Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Infected with bot sysWOW64


  • Please log in to reply
14 replies to this topic

#1 builderboy

builderboy

  • Members
  • 18 posts
  • OFFLINE
  •  
  • Local time:11:07 PM

Posted 14 June 2015 - 08:32 PM

Hi,

 

My system had been sluggish, and I noted that a lot of CPU cycles were consumed with multiple iterations of svchost.exe.  I received an email from my service provider, suggesting that I had a bot, and to try using mbam.  I did, but it did not remedy the problem.  I did note that mbam initially gave several notices about active files in sysWOW64 folder.

 

I verified that the folder is there, and cannot be manually removed.

 

I have a Windows 7 Pro 64 machine, a Dell.  I can also add that I am having the dickens of a time trying to find the key to boot into safe mode (Dell says its F8, but that hasn't worked)

 

Please let me know what I need to do.

 

humbly yours,

Tony



BC AdBot (Login to Remove)

 


#2 severac

severac

  • Members
  • 872 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Serbia
  • Local time:05:07 AM

Posted 15 June 2015 - 09:03 AM

Hello,

 

Please download MiniToolBox, save it to your desktop and run it.
Checkmark the following checkboxes:

§  Flush DNS

§  Report IE Proxy Settings

§  Reset IE Proxy Settings

§  Report FF Proxy Settings

§  Reset FF Proxy Settings

§  List content of Hosts

§  List IP configuration

§  List Winsock Entries

§  List last 10 Event Viewer log

§  List Installed Programs

§  List Devices

§  List Users, Partitions and Memory size.

§  List Minidump Files

§  List Restore Points

Click Go and post the result (Result.txt). A copy of Result.txt will be saved in the same directory the tool is run.

 

------

We need MBAM report so:

 

§  Open MBAM once more.

§  Click on the History tab > Application Logs.

§  Double click on the Scan Log which shows the Date and time of the scan just performed.

§  Click 'Export'.

§  Click 'Copy to Clipboard'

§  Paste the contents of the clipboard into your reply.


I would like to help you to remove malware. Let's look inside.   :busy:

But I don't know to solve all PC problems.  :smash: 

 


#3 builderboy

builderboy
  • Topic Starter

  • Members
  • 18 posts
  • OFFLINE
  •  
  • Local time:11:07 PM

Posted 15 June 2015 - 06:35 PM

Thanks for the quick reply.  Here is the contents of the Results.txt file from MiniToolBox:

 

MiniToolBox by Farbar  Version: 11-05-2015 01
Ran by Tony (administrator) on 15-06-2015 at 19:32:48
Running from "C:\Users\Tony\Desktop"
Microsoft Windows 7 Professional  Service Pack 1 (X64)
Model: OptiPlex 3010 Manufacturer: Dell Inc.
Boot Mode: Normal
***************************************************************************

========================= Flush DNS: ===================================

Windows IP Configuration

Successfully flushed the DNS Resolver Cache.

========================= IE Proxy Settings: ==============================

Proxy is not enabled.
No Proxy Server is set.

"Reset IE Proxy Settings": IE Proxy Settings were reset.

========================= FF Proxy Settings: ==============================


"Reset FF Proxy Settings": Firefox Proxy settings were reset.

========================= Hosts content: =================================

#
127.0.0.1 3dns.adobe.com 3dns-1.adobe.com 3dns-2.adobe.com 3dns-3.adobe.com 3dns-4.adobe.com activate.adobe.com activate-sea.adobe.com activate-sjc0.adobe.com activate.wip.adobe.com
127.0.0.1 activate.wip1.adobe.com activate.wip2.adobe.com activate.wip3.adobe.com activate.wip4.adobe.com adobe-dns.adobe.com adobe-dns-1.adobe.com adobe-dns-2.adobe.com adobe-dns-3.adobe.com adobe-dns-4.adobe.com
127.0.0.1 adobeereg.com practivate.adobe practivate.adobe.com practivate.adobe.newoa practivate.adobe.ntp practivate.adobe.ipp ereg.adobe.com ereg.wip.adobe.com ereg.wip1.adobe.com
127.0.0.1 ereg.wip2.adobe.com ereg.wip3.adobe.com ereg.wip4.adobe.com hl2rcv.adobe.com wip.adobe.com wip1.adobe.com wip2.adobe.com wip3.adobe.com wip4.adobe.com
127.0.0.1 www.adobeereg.com wwis-dubc1-vip60.adobe.com www.wip.adobe.com www.wip1.adobe.com
127.0.0.1 www.wip2.adobe.com www.wip3.adobe.com www.wip4.adobe.com wwis-dubc1-vip60.adobe.com crl.verisign.net CRL.VERISIGN.NET ood.opsource.net

========================= IP Configuration: ================================

Realtek PCIe GBE Family Controller = Local Area Connection (Connected)


# ----------------------------------
# IPv4 Configuration
# ----------------------------------
pushd interface ipv4

reset
set global icmpredirects=enabled


popd
# End of IPv4 configuration



Windows IP Configuration

   Host Name . . . . . . . . . . . . : Tony-PC
   Primary Dns Suffix  . . . . . . . :
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No

Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Realtek PCIe GBE Family Controller
   Physical Address. . . . . . . . . : A4-1F-72-80-B0-48
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
   IPv6 Address. . . . . . . . . . . : 2601:192:8200:6df6:68c8:4c44:1f54:d3bb(Preferred)
   IPv6 Address. . . . . . . . . . . : 2601:192:8200:6df6:a61f:72ff:fe80:b048(Preferred)
   Lease Obtained. . . . . . . . . . : Monday, June 15, 2015 7:27:49 PM
   Lease Expires . . . . . . . . . . : Monday, June 15, 2015 7:33:50 PM
   Temporary IPv6 Address. . . . . . : 2601:192:8200:6df6:3092:9743:dcd7:36d3(Preferred)
   Link-local IPv6 Address . . . . . : fe80::68c8:4c44:1f54:d3bb%11(Preferred)
   IPv4 Address. . . . . . . . . . . : 10.0.0.4(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Lease Obtained. . . . . . . . . . : Monday, June 15, 2015 7:27:49 PM
   Lease Expires . . . . . . . . . . : Monday, June 22, 2015 7:27:49 PM
   Default Gateway . . . . . . . . . : fe80::5a23:8cff:fe70:cd81%11
                                       10.0.0.1
   DHCP Server . . . . . . . . . . . : 10.0.0.1
   DHCPv6 IAID . . . . . . . . . . . : 245636978
   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-19-5D-71-18-A4-1F-72-80-B0-48
   DNS Servers . . . . . . . . . . . : 2001:558:feed::1
                                       2001:558:feed::2
                                       75.75.75.75
                                       75.75.76.76
   NetBIOS over Tcpip. . . . . . . . : Enabled

Tunnel adapter isatap.{333A9FAE-3203-4D85-9EAC-FCA979FC33E5}:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Microsoft ISATAP Adapter
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes

Tunnel adapter Local Area Connection* 11:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Microsoft 6to4 Adapter
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes

Tunnel adapter Teredo Tunneling Pseudo-Interface:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
Server:  cdns01.comcast.net
Address:  2001:558:feed::1

Name:    google.com
Addresses:  2607:f8b0:4006:80c::1004
      216.58.219.206


Pinging google.com [2607:f8b0:4006:80a::1007] with 32 bytes of data:
Request timed out.
Reply from 2607:f8b0:4006:80a::1007: time=34ms

Ping statistics for 2607:f8b0:4006:80a::1007:
    Packets: Sent = 2, Received = 1, Lost = 1 (50% loss),
Approximate round trip times in milli-seconds:
    Minimum = 34ms, Maximum = 34ms, Average = 34ms
Server:  cdns01.comcast.net
Address:  2001:558:feed::1

Name:    yahoo.com
Addresses:  98.139.183.24
      206.190.36.45
      98.138.253.109


Pinging yahoo.com [206.190.36.45] with 32 bytes of data:
Reply from 206.190.36.45: bytes=32 time=89ms TTL=52
Reply from 206.190.36.45: bytes=32 time=89ms TTL=52

Ping statistics for 206.190.36.45:
    Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 89ms, Maximum = 89ms, Average = 89ms

Pinging 127.0.0.1 with 32 bytes of data:
Reply from 127.0.0.1: bytes=32 time<1ms TTL=128
Reply from 127.0.0.1: bytes=32 time<1ms TTL=128

Ping statistics for 127.0.0.1:
    Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 0ms, Average = 0ms
===========================================================================
Interface List
 11...a4 1f 72 80 b0 48 ......Realtek PCIe GBE Family Controller
  1...........................Software Loopback Interface 1
 12...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter
 13...00 00 00 00 00 00 00 e0 Microsoft 6to4 Adapter
 14...00 00 00 00 00 00 00 e0 Teredo Tunneling Pseudo-Interface
===========================================================================

IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0         10.0.0.1         10.0.0.4     10
         10.0.0.0    255.255.255.0         On-link          10.0.0.4    266
         10.0.0.4  255.255.255.255         On-link          10.0.0.4    266
       10.0.0.255  255.255.255.255         On-link          10.0.0.4    266
        127.0.0.0        255.0.0.0         On-link         127.0.0.1    306
        127.0.0.1  255.255.255.255         On-link         127.0.0.1    306
  127.255.255.255  255.255.255.255         On-link         127.0.0.1    306
        224.0.0.0        240.0.0.0         On-link         127.0.0.1    306
        224.0.0.0        240.0.0.0         On-link          10.0.0.4    266
  255.255.255.255  255.255.255.255         On-link         127.0.0.1    306
  255.255.255.255  255.255.255.255         On-link          10.0.0.4    266
===========================================================================
Persistent Routes:
  None

IPv6 Route Table
===========================================================================
Active Routes:
 If Metric Network Destination      Gateway
 11    266 ::/0                     fe80::5a23:8cff:fe70:cd81
  1    306 ::1/128                  On-link
 11     18 2601:192:8200:6df6::/64  On-link
 11    266 2601:192:8200:6df6::/64  fe80::5a23:8cff:fe70:cd81
 11    266 2601:192:8200:6df6:3092:9743:dcd7:36d3/128
                                    On-link
 11    266 2601:192:8200:6df6:68c8:4c44:1f54:d3bb/128
                                    On-link
 11    266 2601:192:8200:6df6:a61f:72ff:fe80:b048/128
                                    On-link
 11    266 fe80::/64                On-link
 11    266 fe80::68c8:4c44:1f54:d3bb/128
                                    On-link
  1    306 ff00::/8                 On-link
 11    266 ff00::/8                 On-link
===========================================================================
Persistent Routes:
  None
========================= Winsock entries =====================================

