09caija
Malwarebytes
www.malwarebytes.com

-Log Details-
Scan Date: 09/12/2020
Scan Time: 08:22
Log File: a103c87e-39f7-11eb-8b5e-000000000000.json

-Software Information-
Version: 4.2.3.96
Components Version: 1.0.1122
Update Package Version: 1.0.34095
Licence: Trial

-System Information-
OS: Windows 10 (Build 19041.630)
CPU: x64
File System: NTFS
User: System

-Scan Summary-
Scan Type: Threat Scan
Scan Initiated By: Scheduler
Result: Completed
Objects Scanned: 320229
Threats Detected: 16
Threats Quarantined: 0
Time Elapsed: 16 min, 51 sec

-Scan Options-
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Detect
PUM: Detect

-Scan Details-
Process: 0
(No malicious items detected)

Module: 0
(No malicious items detected)

Registry Key: 0
(No malicious items detected)

Registry Value: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Data Stream: 0
(No malicious items detected)

Folder: 3
Adware.Elex, C:\USERS\JAMES\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Sync Data\LevelDB, No Action By User, 205, 762512, , , , , , 
Adware.Elex, C:\USERS\JAMES\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Sync Data\LevelDB, No Action By User, 205, 762512, , , , , , 
PUP.Optional.ASK, C:\USERS\JAMES\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Sync Data\LevelDB, No Action By User, 281, 454825, , , , , , 

File: 13
Adware.Elex, C:\Users\james\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\000005.ldb, No Action By User, 205, 762512, , , , , EE9AD2DF0E9F675F59D60931099F5B58, 3F62F288281371F197656D74E014D0489FC3926F8C7341560DC268D5DC5337D6
Adware.Elex, C:\Users\james\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\000008.ldb, No Action By User, 205, 762512, , , , , 8816B3577FCF3F1674418F36CA941562, 9CDCE891D0AE8E7FEF6B94BDF981B2297E408E76A57D188E9464B34A1A380238
Adware.Elex, C:\Users\james\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\000011.ldb, No Action By User, 205, 762512, , , , , 5D870BE07AEDE3BEBF354E6B39D70C32, 9995500DA94D44167A3E4245B85652E6965A56723D68230DFEFEFD3106EFE4D7
Adware.Elex, C:\Users\james\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\000012.log, No Action By User, 205, 762512, , , , , , 
Adware.Elex, C:\Users\james\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\000013.ldb, No Action By User, 205, 762512, , , , , 3337E2888F26E62CAEF0409DB08374D2, 08AA08BA86FBDC490BCE902D8E5C0C4752842B4E93D951AA27D555C01034EA57
Adware.Elex, C:\Users\james\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\CURRENT, No Action By User, 205, 762512, , , , , 46295CAC801E5D4857D09837238A6394, 0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443
Adware.Elex, C:\Users\james\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\LOCK, No Action By User, 205, 762512, , , , , , 
Adware.Elex, C:\Users\james\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\LOG, No Action By User, 205, 762512, , , , , 5AC81FABF7BD8B043BA5E9EA1E0647DE, 4871848181D1F02F043BBBB3D526D405CF3084890E70E7EE5D84A721A9A8AB62
Adware.Elex, C:\Users\james\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\LOG.old, No Action By User, 205, 762512, , , , , 779C5F1A4F24C7CA8E169AE571ADBEB9, FF7BE14118F74227A0DD9A840B219D56020C781BC5CB9130E32779751067EDBE
Adware.Elex, C:\Users\james\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\MANIFEST-000001, No Action By User, 205, 762512, , , , , C5C2FCCF1E12209FE427FD9FEE3089AD, C87EC5B1C6286F89D0B45379BA15E70442AA842B56E55F387C828C8DD6092B80
Adware.Elex, C:\USERS\JAMES\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Web Data, No Action By User, 205, 762512, 1.0.34095, , ame, , 0B47E37FA158D593828E685DE3B20918, 887F8A8E182B2A0B487BC37CE2963653253718BE8950A3893E1CEEB7D79B5654
Adware.Elex, C:\USERS\JAMES\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Web Data, No Action By User, 205, 762512, 1.0.34095, , ame, , 0B47E37FA158D593828E685DE3B20918, 887F8A8E182B2A0B487BC37CE2963653253718BE8950A3893E1CEEB7D79B5654
PUP.Optional.ASK, C:\USERS\JAMES\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Web Data, No Action By User, 281, 454825, 1.0.34095, , ame, , 0B47E37FA158D593828E685DE3B20918, 887F8A8E182B2A0B487BC37CE2963653253718BE8950A3893E1CEEB7D79B5654

