
09caija

Members
  • Posts

    9
  • Joined

  • Last visited

Reputation

0 Neutral
  1. Hi Kevin, I've done all of that and in the last two days have had no new malware discovered. Thank you for all of your help and detailed explanations. I am incredibly grateful! Best wishes, James
  2. Hi Kevin, It appears so! I will check again tomorrow and see, but thank you for all your help! James
  3. Malwarebytes
     www.malwarebytes.com

     -Log Details-
     Scan Date: 09/12/2020
     Scan Time: 08:22
     Log File: a103c87e-39f7-11eb-8b5e-000000000000.json

     -Software Information-
     Version: 4.2.3.96
     Components Version: 1.0.1122
     Update Package Version: 1.0.34095
     Licence: Trial

     -System Information-
     OS: Windows 10 (Build 19041.630)
     CPU: x64
     File System: NTFS
     User: System

     -Scan Summary-
     Scan Type: Threat Scan
     Scan Initiated By: Scheduler
     Result: Completed
     Objects Scanned: 320229
     Threats Detected: 16
     Threats Quarantined: 0
     Time Elapsed: 16 min, 51 sec

     -Scan Options-
     Memory: Enabled
     Startup: Enabled
     Filesystem: Enabled
     Archives: Enabled
     Rootkits: Disabled
     Heuristics: Enabled
     PUP: Detect
     PUM: Detect

     -Scan Details-
     Process: 0
     (No malicious items detected)

     Module: 0
     (No malicious items detected)

     Registry Key: 0
     (No malicious items detected)

     Registry Value: 0
     (No malicious items detected)

     Registry Data: 0
     (No malicious items detected)

     Data Stream: 0
     (No malicious items detected)

     Folder: 3
     Adware.Elex, C:\USERS\JAMES\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Sync Data\LevelDB, No Action By User, 205, 762512, , , , , ,
     Adware.Elex, C:\USERS\JAMES\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Sync Data\LevelDB, No Action By User, 205, 762512, , , , , ,
     PUP.Optional.ASK, C:\USERS\JAMES\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Sync Data\LevelDB, No Action By User, 281, 454825, , , , , ,

     File: 13
     Adware.Elex, C:\Users\james\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\000005.ldb, No Action By User, 205, 762512, , , , , EE9AD2DF0E9F675F59D60931099F5B58, 3F62F288281371F197656D74E014D0489FC3926F8C7341560DC268D5DC5337D6
     Adware.Elex, C:\Users\james\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\000008.ldb, No Action By User, 205, 762512, , , , , 8816B3577FCF3F1674418F36CA941562, 9CDCE891D0AE8E7FEF6B94BDF981B2297E408E76A57D188E9464B34A1A380238
     Adware.Elex, C:\Users\james\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\000011.ldb, No Action By User, 205, 762512, , , , , 5D870BE07AEDE3BEBF354E6B39D70C32, 9995500DA94D44167A3E4245B85652E6965A56723D68230DFEFEFD3106EFE4D7
     Adware.Elex, C:\Users\james\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\000012.log, No Action By User, 205, 762512, , , , , ,
     Adware.Elex, C:\Users\james\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\000013.ldb, No Action By User, 205, 762512, , , , , 3337E2888F26E62CAEF0409DB08374D2, 08AA08BA86FBDC490BCE902D8E5C0C4752842B4E93D951AA27D555C01034EA57
     Adware.Elex, C:\Users\james\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\CURRENT, No Action By User, 205, 762512, , , , , 46295CAC801E5D4857D09837238A6394, 0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443
     Adware.Elex, C:\Users\james\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\LOCK, No Action By User, 205, 762512, , , , , ,
     Adware.Elex, C:\Users\james\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\LOG, No Action By User, 205, 762512, , , , , 5AC81FABF7BD8B043BA5E9EA1E0647DE, 4871848181D1F02F043BBBB3D526D405CF3084890E70E7EE5D84A721A9A8AB62
     Adware.Elex, C:\Users\james\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\LOG.old, No Action By User, 205, 762512, , , , , 779C5F1A4F24C7CA8E169AE571ADBEB9, FF7BE14118F74227A0DD9A840B219D56020C781BC5CB9130E32779751067EDBE
     Adware.Elex, C:\Users\james\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\MANIFEST-000001, No Action By User, 205, 762512, , , , , C5C2FCCF1E12209FE427FD9FEE3089AD, C87EC5B1C6286F89D0B45379BA15E70442AA842B56E55F387C828C8DD6092B80
     Adware.Elex, C:\USERS\JAMES\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Web Data, No Action By User, 205, 762512, 1.0.34095, , ame, , 0B47E37FA158D593828E685DE3B20918, 887F8A8E182B2A0B487BC37CE2963653253718BE8950A3893E1CEEB7D79B5654
     Adware.Elex, C:\USERS\JAMES\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Web Data, No Action By User, 205, 762512, 1.0.34095, , ame, , 0B47E37FA158D593828E685DE3B20918, 887F8A8E182B2A0B487BC37CE2963653253718BE8950A3893E1CEEB7D79B5654
     PUP.Optional.ASK, C:\USERS\JAMES\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Web Data, No Action By User, 281, 454825, 1.0.34095, , ame, , 0B47E37FA158D593828E685DE3B20918, 887F8A8E182B2A0B487BC37CE2963653253718BE8950A3893E1CEEB7D79B5654

