
Unbelievably Virulent Infection



#1 LarryBeans

Posted 28 October 2015 - 07:54 PM

I recently got an infection that killed my internet connection.  I did system restore, but it did not help.  I put in the factory restore disc and it refused to read it.  I went to the recovery drive and tried to use PC Restore in safe mode and out.  The virus killed that too.  I now have a useless computer with vista on it.  Please help.

 

 




#2 LarryBeans (Topic Starter)

Posted 29 October 2015 - 05:57 PM

No takers?  I think this must be a new virus.




#3 LarryBeans (Topic Starter)

Posted 31 October 2015 - 09:57 AM

I have not posted the log required because this virus seems to hide in ordinary files.  I do not want to transfer any files from my infected computer, which cannot access the internet, to another computer because this may result in the clean computer becoming infected. 

 

Please advise next step.

 

I would be grateful to know simply how I get PC Restore to work.

 

Thank you for any help.

 

Larry



#4 nasdaq (Malware Response Team)

Posted 01 November 2015 - 09:18 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

Using a working computer, download this tool to a CD.
Copy the file to the Desktop of the compromised computer and run it.

Download the version of this tool for your operating system.
Farbar Recovery Scan Tool (64 bit)
Farbar Recovery Scan Tool (32 bit)
and save it to a folder on your computer's Desktop.
Double-click to run it. When the tool opens, click Yes to the disclaimer.
Press the Scan button.
It will make a log (FRST.txt) in the same directory the tool is run from. Please copy and paste it into your reply.
The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply.
===

Post the logs for my review.

Wait for further instructions.

#5 LarryBeans (Topic Starter)

Posted 01 November 2015 - 02:32 PM

Hello Nasdaq,

 

I am pleased to meet you, and appreciate your responding to my posts.  The title of this thread should be "Unbelievably Stupid Computer User," for I am back on the internet after resetting my modem!  Wow.

 

Here are the logs.

 

Thanks again,

 

Larry

 

 

-----------------------------------------------------------------------

 

 

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version:31-10-2015
Ran by Sam (administrator) on SAM-PC (01-11-2015 14:05:42)
Running from C:\Users\Sam\Desktop
Loaded Profiles: Sam (Available Profiles: Sam)
Platform: Microsoft® Windows Vista™ Home Basic  Service Pack 1 (X86) Language: English (United States)
Internet Explorer Version 7 (Default browser: FF)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(Microsoft Corporation) C:\Windows\System32\SLsvc.exe
(Microsoft Corporation) C:\Windows\System32\wlanext.exe
() C:\Windows\System32\WLTRYSVC.EXE
(Dell Inc.) C:\Windows\System32\BCMWLTRY.EXE
(AVAST Software) C:\Program Files\AVAST Software\Avast\AvastSvc.exe
(Andrea Electronics Corporation) C:\Windows\System32\AERTSrv.exe
(Microsoft Corporation) C:\Program Files\Windows Defender\MSASCui.exe
(Alps Electric Co., Ltd.) C:\Program Files\DellTPad\Apoint.exe
(Realtek Semiconductor) C:\Windows\RtHDVCpl.exe
(Creative Technology Ltd.) C:\Windows\OEM13Mon.exe
(Intel Corporation) C:\Windows\System32\hkcmd.exe
(Intel Corporation) C:\Windows\System32\igfxpers.exe
(Dell Inc.) C:\Windows\System32\WLTRAY.EXE
(CyberLink Corp.) C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
(Intel Corporation) C:\Windows\System32\igfxsrvc.exe
(AVAST Software) C:\Program Files\AVAST Software\Avast\avastui.exe
(Dell Inc.) C:\Program Files\Dell\QuickSet\quickset.exe
(Alps Electric Co., Ltd.) C:\Program Files\DellTPad\ApMsgFwd.exe
(Alps Electric Co., Ltd.) C:\Program Files\DellTPad\hidfind.exe
(Piriform Ltd) C:\Program Files\CCleaner\CCleaner.exe
(Microsoft Corporation) C:\Windows\System32\wbem\unsecapp.exe
(Alps Electric Co., Ltd.) C:\Program Files\DellTPad\ApntEx.exe
(Intuit Inc.) C:\Program Files\Common Files\Intuit\Update Service v4\IntuitUpdateService.exe
(Microsoft Corporation) C:\Windows\System32\vds.exe
(Microsoft Corporation) C:\Windows\System32\mobsync.exe


==================== Registry (Whitelisted) ===========================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [Windows Defender] => C:\Program Files\Windows Defender\MSASCui.exe [1008184 2008-01-20] (Microsoft Corporation)
HKLM\...\Run: [ECenter] => C:\Dell\E-Center\EULALauncher.exe [17920 2008-02-28] ( )
HKLM\...\Run: [Apoint] => C:\Program Files\DellTPad\Apoint.exe [159744 2008-02-22] (Alps Electric Co., Ltd.)
HKLM\...\Run: [RtHDVCpl] => C:\Windows\RtHDVCpl.exe [4907008 2008-02-22] (Realtek Semiconductor)
HKLM\...\Run: [OEM13Mon.exe] => C:\Windows\OEM13Mon.exe [36864 2008-07-17] (Creative Technology Ltd.)
HKLM\...\Run: [DELL Webcam Manager] => C:\Program Files\Dell\Dell Webcam Manager\DellWMgr.exe [118784 2007-07-27] (Creative Technology Ltd.)
HKLM\...\Run: [Broadcom Wireless Manager UI] => C:\Windows\system32\WLTRAY.exe [3444736 2008-05-16] (Dell Inc.)
HKLM\...\Run: [dscactivate] => C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe [16384 2008-03-11] ( )
HKLM\...\Run: [PDVDDXSrv] => C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe [128296 2008-02-26] (CyberLink Corp.)
HKLM\...\Run: [AvastUI.exe] => C:\Program Files\AVAST Software\Avast\AvastUI.exe [6111824 2015-09-01] (AVAST Software)
HKLM\...\Run: [BrStsMon00] => C:\Program Files\Browny02\Brother\BrStMonW.exe [2678784 2011-10-18] (Brother Industries, Ltd.)
HKLM\...\Run: [Adobe ARM] => C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe [919008 2012-07-27] (Adobe Systems Incorporated)
HKU\S-1-5-21-4111722262-3164843452-1930944961-1000\...\Run: [CCleaner Monitoring] => C:\Program Files\CCleaner\CCleaner.exe [5529880 2015-03-13] (Piriform Ltd)
HKU\S-1-5-21-4111722262-3164843452-1930944961-1000\...\RunOnce: [FlashPlayerUpdate] => C:\Windows\system32\Macromed\Flash\FlashUtil32_19_0_0_185_Plugin.exe [1156296 2015-09-26] (Adobe Systems Incorporated)
HKU\S-1-5-21-4111722262-3164843452-1930944961-1000\Control Panel\Desktop\\SCRNSAVE.EXE -> C:\Windows\system32\scrnsave.scr [10240 2006-11-02] (Microsoft Corporation)
ShellIconOverlayIdentifiers: [00avast] -> {472083B0-C522-11CF-8763-00608CC02F24} => C:\Program Files\AVAST Software\Avast\ashShell.dll [2015-08-12] (AVAST Software)
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\QuickSet.lnk [2008-08-29]
ShortcutTarget: QuickSet.lnk -> C:\Program Files\Dell\QuickSet\quickset.exe (Dell Inc.)

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

Tcpip\Parameters: [DhcpNameServer] 192.168.0.1
Tcpip\..\Interfaces\{2DA924EF-F900-4796-B406-2A417CB00551}: [DhcpNameServer] 192.168.0.1

Internet Explorer:
==================
HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
HKU\S-1-5-21-4111722262-3164843452-1930944961-1000\Software\Microsoft\Internet Explorer\Main,Start Page = hxxps://www.google.com/?gws_rd=ssl
HKU\S-1-5-21-4111722262-3164843452-1930944961-1000\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://partnerpage.google.com/smallbiz.dell.com/en_us?hl=en&client=dell-usuk&channel=us-smb&ibd=1080830
SearchScopes: HKU\.DEFAULT -> {6A1806CD-94D4-4689-BA73-E35EA1EA9990} URL =
BHO: Adobe PDF Link Helper -> {18DF081C-E8AD-4283-A596-FA578C2EBDC3} -> C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll [2012-07-27] (Adobe Systems Incorporated)
BHO: SSVHelper Class -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll [2008-02-22] (Sun Microsystems, Inc.)
BHO: avast! Online Security -> {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} -> C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll [2015-08-12] (AVAST Software)
BHO: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL [2010-12-21] (Microsoft Corporation)
BHO: No Name -> {CA6319C0-31B7-401E-A518-A07C3DB8F777} -> No File
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
Handler: ms-itss - {0A9007C0-4076-11D3-8789-0000F8105754} - C:\Program Files\Common Files\Microsoft Shared\Information Retrieval\msitss.dll [2007-11-28] (Microsoft Corporation)

FireFox:
========
FF ProfilePath: C:\Users\Sam\AppData\Roaming\Mozilla\Firefox\Profiles\sf3roxkk.default
FF DefaultSearchEngine: Google
FF DefaultSearchEngine.US: Wikipedia (en)
FF Homepage: hxxps://www.google.com/?gws_rd=ssl
FF Plugin: @adobe.com/FlashPlayer -> C:\Windows\system32\Macromed\Flash\NPSWF32_19_0_0_185.dll [2015-09-26] ()
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files\Microsoft Silverlight\5.1.30514.0\npctrl.dll [2014-05-13] ( Microsoft Corporation)
FF Plugin: @microsoft.com/OfficeAuthz,version=14.0 -> C:\PROGRA~1\MICROS~3\Office14\NPAUTHZ.DLL [2010-01-09] (Microsoft Corporation)
FF Plugin: @microsoft.com/SharePoint,version=14.0 -> C:\PROGRA~1\MICROS~3\Office14\NPSPWRAP.DLL [2010-03-24] (Microsoft Corporation)
FF Plugin: @microsoft.com/WPF,version=3.5 -> c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll [2008-07-29] (Microsoft Corporation)
FF Plugin: Adobe Reader -> C:\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll [2012-07-27] (Adobe Systems Inc.)
FF HKLM\...\Firefox\Extensions: [wrc@avast.com] - C:\Program Files\AVAST Software\Avast\WebRep\FF
FF Extension: Avast Online Security - C:\Program Files\AVAST Software\Avast\WebRep\FF [2015-10-28] [not signed]
FF HKLM\...\Firefox\Extensions: [{20a82645-c095-46ed-80e3-08825760534b}] - c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF Extension: Microsoft .NET Framework Assistant - c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension [2015-02-10] [not signed]

Chrome:
=======
CHR HKLM\...\Chrome\Extension: [eofcbnmajmjmplflapaojjnihcjkigck] - C:\Program Files\AVAST Software\Avast\WebRep\Chrome\aswWebRepChromeSp.crx [2015-08-12]
CHR HKLM\...\Chrome\Extension: [gomekmidlodglbbmalcneegieacbdmki] - C:\Program Files\AVAST Software\Avast\WebRep\Chrome\aswWebRepChrome.crx [2015-08-12]

==================== Services (Whitelisted) ========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R2 AERTFilters; C:\Windows\system32\AERTSrv.exe [77824 2008-02-22] (Andrea Electronics Corporation)
R2 avast! Antivirus; C:\Program Files\AVAST Software\Avast\AvastSvc.exe [146600 2015-08-12] (AVAST Software)
S3 BrYNSvc; C:\Program Files\Browny02\BrYNSvc.exe [249856 2011-11-15] (Brother Industries, Ltd.) [File not signed]
S2 MBAMService; C:\Program Files\Malwarebytes Anti-Malware\mbamservice.exe [1133880 2015-06-18] (Malwarebytes Corporation)
S3 stllssvr; C:\Program Files\Common Files\SureThing Shared\stllssvr.exe [69632 2007-07-11] (MicroVision Development, Inc.) [File not signed]
R2 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [272952 2008-01-20] (Microsoft Corporation)
R2 wltrysvc; C:\Windows\System32\bcmwltry.exe [2506752 2008-05-16] (Dell Inc.) [File not signed]

===================== Drivers (Whitelisted) ==========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R2 aswHwid; C:\Windows\system32\drivers\aswHwid.sys [24016 2015-08-12] (AVAST Software)
R2 aswMonFlt; C:\Windows\system32\drivers\aswMonFlt.sys [76000 2015-08-12] (AVAST Software)
R1 aswRdr; C:\Windows\system32\drivers\aswRdr.sys [55200 2015-08-12] (AVAST Software)
R0 aswRvrt; C:\Windows\system32\Drivers\aswRvrt.sys [49776 2015-08-12] (AVAST Software)
R1 aswSnx; C:\Windows\system32\drivers\aswSnx.sys [788784 2015-08-12] (AVAST Software)
R1 aswSP; C:\Windows\system32\drivers\aswSP.sys [433264 2015-08-12] (AVAST Software)
R3 aswStmXP; C:\Windows\system32\drivers\aswStmXP.sys [161472 2015-08-12] (AVAST Software)
S3 aswTdi; C:\Windows\system32\drivers\aswTdi.sys [57888 2015-08-12] (AVAST Software)
R0 aswVmm; C:\Windows\system32\Drivers\aswVmm.sys [208664 2015-08-12] (AVAST Software)
R3 MBAMProtector; C:\Windows\system32\drivers\mbam.sys [23256 2015-06-18] (Malwarebytes Corporation)
S3 MBAMWebAccessControl; C:\Windows\system32\drivers\mwac.sys [51928 2015-06-18] (Malwarebytes Corporation)
R3 OEM13Vfx; C:\Windows\System32\DRIVERS\OEM13Vfx.sys [7424 2008-07-17] (EyePower Games Pte. Ltd.)
R3 OEM13Vid; C:\Windows\System32\DRIVERS\OEM13Vid.sys [235840 2008-07-17] (Creative Technology Ltd.)
S3 BCM42RLY; system32\drivers\BCM42RLY.sys [X]
S3 IpInIp; system32\DRIVERS\ipinip.sys [X]
S3 NwlnkFlt; system32\DRIVERS\nwlnkflt.sys [X]
S3 NwlnkFwd; system32\DRIVERS\nwlnkfwd.sys [X]

==================== NetSvcs (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)


==================== One Month Created files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2015-11-01 14:05 - 2015-11-01 14:07 - 00011588 _____ C:\Users\Sam\Desktop\FRST.txt
2015-11-01 14:05 - 2015-11-01 14:05 - 00000000 ____D C:\FRST
2015-11-01 14:04 - 2015-11-01 14:04 - 01701888 _____ (Farbar) C:\Users\Sam\Desktop\FRST.exe
2015-11-01 14:03 - 2015-11-01 14:03 - 00090336 _____ C:\Users\Sam\AppData\Local\GDIPFONTCACHEV1.DAT
2015-10-28 19:26 - 2015-10-28 19:26 - 00001831 _____ C:\Users\Public\Desktop\Avast Free Antivirus.lnk
2015-10-28 19:26 - 2015-08-12 04:56 - 00433264 _____ (AVAST Software) C:\Windows\system32\Drivers\aswCE23.tmp
2015-10-28 19:26 - 2015-08-12 04:56 - 00313472 _____ (AVAST Software) C:\Windows\system32\aswBoot.exe
2015-10-28 19:26 - 2015-08-12 04:56 - 00208664 _____ (AVAST Software) C:\Windows\system32\Drivers\aswCE72.tmp
2015-10-28 19:26 - 2015-08-12 04:56 - 00161472 _____ (AVAST Software) C:\Windows\system32\Drivers\aswCE83.tmp
2015-10-28 19:26 - 2015-08-12 04:56 - 00076000 _____ (AVAST Software) C:\Windows\system32\Drivers\aswCD47.tmp
2015-10-28 19:26 - 2015-08-12 04:56 - 00057888 _____ (AVAST Software) C:\Windows\system32\Drivers\aswCEA3.tmp
2015-10-28 19:26 - 2015-08-12 04:56 - 00055200 _____ (AVAST Software) C:\Windows\system32\Drivers\aswCB71.tmp
2015-10-28 19:26 - 2015-08-12 04:56 - 00049776 _____ (AVAST Software) C:\Windows\system32\Drivers\aswCD86.tmp
2015-10-28 19:26 - 2015-08-12 04:56 - 00024016 _____ (AVAST Software) C:\Windows\system32\Drivers\aswCBDF.tmp
2015-10-28 19:26 - 2015-08-12 04:55 - 00788784 _____ (AVAST Software) C:\Windows\system32\Drivers\aswC825.tmp
2015-10-19 07:33 - 2015-10-25 07:32 - 00000000 ____D C:\Program Files\Mozilla Firefox
2015-10-18 12:13 - 2015-10-19 07:43 - 00000000 ____D C:\Users\Sam\Desktop\2015 Spain

==================== One Month Modified files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2015-11-01 14:05 - 2008-08-29 17:39 - 01506275 _____ C:\Windows\WindowsUpdate.log
2015-11-01 13:59 - 2006-11-02 07:45 - 00003616 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
2015-11-01 13:59 - 2006-11-02 07:45 - 00003616 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
2015-10-28 20:04 - 2006-11-02 06:18 - 00000000 ____D C:\Windows\system32\LogFiles
2015-10-28 19:31 - 2006-11-02 05:33 - 00703388 _____ C:\Windows\system32\PerfStringBackup.INI
2015-10-28 19:27 - 2014-12-25 11:35 - 00098520 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
2015-10-28 19:23 - 2014-12-25 11:16 - 00000000 ____D C:\Users\Sam
2015-10-28 19:23 - 2006-11-02 07:58 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2015-10-28 19:23 - 2006-11-02 06:18 - 00000000 ____D C:\Windows\system32\Msdtc
2015-10-28 19:22 - 2014-12-25 11:43 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\AVAST Software
2015-10-28 19:22 - 2006-11-02 06:18 - 00000000 ____D C:\Windows\system32\spool
2015-10-28 19:22 - 2006-11-02 06:18 - 00000000 ____D C:\Windows\registration
2015-10-28 19:22 - 2006-11-02 05:22 - 34078720 _____ C:\Windows\system32\config\components_previous
2015-10-28 19:22 - 2006-11-02 05:22 - 32505856 _____ C:\Windows\system32\config\software_previous
2015-10-28 19:22 - 2006-11-02 05:22 - 26476544 _____ C:\Windows\system32\config\system_previous
2015-10-28 19:22 - 2006-11-02 05:22 - 00262144 _____ C:\Windows\system32\config\security_previous
2015-10-28 19:22 - 2006-11-02 05:22 - 00262144 _____ C:\Windows\system32\config\sam_previous
2015-10-28 19:22 - 2006-11-02 05:22 - 00262144 _____ C:\Windows\system32\config\default_previous
2015-10-25 12:03 - 2014-12-25 16:25 - 00000000 ____D C:\Program Files\Mozilla Maintenance Service
2015-10-25 08:07 - 2006-11-02 07:58 - 00027256 _____ C:\Windows\Tasks\SCHEDLGU.TXT
2015-10-25 06:47 - 2015-09-20 06:29 - 00000000 ___RD C:\Users\Sam\Desktop\Computer Tradeout
2015-10-20 07:26 - 2014-12-26 06:48 - 00000000 ____D C:\Windows\system32\MRT
2015-10-20 02:01 - 2006-11-02 05:24 - 141105520 _____ (Microsoft Corporation) C:\Windows\system32\mrt.exe
2015-10-19 07:43 - 2014-12-25 11:29 - 00027648 _____ C:\Users\Sam\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
2015-10-02 14:49 - 2014-12-25 11:26 - 00000000 ____D C:\Users\Sam\Desktop\Mr. Igoe
2015-10-02 01:37 - 2015-01-14 14:26 - 00002613 _____ C:\Users\Sam\Desktop\Microsoft Word 2010.lnk

==================== Files in the root of some directories =======

2014-12-28 08:50 - 2015-01-05 11:09 - 0000368 _____ () C:\Users\Sam\AppData\Roaming\wklnhst.dat
2014-12-25 11:29 - 2015-10-19 07:43 - 0027648 _____ () C:\Users\Sam\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
2015-03-22 06:26 - 2015-03-29 13:08 - 0000451 _____ () C:\ProgramData\Microsoft.SqlServer.Compact.400.32.bc

==================== Bamital & volsnap =================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\explorer.exe => File is digitally signed
C:\Windows\system32\winlogon.exe => File is digitally signed
C:\Windows\system32\wininit.exe => File is digitally signed
C:\Windows\system32\svchost.exe => File is digitally signed
C:\Windows\system32\services.exe => File is digitally signed
C:\Windows\system32\User32.dll => File is digitally signed
C:\Windows\system32\userinit.exe => File is digitally signed
C:\Windows\system32\rpcss.dll => File is digitally signed
C:\Windows\system32\dnsapi.dll => File is digitally signed
C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed


LastRegBack: 2015-10-28 19:53

==================== End of FRST.txt ============================




#6 nasdaq (Malware Response Team)

Posted 02 November 2015 - 08:20 AM

Press the Windows key + R on your keyboard at the same time. This will open the Run box.
Type Notepad and click the OK key.
Please copy the entire contents of the code box below to a new file.
 
start

CreateRestorePoint:
EmptyTemp:
CloseProcesses:

SearchScopes: HKU\.DEFAULT -> {6A1806CD-94D4-4689-BA73-E35EA1EA9990} URL =
BHO: No Name -> {CA6319C0-31B7-401E-A518-A07C3DB8F777} -> No File
CHR HKLM\...\Chrome\Extension: [eofcbnmajmjmplflapaojjnihcjkigck] - C:\Program Files\AVAST Software\Avast\WebRep\Chrome\aswWebRepChromeSp.crx [2015-08-12]
CHR HKLM\...\Chrome\Extension: [gomekmidlodglbbmalcneegieacbdmki] - C:\Program Files\AVAST Software\Avast\WebRep\Chrome\aswWebRepChrome.crx [2015-08-12]
S3 BCM42RLY; system32\drivers\BCM42RLY.sys [X]
S3 IpInIp; system32\DRIVERS\ipinip.sys [X]
S3 NwlnkFlt; system32\DRIVERS\nwlnkflt.sys [X]
S3 NwlnkFwd; system32\DRIVERS\nwlnkfwd.sys [X]

End
Save the file as fixlist.txt in the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the Farbar log you have submitted.

Run FRST and click Fix only once and wait.

Restart the computer normally to reset the registry.

The tool will create a log (Fixlog.txt) please post it to your reply.
===

Let me check this.

Download Security Check by screen317 from here
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.
p.s.
If the SecurityCheck program fails to run for any reason, run it as an Administrator.

If the site is busy or not available use this mirror site:
http://www.bleepingcomputer.com/download/securitycheck/

How is the computer running now?

======
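The fixlist above is built by copying log entries that FRST itself flags as orphaned (a BHO with "No File", a SearchScope with an empty URL, a service or driver whose file shows as "[X]") and wrapping them in the CreateRestorePoint/EmptyTemp/CloseProcesses header. As an added example, not part of this thread or of the FRST tool, the Python below applies those same mechanical checks to constructed sample lines in the shape of the logs posted here, assembles a fixlist in the same layout, and then tallies the outcomes in a sample Fixlog so a "Could not move" is not overlooked. The avast Chrome-extension lines in the real fixlist were an analyst judgement call and are left to the caller's `extra_entries`.

```python
import re

# Constructed sample in the shape of the FRST.txt posted in this thread:
# healthy whitelisted lines plus one orphaned BHO, one empty SearchScope and
# two drivers whose file is missing.
SAMPLE_FRST = r"""
SearchScopes: HKU\.DEFAULT -> {6A1806CD-94D4-4689-BA73-E35EA1EA9990} URL =
BHO: Adobe PDF Link Helper -> {18DF081C-E8AD-4283-A596-FA578C2EBDC3} -> C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll [2012-07-27] (Adobe Systems Incorporated)
BHO: No Name -> {CA6319C0-31B7-401E-A518-A07C3DB8F777} -> No File
R2 avast! Antivirus; C:\Program Files\AVAST Software\Avast\AvastSvc.exe [146600 2015-08-12] (AVAST Software)
R2 wltrysvc; C:\Windows\System32\bcmwltry.exe [2506752 2008-05-16] (Dell Inc.) [File not signed]
S3 BCM42RLY; system32\drivers\BCM42RLY.sys [X]
S3 IpInIp; system32\DRIVERS\ipinip.sys [X]
"""

# Service/driver line whose file FRST could not find: status code, name, path, "[X]".
MISSING_FILE_RE = re.compile(r"^[RSU]\d\s+[^;]+;.*\[X\]\s*$")


def classify(line: str):
    """Return why an FRST entry looks orphaned, or None if it looks healthy.

    These are only the mechanical signals FRST prints; the fixlist in this
    thread also contains analyst judgement calls this function cannot make.
    """
    text = line.rstrip()
    if text.startswith("BHO:") and text.endswith("-> No File"):
        return "browser helper object whose DLL no longer exists"
    if text.startswith("SearchScopes:") and text.endswith("URL ="):
        return "search scope with an empty URL"
    if MISSING_FILE_RE.match(text):
        return "service or driver registration whose file is missing"
    return None


def find_orphans(log_text: str):
    """Return (entry, reason) pairs for every orphaned entry in an FRST log."""
    found = []
    for raw in log_text.splitlines():
        reason = classify(raw)
        if reason:
            found.append((raw.rstrip(), reason))
    return found


def build_fixlist(log_text: str, extra_entries=()):
    """Assemble a fixlist.txt in the layout used in this thread.

    Entries are copied verbatim from the log because FRST matches them as
    written; extra_entries carries the analyst's own additions unchanged.
    """
    lines = ["start", "", "CreateRestorePoint:", "EmptyTemp:", "CloseProcesses:", ""]
    lines += [entry for entry, _ in find_orphans(log_text)]
    lines += list(extra_entries)
    lines += ["", "End"]
    return "\n".join(lines) + "\n"


# Constructed sample Fixlog lines in the shape FRST prints after a Fix run.
SAMPLE_FIXLOG = r"""
"HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}" => key removed successfully.
HKCR\CLSID\{6A1806CD-94D4-4689-BA73-E35EA1EA9990} => key not found.
Could not move "C:\Program Files\AVAST Software\Avast\WebRep\Chrome\aswWebRepChromeSp.crx" => Scheduled to move on reboot.
BCM42RLY => service removed successfully.
IpInIp => service removed successfully.
EmptyTemp: => 127.9 MB temporary data Removed.
"C:\Program Files\AVAST Software\Avast\WebRep\Chrome\aswWebRepChromeSp.crx" => Could not move
"""


def summarize_fixlog(fixlog_text: str):
    """Count Fixlog outcomes per line; a file still reported as
    'Could not move' after the reboot needs a follow-up."""
    counts = {"removed": 0, "not_found": 0, "could_not_move": 0}
    for line in fixlog_text.splitlines():
        if "removed successfully" in line:
            counts["removed"] += 1
        elif "key not found" in line:
            counts["not_found"] += 1
        elif "Could not move" in line:
            counts["could_not_move"] += 1
    return counts


if __name__ == "__main__":
    for entry, reason in find_orphans(SAMPLE_FRST):
        print(f"{reason}: {entry}")
    print(build_fixlist(SAMPLE_FRST))
    print(summarize_fixlog(SAMPLE_FIXLOG))
```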

#7 LarryBeans (Topic Starter)

Posted 02 November 2015 - 07:50 PM

Hey, Nasdaq.

 

Here are the logs.  The computer does seem to be running clearer and quicker, but the fan still comes on and my DVD drive will not read my reinstallation disc from the factory. 

 

----------------

Fixlog

---------------

 

Fix result of Farbar Recovery Scan Tool (x86) Version:31-10-2015
Ran by Sam (2015-11-02 19:22:28) Run:1
Running from C:\Users\Sam\Desktop
Loaded Profiles: Sam (Available Profiles: Sam)
Boot Mode: Normal

==============================================

fixlist content:
*****************
start

CreateRestorePoint:
EmptyTemp:
CloseProcesses:

SearchScopes: HKU\.DEFAULT -> {6A1806CD-94D4-4689-BA73-E35EA1EA9990} URL =
BHO: No Name -> {CA6319C0-31B7-401E-A518-A07C3DB8F777} -> No File
CHR HKLM\...\Chrome\Extension: [eofcbnmajmjmplflapaojjnihcjkigck] - C:\Program Files\AVAST Software\Avast\WebRep\Chrome\aswWebRepChromeSp.crx [2015-08-12]
CHR HKLM\...\Chrome\Extension: [gomekmidlodglbbmalcneegieacbdmki] - C:\Program Files\AVAST Software\Avast\WebRep\Chrome\aswWebRepChrome.crx [2015-08-12]
S3 BCM42RLY; system32\drivers\BCM42RLY.sys [X]
S3 IpInIp; system32\DRIVERS\ipinip.sys [X]
S3 NwlnkFlt; system32\DRIVERS\nwlnkflt.sys [X]
S3 NwlnkFwd; system32\DRIVERS\nwlnkfwd.sys [X]

End
*****************

Restore point was successfully created.
Processes closed successfully.
"HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}" => key removed successfully.
HKCR\CLSID\{6A1806CD-94D4-4689-BA73-E35EA1EA9990} => key not found.
"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{CA6319C0-31B7-401E-A518-A07C3DB8F777}" => key removed successfully.
HKCR\CLSID\{CA6319C0-31B7-401E-A518-A07C3DB8F777} => key not found.
"HKLM\SOFTWARE\Google\Chrome\Extensions\eofcbnmajmjmplflapaojjnihcjkigck" => key removed successfully.
Could not move "C:\Program Files\AVAST Software\Avast\WebRep\Chrome\aswWebRepChromeSp.crx" => Scheduled to move on reboot.
"HKLM\SOFTWARE\Google\Chrome\Extensions\gomekmidlodglbbmalcneegieacbdmki" => key removed successfully.
Could not move "C:\Program Files\AVAST Software\Avast\WebRep\Chrome\aswWebRepChrome.crx" => Scheduled to move on reboot.
BCM42RLY => service removed successfully.
IpInIp => service removed successfully.
NwlnkFlt => service removed successfully.
NwlnkFwd => service removed successfully.
EmptyTemp: => 127.9 MB temporary data Removed.

Result of scheduled files to move (Boot Mode: Normal) (Date&Time: 2015-11-02 19:27:14)

"C:\Program Files\AVAST Software\Avast\WebRep\Chrome\aswWebRepChromeSp.crx" => Could not move
"C:\Program Files\AVAST Software\Avast\WebRep\Chrome\aswWebRepChrome.crx" => Could not move

==== End of Fixlog 19:27:14 ====

 

 

 

 

------------------------------------------------------------------

Checkup

--------------------------------------------------------------------

 

 Results of screen317's Security Check version 1.009  
 Windows Vista Service Pack 1 x86 (UAC is enabled)  
 Out of date service pack!!
 Internet Explorer 7 Out of date!
``````````````Antivirus/Firewall Check:``````````````
 Windows Firewall Enabled!  
avast! Antivirus   
 Antivirus up to date!   
`````````Anti-malware/Other Utilities Check:`````````
 CCleaner     
 Java™ 6 Update 5  
 Java version 32-bit out of Date!
 Adobe Flash Player     19.0.0.185  
 Adobe Reader 10.1.4 Adobe Reader out of Date!  
 Mozilla Firefox (41.0.2)
````````Process Check: objlist.exe by Laurent````````  
 Windows Defender MSASCui.exe
 Windows Defender MSASCui.exe   
 AVAST Software Avast AvastSvc.exe  
 AVAST Software Avast avastui.exe  
`````````````````System Health check`````````````````
 Total Fragmentation on Drive C: 4 % Defragment your hard drive soon! (Do NOT defrag if SSD!)
````````````````````End of Log``````````````````````
 



#8 nasdaq (Malware Response Team)

Posted 03 November 2015 - 08:41 AM


The computer does seem to be running clearer and quicker, but the fan still comes on and my DVD drive will not read my reinstallation disc from the factory.

Try this for now.
Insert the CD in the drive.
Make sure you eject the CD using the control center.
Restart the computer normally.
Is the problem persisting?

What is the error message?
===

Your version of Java is outdated and needs to be updated to take advantage of fixes that have eliminated security vulnerabilities.

You can manually check your present version and update as recommended.
https://www.java.com/en/download/installed.jsp

Be careful not to install malware posing as a Java update!
Important: read this blog.
http://blog.trendmicro.com/trendlabs-security-intelligence/malware-poses-as-an-update-for-java-0-day-fix/

Quoted from the page.
"In light of the recent events surrounding Java, users must seriously consider their use of Java. Do they really need it? If yes, make sure that users follow the steps we recommended and get the security update directly from the official oracle website." at:
http://www.oracle.com/technetwork/java/javase/downloads/index.html

How to disable Java in your browsers
http://www.infoworld.com/t/web-browsers/how-disable-java-in-your-browsers-210882


If present remove the old version(s) of Java using the Add/Remove Programs applet.

Java™ 6 Update 5
===

Get the latest version of the Adobe Reader.
http://get.adobe.com/reader/
Before you download, I suggest you uncheck the box on the top right, "Yes, install McAfee Security Scan Plus - optional"; this is not required if you are not a McAfee subscriber. While the installation is in progress you can also deny the installation of any other programs that may be suggested.

When installed remove your old version of the Reader using the Add/Remove Programs applet if present.
<<<>>>

Critical vulnerabilities have been identified in old versions of Adobe Flash Player; please get the latest version.

Flash test site:
http://www.adobe.com/software/flash/about/
Install the new version or if you have the latest close the windows.

Flash Player Help / Find version
http://helpx.adobe.com/flash-player/kb/find-version-flash-player.html#main_Find_the_Flash_Player_version_installed_on_your_machine

#9 LarryBeans (Topic Starter)

Posted 03 November 2015 - 06:45 PM

Nasdaq,

 

I have made the updates.

 

I am not sure what control center is.

 

When I insert the cd and go to computer and try to open it, the computer asks if I want to format this blank disc.



#10 nasdaq (Malware Response Team)

Posted 04 November 2015 - 11:01 AM

As far as you know is the disk empty?

If not try a blank disk, if asked to format do it.

Eject the CD with the control.
This control is normally seen on the bottom task bar as an arrow pointing up.
Click it, find the icon for the CD, right-click on it and select the disconnect option.
Not sure what the message may be.

#11 LarryBeans (Topic Starter)

Posted 10 November 2015 - 05:42 AM

Nasdaq,

 

I think the computer is reinfected, for it keeps crashing our modem like maybe it is sending information out.  Is there any way to check again?  Sorry.

 

Larry



#12 nasdaq (Malware Response Team)

Posted 10 November 2015 - 10:20 AM

Run the Farbar tool and post a fresh FRST log.

When running the tool, make sure that the Addition.txt box is checked.
This will create a new Addition.txt file; attach it for my review.

How to:
In the Reply section at the bottom of the topic, click the "More Reply Options" button.

Attach the file.
Select "Choose a File" and navigate to the location of the file.
Click the file you wish to attach.

Click the Add reply button.

#13 nasdaq (Malware Response Team)

Posted 16 November 2015 - 09:47 AM

Are you still with me?

#14 nasdaq (Malware Response Team)

Posted 22 November 2015 - 08:08 AM

Due to the lack of feedback, this topic is now closed.

In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days.

Please include a link to your topic in the Private Message. Thank you.



