False Antivirus Bitmefender can't close process


  • This topic is locked
16 replies to this topic

#1 DWLooney

DWLooney

  • Members
  • 12 posts

Posted 04 January 2014 - 11:48 PM

Hi, I have this program called bitmefender in task manager that I can't close out of, and is using up all of the available cpu, and ram

Thanks!





#2 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 72,934 posts
  • Gender:Male
  • Location:NJ USA

Posted 05 January 2014 - 10:27 AM

Hello DWLooney

This appears to be a new item, let's see if we can get it

Please download MiniToolBox, save it to your desktop and run it.
Checkmark the following checkboxes:
  • Flush DNS
  • Report IE Proxy Settings
  • Reset IE Proxy Settings
  • Report FF Proxy Settings
  • Reset FF Proxy Settings
  • List content of Hosts
  • List IP configuration
  • List Winsock Entries
  • List last 10 Event Viewer log
  • List Installed Programs
  • List Users, Partitions and Memory size.
  • Click Go and post the result (Result.txt). A copy of Result.txt will be saved in the same directory the tool is run.
    Note: When using "Reset FF Proxy Settings" option Firefox should be closed.



    Download TDSSKiller and save it to your desktop.
  • Extract (unzip) its contents to your desktop.
  • Open the TDSSKiller folder and doubleclick on TDSSKiller.exe to run the application, then on Start Scan.
  • If an infected file is detected, the default action will be Cure, click on Continue.
  • If a suspicious file is detected, the default action will be Skip, click on Continue.
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
  • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  • If a reboot is required, the report can also be found in your root directory (usually C:\ folder) in the form of TDSSKiller_xxxx_log.txt. Please copy and paste the contents of that file here.
    ADW Cleaner

    Please download AdwCleaner by Xplode and save to your Desktop.
  • Double click on AdwCleaner.exe to run the tool
  • Click on the Scan button.
  • AdwCleaner will begin to scan your computer like it did before.
  • After the scan has finished...
  • This time click on the Clean button.
  • Press OK when asked to close all programs and follow the onscreen prompts.
  • Press OK again to allow AdwCleaner to restart the computer and complete the removal process.
  • After rebooting, a logfile report (AdwCleaner[S#].txt) will open automatically (where the largest value of # represents the most recent report).
  • Copy and paste the contents of that logfile in your next reply.
  • A copy of that logfile will also be saved in the C:\AdwCleaner folder.

  • Hold down Control and click on this link to open ESET OnlineScan in a new window.
  • Click the esetonlinebtn.png button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
  • Click on esetsmartinstaller_enu.exe to download the ESET Smart Installer. Save it to your desktop.
  • Double click on the esetsmartinstaller_enu.png icon on your desktop.
  • Check "YES, I accept the Terms of Use."
  • Click the Start button.
  • Accept any security warnings from your browser.
  • Under scan settings, check "Scan Archives" and "Remove found threats"
  • Click Advanced settings and select the following:
  • Scan potentially unwanted applications
  • Scan for potentially unsafe applications
  • Enable Anti-Stealth technology
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, click List Threats
  • Click Export, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Click the Back button.
  • Click the Finish button.
  • NOTE: Sometimes if ESET finds no infections it will not create a log.



    Download RogueKiller from one of the following links and save it to your desktop:
  • Link 1
  • Link 2
  • Close all programs and disconnect any USB or external drives before running the tool.
  • Double-click RogueKiller.exe to run the tool (Vista or 7 users: Right-click and select Run As Administrator).
  • Once the Prescan has finished, click Scan.
  • Once the Status box shows "Scan Finished", just close the program. <--Don't fix anything!
  • Copy and paste the report that opens into your next reply.
  • The log can also be found on your desktop labeled (RKreport[X]_S_xxdatexx_xtimex)
  • The highest number of [X], is the most recent Scan


#3 DWLooney

DWLooney
  • Topic Starter

  • Members
  • 12 posts

Posted 06 January 2014 - 01:06 AM

Hi boopme,

Here is the result of RKILL: irinboa.exe is only found in Processes; the instances are self-replicating, grow in size and eventually consume all resources. RKILL removes them temporarily and allows me to use my PC for a few minutes.

 

Rkill 2.6.0 by Lawrence Abrams (Grinler)
http://www.bleepingcomputer.com/
Copyright 2008-2014 BleepingComputer.com
More Information about Rkill can be found at this link:
 http://www.bleepingcomputer.com/forums/topic308364.html

Program started at: 01/05/2014 09:46:20 PM in x64 mode.
Windows Version: Windows Vista ™ Home Premium Service Pack 2

Checking for Windows services to stop:

 * No malware services found to stop.

Checking for processes to terminate:

  C:\Users\Administrator2\AppData\Roaming\Ihyhliyh\irinboa.exe (PID: 3436) [UP-HEUR]
  C:\Users\Administrator2\AppData\Roaming\Ihyhliyh\irinboa.exe (PID: 3500) [UP-HEUR]
  C:\Users\Administrator2\AppData\Roaming\Ihyhliyh\irinboa.exe (PID: 5176) [UP-HEUR]
  C:\Users\Administrator2\AppData\Roaming\Ihyhliyh\irinboa.exe (PID: 1884) [UP-HEUR]
  C:\Users\Administrator2\AppData\Roaming\Ihyhliyh\irinboa.exe (PID: 5108) [UP-HEUR]
  C:\Users\Administrator2\AppData\Roaming\Ihyhliyh\irinboa.exe (PID: 3168) [UP-HEUR]
  C:\Users\Administrator2\AppData\Roaming\Ihyhliyh\irinboa.exe (PID: 1260) [UP-HEUR]

7 proccesses terminated!

Checking Registry for malware related settings:

 * No issues found in the Registry.

Resetting .EXE, .COM, & .BAT associations in the Windows Registry.

Performing miscellaneous checks:

 * No issues found.

Checking Windows Service Integrity:

 * Windows Management Instrumentation (Winmgmt) is not Running.
   Startup Type set to: Automatic

 * Security Center (wscsvc) is not Running.
   Startup Type set to: Automatic (Delayed Start)

 * Winmgmt => C:\PROGRA~3\1jba2wl.pss [Incorrect ServiceDLL]

Searching for Missing Digital Signatures:

 * No issues found.

Checking HOSTS File:

 * HOSTS file entries found:

  127.0.0.1       localhost
  ::1             localhost

Program finished at: 01/05/2014 09:46:36 PM
Execution time: 0 hours(s), 0 minute(s), and 16 seconds(s)



#4 DWLooney

DWLooney
  • Topic Starter

  • Members
  • 12 posts

Posted 06 January 2014 - 01:08 AM

MiniToolBox by Farbar  Version: 18-12-2013
Ran by Administrator2 (administrator) on 05-01-2014 at 16:38:12
Running from "C:\Users\Administrator2\AppData\Local\Temp\Temporary Internet Files\Content.IE5\50P8PDH7"
Windows Vista ™ Home Premium Service Pack 2 (X64)
Boot Mode: Normal
***************************************************************************

========================= Flush DNS: ===================================

Windows IP Configuration

Successfully flushed the DNS Resolver Cache.

========================= IE Proxy Settings: ==============================

Proxy is not enabled.
No Proxy Server is set.

"Reset IE Proxy Settings": IE Proxy Settings were reset.
========================= Hosts content: =================================

::1             localhost

127.0.0.1       localhost

========================= IP Configuration: ================================

 

# ----------------------------------
# IPv4 Configuration
# ----------------------------------
pushd interface ipv4

reset
set global icmpredirects=enabled

popd
# End of IPv4 configuration

 

Windows IP Configuration

   Host Name . . . . . . . . . . . . : HP-15
   Primary Dns Suffix  . . . . . . . :
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No

Wireless LAN adapter Wireless Network Connection:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Intel® Wireless WiFi Link 4965AGN
   Physical Address. . . . . . . . . : 00-1F-3B-5D-20-FF
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
   Link-local IPv6 Address . . . . . : fe80::7d50:1bbd:3e30:8cb8%12(Preferred)
   IPv4 Address. . . . . . . . . . . : 192.168.1.2(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Lease Obtained. . . . . . . . . . : Sunday, January 05, 2014 2:08:15 PM
   Lease Expires . . . . . . . . . . : Monday, January 06, 2014 2:08:14 PM
   Default Gateway . . . . . . . . . : 192.168.1.1
   DHCP Server . . . . . . . . . . . : 192.168.1.1
   DHCPv6 IAID . . . . . . . . . . . : 369106747
   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-0F-B3-42-47-00-1E-68-5C-F3-07
   DNS Servers . . . . . . . . . . . : 192.168.1.1
   NetBIOS over Tcpip. . . . . . . . : Enabled

Tunnel adapter Local Area Connection* 6:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : isatap.{5BFFF8B8-426F-4503-8EB1-81F6C58DCA54}
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes

Tunnel adapter Local Area Connection* 7:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Microsoft 6to4 Adapter #2
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes

Tunnel adapter Local Area Connection* 11:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : isatap.{04B8D4CB-A835-4570-A68A-565138A1B901}
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes

Tunnel adapter Local Area Connection* 18:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
   Physical Address. . . . . . . . . : 02-00-54-55-4E-01
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
Server:  UnKnown
Address:  192.168.1.1

Name:    google.com
Addresses:  2607:f8b0:4010:801::1005
   74.125.239.40
   74.125.239.33
   74.125.239.38
   74.125.239.32
   74.125.239.39
   74.125.239.41
   74.125.239.37
   74.125.239.36
   74.125.239.35
   74.125.239.46
   74.125.239.34

 

Pinging google.com [74.125.239.39] with 32 bytes of data:

Reply from 74.125.239.39: bytes=32 time=38ms TTL=55

Reply from 74.125.239.39: bytes=32 time=32ms TTL=55

 

Ping statistics for 74.125.239.39:

    Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),

Approximate round trip times in milli-seconds:

    Minimum = 32ms, Maximum = 38ms, Average = 35ms

Server:  UnKnown
Address:  192.168.1.1

Name:    yahoo.com
Addresses:  98.139.183.24
   98.138.253.109
   206.190.36.45

 

Pinging yahoo.com [206.190.36.45] with 32 bytes of data:

Reply from 206.190.36.45: bytes=32 time=135ms TTL=49

Reply from 206.190.36.45: bytes=32 time=70ms TTL=49

 

Ping statistics for 206.190.36.45:

    Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),

Approximate round trip times in milli-seconds:

    Minimum = 70ms, Maximum = 135ms, Average = 102ms

 

Pinging 127.0.0.1 with 32 bytes of data:

Reply from 127.0.0.1: bytes=32 time<1ms TTL=128

Reply from 127.0.0.1: bytes=32 time<1ms TTL=128

 

Ping statistics for 127.0.0.1:

    Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),

Approximate round trip times in milli-seconds:

    Minimum = 0ms, Maximum = 0ms, Average = 0ms

===========================================================================
Interface List
 12 ...00 1f 3b 5d 20 ff ...... Intel® Wireless WiFi Link 4965AGN
  1 ........................... Software Loopback Interface 1
 16 ...00 00 00 00 00 00 00 e0  isatap.{5BFFF8B8-426F-4503-8EB1-81F6C58DCA54}
 14 ...00 00 00 00 00 00 00 e0  Microsoft 6to4 Adapter #2
 15 ...00 00 00 00 00 00 00 e0  isatap.{04B8D4CB-A835-4570-A68A-565138A1B901}
 13 ...02 00 54 55 4e 01 ...... Teredo Tunneling Pseudo-Interface
===========================================================================

IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.1.1      192.168.1.2     25
        127.0.0.0        255.0.0.0         On-link         127.0.0.1    306
        127.0.0.1  255.255.255.255         On-link         127.0.0.1    306
  127.255.255.255  255.255.255.255         On-link         127.0.0.1    306
      192.168.1.0    255.255.255.0         On-link       192.168.1.2    281
      192.168.1.2  255.255.255.255         On-link       192.168.1.2    281
    192.168.1.255  255.255.255.255         On-link       192.168.1.2    281
        224.0.0.0        240.0.0.0         On-link         127.0.0.1    306
        224.0.0.0        240.0.0.0         On-link       192.168.1.2    281
  255.255.255.255  255.255.255.255         On-link         127.0.0.1    306
  255.255.255.255  255.255.255.255         On-link       192.168.1.2    281
===========================================================================
Persistent Routes:
  None

IPv6 Route Table
===========================================================================
Active Routes:
 If Metric Network Destination      Gateway
  1    306 ::1/128                  On-link
 12    281 fe80::/64                On-link
 12    281 fe80::7d50:1bbd:3e30:8cb8/128
                                    On-link
  1    306 ff00::/8                 On-link
 12    281 ff00::/8                 On-link
===========================================================================
Persistent Routes:
  None
========================= Winsock entries =====================================

Catalog5 01 C:\Windows\SysWOW64\NLAapi.dll [48128] (Microsoft Corporation)
Catalog5 02 C:\Windows\SysWOW64\napinsp.dll [50176] (Microsoft Corporation)
Catalog5 03 C:\Windows\SysWOW64\pnrpnsp.dll [62464] (Microsoft Corporation)
Catalog5 04 C:\Windows\SysWOW64\pnrpnsp.dll [62464] (Microsoft Corporation)
Catalog5 05 C:\Windows\SysWOW64\mswsock.dll [223232] (Microsoft Corporation)
Catalog5 06 C:\Windows\SysWOW64\winrnr.dll [19968] (Microsoft Corporation)
Catalog5 07 C:\Program Files (x86)\Bonjour\mdnsNSP.dll [152864] (Apple Inc.)
Catalog9 01 C:\Windows\SysWOW64\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 02 C:\Windows\SysWOW64\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 03 C:\Windows\SysWOW64\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 04 C:\Windows\SysWOW64\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 05 C:\Windows\SysWOW64\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 06 C:\Windows\SysWOW64\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 07 C:\Windows\SysWOW64\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 08 C:\Windows\SysWOW64\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 09 C:\Windows\SysWOW64\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 10 C:\Windows\SysWOW64\mswsock.dll [223232] (Microsoft Corporation)
x64-Catalog5 01 C:\Windows\System32\NLAapi.dll [61440] (Microsoft Corporation)
x64-Catalog5 02 C:\Windows\System32\napinsp.dll [62976] (Microsoft Corporation)
x64-Catalog5 03 C:\Windows\System32\pnrpnsp.dll [78848] (Microsoft Corporation)
x64-Catalog5 04 C:\Windows\System32\pnrpnsp.dll [78848] (Microsoft Corporation)
x64-Catalog5 05 C:\Windows\System32\mswsock.dll [304128] (Microsoft Corporation)
x64-Catalog5 06 C:\Windows\System32\winrnr.dll [27648] (Microsoft Corporation)
x64-Catalog5 07 C:\Program Files\Bonjour\mdnsNSP.dll [193824] (Apple Inc.)
x64-Catalog9 01 C:\Windows\System32\mswsock.dll [304128] (Microsoft Corporation)
x64-Catalog9 02 C:\Windows\System32\mswsock.dll [304128] (Microsoft Corporation)
x64-Catalog9 03 C:\Windows\System32\mswsock.dll [304128] (Microsoft Corporation)
x64-Catalog9 04 C:\Windows\System32\mswsock.dll [304128] (Microsoft Corporation)
x64-Catalog9 05 C:\Windows\System32\mswsock.dll [304128] (Microsoft Corporation)
x64-Catalog9 06 C:\Windows\System32\mswsock.dll [304128] (Microsoft Corporation)
x64-Catalog9 07 C:\Windows\System32\mswsock.dll [304128] (Microsoft Corporation)
x64-Catalog9 08 C:\Windows\System32\mswsock.dll [304128] (Microsoft Corporation)
x64-Catalog9 09 C:\Windows\System32\mswsock.dll [304128] (Microsoft Corporation)
x64-Catalog9 10 C:\Windows\System32\mswsock.dll [304128] (Microsoft Corporation)

========================= Event log errors: ===============================

Application errors:
==================
Error: (01/05/2014 01:08:55 AM) (Source: Application Hang) (User: )
Description: The program msiexec.exe version 4.5.6002.18005 stopped interacting with Windows and was closed. To see if more information about the problem is available, check the problem history in the Problem Reports and Solutions control panel.
Process ID: 1068
Start Time: 01cf09f41ef88d7a
Termination Time: 0

Error: (01/05/2014 00:38:10 AM) (Source: Windows Search Service) (User: )
Description: Notifications for the volume k:\ are not active.

Context: Windows Application

Details:
 The device is not ready.   (0x80070015)

Error: (01/04/2014 11:30:57 PM) (Source: Application Hang) (User: )
Description: The program iexplore.exe version 9.0.8112.16526 stopped interacting with Windows and was closed. To see if more information about the problem is available, check the problem history in the Problem Reports and Solutions control panel.
Process ID: cdc
Start Time: 01cf09e7ef82c1c2
Termination Time: 326

Error: (01/04/2014 11:10:51 PM) (Source: Application Error) (User: )
Description: Faulting application irinboa.exe, version 2.0.43591.47452, time stamp 0x5287b82d, faulting module mshtml.dll, version 9.0.8112.16526, time stamp 0x528558ea, exception code 0xc0000005, fault offset 0x001d8bf8,
process id 0x1068, application start time 0xirinboa.exe0.

Error: (01/04/2014 10:11:25 PM) (Source: Application Error) (User: )
Description: Faulting application irinboa.exe, version 2.0.43591.47452, time stamp 0x5287b82d, faulting module mshtml.dll, version 9.0.8112.16526, time stamp 0x528558ea, exception code 0xc0000005, fault offset 0x001d8bf8,
process id 0x228, application start time 0xirinboa.exe0.

Error: (01/04/2014 10:04:28 PM) (Source: Application Error) (User: )
Description: Faulting application irinboa.exe, version 2.0.43591.47452, time stamp 0x5287b82d, faulting module unknown, version 0.0.0.0, time stamp 0x00000000, exception code 0xc0000005, fault offset 0x01f2824c,
process id 0x1c78, application start time 0xirinboa.exe0.

Error: (01/04/2014 09:36:57 PM) (Source: Application Error) (User: )
Description: Faulting application iexplore.exe, version 9.0.8112.16526, time stamp 0x52855173, faulting module unknown, version 0.0.0.0, time stamp 0x00000000, exception code 0xc0000005, fault offset 0x9a000006,
process id 0x8cc, application start time 0xiexplore.exe0.

Error: (01/04/2014 08:51:01 PM) (Source: Windows Search Service) (User: )
Description: The entry <C:\USERS\ADMINISTRATOR2\APPDATA\LOCAL\MICROSOFT\WINDOWS\TEMPORARY INTERNET FILES\VIRTUALIZED\C\USERS\ADMINISTRATOR2\APPDATA\ROAMING\MICROSOFT\WINDOWS\PRIVACIE\LOW> in the hash map cannot be updated.

Context:  Application, SystemIndex Catalog

Details:
 A device attached to the system is not functioning.   (0x8007001f)

Error: (01/04/2014 08:51:01 PM) (Source: Windows Search Service) (User: )
Description: The entry <C:\USERS\ADMINISTRATOR2\APPDATA\LOCAL\MICROSOFT\WINDOWS\TEMPORARY INTERNET FILES\VIRTUALIZED\C\USERS\ADMINISTRATOR2\APPDATA\ROAMING\MICROSOFT\WINDOWS\PRIVACIE\LOW> in the hash map cannot be updated.

Context:  Application, SystemIndex Catalog

Details:
 A device attached to the system is not functioning.   (0x8007001f)

Error: (01/04/2014 08:51:01 PM) (Source: Windows Search Service) (User: )
Description: The entry <C:\USERS\ADMINISTRATOR2\APPDATA\LOCAL\MICROSOFT\WINDOWS\TEMPORARY INTERNET FILES\VIRTUALIZED\C\USERS\ADMINISTRATOR2\APPDATA\ROAMING\MICROSOFT\WINDOWS\PRIVACIE> in the hash map cannot be updated.

Context:  Application, SystemIndex Catalog

Details:
 A device attached to the system is not functioning.   (0x8007001f)

System errors:
=============
Error: (01/05/2014 02:08:12 PM) (Source: Dhcp) (User: )
Description: The IP address lease 192.168.33.100 for the Network Card with network address 001F3B5D20FF has been denied by the DHCP server 192.168.1.1 (The DHCP Server sent a DHCPNACK message).

Error: (01/05/2014 02:06:19 PM) (Source: Dhcp) (User: )
Description: The IP address lease 192.168.1.4 for the Network Card with network address 001F3B5D20FF has been denied by the DHCP server 192.168.33.1 (The DHCP Server sent a DHCPNACK message).

Error: (01/05/2014 02:04:38 PM) (Source: Dhcp) (User: )
Description: The IP address lease 192.168.1.4 for the Network Card with network address 001F3B5D20FF has been denied by the DHCP server 192.168.33.1 (The DHCP Server sent a DHCPNACK message).

Error: (01/05/2014 00:46:44 PM) (Source: Dhcp) (User: )
Description: The IP address lease 192.168.33.100 for the Network Card with network address 001F3B5D20FF has been denied by the DHCP server 192.168.1.1 (The DHCP Server sent a DHCPNACK message).

Error: (01/05/2014 11:54:38 AM) (Source: Microsoft Antimalware) (User: )
Description: %NT AUTHORITY60 has encountered an error trying to update signatures.

 New Signature Version:

 Previous Signature Version: 1.165.1204.0

 Update Source: %NT AUTHORITY59

 Update Stage: 4.4.0304.00

 Source Path: 4.4.0304.01

 Signature Type: %NT AUTHORITY602

 Update Type: %NT AUTHORITY604

 User: NT AUTHORITY\SYSTEM

 Current Engine Version: %NT AUTHORITY605

 Previous Engine Version: %NT AUTHORITY606

 Error code: %NT AUTHORITY607

 Error description: %NT AUTHORITY608

Error: (01/05/2014 07:55:11 AM) (Source: Microsoft Antimalware) (User: )
Description: %NT AUTHORITY60 has encountered an error trying to update signatures.

 New Signature Version:

 Previous Signature Version: 1.165.1204.0

 Update Source: %NT AUTHORITY59

 Update Stage: 4.4.0304.00

 Source Path: 4.4.0304.01

 Signature Type: %NT AUTHORITY602

 Update Type: %NT AUTHORITY604

 User: NT AUTHORITY\SYSTEM

 Current Engine Version: %NT AUTHORITY605

 Previous Engine Version: %NT AUTHORITY606

 Error code: %NT AUTHORITY607

 Error description: %NT AUTHORITY608

Error: (01/05/2014 06:03:44 AM) (Source: Microsoft Antimalware) (User: )
Description: %NT AUTHORITY60 has encountered an error trying to update signatures.

 New Signature Version:

 Previous Signature Version: 1.165.1204.0

 Update Source: %NT AUTHORITY59

 Update Stage: 4.4.0304.00

 Source Path: 4.4.0304.01

 Signature Type: %NT AUTHORITY602

 Update Type: %NT AUTHORITY604

 User: NT AUTHORITY\SYSTEM

 Current Engine Version: %NT AUTHORITY605

 Previous Engine Version: %NT AUTHORITY606

 Error code: %NT AUTHORITY607

 Error description: %NT AUTHORITY608

Error: (01/05/2014 03:54:14 AM) (Source: Microsoft Antimalware) (User: )
Description: %NT AUTHORITY60 has encountered an error trying to update signatures.

 New Signature Version:

 Previous Signature Version: 1.165.1204.0

 Update Source: %NT AUTHORITY59

 Update Stage: 4.4.0304.00

 Source Path: 4.4.0304.01

 Signature Type: %NT AUTHORITY602

 Update Type: %NT AUTHORITY604

 User: NT AUTHORITY\SYSTEM

 Current Engine Version: %NT AUTHORITY605

 Previous Engine Version: %NT AUTHORITY606

 Error code: %NT AUTHORITY607

 Error description: %NT AUTHORITY608

Error: (01/05/2014 00:39:35 AM) (Source: Dhcp) (User: )
Description: Your computer was not assigned an address from the network (by the DHCP Server) for the Network Card with network address 001F3B5D20FF.  The following error occurred:
%%121. Your computer will continue to try and obtain an address on its own from the network address (DHCP) server.

Error: (01/05/2014 00:36:37 AM) (Source: Dhcp) (User: )
Description: The IP address lease 192.168.1.2 for the Network Card with network address 001F3B5D20FF has been denied by the DHCP server 192.168.33.1 (The DHCP Server sent a DHCPNACK message).

Microsoft Office Sessions:
=========================
Error: (01/05/2014 01:08:55 AM) (Source: Application Hang)(User: )
Description: msiexec.exe4.5.6002.18005106801cf09f41ef88d7a0

Error: (01/05/2014 00:38:10 AM) (Source: Windows Search Service)(User: )
Description: Context: Windows Application

Details:
 The device is not ready.   (0x80070015)
k:\

Error: (01/04/2014 11:30:57 PM) (Source: Application Hang)(User: )
Description: iexplore.exe9.0.8112.16526cdc01cf09e7ef82c1c2326

Error: (01/04/2014 11:10:51 PM) (Source: Application Error)(User: )
Description: irinboa.exe2.0.43591.474525287b82dmshtml.dll9.0.8112.16526528558eac0000005001d8bf8106801cf09e46630a432

Error: (01/04/2014 10:11:25 PM) (Source: Application Error)(User: )
Description: irinboa.exe2.0.43591.474525287b82dmshtml.dll9.0.8112.16526528558eac0000005001d8bf822801cf09dc3fa2f11a

Error: (01/04/2014 10:04:28 PM) (Source: Application Error)(User: )
Description: irinboa.exe2.0.43591.474525287b82dunknown0.0.0.000000000c000000501f2824c1c7801cf09dbf4e974aa

Error: (01/04/2014 09:36:57 PM) (Source: Application Error)(User: )
Description: iexplore.exe9.0.8112.1652652855173unknown0.0.0.000000000c00000059a0000068cc01cf09cfff7cd4c2

Error: (01/04/2014 08:51:01 PM) (Source: Windows Search Service)(User: )
Description: Context:  Application, SystemIndex Catalog

Details:
 A device attached to the system is not functioning.   (0x8007001f)
C:\USERS\ADMINISTRATOR2\APPDATA\LOCAL\MICROSOFT\WINDOWS\TEMPORARY INTERNET FILES\VIRTUALIZED\C\USERS\ADMINISTRATOR2\APPDATA\ROAMING\MICROSOFT\WINDOWS\PRIVACIE\LOW

Error: (01/04/2014 08:51:01 PM) (Source: Windows Search Service)(User: )
Description: Context:  Application, SystemIndex Catalog

Details:
 A device attached to the system is not functioning.   (0x8007001f)
C:\USERS\ADMINISTRATOR2\APPDATA\LOCAL\MICROSOFT\WINDOWS\TEMPORARY INTERNET FILES\VIRTUALIZED\C\USERS\ADMINISTRATOR2\APPDATA\ROAMING\MICROSOFT\WINDOWS\PRIVACIE\LOW

Error: (01/04/2014 08:51:01 PM) (Source: Windows Search Service)(User: )
Description: Context:  Application, SystemIndex Catalog

Details:
 A device attached to the system is not functioning.   (0x8007001f)
C:\USERS\ADMINISTRATOR2\APPDATA\LOCAL\MICROSOFT\WINDOWS\TEMPORARY INTERNET FILES\VIRTUALIZED\C\USERS\ADMINISTRATOR2\APPDATA\ROAMING\MICROSOFT\WINDOWS\PRIVACIE

CodeIntegrity Errors:
===================================
  Date: 2013-12-15 00:56:46.701
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume1\Windows\winsxs\amd64_microsoft-windows-tcpip-binaries_31bf3856ad364e35_6.0.6001.22713_none_0fbe86f737e6a8d6\tcpip.sys because the set of per-page image hashes could not be found on the system.

  Date: 2013-12-15 00:56:46.320
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume1\Windows\winsxs\amd64_microsoft-windows-tcpip-binaries_31bf3856ad364e35_6.0.6001.22713_none_0fbe86f737e6a8d6\tcpip.sys because the set of per-page image hashes could not be found on the system.

  Date: 2013-12-15 00:56:46.019
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume1\Windows\winsxs\amd64_microsoft-windows-tcpip-binaries_31bf3856ad364e35_6.0.6001.22713_none_0fbe86f737e6a8d6\tcpip.sys because the set of per-page image hashes could not be found on the system.

  Date: 2013-12-15 00:56:45.710
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume1\Windows\winsxs\amd64_microsoft-windows-tcpip-binaries_31bf3856ad364e35_6.0.6001.22713_none_0fbe86f737e6a8d6\tcpip.sys because the set of per-page image hashes could not be found on the system.

  Date: 2013-12-15 00:56:45.410
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume1\Windows\winsxs\amd64_microsoft-windows-tcpip-binaries_31bf3856ad364e35_6.0.6001.22713_none_0fbe86f737e6a8d6\tcpip.sys because the set of per-page image hashes could not be found on the system.

  Date: 2013-12-15 00:56:45.077
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume1\Windows\winsxs\amd64_microsoft-windows-tcpip-binaries_31bf3856ad364e35_6.0.6001.22713_none_0fbe86f737e6a8d6\tcpip.sys because the set of per-page image hashes could not be found on the system.

  Date: 2013-12-15 00:56:44.684
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume1\Windows\winsxs\amd64_microsoft-windows-tcpip-binaries_31bf3856ad364e35_6.0.6001.22665_none_0f8a7609380d6a12\tcpip.sys because the set of per-page image hashes could not be found on the system.

  Date: 2013-12-15 00:56:44.316
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume1\Windows\winsxs\amd64_microsoft-windows-tcpip-binaries_31bf3856ad364e35_6.0.6001.22665_none_0f8a7609380d6a12\tcpip.sys because the set of per-page image hashes could not be found on the system.

  Date: 2013-12-15 00:56:44.004
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume1\Windows\winsxs\amd64_microsoft-windows-tcpip-binaries_31bf3856ad364e35_6.0.6001.22665_none_0f8a7609380d6a12\tcpip.sys because the set of per-page image hashes could not be found on the system.

  Date: 2013-12-15 00:56:43.709
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume1\Windows\winsxs\amd64_microsoft-windows-tcpip-binaries_31bf3856ad364e35_6.0.6001.22665_none_0f8a7609380d6a12\tcpip.sys because the set of per-page image hashes could not be found on the system.

=========================== Installed Programs ============================

64 Bit HP CIO Components Installer (Version: 7.2.8)
Bonjour (Version: 2.0.2.0)
CCleaner (Version: 3.22)
Defraggler (Version: 2.16)
HP Customer Participation Program 13.0 (Version: 13.0)
HP Document Manager 2.0 (Version: 2.0)
HP Imaging Device Functions 13.0 (Version: 13.0)
HP Officejet 4500 G510n-z (Version: 13.0)
HP Photosmart Essential 2.5 (Version: 2.5)
HP QuickTouch 1.00 C3 (Version: 1.0.5)
HP Smart Web Printing 4.60 (Version: 4.60)
HP Solution Center 13.0 (Version: 13.0)
Intel® Graphics Media Accelerator Driver
Intel® Matrix Storage Manager
IS500 Directshow and Twain Plug-in Version 2.0
Logitech SetPoint 6.32 (Version: 6.32.20)
MA500 Driver Version 1.0
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 3.5 SP1 (Version: 3.5.30729)
Microsoft .NET Framework 4.5.1 (Version: 4.5.50938)
Microsoft Application Error Reporting (Version: 12.0.6015.5000)
Microsoft IntelliPoint 6.2 (Version: 6.20.182.0)
Microsoft IntelliType Pro 6.2 (Version: 6.20.182.0)
Microsoft Security Client (Version: 4.4.0304.0)
Microsoft Security Essentials (Version: 4.4.304.0)
Microsoft Visual C++ 2005 ATL Update kb973923 - x64 8.0.50727.4053 (Version: 8.0.50727.4053)
Microsoft Visual C++ 2005 Redistributable (x64) - KB2467175 (Version: 8.0.51011)
Microsoft Visual C++ 2005 Redistributable (x64) (Version: 8.0.56336)
Microsoft Visual C++ 2005 Redistributable (x64) (Version: 8.0.61000)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.17 (Version: 9.0.30729)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.6161 (Version: 9.0.30729.6161)
Motorola SM56 Speakerphone Modem (Version: 6.12.25.06)
MT500 Driver Version 1.0
MySQL Server 5.5 (Version: 5.5.15)
Network64 (Version: 130.0.550.000)
OCR Software by I.R.I.S. 13.0 (Version: 13.0)
Shop for HP Supplies (Version: 13.0)
SPBBC 64bit (Version: 107.0.0.134)
SUPERAntiSpyware (Version: 5.7.1016)
Synaptics Pointing Device Driver (Version: 15.3.29.0)
System Requirements Lab CYRI (64-bit) (Version: 4.5.1.0)
Unity Web Player (Version: )
WD SmartWare (Version: 1.2.0.8)
WeatherBug Gadget (Version: 1.0.0.6)
Windows Live Family Safety (Version: 15.4.3555.0308)
Windows Live ID Sign-in Assistant (Version: 7.250.4232.0)
Windows Live Language Selector (Version: 15.4.3555.0308)
Windows Live MIME IFilter (Version: 15.4.3502.0922)
Windows Live Remote Client (Version: 15.4.5722.2)
Windows Live Remote Client Resources (Version: 15.4.5722.2)
Windows Live Remote Service (Version: 15.4.5722.2)
Windows Live Remote Service Resources (Version: 15.4.5722.2)

========================= Memory info: ===================================

Percentage of memory in use: 75%
Total physical RAM: 4085.5 MB
Available physical RAM: 988.61 MB
Total Pagefile: 8362.27 MB
Available Pagefile: 4330.82 MB
Total Virtual: 4095.88 MB
Available Virtual: 3995.96 MB

========================= Partitions: =====================================

1 Drive c: () (Fixed) (Total:285.26 GB) (Free:42.05 GB) NTFS
2 Drive d: (HP_RECOVERY) (Fixed) (Total:12.83 GB) (Free:2.44 GB) NTFS
5 Drive k: (FreeAgent GoFlex Drive) (Fixed) (Total:2794.51 GB) (Free:2247.66 GB) NTFS

========================= Users: ========================================

User accounts for \\HP-15

Administrator            Administrator2           ASPNET                  
Guest                   

**** End of log ****

Hi boopme,

Below is the result from MiniToolBox:

#5 DWLooney

Posted 06 January 2014 - 01:14 AM

Hi boopme,

Here is the result for Rogue Killer:

RogueKiller V8.8.0 [Dec 27 2013] by Tigzy
mail : tigzyRK<at>gmail<dot>com
Feedback : http://www.adlice.com/forum/
Website : http://www.adlice.com/softwares/roguekiller/
Blog : http://www.adlice.com

Operating System : Windows Vista (6.0.6002 Service Pack 2) 64 bits version
Started in : Normal mode
User : Administrator2 [Admin rights]
Mode : Scan -- Date : 01/05/2014 20:19:05
| ARK || FAK || MBR |

¤¤¤ Bad processes : 4 ¤¤¤
[SUSP PATH] irinboa.exe -- C:\Users\Administrator2\AppData\Roaming\Ihyhliyh\irinboa.exe [-] -> KILLED [TermProc]
[SUSP PATH] irinboa.exe -- C:\Users\Administrator2\AppData\Roaming\Ihyhliyh\irinboa.exe [-] -> KILLED [TermProc]
[SUSP PATH] irinboa.exe -- C:\Users\Administrator2\AppData\Roaming\Ihyhliyh\irinboa.exe [-] -> KILLED [TermProc]
[SUSP PATH] irinboa.exe -- C:\Users\Administrator2\AppData\Roaming\Ihyhliyh\irinboa.exe [-] -> KILLED [TermProc]

¤¤¤ Registry Entries : 10 ¤¤¤
[RUN][SUSP PATH] HKCU\[...]\Run : Buuxmyq (C:\Users\Administrator2\AppData\Roaming\Ihyhliyh\irinboa.exe [-]) -> FOUND
[HJ POL][PUM] HKCU\[...]\System : DisableTaskMgr (0) -> FOUND
[HJ POL][PUM] HKCU\[...]\System : DisableRegistryTools (0) -> FOUND
[HJ DESK][PUM] HKCU\[...]\ClassicStartMenu : {645FF040-5081-101B-9F08-00AA002F954E} (1) -> FOUND
[HJ DESK][PUM] HKCU\[...]\NewStartPanel : {645FF040-5081-101B-9F08-00AA002F954E} (1) -> FOUND
[HJ DESK][PUM] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
[HJ DESK][PUM] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND
[HJ DLL][SUSP PATH] HKLM\[...]\CCSet\[...]\Parameters : ServiceDll (C:\PROGRA~3\1jba2wl.pss [x]) -> FOUND
[HJ DLL][SUSP PATH] HKLM\[...]\CS001\[...]\Parameters : ServiceDll (C:\PROGRA~3\1jba2wl.pss [x]) -> FOUND
[HJ DLL][SUSP PATH] HKLM\[...]\CS003\[...]\Parameters : ServiceDll (C:\PROGRA~3\1jba2wl.pss [x]) -> FOUND

¤¤¤ Scheduled tasks : 77 ¤¤¤
[V1][SUSP PATH] Security Center Update - 1021235219.job : C:\Users\Administrator2\AppData\Roaming\Zueqah\ricyed.exe [-] -> FOUND
[V1][SUSP PATH] Security Center Update - 103779496.job : C:\Users\Administrator2\AppData\Roaming\Xiicpiem\afnui.exe [-] -> FOUND
[V1][SUSP PATH] Security Center Update - 1080855907.job : C:\Users\Administrator2\AppData\Roaming\Atfaypw\utlour.exe [-] -> FOUND
[V1][SUSP PATH] Security Center Update - 1115278311.job : C:\Users\Administrator2\AppData\Roaming\Qivuid\hiqiuz.exe [-] -> FOUND
[V1][SUSP PATH] Security Center Update - 1180196146.job : C:\Users\Administrator2\AppData\Roaming\Bomeevm\uqnek.exe [-] -> FOUND
[V1][SUSP PATH] Security Center Update - 1305453054.job : C:\Users\Administrator2\AppData\Roaming\Uruppoic\wudeceo.exe [-] -> FOUND
[V1][SUSP PATH] Security Center Update - 146997238.job : C:\Users\Administrator2\AppData\Roaming\Nasahudo\eksycy.exe [-] -> FOUND
[V1][SUSP PATH] Security Center Update - 152279890.job : C:\Users\Administrator2\AppData\Roaming\Ebnoezd\voboes.exe [-] -> FOUND
[V1][SUSP PATH] Security Center Update - 1858613941.job : C:\Users\Administrator2\AppData\Roaming\Irzyoxcu\upixg.exe [-] -> FOUND
[V1][SUSP PATH] Security Center Update - 18645439.job : C:\Users\Administrator2\AppData\Roaming\Qihuceko\muupvy.exe [-] -> FOUND
[V1][SUSP PATH] Security Center Update - 1916191864.job : C:\Users\Administrator2\AppData\Roaming\Ekpymu\geriul.exe [-] -> FOUND
[V1][SUSP PATH] Security Center Update - 2161234927.job : C:\Users\Administrator2\AppData\Roaming\Epacpuih\rookt.exe [-] -> FOUND
[V1][SUSP PATH] Security Center Update - 2337024599.job : C:\Users\Administrator2\AppData\Roaming\Dylulyqe\hateuxq.exe [-] -> FOUND
[V1][SUSP PATH] Security Center Update - 236266435.job : C:\Users\Administrator2\AppData\Roaming\Ohgido\hoaho.exe [-] -> FOUND
[V1][SUSP PATH] Security Center Update - 2623553177.job : C:\Users\Administrator2\AppData\Roaming\Avsiso\oztaw.exe [-] -> FOUND
[V1][SUSP PATH] Security Center Update - 2896596852.job : C:\Users\Administrator2\AppData\Roaming\Buhoycli\fuzatyz.exe [-] -> FOUND
[V1][SUSP PATH] Security Center Update - 3078834368.job : C:\Users\Administrator2\AppData\Roaming\Duywapid\ibubumt.exe [-] -> FOUND
[V1][SUSP PATH] Security Center Update - 3119272461.job : C:\Users\Administrator2\AppData\Roaming\Sarearow\akrouru.exe [-] -> FOUND
[V1][SUSP PATH] Security Center Update - 3179017647.job : C:\Users\Administrator2\AppData\Roaming\Alizid\ulycedw.exe [-] -> FOUND
[V1][SUSP PATH] Security Center Update - 3191387841.job : C:\Users\Administrator2\AppData\Roaming\Sofayq\afeqwo.exe [-] -> FOUND
[V1][SUSP PATH] Security Center Update - 3316704060.job : C:\Users\Administrator2\AppData\Roaming\Abfyne\otpigo.exe [-] -> FOUND
[V1][SUSP PATH] Security Center Update - 3643329962.job : C:\Users\Administrator2\AppData\Roaming\Avysiw\qiziam.exe [-] -> FOUND
[V1][SUSP PATH] Security Center Update - 3679776771.job : C:\Users\Administrator2\AppData\Roaming\Ylivalh\omsiug.exe [-] -> FOUND
[V1][SUSP PATH] Security Center Update - 3690099531.job : C:\Users\Administrator2\AppData\Roaming\Heakzo\erreu.exe [-] -> FOUND
[V1][SUSP PATH] Security Center Update - 3752643276.job : C:\Users\Administrator2\AppData\Roaming\Duotibdo\pyahole.exe [-] -> FOUND
[V1][SUSP PATH] Security Center Update - 3789118622.job : C:\Users\Administrator2\AppData\Roaming\Dinakabo\soobycq.exe [-] -> FOUND
[V1][SUSP PATH] Security Center Update - 3822168797.job : C:\Users\Administrator2\AppData\Roaming\Fyseal\itcuy.exe [-] -> FOUND
[V1][SUSP PATH] Security Center Update - 3881668050.job : C:\Users\Administrator2\AppData\Roaming\Iwfiam\ydwoo.exe [-] -> FOUND
[V1][SUSP PATH] Security Center Update - 3903465617.job : C:\Users\Administrator2\AppData\Roaming\Osylgi\xezabu.exe [-] -> FOUND
[V1][SUSP PATH] Security Center Update - 3990155547.job : C:\Users\Administrator2\AppData\Roaming\Apkadyb\kyiqags.exe [-] -> FOUND
[V1][SUSP PATH] Security Center Update - 4016642603.job : C:\Users\Administrator2\AppData\Roaming\Cufuzeyw\ycymore.exe [-] -> FOUND
[V1][SUSP PATH] Security Center Update - 4018036227.job : C:\Users\Administrator2\AppData\Roaming\Zeulkuyh\uduznuo.exe [-] -> FOUND
[V1][SUSP PATH] Security Center Update - 407472577.job : C:\Users\Administrator2\AppData\Roaming\Coimev\avytgoa.exe [-] -> FOUND
[V1][SUSP PATH] Security Center Update - 4232786196.job : C:\Users\Administrator2\AppData\Roaming\Ikpygus\ocusdey.exe [-] -> FOUND
[V1][SUSP PATH] Security Center Update - 577179605.job : C:\Users\Administrator2\AppData\Roaming\Ihyhliyh\irinboa.exe [-] -> FOUND
[V1][SUSP PATH] Security Center Update - 627492877.job : C:\Users\Administrator2\AppData\Roaming\Edgicy\syibih.exe [-] -> FOUND
[V1][SUSP PATH] Security Center Update - 729765621.job : C:\Users\Administrator2\AppData\Roaming\Yduzuvde\qugeqo.exe [-] -> FOUND
[V1][SUSP PATH] Security Center Update - 874238659.job : C:\Users\Administrator2\AppData\Roaming\Wezarew\dipyibq.exe [-] -> FOUND
[V2][ROGUE ST] 4790 : wscript.exe - C:\Users\ADMINI~1\AppData\Local\Temp\launchie.vbs //B -> FOUND
[V2][SUSP PATH] Security Center Update - 1021235219 : C:\Users\Administrator2\AppData\Roaming\Zueqah\ricyed.exe [-] -> FOUND
[V2][SUSP PATH] Security Center Update - 103779496 : C:\Users\Administrator2\AppData\Roaming\Xiicpiem\afnui.exe [-] -> FOUND
[V2][SUSP PATH] Security Center Update - 1080855907 : C:\Users\Administrator2\AppData\Roaming\Atfaypw\utlour.exe [-] -> FOUND
[V2][SUSP PATH] Security Center Update - 1115278311 : C:\Users\Administrator2\AppData\Roaming\Qivuid\hiqiuz.exe [-] -> FOUND
[V2][SUSP PATH] Security Center Update - 1180196146 : C:\Users\Administrator2\AppData\Roaming\Bomeevm\uqnek.exe [-] -> FOUND
[V2][SUSP PATH] Security Center Update - 1305453054 : C:\Users\Administrator2\AppData\Roaming\Uruppoic\wudeceo.exe [-] -> FOUND
[V2][SUSP PATH] Security Center Update - 146997238 : C:\Users\Administrator2\AppData\Roaming\Nasahudo\eksycy.exe [-] -> FOUND
[V2][SUSP PATH] Security Center Update - 152279890 : C:\Users\Administrator2\AppData\Roaming\Ebnoezd\voboes.exe [-] -> FOUND
[V2][SUSP PATH] Security Center Update - 1858613941 : C:\Users\Administrator2\AppData\Roaming\Irzyoxcu\upixg.exe [-] -> FOUND
[V2][SUSP PATH] Security Center Update - 18645439 : C:\Users\Administrator2\AppData\Roaming\Qihuceko\muupvy.exe [-] -> FOUND
[V2][SUSP PATH] Security Center Update - 1916191864 : C:\Users\Administrator2\AppData\Roaming\Ekpymu\geriul.exe [-] -> FOUND
[V2][SUSP PATH] Security Center Update - 2161234927 : C:\Users\Administrator2\AppData\Roaming\Epacpuih\rookt.exe [-] -> FOUND
[V2][SUSP PATH] Security Center Update - 2337024599 : C:\Users\Administrator2\AppData\Roaming\Dylulyqe\hateuxq.exe [-] -> FOUND
[V2][SUSP PATH] Security Center Update - 236266435 : C:\Users\Administrator2\AppData\Roaming\Ohgido\hoaho.exe [-] -> FOUND
[V2][SUSP PATH] Security Center Update - 2623553177 : C:\Users\Administrator2\AppData\Roaming\Avsiso\oztaw.exe [-] -> FOUND
[V2][SUSP PATH] Security Center Update - 2896596852 : C:\Users\Administrator2\AppData\Roaming\Buhoycli\fuzatyz.exe [-] -> FOUND
[V2][SUSP PATH] Security Center Update - 3078834368 : C:\Users\Administrator2\AppData\Roaming\Duywapid\ibubumt.exe [-] -> FOUND
[V2][SUSP PATH] Security Center Update - 3119272461 : C:\Users\Administrator2\AppData\Roaming\Sarearow\akrouru.exe [-] -> FOUND
[V2][SUSP PATH] Security Center Update - 3179017647 : C:\Users\Administrator2\AppData\Roaming\Alizid\ulycedw.exe [-] -> FOUND
[V2][SUSP PATH] Security Center Update - 3191387841 : C:\Users\Administrator2\AppData\Roaming\Sofayq\afeqwo.exe [-] -> FOUND
[V2][SUSP PATH] Security Center Update - 3316704060 : C:\Users\Administrator2\AppData\Roaming\Abfyne\otpigo.exe [-] -> FOUND
[V2][SUSP PATH] Security Center Update - 3643329962 : C:\Users\Administrator2\AppData\Roaming\Avysiw\qiziam.exe [-] -> FOUND
[V2][SUSP PATH] Security Center Update - 3679776771 : C:\Users\Administrator2\AppData\Roaming\Ylivalh\omsiug.exe [-] -> FOUND
[V2][SUSP PATH] Security Center Update - 3690099531 : C:\Users\Administrator2\AppData\Roaming\Heakzo\erreu.exe [-] -> FOUND
[V2][SUSP PATH] Security Center Update - 3752643276 : C:\Users\Administrator2\AppData\Roaming\Duotibdo\pyahole.exe [-] -> FOUND
[V2][SUSP PATH] Security Center Update - 3789118622 : C:\Users\Administrator2\AppData\Roaming\Dinakabo\soobycq.exe [-] -> FOUND
[V2][SUSP PATH] Security Center Update - 3822168797 : C:\Users\Administrator2\AppData\Roaming\Fyseal\itcuy.exe [-] -> FOUND
[V2][SUSP PATH] Security Center Update - 3881668050 : C:\Users\Administrator2\AppData\Roaming\Iwfiam\ydwoo.exe [-] -> FOUND
[V2][SUSP PATH] Security Center Update - 3903465617 : C:\Users\Administrator2\AppData\Roaming\Osylgi\xezabu.exe [-] -> FOUND
[V2][SUSP PATH] Security Center Update - 3990155547 : C:\Users\Administrator2\AppData\Roaming\Apkadyb\kyiqags.exe [-] -> FOUND
[V2][SUSP PATH] Security Center Update - 4016642603 : C:\Users\Administrator2\AppData\Roaming\Cufuzeyw\ycymore.exe [-] -> FOUND
[V2][SUSP PATH] Security Center Update - 4018036227 : C:\Users\Administrator2\AppData\Roaming\Zeulkuyh\uduznuo.exe [-] -> FOUND
[V2][SUSP PATH] Security Center Update - 407472577 : C:\Users\Administrator2\AppData\Roaming\Coimev\avytgoa.exe [-] -> FOUND
[V2][SUSP PATH] Security Center Update - 4232786196 : C:\Users\Administrator2\AppData\Roaming\Ikpygus\ocusdey.exe [-] -> FOUND
[V2][SUSP PATH] Security Center Update - 577179605 : C:\Users\Administrator2\AppData\Roaming\Ihyhliyh\irinboa.exe [-] -> FOUND
[V2][SUSP PATH] Security Center Update - 627492877 : C:\Users\Administrator2\AppData\Roaming\Edgicy\syibih.exe [-] -> FOUND
[V2][SUSP PATH] Security Center Update - 729765621 : C:\Users\Administrator2\AppData\Roaming\Yduzuvde\qugeqo.exe [-] -> FOUND
[V2][SUSP PATH] Security Center Update - 874238659 : C:\Users\Administrator2\AppData\Roaming\Wezarew\dipyibq.exe [-] -> FOUND

¤¤¤ Startup Entries : 0 ¤¤¤

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ Browser Addons : 0 ¤¤¤

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [NOT LOADED 0x0] ¤¤¤

¤¤¤ External Hives: ¤¤¤

¤¤¤ Infection :  ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
--> %SystemRoot%\System32\drivers\etc\hosts

127.0.0.1       localhost
::1             localhost

¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: ( @ )  +++++
--- User ---
[MBR] 6c6ad7b28a39f3bb8c51c5d92a6b80ae
[BSP] afd523729e3722ee5cde6a84aaeef429 : MBR Code unknown
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 292103 Mo
1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 598228470 | Size: 13139 Mo
User = LL1 ... OK!
User = LL2 ... OK!

Finished : << RKreport[0]_S_01052014_201905.txt >>

#6 DWLooney

Posted 06 January 2014 - 01:22 AM

Hi,

Here are the results for AdwCleaner (S0) - there are actually two files, (R0) and (S0):

# AdwCleaner v3.016 - Report created 05/01/2014 at 17:18:27
# Updated 23/12/2013 by Xplode
# Operating System : Windows ™ Vista Home Premium Service Pack 2 (64 bits)
# Username : Administrator2 - HP-15
# Running from : C:\Users\Administrator2\AppData\Local\Temp\Temporary Internet Files\Content.IE5\0OQX9TG1\AdwCleaner.exe
# Option : Clean

***** [ Services ] *****

***** [ Files / Folders ] *****

[!] Folder Deleted : C:\ProgramData\GameTap Web Player
[!] Folder Deleted : C:\ProgramData\ParetoLogic
[!] Folder Deleted : C:\ProgramData\Viewpoint
[!] Folder Deleted : C:\Program Files (x86)\GameTap Web Player
[!] Folder Deleted : C:\Program Files (x86)\Viewpoint
[!] Folder Deleted : C:\Users\Administrator2\AppData\Local\TempDir
[!] Folder Deleted : C:\Users\Administrator2\AppData\Roaming\DriverCure
[!] Folder Deleted : C:\Users\Administrator2\AppData\Roaming\iWin
[!] Folder Deleted : C:\Users\Administrator2\AppData\Roaming\ParetoLogic
File Deleted : C:\ProgramData\Microsoft\Windows\Start Menu\Programs\eBay.lnk

***** [ Shortcuts ] *****

Shortcut Disinfected : C:\Users\Administrator2\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Search.lnk
Shortcut Disinfected : C:\Users\Administrator2\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Search.lnk

***** [ Registry ] *****

Key Deleted : HKLM\SOFTWARE\Classes\AxMetaStream.MetaStreamCtl
Key Deleted : HKLM\SOFTWARE\Classes\AxMetaStream.MetaStreamCtl.1
Key Deleted : HKLM\SOFTWARE\Classes\AxMetaStream.MetaStreamCtlSecondary
Key Deleted : HKLM\SOFTWARE\Classes\AxMetaStream.MetaStreamCtlSecondary.1
Key Deleted : HKLM\SOFTWARE\Classes\IMsiDe1egate.Application.1
Key Deleted : HKLM\SOFTWARE\Classes\Prod.cap
Key Deleted : HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{03F998B2-0E00-11D3-A498-00104B6EB52E}
Key Deleted : HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{1B00725B-C455-4DE6-BFB6-AD540AD427CD}
Key Deleted : HKLM\SOFTWARE\MozillaPlugins\@viewpoint.com/VMP
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{0A18A436-2A7A-49F3-A488-30538A2F6323}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{007EFBDF-8A5D-4930-97CC-A4B437CBA777}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{03F998B2-0E00-11D3-A498-00104B6EB52E}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{1B00725B-C455-4DE6-BFB6-AD540AD427CD}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{761F6A83-F007-49E4-8EAC-CDB6808EF06F}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{76C45B18-A29E-43EA-AAF8-AF55C2E1AE17}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{96EF404C-24C7-43D0-9096-4CCC8BB7CCAC}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{97720195-206A-42AE-8E65-260B9BA5589F}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{97D69524-BB57-4185-9C7F-5F05593B771A}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{986F7A5A-9676-47E1-8642-F41F8C3FCF82}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{B18788A4-92BD-440E-A4D1-380C36531119}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{EF99BD32-C1FB-11D2-892F-0090271D4F88}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{FD72061E-9FDE-484D-A58A-0BAB4151CAD8}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{EF99BD32-C1FB-11D2-892F-0090271D4F88}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{FD72061E-9FDE-484D-A58A-0BAB4151CAD8}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{AE07101B-46D4-4A98-AF68-0333EA26E113}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{EF99BD32-C1FB-11D2-892F-0090271D4F88}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{EF99BD32-C1FB-11D2-892F-0090271D4F88}
Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{006EE092-9658-4FD6-BD8E-A21A348E59F5}
Value Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar [{EF99BD32-C1FB-11D2-892F-0090271D4F88}]
Value Deleted : HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser [{D4027C7F-154A-4066-A1AD-4243D8127440}]
Key Deleted : HKCU\Software\ParetoLogic
Key Deleted : HKCU\Software\SmartBar
Key Deleted : HKCU\Software\YahooPartnerToolbar
Key Deleted : HKCU\Software\Zugo
Key Deleted : HKLM\Software\MetaStream
Key Deleted : HKLM\Software\ParetoLogic
Key Deleted : HKLM\Software\Viewpoint
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{86C0E2A3-1EDA-4F01-A43D-80DA8642813C}_is1
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ViewpointMediaPlayer
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache\{1AE46C09-2AB8-4EE5-88FB-08CD0FF7F2DF}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache\{86C0E2A3-1EDA-4F01-A43D-80DA8642813C}_is1
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache\ViewpointMediaPlayer
Key Deleted : HKLM\Software\Classes\Installer\Products\A28B4D68DEBAA244EB686953B7074FEF

***** [ Browsers ] *****

-\\ Internet Explorer v9.0.8112.16526

Setting Restored : HKCU\Software\Microsoft\Internet Explorer\SearchUrl [Default]

-\\ Google Chrome v

[ File : C:\Users\Administrator2\AppData\Local\Google\Chrome\User Data\Default\preferences ]

*************************

AdwCleaner[R0].txt - [6718 octets] - [05/01/2014 17:16:10]
AdwCleaner[S0].txt - [5894 octets] - [05/01/2014 17:18:27]

########## EOF - C:\AdwCleaner\AdwCleaner[S0].txt - [5954 octets] ##########

#7 DWLooney

Posted 06 January 2014 - 01:31 AM

Hi - Here is the result for AdwCleaner (R0):

I am still working on the ESET, which I am having trouble running (major crash after 40 minutes and 20%).

# AdwCleaner v3.016 - Report created 05/01/2014 at 17:16:10
# Updated 23/12/2013 by Xplode
# Operating System : Windows ™ Vista Home Premium Service Pack 2 (64 bits)
# Username : Administrator2 - HP-15
# Running from : C:\Users\Administrator2\AppData\Local\Temp\Temporary Internet Files\Content.IE5\0OQX9TG1\AdwCleaner.exe
# Option : Scan

***** [ Services ] *****

***** [ Files / Folders ] *****

File Found : C:\ProgramData\Microsoft\Windows\Start Menu\Programs\eBay.lnk
Folder Found C:\Program Files (x86)\GameTap Web Player
Folder Found C:\Program Files (x86)\Viewpoint
Folder Found C:\ProgramData\GameTap Web Player
Folder Found C:\ProgramData\ParetoLogic
Folder Found C:\ProgramData\Viewpoint
Folder Found C:\Users\Administrator2\AppData\Local\TempDir
Folder Found C:\Users\Administrator2\AppData\Roaming\DriverCure
Folder Found C:\Users\Administrator2\AppData\Roaming\iWin
Folder Found C:\Users\Administrator2\AppData\Roaming\ParetoLogic

***** [ Shortcuts ] *****

Shortcut Found : C:\Users\Administrator2\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Search.lnk ( hxxp://feed.snapdo.com/?publisher=SnapdoGOblidoo&dpid=GOB1&co=US&userid=24fbdb4c-48bf-48f9-8535-c6201c66bdf5&searchtype=sc&installDate=23/11/2013 )
Shortcut Found : C:\Users\Administrator2\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Search.lnk ( hxxp://feed.snapdo.com/?publisher=SnapdoGOblidoo&dpid=GOB1&co=US&userid=24fbdb4c-48bf-48f9-8535-c6201c66bdf5&searchtype=sc&installDate=23/11/2013 )

***** [ Registry ] *****

Key Found : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{006EE092-9658-4FD6-BD8E-A21A348E59F5}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache\{1AE46C09-2AB8-4EE5-88FB-08CD0FF7F2DF}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache\{86C0E2A3-1EDA-4F01-A43D-80DA8642813C}_is1
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache\ViewpointMediaPlayer
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{AE07101B-46D4-4A98-AF68-0333EA26E113}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{EF99BD32-C1FB-11D2-892F-0090271D4F88}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{EF99BD32-C1FB-11D2-892F-0090271D4F88}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{FD72061E-9FDE-484D-A58A-0BAB4151CAD8}
Key Found : HKCU\Software\ParetoLogic
Key Found : HKCU\Software\SmartBar
Key Found : HKCU\Software\YahooPartnerToolbar
Key Found : HKCU\Software\Zugo
Key Found : [x64] HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{006EE092-9658-4FD6-BD8E-A21A348E59F5}
Key Found : [x64] HKCU\Software\ParetoLogic
Key Found : [x64] HKCU\Software\SmartBar
Key Found : [x64] HKCU\Software\YahooPartnerToolbar
Key Found : [x64] HKCU\Software\Zugo
Key Found : HKLM\SOFTWARE\Classes\AppID\{0A18A436-2A7A-49F3-A488-30538A2F6323}
Key Found : HKLM\SOFTWARE\Classes\AxMetaStream.MetaStreamCtl
Key Found : HKLM\SOFTWARE\Classes\AxMetaStream.MetaStreamCtl.1
Key Found : HKLM\SOFTWARE\Classes\AxMetaStream.MetaStreamCtlSecondary
Key Found : HKLM\SOFTWARE\Classes\AxMetaStream.MetaStreamCtlSecondary.1
Key Found : HKLM\SOFTWARE\Classes\CLSID\{007EFBDF-8A5D-4930-97CC-A4B437CBA777}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{03F998B2-0E00-11D3-A498-00104B6EB52E}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{1B00725B-C455-4DE6-BFB6-AD540AD427CD}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{761F6A83-F007-49E4-8EAC-CDB6808EF06F}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{76C45B18-A29E-43EA-AAF8-AF55C2E1AE17}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{96EF404C-24C7-43D0-9096-4CCC8BB7CCAC}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{97720195-206A-42AE-8E65-260B9BA5589F}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{97D69524-BB57-4185-9C7F-5F05593B771A}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{986F7A5A-9676-47E1-8642-F41F8C3FCF82}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{B18788A4-92BD-440E-A4D1-380C36531119}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{EF99BD32-C1FB-11D2-892F-0090271D4F88}
Key Found : HKLM\SOFTWARE\Classes\IMsiDe1egate.Application.1
Key Found : HKLM\Software\Classes\Installer\Products\A28B4D68DEBAA244EB686953B7074FEF
Key Found : HKLM\SOFTWARE\Classes\Prod.cap
Key Found : HKLM\Software\MetaStream
Key Found : HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{03F998B2-0E00-11D3-A498-00104B6EB52E}
Key Found : HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{1B00725B-C455-4DE6-BFB6-AD540AD427CD}
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{FD72061E-9FDE-484D-A58A-0BAB4151CAD8}
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{EF99BD32-C1FB-11D2-892F-0090271D4F88}
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{86C0E2A3-1EDA-4F01-A43D-80DA8642813C}_is1
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ViewpointMediaPlayer
Key Found : HKLM\SOFTWARE\MozillaPlugins\@viewpoint.com/VMP
Key Found : HKLM\Software\ParetoLogic
Key Found : HKLM\Software\Viewpoint
Key Found : [x64] HKLM\SOFTWARE\Classes\CLSID\{007EFBDF-8A5D-4930-97CC-A4B437CBA777}
Key Found : [x64] HKLM\SOFTWARE\Classes\CLSID\{EF99BD32-C1FB-11D2-892F-0090271D4F88}
Value Found : HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser [{D4027C7F-154A-4066-A1AD-4243D8127440}]
Value Found : HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar [{EF99BD32-C1FB-11D2-892F-0090271D4F88}]

***** [ Browsers ] *****

-\\ Internet Explorer v9.0.8112.16526

Setting Found : HKCU\Software\Microsoft\Internet Explorer\SearchUrl [Default] - hxxp://feed.snapdo.com/?publisher=SnapdoGOblidoo&dpid=GOB1&co=US&userid=24fbdb4c-48bf-48f9-8535-c6201c66bdf5&searchtype=ds&q={searchTerms}&installDate={installDate}

-\\ Google Chrome v

[ File : C:\Users\Administrator2\AppData\Local\Google\Chrome\User Data\Default\preferences ]

*************************

AdwCleaner[R0].txt - [6550 octets] - [05/01/2014 17:16:10]

########## EOF - C:\AdwCleaner\AdwCleaner[R0].txt - [6610 octets] ##########

#8 boopme

Posted 06 January 2014 - 11:45 AM

Hi, it appears you have no AV or malware tools installed...
  • Close all programs and disconnect any USB or external drives before running the tool.
  • Double-click RogueKiller.exe to run the tool again (Vista or 7 users: Right-click and select Run As Administrator).
  • Once the Prescan has finished, click Scan.
  • Once the Status box shows "Scan Finished", this time click the Delete button.
  • Copy and paste the report that opens into your next reply.
    • The log can also be found on your desktop labeled (RKreport[X]_D_xxdatexx_xtimex)
    • The highest number of [X] is the most recent Delete.


#9 DWLooney

Posted 06 January 2014 - 02:17 PM

Hi - I thought that I had Security Essentials installed and set to run automatically every day, but something seemed to block it.

Here is the result from ESET. Now I am rerunning RogueKiller but having trouble keeping my PC running long enough without crashing.

C:\Users\All Users\Microsoft\Windows\DRM\2FF5.tmp Win64/Olmarik.AY trojan 
C:\Users\All Users\Microsoft\Windows\DRM\3025.tmp Win64/Olmarik.AY trojan 
C:\Users\All Users\Microsoft\Windows\DRM\99A6.tmp Win64/Olmarik.AY trojan 
C:\Users\All Users\Microsoft\Windows\DRM\99B6.tmp Win64/Olmarik.AY trojan 
C:\ProgramData\Microsoft\Windows\DRM\2FF5.tmp Win64/Olmarik.AY trojan cleaned by deleting - quarantined
C:\ProgramData\Microsoft\Windows\DRM\3025.tmp Win64/Olmarik.AY trojan cleaned by deleting - quarantined
C:\ProgramData\Microsoft\Windows\DRM\99A6.tmp Win64/Olmarik.AY trojan cleaned by deleting - quarantined
C:\ProgramData\Microsoft\Windows\DRM\99B6.tmp Win64/Olmarik.AY trojan cleaned by deleting - quarantined
C:\Users\Administrator2\AppData\Roaming\Abfyne\otpigo.exe Win32/Spy.Zbot.ABA trojan cleaned by deleting - quarantined
C:\Users\Administrator2\AppData\Roaming\Alizid\ulycedw.exe Win32/Spy.Zbot.ABA trojan cleaned by deleting - quarantined
C:\Users\Administrator2\AppData\Roaming\Apkadyb\kyiqags.exe Win32/Spy.Zbot.ABA trojan cleaned by deleting - quarantined
C:\Users\Administrator2\AppData\Roaming\Atfaypw\utlour.exe Win32/Spy.Zbot.ABA trojan cleaned by deleting - quarantined
C:\Users\Administrator2\AppData\Roaming\Avsiso\oztaw.exe Win32/Spy.Zbot.ABA trojan cleaned by deleting - quarantined
C:\Users\Administrator2\AppData\Roaming\Avysiw\qiziam.exe Win32/Spy.Zbot.ABA trojan cleaned by deleting - quarantined
C:\Users\Administrator2\AppData\Roaming\Bomeevm\uqnek.exe Win32/Spy.Zbot.ABA trojan cleaned by deleting - quarantined
C:\Users\Administrator2\AppData\Roaming\Buhoycli\fuzatyz.exe Win32/Spy.Zbot.ABA trojan cleaned by deleting - quarantined
C:\Users\Administrator2\AppData\Roaming\Coimev\avytgoa.exe Win32/Spy.Zbot.ABA trojan cleaned by deleting - quarantined
C:\Users\Administrator2\AppData\Roaming\Cufuzeyw\ycymore.exe Win32/Spy.Zbot.ABA trojan cleaned by deleting - quarantined
C:\Users\Administrator2\AppData\Roaming\Dinakabo\soobycq.exe Win32/Spy.Zbot.ABA trojan cleaned by deleting - quarantined
C:\Users\Administrator2\AppData\Roaming\Duotibdo\pyahole.exe Win32/Spy.Zbot.ABA trojan cleaned by deleting - quarantined
C:\Users\Administrator2\AppData\Roaming\Duywapid\ibubumt.exe Win32/Spy.Zbot.ABA trojan cleaned by deleting - quarantined
C:\Users\Administrator2\AppData\Roaming\Dylulyqe\hateuxq.exe Win32/Spy.Zbot.ABA trojan cleaned by deleting - quarantined
C:\Users\Administrator2\AppData\Roaming\Ebnoezd\voboes.exe Win32/Spy.Zbot.ABA trojan cleaned by deleting - quarantined
C:\Users\Administrator2\AppData\Roaming\Edgicy\syibih.exe Win32/Spy.Zbot.ABA trojan cleaned by deleting - quarantined
C:\Users\Administrator2\AppData\Roaming\Ekpymu\geriul.exe Win32/Spy.Zbot.ABA trojan cleaned by deleting - quarantined
C:\Users\Administrator2\AppData\Roaming\Epacpuih\rookt.exe Win32/Spy.Zbot.ABA trojan cleaned by deleting - quarantined
C:\Users\Administrator2\AppData\Roaming\Fyseal\itcuy.exe Win32/Spy.Zbot.ABA trojan cleaned by deleting - quarantined
C:\Users\Administrator2\AppData\Roaming\Heakzo\erreu.exe Win32/Spy.Zbot.ABA trojan cleaned by deleting - quarantined
C:\Users\Administrator2\AppData\Roaming\Ihyhliyh\irinboa.exe Win32/Spy.Zbot.ABA trojan cleaned by deleting - quarantined
C:\Users\Administrator2\AppData\Roaming\Ikpygus\ocusdey.exe Win32/Spy.Zbot.ABA trojan cleaned by deleting - quarantined
C:\Users\Administrator2\AppData\Roaming\Irzyoxcu\upixg.exe Win32/Spy.Zbot.ABA trojan cleaned by deleting - quarantined
C:\Users\Administrator2\AppData\Roaming\Itesyd\uneckye.exe Win32/Spy.Zbot.ABA trojan cleaned by deleting - quarantined
C:\Users\Administrator2\AppData\Roaming\Iwfiam\ydwoo.exe Win32/Spy.Zbot.ABA trojan cleaned by deleting - quarantined
C:\Users\Administrator2\AppData\Roaming\Nasahudo\eksycy.exe Win32/Spy.Zbot.ABA trojan cleaned by deleting - quarantined
C:\Users\Administrator2\AppData\Roaming\Ohgido\hoaho.exe Win32/Spy.Zbot.ABA trojan cleaned by deleting - quarantined
C:\Users\Administrator2\AppData\Roaming\Osylgi\xezabu.exe Win32/Spy.Zbot.ABA trojan cleaned by deleting - quarantined
C:\Users\Administrator2\AppData\Roaming\Qihuceko\muupvy.exe Win32/Spy.Zbot.ABA trojan cleaned by deleting - quarantined
C:\Users\Administrator2\AppData\Roaming\Qivuid\hiqiuz.exe Win32/Spy.Zbot.ABA trojan cleaned by deleting - quarantined
C:\Users\Administrator2\AppData\Roaming\Sarearow\akrouru.exe Win32/Spy.Zbot.ABA trojan cleaned by deleting - quarantined
C:\Users\Administrator2\AppData\Roaming\Sofayq\afeqwo.exe Win32/Spy.Zbot.ABA trojan cleaned by deleting - quarantined
C:\Users\Administrator2\AppData\Roaming\TIhyhliyh\irinboa.exe Win32/Spy.Zbot.ABA trojan cleaned by deleting - quarantined
C:\Users\Administrator2\AppData\Roaming\Uruppoic\wudeceo.exe Win32/Spy.Zbot.ABA trojan cleaned by deleting - quarantined
C:\Users\Administrator2\AppData\Roaming\Wezarew\dipyibq.exe Win32/Spy.Zbot.ABA trojan cleaned by deleting - quarantined
C:\Users\Administrator2\AppData\Roaming\Xiicpiem\afnui.exe Win32/Spy.Zbot.ABA trojan cleaned by deleting - quarantined
C:\Users\Administrator2\AppData\Roaming\Yduzuvde\qugeqo.exe Win32/Spy.Zbot.ABA trojan cleaned by deleting - quarantined
C:\Users\Administrator2\AppData\Roaming\Ylivalh\omsiug.exe Win32/Spy.Zbot.ABA trojan cleaned by deleting - quarantined
C:\Users\Administrator2\AppData\Roaming\Zeulkuyh\uduznuo.exe Win32/Spy.Zbot.ABA trojan cleaned by deleting - quarantined
C:\Users\Administrator2\AppData\Roaming\Zueqah\ricyed.exe Win32/Spy.Zbot.ABA trojan cleaned by deleting - quarantined
C:\Users\Administrator2\Downloads\Proactive System Password Recovery v5.5.3.694.rar a variant of Win32/PassRecovery application deleted - quarantined
C:\Users\Administrator2\Downloads\Terraria_1.0.6.exe a variant of Win32/HackTool.Crack.B application cleaned by deleting - quarantined
C:\Users\Administrator2\Saved Games\Daniel's Trip Games\Call of Duty 2\Call of Duty 2\key_generator.exe a variant of Win32/Keygen.CU application cleaned by deleting - quarantined
C:\Users\Administrator2\Saved Games\Daniel's Trip Games\Call of Duty 2  full game  MP - SP  -=AviaRa=-\Call of Duty 2 full game.exe a variant of Win32/Keygen.CU application deleted - quarantined
C:\Users\Guest\AppData\Local\Retrogamer Installer(000617e3).exe a variant of Win32/AdInstaller application deleted - quarantined
Operating memory Win32/Spy.Zbot.ABA trojan contained infected files
 



#10 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 72,934 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:07:14 PM

Posted 06 January 2014 - 02:34 PM

Oops I see MSE is installed.

This isn't good... Do you do banking, financials or online shopping?
Threat characteristics of ZBot - a banking trojan that disables firewall, steals sensitive financial data (credit card numbers, online banking login details), makes screen snapshots, downloads additional components, and provides a hacker with the remote access to the compromised system.
Downloads/requests other files from Internet.

#11 DWLooney

DWLooney
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Local time:03:14 PM

Posted 06 January 2014 - 03:27 PM

Hi - here is the latest report from RogueKiller: I deleted the entries shown after the scan finished. There are other options that I have not clicked on: Fix Host, Fix Proxy, Fix DNS, Fix Shortcuts.

Many thanks for your help.

RogueKiller V8.8.0 [Dec 27 2013] by Tigzy
mail : tigzyRK<at>gmail<dot>com
Feedback : http://www.adlice.com/forum/
Website : http://www.adlice.com/softwares/roguekiller/
Blog : http://www.adlice.com

Operating System : Windows Vista (6.0.6002 Service Pack 2) 64 bits version
Started in : Normal mode
User : Administrator2 [Admin rights]
Mode : Remove -- Date : 01/06/2014 12:22:11
| ARK || FAK || MBR |

¤¤¤ Bad processes : 2 ¤¤¤
[SUSP PATH] irinboa.exe -- C:\Users\Administrator2\AppData\Roaming\Ihyhliyh\irinboa.exe [-] -> KILLED [TermProc]
[SUSP PATH] irinboa.exe -- C:\Users\Administrator2\AppData\Roaming\Ihyhliyh\irinboa.exe [-] -> KILLED [TermProc]

¤¤¤ Registry Entries : 8 ¤¤¤
[RUN][SUSP PATH] HKCU\[...]\Run : Buuxmyq (C:\Users\Administrator2\AppData\Roaming\Ihyhliyh\irinboa.exe [-]) -> DELETED
[HJ DESK][PUM] HKCU\[...]\ClassicStartMenu : {645FF040-5081-101B-9F08-00AA002F954E} (1) -> REPLACED (0)
[HJ DESK][PUM] HKCU\[...]\NewStartPanel : {645FF040-5081-101B-9F08-00AA002F954E} (1) -> REPLACED (0)
[HJ DESK][PUM] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> REPLACED (0)
[HJ DESK][PUM] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> REPLACED (0)
[HJ DLL][SUSP PATH] HKLM\[...]\CCSet\[...]\Parameters : ServiceDll (C:\PROGRA~3\1jba2wl.pss [x]) -> REPLACED (%SystemRoot%\system32\wbem\WMIsvc.dll)
[HJ DLL][SUSP PATH] HKLM\[...]\CS001\[...]\Parameters : ServiceDll (C:\PROGRA~3\1jba2wl.pss [x]) -> REPLACED (%SystemRoot%\system32\wbem\WMIsvc.dll)
[HJ DLL][SUSP PATH] HKLM\[...]\CS003\[...]\Parameters : ServiceDll (C:\PROGRA~3\1jba2wl.pss [x]) -> REPLACED (%SystemRoot%\system32\wbem\WMIsvc.dll)

¤¤¤ Scheduled tasks : 1 ¤¤¤
[V2][ROGUE ST] 4790 : wscript.exe - C:\Users\ADMINI~1\AppData\Local\Temp\launchie.vbs //B -> DELETED

¤¤¤ Startup Entries : 0 ¤¤¤

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ Browser Addons : 0 ¤¤¤

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [NOT LOADED 0x0] ¤¤¤

¤¤¤ External Hives: ¤¤¤

¤¤¤ Infection :  ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
--> %SystemRoot%\System32\drivers\etc\hosts

127.0.0.1       localhost
::1             localhost

¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: ( @ )  +++++
--- User ---
[MBR] 6c6ad7b28a39f3bb8c51c5d92a6b80ae
[BSP] afd523729e3722ee5cde6a84aaeef429 : MBR Code unknown
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 292103 Mo
1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 598228470 | Size: 13139 Mo
User = LL1 ... OK!
User = LL2 ... OK!

Finished : << RKreport[0]_D_01062014_122211.txt >>
RKreport[0]_S_01062014_122134.txt
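The RogueKiller report above is a fixed-format text log: section headers between `¤¤¤` markers, then one `[TAG][TAG] body -> ACTION` line per finding. The Python below is an added example, not part of this thread and not RogueKiller's or Adlice's own code; it parses such a report into records and produces a triage summary (what was remediated, what severity each finding carries, and which file paths to hunt for elsewhere, for instance in backups or on other machines that shared credentials). The embedded sample is constructed from lines copied out of the report posted above, and the tag-to-severity mapping is my own assumption, not anything RogueKiller defines.

```python
import re
from dataclasses import dataclass

# Constructed sample in the format of the RogueKiller report posted in this thread
# (these lines are copied from it; the whole file is much longer).
SAMPLE_REPORT = r"""
¤¤¤ Bad processes : 2 ¤¤¤
[SUSP PATH] irinboa.exe -- C:\Users\Administrator2\AppData\Roaming\Ihyhliyh\irinboa.exe [-] -> KILLED [TermProc]
[SUSP PATH] irinboa.exe -- C:\Users\Administrator2\AppData\Roaming\Ihyhliyh\irinboa.exe [-] -> KILLED [TermProc]

¤¤¤ Registry Entries : 8 ¤¤¤
[RUN][SUSP PATH] HKCU\[...]\Run : Buuxmyq (C:\Users\Administrator2\AppData\Roaming\Ihyhliyh\irinboa.exe [-]) -> DELETED
[HJ DESK][PUM] HKCU\[...]\ClassicStartMenu : {645FF040-5081-101B-9F08-00AA002F954E} (1) -> REPLACED (0)
[HJ DLL][SUSP PATH] HKLM\[...]\CCSet\[...]\Parameters : ServiceDll (C:\PROGRA~3\1jba2wl.pss [x]) -> REPLACED (%SystemRoot%\system32\wbem\WMIsvc.dll)

¤¤¤ Scheduled tasks : 1 ¤¤¤
[V2][ROGUE ST] 4790 : wscript.exe - C:\Users\ADMINI~1\AppData\Local\Temp\launchie.vbs //B -> DELETED

¤¤¤ Startup Entries : 0 ¤¤¤
"""

SECTION_RE = re.compile(r"^¤+\s*(.*?)\s*¤+\s*$")
ENTRY_RE = re.compile(r"^((?:\[[^\]]*\])+)\s*(.*?)\s*->\s*(.+?)\s*$")
TAG_RE = re.compile(r"\[([^\]]*)\]")
WIN_PATH_RE = re.compile(r"[A-Za-z]:\\[^\s\[\]()]+")   # drive-letter paths only
RESTORED_RE = re.compile(r"^REPLACED \((.+)\)$")

# Assumed severity mapping (my own, not RogueKiller's): persistence and
# service-DLL hijacks are high; desktop-icon PUM tweaks are low.
HIGH_TAGS = {"RUN", "HJ DLL", "ROGUE ST", "SUSP PATH"}


@dataclass
class Entry:
    section: str
    tags: list
    body: str
    action: str

    @property
    def paths(self):
        """Drive-letter paths named in the finding (the artifacts to hunt for)."""
        return WIN_PATH_RE.findall(self.body)

    @property
    def restored_value(self):
        """For 'REPLACED (x)' actions, the value RogueKiller wrote back."""
        m = RESTORED_RE.match(self.action)
        return m.group(1) if m else None

    @property
    def severity(self):
        return "high" if HIGH_TAGS & set(self.tags) else "low"


def parse_report(text):
    entries, section = [], None
    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            # "Registry Entries : 8" / "Particular Files / Folders:" -> drop count and colon
            section = re.sub(r"\s*:\s*\d*$", "", m.group(1))
            continue
        m = ENTRY_RE.match(line)
        if m and section:
            entries.append(Entry(section, TAG_RE.findall(m.group(1)), m.group(2), m.group(3)))
    return entries


def triage(entries):
    """Group findings by severity, count remediated ones, collect artifact paths."""
    summary = {"high": [], "low": [], "remediated": 0, "artifacts": set()}
    for e in entries:
        summary[e.severity].append(f"{e.section}: [{']['.join(e.tags)}] {e.body}")
        if e.action.split()[0] in ("KILLED", "DELETED", "REPLACED"):
            summary["remediated"] += 1
        summary["artifacts"].update(p.lower() for p in e.paths)
    return summary


if __name__ == "__main__":
    summary = triage(parse_report(SAMPLE_REPORT))
    for level in ("high", "low"):
        for line in summary[level]:
            print(f"{level.upper():5} {line}")
    print("remediated:", summary["remediated"])
    print("artifacts to hunt for:", *sorted(summary["artifacts"]), sep="\n  ")
```

Two things the structured view makes easy to check: the `restored_value` of the `[HJ DLL]` finding shows that the service's `ServiceDll` was pointed back at the WMI service DLL under `%SystemRoot%`, and the `artifacts` set (the `.exe` under `AppData\Roaming`, the `.pss` under `C:\PROGRA~3`, the `.vbs` under `Temp`) is the list to search for on backups and any other machine that used the same credentials. A clean RogueKiller run afterwards is a necessary check, not proof the host is trustworthy, which is the point boopme makes later in the thread.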

 

 



#12 DWLooney

DWLooney
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Local time:03:14 PM

Posted 06 January 2014 - 03:32 PM

Hi - Yes, I do use this machine for finance and banking.

Should I call my financial institutions and lock out my accounts until I can get this resolved? I suppose the best solution would be to get another PC and destroy this one. The question I have is how to get my data files off of the infected machine without transferring the offending bots and viruses.

Thanks again.



#13 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 72,934 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:07:14 PM

Posted 07 January 2014 - 10:33 AM

Yeah it's an ugly thing.

One or more of the identified infections is a backdoor trojan.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall


See posts 9 and 12 by our quietman7 for the info on reformatting and data.

http://www.bleepingcomputer.com/forums/t/458645/pop-ups-of-ugly-face-webcam-and-unknown-chat/

#14 Zmechanic

Zmechanic

  • Members
  • 1 posts
  • OFFLINE
  •  
  • Local time:05:14 PM

Posted 07 January 2014 - 12:10 PM

Hey,

I joined just to post to this. My wife got infected with this yesterday on her work computer. It actually came through email posing as a local natural gas company (Atmos Energy) saying we had an outstanding balance. We have used that company before, so my wife was concerned since we no longer use them (previous house). Anyway, long story short and her computer was bogged down with this.

There is sensitive info on her computer so I told her to unplug the ethernet and switch computers until I could get over there. Their IT is near useless so I figured I'd be cleaning this up.

On the surface, it actually doesn't appear to be that hard to remove. Took me about 30 minutes or so trying a few methods. This is what I did.

(Quick disclaimer, nothing I did is that high of risk, however, follow these steps at your own risk! I'd advise you don't tinker with your computer beyond your knowledge level as that is usually where people get in trouble.)

1. Reboot to safe mode (Check and confirm the offending process is no longer running. It wasn't in my case)

2. Open Regedit, navigate to 'HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run'. There should be a key in there pointing to an exe in the folder of 'C:\Users\*yourcurrentuser*\AppData\Roaming\*gibberishfoldername*\*gibberishfilename.exe*. Delete that key and any that look like it. I found only one.

3. Navigate to C:\Users\*currentuser*\AppData\Roaming\. Have to use a bit of detective work here, but it's fairly obvious which are the offending folders. They are all about the same length of name and are all gibberish. I noticed the ones on her computer were all created in about 1 minute intervals. There were over a hundred of them. Delete them all.

4. Restart. The process did not come back on her computer. I was afraid, at this point, that it has/had infected a service and would regenerate. It doesn't appear to have.

Another BIG note. I still do not fully trust the computer after this, though. I plan to reformat it very soon. If her IT was worth anything they could get to it faster. We'll see.


Edited by Zmechanic, 08 January 2014 - 10:50 AM.
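Zmechanic's steps 2 and 3 rest on two observable signals: a `HKCU\...\Run` value whose command points into `AppData\Roaming\<folder>\<file>.exe`, and a burst of folders under `AppData\Roaming` created about a minute apart, each holding one executable. The Python below is an added example (mine, not Zmechanic's and not from any tool named in this thread) that turns those two signals into a repeatable triage check over constructed data: the folder list, creation times and Run values are made up to resemble what the thread describes, with the one `Buuxmyq` value and the `Ihyhliyh` folder taken from the RogueKiller report above and the rest invented. The 90-second gap and cluster size of three are my own assumed thresholds. On a live host the same inputs would come from the Run key and from the folder creation timestamps; "gibberish" name scoring is deliberately left out because it is unreliable on short names, and the burst timing plus the Run-key cross-reference are the stronger evidence.

```python
from collections import namedtuple
from datetime import datetime, timedelta

# A profile folder under AppData\Roaming: name, creation time, and the name of the
# single .exe inside it (None if it holds no executable).
Folder = namedtuple("Folder", "name created exe")

# Constructed sample: legitimate neighbours plus a burst of one-exe folders created
# roughly a minute apart, plus one straggler referenced only from the Run key.
T0 = datetime(2014, 1, 5, 21, 0, 0)
ROAMING = [
    Folder("Microsoft", T0 - timedelta(days=400), None),
    Folder("Mozilla", T0 - timedelta(days=300), None),
    Folder("Ihyhliyh", T0, "irinboa.exe"),                       # from the thread's report
    Folder("Abfyne", T0 + timedelta(seconds=61), "otpigo.exe"),
    Folder("Alizid", T0 + timedelta(seconds=122), "ulycedw.exe"),
    Folder("Qivuid", T0 + timedelta(seconds=180), "hiqiuz.exe"),
    Folder("Zueqah", T0 + timedelta(seconds=245), "ricyed.exe"),
    Folder("Wezarew", T0 + timedelta(hours=2), "dipyibq.exe"),   # outside the burst
    Folder("Adobe", T0 + timedelta(days=1), None),
]

# Constructed HKCU\Software\Microsoft\Windows\CurrentVersion\Run values (name -> command).
# "Buuxmyq" is the value RogueKiller reported above; "Hqeolu" is invented.
RUN_KEY = {
    "Buuxmyq": r"C:\Users\Administrator2\AppData\Roaming\Ihyhliyh\irinboa.exe",
    "Hqeolu": r"C:\Users\Administrator2\AppData\Roaming\Wezarew\dipyibq.exe",
    "OneDrive": r"C:\Users\Administrator2\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background",
}

ROAMING_MARKER = "\\appdata\\roaming\\"


def burst_clusters(folders, max_gap=timedelta(seconds=90), min_size=3):
    """Runs of folders whose consecutive creation times are never more than max_gap apart."""
    ordered = sorted(folders, key=lambda f: f.created)
    clusters, current = [], []
    for f in ordered:
        if current and f.created - current[-1].created > max_gap:
            if len(current) >= min_size:
                clusters.append(current)
            current = []
        current.append(f)
    if len(current) >= min_size:
        clusters.append(current)
    return clusters


def run_values_into_roaming(run_values):
    """Run values whose command lives under the user's AppData\\Roaming."""
    return {name: cmd for name, cmd in run_values.items() if ROAMING_MARKER in cmd.lower()}


def roaming_folder_of(command):
    """First path component after AppData\\Roaming in a Run command, or None."""
    i = command.lower().find(ROAMING_MARKER)
    if i < 0:
        return None
    rest = command[i + len(ROAMING_MARKER):]
    return rest.split("\\", 1)[0]


def suspicious_folders(folders, run_values):
    """Union of the two signals: one-exe folders inside a creation burst, and any
    folder a Run value points into. Output is a review list, not a delete list."""
    flagged = set()
    for cluster in burst_clusters(folders):
        flagged.update(f.name for f in cluster if f.exe)
    for cmd in run_values_into_roaming(run_values).values():
        folder = roaming_folder_of(cmd)
        if folder:
            flagged.add(folder)
    return flagged


if __name__ == "__main__":
    for name, cmd in run_values_into_roaming(RUN_KEY).items():
        print(f"Run value {name!r} -> {cmd}")
    for cluster in burst_clusters(ROAMING):
        print("burst:", ", ".join(f"{f.name}({f.exe})" for f in cluster))
    print("review:", sorted(suspicious_folders(ROAMING, RUN_KEY)))
```

Folders flagged by only one of the two signals (here `Wezarew`, referenced from a Run value but created outside the burst) are exactly the ones manual detective work would miss, which is why the check unions the signals instead of requiring both. As boopme says in the surrounding posts, a clean result from this kind of check is about finding what to preserve as evidence and what to change (passwords, bank notifications), not about deciding the machine can be trusted again.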


#15 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 72,934 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:07:14 PM

Posted 07 January 2014 - 01:32 PM

That is my concern with the BOT...
Though the trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS



