Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Infected with Gamarue.A!plock


  • Please log in to reply
7 replies to this topic

#1 Nildrem

Nildrem

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:12:25 AM

Posted 08 August 2015 - 10:28 AM

Hey there, hoping for some help from somebody smarter than myself with this as i have been trying for days now.

 

2-3 days ago MSE found a file it didn't like, so i had MSE delete it and restarted but the problem came back right away. I did this 3 times and MSE said all was well, but the next day i noticed i can no longer open MSE at all. It still shows up in the task manager but when opened the GUI will show and then vanish. It will launch in safe mode, but scans dont show anything. I had malwarebytes running during this and it didnt notice anything. i have used hitman and avira, both of which found things to remove but still MSE wont open.



BC AdBot (Login to Remove)

 


#2 Sintharius

Sintharius

    Bleepin' Sniper


  • Members
  • 5,639 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:The Netherlands
  • Local time:05:25 AM

Posted 08 August 2015 - 11:39 AM

Hello,

Gamarue is a family of worms that spreads via removable flash drives and exploit kits.

It has a backdoor functionality that can compromises the infected machine and allows hackers to attack your PC. It can be cleaned, but there is no telling whether the machine is trustworthy again - the only way to be sure is to reformat the PC.

That said, I can assist you in cleaning the machine.

Let me know what you decide to do.

Regards,
Alex

#3 Nildrem

Nildrem
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:12:25 AM

Posted 08 August 2015 - 05:11 PM

i would like to try to clean it



#4 Sintharius

Sintharius

    Bleepin' Sniper


  • Members
  • 5,639 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:The Netherlands
  • Local time:05:25 AM

Posted 09 August 2015 - 12:50 AM

Hello there,

Please run these to get some information on your computer.

MiniToolbox by Farbar

Avast users please disable your antivirus before downloading!
Please download MiniToolBox, save it to your desktop and run it.
Checkmark the following checkboxes:
  • Flush DNS
  • Report IE Proxy Settings
  • Reset IE Proxy Settings
  • Report FF Proxy Settings
  • Reset FF Proxy Settings
  • List content of Hosts
  • List IP configuration
  • List Winsock Entries
  • List last 10 Event Viewer log
  • List Installed Programs
  • List Devices (choose Errors only)
  • List Users, Partitions and Memory size.
  • List Minidump Files
  • List Restore Points
Click Go and post the result (MTB.txt). A copy of Result.txt will be saved in the same directory the tool is run.

===

Security Check by screen317
  • Download Security Check by screen317 from here or here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
A Notepad document should open automatically called checkup.txt. Please copy and paste the contents of the log in your next reply.

