
Hijacked HOSTS file


  • This topic is locked
6 replies to this topic

#1 hermanocleas

hermanocleas

  • Members
  • 29 posts
  • OFFLINE
  • Local time:10:30 AM

Posted 29 January 2015 - 11:39 AM

Attached File  Addition.txt   25.54KB   7 downloads

 

Greetings,

 

I recently ran Malwarebytes on a PC after noticing unusually slow behavior in IE11. It picked up around 20 items, 5 of which it cannot resolve, those being the HOSTS file hijack registry entries. I ran a HijackThis scan and can see the "01" Hosts file entries; however, I'm not sure if those are all I need to clean out.

 

Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 28-01-2015
Ran by ADMINuser (administrator) on 8ZBHXV1 on 29-01-2015 10:44:35
Running from C:\Users\ADMINuser.DOMAIN\Desktop
Loaded Profiles: ADMINuser (Available profiles: JustinW & TonyI & ADMINuser & ZabdielLH & ADMINuser)
Platform: Windows 7 Professional Service Pack 1 (X64) OS Language: English (United States)
Internet Explorer Version 10 (Default browser: IE)
Boot Mode: Safe Mode (with Networking)
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(Webroot) C:\Program Files (x86)\Webroot\WRSA.exe
(Webroot) C:\Program Files (x86)\Webroot\WRSA.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe
(Trend Micro Inc.) C:\Users\ADMINuser.DOMAIN\Desktop\HijackThis.exe
(Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe

==================== Registry (Whitelisted) ==================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [cAudioFilterAgent] => C:\Program Files\Conexant\cAudioFilterAgent\cAudioFilterAgent64.exe [564352 2011-12-15] (Conexant Systems, Inc.)
HKLM\...\Run: [SmartAudio] => C:\Program Files\CONEXANT\SAII\SAIICpl.exe [310912 2011-06-24] (Conexant Systems, Inc.)
HKLM\...\Run: [ADPINIT] => C:\ProgramData\Bluezone\ADPInit.exe [1166068 2013-12-13] (ADP Dealer Services)
HKLM-x32\...\Run: [Adobe ARM] => C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe [1021128 2014-11-20] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [] => [X]
HKLM-x32\...\Run: [Adobe Acrobat Speed Launcher] => C:\Program Files (x86)\Adobe\Acrobat 10.0\Acrobat\Acrobat_sl.exe [41360 2014-12-03] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [Acrobat Assistant 8.0] => C:\Program Files (x86)\Adobe\Acrobat 10.0\Acrobat\Acrotray.exe [840592 2014-12-03] (Adobe Systems Inc.)
HKLM-x32\...\Run: [WRSVC] => C:\Program Files (x86)\Webroot\WRSA.exe [773320 2014-12-10] (Webroot)
HKLM-x32\...\Run: [SunJavaUpdateSched] => C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe [253816 2013-03-12] (Oracle Corporation)
HKLM\...\Winlogon: [Userinit] C:\Windows\System32\KUsrInit.exe,
Winlogon\Notify\igfxcui: C:\Windows\system32\igfxdev.dll (Intel Corporation)
HKU\S-1-5-21-471295695-1943499188-740312968-500\...\RunOnce: [Adobe Speed Launcher] => 1422481022
HKU\S-1-5-21-471295695-1943499188-740312968-500\...\Policies\system: [SetVisualStyle]
HKU\S-1-5-21-471295695-1943499188-740312968-500\...\Policies\Explorer: [HideSCAHealth] 1

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

HKU\S-1-5-21-471295695-1943499188-740312968-500\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
HKU\S-1-5-21-471295695-1943499188-740312968-500\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://www.msn.com/?ocid=iehp
SearchScopes: HKLM -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-21-471295695-1943499188-740312968-500 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
BHO: TmIEPlugInBHO Class -> {1CA1377B-DC1D-4A52-9585-6E06050FAC53} -> c:\Program Files (x86)\Trend Micro\Client Server Security Agent\bho\1009\TmIEPlg.dll No File
BHO: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL (Microsoft Corporation)
BHO-x32: TmIEPlugInBHO Class -> {1CA1377B-DC1D-4A52-9585-6E06050FAC53} -> c:\Program Files (x86)\Trend Micro\Client Server Security Agent\bho\1009\TmIEPlg32.dll No File
BHO-x32: Java™ Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files (x86)\Java\jre7\bin\ssv.dll (Oracle Corporation)
BHO-x32: Adobe PDF Conversion Toolbar Helper -> {AE7CD045-E861-484f-8273-0445EE161910} -> C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
BHO-x32: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files (x86)\Microsoft Office\Office14\URLREDIR.DLL (Microsoft Corporation)
BHO-x32: Java™ Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files (x86)\Java\jre7\bin\jp2ssv.dll (Oracle Corporation)
BHO-x32: SmartSelect Class -> {F4971EE7-DAA0-4053-9964-665D8EE6A077} -> C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
Toolbar: HKLM-x32 - Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
Toolbar: HKU\S-1-5-21-471295695-1943499188-740312968-500 -> No Name - {47833539-D0C5-4125-9FA8-0819E2EAAC93} -  No File
DPF: HKLM-x32 {00906302-0F14-442C-B39C-275F61BC25BC} http://206.93.48.97/apps/autoTools/sda/common/atSdaCfg.CAB
Handler: tmpx - {0E526CB5-7446-41D1-A403-19BFE95E8C23} - c:\Program Files (x86)\Trend Micro\Client Server Security Agent\bho\1009\TmIEPlg32.dll No File
Hosts: There are more than one entry in Hosts. See Hosts section of Addition.txt
Tcpip\Parameters: [DhcpNameServer] 192.168.1.10 192.168.1.9

FireFox:
========
FF Plugin: @microsoft.com/GENUINE -> disabled No File
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files\Microsoft Silverlight\5.1.31211.0\npctrl.dll ( Microsoft Corporation)
FF Plugin: @microsoft.com/OfficeAuthz,version=14.0 -> C:\PROGRA~1\MICROS~1\Office14\NPAUTHZ.DLL (Microsoft Corporation)
FF Plugin-x32: @intel-webapi.intel.com/Intel WebAPI ipt;version=2.0.59 -> C:\Program Files (x86)\Intel\Intel® Management Engine Components\IPT\npIntelWebAPIIPT.dll (Intel Corporation)
FF Plugin-x32: @intel-webapi.intel.com/Intel WebAPI updater -> C:\Program Files (x86)\Intel\Intel® Management Engine Components\IPT\npIntelWebAPIUpdater.dll (Intel Corporation)
FF Plugin-x32: @java.com/DTPlugin,version=10.25.2 -> C:\Windows\SysWOW64\npDeployJava1.dll (Oracle Corporation)
FF Plugin-x32: @java.com/JavaPlugin,version=10.25.2 -> C:\Program Files (x86)\Java\jre7\bin\plugin2\npjp2.dll (Oracle Corporation)
FF Plugin-x32: @microsoft.com/GENUINE -> disabled No File
FF Plugin-x32: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files (x86)\Microsoft Silverlight\5.1.31211.0\npctrl.dll ( Microsoft Corporation)
FF Plugin-x32: @microsoft.com/OfficeAuthz,version=14.0 -> C:\PROGRA~2\MICROS~1\Office14\NPAUTHZ.DLL (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/SharePoint,version=14.0 -> C:\PROGRA~2\MICROS~1\Office14\NPSPWRAP.DLL (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/WLPG,version=15.4.3502.0922 -> C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll No File
FF Plugin-x32: Adobe Acrobat -> C:\Program Files (x86)\Adobe\Acrobat 10.0\Acrobat\Air\nppdf32.dll (Adobe Systems Inc.)
FF HKLM-x32\...\Firefox\Extensions: [web2pdfextension@web2pdf.adobedotcom] - C:\Program Files (x86)\Adobe\Acrobat 10.0\Acrobat\Browser\WCFirefoxExtn
FF Extension: Adobe Acrobat - Create PDF - C:\Program Files (x86)\Adobe\Acrobat 10.0\Acrobat\Browser\WCFirefoxExtn [2012-10-23]
FF HKLM-x32\...\Firefox\Extensions: [{22C7F6C6-8D67-4534-92B5-529A0EC09405}] - c:\Program Files (x86)\Trend Micro\Client Server Security Agent\bho\1009\FirefoxExtension

==================== Services (Whitelisted) =================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

S2 AMPAgent; C:\Program Files (x86)\Dell\KACE\AMPAgent.exe [3840128 2014-07-18] (Dell Inc.)
S2 jhi_service; C:\Program Files (x86)\Intel\Intel® Management Engine Components\DAL\jhi_service.exe [161560 2012-02-28] (Intel Corporation)
S2 sprtsvc_smartagent; C:\Program Files (x86)\smartagent\bin\sprtsvc.exe [206120 2011-11-02] (SupportSoft, Inc.)
S2 SupportSoft RemoteAssist; C:\Program Files (x86)\Common Files\supportsoft\bin\ssrc.exe [329080 2011-11-02] (SupportSoft, Inc.)
S2 tgsrvc_smartagent; C:\Program Files (x86)\smartagent\bin\tgsrvc.exe [185640 2011-11-02] (SupportSoft, Inc.)
S3 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [1011712 2013-05-26] (Microsoft Corporation)
R2 WRSVC; C:\Program Files (x86)\Webroot\WRSA.exe [773320 2014-12-10] (Webroot)
S3 F-Secure Launcher; %SystemRoot%\Launcher.exe fslaunch.ini [X]

==================== Drivers (Whitelisted) ====================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

R0 WRkrn; C:\Windows\System32\drivers\WRkrn.sys [115744 2014-12-10] (Webroot)

==================== NetSvcs (Whitelisted) ===================

(If an item is included in the fixlist, it will be removed from the registry. Any associated file could be listed separately to be moved.)

==================== One Month Created Files and Folders ========

(If an entry is included in the fixlist, the file\folder will be moved.)

2015-01-29 10:44 - 2015-01-29 10:45 - 00009206 _____ () C:\Users\ADMINuser.DOMAIN\Desktop\FRST.txt
2015-01-29 10:44 - 2015-01-29 10:44 - 02130432 _____ (Farbar) C:\Users\ADMINuser.DOMAIN\Desktop\FRST64.exe
2015-01-29 10:44 - 2015-01-29 10:44 - 00000000 ____D () C:\FRST
2015-01-29 10:31 - 2015-01-29 10:31 - 00010666 _____ () C:\Users\ADMINuser.DOMAIN\Desktop\hijackthis.log
2015-01-29 10:23 - 2015-01-29 10:23 - 00388608 _____ (Trend Micro Inc.) C:\Users\ADMINuser.DOMAIN\Desktop\HijackThis.exe
2015-01-29 09:39 - 2015-01-29 09:39 - 00000000 _____ () C:\KBSERVICE.SHUTDOWN
2015-01-28 09:39 - 2015-01-28 15:48 - 00129752 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
2015-01-28 09:37 - 2015-01-28 09:37 - 00001100 _____ () C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2015-01-28 09:37 - 2015-01-28 09:37 - 00000000 ____D () C:\ProgramData\Malwarebytes
2015-01-28 09:37 - 2015-01-28 09:37 - 00000000 ____D () C:\Program Files (x86)\Malwarebytes Anti-Malware
2015-01-28 09:37 - 2014-11-21 06:23 - 00093400 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbamchameleon.sys
2015-01-28 09:37 - 2014-11-21 06:23 - 00063704 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mwac.sys
2015-01-28 09:37 - 2014-11-21 06:23 - 00025816 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbam.sys
2015-01-28 09:32 - 2015-01-28 15:43 - 00003712 _____ () C:\Users\ADMINuser.DOMAIN\Desktop\Rkill.txt
2015-01-28 09:31 - 2015-01-28 09:32 - 20447176 _____ (Malwarebytes Corporation ) C:\Users\ADMINuser.DOMAIN\Downloads\mbam-setup.exe
2015-01-28 09:29 - 2015-01-28 09:29 - 01943800 _____ (Bleeping Computer, LLC) C:\Users\ADMINuser.DOMAIN\Desktop\iExplore.exe
2015-01-15 13:48 - 2015-01-16 13:39 - 00000122 _____ () C:\Users\tonyi\.ewanapi_cookie
2015-01-13 12:57 - 2014-12-18 21:30 - 00265216 _____ (Microsoft Corporation) C:\Windows\system32\WebClnt.dll
2015-01-13 12:57 - 2014-12-18 21:30 - 00225792 _____ (Microsoft Corporation) C:\Windows\system32\profsvc.dll
2015-01-13 12:57 - 2014-12-18 21:30 - 00109056 _____ (Microsoft Corporation) C:\Windows\system32\davclnt.dll
2015-01-13 12:57 - 2014-12-18 21:30 - 00033792 _____ (Microsoft Corporation) C:\Windows\system32\profprov.dll
2015-01-13 12:57 - 2014-12-18 21:03 - 00210432 _____ (Microsoft Corporation) C:\Windows\SysWOW64\WebClnt.dll
2015-01-13 12:57 - 2014-12-18 21:03 - 00087552 _____ (Microsoft Corporation) C:\Windows\SysWOW64\davclnt.dll
2015-01-13 12:57 - 2014-12-18 19:53 - 00142336 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\mrxdav.sys
2015-01-13 12:57 - 2014-12-12 00:07 - 05553080 _____ (Microsoft Corporation) C:\Windows\system32\ntoskrnl.exe
2015-01-13 12:57 - 2014-12-12 00:07 - 00693176 _____ (Microsoft Corporation) C:\Windows\system32\winload.efi
2015-01-13 12:57 - 2014-12-12 00:05 - 00617384 _____ (Microsoft Corporation) C:\Windows\system32\winresume.efi
2015-01-13 12:57 - 2014-12-11 23:45 - 03977656 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ntkrnlpa.exe
2015-01-13 12:57 - 2014-12-11 23:45 - 03921848 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ntoskrnl.exe
2015-01-13 12:57 - 2014-12-11 11:47 - 00087040 _____ (Microsoft Corporation) C:\Windows\system32\TSWbPrxy.exe
2015-01-13 12:57 - 2014-12-05 22:31 - 00303616 _____ (Microsoft Corporation) C:\Windows\system32\nlasvc.dll
2015-01-13 12:57 - 2014-12-05 22:31 - 00223744 _____ (Microsoft Corporation) C:\Windows\system32\ncsi.dll
2015-01-13 12:57 - 2014-12-05 22:18 - 00162304 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ncsi.dll
2015-01-13 12:57 - 2014-12-05 22:18 - 00052224 _____ (Microsoft Corporation) C:\Windows\SysWOW64\nlaapi.dll
2015-01-13 12:57 - 2014-10-28 20:16 - 00619056 _____ (Microsoft Corporation) C:\Windows\system32\winload.exe

==================== One Month Modified Files and Folders =======

(If an entry is included in the fixlist, the file\folder will be moved.)

2015-01-29 10:44 - 2014-02-18 09:14 - 00000000 ____D () C:\ProgramData\WRData
2015-01-29 09:49 - 2012-11-14 08:44 - 00000128 _____ () C:\Windows\system32\config\netlogon.ftl
2015-01-29 09:44 - 2009-07-13 23:13 - 00805496 _____ () C:\Windows\system32\PerfStringBackup.INI
2015-01-29 09:39 - 2012-10-23 09:06 - 02092092 _____ () C:\Windows\WindowsUpdate.log
2015-01-29 09:39 - 2009-07-13 22:45 - 00021312 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2015-01-29 09:39 - 2009-07-13 22:45 - 00021312 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2015-01-29 09:07 - 2014-09-19 00:11 - 00000830 _____ () C:\Windows\Tasks\Adobe Flash Player Updater.job
2015-01-29 09:06 - 2014-12-16 11:05 - 00001451 _____ () C:\Users\ADMINuser.DOMAIN\Desktop\Higher Gear.lnk
2015-01-29 09:06 - 2014-12-16 11:05 - 00000074 _____ () C:\Users\ADMINuser.DOMAIN\Desktop\DOMAIN Email.url
2015-01-29 09:06 - 2014-06-17 09:25 - 00000056 _____ () C:\Users\ADMINuser.DOMAIN\Desktop\Network Shares.url
2015-01-28 15:37 - 2013-04-13 02:35 - 00000036 _____ () C:\Windows\wwwbatch.ini
2015-01-28 15:36 - 2009-07-13 23:08 - 00000006 ____H () C:\Windows\Tasks\SA.DAT
2015-01-28 15:36 - 2009-07-13 22:51 - 00037747 _____ () C:\Windows\setupact.log
2015-01-28 09:06 - 2010-11-20 21:47 - 00410932 _____ () C:\Windows\PFRO.log
2015-01-18 10:48 - 2014-11-26 11:04 - 00000074 _____ () C:\Users\tonyi\Desktop\DOMAIN Email.url
2015-01-18 10:48 - 2013-11-27 08:23 - 00000056 _____ () C:\Users\tonyi\Desktop\Network Shares.url
2015-01-18 10:48 - 2013-11-14 07:49 - 00000078 _____ () C:\Users\tonyi\Desktop\ClickMSDS.url
2015-01-17 12:37 - 2012-12-06 12:19 - 00072870 _____ () C:\Users\tonyi\ewa_client_1.log
2015-01-17 12:37 - 2012-11-15 11:17 - 00000000 ____D () C:\Users\tonyi
2015-01-16 15:03 - 2012-11-16 08:02 - 00001946 _____ () C:\Users\tonyi\Desktop\WAITER BOARD - Shortcut.lnk
2015-01-16 13:39 - 2012-11-17 11:38 - 00019165 _____ () C:\Users\tonyi\ewa_client_0.log
2015-01-16 01:07 - 2014-09-19 00:11 - 00003768 _____ () C:\Windows\System32\Tasks\Adobe Flash Player Updater
2015-01-16 01:07 - 2012-10-23 09:09 - 00692400 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2015-01-16 01:07 - 2012-10-23 09:09 - 00070832 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
2015-01-14 09:13 - 2012-11-27 11:21 - 00002820 _____ () C:\Users\tonyi\Desktop\Phone extensions DOMAIN - Shortcut.lnk
2015-01-14 09:10 - 2012-11-15 11:18 - 00000000 ____D () C:\Users\tonyi\AppData\Local\Deployment
2015-01-14 03:56 - 2009-07-13 21:20 - 00000000 ____D () C:\Windows\rescache
2015-01-14 03:03 - 2013-08-26 22:52 - 00000000 ____D () C:\Windows\system32\MRT
2015-01-14 03:00 - 2013-08-26 22:52 - 113365784 _____ (Microsoft Corporation) C:\Windows\system32\MRT.exe

Files to move or delete:
====================
C:\Windows\Tasks\At1.job
C:\Windows\Tasks\At2.job

Some content of TEMP:
====================
C:\Users\tonyi\AppData\Local\Temp\jre-7u15-windows-i586-iftw.exe
C:\Users\tonyi\AppData\Local\Temp\jre-7u17-windows-i586-iftw.exe
C:\Users\tonyi\AppData\Local\Temp\jre-7u21-windows-i586-iftw.exe
C:\Users\tonyi\AppData\Local\Temp\jre-7u45-windows-i586-iftw.exe
C:\Users\tonyi\AppData\Local\Temp\jre-7u51-windows-i586-iftw.exe
C:\Users\tonyi\AppData\Local\Temp\jre-7u55-windows-i586-iftw.exe
C:\Users\tonyi\AppData\Local\Temp\jre-7u65-windows-i586-iftw.exe
C:\Users\tonyi\AppData\Local\Temp\jre-7u71-windows-i586-iftw.exe

==================== Bamital & volsnap Check =================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\System32\winlogon.exe => File is digitally signed
C:\Windows\System32\wininit.exe => File is digitally signed
C:\Windows\SysWOW64\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\System32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\System32\services.exe => File is digitally signed
C:\Windows\System32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\System32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\System32\rpcss.dll => File is digitally signed
C:\Windows\System32\Drivers\volsnap.sys => File is digitally signed

LastRegBack: 2015-01-28 16:52

==================== End Of Log ============================


Edited by hermanocleas, 29 January 2015 - 01:23 PM.




#2 Valinorum

Valinorum

    Shadow Hide The Hunter


  • Malware Response Instructor
  • 1,772 posts
  • OFFLINE
  • Gender:Not Telling
  • Local time:10:30 PM

Posted 29 January 2015 - 01:04 PM

Post the Addition.txt located in the same location with FRST.

Geek U Graduate

I close my topic(s) with no replies for more than 4 days. PM me or the Moderators to reactivate. All help is provided via the forum, ergo do not PM me for help.

 


#3 hermanocleas

hermanocleas
  • Topic Starter

  • Members
  • 29 posts
  • OFFLINE
  • Local time:10:30 AM

Posted 29 January 2015 - 01:24 PM

Sorry, I thought I did, but apparently I missed a step. Now attached.



#4 Valinorum

Valinorum

    Shadow Hide The Hunter


  • Malware Response Instructor
  • 1,772 posts
  • OFFLINE
  • Gender:Not Telling
  • Local time:10:30 PM

Posted 30 January 2015 - 01:49 AM

  • Step #1 Fix with FRST
    Make sure that you still have FRST.exe on your Desktop. If you do not have it, download the suitable version from here to your Desktop.
    • Open Notepad.exe. Do not use any other text editor software;
    • Copy and Paste the contents inside the code-box to your Notepad --
      Start
      CreateRestorePoint:
      CloseProcesses:
      EmptyTemp:
      Hosts:
      Task: {02019F23-A86A-4124-B1A2-FD11753258DD} - System32\Tasks\At1 => C:\Windows\SysNative\defrag.exe <==== ATTENTION
      Task: {B84FFE85-74BB-4E4D-A9B4-2F4676D07E22} - System32\Tasks\At2 => cmd <==== ATTENTION
      Task: C:\Windows\Tasks\At1.job => C:\Windows\SysNative\defrag.exe
      Task: C:\Windows\Tasks\At2.job => ?
      HKLM-x32\...\Run: [] => [X]
      HKU\S-1-5-21-471295695-1943499188-740312968-500\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
      DPF: HKLM-x32 {00906302-0F14-442C-B39C-275F61BC25BC} http://206.93.48.97/apps/autoTools/sda/common/atSdaCfg.CAB
      C:\Windows\Tasks\At*.job
      End
    • Click on File > Save as...
      • Inside the File Name box type fixlist.txt;
      • From the Save as type drop down list, choose All Files
    • Save the file to your Desktop;
    • Re-run FRST.exe and click Fix;
      • Note: If FRST advises there is a new updated version to be downloaded, do so/allow this.
    • After the completion, a log will be produced;
    • Copy and Paste the contents of the log in your next reply.
 
  • Step #2 ESET Online Scanner
    Disable your security programs, which includes but is not limited to anti-virus, anti-malware, anti-spyware, et cetera. Peruse this for additional information.
    • Download esetsmartinstaller_enu.exe by clicking here.
    • Right-click on the program and choose Run as administrator.
    • Accept their terms and conditions and proceed.
    • Install the Add-On/ActiveX control if prompted.
    • From the Computer Scan Setting check the following box --
      • Enable detection for potentially unwanted programs
    • Click on Advanced Setting --
      • Uncheck the box beside Remove Found Threats;
      • Check the box beside Scan archives
      • Check the box beside Scan for potentially unsafe applications
      • Check the box beside Enable Anti-Stealth Technology
    • Click on Start and wait for the virus signature database to update.
    • The online scan will begin automatically and can take several hours.
      • Note: Do not touch either the mouse or the keyboard during the scan. Otherwise it may stall.
    • After the Scan finishes --
      • If no threats were found:
        • Put a checkmark in Uninstall application on close.
        • Close the program and report that nothing was found
      • If threats were found:
        • Open the file located in C:\Program Files\ESET\ESET Online Scanner\log.txt (32-bit) or C:\Program Files (x86)\ESET\ESET Online Scanner\log.txt (64-bit).
        • Copy and Paste contents of the log file in your next reply.
    Note: Enable your security programs afterwards.
 
  • Required Log(s):
    • FRST Fix Log
    • ESET Log
Regards,
Valinorum

Geek U Graduate

I close my topic(s) with no replies for more than 4 days. PM me or the Moderators to reactivate. All help is provided via the forum, ergo do not PM me for help.
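The fixlist above resets the hosts file with the Hosts: directive and removes the At1/At2 tasks. Before a responder resets a hosts file it helps to know what is actually in it: a stock Windows 7 file maps nothing but localhost, ad-blockers add loopback or 0.0.0.0 entries, and a hijack blocks security vendors or sends real sites to a third-party address. The Python script below is an added example for this thread, not code from the forum, FRST or any of the tools mentioned; it parses hosts-file text, classifies each mapping, and says whether a reset is warranted. The watch-list of sensitive domains, the sample hosts content and the 203.0.113.0/24 addresses are constructed for the example.

```python
"""Audit a Windows hosts file for hijack-style entries (added example)."""
import ipaddress
import os
import re
from typing import Dict, List

# Hostnames a stock hosts file may legitimately map to loopback.
DEFAULT_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}

# Assumed watch-list for this example: domains whose blocking or redirection is a
# classic symptom of a hosts hijack (OS updates, AV vendors, help forums).
SENSITIVE_PATTERNS = [re.compile(p, re.IGNORECASE) for p in (
    r"(^|\.)microsoft\.com$",
    r"(^|\.)windowsupdate\.com$",
    r"(^|\.)malwarebytes\.(org|com)$",
    r"(^|\.)webroot\.com$",
    r"(^|\.)eset\.com$",
    r"(^|\.)bleepingcomputer\.com$",
)]


def parse_hosts(text: str) -> List[Dict]:
    """Turn hosts-file text into one record per (address, hostname) pair.

    Comments (# ...) and blank lines are skipped. Lines whose first token is not
    a valid IP address, or that carry no hostname, are kept as 'malformed'
    records so that nothing is silently dropped from the audit.
    """
    records = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        body = raw.split("#", 1)[0].strip()
        if not body:
            continue
        tokens = body.split()
        try:
            addr = ipaddress.ip_address(tokens[0])
        except ValueError:
            records.append({"line": lineno, "raw": raw, "verdict": "malformed"})
            continue
        if len(tokens) == 1:
            records.append({"line": lineno, "raw": raw, "verdict": "malformed"})
            continue
        for name in tokens[1:]:
            records.append({"line": lineno, "raw": raw, "address": addr,
                            "name": name.lower()})
    return records


def classify(record: Dict) -> str:
    """Assign a verdict to one parsed record.

    ok        - a default name mapped to loopback (the stock Windows content)
    sensitive - a watch-listed domain is blocked or redirected
    blocking  - any other name sent to loopback/0.0.0.0 (ad-block style)
    redirect  - any other name sent to a real address (classic pharming)
    malformed - the line could not be parsed as address + hostname
    """
    if record.get("verdict") == "malformed":
        return "malformed"
    addr, name = record["address"], record["name"]
    sinkhole = addr.is_loopback or addr.is_unspecified
    if name in DEFAULT_NAMES and sinkhole:
        return "ok"
    if any(p.search(name) for p in SENSITIVE_PATTERNS):
        return "sensitive"
    return "blocking" if sinkhole else "redirect"


def audit(text: str) -> List[Dict]:
    """Parse and classify; every returned record carries a 'verdict' key."""
    findings = []
    for rec in parse_hosts(text):
        rec = dict(rec)
        rec["verdict"] = classify(rec)  # classify needs the ip_address object
        rec["address"] = str(rec["address"]) if "address" in rec else None
        findings.append(rec)
    return findings


def needs_reset(text: str) -> bool:
    """True when the file carries anything beyond default or ad-block style entries."""
    return any(f["verdict"] in {"sensitive", "redirect", "malformed"}
               for f in audit(text))


def windows_hosts_path() -> str:
    """Location of the live hosts file on Windows (reading it needs admin rights)."""
    return os.path.join(os.environ.get("SystemRoot", r"C:\Windows"),
                        "System32", "drivers", "etc", "hosts")


# Constructed sample, not taken from the thread; 203.0.113.0/24 is a documentation range.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
#   127.0.0.1       localhost
127.0.0.1        localhost
0.0.0.0          ads.example.net          # ad-block style: benign
127.0.0.1        www.malwarebytes.org     # blocks an AV vendor: sensitive
203.0.113.45     online.bank.example      # sent to a third-party host: redirect
203.0.113.45     update.microsoft.com     # redirected and watch-listed: sensitive
garbage-token    whatever.example         # malformed
"""

if __name__ == "__main__":
    for f in audit(SAMPLE_HOSTS):
        print(f"line {f['line']:>3} {f['verdict']:<9} {f['raw'].strip()}")
    print("reset recommended:", needs_reset(SAMPLE_HOSTS))
```

To run it against a real machine, read the file returned by windows_hosts_path() and pass its text to audit(). The verdicts are deliberately coarse: "blocking" entries are usually a deliberate ad-blocker and need no action, while "sensitive" and "redirect" entries are the ones that justify the Hosts: reset the fix above performs.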

 


#5 hermanocleas

hermanocleas
  • Topic Starter

  • Members
  • 29 posts
  • OFFLINE
  • Local time:10:30 AM

Posted 30 January 2015 - 10:56 AM

I attempted to run frst.exe after saving the fixlist.txt as instructed, but the fix has been running now for over 3 hours... I assume that something has gone wrong?



#6 Valinorum

Valinorum

    Shadow Hide The Hunter


  • Malware Response Instructor
  • 1,772 posts
  • OFFLINE
  • Gender:Not Telling
  • Local time:10:30 PM

Posted 31 January 2015 - 12:24 AM

Proceed to the next step. You should see a text file called fixlog.txt in the same folder where FRST.exe is located. Please post that log.

Geek U Graduate

I close my topic(s) with no replies for more than 4 days. PM me or the Moderators to reactivate. All help is provided via the forum, ergo do not PM me for help.

 


#7 Valinorum

Valinorum

    Shadow Hide The Hunter


  • Malware Response Instructor
  • 1,772 posts
  • OFFLINE
  • Gender:Not Telling
  • Local time:10:30 PM

Posted 07 February 2015 - 04:59 AM

Due to the lack of feedback, this topic is now closed.

In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days.

Please include a link to your topic in the Private Message. Thank you.

Geek U Graduate

I close my topic(s) with no replies for more than 4 days. PM me or the Moderators to reactivate. All help is provided via the forum, ergo do not PM me for help.

 