Catalog5 01 C:\Windows\SysWOW64\NLAapi.dll [52224] (Microsoft Corporation)
Catalog5 02 C:\Windows\SysWOW64\napinsp.dll [52224] (Microsoft Corporation)
Catalog5 03 C:\Windows\SysWOW64\pnrpnsp.dll [65024] (Microsoft Corporation)
Catalog5 04 C:\Windows\SysWOW64\pnrpnsp.dll [65024] (Microsoft Corporation)
Catalog5 05 C:\Windows\SysWOW64\mswsock.dll [231424] (Microsoft Corporation)
Catalog5 06 C:\Windows\SysWOW64\winrnr.dll [20992] (Microsoft Corporation)
Catalog5 07 C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WLIDNSP.DLL [145648] (Microsoft Corp.)
Catalog5 08 C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WLIDNSP.DLL [145648] (Microsoft Corp.)
Catalog5 09 C:\Program Files (x86)\Bonjour\mdnsNSP.dll [152864] (Apple Inc.)
Catalog9 01 C:\Windows\SysWOW64\mswsock.dll [231424] (Microsoft Corporation)
Catalog9 02 C:\Windows\SysWOW64\mswsock.dll [231424] (Microsoft Corporation)
Catalog9 03 C:\Windows\SysWOW64\mswsock.dll [231424] (Microsoft Corporation)
Catalog9 04 C:\Windows\SysWOW64\mswsock.dll [231424] (Microsoft Corporation)
Catalog9 05 C:\Windows\SysWOW64\mswsock.dll [231424] (Microsoft Corporation)
Catalog9 06 C:\Windows\SysWOW64\mswsock.dll [231424] (Microsoft Corporation)
Catalog9 07 C:\Windows\SysWOW64\mswsock.dll [231424] (Microsoft Corporation)
Catalog9 08 C:\Windows\SysWOW64\mswsock.dll [231424] (Microsoft Corporation)
Catalog9 09 C:\Windows\SysWOW64\mswsock.dll [231424] (Microsoft Corporation)
Catalog9 10 C:\Windows\SysWOW64\mswsock.dll [231424] (Microsoft Corporation)
x64-Catalog5 01 C:\Windows\System32\NLAapi.dll [70656] (Microsoft Corporation)
x64-Catalog5 02 C:\Windows\System32\napinsp.dll [68096] (Microsoft Corporation)
x64-Catalog5 03 C:\Windows\System32\pnrpnsp.dll [86016] (Microsoft Corporation)
x64-Catalog5 04 C:\Windows\System32\pnrpnsp.dll [86016] (Microsoft Corporation)
x64-Catalog5 05 C:\Windows\System32\mswsock.dll [327168] (Microsoft Corporation)
x64-Catalog5 06 C:\Windows\System32\winrnr.dll [28672] (Microsoft Corporation)
x64-Catalog5 07 C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDNSP.DLL [171760] (Microsoft Corp.)
x64-Catalog5 08 C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDNSP.DLL [171760] (Microsoft Corp.)
x64-Catalog5 09 C:\Program Files\Bonjour\mdnsNSP.dll [193824] (Apple Inc.)
x64-Catalog9 01 C:\Windows\System32\mswsock.dll [327168] (Microsoft Corporation)
x64-Catalog9 02 C:\Windows\System32\mswsock.dll [327168] (Microsoft Corporation)
x64-Catalog9 03 C:\Windows\System32\mswsock.dll [327168] (Microsoft Corporation)
x64-Catalog9 04 C:\Windows\System32\mswsock.dll [327168] (Microsoft Corporation)
x64-Catalog9 05 C:\Windows\System32\mswsock.dll [327168] (Microsoft Corporation)
x64-Catalog9 06 C:\Windows\System32\mswsock.dll [327168] (Microsoft Corporation)
x64-Catalog9 07 C:\Windows\System32\mswsock.dll [327168] (Microsoft Corporation)
x64-Catalog9 08 C:\Windows\System32\mswsock.dll [327168] (Microsoft Corporation)
x64-Catalog9 09 C:\Windows\System32\mswsock.dll [327168] (Microsoft Corporation)
x64-Catalog9 10 C:\Windows\System32\mswsock.dll [327168] (Microsoft Corporation)

========================= Event log errors: ===============================

Application errors:
==================
Error: (06/15/2015 07:29:36 PM) (Source: WinMgmt) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (06/14/2015 09:40:29 PM) (Source: WinMgmt) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (06/14/2015 09:33:56 PM) (Source: Bonjour Service) (User: )
Description: GetLargeResourceRecord: opt 65002 optlen 8 wrong

Error: (06/14/2015 09:28:46 PM) (Source: Bonjour Service) (User: )
Description: GetLargeResourceRecord: opt 65002 optlen 8 wrong

Error: (06/14/2015 09:23:31 PM) (Source: WinMgmt) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (06/14/2015 09:18:00 PM) (Source: WinMgmt) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (06/14/2015 09:13:46 PM) (Source: WinMgmt) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (06/14/2015 09:12:36 PM) (Source: Bonjour Service) (User: )
Description: GetLargeResourceRecord: opt 65002 optlen 8 wrong

Error: (06/14/2015 09:01:26 PM) (Source: Bonjour Service) (User: )
Description: GetLargeResourceRecord: opt 65002 optlen 8 wrong

Error: (06/14/2015 08:56:46 PM) (Source: Bonjour Service) (User: )
Description: GetLargeResourceRecord: opt 65002 optlen 8 wrong


System errors:
=============
Error: (06/15/2015 07:30:02 PM) (Source: Service Control Manager) (User: )
Description: A timeout was reached (30000 milliseconds) while waiting for the Intel® Rapid Storage Technology service to connect.

Error: (06/15/2015 07:30:00 PM) (Source: Service Control Manager) (User: )
Description: A timeout was reached (30000 milliseconds) while waiting for the Microsoft .NET Framework NGEN v4.0.30319_X86 service to connect.

Error: (06/15/2015 07:27:52 PM) (Source: Service Control Manager) (User: )
Description: The Conexant SmartAudio service service failed to start due to the following error:
%%2

Error: (06/14/2015 09:39:01 PM) (Source: Service Control Manager) (User: )
Description: The HomeGroup Provider service depends on the Function Discovery Provider Host service which failed to start because of the following error:
%%1068

Error: (06/14/2015 09:39:00 PM) (Source: DCOM) (User: )
Description: 1084WSearch{9E175B6D-F52A-11D8-B9A5-505054503030}

Error: (06/14/2015 09:39:00 PM) (Source: DCOM) (User: )
Description: 1084WSearch{7D096C5F-AC08-4F1F-BEB7-5C22C517CE39}

Error: (06/14/2015 09:38:55 PM) (Source: Service Control Manager) (User: )
Description: The Computer Browser service depends on the Server service which failed to start because of the following error:
%%1068

Error: (06/14/2015 09:38:55 PM) (Source: Service Control Manager) (User: )
Description: The Computer Browser service depends on the Server service which failed to start because of the following error:
%%1068

Error: (06/14/2015 09:38:53 PM) (Source: DCOM) (User: )
Description: 1084EventSystem{1BE1F766-5536-11D1-B726-00C04FB926AF}

Error: (06/14/2015 09:38:47 PM) (Source: DCOM) (User: )
Description: 1084ShellHWDetection{DD522ACC-F821-461A-A407-50B198B896DC}


Microsoft Office Sessions:
=========================
Error: (06/15/2015 07:29:36 PM) (Source: WinMgmt)(User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (06/14/2015 09:40:29 PM) (Source: WinMgmt)(User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (06/14/2015 09:33:56 PM) (Source: Bonjour Service)(User: )
Description: GetLargeResourceRecord: opt 65002 optlen 8 wrong

Error: (06/14/2015 09:28:46 PM) (Source: Bonjour Service)(User: )
Description: GetLargeResourceRecord: opt 65002 optlen 8 wrong

Error: (06/14/2015 09:23:31 PM) (Source: WinMgmt)(User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (06/14/2015 09:18:00 PM) (Source: WinMgmt)(User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (06/14/2015 09:13:46 PM) (Source: WinMgmt)(User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (06/14/2015 09:12:36 PM) (Source: Bonjour Service)(User: )
Description: GetLargeResourceRecord: opt 65002 optlen 8 wrong

Error: (06/14/2015 09:01:26 PM) (Source: Bonjour Service)(User: )
Description: GetLargeResourceRecord: opt 65002 optlen 8 wrong

Error: (06/14/2015 08:56:46 PM) (Source: Bonjour Service)(User: )
Description: GetLargeResourceRecord: opt 65002 optlen 8 wrong


CodeIntegrity Errors:
===================================
  Date: 2014-06-14 09:06:08.173
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume3\Program Files\Common Files\mcafee\vscore\VSCore\mfeelamk.sys because the set of per-page image hashes could not be found on the system.

  Date: 2014-06-14 09:06:08.173
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume3\Program Files\Common Files\mcafee\vscore\VSCore\mfeelamk.sys because the set of per-page image hashes could not be found on the system.

  Date: 2014-06-14 09:05:41.603
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume3\Program Files\Common Files\mcafee\vscore\VSCore\mfeelamk.sys because the set of per-page image hashes could not be found on the system.

  Date: 2014-06-12 03:26:54.888
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume3\Program Files\Common Files\mcafee\vscore\VSCore\mfeelamk.sys because the set of per-page image hashes could not be found on the system.

  Date: 2014-06-12 03:24:08.763
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume3\Program Files\Common Files\mcafee\vscore\VSCore\mfeelamk.sys because the set of per-page image hashes could not be found on the system.

  Date: 2014-05-19 18:57:44.732
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume3\Program Files\Common Files\mcafee\vscore\VSCore\mfeelamk.sys because the set of per-page image hashes could not be found on the system.

