Laptop w/XP - Malwarebytes reports rootkit gone, but having odd probs

126 replies to this topic

#1 drjon


Posted 21 February 2016 - 10:39 PM

I'm not certain of the means of infection (seems to have been a PDF which I've now deleted), but I seem to have picked up a Rootkit.

I ran Malwarebytes Rootkit and it picked up (Trojan.Agent), (Worm.AutoRun), (Trojan.SpyEyes) and (Hijack.Shell) [I can post that log if you want] and seemed to delete them.

However, I still seem to be having problems, and would very much appreciate having someone with experience review my situation. I have run a number of different rootkit detectors, and nothing's being detected, but I'm getting odd processes pop up in my Task Manager that don't seem to have parent processes and will not terminate. Processing seems to hang at times, after start-up, for a time. Enough suspicious activity that I'm worried things are still lurking.

Anyway, here's the FRST txt log (below) and the Addition file (attached). Thank you for your help!


Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version:21-02-2016 01
Ran by Manda (administrator) on ACER (22-02-2016 12:58:15)
Running from C:\Documents and Settings\Manda\Desktop
Loaded Profiles: Manda (Available Profiles: Manda & Work & Administrator)
Platform: Microsoft Windows XP Professional Service Pack 2 (X86) Language: English (United States)
Internet Explorer Version 8 (Default browser: FF)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(Check Point Software Technologies LTD) C:\Program Files\CheckPoint\ZoneAlarm\VSMON.EXE
(AVAST Software) C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
(Check Point Software Technologies) C:\Program Files\CheckPoint\ZAForceField\ISWSVC.EXE
(Check Point Software Technologies) C:\Program Files\CheckPoint\ZAForceField\ForceField.exe
(Synaptics, Inc.) C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
(Synaptics, Inc.) C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
(Realtek Semiconductor Corp.) C:\WINDOWS\SOUNDMAN.EXE
(Intel Corporation) C:\WINDOWS\System32\IGFXTRAY.EXE
(Intel Corporation) C:\WINDOWS\System32\HKCMD.EXE
(acer Inc.) C:\Acer\Empowering Technology\eRecovery\Monitor.exe
(OSA Technologies Inc.) C:\Acer\eManager\anbmServ.exe
(Check Point Software Technologies LTD) C:\Program Files\CheckPoint\ZoneAlarm\ZATRAY.EXE
(AVAST Software) C:\Program Files\Alwil Software\Avast5\AvastUI.exe
(Microsoft Corporation) C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
() C:\WINDOWS\System32\SantSvc.EXE
(Sysinternals - www.sysinternals.com) C:\Documents and Settings\Manda\Desktop\PROCEXP.EXE
(Mozilla Corporation) C:\Program Files\Mozilla Firefox\FIREFOX.EXE
(Microsoft Corporation) C:\WINDOWS\System32\wuauclt.exe
(Microsoft Corporation) C:\WINDOWS\System32\WBEM\unsecapp.exe
(Microsoft Corporation) C:\WINDOWS\System32\wuauclt.exe


==================== Registry (Whitelisted) ===========================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [SynTPLpr] => C:\Program Files\Synaptics\SynTP\SynTPLpr.exe [102490 2005-02-04] (Synaptics, Inc.)
HKLM\...\Run: [SynTPEnh] => C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [708698 2005-02-04] (Synaptics, Inc.)
HKLM\...\Run: [SoundMan] => C:\WINDOWS\SOUNDMAN.EXE [77824 2005-04-15] (Realtek Semiconductor Corp.)
HKLM\...\Run: [Preload] => C:\Windows\RUNXMLPL.exe [32768 2005-05-19] (Wistron)
HKLM\...\Run: [PHIME2002ASync] => C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE [455168 2004-08-04] (Microsoft Corporation)
HKLM\...\Run: [PHIME2002A] => C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE [455168 2004-08-04] (Microsoft Corporation)
HKLM\...\Run: [MSPY2002] => C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe [59392 2004-08-04] ()
HKLM\...\Run: [IMJPMIG8.1] => C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE [208952 2004-08-04] (Microsoft Corporation)
HKLM\...\Run: [eRecoveryService] => C:\Acer\Empowering Technology\eRecovery\Monitor.exe [385024 2005-10-31] (acer Inc.)
HKLM\...\Run: [ePowerManagement] => C:\Acer\ePM\ePM.exe [2889728 2005-10-26] (Acer Value Labs, Taiwan)
HKLM\...\Run: [CtrlVol] => C:\Program Files\Launch Manager\CtrlVol.exe [20480 2003-09-16] (Wistron)
HKLM\...\Run: [ZoneAlarm] => C:\Program Files\CheckPoint\ZoneAlarm\zatray.exe [73832 2013-03-27] (Check Point Software Technologies LTD)
HKLM\...\Run: [ISW] => C:\Program Files\CheckPoint\ZAForceField\ForceField.exe [738984 2012-11-23] (Check Point Software Technologies)
HKLM\...\Run: [AvastUI.exe] => C:\Program Files\Alwil Software\Avast5\AvastUI.exe [6108752 2015-12-02] (AVAST Software)
HKLM\...\Run: [MSConfig] => C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe [158208 2004-08-04] (Microsoft Corporation)
Winlogon\Notify\igfxcui: C:\WINDOWS\system32\igfxsrvc.dll [2005-01-23] (Intel Corporation)
HKU\S-1-5-21-909870766-1622110247-4080266991-1004\...\Run: [Google Update] => "C:\Documents and Settings\Manda\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
HKU\S-1-5-21-909870766-1622110247-4080266991-1004\...\MountPoints2: K - RECYCLERS\runmgr.exe
HKU\S-1-5-21-909870766-1622110247-4080266991-1004\...\MountPoints2: {0dada975-a460-11e5-9e1c-0014a45e6a35} - G:\Setup.exe
HKU\S-1-5-21-909870766-1622110247-4080266991-1004\...\MountPoints2: {150899e6-9b61-11e1-9dd4-0016ce4f1f8d} - H:\RunClubSanDisk.exe
HKU\S-1-5-21-909870766-1622110247-4080266991-1004\...\MountPoints2: {4cefa870-6edc-11e0-9da8-000ae4f68fc9} - G:\AutoRun.exe
HKU\S-1-5-21-909870766-1622110247-4080266991-1004\...\MountPoints2: {65fb319a-b4fb-11df-9d71-0016ce4f1f8d} - G:\AutoRun.exe
HKU\S-1-5-21-909870766-1622110247-4080266991-1004\...\MountPoints2: {81a0ce7e-b589-11dc-9bf8-0016ce4f1f8d} - F:\setupSNK.exe
HKU\S-1-5-21-909870766-1622110247-4080266991-1004\...\MountPoints2: {b670d766-b59a-11df-9d72-0016ce4f1f8d} - G:\AutoRun.exe
HKU\S-1-5-21-909870766-1622110247-4080266991-1004\...\MountPoints2: {b670d768-b59a-11df-9d72-0016ce4f1f8d} - H:\AutoRun.exe
HKU\S-1-5-21-909870766-1622110247-4080266991-1004\...\MountPoints2: {c919cbf4-9836-11e1-9dd3-0016ce4f1f8d} - G:\RunClubSanDisk.exe
HKU\S-1-5-21-909870766-1622110247-4080266991-1004\...\MountPoints2: {ceb9d8c8-645b-11de-9d10-0016ce4f1f8d} - F:\RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013\isi32.exe
HKU\S-1-5-18\...\RunOnce: [FlashPlayerUpdate] => C:\WINDOWS\system32\Macromed\Flash\FlashUtil11c_Plugin.exe -update plugin
ShellIconOverlayIdentifiers: [00avast] -> {472083B0-C522-11CF-8763-00608CC02F24} => C:\Program Files\Alwil Software\Avast5\ashShell.dll [2015-07-24] (AVAST Software)
Startup: C:\Documents and Settings\Manda\Start Menu\Programs\Startup\Shortcut to procexp.lnk [2011-03-27]
ShortcutTarget: Shortcut to procexp.lnk -> C:\Documents and Settings\Manda\Desktop\procexp.exe (Sysinternals - www.sysinternals.com)
Startup: C:\Documents and Settings\Manda\Start Menu\Programs\Startup\Shortcut to CES.lnk [2012-07-20]
ShortcutTarget: Shortcut to CES.lnk -> C:\Documents and Settings\Manda\Desktop\CES.txt ()
BootExecute: autocheck autochk /p \??\F:autocheck autochk *

