
Symantec detects Trojan.Gen.2 but cannot "remove the risk"


This topic is locked
7 replies to this topic

#1 bmorescience

bmorescience

  • Members
  • 5 posts
  • OFFLINE
  • Local time:05:14 AM

Posted 01 December 2014 - 04:15 PM

Symantec has reported a couple of files infected with Trojan.Gen.2, but gives a notification that the "risk was partially removed" and the action was "Partial (Non Critical Failure)". When it detects the virus, it also attempts and fails to delete the internet browser temp file cache. SymHelp and Malwarebytes did nothing to detect or fix the problem. 

 

Noticeable problems: sometimes the computer restarts spontaneously, but I haven't noticed any problems other than that. 

 

DDS (Ver_2012-11-20.01) - NTFS_x86 
Internet Explorer: 8.0.7601.18631
Run by Microscope at 15:49:42 on 2014-12-01
Microsoft Windows 7 Professional   6.1.7601.1.1252.1.1033.18.3326.1809 [GMT -5:00]
.
AV: Symantec Endpoint Protection *Enabled/Updated* {63DF5164-9100-186D-2187-8DC619EFD8BF}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Symantec Endpoint Protection *Enabled/Updated* {D8BEB080-B73A-17E3-1B37-B6B462689202}
FW: Symantec Endpoint Protection *Enabled* {5BE4D041-DB6F-1935-0AD8-24F3E73C9FC4}
.
============== Running Processes ================
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\System32\spoolsv.exe
C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe
C:\Program Files\Intel\Services\IPT\jhi_service.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Symantec\Symantec Endpoint Protection\12.1.4013.4013.105\Bin\ccSvcHst.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\12.1.4013.4013.105\Bin\Smc.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Symantec\Symantec Endpoint Protection\12.1.4013.4013.105\Bin\ccSvcHst.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Adobe\Adobe Creative Cloud\ACC\Creative Cloud.exe
C:\Program Files\Adobe\Acrobat 11.0\Acrobat\acrotray.exe
C:\Program Files\Common Files\Adobe\OOBE\PDApp\IPC\AdobeIPCBroker.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Adobe\Adobe Creative Cloud\CoreSync\CoreSync.exe
C:\Program Files\Adobe\Adobe Creative Cloud\HEX\Adobe CEF Helper.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\CCM\CcmExec.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\CCM\RemCtrl\CmRcService.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\CCM\SCNotification.exe
c:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe
C:\Program Files\Common Files\Adobe\OOBE\PDApp\UWA\AAM Updates Notifier.exe
C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\agent.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\12.1.4013.4013.105\Bin\SymCorpUI.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\12.1.4013.4013.105\Bin\SmcGui.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\conhost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
.
============== Pseudo HJT Report ===============
.
BHO: Adobe PDF Reader Link Helper: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Lync Browser Helper: {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} - c:\program files\microsoft office\office15\OCHelper.dll
BHO: Symantec Vulnerability Protection: {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - c:\program files\symantec\symantec endpoint protection\12.1.4013.4013.105\bin\ips\IPSBHO.dll
BHO: Adobe Acrobat Create PDF Toolbar Helper: {AE7CD045-E861-484f-8273-0445EE161910} - c:\program files\common files\adobe\acrobat\wcieactivex\AcroIEFavClient.dll
BHO: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - c:\program files\microsoft office\office15\URLREDIR.DLL
BHO: Microsoft SkyDrive Pro Browser Helper: {D0498E0A-45B7-42AE-A9AA-ABA463DBD3BF} - c:\program files\microsoft office\office15\GROOVEEX.DLL
BHO: Adobe Acrobat Create PDF from Selection: {F4971EE7-DAA0-4053-9964-665D8EE6A077} - c:\program files\common files\adobe\acrobat\wcieactivex\AcroIEFavClient.dll
TB: Adobe Acrobat Create PDF Toolbar: {47833539-D0C5-4125-9FA8-0819E2EAAC93} - c:\program files\common files\adobe\acrobat\wcieactivex\AcroIEFavClient.dll
uRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup
uRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [AdobeAAMUpdater-1.0] "c:\program files\common files\adobe\oobe\pdapp\uwa\UpdaterStartupUtility.exe"
mRun: [Adobe Creative Cloud] "c:\program files\adobe\adobe creative cloud\acc\Creative Cloud.exe" --showwindow=false --onOSstartup=true
mRun: [Acrobat Assistant 8.0] "c:\program files\adobe\acrobat 11.0\acrobat\Acrotray.exe"
uPolicies-Explorer: NoDriveTypeAutoRun = dword:145
mPolicies-Explorer: NoDriveTypeAutoRun = dword:255
mPolicies-System: ConsentPromptBehaviorAdmin = dword:0
mPolicies-System: ConsentPromptBehaviorUser = dword:3
mPolicies-System: EnableLUA = dword:0
mPolicies-System: EnableUIADesktopToggle = dword:0
mPolicies-System: PromptOnSecureDesktop = dword:0
mPolicies-Windows\System: Allow-LogonScript-NetbiosDisabled = dword:1
IE: E&xport to Microsoft Excel - c:\progra~1\micros~1\office15\EXCEL.EXE/3000
IE: Se&nd to OneNote - c:\progra~1\micros~1\office15\ONBttnIE.dll/105
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\program files\microsoft office\office15\ONBttnIE.dll
IE: {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} - {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} - c:\program files\microsoft office\office15\OCHelper.dll
IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - c:\program files\microsoft office\office15\ONBttnIELinkedNotes.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503}
DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} - hxxp://support.dell.com/systemprofiler/SysPro.CAB
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://windowsupdate.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1344369671843
DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} - hxxp://www.nvidia.com/content/DriverDownload/srl/2.0.0.1/sysreqlab2.cab
TCP: NameServer = 10.90.100.5 10.90.100.15
TCP: Interfaces\{469310CB-8503-45C8-96F4-651F6B3B4AC4} : DHCPNameServer = 10.90.100.5 10.90.100.15
Filter: text/xml - {807583E5-5146-11D5-A672-00B0D022E945} - c:\program files\common files\microsoft shared\office15\MSOXMLMF.DLL
Handler: osf - {D924BDC6-C83A-4BD5-90D0-095128A113D1} - c:\program files\microsoft office\office15\MSOSB.DLL
SSODL: WebCheck - <orphaned>
mASetup: {8A69D345-D564-463c-AFF1-A69D9E530F96} - "c:\program files\google\chrome\application\36.0.1985.125\installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --multi-install --chrome
.
============= SERVICES / DRIVERS ===============
.
R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\sep\0c010fad\0fad.105\x86\SymDS.sys [2014-9-17 367704]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\sep\0c010fad\0fad.105\x86\SymEFA.sys [2014-9-17 935512]
R1 BHDrvx86;BHDrvx86;c:\programdata\symantec\symantec endpoint protection\12.1.4013.4013.105\data\definitions\bashdefs\20141119.011\BHDrvx86.sys [2014-11-20 1137368]
R1 ccSettings_{974A0163-23BB-4C9D-A3C2-611667F7A450};Symantec Endpoint Protection 12.1.4013.4013.105 Settings Manager;c:\windows\system32\drivers\sep\0c010fad\0fad.105\x86\ccSetx86.sys [2014-9-17 134744]