  Date: 2014-05-19 18:57:44.728
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume3\Program Files\Common Files\mcafee\vscore\VSCore\mfeelamk.sys because the set of per-page image hashes could not be found on the system.

  Date: 2014-05-19 18:57:26.431
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume3\Program Files\Common Files\mcafee\vscore\VSCore\mfeelamk.sys because the set of per-page image hashes could not be found on the system.


=========================== Installed Programs ============================

7-Zip 9.22 (x64 edition) (HKLM\...\{23170F69-40C1-2702-0922-000001000000}) (Version: 9.22.00.0 - Igor Pavlov)
Adobe AIR (HKLM-x32\...\Adobe AIR) (Version: 2.5.1.17730 - Adobe Systems Inc.)
Adobe Community Help (HKLM-x32\...\chc.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1) (Version: 3.4.980 - Adobe Systems Incorporated.)
Adobe Flash Player 17 ActiveX (HKLM-x32\...\Adobe Flash Player ActiveX) (Version: 17.0.0.188 - Adobe Systems Incorporated)
Adobe Flash Player 17 NPAPI (HKLM-x32\...\Adobe Flash Player NPAPI) (Version: 17.0.0.188 - Adobe Systems Incorporated)
Adobe Photoshop CS5.1 (HKLM-x32\...\{9158FF30-78D7-40EF-B83E-451AC5334640}) (Version: 12.1 - Adobe Systems Incorporated)
Adobe Reader XI (11.0.11) (HKLM-x32\...\{AC76BA86-7AD7-1033-7B44-AB0000000001}) (Version: 11.0.11 - Adobe Systems Incorporated)
AMD Catalyst Install Manager (HKLM\...\{F2A7CE36-57BF-5C86-952D-90DBF3746D82}) (Version: 8.0.916.0 - Advanced Micro Devices, Inc.)
Bonjour (HKLM\...\{B91110FB-33B4-468B-90C2-4D5E8AE3FAE1}) (Version: 2.0.2.0 - Apple Inc.)
Bonjour Print Services (HKLM\...\{0DA20600-6130-443B-9D4B-F30520315FA6}) (Version: 2.0.2.0 - Apple Inc.)
CCleaner (HKLM\...\CCleaner) (Version: 5.06 - Piriform)
CDisplay 1.8 (HKLM-x32\...\CDisplay_is1) (Version:  - dvd8n)
CDisplayEx 1.10.18 (HKLM\...\CDisplayEx_is1) (Version:  - cdisplayex.com)
Comic Collector Live (HKLM-x32\...\{9211177A-A4B0-4F10-B304-4753E2B61CEA}) (Version: 3.10.320 - MidTen Media)
Conexant Audio Filter Agent (HKLM\...\cAudioFilterAgent) (Version: 1.7.36.0 - Conexant Systems)
Conexant HD Audio (HKLM\...\CNXT_AUDIO_HDA) (Version: 8.50.5.51 - Conexant)
Conexant SmartAudio (HKLM\...\SAII) (Version: 6.0.109.0 - Conexant Systems)
D3DX10 (HKLM-x32\...\{E09C4DB7-630C-4F06-A631-8EA7239923AF}) (Version: 15.4.2368.0902 - Microsoft) Hidden
Dead Island (HKLM-x32\...\Steam App 91310) (Version:  - Techland)
Dell Command | Update (HKLM-x32\...\{EC542D5D-B608-4145-A8F7-749C02BE6D94}) (Version: 2.0.0 - Dell Inc.)
Dell Edoc Viewer (HKLM\...\{8EBA8727-ADC2-477B-9D9A-1A1836BE4E05}) (Version: 1.0.0 - Dell Inc)
Dell System Detect (HKCU\...\73f463568823ebbe) (Version: 6.0.0.18 - Dell)
Doom 3 (HKLM-x32\...\{EEFB15EB-FE8B-47DF-A496-1C4D1420294A}) (Version: 1.2 - Activision) Hidden
Doom 3 (HKLM-x32\...\{FB6908C2-2138-4D6E-9CAF-11D7AE6C3909}) (Version: 1.2 - Activision) Hidden
Doom 3 (HKLM-x32\...\InstallShield_{EEFB15EB-FE8B-47DF-A496-1C4D1420294A}) (Version: 1.2 - Activision)
DOOM 3: Resurrection of Evil (HKLM-x32\...\{04347DFD-87B6-4E30-B14D-5DF2888AD8F5}) (Version: 1.0 - Activision) Hidden
DOOM 3: Resurrection of Evil (HKLM-x32\...\InstallShield_{04347DFD-87B6-4E30-B14D-5DF2888AD8F5}) (Version: 1.0 - Activision)
DOOM II: Hell on Earth (HKLM-x32\...\Steam App 2300) (Version:  - id Software)
Dropbox (HKCU\...\Dropbox) (Version: 3.4.6 - Dropbox, Inc.)
Fallout: New Vegas (HKLM-x32\...\Steam App 22380) (Version:  - Obsidian Entertainment)
FileZilla Client 3.10.3 (HKLM-x32\...\FileZilla Client) (Version: 3.10.3 - Tim Kosse)
Final DOOM (HKLM-x32\...\Steam App 2290) (Version:  - id Software)
Gauntlet™  (HKLM-x32\...\Steam App 258970) (Version:  - Arrowhead Game Studios)
Intel® Management Engine Components (HKLM-x32\...\{65153EA5-8B6E-43B6-857B-C6E4FC25798A}) (Version: 9.5.14.1724 - Intel Corporation)
Intel® Rapid Storage Technology (HKLM\...\{409CB30E-E457-4008-9B1A-ED1B9EA21140}) (Version: 12.7.1.1000 - Intel Corporation)
IrfanView (remove only) (HKLM-x32\...\IrfanView) (Version: 4.36 - Irfan Skiljan)
Junk Mail filter update (HKLM-x32\...\{400C31E4-796F-4E86-8FDC-C3C4FACC6847}) (Version: 16.4.3505.0912 - Microsoft Corporation) Hidden
Left 4 Dead 2 (HKLM-x32\...\Steam App 550) (Version:  - Valve)
Malwarebytes Anti-Malware version 2.1.6.1022 (HKLM-x32\...\Malwarebytes Anti-Malware_is1) (Version: 2.1.6.1022 - Malwarebytes Corporation)
Master Levels for DOOM II (HKLM-x32\...\Steam App 9160) (Version:  - id Software)
Microsoft .NET Framework 4.5.2 (HKLM\...\{92FB6C44-E685-45AD-9B20-CADF4CABA132} - 1033) (Version: 4.5.51209 - Microsoft Corporation)
Microsoft Office (HKLM-x32\...\{90150000-0138-0409-0000-0000000FF1CE}) (Version: 15.0.4454.1510 - Microsoft Corporation)
Microsoft Office Professional 2010 (HKLM-x32\...\Office14.SingleImage) (Version: 14.0.4763.1000 - Microsoft Corporation)
Microsoft SQL Server 2005 Compact Edition [ENU] (HKLM-x32\...\{F0B430D1-B6AA-473D-9B06-AA3DD01FD0B8}) (Version: 3.1.0000 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (HKLM-x32\...\{7299052b-02a4-4627-81f2-1818da5d550d}) (Version: 8.0.56336 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.6161 (HKLM\...\{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4}) (Version: 9.0.30729.6161 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17 (HKLM-x32\...\{9A25302D-30C0-39D9-BD6F-21E6EC160475}) (Version: 9.0.30729 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (HKLM-x32\...\{9BE518E6-ECC6-35A9-88E4-87755C07200F}) (Version: 9.0.30729.6161 - Microsoft Corporation)
Microsoft Visual C++ 2010  x64 Redistributable - 10.0.40219 (HKLM\...\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}) (Version: 10.0.40219 - Microsoft Corporation)
Microsoft Visual C++ 2010  x86 Redistributable - 10.0.40219 (HKLM-x32\...\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}) (Version: 10.0.40219 - Microsoft Corporation)
Microsoft Visual C++ 2012 Redistributable (x64) - 11.0.50727 (HKLM-x32\...\{15134cb0-b767-4960-a911-f2d16ae54797}) (Version: 11.0.50727.1 - Microsoft Corporation)
Microsoft Visual C++ 2012 Redistributable (x86) - 11.0.50727 (HKLM-x32\...\{22154f09-719a-4619-bb71-5b3356999fbf}) (Version: 11.0.50727.1 - Microsoft Corporation)
Movie Maker (HKLM-x32\...\{5BABDA39-61CF-41EE-992D-4054B6649A9B}) (Version: 16.4.3505.0912 - Microsoft Corporation) Hidden
Movie Maker (HKLM-x32\...\{ED6C77F9-4D7E-447C-9EC0-9A212D075535}) (Version: 16.4.3505.0912 - Microsoft Corporation) Hidden
Mozilla Firefox 38.0.5 (x86 en-US) (HKLM-x32\...\Mozilla Firefox 38.0.5 (x86 en-US)) (Version: 38.0.5 - Mozilla)
Mozilla Maintenance Service (HKLM-x32\...\MozillaMaintenanceService) (Version: 29.0 - Mozilla)
NVIDIA PhysX (HKLM-x32\...\{8B922CF8-8A6C-41CE-A858-F1755D7F5D29}) (Version: 9.12.1031 - NVIDIA Corporation)
PDF Settings CS5 (HKLM-x32\...\{A78FE97A-C0C8-49CE-89D0-EDD524A17392}) (Version: 10.0 - Adobe Systems Incorporated) Hidden
Portal 2 (HKLM-x32\...\Steam App 620) (Version:  - Valve)
Quake (HKLM-x32\...\Steam App 2310) (Version:  - id Software)
Quake II (HKLM-x32\...\Steam App 2320) (Version:  - id Software)
Quake II: Ground Zero (HKLM-x32\...\Steam App 2340) (Version:  - Rogue Entertainment)
Quake II: The Reckoning (HKLM-x32\...\Steam App 2330) (Version:  - Xatrix Entertainment)
Quake III Arena (HKLM-x32\...\Steam App 2200) (Version:  - id Software)
Quake III: Team Arena (HKLM-x32\...\Steam App 2350) (Version:  - id Software)
Quake Mission Pack 1: Scourge of Armagon (HKLM-x32\...\Steam App 9040) (Version:  - Ritual Entertainment)
Quake Mission Pack 2: Dissolution of Eternity (HKLM-x32\...\Steam App 9030) (Version:  - Rogue Entertainment)
Raptr (HKLM-x32\...\Raptr) (Version:  - )
Realtek Ethernet Controller All-In-One Windows Driver (HKLM-x32\...\{F7E7F0CB-AA41-4D5A-B6F2-8E6738EB063F}) (Version: 1.12.0019 - Realtek)
Rise of the Triad (HKLM-x32\...\Steam App 217140) (Version:  - Interceptor Entertainment)
ScanExpress A3 USB 1200 Pro (HKLM-x32\...\{4E705434-4BCE-49B0-91E5-6D48C824EC00}) (Version: 1.0 - mustek) Hidden
ScanExpress A3 USB 1200 Pro (HKLM-x32\...\InstallShield_{4E705434-4BCE-49B0-91E5-6D48C824EC00}) (Version: 1.0 - mustek)
Serious Sam HD: The First Encounter (HKLM-x32\...\Steam App 41000) (Version:  - Croteam)
Serious Sam HD: The Second Encounter (HKLM-x32\...\Steam App 41010) (Version:  - Croteam)
Shared C Run-time for x64 (HKLM\...\{EF79C448-6946-4D71-8134-03407888C054}) (Version: 10.0.0 - McAfee)
Steam (HKLM-x32\...\{048298C9-A4D3-490B-9FF9-AB023A9238F3}) (Version: 1.0.0.0 - Valve Corporation)
The Apogee Throwback Pack (HKLM-x32\...\Steam App 238050) (Version:  - Interceptor Entertainment)
The Ultimate DOOM (HKLM-x32\...\Steam App 2280) (Version:  - id Software)
VLC media player (HKLM-x32\...\VLC media player) (Version: 2.2.1 - VideoLAN)
WD My Cloud (HKLM\...\{BDB0A166-050E-4C36-8F89-3304DBDE3018}) (Version: 1.0.5.40 - Western Digital Technologies, Inc.)
Windows Live Essentials (HKLM-x32\...\WinLiveSuite) (Version: 16.4.3505.0912 - Microsoft Corporation)
Windows Media Player Firefox Plugin (HKLM-x32\...\{69FDFBB6-351D-4B8C-89D8-867DC9D0A2A4}) (Version: 1.0.0.8 - Microsoft Corp)
Wolfenstein: The New Order (HKLM-x32\...\Steam App 201810) (Version:  - Machine Games)

