
Was/Am infected by ??



My security was turned off and I could not re-start it. I was unable to go on-line. My Chrome icon disappeared. So, I scanned with:

Malwarebytes
Avast
AdwCleaner
Junkware Removal Tool
TDSSKiller
RogueKiller
ComboFix
FRST64

Edited by Sequoia33

  • Staff

***This is an automated reply***

Hi,

Thanks for posting in the Malware Removal for Windows Help forum. Being infected is not fun and can be very frustrating to resolve, but don't worry, because we have a team of experts here to help you!

Note: Please be patient. When the site is busy it can take up to 48 hours before a malware removal helper can assist you. If no one has replied to your new topic after 48 hours please contact a Moderator or Administrator to let them know.

First, if you haven't done so, please run a Threat Scan with the latest version of Malwarebytes. This may resolve your malware infection issue without the need for additional support. Click "Reveal Hidden Contents" below for details:


Malwarebytes can detect and remove most malware with no further actions required for free.

If you do not have Malwarebytes, please download it here and install. Be sure to post back the log as shown below.

  1. Open Malwarebytes for Windows.
  2. To the left, click Scan > Scan Types.
  3. Select Threat Scan. Threat Scan is the most thorough and recommended scan method available.
  4. Click Start Scan.

Next, if you're still experiencing issues after running Malwarebytes, then technical logs will be required to assist you. Click "Reveal Hidden Contents" below and follow the instructions to run the Farbar Recovery Scan Tool:


Don't use any temporary file cleaners unless requested - this can cause data loss and make a recovery difficult.

Please download the Farbar Recovery Scan Tool here and save it to your desktop. Note: You need to run the version compatible with your system. You can check here if you're not sure whether your computer is 32-bit or 64-bit.

  1. Double-click to run it. When the tool opens, click Yes to the disclaimer.
  2. Press the Scan button.
  3. It will make a log (FRST.txt) in the same directory the tool is run from. Please copy and paste it into your reply.
  4. The first time the tool is run, it also makes another log (Addition.txt). If you've run it before it may not, and you may need to select it manually.

Finally, attach the Malwarebytes Threat Scan, FRST.txt and Addition.txt logs to your reply. Before submitting your reply, be sure to enable "Notify me of replies".

Click "Reveal Hidden Contents" below for details on how to add attachments to your post.
Note: If you are unable to attach files, please copy and paste the contents of the requested files into your reply instead.


To save attachments, please click the attachment link. You can click and drag the files to this bar, or click "choose files", then browse to where your files are located, select them and click the Open button.

Please Note the Following:

  • One of our expert helpers will give you one-on-one assistance when one becomes available.
  • Refrain from making any further changes to your computer (such as Install/Uninstall programs, using special fix tools, delete files, edit the registry, etc...) unless advised by a malware removal helper. Doing so can result in system changes which may hinder the attempts by a helper to clean your machine.
  • Do not 'bump' or add a reply to your topic once it is started. Topics which appear to have replies are considered to have a helper assisting them and may be overlooked, resulting in a longer waiting period for help.
  • If you're using Peer 2 Peer software such as uTorrent or similar, please completely disable it from running while being assisted here.

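The staff post asks for FRST.txt because that log is where a helper sees what the infection changed, and the lines that matter are easy to miss among the hundreds FRST prints. As an added example (not part of this thread, and not code from Malwarebytes, Farbar or the forum), the Python script below reads an FRST.txt and pulls out the lines a helper reads first: entries FRST itself tags with "<==== ATTENTION", Explorer and system policy values that are switched on (the ones that hide the Security Center icon and notification balloons are exactly what lets "my security was turned off" go unnoticed), and service or driver entries whose image file is missing ("[X]"). The policy descriptions are the Group Policy meanings of those registry values; the SAMPLE_FRST text is constructed in the shape of FRST output and is not a real scan.

```python
"""Triage of an FRST.txt (Farbar Recovery Scan Tool) log.

Added example for this thread; it is not code from Malwarebytes, Farbar or the
forum. It pulls out the lines a malware-removal helper reads first:
  * entries FRST itself tags with "<==== ATTENTION",
  * Explorer / system policy values that are switched on, with the Group Policy
    meaning of the ones that hide security state from the user,
  * service and driver entries whose image file is missing ("[X]").
The SAMPLE_FRST text below is constructed in the shape of FRST output, not a
real scan.
"""
import re
from dataclasses import dataclass

# Group Policy meaning of registry policy values malware likes to set so the
# victim does not notice that protection is off. Anything not listed is still
# reported when enabled, just without a description.
POLICY_NOTES = {
    "HideSCAHealth": "hides the Action Center / Security Center tray icon",
    "HideSCANetwork": "hides the network tray icon",
    "HideSCAVolume": "hides the volume tray icon",
    "HideSCABattery": "hides the battery tray icon",
    "TaskbarNoNotification": "suppresses all notification-area balloons",
    "NoRecentDocsHistory": "stops recording recent-document history",
    "NolowDiskSpaceChecks": "turns off low-disk-space warnings",
    "DisableCMD": "blocks the command prompt",
    "NoWindowsUpdate": "removes Windows Update links",
}

# Shape: HKLM\...\Policies\Explorer: [HideSCAHealth] 1
POLICY_RE = re.compile(
    r"^(?P<hive>HK\S+?)\\\.\.\.\\Policies\\(?P<key>\w+): \[(?P<name>\w+)\] (?P<value>\d+)$"
)
# Shape: S3 catchme; \??\C:\ComboFix\catchme.sys [X]
MISSING_RE = re.compile(r"^(?P<state>[RSU]\d) (?P<name>[^;]+); (?P<path>\S.*) \[X\]$")


@dataclass(frozen=True)
class Finding:
    kind: str   # "attention", "policy" or "missing-file"
    line: str   # the FRST line exactly as logged
    note: str   # why a helper would look at it


def triage(frst_text: str) -> list[Finding]:
    """Return the findings for one FRST.txt, in log order."""
    findings: list[Finding] = []
    for raw in frst_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith("<==== ATTENTION"):
            findings.append(Finding(
                "attention", line,
                "flagged by FRST; a Restriction means a Policies key holds values "
                "that should be confirmed as intentional before they are removed"))
            continue
        m = POLICY_RE.match(line)
        if m:
            if m["value"] != "0":   # FRST lists 0-valued policies too; those are off
                note = POLICY_NOTES.get(
                    m["name"], "policy enabled; check whether an administrator set it")
                findings.append(Finding("policy", line, note))
            continue
        m = MISSING_RE.match(line)
        if m:
            findings.append(Finding(
                "missing-file", line,
                f"service {m['name']} points at a file that no longer exists "
                "(leftover of a removed tool, or of malware)"))
    return findings


def counts_by_kind(findings: list[Finding]) -> dict[str, int]:
    """Summary used for a quick 'anything to look at?' check."""
    counts: dict[str, int] = {}
    for f in findings:
        counts[f.kind] = counts.get(f.kind, 0) + 1
    return counts


# Constructed sample in the shape of the "Registry (Whitelisted)" and
# "Drivers (Whitelisted)" sections of FRST.txt (not a real scan).
SAMPLE_FRST = r"""
HKLM\...\Run: [AvastUI.exe] => C:\Program Files\AVAST Software\Avast\AvLaunch.exe [242904 2018-05-14] (AVAST Software)
HKLM\...\Policies\Explorer: [TaskbarNoNotification] 1
HKLM\...\Policies\Explorer: [HideSCAHealth] 1
HKLM\...\Policies\Explorer: [NoDevMgrUpdate] 0
HKLM\SOFTWARE\Policies\Microsoft\Windows Defender: Restriction <==== ATTENTION
HKU\S-1-5-19\...\Policies\system: [DisableCMD] 0
HKU\S-1-5-21-1111111111-222222222-3333333333-1000\...\Policies\Explorer: [HideSCANetwork] 1
HKU\S-1-5-21-1111111111-222222222-3333333333-1000\...\Policies\Explorer: [NolowDiskSpaceChecks] 1
GroupPolicy\User: Restriction ? <==== ATTENTION
CHR HKLM\SOFTWARE\Policies\Google: Restriction <==== ATTENTION
R1 aswSP; C:\Windows\System32\drivers\aswSP.sys [460520 2018-05-14] (AVAST Software)
S3 catchme; \??\C:\ComboFix\catchme.sys [X]
S3 cpuz143; \??\C:\Windows\temp\cpuz143\cpuz143_x64.sys [X]
U1 aswbdisk; no ImagePath
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_FRST):
        print(f"[{f.kind}] {f.line}\n    -> {f.note}")
    print(counts_by_kind(triage(SAMPLE_FRST)))
```

Run it as `python frst_triage.py` to see the sample, or replace SAMPLE_FRST with `open("FRST.txt", encoding="utf-8", errors="replace").read()` to run it over a real log. The script only reports; the actual fix belongs in an FRST fixlist written by the helper, because a policy value can also have been set deliberately by an administrator, and an enabled policy by itself is not proof of infection.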

MB Threat Scan was the first and last scan in the sequence while I was in panic mode.

Here is the final scan (below). The only scan that detected anything at all, other than FRST64, was ComboFix, which removed many MBs of files.

Malwarebytes
www.malwarebytes.com

-Log Details-
Scan Date: 5/25/18
Scan Time: 5:13 PM
Log File: 95e753b6-6079-11e8-9441-0025b3c889fc.json
Administrator: Yes

-Software Information-
Version: 3.4.4.2398
Components Version: 1.0.322
Update Package Version: 1.0.5252
License: Premium

-System Information-
OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: workhorse-PC\work horse

-Scan Summary-
Scan Type: Threat Scan
Result: Completed
Objects Scanned: 229491
Threats Detected: 0
(No malicious items detected)
Threats Quarantined: 0
(No malicious items detected)
Time Elapsed: 7 min, 2 sec

-Scan Options-
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Warn
PUM: Warn

-Scan Details-
Process: 0
(No malicious items detected)

Module: 0
(No malicious items detected)

Registry Key: 0
(No malicious items detected)

Registry Value: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Data Stream: 0
(No malicious items detected)

Folder: 0
(No malicious items detected)

File: 0
(No malicious items detected)

Physical Sector: 0
(No malicious items detected)


(end)

In the original post I had to delete the FRST64 logs as they opened in MY DOCUMENTS. They should be OK now:

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 16.05.2018 01
Ran by work horse (administrator) on WORKHORSE-PC (25-05-2018 16:16:20)
Running from C:\Users\work horse\Desktop
Loaded Profiles: work horse (Available Profiles: work horse)
Platform: Windows 7 Professional Service Pack 1 (X64) Language: English (United States)
Internet Explorer Version 11 (Default browser: Chrome)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(AVAST Software) C:\Program Files\AVAST Software\Avast\AvastSvc.exe
(AVAST Software) C:\Program Files\AVAST Software\Avast\AvastUI.exe
( ) C:\Windows\System32\lxeccoms.exe
(Microsoft Corporation) C:\Windows\System32\snmptrap.exe
(Malwarebytes) C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe
(Malwarebytes) C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe
(AVAST Software) C:\Program Files\AVAST Software\Avast\x64\aswidsagenta.exe
(Intel Corporation) C:\Windows\System32\igfxsrvc.exe

==================== Registry (Whitelisted) ===========================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [AvastUI.exe] => C:\Program Files\AVAST Software\Avast\AvLaunch.exe [242904 2018-05-14] (AVAST Software)
HKLM\...\Policies\Explorer: [TaskbarNoNotification] 1
HKLM\...\Policies\Explorer: [HideSCAHealth] 1
HKLM\...\Policies\Explorer: [NoDevMgrUpdate] 0
HKLM\...\Policies\Explorer: [NoSetTaskbar] 0
HKLM\...\Policies\Explorer: [NoDeletePrinter] 0
HKLM\...\Policies\Explorer: [NoDFSTab] 0
HKLM\...\Policies\Explorer: [NoChangeStartMenu] 0
HKLM\...\Policies\Explorer: [NoEncryptOnMove] 0
HKLM\...\Policies\Explorer: [NoRunasInstallPrompt] 0
HKLM\...\Policies\Explorer: [NoResolveSearch] 0
HKLM\...\Policies\Explorer: [NoHardwareTab] 0
HKLM\...\Policies\Explorer: [NoStartMenuSubFolders] 0
HKLM\...\Policies\Explorer: [NoInstrumentation] 0
HKLM\...\Policies\Explorer: [NoRecentDocsHistory] 1
HKLM\SOFTWARE\Policies\Microsoft\Windows Defender: Restriction <==== ATTENTION
HKU\S-1-5-19\...\Policies\system: [DisableCMD] 0
HKU\S-1-5-19\...\Policies\system: [NoDispAppearancePage] 0
HKU\S-1-5-19\...\Policies\system: [NoDispBackgroundPage] 0
HKU\S-1-5-19\...\Policies\system: [NoDispSettingsPage] 0
HKU\S-1-5-19\...\Policies\Explorer: [NoViewOnDrive] 0
HKU\S-1-5-19\...\Policies\Explorer: [DisableLocalMachineRun] 0
HKU\S-1-5-19\...\Policies\Explorer: [DisableLocalMachineRunOnce] 0
HKU\S-1-5-19\...\Policies\Explorer: [DisableCurrentUserRun] 0
HKU\S-1-5-19\...\Policies\Explorer: [DisableCurrentUserRunOnce] 0
HKU\S-1-5-19\...\Policies\Explorer: [NoViewContextMenu] 0
HKU\S-1-5-19\...\Policies\Explorer: [NoShellSearchButton] 0
HKU\S-1-5-19\...\Policies\Explorer: [NoFind] 0
HKU\S-1-5-19\...\Policies\Explorer: [NoFile] 0
HKU\S-1-5-19\...\Policies\Explorer: [HideClock] 0
HKU\S-1-5-19\...\Policies\Explorer: [NoTrayContextMenu] 0
HKU\S-1-5-19\...\Policies\Explorer: [NoTrayItemsDisplay] 0
HKU\S-1-5-19\...\Policies\Explorer: [NoSetFolders] 0
HKU\S-1-5-19\...\Policies\Explorer: [NoDevMgrUpdate] 0
HKU\S-1-5-19\...\Policies\Explorer: [NoSetTaskbar] 0
HKU\S-1-5-19\...\Policies\Explorer: [NoDeletePrinter] 0
HKU\S-1-5-19\...\Policies\Explorer: [NoDFSTab] 0
HKU\S-1-5-19\...\Policies\Explorer: [NoChangeStartMenu] 0
HKU\S-1-5-19\...\Policies\Explorer: [NoLogoff] 0
HKU\S-1-5-19\...\Policies\Explorer: [NoWindowsUpdate] 0
HKU\S-1-5-19\...\Policies\Explorer: [NoEncryptOnMove] 0
HKU\S-1-5-19\...\Policies\Explorer: [NoRunasInstallPrompt] 0
HKU\S-1-5-19\...\Policies\Explorer: [NoResolveSearch] 0
HKU\S-1-5-19\...\Policies\Explorer: [NoSaveSettings] 0
HKU\S-1-5-19\...\Policies\Explorer: [NoHardwareTab] 0
HKU\S-1-5-19\...\Policies\Explorer: [NoStartMenuSubFolders] 0
HKU\S-1-5-20\...\Policies\system: [DisableCMD] 0
HKU\S-1-5-20\...\Policies\system: [NoDispAppearancePage] 0
HKU\S-1-5-20\...\Policies\system: [NoDispBackgroundPage] 0
HKU\S-1-5-20\...\Policies\system: [NoDispSettingsPage] 0
HKU\S-1-5-20\...\Policies\Explorer: [NoViewOnDrive] 0
HKU\S-1-5-20\...\Policies\Explorer: [DisableLocalMachineRun] 0
HKU\S-1-5-20\...\Policies\Explorer: [DisableLocalMachineRunOnce] 0
HKU\S-1-5-20\...\Policies\Explorer: [DisableCurrentUserRun] 0
HKU\S-1-5-20\...\Policies\Explorer: [DisableCurrentUserRunOnce] 0
HKU\S-1-5-20\...\Policies\Explorer: [NoViewContextMenu] 0
HKU\S-1-5-20\...\Policies\Explorer: [NoShellSearchButton] 0
HKU\S-1-5-20\...\Policies\Explorer: [NoFind] 0
HKU\S-1-5-20\...\Policies\Explorer: [NoFile] 0
HKU\S-1-5-20\...\Policies\Explorer: [HideClock] 0
HKU\S-1-5-20\...\Policies\Explorer: [NoTrayContextMenu] 0
HKU\S-1-5-20\...\Policies\Explorer: [NoTrayItemsDisplay] 0
HKU\S-1-5-20\...\Policies\Explorer: [NoSetFolders] 0
HKU\S-1-5-20\...\Policies\Explorer: [NoDevMgrUpdate] 0
HKU\S-1-5-20\...\Policies\Explorer: [NoSetTaskbar] 0
HKU\S-1-5-20\...\Policies\Explorer: [NoDeletePrinter] 0
HKU\S-1-5-20\...\Policies\Explorer: [NoDFSTab] 0
HKU\S-1-5-20\...\Policies\Explorer: [NoChangeStartMenu] 0
HKU\S-1-5-20\...\Policies\Explorer: [NoLogoff] 0
HKU\S-1-5-20\...\Policies\Explorer: [NoWindowsUpdate] 0
HKU\S-1-5-20\...\Policies\Explorer: [NoEncryptOnMove] 0
HKU\S-1-5-20\...\Policies\Explorer: [NoRunasInstallPrompt] 0
HKU\S-1-5-20\...\Policies\Explorer: [NoResolveSearch] 0
HKU\S-1-5-20\...\Policies\Explorer: [NoSaveSettings] 0
HKU\S-1-5-20\...\Policies\Explorer: [NoHardwareTab] 0
HKU\S-1-5-20\...\Policies\Explorer: [NoStartMenuSubFolders] 0
HKU\S-1-5-21-2561101334-532984164-2244958137-1000\...\Policies\Explorer: [HideSCABattery] 1
HKU\S-1-5-21-2561101334-532984164-2244958137-1000\...\Policies\Explorer: [HideSCANetwork] 1
HKU\S-1-5-21-2561101334-532984164-2244958137-1000\...\Policies\Explorer: [HideSCAVolume] 1
HKU\S-1-5-21-2561101334-532984164-2244958137-1000\...\Policies\Explorer: [TaskbarNoNotification] 1
HKU\S-1-5-21-2561101334-532984164-2244958137-1000\...\Policies\Explorer: [NoDevMgrUpdate] 0
HKU\S-1-5-21-2561101334-532984164-2244958137-1000\...\Policies\Explorer: [NoSetTaskbar] 0
HKU\S-1-5-21-2561101334-532984164-2244958137-1000\...\Policies\Explorer: [NoDeletePrinter] 0
HKU\S-1-5-21-2561101334-532984164-2244958137-1000\...\Policies\Explorer: [NoDFSTab] 0
HKU\S-1-5-21-2561101334-532984164-2244958137-1000\...\Policies\Explorer: [NoChangeStartMenu] 0
HKU\S-1-5-21-2561101334-532984164-2244958137-1000\...\Policies\Explorer: [NoEncryptOnMove] 0
HKU\S-1-5-21-2561101334-532984164-2244958137-1000\...\Policies\Explorer: [NoRunasInstallPrompt] 0
HKU\S-1-5-21-2561101334-532984164-2244958137-1000\...\Policies\Explorer: [NoResolveSearch] 0
HKU\S-1-5-21-2561101334-532984164-2244958137-1000\...\Policies\Explorer: [NoHardwareTab] 0
HKU\S-1-5-21-2561101334-532984164-2244958137-1000\...\Policies\Explorer: [NoStartMenuSubFolders] 0
HKU\S-1-5-21-2561101334-532984164-2244958137-1000\...\Policies\Explorer: [NolowDiskSpaceChecks] 1
HKU\S-1-5-18\...\Policies\Explorer: [DisableLocalMachineRun] 0
HKU\S-1-5-18\...\Policies\Explorer: [DisableLocalMachineRunOnce] 0
HKU\S-1-5-18\...\Policies\Explorer: [DisableCurrentUserRun] 0
HKU\S-1-5-18\...\Policies\Explorer: [DisableCurrentUserRunOnce] 0
HKU\S-1-5-18\...\Policies\Explorer: [NoShellSearchButton] 0
HKU\S-1-5-18\...\Policies\Explorer: [NoFile] 0
HKU\S-1-5-18\...\Policies\Explorer: [HideClock] 0
HKU\S-1-5-18\...\Policies\Explorer: [NoTrayItemsDisplay] 0
HKU\S-1-5-18\...\Policies\Explorer: [NoSetFolders] 0
HKU\S-1-5-18\...\Policies\Explorer: [NoDevMgrUpdate] 0
HKU\S-1-5-18\...\Policies\Explorer: [NoSetTaskbar] 0
HKU\S-1-5-18\...\Policies\Explorer: [NoDeletePrinter] 0
HKU\S-1-5-18\...\Policies\Explorer: [NoDFSTab] 0
HKU\S-1-5-18\...\Policies\Explorer: [NoChangeStartMenu] 0
HKU\S-1-5-18\...\Policies\Explorer: [NoLogoff] 0
HKU\S-1-5-18\...\Policies\Explorer: [NoEncryptOnMove] 0
HKU\S-1-5-18\...\Policies\Explorer: [NoRunasInstallPrompt] 0
HKU\S-1-5-18\...\Policies\Explorer: [NoResolveSearch] 0
HKU\S-1-5-18\...\Policies\Explorer: [NoSaveSettings] 0
HKU\S-1-5-18\...\Policies\Explorer: [NoHardwareTab] 0
HKU\S-1-5-18\...\Policies\Explorer: [NoStartMenuSubFolders] 0
GroupPolicy\User: Restriction ? <==== ATTENTION
CHR HKLM\SOFTWARE\Policies\Google: Restriction <==== ATTENTION

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

Tcpip\Parameters: [DhcpNameServer] 209.18.47.61 209.18.47.62
Tcpip\..\Interfaces\{A30157EC-C570-4269-AD57-EC49495A2400}: [DhcpNameServer] 209.18.47.61 209.18.47.62
Tcpip\..\Interfaces\{B6C16AFE-B8F4-4385-AA18-0F1E73AC3B4B}: [DhcpNameServer] 192.168.224.1

Internet Explorer:
==================
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Search Page = 
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Page_URL = 
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Search_URL = 
HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = 
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Local Page = 
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=msnhome
HKU\S-1-5-21-2561101334-532984164-2244958137-1000\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
SearchScopes: HKLM -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
SearchScopes: HKLM -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
SearchScopes: HKLM-x32 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
SearchScopes: HKU\S-1-5-19 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
SearchScopes: HKU\S-1-5-20 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
SearchScopes: HKU\S-1-5-21-2561101334-532984164-2244958137-1000 -> DefaultScope {D961C8E7-BDBC-4C26-87A6-D820A2D6FE0D} URL = hxxps://www.google.com/search?q={searchTerms}
SearchScopes: HKU\S-1-5-21-2561101334-532984164-2244958137-1000 -> {D961C8E7-BDBC-4C26-87A6-D820A2D6FE0D} URL = hxxps://www.google.com/search?q={searchTerms}
BHO: Logitech SetPoint -> {AF949550-9094-4807-95EC-D1C317803333} -> C:\Program Files\Logitech\SetPointP\SetPointSmooth.dll [2015-08-25] (Logitech, Inc.)
BHO-x32: Logitech SetPoint -> {AF949550-9094-4807-95EC-D1C317803333} -> C:\Program Files\Logitech\SetPointP\32-bit\SetPointSmooth.dll [2015-08-25] (Logitech, Inc.)

FireFox:
========
FF Plugin: @docu-track.com/PDF-XChange Viewer Plugin,version=1.0,application/pdf -> C:\Program Files\Tracker Software\PDF Viewer\npPDFXCviewNPPlugin.dll [2017-08-11] (Tracker Software Products (Canada) Ltd.)
FF Plugin: @tracker-software.com/PDF-XChange Viewer Plugin,version=1.0,application/pdf -> C:\Program Files\Tracker Software\PDF Viewer\npPDFXCviewNPPlugin.dll [2017-08-11] (Tracker Software Products (Canada) Ltd.)
FF Plugin-x32: @docu-track.com/PDF-XChange Viewer Plugin,version=1.0,application/pdf -> C:\Program Files\Tracker Software\PDF Viewer\Win32\npPDFXCviewNPPlugin.dll [2017-08-11] (Tracker Software Products (Canada) Ltd.)
FF Plugin-x32: @foxitsoftware.com/Foxit Reader Plugin,version=1.0,application/vnd.xdp -> C:\Program Files (x86)\Foxit Software\Foxit Reader\plugins\npFoxitReaderPlugin.dll [No File]
FF Plugin-x32: @foxitsoftware.com/Foxit Reader Plugin,version=1.0,application/vnd.xfdf -> C:\Program Files (x86)\Foxit Software\Foxit Reader\plugins\npFoxitReaderPlugin.dll [No File]
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.33.17\npGoogleUpdate3.dll [2018-05-16] (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.33.17\npGoogleUpdate3.dll [2018-05-16] (Google Inc.)
FF Plugin-x32: @tracker-software.com/PDF-XChange Viewer Plugin,version=1.0,application/pdf -> C:\Program Files\Tracker Software\PDF Viewer\Win32\npPDFXCviewNPPlugin.dll [2017-08-11] (Tracker Software Products (Canada) Ltd.)
FF Plugin HKU\S-1-5-21-2561101334-532984164-2244958137-1000: @docu-track.com/PDF-XChange Viewer Plugin,version=1.0,application/pdf -> C:\Program Files\Tracker Software\PDF Viewer\Win32\npPDFXCviewNPPlugin.dll [2017-08-11] (Tracker Software Products (Canada) Ltd.)

Chrome: 
=======
CHR DefaultProfile: Default
CHR Profile: C:\Users\work horse\AppData\Local\Google\Chrome\User Data\Default [2018-05-25]
CHR Extension: (Google Drive) - C:\Users\work horse\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2017-09-29]
CHR Extension: (YouTube) - C:\Users\work horse\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2017-09-29]
CHR Extension: (Avira Browser Safety) - C:\Users\work horse\AppData\Local\Google\Chrome\User Data\Default\Extensions\flliilndjeohchalpbbcdekjklbdgfkk [2018-05-25]
CHR Extension: (Webroot Filtering Extension) - C:\Users\work horse\AppData\Local\Google\Chrome\User Data\Default\Extensions\kjeghcllfecehndceplomkocgfbklffd [2018-05-16]
CHR Extension: (Chrome Web Store Payments) - C:\Users\work horse\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2018-04-04]
CHR Extension: (Gmail) - C:\Users\work horse\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2017-09-29]
CHR Extension: (Chrome Media Router) - C:\Users\work horse\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm [2018-05-17]
CHR Profile: C:\Users\work horse\AppData\Local\Google\Chrome\User Data\System Profile [2018-05-25]
CHR HKLM\...\Chrome\Extension: [flliilndjeohchalpbbcdekjklbdgfkk] - hxxps://clients2.google.com/service/update2/crx
CHR HKLM-x32\...\Chrome\Extension: [flliilndjeohchalpbbcdekjklbdgfkk] - hxxps://clients2.google.com/service/update2/crx
CHR HKLM-x32\...\Chrome\Extension: [kjeghcllfecehndceplomkocgfbklffd] - hxxps://clients2.google.com/service/update2/crx
CHR HKLM-x32\...\Chrome\Extension: [okfhiodnpcnnnpgbjbhfebjnbagmfhab] - C:\ProgramData\WRData\pkg\lpchrome.crx <not found>

==================== Services (Whitelisted) ====================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R3 aswbIDSAgent; C:\Program Files\AVAST Software\Avast\x64\aswidsagenta.exe [7620096 2018-05-14] (AVAST Software)
R2 avast! Antivirus; C:\Program Files\AVAST Software\Avast\AvastSvc.exe [317280 2018-05-14] (AVAST Software)
R2 lxec_device; C:\Windows\system32\lxeccoms.exe [1052328 2010-04-14] ( )
R2 lxec_device; C:\Windows\SysWOW64\lxeccoms.exe [598696 2010-04-14] ( )
R2 MBAMService; C:\Program Files\Malwarebytes\Anti-Malware\mbamservice.exe [6440736 2018-03-03] (Malwarebytes)
S3 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [1011712 2013-05-26] (Microsoft Corporation)

===================== Drivers (Whitelisted) ======================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

S1 Amfilter; C:\Windows\System32\DRIVERS\Amfltx64.sys [12288 1999-12-31] ((Standard mouse types)) [File not signed]
S3 Amps2prt; C:\Windows\System32\DRIVERS\Amps2x64.sys [21504 1999-12-31] ((Standard mouse types)) [File not signed]
S3 Amusbprt; C:\Windows\System32\DRIVERS\Amusbx64.sys [17920 1999-12-31] (A4Tech Co.,Ltd.) [File not signed]
R1 aswArPot; C:\Windows\System32\drivers\aswArPot.sys [196640 2018-05-14] (AVAST Software)
R1 aswbidsdriver; C:\Windows\System32\drivers\aswbidsdrivera.sys [227504 2018-03-05] (AVAST Software)
R0 aswbidsh; C:\Windows\System32\drivers\aswbidsha.sys [199440 2018-03-05] (AVAST Software)
R0 aswblog; C:\Windows\System32\drivers\aswbloga.sys [343752 2018-03-05] (AVAST Software)
R0 aswbuniv; C:\Windows\System32\drivers\aswbuniva.sys [57680 2018-03-05] (AVAST Software)
S3 aswHwid; C:\Windows\System32\drivers\aswHwid.sys [46968 2018-05-14] (AVAST Software)
R2 aswMonFlt; C:\Windows\System32\drivers\aswMonFlt.sys [159120 2018-05-14] (AVAST Software)
R1 aswRdr; C:\Windows\System32\drivers\aswRdr2.sys [111360 2018-05-14] (AVAST Software)
R0 aswRvrt; C:\Windows\System32\drivers\aswRvrt.sys [85968 2018-05-14] (AVAST Software)
R1 aswSnx; C:\Windows\System32\drivers\aswSnx.sys [1027720 2018-05-14] (AVAST Software)
R1 aswSP; C:\Windows\System32\drivers\aswSP.sys [460520 2018-05-14] (AVAST Software)
R2 aswStm; C:\Windows\System32\drivers\aswStm.sys [205976 2018-05-14] (AVAST Software)
R0 aswVmm; C:\Windows\System32\drivers\aswVmm.sys [381552 2018-05-14] (AVAST Software)
R1 ESProtectionDriver; C:\Windows\system32\drivers\mbae64.sys [76200 2018-01-18] ()
R1 HWiNFO32; C:\Windows\SysWOW64\drivers\HWiNFO64A.SYS [27552 2017-06-29] (REALiX(tm))
R0 MBAMChameleon; C:\Windows\System32\Drivers\MbamChameleon.sys [193248 2018-05-25] (Malwarebytes)
R3 MBAMFarflt; C:\Windows\System32\DRIVERS\farflt.sys [109800 2018-05-25] (Malwarebytes)
R3 MBAMProtection; C:\Windows\System32\DRIVERS\mbam.sys [45960 2018-05-25] (Malwarebytes)
R3 MBAMSwissArmy; C:\Windows\System32\Drivers\mbamswissarmy.sys [253664 2018-05-25] (Malwarebytes)
R3 MBAMWebProtection; C:\Windows\System32\DRIVERS\mwac.sys [92280 2018-05-25] (Malwarebytes)
S4 RTL8192su; C:\Windows\System32\DRIVERS\RTL8192su.sys [676864 2010-01-06] (Realtek Semiconductor Corporation ) [File not signed]
S3 semav6msr64; C:\Windows\system32\drivers\semav6msr64.sys [21984 2016-10-18] ()
U1 aswbdisk; no ImagePath
S3 catchme; \??\C:\ComboFix\catchme.sys [X]
S3 cpuz143; \??\C:\Windows\temp\cpuz143\cpuz143_x64.sys [X]
S4 IUFileFilter; \??\C:\Program Files (x86)\IObit\IObit Uninstaller\drivers\win7_amd64\IUFileFilter.sys [X]
U0 SR; no ImagePath
U2 srservice; no ImagePath

==================== NetSvcs (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)


==================== One Month Created files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2018-05-25 16:16 - 2018-05-25 16:17 - 000018435 _____ C:\Users\work horse\Desktop\FRST.txt
2018-05-25 16:00 - 2018-05-25 16:00 - 000002224 _____ C:\Users\work horse\Desktop\GOOGLE.lnk
2018-05-25 15:56 - 2018-05-25 15:56 - 000019260 _____ C:\Users\work horse\Documents\ComboFixScan.txt
2018-05-25 15:41 - 2018-05-25 15:41 - 000045960 _____ (Malwarebytes) C:\Windows\system32\Drivers\mbam.sys
2018-05-25 15:35 - 2018-05-25 15:35 - 000019260 _____ C:\ComboFix.txt
2018-05-25 15:24 - 2018-05-25 15:41 - 000253664 _____ (Malwarebytes) C:\Windows\system32\Drivers\mbamswissarmy.sys
2018-05-25 15:24 - 2018-05-25 15:41 - 000109800 _____ (Malwarebytes) C:\Windows\system32\Drivers\farflt.sys
2018-05-25 15:24 - 2018-05-25 15:41 - 000092280 _____ (Malwarebytes) C:\Windows\system32\Drivers\mwac.sys
2018-05-25 15:24 - 2018-05-25 15:24 - 000193248 _____ (Malwarebytes) C:\Windows\system32\Drivers\MbamChameleon.sys
2018-05-25 15:14 - 2018-05-25 15:35 - 000000000 ____D C:\ComboFix
2018-05-25 15:11 - 2018-05-25 15:58 - 000000000 ____D C:\Qoobox
2018-05-25 14:54 - 2018-05-25 14:58 - 000000000 ____D C:\AdwCleaner
2018-05-25 11:53 - 2018-05-25 16:16 - 000000000 ____D C:\FRST
2018-05-25 11:52 - 2018-05-25 11:52 - 002413056 _____ (Farbar) C:\Users\work horse\Desktop\FRST64.exe
2018-05-24 07:50 - 2018-05-24 08:23 - 000000000 ____D C:\ProgramData\RogueKiller
2018-05-14 16:19 - 2018-05-14 16:19 - 000376536 _____ (AVAST Software) C:\Windows\system32\aswBoot.exe
2018-05-13 19:34 - 2018-05-13 19:34 - 000002178 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Earth Pro.lnk

==================== One Month Modified files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2018-05-25 16:01 - 2009-07-13 20:20 - 000000000 ____D C:\Windows\inf
2018-05-25 15:49 - 2017-10-16 19:40 - 000004168 _____ C:\Windows\System32\Tasks\Avast Emergency Update
2018-05-25 15:40 - 2009-07-13 22:08 - 000000006 ____H C:\Windows\Tasks\SA.DAT
2018-05-25 15:25 - 2009-07-13 19:34 - 000000215 _____ C:\Windows\system.ini
2018-05-24 07:51 - 2017-10-09 12:40 - 000028272 _____ C:\Windows\system32\Drivers\TrueSight.sys
2018-05-17 09:45 - 2014-06-18 16:43 - 000000000 ____D C:\ProgramData\Lx_cats
2018-05-16 18:31 - 2017-11-15 20:25 - 000003332 _____ C:\Windows\System32\Tasks\GoogleUpdateTaskMachineUA
2018-05-16 18:31 - 2017-11-15 20:25 - 000003204 _____ C:\Windows\System32\Tasks\GoogleUpdateTaskMachineCore1d2d48e95e5d717
2018-05-15 11:35 - 2016-09-08 22:47 - 000002224 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome.lnk
2018-05-14 16:19 - 2017-11-09 15:40 - 000196640 _____ (AVAST Software) C:\Windows\system32\Drivers\aswArPot.sys
2018-05-14 16:19 - 2017-10-17 07:53 - 000460520 _____ (AVAST Software) C:\Windows\system32\Drivers\aswSP.sys
2018-05-14 16:19 - 2017-10-17 07:53 - 000381552 _____ (AVAST Software) C:\Windows\system32\Drivers\aswVmm.sys
2018-05-14 16:19 - 2017-10-17 07:53 - 000205976 _____ (AVAST Software) C:\Windows\system32\Drivers\aswStm.sys
2018-05-14 16:19 - 2017-10-17 07:53 - 000159120 _____ (AVAST Software) C:\Windows\system32\Drivers\aswMonFlt.sys
2018-05-14 16:19 - 2017-10-17 07:53 - 000111360 _____ (AVAST Software) C:\Windows\system32\Drivers\aswRdr2.sys
2018-05-14 16:19 - 2017-10-17 07:53 - 000085968 _____ (AVAST Software) C:\Windows\system32\Drivers\aswRvrt.sys
2018-05-14 16:19 - 2017-10-17 07:53 - 000046968 _____ (AVAST Software) C:\Windows\system32\Drivers\aswHwid.sys
2018-05-14 16:18 - 2017-10-17 07:53 - 001027720 _____ (AVAST Software) C:\Windows\system32\Drivers\aswSnx.sys
2018-05-13 19:33 - 2014-03-16 20:05 - 000000000 ____D C:\Program Files\Google
2018-05-13 19:33 - 2014-03-16 11:59 - 000000000 ____D C:\Program Files (x86)\Google
2018-05-08 11:53 - 2018-04-05 12:46 - 000004324 _____ C:\Windows\System32\Tasks\Adobe Flash Player Updater
2018-05-08 11:53 - 2017-10-11 18:35 - 000804864 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2018-05-08 11:53 - 2017-10-11 18:35 - 000144896 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
2018-05-08 11:53 - 2017-10-11 18:35 - 000004494 _____ C:\Windows\System32\Tasks\Adobe Flash Player PPAPI Notifier
2018-05-08 11:53 - 2014-03-11 08:17 - 000000000 ____D C:\Windows\SysWOW64\Macromed
2018-05-08 11:53 - 2014-03-11 08:16 - 000000000 ____D C:\Windows\system32\Macromed
2018-04-28 15:07 - 2017-10-23 11:22 - 000000000 ____D C:\Users\work horse\Documents\Letters

==================== Files in the root of some directories =======

2014-03-23 09:43 - 2014-03-23 09:43 - 000019634 _____ () C:\Users\work horse\AppData\Roaming\UserTile.png
2014-03-14 18:34 - 2018-02-12 19:38 - 000007628 _____ () C:\Users\work horse\AppData\Local\resmon.resmoncfg

==================== Bamital & volsnap ======================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\system32\winlogon.exe => File is digitally signed
C:\Windows\system32\wininit.exe => File is digitally signed
C:\Windows\SysWOW64\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\system32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\system32\services.exe => File is digitally signed
C:\Windows\system32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\system32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\system32\rpcss.dll => File is digitally signed
C:\Windows\system32\dnsapi.dll => File is digitally signed
C:\Windows\SysWOW64\dnsapi.dll => File is digitally signed
C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed

LastRegBack: 2018-05-18 20:10

==================== End of FRST.txt ============================

Additional scan result of Farbar Recovery Scan Tool (x64) Version: 16.05.2018 01
Ran by work horse (25-05-2018 13:55:47)
Running from C:\Users\work horse\Desktop
Windows 7 Professional Service Pack 1 (X64) (2014-02-18 01:00:18)
Boot Mode: Normal
==========================================================


==================== Accounts: =============================

Administrator (S-1-5-21-2561101334-532984164-2244958137-500 - Administrator - Disabled)
Guest (S-1-5-21-2561101334-532984164-2244958137-501 - Limited - Disabled)
work horse (S-1-5-21-2561101334-532984164-2244958137-1000 - Administrator - Enabled) => C:\Users\work horse

==================== Security Center ========================

(If an entry is included in the fixlist, it will be removed.)

AV: Avast Antivirus (Enabled - Up to date) {8EA8924E-BC81-DC44-8BB0-8BAE75D86EBF}
AV: Malwarebytes (Enabled - Up to date) {23007AD3-69FE-687C-2629-D584AFFAF72B}
AS: Malwarebytes (Enabled - Up to date) {98619B37-4FC4-67F2-1C99-EEF6D47DBD96}
AS: Windows Defender (Disabled - Out of date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
AS: Avast Antivirus (Enabled - Up to date) {35C973AA-9ABB-D3CA-B100-B0DC0E5F2402}

==================== Installed Programs ======================

(Only the adware programs with "Hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)

Adobe AIR (HKLM-x32\...\Adobe AIR) (Version: 29.0.0.112 - Adobe Systems Incorporated)
Adobe Flash Player 29 ActiveX (HKLM-x32\...\Adobe Flash Player ActiveX) (Version: 29.0.0.171 - Adobe Systems Incorporated)
Adobe Flash Player 29 PPAPI (HKLM-x32\...\Adobe Flash Player PPAPI) (Version: 29.0.0.171 - Adobe Systems Incorporated)
Avast Free Antivirus (HKLM-x32\...\Avast Antivirus) (Version: 18.4.2338 - AVAST Software)
CCleaner (HKLM\...\CCleaner) (Version: 5.36 - Piriform)
Google Chrome (HKLM-x32\...\Google Chrome) (Version: 66.0.3359.181 - Google Inc.)
Google Earth Pro (HKLM\...\{D9EF644E-2FAE-493B-8180-5617CC774C4F}) (Version: 7.3.1.4507 - Google)
Google Update Helper (HKLM-x32\...\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA}) (Version: 1.3.33.17 - Google Inc.) Hidden
Hewlett-Packard ACLM.NET v1.2.2.3 (HKLM-x32\...\{6F340107-F9AA-47C6-B54C-C3A19F11553F}) (Version: 1.00.0000 - Hewlett-Packard Company) Hidden
Intel(R) Graphics Media Accelerator Driver (HKLM\...\HDMI) (Version: 8.15.10.1930 - Intel Corporation)
Intel(R) Network Connections 16.8.45.1 (HKLM\...\PROSetDX) (Version: 16.8.45.1 - Intel)
Lexmark Pro800-Pro900 Series (HKLM\...\Lexmark Pro800-Pro900 Series) (Version:  - Lexmark International, Inc.)
Logitech SetPoint 6.67 (HKLM\...\sp6) (Version: 6.67.83 - Logitech)
Malwarebytes version 3.4.4.2398 (HKLM\...\{35065F43-4BB2-439A-BFF7-0F1014F2E0CD}_is1) (Version: 3.4.4.2398 - Malwarebytes)
Microsoft .NET Framework 4.7 (HKLM\...\{92FB6C44-E685-45AD-9B20-CADF4CABA132} - 1033) (Version: 4.7.02053 - Microsoft Corporation)
Microsoft Office Converter Pack (HKLM-x32\...\{6EECB283-E65F-40EF-86D3-D51BF02A8D43}) (Version: 11.0.0.0 - Microsoft Corporation - Office Resource Kit Group)
Microsoft Office Word Viewer 2003 (HKLM-x32\...\{90850409-6000-11D3-8CFE-0150048383C9}) (Version: 11.0.8173.0 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.6161 (HKLM\...\{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4}) (Version: 9.0.30729.6161 - Microsoft Corporation)
Microsoft Visual C++ 2010  x64 Redistributable - 10.0.40219 (HKLM\...\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}) (Version: 10.0.40219 - Microsoft Corporation)
Microsoft Visual C++ 2010  x86 Redistributable - 10.0.40219 (HKLM-x32\...\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}) (Version: 10.0.40219 - Microsoft Corporation)
Microsoft Visual C++ 2015 Redistributable (x86) - 14.0.24215 (HKLM-x32\...\{e2803110-78b3-4664-a479-3611a381656a}) (Version: 14.0.24215.1 - Microsoft Corporation)
PDF-Viewer (HKLM\...\{A278382D-4F1B-4D47-9885-8523F7261E8D}_is1) (Version: 2.5.322.7 - Tracker Software Products Ltd)
Speccy (HKLM\...\Speccy) (Version: 1.28 - Piriform)
Wager Pro (HKLM-x32\...\{26462BEE-27A8-CE72-C1BC-A017F4FEAE1D}) (Version: 1.7.5 - Churchill Downs Technology Initiatives Company) Hidden
Wager Pro (HKLM-x32\...\com.twinspires.tspro.air) (Version: v1.7.5 - Churchill Downs Technology Initiatives Company)

==================== Custom CLSID (Whitelisted): ==========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

ShellIconOverlayIdentifiers: [00asw] -> {472083B0-C522-11CF-8763-00608CC02F24} => C:\Program Files\AVAST Software\Avast\ashShA64.dll [2018-05-14] (AVAST Software)
ShellIconOverlayIdentifiers: [00avast] -> {472083B0-C522-11CF-8763-00608CC02F24} => C:\Program Files\AVAST Software\Avast\ashShA64.dll [2018-05-14] (AVAST Software)
ContextMenuHandlers1: [avast] -> {472083B0-C522-11CF-8763-00608CC02F24} => C:\Program Files\AVAST Software\Avast\ashShA64.dll [2018-05-14] (AVAST Software)
ContextMenuHandlers1: [UAContextMenu] -> {A9B8E64D-3F7E-4D32-8FC9-E391DEE67D75} =>  -> No File
ContextMenuHandlers3: [00asw] -> {472083B0-C522-11CF-8763-00608CC02F24} => C:\Program Files\AVAST Software\Avast\ashShA64.dll [2018-05-14] (AVAST Software)
ContextMenuHandlers3: [MBAMShlExt] -> {57CE581A-0CB6-4266-9CA0-19364C90A0B3} => C:\Program Files\Malwarebytes\Anti-Malware\mbshlext.dll [2018-03-03] (Malwarebytes)
ContextMenuHandlers5: [igfxcui] -> {3AB1675A-CCFF-11D2-8B20-00A0C93CB1F4} => C:\Windows\system32\igfxpph.dll [2009-09-23] (Intel Corporation)
ContextMenuHandlers5: [UAContextMenu] -> {A9B8E64D-3F7E-4D32-8FC9-E391DEE67D75} =>  -> No File
ContextMenuHandlers6: [avast] -> {472083B0-C522-11CF-8763-00608CC02F24} => C:\Program Files\AVAST Software\Avast\ashShA64.dll [2018-05-14] (AVAST Software)
ContextMenuHandlers6: [MBAMShlExt] -> {57CE581A-0CB6-4266-9CA0-19364C90A0B3} => C:\Program Files\Malwarebytes\Anti-Malware\mbshlext.dll [2018-03-03] (Malwarebytes)
FolderExtensions: [] -> {F6BF8414-962C-40FE-90F1-B80A7E72DB9A} => 

==================== Scheduled Tasks (Whitelisted) =============

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

Task: {1CB05AD6-2A21-403F-BFAD-54391BDE67FD} - System32\Tasks\{DC0A6FDC-2BD9-4A29-8AF5-0A0BA1369456} => C:\Program Files (x86)\Auslogics\Disk Defrag\DiskDefrag.exe
Task: {2F57269B-1E09-4E2D-AB1E-B0FDAC7D279C} - \Microsoft\Windows\WindowsBackup\ConfigNotification -> No File <==== ATTENTION
Task: {3BE4993A-ADAB-4957-ABBF-E2ED3C5DCC0F} - System32\Tasks\Microsoft\Windows\PLA\System\{DB159C10-80D2-4C41-B78A-C6E2D8D1931D}_System Diagnostics => Command(1): C:\Windows\system32\rundll32.exe -> C:\Windows\system32\pla.dll,PlaHost "system\System Diagnostics" "$(Arg0)"
Task: {3BE4993A-ADAB-4957-ABBF-E2ED3C5DCC0F} - System32\Tasks\Microsoft\Windows\PLA\System\{DB159C10-80D2-4C41-B78A-C6E2D8D1931D}_System Diagnostics => Command(2): C:\Windows\system32\schtasks.exe -> /delete /f /tn "\Microsoft\Windows\PLA\System\{DB159C10-80D2-4C41-B78A-C6E2D8D1931D}_System Diagnostics"
Task: {61C0BA83-EB2F-4882-81FD-B00CF00DE39C} - System32\Tasks\Adobe Flash Player PPAPI Notifier => C:\Windows\SysWOW64\Macromed\Flash\FlashUtil32_29_0_0_171_pepper.exe [2018-05-08] (Adobe Systems Incorporated)
Task: {6B4538C8-A0E4-4E0E-B705-13AC07FBA5CE} - System32\Tasks\GoogleUpdateTaskMachineUA => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2016-09-08] (Google Inc.)
Task: {6E9B310F-3DD0-4603-A5B3-66237226F163} - System32\Tasks\GoogleUpdateTaskMachineCore1d2d48e95e5d717 => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2016-09-08] (Google Inc.)
Task: {7AB4AD87-7B58-42DB-884E-5466EFC61082} - System32\Tasks\CCleanerSkipUAC => C:\Program Files\CCleaner\CCleaner.exe [2017-10-18] (Piriform Ltd)
Task: {8F79663D-8EA9-4D8A-BCA2-65BDF14414E0} - System32\Tasks\Avast Emergency Update => C:\Program Files\AVAST Software\Avast\AvEmUpdate.exe [2018-05-14] (AVAST Software)
Task: {990B5B49-782F-418A-99AD-FE09185D4EFA} - System32\Tasks\Adobe Acrobat Update Task => C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe [2017-09-27] (Adobe Systems Incorporated)
Task: {AC4E5ACF-89F7-4220-BA21-81EE183975E2} - \Microsoft\Windows\Application Experience\AitAgent -> No File <==== ATTENTION
Task: {B398302D-644A-42C3-AAB0-E4A2F1DDDB42} - System32\Tasks\Avast Software\Overseer => C:\Program Files\Common Files\Avast Software\Overseer\overseer.exe [2018-04-14] (AVAST Software)
Task: {BC986259-CE13-47DA-846B-3787BD1DE975} - System32\Tasks\Adobe Flash Player Updater => C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2018-05-08] (Adobe Systems Incorporated)
Task: {C72AACB7-65CE-41A3-ABB0-098AFC4ED820} - System32\Tasks\TrackerAutoUpdate => C:\Program Files\Tracker Software\Update\TrackerUpdate.exe [2017-08-11] (Tracker Software Products (Canada) Ltd.)
Task: {CB0C844C-3FA0-4901-838F-38D58B66A7CD} - System32\Tasks\CCleaner Update => C:\Program Files\CCleaner\CCUpdate.exe [2017-10-18] (Piriform Ltd)
Task: {CEE64558-E1A7-4D9D-80A7-2001912BE5B5} - \Microsoft\Windows\MemoryDiagnostic\CorruptionDetector -> No File <==== ATTENTION
Task: {FA2BC0A6-8D4B-458A-85C8-2B8C72487513} - \Microsoft\Windows\MemoryDiagnostic\DecompressionFailureDetector -> No File <==== ATTENTION

(If an entry is included in the fixlist, the task (.job) file will be moved. The file which is running by the task will not be moved.)

Task: C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
Task: C:\Windows\Tasks\GoogleUpdateTaskMachineCore1d20a5d78704667.job => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
Task: C:\Windows\Tasks\TrackerAutoUpdate.job => C:\Program Files\Tracker Software\Update\TrackerUpdate.exe-CheckUpdate(Tracker Software Products (Canada) Ltd.Kee

==================== Shortcuts & WMI ========================

(The entries could be listed to be restored or removed.)


==================== Loaded Modules (Whitelisted) ==============

2014-06-18 16:32 - 2009-11-04 13:18 - 000189440 _____ () C:\Windows\system32\spool\PRTPROCS\x64\lxecdrpp.dll
2017-06-13 07:07 - 2018-03-01 10:31 - 002488608 _____ () C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\MwacLib.dll
2017-06-13 07:07 - 2018-02-05 14:44 - 002299168 _____ () C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\SelfProtectionSdk.dll
2018-05-14 16:18 - 2018-05-14 16:18 - 000736984 _____ () c:\Program Files\AVAST Software\Avast\x64\vaarclient.dll
2018-05-14 16:18 - 2018-05-14 16:18 - 001069784 _____ () C:\Program Files\AVAST Software\Avast\x64\ffl2.dll
2018-05-14 16:18 - 2018-05-14 16:18 - 000598232 _____ () c:\Program Files\AVAST Software\Avast\x64\StreamBack.dll
2018-05-14 16:18 - 2018-05-14 16:18 - 000482520 _____ () C:\Program Files\AVAST Software\Avast\streamback.dll
2018-05-25 11:20 - 2018-05-25 11:20 - 005786256 _____ () C:\Program Files\AVAST Software\Avast\defs\18052504\algo.dll
2018-05-14 16:18 - 2018-05-14 16:18 - 000889048 _____ () C:\Program Files\AVAST Software\Avast\ffl2.dll
2018-05-14 16:19 - 2018-05-14 16:19 - 000924888 _____ () C:\Program Files\AVAST Software\Avast\anen.dll
2018-05-14 16:18 - 2018-05-14 16:18 - 000982744 _____ () C:\Program Files\AVAST Software\Avast\shepherdsync.dll
2018-05-14 16:18 - 2018-05-14 16:18 - 000519896 _____ () C:\Program Files\AVAST Software\Avast\gui_cache.dll
2018-03-05 08:45 - 2018-03-05 08:45 - 067126928 _____ () C:\Program Files\AVAST Software\Avast\libcef.dll

==================== Alternate Data Streams (Whitelisted) =========

(If an entry is included in the fixlist, only the ADS will be removed.)


==================== Safe Mode (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.)

HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MBAMService => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\PEVSystemStart => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\procexp90.Sys => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\MBAMService => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\PEVSystemStart => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\procexp90.Sys => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\WRkrn => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\WRSVC => ""="Service"

==================== Association (Whitelisted) ===============

(If an entry is included in the fixlist, the registry item will be restored to default or removed.)

HKU\.DEFAULT\Software\Classes\exefile: "%1" %* <==== ATTENTION
HKU\.DEFAULT\Software\Classes\.exe: exefile => "%1" %* <==== ATTENTION
HKU\S-1-5-21-2561101334-532984164-2244958137-1000\Software\Classes\exefile: "%1" %* <==== ATTENTION

==================== Internet Explorer trusted/restricted ===============

(If an entry is included in the fixlist, it will be removed from the registry.)

IE restricted site: HKU\.DEFAULT\...\007guard.com -> install.007guard.com
IE restricted site: HKU\.DEFAULT\...\008i.com -> 008i.com
IE restricted site: HKU\.DEFAULT\...\008k.com -> www.008k.com
IE restricted site: HKU\.DEFAULT\...\00hq.com -> www.00hq.com
IE restricted site: HKU\.DEFAULT\...\010402.com -> 010402.com
IE restricted site: HKU\.DEFAULT\...\032439.com -> 80gw6ry3i3x3qbrkwhxhw.032439.com
IE restricted site: HKU\.DEFAULT\...\0scan.com -> www.0scan.com
IE restricted site: HKU\.DEFAULT\...\1-2005-search.com -> www.1-2005-search.com
IE restricted site: HKU\.DEFAULT\...\1-domains-registrations.com -> www.1-domains-registrations.com
IE restricted site: HKU\.DEFAULT\...\1000gratisproben.com -> www.1000gratisproben.com
IE restricted site: HKU\.DEFAULT\...\1001namen.com -> www.1001namen.com
IE restricted site: HKU\.DEFAULT\...\100888290cs.com -> mir.100888290cs.com
IE restricted site: HKU\.DEFAULT\...\100sexlinks.com -> www.100sexlinks.com
IE restricted site: HKU\.DEFAULT\...\10sek.com -> www.10sek.com
IE restricted site: HKU\.DEFAULT\...\12-26.net -> user1.12-26.net
IE restricted site: HKU\.DEFAULT\...\12-27.net -> user1.12-27.net
IE restricted site: HKU\.DEFAULT\...\123fporn.info -> www.123fporn.info
IE restricted site: HKU\.DEFAULT\...\123haustiereundmehr.com -> www.123haustiereundmehr.com
IE restricted site: HKU\.DEFAULT\...\123moviedownload.com -> www.123moviedownload.com
IE restricted site: HKU\.DEFAULT\...\123simsen.com -> www.123simsen.com

There are 7936 more sites.

IE trusted site: HKU\S-1-5-21-2561101334-532984164-2244958137-1000\...\ed.gov -> hxxps://www.myeddebt.ed.gov
IE trusted site: HKU\S-1-5-21-2561101334-532984164-2244958137-1000\...\google.com -> hxxps://www.google.com
IE trusted site: HKU\S-1-5-21-2561101334-532984164-2244958137-1000\...\live.com -> hxxps://bay169.mail.live.com
IE restricted site: HKU\S-1-5-21-2561101334-532984164-2244958137-1000\...\007guard.com -> install.007guard.com
IE restricted site: HKU\S-1-5-21-2561101334-532984164-2244958137-1000\...\008i.com -> 008i.com
IE restricted site: HKU\S-1-5-21-2561101334-532984164-2244958137-1000\...\008k.com -> www.008k.com
IE restricted site: HKU\S-1-5-21-2561101334-532984164-2244958137-1000\...\00hq.com -> www.00hq.com
IE restricted site: HKU\S-1-5-21-2561101334-532984164-2244958137-1000\...\010402.com -> 010402.com
IE restricted site: HKU\S-1-5-21-2561101334-532984164-2244958137-1000\...\032439.com -> 80gw6ry3i3x3qbrkwhxhw.032439.com
IE restricted site: HKU\S-1-5-21-2561101334-532984164-2244958137-1000\...\0scan.com -> www.0scan.com
IE restricted site: HKU\S-1-5-21-2561101334-532984164-2244958137-1000\...\1-2005-search.com -> www.1-2005-search.com
IE restricted site: HKU\S-1-5-21-2561101334-532984164-2244958137-1000\...\1-domains-registrations.com -> www.1-domains-registrations.com
IE restricted site: HKU\S-1-5-21-2561101334-532984164-2244958137-1000\...\1000gratisproben.com -> www.1000gratisproben.com
IE restricted site: HKU\S-1-5-21-2561101334-532984164-2244958137-1000\...\1001namen.com -> www.1001namen.com
IE restricted site: HKU\S-1-5-21-2561101334-532984164-2244958137-1000\...\100888290cs.com -> mir.100888290cs.com
IE restricted site: HKU\S-1-5-21-2561101334-532984164-2244958137-1000\...\100sexlinks.com -> www.100sexlinks.com
IE restricted site: HKU\S-1-5-21-2561101334-532984164-2244958137-1000\...\10sek.com -> www.10sek.com
IE restricted site: HKU\S-1-5-21-2561101334-532984164-2244958137-1000\...\12-26.net -> user1.12-26.net
IE restricted site: HKU\S-1-5-21-2561101334-532984164-2244958137-1000\...\12-27.net -> user1.12-27.net
IE restricted site: HKU\S-1-5-21-2561101334-532984164-2244958137-1000\...\123fporn.info -> www.123fporn.info
IE restricted site: HKU\S-1-5-21-2561101334-532984164-2244958137-1000\...\123haustiereundmehr.com -> www.123haustiereundmehr.com
IE restricted site: HKU\S-1-5-21-2561101334-532984164-2244958137-1000\...\123moviedownload.com -> www.123moviedownload.com
IE restricted site: HKU\S-1-5-21-2561101334-532984164-2244958137-1000\...\123simsen.com -> www.123simsen.com

There are 7934 more sites.


==================== Hosts content: ===============================

(If needed Hosts: directive could be included in the fixlist to reset Hosts.)

2009-07-13 19:34 - 2017-09-28 09:57 - 000000027 _____ C:\Windows\system32\Drivers\etc\hosts

127.0.0.1       localhost

==================== Other Areas ============================

(Currently there is no automatic fix for this section.)

HKU\S-1-5-21-2561101334-532984164-2244958137-1000\Control Panel\Desktop\\Wallpaper -> 
DNS Servers: 209.18.47.61 - 209.18.47.62
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System => (ConsentPromptBehaviorAdmin: 0) (ConsentPromptBehaviorUser: ) (EnableLUA: 0)
Windows Firewall is enabled.

==================== MSCONFIG/TASK MANAGER disabled items ==

MSCONFIG\Services: AviraUpdaterService => 2
MSCONFIG\Services: gupdate => 3
MSCONFIG\Services: gupdatem => 3
MSCONFIG\Services: MBAMScheduler => 2
MSCONFIG\Services: wuauserv => 2
MSCONFIG\startupreg: EzPrint => "C:\Program Files (x86)\Lexmark Pro800-Pro900 Series\ezprint.exe"
MSCONFIG\startupreg: HotKeysCmds => C:\Windows\system32\hkcmd.exe
MSCONFIG\startupreg: IgfxTray => C:\Windows\system32\igfxtray.exe
MSCONFIG\startupreg: lxecmon.exe => "C:\Program Files (x86)\Lexmark Pro800-Pro900 Series\lxecmon.exe"
MSCONFIG\startupreg: Persistence => C:\Windows\system32\igfxpers.exe

==================== FirewallRules (Whitelisted) ===============

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

FirewallRules: [SPPSVC-In-TCP-NoScope] => (Allow) %SystemRoot%\system32\sppsvc.exe
FirewallRules: [SPPSVC-In-TCP] => (Allow) %SystemRoot%\system32\sppsvc.exe
FirewallRules: [{6BC4DFA7-D1F5-453D-8812-7493FD37F012}] => (Block) LPort=445
FirewallRules: [{AF8AA981-B00E-4121-8D75-D33D39C92191}] => (Block) LPort=445
FirewallRules: [ScanManagement-RCWS-Out-TCP] => (Allow) %SystemRoot%\System32\mmc.exe
FirewallRules: [ScanManagement-WSD-Out-TCP] => (Allow) %SystemRoot%\System32\mmc.exe
FirewallRules: [{104722FA-6143-4137-B407-CDDE08FA05FB}] => (Allow) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe

==================== Restore Points =========================

21-05-2018 18:47:13 mmm

==================== Faulty Device Manager Devices =============

Name: Compatible Mouse Filter Driver
Description: Compatible Mouse Filter Driver
Class Guid: {8ECC055D-047F-11D1-A537-0000F8753ED1}
Manufacturer: 
Service: Amfilter
Problem: : This device is not present, is not working properly, or does not have all its drivers installed. (Code 24)
Resolution: The device is installed incorrectly. The problem could be a hardware failure, or a new driver might be needed.
Devices stay in this state if they have been prepared for removal.
After you remove the device, this error disappears.Remove the device, and this error should be resolved.

Name: PCI Simple Communications Controller
Description: PCI Simple Communications Controller
Class Guid: 
Manufacturer: 
Service: 
Problem: : The drivers for this device are not installed. (Code 28)
Resolution: To install the drivers for this device, click "Update Driver", which starts the Hardware Update wizard.

Name: PS/2 Mouse
Description: PS/2 Mouse
Class Guid: {4d36e96f-e325-11ce-bfc1-08002be10318}
Manufacturer: Logitech
Service: i8042prt
Problem: : This device is not present, is not working properly, or does not have all its drivers installed. (Code 24)
Resolution: The device is installed incorrectly. The problem could be a hardware failure, or a new driver might be needed.
Devices stay in this state if they have been prepared for removal.
After you remove the device, this error disappears.Remove the device, and this error should be resolved.

Name: PS/2 Keyboard
Description: PS/2 Keyboard
Class Guid: {4d36e96b-e325-11ce-bfc1-08002be10318}
Manufacturer: Logitech
Service: i8042prt
Problem: : This device is not present, is not working properly, or does not have all its drivers installed. (Code 24)
Resolution: The device is installed incorrectly. The problem could be a hardware failure, or a new driver might be needed.
Devices stay in this state if they have been prepared for removal.
After you remove the device, this error disappears.Remove the device, and this error should be resolved.


==================== Event log errors: =========================

Application errors:
==================

System errors:
=============

==================== Memory info =========================== 

Processor: Pentium(R) Dual-Core CPU E5300 @ 2.60GHz
Percentage of memory in use: 26%
Total physical RAM: 4015.3 MB
Available physical RAM: 2942.26 MB
Total Virtual: 8028.48 MB
Available Virtual: 7049.18 MB

==================== Drives ================================

Drive ? () (Fixed) (Total:149.05 GB) (Free:122.69 GB) NTFS ==>[drive with boot components (obtained from BCD)]


==================== MBR & Partition Table ==================

========================================================
Disk: 0 (MBR Code: Windows 7/8/10) (Size: 149.1 GB) (Disk ID: 3B2B3B2B)
Partition 1: (Active) - (Size=149 GB) - (Type=07 NTFS)

==================== End of Addition.txt ============================

 

FRST_25-05-2018 16.18.58.txt


Hello, Welcome to Malwarebytes.
I'm nasdaq and will be helping you.

If you can, please print this topic; it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

Your logs are clean of malware.

Please download the attached Fixlist.txt file to the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the FRST.txt log you have submitted.

Run FRST and click Fix only once and wait.

The tool will create a log (Fixlog.txt); please post it in your reply.
===

Reset Chrome...
Open Google Chrome and click on the menu icon, or the 3 vertical dots located at the top right side of Google Chrome.
 
Click "Settings" then "Show advanced settings" at the bottom of the screen.
 
Click "Reset browser settings" button.
 
Restart Chrome.
<<<>>>

Please post the Fixlog.txt and let me know of any issues pending.

fixlist.txt


Thank you, nasdaq. Great to hear that the system is clean. I forgot to mention that, several days prior to my "event," AVAST had blocked a connection to "JS:ScriptPE-inf."  In addition to the MB Protection and Ransomware buttons being turned off, and all Avast behavior shields turned off, the MB protection history was erased. Thanks again, and here is the Fixit log. (Google settings have been reset.)

Fixlog.txt


Hi nasdaq,

All is well, but I have one final question. While ComboFix was on my system, AVAST detected one of its files - CregC.dat - as infected with an IDP.Generic threat. Don't know if this was actually a ComboFix file or something that its scan detected on my machine. Just need to know if I should delete it from my AVAST Virus Chest or add it back.

Thanks.


Hi,

You can delete it. Not required.

If all is well.

To learn more about how to protect yourself while on the internet, read this little guide on best security practices to keep safe.
http://www.bleepingcomputer.com/forums/t/407147/answers-to-common-security-questions-best-practices/


https://www.bleepingcomputer.com/tutorials/keep-your-computer-safe-online/
Simple and easy ways to keep your computer safe and secure on the Internet.
===

 


  • 2 weeks later...
  • Root Admin

Glad we could help.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request.

This applies only to the originator of this thread. Other members who need assistance please start your own topic in a new thread.

Thanks

 
