
Need help removing trojan that uses load32.exe


34 replies to this topic

#1 saymes

saymes

  • Members
  • 21 posts
  • OFFLINE
  • Local time:10:00 AM

Posted 11 March 2015 - 01:47 PM

Hi guys. Need some help cleaning this computer. I've been able to remove all the other malware except this one. Here is my FRST info. Thanks for your help.

 

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 09-03-2015 01
Ran by RDT (administrator) on RDT1-PC on 11-03-2015 13:30:26
Running from C:\Users\RDT\Desktop\Desktop
Loaded Profiles: RDT (Available profiles: RDT & UpdatusUser)
Platform: Microsoft® Windows Vista™ Business  Service Pack 2 (X86) OS Language: English (United States)
Internet Explorer Version 9 (Default browser not detected!)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

() C:\Program Files\Microsoft Security Client\MsMpEng.exe
(Microsoft Corporation) C:\Windows\System32\SLsvc.exe
() C:\ProgramData\NTKernel\nt32.exe
(Microsoft Corporation) C:\Program Files\Microsoft SQL Server\MSSQL.2\MSSQL\Binn\sqlservr.exe
(Microsoft Corporation) C:\Windows\System32\Locator.exe
(Microsoft Corporation) C:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
(Microsoft Corporation) C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
(Microsoft Corp.) C:\Program Files\Common Files\microsoft shared\Windows Live\WLIDSVC.EXE
(Microsoft Corp.) C:\Program Files\Common Files\microsoft shared\Windows Live\WLIDSVCM.EXE
(Software 2000 Limited) C:\Windows\System32\spool\drivers\w32x86\3\HP1006MC.EXE
(Microsoft Corporation) C:\Windows\System32\wscript.exe
(Microsoft Corporation) C:\Windows\System32\wermgr.exe
(Microsoft Corporation) C:\Windows\System32\wuauclt.exe
(Microsoft Corporation) C:\Windows\System32\msiexec.exe


==================== Registry (Whitelisted) ==================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [NT Kernel Service] => C:\NTKernel\nt32.exe -rundll32 /SYSTEM32 "C:\Windows\System32\taskmgr.exe" "C:\Program Files\Microsoft\Windows"
Winlogon\Notify\GoToAssist: C:\Program Files\Citrix\GoToAssist\615\G2AWinLogon.dll (Citrix Online, a division of Citrix Systems, Inc.)
HKU\S-1-5-21-3710888214-2014860481-4120613462-1000\...\CurrentVersion\Windows: [Load] C:\ProgramData\NTKernel\nt32.exe <===== ATTENTION
HKU\S-1-5-21-3710888214-2014860481-4120613462-1000\...\MountPoints2: {136e413e-9af0-11dd-9fd1-00219b3328ad} - F:\autorun.exe
HKU\S-1-5-21-3710888214-2014860481-4120613462-1000\...\MountPoints2: {456ca68c-876f-11df-ad93-00219b3328ad} - F:\RECYCLER\k-1-3542-4232123213-7676767-8888886\root.exe
HKU\S-1-5-21-3710888214-2014860481-4120613462-1000\...\MountPoints2: {6ce66feb-4d33-11df-9522-00219b3328ad} - "G:\WD SmartWare.exe" autoplay=true
HKU\S-1-5-21-3710888214-2014860481-4120613462-1000\...\MountPoints2: {a970802c-f11b-11dd-ac92-00219b3328ad} - F:\RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013\ine32.exe
HKU\S-1-5-21-3710888214-2014860481-4120613462-1000\...\MountPoints2: {fc7715a5-f50f-11dd-81ef-00219b3328ad} - G:\LaunchU3.exe -a
HKU\S-1-5-21-3710888214-2014860481-4120613462-1000\...\MountPoints2: {fd430521-6aed-11dd-9f99-00219b3328ad} - G:\LaunchU3.exe -a
HKU\S-1-5-21-3710888214-2014860481-4120613462-1000\...\Winlogon: [Shell] C:\ProgramData\load32.exe [196608 2014-03-07] () <==== ATTENTION
IFEO\AvastSvc.exe: [Debugger] C:\Users\RDT\Documents\315load32.exe
IFEO\AvastUI.exe: [Debugger] C:\Users\RDT\Documents\315load32.exe
IFEO\avcenter.exe: [Debugger] C:\Users\RDT\Documents\315load32.exe
IFEO\avconfig.exe: [Debugger] C:\Users\RDT\Documents\315load32.exe
IFEO\avgcsrvx.exe: [Debugger] C:\Users\RDT\Documents\315load32.exe
IFEO\avgidsagent.exe: [Debugger] C:\Users\RDT\Documents\315load32.exe
IFEO\avgnt.exe: [Debugger] C:\Users\RDT\Documents\315load32.exe
IFEO\avgrsx.exe: [Debugger] C:\Users\RDT\Documents\315load32.exe
IFEO\avguard.exe: [Debugger] C:\Users\RDT\Documents\315load32.exe
IFEO\avgui.exe: [Debugger] C:\Users\RDT\Documents\315load32.exe
IFEO\avgwdsvc.exe: [Debugger] C:\Users\RDT\Documents\315load32.exe
IFEO\avp.exe: [Debugger] C:\Users\RDT\Documents\315load32.exe
IFEO\avscan.exe: [Debugger] C:\Users\RDT\Documents\315load32.exe
IFEO\bdagent.exe: [Debugger] C:\Users\RDT\Documents\315load32.exe
IFEO\ccuac.exe: [Debugger] C:\Users\RDT\Documents\315load32.exe
IFEO\ComboFix.exe: [Debugger] C:\Users\RDT\Documents\315load32.exe
IFEO\egui.exe: [Debugger] C:\Users\RDT\Documents\315load32.exe
IFEO\hijackthis.exe: [Debugger] C:\Users\RDT\Documents\315load32.exe
IFEO\instup.exe: [Debugger] C:\Users\RDT\Documents\315load32.exe
IFEO\keyscrambler.exe: [Debugger] C:\Users\RDT\Documents\315load32.exe
IFEO\mbam.exe: [Debugger] C:\Users\RDT\Documents\315load32.exe
IFEO\mbamgui.exe: [Debugger] C:\Users\RDT\Documents\315load32.exe
IFEO\mbampt.exe: [Debugger] C:\Users\RDT\Documents\315load32.exe
IFEO\mbamscheduler.exe: [Debugger] C:\Users\RDT\Documents\315load32.exe
IFEO\mbamservice.exe: [Debugger] C:\Users\RDT\Documents\315load32.exe
IFEO\rstrui.exe: [Debugger] C:\Users\RDT\Documents\315load32.exe
IFEO\spybotsd.exe: [Debugger] C:\Users\RDT\Documents\315load32.exe
IFEO\wireshark.exe: [Debugger] C:\Users\RDT\Documents\315load32.exe
IFEO\zlclient.exe: [Debugger] C:\Users\RDT\Documents\315load32.exe
InternetURL: C:\Users\RDT\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Update.Microsoft.com.url -> 0

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/?ilc=8
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/?ilc=8
HKU\S-1-5-21-3710888214-2014860481-4120613462-1000\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bing.com/
SearchScopes: HKU\.DEFAULT -> DefaultScope {2381E4B7-5C04-459E-9D46-2F9AC1608B66} URL = http://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=ysp
SearchScopes: HKU\.DEFAULT -> {2381E4B7-5C04-459E-9D46-2F9AC1608B66} URL = http://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=ysp
SearchScopes: HKU\S-1-5-19 -> DefaultScope {2381E4B7-5C04-459E-9D46-2F9AC1608B66} URL = http://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=ysp
SearchScopes: HKU\S-1-5-19 -> {2381E4B7-5C04-459E-9D46-2F9AC1608B66} URL = http://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=ysp
SearchScopes: HKU\S-1-5-20 -> DefaultScope {2381E4B7-5C04-459E-9D46-2F9AC1608B66} URL = http://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=ysp
SearchScopes: HKU\S-1-5-20 -> {2381E4B7-5C04-459E-9D46-2F9AC1608B66} URL = http://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=ysp
SearchScopes: HKU\S-1-5-21-3710888214-2014860481-4120613462-1000 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
BHO: No Name -> {02478D38-C3F9-4efb-9B51-7695ECA05670} ->  No File
BHO: HP Print Enhancer -> {0347C33E-8762-4905-BF09-768834316C61} -> C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_printenhancer.dll [2009-10-22] (Hewlett-Packard Co.)
BHO: Windows Live ID Sign-in Helper -> {9030D464-4C02-4ABF-8ECC-5164760863C6} -> C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll [2011-03-28] (Microsoft Corp.)
BHO: Windows Live Messenger Companion Helper -> {9FDDE16B-836F-4806-AB1F-1455CBEFF289} -> C:\Program Files\Windows Live\Companion\companioncore.dll [2012-03-08] (Microsoft Corporation)
BHO: Java™ Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files\Java\jre7\bin\jp2ssv.dll [2013-04-15] (Oracle Corporation)
BHO: SingleInstance Class -> {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} -> C:\Program Files\Yahoo!\Companion\Installs\cpn1\YTSingleInstance.dll No File
BHO: HP Smart BHO Class -> {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} -> C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll [2009-10-22] (Hewlett-Packard Co.)
Toolbar: HKU\S-1-5-21-3710888214-2014860481-4120613462-1000 -> No Name - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} -  No File
Toolbar: HKU\S-1-5-21-3710888214-2014860481-4120613462-1000 -> No Name - {2318C2B1-4965-11D4-9B18-009027A5CD4F} -  No File
Toolbar: HKU\S-1-5-21-3710888214-2014860481-4120613462-1000 -> No Name - {21FA44EF-376D-4D53-9B0F-8A89D3229068} -  No File
DPF: {809A6301-7B40-4436-A02C-87B8D3D7D9E3} http://zone.msn.com/bingame/zpagames/zpa_dmno.cab55579.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.7.0/jinstall-1_7_0_17-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {95B5D20C-BD31-4489-8ABF-F8C8BE748463} http://games.ca.zone.msn.com/bingame/zpagames/zpa_hrtz.cab99160.cab
DPF: {A4110378-789B-455F-AE86-3A1BFC402853} http://zone.msn.com/bingame/zpagames/zpa_shvl.cab55579.cab
DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} http://cdn2.zone.msn.com/binFramework/v10/ZPAFramework.cab102118.cab
DPF: {CAFEEFAC-0017-0000-0017-ABCDEFFEDCBA} http://java.sun.com/update/1.7.0/jinstall-1_7_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.7.0/jinstall-1_7_0_17-windows-i586.cab
Winsock: Catalog5 07 C:\Program Files\Bonjour\mdnsNSP.dll [152864] (Apple Inc.)
Tcpip\Parameters: [DhcpNameServer] 192.168.1.1 192.168.1.1

FireFox:
========
FF Plugin: @adobe.com/FlashPlayer -> C:\Windows\system32\Macromed\Flash\NPSWF32_12_0_0_70.dll [2014-02-21] ()
FF Plugin: @Apple.com/iTunes,version=1.0 -> C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll No File
FF Plugin: @divx.com/DivX Browser Plugin,version=1.0.0 -> C:\Program Files\DivX\DivX Web Player\npdivx32.dll [2009-05-12] (DivX,Inc.)
FF Plugin: @java.com/DTPlugin,version=10.17.2 -> C:\Windows\system32\npDeployJava1.dll [2013-04-15] (Oracle Corporation)
FF Plugin: @java.com/JavaPlugin -> C:\Program Files\Java\jre7\bin\new_plugin\npjp2.dll No File
FF Plugin: @java.com/JavaPlugin,version=10.17.2 -> C:\Program Files\Java\jre7\bin\plugin2\npjp2.dll [2013-04-15] (Oracle Corporation)
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> C:\Program Files\Microsoft Silverlight\5.1.30514.0\npctrl.dll [2014-05-13] ( Microsoft Corporation)
FF Plugin: @microsoft.com/OfficeLive,version=1.5 -> C:\Program Files\Microsoft\Office Live\npOLW.dll [2010-04-26] (Microsoft Corp.)
FF Plugin: @microsoft.com/WLPG,version=15.4.3502.0922 -> C:\Program Files\Windows Live\Photo Gallery\NPWLPG.dll [2012-03-08] (Microsoft Corporation)
FF Plugin: @microsoft.com/WLPG,version=15.4.3508.1109 -> C:\Program Files\Windows Live\Photo Gallery\NPWLPG.dll [2012-03-08] (Microsoft Corporation)
FF Plugin: @microsoft.com/WLPG,version=15.4.3538.0513 -> C:\Program Files\Windows Live\Photo Gallery\NPWLPG.dll [2012-03-08] (Microsoft Corporation)
FF Plugin: @microsoft.com/WLPG,version=15.4.3555.0308 -> C:\Program Files\Windows Live\Photo Gallery\NPWLPG.dll [2012-03-08] (Microsoft Corporation)
FF Plugin: @microsoft.com/WPF,version=3.5 -> c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll [2008-07-29] (Microsoft Corporation)
FF Plugin: @nvidia.com/3DVision -> C:\Program Files\NVIDIA Corporation\3D Vision\npnv3dv.dll [2013-01-18] (NVIDIA Corporation)
FF Plugin: @nvidia.com/3DVisionStreaming -> C:\Program Files\NVIDIA Corporation\3D Vision\npnv3dvstreaming.dll [2013-01-18] (NVIDIA Corporation)
FF Plugin: @pack.google.com/Google Updater;version=13 -> C:\Program Files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll No File
FF Plugin: @pages.tvunetworks.com/WebPlayer -> C:\Program Files\TVUPlayer\npTVUAx.dll No File
FF Plugin: Adobe Reader -> C:\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll [2014-12-03] (Adobe Systems Inc.)
FF HKLM\...\Firefox\Extensions: [{20a82645-c095-46ed-80e3-08825760534b}] - c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF Extension: Microsoft .NET Framework Assistant - c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension [2009-08-06]
FF HKLM\...\Firefox\Extensions: [smartwebprinting@hp.com] - C:\Program Files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3
FF Extension: HP Smart Web Printing - C:\Program Files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3 [2010-03-22]
FF HKLM\...\Firefox\Extensions: [ClickPotatoLite@ClickPotatoLite.com] - C:\Program Files\ClickPotatoLite\bin\11.0.19.0\firefox\extensions
FF HKU\S-1-5-21-3710888214-2014860481-4120613462-1000\...\Firefox\Extensions: [smartwebprinting@hp.com] - C:\Program Files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3

========================== Services (Whitelisted) =================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

S4 Agent; C:\Windows\VPDAgent.exe [192512 2013-11-14] (Two Pilots) [File not signed]
S4 atchksrv; C:\Program Files\Intel\AMT\atchksrv.exe [176128 2007-05-23] (Intel Corporation) [File not signed]
S4 GoToAssist; C:\Program Files\Citrix\GoToAssist\615\g2aservice.exe [13160 2010-11-16] (Citrix Online, a division of Citrix Systems, Inc.)
R3 hpqcxs08; C:\Program Files\HP\Digital Imaging\bin\hpqcxs08.dll [217088 2007-06-04] (Hewlett-Packard Co.) [File not signed]
R2 hpqddsvc; C:\Program Files\HP\Digital Imaging\bin\hpqddsvc.dll [131072 2007-06-04] (Hewlett-Packard Co.) [File not signed]
S4 LMS; C:\Program Files\Intel\AMT\LMS.exe [102400 2007-05-23] (Intel) [File not signed]
R2 MsMpSvc; c:\Program Files\Microsoft Security Client\MsMpEng.exe [22208 2013-10-23] () [File not signed]
R2 MSSQL$SQLEXPRESS; c:\Program Files\Microsoft SQL Server\MSSQL.2\MSSQL\Binn\sqlservr.exe [29293408 2010-12-10] (Microsoft Corporation)
S4 MSSQLServerADHelper; c:\Program Files\Microsoft SQL Server\90\Shared\sqladhlp90.exe [44384 2010-12-10] (Microsoft Corporation)
S4 Neat Startup Service; C:\Program Files\Neat\exec\NeatStartupService.exe [5632 2014-01-03] (The Neat Company) [File not signed]
S2 Net Driver HPZ12; C:\Windows\system32\HPZinw12.dll [44032 2010-08-06] (Hewlett-Packard) [File not signed]
S3 NisSrv; c:\Program Files\Microsoft Security Client\NisSrv.exe [280288 2013-10-23] () [File not signed]
S2 Pml Driver HPZ12; C:\Windows\system32\HPZipm12.dll [53760 2010-08-06] (Hewlett-Packard) [File not signed]
S4 stllssvr; C:\Program Files\Common Files\SureThing Shared\stllssvr.exe [69632 2007-07-11] (MicroVision Development, Inc.) [File not signed]
S4 UNS; C:\Program Files\Intel\AMT\UNS.exe [2514944 2007-05-23] (Intel) [File not signed]
S2 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [272952 2008-01-20] (Microsoft Corporation)
S3 gusvc; "C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe" [X]
S3 iPod Service; "C:\Program Files\iPod\bin\iPodService.exe" [X]

==================== Drivers (Whitelisted) ====================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

R2 DLABMFSM; C:\Windows\System32\Drivers\DLABMFSM.SYS [37360 2007-07-23] (Roxio)
R2 DLABOIOM; C:\Windows\System32\Drivers\DLABOIOM.SYS [32848 2007-07-23] (Roxio)
R2 DLADResM; C:\Windows\System32\Drivers\DLADResM.SYS [9104 2007-07-23] (Roxio)
R2 DLAIFS_M; C:\Windows\System32\Drivers\DLAIFS_M.SYS [108752 2007-07-23] (Roxio)
R2 DLAOPIOM; C:\Windows\System32\Drivers\DLAOPIOM.SYS [27216 2007-07-23] (Roxio)
R2 DLAPoolM; C:\Windows\System32\Drivers\DLAPoolM.SYS [16304 2007-07-23] (Roxio)
R2 DLAUDFAM; C:\Windows\System32\Drivers\DLAUDFAM.SYS [93552 2007-07-23] (Roxio)
R2 DLAUDF_M; C:\Windows\System32\Drivers\DLAUDF_M.SYS [98448 2007-07-23] (Roxio)
S3 FlyUsb; C:\Windows\System32\DRIVERS\FlyUsb.sys [19456 2009-11-10] (LeapFrog) [File not signed]
R0 MpFilter; C:\Windows\System32\DRIVERS\MpFilter.sys [214696 2013-09-27] (Microsoft Corporation)
S3 USBAAPL; C:\Windows\System32\Drivers\usbaapl.sys [40448 2009-08-28] (Apple, Inc.) [File not signed]
S2 eamonm; system32\DRIVERS\eamonm.sys [X]
S3 IpInIp; system32\DRIVERS\ipinip.sys [X]
S3 NwlnkFlt; system32\DRIVERS\nwlnkflt.sys [X]
S3 NwlnkFwd; system32\DRIVERS\nwlnkfwd.sys [X]

==================== NetSvcs (Whitelisted) ===================

(If an item is included in the fixlist, it will be removed from the registry. Any associated file could be listed separately to be moved.)


==================== One Month Created Files and Folders ========

(If an entry is included in the fixlist, the file\folder will be moved.)

2015-03-11 13:28 - 2015-03-11 13:30 - 00000000 ____D () C:\FRST
2015-03-09 15:30 - 2015-03-09 15:30 - 00000000 ___HD () C:\ProgramData\NTKernel
2015-03-09 09:54 - 2015-03-09 09:56 - 00075480 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbamchameleon.sys
2015-03-09 09:43 - 2015-03-09 09:53 - 00000000 ____D () C:\DnLoaded
2015-03-09 08:42 - 2015-03-09 08:42 - 00000000 ___HD () C:\ProgramData\BadNTKernel
2015-03-06 15:00 - 2015-03-06 15:00 - 00000000 ____D () C:\Windows\Temp45376B88-83CD-44F3-2071-01F31245727E-Signatures
2015-03-05 15:00 - 2015-03-05 15:00 - 00000000 ____D () C:\Windows\Temp3BB01A77-093B-05B9-42AD-D1FF724406F4-Signatures
2015-03-02 15:00 - 2015-03-02 15:00 - 00000000 ____D () C:\Windows\Temp7F3462A6-0BB6-9D89-8DC3-FBEAF89851EE-Signatures
2015-02-28 15:00 - 2015-02-28 15:00 - 00000000 ____D () C:\Windows\TempDFD8859E-9E6C-1B43-88CD-D3C701B226F4-Signatures
2015-02-19 20:46 - 2015-02-19 20:46 - 00000000 ____D () C:\Windows\Temp068E9C28-0D1D-9CAE-12EE-92D930AD20BB-Signatures
2015-02-19 13:28 - 2015-02-19 13:28 - 00000881 _____ () C:\Users\Public\Desktop\KeyFinder.lnk
2015-02-19 13:28 - 2015-02-19 13:28 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\KeyFinder
2015-02-19 13:27 - 2015-02-19 13:28 - 00000000 ____D () C:\Program Files\Magical Jelly Bean
2015-02-17 14:18 - 2015-02-17 14:18 - 00000000 ____D () C:\ProgramData\Lavasoft
2015-02-17 12:20 - 2015-02-17 12:21 - 00000013 _____ () C:\New Text Document.txt
2015-02-16 17:54 - 2015-02-16 17:54 - 00000000 ____D () C:\Windows\TempC68807B3-C2F8-385D-A674-E336DEFE0BB9-Signatures
2015-02-16 17:10 - 2015-02-16 17:11 - 00000000 ____D () C:\Windows\Temp163E0DF1-ABAC-EE17-5E92-AC628D194380-Signatures
2015-02-16 16:02 - 2015-02-16 16:02 - 00000000 ____D () C:\Windows\Temp0AA6DE62-5F0C-216E-4602-A6BEE892E296-Signatures
2015-02-16 15:38 - 2015-03-11 13:26 - 00002453 _____ () C:\Windows\setupact.log
2015-02-16 15:38 - 2015-02-16 15:38 - 00000000 _____ () C:\Windows\setuperr.log
2015-02-16 15:37 - 2015-02-27 17:16 - 00000000 ___HD () C:\bADNTKernel

==================== One Month Modified Files and Folders =======

(If an entry is included in the fixlist, the file\folder will be moved.)

2015-03-11 13:27 - 2006-11-02 06:33 - 00865912 _____ () C:\Windows\system32\PerfStringBackup.INI
2015-03-11 13:26 - 2008-01-20 21:39 - 01107302 _____ () C:\Windows\WindowsUpdate.log
2015-03-11 13:26 - 2006-11-02 06:23 - 00000254 _____ () C:\Windows\win.ini
2015-03-09 15:37 - 2006-11-02 07:18 - 00000000 ____D () C:\Windows\Microsoft.NET
2015-03-09 15:30 - 2006-11-02 08:47 - 00003712 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
2015-03-09 15:30 - 2006-11-02 08:47 - 00003712 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
2015-03-08 17:37 - 2011-07-06 08:18 - 00000000 ____D () C:\Users\RDT\AppData\Local\CrashDumps
2015-03-06 15:01 - 2011-03-18 10:44 - 00002148 _____ () C:\Windows\epplauncher.mif
2015-03-06 15:01 - 2011-03-18 10:43 - 00000000 ____D () C:\Program Files\Microsoft Security Client
2015-02-27 20:17 - 2008-10-27 08:14 - 00031744 _____ () C:\Users\RDT\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
2015-02-16 17:38 - 2013-06-12 17:47 - 00000000 ____D () C:\Windows\pss
2015-02-16 17:14 - 2011-01-07 12:43 - 00000000 ____D () C:\ProgramData\NVIDIA
2015-02-16 16:36 - 2006-11-02 09:00 - 01129284 _____ () C:\Windows\PFRO.log
2015-02-16 16:14 - 2008-10-18 08:41 - 00000000 ____D () C:\Program Files\Java
2015-02-16 16:14 - 2008-10-18 08:40 - 00000000 ____D () C:\Program Files\Common Files\Java
2015-02-16 16:11 - 2010-03-30 10:38 - 00000000 ____D () C:\ProgramData\Yahoo!
2015-02-16 16:11 - 2010-03-30 10:33 - 00000000 ____D () C:\Program Files\Yahoo!
2015-02-16 15:58 - 2008-08-13 15:09 - 00009268 _____ () C:\Users\RDT\AppData\Local\d3d9caps.dat

==================== Files in the root of some directories =======

2008-10-04 08:38 - 2008-10-04 09:02 - 0004343 _____ () C:\Users\RDT\AppData\Roaming\Comma Separated Values (DOS).NOT
2008-08-13 15:09 - 2015-02-16 15:58 - 0009268 _____ () C:\Users\RDT\AppData\Local\d3d9caps.dat
2008-10-27 08:14 - 2015-02-27 20:17 - 0031744 _____ () C:\Users\RDT\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
2014-03-07 08:56 - 2014-03-07 08:56 - 0196608 __RSH () C:\ProgramData\badload32.exe
2009-09-17 09:15 - 2014-07-24 08:42 - 0003484 _____ () C:\ProgramData\hpzinstall.log
2014-03-07 08:56 - 2014-03-07 08:56 - 0196608 __RSH () C:\ProgramData\load32.exe

Files to move or delete:
====================
C:\ProgramData\badload32.exe
C:\ProgramData\load32.exe
C:\ProgramData\NTKernel
C:\Users\RDT\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Update.Microsoft.com.url


Some content of TEMP:
====================
C:\Users\RDT\AppData\Local\Temp\ose00000.exe


==================== Bamital & volsnap Check =================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\explorer.exe => File is digitally signed
C:\Windows\system32\winlogon.exe => File is digitally signed
C:\Windows\system32\wininit.exe => File is digitally signed
C:\Windows\system32\svchost.exe => File is digitally signed
C:\Windows\system32\services.exe => File is digitally signed
C:\Windows\system32\User32.dll => File is digitally signed
C:\Windows\system32\userinit.exe => File is digitally signed
C:\Windows\system32\rpcss.dll => File is digitally signed
C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed


LastRegBack: 2015-03-09 15:36

==================== End Of Log ============================
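The log above shows the three persistence points the helper's fixlist later targets: an Image File Execution Options `Debugger` value on about thirty security tools (mbam.exe, avp.exe, ComboFix.exe, ...), all redirected to the same file in the user's Documents folder, a replaced Winlogon `Shell`, and the `Load` value under `CurrentVersion\Windows`. The following triage script is an added example and is not code from this thread or from FRST; it parses the line shapes FRST prints in its "Registry (Whitelisted)" section and flags those entries the way a responder would read them by eye. The regexes, the trusted-root heuristic for `Run` entries, and the Userinit check are the example's own assumptions and go slightly beyond the specific case on the page; the sample input mixes six lines copied from the log above with two constructed benign lines (the HP and Notepad++ entries) for contrast.

```python
"""Triage the 'Registry (Whitelisted)' section of an FRST log for the persistence
tricks visible in the log above: IFEO Debugger hijacks of security tools,
Winlogon Shell/Userinit replacement, the 'Load' value, and Run entries that
start from unusual locations. Heuristics and regexes are this example's own."""
import re
from collections import defaultdict
from typing import Dict, List, Tuple

# Line shapes as FRST (version 09-03-2015) prints them in the log above.
IFEO_RE = re.compile(r"^IFEO\\(?P<image>[^:]+): \[Debugger\] (?P<target>.+?)\s*$")
WINLOGON_RE = re.compile(
    r"^(?P<hive>.+?)\\\.\.\.\\Winlogon: \[(?P<value>Shell|Userinit)\] (?P<target>.+?)\s*$")
LOAD_RE = re.compile(
    r"^(?P<hive>.+?)\\\.\.\.\\CurrentVersion\\Windows: \[Load\] (?P<target>.+?)\s*$")
RUN_RE = re.compile(r"^(?P<hive>.+?)\\\.\.\.\\Run: \[(?P<name>[^\]]+)\] => (?P<cmd>.+?)\s*$")
# FRST appends "[size date] (signer)" and "<==== ATTENTION" after a path; strip them.
TRAILER_RE = re.compile(r"\s*(\[\d+ [\d-]+\] \([^)]*\))?\s*(<=+ ATTENTION)?\s*$")

# Values Winlogon should carry on a clean Vista/7 box (assumption of this example).
EXPECTED = {"Shell": {"explorer.exe"}, "Userinit": {"userinit.exe"}}
# Roots a normal Run/Debugger target is expected to live under (heuristic).
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")


def executable_of(command: str) -> str:
    """Extract the executable from a command line: a quoted path, or the shortest
    unquoted prefix ending in .exe (so unquoted paths with spaces still work)."""
    command = TRAILER_RE.sub("", command).strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    m = re.match(r"^(.*?\.exe)\b", command, re.IGNORECASE)
    return m.group(1) if m else (command.split() or [""])[0]


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def in_trusted_root(path: str) -> bool:
    return path.lower().startswith(TRUSTED_ROOTS)


def triage(log_text: str) -> List[Tuple[str, str]]:
    """Return (severity, message) findings for the registry lines in log_text."""
    findings: List[Tuple[str, str]] = []
    ifeo: Dict[str, List[str]] = defaultdict(list)  # debugger target -> hijacked images
    for raw in log_text.splitlines():
        line = raw.strip()
        if m := IFEO_RE.match(line):
            ifeo[executable_of(m["target"])].append(m["image"])
        elif m := WINLOGON_RE.match(line):
            exe = executable_of(m["target"])
            if basename(exe) not in EXPECTED[m["value"]]:
                findings.append(("high", f"Winlogon {m['value']} replaced with {exe} ({m['hive']})"))
        elif m := LOAD_RE.match(line):
            findings.append(("high", f"'Load' value runs {executable_of(m['target'])} at logon; rarely legitimate"))
        elif m := RUN_RE.match(line):
            exe = executable_of(m["cmd"])
            if not in_trusted_root(exe):
                findings.append(("medium", f"Run entry '{m['name']}' starts {exe} from outside Program Files/Windows"))
    # One Debugger value shared by several images is the signature of a mass IFEO hijack.
    for target, images in ifeo.items():
        sev = "high" if len(images) >= 3 or not in_trusted_root(target) else "review"
        findings.append((sev, f"IFEO Debugger on {len(images)} image(s) {sorted(images)} -> {target}"))
    return findings


# Constructed sample: six lines copied from the FRST log above plus two benign
# lines made up for contrast (the HP and Notepad++ entries are not from the log).
SAMPLE_LOG = r"""
HKLM\...\Run: [NT Kernel Service] => C:\NTKernel\nt32.exe -rundll32 /SYSTEM32 "C:\Windows\System32\taskmgr.exe" "C:\Program Files\Microsoft\Windows"
HKLM\...\Run: [HP Software Update] => C:\Program Files\HP\HP Software Update\HPWuSchd2.exe [49208 2008-03-26] (Hewlett-Packard)
HKU\S-1-5-21-3710888214-2014860481-4120613462-1000\...\CurrentVersion\Windows: [Load] C:\ProgramData\NTKernel\nt32.exe <===== ATTENTION
HKU\S-1-5-21-3710888214-2014860481-4120613462-1000\...\Winlogon: [Shell] C:\ProgramData\load32.exe [196608 2014-03-07] () <==== ATTENTION
IFEO\mbam.exe: [Debugger] C:\Users\RDT\Documents\315load32.exe
IFEO\avp.exe: [Debugger] C:\Users\RDT\Documents\315load32.exe
IFEO\ComboFix.exe: [Debugger] C:\Users\RDT\Documents\315load32.exe
IFEO\notepad.exe: [Debugger] "C:\Program Files\Notepad++\notepad++.exe" -notepadStyleCmdline -z
"""

if __name__ == "__main__":
    for severity, message in triage(SAMPLE_LOG):
        print(f"[{severity:6}] {message}")
```

Run it against a saved FRST.txt by passing the file's contents to `triage()`. The IFEO rule is deliberately aggregated: a single `Debugger` entry can be legitimate (the Notepad++ replacement pattern in the sample only earns "review"), but the same target registered for several images, or a target under a user profile, is what makes the entries on this machine an obvious anti-analysis hijack rather than a developer's debugger setting.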

 


#2 JSntgRvr

JSntgRvr

    Master Surgeon General


  • Malware Response Team
  • 11,749 posts
  • OFFLINE
  • Gender:Male
  • Location:Puerto Rico
  • Local time:10:00 AM

Posted 11 March 2015 - 02:36 PM

Please download the attached file and save it in the same directory as FRST.

  • Start FRST with Administrator privileges.
  • Press the Fix button.
  • When finished, a log file (Fixlog.txt) pops up and is saved to the same location the tool was run from.
    Please copy and paste its contents in your next reply.

No request for help through private messaging will be attended to.

If I have helped you, consider making a donation to help me continue the fight against Malware!


#3 saymes

saymes
  • Topic Starter

  • Members
  • 21 posts
  • OFFLINE
  • Local time:10:00 AM

Posted 11 March 2015 - 02:47 PM

Thank you, JS. That was fast. The FAQ says 5 days :) Be back in a few.



#4 saymes

saymes
  • Topic Starter

  • Members
  • 21 posts
  • OFFLINE
  • Local time:10:00 AM

Posted 11 March 2015 - 03:02 PM

Fixlog is here:

 

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x86) Version: 09-03-2015 01
Ran by RDT at 2015-03-11 15:49:48 Run:1
Running from C:\Users\RDT\Desktop\Desktop
Loaded Profiles: RDT (Available profiles: RDT & UpdatusUser)
Boot Mode: Normal

==============================================

Content of fixlist:
*****************
Start
HKLM\...\Run: [NT Kernel Service] => C:\NTKernel\nt32.exe -rundll32 /SYSTEM32 "C:\Windows\System32\taskmgr.exe" "C:\Program Files\Microsoft\Windows"
HKU\S-1-5-21-3710888214-2014860481-4120613462-1000\...\CurrentVersion\Windows: [Load] C:\ProgramData\NTKernel\nt32.exe <===== ATTENTION
HKU\S-1-5-21-3710888214-2014860481-4120613462-1000\...\MountPoints2: {136e413e-9af0-11dd-9fd1-00219b3328ad} - F:\autorun.exe
HKU\S-1-5-21-3710888214-2014860481-4120613462-1000\...\MountPoints2: {456ca68c-876f-11df-ad93-00219b3328ad} - F:\RECYCLER\k-1-3542-4232123213-7676767-8888886\root.exe
HKU\S-1-5-21-3710888214-2014860481-4120613462-1000\...\MountPoints2: {6ce66feb-4d33-11df-9522-00219b3328ad} - "G:\WD SmartWare.exe" autoplay=true
HKU\S-1-5-21-3710888214-2014860481-4120613462-1000\...\MountPoints2: {a970802c-f11b-11dd-ac92-00219b3328ad} - F:\RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013\ine32.exe
HKU\S-1-5-21-3710888214-2014860481-4120613462-1000\...\MountPoints2: {fc7715a5-f50f-11dd-81ef-00219b3328ad} - G:\LaunchU3.exe -a
HKU\S-1-5-21-3710888214-2014860481-4120613462-1000\...\MountPoints2: {fd430521-6aed-11dd-9f99-00219b3328ad} - G:\LaunchU3.exe -a
HKU\S-1-5-21-3710888214-2014860481-4120613462-1000\...\Winlogon: [Shell] C:\ProgramData\load32.exe [196608 2014-03-07] () <==== ATTENTION
IFEO\AvastSvc.exe: [Debugger] C:\Users\RDT\Documents\315load32.exe
IFEO\AvastUI.exe: [Debugger] C:\Users\RDT\Documents\315load32.exe
IFEO\avcenter.exe: [Debugger] C:\Users\RDT\Documents\315load32.exe
IFEO\avconfig.exe: [Debugger] C:\Users\RDT\Documents\315load32.exe
IFEO\avgcsrvx.exe: [Debugger] C:\Users\RDT\Documents\315load32.exe
IFEO\avgidsagent.exe: [Debugger] C:\Users\RDT\Documents\315load32.exe
IFEO\avgnt.exe: [Debugger] C:\Users\RDT\Documents\315load32.exe
IFEO\avgrsx.exe: [Debugger] C:\Users\RDT\Documents\315load32.exe
IFEO\avguard.exe: [Debugger] C:\Users\RDT\Documents\315load32.exe
IFEO\avgui.exe: [Debugger] C:\Users\RDT\Documents\315load32.exe
IFEO\avgwdsvc.exe: [Debugger] C:\Users\RDT\Documents\315load32.exe
IFEO\avp.exe: [Debugger] C:\Users\RDT\Documents\315load32.exe
IFEO\avscan.exe: [Debugger] C:\Users\RDT\Documents\315load32.exe
IFEO\bdagent.exe: [Debugger] C:\Users\RDT\Documents\315load32.exe
IFEO\ccuac.exe: [Debugger] C:\Users\RDT\Documents\315load32.exe
IFEO\ComboFix.exe: [Debugger] C:\Users\RDT\Documents\315load32.exe
IFEO\egui.exe: [Debugger] C:\Users\RDT\Documents\315load32.exe
IFEO\hijackthis.exe: [Debugger] C:\Users\RDT\Documents\315load32.exe
IFEO\instup.exe: [Debugger] C:\Users\RDT\Documents\315load32.exe
IFEO\keyscrambler.exe: [Debugger] C:\Users\RDT\Documents\315load32.exe
IFEO\mbam.exe: [Debugger] C:\Users\RDT\Documents\315load32.exe
IFEO\mbamgui.exe: [Debugger] C:\Users\RDT\Documents\315load32.exe
IFEO\mbampt.exe: [Debugger] C:\Users\RDT\Documents\315load32.exe
IFEO\mbamscheduler.exe: [Debugger] C:\Users\RDT\Documents\315load32.exe
IFEO\mbamservice.exe: [Debugger] C:\Users\RDT\Documents\315load32.exe
IFEO\rstrui.exe: [Debugger] C:\Users\RDT\Documents\315load32.exe
IFEO\spybotsd.exe: [Debugger] C:\Users\RDT\Documents\315load32.exe
IFEO\wireshark.exe: [Debugger] C:\Users\RDT\Documents\315load32.exe
IFEO\zlclient.exe: [Debugger] C:\Users\RDT\Documents\315load32.exe
InternetURL: C:\Users\RDT\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Update.Microsoft.com.url -> 0
SearchScopes: HKU\S-1-5-21-3710888214-2014860481-4120613462-1000 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
BHO: No Name -> {02478D38-C3F9-4efb-9B51-7695ECA05670} ->  No File
Toolbar: HKU\S-1-5-21-3710888214-2014860481-4120613462-1000 -> No Name - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} -  No File
Toolbar: HKU\S-1-5-21-3710888214-2014860481-4120613462-1000 -> No Name - {2318C2B1-4965-11D4-9B18-009027A5CD4F} -  No File
Toolbar: HKU\S-1-5-21-3710888214-2014860481-4120613462-1000 -> No Name - {21FA44EF-376D-4D53-9B0F-8A89D3229068} -  No File
C:\ProgramData\NTKernel
C:\Windows\Temp45376B88-83CD-44F3-2071-01F31245727E-Signatures
C:\Windows\Temp3BB01A77-093B-05B9-42AD-D1FF724406F4-Signatures
C:\Windows\Temp7F3462A6-0BB6-9D89-8DC3-FBEAF89851EE-Signatures
C:\Windows\TempDFD8859E-9E6C-1B43-88CD-D3C701B226F4-Signatures
C:\Windows\Temp068E9C28-0D1D-9CAE-12EE-92D930AD20BB-Signature
C:\Windows\TempC68807B3-C2F8-385D-A674-E336DEFE0BB9-Signatures
C:\Windows\Temp163E0DF1-ABAC-EE17-5E92-AC628D194380-Signatures
C:\Windows\Temp0AA6DE62-5F0C-216E-4602-A6BEE892E296-Signatures
C:\ProgramData\badload32.exe
C:\ProgramData\load32.exe
C:\ProgramData\NTKernel
C:\Users\RDT\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Update.Microsoft.com.url
Task: {4F45446B-3BCB-4F5D-BC3D-E3A506791C78} - \RunAsStdUser Task No Task File <==== ATTENTION
End
*****************

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\\NT Kernel Service => value deleted successfully.
HKU\S-1-5-21-3710888214-2014860481-4120613462-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows\\Load => Value was restored successfully.
"HKU\S-1-5-21-3710888214-2014860481-4120613462-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{136e413e-9af0-11dd-9fd1-00219b3328ad}" => Key deleted successfully.
HKCR\CLSID\{136e413e-9af0-11dd-9fd1-00219b3328ad} => Key not found.
"HKU\S-1-5-21-3710888214-2014860481-4120613462-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{456ca68c-876f-11df-ad93-00219b3328ad}" => Key deleted successfully.
HKCR\CLSID\{456ca68c-876f-11df-ad93-00219b3328ad} => Key not found.
"HKU\S-1-5-21-3710888214-2014860481-4120613462-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{6ce66feb-4d33-11df-9522-00219b3328ad}" => Key deleted successfully.
HKCR\CLSID\{6ce66feb-4d33-11df-9522-00219b3328ad} => Key not found.
"HKU\S-1-5-21-3710888214-2014860481-4120613462-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{a970802c-f11b-11dd-ac92-00219b3328ad}" => Key deleted successfully.
HKCR\CLSID\{a970802c-f11b-11dd-ac92-00219b3328ad} => Key not found.
"HKU\S-1-5-21-3710888214-2014860481-4120613462-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{fc7715a5-f50f-11dd-81ef-00219b3328ad}" => Key deleted successfully.
HKCR\CLSID\{fc7715a5-f50f-11dd-81ef-00219b3328ad} => Key not found.
"HKU\S-1-5-21-3710888214-2014860481-4120613462-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{fd430521-6aed-11dd-9f99-00219b3328ad}" => Key deleted successfully.
HKCR\CLSID\{fd430521-6aed-11dd-9f99-00219b3328ad} => Key not found.
HKU\S-1-5-21-3710888214-2014860481-4120613462-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell => value deleted successfully.
"HKLM\Software\microsoft\windows nt\currentversion\Image File Execution Options\AvastSvc.exe" => Key Deleted successfully.
"HKLM\Software\microsoft\windows nt\currentversion\Image File Execution Options\AvastUI.exe" => Key Deleted successfully.
"HKLM\Software\microsoft\windows nt\currentversion\Image File Execution Options\avcenter.exe" => Key Deleted successfully.
"HKLM\Software\microsoft\windows nt\currentversion\Image File Execution Options\avconfig.exe" => Key Deleted successfully.
"HKLM\Software\microsoft\windows nt\currentversion\Image File Execution Options\avgcsrvx.exe" => Key Deleted successfully.
"HKLM\Software\microsoft\windows nt\currentversion\Image File Execution Options\avgidsagent.exe" => Key Deleted successfully.
"HKLM\Software\microsoft\windows nt\currentversion\Image File Execution Options\avgnt.exe" => Key Deleted successfully.
"HKLM\Software\microsoft\windows nt\currentversion\Image File Execution Options\avgrsx.exe" => Key Deleted successfully.
"HKLM\Software\microsoft\windows nt\currentversion\Image File Execution Options\avguard.exe" => Key Deleted successfully.
"HKLM\Software\microsoft\windows nt\currentversion\Image File Execution Options\avgui.exe" => Key Deleted successfully.
"HKLM\Software\microsoft\windows nt\currentversion\Image File Execution Options\avgwdsvc.exe" => Key Deleted successfully.
"HKLM\Software\microsoft\windows nt\currentversion\Image File Execution Options\avp.exe" => Key Deleted successfully.
"HKLM\Software\microsoft\windows nt\currentversion\Image File Execution Options\avscan.exe" => Key Deleted successfully.
"HKLM\Software\microsoft\windows nt\currentversion\Image File Execution Options\bdagent.exe" => Key Deleted successfully.
"HKLM\Software\microsoft\windows nt\currentversion\Image File Execution Options\ccuac.exe" => Key Deleted successfully.
"HKLM\Software\microsoft\windows nt\currentversion\Image File Execution Options\ComboFix.exe" => Key Deleted successfully.
"HKLM\Software\microsoft\windows nt\currentversion\Image File Execution Options\egui.exe" => Key Deleted successfully.
"HKLM\Software\microsoft\windows nt\currentversion\Image File Execution Options\hijackthis.exe" => Key Deleted successfully.
"HKLM\Software\microsoft\windows nt\currentversion\Image File Execution Options\instup.exe" => Key Deleted successfully.
"HKLM\Software\microsoft\windows nt\currentversion\Image File Execution Options\keyscrambler.exe" => Key Deleted successfully.
"HKLM\Software\microsoft\windows nt\currentversion\Image File Execution Options\mbam.exe" => Key Deleted successfully.
"HKLM\Software\microsoft\windows nt\currentversion\Image File Execution Options\mbamgui.exe" => Key Deleted successfully.
"HKLM\Software\microsoft\windows nt\currentversion\Image File Execution Options\mbampt.exe" => Key Deleted successfully.
"HKLM\Software\microsoft\windows nt\currentversion\Image File Execution Options\mbamscheduler.exe" => Key Deleted successfully.
"HKLM\Software\microsoft\windows nt\currentversion\Image File Execution Options\mbamservice.exe" => Key Deleted successfully.
"HKLM\Software\microsoft\windows nt\currentversion\Image File Execution Options\rstrui.exe" => Key Deleted successfully.
"HKLM\Software\microsoft\windows nt\currentversion\Image File Execution Options\spybotsd.exe" => Key Deleted successfully.
"HKLM\Software\microsoft\windows nt\currentversion\Image File Execution Options\wireshark.exe" => Key Deleted successfully.
"HKLM\Software\microsoft\windows nt\currentversion\Image File Execution Options\zlclient.exe" => Key Deleted successfully.
"C:\Users\RDT\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Update.Microsoft.com.url" => Could not move.
HKU\S-1-5-21-3710888214-2014860481-4120613462-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => value deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4efb-9B51-7695ECA05670}" => Key deleted successfully.
HKCR\CLSID\{02478D38-C3F9-4efb-9B51-7695ECA05670} => Key not found.
HKU\S-1-5-21-3710888214-2014860481-4120613462-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} => value deleted successfully.
HKCR\CLSID\{BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} => Key not found.
HKU\S-1-5-21-3710888214-2014860481-4120613462-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{2318C2B1-4965-11D4-9B18-009027A5CD4F} => value deleted successfully.
HKCR\CLSID\{2318C2B1-4965-11D4-9B18-009027A5CD4F} => Key not found.
HKU\S-1-5-21-3710888214-2014860481-4120613462-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{21FA44EF-376D-4D53-9B0F-8A89D3229068} => value deleted successfully.
HKCR\CLSID\{21FA44EF-376D-4D53-9B0F-8A89D3229068} => Key not found.

"C:\ProgramData\NTKernel" directory move:

Could not move "C:\ProgramData\NTKernel" directory. => Scheduled to move on reboot.

C:\Windows\Temp45376B88-83CD-44F3-2071-01F31245727E-Signatures => Moved successfully.
C:\Windows\Temp3BB01A77-093B-05B9-42AD-D1FF724406F4-Signatures => Moved successfully.
C:\Windows\Temp7F3462A6-0BB6-9D89-8DC3-FBEAF89851EE-Signatures => Moved successfully.
C:\Windows\TempDFD8859E-9E6C-1B43-88CD-D3C701B226F4-Signatures => Moved successfully.
"C:\Windows\Temp068E9C28-0D1D-9CAE-12EE-92D930AD20BB-Signature" => File/Directory not found.
C:\Windows\TempC68807B3-C2F8-385D-A674-E336DEFE0BB9-Signatures => Moved successfully.
C:\Windows\Temp163E0DF1-ABAC-EE17-5E92-AC628D194380-Signatures => Moved successfully.
C:\Windows\Temp0AA6DE62-5F0C-216E-4602-A6BEE892E296-Signatures => Moved successfully.
C:\ProgramData\badload32.exe => Moved successfully.
Could not move "C:\ProgramData\load32.exe" => Scheduled to move on reboot.

"C:\ProgramData\NTKernel" directory move:

Could not move "C:\ProgramData\NTKernel" directory. => Scheduled to move on reboot.

Could not move "C:\Users\RDT\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Update.Microsoft.com.url" => Scheduled to move on reboot.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{4F45446B-3BCB-4F5D-BC3D-E3A506791C78}" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{4F45446B-3BCB-4F5D-BC3D-E3A506791C78}" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\RunAsStdUser Task" => Key deleted successfully.

=> Result of Scheduled Files to move (Boot Mode: Normal) (Date&Time: 2015-03-11 15:51:33)<=

C:\ProgramData\NTKernel => Is moved successfully.
C:\ProgramData\load32.exe => Is moved successfully.
C:\ProgramData\NTKernel => Is moved successfully.
C:\Users\RDT\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Update.Microsoft.com.url => Is moved successfully.

==== End of Fixlog 15:51:33 ====
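The Fixlog above records what the trojan had set up: Image File Execution Options keys named after security tools (Malwarebytes, Avast, ComboFix, rstrui.exe for System Restore and so on), a per-user Winlogon Shell value, a .url file in the Startup folder, and a scheduled task. As an added illustration of the follow-up check a defender would run after such a fix (this is not code posted in the thread and not part of FRST or any Farbar tool), the script below audits those same locations read-only and lists anything still present. It assumes an elevated PowerShell prompt and English schtasks column headers; the executable names are the ones from the IFEO keys deleted above.

```powershell
# Added example, not from this thread or from FRST: a read-only audit of the
# persistence and defence-evasion locations the Fixlog above cleaned up.
# Run from an elevated PowerShell prompt. Nothing is changed; findings are listed.
# On 64-bit Windows the Wow6432Node\...\Image File Execution Options key should be checked as well.

$ifeoPath = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'

# Executable names whose IFEO keys FRST deleted in the Fixlog: security tools the
# trojan had hooked so they would not start normally (rstrui.exe is System Restore).
$securityTools = @(
    'AvastSvc.exe','AvastUI.exe','avcenter.exe','avconfig.exe','avgcsrvx.exe',
    'avgidsagent.exe','avgnt.exe','avgrsx.exe','avguard.exe','avgui.exe',
    'avgwdsvc.exe','avp.exe','avscan.exe','bdagent.exe','ccuac.exe','ComboFix.exe',
    'egui.exe','hijackthis.exe','instup.exe','keyscrambler.exe','mbam.exe',
    'mbamgui.exe','mbampt.exe','mbamscheduler.exe','mbamservice.exe','rstrui.exe',
    'spybotsd.exe','wireshark.exe','zlclient.exe'
)

$findings = New-Object System.Collections.Generic.List[object]
function Add-Finding([string]$Severity, [string]$Location, [string]$Value) {
    $findings.Add((New-Object PSObject -Property @{ Severity = $Severity; Location = $Location; Value = $Value }))
}

# 1. Image File Execution Options: a Debugger value makes Windows launch that program
#    in place of the named executable, which is how the tools above were being blocked.
foreach ($key in Get-ChildItem -Path $ifeoPath -ErrorAction SilentlyContinue) {
    $exe = $key.PSChildName
    $debugger = (Get-ItemProperty -Path $key.PSPath -Name Debugger -ErrorAction SilentlyContinue).Debugger
    if ($debugger) {
        $severity = if ($securityTools -contains $exe) { 'HIGH' } else { 'REVIEW' }
        Add-Finding $severity "IFEO\$exe" $debugger
    }
}

# 2. Winlogon Shell: the machine-wide value should be explorer.exe, and a per-user
#    Shell value (the Fixlog removed one from HKU\...\Winlogon) is rarely legitimate.
$machineShell = (Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon' -Name Shell -ErrorAction SilentlyContinue).Shell
if ($machineShell -and $machineShell -ne 'explorer.exe') { Add-Finding 'HIGH' 'HKLM Winlogon\Shell' $machineShell }
$userShell = (Get-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon' -Name Shell -ErrorAction SilentlyContinue).Shell
if ($userShell) { Add-Finding 'HIGH' 'HKCU Winlogon\Shell' $userShell }

# 3. Startup folder: Internet-shortcut (.url) files there are opened at every logon;
#    the Fixlog removed one named Update.Microsoft.com.url.
$startup = [Environment]::GetFolderPath('Startup')
foreach ($file in Get-ChildItem -Path $startup -Filter *.url -ErrorAction SilentlyContinue) {
    $urlLine = Get-Content -Path $file.FullName -ErrorAction SilentlyContinue |
               Where-Object { $_ -like 'URL=*' } | Select-Object -First 1
    $target = if ($urlLine) { $urlLine.Substring(4) } else { '(no URL= line)' }
    Add-Finding 'REVIEW' "Startup\$($file.Name)" $target
}

# 4. Scheduled tasks that run something out of ProgramData or a user profile, where
#    load32.exe and the NTKernel folder sat. schtasks is available on Vista; this
#    assumes English column headers ("TaskName", "Task To Run").
$tasks = schtasks /query /fo CSV /v 2>$null | ConvertFrom-Csv
foreach ($task in $tasks) {
    if ($task.TaskName -eq 'TaskName') { continue }   # schtasks repeats header rows
    if ($task.'Task To Run' -match '\\ProgramData\\|\\Users\\') {
        Add-Finding 'REVIEW' "Task $($task.TaskName)" $task.'Task To Run'
    }
}

if ($findings.Count -gt 0) { $findings | Sort-Object Severity | Format-Table Severity, Location, Value -AutoSize }
else { 'No findings.' }
```

A HIGH finding means one of the locations the trojan used is populated again (or was never cleaned); REVIEW entries need a human eye, since legitimate software can also register a task under ProgramData or leave a shortcut in Startup. The script deliberately changes nothing, so it can be run before and after a fix to confirm the reboot-scheduled moves actually took effect.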



#5 JSntgRvr

JSntgRvr

    Master Surgeon General


  • Malware Response Team
  • 11,749 posts
  • Gender:Male
  • Location:Puerto Rico
  • Local time:10:00 AM

Posted 11 March 2015 - 07:34 PM

How is it doing?


No request for help throughout private messaging will be attended.

If I have helped you, consider making a donation to help me continue the fight against Malware!


#6 saymes

saymes
  • Topic Starter

  • Members
  • 21 posts
  • Local time:10:00 AM

Posted 11 March 2015 - 09:42 PM

I still can't install MalwareBytes. Certain Windows services are still not running; I can't run System Restore, Windows Update, Windows Defender, etc. The trojan is no longer loading automatically, according to Rkill.



#7 JSntgRvr

JSntgRvr

    Master Surgeon General


  • Malware Response Team
  • 11,749 posts
  • Gender:Male
  • Location:Puerto Rico
  • Local time:10:00 AM

Posted 12 March 2015 - 08:28 AM

Re-scan with FRST and post a new FRST.txt log.

 

Please download Farbar Service Scanner and run it on the computer with the issue.

  • Make sure the following options are checked:
    • Internet Services
    • Windows Firewall
    • System Restore
    • Security Center
    • Windows Update
  • Press "Scan".
  • It will create a log (FSS.txt) in the same directory the tool is run.
  • Please copy and paste the log to your reply.

 


Edited by JSntgRvr, 12 March 2015 - 08:29 AM.



#8 saymes

saymes
  • Topic Starter

  • Members
  • 21 posts
  • Local time:10:00 AM

Posted 12 March 2015 - 09:16 AM

New FRST log:

 

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 09-03-2015 01
Ran by RDT (administrator) on RDT1-PC on 12-03-2015 09:57:35
Running from C:\Users\RDT\Desktop\Desktop
Loaded Profiles: RDT (Available profiles: RDT & UpdatusUser)
Platform: Microsoft® Windows Vista™ Business  Service Pack 2 (X86) OS Language: English (United States)
Internet Explorer Version 9 (Default browser not detected!)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

() C:\Program Files\Microsoft Security Client\MsMpEng.exe
(Microsoft Corporation) C:\Windows\System32\SLsvc.exe
(Microsoft Corporation) C:\Program Files\Microsoft SQL Server\MSSQL.2\MSSQL\Binn\sqlservr.exe
(Microsoft Corporation) C:\Windows\System32\Locator.exe
(Microsoft Corporation) C:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
(Microsoft Corporation) C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
(Microsoft Corp.) C:\Program Files\Common Files\microsoft shared\Windows Live\WLIDSVC.EXE
(Microsoft Corp.) C:\Program Files\Common Files\microsoft shared\Windows Live\WLIDSVCM.EXE
(Software 2000 Limited) C:\Windows\System32\spool\drivers\w32x86\3\HP1006MC.EXE
(Microsoft Corporation) C:\Windows\System32\wuauclt.exe
(Microsoft Corporation) C:\Windows\System32\wermgr.exe
(Microsoft Corporation) C:\Windows\System32\msiexec.exe


==================== Registry (Whitelisted) ==================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

Winlogon\Notify\GoToAssist: C:\Program Files\Citrix\GoToAssist\615\G2AWinLogon.dll (Citrix Online, a division of Citrix Systems, Inc.)

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/?ilc=8
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/?ilc=8
HKU\S-1-5-21-3710888214-2014860481-4120613462-1000\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bing.com/
SearchScopes: HKU\.DEFAULT -> DefaultScope {2381E4B7-5C04-459E-9D46-2F9AC1608B66} URL = http://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=ysp
SearchScopes: HKU\.DEFAULT -> {2381E4B7-5C04-459E-9D46-2F9AC1608B66} URL = http://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=ysp
SearchScopes: HKU\S-1-5-19 -> DefaultScope {2381E4B7-5C04-459E-9D46-2F9AC1608B66} URL = http://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=ysp
SearchScopes: HKU\S-1-5-19 -> {2381E4B7-5C04-459E-9D46-2F9AC1608B66} URL = http://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=ysp
SearchScopes: HKU\S-1-5-20 -> DefaultScope {2381E4B7-5C04-459E-9D46-2F9AC1608B66} URL = http://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=ysp
SearchScopes: HKU\S-1-5-20 -> {2381E4B7-5C04-459E-9D46-2F9AC1608B66} URL = http://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=ysp
BHO: HP Print Enhancer -> {0347C33E-8762-4905-BF09-768834316C61} -> C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_printenhancer.dll [2009-10-22] (Hewlett-Packard Co.)
BHO: Windows Live ID Sign-in Helper -> {9030D464-4C02-4ABF-8ECC-5164760863C6} -> C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll [2011-03-28] (Microsoft Corp.)
BHO: Windows Live Messenger Companion Helper -> {9FDDE16B-836F-4806-AB1F-1455CBEFF289} -> C:\Program Files\Windows Live\Companion\companioncore.dll [2012-03-08] (Microsoft Corporation)
BHO: Java™ Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files\Java\jre7\bin\jp2ssv.dll [2013-04-15] (Oracle Corporation)
BHO: SingleInstance Class -> {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} -> C:\Program Files\Yahoo!\Companion\Installs\cpn1\YTSingleInstance.dll No File
BHO: HP Smart BHO Class -> {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} -> C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll [2009-10-22] (Hewlett-Packard Co.)
DPF: {809A6301-7B40-4436-A02C-87B8D3D7D9E3} http://zone.msn.com/bingame/zpagames/zpa_dmno.cab55579.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.7.0/jinstall-1_7_0_17-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {95B5D20C-BD31-4489-8ABF-F8C8BE748463} http://games.ca.zone.msn.com/bingame/zpagames/zpa_hrtz.cab99160.cab
DPF: {A4110378-789B-455F-AE86-3A1BFC402853} http://zone.msn.com/bingame/zpagames/zpa_shvl.cab55579.cab
DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} http://cdn2.zone.msn.com/binFramework/v10/ZPAFramework.cab102118.cab
DPF: {CAFEEFAC-0017-0000-0017-ABCDEFFEDCBA} http://java.sun.com/update/1.7.0/jinstall-1_7_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.7.0/jinstall-1_7_0_17-windows-i586.cab
Winsock: Catalog5 07 C:\Program Files\Bonjour\mdnsNSP.dll [152864] (Apple Inc.)

FireFox:
========
FF Plugin: @adobe.com/FlashPlayer -> C:\Windows\system32\Macromed\Flash\NPSWF32_12_0_0_70.dll [2014-02-21] ()
FF Plugin: @Apple.com/iTunes,version=1.0 -> C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll No File
FF Plugin: @divx.com/DivX Browser Plugin,version=1.0.0 -> C:\Program Files\DivX\DivX Web Player\npdivx32.dll [2009-05-12] (DivX,Inc.)
FF Plugin: @java.com/DTPlugin,version=10.17.2 -> C:\Windows\system32\npDeployJava1.dll [2013-04-15] (Oracle Corporation)
FF Plugin: @java.com/JavaPlugin -> C:\Program Files\Java\jre7\bin\new_plugin\npjp2.dll No File
FF Plugin: @java.com/JavaPlugin,version=10.17.2 -> C:\Program Files\Java\jre7\bin\plugin2\npjp2.dll [2013-04-15] (Oracle Corporation)
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> C:\Program Files\Microsoft Silverlight\5.1.30514.0\npctrl.dll [2014-05-13] ( Microsoft Corporation)
FF Plugin: @microsoft.com/OfficeLive,version=1.5 -> C:\Program Files\Microsoft\Office Live\npOLW.dll [2010-04-26] (Microsoft Corp.)
FF Plugin: @microsoft.com/WLPG,version=15.4.3502.0922 -> C:\Program Files\Windows Live\Photo Gallery\NPWLPG.dll [2012-03-08] (Microsoft Corporation)
FF Plugin: @microsoft.com/WLPG,version=15.4.3508.1109 -> C:\Program Files\Windows Live\Photo Gallery\NPWLPG.dll [2012-03-08] (Microsoft Corporation)
FF Plugin: @microsoft.com/WLPG,version=15.4.3538.0513 -> C:\Program Files\Windows Live\Photo Gallery\NPWLPG.dll [2012-03-08] (Microsoft Corporation)
FF Plugin: @microsoft.com/WLPG,version=15.4.3555.0308 -> C:\Program Files\Windows Live\Photo Gallery\NPWLPG.dll [2012-03-08] (Microsoft Corporation)
FF Plugin: @microsoft.com/WPF,version=3.5 -> c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll [2008-07-29] (Microsoft Corporation)
FF Plugin: @nvidia.com/3DVision -> C:\Program Files\NVIDIA Corporation\3D Vision\npnv3dv.dll [2013-01-18] (NVIDIA Corporation)
FF Plugin: @nvidia.com/3DVisionStreaming -> C:\Program Files\NVIDIA Corporation\3D Vision\npnv3dvstreaming.dll [2013-01-18] (NVIDIA Corporation)
FF Plugin: @pack.google.com/Google Updater;version=13 -> C:\Program Files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll No File
FF Plugin: @pages.tvunetworks.com/WebPlayer -> C:\Program Files\TVUPlayer\npTVUAx.dll No File
FF Plugin: Adobe Reader -> C:\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll [2014-12-03] (Adobe Systems Inc.)
FF HKLM\...\Firefox\Extensions: [{20a82645-c095-46ed-80e3-08825760534b}] - c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF Extension: Microsoft .NET Framework Assistant - c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension [2009-08-06]
FF HKLM\...\Firefox\Extensions: [smartwebprinting@hp.com] - C:\Program Files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3
FF Extension: HP Smart Web Printing - C:\Program Files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3 [2010-03-22]
FF HKLM\...\Firefox\Extensions: [ClickPotatoLite@ClickPotatoLite.com] - C:\Program Files\ClickPotatoLite\bin\11.0.19.0\firefox\extensions
FF HKU\S-1-5-21-3710888214-2014860481-4120613462-1000\...\Firefox\Extensions: [smartwebprinting@hp.com] - C:\Program Files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3

========================== Services (Whitelisted) =================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

S4 Agent; C:\Windows\VPDAgent.exe [192512 2013-11-14] (Two Pilots) [File not signed]
S4 atchksrv; C:\Program Files\Intel\AMT\atchksrv.exe [176128 2007-05-23] (Intel Corporation) [File not signed]
S4 GoToAssist; C:\Program Files\Citrix\GoToAssist\615\g2aservice.exe [13160 2010-11-16] (Citrix Online, a division of Citrix Systems, Inc.)
R3 hpqcxs08; C:\Program Files\HP\Digital Imaging\bin\hpqcxs08.dll [217088 2007-06-04] (Hewlett-Packard Co.) [File not signed]
R2 hpqddsvc; C:\Program Files\HP\Digital Imaging\bin\hpqddsvc.dll [131072 2007-06-04] (Hewlett-Packard Co.) [File not signed]
S4 LMS; C:\Program Files\Intel\AMT\LMS.exe [102400 2007-05-23] (Intel) [File not signed]
R2 MsMpSvc; c:\Program Files\Microsoft Security Client\MsMpEng.exe [22208 2013-10-23] () [File not signed]
R2 MSSQL$SQLEXPRESS; c:\Program Files\Microsoft SQL Server\MSSQL.2\MSSQL\Binn\sqlservr.exe [29293408 2010-12-10] (Microsoft Corporation)
S4 MSSQLServerADHelper; c:\Program Files\Microsoft SQL Server\90\Shared\sqladhlp90.exe [44384 2010-12-10] (Microsoft Corporation)
S4 Neat Startup Service; C:\Program Files\Neat\exec\NeatStartupService.exe [5632 2014-01-03] (The Neat Company) [File not signed]
S2 Net Driver HPZ12; C:\Windows\system32\HPZinw12.dll [44032 2010-08-06] (Hewlett-Packard) [File not signed]
S3 NisSrv; c:\Program Files\Microsoft Security Client\NisSrv.exe [280288 2013-10-23] () [File not signed]
S2 Pml Driver HPZ12; C:\Windows\system32\HPZipm12.dll [53760 2010-08-06] (Hewlett-Packard) [File not signed]
S4 stllssvr; C:\Program Files\Common Files\SureThing Shared\stllssvr.exe [69632 2007-07-11] (MicroVision Development, Inc.) [File not signed]
S4 UNS; C:\Program Files\Intel\AMT\UNS.exe [2514944 2007-05-23] (Intel) [File not signed]
S2 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [272952 2008-01-20] (Microsoft Corporation)
S3 gusvc; "C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe" [X]
S3 iPod Service; "C:\Program Files\iPod\bin\iPodService.exe" [X]

==================== Drivers (Whitelisted) ====================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

R2 DLABMFSM; C:\Windows\System32\Drivers\DLABMFSM.SYS [37360 2007-07-23] (Roxio)
R2 DLABOIOM; C:\Windows\System32\Drivers\DLABOIOM.SYS [32848 2007-07-23] (Roxio)
R2 DLADResM; C:\Windows\System32\Drivers\DLADResM.SYS [9104 2007-07-23] (Roxio)
R2 DLAIFS_M; C:\Windows\System32\Drivers\DLAIFS_M.SYS [108752 2007-07-23] (Roxio)
R2 DLAOPIOM; C:\Windows\System32\Drivers\DLAOPIOM.SYS [27216 2007-07-23] (Roxio)
R2 DLAPoolM; C:\Windows\System32\Drivers\DLAPoolM.SYS [16304 2007-07-23] (Roxio)
R2 DLAUDFAM; C:\Windows\System32\Drivers\DLAUDFAM.SYS [93552 2007-07-23] (Roxio)
R2 DLAUDF_M; C:\Windows\System32\Drivers\DLAUDF_M.SYS [98448 2007-07-23] (Roxio)
S3 FlyUsb; C:\Windows\System32\DRIVERS\FlyUsb.sys [19456 2009-11-10] (LeapFrog) [File not signed]
R0 MpFilter; C:\Windows\System32\DRIVERS\MpFilter.sys [214696 2013-09-27] (Microsoft Corporation)
S3 USBAAPL; C:\Windows\System32\Drivers\usbaapl.sys [40448 2009-08-28] (Apple, Inc.) [File not signed]
S2 eamonm; system32\DRIVERS\eamonm.sys [X]
S3 IpInIp; system32\DRIVERS\ipinip.sys [X]
S3 NwlnkFlt; system32\DRIVERS\nwlnkflt.sys [X]
S3 NwlnkFwd; system32\DRIVERS\nwlnkfwd.sys [X]

==================== NetSvcs (Whitelisted) ===================

(If an item is included in the fixlist, it will be removed from the registry. Any associated file could be listed separately to be moved.)


==================== One Month Created Files and Folders ========

(If an entry is included in the fixlist, the file\folder will be moved.)

2015-03-11 13:28 - 2015-03-12 09:57 - 00000000 ____D () C:\FRST
2015-03-09 09:54 - 2015-03-09 09:56 - 00075480 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbamchameleon.sys
2015-03-09 09:43 - 2015-03-09 09:53 - 00000000 ____D () C:\DnLoaded
2015-03-09 08:42 - 2015-03-09 08:42 - 00000000 ___HD () C:\ProgramData\BadNTKernel
2015-02-19 20:46 - 2015-02-19 20:46 - 00000000 ____D () C:\Windows\Temp068E9C28-0D1D-9CAE-12EE-92D930AD20BB-Signatures
2015-02-19 13:28 - 2015-02-19 13:28 - 00000881 _____ () C:\Users\Public\Desktop\KeyFinder.lnk
2015-02-19 13:28 - 2015-02-19 13:28 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\KeyFinder
2015-02-19 13:27 - 2015-02-19 13:28 - 00000000 ____D () C:\Program Files\Magical Jelly Bean
2015-02-17 14:18 - 2015-02-17 14:18 - 00000000 ____D () C:\ProgramData\Lavasoft
2015-02-17 12:20 - 2015-02-17 12:21 - 00000013 _____ () C:\New Text Document.txt
2015-02-16 15:38 - 2015-03-11 13:26 - 00002453 _____ () C:\Windows\setupact.log
2015-02-16 15:38 - 2015-02-16 15:38 - 00000000 _____ () C:\Windows\setuperr.log
2015-02-16 15:37 - 2015-02-27 17:16 - 00000000 ___HD () C:\bADNTKernel

==================== One Month Modified Files and Folders =======

(If an entry is included in the fixlist, the file\folder will be moved.)

2015-03-12 09:57 - 2006-11-02 06:23 - 00000254 _____ () C:\Windows\win.ini
2015-03-12 09:54 - 2008-01-20 21:39 - 01130988 _____ () C:\Windows\WindowsUpdate.log
2015-03-11 15:59 - 2006-11-02 06:33 - 00865912 _____ () C:\Windows\system32\PerfStringBackup.INI
2015-03-11 15:51 - 2006-11-02 08:47 - 00003712 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
2015-03-11 15:51 - 2006-11-02 08:47 - 00003712 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
2015-03-11 15:50 - 2006-11-02 09:00 - 01129634 _____ () C:\Windows\PFRO.log
2015-03-09 15:37 - 2006-11-02 07:18 - 00000000 ____D () C:\Windows\Microsoft.NET
2015-03-08 17:37 - 2011-07-06 08:18 - 00000000 ____D () C:\Users\RDT\AppData\Local\CrashDumps
2015-03-06 15:01 - 2011-03-18 10:44 - 00002148 _____ () C:\Windows\epplauncher.mif
2015-03-06 15:01 - 2011-03-18 10:43 - 00000000 ____D () C:\Program Files\Microsoft Security Client
2015-02-27 20:17 - 2008-10-27 08:14 - 00031744 _____ () C:\Users\RDT\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
2015-02-16 17:38 - 2013-06-12 17:47 - 00000000 ____D () C:\Windows\pss
2015-02-16 17:14 - 2011-01-07 12:43 - 00000000 ____D () C:\ProgramData\NVIDIA
2015-02-16 16:14 - 2008-10-18 08:41 - 00000000 ____D () C:\Program Files\Java
2015-02-16 16:14 - 2008-10-18 08:40 - 00000000 ____D () C:\Program Files\Common Files\Java
2015-02-16 16:11 - 2010-03-30 10:38 - 00000000 ____D () C:\ProgramData\Yahoo!
2015-02-16 16:11 - 2010-03-30 10:33 - 00000000 ____D () C:\Program Files\Yahoo!
2015-02-16 15:58 - 2008-08-13 15:09 - 00009268 _____ () C:\Users\RDT\AppData\Local\d3d9caps.dat

==================== Files in the root of some directories =======

2008-10-04 08:38 - 2008-10-04 09:02 - 0004343 _____ () C:\Users\RDT\AppData\Roaming\Comma Separated Values (DOS).NOT
2008-08-13 15:09 - 2015-02-16 15:58 - 0009268 _____ () C:\Users\RDT\AppData\Local\d3d9caps.dat
2008-10-27 08:14 - 2015-02-27 20:17 - 0031744 _____ () C:\Users\RDT\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
2009-09-17 09:15 - 2014-07-24 08:42 - 0003484 _____ () C:\ProgramData\hpzinstall.log

Some content of TEMP:
====================
C:\Users\RDT\AppData\Local\Temp\ose00000.exe


==================== Bamital & volsnap Check =================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\explorer.exe => File is digitally signed
C:\Windows\system32\winlogon.exe => File is digitally signed
C:\Windows\system32\wininit.exe => File is digitally signed
C:\Windows\system32\svchost.exe => File is digitally signed
C:\Windows\system32\services.exe => File is digitally signed
C:\Windows\system32\User32.dll => File is digitally signed
C:\Windows\system32\userinit.exe => File is digitally signed
C:\Windows\system32\rpcss.dll => File is digitally signed
C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed


LastRegBack: 2015-03-11 15:58

==================== End Of Log ============================



#9 saymes

saymes
  • Topic Starter

  • Members
  • 21 posts
  • Local time:10:00 AM

Posted 12 March 2015 - 09:28 AM

FSS log. I have the PC disconnected from the internet; let me know if you want me to connect it and rescan.

 

Farbar Service Scanner Version: 17-01-2015
Ran by RDT (administrator) on 12-03-2015 at 10:19:13
Running from "C:\Users\RDT\Desktop\Desktop"
Microsoft® Windows Vista™ Business  Service Pack 2 (X86)
Boot Mode: Normal
****************************************************************

Internet Services:
============

Connection Status:
==============
Localhost is accessible.
There is no connection to network.
Attempt to access Google IP returned error. Google IP is unreachable
Attempt to access Google.com returned error: Other errors
Attempt to access Yahoo.com returned error: Other errors


Windows Firewall:
=============

Firewall Disabled Policy:
==================


System Restore:
============

System Restore Policy:
========================


Security Center:
============


Windows Update:
============

Windows Autoupdate Disabled Policy:
============================


Other Services:
==============


File Check:
========
C:\Windows\system32\nsisvc.dll => File is digitally signed
C:\Windows\system32\Drivers\nsiproxy.sys => File is digitally signed
C:\Windows\system32\dhcpcsvc.dll => File is digitally signed
C:\Windows\system32\Drivers\afd.sys => File is digitally signed
C:\Windows\system32\Drivers\tdx.sys => File is digitally signed
C:\Windows\system32\Drivers\tcpip.sys => File is digitally signed
C:\Windows\system32\dnsrslvr.dll => File is digitally signed
C:\Windows\system32\mpssvc.dll => File is digitally signed
C:\Windows\system32\bfe.dll => File is digitally signed
C:\Windows\system32\Drivers\mpsdrv.sys => File is digitally signed
C:\Windows\system32\SDRSVC.dll => File is digitally signed
C:\Windows\system32\vssvc.exe => File is digitally signed
C:\Windows\system32\wscsvc.dll => File is digitally signed
C:\Windows\system32\wbem\WMIsvc.dll => File is digitally signed
C:\Windows\system32\wuaueng.dll => File is digitally signed
C:\Windows\system32\qmgr.dll => File is digitally signed
C:\Windows\system32\es.dll => File is digitally signed
C:\Windows\system32\cryptsvc.dll => File is digitally signed
C:\Windows\system32\svchost.exe => File is digitally signed
C:\Windows\system32\rpcss.dll => File is digitally signed


**** End of log ****



#10 JSntgRvr

JSntgRvr

    Master Surgeon General


  • Malware Response Team
  • 11,749 posts
  • Gender:Male
  • Location:Puerto Rico
  • Local time:10:00 AM

Posted 12 March 2015 - 11:18 AM

All services seem to be running. What errors are you receiving when attempting to create a System Restore point? (Do not use System Restore to restore to a prior date, as we would be going back to the issues.) Are you still unable to reinstall Malwarebytes? You need an antivirus. I would recommend AVAST.
 
Please download the attached file and save it in the same directory as FRST.
  • Start FRST with Administrator privileges.
  • Press the Fix button.
  • When finished, a log file (Fixlog.txt) pops up and is saved to the same location the tool was run from.
    Please copy and paste its contents in your next reply.



#11 saymes

saymes
  • Topic Starter

  • Members
  • 21 posts
  • Local time:10:00 AM

Posted 12 March 2015 - 12:59 PM

Both System Restore and MalwareBytes are giving me Permissions errors.

#12 saymes

saymes
  • Topic Starter

  • Members
  • 21 posts
  • Local time:10:00 AM

Posted 12 March 2015 - 01:04 PM

Also seeing "MpCmdRun.exe encountered an error and had to close."



#13 saymes

saymes
  • Topic Starter

  • Members
  • 21 posts
  • Local time:10:00 AM

Posted 12 March 2015 - 01:11 PM

Latest FixLog:

 

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x86) Version: 09-03-2015 01
Ran by RDT at 2015-03-12 14:09:07 Run:2
Running from C:\Users\RDT\Desktop\Desktop
Loaded Profiles: RDT (Available profiles: RDT & UpdatusUser)
Boot Mode: Normal

==============================================

Content of fixlist:
*****************
C:\bADNTKernel
C:\Windows\Temp068E9C28-0D1D-9CAE-12EE-92D930AD20BB-Signatures
C:\ProgramData\BadNTKernel
C:\DnLoaded
C:\Users\RDT\AppData\Roaming\Comma Separated Values (DOS).NOT
C:\Users\RDT\AppData\Local\d3d9caps.dat
C:\Users\RDT\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
C:\ProgramData\hpzinstall.log
C:\Users\RDT\AppData\Local\Temp\ose00000.exe
*****************

C:\bADNTKernel => Moved successfully.
C:\Windows\Temp068E9C28-0D1D-9CAE-12EE-92D930AD20BB-Signatures => Moved successfully.
C:\ProgramData\BadNTKernel => Moved successfully.
C:\DnLoaded => Moved successfully.
C:\Users\RDT\AppData\Roaming\Comma Separated Values (DOS).NOT => Moved successfully.
C:\Users\RDT\AppData\Local\d3d9caps.dat => Moved successfully.
C:\Users\RDT\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini => Moved successfully.
C:\ProgramData\hpzinstall.log => Moved successfully.
C:\Users\RDT\AppData\Local\Temp\ose00000.exe => Moved successfully.

==== End of Fixlog 14:09:07 ====



#14 JSntgRvr

JSntgRvr

    Master Surgeon General


  • Malware Response Team
  • 11,749 posts
  • Gender:Male
  • Location:Puerto Rico
  • Local time:10:00 AM

Posted 12 March 2015 - 02:13 PM

Before we touch the permissions, let's uninstall and reinstall Malwarebytes.

Please follow these steps:

1. Uninstall Malwarebytes' Anti-Malware using Add/Remove programs in the control panel.
2. Restart your computer (very important).
3. Download and run this utility. mbam-clean.exe
4. It will ask to restart your computer (please allow it to).
5. After the computer restarts, install the latest version from here. mbam-setup.exe

Launch the program. Then go to the UPDATE tab if not done during installation and check for updates.
Restart the computer again and verify that you can run a quick scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to restart. (See Extra Note.)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the entire report in your next reply.
Extra Note:

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.



#15 JSntgRvr

JSntgRvr

    Master Surgeon General


  • Malware Response Team
  • 11,749 posts
  • Gender:Male
  • Location:Puerto Rico
  • Local time:10:00 AM

Posted 12 March 2015 - 02:14 PM

Don't forget to install an antivirus.





