
potentially infected with MSIL5.AWAT


13 replies to this topic

#1 henriwit

henriwit

  • Members
  • 7 posts
  • OFFLINE
  • Local time:08:44 AM

Posted 03 January 2016 - 04:00 PM

I have recently potentially been infected with MSIL5 trojan horse.

 

I did a number of scans with various tools but could not find anything decisive. Therefore, I ran Farbar recovery scan tool. Attached are the scanning results.

 

How can I see if there are any infections... ?

 

Thanks in advance

 

Henri

Attached Files





#2 olgun52

olgun52

  • Malware Response Team
  • 3,784 posts
  • OFFLINE
  • Gender:Male
  • Local time:10:44 AM

Posted 03 January 2016 - 04:28 PM

Hello henriwit and Welcome to the BleepingComputer. :welcome:
My name is Yılmaz and I'll help you with the cleanup of malware from your computer.

Before we move on, please read the following points carefully.

  • Please complete all steps in the specified order.
  • Even if tools don't find malware, I want you to post the logfiles anyway.
  • Please copy and paste the logfiles directly into your posts. Please do not attach them unless you are instructed to do so.
  • Read the instructions carefully. If you have problems, stop what you were doing and describe the problems you encountered as precisely as you can.
  • Don't install or uninstall software during the cleanup unless you are told to do so.
  • If you can't answer for the next few days, please let me know. If you haven't answered within 5 days, I am assuming that you don't need help anymore and your topic will be closed.
  • I can not guarantee that we will find and be able to remove all malware. The cleaning process is not instant. Please continue to review my answers until I tell you that your computer is clean.
  • Please reply to this thread. Do not start a new topic.
  • As my first language is not English, please do not use slang or idioms. It could be hard for me to understand.
  • Please open the computer as administrator. How do I open the computer as administrator?
  • Disable your AntiVirus and AntiSpyware applications, as they will interfere with our tools and the removal. If you are unsure how to do this, please refer to get help here

Thanks
  
I am currently reviewing your log. I will be back with a fix for your problem as soon as possible. Please be patient with me during this time.

 

Sincerely
:hello:

 


Best regards
 
If you wish to show appreciation and support me personally fighting against malware, then you can consider a donation. Thank you. :thumbup2:
Malware fix forum
If I don't reply within 24 hours please PM me!

 


 


#3 olgun52

olgun52

  • Malware Response Team
  • 3,784 posts
  • OFFLINE
  • Gender:Male
  • Local time:10:44 AM

Posted 03 January 2016 - 06:10 PM

Hi henriwit,
 
Please uninstall: TuneUp Software
==============================================

Please send this report.
 C:\TDSSKiller.3.1.0.9_03.01.2016_20.12.40_log.txt
 
===========================================================================
 
Going over your logs I noticed that you have qBittorrent installed.

  • Avoid gaming sites, pirated software, cracking tools, keygens, and peer-to-peer (P2P) file sharing programs.
  • They are a security risk which can make your computer susceptible to a wide variety of malware infections, remote attacks, exposure of personal information, and identity theft. Many malicious worms and Trojans spread across P2P file sharing networks, gaming and underground sites.
  • Users visiting such pages may see innocuous-looking banner ads containing code which can trigger pop-up ads and malicious Flash ads that install viruses, Trojans and spyware. Ads are a target for hackers because they offer a stealthy way to distribute malware to a wide range of Internet users.
  • The best way to reduce the risk of infection is to avoid these types of web sites and not use any P2P applications.

It is pretty much certain that if you continue to use P2P programs, you will get infected again.
I would recommend that you uninstall qBittorrent, however that choice is up to you. If you choose to remove these programs, you can do so via Start > Control Panel > Add/Remove Programs.

If you wish to keep it, please do not use it until your computer is cleaned.
===========================================================================================
Step 1:
FRST Script:

  • Please make sure your browsers are closed before continuing.
  • Be sure to temporarily disable all antivirus/anti-spyware software

Please download the attached Fixlist.txt and save it in the same directory as FRST.

  • Start FRST with Administrator privileges.
  • Press the Fix button.
  • When finished, a log file (Fixlog.txt) pops up and is saved to the same location the tool was run from.
    Please copy and paste its contents in your next reply.

NOTE: It's important that both files, FRST and fixlist.txt, are in the same location or the fix will not work.
 
Step 2:
Please download AdwCleaner by Xplode onto your desktop.

  • Double click on AdwCleaner.exe to run the tool.
  • Click on Search, then Clean.
  • A logfile will automatically open after the scan has finished.
  • Please post the contents of that logfile with your next reply.
  • You can find the logfile at C:\AdwCleaner[S1].txt as well.

Step 3:

Please download PoweliksCleaner by ESET and save it to your desktop.

  • Double-click ESETPoweliksCleaner.exe and follow the prompts to run it.
  • Agree to the terms of the license agreement.
  • The tool will run automatically.
  • If the cleaner finds a Poweliks infection, press the Y key on your keyboard to remove it.
  • If Poweliks was detected, "Win32/Poweliks was successfully removed from your system" will be displayed.
  • Press any key to exit the tool and reboot your PC.
  • If an infection was found and disinfected, please attach the ESETPoweliksCleaner.exe_date.time.log it produces to your next reply.

 


Best regards
 

 


 


#4 henriwit

henriwit
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  • Local time:08:44 AM

Posted 04 January 2016 - 08:21 AM

Hello Olgun52,

 

Thanks a lot for your support. I have uninstalled qBittorrent. The TuneUp application you refer to is a paid extension to the AVG free virus scanner that I did not install. So, the folders are empty, but apparently the folders are created during installation of the AVG free virus scanner.

 

Firstly, attached is the report log TDSSKiller.3.1.0.9_03.01.2016_20.12.40_log.txt as you requested.

Then I followed the three steps and attached are the logs from the various tools used (in the sequence as you suggested).

 

In step 2 AdwCleaner has found 1 service, sssvc, which was installed in a SmartSense folder. Not sure if this was malware, but it was successfully removed.

 

Based on the logs, it seems to me that not much was found. What do you think? Would it mean that, based on the outcome of these three scanners, my system is most likely clean?

 

Regards,

Henri

 

 

After running step 1 this is fixlog.txt:

Fix resultaat van Farbar Recovery Scan Tool (x64) Versie:31-12-2015
Gestart door admin (2016-01-04 12:42:30) Run:1
Gestart vanaf D:\Documents\Desktop
Geladen Profielen: admin & witteveen (Beschikbare Profielen: admin & witteveen & Administrator)
Boot Modus: Normal
==============================================

fixlist inhoud:
*****************
CreateRestorePoint:
CloseProcesses:
Winlogon\Notify\igfxcui: igfxdev.dll 
GroupPolicyScripts: Restrictie <======= AANDACHT
C:\Users\witteveen\AppData\Local\WvpATrWEHGsndVIpqBfJ5aYYQJHKelXK5IA
BHO: Geen Naam -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> Geen bestand
C:\Users\admin\AppData\Roaming\TuneUp Software
2016-01-03 18:18 - 2016-01-03 18:18 - 00000000 ____D C:\Users\witteveen\AppData\Roaming\AVG
2016-01-03 18:18 - 2016-01-03 18:18 - 00000000 ____D C:\Users\admin\AppData\Roaming\AVG
C:\ProgramData\MFAData
C:\Users\witteveen\AppData\Roaming\SIMSCI
C:\Users\admin\AppData\Roaming\SIMSCI
C:\Users\witteveen\AppData\Roaming\UltraVNC
C:\Users\witteveen\AppData\Roaming\qBittorrent
2015-12-18 12:44 - 2015-10-20 13:00 - 00000000 ____D C:\Users\witteveen\AppData\Local\Packages
2015-12-14 16:05 - 2015-11-27 11:02 - 00000000 ____D C:\Users\witteveen\AppData\Roaming\webex
2015-12-02 13:45 - 2015-12-02 13:45 - 0000000 ____H () C:\ProgramData\DP45977C.lfl
2015-10-29 13:44 - 2015-10-29 13:56 - 0000090 _____ () C:\ProgramData\hxnet.ini
C:\Users\admin\AppData\Local\Temp\dllnt_dump.dll
C:\Users\admin\AppData\Local\Temp\xmlUpdater.exe
C:\Users\witteveen\AppData\Local\Temp\npp.6.8.8.Installer.exe
EmptyTemp:

 
*****************

Herstelpunt is succesfol gemaakt.
Proces succesvol afgesloten.
"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui" => sleutel is succesvol verwijderd.
C:\WINDOWS\system32\GroupPolicy\Machine => is succesvol verplaatst.
C:\WINDOWS\system32\GroupPolicy\GPT.ini => is succesvol verplaatst.
C:\Users\witteveen\AppData\Local\WvpATrWEHGsndVIpqBfJ5aYYQJHKelXK5IA => is succesvol verplaatst.
"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{B4F3A835-0E21-4959-BA22-42B3008E02FF}" => sleutel is succesvol verwijderd.
"HKCR\CLSID\{B4F3A835-0E21-4959-BA22-42B3008E02FF}" => sleutel is succesvol verwijderd.
C:\Users\admin\AppData\Roaming\TuneUp Software => is succesvol verplaatst.
C:\Users\witteveen\AppData\Roaming\AVG => is succesvol verplaatst.
C:\Users\admin\AppData\Roaming\AVG => is succesvol verplaatst.
C:\ProgramData\MFAData => is succesvol verplaatst.
C:\Users\witteveen\AppData\Roaming\SIMSCI => is succesvol verplaatst.
C:\Users\admin\AppData\Roaming\SIMSCI => is succesvol verplaatst.
C:\Users\witteveen\AppData\Roaming\UltraVNC => is succesvol verplaatst.
C:\Users\witteveen\AppData\Roaming\qBittorrent => is succesvol verplaatst.

"C:\Users\witteveen\AppData\Local\Packages" map verplaatsing:

Kon niet verplaatsen "C:\Users\witteveen\AppData\Local\Packages" => Gepland te verplaatsen bij herstart.

C:\Users\witteveen\AppData\Roaming\webex => is succesvol verplaatst.
C:\ProgramData\DP45977C.lfl => is succesvol verplaatst.
C:\ProgramData\hxnet.ini => is succesvol verplaatst.
C:\Users\admin\AppData\Local\Temp\dllnt_dump.dll => is succesvol verplaatst.
C:\Users\admin\AppData\Local\Temp\xmlUpdater.exe => is succesvol verplaatst.
C:\Users\witteveen\AppData\Local\Temp\npp.6.8.8.Installer.exe => is succesvol verplaatst.
EmptyTemp: => 532.5 MB tijdelijke gegevens verwijderd.

 

After running step 2 this is the log of AdwCleaner:

# AdwCleaner v5.027 - Logbestand aangemaakt 04/01/2016 op 13:45:56
# Laatste update 30/12/2015 door Xplode
# Database : 2015-12-30.1 [Server]
# Besturingssysteem : Windows 10 Pro  (x64)
# Gebruikersnaam : admin - LTWITTEVEEN
# Gestart vanuit : D:\Documents\Desktop\adwcleaner_5.027.exe
# Optie : Verwijderen
# Ondersteuning : http://toolslib.net/forum

***** [ Services ] *****

[-] Service Verwijderd : sssvc

***** [ Mappen ] *****

[-] Map Verwijderd : C:\Program Files (x86)\SmartSense

***** [ Bestanden ] *****

***** [ DLLs ] *****

***** [ Snelkoppelingen ] *****

***** [ geplande taken ] *****

***** [ Register ] *****

[-] Sleutel Verwijderd : HKLM\SOFTWARE\Classes\I
[-] Sleutel Verwijderd : HKLM\SOFTWARE\Classes\S

***** [ Internetbrowsers ] *****

*************************

:: "Tracing" sleutels verwijderd
:: Winsock instellingen gereset

########## EOF - \AdwCleaner\AdwCleaner[C1].txt - [902 bytes] ##########

 

 

 

After running ESET this is the log:

[2016.01.04 13:58:58.652] - Begin
[2016.01.04 13:58:58.652] -
[2016.01.04 13:58:58.652] -     ....................................
[2016.01.04 13:58:58.652] -   ..::::::::::::::::::....................
[2016.01.04 13:58:58.652] -   .::EEEEEE:::SSSSSS::..EEEEEE..TTTTTTTT..    Win32/Poweliks
[2016.01.04 13:58:58.652] -  .::EE::::EE:SS:::::::.EE....EE....TT......   Version: 1.0.0.5
[2016.01.04 13:58:58.652] -  .::EEEEEEEE::SSSSSS::.EEEEEEEE....TT......   Built: Jun 30 2015
[2016.01.04 13:58:58.652] -  .::EE:::::::::::::SS:.EE..........TT......
[2016.01.04 13:58:58.652] -   .::EEEEEE:::SSSSSS::..EEEEEE.....TT.....    Copyright © ESET, spol. s r.o.
[2016.01.04 13:58:58.652] -   ..::::::::::::::::::....................    1992-2015. All rights reserved.
[2016.01.04 13:58:58.652] -     ....................................
[2016.01.04 13:58:58.652] -
[2016.01.04 13:58:58.652] - --------------------------------------------------------------------------------
[2016.01.04 13:58:58.652] -
[2016.01.04 13:58:58.652] - INFO: OS: 6.2.9200 SP0
[2016.01.04 13:58:58.652] - INFO: Product Type: Workstation
[2016.01.04 13:58:58.652] - INFO: WoW64: True
[2016.01.04 13:58:58.652] - INFO: Machine guid: A6EC272C-0646-40F4-9850-3BCD0AF2A50C
[2016.01.04 13:58:58.652] -
[2016.01.04 13:59:00.833] - INFO: Scanning for system infection...
[2016.01.04 13:59:00.833] - --------------------------------------------------------------------------------
[2016.01.04 13:59:00.833] -
[2016.01.04 13:59:00.833] - INFO: Processing [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]...
[2016.01.04 13:59:00.833] - INFO: Processing [HKLM\Software\Microsoft\Windows\CurrentVersion\Run]...
[2016.01.04 13:59:00.833] - INFO: Processing [HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce]...
[2016.01.04 13:59:00.833] - INFO: Processing [HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce]...
[2016.01.04 13:59:00.833] - INFO: Processing [HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run]...
[2016.01.04 13:59:00.833] - INFO: Processing [HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run]...
[2016.01.04 13:59:00.833] - INFO: Processing classes...
[2016.01.04 13:59:00.833] - INFO: Processing clsid [\Registry\User\S-1-5-21-1557006028-1809860708-2082995766-1002\SOFTWARE\Classes\CLSID\{1BF42E4C-4AF4-4CFD-A1A0-CF2960B8F63E}]
[2016.01.04 13:59:00.833] - INFO: Processing clsid [\Registry\User\S-1-5-21-1557006028-1809860708-2082995766-1002\SOFTWARE\Classes\CLSID\{5999E1EE-711E-48D2-9884-851A709F543D}]
[2016.01.04 13:59:00.833] - INFO: Processing clsid [\Registry\User\S-1-5-21-1557006028-1809860708-2082995766-1002\SOFTWARE\Classes\CLSID\{5AB7172C-9C11-405C-8DD5-AF20F3606282}]
[2016.01.04 13:59:00.833] - INFO: Processing clsid [\Registry\User\S-1-5-21-1557006028-1809860708-2082995766-1002\SOFTWARE\Classes\CLSID\{7AFDFDDB-F914-11E4-8377-6C3BE50D980C}]
[2016.01.04 13:59:00.833] - INFO: Processing clsid [\Registry\User\S-1-5-21-1557006028-1809860708-2082995766-1002\SOFTWARE\Classes\CLSID\{7B37E4E2-C62F-4914-9620-8FB5062718CC}]
[2016.01.04 13:59:00.833] - INFO: Processing clsid [\Registry\User\S-1-5-21-1557006028-1809860708-2082995766-1002\SOFTWARE\Classes\CLSID\{82CA8DE3-01AD-4CEA-9D75-BE4C51810A9E}]
[2016.01.04 13:59:00.833] - INFO: Processing clsid [\Registry\User\S-1-5-21-1557006028-1809860708-2082995766-1002\SOFTWARE\Classes\CLSID\{A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E}]
[2016.01.04 13:59:00.833] - INFO: Processing clsid [\Registry\User\S-1-5-21-1557006028-1809860708-2082995766-1002\SOFTWARE\Classes\CLSID\{A3CA1CF4-5F3E-4AC0-91B9-0D3716E1EAC3}]
[2016.01.04 13:59:00.833] - INFO: Processing clsid [\Registry\User\S-1-5-21-1557006028-1809860708-2082995766-1002\SOFTWARE\Classes\CLSID\{A78ED123-AB77-406B-9962-2A5D9D2F7F30}]
[2016.01.04 13:59:00.833] - INFO: Processing clsid [\Registry\User\S-1-5-21-1557006028-1809860708-2082995766-1002\SOFTWARE\Classes\CLSID\{AB807329-7324-431B-8B36-DBD581F56E0B}]
[2016.01.04 13:59:00.833] - INFO: Processing clsid [\Registry\User\S-1-5-21-1557006028-1809860708-2082995766-1002\SOFTWARE\Classes\CLSID\{BBACC218-34EA-4666-9D7A-C78F2274A524}]
[2016.01.04 13:59:00.833] - INFO: Processing clsid [\Registry\User\S-1-5-21-1557006028-1809860708-2082995766-1002\SOFTWARE\Classes\CLSID\{CB3D0F55-BC2C-4C1A-85ED-23ED75B5106B}]
[2016.01.04 13:59:00.833] - INFO: Processing clsid [\Registry\User\S-1-5-21-1557006028-1809860708-2082995766-1002\SOFTWARE\Classes\CLSID\{F241C880-6982-4CE5-8CF7-7085BA96DA5A}]
[2016.01.04 13:59:00.833] - INFO: Processing clsid [\Registry\User\S-1-5-21-1557006028-1809860708-2082995766-1002\SOFTWARE\Classes\CLSID\{F8071786-1FD0-4A66-81A1-3CBE29274458}]
[2016.01.04 13:59:00.833] - INFO: Processing clsid [\Registry\User\S-1-5-21-1557006028-1809860708-2082995766-1003\SOFTWARE\Classes\CLSID\{1BF42E4C-4AF4-4CFD-A1A0-CF2960B8F63E}]
[2016.01.04 13:59:00.833] - INFO: Processing clsid [\Registry\User\S-1-5-21-1557006028-1809860708-2082995766-1003\SOFTWARE\Classes\CLSID\{1CC6F158-C938-424B-A757-8DC337545084}]
[2016.01.04 13:59:00.833] - INFO: Processing clsid [\Registry\User\S-1-5-21-1557006028-1809860708-2082995766-1003\SOFTWARE\Classes\CLSID\{40C37B6C-D273-41E2-8122-A338BBDB2528}]
[2016.01.04 13:59:00.833] - INFO: Processing clsid [\Registry\User\S-1-5-21-1557006028-1809860708-2082995766-1003\SOFTWARE\Classes\CLSID\{53C06A7B-FC1E-40E6-9668-31CD219BAEA7}]
[2016.01.04 13:59:00.833] - INFO: Processing clsid [\Registry\User\S-1-5-21-1557006028-1809860708-2082995766-1003\SOFTWARE\Classes\CLSID\{5999E1EE-711E-48D2-9884-851A709F543D}]
[2016.01.04 13:59:00.833] - INFO: Processing clsid [\Registry\User\S-1-5-21-1557006028-1809860708-2082995766-1003\SOFTWARE\Classes\CLSID\{5AB7172C-9C11-405C-8DD5-AF20F3606282}]
[2016.01.04 13:59:00.833] - INFO: Processing clsid [\Registry\User\S-1-5-21-1557006028-1809860708-2082995766-1003\SOFTWARE\Classes\CLSID\{7AFDFDDB-F914-11E4-8377-6C3BE50D980C}]
[2016.01.04 13:59:00.833] - INFO: Processing clsid [\Registry\User\S-1-5-21-1557006028-1809860708-2082995766-1003\SOFTWARE\Classes\CLSID\{7B37E4E2-C62F-4914-9620-8FB5062718CC}]
[2016.01.04 13:59:00.833] - INFO: Processing clsid [\Registry\User\S-1-5-21-1557006028-1809860708-2082995766-1003\SOFTWARE\Classes\CLSID\{82CA8DE3-01AD-4CEA-9D75-BE4C51810A9E}]
[2016.01.04 13:59:00.833] - INFO: Processing clsid [\Registry\User\S-1-5-21-1557006028-1809860708-2082995766-1003\SOFTWARE\Classes\CLSID\{A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E}]
[2016.01.04 13:59:00.833] - INFO: Processing clsid [\Registry\User\S-1-5-21-1557006028-1809860708-2082995766-1003\SOFTWARE\Classes\CLSID\{A3CA1CF4-5F3E-4AC0-91B9-0D3716E1EAC3}]
[2016.01.04 13:59:00.833] - INFO: Processing clsid [\Registry\User\S-1-5-21-1557006028-1809860708-2082995766-1003\SOFTWARE\Classes\CLSID\{A78ED123-AB77-406B-9962-2A5D9D2F7F30}]
[2016.01.04 13:59:00.833] - INFO: Processing clsid [\Registry\User\S-1-5-21-1557006028-1809860708-2082995766-1003\SOFTWARE\Classes\CLSID\{AB807329-7324-431B-8B36-DBD581F56E0B}]
[2016.01.04 13:59:00.833] - INFO: Processing clsid [\Registry\User\S-1-5-21-1557006028-1809860708-2082995766-1003\SOFTWARE\Classes\CLSID\{BBACC218-34EA-4666-9D7A-C78F2274A524}]
[2016.01.04 13:59:00.833] - INFO: Processing clsid [\Registry\User\S-1-5-21-1557006028-1809860708-2082995766-1003\SOFTWARE\Classes\CLSID\{CB3D0F55-BC2C-4C1A-85ED-23ED75B5106B}]
[2016.01.04 13:59:00.833] - INFO: Processing clsid [\Registry\User\S-1-5-21-1557006028-1809860708-2082995766-1003\SOFTWARE\Classes\CLSID\{F241C880-6982-4CE5-8CF7-7085BA96DA5A}]
[2016.01.04 13:59:00.833] - INFO: Processing clsid [\Registry\User\S-1-5-21-1557006028-1809860708-2082995766-1003\SOFTWARE\Classes\CLSID\{F73CF5DA-09E6-469D-B5BC-02D729B757C1}]
[2016.01.04 13:59:00.833] - INFO: Processing clsid [\Registry\User\S-1-5-21-1557006028-1809860708-2082995766-1003\SOFTWARE\Classes\CLSID\{F8071786-1FD0-4A66-81A1-3CBE29274458}]
[2016.01.04 13:59:00.833] - INFO: Processing clsid [\Registry\User\S-1-5-21-1557006028-1809860708-2082995766-1002\SOFTWARE\Classes\CLSID\{031E4825-7B94-4dc3-B131-E946B44C8DD5}]
[2016.01.04 13:59:00.833] - INFO: Processing clsid [\Registry\User\S-1-5-21-1557006028-1809860708-2082995766-1002\SOFTWARE\Classes\CLSID\{1BF42E4C-4AF4-4CFD-A1A0-CF2960B8F63E}]
[2016.01.04 13:59:00.833] - INFO: Processing clsid [\Registry\User\S-1-5-21-1557006028-1809860708-2082995766-1002\SOFTWARE\Classes\CLSID\{5AB7172C-9C11-405C-8DD5-AF20F3606282}]
[2016.01.04 13:59:00.833] - INFO: Processing clsid [\Registry\User\S-1-5-21-1557006028-1809860708-2082995766-1002\SOFTWARE\Classes\CLSID\{7AFDFDDB-F914-11E4-8377-6C3BE50D980C}]
[2016.01.04 13:59:00.833] - INFO: Processing clsid [\Registry\User\S-1-5-21-1557006028-1809860708-2082995766-1002\SOFTWARE\Classes\CLSID\{82CA8DE3-01AD-4CEA-9D75-BE4C51810A9E}]
[2016.01.04 13:59:00.833] - INFO: Processing clsid [\Registry\User\S-1-5-21-1557006028-1809860708-2082995766-1002\SOFTWARE\Classes\CLSID\{A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E}]
[2016.01.04 13:59:00.833] - INFO: Processing clsid [\Registry\User\S-1-5-21-1557006028-1809860708-2082995766-1002\SOFTWARE\Classes\CLSID\{A78ED123-AB77-406B-9962-2A5D9D2F7F30}]
[2016.01.04 13:59:00.833] - INFO: Processing clsid [\Registry\User\S-1-5-21-1557006028-1809860708-2082995766-1002\SOFTWARE\Classes\CLSID\{BBACC218-34EA-4666-9D7A-C78F2274A524}]
[2016.01.04 13:59:00.833] - INFO: Processing clsid [\Registry\User\S-1-5-21-1557006028-1809860708-2082995766-1002\SOFTWARE\Classes\CLSID\{CB3D0F55-BC2C-4C1A-85ED-23ED75B5106B}]
[2016.01.04 13:59:00.833] - INFO: Processing clsid [\Registry\User\S-1-5-21-1557006028-1809860708-2082995766-1002\SOFTWARE\Classes\CLSID\{F241C880-6982-4CE5-8CF7-7085BA96DA5A}]
[2016.01.04 13:59:00.833] - INFO: Processing clsid [\Registry\User\S-1-5-21-1557006028-1809860708-2082995766-1002\SOFTWARE\Classes\CLSID\{F8071786-1FD0-4A66-81A1-3CBE29274458}]
[2016.01.04 13:59:00.833] - INFO: Processing clsid [\Registry\User\S-1-5-21-1557006028-1809860708-2082995766-1003\SOFTWARE\Classes\CLSID\{031E4825-7B94-4dc3-B131-E946B44C8DD5}]
[2016.01.04 13:59:00.833] - INFO: Processing clsid [\Registry\User\S-1-5-21-1557006028-1809860708-2082995766-1003\SOFTWARE\Classes\CLSID\{1542FC7D-8D51-43D5-B757-67C763F27BF4}]
[2016.01.04 13:59:00.833] - INFO: Processing clsid [\Registry\User\S-1-5-21-1557006028-1809860708-2082995766-1003\SOFTWARE\Classes\CLSID\{1BF42E4C-4AF4-4CFD-A1A0-CF2960B8F63E}]
[2016.01.04 13:59:00.833] - INFO: Processing clsid [\Registry\User\S-1-5-21-1557006028-1809860708-2082995766-1003\SOFTWARE\Classes\CLSID\{5AB7172C-9C11-405C-8DD5-AF20F3606282}]
[2016.01.04 13:59:00.833] - INFO: Processing clsid [\Registry\User\S-1-5-21-1557006028-1809860708-2082995766-1003\SOFTWARE\Classes\CLSID\{7AFDFDDB-F914-11E4-8377-6C3BE50D980C}]
[2016.01.04 13:59:00.833] - INFO: Processing clsid [\Registry\User\S-1-5-21-1557006028-1809860708-2082995766-1003\SOFTWARE\Classes\CLSID\{7ECF6F97-B4F3-4168-9835-F59C06D7875F}]
[2016.01.04 13:59:00.833] - INFO: Processing clsid [\Registry\User\S-1-5-21-1557006028-1809860708-2082995766-1003\SOFTWARE\Classes\CLSID\{82CA8DE3-01AD-4CEA-9D75-BE4C51810A9E}]
[2016.01.04 13:59:00.833] - INFO: Processing clsid [\Registry\User\S-1-5-21-1557006028-1809860708-2082995766-1003\SOFTWARE\Classes\CLSID\{A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E}]
[2016.01.04 13:59:00.833] - INFO: Processing clsid [\Registry\User\S-1-5-21-1557006028-1809860708-2082995766-1003\SOFTWARE\Classes\CLSID\{A78ED123-AB77-406B-9962-2A5D9D2F7F30}]
[2016.01.04 13:59:00.833] - INFO: Processing clsid [\Registry\User\S-1-5-21-1557006028-1809860708-2082995766-1003\SOFTWARE\Classes\CLSID\{BBACC218-34EA-4666-9D7A-C78F2274A524}]
[2016.01.04 13:59:00.833] - INFO: Processing clsid [\Registry\User\S-1-5-21-1557006028-1809860708-2082995766-1003\SOFTWARE\Classes\CLSID\{CB3D0F55-BC2C-4C1A-85ED-23ED75B5106B}]
[2016.01.04 13:59:00.833] - INFO: Processing clsid [\Registry\User\S-1-5-21-1557006028-1809860708-2082995766-1003\SOFTWARE\Classes\CLSID\{F241C880-6982-4CE5-8CF7-7085BA96DA5A}]
[2016.01.04 13:59:00.833] - INFO: Processing clsid [\Registry\User\S-1-5-21-1557006028-1809860708-2082995766-1003\SOFTWARE\Classes\CLSID\{F8071786-1FD0-4A66-81A1-3CBE29274458}]
[2016.01.04 13:59:00.833] - INFO: Processing [HKLM\SOFTWARE\Classes\CLSID\{73E709EA-5D93-4B2E-BBB0-99B7938DA9E4}\LocalServer32]...
[2016.01.04 13:59:00.833] - INFO: Processing value [] = [%systemroot%\sysWOW64\wbem\wmiprvse.exe]
[2016.01.04 13:59:00.833] - INFO: Processing value [] = [%systemroot%\system32\wbem\wmiprvse.exe]
[2016.01.04 13:59:00.833] - INFO: Processing invalid values in [HKLM\SOFTWARE\Classes\CLSID\{73E709EA-5D93-4B2E-BBB0-99B7938DA9E4}\LocalServer32]...
[2016.01.04 13:59:00.833] - INFO: Processing value [] = [%systemroot%\sysWOW64\wbem\wmiprvse.exe]
[2016.01.04 13:59:00.833] - INFO: Processing value [ServerExecutable] = [%systemroot%\sysWOW64\wbem\wmiprvse.exe]
[2016.01.04 13:59:00.833] - INFO: Processing value [] = [%systemroot%\system32\wbem\wmiprvse.exe]
[2016.01.04 13:59:00.833] - INFO: Processing value [ServerExecutable] = [%systemroot%\system32\wbem\wmiprvse.exe]
[2016.01.04 13:59:00.833] - INFO: Processing invalid subkeys in [HKLM\SOFTWARE\Classes\CLSID\{73E709EA-5D93-4B2E-BBB0-99B7938DA9E4}\LocalServer32]...
[2016.01.04 13:59:00.833] - INFO: Processing [HKLM\SOFTWARE\Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}]...
[2016.01.04 13:59:00.833] - INFO: Processing subkey [\Registry\Machine\SOFTWARE\Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\InprocServer32]
[2016.01.04 13:59:00.833] - INFO: Processing subkey [\Registry\Machine\SOFTWARE\Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\InprocServer32]
[2016.01.04 13:59:00.833] - INFO: (XSW) Scanning for XSW variant...
[2016.01.04 13:59:00.833] - INFO: (XSW) Processing users subkeys...
[2016.01.04 13:59:00.849] - INFO: Win32/Poweliks not found
[2016.01.04 13:59:13.027] - End

 

Attached Files
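The three logs above record what the cleanup actually changed, but only as free text in a Dutch locale. The following is an added example, not code from the thread or from the FRST or AdwCleaner projects: it parses the Fixlog.txt and AdwCleaner formats shown above into a structured record of what was moved, deleted, or deferred to the next reboot, and tags each item with the kind of location it lived in, which is what a responder wants when deciding whether a removed item in a user's Temp or AppData folder deserves a closer look. The regex names, location buckets and the two sample excerpts are my own constructions based on the posted logs.

```python
"""Parse FRST Fixlog.txt and AdwCleaner logs (Dutch locale) into a cleanup summary.
Added example; not code from the thread or the FRST/AdwCleaner projects. Regex names,
bucket names and the sample excerpts are constructed from the logs posted in the thread."""
import re

# FRST Fixlog (Dutch locale) outcome lines, one regex per outcome seen in the thread.
RE_FRST_KEY_DELETED = re.compile(r'^"(?P<key>.+)" => sleutel is succesvol verwijderd\.$')
RE_FRST_MOVED = re.compile(r'^(?P<path>.+?) => is succesvol verplaatst\.$')
RE_FRST_PENDING = re.compile(
    r'^Kon niet verplaatsen "(?P<path>.+)" => Gepland te verplaatsen bij herstart\.$')
RE_FRST_TEMP = re.compile(r'^EmptyTemp: => (?P<mb>[\d.]+) MB ')

# AdwCleaner "[-] <kind> Verwijderd : <target>" lines; the kinds seen in the thread.
RE_ADW_REMOVED = re.compile(r'^\[-\] (?P<kind>\w+) Verwijderd : (?P<target>.+)$')
ADW_KINDS = {"Service": "services", "Map": "folders", "Sleutel": "registry_keys"}

# Constructed excerpt of the Fixlog posted in the thread.
FRST_FIXLOG = r"""
Herstelpunt is succesfol gemaakt.
Proces succesvol afgesloten.
"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui" => sleutel is succesvol verwijderd.
C:\WINDOWS\system32\GroupPolicy\GPT.ini => is succesvol verplaatst.
"HKCR\CLSID\{B4F3A835-0E21-4959-BA22-42B3008E02FF}" => sleutel is succesvol verwijderd.
C:\Users\admin\AppData\Local\Temp\dllnt_dump.dll => is succesvol verplaatst.
Kon niet verplaatsen "C:\Users\witteveen\AppData\Local\Packages" => Gepland te verplaatsen bij herstart.
EmptyTemp: => 532.5 MB tijdelijke gegevens verwijderd.
"""

# Constructed excerpt of the AdwCleaner log posted in the thread.
ADW_LOG = r"""
# AdwCleaner v5.027 - Logbestand aangemaakt 04/01/2016 op 13:45:56
***** [ Services ] *****
[-] Service Verwijderd : sssvc
***** [ Mappen ] *****
[-] Map Verwijderd : C:\Program Files (x86)\SmartSense
***** [ Register ] *****
[-] Sleutel Verwijderd : HKLM\SOFTWARE\Classes\I
[-] Sleutel Verwijderd : HKLM\SOFTWARE\Classes\S
"""

# Prefix rules for classify_location; checked after the Temp/AppData substring rules.
LOCATION_RULES = (("hk", "registry"), ("c:\\programdata\\", "programdata"), ("c:\\windows\\", "system"))


def parse_frst_fixlog(text):
    """Return moved paths, deleted registry keys, reboot-deferred items and MB of temp freed."""
    out = {"moved": [], "registry_deleted": [], "pending_reboot": [], "temp_mb": None}
    for line in text.splitlines():
        line = line.strip()
        if m := RE_FRST_KEY_DELETED.match(line):
            out["registry_deleted"].append(m["key"])
        elif m := RE_FRST_PENDING.match(line):  # checked before MOVED: it also names a path
            out["pending_reboot"].append(m["path"])
        elif m := RE_FRST_MOVED.match(line):
            out["moved"].append(m["path"])
        elif m := RE_FRST_TEMP.match(line):
            out["temp_mb"] = float(m["mb"])
    return out


def parse_adwcleaner(text):
    """Return removed objects grouped by kind (services, folders, registry_keys, ...)."""
    out = {bucket: [] for bucket in ADW_KINDS.values()}
    for line in text.splitlines():
        if m := RE_ADW_REMOVED.match(line.strip()):
            bucket = ADW_KINDS.get(m["kind"], m["kind"].lower())  # unknown kinds keep the log's word
            out.setdefault(bucket, []).append(m["target"])
    return out


def classify_location(target):
    """Coarse bucket for where a removed object lived; user-writable buckets deserve a second look."""
    t = target.lower()
    if "\\temp\\" in t:
        return "user-temp"
    if "\\appdata\\" in t:
        return "user-profile"
    for prefix, bucket in LOCATION_RULES:
        if t.startswith(prefix):
            return bucket
    return "other"


def triage(frst_text, adw_text):
    """Merge both logs into (tool, action, target, location) records plus a reboot flag."""
    frst, adw = parse_frst_fixlog(frst_text), parse_adwcleaner(adw_text)
    records = [("FRST", action, t, classify_location(t))
               for action, key in (("deleted", "registry_deleted"), ("moved", "moved"),
                                   ("pending-reboot", "pending_reboot"))
               for t in frst[key]]
    records += [("AdwCleaner", f"removed-{bucket}", t, classify_location(t))
                for bucket, targets in adw.items() for t in targets]
    return {"records": records, "needs_reboot": bool(frst["pending_reboot"]),
            "temp_mb": frst["temp_mb"]}


if __name__ == "__main__":
    result = triage(FRST_FIXLOG, ADW_LOG)
    for tool, action, target, where in result["records"]:
        print(f"{tool:<10} {action:<22} {where:<12} {target}")
    print("reboot required:", result["needs_reboot"], "| temp freed (MB):", result["temp_mb"])
```

The "pending-reboot" record is the one to act on first: FRST could not move the Packages folder while the profile was in use, so the fix is incomplete until the machine has been restarted, which is exactly the kind of detail that gets lost when only the "EmptyTemp" summary line is read. The patterns are tied to the Dutch strings in these particular logs; an English-locale FRST or AdwCleaner log would need its own regexes.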



#5 henriwit

henriwit
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  • Local time:08:44 AM

Posted 04 January 2016 - 09:07 AM

One more remark I forgot to mention:

Ever since running the FRST script in step 1 my start button of windows 10 is not working anymore. Is there anything I can do to repair the start button functionality in windows 10 ?

 

Henri



#6 olgun52

olgun52

  • Malware Response Team
  • 3,784 posts
  • OFFLINE
  • Gender:Male
  • Local time:10:44 AM

Posted 04 January 2016 - 09:54 PM


my system is most likely clean

Yes, there is no important issue.

=====================================

Open command prompt

To do this try doing the following:

Press windows key and S and type cmd
In command prompt type SFC /scannow

Press enter and let it scan for missing or corrupt files and reboot when it finishes

You could also try last known good configuration at boot up

================================================================
Or please do the following.

 

Entering into the System Recovery Options

Option :step1:

To enter System Recovery Options in Windows 8:

Option :step2:

To enter System Recovery Options from the Advanced Boot Options:

  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  • Use the arrow keys to select the Repair your computer menu item.
  • Select English as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.

Option :step3:

To enter System Recovery Options by using Windows installation disc:

  • Insert the installation disc.
  • Restart your computer.
  • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
  • Click Repair your computer.
  • Select English as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next

----------

Running Farbar's Recovery Scan Tool in System Recovery

  • Once you are in the System Recovery Options menu you will get the following options:

Startup Repair
System Restore
Windows Complete PC Restore
Windows Memory Diagnostic Tool
Command Prompt

  • Select Command Prompt
  • In the command window type in sfc /scannow and press Enter.

You will get a blinking cursor while it checks and attempts to repair any issues it may find; it could take quite a bit of time to complete. To close the command window after the scan, type exit and hit the <enter> key.
 
http://www.sevenforums.com/tutorials/1538-sfc-scannow-command-system-file-checker.html?ltr=S
 
How is the start button now?

 

If the problem does not improve, perform system restore. Return to the prescan

 

How is it now?


Edited by olgun52, 04 January 2016 - 10:36 PM.

Best regards
 

 


 


#7 henriwit

henriwit
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  • Local time:08:44 AM

Posted 05 January 2016 - 05:34 PM

Hello Olgun52,

 

As you suggested I ran sfc /scannow and it finished successfully. But the left mouse button is still not working on the taskbar items.

This is only the case for the current user account. If I logon as another user (admin), then all is working fine.

 

Henri



#8 olgun52

olgun52

  • Malware Response Team
  • 3,784 posts
  • OFFLINE
  • Gender:Male
  • Local time:10:44 AM

Posted 06 January 2016 - 02:47 PM

Hello Olgun52,

 

As you suggested I ran sfc /scannow and it finished successfully. But the left mouse button is still not working on the taskbar items.

This is only the case for the current user account. If I logon as another user (admin), then all is working fine.

witteveen (S-1-5-21-1557006028-1809860708-2082995766-1003 - Limited - Enabled) => C:\Users\witteveen

You are not admin. You must be the Admin. Please check your permission settings, and try again.

http://www.wikihow.com/Find-or-Change-My-Computer's-Administrator


Best regards
 

 


 


#9 henriwit

henriwit
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  • Local time:08:44 AM

Posted 08 January 2016 - 10:37 AM

Hello Olgun52,

 

What I mean is that left clicking on the start button is not working in my normal user account, which has no admin rights. In the admin account the start menu is working fine.

The command sfc /scannow was run in a cmd windows with admin rights. So, that has done its job. Errors were fixed. So, no errors anymore.

 

But the start menu problem persists. But if I just google around a bit I can see many people with the start button problem. And no-one really posting a solution that works in all cases. Some people have fixed it using sfc /scannow, others ran this command:

Get-AppXPackage -AllUsers | Foreach {Add-AppxPackage -DisableDevelopmentMode -Register "$($_.InstallLocation)\AppXManifest.xml"}

Then others again could only fix it by adding a new user account, which in my case also works. But I just don't want to do that yet as it will take a bit of time to configure that account again.



#10 olgun52

olgun52

  • Malware Response Team
  • 3,784 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:10:44 AM

Posted 10 January 2016 - 06:31 AM

Sorry for the delay

How to perform a clean boot
https://support.microsoft.com/en-us/kb/929135
Do this and write me the results. Is there still a problem?


Best regards
 

 


 


#11 henriwit

henriwit
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:08:44 AM

Posted 11 January 2016 - 03:17 PM

Hello Olgun52,

 

I tried the command given in my previous post first. This did not give the desired effect. When executed in a powershell with admin rights it gave errors telling that for some apps "a new version was already installed" and therefore could not be updated. No other errors. Still it did not work. 

I decided to create a new user account and move all to the new account.

That worked and is still working...



#12 olgun52

olgun52

  • Malware Response Team
  • 3,784 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:10:44 AM

Posted 11 January 2016 - 04:41 PM

Okay. Is there any other problem?


Best regards
 

 


 


#13 henriwit

henriwit
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:08:44 AM

Posted 13 January 2016 - 04:28 AM

No. All problems fixed now. Subject can be closed.

 

Thanks for the help.



#14 olgun52

olgun52

  • Malware Response Team
  • 3,784 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:10:44 AM

Posted 14 January 2016 - 03:25 PM

You're welcome,

 

Thank you for your patience.  Please do the following:
Uninstall Combofix:

  • Make sure your security programs are totally disabled.
  • Press the WinKey +R to open a run box
  • Now copy/paste Combofix /uninstall into the runbox and click OK. Note the space between the ..X and the /U, it needs to be there.

 
next.....
In any case please download delfix to your desktop.

  • Close all other programs and start delfix.
  • Please check all the boxes and run the tool.
  • delfix will now delete all found traces of our removal process

You can do the following:
 
The easiest and safest way to do this is:

  • Go to Start > Programs > Accessories > System Tools and click "System Restore".
  • Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the R.P. a name, then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.

To remove all but the most recently created Restore Point:

  • Go to Start > Run and type: Cleanmgr
  • Click "Ok". Disk Cleanup will scan your files for several minutes, then open.
  • Click the "More Options" tab, then click the "Clean up" button under System Restore.
  • Click Ok. You will be prompted with "Are you sure you want to delete all but the most recent restore point?"
  • Click Yes, then click Ok.
  • Click Yes again when prompted with "Are you sure you want to perform these actions?"
  • Disk Cleanup will remove the files and close automatically. Vista and Windows 7 users can refer to these links: Create a New Restore Point in Vista or Windows 7 and Disk Cleanup in Vista.

ERUNT (Emergency Recovery Utility NT) allows you to keep a complete backup of your registry and restore it when needed. The standard registry backup options that come with Windows back up most of the registry but not all of it. ERUNT however creates a complete backup set, including the Security hive and user related sections. ERUNT is easy to use and since it creates a full backup, there are no options or choices other than to select the location of the backup files. The backup set includes a small executable that will launch the registry restore if needed.

 

Please take the time to carefully review the info contained below. It's invaluable.
Answers to common security questions - Best Practices
 
Note:  Some safety suggestions !
http://trmalwarefix.freeforums.net/t...ty-suggestions

Best regards. Greetings.


Best regards
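The restore point and registry backup steps in the post above, scripted so the result can be verified instead of assumed. This is an added example, not code from the thread, from BleepingComputer or from ERUNT; it assumes an elevated Windows PowerShell session on Windows 8 or later with System Protection available for the system drive, and the restore point description and backup folder name are constructed for the example.

```powershell
# Added example (not from the thread): create and verify a restore point and
# export the main registry hives from an elevated PowerShell, as a scripted
# form of the System Restore and backup advice in the post. The description
# text and the backup folder name are constructed for this example.

$Description = 'Before removing cleanup tools'

# Windows 8 and later silently skip restore point creation when another one was
# made within SystemRestorePointCreationFrequency minutes (default 1440). Read
# the value so a "nothing created" result can be explained.
$srKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore'
$freq = (Get-ItemProperty -Path $srKey -ErrorAction SilentlyContinue).SystemRestorePointCreationFrequency
if ($null -ne $freq) { "Restore point creation frequency limit: $freq minutes" }

Enable-ComputerRestore -Drive "$env:SystemDrive\"          # no-op if already enabled
$before = @(Get-ComputerRestorePoint).Count
Checkpoint-Computer -Description $Description -RestorePointType MODIFY_SETTINGS
$points = @(Get-ComputerRestorePoint)

if ($points.Count -gt $before) {
    $newest = $points | Sort-Object SequenceNumber -Descending | Select-Object -First 1
    "Created restore point #$($newest.SequenceNumber): $($newest.Description)"
} else {
    Write-Warning 'No restore point was created; check the frequency limit above and that System Protection is on for the system drive.'
}

# Export the hives a registry backup most needs. reg.exe cannot read the
# SECURITY hive even when elevated, which is why the post points to ERUNT for a
# complete set; this covers SOFTWARE, SYSTEM and the current user's hive.
$backupDir = Join-Path "$env:SystemDrive\" ('RegBackup-' + (Get-Date -Format 'yyyyMMdd-HHmmss'))
New-Item -ItemType Directory -Path $backupDir | Out-Null
foreach ($hive in 'HKLM\SOFTWARE', 'HKLM\SYSTEM', 'HKCU') {
    $file = Join-Path $backupDir (($hive -replace '\\', '_') + '.reg')
    & reg.exe export $hive $file /y | Out-Null
    if ($LASTEXITCODE -eq 0) {
        "Exported $hive -> $file"
    } else {
        Write-Warning "Export of $hive failed (exit code $LASTEXITCODE)"
    }
}
```

The count comparison matters because Checkpoint-Computer returns without error when the frequency limit suppresses creation; checking Get-ComputerRestorePoint before and after is the only reliable confirmation. The exported .reg files are text and large (the SYSTEM hive alone is typically tens of megabytes), so keep the folder off the desktop and delete it once the post-cleanup state has been confirmed stable.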

 


 