Regards,
Alex

#5 Nildrem

Nildrem
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:12:25 AM

Posted 11 August 2015 - 11:04 AM

 Results of screen317's Security Check version 1.006  
 Windows 7 Service Pack 1 x64 (UAC is enabled)  
 Internet Explorer 11  
``````````````Antivirus/Firewall Check:``````````````
 Windows Security Center service is not running! This report may not be accurate!
 Windows Firewall Enabled!  
Microsoft Security Essentials   
 Antivirus up to date!  
`````````Anti-malware/Other Utilities Check:`````````
 Java 7 Update 60  
 Java version 32-bit out of Date!
 Adobe Flash Player 18.0.0.209  
 Adobe Reader XI  
 Mozilla Firefox (39.0.3)
````````Process Check: objlist.exe by Laurent````````  
 Microsoft Security Essentials MSMpEng.exe
 Avira Antivir avgnt.exe
 Avira Antivir avguard.exe
 Avira Antivirus sched.exe  
 Avira Antivirus avshadow.exe  
`````````````````System Health check`````````````````
 Total Fragmentation on Drive C: 1%
````````````````````End of Log``````````````````````
 

 

========================================================================

MiniToolBox by Farbar  Version: 25-07-2015 01
Ran by JK (administrator) on 11-08-2015 at 11:56:00
Running from "C:\Users\JK\Desktop"
Microsoft Windows 7 Home Premium  Service Pack 1 (X64)
Model: NY703AA-ABL e9230f Manufacturer: HP-Pavilion
Boot Mode: Normal
***************************************************************************

========================= Flush DNS: ===================================

Windows IP Configuration

Successfully flushed the DNS Resolver Cache.

========================= IE Proxy Settings: ==============================

Proxy is not enabled.
No Proxy Server is set.

"Reset IE Proxy Settings": IE Proxy Settings were reset.

========================= FF Proxy Settings: ==============================


"Reset FF Proxy Settings": Firefox Proxy settings were reset.

========================= Hosts content: =================================

127.0.0.1 nwnauth.kr.infogrames.com
127.0.0.1 nwmaster.bioware.com
127.0.0.1 nwnauth.kr.infogrames.com

========================= IP Configuration: ================================

Realtek PCIe GBE Family Controller = Local Area Connection (Connected)
Qualcomm Atheros 802.11 a/b/g/n Dualband Wireless Network Module = Wireless Network Connection (Hardware not present)


# ----------------------------------
# IPv4 Configuration
# ----------------------------------
pushd interface ipv4

reset
set global icmpredirects=enabled taskoffload=disabled


popd
# End of IPv4 configuration



Windows IP Configuration

   Host Name . . . . . . . . . . . . : JK-PC
   Primary Dns Suffix  . . . . . . . :
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No

Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Realtek PCIe GBE Family Controller
   Physical Address. . . . . . . . . : 90-E6-BA-95-4E-73
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
   Link-local IPv6 Address . . . . . : fe80::8dab:6eb5:9cd8:8f16%10(Preferred)
   IPv4 Address. . . . . . . . . . . : 192.168.0.100(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Lease Obtained. . . . . . . . . . : August-09-15 1:59:24 PM
   Lease Expires . . . . . . . . . . : August-16-15 1:59:24 PM
   Default Gateway . . . . . . . . . : fe80::86c9:b2ff:fe5d:7cac%10
                                       192.168.0.1
   DHCP Server . . . . . . . . . . . : 192.168.0.1
   DNS Servers . . . . . . . . . . . : 192.168.0.1
   NetBIOS over Tcpip. . . . . . . . : Enabled
Server:  UnKnown
Address:  192.168.0.1

Name:    google.com
Addresses:  2607:f8b0:400b:806::100e
      173.194.43.68
      173.194.43.72
      173.194.43.67
      173.194.43.66
      173.194.43.70
      173.194.43.65
      173.194.43.73
      173.194.43.64
      173.194.43.71
      173.194.43.78
      173.194.43.69


Pinging google.com [173.194.43.69] with 32 bytes of data:
Reply from 173.194.43.69: bytes=32 time=25ms TTL=57
Reply from 173.194.43.69: bytes=32 time=8ms TTL=57

Ping statistics for 173.194.43.69:
    Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 8ms, Maximum = 25ms, Average = 16ms
Server:  UnKnown
Address:  192.168.0.1

Name:    yahoo.com
Addresses:  2001:4998:44:204::a7
      2001:4998:c:a06::2:4008
      2001:4998:58:c02::a9
      98.139.183.24
      206.190.36.45
      98.138.253.109


Pinging yahoo.com [98.138.253.109] with 32 bytes of data:
Reply from 98.138.253.109: bytes=32 time=71ms TTL=49
Reply from 98.138.253.109: bytes=32 time=71ms TTL=49

Ping statistics for 98.138.253.109:
    Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 71ms, Maximum = 71ms, Average = 71ms

Pinging 127.0.0.1 with 32 bytes of data:
Reply from 127.0.0.1: bytes=32 time<1ms TTL=128
Reply from 127.0.0.1: bytes=32 time<1ms TTL=128

Ping statistics for 127.0.0.1:
    Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 0ms, Average = 0ms
===========================================================================
Interface List
 10...90 e6 ba 95 4e 73 ......Realtek PCIe GBE Family Controller
  1...........................Software Loopback Interface 1
===========================================================================

IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.0.1    192.168.0.100     20
        127.0.0.0        255.0.0.0         On-link         127.0.0.1    306
        127.0.0.1  255.255.255.255         On-link         127.0.0.1    306
  127.255.255.255  255.255.255.255         On-link         127.0.0.1    306
      192.168.0.0    255.255.255.0         On-link     192.168.0.100    276
    192.168.0.100  255.255.255.255         On-link     192.168.0.100    276