========================= Devices: ================================


========================= Memory info: ===================================

Percentage of memory in use: 39%
Total physical RAM: 8162.09 MB
Available physical RAM: 4968.66 MB
Total Pagefile: 16322.38 MB
Available Pagefile: 13148.44 MB
Total Virtual: 4095.88 MB
Available Virtual: 3975.33 MB

========================= Partitions: =====================================

1 Drive c: (OS) (Fixed) (Total:930.74 GB) (Free:753.8 GB) NTFS
2 Drive d: (lesson2014FINB) (CDROM) (Total:3.51 GB) (Free:0 GB) UDF
3 Drive e: (WD SmartWare) (CDROM) (Total:0.6 GB) (Free:0 GB) UDF
4 Drive f: (My Book) (Fixed) (Total:930.86 GB) (Free:278.95 GB) NTFS
5 Drive g: (Iomega HDD) (Fixed) (Total:465.76 GB) (Free:146.98 GB) NTFS

========================= Users: ========================================

User accounts for \\TONY-PC

Administrator            Guest                    Tony                     

========================= Minidump Files ==================================

No minidump file found

========================= Restore Points ==================================

12-06-2015 11:26:39 Windows Backup
12-06-2015 11:29:32 Windows Update
13-06-2015 07:00:14 Windows Update
14-06-2015 23:00:23 Windows Backup

**** End of log ****

  I will follow with the MBam report.



#4 builderboy

builderboy
  • Topic Starter

  • Members
  • 18 posts
  • OFFLINE
  •  
  • Local time:11:07 PM

Posted 15 June 2015 - 06:39 PM

Here is the MBAM scan history report:

 

Malwarebytes Anti-Malware
www.malwarebytes.org

Scan Date: 6/13/2015
Scan Time: 11:40:33 AM
Logfile:
Administrator: Yes

Version: 2.01.6.1022
Malware Database: v2015.06.13.04
Rootkit Database: v2015.06.02.01
License: Trial
Malware Protection: Enabled
Malicious Website Protection: Enabled
Self-protection: Disabled

OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: Tony

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 348590
Time Elapsed: 8 min, 2 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled

Processes: 0
(No malicious items detected)

Modules: 0
(No malicious items detected)

Registry Keys: 2
Trojan.Vawtrak, HKLM\SOFTWARE\CLASSES\CLSID\{F6BF8414-962C-40FE-90F1-B80A7E72DB9A}, Quarantined, [61d79a202e5c43f3c953b4801ceaec14],
Trojan.Vawtrak, HKU\S-1-5-21-448949016-1538312053-3673910422-1000_Classes\CLSID\{F6BF8414-962C-40FE-90F1-B80A7E72DB9A}, Quarantined, [61d79a202e5c43f3c953b4801ceaec14],

Registry Values: 3
Rootkit.Fileless.MTGen, HKU\S-1-5-21-448949016-1538312053-3673910422-1000\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN|^ec9ded35, Quarantined, [db5db703fc8e8aac9a26394d1beae31d],
Rootkit.Fileless.MTGen, HKU\S-1-5-21-448949016-1538312053-3673910422-1000\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN|^721eea5d, Quarantined, [90a8b604f49638fe5b65dcaada2b04fc],
Trojan.Agent.Gen, HKU\S-1-5-21-448949016-1538312053-3673910422-1000\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN|MSConfig, "C:\Users\Tony\udajbamr.exe", Quarantined, [330529911a709d996e426dea84814ab6]

Registry Data: 0
(No malicious items detected)

Folders: 1
Trojan.Clicker.FMS, C:\ProgramData\{9A88E103-A20A-4EA5-8636-C73B709A5BF8}, Delete-on-Reboot, [d7612f8b4347a4921261944e7291b34d],

Files: 6
Trojan.Vawtrak, C:\ProgramData\{9A88E103-A20A-4EA5-8636-C73B709A5BF8}\brdgcfg.dll, Delete-on-Reboot, [61d79a202e5c43f3c953b4801ceaec14],
PUP.Optional.APNToolBar.A, C:\Users\Tony\Downloads\SFInstaller_SFFZ_filezilla_8706467_.exe, Quarantined, [31076555880263d3ea4e0d589969956b],
PUP.Optional.Installrex, C:\Users\Tony\Downloads\Download.exe, Quarantined, [999fc2f8008aff37a3142a81f0119f61],
Adware.DomaIQ, C:\Users\Tony\Downloads\winrar.exe, Quarantined, [ed4b803a73176fc7ec8d283ca561b24e],
Trojan.Agent.Gen, C:\Users\Tony\udajbamr.exe, Quarantined, [330529911a709d996e426dea84814ab6],
Trojan.Clicker.FMS, C:\ProgramData\{9A88E103-A20A-4EA5-8636-C73B709A5BF8}\8afc49b02429a, Delete-on-Reboot, [d7612f8b4347a4921261944e7291b34d],

Physical Sectors: 0
(No malicious items detected)


(end)



#5 severac

severac

  • Members
  • 872 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Serbia
  • Local time:05:07 AM

Posted 16 June 2015 - 02:50 AM

Yes, you are/were infected. Please, follow next steps, I will try to help.

 

Download 51a5f31352b88-icon_MBAR.pngMalwarebytes Anti-Rootkit (MBAR) to your desktop.

  • Warning! Malwarebytes Anti-Rootkit needs to be run from an account with administrator rights.
  • Double click on downloaded file. OK self extracting prompt.
  • MBAR will start. Click "Next" to continue.
  • Click in the following screen "Update" to obtain the latest malware definitions.
  • Once the update is complete select "Next" and click "Scan".
  • When the scan is finished and no malware has been found select "Exit".
  • If malware was detected, make sure to check all the items and click "Cleanup". Reboot your computer.
  • Open the MBAR folder located on your Desktop and paste the content of the following files in your next reply:
  • "mbar-log-{date} (xx-xx-xx).txt"
  • "system-log.txt"


NOTE. If you see This version requires you to completely exit the Anti Malware application message right click on the Malwarebytes Anti-Malware icon in the system tray and click on Exit.

 

----

 

ESET Online Scanner

§  Click here to download the installer for ESET Online Scanner and save it to your Desktop.

§  Disable all your antivirus and antimalware software - see how to do that here.

§  Right click on esetsmartinstaller_enu.exe and select Run as Administrator.

§  Place a checkmark in YES, I accept the Terms of Use, then click Start. Wait for ESET Online Scanner to load its components.

§  Select Enable detection of potentially unwanted applications.

§  Click Advanced Settings, then place a checkmark in the following:

o    Remove found threats

o    Scan archives

o    Scan for potentially unsafe applications

o    Enable Anti-Stealth technology

§  Click Start to begin scanning.

§  ESET Online Scanner will start downloading signatures and scan. Please be patient, as this scan can take quite some time.

§  When the scan is done, click List threats (only available if ESET Online Scanner found something).

§  Click Export, then save the file to your desktop.

§  Click Back, then Finish to exit ESET Online Scanner.


