Help requested removing win32:aluroot-b


This topic is locked
9 replies to this topic

#1 davidsouren


Posted 12 February 2016 - 04:10 PM

Hello Forum Members,

I'm looking for assistance in removing a rootkit identified by Avast Endpoint Protection as win32:aluroot-b.

Avast "sees" the rootkit as a memory-resident threat that it recognizes, but can't identify the source or move it to the virus chest. Malwarebytes doesn't recognize it, and even though Microsoft claims it can be removed by their Security Essentials, it was still present after a scan. I've done a little searching and have followed suggestions to delete the system restore points, but it still comes back. I know I can simply wipe the system and start again, but in my environment that means almost three days reloading the system and apps and updating it to current levels, so I'm hoping someone can suggest a method to remove it manually or with a proven software product.

I've attached the two logs generated by FRST, and will greatly appreciate any advice that the members can give me.

Regards,

Dave Souren

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version:07-02-2016
Ran by Administrator (administrator) on ENS30767 (11-02-2016 16:45:44)
Running from C:\Users\Administrator\Desktop
Loaded Profiles: Administrator (Available Profiles: marior & mrodriguez & minliu & dsouren & renkel & Administrator)
Platform: Microsoft Windows 7 Enterprise  Service Pack 1 (X86) Language: English (United States)
Internet Explorer Version 11 (Default browser: IE)
Boot Mode: Normal
 
==================== Processes (Whitelisted) =================
 
(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)
 
(Avast Software s.r.o.) C:\Program Files\AVAST Software\Avast Business\AvastSvc.exe
(Dell Inc.) C:\Program Files\Dell\KACE\AMPAgent.exe
(Dell Inc.) C:\Program Files\Dell\KACE\AMPWatchDog.exe
() C:\Program Files\Dell\KACE\konea.exe
(Avast Software s.r.o.) C:\Program Files\AVAST Software\Avast Business\AvastUI.exe
(Mozilla Corporation) C:\Program Files\Mozilla Firefox\firefox.exe
(Mozilla Corporation) C:\Program Files\Mozilla Firefox\plugin-container.exe
(Adobe Systems, Inc.) C:\Windows\System32\Macromed\Flash\FlashPlayerPlugin_20_0_0_306.exe
(Adobe Systems, Inc.) C:\Windows\System32\Macromed\Flash\FlashPlayerPlugin_20_0_0_306.exe
 
 
==================== Registry (Whitelisted) ===========================
 
(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)
 
HKLM\...\Run: [avast] => C:\Program Files\AVAST Software\Avast Business\avastUI.exe [4767704 2015-12-08] (Avast Software s.r.o.)
HKLM\...\Winlogon: [Userinit] C:\Windows\system32\KUsrInit.exe,
ShellIconOverlayIdentifiers: [00avast] -> {472083B0-C522-11CF-8763-00608CC02F24} => C:\Program Files\AVAST Software\Avast Business\ashShell.dll [2015-12-08] (Avast Software s.r.o.)
Startup: C:\Users\renkel\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dropbox.lnk [2015-12-12]
ShortcutTarget: Dropbox.lnk -> C:\Users\Administrator\AppData\Roaming\Dropbox\bin\Dropbox.exe (No File)
 
==================== Internet (Whitelisted) ====================
 
(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)
 
Tcpip\Parameters: [DhcpNameServer] 172.17.10.150 172.17.10.151 128.6.1.1
Tcpip\..\Interfaces\{72433D03-3C5E-4CFA-9DF1-B67AA83C546B}: [DhcpNameServer] 172.17.10.150 172.17.10.151 128.6.1.1
 
Internet Explorer:
==================
HKU\S-1-5-21-2264800226-3071125026-2465440567-500\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://msn.com/
BHO: Skype for Business Browser Helper -> {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} -> C:\Program Files\Microsoft Office\Office15\OCHelper.dll [2016-01-12] (Microsoft Corporation)
BHO: avast! Online Security -> {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} -> C:\Program Files\AVAST Software\Avast Business\aswWebRepIE.dll [2015-12-08] (Avast Software s.r.o.)
BHO: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files\Microsoft Office\Office15\URLREDIR.DLL [2014-01-23] (Microsoft Corporation)
Toolbar: HKLM - avast! Online Security - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast Business\aswWebRepIE.dll [2015-12-08] (Avast Software s.r.o.)
Handler: osf - {D924BDC6-C83A-4BD5-90D0-095128A113D1} - C:\Program Files\Microsoft Office\Office15\MSOSB.DLL [2015-02-17] (Microsoft Corporation)
 
FireFox:
========
FF ProfilePath: C:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\864yyodt.default
FF Homepage: msn.com
FF Plugin: @adobe.com/FlashPlayer -> C:\Windows\system32\Macromed\Flash\NPSWF32_20_0_0_306.dll [2016-02-10] ()
FF Plugin: @cambridgesoft.com/Chem3D,version=15.0 -> C:\Program Files\CambridgeSoft\ChemOffice2015\Chem3D\npChem3DPlugin.dll [2015-03-14] (PerkinElmer)
FF Plugin: @cambridgesoft.com/ChemDraw,version=15.0 -> C:\Program Files\CambridgeSoft\ChemOffice2015\ChemDraw\npcdp32.dll [2015-03-14] (PerkinElmer)
FF Plugin: @microsoft.com/Lync,version=15.0 -> C:\Program Files\Mozilla Firefox\plugins\npmeetingjoinpluginoc.dll [2015-11-18] (Microsoft Corporation)
FF Plugin: @microsoft.com/SharePoint,version=14.0 -> C:\PROGRA~1\MICROS~1\Office15\NPSPWRAP.DLL [2014-01-23] (Microsoft Corporation)
FF Plugin: Adobe Reader -> C:\Program Files\Adobe\Acrobat Reader DC\Reader\AIR\nppdf32.dll [2015-12-18] (Adobe Systems Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\npMeetingJoinPluginOC.dll [2015-11-18] (Microsoft Corporation)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\nppdf32.dll [2015-12-18] (Adobe Systems Inc.)
FF HKLM\...\Firefox\Extensions: [wrc@avast.com] - C:\Program Files\AVAST Software\Avast Business\WebRep\FF
FF Extension: avast! WebRep - C:\Program Files\AVAST Software\Avast Business\WebRep\FF [2016-01-12] [not signed]
 
==================== Services (Whitelisted) ========================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
R2 AMPAgent; C:\Program Files\Dell\KACE\AMPAgent.exe [3883136 2015-06-17] (Dell Inc.)
R2 AMPWatchDog; C:\Program Files\Dell\KACE\AMPWatchDog.exe [3045504 2015-06-17] (Dell Inc.)
R2 avast! Antivirus; C:\Program Files\AVAST Software\Avast Business\AvastSvc.exe [45648 2015-12-08] (Avast Software s.r.o.)
R2 konea; C:\Program Files\Dell\KACE\konea.exe [7144960 2015-06-17] () [File not signed]
R2 Net Driver HPZ12; C:\Windows\system32\HPZinw12.dll [45568 2013-05-16] (Hewlett-Packard) [File not signed]
R2 Pml Driver HPZ12; C:\Windows\system32\HPZipm12.dll [55808 2013-05-16] (Hewlett-Packard) [File not signed]
R2 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [680960 2013-05-26] (Microsoft Corporation)
 
===================== Drivers (Whitelisted) ==========================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
R2 aswMonFlt; C:\Windows\system32\drivers\aswMonFlt.sys [67248 2015-12-08] (Avast Software s.r.o.)
R1 aswRdr; C:\Windows\System32\Drivers\aswrdr2.sys [61056 2015-12-08] (Avast Software s.r.o.)
R0 aswRvrt; C:\Windows\system32\Drivers\aswRvrt.sys [49648 2015-12-08] ()
R1 aswSnx; C:\Windows\system32\Drivers\aswSnx.sys [774864 2015-12-08] (Avast Software s.r.o.)
R1 aswSP; C:\Windows\system32\Drivers\aswSP.sys [412336 2015-12-08] (Avast Software s.r.o.)
R1 aswTdi; C:\Windows\system32\Drivers\aswTdi.sys [63184 2015-12-08] (Avast Software s.r.o.)
R0 aswVmm; C:\Windows\system32\Drivers\aswVmm.sys [175576 2015-12-08] ()
S3 VGPU; System32\drivers\rdvgkmd.sys [X]
 
==================== NetSvcs (Whitelisted) ===================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
 
==================== One Month Created files and folders ========
 
(If an entry is included in the fixlist, the file/folder will be moved.)
 
 
==================== One Month Modified files and folders ========
 
(If an entry is included in the fixlist, the file/folder will be moved.)
 
 
==================== Files in the root of some directories =======
 
2016-02-11 11:50 - 2016-02-11 11:50 - 0007606 _____ () C:\Users\Administrator\AppData\Local\Resmon.ResmonCfg
 
Some files in TEMP:
====================
C:\Users\Administrator\AppData\Local\Temp\ose00000.exe
C:\Users\renkel\AppData\Local\Temp\dropbox_sqlite_ext.{5f3e3153-5bce-5766-8f84-3e3e7ecf0d81}.tmprszkug.dll
C:\Users\renkel\AppData\Local\Temp\Risweb32.exe
 
 
==================== Bamital & volsnap =================
 
(There is no automatic fix for files that do not pass verification.)
 
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\system32\winlogon.exe => File is digitally signed
C:\Windows\system32\wininit.exe => File is digitally signed
C:\Windows\system32\svchost.exe => File is digitally signed
C:\Windows\system32\services.exe => File is digitally signed
C:\Windows\system32\User32.dll => File is digitally signed
C:\Windows\system32\userinit.exe => File is digitally signed
C:\Windows\system32\rpcss.dll => File is digitally signed
C:\Windows\system32\dnsapi.dll => File is digitally signed
C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed
 
 
LastRegBack: 2016-02-08 08:33
 
==================== End of FRST.txt ============================
 
Additional scan result of Farbar Recovery Scan Tool (x86) Version:07-02-2016
Ran by Administrator (2016-02-11 16:46:30)
Running from C:\Users\Administrator\Desktop
Microsoft Windows 7 Enterprise  Service Pack 1 (X86) (2014-07-21 18:44:54)
Boot Mode: Normal
==========================================================
 
 
==================== Accounts: =============================
 
Administrator (S-1-5-21-2264800226-3071125026-2465440567-500 - Administrator - Enabled) => C:\Users\Administrator
Guest (S-1-5-21-2264800226-3071125026-2465440567-501 - Limited - Disabled)
 
==================== Security Center ========================
 
(If an entry is included in the fixlist, it will be removed.)
 
AS: Windows Defender (Enabled - Out of date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
 
==================== Installed Programs ======================
 
(Only the adware programs with "Hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)
 
32 Bit HP CIO Components Installer (Version: 15.1.1 - Hewlett-Packard) Hidden
Adobe Acrobat Reader DC (HKLM\...\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}) (Version: 15.010.20056 - Adobe Systems Incorporated)
Adobe Flash Player 20 ActiveX (HKLM\...\Adobe Flash Player ActiveX) (Version: 20.0.0.306 - Adobe Systems Incorporated)
Adobe Flash Player 20 NPAPI (HKLM\...\Adobe Flash Player NPAPI) (Version: 20.0.0.306 - Adobe Systems Incorporated)
avast! Endpoint Protection Suite (HKLM\...\avast) (Version: 8.0.1606.0 - AVAST Software)
Dell KACE Agent (Version: 6.4.180 - Dell Inc.) Hidden
EndNote X7 (HKLM\...\{86B3F2D6-AC2B-0017-8AE1-F2F77F781B0C}) (Version: 17.2.1.8311 - Thomson Reuters)
Microsoft .NET Framework 4 Client Profile (HKLM\...\Microsoft .NET Framework 4 Client Profile) (Version: 4.0.30319 - Microsoft Corporation)
Microsoft .NET Framework 4 Extended (HKLM\...\Microsoft .NET Framework 4 Extended) (Version: 4.0.30319 - Microsoft Corporation)
Microsoft Office Professional Plus 2013 (HKLM\...\Office15.PROPLUS) (Version: 15.0.4569.1506 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (HKLM\...\{9BE518E6-ECC6-35A9-88E4-87755C07200F}) (Version: 9.0.30729.6161 - Microsoft Corporation)
Microsoft Visual C++ 2010  x86 Redistributable - 10.0.40219 (HKLM\...\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}) (Version: 10.0.40219 - Microsoft Corporation)
Microsoft Visual Studio 2010 Tools for Office Runtime (x86) (HKLM\...\Microsoft Visual Studio 2010 Tools for Office Runtime (x86)) (Version: 10.0.50903 - Microsoft Corporation)
Mozilla Firefox 43.0.4 (x86 en-US) (HKLM\...\Mozilla Firefox 43.0.4 (x86 en-US)) (Version: 43.0.4 - Mozilla)
Mozilla Maintenance Service (HKLM\...\MozillaMaintenanceService) (Version: 43.0.4.5848 - Mozilla)
Outils de vérification linguistique 2013 de Microsoft Office - Français (Version: 15.0.4569.1506 - Microsoft Corporation) Hidden
PerkinElmer ChemOffice Professional 2015 (HKLM\...\{83DBA37B-B24C-431B-9D7B-8331D28A067C}) (Version: 15.0 - PerkinElmer Informatics, Inc.)
PerkinElmer ChemScript 15.0 (HKLM\...\{2623D946-2CA9-4E69-A6C1-DDFA46C87EFF}) (Version: 15.0 - PerkinElmer Informatics, Inc.)
Python 3.2.2 (HKLM\...\{4CDE3168-D060-4b7c-BC74-4D8F9BB01AFD}) (Version: 3.2.2150 - Python Software Foundation)
ResearchSoft Direct Export Helper (HKLM\...\ResearchSoft Direct Export Helper) (Version:  - Thomson Reuters)
Service Pack 1 for Microsoft Office 2013 (KB2850036) 32-Bit Edition (HKLM\...\{90150000-0011-0000-0000-0000000FF1CE}_Office15.PROPLUS_{7F6C4883-A18C-459A-82C1-A2F9403F2DA6}) (Version:  - Microsoft)
Update for Skype for Business 2015 (KB3039776) 32-Bit Edition (HKLM\...\{90150000-012B-0409-0000-0000000FF1CE}_Office15.PROPLUS_{9F6B3627-AF9E-40A5-AAD5-3497C4327616}) (Version:  - Microsoft)
Update for Skype for Business 2015 (KB3114732) 32-Bit Edition (HKLM\...\{90150000-0011-0000-0000-0000000FF1CE}_Office15.PROPLUS_{7B0DFC04-44CB-436D-9366-01D93383940D}) (Version:  - Microsoft)
Update for Skype for Business 2015 (KB3114732) 32-Bit Edition (HKLM\...\{90150000-012B-0409-0000-0000000FF1CE}_Office15.PROPLUS_{7B0DFC04-44CB-436D-9366-01D93383940D}) (Version:  - Microsoft)
 
==================== Custom CLSID (Whitelisted): ==========================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
 
==================== Scheduled Tasks (Whitelisted) =============
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
Task: {03D93866-A120-4768-ABE1-957D3704A440} - System32\Tasks\DropboxUpdateTaskUserS-1-5-21-1444835656-916386692-171291520-6692Core => C:\Users\renkel\AppData\Local\Dropbox\Update\DropboxUpdate.exe [2015-06-16] (Dropbox, Inc.)
Task: {169100E2-430E-4B63-9F40-4E46A1D82244} - System32\Tasks\Adobe Flash Player Updater => C:\Windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2016-02-10] (Adobe Systems Incorporated)
Task: {244F63BE-24CF-4194-90DA-A9D534851CB1} - System32\Tasks\AVAST Software\Avast settings backup => C:\Program Files\Common Files\AV\avast! Antivirus\backup.exe [2015-08-25] (AVAST Software)
Task: {27FF47A6-08A5-4F80-B8C1-93024DF9E145} - System32\Tasks\DropboxUpdateTaskUserS-1-5-21-1444835656-916386692-171291520-6692UA => C:\Users\renkel\AppData\Local\Dropbox\Update\DropboxUpdate.exe [2015-06-16] (Dropbox, Inc.)
Task: {68664DCA-21E3-4263-857B-A3C738CEA85D} - System32\Tasks\Adobe Acrobat Update Task => C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe [2015-12-14] (Adobe Systems Incorporated)
Task: {A9B86926-6D22-4B93-B789-C3605AC40BA8} - System32\Tasks\Microsoft\Office\OfficeTelemetryAgentFallBack => C:\Program Files\Microsoft Office\Office15\msoia.exe [2014-01-23] (Microsoft Corporation)
Task: {C817C7CB-7907-4223-918B-3F489C370E93} - System32\Tasks\avast! Emergency Update => C:\Program Files\AVAST Software\Avast Business\AvastEmUpdate.exe [2015-12-08] (Avast Software s.r.o.)
Task: {E49E7D61-25F5-4D29-9F8A-B34E6A721CE8} - System32\Tasks\Microsoft\Office\OfficeTelemetryAgentLogOn => C:\Program Files\Microsoft Office\Office15\msoia.exe [2014-01-23] (Microsoft Corporation)
Task: {F593DA63-48D8-4B81-A422-26D6E74CCC2E} - System32\Tasks\Microsoft\Office\Office 15 Subscription Heartbeat => C:\Program Files\Common Files\Microsoft Shared\Office15\OLicenseHeartbeat.exe [2014-01-23] (Microsoft Corporation)
 
(If an entry is included in the fixlist, the task (.job) file will be moved. The file which is running by the task will not be moved.)
 
Task: C:\Windows\Tasks\Adobe Flash Player Updater.job => C:\Windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe
Task: C:\Windows\Tasks\DropboxUpdateTaskUserS-1-5-21-1444835656-916386692-171291520-6692Core.job => C:\Users\renkel\AppData\Local\Dropbox\Update\DropboxUpdate.exe
Task: C:\Windows\Tasks\DropboxUpdateTaskUserS-1-5-21-1444835656-916386692-171291520-6692UA.job => C:\Users\renkel\AppData\Local\Dropbox\Update\DropboxUpdate.exe
 
==================== Shortcuts =============================
 
(The entries could be listed to be restored or removed.)
 
ShortcutWithArgument: C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Rutgers, The State University of New Jersey\Rutgers Volume Activation Site.lnk -> C:\Program Files\Internet Explorer\iexplore.exe (Microsoft Corporation) -> hxxp://mssg.rutgers.edu/volumeactivation
 
==================== Loaded Modules (Whitelisted) ==============
 
2016-02-11 12:41 - 2016-02-11 11:21 - 02832384 _____ () C:\Program Files\AVAST Software\Avast Business\defs\16021101\algo.dll
2015-06-17 13:03 - 2015-06-17 13:03 - 07144960 _____ () C:\Program Files\Dell\KACE\konea.exe
2016-02-10 10:43 - 2016-02-10 10:43 - 17891008 _____ () C:\Windows\system32\Macromed\Flash\NPSWF32_20_0_0_306.dll
 
==================== Alternate Data Streams (Whitelisted) =========
 
(If an entry is included in the fixlist, only the ADS will be removed.)
 
 
==================== Safe Mode (Whitelisted) ===================
 
(If an entry is included in the fixlist, it will be removed from the registry. The "AlternateShell" value will be restored.)
 
 
==================== EXE Association (Whitelisted) ===============
 
(If an entry is included in the fixlist, the registry item will be restored to default or removed.)
 
 
==================== Internet Explorer trusted/restricted ===============
 
(If an entry is included in the fixlist, it will be removed from the registry.)
 
 
==================== Hosts content: ===============================
 
(If needed Hosts: directive could be included in the fixlist to reset Hosts.)
 
2009-07-13 21:04 - 2009-06-10 16:39 - 00000824 ____A C:\Windows\system32\Drivers\etc\hosts
 
 
==================== Other Areas ============================
 
(Currently there is no automatic fix for this section.)
 
HKU\S-1-5-21-2264800226-3071125026-2465440567-500\Control Panel\Desktop\\Wallpaper -> C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Themes\TranscodedWallpaper.jpg
DNS Servers: 172.17.10.150 - 172.17.10.151
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System => (ConsentPromptBehaviorAdmin: 5) (ConsentPromptBehaviorUser: 3) (EnableLUA: 1)
Windows Firewall is enabled.
 
==================== MSCONFIG/TASK MANAGER disabled items ==
 
(Currently there is no automatic fix for this section.)
 
 
==================== FirewallRules (Whitelisted) ===============
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
FirewallRules: [SPPSVC-In-TCP] => (Allow) %SystemRoot%\system32\sppsvc.exe
FirewallRules: [SPPSVC-In-TCP-NoScope] => (Allow) %SystemRoot%\system32\sppsvc.exe
FirewallRules: [{FE41980A-F21A-4DC2-A905-F9B229D5F3B5}] => (Allow) C:\Program Files\Microsoft Office\Office15\lync.exe
FirewallRules: [{828A7C87-2DC7-4C58-BDB9-DFEF54EEEAAC}] => (Allow) C:\Program Files\Microsoft Office\Office15\lync.exe
FirewallRules: [{3A90726E-F9FF-4C6F-A198-A76A25D8A6F0}] => (Allow) C:\Program Files\Microsoft Office\Office15\UcMapi.exe
FirewallRules: [{F26048EC-334D-4A6B-8C22-1DD0815C4C50}] => (Allow) C:\Program Files\Microsoft Office\Office15\UcMapi.exe
FirewallRules: [{3AFB12EB-E647-46CC-A4BD-16A8A3BB208D}] => (Allow) C:\Program Files\Mozilla Firefox\firefox.exe
FirewallRules: [{9FCD8C07-43E5-4186-84C1-20BBB4D8FBFB}] => (Allow) C:\Program Files\Mozilla Firefox\firefox.exe
FirewallRules: [{7D02D26A-66C4-47FD-B128-B6443EF69105}] => (Allow) C:\Program Files\Mozilla Firefox\firefox.exe
FirewallRules: [{10D1B8C4-662A-4B8F-B983-55180EF92DE8}] => (Allow) C:\Program Files\Mozilla Firefox\firefox.exe
FirewallRules: [{3F2E189C-7FB3-4D65-8F28-4215815A66B6}] => (Allow) C:\Windows\Microsoft.NET\Framework\v4.0.30319\SMSvcHost.exe
 
==================== Restore Points =========================
 
09-02-2016 14:04:48 Windows Update
11-02-2016 11:36:21 Windows Update
 
==================== Faulty Device Manager Devices =============
 
 
==================== Event log errors: =========================
 
Application errors:
==================
Error: (02/11/2016 03:51:23 PM) (Source: Application Hang) (EventID: 1002) (User: )
Description: The program iexplore.exe version 11.0.9600.18205 stopped interacting with Windows and was closed. To see if more information about the problem is available, check the problem history in the Action Center control panel.
 
Process ID: ef8
 
Start Time: 01d1650dc5981aca
 
Termination Time: 0
 
Application Path: C:\Program Files\Internet Explorer\iexplore.exe
 
Report Id:
 
Error: (02/11/2016 03:49:57 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003
 
Error: (02/11/2016 02:55:29 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003
 
Error: (02/11/2016 11:32:39 AM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003
 
Error: (02/11/2016 11:07:06 AM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003
 
Error: (02/10/2016 01:53:04 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003
 
Error: (02/09/2016 02:03:21 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003
 
Error: (02/08/2016 07:50:02 AM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003
 
Error: (02/04/2016 08:26:36 AM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003
 
Error: (02/03/2016 04:44:43 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: EXCEL.EXE, version: 15.0.4787.1002, time stamp: 0x567a2cb1
Faulting module name: KERNELBASE.dll, version: 6.1.7601.18847, time stamp: 0x554d7b00
Exception code: 0xe0434352
Fault offset: 0x0000812f
Faulting process id: 0xb1c
Faulting application start time: 0xEXCEL.EXE0
Faulting application path: EXCEL.EXE1
Faulting module path: EXCEL.EXE2
Report Id: EXCEL.EXE3
 
 
System errors:
=============
Error: (02/11/2016 03:48:20 PM) (Source: BugCheck) (EventID: 1001) (User: )
Description: 0x000000f4 (0x00000003, 0x85d11790, 0x85d118fc, 0x82c5e5a0)C:\Windows\MEMORY.DMP021116-18439-01
 
Error: (02/11/2016 03:48:16 PM) (Source: EventLog) (EventID: 6008) (User: )
Description: The previous system shutdown at 3:46:45 PM on 2/11/2016 was unexpected.
 
Error: (02/11/2016 01:53:24 PM) (Source: Service Control Manager) (EventID: 7024) (User: )
Description: The Dell KACE One Agent service terminated with service-specific error %%2.
 
Error: (02/11/2016 11:31:13 AM) (Source: Microsoft-Windows-GroupPolicy) (EventID: 1055) (User: NT AUTHORITY)
Description: The processing of Group Policy failed. Windows could not resolve the computer name. This could be caused by one of more of the following: 
a) Name Resolution failure on the current domain controller. 
b) Active Directory Replication Latency (an account created on another domain controller has not replicated to the current domain controller).
 
Error: (02/11/2016 11:31:11 AM) (Source: NETLOGON) (EventID: 5719) (User: )
Description: This computer was not able to set up a secure session with a domain
controller in domain EOHSI due to the following: 
%%1311
 
This may lead to authentication problems. Make sure that this
computer is connected to the network. If the problem persists,
please contact your domain administrator.
 
 
 
ADDITIONAL INFO
 
If this computer is a domain controller for the specified domain, it
sets up the secure session to the primary domain controller emulator in the specified
domain. Otherwise, this computer sets up the secure session to any domain controller
in the specified domain.
 
Error: (02/11/2016 11:05:26 AM) (Source: Service Control Manager) (EventID: 7026) (User: )
Description: The following boot-start or system-start driver(s) failed to load: 
AFD
aswRdr
aswSnx
aswSP
aswTdi
aswVmm
CSC
DfsC
discache
NetBIOS
NetBT
nsiproxy
Psched
rdbss
spldr
tdx
Wanarpv6
WfpLwf
 
Error: (02/11/2016 11:05:26 AM) (Source: Service Control Manager) (EventID: 7001) (User: )
Description: The Network Location Awareness service depends on the Network Store Interface Service service which failed to start because of the following error: 
%%1068
 
Error: (02/11/2016 11:05:26 AM) (Source: Service Control Manager) (EventID: 7001) (User: )
Description: The SMB 2.0 MiniRedirector service depends on the SMB MiniRedirector Wrapper and Engine service which failed to start because of the following error: 
%%1068
 
Error: (02/11/2016 11:05:26 AM) (Source: Service Control Manager) (EventID: 7001) (User: )
Description: The SMB 1.x MiniRedirector service depends on the SMB MiniRedirector Wrapper and Engine service which failed to start because of the following error: 
%%1068
 
Error: (02/11/2016 11:05:26 AM) (Source: Service Control Manager) (EventID: 7001) (User: )
Description: The SMB MiniRedirector Wrapper and Engine service depends on the Redirected Buffering Sub Sysytem service which failed to start because of the following error: 
%%31
 
 
==================== Memory info =========================== 
 
Processor: Intel® Pentium® D CPU 3.20GHz
Percentage of memory in use: 44%
Total physical RAM: 2046.14 MB
Available physical RAM: 1145.68 MB
Total Virtual: 4092.28 MB
Available Virtual: 3041.5 MB
 
==================== Drives ================================
 
Drive c: () (Fixed) (Total:74.41 GB) (Free:24.71 GB) NTFS
 
==================== MBR & Partition Table ==================
 
========================================================
Disk: 0 (MBR Code: Windows 7 or 8) (Size: 74.5 GB) (Disk ID: 41AB2316)
Partition 1: (Active) - (Size=100 MB) - (Type=07 NTFS)
Partition 2: (Not Active) - (Size=74.4 GB) - (Type=07 NTFS)
 
==================== End of Addition.txt ============================

Attached Files


Edited by xXToffeeXx, 13 February 2016 - 08:03 AM.
Posted logs for ease~



 


#2 Sintharius (Bleepin' Sniper; Members; 5,639 posts; Gender: Female; Location: The Netherlands)

Posted 12 February 2016 - 05:29 PM

Welcome to Bleeping Computer's Malware Removal Logs area. My name is Sintharius. I will assist you with your problem.

Please allow me some time to review your logs and I will be back with instructions.

#3 Sintharius (Bleepin' Sniper; Members; 5,639 posts; Gender: Female; Location: The Netherlands)

Posted 13 February 2016 - 08:50 AM

Hello Dave,

Below are some rules that you will need to follow while receiving my assistance:
  • I am currently in training, so my responses might be delayed. I will generally reply within 48 hours - if this is not possible, I will let you know.
  • Please do not seek assistance elsewhere without letting me know, as "Too many cooks can spoil the soup".
  • Please do not run any tools without being instructed to, as this makes my job much harder in trying to figure out what you have done.
  • If you wish to do other interventions, please let me know. I will assist you if possible.
  • Make sure to read my instructions fully before attempting a step.
  • If you have problems or questions with any of the steps, feel free to ask me. I will be happy to answer any questions you have.
  • Please follow the topic by clicking on the Follow this topic button, and make sure a tick is in the receive notifications and is set to Instantly. Any replies should be made in this topic by clicking the Reply to this topic button.
  • Important information in my posts will often be in bold, make sure to take note of these.
  • I will bump a topic after 3 days of no activity, and then will give you another 2 days to reply before a topic is closed. Please inform me if you need more time.
  • Please stay with me until I have confirmed that you are clean. Absence of symptoms does not mean that the computer is clean.
  • If you do not agree with any of the above, please let me know so I can have this topic closed.

===

This machine is running Windows 7 Enterprise - it appears to be a corporate workstation.

Did you check in with the IT department? It would be best that they handle it since there could be local policies in place that I do not know of.

Let me know if you still wish to continue receiving assistance.


#4 davidsouren (Topic Starter; Members; 5 posts)

Posted 15 February 2016 - 04:31 PM

Hello, and thanks for your help!

 

Yes, I'm still working on this problem and will appreciate any help you can provide. The system is on a domain, and I have administrative rights and can work through any solution on the workstation. The only thing I've done since my first posting was I removed the Avast EndPoint Protection we normally use and scanned the system with Symantec and Microsoft Security Essentials to see if either one of them would see the problem and could eliminate it (neither saw it.) Avast initially discovered the problem during a weekly scan as a memory-resident threat, and it kept coming back several times after reboots.... now, Avast does not see it but I'm not convinced that it's actually gone. I have not done any registry-level modifications and the only other products I've used have been Malware Bytes and their beta rootkit eliminator.... neither of them saw the problem. I'm concerned about this particular threat, and have seen three separate incidents; two on domain systems, one on a personal laptop, and I'm having trouble determining where this is originally coming from because there's no common element between the infected systems.

 

Thanks again, and please let me know how you would suggest I proceed.

 

Regards,

 

Dave Souren



#5 Sintharius (Bleepin' Sniper; Members; 5,639 posts; Gender: Female; Location: The Netherlands)

Posted 18 February 2016 - 01:30 AM

Hello David, and my apologies for the delay.

 

Please do this.

 

ListParts in Recovery Environment

On a clean machine, please download ListParts and save it to a flash drive.
Note: You need to run the version compatible with your system. If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.

To enter System Recovery Options from the Advanced Boot Options:

  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  • Use the arrow keys to select the Repair your computer menu item.
  • Select US as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.

Note: In case you cannot enter System Recovery Options by using the F8 method, you can use a Windows installation disc, or make a repair disc. Any Windows installation disc or a repair disc made on another computer can be used.
To make a repair disc on Windows 7 consult: http://www.sevenforums.com/tutorials/2083-system-repair-disc-create.html




To enter System Recovery Options by using Windows installation disc:

  • Insert the installation disc.
  • Restart your computer.
  • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
  • Click Repair your computer.
  • Select US as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.

==========

On the System Recovery Options menu you will get the following options:

Startup Repair
System Restore
Windows Complete PC Restore
Windows Memory Diagnostic Tool
Command Prompt


Select Command Prompt

==========


Once in the Command Prompt:

  • In the command window type in notepad and press Enter.
  • The notepad opens. Under File menu select Open.
  • Select "Computer" and navigate to your flash drive.
  • Right click on ListParts and select Run as Administrator.
  • The tool will start to run.
  • Press Scan button.
  • It will make a log (Result.txt) on the flash drive. Please copy and paste it to your reply.


#6 davidsouren (Topic Starter; Members; 5 posts)

Posted 19 February 2016 - 04:10 PM

Hi Sintharius,

 

I've downloaded and run the Listparts application and have attached the Result file. This threat has some interesting symptoms..... it is not even seen by Symantec antivirus products and is recognized by Avast EndPoint Protection (our standard antivirus solution) as a memory-resident problem that is seen only once or twice (but obviously can't be removed if the root of the infection isn't seen) but after two or three scans the Avast no longer sees the rootkit unless it is uninstalled and reinstalled, which makes me think it's "intelligent" enough to fool Avast into thinking it's no longer present. What a pain!  The memory processes it takes over are csrsrv.dll and csrss.exe, both of which are critical processes that can only be quit by shutting down the system.

 

Thanks again for your assistance!

 

Regards,

 

Dave Souren

Attached Files
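The two files named in the post above, csrss.exe and csrsrv.dll, can be checked the same way FRST checks explorer.exe, winlogon.exe and the other files under "Bamital & volsnap": verify their Authenticode signature and record their hashes, which is also what a vendor case like the one opened with Avast needs. The PowerShell below is an added example and is not code from the thread or from FRST, Avast or ListParts; it assumes PowerShell 3.0 or later on a Windows 7 SP1 machine like the one in the logs and is run from an elevated prompt. The path list and the helper names (Get-Sha256, Test-CriticalFile) are this example's own choices.

```powershell
# Added example (not from the thread): signature status and SHA-256 of the
# files the post names, plus the ones FRST lists under "Bamital & volsnap".
# Requires PowerShell 3.0+; Get-FileHash (4.0+) is used when present, with a
# certutil fallback for older builds. Run from an elevated prompt.

$files = @(
    "$env:SystemRoot\System32\csrss.exe",
    "$env:SystemRoot\System32\csrsrv.dll",
    "$env:SystemRoot\explorer.exe",
    "$env:SystemRoot\System32\winlogon.exe",
    "$env:SystemRoot\System32\wininit.exe",
    "$env:SystemRoot\System32\svchost.exe",
    "$env:SystemRoot\System32\services.exe",
    "$env:SystemRoot\System32\Drivers\volsnap.sys"
)

function Get-Sha256 {
    param([string]$Path)
    if (Get-Command Get-FileHash -ErrorAction SilentlyContinue) {
        return (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
    }
    # certutil prints a header line, then the hex digest (byte-spaced on
    # older builds), then a footer; keep only the digest.
    $out = & certutil.exe -hashfile $Path SHA256
    return ($out[1] -replace '\s', '').ToUpper()
}

function Test-CriticalFile {
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) {
        return [pscustomobject]@{ Path = $Path; Status = 'Missing'; Signer = ''; SHA256 = '' }
    }
    $sig = Get-AuthenticodeSignature -FilePath $Path
    $signer = ''
    if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
    [pscustomobject]@{
        Path   = $Path
        Status = $sig.Status        # Valid, NotSigned, HashMismatch, ...
        Signer = $signer
        SHA256 = Get-Sha256 -Path $Path
    }
}

$report = $files | ForEach-Object { Test-CriticalFile -Path $_ }
$report | Format-Table -AutoSize

# A signed file whose signer is not Microsoft, or whose embedded signature no
# longer matches the file (HashMismatch), is the result worth escalating.
$suspect = $report | Where-Object {
    $_.Status -eq 'HashMismatch' -or
    ($_.Status -eq 'Valid' -and $_.Signer -notmatch 'Microsoft')
}
$suspect | Format-Table -AutoSize

# On Windows 7 most system binaries are catalog-signed rather than carrying an
# embedded signature, so NotSigned here is not by itself suspicious; confirm
# those against the Windows catalog with sfc before treating them as tampered.
foreach ($r in ($report | Where-Object { $_.Status -eq 'NotSigned' })) {
    & sfc.exe "/verifyfile=$($r.Path)"
}
```

Two points about reading the output. First, Get-AuthenticodeSignature only inspects an embedded signature, so on Windows 7 a NotSigned status for csrss.exe or csrsrv.dll is the normal case and the sfc /verifyfile pass (or Sysinternals sigcheck, which also consults the catalog) is the one that settles it; FRST's "File is digitally signed" lines come from a catalog-aware check. Second, any check run on the live system trusts the kernel to return the real file contents, which is exactly what a rootkit is designed to subvert; that is why the helper in this thread had ListParts run from the Recovery Environment, and the same SHA-256 values can be recomputed from the recovery command prompt with certutil and compared against the ones collected here.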



#7 Sintharius (Bleepin' Sniper; Members; 5,639 posts; Gender: Female; Location: The Netherlands)

Posted 23 February 2016 - 08:13 AM

Hello Dave,

My apologies for the delay - my instructor has ISP issues.

Your logs did not show any signs of malware. Considering that other scanners also did not turn up anything, I suspect this is a false positive from Avast.

Do you have any other questions?

#8 davidsouren (Topic Starter; Members; 5 posts)

Posted 23 February 2016 - 12:02 PM

Hello Sintharius,

 

Thank you very much for your assistance with this...... I have opened a case with Avast about this problem and can let you know the final outcome if you are interested. A false positive is always a possibility, but we've been using Avast for a number of years and have only had one incident that turned out to be a false positive and Avast immediately identified it as one when we contacted them. There is quite a bit of information on the web about win32:aluroot-b; some of it is several years old and there was no indication that it wasn't a real threat, but I've been supporting pc's for too long (over 35 years....my first pc was a Victor running CP/M) to say it can't be so.

 

Thanks again for your help.

 

Regards,

 

Dave Souren



#9 Sintharius (Bleepin' Sniper; Members; 5,639 posts; Gender: Female; Location: The Netherlands)

Posted 25 February 2016 - 03:54 AM

Hello David,

Please let us know about the results from Avast - it can help other people that search for similar problems later.

Please run one last tool to clean things up, and you are good to go.

Download DelFix from here and save it to your Desktop.

  • Close all running programs and start DelFix.
  • Make sure all available options are checked.
  • Click Run.
  • DelFix will remove most of the tools used during the cleaning process, purge all system restore points and create a new one, activate UAC (if you have it disabled) and restore settings changed by malware removal tools.

Safe computing practices

Best Practices for Safe Computing - Prevention of Malware Infection
How Malware Spreads - How did I get infected
About those Toolbars and Add-ons - Potentially Unwanted Programs (PUPs)

Please reply to this thread one more time so it can be closed. It has been a pleasure to help. 



#10 Elise (Bleepin' Blonde; Malware Study Hall Admin; 60,821 posts; Gender: Female; Location: Romania)

Posted 27 February 2016 - 01:49 PM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

 

Malware analyst @ Emsisoft





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users