    192.168.0.255  255.255.255.255         On-link     192.168.0.100    276
        224.0.0.0        240.0.0.0         On-link         127.0.0.1    306
        224.0.0.0        240.0.0.0         On-link     192.168.0.100    276
  255.255.255.255  255.255.255.255         On-link         127.0.0.1    306
  255.255.255.255  255.255.255.255         On-link     192.168.0.100    276
===========================================================================
Persistent Routes:
  None

IPv6 Route Table
===========================================================================
Active Routes:
 If Metric Network Destination      Gateway
 10    276 ::/0                     fe80::86c9:b2ff:fe5d:7cac
  1    306 ::1/128                  On-link
 10    276 fe80::/64                On-link
 10    276 fe80::8dab:6eb5:9cd8:8f16/128
                                    On-link
  1    306 ff00::/8                 On-link
 10    276 ff00::/8                 On-link
===========================================================================
Persistent Routes:
 If Metric Network Destination      Gateway
  0 4294967295 2620:9b::/96             On-link
  0   9000 ::/0                     2620:9b::1900:1
===========================================================================
========================= Winsock entries =====================================

Catalog5 01 C:\Windows\SysWOW64\NLAapi.dll [52224] (Microsoft Corporation)
Catalog5 02 C:\Windows\SysWOW64\napinsp.dll [52224] (Microsoft Corporation)
Catalog5 03 C:\Windows\SysWOW64\pnrpnsp.dll [65024] (Microsoft Corporation)
Catalog5 04 C:\Windows\SysWOW64\pnrpnsp.dll [65024] (Microsoft Corporation)
Catalog5 05 C:\Windows\SysWOW64\mswsock.dll [231424] (Microsoft Corporation)
Catalog5 06 C:\Windows\SysWOW64\winrnr.dll [20992] (Microsoft Corporation)
Catalog9 01 C:\Windows\SysWOW64\mswsock.dll [231424] (Microsoft Corporation)
Catalog9 02 C:\Windows\SysWOW64\mswsock.dll [231424] (Microsoft Corporation)
Catalog9 03 C:\Windows\SysWOW64\mswsock.dll [231424] (Microsoft Corporation)
Catalog9 04 C:\Windows\SysWOW64\mswsock.dll [231424] (Microsoft Corporation)
Catalog9 05 C:\Windows\SysWOW64\mswsock.dll [231424] (Microsoft Corporation)
Catalog9 06 C:\Windows\SysWOW64\mswsock.dll [231424] (Microsoft Corporation)
Catalog9 07 C:\Windows\SysWOW64\mswsock.dll [231424] (Microsoft Corporation)
Catalog9 08 C:\Windows\SysWOW64\mswsock.dll [231424] (Microsoft Corporation)
Catalog9 09 C:\Windows\SysWOW64\mswsock.dll [231424] (Microsoft Corporation)
Catalog9 10 C:\Windows\SysWOW64\mswsock.dll [231424] (Microsoft Corporation)
x64-Catalog5 01 C:\Windows\System32\NLAapi.dll [70656] (Microsoft Corporation)
x64-Catalog5 02 C:\Windows\System32\napinsp.dll [68096] (Microsoft Corporation)
x64-Catalog5 03 C:\Windows\System32\pnrpnsp.dll [86016] (Microsoft Corporation)
x64-Catalog5 04 C:\Windows\System32\pnrpnsp.dll [86016] (Microsoft Corporation)
x64-Catalog5 05 C:\Windows\System32\mswsock.dll [327168] (Microsoft Corporation)
x64-Catalog5 06 C:\Windows\System32\winrnr.dll [28672] (Microsoft Corporation)
x64-Catalog9 01 C:\Windows\System32\mswsock.dll [327168] (Microsoft Corporation)
x64-Catalog9 02 C:\Windows\System32\mswsock.dll [327168] (Microsoft Corporation)
x64-Catalog9 03 C:\Windows\System32\mswsock.dll [327168] (Microsoft Corporation)
x64-Catalog9 04 C:\Windows\System32\mswsock.dll [327168] (Microsoft Corporation)
x64-Catalog9 05 C:\Windows\System32\mswsock.dll [327168] (Microsoft Corporation)
x64-Catalog9 06 C:\Windows\System32\mswsock.dll [327168] (Microsoft Corporation)
x64-Catalog9 07 C:\Windows\System32\mswsock.dll [327168] (Microsoft Corporation)
x64-Catalog9 08 C:\Windows\System32\mswsock.dll [327168] (Microsoft Corporation)
x64-Catalog9 09 C:\Windows\System32\mswsock.dll [327168] (Microsoft Corporation)
x64-Catalog9 10 C:\Windows\System32\mswsock.dll [327168] (Microsoft Corporation)

========================= Event log errors: ===============================

Application errors:
==================
Error: (08/11/2015 10:08:36 AM) (Source: Customer Experience Improvement Program) (User: )
Description: 90080108

Error: (08/11/2015 12:37:33 AM) (Source: Application Error) (User: )
Description: Faulting application name: rundll32.exe, version: 6.1.7600.16385, time stamp: 0x4a5bc637
Faulting module name: Flash32_18_0_0_209.ocx, version: 18.0.0.209, time stamp: 0x55a1edba
Exception code: 0xc0000005
Fault offset: 0x00206ddd
Faulting process id: 0x1748
Faulting application start time: 0xrundll32.exe0
Faulting application path: rundll32.exe1
Faulting module path: rundll32.exe2
Report Id: rundll32.exe3

Error: (08/10/2015 06:48:06 PM) (Source: Application Error) (User: )
Description: Faulting application name: rundll32.exe, version: 6.1.7600.16385, time stamp: 0x4a5bc637
Faulting module name: Flash32_18_0_0_209.ocx, version: 18.0.0.209, time stamp: 0x55a1edba
Exception code: 0xc0000005
Fault offset: 0x006c12da
Faulting process id: 0x1090
Faulting application start time: 0xrundll32.exe0
Faulting application path: rundll32.exe1
Faulting module path: rundll32.exe2
Report Id: rundll32.exe3

Error: (08/10/2015 03:55:42 PM) (Source: Customer Experience Improvement Program) (User: )
Description: 80004005

Error: (08/10/2015 07:25:18 AM) (Source: Application Error) (User: )
Description: Faulting application name: rundll32.exe, version: 6.1.7600.16385, time stamp: 0x4a5bc637
Faulting module name: mshtml.dll, version: 11.0.9600.17842, time stamp: 0x5565cf99
Exception code: 0xc00000fd
Fault offset: 0x004dd4ec
Faulting process id: 0x1444
Faulting application start time: 0xrundll32.exe0