R1 IDSVix86;IDSVix86;c:\programdata\symantec\symantec endpoint protection\12.1.4013.4013.105\data\definitions\ipsdefs\20141128.011\IDSVIX86.SYS [2014-12-1 395992]
R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\sep\0c010fad\0fad.105\x86\Ironx86.sys [2014-9-17 175192]
R1 SYMNETS;Symantec Network Security WFP Driver;c:\windows\system32\drivers\sep\0c010fad\0fad.105\x86\symnets.sys [2014-9-17 341080]
R2 CmRcService;Configuration Manager Remote Control;c:\windows\ccm\remctrl\CmRcService.exe [2012-11-21 470112]
R2 jhi_service;Intel® Identity Protection Technology Host Interface Service;c:\program files\intel\services\ipt\jhi_service.exe [2011-9-28 212944]
R2 SepMasterService;Symantec Endpoint Protection;c:\program files\symantec\symantec endpoint protection\12.1.4013.4013.105\bin\ccSvcHst.exe [2014-9-17 144368]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2014-10-20 111408]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2014-11-21 23256]
R3 qcamdrv;QImaging FireWire Camera;c:\windows\system32\drivers\qcamdrv.sys [2012-11-30 23656]
R3 t1394bus;t1394bus;c:\windows\system32\drivers\t1394bus.sys [2010-6-18 131944]
S1 SMR430;Symantec SMR Utility Service 4.3.0;c:\windows\system32\drivers\SMR430.SYS [2014-12-1 104120]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2013-9-11 105144]
S2 MBAMService;MBAMService;c:\program files\malwarebytes anti-malware\mbamservice.exe [2014-11-21 968504]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]
S3 dmvsc;dmvsc;c:\windows\system32\drivers\dmvsc.sys [2011-4-5 62464]
S3 lpasvc;Microsoft Policy Platform Local Authority;c:\program files\microsoft policy platform\policyHost.exe [2012-8-2 48744]
S3 lppsvc;Microsoft Policy Platform Processor;c:\program files\microsoft policy platform\policyHost.exe [2012-8-2 48744]
S3 MBAMWebAccessControl;MBAMWebAccessControl;c:\windows\system32\drivers\mwac.sys [2014-11-21 51928]
S3 MEI;Intel® Management Engine Interface ;c:\windows\system32\drivers\HECI.sys [2010-10-20 41088]
S3 Smcinst;Symantec Auto-upgrade Agent;"c:\program files\symantec\symantec endpoint protection\12.1.2015.2015.105\smclu\setup\smcinst.exe" --> c:\program files\symantec\symantec endpoint protection\12.1.2015.2015.105\smclu\setup\smcinst.exe [?]
S3 StorSvc;Storage Service;c:\windows\system32\svchost.exe -k LocalSystemNetworkRestricted [2009-7-13 20992]
S3 SyDvCtrl;SyDvCtrl;c:\program files\symantec\symantec endpoint protection\12.1.4013.4013.105\bin\SyDvCtrl32.sys [2014-9-17 28576]
S3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\TsUsbFlt.sys [2011-4-5 52224]
S3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys [2011-4-5 27264]
S3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\wat\WatAdminSvc.exe [2013-5-2 1343400]
S4 MBAMScheduler;MBAMScheduler;c:\program files\malwarebytes anti-malware\mbamscheduler.exe [2014-11-21 1871160]
.
=============== Created Last 30 ================
.
2014-12-01 19:49:15 104120 ----a-w- c:\windows\system32\drivers\SMR430.SYS
2014-11-21 21:13:08 114904 ----a-w- c:\windows\system32\drivers\MBAMSwissArmy.sys
2014-11-21 21:12:45 75480 ----a-w- c:\windows\system32\drivers\mbamchameleon.sys
2014-11-21 21:12:45 51928 ----a-w- c:\windows\system32\drivers\mwac.sys
2014-11-21 21:12:45 23256 ----a-w- c:\windows\system32\drivers\mbam.sys
2014-11-21 21:12:45 -------- d-----w- c:\programdata\Malwarebytes
2014-11-21 21:12:45 -------- d-----w- c:\program files\Malwarebytes Anti-Malware
2014-11-20 16:38:22 550912 ----a-w- c:\windows\system32\kerberos.dll
2014-11-20 16:38:22 186880 ----a-w- c:\windows\system32\pku2u.dll
.
==================== Find3M  ====================
.
2014-11-14 17:30:09 71344 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2014-11-14 17:30:09 701104 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2014-11-05 17:50:47 254464 ----a-w- c:\windows\system32\generaltel.dll
2014-11-05 17:50:28 203776 ----a-w- c:\windows\system32\aepdu.dll
2014-11-05 17:47:40 302592 ----a-w- c:\windows\system32\aeinv.dll
2014-10-25 15:46:09 981504 ----a-w- c:\windows\system32\wininet.dll
2014-10-25 15:43:59 50176 ----a-w- c:\windows\system32\mshta.exe
2014-10-25 15:43:48 142848 ----a-w- c:\windows\system32\ieUnatt.exe
2014-10-25 15:43:07 1466368 ----a-w- c:\windows\system32\inetcpl.cpl
2014-10-25 12:39:39 1638912 ----a-w- c:\windows\system32\mshtml.tlb
2014-10-25 01:32:37 67584 ----a-w- c:\windows\system32\packager.dll
2014-10-18 01:33:18 571904 ----a-w- c:\windows\system32\oleaut32.dll
2014-10-14 01:56:19 136632 ----a-w- c:\windows\system32\drivers\ksecpkg.sys
2014-10-14 01:50:50 523776 ----a-w- c:\windows\system32\termsrv.dll
2014-10-14 01:50:41 2363904 ----a-w- c:\windows\system32\msi.dll
2014-10-14 01:50:39 1059840 ----a-w- c:\windows\system32\lsasrv.dll
2014-10-14 01:47:30 146432 ----a-w- c:\windows\system32\msaudite.dll
2014-10-14 01:46:02 681984 ----a-w- c:\windows\system32\adtschema.dll
2014-10-10 00:45:54 2379264 ----a-w- c:\windows\system32\win32k.sys
2014-10-03 01:44:42 442880 ----a-w- c:\windows\system32\AUDIOKSE.dll
2014-10-03 01:44:31 275968 ----a-w- c:\windows\system32\EncDump.dll
2014-10-03 01:44:26 475136 ----a-w- c:\windows\system32\audiosrv.dll
2014-10-03 01:44:26 374784 ----a-w- c:\windows\system32\AudioEng.dll
2014-10-03 01:44:26 195584 ----a-w- c:\windows\system32\AudioSes.dll
2014-09-25 01:40:50 519680 ----a-w- c:\windows\system32\qdvd.dll
2014-09-19 09:23:55 172032 ----a-w- c:\windows\system32\wdigest.dll
2014-09-19 09:23:52 65536 ----a-w- c:\windows\system32\TSpkg.dll
2014-09-19 09:23:49 248832 ----a-w- c:\windows\system32\schannel.dll
2014-09-19 09:23:46 221184 ----a-w- c:\windows\system32\ncrypt.dll
2014-09-19 09:23:45 259584 ----a-w- c:\windows\system32\msv1_0.dll
2014-09-19 09:23:36 17408 ----a-w- c:\windows\system32\credssp.dll
2014-09-17 17:36:44 420752 ----a-w- c:\windows\system32\SymVPN.dll
2014-09-17 17:36:44 361360 ----a-w- c:\windows\system32\sysfer.dll
2014-09-17 17:36:44 33264 ----a-w- c:\windows\system32\drivers\WGX.SYS
2014-09-17 17:36:44 136080 ----a-w- c:\windows\system32\FwsVpn.dll
2014-09-17 17:36:44 126440 ----a-w- c:\windows\system32\drivers\SysPlant.sys
2014-09-17 17:36:44 11152 ----a-w- c:\windows\system32\sysferThunk.dll
2014-09-17 17:34:34 142936 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2014-09-17 17:29:14 603224 ----a-w- c:\windows\system32\drivers\sep\0c010fad\0fad.105\x86\srtsp.sys
2014-09-17 17:29:14 341080 ----a-w- c:\windows\system32\drivers\sep\0c010fad\0fad.105\x86\symnets.sys
2014-09-17 17:29:14 32344 ----a-w- c:\windows\system32\drivers\sep\0c010fad\0fad.105\x86\srtspx.sys
2014-09-17 17:29:13 935512 ----a-w- c:\windows\system32\drivers\sep\0c010fad\0fad.105\x86\SymEFA.sys
2014-09-17 17:29:13 367704 ----a-w- c:\windows\system32\drivers\sep\0c010fad\0fad.105\x86\SymDS.sys
2014-09-17 17:29:13 175192 ----a-w- c:\windows\system32\drivers\sep\0c010fad\0fad.105\x86\Ironx86.sys
2014-09-17 17:29:13 134744 ----a-w- c:\windows\system32\drivers\sep\0c010fad\0fad.105\x86\ccSetx86.sys
2014-09-17 17:29:12 72880 ----a-w- c:\windows\system32\drivers\Teefer.sys
2014-09-09 21:47:10 2048 ----a-w- c:\windows\system32\tzres.dll
2014-09-04 05:04:15 372736 ----a-w- c:\windows\system32\rastls.dll
.
============= FINISH: 15:50:12.42 ===============

