e071460 (Honorary Members)

  • Posts: 27
  • Reputation: 0 Neutral

  1. Aura, Thank you so much for all of your help and expertise. I will be using my computer enough this weekend to (hopefully) make sure everything is working correctly. I'll reply here Monday, regardless. -Kirk
  2. Fix result of Farbar Recovery Scan Tool (x64) Version: 14.03.2018
     Ran by Kirk (05-04-2018 18:33:48) Run:2
     Running from C:\Users\Kirk\Desktop
     Loaded Profiles: Kirk (Available Profiles: Kirk)
     Boot Mode: Normal
     ==============================================

     ==== End of Fixlog 18:40:46 ====

     Fixlog_04052018.txt
  3. # AdwCleaner 7.0.8.0 - Logfile created on Thu Apr 05 02:42:39 2018
     # Updated on 2018/08/02 by Malwarebytes
     # Running on Windows 10 Home (X64)
     # Mode: clean
     # Support: https://www.malwarebytes.com/support

     ***** [ Services ] *****
     No malicious services deleted.

     ***** [ Folders ] *****
     No malicious folders deleted.

     ***** [ Files ] *****
     No malicious files deleted.

     ***** [ DLL ] *****
     No malicious DLLs cleaned.

     ***** [ WMI ] *****
     No malicious WMI cleaned.

     ***** [ Shortcuts ] *****
     No malicious shortcuts cleaned.

     ***** [ Tasks ] *****
     No malicious tasks deleted.

     ***** [ Registry ] *****
     No malicious registry entries deleted.

     ***** [ Firefox (and derivatives) ] *****
     No malicious Firefox entries deleted.

     ***** [ Chromium (and derivatives) ] *****
     No malicious Chromium entries deleted.

     *************************
     ::Tracing keys deleted
     ::Winsock settings cleared
     ::Additional Actions: 0
     *************************

     C:/AdwCleaner/AdwCleaner[C0].txt - [2456 B] - [2018/3/30 22:58:38]
     C:/AdwCleaner/AdwCleaner[S0].txt - [2602 B] - [2018/3/30 21:12:3]
     C:/AdwCleaner/AdwCleaner[S1].txt - [1080 B] - [2018/4/2 1:2:3]
     C:/AdwCleaner/AdwCleaner[S2].txt - [1144 B] - [2018/4/5 2:40:38]

     ########## EOF - C:\AdwCleaner\AdwCleaner[C1].txt ##########

     RogueKiller V12.12.11.0 (x64) [Apr 3 2018] (Free) by Adlice Software
     mail : http://www.adlice.com/contact/
     Feedback : https://forum.adlice.com
     Website : http://www.adlice.com/download/roguekiller/
     Blog : http://www.adlice.com

     Operating System : Windows 10 (10.0.16299) 64 bits version
     Started in : Normal mode
     User : Kirk [Administrator]
     Started from : C:\Users\Kirk\Desktop\RogueKiller_portable64.exe
     Mode : Delete -- Date : 04/04/2018 19:52:13 (Duration : 01:38:48)

     rk_6988.tmp_04042018_2138.txt AdwCleaner[C1]_04042018_1944.txt
  4. Malwarebytes
     www.malwarebytes.com

     -Log Details-
     Scan Date: 4/4/18
     Scan Time: 7:18 AM
     Log File: 1a339c5e-3813-11e8-8b33-14dda943d939.json
     Administrator: Yes

     -Software Information-
     Version: 3.4.5.2467
     Components Version: 1.0.342
     Update Package Version: 1.0.4612
     License: Free

     -System Information-
     OS: Windows 10 (Build 16299.309)
     CPU: x64
     File System: NTFS
     User: SURPRIZE\Kirk

     -Scan Summary-
     Scan Type: Threat Scan
     Scan Initiated By: Manual
     Result: Completed
     Objects Scanned: 342287
     Threats Detected: 2
     Threats Quarantined: 2
     Time Elapsed: 7 min, 56 sec

     -Scan Options-
     Memory: Enabled
     Startup: Enabled
     Filesystem: Enabled
     Archives: Enabled
     Rootkits: Enabled
     Heuristics: Enabled
     PUP: Detect
     PUM: Detect

     -Scan Details-
     Process: 0 (No malicious items detected)
     Module: 0 (No malicious items detected)
     Registry Key: 0 (No malicious items detected)
     Registry Value: 0 (No malicious items detected)
     Registry Data: 0 (No malicious items detected)
     Data Stream: 0 (No malicious items detected)
     Folder: 0 (No malicious items detected)
     File: 2
     Adware.Adposhel.TskLnk, C:\USERS\KIRK\APPDATA\LOCAL\TEMP\IS-QK26C.TMP\2DEZCJKGSWK.TMP, Quarantined, [8170], [506223],1.0.4612
     Adware.Adposhel.TskLnk, C:\USERS\KIRK\APPDATA\LOCAL\TEMP\IS-B2VCF.TMP\JHWGX1ZM5TD.TMP, Quarantined, [8170], [506223],1.0.4612
     Physical Sector: 0 (No malicious items detected)

     (end)

     20180404 Malwarebytes.txt
  5. Aura, Log file attached to this message. -Kirk FRST_04032018.txt
  6. Will do Aura. Give me a full day to complete, please. Thanks. -Kirk
  7. Aura, Thank you for assisting me on this issue. I appreciate your time, attention and support. -Kirk aka e071460
  8. Fix result of Farbar Recovery Scan Tool (x64) Version: 14.03.2018
     Ran by Kirk (02-04-2018 09:49:12) Run:1
     Running from C:\Users\Kirk\Desktop
     Loaded Profiles: Kirk (Available Profiles: Kirk)
     Boot Mode: Normal
     ==============================================

     fixlist content:
     *****************
     CMD: bcdedit.exe /set {bootmgr} displaybootmenu yes
     CMD: bcdedit.exe /set {default} recoveryenabled yes
     *****************

     ========= bcdedit.exe /set {bootmgr} displaybootmenu yes =========
     The operation completed successfully.
     ========= End of CMD: =========

     ========= bcdedit.exe /set {default} recoveryenabled yes =========
     The operation completed successfully.
     ========= End of CMD: =========

     ==== End of Fixlog 09:49:13 ====

     Fixlog.txt
  9. Attached are my logs. Am I infected? Can you help? 04012018 Malwarebytes Log.txt Addition.txt FRST.txt
  10. Clearing the "Detective Threats" worked. Thanks. -Kirk
  11. I am following these instructions and will advise. Thanks.
  12. Malwarebytes 2.02.1012 will not update. Based on <https://forums.malwarebytes.org/index.php?/topic/146024-diagnostic-logs/> I ran Farbar and mbam-check. The results are attached to this message. Please help. Kirk Hunt Addition.txt CheckResults.txt FRST.txt
  13. My system appears to be running correctly now. Logs attached. -Desertcat mbar-log-2012-12-22 (15-04-32).txt system-log.txt