Faulting application path: rundll32.exe1
Faulting module path: rundll32.exe2
Report Id: rundll32.exe3

Error: (08/10/2015 01:18:08 AM) (Source: Application Error) (User: )
Description: Faulting application name: rundll32.exe, version: 6.1.7600.16385, time stamp: 0x4a5bc637
Faulting module name: Flash32_18_0_0_209.ocx, version: 18.0.0.209, time stamp: 0x55a1edba
Exception code: 0xc0000005
Fault offset: 0x00206ddd
Faulting process id: 0x1424
Faulting application start time: 0xrundll32.exe0
Faulting application path: rundll32.exe1
Faulting module path: rundll32.exe2
Report Id: rundll32.exe3

Error: (08/09/2015 08:13:00 PM) (Source: Customer Experience Improvement Program) (User: )
Description: 80004005

Error: (08/09/2015 02:48:20 AM) (Source: Application Error) (User: )
Description: Faulting application name: rundll32.exe, version: 6.1.7600.16385, time stamp: 0x4a5bc637
Faulting module name: Flash32_18_0_0_209.ocx, version: 18.0.0.209, time stamp: 0x55a1edba
Exception code: 0xc0000005
Fault offset: 0x006c12da
Faulting process id: 0xdb8
Faulting application start time: 0xrundll32.exe0
Faulting application path: rundll32.exe1
Faulting module path: rundll32.exe2
Report Id: rundll32.exe3

Error: (08/09/2015 01:14:01 AM) (Source: Customer Experience Improvement Program) (User: )
Description: 90080108

Error: (08/08/2015 03:54:30 PM) (Source: Application Error) (User: )
Description: Faulting application name: rundll32.exe, version: 6.1.7600.16385, time stamp: 0x4a5bc637
Faulting module name: mshtml.dll, version: 11.0.9600.17842, time stamp: 0x5565cf99
Exception code: 0xc00000fd
Fault offset: 0x004dd4ec
Faulting process id: 0xd5c
Faulting application start time: 0xrundll32.exe0
Faulting application path: rundll32.exe1
Faulting module path: rundll32.exe2
Report Id: rundll32.exe3


System errors:
=============
Error: (08/11/2015 08:02:31 AM) (Source: Schannel) (User: NT AUTHORITY)
Description: The following fatal alert was received: 20.

Error: (08/11/2015 07:19:05 AM) (Source: Microsoft-Windows-WindowsUpdateClient) (User: NT AUTHORITY)
Description: Installation Failure: Windows failed to install the following update with error 0x80240020: Upgrade to Windows 10 Home.

Error: (08/11/2015 04:10:55 AM) (Source: Schannel) (User: NT AUTHORITY)
Description: The following fatal alert was received: 20.

Error: (08/10/2015 01:39:00 PM) (Source: Microsoft-Windows-WindowsUpdateClient) (User: NT AUTHORITY)
Description: Installation Failure: Windows failed to install the following update with error 0x80240020: Upgrade to Windows 10 Home.

Error: (08/10/2015 12:59:52 PM) (Source: Service Control Manager) (User: )
Description: The Peer Networking Grouping service depends on the Peer Name Resolution Protocol service which failed to start because of the following error:
%%-2140993535

Error: (08/10/2015 12:59:52 PM) (Source: Service Control Manager) (User: )
Description: The Peer Name Resolution Protocol service terminated with the following error:
%%-2140993535

Error: (08/10/2015 12:59:52 PM) (Source: Service Control Manager) (User: )
Description: The Peer Networking Grouping service depends on the Peer Name Resolution Protocol service which failed to start because of the following error:
%%-2140993535

Error: (08/10/2015 12:59:52 PM) (Source: Service Control Manager) (User: )
Description: The Peer Name Resolution Protocol service terminated with the following error:
%%-2140993535

Error: (08/10/2015 12:59:52 PM) (Source: PNRPSvc) (User: )
Description: 0x80630801

Error: (08/10/2015 12:59:52 PM) (Source: PNRPSvc) (User: )
Description: 0x80630801


Microsoft Office Sessions:
=========================
Error: (08/11/2015 10:08:36 AM) (Source: Customer Experience Improvement Program)(User: )
Description: 90080108

Error: (08/11/2015 12:37:33 AM) (Source: Application Error)(User: )
Description: rundll32.exe6.1.7600.163854a5bc637Flash32_18_0_0_209.ocx18.0.0.20955a1edbac000000500206ddd174801d0d3e7a73bb6eaC:\Windows\SysWOW64\rundll32.exeC:\Windows\SysWOW64\Macromed\Flash\Flash32_18_0_0_209.ocxae8960e6-3fe2-11e5-8971-90e6ba954e73

Error: (08/10/2015 06:48:06 PM) (Source: Application Error)(User: )
Description: rundll32.exe6.1.7600.163854a5bc637Flash32_18_0_0_209.ocx18.0.0.20955a1edbac0000005006c12da109001d0d3b95b72a4f4C:\Windows\SysWOW64\rundll32.exeC:\Windows\SysWOW64\Macromed\Flash\Flash32_18_0_0_209.ocxdcc3f09e-3fb1-11e5-8971-90e6ba954e73

Error: (08/10/2015 03:55:42 PM) (Source: Customer Experience Improvement Program)(User: )
Description: 80004005

Error: (08/10/2015 07:25:18 AM) (Source: Application Error)(User: )
Description: rundll32.exe6.1.7600.163854a5bc637mshtml.dll11.0.9600.178425565cf99c00000fd004dd4ec144401d0d35977772eb0C:\Windows\SysWOW64\rundll32.exeC:\Windows\SysWOW64\mshtml.dll79febad0-3f52-11e5-8971-90e6ba954e73

Error: (08/10/2015 01:18:08 AM) (Source: Application Error)(User: )
Description: rundll32.exe6.1.7600.163854a5bc637Flash32_18_0_0_209.ocx18.0.0.20955a1edbac000000500206ddd142401d0d32873f317dfC:\Windows\SysWOW64\rundll32.exeC:\Windows\SysWOW64\Macromed\Flash\Flash32_18_0_0_209.ocx2f0b9d16-3f1f-11e5-8971-90e6ba954e73

Error: (08/09/2015 08:13:00 PM) (Source: Customer Experience Improvement Program)(User: )
Description: 80004005

Error: (08/09/2015 02:48:20 AM) (Source: Application Error)(User: )
Description: rundll32.exe6.1.7600.163854a5bc637Flash32_18_0_0_209.ocx18.0.0.20955a1edbac0000005006c12dadb801d0d26b5f95ef42C:\Windows\SysWOW64\rundll32.exeC:\Windows\SysWOW64\Macromed\Flash\Flash32_18_0_0_209.ocx9ee2a171-3e62-11e5-8971-90e6ba954e73

Error: (08/09/2015 01:14:01 AM) (Source: Customer Experience Improvement Program)(User: )