#2 nasdaq

nasdaq

  • Malware Response Team
  • 38,747 posts
  • OFFLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:06:14 AM

Posted 06 December 2014 - 10:11 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

Please download AdwCleaner by Xplode onto your Desktop.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click the Scan button and wait for the process to complete.
  • Click the Report button and the report will open in Notepad.
IMPORTANT
  • If you click the Clean button all items listed in the report will be removed.
If you find some false positive items or programs that you wish to keep, Close the AdwCleaner windows.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click the Scan button and wait for the process to complete.
  • Check off the element(s) you wish to keep.
  • Click on the Clean button and follow the prompts.
  • A log file will automatically open after the scan has finished.
  • Please post the content of that log file with your next answer.
  • You can find the log file at C:\AdwCleaner[Sn].txt (n is a number).
===

Download the version of this tool for your operating system.
Farbar Recovery Scan Tool (64 bit)
Farbar Recovery Scan Tool (32 bit)
and save it to a folder on your computer's Desktop.
Double-click to run it. When the tool opens, click Yes to the disclaimer.
Press Scan button.
It will make a log (FRST.txt) in the same directory the tool is run from. Please copy and paste it into your reply.
The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply.
===

Please paste the logs in your next reply. DO NOT ATTACH THEM unless specified.
To attach a file select the "More Reply Option" and follow the instructions.

How is the computer running?
Wait for further instructions.

#3 bmorescience

bmorescience
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  • Local time:05:14 AM

Posted 08 December 2014 - 11:46 AM

Hi nasdaq, thanks for your help. Here is the AdwCleaner log:

 

# AdwCleaner v4.104 - Report created 08/12/2014 at 11:17:27
# Updated 05/12/2014 by Xplode
# Database : 2014-12-08.1 [Live]
# Operating System : Windows 7 Professional Service Pack 1 (32 bits)
# Username : Microscope - SOMTKINGBURY
# Running from : C:\Users\Microscope\Downloads\adwcleaner_4.104.exe
# Option : Clean
 
***** [ Services ] *****
 
 
***** [ Files / Folders ] *****
 
Folder Deleted : C:\Users\Microscope\AppData\Roaming\ap_logs
Folder Deleted : C:\Users\Microscope\AppData\Roaming\VOPackage
File Deleted : C:\Users\Microscope\AppData\Roaming\Mozilla\Firefox\Profiles\eohjff24.default\user.js
 
***** [ Scheduled Tasks ] *****
 
Task Deleted : APSnotifierPP1
Task Deleted : APSnotifierPP2
Task Deleted : APSnotifierPP3
 
***** [ Shortcuts ] *****
 
 
***** [ Registry ] *****
 
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{1AA60054-57D9-4F99-9A55-D0FBFBE7ECD3}
 
***** [ Browsers ] *****
 
-\\ Internet Explorer v8.0.7601.18631
 
 
-\\ Mozilla Firefox v
 
 
-\\ Google Chrome v36.0.1985.125
 
 
*************************
 
AdwCleaner[R0].txt - [1184 octets] - [08/12/2014 11:06:42]
AdwCleaner[S0].txt - [1119 octets] - [08/12/2014 11:17:27]
 
########## EOF - C:\AdwCleaner\AdwCleaner[S0].txt - [1179 octets] ##########
 
 
Here is the FRST.txt:
 
Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 07-12-2014 01
Ran by Microscope (administrator) on SOMTKINGBURY on 08-12-2014 11:29:03
Running from C:\Users\Microscope\Downloads
Loaded Profile: Microscope (Available profiles: Microscope & Pitadmin)
Platform: Microsoft Windows 7 Professional  Service Pack 1 (X86) OS Language: English (United States)
Internet Explorer Version 8
Boot Mode: Normal
 
==================== Processes (Whitelisted) =================
 
(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)
 
(Intel Corporation) C:\Program Files\Intel\Services\IPT\jhi_service.exe
(Microsoft Corporation) C:\Program Files\Common Files\microsoft shared\VS7Debug\MDM.EXE
(Symantec Corporation) C:\Program Files\Symantec\Symantec Endpoint Protection\12.1.4013.4013.105\Bin\ccSvcHst.exe
(Symantec Corporation) C:\Program Files\Symantec\Symantec Endpoint Protection\12.1.4013.4013.105\Bin\Smc.exe
(Microsoft Corporation) C:\Windows\System32\wbem\unsecapp.exe
(Symantec Corporation) C:\Program Files\Symantec\Symantec Endpoint Protection\12.1.4013.4013.105\Bin\ccSvcHst.exe
(Macrovision Corporation) C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
(Adobe Systems Incorporated) C:\Program Files\Adobe\Adobe Creative Cloud\ACC\Creative Cloud.exe
(Adobe Systems Inc.) C:\Program Files\Adobe\Acrobat 11.0\Acrobat\acrotray.exe
(Adobe Systems Incorporated) C:\Program Files\Common Files\Adobe\OOBE\PDApp\IPC\AdobeIPCBroker.exe
() C:\Program Files\Adobe\Adobe Creative Cloud\CoreSync\CoreSync.exe
(Adobe Systems Incorporated) C:\Program Files\Adobe\Adobe Creative Cloud\HEX\Adobe CEF Helper.exe
(Google Inc.) C:\Program Files\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files\Google\Chrome\Application\chrome.exe
(Microsoft Corporation) C:\Windows\CCM\CcmExec.exe
(Microsoft Corporation) C:\Windows\System32\msiexec.exe
(Microsoft Corporation) C:\Windows\CCM\RemCtrl\CmRcService.exe
(Microsoft Corporation) C:\Program Files\Microsoft Policy Platform\policyHost.exe
(Microsoft Corporation) C:\Windows\CCM\SCNotification.exe
(Google Inc.) C:\Program Files\Google\Chrome\Application\chrome.exe
(Farbar) C:\Users\Microscope\Downloads\FRST (1).exe
 
