
Backdoor.Tidserv!inf manual removal


This topic is locked
10 replies to this topic

#1 EmlynII


Posted 04 November 2015 - 01:15 AM

Norton Anti-virus says my laptop is infected with Backdoor.Tidserv!inf and it needs to be manually removed. Any help would be appreciated.

Thanks.

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version:31-10-2015
Ran by Elizabeth (administrator) on JENSEN (03-11-2015 16:19:48)
Running from C:\Users\Elizabeth\Downloads
Loaded Profiles: Elizabeth (Available Profiles: Elizabeth)
Platform: Microsoft® Windows Vista™ Home Premium  Service Pack 1 (X86) Language: English (United States)
Internet Explorer Version 8 (Default browser: FF)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(Microsoft Corporation) C:\Windows\System32\SLsvc.exe
(ArcSoft, Inc.) C:\Users\Elizabeth\AppData\Roaming\HP SimpleSave Application\uUACTokenSvc.exe
(Intel Corporation) C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTmon.exe
(Hewlett-Packard Company) C:\Program Files\Common Files\LightScribe\LSSrvc.exe
(Symantec Corporation) C:\Program Files\Norton Internet Security\Engine\22.5.4.24\nis.exe
() C:\Program Files\HP\QuickPlay\Kernel\TV\QPCapSvc.exe
() C:\Program Files\CyberLink\Shared Files\RichVideo.exe
(Hewlett-Packard Development Company, L.P.) C:\Program Files\Hewlett-Packard\Shared\hpqWmiEx.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe
(Synaptics Incorporated) C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
(Motorola Inc.) C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe
(Intel Corporation) C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
(CyberLink Corp.) C:\Program Files\HP\QuickPlay\QPService.exe
( Hewlett-Packard Development Company, L.P.) C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe
( Hewlett-Packard Development Company, L.P.) C:\Program Files\Hewlett-Packard\HP QuickTouch\HPKBDAPP.exe
(Hewlett-Packard Development Company, L.P.) C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
(Hewlett-Packard Development Company, L.P.) C:\Program Files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe
(Intel Corporation) C:\Windows\System32\igfxtray.exe
(Intel Corporation) C:\Windows\System32\hkcmd.exe
(Intel Corporation) C:\Windows\System32\igfxpers.exe
() C:\Program Files\DivX\DivX Update\DivXUpdate.exe
(Sun Microsystems, Inc.) C:\Program Files\Common Files\Java\Java Update\jusched.exe
(PixArt Imaging Incorporation) C:\Windows\PixArt\Pac207\Monitor.exe
(Intel Corporation) C:\Windows\System32\igfxsrvc.exe
(Hewlett-Packard Company) C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe
(Microsoft Corporation) C:\Windows\ehome\ehtray.exe
(SUPERAntiSpyware.com) C:\Program Files\SUPERAntiSpyware\SUPERANTISPYWARE.EXE
(Hewlett-Packard Co.) C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
(WinZip Computing, S.L.) C:\Program Files\WinZip\WZQKPICK32.EXE
() C:\Users\Elizabeth\AppData\Roaming\HP SimpleSave Application\StartHelper.exe
(Microsoft Corporation) C:\Program Files\Windows Media Player\wmpnscfg.exe
(Microsoft Corporation) C:\Windows\ehome\ehmsas.exe
() C:\Program Files\Hewlett-Packard\Shared\HpqToaster.exe
(Hewlett-Packard) C:\Program Files\Hewlett-Packard\HP Health Check\HPHC_Service.exe
(Hewlett-Packard Co.) C:\Program Files\HP\Digital Imaging\bin\hpqste08.exe
(Hewlett-Packard Co.) C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe
(Synaptics Incorporated) C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
(Hewlett-Packard) C:\Program Files\HP\Digital Imaging\bin\hpqgpc01.exe
(Microsoft Corporation) C:\Windows\System32\wuauclt.exe
(Hewlett-Packard Co.) C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_clipbook.exe
(Adobe Systems Incorporated) C:\Windows\System32\Macromed\Flash\FlashUtil32_19_0_0_185_ActiveX.exe
(Microsoft Corporation) C:\Windows\System32\mobsync.exe
(RealNetworks, Inc.) C:\Program Files\real\realplayer\Update\realsched.exe
(Microsoft Corporation) C:\Windows\System32\conime.exe


==================== Registry (Whitelisted) ===========================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [SynTPEnh] => C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [2299176 2011-10-14] (Synaptics Incorporated)
HKLM\...\Run: [SMSERIAL] => C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe [634880 2007-01-17] (Motorola Inc.)
HKLM\...\Run: [RtHDVCpl] => C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe [7539232 2009-06-09] (Realtek Semiconductor)
HKLM\...\Run: [IAAnotif] => C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe [186904 2008-12-04] (Intel Corporation)
HKLM\...\Run: [QPService] => C:\Program Files\HP\QuickPlay\QPService.exe [468264 2007-12-19] (CyberLink Corp.)
HKLM\...\Run: [QlbCtrl] => C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe [202032 2007-09-19] ( Hewlett-Packard Development Company, L.P.)
HKLM\...\Run: [OnScreenDisplay] => C:\Program Files\Hewlett-Packard\HP QuickTouch\HPKBDAPP.exe [554320 2007-09-04] ( Hewlett-Packard Development Company, L.P.)
HKLM\...\Run: [UCam_Menu] => C:\Program Files\CyberLink\YouCam\MUITransfer\MUIStartMenu.exe [218408 2007-08-17] (CyberLink Corp.)
HKLM\...\Run: [Windows Defender] => C:\Program Files\Windows Defender\MSASCui.exe [1008184 2008-01-20] (Microsoft Corporation)
HKLM\...\Run: [HP Health Check Scheduler] => c:\Program Files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe [75008 2008-06-16] (Hewlett-Packard)
HKLM\...\Run: [hpWirelessAssistant] => C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe [480560 2007-09-13] (Hewlett-Packard Development Company, L.P.)
HKLM\...\Run: [WAWifiMessage] => C:\Program Files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe [311296 2007-01-08] (Hewlett-Packard Development Company, L.P.)
HKLM\...\Run: [hpqSRMon] => [X]
HKLM\...\Run: [QuickTime Task] => C:\Program Files\QuickTime\QTTask.exe [421888 2010-11-29] (Apple Inc.)
HKLM\...\Run: [DivXUpdate] => C:\Program Files\DivX\DivX Update\DivXUpdate.exe [1230704 2011-03-21] ()
HKLM\...\Run: [Adobe Reader Speed Launcher] => C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe [40368 2011-08-30] (Adobe Systems Incorporated)
HKLM\...\Run: [Adobe ARM] => C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe [937920 2011-03-29] (Adobe Systems Incorporated)
HKLM\...\Run: [SunJavaUpdateSched] => C:\Program Files\Common Files\Java\Java Update\jusched.exe [254696 2012-01-18] (Sun Microsystems, Inc.)
HKLM\...\Run: [TkBellExe] => C:\Program Files\real\realplayer\update\realsched.exe [296056 2012-05-27] (RealNetworks, Inc.)
HKLM\...\Run: [PAC207_Monitor] => C:\Windows\PixArt\PAC207\Monitor.exe [323584 2007-12-10] (PixArt Imaging Incorporation)
HKLM\...\Run: [MRT] => C:\Windows\system32\MRT.exe [90547776 2014-05-04] (Microsoft Corporation)
Winlogon\Notify\!SASWinLogon: C:\Program Files\SUPERAntiSpyware\SASWINLO.dll [2009-09-03] (SUPERAntiSpyware.com)
HKLM\...\Policies\Explorer: [NoSetActiveDesktop] 0
HKU\S-1-5-19\...\Policies\Explorer: [NoSetActiveDesktop] 0
HKU\S-1-5-20\...\Policies\Explorer: [NoSetActiveDesktop] 0
HKU\S-1-5-21-1894618690-1601026263-3801400080-1000\...\Run: [LightScribe Control Panel] => C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe [455968 2007-08-23] (Hewlett-Packard Company)
HKU\S-1-5-21-1894618690-1601026263-3801400080-1000\...\Run: [ehTray.exe] => C:\Windows\ehome\ehTray.exe [125952 2008-01-20] (Microsoft Corporation)
HKU\S-1-5-21-1894618690-1601026263-3801400080-1000\...\Run: [SUPERAntiSpyware] => C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe [2403568 2010-07-15] (SUPERAntiSpyware.com)
HKU\S-1-5-21-1894618690-1601026263-3801400080-1000\...\RunOnce: [FlashPlayerUpdate] => C:\Windows\system32\Macromed\Flash\FlashUtil32_19_0_0_185_ActiveX.exe [1156296 2015-09-22] (Adobe Systems Incorporated)
HKU\S-1-5-21-1894618690-1601026263-3801400080-1000\...\Policies\Explorer: [NoSetActiveDesktop] 0
HKU\S-1-5-21-1894618690-1601026263-3801400080-1000\...\MountPoints2: {9b11ce3a-2006-11df-8fff-001e68848d38} - I:\HPLauncher.exe
HKU\S-1-5-21-1894618690-1601026263-3801400080-1000\Control Panel\Desktop\\SCRNSAVE.EXE -> C:\Windows\system32\scrnsave.scr [10240 2006-11-02] (Microsoft Corporation)
ShellExecuteHooks: SABShellExecuteHook Class - {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [77824 2008-05-13] (SuperAdBlocker.com)
ShellIconOverlayIdentifiers: [  OverlayExcluded] -> {4433A54A-1AC8-432F-90FC-85F045CF383C} => C:\Program Files\Norton Internet Security\Engine\22.5.4.24\buShell.dll [2015-08-27] (Symantec Corporation)
ShellIconOverlayIdentifiers: [  OverlayPending] -> {F17C0B1E-EF8E-4AD4-8E1B-7D7E8CB23225} => C:\Program Files\Norton Internet Security\Engine\22.5.4.24\buShell.dll [2015-08-27] (Symantec Corporation)
ShellIconOverlayIdentifiers: [  OverlayProtected] -> {476D0EA3-80F9-48B5-B70B-05E677C9C148} => C:\Program Files\Norton Internet Security\Engine\22.5.4.24\buShell.dll [2015-08-27] (Symantec Corporation)
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk [2008-08-20]
ShortcutTarget: Adobe Gamma Loader.lnk -> C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe (Adobe Systems, Inc.)
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk [2009-05-27]
ShortcutTarget: HP Digital Imaging Monitor.lnk -> C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe (Hewlett-Packard Co.)
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\WinZip Quick Pick.lnk [2014-03-26]
ShortcutTarget: WinZip Quick Pick.lnk -> C:\Program Files\WinZip\WZQKPICK32.EXE (WinZip Computing, S.L.)
Startup: C:\Users\Elizabeth\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HP SimpleSave Monitor.lnk [2012-05-07]
ShortcutTarget: HP SimpleSave Monitor.lnk -> C:\Users\Elizabeth\AppData\Roaming\HP SimpleSave Application\StartHelper.exe ()

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

Tcpip\Parameters: [DhcpNameServer] 192.168.1.254
Tcpip\..\Interfaces\{95DDD36D-D2B6-43C0-B685-4D71F186845B}: [DhcpNameServer] 192.168.1.254

Internet Explorer:
==================
HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_ca&c=81&bd=Pavilion&pf=laptop
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_ca&c=81&bd=Pavilion&pf=laptop
HKU\S-1-5-21-1894618690-1601026263-3801400080-1000\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://mail.yahoo.com/
HKU\S-1-5-21-1894618690-1601026263-3801400080-1000\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_ca&c=81&bd=Pavilion&pf=laptop
SearchScopes: HKLM -> DefaultScope value is missing
SearchScopes: HKLM -> {104390CA-E40C-43BF-A771-26DE9E4121CC} URL = hxxp://www.ask.com/web?q={searchTerms}&l=dis&o=cahpd
SearchScopes: HKLM -> {D5BA47E8-9799-47EE-A7B8-F142CFA6B57E} URL = hxxp://ca.search.yahoo.com/search?p={searchTerms}&ei={inputEncoding}&fr=hp-pvdt
SearchScopes: HKU\S-1-5-21-1894618690-1601026263-3801400080-1000 -> DefaultScope {D5BA47E8-9799-47EE-A7B8-F142CFA6B57E} URL = hxxp://ca.search.yahoo.com/search?p={searchTerms}&ei={inputEncoding}&fr=hp-pvdt
SearchScopes: HKU\S-1-5-21-1894618690-1601026263-3801400080-1000 -> {104390CA-E40C-43BF-A771-26DE9E4121CC} URL = hxxp://www.ask.com/web?q={searchTerms}&l=dis&o=cahpd
SearchScopes: HKU\S-1-5-21-1894618690-1601026263-3801400080-1000 -> {D5BA47E8-9799-47EE-A7B8-F142CFA6B57E} URL = hxxp://ca.search.yahoo.com/search?p={searchTerms}&ei={inputEncoding}&fr=hp-pvdt
BHO: HP Print Enhancer -> {0347C33E-8762-4905-BF09-768834316C61} -> C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_printenhancer.dll [2009-10-22] (Hewlett-Packard Co.)
BHO: Adobe PDF Reader Link Helper -> {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} -> C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll [2011-08-30] (Adobe Systems Incorporated)
BHO: RealPlayer Download and Record Plugin for Internet Explorer -> {3049C3E9-B461-4BC5-8870-4C09146192CA} -> C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll [2012-05-27] (RealPlayer)
BHO: No Name -> {5C255C8A-E604-49b4-9D64-90988571CECB} -> No File
BHO: Norton Identity Protection -> {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} -> C:\Program Files\Norton Internet Security\Engine\22.5.4.24\coIEPlg.dll [2015-09-23] (Symantec Corporation)
BHO: Norton Vulnerability Protection -> {6D53EC84-6AAE-4787-AEEE-F4628F01010C} -> C:\Program Files\Norton Internet Security\Engine\21.7.0.11\IPS\IPSBHO.DLL => No File
BHO: Java™ Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files\Java\jre6\bin\ssv.dll [2012-05-19] (Sun Microsystems, Inc.)
BHO: Windows Live Sign-in Helper -> {9030D464-4C02-4ABF-8ECC-5164760863C6} -> C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll [2009-01-22] (Microsoft Corporation)
BHO: Java™ Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files\Java\jre6\bin\jp2ssv.dll [2012-05-19] (Sun Microsystems, Inc.)
BHO: HP Smart BHO Class -> {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} -> C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll [2009-10-22] (Hewlett-Packard Co.)
Toolbar: HKLM - Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Norton Internet Security\Engine\22.5.4.24\coIEPlg.dll [2015-09-23] (Symantec Corporation)
Toolbar: HKU\S-1-5-21-1894618690-1601026263-3801400080-1000 -> Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Norton Internet Security\Engine\22.5.4.24\coIEPlg.dll [2015-09-23] (Symantec Corporation)
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} hxxp://appldnld.apple.com.edgesuite.net/content.info.apple.com/QuickTime/qtactivex/qtplugin.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_32-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0032-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_32-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_32-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} hxxp://zone.msn.com/bingame/popcaploader_v10.cab
Handler: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\Windows Live\Messenger\msgrapp.14.0.8089.0726.dll [2009-07-26] (Microsoft Corporation)
Handler: ms-itss - {0A9007C0-4076-11D3-8789-0000F8105754} - C:\Program Files\Common Files\Microsoft Shared\Information Retrieval\msitss.dll [2007-06-08] (Microsoft Corporation)
Handler: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\Windows Live\Messenger\msgrapp.14.0.8089.0726.dll [2009-07-26] (Microsoft Corporation)

FireFox:
========
FF ProfilePath: C:\Users\Elizabeth\AppData\Roaming\Mozilla\Firefox\Profiles\d2zc8g5w.default
FF Homepage: hxxp://mail.yahoo.com/
FF Session Restore: -> is enabled.
FF Plugin: @adobe.com/FlashPlayer -> C:\Windows\system32\Macromed\Flash\NPSWF32_11_9_900_152.dll [2013-11-14] ()
FF Plugin: @adobe.com/ShockwavePlayer -> C:\Windows\system32\Adobe\Director\np32dsw.dll [2008-11-24] (Adobe Systems, Inc.)
FF Plugin: @divx.com/DivX Browser Plugin,version=1.0.0 -> C:\Program Files\DivX\DivX Plus Web Player\npdivx32.dll [2010-04-22] (DivX,Inc.)
FF Plugin: @divx.com/DivX Player Plugin,version=1.0.0 -> C:\Program Files\DivX\DivX Player\npDivxPlayerPlugin.dll [No File]
FF Plugin: @divx.com/DivX VOD Helper,version=1.0.0 -> C:\Program Files\DivX\DivX OVS Helper\npovshelper.dll [2011-05-06] (DivX, LLC.)
FF Plugin: @java.com/DTPlugin,version=1.6.0_32 -> C:\Windows\system32\npdeployJava1.dll [2012-05-19] (Sun Microsystems, Inc.)
FF Plugin: @java.com/JavaPlugin -> C:\Program Files\Java\jre6\bin\plugin2\npjp2.dll [2012-05-19] (Sun Microsystems, Inc.)
FF Plugin: @microsoft.com/WPF,version=3.5 -> c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll [2008-07-29] (Microsoft Corporation)
FF Plugin: @real.com/nppl3260;version=15.0.4.53 -> c:\program files\real\realplayer\Netscape6\nppl3260.dll [2012-05-27] (RealNetworks, Inc.)
FF Plugin: @real.com/nprjplug;version=15.0.4.53 -> c:\program files\real\realplayer\Netscape6\nprjplug.dll [2012-05-27] (RealNetworks, Inc.)
FF Plugin: @real.com/nprpchromebrowserrecordext;version=15.0.4.53 -> C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprpchromebrowserrecordext.dll [2012-05-27] (RealNetworks, Inc.)
FF Plugin: @real.com/nprphtml5videoshim;version=15.0.4.53 -> C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprphtml5videoshim.dll [2012-05-27] (RealNetworks, Inc.)
FF Plugin: @real.com/nprpplugin;version=15.0.4.53 -> c:\program files\real\realplayer\Netscape6\nprpplugin.dll [2012-05-27] (RealPlayer)
FF Plugin: @WildTangent.com/GamesAppPresenceDetector,Version=1.0 -> C:\Program Files\WildTangent Games\App\BrowserIntegration\Registered\0\NP_wtapp.dll [2011-09-28] ()
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\nppdf32.dll [2011-08-30] (Adobe Systems Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\nppl3260.dll [2012-05-27] (RealNetworks, Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\npqtplugin.dll [2011-04-11] (Apple Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\npqtplugin2.dll [2011-04-11] (Apple Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\npqtplugin3.dll [2011-04-11] (Apple Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\npqtplugin4.dll [2011-04-11] (Apple Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\npqtplugin5.dll [2011-04-11] (Apple Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\npqtplugin6.dll [2011-04-11] (Apple Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\npqtplugin7.dll [2011-04-11] (Apple Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\nprjplug.dll [2012-05-27] (RealNetworks, Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\nprpplugin.dll [2012-05-27] (RealPlayer)
FF Extension: Microsoft .NET Framework Assistant - C:\Users\Elizabeth\AppData\Roaming\Mozilla\Firefox\Profiles\d2zc8g5w.default\Extensions\{20a82645-c095-46ed-80e3-08825760534b}.xpi [2012-03-29] [not signed]
FF HKLM\...\Firefox\Extensions: [{20a82645-c095-46ed-80e3-08825760534b}] - c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF Extension: Microsoft .NET Framework Assistant - c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension [2009-09-03] [not signed]
FF HKLM\...\Firefox\Extensions: [smartwebprinting@hp.com] - C:\Program Files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3
FF Extension: HP Smart Web Printing - C:\Program Files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3 [2010-03-20] [not signed]
FF HKLM\...\Firefox\Extensions: [{ABDE892B-13A8-4d1b-88E6-365A6E755758}] - C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext
FF Extension: RealPlayer Browser Record Plugin - C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext [2012-05-27] [not signed]
FF HKLM\...\Firefox\Extensions: [{97E22097-9A2F-45b1-8DAF-36AD648C7EF4}] - C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext
FF HKLM\...\Firefox\Extensions: [{EBA722F5-038F-4CAF-9EE2-545A221628BC}] - C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_22.5.2.15\coFFPlgn
FF Extension: Norton Toolbar - C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_22.5.2.15\coFFPlgn [2015-10-25]
FF HKU\S-1-5-21-1894618690-1601026263-3801400080-1000\...\Firefox\Extensions: [smartwebprinting@hp.com] - C:\Program Files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3

Chrome:
=======
CHR HKLM\...\Chrome\Extension: [cjabmdjcfcfdmffimndhafhblfmpjdpe] - C:\Program Files\Norton Internet Security\Engine\22.5.4.24\Exts\Chrome.crx [2015-09-23]
CHR HKLM\...\Chrome\Extension: [iikflkcanblccfahdhdonehdalibjnif] - hxxps://clients2.google.com/service/update2/crx
CHR HKLM\...\Chrome\Extension: [jfmjfhklogoienhpfnppmbcbjfjnkonk] - C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\Chrome\Ext\rphtml5video.crx [2012-05-27]

==================== Services (Whitelisted) ========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R2 BackupService; C:\Users\Elizabeth\AppData\Roaming\HP SimpleSave Application\uUACTokenSvc.exe [83512 2010-07-01] (ArcSoft, Inc.)
S3 Com4Qlb; C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\Com4Qlb.exe [110592 2007-03-05] (Hewlett-Packard Development Company, L.P.) [File not signed]
R2 HP Health Check Service; c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe [94208 2008-06-16] (Hewlett-Packard) [File not signed]
R3 hpqcxs08; C:\Program Files\HP\Digital Imaging\bin\hpqcxs08.dll [248832 2009-05-21] (Hewlett-Packard Co.) [File not signed]
R2 hpqddsvc; C:\Program Files\HP\Digital Imaging\bin\hpqddsvc.dll [135168 2008-03-25] (Hewlett-Packard Co.) [File not signed]
R2 hpqwmiex; C:\Program Files\Hewlett-Packard\Shared\hpqWmiEx.exe [135168 2006-05-02] (Hewlett-Packard Development Company, L.P.) [File not signed]
S3 IDriverT; C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe [69632 2005-04-04] (Macrovision Corporation) [File not signed]
S2 Net Driver HPZ12; C:\Windows\system32\HPZinw12.dll [44032 2010-08-06] (Hewlett-Packard) [File not signed]
R2 NIS; C:\Program Files\Norton Internet Security\Engine\22.5.4.24\NIS.exe [282016 2015-09-24] (Symantec Corporation)
S2 Pml Driver HPZ12; C:\Windows\system32\HPZipm12.dll [53760 2010-08-06] (Hewlett-Packard) [File not signed]
R2 QPCapSvc; C:\Program Files\HP\QuickPlay\Kernel\TV\QPCapSvc.exe [271760 2007-12-19] ()
S2 QPSched; C:\Program Files\HP\QuickPlay\Kernel\TV\QPSched.exe [112016 2007-12-19] ()
R2 RichVideo; C:\Program Files\CyberLink\Shared Files\RichVideo.exe [272024 2007-01-09] ()
S2 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [272952 2008-01-20] (Microsoft Corporation)

===================== Drivers (Whitelisted) ==========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R1 BHDrvx86; C:\Program Files\Norton Internet Security\NortonData\22.5.2.15\Definitions\BASHDefs\20151102.001\BHDrvx86.sys [1193032 2015-10-08] (Symantec Corporation)
R1 ccSet_NIS; C:\Windows\system32\drivers\NIS\1605040.018\ccSetx86.sys [137456 2015-07-10] (Symantec Corporation)
R1 eeCtrl; C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys [389456 2015-08-20] (Symantec Corporation)
S3 efipsk; C:\Users\Elizabeth\AppData\Local\Temp\efipsk.sys [15872 2011-03-16] () [File not signed]
R3 EraserUtilRebootDrv; C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [122192 2015-10-15] (Symantec Corporation)
R3 HpqRemHid; C:\Windows\System32\DRIVERS\HpqRemHid.sys [7168 2007-07-11] (Hewlett-Packard Development Company, L.P.)
R1 IDSVix86; C:\Program Files\Norton Internet Security\NortonData\22.5.2.15\Definitions\IPSDefs\20151030.001\IDSvix86.sys [580344 2015-10-20] (Symantec Corporation)
S3 libusb0; C:\Windows\System32\drivers\libusb0.sys [21504 2011-11-23] (http://libusb-win32.sourceforge.net)
R0 MountMgr; C:\Windows\System32\drivers\mountmgr.sys [57400 2008-01-20] () [File not signed]
R3 NAVENG; C:\Program Files\Norton Internet Security\NortonData\22.5.2.15\Definitions\VirusDefs\20151103.001\NAVENG.SYS [104440 2015-10-27] (Symantec Corporation)
R3 NAVEX15; C:\Program Files\Norton Internet Security\NortonData\22.5.2.15\Definitions\VirusDefs\20151103.001\NAVEX15.SYS [1647216 2015-10-27] (Symantec Corporation)
S3 PAC207; C:\Windows\System32\DRIVERS\PFC027.SYS [618112 2008-02-13] (PixArt Imaging Inc.)
R1 SASDIFSV; C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS [12872 2010-02-17] (SUPERAdBlocker.com and SUPERAntiSpyware.com)
S3 SASENUM; C:\Program Files\SUPERAntiSpyware\SASENUM.SYS [12872 2010-02-17] ( SUPERAdBlocker.com and SUPERAntiSpyware.com)
R1 SASKUTIL; C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS [67656 2010-07-15] (SUPERAdBlocker.com and SUPERAntiSpyware.com)
R3 SRTSP; C:\Windows\System32\Drivers\NIS\1605040.018\SRTSP.SYS [713960 2015-09-23] (Symantec Corporation)
R1 SRTSPX; C:\Windows\system32\drivers\NIS\1605040.018\SRTSPX.SYS [44792 2015-07-10] (Symantec Corporation)
R0 SymEFASI; C:\Windows\System32\drivers\NIS\1605040.018\SYMEFASI.SYS [1286896 2015-07-10] (Symantec Corporation)
R3 SymEvent; C:\Windows\system32\Drivers\SYMEVENT.SYS [103152 2015-09-19] (Symantec Corporation)
R1 SymIRON; C:\Windows\system32\drivers\NIS\1605040.018\Ironx86.SYS [234744 2015-07-10] (Symantec Corporation)
R1 SYMTDIv; C:\Windows\System32\Drivers\NIS\1605040.018\SYMTDIV.SYS [358104 2015-09-23] (Symantec Corporation)
U1 eabfiltr; no ImagePath
S3 IpInIp; system32\DRIVERS\ipinip.sys [X]
S3 NwlnkFlt; system32\DRIVERS\nwlnkflt.sys [X]
S3 NwlnkFwd; system32\DRIVERS\nwlnkfwd.sys [X]
S3 SymIMMP; system32\DRIVERS\SymIM.sys [X]

==================== NetSvcs (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)


==================== One Month Created files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2015-11-03 16:19 - 2015-11-03 16:20 - 00026291 _____ C:\Users\Elizabeth\Downloads\FRST.txt
2015-11-03 16:17 - 2015-11-03 16:19 - 00000000 ____D C:\FRST
2015-11-03 16:16 - 2015-11-03 16:16 - 01701888 _____ (Farbar) C:\Users\Elizabeth\Downloads\frst.exe
2015-10-14 17:15 - 2015-10-22 16:02 - 00000000 ___RD C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Norton Internet Security
2015-10-14 16:59 - 2015-10-15 16:11 - 00000000 ____D C:\NPE
2015-10-14 16:52 - 2015-10-14 16:52 - 03088296 _____ (Symantec Corporation) C:\Users\Elizabeth\Downloads\NPE(1).exe

==================== One Month Modified files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2015-11-03 16:14 - 2006-11-02 07:47 - 00003216 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
2015-11-03 16:14 - 2006-11-02 07:47 - 00003216 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
2015-11-03 15:07 - 2008-06-14 01:14 - 01226321 _____ C:\Windows\WindowsUpdate.log
2015-11-02 22:31 - 2008-08-20 17:31 - 00240640 _____ C:\Users\Elizabeth\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
2015-10-26 20:39 - 2009-02-18 20:25 - 00000000 ____D C:\Users\Elizabeth\AppData\Roaming\Skype
2015-10-26 20:39 - 2006-11-02 05:33 - 01495948 _____ C:\Windows\system32\PerfStringBackup.INI
2015-10-25 14:32 - 2009-02-18 20:32 - 00000000 ____D C:\Users\Elizabeth\Desktop\Documents\Youcam
2015-10-25 13:47 - 2008-12-17 23:28 - 00005972 _____ C:\Users\Elizabeth\AppData\Local\d3d9caps.dat
2015-10-25 13:43 - 2008-01-20 21:47 - 00524534 _____ C:\Windows\PFRO.log
2015-10-25 13:43 - 2006-11-02 08:01 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2015-10-22 17:28 - 2014-03-03 19:03 - 00000000 ____D C:\Users\Elizabeth\AppData\Local\NPE
2015-10-22 16:04 - 2009-10-02 06:14 - 00000000 ____D C:\Windows\system32\Drivers\NIS
2015-10-22 16:02 - 2009-10-02 06:14 - 00002131 _____ C:\Users\Public\Desktop\Norton Internet Security.LNK
2015-10-20 15:35 - 2009-11-03 16:13 - 00000052 _____ C:\Windows\system32\DOErrors.log
2015-10-15 16:07 - 2006-11-02 08:01 - 00032566 _____ C:\Windows\Tasks\SCHEDLGU.TXT
2015-10-14 17:22 - 2008-02-25 16:20 - 00000000 ____D C:\Program Files\Common Files\Symantec Shared
2015-10-14 01:25 - 2008-10-14 17:35 - 00000000 ____D C:\ProgramData\Norton
2015-10-08 00:00 - 2009-10-02 22:19 - 00000000 ____D C:\Users\Elizabeth\AppData\Local\CrashDumps

==================== Files in the root of some directories =======

2012-12-26 15:56 - 2003-04-16 18:19 - 0375808 _____ () C:\Program Files\binkw32.dll
2012-12-26 15:56 - 2003-11-06 23:10 - 0569239 _____ () C:\Program Files\chitin.key
2012-12-26 15:56 - 2003-11-06 23:19 - 5384104 _____ () C:\Program Files\dialog.tlk
2012-12-26 15:56 - 2003-11-04 17:52 - 0476672 _____ (BioWare Corp.) C:\Program Files\launcher.exe
2012-12-26 15:56 - 2003-03-17 16:15 - 0370688 _____ () C:\Program Files\Mss32.dll
2012-12-26 15:56 - 2002-02-27 17:50 - 0197120 _____ () C:\Program Files\Patchw32.dll
2012-12-26 15:56 - 2003-11-05 16:11 - 0871936 _____ () C:\Program Files\swconfig.exe
2012-12-26 16:26 - 2012-12-26 16:26 - 0002626 _____ () C:\Program Files\swinfo.txt
2012-12-26 15:56 - 2003-11-06 23:37 - 5513216 _____ (BioWare Corp.) C:\Program Files\swkotor.exe
2012-12-26 15:56 - 2012-12-26 16:49 - 0002581 _____ () C:\Program Files\swkotor.ini
2012-12-26 15:56 - 2003-11-04 18:04 - 1597440 _____ (BioWare Corp.) C:\Program Files\swupdate.exe
2015-01-07 16:53 - 2015-01-07 16:53 - 0023244 _____ () C:\Users\Elizabeth\AppData\Roaming\UserTile.png
2008-08-20 18:43 - 2014-02-14 21:41 - 0013104 _____ () C:\Users\Elizabeth\AppData\Roaming\wklnhst.dat
2010-04-23 17:04 - 2010-04-23 17:06 - 0008926 ___SH () C:\Users\Elizabeth\AppData\Local\0D2HvP
2008-08-20 16:20 - 2008-08-20 16:20 - 0000000 _____ () C:\Users\Elizabeth\AppData\Local\AtStart.txt
2008-12-17 23:28 - 2015-10-25 13:47 - 0005972 _____ () C:\Users\Elizabeth\AppData\Local\d3d9caps.dat
2008-08-20 17:31 - 2015-11-02 22:31 - 0240640 _____ () C:\Users\Elizabeth\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
2008-08-20 16:20 - 2008-08-20 16:20 - 0000000 _____ () C:\Users\Elizabeth\AppData\Local\DSwitch.txt
2010-04-24 18:38 - 2010-04-24 18:42 - 0007654 ___SH () C:\Users\Elizabeth\AppData\Local\f1pKdvbneJkm
2008-08-20 16:20 - 2008-08-20 16:20 - 0000000 _____ () C:\Users\Elizabeth\AppData\Local\QSwitch.txt
2010-04-23 17:04 - 2010-04-23 17:06 - 0008926 ___SH () C:\ProgramData\0D2HvP
2013-11-13 18:49 - 2013-11-13 18:49 - 0000057 _____ () C:\ProgramData\Ament.ini
2010-04-24 18:38 - 2010-04-24 18:42 - 0007654 ___SH () C:\ProgramData\f1pKdvbneJkm
2008-08-20 15:59 - 2010-03-20 14:44 - 0003180 _____ () C:\ProgramData\hpzinstall.log

Some files in TEMP:
====================
C:\Users\Elizabeth\AppData\Local\Temp\AdobeUpdater12345.exe
C:\Users\Elizabeth\AppData\Local\Temp\CmdLineExt03.dll
C:\Users\Elizabeth\AppData\Local\Temp\DivXSetup.exe
C:\Users\Elizabeth\AppData\Local\Temp\enamxcowsr.exe
C:\Users\Elizabeth\AppData\Local\Temp\hpsimplesave_1.0.2.0_1.0.2.15_all.exe
C:\Users\Elizabeth\AppData\Local\Temp\hpsimplesave_1.0.2.0_1.0.2.38_all.exe
C:\Users\Elizabeth\AppData\Local\Temp\jre-6u32-windows-i586-iftw.exe
C:\Users\Elizabeth\AppData\Local\Temp\jre-7u55-windows-i586-iftw.exe
C:\Users\Elizabeth\AppData\Local\Temp\JREInstall160_11.exe
C:\Users\Elizabeth\AppData\Local\Temp\KoboSetup.exe
C:\Users\Elizabeth\AppData\Local\Temp\lowproc.exe
C:\Users\Elizabeth\AppData\Local\Temp\nxcmsweroa.exe
C:\Users\Elizabeth\AppData\Local\Temp\Quarantine.exe
C:\Users\Elizabeth\AppData\Local\Temp\rnsetup0.exe
C:\Users\Elizabeth\AppData\Local\Temp\SCC.dll
C:\Users\Elizabeth\AppData\Local\Temp\SetupA2.exe
C:\Users\Elizabeth\AppData\Local\Temp\SetupAC.exe
C:\Users\Elizabeth\AppData\Local\Temp\SIntf16.dll
C:\Users\Elizabeth\AppData\Local\Temp\SIntf32.dll
C:\Users\Elizabeth\AppData\Local\Temp\SIntfNT.dll
C:\Users\Elizabeth\AppData\Local\Temp\SkypeSetup.exe
C:\Users\Elizabeth\AppData\Local\Temp\SP38900.exe
C:\Users\Elizabeth\AppData\Local\Temp\SP43871.exe
C:\Users\Elizabeth\AppData\Local\Temp\SSUPDATE.EXE
C:\Users\Elizabeth\AppData\Local\Temp\stubhelper.dll
C:\Users\Elizabeth\AppData\Local\Temp\wacnoresmx.exe


==================== Bamital & volsnap =================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\explorer.exe => File is digitally signed
C:\Windows\system32\winlogon.exe => File is digitally signed
C:\Windows\system32\wininit.exe => File is digitally signed
C:\Windows\system32\svchost.exe => File is digitally signed
C:\Windows\system32\services.exe => File is digitally signed
C:\Windows\system32\User32.dll => File is digitally signed
C:\Windows\system32\userinit.exe => File is digitally signed
C:\Windows\system32\rpcss.dll => File is digitally signed
C:\Windows\system32\dnsapi.dll => File is digitally signed
C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed


LastRegBack: 2015-10-25 13:52

==================== End of FRST.txt ============================

Attached File: Addition.txt (40.39 KB)



#2 nasdaq

nasdaq

  • Malware Response Team
  • 39,202 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:10:11 AM

Posted 06 November 2015 - 11:57 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

Windows Firewall is disabled.
If your Norton product has a Firewall this is normal. If not, enable it.


Press the Windows key + R on your keyboard at the same time. This will open the RUN BOX.
Type Notepad and click OK.
Please copy the entire contents of the code box below to a new file.

start

CreateRestorePoint:
EmptyTemp:
CloseProcesses:

HKLM\...\Run: [hpqSRMon] => [X]
SearchScopes: HKLM -> DefaultScope value is missing
SearchScopes: HKLM -> {104390CA-E40C-43BF-A771-26DE9E4121CC} URL = hxxp://www.ask.com/web?q={searchTerms}&l=dis&o=cahpd
SearchScopes: HKU\S-1-5-21-1894618690-1601026263-3801400080-1000 -> {104390CA-E40C-43BF-A771-26DE9E4121CC} URL = hxxp://www.ask.com/web?q={searchTerms}&l=dis&o=cahpd
BHO: No Name -> {5C255C8A-E604-49b4-9D64-90988571CECB} -> No File
BHO: Norton Vulnerability Protection -> {6D53EC84-6AAE-4787-AEEE-F4628F01010C} -> C:\Program Files\Norton Internet Security\Engine\21.7.0.11\IPS\IPSBHO.DLL => No File
FF Plugin: @divx.com/DivX Player Plugin,version=1.0.0 -> C:\Program Files\DivX\DivX Player\npDivxPlayerPlugin.dll [No File]
U1 eabfiltr; no ImagePath
S3 IpInIp; system32\DRIVERS\ipinip.sys [X]
S3 NwlnkFlt; system32\DRIVERS\nwlnkflt.sys [X]
S3 NwlnkFwd; system32\DRIVERS\nwlnkfwd.sys [X]
S3 SymIMMP; system32\DRIVERS\SymIM.sys [X]
CustomCLSID: HKU\S-1-5-21-1894618690-1601026263-3801400080-1000_Classes\CLSID\{039B2CA5-3B41-4D93-AD77-47D3293FC5CB}\InprocServer32 -> C:\Program Files\Skype\Plugin Manager\ezPMUtils.dll => No File
CustomCLSID: HKU\S-1-5-21-1894618690-1601026263-3801400080-1000_Classes\CLSID\{42481700-CF3C-4D05-8EC6-F9A1C57E8DC0}\InprocServer32 -> C:\Program Files\Skype\Plugin Manager\ezPMUtils.dll => No File
CustomCLSID: HKU\S-1-5-21-1894618690-1601026263-3801400080-1000_Classes\CLSID\{BB6410D8-F879-4184-9C5C-6A02D16AE0B3}\InprocServer32 -> C:\Program Files\Skype\Plugin Manager\ezPMUtils.dll => No File
CustomCLSID: HKU\S-1-5-21-1894618690-1601026263-3801400080-1000_Classes\CLSID\{CA1073A2-5F3F-4445-8E5E-7109BDCEDDBE}\InprocServer32 -> C:\Program Files\Skype\Plugin Manager\ezPMUtils.dll => No File
CustomCLSID: HKU\S-1-5-21-1894618690-1601026263-3801400080-1000_Classes\CLSID\{D0D38C6E-BF64-4C42-840D-3E0019D9F7A6}\InprocServer32 -> C:\Program Files\Skype\Plugin Manager\ezPMUtils.dll => No File
CustomCLSID: HKU\S-1-5-21-1894618690-1601026263-3801400080-1000_Classes\CLSID\{D5A55D2D-C59D-42C3-A5BF-4C08EEE74339}\InprocServer32 -> C:\Program Files\Skype\Plugin Manager\ezPMUtils.dll => No File
AlternateDataStreams: C:\ProgramData\TEMP:162E02F7

End
Save the file as fixlist.txt in the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the Farbar log you have submitted.

Run FRST and click Fix only once and wait.

Restart the computer normally to reset the registry.

The tool will create a log (Fixlog.txt) please post it to your reply.
===

How is the computer running now?

#3 EmlynII

EmlynII
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:09:11 AM

Posted 07 November 2015 - 04:43 PM

I ran Norton Antivirus again and it still says that the mountmgr.sys files are infected and that removal failed. Here is the Fixlog:

 

Fix result of Farbar Recovery Scan Tool (x86) Version:07-11-2015
Ran by Elizabeth (2015-11-07 11:22:30) Run:1
Running from C:\Users\Elizabeth\Downloads
Loaded Profiles: Elizabeth (Available Profiles: Elizabeth)
Boot Mode: Normal

==============================================

fixlist content:
*****************
start

CreateRestorePoint:
EmptyTemp:
CloseProcesses:

HKLM\...\Run: [hpqSRMon] => [X]
SearchScopes: HKLM -> DefaultScope value is missing
SearchScopes: HKLM -> {104390CA-E40C-43BF-A771-26DE9E4121CC} URL = hxxp://www.ask.com/web?q={searchTerms}&l=dis&o=cahpd
SearchScopes: HKU\S-1-5-21-1894618690-1601026263-3801400080-1000 -> {104390CA-E40C-43BF-A771-26DE9E4121CC} URL = hxxp://www.ask.com/web?q={searchTerms}&l=dis&o=cahpd
BHO: No Name -> {5C255C8A-E604-49b4-9D64-90988571CECB} -> No File
BHO: Norton Vulnerability Protection -> {6D53EC84-6AAE-4787-AEEE-F4628F01010C} -> C:\Program Files\Norton Internet Security\Engine\21.7.0.11\IPS\IPSBHO.DLL => No File
FF Plugin: @divx.com/DivX Player Plugin,version=1.0.0 -> C:\Program Files\DivX\DivX Player\npDivxPlayerPlugin.dll [No File]
U1 eabfiltr; no ImagePath
S3 IpInIp; system32\DRIVERS\ipinip.sys [X]
S3 NwlnkFlt; system32\DRIVERS\nwlnkflt.sys [X]
S3 NwlnkFwd; system32\DRIVERS\nwlnkfwd.sys [X]
S3 SymIMMP; system32\DRIVERS\SymIM.sys [X]
CustomCLSID: HKU\S-1-5-21-1894618690-1601026263-3801400080-1000_Classes\CLSID\{039B2CA5-3B41-4D93-AD77-47D3293FC5CB}\InprocServer32 -> C:\Program Files\Skype\Plugin Manager\ezPMUtils.dll => No File
CustomCLSID: HKU\S-1-5-21-1894618690-1601026263-3801400080-1000_Classes\CLSID\{42481700-CF3C-4D05-8EC6-F9A1C57E8DC0}\InprocServer32 -> C:\Program Files\Skype\Plugin Manager\ezPMUtils.dll => No File
CustomCLSID: HKU\S-1-5-21-1894618690-1601026263-3801400080-1000_Classes\CLSID\{BB6410D8-F879-4184-9C5C-6A02D16AE0B3}\InprocServer32 -> C:\Program Files\Skype\Plugin Manager\ezPMUtils.dll => No File
CustomCLSID: HKU\S-1-5-21-1894618690-1601026263-3801400080-1000_Classes\CLSID\{CA1073A2-5F3F-4445-8E5E-7109BDCEDDBE}\InprocServer32 -> C:\Program Files\Skype\Plugin Manager\ezPMUtils.dll => No File
CustomCLSID: HKU\S-1-5-21-1894618690-1601026263-3801400080-1000_Classes\CLSID\{D0D38C6E-BF64-4C42-840D-3E0019D9F7A6}\InprocServer32 -> C:\Program Files\Skype\Plugin Manager\ezPMUtils.dll => No File
CustomCLSID: HKU\S-1-5-21-1894618690-1601026263-3801400080-1000_Classes\CLSID\{D5A55D2D-C59D-42C3-A5BF-4C08EEE74339}\InprocServer32 -> C:\Program Files\Skype\Plugin Manager\ezPMUtils.dll => No File
AlternateDataStreams: C:\ProgramData\TEMP:162E02F7

End
*****************

Restore point was successfully created.
Processes closed successfully.
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\\hpqSRMon => value removed successfully.
HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => value restored successfully
"HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{104390CA-E40C-43BF-A771-26DE9E4121CC}" => key removed successfully.
HKCR\CLSID\{104390CA-E40C-43BF-A771-26DE9E4121CC} => key not found.
"HKU\S-1-5-21-1894618690-1601026263-3801400080-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{104390CA-E40C-43BF-A771-26DE9E4121CC}" => key removed successfully.
HKCR\CLSID\{104390CA-E40C-43BF-A771-26DE9E4121CC} => key not found.
"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5C255C8A-E604-49b4-9D64-90988571CECB}" => key removed successfully.
HKCR\CLSID\{5C255C8A-E604-49b4-9D64-90988571CECB} => key not found.
"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6D53EC84-6AAE-4787-AEEE-F4628F01010C}" => key removed successfully.
"HKCR\CLSID\{6D53EC84-6AAE-4787-AEEE-F4628F01010C}" => key removed successfully.
"HKLM\Software\MozillaPlugins\@divx.com/DivX Player Plugin,version=1.0.0" => key removed successfully.
eabfiltr => service removed successfully.
IpInIp => service removed successfully.
NwlnkFlt => service removed successfully.
NwlnkFwd => service removed successfully.
SymIMMP => service removed successfully.
"HKU\S-1-5-21-1894618690-1601026263-3801400080-1000_Classes\CLSID\{039B2CA5-3B41-4D93-AD77-47D3293FC5CB}" => key removed successfully.
"HKU\S-1-5-21-1894618690-1601026263-3801400080-1000_Classes\CLSID\{42481700-CF3C-4D05-8EC6-F9A1C57E8DC0}" => key removed successfully.
"HKU\S-1-5-21-1894618690-1601026263-3801400080-1000_Classes\CLSID\{BB6410D8-F879-4184-9C5C-6A02D16AE0B3}" => key removed successfully.
"HKU\S-1-5-21-1894618690-1601026263-3801400080-1000_Classes\CLSID\{CA1073A2-5F3F-4445-8E5E-7109BDCEDDBE}" => key removed successfully.
"HKU\S-1-5-21-1894618690-1601026263-3801400080-1000_Classes\CLSID\{D0D38C6E-BF64-4C42-840D-3E0019D9F7A6}" => key removed successfully.
"HKU\S-1-5-21-1894618690-1601026263-3801400080-1000_Classes\CLSID\{D5A55D2D-C59D-42C3-A5BF-4C08EEE74339}" => key removed successfully.
C:\ProgramData\TEMP => ":162E02F7" ADS removed successfully..
EmptyTemp: => 2.2 GB temporary data Removed.

The system needed a reboot.

==== End of Fixlog 11:26:15 ====



#4 nasdaq

nasdaq

  • Malware Response Team
  • 39,202 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:10:11 AM

Posted 08 November 2015 - 09:25 AM

The file date is old. This may be a false positive.
Check it at VirusTotal.

Go to this page
https://www.virustotal.com/

and submit the file below for inspection.

C:\Windows\System32\drivers\mountmgr.sys

Please post the results

#5 EmlynII

EmlynII
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:09:11 AM

Posted 10 November 2015 - 10:12 AM

Hi, I've tried multiple times and in multiple web browsers to scan the mountmgr.sys files. Every time I do, it says that I am not the owner and I don't have permission to open the file, even though I am not trying to open it but upload it; apparently it doesn't see the difference. I have changed the ownership of the file, and the folder it was in, in case that was the hold-up, but still, it won't let me scan them.



#6 nasdaq

nasdaq

  • Malware Response Team
  • 39,202 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:10:11 AM

Posted 10 November 2015 - 10:31 AM


Lets check if you have other copies on the computer.

Please run the Farbar Recovery Scan Tool. Enter mountmgr.sys in the Search Box and hit the File Search button.
Post the content of the Search.txt in your next reply.


#7 EmlynII

EmlynII
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:09:11 AM

Posted 12 November 2015 - 04:50 PM

Here are the results of the Search.txt

 

Farbar Recovery Scan Tool (x86) Version:07-11-2015
Ran by Elizabeth (2015-11-12 16:42:03)
Running from C:\Users\Elizabeth\Downloads
Boot Mode: Normal

================== Search Files: "mountmgr.sys" =============

C:\Windows\winsxs\x86_microsoft-windows-mountpointmanager_31bf3856ad364e35_6.0.6001.18000_none_f29824c60705c394\mountmgr.sys
[2008-01-20 21:23][2008-01-20 21:23] 0057400 ____A () D41D8CD98F00B204E9800998ECF8427E [File not signed]

C:\Windows\System32\drivers\mountmgr.sys
[2008-01-20 21:23][2015-11-12 16:31] 0057400 ____A () 46BC531DCEC08F4C405FB4593ACD0DE1 [File not signed]

====== End of Search ======
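The two Search.txt hits above are what the whole thread turns on: an unsigned live driver whose modification time is eleven minutes before the search ran, and a WinSxS copy whose reported MD5, D41D8CD98F00B204E9800998ECF8427E, is the MD5 of zero bytes and therefore cannot have been computed over a 57,400-byte file (the hash was not taken over the file's contents, so the two copies cannot be compared from this log alone). The following is an added example, not code from this thread or from FRST itself: a small parser for the FRST "Search Files" output format that extracts each hit and flags the conditions a responder would check before deciding whether a driver has been tampered with. The sample input is the two hits copied from the Search.txt above; the regular expression and the flag names are this example's own.

```python
"""Parse FRST 'Search Files' output and flag suspicious copies of a driver.

Added example; not FRST's code. The input format (path line followed by a
[created][modified] size attrs (company) MD5 [signature] line) is taken from
the Search.txt posted in this thread.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# MD5 of zero bytes. If a tool reports this for a file whose size is not 0,
# the hash was not computed over the file's contents (e.g. a read failure).
EMPTY_MD5 = "D41D8CD98F00B204E9800998ECF8427E"

# Sample input: the two hits from the Search.txt above (copied, not invented).
SAMPLE_SEARCH = """\
================== Search Files: "mountmgr.sys" =============

C:\\Windows\\winsxs\\x86_microsoft-windows-mountpointmanager_31bf3856ad364e35_6.0.6001.18000_none_f29824c60705c394\\mountmgr.sys
[2008-01-20 21:23][2008-01-20 21:23] 0057400 ____A () D41D8CD98F00B204E9800998ECF8427E [File not signed]

C:\\Windows\\System32\\drivers\\mountmgr.sys
[2008-01-20 21:23][2015-11-12 16:31] 0057400 ____A () 46BC531DCEC08F4C405FB4593ACD0DE1 [File not signed]

====== End of Search ======
"""

# One detail line: [created][modified] size attrs (company) MD5 [signature]
DETAIL_RE = re.compile(
    r"^\[(?P<created>[\d-]+ [\d:]+)\]\[(?P<modified>[\d-]+ [\d:]+)\] "
    r"(?P<size>\d+) (?P<attrs>\S+) \((?P<company>[^)]*)\) "
    r"(?P<md5>[0-9A-Fa-f]{32}) \[(?P<sig>[^\]]*)\]$"
)


@dataclass
class FileHit:
    path: str
    created: str
    modified: str
    size: int
    company: str
    md5: str
    signed: bool


def parse_search(text: str) -> list[FileHit]:
    """Return one FileHit per (path line, detail line) pair in the search output."""
    hits: list[FileHit] = []
    lines = [ln.rstrip() for ln in text.splitlines()]
    for i, line in enumerate(lines):
        m = DETAIL_RE.match(line)
        if m and i > 0 and lines[i - 1].strip():
            hits.append(FileHit(
                path=lines[i - 1].strip(),
                created=m["created"],
                modified=m["modified"],
                size=int(m["size"]),
                company=m["company"],
                md5=m["md5"].upper(),
                signed=m["sig"].strip().lower() != "file not signed",
            ))
    return hits


def assess(hits: list[FileHit]) -> dict[str, list[str]]:
    """Map each path to the list of reasons it deserves a closer look.

    Copies are grouped by file name so that hashes of the live driver and of
    its WinSxS / backup copies can be compared with each other.
    """
    by_name: dict[str, list[FileHit]] = {}
    for h in hits:
        by_name.setdefault(h.path.rsplit("\\", 1)[-1].lower(), []).append(h)

    findings: dict[str, list[str]] = {}
    for copies in by_name.values():
        # Only hashes actually computed over file contents are comparable.
        real_hashes = {c.md5 for c in copies if c.md5 != EMPTY_MD5}
        for h in copies:
            reasons: list[str] = []
            if not h.signed:
                reasons.append("not signed")
            if h.md5 == EMPTY_MD5 and h.size > 0:
                reasons.append("empty-file MD5 for non-empty file (hash not computed)")
            if h.modified != h.created:
                reasons.append("modified after creation")
            if len(real_hashes) > 1:
                reasons.append("hash differs between copies")
            findings[h.path] = reasons
    return findings


if __name__ == "__main__":
    for path, reasons in assess(parse_search(SAMPLE_SEARCH)).items():
        print(path)
        for r in reasons:
            print("   -", r)
```

Run against the posted Search.txt this flags both copies as unsigned, flags the WinSxS copy's hash as not actually computed, and flags the live driver as modified on 2015-11-12; it deliberately does not report a hash mismatch, because with one of the two hashes unusable there is nothing to compare. The next step a responder would take is to obtain a usable hash of the WinSxS copy (or of a known-good copy from install media) and compare it with 46BC531DCEC08F4C405FB4593ACD0DE1 before treating the live file as either clean or infected.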



#8 nasdaq

nasdaq

  • Malware Response Team
  • 39,202 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:10:11 AM

Posted 13 November 2015 - 07:53 AM


Press the Windows key + R on your keyboard at the same time. This will open the RUN BOX.
Type Notepad and click OK.
Please copy the entire contents of the code box below to a new file.

start

CreateRestorePoint:
CloseProcesses:

Replace: C:\Windows\winsxs\x86_microsoft-windows-mountpointmanager_31bf3856ad364e35_6.0.6001.18000_none_f29824c60705c394\mountmgr.sys C:\Windows\System32\drivers\mountmgr.sys

End
Save the file as fixlist.txt in the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the Farbar log you have submitted.

Run FRST and click Fix only once and wait.

Restart the computer normally to reset the registry.

The tool will create a log (Fixlog.txt) please post it to your reply.
===

How is the computer running now?

#9 EmlynII

EmlynII
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:09:11 AM

Posted 16 November 2015 - 01:38 AM

Here is the fixlog.txt:

 

Fix result of Farbar Recovery Scan Tool (x86) Version:07-11-2015
Ran by Elizabeth (2015-11-14 17:42:30) Run:2
Running from C:\Users\Elizabeth\Downloads
Loaded Profiles: Elizabeth (Available Profiles: Elizabeth)
Boot Mode: Normal

==============================================

fixlist content:
*****************
start

CreateRestorePoint:
CloseProcesses:

Replace:
C:\Windows\winsxs\x86_microsoft-windows-mountpointmanager_31bf3856ad364e35_6.0.6001.18000_none_f29824c60705c394\mountmgr.sys C:\Windows\System32\drivers\mountmgr.sys

End

*****************

Restore point was successfully created.
Processes closed successfully.
"Replace:" => not found
"C:\Windows\winsxs\x86_microsoft-windows-mountpointmanager_31bf3856ad364e35_6.0.6001.18000_none_f29824c60705c394\mountmgr.sys C:\Windows\System32\drivers\mountmgr.sys" => not found.

The system needed a reboot.

==== End of Fixlog 17:42:55 ====

 

 

I've rebooted the computer and run Norton Antivirus again and it doesn't find the virus anymore... so I think it's gone, yay!



#10 nasdaq

nasdaq

  • Malware Response Team
  • 39,202 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:10:11 AM

Posted 16 November 2015 - 09:25 AM

If all is well.

To learn more about how to protect yourself while on the internet, read this little guide on best security practices to keep safe.
http://www.bleepingcomputer.com/forums/t/407147/answers-to-common-security-questions-best-practices/
===

#11 nasdaq

nasdaq

  • Malware Response Team
  • 39,202 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:10:11 AM

Posted 22 November 2015 - 08:07 AM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.



