Internet/Firefox Credit Card Malware


33 replies to this topic

#1 DavidMarlan (Members, 41 posts)

Posted 09 November 2015 - 05:04 PM

Hey, I've been having problems with a tricky malware... It first turned up and when I tried to log into Steam it asked for credit card verification. I assumed it was a virus as nobody else was getting it and managed to bypass the request and continue along. I did multiple virus scans, some things popped up and were removed but the problem persisted.

 

Then literally right before I went to this forum to post about it requesting assistance (I would rather not reformat to solve this problem) and went to find screenshots to help you guys determine the problem, the problem seemed to have gone away. I assume my anti-virus must have caught it, but clearly it didn't and it just migrated somewhere else/updated or whatever else.

 

Anyway, it seems to feed off of websites that normally require logins... bank accounts, steam, youtube, google, etc, and then forces you to put in your credit card otherwise you are unable to access the page.

 

BTW Youtube works on Google Chrome... though as I recall, when it happened on the Steam page, it did NOT work with Internet Explorer (I didn't try Chrome at the time)

 

Hopefully you can help...

 

Here are some screenshots.

 

http://puu.sh/lfGga/8f155aeb36.jpg

 

http://puu.sh/lfGoP/44c3109ad5.png

 

Oh.. and this is my home page on Internet Explorer for some reason... I never use this browser though, so it could be unrelated.

 

http://puu.sh/lfGyi/c0d6085e03.jpg

 

If you need any other info at all, please let me know! I've had you guys help me a couple times before and you guys are great.

 

 

 

 

Edit: .. After reading your post about how to make a request.. haha

 

I am using Windows 7 Ultimate..

I am using Vipre Antivirus 2015

 

And I should mention, my Dota 2 client (steam video game) fails to boot 3/4 of the time, but that's probably unrelated, so don't worry about that. (Though this problem came up around the same time!)

 

It happens on Facebook too. Looks exactly the same as in the screenshots, except with a blue facebook bar instead.

 

Edit3:

 

I've run a Malwarebytes scan with a few results, seems to be no improvement.

FYI: http://puu.sh/lfI0b/789b079e8d.png

I ran AdwCleaner as well, with a few results, seems to be no improvement.

 

Also my firefox is crashing quite often. It seems to be getting worse.


Edited by DavidMarlan, 09 November 2015 - 05:30 PM.



 


#2 Aura (Bleepin' Special Ops, Malware Response Team, 19,683 posts)

Posted 10 November 2015 - 01:36 PM

Hi DavidMarlan :)

My name is Aura and I'll be assisting you with your issue. I've encountered that malware before and it's quite hard to remove. Right now, I'll ask you to uninstall both Google Chrome and Mozilla (make sure that you back up your bookmarks, favorites, etc. first if you don't have the sync feature enabled for them). Once done, delete the following folders:
C:\Program Files (x86)\Mozilla Firefox
C:\Program Files (x86)\Google\Chrome
C:\Users\$USERNAME\AppData\Local\Google\Chrome
C:\Program Files (x86)\Steam - MAKE SURE THAT YOUR GAMES AREN'T INSTALLED THERE, IF THEY ARE, DO NOT DELETE IT AND SKIP IT
C:\Users\$USERNAME\AppData\Local\Steam
Once done, follow the instructions below please.

MiniToolBox
  • Download MiniToolBox and move the executable file to your Desktop;
  • Right-click on MiniToolBox.exe and select Run as Administrator (for Windows Vista, 7, 8, 8.1 and 10 users);
  • Check the following options:
    • Flush DNS;
    • Report IE Proxy Settings;
    • Reset IE Proxy Settings;
    • Report FF Proxy Settings;
    • Reset FF Proxy Settings;
    • List content of Hosts;
    • List IP Configuration;
    • List Last 10 Event Viewer Errors;
    • List Installed Programs;
    • List Devices - Only Problems;
    • List Users, Partitions and Memory size;
  • Once this is done, click on Go and wait for the scan to complete;
  • Once the scan is complete, a log will open. Please copy/paste the content of the output log in your next reply;

Security Administrator | Sysnative Windows Update Senior Analyst | Malware Hunter | @SecurityAura
My timezone UTC-05:00 (East. Coast). If I didn't reply to you within 48 hours, please send me a PM.
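The checks Aura asks for above (proxy settings, hosts file, IP configuration, event-log errors) are the parts of the log a helper reads first when it comes back. The script below is an added example, not part of this thread and not Farbar's MiniToolBox code: it parses a log in the MiniToolBox layout and pulls out the items worth a second look. The sample log is constructed in that layout; the two hosts redirects in it are invented to exercise the check (the log DavidMarlan actually posted in reply has an empty hosts section and no proxy set), and the random-name heuristic for service names is an assumption of mine, so a hit is a lead to investigate, not a verdict.

```python
"""Triage a MiniToolBox-style log (added example; not Farbar's code)."""
import re

# Constructed sample in MiniToolBox's layout. The hosts redirects are invented
# to exercise the check; the proxy, route and service lines mirror the thread.
SAMPLE_LOG = """\
========================= IE Proxy Settings: ==============================

Proxy is not enabled.
No Proxy Server is set.

========================= Hosts content: =================================

127.0.0.1       localhost
198.51.100.7    store.steampowered.com
198.51.100.7    www.facebook.com

========================= IP Configuration: ================================

IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0         25.0.0.1     25.21.162.93   9256
          0.0.0.0          0.0.0.0      192.168.0.1      192.168.0.2     10
        127.0.0.0        255.0.0.0         On-link         127.0.0.1    306
===========================================================================

========================= Event log errors: ===============================

System errors:
=============
Error: (11/10/2015 12:33:49 PM) (Source: Service Control Manager) (User: )
Description: The tqDPsXxHquA service failed to start due to the following error:
%%2

Error: (11/09/2015 04:27:11 PM) (Source: Service Control Manager) (User: )
Description: The MBAMService service terminated unexpectedly.  It has done this 1 time(s).
"""

HEADER = re.compile(r"^=+ (.+?): =+\s*$", re.M)
SCM_EVENT = re.compile(
    r"^Description: The (.+?) service (failed to start|terminated unexpectedly)", re.M)
DEFAULT_ROUTE = re.compile(
    r"^\s*0\.0\.0\.0\s+0\.0\.0\.0\s+(\S+)\s+(\S+)\s+(\d+)\s*$", re.M)
VOWELS = set("aeiouAEIOU")


def sections(log):
    """Split the log into {title: body} on MiniToolBox's '=== Title: ===' headers."""
    out, heads = {}, list(HEADER.finditer(log))
    for i, m in enumerate(heads):
        end = heads[i + 1].start() if i + 1 < len(heads) else len(log)
        out[m.group(1)] = log[m.end():end]
    return out


def ie_proxy_enabled(secs):
    """MiniToolBox prints 'Proxy is not enabled.' in the clean case; anything else needs reading."""
    return "Proxy is not enabled." not in secs.get("IE Proxy Settings", "")


def hosts_redirects(secs):
    """Hosts lines that send a name somewhere other than loopback (a classic login-page hijack)."""
    hits = []
    for line in secs.get("Hosts content", "").splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 2 and not fields[0].startswith("127.") and fields[0] != "::1":
            hits.append((fields[0], fields[1:]))
    return hits


def looks_random(name):
    """Assumed heuristic: one token of 8+ letters/digits with 3+ lower->upper flips
    and vowels <= 30% reads like a generated service name (MBAMService does not)."""
    if not re.fullmatch(r"[A-Za-z0-9]{8,}", name):
        return False
    flips = sum(1 for a, b in zip(name, name[1:]) if a.islower() and b.isupper())
    return flips >= 3 and sum(c in VOWELS for c in name) / len(name) <= 0.3


def suspicious_services(secs):
    """Service Control Manager errors whose service name looks generated."""
    events = SCM_EVENT.findall(secs.get("Event log errors", ""))
    return [(name, what) for name, what in events if looks_random(name)]


def default_routes(secs):
    """(gateway, interface, metric) for each IPv4 default route, preferred (lowest metric) first."""
    found = DEFAULT_ROUTE.findall(secs.get("IP Configuration", ""))
    return sorted(((gw, ifc, int(metric)) for gw, ifc, metric in found), key=lambda r: r[2])


def triage(log):
    secs = sections(log)
    return {
        "ie_proxy_enabled": ie_proxy_enabled(secs),
        "hosts_redirects": hosts_redirects(secs),
        "suspicious_services": suspicious_services(secs),
        "default_routes": default_routes(secs),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

On the sample, the proxy check comes back clean, both invented hosts lines are reported, the LAN gateway wins the default-route comparison (metric 10 against 9256 for the VPN adapter), and the one generated-looking service name is listed. Swap `SAMPLE_LOG` for the text of a real MiniToolBox log to run the same checks on it.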


#3 DavidMarlan (Topic Starter, Members, 41 posts)

Posted 10 November 2015 - 02:58 PM

 Steam is installed under my E:\ drive, though the path you mentioned "E:\Program Files (x86)\Steam" would have my games in it, so it was not deleted.

MiniToolBox by Farbar  Version: 02-11-2015
Ran by Chad (administrator) on 10-11-2015 at 13:56:08
Running from "C:\Users\Chad\Downloads"
Microsoft Windows 7 Ultimate  Service Pack 1 (X64)
Model: System Product Name Manufacturer: System manufacturer
Boot Mode: Normal
***************************************************************************

========================= Flush DNS: ===================================

Windows IP Configuration

Successfully flushed the DNS Resolver Cache.

========================= IE Proxy Settings: ============================== 

Proxy is not enabled.
No Proxy Server is set.

"Reset IE Proxy Settings": IE Proxy Settings were reset.

========================= FF Proxy Settings: ============================== 


"Reset FF Proxy Settings": Firefox Proxy settings were reset.

========================= Hosts content: =================================
========================= IP Configuration: ================================

Intel(R) 82579V Gigabit Network Connection = Local Area Connection (Connected)
Hamachi Network Interface = Hamachi (Connected)
TAP-Win32 Adapter V9 (Tunngle) = Tunngle (Hardware not present)


# ----------------------------------
# IPv4 Configuration
# ----------------------------------
pushd interface ipv4

reset
set global icmpredirects=enabled
add route prefix=0.0.0.0/0 interface="Hamachi" nexthop=25.0.0.1 publish=Yes
set interface interface="Hamachi" forwarding=disabled advertise=disabled metric=9000 siteprefixlength=0 nud=disabled routerdiscovery=disabled managedaddress=disabled otherstateful=disabled weakhostsend=disabled weakhostreceive=disabled ignoredefaultroutes=disabled advertisedrouterlifetime=0 advertisedefaultroute=disabled currenthoplimit=0 forcearpndwolpattern=disabled enabledirectedmacwolpattern=disabled


popd
# End of IPv4 configuration



Windows IP Configuration

   Host Name . . . . . . . . . . . . : PC
   Primary Dns Suffix  . . . . . . . : 
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No

Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . : 
   Description . . . . . . . . . . . : Intel(R) 82579V Gigabit Network Connection
   Physical Address. . . . . . . . . : F4-6D-04-AC-F1-F9
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
   Link-local IPv6 Address . . . . . : fe80::1dde:2cae:c544:d913%14(Preferred) 
   IPv4 Address. . . . . . . . . . . : 192.168.0.2(Preferred) 
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Lease Obtained. . . . . . . . . . : Tuesday, November 10, 2015 12:33:48 PM
   Lease Expires . . . . . . . . . . : Tuesday, November 10, 2015 2:33:50 PM
   Default Gateway . . . . . . . . . : 192.168.0.1
   DHCP Server . . . . . . . . . . . : 192.168.0.1
   DHCPv6 IAID . . . . . . . . . . . : 183790852
   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-1C-0E-75-73-F4-6D-04-AC-F1-F9
   DNS Servers . . . . . . . . . . . : 64.59.176.16
                                       64.59.176.228
   NetBIOS over Tcpip. . . . . . . . : Enabled

Ethernet adapter Hamachi:

   Connection-specific DNS Suffix  . : 
   Description . . . . . . . . . . . : Hamachi Network Interface
   Physical Address. . . . . . . . . : 7A-79-19-15-A2-5D
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
   IPv6 Address. . . . . . . . . . . : 2620:9b::1915:a25d(Preferred) 
   Link-local IPv6 Address . . . . . : fe80::240f:68c4:f284:624b%17(Preferred) 
   IPv4 Address. . . . . . . . . . . : 25.21.162.93(Preferred) 
   Subnet Mask . . . . . . . . . . . : 255.0.0.0
   Lease Obtained. . . . . . . . . . : Tuesday, November 10, 2015 12:33:47 PM
   Lease Expires . . . . . . . . . . : Wednesday, November 09, 2016 12:35:54 PM
   Default Gateway . . . . . . . . . : 2620:9b::1900:1
                                       25.0.0.1
   DHCP Server . . . . . . . . . . . : 25.0.0.1
   DHCPv6 IAID . . . . . . . . . . . : 242907443
   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-1C-0E-75-73-F4-6D-04-AC-F1-F9
   DNS Servers . . . . . . . . . . . : fec0:0:0:ffff::1%1
                                       fec0:0:0:ffff::2%1
                                       fec0:0:0:ffff::3%1
   NetBIOS over Tcpip. . . . . . . . : Enabled

Tunnel adapter Teredo Tunneling Pseudo-Interface:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . : 
   Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes

Tunnel adapter isatap.{16ED4BD0-5085-4998-9EC0-63FCC8C4F895}:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . : 
   Description . . . . . . . . . . . : Microsoft ISATAP Adapter #2
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
Server:  nsc4.nr.wp.shawcable.net
Address:  64.59.176.16

Name:    google.com
Addresses:  2607:f8b0:400a:804::1008
	  24.244.4.108
	  24.244.4.119
	  24.244.4.94
	  24.244.4.104
	  24.244.4.99
	  24.244.4.98
	  24.244.4.118
	  24.244.4.88
	  24.244.4.113
	  24.244.4.93
	  24.244.4.109
	  24.244.4.114
	  24.244.4.123
	  24.244.4.103
	  24.244.4.89
	  24.244.4.84


Pinging google.com [24.244.4.108] with 32 bytes of data:
Reply from 24.244.4.108: bytes=32 time=28ms TTL=60
Reply from 24.244.4.108: bytes=32 time=36ms TTL=60

Ping statistics for 24.244.4.108:
    Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 28ms, Maximum = 36ms, Average = 32ms
Server:  nsc4.nr.wp.shawcable.net
Address:  64.59.176.16

Name:    yahoo.com
Addresses:  2001:4998:44:204::a7
	  2001:4998:c:a06::2:4008
	  2001:4998:58:c02::a9
	  98.139.183.24
	  206.190.36.45
	  98.138.253.109


Pinging yahoo.com [98.139.183.24] with 32 bytes of data:
Reply from 98.139.183.24: bytes=32 time=55ms TTL=53
Reply from 98.139.183.24: bytes=32 time=51ms TTL=53

Ping statistics for 98.139.183.24:
    Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 51ms, Maximum = 55ms, Average = 53ms

Pinging 127.0.0.1 with 32 bytes of data:
Reply from 127.0.0.1: bytes=32 time<1ms TTL=128
Reply from 127.0.0.1: bytes=32 time<1ms TTL=128

Ping statistics for 127.0.0.1:
    Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 0ms, Average = 0ms
===========================================================================
Interface List
 14...f4 6d 04 ac f1 f9 ......Intel(R) 82579V Gigabit Network Connection
 17...7a 79 19 15 a2 5d ......Hamachi Network Interface
  1...........................Software Loopback Interface 1
 15...00 00 00 00 00 00 00 e0 Teredo Tunneling Pseudo-Interface
 12...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #2
===========================================================================

IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0         25.0.0.1     25.21.162.93   9256
          0.0.0.0          0.0.0.0      192.168.0.1      192.168.0.2     10
         25.0.0.0        255.0.0.0         On-link      25.21.162.93   9256
     25.21.162.93  255.255.255.255         On-link      25.21.162.93   9256
   25.255.255.255  255.255.255.255         On-link      25.21.162.93   9256
        127.0.0.0        255.0.0.0         On-link         127.0.0.1    306
        127.0.0.1  255.255.255.255         On-link         127.0.0.1    306
  127.255.255.255  255.255.255.255         On-link         127.0.0.1    306
      192.168.0.0    255.255.255.0         On-link       192.168.0.2    266
      192.168.0.2  255.255.255.255         On-link       192.168.0.2    266
    192.168.0.255  255.255.255.255         On-link       192.168.0.2    266
        224.0.0.0        240.0.0.0         On-link         127.0.0.1    306
        224.0.0.0        240.0.0.0         On-link       192.168.0.2    266
        224.0.0.0        240.0.0.0         On-link      25.21.162.93   9256
  255.255.255.255  255.255.255.255         On-link         127.0.0.1    306
  255.255.255.255  255.255.255.255         On-link       192.168.0.2    266
  255.255.255.255  255.255.255.255         On-link      25.21.162.93   9256
===========================================================================
Persistent Routes:
  Network Address          Netmask  Gateway Address  Metric
          0.0.0.0          0.0.0.0         25.0.0.1  Default 
===========================================================================

IPv6 Route Table
===========================================================================
Active Routes:
 If Metric Network Destination      Gateway
 17   9020 ::/0                     2620:9b::1900:1
  1    306 ::1/128                  On-link
 17    276 2620:9b::/96             On-link
 17    276 2620:9b::1915:a25d/128   On-link
 14    266 fe80::/64                On-link
 17    276 fe80::/64                On-link
 14    266 fe80::1dde:2cae:c544:d913/128
                                    On-link
 17    276 fe80::240f:68c4:f284:624b/128
                                    On-link
  1    306 ff00::/8                 On-link
 14    266 ff00::/8                 On-link
 17    276 ff00::/8                 On-link
===========================================================================
Persistent Routes:
 If Metric Network Destination      Gateway
  0 4294967295 2620:9b::/96             On-link
  0   9000 ::/0                     2620:9b::1900:1
===========================================================================

========================= Event log errors: ===============================

Application errors:
==================
Error: (11/10/2015 12:39:42 PM) (Source: Microsoft-Windows-LoadPerf) (User: NT AUTHORITY)
Description: Unloading the performance counter strings for service WmiApRpl (WmiApRpl) failed. The first DWORD in the Data section contains the error code.

Error: (11/10/2015 12:39:42 PM) (Source: Microsoft-Windows-LoadPerf) (User: NT AUTHORITY)
Description: The performance strings in the Performance registry value is corrupted when process Performance extension counter provider. The BaseIndex value from the Performance registry is the first DWORD in the Data section, LastCounter value is the second DWORD in the Data section, and LastHelp value is the third DWORD in the Data section.

Error: (11/10/2015 01:11:15 AM) (Source: Application Error) (User: )
Description: Faulting application name: chrome.exe, version: 46.0.2490.80, time stamp: 0x56262c73
Faulting module name: unknown, version: 0.0.0.0, time stamp: 0x00000000
Exception code: 0xc0000005
Fault offset: 0x000c573b
Faulting process id: 0x1d24
Faulting application start time: 0xchrome.exe0
Faulting application path: chrome.exe1
Faulting module path: chrome.exe2
Report Id: chrome.exe3

Error: (11/10/2015 12:44:57 AM) (Source: Application Error) (User: )
Description: Faulting application name: dota2.exe, version: 0.0.0.0, time stamp: 0x563159af
Faulting module name: tier0.dll, version: 0.0.0.0, time stamp: 0x563156bb
Exception code: 0xc0000005
Fault offset: 0x00000000000180c4
Faulting process id: 0x1868
Faulting application start time: 0xdota2.exe0
Faulting application path: dota2.exe1
Faulting module path: dota2.exe2
Report Id: dota2.exe3

Error: (11/09/2015 11:15:30 PM) (Source: Application Error) (User: )
Description: Faulting application name: dota2.exe, version: 0.0.0.0, time stamp: 0x563159af
Faulting module name: tier0.dll, version: 0.0.0.0, time stamp: 0x563156bb
Exception code: 0xc0000005
Fault offset: 0x00000000000180c4
Faulting process id: 0x1f4c
Faulting application start time: 0xdota2.exe0
Faulting application path: dota2.exe1
Faulting module path: dota2.exe2
Report Id: dota2.exe3

Error: (11/09/2015 11:15:12 PM) (Source: Application Error) (User: )
Description: Faulting application name: dota2.exe, version: 0.0.0.0, time stamp: 0x563159af
Faulting module name: tier0.dll, version: 0.0.0.0, time stamp: 0x563156bb
Exception code: 0xc0000005
Fault offset: 0x00000000000180c4
Faulting process id: 0x1eac
Faulting application start time: 0xdota2.exe0
Faulting application path: dota2.exe1
Faulting module path: dota2.exe2
Report Id: dota2.exe3

Error: (11/09/2015 11:14:46 PM) (Source: Application Error) (User: )
Description: Faulting application name: dota2.exe, version: 0.0.0.0, time stamp: 0x563159af
Faulting module name: tier0.dll, version: 0.0.0.0, time stamp: 0x563156bb
Exception code: 0xc0000005
Fault offset: 0x00000000000180c4
Faulting process id: 0x1fec
Faulting application start time: 0xdota2.exe0
Faulting application path: dota2.exe1
Faulting module path: dota2.exe2
Report Id: dota2.exe3

Error: (11/09/2015 11:14:34 PM) (Source: Application Error) (User: )
Description: Faulting application name: dota2.exe, version: 0.0.0.0, time stamp: 0x563159af
Faulting module name: tier0.dll, version: 0.0.0.0, time stamp: 0x563156bb
Exception code: 0xc0000005
Fault offset: 0x00000000000180c4
Faulting process id: 0x1a9c
Faulting application start time: 0xdota2.exe0
Faulting application path: dota2.exe1
Faulting module path: dota2.exe2
Report Id: dota2.exe3

Error: (11/09/2015 11:14:16 PM) (Source: Application Error) (User: )
Description: Faulting application name: dota2.exe, version: 0.0.0.0, time stamp: 0x563159af
Faulting module name: tier0.dll, version: 0.0.0.0, time stamp: 0x563156bb
Exception code: 0xc0000005
Fault offset: 0x00000000000180c4
Faulting process id: 0x1d48
Faulting application start time: 0xdota2.exe0
Faulting application path: dota2.exe1
Faulting module path: dota2.exe2
Report Id: dota2.exe3

Error: (11/09/2015 11:14:06 PM) (Source: Application Error) (User: )
Description: Faulting application name: dota2.exe, version: 0.0.0.0, time stamp: 0x563159af
Faulting module name: tier0.dll, version: 0.0.0.0, time stamp: 0x563156bb
Exception code: 0xc0000005
Fault offset: 0x00000000000180c4
Faulting process id: 0x1f14
Faulting application start time: 0xdota2.exe0
Faulting application path: dota2.exe1
Faulting module path: dota2.exe2
Report Id: dota2.exe3


System errors:
=============
Error: (11/10/2015 12:33:49 PM) (Source: Service Control Manager) (User: )
Description: The tqDPsXxHquA service failed to start due to the following error: 
%%2

Error: (11/10/2015 12:33:47 PM) (Source: EventLog) (User: )
Description: The previous system shutdown at 12:29:53 PM on ‎11/‎10/‎2015 was unexpected.

Error: (11/09/2015 04:28:08 PM) (Source: Service Control Manager) (User: )
Description: The tqDPsXxHquA service failed to start due to the following error: 
%%2

Error: (11/09/2015 04:27:11 PM) (Source: Service Control Manager) (User: )
Description: The MBAMScheduler service terminated unexpectedly.  It has done this 1 time(s).

Error: (11/09/2015 04:27:11 PM) (Source: Service Control Manager) (User: )
Description: The MBAMService service terminated unexpectedly.  It has done this 1 time(s).

Error: (11/09/2015 04:27:11 PM) (Source: Service Control Manager) (User: )
Description: The Windows Media Player Network Sharing Service service terminated unexpectedly.  It has done this 1 time(s).  The following corrective action will be taken in 30000 milliseconds: Restart the service.

Error: (11/09/2015 04:27:11 PM) (Source: Service Control Manager) (User: )
Description: The Windows Search service terminated unexpectedly.  It has done this 1 time(s).  The following corrective action will be taken in 30000 milliseconds: Restart the service.

Error: (11/09/2015 04:27:11 PM) (Source: Service Control Manager) (User: )
Description: The VIPRE Antivirus service terminated unexpectedly.  It has done this 1 time(s).

Error: (11/09/2015 04:27:11 PM) (Source: Service Control Manager) (User: )
Description: The Disc Soft Lite Bus Service service terminated unexpectedly.  It has done this 1 time(s).

Error: (11/09/2015 04:27:10 PM) (Source: Service Control Manager) (User: )
Description: The LogMeIn Hamachi Tunneling Engine service terminated unexpectedly.  It has done this 1 time(s).


Microsoft Office Sessions:
=========================
Error: (11/10/2015 12:39:42 PM) (Source: Microsoft-Windows-LoadPerf)(User: NT AUTHORITY)
Description: WmiApRplWmiApRpl8F20300004D070000

Error: (11/10/2015 12:39:42 PM) (Source: Microsoft-Windows-LoadPerf)(User: NT AUTHORITY)
Description: Performance1637070000144901000000000009030000

Error: (11/10/2015 01:11:15 AM) (Source: Application Error)(User: )
Description: chrome.exe46.0.2490.8056262c73unknown0.0.0.000000000c0000005000c573b1d2401d11b811b1c72cbC:\Program Files (x86)\Google\Chrome\Application\chrome.exeunknown3a8a9b83-877a-11e5-afed-f46d04acf1f9

Error: (11/10/2015 12:44:57 AM) (Source: Application Error)(User: )
Description: dota2.exe0.0.0.0563159aftier0.dll0.0.0.0563156bbc000000500000000000180c4186801d11b834b838c8fe:\Program Files (x86)\Steam\steamapps\common\dota 2 beta\game\bin\win64\dota2.exee:\Program Files (x86)\Steam\steamapps\common\dota 2 beta\game\bin\win64\tier0.dll8e031dfd-8776-11e5-afed-f46d04acf1f9

Error: (11/09/2015 11:15:30 PM) (Source: Application Error)(User: )
Description: dota2.exe0.0.0.0563159aftier0.dll0.0.0.0563156bbc000000500000000000180c41f4c01d11b76cd829a34e:\Program Files (x86)\Steam\steamapps\common\dota 2 beta\game\bin\win64\dota2.exee:\Program Files (x86)\Steam\steamapps\common\dota 2 beta\game\bin\win64\tier0.dll0eec23b0-876a-11e5-afed-f46d04acf1f9

Error: (11/09/2015 11:15:12 PM) (Source: Application Error)(User: )
Description: dota2.exe0.0.0.0563159aftier0.dll0.0.0.0563156bbc000000500000000000180c41eac01d11b76c2161692e:\Program Files (x86)\Steam\steamapps\common\dota 2 beta\game\bin\win64\dota2.exee:\Program Files (x86)\Steam\steamapps\common\dota 2 beta\game\bin\win64\tier0.dll04246df8-876a-11e5-afed-f46d04acf1f9

Error: (11/09/2015 11:14:46 PM) (Source: Application Error)(User: )
Description: dota2.exe0.0.0.0563159aftier0.dll0.0.0.0563156bbc000000500000000000180c41fec01d11b76b3784438e:\Program Files (x86)\Steam\steamapps\common\dota 2 beta\game\bin\win64\dota2.exee:\Program Files (x86)\Steam\steamapps\common\dota 2 beta\game\bin\win64\tier0.dllf4f41d79-8769-11e5-afed-f46d04acf1f9

Error: (11/09/2015 11:14:34 PM) (Source: Application Error)(User: )
Description: dota2.exe0.0.0.0563159aftier0.dll0.0.0.0563156bbc000000500000000000180c41a9c01d11b76ac08edc9e:\Program Files (x86)\Steam\steamapps\common\dota 2 beta\game\bin\win64\dota2.exee:\Program Files (x86)\Steam\steamapps\common\dota 2 beta\game\bin\win64\tier0.dlledcb6e03-8769-11e5-afed-f46d04acf1f9

Error: (11/09/2015 11:14:16 PM) (Source: Application Error)(User: )
Description: dota2.exe0.0.0.0563159aftier0.dll0.0.0.0563156bbc000000500000000000180c41d4801d11b76a1758f45e:\Program Files (x86)\Steam\steamapps\common\dota 2 beta\game\bin\win64\dota2.exee:\Program Files (x86)\Steam\steamapps\common\dota 2 beta\game\bin\win64\tier0.dlle3148169-8769-11e5-afed-f46d04acf1f9

Error: (11/09/2015 11:14:06 PM) (Source: Application Error)(User: )
Description: dota2.exe0.0.0.0563159aftier0.dll0.0.0.0563156bbc000000500000000000180c41f1401d11b769aa672cfe:\Program Files (x86)\Steam\steamapps\common\dota 2 beta\game\bin\win64\dota2.exee:\Program Files (x86)\Steam\steamapps\common\dota 2 beta\game\bin\win64\tier0.dlldccd5ba1-8769-11e5-afed-f46d04acf1f9


CodeIntegrity Errors:
===================================
  Date: 2015-10-01 18:01:22.894
  Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume1\Windows\System32\drivers\nvlddmkm.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.

  Date: 2015-10-01 18:01:22.816
  Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume1\Windows\System32\drivers\nvlddmkm.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.


=========================== Installed Programs ============================

Adobe Flash Player 16 ActiveX (HKLM-x32\...\Adobe Flash Player ActiveX) (Version: 16.0.0.305 - Adobe Systems Incorporated)
Adobe Flash Player 16 NPAPI (HKLM-x32\...\Adobe Flash Player NPAPI) (Version: 16.0.0.305 - Adobe Systems Incorporated)
Adobe Photoshop CC 2014 (HKLM-x32\...\{D7A4F897-B20A-42D0-862D-CB5F6DB7391D}) (Version: 15.2 - Adobe Systems Incorporated)
Adobe Reader XI (11.0.13) (HKLM-x32\...\{AC76BA86-7AD7-1033-7B44-AB0000000001}) (Version: 11.0.13 - Adobe Systems Incorporated)
Adobe Shockwave Player 12.1 (HKLM-x32\...\Adobe Shockwave Player) (Version: 12.1.7.157 - Adobe Systems, Inc.)
Arma 3 (HKLM-x32\...\Steam App 107410) (Version:  - Bohemia Interactive)
ASUS GPU Tweak (HKLM-x32\...\{532F6E8A-AF97-41C3-915F-39F718EC07D1}) (Version: 2.7.5.0 - ASUSTek COMPUTER INC.) Hidden
ASUS GPU Tweak (HKLM-x32\...\InstallShield_{532F6E8A-AF97-41C3-915F-39F718EC07D1}) (Version: 2.7.5.0 - ASUSTek COMPUTER INC.)
ASUS Product Register Program (HKLM-x32\...\{C87D79F6-F813-4812-B7A9-CCCAAB8B1188}) (Version: 1.0.026 - ASUSTek Computer Inc.)
Audacity 2.1.0 (HKLM-x32\...\Audacity_is1) (Version: 2.1.0 - Audacity Team)
AutoHotkey 1.0.48.05 (HKLM-x32\...\AutoHotkey) (Version: 1.0.48.05 - Chris Mallett)
Battle.net (HKLM-x32\...\Battle.net) (Version:  - Blizzard Entertainment)
BitTorrent (HKCU\...\BitTorrent) (Version: 7.9.5.41203 - BitTorrent Inc.)
BitTorrent Sync (HKLM\...\BitTorrent Sync) (Version: 2.0.128 - BitTorrent Inc.)
BitTorrent Sync (HKLM-x32\...\BitTorrent Sync) (Version: 1.4.110 - BitTorrent Inc.)
Castle Crashers (HKLM-x32\...\Steam App 204360) (Version:  - The Behemoth)
DAEMON Tools Lite (HKLM\...\DAEMON Tools Lite) (Version: 10.1.0.0074 - Disc Soft Ltd)
Discord (HKCU\...\Discord) (Version: 0.0.280 - Hammer & Chisel)
Divinity: Original Sin Enhanced Edition (HKLM-x32\...\Steam App 373420) (Version:  - Larian Studios)
Dota 2 (HKLM-x32\...\Steam App 570) (Version:  - Valve)
Dropbox (HKCU\...\Dropbox) (Version: 3.0.3 - Dropbox, Inc.)
Fallout 4 (HKLM-x32\...\Steam App 377160) (Version:  - Bethesda Game Studios)
Git version 1.9.5-preview20141217 (HKLM-x32\...\Git_is1) (Version: 1.9.5-preview20141217 - The Git Development Community)
GPUTweakStreaming (HKLM-x32\...\{D2A41AA7-4313-43D5-AA39-7E3FBBE0556D}) (Version: 1.0.3.5 - ASUS) Hidden
GPUTweakStreaming (HKLM-x32\...\InstallShield_{D2A41AA7-4313-43D5-AA39-7E3FBBE0556D}) (Version: 1.0.3.5 - ASUS)
Intel(R) Driver Update Utility 2.0 (HKLM-x32\...\{59DB38EB-F864-4E10-841D-38CFBCF864B0}) (Version: 2.0.0.29 - Intel) Hidden
Intel(R) Network Connections 15.6.25.0 (HKLM\...\PROSetDX) (Version: 15.6.25.0 - Intel)
Intel® Driver Update Utility (HKLM-x32\...\{8409c4f7-2340-4933-a304-5d37db4fb48b}) (Version: 2.0.0.29 - Intel)
Intruder (HKLM-x32\...\{F9687E06-72EC-4E3F-BCF1-49CD1012319D}) (Version: 449 - Superboss Games)
Java 8 Update 25 (64-bit) (HKLM\...\{26A24AE4-039D-4CA4-87B4-2F86418025F0}) (Version: 8.0.250 - Oracle Corporation)
Java 8 Update 25 (HKLM-x32\...\{26A24AE4-039D-4CA4-87B4-2F83218025F0}) (Version: 8.0.250 - Oracle Corporation)
Java SE Development Kit 8 Update 25 (64-bit) (HKLM\...\{64A3A4F4-B792-11D6-A78A-00B0D0180250}) (Version: 8.0.250.18 - Oracle Corporation)
JMicron JMB36X Driver (HKLM-x32\...\{3A1B5D40-41E9-43FA-8C7B-A8667F5586EF}) (Version: 1.17.58.2 - JMicron Technology Corp.)
Keep Talking and Nobody Explodes (HKLM-x32\...\Steam App 341800) (Version:  - Steel Crate Games)
Kerbal Space Program (HKLM-x32\...\Steam App 220200) (Version:  - Squad)
LAME v3.99.3 (for Windows) (HKLM-x32\...\LAME_is1) (Version:  - )
LogMeIn Hamachi (HKLM-x32\...\{38DAAEA7-903D-4FBF-A5D3-F7EB8F83782A}) (Version: 2.2.0.406 - LogMeIn, Inc.) Hidden
LogMeIn Hamachi (HKLM-x32\...\LogMeIn Hamachi) (Version: 2.2.0.406 - LogMeIn, Inc.)
Malwarebytes Anti-Malware version 2.2.0.1024 (HKLM-x32\...\Malwarebytes Anti-Malware_is1) (Version: 2.2.0.1024 - Malwarebytes)
marvell 91xx driver (HKLM-x32\...\MagniDriver) (Version: 1.0.0.1051 - Marvell)
Microsoft .NET Framework 4.5.2 (HKLM\...\{92FB6C44-E685-45AD-9B20-CADF4CABA132} - 1033) (Version: 4.5.51209 - Microsoft Corporation)
Microsoft Office Professional Plus 2010 (HKLM-x32\...\Office14.PROPLUS) (Version: 14.0.4734.1000 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (HKLM-x32\...\{7299052b-02a4-4627-81f2-1818da5d550d}) (Version: 8.0.56336 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.6161 (HKLM\...\{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4}) (Version: 9.0.30729.6161 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022 (HKLM-x32\...\{FF66E9F6-83E7-3A3E-AF14-8DE9A809A6A4}) (Version: 9.0.21022 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17 (HKLM-x32\...\{9A25302D-30C0-39D9-BD6F-21E6EC160475}) (Version: 9.0.30729 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (HKLM-x32\...\{9BE518E6-ECC6-35A9-88E4-87755C07200F}) (Version: 9.0.30729.6161 - Microsoft Corporation)
Microsoft Visual C++ 2010 Redistributable - x64 10.0.40219 (HKLM\...\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}) (Version: 10.0.40219 - Microsoft Corporation)
Microsoft Visual C++ 2010 Redistributable - x86 10.0.40219 (HKLM-x32\...\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}) (Version: 10.0.40219 - Microsoft Corporation)
Microsoft Visual C++ 2012 Redistributable (x64) - 11.0.61030 (HKLM-x32\...\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}) (Version: 11.0.61030.0 - Microsoft Corporation)
Microsoft Visual C++ 2012 Redistributable (x86) - 11.0.61030 (HKLM-x32\...\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}) (Version: 11.0.61030.0 - Microsoft Corporation)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (HKLM-x32\...\{050d4fc8-5d48-4b8f-8972-47c82c46020f}) (Version: 12.0.30501.0 - Microsoft Corporation)
Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (HKLM-x32\...\{f65db027-aff3-4070-886a-0d87064aabb1}) (Version: 12.0.30501.0 - Microsoft Corporation)
Microsoft Visual C++ 2015 Redistributable (x64) - 14.0.23026 (HKLM-x32\...\{e46eca4f-393b-40df-9f49-076faf788d83}) (Version: 14.0.23026.0 - Microsoft Corporation)
Microsoft Visual C++ 2015 Redistributable (x86) - 14.0.23026 (HKLM-x32\...\{74d0e5db-b326-4dae-a6b2-445b9de1836e}) (Version: 14.0.23026.0 - Microsoft Corporation)
Microsoft XNA Framework Redistributable 4.0 (HKLM-x32\...\{2BFC7AA0-544C-4E3A-8796-67F3BE655BE9}) (Version: 4.0.20823.0 - Microsoft Corporation)
MSXML 4.0 SP2 (KB954430) (HKLM-x32\...\{86493ADD-824D-4B8E-BD72-8C5DCDC52A71}) (Version: 4.20.9870.0 - Microsoft Corporation)
MSXML 4.0 SP2 (KB973688) (HKLM-x32\...\{F662A8E6-F4DC-41A2-901E-8C11F044BDEC}) (Version: 4.20.9876.0 - Microsoft Corporation)
Mumble 1.2.8 (HKLM-x32\...\{A9DBD31A-A09F-4C7E-86D1-3B21C59000D1}) (Version: 1.2.8 - Thorvald Natvig)
Notepad++ (HKLM-x32\...\Notepad++) (Version: 6.7.4 - Notepad++ Team)
NVIDIA GeForce Experience 2.4.5.28 (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.GFExperience) (Version: 2.4.5.28 - NVIDIA Corporation)
NVIDIA Graphics Driver 353.06 (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.Driver) (Version: 353.06 - NVIDIA Corporation)
NVIDIA HD Audio Driver 1.3.34.3 (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_HDAudio.Driver) (Version: 1.3.34.3 - NVIDIA Corporation)
NVIDIA PhysX (HKLM-x32\...\{8B922CF8-8A6C-41CE-A858-F1755D7F5D29}) (Version: 9.12.1031 - NVIDIA Corporation)
Path of Exile (HKLM-x32\...\Steam App 238960) (Version:  - Grinding Gear Games)
PAYDAY 2 (HKLM-x32\...\Steam App 218620) (Version:  - OVERKILL - a Starbreeze Studio.)
PBO Manager v.1.4 beta (HKLM\...\{127B5371-1802-4EDD-A25A-A43BF761D383}) (Version: 1.4.0 -  )
puush (HKLM-x32\...\{C3592426-531E-4110-911D-BFECE2CE284B}) (Version: 1.0.0.0 - Dean Herbert)
Razer Synapse 2.0 (HKLM-x32\...\{0D78BEE2-F8FF-4498-AF1A-3FF81CED8AC6}) (Version: 1.18.18.23036 - Razer Inc.)
Realtek High Definition Audio Driver (HKLM-x32\...\{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}) (Version: 6.0.1.7246 - Realtek Semiconductor Corp.)
Renesas Electronics USB 3.0 Host Controller Driver (HKLM-x32\...\{5442DAB8-7177-49E1-8B22-09A049EA5996}) (Version: 2.0.32.0 - Renesas Electronics Corporation) Hidden
Renesas Electronics USB 3.0 Host Controller Driver (HKLM-x32\...\InstallShield_{5442DAB8-7177-49E1-8B22-09A049EA5996}) (Version: 2.0.32.0 - Renesas Electronics Corporation)
Rockstar Games Social Club (HKLM-x32\...\Rockstar Games Social Club) (Version: 1.1.5.8 - Rockstar Games)
Rust (HKLM-x32\...\Steam App 252490) (Version:  - Facepunch Studios)
SHIELD Streaming (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_GFExperience.NvStreamSrv) (Version: 4.1.2000 - NVIDIA Corporation) Hidden
SHIELD Wireless Controller Driver (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_ShieldWirelessController) (Version: 2.4.5.28 - NVIDIA Corporation) Hidden
Skype™ 7.12 (HKLM-x32\...\{6A0549A9-1B96-498C-ACBC-3943001FEB19}) (Version: 7.12.101 - Skype Technologies S.A.)
Space Engineers (HKLM-x32\...\Steam App 244850) (Version:  - Keen Software House)
Space Engineers Toolbox (HKLM-x32\...\{551FE583-9DDA-4D55-8DAE-96B3D8DB4C34}) (Version: 01.069.005.1 - Mid-Space Productions)
Starbound (HKLM-x32\...\Steam App 211820) (Version:  - )
Steam (HKLM-x32\...\Steam) (Version: 2.10.91.91 - Valve Corporation)
swMSM (HKLM-x32\...\{612C34C7-5E90-47D8-9B5C-0F717DD82726}) (Version: 12.0.0.1 - Adobe Systems, Inc) Hidden
TeamSpeak 3 Client (HKLM-x32\...\TeamSpeak 3 Client) (Version: 3.0.16 - TeamSpeak Systems GmbH)
TeamViewer 10 (HKLM-x32\...\TeamViewer) (Version: 10.0.47484 - TeamViewer)
Terraria (HKLM-x32\...\Steam App 105600) (Version:  - Re-Logic)
The Witcher 3: Wild Hunt (HKLM-x32\...\Steam App 292030) (Version:  - CD PROJEKT RED)
Tunngle (HKLM-x32\...\Tunngle_is1) (Version: 5.5 - Tunngle.net GmbH)
TurboTax Free Forms 2014 (HKLM-x32\...\{9755D4A0-8B7C-4E18-ABE1-5562F227E100}) (Version: 1.0.10.1 - Intuit Canada)
Unity Web Player (HKCU\...\UnityWebPlayer) (Version: 4.6.1f1 - Unity Technologies ApS)
Ventrilo Client for Windows x64 (HKLM\...\{EEB3F6BB-318D-4CE5-989F-8191FCBFB578}) (Version: 3.0.8.0 - Flagship Industries, Inc.)
VIPRE Antivirus (HKLM-x32\...\{3C3539EF-9E90-49DA-B1D0-CC941FE017D5}) (Version: 8.0.5.3 - ThreatTrack Security, Inc.) Hidden
VIPRE Antivirus (HKLM-x32\...\{C1D1FC57-3EB9-4B21-BCA3-F1C927508200}) (Version: 8.0.5.3 - ThreatTrack Security Inc.)
VLC media player (HKLM-x32\...\VLC media player) (Version: 2.1.5 - VideoLAN)
Warcraft III (HKLM-x32\...\Warcraft III) (Version:  - )
Warcraft III: All Products (HKCU\...\Warcraft III) (Version:  - )
WinRAR 5.30 beta 3 (64-bit) (HKLM\...\WinRAR archiver) (Version: 5.30.3 - win.rar GmbH)
WinZip 15.0 (HKLM-x32\...\{CD95F661-A5C4-44F5-A6AA-ECDD91C240BE}) (Version: 15.0.9302 - WinZip Computing, S.L. )

========================= Devices: ================================

Name: TAP-Win32 Adapter V9 (Tunngle)
Description: TAP-Win32 Adapter V9 (Tunngle)
Class Guid: {4d36e972-e325-11ce-bfc1-08002be10318}
Manufacturer: TAP-Win32 Provider V9 (Tunngle)
Service: tap0901t
Device ID: ROOT\NET\0002
Problem: : This device is disabled. (Code 22)
Resolution: In Device Manager, click "Action", and then click "Enable Device". This starts the Enable Device wizard. Follow the instructions.


========================= Memory info: ===================================

Percentage of memory in use: 17%
Total physical RAM: 16351.13 MB
Available physical RAM: 13427.43 MB
Total Virtual: 16861.32 MB
Available Virtual: 12602.06 MB

========================= Partitions: =====================================

1 Drive c: (WINDOWS 7 x64) (Fixed) (Total:223.47 GB) (Free:161.47 GB) NTFS
2 Drive d: (STORAGE) (Fixed) (Total:465.76 GB) (Free:106.27 GB) NTFS
3 Drive e: (SSD GAMES) (Fixed) (Total:223.57 GB) (Free:32.55 GB) NTFS
4 Drive f: (WINDOWS 7 x86) (Fixed) (Total:1863.01 GB) (Free:1827.01 GB) NTFS

========================= Users: ========================================

User accounts for \\PC

Administrator            Chad                     Guest                    


**** End of log ****


Edited by DavidMarlan, 10 November 2015 - 03:03 PM.


#4 Aura
Malware Response Team

Posted 10 November 2015 - 03:03 PM

Uninstall the following programs since they are outdated and vulnerable:
  • Java 8 Update 25 (64-bit)
  • Java 8 Update 25
  • Java SE Development Kit 8 Update 25 (64-bit)
Once done, follow the instructions below please.

Download RegScanner from NirSoft. Once downloaded, extract the content of the .zip archive and launch RegScanner.exe. In the Find String zone, enter tqDPsXxHquA. Click on every item under Scan the following base keys and click on Scan. Once the scan is done, click on View followed by HTML Report - All Items. This will open a page in your web browser displaying the results. Right-click on the page and select Save as, then save the page (it'll be in an .html format). Once done, upload that file on Dropbox, Google Drive or OneDrive and post the download URL for it here please.

Security Administrator | Sysnative Windows Update Senior Analyst | Malware Hunter | @SecurityAura
My timezone UTC-05:00 (East. Coast). If I didn't reply to you within 48 hours, please send me a PM.


#5 DavidMarlan (Topic Starter)

Posted 10 November 2015 - 03:09 PM

Download: http://puu.sh/lgLHt/de0e2451b6.html

or

Screenshot: https://ssl-proxy-updated.herokuapp.com/ab7a3c1ccadf41f10bd2c27270921b8db4ef2913/687474703a2f2f7075752e73682f6c674c4a6a2f313466393435376665372e706e67/14f9457fe7.png



#6 Aura
Malware Response Team

Posted 10 November 2015 - 03:18 PM

Screenshot is perfect :) Now, carefully, can you go in your C:\ProgramData folder, and confirm that there's indeed a folder called nWfxEYMPby in it? If so, what does it contain? Do not click on any files in that folder.

You might need to enable your hidden and system files in order to see it.

http://www.bleepingcomputer.com/tutorials/show-hidden-files-in-windows-7/



#7 DavidMarlan (Topic Starter)

Posted 10 November 2015 - 03:24 PM

No such folder can be found, hidden folders are enabled.

(screenshot)



#8 Aura
Malware Response Team

Posted 10 November 2015 - 03:32 PM

Did you enable the system files view? Uncheck Hide protected operating system files (recommended) under the "View" tab of "Folder Options".



#9 DavidMarlan (Topic Starter)

Posted 10 November 2015 - 03:37 PM

(screenshot)



#10 Aura
Malware Response Team

Posted 10 November 2015 - 03:50 PM

Alright so it's indeed gone. Let's remove that rogue service then :)
  • On Windows Vista & 7, click on the Windows Start Menu, then enter cmd in the search box, right-click on the cmd icon and select Run as Administrator;
  • On Windows 8, drag your cursor in the bottom-left corner, and right-click on the metro menu preview, then select Command Prompt (Admin);
  • On Windows 8.1, right click on the Windows logo in the bottom-left corner and select Command Prompt (Admin);
  • Enter the command below and press on Enter;
    sc delete tqDPsXxHquA
  • Let me know what message is returned after entering the command;

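One way to look at the rogue service's registration before running the sc delete step above, as an added example that is not part of the thread or of Aura's instructions. It assumes an elevated PowerShell prompt on the affected machine; the service name is the one named in this thread, and the registry layout it reads is the standard one for every Windows service.

```powershell
# Added example, not from the thread: inspect a service's registration before
# deleting it, so the message "sc delete" returns can be interpreted.
# Run from an elevated PowerShell prompt. Default name is the service from this thread.
param([string]$ServiceName = 'tqDPsXxHquA')

$key = "HKLM:\SYSTEM\CurrentControlSet\Services\$ServiceName"
if (-not (Test-Path -LiteralPath $key)) {
    Write-Output "No registration for '$ServiceName' under Services; 'sc delete' would report error 1060 (service does not exist)."
    return
}

$cfg = Get-ItemProperty -LiteralPath $key

# Normalise ImagePath to an on-disk path. Services and drivers register it in
# several shapes: quoted with arguments, \??\C:\..., \SystemRoot\..., or
# relative to %SystemRoot% (for example system32\drivers\foo.sys).
function Resolve-ImagePath([string]$image) {
    if ([string]::IsNullOrWhiteSpace($image)) { return $null }
    $exe = if ($image -match '^"([^"]+)"') { $Matches[1] } else { ($image -split ' ')[0] }
    $exe = [Environment]::ExpandEnvironmentVariables($exe)
    if ($exe.StartsWith('\??\')) { $exe = $exe.Substring(4) }
    if ($exe.StartsWith('\SystemRoot\', [StringComparison]::OrdinalIgnoreCase)) {
        $exe = Join-Path $env:SystemRoot $exe.Substring(12)
    } elseif (-not [IO.Path]::IsPathRooted($exe)) {
        $exe = Join-Path $env:SystemRoot $exe
    }
    return $exe
}

$exe = Resolve-ImagePath ([string]$cfg.ImagePath)
$binaryExists = [bool]($exe -and (Test-Path -LiteralPath $exe))

[pscustomobject]@{
    Service      = $ServiceName
    ImagePath    = $cfg.ImagePath
    ResolvedPath = $exe
    StartType    = $cfg.Start      # 0 boot, 1 system, 2 automatic, 3 manual, 4 disabled
    BinaryExists = $binaryExists
} | Format-List

# The System log posted later in this thread shows "failed to start due to the
# following error: %%2" for this service. Error 2 is ERROR_FILE_NOT_FOUND: the
# binary is already gone, but the registration still tries to start it at boot.
if (-not $binaryExists) {
    Write-Output "Binary is missing: consistent with the 'failed to start ... %%2' events. Only the registration remains."
}

# Mirror the thread's cleanup step. sc.exe prints "[SC] DeleteService SUCCESS"
# when the registration is removed; a service that is still running is only
# marked for deletion and disappears once it stops or after a reboot.
$svc = Get-Service -Name $ServiceName -ErrorAction SilentlyContinue
if ($svc -and $svc.Status -ne 'Stopped') {
    Stop-Service -Name $ServiceName -Force -ErrorAction SilentlyContinue
}
& sc.exe delete $ServiceName
```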


#11 DavidMarlan (Topic Starter)

Posted 10 November 2015 - 04:03 PM

(screenshot)

I haven't reinstalled firefox/chrome BTW, or restarted my computer... but YouTube still doesn't work (haven't tried anything else)


Edited by DavidMarlan, 10 November 2015 - 04:19 PM.


#12 Aura
Malware Response Team

Posted 10 November 2015 - 05:22 PM

Can you follow the first set of instructions I posted here please?

http://www.bleepingcomputer.com/forums/t/595888/internetfirefox-credit-card-malware/#entry3860753

Once done, we'll move on (and use Internet Explorer for the time being).



#13 DavidMarlan (Topic Starter)

Posted 10 November 2015 - 05:45 PM

MiniToolBox by Farbar  Version: 02-11-2015
Ran by Chad (administrator) on 10-11-2015 at 16:45:02
Running from "C:\Users\Chad\Downloads"
Microsoft Windows 7 Ultimate  Service Pack 1 (X64)
Model: System Product Name Manufacturer: System manufacturer
Boot Mode: Normal
***************************************************************************

========================= Flush DNS: ===================================

Windows IP Configuration

Successfully flushed the DNS Resolver Cache.

========================= IE Proxy Settings: ============================== 

Proxy is not enabled.
No Proxy Server is set.

"Reset IE Proxy Settings": IE Proxy Settings were reset.

========================= FF Proxy Settings: ============================== 


"Reset FF Proxy Settings": Firefox Proxy settings were reset.

========================= Hosts content: =================================
========================= IP Configuration: ================================

Intel(R) 82579V Gigabit Network Connection = Local Area Connection (Connected)
Hamachi Network Interface = Hamachi (Connected)


# ----------------------------------
# IPv4 Configuration
# ----------------------------------
pushd interface ipv4

reset
set global icmpredirects=enabled
add route prefix=0.0.0.0/0 interface="Hamachi" nexthop=25.0.0.1 publish=Yes
set interface interface="Hamachi" forwarding=disabled advertise=disabled metric=9000 siteprefixlength=0 nud=disabled routerdiscovery=disabled managedaddress=disabled otherstateful=disabled weakhostsend=disabled weakhostreceive=disabled ignoredefaultroutes=disabled advertisedrouterlifetime=0 advertisedefaultroute=disabled currenthoplimit=0 forcearpndwolpattern=disabled enabledirectedmacwolpattern=disabled


popd
# End of IPv4 configuration



Windows IP Configuration

   Host Name . . . . . . . . . . . . : PC
   Primary Dns Suffix  . . . . . . . : 
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No

Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . : 
   Description . . . . . . . . . . . : Intel(R) 82579V Gigabit Network Connection
   Physical Address. . . . . . . . . : F4-6D-04-AC-F1-F9
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
   Link-local IPv6 Address . . . . . : fe80::1dde:2cae:c544:d913%14(Preferred) 
   IPv4 Address. . . . . . . . . . . : 192.168.0.2(Preferred) 
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Lease Obtained. . . . . . . . . . : Tuesday, November 10, 2015 12:33:48 PM
   Lease Expires . . . . . . . . . . : Tuesday, November 10, 2015 5:33:57 PM
   Default Gateway . . . . . . . . . : 192.168.0.1
   DHCP Server . . . . . . . . . . . : 192.168.0.1
   DHCPv6 IAID . . . . . . . . . . . : 183790852
   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-1C-0E-75-73-F4-6D-04-AC-F1-F9
   DNS Servers . . . . . . . . . . . : 64.59.176.16
                                       64.59.176.228
   NetBIOS over Tcpip. . . . . . . . : Enabled

Ethernet adapter Hamachi:

   Connection-specific DNS Suffix  . : 
   Description . . . . . . . . . . . : Hamachi Network Interface
   Physical Address. . . . . . . . . : 7A-79-19-15-A2-5D
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
   IPv6 Address. . . . . . . . . . . : 2620:9b::1915:a25d(Preferred) 
   Link-local IPv6 Address . . . . . : fe80::240f:68c4:f284:624b%17(Preferred) 
   IPv4 Address. . . . . . . . . . . : 25.21.162.93(Preferred) 
   Subnet Mask . . . . . . . . . . . : 255.0.0.0
   Lease Obtained. . . . . . . . . . : Tuesday, November 10, 2015 12:33:47 PM
   Lease Expires . . . . . . . . . . : Wednesday, November 09, 2016 12:35:55 PM
   Default Gateway . . . . . . . . . : 2620:9b::1900:1
                                       25.0.0.1
   DHCP Server . . . . . . . . . . . : 25.0.0.1
   DHCPv6 IAID . . . . . . . . . . . : 242907443
   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-1C-0E-75-73-F4-6D-04-AC-F1-F9
   DNS Servers . . . . . . . . . . . : fec0:0:0:ffff::1%1
                                       fec0:0:0:ffff::2%1
                                       fec0:0:0:ffff::3%1
   NetBIOS over Tcpip. . . . . . . . : Enabled

Tunnel adapter Teredo Tunneling Pseudo-Interface:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . : 
   Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes

Tunnel adapter isatap.{16ED4BD0-5085-4998-9EC0-63FCC8C4F895}:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . : 
   Description . . . . . . . . . . . : Microsoft ISATAP Adapter #2
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
Server:  nsc4.nr.wp.shawcable.net
Address:  64.59.176.16

Name:    google.com
Addresses:  2607:f8b0:4009:80a::200e
	  24.244.4.50
	  24.244.4.45
	  24.244.4.29
	  24.244.4.40
	  24.244.4.30
	  24.244.4.44
	  24.244.4.55
	  24.244.4.24
	  24.244.4.34
	  24.244.4.25
	  24.244.4.54
	  24.244.4.39
	  24.244.4.20
	  24.244.4.59
	  24.244.4.49
	  24.244.4.35


Pinging google.com [24.244.4.50] with 32 bytes of data:
Reply from 24.244.4.50: bytes=32 time=24ms TTL=60
Reply from 24.244.4.50: bytes=32 time=32ms TTL=60

Ping statistics for 24.244.4.50:
    Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 24ms, Maximum = 32ms, Average = 28ms
Server:  nsc4.nr.wp.shawcable.net
Address:  64.59.176.16

Name:    yahoo.com
Addresses:  2001:4998:44:204::a7
	  2001:4998:58:c02::a9
	  2001:4998:c:a06::2:4008
	  98.138.253.109
	  206.190.36.45
	  98.139.183.24


Pinging yahoo.com [98.138.253.109] with 32 bytes of data:
Reply from 98.138.253.109: bytes=32 time=39ms TTL=54
Reply from 98.138.253.109: bytes=32 time=41ms TTL=54

Ping statistics for 98.138.253.109:
    Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 39ms, Maximum = 41ms, Average = 40ms

Pinging 127.0.0.1 with 32 bytes of data:
Reply from 127.0.0.1: bytes=32 time<1ms TTL=128
Reply from 127.0.0.1: bytes=32 time<1ms TTL=128

Ping statistics for 127.0.0.1:
    Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 0ms, Average = 0ms
===========================================================================
Interface List
 14...f4 6d 04 ac f1 f9 ......Intel(R) 82579V Gigabit Network Connection
 17...7a 79 19 15 a2 5d ......Hamachi Network Interface
  1...........................Software Loopback Interface 1
 15...00 00 00 00 00 00 00 e0 Teredo Tunneling Pseudo-Interface
 12...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #2
===========================================================================

IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0         25.0.0.1     25.21.162.93   9256
          0.0.0.0          0.0.0.0      192.168.0.1      192.168.0.2     10
         25.0.0.0        255.0.0.0         On-link      25.21.162.93   9256
     25.21.162.93  255.255.255.255         On-link      25.21.162.93   9256
   25.255.255.255  255.255.255.255         On-link      25.21.162.93   9256
        127.0.0.0        255.0.0.0         On-link         127.0.0.1    306
        127.0.0.1  255.255.255.255         On-link         127.0.0.1    306
  127.255.255.255  255.255.255.255         On-link         127.0.0.1    306
      192.168.0.0    255.255.255.0         On-link       192.168.0.2    266
      192.168.0.2  255.255.255.255         On-link       192.168.0.2    266
    192.168.0.255  255.255.255.255         On-link       192.168.0.2    266
        224.0.0.0        240.0.0.0         On-link         127.0.0.1    306
        224.0.0.0        240.0.0.0         On-link       192.168.0.2    266
        224.0.0.0        240.0.0.0         On-link      25.21.162.93   9256
  255.255.255.255  255.255.255.255         On-link         127.0.0.1    306
  255.255.255.255  255.255.255.255         On-link       192.168.0.2    266
  255.255.255.255  255.255.255.255         On-link      25.21.162.93   9256
===========================================================================
Persistent Routes:
  Network Address          Netmask  Gateway Address  Metric
          0.0.0.0          0.0.0.0         25.0.0.1  Default 
===========================================================================

IPv6 Route Table
===========================================================================
Active Routes:
 If Metric Network Destination      Gateway
 17   9020 ::/0                     2620:9b::1900:1
  1    306 ::1/128                  On-link
 17    276 2620:9b::/96             On-link
 17    276 2620:9b::1915:a25d/128   On-link
 14    266 fe80::/64                On-link
 17    276 fe80::/64                On-link
 14    266 fe80::1dde:2cae:c544:d913/128
                                    On-link
 17    276 fe80::240f:68c4:f284:624b/128
                                    On-link
  1    306 ff00::/8                 On-link
 14    266 ff00::/8                 On-link
 17    276 ff00::/8                 On-link
===========================================================================
Persistent Routes:
 If Metric Network Destination      Gateway
  0 4294967295 2620:9b::/96             On-link
  0   9000 ::/0                     2620:9b::1900:1
===========================================================================

========================= Event log errors: ===============================

Application errors:
==================
Error: (11/10/2015 12:39:42 PM) (Source: Microsoft-Windows-LoadPerf) (User: NT AUTHORITY)
Description: Unloading the performance counter strings for service WmiApRpl (WmiApRpl) failed. The first DWORD in the Data section contains the error code.

Error: (11/10/2015 12:39:42 PM) (Source: Microsoft-Windows-LoadPerf) (User: NT AUTHORITY)
Description: The performance strings in the Performance registry value is corrupted when process Performance extension counter provider. The BaseIndex value from the Performance registry is the first DWORD in the Data section, LastCounter value is the second DWORD in the Data section, and LastHelp value is the third DWORD in the Data section.

Error: (11/10/2015 01:11:15 AM) (Source: Application Error) (User: )
Description: Faulting application name: chrome.exe, version: 46.0.2490.80, time stamp: 0x56262c73
Faulting module name: unknown, version: 0.0.0.0, time stamp: 0x00000000
Exception code: 0xc0000005
Fault offset: 0x000c573b
Faulting process id: 0x1d24
Faulting application start time: 0xchrome.exe0
Faulting application path: chrome.exe1
Faulting module path: chrome.exe2
Report Id: chrome.exe3

Error: (11/10/2015 12:44:57 AM) (Source: Application Error) (User: )
Description: Faulting application name: dota2.exe, version: 0.0.0.0, time stamp: 0x563159af
Faulting module name: tier0.dll, version: 0.0.0.0, time stamp: 0x563156bb
Exception code: 0xc0000005
Fault offset: 0x00000000000180c4
Faulting process id: 0x1868
Faulting application start time: 0xdota2.exe0
Faulting application path: dota2.exe1
Faulting module path: dota2.exe2
Report Id: dota2.exe3

Error: (11/09/2015 11:15:30 PM) (Source: Application Error) (User: )
Description: Faulting application name: dota2.exe, version: 0.0.0.0, time stamp: 0x563159af
Faulting module name: tier0.dll, version: 0.0.0.0, time stamp: 0x563156bb
Exception code: 0xc0000005
Fault offset: 0x00000000000180c4
Faulting process id: 0x1f4c
Faulting application start time: 0xdota2.exe0
Faulting application path: dota2.exe1
Faulting module path: dota2.exe2
Report Id: dota2.exe3

Error: (11/09/2015 11:15:12 PM) (Source: Application Error) (User: )
Description: Faulting application name: dota2.exe, version: 0.0.0.0, time stamp: 0x563159af
Faulting module name: tier0.dll, version: 0.0.0.0, time stamp: 0x563156bb
Exception code: 0xc0000005
Fault offset: 0x00000000000180c4
Faulting process id: 0x1eac
Faulting application start time: 0xdota2.exe0
Faulting application path: dota2.exe1
Faulting module path: dota2.exe2
Report Id: dota2.exe3

Error: (11/09/2015 11:14:46 PM) (Source: Application Error) (User: )
Description: Faulting application name: dota2.exe, version: 0.0.0.0, time stamp: 0x563159af
Faulting module name: tier0.dll, version: 0.0.0.0, time stamp: 0x563156bb
Exception code: 0xc0000005
Fault offset: 0x00000000000180c4
Faulting process id: 0x1fec
Faulting application start time: 0xdota2.exe0
Faulting application path: dota2.exe1
Faulting module path: dota2.exe2
Report Id: dota2.exe3

Error: (11/09/2015 11:14:34 PM) (Source: Application Error) (User: )
Description: Faulting application name: dota2.exe, version: 0.0.0.0, time stamp: 0x563159af
Faulting module name: tier0.dll, version: 0.0.0.0, time stamp: 0x563156bb
Exception code: 0xc0000005
Fault offset: 0x00000000000180c4
Faulting process id: 0x1a9c
Faulting application start time: 0xdota2.exe0
Faulting application path: dota2.exe1
Faulting module path: dota2.exe2
Report Id: dota2.exe3

Error: (11/09/2015 11:14:16 PM) (Source: Application Error) (User: )
Description: Faulting application name: dota2.exe, version: 0.0.0.0, time stamp: 0x563159af
Faulting module name: tier0.dll, version: 0.0.0.0, time stamp: 0x563156bb
Exception code: 0xc0000005
Fault offset: 0x00000000000180c4
Faulting process id: 0x1d48
Faulting application start time: 0xdota2.exe0
Faulting application path: dota2.exe1
Faulting module path: dota2.exe2
Report Id: dota2.exe3

Error: (11/09/2015 11:14:06 PM) (Source: Application Error) (User: )
Description: Faulting application name: dota2.exe, version: 0.0.0.0, time stamp: 0x563159af
Faulting module name: tier0.dll, version: 0.0.0.0, time stamp: 0x563156bb
Exception code: 0xc0000005
Fault offset: 0x00000000000180c4
Faulting process id: 0x1f14
Faulting application start time: 0xdota2.exe0
Faulting application path: dota2.exe1
Faulting module path: dota2.exe2
Report Id: dota2.exe3


System errors:
=============
Error: (11/10/2015 02:35:58 PM) (Source: Schannel) (User: NT AUTHORITY)
Description: The following fatal alert was received: 20.

Error: (11/10/2015 12:33:49 PM) (Source: Service Control Manager) (User: )
Description: The tqDPsXxHquA service failed to start due to the following error: 
%%2

Error: (11/10/2015 12:33:47 PM) (Source: EventLog) (User: )
Description: The previous system shutdown at 12:29:53 PM on 11/10/2015 was unexpected.

Error: (11/09/2015 04:28:08 PM) (Source: Service Control Manager) (User: )
Description: The tqDPsXxHquA service failed to start due to the following error: 
%%2

Error: (11/09/2015 04:27:11 PM) (Source: Service Control Manager) (User: )
Description: The MBAMScheduler service terminated unexpectedly.  It has done this 1 time(s).

Error: (11/09/2015 04:27:11 PM) (Source: Service Control Manager) (User: )
Description: The MBAMService service terminated unexpectedly.  It has done this 1 time(s).

Error: (11/09/2015 04:27:11 PM) (Source: Service Control Manager) (User: )
Description: The Windows Media Player Network Sharing Service service terminated unexpectedly.  It has done this 1 time(s).  The following corrective action will be taken in 30000 milliseconds: Restart the service.

Error: (11/09/2015 04:27:11 PM) (Source: Service Control Manager) (User: )
Description: The Windows Search service terminated unexpectedly.  It has done this 1 time(s).  The following corrective action will be taken in 30000 milliseconds: Restart the service.

Error: (11/09/2015 04:27:11 PM) (Source: Service Control Manager) (User: )
Description: The VIPRE Antivirus service terminated unexpectedly.  It has done this 1 time(s).

Error: (11/09/2015 04:27:11 PM) (Source: Service Control Manager) (User: )
Description: The Disc Soft Lite Bus Service service terminated unexpectedly.  It has done this 1 time(s).


Microsoft Office Sessions:
=========================
Error: (11/10/2015 12:39:42 PM) (Source: Microsoft-Windows-LoadPerf)(User: NT AUTHORITY)
Description: WmiApRplWmiApRpl8F20300004D070000

Error: (11/10/2015 12:39:42 PM) (Source: Microsoft-Windows-LoadPerf)(User: NT AUTHORITY)
Description: Performance1637070000144901000000000009030000

Error: (11/10/2015 01:11:15 AM) (Source: Application Error)(User: )
Description: chrome.exe46.0.2490.8056262c73unknown0.0.0.000000000c0000005000c573b1d2401d11b811b1c72cbC:\Program Files (x86)\Google\Chrome\Application\chrome.exeunknown3a8a9b83-877a-11e5-afed-f46d04acf1f9

Error: (11/10/2015 12:44:57 AM) (Source: Application Error)(User: )
Description: dota2.exe0.0.0.0563159aftier0.dll0.0.0.0563156bbc000000500000000000180c4186801d11b834b838c8fe:\Program Files (x86)\Steam\steamapps\common\dota 2 beta\game\bin\win64\dota2.exee:\Program Files (x86)\Steam\steamapps\common\dota 2 beta\game\bin\win64\tier0.dll8e031dfd-8776-11e5-afed-f46d04acf1f9

Error: (11/09/2015 11:15:30 PM) (Source: Application Error)(User: )
Description: dota2.exe0.0.0.0563159aftier0.dll0.0.0.0563156bbc000000500000000000180c41f4c01d11b76cd829a34e:\Program Files (x86)\Steam\steamapps\common\dota 2 beta\game\bin\win64\dota2.exee:\Program Files (x86)\Steam\steamapps\common\dota 2 beta\game\bin\win64\tier0.dll0eec23b0-876a-11e5-afed-f46d04acf1f9

Error: (11/09/2015 11:15:12 PM) (Source: Application Error)(User: )
Description: dota2.exe0.0.0.0563159aftier0.dll0.0.0.0563156bbc000000500000000000180c41eac01d11b76c2161692e:\Program Files (x86)\Steam\steamapps\common\dota 2 beta\game\bin\win64\dota2.exee:\Program Files (x86)\Steam\steamapps\common\dota 2 beta\game\bin\win64\tier0.dll04246df8-876a-11e5-afed-f46d04acf1f9

Error: (11/09/2015 11:14:46 PM) (Source: Application Error)(User: )
Description: dota2.exe0.0.0.0563159aftier0.dll0.0.0.0563156bbc000000500000000000180c41fec01d11b76b3784438e:\Program Files (x86)\Steam\steamapps\common\dota 2 beta\game\bin\win64\dota2.exee:\Program Files (x86)\Steam\steamapps\common\dota 2 beta\game\bin\win64\tier0.dllf4f41d79-8769-11e5-afed-f46d04acf1f9

Error: (11/09/2015 11:14:34 PM) (Source: Application Error)(User: )
Description: dota2.exe0.0.0.0563159aftier0.dll0.0.0.0563156bbc000000500000000000180c41a9c01d11b76ac08edc9e:\Program Files (x86)\Steam\steamapps\common\dota 2 beta\game\bin\win64\dota2.exee:\Program Files (x86)\Steam\steamapps\common\dota 2 beta\game\bin\win64\tier0.dlledcb6e03-8769-11e5-afed-f46d04acf1f9

Error: (11/09/2015 11:14:16 PM) (Source: Application Error)(User: )
Description: dota2.exe0.0.0.0563159aftier0.dll0.0.0.0563156bbc000000500000000000180c41d4801d11b76a1758f45e:\Program Files (x86)\Steam\steamapps\common\dota 2 beta\game\bin\win64\dota2.exee:\Program Files (x86)\Steam\steamapps\common\dota 2 beta\game\bin\win64\tier0.dlle3148169-8769-11e5-afed-f46d04acf1f9

Error: (11/09/2015 11:14:06 PM) (Source: Application Error)(User: )
Description: dota2.exe0.0.0.0563159aftier0.dll0.0.0.0563156bbc000000500000000000180c41f1401d11b769aa672cfe:\Program Files (x86)\Steam\steamapps\common\dota 2 beta\game\bin\win64\dota2.exee:\Program Files (x86)\Steam\steamapps\common\dota 2 beta\game\bin\win64\tier0.dlldccd5ba1-8769-11e5-afed-f46d04acf1f9


CodeIntegrity Errors:
===================================
  Date: 2015-10-01 18:01:22.894
  Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume1\Windows\System32\drivers\nvlddmkm.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.

  Date: 2015-10-01 18:01:22.816
  Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume1\Windows\System32\drivers\nvlddmkm.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.


=========================== Installed Programs ============================

Adobe Flash Player 16 ActiveX (HKLM-x32\...\Adobe Flash Player ActiveX) (Version: 16.0.0.305 - Adobe Systems Incorporated)
Adobe Flash Player 16 NPAPI (HKLM-x32\...\Adobe Flash Player NPAPI) (Version: 16.0.0.305 - Adobe Systems Incorporated)
Adobe Photoshop CC 2014 (HKLM-x32\...\{D7A4F897-B20A-42D0-862D-CB5F6DB7391D}) (Version: 15.2 - Adobe Systems Incorporated)
Adobe Reader XI (11.0.13) (HKLM-x32\...\{AC76BA86-7AD7-1033-7B44-AB0000000001}) (Version: 11.0.13 - Adobe Systems Incorporated)
Adobe Shockwave Player 12.1 (HKLM-x32\...\Adobe Shockwave Player) (Version: 12.1.7.157 - Adobe Systems, Inc.)
Arma 3 (HKLM-x32\...\Steam App 107410) (Version:  - Bohemia Interactive)
ASUS GPU Tweak (HKLM-x32\...\{532F6E8A-AF97-41C3-915F-39F718EC07D1}) (Version: 2.7.5.0 - ASUSTek COMPUTER INC.) Hidden
ASUS GPU Tweak (HKLM-x32\...\InstallShield_{532F6E8A-AF97-41C3-915F-39F718EC07D1}) (Version: 2.7.5.0 - ASUSTek COMPUTER INC.)
ASUS Product Register Program (HKLM-x32\...\{C87D79F6-F813-4812-B7A9-CCCAAB8B1188}) (Version: 1.0.026 - ASUSTek Computer Inc.)
Audacity 2.1.0 (HKLM-x32\...\Audacity_is1) (Version: 2.1.0 - Audacity Team)
AutoHotkey 1.0.48.05 (HKLM-x32\...\AutoHotkey) (Version: 1.0.48.05 - Chris Mallett)
Battle.net (HKLM-x32\...\Battle.net) (Version:  - Blizzard Entertainment)
BitTorrent (HKCU\...\BitTorrent) (Version: 7.9.5.41203 - BitTorrent Inc.)
BitTorrent Sync (HKLM\...\BitTorrent Sync) (Version: 2.0.128 - BitTorrent Inc.)
BitTorrent Sync (HKLM-x32\...\BitTorrent Sync) (Version: 1.4.110 - BitTorrent Inc.)
Castle Crashers (HKLM-x32\...\Steam App 204360) (Version:  - The Behemoth)
DAEMON Tools Lite (HKLM\...\DAEMON Tools Lite) (Version: 10.1.0.0074 - Disc Soft Ltd)
Discord (HKCU\...\Discord) (Version: 0.0.280 - Hammer & Chisel)
Divinity: Original Sin Enhanced Edition (HKLM-x32\...\Steam App 373420) (Version:  - Larian Studios)
Dota 2 (HKLM-x32\...\Steam App 570) (Version:  - Valve)
Dropbox (HKCU\...\Dropbox) (Version: 3.0.3 - Dropbox, Inc.)
Fallout 4 (HKLM-x32\...\Steam App 377160) (Version:  - Bethesda Game Studios)
Git version 1.9.5-preview20141217 (HKLM-x32\...\Git_is1) (Version: 1.9.5-preview20141217 - The Git Development Community)
GPUTweakStreaming (HKLM-x32\...\{D2A41AA7-4313-43D5-AA39-7E3FBBE0556D}) (Version: 1.0.3.5 - ASUS) Hidden
GPUTweakStreaming (HKLM-x32\...\InstallShield_{D2A41AA7-4313-43D5-AA39-7E3FBBE0556D}) (Version: 1.0.3.5 - ASUS)
Intel(R) Driver Update Utility 2.0 (HKLM-x32\...\{59DB38EB-F864-4E10-841D-38CFBCF864B0}) (Version: 2.0.0.29 - Intel) Hidden
Intel(R) Network Connections 15.6.25.0 (HKLM\...\PROSetDX) (Version: 15.6.25.0 - Intel)
Intel® Driver Update Utility (HKLM-x32\...\{8409c4f7-2340-4933-a304-5d37db4fb48b}) (Version: 2.0.0.29 - Intel)
Intruder (HKLM-x32\...\{F9687E06-72EC-4E3F-BCF1-49CD1012319D}) (Version: 449 - Superboss Games)
JMicron JMB36X Driver (HKLM-x32\...\{3A1B5D40-41E9-43FA-8C7B-A8667F5586EF}) (Version: 1.17.58.2 - JMicron Technology Corp.)
Keep Talking and Nobody Explodes (HKLM-x32\...\Steam App 341800) (Version:  - Steel Crate Games)
Kerbal Space Program (HKLM-x32\...\Steam App 220200) (Version:  - Squad)
LAME v3.99.3 (for Windows) (HKLM-x32\...\LAME_is1) (Version:  - )
LogMeIn Hamachi (HKLM-x32\...\{38DAAEA7-903D-4FBF-A5D3-F7EB8F83782A}) (Version: 2.2.0.406 - LogMeIn, Inc.) Hidden
LogMeIn Hamachi (HKLM-x32\...\LogMeIn Hamachi) (Version: 2.2.0.406 - LogMeIn, Inc.)
Malwarebytes Anti-Malware version 2.2.0.1024 (HKLM-x32\...\Malwarebytes Anti-Malware_is1) (Version: 2.2.0.1024 - Malwarebytes)
marvell 91xx driver (HKLM-x32\...\MagniDriver) (Version: 1.0.0.1051 - Marvell)
Microsoft .NET Framework 4.5.2 (HKLM\...\{92FB6C44-E685-45AD-9B20-CADF4CABA132} - 1033) (Version: 4.5.51209 - Microsoft Corporation)
Microsoft Office Professional Plus 2010 (HKLM-x32\...\Office14.PROPLUS) (Version: 14.0.4734.1000 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (HKLM-x32\...\{7299052b-02a4-4627-81f2-1818da5d550d}) (Version: 8.0.56336 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.6161 (HKLM\...\{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4}) (Version: 9.0.30729.6161 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022 (HKLM-x32\...\{FF66E9F6-83E7-3A3E-AF14-8DE9A809A6A4}) (Version: 9.0.21022 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17 (HKLM-x32\...\{9A25302D-30C0-39D9-BD6F-21E6EC160475}) (Version: 9.0.30729 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (HKLM-x32\...\{9BE518E6-ECC6-35A9-88E4-87755C07200F}) (Version: 9.0.30729.6161 - Microsoft Corporation)
Microsoft Visual C++ 2010 Redistributable - x64 10.0.40219 (HKLM\...\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}) (Version: 10.0.40219 - Microsoft Corporation)
Microsoft Visual C++ 2010 Redistributable - x86 10.0.40219 (HKLM-x32\...\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}) (Version: 10.0.40219 - Microsoft Corporation)
Microsoft Visual C++ 2012 Redistributable (x64) - 11.0.61030 (HKLM-x32\...\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}) (Version: 11.0.61030.0 - Microsoft Corporation)
Microsoft Visual C++ 2012 Redistributable (x86) - 11.0.61030 (HKLM-x32\...\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}) (Version: 11.0.61030.0 - Microsoft Corporation)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (HKLM-x32\...\{050d4fc8-5d48-4b8f-8972-47c82c46020f}) (Version: 12.0.30501.0 - Microsoft Corporation)
Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (HKLM-x32\...\{f65db027-aff3-4070-886a-0d87064aabb1}) (Version: 12.0.30501.0 - Microsoft Corporation)
Microsoft Visual C++ 2015 Redistributable (x64) - 14.0.23026 (HKLM-x32\...\{e46eca4f-393b-40df-9f49-076faf788d83}) (Version: 14.0.23026.0 - Microsoft Corporation)
Microsoft Visual C++ 2015 Redistributable (x86) - 14.0.23026 (HKLM-x32\...\{74d0e5db-b326-4dae-a6b2-445b9de1836e}) (Version: 14.0.23026.0 - Microsoft Corporation)
Microsoft XNA Framework Redistributable 4.0 (HKLM-x32\...\{2BFC7AA0-544C-4E3A-8796-67F3BE655BE9}) (Version: 4.0.20823.0 - Microsoft Corporation)
MSXML 4.0 SP2 (KB954430) (HKLM-x32\...\{86493ADD-824D-4B8E-BD72-8C5DCDC52A71}) (Version: 4.20.9870.0 - Microsoft Corporation)
MSXML 4.0 SP2 (KB973688) (HKLM-x32\...\{F662A8E6-F4DC-41A2-901E-8C11F044BDEC}) (Version: 4.20.9876.0 - Microsoft Corporation)
Mumble 1.2.8 (HKLM-x32\...\{A9DBD31A-A09F-4C7E-86D1-3B21C59000D1}) (Version: 1.2.8 - Thorvald Natvig)
Notepad++ (HKLM-x32\...\Notepad++) (Version: 6.7.4 - Notepad++ Team)
NVIDIA GeForce Experience 2.4.5.28 (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.GFExperience) (Version: 2.4.5.28 - NVIDIA Corporation)
NVIDIA Graphics Driver 353.06 (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.Driver) (Version: 353.06 - NVIDIA Corporation)
NVIDIA HD Audio Driver 1.3.34.3 (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_HDAudio.Driver) (Version: 1.3.34.3 - NVIDIA Corporation)
NVIDIA PhysX (HKLM-x32\...\{8B922CF8-8A6C-41CE-A858-F1755D7F5D29}) (Version: 9.12.1031 - NVIDIA Corporation)
Path of Exile (HKLM-x32\...\Steam App 238960) (Version:  - Grinding Gear Games)
PAYDAY 2 (HKLM-x32\...\Steam App 218620) (Version:  - OVERKILL - a Starbreeze Studio.)
PBO Manager v.1.4 beta (HKLM\...\{127B5371-1802-4EDD-A25A-A43BF761D383}) (Version: 1.4.0 -  )
puush (HKLM-x32\...\{C3592426-531E-4110-911D-BFECE2CE284B}) (Version: 1.0.0.0 - Dean Herbert)
Razer Synapse 2.0 (HKLM-x32\...\{0D78BEE2-F8FF-4498-AF1A-3FF81CED8AC6}) (Version: 1.18.18.23036 - Razer Inc.)
Realtek High Definition Audio Driver (HKLM-x32\...\{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}) (Version: 6.0.1.7246 - Realtek Semiconductor Corp.)
Renesas Electronics USB 3.0 Host Controller Driver (HKLM-x32\...\{5442DAB8-7177-49E1-8B22-09A049EA5996}) (Version: 2.0.32.0 - Renesas Electronics Corporation) Hidden
Renesas Electronics USB 3.0 Host Controller Driver (HKLM-x32\...\InstallShield_{5442DAB8-7177-49E1-8B22-09A049EA5996}) (Version: 2.0.32.0 - Renesas Electronics Corporation)
Rockstar Games Social Club (HKLM-x32\...\Rockstar Games Social Club) (Version: 1.1.5.8 - Rockstar Games)
Rust (HKLM-x32\...\Steam App 252490) (Version:  - Facepunch Studios)
SHIELD Streaming (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_GFExperience.NvStreamSrv) (Version: 4.1.2000 - NVIDIA Corporation) Hidden
SHIELD Wireless Controller Driver (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_ShieldWirelessController) (Version: 2.4.5.28 - NVIDIA Corporation) Hidden
Skype™ 7.12 (HKLM-x32\...\{6A0549A9-1B96-498C-ACBC-3943001FEB19}) (Version: 7.12.101 - Skype Technologies S.A.)
Space Engineers (HKLM-x32\...\Steam App 244850) (Version:  - Keen Software House)
Space Engineers Toolbox (HKLM-x32\...\{551FE583-9DDA-4D55-8DAE-96B3D8DB4C34}) (Version: 01.069.005.1 - Mid-Space Productions)
Starbound (HKLM-x32\...\Steam App 211820) (Version:  - )
Steam (HKLM-x32\...\Steam) (Version: 2.10.91.91 - Valve Corporation)
swMSM (HKLM-x32\...\{612C34C7-5E90-47D8-9B5C-0F717DD82726}) (Version: 12.0.0.1 - Adobe Systems, Inc) Hidden
TeamSpeak 3 Client (HKLM-x32\...\TeamSpeak 3 Client) (Version: 3.0.16 - TeamSpeak Systems GmbH)
TeamViewer 10 (HKLM-x32\...\TeamViewer) (Version: 10.0.47484 - TeamViewer)
Terraria (HKLM-x32\...\Steam App 105600) (Version:  - Re-Logic)
The Witcher 3: Wild Hunt (HKLM-x32\...\Steam App 292030) (Version:  - CD PROJEKT RED)
TurboTax Free Forms 2014 (HKLM-x32\...\{9755D4A0-8B7C-4E18-ABE1-5562F227E100}) (Version: 1.0.10.1 - Intuit Canada)
Unity Web Player (HKCU\...\UnityWebPlayer) (Version: 4.6.1f1 - Unity Technologies ApS)
Ventrilo Client for Windows x64 (HKLM\...\{EEB3F6BB-318D-4CE5-989F-8191FCBFB578}) (Version: 3.0.8.0 - Flagship Industries, Inc.)
VIPRE Antivirus (HKLM-x32\...\{3C3539EF-9E90-49DA-B1D0-CC941FE017D5}) (Version: 8.0.5.3 - ThreatTrack Security, Inc.) Hidden
VIPRE Antivirus (HKLM-x32\...\{C1D1FC57-3EB9-4B21-BCA3-F1C927508200}) (Version: 8.0.5.3 - ThreatTrack Security Inc.)
VLC media player (HKLM-x32\...\VLC media player) (Version: 2.1.5 - VideoLAN)
Warcraft III (HKLM-x32\...\Warcraft III) (Version:  - )
Warcraft III: All Products (HKCU\...\Warcraft III) (Version:  - )
WinRAR 5.30 beta 3 (64-bit) (HKLM\...\WinRAR archiver) (Version: 5.30.3 - win.rar GmbH)
WinZip 15.0 (HKLM-x32\...\{CD95F661-A5C4-44F5-A6AA-ECDD91C240BE}) (Version: 15.0.9302 - WinZip Computing, S.L. )

========================= Devices: ================================


========================= Memory info: ===================================

Percentage of memory in use: 55%
Total physical RAM: 16351.13 MB
Available physical RAM: 7332.07 MB
Total Virtual: 16861.32 MB
Available Virtual: 3758.11 MB

========================= Partitions: =====================================

1 Drive c: (WINDOWS 7 x64) (Fixed) (Total:223.47 GB) (Free:164.6 GB) NTFS
2 Drive d: (STORAGE) (Fixed) (Total:465.76 GB) (Free:108.81 GB) NTFS
3 Drive e: (SSD GAMES) (Fixed) (Total:223.57 GB) (Free:33.46 GB) NTFS
4 Drive f: (WINDOWS 7 x86) (Fixed) (Total:1863.01 GB) (Free:1827.01 GB) NTFS

========================= Users: ========================================

User accounts for \\PC

Administrator            Chad                     Guest                    


**** End of log ****
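Those three Application Error lines read as noise, but they are just the thirteen insertion strings of Windows Event ID 1000 (faulting application, version, PE time stamp, faulting module, version, time stamp, exception code, fault offset, process id, start time, the two paths, report id) printed back to back with no separator. The parser below is an added example, not part of this thread or of MiniToolBox; it takes the three Description values above as constructed input and splits them back into fields. It is the check worth running before reading anything sinister into a crash entry: here every line decodes to exception 0xc0000005 (an access violation) in the tier0.dll that ships in the Dota 2 directory, at the same offset each time, from three different process ids. Assumptions made by the code: the Event 1000 field order, drive-letter paths for both files, and a small table of common exception codes used to resolve the one genuinely ambiguous boundary (a version's last digits run straight into the eight-hex-digit time stamp).

```python
"""Split MiniToolBox's one-line Event ID 1000 "Description" values back into fields.

Added example (not from the thread or from MiniToolBox). Assumes the standard
Event 1000 insertion-string order and drive-letter paths for both files.
"""
import re
from datetime import datetime, timedelta, timezone

# Constructed input: the three Description values from the log above, with
# the shared directory factored out so the backslashes stay readable.
_DIR = "e:\\Program Files (x86)\\Steam\\steamapps\\common\\dota 2 beta\\game\\bin\\win64\\"
SAMPLE_DESCRIPTIONS = [
    "dota2.exe0.0.0.0563159aftier0.dll0.0.0.0563156bbc000000500000000000180c4"
    "1a9c01d11b76ac08edc9" + _DIR + "dota2.exe" + _DIR + "tier0.dll"
    "edcb6e03-8769-11e5-afed-f46d04acf1f9",
    "dota2.exe0.0.0.0563159aftier0.dll0.0.0.0563156bbc000000500000000000180c4"
    "1d4801d11b76a1758f45" + _DIR + "dota2.exe" + _DIR + "tier0.dll"
    "e3148169-8769-11e5-afed-f46d04acf1f9",
    "dota2.exe0.0.0.0563159aftier0.dll0.0.0.0563156bbc000000500000000000180c4"
    "1f1401d11b769aa672cf" + _DIR + "dota2.exe" + _DIR + "tier0.dll"
    "dccd5ba1-8769-11e5-afed-f46d04acf1f9",
]

# Exception codes that routinely appear in Event 1000 (NTSTATUS, CLR, MSVC).
KNOWN_EXCEPTIONS = {
    "c0000005": "STATUS_ACCESS_VIOLATION",
    "c0000409": "STATUS_STACK_BUFFER_OVERRUN",
    "c00000fd": "STATUS_STACK_OVERFLOW",
    "c0000374": "STATUS_HEAP_CORRUPTION",
    "c0000417": "STATUS_INVALID_CRUNTIME_PARAMETER",
    "c000001d": "STATUS_ILLEGAL_INSTRUCTION",
    "80000003": "STATUS_BREAKPOINT",
    "e0434352": "CLR exception",
    "e06d7363": "MSVC C++ exception",
}

GUID_RE = r"[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}"
# Tail of the line: <app path><module path><report id>. Each path starts with a
# drive letter, which is the only place a ':' can occur in the whole value.
TAIL_RE = re.compile(
    r"^(?P<app_path>[A-Za-z]:\\.+?)(?P<mod_path>[A-Za-z]:\\.+?)"
    r"(?P<report_id>" + GUID_RE + r")$"
)


def pe_timestamp(hex8: str) -> datetime:
    """PE/COFF link time stamp: seconds since the Unix epoch, printed as hex."""
    return datetime.fromtimestamp(int(hex8, 16), tz=timezone.utc)


def filetime(hex16: str) -> datetime:
    """Windows FILETIME: 100 ns ticks since 1601-01-01 UTC."""
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=int(hex16, 16) // 10)


def parse_event1000(desc: str) -> dict:
    """Recover the Event 1000 fields from MiniToolBox's concatenated form."""
    cut = desc.index(":\\") - 1          # first drive colon = start of app path
    head, tail = desc[:cut], desc[cut:]
    m = TAIL_RE.match(tail)
    if not m:
        raise ValueError("unrecognised path/report-id tail")
    app_path, mod_path, report_id = m.group("app_path", "mod_path", "report_id")
    app_name = app_path.rsplit("\\", 1)[-1]
    mod_name = mod_path.rsplit("\\", 1)[-1]
    if not head.startswith(app_name):
        raise ValueError("application name does not match its path")
    # Between the two file names sits '<app version><8-hex time stamp>'; both are
    # digits, so the boundary is simply the last eight characters.
    mod_at = head.index(mod_name, len(app_name))
    app_seg = head[len(app_name):mod_at]
    app_version, app_stamp = app_seg[:-8], app_seg[-8:]
    # rest = '<module version><8-hex stamp><exception><offset><pid><start time>'.
    # Everything after the version's last dot is a hex digit, so the end of the
    # version is ambiguous: try the shortest split first and keep the first one
    # whose exception code is recognised; fall back to the shortest otherwise.
    rest = head[mod_at + len(mod_name):]
    vm = re.match(r"(\d+\.\d+\.\d+\.)(\d+)", rest)
    if not vm:
        raise ValueError("module version not found")
    prefix, digits = vm.groups()
    mod_version, blob = prefix + digits[:1], rest[len(prefix) + 1:]
    for k in range(1, len(digits) + 1):
        cand_version = prefix + digits[:k]
        cand_blob = rest[len(cand_version):]
        if len(cand_blob) >= 8 + 8 + 8 + 1 + 16 and cand_blob[8:16] in KNOWN_EXCEPTIONS:
            mod_version, blob = cand_version, cand_blob
            break
    mod_stamp, exception, start_time = blob[:8], blob[8:16], blob[-16:]
    middle = blob[16:-16]
    # Fault offset is 16 hex digits for a 64-bit process and 8 for a 32-bit one;
    # a pid never needs more than 8, so the length of the middle decides.
    off_len = 16 if len(middle) > 16 else 8
    fault_offset, pid_hex = middle[:off_len], middle[off_len:]
    return {
        "app_name": app_name, "app_version": app_version, "app_stamp": app_stamp,
        "mod_name": mod_name, "mod_version": mod_version, "mod_stamp": mod_stamp,
        "exception": exception,
        "exception_name": KNOWN_EXCEPTIONS.get(exception, "unknown"),
        "fault_offset": fault_offset, "pid": int(pid_hex, 16),
        "start_time": start_time, "app_path": app_path, "mod_path": mod_path,
        "report_id": report_id,
    }


if __name__ == "__main__":
    for row in map(parse_event1000, SAMPLE_DESCRIPTIONS):
        print(f"{row['app_name']} pid {row['pid']} crashed in {row['mod_name']} "
              f"({row['exception']} {row['exception_name']}) at +0x{row['fault_offset']}, "
              f"module built {pe_timestamp(row['mod_stamp']):%Y-%m-%d}")
```

The known-exception table is only there to pin down where a file version ends and the hex time stamp begins; with versions of 0.0.0.0, as in this log, every candidate split but the first fails that check, and the remaining boundaries (eight-character stamps, sixteen-character start time, offset width by length) are fixed by the event format itself.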



#14 Aura

    Bleepin' Special Ops


  • Malware Response Team
  • 19,683 posts
  • Gender:Male
  • Local time:06:00 PM

Posted 10 November 2015 - 05:49 PM

Not the MiniToolBox instructions, the ones about uninstalling Mozilla Firefox and Google Chrome and deleting their related folders :)

Security Administrator | Sysnative Windows Update Senior Analyst | Malware Hunter | @SecurityAura
My timezone UTC-05:00 (East. Coast). If I didn't reply to you within 48 hours, please send me a PM.


#15 DavidMarlan

  • Topic Starter

  • Members
  • 41 posts
  • Local time:06:00 PM

Posted 10 November 2015 - 06:08 PM

Yes, both have already been uninstalled/deleted.