     Physical Sector: 0
     (No malicious items detected)

     WMI: 0
     (No malicious items detected)

     (end)
  4. Hi Kevin, Fixlog attached and MSRT log below. Please note my malwarebytes autoscanned this morning and detected another 16 problems. I did not quarantine them as just in case that might interact with your fixlist.txt

     ---------------------------------------------------------------------------------------
     Microsoft Safety Scanner v1.0, (build 1.329.64.0)
     Started On Wed Dec 09 10:18:34 2020

     ->Scan ERROR: resource process://pid:124,ProcessStart:132519820166146573 (code 0x00000005 (5))
     ->Scan ERROR: resource process://pid:588,ProcessStart:132519820184481214 (code 0x00000005 (5))
     ->Scan ERROR: resource process://pid:876,ProcessStart:132519820257829164 (code 0x00000005 (5))
     ->Scan ERROR: resource process://pid:660,ProcessStart:132519820266271517 (code 0x00000005 (5))
     ->Scan ERROR: resource process://pid:668,ProcessStart:132519820266362358 (code 0x00000005 (5))
     ->Scan ERROR: resource process://pid:1004,ProcessStart:132519820267618245 (code 0x00000005 (5))
     ->Scan ERROR: resource process://pid:3240,ProcessStart:132519820292625717 (code 0x00000005 (5))
     ->Scan ERROR: resource process://pid:3392,ProcessStart:132519820293237688 (code 0x00000005 (5))
     ->Scan ERROR: resource process://pid:5024,ProcessStart:132519820318001259 (code 0x00000005 (5))
     ->Scan ERROR: resource process://pid:5652,ProcessStart:132519820330192170 (code 0x00000005 (5))
     ->Scan ERROR: resource process://pid:6268,ProcessStart:132519820345708028 (code 0x00000005 (5))
     ->Scan ERROR: resource process://pid:7240,ProcessStart:132519820351526886 (code 0x00000005 (5))
     ->Scan ERROR: resource process://pid:3468,ProcessStart:132519820515601015 (code 0x00000005 (5))
     ->Scan ERROR: resource process://pid:11908,ProcessStart:132519820567960380 (code 0x00000005 (5))
     ->Scan ERROR: resource process://pid:14644,ProcessStart:132519821542948156 (code 0x00000005 (5))
     ->Scan ERROR: resource process://pid:7240,ProcessStart:132519820351526886 (code 0x00000005 (5))
     ->Scan ERROR: resource process://pid:5024,ProcessStart:132519820318001259 (code 0x00000005 (5))
     ->Scan ERROR: resource process://pid:3240,ProcessStart:132519820292625717 (code 0x00000005 (5))
     ->Scan ERROR: resource process://pid:3468,ProcessStart:132519820515601015 (code 0x00000005 (5))
     ->Scan ERROR: resource process://pid:5652,ProcessStart:132519820330192170 (code 0x00000005 (5))
     ->Scan ERROR: resource process://pid:11908,ProcessStart:132519820567960380 (code 0x00000005 (5))
     ->Scan ERROR: resource process://pid:14644,ProcessStart:132519821542948156 (code 0x00000005 (5))
     ->Scan ERROR: resource process://pid:6268,ProcessStart:132519820345708028 (code 0x00000005 (5))
     ->Scan ERROR: resource file://C:\hiberfil.sys (code 0x00000021 (33))
     ->Scan ERROR: resource file://C:\hiberfil.sys (code 0x00000021 (33))
     ->Scan ERROR: resource file://C:\pagefile.sys (code 0x00000021 (33))
     ->Scan ERROR: resource file://C:\pagefile.sys (code 0x00000021 (33))
     ->Scan ERROR: resource file://C:\swapfile.sys (code 0x00000021 (33))
     ->Scan ERROR: resource file://C:\swapfile.sys (code 0x00000021 (33))
     ->Scan ERROR: resource process://pid:5652,ProcessStart:132519820330192170 (code 0x00000005 (5))
     ->Scan ERROR: resource process://pid:5652,ProcessStart:132519820330192170 (code 0x00000005 (5))

