Tech Support Forum > Security Center > Virus/Trojan/Spyware Help > Resolved HJT Threads


Possible unresolved Malware infection


Old 09-27-2015, 10:14 AM   #1
Registered Member
 
Join Date: Nov 2006
Location: North Carolina
Posts: 24
OS: Windows Vista



Hello.
I was prompted to begin a new thread in this category because there might be a possibility that my laptop might still be infected with malware.

As I explained in my other thread "Need Drivers for Multimedia Video Controller and PCI Devices", I have taken my laptop to the repair shop to rid it of what I thought might be malware.

Whatever it was was preventing MalwareBytes from reinstalling, as well as a nonfunctional Live Protection prior to uninstalling and trying to reinstall.

The repair shop fixed the problem but left my laptop in a jumble. I have been trying to put my desktop back together again as well as get other things and programs rearranged back to my liking. Some things I've kept, others not.

But it was pointed out to me that in order to be safe, you experts might want to take a second look at my laptop to be sure it is clean.

Therefore, here are the DDS logs you request. I hope you can determine if I have any issues. Thank you.
Attached Files
File Type: txt attach.txt (11.1 KB, 51 views)
File Type: txt dds.txt (13.1 KB, 48 views)
SwimmSpace9 is offline  
Old 09-28-2015, 12:31 AM   #2
Security Team
Analyst
 
 
Join Date: Oct 2010
Location: Turkiye
Posts: 1,859
OS: Windows 7 (32 Bit)



Hello SwimmSpace9,

My name is Tolga and I will assist you with your malware related problems.

Before we move on, please read the following points carefully.

If you haven't already, please Subscribe to this Thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant notification by email, then click Add Subscription.
First, read my instructions completely. If there is anything that you do not understand kindly ask before proceeding.
Please download to and run all requested tools from your Desktop.
Perform everything in the correct order. Sometimes one step requires the previous one.
If you have any problems while following my instructions, Stop there and tell me the exact nature of your problem.
Do not run any other scans without instruction or add/remove software unless I tell you to do so. This would change the output of our tools and could be confusing for me.
Post all logfiles as a reply rather than as an attachment unless I specifically ask you. If you can not post all logfiles in one reply, feel free to use more posts.
If I don't hear from you within 3 days from this initial or any subsequent post, then this thread will be closed.
Stay with me. I will give you some advice about prevention after the cleanup process. Absence of symptoms does not always mean the computer is clean.
My native language is not English. So please do not use slang or idioms. It could be hard for me to read. Thanks for your understanding.

Now, let's get started, shall we?

Please do the below instructions:

Please download Farbar Recovery Scan Tool and save it to your desktop.

Double-click to run it. When the tool opens click Yes to the disclaimer.
Make sure the Addition.txt button is ticked.
Press Scan button.
It will make a log (FRST.txt) in the same directory the tool is run. Please attach it to your reply.
The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply.
tekir06 is offline  
Old 09-28-2015, 08:59 PM   #3
Registered Member
 
Join Date: Nov 2006
Location: North Carolina
Posts: 24
OS: Windows Vista



Hello and thank you for the reply. I will try and keep up with you. I keep a busy schedule and not much time for much. I can subscribe to this thread if you wish, but it will make little difference as to when I can reply. All I can tell you is that I will try and check my computer once a day before bedtime. Please let me know if this is OK for you.

OK. Well, for starters, I am having trouble downloading Farbar Recovery Scan Tool. My Trend Micro antivirus program keeps regarding it as a suspicious file. I tell Trend Micro to add it to the Trusted List but it keeps turning Farbar off and not letting it stay open whenever I try to open it.

What should I do next?
SwimmSpace9 is offline  
Old 09-28-2015, 11:16 PM   #4
Security Team
Analyst
 
 
Join Date: Oct 2010
Location: Turkiye
Posts: 1,859
OS: Windows 7 (32 Bit)



Hello SwimmSpace9,
Quote:
Hello and thank you for the reply. I will try and keep up with you. I keep a busy schedule and not much time for much. I can subscribe to this thread if you wish, but it will make little difference as to when I can reply. All I can tell you is that I will try and check my computer once a day before bedtime. Please let me know if this is OK for you.
Ok. No problem.
Quote:
OK. Well, for starters, I am having trouble downloading Farbar Recovery Scan Tool. My Trend Micro antivirus program keeps regarding it as a suspicious file. I tell Trend Micro to add it to the Trusted List but it keeps turning Farbar off and not letting it stay open whenever I try to open it.
Some security software may give a warning message. But it is not suspicious or harmful. We use it all the time. Disable Trend Micro, then try to re-download Farbar Recovery Scan Tool. You can benefit from the link below.


https://www.techsupportforum.com/foru...ns-490111.html
tekir06 is offline  
Old 09-30-2015, 05:50 PM   #5
Registered Member
 
Join Date: Nov 2006
Location: North Carolina
Posts: 24
OS: Windows Vista



Hello.

Just wanted to let you know I am trying to perform the actions you ask. I didn't respond last night because it was late and when I tried to execute some of the actions, my laptop froze up having too many windows open and I had to do a restart. I was too tired to think so I went to bed.

Tonight, I am trying to get going again but the same things are happening....

It is a 7 year old laptop and it is just getting slower and slower to function. I had to do a restart again as it froze up while trying to get to the "How to disable your security applications" link you provided to me.

After the restart, the laptop is working. But slowly. It is as if the laptop needs to 'wake up' and find a 'pathway' it needs to take to perform a designated operation.

It can take up to one minute each for each mouse click to execute. I am wondering if this has to do with all the scripts and advertising on webpages these days. That my old laptop can no longer load all of that information and advertising quickly.

Anyway, I just wanted to let you know I am still trying to stay with you. But this laptop is soooo slow, that I can only do just so much in one night before bedtime.

Thanks.
SwimmSpace9 is offline  
Old 09-30-2015, 07:11 PM   #6
Registered Member
 
Join Date: Nov 2006
Location: North Carolina
Posts: 24
OS: Windows Vista



Ok. I'm trying to print out the link you gave me: "How to disable your security applications." But what is happening is the laptop is freezing up and I can't do anything but a forced shutdown.

When I try to come back through all the webpages and mouse clicks to get to that page ( about 5 webpages are open at this point), and try again to print, everything freezes up every time. The mouse pointer is stuck, too. I have to do a forced shut off of the power button on the computer.

I wanted to print out that information because it is a lot of good information.

I am stuck right now. I can't get around this problem to continue with your instructions.

Any ideas on what I should do next?
SwimmSpace9 is offline  
Old 09-30-2015, 08:01 PM   #7
Registered Member
 
Join Date: Nov 2006
Location: North Carolina
Posts: 24
OS: Windows Vista



OK, round two.

I managed to print out the information using Microsoft Word.

Then I proceeded to disable Trend Micro antivirus, download Farbar Recovery Scan Tool and run a scan.

Here are the results attached.

I hope they attached. I hit the upload button. Did you get them? Did I do it right? Do I need to do something different?

Thanks. I hope this is right.
Attached Files
File Type: txt Addition.txt (30.4 KB, 43 views)
File Type: txt FRST.txt (28.6 KB, 41 views)
SwimmSpace9 is offline  
Old 10-01-2015, 11:32 PM   #8
Security Team
Analyst
 
 
Join Date: Oct 2010
Location: Turkiye
Posts: 1,859
OS: Windows 7 (32 Bit)



Hello SwimmSpace9,

Thanks for the logs. Everything's okay. No problem. Let's move on. Please do the below steps.

STEP 1

We need to uninstall some programs.

Press the Windows Key + R on your keyboard at the same time. Type appwiz.cpl and click OK.
Search there for each entry mentioned below, right-click the entry and click Uninstall, one at a time.

The list of programs to uninstall:

DriverToolkit version 8.5.0.0 >>>>> READ

===============================================

STEP 2

Open Notepad (Start > All Programs > Accessories > Notepad).
Please copy all the text in the codebox below. (To do this highlight the contents of the box, right-click on it and select Copy. Right-click in the open Notepad and select Paste).
Save it as fixlist.txt next to FRST.exe

NOTE: Both FRST.exe and the fixlist.txt must be in the same location or the fix will not work.
Code:
CreateRestorePoint:
Task: {69FCFFE1-247D-4DBF-9D0C-9540C3D7B502} - System32\Tasks\DriverToolkit Autorun
Task: C:\Windows\Tasks\DriverToolkit Autorun.job => C:\Program Files\DriverToolkit\DriverToolkit.exe
AlternateDataStreams: C:\ProgramData\TEMP:5C321E34
GroupPolicy: Restriction - Chrome <======= ATTENTION
CHR HKLM\SOFTWARE\Policies\Google: Restriction <======= ATTENTION
SearchScopes: HKU\S-1-5-21-443181598-604131603-1978781513-1000 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
2015-09-30 21:58 - 2015-07-26 21:32 - 00000346 _____ C:\Windows\Tasks\DriverToolkit Autorun.job
EmptyTemp:
Double-click FRST to run the tool. If the tool warns you the version is outdated, please download and run the updated version.
Click the Fix button just once, and wait.
If you receive a message that a reboot is required, please make sure you allow it to restart normally.
The tool will complete its run after the restart.
When finished, the tool will make a log (Fixlog.txt) in the same location from where it was run. Please post the Fixlog.txt log in your reply.

NOTE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system
tekir06 is offline  
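As an added example that is not part of the thread or of FRST itself, the following read-only PowerShell audit checks the same persistence points the fixlist above targets: a scheduled task and its legacy .job file, an alternate data stream under C:\ProgramData, a Chrome policy restriction (registry key plus local GPO folder), and an Internet Explorer DefaultScope with an empty URL. It assumes PowerShell 3.0 or later and an elevated prompt; the DriverToolkit name pattern is taken from the fixlist and is the only page-specific value.

```powershell
# Added example, not from the thread: read-only audit of the persistence points the FRST
# fixlist removed. Assumes PowerShell 3.0+ (Get-ScheduledTask, Get-Item -Stream) and an
# elevated prompt. Nothing here modifies the system; it only reports.

function Get-PersistenceFindings {
    param(
        # Assumption: the vendor name comes from the thread's fixlist; change it for other cases.
        [string]$TaskNamePattern = 'DriverToolkit'
    )
    $findings = New-Object System.Collections.Generic.List[object]
    function Add-Finding([string]$Kind, [string]$Where, [string]$Detail) {
        $findings.Add([pscustomobject]@{ Kind = $Kind; Where = $Where; Detail = $Detail })
    }

    # 1. Scheduled tasks: name matches the pattern, or the action runs from a user-writable
    #    location (AppData, ProgramData, Temp), which is where unwanted software usually lives.
    foreach ($task in (Get-ScheduledTask -ErrorAction SilentlyContinue)) {
        foreach ($action in $task.Actions) {
            if (-not $action.Execute) { continue }   # non-exec actions (COM handlers) have no path
            if ($task.TaskName -match $TaskNamePattern -or
                $action.Execute -match '\\AppData\\|\\ProgramData\\|\\Temp\\') {
                $cmd = "$($action.Execute) $($action.Arguments)".Trim()
                Add-Finding 'ScheduledTask' "$($task.TaskPath)$($task.TaskName)" $cmd
            }
        }
    }
    # Legacy .job files (the fixlist listed C:\Windows\Tasks\DriverToolkit Autorun.job).
    foreach ($job in (Get-ChildItem -Path "$env:windir\Tasks" -Filter '*.job' -ErrorAction SilentlyContinue)) {
        Add-Finding 'LegacyJob' $job.FullName "modified $($job.LastWriteTime)"
    }

    # 2. Alternate data streams directly under C:\ProgramData (fixlist: C:\ProgramData\TEMP:5C321E34).
    #    Stream enumeration on directories varies by PowerShell version, so errors are suppressed.
    foreach ($item in (Get-ChildItem -Path $env:ProgramData -Force -ErrorAction SilentlyContinue)) {
        $streams = Get-Item -LiteralPath $item.FullName -Stream * -ErrorAction SilentlyContinue |
                   Where-Object { $_.Stream -ne ':$DATA' }   # ':$DATA' is the normal main stream
        foreach ($s in $streams) {
            Add-Finding 'AlternateDataStream' $item.FullName "$($s.Stream) ($($s.Length) bytes)"
        }
    }

    # 3. Chrome policy restrictions: the Policies\Google registry keys and the local GPO
    #    folder/GPT.ini that FRST moved in the Fixlog.
    foreach ($key in 'HKLM:\SOFTWARE\Policies\Google', 'HKCU:\SOFTWARE\Policies\Google') {
        if (-not (Test-Path $key)) { continue }
        foreach ($sub in @(Get-Item $key) + @(Get-ChildItem $key -Recurse)) {
            $values = $sub.GetValueNames() | ForEach-Object { "$_=$($sub.GetValue($_))" }
            if ($values) { Add-Finding 'ChromePolicy' $sub.Name ($values -join '; ') }
        }
    }
    foreach ($gpoPath in "$env:windir\System32\GroupPolicy\Machine", "$env:windir\System32\GroupPolicy\GPT.ini") {
        if (Test-Path $gpoPath) { Add-Finding 'LocalGPO' $gpoPath 'local Group Policy present; review in gpedit.msc' }
    }

    # 4. IE search scopes: DefaultScope should name an existing scope key with a non-empty URL.
    $scopeRoot = 'HKCU:\SOFTWARE\Microsoft\Internet Explorer\SearchScopes'
    if (Test-Path $scopeRoot) {
        $default = (Get-ItemProperty -Path $scopeRoot -ErrorAction SilentlyContinue).DefaultScope
        foreach ($scope in (Get-ChildItem -Path $scopeRoot)) {
            $url = (Get-ItemProperty -Path $scope.PSPath).URL
            $isDefault = ($scope.PSChildName -eq $default)
            if ($isDefault -and [string]::IsNullOrEmpty($url)) {
                Add-Finding 'SearchScope' $scope.PSChildName 'DefaultScope with empty URL (as in the fixlist)'
            } elseif ($url) {
                Add-Finding 'SearchScope' $scope.PSChildName "$(if ($isDefault) {'[default] '})$url"
            }
        }
        if ($default -and -not (Test-Path (Join-Path $scopeRoot $default))) {
            Add-Finding 'SearchScope' $default 'DefaultScope names a scope key that does not exist'
        }
    }
    return $findings
}

Get-PersistenceFindings | Format-Table -AutoSize -Wrap
```

The output is a table of Kind/Where/Detail rows; an empty table means none of these four locations shows anything, which is the state the Fixlog below reports after the fix ran.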
Old 10-02-2015, 07:02 PM   #9
Registered Member
 
Join Date: Nov 2006
Location: North Carolina
Posts: 24
OS: Windows Vista



Hello and thanks for the reply.

I have started to follow your instructions and I got confused at the point where you say:

"Save it as fixlist.txt next to FRST.exe

NOTE: Both FRST.exe and the fixlist.txt must be in the same location or the fix will not work."

Well, do you mean the same folder? Right now, I have FRST.exe in my Downloads folder...and I made a Shortcut for it on the desktop.

I know you previously said to save it to my desktop. Well, that was confusing to me, too. When you say save it to my desktop, do you mean that the desktop should be the only location where the FRST.exe exists?

Right now, FRST.exe exists in two locations: on the desktop as a shortcut, and in the Downloads folder.

I have always done things that way-where the original file exists in a folder-and the desktop is merely a shortcut way of accessing things.

I presumed that was the way you wanted me to do it.

But now you say put the fixlist.txt next to FRST.exe and I don't know where you want me to put it.

Put it in the Downloads folder? Or put it on the desktop? Or both places?

I got as far as copying the codebox into Notepad and labeling it fixlist.txt then I did put that, (fixlist.txt), in the Downloads folder. But I have not yet made a shortcut of it for the desktop. Do I need to make a shortcut for it to the desktop?

That's as far as I got before I became confused.

Can you clear up my confusion? Thanks.
SwimmSpace9 is offline  
Old 10-02-2015, 07:08 PM   #10
Registered Member
 
Join Date: Nov 2006
Location: North Carolina
Posts: 24
OS: Windows Vista



I have also uninstalled DriverToolKit. May I ask why I need to uninstall it? I paid $40 for it for a lifetime license-good for 3 computers.

Is there something wrong with DriverToolKit?

Thanks.
SwimmSpace9 is offline  
Old 10-03-2015, 02:50 PM   #11
Security Team
Analyst
 
 
Join Date: Oct 2010
Location: Turkiye
Posts: 1,859
OS: Windows 7 (32 Bit)



Hello SwimmSpace9,

Quote from my first message:
Quote:
Please download to and run all requested tools from your Desktop.
Quote from your FRST log:
Quote:
Running from C:\Users\Owner\Downloads
Quote:
Or put it on the desktop?
Please do. Then do the above instructions.

=========================================================

Quote:
May I ask why I need to uninstall it?
The link I gave says why to uninstall it.
tekir06 is offline  
Old 10-04-2015, 11:56 AM   #12
Registered Member
 
Join Date: Nov 2006
Location: North Carolina
Posts: 24
OS: Windows Vista



Hello and thanks for the reply.

I had to disable Trend Micro antivirus again in order to run the FRST.exe.

But it ran OK. And here is the Fixlog.txt:

Fix result of Farbar Recovery Scan Tool (x86) Version:04-10-2015
Ran by Owner (2015-10-04 13:43:34) Run:1
Running from C:\Users\Owner\Desktop
Loaded Profiles: Owner (Available Profiles: Owner & Administrator)
Boot Mode: Normal

==============================================

fixlist content:
*****************
CreateRestorePoint:
Task: {69FCFFE1-247D-4DBF-9D0C-9540C3D7B502} - System32\Tasks\DriverToolkit Autorun
Task: C:\Windows\Tasks\DriverToolkit Autorun.job => C:\Program Files\DriverToolkit\DriverToolkit.exe
AlternateDataStreams: C:\ProgramData\TEMP:5C321E34
GroupPolicy: Restriction - Chrome <======= ATTENTION
CHR HKLM\SOFTWARE\Policies\Google: Restriction <======= ATTENTION
SearchScopes: HKU\S-1-5-21-443181598-604131603-1978781513-1000 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
2015-09-30 21:58 - 2015-07-26 21:32 - 00000346 _____ C:\Windows\Tasks\DriverToolkit Autorun.job
EmptyTemp:
*****************

Restore point was successfully created.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon\{69FCFFE1-247D-4DBF-9D0C-9540C3D7B502}" => key removed successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{69FCFFE1-247D-4DBF-9D0C-9540C3D7B502}" => key removed successfully.
C:\Windows\System32\Tasks\DriverToolkit Autorun => moved successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\DriverToolkit Autorun" => key removed successfully.
C:\Windows\Tasks\DriverToolkit Autorun.job => moved successfully
C:\ProgramData\TEMP => ":5C321E34" ADS removed successfully..
C:\Windows\system32\GroupPolicy\Machine => moved successfully
C:\Windows\system32\GroupPolicy\GPT.ini => moved successfully
"HKLM\SOFTWARE\Policies\Google" => key removed successfully.
HKU\S-1-5-21-443181598-604131603-1978781513-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => value removed successfully.
"C:\Windows\Tasks\DriverToolkit Autorun.job" => File/Folder not found.
EmptyTemp: => 81.2 MB temporary data Removed.


The system needed a reboot.

==== End of Fixlog 13:44:36 ====



I hope I did it right.

Yes, I went to the webpage link you gave me about DriverToolKit. I couldn't exactly tell, from reading over it, why it should be uninstalled. In fact, I looked at some product reviews about it and people seemed to be evenly divided. Some people liked it and some people did not. Some say it worked just fine and some say it messed up their computer.

But I have not yet seen a clear reason that it is a bad program.

Thanks. I hope this helps you.
SwimmSpace9 is offline  
Old 10-05-2015, 12:12 PM   #13
Security Team
Analyst
 
 
Join Date: Oct 2010
Location: Turkiye
Posts: 1,859
OS: Windows 7 (32 Bit)



Hello SwimmSpace9,

Everything is all right.

OK. I understand. No need to remove Driver Toolkit. Please do the following steps.

STEP 1

Launch Malwarebytes Anti-Malware

On the Dashboard, click the Scan Now button.
A check for database updates will be performed.
After the update check completes, a Threat Scan will begin.
When the scan is complete, if there have been detections, click Remove Selected to allow MBAM to clean what was detected.
In most cases, a restart will be required and a prompt will be shown.
Wait for the prompt to restart the computer to appear, then click on Yes.

Posting the Malwarebytes log:

After the restart once you are back at your desktop, open MBAM once more.
Click on the History tab > Application Logs.
Double click on the scan log which shows the Date and time of the scan just performed.
Click Export.
Click Text file (*.txt)
In the Save File dialog box which appears, click on Desktop.
In the File name: box type a name for your scan log.
A message box named File Saved should appear stating "Your file has been successfully exported".
Click Ok
Attach that saved log to your next reply.

=======================================================

STEP 2

Please go HERE then click on: Run Eset Online Scanner
Note: If using Mozilla Firefox you will need to download esetsmartinstaller_enu.exe when prompted, then double-click on the icon to install it.

All of the below instructions are compatible with either Internet Explorer or Mozilla FireFox.

Select the option YES, I accept the Terms of Use then click on the Start button.
When prompted allow the Add-On/Active X to install.
Make sure that the option Remove found threats is NOT checked, and the option Scan archives is checked.
Now click on Advanced Settings and select the following:
  • Scan for potentially unwanted applications
  • Scan Archives
  • Enable Anti-Stealth Technology
Next to 'Current scan targets: Operating memory, Local drives', click the Change... button.
Tick all the boxes that correspond to your external/inserted drives.
Click Start. The virus signature database will begin to download. This may take some time.
Wait for the scan to finish.
When completed, click on Finish.
When the scan is done, if it shows a screen that says "Threats found!", click "List of found threats", and then click "Export to text file..."
Save that text file to your desktop, and then copy/paste the contents in your next reply.

========================================================

I need to see in your next post:
  • MBAM Log
  • ESET Log
tekir06 is offline  
Old 10-05-2015, 06:42 PM   #14
Registered Member
 
Join Date: Nov 2006
Location: North Carolina
Posts: 24
OS: Windows Vista



Hello and thanks for the reply.
Just wanted to let you know that you gave me several tasks to perform and that it might take me several days to do it all because of my busy schedule.

Just letting you know so you don't think I have abandoned you. I'm still out here!

Thanks.
SwimmSpace9 is offline  
Old 10-06-2015, 08:44 PM   #15
Registered Member
 
Join Date: Nov 2006
Location: North Carolina
Posts: 24
OS: Windows Vista



Hello.

Here is the MBAM Log:

Malwarebytes Anti-Malware
www.malwarebytes.org

Scan Date: 10/6/2015
Scan Time: 7:20:57 PM
Logfile: MBAMlog1.txt
Administrator: Yes

Version: 0.0.0.0000
Malware Database: v2015.10.06.06
Rootkit Database: v2015.10.06.01
License: Premium
Malware Protection: Enabled
Malicious Website Protection: Enabled
Self-protection: Disabled

OS: Windows Vista Service Pack 2
CPU: x86
File System: NTFS
User: Owner

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 355532
Time Elapsed: 31 min, 34 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled

Processes: 0
(No malicious items detected)

Modules: 0
(No malicious items detected)

Registry Keys: 0
(No malicious items detected)

Registry Values: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Folders: 0
(No malicious items detected)

Files: 0
(No malicious items detected)

Physical Sectors: 0
(No malicious items detected)


(end)


Unfortunately, I cannot get the ESET Log to export. Therefore it won't Save to a location. It won't respond to any command. I don't know why.

I thought I saw it in a file labeled 'Save files to Indexed location' as Doc 1.txt when I tried save to clipboard. It popped up as I was trying to save to downloads but disappeared and I can't find it and when that wouldn't work then I tried save to desktop. Nothing is saving anywhere.

I tried a screenshot. It won't save. It won't expand either in order for you to see a complete screenshot.

I don't know what to do to get this ESET Log to you. I'll bet it will disappear once I click it off and I'll have to run the scan again for it to come back. But if it comes back with the results and I can't export them, what then?

ESET scan seems to have taken about 2 hours and when done, I was signed out of Tech Support Forum for some reason. I am wondering if the ESET scan changed some things on my computer? I clicked the buttons you said to un-tick or to tick before starting the scan.

Do you have any ideas on how I can get it working properly?
SwimmSpace9 is offline  
Old 10-06-2015, 08:52 PM   #16
Registered Member
 
Join Date: Nov 2006
Location: North Carolina
Posts: 24
OS: Windows Vista



The screenshot appeared on the desktop. It took this long to type the last letter to you for my slow computer to send it to desktop.

Very slow.

I am going to try here and post it to you as a screenshot. I don't see it. Let me hit Submit Reply, and see if it sends.
SwimmSpace9 is offline  
Old 10-06-2015, 08:55 PM   #17
Registered Member
 
Join Date: Nov 2006
Location: North Carolina
Posts: 24
OS: Windows Vista



Something is wrong. I don't think it will post. ESET appears to have messed up something on my computer.
SwimmSpace9 is offline  
Old 10-07-2015, 02:43 PM   #18
Security Team
Analyst
 
 
Join Date: Oct 2010
Location: Turkiye
Posts: 1,859
OS: Windows 7 (32 Bit)



Hello SwimmSpace9,

Ok. I understand. Thanks for the information. Please do the following.

Please download ComboFix and Save it to your Desktop.

Important! - Please make sure you save combofix to your desktop and do not run it from your browser
Please make sure you disable your security applications before running ComboFix. Get help here
Double-click ComboFix.exe and follow the prompts to run it.
If a message window opens to install the Microsoft Windows Recovery Console, click the yes button.
Once Combofix has completed it will produce and open a log file. Please be patient as it can take some time to load.
When finished, it shall produce a log for you. Please post that log, C:\ComboFix.txt, in your next reply.
Please re-enable your antivirus before posting the ComboFix.txt log.
NOTE: If you get an 'Illegal operation attempted on a Registry key which has been marked for deletion' error message, please open Task Manager and 'End Process' on explorer.exe
Next, go File > New Task(Run...) and type explorer then press 'Enter'. or just reboot the computer.
tekir06 is offline  
Old 10-08-2015, 04:58 PM   #19
Registered Member
 
Join Date: Nov 2006
Location: North Carolina
Posts: 24
OS: Windows Vista



Hello. I apologize that ESET didn't work. I was very tired that night and it finished its scan late. I may have done something wrong. Would you like me to try it again?

Meanwhile, I have run the ComboFix and here is the log for it:

ComboFix 15-10-06.01 - Owner 10/08/2015 19:03:21.1.2 - x86
Microsoft® Windows Vista™ Ultimate 6.0.6002.2.1252.1.1033.18.3006.1488 [GMT -4:00]
Running from: c:\users\Owner\Desktop\ComboFix.exe
AV: Trend Micro Maximum Security *Disabled/Updated* {8242D66F-41BD-4049-C2E6-E578E73B62A0}
SP: Trend Micro Maximum Security *Disabled/Updated* {3923378B-6787-4FC7-F856-DE0A9CBC281D}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\users\Owner\AppData\Local[j0003]-[p06].bmp
c:\windows\msdownld.tmp
.
.
((((((((((((((((((((((((( Files Created from 2015-09-08 to 2015-10-08 )))))))))))))))))))))))))))))))
.
.
2015-10-07 00:54 . 2015-10-07 00:54 -------- d-----w- c:\program files\ESET
2015-10-04 23:59 . 2015-10-04 23:59 -------- d-----w- c:\users\Owner\AppData\Roaming\System Healer
2015-10-04 23:54 . 2015-10-04 23:55 -------- d-----w- c:\users\Owner\AppData\Local\{E89ADEC6-CC32-B27E-A1AA-979685C26B0E}
2015-10-04 23:54 . 2015-10-04 23:54 -------- d-----w- c:\users\Owner\AppData\Local\deci
2015-10-04 23:54 . 2015-10-04 23:54 -------- d-----w- c:\users\Owner\AppData\Local\Setup22151455
2015-10-04 22:13 . 2015-10-04 22:13 -------- d-----w- c:\users\Owner\AppData\Roaming\driveridentifier
2015-09-29 03:48 . 2015-10-04 23:55 214528 ----a-w- c:\windows\RegBootClean.exe
2015-09-29 03:47 . 2015-10-04 17:47 -------- d-----w- C:\FRST
2015-09-27 03:24 . 2015-10-07 02:09 98520 ----a-w- c:\windows\system32\drivers\MBAMSwissArmy.sys
2015-09-27 03:24 . 2015-09-27 03:25 -------- d-----w- c:\program files\Malwarebytes Anti-Malware
2015-09-27 03:24 . 2015-06-18 12:41 51928 ----a-w- c:\windows\system32\drivers\mwac.sys
2015-09-27 03:24 . 2015-06-18 12:41 94936 ----a-w- c:\windows\system32\drivers\mbamchameleon.sys
2015-09-27 03:24 . 2015-06-18 12:41 23256 ----a-w- c:\windows\system32\drivers\mbam.sys
2015-09-17 03:44 . 2015-10-08 22:53 -------- d-----w- c:\users\Owner\AppData\Local\DP_Tower
2015-09-17 03:43 . 2015-09-17 03:44 -------- d-----w- c:\users\Owner\AppData\Local\DP_Installer
2015-09-10 07:24 . 2015-08-13 14:15 304640 ----a-w- c:\windows\system32\drivers\srv.sys
2015-09-10 07:24 . 2015-08-13 14:15 102912 ----a-w- c:\windows\system32\drivers\srvnet.sys
2015-09-10 07:23 . 2015-09-02 21:26 1402368 ----a-w- c:\windows\system32\msxml6.dll
2015-09-10 07:23 . 2015-09-02 21:26 1253376 ----a-w- c:\windows\system32\msxml3.dll
2015-09-10 07:19 . 2015-07-10 14:21 2048 ----a-w- c:\windows\system32\tzres.dll
2015-09-10 07:19 . 2015-08-05 15:58 940032 ----a-w- c:\program files\Common Files\Microsoft Shared\ink\journal.dll
2015-09-10 07:19 . 2015-08-05 14:24 1850880 ----a-w- c:\program files\Windows Journal\Journal.exe
2015-09-10 07:19 . 2015-08-05 15:59 1220608 ----a-w- c:\program files\Windows Journal\NBDoc.DLL
2015-09-10 07:19 . 2015-08-05 15:58 985600 ----a-w- c:\program files\Windows Journal\JNTFiltr.dll
2015-09-10 07:19 . 2015-08-05 15:58 967680 ----a-w- c:\program files\Windows Journal\JNWDRV.dll
2015-09-10 07:18 . 2015-09-02 21:26 34304 ----a-w- c:\windows\system32\atmlib.dll
2015-09-10 07:18 . 2015-09-02 19:55 2067456 ----a-w- c:\windows\system32\win32k.sys
2015-09-10 07:18 . 2015-09-02 19:54 297472 ----a-w- c:\windows\system32\atmfd.dll
2015-09-10 07:17 . 2015-08-05 15:59 602112 ----a-w- c:\windows\system32\schedsvc.dll
2015-09-09 23:21 . 2015-09-17 03:44 -------- d-----w- c:\programdata\TMDP_Log
2015-09-09 23:21 . 2015-09-17 03:44 -------- d-----w- c:\programdata\TMDP_Setup
2015-09-09 23:16 . 2015-09-17 03:43 -------- d-----w- c:\programdata\TMDP_Tower_Setup
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2015-09-21 23:49 . 2015-04-14 18:23 780488 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2015-09-21 23:49 . 2015-04-14 18:23 142536 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2015-08-05 04:03 . 2015-08-05 04:03 877152 ----a-w- c:\windows\system32\msvcr120_clr0400.dll
2015-08-05 04:03 . 2015-08-05 04:03 538208 ----a-w- c:\windows\system32\msvcp120_clr0400.dll
2015-07-31 21:46 . 2015-08-13 22:39 219648 ----a-w- c:\windows\system32\d3d10_1core.dll
2015-07-31 21:46 . 2015-08-13 22:39 160768 ----a-w- c:\windows\system32\d3d10_1.dll
2015-07-31 21:46 . 2015-08-13 22:39 189952 ----a-w- c:\windows\system32\d3d10core.dll
2015-07-31 21:46 . 2015-08-13 22:39 1029120 ----a-w- c:\windows\system32\d3d10.dll
2015-07-31 20:41 . 2015-08-13 22:39 1172480 ----a-w- c:\windows\system32\d3d10warp.dll
2015-07-31 20:40 . 2015-08-13 22:39 486400 ----a-w- c:\windows\system32\d3d10level9.dll
2015-07-31 20:35 . 2015-08-13 22:39 682496 ----a-w- c:\windows\system32\d2d1.dll
2015-07-31 20:33 . 2015-08-13 22:39 1072640 ----a-w- c:\windows\system32\DWrite.dll
2015-07-31 20:33 . 2015-08-13 22:39 802304 ----a-w- c:\windows\system32\FntCache.dll
2015-07-31 19:27 . 2015-08-13 23:11 103120 ----a-w- c:\windows\system32\PresentationCFFRasterizerNative_v0300.dll
2015-07-21 20:55 . 2015-08-13 23:25 1206192 ----a-w- c:\windows\system32\ntdll.dll
2015-07-21 16:07 . 2015-08-13 23:25 56256 ----a-w- c:\windows\system32\drivers\mountmgr.sys
2015-07-21 16:07 . 2015-08-13 23:25 3605440 ----a-w- c:\windows\system32\ntkrnlpa.exe
2015-07-21 16:07 . 2015-08-13 23:25 3553216 ----a-w- c:\windows\system32\ntoskrnl.exe
2015-07-21 16:07 . 2015-08-13 23:25 140224 ----a-w- c:\windows\system32\drivers\ecache.sys
2015-07-21 16:03 . 2015-08-13 23:25 10752 ----a-w- c:\windows\system32\msmmsp.dll
2015-07-21 16:03 . 2015-08-13 23:25 564224 ----a-w- c:\windows\system32\emdmgmt.dll
2015-07-21 16:03 . 2015-08-13 23:25 49664 ----a-w- c:\windows\system32\csrsrv.dll
2015-07-20 09:20 . 2015-04-15 14:50 108032 ----a-w- c:\windows\system32\drivers\tmactmon.sys
2015-07-20 09:19 . 2015-04-15 14:50 88992 ----a-w- c:\windows\system32\drivers\tmevtmgr.sys
2015-07-20 09:18 . 2015-04-15 14:50 303744 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2015-07-18 16:03 . 2015-08-13 22:49 68608 ----a-w- c:\windows\system32\basesrv.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1233920]
"CCleaner Monitoring"="c:\program files\CCleaner\CCleaner.exe" [2015-09-16 6495144]
"SpybotPostWindows10UpgradeReInstall"="c:\program files\Common Files\AV\Spybot - Search and Destroy\Test.exe" [2015-07-28 1011200]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QlbCtrl.exe"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2008-08-01 202032]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-06-24 13601312]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-06-24 92704]
"Platinum"="c:\program files\Trend Micro\Titanium\plugin\Pt\PtSessionAgent.exe" [2015-05-04 1078784]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2013-02-26 2416368]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-10-15 49152]
"Trend Micro Client Framework"="c:\program files\Trend Micro\UniClient\UiFrmWrk\UIWatchDog.exe" [2014-07-20 165976]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2007-10-14 214360]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0\0sdnclean.exe
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WudfSvc]
@="Service"
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - WS2IFSL
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{7070D8E0-650A-46b3-B03C-9497582E6A74}]
2008-04-11 21:23 38400 ----a-w- c:\windows\System32\SoundSchemes.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{B3688A53-AB2A-4b1d-8CEF-8F93D8C51C24}]
2008-08-28 14:50 30720 ----a-w- c:\windows\System32\soundschemes2.exe
.
Contents of the 'Scheduled Tasks' folder
.
2015-10-08 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2015-04-14 23:49]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
mStart Page = about:blank
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
Trusted Zone: trendmicro.com\pwm
TCP: DhcpNameServer = 192.168.2.1
Handler: tmop - {69FD7CE3-4604-4fe6-967C-49B9735CEE70} - c:\program files\Trend Micro\AMSP\module\20013\3.5.1239\2.0.1039\TmopIEPlg.dll
FF - ProfilePath - c:\users\Owner\AppData\Roaming\Mozilla\Firefox\Profiles\m1oo9iyp.default\
FF - prefs.js: browser.startup.homepage - about:home
.
- - - - ORPHANS REMOVED - - - -
.
HKLM-Run-hpqSRMon - (no file)
SafeBoot-WudfPf
SafeBoot-WudfRd
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, GMER - Rootkit Detector and Remover
Rootkit scan 2015-10-08 19:10
Windows 6.0.6002 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
SynTPEnh = %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe????????????????????????????????????????????????????????????????????????????????????
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil32_19_0_0_185_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\LocalServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil32_19_0_0_185_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}]
@Denied: (A 2) (Everyone)
@="IFlashBroker6"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Completion time: 2015-10-08 19:12:18
ComboFix-quarantined-files.txt 2015-10-08 23:12
.
Pre-Run: 89,858,293,760 bytes free
Post-Run: 89,789,227,008 bytes free
.
- - End Of File - - 89A5F97E1B86D57772C9D90854B67289
5C616939100B85E558DA92B899A0FC36


I hope this helps. Thanks.
Old 10-09-2015, 04:05 PM   #20
tekir06, Security Team Analyst
Join Date: Oct 2010
Location: Turkiye
Posts: 1,859
OS: Windows 7 (32 Bit)
Hello SwimmSpace9,

Thanks for the logs. Please do the following.

Open Notepad (Start > All Programs > Accessories > Notepad).
Please copy all the text in the codebox below. (To do this highlight the contents of the box, right-click on it and select Copy. Right-click in the open Notepad and select Paste).
Save it as fixlist.txt next to FRST.exe

NOTE: Both FRST.exe and the fixlist.txt must be in the same location or the fix will not work.
Code:
CreateRestorePoint:
c:\users\Owner\AppData\Roaming\System Healer
c:\users\Owner\AppData\Local\{E89ADEC6-CC32-B27E-A1AA-979685C26B0E}
c:\users\Owner\AppData\Local\Setup22151455
EmptyTemp:
Double-click FRST to run the tool. If the tool warns you the version is outdated, please download and run the updated version.
Click the Fix button just once, and wait.
If you receive a message that a reboot is required, please make sure you allow it to restart normally.
The tool will complete its run after the restart.
When finished, the tool will make a log (Fixlog.txt) in the same location from where it was run. Please post the Fixlog.txt log in your reply.

NOTE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.
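The "Reg Loading Points" section of the ComboFix log above (Run values, the Startup folder, and the "HKLM-Run-... (no file)" orphans) is what the analyst reads by hand before writing a fixlist. As an added example that is not part of this thread and not code from ComboFix or FRST, the Python below parses that section into structured entries and applies three review rules: the target file is missing, the target runs from outside Windows/Program Files, or the target was modified shortly before the scan. The sample input is constructed from lines in the log, plus one invented "Updater" value under AppData (not in the log) so the path rule has something to flag; the trusted-root list and the 14-day window are assumptions chosen for the example.

```python
import re
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple

# Constructed sample: lines copied from the "Reg Loading Points" section of the
# ComboFix log above, plus one invented "Updater" value under AppData (not in
# the log) so the user-writable-path rule has something to flag.
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1233920]
"CCleaner Monitoring"="c:\program files\CCleaner\CCleaner.exe" [2015-09-16 6495144]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-06-24 13601312]
"Updater"="c:\users\Owner\AppData\Roaming\Example\upd.exe" [2015-10-07 51200]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2007-10-14 214360]
.
- - - - ORPHANS REMOVED - - - -
.
HKLM-Run-hpqSRMon - (no file)
"""

SCAN_DATE = date(2015, 10, 8)  # "Rootkit scan 2015-10-08" in the log above

# Assumption for the example: anything launched from outside these roots
# (AppData, ProgramData, Temp, ...) is worth a second look.
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")

KEY_RE = re.compile(r"^\[(HKEY_[^\]]+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"="([^"]*)"\s+\[(\d{4}-\d{2}-\d{2})\s+(\d+)\]$')
STARTUP_DIR_RE = re.compile(r"^[a-z]:\\.*\\Startup\\$", re.IGNORECASE)
LNK_RE = re.compile(r"^(.+\.lnk) - (.+?) \[(\d{4}-\d{2}-\d{2}) (\d+)\]$")
ORPHAN_RE = re.compile(r"^HKLM-Run-(\S+) - \(no file\)$")


@dataclass
class AutorunEntry:
    location: str             # registry key or startup folder the entry lives in
    name: str                 # value name or .lnk file name
    image: Optional[str]      # executable path; None when ComboFix printed "(no file)"
    modified: Optional[date]  # file modification date from the [...] bracket
    size: Optional[int]       # file size in bytes from the same bracket


def parse_autoruns(text: str) -> List[AutorunEntry]:
    """Turn the ComboFix 'Reg Loading Points' section into structured entries."""
    entries: List[AutorunEntry] = []
    location: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == ".":  # ComboFix pads sections with "." lines
            continue
        m = KEY_RE.match(line)
        if m:
            location = m.group(1)
            continue
        if STARTUP_DIR_RE.match(line):
            location = line
            continue
        m = VALUE_RE.match(line) or LNK_RE.match(line)  # both yield (name, image, date, size)
        if m and location:
            name, image, modified, size = m.groups()
            entries.append(AutorunEntry(location, name, image,
                                        date.fromisoformat(modified), int(size)))
            continue
        m = ORPHAN_RE.match(line)
        if m:  # the Run value is still present but its target is gone from disk
            entries.append(AutorunEntry(
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run",
                m.group(1), None, None, None))
    return entries


def triage(entries: List[AutorunEntry], scan_date: date,
           recent_days: int = 14) -> List[Tuple[AutorunEntry, List[str]]]:
    """Return (entry, reasons) for every entry that trips at least one review rule."""
    findings: List[Tuple[AutorunEntry, List[str]]] = []
    for e in entries:
        reasons: List[str] = []
        if e.image is None:
            reasons.append("orphan: Run value points at a file that is no longer on disk")
        else:
            if not e.image.lower().startswith(TRUSTED_ROOTS):
                reasons.append("image runs from outside Windows/Program Files (user-writable path)")
            if e.modified is not None and 0 <= (scan_date - e.modified).days <= recent_days:
                reasons.append(f"image modified within {recent_days} days of the scan")
        if reasons:
            findings.append((e, reasons))
    return findings


if __name__ == "__main__":
    for entry, reasons in triage(parse_autoruns(SAMPLE_LOG), SCAN_DATE):
        print(f"{entry.location}\\{entry.name} -> {entry.image or '(no file)'}")
        for reason in reasons:
            print("   -", reason)
```

The rules are prompts for the analyst, not verdicts: a legitimate program updated last week trips the recency rule just as readily as a dropper, and a value that ComboFix already reported as an orphan is mostly noise. On the live machine the natural next step is to check the Authenticode signature of each flagged image before it goes into a fixlist.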
 

Thread Tools Search this Thread
Search this Thread:

Advanced Search

Similar Threads
Thread Thread Starter Forum Replies Last Post
United States? Malware Infection Rate More than Doubles in the First Half of 2013
United States’ Malware Infection Rate More than Doubles in the First Half of 2013 - Microsoft Security Blog - Site Home - TechNet Blogs
JMH3143 Computer Security News 0 04-02-2014 09:06 PM
Android malware still rising despite Google's security improvements
Android’s 2012 security overhaul hasn't stopped the volume of global threats targeting the mobile OS continuing to rise at an alarming rate, F-Secure’s latest mobile threat report has found. The company noticed 51,447 unique Android malware samples in the third quarter, an unexpectedly huge jump...
Glaswegian Computer Security News 0 11-05-2012 01:27 PM
Windows 7 malware infection rate soars in 2012
Windows 7's malware infection rate climbed by as much as 182% this year, Microsoft said today. But even with that dramatic increase, Windows 7 remained two to three times less likely to fall to hacker attack than the aged Windows XP. Data from Microsoft's newest twice-yearly security report...
Glaswegian Computer Security News 0 10-09-2012 01:16 PM
Cloud AV 2012 Malware Infection
Hello, About a month ago, my PC became infected with the Cloud AV 2012 virus. I use Mozilla Firefox as my browser. I started receiving alert pop-ups, and noticed a new icon in my tray. I also found that searching through Google only resulted in re-directs. Eventually, I could not use Firefox,...
jmccull1 Virus/Trojan/Spyware Help 35 03-02-2012 10:33 PM

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is on
Smilies are on
[IMG] code is on
HTML code is Off
Trackbacks are Off
Pingbacks are Off
Refbacks are Off


Post a Question


» Site Navigation
 > FAQ
  > 10.0.0.2
Powered by vBadvanced CMPS v3.2.3


All times are GMT -7. The time now is 01:49 PM.


Powered by vBulletin® Version 3.8.8
Copyright ©2000 - 2020, vBulletin Solutions, Inc.
vBulletin Security provided by vBSecurity v2.2.2 (Pro) - vBulletin Mods & Addons Copyright © 2020 DragonByte Technologies Ltd.
User Alert System provided by Advanced User Tagging v3.1.0 (Pro) - vBulletin Mods & Addons Copyright © 2020 DragonByte Technologies Ltd.
Copyright 2001 - 2018, Tech Support Forum

Windows 10 - Windows 7 - Windows XP - Windows Vista - Trojan Removal - Spyware Removal - Virus Removal - Networking - Security - Top Web Hosts