I would like to help you to remove malware. Let's look inside.   :busy:

But I don't know to solve all PC problems.  :smash: 

 


#6 builderboy

builderboy
  • Topic Starter

  • Members
  • 18 posts
  • OFFLINE
  •  
  • Local time:11:07 PM

Posted 16 June 2015 - 08:34 PM

contents of mbar-log-2015-06-16 (21-17-21).txt:

 

Malwarebytes Anti-Rootkit BETA 1.09.1.1004
www.malwarebytes.org

Database version:
  main:    v2015.06.16.06
  rootkit: v2015.06.15.01

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 11.0.9600.17843
Tony :: TONY-PC [administrator]

6/16/2015 9:17:21 PM
mbar-log-2015-06-16 (21-17-21).txt

Scan type: Quick scan
Scan options enabled: Anti-Rootkit | Drivers | MBR | Physical Sectors | Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken
Scan options disabled:
Objects scanned: 340178
Time elapsed: 7 minute(s), 24 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

Physical Sectors Detected: 0
(No malicious items detected)

(end)

 

 

contents of system-log.txt:

 

---------------------------------------
Malwarebytes Anti-Rootkit BETA 1.09.1.1004

© Malwarebytes Corporation 2011-2012

OS version: 6.1.7601 Windows 7 Service Pack 1 x64

Account is Administrative

Internet Explorer version: 11.0.9600.17843

File system is: NTFS
Disk drives: C:\ DRIVE_FIXED, F:\ DRIVE_FIXED, G:\ DRIVE_FIXED
CPU speed: 2.893000 GHz
Memory total: 8558567424, free: 5196881920

Downloaded database version: v2015.06.16.06
Downloaded database version: v2015.06.15.01
Downloaded database version: v2015.06.15.01
=======================================
Initializing...
------------ Kernel report ------------
     06/16/2015 21:17:14
------------ Loaded modules -----------
\SystemRoot\system32\ntoskrnl.exe
\SystemRoot\system32\hal.dll
\SystemRoot\system32\kdcom.dll
\SystemRoot\system32\mcupdate_GenuineIntel.dll
\SystemRoot\system32\PSHED.dll
\SystemRoot\system32\CLFS.SYS
\SystemRoot\system32\CI.dll
\SystemRoot\system32\drivers\Wdf01000.sys
\SystemRoot\system32\drivers\WDFLDR.SYS
\SystemRoot\system32\drivers\ACPI.sys
\SystemRoot\system32\drivers\WMILIB.SYS
\SystemRoot\system32\drivers\msisadrv.sys
\SystemRoot\system32\drivers\pci.sys
\SystemRoot\system32\drivers\vdrvroot.sys
\SystemRoot\System32\drivers\partmgr.sys
\SystemRoot\system32\drivers\volmgr.sys
\SystemRoot\System32\drivers\volmgrx.sys
\SystemRoot\System32\drivers\mountmgr.sys
\SystemRoot\system32\drivers\atapi.sys
\SystemRoot\system32\drivers\ataport.SYS
\SystemRoot\system32\drivers\msahci.sys
\SystemRoot\system32\drivers\PCIIDEX.SYS
\SystemRoot\system32\DRIVERS\iaStorA.sys
\SystemRoot\system32\DRIVERS\storport.sys
\SystemRoot\system32\drivers\amdxata.sys
\SystemRoot\system32\drivers\fltmgr.sys
\SystemRoot\system32\drivers\fileinfo.sys
\SystemRoot\System32\Drivers\Ntfs.sys
\SystemRoot\System32\Drivers\msrpc.sys
\SystemRoot\System32\Drivers\ksecdd.sys
\SystemRoot\System32\Drivers\cng.sys
\SystemRoot\System32\drivers\pcw.sys
\SystemRoot\System32\Drivers\Fs_Rec.sys
\SystemRoot\system32\drivers\ndis.sys
\SystemRoot\system32\drivers\NETIO.SYS
\SystemRoot\System32\Drivers\ksecpkg.sys
\SystemRoot\System32\drivers\tcpip.sys
\SystemRoot\System32\drivers\fwpkclnt.sys
\SystemRoot\system32\drivers\volsnap.sys
\SystemRoot\System32\Drivers\spldr.sys
\SystemRoot\System32\drivers\rdyboost.sys
\SystemRoot\System32\Drivers\mup.sys
\SystemRoot\system32\DRIVERS\iaStorF.sys
\SystemRoot\System32\drivers\hwpolicy.sys
\SystemRoot\System32\DRIVERS\fvevol.sys
\SystemRoot\system32\drivers\disk.sys
\SystemRoot\system32\drivers\CLASSPNP.SYS
\SystemRoot\system32\DRIVERS\cdrom.sys
\SystemRoot\System32\Drivers\Null.SYS
\SystemRoot\System32\Drivers\Beep.SYS
\SystemRoot\System32\drivers\vga.sys
\SystemRoot\System32\drivers\VIDEOPRT.SYS
\SystemRoot\System32\drivers\watchdog.sys
\SystemRoot\System32\DRIVERS\RDPCDD.sys
\SystemRoot\system32\drivers\rdpencdd.sys
\SystemRoot\system32\drivers\rdprefmp.sys
\SystemRoot\System32\Drivers\Msfs.SYS
\SystemRoot\System32\Drivers\Npfs.SYS
\SystemRoot\system32\DRIVERS\tdx.sys
\SystemRoot\system32\DRIVERS\TDI.SYS
\SystemRoot\System32\DRIVERS\netbt.sys
\SystemRoot\system32\drivers\afd.sys
\SystemRoot\system32\DRIVERS\wfplwf.sys
\SystemRoot\system32\DRIVERS\pacer.sys
\SystemRoot\system32\DRIVERS\netbios.sys
\SystemRoot\system32\DRIVERS\serial.sys
\SystemRoot\system32\DRIVERS\wanarp.sys
\SystemRoot\system32\DRIVERS\termdd.sys
\SystemRoot\system32\DRIVERS\rdbss.sys
\SystemRoot\system32\drivers\nsiproxy.sys
\SystemRoot\system32\DRIVERS\mssmbios.sys
\SystemRoot\System32\drivers\discache.sys
\SystemRoot\system32\drivers\csc.sys
\SystemRoot\System32\Drivers\dfsc.sys
\SystemRoot\system32\DRIVERS\blbdrive.sys
\SystemRoot\system32\DRIVERS\tunnel.sys
\SystemRoot\system32\DRIVERS\atikmpag.sys
\SystemRoot\system32\DRIVERS\atikmdag.sys
\SystemRoot\System32\drivers\dxgkrnl.sys
\SystemRoot\System32\drivers\dxgmms1.sys
\SystemRoot\system32\DRIVERS\HDAudBus.sys
\SystemRoot\system32\DRIVERS\TeeDriverx64.sys
\SystemRoot\system32\drivers\usbehci.sys
\SystemRoot\system32\drivers\USBPORT.SYS
\SystemRoot\system32\DRIVERS\Rt64win7.sys
\SystemRoot\system32\DRIVERS\serenum.sys
\SystemRoot\system32\DRIVERS\intelppm.sys
\SystemRoot\system32\DRIVERS\CompositeBus.sys
\SystemRoot\system32\DRIVERS\AgileVpn.sys
\SystemRoot\system32\DRIVERS\rasl2tp.sys
\SystemRoot\system32\DRIVERS\ndistapi.sys
\SystemRoot\system32\DRIVERS\ndiswan.sys
\SystemRoot\system32\DRIVERS\raspppoe.sys
\SystemRoot\system32\DRIVERS\raspptp.sys
\SystemRoot\system32\DRIVERS\rassstp.sys
\SystemRoot\system32\DRIVERS\rdpbus.sys
\SystemRoot\system32\DRIVERS\kbdclass.sys
\SystemRoot\system32\DRIVERS\mouclass.sys
\SystemRoot\system32\DRIVERS\swenum.sys
\SystemRoot\system32\DRIVERS\ks.sys
\SystemRoot\system32\DRIVERS\umbus.sys
\SystemRoot\system32\DRIVERS\usbhub.sys
\SystemRoot\System32\Drivers\NDProxy.SYS
\SystemRoot\system32\drivers\AtihdW76.sys
\SystemRoot\system32\drivers\portcls.sys
\SystemRoot\system32\drivers\drmk.sys
\SystemRoot\system32\drivers\ksthunk.sys
\SystemRoot\system32\drivers\CHDRT64.sys
\SystemRoot\system32\DRIVERS\USBSTOR.SYS
\SystemRoot\system32\DRIVERS\USBD.SYS
\SystemRoot\system32\DRIVERS\wdcsam64.sys
\SystemRoot\System32\win32k.sys
\SystemRoot\System32\drivers\Dxapi.sys
\SystemRoot\system32\DRIVERS\udfs.sys
\SystemRoot\system32\DRIVERS\usbccgp.sys
\SystemRoot\system32\DRIVERS\hidusb.sys
\SystemRoot\system32\DRIVERS\HIDCLASS.SYS
\SystemRoot\system32\DRIVERS\HIDPARSE.SYS
\SystemRoot\system32\DRIVERS\kbdhid.sys
\SystemRoot\system32\DRIVERS\mouhid.sys
\SystemRoot\system32\drivers\usbscan.sys
\SystemRoot\system32\DRIVERS\monitor.sys
\SystemRoot\System32\TSDDD.dll
\SystemRoot\System32\cdd.dll
\SystemRoot\System32\ATMFD.DLL
\SystemRoot\System32\Drivers\crashdmp.sys
\SystemRoot\System32\Drivers\dump_diskdump.sys
\SystemRoot\System32\Drivers\dump_iaStorA.sys
\SystemRoot\System32\Drivers\dump_dumpfve.sys
\SystemRoot\system32\drivers\luafv.sys
\??\C:\Windows\system32\drivers\mbam.sys
\SystemRoot\system32\DRIVERS\lltdio.sys
\SystemRoot\system32\DRIVERS\rspndr.sys
\SystemRoot\system32\drivers\HTTP.sys
\SystemRoot\system32\DRIVERS\bowser.sys
\SystemRoot\System32\drivers\mpsdrv.sys
\SystemRoot\system32\DRIVERS\mrxsmb.sys
\SystemRoot\system32\DRIVERS\mrxsmb10.sys
\SystemRoot\system32\DRIVERS\mrxsmb20.sys
\SystemRoot\system32\drivers\peauth.sys
\SystemRoot\System32\Drivers\secdrv.SYS
\SystemRoot\System32\DRIVERS\srvnet.sys
\SystemRoot\System32\drivers\tcpipreg.sys
\SystemRoot\System32\DRIVERS\srv2.sys
\SystemRoot\System32\DRIVERS\srv.sys
\SystemRoot\system32\drivers\spsys.sys
\SystemRoot\System32\Drivers\fastfat.SYS
\??\C:\Windows\system32\drivers\MBAMSwissArmy.sys
\??\C:\Windows\system32\drivers\mwac.sys
\??\C:\Windows\system32\drivers\mbamchameleon.sys
\Windows\System32\ntdll.dll
\Windows\System32\smss.exe
\Windows\System32\apisetschema.dll
\Windows\System32\autochk.exe
\Windows\System32\lpk.dll
\Windows\System32\shell32.dll
\Windows\System32\msctf.dll
\Windows\System32\kernel32.dll
\Windows\System32\nsi.dll
\Windows\System32\oleaut32.dll
\Windows\System32\rpcrt4.dll
\Windows\System32\sechost.dll
\Windows\System32\clbcatq.dll
\Windows\System32\ws2_32.dll
\Windows\System32\difxapi.dll
\Windows\System32\imm32.dll
\Windows\System32\usp10.dll
\Windows\System32\advapi32.dll
\Windows\System32\msvcrt.dll
\Windows\System32\gdi32.dll
\Windows\System32\imagehlp.dll
\Windows\System32\urlmon.dll
\Windows\System32\ole32.dll
\Windows\System32\wininet.dll
\Windows\System32\setupapi.dll
\Windows\System32\Wldap32.dll
\Windows\System32\shlwapi.dll
\Windows\System32\user32.dll
\Windows\System32\comdlg32.dll
\Windows\System32\normaliz.dll
\Windows\System32\psapi.dll
\Windows\System32\iertutil.dll
\Windows\System32\api-ms-win-downlevel-normaliz-l1-1-0.dll
\Windows\System32\userenv.dll
\Windows\System32\cfgmgr32.dll
\Windows\System32\comctl32.dll
\Windows\System32\api-ms-win-downlevel-shlwapi-l1-1-0.dll
\Windows\System32\crypt32.dll
\Windows\System32\api-ms-win-downlevel-ole32-l1-1-0.dll
\Windows\System32\devobj.dll
\Windows\System32\wintrust.dll
\Windows\System32\api-ms-win-downlevel-version-l1-1-0.dll
\Windows\System32\KernelBase.dll
\Windows\System32\api-ms-win-downlevel-user32-l1-1-0.dll
\Windows\System32\api-ms-win-downlevel-advapi32-l1-1-0.dll
\Windows\System32\profapi.dll
\Windows\System32\msasn1.dll
\Windows\SysWOW64\normaliz.dll
----------- End -----------
Done!