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

Winsock: Catalog5 04 C:\Program Files\Bonjour\mdnsNSP.dll [121704 2011-08-30] (Apple Inc.)
Tcpip\Parameters: [DhcpNameServer] 208.67.220.222 208.67.220.220 198.142.0.51
Tcpip\..\Interfaces\{B3D2EE9D-493D-4A60-BE22-7E34C6AA645B}: [DhcpNameServer] 208.67.220.222 208.67.220.220 198.142.0.51
Tcpip\..\Interfaces\{EA284110-9292-438D-B30D-9C6DD1A4575E}: [DhcpNameServer] 192.168.3.1

Internet Explorer:
==================
HKU\S-1-5-21-909870766-1622110247-4080266991-1004\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.google.com.au/
HKU\S-1-5-21-909870766-1622110247-4080266991-1004\Software\Microsoft\Internet Explorer\Main,Search Bar = hxxp://www.google.com/ie
HKU\S-1-5-21-909870766-1622110247-4080266991-1004\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = hxxp://www.google.com/ie
SearchScopes: HKU\S-1-5-21-909870766-1622110247-4080266991-1004 -> DefaultScope {6A1806CD-94D4-4689-BA73-E35EA1EA9990} URL = hxxp://www.google.com/search?q={searchTerms}&rls=com.microsoft:{language}
SearchScopes: HKU\S-1-5-21-909870766-1622110247-4080266991-1004 -> {6A1806CD-94D4-4689-BA73-E35EA1EA9990} URL = hxxp://www.google.com/search?q={searchTerms}&rls=com.microsoft:{language}
BHO: Adobe PDF Reader Link Helper -> {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} -> C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll [2011-08-30] (Adobe Systems Incorporated)
BHO: SSVHelper Class -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files\Java\jre6\bin\ssv.dll [2009-07-25] (Sun Microsystems, Inc.)
BHO: ZoneAlarm Security Engine Registrar -> {8A4A36C2-0535-4D2C-BD3D-496CB7EED6E3} -> C:\Program Files\CheckPoint\ZAForceField\TrustChecker\bin\TrustCheckerIEPlugin.dll [2012-11-23] (Check Point Software Technologies)
BHO: avast! Online Security -> {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} -> C:\Program Files\Alwil Software\Avast5\aswWebRepIE.dll [2015-07-24] (AVAST Software)
BHO: Google Toolbar Helper -> {AA58ED58-01DD-4d91-8333-CF10577473F7} -> c:\program files\google\googletoolbar1.dll => No File
BHO: Adobe PDF Conversion Toolbar Helper -> {AE7CD045-E861-484f-8273-0445EE161910} -> C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll [2011-08-30] (Adobe Systems Incorporated)
BHO: Java™ Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files\Java\jre6\bin\jp2ssv.dll [2009-07-25] (Sun Microsystems, Inc.)
BHO: JQSIEStartDetectorImpl Class -> {E7E6F031-17CE-4C07-BC86-EABFE594F69C} -> C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll [2009-07-25] (Sun Microsystems, Inc.)
Toolbar: HKLM - Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll [2011-08-30] (Adobe Systems Incorporated)
Toolbar: HKLM - &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll No File
Toolbar: HKLM - ZoneAlarm Security Engine - {EE2AC4E5-B0B0-4EC6-88A9-BCA1A32AB107} - C:\Program Files\CheckPoint\ZAForceField\TrustChecker\bin\TrustCheckerIEPlugin.dll [2012-11-23] (Check Point Software Technologies)
Toolbar: HKU\S-1-5-21-909870766-1622110247-4080266991-1004 -> Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll [2011-08-30] (Adobe Systems Incorporated)
Toolbar: HKU\S-1-5-21-909870766-1622110247-4080266991-1004 -> ZoneAlarm Security Engine - {EE2AC4E5-B0B0-4EC6-88A9-BCA1A32AB107} - C:\Program Files\CheckPoint\ZAForceField\TrustChecker\bin\TrustCheckerIEPlugin.dll [2012-11-23] (Check Point Software Technologies)
Handler: ms-itss - {0A9007C0-4076-11D3-8789-0000F8105754} - C:\Program Files\Common Files\Microsoft Shared\Information Retrieval\MSITSS.DLL [2000-04-19] (Microsoft Corporation)

