Ninja rdsrv redirect.


9 replies to this topic

#1 shival

shival

  • Members
  • 38 posts

Posted 05 April 2015 - 07:23 AM

 

Gave the computer to my parents and, of course, something changed. The computer seems a bit slower and lags a lot. But the biggest problem is redirecting to rdsrv.com. What is funny: I have Malwarebytes installed and it blocks those pop-ups, BUT its scans aren't finding anything. Dr.Web CureIt, RKill, TDSSKiller, AdwCleaner: nothing.
Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 11-03-2015
Ran by zero (administrator) on JEDEN on 05-04-2015 13:59:00
Running from C:\Users\zero\Downloads
Loaded Profiles: zero (Available profiles: zero)
Platform: Windows 7 Ultimate Service Pack 1 (X64) OS Language: Polski (Polska)
Internet Explorer Version 9 (Default browser: Chrome)
Boot Mode: Normal
 
==================== Processes (Whitelisted) =================
 
(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)
 
(NVIDIA Corporation) C:\Windows\System32\nvvsvc.exe
(NVIDIA Corporation) C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe
(NVIDIA Corporation) C:\Windows\System32\nvvsvc.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe
(Malwarebytes Corporation) D:\Programy\Malwarebytes Anti-Malware\mbamscheduler.exe
(Malwarebytes Corporation) D:\Programy\Malwarebytes Anti-Malware\mbamservice.exe
(Malwarebytes Corporation) D:\Programy\Malwarebytes Anti-Malware\mbam.exe
(NVIDIA Corporation) C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe
(NVIDIA Corporation) C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe
(Pixart Imaging Inc) C:\Windows\System32\TiltWheelMouse.exe
(Oracle Corporation) C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\Display\nvtray.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
 
 
==================== Registry (Whitelisted) ==================
 
(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)
 
HKLM\...\Run: [MouseDriver] => C:\Windows\system32\TiltWheelMouse.exe [241152 2012-12-19] (Pixart Imaging Inc)
HKLM\...\Run: [NvBackend] => C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe [2460488 2014-09-17] (NVIDIA Corporation)
HKLM\...\Run: [ShadowPlay] => C:\Windows\system32\rundll32.exe C:\Windows\system32\nvspcap64.dll,ShadowPlayOnSystemStart
HKLM-x32\...\Run: [SunJavaUpdateSched] => C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe [271744 2014-09-26] (Oracle Corporation)
HKLM\...\Policies\Explorer: [NoRecentDocsNetHood] 1
HKU\S-1-5-19\...\Run: [Sidebar] => %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun
HKU\S-1-5-20\...\Run: [Sidebar] => %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun
HKU\S-1-5-21-1505910237-804880841-1545532571-1000\...\Policies\Explorer: [NoRecentDocsNetHood] 1
HKU\S-1-5-21-1505910237-804880841-1545532571-1000\...\MountPoints2: {4428e3c0-0d51-11e4-a5a2-806e6f6e6963} - H:\setup.exe
HKU\S-1-5-21-1505910237-804880841-1545532571-1000\...\MountPoints2: {f86b4672-17fa-11e4-830c-002354d92c72} - I:\LGAutoRun.exe
HKU\S-1-5-18\...\RunOnce: [SPReview] => C:\Windows\System32\SPReview\SPReview.exe [301568 2014-07-14] (Microsoft Corporation)
 
==================== Internet (Whitelisted) ====================
 
(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)
 
HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = 
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Search Page = 
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = 
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.google.com
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = 
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Search_URL = 
HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = 
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Local Page = 
HKU\S-1-5-21-1505910237-804880841-1545532571-1000\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
SearchScopes: HKU\.DEFAULT -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
SearchScopes: HKU\S-1-5-19 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
SearchScopes: HKU\S-1-5-20 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
BHO-x32: Java™ Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files (x86)\Java\jre7\bin\ssv.dll [2015-01-18] (Oracle Corporation)
BHO-x32: Java™ Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files (x86)\Java\jre7\bin\jp2ssv.dll [2015-01-18] (Oracle Corporation)
Tcpip\Parameters: [DhcpNameServer] 104.236.121.25 8.8.8.8
 
FireFox:
========
FF Plugin: @adobe.com/FlashPlayer -> C:\Windows\system32\Macromed\Flash\NPSWF64_16_0_0_305.dll [2015-02-05] ()
FF Plugin: @microsoft.com/GENUINE -> disabled No File
FF Plugin-x32: @adobe.com/FlashPlayer -> C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_16_0_0_305.dll [2015-02-05] ()
FF Plugin-x32: @java.com/DTPlugin,version=10.71.2 -> C:\Program Files (x86)\Java\jre7\bin\dtplugin\npDeployJava1.dll [2015-01-18] (Oracle Corporation)
FF Plugin-x32: @java.com/JavaPlugin,version=10.71.2 -> C:\Program Files (x86)\Java\jre7\bin\plugin2\npjp2.dll [2015-01-18] (Oracle Corporation)
FF Plugin-x32: @microsoft.com/GENUINE -> disabled No File
FF Plugin-x32: @nvidia.com/3DVision -> C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dv.dll [2014-07-02] (NVIDIA Corporation)
FF Plugin-x32: @nvidia.com/3DVisionStreaming -> C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dvstreaming.dll [2014-07-02] (NVIDIA Corporation)
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.26.9\npGoogleUpdate3.dll [2015-02-07] (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.26.9\npGoogleUpdate3.dll [2015-02-07] (Google Inc.)
FF Plugin-x32: Adobe Reader -> C:\Program Files (x86)\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll [2014-12-03] (Adobe Systems Inc.)
FF Plugin HKU\S-1-5-21-1505910237-804880841-1545532571-1000: vsee.com/VSeeDetection -> C:\Users\zero\AppData\Roaming\VSeeInstall\npVSeeDetection.dll [2014-07-16] (VSee Lab)
 
Chrome: 
=======
CHR Profile: C:\Users\zero\AppData\Local\Google\Chrome\User Data\Default
CHR Extension: (Google Slides) - C:\Users\zero\AppData\Local\Google\Chrome\User Data\Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek [2014-10-17]
CHR Extension: (Google Docs) - C:\Users\zero\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake [2014-10-17]
CHR Extension: (Google Drive) - C:\Users\zero\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2014-10-17]
CHR Extension: (YouTube) - C:\Users\zero\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2014-10-17]
CHR Extension: (Google Search) - C:\Users\zero\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf [2014-10-17]
CHR Extension: (Google Sheets) - C:\Users\zero\AppData\Local\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap [2014-10-17]
CHR Extension: (Auto Refresh) - C:\Users\zero\AppData\Local\Google\Chrome\User Data\Default\Extensions\ifooldnmmcmlbdennkpdnlnbgbmfalko [2014-12-21]
CHR Extension: (Google Wallet) - C:\Users\zero\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2014-10-17]
CHR Extension: (Gmail) - C:\Users\zero\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2014-10-17]
 
==================== Services (Whitelisted) =================
 
(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)
 
R2 GfExperienceService; C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe [1148744 2014-09-17] (NVIDIA Corporation)
R2 MBAMScheduler; D:\Programy\Malwarebytes Anti-Malware\mbamscheduler.exe [1871160 2014-11-21] (Malwarebytes Corporation)
R2 MBAMService; D:\Programy\Malwarebytes Anti-Malware\mbamservice.exe [969016 2014-11-21] (Malwarebytes Corporation)
R2 NvNetworkService; C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe [1795912 2014-09-17] (NVIDIA Corporation)
R2 NvStreamSvc; C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe [19439944 2014-09-17] (NVIDIA Corporation)
S3 OpenVPNService; D:\Programy\OpenVPN\bin\openvpnserv.exe [37176 2014-06-05] (The OpenVPN Project)
R2 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [1011712 2013-05-27] (Microsoft Corporation)
 
==================== Drivers (Whitelisted) ====================
 
(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)
 
R3 MBAMProtector; C:\Windows\system32\drivers\mbam.sys [25816 2014-11-21] (Malwarebytes Corporation)
R3 MBAMSwissArmy; C:\Windows\system32\drivers\MBAMSwissArmy.sys [129752 2015-04-05] (Malwarebytes Corporation)
R3 MBAMWebAccessControl; C:\Windows\system32\drivers\mwac.sys [63704 2014-11-21] (Malwarebytes Corporation)
R3 MTsensor; C:\Windows\System32\DRIVERS\ASACPI.sys [8192 2005-03-29] ()
R3 NvStreamKms; C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamKms.sys [19272 2014-09-17] (NVIDIA Corporation)
R3 nvvad_WaveExtensible; C:\Windows\System32\drivers\nvvad64v.sys [38048 2014-09-04] (NVIDIA Corporation)
R0 sptd; C:\Windows\System32\Drivers\sptd.sys [386680 2014-07-17] (Duplex Secure Ltd.)
U3 TrueSight; C:\Windows\System32\drivers\TrueSight.sys [35064 2015-03-22] ()
S3 t_mouse.sys; C:\Windows\System32\DRIVERS\t_mouse.sys [6144 2012-12-19] ()
U3 aoalfye2; C:\Windows\System32\Drivers\aoalfye2.sys [0 ] (Advanced Micro Devices) <==== ATTENTION (zero size file/folder)
S3 EagleX64; \??\C:\Windows\system32\drivers\EagleX64.sys [X]
S3 Synth3dVsc; System32\drivers\synth3dvsc.sys [X]
S3 tsusbhub; system32\drivers\tsusbhub.sys [X]
S3 VGPU; System32\drivers\rdvgkmd.sys [X]
 
==================== NetSvcs (Whitelisted) ===================
 
(If an item is included in the fixlist, it will be removed from the registry. Any associated file could be listed separately to be moved.)
 
 
==================== One Month Created Files and Folders ========
 
(If an entry is included in the fixlist, the file\folder will be moved.)
 
2015-04-05 13:59 - 2015-04-05 13:59 - 00011343 _____ () C:\Users\zero\Downloads\FRST.txt
2015-04-05 13:58 - 2015-04-05 13:59 - 00000000 ____D () C:\FRST
2015-04-05 13:58 - 2015-04-05 13:58 - 02095616 _____ (Farbar) C:\Users\zero\Downloads\FRST64.exe
2015-04-05 13:45 - 2015-04-05 13:47 - 00002032 _____ () C:\Users\zero\Desktop\Rkill.txt
2015-04-05 13:45 - 2015-04-05 13:45 - 01943800 _____ (Bleeping Computer, LLC) C:\Users\zero\Downloads\iExplore.exe
2015-04-05 13:42 - 2015-04-05 13:42 - 00000754 _____ () C:\Users\zero\Desktop\JRT.txt
2015-04-05 13:39 - 2015-04-05 13:39 - 00000207 _____ () C:\Windows\tweaking.com-regbackup-JEDEN-Windows-7-Ultimate-(64-bit).dat
2015-04-05 13:39 - 2015-04-05 13:39 - 00000000 ____D () C:\RegBackup
2015-04-05 13:34 - 2015-04-05 13:34 - 04197016 _____ (Kaspersky Lab ZAO) C:\Users\zero\Downloads\tdsskiller.exe
2015-04-05 13:34 - 2015-04-05 13:34 - 04197016 _____ (Kaspersky Lab ZAO) C:\Users\zero\Downloads\tdsskiller (1).exe
2015-04-05 13:34 - 2015-04-05 13:34 - 02690981 _____ (Thisisu) C:\Users\zero\Downloads\JRT.exe
2015-04-05 13:16 - 2015-04-05 13:16 - 02208768 _____ () C:\Users\zero\Downloads\adwcleaner_4.200.exe
2015-04-04 22:04 - 2015-04-05 13:51 - 00000672 _____ () C:\Windows\setupact.log
2015-04-04 22:04 - 2015-04-04 22:05 - 00267360 _____ () C:\Windows\system32\FNTCACHE.DAT
2015-04-04 22:04 - 2015-04-04 22:04 - 00000000 _____ () C:\Windows\setuperr.log
2015-03-26 11:10 - 2015-03-26 17:48 - 00129752 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\233E2A45.sys
2015-03-22 14:24 - 2015-03-22 14:29 - 00035064 _____ () C:\Windows\system32\Drivers\TrueSight.sys
2015-03-22 14:11 - 2015-04-05 13:47 - 00000000 ____D () C:\AdwCleaner
2015-03-22 13:51 - 2015-03-22 14:23 - 00129752 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\4C786D75.sys
2015-03-21 14:18 - 2015-03-21 14:35 - 00129752 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\6CBA33DA.sys
2015-03-20 21:41 - 2015-03-20 21:41 - 00123473 _____ () C:\Users\zero\Desktop\BIZNESPLAN.odt
2015-03-17 10:27 - 2015-03-17 18:47 - 00129752 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\18D94A5A.sys
2015-03-16 15:30 - 2015-03-16 15:30 - 00000000 _____ () C:\Users\zero\Desktop\Nowy dokument tekstowy.txt
2015-03-10 08:00 - 2015-03-10 08:00 - 00129752 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\087F36FA.sys
2015-03-07 20:45 - 2015-03-07 20:50 - 163635344 _____ () C:\Users\zero\Desktop\skpfvisr.exe
 
==================== One Month Modified Files and Folders =======
 
(If an entry is included in the fixlist, the file\folder will be moved.)
 
2015-04-05 13:59 - 2009-07-14 06:45 - 00014544 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2015-04-05 13:59 - 2009-07-14 06:45 - 00014544 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2015-04-05 13:58 - 2009-07-14 19:55 - 00740422 _____ () C:\Windows\system32\perfh015.dat
2015-04-05 13:58 - 2009-07-14 19:55 - 00155996 _____ () C:\Windows\system32\perfc015.dat
2015-04-05 13:58 - 2009-07-14 07:13 - 01670518 _____ () C:\Windows\system32\PerfStringBackup.INI
2015-04-05 13:54 - 2014-07-13 20:46 - 01208575 _____ () C:\Windows\WindowsUpdate.log
2015-04-05 13:52 - 2014-07-13 21:29 - 00129752 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
2015-04-05 13:51 - 2014-10-17 20:57 - 00001044 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2015-04-05 13:51 - 2014-09-29 13:49 - 00000000 ____D () C:\ProgramData\NVIDIA
2015-04-05 13:51 - 2009-07-14 07:08 - 00000006 ____H () C:\Windows\Tasks\SA.DAT
2015-04-05 13:30 - 2014-07-14 02:31 - 00000930 _____ () C:\Windows\Tasks\Adobe Flash Player Updater.job
2015-04-05 13:17 - 2014-10-17 20:57 - 00001048 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2015-04-04 18:13 - 2014-07-24 17:56 - 00000000 ____D () C:\Users\zero\AppData\Local\CrashDumps
2015-04-04 18:13 - 2014-07-17 03:24 - 00000000 ____D () C:\Users\zero\AppData\Roaming\DAEMON Tools Lite
2015-04-04 18:13 - 2014-07-13 23:44 - 00003630 _____ () C:\Windows\System32\Tasks\AviatorUpdateTask
2015-04-04 01:18 - 2014-10-17 20:59 - 00002189 _____ () C:\Users\Public\Desktop\Google Chrome.lnk
2015-03-21 19:42 - 2014-07-13 21:02 - 00000000 ____D () C:\Users\zero
2015-03-21 14:55 - 2014-07-30 19:06 - 00000000 ____D () C:\Users\zero\Doctor Web
2015-03-21 14:42 - 2009-07-14 05:20 - 00000000 ____D () C:\Windows\system32\NDF
2015-03-20 21:27 - 2014-07-14 01:15 - 00000000 ____D () C:\Users\zero\AppData\Roaming\.wtw
2015-03-16 14:50 - 2009-07-14 07:08 - 00032608 _____ () C:\Windows\Tasks\SCHEDLGU.TXT
2015-03-08 14:59 - 2014-10-18 12:01 - 00000000 ____D () C:\Users\zero\AppData\Roaming\TS3Client
2015-03-07 18:38 - 2015-02-14 15:19 - 00000010 _____ () C:\Users\zero\Desktop\godziny.txt
 
==================== Files in the root of some directories =======
 
2014-07-29 17:56 - 2014-07-29 17:56 - 0003584 _____ () C:\Users\zero\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
2015-01-15 12:23 - 2015-01-15 12:23 - 0000218 _____ () C:\Users\zero\AppData\Local\recently-used.xbel
2014-12-26 17:02 - 2014-12-26 17:02 - 0003584 _____ () C:\ProgramData\wtwLicensing.db
 
==================== Bamital & volsnap Check =================
 
(There is no automatic fix for files that do not pass verification.)
 
C:\Windows\System32\winlogon.exe => File is digitally signed
C:\Windows\System32\wininit.exe => File is digitally signed
C:\Windows\SysWOW64\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\System32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\System32\services.exe => File is digitally signed
C:\Windows\System32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\System32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\System32\rpcss.dll => File is digitally signed
C:\Windows\System32\Drivers\volsnap.sys => File is digitally signed
 
 
LastRegBack: 2015-04-04 17:08
 

 

==================== End Of Log ============================

 

"C:\Users\zero\Desktop\skpfvisr.exe" - this is dr web cure it 4 sure

 

 

bleeping, wat do  :bananas:  :smash: 

 


#2 nasdaq

nasdaq

  • Malware Response Team
  • 40,453 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 05 April 2015 - 08:23 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can, please print this topic; it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===


ATTENTION: System Restore is disabled.


Turn System Restore on - Windows Help
http://windows.microsoft.com/en-ca/windows/turn-system-restore-on-off#1TC=windows-7
===

Open notepad (Start =>All Programs => Accessories => Notepad). Please copy the entire contents of the code box below.
 
start

CloseProcesses:

FF Plugin: @microsoft.com/GENUINE -> disabled No File
FF Plugin-x32: @microsoft.com/GENUINE -> disabled No File
U3 aoalfye2; C:\Windows\System32\Drivers\aoalfye2.sys [0 ] (Advanced Micro Devices) <==== ATTENTION (zero size file/folder)
S3 EagleX64; \??\C:\Windows\system32\drivers\EagleX64.sys [X]
S3 Synth3dVsc; System32\drivers\synth3dvsc.sys [X]
S3 tsusbhub; system32\drivers\tsusbhub.sys [X]
S3 VGPU; System32\drivers\rdvgkmd.sys [X]
C:\Windows\System32\Drivers\aoalfye2.sys

End
Save the file as fixlist.txt into the same folder as FRST.

Run FRST and click Fix only once and wait.

Restart the computer normally to reset the registry.

The tool will create a log (Fixlog.txt); please post it in your reply.
===

Reset the browsers that have been compromised.

Reset Chrome...
Open Google Chrome and click on the menu icon, which is located at the top right of the Google Chrome window.
 
Click "Settings" then "Show advanced settings" at the bottom of the screen.
 
Click "Reset browser settings" button.
 
Restart Chrome.
====

Firefox:
Reset Default Browsing settings:
https://support.mozilla.org/en-US/kb/reset-firefox-easily-fix-problems?utm_expid=65912487-41.djHNRQY0RhaLvvtvcd0BQA.2&utm_referrer=https%3A%2F%2Fwww.google.ca%2F
===

Reset Internet Explorer:
Menu > Tools > Internet Options > Advanced Tab.
Click the Reset button on the bottom of the pane.
Click the Apply button.
Close IE.

===

How is the computer running now?
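As an added example (not part of nasdaq's instructions or of the FRST tool itself): a small Python triage script that reads an FRST.txt in the format quoted in this thread, flags the kinds of entries that went into the fixlist here (services and drivers whose file is missing, marked `[X]`; the zero-size driver; anything FRST itself tagged with `ATTENTION`; Firefox plugin registrations with `No File`) and drafts a fixlist.txt in the same start/CloseProcesses:/End layout. The sample log text is constructed from lines posted above, and the regular expressions are my own reading of the log format, not FRST's.

```python
"""Triage an FRST.txt log for orphaned or suspicious entries and draft a fixlist.

Added example, not FRST code. Parses Services/Drivers lines and Firefox plugin
lines in the layout FRST prints, flags the entries a helper would normally move
into a fixlist, and emits a fixlist.txt in the shape used in this thread.
"""
import re
from dataclasses import dataclass, field

# Constructed sample: lines copied from the FRST.txt posted in this thread.
SAMPLE_FRST = r"""
FireFox:
========
FF Plugin: @adobe.com/FlashPlayer -> C:\Windows\system32\Macromed\Flash\NPSWF64_16_0_0_305.dll [2015-02-05] ()
FF Plugin: @microsoft.com/GENUINE -> disabled No File

==================== Services (Whitelisted) =================

R2 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [1011712 2013-05-27] (Microsoft Corporation)

==================== Drivers (Whitelisted) ====================

R3 MBAMProtector; C:\Windows\system32\drivers\mbam.sys [25816 2014-11-21] (Malwarebytes Corporation)
R3 MTsensor; C:\Windows\System32\DRIVERS\ASACPI.sys [8192 2005-03-29] ()
U3 aoalfye2; C:\Windows\System32\Drivers\aoalfye2.sys [0 ] (Advanced Micro Devices) <==== ATTENTION (zero size file/folder)
S3 EagleX64; \??\C:\Windows\system32\drivers\EagleX64.sys [X]
S3 Synth3dVsc; System32\drivers\synth3dvsc.sys [X]
"""

# "R3 name; path [size date] (vendor) <==== note"  (vendor and note are optional)
SERVICE_RE = re.compile(
    r"^(?P<state>[A-Z]\d)\s+(?P<name>[^;]+);\s+(?P<path>.+?)\s+\[(?P<meta>[^\]]*)\]"
    r"(?:\s+\((?P<vendor>[^)]*)\))?(?:\s+<====\s*(?P<note>.*))?$"
)
# "FF Plugin-x32: id -> target"
FF_PLUGIN_RE = re.compile(r"^(?P<kind>FF Plugin[^:]*):\s+(?P<id>.+?)\s+->\s+(?P<target>.+)$")


@dataclass
class Finding:
    line: str                      # the log line verbatim: FRST accepts it as-is in a fixlist
    name: str
    reasons: list = field(default_factory=list)
    extra_fix_lines: list = field(default_factory=list)  # e.g. bare path of a zero-size file


def triage_frst(log_text: str) -> list:
    """Return a Finding for every entry that looks orphaned, empty or flagged by FRST."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = SERVICE_RE.match(line)
        if m:
            reasons, extra = [], []
            meta = m.group("meta").strip()
            if meta == "X":
                reasons.append("registry entry points to a file that is not on disk")
            else:
                size = meta.split()[0] if meta else ""
                if size.isdigit() and int(size) == 0:
                    reasons.append("zero-size file")
                    extra.append(m.group("path"))  # list the path too, so the file is moved
            if m.group("note"):
                reasons.append("FRST marked it: " + m.group("note").strip())
            if reasons:
                findings.append(Finding(line, m.group("name"), reasons, extra))
            continue
        m = FF_PLUGIN_RE.match(line)
        if m and m.group("target").endswith("No File"):
            findings.append(Finding(line, m.group("id"), ["plugin registration with no file"]))
    return findings


def build_fixlist(findings: list) -> str:
    """Draft a fixlist.txt in the layout used in this thread (start / CloseProcesses: / End)."""
    body, seen = [], set()
    for f in findings:
        for entry in [f.line] + f.extra_fix_lines:
            if entry not in seen:
                seen.add(entry)
                body.append(entry)
    return "\n".join(["start", "", "CloseProcesses:", "", *body, "", "End"]) + "\n"


if __name__ == "__main__":
    for f in triage_frst(SAMPLE_FRST):
        print(f"{f.name}: {'; '.join(f.reasons)}")
    print(build_fixlist(triage_frst(SAMPLE_FRST)))
```

The draft is a starting point for a human reviewer; whitelisted vendor entries such as MBAMProtector or MTsensor are deliberately left alone because a present, non-empty file is not by itself a finding.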

#3 shival

shival
  • Topic Starter

  • Members
  • 38 posts

Posted 06 April 2015 - 08:26 AM

Wow, you guys are so fast! Thanks for the response.

 

What is funny: I couldn't replicate the rdsrv redirect today, even before applying the fix; it just vanished. I did it anyway; here is the log:

 

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 11-03-2015

Ran by zero at 2015-04-06 14:18:07 Run:1
Running from C:\Users\zero\Downloads
Loaded Profiles: zero (Available profiles: zero)
Boot Mode: Normal
==============================================
 
Content of fixlist:
*****************
start
 
CloseProcesses:
 
FF Plugin: @microsoft.com/GENUINE -> disabled No File
FF Plugin-x32: @microsoft.com/GENUINE -> disabled No File
U3 aoalfye2; C:\Windows\System32\Drivers\aoalfye2.sys [0 ] (Advanced Micro Devices) <==== ATTENTION (zero size file/folder)
S3 EagleX64; \??\C:\Windows\system32\drivers\EagleX64.sys [X]
S3 Synth3dVsc; System32\drivers\synth3dvsc.sys [X]
S3 tsusbhub; system32\drivers\tsusbhub.sys [X]
S3 VGPU; System32\drivers\rdvgkmd.sys [X]
C:\Windows\System32\Drivers\aoalfye2.sys
 
End
*****************
 
Processes closed successfully.
"HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE" => Key deleted successfully.
"HKLM\Software\Wow6432Node\MozillaPlugins\@microsoft.com/GENUINE" => Key deleted successfully.
aoalfye2 => Service not found.
EagleX64 => Service deleted successfully.
Synth3dVsc => Service deleted successfully.
tsusbhub => Service deleted successfully.
VGPU => Service deleted successfully.
"C:\Windows\System32\Drivers\aoalfye2.sys" => File/Directory not found.
 
 
The system needed a reboot. 
 
==== End of Fixlog 14:18:07 ====

Currently there are no obvious problems. It's hard to tell if performance is better so soon; this OS installation is pretty old, so it could always just be that.



#4 nasdaq

nasdaq

  • Malware Response Team
  • 40,453 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 06 April 2015 - 12:53 PM

If all is well:

To learn more about how to protect yourself while on the internet, read this little guide on best security practices to keep safe.
http://www.bleepingcomputer.com/forums/t/407147/answers-to-common-security-questions-best-practices/
===

#5 shival

shival
  • Topic Starter

  • Members
  • 38 posts

Posted 06 April 2015 - 02:22 PM

Sorry, now it's back. Sending another Farbar scan just in case:

 

 

Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 11-03-2015

Ran by zero (administrator) on JEDEN on 06-04-2015 21:10:39
Running from C:\Users\zero\Downloads
Loaded Profiles: zero (Available profiles: zero)
Platform: Windows 7 Ultimate Service Pack 1 (X64) OS Language: Polski (Polska)
Internet Explorer Version 9 (Default browser: Chrome)
Boot Mode: Normal
 
==================== Processes (Whitelisted) =================
 
(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)
 
(NVIDIA Corporation) C:\Windows\System32\nvvsvc.exe
(NVIDIA Corporation) C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe
(NVIDIA Corporation) C:\Windows\System32\nvvsvc.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe
(Malwarebytes Corporation) D:\Programy\Malwarebytes Anti-Malware\mbamscheduler.exe
(Malwarebytes Corporation) D:\Programy\Malwarebytes Anti-Malware\mbamservice.exe
(Malwarebytes Corporation) D:\Programy\Malwarebytes Anti-Malware\mbam.exe
(NVIDIA Corporation) C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe
(Microsoft Corporation) C:\Windows\System32\rundll32.exe
(Pixart Imaging Inc) C:\Windows\System32\TiltWheelMouse.exe
(NVIDIA Corporation) C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe
(Oracle Corporation) C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\Display\nvtray.exe
(K2T.eu, Kaworu) D:\Programy\wtw\wtw.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Microsoft Corporation) C:\Windows\System32\prevhost.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe
 
 
==================== Registry (Whitelisted) ==================
 
(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)
 
HKLM\...\Run: [MouseDriver] => C:\Windows\system32\TiltWheelMouse.exe [241152 2012-12-19] (Pixart Imaging Inc)
HKLM\...\Run: [NvBackend] => C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe [2460488 2014-09-17] (NVIDIA Corporation)
HKLM\...\Run: [ShadowPlay] => C:\Windows\system32\rundll32.exe C:\Windows\system32\nvspcap64.dll,ShadowPlayOnSystemStart
HKLM-x32\...\Run: [SunJavaUpdateSched] => C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe [271744 2014-09-26] (Oracle Corporation)
HKLM\...\Policies\Explorer: [NoRecentDocsNetHood] 1
HKU\S-1-5-19\...\Run: [Sidebar] => %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun
HKU\S-1-5-20\...\Run: [Sidebar] => %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun
HKU\S-1-5-21-1505910237-804880841-1545532571-1000\...\Run: [DAEMON Tools Lite] => D:\Programy\DAEMON Tools Lite\DTLite.exe [3696912 2014-03-04] (Disc Soft Ltd)
HKU\S-1-5-21-1505910237-804880841-1545532571-1000\...\Policies\Explorer: [NoRecentDocsNetHood] 1
HKU\S-1-5-21-1505910237-804880841-1545532571-1000\...\MountPoints2: {4428e3c0-0d51-11e4-a5a2-806e6f6e6963} - H:\starsky.exe
HKU\S-1-5-21-1505910237-804880841-1545532571-1000\...\MountPoints2: {f86b4672-17fa-11e4-830c-002354d92c72} - I:\LGAutoRun.exe
HKU\S-1-5-18\...\RunOnce: [SPReview] => C:\Windows\System32\SPReview\SPReview.exe [301568 2014-07-14] (Microsoft Corporation)
 
==================== Internet (Whitelisted) ====================
 
(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)
 
HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = 
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Search Page = 
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = 
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.google.com
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = 
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Search_URL = 
HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = 
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Local Page = 
HKU\S-1-5-21-1505910237-804880841-1545532571-1000\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
SearchScopes: HKU\.DEFAULT -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
SearchScopes: HKU\S-1-5-19 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
SearchScopes: HKU\S-1-5-20 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
BHO-x32: Java™ Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files (x86)\Java\jre7\bin\ssv.dll [2015-01-18] (Oracle Corporation)
BHO-x32: Java™ Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files (x86)\Java\jre7\bin\jp2ssv.dll [2015-01-18] (Oracle Corporation)
Tcpip\Parameters: [DhcpNameServer] 104.236.41.61 8.8.8.8
 
FireFox:
========
FF Plugin: @adobe.com/FlashPlayer -> C:\Windows\system32\Macromed\Flash\NPSWF64_16_0_0_305.dll [2015-02-05] ()
FF Plugin-x32: @adobe.com/FlashPlayer -> C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_16_0_0_305.dll [2015-02-05] ()
FF Plugin-x32: @java.com/DTPlugin,version=10.71.2 -> C:\Program Files (x86)\Java\jre7\bin\dtplugin\npDeployJava1.dll [2015-01-18] (Oracle Corporation)
FF Plugin-x32: @java.com/JavaPlugin,version=10.71.2 -> C:\Program Files (x86)\Java\jre7\bin\plugin2\npjp2.dll [2015-01-18] (Oracle Corporation)
FF Plugin-x32: @nvidia.com/3DVision -> C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dv.dll [2014-07-02] (NVIDIA Corporation)
FF Plugin-x32: @nvidia.com/3DVisionStreaming -> C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dvstreaming.dll [2014-07-02] (NVIDIA Corporation)
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.26.9\npGoogleUpdate3.dll [2015-02-07] (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.26.9\npGoogleUpdate3.dll [2015-02-07] (Google Inc.)
FF Plugin-x32: Adobe Reader -> C:\Program Files (x86)\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll [2014-12-03] (Adobe Systems Inc.)
FF Plugin HKU\S-1-5-21-1505910237-804880841-1545532571-1000: vsee.com/VSeeDetection -> C:\Users\zero\AppData\Roaming\VSeeInstall\npVSeeDetection.dll [2014-07-16] (VSee Lab)
 
Chrome: 
=======
CHR Profile: C:\Users\zero\AppData\Local\Google\Chrome\User Data\Default
CHR Extension: (Google Slides) - C:\Users\zero\AppData\Local\Google\Chrome\User Data\Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek [2014-10-17]
CHR Extension: (Google Docs) - C:\Users\zero\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake [2014-10-17]
CHR Extension: (Google Drive) - C:\Users\zero\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2014-10-17]
CHR Extension: (YouTube) - C:\Users\zero\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2014-10-17]
CHR Extension: (Google Search) - C:\Users\zero\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf [2014-10-17]
CHR Extension: (Google Sheets) - C:\Users\zero\AppData\Local\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap [2014-10-17]
CHR Extension: (Auto Refresh) - C:\Users\zero\AppData\Local\Google\Chrome\User Data\Default\Extensions\ifooldnmmcmlbdennkpdnlnbgbmfalko [2014-12-21]
CHR Extension: (Google Wallet) - C:\Users\zero\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2014-10-17]
CHR Extension: (Gmail) - C:\Users\zero\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2014-10-17]
 
==================== Services (Whitelisted) =================
 
(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)
 
R2 GfExperienceService; C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe [1148744 2014-09-17] (NVIDIA Corporation)
R2 MBAMScheduler; D:\Programy\Malwarebytes Anti-Malware\mbamscheduler.exe [1871160 2014-11-21] (Malwarebytes Corporation)
R2 MBAMService; D:\Programy\Malwarebytes Anti-Malware\mbamservice.exe [969016 2014-11-21] (Malwarebytes Corporation)
R2 NvNetworkService; C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe [1795912 2014-09-17] (NVIDIA Corporation)
R2 NvStreamSvc; C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe [19439944 2014-09-17] (NVIDIA Corporation)
S3 OpenVPNService; D:\Programy\OpenVPN\bin\openvpnserv.exe [37176 2014-06-05] (The OpenVPN Project)
R2 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [1011712 2013-05-27] (Microsoft Corporation)
 
==================== Drivers (Whitelisted) ====================
 
(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)
 
R3 MBAMProtector; C:\Windows\system32\drivers\mbam.sys [25816 2014-11-21] (Malwarebytes Corporation)
R3 MBAMSwissArmy; C:\Windows\system32\drivers\MBAMSwissArmy.sys [129752 2015-04-06] (Malwarebytes Corporation)
R3 MBAMWebAccessControl; C:\Windows\system32\drivers\mwac.sys [63704 2014-11-21] (Malwarebytes Corporation)
R3 MTsensor; C:\Windows\System32\DRIVERS\ASACPI.sys [8192 2005-03-29] ()
R3 NvStreamKms; C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamKms.sys [19272 2014-09-17] (NVIDIA Corporation)
R3 nvvad_WaveExtensible; C:\Windows\System32\drivers\nvvad64v.sys [38048 2014-09-04] (NVIDIA Corporation)
R0 sptd; C:\Windows\System32\Drivers\sptd.sys [386680 2014-07-17] (Duplex Secure Ltd.)
U3 TrueSight; C:\Windows\System32\drivers\TrueSight.sys [35064 2015-03-22] ()
S3 t_mouse.sys; C:\Windows\System32\DRIVERS\t_mouse.sys [6144 2012-12-19] ()
U3 alfm084b; C:\Windows\System32\Drivers\alfm084b.sys [0 ] (Advanced Micro Devices) <==== ATTENTION (zero size file/folder)
 
==================== NetSvcs (Whitelisted) ===================
 
(If an item is included in the fixlist, it will be removed from the registry. Any associated file could be listed separately to be moved.)
 
 
==================== One Month Created Files and Folders ========
 
(If an entry is included in the fixlist, the file\folder will be moved.)
 
2015-04-05 21:17 - 2015-04-05 21:17 - 00001182 _____ () C:\Users\Public\Desktop\Starsky & Hutch.lnk
2015-04-05 21:17 - 2015-04-05 21:17 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Empire Interactive
2015-04-05 21:15 - 2015-04-05 21:15 - 00000000 ____D () C:\Program Files (x86)\Empire Interactive
2015-04-05 21:13 - 2015-04-05 21:13 - 00001182 _____ () C:\Users\zero\AppData\Local\recently-used.xbel
2015-04-05 19:46 - 2015-04-05 19:46 - 00000618 _____ () C:\Users\Public\Desktop\Crimsonland.lnk
2015-04-05 19:46 - 2015-04-05 19:46 - 00000000 ____D () C:\Users\zero\AppData\Roaming\10tons
2015-04-05 19:46 - 2015-04-05 19:46 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\GOG.com
2015-04-05 19:42 - 2015-04-05 19:42 - 00000000 ____D () C:\Users\zero\Downloads\Crimsonland 2.0.0.1 HD DRM-free
2015-04-05 19:30 - 2015-04-05 19:39 - 77842457 _____ () C:\Users\zero\Desktop\Crimsonland.Steam.Edition-ALiAS-DW-musicwog.rar
2015-04-05 19:22 - 2015-04-05 19:22 - 00058016 _____ () C:\Users\zero\AppData\Local\GDIPFONTCACHEV1.DAT
2015-04-05 13:59 - 2015-04-06 21:10 - 00011475 _____ () C:\Users\zero\Downloads\FRST.txt
2015-04-05 13:59 - 2015-04-05 13:59 - 00011434 _____ () C:\Users\zero\Downloads\Addition.txt
2015-04-05 13:58 - 2015-04-06 21:10 - 00000000 ____D () C:\FRST
2015-04-05 13:58 - 2015-04-05 13:58 - 02095616 _____ (Farbar) C:\Users\zero\Downloads\FRST64.exe
2015-04-05 13:45 - 2015-04-05 13:47 - 00002032 _____ () C:\Users\zero\Desktop\Rkill.txt
2015-04-05 13:45 - 2015-04-05 13:45 - 01943800 _____ (Bleeping Computer, LLC) C:\Users\zero\Downloads\iExplore.exe
2015-04-05 13:42 - 2015-04-05 13:42 - 00000754 _____ () C:\Users\zero\Desktop\JRT.txt
2015-04-05 13:39 - 2015-04-05 13:39 - 00000207 _____ () C:\Windows\tweaking.com-regbackup-JEDEN-Windows-7-Ultimate-(64-bit).dat
2015-04-05 13:39 - 2015-04-05 13:39 - 00000000 ____D () C:\RegBackup
2015-04-05 13:34 - 2015-04-05 13:34 - 04197016 _____ (Kaspersky Lab ZAO) C:\Users\zero\Downloads\tdsskiller.exe
2015-04-05 13:34 - 2015-04-05 13:34 - 04197016 _____ (Kaspersky Lab ZAO) C:\Users\zero\Downloads\tdsskiller (1).exe
2015-04-05 13:34 - 2015-04-05 13:34 - 02690981 _____ (Thisisu) C:\Users\zero\Downloads\JRT.exe
2015-04-05 13:16 - 2015-04-05 13:16 - 02208768 _____ () C:\Users\zero\Downloads\adwcleaner_4.200.exe
2015-04-04 22:04 - 2015-04-06 21:03 - 00002946 _____ () C:\Windows\setupact.log
2015-04-04 22:04 - 2015-04-04 22:05 - 00267360 _____ () C:\Windows\system32\FNTCACHE.DAT
2015-04-04 22:04 - 2015-04-04 22:04 - 00000000 _____ () C:\Windows\setuperr.log
2015-03-26 11:10 - 2015-03-26 17:48 - 00129752 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\233E2A45.sys
2015-03-22 14:24 - 2015-03-22 14:29 - 00035064 _____ () C:\Windows\system32\Drivers\TrueSight.sys
2015-03-22 14:11 - 2015-04-05 13:47 - 00000000 ____D () C:\AdwCleaner
2015-03-22 13:51 - 2015-03-22 14:23 - 00129752 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\4C786D75.sys
2015-03-21 14:18 - 2015-03-21 14:35 - 00129752 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\6CBA33DA.sys
2015-03-20 21:41 - 2015-03-20 21:41 - 00123473 _____ () C:\Users\zero\Desktop\BIZNESPLAN.odt
2015-03-17 10:27 - 2015-03-17 18:47 - 00129752 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\18D94A5A.sys
2015-03-16 15:30 - 2015-03-16 15:30 - 00000000 _____ () C:\Users\zero\Desktop\Nowy dokument tekstowy.txt
2015-03-10 08:00 - 2015-03-10 08:00 - 00129752 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\087F36FA.sys
2015-03-07 20:45 - 2015-03-07 20:50 - 163635344 _____ () C:\Users\zero\Desktop\skpfvisr.exe
 
==================== One Month Modified Files and Folders =======
 
(If an entry is included in the fixlist, the file\folder will be moved.)
 
2015-04-06 21:10 - 2009-07-14 06:45 - 00014544 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2015-04-06 21:10 - 2009-07-14 06:45 - 00014544 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2015-04-06 21:09 - 2009-07-14 19:55 - 00740422 _____ () C:\Windows\system32\perfh015.dat
2015-04-06 21:09 - 2009-07-14 19:55 - 00155996 _____ () C:\Windows\system32\perfc015.dat
2015-04-06 21:09 - 2009-07-14 07:13 - 01670518 _____ () C:\Windows\system32\PerfStringBackup.INI
2015-04-06 21:03 - 2014-10-17 20:57 - 00001044 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2015-04-06 21:03 - 2014-09-29 13:49 - 00000000 ____D () C:\ProgramData\NVIDIA
2015-04-06 21:03 - 2014-07-13 21:29 - 00129752 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
2015-04-06 21:03 - 2009-07-14 07:08 - 00000006 ____H () C:\Windows\Tasks\SA.DAT
2015-04-06 16:26 - 2014-07-13 20:46 - 01222094 _____ () C:\Windows\WindowsUpdate.log
2015-04-06 16:17 - 2014-10-17 20:57 - 00001048 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2015-04-06 15:30 - 2014-07-14 02:31 - 00000930 _____ () C:\Windows\Tasks\Adobe Flash Player Updater.job
2015-04-05 21:21 - 2014-07-13 21:02 - 00000000 ____D () C:\Users\zero\AppData\Local\VirtualStore
2015-04-05 21:19 - 2014-09-28 20:57 - 00000000 ____D () C:\Users\zero\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Games
2015-04-05 21:14 - 2014-07-17 03:24 - 00000000 ____D () C:\Users\zero\AppData\Roaming\DAEMON Tools Lite
2015-04-05 20:01 - 2014-07-13 21:22 - 00000000 ____D () C:\Users\zero\AppData\Roaming\deluge
2015-04-05 19:46 - 2009-07-14 07:32 - 00000000 ___RD () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Games
2015-04-04 18:13 - 2014-07-24 17:56 - 00000000 ____D () C:\Users\zero\AppData\Local\CrashDumps
2015-04-04 18:13 - 2014-07-13 23:44 - 00003630 _____ () C:\Windows\System32\Tasks\AviatorUpdateTask
2015-04-04 01:18 - 2014-10-17 20:59 - 00002189 _____ () C:\Users\Public\Desktop\Google Chrome.lnk
2015-03-21 19:42 - 2014-07-13 21:02 - 00000000 ____D () C:\Users\zero
2015-03-21 14:55 - 2014-07-30 19:06 - 00000000 ____D () C:\Users\zero\Doctor Web
2015-03-21 14:42 - 2009-07-14 05:20 - 00000000 ____D () C:\Windows\system32\NDF
2015-03-20 21:27 - 2014-07-14 01:15 - 00000000 ____D () C:\Users\zero\AppData\Roaming\.wtw
2015-03-16 14:50 - 2009-07-14 07:08 - 00032608 _____ () C:\Windows\Tasks\SCHEDLGU.TXT
2015-03-08 14:59 - 2014-10-18 12:01 - 00000000 ____D () C:\Users\zero\AppData\Roaming\TS3Client
2015-03-07 18:38 - 2015-02-14 15:19 - 00000010 _____ () C:\Users\zero\Desktop\godziny.txt
 
==================== Files in the root of some directories =======
 
2014-07-29 17:56 - 2014-07-29 17:56 - 0003584 _____ () C:\Users\zero\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
2015-04-05 21:13 - 2015-04-05 21:13 - 0001182 _____ () C:\Users\zero\AppData\Local\recently-used.xbel
2014-12-26 17:02 - 2014-12-26 17:02 - 0003584 _____ () C:\ProgramData\wtwLicensing.db
 
==================== Bamital & volsnap Check =================
 
(There is no automatic fix for files that do not pass verification.)
 
C:\Windows\System32\winlogon.exe => File is digitally signed
C:\Windows\System32\wininit.exe => File is digitally signed
C:\Windows\SysWOW64\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\System32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\System32\services.exe => File is digitally signed
C:\Windows\System32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\System32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\System32\rpcss.dll => File is digitally signed
C:\Windows\System32\Drivers\volsnap.sys => File is digitally signed
 
 
LastRegBack: 2015-04-04 17:08
 
==================== End Of Log ============================

 

I know I have not re-enabled system restore; don't worry, I have made a backup, and if we kill this computer it won't be a huge loss, it needs a fresh OS soon, but I would like to postpone this whole reinstallation a few months (waiting for win10).



#6 nasdaq
  • Malware Response Team
  • 40,453 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 07 April 2015 - 07:01 AM

I know I have not re-enabled system restore; don't worry, I have made a backup,

It's not the backup file I'm worried about, it's the operating system.
If something goes bad you may not be able to start your system.
I would enable it.
===


Tcpip\Parameters: [DhcpNameServer] 104.236.41.61 8.8.8.8

Does the IP look good for you?
http://whatismyipaddress.com/ip/104.236.41.61
===

Something is creating this zero byte folder.
U3 alfm084b; C:\Windows\System32\Drivers\alfm084b.sys [0 ] (Advanced Micro Devices) <==== ATTENTION (zero size file/folder)

Let's check further.

--RogueKiller--
  • Download & SAVE to your Desktop Download RogueKiller
  • Quit all programs that you may have started.
  • Please disconnect any USB or external drives from the computer before you run this scan!
  • For Vista or Windows 7, right-click and select "Run as Administrator to start"
  • For Windows XP, double-click to start.
  • Wait until Prescan has finished ...
  • Then Click on "Scan" button
  • Wait until the Status box shows "Scan Finished"
  • click on "delete"
  • Wait until the Status box shows "Deleting Finished"
  • Click on "Report" and copy/paste the content of the Notepad into your next reply.
  • The log should be found in RKreport[1].txt on your Desktop
  • Exit/Close RogueKiller
=======

#7 shival
  • Topic Starter
  • Members
  • 38 posts

Posted 07 April 2015 - 01:10 PM

 

RogueKiller V10.5.9.0 [Apr  7 2015] od Adlice Software

 
System Operacyjny : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Uruchomiono : Tryb Normalny
Użytkownik : zero [Administrator]
Started from : C:\Users\zero\Desktop\rkill\RogueKiller (1).exe
Tryb : Usuwanie -- Data : 04/07/2015  19:54:09
 
¤¤¤ Procesy : 0 ¤¤¤
 
¤¤¤ Rejestr : 6 ¤¤¤
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters | DhcpNameServer : 146.185.239.240 8.8.8.8 [(Unknown Country?) (XX)][-]  -> Nie wybrano
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters | DhcpNameServer : 146.185.239.240 8.8.8.8 [(Unknown Country?) (XX)][-]  -> Nie wybrano
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Tcpip\Parameters | DhcpNameServer : 146.185.239.240 8.8.8.8 [(Unknown Country?) (XX)][-]  -> Nie wybrano
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{B1F214F4-C778-44AC-92AF-05E4F3B2C9B4} | DhcpNameServer : 146.185.239.240 8.8.8.8 [(Unknown Country?) (XX)][-]  -> Nie wybrano
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{B1F214F4-C778-44AC-92AF-05E4F3B2C9B4} | DhcpNameServer : 146.185.239.240 8.8.8.8 [(Unknown Country?) (XX)][-]  -> Nie wybrano
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Tcpip\Parameters\Interfaces\{B1F214F4-C778-44AC-92AF-05E4F3B2C9B4} | DhcpNameServer : 146.185.239.240 8.8.8.8 [(Unknown Country?) (XX)][-]  -> Nie wybrano
 
¤¤¤ Zaplanowane zadania : 0 ¤¤¤
 
¤¤¤ Pliki : 0 ¤¤¤
 
¤¤¤ Plik Hosts : 0 ¤¤¤
 
¤¤¤ Anty-Rootkit : 0 (Driver: Niezaładowany [0xc000036b]) ¤¤¤
 
¤¤¤ Przeglądarki internetowe : 0 ¤¤¤
 
¤¤¤ Sprawdzenie MBR : ¤¤¤
+++++ PhysicalDrive0: SAMSUNG HD502HI ATA Device +++++
--- User ---
[MBR] 6ee5f08ff5fdf0876104427df97483bb
[BSP] 2463887d4bc98492808f76efcdfccc69 : Windows Vista/7/8 MBR Code
Partition table:
User = LL1 ... OK
User = LL2 ... OK
 
 
============================================
RKreport_SCN_07182014_153447.log - RKreport_DEL_07182014_153551.log - RKreport_SCN_03222015_134935.log - RKreport_DEL_03222015_135032.log
RKreport_SCN_04072015_194848.log

 

The IP has nothing to do with my geographical location, ISP, etc., and I don't have a static IP either.

Also I can't replicate the redirect on both computers today - why both? My sister told me that her laptop (she uses wifi, this PC uses a cable from the same router) got similar issues, but I can't check if it's the same thing now. Could you tell me if it is possible the malware would be on the router/upper level? Or is it just coincidence and both computers got infected because of a pendrive, for example?


Edited by shival, 07 April 2015 - 01:11 PM.


#8 nasdaq
  • Malware Response Team
  • 40,453 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 08 April 2015 - 06:36 AM

Run the RogueKiller tool one more time and fix the items that are reported.

The IP will be reset.

===

Restart that computer normally.

Post a fresh FRST log for my review.

===

Yes it's possible that your router was compromised. If the problem persists continue.

Reset your router. It may be infected.

How to Reset a Router Back to the Factory Default Settings
http://www.ehow.com/how_2110924_reset-back-factory-default-settings.html

Then, please reconfigure it back to your preferred setting. Below is a list of default usernames and passwords, should you not know it ;)

http://www.routerpasswords.com/
http://www.phenoelit-us.org/dpl/dpl.html
===

Reset for Linksys, Netgear, D-Link and Belkin Routers
http://www.techsupportforum.com/2763-reset-for-linksys-netgear-d-link-and-belkin-routers/

====
How to tell if my Wireless is secure.
http://www.ehow.com/how_6775466_tell-wireless-secure_.html

Keep me posted.
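The check nasdaq does by eye in this thread (is the DHCP-assigned resolver one you recognise, or an unexplained public IP?) as an added Python example; it is not part of the thread, of FRST or of RogueKiller. It parses the two log-line shapes quoted above; the KNOWN_RESOLVERS allowlist and the SAMPLE_LOG lines are constructed for the example (the two odd IPs are the ones from the thread, 192.168.1.1 is a made-up healthy entry).

```python
import ipaddress
import re
from typing import Dict, List

# Public resolvers a home router or ISP plausibly hands out. Constructed allowlist
# for this example; add your own ISP's resolvers before relying on it.
KNOWN_RESOLVERS = {
    "8.8.8.8": "Google Public DNS", "8.8.4.4": "Google Public DNS",
    "1.1.1.1": "Cloudflare", "1.0.0.1": "Cloudflare", "9.9.9.9": "Quad9",
    "208.67.222.222": "OpenDNS", "208.67.220.220": "OpenDNS",
}

# Matches both line shapes seen in the thread:
#   FRST:        Tcpip\Parameters: [DhcpNameServer] 104.236.41.61 8.8.8.8
#   RogueKiller: ...\Tcpip\Parameters | DhcpNameServer : 146.185.239.240 8.8.8.8 [...]
ENTRY_RE = re.compile(
    r"(?P<key>DhcpNameServer|NameServer)\]?\s*:?\s*"
    r"(?P<ips>(?:\d{1,3}(?:\.\d{1,3}){3}\s*)+)"
)

# Constructed sample: the two values quoted in the thread plus one healthy line.
SAMPLE_LOG = r"""
Tcpip\Parameters: [DhcpNameServer] 104.236.41.61 8.8.8.8
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters | DhcpNameServer : 146.185.239.240 8.8.8.8 [(Unknown Country?) (XX)][-]  -> Nie wybrano
Tcpip\Parameters: [DhcpNameServer] 192.168.1.1
"""

def classify(ip: str) -> Dict[str, object]:
    """Label one resolver address; 'suspicious' is True for unexplained public IPs."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return {"ip": ip, "label": "unparseable address", "suspicious": True}
    if addr.is_private or addr.is_loopback or addr.is_link_local:
        # The router's own LAN address forwarding DNS is the normal home setup.
        return {"ip": ip, "label": "local network (router / LAN resolver)", "suspicious": False}
    if ip in KNOWN_RESOLVERS:
        return {"ip": ip, "label": KNOWN_RESOLVERS[ip], "suspicious": False}
    return {"ip": ip, "label": "unrecognised public resolver", "suspicious": True}

def audit(log_text: str) -> List[Dict[str, object]]:
    """Extract every NameServer/DhcpNameServer value from FRST or RogueKiller text."""
    findings = []
    for line in log_text.splitlines():
        match = ENTRY_RE.search(line)
        if not match:
            continue
        for ip in match.group("ips").split():
            entry = classify(ip)
            # DhcpNameServer is pushed by the DHCP server (normally the router), so a
            # suspicious value there points at the router/network, not only this host.
            entry["key"] = match.group("key")
            entry["line"] = line.strip()
            findings.append(entry)
    return findings

def suspicious_servers(log_text: str) -> List[str]:
    return sorted({str(f["ip"]) for f in audit(log_text) if f["suspicious"]})
```

A DhcpNameServer hit on more than one machine behind the same router is the pattern to look for before treating it as a per-host infection.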

#9 shival
  • Topic Starter
  • Members
  • 38 posts

Posted 09 April 2015 - 06:10 PM

I had to move for some time and don't have access to that computer. Can we close this topic for a week or two and come back to it later?



#10 nasdaq
  • Malware Response Team
  • 40,453 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 10 April 2015 - 07:08 AM

I will leave it open.

Waiting for your reply.