Scan started
Database versions:
  main:    v2015.06.16.06
  rootkit: v2015.06.15.01

<<<2>>>
<<<3>>>
Volume: C:
File system type: NTFS
SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
<<<2>>>
<<<3>>>
Volume: C:
File system type: NTFS
SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
<<<2>>>
<<<3>>>
Volume: C:
File system type: NTFS
SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
Scanning drivers directory: C:\WINDOWS\SYSTEM32\drivers...
Done!
Drive 0
This is a System drive
Scanning MBR on drive 0...
Inspecting partition table:
MBR Signature: 55AA
Disk Signature: E913ADC7

Partition information:

    Partition 0 type is Other (0xde)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 63  Numsec = 80262

    Partition 1 type is Primary (0x7)
    Partition is ACTIVE.
    Partition starts at LBA: 81920  Numsec = 1536000
    Partition file system is NTFS
    Partition is bootable

    Partition 2 type is Primary (0x7)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 1617920  Numsec = 1951903744

    Partition 3 type is Empty (0x0)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 0  Numsec = 0

Disk Size: 1000204886016 bytes
Sector size: 512 bytes

Done!
Physical Sector Size: 512
Drive: 1, DevicePointer: 0xfffffa800abae790, DeviceName: \Device\Harddisk1\DR1\, DriverName: \Driver\Disk\
--------- Disk Stack ------
DevicePointer: 0xfffffa800a9dab90, DeviceName: Unknown, DriverName: \Driver\partmgr\
DevicePointer: 0xfffffa800abae790, DeviceName: \Device\Harddisk1\DR1\, DriverName: \Driver\Disk\
DevicePointer: 0xfffffa800a9ddc50, DeviceName: Unknown, DriverName: \Driver\iaStorF\
DevicePointer: 0xfffffa800a9d5b60, DeviceName: \Device\00000068\, DriverName: \Driver\USBSTOR\
------------ End ----------
Alternate DeviceName: \Device\Harddisk1\DR1\, DriverName: \Driver\Disk\
Upper DeviceData: 0x0, 0x0, 0x0
Lower DeviceData: 0x0, 0x0, 0x0
Drive 1
Scanning MBR on drive 1...
Inspecting partition table:
MBR Signature: 55AA
Disk Signature: 2AE3F

Partition information:

    Partition 0 type is Primary (0x7)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 2048  Numsec = 1952149504

    Partition 1 type is Empty (0x0)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 0  Numsec = 0

    Partition 2 type is Empty (0x0)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 0  Numsec = 0

    Partition 3 type is Empty (0x0)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 0  Numsec = 0

Disk Size: 999501594624 bytes
Sector size: 512 bytes

Done!
Physical Sector Size: 512
Drive: 2, DevicePointer: 0xfffffa800abcc790, DeviceName: \Device\Harddisk2\DR2\, DriverName: \Driver\Disk\
--------- Disk Stack ------
DevicePointer: 0xfffffa800aa3db90, DeviceName: Unknown, DriverName: \Driver\partmgr\
DevicePointer: 0xfffffa800abcc790, DeviceName: \Device\Harddisk2\DR2\, DriverName: \Driver\Disk\
DevicePointer: 0xfffffa800aa34c50, DeviceName: Unknown, DriverName: \Driver\iaStorF\
DevicePointer: 0xfffffa800aa3ab60, DeviceName: \Device\0000006c\, DriverName: \Driver\USBSTOR\
------------ End ----------
Alternate DeviceName: \Device\Harddisk2\DR2\, DriverName: \Driver\Disk\
Upper DeviceData: 0x0, 0x0, 0x0
Lower DeviceData: 0x0, 0x0, 0x0
Drive 2
Scanning MBR on drive 2...
Inspecting partition table:
MBR Signature: 55AA
Disk Signature: ACF4E4F8

Partition information:

    Partition 0 type is Primary (0x7)
    Partition is ACTIVE.
    Partition starts at LBA: 63  Numsec = 976768002
    Partition file system is NTFS
    Partition is not bootable

    Partition 1 type is Empty (0x0)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 0  Numsec = 0

    Partition 2 type is Empty (0x0)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 0  Numsec = 0

    Partition 3 type is Empty (0x0)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 0  Numsec = 0

Disk Size: 500107862016 bytes
Sector size: 512 bytes

Done!
File "c:\programdata\microsoft\windows defender\scans\mpcache-7d731de449214a4251b80fd10faf87a9f05ff37c.bin.ve1" is compressed (flags = 1)
Scan finished
=======================================


Removal queue found; removal started
Removing C:\ProgramData\Malwarebytes' Anti-Malware (portable)\MBR-0-i.mbam...
Removing C:\ProgramData\Malwarebytes' Anti-Malware (portable)\VBR-0-1-81920-i.mbam...
Removing C:\ProgramData\Malwarebytes' Anti-Malware (portable)\MBR-0-r.mbam...
Removing C:\ProgramData\Malwarebytes' Anti-Malware (portable)\MBR-1-i.mbam...
Removing C:\ProgramData\Malwarebytes' Anti-Malware (portable)\MBR-1-r.mbam...
Removing C:\ProgramData\Malwarebytes' Anti-Malware (portable)\MBR-2-i.mbam...
Removing C:\ProgramData\Malwarebytes' Anti-Malware (portable)\VBR-2-0-63-i.mbam...
Removing C:\ProgramData\Malwarebytes' Anti-Malware (portable)\MBR-2-r.mbam...
Removal finished
 



#7 severac

severac

  • Members
  • 872 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Serbia
  • Local time:05:07 AM

Posted 17 June 2015 - 03:40 AM

Hi,

 

do you have eset scan results? Or results are fine?


I would like to help you to remove malware. Let's look inside.   :busy:

But I don't know to solve all PC problems.  :smash: 

 


#8 builderboy

builderboy
  • Topic Starter

  • Members
  • 18 posts
  • OFFLINE
  •  
  • Local time:11:07 PM

Posted 17 June 2015 - 04:15 AM

contents of ESET scan (infections found):

 

C:\Users\All Users\InstallMate\{D3435EC3-C0F8-41D0-A33B-88DA08A07C35}\Custom.dll    Win32/InstalleRex.M potentially unwanted application    
C:\AdwCleaner\Quarantine\C\Program Files (x86)\SearchProtect\Main\bin\CltMngSvc.exe.vir    a variant of Win32/Conduit.SearchProtect.H potentially unwanted application    cleaned by deleting - quarantined
C:\AdwCleaner\Quarantine\C\Program Files (x86)\SearchProtect\Main\bin\SPTool.dll.vir    a variant of Win32/Conduit.SearchProtect.H potentially unwanted application    cleaned by deleting - quarantined
C:\AdwCleaner\Quarantine\C\Program Files (x86)\SearchProtect\Main\bin\uninstall.exe.vir    a variant of Win32/ClientConnect.A potentially unwanted application    cleaned by deleting - quarantined
C:\AdwCleaner\Quarantine\C\Program Files (x86)\SearchProtect\SearchProtect\bin\cltmng.exe.vir    a variant of Win32/Conduit.SearchProtect.I potentially unwanted application    cleaned by deleting - quarantined
C:\AdwCleaner\Quarantine\C\Program Files (x86)\SearchProtect\SearchProtect\bin\SPTool64.exe.vir    a variant of Win32/ClientConnect.A potentially unwanted application    cleaned by deleting - quarantined
C:\AdwCleaner\Quarantine\C\Program Files (x86)\SearchProtect\SearchProtect\bin\SPVC32.dll.vir    a variant of Win32/Conduit.SearchProtect.H potentially unwanted application    cleaned by deleting - quarantined
C:\AdwCleaner\Quarantine\C\Program Files (x86)\SearchProtect\SearchProtect\bin\SPVC32Loader.dll.vir    a variant of Win32/ClientConnect.A potentially unwanted application    cleaned by deleting - quarantined
C:\AdwCleaner\Quarantine\C\Program Files (x86)\SearchProtect\SearchProtect\bin\SPVC64.dll.vir    a variant of Win32/ClientConnect.A potentially unwanted application    cleaned by deleting - quarantined
C:\AdwCleaner\Quarantine\C\Program Files (x86)\SearchProtect\SearchProtect\bin\SPVC64Loader.dll.vir    a variant of Win32/ClientConnect.A potentially unwanted application    cleaned by deleting - quarantined
C:\AdwCleaner\Quarantine\C\Program Files (x86)\SearchProtect\UI\bin\cltmngui.exe.vir    a variant of Win32/Conduit.SearchProtect.Y potentially unwanted application    cleaned by deleting - quarantined
C:\AdwCleaner\Quarantine\C\Users\Tony\AppData\Local\Temp\hotspot shield\html\scripts\AskToolbar.js.vir    Win32/Bundled.Toolbar.Ask.L potentially unsafe application    cleaned by deleting - quarantined
C:\ProgramData\InstallMate\{D3435EC3-C0F8-41D0-A33B-88DA08A07C35}\Custom.dll    Win32/InstalleRex.M potentially unwanted application    cleaned by deleting - quarantined
C:\Users\Tony\Downloads\cbsidlm-tr1_13-Comic_Collector_Live-SEO-10739241.exe    Win32/DownloadAdmin.G potentially unwanted application    deleted - quarantined
C:\Users\Tony\Downloads\ccsetup506(1).exe    Win32/Bundled.Toolbar.Google.D potentially unsafe application    deleted - quarantined
C:\Users\Tony\Downloads\ccsetup506.exe    Win32/Bundled.Toolbar.Google.D potentially unsafe application    deleted - quarantined
 