FireFox:
========
FF ProfilePath: C:\Documents and Settings\Manda\Application Data\Mozilla\Firefox\Profiles\es0ry1h7.default
FF DefaultSearchUrl: hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF SelectedSearchEngine: Google
FF Homepage: about:home
FF Session Restore: -> is enabled.
FF Plugin: @adobe.com/FlashPlayer -> C:\WINDOWS\system32\Macromed\Flash\NPSWF32_11_7_700_224.dll [2013-06-17] ()
FF Plugin: @Apple.com/iTunes,version=1.0 -> C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll [2013-04-08] ()
FF Plugin: @checkpoint.com/FFApi -> C:\Program Files\CheckPoint\ZAForceField\TrustChecker\bin\npFFApi.dll [2012-11-23] ()
FF Plugin: @microsoft.com/WPF,version=3.5 -> C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll [2008-07-29] (Microsoft Corporation)
FF Plugin: @tools.google.com/Google Update;version=3 -> C:\Program Files\Google\Update\1.3.21.169\npGoogleUpdate3.dll [No File]
FF Plugin: @tools.google.com/Google Update;version=9 -> C:\Program Files\Google\Update\1.3.21.169\npGoogleUpdate3.dll [No File]
FF Plugin HKU\S-1-5-21-909870766-1622110247-4080266991-1004: @talk.google.com/GoogleTalkPlugin -> C:\Documents and Settings\Manda\Application Data\Mozilla\plugins\npgoogletalk.dll [2015-04-17] (Google)
FF Plugin HKU\S-1-5-21-909870766-1622110247-4080266991-1004: @talk.google.com/O1DPlugin -> C:\Documents and Settings\Manda\Application Data\Mozilla\plugins\npo1d.dll [2015-04-17] (Google)
FF Plugin HKU\S-1-5-21-909870766-1622110247-4080266991-1004: @tools.google.com/Google Update;version=3 -> C:\Documents and Settings\Manda\Local Settings\Application Data\Google\Update\1.3.28.13\npGoogleUpdate3.dll [No File]
FF Plugin HKU\S-1-5-21-909870766-1622110247-4080266991-1004: @tools.google.com/Google Update;version=9 -> C:\Documents and Settings\Manda\Local Settings\Application Data\Google\Update\1.3.28.13\npGoogleUpdate3.dll [No File]
FF Plugin HKU\S-1-5-21-909870766-1622110247-4080266991-1004: @unity3d.com/UnityPlayer,version=1.0 -> C:\Documents and Settings\Manda\Local Settings\Application Data\Unity\WebPlayer\loader\npUnity3D32.dll [2013-06-07] (Unity Technologies ApS)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\npOGAPlugin.dll [2008-02-04] (Microsoft Corporation)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\NPOFFICE.DLL [2007-03-22] (Microsoft Corporation)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\npdeploytk.dll [2009-07-25] (Sun Microsystems, Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\npLegitCheckPlugin.dll [2009-02-06] (Microsoft Corporation)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\nppopcaploader.dll [2009-07-26] (PopCap Games)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\nppdf32.dll [2011-08-30] (Adobe Systems Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\npcosmop211.dll [2007-09-24] (PLATINUM technology, inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\npqtplugin.dll [2013-06-18] (Apple Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\npqtplugin2.dll [2013-06-18] (Apple Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\npqtplugin3.dll [2013-06-18] (Apple Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\npqtplugin4.dll [2013-06-18] (Apple Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\npqtplugin5.dll [2013-06-18] (Apple Inc.)
FF Plugin ProgramFiles/Appdata: C:\Documents and Settings\Manda\Application Data\mozilla\plugins\npgoogletalk.dll [2015-04-17] (Google)
FF Plugin ProgramFiles/Appdata: C:\Documents and Settings\Manda\Application Data\mozilla\plugins\npo1d.dll [2015-04-17] (Google)
FF Extension: ImgLikeOpera - C:\Documents and Settings\Manda\Application Data\Mozilla\Firefox\Profiles\es0ry1h7.default\extensions\imglikeopera@imfo.ru.xpi [2015-07-17]
FF Extension: Neo Diggler - C:\Documents and Settings\Manda\Application Data\Mozilla\Firefox\Profiles\es0ry1h7.default\extensions\{9b84cce7-a817-45d7-865e-9e6e8da1c388}.xpi [2015-07-17]
FF Extension: UnloadTab - C:\Documents and Settings\Manda\Application Data\Mozilla\Firefox\Profiles\es0ry1h7.default\extensions\unloadtab@firefox.ext.xpi [2015-09-18]
FF Extension: Flash Video Downloader - YouTube HD Download [4K] - C:\Documents and Settings\Manda\Application Data\Mozilla\Firefox\Profiles\es0ry1h7.default\extensions\artur.dubovoy@gmail.com [2016-02-09]
FF Extension: Googlebar Lite - C:\Documents and Settings\Manda\Application Data\Mozilla\Firefox\Profiles\es0ry1h7.default\extensions\{79c50f9a-2ffe-4ee0-8a37-fae4f5dacd4f}.xpi [2016-02-14]
FF Extension: NoScript - C:\Documents and Settings\Manda\Application Data\Mozilla\Firefox\Profiles\es0ry1h7.default\extensions\{73a6fe31-595d-460b-a920-fcc0f8843232}.xpi [2016-02-17]
FF Extension: Classic Theme Restorer - C:\Documents and Settings\Manda\Application Data\Mozilla\Firefox\Profiles\es0ry1h7.default\extensions\ClassicThemeRestorer@ArisT2Noia4dev.xpi [2016-02-19]
FF Extension: Tab Counter - C:\Documents and Settings\Manda\Application Data\Mozilla\Firefox\Profiles\es0ry1h7.default\Extensions\tabcounter@morac.xpi [2016-02-08]
FF Extension: Echofon - C:\Documents and Settings\Manda\Application Data\Mozilla\Firefox\Profiles\es0ry1h7.default\Extensions\twitternotifier@naan.net [2012-09-27] [not signed]
