Possible Internet Security Essentials Infection?


This topic is locked
9 replies to this topic

#1 Carpentry


Posted 12 June 2017 - 09:58 AM

It was recommended that I post here from the "Am I Infected" section. (https://www.bleepingcomputer.com/forums/t/648901/tool-is-blocking-ie-re-directions-but-av-scans-come-out-clean/)

I was having issues with IE not working, then having an internet security tool tell me it was blocking redirection. There was also an issue with an unusually high frequency of IPs blocked by Malwarebytes alongside a few established, unknown inbound connections to svchost.


I saw that Internet Security Essentials was listed as Comodo software and it appeared legitimate. During the IE redirect warnings I accepted a "continue anyway" option, but it did nothing and I removed the tool; IE didn't redirect afterwards. I changed my IP address and stealthed my ports using my firewall, and there have been no notifications from Malwarebytes these past 14 hours.


I ran scans with several AV and security programs while Cleaning Essentials was installed and nothing came out funky. I used Bitdefender, Avast, EEMK, SUPERAntiSpyware, Malwarebytes. (I am only set up with 1 AV, Free Avast, Malwarebytes Premium, and Free Comodo Suite set to Firewall only.)


Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 11-06-2017
Ran by -- (administrator) on ---PC (12-06-2017 07:26:14)
Running from C:\Users\--\Desktop
Loaded Profiles: -- (Available Profiles: --)
Platform: Windows 7 Home Premium Service Pack 1 (X64) Language: English (United States)
Internet Explorer Version 11 (Default browser not detected!)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(NVIDIA Corporation) C:\Windows\System32\nvvsvc.exe
(NVIDIA Corporation) C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvscpapisvr.exe
(COMODO) C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe
(AVAST Software) C:\Program Files\AVAST Software\Avast\AvastSvc.exe
(Andrea Electronics Corporation) C:\Program Files\Realtek\Audio\HDA\AERTSr64.exe
(Intel Corporation) C:\Program Files\Intel\BluetoothHS\BTHSAmpPalService.exe
(Apple Inc.) C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
(Intel® Corporation) C:\Program Files\Intel\BluetoothHS\BTHSSecurityMgr.exe
(Intel® Corporation) C:\Program Files\Intel\WiFi\bin\EvtEng.exe
() C:\Program Files (x86)\Comodo\IceDragon\icedragon_updater.exe
(Logitech Inc.) C:\Program Files\Logitech Gaming Software\Drivers\APOService\LogiRegistryService.exe
(Intel® Corporation) C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe
(Malwarebytes) C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe
(AVAST Software s.r.o.) C:\Program Files\AVAST Software\Avast\x64\aswidsagenta.exe
(COMODO) C:\Program Files\COMODO\COMODO Internet Security\cistray.exe
(COMODO) C:\Program Files\COMODO\COMODO Internet Security\cavwp.exe
(Intel® Corporation) C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe
(Intel Corporation) C:\Windows\System32\hkcmd.exe
(Intel Corporation) C:\Windows\System32\igfxpers.exe
(Logitech Inc.) C:\Program Files\Logitech Gaming Software\LCore.exe
(COMODO) C:\Program Files\COMODO\COMODO Internet Security\cis.exe
(COMODO) C:\Program Files\COMODO\COMODO Internet Security\cis.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\Display\nvtray.exe
() C:\Program Files (x86)\STMicroelectronics\AccelerometerP11\FF_Protection.exe
(NVIDIA Corporation) C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe
(Malwarebytes) C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe
(Flux Software LLC) C:\Users\--\AppData\Local\FluxSoftware\Flux\flux.exe
(Microsoft Corporation) C:\Windows\System32\StikyNot.exe
(Microsoft Corporation) C:\Program Files (x86)\Microsoft Office\Office14\ONENOTEM.EXE
(AVAST Software) C:\Program Files\AVAST Software\Avast\AvastUI.exe
(Oracle Corporation) C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
(Microsoft Corporation) C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
(Comodo Inc.) C:\Program Files (x86)\Comodo\IceDragon\icedragon.exe
(Microsoft Corporation) C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\LMS\LMS.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe
(Microsoft Corporation) C:\Windows\System32\CompatTelRunner.exe
(Microsoft Corporation) C:\Windows\System32\CompatTelRunner.exe
(Intel Corporation) C:\Windows\System32\igfxsrvc.exe

==================== Registry (Whitelisted) ====================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [IntelPAN] => C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe [1935120 2011-07-27] (Intel® Corporation)
HKLM\...\Run: [COMODO Internet Security] => C:\Program Files\COMODO\COMODO Internet Security\cistray.exe [1487552 2017-04-22] (COMODO)
HKLM\...\Run: [Launch LCore] => C:\Program Files\Logitech Gaming Software\LCore.exe [15818872 2016-06-27] (Logitech Inc.)
HKLM\...\Run: [FreeFallProtection] => C:\Program Files (x86)\STMicroelectronics\AccelerometerP11\FF_Protection.exe [686704 2016-07-14] ()
HKLM\...\Run: [NvBackend] => C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe [2397120 2016-09-30] (NVIDIA Corporation)
HKLM\...\Run: [RTHDVCPL] => C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe [7214696 2016-12-18] (Realtek Semiconductor)
HKLM\...\Run: [RtHDVBg] => C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe [2226280 2016-12-18] (Realtek Semiconductor)
HKLM\...\Run: [Malwarebytes TrayApp] => C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\mbamtray.exe [2780112 2017-01-20] (Malwarebytes)
HKLM\...\Run: [AvastUI.exe] => C:\Program Files\AVAST Software\Avast\AvLaunch.exe [213824 2017-06-08] (AVAST Software)
HKLM-x32\...\Run: [BCSSync] => C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe [89184 2012-11-05] (Microsoft Corporation)
HKLM-x32\...\Run: [IseUI] => C:\Program Files (x86)\COMODO\Internet Security Essentials\vkise.exe
HKLM-x32\...\Run: [SunJavaUpdateSched] => C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe [587288 2017-03-15] (Oracle Corporation)
Winlogon\Notify\igfxcui: C:\Windows\system32\igfxdev.dll (Intel Corporation)
HKU\S-1-5-21-2155871709-899169398-2161320827-1000\...\Run: [f.lux] => C:\Users\--\AppData\Local\FluxSoftware\Flux\flux.exe [1017224 2013-10-23] (Flux Software LLC)
HKU\S-1-5-21-2155871709-899169398-2161320827-1000\...\Run: [RESTART_STICKY_NOTES] => C:\Windows\System32\StikyNot.exe [427520 2009-07-13] (Microsoft Corporation)
HKU\S-1-5-21-2155871709-899169398-2161320827-1000\...\Run: [Google Update] => C:\Users\--\AppData\Local\Google\Update\1.3.33.5\GoogleUpdateCore.exe [601168 2017-04-28] (Google Inc.)
AppInit_DLLs: C:\Windows\system32\nvinitx.dll => C:\Windows\system32\nvinitx.dll [179952 2016-09-30] (NVIDIA Corporation)
AppInit_DLLs-x32: C:\Windows\SysWOW64\nvinit.dll => C:\Windows\SysWOW64\nvinit.dll [157464 2016-09-30] (NVIDIA Corporation)
ShellIconOverlayIdentifiers: [00asw] -> {472083B0-C522-11CF-8763-00608CC02F24} => C:\Program Files\AVAST Software\Avast\ashShA64.dll [2017-06-08] (AVAST Software)
ShellIconOverlayIdentifiers: [00avg] -> {472083B0-C522-11CF-8763-00608CC02F24} => C:\Program Files\AVAST Software\Avast\ashShA64.dll [2017-06-08] (AVAST Software)
Startup: C:\Users\--\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneNote 2010 Screen Clipper and Launcher.lnk [2017-05-27]
ShortcutTarget: OneNote 2010 Screen Clipper and Launcher.lnk -> C:\Program Files (x86)\Microsoft Office\Office14\ONENOTEM.EXE (Microsoft Corporation)

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

Hosts: There are more than one entry in Hosts. See Hosts section of Addition.txt
Tcpip\Parameters: [DhcpNameServer] 209.18.47.61 209.18.47.62
Tcpip\..\Interfaces\{DDF3B741-24E9-4F6A-BFFA-93EEA0A9460D}: [DhcpNameServer] 209.18.47.61 209.18.47.62

Internet Explorer:
==================
HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Start Page = about:blank
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Page_URL =
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Search_URL =
BHO: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL [2013-03-06] (Microsoft Corporation)
BHO-x32: Groove GFS Browser Helper -> {72853161-30C5-4D22-B7F9-0BBC1D38A37E} -> C:\Program Files (x86)\Microsoft Office\Office14\GROOVEEX.DLL [2013-12-18] (Microsoft Corporation)
BHO-x32: Java™ Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files (x86)\Java\jre1.8.0_131\bin\ssv.dll [2017-06-08] (Oracle Corporation)
BHO-x32: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files (x86)\Microsoft Office\Office14\URLREDIR.DLL [2013-03-06] (Microsoft Corporation)
BHO-x32: Java™ Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files (x86)\Java\jre1.8.0_131\bin\jp2ssv.dll [2017-06-08] (Oracle Corporation)

FireFox:
========
FF DefaultProfile: ditobvsl.default
FF ProfilePath: C:\Users\--\AppData\Roaming\Mozilla\Firefox\Profiles\cu6b082q.default-1490221692241 [2017-06-11]
FF Extension: (Disconnect) - C:\Users\--\AppData\Roaming\Mozilla\Firefox\Profiles\cu6b082q.default-1490221692241\Extensions\2.0@disconnect.me.xpi [2017-04-04]
FF Extension: (HTTPS Everywhere) - C:\Users\--\AppData\Roaming\Mozilla\Firefox\Profiles\cu6b082q.default-1490221692241\Extensions\https-everywhere@eff.org.xpi [2017-06-06]
FF Extension: (Self-Destructing Cookies) - C:\Users\--\AppData\Roaming\Mozilla\Firefox\Profiles\cu6b082q.default-1490221692241\Extensions\jid0-9XfBwUWnvPx4wWsfBWMCm4Jj69E@jetpack.xpi [2017-04-13]
FF Extension: (uBlock Origin) - C:\Users\--\AppData\Roaming\Mozilla\Firefox\Profiles\cu6b082q.default-1490221692241\Extensions\uBlock0@raymondhill.net.xpi [2017-05-14]
FF Extension: (NoScript) - C:\Users\--\AppData\Roaming\Mozilla\Firefox\Profiles\cu6b082q.default-1490221692241\Extensions\{73a6fe31-595d-460b-a920-fcc0f8843232}.xpi [2017-05-30]
FF Extension: (Disable TLS Certificate Transparency) - C:\Users\--\AppData\Roaming\Mozilla\Firefox\Profiles\cu6b082q.default-1490221692241\features\{b5c396df-a541-4634-9876-a263213f91ab}\disable-cert-transparency@mozilla.org.xpi [2017-04-18]
FF Extension: (Disable Prefetch) - C:\Users\--\AppData\Roaming\Mozilla\Firefox\Profiles\cu6b082q.default-1490221692241\features\{b5c396df-a541-4634-9876-a263213f91ab}\disable-prefetch@mozilla.org.xpi [2017-04-18]
FF ProfilePath: C:\Users\--\AppData\Roaming\Comodo\IceDragon\Profiles\ditobvsl.default [2017-06-12]
FF DefaultSearchEngine: Comodo\IceDragon\Profiles\ditobvsl.default -> Yahoo! US
FF DefaultSearchEngine.US: Comodo\IceDragon\Profiles\ditobvsl.default -> Yahoo! US
FF NetworkProxy: Comodo\IceDragon\Profiles\ditobvsl.default -> gopher", ""
FF NetworkProxy: Comodo\IceDragon\Profiles\ditobvsl.default -> gopher_port", 0
FF Extension: (Disconnect) - C:\Users\--\AppData\Roaming\Comodo\IceDragon\Profiles\ditobvsl.default\Extensions\2.0@disconnect.me.xpi [2017-04-04]
FF Extension: (Firebug) - C:\Users\--\AppData\Roaming\Comodo\IceDragon\Profiles\ditobvsl.default\Extensions\firebug@software.joehewitt.com.xpi [2017-03-01]
FF Extension: (Ghostery) - C:\Users\--\AppData\Roaming\Comodo\IceDragon\Profiles\ditobvsl.default\Extensions\firefox@ghostery.com.xpi [2017-05-06]
FF Extension: (HTTPS Everywhere) - C:\Users\--\AppData\Roaming\Comodo\IceDragon\Profiles\ditobvsl.default\Extensions\https-everywhere@eff.org.xpi [2017-05-22]
FF Extension: (Self-Destructing Cookies) - C:\Users\--\AppData\Roaming\Comodo\IceDragon\Profiles\ditobvsl.default\Extensions\jid0-9XfBwUWnvPx4wWsfBWMCm4Jj69E@jetpack.xpi [2017-05-01]
FF Extension: (Privacy Badger) - C:\Users\--\AppData\Roaming\Comodo\IceDragon\Profiles\ditobvsl.default\Extensions\jid1-MnnxcxisBPnSXQ@jetpack.xpi [2017-05-11]
FF Extension: (uBlock Origin) - C:\Users\--\AppData\Roaming\Comodo\IceDragon\Profiles\ditobvsl.default\Extensions\uBlock0@raymondhill.net.xpi [2017-05-15]
FF Extension: (uMatrix) - C:\Users\--\AppData\Roaming\Comodo\IceDragon\Profiles\ditobvsl.default\Extensions\uMatrix@raymondhill.net.xpi [2017-06-11]
FF Extension: (NoScript) - C:\Users\--\AppData\Roaming\Comodo\IceDragon\Profiles\ditobvsl.default\Extensions\{73a6fe31-595d-460b-a920-fcc0f8843232}.xpi [2017-05-11]
FF Extension: (DragAndDrop) - C:\Program Files (x86)\Comodo\IceDragon\browser\features\DnD@comodo.com [2017-05-30] [not signed]
FF Extension: (COMODO SecureBox) - C:\Program Files (x86)\Comodo\IceDragon\browser\features\@csb [2017-05-30] [not signed]
FF Plugin: @adobe.com/FlashPlayer -> C:\Windows\system32\Macromed\Flash\NPSWF64_25_0_0_171.dll [2017-05-10] ()
FF Plugin: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files\Microsoft Silverlight\5.1.50906.0\npctrl.dll [2017-03-09] ( Microsoft Corporation)
FF Plugin: @microsoft.com/OfficeAuthz,version=14.0 -> C:\PROGRA~1\MICROS~2\Office14\NPAUTHZ.DLL [2010-01-09] (Microsoft Corporation)
FF Plugin-x32: @adobe.com/FlashPlayer -> C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_25_0_0_171.dll [2017-05-10] ()
FF Plugin-x32: @Apple.com/iTunes,version=1.0 -> C:\Program Files (x86)\iTunes\Mozilla Plugins\npitunes.dll [2015-12-18] ()
FF Plugin-x32: @java.com/DTPlugin,version=11.131.2 -> C:\Program Files (x86)\Java\jre1.8.0_131\bin\dtplugin\npDeployJava1.dll [2017-06-08] (Oracle Corporation)
FF Plugin-x32: @java.com/JavaPlugin,version=11.131.2 -> C:\Program Files (x86)\Java\jre1.8.0_131\bin\plugin2\npjp2.dll [2017-06-08] (Oracle Corporation)
FF Plugin-x32: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin-x32: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files (x86)\Microsoft Silverlight\5.1.50906.0\npctrl.dll [2017-03-09] ( Microsoft Corporation)
FF Plugin-x32: @microsoft.com/OfficeAuthz,version=14.0 -> C:\PROGRA~2\MICROS~1\Office14\NPAUTHZ.DLL [2010-01-09] (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/SharePoint,version=14.0 -> C:\PROGRA~2\MICROS~1\Office14\NPSPWRAP.DLL [2010-03-24] (Microsoft Corporation)
FF Plugin-x32: @nvidia.com/3DVision -> C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dv.dll [2016-09-30] (NVIDIA Corporation)
FF Plugin-x32: @nvidia.com/3DVisionStreaming -> C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dvstreaming.dll [2016-09-30] (NVIDIA Corporation)
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.33.5\npGoogleUpdate3.dll [2017-04-28] (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.33.5\npGoogleUpdate3.dll [2017-04-28] (Google Inc.)
FF Plugin-x32: Adobe Reader -> C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AIR\nppdf32.dll [2017-04-04] (Adobe Systems Inc.)
FF Plugin HKU\S-1-5-21-2155871709-899169398-2161320827-1000: @citrixonline.com/appdetectorplugin -> C:\Users\--\AppData\Local\Citrix\Plugins\104\npappdetector.dll [2017-02-15] (Citrix Online)
FF Plugin HKU\S-1-5-21-2155871709-899169398-2161320827-1000: @talk.google.com/GoogleTalkPlugin -> C:\Users\--\AppData\Roaming\Mozilla\plugins\npgoogletalk.dll [2015-12-08] (Google)
FF Plugin HKU\S-1-5-21-2155871709-899169398-2161320827-1000: @talk.google.com/O1DPlugin -> C:\Users\--\AppData\Roaming\Mozilla\plugins\npo1d.dll [2015-12-08] (Google)
FF Plugin HKU\S-1-5-21-2155871709-899169398-2161320827-1000: @tools.google.com/Google Update;version=3 -> C:\Users\--\AppData\Local\Google\Update\1.3.33.5\npGoogleUpdate3.dll [2017-04-28] (Google Inc.)
FF Plugin HKU\S-1-5-21-2155871709-899169398-2161320827-1000: @tools.google.com/Google Update;version=9 -> C:\Users\--\AppData\Local\Google\Update\1.3.33.5\npGoogleUpdate3.dll [2017-04-28] (Google Inc.)
FF Plugin ProgramFiles/Appdata: C:\Users\--\AppData\Roaming\mozilla\plugins\npgoogletalk.dll [2015-12-08] (Google)
FF Plugin ProgramFiles/Appdata: C:\Users\--\AppData\Roaming\mozilla\plugins\npo1d.dll [2015-12-08] (Google)

Chrome:
=======
CHR DefaultSearchURL: Default -> hxxps://search.yahoo.com/yhs/search?p={searchTerms}&hspart=comodo&hsimp=yhs-ccs&type=default
CHR DefaultSearchKeyword: Default -> Yahoo
CHR DefaultSuggestURL: Default -> hxxps://search.yahoo.com/sugg/ie?output=fxjson&command={searchTerms}&nResults=10
CHR Profile: C:\Users\--\AppData\Local\Google\Chrome\User Data\Default [2017-06-11]
CHR Extension: (Google Slides) - C:\Users\--\AppData\Local\Google\Chrome\User Data\Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek [2017-01-12]
CHR Extension: (Google Docs) - C:\Users\--\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake [2017-01-12]
CHR Extension: (YouTube) - C:\Users\--\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2016-05-29]
CHR Extension: (Adblock Plus) - C:\Users\--\AppData\Local\Google\Chrome\User Data\Default\Extensions\cfhdojbkjhnklbpkdaibdccddilifddb [2017-03-21]
CHR Extension: (Google Sheets) - C:\Users\--\AppData\Local\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap [2016-05-29]
CHR Extension: (Google Docs Offline) - C:\Users\--\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi [2016-05-29]
CHR Extension: (Yahoo Partner) - C:\Users\--\AppData\Local\Google\Chrome\User Data\Default\Extensions\hcjjaajflhellmcfcecojihhmdbjmmlm [2016-10-11]
CHR Extension: (Chrome Web Store Payments) - C:\Users\--\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2017-03-08]
CHR Extension: (Gmail) - C:\Users\--\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2016-05-29]
CHR Extension: (Chrome Media Router) - C:\Users\--\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm [2017-05-17]
CHR HKU\S-1-5-21-2155871709-899169398-2161320827-1000\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [hcjjaajflhellmcfcecojihhmdbjmmlm] - hxxps://clients2.google.com/service/update2/crx
CHR HKU\S-1-5-21-2155871709-899169398-2161320827-1000\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [mbckjcfnjmoiinpgddefodcighgikkgn] - hxxps://clients2.google.com/service/update2/crx

==================== Services (Whitelisted) ====================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R2 Apple Mobile Device Service; C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe [83768 2016-03-02] (Apple Inc.)
R3 aswbIDSAgent; C:\Program Files\AVAST Software\Avast\x64\aswidsagenta.exe [7346208 2017-06-08] (AVAST Software s.r.o.)
R2 avast! Antivirus; C:\Program Files\AVAST Software\Avast\AvastSvc.exe [263304 2017-06-08] (AVAST Software)
R2 CmdAgent; C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe [10512032 2017-04-22] (COMODO)
S3 cmdvirth; C:\Program Files\COMODO\COMODO Internet Security\cmdvirth.exe [2876096 2017-04-22] (COMODO)
R2 IceDragonUpdater; C:\Program Files (x86)\Comodo\IceDragon\icedragon_updater.exe [4295328 2017-05-24] ()
R2 LogiRegistryService; C:\Program Files\Logitech Gaming Software\Drivers\APOService\LogiRegistryService.exe [193656 2016-06-27] (Logitech Inc.)
R2 MBAMService; C:\Program Files\Malwarebytes\Anti-Malware\mbamservice.exe [4355024 2017-01-20] (Malwarebytes)
S3 MyWiFiDHCPDNS; C:\Program Files\Intel\WiFi\bin\PanDhcpDns.exe [340240 2011-07-27] ()
S3 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [1011712 2013-05-26] (Microsoft Corporation)

===================== Drivers (Whitelisted) ======================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R1 aswbidsdriver; C:\Windows\system32\drivers\aswbidsdrivera.sys [311808 2017-06-08] (AVAST Software s.r.o.)
R0 aswbidsh; C:\Windows\system32\drivers\aswbidsha.sys [190256 2017-06-08] (AVAST Software s.r.o.)
R0 aswblog; C:\Windows\system32\drivers\aswbloga.sys [334576 2017-06-08] (AVAST Software s.r.o.)
R0 aswbuniv; C:\Windows\system32\drivers\aswbuniva.sys [49016 2017-06-08] (AVAST Software s.r.o.)
S3 aswHwid; C:\Windows\system32\drivers\aswHwid.sys [38296 2017-06-08] (AVAST Software)
R2 aswMonFlt; C:\Windows\system32\drivers\aswMonFlt.sys [128648 2017-06-08] (AVAST Software)
R1 aswRdr; C:\Windows\system32\drivers\aswRdr2.sys [101152 2017-06-08] (AVAST Software)
R0 aswRvrt; C:\Windows\system32\drivers\aswRvrt.sys [75704 2017-06-08] (AVAST Software)
R1 aswSnx; C:\Windows\system32\drivers\aswSnx.sys [1007160 2017-06-08] (AVAST Software)
R1 aswSP; C:\Windows\system32\drivers\aswSP.sys [569192 2017-06-08] (AVAST Software)
R2 aswStm; C:\Windows\system32\drivers\aswStm.sys [158880 2017-06-08] (AVAST Software)
R0 aswVmm; C:\Windows\system32\drivers\aswVmm.sys [339696 2017-06-08] (AVAST Software)
S3 avckf; C:\Windows\System32\DRIVERS\avckf.sys [878072 2016-09-20] (BitDefender)
R1 cmderd; C:\Windows\System32\DRIVERS\cmderd.sys [31664 2017-03-28] (COMODO)
R1 cmdGuard; C:\Windows\System32\DRIVERS\cmdguard.sys [848736 2017-03-28] (COMODO)
R1 cmdHlp; C:\Windows\System32\DRIVERS\cmdhlp.sys [57504 2017-03-28] (COMODO)
R1 epp; C:\EEK\bin64\epp.sys [116944 2016-06-30] (Emsisoft Ltd)
R1 ESProtectionDriver; C:\Windows\system32\drivers\mbae64.sys [77440 2017-06-07] ()
R1 inspect; C:\Windows\System32\DRIVERS\inspect.sys [119392 2017-03-28] (COMODO)
R2 LGCoreTemp; C:\Program Files\Logitech Gaming Software\Drivers\LgCoreTemp\lgcoretemp.sys [14184 2015-06-21] (Logitech)
R3 LGJoyXlCore; C:\Windows\System32\drivers\LGJoyXlCore.sys [85160 2016-06-27] (Logitech Inc.)
R2 MBAMChameleon; C:\Windows\system32\drivers\MBAMChameleon.sys [186304 2017-06-07] (Malwarebytes)
R3 MBAMFarflt; C:\Windows\system32\drivers\farflt.sys [111544 2017-06-12] (Malwarebytes)
R3 MBAMProtection; C:\Windows\system32\drivers\mbam.sys [43968 2017-06-12] (Malwarebytes)
R3 MBAMSwissArmy; C:\Windows\system32\drivers\MBAMSwissArmy.sys [251832 2017-06-12] (Malwarebytes)
R3 MBAMWebProtection; C:\Windows\system32\drivers\mwac.sys [82720 2017-06-12] (Malwarebytes)
R1 nvkflt; C:\Windows\System32\DRIVERS\nvkflt.sys [307768 2016-09-30] (NVIDIA Corporation)
S3 PSKMAD; C:\Windows\System32\DRIVERS\PSKMAD.sys [50320 2016-08-05] (Panda Security, S.L.)
U1 aswbdisk; no ImagePath
S4 nvvad_WaveExtensible; system32\drivers\nvvad64v.sys [X]
S3 X6va062; \??\C:\Windows\SysWOW64\Drivers\X6va062 [X]
S3 xhunter1; \??\C:\Windows\xhunter1.sys [X]

==================== NetSvcs (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)


==================== One Month Created files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2017-06-12 07:18 - 2017-06-12 07:18 - 00000000 ____D C:\ProgramData\SWCUTemp
2017-06-11 23:44 - 2017-06-11 23:44 - 00000000 ____D C:\Windows\System32\Tasks\Apple
2017-06-11 23:37 - 2017-06-11 23:37 - 00080929 _____ C:\Users\--\Desktop\Addition.txt
2017-06-11 23:36 - 2017-06-12 07:26 - 00022726 _____ C:\Users\--\Desktop\FRST.txt
2017-06-11 20:57 - 2017-06-11 20:57 - 00000000 ___DL C:\Users\--\AppData\LocalLow\PlayReady
2017-06-11 16:52 - 2017-06-11 16:52 - 00132272 _____ C:\Users\--\Desktop\hosts.zip
2017-06-11 16:10 - 2017-04-27 15:50 - 03550208 _____ (Microsoft Corporation) C:\Windows\SysWOW64\D3DCompiler_47.dll
2017-06-11 16:10 - 2017-04-17 08:37 - 03165184 _____ (Microsoft Corporation) C:\Windows\system32\wucltux.dll
2017-06-11 16:10 - 2017-04-17 08:37 - 00192512 _____ (Microsoft Corporation) C:\Windows\system32\wuwebv.dll
2017-06-11 16:10 - 2017-04-17 08:37 - 00098816 _____ (Microsoft Corporation) C:\Windows\system32\wudriver.dll
2017-06-11 16:10 - 2017-04-17 08:35 - 00091136 _____ (Microsoft Corporation) C:\Windows\system32\WinSetupUI.dll
2017-06-11 16:10 - 2017-04-17 08:23 - 02651136 _____ (Microsoft Corporation) C:\Windows\system32\wuaueng.dll
2017-06-11 16:10 - 2017-04-17 08:22 - 00709120 _____ (Microsoft Corporation) C:\Windows\system32\wuapi.dll
2017-06-11 16:10 - 2017-04-17 08:21 - 00140288 _____ (Microsoft Corporation) C:\Windows\system32\wuauclt.exe
2017-06-11 16:10 - 2017-04-17 08:21 - 00037888 _____ (Microsoft Corporation) C:\Windows\system32\wups2.dll
2017-06-11 16:10 - 2017-04-17 08:21 - 00037888 _____ (Microsoft Corporation) C:\Windows\system32\wuapp.exe
2017-06-11 16:10 - 2017-04-17 08:21 - 00036864 _____ (Microsoft Corporation) C:\Windows\system32\wups.dll
2017-06-11 16:10 - 2017-04-17 08:21 - 00012288 _____ (Microsoft Corporation) C:\Windows\system32\wu.upgrade.ps.dll
2017-06-11 16:10 - 2017-04-17 08:12 - 00174080 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wuwebv.dll
2017-06-11 16:10 - 2017-04-17 08:01 - 00573440 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wuapi.dll
2017-06-11 16:10 - 2017-04-17 08:01 - 00093696 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wudriver.dll
2017-06-11 16:10 - 2017-04-17 08:01 - 00035328 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wuapp.exe
2017-06-11 16:10 - 2017-04-17 08:01 - 00030208 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wups.dll
2017-06-11 16:10 - 2017-04-12 06:05 - 04296704 _____ (Microsoft Corporation) C:\Windows\system32\D3DCompiler_47.dll
2017-06-11 14:54 - 2017-05-03 08:34 - 00094952 _____ (Microsoft Corporation) C:\Windows\system32\CompatTelRunner.exe
2017-06-11 14:54 - 2017-05-03 08:29 - 01206272 _____ (Microsoft Corporation) C:\Windows\system32\aeinv.dll
2017-06-11 14:54 - 2017-05-03 06:05 - 01555968 _____ (Microsoft Corporation) C:\Windows\system32\appraiser.dll
2017-06-11 14:54 - 2017-05-03 06:05 - 00620544 _____ (Microsoft Corporation) C:\Windows\system32\generaltel.dll
2017-06-11 14:54 - 2017-05-03 06:05 - 00535552 _____ (Microsoft Corporation) C:\Windows\system32\devinv.dll
2017-06-11 14:54 - 2017-05-03 06:05 - 00325632 _____ (Microsoft Corporation) C:\Windows\system32\invagent.dll
2017-06-11 14:54 - 2017-05-03 06:05 - 00311296 _____ (Microsoft Corporation) C:\Windows\system32\centel.dll
2017-06-11 14:54 - 2017-05-03 06:05 - 00217088 _____ (Microsoft Corporation) C:\Windows\system32\aepic.dll
2017-06-11 14:54 - 2017-05-03 06:05 - 00127488 _____ (Microsoft Corporation) C:\Windows\system32\acmigration.dll
2017-06-11 14:54 - 2017-03-22 19:06 - 01691136 _____ (Microsoft Corporation) C:\Windows\system32\aitstatic.exe
2017-06-11 14:44 - 2017-06-11 14:44 - 00000000 ____D C:\SecurityCheck
2017-06-11 14:38 - 2017-06-11 14:38 - 00001912 _____ C:\Users\--\Desktop\JRT.txt
2017-06-11 09:51 - 2017-06-11 09:51 - 01663672 _____ (Malwarebytes) C:\Users\--\Downloads\JRT.exe
2017-06-11 09:51 - 2017-06-11 09:51 - 00513726 _____ (glax24 (safezone.cc)) C:\Users\--\Desktop\SecurityCheck.exe
2017-06-11 09:47 - 2017-06-11 09:47 - 04110280 _____ C:\Users\--\Downloads\AdwCleaner.exe
2017-06-09 13:29 - 2017-06-09 13:29 - 00892416 _____ (Farbar) C:\Users\--\Downloads\MiniToolBox.exe
2017-06-08 13:09 - 2017-06-08 13:09 - 00001922 _____ C:\Users\Public\Desktop\Avast Free Antivirus.lnk
2017-06-08 13:09 - 2017-06-08 13:09 - 00000000 ____D C:\Users\--\AppData\Roaming\AVAST Software
2017-06-08 13:09 - 2017-06-08 13:09 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\AVAST Software
2017-06-08 13:08 - 2017-06-11 16:02 - 00004172 _____ C:\Windows\System32\Tasks\Avast Emergency Update
2017-06-08 13:08 - 2017-06-08 13:09 - 00158880 _____ (AVAST Software) C:\Windows\system32\Drivers\aswstm.sys
2017-06-08 13:08 - 2017-06-08 13:08 - 00569192 _____ (AVAST Software) C:\Windows\system32\Drivers\aswSP.sys
2017-06-08 13:08 - 2017-06-08 13:08 - 00400456 _____ (AVAST Software) C:\Windows\system32\aswBoot.exe
2017-06-08 13:08 - 2017-06-08 13:08 - 00339696 _____ (AVAST Software) C:\Windows\system32\Drivers\aswVmm.sys
2017-06-08 13:08 - 2017-06-08 13:08 - 00128648 _____ (AVAST Software) C:\Windows\system32\Drivers\aswMonFlt.sys
2017-06-08 13:08 - 2017-06-08 13:08 - 00101152 _____ (AVAST Software) C:\Windows\system32\Drivers\aswRdr2.sys
2017-06-08 13:08 - 2017-06-08 13:08 - 00075704 _____ (AVAST Software) C:\Windows\system32\Drivers\aswRvrt.sys
2017-06-08 13:08 - 2017-06-08 13:08 - 00038296 _____ (AVAST Software) C:\Windows\system32\Drivers\aswHwid.sys
2017-06-08 13:08 - 2017-06-08 13:07 - 01007160 _____ (AVAST Software) C:\Windows\system32\Drivers\aswSnx.sys
2017-06-08 13:08 - 2017-06-08 13:07 - 00334576 _____ (AVAST Software s.r.o.) C:\Windows\system32\Drivers\aswbloga.sys
2017-06-08 13:08 - 2017-06-08 13:07 - 00311808 _____ (AVAST Software s.r.o.) C:\Windows\system32\Drivers\aswbidsdrivera.sys
2017-06-08 13:08 - 2017-06-08 13:07 - 00190256 _____ (AVAST Software s.r.o.) C:\Windows\system32\Drivers\aswbidsha.sys
2017-06-08 13:08 - 2017-06-08 13:07 - 00049016 _____ (AVAST Software s.r.o.) C:\Windows\system32\Drivers\aswbuniva.sys
2017-06-08 13:04 - 2017-06-08 13:04 - 00000000 ____D C:\Program Files\AVAST Software
2017-06-08 13:02 - 2017-06-08 13:37 - 00000000 ____D C:\ProgramData\AVAST Software
2017-06-08 13:02 - 2017-06-08 13:02 - 00029155 _____ C:\ProgramData\agent.1496952126.bdinstall.bin
2017-06-08 12:50 - 2017-06-08 12:50 - 00028750 _____ C:\ProgramData\agent.1496951394.bdinstall.bin
2017-06-08 12:32 - 2017-06-08 12:32 - 00046701 _____ C:\ProgramData\agent.1496950343.bdinstall.bin
2017-06-08 12:28 - 2017-06-08 12:28 - 00029157 _____ C:\ProgramData\agent.1496950096.bdinstall.bin
2017-06-08 12:23 - 2017-06-08 12:24 - 06654960 _____ (AVAST Software) C:\Users\--\Downloads\avast_free_antivirus_setup_online_cnet2.exe
2017-06-08 12:22 - 2017-06-08 12:22 - 08465984 _____ C:\Users\--\Downloads\bitdefender_online(1).exe
2017-06-08 12:22 - 2017-06-08 12:22 - 00028751 _____ C:\ProgramData\agent.1496949750.bdinstall.bin
2017-06-08 12:19 - 2017-06-08 12:19 - 00028739 _____ C:\ProgramData\agent.1496949544.bdinstall.bin
2017-06-06 23:15 - 2017-06-06 23:15 - 00000998 _____ C:\Users\--\Desktop\Music - Shortcut.lnk
2017-06-06 20:15 - 2017-06-07 09:46 - 00186304 _____ (Malwarebytes) C:\Windows\system32\Drivers\MBAMChameleon.sys
2017-06-06 20:14 - 2017-06-12 07:19 - 00082720 _____ (Malwarebytes) C:\Windows\system32\Drivers\mwac.sys
2017-06-06 20:14 - 2017-06-12 07:17 - 00111544 _____ (Malwarebytes) C:\Windows\system32\Drivers\farflt.sys
2017-06-06 20:14 - 2017-06-12 07:17 - 00043968 _____ (Malwarebytes) C:\Windows\system32\Drivers\mbam.sys
2017-06-06 20:14 - 2017-06-07 10:50 - 00077440 _____ C:\Windows\system32\Drivers\mbae64.sys
2017-06-06 20:14 - 2017-06-06 20:14 - 00001867 _____ C:\Users\Public\Desktop\Malwarebytes.lnk
2017-06-06 20:14 - 2017-06-06 20:14 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes
2017-06-06 20:14 - 2017-06-06 20:14 - 00000000 ____D C:\Program Files\Malwarebytes
2017-06-06 19:56 - 2017-06-06 19:56 - 00290816 _____ (SUPERAntiSpyware.com) C:\Users\--\Downloads\SASUNINST64.EXE
2017-06-06 19:50 - 2017-06-06 19:52 - 30201264 _____ (SUPERAntiSpyware) C:\Users\--\Downloads\SUPERAntiSpyware(1).exe
2017-06-06 19:26 - 2017-06-07 09:48 - 00000000 ____D C:\Users\--\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\SUPERAntiSpyware
2017-06-06 18:49 - 2017-06-06 18:49 - 00028739 _____ C:\ProgramData\agent.1496800161.bdinstall.bin
2017-06-06 18:48 - 2017-06-06 18:48 - 00028739 _____ C:\ProgramData\agent.1496800123.bdinstall.bin
2017-06-06 18:06 - 2017-06-06 18:06 - 00000222 _____ C:\Users\--\Desktop\Ghost in the Shell Stand Alone Complex - First Assault Online.url
2017-06-05 12:26 - 2017-06-05 12:26 - 00302964 _____ C:\Users\--\Desktop\cc_20170605_122555 (BACKUP).reg
2017-05-23 20:20 - 2017-05-23 20:20 - 00000000 ____H C:\Users\--\AppData\Local\BIT38BB.tmp
2017-05-23 20:20 - 2017-05-23 20:20 - 00000000 _____ C:\Users\--\AppData\Local\{EA3CA02A-A181-497B-BA47-146C4A0B533F}
2017-05-18 15:27 - 2017-05-18 15:34 - 00027312 _____ C:\WirelessDiagLog.csv

==================== One Month Modified files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2017-06-12 07:26 - 2016-06-19 13:45 - 00000000 ____D C:\FRST
2017-06-12 07:19 - 2016-11-15 14:14 - 00000000 ____D C:\Users\--\AppData\LocalLow\Mozilla
2017-06-12 07:17 - 2017-04-25 21:46 - 00251832 _____ (Malwarebytes) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
2017-06-12 07:17 - 2009-07-13 22:08 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2017-06-12 07:16 - 2016-06-27 22:13 - 00000000 ____D C:\ProgramData\NVIDIA
2017-06-11 23:46 - 2017-02-04 21:46 - 00516746 _____ C:\Windows\system32\Drivers\fvstore.dat
2017-06-11 23:00 - 2016-06-19 13:44 - 02438656 _____ (Farbar) C:\Users\--\Desktop\FRST64.exe
2017-06-11 18:20 - 2009-07-13 20:20 - 00000000 ____D C:\Windows\inf
2017-06-11 16:37 - 2016-06-07 06:46 - 00000000 ____D C:\Program Files (x86)\Comodo
2017-06-11 16:29 - 2009-07-13 21:45 - 00021296 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2017-06-11 16:29 - 2009-07-13 21:45 - 00021296 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2017-06-11 16:17 - 2016-05-16 08:20 - 00000000 ____D C:\Users\--\AppData\Local\ElevatedDiagnostics
2017-06-11 16:14 - 2016-01-30 18:44 - 00904736 _____ C:\Windows\SysWOW64\PerfStringBackup.INI
2017-06-11 16:14 - 2009-07-13 22:13 - 00904736 _____ C:\Windows\system32\PerfStringBackup.INI
2017-06-11 15:53 - 2016-05-22 16:41 - 00000000 ____D C:\Windows\system32\appraiser
2017-06-11 15:35 - 2016-06-07 06:52 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Java
2017-06-11 15:35 - 2016-06-07 06:52 - 00000000 ____D C:\Program Files (x86)\Java
2017-06-11 14:23 - 2016-06-21 10:14 - 00000000 ____D C:\AdwCleaner
2017-06-10 22:51 - 2016-09-16 20:54 - 00000000 ____D C:\ProgramData\Skype
2017-06-10 20:39 - 2016-09-07 16:49 - 00000000 ____D C:\Program Files (x86)\Steam
2017-06-08 13:49 - 2016-06-07 06:53 - 00097856 _____ (Oracle Corporation) C:\Windows\SysWOW64\WindowsAccessBridge-32.dll
2017-06-08 13:17 - 2016-09-07 17:18 - 00000000 ____D C:\ProgramData\Package Cache
2017-06-08 13:10 - 2016-07-16 12:46 - 00000000 ____D C:\temp
2017-06-07 15:42 - 2016-08-26 14:07 - 00000000 ____D C:\EEK
2017-06-06 20:14 - 2016-08-04 15:53 - 00000000 ____D C:\ProgramData\Malwarebytes
2017-06-06 19:43 - 2016-06-21 19:15 - 11584088 _____ (SurfRight B.V.) C:\Users\--\Downloads\hitmanpro_x64.exe
2017-06-06 19:39 - 2016-06-28 22:26 - 00000000 ____D C:\Users\--\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Steam
2017-06-06 17:17 - 2017-04-18 21:32 - 00000000 ____D C:\Users\--\AppData\Roaming\Anki2
2017-05-31 18:49 - 2017-03-10 14:53 - 00112119 _____ C:\Users\--\Desktop\TDEE 3.0.xlsx
2017-05-30 09:58 - 2016-10-19 21:59 - 00000000 ____D C:\ProgramData\boost_interprocess
2017-05-30 09:52 - 2016-06-07 06:46 - 00001062 _____ C:\Users\Public\Desktop\Comodo IceDragon.lnk
2017-05-27 18:36 - 2016-08-03 18:12 - 00000000 ___RD C:\Users\--\Documents\Scanned Documents
2017-05-23 16:42 - 2017-04-20 09:28 - 00000822 _____ C:\Users\Public\Desktop\CCleaner.lnk
2017-05-22 23:03 - 2016-07-17 10:19 - 00000000 ____D C:\Windows\system32\MRT
2017-05-22 23:00 - 2016-07-17 10:15 - 132223576 ____C (Microsoft Corporation) C:\Windows\system32\MRT.exe
2017-05-22 15:39 - 2009-07-13 22:08 - 00032636 _____ C:\Windows\Tasks\SCHEDLGU.TXT
2017-05-18 17:59 - 2009-07-13 20:20 - 00000000 ____D C:\Windows\rescache
2017-05-15 20:10 - 2017-01-12 22:35 - 00002195 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome.lnk
2017-05-15 20:10 - 2017-01-12 22:35 - 00002183 _____ C:\Users\Public\Desktop\Google Chrome.lnk

==================== Files in the root of some directories =======

2016-07-15 18:05 - 2016-07-16 09:58 - 0895346 _____ () C:\Users\--\AppData\Local\ars.cache
2017-05-23 20:20 - 2017-05-23 20:20 - 0000000 ____H () C:\Users\--\AppData\Local\BIT38BB.tmp
2016-07-15 18:06 - 2016-07-16 09:58 - 0780494 _____ () C:\Users\--\AppData\Local\census.cache
2016-06-21 11:43 - 2016-06-21 11:43 - 0000036 _____ () C:\Users\--\AppData\Local\housecall.guid.cache
2016-06-16 13:05 - 2016-06-16 13:05 - 0007607 _____ () C:\Users\--\AppData\Local\Resmon.ResmonCfg
2016-06-21 11:59 - 2016-07-16 09:17 - 0000010 _____ () C:\Users\--\AppData\Local\sponge.last.runtime.cache
2017-05-23 20:20 - 2017-05-23 20:20 - 0000000 _____ () C:\Users\--\AppData\Local\{EA3CA02A-A181-497B-BA47-146C4A0B533F}
2017-04-25 18:57 - 2017-04-25 18:57 - 0047255 _____ () C:\ProgramData\agent.1493171824.bdinstall.bin
2017-04-25 18:58 - 2017-04-25 18:58 - 0028739 _____ () C:\ProgramData\agent.1493171919.bdinstall.bin
2017-04-25 20:15 - 2017-04-25 20:15 - 0028738 _____ () C:\ProgramData\agent.1493176523.bdinstall.bin
2017-06-06 18:48 - 2017-06-06 18:48 - 0028739 _____ () C:\ProgramData\agent.1496800123.bdinstall.bin
2017-06-06 18:49 - 2017-06-06 18:49 - 0028739 _____ () C:\ProgramData\agent.1496800161.bdinstall.bin
2017-06-08 12:19 - 2017-06-08 12:19 - 0028739 _____ () C:\ProgramData\agent.1496949544.bdinstall.bin
2017-06-08 12:22 - 2017-06-08 12:22 - 0028751 _____ () C:\ProgramData\agent.1496949750.bdinstall.bin
2017-06-08 12:28 - 2017-06-08 12:28 - 0029157 _____ () C:\ProgramData\agent.1496950096.bdinstall.bin
2017-06-08 12:32 - 2017-06-08 12:32 - 0046701 _____ () C:\ProgramData\agent.1496950343.bdinstall.bin
2017-06-08 12:50 - 2017-06-08 12:50 - 0028750 _____ () C:\ProgramData\agent.1496951394.bdinstall.bin
2017-06-08 13:02 - 2017-06-08 13:02 - 0029155 _____ () C:\ProgramData\agent.1496952126.bdinstall.bin
2017-04-28 09:26 - 2017-04-28 09:26 - 0029369 _____ () C:\ProgramData\agent.update.1493396785.bdinstall.bin

==================== Bamital & volsnap ======================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\system32\winlogon.exe => File is digitally signed
C:\Windows\system32\wininit.exe => File is digitally signed
C:\Windows\SysWOW64\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\system32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\system32\services.exe => File is digitally signed
C:\Windows\system32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\system32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\system32\rpcss.dll => File is digitally signed
C:\Windows\system32\dnsapi.dll => File is digitally signed
C:\Windows\SysWOW64\dnsapi.dll => File is digitally signed
C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed

LastRegBack: 2017-06-05 09:11

==================== End of FRST.txt ============================


Edited by Carpentry, 12 June 2017 - 10:02 AM.




#2 nasdaq

nasdaq

  • Malware Response Team
  • 39,243 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:10:05 AM

Posted 13 June 2017 - 08:27 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

Please post the Addition.txt file created by the Farbar program.

I need to review both logs at the same time.

#3 Carpentry

Carpentry
  • Topic Starter

  • Members
  • 61 posts
  • OFFLINE
  •  
  • Local time:06:05 AM

Posted 13 June 2017 - 09:43 AM

Woops. Here it is.

Attached Files



#4 nasdaq

nasdaq

  • Malware Response Team
  • 39,243 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:10:05 AM

Posted 13 June 2017 - 12:58 PM

Hi,

Avast and Comodo are endable.
Running both of these antivirus programs at the same time will slow down your system.
Disable one of them.
I suggest you disable Avast first and test the system.
===



Press the Windows key + R on your keyboard at the same time. This will open the Run box.
Type Notepad and click the OK button.

Please copy the entire contents of the code box below to a new file.
 
Start

CreateRestorePoint:
EmptyTemp:
CloseProcesses:

FF Plugin: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin-x32: @microsoft.com/GENUINE -> disabled [No File]
CHR Extension: (Chrome Web Store Payments) - C:\Users\--\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2017-03-08]
CHR Extension: (Chrome Media Router) - C:\Users\--\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm [2017-05-17]
CHR HKU\S-1-5-21-2155871709-899169398-2161320827-1000\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [hcjjaajflhellmcfcecojihhmdbjmmlm] - hxxps://clients2.google.com/service/update2/crx
U1 aswbdisk; no ImagePath
S4 nvvad_WaveExtensible; system32\drivers\nvvad64v.sys [X]
S3 X6va062; \??\C:\Windows\SysWOW64\Drivers\X6va062 [X]
S3 xhunter1; \??\C:\Windows\xhunter1.sys [X]
AlternateDataStreams: C:\Users\--:Heroes & Generals [38]

End
Save the file as fixlist.txt in the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the Farbar log you have submitted.

Run FRST and click Fix only once and wait.

The tool will create a log (Fixlog.txt) please post it to your reply.
===

Reset the browsers that you use and that have been compromised.

How To:
https://www.howtogeek.com/171924/how-to-reset-your-web-browser-to-its-default-settings/
===

Please let me know what problem persists with this computer.
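The fixlist in this post removes driver service entries whose file is gone (the lines FRST marks with [X]), a service with no ImagePath, an orphaned Chrome extension key and an alternate data stream on the user profile, and the FRST log earlier in the thread reports the Authenticode status of core Windows files under "Bamital & volsnap". As an added example that is not code from the thread, from Farbar or from FRST, the following PowerShell script reproduces the read-only side of those three checks with built-in cmdlets, so a reader can see what such a log line is derived from before any fix is applied. The function names are my own, the default file list is the one from the log's "Bamital & volsnap" section, the ImagePath normalisation covers the forms that appear in this fixlist, and the script assumes an elevated prompt on Windows; it lists, it removes nothing.

```powershell
# Added example (not from the thread, Farbar or FRST): read-only checks that
# mirror what the FRST fixlist above acted on. Run from an elevated prompt.

# Start values as stored in the registry; FRST prints them as S0..S4.
$StartTypes = @{ 0 = 'Boot'; 1 = 'System'; 2 = 'Auto'; 3 = 'Manual'; 4 = 'Disabled' }

function Get-OrphanedServiceImagePath {
    # Lists services/drivers whose ImagePath points at a file that no longer exists
    # (FRST's "[X]"), and kernel drivers with no ImagePath whose conventional
    # file %SystemRoot%\System32\drivers\<name>.sys is missing ("no ImagePath").
    [CmdletBinding()]
    param([string]$ServicesKey = 'HKLM:\SYSTEM\CurrentControlSet\Services')

    foreach ($key in Get-ChildItem -Path $ServicesKey -ErrorAction SilentlyContinue) {
        $props = Get-ItemProperty -Path $key.PSPath -ErrorAction SilentlyContinue
        if (-not $props) { continue }
        $raw = [string]$props.ImagePath

        if (-not $raw) {
            # Only kernel (1) and file-system (2) drivers are loaded by convention
            # without an ImagePath; anything else without one is not a driver case.
            if ($props.Type -notin 1, 2) { continue }
            $path = Join-Path $env:SystemRoot "System32\drivers\$($key.PSChildName).sys"
            $raw  = '(no ImagePath)'
        } else {
            # Normalise the forms seen in the log: "\??\C:\...", "\SystemRoot\...",
            # "system32\drivers\x.sys", "%SystemRoot%\..." and quoted paths with arguments.
            $path = $raw -replace '^\\\?\?\\', ''
            $path = $path -replace '^\\SystemRoot\\', "$env:SystemRoot\"
            $path = [Environment]::ExpandEnvironmentVariables($path)
            if ($path.StartsWith('"')) {
                $path = $path.Split('"')[1]
            } elseif ($path -match '^(.*?\.(sys|exe|dll))(\s|$)') {
                $path = $Matches[1]
            }
            if (-not [IO.Path]::IsPathRooted($path)) {
                $path = Join-Path $env:SystemRoot $path
            }
        }

        if (-not (Test-Path -LiteralPath $path)) {
            [pscustomobject]@{
                Service   = $key.PSChildName
                Start     = if ($null -ne $props.Start) { $StartTypes[[int]$props.Start] } else { 'n/a' }
                ImagePath = $raw
                Resolved  = $path
            }
        }
    }
}

function Get-AlternateDataStream {
    # Lists named NTFS streams on a file or folder. The unnamed ':$DATA' stream is
    # the file's ordinary content; anything else is an alternate data stream.
    param([Parameter(Mandatory)][string]$Path)
    Get-Item -LiteralPath $Path -Stream * -ErrorAction SilentlyContinue |
        Where-Object { $_.Stream -ne ':$DATA' } |
        Select-Object FileName, Stream, Length
}

function Test-CoreFileSignature {
    # Authenticode status of the core files FRST checks under "Bamital & volsnap".
    param(
        [string[]]$Files = @(
            "$env:SystemRoot\system32\winlogon.exe",
            "$env:SystemRoot\system32\wininit.exe",
            "$env:SystemRoot\explorer.exe",
            "$env:SystemRoot\system32\svchost.exe",
            "$env:SystemRoot\system32\services.exe",
            "$env:SystemRoot\system32\User32.dll",
            "$env:SystemRoot\system32\userinit.exe",
            "$env:SystemRoot\system32\rpcss.dll",
            "$env:SystemRoot\system32\dnsapi.dll",
            "$env:SystemRoot\system32\Drivers\volsnap.sys"
        )
    )
    foreach ($f in $Files) {
        if (-not (Test-Path -LiteralPath $f)) { continue }
        $sig = Get-AuthenticodeSignature -FilePath $f
        [pscustomobject]@{
            File   = $f
            Status = $sig.Status   # Valid, NotSigned, HashMismatch, ...
            Signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
        }
    }
}

# Usage: the same three areas the fixlist touched, reported without changing anything.
Get-OrphanedServiceImagePath | Format-Table -AutoSize
Get-AlternateDataStream -Path $env:USERPROFILE | Format-Table -AutoSize
Test-CoreFileSignature | Format-Table -AutoSize
```

Two caveats when reading the output. An orphaned entry such as a leftover anti-cheat or hardware driver whose .sys file has already been deleted is a stale registry key, not by itself a sign of infection; what matters is whether the file it points at is unknown and present. And on older Windows versions Get-AuthenticodeSignature does not consult the signing catalogs, so a catalog-signed Windows file can report NotSigned here even though it is legitimately signed; a HashMismatch on one of these files is the result that warrants follow-up, as FRST's own "File is digitally signed" check is the more reliable verdict for them.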

#5 Carpentry

Carpentry
  • Topic Starter

  • Members
  • 61 posts
  • OFFLINE
  •  
  • Local time:06:05 AM

Posted 13 June 2017 - 06:03 PM

Here is the log:

Fix result of Farbar Recovery Scan Tool (x64) Version: 12-06-2017
Ran by -- (13-06-2017 14:40:19) Run:1
Running from C:\Users\--\Desktop
Loaded Profiles: -- (Available Profiles: --)
Boot Mode: Normal
==============================================

fixlist content:
*****************
Start

CreateRestorePoint:
EmptyTemp:
CloseProcesses:

FF Plugin: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin-x32: @microsoft.com/GENUINE -> disabled [No File]
CHR Extension: (Chrome Web Store Payments) - C:\Users\--\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2017-03-08]
CHR Extension: (Chrome Media Router) - C:\Users\--\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm [2017-05-17]
CHR HKU\S-1-5-21-2155871709-899169398-2161320827-1000\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [hcjjaajflhellmcfcecojihhmdbjmmlm] - hxxps://clients2.google.com/service/update2/crx
U1 aswbdisk; no ImagePath
S4 nvvad_WaveExtensible; system32\drivers\nvvad64v.sys [X]
S3 X6va062; \??\C:\Windows\SysWOW64\Drivers\X6va062 [X]
S3 xhunter1; \??\C:\Windows\xhunter1.sys [X]
AlternateDataStreams: C:\Users\--:Heroes & Generals [38]

End
*****************

Restore point was successfully created.
Processes closed successfully.
HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE => key removed successfully
HKLM\Software\Wow6432Node\MozillaPlugins\@microsoft.com/GENUINE => key removed successfully
C:\Users\--\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda => moved successfully
C:\Users\--\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm => moved successfully
HKU\S-1-5-21-2155871709-899169398-2161320827-1000\SOFTWARE\Google\Chrome\Extensions\hcjjaajflhellmcfcecojihhmdbjmmlm => key removed successfully
HKLM\System\CurrentControlSet\Services\aswbdisk => key could not remove, key could be protected
HKLM\System\CurrentControlSet\Services\nvvad_WaveExtensible => key removed successfully
nvvad_WaveExtensible => service removed successfully
HKLM\System\CurrentControlSet\Services\X6va062 => key removed successfully
X6va062 => service removed successfully
HKLM\System\CurrentControlSet\Services\xhunter1 => key removed successfully
xhunter1 => service removed successfully
C:\Users\-- => ":Heroes & Generals" ADS removed successfully.

=========== EmptyTemp: ==========

BITS transfer queue => 12582912 B
DOMStore, IE Recovery, AppCache, Feeds Cache, Thumbcache, IconCache => 12392648 B
Java, Flash, Steam htmlcache => 352531239 B
Windows/system/drivers => 338260 B
Edge => 0 B
Chrome => 600064 B
Firefox => 10088273 B
Opera => 0 B

Temp, IE cache, history, cookies, recent:
Users => 0 B
Default => 0 B
Public => 0 B
ProgramData => 0 B
systemprofile => 58558406 B
systemprofile32 => 529204 B
LocalService => 66228 B
NetworkService => 0 B
-- => 24559242 B
UpdatusUser => 0 B

RecycleBin => 0 B
EmptyTemp: => 450.4 MB temporary data Removed.

================================

Result of scheduled files to move (Boot Mode: Normal) (Date&Time: 13-06-2017 14:46:05)


Result of scheduled keys to remove after reboot:

HKLM\System\CurrentControlSet\Services\aswbdisk => key could not remove, key could be protected

==== End of Fixlog 14:46:05 ====

 

=============================================

 

Can you clarify what you mean by endable? Avast is the only active antivirus I have on atm.

**Edit: I just noticed that I have two options to do heuristic analysis and detect shellcode injections. Might that be what is showing up as another AV?**

 

I don't see any problems. Just had my Malware protection disabled on Malwarebytes, but I was able to turn it on manually after a restart - a common issue I think.


Edited by Carpentry, 13 June 2017 - 08:34 PM.


#6 nasdaq

nasdaq

  • Malware Response Team
  • 39,243 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:10:05 AM

Posted 14 June 2017 - 06:50 AM


Avast and Comodo are endable.

That should have been enabled. Sorry.

I see Avast and Comodo installed. Both are Enabled unless you have changed the status recently.
AV: Avast Antivirus (Enabled - Up to date) {8EA8924E-BC81-DC44-8BB0-8BAE75D86EBF}
AS: COMODO Advanced Protection (Enabled - Up to date) {B730BF64-C56F-6633-0EF5-9E639E46CC40}

Did you remove Comodo?

**Edit: I just noticed that I have two options to do heuristic analysis and detect shellcode injections. Might that be what is showing up as another AV?**

Is this from Avast or Comodo?

#7 Carpentry

Carpentry
  • Topic Starter

  • Members
  • 61 posts
  • OFFLINE
  •  
  • Local time:06:05 AM

Posted 14 June 2017 - 11:56 AM

I disabled Behavior protection from Avast, but I will remove it now.

 

I have Comodo Internet Security with the following settings: Firewall enabled, Auto-Sandbox enabled, HIPS disabled, Virus scope disabled, Antivirus not installed. The Heuristics analysis is only for about 20 files.



#8 nasdaq

nasdaq

  • Malware Response Team
  • 39,243 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:10:05 AM

Posted 14 June 2017 - 12:37 PM

Any remaining issues?

#9 Carpentry

Carpentry
  • Topic Starter

  • Members
  • 61 posts
  • OFFLINE
  •  
  • Local time:06:05 AM

Posted 14 June 2017 - 04:51 PM

No. Thank you!



#10 nasdaq

nasdaq

  • Malware Response Team
  • 39,243 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:10:05 AM

Posted 15 June 2017 - 07:03 AM

If all is well.

To learn more about how to protect yourself while on the internet, read this little guide on best security practices to keep safe.
http://www.bleepingcomputer.com/forums/t/407147/answers-to-common-security-questions-best-practices/


https://www.bleepingcomputer.com/tutorials/keep-your-computer-safe-online/
Simple and easy ways to keep your computer safe and secure on the Internet.
===



