
Unusual internet traffic (botnet?) & OEM key injection into SLIC table


16 replies to this topic

#1 silverfx

silverfx

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Local time:05:05 AM

Posted 09 December 2015 - 12:09 PM

Hi,

 

Unusual internet traffic detected by Google and sluggish performance on my laptop.

I looked into doing a clean Windows install and discovered a false OEM key in the SLIC table.

 

Keen to identify and remove any loaders, rootkits or BIOS mods on the BIOS/EEPROM, thanks!

 

silver


Edited by silverfx, 09 December 2015 - 08:22 PM.



#2 severac

severac

  • Members
  • 872 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Serbia
  • Local time:07:05 AM

Posted 13 December 2015 - 04:02 AM

Hello,

 

Please download MiniToolBox, save it to your desktop and run it.
Checkmark the following checkboxes:

§  Flush DNS

§  Report IE Proxy Settings

§  Reset IE Proxy Settings

§  Report FF Proxy Settings

§  Reset FF Proxy Settings

§  List content of Hosts

§  List IP configuration

§  List Winsock Entries

§  List Installed Programs

§  List Users, Partitions and Memory size.

Click Go and post the result (MTB.txt). A copy of MTB.txt will be saved in the same directory the tool is run.

-------

 

Please download Rkill to your Desktop.

There are 2 different versions. If one of them won't run then download and try to run the other one.
You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool, ignore them or shutdown your antivirus.

rKill.exe
http://www.bleepingcomputer.com/download/rkill/dl/10/
iExplore.exe (renamed rKill.exe): http://www.bleepingcomputer.com/download/rkill/dl/11/
 

§  Double-click on the Rkill desktop icon to run the tool.

§  If using Windows Vista, 7, 8 or 10, right-click on it and choose Run As Administrator.

§  A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.

§  If not, delete the file, then download and use the one provided in Link 2.

§  Do not reboot until instructed.

§  If the tool does not run from any of the links provided, please let me know.

If normal mode still doesn't work, run the tool from Safe Mode.

When the scan is done Notepad will open with rKill log.
Post it in your next reply.

NOTE: the rKill.txt log will also be present on your desktop.

-------

 

Kaspersky Virus Removal Tool

Please download Kaspersky Virus Removal Tool from here.

§  Right click on KVRT.exe and select Run as Administrator.

§  Read the EULA, then select Accept.

§  Wait for Kaspersky Virus Removal Tool to initialize.

§  In the main screen, select Change parameters, place a checkmark in System drive, then click OK.

§  Click Start scan.

§  Wait for Kaspersky Virus Removal Tool to complete scanning.

§  When the scan is finished, select Neutralize all for all detected objects.

§  Close Kaspersky Virus Removal Tool when done.

Inform me if something is detected.

-------


I would like to help you to remove malware. Let's look inside.

But I don't know how to solve all PC problems.

 


#3 silverfx

silverfx
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Local time:05:05 AM

Posted 13 December 2015 - 07:16 PM

Hi Severac, thanks for the help! 

 

Here are the logs:

 

MiniToolBox by Farbar  Version: 02-11-2015
Ran by Administrator (administrator) on 13-12-2015 at 23:41:38
Running from "C:\Users\Administrator\Desktop"
Microsoft Windows 7 Ultimate  Service Pack 1 (X64)
Model: Aspire E1-571 Manufacturer: Acer
Boot Mode: Normal
***************************************************************************

========================= Flush DNS: ===================================

Windows IP Configuration

Successfully flushed the DNS Resolver Cache.

========================= IE Proxy Settings: ==============================

Proxy is not enabled.
No Proxy Server is set.

"Reset IE Proxy Settings": IE Proxy Settings were reset.

========================= FF Proxy Settings: ==============================


"Reset FF Proxy Settings": Firefox Proxy settings were reset.

========================= Hosts content: =================================
========================= IP Configuration: ================================

Atheros AR5BWB222 Wireless Network Adapter = Wireless Network Connection (Connected)
VMware Virtual Ethernet Adapter for VMnet1 = VMware Network Adapter VMnet1 (Connected)
VMware Virtual Ethernet Adapter for VMnet8 = VMware Network Adapter VMnet8 (Connected)
Microsoft Virtual WiFi Miniport Adapter = Wireless Network Connection 2 (Hardware not present)
Bluetooth Device (Personal Area Network) = Bluetooth Network Connection (Media disconnected)
Broadcom NetLink ™ Gigabit Ethernet = Local Area Connection (Media disconnected)


# ----------------------------------
# IPv4 Configuration
# ----------------------------------
pushd interface ipv4

reset
set global icmpredirects=enabled
add address name="VMware Network Adapter VMnet8" address=192.168.204.1 mask=255.255.255.0
add address name="VMware Network Adapter VMnet1" address=192.168.127.1 mask=255.255.255.0


popd
# End of IPv4 configuration



Windows IP Configuration

   Host Name . . . . . . . . . . . . : HOMELAPTOP
   Primary Dns Suffix  . . . . . . . :
   Node Type . . . . . . . . . . . . : Peer-Peer
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No

Wireless LAN adapter Wireless Network Connection:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Atheros AR5BWB222 Wireless Network Adapter
   Physical Address. . . . . . . . . : 68-94-23-A5-11-3B
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
   Link-local IPv6 Address . . . . . : fe80::40eb:48c7:8a13:8a09%14(Preferred)
   IPv4 Address. . . . . . . . . . . : 192.168.0.2(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Lease Obtained. . . . . . . . . . : 13 December 2015 15:07:10
   Lease Expires . . . . . . . . . . : 14 December 2015 23:22:19
   Default Gateway . . . . . . . . . : 192.168.0.1
   DHCP Server . . . . . . . . . . . : 192.168.0.1
   DHCPv6 IAID . . . . . . . . . . . : 375952419
   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-18-5E-30-AB-B8-88-E3-D2-E4-C5
   DNS Servers . . . . . . . . . . . : 194.168.4.100
                                       194.168.8.100
   NetBIOS over Tcpip. . . . . . . . : Enabled

Ethernet adapter Bluetooth Network Connection:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Bluetooth Device (Personal Area Network)
   Physical Address. . . . . . . . . : 68-94-23-A5-11-3C
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes

Ethernet adapter Local Area Connection:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Broadcom NetLink ™ Gigabit Ethernet
   Physical Address. . . . . . . . . : B8-88-E3-D2-E4-C5
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes

Ethernet adapter VMware Network Adapter VMnet1:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : VMware Virtual Ethernet Adapter for VMnet1
   Physical Address. . . . . . . . . : 00-50-56-C0-00-01
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   Link-local IPv6 Address . . . . . : fe80::e091:7942:d06a:5fc9%28(Preferred)
   IPv4 Address. . . . . . . . . . . : 192.168.127.1(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . :
   DHCPv6 IAID . . . . . . . . . . . : 486559830
   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-18-5E-30-AB-B8-88-E3-D2-E4-C5
   DNS Servers . . . . . . . . . . . : fec0:0:0:ffff::1%1
                                       fec0:0:0:ffff::2%1
                                       fec0:0:0:ffff::3%1
   NetBIOS over Tcpip. . . . . . . . : Enabled

Ethernet adapter VMware Network Adapter VMnet8:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : VMware Virtual Ethernet Adapter for VMnet8
   Physical Address. . . . . . . . . : 00-50-56-C0-00-08
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   Link-local IPv6 Address . . . . . : fe80::fd66:7c5c:e2f7:f4df%30(Preferred)
   IPv4 Address. . . . . . . . . . . : 192.168.204.1(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . :
   DHCPv6 IAID . . . . . . . . . . . : 754995286
   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-18-5E-30-AB-B8-88-E3-D2-E4-C5
   DNS Servers . . . . . . . . . . . : fec0:0:0:ffff::1%1
                                       fec0:0:0:ffff::2%1
                                       fec0:0:0:ffff::3%1
   NetBIOS over Tcpip. . . . . . . . : Enabled

Tunnel adapter Local Area Connection* 16:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   IPv6 Address. . . . . . . . . . . : 2001:0:51c8:4032:2832:1c1:3f57:fffd(Preferred)
   Link-local IPv6 Address . . . . . : fe80::2832:1c1:3f57:fffd%26(Preferred)
   Default Gateway . . . . . . . . . : ::
   NetBIOS over Tcpip. . . . . . . . : Disabled

Tunnel adapter isatap.{37EB7121-A637-4B77-9EBD-319C8F4C3F90}:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Microsoft ISATAP Adapter #7
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes

Tunnel adapter Reusable ISATAP Interface {523B5126-3ECE-4AC9-9D04-A62FD1C553C4}:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Microsoft ISATAP Adapter #4
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes

Tunnel adapter isatap.{BEBD1BFC-6B19-4282-8E61-75C2A87E7640}:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Microsoft ISATAP Adapter #5
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes

Tunnel adapter isatap.{9C8BA179-03B0-4F73-AC7A-A21B126773A2}:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Microsoft ISATAP Adapter #6
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
Server:  cache1.service.virginmedia.net
Address:  194.168.4.100

Name:    google.com
Addresses:  2a00:1450:4009:80d::200e
      216.58.208.46


Pinging google.com [216.58.208.46] with 32 bytes of data:
Reply from 216.58.208.46: bytes=32 time=16ms TTL=54
Reply from 216.58.208.46: bytes=32 time=52ms TTL=54

Ping statistics for 216.58.208.46:
    Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 16ms, Maximum = 52ms, Average = 34ms
Server:  cache1.service.virginmedia.net
Address:  194.168.4.100

Name:    yahoo.com
Addresses:  2001:4998:44:204::a7
      2001:4998:c:a06::2:4008
      2001:4998:58:c02::a9
      206.190.36.45
      98.139.183.24
      98.138.253.109


Pinging yahoo.com [98.139.183.24] with 32 bytes of data:
Reply from 98.139.183.24: bytes=32 time=131ms TTL=51
Reply from 98.139.183.24: bytes=32 time=133ms TTL=51

Ping statistics for 98.139.183.24:
    Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 131ms, Maximum = 133ms, Average = 132ms

Pinging 127.0.0.1 with 32 bytes of data:
Reply from 127.0.0.1: bytes=32 time<1ms TTL=128
Reply from 127.0.0.1: bytes=32 time=1ms TTL=128

Ping statistics for 127.0.0.1:
    Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 1ms, Average = 0ms
===========================================================================
Interface List
 14...68 94 23 a5 11 3b ......Atheros AR5BWB222 Wireless Network Adapter
 12...68 94 23 a5 11 3c ......Bluetooth Device (Personal Area Network)
 11...b8 88 e3 d2 e4 c5 ......Broadcom NetLink ™ Gigabit Ethernet
 28...00 50 56 c0 00 01 ......VMware Virtual Ethernet Adapter for VMnet1
 30...00 50 56 c0 00 08 ......VMware Virtual Ethernet Adapter for VMnet8
  1...........................Software Loopback Interface 1
 26...00 00 00 00 00 00 00 e0 Teredo Tunneling Pseudo-Interface
 24...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #7
 32...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #4
 29...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #5
 31...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #6
===========================================================================

IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.0.1      192.168.0.2     25
        127.0.0.0        255.0.0.0         On-link         127.0.0.1    306
        127.0.0.1  255.255.255.255         On-link         127.0.0.1    306
  127.255.255.255  255.255.255.255         On-link         127.0.0.1    306
      192.168.0.0    255.255.255.0         On-link       192.168.0.2    281
      192.168.0.2  255.255.255.255         On-link       192.168.0.2    281
    192.168.0.255  255.255.255.255         On-link       192.168.0.2    281
    192.168.127.0    255.255.255.0         On-link     192.168.127.1    276
    192.168.127.1  255.255.255.255         On-link     192.168.127.1    276
  192.168.127.255  255.255.255.255         On-link     192.168.127.1    276
    192.168.204.0    255.255.255.0         On-link     192.168.204.1    276
    192.168.204.1  255.255.255.255         On-link     192.168.204.1    276
  192.168.204.255  255.255.255.255         On-link     192.168.204.1    276
        224.0.0.0        240.0.0.0         On-link         127.0.0.1    306
        224.0.0.0        240.0.0.0         On-link     192.168.127.1    276
        224.0.0.0        240.0.0.0         On-link     192.168.204.1    276
        224.0.0.0        240.0.0.0         On-link       192.168.0.2    281
  255.255.255.255  255.255.255.255         On-link         127.0.0.1    306
  255.255.255.255  255.255.255.255         On-link     192.168.127.1    276
  255.255.255.255  255.255.255.255         On-link     192.168.204.1    276
  255.255.255.255  255.255.255.255         On-link       192.168.0.2    281
===========================================================================
Persistent Routes:
  None

IPv6 Route Table
===========================================================================
Active Routes:
 If Metric Network Destination      Gateway
 26     58 ::/0                     On-link
  1    306 ::1/128                  On-link
 26     58 2001::/32                On-link
 26    306 2001:0:51c8:4032:2832:1c1:3f57:fffd/128
                                    On-link
 28    276 fe80::/64                On-link
 30    276 fe80::/64                On-link
 14    281 fe80::/64                On-link
 26    306 fe80::/64                On-link
 26    306 fe80::2832:1c1:3f57:fffd/128
                                    On-link
 14    281 fe80::40eb:48c7:8a13:8a09/128
                                    On-link
 28    276 fe80::e091:7942:d06a:5fc9/128
                                    On-link
 30    276 fe80::fd66:7c5c:e2f7:f4df/128
                                    On-link
  1    306 ff00::/8                 On-link
 26    306 ff00::/8                 On-link
 28    276 ff00::/8                 On-link
 30    276 ff00::/8                 On-link
 14    281 ff00::/8                 On-link
===========================================================================
Persistent Routes:
  None
========================= Winsock entries =====================================

Catalog5 01 C:\Windows\SysWOW64\NLAapi.dll [52224] (Microsoft Corporation)
Catalog5 02 C:\Windows\SysWOW64\napinsp.dll [52224] (Microsoft Corporation)
Catalog5 03 C:\Windows\SysWOW64\pnrpnsp.dll [65024] (Microsoft Corporation)
Catalog5 04 C:\Windows\SysWOW64\pnrpnsp.dll [65024] (Microsoft Corporation)
Catalog5 05 C:\Windows\SysWOW64\mswsock.dll [231424] (Microsoft Corporation)
Catalog5 06 C:\Windows\SysWOW64\winrnr.dll [20992] (Microsoft Corporation)
Catalog5 07 C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WLIDNSP.DLL [145280] (Microsoft Corp.)
Catalog5 08 C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WLIDNSP.DLL [145280] (Microsoft Corp.)
Catalog5 09 C:\Windows\SysWOW64\wshbth.dll [36352] (Microsoft Corporation)
Catalog9 01 C:\Windows\SysWOW64\mswsock.dll [231424] (Microsoft Corporation)
Catalog9 02 C:\Windows\SysWOW64\mswsock.dll [231424] (Microsoft Corporation)
Catalog9 03 C:\Windows\SysWOW64\mswsock.dll [231424] (Microsoft Corporation)
Catalog9 04 C:\Windows\SysWOW64\mswsock.dll [231424] (Microsoft Corporation)
Catalog9 05 C:\Windows\SysWOW64\mswsock.dll [231424] (Microsoft Corporation)
Catalog9 06 C:\Windows\SysWOW64\mswsock.dll [231424] (Microsoft Corporation)
Catalog9 07 C:\Windows\SysWOW64\mswsock.dll [231424] (Microsoft Corporation)
Catalog9 08 C:\Windows\SysWOW64\mswsock.dll [231424] (Microsoft Corporation)
Catalog9 09 C:\Windows\SysWOW64\mswsock.dll [231424] (Microsoft Corporation)
Catalog9 10 C:\Windows\SysWOW64\mswsock.dll [231424] (Microsoft Corporation)
Catalog9 11 C:\Windows\SysWOW64\mswsock.dll [231424] (Microsoft Corporation)
Catalog9 12 C:\Windows\SysWOW64\vsocklib.dll [64192] (VMware, Inc.)
Catalog9 13 C:\Windows\SysWOW64\vsocklib.dll [64192] (VMware, Inc.)
x64-Catalog5 01 C:\Windows\System32\NLAapi.dll [70656] (Microsoft Corporation)
x64-Catalog5 02 C:\Windows\System32\napinsp.dll [68096] (Microsoft Corporation)
x64-Catalog5 03 C:\Windows\System32\pnrpnsp.dll [86016] (Microsoft Corporation)
x64-Catalog5 04 C:\Windows\System32\pnrpnsp.dll [86016] (Microsoft Corporation)
x64-Catalog5 05 C:\Windows\System32\mswsock.dll [327168] (Microsoft Corporation)
x64-Catalog5 06 C:\Windows\System32\winrnr.dll [28672] (Microsoft Corporation)
x64-Catalog5 07 C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDNSP.DLL [170880] (Microsoft Corp.)
x64-Catalog5 08 C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDNSP.DLL [170880] (Microsoft Corp.)
x64-Catalog5 09 C:\Windows\System32\wshbth.dll [47104] (Microsoft Corporation)
x64-Catalog9 01 C:\Windows\System32\mswsock.dll [327168] (Microsoft Corporation)
x64-Catalog9 02 C:\Windows\System32\mswsock.dll [327168] (Microsoft Corporation)
x64-Catalog9 03 C:\Windows\System32\mswsock.dll [327168] (Microsoft Corporation)
x64-Catalog9 04 C:\Windows\System32\mswsock.dll [327168] (Microsoft Corporation)
x64-Catalog9 05 C:\Windows\System32\mswsock.dll [327168] (Microsoft Corporation)
x64-Catalog9 06 C:\Windows\System32\mswsock.dll [327168] (Microsoft Corporation)
x64-Catalog9 07 C:\Windows\System32\mswsock.dll [327168] (Microsoft Corporation)
x64-Catalog9 08 C:\Windows\System32\mswsock.dll [327168] (Microsoft Corporation)
x64-Catalog9 09 C:\Windows\System32\mswsock.dll [327168] (Microsoft Corporation)
x64-Catalog9 10 C:\Windows\System32\mswsock.dll [327168] (Microsoft Corporation)
x64-Catalog9 11 C:\Windows\System32\mswsock.dll [327168] (Microsoft Corporation)
x64-Catalog9 12 C:\Windows\System32\vsocklib.dll [68288] (VMware, Inc.)
x64-Catalog9 13 C:\Windows\System32\vsocklib.dll [68288] (VMware, Inc.)

=========================== Installed Programs ============================

µTorrent (HKCU\...\uTorrent) (Version: 3.4.3.40298 - BitTorrent Inc.)
ACDSee 10 Photo Manager (HKLM-x32\...\{F8B98EB6-FC06-45BF-87D4-9784E0408611}) (Version: 10.0.219 - ACD Systems International)
Acer Crystal Eye Webcam (HKLM-x32\...\{A0382E3C-7384-429A-9BFA-AF5888E5A193}) (Version: 1.5.3501.00 - CyberLink Corp.) Hidden
Acer Crystal Eye Webcam (HKLM-x32\...\InstallShield_{A0382E3C-7384-429A-9BFA-AF5888E5A193}) (Version: 1.5.3501.00 - CyberLink Corp.)
Adobe Flash Player 19 NPAPI (HKLM-x32\...\Adobe Flash Player NPAPI) (Version: 19.0.0.245 - Adobe Systems Incorporated)
Adobe Reader XI (11.0.13) (HKLM-x32\...\{AC76BA86-7AD7-1033-7B44-AB0000000001}) (Version: 11.0.13 - Adobe Systems Incorporated)
Atheros Bluetooth Suite (64) (HKLM\...\{230D1595-57DA-4933-8C4E-375797EBB7E1}) (Version: 7.4.0.122 - Atheros)
AVG (HKLM\...\{AB11E7BD-211E-4EBD-9EAE-0C11CE7B48AE}) (Version: 16.12.7294 - AVG Technologies) Hidden
AVG (HKLM\...\AvgZen) (Version: 1.22.1.40089 - AVG Technologies)
AVG 2016 (HKLM\...\{37EAACC8-78A9-4C52-A2FD-E758B8F0C9E5}) (Version: 16.0.4483 - AVG Technologies) Hidden
AVG Protection (HKLM\...\AVG) (Version: 2016.12.7294 - AVG Technologies)
AVG Zen (HKLM\...\{4BB3F53A-125D-4CD0-8448-620E9898CF96}) (Version: 1.22.1 - AVG Technologies) Hidden
Broadcom Card Reader Driver Installer (HKLM\...\{4710662C-8204-4334-A977-B1AC9E547819}) (Version: 15.0.7.3 - Broadcom Corporation)
Broadcom NetLink Controller (HKLM\...\{C91DCB72-F5BB-410D-A91A-314F5D1B4284}) (Version: 15.0.7.1 - Broadcom Corporation)
CCleaner (HKLM\...\CCleaner) (Version: 4.16 - Piriform)
CDex - Open Source Digital Audio CD Extractor (HKLM-x32\...\CDex) (Version: 1.79.0.2015 - Georgy Berdyshev)
CleanUp! (HKLM-x32\...\CleanUp!) (Version:  - )
D3DX10 (HKLM-x32\...\{E09C4DB7-630C-4F06-A631-8EA7239923AF}) (Version: 15.4.2368.0902 - Microsoft) Hidden
ESET Online Scanner v3 (HKLM-x32\...\ESET Online Scanner) (Version:  - )
ETDWare PS/2-X64 10.6.9.9_WHQL (HKLM\...\Elantech) (Version: 10.6.9.9 - ELAN Microelectronic Corp.)
FBReader for Windows (HKLM-x32\...\FBReader for Windows) (Version:  - )
FMW 1 (HKLM\...\{BCA7CC8C-745B-4340-B3A8-BC79A8498107}) (Version: 1.32.2 - AVG Technologies) Hidden
Foxit PDF Editor (HKLM-x32\...\Foxit PDF Editor) (Version:  - )
Google Update Helper (HKLM-x32\...\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA}) (Version: 1.3.28.15 - Google Inc.) Hidden
HashTab 5.2.0.14 (HKLM\...\HashTab) (Version: 5.2.0.14 - Implbits Software)
HP Deskjet 2540 series Basic Device Software (HKLM\...\{7AF1A318-2914-41CC-9B24-041C2D4AAAD7}) (Version: 32.0.1180.44630 - Hewlett-Packard Co.)
HP Deskjet 2540 series Help (HKLM-x32\...\{4539575D-C09D-4E71-B207-0F2D6BD74DA2}) (Version: 30.0.0 - Hewlett Packard)
HP Photo Creations (HKLM-x32\...\HP Photo Creations) (Version: 1.0.0.7702 - HP)
HP USB Disk Storage Format Tool (HKLM-x32\...\{0E0DF90C-D0BA-4C89-9262-AD78D1A3DE51}) (Version:  - )
ImgBurn (HKLM-x32\...\ImgBurn) (Version: 2.5.8.0 - LIGHTNING UK!)
Intel® Management Engine Components (HKLM-x32\...\{65153EA5-8B6E-43B6-857B-C6E4FC25798A}) (Version: 8.0.2.1410 - Intel Corporation)
Intel® OpenCL CPU Runtime (HKLM-x32\...\{FCB3772C-B7D0-4933-B1A9-3707EBACC573}) (Version:  - Intel Corporation)
Intel® Processor Graphics (HKLM-x32\...\{F0E3AD40-2BBD-4360-9C76-B9AC9A5886EA}) (Version: 8.15.10.2712 - Intel Corporation)
Intel® Rapid Storage Technology (HKLM-x32\...\{3E29EE6C-963A-4aae-86C1-DC237C4A49FC}) (Version: 11.1.0.1006 - Intel Corporation)
Intel® Trusted Connect Service Client (HKLM\...\{09536BA1-E498-4CC3-B834-D884A67D7E34}) (Version: 1.23.605.1 - Intel Corporation)
Launch Manager (HKLM-x32\...\LManager) (Version: 5.1.15 - Acer Inc.)
Macrium Reflect Free Edition (HKLM\...\{721F2572-706E-4C64-B9F1-AB438F704933}) (Version: 6.1.936 - Paramount Software (UK) Ltd.) Hidden
Macrium Reflect Free Edition (HKLM\...\MacriumReflect) (Version: 6.1 - Paramount Software (UK) Ltd.)
Malwarebytes Anti-Malware version 2.2.0.1024 (HKLM-x32\...\Malwarebytes Anti-Malware_is1) (Version: 2.2.0.1024 - Malwarebytes)
Microsoft .NET Framework 4.6 (HKLM\...\{92FB6C44-E685-45AD-9B20-CADF4CABA132} - 1033) (Version: 4.6.00081 - Microsoft Corporation)
Microsoft Office 365 ProPlus - en-us (HKLM\...\O365ProPlusRetail - en-us) (Version: 15.0.4771.1004 - Microsoft Corporation)
Microsoft Office Outlook Connector (HKLM-x32\...\{95140000-0081-0409-0000-0000000FF1CE}) (Version: 14.0.6123.5001 - Microsoft Corporation)
Microsoft Office Professional Plus 2010 (HKLM-x32\...\Office14.PROPLUS) (Version: 14.0.7015.1000 - Microsoft Corporation)
Microsoft Office Word Viewer 2003 (HKLM-x32\...\{90850409-6000-11D3-8CFE-0150048383C9}) (Version: 11.0.8173.0 - Microsoft Corporation)
Microsoft Online Services Sign-in Assistant (HKLM\...\{46E637E2-AC34-4B45-B5DF-D20903A3DB61}) (Version: 7.250.4303.0 - Microsoft Corporation)
Microsoft Silverlight (HKLM\...\{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}) (Version: 5.1.41105.0 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (HKLM-x32\...\{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}) (Version: 8.0.61001 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.6161 (HKLM\...\{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4}) (Version: 9.0.30729.6161 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17 (HKLM-x32\...\{9A25302D-30C0-39D9-BD6F-21E6EC160475}) (Version: 9.0.30729 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148 (HKLM-x32\...\{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}) (Version: 9.0.30729.4148 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (HKLM-x32\...\{9BE518E6-ECC6-35A9-88E4-87755C07200F}) (Version: 9.0.30729.6161 - Microsoft Corporation)
Microsoft Visual C++ 2010  x64 Redistributable - 10.0.40219 (HKLM\...\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}) (Version: 10.0.40219 - Microsoft Corporation)
Microsoft Visual C++ 2010  x86 Redistributable - 10.0.40219 (HKLM-x32\...\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}) (Version: 10.0.40219 - Microsoft Corporation)
Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (HKLM-x32\...\{f65db027-aff3-4070-886a-0d87064aabb1}) (Version: 12.0.30501.0 - Microsoft Corporation)
Microsoft Visual Studio 2010 Tools for Office Runtime (x64) (HKLM\...\Microsoft Visual Studio 2010 Tools for Office Runtime (x64)) (Version: 10.0.50903 - Microsoft Corporation)
MiniTool Partition Wizard Free 9.1 (HKLM\...\{05D996FA-ADCB-4D23-BA3C-A7C184A8FAC6}_is1) (Version:  - MiniTool Solution Ltd.)
mIRC (HKLM-x32\...\mIRC) (Version: 7.43 - mIRC Co. Ltd.)
Mozilla Firefox 42.0 (x86 en-US) (HKLM-x32\...\Mozilla Firefox 42.0 (x86 en-US)) (Version: 42.0 - Mozilla)
Office 15 Click-to-Run Extensibility Component (HKLM-x32\...\{90150000-008C-0000-0000-0000000FF1CE}) (Version: 15.0.4771.1004 - Microsoft Corporation) Hidden
Office 15 Click-to-Run Licensing Component (HKLM\...\{90150000-008F-0000-1000-0000000FF1CE}) (Version: 15.0.4771.1004 - Microsoft Corporation) Hidden
Office 15 Click-to-Run Localization Component (HKLM-x32\...\{90150000-008C-0409-0000-0000000FF1CE}) (Version: 15.0.4771.1004 - Microsoft Corporation) Hidden
Opera Stable 34.0.2036.25 (HKLM-x32\...\Opera 34.0.2036.25) (Version: 34.0.2036.25 - Opera Software)
Paint.NET v3.5.11 (HKLM\...\{72EF03F5-0507-4861-9A44-D99FD4C41418}) (Version: 3.61.0 - dotPDN LLC)
Qualcomm Atheros WiFi Driver Installation (HKLM-x32\...\{28006915-2739-4EBE-B5E8-49B25D32EB33}) (Version: 3.1 - Qualcomm Atheros)
Realtek High Definition Audio Driver (HKLM-x32\...\{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}) (Version: 6.0.1.6543 - Realtek Semiconductor Corp.)
Revo Uninstaller 1.95 (HKLM-x32\...\Revo Uninstaller) (Version: 1.95 - VS Revo Group)
RW-Everything v1.6.8.1 (HKLM\...\RW-Everything_is1) (Version:  - )
SAMSUNG USB Driver for Mobile Phones (HKLM\...\{D0795B21-0CDA-4a92-AB9E-6E92D8111E44}) (Version: 1.5.23.0 - SAMSUNG Electronics Co., Ltd.)
Secure Download Manager (HKLM-x32\...\{E040B65B-8683-4228-8C33-D44A141E40EA}) (Version: 3.1.60 - Kivuto Solutions Inc.)
Service Pack 2 for Microsoft Office 2010 (KB2687455) 32-Bit Edition (HKLM-x32\...\{90140000-0011-0000-0000-0000000FF1CE}_Office14.PROPLUS_{DE28B448-32E8-4E8F-84F0-A52B21A49B5B}) (Version:  - Microsoft)
Skype™ 7.13 (HKLM-x32\...\{6A0549A9-1B96-498C-ACBC-3943001FEB19}) (Version: 7.13.101 - Skype Technologies S.A.)
SUPERAntiSpyware (HKLM\...\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}) (Version: 5.6.1014 - SUPERAntiSpyware.com)
swMSM (HKLM-x32\...\{612C34C7-5E90-47D8-9B5C-0F717DD82726}) (Version: 12.0.0.1 - Adobe Systems, Inc) Hidden
Synaptics Pointing Device Driver (HKLM\...\SynTPDeinstKey) (Version: 15.3.41.5 - Synaptics Incorporated)
Visual Studio 2012 x64 Redistributables (HKLM\...\{8C775E70-A791-4DA8-BCC3-6AB7136F4484}) (Version: 14.0.0.1 - AVG Technologies)
Visual Studio 2012 x86 Redistributables (HKLM-x32\...\{98EFF19A-30AB-4E4B-B943-F06B1C63EBF8}) (Version: 14.0.0.1 - AVG Technologies CZ, s.r.o.)
VLC media player (HKLM-x32\...\VLC media player) (Version: 2.2.1 - VideoLAN)
VLC media player 2.0.1 (HKLM\...\VLC media player) (Version: 2.0.1 - VideoLAN)
VMware Player (HKLM\...\{57AA4E8A-E2C9-4F1C-B3F1-762C36E34472}) (Version: 12.1.0 - VMware, Inc.)
Win32DiskImager version 0.9.5 (HKLM-x32\...\{D074CE74-912A-4AD3-A0BF-3937D9D01F17}_is1) (Version: 0.9.5 - ImageWriter Developers)
Windows Live Essentials (HKLM-x32\...\WinLiveSuite) (Version: 15.4.3508.1109 - Microsoft Corporation)
WinRAR archiver (HKLM-x32\...\WinRAR archiver) (Version:  - )
ZoneAlarm Firewall (HKLM-x32\...\{616C96AC-9B4B-4446-8583-A10C2FDA24A4}) (Version: 13.3.209.000 - Check Point Software Technologies Ltd.) Hidden
ZoneAlarm Free Firewall (HKLM-x32\...\ZoneAlarm Free Firewall) (Version: 13.3.209.000 - Check Point)
ZoneAlarm Security (HKLM-x32\...\{8E44476E-11BF-41A5-A457-266FD27F344D}) (Version: 13.3.209.000 - Check Point Software Technologies Ltd.) Hidden

========================= Memory info: ===================================

Percentage of memory in use: 60%
Total physical RAM: 3914.36 MB
Available physical RAM: 1559.75 MB
Total Virtual: 7826.92 MB
Available Virtual: 5069.43 MB

========================= Partitions: =====================================

1 Drive c: () (Fixed) (Total:117.19 GB) (Free:57.48 GB) NTFS
2 Drive d: () (Fixed) (Total:110.75 GB) (Free:109.69 GB) NTFS
3 Drive e: (Linux Mint 17.3) (CDROM) (Total:1.47 GB) (Free:0 GB) CDFS
4 Drive h: () (Fixed) (Total:237.82 GB) (Free:206.57 GB) NTFS

========================= Users: ========================================

User accounts for \\HOMELAPTOP

Administrator            Guest                    Home User 1              


**** End of log ****
 

 

********************************************************************************************************************************************

 

Rkill 2.8.3 by Lawrence Abrams (Grinler)
http://www.bleepingcomputer.com/
Copyright 2008-2015 BleepingComputer.com
More Information about Rkill can be found at this link:
 http://www.bleepingcomputer.com/forums/topic308364.html

Program started at: 12/13/2015 11:43:07 PM in x64 mode.
Windows Version: Windows 7 Ultimate Service Pack 1

Checking for Windows services to stop:

 * No malware services found to stop.

Checking for processes to terminate:

 * No malware processes found to kill.

Checking Registry for malware related settings:

 * No issues found in the Registry.

Resetting .EXE, .COM, & .BAT associations in the Windows Registry.

Performing miscellaneous checks:

 * Windows Defender Disabled

   [HKLM\SOFTWARE\Microsoft\Windows Defender]
   "DisableAntiSpyware" = dword:00000001

 * Windows Firewall Disabled

   [HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
   "EnableFirewall" = dword:00000000

Checking Windows Service Integrity:

 * Windows Defender (WinDefend) is not Running.
   Startup Type set to: Manual

Searching for Missing Digital Signatures:

 * No issues found.

Checking HOSTS File:

 * No issues found.

Program finished at: 12/13/2015 11:43:20 PM
Execution time: 0 hours(s), 0 minute(s), and 12 seconds(s)

********************************************************************************************************************************

 

Kaspersky Virus Removal Tool

 

No threats found.

 

*********************************************************************************************************************************

 

Thanks severac.



#4 severac

Posted 14 December 2015 - 02:50 AM

So far so good.

 

Run MBAM:
 

§  On the Dashboard, click the 'Update Now >>' link.

§  After the update completes, on the Settings tab, set the following options under Detection and Protection: 

1. 'Scan for rootkits'

2. Under Non-Malware Protection, for 'PUP detections', check the 'Threat detections as malware' option.

§  Return to Dashboard, click the Scan Now >> button.

§  A Threat Scan will begin.

§  When the scan is complete, if there have been detections, click Apply Actions to allow MBAM to clean what was detected.

§  In most cases, a restart will be required.

§  Wait for the prompt to restart the computer to appear, then click on Yes.

§  After the restart once you are back at your desktop, open MBAM once more.

§  Click on the History tab > Application Logs.

§  Double click on the Scan Log which shows the Date and time of the scan just performed.

§  Click 'Export'.

§  Click 'Copy to Clipboard'

§  Paste the contents of the clipboard into your reply.

 

-----------

Please download AdwCleaner by Xplode onto your desktop.

§  Close all open programs and internet browsers.

§  Double click on adwcleaner.exe to run the tool.

§  In EULA window click I agree.

§  In Options uncheck Reset Winsock settings.

§  Click on Scan button.

§  When the scan has finished click on Cleaning button.

§  Your computer will be rebooted automatically. A text file will open after the restart.

§  Please post the contents of that logfile with your next reply.

§  You can find the logfile at C:\AdwCleaner[C1].txt as well.

--------

 

Please download Junkware Removal Tool  to your desktop.

§  Shut down your protection software now to avoid potential conflicts.

§  Run the tool by double-clicking it. If you are using Windows Vista, 7, 8 or 10; instead of double-clicking, right-mouse click JRT.exe and select "Run as Administrator".

§  The tool will open and start scanning your system.

§  Please be patient as this can take a while to complete depending on your system's specifications.

§  On completion, a log (JRT.txt) is saved to your desktop and will automatically open.

§  Post the contents of JRT.txt into your next message.

-------


I would like to help you to remove malware. Let's look inside.   :busy:

But I don't know how to solve all PC problems.  :smash: 

 


#5 silverfx
  • Topic Starter

Posted 14 December 2015 - 04:21 AM

Malwarebytes Anti-Malware
www.malwarebytes.org


Update, 14/12/2015 07:52, SYSTEM, HOMELAPTOP, Manual, Rootkit Database, 2015.11.23.1, 2015.12.7.1,
Update, 14/12/2015 07:52, SYSTEM, HOMELAPTOP, Manual, Remediation Database, 2015.11.22.2, 2015.12.6.2,
Update, 14/12/2015 07:52, SYSTEM, HOMELAPTOP, Manual, Domain Database, 2015.11.24.8, 2015.12.13.1,
Update, 14/12/2015 07:52, SYSTEM, HOMELAPTOP, Manual, Malware Database, 2015.11.24.6, 2015.12.14.2,
Update, 14/12/2015 07:52, SYSTEM, HOMELAPTOP, Manual, IP Database, 2015.11.24.1, 2015.12.12.3,
Scan, 14/12/2015 08:36, SYSTEM, HOMELAPTOP, Manual, Start:14/12/2015 07:53, Duration:42 min 59 sec, Threat Scan, Completed, 0 Malware Detections, 0 Non-Malware Detections,

(end)

 

*************************************************************************************************

*************************************************************************************************

 

# AdwCleaner v5.025 - Logfile created 14/12/2015 at 09:03:48
# Updated 13/12/2015 by Xplode
# Database : 2015-12-13.2 [Server]
# Operating system : Windows 7 Ultimate Service Pack 1 (x64)
# Username : Administrator - HOMELAPTOP
# Running from : C:\Users\Administrator\Desktop\AdwCleaner.exe
# Option : Cleaning
# Support : http://toolslib.net/forum

***** [ Services ] *****


***** [ Folders ] *****

[-] Folder Deleted : C:\Program Files (x86)\orbitdownloader
[-] Folder Deleted : C:\ProgramData\AVG Security Toolbar
[-] Folder Deleted : C:\ProgramData\Avg_Update_1214tb
[-] Folder Deleted : C:\Users\Administrator\AppData\Roaming\ProgSense
[-] Folder Deleted : C:\Users\Home User 1\AppData\LocalLow\AskToolbar

***** [ Files ] *****

[-] File Deleted : C:\Program Files (x86)\Mozilla Firefox\browser\searchplugins\wtu-secure-search.xml
[-] File Deleted : C:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\qxza930l.default\searchplugins\zonealarm.xml
[-] File Deleted : C:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\qxza930l.default\user.js

***** [ DLLs ] *****


***** [ Shortcuts ] *****


***** [ Scheduled tasks ] *****


***** [ Registry ] *****

[-] Key Deleted : HKLM\SOFTWARE\Classes\AppID\escortEng.DLL
[-] Key Deleted : HKLM\SOFTWARE\Classes\AppID\esrv.EXE
[-] Key Deleted : HKLM\SOFTWARE\Classes\AppID\{06DEB529-DE09-43EC-B6E2-451AAB0FF000}
[-] Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{DE9028D0-5FFA-4E69-94E3-89EE8741F468}
[-] Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39}
[-] Key Deleted : HKLM\SOFTWARE\Classes\Interface\{744E0E81-BC79-4719-A58B-C98F7E78EE5D}
[-] Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{06DEB529-DE09-43EC-B6E2-451AAB0FF000}
[-] Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{212C2C4F-C845-4FBC-9561-C833A13D8DCE}
[-] Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{3C5D1D57-16C8-473C-A552-37B8D88596FE}
[-] Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{4A115D8A-6A7B-4C72-92B1-2E2D01F36979}
[-] Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{99DF8440-814E-497F-BDDD-FB93E9E9DF96}
[-] Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{E00DE9B9-B128-4C39-B732-B5D85013FA48}
[-] Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{F25AF245-4A81-40DC-92F9-E9021F207706}
[-] Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{B2BC04DF-EFBD-409A-95CA-36874E5AB92A}
[-] Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{B2BC04DF-EFBD-409A-95CA-36874E5AB92A}
[-] Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{83CAD530-387D-40FD-82EA-B9E863D92A9B}
[-] Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{B2BC04DF-EFBD-409A-95CA-36874E5AB92A}
[-] Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{4E92DB5F-AAD9-49D3-8EAB-B40CBE5B1FF7}
[-] Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{66EEF543-A9AC-4A9D-AA3C-1ED148AC8FFE}
[-] Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{744E0E81-BC79-4719-A58B-C98F7E78EE5D}
[-] Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{C401D2CE-DC27-45C7-BC0C-8E6EA7F085D6}
[-] Key Deleted : [x64] HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{B2BC04DF-EFBD-409A-95CA-36874E5AB92A}
[-] Key Deleted : HKCU\Software\OCS
[-] Key Deleted : HKLM\SOFTWARE\yuna software
[-] Key Deleted : HKU\.DEFAULT\Software\VNT

***** [ Web browsers ] *****

[-] [C:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\qxza930l.default\prefs.js] [Preference] Deleted : user_pref("extensions.zonealarm.dspFFXOld", "AVG Secure Search");
[-] [C:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\qxza930l.default\prefs.js] [Preference] Deleted : user_pref("extensions.zonealarm.hmpgUrl", "hxxp://search.zonealarm.com/?src=hp&tbid=HFA5&Lan=EN&gu=c1c117ce8a2c42f7830f661fe5a80643&tu=10G9y00HT2D33N0&sku=&tstsId=&ver=&");
[-] [C:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\qxza930l.default\prefs.js] [Preference] Deleted : user_pref("extensions.zonealarm.kw_url", "hxxp://search.zonealarm.com/search?src=sp&tbid=HFA5&Lan=EN&gu=c1c117ce8a2c42f7830f661fe5a80643&tu=10G9y00HT2D33N0&sku=&tstsId=&ver=&&q=");
[-] [C:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\qxza930l.default\prefs.js] [Preference] Deleted : user_pref("extensions.zonealarm.newTabUrl", "hxxp://search.zonealarm.com/?src=nt&tbid=HFA5&Lan=EN&gu=c1c117ce8a2c42f7830f661fe5a80643&tu=10G9y00HT2D33N0&sku=&tstsId=&ver=&");
[-] [C:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\qxza930l.default\prefs.js] [Preference] Deleted : user_pref("extensions.zonealarm.srchPrvdr", "Search By ZoneAlarm");
[-] [C:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\qxza930l.default\prefs.js] [Preference] Deleted : user_pref("extensions.zonealarm.tlbrSrchUrl", "hxxp://search.zonealarm.com/search?src=tb&tbid=HFA5&Lan={dfltLng}&gu=c1c117ce8a2c42f7830f661fe5a80643 [INSTALLTOOLBAR] [SETSEARCH] [SETHOME]&tu=10G9y00HT[...]

*************************

:: "Tracing" keys removed
:: Winsock settings cleared

########## EOF - C:\AdwCleaner\AdwCleaner[C1].txt - [5158 bytes] ##########
 

*************************************************************************************************

*************************************************************************************************

 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Malwarebytes
Version: 8.0.1 (11.24.2015)
Operating System: Windows 7 Ultimate x64
Ran by Administrator (Administrator) on 14/12/2015 at  9:11:09.13
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~




File System: 19

Successfully deleted: C:\Users\Administrator\AppData\Local\{01A564FB-F6F2-4549-A1BF-1C72F1C33CDD} (Empty Folder)
Successfully deleted: C:\Users\Administrator\AppData\Local\{0A170DAE-EA76-4950-B172-08EFC0DC3F0C} (Empty Folder)
Successfully deleted: C:\Users\Administrator\AppData\Local\{18B97802-3094-479C-A7A5-F81800DE53DC} (Empty Folder)
Successfully deleted: C:\Users\Administrator\AppData\Local\{1BA90E2B-BE7D-43C9-A817-51E76A332E2F} (Empty Folder)
Successfully deleted: C:\Users\Administrator\AppData\Local\{45976557-952A-4CFB-A863-6F445C95ECF0} (Empty Folder)
Successfully deleted: C:\Users\Administrator\AppData\Local\{48095C63-3E29-463E-B002-636AE0ADFC73} (Empty Folder)
Successfully deleted: C:\Users\Administrator\AppData\Local\{4D168C80-A997-45D8-9BD2-B568FDB359E4} (Empty Folder)
Successfully deleted: C:\Users\Administrator\AppData\Local\{67A9951F-4182-48AE-AEB2-A5319A629848} (Empty Folder)
Successfully deleted: C:\Users\Administrator\AppData\Local\{7045CBC0-6E60-4A94-8E1E-CBBA0ABD5F24} (Empty Folder)
Successfully deleted: C:\Users\Administrator\AppData\Local\{81023992-5A9F-4661-8BB4-D680A9927C89} (Empty Folder)
Successfully deleted: C:\Users\Administrator\AppData\Local\{C3D9381D-B38A-40A3-A7E2-F31E26DDA1F3} (Empty Folder)
Successfully deleted: C:\Users\Administrator\AppData\Local\{C6A5C045-B0E3-4655-B697-DF59B113D433} (Empty Folder)
Successfully deleted: C:\Users\Administrator\AppData\Local\{C87594C2-22B3-40D2-AC96-7E3B21DD02E1} (Empty Folder)
Successfully deleted: C:\Users\Administrator\AppData\Local\{C97D8A55-7888-4F16-8D23-20F8890EE429} (Empty Folder)
Successfully deleted: C:\Users\Administrator\AppData\Local\{D5E5830B-FD39-4988-8385-C7E0EF821C92} (Empty Folder)
Successfully deleted: C:\Users\Administrator\AppData\Local\{E2263DFF-2C55-45E2-829E-C04A8A699432} (Empty Folder)
Successfully deleted: C:\Users\Administrator\AppData\Local\{FEC08A3B-E582-4A74-90C8-C5960EA641D5} (Empty Folder)
Successfully deleted: C:\Users\Administrator\AppData\Roaming\red kawa (Folder)
Successfully deleted: C:\Windows\wininit.ini (File)



Registry: 0



~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on 14/12/2015 at  9:13:57.20
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 

*************************************************************************************************

*************************************************************************************************


Edited by silverfx, 14 December 2015 - 04:22 AM.


#6 severac

Posted 14 December 2015 - 04:28 AM

You should be clean. 

 

Tell me the status of your PC, do you have some problems?



 


#7 silverfx
  • Topic Starter

Posted 14 December 2015 - 04:31 PM

Occasionally, my Acer laptop runs slowly.
 
When I do a scan with RWEverything, it shows a false Hewlett Packard OEM key on the SLIC table (see below)
 
I want to find out if this is because of a loader such as Daz loader, or a modified BIOS done by the person before me.
 
If the BIOS was modified, then I need to know what I can do to 'un-modify' it to be sure of no background bootkits, and if updating the BIOS with the latest official update from Acer will wipe off any bootkits which might be there.

 

When I know I have a clean BIOS, I will make a clean genuine Windows installation.
 
Thanks for your help!

 

Software Licensing Description Table: 0x00000000A6FEB000

53 4C 49 43 76 01 00 00 01 16 48 50 51 4F 45 4D    SLICv.....HPQOEM
53 4C 49 43 2D 57 4B 53 01 00 00 00 20 48 50 51    SLIC-WKS.... HPQ
24 08 09 20 00 00 00 00 9C 00 00 00 06 02 00 00    $.. ............
00 24 00 00 52 53 41 31 00 04 00 00 01 00 01 00    .$..RSA1........
5B AB 60 56 BC 58 1E E8 C1 D2 A1 5C E5 4F BB FD    [.`V.X.....\.O..
1D A9 8C 94 B4 AE 08 11 DC 13 59 D3 7F F6 3E 87    ..........Y...>.
31 B9 95 74 10 DA 3B A4 5B B5 19 82 7C 39 D7 0D    1..t..;.[...|9..
7C 22 AC 1C 2A 84 E9 0A 88 6D FA B1 E2 D8 E8 21    |"..*....m.....!
96 E1 2E 68 9A BF 44 45 3E 3C 8E 99 90 DE 37 38    ...h..DE><....78
57 0B 92 15 BC DE FF F2 07 7E B5 40 8C 51 3A C3    W........~.@.Q:.
02 48 F6 13 12 72 FB 42 78 E6 47 88 54 C7 B0 F0    .H...r.Bx.G.T...
93 9E FB 04 B7 B8 B8 90 DE DB ED 32 E1 FB 54 A6    ...........2..T.
01 00 00 00 B6 00 00 00 00 00 02 00 48 50 51 4F    ............HPQO
45 4D 53 4C 49 43 2D 57 4B 53 57 49 4E 44 4F 57    EMSLIC-WKSWINDOW
53 20 01 00 02 00 00 00 00 00 00 00 00 00 00 00    S ..............
00 00 00 00 00 00 46 F8 1F 4B DE 68 A5 DA 19 CC    ......F..K.h....
D0 A9 62 CA 39 E8 3F 4D E2 37 32 CC F6 EA 7D 7C    ..b.9.?M.72...}|
63 34 68 68 4D C4 FF E1 E0 BB 94 DE 07 31 01 E5    c4hhM........1..
18 49 2F 49 89 BD AA A4 1C 6A 46 19 0D B6 0F F4    .I/I.....jF.....
38 93 5E 12 9E BA AB 6F 13 17 AF 70 46 75 DF 6C    8.^....o...pFu.l
88 A1 4A C9 CE 21 C4 C2 4F 5D 02 FB E0 24 C7 3F    ..J..!..O]...$.?
B4 B0 D1 30 8F C9 82 52 E1 19 F1 C8 FA 2F 02 20    ...0...R...../.
A2 B9 4A 01 DA 21 11 B7 51 A2 B3 6E 4B 2F 7E D2    ..J..!..Q..nK/~.
B2 64 02 7F A7 D3                                  .d....          

Signature    "SLIC"
Length    0x00000176 (374)
Revision    0x01 (1)
Checksum    0x16 (22)
OEM ID    "HPQOEM"
OEM Table ID    "SLIC-WKS"
OEM Revision    0x00000001 (1)
Creator ID    " HPQ"
Creator Revision    0x20090824 (537462820)
OEM Public Key Structure
  Type    0x00000000 (0)
  Length    0x0000009C (156)
  Key Type    0x06 (6)
  Version    0x02 (2)
  Reserved    0x0000 (0)
  Algorithm    0x00002400 (9216)
  Magic    "RSA1"
  Bit Length    0x00000400 (1024)
  Exponent    0x00010001 (65537)
  Modulus    0x5B 0xAB 0x60 0x56 0xBC 0x58 0x1E 0xE8 0xC1 0xD2 0xA1 0x5C 0xE5 0x4F 0xBB 0xFD
             0x1D 0xA9 0x8C 0x94 0xB4 0xAE 0x08 0x11 0xDC 0x13 0x59 0xD3 0x7F 0xF6 0x3E 0x87
             0x31 0xB9 0x95 0x74 0x10 0xDA 0x3B 0xA4 0x5B 0xB5 0x19 0x82 0x7C 0x39 0xD7 0x0D
             0x7C 0x22 0xAC 0x1C 0x2A 0x84 0xE9 0x0A 0x88 0x6D 0xFA 0xB1 0xE2 0xD8 0xE8 0x21
             0x96 0xE1 0x2E 0x68 0x9A 0xBF 0x44 0x45 0x3E 0x3C 0x8E 0x99 0x90 0xDE 0x37 0x38
             0x57 0x0B 0x92 0x15 0xBC 0xDE 0xFF 0xF2 0x07 0x7E 0xB5 0x40 0x8C 0x51 0x3A 0xC3
             0x02 0x48 0xF6 0x13 0x12 0x72 0xFB 0x42 0x78 0xE6 0x47 0x88 0x54 0xC7 0xB0 0xF0
             0x93 0x9E 0xFB 0x04 0xB7 0xB8 0xB8 0x90 0xDE 0xDB 0xED 0x32 0xE1 0xFB 0x54 0xA6
SLIC Marker Structure
  Type    0x00000001 (1)
  Length    0x000000B6 (182)
  Version    0x00020000 (131072)
  OEM ID    "HPQOEM"
  OEM Table ID    "SLIC-WKS"
  Windows Flag    "WINDOWS "
  SLIC Ver    0x00020001 (v2.1)
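As an added example (not code from the thread or from RW-Everything), here is a Python decoder for the SLIC table dumped above: it validates the ACPI checksum and the header/public-key/marker lengths and flags the point at issue in this thread, an OEM ID that is not the one the machine's real board vendor would stamp. The expected OEM ID is something you supply; b"ACRSYS" in the main block is assumed to be Acer's value and should be confirmed against vendor documentation.

```python
import struct

# RW-Everything dump from the post above, re-typed as this
# example's input (hex column only, ASCII column dropped).
SLIC_DUMP = """
53 4C 49 43 76 01 00 00 01 16 48 50 51 4F 45 4D
53 4C 49 43 2D 57 4B 53 01 00 00 00 20 48 50 51
24 08 09 20 00 00 00 00 9C 00 00 00 06 02 00 00
00 24 00 00 52 53 41 31 00 04 00 00 01 00 01 00
5B AB 60 56 BC 58 1E E8 C1 D2 A1 5C E5 4F BB FD
1D A9 8C 94 B4 AE 08 11 DC 13 59 D3 7F F6 3E 87
31 B9 95 74 10 DA 3B A4 5B B5 19 82 7C 39 D7 0D
7C 22 AC 1C 2A 84 E9 0A 88 6D FA B1 E2 D8 E8 21
96 E1 2E 68 9A BF 44 45 3E 3C 8E 99 90 DE 37 38
57 0B 92 15 BC DE FF F2 07 7E B5 40 8C 51 3A C3
02 48 F6 13 12 72 FB 42 78 E6 47 88 54 C7 B0 F0
93 9E FB 04 B7 B8 B8 90 DE DB ED 32 E1 FB 54 A6
01 00 00 00 B6 00 00 00 00 00 02 00 48 50 51 4F
45 4D 53 4C 49 43 2D 57 4B 53 57 49 4E 44 4F 57
53 20 01 00 02 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 46 F8 1F 4B DE 68 A5 DA 19 CC
D0 A9 62 CA 39 E8 3F 4D E2 37 32 CC F6 EA 7D 7C
63 34 68 68 4D C4 FF E1 E0 BB 94 DE 07 31 01 E5
18 49 2F 49 89 BD AA A4 1C 6A 46 19 0D B6 0F F4
38 93 5E 12 9E BA AB 6F 13 17 AF 70 46 75 DF 6C
88 A1 4A C9 CE 21 C4 C2 4F 5D 02 FB E0 24 C7 3F
B4 B0 D1 30 8F C9 82 52 E1 19 F1 C8 FA 2F 02 20
A2 B9 4A 01 DA 21 11 B7 51 A2 B3 6E 4B 2F 7E D2
B2 64 02 7F A7 D3
"""
HEADER = struct.Struct("<4sIBB6s8sI4sI")      # 36-byte ACPI table header
PUBKEY = struct.Struct("<IIBBHI4sII128s")     # 156-byte OEM public key structure
MARKER = struct.Struct("<III6s8s8sI16s128s")  # 182-byte SLIC marker structure

def slic_bytes(dump=SLIC_DUMP):
    """Turn the hex text back into the raw 374-byte table."""
    return bytes(int(tok, 16) for tok in dump.split())

def parse_slic(table):
    """Decode header, public key and marker; ValueError if the layout is off."""
    if len(table) != HEADER.size + PUBKEY.size + MARKER.size:
        raise ValueError("length is not header + public key + marker")
    sig, length, _rev, csum, oem_id, oem_tid, _orev, cre_id, cre_rev = HEADER.unpack_from(table)
    k_type, k_len, _kt, _kv, _r, _alg, magic, bits, exp, modulus = PUBKEY.unpack_from(table, HEADER.size)
    m_type, m_len, _mv, m_oem, m_tid, winflag, slic_ver, _r2, sig_blob = MARKER.unpack_from(table, HEADER.size + PUBKEY.size)
    if sig != b"SLIC" or length != len(table):
        raise ValueError("not a complete SLIC table")
    if (k_type, k_len, m_type, m_len) != (0, PUBKEY.size, 1, MARKER.size):
        raise ValueError("structure types/lengths do not match the SLIC 2.x layout")
    return {"oem_id": oem_id, "oem_table_id": oem_tid, "creator_id": cre_id,
            "creator_revision": cre_rev, "checksum_byte": csum,
            "key_magic": magic, "key_bits": bits, "key_exponent": exp, "modulus": modulus,
            "marker_oem_id": m_oem, "marker_oem_table_id": m_tid,
            "windows_flag": winflag, "slic_version": slic_ver, "signature": sig_blob}

def audit_slic(table, expected_oem_id):
    """Defender-side consistency checks; an empty list means nothing stood out."""
    findings = []
    if sum(table) % 256:  # every ACPI table sums to 0 mod 256, checksum byte included
        findings.append("ACPI checksum does not sum to zero")
    info = parse_slic(table)
    if (info["key_magic"], info["key_bits"], info["key_exponent"]) != (b"RSA1", 1024, 65537):
        findings.append("public key block is not the RSA1/1024-bit/65537 layout in the dump")
    if (info["oem_id"], info["oem_table_id"]) != (info["marker_oem_id"], info["marker_oem_table_id"]):
        findings.append("header and marker OEM fields disagree")
    if info["oem_id"] != expected_oem_id:
        findings.append("SLIC OEM ID %r is not the board vendor's %r" % (info["oem_id"], expected_oem_id))
    return findings

if __name__ == "__main__":
    # b"ACRSYS" is assumed to be Acer's SLIC OEM ID; confirm it against vendor documentation.
    for finding in audit_slic(slic_bytes(), b"ACRSYS"):
        print("FINDING:", finding)
```

On a live Windows machine the same 374 bytes can be read with the Win32 GetSystemFirmwareTable call (provider 'ACPI', table 'SLIC') instead of an RW-Everything dump. A vendor mismatch reported here says the table the OS sees was injected or replaced; it does not by itself tell a boot-time loader apart from a reflashed BIOS, since both present the same table to Windows.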
 



#8 severac

Posted 14 December 2015 - 05:18 PM

I don't know what to tell you about that OEM key, I don't know how to read those results.

 

Your system is clean, and I don't think that something is wrong with your BIOS. 



 


#9 silverfx
  • Topic Starter

Posted 14 December 2015 - 05:39 PM

Ok, two questions:

 

1.  Could there be a bootkit or something on the BIOS which MiniToolbox/Rkill/Kaspersky/MBAM/JRT so far did not detect?

 

2.  What about the false OEM key?  There must be a loader at least, e.g. Daz loader.  Does the BC software so far not detect loaders as malware?

 

Thanks!


Edited by silverfx, 14 December 2015 - 05:46 PM.


#10 severac

Posted 14 December 2015 - 05:50 PM

A bootkit is a type of malware that infects the Master Boot Record (MBR).

This infection method allows the malicious program to be executed before the operating system boots. As soon as BIOS (Basic Input Output System) selects an appropriate boot device (it can be a hard disk or a flash drive), the bootkit that resides in the MBR starts executing its code. Once the bootkit receives the control, it usually starts preparing itself (reads and decrypts its auxiliary files in its own file system that it has created somewhere in the unallocated disk space) and returns the control to the legitimate boot loader overseeing all stages of the boot process.

The main feature of a bootkit is that it cannot be detected by standard means of an operating system because all its components reside outside of the standard file systems. 
Some types of bootkits hide even the fact that the MBR has been compromised by returning the legitimate copy of the MBR when an attempt to read it has been made. 
A system infected with a bootkit can be cured with the TDSSKiller utility.  

 

  • Download the TDSSKiller.exe file;
  • Run the TDSSKiller.exe file;
  • The utility starts scanning the system for malicious and suspicious objects when you click the button Start scan.
  • If the utility detects an infection with the MBR bootkit, it will report that it has detected an infected object of type “Physical drive” and prompt for action:
    • Cure. This action is only available if the utility has identified the exact type of the bootkit. If it has detected an unknown bootkit, it will be reported as Rootkit.Win32.BackBoot.gen.
    • Skip.
    • Copy to quarantine. The utility quarantines the infected MBR.
    • Restore. The utility restores a standard MBR.
  • A reboot might be required after the disinfection has been completed.

---------------



 


#11 silverfx
  • Topic Starter

Posted 15 December 2015 - 06:24 AM

I ran TDSSKiller and it found one medium risk threat, "FsUsbExDisk" in the following location:

 

C:\Windows\SysWOW64\FsUsbExDisk.SYS

 

What should I do, skip/copy to quarantine/delete/restore?


Edited by silverfx, 15 December 2015 - 06:27 AM.


#12 severac

Posted 15 December 2015 - 12:30 PM

Use skip. 



 


#13 silverfx
  • Topic Starter

Posted 15 December 2015 - 08:23 PM

You mean it is not dangerous?



#14 severac

Posted 16 December 2015 - 03:29 AM

I think it is related to Samsung. 



 


#15 silverfx
  • Topic Starter

Posted 16 December 2015 - 07:06 AM

Ok, thanks.

 

So what wrote the Hewlett Packard OEM key to the SLIC table on the BIOS, a loader or a BIOS modification?

 

- If it is a loader, e.g. Daz loader, how can I remove it?

- If it is a BIOS modification, how can I unmodify it?  Will an update of the latest official BIOS from Acer wipe the BIOS clean, including the EEPROM chip?

 

Thanks!