 
==================== Registry (Whitelisted) ==================
 
(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)
 
HKLM\...\Run: [Adobe ARM] => C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe [959176 2014-08-21] (Adobe Systems Incorporated)
HKLM\...\Run: [Adobe Reader Speed Launcher] => C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe [39792 2007-10-10] (Adobe Systems Incorporated)
HKLM\...\Run: [ISUSPM Startup] => C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe [221184 2004-07-27] (InstallShield Software Corporation)
HKLM\...\Run: [ISUSScheduler] => C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe [79136 2008-10-24] (Macrovision Corporation)
HKLM\...\Run: [AdobeAAMUpdater-1.0] => C:\Program Files\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe [558496 2014-02-27] (Adobe Systems Incorporated)
HKLM\...\Run: [Adobe Creative Cloud] => C:\Program Files\Adobe\Adobe Creative Cloud\ACC\Creative Cloud.exe [2694040 2014-07-22] (Adobe Systems Incorporated)
HKLM\...\Run: [] => [X]
HKLM\...\Run: [Acrobat Assistant 8.0] => C:\Program Files\Adobe\Acrobat 11.0\Acrobat\Acrotray.exe [3477640 2012-09-23] (Adobe Systems Inc.)
HKLM\...\Policies\Explorer: [NoCDBurning] 0
HKLM\...\Command Processor:  <======= ATTENTION
HKU\S-1-5-21-3763356076-1919147837-3931081854-1006\...\Run: [ISUSPM Startup] => C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe [221184 2004-07-27] (InstallShield Software Corporation)
HKU\S-1-5-21-3763356076-1919147837-3931081854-1006\...\Run: [ISUSScheduler] => C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe [79136 2008-10-24] (Macrovision Corporation)
ShellIconOverlayIdentifiers: [ AccExtIco1] -> {AB9CF9F8-8A96-4F9D-BF21-CE85714C3A47} => C:\Program Files\Adobe\Adobe Creative Cloud\CoreSync\CoreSync_x86.dll ()
ShellIconOverlayIdentifiers: [ AccExtIco2] -> {853B7E05-C47D-4985-909A-D0DC5C6D7303} => C:\Program Files\Adobe\Adobe Creative Cloud\CoreSync\CoreSync_x86.dll ()
ShellIconOverlayIdentifiers: [ AccExtIco3] -> {42D38F2E-98E9-4382-B546-E24E4D6D04BB} => C:\Program Files\Adobe\Adobe Creative Cloud\CoreSync\CoreSync_x86.dll ()
 
==================== Internet (Whitelisted) ====================
 
(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)
 
HKU\S-1-5-21-3763356076-1919147837-3931081854-1006\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKU\S-1-5-21-3763356076-1919147837-3931081854-1006\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
BHO: Adobe PDF Reader Link Helper -> {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} -> C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
BHO: Lync Browser Helper -> {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} -> C:\Program Files\Microsoft Office\Office15\OCHelper.dll (Microsoft Corporation)
BHO: Symantec Vulnerability Protection -> {6D53EC84-6AAE-4787-AEEE-F4628F01010C} -> C:\Program Files\Symantec\Symantec Endpoint Protection\12.1.4013.4013.105\bin\IPS\IPSBHO.DLL (Symantec Corporation)
BHO: Adobe Acrobat Create PDF Toolbar Helper -> {AE7CD045-E861-484f-8273-0445EE161910} -> C:\Program Files\Common Files\Adobe\Acrobat\WCIEActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
BHO: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files\Microsoft Office\Office15\URLREDIR.DLL (Microsoft Corporation)
BHO: Microsoft SkyDrive Pro Browser Helper -> {D0498E0A-45B7-42AE-A9AA-ABA463DBD3BF} -> C:\Program Files\Microsoft Office\Office15\GROOVEEX.DLL (Microsoft Corporation)
BHO: Adobe Acrobat Create PDF from Selection -> {F4971EE7-DAA0-4053-9964-665D8EE6A077} -> C:\Program Files\Common Files\Adobe\Acrobat\WCIEActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
Toolbar: HKLM - Adobe Acrobat Create PDF Toolbar - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Common Files\Adobe\Acrobat\WCIEActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} http://support.dell.com/systemprofiler/SysPro.CAB
Handler: ms-itss - {0A9007C0-4076-11D3-8789-0000F8105754} - C:\Program Files\Common Files\Microsoft Shared\Information Retrieval\MSITSS.DLL (Microsoft Corporation)
Handler: osf - {D924BDC6-C83A-4BD5-90D0-095128A113D1} - C:\Program Files\Microsoft Office\Office15\MSOSB.DLL (Microsoft Corporation)
ShellExecuteHooks:  - {AEB6717E-7E19-11d0-97EE-00C04FD91972} -  No File [ ]
Tcpip\Parameters: [DhcpNameServer] 10.90.100.5 10.90.100.15
 
FireFox:
========
FF ProfilePath: C:\Users\Microscope\AppData\Roaming\Mozilla\Firefox\Profiles\eohjff24.default
FF Plugin: @intel-webapi.intel.com/Intel WebAPI ipt;version=1.2.22 -> C:\Program Files\Intel\Services\IPT\npIntelWebAPIIPT.dll (Intel Corporation)
FF Plugin: @intel-webapi.intel.com/Intel WebAPI updater -> C:\Program Files\Intel\Services\IPT\npIntelWebAPIUpdater.dll (Intel Corporation)
FF Plugin: @microsoft.com/GENUINE -> disabled No File
FF Plugin: @microsoft.com/Lync,version=15.0 -> C:\Program Files\Mozilla Firefox\plugins\npmeetingjoinpluginoc.dll (Microsoft Corporation)
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> C:\Program Files\Microsoft Silverlight\5.1.30514.0\npctrl.dll ( Microsoft Corporation)
FF Plugin: @microsoft.com/SharePoint,version=14.0 -> C:\PROGRA~1\MICROS~1\Office15\NPSPWRAP.DLL (Microsoft Corporation)
FF Plugin: @tools.google.com/Google Update;version=3 -> C:\Program Files\Google\Update\1.3.24.15\npGoogleUpdate3.dll (Google Inc.)
FF Plugin: @tools.google.com/Google Update;version=9 -> C:\Program Files\Google\Update\1.3.24.15\npGoogleUpdate3.dll (Google Inc.)
FF Plugin: Adobe Acrobat -> C:\Program Files\Adobe\Acrobat 11.0\Acrobat\Air\nppdf32.dll (Adobe Systems Inc.)
FF Plugin: Adobe Reader -> C:\Program Files\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF Plugin: adobe.com/AdobeAAMDetect -> C:\Program Files\Adobe\Adobe Creative Cloud\Utils\npAdobeAAMDetect32.dll (Adobe Systems)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\npMeetingJoinPluginOC.dll (Microsoft Corporation)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\NPOFFICE.DLL (Microsoft Corporation)
FF HKLM\...\Firefox\Extensions: [{BBDA0591-3099-440a-AA10-41764D9DB4DB}] - C:\ProgramData\Symantec\Symantec Endpoint Protection\12.1.4013.4013.105\Data\IPSFF
FF Extension: Symantec Vulnerability Protection - C:\ProgramData\Symantec\Symantec Endpoint Protection\12.1.4013.4013.105\Data\IPSFF [2014-09-17]
FF HKLM\...\Firefox\Extensions: [web2pdfextension@web2pdf.adobedotcom] - C:\Program Files\Adobe\Acrobat 11.0\Acrobat\Browser\WCFirefoxExtn
FF Extension: Adobe Acrobat - Create PDF - C:\Program Files\Adobe\Acrobat 11.0\Acrobat\Browser\WCFirefoxExtn [2014-09-03]
FF Extension: No Name - C:\Program Files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd} [Not Found]
 
