lucaslyh

Members
  • Posts

    14
  • Joined

  • Last visited

Reputation

0 Neutral

  1. Hi Aura, thanks for taking the time to check back with me. I scanned daily and have yet to detect anything as of now. Should be clean. Thank you for all the technical support!
  2. Hi Aura, So I did as asked. There was a ghokswa registry that appeared. Seems like some pretty nasty firewall disabler. Could a rootkit be lying around? malwarebytes caa 260517.txt
  3. Ah, I went ahead with the removal using Malwarebytes. Wasn't expecting to post another log. Thanks for all the assistance Aura, you saved me from reformatting as a last-ditch resort. May I contact you again in the future if it ever returns?
  4. Hi Aura, apologies for the delayed reply, I did not have a chance to use the computer much recently. Attached is the new log. Seems like there is still residue. Malwarebytes CAA 240517.txt
  5. Hey Aura, thanks for clearing my doubts. Attached are the scan logs for Malwarebytes. It seems that there are still some leftovers. malwarebytes CAA 220517.txt
  6. Hi Aura, As instructed, attached are the logs of JRT and AdwCleaner. Earlier on, there is a zip file that was asked to be uploaded; should I delete that as well? And something I just realised: when I open Google Chrome, the Google URL seems to have an additional "index" that seems to be random whenever I start up Chrome. Attached as a screenshot. JRT CAA 210517.txt AdwCleaner[C2] CAA 210517.txt
  7. Hi Aura, as requested:
     Fix result of Farbar Recovery Scan Tool (x64) Version: 14-05-2017
     Ran by 4 yrs worth of savin (20-05-2017 13:23:18) Run:2
     Running from C:\Users\4 yrs worth of savin\Downloads
     Loaded Profiles: 4 yrs worth of savin (Available Profiles: 4 yrs worth of savin)
     Boot Mode: Normal
     ==============================================

     fixlist content:
     *****************
     CloseProcesses:
     CreateRestorePoint:
     Zip: C:\Users\4 yrs worth of savin\AppData\Roaming\ytmediacenter\YoukuMediaCenter.exe;C:\Users\4 yrs worth of savin\AppData\Roaming\WinSAPSvc\WinSAP.dll;C:\ProgramData\BIT\BIT.dll;C:\Program Files (x86)\MIO\MIO.exe;C:\Program Files (x86)\MIO\loader\samsungxssdx850xevox250gb_s2r4nx0h611718l.dat;C:\Program Files (x86)\MIO\loader\samsungxssdx850xevox250gb_s2r4nx0h611718l.dat;C:\WINDOWS\SysWOW64\00;C:\WINDOWS\SysWOW64\1;C:\WINDOWS\SysWOW64\11;C:\WINDOWS\SysWOW64\1111;C:\WINDOWS\SysWOW64\1111111;C:\WINDOWS\SysWOW64\2;C:\WINDOWS\SysWOW64\22;C:\WINDOWS\SysWOW64\3333333;C:\WINDOWS\SysWOW64\44
     REG: REG DELETE "HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run" /v "YoukuMediaCenter" /f
     HKU\S-1-5-18\...\Run: [] => [X]
     IFEO\GoogleUpdate.exe: [Debugger] 324095823984.exe
     IFEO\GoogleUpdaterService.exe: [Debugger] 8736459873644.exe
     R2 WinSAPSvc; C:\Users\4 yrs worth of savin\AppData\Roaming\WinSAPSvc\WinSAP.dll [1887232 2017-05-16] (TODO: <公司名>) [File not signed] <==== ATTENTION
     R2 BIT; C:\ProgramData\BIT\BIT.dll [1857536 2017-05-16] (BIT) [File not signed] <==== ATTENTION
     S3 BCM42RLY; system32\drivers\BCM42RLY.sys [X]
     S3 gkernel; \??\C:\Users\4YRSWO~1\AppData\Local\Temp\gkernel.sys [X] <==== ATTENTION
     CustomCLSID: HKU\S-1-5-21-4025591569-708684015-263400944-1001_Classes\CLSID\{0E270DAA-1BE6-48F2-AC49-5CF43BE4DCED}\InprocServer32 -> %%systemroot%%\system32\shell32.dll => No File
     Task: {2E68B6EE-307D-4A53-8054-A463633FCDB5} - \Zergilyghuzether -> No File <==== ATTENTION
     Task: {F53BF0C0-EAB4-47A2-A50A-73D372326FDB} - System32\Tasks\Milimili => C:\Program Files (x86)\MIO\MIO.exe [2017-05-16] () <==== ATTENTION
     HKLM\...\StartupApproved\Run32: => "YoukuMediaCenter"
     HKU\S-1-5-21-4025591569-708684015-263400944-1001\...\StartupApproved\Run: => "GoogleChromeAutoLaunch_2FB53CAF31E5AAE2D7FE81304405D331"
     FirewallRules: [{6DE24A2E-0E51-4180-A321-DD50678BD705}] => (Allow) C:\Program Files (x86)\MIO\loader\samsungxssdx850xevox250gb_s2r4nx0h611718l.dat
     FirewallRules: [{264A8626-96F4-4D00-A3B2-1D1E45AAC7BE}] => (Allow) C:\Program Files (x86)\MIO\loader\samsungxssdx850xevox250gb_s2r4nx0h611718l.dat
     C:\Program Files (x86)\{CB99B496-06CD-4210-B26B-D9E139EDC57A}
     C:\Program Files (x86)\{57E50B6A-C5AB-483C-9CBC-99D697B102CD}
     C:\Program Files (x86)\{2A617F45-AB17-4F77-B8F0-B6BB4CE8AD98}
     C:\Program Files (x86)\MIO
     C:\ProgramData\BIT
     C:\ProgramData\ntuser.pol
     C:\Users\4 yrs worth of savin\AppData\Local\CWASRE
     C:\Users\4 yrs worth of savin\AppData\Local\Chromium
     C:\Users\4 yrs worth of savin\AppData\Local\netofa
     C:\Users\4 yrs worth of savin\AppData\Roaming\WinSAPSvc
     C:\WINDOWS\SysWOW64\00
     C:\WINDOWS\SysWOW64\1
     C:\WINDOWS\SysWOW64\11
     C:\WINDOWS\SysWOW64\1111
     C:\WINDOWS\SysWOW64\1111111
     C:\WINDOWS\SysWOW64\2
     C:\WINDOWS\SysWOW64\22
     C:\WINDOWS\SysWOW64\3333333
     C:\WINDOWS\SysWOW64\44
     EmptyTemp:
     *****************

     Processes closed successfully.
     Restore point was successfully created.

     ================== Zip: ===================
     "C:\Users\4 yrs worth of savin\AppData\Roaming\ytmediacenter\YoukuMediaCenter.exe" -> not found
     C:\Users\4 yrs worth of savin\AppData\Roaming\WinSAPSvc\WinSAP.dll -> copied successfully to C:\Users\4 yrs worth of savin\Desktop\20.05.2017_13.23.25.zip
     C:\ProgramData\BIT\BIT.dll -> copied successfully to C:\Users\4 yrs worth of savin\Desktop\20.05.2017_13.23.25.zip
     C:\Program Files (x86)\MIO\MIO.exe -> copied successfully to C:\Users\4 yrs worth of savin\Desktop\20.05.2017_13.23.25.zip
     "C:\Program Files (x86)\MIO\loader\samsungxssdx850xevox250gb_s2r4nx0h611718l.dat" -> not found
     "C:\Program Files (x86)\MIO\loader\samsungxssdx850xevox250gb_s2r4nx0h611718l.dat" -> not found
     C:\WINDOWS\SysWOW64\00 -> copied successfully to C:\Users\4 yrs worth of savin\Desktop\20.05.2017_13.23.25.zip
     C:\WINDOWS\SysWOW64\1 -> copied successfully to C:\Users\4 yrs worth of savin\Desktop\20.05.2017_13.23.25.zip
     C:\WINDOWS\SysWOW64\11 -> copied successfully to C:\Users\4 yrs worth of savin\Desktop\20.05.2017_13.23.25.zip
     C:\WINDOWS\SysWOW64\1111 -> copied successfully to C:\Users\4 yrs worth of savin\Desktop\20.05.2017_13.23.25.zip
     C:\WINDOWS\SysWOW64\1111111 -> copied successfully to C:\Users\4 yrs worth of savin\Desktop\20.05.2017_13.23.25.zip
     C:\WINDOWS\SysWOW64\2 -> copied successfully to C:\Users\4 yrs worth of savin\Desktop\20.05.2017_13.23.25.zip
     C:\WINDOWS\SysWOW64\22 -> copied successfully to C:\Users\4 yrs worth of savin\Desktop\20.05.2017_13.23.25.zip
     C:\WINDOWS\SysWOW64\3333333 -> copied successfully to C:\Users\4 yrs worth of savin\Desktop\20.05.2017_13.23.25.zip
     C:\WINDOWS\SysWOW64\44 -> copied successfully to C:\Users\4 yrs worth of savin\Desktop\20.05.2017_13.23.25.zip
     =========== Zip: End ===========

     ========= REG DELETE "HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run" /v "YoukuMediaCenter" /f =========
     The operation completed successfully.

     ========= End of Reg: =========
     HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Run\\ => value removed successfully
     HKLM\Software\microsoft\windows nt\currentversion\Image File Execution Options\GoogleUpdate.exe => key removed successfully
     HKLM\Software\microsoft\windows nt\currentversion\Image File Execution Options\GoogleUpdaterService.exe => key removed successfully
     WinSAPSvc => Unable to stop service.
     HKLM\System\CurrentControlSet\Services\WinSAPSvc => key removed successfully
     WinSAPSvc => service removed successfully
     BIT => Unable to stop service.
     HKLM\System\CurrentControlSet\Services\BIT => key removed successfully
     BIT => service removed successfully
     HKLM\System\CurrentControlSet\Services\BCM42RLY => key removed successfully
     BCM42RLY => service removed successfully
     HKLM\System\CurrentControlSet\Services\gkernel => key removed successfully
     gkernel => service removed successfully
     HKU\S-1-5-21-4025591569-708684015-263400944-1001_Classes\CLSID\{0E270DAA-1BE6-48F2-AC49-5CF43BE4DCED} => key removed successfully
     HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{2E68B6EE-307D-4A53-8054-A463633FCDB5} => key removed successfully
     HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{2E68B6EE-307D-4A53-8054-A463633FCDB5} => key removed successfully
     HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Zergilyghuzether => key removed successfully
     HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{F53BF0C0-EAB4-47A2-A50A-73D372326FDB} => key removed successfully
     HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{F53BF0C0-EAB4-47A2-A50A-73D372326FDB} => key removed successfully
     C:\WINDOWS\System32\Tasks\Milimili => moved successfully
     HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Milimili => key removed successfully
     HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run32\\YoukuMediaCenter => value removed successfully
     HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\\YoukuMediaCenter => value not found.
     HKU\S-1-5-21-4025591569-708684015-263400944-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run\\GoogleChromeAutoLaunch_2FB53CAF31E5AAE2D7FE81304405D331 => value removed successfully
     HKU\S-1-5-21-4025591569-708684015-263400944-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\GoogleChromeAutoLaunch_2FB53CAF31E5AAE2D7FE81304405D331 => value not found.
     HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{6DE24A2E-0E51-4180-A321-DD50678BD705} => value removed successfully
     HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{264A8626-96F4-4D00-A3B2-1D1E45AAC7BE} => value removed successfully
     C:\Program Files (x86)\{CB99B496-06CD-4210-B26B-D9E139EDC57A} => moved successfully
     C:\Program Files (x86)\{57E50B6A-C5AB-483C-9CBC-99D697B102CD} => moved successfully
     C:\Program Files (x86)\{2A617F45-AB17-4F77-B8F0-B6BB4CE8AD98} => moved successfully
     C:\Program Files (x86)\MIO => moved successfully
     C:\ProgramData\BIT => moved successfully
     C:\ProgramData\ntuser.pol => moved successfully
     C:\Users\4 yrs worth of savin\AppData\Local\CWASRE => moved successfully
     C:\Users\4 yrs worth of savin\AppData\Local\Chromium => moved successfully
     C:\Users\4 yrs worth of savin\AppData\Local\netofa => moved successfully
     C:\Users\4 yrs worth of savin\AppData\Roaming\WinSAPSvc => moved successfully
     C:\WINDOWS\SysWOW64\00 => moved successfully
     C:\WINDOWS\SysWOW64\1 => moved successfully
     C:\WINDOWS\SysWOW64\11 => moved successfully
     C:\WINDOWS\SysWOW64\1111 => moved successfully
     C:\WINDOWS\SysWOW64\1111111 => moved successfully
     C:\WINDOWS\SysWOW64\2 => moved successfully
     C:\WINDOWS\SysWOW64\22 => moved successfully
     C:\WINDOWS\SysWOW64\3333333 => moved successfully
     C:\WINDOWS\SysWOW64\44 => moved successfully

     =========== EmptyTemp: ==========
     BITS transfer queue => 1409968 B
     DOMStore, IE Recovery, AppCache, Feeds Cache, Thumbcache, IconCache => 272090971 B
     Java, Flash, Steam htmlcache => 721758983 B
     Windows/system/drivers => 119958385 B
     Edge => 6335777 B
     Chrome => 419147506 B
     Firefox => 0 B
     Opera => 0 B
     Temp, IE cache, history, cookies, recent:
     Default => 0 B
     Users => 0 B
     ProgramData => 0 B
     Public => 0 B
     systemprofile => 128 B
     systemprofile32 => 10457303 B
     LocalService => 3198 B
     NetworkService => 954038 B
     4 yrs worth of savin => 10811351912 B
     RecycleBin => 0 B
     EmptyTemp: => 11.5 GB temporary data Removed.

     ================================
     The system needed a reboot.

     ==== End of Fixlog 13:24:16 ====
     Fixlog.txt
  8. Hi Aura, apparently the path leads to an empty folder which (if I recall) was already there since OS installation. Another thing is that when I search in Chrome's search bar after the browser hijack, it leads me to a "choose an account" page for Google Drive: https://accounts.google.com/ServiceLogin/signinchooser?service=wise&passive=1209600&continue=https%3A%2F%2Fdrive.google.com%2Fdrive%2Fsearch%3Fq%3Dfdsf&followup=https%3A%2F%2Fdrive.google.com%2Fdrive%2Fsearch%3Fq%3Dfdsf&flowName=GlifWebSignIn&flowEntry=ServiceLogin
  9. Hi Aura, thank you for stepping up to assist me. Attached are the requested files; hope they can make it easier to help solve this issue. Side note: it seems like whenever I use Chrome, it closes after a while with an error message of "C:/user not found"; not sure if pointing this out makes any difference. JRT CAA 190517.txt malwarebytes CAA190517.txt AdwCleaner CAA 190517.txt
  10. Hi, recently I detected and tried removing adware.elex & adware.ghokswa with Malwarebytes, but it keeps coming back. It hijacks my browser and places weird icons on my desktop that lead to other sites (I have not clicked on them; I inferred this from the address in their properties). And also, ever since, Google Chrome has been shutting down very often, with the error message "user not found". May I please be guided on how to properly remove it? Attached are the txt files from FRST, as well as a screenshot of Malwarebytes' detection. Addition.txt FRST.txt
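The Fixlog pasted in post 7 above is the kind of output a helper reads to confirm what FRST actually removed and what it could not. The Python script below is an added example written for this page, not code from the thread, from FRST or from Malwarebytes: it splits a Fixlog into the echoed fixlist and the result lines, counts removals against "not found" and "Unable to stop service" outcomes, and pulls out the items worth re-checking after the reboot (IFEO Debugger redirections, unsigned services, and lines FRST tagged ATTENTION). The embedded sample is constructed from a few lines of that log with the user path shortened, and the classification rules are my own assumptions about FRST's phrasing, not a documented format.

```python
"""Triage helper for an FRST Fixlog.txt (added example; not FRST's own code)."""
import re
from collections import Counter

# Constructed sample modelled on the Fixlog in post 7; user path shortened to C:\Users\u.
SAMPLE_FIXLOG = r"""
fixlist content:
*****************
CloseProcesses:
IFEO\GoogleUpdate.exe: [Debugger] 324095823984.exe
R2 WinSAPSvc; C:\Users\u\AppData\Roaming\WinSAPSvc\WinSAP.dll [1887232 2017-05-16] (TODO: <公司名>) [File not signed] <==== ATTENTION
S3 gkernel; \??\C:\Users\u\AppData\Local\Temp\gkernel.sys [X] <==== ATTENTION
Task: {2E68B6EE-307D-4A53-8054-A463633FCDB5} - \Zergilyghuzether -> No File <==== ATTENTION
HKU\S-1-5-18\...\Run: [] => [X]
EmptyTemp:
*****************

Processes closed successfully.
HKLM\Software\microsoft\windows nt\currentversion\Image File Execution Options\GoogleUpdate.exe => key removed successfully
WinSAPSvc => Unable to stop service.
HKLM\System\CurrentControlSet\Services\WinSAPSvc => key removed successfully
WinSAPSvc => service removed successfully
C:\ProgramData\BIT => moved successfully
HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\\YoukuMediaCenter => value not found.
==== End of Fixlog 13:24:16 ====
"""

SEPARATOR = "*****************"
# Result lines look like "<target> => <outcome>", sometimes with a trailing period.
RESULT_RE = re.compile(r"^(?P<target>.+?) => (?P<outcome>.+?)\.?$")
# An IFEO Debugger value makes Windows start the named program instead of the image.
IFEO_RE = re.compile(r"^IFEO\\(?P<image>[^:]+): \[Debugger\] (?P<debugger>.+)$")
# Service lines start with a start-type code such as R2 or S3, then the service name.
SERVICE_RE = re.compile(r"^[RS]\d (?P<name>[^;]+);")


def split_sections(text):
    """Return (fixlist_lines, result_lines). The echoed fixlist sits between
    'fixlist content:' and the next separator; everything after it is results."""
    lines = text.splitlines()
    try:
        start = lines.index("fixlist content:") + 2  # skip the header and its separator
    except ValueError:
        return [], lines
    end = lines.index(SEPARATOR, start)
    return lines[start:end], lines[end + 1:]


def classify_outcome(outcome):
    """Map FRST's outcome wording (assumed, not documented) to a coarse bucket."""
    o = outcome.lower()
    if "not found" in o:
        return "not_found"
    if o.startswith("unable"):
        return "failed"
    if "removed successfully" in o or "moved successfully" in o or o.startswith("copied successfully"):
        return "removed"
    return "other"


def scan_fixlist(fixlist_lines):
    """Collect the persistence items worth a second look before calling the host clean."""
    findings = {"ifeo_debugger": [], "unsigned_services": [], "attention": 0}
    for line in fixlist_lines:
        m = IFEO_RE.match(line)
        if m:
            findings["ifeo_debugger"].append((m.group("image"), m.group("debugger")))
        if "[File not signed]" in line:
            s = SERVICE_RE.match(line)
            findings["unsigned_services"].append(s.group("name") if s else line)
        if "<==== ATTENTION" in line:
            findings["attention"] += 1
    return findings


def summarize_results(result_lines):
    """Count outcomes and keep the targets that did not go cleanly."""
    counts = Counter()
    failed, not_found = [], []
    for line in result_lines:
        m = RESULT_RE.match(line)
        if not m:
            continue  # banners, blank lines, free-text status lines
        target, outcome = m.group("target"), m.group("outcome")
        kind = classify_outcome(outcome)
        counts[kind] += 1
        if kind == "failed":
            failed.append((target, outcome))
        elif kind == "not_found":
            not_found.append(target)
    return {"counts": dict(counts), "failed": failed, "not_found": not_found}


def triage(text):
    fixlist, results = split_sections(text)
    report = {"fixlist": scan_fixlist(fixlist), "results": summarize_results(results)}
    # A service FRST could not stop, or a debugger hijack, is a reason to rescan after reboot.
    report["rescan_recommended"] = bool(report["results"]["failed"]) or bool(report["fixlist"]["ifeo_debugger"])
    return report


if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE_FIXLOG), indent=2, ensure_ascii=False))
```

Point the script at a saved Fixlog.txt by reading the file into `triage()`; the "failed" and "not_found" lists are the lines a helper would ask about in the next reply, which matches how this thread went on to request further Malwarebytes scans.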