Hijack This Help (Windows 7)


6 replies to this topic

#1 ruthannereid (Members, 4 posts)

Posted 18 November 2018 - 12:01 PM

Hello! My aunt's computer went without updates for eight years, so naturally, it was full of viruses. 30, last count.

 

I've run all the updates, as well as every decent virus program I know. I THINK it's clean now, but I can't be sure, and so I really need help from you knowledgeable folks! (And my apologies if this is in the wrong forum - I'm new here!)

 

Here is the log. Please let me know if I need to take any more steps to protect my aunt's computer! Thank you. :)

 

 

 

 

Logfile of Trend Micro HijackThis v2.0.5
Scan saved at 11:50:44 AM, on 11/18/2018
Platform: Windows 7 SP1 (WinNT 6.00.3505)
MSIE: Internet Explorer v11.0 (11.00.9600.19178)
 
FIREFOX: 63.0.1 (x86 en-US)
Boot mode: Normal
 
Running processes:
C:\Windows\system32\taskhost.exe
C:\Windows\system32\DWRCST.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\DellTPad\Apoint.exe
C:\Program Files\IDT\WDM\sttray.exe
C:\Program Files\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe
C:\Program Files\Dell\Dell ControlPoint\Dell.ControlPoint.exe
C:\Program Files\Wave Systems Corp\Services Manager\DocMgr\bin\WavXDocMgr.exe
C:\Program Files\Dell\Dell ControlPoint\Security Manager\BcmDeviceAndTaskStatusService.exe
C:\Program Files\Adobe\Acrobat 9.0\Acrobat\acrobat_sl.exe
C:\Program Files\Adobe\Acrobat 9.0\Acrobat\acrotray.exe
D:\Program Files\Dell\Reader 2.0\DellBtrEvent.exe
C:\Program Files\DellTPad\HidFind.exe
C:\Windows\WindowsMobile\wmdcBase.exe
C:\Program Files\DellTPad\Apntex.exe
C:\Windows\system32\conhost.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\Users\JBrooks\AppData\Roaming\Dashlane\Dashlane.exe
C:\Users\JBrooks\AppData\Roaming\Dashlane\DashlanePlugin.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\Dell\Dell ControlPoint\System Manager\DCPSysMgr.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\system32\wuauclt.exe
C:\Users\JBrooks\Downloads\HijackThis.exe
C:\Windows\system32\NOTEPAD.EXE
 
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://g.msn.com/USREL/1
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bing.com/?pc=COSP&ptag=D050117-AA1FD30A82A&form=CONMHP&conlogo=CT3335665
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/p/?LinkId=255141
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/p/?LinkId=255141
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = 
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = 
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = 
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Dashlane BHO - {42D79B50-CC4A-4A8E-860F-BE674AF053A2} - C:\Users\JBrooks\AppData\Roaming\Dashlane\ie\Dashlanei.dll
O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O2 - BHO: URLRedirectionBHO - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\PROGRA~1\MICROS~1\Office14\URLREDIR.DLL
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll (file missing)
O2 - BHO: SmartSelect - {F4971EE7-DAA0-4053-9964-665D8EE6A077} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O3 - Toolbar: Dashlane Toolbar - {669695BC-A811-4A9D-8CDF-BA8C795F261C} - C:\Users\JBrooks\AppData\Roaming\Dashlane\ie\KWIEBar.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\DellTPad\Apoint.exe
O4 - HKLM\..\Run: [SysTrayApp] C:\Program Files\IDT\WDM\sttray.exe
O4 - HKLM\..\Run: [IAStorIcon] C:\Program Files\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe
O4 - HKLM\..\Run: [DellControlPoint] "C:\Program Files\Dell\Dell ControlPoint\Dell.ControlPoint.exe"
O4 - HKLM\..\Run: [WavXMgr] C:\Program Files\Wave Systems Corp\Services Manager\Docmgr\bin\WavXDocMgr.exe
O4 - HKLM\..\Run: [USCService] C:\Program Files\Dell\Dell ControlPoint\Security Manager\BcmDeviceAndTaskStatusService.exe
O4 - HKLM\..\Run: [Adobe Acrobat Speed Launcher] "C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [DellBtrEvent] D:\Program Files\Dell\Reader 2.0\DellBtrEvent.exe
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [ConnectionCenter] "C:\Program Files\Citrix\ICA Client\concentr.exe" /startup
O4 - HKLM\..\Run: [APSDaemon] "C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe"
O4 - HKLM\..\Run: [Windows Mobile-based device management] %WINDIR%\WindowsMobile\wmdcBase.exe
O4 - HKLM\..\Run: [nwiz] C:\Program Files\NVIDIA Corporation\nview\nwiz.exe /installquiet
O4 - HKLM\..\Run: [MSC] "c:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey
O4 - HKLM\..\Run: [DameWare MRC Agent] C:\Windows\system32\DWRCST.exe
O4 - HKCU\..\Run: [MobileDocuments] C:\Program Files\Common Files\Apple\Internet Services\ubd.exe
O4 - HKCU\..\Run: [com.apple.dav.bookmarks.daemon] C:\Program Files\Common Files\Apple\Internet Services\BookmarkDAV_client.exe
O4 - HKCU\..\Run: [GoogleChromeAutoLaunch_9F5B0A873DA1EC6D3DB20024A92598C7] "C:\Users\JBrooks\AppData\Local\Chromium\Application\chrome.exe" --auto-launch-at-startup --profile-directory="Default" --restore-last-session
O4 - HKCU\..\Run: [Web Companion] C:\Program Files\Lavasoft\Web Companion\Application\WebCompanion.exe --minimize 
O4 - HKCU\..\Run: [Dashlane] "C:\Users\JBrooks\AppData\Roaming\Dashlane\Dashlane.exe" autoLaunchAtStartup
O4 - HKCU\..\Run: [DashlanePlugin] "C:\Users\JBrooks\AppData\Roaming\Dashlane\DashlanePlugin.exe" ws
O4 - Startup: Skyscape SmartUpdate.lnk = C:\Program Files\Common Files\Skyscape\SmartUpdate.exe
O4 - Global Startup: Bluetooth.lnk = ?
O4 - Global Startup: Dell ControlPoint System Manager.lnk = C:\Program Files\Dell\Dell ControlPoint\System Manager\DCPSysMgr.exe
O4 - Global Startup: TdmNotify.lnk = C:\Program Files\Wave Systems Corp\Trusted Drive Manager\TdmNotify.exe
O8 - Extra context menu item: Append Link Target to Existing PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Append to Existing PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert Link Target to Adobe PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Send image to &Bluetooth Device... - c:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O8 - Extra context menu item: Send page to &Bluetooth Device... - c:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\Office12\REFIEBAR.DLL
O9 - Extra button: @c:\Program Files\WIDCOMM\Bluetooth Software\btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @c:\Program Files\WIDCOMM\Bluetooth Software\btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O11 - Options group: [ACCELERATED_GRAPHICS] Accelerated graphics
O15 - Trusted Zone: http://*.webcompanion.com
O16 - DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} (DLM Control) - http://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.5.4.cab
O16 - DPF: {707DCF60-DBEB-4ACA-84C8-367041894585} (Centricity Web ViewApp Control 3.0 SPa09) - https://bscrpacs.bsnedc.org/ami/install/amiviewer.cab
O16 - DPF: {8B9D77B2-39C0-4674-AF42-BBD50FF71781} (Centricity Web ViewApp Control 3.0 SPa10) - https://bscrpacs.bsnedc.org/ami/install/amiviewer.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = wor.local
O17 - HKLM\Software\..\Telephony: DomainName = wor.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = wor.local
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = wor.local
O18 - Filter: application/x-ica - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files\Citrix\ICA Client\IcaMimeFilter.dll
O18 - Filter: application/x-ica; charset=euc-jp - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files\Citrix\ICA Client\IcaMimeFilter.dll
O18 - Filter: application/x-ica; charset=ISO-8859-1 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files\Citrix\ICA Client\IcaMimeFilter.dll
O18 - Filter: application/x-ica; charset=MS936 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files\Citrix\ICA Client\IcaMimeFilter.dll
O18 - Filter: application/x-ica; charset=MS949 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files\Citrix\ICA Client\IcaMimeFilter.dll
O18 - Filter: application/x-ica; charset=MS950 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files\Citrix\ICA Client\IcaMimeFilter.dll
O18 - Filter: application/x-ica; charset=UTF-8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files\Citrix\ICA Client\IcaMimeFilter.dll
O18 - Filter: application/x-ica; charset=UTF8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files\Citrix\ICA Client\IcaMimeFilter.dll
O18 - Filter: application/x-ica;charset=euc-jp - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files\Citrix\ICA Client\IcaMimeFilter.dll
O18 - Filter: application/x-ica;charset=ISO-8859-1 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files\Citrix\ICA Client\IcaMimeFilter.dll
O18 - Filter: application/x-ica;charset=MS936 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files\Citrix\ICA Client\IcaMimeFilter.dll
O18 - Filter: application/x-ica;charset=MS949 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files\Citrix\ICA Client\IcaMimeFilter.dll
O18 - Filter: application/x-ica;charset=MS950 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files\Citrix\ICA Client\IcaMimeFilter.dll
O18 - Filter: application/x-ica;charset=UTF-8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files\Citrix\ICA Client\IcaMimeFilter.dll
O18 - Filter: application/x-ica;charset=UTF8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files\Citrix\ICA Client\IcaMimeFilter.dll
O18 - Filter hijack: ica - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files\Citrix\ICA Client\IcaMimeFilter.dll
O23 - Service: Andrea ST Filters Service (AESTFilters) - Andrea Electronics Corporation - C:\Windows\System32\DriverStore\FileRepository\stwrt.inf_x86_neutral_111ae7bb7f222578\aestsrv.exe
O23 - Service: %1!s! Update Service (avg) (avg) - AVG Technologies - C:\Program Files\AVG\Browser\Update\AVGBrowserUpdate.exe
O23 - Service: %1!s! Update Service (avgm) (avgm) - AVG Technologies - C:\Program Files\AVG\Browser\Update\AVGBrowserUpdate.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - c:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe
O23 - Service: Dell ControlPoint Button Service (buttonsvc32) - Dell Inc. - c:\Program Files\Dell\Dell ControlPoint\DCPButtonSvc.exe
O23 - Service: Credential Vault Host Control Service - Broadcom Corporation - C:\Program Files\Broadcom Corporation\Broadcom USH Host Components\CV\bin\HostControlService.exe
O23 - Service: Credential Vault Host Storage - Broadcom Corporation - C:\Program Files\Broadcom Corporation\Broadcom USH Host Components\CV\bin\HostStorageService.exe
O23 - Service: Dell ControlPoint System Manager (dcpsysmgrsvc) - Dell Inc. - c:\Program Files\Dell\Dell ControlPoint\System Manager\DCPSysMgrSvc.exe
O23 - Service: DeviceVM Meta Data Export Service (DvmMDES) - DeviceVM, Inc. - D:\Program Files\Dell\Reader 2.0\DVMExportService.exe
O23 - Service: DameWare Mini Remote Control (DWMRCS) - DameWare Development LLC - C:\Windows\system32\DWRCS.exe
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel® Corporation - C:\Program Files\Intel\WiFi\bin\EvtEng.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: GenericMount Helper Service - Unknown owner - C:\Program Files\Symantec\Backup Exec System Recovery\Shared\Drivers\GenericMountHelper.exe (file missing)
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Update Service (gupdatem) (gupdatem) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Intel® Rapid Storage Technology (IAStorDataMgrSvc) - Intel Corporation - C:\Program Files\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe
O23 - Service: Mozilla Maintenance Service (MozillaMaintenance) - Mozilla Foundation - C:\Program Files\Mozilla Maintenance Service\maintenanceservice.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
O23 - Service: Oasis2Service (Intel® Device Advisor) - Digital Delivery Networks, Inc. - C:\Program Files\DDNi\Oasis2Service (Intel Device Advisor)\Oasis2Service.exe
O23 - Service: PC SP Validator (PCValidator) - AppVerifierService - C:\ProgramData\PCValidator\PCValidatorService.exe
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel® Corporation - C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe
O23 - Service: SecureStorageService - Wave Systems Corp. - C:\Program Files\Wave Systems Corp\Secure Storage Manager\SecureStorageService.exe
O23 - Service: Audio Service (STacSV) - IDT, Inc. - C:\Windows\System32\DriverStore\FileRepository\stwrt.inf_x86_neutral_111ae7bb7f222578\STacSV.exe
O23 - Service: SymSnapService - Unknown owner - C:\Program Files\Symantec\Backup Exec System Recovery\Shared\Drivers\SymSnapService.exe (file missing)
O23 - Service: NTRU TSS v1.2.1.29 TCS (tcsd_win32.exe) - Unknown owner - C:\Program Files\NTRU Cryptosystems\NTRU TCG Software Stack\bin\tcsd_win32.exe
O23 - Service: TdmService - Wave Systems Corp. - C:\Program Files\Wave Systems Corp\Trusted Drive Manager\TdmService.exe
 
--
End of file - 15178 bytes
 



#2 satchfan (Malware Response Team, 2,921 posts, Devon, UK)

Posted 18 November 2018 - 06:57 PM

Hello ruthannereid and welcome to the Bleeping Computer forum.

My name is Satchfan and I would be glad to help you with your computer problem.

Please read the following guidelines which will help to make cleaning your machine easier:

  • please follow all instructions in the order posted
  • please continue to review my answers until I tell you your machine appears to be clear. Absence of symptoms does not mean that everything is clear
  • all logs/reports, etc. must be posted in Notepad. Please ensure that word wrap is unchecked. In Notepad click Format, uncheck Word wrap if it is checked
  • if you don't understand something, please don't hesitate to ask for clarification before proceeding
  • the fixes are specific to your problem and should only be used for this issue on this machine.
  • please reply within 3 days. If you do not reply within this period I will post a reminder but topics with no reply in 4 days will be closed!

IMPORTANT:

Please DO NOT install/uninstall any programs unless asked to.
Please DO NOT run any scans other than those requested

===================================================

Note: Please run these in the order given in the instructions.

===================================================

Run HijackThis

  • open HijackThis and click Do a system scan only.
  • place a check mark next to the following entries:

    O4 - HKLM\..\Run: [SysTrayApp] C:\Program Files\IDT\WDM\sttray.exe
    O4 - HKLM\..\Run: [nwiz] C:\Program Files\NVIDIA Corporation\nview\nwiz.exe /installquiet
    O4 - HKCU\..\Run: [GoogleChromeAutoLaunch_9F5B0A873DA1EC6D3DB20024A92598C7] "C:\Users\JBrooks\AppData\Local\Chromium\Application\chrome.exe" --auto-launch-at-startup --profile-directory="Default" --restore-last-session
    O4 - HKCU\..\Run: [Web Companion] C:\Program Files\Lavasoft\Web Companion\Application\WebCompanion.exe --minimize
    O4 - Global Startup: Bluetooth.lnk = ?
    O15 - Trusted Zone: http://*.webcompanion.com
    O23 - Service: %1!s! Update Service (avg) (avg) - AVG Technologies - C:\Program Files\AVG\Browser\Update\AVGBrowserUpdate.exe
    O23 - Service: %1!s! Update Service (avgm) (avgm) - AVG Technologies - C:\Program Files\AVG\Browser\Update\AVGBrowserUpdate.exe
    O23 - Service: PC SP Validator (PCValidator) - AppVerifierService - C:\ProgramData\PCValidator\PCValidatorService.exe
    O23 - Service: SymSnapService - Unknown owner - C:\Program Files\Symantec\Backup Exec System Recovery\Shared\Drivers\SymSnapService.exe (file missing)

     

  • close all windows except for HijackThis and click Fix checked.

================================================

Download and run AdwCleaner

Download AdwCleaner from here and save it to your desktop.

  • run AdwCleaner by clicking on Scan
  • when it has finished, leave everything that was found checked, (ticked), then click on Clean
  • if it asks to reboot, allow the reboot
  • on reboot a log will be produced; please attach the content of the log to your next reply.

===================================================

Run Farbar Recovery Scan Tool

Please download Farbar Recovery Scan Tool and save it to your Desktop.

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system, download both of them and try to run them. Only one of them will run on your system; that will be the right version.

  • right click to run as administrator (XP users click run after receipt of Windows Security Warning - Open File). When the tool opens click Yes to disclaimer.
  • press Scan button
  • it will produce a log called Frst.txt in the same directory the tool is run from
  • please copy and paste log back here.
  • the first time the tool is run it generates another log (Addition.txt - also located in the same directory as FRST.exe/FRST64.exe). Please also paste that along with the Frst.txt into your reply.

Logs to include with next post:

HJT fix log
AdwCleaner log
Frst.txt
Addition.txt


Thanks

Satchfan

 


My help is always free of charge. If you are happy with the help provided, if you wish you can make a donation to buy me a beer.
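The fix above is built by reading the HijackThis log line by line and picking out entries with tell-tale cues: a file that is missing, a service with no recognisable owner, a binary living under ProgramData, a site added to the Trusted Zone, a service display name that still shows a raw "%1!s!" placeholder. The following script is an added example written for this page; it is not HijackThis code and not the helper's own method. It parses the 2.x log format and applies those cues as review flags. SAMPLE_LOG is a subset of lines copied from the log posted in #1 (the trademark glyph in the Java BHO line is written as "(tm)"); the flag names and thresholds are the editor's own. A flag means "look at this", not "this is malicious": the Lavasoft Web Companion Run entry that the helper also selected picks up no flag here, because recognising that product takes knowledge the heuristics do not have, which is why a person still reviews the list.

```python
"""Parse a Trend Micro HijackThis 2.x log and flag entries worth a second look.

Added example for this thread; it is not code from HijackThis or from the
thread's participants.  SAMPLE_LOG is a subset of lines copied from the log
posted above (the Java BHO line has its trademark glyph replaced by "(tm)").
The flags are the editor's own review heuristics: they mark an entry for a
human to examine, they do not decide that it is malicious.
"""
import re
from dataclasses import dataclass, field

SAMPLE_LOG = r"""
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll (file missing)
O4 - HKLM\..\Run: [Apoint] C:\Program Files\DellTPad\Apoint.exe
O4 - HKCU\..\Run: [Web Companion] C:\Program Files\Lavasoft\Web Companion\Application\WebCompanion.exe --minimize
O4 - Global Startup: Bluetooth.lnk = ?
O15 - Trusted Zone: http://*.webcompanion.com
O23 - Service: %1!s! Update Service (avg) (avg) - AVG Technologies - C:\Program Files\AVG\Browser\Update\AVGBrowserUpdate.exe
O23 - Service: PC SP Validator (PCValidator) - AppVerifierService - C:\ProgramData\PCValidator\PCValidatorService.exe
O23 - Service: SymSnapService - Unknown owner - C:\Program Files\Symantec\Backup Exec System Recovery\Shared\Drivers\SymSnapService.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
"""

# Every HijackThis finding starts with its section code (R0-R3, O1-O24),
# then " - ", then the section-specific body.
ENTRY = re.compile(r"^(?P<section>[RO]\d{1,2}) - (?P<body>.+)$")

# Directories a standard user can write to; a service or autorun living
# there deserves a look, because most vendor software installs elsewhere.
USER_WRITABLE = re.compile(r"\\(ProgramData|AppData|Temp)\\", re.IGNORECASE)


@dataclass
class Entry:
    section: str
    body: str
    flags: list = field(default_factory=list)


def parse(log_text: str) -> list:
    """Return one Entry per finding line; headers and process lists are skipped."""
    entries = []
    for line in log_text.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            entries.append(Entry(m["section"], m["body"]))
    return entries


def flag(entry: Entry) -> Entry:
    """Attach review flags to an entry (the same cues the helper acted on above)."""
    body = entry.body
    if "(file missing)" in body:
        entry.flags.append("file_missing")        # registry points at a file that is gone
    if "Unknown owner" in body:
        entry.flags.append("unknown_owner")       # service binary carries no company name
    if "%1!s!" in body:
        entry.flags.append("unexpanded_name")     # display name still holds a format placeholder
    if body.endswith("= ?"):
        entry.flags.append("unresolved_target")   # shortcut whose target HJT could not resolve
    if entry.section == "O15":
        entry.flags.append("trusted_zone")        # any site added to IE's Trusted Zone gets reviewed
    if USER_WRITABLE.search(body):
        entry.flags.append("user_writable_path")
    return entry


def triage(log_text: str) -> list:
    """Parse the log and return only the entries that picked up at least one flag."""
    return [e for e in map(flag, parse(log_text)) if e.flags]


if __name__ == "__main__":
    for e in triage(SAMPLE_LOG):
        print(f"{e.section:<4} {', '.join(e.flags):<32} {e.body[:70]}")
```

Run it against a full log saved from HijackThis and the output is a short list to hand to a reviewer; entries with no flags (the Dell touchpad and NVIDIA lines in the sample) drop out, while the six lines the helper also selected from this subset come back with the reason attached.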


#3 ruthannereid (Topic Starter)

Posted Yesterday, 09:54 PM

Thank you SO MUCH, Satchfan! These were clear instructions, and I think I followed them right. I am deeply overwhelmed by the amount of information these logs pulled, and so grateful that you know what you're doing.
 
Here are my various logs. Thank you!

Attached Files



#4 satchfan (Malware Response Team)

Posted Today, 10:55 AM

Thank you for the logs.

Please uninstall Sophos Virus Removal Tool via Control Panel > Programs and Features

================================================

You need to move Farbar Recovery Scan Tool to your desktop otherwise fixes will not work.

  • go to your Downloads folder and locate FRST, (C:\Users\Administrator.WORL01\Downloads)
  • right click and select Cut
  • go to an empty spot on your desktop, right click and select Paste

Farbar Recovery Scan Tool should now be on your desktop.

================================================

Run Farbar Recovery Scan Tool

Open notepad (Start >All Programs > Accessories > Notepad). Please copy the entire contents of the code box below and paste it into Notepad.

CloseProcesses:
BHO: Java(tm) Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files\Java\jre6\bin\jp2ssv.dll => No File
CHR Extension: (BookTrakr Button) - C:\Users\Administrator.WORL01\AppData\Local\Google\Chrome\User Data\Default\Extensions\cbmkamekendpknpegnimhdicdncljkje [2018-11-19] [UpdateUrl: hxxps://www.booktrakr.com/uploads/downloads/firefox-updates.json] <==== ATTENTION
CHR HKLM\...\Chrome\Extension: [nladljmabboanhihfkjacnnkgjhnokhj] - hxxps://clients2.google.com/service/update2/crx
S3 GenericMount Helper Service; "C:\Program Files\Symantec\Backup Exec System Recovery\Shared\Drivers\GenericMountHelper.exe" [X]
S4 SymSnapService; "C:\Program Files\Symantec\Backup Exec System Recovery\Shared\Drivers\SymSnapService.exe" [X]
S3 GenericMount; C:\Windows\System32\DRIVERS\GenericMount.sys [57840 2010-02-12] (Symantec Corporation)
S3 CtAudDrv; \??\C:\Windows\system32\Drivers\CtAudDrv.sys [X]
S3 CtClsFlt; system32\DRIVERS\CtClsFlt.sys [X]
S1 jmldfknu; \??\C:\Windows\system32\drivers\jmldfknu.sys [X]
S3 KAPFA; \??\C:\Windows\system32\drivers\KAPFA.SYS [X]
S1 kkjoqqeq; \??\C:\Windows\system32\drivers\kkjoqqeq.sys [X]
U2 V2iMount; no ImagePath
2018-11-18 11:06 - 2018-11-18 11:06 - 000000000 ____D C:\Users\JBrooks\AppData\Local\CEF
2018-11-18 11:05 - 2018-11-18 12:06 - 000000000 ____D C:\Users\JBrooks\AppData\Local\Avg
2018-11-18 11:00 - 2018-11-18 11:00 - 000000000 ____D C:\Program Files\Common Files\AVG
2018-11-18 10:59 - 2018-11-18 12:06 - 000000000 ____D C:\Program Files\AVG
2018-11-18 10:59 - 2018-11-18 12:06 - 000000000 ____D C:\Program Files\AVG
2018-11-18 10:03 - 2018-11-18 12:06 - 000000000 ____D C:\ProgramData\AVG
2018-11-18 09:36 - 2018-11-18 09:36 - 000000000 ____D C:\ProgramData\Bitdefender
2018-11-18 09:28 - 2018-11-18 09:28 - 000000000 ____D C:\Users\JBrooks\AppData\Roaming\QuickScan
2018-11-18 09:26 - 2018-11-18 09:26 - 000166952 _____ C:\Windows\Minidump\111818-26785-01.dmp
2018-11-18 09:24 - 2018-11-18 09:24 - 000041497 _____ C:\ProgramData\agent.1542551081.bdinstall.bin
2018-11-18 09:24 - 2018-11-18 09:24 - 000000000 ____D C:\ProgramData\Bitdefender Agent
2018-11-17 23:59 - 2018-11-17 23:59 - 000572722 _____ C:\Users\JBrooks\AppData\Local\census.cache
2018-11-17 23:57 - 2018-11-17 23:57 - 000256700 _____ C:\Users\JBrooks\AppData\Local\ars.cache
2018-11-17 23:17 - 2018-11-17 23:17 - 000000036 _____ C:\Users\JBrooks\AppData\Local\housecall.guid.cache
2018-11-17 23:17 - 2017-10-17 11:40 - 000326288 _____ (Trend Micro Inc.) C:\Windows\system32\Drivers\tmcomm.sys
2018-11-17 20:39 - 2018-11-17 20:39 - 000000000 ____D C:\ProgramData\Sophos
2018-11-17 20:09 - 2018-11-17 20:09 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Sophos
2018-11-17 20:09 - 2018-11-17 20:09 - 000000000 ____D C:\Program Files\Sophos
2018-11-17 19:17 - 2018-11-19 20:34 - 000000000 ____D C:\Program Files\Common Files\AV
2018-11-17 19:03 - 2018-11-17 19:03 - 000000000 ____D C:\ProgramData\Kaspersky Lab Setup Files
2018-11-17 11:20 - 2018-11-17 11:20 - 000000000 ____D C:\Users\JBrooks\AppData\Local\ESET
2018-11-17 11:19 - 2018-11-17 11:19 - 006981240 _____ (ESET spol. s r.o.) C:\Users\JBrooks\Downloads\esetonlinescanner_enu.exe
2018-11-17 11:09 - 2018-11-17 11:09 - 216392354 _____ C:\Users\JBrooks\Documents\pre_fix.reg
2018-11-19 09:09 - 2010-05-29 13:42 - 000000000 _____ C:\Users\JBrooks\AppData\Local\WavXMapDrive.bat
2018-11-17 20:03 - 2012-10-17 22:45 - 000000000 ____D C:\ProgramData\Kaspersky Lab
2018-11-17 20:03 - 2012-10-17 22:45 - 000000000 ____D C:\Program Files\Kaspersky Lab
2018-11-07 12:21 - 2010-05-29 07:12 - 000000000 ____D C:\ProgramData\Symantec
2018-11-07 12:21 - 2010-05-29 07:12 - 000000000 ____D C:\Program Files\Symantec
2010-05-29 07:35 - 2010-02-10 12:13 - 004856661 _____ () C:\Users\administrator\AppData\Local\Temp\CCPlayerSetup.exe
2010-05-29 07:30 - 2009-10-20 09:20 - 000006144 _____ (McKesson) C:\Users\administrator\AppData\Local\Temp\ChangeMSIProductCode.exe
2010-05-29 07:35 - 2009-10-16 14:47 - 000016384 _____ (McKesson) C:\Users\administrator\AppData\Local\Temp\CheckOSVersion.exe
2015-06-08 10:18 - 2012-11-28 12:36 - 000005632 _____ () C:\Users\administrator\AppData\Local\Temp\CheckServiceInstalled.exe
2010-05-29 07:30 - 2010-01-27 09:42 - 000096256 _____ () C:\Users\administrator\AppData\Local\Temp\ChkClientInst.exe
2010-05-29 07:30 - 2010-01-08 10:19 - 000006144 _____ (McKesson) C:\Users\administrator\AppData\Local\Temp\CTreeInstallValidation.exe
2010-05-29 07:30 - 2010-01-29 13:45 - 000394752 _____ () C:\Users\administrator\AppData\Local\Temp\CTreeServ.exe
2010-05-29 07:30 - 2009-10-12 09:55 - 000016384 _____ (McKesson) C:\Users\administrator\AppData\Local\Temp\DeleteFolder.exe
2010-05-29 07:30 - 2009-11-03 13:44 - 000005120 _____ (McKesson) C:\Users\administrator\AppData\Local\Temp\DeleteShortCut.exe
2015-06-08 10:48 - 2011-12-12 19:24 - 000441856 _____ (McKesson :: Physician Practice Solutions) C:\Users\administrator\AppData\Local\Temp\EditLink.exe
2011-08-02 17:30 - 2011-06-03 10:59 - 000428544 _____ (McKesson :: Physician Practice Solutions) C:\Users\administrator\AppData\Local\Temp\ini2cmd.exe
2015-06-08 10:18 - 2011-10-05 09:30 - 000428544 _____ (McKesson :: Physician Practice Solutions) C:\Users\administrator\AppData\Local\Temp\ini2msi.exe
2010-05-29 07:30 - 2009-09-02 13:17 - 000210432 _____ (Orange Lamp Software Solutions) C:\Users\administrator\AppData\Local\Temp\KillProcess.dll
2010-05-29 07:30 - 2009-12-15 09:35 - 000006144 _____ (McKesson) C:\Users\administrator\AppData\Local\Temp\ModifyMSIProductCode.exe
2015-06-08 10:18 - 2012-11-29 10:45 - 000006144 _____ () C:\Users\administrator\AppData\Local\Temp\SetHKLMRegistryKeyFor64Bit.exe
2015-06-08 10:18 - 2013-10-05 14:37 - 000007680 _____ () C:\Users\administrator\AppData\Local\Temp\SetUserFolderPermissions.exe
2015-06-08 10:18 - 2013-11-14 20:56 - 000007168 _____ () C:\Users\administrator\AppData\Local\Temp\SetUserFolderPermissionsAnyDir.exe
2011-08-02 17:30 - 2011-05-25 09:40 - 000421376 _____ (McKesson :: Physician Practice Solutions) C:\Users\administrator\AppData\Local\Temp\SwapText.exe
2018-11-07 12:31 - 2013-10-01 14:28 - 000055624 _____ (Citrix Systems, Inc.) C:\Users\JBrooks\AppData\Local\Temp\ARCompanionForSession1.exe
2010-06-17 20:28 - 2010-06-17 20:28 - 002605008 _____ (Adobe Systems, Inc.) C:\Users\JBrooks\AppData\Local\Temp\FlashPlayerUpdate.exe
2010-06-28 12:12 - 2010-06-28 12:12 - 002605008 _____ (Adobe Systems, Inc.) C:\Users\JBrooks\AppData\Local\Temp\FlashPlayerUpdate01.exe
2011-07-07 17:45 - 2011-07-07 17:45 - 000000000 _____ () C:\Users\JBrooks\AppData\Local\Temp\moeh9yaq.dll
2010-10-25 12:17 - 2012-08-08 10:26 - 000467992 _____ (Google Inc.) C:\Users\JBrooks\AppData\Local\Temp\SearchWithGoogleUpdate.exe
ContextMenuHandlers3: [MBAMShlExt] -> {57CE581A-0CB6-4266-9CA0-19364C90A0B3} => C:\Program Files\Malwarebytes' Anti-Malware\mbamext.dll -> No File
Task: {39085380-204F-406D-874E-AB5F174F0E6B} - System32\Tasks\ProfessionalPCCleaner_Start => C:\Program Files\Professional PC Cleaner\ProfessionalPCCleaner.exe
Task: {5E46201A-AFC9-413B-97EC-A2685815E2B3} - System32\Tasks\ProfessionalPCCleaner_Popup => C:\Program Files\Professional PC Cleaner\Splash.exe
Task: {8293F88D-1F39-4827-BEDF-F7E2E280A396} - System32\Tasks\AVG\Overseer => C:\Program Files\Common Files\AVG\Overseer\overseer.exe [2018-11-18] (AVG Technologies CZ, s.r.o.)
FirewallRules: [{5B36C4EF-BEA6-47B9-B54E-D6F70AEA64D1}] => (Allow) C:\Program Files\AVG\Antivirus\AvEmUpdate.exe
FirewallRules: [{2227612A-4FFE-4096-98C6-C1EF6E716B0E}] => (Allow) C:\Program Files\AVG\Antivirus\AvEmUpdate.exe
C:\Windows\System32\DRIVERS\GenericMount.sys
C:\Program Files\Professional PC Cleaner
VirusTotal: c:\windows\system32\systemmonitoring.exe
EmptyTemp:

NOTE: this script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system

  • save the file as fixlist.txt in the same folder as FRST – NOTE: It's important that both files, FRST and fixlist.txt, are in the same location or the fix will not work
  • run FRST then click Fix just once and wait
  • it will create a log (Fixlog.txt); please post it to your reply.

================================================

Run Malwarebytes Anti-Malware

Please download and run the installer for Malwarebytes 3.0.

  • follow the prompts to install the program, (Malwarebytes 3.0 will automatically upgrade Malwarebytes Anti-Malware 2.x to Malwarebytes 3.0)
  • run the program
  • click on the ‘Dashboard’ to make sure everything is up to date, (it is not necessary to upgrade to the premium version of MBAM)
  • click on the ‘Scan’ tab, (directly below the Dashboard tab)
  • select the Threat Scan option
  • click the Scan Now button
  • Threat Scan will begin
  • when the scan has completed and if malware was found, click the Quarantine Selected button to allow MBAM to quarantine what was found
  • if prompted to restart the computer, close all other programs and click Yes to restart your computer
  • once you are back at your desktop, open MBAM once more
  • click on the ‘Reports’ tab
  • double-click on the most recent Scan Report
  • click on Export, then Copy to Clipboard

Please paste the contents of the clipboard into your next reply to me.

Logs to include with next post:

Fixlog.txt
Mbam log


Thanks

Satchfan

 


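The fixlist above is assembled from FRST's own log lines: each service or driver entry is pasted back verbatim between the CloseProcesses: and EmptyTemp: directives, and the entries chosen share a few patterns, a missing image file ([X]), a service with no ImagePath at all, and two system-start drivers whose names are eight lowercase letters with almost no vowels. The script below is an added example for this page, not FRST code and not the helper's script. It parses the service lines, applies those patterns as flags, and drafts a fixlist in the same shape. The sample lines are copied from the fix above except the final ExampleSvc line, which is constructed as a healthy control; the reading of the leading letter as service state (R running, S stopped, U unknown) and the digit as start type (0 boot, 1 system, 2 auto, 3 demand, 4 disabled) follows FRST's usual notation, and the random-name threshold is the editor's own. As the post says, a fixlist is specific to one machine; a drafted one is a starting point for the person doing the review, not something to run unread.

```python
"""Triage the service and driver lines of a Farbar Recovery Scan Tool (FRST)
log and draft a fixlist from the results.

Added example for this thread; it is not FRST code and not the helper's
script.  SAMPLE_FRST reuses driver/service lines from the fixlist above; the
last line (ExampleSvc) is constructed as a healthy control.  The heuristics
are the editor's own.  FRST removes an item when its log line is pasted
verbatim into fixlist.txt, which is all build_fixlist() does; CloseProcesses:
and EmptyTemp: are the directives the fix above opens and closes with.
"""
import re
from dataclasses import dataclass, field

SAMPLE_FRST = r"""
S3 GenericMount Helper Service; "C:\Program Files\Symantec\Backup Exec System Recovery\Shared\Drivers\GenericMountHelper.exe" [X]
S3 GenericMount; C:\Windows\System32\DRIVERS\GenericMount.sys [57840 2010-02-12] (Symantec Corporation)
S3 CtAudDrv; \??\C:\Windows\system32\Drivers\CtAudDrv.sys [X]
S1 jmldfknu; \??\C:\Windows\system32\drivers\jmldfknu.sys [X]
S3 KAPFA; \??\C:\Windows\system32\drivers\KAPFA.SYS [X]
S1 kkjoqqeq; \??\C:\Windows\system32\drivers\kkjoqqeq.sys [X]
U2 V2iMount; no ImagePath
R2 ExampleSvc; C:\Windows\system32\examplesvc.exe [12345 2018-01-01] (Example Vendor)
"""

# FRST service line: state letter (R running, S stopped, U unknown), start
# type digit (0 boot, 1 system, 2 auto, 3 demand, 4 disabled), name, image.
LINE = re.compile(r"^(?P<state>[RSU])(?P<start>\d) (?P<name>[^;]+); (?P<image>.+)$")


@dataclass
class Service:
    raw: str
    state: str
    start: str
    name: str
    image: str
    flags: list = field(default_factory=list)


def looks_random(name: str) -> bool:
    """Crude check for machine-generated names: eight lowercase letters with
    few vowels.  Both eight-letter driver names removed in the fix above
    match; vendor names with capitals or digits never do."""
    if not re.fullmatch(r"[a-z]{8}", name):
        return False
    vowels = sum(c in "aeiou" for c in name)
    return vowels / len(name) <= 0.25


def parse(log_text: str) -> list:
    """Return one Service per parsable line, keeping the raw line for the fixlist."""
    services = []
    for line in log_text.splitlines():
        m = LINE.match(line.strip())
        if m:
            services.append(Service(line.strip(), **m.groupdict()))
    return services


def triage(log_text: str) -> list:
    """Flag entries with a missing image, no image path, or a random-looking name."""
    flagged = []
    for svc in parse(log_text):
        if svc.image.endswith("[X]"):
            svc.flags.append("image_missing")      # registry entry whose file is gone
        if svc.image == "no ImagePath":
            svc.flags.append("no_image_path")
        if looks_random(svc.name):
            svc.flags.append("random_name")
        if svc.start in "01" and svc.flags:
            svc.flags.append("early_start")        # boot/system start loads before most defences
        if svc.flags:
            flagged.append(svc)
    return flagged


def build_fixlist(flagged: list) -> str:
    """Draft a fixlist: the helper's framing directives around each flagged line, verbatim."""
    lines = ["CloseProcesses:"] + [s.raw for s in flagged] + ["EmptyTemp:"]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    hits = triage(SAMPLE_FRST)
    for s in hits:
        print(f"{s.state}{s.start} {s.name:<30} {', '.join(s.flags)}")
    print(build_fixlist(hits))
```

On the sample, the two signed entries with files present (GenericMount.sys and the constructed ExampleSvc) produce no flags; the other six come back, with the two eight-letter system-start drivers carrying all three flags, which is the combination that most deserves a reviewer's attention.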


#5 ruthannereid (Topic Starter)

Posted Today, 06:04 PM

Oh my gosh - it found 123. This computer is a digital petri dish!

Attached Files



#6 satchfan (Malware Response Team)

Posted Today, 06:24 PM

Well done. We’ve got rid of some pretty bad stuff but I’d like another look with a different tool.

Run RogueKiller

IMPORTANT: Please remove any usb or external drives from the computer and close all running programs before you run this scan!

Download RogueKiller to your desktop

  • for Windows Vista/7/8/10, right click -> run as administrator, for XP simply double-click on RogueKiller.exe
  • click on Scan
  • if a window opens to explain what PUMs are, please read it
  • when it has finished, click on Open Report
  • click on Export Txt and save the file on your Desktop as RKreport.txt
  • copy/paste the content in your next post
  • NOTE: DO NOT attempt to remove anything that the scan detects – everything that is reported is not necessarily bad

Satchfan

 


My help is always free of charge. If you are happy with the help provided, if you wish you can make a donation to buy me a beer.


#7 ruthannereid

ruthannereid
  • Topic Starter

  • Members
  • 4 posts
  • ONLINE

Posted Today, 07:25 PM

Here you go! The copy/paste from RKreport: 

 

RogueKiller Anti-Malware V13.0.11.0 [Nov 19 2018] (Free) by Adlice Software
Operating System : Windows 7 (6.1.7601 Service Pack 1) 32 bits
Started in : Normal mode
User : Administrator [Administrator]
Started from : C:\Program Files\RogueKiller\RogueKiller.exe
Mode : Standard Scan, Scan -- Date : 2018/11/20 18:33:25 (Duration : 00:34:04)
 
¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤ Processes ¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤
 
¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤ Process Modules ¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤
 
¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤ Services ¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤
 
¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤ Tasks ¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤
 
¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤ Registry ¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤
>>>>>> O101 - Clsid
  [Suspicious.Path (Potentially Malicious)] HKEY_CLASSES_ROOT\CLSID\{40354A83-504E-4611-ACAE-3D137F6F595E} -- (Dashlane USA, Inc.) C:\Users\JBrooks\AppData\Roaming\Dashlane\ie\Dashlanei.dll -> Found
  [Suspicious.Path (Potentially Malicious)] HKEY_CLASSES_ROOT\CLSID\{42D79B50-CC4A-4A8E-860F-BE674AF053A2} -- (Dashlane USA, Inc.) C:\Users\JBrooks\AppData\Roaming\Dashlane\ie\Dashlanei.dll -> Found
  [Suspicious.Path (Potentially Malicious)] HKEY_CLASSES_ROOT\CLSID\{669695BC-A811-4A9D-8CDF-BA8C795F261C} -- (Dashlane USA, Inc.) C:\Users\JBrooks\AppData\Roaming\Dashlane\ie\KWIEBar.dll -> Found
>>>>>> O2 - Browser Helper Objects
  [Suspicious.Path (Potentially Malicious)] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{42D79B50-CC4A-4A8E-860F-BE674AF053A2} -- (Dashlane USA, Inc.) C:\Users\JBrooks\AppData\Roaming\Dashlane\ie\Dashlanei.dll -> Found
>>>>>> O3 - Toolbar
  [Suspicious.Path (Potentially Malicious)] HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar|{669695BC-A811-4A9D-8CDF-BA8C795F261C} -- (Dashlane USA, Inc.) Dashlane Toolbar (C:\Users\JBrooks\AppData\Roaming\Dashlane\ie\KWIEBar.dll) -> Found
>>>>>> O87 - Firewall
  [Suspicious.Path (Potentially Malicious)] HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules|UDP Query User{B5ECE02C-C9C0-4E20-A433-8B39C72A46E0}C:\users\administrator\appdata\local\temp\lmir0001.tmp\lmi_rescue.exe -- v2.10|Action=Block|Active=TRUE|Dir=In|Protocol=17|Profile=Domain|App=C:\users\administrator\appdata\local\temp\lmir0001.tmp\lmi_rescue.exe|Name=lmi_rescue.exe|Desc=lmi_rescue.exe| -> Found
  [Suspicious.Path (Potentially Malicious)] HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules|TCP Query User{0629DD49-ED46-41A0-B863-A540CD6841FE}C:\users\administrator\appdata\local\temp\lmir0001.tmp\lmi_rescue.exe -- v2.10|Action=Block|Active=TRUE|Dir=In|Protocol=6|Profile=Domain|App=C:\users\administrator\appdata\local\temp\lmir0001.tmp\lmi_rescue.exe|Name=lmi_rescue.exe|Desc=lmi_rescue.exe| -> Found
  [Suspicious.Path (Potentially Malicious)] HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules|TCP Query User{2D223E50-E8A4-4742-9223-81D69A849B80}C:\users\administrator\appdata\local\temp\lmir0002.tmp\lmi_rescue.exe -- v2.10|Action=Block|Active=TRUE|Dir=In|Protocol=6|Profile=Domain|App=C:\users\administrator\appdata\local\temp\lmir0002.tmp\lmi_rescue.exe|Name=lmi_rescue.exe|Desc=lmi_rescue.exe| -> Found
  [Suspicious.Path (Potentially Malicious)] HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules|TCP Query User{DB911C66-C066-446E-937A-D5C1E7E4729B}C:\users\jbrooks\appdata\local\logmein rescue applet\lmir0001.tmp\lmi_rescue.exe -- v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Domain|App=C:\users\jbrooks\appdata\local\logmein rescue applet\lmir0001.tmp\lmi_rescue.exe|Name=lmi_rescue.exe|Desc=lmi_rescue.exe|Defer=User| (C:\users\jbrooks\appdata\local\logmein rescue applet\lmir0001.tmp\lmi_rescue.exe) (missing) -> Found
  [Suspicious.Path (Potentially Malicious)] HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules|UDP Query User{DFA00597-B3FD-41B3-8ECB-7780800DA11C}C:\users\jbrooks\appdata\local\logmein rescue applet\lmir0001.tmp\lmi_rescue.exe -- v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=17|Profile=Domain|App=C:\users\jbrooks\appdata\local\logmein rescue applet\lmir0001.tmp\lmi_rescue.exe|Name=lmi_rescue.exe|Desc=lmi_rescue.exe|Defer=User| (C:\users\jbrooks\appdata\local\logmein rescue applet\lmir0001.tmp\lmi_rescue.exe) (missing) -> Found
  [Suspicious.Path (Potentially Malicious)] HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules|UDP Query User{8A2D680A-D388-4148-A155-6AD436CE28B2}C:\users\administrator\appdata\local\temp\lmir0002.tmp\lmi_rescue.exe -- v2.10|Action=Block|Active=TRUE|Dir=In|Protocol=17|Profile=Domain|App=C:\users\administrator\appdata\local\temp\lmir0002.tmp\lmi_rescue.exe|Name=lmi_rescue.exe|Desc=lmi_rescue.exe| -> Found
  [Suspicious.Path (Potentially Malicious)] HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules|{B4C27D15-5BCE-42B8-A92F-CB7130DB81DD} -- v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=17|LPort=5353|App=C:\Users\JBrooks\AppData\Local\Chromium\Application\chrome.exe|Name=Chromium (mDNS-In)|Desc=Inbound rule for Chromium to allow mDNS traffic.|EmbedCtxt=Chromium| (C:\Users\JBrooks\AppData\Local\Chromium\Application\chrome.exe) (missing) -> Found
  [Suspicious.Path (Potentially Malicious)] HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules|UDP Query User{966538E9-1F07-447E-83D6-FD847BB57F8E}C:\users\administrator\appdata\local\logmein rescue applet\lmir0001.tmp\lmi_rescue.exe -- (LogMeIn, Inc.) v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=17|Profile=Domain|App=C:\users\administrator\appdata\local\logmein rescue applet\lmir0001.tmp\lmi_rescue.exe|Name=lmi_rescue.exe|Desc=lmi_rescue.exe|Defer=User| (C:\users\administrator\appdata\local\logmein rescue applet\lmir0001.tmp\lmi_rescue.exe) -> Found
  [Suspicious.Path (Potentially Malicious)] HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules|TCP Query User{4018A58E-C58A-46E5-AB86-2D71AB00E4D0}C:\users\administrator\appdata\local\logmein rescue applet\lmir0001.tmp\lmi_rescue.exe -- (LogMeIn, Inc.) v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Domain|App=C:\users\administrator\appdata\local\logmein rescue applet\lmir0001.tmp\lmi_rescue.exe|Name=lmi_rescue.exe|Desc=lmi_rescue.exe|Defer=User| (C:\users\administrator\appdata\local\logmein rescue applet\lmir0001.tmp\lmi_rescue.exe) -> Found
  [Suspicious.Path (Potentially Malicious)] HKEY_LOCAL_MACHINE\System\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules|TCP Query User{0629DD49-ED46-41A0-B863-A540CD6841FE}C:\users\administrator\appdata\local\temp\lmir0001.tmp\lmi_rescue.exe -- v2.10|Action=Block|Active=TRUE|Dir=In|Protocol=6|Profile=Domain|App=C:\users\administrator\appdata\local\temp\lmir0001.tmp\lmi_rescue.exe|Name=lmi_rescue.exe|Desc=lmi_rescue.exe| -> Found
  [Suspicious.Path (Potentially Malicious)] HKEY_LOCAL_MACHINE\System\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules|UDP Query User{B5ECE02C-C9C0-4E20-A433-8B39C72A46E0}C:\users\administrator\appdata\local\temp\lmir0001.tmp\lmi_rescue.exe -- v2.10|Action=Block|Active=TRUE|Dir=In|Protocol=17|Profile=Domain|App=C:\users\administrator\appdata\local\temp\lmir0001.tmp\lmi_rescue.exe|Name=lmi_rescue.exe|Desc=lmi_rescue.exe| -> Found
  [Suspicious.Path (Potentially Malicious)] HKEY_LOCAL_MACHINE\System\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules|TCP Query User{2D223E50-E8A4-4742-9223-81D69A849B80}C:\users\administrator\appdata\local\temp\lmir0002.tmp\lmi_rescue.exe -- v2.10|Action=Block|Active=TRUE|Dir=In|Protocol=6|Profile=Domain|App=C:\users\administrator\appdata\local\temp\lmir0002.tmp\lmi_rescue.exe|Name=lmi_rescue.exe|Desc=lmi_rescue.exe| -> Found
  [Suspicious.Path (Potentially Malicious)] HKEY_LOCAL_MACHINE\System\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules|UDP Query User{8A2D680A-D388-4148-A155-6AD436CE28B2}C:\users\administrator\appdata\local\temp\lmir0002.tmp\lmi_rescue.exe -- v2.10|Action=Block|Active=TRUE|Dir=In|Protocol=17|Profile=Domain|App=C:\users\administrator\appdata\local\temp\lmir0002.tmp\lmi_rescue.exe|Name=lmi_rescue.exe|Desc=lmi_rescue.exe| -> Found
  [Suspicious.Path (Potentially Malicious)] HKEY_LOCAL_MACHINE\System\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules|UDP Query User{DFA00597-B3FD-41B3-8ECB-7780800DA11C}C:\users\jbrooks\appdata\local\logmein rescue applet\lmir0001.tmp\lmi_rescue.exe -- v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=17|Profile=Domain|App=C:\users\jbrooks\appdata\local\logmein rescue applet\lmir0001.tmp\lmi_rescue.exe|Name=lmi_rescue.exe|Desc=lmi_rescue.exe|Defer=User| (C:\users\jbrooks\appdata\local\logmein rescue applet\lmir0001.tmp\lmi_rescue.exe) (missing) -> Found
  [Suspicious.Path (Potentially Malicious)] HKEY_LOCAL_MACHINE\System\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules|TCP Query User{DB911C66-C066-446E-937A-D5C1E7E4729B}C:\users\jbrooks\appdata\local\logmein rescue applet\lmir0001.tmp\lmi_rescue.exe -- v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Domain|App=C:\users\jbrooks\appdata\local\logmein rescue applet\lmir0001.tmp\lmi_rescue.exe|Name=lmi_rescue.exe|Desc=lmi_rescue.exe|Defer=User| (C:\users\jbrooks\appdata\local\logmein rescue applet\lmir0001.tmp\lmi_rescue.exe) (missing) -> Found
  [Suspicious.Path (Potentially Malicious)] HKEY_LOCAL_MACHINE\System\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules|TCP Query User{4018A58E-C58A-46E5-AB86-2D71AB00E4D0}C:\users\administrator\appdata\local\logmein rescue applet\lmir0001.tmp\lmi_rescue.exe -- (LogMeIn, Inc.) v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Domain|App=C:\users\administrator\appdata\local\logmein rescue applet\lmir0001.tmp\lmi_rescue.exe|Name=lmi_rescue.exe|Desc=lmi_rescue.exe|Defer=User| (C:\users\administrator\appdata\local\logmein rescue applet\lmir0001.tmp\lmi_rescue.exe) -> Found
  [Suspicious.Path (Potentially Malicious)] HKEY_LOCAL_MACHINE\System\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules|UDP Query User{966538E9-1F07-447E-83D6-FD847BB57F8E}C:\users\administrator\appdata\local\logmein rescue applet\lmir0001.tmp\lmi_rescue.exe -- (LogMeIn, Inc.) v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=17|Profile=Domain|App=C:\users\administrator\appdata\local\logmein rescue applet\lmir0001.tmp\lmi_rescue.exe|Name=lmi_rescue.exe|Desc=lmi_rescue.exe|Defer=User| (C:\users\administrator\appdata\local\logmein rescue applet\lmir0001.tmp\lmi_rescue.exe) -> Found
  [Suspicious.Path (Potentially Malicious)] HKEY_LOCAL_MACHINE\System\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules|{B4C27D15-5BCE-42B8-A92F-CB7130DB81DD} -- v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=17|LPort=5353|App=C:\Users\JBrooks\AppData\Local\Chromium\Application\chrome.exe|Name=Chromium (mDNS-In)|Desc=Inbound rule for Chromium to allow mDNS traffic.|EmbedCtxt=Chromium| (C:\Users\JBrooks\AppData\Local\Chromium\Application\chrome.exe) (missing) -> Found
>>>>>> XX - Explorer Advanced
  [PUM.StartMenu (Potentially Malicious)] HKEY_USERS\S-1-5-21-206299147-2562137885-2830312504-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced|Start_ShowMyGames -- 0 -> Found
 
¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤ WMI ¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤
 
¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤ Hosts File ¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤
 
¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤ Files ¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤
 
¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤ Web browsers ¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤
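The report above is read by a helper, not by the poster, and satchfan's note that "everything that is reported is not necessarily bad" is the point: most of the Registry hits are Windows Firewall "Query User" rules (created when someone answered the firewall prompt for a program running out of a temp or AppData folder) whose executables no longer exist, plus a password-manager browser add-in and one Start Menu preference. The script below is an added example, not RogueKiller's or satchfan's code: it parses the text-report format shown in the post, pulls apart the `|`-separated firewall-rule fields, and attaches a triage label to each finding so a reviewer can see at a glance which lines are stale rules, which are vendor components loaded from a user profile, and which are mere preference changes. The triage heuristics and the `TRANSIENT_PATH_MARKERS` list are this example's own assumptions; the sample report is constructed from a few of the entries posted above and the script changes nothing on the machine.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed sample, modelled on a few entries of the RogueKiller report posted above.
SAMPLE_REPORT = r"""
>>>>>> O2 - Browser Helper Objects
  [Suspicious.Path (Potentially Malicious)] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{42D79B50-CC4A-4A8E-860F-BE674AF053A2} -- (Dashlane USA, Inc.) C:\Users\JBrooks\AppData\Roaming\Dashlane\ie\Dashlanei.dll -> Found
>>>>>> O87 - Firewall
  [Suspicious.Path (Potentially Malicious)] HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules|TCP Query User{0629DD49-ED46-41A0-B863-A540CD6841FE}C:\users\administrator\appdata\local\temp\lmir0001.tmp\lmi_rescue.exe -- v2.10|Action=Block|Active=TRUE|Dir=In|Protocol=6|Profile=Domain|App=C:\users\administrator\appdata\local\temp\lmir0001.tmp\lmi_rescue.exe|Name=lmi_rescue.exe|Desc=lmi_rescue.exe| -> Found
  [Suspicious.Path (Potentially Malicious)] HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules|TCP Query User{DB911C66-C066-446E-937A-D5C1E7E4729B}C:\users\jbrooks\appdata\local\logmein rescue applet\lmir0001.tmp\lmi_rescue.exe -- v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Domain|App=C:\users\jbrooks\appdata\local\logmein rescue applet\lmir0001.tmp\lmi_rescue.exe|Name=lmi_rescue.exe|Desc=lmi_rescue.exe|Defer=User| (C:\users\jbrooks\appdata\local\logmein rescue applet\lmir0001.tmp\lmi_rescue.exe) (missing) -> Found
  [Suspicious.Path (Potentially Malicious)] HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules|{B4C27D15-5BCE-42B8-A92F-CB7130DB81DD} -- v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=17|LPort=5353|App=C:\Users\JBrooks\AppData\Local\Chromium\Application\chrome.exe|Name=Chromium (mDNS-In)|Desc=Inbound rule for Chromium to allow mDNS traffic.|EmbedCtxt=Chromium| (C:\Users\JBrooks\AppData\Local\Chromium\Application\chrome.exe) (missing) -> Found
>>>>>> XX - Explorer Advanced
  [PUM.StartMenu (Potentially Malicious)] HKEY_USERS\S-1-5-21-206299147-2562137885-2830312504-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced|Start_ShowMyGames -- 0 -> Found
"""

# One finding line: "  [Category (Severity)] KEY -- VALUE -> Status"
FINDING_RE = re.compile(
    r"^\s*\[(?P<category>[^\]]+?) \((?P<severity>[^)]+)\)\]\s+"
    r"(?P<key>.+?) -- (?P<value>.*?) -> (?P<status>\w+)\s*$"
)
SECTION_RE = re.compile(r"^>>>>>> (?P<section>.+?)\s*$")

# Assumed locations of throw-away executables that firewall prompts get answered for
# (temp dirs and per-user profile dirs); lower-cased substrings matched against App=.
TRANSIENT_PATH_MARKERS = ("\\appdata\\local\\temp\\", "\\appdata\\local\\", "\\appdata\\roaming\\")

STALE = "stale: inbound Allow rule for an executable that no longer exists (cleanup candidate)"
ALLOW_PROFILE = "inbound Allow rule for a profile-directory executable; confirm it is still wanted"
BLOCK = "Block rule answered at a firewall prompt; harmless"
PROFILE_DLL = "component loads from a user profile directory; verify vendor and signature before acting"
PREFERENCE = "preference change (PUM), not malware; leave unless unwanted"
MANUAL = "review manually"


@dataclass
class Finding:
    section: str
    category: str
    severity: str
    key: str
    value: str
    status: str
    fields: Dict[str, str] = field(default_factory=dict)  # k=v pairs of a firewall rule
    missing: bool = False  # RogueKiller appended "(missing)": the referenced file is gone


def parse_report(text: str) -> List[Finding]:
    """Parse the finding lines of a RogueKiller text report, keeping the section each belongs to."""
    findings: List[Finding] = []
    section = ""
    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            section = m.group("section")
            continue
        m = FINDING_RE.match(line)
        if not m:
            continue
        f = Finding(section=section, **m.groupdict())
        # Firewall rule values are a '|'-separated k=v list (Action=Allow|Dir=In|App=...).
        for part in f.value.split("|"):
            if "=" in part:
                k, _, v = part.partition("=")
                f.fields[k.strip()] = v.strip()
        f.missing = "(missing)" in f.value
        findings.append(f)
    return findings


def triage(f: Finding) -> str:
    """Attach a reviewer's label to one finding (heuristics are this example's own)."""
    if f.category.startswith("PUM."):
        return PREFERENCE
    action = f.fields.get("Action")
    if action:  # a firewall rule
        app = f.fields.get("App", "").lower()
        transient = any(marker in app for marker in TRANSIENT_PATH_MARKERS)
        if action == "Allow" and f.fields.get("Dir") == "In" and transient:
            return STALE if f.missing else ALLOW_PROFILE
        if action == "Block":
            return BLOCK
        return MANUAL
    if "\\appdata\\" in f.value.lower():
        return PROFILE_DLL
    return MANUAL


def summarize(text: str) -> Dict[str, int]:
    """Count findings per triage label for a whole report."""
    counts: Dict[str, int] = {}
    for f in parse_report(text):
        label = triage(f)
        counts[label] = counts.get(label, 0) + 1
    return counts


if __name__ == "__main__":
    for f in parse_report(SAMPLE_REPORT):
        print(f"[{f.section}] {f.fields.get('Name') or f.key.rsplit(chr(92), 1)[-1]}: {triage(f)}")
    print(summarize(SAMPLE_REPORT))
```

Run against a saved RKreport.txt by reading the file into `parse_report`; the labels only sort the list for a human reader, they do not decide anything, and the helper's instruction to remove nothing from this scan still stands.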




