
PC Compromised with Keylogger - Check required please


  • This topic is locked
13 replies to this topic

#1 DiverDan

DiverDan

  • Members
  • 6 posts

Posted 08 November 2018 - 09:21 AM

Hello,

 

Sadly I have been a victim of ID fraud (online banking), which appears to have come from a keylogger on my PC which McAfee picked up - my previous AV (Avast) didn't, and when I became aware, I switched out AV.

 

I have run a number of scans etc. which say it is now clean (McAfee, MWB etc.), but I am understandably skeptical now about whether there is anything else hidden on the machine itself and I find myself back to the same issues.

 

Can anyone offer any advice and checks? The last thing I want to do is to lose any data via a reformat of the SSD, or go through all the issues again with the consequences of it happening again if the PC is not fit to use.

 

Thanks in advance

 

Dan

 

 




#2 satchfan

satchfan

  • Malware Response Team
  • 2,933 posts
  • Gender:Female
  • Location:Devon, UK

Posted 08 November 2018 - 05:48 PM

Hello Dan and welcome to the Bleeping Computer forum.

Please read the following guidelines which will help to make cleaning your machine easier:

  • please follow all instructions in the order posted
  • please continue to review my answers until I tell you your machine appears to be clear. Absence of symptoms does not mean that everything is clear
  • all logs/reports, etc. must be posted in Notepad. Please ensure that word wrap is unchecked. In Notepad click Format, uncheck Word wrap if it is checked
  • if you don't understand something, please don't hesitate to ask for clarification before proceeding
  • the fixes are specific to your problem and should only be used for this issue on this machine.
  • please reply within 3 days. If you do not reply within this period I will post a reminder but topics with no reply in 4 days will be closed!

IMPORTANT:

Please DO NOT install/uninstall any programs unless asked to.
Please DO NOT run any scans other than those requested

===================================================

 

I have been victim of ID fraud (online banking) which it appears to have come from a keylogger on my pc which McAfee picked up

Can you tell me what alerted you to a keylogger if Avast didn't pick it up?

===================================================

Run RogueKiller

IMPORTANT: Please remove any usb or external drives from the computer before you run this scan!

Close all running programs.


Download RogueKiller to your desktop

  • close all running programs
  • for Windows Vista/7/8/10, right click -> run as administrator, for XP simply double-click on RogueKiller.exe
  • when the pre-scan is finished, click on Scan
  • click on Report and copy/paste the content in your next post
  • NOTE: DO NOT attempt to remove anything that the scan detects - everything that is reported is not necessarily bad

If the program is blocked, continue to try it several times. If it still doesn’t work, (it could happen), rename it to winlogon.exe.

Please post the contents of the RKreport.txt in your next reply.

Thanks

Nina

 


My help is always free of charge. If you are happy with the help provided, if you wish you can make a donation to buy me a beer.


#3 DiverDan

DiverDan
  • Topic Starter

  • Members
  • 6 posts

Posted 09 November 2018 - 03:11 AM

Hi Nina,

 

Thanks for the assistance. Report per the below.

 

The bank fraud team advised me that the attack took place using online credentials (only use this pc) which they believe were harvested from a keylogger. They traced the log in IP to another part of the country.

 

RogueKiller Anti-Malware V13.0.8.0 [Nov  6 2018] (Free) by Adlice Software
Operating System : Windows 7 (6.1.7601 Service Pack 1) 32 bits
Started in : Normal mode
User : Admin [Administrator]
Started from : C:\Program Files\RogueKiller\RogueKiller.exe
Mode : Standard Scan, Scan -- Date : 2018/11/09 07:56:22 (Duration : 00:11:45)
Switches : -refid 3
 
¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤ Processes ¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤
 
¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤ Process Modules ¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤
 
¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤ Services ¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤
 
¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤ Tasks ¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤
 
¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤ Registry ¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤
>>>>>> XX - Software
  [PUP.DriverTalent (Potentially Malicious)] HKEY_LOCAL_MACHINE\Software\OSTotoSoft -- N/A -> Found
  [PUP.DriverTalent (Potentially Malicious)] HKEY_USERS\S-1-5-21-2235111928-2204133208-3526899875-1000\Software\OSTotoSoft -- N/A -> Found
 
¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤ WMI ¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤
 
¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤ Hosts File ¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤
 
¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤ Files ¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤
[PUP.DriverTalent (Potentially Malicious)] (folder) OSTotoSoft -- C:\Program Files\OSTotoSoft -> Found
[PUP.DriverTalent (Potentially Malicious)] (folder) OSTotoSoft -- C:\Program Files\OSTotoSoft -> Found
 
¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤ Web browsers ¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤
>>>>>> Chrome Config
  [PUM.SearchPage (Potentially Malicious)] default_search_provider_data.template_url_data.url (C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences


#4 satchfan

satchfan

  • Malware Response Team
  • 2,933 posts
  • Gender:Female
  • Location:Devon, UK

Posted 09 November 2018 - 05:05 AM

There are a few instructions and scans in this post, so take your time and reply as you can.


Can you tell me if you intentionally installed Driver Talent?

Apart from that, there is an entry that needs to be dealt with.

Run RogueKiller

IMPORTANT: Do not reboot your computer if at all possible otherwise the malware will reactivate and you will have to run RogueKiller again

  • close all programs
  • double-click RogueKiller.exe - Windows 7/8/10: right-click the program and select Run as Administrator
  • click on Start Scan
  • when the scan is finished remove this:


    [PUM.SearchPage (Potentially Malicious)] default_search_provider_data.template_url_data.url (C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

This will not get rid of that permanently, so please click on this link and follow the instructions to permanently resolve this.

Run RogueKiller again and send the new log.

===================================================

Note: Please run these in the order given in the instructions.

===================================================

Download and run AdwCleaner

Download AdwCleaner from here and save it to your desktop.

  • run AdwCleaner by clicking on Scan
  • when it has finished, leave everything that was found checked, (ticked), then click on Clean
  • if it asks to reboot, allow the reboot
  • on reboot a log will be produced; please attach the content of the log to your next reply.

===================================================

Run Farbar Recovery Scan Tool

Please download Farbar Recovery Scan Tool and save it to your Desktop.

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.

  • right click to run as administrator (XP users click run after receipt of Windows Security Warning - Open File). When the tool opens click Yes to disclaimer.
  • press Scan button
  • it will produce a log called Frst.txt in the same directory the tool is run from
  • please copy and paste log back here.
  • the first time the tool is run it generates another log (Addition.txt - also located in the same directory as FRST.exe/FRST64.exe). Please also paste that along with the Frst.txt into your reply.

Logs to include with next post:

New RogueKiller log
AdwCleaner log
Frst.txt
Addition.txt


Thanks

Nina


Edited by satchfan, 09 November 2018 - 05:07 AM.

My help is always free of charge. If you are happy with the help provided, if you wish you can make a donation to buy me a beer.
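The entry Nina asks to be removed above lives in Chrome's "Secure Preferences" file (the path quoted in the RogueKiller report), under the dotted key `default_search_provider_data.template_url_data.url`. As an added illustration of how a defender can check that setting directly, and not code from this thread, RogueKiller or Chrome, the following Python reads that JSON file, walks the dotted key, and classifies the configured search URL. The set of expected search hosts and the sample JSON blobs are constructed assumptions for the example.

```python
import json
from urllib.parse import urlparse

# Dotted key path that RogueKiller reported inside Chrome's "Secure Preferences" file.
SEARCH_URL_KEY = "default_search_provider_data.template_url_data.url"

# Assumption: the search hosts this profile's owner actually expects; adjust as needed.
EXPECTED_SEARCH_HOSTS = {"www.google.com", "www.bing.com", "duckduckgo.com"}


def get_dotted(obj, dotted_key):
    """Walk a dotted key path through nested dicts; return None if any segment is missing."""
    current = obj
    for part in dotted_key.split("."):
        if not isinstance(current, dict) or part not in current:
            return None
        current = current[part]
    return current


def check_search_provider(secure_prefs_text, expected_hosts=EXPECTED_SEARCH_HOSTS):
    """Classify the default search provider configured in a Secure Preferences JSON blob.

    Returns a dict with:
      status: "default"    -> key absent, Chrome falls back to its built-in default
              "ok"         -> URL host is in expected_hosts
              "suspicious" -> URL host is not expected (the PUM.SearchPage situation)
      url/host: the configured search URL and its host, or None when absent
    """
    prefs = json.loads(secure_prefs_text)
    url = get_dotted(prefs, SEARCH_URL_KEY)
    if not isinstance(url, str) or not url:
        return {"status": "default", "url": None, "host": None}
    host = (urlparse(url).hostname or "").lower()
    status = "ok" if host in expected_hosts else "suspicious"
    return {"status": status, "url": url, "host": host}


def check_secure_preferences_file(path, expected_hosts=EXPECTED_SEARCH_HOSTS):
    """Convenience wrapper for a real profile, e.g. the Secure Preferences path quoted in the thread."""
    with open(path, encoding="utf-8") as fh:
        return check_search_provider(fh.read(), expected_hosts)


# Constructed samples for the example (not taken from the poster's machine).
SAMPLE_HIJACKED = json.dumps({
    "default_search_provider_data": {
        "template_url_data": {
            "keyword": "search.example",
            "url": "http://search.example.invalid/?q={searchTerms}",
        }
    }
})

SAMPLE_EXPECTED = json.dumps({
    "default_search_provider_data": {
        "template_url_data": {
            "keyword": "google.com",
            "url": "https://www.google.com/search?q={searchTerms}",
        }
    }
})

SAMPLE_UNTOUCHED = json.dumps({"extensions": {"settings": {}}})


if __name__ == "__main__":
    for label, sample in [("hijacked", SAMPLE_HIJACKED),
                          ("expected", SAMPLE_EXPECTED),
                          ("untouched", SAMPLE_UNTOUCHED)]:
        print(label, check_search_provider(sample))
```

Run it against a copy of the profile's Secure Preferences file (with Chrome closed) via `check_secure_preferences_file(path)`; a `suspicious` result with an unfamiliar host is the same condition RogueKiller labels PUM.SearchPage, while `default` means the key is simply not set.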


#5 DiverDan

DiverDan
  • Topic Starter

  • Members
  • 6 posts

Posted 09 November 2018 - 06:36 AM

Hi Nina.

 

DriverTalent was recommended when I had a rebuild of my PC and needed to fetch drivers; I wasn't made aware it was malicious.

 

New RK report attached.

 

Other results below:

 

# -------------------------------
# Malwarebytes AdwCleaner 7.2.4.0
# -------------------------------
# Build:    09-25-2018
# Database: 2018-11-05.1 (Cloud)
#
# -------------------------------
# Mode: Clean
# -------------------------------
# Start:    11-09-2018
# Duration: 00:00:03
# OS:       Windows 7 Ultimate
# Cleaned:  3
# Failed:   0
 
 
***** [ Services ] *****
 
No malicious services cleaned.
 
***** [ Folders ] *****
 
Deleted       C:\Program Files\OSTotoSoft
 
***** [ Files ] *****
 
No malicious files cleaned.
 
***** [ DLL ] *****
 
No malicious DLLs cleaned.
 
***** [ WMI ] *****
 
No malicious WMI cleaned.
 
***** [ Shortcuts ] *****
 
No malicious shortcuts cleaned.
 
***** [ Tasks ] *****
 
No malicious tasks cleaned.
 
***** [ Registry ] *****
 
Deleted       HKCU\Software\OSTotoSoft
Deleted       HKLM\Software\OSTotoSoft
 
***** [ Chromium (and derivatives) ] *****
 
No malicious Chromium entries cleaned.
 
***** [ Chromium URLs ] *****
 
No malicious Chromium URLs cleaned.
 
***** [ Firefox (and derivatives) ] *****
 
No malicious Firefox entries cleaned.
 
***** [ Firefox URLs ] *****
 
No malicious Firefox URLs cleaned.
 
 
*************************
 
[+] Delete Tracing Keys
[+] Reset Winsock
 
*************************
 
AdwCleaner[S00].txt - [1366 octets] - [08/10/2018 20:27:18]
AdwCleaner[C00].txt - [1494 octets] - [08/10/2018 20:29:36]
AdwCleaner[S01].txt - [1375 octets] - [08/10/2018 20:31:17]
AdwCleaner[C01].txt - [1561 octets] - [08/10/2018 20:31:33]
AdwCleaner[S02].txt - [1607 octets] - [09/11/2018 11:23:59]
 
########## EOF - C:\AdwCleaner\Logs\AdwCleaner[C02].txt ##########
 
 
 
 
Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 08.11.2018
Ran by Admin (administrator) on ADMIN-PC (09-11-2018 11:28:54)
Running from C:\Users\Admin\Desktop\Bleeping Info
Loaded Profiles: Admin (Available Profiles: Admin)
Platform: Microsoft Windows 7 Ultimate  Service Pack 1 (X86) Language: English (United States)
Internet Explorer Version 11 (Default browser not detected!)
Boot Mode: Normal
 
==================== Processes (Whitelisted) =================
 
(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)
 
(NVIDIA Corporation) C:\Windows\System32\nvvsvc.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe
(NVIDIA Corporation) C:\Windows\System32\nvvsvc.exe
(Hewlett-Packard Company) C:\Program Files\Common Files\LightScribe\LSSrvc.exe
(McAfee, Inc.) C:\Program Files\McAfee\WebAdvisor\servicehost.exe
(McAfee, LLC) C:\Program Files\Common Files\McAfee\SystemCore\mfemms.exe
(McAfee, Inc.) C:\Program Files\Common Files\McAfee\ModuleCore\ModuleCoreService.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\NetService\NvNetworkService.exe
(McAfee, Inc.) C:\Program Files\Common Files\McAfee\PEF\CORE\PEFService.exe
(McAfee, Inc.) C:\Program Files\Common Files\McAfee\MMSSHost\MMSSHOST.exe
(Microsoft) C:\Program Files\Common Files\Sage\Central\AutoUpdateClient\Sage.Central.AutoUpdateManager.Service.exe
(McAfee, LLC) C:\Windows\System32\mfevtps.exe
(McAfee, Inc.) C:\Program Files\Common Files\McAfee\ModuleCore\ProtectedModuleHost.exe
(McAfee, Inc.) C:\Program Files\McAfee\WebAdvisor\uihost.exe
(Sage UK Limited) C:\Program Files\Common Files\Sage\Shared\AutoUpdateManager\v2\Sage.Central.AutoUpdateManager.Service.exe
(TeamViewer GmbH) C:\Program Files\TeamViewer\TeamViewer_Service.exe
(Malwarebytes) C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\Update Core\NvBackend.exe
(McAfee, LLC) C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe
(Hewlett-Packard) C:\Program Files\Hewlett-Packard\HP Wireless Elite Desktop\HPKEYBOARDg.EXE
(Siber Systems) C:\Program Files\Siber Systems\AI RoboForm\robotaskbaricon.exe
(Piriform Ltd) C:\Program Files\CCleaner\CCleaner.exe
(McAfee, Inc.) C:\Program Files\Common Files\McAfee\CSP\3.0.127.0\McCSPServiceHost.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\Display\nvtray.exe
(Malwarebytes) C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe
(McAfee, Inc.) C:\Program Files\Common Files\McAfee\ModuleCore\ModuleCoreService.exe
(McAfee, LLC) C:\Windows\System32\mfevtps.exe
(McAfee, Inc.) C:\Program Files\Common Files\McAfee\VSCore_18_9\mcapexe.exe
(McAfee, Inc.) C:\Program Files\McAfee\MfeAV\MfeAVSvc.exe
(McAfee LLC.) C:\Program Files\Common Files\McAfee\AMCore\mcshield.exe
(McAfee, Inc.) C:\Program Files\Common Files\McAfee\Platform\McUICnt.exe
(Google Inc.) C:\Program Files\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files\Google\Chrome\Application\chrome.exe
(Microsoft Corporation) C:\Windows\System32\cmd.exe
(McAfee, Inc.) C:\Program Files\McAfee\WebAdvisor\browserhost.exe
(Microsoft Corporation) C:\Windows\System32\cmd.exe
(Microsoft Corporation) C:\Windows\System32\cmd.exe
(Siber Systems Inc.) C:\Program Files\Siber Systems\AI RoboForm\Chrome\rf-chrome-nm-host.exe
(McAfee, Inc.) C:\Program Files\McAfee\WebAdvisor\browserhost.exe
(Google Inc.) C:\Program Files\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files\Google\Chrome\Application\chrome.exe
(Microsoft Corporation) C:\Windows\System32\wuauclt.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe
 
==================== Registry (Whitelisted) ===========================
 
(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)
 
HKLM\...\Run: [NvBackend] => C:\Program Files\NVIDIA Corporation\Update Core\NvBackend.exe [1793736 2015-02-19] (NVIDIA Corporation)
HKLM\...\Run: [HP KEYBOARDg] => C:\Program Files\Hewlett-Packard\HP Wireless Elite Desktop\HPKEYBOARDg.EXE [701592 2009-07-23] (Hewlett-Packard)
HKU\S-1-5-21-2235111928-2204133208-3526899875-1000\...\Run: [RoboForm] => C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe [110376 2017-11-19] (Siber Systems)
HKU\S-1-5-21-2235111928-2204133208-3526899875-1000\...\Run: [CCleaner Smart Cleaning] => C:\Program Files\CCleaner\CCleaner.exe [13769584 2018-09-19] (Piriform Ltd)
HKU\S-1-5-21-2235111928-2204133208-3526899875-1000\...\MountPoints2: {4cf19619-329c-11e8-9b81-001e8c765f76} - E:\TotalLock.exe
HKU\S-1-5-21-2235111928-2204133208-3526899875-1000\...\MountPoints2: {bcfc0d0c-50d0-11e7-9c2c-001e8c765f76} - E:\DTVP_Launcher.exe
 
==================== Internet (Whitelisted) ====================
 
(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)
 
Hosts: 127.0.0.1 activate.adobe.com 
Tcpip\Parameters: [DhcpNameServer] 192.168.1.1
Tcpip\..\Interfaces\{2B5C90E6-8A3F-440B-86A0-A9F8D8E5EC91}: [DhcpNameServer] 192.168.1.1
 
Internet Explorer:
==================
HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
HKU\S-1-5-21-2235111928-2204133208-3526899875-1000\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
HKU\S-1-5-21-2235111928-2204133208-3526899875-1000\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = hxxp://www.msn.com/en-gb/?ocid=iehp
BHO: Canon Easy-WebPrint EX BHO -> {3785D0AD-BFFF-47F6-BF5B-A587C162FED9} -> C:\Program Files\Canon\Easy-WebPrint EX\ewpexbho.dll [2016-02-23] (CANON INC.)
BHO: RoboForm Toolbar Helper -> {724d43a9-0d85-11d4-9908-00400523e39a} -> C:\Program Files\Siber Systems\AI RoboForm\roboform.dll [2017-11-19] (Siber Systems Inc.)
BHO: Google Toolbar Helper -> {AA58ED58-01DD-4d91-8333-CF10577473F7} -> C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll [2017-05-25] (Google Inc.)
BHO: McAfee WebAdvisor -> {B164E929-A1B6-4A06-B104-2CD0E90A88FF} -> C:\Program Files\McAfee\WebAdvisor\win32\IEPlugin.dll [2018-09-28] (McAfee, Inc.)
BHO: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files\Microsoft Office\Office15\URLREDIR.DLL [2014-01-23] (Microsoft Corporation)
BHO: Microsoft SkyDrive Pro Browser Helper -> {D0498E0A-45B7-42AE-A9AA-ABA463DBD3BF} -> C:\Program Files\Microsoft Office\Office15\GROOVEEX.DLL [2018-05-15] (Microsoft Corporation)
Toolbar: HKLM - Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll [2017-05-25] (Google Inc.)
Toolbar: HKLM - &RoboForm Toolbar - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll [2017-11-19] (Siber Systems Inc.)
Toolbar: HKLM - Canon Easy-WebPrint EX - {759D9886-0C6F-4498-BAB6-4A5F47C6C72F} - C:\Program Files\Canon\Easy-WebPrint EX\ewpexhlp.dll [2016-02-23] (CANON INC.)
Toolbar: HKU\S-1-5-21-2235111928-2204133208-3526899875-1000 -> Canon Easy-WebPrint EX - {759D9886-0C6F-4498-BAB6-4A5F47C6C72F} - C:\Program Files\Canon\Easy-WebPrint EX\ewpexhlp.dll [2016-02-23] (CANON INC.)
Toolbar: HKU\S-1-5-21-2235111928-2204133208-3526899875-1000 -> Google Toolbar - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll [2017-05-25] (Google Inc.)
Toolbar: HKU\S-1-5-21-2235111928-2204133208-3526899875-1000 -> &RoboForm Toolbar - {724D43A0-0D85-11D4-9908-00400523E39A} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll [2017-11-19] (Siber Systems Inc.)
Handler: osf - {D924BDC6-C83A-4BD5-90D0-095128A113D1} - C:\Program Files\Microsoft Office\Office15\MSOSB.DLL [2018-03-14] (Microsoft Corporation)
Filter: application/x-mfe-ipt - {3EF5086B-5478-4598-A054-786C45D75692} - c:\Program Files\McAfee\MSC\McSnIePl.dll [2018-09-28] (McAfee, Inc.)
 
FireFox:
========
FF HKLM\...\Firefox\Extensions: [{4ED1F68A-5463-4931-9384-8FFF5ED91D92}] - C:\Program Files\McAfee\WebAdvisor\e10ssaffplg.xpi
FF Extension: (McAfee® WebAdvisor) - C:\Program Files\McAfee\WebAdvisor\e10ssaffplg.xpi [2018-11-08]
FF Plugin: @adobe.com/FlashPlayer -> C:\Windows\system32\Macromed\Flash\NPSWF32_31_0_0_122.dll [2018-10-09] ()
FF Plugin: @canon.com/EPPEX -> C:\Program Files\Canon\My Image Garden\AddOn\CIG\npmigfpi.dll [2017-10-17] (CANON INC.)
FF Plugin: @mcafee.com/MSC,version=10 -> c:\PROGRA~1\mcafee\msc\NPMCSN~1.DLL [2018-09-28] ()
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> C:\Program Files\Microsoft Silverlight\5.1.50907.0\npctrl.dll [2017-05-03] ( Microsoft Corporation)
FF Plugin: @microsoft.com/SharePoint,version=14.0 -> C:\PROGRA~1\MICROS~2\Office15\NPSPWRAP.DLL [2014-01-23] (Microsoft Corporation)
FF Plugin: @nvidia.com/3DVision -> C:\Program Files\NVIDIA Corporation\3D Vision\npnv3dv.dll [2015-02-04] (NVIDIA Corporation)
FF Plugin: @nvidia.com/3DVisionStreaming -> C:\Program Files\NVIDIA Corporation\3D Vision\npnv3dvstreaming.dll [2015-02-03] (NVIDIA Corporation)
FF Plugin: @tools.google.com/Google Update;version=3 -> C:\Program Files\Google\Update\1.3.33.17\npGoogleUpdate3.dll [2018-05-17] (Google Inc.)
FF Plugin: @tools.google.com/Google Update;version=9 -> C:\Program Files\Google\Update\1.3.33.17\npGoogleUpdate3.dll [2018-05-17] (Google Inc.)
FF Plugin: Adobe Reader -> C:\Program Files\Adobe\Acrobat Reader DC\Reader\AIR\nppdf32.dll [2018-09-20] (Adobe Systems Inc.)
 
Chrome: 
=======
CHR DefaultProfile: Default
CHR DefaultSearchURL: Default -> hxxps://www.bleepingcomputer.com/forums/t/686318/pc-compromised-with-keylogger-check-required-please/
CHR Profile: C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default [2018-11-09]
CHR Extension: (Adobe Acrobat) - C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\efaidnbmnnnibpcajpcglclefindmkaj [2017-05-26]
CHR Extension: (McAfee® WebAdvisor) - C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\fheoggkfdfchfphceeifdbepaooicaho [2018-10-24]
CHR Extension: (McAfee® Web Boost) - C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\klekeajafkkpokaofllcadenjdckhinm [2018-10-09]
CHR Extension: (Chrome Web Store Payments) - C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2018-04-26]
CHR Extension: (Chrome Media Router) - C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm [2018-10-25]
CHR Extension: (RoboForm Password Manager) - C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\pnlccmojcmeohlpggmfnbbiapkmbliob [2018-10-30]
CHR HKLM\...\Chrome\Extension: [efaidnbmnnnibpcajpcglclefindmkaj] - hxxps://clients2.google.com/service/update2/crx
CHR HKLM\...\Chrome\Extension: [fheoggkfdfchfphceeifdbepaooicaho] - hxxp://clients2.google.com/service/update2/crx
CHR HKLM\...\Chrome\Extension: [klekeajafkkpokaofllcadenjdckhinm] - hxxp://clients2.google.com/service/update2/crx
CHR HKLM\...\Chrome\Extension: [pnlccmojcmeohlpggmfnbbiapkmbliob] - C:\Program Files\Siber Systems\AI RoboForm\Chrome\rf-chrome.crx [2017-05-25]
 
==================== Services (Whitelisted) ====================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
R2 LightScribeService; c:\Program Files\Common Files\LightScribe\LSSrvc.exe [73728 2010-07-21] (Hewlett-Packard Company) [File not signed]
R2 MBAMService; C:\Program Files\Malwarebytes\Anti-Malware\mbamservice.exe [5073376 2018-09-19] (Malwarebytes)
R2 McAfee WebAdvisor; C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe [531744 2018-09-28] (McAfee, Inc.)
R2 McAPExe; C:\Program Files\Common Files\McAfee\VSCore_18_9\McApExe.exe [596544 2018-10-05] (McAfee, Inc.)
R2 mccspsvc; C:\Program Files\Common Files\McAfee\CSP\3.0.127.0\\McCSPServiceHost.exe [1586104 2018-06-29] (McAfee, Inc.)
S3 mfefire; C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe [329584 2018-08-27] (McAfee, LLC)
R2 mfemms; C:\Program Files\Common Files\McAfee\SystemCore\mfemms.exe [532336 2018-08-27] (McAfee, LLC)
R3 mfevtp; C:\Windows\system32\mfevtps.exe [477048 2018-08-27] (McAfee, LLC)
R2 ModuleCoreService; C:\Program Files\Common Files\McAfee\ModuleCore\ModuleCoreService.exe [1342352 2018-09-25] (McAfee, Inc.)
R2 NvNetworkService; C:\Program Files\NVIDIA Corporation\NetService\NvNetworkService.exe [1720608 2014-07-25] (NVIDIA Corporation)
R2 PEFService; C:\Program Files\Common Files\McAfee\PEF\CORE\PEFService.exe [1042768 2018-07-25] (McAfee, Inc.)
R2 Sage AutoUpdate Manager Service; C:\Program Files\Common Files\Sage\Central\AutoUpdateClient\Sage.Central.AutoUpdateManager.Service.exe [8192 2015-08-24] (Microsoft) [File not signed]
R2 Sage AutoUpdate Manager Service v2; C:\Program Files\Common Files\Sage\Shared\AutoUpdateManager\v2\Sage.Central.AutoUpdateManager.Service.exe [8192 2017-10-12] (Sage UK Limited) [File not signed]
R2 TeamViewer; C:\Program Files\TeamViewer\TeamViewer_Service.exe [10803440 2017-12-18] (TeamViewer GmbH)
S3 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [680960 2013-05-27] (Microsoft Corporation)
 
===================== Drivers (Whitelisted) ======================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
R3 cfwids; C:\Windows\System32\drivers\cfwids.sys [72720 2018-10-04] (McAfee, LLC)
S3 HipShieldK; C:\Windows\System32\drivers\HipShieldK.sys [187448 2018-10-03] (McAfee, Inc.)
R3 MBAMSwissArmy; C:\Windows\System32\Drivers\mbamswissarmy.sys [229568 2018-11-09] (Malwarebytes)
R3 mfeaack; C:\Windows\System32\drivers\mfeaack.sys [391184 2018-10-04] (McAfee, LLC)
R3 mfeavfk; C:\Windows\System32\drivers\mfeavfk.sys [289296 2018-10-04] (McAfee, LLC)
R3 mfefirek; C:\Windows\System32\drivers\mfefirek.sys [400192 2018-10-04] (McAfee, LLC)
R0 mfehidk; C:\Windows\System32\drivers\mfehidk.sys [749888 2018-10-04] (McAfee, LLC)
R3 mfencbdc; C:\Windows\System32\DRIVERS\mfencbdc.sys [436528 2018-10-02] (McAfee LLC.)
S3 mfencrk; C:\Windows\System32\DRIVERS\mfencrk.sys [92456 2018-10-02] (McAfee LLC.)
R3 mfeplk; C:\Windows\System32\drivers\mfeplk.sys [100672 2018-10-04] (McAfee, LLC)
R3 mfesapsn; C:\Program Files\McAfee\WebAdvisor\mfesapsn.sys [89304 2018-09-28] (McAfee, Inc.)
R0 mfewfpk; C:\Windows\System32\drivers\mfewfpk.sys [210240 2018-10-04] (McAfee, LLC)
R3 netr28u; C:\Windows\System32\DRIVERS\netr28u.sys [1549000 2013-11-21] (Ralink Technology Corp.)
R3 nvvad_WaveExtensible; C:\Windows\System32\drivers\nvvad32v.sys [34080 2014-03-31] (NVIDIA Corporation)
S3 Synth3dVsc; System32\drivers\synth3dvsc.sys [X]
S3 tsusbhub; system32\drivers\tsusbhub.sys [X]
S3 VGPU; System32\drivers\rdvgkmd.sys [X]
 
==================== NetSvcs (Whitelisted) ===================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
 
==================== One Month Created files and folders ========
 
(If an entry is included in the fixlist, the file/folder will be moved.)
 
2018-11-09 11:28 - 2018-11-09 11:28 - 000000000 ____D C:\FRST
2018-11-09 11:26 - 2018-11-09 11:28 - 000000000 ____D C:\Users\Admin\Desktop\Bleeping Info
2018-11-09 11:25 - 2018-11-09 11:25 - 000229568 _____ (Malwarebytes) C:\Windows\system32\Drivers\mbamswissarmy.sys
2018-11-09 11:22 - 2018-11-09 11:23 - 007592144 _____ (Malwarebytes) C:\Users\Admin\Desktop\adwcleaner_7.2.4.0 (1).exe
2018-11-09 07:55 - 2018-11-09 08:48 - 000000000 ____D C:\ProgramData\RogueKiller
2018-11-09 07:55 - 2018-11-09 07:55 - 000000965 _____ C:\Users\Public\Desktop\RogueKiller.lnk
2018-11-09 07:55 - 2018-11-09 07:55 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\RogueKiller
2018-11-09 07:55 - 2018-11-09 07:55 - 000000000 ____D C:\Program Files\RogueKiller
2018-11-09 07:07 - 2018-11-09 07:07 - 028936544 _____ (Adlice Software ) C:\Users\Admin\Downloads\RogueKiller_setup_ref3.exe
2018-11-01 15:26 - 2018-11-01 15:26 - 000000000 ____D C:\Users\Admin\AppData\Local\Adobe
2018-11-01 15:20 - 2018-11-01 15:20 - 000111448 _____ C:\Users\Admin\AppData\Local\GDIPFONTCACHEV1.DAT
2018-11-01 15:09 - 2018-11-01 15:10 - 000000000 ____D C:\Users\Admin\Documents\New folder
2018-11-01 15:09 - 2018-11-01 15:09 - 000000000 ____D C:\Users\Admin\Downloads\FBHIP
2018-10-25 04:20 - 2018-10-25 04:20 - 000167025 _____ C:\Users\Admin\Documents\Messenger.pdf
 
==================== One Month Modified files and folders ========
 
(If an entry is included in the fixlist, the file/folder will be moved.)
 
2018-11-09 11:25 - 2017-05-25 19:55 - 000000000 ____D C:\ProgramData\NVIDIA
2018-11-09 11:25 - 2009-07-14 04:53 - 000000006 ____H C:\Windows\Tasks\SA.DAT
2018-11-09 11:12 - 2009-07-14 04:34 - 000013712 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2018-11-09 11:12 - 2009-07-14 04:34 - 000013712 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2018-11-09 11:09 - 2017-05-25 19:37 - 000782470 _____ C:\Windows\system32\PerfStringBackup.INI
2018-11-09 11:09 - 2009-07-14 02:37 - 000000000 ____D C:\Windows\inf
2018-11-08 15:18 - 2018-09-28 22:12 - 000000000 ____D C:\ProgramData\McAfee
2018-11-01 15:26 - 2018-10-09 18:53 - 000000000 ____D C:\Users\Admin\AppData\Roaming\Adobe
2018-11-01 14:44 - 2018-09-28 22:19 - 000000000 ____D C:\Program Files\McAfee
2018-11-01 14:44 - 2009-07-14 04:53 - 000032608 _____ C:\Windows\Tasks\SCHEDLGU.TXT
2018-11-01 14:21 - 2018-09-28 22:12 - 000000000 ____D C:\Program Files\Common Files\McAfee
2018-10-29 18:34 - 2017-05-25 19:58 - 000002441 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Acrobat Reader DC.lnk
2018-10-29 17:30 - 2018-10-08 20:22 - 000129248 _____ (Malwarebytes) C:\Windows\system32\Drivers\mbae.sys
2018-10-24 19:37 - 2017-05-25 19:49 - 000002130 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome.lnk
2018-10-12 07:56 - 2009-07-14 04:33 - 003788336 _____ C:\Windows\system32\FNTCACHE.DAT
 
==================== Bamital & volsnap ======================
 
(There is no automatic fix for files that do not pass verification.)
 
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\system32\winlogon.exe => File is digitally signed
C:\Windows\system32\wininit.exe => File is digitally signed
C:\Windows\system32\svchost.exe => File is digitally signed
C:\Windows\system32\services.exe => File is digitally signed
C:\Windows\system32\User32.dll => File is digitally signed
C:\Windows\system32\userinit.exe => File is digitally signed
C:\Windows\system32\rpcss.dll => File is digitally signed
C:\Windows\system32\dnsapi.dll => File is digitally signed
C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed
 
LastRegBack: 2018-11-08 15:09
 
==================== End of FRST.txt ============================
 
 
 
 
 
Additional scan result of Farbar Recovery Scan Tool (x86) Version: 08.11.2018
Ran by Admin (09-11-2018 11:29:21)
Running from C:\Users\Admin\Desktop\Bleeping Info
Microsoft Windows 7 Ultimate  Service Pack 1 (X86) (2017-05-25 19:35:14)
Boot Mode: Normal
==========================================================
 
 
==================== Accounts: =============================
 
Admin (S-1-5-21-2235111928-2204133208-3526899875-1000 - Administrator - Enabled) => C:\Users\Admin
Administrator (S-1-5-21-2235111928-2204133208-3526899875-500 - Administrator - Disabled)
Guest (S-1-5-21-2235111928-2204133208-3526899875-501 - Limited - Disabled)
HomeGroupUser$ (S-1-5-21-2235111928-2204133208-3526899875-1002 - Limited - Enabled)
 
==================== Security Center ========================
 
(If an entry is included in the fixlist, it will be removed.)
 
AV: McAfee VirusScan (Enabled - Up to date) {8BCDACFA-D264-3528-5EF8-E94FD0BC1FBC}
AS: Windows Defender (Disabled - Out of date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
AS: McAfee VirusScan (Enabled - Up to date) {30AC4D1E-F45E-3AA6-6448-D23DAB3B5501}
FW: McAfee Firewall (Enabled) {B3F62DDF-980B-3470-75A7-407A2E6F58C7}
 
==================== Installed Programs ======================
 
(Only the adware programs with "Hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)
 
Adobe Acrobat Reader DC (HKLM\...\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}) (Version: 19.008.20080 - Adobe Systems Incorporated)
Adobe Flash Player 31 ActiveX (HKLM\...\Adobe Flash Player ActiveX) (Version: 31.0.0.122 - Adobe Systems Incorporated)
Adobe Flash Player 31 NPAPI (HKLM\...\Adobe Flash Player NPAPI) (Version: 31.0.0.122 - Adobe Systems Incorporated)
ASUS Product Register Program (HKLM\...\{C87D79F6-F813-4812-B7A9-CCCAAB8B1188}) (Version: 1.0.026 - ASUSTek Computer Inc.)
Canon Easy-WebPrint EX (HKLM\...\Easy-WebPrint EX) (Version: 1.7.0.0 - Canon Inc.)
Canon MP Navigator EX 4.0 (HKLM\...\MP Navigator EX 4.0) (Version:  - )
Canon MP495 series MP Drivers (HKLM\...\{1199FAD5-9546-44f3-81CF-FFDB8040B7BF}_Canon_MP495_series) (Version:  - Canon Inc.)
Canon My Image Garden (HKLM\...\Canon My Image Garden) (Version: 3.6.1 - Canon Inc.)
Canon My Image Garden Design Files (HKLM\...\Canon My Image Garden Design Files) (Version: 3.6.0 - Canon Inc.)
CCleaner (HKLM\...\CCleaner) (Version: 5.47 - Piriform)
Google Chrome (HKLM\...\Google Chrome) (Version: 70.0.3538.77 - Google Inc.)
Google Toolbar for Internet Explorer (HKLM\...\{18455581-E099-4BA8-BC6B-F34B2F06600C}) (Version: 1.0.0 - Google Inc.) Hidden
Google Toolbar for Internet Explorer (HKLM\...\{2318C2B1-4965-11d4-9B18-009027A5CD4F}) (Version: 7.5.8231.2252 - Google Inc.)
Google Update Helper (HKLM\...\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA}) (Version: 1.3.33.17 - Google Inc.) Hidden
HP Wireless Elite Desktop (HKLM\...\HP Wireless Elite Desktop_is1) (Version: 1.2.4.7 - Hewlett-Packard)
LightScribe System Software (HKLM\...\{FD71E2F7-B9FC-4072-88DB-AC19E2464D82}) (Version: 1.18.17.1 - LightScribe)
Malwarebytes version 3.6.1.2711 (HKLM\...\{35065F43-4BB2-439A-BFF7-0F1014F2E0CD}_is1) (Version: 3.6.1.2711 - Malwarebytes)
McAfee WebAdvisor (HKLM\...\{35ED3F83-4BDC-4c44-8EC6-6A8301C7413A}) (Version: 4.0.8.19377 - McAfee, Inc.)
McAfee® Internet Security (HKLM\...\MSC) (Version: 16.0 R16 - McAfee, Inc.)
Microsoft .NET Framework 4.6 (HKLM\...\{92FB6C44-E685-45AD-9B20-CADF4CABA132} - 1033) (Version: 4.6.00081 - Microsoft Corporation)
Microsoft Office Standard 2013 (HKLM\...\Office15.STANDARD) (Version: 15.0.4569.1506 - Microsoft Corporation)
Microsoft Silverlight (HKLM\...\{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}) (Version: 5.1.50907.0 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (HKLM\...\{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}) (Version: 8.0.61001 - Microsoft Corporation)
Microsoft Visual C++ 2010  x86 Redistributable - 10.0.40219 (HKLM\...\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}) (Version: 10.0.40219 - Microsoft Corporation)
Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (HKLM\...\{f65db027-aff3-4070-886a-0d87064aabb1}) (Version: 12.0.30501.0 - Microsoft Corporation)
Microsoft Visual C++ 2015 Redistributable (x86) - 14.0.24212 (HKLM\...\{462f63a8-6347-4894-a1b3-dbfe3a4c981d}) (Version: 14.0.24212.0 - Microsoft Corporation)
Microsoft Visual Studio 2010 Tools for Office Runtime (x86) (HKLM\...\Microsoft Visual Studio 2010 Tools for Office Runtime (x86)) (Version: 10.0.50903 - Microsoft Corporation)
NVIDIA 3D Vision Controller Driver 340.50 (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.NVIRUSB) (Version: 340.50 - NVIDIA Corporation)
NVIDIA 3D Vision Driver 341.44 (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.3DVision) (Version: 341.44 - NVIDIA Corporation)
NVIDIA Graphics Driver 341.44 (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.Driver) (Version: 341.44 - NVIDIA Corporation)
NVIDIA HD Audio Driver 1.3.30.1 (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_HDAudio.Driver) (Version: 1.3.30.1 - NVIDIA Corporation)
NVIDIA PhysX System Software 9.13.1220 (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.PhysX) (Version: 9.13.1220 - NVIDIA Corporation)
NVIDIA Update 10.4.0 (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.Update) (Version: 10.4.0 - NVIDIA Corporation)
Outils de vérification linguistique 2013 de Microsoft Office - Français (HKLM\...\{90150000-001F-040C-0000-0000000FF1CE}) (Version: 15.0.4569.1506 - Microsoft Corporation) Hidden
Payroll for Windows (HKLM\...\{1871BF81-07C1-45C8-B076-46F04E3378E8}) (Version: 23.02 - Sage (UK) Limited) Hidden
Payroll for Windows (HKLM\...\{90AEB775-7616-4827-A387-D320CDCFACE9}) (Version: 23.02 - Sage (UK) Limited) Hidden
Payroll for Windows (HKLM\...\{91691CC6-BF92-44B5-BD01-4BB488A6C06D}) (Version: 23.02 - Sage (UK) Limited) Hidden
Payroll for Windows (HKLM\...\{A52FD783-1121-4435-B218-9D744059FDA8}) (Version: 24.01 - Sage (UK) Limited) Hidden
Payroll for Windows (HKLM\...\{D5ACD8FE-4063-412B-8B7C-33820856D127}) (Version: 24.01 - Sage (UK) Limited) Hidden
Realtek High Definition Audio Driver (HKLM\...\{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}) (Version: 6.0.1.5910 - Realtek Semiconductor Corp.)
RoboForm 7-9-31-1 (All Users) (HKLM\...\AI RoboForm) (Version: 7-9-31-1 - Siber Systems)
RogueKiller version 13.0.8.0 (HKLM\...\8B3D7924-ED89-486B-8322-E8594065D5CB_is1) (Version: 13.0.8.0 - Adlice Software)
Sage 50 Accounts (HKLM\...\{984d9724-7dcd-4296-8463-cf2cceab0a15}) (Version: 23.0.3.140 - Sage (UK) Ltd.) Hidden
Sage Data Exchange (HKLM\...\{D5DF25E1-DB67-4311-BFEB-ECF806DD87FE}) (Version: 1.0.0.0 - Sage) Hidden
Sage Data Exchange Excel Connectivity Adapter (HKLM\...\{E57D18B4-C757-4AD8-B82A-323BA4C4DF6C}) (Version: 1.0.0.0 - Sage) Hidden
Sage50AccountsV23ReportDesigner (HKLM\...\{A2F33449-F0CF-452C-AB2F-6DF6FFAA6BA1}) (Version: 23.2.4.278 - Sage (UK) Ltd) Hidden
SBDDesktopUpdateInstaller (HKLM\...\{DD16B9AD-FEE2-405D-9E4C-62D44042C422}) (Version: 12.1.586.0 - SBDDesktopUpdateInstaller) Hidden
SDataConfigAddInInstaller (HKLM\...\{FE71361E-8B8F-4A1B-8D4D-B00C7A082428}) (Version: 12.1.586.0 - SDataConfigAddInInstaller) Hidden
Service Pack 1 for Microsoft Office 2013 (KB2850036) 32-Bit Edition (HKLM\...\{90150000-0012-0000-0000-0000000FF1CE}_Office15.STANDARD_{7F6C4883-A18C-459A-82C1-A2F9403F2DA6}) (Version:  - Microsoft)
TeamViewer 12 (HKLM\...\TeamViewer) (Version: 12.0.90922 - TeamViewer)
 
==================== Custom CLSID (Whitelisted): ==========================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
CustomCLSID: HKU\S-1-5-21-2235111928-2204133208-3526899875-1000_Classes\CLSID\{5EB6F366-8872-46C4-A795-24D18AC3BBA6}\localserver32 -> C:\Program Files\Common Files\Sage SBD\SBDDesktop\v12\SageEventHandler.exe ()
CustomCLSID: HKU\S-1-5-21-2235111928-2204133208-3526899875-1000_Classes\CLSID\{CAC04978-60B9-404E-B5B4-3A900AE40E22}\localserver32 -> C:\Program Files\Common Files\Sage SBD\SBDDesktop\v12\SageEventHandler.exe ()
ContextMenuHandlers1: [McCtxMenuFrmWrk] -> {CCA9EFD3-29ED-430A-BA6D-E6BBFF0A60C2} => c:\Program Files\McAfee\MSC\McCtxMenuFrmWrk.dll [2018-09-28] (McAfee, Inc.)
ContextMenuHandlers5: [NvCplDesktopContext] -> {3D1975AF-48C6-4f8e-A182-BE0E08FA86A9} => C:\Windows\system32\nvshext.dll [2015-02-04] (NVIDIA Corporation)
ContextMenuHandlers6: [McCtxMenuFrmWrk] -> {CCA9EFD3-29ED-430A-BA6D-E6BBFF0A60C2} => c:\Program Files\McAfee\MSC\McCtxMenuFrmWrk.dll [2018-09-28] (McAfee, Inc.)
 
==================== Scheduled Tasks (Whitelisted) =============
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
Task: {00E88192-9170-45B8-9900-83632979FDD2} - System32\Tasks\GoogleUpdateTaskMachineCore => C:\Program Files\Google\Update\GoogleUpdate.exe [2017-05-25] (Google Inc.)
Task: {017718D6-57E4-4A69-856C-E1B5ED434AB8} - System32\Tasks\Open URL by RoboForm => C:\Windows\system32\rundll32.exe url.dll,FileProtocolHandler "hxxps://www.roboform.com/test-pass.html?aaa=KICMNJKJNJGMKJNMLJNJCNNMLJOMNMCNLMMJLMNMCNGMIMOMNMCNLJLJPMJMPMMMJMPMGMMMHMOJJNJICMIMCNGMCNMMOMFMHMCNPMCNIMJMPMOMFMJMCNOMCNIMJMPMOMCNNMJNPICMOMFMEKMICNJJCKFMNMLMNMPMJNHICMMJBJKJLIMJJNBJCMPKOJKIDJJNKJCMJNNICMJNDJCMKJBJJNMJCMMMFMN (the data entry has 44 more characters).
Task: {1218A125-FF49-49E1-AA5F-50345C37CEA8} - System32\Tasks\Avast Software\Overseer => C:\Program Files\Common Files\Avast Software\Overseer\overseer.exe [2018-11-01] (AVAST Software)
Task: {3A31C0EC-FD88-490C-9748-6CC12BBB6697} - System32\Tasks\Microsoft\Office\Office 15 Subscription Heartbeat => C:\Program Files\Common Files\Microsoft Shared\Office15\OLicenseHeartbeat.exe [2014-01-23] (Microsoft Corporation)
Task: {44D32DD1-2425-42C9-AAFD-F4E7ED99F90D} - System32\Tasks\Microsoft\Windows\Setup\EOSNotify => C:\Windows\system32\EOSNotify.exe [2016-06-25] (Microsoft Corporation)
Task: {5B4D880B-A4EB-459B-BFF0-8CA4E1B7B116} - System32\Tasks\Adobe Flash Player Updater => C:\Windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2018-10-09] (Adobe Systems Incorporated)
Task: {5C348D0C-B0D6-4942-A9C1-7E648AA1C226} - System32\Tasks\CCleaner Update => C:\Program Files\CCleaner\CCUpdate.exe [2018-09-19] (Piriform Ltd)
Task: {5EC731AD-8916-4758-9898-D5BE9E54632B} - System32\Tasks\GoogleUpdateTaskMachineUA => C:\Program Files\Google\Update\GoogleUpdate.exe [2017-05-25] (Google Inc.)
Task: {722A56D6-3927-415C-ACFE-83A6C3B9361E} - System32\Tasks\McAfee\McAfee Idle Detection Task
Task: {92D55363-1DB5-4DB0-B73C-921CB270FD67} - System32\Tasks\ASUS\ASUS Product Register Service => C:\Program Files\ASUS\APRP\aprp.exe [2014-03-25] (ASUSTek Computer Inc.)
Task: {9E9CF0A8-27C3-43B9-BA0D-EA42F5CA16C5} - System32\Tasks\Adobe Acrobat Update Task => C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe [2018-08-13] (Adobe Systems Incorporated)
Task: {A6803DD5-1DCE-46C3-A80F-2708987D6454} - System32\Tasks\Microsoft\Office\OfficeTelemetryAgentFallBack => C:\Program Files\Microsoft Office\Office15\msoia.exe [2014-01-23] (Microsoft Corporation)
Task: {ACC1D99D-76FD-43AC-996E-6E6F41B49170} - System32\Tasks\CCleanerSkipUAC => C:\Program Files\CCleaner\CCleaner.exe [2018-09-19] (Piriform Ltd)
Task: {ACFF9438-1292-454A-B9F5-AD1A86EABA7E} - System32\Tasks\McAfee Remediation (Prepare) => C:\Program Files\Common Files\AV\McAfee VirusScan\upgrade.exe [2018-09-11] (McAfee, Inc.)
Task: {C9713004-39D4-4670-881E-28482AFD0535} - System32\Tasks\Adobe Flash Player NPAPI Notifier => C:\Windows\system32\Macromed\Flash\FlashUtil32_31_0_0_122_Plugin.exe [2018-10-09] (Adobe Systems Incorporated)
Task: {CBE030FD-8510-43BA-AD4D-9D9B242AA9DA} - System32\Tasks\McAfeeLogon => C:\Program Files\Common Files\McAfee\Platform\McUICnt.exe [2018-07-13] (McAfee, Inc.)
Task: {D894D075-936D-42FC-8224-76580200C8B0} - System32\Tasks\McAfee\DAD.Execute.Updates => C:\Program Files\Common Files\McAfee\DynamicAppDownloader\DADUpdater.exe [2018-06-06] (McAfee, Inc.)
Task: {E107EC78-EF3D-471B-A920-B4EE25E36107} - System32\Tasks\Microsoft\Office\OfficeTelemetryAgentLogOn => C:\Program Files\Microsoft Office\Office15\msoia.exe [2014-01-23] (Microsoft Corporation)
Task: {F2902915-E116-4E3E-BA1D-9C941C81914B} - System32\Tasks\Run RoboForm TaskBar Icon => C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe [2017-11-19] (Siber Systems)
 
(If an entry is included in the fixlist, the task (.job) file will be moved. The file which is running by the task will not be moved.)
 
 
==================== Shortcuts & WMI ========================
 
(The entries could be listed to be restored or removed.)
 
 
==================== Loaded Modules (Whitelisted) ==============
 
2017-05-25 19:55 - 2015-02-04 02:05 - 000106640 _____ () C:\Program Files\NVIDIA Corporation\Display\NvSmartMax.dll
2018-05-15 14:51 - 2018-05-15 14:51 - 008909512 _____ () C:\Program Files\Microsoft Office\Office15\1033\GrooveIntlResource.dll
2018-10-08 20:22 - 2018-10-29 17:30 - 002225368 _____ () C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\SelfProtectionSdk.dll
2018-10-24 19:37 - 2018-10-23 21:45 - 004238168 _____ () C:\Program Files\Google\Chrome\Application\70.0.3538.77\libglesv2.dll
2018-10-24 19:37 - 2018-10-23 21:45 - 000096600 _____ () C:\Program Files\Google\Chrome\Application\70.0.3538.77\libegl.dll
 
==================== Alternate Data Streams (Whitelisted) =========
 
(If an entry is included in the fixlist, only the ADS will be removed.)
 
 
==================== Safe Mode (Whitelisted) ===================
 
(If an entry is included in the fixlist, it will be removed from the registry. The "AlternateShell" value will be restored.)
 
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MBAMService => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcpltsvc => ""=""
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ModuleCoreService => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\MBAMService => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\mcapexe => ""=""
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\McMPFSvc => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\MCODS => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\mcpltsvc => ""=""
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\mfeaack => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\mfeaack.sys => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\mfeavfk => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\mfeavfk.sys => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\mfefire => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\mfefirek => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\mfefirek.sys => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\mfehidk => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\mfehidk.sys => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\mfemms => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\mfeplk => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\mfeplk.sys => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\mfetdi2k => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\mfetdi2k.sys => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\mfevtp => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\ModuleCoreService => ""="Service"
 
==================== Association (Whitelisted) ===============
 
(If an entry is included in the fixlist, the registry item will be restored to default or removed.)
 
 
==================== Internet Explorer trusted/restricted ===============
 
(If an entry is included in the fixlist, it will be removed from the registry.)
 
 
==================== Hosts content: ===============================
 
(If needed Hosts: directive could be included in the fixlist to reset Hosts.)
 
2009-07-14 02:04 - 2017-06-25 19:58 - 000000853 _____ C:\Windows\system32\Drivers\etc\hosts
 
127.0.0.1 activate.adobe.com 
 
==================== Other Areas ============================
 
(Currently there is no automatic fix for this section.)
 
HKU\S-1-5-21-2235111928-2204133208-3526899875-1000\Control Panel\Desktop\\Wallpaper -> 
DNS Servers: 192.168.1.1
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System => (ConsentPromptBehaviorAdmin: 5) (ConsentPromptBehaviorUser: 3) (EnableLUA: 1)
Windows Firewall is enabled.
 
==================== MSCONFIG/TASK MANAGER disabled items ==
 
If an entry is included in the fixlist, it will be removed.
 
 
==================== FirewallRules (Whitelisted) ===============
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
FirewallRules: [{1045B0CE-951F-41A8-A168-4DE256B7C3FA}] => (Allow) C:\Windows\Microsoft.NET\Framework\v4.0.30319\SMSvcHost.exe
FirewallRules: [{3DE1A3BF-7B73-464C-954B-61CD22408940}] => (Allow) C:\Program Files\NVIDIA Corporation\NetService\NvNetworkService.exe
FirewallRules: [{15444D9E-2CFA-4E30-BB1E-2B53CEDF5509}] => (Allow) C:\Program Files\NVIDIA Corporation\NetService\NvNetworkService.exe
FirewallRules: [{E503340B-CC8C-4533-B8FE-DA1F11C0B4EE}] => (Allow) C:\Program Files\TeamViewer\TeamViewer.exe
FirewallRules: [{08299702-613C-4388-AD40-09A620316170}] => (Allow) C:\Program Files\TeamViewer\TeamViewer.exe
FirewallRules: [{5213B61D-24EE-405D-8D4E-7F02C5038578}] => (Allow) C:\Program Files\TeamViewer\TeamViewer_Service.exe
FirewallRules: [{42D58DD4-5A00-455B-8044-6708C1058569}] => (Allow) C:\Program Files\TeamViewer\TeamViewer_Service.exe
FirewallRules: [{8AE53B82-1013-4D21-8D1F-77CF73E5E8CA}] => (Allow) C:\Program Files\Common Files\Mcafee\MMSSHost\MMSSHost.exe
FirewallRules: [{B65BB876-04F7-42F8-891D-A236505252D2}] => (Allow) C:\Program Files\Common Files\Mcafee\Platform\McSvcHost\McSvHost.exe
FirewallRules: [{7CDB3CB8-20CC-41BB-B80B-22AE69941D6F}] => (Allow) C:\Program Files\CCleaner\CCUpdate.exe
FirewallRules: [{B7ACD9C3-FAC2-4F3B-8EA2-8834AA6CA43C}] => (Allow) C:\Program Files\CCleaner\CCUpdate.exe
FirewallRules: [{20DDBD3A-A7CA-4277-AFBE-25253B13E038}] => (Allow) C:\Program Files\Google\Chrome\Application\chrome.exe
 
==================== Restore Points =========================
 
08-10-2018 18:35:49 Configured ASUS GPU Tweak
08-10-2018 18:36:30 Removed ASUS Product Register Program
08-10-2018 18:45:21 Sage 50 Accounts
08-10-2018 18:50:42 Removed Sage RBS/NatWest Internet Bankline
08-10-2018 18:51:54 Configured GPUTweakStreaming
08-10-2018 18:56:35 Removed ASUS Product Register Program
18-10-2018 17:55:58 Scheduled Checkpoint
01-11-2018 15:52:42 Scheduled Checkpoint
09-11-2018 07:53:40 Scheduled Checkpoint
 
==================== Faulty Device Manager Devices =============
 
 
==================== Event log errors: =========================
 
Application errors:
==================
Error: (10/29/2018 06:39:40 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: svchost.exe_gpsvc, version: 6.1.7600.16385, time stamp: 0x4a5bc100
Faulting module name: ntdll.dll, version: 6.1.7601.19135, time stamp: 0x56a1c682
Exception code: 0xc0000374
Fault offset: 0x000c47a3
Faulting process id: 0x4ec
Faulting application start time: 0x01d46fac6e190baf
Faulting application path: C:\Windows\system32\svchost.exe
Faulting module path: C:\Windows\SYSTEM32\ntdll.dll
Report Id: fe075c6a-dba9-11e8-965a-001e8c765f76
 
Error: (10/24/2018 08:06:06 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: mbamservice.exe, version: 3.2.0.704, time stamp: 0x5b9acc47
Faulting module name: unknown, version: 0.0.0.0, time stamp: 0x00000000
Exception code: 0xc0000005
Fault offset: 0x00000056
Faulting process id: 0xb50
Faulting application start time: 0x01d46bd37f123d47
Faulting application path: C:\Program Files\Malwarebytes\Anti-Malware\mbamservice.exe
Faulting module path: unknown
Report Id: 3d34407b-d7c8-11e8-8d0c-001e8c765f76
 
Error: (10/24/2018 07:38:28 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: mbamservice.exe, version: 3.2.0.704, time stamp: 0x5b9acc47
Faulting module name: SelfProtectionSdk.dll, version: 3.0.0.360, time stamp: 0x5b995b6a
Exception code: 0x40000015
Fault offset: 0x001201ef
Faulting process id: 0xb48
Faulting application start time: 0x01d46bd01e32d467
Faulting application path: C:\Program Files\Malwarebytes\Anti-Malware\mbamservice.exe
Faulting module path: C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\SelfProtectionSdk.dll
Report Id: 60df3d19-d7c4-11e8-9c7b-001e8c765f76
 
Error: (10/24/2018 07:38:22 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: mbamservice.exe, version: 3.2.0.704, time stamp: 0x5b9acc47
Faulting module name: ntdll.dll, version: 6.1.7601.19135, time stamp: 0x56a1c682
Exception code: 0xc0000005
Fault offset: 0x00032228
Faulting process id: 0xb48
Faulting application start time: 0x01d46bd01e32d467
Faulting application path: C:\Program Files\Malwarebytes\Anti-Malware\mbamservice.exe
Faulting module path: C:\Windows\SYSTEM32\ntdll.dll
Report Id: 5d9958b9-d7c4-11e8-9c7b-001e8c765f76
 
Error: (10/18/2018 06:11:05 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: mbamservice.exe, version: 3.2.0.704, time stamp: 0x5b9acc47
Faulting module name: unknown, version: 0.0.0.0, time stamp: 0x00000000
Exception code: 0xc0000005
Fault offset: 0x0074006c
Faulting process id: 0xb4c
Faulting application start time: 0x01d4670434e29f48
Faulting application path: C:\Program Files\Malwarebytes\Anti-Malware\mbamservice.exe
Faulting module path: unknown
Report Id: 2d68a32c-d301-11e8-bc0f-001e8c765f76
 
Error: (10/18/2018 06:11:00 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: mbamservice.exe, version: 3.2.0.704, time stamp: 0x5b9acc47
Faulting module name: ntdll.dll, version: 6.1.7601.19135, time stamp: 0x56a1c682
Exception code: 0xc0000005
Fault offset: 0x00032228
Faulting process id: 0xb4c
Faulting application start time: 0x01d4670434e29f48
Faulting application path: C:\Program Files\Malwarebytes\Anti-Malware\mbamservice.exe
Faulting module path: C:\Windows\SYSTEM32\ntdll.dll
Report Id: 2a2c444c-d301-11e8-bc0f-001e8c765f76
 
Error: (10/12/2018 08:01:43 AM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: mbamservice.exe, version: 3.2.0.704, time stamp: 0x5b9acc47
Faulting module name: unknown, version: 0.0.0.0, time stamp: 0x00000000
Exception code: 0xc0000005
Fault offset: 0x00000000
Faulting process id: 0xc68
Faulting application start time: 0x01d462011ffa1899
Faulting application path: C:\Program Files\Malwarebytes\Anti-Malware\mbamservice.exe
Faulting module path: unknown
Report Id: 0e529ab1-cdf5-11e8-bbf4-aca2131bc69e
 
Error: (10/12/2018 08:01:37 AM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: mbamservice.exe, version: 3.2.0.704, time stamp: 0x5b9acc47
Faulting module name: ntdll.dll, version: 6.1.7601.19135, time stamp: 0x56a1c682
Exception code: 0xc0000005
Fault offset: 0x00032228
Faulting process id: 0xc68
Faulting application start time: 0x01d462011ffa1899
Faulting application path: C:\Program Files\Malwarebytes\Anti-Malware\mbamservice.exe
Faulting module path: C:\Windows\SYSTEM32\ntdll.dll
Report Id: 0aa8bc85-cdf5-11e8-bbf4-aca2131bc69e
 
 
System errors:
=============
Error: (11/09/2018 11:24:12 AM) (Source: Service Control Manager) (EventID: 7031) (User: )
Description: The Windows Media Player Network Sharing Service service terminated unexpectedly.  It has done this 1 time(s).  The following corrective action will be taken in 30000 milliseconds: Restart the service.
 
Error: (11/09/2018 11:24:12 AM) (Source: Service Control Manager) (EventID: 7031) (User: )
Description: The McAfee WebAdvisor service terminated unexpectedly.  It has done this 1 time(s).  The following corrective action will be taken in 1 milliseconds: Restart the service.
 
Error: (11/09/2018 11:24:12 AM) (Source: Service Control Manager) (EventID: 7034) (User: )
Description: The Sage AutoUpdate Manager Service service terminated unexpectedly.  It has done this 1 time(s).
 
Error: (11/09/2018 11:24:12 AM) (Source: Service Control Manager) (EventID: 7034) (User: )
Description: The Sage AutoUpdate Manager Service v2 service terminated unexpectedly.  It has done this 1 time(s).
 
Error: (11/09/2018 11:24:12 AM) (Source: Service Control Manager) (EventID: 7034) (User: )
Description: The LightScribeService Direct Disc Labeling Service service terminated unexpectedly.  It has done this 1 time(s).
 
Error: (11/09/2018 11:24:12 AM) (Source: Service Control Manager) (EventID: 7034) (User: )
Description: The NVIDIA Network Service service terminated unexpectedly.  It has done this 1 time(s).
 
Error: (11/09/2018 11:24:12 AM) (Source: Service Control Manager) (EventID: 7034) (User: )
Description: The Adobe Acrobat Update Service service terminated unexpectedly.  It has done this 1 time(s).
 
Error: (11/09/2018 11:24:12 AM) (Source: Service Control Manager) (EventID: 7034) (User: )
Description: The NVIDIA Display Driver Service service terminated unexpectedly.  It has done this 1 time(s).
 
 
==================== Memory info =========================== 
 
Processor: Intel® Core™2 Quad CPU Q6600 @ 2.40GHz
Percentage of memory in use: 55%
Total physical RAM: 3071.29 MB
Available physical RAM: 1372.65 MB
Total Virtual: 6140.89 MB
Available Virtual: 4304.96 MB
 
==================== Drives ================================
 
Drive c: () (Fixed) (Total:232.79 GB) (Free:133.67 GB) NTFS
 
\\?\Volume{623d95ec-4180-11e7-82c4-806e6f6e6963}\ (System Reserved) (Fixed) (Total:0.1 GB) (Free:0.07 GB) NTFS
 
==================== MBR & Partition Table ==================
 
========================================================
Disk: 0 (Size: 465.8 GB) (Disk ID: BEE89A09)
 
========================================================
Disk: 1 (MBR Code: Windows 7/8/10) (Size: 232.9 GB) (Disk ID: 5F117B47)
Partition 1: (Active) - (Size=100 MB) - (Type=07 NTFS)
Partition 2: (Not Active) - (Size=232.8 GB) - (Type=07 NTFS)
 
==================== End of Addition.txt ============================
 
 
 
 
Thanks again.
 
Dan

#6 satchfan

satchfan

  • Malware Response Team
  • 2,933 posts
  • Gender:Female
  • Location:Devon, UK
  • Local time:07:48 PM

Posted 09 November 2018 - 06:50 AM

Thanks. I'll look at the logs as soon as I can.


My help is always free of charge. If you are happy with the help provided, if you wish you can make a donation to buy me a beer.


#7 satchfan

satchfan

  • Malware Response Team
  • 2,933 posts
  • Gender:Female
  • Location:Devon, UK
  • Local time:07:48 PM

Posted 09 November 2018 - 08:22 AM

Disable TeamViewer

TeamViewer is on the machine and is running. When set to run at startup, if another person has the password they can gain access to your machine. Although it’s not malware, it does have the potential for misuse depending on how the program is installed.

Unless this is running intentionally, I think it is wise to disable TeamViewer from starting at boot up; this way nothing can be captured and sent through remote connections.

  • open TeamViewer and when the window opens, from the ‘Extras’ menu, choose Options
  • remove the checkmark next to ‘Start TeamViewer with Windows’ and then click OK.

================================================

Windows Firewall

You should not have Windows Firewall on when you have another firewall enabled.

  • open Windows Firewall by clicking Start, Control Panel, and then click Windows Firewall
  • on the left, click Turn Windows Firewall on or off. If you are prompted for an administrator password or confirmation, type the password or provide confirmation
  • click Off (not recommended), and then OK.

================================================

OK let's tidy up what was found but you need to make sure FRST is directly on your desktop otherwise fixes will not work.

  • go to C:\Users\Admin\Desktop\Bleeping Info folder and locate FRST
  • right click and select Cut
  • go to an empty spot on your desktop, right click and select Paste

Farbar Recovery Scan Tool should now be on your desktop.

================================================

Run Farbar Recovery Scan Tool

Open notepad (Start >All Programs > Accessories > Notepad). Please copy the entire contents of the code box below and paste it into Notepad.

CloseProcesses:
HKU\S-1-5-21-2235111928-2204133208-3526899875-1000\...\MountPoints2: {4cf19619-329c-11e8-9b81-001e8c765f76} - E:\TotalLock.exe
HKU\S-1-5-21-2235111928-2204133208-3526899875-1000\...\MountPoints2: {bcfc0d0c-50d0-11e7-9c2c-001e8c765f76} - E:\DTVP_Launcher.exe
S3 Synth3dVsc; System32\drivers\synth3dvsc.sys [X]
S3 tsusbhub; system32\drivers\tsusbhub.sys [X]
S3 VGPU; System32\drivers\rdvgkmd.sys [X]
Task: {017718D6-57E4-4A69-856C-E1B5ED434AB8} - System32\Tasks\Open URL by RoboForm => C:\Windows\system32\rundll32.exe url.dll,FileProtocolHandler "hxxps://www.roboform.com/test-pass.html?aaa=KICMNJKJNJGMKJNMLJNJCNNMLJOMNMCNLMMJLMNMCNGMIMOMNMCNLJLJPMJMPMMMJMPMGMMMHMOJJNJICMIMCNGMCNMMOMFMHMCNPMCNIMJMPMOMFMJMCNOMCNIMJMPMOMCNNMJNPICMOMFMEKMICNJJCKFMNMLMNMPMJNHICMMJBJKJLIMJJNBJCMPKOJKIDJJNKJCMJNNICMJNDJCMKJBJJNMJCMMMFMN (the data entry has 44 more characters).
Task: {1218A125-FF49-49E1-AA5F-50345C37CEA8} - System32\Tasks\Avast Software\Overseer => C:\Program Files\Common Files\Avast Software\Overseer\overseer.exe [2018-11-01] (AVAST Software)
Task: {92D55363-1DB5-4DB0-B73C-921CB270FD67} - System32\Tasks\ASUS\ASUS Product Register Service => C:\Program Files\ASUS\APRP\aprp.exe [2014-03-25] (ASUSTek Computer Inc.)
C:\Program Files\Common Files\Avast Software
Hosts:
EmptyTemp:

NOTE: this script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.

  • save the file as fixlist.txt in the same folder as FRST – NOTE: It's important that both files, FRST and fixlist.txt, are in the same location or the fix will not work
  • run FRST then click Fix just once and wait
  • it will create a log (Fixlog.txt); please post it to your reply.

Thanks

Nina

 


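The fix above removes orphaned autostart entries (scheduled tasks for uninstalled software, drivers whose files are missing, cached MountPoints2 autorun commands) and resets the hosts file. The following PowerShell audit is an added example, not part of this thread or of FRST: it lists those same kinds of entries read-only so the result of a cleanup can be checked; the function names are my own, and it assumes an elevated PowerShell 2.0 or later prompt on an English-language Windows (schtasks column names).

```powershell
# Added example, not part of this thread or of FRST. Read-only audit of the
# autostart locations the fix above touched: scheduled tasks and services or
# drivers whose target file is missing (FRST's "[X]" entries), cached
# MountPoints2 shell/autorun commands (the E:\TotalLock.exe style entries),
# how TeamViewer is set to start, and live hosts-file entries. Nothing is changed.
# Assumptions: elevated PowerShell 2.0+ on an English Windows (schtasks column
# names). Helper function names are my own.

function Resolve-ImagePath {
    # Reduce a registry ImagePath or a schtasks "Task To Run" value to a bare
    # file path: expand %vars%, drop quotes and arguments, strip NT prefixes.
    param([string]$Raw)
    if (-not $Raw) { return $null }
    $p = [Environment]::ExpandEnvironmentVariables($Raw.Trim())
    if ($p.StartsWith('"')) {
        $p = $p.Substring(1).Split('"')[0]                     # "C:\x y\z.exe" args
    } else {
        $m = [regex]::Match($p, '^(.+?\.(exe|sys|dll))(\s|$)', 'IgnoreCase')
        if ($m.Success) { $p = $m.Groups[1].Value }            # C:\x\z.exe args
    }
    if ($p -notmatch '\.(exe|sys|dll)$') { return $null }      # e.g. "COM handler"
    $p = $p -replace '^\\\?\?\\', ''                            # \??\C:\x -> C:\x
    $p = $p -replace '^\\SystemRoot\\', "$env:SystemRoot\"
    if ($p -notmatch '^[A-Za-z]:\\') { $p = Join-Path $env:SystemRoot $p }  # System32\drivers\x.sys
    return $p
}

function Get-OrphanedTasks {
    # schtasks /V repeats its CSV header for every task folder; drop those rows.
    schtasks.exe /Query /FO CSV /V 2>$null | ConvertFrom-Csv |
        Where-Object { $_.TaskName -ne 'TaskName' } |
        ForEach-Object {
            $target = Resolve-ImagePath $_.'Task To Run'
            if ($target -and -not (Test-Path -LiteralPath $target)) {
                New-Object PSObject -Property @{ Task = $_.TaskName; Target = $target }
            }
        }
}

function Get-OrphanedServices {
    # Services and drivers whose ImagePath points at a file that no longer exists.
    Get-ChildItem HKLM:\SYSTEM\CurrentControlSet\Services -ErrorAction SilentlyContinue |
        ForEach-Object {
            $props  = Get-ItemProperty -LiteralPath $_.PSPath -ErrorAction SilentlyContinue
            $target = Resolve-ImagePath $props.ImagePath
            if ($target -and -not (Test-Path -LiteralPath $target)) {
                New-Object PSObject -Property @{
                    Service = $_.PSChildName; StartType = $props.Start; Target = $target }
            }
        }
}

function Get-MountPointCommands {
    # Per-volume shell commands Explorer cached for media that once carried autorun.
    $base = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2'
    Get-ChildItem -LiteralPath $base -ErrorAction SilentlyContinue | ForEach-Object {
        $volume = $_.PSChildName
        Get-ChildItem -LiteralPath "$($_.PSPath)\shell" -ErrorAction SilentlyContinue | ForEach-Object {
            $cmd = (Get-ItemProperty -LiteralPath "$($_.PSPath)\command" -ErrorAction SilentlyContinue).'(default)'
            if ($cmd) {
                New-Object PSObject -Property @{ Volume = $volume; Verb = $_.PSChildName; Command = $cmd }
            }
        }
    }
}

function Get-TeamViewerStartup {
    # Run keys mentioning TeamViewer, plus the start mode of any TeamViewer service.
    foreach ($key in 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
                     'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run') {
        $props = Get-ItemProperty -LiteralPath $key -ErrorAction SilentlyContinue
        if ($props) {
            $props.PSObject.Properties | Where-Object { "$($_.Value)" -match 'TeamViewer' } |
                ForEach-Object { New-Object PSObject -Property @{ Where = $key; Name = $_.Name; Value = $_.Value } }
        }
    }
    Get-WmiObject Win32_Service -Filter "Name LIKE 'TeamViewer%'" | ForEach-Object {
        New-Object PSObject -Property @{ Where = 'Service'; Name = $_.Name; Value = "$($_.StartMode) / $($_.State)" }
    }
}

function Get-HostsEntries {
    # Non-comment hosts lines; the log above showed only 127.0.0.1 activate.adobe.com.
    Get-Content "$env:SystemRoot\System32\drivers\etc\hosts" |
        Where-Object { $_ -match '^\s*[0-9a-fA-F.:]+\s+\S' }
}

# Out-String forces each table to render in order before the next heading.
'== Scheduled tasks whose target file is missing ==';   Get-OrphanedTasks      | Format-Table -AutoSize | Out-String
'== Services/drivers whose target file is missing ==';  Get-OrphanedServices   | Format-Table -AutoSize | Out-String
'== MountPoints2 shell/autorun commands ==';            Get-MountPointCommands | Format-Table -AutoSize | Out-String
'== TeamViewer start settings ==';                      Get-TeamViewerStartup  | Format-Table -AutoSize | Out-String
'== Active hosts entries ==';                           Get-HostsEntries
```

An empty table under a heading means nothing of that kind was found; entries that do appear should be compared against the FRST log rather than removed blindly, since a missing file can also be a half-finished uninstall.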


#8 DiverDan

DiverDan
  • Topic Starter

  • Members
  • 6 posts
  • Local time:07:48 PM

Posted 09 November 2018 - 08:53 AM

Hi Nina,

 

Couple of updates if this helps....

 

Windows firewall - said this was being controlled by McAfee so there wasn't an option to switch off, so I assume this is ok as McAfee is my paid AV/FW solution.

 

TeamViewer - the option for automatic startup was already unchecked. I have also checked msconfig, and it does not appear as a startup program.

 

Log details below.

 

Fix result of Farbar Recovery Scan Tool (x86) Version: 08.11.2018
Ran by Admin (09-11-2018 13:47:20) Run:1
Running from C:\Users\Admin\Desktop
Loaded Profiles: Admin (Available Profiles: Admin)
Boot Mode: Normal
 
==============================================
 
fixlist content:
*****************
CloseProcesses:
HKU\S-1-5-21-2235111928-2204133208-3526899875-1000\...\MountPoints2: {4cf19619-329c-11e8-9b81-001e8c765f76} - E:\TotalLock.exe
HKU\S-1-5-21-2235111928-2204133208-3526899875-1000\...\MountPoints2: {bcfc0d0c-50d0-11e7-9c2c-001e8c765f76} - E:\DTVP_Launcher.exe
S3 Synth3dVsc; System32\drivers\synth3dvsc.sys [X]
S3 tsusbhub; system32\drivers\tsusbhub.sys [X]
S3 VGPU; System32\drivers\rdvgkmd.sys [X]
Task: {017718D6-57E4-4A69-856C-E1B5ED434AB8} - System32\Tasks\Open URL by RoboForm => C:\Windows\system32\rundll32.exe url.dll,FileProtocolHandler "hxxps://www.roboform.com/test-pass.html?aaa=KICMNJKJNJGMKJNMLJNJCNNMLJOMNMCNLMMJLMNMCNGMIMOMNMCNLJLJPMJMPMMMJMPMGMMMHMOJJNJICMIMCNGMCNMMOMFMHMCNPMCNIMJMPMOMFMJMCNOMCNIMJMPMOMCNNMJNPICMOMFMEKMICNJJCKFMNMLMNMPMJNHICMMJBJKJLIMJJNBJCMPKOJKIDJJNKJCMJNNICMJNDJCMKJBJJNMJCMMMFMN (the data entry has 44 more characters).
Task: {1218A125-FF49-49E1-AA5F-50345C37CEA8} - System32\Tasks\Avast Software\Overseer => C:\Program Files\Common Files\Avast Software\Overseer\overseer.exe [2018-11-01] (AVAST Software)
Task: {92D55363-1DB5-4DB0-B73C-921CB270FD67} - System32\Tasks\ASUS\ASUS Product Register Service => C:\Program Files\ASUS\APRP\aprp.exe [2014-03-25] (ASUSTek Computer Inc.)
C:\Program Files\Common Files\Avast Software
Hosts:
EmptyTemp:
*****************
 
Processes closed successfully.
HKU\S-1-5-21-2235111928-2204133208-3526899875-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{4cf19619-329c-11e8-9b81-001e8c765f76} => removed successfully.
HKLM\Software\Classes\CLSID\{4cf19619-329c-11e8-9b81-001e8c765f76} => not found
HKU\S-1-5-21-2235111928-2204133208-3526899875-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{bcfc0d0c-50d0-11e7-9c2c-001e8c765f76} => removed successfully.
HKLM\Software\Classes\CLSID\{bcfc0d0c-50d0-11e7-9c2c-001e8c765f76} => not found
HKLM\System\CurrentControlSet\Services\Synth3dVsc => removed successfully.
Synth3dVsc => service removed successfully.
HKLM\System\CurrentControlSet\Services\tsusbhub => removed successfully.
tsusbhub => service removed successfully.
HKLM\System\CurrentControlSet\Services\VGPU => removed successfully.
VGPU => service removed successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{017718D6-57E4-4A69-856C-E1B5ED434AB8}" => removed successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{017718D6-57E4-4A69-856C-E1B5ED434AB8}" => removed successfully.
C:\Windows\System32\Tasks\Open URL by RoboForm => moved successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Open URL by RoboForm" => removed successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Boot\{1218A125-FF49-49E1-AA5F-50345C37CEA8}" => removed successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{1218A125-FF49-49E1-AA5F-50345C37CEA8}" => removed successfully.
C:\Windows\System32\Tasks\Avast Software\Overseer => moved successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Avast Software\Overseer" => removed successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon\{92D55363-1DB5-4DB0-B73C-921CB270FD67}" => removed successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{92D55363-1DB5-4DB0-B73C-921CB270FD67}" => removed successfully.
C:\Windows\System32\Tasks\ASUS\ASUS Product Register Service => moved successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\ASUS\ASUS Product Register Service" => removed successfully.
C:\Program Files\Common Files\Avast Software => moved successfully
C:\Windows\System32\Drivers\etc\hosts => moved successfully
Hosts restored successfully.
 
=========== EmptyTemp: ==========
 
BITS transfer queue => 8388608 B
DOMStoree, IE Recovery, AppCache, Feeds Cache, Thumbcache, IconCache => 72584721 B
Java, Flash, Steam htmlcache => 1462 B
Windows/system/drivers => 2326408 B
Edge => 0 B
Chrome => 364777264 B
Firefox => 961906647 B
Opera => 0 B
 
Temp, IE cache, history, cookies, recent:
Users => 0 B
Default => 66228 B
Public => 0 B
ProgramData => 0 B
systemprofile => 231470 B
LocalService => 132244 B
NetworkService => 67484 B
Admin => 19244678 B
 
RecycleBin => 28947200 B
EmptyTemp: => 1.4 GB temporary data Removed.
 
================================
 
 
The system needed a reboot.
 
==== End of Fixlog 13:48:00 ====


#9 satchfan


Posted 09 November 2018 - 10:26 AM

Thanks for the information.

Let’s run a couple of final scans including an online scan to be sure all is well and, if those are clear, I’ll send instructions to tidy up.


Run Zemana AntiMalware

Download Zemana AntiMalware:

  • open the program and without changing any options, press Scan
  • after the scan is finished, if threats are detected press Next to remove them

Note: If restart is required to finish the cleaning process, you should click Reboot. If reboot isn't required, please restart your computer manually.

  • open Zemana AntiMalware again and locate the report
  • please paste the contents into your reply.

===================================================

Run ESET Online Scan

Note: This may take a long time so please be patient.

IMPORTANT: Please make sure you uncheck the box next to Remove found threats. Eset will detect anything that looks even slightly suspicious, which could include legitimate program files. If you do not uncheck the box, Eset will automatically remove all suspicious files, which could leave some of your software inoperable.

Note: You can use Internet Explorer, Firefox or Chrome for this scan. You will however need to disable your currently installed Anti-Virus; how to do so can be read here.

Hold down Control and click on the following link to open ESET OnlineScan in a new window.

ESET OnlineScan

  • click the Run Eset online Scanner button
  • for alternate browsers only (Microsoft Internet Explorer users can skip these steps):
    o    click on esetinstaller_enu.exe to download the ESET Smart Installer. Save it to your desktop.
    o    double click on the Eset installer icon on your desktop.

  • check Yes, I accept the Terms of Use
  • click the Start button
  • accept any security warnings from your browser
  • check Enable detection of potentially unwanted applications
  • click Advanced settings and select the following:
    o    scan archives
    o    scan for potentially unsafe applications
    o    enable Anti-Stealth technology
    Note: Do not check Remove found threats

  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • when the scan completes, push List of found threats
  • push Export to Text file and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
    Note - if ESET doesn't find any threats, no report will be created.

  • push the back button.
  • push Finish

When the scan is complete:

If no threats were found:
    o    put a checkmark in "Uninstall application on close"
    o    close program
    o    report to me that nothing was found.

If threats were found:
    o    click on "list of threats found"
    o    click on "export to text file" and save it as ESET results and save to the desktop
    o    click on back
    o    put a checkmark in "Uninstall application on close"
    o    click on finish
    o    close program
    o    copy and paste the report here

Please post the Zemana log

Nina


Edited by satchfan, 09 November 2018 - 10:27 AM.

My help is always free of charge. If you are happy with the help provided, if you wish you can make a donation to buy me a beer.


#10 DiverDan


Posted 09 November 2018 - 12:48 PM

Report below. Eset reported no threats found so no report.
 
Zemana AntiMalware 2.74.2.150 (Installed)
 
-------------------------------------------------------
Scan Result            : Completed
Scan Date              : 2018/11/9
Operating System       : Windows 7 32-bit
Processor              : 4X Intel® Core™2 Quad CPU  Q6600 @ 2.40GHz
BIOS Mode              : Legacy
CUID                   : 1263B9B2A71E618BBEACBD
Scan Type              : System Scan
Duration               : 1m 38s
Scanned Objects        : 56726
Detected Objects       : 1
Excluded Objects       : 0
Read Level             : SCSI
Auto Upload            : Enabled
Detect All Extensions  : Disabled
Scan Documents         : Disabled
Domain Info            : WORKGROUP,0,2
 
Detected Objects
-------------------------------------------------------
 
thunder network
Status             : Scanned
Object             : NE->c:\users\public\thunder network
MD5                : -
Publisher          : -
Size               : -
Version            : -
Detection          : Adware:Win32/Thunder Network.B!Neng
Cleaning Action    : Quarantine
Related Objects    :
                (null) - (null)
 
 
Cleaning Result
-------------------------------------------------------
Cleaned               : 1
Reported as safe      : 0
Failed                : 0


#11 satchfan


Posted 09 November 2018 - 05:20 PM

Hi Dan

 

That all looks fine and I've seen no suspicious activity in your logs.

 

If you're happy, let me know and I'll send instructions to tidy up.

 

Nina




#12 DiverDan


Posted 10 November 2018 - 07:39 AM

That's great, if you could please.

 

Dan



#13 satchfan


Posted 10 November 2018 - 07:50 AM

It seems that your computer is fine so let’s get rid of what you don’t need.

Uninstall AdwCleaner

  • open adwcleaner.exe
  • click on Settings
  • click on the Application tab and scroll down to the bottom
  • click on Remove.

===================================================

Download & run Delfix

  • download Delfix from here to remove many of the tools we've used during the cleaning process.
  • ensure “Remove disinfection tools” is checked.

Also place a checkmark next to:
    o    Create registry backup
    o    Purge system restore
  • click the Run button.

You can delete all other logs and programs we’ve used that are on your desktop. Just click on them and press Delete.

===================================================

Recommended programs

SpywareBlaster. SpywareBlaster protects against bad ActiveX; it immunizes your PC against them. It blocks over 11,000 bad sites and uses no resources of your computer.

======================

Update and run Malwarebytes. This really is an excellent program that you should also update and run on a regular basis, probably weekly.

======================

Unchecky

Be careful when downloading free software. Many free programs come bundled with adware, much of which causes redirects/popups and verges on being malware. There is a program that automatically “unchecks” the boxes you may not notice when downloading programs.

Download and install Unchecky.

======================

Download and install CryptoPrevent

Crypto Ransomware Warning

There are particularly nasty 'Ransomware' infections out there at the moment that encrypt your files, and the only way possible to get them 'decrypted' is to pay a ransom. You can read more about this here.

  • download CryptoPrevent
  • save the file to your Desktop and then open the program by clicking Run when prompted from your browser or by going to the desktop where the file was saved and double-clicking.
  • accept all the defaults during the install. The last screen of the install has a checkmark in "Launch CryptoPrevent". This will launch the program once you click Finish
  • you will get a prompt asking if you purchased a Product Key for Automatic Updates. Click No
  • you will then be prompted to learn more about automatic updates or if you want to purchase a key. This is up to you but you don't have to
  • click OK to continue and select your protection level. Go ahead and click OK
  • click the Apply button to set Default protection
  • you may get a message stating that Windows Sidebar and Desktop Gadgets are a major security vulnerability and asking you if you want to disable them. If you don't use these features, answer Yes.

You will now be protected.

Note: The free version doesn't provide automatic updates but should be updated often (at least weekly), as this infection has serious consequences. To update it manually, open the program, select the 'Updates' menu, then select Check for Updates to see if there are any available.

I will keep this open for 24 hours in case you have any problems, after which I’ll close the topic.

Safe computing

Nina

 




#14 satchfan


Posted 13 November 2018 - 04:45 AM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.
