backdoor.generic trojan keeps coming back after every AVG scan


  • This topic is locked
15 replies to this topic

#1 wolfy1

  • Members
  • 9 posts
  • Local time:07:20 PM

Posted 14 December 2015 - 04:35 PM

After every AVG scan I keep getting 2 backdoor.generic trojans, so I'm guessing it's not being removed. Please help. This happened recently: I checked the AVG scan logs and it started about 4 days ago; every time AVG does its daily scan the backdoor.generic trojans return. Is this trojan serious? Can it be removed or do I have to reformat? Thanks in advance, and hopefully you guys can help.

 

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version:14-12-2015
Ran by Skratch (administrator) on SKRATCH-PC (14-12-2015 13:07:37)
Running from C:\Users\Skratch\Desktop
Loaded Profiles: Skratch (Available Profiles: IUSR_NMPR & Skratch)
Platform: Microsoft® Windows Vista™ Home Premium  Service Pack 2 (X86) Language: English (United States)
Internet Explorer Version 9 (Default browser: FF)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(AVG Technologies CZ, s.r.o.) C:\Program Files\AVG\AVG2015\avgrsx.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files\AVG\AVG2015\avgcsrvx.exe
(NVIDIA Corporation) C:\WINDOWS\System32\nvvsvc.exe
(Microsoft Corporation) C:\WINDOWS\System32\SLsvc.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe
(NVIDIA Corporation) C:\WINDOWS\System32\nvvsvc.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files\AVG\AVG2015\avgidsagent.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files\AVG\Framework\Common\avgsvcx.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files\AVG\AVG2015\avgwdsvc.exe
() C:\Program Files\Common Files\Intel\IntelDH\NMS\AdpPlugins\DQLWinService.exe
(Intel Corporation) C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTmon.exe
() C:\WINDOWS\System32\PnkBstrA.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files\AVG\AVG2015\avgnsx.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files\AVG\AVG2015\avgemcx.exe
(Hewlett-Packard Company) C:\hp\support\hpsysdrv.exe
(Intel Corporation) C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
(Realtek Semiconductor) C:\WINDOWS\RtHDVCpl.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files\AVG\Framework\Common\avguix.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files\AVG\AVG2015\avgui.exe
(Spotify Ltd) C:\Users\Skratch\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe
(Microsoft Corporation) C:\Program Files\Windows Media Player\wmpnscfg.exe
(Hewlett-Packard) C:\Program Files\Hewlett-Packard\HP Health Check\HPHC_Service.exe
(Mozilla Corporation) C:\Program Files\Mozilla Firefox\firefox.exe


==================== Registry (Whitelisted) ===========================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [Windows Defender] => C:\Program Files\Windows Defender\MSASCui.exe [1008184 2008-01-18] (Microsoft Corporation)
HKLM\...\Run: [hpsysdrv] => c:\hp\support\hpsysdrv.exe [65536 2007-04-18] (Hewlett-Packard Company)
HKLM\...\Run: [IAAnotif] => C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe [178712 2007-07-12] (Intel Corporation)
HKLM\...\Run: [RtHDVCpl] => C:\Windows\RtHDVCpl.exe [4669440 2007-07-06] (Realtek Semiconductor)
HKLM\...\Run: [] => [X]
HKLM\...\Run: [AvgUi] => C:\Program Files\AVG\Framework\Common\avguix.exe [1136552 2015-11-12] (AVG Technologies CZ, s.r.o.)
HKLM\...\Run: [AVG_UI] => C:\Program Files\AVG\AVG2015\avgui.exe [3780008 2015-10-30] (AVG Technologies CZ, s.r.o.)
HKLM\...\RunOnce: [Launcher] => C:\Windows\SMINST\launcher.exe [44168 2007-04-03] (soft thinks)
HKU\S-1-5-21-3386350507-3755161252-3313584371-1001\...\Run: [Spotify Web Helper] => C:\Users\Skratch\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe [1676344 2014-12-21] (Spotify Ltd)
HKU\S-1-5-21-3386350507-3755161252-3313584371-1001\Control Panel\Desktop\\SCRNSAVE.EXE -> C:\Windows\system32\scrnsave.scr [10240 2006-11-02] (Microsoft Corporation)
ShellIconOverlayIdentifiers: [00avast] -> {472083B0-C522-11CF-8763-00608CC02F24} =>  No File

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

Tcpip\Parameters: [DhcpNameServer] 209.18.47.61 209.18.47.62
Tcpip\..\Interfaces\{C99DEC31-7C0A-4899-A032-45FF3F1DAE05}: [DhcpNameServer] 209.18.47.61 209.18.47.62

Internet Explorer:
==================
HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.google.com
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://www.google.com
SearchScopes: HKLM -> {B369CA74-08DC-4C3C-BD79-65388D118D80} URL = hxxp://search.yahoo.com/search?p={searchTerms}&ei={inputEncoding}&fr=hp-pvdt
SearchScopes: HKU\.DEFAULT -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-19 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-20 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-21-3386350507-3755161252-3313584371-1001 -> {B369CA74-08DC-4C3C-BD79-65388D118D80} URL = hxxp://search.yahoo.com/search?p={searchTerms}&ei={inputEncoding}&fr=hp-pvdt
BHO: Skype Browser Helper -> {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} -> C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll [2012-01-17] (Skype Technologies S.A.)
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_51-windows-i586.cab
DPF: {CAFEEFAC-0017-0000-0015-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_15-windows-i586.cab
DPF: {CAFEEFAC-0017-0000-0051-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_51-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_51-windows-i586.cab
Handler: ms-itss - {0A9007C0-4076-11D3-8789-0000F8105754} - C:\Program Files\Common Files\Microsoft Shared\Information Retrieval\msitss.dll [2001-06-20] (Microsoft Corporation)
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll [2012-01-17] (Skype Technologies S.A.)
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll [2014-05-02] (Skype Technologies)

FireFox:
========
FF ProfilePath: C:\Users\Skratch\AppData\Roaming\Mozilla\Firefox\Profiles\8ju8ochl.default-1440857654449
FF DefaultSearchEngine.US: Google
FF Homepage: www.yahoo.com
FF Plugin: @adobe.com/FlashPlayer -> C:\Windows\system32\Macromed\Flash\NPSWF32_20_0_0_235.dll [2015-12-09] ()
FF Plugin: @esn.me/esnsonar -> C:\Program Files\BF3 Alpha Trial Web Plugins\Sonar\npesnsonar.dll [2011-07-14] (ESN AB)
FF Plugin: @esn.me/esnsonar,version=0.70.0 -> C:\Program Files\Battlelog Web Plugins\Sonar\0.70.0\npesnsonar.dll [No File]
FF Plugin: @esn.me/esnsonar,version=0.70.3 -> C:\Program Files\Battlelog Web Plugins\Sonar\0.70.3\npesnsonar.dll [No File]
FF Plugin: @esn.me/esnsonar,version=0.70.4 -> C:\Program Files\Battlelog Web Plugins\Sonar\0.70.4\npesnsonar.dll [2011-11-03] (ESN Social Software AB)
FF Plugin: @esn/esnlaunch -> C:\Program Files\BF3 Alpha Trial Web Plugins\npesnlaunch.dll [2011-07-20] (ESN AB)
FF Plugin: @esn/esnlaunch,version=0.80.0 -> C:\Program Files\Battlelog Web Plugins\0.80.0\npesnlaunch.dll [No File]
FF Plugin: @esn/esnlaunch,version=1.104.0 -> C:\Program Files\Battlelog Web Plugins\1.104.0\npesnlaunch.dll [No File]
FF Plugin: @esn/esnlaunch,version=1.96.0 -> C:\Program Files\Battlelog Web Plugins\1.96.0\npesnlaunch.dll [No File]
FF Plugin: @esn/npbattlelog,version=2.3.2 -> C:\Program Files\Battlelog Web Plugins\2.3.2\npbattlelog.dll [2013-11-21] (EA Digital Illusions CE AB)
FF Plugin: @java.com/DTPlugin,version=10.5.1 -> C:\Windows\system32\npDeployJava1.dll [2012-05-04] (Oracle Corporation)
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files\Microsoft Silverlight\5.1.41105.0\npctrl.dll [2015-11-04] ( Microsoft Corporation)
FF Plugin: @microsoft.com/WPF,version=3.5 -> c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll [2008-07-29] (Microsoft Corporation)
FF Plugin: @nexon.net/NxGame -> C:\ProgramData\NexonUS\NGM\npNxGameUS.dll [No File]
FF Plugin: @pandonetworks.com/PandoWebPlugin -> C:\Program Files\Pando Networks\Media Booster\npPandoWebPlugin.dll [No File]
FF Plugin: @real.com/RhapsodyPlayerEngine,version=1.0 -> C:\Program Files\Real\RhapsodyPlayerEngine\nprhapengine.dll [2006-03-31] (RealNetworks, Inc.)
FF Plugin: @tools.google.com/Google Update;version=3 -> C:\Program Files\Google\Update\1.3.29.1\npGoogleUpdate3.dll [2015-12-03] (Google Inc.)
FF Plugin: @tools.google.com/Google Update;version=9 -> C:\Program Files\Google\Update\1.3.29.1\npGoogleUpdate3.dll [2015-12-03] (Google Inc.)
FF Plugin: @videolan.org/vlc,version=2.0.8 -> C:\Program Files\VideoLAN\VLC\npvlc.dll [2015-04-13] (VideoLAN)
FF Plugin: @videolan.org/vlc,version=2.1.2 -> C:\Program Files\VideoLAN\VLC\npvlc.dll [2015-04-13] (VideoLAN)
FF Plugin: @videolan.org/vlc,version=2.1.5 -> C:\Program Files\VideoLAN\VLC\npvlc.dll [2015-04-13] (VideoLAN)
FF Plugin: @videolan.org/vlc,version=2.2.1 -> C:\Program Files\VideoLAN\VLC\npvlc.dll [2015-04-13] (VideoLAN)
FF Plugin HKU\S-1-5-21-3386350507-3755161252-3313584371-1001: @unity3d.com/UnityPlayer,version=1.0 -> C:\Users\Skratch\AppData\LocalLow\Unity\WebPlayer\loader\npUnity3D32.dll [2015-07-25] (Unity Technologies ApS)
FF user.js: detected! => C:\Users\Skratch\AppData\Roaming\Mozilla\Firefox\Profiles\8ju8ochl.default-1440857654449\user.js [2015-08-30]
FF Extension: YouTube™ Flash® Player - C:\Users\Skratch\AppData\Roaming\Mozilla\Firefox\Profiles\8ju8ochl.default-1440857654449\Extensions\jid1-HAV2inXAnQPIeA@jetpack.xpi [2015-09-23]
FF Extension: NoScript - C:\Users\Skratch\AppData\Roaming\Mozilla\Firefox\Profiles\8ju8ochl.default-1440857654449\Extensions\{73a6fe31-595d-460b-a920-fcc0f8843232}.xpi [2015-11-23]
FF Extension: Adblock Plus - C:\Users\Skratch\AppData\Roaming\Mozilla\Firefox\Profiles\8ju8ochl.default-1440857654449\Extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}.xpi [2015-11-25]
FF Extension: Skype Click to Call - C:\Program Files\Mozilla Firefox\extensions\{82AF8DCA-6DE9-405D-BD5E-43525BDAD38A} [2015-11-06] [not signed]
FF HKLM\...\Firefox\Extensions: [{20a82645-c095-46ed-80e3-08825760534b}] - c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF Extension: Microsoft .NET Framework Assistant - c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension [2011-04-04] [not signed]

Chrome:
=======
CHR HomePage: Default -> hxxps://www.yahoo.com/
CHR StartupUrls: Default -> "hxxps://www.yahoo.com/"
CHR Plugin: (Widevine Content Decryption Module) - C:\Users\Skratch\AppData\Local\Google\Chrome\User Data\WidevineCDM\1.4.6.703\_platform_specific\win_x86\widevinecdmadapter.dll => No File
CHR Plugin: (Shockwave Flash) - C:\Program Files\Google\Chrome\Application\47.0.2526.80\PepperFlash\pepflashplayer.dll ()
CHR Plugin: (Chrome PDF Viewer) - C:\Program Files\Google\Chrome\Application\47.0.2526.80\pdf.dll => No File
CHR Plugin: (Adobe Acrobat) - C:\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll => No File
CHR Plugin: (ESN Sonar API) - C:\Program Files\BF3 Alpha Trial Web Plugins\Sonar\npesnsonar.dll (ESN AB)
CHR Plugin: (ESN Launch Mozilla Plugin) - C:\Program Files\BF3 Alpha Trial Web Plugins\npesnlaunch.dll (ESN AB)
CHR Plugin: (Battlelog Game Launcher) - C:\Program Files\Battlelog Web Plugins\2.3.2\npbattlelog.dll (EA Digital Illusions CE AB)
CHR Plugin: (ESN Sonar API) - C:\Program Files\Battlelog Web Plugins\Sonar\0.70.4\npesnsonar.dll (ESN Social Software AB)
CHR Plugin: (Google Update) - C:\Program Files\Google\Update\1.3.26.9\npGoogleUpdate3.dll => No File
CHR Plugin: (Java Deployment Toolkit 8.0.250.18) - C:\Program Files\Java\jre1.8.0_25\bin\dtplugin\npDeployJava1.dll => No File
CHR Plugin: (Java™ Platform SE 8 U25) - C:\Program Files\Java\jre1.8.0_25\bin\plugin2\npjp2.dll => No File
CHR Plugin: (RealNetworks Rhapsody Player Engine) - C:\Program Files\Real\RhapsodyPlayerEngine\nprhapengine.dll (RealNetworks, Inc.)
CHR Plugin: (VLC Web Plugin) - C:\Program Files\VideoLAN\VLC\npvlc.dll (VideoLAN)
CHR Plugin: (Unity Player) - C:\Users\Skratch\AppData\LocalLow\Unity\WebPlayer\loader\npUnity3D32.dll (Unity Technologies ApS)
CHR Plugin: (Shockwave for Director) - C:\Windows\system32\Adobe\Director\np32dsw_1213153.dll => No File
CHR Plugin: (Shockwave Flash) - C:\Windows\system32\Macromed\Flash\NPSWF32_16_0_0_305.dll => No File
CHR Plugin: (Silverlight Plug-In) - c:\Program Files\Microsoft Silverlight\5.1.31211.0\npctrl.dll => No File
CHR Plugin: (Windows Presentation Foundation) - c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
CHR Profile: C:\Users\Skratch\AppData\Local\Google\Chrome\User Data\Default
CHR Extension: (Adblock Plus) - C:\Users\Skratch\AppData\Local\Google\Chrome\User Data\Default\Extensions\cfhdojbkjhnklbpkdaibdccddilifddb [2015-12-05]
CHR Extension: (AdBlock) - C:\Users\Skratch\AppData\Local\Google\Chrome\User Data\Default\Extensions\gighmmpiobklfepjocnamgkkbiglidom [2015-12-07]
CHR Extension: (TweetDeck by Twitter) - C:\Users\Skratch\AppData\Local\Google\Chrome\User Data\Default\Extensions\hbdpomandigafcibbmofojjchbcdagbl [2015-08-02]
CHR Extension: (Skype Click to Call) - C:\Users\Skratch\AppData\Local\Google\Chrome\User Data\Default\Extensions\lifbcibllhkdhoafpjfnlhfpfgnpldfl [2015-11-28]
CHR Extension: (Google Dictionary (by Google)) - C:\Users\Skratch\AppData\Local\Google\Chrome\User Data\Default\Extensions\mgijmajocgfcbeboacabfgobmjgjcoja [2014-04-24]
CHR Extension: (Chrome Web Store Payments) - C:\Users\Skratch\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2015-08-02]
CHR HKLM\...\Chrome\Extension: [lifbcibllhkdhoafpjfnlhfpfgnpldfl] - C:\Program Files\Skype\Toolbars\Skype for Chromium\skype_chrome_extension.crx [2012-01-17]

==================== Services (Whitelisted) ========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

S3 AlertService; C:\Program Files\Intel\IntelDH\CCU\AlertService.exe [188416 2006-09-11] (Intel® Corporation) [File not signed]
R2 AVGIDSAgent; C:\Program Files\AVG\AVG2015\avgidsagent.exe [3642280 2015-10-30] (AVG Technologies CZ, s.r.o.)
R2 avgsvc; C:\Program Files\AVG\Framework\Common\avgsvcx.exe [862632 2015-11-12] (AVG Technologies CZ, s.r.o.)
R2 avgwd; C:\Program Files\AVG\AVG2015\avgwdsvc.exe [335656 2015-10-30] (AVG Technologies CZ, s.r.o.)
R2 DQLWinService; C:\Program Files\Common Files\Intel\IntelDH\NMS\AdpPlugins\DQLWinService.exe [208896 2006-09-03] () [File not signed]
R2 HP Health Check Service; c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe [61440 2007-05-24] (Hewlett-Packard) [File not signed]
S3 IDriverT; c:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe [73728 2004-10-22] (Macrovision Corporation) [File not signed]
S2 IntelDHSvcConf; C:\Program Files\Intel\IntelDH\Intel Media Server\Tools\IntelDHSvcConf.exe [29696 2006-05-10] (Intel® Corporation) [File not signed]
S3 ISSM; C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\bin\ISSM.exe [75264 2006-09-11] (Intel® Corporation) [File not signed]
S3 M1 Server; C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\bin\mediaserver.exe [26624 2006-08-31] () [File not signed]
S2 MBAMService; C:\Program Files\Malwarebytes Anti-Malware\mbamservice.exe [1135416 2015-10-05] (Malwarebytes)
S3 MCLServiceATL; C:\Program Files\Intel\IntelDH\Intel Media Server\Shells\MCLServiceATL.exe [167936 2006-09-11] (Intel® Corporation) [File not signed]
S3 npggsvc; C:\Windows\system32\GameMon.des [4005936 2011-06-06] (INCA Internet Co., Ltd.) [File not signed]
S3 Origin Client Service; C:\Program Files\Origin\OriginClientService.exe [1931632 2015-05-11] (Electronic Arts)
S3 PAExec; C:\Windows\PAExec.exe [207872 2015-08-30] (Power Admin LLC) [File not signed]
R2 PnkBstrA; C:\Windows\system32\PnkBstrA.exe [76888 2014-02-24] ()
S3 Remote UI Service; C:\Program Files\Intel\IntelDH\Intel Media Server\Shells\Remote UI Service.exe [544256 2006-09-11] (Intel® Corporation) [File not signed]
S2 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [272952 2008-01-18] (Microsoft Corporation)

===================== Drivers (Whitelisted) ==========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R1 Avgdiskx; C:\Windows\System32\DRIVERS\avgdiskx.sys [132576 2015-03-11] (AVG Technologies CZ, s.r.o.)
R1 AVGIDSDriver; C:\Windows\System32\DRIVERS\avgidsdriverx.sys [252336 2015-10-19] (AVG Technologies CZ, s.r.o.)
R0 AVGIDSHX; C:\Windows\System32\DRIVERS\avgidshx.sys [222640 2015-08-19] (AVG Technologies CZ, s.r.o.)
R1 AVGIDSShim; C:\Windows\System32\DRIVERS\avgidsshimx.sys [31664 2015-07-23] (AVG Technologies CZ, s.r.o.)
R1 Avgldx86; C:\Windows\System32\DRIVERS\avgldx86.sys [207328 2015-06-16] (AVG Technologies CZ, s.r.o.)
R0 Avglogx; C:\Windows\System32\DRIVERS\avglogx.sys [290272 2015-05-07] (AVG Technologies CZ, s.r.o.)
R0 Avgmfx86; C:\Windows\System32\DRIVERS\avgmfx86.sys [189872 2015-08-04] (AVG Technologies CZ, s.r.o.)
R0 Avgrkx86; C:\Windows\System32\DRIVERS\avgrkx86.sys [35808 2015-03-20] (AVG Technologies CZ, s.r.o.)
R1 Avgtdix; C:\Windows\System32\DRIVERS\avgtdix.sys [230832 2015-08-04] (AVG Technologies CZ, s.r.o.)
R3 MBAMProtector; C:\Windows\system32\drivers\mbam.sys [23256 2015-10-05] (Malwarebytes)
S3 MBAMWebAccessControl; C:\Windows\system32\drivers\mwac.sys [51928 2015-10-05] (Malwarebytes Corporation)
S3 USBAAPL; C:\Windows\System32\Drivers\usbaapl.sys [43520 2012-02-15] (Apple, Inc.) [File not signed]
S4 blbdrive; \SystemRoot\system32\drivers\blbdrive.sys [X]
S3 EagleXNt; \??\C:\Windows\system32\drivers\EagleXNt.sys [X]
S3 IpInIp; system32\DRIVERS\ipinip.sys [X]
S3 NwlnkFlt; system32\DRIVERS\nwlnkflt.sys [X]
S3 NwlnkFwd; system32\DRIVERS\nwlnkfwd.sys [X]

==================== NetSvcs (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)


==================== One Month Created files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2015-12-14 13:07 - 2015-12-14 13:08 - 00018379 _____ C:\Users\Skratch\Desktop\FRST.txt
2015-12-14 13:06 - 2015-12-14 13:07 - 00000000 ____D C:\FRST
2015-12-14 13:04 - 2015-12-14 13:04 - 01720832 _____ (Farbar) C:\Users\Skratch\Desktop\FRST.exe
2015-12-10 03:15 - 2015-11-06 09:05 - 00627712 _____ (Microsoft Corporation) C:\Windows\system32\user32.dll
2015-12-10 03:15 - 2015-11-06 08:32 - 01029120 _____ (Microsoft Corporation) C:\Windows\system32\d3d10.dll
2015-12-10 03:15 - 2015-11-06 08:32 - 00219648 _____ (Microsoft Corporation) C:\Windows\system32\d3d10_1core.dll
2015-12-10 03:15 - 2015-11-06 08:32 - 00189952 _____ (Microsoft Corporation) C:\Windows\system32\d3d10core.dll
2015-12-10 03:15 - 2015-11-06 08:32 - 00160768 _____ (Microsoft Corporation) C:\Windows\system32\d3d10_1.dll
2015-12-10 03:15 - 2015-11-06 07:27 - 01172480 _____ (Microsoft Corporation) C:\Windows\system32\d3d10warp.dll
2015-12-10 03:15 - 2015-11-06 07:26 - 00486400 _____ (Microsoft Corporation) C:\Windows\system32\d3d10level9.dll
2015-12-10 03:15 - 2015-11-06 07:24 - 02068480 _____ (Microsoft Corporation) C:\Windows\system32\win32k.sys
2015-12-10 03:15 - 2015-11-06 07:20 - 01073152 _____ (Microsoft Corporation) C:\Windows\system32\DWrite.dll
2015-12-10 03:15 - 2015-11-06 07:20 - 00682496 _____ (Microsoft Corporation) C:\Windows\system32\d2d1.dll
2015-12-10 03:15 - 2015-11-06 07:19 - 00802304 _____ (Microsoft Corporation) C:\Windows\system32\FntCache.dll
2015-12-10 03:14 - 2015-11-02 09:04 - 00179200 _____ (Microsoft Corporation) C:\Windows\system32\els.dll
2015-12-10 03:12 - 2015-11-10 09:03 - 01208832 _____ (Microsoft Corporation) C:\Windows\system32\comsvcs.dll
2015-12-10 03:12 - 2015-11-10 09:03 - 00488448 _____ (Microsoft Corporation) C:\Windows\system32\catsrvut.dll
2015-12-10 03:12 - 2015-11-04 23:34 - 00113664 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\rmcast.sys
2015-12-10 03:12 - 2015-11-04 23:26 - 00002048 _____ (Microsoft Corporation) C:\Windows\system32\tzres.dll
2015-12-09 05:34 - 2015-11-12 12:39 - 01814528 _____ (Microsoft Corporation) C:\Windows\system32\jscript9.dll
2015-12-09 05:34 - 2015-11-12 12:37 - 12389376 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.dll
2015-12-09 05:34 - 2015-11-12 12:36 - 00367616 _____ (Microsoft Corporation) C:\Windows\system32\html.iec
2015-12-09 05:34 - 2015-11-12 12:34 - 09753088 _____ (Microsoft Corporation) C:\Windows\system32\ieframe.dll
2015-12-09 05:34 - 2015-11-12 12:34 - 01140224 _____ (Microsoft Corporation) C:\Windows\system32\urlmon.dll
2015-12-09 05:34 - 2015-11-12 12:33 - 01129472 _____ (Microsoft Corporation) C:\Windows\system32\wininet.dll
2015-12-09 05:34 - 2015-11-12 12:32 - 01804288 _____ (Microsoft Corporation) C:\Windows\system32\iertutil.dll
2015-12-09 05:34 - 2015-11-12 12:32 - 01427968 _____ (Microsoft Corporation) C:\Windows\system32\inetcpl.cpl
2015-12-09 05:34 - 2015-11-12 12:32 - 00718848 _____ (Microsoft Corporation) C:\Windows\system32\jscript.dll
2015-12-09 05:34 - 2015-11-12 12:32 - 00607744 _____ (Microsoft Corporation) C:\Windows\system32\msfeeds.dll
2015-12-09 05:34 - 2015-11-12 12:32 - 00424448 _____ (Microsoft Corporation) C:\Windows\system32\vbscript.dll
2015-12-09 05:34 - 2015-11-12 12:32 - 00231936 _____ (Microsoft Corporation) C:\Windows\system32\url.dll
2015-12-09 05:34 - 2015-11-12 12:32 - 00142848 _____ (Microsoft Corporation) C:\Windows\system32\ieUnatt.exe
2015-12-09 05:34 - 2015-11-12 12:32 - 00065536 _____ (Microsoft Corporation) C:\Windows\system32\jsproxy.dll
2015-12-09 05:34 - 2015-11-12 12:32 - 00041472 _____ (Microsoft Corporation) C:\Windows\system32\msfeedsbs.dll
2015-12-09 05:34 - 2015-11-12 12:32 - 00011776 _____ (Microsoft Corporation) C:\Windows\system32\mshta.exe
2015-12-09 05:34 - 2015-11-12 12:31 - 02382848 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.tlb
2015-12-09 05:34 - 2015-11-12 12:31 - 00353792 _____ (Microsoft Corporation) C:\Windows\system32\dxtmsft.dll
2015-12-09 05:34 - 2015-11-12 12:31 - 00223232 _____ (Microsoft Corporation) C:\Windows\system32\dxtrans.dll
2015-12-09 05:34 - 2015-11-12 12:31 - 00176640 _____ (Microsoft Corporation) C:\Windows\system32\ieui.dll
2015-12-09 05:34 - 2015-11-12 12:31 - 00073216 _____ (Microsoft Corporation) C:\Windows\system32\mshtmled.dll
2015-12-09 05:34 - 2015-11-12 12:31 - 00010752 _____ (Microsoft Corporation) C:\Windows\system32\msfeedssync.exe
2015-12-07 13:40 - 2015-12-07 14:35 - 1448421014 _____ C:\Users\Skratch\Desktop\a8.mp4
2015-11-22 10:40 - 2015-11-22 10:40 - 00000000 __SHD C:\found.001
2015-11-16 23:13 - 2015-12-13 00:57 - 00000000 ____D C:\Users\Skratch\AppData\Roaming\Kodi
2015-11-16 23:12 - 2015-11-16 23:12 - 00000000 ____D C:\Users\Skratch\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Kodi
2015-11-16 23:11 - 2015-11-16 23:12 - 00000000 ____D C:\Program Files\Kodi

==================== One Month Modified files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2015-12-14 13:06 - 2006-11-02 03:18 - 00000000 ____D C:\WINDOWS
2015-12-14 13:05 - 2006-11-02 03:18 - 00000000 ____D C:\Windows\inf
2015-12-14 13:05 - 2006-11-02 02:33 - 00759542 _____ C:\Windows\system32\PerfStringBackup.INI
2015-12-14 13:01 - 2014-05-24 02:36 - 00000882 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2015-12-14 13:01 - 2007-11-28 00:19 - 00000000 ____D C:\Windows\SMINST
2015-12-14 13:00 - 2006-11-02 05:01 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2015-12-14 13:00 - 2006-11-02 04:47 - 00003568 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
2015-12-14 13:00 - 2006-11-02 04:47 - 00003568 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
2015-12-14 12:59 - 2006-11-02 05:01 - 00032550 _____ C:\Windows\Tasks\SCHEDLGU.TXT
2015-12-14 12:57 - 2011-04-04 03:26 - 00000000 ____D C:\ProgramData\MFAData
2015-12-14 12:49 - 2011-06-21 00:57 - 00000000 ____D C:\Users\Skratch\AppData\Roaming\Skype
2015-12-14 12:45 - 2015-08-30 12:11 - 00000830 _____ C:\Windows\Tasks\Adobe Flash Player Updater.job
2015-12-14 12:37 - 2014-05-24 02:36 - 00000886 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2015-12-14 12:29 - 2011-04-04 08:49 - 00000000 ____D C:\Program Files\Steam
2015-12-13 23:56 - 2014-07-16 14:27 - 00170200 _____ (Malwarebytes) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
2015-12-13 22:53 - 2011-04-04 08:49 - 00000000 ____D C:\Program Files\Common Files\Steam
2015-12-13 02:01 - 2011-07-06 23:15 - 00000000 ____D C:\Users\Skratch\AppData\Roaming\vlc
2015-12-13 01:30 - 2014-03-29 05:10 - 00000000 ____D C:\Users\Skratch\Desktop\new new
2015-12-13 01:14 - 2013-08-26 20:38 - 00000821 _____ C:\Users\Public\Desktop\VLC media player.lnk
2015-12-12 21:15 - 2014-07-21 04:38 - 00000000 ____D C:\Users\Skratch\AppData\Roaming\uTorrent
2015-12-10 07:53 - 2006-11-02 03:18 - 00000000 ____D C:\Windows\rescache
2015-12-10 07:37 - 2006-11-02 04:47 - 00377176 _____ C:\Windows\system32\FNTCACHE.DAT
2015-12-10 07:36 - 2012-03-19 02:24 - 00000000 ____D C:\Program Files\Microsoft Silverlight
2015-12-10 07:34 - 2006-11-02 04:37 - 00000000 ____D C:\Windows\system32\XPSViewer
2015-12-10 03:16 - 2012-03-19 02:24 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Silverlight
2015-12-10 03:12 - 2013-08-14 22:27 - 00000000 ____D C:\Windows\system32\MRT
2015-12-10 03:00 - 2006-11-02 02:24 - 137798368 _____ (Microsoft Corporation) C:\Windows\system32\mrt.exe
2015-12-09 03:45 - 2015-08-30 12:11 - 00796864 _____ (Adobe Systems Incorporated) C:\Windows\system32\FlashPlayerApp.exe
2015-12-09 03:45 - 2015-08-30 12:11 - 00142528 _____ (Adobe Systems Incorporated) C:\Windows\system32\FlashPlayerCPLApp.cpl
2015-12-07 15:03 - 2014-03-29 05:13 - 00000000 ____D C:\Users\Skratch\Desktop\MOV
2015-11-21 23:51 - 2011-06-21 00:57 - 00000000 ____D C:\ProgramData\Skype
2015-11-21 20:18 - 2015-04-14 00:41 - 00002116 ____H C:\Users\Skratch\.swfinfo
2015-11-18 04:26 - 2015-09-30 02:01 - 00000769 _____ C:\Users\Public\Desktop\AVG.lnk
2015-11-18 04:26 - 2015-08-30 06:19 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\AVG Zen

==================== Files in the root of some directories =======

2011-04-06 08:37 - 2014-02-24 09:42 - 0138904 _____ () C:\Users\Skratch\AppData\Roaming\PnkBstrK.sys
2011-04-04 03:19 - 2011-04-04 03:19 - 0000000 _____ () C:\Users\Skratch\AppData\Roaming\wklnhst.dat
2011-04-04 02:49 - 2015-08-30 06:11 - 0001356 _____ () C:\Users\Skratch\AppData\Local\d3d9caps.dat
2011-06-21 01:01 - 2011-06-21 01:01 - 0000056 ____H () C:\ProgramData\ezsidmv.dat
2011-06-14 16:40 - 2011-04-15 16:40 - 0000032 ____R () C:\ProgramData\hash.dat

Files to move or delete:
====================
C:\ProgramData\hash.dat


Some files in TEMP:
====================
C:\Users\Skratch\AppData\Local\Temp\AskSLib.dll
C:\Users\Skratch\AppData\Local\Temp\avguirn_081175283033.exe
C:\Users\Skratch\AppData\Local\Temp\avguirn_082005449804.exe
C:\Users\Skratch\AppData\Local\Temp\avguirn_08344664272.exe
C:\Users\Skratch\AppData\Local\Temp\avguirn_08582131434.exe
C:\Users\Skratch\AppData\Local\Temp\drm_dyndata_7410004.dll
C:\Users\Skratch\AppData\Local\Temp\DseShExt-x86.dll
C:\Users\Skratch\AppData\Local\Temp\Gw2.exe
C:\Users\Skratch\AppData\Local\Temp\ICReinstall_PMB_updater.exe
C:\Users\Skratch\AppData\Local\Temp\installerdll303980241.dll
C:\Users\Skratch\AppData\Local\Temp\installerdll303981972.dll
C:\Users\Skratch\AppData\Local\Temp\installerdll303988805.dll
C:\Users\Skratch\AppData\Local\Temp\installerdll353268444.dll
C:\Users\Skratch\AppData\Local\Temp\installerdll353270238.dll
C:\Users\Skratch\AppData\Local\Temp\installerdll353277711.dll
C:\Users\Skratch\AppData\Local\Temp\installerdll446785568.dll
C:\Users\Skratch\AppData\Local\Temp\installerdll446798001.dll
C:\Users\Skratch\AppData\Local\Temp\installerdll74489619.dll
C:\Users\Skratch\AppData\Local\Temp\installerdll74491959.dll
C:\Users\Skratch\AppData\Local\Temp\installerdll74498605.dll
C:\Users\Skratch\AppData\Local\Temp\installerdll75788873.dll
C:\Users\Skratch\AppData\Local\Temp\installerdll75790574.dll
C:\Users\Skratch\AppData\Local\Temp\installerdll75796814.dll
C:\Users\Skratch\AppData\Local\Temp\installerdll913413107.dll
C:\Users\Skratch\AppData\Local\Temp\installerdll913414807.dll
C:\Users\Skratch\AppData\Local\Temp\installerdll913422654.dll
C:\Users\Skratch\AppData\Local\Temp\install_reader10_en_mssd_aih.exe
C:\Users\Skratch\AppData\Local\Temp\jre-7u13-windows-i586-iftw.exe
C:\Users\Skratch\AppData\Local\Temp\jre-8u31-windows-au.exe
C:\Users\Skratch\AppData\Local\Temp\lowproc.exe
C:\Users\Skratch\AppData\Local\Temp\NGM.exe
C:\Users\Skratch\AppData\Local\Temp\NGMDll.dll
C:\Users\Skratch\AppData\Local\Temp\NGMResource.dll
C:\Users\Skratch\AppData\Local\Temp\nvSCPAPI.dll
C:\Users\Skratch\AppData\Local\Temp\nvSCPAPISvr.exe
C:\Users\Skratch\AppData\Local\Temp\nvStereoApiI.dll
C:\Users\Skratch\AppData\Local\Temp\nvStInst.exe
C:\Users\Skratch\AppData\Local\Temp\oi_{D30B4573-3B38-4B7A-97D4-44CA66D270C7}.exe
C:\Users\Skratch\AppData\Local\Temp\OriginLauncher303980241.exe
C:\Users\Skratch\AppData\Local\Temp\OriginLauncher353268444.exe
C:\Users\Skratch\AppData\Local\Temp\OriginLauncher74489619.exe
C:\Users\Skratch\AppData\Local\Temp\OriginLauncher75788873.exe
C:\Users\Skratch\AppData\Local\Temp\OriginLauncher913413107.exe
C:\Users\Skratch\AppData\Local\Temp\Quarantine.exe
C:\Users\Skratch\AppData\Local\Temp\SDShelEx-win32.dll
C:\Users\Skratch\AppData\Local\Temp\Setup.exe
C:\Users\Skratch\AppData\Local\Temp\SkypeSetup.exe
C:\Users\Skratch\AppData\Local\Temp\sonarinst.exe
C:\Users\Skratch\AppData\Local\Temp\SpotifyUpgrader.exe
C:\Users\Skratch\AppData\Local\Temp\sqlite3.dll
C:\Users\Skratch\AppData\Local\Temp\stubhelper.dll
C:\Users\Skratch\AppData\Local\Temp\swt-win32-3349.dll
C:\Users\Skratch\AppData\Local\Temp\SymLCSVC.EXE
C:\Users\Skratch\AppData\Local\Temp\vlc-2.0.4-win32.exe
C:\Users\Skratch\AppData\Local\Temp\vlc-2.1.2-win32.exe
C:\Users\Skratch\AppData\Local\Temp\vlc-2.1.5-win32.exe
C:\Users\Skratch\AppData\Local\Temp\vlc-2.2.1-win32.exe
C:\Users\Skratch\AppData\Local\Temp\wget.exe
C:\Users\Skratch\AppData\Local\Temp\_isF611.exe


==================== Bamital & volsnap =================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\explorer.exe => File is digitally signed
C:\Windows\system32\winlogon.exe => File is digitally signed
C:\Windows\system32\wininit.exe => File is digitally signed
C:\Windows\system32\svchost.exe => File is digitally signed
C:\Windows\system32\services.exe => File is digitally signed
C:\Windows\system32\User32.dll => File is digitally signed
C:\Windows\system32\userinit.exe => File is digitally signed
C:\Windows\system32\rpcss.dll => File is digitally signed
C:\Windows\system32\dnsapi.dll => File is digitally signed
C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed


LastRegBack: 2015-12-14 13:06

==================== End of FRST.txt ============================

Edited by wolfy1, 14 December 2015 - 05:09 PM.


#2 nasdaq

nasdaq

  • Malware Response Team
  • 38,569 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:11:20 PM

Posted 15 December 2015 - 08:11 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

No malware entries were found in your logs.
This is just a cleanup of empty items.

Press the Windows key + R on your keyboard at the same time. This will open the Run box.
Type Notepad and click the OK button.
Please copy the entire contents of the code box below to the new file.
 
start

CreateRestorePoint:
EmptyTemp:
CloseProcesses:

HKLM\...\Run: [] => [X]
ShellIconOverlayIdentifiers: [00avast] -> {472083B0-C522-11CF-8763-00608CC02F24} =>  No File
FF Plugin: @esn.me/esnsonar,version=0.70.0 -> C:\Program Files\Battlelog Web Plugins\Sonar\0.70.0\npesnsonar.dll [No File]
FF Plugin: @esn.me/esnsonar,version=0.70.3 -> C:\Program Files\Battlelog Web Plugins\Sonar\0.70.3\npesnsonar.dll [No File]
FF Plugin: @esn/esnlaunch,version=0.80.0 -> C:\Program Files\Battlelog Web Plugins\0.80.0\npesnlaunch.dll [No File]
FF Plugin: @esn/esnlaunch,version=1.104.0 -> C:\Program Files\Battlelog Web Plugins\1.104.0\npesnlaunch.dll [No File]
FF Plugin: @esn/esnlaunch,version=1.96.0 -> C:\Program Files\Battlelog Web Plugins\1.96.0\npesnlaunch.dll [No File]
FF Plugin: @nexon.net/NxGame -> C:\ProgramData\NexonUS\NGM\npNxGameUS.dll [No File]
FF Plugin: @pandonetworks.com/PandoWebPlugin -> C:\Program Files\Pando Networks\Media Booster\npPandoWebPlugin.dll [No File]
FF user.js: detected! => C:\Users\Skratch\AppData\Roaming\Mozilla\Firefox\Profiles\8ju8ochl.default-1440857654449\user.js [2015-08-30]
CHR Plugin: (Widevine Content Decryption Module) - C:\Users\Skratch\AppData\Local\Google\Chrome\User Data\WidevineCDM\1.4.6.703\_platform_specific\win_x86\widevinecdmadapter.dll => No File
CHR Plugin: (Chrome PDF Viewer) - C:\Program Files\Google\Chrome\Application\47.0.2526.80\pdf.dll => No File
CHR Plugin: (Adobe Acrobat) - C:\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll => No File
CHR Plugin: (Google Update) - C:\Program Files\Google\Update\1.3.26.9\npGoogleUpdate3.dll => No File
CHR Plugin: (Java Deployment Toolkit 8.0.250.18) - C:\Program Files\Java\jre1.8.0_25\bin\dtplugin\npDeployJava1.dll => No File
CHR Plugin: (Java Platform SE 8 U25) - C:\Program Files\Java\jre1.8.0_25\bin\plugin2\npjp2.dll => No File
CHR Plugin: (Shockwave for Director) - C:\Windows\system32\Adobe\Director\np32dsw_1213153.dll => No File
CHR Plugin: (Shockwave Flash) - C:\Windows\system32\Macromed\Flash\NPSWF32_16_0_0_305.dll => No File
CHR Plugin: (Silverlight Plug-In) - c:\Program Files\Microsoft Silverlight\5.1.31211.0\npctrl.dll => No File
S4 blbdrive; \SystemRoot\system32\drivers\blbdrive.sys [X]
S3 EagleXNt; \??\C:\Windows\system32\drivers\EagleXNt.sys [X]
S3 IpInIp; system32\DRIVERS\ipinip.sys [X]
S3 NwlnkFlt; system32\DRIVERS\nwlnkflt.sys [X]
S3 NwlnkFwd; system32\DRIVERS\nwlnkfwd.sys [X]
AlternateDataStreams: C:\Users\Skratch\Desktop\Survivalists.avi:TOC.WMV

End
Save the file as fixlist.txt in the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the Farbar log you have submitted.

Run FRST and click Fix only once and wait.

Restart the computer normally to reset the registry.

The tool will create a log (Fixlog.txt) please post it to your reply.
===

Lets check further.

You will need to temporarily disable your AV program so it does not interfere.
Info on how to disable your security applications How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs - Security Mini-Guides.

Download the Zoek tool from here

When the download appears, save to the Desktop.
On the Desktop, right-click the Zoek.exe file and select: Run as Administrator
(Give it a few seconds to appear.)

Click the Options button; the following options are available to you.
Select only the check boxes for the options in bold.
 

Running Processes
Installed Programs
Startup Information
FireFox look
Chrome Look
Auto Clean


Do a Quick Scan
HijackThis log
Uninstall list
Shortcut Fix
Do a Deep Scan
Installer List
IE Default
Silent Runner
System Restore Info
Symlink Check
Reset Chrome
System Specs
Recently created
Empty Temp
Auto Clean



Now...
Close any open Browsers.
Click the Run script button and wait. It takes a few minutes to run the whole script.

When the tool finishes, the zoek-results.log is opened in Notepad.
The log is also found on the systemdrive, normally C:\
If a reboot is needed, the log is opened after the reboot.
Do
Please attach the zoek-results.log in your reply. It's probably too long to post.

How to:
In the Reply section at the bottom of the topic, click the "More Reply Options" button.

Attach the file.
Select the "Choose a File" navigate to the location of the File.
Click the file you wish to Attach.

Click the Add reply button.

Make sure you Enable your AV Program.

Is the issue persisting?

#3 wolfy1

wolfy1
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:07:20 PM

Posted 15 December 2015 - 08:24 PM

I ran the first part, but for the second part, when I disabled AVG and ran Zoek, it gave me an error: Can't find script engine VBScript for script. So I just included the Fixlog.txt. I also ran an AVG scan and it's still picking up 2 backdoor.generic trojans.

 

Fix result of Farbar Recovery Scan Tool (x86) Version:14-12-2015
Ran by Skratch (2015-12-15 15:38:31) Run:1
Running from C:\Users\Skratch\Desktop
Loaded Profiles: Skratch (Available Profiles: IUSR_NMPR & Skratch)
Boot Mode: Normal

==============================================

fixlist content:
*****************
start

CreateRestorePoint:
EmptyTemp:
CloseProcesses:

HKLM\...\Run: [] => [X]
ShellIconOverlayIdentifiers: [00avast] -> {472083B0-C522-11CF-8763-00608CC02F24} =>  No File
FF Plugin: @esn.me/esnsonar,version=0.70.0 -> C:\Program Files\Battlelog Web Plugins\Sonar\0.70.0\npesnsonar.dll [No File]
FF Plugin: @esn.me/esnsonar,version=0.70.3 -> C:\Program Files\Battlelog Web Plugins\Sonar\0.70.3\npesnsonar.dll [No File]
FF Plugin: @esn/esnlaunch,version=0.80.0 -> C:\Program Files\Battlelog Web Plugins\0.80.0\npesnlaunch.dll [No File]
FF Plugin: @esn/esnlaunch,version=1.104.0 -> C:\Program Files\Battlelog Web Plugins\1.104.0\npesnlaunch.dll [No File]
FF Plugin: @esn/esnlaunch,version=1.96.0 -> C:\Program Files\Battlelog Web Plugins\1.96.0\npesnlaunch.dll [No File]
FF Plugin: @nexon.net/NxGame -> C:\ProgramData\NexonUS\NGM\npNxGameUS.dll [No File]
FF Plugin: @pandonetworks.com/PandoWebPlugin -> C:\Program Files\Pando Networks\Media Booster\npPandoWebPlugin.dll [No File]
FF user.js: detected! => C:\Users\Skratch\AppData\Roaming\Mozilla\Firefox\Profiles\8ju8ochl.default-1440857654449\user.js [2015-08-30]
CHR Plugin: (Widevine Content Decryption Module) - C:\Users\Skratch\AppData\Local\Google\Chrome\User Data\WidevineCDM\1.4.6.703\_platform_specific\win_x86\widevinecdmadapter.dll => No File
CHR Plugin: (Chrome PDF Viewer) - C:\Program Files\Google\Chrome\Application\47.0.2526.80\pdf.dll => No File
CHR Plugin: (Adobe Acrobat) - C:\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll => No File
CHR Plugin: (Google Update) - C:\Program Files\Google\Update\1.3.26.9\npGoogleUpdate3.dll => No File
CHR Plugin: (Java Deployment Toolkit 8.0.250.18) - C:\Program Files\Java\jre1.8.0_25\bin\dtplugin\npDeployJava1.dll => No File
CHR Plugin: (Java Platform SE 8 U25) - C:\Program Files\Java\jre1.8.0_25\bin\plugin2\npjp2.dll => No File
CHR Plugin: (Shockwave for Director) - C:\Windows\system32\Adobe\Director\np32dsw_1213153.dll => No File
CHR Plugin: (Shockwave Flash) - C:\Windows\system32\Macromed\Flash\NPSWF32_16_0_0_305.dll => No File
CHR Plugin: (Silverlight Plug-In) - c:\Program Files\Microsoft Silverlight\5.1.31211.0\npctrl.dll => No File
S4 blbdrive; \SystemRoot\system32\drivers\blbdrive.sys [X]
S3 EagleXNt; \??\C:\Windows\system32\drivers\EagleXNt.sys [X]
S3 IpInIp; system32\DRIVERS\ipinip.sys [X]
S3 NwlnkFlt; system32\DRIVERS\nwlnkflt.sys [X]
S3 NwlnkFwd; system32\DRIVERS\nwlnkfwd.sys [X]
AlternateDataStreams: C:\Users\Skratch\Desktop\Survivalists.avi:TOC.WMV

End
*****************

Error: (0) Failed to create a restore point.
Processes closed successfully.
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\\ => value removed successfully.
"HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\00avast" => key removed successfully.
HKCR\CLSID\{472083B0-C522-11CF-8763-00608CC02F24} => key not found.
"HKLM\Software\MozillaPlugins\@esn.me/esnsonar,version=0.70.0" => key removed successfully.
"HKLM\Software\MozillaPlugins\@esn.me/esnsonar,version=0.70.3" => key removed successfully.
"HKLM\Software\MozillaPlugins\@esn/esnlaunch,version=0.80.0" => key removed successfully.
"HKLM\Software\MozillaPlugins\@esn/esnlaunch,version=1.104.0" => key removed successfully.
"HKLM\Software\MozillaPlugins\@esn/esnlaunch,version=1.96.0" => key removed successfully.
"HKLM\Software\MozillaPlugins\@nexon.net/NxGame" => key removed successfully.
"HKLM\Software\MozillaPlugins\@pandonetworks.com/PandoWebPlugin" => key removed successfully.
C:\Users\Skratch\AppData\Roaming\Mozilla\Firefox\Profiles\8ju8ochl.default-1440857654449\user.js => moved successfully
C:\Users\Skratch\AppData\Local\Google\Chrome\User Data\WidevineCDM\1.4.6.703\_platform_specific\win_x86\widevinecdmadapter.dll => not found.
C:\Program Files\Google\Chrome\Application\47.0.2526.80\pdf.dll => not found.
C:\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll => not found.
C:\Program Files\Google\Update\1.3.26.9\npGoogleUpdate3.dll => not found.
C:\Program Files\Java\jre1.8.0_25\bin\dtplugin\npDeployJava1.dll => not found.
C:\Program Files\Java\jre1.8.0_25\bin\plugin2\npjp2.dll => not found.
C:\Windows\system32\Adobe\Director\np32dsw_1213153.dll => not found.
C:\Windows\system32\Macromed\Flash\NPSWF32_16_0_0_305.dll => not found.
c:\Program Files\Microsoft Silverlight\5.1.31211.0\npctrl.dll => not found.
blbdrive => service removed successfully.
EagleXNt => service removed successfully.
IpInIp => service removed successfully.
NwlnkFlt => service removed successfully.
NwlnkFwd => service removed successfully.
C:\Users\Skratch\Desktop\Survivalists.avi => ":TOC.WMV" ADS removed successfully..
 


Edited by wolfy1, 15 December 2015 - 10:21 PM.


#4 nasdaq

nasdaq

  • Malware Response Team
  • 38,569 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:11:20 PM

Posted 16 December 2015 - 09:38 AM

With AVG disabled, run the Zoek.exe tool as an Administrator.

Right click on the .exe file and select Run as ...

#5 wolfy1

wolfy1
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:07:20 PM

Posted 16 December 2015 - 03:11 PM

I disabled AVG and right-clicked on the .exe to run as administrator, and it's giving me: Can't find script engine "VBScript" for script "C:\Users\Skratch\AppData\Local\Temp\os.vbs"


Edited by wolfy1, 16 December 2015 - 03:12 PM.


#6 nasdaq

nasdaq

  • Malware Response Team
  • 38,569 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:11:20 PM

Posted 17 December 2015 - 09:48 AM

Check this for me?

Open a Command Prompt
How to:
http://windows.microsoft.com/en-ca/windows-vista/open-a-command-prompt-window

At the prompt, type PATH and hit the Enter key.

Note the information exactly and paste it in your next reply.

===


Please Download and run the ComboFix tool.

How to use ComboFix
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Follow the instructions on the page.

Post the content of the C:\ComboFix.txt file for my review.

p.s.
When all is well you can remove the tool by following the Uninstall instructions on the same page.

====

#7 wolfy1

wolfy1
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:07:20 PM

Posted 17 December 2015 - 05:37 PM

OK, I did the PATH step and the ComboFix, but AVG is still detecting these 2 trojans. I will include what it says (Trojan horse BackDoor.Generic_c.AKAB C:\WINDOWS\Help\OEM\scripts\system.jse and Trojan horse BackDoor.Generic_c.AJZF C:\WINDOWS\Help\OEM\scripts\launchHPSU.jse)

 

PATH=C:\Program Files\Common Files\Microsoft Shared\Windows Live;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\hp\bin\Python;c:\Program Files\Common Files\Roxio Shared\DLLShared\;c:\Program Files\Common Files\Roxio Shared\9.0\DLLShared\;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Program Files\NVIDIA Corporation\PhysX\Common;C:\Program Files\Skype\Phone\

 


#8 nasdaq

nasdaq

  • Malware Response Team
  • 38,569 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:11:20 PM

Posted 18 December 2015 - 10:04 AM



AVG is still detecting these 2 trojans. I will include what it says (Trojan horse BackDoor.Generic_c.AKAB C:\WINDOWS\Help\OEM\scripts\system.jse and Trojan horse BackDoor.Generic_c.AJZF C:\WINDOWS\Help\OEM\scripts\launchHPSU.jse)

These I believe are for the HP Help and Support functions
Please run or open the help support for HP and see if you have any problems.

If needed read and follow the instructions on this page.
http://h30434.www3.hp.com/t5/Notebook-Boot-and-Lockup/G71-340US-HP-Help-and-Support-Problems/td-p/987731
===


This will add C:\ to your path.


Launch Notepad, and copy/paste all the blue instructions below to it.
Save in: Desktop
File Name: fixme.bat
Save as Type: All files
Click: Save


PATH=C:\;C:\Program Files\Common Files\Microsoft Shared\Windows Live;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\hp\bin\Python;c:\Program Files\Common Files\Roxio Shared\DLLShared\;c:\Program Files\Common Files\Roxio Shared\9.0\DLLShared\;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Program Files\NVIDIA Corporation\PhysX\Common;C:\Program Files\Skype\Phone\

Back on the Desktop, double-click on the fixme.bat file you just saved.

Restart the computer normally.

Run the Zoek tool. Post the log if you can.

You can remove the fixme.bat file when done.

#9 wolfy1

wolfy1
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:07:20 PM

Posted 18 December 2015 - 02:08 PM

For the 1st step I followed the instructions on the HP help page, but when I try to install the program it's giving me: Error 2738 could not access VBScript run time for custom action. As for the 2nd part, I did all the steps and it's still giving me: Can't find script engine VBScript for script when running the Zoek tool.

On another note, the AVG scan is now only picking up the BackDoor.Generic_c.AJZF C:\WINDOWS\Help\OEM\scripts\launchHPSU.jse; the other one is gone.


Edited by wolfy1, 18 December 2015 - 04:05 PM.


#10 nasdaq

nasdaq

  • Malware Response Team
  • 38,569 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:11:20 PM

Posted 19 December 2015 - 08:13 AM

Microsoft may have a fix for this error.

Go to this page.

http://answers.microsoft.com/en-us/windows/forum/windows_7-windows_programs/error-2738-could-not-access-vbscript-run-time-for/1a4499ae-8bc1-4534-9c6f-4d399ac70d9a?auth=1

Read the instructions and download the program from this URL as suggested.
The link to the Fix it is: http://go.microsoft.com/?linkid=9804433

Let me know if the script error is solved and post the ZOEK log if you can.
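
Since the same VBScript engine error blocked both Zoek and the HP installer (error 2738), here is an added PowerShell diagnostic, not from this thread and not part of Zoek or the Microsoft Fix it, that checks how Windows Script Host resolves the VBScript engine: the ProgID-to-CLSID mapping, a per-user CLSID override that shadows the machine registration, and whether the registered vbscript.dll actually exists and runs. It assumes PowerShell 2.0 or later on the affected machine and reads the CLSID from the registry rather than hardcoding one.

```powershell
# Added diagnostic (not from the thread): why would WSH report
# "Can't find script engine VBScript" or MSI error 2738?
# Assumes PowerShell 2.0+ and an elevated session is not required for reading.

function Test-VBScriptEngine {
    # 1. Resolve the ProgID "VBScript" to its CLSID, as WSH does.
    $progId = Get-ItemProperty -Path 'Registry::HKEY_CLASSES_ROOT\VBScript\CLSID' -ErrorAction SilentlyContinue
    $clsid = if ($progId) { $progId.'(default)' } else { $null }
    if (-not $clsid) {
        return @{ Status = 'MissingProgID'; Clsid = $null; Dll = $null; UserOverride = $false }
    }

    # 2. A per-user copy of the CLSID under HKCU\Software\Classes takes precedence
    #    over HKLM and is a common reason the engine "disappears" for one account.
    $userKey = "Registry::HKEY_CURRENT_USER\Software\Classes\CLSID\$clsid"
    $userOverride = Test-Path -Path $userKey

    # 3. The machine-wide InprocServer32 must point at an existing vbscript.dll.
    $machineKey = "Registry::HKEY_LOCAL_MACHINE\Software\Classes\CLSID\$clsid\InprocServer32"
    $server = Get-ItemProperty -Path $machineKey -ErrorAction SilentlyContinue
    $dll = if ($server) { [Environment]::ExpandEnvironmentVariables($server.'(default)') } else { $null }

    $status = 'Ok'
    if ($userOverride) { $status = 'UserOverride' }
    elseif (-not $dll -or -not (Test-Path -Path $dll)) { $status = 'MissingDll' }

    return @{ Status = $status; Clsid = $clsid; Dll = $dll; UserOverride = $userOverride }
}

function Test-VBScriptRuns {
    # Functional check: ask cscript.exe to run a one-line script and look for its echo.
    $script = Join-Path $env:TEMP 'vbscript-engine-check.vbs'
    Set-Content -Path $script -Value 'WScript.Echo "engine-ok"' -Encoding ASCII
    try {
        $out = & cscript.exe //Nologo $script 2>&1
        return ($LASTEXITCODE -eq 0 -and ("$out" -match 'engine-ok'))
    } finally {
        Remove-Item -Path $script -ErrorAction SilentlyContinue
    }
}

$reg = Test-VBScriptEngine
"Registry status : $($reg.Status)"
"CLSID           : $($reg.Clsid)"
"vbscript.dll    : $($reg.Dll)"
"HKCU override   : $($reg.UserOverride)"
if (Test-VBScriptRuns) { 'VBScript engine runs correctly.' }
else { 'VBScript engine failed to run; see the registry status above.' }
```

A result of UserOverride or MissingDll explains both the Zoek error and error 2738; the Microsoft Fix it linked above performs the repair, and re-running this check afterwards confirms it took.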

#11 wolfy1

wolfy1
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:07:20 PM

Posted 19 December 2015 - 09:40 PM

I got the zoek tool to work, here is the log


#12 nasdaq

nasdaq

  • Malware Response Team
  • 38,569 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:11:20 PM

Posted 20 December 2015 - 10:50 AM

The log is clean.

Any remaining issues with this computer?

#13 wolfy1

wolfy1
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:07:20 PM

Posted 20 December 2015 - 02:35 PM

AVG is still detecting BackDoor.Generic_c.AJZF C:\WINDOWS\Help\OEM\scripts\launchHPSU.jse. I'm wondering how the other Backdoor.Generic disappeared.



#14 nasdaq

nasdaq

  • Malware Response Team
  • 38,569 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:11:20 PM

Posted 21 December 2015 - 08:19 AM

It's a false alarm.
Check it out.

https://support.avg.com/answers?id=906b00000008tmDAAQ
===


If the problem persists on your Vista computer after having received the latest file definition from AVG I would contact them and see what they have to say.

If all is well.

To learn more about how to protect yourself while on the internet, read this little guide on best security practices to keep safe.
http://www.bleepingcomputer.com/forums/t/407147/answers-to-common-security-questions-best-practices/
===

#15 wolfy1

wolfy1
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:07:20 PM

Posted 21 December 2015 - 03:26 PM

That's good to hear. Thank you, and I appreciate all the help.