#9 severac

severac

  • Members
  • 872 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Serbia
  • Local time:05:07 AM

Posted 17 June 2015 - 04:52 AM

Hi, can you tell us something about MBAM notifications and syswow64 folder, and about that e-mail from your provider? 


I would like to help you to remove malware. Let's look inside.   :busy:

But I don't know to solve all PC problems.  :smash: 

 


#10 builderboy

builderboy
  • Topic Starter

  • Members
  • 18 posts
  • OFFLINE
  •  
  • Local time:11:07 PM

Posted 18 June 2015 - 07:06 PM

I will copy sections of the email (it contains graphic elements, and I suppose I could copy its source, but I think that elements will be sufficient for you to see):

 

Constant Guard® Alert
MALICIOUS SOFTWARE DETECTED

Constant Guard® by XFINITY® has identified one or more of your devices that may be infected with a bot.

We strongly recommend that you click on the button below to remove malicious software from your device and help protect your identity

 

 

they then directed me to a tool, which was an online diagnostic which showed "Multi_CriminalFinancial_SearchHijackerModule", and said:

Alternate names:     Win32/Mashigoom, Win32:Rootkit-gen
Threat behavior description:
This threat was detected using Damballa Labs clustering and machine learning systems. The criminals behind this operator are using a C&C type infrastructure to perform search hijacking and click fraud. This appears to be both a type of module that can be loaded into various rootkits known as TDSS/TDL, Pihar, and ZeroAccess, and also malware known as Mashigoom (as labeled by Microsoft). Mashigoom performs click fraud behavior in a different way than the rootkit module but it uses the same infrastructure and domains. The traffic that we have observed coming from Mashigoom as been non-http based traffic. Types of behavior seen by the rootkit module associated with this threat look like the following:

baddomain.com/s/1055/5005/1342920306578_19032171070833/
baddomain.com/c/1057/5051/1343974469058_20603509467767/
baddomain.com/i/1055/5005/1342920306578_19032171070833/
baddomain.com/Y2x8MS42fDMxNWZlOTA1MWQ4NDAyZDAyNTk3ZDNmYzk2ZDNiZmU3fDMwOQ==
baddomain.com/j/js1

 

It then recommended downloading and runing mbam, which I did.  While it ran, mbam identified a bunch of things, many stemming from the directory syswow64, some identified as trojan.vawtrak (which mbam seemed to handle), and brdgcfg.dll.   After mbam was run, my system was still sluggish.  I googled syswow64, which turned up a lot of forum messages about it being a malware issue, with recommendations about how to remove it.  Foolishly, I attempted to delete it, found that it could not be deleted because it contained active process files.  I attempted to boot to safe mode and shift-delete it, but was denied access, as the directory was created by "TrustedSource", and could only be deleted by that user (not even administrative-level users could delete it).

 

That is the limits of my knowledge.  I hope this helps.



#11 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,289 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:11:07 PM

Posted 18 June 2015 - 07:59 PM

...Constant Guard® Alert
MALICIOUS SOFTWARE DETECTED
Constant Guard® by XFINITY® has identified one or more of your devices that may be infected with a bot.

The keyword here is "may".

 

There have been numerous reports over the years in regards to Comcast Constant Guard notices of finding bots. Even if you don't use Constant Guard, Comcast has Constant Guard monitoring traffic. In fact, if you do a Google Search, you will receive millions of similar reports.

This is what Comcast's Help and Support provides to their customers.

Find Out if Your Computer is Infected with a Bot

How we identify infected computers

Comcast identifies infected computers in several ways. First, we gather data from reputable Internet research groups that specialize in bot identification. This data includes a list of Internet Protocol (IP) addresses that are either infected or belong to bot command and control channels. Second, we look for malicious behavior such as spam, denial of service attacks and repeated connections requests to known command and control channels. We then aggregate this data to confirm whether one or more of your computers has been infected.

Our technique does not detect bots based on the online activities, protocols or applications you use.

No anti-virus software detects 100% of viruses, so you may still receive the Constant Guard Service Notice even if you’ve run your own scan. The problem could be also caused by other parties (e.g. friends or family members) who’ve connected their computers or IP-enabled devices to your network in the past. Have them scan their computers or other IP-enabled devices for possible infections.

Additionally, if you have a wireless access point that is not password-protected, other people with infected computers may have connected to your network. Password-protect your wireless access point to prevent unauthorized access to your network.

For more information or help with removing a bot, please visit xfinity.com/bothelp.

Constant Guard - Bot Removal Help
Instructions for Comcast Help Forums
Am I Botted?

If you don't find anything, please read these topics.

 


.
.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif

#12 builderboy

builderboy
  • Topic Starter

  • Members
  • 18 posts
  • OFFLINE
  •  
  • Local time:11:07 PM

Posted 18 June 2015 - 08:08 PM

Thank you for all the assistance you have given me so far.

 

So I understand your point with Comcast's non-definitive "may" statement, but mbam did find and clear the vawtrak trojan, and, at your last request, I did run ESET after mbam had cleared the machine.  And ESET did find several additional things to be cleaned.  Is there anything else I should do at this juncture?

 

thanks again,

Tony



#13 InadequateInfirmity

InadequateInfirmity

    I Gots Me A Certified Edumication


  • Banned
  • 5,180 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:10:07 PM

Posted 18 June 2015 - 08:18 PM

Download and run wipe  and system ninja,

 

https://privacyroot.com/software/www/en/wipe.php

https://singularlabs.com/software/system-ninja/

 

Then.....

 

Go ahead and install ccleaner Now that you have the program installed go ahead and run the cleaner function.

https://www.piriform.com/ccleaner/download
kwLN4uv.png


Now that you have cleaned out some temp files, lets go ahead and disable all of the items starting up with your machine except your antivirus. To do this you will need to click on tools then start up select each item then disable.

GjWwvEu.png

Now that you have disabled those un-needed start ups lets go into the settings, we will have Ccleaner run when your machine boots, so that you will never have to worry about cleaning temp files again.

To do this:

  • Hit options.
  • Settings.
  • Place a tick to run Ccleaner when the computer starts.


Lxioao1.png

Now go to the advanced tab, and select close program after cleaning, now run the cleaner again this will close Ccleaner.

SnqZ2JW.png

 

Reboot your machine and then follow the  instructions below.

 

Step 1: eScanAV.

 

Disable your antivirus prior to this scan.

http://www.bleepingcomputer.com/forums/t/114351/how-to-temporarily-disable-your-anti-virus-firewall-and-anti-malware-programs/

Download the eScanAV Anti-Virus Toolkit (MWAV)
http://www.escanav.com/english/content/products/downloadlink/downloadcounter.asp?pcode=MWAV&src=english_dwn&type=alter

 

Source

http://www.escanav.com/english/content/products/downloadlink/downloadproduct.asp?pcode=MWAV
Save the file to your desktop.
Right click run as administrator.
A new icon will appear on your desktop.
Right click run as administrator on new icon.
Click on the update tab.
ZCDJtZN.png
Once you have updated the program, make sure the settings are the same as the picture below.
7DUFn5c.png
Once you have made sure the settings match the picture, hit the Scan & Clean button.
Upon scan completion, click View Log.
ApSVXsQ.png
Copy and paste entire log into your next reply.

Note: Reboot after you remove infections.

 

Step 2: Zemana

 

Run a full scan with Zemana antimalware.

http://www.zemana.us/product/zemana-antimalware/default.aspx

Install and select deep scan.

jdmyscF.jpg

Remove any infections found.

Then click on the icon in the pic below.

DOLGyto.jpg

Double click on the scan log, copy and paste here in your reply.

Note: Reboot after you remove infections.

 

 

Step 3: Junkware Removal Tool.
 
Please download Junkware Removal Tool and save it on your desktop.

Source

http://thisisudax.org/

  • Shut down your anti-virus, anti-spyware, and firewall software now to avoid potential conflicts.
  • Run the tool by double-clicking it. If you are using Windows Vista or Windows 7, right-click it and select Run as administrator.
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete depending on your system's specifications.
  • On completion, a log is saved to your desktop and will automatically open.
  • Please post the JRT log.

Step 4: Adware Cleaner.
 
Please download AdwCleaner by Xplode onto your desktop.


  • Close all open programs and internet browsers.
  • Double click on adwcleaner.exe to run the tool.
  • Click on Scan button.
  • When the scan has finished click on Clean button.
  • Your computer will be rebooted automatically. A text file will open after the restart.
  • Please post the contents of that logfile with your next reply.
  • You can find the logfile at C:\AdwCleaner[S1].txt as well.


