Hijack.folderoptions won't remove.


#16 oPiruz (Member, Topic Starter, 23 posts)

aswMBR version 1.0.1.2290 Copyright© 2014 AVAST Software
Run date: 2016-05-23 22:51:46
-----------------------------
22:51:46.248    OS Version: Windows x64 6.2.9200 
22:51:46.248    Number of processors: 8 586 0x3C03
22:51:46.248    ComputerName: DESKTOP-O1J00JT  UserName: oPiruz
22:51:46.477    Initialize success
22:51:46.895    VM: initialized successfully
22:51:46.895    VM: Intel CPU supported 
22:51:50.129    VM: disk I/O storahci.sys
22:52:38.959    AVAST engine defs: 16052301
22:52:48.641    Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\00000036
22:52:48.643    Disk 0 Vendor: APOTOP_SSD_S3C N0530A Size: 122104MB BusType: 11
22:52:48.644    Disk 1  \Device\Harddisk1\DR1 -> \Device\00000037
22:52:48.646    Disk 1 Vendor: TOSHIBA_DT01ACA200 MX4OABB0 Size: 1907729MB BusType: 11
22:52:48.652    Disk 0 MBR read successfully
22:52:48.654    Disk 0 MBR scan
22:52:48.659    Disk 0 unknown MBR code
22:52:48.661    Disk 0 Partition 1 00     EE            GPT           2097151 MB offset 1
22:52:48.683    Disk 0 scanning C:\WINDOWS\system32\drivers
22:52:50.608    Service scanning
22:53:00.120    Modules scanning
22:53:00.294    AVAST engine scan C:\
22:53:12.458    Disk 0 MBR has been saved successfully to "D:\Desktop\MBR.dat"
22:53:12.463    The log file has been saved successfully to "D:\Desktop\aswMBR.txt"



#17 RKinner (Malware Expert, MVP, 20,031 posts)

Use IE and go to http://eset.com/onlinescan and click on ESET Online Scanner. Accept the terms, then press Start (if you get a warning from your browser, tell it you want to run it).

1. Check Scan Archives.
2. Push the Start button.
3. ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
4. When the scan completes, push LIST OF THREATS FOUND.
5. Push EXPORT TO TEXT FILE, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
6. Push the BACK button.
7. Push Finish.
8. Once the scan is completed, you may close the window.
9. Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
10. Copy and paste that log as a reply.


#18 oPiruz (Member, Topic Starter, 23 posts)

C:\Users\oPiruz\AppData\Roaming\PowerISO\Upgrade\PowerISO6-x64.exe a variant of Win32/DealPly.BX potentially unwanted application deleted
D:\$RECYCLE.BIN\S-1-5-21-761187832-1820794338-2722413759-1001\$RZ1PKYR.exe a variant of Win32/Packed.EnigmaProtector.J suspicious application cleaned by deleting


#19 RKinner (Malware Expert, MVP, 20,031 posts)

ESET found something hiding in the RECYCLE bin on D. Merge the last pol.reg again (the one from http://www.geekstogo...e/#entry2563384), reboot, and then see if MBAM is still finding it.


#20 oPiruz (Member, Topic Starter, 23 posts)

It seems to be gone, and after looking through the ESET scan, that file in the recycle bin, "Enigma Protector", is something I stopped using a few months back; I was using it to protect my cheats from anti-cheats on some games I played. I'm going to wait till tomorrow to say for sure it's gone, as in the past it seemed fixed and after the next night it was detected again.


#21 oPiruz (Member, Topic Starter, 23 posts)

Checked today and it's still there. Is there anything else we can attempt?


#22 RKinner (Malware Expert, MVP, 20,031 posts)

Download RogueKiller to your desktop
*There are download links at the bottom of the page.  Cancel the popup.
  • Quit all running programs
  • For Vista/Seven+, right click -> run as administrator, for XP simply run RogueKiller.exe
  • When prompted, type 1 and validate
  • The RKreport.txt shall be generated next to the executable.
  • If the program is blocked, do not hesitate to try several times. If it really does not work (it could happen), rename it to winlogon.exe 
  • Please post the contents of the RKreport.txt in your next Reply.


    #23 oPiruz (Member, Topic Starter, 23 posts)

    RogueKiller V12.3.0.0 (x64) [May 22 2016] (Free) by Adlice Software
     
    Operating System : Windows 10 (10.0.10586) 64 bits version
    Started in : Normal mode
    User : oPiruz [Administrator]
    Started from : C:\Program Files\RogueKiller\RogueKiller64.exe
    Mode : Scan -- Date : 05/25/2016 10:11:10
     
    ¤¤¤ Processes : 4 ¤¤¤
    [Tr.Zeus] mbamservice.exe(2920) -- D:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe[x] -> Found
    [Suspicious.Path] Discord.exe(9908) -- C:\Users\oPiruz\AppData\Local\Discord\app-0.0.290\Discord.exe[x] -> Found
    [Suspicious.Path] Discord.exe(7400) -- C:\Users\oPiruz\AppData\Local\Discord\app-0.0.290\Discord.exe[x] -> Found
    [Suspicious.Path] Discord.exe(7548) -- C:\Users\oPiruz\AppData\Local\Discord\app-0.0.290\Discord.exe[x] -> Found
     
    ¤¤¤ Registry : 2 ¤¤¤
    [Suspicious.Path] (X64) HKEY_USERS\S-1-5-21-761187832-1820794338-2722413759-1001\Software\Microsoft\Windows\CurrentVersion\Run | Discord : C:\Users\oPiruz\AppData\Local\Discord\app-0.0.290\Discord.exe [7] -> Found
    [Suspicious.Path] (X86) HKEY_USERS\S-1-5-21-761187832-1820794338-2722413759-1001\Software\Microsoft\Windows\CurrentVersion\Run | Discord : C:\Users\oPiruz\AppData\Local\Discord\app-0.0.290\Discord.exe [7] -> Found
     
    ¤¤¤ Tasks : 0 ¤¤¤
     
    ¤¤¤ Files : 0 ¤¤¤
     
    ¤¤¤ Hosts File : 0 ¤¤¤
     
    ¤¤¤ Antirootkit : 0 (Driver: Loaded) ¤¤¤
     
    ¤¤¤ Web browsers : 1 ¤¤¤
    [PUP][CHROME:Addon] Default : AVG Web TuneUp [chfdnecihphmhljaaejmgoiahnihplgn] -> Found
     
    ¤¤¤ MBR Check : ¤¤¤
    +++++ PhysicalDrive0: APOTOP SSD S3C +++++
    --- User ---
    [MBR] 886e585527556946b6b32654cb6bfb72
    [BSP] 18af9c4429e0d0f29a96d757c9c67b8b : Empty|VT.Unknown MBR Code
    Partition table:
    0 - [SYSTEM][MAN-MOUNT] Basic data partition | Offset (sectors): 2048 | Size: 300 MB
    1 - [MAN-MOUNT] EFI system partition | Offset (sectors): 616448 | Size: 100 MB
    2 - [MAN-MOUNT] Microsoft reserved partition | Offset (sectors): 821248 | Size: 128 MB
    3 - Basic data partition | Offset (sectors): 1083392 | Size: 121125 MB
    4 - [SYSTEM][MAN-MOUNT]  | Offset (sectors): 249147392 | Size: 450 MB
    User = LL1 ... OK
    User = LL2 ... OK
     
    +++++ PhysicalDrive1: TOSHIBA DT01ACA200 +++++
    --- User ---
    [MBR] 377337334809a62ae227016e358a8b82
    [BSP] d705637609946a6b1b5d222c67e3d0e6 : Windows Vista/7/8|VT.Unknown MBR Code
    Partition table:
    0 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 2048 | Size: 1907727 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
    User = LL1 ... OK
    User = LL2 ... OK
     
    +++++ PhysicalDrive2: PNY USB 2.0 FD USB Device +++++
    --- User ---
    [MBR] 38adfbd8ce3a6950ded0a544f61aa145
    [BSP] 9e3b3c473b1db0daa516427cdae6e1cc : Windows Vista/7/8 MBR Code
    Partition table:
    0 - [ACTIVE] FAT32-LBA (0xc) [VISIBLE] Offset (sectors): 2048 | Size: 15599 MB
    User = LL1 ... OK
    Error reading LL2 MBR! ([32] The request is not supported. )

    Discord is nothing to worry about; it's a voice chat used for gaming.


    #24 RKinner (Malware Expert, MVP, 20,031 posts)

    Sorry for the delay. Was on a trip and the hotel's WiFi was broken.

    I'm wondering if one of the scheduled tasks is at fault. They look OK but could be bad. Search for "scheduler". It should find Task Scheduler. Click on it and hit Enter. Click on Task Scheduler Library and look in the right pane. For each task you see, right click on it and disable. Close Task Scheduler. Merge the last pol.reg. Then reboot. See if the problem comes back. If it does, then the tasks are not at fault and can be enabled the same way.

    Sometimes you need to step out of Windows to find a culprit. You can try running a scan from a bootable CD like AVG's Rescue Disk:

    http://www.geekstogo...ystem-tutorial/

    Another possibility, if we can't find the cause, would be to prevent it from making changes by going into the Registry and changing the permissions so no one can write to the 3 registry keys. These are not keys that need to change, so it should work without impacting normal operations.

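The task-by-task disabling RKinner describes in #24 can be done from an elevated PowerShell prompt, which also leaves a record of what each task was set to run and when. The script below is an added example; it is not from this thread or from any of the tools mentioned in it. It writes every task in the root of the Task Scheduler Library (name, state, author, trigger types, trigger start times and the command line of each action) to a CSV on the desktop, disables the ones that are enabled, and can later re-enable exactly those, one at a time if wanted. The snapshot file name is an assumption. The trigger start times are the column to compare against the hours in which the detection keeps returning.

```powershell
# Added example, not code from the thread. Run from an elevated PowerShell
# prompt on Windows 8/10 or later (uses the ScheduledTasks module).
# Assumption: the snapshot is written to the desktop under this name.
$Snapshot = Join-Path $env:USERPROFILE 'Desktop\task-snapshot.csv'

# Tasks whose TaskPath is '\' are the ones shown in the right pane when
# 'Task Scheduler Library' itself is selected; the \Microsoft\... subfolders
# are left alone, as in the post.
function Get-RootTasks {
    Get-ScheduledTask -TaskPath '\' -ErrorAction SilentlyContinue
}

# Write name, state, author, trigger types, trigger start times and the
# command line of each action to a CSV before anything is changed.
function Save-TaskSnapshot {
    param([Parameter(Mandatory)][string]$Path)
    Get-RootTasks | ForEach-Object {
        $t = $_
        [pscustomobject]@{
            TaskName      = $t.TaskName
            State         = [string]$t.State
            Author        = $t.Author
            TriggerTypes  = ($t.Triggers | ForEach-Object { $_.CimClass.CimClassName -replace '^MSFT_Task', '' }) -join ';'
            StartBoundary = ($t.Triggers | ForEach-Object { $_.StartBoundary }) -join ';'
            Actions       = ($t.Actions  | ForEach-Object { "$($_.Execute) $($_.Arguments)".Trim() }) -join ';'
        }
    } | Export-Csv -Path $Path -NoTypeInformation
    Write-Host "Snapshot written to $Path"
}

# Disable every root task that is currently enabled.
function Disable-RootTasks {
    Get-RootTasks | Where-Object { $_.State -ne 'Disabled' } | ForEach-Object {
        Disable-ScheduledTask -TaskName $_.TaskName -TaskPath '\' | Out-Null
        Write-Host "Disabled: $($_.TaskName)"
    }
}

# Re-enable only the tasks the snapshot recorded as enabled; with -TaskName,
# just that one, so a returning detection points at a single task.
function Restore-RootTasks {
    param([Parameter(Mandatory)][string]$Path, [string]$TaskName)
    Import-Csv -Path $Path |
        Where-Object { $_.State -ne 'Disabled' -and (-not $TaskName -or $_.TaskName -eq $TaskName) } |
        ForEach-Object {
            Enable-ScheduledTask -TaskName $_.TaskName -TaskPath '\' | Out-Null
            Write-Host "Re-enabled: $($_.TaskName)"
        }
}

Save-TaskSnapshot -Path $Snapshot
Disable-RootTasks
# After a clean night, bring tasks back one at a time:
#   Restore-RootTasks -Path $Snapshot -TaskName 'SomeTask'
# or all at once:
#   Restore-RootTasks -Path $Snapshot
```

Open the CSV before re-enabling anything: an action that runs something out of a user profile or temp directory, or a trigger whose StartBoundary falls in the overnight window, is the first task to leave disabled.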

    #25 oPiruz (Member, Topic Starter, 23 posts)

    After disabling those tasks it seems to be gone, but once again I'm going to wait until tomorrow morning to be safe because it seems like after every night the 3 files show back up.


    #26 RKinner (Malware Expert, MVP, 20,031 posts)

    It's also possible that some program you run may bring them back, so keep track of what programs you run.


    #27 oPiruz (Member, Topic Starter, 23 posts)

    Programs I run throughout the day are Steam games, Chrome, and sometimes Adobe Premiere/Photoshop, OBS for streaming (which I don't run EVERY day), and Gyazo for screenshots. Some of those I don't use every day.


    #28 oPiruz (Member, Topic Starter, 23 posts)

    I didn't restart my PC just to be safe, but some time in between 2 AM and 5 AM, because when I woke up at 5 I had the malware warning.

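Since the entries come back overnight whether or not the machine is rebooted, the question is which process writes them. The script below is an added example, not from this thread; it does two things on the registry keys MBAM reports (the thread does not list them, so they are passed in as a parameter). First it puts an audit entry (SACL) on each key and turns on the "Registry" audit subcategory, so that the next write is logged as Security event 4657 together with the name of the process that did it. Second, as the lockdown RKinner suggests in #24, it adds a Deny entry for write-type rights to Everyone, and can remove it again. The names of the functions and the choice of rights are mine.

```powershell
# Added example, not code from the thread. Run from an elevated PowerShell
# prompt. Pass the key paths MBAM reported, e.g.
#   .\watch-keys.ps1 -Keys 'HKLM:\SOFTWARE\<key reported by MBAM>'
param([Parameter(Mandatory)][string[]]$Keys)

Add-Type -AssemblyName System.Security 2>$null
$Everyone    = [System.Security.Principal.SecurityIdentifier]'S-1-1-0'   # 'Everyone', language-independent
$WriteRights = [System.Security.AccessControl.RegistryRights]'SetValue, CreateSubKey, Delete'
$Inherit     = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit'
$Propagate   = [System.Security.AccessControl.PropagationFlags]'None'

# 1. Audit: log every successful write-type access to the key. Object-access
#    auditing is off by default, so the 'Registry' subcategory is enabled too.
function Enable-RegistryWriteAudit {
    param([Parameter(Mandatory)][string]$KeyPath)
    auditpol /set /subcategory:"Registry" /success:enable | Out-Null
    $acl  = Get-Acl -Path $KeyPath -Audit
    $rule = New-Object System.Security.AccessControl.RegistryAuditRule(
        $Everyone, $WriteRights, $Inherit, $Propagate,
        [System.Security.AccessControl.AuditFlags]::Success)
    $acl.AddAuditRule($rule)
    Set-Acl -Path $KeyPath -AclObject $acl
}

# 2. Read back: event 4657 'A registry value was modified' names the key,
#    the value, the account and the writing process. Fields are read by name
#    from the event XML rather than by position.
function Get-RegistryWriteEvents {
    param([datetime]$Since = (Get-Date).AddDays(-1))
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4657; StartTime = $Since } -ErrorAction SilentlyContinue |
        ForEach-Object {
            $d = @{}
            foreach ($n in ([xml]$_.ToXml()).Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
            [pscustomobject]@{
                Time      = $_.TimeCreated
                User      = $d['SubjectUserName']
                Key       = $d['ObjectName']
                ValueName = $d['ObjectValueName']
                NewValue  = $d['NewValue']
                Process   = $d['ProcessName']
                ProcessId = $d['ProcessId']
            }
        }
}

# 3. Lockdown: deny SetValue/CreateSubKey/Delete to Everyone. Ownership and
#    permission changes are deliberately not denied so this can be undone
#    with Remove-RegistryWriteDeny; that also means anything running as
#    administrator or SYSTEM could undo it, so treat it as a speed bump.
function Add-RegistryWriteDeny {
    param([Parameter(Mandatory)][string]$KeyPath)
    $acl  = Get-Acl -Path $KeyPath
    $rule = New-Object System.Security.AccessControl.RegistryAccessRule(
        $Everyone, $WriteRights, $Inherit, $Propagate,
        [System.Security.AccessControl.AccessControlType]::Deny)
    $acl.AddAccessRule($rule)
    Set-Acl -Path $KeyPath -AclObject $acl
}

function Remove-RegistryWriteDeny {
    param([Parameter(Mandatory)][string]$KeyPath)
    $acl = Get-Acl -Path $KeyPath
    $acl.GetAccessRules($true, $false, [System.Security.Principal.SecurityIdentifier]) |
        Where-Object { $_.AccessControlType -eq 'Deny' -and $_.IdentityReference.Value -eq 'S-1-1-0' } |
        ForEach-Object { [void]$acl.RemoveAccessRule($_) }
    Set-Acl -Path $KeyPath -AclObject $acl
}

foreach ($k in $Keys) { Enable-RegistryWriteAudit -KeyPath $k }
Write-Host "Auditing writes to: $($Keys -join ', ')"
# Next morning:
#   Get-RegistryWriteEvents | Format-Table -AutoSize
# Then, if wanted, lock the keys:
#   foreach ($k in $Keys) { Add-RegistryWriteDeny -KeyPath $k }
```

Run the audit step first and read the events before locking anything: the Process column is what tells you whether the writer is a scheduled task, a service, or one of the programs listed in #27, and the Deny entry would only hide that. Remove the Deny before any Windows policy or feature update that is expected to touch those keys.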

    #29 RKinner (Malware Expert, MVP, 20,031 posts)

    Copy the next line:

    DISM /Online /Cleanup-Image /RestoreHealth

    Open an elevated command prompt as before.

    Right click and Paste (or Edit then Paste) and the copied line will appear. Hit Enter.

    Once the prompt returns:

    sfc /scannow

    Does this finish without complaint? If not, copy the next two lines:

    findstr /c:"[SR]" \windows\logs\cbs\cbs.log > \windows\logs\cbs\junk.txt
    notepad \windows\logs\cbs\junk.txt

    Return to the elevated command prompt and paste them in as before. If notepad does not open, hit Enter. Copy and paste the text to a Reply.

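The same sequence from #29, as an added PowerShell example that is not from the thread: run DISM, then sfc, then pull out of CBS.log only the [SR] lines that report a problem and only those from today's run. CBS.log keeps the lines from every earlier sfc run, so the raw `findstr /c:"[SR]"` output is long and includes old results. The wording matched here ("Cannot repair", "Repairing", "corrupt") and the date prefix on CBS.log lines are assumptions about the usual log format, not something the thread shows.

```powershell
# Added example, not code from the thread. Run from an elevated PowerShell
# prompt on the affected machine.

# Repair the component store first, because sfc takes its replacement files
# from it; then verify and repair the protected system files.
function Invoke-SystemFileRepair {
    & "$env:windir\System32\DISM.exe" /Online /Cleanup-Image /RestoreHealth
    & "$env:windir\System32\sfc.exe" /scannow
}

# [SR] lines from CBS.log that report a problem. With -TodayOnly, keep only
# lines whose leading timestamp is today's date (assumed format:
# 'YYYY-MM-DD HH:MM:SS, Info CBS ...').
function Get-SfcFindings {
    param(
        [string]$CbsLog = "$env:windir\Logs\CBS\CBS.log",
        [switch]$TodayOnly
    )
    $today = Get-Date -Format 'yyyy-MM-dd'
    Select-String -Path $CbsLog -Pattern '\[SR\]' |
        ForEach-Object { $_.Line } |
        Where-Object { $_ -match 'Cannot repair|Repairing|corrupt' } |
        Where-Object { -not $TodayOnly -or $_.StartsWith($today) }
}

Invoke-SystemFileRepair
$findings = Get-SfcFindings -TodayOnly
$out = "$env:windir\Logs\CBS\junk.txt"     # same file name the post uses
if ($findings) {
    $findings | Set-Content -Path $out
    Write-Host "$($findings.Count) problem line(s) written to $out"
    notepad.exe $out
} else {
    Write-Host "No [SR] problem lines from today's run in CBS.log"
}
```

"Cannot repair member file" lines are the ones to post; "Repairing corrupted file" lines mean sfc handled the file itself.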

    #30 oPiruz (Member, Topic Starter, 23 posts)

    It finished without complaint.