Physical Sector: 0
(No malicious items detected)

WMI: 0
(No malicious items detected)


(end)
-
Hi Kevin,

Fixlog attached and MSRT log below. Please note my Malwarebytes auto-scanned this morning and detected another 16 problems. I did not quarantine them, just in case that might interact with your fixlist.txt.

---------------------------------------------------------------------------------------

Microsoft Safety Scanner v1.0, (build 1.329.64.0)
Started On Wed Dec 09 10:18:34 2020

->Scan ERROR: resource process://pid:124,ProcessStart:132519820166146573 (code 0x00000005 (5))
->Scan ERROR: resource process://pid:588,ProcessStart:132519820184481214 (code 0x00000005 (5))
->Scan ERROR: resource process://pid:876,ProcessStart:132519820257829164 (code 0x00000005 (5))
->Scan ERROR: resource process://pid:660,ProcessStart:132519820266271517 (code 0x00000005 (5))
->Scan ERROR: resource process://pid:668,ProcessStart:132519820266362358 (code 0x00000005 (5))
->Scan ERROR: resource process://pid:1004,ProcessStart:132519820267618245 (code 0x00000005 (5))
->Scan ERROR: resource process://pid:3240,ProcessStart:132519820292625717 (code 0x00000005 (5))
->Scan ERROR: resource process://pid:3392,ProcessStart:132519820293237688 (code 0x00000005 (5))
->Scan ERROR: resource process://pid:5024,ProcessStart:132519820318001259 (code 0x00000005 (5))
->Scan ERROR: resource process://pid:5652,ProcessStart:132519820330192170 (code 0x00000005 (5))
->Scan ERROR: resource process://pid:6268,ProcessStart:132519820345708028 (code 0x00000005 (5))
->Scan ERROR: resource process://pid:7240,ProcessStart:132519820351526886 (code 0x00000005 (5))
->Scan ERROR: resource process://pid:3468,ProcessStart:132519820515601015 (code 0x00000005 (5))
->Scan ERROR: resource process://pid:11908,ProcessStart:132519820567960380 (code 0x00000005 (5))
->Scan ERROR: resource process://pid:14644,ProcessStart:132519821542948156 (code 0x00000005 (5))
->Scan ERROR: resource process://pid:7240,ProcessStart:132519820351526886 (code 0x00000005 (5))
->Scan ERROR: resource process://pid:5024,ProcessStart:132519820318001259 (code 0x00000005 (5))
->Scan ERROR: resource process://pid:3240,ProcessStart:132519820292625717 (code 0x00000005 (5))
->Scan ERROR: resource process://pid:3468,ProcessStart:132519820515601015 (code 0x00000005 (5))
->Scan ERROR: resource process://pid:5652,ProcessStart:132519820330192170 (code 0x00000005 (5))
->Scan ERROR: resource process://pid:11908,ProcessStart:132519820567960380 (code 0x00000005 (5))
->Scan ERROR: resource process://pid:14644,ProcessStart:132519821542948156 (code 0x00000005 (5))
->Scan ERROR: resource process://pid:6268,ProcessStart:132519820345708028 (code 0x00000005 (5))
->Scan ERROR: resource file://C:\hiberfil.sys (code 0x00000021 (33))
->Scan ERROR: resource file://C:\hiberfil.sys (code 0x00000021 (33))
->Scan ERROR: resource file://C:\pagefile.sys (code 0x00000021 (33))
->Scan ERROR: resource file://C:\pagefile.sys (code 0x00000021 (33))
->Scan ERROR: resource file://C:\swapfile.sys (code 0x00000021 (33))
->Scan ERROR: resource file://C:\swapfile.sys (code 0x00000021 (33))
->Scan ERROR: resource process://pid:5652,ProcessStart:132519820330192170 (code 0x00000005 (5))
->Scan ERROR: resource process://pid:5652,ProcessStart:132519820330192170 (code 0x00000005 (5))