     Quick Scan Results for C2E1E382-0817-41D4-BC8F-067D4CB2A41B:
     ----------------
     Threat detected: VirTool:Win32/DefenderTamperingRestore
     regkeyvalue://hklm\software\microsoft\windows defender\\DisableAntiSpyware
     SigSeq: 0x0000055555C57273

     Quick Scan Removal Results
     ----------------
     Start 'remove' for regkeyvalue://hklm\software\microsoft\windows defender\\DisableAntiSpyware
     Operation succeeded !

     Results Summary:
     ----------------
     Found VirTool:Win32/DefenderTamperingRestore and Removed!
     Microsoft Safety Scanner Finished On Wed Dec 09 10:24:46 2020

     Return code: 6 (0x6)

     Fixlog_09-12-2020 10.07.24.txt
  5. Hi Kevin, No threats found on the Sophos Free Virus Removal Tool. FRST and additional logs attached! Cheers, James Addition_08-12-2020 21.12.44.txt FRST_08-12-2020 21.12.44.txt
  6. Hi Kevin, Thank you for your detailed reply, and helpful instructions. This evening I have only been able to do the Malwarebytes scan with rootkits and the AdwCleaner. The log from the latter is below, and I have attached a file for the log from the Malwarebytes scan.

     # -------------------------------
     # Malwarebytes AdwCleaner 8.0.8.0
     # -------------------------------
     # Build:    10-08-2020
     # Database: 2020-09-29.1 (Local)
     # Support:  https://www.malwarebytes.com/support
     #
     # -------------------------------
     # Mode: Clean
     # -------------------------------
     # Start:    12-07-2020
     # Duration: 00:00:08
     # OS:       Windows 10 Home
     # Cleaned:  35
     # Failed:   1

     ***** [ Services ] *****

     No malicious services cleaned.

     ***** [ Folders ] *****

     No malicious folders cleaned.

     ***** [ Files ] *****

     No malicious files cleaned.

     ***** [ DLL ] *****

     No malicious DLLs cleaned.

     ***** [ WMI ] *****

     No malicious WMI cleaned.

     ***** [ Shortcuts ] *****

     No malicious shortcuts cleaned.

     ***** [ Tasks ] *****

     No malicious tasks cleaned.

     ***** [ Registry ] *****

     Deleted       HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\utilman.exe
     Deleted       HKLM\Software\Wow6432Node\\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\utilman.exe

     ***** [ Chromium (and derivatives) ] *****

     No malicious Chromium entries cleaned.

     ***** [ Chromium URLs ] *****

     Deleted       http://searchy.easylifeapp.com/
     Deleted       http://websearch.searchsunmy.info/?pid=625&r=2013/12/25&hid=3732759502760476600&lg=EN&cc=GB&unqvl=45
     Deleted       ???????
     Not Deleted   WebSearch

     ***** [ Firefox (and derivatives) ] *****

     No malicious Firefox entries cleaned.

     ***** [ Firefox URLs ] *****

     No malicious Firefox URLs cleaned.

     ***** [ Hosts File Entries ] *****

     No malicious hosts file entries cleaned.

