... results are below---
 
Rkill 2.8.4 by Lawrence Abrams (Grinler)
Copyright 2008-2017 BleepingComputer.com
More Information about Rkill can be found at this link:
 
Program started at: 05/23/2017 11:14:06 PM in x64 mode.
Windows Version: Windows 7 Home Premium Service Pack 1
 
Checking for Windows services to stop:
 
 * No malware services found to stop.
 
Checking for processes to terminate:
 
 * No malware processes found to kill.
 
Checking Registry for malware related settings:
 
 * No issues found in the Registry.
 
Resetting .EXE, .COM, & .BAT associations in the Windows Registry.
 
Performing miscellaneous checks:
 
 * Windows Defender Disabled
 
   [HKLM\SOFTWARE\Microsoft\Windows Defender]
   "DisableAntiSpyware" = dword:00000001
 
Checking Windows Service Integrity: 
 
 * Windows Defender (WinDefend) is not Running.
   Startup Type set to: Manual
 
 * TBS [Missing Service]
 
Searching for Missing Digital Signatures: 
 
 * No issues found.
 
Checking HOSTS File: 
 
 * No issues found.
 
Program finished at: 05/23/2017 11:14:51 PM
Execution time: 0 hours(s), 0 minute(s), and 44 seconds(s)
 
 
I also just tried to do the Zoek program again and still a no go. I am going to go find one of my thumb drives and get on another computer and see if I can download it and then see if I can get it to run on this laptop. I will post that result in another post. 


#6 nasdaq

  • Malware Response Team

Posted 24 May 2017 - 07:24 AM

Test this.

Disable Adguard, or remove it completely for now.

Also disable Bitdefender.

Any improvement?

#7 Off_the_deep_end
  • Topic Starter

Posted 25 May 2017 - 04:24 AM

Hello, 

 

I tried as you had advised and still the same thing. I noticed that in my task manager there were still things running of Malwarebytes and Bitdefender even though I had disabled them. I then decided to go into the system configurations window and turned everything off and then restarted the computer. Everything from Malwarebytes had stopped however there were still things from Bitdefender running. So then I even went as far as uninstalling BD. I even went into my other admin account to check if anything was running there that should not have been. (I never use that user account on this computer but it is there.) All was okay in that account so I logged out and came back to my main user account that I do everything from. Gave it one more final try and still getting same message as before--

 

I had even closed Chrome and went into IE and tried it from there.

 

 

An unknown error occured. The program will be terminated. 

 

 

I then turned my firewall and Malwarebytes back on for now and have left Bitdefender uninstalled for now also.... unless you tell me to reinstall it I will just leave it out for now if you think that will be easier? 

 

Should I just toss the computer in the pool now and be done with it?  :killcomp:  :killcomp:  :unsure:

 

 

If it was not the computer that I am supposed to run my business from I just might have done that already!! 

 




#8 nasdaq


Posted 25 May 2017 - 07:39 AM

Removed.

nasdaq

Edited by nasdaq, 25 May 2017 - 07:49 AM.


#9 nasdaq


Posted 25 May 2017 - 07:46 AM

The reason I asked that Bitdefender be disabled is that possibly the temporary folder(s) C:\Windows\TEMP\bd_A350.tmp (first 2 letters BD) could be created by Bitdefender. Not sure.

Bitdefender has been disabled but some remnant registry items may be trying to run BD and initiating the error message.

Enable Bitdefender. Restart the computer normally. If a new \temp folder is created, that would confirm my suspicion.

I would then use the Uninstall tool from this site.

https://www.bitdefender.com/uninstall/

Run the tool and restart the computer.

Do not re-install BD just yet. Let me know what the current issues with this computer are.

Also, let's check for an Anti_rootkit infection. Post the log in your next reply.

Malwarebytes Anti-Rootkit

Please download Anti-Rootkit BETA and save it to your Desktop.

https://www.malwarebytes.com/antirootkit/
  • Right-click on the icon and select Run as administrator to start the extraction of the program;
  • Click Yes to accept the security warning that may appear;
  • Click OK to extract it to your Desktop (MBAR will be launched shortly after the extraction);
  • Click on Next, and then on the Update button to let it update its database. Once the database has been successfully updated, click on Next;
  • Make sure all the checkboxes are checked, then click on the Scan button, and let it complete its scan (this can take a while);
  • Once the scan is done, if threats are found, make sure that every item is checked, and click on the Cleanup button (a reboot might be required);
  • After that (and the reboot, if one was required), go back in the mbar folder and look for a text file called mbar-log-TODAY'S-DATE.txt;
  • Please copy and paste the entire content of that log in your next reply;
===

Edited by nasdaq, 25 May 2017 - 07:48 AM.


#10 Off_the_deep_end


Posted 26 May 2017 - 10:44 AM

Hello, 

 

So what I did was first I tried to reinstall BD and was promptly greeted with this--

 

 

C:\Users\Colleen\appdata\local\temp\RarSFX0 folder is not accessible

 

So then I figure I will try to run the BD uninstall link you provided. It downloaded, I click on run as admin.. get greeted with this--

 

 

C:\Users\Colleen\appdata\local\temp\BDUninstall folder is not accessible. 

 

I thought I wonder if that file is even there... so I followed the file path only to discover that as I got to 

 

 

C:\Users\Colleen\appdata\local\temp\

 

There is no BDUninstall or RarSFX0  file. 

 

What I do have though is a temp\ folder that has 24 items in it. About half of those, if you open up properties and look at the security tab, will give you the message that

 

To continue you must be an admin user with permission to view this object's security properties 

Do you want to continue?

 

I just closed out those windows. The other half of them would show me the security tab and that infamous "account unknown S-1-5-5-0-166353" shows up with about 4 or 5 different numbers. On the "Details" tab one of the lines reads---

 

Shared with  <unknown contact> 

 

 

I took a screen shot of this crazy folder for you just in case it might be helpful. What do you think of it? Or is it not much help? 

 

 

Attached File  Capture.PNG   535.46KB   0 downloads   

 

 

I then went ahead and did the Malwarebytes anti root kit like you asked. This is the first time that when I clicked on a link you gave me that the page actually opened up rather than just going to a blank page. It downloaded and started up like it should have. The one thing that I observed was that it went back and forth between running through the file paths sporadic and random all over the place and then it would settle into a consistent scan where it would appear normal like it was progressing and going through the file path as it should rather than all crazy and random. In the end it found nothing but I beg to differ with it. LOL The log is below for you--

 

Malwarebytes Anti-Rootkit BETA 1.9.3.1001
www.malwarebytes.org
 
Database version:
  main:    v2017.05.26.03
  rootkit: v2017.04.02.01
 
Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 11.0.9600.18665
Colleen :: 7COLLEEN [administrator]
 
5/26/2017 12:01:25 AM
mbar-log-2017-05-26 (00-01-25).txt
 
Scan type: Quick scan
Scan options enabled: Anti-Rootkit | Drivers | MBR | Physical Sectors | Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken
Scan options disabled: 
Objects scanned: 322674
Time elapsed: 29 minute(s), 41 second(s)
 
Memory Processes Detected: 0
(No malicious items detected)
 
Memory Modules Detected: 0
(No malicious items detected)
 
Registry Keys Detected: 0
(No malicious items detected)
 
Registry Values Detected: 0
(No malicious items detected)
 
Registry Data Items Detected: 0
(No malicious items detected)
 
Folders Detected: 0
(No malicious items detected)
 
Files Detected: 0
(No malicious items detected)
 
Physical Sectors Detected: 0
(No malicious items detected)
 
(end)
 
*************************************************************************
 
I have also noticed that my computers name has changed. I noticed it when I was in my Bitdefender screen that shows me all my devices that I have BD installed on. My computer's name USED to be Colleen7  (my other computers are named colleen8 & colleen10.) but now it is reading  7Colleen. Don't know if that helps any... and I am not sure when that happened but it has happened.


#11 nasdaq


Posted 26 May 2017 - 01:39 PM


Please download and install Revo Uninstaller (Freeware) from here.

Run Revo Uninstaller and select everything associated with Bitdefender.
Click Uninstall icon and follow the prompts
When finished choose Scan
Delete all the highlighted Registry items
Click Next
Select all the folders and files listed by Revo
Click Delete
Reboot the computer when Revo is finished.

===

Download to your Desktop the Junkware Removal Tool Download from this link.
http://www.bleepingcomputer.com/download/junkware-removal-tool/

Shutdown your antivirus to avoid any conflicts.
Right click the icon - disable for say 20 mins.
Right-mouse click JRT.exe and select Run as administrator (If using XP just double click on the icon to run it.)
The tool will open and start scanning your system.
Please be patient as this can take a while to complete.
On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
Post the contents of JRT.txt into your next message.
======

Let's see what we can find in the Registry.

Farbar Recovery Scan Tool (FRST) - Registry Search
Follow the instructions below to download and execute a Registry search on your system with FRST, and provide the log in your next reply.
  • Right-click on the executable and select Run as Administrator (for Windows Vista, 7, 8, 8.1 and 10 users);
  • Accept the disclaimer by clicking on Yes, and FRST will then do a back-up of your Registry which should take a few seconds;
  • In the Search text area, copy and paste the following:
S-1-5-5-0-166353
  • Once done, click on the Search Registry button and wait for FRST to finish the search;
  • On completion, a log will open in Notepad. Copy and paste its content in your next reply;


#12 Off_the_deep_end


Posted 28 May 2017 - 11:14 AM

Hi, 

 

Ok so I downloaded Revo went to run as admin and got this message--

 

 

Setup is unable to create the directory

C:\Users\Colleen\appdata\local\temp\is-GCSB.tmp

Error 5: access denied

 

So I moved on to the JRT link and was greeted with--

 

Could not create folder

C:\users\colleen\appdata\local\temp\jrt

Access is denied

 

 

I then continued on to the FRST tool. I did as you instructed and the log is below. I am also going to run the FRST program with all the other crazy numbers I have written down as I came across them and will post them here in another post as well. The first one found nothing... go figure. 

 

Farbar Recovery Scan Tool (x64) Version: 24-05-2017
Ran by Colleen (27-05-2017 08:06:00)
Running from C:\Users\Colleen\Desktop
Boot Mode: Normal
 
================== Search Registry: "S-1-5-5-0-166353" ===========
 
 
====== End of Search ======
 
I am going to run this one one more time just for good measure...... 


#13 nasdaq


Posted 28 May 2017 - 12:49 PM


Try this.
Turn Off UAC (User Account Control) in Control Panel
https://superuser.com/questions/83677/disabling-uac-on-windows-7

If that still gives you Access denied let me know what the PATH of the operating system looks like.

How to find the PATH
http://geekswithblogs.net/renso/archive/2009/10/21/how-to-set-the-windows-path-in-windows-7.aspx
---

Create a new profile.

https://support.microsoft.com/en-us/help/14039/windows-7-fix-corrupted-user-profile

Keep me posted as to what is working for you.

#14 Off_the_deep_end


Posted 28 May 2017 - 05:26 PM

******NOTE ABOUT THIS POST*****  
So I was working on this earlier today and thought I had posted it but for some reason it did not post so I am posting it now. I have to leave for a few hours but as soon as I get back I am going to do what you have asked with the user account controls and the rest of your requests. Thank you so much for helping me with this nightmare....hopefully it will end soon. LOL.

 

One of the scans turned up a huge list of things found. But when I posted it it told me my post was too long and I needed to shorten it. So I am going to post it right after this...hoping it will all fit in one post otherwise I will break it up further.
 
 
 
So I redid the scan and it found the same nothing........ I am going to start working on the other numbers right now and hopefully find something....
 
Farbar Recovery Scan Tool (x64) Version: 28-05-2017
Ran by Colleen (28-05-2017 10:22:02)
Running from C:\Users\Colleen\Desktop
Boot Mode: Normal
 
================== Search Registry: "S-1-5-5-0-2738506" ===========
 
 
====== End of Search ======
 
 
************* on to the next one..

 

 

Ok, so I am going to just attach the file as it is ridiculously super long... It killed my chrome when I did a copy /paste and then it took me like 2 minutes to highlight the text that I just cut out. Just when I thought I was not gonna find anything it returned a small novel to me. YIKES!!

 

 

Attached File  1-5-21-1359280114 SearchReg.txt   415.13KB   5 downloads   

 

 

 

Farbar Recovery Scan Tool (x64) Version: 28-05-2017
Ran by Colleen (28-05-2017 11:02:13)
Running from C:\Users\Colleen\Desktop
Boot Mode: Normal
 
================== Search Registry: "S-1-5-5-0-636977" ===========
 
 
====== End of Search ======
 
*******************************
 

And I had one more final scan that found nothing... 
 

Farbar Recovery Scan Tool (x64) Version: 28-05-2017
Ran by Colleen (28-05-2017 12:19:44)
Running from C:\Users\Colleen\Desktop
Boot Mode: Normal
 
================== Search Registry: "S-1-5-5-0-474285" ===========
 
 
====== End of Search ======
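
Added example, not part of any post in this thread: a small parser that classifies the SID strings searched for above by their documented structure (S-1-5-5-X-Y is a per-logon session SID, S-1-5-21-… identifies an account on a machine or domain). The function names and the S-1-5-21, S-1-5-32 and S-1-5-18 sample values are constructed for illustration; the truncated value from the attachment name is kept as posted.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Well-known values from Microsoft's documented SID layout (S-R-I-S-S...).
WELL_KNOWN_NT = {18: "Local System", 19: "Local Service", 20: "Network Service"}
WELL_KNOWN_RIDS = {500: "built-in Administrator", 501: "built-in Guest"}
SID_RE = re.compile(r"^S-(\d+)-(\d+)((?:-\d+)+)$", re.IGNORECASE)

@dataclass
class SidInfo:
    sid: str
    kind: str
    detail: str

def classify_sid(text: str) -> SidInfo:
    """Classify one SID string as shown on a file's Security tab."""
    m = SID_RE.match(text.strip())
    if not m:
        return SidInfo(text, "invalid", "not a complete SID string")
    revision, authority = int(m.group(1)), int(m.group(2))
    subs = [int(p) for p in m.group(3).split("-")[1:]]
    if revision != 1 or authority != 5:  # 5 = NT AUTHORITY
        return SidInfo(text, "other", f"identifier authority {authority}")
    first, rest = subs[0], subs[1:]
    if first == 5 and len(rest) == 2:
        # Created for a single logon session; it does not name a stored account.
        return SidInfo(text, "logon-session", f"session id {rest[0]}-{rest[1]}")
    if first == 21 and len(rest) == 4:
        rid = rest[-1]
        label = WELL_KNOWN_RIDS.get(rid, "account" if rid >= 1000 else "well-known RID")
        return SidInfo(text, "account", f"RID {rid} ({label})")
    if first == 32 and len(rest) == 1:
        return SidInfo(text, "builtin-group", f"BUILTIN alias RID {rest[0]}")
    if first in WELL_KNOWN_NT and not rest:
        return SidInfo(text, "well-known", WELL_KNOWN_NT[first])
    return SidInfo(text, "other", "NT AUTHORITY SID not covered here")

def summarize(sids):
    """Count how many SIDs fall into each category."""
    return dict(Counter(classify_sid(s).kind for s in sids))

# First four values are quoted in the thread; the next three are constructed;
# the last is the truncated string from the attachment name, left incomplete.
SAMPLES = ["S-1-5-5-0-166353", "S-1-5-5-0-2738506", "S-1-5-5-0-636977",
           "S-1-5-5-0-474285", "S-1-5-21-1111111111-2222222222-3333333333-1001",
           "S-1-5-32-544", "S-1-5-18", "1-5-21-1359280114"]

if __name__ == "__main__":
    for s in SAMPLES:
        print(classify_sid(s))
```
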



#15 nasdaq


Posted 29 May 2017 - 07:42 AM

Unless my eyes are deceiving me nothing malicious was found on the Farbar search log.

Where are you with my other recommendations?