Description: 90080108

Error: (08/08/2015 03:54:30 PM) (Source: Application Error)(User: )
Description: rundll32.exe6.1.7600.163854a5bc637mshtml.dll11.0.9600.178425565cf99c00000fd004dd4ecd5c01d0d211583f1e3eC:\Windows\SysWOW64\rundll32.exeC:\Windows\SysWOW64\mshtml.dll47f7b3a0-3e07-11e5-8971-90e6ba954e73


CodeIntegrity Errors:
===================================
  Date: 2015-07-09 22:12:58.966
  Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume2\Program Files (x86)\Malwarebytes Anti-Malware\mbampt.exe because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.

  Date: 2015-07-09 22:12:58.911
  Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume2\Program Files (x86)\Malwarebytes Anti-Malware\mbampt.exe because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.

  Date: 2015-07-04 15:23:01.525
  Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume2\Program Files (x86)\RivaTuner\RivaTuner64.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.

  Date: 2015-07-04 15:23:01.494
  Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume2\Program Files (x86)\RivaTuner\RivaTuner64.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.

  Date: 2015-07-04 15:23:00.121
  Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume2\Program Files (x86)\RivaTuner\RivaTuner64.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.

  Date: 2015-07-04 15:23:00.090
  Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume2\Program Files (x86)\RivaTuner\RivaTuner64.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.

  Date: 2015-07-04 15:22:59.045
  Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume2\Program Files (x86)\RivaTuner\RivaTuner64.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.

  Date: 2015-07-04 15:22:59.014
  Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume2\Program Files (x86)\RivaTuner\RivaTuner64.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.

  Date: 2015-07-04 15:22:57.982
  Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume2\Program Files (x86)\RivaTuner\RivaTuner64.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.

  Date: 2015-07-04 15:22:57.951
  Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume2\Program Files (x86)\RivaTuner\RivaTuner64.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.


=========================== Installed Programs ============================

7-Zip 9.22 (x64 edition) (HKLM\...\{23170F69-40C1-2702-0922-000001000000}) (Version: 9.22.00.0 - Igor Pavlov)
Abyss Odyssey (HKLM-x32\...\Abyss Odyssey_is1) (Version: 1.13 - ATLUS)
Acquisition version 0.2gg (HKLM-x32\...\{53E25C0C-0305-47BB-9884-F0F202297AF4}_is1) (Version: 0.2gg - )
Adobe Digital Editions 2.0 (HKLM-x32\...\Adobe Digital Editions 2.0) (Version: 2.0 - Adobe Systems Incorporated)
Adobe Flash Player 18 ActiveX (HKLM-x32\...\Adobe Flash Player ActiveX) (Version: 18.0.0.209 - Adobe Systems Incorporated)
Adobe Flash Player 18 NPAPI (HKLM-x32\...\Adobe Flash Player NPAPI) (Version: 18.0.0.209 - Adobe Systems Incorporated)
Adobe Reader XI (11.0.07) (HKLM-x32\...\{AC76BA86-7AD7-1033-7B44-AB0000000001}) (Version: 11.0.07 - Adobe Systems Incorporated)
AMD Catalyst Install Manager (HKLM\...\{F2A7CE36-57BF-5C86-952D-90DBF3746D82}) (Version: 8.0.916.0 - Advanced Micro Devices, Inc.)
AutoHotkey 1.1.19.02 (HKLM\...\AutoHotkey) (Version: 1.1.19.02 - Lexikos)
Avira (HKLM-x32\...\{a5e00a72-db4a-4f77-8874-d1265b8fcd7e}) (Version: 1.1.42.10415 - Avira Operations GmbH & Co. KG)
Avira (HKLM-x32\...\{B4A68153-E9A2-4BC1-96C3-BEE5F56E788D}) (Version: 1.1.42.10415 - Avira Operations GmbH & Co. KG) Hidden
Avira Antivirus (HKLM-x32\...\Avira Antivirus) (Version: 15.0.12.408 - Avira Operations GmbH & Co. KG)
Avira Browser Safety (HKLM-x32\...\{9E10EA90-5E97-43B7-A246-FC7B4F5E9493}) (Version: 1.4.5.509 - Avira Operations GmbH & Co KG)
Bastion (HKLM-x32\...\1423058311_is1) (Version: 2.0.0.6 - GOG.com)
Battle.net (HKLM-x32\...\Battle.net) (Version:  - Blizzard Entertainment)
calibre (HKLM-x32\...\{C727544A-23E0-41A8-9901-2353CE3FE62A}) (Version: 2.14.0 - Kovid Goyal)
CCleaner (HKLM\...\CCleaner) (Version: 4.02 - Piriform)
Combined Community Codec Pack 2014-07-13 (HKLM-x32\...\Combined Community Codec Pack_is1) (Version: 2014.07.13.0 - CCCP Project)
CopyTrans Control Center Uninstall Only (HKCU\...\CopyTrans Suite) (Version: 3.01 - WindSolutions)
DAEMON Tools Lite (HKLM-x32\...\DAEMON Tools Lite) (Version: 4.49.1.0356 - Disc Soft Ltd)
Dark Souls II ver. 1.07.0 (HKLM-x32\...\{41117111-22WS-33NM-44T5-66JH8S9876UY}_is1) (Version: 1.07.0 - FromSoftware, Inc)
Diablo III (HKLM-x32\...\Diablo III) (Version:  - Blizzard Entertainment)
DirectX for Managed Code Update (Summer 2004) (HKLM-x32\...\{E9E34215-82EF-4909-BE2F-F581F0DC9062}) (Version: 9.02.2904 - Microsoft) Hidden
DivX Setup (HKLM-x32\...\DivX Setup) (Version: 2.6.1.22 - DivX, LLC)
Google Drive (HKLM-x32\...\{6EA8B94E-D869-4D96-88DF-5E1ECE1D6876}) (Version: 1.23.9648.8824 - Google, Inc.)
Google Update Helper (HKLM-x32\...\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA}) (Version: 1.3.28.1 - Google Inc.) Hidden
Grim Dawn (HKLM-x32\...\Steam App 219990) (Version:  - Crate Entertainment)
GSafe (HKLM-x32\...\GSafe) (Version: 2.0.0 - GENCO LABS LLC)
Hearthstone (HKLM-x32\...\Hearthstone) (Version:  - Blizzard Entertainment)
HitmanPro 3.7 (HKLM\...\HitmanPro37) (Version: 3.7.9.242 - SurfRight B.V.)
HP Odometer (HKLM-x32\...\{B8AC1A89-FFD1-4F97-8051-E505A160F562}) (Version: 2.10.0000 - Hewlett-Packard)
HP Support Information (HKLM-x32\...\{B9A03B7B-E0FF-4FB3-BA83-762E58A1B0AA}) (Version: 10.1.0002 - Hewlett-Packard)