Chrome: 
=======
CHR Profile: C:\Users\Microscope\AppData\Local\Google\Chrome\User Data\Profile 1
CHR Extension: (Google Docs) - C:\Users\Microscope\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\aohghmighlieiainnegkcijnfilokake [2014-08-14]
CHR Extension: (Google Drive) - C:\Users\Microscope\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\apdfllckaahabafndbhieahigkjlhalf [2014-08-14]
CHR Extension: (Google Voice Search Hotword (Beta)) - C:\Users\Microscope\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\bepbmhgboaologfdajaanbcjmnhjmhfn [2014-08-14]
CHR Extension: (YouTube) - C:\Users\Microscope\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2014-08-14]
CHR Extension: (Google Search) - C:\Users\Microscope\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\coobgpohoikkiipiblmjeljniedjpjpf [2014-08-14]
CHR Extension: (Adobe Acrobat - Create PDF) - C:\Users\Microscope\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\efaidnbmnnnibpcajpcglclefindmkaj [2014-09-17]
CHR Extension: (Google Wallet) - C:\Users\Microscope\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2014-08-14]
CHR Extension: (Gmail) - C:\Users\Microscope\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2014-08-14]
CHR HKLM\...\Chrome\Extension: [efaidnbmnnnibpcajpcglclefindmkaj] - C:\Program Files\Adobe\Acrobat 11.0\Acrobat\Browser\WCChromeExtn\WCChromeExtn.crx [2012-09-23]
 
========================== Services (Whitelisted) =================
 
(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)
 
R2 CcmExec; C:\Windows\CCM\CcmExec.exe [1092272 2013-08-31] (Microsoft Corporation)
R2 CmRcService; C:\Windows\CCM\RemCtrl\CmRcService.exe [470112 2012-11-21] (Microsoft Corporation)
R2 jhi_service; C:\Program Files\Intel\Services\IPT\jhi_service.exe [212944 2011-09-28] (Intel Corporation)
R3 lpasvc; C:\Program Files\Microsoft Policy Platform\policyHost.exe [48744 2012-08-02] (Microsoft Corporation)
S3 lppsvc; C:\Program Files\Microsoft Policy Platform\policyHost.exe [48744 2012-08-02] (Microsoft Corporation)
S4 MBAMScheduler; C:\Program Files\Malwarebytes Anti-Malware\mbamscheduler.exe [1871160 2014-10-01] (Malwarebytes Corporation)
S2 MBAMService; C:\Program Files\Malwarebytes Anti-Malware\mbamservice.exe [968504 2014-10-01] (Malwarebytes Corporation)
R2 SepMasterService; C:\Program Files\Symantec\Symantec Endpoint Protection\12.1.4013.4013.105\Bin\ccSvcHst.exe [144368 2014-09-17] (Symantec Corporation)
R3 SmcService; C:\Program Files\Symantec\Symantec Endpoint Protection\12.1.4013.4013.105\Bin\Smc.exe [1746576 2014-09-17] (Symantec Corporation)
S3 smstsmgr; C:\Windows\CCM\TSManager.exe [275632 2013-08-31] (Microsoft Corporation)
S3 SNAC; C:\Program Files\Symantec\Symantec Endpoint Protection\12.1.4013.4013.105\Bin\snac.exe [288656 2014-09-17] (Symantec Corporation)
S3 Smcinst; "C:\Program Files\Symantec\Symantec Endpoint Protection\12.1.2015.2015.105\SmcLU\Setup\smcinst.exe" [X]
 
==================== Drivers (Whitelisted) ====================
 
(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)
 
R3 akshasp; C:\Windows\System32\DRIVERS\akshasp.sys [327168 2006-11-22] (Aladdin Knowledge Systems Ltd.)
R3 aksusb; C:\Windows\System32\DRIVERS\aksusb.sys [100096 2006-11-22] (Aladdin Knowledge Systems Ltd.)
R1 BHDrvx86; C:\ProgramData\Symantec\Symantec Endpoint Protection\12.1.4013.4013.105\Data\Definitions\BASHDefs\20141119.011\BHDrvx86.sys [1137368 2014-10-20] (Symantec Corporation)
R1 ccSettings_{974A0163-23BB-4C9D-A3C2-611667F7A450}; C:\Windows\System32\Drivers\SEP\0C010FAD\0FAD.105\x86\ccSetx86.sys [134744 2014-09-17] (Symantec Corporation)
S3 e1cexpress; C:\Windows\System32\DRIVERS\e1c6232.sys [358224 2012-08-11] (Intel Corporation)
R1 eeCtrl; C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys [378672 2014-09-17] (Symantec Corporation)
R3 EraserUtilRebootDrv; C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [111408 2014-10-02] (Symantec Corporation)
R2 Hardlock; C:\Windows\system32\drivers\hardlock.sys [693760 2006-11-22] (Aladdin Knowledge Systems Ltd.)
R2 Haspnt; C:\Windows\system32\drivers\Haspnt.sys [47616 2014-08-19] (Aladdin Knowledge Systems) [File not signed]
R1 IDSVix86; C:\ProgramData\Symantec\Symantec Endpoint Protection\12.1.4013.4013.105\Data\Definitions\IPSDefs\20141128.011\IDSvix86.sys [395992 2014-10-24] (Symantec Corporation)
R3 MBAMProtector; C:\Windows\system32\drivers\mbam.sys [23256 2014-10-01] (Malwarebytes Corporation)
S3 MBAMWebAccessControl; C:\Windows\system32\drivers\mwac.sys [51928 2014-10-01] (Malwarebytes Corporation)
S3 MEI; C:\Windows\system32\drivers\HECI.sys [41088 2010-10-20] (Intel Corporation)
R3 NAVENG; C:\ProgramData\Symantec\Symantec Endpoint Protection\12.1.4013.4013.105\Data\Definitions\VirusDefs\20141201.001\NAVENG.SYS [95704 2014-10-02] (Symantec Corporation)
R3 NAVEX15; C:\ProgramData\Symantec\Symantec Endpoint Protection\12.1.4013.4013.105\Data\Definitions\VirusDefs\20141201.001\NAVEX15.SYS [1636696 2014-10-02] (Symantec Corporation)
R3 prepdrvr; C:\Windows\System32\DRIVERS\prepdrv.sys [20840 2012-11-21] (Microsoft Corporation)
R3 qcamdrv; C:\Windows\System32\drivers\qcamdrv.sys [23656 2012-11-30] (QImaging, Inc.)
R1 SRTSP; C:\Windows\System32\Drivers\SEP\0C010FAD\0FAD.105\x86\SRTSP.SYS [603224 2014-09-17] (Symantec Corporation)
R1 SRTSPX; C:\Windows\System32\Drivers\SEP\0C010FAD\0FAD.105\x86\SRTSPX.SYS [32344 2014-09-17] (Symantec Corporation)
S3 SyDvCtrl; C:\Program Files\Symantec\Symantec Endpoint Protection\12.1.4013.4013.105\Bin\SyDvCtrl32.sys [28576 2014-09-17] (Symantec Corporation)
R0 SymDS; C:\Windows\System32\Drivers\SEP\0C010FAD\0FAD.105\x86\SYMDS.SYS [367704 2014-09-17] (Symantec Corporation)
R0 SymEFA; C:\Windows\System32\Drivers\SEP\0C010FAD\0FAD.105\x86\SYMEFA.SYS [935512 2014-09-17] (Symantec Corporation)
R3 SymEvent; C:\Windows\system32\Drivers\SYMEVENT.SYS [142936 2014-09-17] (Symantec Corporation)
R1 SymIRON; C:\Windows\System32\Drivers\SEP\0C010FAD\0FAD.105\x86\Ironx86.SYS [175192 2014-09-17] (Symantec Corporation)
R1 SYMNETS; C:\Windows\System32\Drivers\SEP\0C010FAD\0FAD.105\x86\SYMNETS.SYS [341080 2014-09-17] (Symantec Corporation)
R1 SysPlant; C:\Windows\System32\Drivers\SysPlant.sys [126440 2014-09-17] (Symantec Corporation)
R3 t1394bus; C:\Windows\System32\DRIVERS\t1394bus.sys [131944 2010-06-18] ()
R1 Teefer2; C:\Windows\System32\DRIVERS\Teefer.sys [72880 2014-09-17] (Symantec Corporation)
R3 vpcbus; C:\Windows\System32\DRIVERS\vpchbus.sys [165376 2009-09-22] (Microsoft Corporation)
R1 vpcnfltr; C:\Windows\System32\DRIVERS\vpcnfltr.sys [55040 2009-09-22] (Microsoft Corporation)
R3 vpcusb; C:\Windows\System32\DRIVERS\vpcusb.sys [78336 2009-09-22] (Microsoft Corporation)
R1 vpcvmm; C:\Windows\System32\drivers\vpcvmm.sys [295936 2009-12-31] (Microsoft Corporation)
 