Quick Scan Results for C2E1E382-0817-41D4-BC8F-067D4CB2A41B:
----------------
Threat detected: VirTool:Win32/DefenderTamperingRestore
    regkeyvalue://hklm\software\microsoft\windows defender\\DisableAntiSpyware
        SigSeq: 0x0000055555C57273

Quick Scan Removal Results
----------------
Start 'remove' for regkeyvalue://hklm\software\microsoft\windows defender\\DisableAntiSpyware
Operation succeeded !

Results Summary:
----------------
Found VirTool:Win32/DefenderTamperingRestore and Removed!
Microsoft Safety Scanner Finished On Wed Dec 09 10:24:46 2020

Return code: 6 (0x6)

Fixlog_09-12-2020 10.07.24.txt
-
Hi Kevin,

Thank you for your detailed reply, and helpful instructions. This evening I have only been able to do the Malwarebytes scan with rootkits and the AdwCleaner. The log from the latter is below, and I have attached a file for the log from the Malwarebytes scan.

# -------------------------------
# Malwarebytes AdwCleaner 8.0.8.0
# -------------------------------
# Build:    10-08-2020
# Database: 2020-09-29.1 (Local)
# Support:  https://www.malwarebytes.com/support
#
# -------------------------------
# Mode: Clean
# -------------------------------
# Start:    12-07-2020
# Duration: 00:00:08
# OS:       Windows 10 Home
# Cleaned:  35
# Failed:   1

***** [ Services ] *****

No malicious services cleaned.

***** [ Folders ] *****

No malicious folders cleaned.

***** [ Files ] *****

No malicious files cleaned.

***** [ DLL ] *****

No malicious DLLs cleaned.

***** [ WMI ] *****

No malicious WMI cleaned.

***** [ Shortcuts ] *****

No malicious shortcuts cleaned.

***** [ Tasks ] *****

No malicious tasks cleaned.

***** [ Registry ] *****

Deleted       HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\utilman.exe
Deleted       HKLM\Software\Wow6432Node\\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\utilman.exe

***** [ Chromium (and derivatives) ] *****

No malicious Chromium entries cleaned.

***** [ Chromium URLs ] *****

Deleted       http://searchy.easylifeapp.com/
Deleted       http://websearch.searchsunmy.info/?pid=625&r=2013/12/25&hid=3732759502760476600&lg=EN&cc=GB&unqvl=45
Deleted       ???????
Not Deleted   WebSearch

***** [ Firefox (and derivatives) ] *****

No malicious Firefox entries cleaned.

***** [ Firefox URLs ] *****

No malicious Firefox URLs cleaned.

***** [ Hosts File Entries ] *****

No malicious hosts file entries cleaned.