FF Extension: Highlights - C:\Documents and Settings\Manda\Application Data\Mozilla\Firefox\Profiles\es0ry1h7.default\Extensions\rj@reedmace.net.xpi [2011-12-03] [not signed]
FF Extension: ShareMeNot - C:\Documents and Settings\Manda\Application Data\Mozilla\Firefox\Profiles\es0ry1h7.default\Extensions\sharemenot@franziroesner.com.xpi [2012-07-01] [not signed]
FF Extension: Remember The Milk for Gmail - C:\Documents and Settings\Manda\Application Data\Mozilla\Firefox\Profiles\es0ry1h7.default\Extensions\rtmgmail@rememberthemilk.com.xpi [2015-08-17]
FF Extension: Add-on Compatibility Reporter - C:\Documents and Settings\Manda\Application Data\Mozilla\Firefox\Profiles\es0ry1h7.default\Extensions\compatibility@addons.mozilla.org.xpi [2015-07-25]
FF Extension: English (Australian) Dictionary - C:\Documents and Settings\Manda\Application Data\Mozilla\Firefox\Profiles\es0ry1h7.default\Extensions\en-AU@dictionaries.addons.mozilla.org [2014-09-15] [not signed]
FF Extension: Hola Better Internet - C:\Documents and Settings\Manda\Application Data\Mozilla\Firefox\Profiles\es0ry1h7.default\Extensions\jid1-4P0kohSJxU1qGg@jetpack [2015-12-02] [not signed]
FF Extension: Anonymizer Nevercookie - C:\Documents and Settings\Manda\Application Data\Mozilla\Firefox\Profiles\es0ry1h7.default\Extensions\supersecret187@nyms.net [2010-12-02] [not signed]
FF Extension: BarTab - C:\Documents and Settings\Manda\Application Data\Mozilla\Firefox\Profiles\es0ry1h7.default\Extensions\bartap@philikon.de [2010-12-05] [not signed]
FF Extension: BarTab Lite - C:\Documents and Settings\Manda\Application Data\Mozilla\Firefox\Profiles\es0ry1h7.default\Extensions\bartablite@philikon.de.xpi [2015-06-29]
FF Extension: LiveJournal Addons - C:\Documents and Settings\Manda\Application Data\Mozilla\Firefox\Profiles\es0ry1h7.default\Extensions\homo_nudus@livejournal.com.xpi [2015-06-29]
FF Extension: Adblock Plus - C:\Documents and Settings\Manda\Application Data\Mozilla\Firefox\Profiles\es0ry1h7.default\Extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}.xpi [2016-02-08]
FF Extension: googlebar - C:\Documents and Settings\Manda\Application Data\Mozilla\Firefox\Profiles\es0ry1h7.default\Extensions\{6b6601f1-361e-4b9f-bb6d-f8305000e4f6}.xpi [2015-06-29]
FF Extension: Session Manager - C:\Documents and Settings\Manda\Application Data\Mozilla\Firefox\Profiles\es0ry1h7.default\Extensions\{1280606b-2510-4fe0-97ef-9b5a22eafe30}.xpi [2016-02-08]
FF Extension: Highlighter - C:\Documents and Settings\Manda\Application Data\Mozilla\Firefox\Profiles\es0ry1h7.default\Extensions\{bbfec13c-8cb2-53f2-b852-999eb2a852c9}.xpi [2011-11-13] [not signed]
FF Extension: TextMarker! - C:\Documents and Settings\Manda\Application Data\Mozilla\Firefox\Profiles\es0ry1h7.default\Extensions\{1c530060-b0ae-11d9-9669-0800200c9a66} [2015-06-29]
FF Extension: Popup ALT Attribute - C:\Documents and Settings\Manda\Application Data\Mozilla\Firefox\Profiles\es0ry1h7.default\Extensions\{61FD08D8-A2CB-46c0-B36D-3F531AC53C12}.xpi [2016-02-08]
FF Extension: YouTube mp3 - C:\Documents and Settings\Manda\Application Data\Mozilla\Firefox\Profiles\es0ry1h7.default\Extensions\info@youtube-mp3.org.xpi [2015-06-29]
FF Extension: Is It Compatible? - C:\Documents and Settings\Manda\Application Data\Mozilla\Firefox\Profiles\es0ry1h7.default\Extensions\isitcompatible@eternicode.com.xpi [2015-06-29]
FF Extension: checkCompatibility - C:\Documents and Settings\Manda\Application Data\Mozilla\Firefox\Profiles\es0ry1h7.default\Extensions\check-compatibility@dactyl.googlecode.com.xpi [2015-06-29]
FF Extension: PDF Download - C:\Documents and Settings\Manda\Application Data\Mozilla\Firefox\Profiles\es0ry1h7.default\Extensions\{37E4D8EA-8BDA-4831-8EA1-89053939A250}.xpi [2015-06-29]
FF Extension: DownThemAll! - C:\Documents and Settings\Manda\Application Data\Mozilla\Firefox\Profiles\es0ry1h7.default\Extensions\{DDC359D1-844A-42a7-9AA1-88A850A938A8}.xpi [2015-12-05]
FF Extension: OneTab - C:\Documents and Settings\Manda\Application Data\Mozilla\Firefox\Profiles\es0ry1h7.default\Extensions\extension@one-tab.com.xpi [2015-10-06]
FF HKLM\...\Firefox\Extensions: [{20a82645-c095-46ed-80e3-08825760534b}] - C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF Extension: Microsoft .NET Framework Assistant - C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension [2009-05-30] [not signed]
FF HKLM\...\Firefox\Extensions: [jqs@sun.com] - C:\Program Files\Java\jre6\lib\deploy\jqs\ff
FF Extension: Java Quick Starter - C:\Program Files\Java\jre6\lib\deploy\jqs\ff [2009-05-31] [not signed]
FF HKLM\...\Firefox\Extensions: [wrc@avast.com] - C:\Program Files\Alwil Software\Avast5\WebRep\FF
FF Extension: Avast Online Security - C:\Program Files\Alwil Software\Avast5\WebRep\FF [2011-04-12] [not signed]
FF HKLM\...\Firefox\Extensions: [{FFB96CC1-7EB3-449D-B827-DB661701C6BB}] - C:\Program Files\CheckPoint\ZAForceField\TrustChecker
FF Extension: ZoneAlarm Security Engine - C:\Program Files\CheckPoint\ZAForceField\TrustChecker [2011-11-13] [not signed]
FF ExtraCheck: C:\Program Files\mozilla firefox\defaults\pref\itms.js [2013-05-29]

