
Am I Infected? I think so.


6 replies to this topic

#1 Mandalore88

  • Members
  • 5 posts

Posted 12 November 2015 - 01:56 AM

Greetings,

 

Kind of a beginner, hoping to get some input. PC is running slow and it was probably my fault downloading stuff. I get several instances of conhost.exe in my task manager, and sometimes none. At times there were 5 or 6 instances using 30,000k each.

 

I have run the following using instructions found here:

 

CCleaner

MTB

GMER

Malware Bytes

screen317's Security Check version 1.009

 

 

 

If I should run another test please let me know...Any advice is greatly appreciated! :)

 

 

Malwarebytes Anti-Malware
www.malwarebytes.org
 
Scan Date: 11/11/2015
Scan Time: 9:35 PM
Logfile: results 1 11.11.15.txt
Administrator: Yes
 
Version: 2.2.0.1024
Malware Database: v2015.11.11.08
Rootkit Database: v2015.11.04.02
License: Free
Malware Protection: Disabled
Malicious Website Protection: Disabled
Self-protection: Disabled
 
OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: Weaver
 
Scan Type: Threat Scan
Result: Completed
Objects Scanned: 369943
Time Elapsed: 9 min, 36 sec
 
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled
 
Processes: 0
(No malicious items detected)
 
Modules: 0
(No malicious items detected)
 
Registry Keys: 0
(No malicious items detected)
 
Registry Values: 0
(No malicious items detected)
 
Registry Data: 0
(No malicious items detected)
 
Folders: 0
(No malicious items detected)
 
Files: 0
(No malicious items detected)
 
Physical Sectors: 0
(No malicious items detected)
 
 
(end)
 

 Results of screen317's Security Check version 1.009  
 Windows 7 Service Pack 1 x64 (UAC is enabled)  
 Internet Explorer 11  
``````````````Antivirus/Firewall Check:`````````````` 
 Windows Firewall Enabled!  
 WMI entry may not exist for antivirus; attempting automatic update. 
`````````Anti-malware/Other Utilities Check:````````` 
 Java 8 Update 25  
 Java version 32-bit out of Date! 
 Adobe Flash Player 19.0.0.245  
 Adobe Reader 10.1.16 Adobe Reader out of Date!  
 Mozilla Firefox 38.0.5 Firefox out of Date!  
 Google Chrome (46.0.2490.86) 
````````Process Check: objlist.exe by Laurent````````  
`````````````````System Health check````````````````` 
 Total Fragmentation on Drive C: 0% 
````````````````````End of Log`````````````````````` 
 

GMER 2.1.19357 - http://www.gmer.net
Rootkit scan 2015-11-11 22:30:54
Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 ST3500413AS rev.JC45 465.76GB
Running: uxeg0mts.exe; Driver: C:\Users\Weaver\AppData\Local\Temp\awddypow.sys
 
 
---- User code sections - GMER 2.1 ----
 
.text    C:\Users\Weaver\AppData\Roaming\VERIZON\UA_ar\UA.exe[1876] C:\Windows\SysWOW64\ntdll.dll!DbgBreakPoint                                                                                                                          000000007751000c 1 byte [C3]
.text    C:\Users\Weaver\AppData\Roaming\VERIZON\UA_ar\UA.exe[1876] C:\Windows\SysWOW64\ntdll.dll!DbgUiRemoteBreakin                                                                                                                     000000007759fbaa 5 bytes JMP 0000000177559cfb
.text    C:\Program Files (x86)\Razer\Synapse\RzSynapse.exe[2256] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17                                                                                                                0000000076031401 2 bytes JMP 7701b21b C:\Windows\syswow64\KERNEL32.dll
.text    C:\Program Files (x86)\Razer\Synapse\RzSynapse.exe[2256] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17                                                                                                                  0000000076031419 2 bytes JMP 7701b346 C:\Windows\syswow64\KERNEL32.dll
.text    C:\Program Files (x86)\Razer\Synapse\RzSynapse.exe[2256] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17                                                                                                                0000000076031431 2 bytes JMP 77098f29 C:\Windows\syswow64\KERNEL32.dll
.text    C:\Program Files (x86)\Razer\Synapse\RzSynapse.exe[2256] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42                                                                                                                000000007603144a 2 bytes CALL 76ff489d C:\Windows\syswow64\KERNEL32.dll
.text    ...                                                                                                                                                                                                                             * 9
.text    C:\Program Files (x86)\Razer\Synapse\RzSynapse.exe[2256] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17                                                                                                                   00000000760314dd 2 bytes JMP 77098822 C:\Windows\syswow64\KERNEL32.dll
.text    C:\Program Files (x86)\Razer\Synapse\RzSynapse.exe[2256] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17                                                                                                            00000000760314f5 2 bytes JMP 770989f8 C:\Windows\syswow64\KERNEL32.dll
.text    C:\Program Files (x86)\Razer\Synapse\RzSynapse.exe[2256] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17                                                                                                                   000000007603150d 2 bytes JMP 77098718 C:\Windows\syswow64\KERNEL32.dll
.text    C:\Program Files (x86)\Razer\Synapse\RzSynapse.exe[2256] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17                                                                                                            0000000076031525 2 bytes JMP 77098ae2 C:\Windows\syswow64\KERNEL32.dll
.text    C:\Program Files (x86)\Razer\Synapse\RzSynapse.exe[2256] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17                                                                                                                  000000007603153d 2 bytes JMP 7700fca8 C:\Windows\syswow64\KERNEL32.dll
.text    C:\Program Files (x86)\Razer\Synapse\RzSynapse.exe[2256] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17                                                                                                                       0000000076031555 2 bytes JMP 770168ef C:\Windows\syswow64\KERNEL32.dll
.text    C:\Program Files (x86)\Razer\Synapse\RzSynapse.exe[2256] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17                                                                                                                000000007603156d 2 bytes JMP 77098fe3 C:\Windows\syswow64\KERNEL32.dll
.text    C:\Program Files (x86)\Razer\Synapse\RzSynapse.exe[2256] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17                                                                                                                  0000000076031585 2 bytes JMP 77098b42 C:\Windows\syswow64\KERNEL32.dll
.text    C:\Program Files (x86)\Razer\Synapse\RzSynapse.exe[2256] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17                                                                                                                     000000007603159d 2 bytes JMP 770986dc C:\Windows\syswow64\KERNEL32.dll
.text    C:\Program Files (x86)\Razer\Synapse\RzSynapse.exe[2256] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17                                                                                                                  00000000760315b5 2 bytes JMP 7700fd41 C:\Windows\syswow64\KERNEL32.dll
.text    C:\Program Files (x86)\Razer\Synapse\RzSynapse.exe[2256] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17                                                                                                                00000000760315cd 2 bytes JMP 7701b2dc C:\Windows\syswow64\KERNEL32.dll
.text    C:\Program Files (x86)\Razer\Synapse\RzSynapse.exe[2256] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20                                                                                                            00000000760316b2 2 bytes JMP 77098ea4 C:\Windows\syswow64\KERNEL32.dll
.text    C:\Program Files (x86)\Razer\Synapse\RzSynapse.exe[2256] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31                                                                                                            00000000760316bd 2 bytes JMP 77098671 C:\Windows\syswow64\KERNEL32.dll
 
---- User IAT/EAT - GMER 2.1 ----
 
IAT      C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2108] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmAddToStreamDWord]                                         [7fef3ad741c] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll
IAT      C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2108] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmSet]                                                      [7fef3ad5f10] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll
IAT      C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2108] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmEndSession]                                               [7fef3ad5674] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll
IAT      C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2108] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmStartSession]                                             [7fef3ad5e2c] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll
IAT      C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2108] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmStartUpload]                                              [7fef3ad7f48] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll
IAT      C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2108] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmSetAppVersion]                                            [7fef3ad6a38] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll
IAT      C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2108] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmSetMachineId]                                             [7fef3ad6ee8] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll
IAT      C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2108] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmWriteSharedMachineId]                                     [7fef3ad7b58] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll
IAT      C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2108] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmCreateNewId]                                              [7fef3ad7ea0] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll
IAT      C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2108] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmReadSharedMachineId]                                      [7fef3ad78b0] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll
IAT      C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2108] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmGetSession]                                               [7fef3ad4fb4] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll
IAT      C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2108] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmSetAppId]                                                 [7fef3ad5d38] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll
IAT      C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2108] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmAddToStreamString]                                        [7fef3ad7584] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll
---- Processes - GMER 2.1 ----
 
Library  C:\Users\Weaver\AppData\Roaming\VERIZON\UA_ar\MObexDll.dll (*** suspicious ***) @ C:\Users\Weaver\AppData\Roaming\VERIZON\UA_ar\UA.exe [1876] (Obex Module/Samsung Electronics Co., Ltd.)(2014-12-10 21:36:44)                  00000000719c0000
Library  C:\Users\Weaver\AppData\Roaming\VERIZON\UA_ar\SCommon.dll (*** suspicious ***) @ C:\Users\Weaver\AppData\Roaming\VERIZON\UA_ar\UA.exe [1876] (TODO: <File description>/TODO: <Company name>)(2014-12-10 21:37:04)               00000000734e0000
Library  C:\Users\Weaver\AppData\Roaming\VERIZON\UA_ar\UA_Modules.dll (*** suspicious ***) @ C:\Users\Weaver\AppData\Roaming\VERIZON\UA_ar\UA.exe [1876] (TODO: <File description>/TODO: <Company name>)(2014-12-10 21:37:26)            0000000073d40000
Library  C:\Users\Weaver\AppData\Roaming\VERIZON\UA_ar\GlobalUtils.dll (*** suspicious ***) @ C:\Users\Weaver\AppData\Roaming\VERIZON\UA_ar\UA.exe [1876] (TODO: <File description>/TODO: <Company name>)(2014-12-10 21:37:02)           0000000072eb0000
Library  C:\Users\Weaver\AppData\Roaming\VERIZON\UA_ar\DeviceDBModule.dll (*** suspicious ***) @ C:\Users\Weaver\AppData\Roaming\VERIZON\UA_ar\UA.exe [1876] (TODO: <File description>/TODO: <Company name>)(2014-12-10 21:37:18)        0000000072e00000
Library  C:\Users\Weaver\AppData\Roaming\VERIZON\UA_ar\NetworkModule.dll (*** suspicious ***) @ C:\Users\Weaver\AppData\Roaming\VERIZON\UA_ar\UA.exe [1876] (TODO: <File description>/TODO: <Company name>)(2014-12-10 21:37:18)         000000006bac0000
Library  C:\Users\Weaver\AppData\Roaming\VERIZON\UA_ar\FileAndProcessModule.dll (*** suspicious ***) @ C:\Users\Weaver\AppData\Roaming\VERIZON\UA_ar\UA.exe [1876] (TODO: <File description>/TODO: <Company name>)(2014-12-10 21:37:18)  000000006b970000
Library  C:\Users\Weaver\AppData\Roaming\VERIZON\UA_ar\DeviceModule.dll (*** suspicious ***) @ C:\Users\Weaver\AppData\Roaming\VERIZON\UA_ar\UA.exe [1876] (TODO: <File description>/TODO: <Company name>)(2014-12-10 21:37:18)          000000006b6e0000
Library  C:\Users\Weaver\AppData\Roaming\VERIZON\UA_ar\Resource.dll (*** suspicious ***) @ C:\Users\Weaver\AppData\Roaming\VERIZON\UA_ar\UA.exe [1876] (TODO: <File description>/TODO: <Company name>)(2014-12-10 21:37:02)              000000006e9b0000
Library  C:\Users\Weaver\AppData\Roaming\VERIZON\UA_ar\SS_RC.dll (*** suspicious ***) @ C:\Users\Weaver\AppData\Roaming\VERIZON\UA_ar\UA.exe [1876] (Rooting Count Check DLL/Samsung)(2014-02-04 18:11:50)                               0000000061050000
Library  C:\ProgramData\Razer\Synapse\Devices\RazerConfigNative.dll (*** suspicious ***) @ C:\Program Files (x86)\Razer\Synapse\RzSynapse.exe [2256] (Razer Configurator/Razer Inc.)(2015-05-15 10:05:26)                                0000000060590000
Library  C:\ProgramData\Razer\Synapse\CrashReporter\CrashRpt1402.dll (*** suspicious ***) @ C:\Program Files (x86)\Razer\Synapse\RzSynapse.exe [2256](2015-03-09 08:44:50)                                                               000000005ffa0000
 
---- EOF - GMER 2.1 ----
 
 
 

MiniToolBox by Farbar  Version: 02-11-2015
Ran by Weaver (administrator) on 11-11-2015 at 22:17:44
Running from "C:\Users\Weaver\Downloads"
Microsoft Windows 7 Home Premium  Service Pack 1 (X64)
Model: MS-7599 Manufacturer: MSI
Boot Mode: Normal
***************************************************************************
 
========================= IE Proxy Settings: ============================== 
 
Proxy is not enabled.
No Proxy Server is set.
========================= Hosts content: =================================
========================= IP Configuration: ================================
 
Realtek RTL8168D/8111D Family PCI-E Gigabit Ethernet NIC (NDIS 6.20) = Local Area Connection (Connected)
 
 
# ----------------------------------
# IPv4 Configuration
# ----------------------------------
pushd interface ipv4
 
reset
set global icmpredirects=enabled
 
 
popd
# End of IPv4 configuration
 
 
 
Windows IP Configuration
 
   Host Name . . . . . . . . . . . . : Science
   Primary Dns Suffix  . . . . . . . : 
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No
   DNS Suffix Search List. . . . . . : click-network.com
 
Ethernet adapter Local Area Connection:
 
   Connection-specific DNS Suffix  . : click-network.com
   Description . . . . . . . . . . . : Realtek RTL8168D/8111D Family PCI-E Gigabit Ethernet NIC (NDIS 6.20)
   Physical Address. . . . . . . . . : 6C-62-6D-B0-F7-7E
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
   Link-local IPv6 Address . . . . . : fe80::e88b:82ba:eb8b:2b9a%10(Preferred) 
   IPv4 Address. . . . . . . . . . . : 192.168.1.100(Preferred) 
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Lease Obtained. . . . . . . . . . : Wednesday, November 11, 2015 9:47:47 PM
   Lease Expires . . . . . . . . . . : Thursday, November 12, 2015 9:47:47 PM
   Default Gateway . . . . . . . . . : 192.168.1.1
   DHCP Server . . . . . . . . . . . : 192.168.1.1
   DHCPv6 IAID . . . . . . . . . . . : 241984109
   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-17-DB-32-52-6C-62-6D-B0-F7-7E
   DNS Servers . . . . . . . . . . . : 131.191.7.12
                                       8.8.8.8
                                       131.191.7.194
   NetBIOS over Tcpip. . . . . . . . : Enabled
 
Tunnel adapter isatap.click-network.com:
 
   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . : click-network.com
   Description . . . . . . . . . . . : Microsoft ISATAP Adapter
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
 
Tunnel adapter Local Area Connection* 9:
 
   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . : 
   Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
 

 




#2 Mandalore88

  • Topic Starter
  • Members
  • 5 posts

Posted 12 November 2015 - 01:58 AM

Darn it, I think I posted this in the wrong section. I am bad at the internet, sorry!



#3 buddy215

  • BC Advisor
  • 12,881 posts
  • Gender:Male
  • Location:West Tennessee

Posted 12 November 2015 - 04:54 AM

Welcome to BC !

 

Regarding conhost.exe.... It’s a completely legitimate executable—as long as it’s running from the system32 folder, and is signed by Microsoft.

 

Uninstall Java 8 Update 25

Either Update or Uninstall the other two RED items....Adobe Reader and Firefox.

 

Use CCleaner to remove Temporary files, program caches, cookies, logs, etc. Use the Default settings. No need to use the Registry Cleaning Tool...risky. Pay close attention while installing and UNcheck offers of toolbars....especially Google.

After install, open CCleaner and run by clicking on the Run Cleaner button in the bottom right corner.

CCleaner - PC Optimization and Cleaning - Free Download

 

Download AdwCleaner by Xplode onto your desktop.

  • Close all open programs and internet browsers.
  • Double click on adwcleaner.exe to run the tool.
  • Click on Scan button.
  • When the scan has finished click on Clean button.
  • Your computer will be rebooted automatically. A text file will open after the restart.
  • Please post the contents of that logfile with your next reply.
  • You can find the logfile at C:\AdwCleaner[S1].txt as well.

  • Download Junkware Removal Tool to your desktop.
  • Shut down your protection software now to avoid potential conflicts.
  • Run the tool by double-clicking it. If you are using Windows Vista, 7, or 8; instead of double-clicking, right-mouse click JRT.exe and select "Run as Administrator".
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete depending on your system's specifications.
  • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
  • Post the contents of JRT.txt into your next message

Download Emsisoft Emergency Kit and save it to your desktop. Double click on EmsisoftEmergencyKit.exe to extract its contents and create a shortcut on the desktop. Leave all settings as they are and click Accept & Extract. A folder named EEK will be created in the root of the drive (usually c:\).

  • After extraction an Emsisoft Emergency Kit window will open. Under "Run Directly:" click Emergency Kit Scanner.
  • When asked to run an online update, click Yes.
  • When the update is finished, click the Back to Security Status link in the left corner. On the main screen click the Scan Now button.
  • Select the Full Scan option and click the SCAN button.
  • When the scan is finished click the Quarantine selected objects button. Note, this option is only available if malicious objects were detected during the scan.
  • Click the View Report button and in the Reports window double-click on the most recent log. Note, logs are named as follows: a2scan_<date>-<time>.txt.
  • Copy/paste the report contents in your next reply.

Edited by buddy215, 12 November 2015 - 04:56 AM.

“Every atom in your body came from a star that exploded and the atoms in your left hand probably came from a different star than your right hand. It really is the most poetic thing I know about physics...you are all stardust.” Lawrence M. Krauss

A 1792 U.S. penny, designed in part by Thomas Jefferson and George Washington, reads “Liberty Parent of Science & Industry.”
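One way to apply the conhost.exe rule of thumb from the post above (runs from the system32 folder and is signed by Microsoft) to every instance at once, as an added example that is not part of the thread or of any tool mentioned in it. It assumes Windows PowerShell 3.0 or later (available for Windows 7 via the Windows Management Framework update); the variable names are mine.

```powershell
# Added example, not from the thread: check every running conhost.exe against
# the two-part rule above (lives in %SystemRoot%\System32 and carries a valid
# Microsoft Authenticode signature). Assumes Windows PowerShell 3.0 or later.

$expectedDir = Join-Path $env:SystemRoot 'System32'

$results = Get-CimInstance Win32_Process -Filter "Name='conhost.exe'" | ForEach-Object {
    $path = $_.ExecutablePath

    # Rule 1: the image must live in %SystemRoot%\System32 (case-insensitive compare).
    $inSystem32 = $false
    if ($path) {
        $inSystem32 = ((Split-Path $path -Parent).TrimEnd('\') -ieq $expectedDir)
    }

    # Rule 2: the image must carry a valid Authenticode signature whose signer is Microsoft.
    $sigStatus = 'NoPath'
    $signer    = ''
    if ($path -and (Test-Path -LiteralPath $path)) {
        $sig       = Get-AuthenticodeSignature -FilePath $path
        $sigStatus = $sig.Status.ToString()
        if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
    }
    $microsoftSigned = ($sigStatus -eq 'Valid') -and ($signer -like '*Microsoft*')

    # Which process owns this console host; on Windows 7 that is normally csrss.exe.
    $parent = Get-CimInstance Win32_Process -Filter "ProcessId=$($_.ParentProcessId)"
    if ($parent) { $parentDesc = "$($parent.Name) [$($parent.ProcessId)]" }
    else         { $parentDesc = "<exited> [$($_.ParentProcessId)]" }

    if ($inSystem32 -and $microsoftSigned) { $verdict = 'OK' } else { $verdict = 'INVESTIGATE' }

    [PSCustomObject]@{
        PID          = $_.ProcessId
        Path         = $path
        Parent       = $parentDesc
        WorkingSetKB = [int64]($_.WorkingSetSize / 1KB)   # comparable to Task Manager's "K" column
        InSystem32   = $inSystem32
        Signature    = $sigStatus
        Verdict      = $verdict
    }
}

if ($results) { $results | Format-Table -AutoSize }
else          { 'No conhost.exe instances are running at the moment.' }
```

Run it from a PowerShell prompt while the extra conhost.exe instances are visible in Task Manager; a blank Path means the process belongs to another user and the prompt needs to be elevated. One caveat for Windows 7 specifically: its system binaries are catalog-signed, and the PowerShell builds shipped for Windows 7 do not resolve catalog signatures, so a genuine conhost.exe can report NotSigned there. If that happens, confirm the signature with Sysinternals sigcheck instead of treating the result as a finding; an image outside System32 is the stronger indicator either way.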


#4 Mandalore88

  • Topic Starter
  • Members
  • 5 posts

Posted 12 November 2015 - 09:11 PM

Thank you so much! I will start working on that tonight and report back tomorrow.



#5 Mandalore88

  • Topic Starter
  • Members
  • 5 posts

Posted 14 November 2015 - 03:20 AM

Here are my results, as you can see EEK did find some threats. Thank you again for the advice! :)

 

# AdwCleaner v5.019 - Logfile created 12/11/2015 at 20:27:54
# Updated 08/11/2015 by Xplode
# Database : 2015-11-09.1 [Server]
# Operating system : Windows 7 Home Premium Service Pack 1 (x64)
# Username : Weaver - SCIENCE
# Running from : C:\Users\Weaver\Downloads\AdwCleaner.exe
# Option : Cleaning
 
 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Malwarebytes
Version: 7.6.4 (09.28.2015:1)
OS: Windows 7 Home Premium x64
Ran by Weaver on Thu 11/12/2015 at 20:34:09.79
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
 
 
 
~~~ Services
 
 
 
~~~ Tasks
 
 
 
~~~ Registry Values
 
 
 
~~~ Registry Keys
 
 
 
~~~ Files
 
Successfully deleted: [File] C:\Users\Weaver\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\worldoftanks.lnk
 
 
 
~~~ Folders
 
Successfully deleted: [Folder] C:\Users\Weaver\AppData\Roaming\worldoftanks
 
 
 
~~~ Chrome
 
 
[C:\Users\Weaver\Appdata\Local\Google\Chrome\User Data\Default\Preferences] - default search provider reset
 
[C:\Users\Weaver\Appdata\Local\Google\Chrome\User Data\Default\Preferences] - Extensions Deleted:
 
[C:\Users\Weaver\Appdata\Local\Google\Chrome\User Data\Default\Secure Preferences] - default search provider reset
 
[C:\Users\Weaver\Appdata\Local\Google\Chrome\User Data\Default\Secure Preferences] - Extensions Deleted:
[]
 
 
 
 
 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on Thu 11/12/2015 at 20:39:23.84
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
 
***** [ Services ] *****
 
 
***** [ Folders ] *****
 
 
***** [ Files ] *****
 
[-] File Deleted : C:\Program Files (x86)\Mozilla Firefox\browser\searchplugins\yahoo.xml
 
***** [ DLLs ] *****
 
 
***** [ Shortcuts ] *****
 
 
***** [ Scheduled tasks ] *****
 
 
***** [ Registry ] *****
 
[-] Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{89449F37-4AB2-46ED-A566-BB3A7797701B}
[-] Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{F509ADC2-B40E-470F-A7B7-45191486B5CB}
 
***** [ Web browsers ] *****
 
[-] [C:\Users\Weaver\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences] [Extension] Deleted : bopakagnckmlgajfccecajhnimjiiedh
 
*************************
 
:: "Tracing" keys removed
:: Winsock settings cleared
 
########## EOF - C:\AdwCleaner\AdwCleaner[C3].txt - [1141 bytes] ##########
 
 
Emsisoft Emergency Kit - Version 10.0
Last update: 11/12/2015 8:50:37 PM
User account: Science\Weaver
 
Scan settings:
 
Scan type: Custom Scan
Objects: Rootkits, Memory, Traces, C:\, E:\
 
Detect PUPs: On
Scan archives: On
ADS Scan: On
File extension filter: Off
Advanced caching: On
Direct disk access: Off
 
Scan start: 11/12/2015 8:51:50 PM
Value: HKEY_USERS\S-1-5-21-1559796410-171621321-655816305-1001\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM -> DISABLETASKMGR detected: Setting.DisableTaskMgr (A)
Value: HKEY_USERS\S-1-5-21-1559796410-171621321-655816305-1001\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM -> DISABLEREGISTRYTOOLS detected: Setting.DisableRegistryTools (A)
C:\ProgramData\InstallMate\{335DD210-B55D-423D-A0D6-FD7FE8BEF0E6}\Custom.dll detected: Gen:Variant.Application.Downloader.164 (B)
C:\Users\Weaver\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\30\14ca2d1e-6e288a3d -> sLYSgHkBDA.inmr detected: Trojan.Script.481281 (B)
C:\Users\Weaver\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\30\14ca2d1e-6e288a3d -> oPkwbFQ.class detected: Java.Exploit.CVE-2012-1723.AM (B)
C:\Users\Weaver\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\52\17d841f4-2bfb9f46 -> eiC.class detected: Java.Exploit.CVE-2012-5076.H (B)
 
Scanned 509918
Found 6
 
Scan end: 11/12/2015 11:00:47 PM
Scan time: 2:08:57
 


#6 buddy215

  • BC Advisor
  • 12,881 posts
  • Gender:Male
  • Location:West Tennessee

Posted 14 November 2015 - 04:50 AM

You must not have uninstalled Java as I asked you to. The malware found by Emsisoft was in Java's cache files.

Old Java programs are malware magnets...exploited often.

 

Post the three lists mentioned below using CCleaner.

 

Open CCleaner and click on Tools. Choose Startups. On that page you will see a list of Windows Startups and at the top tabs for each browser and Scheduled Tasks. At the bottom right of that page you will see a button which, when clicked, will allow you to Copy and Paste the list of Windows Startups and Scheduled Tasks into your next post. Please do that.

 

Open CCleaner and click on Tools. Choose Uninstall. On that page you will see a list of programs installed on your computer and at the bottom right of that page you will see a button which, when clicked, will allow you to Copy and Paste that list in your next post. Please do that.


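A way to verify the point made in the post above, that an outdated Java runtime is still present and that its deployment cache (where Emsisoft flagged the Java.Exploit.* classes) is still on disk, as an added example that is not part of the thread or of any tool mentioned in it. It assumes Windows PowerShell 3.0 or later; the registry locations are the standard Add/Remove Programs keys, and the cache path is the one shown in the Emsisoft log.

```powershell
# Added example, not from the thread: list the Java runtimes still registered
# on the machine and measure the Java deployment cache where the exploit
# classes were found. Assumes Windows PowerShell 3.0 or later; locations are
# the standard Windows uninstall keys and the Oracle/Sun cache folder.

# Uninstall entries for 64-bit installers and, under Wow6432Node, 32-bit ones.
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

# Matches display names such as "Java 8 Update 25" or "Java(TM) 7 Update 45".
$javaInstalls = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -match '^Java(\(TM\))?\s+\d' } |
    ForEach-Object {
        if ($_.PSPath -like '*Wow6432Node*') { $arch = '32-bit' } else { $arch = '64-bit' }
        [PSCustomObject]@{
            Name         = $_.DisplayName
            Version      = $_.DisplayVersion
            Architecture = $arch
            InstallDate  = $_.InstallDate
        }
    }

if ($javaInstalls) {
    'Java runtimes still registered in Add/Remove Programs:'
    $javaInstalls | Sort-Object Version | Format-Table -AutoSize
} else {
    'No Java runtime is registered in Add/Remove Programs.'
}

# The deployment cache holds applets and Web Start jars fetched by the browser
# plug-in; the path matches the one in the Emsisoft log (AppData\LocalLow).
$cache = Join-Path $env:USERPROFILE 'AppData\LocalLow\Sun\Java\Deployment\cache'
if (Test-Path -LiteralPath $cache) {
    $files  = Get-ChildItem -LiteralPath $cache -Recurse -File -ErrorAction SilentlyContinue
    $bytes  = ($files | Measure-Object -Property Length -Sum).Sum
    $sizeMB = [math]::Round(($bytes / 1MB), 1)
    "Java deployment cache: $($files.Count) files, $sizeMB MB under $cache"
} else {
    "No Java deployment cache found under $cache"
}
```

Neither part needs an elevated prompt, since the uninstall keys are world-readable and the cache lives in the current user's profile. The script only reports; the cache itself can be emptied from the Java Control Panel (General tab, Temporary Internet Files, Delete Files), but the advice in the post still stands: the durable fix is removing or updating the outdated runtime, because a cleared cache refills the next time an old plug-in loads content.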


#7 Mandalore88

  • Topic Starter
  • Members
  • 5 posts

Posted 14 November 2015 - 09:06 PM

Sorry I thought I updated Java. I will do that first then post the three CCleaner lists. Thanks :).