***** [ Preinstalled Software ] *****

Deleted       Preinstalled.HPAudioSwitch              Folder      C:\Program Files (x86)\HP\HPAUDIOSWITCH
Deleted       Preinstalled.HPAudioSwitch              Registry    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{E2713EE3-E1F4-4E16-AAB2-060CE808B397}
Deleted       Preinstalled.HPAudioSwitch              Registry    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\HPAudioSwitch
Deleted       Preinstalled.HPAudioSwitch              Task        C:\Windows\System32\Tasks\HPAUDIOSWITCH
Deleted       Preinstalled.HPCeement                  Registry    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\HPCeeScheduleForJames
Deleted       Preinstalled.HPJumpStartApps            Folder      C:\Program Files (x86)\HP\HP JUMPSTART APPS
Deleted       Preinstalled.HPJumpStartApps            Registry    HKLM\Software\Wow6432Node\\Microsoft\Windows\CurrentVersion\Uninstall\HP JumpStart Apps
Deleted       Preinstalled.HPJumpStartBridge          Folder      C:\Program Files (x86)\HP\HP JUMPSTART BRIDGE
Deleted       Preinstalled.HPJumpStartLaunch          Folder      C:\Program Files (x86)\HP\HP JUMPSTART LAUNCH
Deleted       Preinstalled.HPJumpStartLaunch          Registry    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{55BB70D1-45C1-42E1-A382-DE5CB6660DA1}
Deleted       Preinstalled.HPJumpStartLaunch          Registry    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\HPJumpStartLaunch
Deleted       Preinstalled.HPJumpStartLaunch          Task        C:\Windows\System32\Tasks\HPJUMPSTARTLAUNCH
Deleted       Preinstalled.HPRegistrationService      Folder      C:\Program Files (x86)\HP\HP REGISTRATION SERVICE
Deleted       Preinstalled.HPRegistrationService      Folder      C:\ProgramData\HP\HP REGISTRATION SERVICE
Deleted       Preinstalled.HPSupportAssistant         Folder      C:\HP\SUPPORT
Deleted       Preinstalled.HPSupportAssistant         Folder      C:\Program Files (x86)\HEWLETT-PACKARD\HP SUPPORT FRAMEWORK
Deleted       Preinstalled.HPSupportAssistant         Folder      C:\ProgramData\HEWLETT-PACKARD\HP SUPPORT FRAMEWORK
Deleted       Preinstalled.HPSupportAssistant         Folder      C:\Users\james\AppData\Local\HEWLETT-PACKARD\HP SUPPORT FRAMEWORK
Deleted       Preinstalled.HPSupportAssistant         Folder      C:\Users\james\AppData\Roaming\HEWLETT-PACKARD\HP SUPPORT FRAMEWORK
Deleted       Preinstalled.HPSupportAssistant         Registry    HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{E76FD755-C1BA-4DCB-9F13-99BD91223ADE}
Deleted       Preinstalled.HPSupportAssistant         Registry    HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{E76FD755-C1BA-4DCB-9F13-99BD91223ADE}
Deleted       Preinstalled.HPSupportAssistant         Registry    HKLM\Software\Classes\CLSID\{E76FD755-C1BA-4DCB-9F13-99BD91223ADE}
Deleted       Preinstalled.HPSupportAssistant         Registry    HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E76FD755-C1BA-4DCB-9F13-99BD91223ADE}
Deleted       Preinstalled.HPSupportAssistant         Registry    HKLM\Software\Wow6432Node\\Classes\CLSID\{E76FD755-C1BA-4DCB-9F13-99BD91223ADE}
Deleted       Preinstalled.HPSupportAssistant         Registry    HKLM\Software\Wow6432Node\\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E76FD755-C1BA-4DCB-9F13-99BD91223ADE}
Deleted       Preinstalled.HPSupportAssistant         Registry    HKLM\Software\Wow6432Node\\Microsoft\Windows\CurrentVersion\Uninstall\{4AAC4B07-77EF-4BCF-88DC-D24E4DE683E8}
Deleted       Preinstalled.HPSureConnect              Folder      C:\Program Files\HPCOMMRECOVERY
Deleted       Preinstalled.HPSureConnect              Registry    HKLM\Software\Wow6432Node\\Microsoft\Windows\CurrentVersion\Uninstall\{6468C4A5-E47E-405F-B675-A70A70983EA6}
Deleted       Preinstalled.HPTouchpointAnalyticsClient Folder     C:\ProgramData\HP\HP TOUCHPOINT ANALYTICS CLIENT
Deleted       Preinstalled.HPTouchpointAnalyticsClient Registry   HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\{E5FB98E0-0784-44F0-8CEC-95CD4690C43F}

*************************

[+] Delete Tracing Keys
[+] Reset Winsock

*************************

AdwCleaner[S00].txt - [5387 octets] - [07/12/2020 21:52:20]

########## EOF - C:\AdwCleaner\Logs\AdwCleaner[C00].txt ##########

I will endeavour to do the remaining stages tomorrow!

Malware Summary 20201207.txt
-
Hi,

It appears that I have malware which attempts to boot on starting Chrome. Fortunately my antivirus blocks it from starting up, and I downloaded Malwarebytes. It detected 19 items which it dealt with, but on restarting the computer it appears these are still present; they all seem to be hiding in the AppData and re-generating. As instructed, I have attached the FRST reports. I would be very grateful for any assistance!

Addition.txt
FRST.txt