Chrome:
=======
CHR HKLM\...\Chrome\Extension: [gomekmidlodglbbmalcneegieacbdmki] - C:\Program Files\Alwil Software\Avast5\WebRep\Chrome\aswWebRepChrome.crx [2015-07-24]

==================== Services (Whitelisted) ========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

S4 Adobe Version Cue CS3; C:\Program Files\Common Files\Adobe\Adobe Version Cue CS3\Server\bin\VersionCueCS3.exe [153792 2007-03-20] (Adobe Systems Incorporated)
R2 anbmService; C:\Acer\eManager\anbmServ.exe [1273344 2005-06-06] (OSA Technologies Inc.) [File not signed]
R2 avast! Antivirus; C:\Program Files\Alwil Software\Avast5\AvastSvc.exe [146600 2015-07-24] (AVAST Software)
S3 FLEXnet Licensing Service; C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe [654848 2007-12-29] (Macrovision Europe Ltd.) [File not signed]
R2 IswSvc; C:\Program Files\CheckPoint\ZAForceField\IswSvc.exe [497320 2012-11-23] (Check Point Software Technologies)
S4 JavaQuickStarterService; C:\Program Files\Java\jre6\bin\jqs.exe [153376 2009-07-25] (Sun Microsystems, Inc.)
S2 MBAMService; C:\Program Files\Malwarebytes Anti-Malware\mbamservice.exe [1135416 2015-10-05] (Malwarebytes)
R2 SantSvc; C:\WINDOWS\system32\SantSvc.EXE [44544 2005-09-02] () [File not signed]
S3 ServiceLayer; C:\Program Files\Nokia\PC Connectivity Solution\ServiceLayer.exe [651776 2009-09-17] (Nokia) [File not signed]
R2 vsmon; C:\Program Files\CheckPoint\ZoneAlarm\vsmon.exe [2447888 2013-03-27] (Check Point Software Technologies LTD)
S3 WLSetupSvc; C:\Program Files\Windows Live\installer\WLSetupSvc.exe [266240 2007-10-25] (Microsoft Corporation)
S4 gupdate; "C:\Program Files\Google\Update\GoogleUpdate.exe" /svc [X]
S4 gupdatem; "C:\Program Files\Google\Update\GoogleUpdate.exe" /medsvc [X]
S4 gusvc; "C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe" [X]

===================== Drivers (Whitelisted) ==========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

