
I opened a PDF, how can i tell if I am infected? [Solved]

Tags: pdf email

This topic is locked
27 replies to this topic

#16 joelk01 (Authentic Member, 24 posts)

Posted 31 October 2019 - 10:44 AM

Fix result of Farbar Recovery Scan Tool (x64) Version: 30-10-2019 01
Ran by Hannah (31-10-2019 12:34:30) Run:1
Running from C:\Users\Hannah\Desktop
Loaded Profiles: Hannah (Available Profiles: Hannah & Hannah_2 & Administrator)
Boot Mode: Normal
==============================================
 
fixlist content:
*****************
CloseProcesses:
HKLM-x32\...\Run: [AvastUI.exe] => "C:\Program Files\AVAST Software\Avast\AvLaunch.exe" /gui
HKU\S-1-5-21-1382215785-360157019-2900194103-1000\...\Policies\Explorer: []
HKU\S-1-5-21-1382215785-360157019-2900194103-1000\...\MountPoints2: {456bbdd8-f01b-11df-ba68-842b2bb11e8e} - O:\LaunchU3.exe -a
HKU\S-1-5-21-1382215785-360157019-2900194103-1000\...\MountPoints2: {ca5b9f59-e6d4-11e3-bdf6-842b2bb11e8e} - D:\VZW_Software_upgrade_assistant.exe
HKU\S-1-5-21-1382215785-360157019-2900194103-1000\...\MountPoints2: {ca5b9f6e-e6d4-11e3-bdf6-842b2bb11e8e} - D:\VZW_Software_upgrade_assistant.exe
ShortcutTarget: Dell Dock First Run.lnk -> C:\Program Files\Dell\DellDock\DellDock.exe (No File)
Startup: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dell Dock First Run.lnk [2010-11-04]
ShortcutTarget: Dell Dock First Run.lnk -> C:\Program Files\Dell\DellDock\DellDock.exe (No File)
Startup: C:\Users\Default User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dell Dock First Run.lnk [2010-11-04]
ShortcutTarget: Dell Dock First Run.lnk -> C:\Program Files\Dell\DellDock\DellDock.exe (No File)
ShortcutTarget: Dell Dock.lnk -> C:\Program Files\Dell\DellDock\DellDock.exe (No File)
Task: {2F16EBEA-64BA-4C0E-95A2-8321FCB8D759} - System32\Tasks\Avast Software\Overseer => C:\Program Files\Common Files\AVAST Software\Overseer\overseer.exe [1873288 2019-09-18] (AVAST Software s.r.o. -> AVAST Software)
Task: C:\Windows\Tasks\FacebookUpdateTaskUserS-1-5-21-1382215785-360157019-2900194103-1003Core.job => C:\Users\Hannah_2\AppData\Local\Facebook\Update\FacebookUpdate.exe
Task: C:\Windows\Tasks\FacebookUpdateTaskUserS-1-5-21-1382215785-360157019-2900194103-1003UA.job => C:\Users\Hannah_2\AppData\Local\Facebook\Update\FacebookUpdate.exe
Task: C:\Windows\Tasks\iMeshNAG.job => C:\Users\Hannah_2\AppData\Local\Temp\iMesh_setup.exe <==== ATTENTION
Winsock: Catalog5 08 C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WLIDNSP.DLL => No File
Winsock: Catalog5 09 C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WLIDNSP.DLL => No File
Winsock: Catalog5-x64 08 C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDNSP.DLL => No File
Winsock: Catalog5-x64 09 C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDNSP.DLL => No File
SearchScopes: HKLM -> DefaultScope {77AA745B-F4F8-45DA-9B14-61D2D95054C8} URL =
SearchScopes: HKLM -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKLM -> {CB741BA7-1390-49FA-9C90-90AC21CF194E} URL = hxxp://www.bing.com/search?q={searchTerms}&form=DLCDF8&pc=MDDC&src=IE-SearchBox
SearchScopes: HKLM-x32 -> DefaultScope {6A1806CD-94D4-4689-BA73-E35EA1EA9990} URL =
SearchScopes: HKLM-x32 -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKLM-x32 -> {47CA27CB-238A-4CC7-9E39-E332D0A82333} URL = hxxp://www.bing.com/search?q={searchTerms}&form=DLCDF8&pc=MDDC&src=IE-SearchBox
SearchScopes: HKU\S-1-5-21-1382215785-360157019-2900194103-1000 -> DefaultScope {47E70B16-857D-1F50-ADFB-8839257B41A4} URL = hxxp://www.bing.com/search?FORM=SK2CDF&PC=SK2C&q={searchTerms}&src=IE-SearchBox
SearchScopes: HKU\S-1-5-21-1382215785-360157019-2900194103-1000 -> {47CA27CB-238A-4CC7-9E39-E332D0A82333} URL =
SearchScopes: HKU\S-1-5-21-1382215785-360157019-2900194103-1000 -> {47E70B16-857D-1F50-ADFB-8839257B41A4} URL = hxxp://www.bing.com/search?FORM=SK2CDF&PC=SK2C&q={searchTerms}&src=IE-SearchBox
SearchScopes: HKU\S-1-5-21-1382215785-360157019-2900194103-1000 -> {AFBCB7E0-F91A-4951-9F31-58FEE57A25C4} URL = hxxps://nortonsafe.search.ask.com/web?q={searchTerms}&o=APN11913&l=dis&prt=NGC&chn=1122&geo=US&ver=22.16.2.22&locale=en_US&guid=3E36490B-F01A-11DF-A373-842B2BB11E8E&doi=2016-09-01&gct=kwd&qsrc=2869
CHR HKLM\...\Chrome\Extension: [cjabmdjcfcfdmffimndhafhblfmpjdpe] - C:\Program Files (x86)\Norton Security Suite\Engine\22.19.8.65\Exts\Chrome.crx <not found>
CHR HKLM\...\Chrome\Extension: [iikflkcanblccfahdhdonehdalibjnif] - hxxps://clients2.google.com/service/update2/crx
CHR HKU\S-1-5-21-1382215785-360157019-2900194103-1000\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [bmkckgpgekmanipelfidlhmkfcjicion] - hxxps://clients2.google.com/service/update2/crx
CHR HKLM-x32\...\Chrome\Extension: [cjabmdjcfcfdmffimndhafhblfmpjdpe] - C:\Program Files (x86)\Norton Security Suite\Engine\22.19.8.65\Exts\Chrome.crx <not found>
CHR HKLM-x32\...\Chrome\Extension: [iikflkcanblccfahdhdonehdalibjnif] - hxxps://clients2.google.com/service/update2/crx
S2 DockLoginService; C:\Program Files\Dell\DellDock\DockLogin.exe [X]
U3 aswbdisk; no ImagePath
S3 BCM42RLY; system32\drivers\BCM42RLY.sys [X]
S3 NAVENG; \??\C:\Program Files (x86)\Norton Security Suite\NortonData\22.5.2.15\Definitions\SDSDefs\20160704.008\ENG64.SYS [X]
S3 NAVEX15; \??\C:\Program Files (x86)\Norton Security Suite\NortonData\22.5.2.15\Definitions\SDSDefs\20160704.008\EX64.SYS [X]
(x86)\Norton Security Suite\Engine\22.19.8.65\buShell.dll [2019-09-11] (Symantec Corporation -> Symantec Corporation)
ShellIconOverlayIdentifiers: [00asw] -> {472083B0-C522-11CF-8763-00608CC02F24} =>  -> No File
ContextMenuHandlers4: [MSSE] -> {0365FE2C-F183-4091-AC82-BFC39FB75C49} =>  -> No File
ContextMenuHandlers4: [Offline Files] -> {474C98EE-CF3D-41f5-80E3-4AAB0AB04301} =>  -> No File
ContextMenuHandlers5: [ACE] -> {5E2121EE-0300-11D4-8D3B-444553540000} =>  -> No File
ContextMenuHandlers6: [Offline Files] -> {474C98EE-CF3D-41f5-80E3-4AAB0AB04301} =>  -> No File
FirewallRules: [{C2A5FDC4-7E62-41FD-B01F-FCFB8B3AC1F5}] => (Allow) C:\Program Files\Common Files\mcafee\mcsvchost\McSvHost.exe No File
FirewallRules: [{33DEFE95-A7BF-4582-ACE6-37D82FE56241}] => (Allow) C:\Program Files\Common Files\mcafee\mcsvchost\McSvHost.exe No File
FirewallRules: [{8C0C4CC1-1B2E-4333-9E9C-09B2AF20506D}] => (Allow) C:\Program Files (x86)\StarCraft II\StarCraft II.exe No File
FirewallRules: [{6BDFCEEE-ECD3-4B7D-8C9E-0C113E23456B}] => (Allow) C:\Program Files (x86)\StarCraft II\StarCraft II.exe No File
FirewallRules: [{E16583E2-BEE3-4F02-88AD-201D9614A0C8}] => (Allow) C:\ProgramData\Battle.net\Agent\Agent.1040\Agent.exe No File
FirewallRules: [{6E6FF841-4961-4554-BE90-6E2E369B519D}] => (Allow) C:\ProgramData\Battle.net\Agent\Agent.1040\Agent.exe No File
FirewallRules: [{3F469F37-D174-45F0-9E42-4717C63280F6}] => (Allow) C:\Program Files (x86)\StarCraft II\StarCraft II Public Test.exe No File
FirewallRules: [{6E59DC4C-C249-46B8-B2FF-0201D0B4C0BA}] => (Allow) C:\Program Files (x86)\StarCraft II\StarCraft II Public Test.exe No File
FirewallRules: [{F4BFDAFD-1ABE-49C9-9BDB-4CDF8C34A0FB}] => (Allow) C:\Users\Hannah\AppData\Local\Temp\7zS6E4.tmp\SymNRT.exe No File
FirewallRules: [{8ED5D293-4218-4986-AFA7-28D6450279D9}] => (Allow) C:\Users\Hannah\AppData\Local\Temp\7zS6E4.tmp\SymNRT.exe No File
FirewallRules: [TCP Query User{879DC76F-73B0-4A44-BD18-E842928ABEEF}C:\users\hannah\appdata\local\akamai\netsession_win.exe] => (Block) C:\users\hannah\appdata\local\akamai\netsession_win.exe No File
FirewallRules: [UDP Query User{80D8891B-A686-40A2-A3AC-5B465245BDAC}C:\users\hannah\appdata\local\akamai\netsession_win.exe] => (Block) C:\users\hannah\appdata\local\akamai\netsession_win.exe No File
FirewallRules: [TCP Query User{FDE20CE5-3BDD-4200-9475-50EB3BE2F501}C:\users\hannah\appdata\local\akamai\netsession_win.exe] => (Allow) C:\users\hannah\appdata\local\akamai\netsession_win.exe No File
FirewallRules: [UDP Query User{D8D81E04-C33E-4E16-AA6B-E2CEA5DAE313}C:\users\hannah\appdata\local\akamai\netsession_win.exe] => (Allow) C:\users\hannah\appdata\local\akamai\netsession_win.exe No File
FirewallRules: [{9D10765C-2F57-4C11-9E65-9D504B12CBB6}] => (Allow) C:\Program Files (x86)\EaseUS\Todo Backup\bin\TodoBackupService.exe No File
FirewallRules: [{86FFCF53-13DF-4B39-A50F-EFB489F69649}] => (Allow) C:\Program Files (x86)\EaseUS\Todo Backup\bin\TodoBackupService.exe No File
FirewallRules: [{2F13E9C5-0BF4-461B-912A-9B07CBF340D2}] => (Allow) C:\Program Files (x86)\Steam\Steam.exe No File
FirewallRules: [{82FDF3A4-B598-4688-B314-1115F2B402BF}] => (Allow) C:\Program Files (x86)\Steam\Steam.exe No File
FirewallRules: [{FE629B9E-FBD9-4376-BA2E-B3F9C806AFD3}] => (Allow) C:\Program Files (x86)\Steam\bin\cef\cef.win7\steamwebhelper.exe No File
FirewallRules: [{2A6CA5E2-C5BE-4BE7-8A58-36D14C37B157}] => (Allow) C:\Program Files (x86)\Steam\bin\cef\cef.win7\steamwebhelper.exe No File
FirewallRules: [{720B95F5-BE2A-4900-BF12-B8E232210540}] => (Allow) C:\Program Files (x86)\Steam\steamapps\common\Sid Meier's Civilization V\Launcher.exe No File
FirewallRules: [{B463BE71-96BD-4883-A853-ECEEBCC8D685}] => (Allow) C:\Program Files (x86)\Steam\steamapps\common\Sid Meier's Civilization V\Launcher.exe No File
FirewallRules: [{2FEEF1F0-37C8-4C49-BC51-04D24DC2BC21}] => (Allow) C:\Users\Hannah\AppData\Roaming\Zoom\bin\airhost.exe No File
C:\Program Files\AVAST Software
C:\Program Files\Common Files\AVAST Software
C:\Users\Hannah_2\AppData\Local\Temp\iMesh_setup.exe
C:\Users\Hannah\AppData\Roaming\ARCompanion.log
C:\Users\Hannah\AppData\Roaming\WB.CFG
C:\Users\Hannah\AppData\Local\4d0003c32636a4c5e9cb90650df69609
C:\Users\Hannah\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
C:\Users\Hannah\AppData\Local\keyfile3.drm
C:\Users\Hannah\AppData\Local\resmon.resmoncfg
cmd: netsh winsock reset catalog
EmptyTemp:
*****************
 
Processes closed successfully.
"HKLM\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\\AvastUI.exe" => removed successfully
"HKU\S-1-5-21-1382215785-360157019-2900194103-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\\" => removed successfully
HKU\S-1-5-21-1382215785-360157019-2900194103-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{456bbdd8-f01b-11df-ba68-842b2bb11e8e} => removed successfully
HKU\S-1-5-21-1382215785-360157019-2900194103-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{ca5b9f59-e6d4-11e3-bdf6-842b2bb11e8e} => removed successfully
HKU\S-1-5-21-1382215785-360157019-2900194103-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{ca5b9f6e-e6d4-11e3-bdf6-842b2bb11e8e} => removed successfully
"C:\Program Files\Dell\DellDock\DellDock.exe" => not found
C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dell Dock First Run.lnk => moved successfully
"C:\Program Files\Dell\DellDock\DellDock.exe" => not found
"C:\Users\Default User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dell Dock First Run.lnk" => not found
"C:\Program Files\Dell\DellDock\DellDock.exe" => not found
"C:\Program Files\Dell\DellDock\DellDock.exe" => not found
"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Boot\{2F16EBEA-64BA-4C0E-95A2-8321FCB8D759}" => removed successfully
"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{2F16EBEA-64BA-4C0E-95A2-8321FCB8D759}" => removed successfully
C:\Windows\System32\Tasks\Avast Software\Overseer => moved successfully
"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Avast Software\Overseer" => removed successfully
C:\Windows\Tasks\FacebookUpdateTaskUserS-1-5-21-1382215785-360157019-2900194103-1003Core.job => moved successfully
C:\Windows\Tasks\FacebookUpdateTaskUserS-1-5-21-1382215785-360157019-2900194103-1003UA.job => moved successfully
C:\Windows\Tasks\iMeshNAG.job => moved successfully
HKLM\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000008 => removed successfully
HKLM\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000009 => removed successfully
HKLM\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries64\000000000008 => removed successfully
HKLM\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries64\000000000009 => removed successfully
HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => value restored successfully
HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A} => removed successfully
HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{CB741BA7-1390-49FA-9C90-90AC21CF194E} => removed successfully
HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => value restored successfully
HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A} => removed successfully
HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\{47CA27CB-238A-4CC7-9E39-E332D0A82333} => removed successfully
"HKU\S-1-5-21-1382215785-360157019-2900194103-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope" => removed successfully
HKU\S-1-5-21-1382215785-360157019-2900194103-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{47CA27CB-238A-4CC7-9E39-E332D0A82333} => removed successfully
HKU\S-1-5-21-1382215785-360157019-2900194103-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{47E70B16-857D-1F50-ADFB-8839257B41A4} => removed successfully
HKU\S-1-5-21-1382215785-360157019-2900194103-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{AFBCB7E0-F91A-4951-9F31-58FEE57A25C4} => removed successfully
HKLM\SOFTWARE\Google\Chrome\Extensions\cjabmdjcfcfdmffimndhafhblfmpjdpe => removed successfully
HKLM\SOFTWARE\Google\Chrome\Extensions\iikflkcanblccfahdhdonehdalibjnif => removed successfully
HKU\S-1-5-21-1382215785-360157019-2900194103-1000\SOFTWARE\Google\Chrome\Extensions\bmkckgpgekmanipelfidlhmkfcjicion => removed successfully
HKLM\SOFTWARE\Wow6432Node\Google\Chrome\Extensions\cjabmdjcfcfdmffimndhafhblfmpjdpe => removed successfully
HKLM\SOFTWARE\Wow6432Node\Google\Chrome\Extensions\iikflkcanblccfahdhdonehdalibjnif => removed successfully
HKLM\System\CurrentControlSet\Services\DockLoginService => removed successfully
DockLoginService => service removed successfully
HKLM\System\CurrentControlSet\Services\aswbdisk => removed successfully
aswbdisk => service removed successfully
HKLM\System\CurrentControlSet\Services\BCM42RLY => removed successfully
BCM42RLY => service removed successfully
HKLM\System\CurrentControlSet\Services\NAVENG => could not remove. Access Denied.
HKLM\System\CurrentControlSet\Services\NAVEX15 => could not remove. Access Denied.
(x86)\Norton Security Suite\Engine\22.19.8.65\buShell.dll [2019-09-11] (Symantec Corporation -> Symantec Corporation) => Error: No automatic fix found for this entry.
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\00asw => removed successfully
HKLM\Software\Classes\Directory\ShellEx\ContextMenuHandlers\MSSE => removed successfully
HKLM\Software\Classes\Directory\ShellEx\ContextMenuHandlers\Offline Files => removed successfully
HKLM\Software\Classes\Directory\Background\ShellEx\ContextMenuHandlers\ACE => removed successfully
HKLM\Software\Classes\CLSID\{5E2121EE-0300-11D4-8D3B-444553540000} => removed successfully
HKLM\Software\Classes\Folder\ShellEx\ContextMenuHandlers\Offline Files => removed successfully
"HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{C2A5FDC4-7E62-41FD-B01F-FCFB8B3AC1F5}" => removed successfully
"HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{33DEFE95-A7BF-4582-ACE6-37D82FE56241}" => removed successfully
"HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{8C0C4CC1-1B2E-4333-9E9C-09B2AF20506D}" => removed successfully
"HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{6BDFCEEE-ECD3-4B7D-8C9E-0C113E23456B}" => removed successfully
"HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{E16583E2-BEE3-4F02-88AD-201D9614A0C8}" => removed successfully
"HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{6E6FF841-4961-4554-BE90-6E2E369B519D}" => removed successfully
"HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{3F469F37-D174-45F0-9E42-4717C63280F6}" => removed successfully
"HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{6E59DC4C-C249-46B8-B2FF-0201D0B4C0BA}" => removed successfully
"HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{F4BFDAFD-1ABE-49C9-9BDB-4CDF8C34A0FB}" => removed successfully
"HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{8ED5D293-4218-4986-AFA7-28D6450279D9}" => removed successfully
"HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\TCP Query User{879DC76F-73B0-4A44-BD18-E842928ABEEF}C:\users\hannah\appdata\local\akamai\netsession_win.exe" => removed successfully
"HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\UDP Query User{80D8891B-A686-40A2-A3AC-5B465245BDAC}C:\users\hannah\appdata\local\akamai\netsession_win.exe" => removed successfully
"HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\TCP Query User{FDE20CE5-3BDD-4200-9475-50EB3BE2F501}C:\users\hannah\appdata\local\akamai\netsession_win.exe" => removed successfully
"HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\UDP Query User{D8D81E04-C33E-4E16-AA6B-E2CEA5DAE313}C:\users\hannah\appdata\local\akamai\netsession_win.exe" => removed successfully
"HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{9D10765C-2F57-4C11-9E65-9D504B12CBB6}" => removed successfully
"HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{86FFCF53-13DF-4B39-A50F-EFB489F69649}" => removed successfully
"HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{2F13E9C5-0BF4-461B-912A-9B07CBF340D2}" => removed successfully
"HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{82FDF3A4-B598-4688-B314-1115F2B402BF}" => removed successfully
"HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{FE629B9E-FBD9-4376-BA2E-B3F9C806AFD3}" => removed successfully
"HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{2A6CA5E2-C5BE-4BE7-8A58-36D14C37B157}" => removed successfully
"HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{720B95F5-BE2A-4900-BF12-B8E232210540}" => removed successfully
"HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{B463BE71-96BD-4883-A853-ECEEBCC8D685}" => removed successfully
"HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{2FEEF1F0-37C8-4C49-BC51-04D24DC2BC21}" => removed successfully
C:\Program Files\AVAST Software => moved successfully
C:\Program Files\Common Files\AVAST Software => moved successfully
"C:\Users\Hannah_2\AppData\Local\Temp\iMesh_setup.exe" => not found
C:\Users\Hannah\AppData\Roaming\ARCompanion.log => moved successfully
C:\Users\Hannah\AppData\Roaming\WB.CFG => moved successfully
C:\Users\Hannah\AppData\Local\4d0003c32636a4c5e9cb90650df69609 => moved successfully
C:\Users\Hannah\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini => moved successfully
C:\Users\Hannah\AppData\Local\keyfile3.drm => moved successfully
C:\Users\Hannah\AppData\Local\resmon.resmoncfg => moved successfully
 
========= netsh winsock reset catalog =========
 
Initialization Function InitHelperDll in NSHHTTP.DLL failed to start with error code 11003
 
Sucessfully reset the Winsock Catalog.
You must restart the computer in order to complete the reset.
 
 
========= End of CMD: =========
 
 
=========== EmptyTemp: ==========
 
BITS transfer queue => 8388608 B
DOMStore, IE Recovery, AppCache, Feeds Cache, Thumbcache, IconCache => 13768156 B
Java, Flash, Steam htmlcache => 10180131 B
Windows/system/drivers => 8261436 B
Edge => 0 B
Chrome => 535364006 B
Firefox => 0 B
Opera => 0 B
 
Temp, IE cache, history, cookies, recent:
Users => 0 B
Default => 0 B
Public => 0 B
ProgramData => 0 B
systemprofile => 100883 B
systemprofile32 => 168506 B
LocalService => 300750 B
NetworkService => 366978 B
Hannah => 117733988 B
Hannah_2 => 118860432 B
Administrator => 118873253 B
 
RecycleBin => 28021689 B
EmptyTemp: => 915.9 MB temporary data Removed.
 
================================
 
Result of scheduled files to move (Boot Mode: Normal) (Date&Time: 31-10-2019 12:35:51)
 
 
Result of scheduled keys to remove after reboot:
 
HKLM\System\CurrentControlSet\Services\NAVENG => could not remove. Access Denied.
HKLM\System\CurrentControlSet\Services\NAVEX15 => could not remove. Access Denied.
 
==== End of Fixlog 12:35:51 ====
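A Fixlog of this length is easy to misread by hand: most lines say "removed successfully" or "moved successfully", and the two or three that matter ("could not remove. Access Denied.", "No automatic fix found for this entry.", and the keys FRST defers to the reboot pass) are buried among them. The script below is an added example for this thread, not part of FRST and not code from any post: it groups every action line of a Fixlog by outcome and lists the targets that still need attention. The outcome texts are the ones visible in the log above; the embedded sample log is a constructed excerpt modelled on it.

```python
"""Triage an FRST Fixlog.txt.

Added example for this thread; not part of FRST or of any post above.
Groups every action line ("<target> => <result>") by outcome and lists
the targets a helper still has to deal with.  SAMPLE_FIXLOG is a
constructed excerpt modelled on the Fixlog posted in this thread.
"""
from collections import Counter

# Result texts FRST writes after " => ", most specific first.
OUTCOMES = (
    ("access_denied", "Access Denied"),
    ("no_auto_fix", "No automatic fix found"),
    ("failed", "could not"),
    ("not_found", "not found"),
    ("restored", "restored successfully"),
    ("removed", "removed successfully"),
    ("moved", "moved successfully"),
)
NEEDS_FOLLOWUP = {"access_denied", "no_auto_fix", "failed"}


def classify(result):
    """Outcome name for a result string, or None for non-action lines such
    as the EmptyTemp byte counts ("Chrome => 535364006 B")."""
    for name, marker in OUTCOMES:
        if marker in result:
            return name
    return None


def parse_fixlog(text):
    """Return (counts, followups).

    counts: Counter of outcome -> number of action lines in the main pass.
    followups: dicts for targets that were not fixed; retry_after_reboot is
    True when the target is listed again under "Result of scheduled keys
    to remove after reboot".
    """
    counts = Counter()
    followups = {}
    in_fixlist = False   # the echoed fixlist sits between two rows of stars
    deferred = False     # inside the after-reboot section
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("*****"):
            in_fixlist = not in_fixlist
            continue
        if in_fixlist:
            continue
        if line.startswith("Result of scheduled keys to remove after reboot"):
            deferred = True
            continue
        if " => " not in line:
            continue
        target, _, result = line.rpartition(" => ")
        outcome = classify(result)
        if outcome is None:
            continue
        target = target.strip('"')
        if not deferred:
            counts[outcome] += 1
        if outcome in NEEDS_FOLLOWUP:
            entry = followups.setdefault(
                target, {"target": target, "outcome": outcome, "retry_after_reboot": False})
            if deferred:
                entry["retry_after_reboot"] = True
    return counts, list(followups.values())


# Constructed excerpt modelled on the Fixlog posted above (not the full log).
SAMPLE_FIXLOG = r"""Fix result of Farbar Recovery Scan Tool (x64) Version: 30-10-2019 01
fixlist content:
*****************
CloseProcesses:
HKLM-x32\...\Run: [AvastUI.exe] => "C:\Program Files\AVAST Software\Avast\AvLaunch.exe" /gui
(x86)\Norton Security Suite\Engine\22.19.8.65\buShell.dll [2019-09-11] (Symantec Corporation -> Symantec Corporation)
EmptyTemp:
*****************
Processes closed successfully.
"HKLM\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\\AvastUI.exe" => removed successfully
"C:\Program Files\Dell\DellDock\DellDock.exe" => not found
C:\Windows\Tasks\iMeshNAG.job => moved successfully
HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => value restored successfully
HKLM\System\CurrentControlSet\Services\NAVENG => could not remove. Access Denied.
(x86)\Norton Security Suite\Engine\22.19.8.65\buShell.dll [2019-09-11] (Symantec Corporation -> Symantec Corporation) => Error: No automatic fix found for this entry.
=========== EmptyTemp: ==========
Chrome => 535364006 B
EmptyTemp: => 915.9 MB temporary data Removed.
Result of scheduled keys to remove after reboot:
HKLM\System\CurrentControlSet\Services\NAVENG => could not remove. Access Denied.
==== End of Fixlog 12:35:51 ====
"""

if __name__ == "__main__":
    counts, followups = parse_fixlog(SAMPLE_FIXLOG)
    print(dict(counts))
    for f in followups:
        print("FOLLOW UP:", f)
```

Run it against a real Fixlog with `parse_fixlog(open("Fixlog.txt", encoding="utf-8-sig").read())`. The echoed fixlist is skipped deliberately, because its own lines also contain " => " and would otherwise be counted as results; the size lines in the EmptyTemp section are ignored because they match none of the outcome texts.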



#17 Satchfan (SuperHelper, Malware Team, 6,813 posts)

Posted 31 October 2019 - 05:09 PM

I overlooked a couple of things with the last fix so please run it again.

Run Farbar Recovery Scan Tool

Open Notepad. Please copy the contents of the code box below and paste it into Notepad.

CloseProcesses:
ShellIconOverlayIdentifiers: [00asw] -> {472083B0-C522-11CF-8763-00608CC02F24} => -> No File
ShellIconOverlayIdentifiers: [OverlayProtected] -> {476D0EA3-80F9-48B5-B70B-05E677C9C148} => C:\Program Files (x86)\Norton Security Suite\Engine\22.19.8.65\buShell.dll [2019-09-11] (Symantec Corporation -> Symantec Corporation)
ShellIconOverlayIdentifiers: [00asw] -> {472083B0-C522-11CF-8763-00608CC02F24} => -> No File
C:\Users\Hannah_2\AppData\Local\Temp\iMesh_setup.exe
EmptyTemp:

NOTE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system

  • save the file as fixlist.txt in the same folder as FRST – NOTE: it's important that both files, FRST and fixlist.txt, are in the same location or the fix will not work
  • run FRST64 then click Fix just once and wait
  • it will create a log on your desktop, (Fixlog.txt); please post it to your reply.

===================================================

Run Malwarebytes

Please try to run Malwarebytes again following the previous instructions.

If it still fails, try running it in Safe mode.

Logs to include with next post:

fixlist.txt
Mbam.txt


Satchfan

 


NINA - Proud graduate of the WTT Classroom

Member of UNITE

The help you receive here is free but if you feel I have helped, you may consider making a Donation.
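The first fix in this thread ended with "No automatic fix found for this entry" for a line that had been pasted incompletely (it began with "(x86)\Norton ..." instead of the full "ShellIconOverlayIdentifiers:" entry), and the script above lists the same "[00asw]" entry twice, which the Fixlog then reports as "not found" a second time. The check below is an added example for this thread, not FRST's own code and not from any post: it lints a fixlist.txt before it is run, flagging lines that match none of the entry shapes seen in this thread, exact duplicates, and a CloseProcesses: or EmptyTemp: directive out of its usual position. The allow-list of entry prefixes is an assumption drawn from the scripts posted here (plus CreateRestorePoint: and Reboot:, which are not on this page), not FRST's full fixlist grammar; the embedded sample fixlist is constructed.

```python
"""Lint an FRST fixlist.txt before running it.

Added example for this thread; not FRST's own code and not from any post.
The entry prefixes below are an assumption drawn from the scripts posted
in this thread, not FRST's full fixlist grammar.  SAMPLE_FIXLIST is a
constructed script modelled on the two fixlists above.
"""
import re

# Whole-line directives seen in this thread, plus CreateRestorePoint: and
# Reboot: (assumed; not on this page).  "cmd:" takes a command after it.
DIRECTIVES = {"CloseProcesses:", "EmptyTemp:", "CreateRestorePoint:", "Reboot:"}
PREFIX_DIRECTIVES = ("cmd:",)

# Entry shapes copied from FRST's own scan output, as seen in the scripts above.
ENTRY_PATTERNS = [
    r"^HK(LM|CU|U)\b",                                   # Run, Policies, MountPoints2 ...
    r"^(Task|Winsock|SearchScopes|ShortcutTarget|Startup|FirewallRules|CHR):?\s",
    r"^(ShellIconOverlayIdentifiers|ContextMenuHandlers\d*):",
    r"^[RSU]\d\s+\S+;",                                  # services/drivers: "S3 BCM42RLY; ..."
    r"^[A-Za-z]:\\",                                     # file or folder to move
]


def lint_fixlist(text):
    """Return [(line_no, problem, line)] for anything likely to produce
    "No automatic fix found" or a pointless repeat in the Fixlog."""
    nonblank = [(i + 1, l.strip()) for i, l in enumerate(text.splitlines()) if l.strip()]
    problems, seen = [], {}
    for no, line in nonblank:
        if line in seen:
            problems.append((no, f"duplicate of line {seen[line]}", line))
            continue
        seen[line] = no
        if line in DIRECTIVES or line.startswith(PREFIX_DIRECTIVES):
            continue
        if not any(re.match(p, line) for p in ENTRY_PATTERNS):
            problems.append((no, "not a recognised directive or entry (truncated copy?)", line))
    texts = [l for _, l in nonblank]
    if "CloseProcesses:" in texts and texts[0] != "CloseProcesses:":
        problems.append((nonblank[texts.index("CloseProcesses:")][0],
                         "CloseProcesses: should come before the entries", "CloseProcesses:"))
    if "EmptyTemp:" in texts and texts[-1] != "EmptyTemp:":
        problems.append((nonblank[texts.index("EmptyTemp:")][0],
                         "EmptyTemp: should be the last line", "EmptyTemp:"))
    return problems


# Constructed fixlist modelled on the two scripts in this thread: line 5 is
# the truncated copy, line 7 repeats line 6.
SAMPLE_FIXLIST = r"""CloseProcesses:
HKLM-x32\...\Run: [AvastUI.exe] => "C:\Program Files\AVAST Software\Avast\AvLaunch.exe" /gui
Task: C:\Windows\Tasks\iMeshNAG.job => C:\Users\Hannah_2\AppData\Local\Temp\iMesh_setup.exe <==== ATTENTION
S3 NAVENG; \??\C:\Program Files (x86)\Norton Security Suite\NortonData\22.5.2.15\Definitions\SDSDefs\20160704.008\ENG64.SYS [X]
(x86)\Norton Security Suite\Engine\22.19.8.65\buShell.dll [2019-09-11] (Symantec Corporation -> Symantec Corporation)
ShellIconOverlayIdentifiers: [00asw] -> {472083B0-C522-11CF-8763-00608CC02F24} => -> No File
ShellIconOverlayIdentifiers: [00asw] -> {472083B0-C522-11CF-8763-00608CC02F24} => -> No File
C:\Users\Hannah_2\AppData\Local\Temp\iMesh_setup.exe
cmd: netsh winsock reset catalog
EmptyTemp:
"""

if __name__ == "__main__":
    for no, problem, line in lint_fixlist(SAMPLE_FIXLIST):
        print(f"line {no}: {problem}\n    {line}")
```

Run it with `lint_fixlist(open("fixlist.txt", encoding="utf-8").read())` before clicking Fix. A flagged line is not necessarily wrong (FRST accepts entry types this allow-list does not know), so treat the output as a prompt to re-check the line against the FRST log it was copied from, not as a verdict.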

#18 joelk01 (Authentic Member, 24 posts)

Posted 31 October 2019 - 06:03 PM

Fix result of Farbar Recovery Scan Tool (x64) Version: 30-10-2019 01
Ran by Hannah (31-10-2019 19:49:34) Run:2
Running from C:\Users\Hannah\Desktop
Loaded Profiles: Hannah (Available Profiles: Hannah & Hannah_2 & Administrator)
Boot Mode: Normal
==============================================
 
fixlist content:
*****************
CloseProcesses:
ShellIconOverlayIdentifiers: [00asw] -> {472083B0-C522-11CF-8763-00608CC02F24} => -> No File
ShellIconOverlayIdentifiers: [OverlayProtected] -> {476D0EA3-80F9-48B5-B70B-05E677C9C148} => C:\Program Files (x86)\Norton Security Suite\Engine\22.19.8.65\buShell.dll [2019-09-11] (Symantec Corporation -> Symantec Corporation)
ShellIconOverlayIdentifiers: [00asw] -> {472083B0-C522-11CF-8763-00608CC02F24} => -> No File
C:\Users\Hannah_2\AppData\Local\Temp\iMesh_setup.exe
EmptyTemp:
*****************
 
Processes closed successfully.
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\00asw => not found
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\OverlayProtected => not found
HKLM\Software\Classes\CLSID\{476D0EA3-80F9-48B5-B70B-05E677C9C148} => could not remove. Access Denied.
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\00asw => not found
"C:\Users\Hannah_2\AppData\Local\Temp\iMesh_setup.exe" => not found
 
=========== EmptyTemp: ==========
 
BITS transfer queue => 12582912 B
DOMStore, IE Recovery, AppCache, Feeds Cache, Thumbcache, IconCache => 4207304 B
Java, Flash, Steam htmlcache => 0 B
Windows/system/drivers => 122938650 B
Edge => 0 B
Chrome => 20743346 B
Firefox => 0 B
Opera => 0 B
 
Temp, IE cache, history, cookies, recent:
Users => 0 B
Default => 0 B
Public => 0 B
ProgramData => 0 B
systemprofile => 0 B
systemprofile32 => 128 B
LocalService => 128 B
NetworkService => 128 B
Hannah => 67208 B
Hannah_2 => 67208 B
Administrator => 67208 B
 
RecycleBin => 0 B
EmptyTemp: => 153.2 MB temporary data Removed.
 
================================
 
Result of scheduled files to move (Boot Mode: Normal) (Date&Time: 31-10-2019 19:50:43)
 
 
Result of scheduled keys to remove after reboot:
 
HKLM\Software\Classes\CLSID\{476D0EA3-80F9-48B5-B70B-05E677C9C148} => could not remove. Access Denied.
 
==== End of Fixlog 19:50:43 ====
 
Malwarebytes finished this time:
 
Malwarebytes
www.malwarebytes.com
 
-Log Details-
Scan Date: 10/31/19
Scan Time: 7:57 PM
Log File: 438dc808-fc3a-11e9-83af-842b2bb11e8e.json
 
-Software Information-
Version: 3.8.3.2965
Components Version: 1.0.613
Update Package Version: 1.0.13131
License: Expired
 
-System Information-
OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: Hannah-PC\Hannah
 
-Scan Summary-
Scan Type: Threat Scan
Scan Initiated By: Manual
Result: Completed
Objects Scanned: 332668
Threats Detected: 0
Threats Quarantined: 0
Time Elapsed: 3 min, 50 sec
 
-Scan Options-
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Warn
PUM: Detect
 
-Scan Details-
Process: 0
(No malicious items detected)
 
Module: 0
(No malicious items detected)
 
Registry Key: 0
(No malicious items detected)
 
Registry Value: 0
(No malicious items detected)
 
Registry Data: 0
(No malicious items detected)
 
Data Stream: 0
(No malicious items detected)
 
Folder: 0
(No malicious items detected)
 
File: 0
(No malicious items detected)
 
Physical Sector: 0
(No malicious items detected)
 
WMI: 0
(No malicious items detected)
 
 
(end)


#19 joelk01 (Authentic Member, 24 posts)

Posted 01 November 2019 - 01:16 PM

Thank you

#20 Satchfan (SuperHelper, Malware Team, 6,813 posts)

Posted 01 November 2019 - 03:35 PM

Your computer seems to be fine but let’s run one more scan.

Run Emsisoft Emergency Kit

Please download Emsisoft Emergency Kit and save it to your desktop. Double click on the EmsisoftEmergencyKit file you downloaded to extract its contents and create a shortcut on the desktop. Leave all settings as they are and click the Extract button at the bottom. A folder named EEK will be created in the root of the drive (usually c:\).

  • after extraction, double-click on the new Start Emsisoft Emergency Kit icon on your desktop
  • the first time you launch it, Emsisoft Emergency Kit will recommend that you allow it to download updates: click Yes so that it downloads the latest database updates
  • when the update is complete, click Malware Scan. When asked if you want the scanner to scan for Potentially Unwanted Programs, click Yes. Emsisoft Emergency Kit will start scanning
  • when the scan has completed click Quarantine selected objects. Note, this option is only available if malicious objects were detected during the scan
  • when the threats have been quarantined, click the View report button in the lower-right corner and the scan log will open in Notepad
  • please save the Notepad log on your desktop and post the contents in your next reply
  • when you close Emsisoft Emergency Kit it will give you an option to sign up for a newsletter. This is optional, and is not necessary for the malware removal process.

Satchfan

 



#21 joelk01 (Authentic Member, 24 posts)

Posted 01 November 2019 - 04:18 PM

Thank you for all your help. Have you seen evidence that my computer was attacked/infected?

 

Here is the Emsisoft log:

 

Emsisoft Emergency Kit - Version 2019.10
Last update: 11/1/2019 6:14:32 PM
User account: Hannah-PC\Hannah
Computer name: HANNAH-PC
OS version: Windows 7x64 Service Pack 1
 
Scan settings:
 
Scan type: Malware Scan
Objects: Rootkits, Memory, Traces, Files
 
Detect PUPs: On
Scan archives: Off
Scan mail archives: Off
ADS Scan: On
File extension filter: Off
Direct disk access: Off
 
Scan start: 11/1/2019 6:15:14 PM
 
Scanned 19821
Found 0
 
Scan end: 11/1/2019 6:16:31 PM
Scan time: 0:01:17


#22 Satchfan (SuperHelper, Malware Team, 6,813 posts)

Posted 01 November 2019 - 05:00 PM

Have you seen evidence that my computer was attacked/infected?

No. :thumbup:

 

Your computer appears to be clean so let’s tidy up what we’ve used and I’ll supply a few recommendations.

===================================================

Run KpRm

Download KpRm by kernel-panik and save it to your desktop.

  • right-click kprm_(version).exe and select Run as Administrator.
  • when the tool opens, ensure all boxes are checked, and select Run.
  • once completed, click OK.
  • a log will open in Notepad titled kprm-(date).txt.
  • please copy and paste its contents in your next reply.

===================================================

Update installed programs

Your versions of Java and Adobe Reader are out-of-date and need to be removed and updated.

Having the latest updates and removing old versions ensures there are no security vulnerabilities in your system.

To remove them:

  • click Start, Control Panel, Programs and Features.
  • click on each of these programs, one at a time, by name and then on Uninstall:


Java 8 Update 151
Adobe Flash Player 10
Adobe Reader 9.5.1

 

If you are prompted for an administrator password or confirmation, type the password or provide confirmation.

Go here and download the latest version of Flash Player.

Note: Before you hit the Download now button, uncheck the Chrome offer if it’s not something you want.

NEXT

Visit Adobe and download the latest version of Acrobat Reader.

NEXT

Install the latest version of Java:

Java

NOTE – when you install Java, before clicking on Install, be sure to Uncheck “Install the Ask Toolbar and make Ask my default search provider”

Even though I just had you get the latest version of Java, there is a vulnerability with regard to Java and web browsers. Therefore, we recommend disabling Java in web browsers.

More information can be found here.

===================================================

Recommended programs

SpywareBlaster. SpywareBlaster protects against bad ActiveX by immunizing your PC against it. It blocks over 11,000 bad sites and uses no resources of your computer.

======================

Update and run Malwarebytes. This really is an excellent program that you should update and run on a regular basis, probably weekly.

======================

It’s important to keep programs up to date so that malware doesn't exploit any old security flaws.

FileHippo Update Checker is an extremely helpful program that will tell you which of your programs need to be updated.

======================

Unchecky

Be careful when downloading free software. Many free programs come bundled with adware, much of which causes redirects/popups and verges on being malware. There is a program that automatically “unchecks” the boxes you may not notice when downloading programs.

Download and install Unchecky.

======================

Download and install CryptoPrevent

Crypto Ransomware Warning

There are particularly nasty “Ransomware” infections out there at the moment that encrypt your files, and the only way possible to get them “de-crypted” is to pay a ransom. You can read more about this here.

  • download CryptoPrevent
  • save the file to your Desktop and then open the program by clicking Run when prompted from your browser or by going to the desktop where the file was saved and double-clicking.
  • accept all the defaults during the install. The last screen of the install has a checkmark in "Launch CryptoPrevent". This will launch the program once you click Finish
  • you will get a prompt asking if you purchased a Product Key for Automatic Updates. Click No
  • you will then be prompted to learn more about automatic updates or if you want to purchase a key. This is up to you but you don't have to
  • click OK to continue and select your protection level. Go ahead and click OK.
  • click the Apply button to set Default protection
  • you may get a message stating that Windows Sidebar and Desktop Gadgets are a major security vulnerability and asking you if you want to disable them. If you don't use these features, answer Yes.

You are now protected.

Note: The free version doesn't provide automatic updates but should be updated often (at least weekly), as this infection has serious consequences. To update it manually, open the program, select the “Updates” menu, then select Check for Updates to see if there are any available.

===================================================

I also recommend that you read the following:

Best Practices for Safe Computing - Prevention of Malware Infection by miekiemoes

Simple and easy ways to keep your computer safe and secure on the Internet  by Lawrence Abrams

I will keep this open for 24 hours in case you have any problems, after which I’ll close the topic.

Safe computing

Satchfan


NINA - Proud graduate of the WTT Classroom

Member of UNITE

The help you receive here is free but if you feel I have helped, you may consider making a Donation.
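As an added check to go with the "Update installed programs" step above (this is not from the thread or from any of the tools it names): a read-only PowerShell snippet that lists the Java, Flash Player and Adobe Reader entries still registered under the Windows Uninstall keys, so you can confirm the old versions are really gone after uninstalling. The product-name patterns are assumptions based on the names listed in the post.

```powershell
# Added example (not from the thread): inventory Java / Flash / Adobe Reader entries
# from the Uninstall registry keys. Read-only; no admin rights needed to read these.
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

# Name prefixes of the products the post tells the user to remove/update
# (assumed patterns; adjust if your entries are named differently).
$watchList = 'Java', 'Adobe Flash Player', 'Adobe Reader', 'Adobe Acrobat Reader'

$found = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName } |
    Where-Object {
        $name = $_.DisplayName
        # Keep the entry if any watch-list prefix matches its display name
        $watchList | Where-Object { $name -like "$_*" }
    } |
    Select-Object DisplayName, DisplayVersion, Publisher, InstallDate, UninstallString |
    Sort-Object DisplayName

if ($found) {
    # Anything listed here is still installed; compare DisplayVersion with
    # the current release on the vendor's site before deciding it is safe.
    $found | Format-Table -AutoSize
} else {
    Write-Output 'No Java, Flash Player or Adobe Reader entries found in the Uninstall keys.'
}
```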

#23 joelk01

joelk01

    Authentic Member

  • Authentic Member
  • PipPip
  • 24 posts

Posted 01 November 2019 - 07:00 PM

# Run at 11/1/2019 8:58:38 PM
# KpRm (Kernel-panik) version 1.17
# Run by Hannah from C:\Users\Hannah\Desktop
# Computer Name: HANNAH-PC
# OS: Windows 7 X64 (7601) Service Pack 1
# Number of passes: 1
 
- Checked options -
 
    ~ Registry Backup
    ~ Delete Tools
    ~ Restore System Settings
    ~ UAC Restore
    ~ Delete Restore Points
    ~ Create Restore Point
 
- Create Registry Backup -
 
    ~ [OK] Hive C:\Windows\System32\config\SOFTWARE backed up
    ~ [OK] Hive C:\Users\Hannah\NTUSER.dat backed up
 
  [OK] Registry Backup: C:\KPRM\backup\2019-11-01-20-58-08
 
- Remove Tools -
 
 
  ## AdwCleaner
     [OK] C:\Users\Hannah\Desktop\adwcleaner_7.4.2.exe deleted (1)
     [OK] C:\AdwCleaner deleted (1)
 
  ## AswMBR
     [OK] C:\Users\Hannah\Desktop\MBR.dat deleted (1)
 
  ## Emisoft Emergency Kit
     [OK] C:\Users\Hannah\Desktop\EmsisoftEmergencyKit.exe deleted (1)
     [OK] C:\EEK deleted (1)
 
  ## FRST
     [OK] C:\Users\Hannah\Desktop\Addition.txt deleted (1)
     [OK] C:\Users\Hannah\Desktop\Fixlog.txt deleted (1)
     [OK] C:\Users\Hannah\Desktop\FRST-OlderVersion deleted (1)
     [OK] C:\Users\Hannah\Desktop\FRST.txt deleted (1)
     [OK] C:\Users\Hannah\Desktop\FRST64 (1).exe deleted (1)
     [OK] C:\FRST deleted (1)
 
  ## JavaRa
     [OK] C:\Users\Hannah\Desktop\JavaRa deleted (1)
     [OK] C:\Users\Hannah\Desktop\JavaRa-1.16-16-12-11 deleted (1)
 
  ## OTL
     [OK] C:\Users\Hannah\Desktop\otl.exe deleted (1)
 
  ## RogueKiller
     [OK] C:\Users\Hannah\Desktop\RogueKiller_setup_ref3 (1).exe deleted (1)
     [OK] C:\Users\Hannah\Desktop\RogueKiller_setup_ref3.exe deleted (1)
 
  ## SecurityCheck
     [OK] C:\Users\Hannah\Desktop\SecurityCheck.exe deleted (1)
 
  ## TFC
     [OK] C:\Users\Hannah\Desktop\TFC.exe deleted (1)
 
- Restore System Settings -
 
  [OK] Flush DNS
  [OK] Reset WinSock
  [OK] Hide Hidden file.
  [OK] Show Extensions for known file types
  [OK] Hide protected operating system files
 
- Restore UAC -
 
  [OK] Set ConsentPromptBehaviorAdmin with default (5) value
  [OK] Set ConsentPromptBehaviorUser with default (3) value
  [OK] Set EnableInstallerDetection with default (0) value
  [OK] Set EnableLUA with default (1) value
  [OK] Set EnableSecureUIAPaths with default (1) value
  [OK] Set EnableUIADesktopToggle with default (0) value
  [OK] Set EnableVirtualization with default (1) value
  [OK] Set FilterAdministratorToken with default (0) value
  [OK] Set PromptOnSecureDesktop with default (1) value
  [OK] Set ValidateAdminCodeSignatures with default (0) value
 
- Clear Restore Points -
 
    ~ [OK] RP named Scheduled Checkpoint created at 10/30/2019 03:32:19 deleted
 
  [OK] All system restore points have been successfully deleted
 
- Create Restore Point -
 
  [OK] System Restore Point created
 
- Display System Restore Point -
 
    ~ [I] RP named KpRm created at 11/02/2019 00:59:15 found
 
-- KPRM finished in 55.91s --
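The "Restore UAC" section of the KpRm log above lists ten registry values and the defaults it set them to. As an added example (not part of the thread and not KpRm's own code), here is a read-only PowerShell check that reads those values from the UAC policy key and reports any that differ from the defaults printed in the log; the key path is the standard location of these settings, and the "defaults" are taken from the log rather than from any particular Windows edition.

```powershell
# Added example (not from the thread or KpRm): compare current UAC policy values
# with the defaults listed in the KpRm "Restore UAC" section. Read-only.
$uacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

# Expected values, copied from the KpRm log above.
$uacDefaults = [ordered]@{
    ConsentPromptBehaviorAdmin  = 5   # prompt for consent for non-Windows binaries
    ConsentPromptBehaviorUser   = 3   # prompt for credentials on the secure desktop
    EnableInstallerDetection    = 0
    EnableLUA                   = 1   # 1 = UAC enabled; 0 would mean UAC is off
    EnableSecureUIAPaths        = 1
    EnableUIADesktopToggle      = 0
    EnableVirtualization        = 1
    FilterAdministratorToken    = 0
    PromptOnSecureDesktop       = 1   # elevation prompts shown on the secure desktop
    ValidateAdminCodeSignatures = 0
}

$current = Get-ItemProperty -Path $uacKey
$drift = @()

$report = foreach ($name in $uacDefaults.Keys) {
    $expected = $uacDefaults[$name]
    $actual   = $current.$name            # $null when the value does not exist
    $ok = ($null -ne $actual) -and ([int]$actual -eq $expected)
    if (-not $ok) { $drift += $name }
    [pscustomobject]@{
        Setting  = $name
        Expected = $expected
        Actual   = $actual
        Matches  = $ok
    }
}

$report | Format-Table -AutoSize

if ($drift.Count -eq 0) {
    Write-Output 'All UAC values match the defaults from the log.'
} else {
    # A changed EnableLUA or PromptOnSecureDesktop is the one to look at first,
    # since those weaken or disable UAC outright.
    Write-Output "Values differing from default: $($drift -join ', ')"
}
```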


#24 Satchfan

Satchfan

    SuperHelper

  • Malware Team
  • 6,813 posts
  • Interests:LFC, music, more LFC, more music

Posted 02 November 2019 - 03:25 AM

:thumbup:



#25 joelk01

joelk01

    Authentic Member

  • Authentic Member
  • PipPip
  • 24 posts

Posted 02 November 2019 - 07:28 AM

The original email and pdf file I opened were phony.

Was my system compromised between the time I opened that file and when we completed the processes that we did here?

Thank you again.



#26 joelk01

joelk01

    Authentic Member

  • Authentic Member
  • PipPip
  • 24 posts

Posted 02 November 2019 - 11:01 AM

Looks like CryptoPrevent deleted their free version.  



#27 Satchfan

Satchfan

    SuperHelper

  • Malware Team
  • 6,813 posts
  • Interests:LFC, music, more LFC, more music

Posted 02 November 2019 - 05:13 PM

Was my system compromised between the time I opened that file and when we completed the processes that we did here?

No

 

Looks like CryptoPrevent deleted their free version

Apologies, they did.

 

The paid version of Malwarebytes, however, will do a good job of keeping you protected from pretty much anything that your antivirus misses. Go to the Malwarebytes website, which supplies all the information: I would suggest that you subscribe to the Premium version, which is a cheap price to pay for the protection it gives.

 

Satchfan



#28 Satchfan

Satchfan

    SuperHelper

  • Malware Team
  • 6,813 posts
  • Interests:LFC, music, more LFC, more music

Posted 03 November 2019 - 03:41 PM

Since this issue appears to be resolved ... this Topic has been closed. Glad we could be of assistance.

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please follow the instructions here http://forums.whatth...ed_t106388.html and start a New Topic.