==================== NetSvcs (Whitelisted) ===================
 
 
(If an item is included in the fixlist, it will be removed from the registry. Any associated file could be listed separately to be moved.)
 
 
==================== One Month Created Files and Folders ========
 
(If an entry is included in the fixlist, the file\folder will be moved.)
 
2014-12-08 11:29 - 2014-12-08 11:29 - 00017237 _____ () C:\Users\Microscope\Downloads\FRST.txt
2014-12-08 11:28 - 2014-12-08 11:29 - 00000000 ____D () C:\FRST
2014-12-08 11:28 - 2014-12-08 11:28 - 01111040 _____ (Farbar) C:\Users\Microscope\Downloads\FRST (1).exe
2014-12-08 11:25 - 2014-12-08 11:25 - 01111040 _____ (Farbar) C:\Users\Microscope\Downloads\frst.exe
2014-12-08 11:06 - 2014-12-08 11:17 - 00000000 ____D () C:\AdwCleaner
2014-12-08 11:06 - 2014-12-08 11:06 - 02153472 _____ () C:\Users\Microscope\Downloads\adwcleaner_4.104.exe
2014-12-08 11:06 - 2014-12-08 11:06 - 00000055 _____ () C:\AdwCleanerDebug.txt
2014-12-01 15:50 - 2014-12-01 15:50 - 00015981 _____ () C:\Users\Microscope\Desktop\dds.txt
2014-12-01 15:50 - 2014-12-01 15:50 - 00014640 _____ () C:\Users\Microscope\Desktop\attach.txt
2014-12-01 15:49 - 2014-12-01 15:49 - 00688992 ____R (Swearware) C:\Users\Microscope\Downloads\dds (1).com
2014-12-01 15:48 - 2014-12-01 15:48 - 00688992 _____ (Swearware) C:\Users\Microscope\Downloads\dds.com
2014-12-01 14:33 - 2014-12-01 14:33 - 07218856 _____ (Symantec Corporation) C:\Users\Microscope\Downloads\SymHelp (2).exe
2014-11-25 13:32 - 2014-11-25 13:33 - 07218856 _____ (Symantec Corporation) C:\Users\Microscope\Downloads\SymHelp.exe
2014-11-25 13:32 - 2014-11-25 13:32 - 07218856 _____ (Symantec Corporation) C:\Users\Microscope\Downloads\SymHelp (1).exe
2014-11-21 16:13 - 2014-11-25 13:33 - 00114904 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
2014-11-21 16:12 - 2014-11-21 16:12 - 00001064 _____ () C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2014-11-21 16:12 - 2014-11-21 16:12 - 00000000 ____D () C:\ProgramData\Malwarebytes
2014-11-21 16:12 - 2014-11-21 16:12 - 00000000 ____D () C:\Program Files\Malwarebytes Anti-Malware
2014-11-21 16:12 - 2014-10-01 11:11 - 00075480 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbamchameleon.sys
2014-11-21 16:12 - 2014-10-01 11:11 - 00051928 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mwac.sys
2014-11-21 16:12 - 2014-10-01 11:11 - 00023256 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbam.sys
2014-11-21 16:07 - 2014-11-21 16:07 - 19828376 _____ (Malwarebytes Corporation ) C:\Users\Microscope\Downloads\mbam-setup-2.0.3.1025.exe
2014-11-20 11:38 - 2014-11-10 21:44 - 00550912 _____ (Microsoft Corporation) C:\Windows\system32\kerberos.dll
2014-11-20 11:38 - 2014-11-10 21:44 - 00186880 _____ (Microsoft Corporation) C:\Windows\system32\pku2u.dll
2014-11-18 13:31 - 2014-11-18 13:31 - 00585104 _____ () C:\Windows\Minidump\111814-31278-01.dmp
2014-11-13 17:04 - 2014-11-13 17:04 - 02886440 _____ () C:\Users\Microscope\Desktop\50000.tif
2014-11-13 17:03 - 2014-11-13 17:03 - 02886440 _____ () C:\Users\Microscope\Desktop\5000.tif
2014-11-13 17:03 - 2014-11-13 17:03 - 02886440 _____ () C:\Users\Microscope\Desktop\500.tif
2014-11-13 17:02 - 2014-11-13 17:02 - 02886440 _____ () C:\Users\Microscope\Desktop\No primary.tif
2014-11-13 12:39 - 2014-11-13 12:39 - 00595752 _____ () C:\Windows\Minidump\111314-34491-01.dmp
2014-11-13 11:54 - 2014-11-05 12:50 - 00254464 _____ (Microsoft Corporation) C:\Windows\system32\generaltel.dll
2014-11-13 11:54 - 2014-11-05 12:50 - 00203776 _____ (Microsoft Corporation) C:\Windows\system32\aepdu.dll
2014-11-13 11:54 - 2014-11-05 12:47 - 00302592 _____ (Microsoft Corporation) C:\Windows\system32\aeinv.dll
2014-11-13 11:54 - 2014-10-25 10:46 - 00981504 _____ (Microsoft Corporation) C:\Windows\system32\wininet.dll
2014-11-13 11:54 - 2014-10-25 10:45 - 11019264 _____ (Microsoft Corporation) C:\Windows\system32\ieframe.dll
2014-11-13 11:54 - 2014-10-25 10:45 - 06026240 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.dll
2014-11-13 11:54 - 2014-10-25 10:45 - 02086912 _____ (Microsoft Corporation) C:\Windows\system32\iertutil.dll
2014-11-13 11:54 - 2014-10-25 10:45 - 01267712 _____ (Microsoft Corporation) C:\Windows\system32\urlmon.dll
2014-11-13 11:54 - 2014-10-25 10:45 - 00627712 _____ (Microsoft Corporation) C:\Windows\system32\msfeeds.dll
2014-11-13 11:54 - 2014-10-25 10:45 - 00176640 _____ (Microsoft Corporation) C:\Windows\system32\ieui.dll
2014-11-13 11:54 - 2014-10-25 10:45 - 00132096 _____ (Microsoft Corporation) C:\Windows\system32\url.dll
2014-11-13 11:54 - 2014-10-25 10:45 - 00067584 _____ (Microsoft Corporation) C:\Windows\system32\mshtmled.dll
2014-11-13 11:54 - 2014-10-25 10:45 - 00064512 _____ (Microsoft Corporation) C:\Windows\system32\msfeedsbs.dll
2014-11-13 11:54 - 2014-10-25 10:45 - 00048640 _____ (Microsoft Corporation) C:\Windows\system32\jsproxy.dll
2014-11-13 11:54 - 2014-10-25 10:44 - 00345600 _____ (Microsoft Corporation) C:\Windows\system32\dxtmsft.dll
2014-11-13 11:54 - 2014-10-25 10:44 - 00216064 _____ (Microsoft Corporation) C:\Windows\system32\dxtrans.dll
2014-11-13 11:54 - 2014-10-25 10:43 - 01466368 _____ (Microsoft Corporation) C:\Windows\system32\inetcpl.cpl
2014-11-13 11:54 - 2014-10-25 10:43 - 00142848 _____ (Microsoft Corporation) C:\Windows\system32\ieUnatt.exe
2014-11-13 11:54 - 2014-10-25 10:43 - 00050176 _____ (Microsoft Corporation) C:\Windows\system32\mshta.exe
2014-11-13 11:54 - 2014-10-25 10:43 - 00016384 _____ (Microsoft Corporation) C:\Windows\system32\msfeedssync.exe
2014-11-13 11:54 - 2014-10-25 07:39 - 01638912 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.tlb
2014-11-13 11:54 - 2014-10-24 20:32 - 00067584 _____ (Microsoft Corporation) C:\Windows\system32\packager.dll
2014-11-13 11:54 - 2014-10-17 20:33 - 00571904 _____ (Microsoft Corporation) C:\Windows\system32\oleaut32.dll
2014-11-13 11:54 - 2014-10-13 20:56 - 00136632 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\ksecpkg.sys
2014-11-13 11:54 - 2014-10-13 20:50 - 02363904 _____ (Microsoft Corporation) C:\Windows\system32\msi.dll
2014-11-13 11:54 - 2014-10-13 20:50 - 01059840 _____ (Microsoft Corporation) C:\Windows\system32\lsasrv.dll
2014-11-13 11:54 - 2014-10-13 20:50 - 00523776 _____ (Microsoft Corporation) C:\Windows\system32\termsrv.dll
2014-11-13 11:54 - 2014-10-13 20:47 - 00146432 _____ (Microsoft Corporation) C:\Windows\system32\msaudite.dll
2014-11-13 11:54 - 2014-10-13 20:46 - 00681984 _____ (Microsoft Corporation) C:\Windows\system32\adtschema.dll
2014-11-13 11:54 - 2014-10-09 19:45 - 02379264 _____ (Microsoft Corporation) C:\Windows\system32\win32k.sys
2014-11-13 11:54 - 2014-10-02 20:44 - 00475136 _____ (Microsoft Corporation) C:\Windows\system32\audiosrv.dll
2014-11-13 11:54 - 2014-10-02 20:44 - 00442880 _____ (Microsoft Corporation) C:\Windows\system32\AUDIOKSE.dll
2014-11-13 11:54 - 2014-10-02 20:44 - 00374784 _____ (Microsoft Corporation) C:\Windows\system32\AudioEng.dll
2014-11-13 11:54 - 2014-10-02 20:44 - 00275968 _____ (Microsoft Corporation) C:\Windows\system32\EncDump.dll
2014-11-13 11:54 - 2014-10-02 20:44 - 00195584 _____ (Microsoft Corporation) C:\Windows\system32\AudioSes.dll
2014-11-13 11:54 - 2014-09-19 04:23 - 00259584 _____ (Microsoft Corporation) C:\Windows\system32\msv1_0.dll
2014-11-13 11:54 - 2014-09-19 04:23 - 00248832 _____ (Microsoft Corporation) C:\Windows\system32\schannel.dll
2014-11-13 11:54 - 2014-09-19 04:23 - 00221184 _____ (Microsoft Corporation) C:\Windows\system32\ncrypt.dll
2014-11-13 11:54 - 2014-09-19 04:23 - 00172032 _____ (Microsoft Corporation) C:\Windows\system32\wdigest.dll
2014-11-13 11:54 - 2014-09-19 04:23 - 00065536 _____ (Microsoft Corporation) C:\Windows\system32\TSpkg.dll
2014-11-13 11:54 - 2014-09-19 04:23 - 00017408 _____ (Microsoft Corporation) C:\Windows\system32\credssp.dll
2014-11-13 11:54 - 2014-08-21 01:26 - 01237504 _____ (Microsoft Corporation) C:\Windows\system32\msxml3.dll
2014-11-13 11:54 - 2014-08-21 01:23 - 00002048 _____ (Microsoft Corporation) C:\Windows\system32\msxml3r.dll
2014-11-13 11:54 - 2014-08-11 20:36 - 00701440 _____ (Microsoft Corporation) C:\Windows\system32\IMJP10K.DLL
 