S3 2U2KG54; C:\WINDOWS\System32\DRIVERS\PRISMA02.sys [350240 2005-05-06] (Conexant Systems, Inc.) [File not signed]
R0 abp480n5; C:\WINDOWS\System32\DRIVERS\ABP480N5.SYS [23552 2001-08-17] (Microsoft Corporation)
S3 AIFILT; C:\WINDOWS\System32\Drivers\aifilt.sys [3264 2004-05-28] () [File not signed]
R3 ALCXWDM; C:\WINDOWS\System32\drivers\ALCXWDM.SYS [2317504 2005-04-19] (Realtek Semiconductor Corp.)
R3 AR5211; C:\WINDOWS\System32\DRIVERS\ar5211.sys [449888 2005-01-10] (Atheros Communications, Inc.)
R2 aswHwid; C:\WINDOWS\system32\drivers\aswHwid.sys [24016 2015-07-24] (AVAST Software)
R2 aswMonFlt; C:\WINDOWS\system32\drivers\aswMonFlt.sys [76000 2015-07-24] (AVAST Software)
R1 aswRdr; C:\WINDOWS\system32\drivers\aswRdr.sys [55200 2015-07-24] (AVAST Software)
R0 aswRvrt; C:\WINDOWS\system32\Drivers\aswRvrt.sys [49776 2015-07-24] (AVAST Software)
R1 aswSnx; C:\WINDOWS\system32\drivers\aswSnx.sys [794952 2015-12-02] (AVAST Software)
R1 aswSP; C:\WINDOWS\system32\drivers\aswSP.sys [435464 2015-12-02] (AVAST Software)
R3 aswStmXP; C:\WINDOWS\system32\drivers\aswStmXP.sys [161472 2015-07-24] (AVAST Software)
S3 aswTdi; C:\WINDOWS\system32\drivers\aswTdi.sys [57888 2015-07-24] (AVAST Software)
R0 aswVmm; C:\WINDOWS\system32\Drivers\aswVmm.sys [208664 2015-07-24] (AVAST Software)
S3 BCM43XX; C:\WINDOWS\System32\DRIVERS\bcmwl5.sys [369024 2004-12-22] (Broadcom Corporation)
S3 BrScnUsb; C:\WINDOWS\System32\DRIVERS\BrScnUsb.sys [15295 2004-10-15] (Brother Industries Ltd.)
R1 BUFADPT; C:\WINDOWS\system32\BUFADPT.SYS [9600 2005-07-06] (BUFFALO INC.) [File not signed]
S3 CCDECODE; C:\WINDOWS\System32\DRIVERS\CCDECODE.sys [17024 2004-08-03] (Microsoft Corporation)
S3 CTL518; C:\WINDOWS\System32\DRIVERS\wcvid.sys [183589 2001-11-03] (Creative Technology Ltd.)
S2 DgivEcp; C:\WINDOWS\System32\Drivers\DgivEcp.Sys [40448 2003-01-06] (DeviceGuys, Inc.) [File not signed]
S3 epmntdrv; C:\WINDOWS\system32\epmntdrv.sys [13192 2009-08-26] () [File not signed]
R2 EpmPsd; C:\WINDOWS\system32\drivers\epm-psd.sys [4096 2004-07-19] (Acer Value Labs, USA) [File not signed]
R2 EpmShd; C:\WINDOWS\system32\drivers\epm-shd.sys [78208 2005-04-07] (Acer Value Labs, USA) [File not signed]
S3 EuGdiDrv; C:\WINDOWS\system32\EuGdiDrv.sys [8456 2009-09-16] () [File not signed]
S3 FETNDIS; C:\WINDOWS\System32\DRIVERS\fetnd5.sys [27165 2001-08-17] (VIA Technologies, Inc.              )
R1 Hotkey; C:\WINDOWS\system32\Drivers\Hotkey.sys [9867 2003-04-28] () [File not signed]
S3 HSFHWICH; C:\WINDOWS\System32\DRIVERS\HSFHWICH.sys [207232 2004-12-15] (Conexant Systems, Inc.)
R2 int15.sys; C:\Acer\Empowering Technology\eRecovery\int15.sys [69632 2005-01-13] () [File not signed]
R2 ISWKL; C:\Program Files\CheckPoint\ZAForceField\ISWKL.sys [27056 2012-11-23] (Check Point Software Technologies)
S3 mbamchameleon; C:\WINDOWS\system32\drivers\mbamchameleon.sys [121560 2016-02-21] (Malwarebytes)
R3 MBAMProtector; C:\WINDOWS\system32\drivers\mbam.sys [23256 2015-10-05] (Malwarebytes)
S3 NdisIP; C:\WINDOWS\System32\DRIVERS\NdisIP.sys [10880 2004-08-03] (Microsoft Corporation)
R3 NTIDrvr; C:\WINDOWS\System32\DRIVERS\NTIDrvr.sys [6144 2007-12-25] (NewTech Infosystems, Inc.) [File not signed]
R2 osaio; C:\WINDOWS\system32\drivers\osaio.sys [8704 2005-03-04] (Avocent/OSA Technologies Inc.) [File not signed]
R2 osanbm; C:\WINDOWS\system32\drivers\osanbm.sys [4010 2005-01-14] (Windows ® 2000 DDK provider) [File not signed]
S3 pfc; C:\WINDOWS\System32\drivers\pfc.sys [10368 2003-12-05] (Padus, Inc.) [File not signed]
S3 POWERKEY; C:\Program Files\Launch Manager\POWERKEY.sys [2343 2000-12-19] () [File not signed]
S3 qcusbser; C:\WINDOWS\System32\DRIVERS\ZTEusbser.sys [99584 2007-03-02] (ZTE Incorporated)
S3 Rasirda; C:\WINDOWS\System32\DRIVERS\rasirda.sys [19584 2001-08-17] (Microsoft Corporation)
R3 RTL8023xp; C:\WINDOWS\System32\DRIVERS\Rtlnicxp.sys [70912 2004-12-02] (Realtek Semiconductor Corporation                           )
R0 tclondrv; C:\WINDOWS\System32\DRIVERS\tclondrv.sys [20352 2008-05-12] (TuneClone Software) [File not signed]
R2 tmcomm; C:\WINDOWS\system32\drivers\tmcomm.sys [102664 2009-09-25] (Trend Micro Inc.)
R1 Vsdatant; C:\WINDOWS\System32\vsdatant.sys [527848 2013-03-27] (Check Point Software Technologies LTD)
S1 wceusbsh; C:\WINDOWS\System32\DRIVERS\wceusbsh.sys [31744 2004-08-03] (Microsoft Corporation)
S1 mailKmd; no ImagePath
U5 Tcpip6; C:\Windows\System32\Drivers\Tcpip6.sys [225920 2008-06-20] (Microsoft Corporation)
S1 Wbutton; \SystemRoot\system32\drivers\Wbutton.sys [X]
U1 WS2IFSL; no ImagePath

==================== NetSvcs (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)


