
Multiple Infections


  • This topic is locked
24 replies to this topic

#1 djnorman

  • Members
  • 32 posts

Posted 29 September 2014 - 02:16 PM

Hi there,

 

Following work to reveal and dispose of several viruses on my PC in another part of the forum, I have been sent here to rid the poor machine of the malware affecting it! I hope you can help me out...

I've run DDS and here is the log:

DDS (Ver_2012-11-20.01) - NTFS_x86 
Internet Explorer: 9.0.8112.16575
Run by Nom at 19:47:54 on 2014-09-29
Microsoft® Windows Vista™ Business   6.0.6002.2.1252.44.1033.18.3322.1824 [GMT 1:00]
.
AV: Microsoft Security Essentials *Enabled/Updated* {4F35CFC4-45A3-FC37-EF17-759A02E39AB1}
SP: Microsoft Security Essentials *Enabled/Updated* {F4542E20-6399-F3B9-D5A7-4EE87964D00C}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ================
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
c:\Program Files\Microsoft Security Client\MsMpEng.exe
C:\Windows\system32\atiesrxx.exe
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\atieclxx.exe
C:\Windows\System32\spoolsv.exe
C:\Program Files\Intel\ASF Agent\ASFAgent.exe
C:\Program Files\Intel\AMT\atchksrv.exe
C:\Program Files\Intel\AMT\LMS.exe
C:\Program Files\Intel\AMT\UNS.exe
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Program Files\Intel\AMT\atchk.exe
C:\Windows\VMSnap23.exe
C:\Windows\Domino.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Common Files\Common Desktop Agent\CDASrv.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\Windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe
C:\Windows\system32\wuauclt.exe
C:\Users\Nom\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Nom\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Nom\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Nom\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Nom\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Nom\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.co.uk/
BHO: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - c:\program files\microsoft office\office14\URLREDIR.DLL
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [Google Update] "c:\users\nom\appdata\local\google\update\GoogleUpdate.exe" /c
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
uRun: [Asrnworks] regsvr32.exe c:\users\nom\appdata\local\asrnworks\dotfuscator.dll
mRun: [Windows Defender] c:\program files\windows defender\MSASCui.exe -hide
mRun: [atchk] "c:\program files\intel\amt\atchk.exe"
mRun: [StartCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun
mRun: [BigDogPath323VMSnap] c:\windows\VMSnap23.exe
mRun: [BigDogPath323Domino] c:\windows\Domino.exe
mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
mRun: [CDAServer] c:\program files\common files\common desktop agent\CDASrv.exe
mRun: [BCSSync] "c:\program files\microsoft office\office14\BCSSync.exe" /DelayServices
mPolicies-Explorer: BindDirectlyToPropertySetStorage = dword:0
mPolicies-System: EnableLUA = dword:0
mPolicies-System: EnableUIADesktopToggle = dword:0
TCP: NameServer = 192.168.1.254
TCP: Interfaces\{57793B72-EA22-4019-A4FC-C1DC4DB88452} : NameServer = 8.8.8.8,8.8.8.8
TCP: Interfaces\{73E23302-A2D3-4896-BF0A-0F72A15C9B88} : NameServer = 8.8.8.8,8.8.8.8
TCP: Interfaces\{73E23302-A2D3-4896-BF0A-0F72A15C9B88} : DHCPNameServer = 192.168.0.1
TCP: Interfaces\{8BD4C663-7FD8-4D02-BD64-54FFEF0BA73A} : NameServer = 8.8.8.8,8.8.8.8
TCP: Interfaces\{A37AEC29-83A1-4332-ACAF-F0E0C6CB7BEF} : NameServer = 8.8.8.8,8.8.8.8
TCP: Interfaces\{A37AEC29-83A1-4332-ACAF-F0E0C6CB7BEF} : DHCPNameServer = 192.168.22.22 192.168.22.23
TCP: Interfaces\{DD1CC496-817E-4A82-8D9C-FDE3FBA2D4A4} : NameServer = 8.8.8.8,8.8.8.8
TCP: Interfaces\{DD1CC496-817E-4A82-8D9C-FDE3FBA2D4A4} : DHCPNameServer = 192.168.1.254
TCP: Interfaces\{EC2BE945-E862-4002-A3E4-CD69F7B0D41B} : NameServer = 8.8.8.8,8.8.8.8
TCP: Interfaces\{EC2BE945-E862-4002-A3E4-CD69F7B0D41B} : DHCPNameServer = 192.168.0.1
TCP: Interfaces\{F9DE97B7-FC48-4ABE-A1BC-69941AB4FB4B} : NameServer = 8.8.8.8,8.8.8.8
Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - c:\program files\common files\microsoft shared\office14\MSOXMLMF.DLL
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\program files\common files\skype\Skype4COM.dll
LSA: Security Packages =  kerberos msv1_0 schannel wdigest tspkg
Hosts: 5.45.77.82 www.google-analytics.com.
Hosts: 5.45.77.82 google-analytics.com.
Hosts: 5.45.77.82 connect.facebook.net.
Hosts: 193.107.16.138 www.google-analytics.com.
Hosts: 193.107.16.138 google-analytics.com.
.
Note: multiple HOSTS entries found. Please refer to Attach.txt
.
============= SERVICES / DRIVERS ===============
.
R0 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2014-7-17 231800]
R2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2011-5-25 176128]
R2 ASFAgent;ASF Agent;c:\program files\intel\asf agent\ASFAgent.exe [2007-1-23 133968]
R2 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2011-7-14 21504]
R2 SSPORT;SSPORT;c:\windows\system32\drivers\SSPORT.SYS [2013-4-10 5120]
R2 UNS;Intel® Active Management Technology User Notification Service;c:\program files\intel\amt\UNS.exe [2011-7-13 2519040]
R3 AtiHDAudioService;ATI Function Driver for HD Audio Service;c:\windows\system32\drivers\AtihdLH3.sys [2011-3-30 97808]
R3 RtlWlanu;Wireless LAN 802.11n USB 2.0 Network Adapter;c:\windows\system32\drivers\RTWlanU.sys [2013-9-17 1310864]
R3 vmfilter323;323 filter service, Normal;c:\windows\system32\drivers\vmfilter323.sys [2012-2-22 476672]
R3 ZSMC326;Vimicro USB2.0 PC Camera(VC0323);c:\windows\system32\drivers\usbvm323.sys [2012-2-22 244864]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2013-9-11 105144]
S2 SkypeUpdate;Skype Updater;c:\program files\skype\updater\Updater.exe [2013-10-23 172192]
S3 netr28u;RT2870 USB Wireless LAN Card Driver for Vista;c:\windows\system32\drivers\netr28u.sys [2011-12-22 1093472]
S3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\drivers\NisDrvWFP.sys [2012-3-20 95920]
S3 NisSrv;Microsoft Network Inspection;c:\program files\microsoft security client\NisSrv.exe [2014-8-22 288120]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2013-9-11 770168]
.
=============== File Associations ===============
.
FileExt: .txt: txtfile=c:\windows\system32\NOTEPAD.EXE %1 [UserChoice]
.
=============== Created Last 30 ================
.
2014-09-29 18:36:04 8806800 ----a-w- c:\programdata\microsoft\microsoft antimalware\definition updates\{de5bdb55-d754-4272-b797-d0968a5734bb}\mpengine.dll
2014-09-29 00:42:12 8581864 ----a-w- c:\programdata\microsoft\microsoft antimalware\definition updates\backup\mpengine.dll
2014-09-28 20:54:56 -------- d-----w- c:\program files\ESET
2014-09-14 19:18:25 51928 ----a-w- c:\windows\system32\drivers\mwac.sys
2014-09-14 19:18:25 23256 ----a-w- c:\windows\system32\drivers\mbam.sys
2014-09-14 19:18:25 -------- d-----w- c:\program files\Malwarebytes Anti-Malware
2014-09-14 17:06:23 -------- d-----w- c:\programdata\Malwarebytes
2014-09-14 17:06:14 -------- d-----w- c:\programdata\Malwarebytes' Anti-Malware (portable)
2014-09-14 17:06:13 110296 ----a-w- c:\windows\system32\drivers\MBAMSwissArmy.sys
2014-09-14 17:03:56 74456 ----a-w- c:\windows\system32\drivers\mbamchameleon.sys
2014-09-14 15:31:52 -------- d-----w- c:\windows\ERUNT
2014-09-14 15:06:42 536576 ----a-w- c:\windows\system32\sqlite3.dll
2014-09-14 15:05:59 -------- d-----w- C:\AdwCleaner
2014-09-09 07:06:43 -------- d-----w- c:\users\nom\appdata\roaming\NBSoftSolutions
2014-09-09 07:06:43 -------- d-----w- c:\program files\NBSoftSolutions
.
==================== Find3M  ====================
.
2014-09-22 06:41:56 231568 ------w- c:\windows\system32\MpSigStub.exe
2014-08-23 01:03:46 297984 ----a-w- c:\windows\system32\gdi32.dll
2014-08-22 23:26:28 2054656 ----a-w- c:\windows\system32\win32k.sys
2014-08-15 14:42:27 1810432 ----a-w- c:\windows\system32\jscript9.dll
2014-08-15 14:37:03 1129472 ----a-w- c:\windows\system32\wininet.dll
2014-08-15 14:36:30 1427968 ----a-w- c:\windows\system32\inetcpl.cpl
2014-08-15 14:35:47 421376 ----a-w- c:\windows\system32\vbscript.dll
2014-08-15 14:35:34 142848 ----a-w- c:\windows\system32\ieUnatt.exe
2014-08-15 14:34:49 11776 ----a-w- c:\windows\system32\mshta.exe
2014-08-15 14:34:47 2382848 ----a-w- c:\windows\system32\mshtml.tlb
2014-07-25 01:35:46 875688 ----a-w- c:\windows\system32\msvcr120_clr0400.dll
2014-07-17 17:05:08 95920 ----a-w- c:\windows\system32\drivers\NisDrvWFP.sys
2014-07-17 17:05:08 231800 ----a-w- c:\windows\system32\drivers\MpFilter.sys
2014-07-08 00:46:44 2048 ----a-w- c:\windows\system32\tzres.dll
.
============= FINISH: 19:48:59.67 ===============

Hope that helps.

Edited by djnorman, 30 September 2014 - 12:38 AM.
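The two lines in the DDS report above that a helper would look at first are the `uRun: [Asrnworks] regsvr32.exe ...dotfuscator.dll` entry (a signed Windows loader pulling a DLL out of `AppData`) and `mPolicies-System: EnableLUA = dword:0` (UAC switched off). As an added example, not part of the thread or of the DDS tool, here is a small Python audit that reads lines in the DDS "Pseudo HJT Report" format and flags exactly those two patterns; the sample lines are constructed from the report above, and the heuristics (which loaders and which directories count) are choices made for this example.

```python
import re
from dataclasses import dataclass

# Constructed sample lines in the format of the DDS "Pseudo HJT Report" posted
# above: the two entries worth attention plus benign neighbours for contrast.
SAMPLE_DDS_LINES = r"""
uStart Page = hxxp://www.google.co.uk/
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [Google Update] "c:\users\nom\appdata\local\google\update\GoogleUpdate.exe" /c
uRun: [Asrnworks] regsvr32.exe c:\users\nom\appdata\local\asrnworks\dotfuscator.dll
mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
mPolicies-Explorer: BindDirectlyToPropertySetStorage = dword:0
mPolicies-System: EnableLUA = dword:0
mPolicies-System: EnableUIADesktopToggle = dword:0
""".strip().splitlines()

# DDS prefixes: u = current-user hive (HKCU), m = machine hive (HKLM).
RUN_RE = re.compile(r"^(?P<hive>[um])Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
POLICY_RE = re.compile(r"^(?P<hive>[um])Policies-(?P<key>\w+): (?P<value>\w+) = (?P<data>\S+)$")

# Signed Windows binaries that load whatever DLL they are handed on the command line.
DLL_LOADERS = ("regsvr32.exe", "rundll32.exe")
# Directories an unprivileged user can write to; a loader pulling a DLL from one of
# these is the pattern flagged (heuristic chosen for this example, not a DDS rule).
USER_WRITABLE = ("\\appdata\\", "\\programdata\\", "\\temp\\", "\\users\\public\\")


@dataclass(frozen=True)
class Finding:
    rule: str
    scope: str   # "user" (HKCU) or "machine" (HKLM)
    line: str


def _uses_dll_loader(cmd: str) -> bool:
    """True when the first token of the command is regsvr32.exe or rundll32.exe."""
    head = cmd.split()[0].strip('"').lower()
    return head.rsplit("\\", 1)[-1] in DLL_LOADERS


def audit_dds_lines(lines):
    """Return findings for autorun entries that use a DLL loader against a
    user-writable path, and for a policy line that disables UAC (EnableLUA = 0)."""
    findings = []
    for raw in lines:
        line = raw.strip()
        m = RUN_RE.match(line)
        if m:
            scope = "user" if m.group("hive") == "u" else "machine"
            cmd = m.group("cmd").lower()
            if _uses_dll_loader(cmd) and any(d in cmd for d in USER_WRITABLE):
                findings.append(Finding("dll-loader-from-user-writable-path", scope, line))
            continue
        m = POLICY_RE.match(line)
        if (m and m.group("key") == "System" and m.group("value") == "EnableLUA"
                and m.group("data").lower() == "dword:0"):
            scope = "user" if m.group("hive") == "u" else "machine"
            findings.append(Finding("uac-disabled", scope, line))
    return findings


if __name__ == "__main__":
    for f in audit_dds_lines(SAMPLE_DDS_LINES):
        print(f"[{f.rule}] ({f.scope}) {f.line}")
```

The loader check deliberately keys on the first token of the command rather than on the DLL name: the same `dotfuscator.dll` could be renamed tomorrow, but `regsvr32.exe <DLL under AppData>` in a Run key is the durable shape. Legitimate per-user updaters such as Google Update also live under `AppData\Local` and are not flagged, because they run as their own executable rather than through a loader.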


#2 nasdaq

  • Malware Response Team
  • 38,779 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 03 October 2014 - 09:10 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can, please print this topic; it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

Download Malwarebytes' Anti-Malware from Here

Double-click mbam-setup-2.X.X.XXXX.exe to install the application (X's are the current version number).
  • Make sure a checkmark is placed next to Launch Malwarebytes' Anti-Malware, then click Finish.
  • Once MBAM opens, when it says Your databases are out of date, click the Fix Now button.
  • Click the Settings tab at the top, and then in the left column, select Detections and Protections, and if not already checked place a checkmark in the selection box for Scan for rootkits.
  • Click the Scan tab at the top of the program window, select Threat Scan and click the Scan Now button.
  • If you receive a message that updates are available, click the Update Now button (the update will be downloaded, installed, and the scan will start).
  • The scan may take some time to finish, so please be patient.
  • If potential threats are detected, ensure that Quarantine is selected as the Action for all the listed items, and click the Apply Actions button.
  • While still on the Scan tab, click the link for View detailed log, and in the window that opens click the Export button, select Text file (*.txt), and save the log to your Desktop.
  • The log is automatically saved by MBAM and can also be viewed by clicking the History tab and then selecting Application Logs.
POST THE LOG FOR MY REVIEW.

Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately.

===

Please download AdwCleaner by Xplode onto your Desktop.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click the Scan button and wait for the process to complete.
  • Click the Report button and the report will open in Notepad.
IMPORTANT
  • If you click the Clean button all items listed in the report will be removed.
If you find some false positive items or programs that you wish to keep, close the AdwCleaner windows.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click the Scan button and wait for the process to complete.
  • Check off the element(s) you wish to keep.
  • Click on the Clean button and follow the prompts.
  • A log file will automatically open after the scan has finished.
  • Please post the content of that log file with your next answer.
  • You can find the log file at C:\AdwCleaner[Sn].txt (n is a number).
===

Download the version of this tool for your operating system.
Farbar Recovery Scan Tool (64 bit)
Farbar Recovery Scan Tool (32 bit)
and save it to a folder on your computer's Desktop.
Double-click to run it. When the tool opens, click Yes to the disclaimer.
Press Scan button.
It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply.
===

Please paste the logs in your next reply. DO NOT ATTACH THEM unless specified.
To attach a file select the "More Reply Option" and follow the instructions.

How is the computer running?
Wait for further instructions.

#3 djnorman

  • Topic Starter
  • Members
  • 32 posts

Posted 03 October 2014 - 01:04 PM

Hi nasdaq, and thanks for your help.

I've run MBAM and the log is below. I'll move on to the next step now.

Malwarebytes Anti-Malware
www.malwarebytes.org
 
Scan Date: 03/10/2014
Scan Time: 18:49:41
Logfile: mbam1.txt
Administrator: Yes
 
Version: 2.00.2.1012
Malware Database: v2014.10.03.05
Rootkit Database: v2014.09.19.01
License: Free
Malware Protection: Disabled
Malicious Website Protection: Disabled
Self-protection: Disabled
 
OS: Windows Vista Service Pack 2
CPU: x86
File System: NTFS
User: Nom
 
Scan Type: Threat Scan
Result: Completed
Objects Scanned: 274567
Time Elapsed: 8 min, 16 sec
 
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled
 
Processes: 0
(No malicious items detected)
 
Modules: 0
(No malicious items detected)
 
Registry Keys: 0
(No malicious items detected)
 
Registry Values: 0
(No malicious items detected)
 
Registry Data: 0
(No malicious items detected)
 
Folders: 0
(No malicious items detected)
 
Files: 3
Hijack.Host, C:\Windows\System32\drivers\etc\hosts, Good: (), Bad: (5.45.77.82 www.google-analytics.com.), Removal Failed,[f293e30c0477fa3cfe8a40049b6a7987]
Hijack.Host, C:\Windows\System32\drivers\etc\hosts, Good: (), Bad: (5.45.77.82 google-analytics.com.), Removal Failed,[d3b2c22d5427dc5a8503a3a10bfaac54]
Hijack.Host, C:\Windows\System32\drivers\etc\hosts, Good: (), Bad: (5.45.77.82 connect.facebook.net.), Removal Failed,[5d2809e6bbc06dc98206d56f4db8926e]
 
Physical Sectors: 0
(No malicious items detected)
 
 
(end)
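The DDS report in the first post and the MBAM result above describe the same finding: `C:\Windows\System32\drivers\etc\hosts` maps `google-analytics.com`, `www.google-analytics.com` and `connect.facebook.net` to public addresses (5.45.77.82 and 193.107.16.138), so every page that loads those scripts fetches them from a server the attacker controls, and MBAM could not remove the entries. As an added example, not code from the thread or from either tool, here is a Python audit that parses hosts-file syntax (and the DDS `Hosts:` lines), distinguishes harmless block entries pointing at loopback or 0.0.0.0 from entries that redirect a name elsewhere, and groups the redirects by target address so the "many well-known names to one public IP" pattern stands out. The sample hosts text is constructed from the entries reported above plus benign lines for contrast.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample in Windows hosts-file syntax: the entries DDS reported above
# plus the normal loopback lines, an ad-block style sinkhole and a LAN host.
SAMPLE_HOSTS = r"""
# Copyright (c) 1993-2006 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
0.0.0.0         ads.example.invalid      # block-style entry, traffic goes nowhere
192.168.1.10    fileserver.lan
5.45.77.82      www.google-analytics.com.
5.45.77.82      google-analytics.com.
5.45.77.82      connect.facebook.net.
193.107.16.138  www.google-analytics.com.
"""

REDIRECT_PUBLIC = "redirected to public address"
MAPPED_PRIVATE = "mapped to private address"
BAD_ADDRESS = "unparseable address"


@dataclass(frozen=True)
class HostsFinding:
    address: str
    hostname: str
    reason: str


def parse_hosts(text):
    """Yield (address, hostname) pairs from hosts-file text. Comments are dropped,
    a line may carry several names, and DDS-style 'Hosts: ' prefixes are accepted.
    Trailing dots (fully qualified form, as in the DDS output) are normalised away."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.startswith("Hosts:"):
            line = line[len("Hosts:"):].strip()
        parts = line.split()
        if len(parts) < 2:
            continue
        for name in parts[1:]:
            yield parts[0], name.rstrip(".").lower()


def audit_hosts(text):
    """Return a finding for every entry that sends a name anywhere other than
    loopback or the unspecified address; those two are the benign block idiom."""
    findings = []
    for addr, name in parse_hosts(text):
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            findings.append(HostsFinding(addr, name, BAD_ADDRESS))
            continue
        if ip.is_loopback or ip.is_unspecified:
            continue
        if ip.is_private or ip.is_link_local:
            findings.append(HostsFinding(addr, name, MAPPED_PRIVATE))
        else:
            findings.append(HostsFinding(addr, name, REDIRECT_PUBLIC))
    return findings


def redirect_targets(findings):
    """Group public redirects by target address: one IP collecting several
    well-known domains is the hijack shape seen in the logs above."""
    grouped = {}
    for f in findings:
        if f.reason == REDIRECT_PUBLIC:
            grouped.setdefault(f.address, set()).add(f.hostname)
    return {addr: sorted(names) for addr, names in grouped.items()}


if __name__ == "__main__":
    import sys
    # With a path argument the real file is read (on Windows that is
    # C:\Windows\System32\drivers\etc\hosts); otherwise the constructed sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    else:
        text = SAMPLE_HOSTS
    found = audit_hosts(text)
    for f in found:
        print(f"{f.reason}: {f.hostname} -> {f.address}")
    for addr, names in redirect_targets(found).items():
        print(f"{addr} collects {len(names)} name(s): {', '.join(names)}")
```

Private-address mappings are reported separately rather than ignored because they are usually intentional (a LAN file server, a test host) but deserve a glance. When a cleaner reports "Removal Failed" on these entries, as MBAM did above, re-running the audit after the next cleaning step is the simplest way to confirm whether the file was actually rewritten or is being locked or restored by something still running.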


#4 djnorman

  • Topic Starter
  • Members
  • 32 posts

Posted 03 October 2014 - 01:13 PM

Hi again.

I've just run adw and here is the log. Onwards....

# AdwCleaner v3.311 - Report created 03/10/2014 at 19:10:25
# Updated 30/09/2014 by Xplode
# Operating System : Windows Vista ™ Business Service Pack 2 (32 bits)
# Username : Nom - NOM-PC
# Running from : C:\Users\Nom\Desktop\adwcleaner_3.311.exe
# Option : Clean
 
***** [ Services ] *****
 
 
***** [ Files / Folders ] *****
 
 
***** [ Scheduled Tasks ] *****
 
 
***** [ Shortcuts ] *****
 
 
***** [ Registry ] *****
 
 
***** [ Browsers ] *****
 
-\\ Internet Explorer v9.0.8112.16575
 
 
-\\ Mozilla Firefox v
 
[ File : C:\Users\Nom\AppData\Roaming\Mozilla\Firefox\Profiles\0\prefs.js ]
 
 
-\\ Google Chrome v
 
[ File : C:\Users\Nom\AppData\Local\Google\Chrome\User Data\Default\preferences ]
 
Deleted [Search Provider] : hxxp://uk.ask.com/web?q={searchTerms}
 
*************************
 
AdwCleaner[R0].txt - [1876 octets] - [14/09/2014 16:06:07]
AdwCleaner[R1].txt - [1078 octets] - [03/10/2014 19:05:53]
AdwCleaner[S0].txt - [2032 octets] - [14/09/2014 16:10:34]
AdwCleaner[S1].txt - [1003 octets] - [03/10/2014 19:10:25]
 
########## EOF - C:\AdwCleaner\AdwCleaner[S1].txt - [1063 octets] ##########


#5 djnorman

  • Topic Starter
  • Members
  • 32 posts

Posted 03 October 2014 - 01:24 PM

Farbar done. Here is the FRST log.

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 02-10-2014
Ran by Nom (administrator) on NOM-PC on 03-10-2014 19:16:19
Running from C:\Users\Nom\Desktop\farbar
Loaded Profile: Nom (Available profiles: Nom)
Platform: Microsoft® Windows Vista™ Business  Service Pack 2 (X86) OS Language: English (United States)
Internet Explorer Version 9
Boot Mode: Normal
 
==================== Processes (Whitelisted) =================
 
(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)
 
(Microsoft Corporation) C:\Program Files\Microsoft Security Client\MsMpEng.exe
(AMD) C:\Windows\System32\atiesrxx.exe
(Microsoft Corporation) C:\Windows\System32\SLsvc.exe
(AMD) C:\Windows\System32\atieclxx.exe
(Intel Corporation) C:\Program Files\Intel\ASF Agent\ASFAgent.exe
(Intel Corporation) C:\Program Files\Intel\AMT\atchksrv.exe
(Intel) C:\Program Files\Intel\AMT\LMS.exe
(Intel) C:\Program Files\Intel\AMT\UNS.exe
(Intel Corporation) C:\Program Files\Intel\AMT\atchk.exe
() C:\Windows\VMSnap23.exe
(Vimicro) C:\Windows\Domino.exe
(Microsoft Corporation) C:\Program Files\Microsoft Security Client\msseces.exe
(Analog Devices, Inc.) C:\Program Files\Analog Devices\Core\smax4pnp.exe
() C:\Program Files\Common Files\Common Desktop Agent\CDASrv.exe
(Microsoft Corporation) C:\Program Files\Windows Sidebar\sidebar.exe
(Microsoft Corporation) C:\Program Files\Windows Media Player\wmpnscfg.exe
(Advanced Micro Devices Inc.) C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
(Microsoft Corporation) C:\Windows\System32\wbem\unsecapp.exe
(ATI Technologies Inc.) C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
(Microsoft Corporation) C:\Windows\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe
(Microsoft Corporation) C:\Windows\System32\wuauclt.exe
(Microsoft Corporation) C:\Windows\System32\wbem\WMIADAP.exe
 
 
==================== Registry (Whitelisted) ==================
 
(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)
 
HKLM\...\Run: [Windows Defender] => C:\Program Files\Windows Defender\MSASCui.exe [1008184 2008-01-18] (Microsoft Corporation)
HKLM\...\Run: [atchk] => C:\Program Files\Intel\AMT\atchk.exe [401408 2009-12-01] (Intel Corporation)
HKLM\...\Run: [StartCCC] => C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe [336384 2011-05-24] (Advanced Micro Devices, Inc.)
HKLM\...\Run: [BigDogPath323VMSnap] => C:\Windows\VMSnap23.exe [90112 2006-07-20] ()
HKLM\...\Run: [BigDogPath323Domino] => C:\Windows\Domino.exe [49152 2006-06-28] (Vimicro)
HKLM\...\Run: [MSC] => c:\Program Files\Microsoft Security Client\msseces.exe [974432 2014-08-22] (Microsoft Corporation)
HKLM\...\Run: [SoundMAXPnP] => C:\Program Files\Analog Devices\Core\smax4pnp.exe [1282048 2007-08-01] (Analog Devices, Inc.)
HKLM\...\Run: [CDAServer] => C:\Program Files\Common Files\Common Desktop Agent\CDASrv.exe [350072 2012-03-09] ()
HKU\S-1-5-19\...\Run: [WindowsWelcomeCenter] => rundll32.exe oobefldr.dll,ShowWelcomeCenter
HKU\S-1-5-20\...\Run: [WindowsWelcomeCenter] => rundll32.exe oobefldr.dll,ShowWelcomeCenter
HKU\S-1-5-21-3149735488-590609249-3770766249-1000\...\Run: [Google Update] => C:\Users\Nom\AppData\Local\Google\Update\GoogleUpdate.exe [136176 2011-07-13] (Google Inc.)
HKU\S-1-5-21-3149735488-590609249-3770766249-1000\...\Run: [WMPNSCFG] => C:\Program Files\Windows Media Player\WMPNSCFG.exe [202240 2008-01-18] (Microsoft Corporation)
HKU\S-1-5-21-3149735488-590609249-3770766249-1000\...\Run: [Asrnworks] => regsvr32.exe C:\Users\Nom\AppData\Local\Asrnworks\dotfuscator.dll <===== ATTENTION
HKU\S-1-5-21-3149735488-590609249-3770766249-1000\...\MountPoints2: {7e154bfc-aa6c-11e1-96ad-001e4fde6803} - E:\Autorun.exe
HKU\S-1-5-21-3149735488-590609249-3770766249-1000\...\MountPoints2: {7e154c07-aa6c-11e1-96ad-001e4fde6803} - F:\Autorun.exe
HKU\S-1-5-21-3149735488-590609249-3770766249-1000\...\MountPoints2: {a746a4f1-bdaa-11e1-89b7-001e4fde6803} - G:\StormF1.exe
ShellIconOverlayIdentifiers: [1CryptoProviderIcons] -> {24808826-C2BF-4269-B3BA-89D1D5F431A4} => C:\ProgramData\Microsoft\Crypto\RSA64\CryptoProvider.dll No File
 
==================== Internet (Whitelisted) ====================
 
(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)
 
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
SearchScopes: HKCU - {1916E83C-C6DC-4EC4-B2E2-D0E91CE99708} URL = http://www.google.co.uk/search?hl=en&q={searchTerms}&meta=
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies)
Hosts: There are more than one entry in Hosts. See Hosts section of Addition.txt
Tcpip\Parameters: [DhcpNameServer] 192.168.1.254
Tcpip\..\Interfaces\{57793B72-EA22-4019-A4FC-C1DC4DB88452}: [NameServer] 8.8.8.8,8.8.8.8
Tcpip\..\Interfaces\{73E23302-A2D3-4896-BF0A-0F72A15C9B88}: [NameServer] 8.8.8.8,8.8.8.8
Tcpip\..\Interfaces\{8BD4C663-7FD8-4D02-BD64-54FFEF0BA73A}: [NameServer] 8.8.8.8,8.8.8.8
Tcpip\..\Interfaces\{A37AEC29-83A1-4332-ACAF-F0E0C6CB7BEF}: [NameServer] 8.8.8.8,8.8.8.8
Tcpip\..\Interfaces\{DD1CC496-817E-4A82-8D9C-FDE3FBA2D4A4}: [NameServer] 8.8.8.8,8.8.8.8
Tcpip\..\Interfaces\{EC2BE945-E862-4002-A3E4-CD69F7B0D41B}: [NameServer] 8.8.8.8,8.8.8.8
Tcpip\..\Interfaces\{F9DE97B7-FC48-4ABE-A1BC-69941AB4FB4B}: [NameServer] 8.8.8.8,8.8.8.8
 
FireFox:
========
FF Plugin: @foxitsoftware.com/Foxit Reader Plugin,version=1.0,application/pdf -> C:\Program Files\Foxit Software\Foxit Reader\plugins\npFoxitReaderPlugin.dll (Foxit Corporation)
FF Plugin: @microsoft.com/WPF,version=3.5 -> c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF Plugin: @tools.google.com/Google Update;version=3 -> C:\Program Files\Google\Update\1.3.24.15\npGoogleUpdate3.dll (Google Inc.)
FF Plugin: @tools.google.com/Google Update;version=9 -> C:\Program Files\Google\Update\1.3.24.15\npGoogleUpdate3.dll (Google Inc.)
FF Plugin HKCU: @tools.google.com/Google Update;version=3 -> C:\Users\Nom\AppData\Local\Google\Update\1.3.24.15\npGoogleUpdate3.dll (Google Inc.)
FF Plugin HKCU: @tools.google.com/Google Update;version=9 -> C:\Users\Nom\AppData\Local\Google\Update\1.3.24.15\npGoogleUpdate3.dll (Google Inc.)
FF HKLM\...\Firefox\Extensions: [{20a82645-c095-46ed-80e3-08825760534b}] - c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF Extension: Microsoft .NET Framework Assistant - c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension [2011-07-13]
 
Chrome: 
=======
CHR Plugin: (Remoting Viewer) - internal-remoting-viewer
CHR Plugin: (Native Client) - C:\Users\Nom\AppData\Local\Google\Chrome\Application\37.0.2062.124\ppGoogleNaClPluginChrome.dll ()
CHR Plugin: (Chrome PDF Viewer) - C:\Users\Nom\AppData\Local\Google\Chrome\Application\37.0.2062.124\pdf.dll ()
CHR Plugin: (Shockwave Flash) - C:\Users\Nom\AppData\Local\Google\Chrome\Application\37.0.2062.124\gcswf32.dll No File
CHR Plugin: (Shockwave Flash) - C:\Users\Nom\AppData\Local\Google\Chrome\User Data\PepperFlash\11.1.31.203\pepflashplayer.dll No File
CHR Plugin: (Foxit Reader Plugin for Mozilla) - C:\Program Files\Foxit Software\Foxit Reader\plugins\npFoxitReaderPlugin.dll (Foxit Corporation)
CHR Plugin: (Google Update) - C:\Program Files\Google\Update\1.3.21.111\npGoogleUpdate3.dll No File
CHR Plugin: (Windows Presentation Foundation) - c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
CHR CustomProfile: C:\Users\Nom\AppData\Local\Google\Chrome\User Data\Default
CHR Extension: (Folder View Host) - C:\Users\Nom\AppData\Local\Google\Chrome\User Data\Default\Extensions\ajpgkpeckebdhofmmjfgcjjiiejpodla [2014-08-25]
CHR Extension: (Google Voice Search Hotword (Beta)) - C:\Users\Nom\AppData\Local\Google\Chrome\User Data\Default\Extensions\bepbmhgboaologfdajaanbcjmnhjmhfn [2014-08-28]
CHR Extension: (YouTube) - C:\Users\Nom\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2011-12-20]
CHR Extension: (Google Search) - C:\Users\Nom\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf [2011-12-20]
CHR Extension: (Google Wallet) - C:\Users\Nom\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2013-09-01]
CHR Extension: (Gmail) - C:\Users\Nom\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2011-12-20]
CHR StartMenuInternet: Google Chrome - C:\Users\Nom\AppData\Local\Google\Chrome\Application\chrome.exe
 
========================== Services (Whitelisted) =================
 
(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)
 
R2 ASFAgent; C:\Program Files\Intel\ASF Agent\ASFAgent.exe [133968 2007-01-23] (Intel Corporation)
R2 atchksrv; C:\Program Files\Intel\AMT\atchksrv.exe [176128 2009-12-01] (Intel Corporation) [File not signed]
R2 LMS; C:\Program Files\Intel\AMT\LMS.exe [102400 2009-12-01] (Intel) [File not signed]
R2 MsMpSvc; c:\Program Files\Microsoft Security Client\MsMpEng.exe [22192 2014-08-22] (Microsoft Corporation)
S3 NisSrv; c:\Program Files\Microsoft Security Client\NisSrv.exe [288120 2014-08-22] (Microsoft Corporation)
R2 UNS; C:\Program Files\Intel\AMT\UNS.exe [2519040 2009-12-01] (Intel) [File not signed]
 
==================== Drivers (Whitelisted) ====================
 
(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)
 
R3 AtiHDAudioService; C:\Windows\System32\drivers\AtihdLH3.sys [97808 2011-03-30] (Advanced Micro Devices)
S3 MBAMSwissArmy; C:\Windows\system32\drivers\MBAMSwissArmy.sys [110296 2014-10-03] (Malwarebytes Corporation)
R0 MpFilter; C:\Windows\System32\DRIVERS\MpFilter.sys [231800 2014-07-17] (Microsoft Corporation)
S3 netr28u; C:\Windows\System32\DRIVERS\netr28u.sys [1093472 2010-12-28] (Ralink Technology Corp.)
R3 RtlWlanu; C:\Windows\System32\DRIVERS\rtwlanu.sys [1310864 2013-03-06] (Realtek Semiconductor Corporation                           )
R2 SSPORT; C:\Windows\system32\Drivers\SSPORT.sys [5120 2013-04-10] (Samsung Electronics) [File not signed]
R3 vmfilter323; C:\Windows\System32\drivers\vmfilter323.sys [476672 2006-08-08] (Vimicro Corporation) [File not signed]
R3 ZSMC326; C:\Windows\System32\Drivers\usbvm323.sys [244864 2006-08-21] (Vimicro Corporation) [File not signed]
S3 athur; system32\DRIVERS\athur.sys [X]
S4 blbdrive; \SystemRoot\system32\drivers\blbdrive.sys [X]
S3 IpInIp; system32\DRIVERS\ipinip.sys [X]
S3 NwlnkFlt; system32\DRIVERS\nwlnkflt.sys [X]
S3 NwlnkFwd; system32\DRIVERS\nwlnkfwd.sys [X]
S3 RTL8187; system32\DRIVERS\wg111v2.sys [X]
 
==================== NetSvcs (Whitelisted) ===================
 
 
(If an item is included in the fixlist, it will be removed from the registry. Any associated file could be listed separately to be moved.)
 
 
==================== One Month Created Files and Folders ========
 
(If an entry is included in the fixlist, the file\folder will be moved.)
 
2014-10-03 19:16 - 2014-10-03 19:16 - 00000000 ____D () C:\FRST
2014-10-03 19:14 - 2014-10-03 19:16 - 00000000 ____D () C:\Users\Nom\Desktop\farbar
2014-10-03 19:05 - 2014-10-03 19:05 - 01375089 _____ () C:\Users\Nom\Desktop\adwcleaner_3.311.exe
2014-10-03 19:00 - 2014-10-03 19:00 - 00001492 _____ () C:\Users\Nom\Desktop\mbam1.txt
2014-10-03 18:48 - 2014-10-03 18:48 - 00110296 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
2014-10-03 18:47 - 2014-10-03 18:47 - 00000899 _____ () C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2014-10-03 18:47 - 2014-10-03 18:47 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes Anti-Malware
2014-10-03 18:47 - 2014-10-03 18:47 - 00000000 ____D () C:\Program Files\Malwarebytes Anti-Malware
2014-10-03 18:47 - 2014-05-12 07:26 - 00051928 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mwac.sys
2014-10-03 18:47 - 2014-05-12 07:25 - 00074456 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbamchameleon.sys
2014-10-03 18:47 - 2014-05-12 07:25 - 00023256 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbam.sys
2014-10-03 18:43 - 2014-10-03 18:44 - 17292760 _____ (Malwarebytes Corporation ) C:\Users\Nom\Desktop\mbam-setup-2.0.2.1012.exe
2014-09-29 20:22 - 2014-09-29 20:22 - 00000218 _____ () C:\Users\Nom\AppData\Local\recently-used.xbel
2014-09-29 19:50 - 2014-09-29 19:50 - 00005166 _____ () C:\Users\Nom\Desktop\attach.txt
2014-09-29 19:50 - 2014-09-29 19:48 - 00010294 _____ () C:\Users\Nom\Desktop\dds.txt
2014-09-29 19:45 - 2014-09-29 19:45 - 00688992 ____R (Swearware) C:\Users\Nom\Desktop\dds.com
2014-09-29 01:40 - 2014-09-29 01:40 - 00001711 _____ () C:\Users\Nom\Desktop\onlinescan2.txt
2014-09-28 21:54 - 2014-09-28 21:54 - 00000000 ____D () C:\Program Files\ESET
2014-09-14 22:55 - 2014-09-14 22:55 - 00000718 _____ () C:\Users\Nom\Desktop\first eset scan.txt
2014-09-14 21:56 - 2014-09-14 21:56 - 00001386 _____ () C:\Users\Nom\Desktop\step 3.txt
2014-09-14 21:43 - 2014-09-14 21:43 - 02347384 _____ (ESET) C:\Users\Nom\Desktop\esetsmartinstaller_enu.exe
2014-09-14 21:18 - 2014-09-14 21:18 - 00001867 _____ () C:\Users\Nom\Desktop\mbam.txt
2014-09-14 18:06 - 2014-09-14 20:18 - 00000000 ____D () C:\ProgramData\Malwarebytes
2014-09-14 18:06 - 2014-09-14 20:05 - 00000000 ____D () C:\ProgramData\Malwarebytes' Anti-Malware (portable)
2014-09-14 18:03 - 2014-09-29 19:44 - 00000000 ____D () C:\Users\Nom\Downloads\Anti virus stuff
2014-09-14 18:01 - 2014-09-14 18:02 - 14349744 _____ (Malwarebytes Corp.) C:\Users\Nom\Desktop\mbar-1.07.0.1012.exe
2014-09-14 16:43 - 2014-09-14 16:43 - 00002667 _____ () C:\Users\Nom\Desktop\flushresults.txt
2014-09-14 16:35 - 2014-09-14 16:35 - 00001180 _____ () C:\Users\Nom\Desktop\JRT.txt
2014-09-14 16:31 - 2014-09-14 16:31 - 00000000 ____D () C:\Windows\ERUNT
2014-09-14 16:06 - 2010-08-30 08:34 - 00536576 _____ (SQLite Development Team) C:\Windows\system32\sqlite3.dll
2014-09-14 16:05 - 2014-10-03 19:10 - 00000000 ____D () C:\AdwCleaner
2014-09-14 16:03 - 2014-09-14 16:03 - 01016261 _____ (Thisisu) C:\Users\Nom\Desktop\JRT.exe
2014-09-14 07:22 - 2014-09-14 07:22 - 04181856 _____ (Kaspersky Lab ZAO) C:\Users\Nom\Desktop\tdsskiller.exe
2014-09-13 10:39 - 2014-09-13 10:40 - 00000000 ____D () C:\Users\Nom\Documents\bug screenshots
2014-09-13 10:27 - 2014-09-13 10:27 - 00509440 _____ (Tech Support Guy System) C:\Users\Nom\Desktop\SysInfo.exe
2014-09-12 14:26 - 2014-09-12 14:27 - 00000000 ____D () C:\Users\Nom\Desktop\BMW
2014-09-11 03:19 - 2014-08-15 15:51 - 12363264 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.dll
2014-09-11 03:19 - 2014-08-15 15:42 - 09739776 _____ (Microsoft Corporation) C:\Windows\system32\ieframe.dll
2014-09-11 03:19 - 2014-08-15 15:42 - 01810432 _____ (Microsoft Corporation) C:\Windows\system32\jscript9.dll
2014-09-11 03:19 - 2014-08-15 15:37 - 01137664 _____ (Microsoft Corporation) C:\Windows\system32\urlmon.dll
2014-09-11 03:19 - 2014-08-15 15:37 - 01129472 _____ (Microsoft Corporation) C:\Windows\system32\wininet.dll
2014-09-11 03:19 - 2014-08-15 15:36 - 01427968 _____ (Microsoft Corporation) C:\Windows\system32\inetcpl.cpl
2014-09-11 03:19 - 2014-08-15 15:35 - 01802240 _____ (Microsoft Corporation) C:\Windows\system32\iertutil.dll
2014-09-11 03:19 - 2014-08-15 15:35 - 00717824 _____ (Microsoft Corporation) C:\Windows\system32\jscript.dll
2014-09-11 03:19 - 2014-08-15 15:35 - 00607744 _____ (Microsoft Corporation) C:\Windows\system32\msfeeds.dll
2014-09-11 03:19 - 2014-08-15 15:35 - 00421376 _____ (Microsoft Corporation) C:\Windows\system32\vbscript.dll
2014-09-11 03:19 - 2014-08-15 15:35 - 00353792 _____ (Microsoft Corporation) C:\Windows\system32\dxtmsft.dll
2014-09-11 03:19 - 2014-08-15 15:35 - 00231936 _____ (Microsoft Corporation) C:\Windows\system32\url.dll
2014-09-11 03:19 - 2014-08-15 15:35 - 00223232 _____ (Microsoft Corporation) C:\Windows\system32\dxtrans.dll
2014-09-11 03:19 - 2014-08-15 15:35 - 00142848 _____ (Microsoft Corporation) C:\Windows\system32\ieUnatt.exe
2014-09-11 03:19 - 2014-08-15 15:35 - 00065024 _____ (Microsoft Corporation) C:\Windows\system32\jsproxy.dll
2014-09-11 03:19 - 2014-08-15 15:35 - 00041472 _____ (Microsoft Corporation) C:\Windows\system32\msfeedsbs.dll
2014-09-11 03:19 - 2014-08-15 15:34 - 02382848 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.tlb
2014-09-11 03:19 - 2014-08-15 15:34 - 00176640 _____ (Microsoft Corporation) C:\Windows\system32\ieui.dll
2014-09-11 03:19 - 2014-08-15 15:34 - 00073216 _____ (Microsoft Corporation) C:\Windows\system32\mshtmled.dll
2014-09-11 03:19 - 2014-08-15 15:34 - 00011776 _____ (Microsoft Corporation) C:\Windows\system32\mshta.exe
2014-09-11 03:19 - 2014-08-15 15:34 - 00010752 _____ (Microsoft Corporation) C:\Windows\system32\msfeedssync.exe
2014-09-09 08:08 - 2014-09-09 08:08 - 00000898 _____ () C:\Users\Nom\Desktop\EU3 Stats.exe - Shortcut.lnk
2014-09-09 08:06 - 2014-09-09 08:06 - 00000000 ____D () C:\Users\Nom\AppData\Roaming\NBSoftSolutions
2014-09-09 08:06 - 2014-09-09 08:06 - 00000000 ____D () C:\Users\Nom\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\NBSoftSolutions
2014-09-09 08:06 - 2014-09-09 08:06 - 00000000 ____D () C:\Program Files\NBSoftSolutions
2014-09-09 08:05 - 2014-09-09 08:05 - 01490086 _____ () C:\Users\Nom\Downloads\EU3 Stats Setup(4.02).zip
2014-09-07 22:06 - 2014-09-08 07:18 - 00000000 ____D () C:\Users\Nom\Documents\BCKLWN stuff
 
==================== One Month Modified Files and Folders =======
 
(If an entry is included in the fixlist, the file\folder will be moved.)
 
2014-10-03 19:16 - 2006-11-02 13:52 - 01401056 _____ () C:\Windows\WindowsUpdate.log
2014-10-03 19:11 - 2011-07-15 00:08 - 00000876 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2014-10-03 19:11 - 2006-11-02 14:01 - 00000006 ____H () C:\Windows\Tasks\SA.DAT
2014-10-03 19:11 - 2006-11-02 14:00 - 00063016 _____ () C:\Windows\PFRO.log
2014-10-03 19:11 - 2006-11-02 13:47 - 00004128 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
2014-10-03 19:11 - 2006-11-02 13:47 - 00004128 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
2014-10-03 19:10 - 2006-11-02 14:01 - 00032646 _____ () C:\Windows\Tasks\SCHEDLGU.TXT
2014-10-03 18:57 - 2011-07-15 00:08 - 00000880 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2014-10-03 18:46 - 2011-07-13 23:02 - 00000900 _____ () C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3149735488-590609249-3770766249-1000UA.job
2014-10-03 16:45 - 2006-11-02 11:33 - 00759582 _____ () C:\Windows\system32\PerfStringBackup.INI
2014-10-03 00:20 - 2011-07-16 18:41 - 00000000 ____D () C:\Program Files\Steam
2014-10-02 22:58 - 2013-11-29 17:44 - 00000000 ____D () C:\Users\Nom\Desktop\Jobs
2014-10-02 22:47 - 2011-07-13 23:02 - 00000848 _____ () C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3149735488-590609249-3770766249-1000Core.job
2014-09-29 20:50 - 2011-07-13 20:18 - 00058280 _____ () C:\Users\Nom\AppData\Local\GDIPFONTCACHEV1.DAT
2014-09-29 20:40 - 2006-11-02 12:18 - 00000000 ____D () C:\Windows\Microsoft.NET
2014-09-29 20:34 - 2006-11-02 13:47 - 00268424 _____ () C:\Windows\system32\FNTCACHE.DAT
2014-09-29 20:01 - 2014-08-25 15:05 - 00000000 ____D () C:\ProgramData\Microsoft Help
2014-09-29 19:59 - 2012-04-26 20:08 - 00000000 ____D () C:\Program Files\Microsoft Office
2014-09-29 19:59 - 2011-07-14 09:12 - 00000000 ____D () C:\Program Files\Microsoft.NET
2014-09-29 19:59 - 2006-11-02 12:18 - 00000000 ____D () C:\Program Files\Common Files\microsoft shared
2014-09-29 18:27 - 2012-05-27 08:13 - 00000000 ____D () C:\Users\Nom\Downloads\Torrents
2014-09-28 23:06 - 2011-07-13 23:04 - 00002032 _____ () C:\Users\Nom\Desktop\Google Chrome.lnk
2014-09-28 23:02 - 2014-08-25 14:39 - 00000000 ____D () C:\Users\Nom\AppData\Local\Asrnworks
2014-09-22 07:41 - 2011-07-13 20:59 - 00231568 ____N (Microsoft Corporation) C:\Windows\system32\MpSigStub.exe
2014-09-17 06:10 - 2006-11-02 13:52 - 00018062 _____ () C:\Windows\setupact.log
2014-09-15 00:25 - 2012-06-24 07:06 - 00000000 ____D () C:\Users\Nom\Documents\stuff to keep
2014-09-15 00:02 - 2011-07-14 00:50 - 00010752 _____ () C:\Users\Nom\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
2014-09-15 00:01 - 2013-04-01 09:40 - 00000000 ____D () C:\Users\Nom\Desktop\Kristina CV
2014-09-14 20:52 - 2006-11-02 12:18 - 00000000 __RSD () C:\Windows\Media
2014-09-11 03:17 - 2013-07-14 22:15 - 00000000 ____D () C:\Windows\system32\MRT
2014-09-11 03:09 - 2006-11-02 11:24 - 98758480 _____ (Microsoft Corporation) C:\Windows\system32\mrt.exe
2014-09-11 03:08 - 2012-04-26 23:20 - 00001826 _____ () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Security Essentials.lnk
2014-09-11 03:08 - 2011-07-13 20:53 - 00001945 _____ () C:\Windows\epplauncher.mif
2014-09-11 03:08 - 2011-07-13 20:52 - 00000000 ____D () C:\Program Files\Microsoft Security Client
2014-09-07 08:47 - 2012-04-26 20:00 - 00000000 ____D () C:\Users\Nom\Desktop\Rent
2014-09-06 13:12 - 2014-08-25 16:44 - 00000000 ____D () C:\Users\Nom\Downloads\New Folder
 
Some content of TEMP:
====================
C:\Users\Nom\AppData\Local\Temp\htmlayout.dll
C:\Users\Nom\AppData\Local\Temp\Quarantine.exe
C:\Users\Nom\AppData\Local\Temp\uninst1.exe
C:\Users\Nom\AppData\Local\Temp\_is7A6D.exe
C:\Users\Nom\AppData\Local\Temp\_isAED4.exe
 
 
==================== Bamital & volsnap Check =================
 
(There is no automatic fix for files that do not pass verification.)
 
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\system32\winlogon.exe => File is digitally signed
C:\Windows\system32\wininit.exe => File is digitally signed
C:\Windows\system32\svchost.exe => File is digitally signed
C:\Windows\system32\services.exe => File is digitally signed
C:\Windows\system32\User32.dll => File is digitally signed
C:\Windows\system32\userinit.exe => File is digitally signed
C:\Windows\system32\rpcss.dll => File is digitally signed
C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed
 
 
LastRegBack: 2014-10-03 19:17
 
==================== End Of Log ============================


#6 djnorman

djnorman
  • Topic Starter

  • Members
  • 32 posts
  • OFFLINE
  •  
  • Local time:01:26 AM

Posted 03 October 2014 - 01:30 PM

Oh yeah, the computer seems to be running ok, but I am still being re-directed occasionally in my browser.

I await further instructions.



#7 nasdaq

nasdaq

  • Malware Response Team
  • 38,779 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:08:26 PM

Posted 04 October 2014 - 07:40 AM


Open Notepad (Start => All Programs => Accessories => Notepad). Please copy the entire contents of the code box below.

start
HKU\S-1-5-21-3149735488-590609249-3770766249-1000\...\Run: [Asrnworks] => regsvr32.exe C:\Users\Nom\AppData\Local\Asrnworks\dotfuscator.dll <===== ATTENTION
ShellIconOverlayIdentifiers: [1CryptoProviderIcons] -> {24808826-C2BF-4269-B3BA-89D1D5F431A4} => C:\ProgramData\Microsoft\Crypto\RSA64\CryptoProvider.dll No File
CHR Plugin: (Shockwave Flash) - C:\Users\Nom\AppData\Local\Google\Chrome\Application\37.0.2062.124\gcswf32.dll No File
CHR Plugin: (Shockwave Flash) - C:\Users\Nom\AppData\Local\Google\Chrome\User Data\PepperFlash\11.1.31.203\pepflashplayer.dll No File
CHR Plugin: (Google Update) - C:\Program Files\Google\Update\1.3.21.111\npGoogleUpdate3.dll No File
S3 athur; system32\DRIVERS\athur.sys [X]
S4 blbdrive; \SystemRoot\system32\drivers\blbdrive.sys [X]
S3 IpInIp; system32\DRIVERS\ipinip.sys [X]
S3 NwlnkFlt; system32\DRIVERS\nwlnkflt.sys [X]
S3 NwlnkFwd; system32\DRIVERS\nwlnkfwd.sys [X]
S3 RTL8187; system32\DRIVERS\wg111v2.sys [X]
C:\Users\Nom\AppData\Local\Temp\htmlayout.dll
C:\Users\Nom\AppData\Local\Temp\uninst1.exe
C:\Users\Nom\AppData\Local\Temp\_is7A6D.exe
C:\Users\Nom\AppData\Local\Temp\_isAED4.exe
C:\Users\Nom\AppData\Local\Asrnworks
End
Save the file as fixlist.txt into the same folder as FRST.

Run FRST and click Fix only once and wait.

Restart the computer normally to reset the registry.

The tool will create a log (Fixlog.txt) please post it to your reply.
===

Download Security Check by screen317 from here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.
p.s.
If the SecurityCheck program fails to run for any reason, run it as an Administrator.

If the site is busy or not available use this mirror site:
http://www.bleepingcomputer.com/download/securitycheck/

How is the computer running now?
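The fixlist above removes a Run-key entry in which regsvr32.exe loads a DLL from the user's AppData folder. The script below is an added example, not part of the thread and not FRST's own code: it triages lines in the format FRST prints for Run keys and flags entries where a known loader binary (regsvr32.exe, rundll32.exe, mshta.exe, wscript.exe, cscript.exe) pulls a module from a user-writable directory, or where the autostarted executable itself lives in one. The sample lines are constructed for the example; the first mirrors the Asrnworks entry from the fixlist, the other two are made up in the same format. The loader list and the set of user-writable prefixes are assumptions a practitioner would tune.

```python
"""Triage FRST-style 'Run:' autorun lines for suspicious loaders.

Added example, not part of the original thread or of FRST itself.
"""
import re
from dataclasses import dataclass

# Assumption: legitimate Windows binaries that are commonly abused to load
# an attacker-supplied module (a proxy-execution / LOLBin pattern).
LOADERS = {"regsvr32.exe", "rundll32.exe", "mshta.exe", "wscript.exe", "cscript.exe"}

# Assumption: directory prefixes a standard user can write to (lower-cased).
USER_WRITABLE = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")

# First token of the command is the executable (paths may contain spaces).
EXE_RE = re.compile(r'^"?(?P<exe>.+?\.exe)"?\s*(?P<args>.*)$', re.IGNORECASE)
# A module path in the arguments: drive letter, path, known loadable extension.
MODULE_RE = re.compile(r'(?P<path>[a-z]:\\[^\s\[\]"]+?\.(?:dll|ocx|sct|js|vbs|hta))',
                       re.IGNORECASE)

# Constructed sample input in FRST's Run-key format.
SAMPLE_FRST_LINES = [
    # Mirrors the entry the fixlist above targets.
    r"HKU\S-1-5-21-3149735488-590609249-3770766249-1000\...\Run: [Asrnworks] => regsvr32.exe C:\Users\Nom\AppData\Local\Asrnworks\dotfuscator.dll <===== ATTENTION",
    # Constructed benign entry: a vendor executable under Program Files.
    r"HKLM\...\Run: [MSC] => c:\program files\Microsoft Security Client\msseces.exe [974432 2014-08-22] (Microsoft Corporation)",
    # Constructed: rundll32 loading a module from ProgramData.
    r"HKLM\...\Run: [Updater] => rundll32.exe C:\ProgramData\Updater\upd.dll,Start",
]


@dataclass
class Finding:
    name: str        # value name under the Run key
    exe: str         # executable that is started
    module: str      # module handed to a loader, if any
    reasons: list    # why the entry was flagged


def parse_run_line(line):
    """Return (value_name, command) for an FRST 'Run:' line, else None."""
    if " => " not in line:
        return None
    left, command = line.split(" => ", 1)
    if "\\Run" not in left:
        return None
    m = re.search(r"\[([^\]]+)\]\s*$", left)
    if not m:
        return None
    command = command.replace("<===== ATTENTION", "").strip()
    return m.group(1), command


def triage(lines):
    """Return a Finding for every autorun line that matches a suspicious pattern."""
    findings = []
    for raw in lines:
        parsed = parse_run_line(raw.strip())
        if not parsed:
            continue
        name, command = parsed
        m = EXE_RE.match(command)
        if not m:
            continue
        exe, args = m.group("exe").strip(), m.group("args")
        base = exe.rsplit("\\", 1)[-1].lower()
        reasons, module = [], ""
        if base in LOADERS:
            reasons.append(f"{base} used as loader")
            mod = MODULE_RE.search(args)
            if mod:
                module = mod.group("path")
                if module.lower().startswith(USER_WRITABLE):
                    reasons.append("module lives in a user-writable directory")
        if exe.lower().startswith(USER_WRITABLE):
            reasons.append("executable lives in a user-writable directory")
        if reasons:
            findings.append(Finding(name, exe, module, reasons))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_FRST_LINES):
        print(f"[{f.name}] {f.exe} -> {f.module or '-'}: {'; '.join(f.reasons)}")
```

Run against the sample, the Asrnworks and Updater entries are reported and the Microsoft Security Client entry is not. The same two checks (loader binary plus module location) are what make the regsvr32 line stand out by eye; an entry that only fails one of them still deserves a look, which is why each reason is reported separately.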

#8 djnorman

djnorman
  • Topic Starter

  • Members
  • 32 posts
  • OFFLINE
  •  
  • Local time:01:26 AM

Posted 04 October 2014 - 11:00 AM

Hi again

I've run the fix and the fixlog is below. Moving on to Security Check.

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x86) Version: 02-10-2014
Ran by Nom at 2014-10-04 16:55:09 Run:1
Running from C:\Users\Nom\Desktop\farbar
Loaded Profile: Nom (Available profiles: Nom)
Boot Mode: Normal
 
==============================================
 
Content of fixlist:
*****************
start
HKU\S-1-5-21-3149735488-590609249-3770766249-1000\...\Run: [Asrnworks] => regsvr32.exe C:\Users\Nom\AppData\Local\Asrnworks\dotfuscator.dll <===== ATTENTION
ShellIconOverlayIdentifiers: [1CryptoProviderIcons] -> {24808826-C2BF-4269-B3BA-89D1D5F431A4} => C:\ProgramData\Microsoft\Crypto\RSA64\CryptoProvider.dll No File
CHR Plugin: (Shockwave Flash) - C:\Users\Nom\AppData\Local\Google\Chrome\Application\37.0.2062.124\gcswf32.dll No File
CHR Plugin: (Shockwave Flash) - C:\Users\Nom\AppData\Local\Google\Chrome\User Data\PepperFlash\11.1.31.203\pepflashplayer.dll No File
CHR Plugin: (Google Update) - C:\Program Files\Google\Update\1.3.21.111\npGoogleUpdate3.dll No File
S3 athur; system32\DRIVERS\athur.sys [X]
S4 blbdrive; \SystemRoot\system32\drivers\blbdrive.sys [X]
S3 IpInIp; system32\DRIVERS\ipinip.sys [X]
S3 NwlnkFlt; system32\DRIVERS\nwlnkflt.sys [X]
S3 NwlnkFwd; system32\DRIVERS\nwlnkfwd.sys [X]
S3 RTL8187; system32\DRIVERS\wg111v2.sys [X]
C:\Users\Nom\AppData\Local\Temp\htmlayout.dll
C:\Users\Nom\AppData\Local\Temp\uninst1.exe
C:\Users\Nom\AppData\Local\Temp\_is7A6D.exe
C:\Users\Nom\AppData\Local\Temp\_isAED4.exe
C:\Users\Nom\AppData\Local\Asrnworks
End
*****************
 
HKU\S-1-5-21-3149735488-590609249-3770766249-1000\Software\Microsoft\Windows\CurrentVersion\Run\\Asrnworks => value deleted successfully.
"HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\1CryptoProviderIcons]" => Key not found.
"HKCR\CLSID\{24808826-C2BF-4269-B3BA-89D1D5F431A4}" => Key deleted successfully.
C:\Users\Nom\AppData\Local\Google\Chrome\Application\37.0.2062.124\gcswf32.dll not found.
C:\Users\Nom\AppData\Local\Google\Chrome\User Data\PepperFlash\11.1.31.203\pepflashplayer.dll not found.
C:\Program Files\Google\Update\1.3.21.111\npGoogleUpdate3.dll not found.
athur => Service deleted successfully.
blbdrive => Service deleted successfully.
IpInIp => Service deleted successfully.
NwlnkFlt => Service deleted successfully.
NwlnkFwd => Service deleted successfully.
RTL8187 => Service deleted successfully.
C:\Users\Nom\AppData\Local\Temp\htmlayout.dll => Moved successfully.
C:\Users\Nom\AppData\Local\Temp\uninst1.exe => Moved successfully.
C:\Users\Nom\AppData\Local\Temp\_is7A6D.exe => Moved successfully.
C:\Users\Nom\AppData\Local\Temp\_isAED4.exe => Moved successfully.
C:\Users\Nom\AppData\Local\Asrnworks => Moved successfully.
 
==== End of Fixlog ====


#9 djnorman

djnorman
  • Topic Starter

  • Members
  • 32 posts
  • OFFLINE
  •  
  • Local time:01:26 AM

Posted 04 October 2014 - 11:14 AM

Hello once more,

I've run Security Check, and posted the text file below.

Having looked around the various pages of this site for a while, I have just been re-directed to a page I did not click on. Instead of getting one of BC's tutorials, I ended up here:

Other than that the PC seems to be fine.

 Results of screen317's Security Check version 0.99.88  
 Windows Vista Service Pack 2 x86 (UAC is disabled!)  
 Internet Explorer 9  
 Internet Explorer 8  
``````````````Antivirus/Firewall Check:`````````````` 
 Windows Firewall Enabled!  
Microsoft Security Essentials   
 Antivirus up to date!  
`````````Anti-malware/Other Utilities Check:````````` 
 Mozilla Thunderbird (24.6.0) 
 Google Chrome 37.0.2062.120  
 Google Chrome 37.0.2062.124  
````````Process Check: objlist.exe by Laurent````````  
 Microsoft Security Essentials MSMpEng.exe 
 Microsoft Security Essentials msseces.exe 
`````````````````System Health check````````````````` 
 Total Fragmentation on Drive C: 0 % 
````````````````````End of Log`````````````````````` 


#10 nasdaq

nasdaq

  • Malware Response Team
  • 38,779 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:08:26 PM

Posted 04 October 2014 - 01:14 PM

The Security Check log is clean.
===

Click the Start button. In the Search box, type Command Prompt, and then, in the list of results, double-click Command Prompt.

At the cursor type:
ipconfig /flushdns <-- (A space between g and / is needed)

ipconfig /release

repeat with
ipconfig /renew

Then hit Enter, type Exit, hit the Enter key.

You may need to run CMD - Command Prompt on Vista - Windows 7/8 with Elevated Privilege
http://www.bleepingcomputer.com/tutorials/windows-elevated-command-prompt/
<<<>>>

If that fails to remove the Redirects try this.
...

Reset all your browsers, or the one in which you get redirected.

Reset Chrome...
Click on "Customize and control Google Chrome":

Click "Settings" then "Show advanced settings" at the bottom of the screen.

Click "Reset browser settings" button.

Restart Chrome.
====

Firefox:
Reset Default Browsing settings:
https://support.mozilla.org/en-US/kb/reset-firefox-easily-fix-problems?utm_expid=65912487-41.djHNRQY0RhaLvvtvcd0BQA.2&utm_referrer=https%3A%2F%2Fwww.google.ca%2F
===

Internet Explorer:
Menu > Tools > Internet Options > General Tab.
Click the Reset button on the bottom of the pane.
Click the Apply button.
Close IE.

===

How is it now?

#11 djnorman

djnorman
  • Topic Starter

  • Members
  • 32 posts
  • OFFLINE
  •  
  • Local time:01:26 AM

Posted 04 October 2014 - 02:07 PM

Hi again.

Went through the process as described, for both Chrome (my main browser) and IE. I have since uninstalled Chrome and installed Firefox as new. Opened up this website, moved to the forums, found my thread, clicked on it and was redirected to here:

http://windows.errorhelper.com/remove.php?t202kw=Computer-Virus&k=malware&G=Virus-B

If the log is clean, what is causing this redirection?



#12 nasdaq

nasdaq

  • Malware Response Team
  • 38,779 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:08:26 PM

Posted 05 October 2014 - 06:37 AM

There are many ways to skin a cat.

It comes from Speedy PC, a rogue program.
Do you remember running that program?

===

If using a router it may have been compromised.

How to Reset a Router Back to the Factory Default Settings
http://www.ehow.com/how_2110924_reset-back-factory-default-settings.html

Then, please reconfigure it back to your preferred settings. Below is a list of default usernames and passwords, should you not know it ;)

http://www.routerpasswords.com/
http://www.phenoelit-us.org/dpl/dpl.html
===

Reset for Linksys, Netgear, D-Link and Belkin Routers
http://www.techsupportforum.com/2763-reset-for-linksys-netgear-d-link-and-belkin-routers/

How to Secure Your Wireless Router
http://www.ehow.com/how_2253625_secure-wireless-router.html
===

If that fails to clear the issue run this tool.

Please download ComboFix from any of the links below, and save it to your desktop. For information regarding this download, please visit this web page: http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Link 1
Link 2


* IMPORTANT !!! Save ComboFix.exe to your Desktop

IMPORTANT....

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Do not install any other programs until this is fixed.


How to : Disable Anti-virus and Firewall...
http://www.bleepingcomputer.com/forums/topic114351.html

Double click on ComboFix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt
Note:
Do not mouse click ComboFix's window while it's running. That may cause it to stall.


Note: If you have difficulty properly disabling your protective programs, refer to this link --> http://www.bleepingcomputer.com/forums/topic114351.html

Note: If after running ComboFix you get this error message "Illegal operation attempted on a registry key that has been marked for deletion." when attempting to run a program all you need to do is restart the computer to reset the registry.
==============

Keep me posted.

#13 djnorman

djnorman
  • Topic Starter

  • Members
  • 32 posts
  • OFFLINE
  •  
  • Local time:01:26 AM

Posted 05 October 2014 - 09:36 AM

Good morning to you.

I have no recollection of ever running Speedy PC - doesn't sound like the kind of thing I would do to be honest. I'm pretty selective with what I download and run. And I'm not much of one for optimizing my PC!

As part of the process for cleaning the viruses off my machine, I reset my router, and strengthened the password etc. It is not a common router, being a Technicolor 582n model. Should I go through that process again? It didn't seem to have any effect on the redirection when I first reset it.



#14 djnorman

djnorman
  • Topic Starter

  • Members
  • 32 posts
  • OFFLINE
  •  
  • Local time:01:26 AM

Posted 05 October 2014 - 10:03 AM

I've run ComboFix. Here's the log:

ComboFix 14-10-04.01 - Nom 05/10/2014  15:51:04.1.2 - x86
Microsoft® Windows Vista™ Business   6.0.6002.2.1252.44.1033.18.3322.2249 [GMT 1:00]
Running from: c:\users\Nom\Desktop\ComboFix.exe
AV: Microsoft Security Essentials *Disabled/Updated* {4F35CFC4-45A3-FC37-EF17-759A02E39AB1}
SP: Microsoft Security Essentials *Disabled/Updated* {F4542E20-6399-F3B9-D5A7-4EE87964D00C}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
C:\install.exe
c:\programdata\Microsoft\Crypto\RSA64\rsa64.dll
c:\windows\system32\drivers\etc\hosts.txt
.
.
(((((((((((((((((((((((((   Files Created from 2014-09-05 to 2014-10-05  )))))))))))))))))))))))))))))))
.
.
2014-10-05 14:57 . 2014-10-05 14:57    --------    d-----w-    c:\users\Nom\AppData\Local\temp
2014-10-05 14:57 . 2014-10-05 14:57    --------    d-----w-    c:\users\Default\AppData\Local\temp
2014-10-05 06:20 . 2014-09-09 01:24    8806800    ----a-w-    c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{8EF8815E-7952-41E5-A591-E87CBD05026B}\mpengine.dll
2014-10-04 18:58 . 2014-10-04 18:58    --------    d-----w-    c:\users\Nom\AppData\Local\Mozilla
2014-10-04 04:23 . 2014-10-04 04:21    908840    ------w-    c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{74252EC3-3BBC-4E9A-BAE0-4066FDD33ECA}\gapaengine.dll
2014-10-04 04:22 . 2014-09-09 01:24    8806800    ----a-w-    c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2014-10-03 18:16 . 2014-10-04 15:55    --------    d-----w-    C:\FRST
2014-10-03 17:48 . 2014-10-05 06:06    110296    ----a-w-    c:\windows\system32\drivers\MBAMSwissArmy.sys
2014-10-03 17:47 . 2014-10-03 17:47    --------    d-----w-    c:\program files\Malwarebytes Anti-Malware
2014-10-03 17:47 . 2014-05-12 06:26    51928    ----a-w-    c:\windows\system32\drivers\mwac.sys
2014-10-03 17:47 . 2014-05-12 06:25    74456    ----a-w-    c:\windows\system32\drivers\mbamchameleon.sys
2014-10-03 17:47 . 2014-05-12 06:25    23256    ----a-w-    c:\windows\system32\drivers\mbam.sys
2014-09-28 20:54 . 2014-09-28 20:54    --------    d-----w-    c:\program files\ESET
2014-09-14 17:06 . 2014-09-14 19:18    --------    d-----w-    c:\programdata\Malwarebytes
2014-09-14 17:06 . 2014-09-14 19:05    --------    d-----w-    c:\programdata\Malwarebytes' Anti-Malware (portable)
2014-09-14 15:31 . 2014-09-14 15:31    --------    d-----w-    c:\windows\ERUNT
2014-09-14 15:06 . 2010-08-30 07:34    536576    ----a-w-    c:\windows\system32\sqlite3.dll
2014-09-14 15:05 . 2014-10-03 18:10    --------    d-----w-    C:\AdwCleaner
2014-09-09 07:06 . 2014-09-09 07:06    --------    d-----w-    c:\users\Nom\AppData\Roaming\NBSoftSolutions
2014-09-09 07:06 . 2014-09-09 07:06    --------    d-----w-    c:\program files\NBSoftSolutions
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2014-09-22 06:41 . 2011-07-13 19:59    231568    ------w-    c:\windows\system32\MpSigStub.exe
2014-08-23 01:03 . 2014-08-28 02:07    297984    ----a-w-    c:\windows\system32\gdi32.dll
2014-08-22 23:26 . 2014-08-28 02:07    2054656    ----a-w-    c:\windows\system32\win32k.sys
2014-07-25 01:35 . 2014-07-25 01:35    875688    ----a-w-    c:\windows\system32\msvcr120_clr0400.dll
2014-07-17 17:05 . 2014-07-17 17:05    231800    ----a-w-    c:\windows\system32\drivers\MpFilter.sys
2014-07-17 17:05 . 2012-03-20 19:44    95920    ----a-w-    c:\windows\system32\drivers\NisDrvWFP.sys
2014-07-08 00:46 . 2014-08-15 15:47    2048    ----a-w-    c:\windows\system32\tzres.dll
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-10 1233920]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-18 202240]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"atchk"="c:\program files\Intel\AMT\atchk.exe" [2009-12-01 401408]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2011-05-24 336384]
"BigDogPath323VMSnap"="c:\windows\VMSnap23.exe" [2006-07-20 90112]
"BigDogPath323Domino"="c:\windows\Domino.exe" [2006-06-28 49152]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2014-08-22 974432]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2007-08-01 1282048]
"CDAServer"="c:\program files\Common Files\Common Desktop Agent\CDASrv.exe" [2012-03-09 350072]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WudfSvc]
@="Service"
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-3149735488-590609249-3770766249-1000]
"EnableNotifications"=dword:00000001
"EnableNotificationsRef"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceNoNetwork    REG_MULTI_SZ       PLA DPS BFE mpssvc
LocalServiceAndNoImpersonation    REG_MULTI_SZ       FontCache
.
Contents of the 'Scheduled Tasks' folder
.
2014-10-05 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-07-14 22:02]
.
2014-10-05 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-07-14 22:02]
.
.
------- Supplementary Scan -------
.
TCP: DhcpNameServer = 192.168.1.254
TCP: Interfaces\{57793B72-EA22-4019-A4FC-C1DC4DB88452}: NameServer = 8.8.8.8,8.8.8.8
TCP: Interfaces\{73E23302-A2D3-4896-BF0A-0F72A15C9B88}: NameServer = 8.8.8.8,8.8.8.8
TCP: Interfaces\{8BD4C663-7FD8-4D02-BD64-54FFEF0BA73A}: NameServer = 8.8.8.8,8.8.8.8
TCP: Interfaces\{A37AEC29-83A1-4332-ACAF-F0E0C6CB7BEF}: NameServer = 8.8.8.8,8.8.8.8
TCP: Interfaces\{DD1CC496-817E-4A82-8D9C-FDE3FBA2D4A4}: NameServer = 8.8.8.8,8.8.8.8
TCP: Interfaces\{EC2BE945-E862-4002-A3E4-CD69F7B0D41B}: NameServer = 8.8.8.8,8.8.8.8
TCP: Interfaces\{F9DE97B7-FC48-4ABE-A1BC-69941AB4FB4B}: NameServer = 8.8.8.8,8.8.8.8
FF - ProfilePath - c:\users\Nom\AppData\Roaming\Mozilla\Firefox\Profiles\erkuillx.default\
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-Locked - (no file)
ShellIconOverlayIdentifiers-{24808826-C2BF-4269-B3BA-89D1D5F431A4} - (no file)
SafeBoot-86966842.sys
SafeBoot-97187208.sys
SafeBoot-WudfPf
SafeBoot-WudfRd
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2014-10-05 15:57
Windows 6.0.6002 Service Pack 2 NTFS
.
scanning hidden processes ...  
.
scanning hidden autostart entries ...
.
scanning hidden files ...  
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
Completion time: 2014-10-05  15:59:41
ComboFix-quarantined-files.txt  2014-10-05 14:59
.
Pre-Run: 124,458,106,880 bytes free
Post-Run: 125,035,765,760 bytes free
.
- - End Of File - - FE74486C803C2575ADA4704CAF391BA5
5C616939100B85E558DA92B899A0FC36
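The ComboFix log above records the resolver settings the redirect hunt depends on: a DhcpNameServer of 192.168.1.254 (the router) and per-interface NameServer entries of 8.8.8.8, plus the removal of c:\windows\system32\drivers\etc\hosts.txt. Below is an added example, not part of the thread and not ComboFix's or FRST's own code, that parses NameServer lines in the format ComboFix prints and a hosts file, and reports resolvers outside an allowlist (the DNS-changer sign a compromised router or a rogue "PC optimizer" leaves behind) together with hosts entries that steer well-known names anywhere other than the stock localhost mapping. The allowlist is an assumption; the sample log lines and hosts file are constructed for the example, with the first two log lines copied from the format of the log above.

```python
"""Check DNS resolver settings and hosts-file entries for redirect signs.

Added example, not part of the original thread or of ComboFix/FRST.
"""
import ipaddress
import re

# Assumption: the router's LAN address and two public resolvers are trusted.
TRUSTED_RESOLVERS = {"192.168.1.254", "8.8.8.8", "8.8.4.4"}

# Matches both 'TCP: DhcpNameServer = x' and
# 'TCP: Interfaces\{GUID}: NameServer = x,y' as ComboFix prints them.
NAMESERVER_RE = re.compile(
    r"^TCP:\s+(?:Interfaces\\\{(?P<iface>[0-9A-F-]+)\}:\s+)?"
    r"(?:Dhcp)?NameServer\s*=\s*(?P<servers>[\d.,\s]+)$",
    re.IGNORECASE,
)
LOOPBACK = ("127.0.0.1", "::1", "0.0.0.0")

# Constructed sample log lines in ComboFix's format.
SAMPLE_LOG = [
    "TCP: DhcpNameServer = 192.168.1.254",
    r"TCP: Interfaces\{57793B72-EA22-4019-A4FC-C1DC4DB88452}: NameServer = 8.8.8.8,8.8.8.8",
    # Constructed: a resolver outside the allowlist on one interface.
    r"TCP: Interfaces\{73E23302-A2D3-4896-BF0A-0F72A15C9B88}: NameServer = 203.0.113.10,8.8.8.8",
]

# Constructed hosts file: two stock entries, one redirect, one block.
SAMPLE_HOSTS = """\
# constructed hosts file for the example
127.0.0.1       localhost
::1             localhost
198.51.100.7    www.bleepingcomputer.com bleepingcomputer.com
127.0.0.1       www.malwarebytes.org   # blocks the vendor site
"""


def parse_nameservers(lines):
    """Yield (interface GUID or 'global', [resolver, ...]) per matching line."""
    for line in lines:
        m = NAMESERVER_RE.match(line.strip())
        if not m:
            continue
        servers = [s.strip() for s in m.group("servers").split(",") if s.strip()]
        yield (m.group("iface") or "global"), servers


def untrusted_resolvers(lines, trusted=TRUSTED_RESOLVERS):
    """Return (interface, resolver) pairs for resolvers not in the allowlist."""
    return [(iface, s)
            for iface, servers in parse_nameservers(lines)
            for s in servers if s not in trusted]


def parse_hosts(text):
    """Return (ip, hostname) pairs from hosts-file text, ignoring comments."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            continue  # not a hosts entry (e.g. a stray header line)
        entries.extend((ip, n.lower()) for n in names)
    return entries


def suspicious_hosts(text):
    """Entries other than the stock localhost mapping.

    A name pointed at loopback blocks the site (a common way to keep the
    victim off security-vendor pages); a name pointed at another address
    redirects it. Both matter, so everything but 'localhost' is reported.
    """
    return [(ip, name) for ip, name in parse_hosts(text)
            if not (name in ("localhost", "localhost.localdomain") and ip in LOOPBACK)]


if __name__ == "__main__":
    for iface, server in untrusted_resolvers(SAMPLE_LOG):
        print(f"untrusted resolver {server} on interface {iface}")
    for ip, name in suspicious_hosts(SAMPLE_HOSTS):
        print(f"hosts entry {name} -> {ip}")
```

One caveat for anyone reproducing the check on a live machine: the file ComboFix removed above was hosts.txt, which Windows never reads; the resolver consults the extensionless hosts file in the same directory, so that is the file to feed to the parser. A redirect that survives a clean hosts file, trusted resolvers on every interface and a browser reset is the point at which the router's own DNS settings, which no host-side log shows, become the prime suspect.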
 



#15 nasdaq

nasdaq

  • Malware Response Team
  • 38,779 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:08:26 PM

Posted 05 October 2014 - 10:36 AM

Clean these Caches.

Clean the Java Cache. Tutorial here.
http://www.java.com/en/download/help/plugin_cache.xml
<<<>>>

Empty flash cache.
http://www.macromedia.com/support/documentation/en/flashplayer/help/settings_manager07.html
<<<>>>