     ***** [ Preinstalled Software ] *****

     Deleted       Preinstalled.HPAudioSwitch            Folder     C:\Program Files (x86)\HP\HPAUDIOSWITCH
     Deleted       Preinstalled.HPAudioSwitch            Registry   HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{E2713EE3-E1F4-4E16-AAB2-060CE808B397}
     Deleted       Preinstalled.HPAudioSwitch            Registry   HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\HPAudioSwitch
     Deleted       Preinstalled.HPAudioSwitch            Task       C:\Windows\System32\Tasks\HPAUDIOSWITCH
     Deleted       Preinstalled.HPCeement                Registry   HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\HPCeeScheduleForJames
     Deleted       Preinstalled.HPJumpStartApps          Folder     C:\Program Files (x86)\HP\HP JUMPSTART APPS
     Deleted       Preinstalled.HPJumpStartApps          Registry   HKLM\Software\Wow6432Node\\Microsoft\Windows\CurrentVersion\Uninstall\HP JumpStart Apps
     Deleted       Preinstalled.HPJumpStartBridge        Folder     C:\Program Files (x86)\HP\HP JUMPSTART BRIDGE
     Deleted       Preinstalled.HPJumpStartLaunch        Folder     C:\Program Files (x86)\HP\HP JUMPSTART LAUNCH
     Deleted       Preinstalled.HPJumpStartLaunch        Registry   HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{55BB70D1-45C1-42E1-A382-DE5CB6660DA1}
     Deleted       Preinstalled.HPJumpStartLaunch        Registry   HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\HPJumpStartLaunch
     Deleted       Preinstalled.HPJumpStartLaunch        Task       C:\Windows\System32\Tasks\HPJUMPSTARTLAUNCH
     Deleted       Preinstalled.HPRegistrationService    Folder     C:\Program Files (x86)\HP\HP REGISTRATION SERVICE
     Deleted       Preinstalled.HPRegistrationService    Folder     C:\ProgramData\HP\HP REGISTRATION SERVICE
     Deleted       Preinstalled.HPSupportAssistant       Folder     C:\HP\SUPPORT
     Deleted       Preinstalled.HPSupportAssistant       Folder     C:\Program Files (x86)\HEWLETT-PACKARD\HP SUPPORT FRAMEWORK
     Deleted       Preinstalled.HPSupportAssistant       Folder     C:\ProgramData\HEWLETT-PACKARD\HP SUPPORT FRAMEWORK
     Deleted       Preinstalled.HPSupportAssistant       Folder     C:\Users\james\AppData\Local\HEWLETT-PACKARD\HP SUPPORT FRAMEWORK
     Deleted       Preinstalled.HPSupportAssistant       Folder     C:\Users\james\AppData\Roaming\HEWLETT-PACKARD\HP SUPPORT FRAMEWORK
     Deleted       Preinstalled.HPSupportAssistant       Registry   HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{E76FD755-C1BA-4DCB-9F13-99BD91223ADE}
     Deleted       Preinstalled.HPSupportAssistant       Registry   HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{E76FD755-C1BA-4DCB-9F13-99BD91223ADE}
     Deleted       Preinstalled.HPSupportAssistant       Registry   HKLM\Software\Classes\CLSID\{E76FD755-C1BA-4DCB-9F13-99BD91223ADE}
     Deleted       Preinstalled.HPSupportAssistant       Registry   HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E76FD755-C1BA-4DCB-9F13-99BD91223ADE}
     Deleted       Preinstalled.HPSupportAssistant       Registry   HKLM\Software\Wow6432Node\\Classes\CLSID\{E76FD755-C1BA-4DCB-9F13-99BD91223ADE}
     Deleted       Preinstalled.HPSupportAssistant       Registry   HKLM\Software\Wow6432Node\\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E76FD755-C1BA-4DCB-9F13-99BD91223ADE}
     Deleted       Preinstalled.HPSupportAssistant       Registry   HKLM\Software\Wow6432Node\\Microsoft\Windows\CurrentVersion\Uninstall\{4AAC4B07-77EF-4BCF-88DC-D24E4DE683E8}
     Deleted       Preinstalled.HPSureConnect            Folder     C:\Program Files\HPCOMMRECOVERY
     Deleted       Preinstalled.HPSureConnect            Registry   HKLM\Software\Wow6432Node\\Microsoft\Windows\CurrentVersion\Uninstall\{6468C4A5-E47E-405F-B675-A70A70983EA6}
     Deleted       Preinstalled.HPTouchpointAnalyticsClient  Folder     C:\ProgramData\HP\HP TOUCHPOINT ANALYTICS CLIENT
     Deleted       Preinstalled.HPTouchpointAnalyticsClient  Registry   HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\{E5FB98E0-0784-44F0-8CEC-95CD4690C43F}

     *************************

     [+] Delete Tracing Keys
     [+] Reset Winsock

     *************************

     AdwCleaner[S00].txt - [5387 octets] - [07/12/2020 21:52:20]

     ########## EOF - C:\AdwCleaner\Logs\AdwCleaner[C00].txt ##########

     I will endeavour to do the remaining stages tomorrow!

     Malware Summary 20201207.txt
  7. Hi Kevin, hopefully these are better (bigger file sizes!) Addition_07-12-2020 13.48.05.txt FRST_07-12-2020 13.48.05.txt
  8. Hi Kevin, thank you for your swift reply. Is this the file you need? FRST_07-12-2020 08.41.00.txt
  9. Hi, It appears that I have malware which attempts to boot on starting Chrome. Fortunately my antivirus blocks it from starting up, and I downloaded Malwarebytes. It detected 19 items which it dealt with, but on restarting the computer it appears these are still present; they all seem to be hiding in the AppData and re-generating. As instructed, I have attached the FRST reports. I would be very grateful for any assistance! Addition.txt FRST.txt