==================== One Month Created files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2016-02-22 12:58 - 2016-02-22 12:58 - 00028061 _____ C:\Documents and Settings\Manda\Desktop\FRST.txt
2016-02-22 12:56 - 2016-02-22 12:56 - 00000000 ____D C:\FRST
2016-02-22 12:56 - 2016-02-22 12:55 - 01722368 _____ (Farbar) C:\Documents and Settings\Manda\Desktop\FRST.exe
2016-02-22 12:03 - 2016-02-22 12:03 - 00000000 __SHD C:\FOUND.013
2016-02-22 11:08 - 2016-02-22 11:08 - 00000000 ____D C:\Documents and Settings\Administrator\Application Data\Malwarebytes
2016-02-22 11:04 - 2016-02-22 11:04 - 00000000 __SHD C:\Documents and Settings\Administrator\PrivacIE
2016-02-22 10:37 - 2016-02-22 10:37 - 00000000 ____D C:\Documents and Settings\Administrator\Application Data\AVAST Software
2016-02-22 10:24 - 2016-02-22 10:24 - 00000000 ____D C:\FlashDisinfect
2016-02-22 09:55 - 2016-02-22 09:55 - 00000000 ____D C:\Documents and Settings\Administrator\Pavark
2016-02-22 09:50 - 2016-02-22 09:50 - 00000000 ____D C:\panda
2016-02-22 09:34 - 2016-02-22 09:34 - 00000000 ____D C:\Documents and Settings\All Users\Application Data\Norton
2016-02-22 09:34 - 2016-02-22 09:34 - 00000000 ____D C:\Documents and Settings\Administrator\Local Settings\Application Data\Temp
2016-02-22 09:34 - 2016-02-22 09:34 - 00000000 ____D C:\Documents and Settings\Administrator\Local Settings\Application Data\NPE
2016-02-22 09:10 - 2016-02-22 09:11 - 00164366 _____ C:\TDSSKiller.3.1.0.9_22.02.2016_09.10.09_log.txt
2016-02-22 08:39 - 2016-02-22 08:44 - 00010852 _____ C:\Documents and Settings\Manda\Desktop\MBRCheck_02.22.16_08.39.36.txt
2016-02-22 08:38 - 2016-02-22 08:39 - 00164806 _____ C:\TDSSKiller.3.1.0.9_22.02.2016_08.38.02_log.txt
2016-02-22 08:31 - 2016-02-22 08:32 - 00011228 _____ C:\Documents and Settings\Manda\Desktop\MBRCheck_02.22.16_08.31.11.txt
2016-02-22 08:12 - 2016-02-22 08:31 - 00164934 _____ C:\TDSSKiller.3.1.0.9_22.02.2016_08.12.21_log.txt
2016-02-21 23:05 - 2016-02-21 23:05 - 00000000 ____D C:\Documents and Settings\Administrator\Local Settings\Application Data\Adobe
2016-02-21 20:14 - 2016-02-21 20:14 - 00000000 ____D C:\mbar
2016-02-21 19:50 - 2016-02-21 19:50 - 00000000 __SHD C:\FOUND.012
2016-02-21 17:05 - 2009-08-06 09:23 - 00377803 _____ C:\Documents and Settings\Manda\Desktop\Process Assassin.exe
2016-02-21 17:05 - 2009-04-14 19:36 - 00120054 _____ C:\Documents and Settings\Manda\Desktop\Process  Assassin.bmp
2016-02-21 14:02 - 2016-02-21 14:02 - 00000000 ____D C:\Documents and Settings\All Users\Application Data\Malwarebytes' Anti-Malware (portable)
2016-02-21 13:42 - 2016-02-21 13:42 - 00000000 ____D C:\Documents and Settings\Manda\Desktop\mbar
2016-02-21 13:37 - 2016-02-21 22:07 - 00121560 _____ (Malwarebytes) C:\WINDOWS\system32\Drivers\mbamchameleon.sys
2016-02-21 13:37 - 2016-02-21 13:37 - 00000685 _____ C:\Documents and Settings\All Users\Desktop\Malwarebytes Anti-Malware.lnk
2016-02-21 13:37 - 2016-02-21 13:37 - 00000000 ____D C:\Program Files\Malwarebytes Anti-Malware
2016-02-21 13:37 - 2016-02-21 13:37 - 00000000 ____D C:\Documents and Settings\All Users\Start Menu\Programs\Malwarebytes Anti-Malware
2016-02-21 13:01 - 2016-02-21 13:01 - 00000000 __SHD C:\FOUND.011
2016-02-17 11:25 - 2016-02-17 12:39 - 00003363 _____ C:\Documents and Settings\Manda\Desktop\162intercruises01.html
2016-02-17 11:24 - 2016-02-17 11:24 - 00004214 _____ C:\Documents and Settings\Manda\Desktop\102postpressed01.html
2016-02-17 11:13 - 2016-02-17 11:13 - 00000000 ____D C:\Program Files\7-Zip
2016-02-17 11:13 - 2016-02-17 11:13 - 00000000 ____D C:\Documents and Settings\All Users\Start Menu\Programs\7-Zip
2016-02-17 11:10 - 2016-02-17 11:10 - 00000000 ____D C:\Documents and Settings\All Users\Application Data\UniqueId