==================== One Month Modified Files and Folders =======
 
(If an entry is included in the fixlist, the file\folder will be moved.)
 
2014-12-08 11:27 - 2009-07-13 23:34 - 00026352 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2014-12-08 11:27 - 2009-07-13 23:34 - 00026352 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2014-12-08 11:24 - 2014-08-14 18:03 - 01427942 _____ () C:\Windows\WindowsUpdate.log
2014-12-08 11:24 - 2013-05-02 16:09 - 00783834 _____ () C:\Windows\system32\PerfStringBackup.INI
2014-12-08 11:22 - 2013-05-14 15:52 - 00000570 _____ () C:\Windows\SMSCFG.ini
2014-12-08 11:20 - 2013-05-14 18:24 - 00002224 _____ () C:\Windows\system32\config\netlogon.ftl
2014-12-08 11:19 - 2013-05-02 14:15 - 00756762 _____ () C:\Windows\PFRO.log
2014-12-08 11:19 - 2009-07-13 23:53 - 00000006 ____H () C:\Windows\Tasks\SA.DAT
2014-12-08 11:19 - 2009-07-13 23:39 - 00348292 _____ () C:\Windows\setupact.log
2014-12-08 11:14 - 2014-08-14 16:11 - 00000000 ____D () C:\Users\Microscope\AppData\Local\Adobe
2014-12-01 16:30 - 2013-05-03 06:55 - 00000830 _____ () C:\Windows\Tasks\Adobe Flash Player Updater.job
2014-12-01 14:37 - 2013-05-14 18:26 - 00026772 __RSH () C:\ProgramData\ntuser.pol
2014-12-01 14:14 - 2013-05-02 14:00 - 00000000 ____D () C:\ProgramData\Symantec
2014-12-01 12:43 - 2009-07-13 21:37 - 00000000 ____D () C:\Windows\rescache
2014-11-25 14:35 - 2009-07-13 21:37 - 00000000 ____D () C:\Windows\Microsoft.NET
2014-11-25 12:53 - 2014-08-15 07:32 - 00111912 _____ () C:\Users\Microscope\AppData\Local\GDIPFONTCACHEV1.DAT
2014-11-25 12:32 - 2014-08-14 15:51 - 00000000 ____D () C:\QCapturePro60
2014-11-25 12:10 - 2008-04-07 12:04 - 00002034 _____ () C:\Users\Microscope\AppData\Roaming\IPBENG32.DAT
2014-11-25 12:09 - 2009-07-13 23:33 - 00431488 _____ () C:\Windows\system32\FNTCACHE.DAT
2014-11-25 12:06 - 2014-08-15 13:08 - 00000000 ___SD () C:\Windows\system32\CompatTel
2014-11-21 16:48 - 2013-05-15 13:07 - 00000000 ___RD () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Office 2013
2014-11-21 16:47 - 2013-05-02 14:05 - 00000000 ____D () C:\ProgramData\Microsoft Help
2014-11-21 16:41 - 2009-07-13 21:04 - 00000478 _____ () C:\Windows\win.ini
2014-11-21 16:28 - 2014-08-15 08:53 - 00000000 ____D () C:\Windows\system32\MRT
2014-11-21 16:22 - 2009-07-13 21:37 - 00000000 ____D () C:\Windows\Web
2014-11-18 13:31 - 2014-09-02 11:42 - 00000000 ____D () C:\Windows\Minidump
2014-11-18 13:31 - 2014-09-02 11:41 - 453054002 _____ () C:\Windows\MEMORY.DMP
2014-11-14 12:30 - 2013-05-03 06:55 - 00701104 _____ (Adobe Systems Incorporated) C:\Windows\system32\FlashPlayerApp.exe
2014-11-14 12:30 - 2013-05-03 06:55 - 00071344 _____ (Adobe Systems Incorporated) C:\Windows\system32\FlashPlayerCPLApp.cpl
2014-11-13 17:07 - 2014-08-14 15:48 - 00000000 ____D () C:\Users\Microscope
 
