Almost done removing malware remotely from Grandfather's computer


This topic is locked
12 replies to this topic

#1 afextwin

afextwin

  • Members
  • 10 posts

Posted 18 June 2015 - 10:00 AM

Now I need some expert help. DISM crashed 2 days ago, a lot of his Windows Store apps were missing after that, and to install new apps I had to recreate a folder (AUWinstaller or something) in his %windir% to get his Mahjong game back. He had Conduit, fake drivers and a mess of other things. Before I run DISM again, I want to check that I didn't miss any potential malware. Thanks in advance.

 

[RKILL]

 

Rkill 2.7.0 by Lawrence Abrams (Grinler)
Copyright 2008-2015 BleepingComputer.com
More Information about Rkill can be found at this link:
 
Program started at: 06/18/2015 10:33:02 AM in x64 mode.
Windows Version: Windows 8.1 
 
Checking for Windows services to stop:
 
 * No malware services found to stop.
 
Checking for processes to terminate:
 
 * No malware processes found to kill.
 
Checking Registry for malware related settings:
 
 * No issues found in the Registry.
 
Resetting .EXE, .COM, & .BAT associations in the Windows Registry.
 
Performing miscellaneous checks:
 
 * Windows Defender Disabled
 
   [HKLM\SOFTWARE\Microsoft\Windows Defender]
   "DisableAntiSpyware" = dword:00000001
 
Checking Windows Service Integrity: 
 
 * Browser [Missing Service]
 * workfolderssvc [Missing Service]
 * mrxsmb10 [Missing Service]
 * srv [Missing Service]
 
Searching for Missing Digital Signatures: 
 
 * C:\WINDOWS\System32\ddraw.dll : 594,944 : 10/28/2014 09:07 PM : 1ef3ecb69096f349385d4c5d3dc11593 [NoSig]
 +-> C:\WINDOWS\SysWOW64\ddraw.dll : 544,256 : 10/28/2014 08:52 PM : 61bca28e43eee246c9213a89a18d28e8 [Pos Repl]
 +-> C:\WINDOWS\WinSxS\amd64_microsoft-windows-directx-directdraw_31bf3856ad364e35_6.3.9600.16384_none_f5c402f793f84531\ddraw.dll : 106,557 : 03/06/2015 07:42 PM : 5c9e15f04d280b05e8940caf0ef5fb23 [Pos Repl]
 +-> C:\WINDOWS\WinSxS\amd64_microsoft-windows-directx-directdraw_31bf3856ad364e35_6.3.9600.17415_none_f6109dd393beb1b9\ddraw.dll : 594,944 : 10/28/2014 09:07 PM : 1ef3ecb69096f349385d4c5d3dc11593 [Pos Repl]
 +-> C:\WINDOWS\WinSxS\x86_microsoft-windows-directx-directdraw_31bf3856ad364e35_6.3.9600.16384_none_99a56773db9ad3fb\ddraw.dll : 103,217 : 03/06/2015 09:15 PM : e62cd31ccfa043ca90b48dabdbc6056b [Pos Repl]
 +-> C:\WINDOWS\WinSxS\x86_microsoft-windows-directx-directdraw_31bf3856ad364e35_6.3.9600.17415_none_99f2024fdb614083\ddraw.dll : 544,256 : 10/28/2014 08:52 PM : 61bca28e43eee246c9213a89a18d28e8 [Pos Repl]
 
Checking HOSTS File: 
 
 * No issues found.
 
Program finished at: 06/18/2015 10:36:51 AM
Execution time: 0 hours(s), 3 minute(s), and 49 seconds(s)
 
[FRST]
 
Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version:13-06-2015
Ran by Buddy2013 (administrator) on BUD on 18-06-2015 10:49:01
Running from C:\Users\Buddy2013\Downloads
Loaded Profiles: Buddy2013 (Available Profiles: Buddy2013)
Platform: Windows 8.1 (X64) OS Language: English (United States)
Internet Explorer Version 11 (Default browser: Chrome)
Boot Mode: Normal
 
==================== Processes (Whitelisted) =================
 
(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)
 
(Avast Software s.r.o.) C:\Program Files\AVAST Software\Avast\AvastSvc.exe
(Avast Software s.r.o.) C:\Program Files\AVAST Software\Avast\afwServ.exe
(Microsoft Corporation) C:\Windows\SysWOW64\svchost.exe
(Malwarebytes Corporation) C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe
(Malwarebytes Corporation) C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe
(TeamViewer GmbH) C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\LMS\LMS.exe
(Malwarebytes Corporation) C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe
(Avast Software s.r.o.) C:\Program Files\AVAST Software\Avast\AvastUI.exe
(TeamViewer GmbH) C:\Program Files (x86)\TeamViewer\TeamViewer.exe
(TeamViewer GmbH) C:\Program Files (x86)\TeamViewer\tv_w32.exe
(TeamViewer GmbH) C:\Program Files (x86)\TeamViewer\tv_x64.exe
(TeamViewer GmbH) C:\Program Files (x86)\TeamViewer\TeamViewer_Desktop.exe
() C:\Users\Buddy2013\Downloads\AdwCleaner.exe
(Microsoft Corporation) C:\Windows\System32\dasHost.exe
(Intel® Corporation) C:\Program Files\Intel\iCLS Client\HeciServer.exe
(Microsoft Corporation) C:\Windows\System32\dasHost.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe
(Garmin Ltd. or its subsidiaries) C:\Program Files (x86)\Garmin\Device Interaction Service\GarminService.exe
 
 
==================== Registry (Whitelisted) ==================
 
(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)
 
HKLM\...\Run: [Logitech Download Assistant] => C:\Windows\system32\rundll32.exe C:\Windows\System32\LogiLDA.dll,LogiFetch
HKLM\...\Run: [ASUSQuickGesture(x86)] => C:\Program Files (x86)\ASUS\ASUS Smart Gesture\QuickGesture\x86\QuickGesture.exe [20352 2012-09-11] (ASUSTeK Computer Inc.)
HKLM\...\Run: [ASUSTPLoader(x64)] => C:\Program Files (x86)\ASUS\ASUS Smart Gesture\AsTPCenter\x64\AsusTPLoader.exe [169856 2012-09-11] (AsusTek)
HKLM\...\Run: [ASUSQuickGesture(x64)] => C:\Program Files (x86)\ASUS\ASUS Smart Gesture\QuickGesture\x64\QuickGesture64.exe [22400 2012-09-11] (ASUSTeK Computer Inc.)
HKLM-x32\...\Run: [Adobe Reader Speed Launcher] => C:\Program Files (x86)\Adobe\Reader 10.0\Reader\Reader_sl.exe [40336 2015-04-29] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [Adobe ARM] => C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe [1022152 2014-12-19] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [HDAudDeck] => C:\Program Files (x86)\VIA\VIAudioi\VDeck\VDeck.exe [5264016 2012-08-16] (VIA)
HKLM-x32\...\Run: [RemoteControl10] => C:\Program Files (x86)\CyberLink\PowerDVD10\PDVD10Serv.exe [91432 2012-03-28] (CyberLink Corp.)
HKLM-x32\...\Run: [ASUSWebStorage] => C:\Program Files (x86)\ASUS\WebStorage Sync Agent\1.1.9.120\AsusWSPanel.exe [3417984 2012-08-27] (ASUS Cloud Corporation)
HKLM-x32\...\Run: [AvastUI.exe] => C:\Program Files\AVAST Software\Avast\AvastUI.exe [5515496 2015-05-30] (Avast Software s.r.o.)
HKLM-x32\...\Run: [HP Software Update] => C:\Program Files (x86)\HP\HP Software Update\HPWuSchd2.exe [96056 2013-05-30] (Hewlett-Packard)
HKLM-x32\...\Run: [] => [X]
Winlogon\Notify\igfxcui: C:\WINDOWS\system32\igfxdev.dll (Intel Corporation)
HKU\S-1-5-21-1244661046-506875474-1074071550-1001\...\Run: [CCleaner Monitoring] => C:\Program Files\CCleaner\CCleaner64.exe [8322328 2015-05-08] (Piriform Ltd)
HKU\S-1-5-21-1244661046-506875474-1074071550-1001\...\Run: [WinPatrol] => C:\Program Files (x86)\Ruiware\WinPatrol\winpatrol.exe [1163264 2015-03-30] (Ruiware LLC)
HKU\S-1-5-18\...\Run: [GarminExpressTrayApp] => C:\Program Files (x86)\Garmin\Express Tray\ExpressTray.exe [1403224 2015-04-23] (Garmin Ltd. or its subsidiaries)
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\AsusVibeLauncher.lnk [2012-10-16]
ShortcutTarget: AsusVibeLauncher.lnk -> C:\Program Files (x86)\ASUS\AsusVibe\AsusVibeLauncher.exe (ASUSTeK Computer Inc.)
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk [2014-07-22]
ShortcutTarget: HP Digital Imaging Monitor.lnk -> C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe (Hewlett-Packard Co.)
ShellIconOverlayIdentifiers: [00avast] -> {472083B0-C522-11CF-8763-00608CC02F24} => C:\Program Files\AVAST Software\Avast\ashShA64.dll [2015-05-30] (Avast Software s.r.o.)
ShellIconOverlayIdentifiers: [AsusWSShellExt_B] -> {6D4133E5-0742-4ADC-8A8C-9303440F7190} => C:\Program Files (x86)\ASUS\WebStorage Sync Agent\1.1.9.120\ASUSWSShellExt64.dll [2012-03-13] (ASUS Cloud Corporation.)
ShellIconOverlayIdentifiers: [AsusWSShellExt_O] -> {64174815-8D98-4CE6-8646-4C039977D808} => C:\Program Files (x86)\ASUS\WebStorage Sync Agent\1.1.9.120\ASUSWSShellExt64.dll [2012-03-13] (ASUS Cloud Corporation.)
ShellIconOverlayIdentifiers: [AsusWSShellExt_U] -> {1C5AB7B1-0B38-4EC4-9093-7FD277E2AF4D} => C:\Program Files (x86)\ASUS\WebStorage Sync Agent\1.1.9.120\ASUSWSShellExt64.dll [2012-03-13] (ASUS Cloud Corporation.)
ShellIconOverlayIdentifiers: [DropboxExt1] -> {FB314ED9-A251-47B7-93E1-CDD82E34AF8B} => C:\Users\Buddy2013\AppData\Roaming\Dropbox\bin\DropboxExt64.22.dll [2013-09-10] (Dropbox, Inc.)
ShellIconOverlayIdentifiers: [DropboxExt2] -> {FB314EDA-A251-47B7-93E1-CDD82E34AF8B} => C:\Users\Buddy2013\AppData\Roaming\Dropbox\bin\DropboxExt64.22.dll [2013-09-10] (Dropbox, Inc.)
ShellIconOverlayIdentifiers: [DropboxExt3] -> {FB314EDB-A251-47B7-93E1-CDD82E34AF8B} => C:\Users\Buddy2013\AppData\Roaming\Dropbox\bin\DropboxExt64.22.dll [2013-09-10] (Dropbox, Inc.)
ShellIconOverlayIdentifiers: [DropboxExt4] -> {FB314EDC-A251-47B7-93E1-CDD82E34AF8B} => C:\Users\Buddy2013\AppData\Roaming\Dropbox\bin\DropboxExt64.22.dll [2013-09-10] (Dropbox, Inc.)
ShellIconOverlayIdentifiers-x32: [DropboxExt1] -> {FB314ED9-A251-47B7-93E1-CDD82E34AF8B} => C:\Users\Buddy2013\AppData\Roaming\Dropbox\bin\DropboxExt.22.dll [2013-09-10] (Dropbox, Inc.)
ShellIconOverlayIdentifiers-x32: [DropboxExt2] -> {FB314EDA-A251-47B7-93E1-CDD82E34AF8B} => C:\Users\Buddy2013\AppData\Roaming\Dropbox\bin\DropboxExt.22.dll [2013-09-10] (Dropbox, Inc.)
ShellIconOverlayIdentifiers-x32: [DropboxExt3] -> {FB314EDB-A251-47B7-93E1-CDD82E34AF8B} => C:\Users\Buddy2013\AppData\Roaming\Dropbox\bin\DropboxExt.22.dll [2013-09-10] (Dropbox, Inc.)
 
==================== Internet (Whitelisted) ====================
 
(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)
 
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Start Page = https://www.yahoo.com/?fr=hp-avast&type=agc511
HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = 
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Search Page = https://search.yahoo.com/yhs/search?type=agc511&hspart=avast&hsimp=yhs-001&p={searchTerms}
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = 
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Page_URL = 
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = 
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Search_URL = 
HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = 
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Local Page = 
HKU\S-1-5-21-1244661046-506875474-1074071550-1001\Software\Microsoft\Internet Explorer\Main,Search Page = https://search.yahoo.com/yhs/search?type=agc511&hspart=avast&hsimp=yhs-001&p={searchTerms}
HKU\S-1-5-21-1244661046-506875474-1074071550-1001\Software\Microsoft\Internet Explorer\Main,Start Page = https://www.yahoo.com/?fr=hp-avast&type=agc511
HKU\S-1-5-21-1244661046-506875474-1074071550-1001\Software\Microsoft\Internet Explorer\Main,Search Bar = https://www.yahoo.com/?fr=hp-avast&type=agc511
SearchScopes: HKLM-x32 -> {9CB96984-43C3-4D44-90EF-01466EFCF7BB} URL = https://search.yahoo.com/yhs/search?type=agc511&hspart=avast&hsimp=yhs-001&p={searchTerms}
SearchScopes: HKU\.DEFAULT -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
SearchScopes: HKU\S-1-5-19 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
SearchScopes: HKU\S-1-5-20 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
SearchScopes: HKU\S-1-5-21-1244661046-506875474-1074071550-1001 -> SuggestionsURL_JSON http://suggest.search.conduit.com/CSuggestJson.ashx?prefix={searchTerms}
BHO: ASUS Browser Extension x64 -> {78234974-0C4B-4111-BDEB-D9A104418772} -> C:\Program Files (x86)\ASUS\ASUS Smart Gesture\install\x64\BrowserExtension64.dll [2012-09-11] (ASUSTeK Computer Inc.)
BHO: avast! Online Security -> {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} -> C:\Program Files\AVAST Software\Avast\aswWebRepIE64.dll [2015-03-27] (Avast Software s.r.o.)
BHO-x32: ASUS Browser Extension x86 -> {78234974-0C4B-4111-BDEB-D9A104418771} -> C:\Program Files (x86)\ASUS\ASUS Smart Gesture\install\x86\BrowserExtension.dll [2012-09-11] (ASUSTeK Computer Inc.)
BHO-x32: avast! Online Security -> {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} -> C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll [2015-03-27] (Avast Software s.r.o.)
Toolbar: HKLM - No Name - {318A227B-5E9F-45bd-8999-7F8F10CA4CF5} -  No File
Toolbar: HKU\S-1-5-21-1244661046-506875474-1074071550-1001 -> No Name - {2318C2B1-4965-11D4-9B18-009027A5CD4F} -  No File
Tcpip\Parameters: [DhcpNameServer] 209.18.47.61 209.18.47.62
 
FireFox:
========
FF Plugin-x32: @intel-webapi.intel.com/Intel WebAPI ipt;version=2.1.42 -> C:\Program Files (x86)\Intel\Intel® Management Engine Components\IPT\npIntelWebAPIIPT.dll [2012-06-06] (Intel Corporation)
FF Plugin-x32: @intel-webapi.intel.com/Intel WebAPI updater -> C:\Program Files (x86)\Intel\Intel® Management Engine Components\IPT\npIntelWebAPIUpdater.dll [2012-06-06] (Intel Corporation)
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.27.5\npGoogleUpdate3.dll [2015-05-15] (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.27.5\npGoogleUpdate3.dll [2015-05-15] (Google Inc.)
FF Plugin-x32: Adobe Reader -> C:\Program Files (x86)\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll [2015-04-29] (Adobe Systems Inc.)
FF HKLM-x32\...\Firefox\Extensions: [wrc@avast.com] - C:\Program Files\AVAST Software\Avast\WebRep\FF
FF Extension: Avast Online Security - C:\Program Files\AVAST Software\Avast\WebRep\FF [2013-08-04]
FF HKLM-x32\...\Thunderbird\Extensions: [msktbird@mcafee.com] - C:\Program Files\McAfee\MSK
 
Chrome: 
=======
CHR Profile: C:\Users\Buddy2013\AppData\Local\Google\Chrome\User Data\Default
CHR Extension: (Google Slides) - C:\Users\Buddy2013\AppData\Local\Google\Chrome\User Data\Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek [2015-06-10]
CHR Extension: (Google Docs) - C:\Users\Buddy2013\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake [2015-06-10]
CHR Extension: (Google Drive) - C:\Users\Buddy2013\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2015-06-10]
CHR Extension: (YouTube) - C:\Users\Buddy2013\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2015-06-10]
CHR Extension: (Google Search) - C:\Users\Buddy2013\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf [2015-06-10]
CHR Extension: (Avast SafePrice) - C:\Users\Buddy2013\AppData\Local\Google\Chrome\User Data\Default\Extensions\eofcbnmajmjmplflapaojjnihcjkigck [2014-09-02]
CHR Extension: (Google Sheets) - C:\Users\Buddy2013\AppData\Local\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap [2015-06-10]
CHR Extension: (Avast Online Security) - C:\Users\Buddy2013\AppData\Local\Google\Chrome\User Data\Default\Extensions\gomekmidlodglbbmalcneegieacbdmki [2014-06-07]
CHR Extension: (Chrome Hotword Shared Module) - C:\Users\Buddy2013\AppData\Local\Google\Chrome\User Data\Default\Extensions\lccekmodgklaepjeofjdjpbminllajkg [2015-03-13]
CHR Extension: (Google Wallet) - C:\Users\Buddy2013\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2013-10-30]
CHR Extension: (Gmail) - C:\Users\Buddy2013\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2015-06-10]
CHR HKLM-x32\...\Chrome\Extension: [eofcbnmajmjmplflapaojjnihcjkigck] - C:\Program Files\AVAST Software\Avast\WebRep\Chrome\aswwebrepchrome-sp.crx [2014-09-02]
CHR HKLM-x32\...\Chrome\Extension: [gomekmidlodglbbmalcneegieacbdmki] - C:\Program Files\AVAST Software\Avast\WebRep\Chrome\aswWebRepChrome.crx [2015-03-27]
 
==================== Services (Whitelisted) =================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
S2 ASUS InstantOn; C:\Program Files (x86)\ASUS\ASUS InstantOn\InsOnSrv.exe [277120 2012-04-13] (ASUS)
R2 avast! Antivirus; C:\Program Files\AVAST Software\Avast\AvastSvc.exe [343336 2015-05-30] (Avast Software s.r.o.)
R2 avast! Firewall; C:\Program Files\AVAST Software\Avast\afwServ.exe [107448 2015-05-30] (Avast Software s.r.o.)
S3 BthHFSrv; C:\Windows\System32\BthHFSrv.dll [324608 2014-10-28] (Microsoft Corporation)
R2 Garmin Device Interaction Service; C:\Program Files (x86)\Garmin\Device Interaction Service\GarminService.exe [713736 2015-04-23] (Garmin Ltd. or its subsidiaries)
S2 Intel® ME Service; C:\Program Files (x86)\Intel\Intel® Management Engine Components\FWService\IntelMeFWService.exe [129856 2012-06-27] (Intel Corporation)
S2 jhi_service; C:\Program Files (x86)\Intel\Intel® Management Engine Components\DAL\jhi_service.exe [166720 2012-06-25] (Intel Corporation)
R2 MBAMScheduler; C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe [1871160 2015-04-14] (Malwarebytes Corporation)
R2 MBAMService; C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe [1080120 2015-04-14] (Malwarebytes Corporation)
S2 Net Driver HPZ12; C:\Windows\System32\HPZinw12.dll [71680 2010-08-06] (Hewlett-Packard) [File not signed]
S2 Pml Driver HPZ12; C:\Windows\System32\HPZipm12.dll [89600 2010-08-06] (Hewlett-Packard) [File not signed]
R2 TeamViewer; C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe [5495056 2015-06-01] (TeamViewer GmbH)
S2 VIAKaraokeService; C:\Windows\system32\viakaraokesrv.exe [27792 2012-08-14] (VIA Technologies, Inc.)
S3 WdNisSvc; C:\Program Files\Windows Defender\NisSrv.exe [366520 2015-02-03] (Microsoft Corporation)
S3 WinDefend; C:\Program Files\Windows Defender\MsMpEng.exe [23792 2015-02-03] (Microsoft Corporation)
 
==================== Drivers (Whitelisted) ====================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
R2 aswHwid; C:\Windows\system32\drivers\aswHwid.sys [29168 2015-05-30] ()
R1 aswKbd; C:\Windows\system32\drivers\aswKbd.sys [28144 2015-05-30] (Avast Software s.r.o.)
R2 aswMonFlt; C:\Windows\system32\drivers\aswMonFlt.sys [89944 2015-05-30] (Avast Software s.r.o.)
R0 aswNdisFlt; C:\Windows\System32\DRIVERS\aswNdisFlt.sys [449896 2015-05-30] (Avast Software s.r.o.)
R1 aswRdr; C:\Windows\system32\drivers\aswRdr2.sys [93528 2015-05-30] (Avast Software s.r.o.)
R0 aswRvrt; C:\Windows\System32\Drivers\aswRvrt.sys [65736 2015-05-30] ()
R1 aswSnx; C:\Windows\system32\drivers\aswSnx.sys [1047320 2015-05-30] (Avast Software s.r.o.)
R1 aswSP; C:\Windows\system32\drivers\aswSP.sys [442264 2015-05-30] (Avast Software s.r.o.)
R2 aswStm; C:\Windows\system32\drivers\aswStm.sys [137288 2015-05-30] (Avast Software s.r.o.)
R0 aswVmm; C:\Windows\System32\Drivers\aswVmm.sys [272248 2015-05-30] ()
R3 ATP; C:\Windows\System32\drivers\AsusTP.sys [56704 2012-09-11] (ASUS Corporation)
R3 kbfiltr; C:\Windows\System32\drivers\kbfiltr.sys [14992 2012-08-01] ( )
R1 mbamchameleon; C:\WINDOWS\system32\drivers\mbamchameleon.sys [107736 2015-04-14] (Malwarebytes Corporation)
R3 MBAMProtector; C:\WINDOWS\system32\drivers\mbam.sys [25816 2015-04-14] (Malwarebytes Corporation)
R3 MBAMSwissArmy; C:\WINDOWS\system32\drivers\MBAMSwissArmy.sys [136408 2015-06-16] (Malwarebytes Corporation)
R3 MBAMWebAccessControl; C:\WINDOWS\system32\drivers\mwac.sys [64216 2015-04-14] (Malwarebytes Corporation)
S3 WdNisDrv; C:\Windows\System32\Drivers\WdNisDrv.sys [114496 2015-02-03] (Microsoft Corporation)
 
==================== NetSvcs (Whitelisted) ===================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 

Edited by afextwin, 18 June 2015 - 02:32 PM.
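The Rkill log above carries three findings a responder would want to triage before touching DISM again: Windows Defender is disabled through the DisableAntiSpyware policy value (expected on a machine running a third-party AV such as Avast, but worth confirming), several services are reported missing, and an unsigned ddraw.dll in System32 has hash-identical copies in the WinSxS component store. The script below is an added example, not part of the thread and not Rkill's own code; it parses the relevant blocks of the log (the sample is the page's own output, trimmed) and applies the check a practitioner would do by hand: an unsigned system file whose size and MD5 match a copy in WinSxS is the same bytes the servicing stack holds, so the finding is about a missing catalog signature rather than a tampered binary, whereas an unsigned file with no identical copy deserves a closer look.

```python
import re

# Constructed sample: the relevant parts of the Rkill log from the post above,
# trimmed to the Defender check, the service-integrity check and the
# "Missing Digital Signatures" block (sizes and MD5 hashes are the page's own).
RKILL_SAMPLE = r"""
Performing miscellaneous checks:
 
 * Windows Defender Disabled
 
   [HKLM\SOFTWARE\Microsoft\Windows Defender]
   "DisableAntiSpyware" = dword:00000001
 
Checking Windows Service Integrity: 
 
 * Browser [Missing Service]
 * srv [Missing Service]
 
Searching for Missing Digital Signatures: 
 
 * C:\WINDOWS\System32\ddraw.dll : 594,944 : 10/28/2014 09:07 PM : 1ef3ecb69096f349385d4c5d3dc11593 [NoSig]
 +-> C:\WINDOWS\SysWOW64\ddraw.dll : 544,256 : 10/28/2014 08:52 PM : 61bca28e43eee246c9213a89a18d28e8 [Pos Repl]
 +-> C:\WINDOWS\WinSxS\amd64_microsoft-windows-directx-directdraw_31bf3856ad364e35_6.3.9600.17415_none_f6109dd393beb1b9\ddraw.dll : 594,944 : 10/28/2014 09:07 PM : 1ef3ecb69096f349385d4c5d3dc11593 [Pos Repl]
 +-> C:\WINDOWS\WinSxS\x86_microsoft-windows-directx-directdraw_31bf3856ad364e35_6.3.9600.17415_none_99f2024fdb614083\ddraw.dll : 544,256 : 10/28/2014 08:52 PM : 61bca28e43eee246c9213a89a18d28e8 [Pos Repl]
 
Checking HOSTS File: 
"""

# One "Missing Digital Signatures" line: "*" starts an unsigned file, "+->" is a
# replacement candidate Rkill found elsewhere on disk.
SIG_RE = re.compile(
    r"^\s*(?P<marker>\*|\+->)\s+(?P<path>.+?) : (?P<size>[\d,]+) : "
    r"(?P<mtime>.+?) : (?P<md5>[0-9a-fA-F]{32}) \[(?P<tag>NoSig|Pos Repl)\]\s*$"
)
SERVICE_RE = re.compile(r"^\s*\*\s+(?P<name>\S+) \[Missing Service\]\s*$")
DEFENDER_RE = re.compile(r'"DisableAntiSpyware"\s*=\s*dword:0*1\s*$', re.MULTILINE)


def parse_missing_signatures(log_text):
    """Group each unsigned file with the candidate copies listed under it."""
    groups = []
    for line in log_text.splitlines():
        m = SIG_RE.match(line)
        if not m:
            continue
        entry = {
            "path": m["path"],
            "size": int(m["size"].replace(",", "")),
            "md5": m["md5"].lower(),
            "tag": m["tag"],
        }
        if m["marker"] == "*":
            groups.append({"file": entry, "candidates": []})
        elif groups:
            groups[-1]["candidates"].append(entry)
    return groups


def missing_services(log_text):
    """Names Rkill reported under 'Checking Windows Service Integrity'."""
    return [m["name"] for m in map(SERVICE_RE.match, log_text.splitlines()) if m]


def defender_disabled(log_text):
    """True when the log shows DisableAntiSpyware set to 1 under HKLM."""
    return DEFENDER_RE.search(log_text) is not None


def triage(groups):
    """For each unsigned file, look for a byte-identical copy (same size and
    MD5) inside the WinSxS component store."""
    results = []
    for g in groups:
        f = g["file"]
        identical = [
            c["path"] for c in g["candidates"]
            if c["md5"] == f["md5"] and c["size"] == f["size"]
            and "\\winsxs\\" in c["path"].lower()
        ]
        results.append({
            "path": f["path"],
            "identical_winsxs_copies": identical,
            "verdict": "matches component store" if identical
                       else "no identical copy - investigate",
        })
    return results


def summarize(log_text):
    """Everything a responder wants from the log in one dictionary."""
    return {
        "defender_disabled": defender_disabled(log_text),
        "missing_services": missing_services(log_text),
        "unsigned_files": triage(parse_missing_signatures(log_text)),
    }


if __name__ == "__main__":
    for key, value in summarize(RKILL_SAMPLE).items():
        print(f"{key}: {value}")
```

On the page's own data the only identical copy is the amd64 6.3.9600.17415 component, which is the version the System32 file should be; a DISM /RestoreHealth pass would pull from exactly that store.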



#2 nasdaq

nasdaq

  • Malware Response Team
  • 39,586 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 21 June 2015 - 08:50 AM

Open notepad (Start =>All Programs => Accessories => Notepad). Please copy the entire contents of the code box below.


start

CreateRestorePoint:
CloseProcesses:

HKLM-x32\...\Run: [] => [X]
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
SearchScopes: HKU\S-1-5-21-1244661046-506875474-1074071550-1001 -> URL http://search.conduit.com/Results.aspx?ctid=CT3325805&octid=EB_ORIGINAL_CTID&SearchSource=58&CUI=&UM=5&UP=SPE9467CE8-8F59-42B8-A6AB-33E82451CA61&q={searchTerms}&SSPV=
SearchScopes: HKU\S-1-5-21-1244661046-506875474-1074071550-1001 -> SuggestionsURL_JSON http://suggest.search.conduit.com/CSuggestJson.ashx?prefix={searchTerms}
Toolbar: HKLM - No Name - {318A227B-5E9F-45bd-8999-7F8F10CA4CF5} -  No File
Toolbar: HKU\S-1-5-21-1244661046-506875474-1074071550-1001 -> No Name - {2318C2B1-4965-11D4-9B18-009027A5CD4F} -  No File
CHR Extension: (Avast SafePrice) - C:\Users\Buddy2013\AppData\Local\Google\Chrome\User Data\Default\Extensions\eofcbnmajmjmplflapaojjnihcjkigck [2014-09-02]
CHR Extension: (Avast Online Security) - C:\Users\Buddy2013\AppData\Local\Google\Chrome\User Data\Default\Extensions\gomekmidlodglbbmalcneegieacbdmki [2014-06-07]
CHR HKLM-x32\...\Chrome\Extension: [eofcbnmajmjmplflapaojjnihcjkigck] - C:\Program Files\AVAST Software\Avast\WebRep\Chrome\aswwebrepchrome-sp.crx [2014-09-02]
CHR HKLM-x32\...\Chrome\Extension: [gomekmidlodglbbmalcneegieacbdmki] - C:\Program Files\AVAST Software\Avast\WebRep\Chrome\aswWebRepChrome.crx [2015-03-27]

End
Save the file as fixlist.txt in the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the Farbar log you have submitted.

Run FRST and click Fix only once and wait.

Restart the computer normally to reset the registry.

The tool will create a log (Fixlog.txt); please post it in your reply.
===

#3 afextwin

afextwin
  • Topic Starter
  • Members
  • 10 posts

Posted 22 June 2015 - 09:46 AM

Fix result of Farbar Recovery Scan Tool (x64) Version:13-06-2015
Ran by Buddy2013 at 2015-06-22 10:35:47 Run:1
Running from C:\Users\Buddy2013\Downloads
Loaded Profiles: Buddy2013 (Available Profiles: Buddy2013)
Boot Mode: Normal
==============================================
 
fixlist content:
*****************
 
start
 
CreateRestorePoint:
CloseProcesses:
 
HKLM-x32\...\Run: [] => [X]
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
SearchScopes: HKU\S-1-5-21-1244661046-506875474-1074071550-1001 -> SuggestionsURL_JSON http://suggest.search.conduit.com/CSuggestJson.ashx?prefix={searchTerms}
Toolbar: HKLM - No Name - {318A227B-5E9F-45bd-8999-7F8F10CA4CF5} -  No File
Toolbar: HKU\S-1-5-21-1244661046-506875474-1074071550-1001 -> No Name - {2318C2B1-4965-11D4-9B18-009027A5CD4F} -  No File
CHR Extension: (Avast SafePrice) - C:\Users\Buddy2013\AppData\Local\Google\Chrome\User Data\Default\Extensions\eofcbnmajmjmplflapaojjnihcjkigck [2014-09-02]
CHR Extension: (Avast Online Security) - C:\Users\Buddy2013\AppData\Local\Google\Chrome\User Data\Default\Extensions\gomekmidlodglbbmalcneegieacbdmki [2014-06-07]
CHR HKLM-x32\...\Chrome\Extension: [eofcbnmajmjmplflapaojjnihcjkigck] - C:\Program Files\AVAST Software\Avast\WebRep\Chrome\aswwebrepchrome-sp.crx [2014-09-02]
CHR HKLM-x32\...\Chrome\Extension: [gomekmidlodglbbmalcneegieacbdmki] - C:\Program Files\AVAST Software\Avast\WebRep\Chrome\aswWebRepChrome.crx [2015-03-27]
 
End
*****************
 
Restore point was successfully created.
Processes closed successfully.
HKLM\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\\ => value removed successfully
"HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer" => key removed successfully
HKU\S-1-5-21-1244661046-506875474-1074071550-1001\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\URL => value removed successfully
HKU\S-1-5-21-1244661046-506875474-1074071550-1001\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\SuggestionsURL_JSON => value removed successfully
HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar\\{318A227B-5E9F-45bd-8999-7F8F10CA4CF5} => value removed successfully
HKCR\CLSID\{318A227B-5E9F-45bd-8999-7F8F10CA4CF5} => key not found. 
HKU\S-1-5-21-1244661046-506875474-1074071550-1001\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{2318C2B1-4965-11D4-9B18-009027A5CD4F} => value removed successfully
HKCR\CLSID\{2318C2B1-4965-11D4-9B18-009027A5CD4F} => key not found. 
C:\Users\Buddy2013\AppData\Local\Google\Chrome\User Data\Default\Extensions\eofcbnmajmjmplflapaojjnihcjkigck => moved successfully.
C:\Users\Buddy2013\AppData\Local\Google\Chrome\User Data\Default\Extensions\gomekmidlodglbbmalcneegieacbdmki => moved successfully.
"HKLM\SOFTWARE\Wow6432Node\Google\Chrome\Extensions\eofcbnmajmjmplflapaojjnihcjkigck" => key removed successfully
Could not move "C:\Program Files\AVAST Software\Avast\WebRep\Chrome\aswwebrepchrome-sp.crx" => Scheduled to move on reboot.
"HKLM\SOFTWARE\Wow6432Node\Google\Chrome\Extensions\gomekmidlodglbbmalcneegieacbdmki" => key removed successfully
Could not move "C:\Program Files\AVAST Software\Avast\WebRep\Chrome\aswWebRepChrome.crx" => Scheduled to move on reboot.
 
Result of scheduled files to move (Boot Mode: Normal) (Date&Time: 2015-06-22 10:41:11)<=
 
"C:\Program Files\AVAST Software\Avast\WebRep\Chrome\aswwebrepchrome-sp.crx" => Could not move
"C:\Program Files\AVAST Software\Avast\WebRep\Chrome\aswWebRepChrome.crx" => Could not move
 
==== End of Fixlog 10:41:11 ====


#4 nasdaq

nasdaq

  • Malware Response Team
  • 39,586 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 22 June 2015 - 12:42 PM

How is the computer running now?

#5 afextwin

afextwin
  • Topic Starter
  • Members
  • 10 posts

Posted 22 June 2015 - 05:22 PM

It's a little slow (slower than before I started removing malware), but I believe that is because AVAST is scanning 24/7 and Disk usage is at 100% for the first 15-20 minutes of turning on the computer (even from sleep mode) whereas before I started, avast was set to ignore the c: drive and about 45 different file extensions.

 

I'd like to run DISM again to clear up the errors(?) stated by RKILL. Also, the bad DirectDraw DLL gave me some concern - at first I thought it was from the stupid ASUS presentation app, but the app is removed and the .dll errors were still present last I ran RKILL.

 

I haven't spoken with gramps since I posted the log, I'll check in tonight.

 

Quick question - I can never find the cbs log files, do I need to create one before running DISM or is there a switch/parameter I need to use to enable logging?


Edited by afextwin, 22 June 2015 - 05:23 PM.


#6 nasdaq

nasdaq

  • Malware Response Team
  • 39,586 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 23 June 2015 - 07:04 AM

I can never find the cbs log files, do I need to create one before running DISM

I'm not familiar with this tool.

You need to run this tool to get a CBS.LOG

Check the integrity of the operating system files.
How to run sfc /Scannow
http://support.microsoft.com/kb/929833
===

You may want to run this to make sure all the important services are set.

Please Download Tweaking.com - Windows Repair from Here

  • Install and then run the program
  • Execute the instructions on Step 1 Important
  • Click Next on Step 2 Optional, do the Pre Scan, skip Step 3 and 4 Optional for now.
  • On Step 5 Backup System Restore do a Registry backup. When you have completed this click Next
  • Click on Repairs
  • Click Repairs - Open Repairs in the bottom right corner
  • Click the Unselect All button then select just the item(s) listed below

    01 - Repair Registry Permissions
    03 - Reset Service permissions
    26 - Restore Important Windows Services
    27 - Set Windows Service to Default Startup

  • Click the Start button and let the process run to completion. Copy any error messages into Notepad, save it on your Desktop. (Reboot if asked to do so)
  • Please copy and paste the contents of this file on your next reply.

===

Restart the computer normally.

How is the computer running now?

=======================
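The CBS.LOG that nasdaq points to is written by the servicing stack at %windir%\Logs\CBS\CBS.log by default, and the KB929833 article he links shows how to pull out only the sfc /scannow entries, which are the lines tagged "[SR]". The script below is an added example, not part of the thread and not Microsoft's or nasdaq's code: it does the same filtering in Python over a constructed CBS.log excerpt modelled on the format the KB documents, and then reduces the "[SR]" entries to what a reader actually needs to know: how many components were verified, which files SFC could not repair and why, which it did repair, and whether the scan ran to completion.

```python
import re

# Constructed sample excerpt (not the poster's real CBS.log), modelled on the
# "[SR]" line format Microsoft documents for sfc /scannow in KB929833. The
# "[l:18{9}]" prefix is CSI's length marker: 18 bytes, 9 characters.
CBS_SAMPLE = """\
2015-06-23 13:10:40, Info                  CBS    Starting TrustedInstaller initialization.
2015-06-23 13:10:42, Info                  CSI    0000025c [SR] Verifying 100 (0x0000000000000064) components
2015-06-23 13:10:42, Info                  CSI    0000025d [SR] Beginning Verify and Repair transaction
2015-06-23 13:10:44, Info                  CSI    0000025e [SR] Cannot repair member file [l:18{9}]"ddraw.dll" of Microsoft-Windows-DirectX-DirectDraw, Version = 6.3.9600.17415, pA = PROCESSOR_ARCHITECTURE_AMD64 (9), Culture neutral, VersionScope = 1 nonSxS, PublicKeyToken = {l:8 b:31bf3856ad364e35}, Type neutral, TypeName neutral, PublicKey neutral in the store, hash mismatch
2015-06-23 13:10:45, Info                  CSI    0000025f [SR] Repairing corrupted file [l:22{11}]"example.dll" of Example-Component, Version = 6.3.9600.17415, pA = PROCESSOR_ARCHITECTURE_AMD64 (9), Culture neutral, VersionScope = 1 nonSxS, PublicKeyToken = {l:8 b:31bf3856ad364e35}, Type neutral, TypeName neutral, PublicKey neutral in the store, hash mismatch
2015-06-23 13:10:46, Info                  CSI    00000261 [SR] Verify complete
"""

# An "[SR]" line: timestamp, level, the CSI component, a hex sequence number,
# the [SR] tag and the message.
SR_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}), \w+\s+CSI\s+[0-9a-f]+ "
    r"\[SR\] (?P<msg>.*)$"
)
FILE_RE = re.compile(r'\[l:\d+\{\d+\}\]"(?P<name>[^"]+)"')
VERIFY_RE = re.compile(r"Verifying (?P<n>\d+) \(")


def sr_lines(text):
    # Same result as the KB's  findstr /c:"[SR]" %windir%\Logs\CBS\CBS.log
    return [line for line in text.splitlines() if "[SR]" in line]


def summarize_sfc(text):
    """Reduce the [SR] entries of a CBS.log to the scan outcome."""
    summary = {
        "components_verified": 0,   # summed over the per-batch "Verifying N" lines
        "unrepairable": [],         # files SFC found corrupt but could not replace
        "repaired": [],             # files SFC replaced from the component store
        "complete": False,          # did the scan reach "Verify complete"
    }
    for line in text.splitlines():
        m = SR_RE.match(line)
        if not m:
            continue
        msg = m["msg"]
        batch = VERIFY_RE.search(msg)
        if batch:
            summary["components_verified"] += int(batch["n"])
        elif msg.startswith("Cannot repair member file"):
            f = FILE_RE.search(msg)
            summary["unrepairable"].append({
                "file": f["name"] if f else "?",
                # the reason is the last comma-separated clause, e.g. "hash mismatch"
                "reason": msg.rsplit(", ", 1)[-1],
                "time": m["ts"],
            })
        elif msg.startswith("Repairing corrupted file"):
            f = FILE_RE.search(msg)
            summary["repaired"].append(f["name"] if f else "?")
        elif msg.startswith("Verify complete"):
            summary["complete"] = True
    return summary


if __name__ == "__main__":
    # Point this at a real %windir%\Logs\CBS\CBS.log to summarize an actual scan.
    for key, value in summarize_sfc(CBS_SAMPLE).items():
        print(f"{key}: {value}")
```

A file in the unrepairable list with reason "hash mismatch" is the case where sfc alone cannot help and DISM /RestoreHealth (or a source component) is needed, which is the situation the thread is working towards.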


#7 afextwin

afextwin
  • Topic Starter
  • Members
  • 10 posts

Posted 23 June 2015 - 12:58 PM

EDIT: Running sfc /scannow, will update post with cbs.log when done.

 

The log file is basically worthless, 26 & 27 generated a ton of errors including access denied & file not found. Yes I ran the app as admin.

 

[_Windows_Repair_Log.txt]

 

Tweaking.com - Windows Repair v3.2.2
--------------------------------------------------------------------------------
 
System Variables
--------------------------------------------------------------------------------
OS: Windows 8.1
OS Architecture: 64-bit
OS Version: 6.3.9600
OS Service Pack: 
Computer Name: BUD
Windows Drive: C:\
Windows Path: C:\WINDOWS
Program Files: C:\Program Files
Program Files (x86): C:\Program Files (x86)
Current Profile: C:\Users\Buddy2013
Current Profile SID: S-1-5-21-1244661046-506875474-1074071550-1001
Current Profile Classes: S-1-5-21-1244661046-506875474-1074071550-1001_Classes
Profiles Location: C:\Users
Profiles Location 2: C:\WINDOWS\ServiceProfiles
Local Settings AppData: C:\Users\Buddy2013\AppData\Local
--------------------------------------------------------------------------------
 
System Information
--------------------------------------------------------------------------------
System Up Time: 0 Days 00:19:09
 
Process Count: 93
Commit Total: 2.37 GB
Commit Limit: 7.89 GB
Commit Peak: 2.37 GB
Handle Count: 32121
Kernel Total: 503.14 MB
Kernel Paged: 391.24 MB
Kernel Non Paged: 111.89 MB
System Cache: 2.03 GB
Thread Count: 1057
--------------------------------------------------------------------------------
 
Memory Before Cleaning with CleanMem
--------------------------------------------------------------------------------
Memory Total: 3.89 GB
Memory Used: 1.90 GB(48.9449%)
Memory Avail.: 1.98 GB
--------------------------------------------------------------------------------
 
Cleaning Memory Before Starting Repairs...
 
Memory After Cleaning with CleanMem
--------------------------------------------------------------------------------
Memory Total: 3.89 GB
Memory Used: 1.90 GB(48.934%)
Memory Avail.: 1.98 GB
--------------------------------------------------------------------------------
 
Starting Repairs...
   Started at (6/23/2015 1:38:17 PM)
 
Setting Any Missing 'InstallDate' From Uninstall Sections Before Running Repair...
Total Missing 'InstallDate' Fixed: 48
 
01 - Reset Registry Permissions
   Restore Windows 8 Default Registry Permissions
   Start (6/23/2015 1:38:29 PM)
 
 
Decompressing & Updating Windows Permission File hkud.txt
Done,  0.33 seconds.
 
 
Decompressing & Updating Windows Permission File hkcu.txt
Done,  0.38 seconds.
 
 
Decompressing & Updating Windows Permission File hkcr.txt
Done,  2.21 seconds.
 
 
Decompressing & Updating Windows Permission File hklm.txt
Done,  4.3 seconds.
 
   Running Repair Under System Account
   Running Repair Under Current User Account
   Done (6/23/2015 1:50:59 PM)
 
03 - Reset Service Permissions
   Start (6/23/2015 1:50:59 PM)
 
   Running Repair Under Current User Account
   Running Repair Under System Account
   Done (6/23/2015 1:52:35 PM)
 
26 - Restore Important Windows Services
   Start (6/23/2015 1:52:35 PM)
   Running Repair Under Current User Account
   Running Repair Under System Account
   Done (6/23/2015 1:53:22 PM)
 
27 - Set Windows Services To Default Startup
   Start (6/23/2015 1:53:22 PM)
   Running Repair Under Current User Account
   Running Repair Under System Account
   Done (6/23/2015 1:53:46 PM)
 
Cleaning up empty logs...
 
All Selected Repairs Done.
   Done at (6/23/2015 1:53:46 PM)
   Total Repair Time: 00:15:32
 
 
...YOU MUST RESTART YOUR SYSTEM...

Edited by afextwin, 23 June 2015 - 01:06 PM.


#8 nasdaq

nasdaq

  • Malware Response Team
  • 39,586 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 23 June 2015 - 01:03 PM

26 - Restore Important Windows Services
Start (6/23/2015 1:52:35 PM)
Running Repair Under Current User Account
Running Repair Under System Account
Done (6/23/2015 1:53:22 PM)

27 - Set Windows Services To Default Startup
Start (6/23/2015 1:53:22 PM)
Running Repair Under Current User Account
Running Repair Under System Account
Done (6/23/2015 1:53:46 PM)


Looks like something was corrected.

#9 afextwin

afextwin
  • Topic Starter
  • Members
  • 10 posts

Posted 23 June 2015 - 02:10 PM

Yes. 26/27 show as passing, but while the administrative prompt was up I watched many missing file, missing service, access denied requests scroll by. If you say it's ok I believe you, it was just kind of scary to watch.

I ran sfc /scannow and the log file is almost 2MB. I have now attached the file.

Latest RKILL Log shows an improvement in that 1 less service is missing (browser).

 

Rkill 2.7.0 by Lawrence Abrams (Grinler)
Copyright 2008-2015 BleepingComputer.com
More Information about Rkill can be found at this link:
 
Program started at: 06/23/2015 03:25:04 PM in x64 mode.
Windows Version: Windows 8.1 
 
Checking for Windows services to stop:
 
 * No malware services found to stop.
 
Checking for processes to terminate:
 
 * No malware processes found to kill.
 
Checking Registry for malware related settings:
 
 * No issues found in the Registry.
 
Resetting .EXE, .COM, & .BAT associations in the Windows Registry.
 
Performing miscellaneous checks:
 
 * Windows Defender Disabled
 
   [HKLM\SOFTWARE\Microsoft\Windows Defender]
   "DisableAntiSpyware" = dword:00000001
 
Checking Windows Service Integrity: 
 
 * workfolderssvc [Missing Service]
 * mrxsmb10 [Missing Service]
 * srv [Missing Service]
 
Searching for Missing Digital Signatures: 
 
 * C:\WINDOWS\System32\ddraw.dll : 594,944 : 10/28/2014 09:07 PM : 1ef3ecb69096f349385d4c5d3dc11593 [NoSig]
 +-> C:\WINDOWS\SysWOW64\ddraw.dll : 544,256 : 10/28/2014 08:52 PM : 61bca28e43eee246c9213a89a18d28e8 [Pos Repl]
 +-> C:\WINDOWS\WinSxS\amd64_microsoft-windows-directx-directdraw_31bf3856ad364e35_6.3.9600.16384_none_f5c402f793f84531\ddraw.dll : 106,557 : 03/06/2015 07:42 PM : 5c9e15f04d280b05e8940caf0ef5fb23 [Pos Repl]
 +-> C:\WINDOWS\WinSxS\amd64_microsoft-windows-directx-directdraw_31bf3856ad364e35_6.3.9600.17415_none_f6109dd393beb1b9\ddraw.dll : 594,944 : 10/28/2014 09:07 PM : 1ef3ecb69096f349385d4c5d3dc11593 [Pos Repl]
 +-> C:\WINDOWS\WinSxS\x86_microsoft-windows-directx-directdraw_31bf3856ad364e35_6.3.9600.16384_none_99a56773db9ad3fb\ddraw.dll : 103,217 : 03/06/2015 09:15 PM : e62cd31ccfa043ca90b48dabdbc6056b [Pos Repl]
 +-> C:\WINDOWS\WinSxS\x86_microsoft-windows-directx-directdraw_31bf3856ad364e35_6.3.9600.17415_none_99f2024fdb614083\ddraw.dll : 544,256 : 10/28/2014 08:52 PM : 61bca28e43eee246c9213a89a18d28e8 [Pos Repl]
 
Checking HOSTS File: 
 
 * No issues found.
 
Program finished at: 06/23/2015 03:29:09 PM
Execution time: 0 hours(s), 4 minute(s), and 4 seconds(s)
 
DISM /Online /Cleanup-Image /RestoreHealth is running right now.

Attached Files

  • Attached File  CBS.log   1.68MB

Edited by afextwin, 23 June 2015 - 03:34 PM.


#10 nasdaq

nasdaq

  • Malware Response Team
  • 39,586 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 24 June 2015 - 07:27 AM

workfolderssvc [Missing Service]
This topic discusses Work Folders, which is a role service for file servers running Windows Server that provides a consistent way for users to access their work files from their PCs and devices.
https://technet.microsoft.com/en-ca/library/dn265974.aspx

Is this necessary?
How is it impacting this computer?
===

https://support.microsoft.com/en-us/kb/2194664
The Mrxsmb10.sys driver specifies a logon ID the first time that a connection is established to a remote server that shares files and printers by using the SMB protocol. The logon ID and the name of the server are saved in a server entry of the SMB Redirector.

Is this necessary?
How is it impacting this computer?
===

srv [Missing Service]
Read about it.
https://support.microsoft.com/en-us/kb/241505

===
 

* C:\WINDOWS\System32\ddraw.dll : 594,944 : 10/28/2014 09:07 PM : 1ef3ecb69096f349385d4c5d3dc11593 [NoSig]

+-> C:\WINDOWS\WinSxS\amd64_microsoft-windows-directx-directdraw_31bf3856ad364e35_6.3.9600.17415_none_f6109dd393beb1b9\ddraw.dll : 594,944 : 10/28/2014 09:07 PM : 1ef3ecb69096f349385d4c5d3dc11593 [Pos Repl]

The ddraw.dll looks the same here. However, the one in the \system32 folder is identified with no signature.
Will replace it.

Open notepad (Start =>All Programs => Accessories => Notepad). Please copy the entire contents of the code box below.
 
start

CreateRestorePoint:
CloseProcesses:

Replace: C:\WINDOWS\WinSxS\amd64_microsoft-windows-directx-directdraw_31bf3856ad364e35_6.3.9600.17415_none_f6109dd393beb1b9\ddraw.dll C:\WINDOWS\System32\ddraw.dll

End
Save the files as fixlist.txt in the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the Farbar log you have submitted.

Run FRST and click Fix only once and wait.

Restart the computer normally to reset the registry.

The tool will create a log (Fixlog.txt) please post it to your reply.
===

How is the computer running now?
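As an added example (not from this thread, and not code from Rkill or FRST), the following Python snippet parses the "Searching for Missing Digital Signatures" section of the Rkill log posted above and picks out the candidate whose size and MD5 equal the flagged file's, which is the basis on which the WinSxS source for the Replace: line was chosen. The sample input is the ddraw.dll block copied from the log in this thread.

```python
import re
from typing import Dict, List, NamedTuple

class SigEntry(NamedTuple):
    path: str
    size: int
    md5: str
    status: str  # "NoSig" (flagged file) or "Pos Repl" (possible replacement)

# One line of Rkill's "Searching for Missing Digital Signatures" section:
#  * <path> : <size> : <timestamp> : <md5> [NoSig]   or   +-> ... [Pos Repl]
_LINE = re.compile(
    r"^\s*(?:\*|\+->)\s+(?P<path>.+?) : (?P<size>[\d,]+) : .+? : "
    r"(?P<md5>[0-9a-f]{32}) \[(?P<status>NoSig|Pos Repl)\]\s*$"
)

def parse_rkill_signatures(text: str) -> Dict[SigEntry, List[SigEntry]]:
    """Group each flagged '*' file with the '+->' candidates listed under it."""
    groups: Dict[SigEntry, List[SigEntry]] = {}
    current = None
    for line in text.splitlines():
        m = _LINE.match(line)
        if not m:
            continue
        entry = SigEntry(m["path"], int(m["size"].replace(",", "")), m["md5"], m["status"])
        if entry.status == "NoSig":
            current, groups[entry] = entry, []
        elif current is not None:
            groups[current].append(entry)
    return groups

def exact_replacements(flagged: SigEntry, candidates: List[SigEntry]) -> List[str]:
    """Candidates byte-identical to the flagged file (same size and MD5). A match shows the
    System32 copy was not altered relative to the component store; it does not explain
    why the signature lookup failed, so the [NoSig] flag still deserves a look."""
    return [c.path for c in candidates if (c.size, c.md5) == (flagged.size, flagged.md5)]

# Sample input: the ddraw.dll block from the Rkill log posted in this thread.
SAMPLE = r"""
 * C:\WINDOWS\System32\ddraw.dll : 594,944 : 10/28/2014 09:07 PM : 1ef3ecb69096f349385d4c5d3dc11593 [NoSig]
 +-> C:\WINDOWS\SysWOW64\ddraw.dll : 544,256 : 10/28/2014 08:52 PM : 61bca28e43eee246c9213a89a18d28e8 [Pos Repl]
 +-> C:\WINDOWS\WinSxS\amd64_microsoft-windows-directx-directdraw_31bf3856ad364e35_6.3.9600.16384_none_f5c402f793f84531\ddraw.dll : 106,557 : 03/06/2015 07:42 PM : 5c9e15f04d280b05e8940caf0ef5fb23 [Pos Repl]
 +-> C:\WINDOWS\WinSxS\amd64_microsoft-windows-directx-directdraw_31bf3856ad364e35_6.3.9600.17415_none_f6109dd393beb1b9\ddraw.dll : 594,944 : 10/28/2014 09:07 PM : 1ef3ecb69096f349385d4c5d3dc11593 [Pos Repl]
 +-> C:\WINDOWS\WinSxS\x86_microsoft-windows-directx-directdraw_31bf3856ad364e35_6.3.9600.16384_none_99a56773db9ad3fb\ddraw.dll : 103,217 : 03/06/2015 09:15 PM : e62cd31ccfa043ca90b48dabdbc6056b [Pos Repl]
 +-> C:\WINDOWS\WinSxS\x86_microsoft-windows-directx-directdraw_31bf3856ad364e35_6.3.9600.17415_none_99f2024fdb614083\ddraw.dll : 544,256 : 10/28/2014 08:52 PM : 61bca28e43eee246c9213a89a18d28e8 [Pos Repl]
"""

if __name__ == "__main__":
    for flagged, cands in parse_rkill_signatures(SAMPLE).items():
        print(flagged.path, "->", exact_replacements(flagged, cands))
```

Run on the sample, only the amd64 6.3.9600.17415 WinSxS copy matches; the SysWOW64 and x86 entries are the 32-bit build and are not interchangeable with the System32 file.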

#11 afextwin

afextwin
  • Topic Starter
  • Members
  • 10 posts

Posted 24 June 2015 - 11:23 AM

Fix result of Farbar Recovery Scan Tool (x64) Version:13-06-2015
Ran by Buddy2013 at 2015-06-24 12:14:40 Run:2
Running from C:\Users\Buddy2013\Downloads
Loaded Profiles: Buddy2013 (Available Profiles: Buddy2013)
Boot Mode: Normal
==============================================
 
fixlist content:
*****************
start
 
CreateRestorePoint:
CloseProcesses:
 
Replace: C:\WINDOWS\WinSxS\amd64_microsoft-windows-directx-directdraw_31bf3856ad364e35_6.3.9600.17415_none_f6109dd393beb1b9\ddraw.dll C:\WINDOWS\System32\ddraw.dll
 
End
*****************
 
Restore point was successfully created.
Processes closed successfully.
C:\WINDOWS\System32\ddraw.dll => moved successfully.
C:\WINDOWS\WinSxS\amd64_microsoft-windows-directx-directdraw_31bf3856ad364e35_6.3.9600.17415_none_f6109dd393beb1b9\ddraw.dll copied successfully to C:\WINDOWS\System32\ddraw.dll
 
 
The system needed a reboot.. 
 
==== End of Fixlog 12:16:19 ====
 
Looks to be running much better - no more random reboots, no more black screen after logging in to Windows.

DISM still hangs at 40%. I might have to move to a different forum as this seems non-malware related (possibly a result of the previous infection).

One weird thing I keep noticing: after the laptop is on for an hour or so the memory usage goes up to 2.3GB, probably just a memory leak from a poorly coded solitaire program, but still strange.

Thank you so much for your help nasdaq, I really appreciate it.

My uncle has the same infection, I'm thinking they gave it to each other via bad email links. Should I start a new topic for my uncle's laptop? I believe it is the same model, only difference is Windows 7 instead of 8.1.


#12 nasdaq

nasdaq

  • Malware Response Team
  • 39,586 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 25 June 2015 - 06:24 AM

Yes please start a new topic.

Execute the Farbar tool and post both logs.

Post the URL in your next reply and I will expedite the matter.

#13 nasdaq

nasdaq

  • Malware Response Team
  • 39,586 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 30 June 2015 - 07:34 AM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.