#14 builderboy

builderboy
  • Topic Starter

  • Members
  • 18 posts
  • OFFLINE
  •  
  • Local time:11:07 PM

Posted 19 June 2015 - 06:17 AM

Here is my eScanAV log:

 

18 Jun 2015 22:04:40 [0b44] - **********************************************************
18 Jun 2015 22:04:40 [0b44] - MWAV - eScanAV AntiVirus Toolkit.
18 Jun 2015 22:04:40 [0b44] - Copyright © MicroWorld Technologies
18 Jun 2015 22:04:40 [0b44] - **********************************************************
18 Jun 2015 22:04:40 [0b44] - Source: C:\Users\Tony\Desktop\mwav.exe
18 Jun 2015 22:04:40 [0b44] - Version 14.0.189 (C:\USERS\TONY\APPDATA\LOCAL\TEMP\MEXETMP.EX~)
18 Jun 2015 22:04:40 [0b44] - Log File: C:\Users\Tony\AppData\Local\Temp\LOG\MWAV.LOG
18 Jun 2015 22:04:40 [0b44] - MWAV Registered: TRUE
18 Jun 2015 22:04:40 [0b44] - User Account: Tony (Administrator Mode)
18 Jun 2015 22:04:40 [0b44] - OS Type: Windows Workstation [InstallType: Client]
18 Jun 2015 22:04:40 [0b44] - OS: Windows 7 64-Bit [OS Install Date: 04 Jul 2013 11:00:47]
18 Jun 2015 22:04:40 [0b44] - Ver: Professional Service Pack 1 (Build 7601)
18 Jun 2015 22:04:40 [0b44] - System Up Time: 13 Minutes, 5 Seconds


18 Jun 2015 22:04:40 [0b44] - Parent Process Name : C:\Users\Tony\AppData\Local\Temp\mexe.com
18 Jun 2015 22:04:40 [0b44] - Windows Root  Folder: C:\Windows
18 Jun 2015 22:04:40 [0b44] - Windows Sys32 Folder: C:\Windows\system32
18 Jun 2015 22:04:40 [0b44] - DHCP NameServer: 75.75.75.75 75.75.76.76
18 Jun 2015 22:04:40 [0b44] - Interface0 DHCPNameServer: 75.75.75.75 75.75.76.76
18 Jun 2015 22:04:40 [0b44] - Local Fixed Drives: c:\
18 Jun 2015 22:04:40 [0b44] - MWAV Mode(A): Scan and Clean files (for viruses, adware and spyware)
18 Jun 2015 22:04:40 [0b44] - [CREATED ZIP FILE: C:\Users\Tony\AppData\Local\Temp\pinfect.zip]
18 Jun 2015 22:04:40 [0b44] - Command Line Options Given: /xsign
18 Jun 2015 22:04:41 [0b44] - Latest Date of files inside MWAV: Fri Jun 19 03:30:42 2015.
18 Jun 2015 22:04:41 [0b44] - WARNING!!! INVALID SYSTEM DATE 18-06-2015 !!!
18 Jun 2015 22:04:41 [0b44] - Loading/Creating FileScan Cache Database C:\ProgramData\MicroWorld\MWAV\ESCANDBY.MDB [Log: C:\Users\Tony\AppData\Local\Temp\LOG\ESCANDB.LOG]
18 Jun 2015 22:04:41 [0b44] - Loaded/Created FileScan Cache Database...
18 Jun 2015 22:04:41 [0b44] - Loading AV Library [DB]...
18 Jun 2015 22:04:48 [0b44] - ArchiveScan: DISABLED
18 Jun 2015 22:04:48 [0b44] - AV Library Loaded - MultiThreaded - 4 : [DB-DIRECT].
18 Jun 2015 22:04:48 [0b44] - MWAV doing self scanning...
18 Jun 2015 22:04:48 [0b44] - MWAV files are clean.
18 Jun 2015 22:04:51 [0b44] - ArchiveScan: DISABLED
18 Jun 2015 22:04:51 [0b44] - Virus Database Date: 18 Jun 2015
18 Jun 2015 22:04:51 [0b44] - Virus Database Count: 5738225
18 Jun 2015 22:04:51 [0b44] - Sign Version: 7.61120 [519872]
 
18 Jun 2015 22:05:40 [0b44] - **********************************************************
18 Jun 2015 22:05:40 [0b44] - MWAV - eScanAV AntiVirus Toolkit.
18 Jun 2015 22:05:40 [0b44] - Copyright © MicroWorld Technologies
18 Jun 2015 22:05:40 [0b44] -
18 Jun 2015 22:05:40 [0b44] - Support: support@escanav.com
18 Jun 2015 22:05:40 [0b44] - Web: http://www.escanav.com
18 Jun 2015 22:05:40 [0b44] - **********************************************************
18 Jun 2015 22:05:40 [0b44] - Version 14.0.189[DB] (C:\USERS\TONY\APPDATA\LOCAL\TEMP\MEXETMP.EX~)
18 Jun 2015 22:05:40 [0b44] - Log File: C:\Users\Tony\AppData\Local\Temp\LOG\MWAV.LOG
18 Jun 2015 22:05:40 [0b44] - User Account: Tony (Administrator Mode)
18 Jun 2015 22:05:40 [0b44] - Parent Process Name : C:\Users\Tony\AppData\Local\Temp\mexe.com
18 Jun 2015 22:05:40 [0b44] - Windows Root  Folder: C:\Windows
18 Jun 2015 22:05:40 [0b44] - Windows Sys32 Folder: C:\Windows\system32
18 Jun 2015 22:05:40 [0b44] - OS: Windows 7 64-Bit [OS Install Date: 04 Jul 2013 11:00:47]
18 Jun 2015 22:05:40 [0b44] - Ver: Professional Service Pack 1 (Build 7601)
18 Jun 2015 22:05:40 [0b44] - Latest Date of files inside MWAV: Fri Jun 19 03:30:42 2015.
18 Jun 2015 22:05:40 [0b44] - Priority: NORMAL
18 Jun 2015 22:05:40 [0b44] - WARNING!!! INVALID SYSTEM DATE 18-06-2015 !!!

 

I will now reboot, and run the Zemana and JRT. Thanks again



#15 Queen-Evie

Queen-Evie

    Official Bleepin' G.R.I.T.S. (and proud of it)


  • Staff Emeritus
  • 16,485 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:My own little corner of the universe (somewhere in Alabama). It's OK, they know me here
  • Local time:10:07 PM

Posted 19 June 2015 - 11:01 AM

To expand a bit on what Quietman said (thank you Quietman for the links)

The keyword here is "may".


The following is the canned speech I use when someone reports receiving a Constant Guard notice from Comcast:

I will assume you checked using Am I Botted? which gave you the names of the detected bots.

Then again, there may be NO bot.

Did you receive an email from Comcast about this? (You said you did)

Unless they changed the wording of the notice, it says
 

Constant Guard from XFINITY identified that one or more of your computers may be infected with a bot.


That does not necessarily mean there is one.

Do you have a network set up? If so, it could be on any of the computers that connect to your network. Then again, as stated above, there may be no bot on any of them.

No, they will not be able to tell you which computer "MAY" have a bot if you call Comcast.

And in the Comcast help forum, where there are NUMEROUS posts about this you could be told by an employee (if one happens to stumble upon your post) that they observed signs of likely malware infection. If questioned they will then say you "likely" have a bot.

The notice is tied to your MODEM which is why if there is a network you don't know which computer MAY have a bot.

From cc_adame Comcast National Engineering in the Comcast help forum
 

The notice is tied to your modem

http://forums.comcast.com/t5/Security-and-Anti-Virus/constant-guard-alert-bot/m-p/1466883/highlight/true#M89772


Something using your cable modem is exhibiting the behaviour of a bot.

http://forums.comcast.com/t5/Security-and-Anti-Virus/constant-guard-alert-bot/m-p/1466891/highlight/true#M89773


we're only alerting you because we are seeing activity from *something* behind your modem that is bot traffic. We can't tell you which device it is because that would require us to do Deep Packet Inspection, which nobody wants - we care about your privacy, and will not do that.

I recommend you contact CSA, who can further assist you with figuring out which device behind your modem is infected and can remove the notice.

Normal business hours (6:00 am to 2:00 am EST, 7 days a week) 888-565-4329http://forums.comcast.com/t5/Security-and-Anti-Virus/constant-guard-alert-bot/m-p/1467167/highlight/true#M89784


First aid following a botnet notice is to run a full scan with your AV software. If that comes up clean, try the free version of Malwarebytes Anti-Malware.

Wait 24 hours and then check Am I Botted? again. (if you get curious you can check before then)

At this point in time don't panic and don't worry about it to much. If Am I Botted does keeps saying you are THEN you can do whatever it takes to determine whether it's fact or fiction. The malware removal folks here at Bleeping Computer will be glad to help you.
 

1) going to the amibotted does not rescan it just reports that they saw activity in the last 24-26 hours.
2) Comcast clears the you are botted message after a few hours so it you wait 27-30 hours the website will say you do not have a bot until the magical bot activity is seen again.

http://forums.comcast.com/t5/Security-and-Anti-Virus/constant-guard-alert-bot/m-p/1559963/highlight/true#M91304


They used to have a so-called self-help guide. This was totally useless and did not do anything to help you determine IF there was a bot and on which computer. The procedures did not show any infections/malware. It wanted you to download and install the Constant Guard Protection Suite, which includes Norton Security. (*side note* Comcast no longer has the Constant Guard Protection Suite. They do still offer Norton free to customers)

I got one of those you may be botted emails in February of 2013. I did scan 2 of the 4 computers on my network and scans came up clean. After that I decided to wait the 24 hours and check again. When I did Am I Botted said all clear.

You can download and install Trend Micro RUBotted. This is a beta but works just fine.
If you want to try it http://free.antivirus.com/us/rubotted/index.html


While this is an older topic it still contains good advice http://forums.comcast.com/t5/Security-and-Anti-Virus/What-do-I-do-if-I-receive-a-BOT-notification/m-p/1082387/thread-id/83716/message-uid/1082387

Bottom line is to run those scans. Even though it may turn out to be nothing, there could also be some truth to it.

And when in doubt, you can start a topic in Am I Infected? and someone will help you determine if your system is infected.

There is a possibility that infection exists on your computer. It may or may not be the one Comcast is telling you about.

Edited by Queen-Evie, 19 June 2015 - 11:07 AM.





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users