

Unknown device detected/internet interruption


12 replies to this topic

#1 Bluelighter

Bluelighter

  • Members
  • 15 posts

Posted 11 February 2016 - 06:51 AM

I was online just surfing the net and I noticed a new icon in my system tray. I clicked on it and it asked if it was okay for an unknown device to be allowed to access my media. At this point in time I had not added anything to my computer in a long time. I clicked "No." Right after this (maybe coincidentally), my internet connection went down. I couldn't get a connection for maybe 5 minutes and then it came back. I've looked around online and can find nothing about this. I am wondering if someone was trying to access my computer or if I have some sort of virus/malware on my computer. Any advice or help would be appreciated. Thank you.

 

Let me add that I ran a Malwarebytes scan and a Kaspersky full scan and both came up with no threats detected.


Edited by Bluelighter, 11 February 2016 - 06:57 AM.



#2 Jo*

Jo*

  • Malware Response Team
  • 3,408 posts
  • Gender:Male
  • Location:Germany

Posted 11 February 2016 - 11:55 AM

Welcome to BleepingComputer.

Hi there,

my name is Jo and I will help you with your computer problems.


Please follow these guidelines:
  • Read and follow the instructions in the sequence they are posted.
  • Print or copy & save instructions.
  • Back up all your private data / music / important files on another (external) drive before using our tools.
  • Do not install / uninstall any applications, unless otherwise instructed.
  • Use only the tools you have been instructed to use.
  • Copy and paste the log files inside your post, unless otherwise instructed.
  • Ask for clarification, if you have any questions.
  • Stay with this topic until you get the all-clean post.
  • My first language is not English. So please do not use slang or idioms. It could be hard for me to read. Thanks for your understanding.

***


Step 1: Download Security Check by screen317 from here or here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
    Vista / Windows 7/8 users right-click and select Run As Administrator.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

***


Step 2: Please download Malwarebytes Anti-Rootkit and save it to your desktop.
  • Be sure to print out and follow the instructions provided on that same page.
  • Caution: This is a beta version so please be sure to read the disclaimer and back up all your data before using.
  • Double click on downloaded file. OK self extracting prompt.
  • MBAR will start. Click in the introduction screen "next" to continue.
  • Click in the following screen "Update" to obtain the latest malware definitions.
  • Once the update is complete select "Next" and click "Scan".
With some infections, you may see two messages boxes.
  • 'Could not load protection driver'. Click 'OK'.
  • 'Could not load DDA driver'. Click 'Yes' to this message, to allow the driver to load after a restart. Allow the computer to restart. Continue with the rest of these instructions.
  • If malware is found - do not press the Clean up button, please go to the MBAR folder and then copy/paste the contents of the MBAR-log-***.txt file to your next reply.
  • If there is no malware found, please let me know as well.

***


Step 3: Please download AdwCleaner by Xplode and save to your Desktop.
Double-click AdwCleaner.exe
Vista / Windows 7/8 users right-click and select Run As Administrator.
  • Click on the Scan button.
  • AdwCleaner will begin...be patient as the scan may take some time to complete.
    The actual line should say "Pending. Please uncheck elements you do not want to remove" => scan is complete.
  • After the scan has finished, click on the Report button...a logfile (AdwCleaner[R0].txt) will open in Notepad for review.
  • The contents of the log file may be confusing. Unless you see a program name that you know should not be removed, don't worry about it.
    If you see an entry you want to keep, let me know about it.
  • Copy and paste the contents of that logfile in your next reply.
  • A copy of all logfiles are saved in the C:\AdwCleaner folder which was created when running the tool.

***


Step 4: MiniToolbox by Farbar

Disable your antivirus if it does not allow you to download the tool!
Please download MiniToolBox, save it to your desktop and run it.
Place a checkmark in Select all, then click Go and post the result (MTB.txt). A copy of Result.txt will be saved in the same directory the tool is run.
Copy and paste the contents of that logfile in your next reply.

Cheers,
Jo
If I have been helping you, and I have not replied to your latest post in 36 hours please send me a PM.


#3 Bluelighter

Bluelighter
  • Topic Starter

  • Members
  • 15 posts

Posted 12 February 2016 - 05:44 AM

Thank you for your help, Jo. Here are the logs.

 

Security Check

 Results of screen317's Security Check version 1.014 --- 12/23/15  
 Windows Vista Service Pack 2 x64 (UAC is enabled)  
 Internet Explorer 9  
 Internet Explorer 8  
``````````````Antivirus/Firewall Check:``````````````
 Windows Firewall Disabled!  
Kaspersky Total Security   
 Antivirus up to date!   
`````````Anti-malware/Other Utilities Check:`````````
 Adobe Flash Player     20.0.0.306  
 Adobe Reader 10.1.16 Adobe Reader out of Date!  
 Mozilla Firefox (44.0.1)
````````Process Check: objlist.exe by Laurent````````  
 Kaspersky Lab Kaspersky Total Security 16.0.0 avp.exe  
 Kaspersky Lab Kaspersky Total Security 16.0.0 avpui.exe  
`````````````````System Health check`````````````````
 Total Fragmentation on Drive C: 2 % Defragment your hard drive soon! (Do NOT defrag if SSD!)
````````````````````End of Log``````````````````````

 

 

Malwarebytes Anti-Rootkit

No malware was found.

 

 

AdwCleaner

# AdwCleaner v5.033 - Logfile created 12/02/2016 at 02:34:06
# Updated 07/02/2016 by Xplode
# Database : 2016-02-07.2 [Server]
# Operating system : Windows ™ Vista Home Premium Service Pack 2 (x64)
# Username : RS - RS-PC
# Running from : C:\Users\RS\Desktop\AdwCleaner.exe
# Option : Scan
# Support : http://toolslib.net/forum

***** [ Services ] *****


***** [ Folders ] *****


***** [ Files ] *****


***** [ DLL ] *****


***** [ Shortcuts ] *****


***** [ Scheduled tasks ] *****


***** [ Registry ] *****

Key Found : HKCU\Software\APN PIP
Key Found : HKLM\SOFTWARE\APN PIP

***** [ Web browsers ] *****


########## EOF - C:\AdwCleaner\AdwCleaner[S1].txt - [652 bytes] ##########

 

 

 

MiniToolbox

 

MiniToolBox by Farbar  Version: 07-02-2016 01
Ran by RS (administrator) on 12-02-2016 at 02:37:21
Running from "C:\Users\RS\Desktop"
Microsoft® Windows Vista™ Home Premium  Service Pack 2 (X64)
Model: Studio XPS 435T Manufacturer: DELL Inc.
Boot Mode: Normal
***************************************************************************

========================= Flush DNS: ===================================

Windows IP Configuration

Successfully flushed the DNS Resolver Cache.

========================= IE Proxy Settings: ==============================

Proxy is not enabled.
No Proxy Server is set.

"Reset IE Proxy Settings": IE Proxy Settings were reset.

========================= FF Proxy Settings: ==============================


"Reset FF Proxy Settings": Firefox Proxy settings were reset.

========================= Hosts content: =================================
127.0.0.1       localhost
========================= IP Configuration: ================================

Realtek RTL8168C(P)/8111C(P) Family PCI-E Gigabit Ethernet NIC (NDIS 6.0) = Local Area Connection (Connected)


# ----------------------------------
# IPv4 Configuration
# ----------------------------------
pushd interface ipv4

reset
set global icmpredirects=enabled


popd
# End of IPv4 configuration



Windows IP Configuration

   Host Name . . . . . . . . . . . . : RS-PC
   Primary Dns Suffix  . . . . . . . :
   Node Type . . . . . . . . . . . . : Unknown
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No

Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Realtek RTL8168C(P)/8111C(P) Family PCI-E Gigabit Ethernet NIC (NDIS 6.0)
   Physical Address. . . . . . . . . : 00-23-AE-E6-F9-34
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
   Link-local IPv6 Address . . . . . : fe80::b936:d24a:706a:48c5%11(Preferred)
   IPv4 Address. . . . . . . . . . . : 192.168.0.14(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Lease Obtained. . . . . . . . . . : Thursday, February 11, 2016 3:25:35 PM
   Lease Expires . . . . . . . . . . : Friday, February 12, 2016 3:25:57 AM
   Default Gateway . . . . . . . . . : 192.168.0.1
   DHCP Server . . . . . . . . . . . : 192.168.0.1
   DHCPv6 IAID . . . . . . . . . . . : 251667374
   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-11-E8-58-27-00-23-AE-E6-F9-34
   DNS Servers . . . . . . . . . . . : 71.10.216.1
                                       71.10.216.2
   NetBIOS over Tcpip. . . . . . . . : Enabled

Tunnel adapter Local Area Connection* 6:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : isatap.{817B19A0-2F41-4AE7-8DF0-48A3965D7B62}
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes

Tunnel adapter Local Area Connection* 7:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
   Physical Address. . . . . . . . . : 02-00-54-55-4E-01
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
Server:  rns01.charter.com
Address:  71.10.216.1

Name:    google.com
Addresses:  2607:f8b0:4002:c0c::65
      74.125.21.138
      74.125.21.101
      74.125.21.139
      74.125.21.102
      74.125.21.100
      74.125.21.113



Pinging google.com [74.125.21.102] with 32 bytes of data:
Reply from 74.125.21.102: bytes=32 time=69ms TTL=40
Reply from 74.125.21.102: bytes=32 time=70ms TTL=40

Ping statistics for 74.125.21.102:
    Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 69ms, Maximum = 70ms, Average = 69ms

Server:  rns01.charter.com
Address:  71.10.216.1

Name:    yahoo.com
Addresses:  2001:4998:58:c02::a9
      2001:4998:c:a06::2:4008
      2001:4998:44:204::a7
      98.138.253.109
      98.139.183.24
      206.190.36.45

Pinging yahoo.com [206.190.36.45] with 32 bytes of data:
Reply from 206.190.36.45: bytes=32 time=52ms TTL=51
Reply from 206.190.36.45: bytes=32 time=46ms TTL=51

Ping statistics for 206.190.36.45:
    Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 46ms, Maximum = 52ms, Average = 49ms

Pinging 127.0.0.1 with 32 bytes of data:
Reply from 127.0.0.1: bytes=32 time<1ms TTL=128
Reply from 127.0.0.1: bytes=32 time<1ms TTL=128

Ping statistics for 127.0.0.1:
    Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 0ms, Average = 0ms

===========================================================================
Interface List
 11 ...00 23 ae e6 f9 34 ...... Realtek RTL8168C(P)/8111C(P) Family PCI-E Gigabit Ethernet NIC (NDIS 6.0)
  1 ........................... Software Loopback Interface 1
 12 ...00 00 00 00 00 00 00 e0  isatap.{817B19A0-2F41-4AE7-8DF0-48A3965D7B62}
 10 ...02 00 54 55 4e 01 ...... Teredo Tunneling Pseudo-Interface
===========================================================================

IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.0.1     192.168.0.14     10
        127.0.0.0        255.0.0.0         On-link         127.0.0.1    306
        127.0.0.1  255.255.255.255         On-link         127.0.0.1    306
  127.255.255.255  255.255.255.255         On-link         127.0.0.1    306
      192.168.0.0    255.255.255.0         On-link      192.168.0.14    266
     192.168.0.14  255.255.255.255         On-link      192.168.0.14    266
    192.168.0.255  255.255.255.255         On-link      192.168.0.14    266
        224.0.0.0        240.0.0.0         On-link         127.0.0.1    306
        224.0.0.0        240.0.0.0         On-link      192.168.0.14    266
  255.255.255.255  255.255.255.255         On-link         127.0.0.1    306
  255.255.255.255  255.255.255.255         On-link      192.168.0.14    266
===========================================================================
Persistent Routes:
  None

IPv6 Route Table
===========================================================================
Active Routes:
 If Metric Network Destination      Gateway
  1    306 ::1/128                  On-link
 11    266 fe80::/64                On-link
 11    266 fe80::b936:d24a:706a:48c5/128
                                    On-link
  1    306 ff00::/8                 On-link
 11    266 ff00::/8                 On-link
===========================================================================
Persistent Routes:
  None
========================= Winsock entries =====================================


========================= Event log errors: ===============================

Application errors:
==================
Error: (02/12/2016 01:31:49 AM) (Source: Windows Search Service) (User: )
Description: The entry <C:\USERS\RS\APPDATA\LOCAL\MOZILLA\FIREFOX\PROFILES\GD8206K0.DEFAULT-1436749599328\SAFEBROWSING-TO_DELETE> in the hash map cannot be updated.

Context:  Application, SystemIndex Catalog


Details:
    A device attached to the system is not functioning.   (0x8007001f)

Error: (02/12/2016 01:31:48 AM) (Source: Windows Search Service) (User: )
Description: The entry <C:\USERS\RS\APPDATA\LOCAL\MOZILLA\FIREFOX\PROFILES\GD8206K0.DEFAULT-1436749599328\SAFEBROWSING-BACKUP> in the hash map cannot be updated.

Context:  Application, SystemIndex Catalog


Details:
    A device attached to the system is not functioning.   (0x8007001f)

Error: (02/11/2016 03:30:57 PM) (Source: Windows Search Service) (User: )
Description: The entry <C:\USERS\RS\APPDATA\LOCAL\MOZILLA\FIREFOX\PROFILES\GD8206K0.DEFAULT-1436749599328\SAFEBROWSING-TO_DELETE> in the hash map cannot be updated.

Context:  Application, SystemIndex Catalog


Details:
    A device attached to the system is not functioning.   (0x8007001f)

Error: (02/11/2016 03:30:57 PM) (Source: Windows Search Service) (User: )
Description: The entry <C:\USERS\RS\APPDATA\LOCAL\MOZILLA\FIREFOX\PROFILES\GD8206K0.DEFAULT-1436749599328\SAFEBROWSING-BACKUP> in the hash map cannot be updated.

Context:  Application, SystemIndex Catalog


Details:
    A device attached to the system is not functioning.   (0x8007001f)

Error: (02/11/2016 03:27:10 PM) (Source: WinMgmt) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (02/11/2016 03:06:31 PM) (Source: EventSystem) (User: )
Description: 80070005EventSystem.EventSubscription{CEB8B221-89C5-41A8-98CE-79B413BF150B}-{00000000-0000-0000-0000-000000000000}-{00000000-0000-0000-0000-000000000000}

Error: (02/11/2016 11:03:47 AM) (Source: Windows Search Service) (User: )
Description: The entry <C:\USERS\RS\APPDATA\LOCAL\MOZILLA\FIREFOX\PROFILES\GD8206K0.DEFAULT-1436749599328\SAFEBROWSING-TO_DELETE> in the hash map cannot be updated.

Context:  Application, SystemIndex Catalog


Details:
    A device attached to the system is not functioning.   (0x8007001f)

Error: (02/11/2016 11:03:47 AM) (Source: Windows Search Service) (User: )
Description: The entry <C:\USERS\RS\APPDATA\LOCAL\MOZILLA\FIREFOX\PROFILES\GD8206K0.DEFAULT-1436749599328\SAFEBROWSING-BACKUP> in the hash map cannot be updated.

Context:  Application, SystemIndex Catalog


Details:
    A device attached to the system is not functioning.   (0x8007001f)

Error: (02/11/2016 10:59:39 AM) (Source: WinMgmt) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (02/11/2016 04:08:09 AM) (Source: EventSystem) (User: )
Description: 80070005EventSystem.EventSubscription{CEB8B221-89C5-41A8-98CE-79B413BF150B}-{00000000-0000-0000-0000-000000000000}-{00000000-0000-0000-0000-000000000000}


System errors:
=============
Error: (02/11/2016 03:27:12 PM) (Source: Service Control Manager) (User: )
Description: Beep

Error: (02/11/2016 03:27:12 PM) (Source: Service Control Manager) (User: )
Description: Dock Login Service%%2

Error: (02/11/2016 10:59:41 AM) (Source: Service Control Manager) (User: )
Description: Beep

Error: (02/11/2016 10:59:41 AM) (Source: Service Control Manager) (User: )
Description: Dock Login Service%%2

Error: (02/10/2016 10:53:21 PM) (Source: netbt) (User: )
Description: The name "MARK-PC        :0" could not be registered on the interface with IP address 192.168.0.14.
The computer with the IP address 192.168.0.53 did not allow the name to be claimed by
this computer.

Error: (02/10/2016 10:43:21 PM) (Source: netbt) (User: )
Description: The name "MARK-PC        :0" could not be registered on the interface with IP address 192.168.0.14.
The computer with the IP address 192.168.0.53 did not allow the name to be claimed by
this computer.

Error: (02/10/2016 10:33:03 PM) (Source: netbt) (User: )
Description: The name "MARK-PC        :0" could not be registered on the interface with IP address 192.168.0.14.
The computer with the IP address 192.168.0.53 did not allow the name to be claimed by
this computer.

Error: (02/10/2016 10:23:01 PM) (Source: netbt) (User: )
Description: The name "MARK-PC        :0" could not be registered on the interface with IP address 192.168.0.14.
The computer with the IP address 192.168.0.53 did not allow the name to be claimed by
this computer.

Error: (02/10/2016 10:12:47 PM) (Source: netbt) (User: )
Description: The name "MARK-PC        :0" could not be registered on the interface with IP address 192.168.0.14.
The computer with the IP address 192.168.0.53 did not allow the name to be claimed by
this computer.

Error: (02/10/2016 10:02:27 PM) (Source: netbt) (User: )
Description: The name "MARK-PC        :0" could not be registered on the interface with IP address 192.168.0.14.
The computer with the IP address 192.168.0.53 did not allow the name to be claimed by
this computer.


Microsoft Office Sessions:
=========================
Error: (02/12/2016 01:31:49 AM) (Source: Windows Search Service)(User: )
Description: Context:  Application, SystemIndex Catalog


Details:
    A device attached to the system is not functioning.   (0x8007001f)
C:\USERS\RS\APPDATA\LOCAL\MOZILLA\FIREFOX\PROFILES\GD8206K0.DEFAULT-1436749599328\SAFEBROWSING-TO_DELETE

Error: (02/12/2016 01:31:48 AM) (Source: Windows Search Service)(User: )
Description: Context:  Application, SystemIndex Catalog


Details:
    A device attached to the system is not functioning.   (0x8007001f)
C:\USERS\RS\APPDATA\LOCAL\MOZILLA\FIREFOX\PROFILES\GD8206K0.DEFAULT-1436749599328\SAFEBROWSING-BACKUP

Error: (02/11/2016 03:30:57 PM) (Source: Windows Search Service)(User: )
Description: Context:  Application, SystemIndex Catalog


Details:
    A device attached to the system is not functioning.   (0x8007001f)
C:\USERS\RS\APPDATA\LOCAL\MOZILLA\FIREFOX\PROFILES\GD8206K0.DEFAULT-1436749599328\SAFEBROWSING-TO_DELETE

Error: (02/11/2016 03:30:57 PM) (Source: Windows Search Service)(User: )
Description: Context:  Application, SystemIndex Catalog


Details:
    A device attached to the system is not functioning.   (0x8007001f)
C:\USERS\RS\APPDATA\LOCAL\MOZILLA\FIREFOX\PROFILES\GD8206K0.DEFAULT-1436749599328\SAFEBROWSING-BACKUP

Error: (02/11/2016 03:27:10 PM) (Source: WinMgmt)(User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (02/11/2016 03:06:31 PM) (Source: EventSystem)(User: )
Description: 80070005EventSystem.EventSubscription{CEB8B221-89C5-41A8-98CE-79B413BF150B}-{00000000-0000-0000-0000-000000000000}-{00000000-0000-0000-0000-000000000000}

Error: (02/11/2016 11:03:47 AM) (Source: Windows Search Service)(User: )
Description: Context:  Application, SystemIndex Catalog


Details:
    A device attached to the system is not functioning.   (0x8007001f)
C:\USERS\RS\APPDATA\LOCAL\MOZILLA\FIREFOX\PROFILES\GD8206K0.DEFAULT-1436749599328\SAFEBROWSING-TO_DELETE

Error: (02/11/2016 11:03:47 AM) (Source: Windows Search Service)(User: )
Description: Context:  Application, SystemIndex Catalog


Details:
    A device attached to the system is not functioning.   (0x8007001f)
C:\USERS\RS\APPDATA\LOCAL\MOZILLA\FIREFOX\PROFILES\GD8206K0.DEFAULT-1436749599328\SAFEBROWSING-BACKUP

Error: (02/11/2016 10:59:39 AM) (Source: WinMgmt)(User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (02/11/2016 04:08:09 AM) (Source: EventSystem)(User: )
Description: 80070005EventSystem.EventSubscription{CEB8B221-89C5-41A8-98CE-79B413BF150B}-{00000000-0000-0000-0000-000000000000}-{00000000-0000-0000-0000-000000000000}


CodeIntegrity Errors:
===================================
  Date: 2016-02-12 02:14:13.511
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume3\WINDOWS\System32\drivers\kneps.sys because the set of per-page image hashes could not be found on the system.

  Date: 2016-02-12 02:14:13.265
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume3\WINDOWS\System32\drivers\kneps.sys because the set of per-page image hashes could not be found on the system.

  Date: 2016-02-12 02:14:13.022
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume3\WINDOWS\System32\drivers\kneps.sys because the set of per-page image hashes could not be found on the system.

  Date: 2016-02-12 02:14:12.765
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume3\WINDOWS\System32\drivers\kneps.sys because the set of per-page image hashes could not be found on the system.

  Date: 2016-02-12 02:14:12.508
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume3\WINDOWS\System32\drivers\kneps.sys because the set of per-page image hashes could not be found on the system.

  Date: 2016-02-12 02:14:12.249
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume3\WINDOWS\System32\drivers\kneps.sys because the set of per-page image hashes could not be found on the system.

  Date: 2016-02-12 02:14:11.974
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume3\WINDOWS\System32\drivers\kneps.sys because the set of per-page image hashes could not be found on the system.

  Date: 2016-02-12 02:14:11.721
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume3\WINDOWS\System32\drivers\kneps.sys because the set of per-page image hashes could not be found on the system.

  Date: 2016-02-12 02:14:11.471
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume3\WINDOWS\System32\drivers\kneps.sys because the set of per-page image hashes could not be found on the system.

  Date: 2016-02-12 02:14:11.213
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume3\WINDOWS\System32\drivers\kneps.sys because the set of per-page image hashes could not be found on the system.


=========================== Installed Programs ============================

Canon MX310 series (HKLM\...\{1199FAD5-9546-44f3-81CF-FFDB8040B7BF}_Canon_MX310_series) (Version:  - )
Canon MX310 series (HKLM-x32\...\{1199FAD5-9546-44f3-81CF-FFDB8040B7BF}_Canon_MX310_series) (Version:  - )
Canon My Printer (HKLM\...\CanonMyPrinter) (Version:  - )
Canon My Printer (HKLM-x32\...\CanonMyPrinter) (Version:  - )
ccc-utility64 (HKLM-x32\...\{E4C229B2-51E3-49E7-3A42-A3B695B4E56E}) (Version: 2009.0213.2138.38808 - ATI) Hidden
EMCGadgets64 (HKLM\...\{02AD9D20-03D2-4DE0-8793-E8253026AD86}) (Version: 1.1.501 - Sonic) Hidden
EMCGadgets64 (HKLM-x32\...\{02AD9D20-03D2-4DE0-8793-E8253026AD86}) (Version: 1.1.501 - Sonic) Hidden
Intel® Matrix Storage Manager (HKLM\...\{9068B2BE-D93A-4C0A-861C-5E35E2C0E09E}) (Version:  - Intel Corporation)
Intel® Matrix Storage Manager (HKLM-x32\...\{9068B2BE-D93A-4C0A-861C-5E35E2C0E09E}) (Version:  - Intel Corporation)
Microsoft .NET Framework 3.5 SP1 (HKLM\...\Microsoft .NET Framework 3.5 SP1) (Version:  - Microsoft Corporation)
Microsoft .NET Framework 3.5 SP1 (HKLM-x32\...\Microsoft .NET Framework 3.5 SP1) (Version:  - Microsoft Corporation)
Microsoft .NET Framework 4.5.2 (HKLM\...\{92FB6C44-E685-45AD-9B20-CADF4CABA132} - 1033) (Version: 4.5.51209 - Microsoft Corporation)
Microsoft .NET Framework 4.5.2 (HKLM-x32\...\{92FB6C44-E685-45AD-9B20-CADF4CABA132} - 1033) (Version: 4.5.51209 - Microsoft Corporation)
Microsoft Visual C++ 2005 ATL Update kb973923 - x64 8.0.50727.4053 (HKLM\...\{B6E3757B-5E77-3915-866A-CCFC4B8D194C}) (Version: 8.0.50727.4053 - Microsoft Corporation)
Microsoft Visual C++ 2005 ATL Update kb973923 - x64 8.0.50727.4053 (HKLM-x32\...\{B6E3757B-5E77-3915-866A-CCFC4B8D194C}) (Version: 8.0.50727.4053 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (x64) - KB2467175 (HKLM\...\{aac9fcc4-dd9e-4add-901c-b5496a07ab2e}) (Version: 8.0.51011 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (x64) - KB2467175 (HKLM-x32\...\{aac9fcc4-dd9e-4add-901c-b5496a07ab2e}) (Version: 8.0.51011 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (x64) (HKLM\...\{ad8a2fa1-06e7-4b0d-927d-6e54b3d31028}) (Version: 8.0.61000 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (x64) (HKLM-x32\...\{ad8a2fa1-06e7-4b0d-927d-6e54b3d31028}) (Version: 8.0.61000 - Microsoft Corporation)
Paint.NET v3.5.6 (HKLM\...\{639673E9-D53F-44F4-A046-485C8A6ADA16}) (Version: 3.56.0 - dotPDN LLC)
Paint.NET v3.5.6 (HKLM-x32\...\{639673E9-D53F-44F4-A046-485C8A6ADA16}) (Version: 3.56.0 - dotPDN LLC)

========================= Devices: ================================


========================= Memory info: ===================================

Percentage of memory in use: 59%
Total physical RAM: 6134.07 MB
Available physical RAM: 2486.96 MB
Total Virtual: 12439.62 MB
Available Virtual: 8845.13 MB

========================= Partitions: =====================================

1 Drive c: (OS) (Fixed) (Total:683.57 GB) (Free:519.62 GB) NTFS
2 Drive d: (RECOVERY) (Fixed) (Total:15 GB) (Free:7.45 GB) NTFS
8 Drive j: () (Removable) (Total:3.79 GB) (Free:0.09 GB) FAT32

========================= Users: ========================================

User accounts for \\RS-PC

Administrator            Guest                    RS                       

========================= Minidump Files ==================================

C:\Windows\Minidump\Mini012916-01.dmp
========================= Restore Points ==================================


**** End of log ****
 



#4 Jo*


Posted 12 February 2016 - 12:34 PM

Hello,

:step1: Run Malwarebytes Anti-Rootkit again: Right-click mbar.exe and select Run As Administrator
  • Scan your system for malware
  • If malware is found, click on the Cleanup button to remove any threats and reboot if prompted to do so.
  • Wait while the system shuts down and the cleanup process is performed.
  • Then please go to the MBAR folder and copy/paste the contents of the MBAR-log-***.txt file to your next reply.
  • If there is no malware found, please let me know as well.

***


:step2: Double click on AdwCleaner.exe to run the tool again.
Vista / Windows 7/8 users right-click and select Run As Administrator.
  • Click on the Scan button.
  • AdwCleaner will begin to scan your computer like it did before.
  • When the scan has finished, the actual line should say "Pending. Please uncheck elements you do not want to remove". Look through the scan results and uncheck any entries that you do not wish to remove.
  • This time, click on the Clean button.
  • Press OK when asked to close all programs and follow the onscreen prompts.
  • Press OK again to allow AdwCleaner to restart the computer and complete the removal process.
  • After rebooting, a logfile report (AdwCleaner[C#].txt) will open automatically (where the largest value of # represents the most recent report).
  • Copy and paste the contents of that logfile in your next reply.
  • A copy of that logfile will also be saved in the C:\AdwCleaner folder.

***


:step3: Please download Junkware Removal Tool from HERE and save it to your desktop.
Shut down your antivirus to avoid any potential conflicts.
Double click JRT.exe to run the tool.
Vista / Windows 7/8 users right-click and select Run As Administrator.
  • JRT will begin to backup your registry and start scanning your system.
  • Please be patient as this can take a while to complete depending on your system's specifications.
  • On completion, the log JRT.txt is saved on your desktop and will automatically open.
Enable your antivirus!
Post the contents of JRT.txt into your next reply.

Graduate of the WTT Classroom
Cheers,
Jo
If I have been helping you, and I have not replied to your latest post in 36 hours please send me a PM.


#5 Bluelighter


Posted 12 February 2016 - 02:24 PM

Malwarebytes Anti-Rootkit

No malware was found.

 

AdwCleaner:

No malware was found.

 

# AdwCleaner v5.033 - Logfile created 12/02/2016 at 02:34:06
# Updated 07/02/2016 by Xplode
# Database : 2016-02-07.2 [Server]
# Operating system : Windows ™ Vista Home Premium Service Pack 2 (x64)
# Username : RS - RS-PC
# Running from : C:\Users\RS\Desktop\AdwCleaner.exe
# Option : Scan
# Support : http://toolslib.net/forum

***** [ Services ] *****


***** [ Folders ] *****


***** [ Files ] *****


***** [ DLL ] *****


***** [ Shortcuts ] *****


***** [ Scheduled tasks ] *****


***** [ Registry ] *****

Key Found : HKCU\Software\APN PIP
Key Found : HKLM\SOFTWARE\APN PIP

***** [ Web browsers ] *****


########## EOF - C:\AdwCleaner\AdwCleaner[S1].txt - [652 bytes] ##########

 

 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Malwarebytes
Version: 8.0.2 (01.06.2016)
Operating System: Windows ™ Vista Home Premium x64
Ran by RS (Administrator) on Fri 02/12/2016 at 11:12:14.31
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~




File System: 7

Successfully deleted: C:\Users\RS\AppData\Roaming\Mozilla\Firefox\Profiles\gd8206k0.default-1436749599328\searchplugins\norton-safe-search.xml (File)
Successfully deleted: C:\Users\RS\Documents\my pagemanager (Folder)
Successfully deleted: C:\Windows\system32\newsoft (File)
Successfully deleted: C:\Users\RS\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4YDTVTLL (Folder)
Successfully deleted: C:\Users\RS\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\TVWZVN7T (Folder)
Successfully deleted: C:\Users\RS\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XHRY9X89 (Folder)
Successfully deleted: C:\Users\RS\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZSZ8NEEQ (Folder)



Registry: 0





~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on Fri 02/12/2016 at 11:18:04.80
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

 



#6 Jo*


Posted 12 February 2016 - 05:26 PM

Hi,

:step1: Download Sophos Free Virus Removal Tool and save it to your desktop.
  • Double click the icon and select Run
  • Click Next
  • Select I accept the terms in this license agreement, then click Next twice
  • Click Install
  • Click Finish to launch the program
  • Once the virus database has been updated click Start Scanning
  • If any threats are found click Details, then View log file... (bottom left hand corner)
  • Copy and paste the results in your reply
  • Close the Notepad document, close the Threat Details screen, then click Start cleanup
  • Click Exit to close the program

***


:step2: Emsisoft Emergency Kit
  • Click here to download Emsisoft Emergency Kit. The download will automatically start after a moment.
  • Save EmsisoftEmergencyKit.exe to your Desktop.
  • Double click on EmsisoftEmergencyKit.exe (Windows Vista/7/8 users: Accept UAC warning if it is enabled). A screen like this will appear:
  • Leave everything as it is, then click Extract. This will unpack Emsisoft Emergency Kit to the EEK folder located in the root drive (usually C:\).
  • Once the extraction is done, an icon will appear on your Desktop. Double click it to start Emsisoft Emergency Kit.
  • Wait for Emsisoft Emergency Kit to finish loading signatures. A screen like this should appear:
  • Choose Yes, then wait for EEK to finish updating.
  • Choose Malware Scan under the Scan button. When EEK asks to activate PUP detection, choose Yes.
  • Wait for the scan to finish.
  • If EEK detects something, all detected items will be displayed. Place a checkmark before everything, then choose Quarantine Selected.
  • If Emsisoft Emergency Kit asks to reboot, please do so immediately.
  • The scan log is located in Logs -> Scan Logs. Click on the entry of the latest scan, choose Export and save the report on your Desktop.
  • Please Copy and Paste the contents of the scan log in your next reply.

***


:step3: How is the computer running now?

Graduate of the WTT Classroom
Cheers,
Jo
If I have been helping you, and I have not replied to your latest post in 36 hours please send me a PM.


#7 Bluelighter


Posted 12 February 2016 - 11:48 PM

Sophos was run and there was not any malware detected.

 

I installed Emsisoft Emergency Kit but was unable to use it. A pop up box says it will not run in Windows prior to Windows version 7. I am currently still using Vista.

 

The computer is running the same as before. Not bad. I have not had another unknown device detected.



#8 Jo*


Posted 13 February 2016 - 07:42 AM

Hello,

:step1: Please download and run the following tool to help allow other programs to run. (courtesy of BleepingComputer.com)
There are 5 different versions. If one of them won't run then download and try to run the other one.
Vista and Win7/8/10 users need to right click and choose Run as Administrator
You only need to get one of them to run, not all of them. Do not reboot your computer after running rkill as the malware programs will start again.


---


:step2: Malwarebytes' Anti-Malware
If this program is already installed: Skip the installation and run only the scan!
Download and install: Please download Malwarebytes Anti-Malware to your desktop.
  • Double-click mb3-setup-1878.1878-3.5.1.2522.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to the following:
    • Launch Malwarebytes Anti-Malware
    • A 14 day trial of the Premium features is pre-selected. You may deselect this if you wish, and it will not diminish the scanning and removal capabilities of the program.
  • Click Finish.
  • On the Dashboard, click the 'Update Now >>' link
  • After the update completes, click the 'Scan Now >>' button.
  • Or, on the Dashboard, click the Scan Now >> button.
  • If an update is available, click the Update Now button.
  • A Threat Scan will begin.
  • When the scan is complete, if there have been detections, click Apply Actions to allow MBAM to clean what was detected.
  • In most cases, a restart will be required.
  • Wait for the prompt to restart the computer to appear, then click on Yes.
How to get logs: (Export log to save as txt)
  • After the restart once you are back at your desktop, open MBAM once more.
  • Click on the History tab > Application Logs.
  • Double click on the scan log which shows the Date and time of the scan just performed.
  • Click 'Export'.
  • Click 'Text file (*.txt)'
  • In the Save File dialog box which appears, click on Desktop.
  • In the File name: box type a name for your scan log.
  • A message box named 'File Saved' should appear stating "Your file has been successfully exported".
  • Click Ok
  • Attach that saved log to your next reply.
(Copy to clipboard for pasting into forum replies or tickets)
  • After the restart once you are back at your desktop, open MBAM once more.
  • Click on the History tab > Application Logs.
  • Double click on the scan log which shows the Date and time of the scan just performed.
  • Click 'Copy to Clipboard'
  • Paste the contents of the clipboard into your reply.

---


:step3: Please download Farbar Service Scanner and run it on the computer with the issue.
  • Make sure the following options are checked:
    • Internet Services
    • Windows Firewall
    • System Restore
    • Security Center/Action Center
    • Windows Update
    • Windows Defender
  • Press "Scan".
  • It will create a log (FSS.txt) in the same directory the tool is run.
  • Please copy and paste the log to your reply.

Graduate of the WTT Classroom
Cheers,
Jo
If I have been helping you, and I have not replied to your latest post in 36 hours please send me a PM.


#9 Bluelighter


Posted 13 February 2016 - 10:12 PM

Rkill 2.8.3 by Lawrence Abrams (Grinler)
http://www.bleepingcomputer.com/
Copyright 2008-2016 BleepingComputer.com
More Information about Rkill can be found at this link:
 http://www.bleepingcomputer.com/forums/topic308364.html

Program started at: 02/13/2016 06:38:23 PM in x64 mode.
Windows Version: Windows Vista ™ Home Premium Service Pack 2

Checking for Windows services to stop:

 * No malware services found to stop.

Checking for processes to terminate:

 * C:\WINDOWS\System32\spool\drivers\x64\3\WrtMon.exe (PID: 2896) [WD-HEUR]
 * C:\WINDOWS\System32\spool\drivers\x64\3\WrtProc.exe (PID: 4876) [WD-HEUR]

2 proccesses terminated!

Checking Registry for malware related settings:

 * No issues found in the Registry.

Resetting .EXE, .COM, & .BAT associations in the Windows Registry.

Performing miscellaneous checks:

 * Windows Defender Disabled

   [HKLM\SOFTWARE\Microsoft\Windows Defender]
   "DisableAntiSpyware" = dword:00000001

 * Windows Firewall Disabled

   [HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
   "EnableFirewall" = dword:00000000

Checking Windows Service Integrity:

 * Windows Defender (WinDefend) is not Running.
   Startup Type set to: Manual

Searching for Missing Digital Signatures:

 * No issues found.

Checking HOSTS File:

 * HOSTS file entries found:

  127.0.0.1       localhost

Program finished at: 02/13/2016 06:39:23 PM
Execution time: 0 hours(s), 0 minute(s), and 59 seconds(s)
 

 

 

Malwarebytes Anti-Malware
www.malwarebytes.org

Scan Date: 2/13/2016
Scan Time: 6:41:34 PM
Logfile:
Administrator: Yes

Version: 2.2.0.1024
Malware Database: v2016.02.14.01
Rootkit Database: v2016.02.08.01
License: Free
Malware Protection: Disabled
Malicious Website Protection: Disabled
Self-protection: Disabled

OS: Windows Vista Service Pack 2
CPU: x64
File System: NTFS
User: RS

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 361963
Time Elapsed: 18 min, 11 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled

Processes: 0
(No malicious items detected)

Modules: 0
(No malicious items detected)

Registry Keys: 0
(No malicious items detected)

Registry Values: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Folders: 0
(No malicious items detected)

Files: 0
(No malicious items detected)

Physical Sectors: 0
(No malicious items detected)


(end)

 

 

Farbar Service Scanner Version: 27-01-2016
Ran by RS (administrator) on 13-02-2016 at 19:11:04
Running from "C:\Users\RS\Desktop"
Microsoft® Windows Vista™ Home Premium  Service Pack 2 (X64)
Boot Mode: Normal
****************************************************************

Internet Services:
============

Connection Status:
==============
Localhost is accessible.
LAN connected.
Attempt to access Google IP returned error. Google IP is unreachable
Google.com is accessible.
Yahoo.com is accessible.


Windows Firewall:
=============

Firewall Disabled Policy:
==================
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall"=DWORD:0


System Restore:
============

System Restore Policy:
========================


Security Center:
============


Windows Update:
============

Windows Autoupdate Disabled Policy:
============================


Windows Defender:
==============
WinDefend Service is not running. Checking service configuration:
The start type of WinDefend service is set to Demand. The default start type is Auto.
The ImagePath of WinDefend service is OK.
The ServiceDll of WinDefend service is OK.


Windows Defender Disabled Policy:
==========================
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender]
"DisableAntiSpyware"=DWORD:1


Other Services:
==============


File Check:
========
C:\Windows\System32\nsisvc.dll => File is digitally signed
C:\Windows\System32\drivers\nsiproxy.sys => File is digitally signed
C:\Windows\System32\dhcpcsvc.dll => File is digitally signed
C:\Windows\System32\drivers\afd.sys => File is digitally signed
C:\Windows\System32\drivers\tdx.sys => File is digitally signed
C:\Windows\System32\Drivers\tcpip.sys => File is digitally signed
C:\Windows\System32\dnsrslvr.dll => File is digitally signed
C:\Windows\System32\dnsapi.dll => File is digitally signed
C:\Windows\SysWOW64\dnsapi.dll => File is digitally signed
C:\Windows\System32\mpssvc.dll => File is digitally signed
C:\Windows\System32\bfe.dll => File is digitally signed
C:\Windows\System32\drivers\mpsdrv.sys => File is digitally signed
C:\Windows\System32\SDRSVC.dll => File is digitally signed
C:\Windows\System32\vssvc.exe => File is digitally signed
C:\Windows\System32\wscsvc.dll => File is digitally signed
C:\Windows\System32\wbem\WMIsvc.dll => File is digitally signed
C:\Windows\System32\wuaueng.dll => File is digitally signed
C:\Windows\System32\qmgr.dll => File is digitally signed
C:\Windows\System32\es.dll => File is digitally signed
C:\Windows\System32\cryptsvc.dll => File is digitally signed
C:\Program Files\Windows Defender\MpSvc.dll => File is digitally signed
C:\Windows\System32\svchost.exe => File is digitally signed
C:\Windows\System32\rpcss.dll => File is digitally signed


**** End of log ****
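The Rkill and FSS logs above both report Windows Defender switched off by policy ("DisableAntiSpyware" = 1), the firewall's StandardProfile disabled ("EnableFirewall" = 0) and the WinDefend service set to Manual and stopped. As an added example, not from the thread or from either tool, this PowerShell script re-reads those same registry values and the service state so the fix can be confirmed after cleanup; the check labels and the extension to the Domain and Public firewall profiles are my own assumptions.

```powershell
# Added example (not from the thread or from Rkill/FSS): re-check the policy
# values those logs reported, plus the WinDefend service. Run elevated on Windows.

function Test-SecurityPolicyState {
    # Registry paths exactly as quoted in the Rkill and FSS output above.
    $defenderKey = 'HKLM:\SOFTWARE\Microsoft\Windows Defender'
    $fwBase      = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy'
    $results     = @()

    # Rkill/FSS showed "DisableAntiSpyware" = 1 (Defender switched off by policy).
    # A healthy box has the value absent or 0.
    $def = Get-ItemProperty -Path $defenderKey -ErrorAction SilentlyContinue
    $das = $null
    if ($def -and $def.PSObject.Properties['DisableAntiSpyware']) { $das = [int]$def.DisableAntiSpyware }
    $dasShown = '<absent>'
    if ($null -ne $das) { $dasShown = $das }
    $results += New-Object PSObject -Property @{
        Check    = 'Defender DisableAntiSpyware policy'
        Value    = $dasShown
        Expected = '0 or absent'
        OK       = ($null -eq $das) -or ($das -eq 0)
    }

    # The logs only listed StandardProfile ("EnableFirewall" = 0). The Domain and
    # Public profiles sit under the same key with the same value name, so all three
    # are checked here (my extension, not something the logs showed).
    foreach ($profile in 'DomainProfile', 'StandardProfile', 'PublicProfile') {
        $fw = Get-ItemProperty -Path "$fwBase\$profile" -ErrorAction SilentlyContinue
        $ef = $null
        if ($fw -and $fw.PSObject.Properties['EnableFirewall']) { $ef = [int]$fw.EnableFirewall }
        $efShown = '<absent>'
        if ($null -ne $ef) { $efShown = $ef }
        $results += New-Object PSObject -Property @{
            Check    = "Firewall $profile EnableFirewall"
            Value    = $efShown
            Expected = '1 or absent'
            OK       = ($null -eq $ef) -or ($ef -eq 1)
        }
    }

    # FSS reported WinDefend start type "Demand" (Manual) and not running; default is Auto.
    # Win32_Service is used instead of Get-Service so the start mode is also readable
    # on Vista-era PowerShell.
    $svc = Get-WmiObject -Class Win32_Service -Filter "Name='WinDefend'" -ErrorAction SilentlyContinue
    $svcShown = '<not installed>'
    if ($svc) { $svcShown = "$($svc.StartMode)/$($svc.State)" }
    $results += New-Object PSObject -Property @{
        Check    = 'WinDefend service'
        Value    = $svcShown
        Expected = 'Auto/Running'
        OK       = ($null -ne $svc) -and ($svc.StartMode -eq 'Auto') -and ($svc.State -eq 'Running')
    }
    return $results
}

# Print a pass/fail table; any row with OK = False matches what the logs flagged.
Test-SecurityPolicyState | Format-Table Check, Value, Expected, OK -AutoSize
```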



#10 Jo*


Posted 14 February 2016 - 11:11 AM

Hello again,

:step1: We need to download Temp File Cleaner (TFC) by OldTimer:
  • Please download TFC.exe by Oldtimer at one of the two links: Link 1 Link 2
  • Save and close all running applications
  • Double-click on TFC.exe to run the program
  • Click on Start to begin the cleaning process. Note: this program may close running applications, make your screen disappear temporarily, or require a reboot of your PC; this is normal and part of the cleanup.
  • When the scan is complete, if you were not asked to reboot the computer, please do so now
More Information can be found about the tool here:
http://www.geekstogo.com/forum/files/file/187-tfc-temp-file-cleaner-by-oldtimer/



***


:step2: ESET Online Scanner
  • Click here to download the installer for ESET Online Scanner and save it to your Desktop.
  • Disable all your antivirus and antimalware software - see how to do that here.
  • Right click on esetsmartinstaller_enu.exe and select Run as Administrator.
  • Place a checkmark in YES, I accept the Terms of Use, then click Start. Wait for ESET Online Scanner to load its components.
  • Select Enable detection of potentially unwanted applications.
  • Click Advanced Settings, then place a checkmark in the following:
    • Remove found threats
    • Scan archives
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth technology
  • Click Start to begin scanning.
  • ESET Online Scanner will start downloading signatures and scan. Please be patient, as this scan can take quite some time.
  • When the scan is done, click List threats (only available if ESET Online Scanner found something).
  • Click Export, then save the file to your desktop.
  • Click Back, then Finish to exit ESET Online Scanner.
Open the scan log and copy and paste the content to your next reply.
 

***


:step3: How is the computer running now?


***


Graduate of the WTT Classroom
Cheers,
Jo
If I have been helping you, and I have not replied to your latest post in 36 hours please send me a PM.


#11 Bluelighter


Posted 15 February 2016 - 12:09 AM

TFC run and completed.

 

 

ESET

C:\Program Files (x86)\Dell DataSafe Local Backup\hstart.exe    a variant of Win32/HiddenStart.A potentially unsafe application    cleaned by deleting
C:\Program Files (x86)\Dell DataSafe Local Backup\Components\DSUpdate\hstart.exe    a variant of Win32/HiddenStart.A potentially unsafe application    cleaned by deleting

 

 

Computer is running fine. I have not had another unknown device detected since you began helping me.
 



#12 Jo*


Posted 15 February 2016 - 04:58 AM

It Appears That Your Pc Is Now Clean!


***


Clean up:


***


Right-click AdwCleaner.exe and select Run As Administrator.
  • Click on the Uninstall button.
  • A window will open, press the Confirm button.
  • AdwCleaner will uninstall now.

***


Clean up with delfix:
  • please download delfix to your desktop.
  • Close all other programs and start delfix.
  • Please check all the boxes and run the tool.
  • delfix will now delete all found traces of our removal process

***


Delete the log files our tools created; they are located at your desktop or at the
"c:\users\{.......}\Downloads" folder.
Highlight them, and press the del or delete key on the keyboard.
You can browse to the location of the file or folder using either My Computer or Windows Explorer.


***


Here are some Preventive tips to reduce the potential for spyware infection in the future

:step1: Browse more securely.
:step2: Make sure you keep your Windows OS current.
  • Windows XP users can visit Windows update regularly to download and install any critical updates and service packs.
  • Windows Vista / 7 / 8 users can update via
    Start menu > All Programs > Windows Update > Check for Updates (in left hand task pane).
:step3: Avoid P2P
  • If you think you're using a "safe" P2P program, only the program is safe, not the data.
  • You will share files from unsafe sources, and these may be infected.
  • Some bad guys use P2P filesharing as an important channel to spread their wares.
:step4: Use only one anti-virus software and keep it up-to-date.

:step5: Firewall
Without a firewall your computer is susceptible to being hacked and taken over. I am very serious about this and see it happen almost every day with my clients. Simply using a Firewall in its default configuration can lower your risk greatly.

:step6: Backup regularly
You never know when your PC will become unstable or become so infected that you can't recover it.

:step7: Use Strong passwords!

:step8: Email attachments
Do not open any unknown email attachments that you received without asking for them!


Extra note:
Keep your Browser, Java, pdf Reader and Adobe Flash Up to Date.
And you could install Malwarebytes Anti-Exploit to run alongside your traditional anti-virus or anti-malware products.

Make sure your programs are up to date - because older versions may contain Security Leaks.

Graduate of the WTT Classroom
Cheers,
Jo
If I have been helping you, and I have not replied to your latest post in 36 hours please send me a PM.


#13 Bluelighter


Posted 16 February 2016 - 09:43 AM

Thank you.  Sorry for the late reply. I will be finishing up tonight.



