
Malwarebytes Free freezes during scan


This topic is locked
7 replies to this topic

#1 Looking2Build

Looking2Build

  • Members
  • 5 posts
  • Gender:Male

Posted 27 July 2018 - 02:31 AM

Greetings,

 

My nephew shares a desktop Win 7 PC with 4 other family members. He plays an online game using Google thru Firefox and seems to have infected the computer. I visit every month or two to run scans, update programs and general maintenance. This time Malwarebytes free has detected 228 items and freezes at the 04:20 mark every time, even in Safe Mode.

 

The screen shows:

 

Currently Scanning:          Heuristics Analysis

Items Scanned:                 496,262

Time Elapsed:                    00:04:20

Threats Identified:              228

 

I paused the scan after it found the 228 and most of the items started as:

C:\Users\Marcello_2\AppData\Local\Google\Chrome\User Data\Default\Extensions\eogmpgppidehapppmipeahegomlindkg\171.3557.1015.28_0\

followed by:

    \icons\19.png
    \icons\48.png
    \javascript\serve_ShellAus
    \main\view_Broker.js
    \metadata
    \toggle

 

SuperAntiSpyware found over 30 items that I was able to delete before running MBAM.

AVG free did not find any issues.

Hitman Pro found a few and was able to delete them.

Rkill cleaned a couple of items.

It just gets stuck on MBAM. I have to go into Task Mgr to End Task.

 

This build is running Win7 Home 64-bit SP1, AMD Phenom 9750 @ 2.40 GHz with 4 GB DDR2 RAM.

 

What are the steps to get rid of the items?

 

Thanks.

 

Looking2Build




#2 nasdaq

nasdaq

  • Malware Response Team
  • 40,752 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 27 July 2018 - 07:33 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can, please print this topic; it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

Download the version of this tool for your operating system.
Farbar Recovery Scan Tool (64 bit)
Farbar Recovery Scan Tool (32 bit)
and save it to a folder on your computer's Desktop.
Double-click to run it. When the tool opens click Yes to disclaimer.
Press Scan button.
It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
The first time the tool is run, it makes also another log (Addition.txt). Please attach it to your reply.

How to attach a file to your reply:
In the Reply section in the bottom of the topic Click the "more reply Options" button.

Attach the file.
Select the "Choose a File" navigate to the location of the File.
Click the file you wish to Attach.
Click Attach this file.
Click the Add reply button.
===

Please post the logs for my review.

Wait for further instructions.

#3 Looking2Build

Looking2Build
  • Topic Starter

  • Members
  • 5 posts
  • Gender:Male

Posted 27 July 2018 - 06:03 PM

Thanks nasdaq,

 

Here is the FRST log:

 

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 21.07.2018
Ran by Solo (administrator) on MANDM-PC (27-07-2018 15:44:30)
Running from C:\Users\Solo\Desktop
Loaded Profiles: MandM & Matteo & Solo & Marcello_2 & Family_2 (Available Profiles: MandM & Matteo & Solo & Marcello_2 & Family_2)
Platform: Windows 7 Home Premium Service Pack 1 (X64) Language: English (United States)
Internet Explorer Version 11 (Default browser: FF)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(AVG Technologies CZ, s.r.o.) C:\Program Files\AVG\Antivirus\AVGSvc.exe
(SUPERAntiSpyware.com) C:\Program Files\SUPERAntiSpyware\SASCore64.exe
(Mediatek Inc.) C:\Program Files (x86)\MediatekWiFi\Common\RaRegistry.exe
(Mediatek Inc.) C:\Program Files (x86)\MediatekWiFi\Common\RaRegistry64.exe
(VIA Technologies, Inc.) C:\Windows\System32\ViakaraokeSrv.exe
(Copyright 2017.) C:\Program Files (x86)\Zemana AntiMalware\ZAM.exe
(Microsoft Corporation) C:\Windows\System32\printfilterpipelinesvc.exe
(Malwarebytes) C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files\AVG\Antivirus\x64\aswidsagenta.exe
(Copyright 2017.) C:\Program Files (x86)\Zemana AntiMalware\ZAM.exe
(SUPERAntiSpyware) C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files\AVG\Antivirus\AVGUI.exe
(Mediatek Inc.) C:\Program Files (x86)\MediatekWiFi\Common\RaUI.exe
(VIA) C:\Program Files (x86)\VIA\VIAudioi\VDeck\VDeck.exe
(Hewlett-Packard) C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe
(Malwarebytes) C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe
(HP Inc.) C:\Program Files (x86)\Hewlett-Packard\HP Support Solutions\HPSupportSolutionsFrameworkService.exe
(Microsoft Corporation) C:\Windows\System32\wlanext.exe

==================== Registry (Whitelisted) ===========================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [AVGUI.exe] => C:\Program Files\AVG\Antivirus\AvLaunch.exe [291568 2018-07-20] (AVG Technologies CZ, s.r.o.)
HKLM\...\Run: [ZAM] => C:\Program Files (x86)\Zemana AntiMalware\ZAM.exe [15775888 2017-08-09] (Copyright 2017.)
HKLM-x32\...\Run: [HDAudDeck] => C:\Program Files (x86)\VIA\VIAudioi\VDeck\VDeck.exe [5199984 2011-06-20] (VIA)
HKLM-x32\...\Run: [HP Software Update] => C:\Program Files (x86)\Hp\HP Software Update\HPWuSchd2.exe [96056 2013-05-30] (Hewlett-Packard)
HKLM-x32\...\Run: [] => [X]
HKLM-x32\...\Run: [GrooveMonitor] => C:\Program Files (x86)\Microsoft Office\Office12\GrooveMonitor.exe [30040 2009-02-26] (Microsoft Corporation)
HKLM\SOFTWARE\Policies\Microsoft\Windows Defender: Restriction <==== ATTENTION
HKU\S-1-5-21-3093561639-292637183-1763829858-1000\...\Run: [HP ENVY 4500 series (NET)] => "C:\Program Files\HP\HP ENVY 4500 series\Bin\ScanToPCActivationApp.exe" -deviceID "CN3A42R0PF05X4:NW" -scfn "HP ENVY 4500 series (NET)" -AutoStart 1
HKU\S-1-5-21-3093561639-292637183-1763829858-1000\...\Run: [SUPERAntiSpyware] => C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe [8898480 2018-07-02] (SUPERAntiSpyware)
HKU\S-1-5-21-3093561639-292637183-1763829858-1001\...\MountPoints2: {8f291a69-f0b3-11e5-8dcd-806e6f6e6963} - D:\SETUP.EXE
HKU\S-1-5-21-3093561639-292637183-1763829858-1002\...\MountPoints2: {8f291a69-f0b3-11e5-8dcd-806e6f6e6963} - D:\SETUP.EXE
HKU\S-1-5-21-3093561639-292637183-1763829858-1003\...\MountPoints2: {8f291a69-f0b3-11e5-8dcd-806e6f6e6963} - D:\SETUP.EXE
HKU\S-1-5-21-3093561639-292637183-1763829858-1004\...\Run: [SUPERAntiSpyware] => C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe [8898480 2018-07-02] (SUPERAntiSpyware)
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Mediatek Wireless Utility.lnk [2018-07-26]
ShortcutTarget: Mediatek Wireless Utility.lnk -> C:\Program Files (x86)\MediatekWiFi\Common\RaUI.exe (Mediatek Inc.)

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

Hosts: There are more than one entry in Hosts. See Hosts section of Addition.txt
Tcpip\Parameters: [DhcpNameServer] 192.168.1.254
Tcpip\..\Interfaces\{93EAFA00-2569-4996-A80C-B11B7EBD6A90}: [DhcpNameServer] 192.168.0.1
Tcpip\..\Interfaces\{A48B0EA1-96D4-4FCB-80E8-C1E06AE83160}: [DhcpNameServer] 192.168.1.254

Internet Explorer:
==================
HKU\S-1-5-21-3093561639-292637183-1763829858-1001\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = hxxp://www.msn.com/?ocid=iehp
HKU\S-1-5-21-3093561639-292637183-1763829858-1002\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = hxxp://www.msn.com/?ocid=iehp
HKU\S-1-5-21-3093561639-292637183-1763829858-1004\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = hxxp://www.msn.com/?ocid=iehp
HKU\S-1-5-21-3093561639-292637183-1763829858-1006\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = hxxp://www.msn.com/?ocid=iehp
SearchScopes: HKU\S-1-5-21-3093561639-292637183-1763829858-1001 -> DefaultScope {95B7759C-8C7F-4BF1-B163-73684A933233} URL =
SearchScopes: HKU\S-1-5-21-3093561639-292637183-1763829858-1005 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
BHO-x32: Groove GFS Browser Helper -> {72853161-30C5-4D22-B7F9-0BBC1D38A37E} -> C:\Program Files (x86)\Microsoft Office\Office12\GrooveShellExtensions.dll [2009-02-26] (Microsoft Corporation)

FireFox:
========
FF DefaultProfile: 9clt0kex.default
FF ProfilePath: C:\Users\Solo\AppData\Roaming\Mozilla\Firefox\Profiles\9clt0kex.default [2018-07-26]
FF Homepage: Mozilla\Firefox\Profiles\9clt0kex.default -> hxxps://www.yahoo.com/
FF Extension: (AdBlocker Ultimate) - C:\Users\Solo\AppData\Roaming\Mozilla\Firefox\Profiles\9clt0kex.default\Extensions\adblockultimate@adblockultimate.net.xpi [2018-01-27]
FF Extension: (Self-Destructing Cookies) - C:\Users\Solo\AppData\Roaming\Mozilla\Firefox\Profiles\9clt0kex.default\Extensions\jid0-9XfBwUWnvPx4wWsfBWMCm4Jj69E@jetpack.xpi [2017-06-15] [Legacy]
FF Extension: (AdBlock) - C:\Users\Solo\AppData\Roaming\Mozilla\Firefox\Profiles\9clt0kex.default\Extensions\jid1-NIfFY2CA8fy1tg@jetpack.xpi [2018-01-27]
FF Extension: (Adblock Plus) - C:\Users\Solo\AppData\Roaming\Mozilla\Firefox\Profiles\9clt0kex.default\Extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}.xpi [2018-01-27]
FF Extension: (WebCompat Reporter) - C:\Program Files (x86)\Mozilla Firefox\browser\features\webcompat-reporter@mozilla.org.xpi [2018-07-20] [Legacy] [not signed]
FF Plugin: @adobe.com/FlashPlayer -> C:\Windows\system32\Macromed\Flash\NPSWF64_30_0_0_134.dll [2018-07-17] ()
FF Plugin: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin-x32: @adobe.com/FlashPlayer -> C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_30_0_0_134.dll [2018-07-17] ()
FF Plugin-x32: @avg.com/AVG SiteSafety plugin,version=11.0.0.1,application/x-avg-sitesafety-plugin -> C:\Program Files (x86)\Common Files\AVG Secure Search\SiteSafetyInstaller\40.3.8\\npsitesafety.dll [No File]
FF Plugin-x32: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin-x32: Adobe Reader -> C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AIR\nppdf32.dll [2018-06-29] (Adobe Systems Inc.)
FF Plugin HKU\S-1-5-21-3093561639-292637183-1763829858-1002: @nsroblox.roblox.com/launcher -> C:\Users\Matteo\AppData\Local\Roblox\Versions\version-26a546068c9d4f7a\\NPRobloxProxy.dll [2013-01-01] ( ROBLOX Corporation)
FF Plugin HKU\S-1-5-21-3093561639-292637183-1763829858-1002: @nsroblox.roblox.com/launcher64 -> C:\Users\Matteo\AppData\Local\Roblox\Versions\version-26a546068c9d4f7a\\NPRobloxProxy64.dll [2013-01-01] ( ROBLOX Corporation)
FF Plugin HKU\S-1-5-21-3093561639-292637183-1763829858-1002: @unity3d.com/UnityPlayer,version=1.0 -> C:\Users\Matteo\AppData\LocalLow\Unity\WebPlayer\loader\npUnity3D32.dll [2017-05-18] (Unity Technologies ApS)

Chrome:
=======
CHR HKU\S-1-5-21-3093561639-292637183-1763829858-1000\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [efaidnbmnnnibpcajpcglclefindmkaj] - hxxps://clients2.google.com/service/update2/crx

==================== Services (Whitelisted) ====================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R2 !SASCORE; C:\Program Files\SUPERAntiSpyware\SASCORE64.EXE [173472 2017-01-30] (SUPERAntiSpyware.com)
R2 AVG Antivirus; C:\Program Files\AVG\Antivirus\AVGSvc.exe [323512 2018-07-20] (AVG Technologies CZ, s.r.o.)
R3 avgbIDSAgent; C:\Program Files\AVG\Antivirus\x64\aswidsagenta.exe [7829784 2018-07-20] (AVG Technologies CZ, s.r.o.)
R2 HPSupportSolutionsFrameworkService; C:\Program Files (x86)\Hewlett-Packard\HP Support Solutions\HPSupportSolutionsFrameworkService.exe [333688 2018-06-13] (HP Inc.)
R2 MBAMService; C:\Program Files\Malwarebytes\Anti-Malware\mbamservice.exe [6541008 2018-05-09] (Malwarebytes)
R2 MediatekRegistryWriter; C:\Program Files (x86)\MediatekWiFi\Common\RaRegistry.exe [405136 2014-12-04] (Mediatek Inc.)
R2 MediatekRegistryWriter64; C:\Program Files (x86)\MediatekWiFi\Common\RaRegistry64.exe [454288 2014-12-04] (Mediatek Inc.)
R2 VIAKaraokeService; C:\Windows\system32\viakaraokesrv.exe [27760 2011-06-14] (VIA Technologies, Inc.)
S3 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [1011712 2013-05-26] (Microsoft Corporation)
R2 ZAMSvc; C:\Program Files (x86)\Zemana AntiMalware\ZAM.exe [15775888 2017-08-09] (Copyright 2017.)

===================== Drivers (Whitelisted) ======================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R1 avgArPot; C:\Windows\System32\drivers\avgArPot.sys [189544 2018-07-20] (AVG Technologies CZ, s.r.o.)
R1 avgbidsdriver; C:\Windows\System32\drivers\avgbidsdrivera.sys [222288 2018-07-20] (AVG Technologies CZ, s.r.o.)
R0 avgbidsh; C:\Windows\System32\drivers\avgbidsha.sys [194224 2018-07-20] (AVG Technologies CZ, s.r.o.)
R0 avgblog; C:\Windows\System32\drivers\avgbloga.sys [339048 2018-07-20] (AVG Technologies CZ, s.r.o.)
R0 avgbuniv; C:\Windows\System32\drivers\avgbuniva.sys [51952 2018-07-20] (AVG Technologies CZ, s.r.o.)
S3 avgHwid; C:\Windows\System32\drivers\avgHwid.sys [39352 2018-07-20] (AVG Technologies CZ, s.r.o.)
R2 avgMonFlt; C:\Windows\System32\drivers\avgMonFlt.sys [152016 2018-07-20] (AVG Technologies CZ, s.r.o.)
R1 avgRdr; C:\Windows\System32\drivers\avgRdr2.sys [104256 2018-07-20] (AVG Technologies CZ, s.r.o.)
R0 avgRvrt; C:\Windows\System32\drivers\avgRvrt.sys [78352 2018-07-20] (AVG Technologies CZ, s.r.o.)
R1 avgSnx; C:\Windows\System32\drivers\avgSnx.sys [1020112 2018-07-20] (AVG Technologies CZ, s.r.o.)
R1 avgSP; C:\Windows\System32\drivers\avgSP.sys [458024 2018-07-26] (AVG Technologies CZ, s.r.o.)
R2 avgStm; C:\Windows\System32\drivers\avgStm.sys [203544 2018-07-20] (AVG Technologies CZ, s.r.o.)
R0 avgVmm; C:\Windows\System32\drivers\avgVmm.sys [373944 2018-07-20] (AVG Technologies CZ, s.r.o.)
R1 ESProtectionDriver; C:\Windows\system32\drivers\mbae64.sys [152688 2018-06-19] (Malwarebytes)
S3 hitmanpro37; C:\Windows\system32\drivers\hitmanpro37.sys [55232 2018-07-26] ()
R2 MBAMChameleon; C:\Windows\System32\Drivers\MbamChameleon.sys [191208 2018-07-26] (Malwarebytes)
R3 MBAMFarflt; C:\Windows\System32\DRIVERS\farflt.sys [114920 2018-07-27] (Malwarebytes)
R3 MBAMProtection; C:\Windows\System32\DRIVERS\mbam.sys [48360 2018-07-27] (Malwarebytes)
R3 MBAMSwissArmy; C:\Windows\System32\Drivers\mbamswissarmy.sys [253664 2018-07-27] (Malwarebytes)
R3 MBAMWebProtection; C:\Windows\System32\DRIVERS\mwac.sys [92792 2018-07-27] (Malwarebytes)
R3 netr28ux; C:\Windows\System32\DRIVERS\netr28ux.sys [2229392 2015-02-16] (MediaTek Inc.)
R1 SASDIFSV; C:\Program Files\SUPERAntiSpyware\SASDIFSV64.SYS [14928 2011-07-22] (SUPERAdBlocker.com and SUPERAntiSpyware.com)
R1 SASKUTIL; C:\Program Files\SUPERAntiSpyware\SASKUTIL64.SYS [12368 2011-07-12] (SUPERAdBlocker.com and SUPERAntiSpyware.com)
R1 ZAM; C:\Windows\System32\drivers\zam64.sys [203680 2018-07-26] (Zemana Ltd.)
R1 ZAM_Guard; C:\Windows\System32\drivers\zamguard64.sys [203680 2018-07-26] (Zemana Ltd.)

==================== NetSvcs (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)


==================== One Month Created files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2018-07-27 15:44 - 2018-07-27 15:44 - 000012881 _____ C:\Users\Solo\Desktop\FRST.txt
2018-07-27 15:42 - 2018-07-27 15:44 - 000000000 ____D C:\FRST
2018-07-27 15:41 - 2018-07-27 13:01 - 002412544 _____ (Farbar) C:\Users\Solo\Desktop\FRST64.exe
2018-07-26 18:04 - 2018-07-26 18:04 - 000000000 ____D C:\Users\Marcello_2\AppData\Roaming\AVG
2018-07-26 17:59 - 2018-07-26 18:01 - 000000000 ____D C:\Users\Marcello_2\Desktop\Virus Programs
2018-07-26 17:59 - 2018-07-26 17:59 - 000000000 ____D C:\Users\Marcello_2\AppData\Local\Zemana
2018-07-26 17:59 - 2018-07-26 17:59 - 000000000 ____D C:\Users\Marcello_2\AppData\Local\AVG
2018-07-26 17:25 - 2018-07-27 15:44 - 000045084 _____ C:\Windows\ZAM.krnl.trace
2018-07-26 17:25 - 2018-07-27 15:44 - 000014937 _____ C:\Windows\ZAM_Guard.krnl.trace
2018-07-26 17:25 - 2018-07-26 17:25 - 000203680 _____ (Zemana Ltd.) C:\Windows\system32\Drivers\zamguard64.sys
2018-07-26 17:25 - 2018-07-26 17:25 - 000203680 _____ (Zemana Ltd.) C:\Windows\system32\Drivers\zam64.sys
2018-07-26 17:25 - 2018-07-26 17:25 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Zemana AntiMalware
2018-07-26 17:25 - 2018-07-26 17:25 - 000000000 ____D C:\Program Files (x86)\Zemana AntiMalware
2018-07-26 17:21 - 2018-07-26 17:21 - 000000000 ____D C:\Users\Solo\AppData\Local\Zemana
2018-07-26 17:20 - 2018-07-25 22:53 - 011576808 _____ (SurfRight B.V.) C:\Users\Solo\Documents\hitmanpro_x64.exe
2018-07-26 17:18 - 2018-07-26 17:18 - 000055232 _____ C:\Windows\system32\Drivers\hitmanpro37.sys
2018-07-26 17:15 - 2018-07-26 17:15 - 000001174 _____ C:\Windows\system32\.crusader
2018-07-26 17:10 - 2018-07-26 17:10 - 000000000 ____D C:\Program Files\HitmanPro
2018-07-26 17:09 - 2018-07-26 17:16 - 000000000 ____D C:\ProgramData\HitmanPro
2018-07-26 16:54 - 2018-07-26 17:02 - 000004006 _____ C:\Users\Solo\Desktop\Rkill.txt
2018-07-26 16:54 - 2018-07-26 16:54 - 000988112 _____ (Bleeping Computer, LLC) C:\Users\Solo\Desktop\rkill64.exe
2018-07-26 16:52 - 2018-07-26 17:19 - 000269528 _____ C:\Windows\ntbtlog.txt
2018-07-26 16:49 - 2018-07-26 16:51 - 000000000 ____D C:\AdwCleaner
2018-07-26 16:44 - 2018-07-26 16:34 - 006625600 _____ (Zemana Ltd. ) C:\Users\Solo\Desktop\Zemana.AntiMalware.Setup.exe
2018-07-26 16:44 - 2018-07-25 23:02 - 001802704 _____ (Bleeping Computer, LLC) C:\Users\Solo\Desktop\rkill.exe
2018-07-26 16:43 - 2018-07-25 22:51 - 007417040 _____ (Malwarebytes) C:\Users\Solo\Desktop\adwcleaner_7.2.2.exe
2018-07-20 17:50 - 2018-07-20 17:50 - 000001034 _____ C:\Users\Public\Desktop\Revo Uninstaller.lnk
2018-07-20 17:50 - 2018-07-20 17:50 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Revo Uninstaller
2018-07-20 17:48 - 2018-07-26 17:22 - 000000328 _____ C:\Windows\Tasks\HPCeeScheduleForSolo.job
2018-07-20 17:48 - 2018-07-26 16:11 - 000003180 _____ C:\Windows\System32\Tasks\HPCeeScheduleForSolo
2018-07-20 17:47 - 2018-07-20 17:47 - 000003870 _____ C:\Windows\System32\Tasks\CCleaner Update
2018-07-20 17:47 - 2018-07-20 17:47 - 000002788 _____ C:\Windows\System32\Tasks\CCleanerSkipUAC
2018-07-20 17:47 - 2018-07-20 17:47 - 000000822 _____ C:\Users\Public\Desktop\CCleaner.lnk
2018-07-20 17:47 - 2018-07-20 17:47 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\CCleaner
2018-07-20 17:47 - 2018-07-20 17:47 - 000000000 ____D C:\Program Files\CCleaner
2018-07-20 17:45 - 2018-07-20 17:45 - 000000000 ____D C:\Users\Solo\AppData\Roaming\SUPERAntiSpyware.com
2018-07-20 17:45 - 2018-07-20 17:45 - 000000000 ____D C:\ProgramData\SUPERAntiSpyware.com
2018-07-20 17:45 - 2018-07-20 17:45 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\SUPERAntiSpyware
2018-07-20 17:45 - 2018-07-20 17:45 - 000000000 ____D C:\Program Files\SUPERAntiSpyware
2018-07-20 17:42 - 2018-07-27 15:44 - 000092792 _____ (Malwarebytes) C:\Windows\system32\Drivers\mwac.sys
2018-07-20 17:42 - 2018-07-27 15:39 - 000114920 _____ (Malwarebytes) C:\Windows\system32\Drivers\farflt.sys
2018-07-20 17:42 - 2018-07-27 15:39 - 000048360 _____ (Malwarebytes) C:\Windows\system32\Drivers\mbam.sys
2018-07-20 17:42 - 2018-07-27 15:38 - 000253664 _____ (Malwarebytes) C:\Windows\system32\Drivers\mbamswissarmy.sys
2018-07-20 17:42 - 2018-07-26 17:19 - 000191208 _____ (Malwarebytes) C:\Windows\system32\Drivers\MbamChameleon.sys
2018-07-20 17:42 - 2018-07-26 16:50 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes
2018-07-20 17:42 - 2018-07-20 17:42 - 000000000 ____D C:\Program Files\Malwarebytes
2018-07-20 17:42 - 2018-06-19 14:09 - 000152688 _____ (Malwarebytes) C:\Windows\system32\Drivers\mbae64.sys
2018-07-20 17:40 - 2018-07-20 17:40 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\AVG
2018-07-20 17:39 - 2018-07-26 16:13 - 000458024 _____ (AVG Technologies CZ, s.r.o.) C:\Windows\system32\Drivers\avgSP.sys
2018-07-20 17:39 - 2018-07-20 17:39 - 000003904 _____ C:\Windows\System32\Tasks\Antivirus Emergency Update
2018-07-20 17:39 - 2018-07-20 17:38 - 000373944 _____ (AVG Technologies CZ, s.r.o.) C:\Windows\system32\Drivers\avgVmm.sys
2018-07-20 17:39 - 2018-07-20 17:38 - 000203544 _____ (AVG Technologies CZ, s.r.o.) C:\Windows\system32\Drivers\avgStm.sys
2018-07-20 17:39 - 2018-07-20 17:38 - 000078352 _____ (AVG Technologies CZ, s.r.o.) C:\Windows\system32\Drivers\avgRvrt.sys
2018-07-20 17:38 - 2018-07-20 17:38 - 001020112 _____ (AVG Technologies CZ, s.r.o.) C:\Windows\system32\Drivers\avgSnx.sys
2018-07-20 17:38 - 2018-07-20 17:38 - 000379120 _____ (AVG Technologies CZ, s.r.o.) C:\Windows\system32\avgBoot.exe
2018-07-20 17:38 - 2018-07-20 17:38 - 000339048 _____ (AVG Technologies CZ, s.r.o.) C:\Windows\system32\Drivers\avgbloga.sys
2018-07-20 17:38 - 2018-07-20 17:38 - 000222288 _____ (AVG Technologies CZ, s.r.o.) C:\Windows\system32\Drivers\avgbidsdrivera.sys
2018-07-20 17:38 - 2018-07-20 17:38 - 000194224 _____ (AVG Technologies CZ, s.r.o.) C:\Windows\system32\Drivers\avgbidsha.sys
2018-07-20 17:38 - 2018-07-20 17:38 - 000189544 _____ (AVG Technologies CZ, s.r.o.) C:\Windows\system32\Drivers\avgArPot.sys
2018-07-20 17:38 - 2018-07-20 17:38 - 000152016 _____ (AVG Technologies CZ, s.r.o.) C:\Windows\system32\Drivers\avgMonFlt.sys
2018-07-20 17:38 - 2018-07-20 17:38 - 000104256 _____ (AVG Technologies CZ, s.r.o.) C:\Windows\system32\Drivers\avgRdr2.sys
2018-07-20 17:38 - 2018-07-20 17:38 - 000051952 _____ (AVG Technologies CZ, s.r.o.) C:\Windows\system32\Drivers\avgbuniva.sys
2018-07-20 17:38 - 2018-07-20 17:38 - 000039352 _____ (AVG Technologies CZ, s.r.o.) C:\Windows\system32\Drivers\avgHwid.sys
2018-07-20 17:37 - 2018-07-20 17:37 - 000000000 ____D C:\Program Files\AVG
2018-07-20 17:32 - 2018-07-20 17:32 - 000000000 ____D C:\Users\Solo\Downloads\_PC exe files

==================== One Month Modified files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2018-07-27 15:38 - 2009-07-13 22:08 - 000000006 ____H C:\Windows\Tasks\SA.DAT
2018-07-26 18:34 - 2009-07-13 21:45 - 000021888 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2018-07-26 18:34 - 2009-07-13 21:45 - 000021888 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2018-07-26 18:05 - 2017-04-11 20:03 - 000000000 ____D C:\Users\Marcello_2\AppData\LocalLow\Mozilla
2018-07-26 17:25 - 2017-04-11 17:22 - 000000000 ____D C:\Users\Solo
2018-07-26 16:50 - 2017-04-11 18:44 - 000000000 ____D C:\Program Files (x86)\Mozilla Maintenance Service
2018-07-26 16:50 - 2016-04-11 15:48 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Mediatek Wireless
2018-07-26 16:50 - 2009-07-13 20:20 - 000000000 ____D C:\Windows\registration
2018-07-26 16:50 - 2009-07-13 20:20 - 000000000 ____D C:\Windows\inf
2018-07-26 15:54 - 2017-10-10 19:41 - 000000000 ____D C:\Users\TEMP
2018-07-26 15:54 - 2016-03-22 23:17 - 000000000 ____D C:\Users\Family
2018-07-26 15:54 - 2016-03-22 23:12 - 000000000 ____D C:\Users\Marcello
2018-07-26 15:51 - 2017-04-11 20:22 - 000000000 ____D C:\Users\Family_2
2018-07-26 15:51 - 2017-04-11 19:38 - 000000000 ____D C:\Users\Marcello_2
2018-07-26 15:51 - 2016-03-22 23:07 - 000000000 ____D C:\Users\Matteo
2018-07-26 15:51 - 2016-03-22 22:19 - 000000000 ____D C:\Users\MandM
2018-07-20 19:20 - 2017-04-11 18:45 - 000000000 ____D C:\Users\Solo\AppData\LocalLow\Mozilla
2018-07-20 17:56 - 2017-11-14 22:00 - 000000000 ____D C:\Windows\Minidump
2018-07-20 17:51 - 2016-03-22 23:38 - 000000000 ____D C:\Program Files (x86)\Mozilla Firefox
2018-07-20 17:50 - 2016-03-24 00:36 - 000000000 ____D C:\Program Files\VS Revo Group
2018-07-20 17:42 - 2016-03-23 00:15 - 000000000 ____D C:\ProgramData\Malwarebytes
2018-07-20 17:40 - 2017-04-11 17:28 - 000000000 ____D C:\Users\Solo\AppData\Roaming\AVG
2018-07-20 17:40 - 2017-04-11 17:23 - 000000000 ____D C:\Users\Solo\AppData\Local\Avg
2018-07-20 17:36 - 2016-03-23 00:01 - 000000000 ____D C:\ProgramData\Avg
2018-07-20 17:35 - 2016-03-23 11:14 - 000000000 ____D C:\Users\Matteo\AppData\Roaming\AVG
2018-07-20 17:35 - 2016-03-23 00:25 - 000000000 ____D C:\Users\Matteo\AppData\Local\Avg
2018-07-20 17:35 - 2016-03-23 00:04 - 000000000 ____D C:\Users\MandM\AppData\Roaming\AVG
2018-07-20 17:35 - 2016-03-23 00:01 - 000000000 ____D C:\Program Files (x86)\AVG
2018-07-20 17:35 - 2016-03-23 00:00 - 000000000 ____D C:\Users\MandM\AppData\Local\Avg
2018-07-20 17:31 - 2009-07-13 22:13 - 000782250 _____ C:\Windows\system32\PerfStringBackup.INI
2018-07-20 17:15 - 2016-03-23 00:46 - 000000000 ____D C:\Users\Family\AppData\Local\Avg
2018-07-20 17:15 - 2016-03-23 00:27 - 000000000 ____D C:\Users\Marcello\AppData\Local\Avg
2018-07-17 18:59 - 2018-03-14 19:18 - 000004468 _____ C:\Windows\System32\Tasks\Adobe Flash Player NPAPI Notifier
2018-07-17 18:59 - 2016-03-23 01:12 - 000842240 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2018-07-17 18:59 - 2016-03-23 01:12 - 000175104 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
2018-07-17 18:59 - 2016-03-23 01:12 - 000004312 _____ C:\Windows\System32\Tasks\Adobe Flash Player Updater
2018-07-17 18:59 - 2016-03-23 01:12 - 000000000 ____D C:\Windows\SysWOW64\Macromed
2018-07-17 18:59 - 2016-03-23 01:11 - 000000000 ____D C:\Windows\system32\Macromed
2018-07-17 18:18 - 2016-03-23 01:10 - 000004476 _____ C:\Windows\System32\Tasks\Adobe Acrobat Update Task
2018-07-17 18:18 - 2016-03-23 01:10 - 000002441 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Acrobat Reader DC.lnk
2018-07-17 18:04 - 2018-05-02 18:09 - 000000332 _____ C:\Windows\Tasks\HPCeeScheduleForMandM.job
2018-07-06 22:29 - 2017-04-14 09:48 - 000000000 ____D C:\Users\MandM\Documents\Spiral Moon
2018-07-06 21:48 - 2018-05-02 18:09 - 000003186 _____ C:\Windows\System32\Tasks\HPCeeScheduleForMandM

Some files in TEMP:
====================
2016-08-22 20:50 - 2016-07-20 14:01 - 000186640 _____ (AVG Technologies CZ, s.r.o.) C:\Users\Marcello\AppData\Local\Temp\avguirn_081789987259.exe

==================== Bamital & volsnap ======================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\system32\winlogon.exe => File is digitally signed
C:\Windows\system32\wininit.exe => File is digitally signed
C:\Windows\SysWOW64\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\system32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\system32\services.exe => File is digitally signed
C:\Windows\system32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\system32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\system32\rpcss.dll => File is digitally signed
C:\Windows\system32\dnsapi.dll => File is digitally signed
C:\Windows\SysWOW64\dnsapi.dll => File is digitally signed
C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed

LastRegBack: 2018-07-17 18:47

==================== End of FRST.txt ============================

 

Had a problem uploading, so I used basic uploader. Thanks for the help.
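The FRST.txt above is the kind of log a helper reads by eye: section banners, then one entry per line with a path, a size and date in square brackets, and the file's publisher in parentheses. As an added example (not part of this thread, not Farbar's code, and not a substitute for a trained reviewer), the script below does a first mechanical pass over that format. It keys on three things visible in the log: lines FRST itself marks with `<==== ATTENTION`, service/driver entries whose publisher field is empty `()`, and autorun entries whose target is `[X]` (FRST's way of showing the referenced file is missing). The sample input is a constructed excerpt of lines copied from the posted log; the section banners and regexes assume FRST's usual layout as seen above.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample: a few lines copied from the FRST.txt posted in this thread,
# kept under the section banners FRST prints, so the script runs offline.
SAMPLE_FRST = r"""
==================== Registry (Whitelisted) ===========================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [AVGUI.exe] => C:\Program Files\AVG\Antivirus\AvLaunch.exe [291568 2018-07-20] (AVG Technologies CZ, s.r.o.)
HKLM-x32\...\Run: [] => [X]
HKLM\SOFTWARE\Policies\Microsoft\Windows Defender: Restriction <==== ATTENTION

==================== Services (Whitelisted) ====================

R2 MBAMService; C:\Program Files\Malwarebytes\Anti-Malware\mbamservice.exe [6541008 2018-05-09] (Malwarebytes)

===================== Drivers (Whitelisted) ======================

R1 avgArPot; C:\Windows\System32\drivers\avgArPot.sys [189544 2018-07-20] (AVG Technologies CZ, s.r.o.)
S3 hitmanpro37; C:\Windows\system32\drivers\hitmanpro37.sys [55232 2018-07-26] ()
R1 ZAM; C:\Windows\System32\drivers\zam64.sys [203680 2018-07-26] (Zemana Ltd.)
"""

# "==================== Registry (Whitelisted) ===========" -> title "Registry (Whitelisted)"
SECTION_RE = re.compile(r"^=+\s*(?P<title>[^=\s].*?)\s*=+$")

# Service/driver entry: "<state> <name>; <path> [<size> <date>] (<publisher>)"
SVC_RE = re.compile(
    r"^(?P<state>[RSU]\d)\s+(?P<name>[^;]+);\s+(?P<path>.+?)\s+"
    r"\[(?P<size>\d+)\s+(?P<date>\d{4}-\d{2}-\d{2})\]\s+\((?P<publisher>.*)\)$"
)

# Autorun entry: "HKLM\...\Run: [<value name>] => <target>"
RUN_RE = re.compile(r"^(?P<key>HK\S*\\Run):\s+\[(?P<value>.*?)\]\s+=>\s+(?P<target>.*)$")


@dataclass
class Finding:
    section: str   # FRST section the line came from
    line: str      # the original log line, for the reviewer to look at
    reason: str    # why it was pulled out


def triage_frst(text: str) -> List[Finding]:
    """Return log lines worth a second look, in the order they appear."""
    findings: List[Finding] = []
    section = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue

        banner = SECTION_RE.match(line)
        if banner:
            section = banner.group("title")
            continue

        # FRST's own marker; reviewers always read these lines first.
        if "<==== ATTENTION" in line:
            findings.append(Finding(section, line, "flagged by FRST"))
            continue

        svc = SVC_RE.match(line)
        if svc:
            # An empty publisher field means FRST could not read a signer for the file.
            # That is a prompt for manual verification, not proof of anything.
            if svc.group("publisher").strip() == "":
                findings.append(Finding(section, line, f"{svc.group('name')}: no publisher shown"))
            continue

        run = RUN_RE.match(line)
        if run and run.group("target").strip() == "[X]":
            findings.append(Finding(section, line, "autorun entry whose target file is missing"))
    return findings


def format_report(findings: List[Finding]) -> str:
    """Plain-text summary, one finding per block."""
    if not findings:
        return "no lines need attention"
    return "\n".join(f"[{f.section}] {f.reason}\n    {f.line}" for f in findings)


if __name__ == "__main__":
    print(format_report(triage_frst(SAMPLE_FRST)))
```

On the sample it pulls out three lines: the empty `Run` value pointing at `[X]`, the Windows Defender policy line FRST marked ATTENTION (a restriction that can be set by a third-party antivirus as well as by malware), and the `hitmanpro37` driver with no publisher. That last one illustrates the caveat: the log shows the driver appearing on 2018-07-26, the day the poster ran HitmanPro, so a missing publisher string alone is not a verdict. The script narrows what a human reads; it does not decide what is malicious.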


#4 nasdaq

nasdaq

  • Malware Response Team
  • 40,752 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 28 July 2018 - 06:35 AM

Hi,

Your logs are clean.

Download and run the Malwarebytes Cleanup Utility
https://support.malwarebytes.com/docs/DOC-1112

When completed restart the computer normally to reset the registry.

Reinstall the Malwarebytes.


How is it now?
===

#5 Looking2Build

Looking2Build
  • Topic Starter

  • Members
  • 5 posts
  • Gender:Male

Posted 31 July 2018 - 12:36 AM

I did the Cleanup Utility, reinstalled and ran Malwarebytes, and it went a little further than last time, but it still gets stuck at 4:54 during the Heuristics Analysis scan.

The file currently scanning when it freezes is:

C:\USERS\MANDM\APPDATA\ROAMING\MICROSOFT\INTERNET EXPLORER\QUICK LAUNCH\USER PINNED\STARTMENU\ACROBAT READER DC.LNK

 

Still found 228 items.

 

Thanks.



#6 nasdaq

nasdaq

  • Malware Response Team
  • 40,752 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 31 July 2018 - 07:44 AM

Hi,

Remove the program in bold via the Control Panel > Programs > Programs and Features.
Adobe Acrobat Reader DC (HKLM-x32\...\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}) (Version: 18.011.20055 - Adobe Systems Incorporated)

Restart the computer normally.

Run the MBAM program.

How is it now?

p.s.
You can reinstall the Acrobat Reader later if you need it.

#7 Looking2Build

Looking2Build
  • Topic Starter

  • Members
  • 5 posts
  • Gender:Male

Posted 03 August 2018 - 01:26 AM

I was hoping it would work, but it still freezes at 4:54 during the Heuristics Analysis scan.

Should I remove my nephew's account, then re-enter once we find a fix?

I plan on going back on Monday to try the next step.

 

Thanks.



#8 nasdaq

nasdaq

  • Malware Response Team
  • 40,752 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 03 August 2018 - 07:37 AM

Hi,

It's time for you to check with Malwarebytes.

Having problems using Malwarebytes? Please follow these steps:
https://forums.malwarebytes.com/topic/190532-having-problems-using-malwarebytes-please-follow-these-steps/

Follow the steps suggested on the link.

On my end both of your Farbar logs are clean.

Mention to them that you used the cleaning tool and reinstalled MBAM, and the problem persists.

I will leave this topic open; let me know when all is well.