Java 7 Update 60 (64-bit) (HKLM\...\{26A24AE4-039D-4CA4-87B4-2F06417060FF}) (Version: 7.0.600 - Oracle)
Java 7 Update 60 (HKLM-x32\...\{26A24AE4-039D-4CA4-87B4-2F03217060FF}) (Version: 7.0.600 - Oracle)
LBOTS Top mouse Driver (HKLM-x32\...\{F1A273BD-6A9E-41D8-A111-5E56ACD286F8}) (Version: 1.0 - Togran)
lytinsub (HKLM-x32\...\{0b76895c-84f4-452c-6d3e-ffcd4107fc75}) (Version: 1.0.0 - impesup)
Malwarebytes Anti-Malware version 2.1.8.1057 (HKLM-x32\...\Malwarebytes Anti-Malware_is1) (Version: 2.1.8.1057 - Malwarebytes Corporation)
Matroska Pack (HKLM-x32\...\Matroska Pack) (Version:  - )
Microsoft .NET Framework 4.5.2 (HKLM\...\{92FB6C44-E685-45AD-9B20-CADF4CABA132} - 1033) (Version: 4.5.51209 - Microsoft Corporation)
Microsoft Mouse and Keyboard Center (HKLM\...\Microsoft Mouse and Keyboard Center) (Version: 2.3.188.0 - Microsoft Corporation)
Microsoft Security Essentials (HKLM\...\Microsoft Security Client) (Version: 4.8.204.0 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (HKLM-x32\...\{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}) (Version: 8.0.61001 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (HKLM-x32\...\{7299052b-02a4-4627-81f2-1818da5d550d}) (Version: 8.0.56336 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (HKLM-x32\...\{837b34e3-7c30-493c-8f6a-2b0f04e2912c}) (Version: 8.0.59193 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (HKLM-x32\...\{A49F249F-0C91-497F-86DF-B2585E8E76B7}) (Version: 8.0.50727.42 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (x64) (HKLM\...\{071c9b48-7c32-4621-a0ac-3f809523288f}) (Version: 8.0.56336 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (x64) (HKLM\...\{ad8a2fa1-06e7-4b0d-927d-6e54b3d31028}) (Version: 8.0.61000 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.17 (HKLM\...\{8220EEFE-38CD-377E-8595-13398D740ACE}) (Version: 9.0.30729 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.6161 (HKLM\...\{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4}) (Version: 9.0.30729.6161 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022 (HKLM-x32\...\{FF66E9F6-83E7-3A3E-AF14-8DE9A809A6A4}) (Version: 9.0.21022 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17 (HKLM-x32\...\{9A25302D-30C0-39D9-BD6F-21E6EC160475}) (Version: 9.0.30729 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (HKLM-x32\...\{9BE518E6-ECC6-35A9-88E4-87755C07200F}) (Version: 9.0.30729.6161 - Microsoft Corporation)
Microsoft Visual C++ 2010 Redistributable - x64 10.0.40219 (HKLM\...\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}) (Version: 10.0.40219 - Microsoft Corporation)
Microsoft Visual C++ 2010 Redistributable - x86 10.0.40219 (HKLM-x32\...\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}) (Version: 10.0.40219 - Microsoft Corporation)
Microsoft Visual C++ 2012 Redistributable (x64) - 11.0.50727 (HKLM-x32\...\{15134cb0-b767-4960-a911-f2d16ae54797}) (Version: 11.0.50727.1 - Microsoft Corporation)
Microsoft Visual C++ 2012 Redistributable (x64) - 11.0.61030 (HKLM-x32\...\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}) (Version: 11.0.61030.0 - Microsoft Corporation)
Microsoft Visual C++ 2012 Redistributable (x86) - 11.0.50727 (HKLM-x32\...\{22154f09-719a-4619-bb71-5b3356999fbf}) (Version: 11.0.50727.1 - Microsoft Corporation)
Microsoft Visual C++ 2012 Redistributable (x86) - 11.0.61030 (HKLM-x32\...\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}) (Version: 11.0.61030.0 - Microsoft Corporation)
Microsoft XNA Framework Redistributable 3.1 (HKLM-x32\...\{19BFDA5D-1FE2-4F25-97F9-1A79DD04EE20}) (Version: 3.1.10527.0 - Microsoft Corporation)
Microsoft XNA Framework Redistributable 4.0 (HKLM-x32\...\{2BFC7AA0-544C-4E3A-8796-67F3BE655BE9}) (Version: 4.0.20823.0 - Microsoft Corporation)
Microsoft XNA Framework Redistributable 4.0 Refresh (HKLM-x32\...\{D69C8EDE-BBC5-436B-8E0E-C5A6D311CF4F}) (Version: 4.0.30901.0 - Microsoft Corporation)
Morrowind (HKLM-x32\...\{C325F588-D6B1-4A7F-B6A2-914C75DDA348}) (Version:  - )
Mozilla Firefox 39.0.3 (x86 en-US) (HKLM-x32\...\Mozilla Firefox 39.0.3 (x86 en-US)) (Version: 39.0.3 - Mozilla)
Mozilla Maintenance Service (HKLM-x32\...\MozillaMaintenanceService) (Version: 39.0 - Mozilla)
MSI Afterburner 4.1.1 (HKLM-x32\...\Afterburner) (Version: 4.1.1 - MSI Co., LTD)
MSXML 4.0 SP2 (KB954430) (HKLM-x32\...\{86493ADD-824D-4B8E-BD72-8C5DCDC52A71}) (Version: 4.20.9870.0 - Microsoft Corporation)
MSXML 4.0 SP2 (KB973688) (HKLM-x32\...\{F662A8E6-F4DC-41A2-901E-8C11F044BDEC}) (Version: 4.20.9876.0 - Microsoft Corporation)
Nexus Mod Manager (HKLM\...\6af12c54-643b-4752-87d0-8335503010de_is1) (Version: 0.55.8 - Black Tree Gaming)
NVIDIA PhysX (HKLM-x32\...\{80407BA7-7763-4395-AB98-5233F1B34E65}) (Version: 9.13.1220 - NVIDIA Corporation)
OpenAL (HKLM-x32\...\OpenAL) (Version:  - )
Path of Exile (HKLM-x32\...\{90A4562F-D4A1-4B65-906D-41F236CF6902}) (Version: 1.3.0.38517 - Grinding Gear Games)
PCSX2 - Playstation 2 Emulator (HKLM-x32\...\pcsx2-r5350) (Version:  - )
PoESkillTree - The Awakening (HKLM-x32\...\{B5012C21-ECA4-41AF-ABD1-F549D019B7A9}_is1) (Version: 2.2.1 - PoESkillTree Team)
PowerRecover (HKLM-x32\...\{44B2A0AB-412E-4F8C-B058-D1E8AECCDFF5}) (Version: 5.5.1923 - CyberLink Corp.) Hidden
qBittorrent 3.2.3 (HKLM-x32\...\qBittorrent) (Version: 3.2.3 - The qBittorrent project)
Realtek High Definition Audio Driver (HKLM-x32\...\{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}) (Version: 6.0.1.6196 - Realtek Semiconductor Corp.)
Realtek USB 2.0 Card Reader (HKLM-x32\...\{96AE7E41-E34E-47D0-AC07-1091A8127911}) (Version: 6.1.7601.30130 - Realtek Semiconductor Corp.)