Some content of TEMP:
====================
C:\Users\Microscope\AppData\Local\Temp\Quarantine.exe
C:\Users\Microscope\AppData\Local\Temp\sqlite3.dll
 
 
==================== Bamital & volsnap Check =================
 
(There is no automatic fix for files that do not pass verification.)
 
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\system32\winlogon.exe => File is digitally signed
C:\Windows\system32\wininit.exe => File is digitally signed
C:\Windows\system32\svchost.exe => File is digitally signed
C:\Windows\system32\services.exe => File is digitally signed
C:\Windows\system32\User32.dll => File is digitally signed
C:\Windows\system32\userinit.exe => File is digitally signed
C:\Windows\system32\rpcss.dll => File is digitally signed
C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed
 
 
LastRegBack: 2014-11-25 15:57
 
==================== End Of Log ============================

The computer seems to be running OK but I shut it down shortly after my first post and haven't touched it since so I don't have much to report there. 


#4 nasdaq

  • Malware Response Team
  • 38,747 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 08 December 2014 - 02:28 PM

Open notepad (Start =>All Programs => Accessories => Notepad). Please copy the entire contents of the code box below.
start

HKLM\...\Run: [] => [X]
HKLM\...\Command Processor:  <======= ATTENTION
ShellExecuteHooks:  - {AEB6717E-7E19-11d0-97EE-00C04FD91972} -  No File [ ]
FF Plugin: @microsoft.com/GENUINE -> disabled No File
FF Extension: No Name - C:\Program Files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd} [Not Found]
CHR Extension: (Google Wallet) - C:\Users\Microscope\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2014-08-14]
S3 Smcinst; "C:\Program Files\Symantec\Symantec Endpoint Protection\12.1.2015.2015.105\SmcLU\Setup\smcinst.exe" [X]

End
Save the file as fixlist.txt into the same folder as FRST

Run FRST and click Fix only once and wait.

Restart the computer normally to reset the registry.

The tool will create a log, Fixlog.txt; please post it in your reply.
===

Download Security Check by screen317 from here
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.
p.s.
If the SecurityCheck program fails to run for any reason, run it as an Administrator.

If the site is busy or not available use this mirror site:
http://www.bleepingcomputer.com/download/securitycheck/

How is the computer running now?

======

#5 bmorescience

  • Topic Starter
  • Members
  • 5 posts

Posted 08 December 2014 - 04:21 PM

Fixlog.txt: 

 

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x86) Version: 07-12-2014 01
Ran by Microscope at 2014-12-08 15:03:37 Run:1
Running from C:\Users\Microscope\Downloads
Loaded Profile: Microscope (Available profiles: Microscope & Pitadmin)
Boot Mode: Normal
 
==============================================
 
Content of fixlist:
*****************
start
 
HKLM\...\Run: [] => [X]
HKLM\...\Command Processor:  <======= ATTENTION
ShellExecuteHooks:  - {AEB6717E-7E19-11d0-97EE-00C04FD91972} -  No File [ ]
FF Plugin: @microsoft.com/GENUINE -> disabled No File
FF Extension: No Name - C:\Program Files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd} [Not Found]
CHR Extension: (Google Wallet) - C:\Users\Microscope\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2014-08-14]
S3 Smcinst; "C:\Program Files\Symantec\Symantec Endpoint Protection\12.1.2015.2015.105\SmcLU\Setup\smcinst.exe" [X]
 
End
*****************
 
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\\ => value deleted successfully.
HKLM\Software\Microsoft\Command Processor\\AutoRun => value deleted successfully.
HKLM\Software\Microsoft\Windows\CurrentVersion\explorer\ShellExecuteHooks\\{AEB6717E-7E19-11d0-97EE-00C04FD91972} => value deleted successfully.
"HKCR\CLSID\{AEB6717E-7E19-11d0-97EE-00C04FD91972}" => Key not found.
"HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE" => Key deleted successfully.
C:\Program Files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd} => not found.
C:\Users\Microscope\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\nmmhkkegccagdldgiimedpiccmgmieda => Moved successfully.
Smcinst => Service deleted successfully.
 
==== End of Fixlog ====
 
 
Checkup.txt:
 

Results of screen317's Security Check version 0.99.91  
 Windows 7 Service Pack 1 x86 (UAC is disabled!)  
``````````````Antivirus/Firewall Check:`````````````` 
 Windows Firewall Enabled!  
Symantec Endpoint Protection   
 WMI entry may not exist for antivirus; attempting automatic update. 
`````````Anti-malware/Other Utilities Check:````````` 
 Malwarebytes Anti-Malware version 2.0.3.1025  
 Adobe Reader 8  
 Adobe Reader XI  
 Google Chrome 35.0.1916.153 Google Chrome out of date!  
````````Process Check: objlist.exe by Laurent````````  
 Norton ccSvcHst.exe 
`````````````````System Health check````````````````` 
 Total Fragmentation on Drive C: 0% 
````````````````````End of Log`````````````````````` 
 
 
 
Thanks for all your help! It seems like the problem is fixed. The only hint I originally had of a problem was the Symantec scan log. I ran a full scan after doing the Security Check and it came back clean, no risks found. Is there anything else I should do? 


#6 nasdaq

  • Malware Response Team
  • 38,747 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 09 December 2014 - 08:47 AM

Looking good.

If all is well.

To learn more about how to protect yourself while on the internet, read this little guide, Best security practices. Keep safe.
http://www.bleepingcomputer.com/forums/t/407147/answers-to-common-security-questions-best-practices/
===

#7 bmorescience

  • Topic Starter
  • Members
  • 5 posts

Posted 09 December 2014 - 11:18 AM

Thanks for all your help!
#8 nasdaq

  • Malware Response Team
  • 38,747 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 09 December 2014 - 02:15 PM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.