Rogue Legacy (HKLM-x32\...\GOGPACKROGUELEGACY_is1) (Version: 2.2.0.10 - GOG.com)
Shovel Knight (HKLM-x32\...\1207664823_is1) (Version: 2.1.0.7 - GOG.com)
Sid Meier's Civilization 5 (HKLM-x32\...\Sid Meier's Civilization 5_R.G. Mechanics_is1) (Version:  - R.G. Mechanics, Panky)
Skype™ 7.0 (HKLM-x32\...\{24991BA0-F0EE-44AD-9CC8-5EC50AECF6B7}) (Version: 7.0.102 - Skype Technologies S.A.)
Starbound (HKLM-x32\...\Steam App 211820) (Version:  - )
Steam (HKLM-x32\...\Steam) (Version:  - Valve Corporation)
System Requirements Lab CYRI (HKLM-x32\...\{F3FCB08B-E752-444D-86A0-0634A4F3B23D}) (Version: 6.0.8.0 - Husdawg, LLC)
The Elder Scrolls III Morrowind GOTY version 0.0.0.9 (HKLM-x32\...\The Elder Scrolls III Morrowind GOTY_is1) (Version: 0.0.0.9 - WaLMaRT)
The Incredible Adventures of Van Helsing (HKLM-x32\...\The Incredible Adventures of Van Helsing_R.G. Mechanics_is1) (Version:  - R.G. Mechanics, markfiter)
The Incredible Adventures of Van Helsing II (HKLM-x32\...\The Incredible Adventures of Van Helsing II_R.G.~1CF9EF12_is1) (Version:  - R.G. Mechanics, markfiter)
The Incredible Adventures of Van Helsing III (HKLM-x32\...\The Incredible Adventures of Van Helsing III_R.G~A9E776BA_is1) (Version:  - R.G. Mechanics, markfiter)
TSEV Skyrim LE (HKLM-x32\...\TSEV Skyrim LE_is1) (Version: 2.0.0.0 - )
Unlocker 1.9.2 (HKLM\...\Unlocker) (Version: 1.9.2 - Cedrick Collomb)
VBA (2627.01) (HKLM-x32\...\{5545EEE1-FA36-4F76-B6BE-5696E7F4E2D6}) (Version: 6.03.00.9402 - Microsoft Corporation) Hidden
VC80CRTRedist - 8.0.50727.6195 (HKLM-x32\...\{933B4015-4618-4716-A828-5289FC03165F}) (Version: 1.2.0 - DivX, Inc) Hidden
VLC media player 2.1.3 (HKLM-x32\...\VLC media player) (Version: 2.1.3 - VideoLAN)
Winamp (HKLM-x32\...\Winamp) (Version: 5.63  - Nullsoft, Inc)
Winamp Detector Plug-in (HKCU\...\Winamp Detect) (Version: 1.0.0.1 - Nullsoft, Inc)
WinRAR 5.01 (64-bit) (HKLM\...\WinRAR archiver) (Version: 5.01.0 - win.rar GmbH)
Wolfenstein (HKLM-x32\...\{F9B37992-968C-4264-8449-489032FC28DE}) (Version: 1.0 - Activision) Hidden
Ys VI - The Ark of Napishtim (HKLM-x32\...\1429178878_is1) (Version: 2.0.0.1 - GOG.com)
ZoneAlarm LTD Toolbar (HKLM\...\ZoneAlarm LTD Toolbar) (Version:  - Check Point Software Technologies)

========================= Devices: ================================

Name: USB Mass Storage Device
Description: USB Mass Storage Device
Class Guid: {36fc9e60-c465-11cf-8056-444553540000}
Manufacturer: Compatible USB storage device
Service: USBSTOR
Device ID: USB\VID_1949&PID_0004\905F220144770RLJ
Problem: : Windows cannot use this hardware device because it has been prepared for safe removal, but it has not been removed from the computer. (Code 47)
Resolution: Unplug the device, and then plug it in again. Alternately, restart the computer to make the device available.

Name: Qualcomm Atheros 802.11 a/b/g/n Dualband Wireless Network Module
Description: Qualcomm Atheros 802.11 a/b/g/n Dualband Wireless Network Module
Class Guid: {4d36e972-e325-11ce-bfc1-08002be10318}
Manufacturer: Qualcomm Atheros Communications Inc.
Service: athr
Device ID: PCI\VEN_168C&DEV_002A&SUBSYS_1000168C&REV_01\4&2509FA68&0&00E1
Problem: : This device is disabled. (Code 22)
Resolution: In Device Manager, click "Action", and then click "Enable Device". This starts the Enable Device wizard. Follow the instructions.

Name: Teredo Tunneling Pseudo-Interface
Description: Microsoft Teredo Tunneling Adapter
Class Guid: {4d36e972-e325-11ce-bfc1-08002be10318}
Manufacturer: Microsoft
Service: tunnel
Device ID: ROOT\*TEREDO\0000
Problem: : This device cannot start. (Code10)
Resolution: Device failed to start. Click "Update Driver" to update the drivers for this device.
On the "General Properties" tab of the device, click "Troubleshoot" to start the troubleshooting wizard.


========================= Memory info: ===================================

Percentage of memory in use: 26%
Total physical RAM: 8191.18 MB
Available physical RAM: 6002.05 MB
Total Virtual: 16380.57 MB
Available Virtual: 13268.52 MB

========================= Partitions: =====================================

1 Drive c: (HP) (Fixed) (Total:918.62 GB) (Free:546.21 GB) NTFS
2 Drive d: (FACTORY_IMAGE) (Fixed) (Total:12.79 GB) (Free:2.29 GB) NTFS

========================= Users: ========================================

User accounts for \\JK-PC

Administrator            Guest                    JK                       

========================= Minidump Files ==================================

No minidump file found

========================= Restore Points ==================================


**** End of log ****
 



#6 Sintharius

Sintharius

    Bleepin' Sniper


  • Members
  • 5,639 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:The Netherlands
  • Local time:05:25 AM

Posted 11 August 2015 - 11:35 AM

Hi there,

You are running two antivirus programs - Avira and MSE. Please uninstall one, and let me know which one you kept.

Do you recognize this?

lytinsub (HKLM-x32\...\{0b76895c-84f4-452c-6d3e-ffcd4107fc75}) (Version: 1.0.0 - impesup)

After that please run this.

Emsisoft Emergency Kit

Please download Emsisoft Emergency Kit and save it to your desktop. Double click on the EmsisoftEmergencyKit file you downloaded to extract its contents and create a shortcut on the desktop. Leave all settings as they are and click the Extract button at the bottom. A folder named EEK will be created in the root of the drive (usually c:\).
  • After extraction please double-click on the new Start Emsisoft Emergency Kit icon on your desktop.
  • The first time you launch it, Emsisoft Emergency Kit will recommend that you allow it to download updates. Please click Yes so that it downloads the latest database updates.
  • When update is complete, click Malware Scan. When asked if you want the scanner to scan for Potentially Unwanted Programs, click Yes. Emsisoft Emergency Kit will start scanning.
  • When the scan is completed click Quarantine selected objects. Note, this option is only available if malicious objects were detected during the scan.
  • When the threats have been quarantined, click the View report button in the lower-right corner, and the scan log will be opened in Notepad.
  • Please save the log in Notepad on your desktop and post the contents in your next reply.
  • When you close Emsisoft Emergency Kit, it will give you an option to sign up for a newsletter. This is optional, and is not necessary for the malware removal process.
===

Kaspersky Virus Removal Tool

4n7CEPj.jpgPlease download Kaspersky Virus Removal Tool from here.
  • Right click on NfpAe5Z.jpg and select Run as Administrator.
  • Read the EULA, then select Accept.
  • Wait for Kaspersky Virus Removal Tool to initialize.
  • In the main screen, select Change parameters, place a checkmark in System drive, then click OK.
  • Click Start scan.
  • Wait for Kaspersky Virus Removal Tool to complete scanning.
  • When the scan is finished, select Neutralize all for all detected objects.
  • Close Kaspersky Virus Removal Tool when done.
Let me know if it found anything.

Regards,
Alex

#7 Nildrem

Nildrem
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:12:25 AM

Posted 11 August 2015 - 04:16 PM

I Uninstalled Avira, Kaspersky detected 2 objects of which one was nonthreatening and the other was something called zbot i think, i can find out more if you like. I don't recognize whatever the HKLM-x32 thing is, important or not?

 

Emsisoft Emergency Kit - Version 10.0
Last update: 11/08/2015 12:52:00 PM
User account: JK-PC\JK

Scan settings:

Scan type: Malware Scan
Objects: Rootkits, Memory, Traces, Files

Detect PUPs: On
Scan archives: Off
ADS Scan: On
File extension filter: Off
Advanced caching: On
Direct disk access: Off

Scan start:    11/08/2015 12:58:50 PM
Value: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432NODE\MICROSOFT -> 022FF376     detected: Trojan.Win32.Injector (A)
Value: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432NODE\MICROSOFT -> B789483D     detected: Trojan.Win32.Injector (A)
Value: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432NODE\MICROSOFT -> C6CE1332     detected: Trojan.Win32.Injector (A)
Key: HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\SDP     detected: Application.Win32.InstallAd (A)
Key: HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\WOW6432NODE\CLSID\{A43DE495-3D00-47D4-9D2C-303115707939}     detected: Application.AdReg (A)
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432NODE\DOWNTANGO     detected: Application.InstallAd (A)
C:\Windows\SysWOW64\shutdownb.dll     detected: Gen:Variant.Graftor.239403 (B)

Scanned    71874
Found    7

Scan end:    11/08/2015 1:04:58 PM
Scan time:    0:06:08

C:\Windows\SysWOW64\shutdownb.dll    Quarantined Gen:Variant.Graftor.239403 (B)
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432NODE\DOWNTANGO    Quarantined Application.InstallAd (A)
Key: HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\WOW6432NODE\CLSID\{A43DE495-3D00-47D4-9D2C-303115707939}    Quarantined Application.AdReg (A)
Key: HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\SDP    Quarantined Application.Win32.InstallAd (A)
Value: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432NODE\MICROSOFT -> C6CE1332    Quarantined Trojan.Win32.Injector (A)
Value: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432NODE\MICROSOFT -> B789483D    Quarantined Trojan.Win32.Injector (A)
Value: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432NODE\MICROSOFT -> 022FF376    Quarantined Trojan.Win32.Injector (A)

Quarantined    7
 



#8 Sintharius

Sintharius

    Bleepin' Sniper


  • Members
  • 5,639 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:The Netherlands
  • Local time:05:25 AM

Posted 11 August 2015 - 04:47 PM

Hi there,

The program above is a PUP - please uninstall it from Programs and Features.

Zbot is a serious infection... It is known to download other malware in addition to stealing information entered on that machine - Change all your passwords ASAP on a clean machine!

ESET Online Scanner
  • Click here to download the installer for ESET Online Scanner and save it to your Desktop.
  • Disable all your antivirus and antimalware software - see how to do that here.
  • Right click on esetsmartinstaller_enu.exe and select Run as Administrator.
  • Place a checkmark in YES, I accept the Terms of Use, then click Start. Wait for ESET Online Scanner to load its components.
  • Select Enable detection of potentially unwanted applications.
  • Click Advanced Settings, then place a checkmark in the following:
    • Remove found threats
    • Scan archives
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth technology
  • Click Start to begin scanning.
  • ESET Online Scanner will start downloading signatures and scan. Please be patient, as this scan can take quite some time.
  • When the scan is done, click List threats (only available if ESET Online Scanner found something).
  • Click Export, then save the file to your desktop.
  • Click Back, then Finish to exit ESET Online Scanner.
Regards,
Alex




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users