==================== One Month Modified files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2016-02-22 12:52 - 2012-07-29 11:58 - 00000366 ____H C:\WINDOWS\Tasks\avast! Emergency Update.job
2016-02-22 12:52 - 2005-06-24 12:29 - 00001158 _____ C:\WINDOWS\system32\wpa.dbl
2016-02-22 12:51 - 2014-01-07 20:50 - 00000494 _____ C:\WINDOWS\system32\eRLog.ini
2016-02-22 12:50 - 2014-01-05 16:45 - 00000098 _____ C:\WINDOWS\ComponentList.xml
2016-02-22 12:50 - 2009-05-30 22:40 - 00000236 _____ C:\WINDOWS\Tasks\OGALogon.job
2016-02-22 12:50 - 2005-06-24 12:29 - 00000006 ____H C:\WINDOWS\Tasks\SA.DAT
2016-02-22 12:41 - 2005-06-24 12:29 - 00000178 ___SH C:\Documents and Settings\Administrator\ntuser.ini
2016-02-22 12:24 - 2014-01-08 20:14 - 02495600 _____ C:\WINDOWS\ntbtlog.txt
2016-02-22 11:53 - 2008-09-10 11:27 - 00000422 ____H C:\WINDOWS\Tasks\User_Feed_Synchronization-{765A14F0-607F-4985-AB88-54B1273F48EE}.job
2016-02-22 09:34 - 2011-02-15 23:32 - 00095752 ____H C:\WINDOWS\system32\mlfcache.dat
2016-02-22 09:18 - 2010-09-22 20:23 - 00170200 _____ (Malwarebytes) C:\WINDOWS\system32\Drivers\mbamswissarmy.sys
2016-02-22 09:07 - 2005-06-24 12:29 - 00032562 _____ C:\WINDOWS\SchedLgU.Txt
2016-02-21 23:02 - 2010-11-16 05:56 - 00000440 __RSH C:\Documents and Settings\All Users\ntuser.pol
2016-02-21 19:57 - 2004-08-17 13:22 - 00000784 _____ C:\WINDOWS\win.ini
2016-02-21 19:57 - 2004-08-17 13:14 - 00000227 _____ C:\WINDOWS\system.ini
2016-02-21 19:57 - 2002-11-26 10:38 - 00000194 __RSH C:\BOOT.INI
2016-02-21 18:17 - 2007-12-25 00:09 - 00000178 ___SH C:\Documents and Settings\Manda\ntuser.ini
2016-02-15 09:45 - 2012-07-13 18:23 - 00000546 _____ C:\Documents and Settings\Manda\Desktop\CES.txt

==================== Files in the root of some directories =======

2012-09-20 05:48 - 2012-09-20 05:48 - 4096000 _____ () C:\Program Files\GUT9.tmp
2013-11-23 11:46 - 2013-11-23 11:48 - 50053120 _____ () C:\Program Files\GUTB7.tmp
2009-07-11 09:23 - 2010-09-22 21:34 - 0000000 _____ () C:\Documents and Settings\Manda\Application Data\bcrypt.html
2013-06-04 12:17 - 2013-06-04 12:17 - 0001577 _____ () C:\Documents and Settings\Manda\Application Data\testtool.ini
2007-12-29 11:00 - 2007-12-29 11:07 - 0000746 ____H () C:\Documents and Settings\Manda\Local Settings\Application Data\FASTWiz.html
2008-03-03 16:24 - 2010-12-23 06:21 - 0089600 ____H () C:\Documents and Settings\Manda\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
2008-10-08 00:06 - 2008-10-08 00:06 - 0000032 _____ () C:\Documents and Settings\All Users\Application Data\ezsid.dat

Some files in TEMP:
====================
C:\Documents and Settings\Administrator\Local Settings\Temp\NEventMessages.dll


==================== Bamital & volsnap =================

(There is no automatic fix for files that do not pass verification.)

C:\WINDOWS\explorer.exe => File is digitally signed
C:\WINDOWS\system32\winlogon.exe => File is digitally signed
C:\WINDOWS\system32\svchost.exe => File is digitally signed
C:\WINDOWS\system32\services.exe => File is digitally signed
C:\WINDOWS\system32\User32.dll => File is digitally signed
C:\WINDOWS\system32\userinit.exe => File is digitally signed
C:\WINDOWS\system32\rpcss.dll => File is digitally signed
C:\WINDOWS\system32\dnsapi.dll => File is digitally signed
C:\WINDOWS\system32\Drivers\volsnap.sys => File is digitally signed

==================== End of FRST.txt ============================

Attached Files



#2 olgun52

olgun52

  • Malware Response Team
  • 3,784 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:09:04 PM

Posted 22 February 2016 - 05:47 AM

Hello drjon and Welcome to the BleepingComputer. :welcome:  
 
My name is Yılmaz and I'll help you with the cleanup of malware from your computer.

Before we move on, please read the following points carefully.

  • Please complete all steps in the specified order.
  • Even if tools don't find malware, I want you to post the logfiles anyway.
  • Please copy and paste the logfiles directly into your posts. Please do not attach them unless you are instructed to do so.
  • Read the instructions carefully. If you have problems, stop what you were doing and describe the problems you encountered as precisely as you can.
  • Don't install or uninstall software during the cleanup unless you are told to do so.
  • Ensure your external and/or USB drives are always inserted during the scan.
  • If you can't answer for the next few days, please let me know. If you haven't answered within 5 days, I am assuming that you don't need help anymore and your topic will be closed.
  • If you have illegal/cracked software, cracks, keygens, etc. on the system, please remove or uninstall them now!
  • I cannot guarantee that we will find and be able to remove all malware. The cleaning process is not instant. Please continue to review my answers until I tell you that your computer is clean.
  • Please reply to this thread. Do not start a new topic.
  • As my first language is not English, please do not use slang or idioms. It could be hard for me to understand.
  • Please open the computer as administrator. How do I open the computer as administrator?
  • Disable your AntiVirus and AntiSpyware applications, as they will interfere with our tools and the removal. If you are unsure how to do this, please refer to get help here.

Thanks

I am currently reviewing your log. I will be back with a fix for your problem as soon as possible. Please be patient with me during this time.
 
Sincerely
:hello:


Best regards
 
paypal.gif
If you wish to show appreciation and support me personally fighting against malware, then you can consider a donation. Thank you. :thumbup2:
Malware fix forum
If I don't reply within 24 hours please PM me!

 


 


#3 drjon

drjon
  • Topic Starter

  • Members
  • 71 posts
  • OFFLINE
  •  
  • Local time:04:04 AM

Posted 22 February 2016 - 07:01 AM

hello, Yılmaz. thank you for helping me. i will wait for your instructions.

#4 olgun52

olgun52

  • Malware Response Team
  • 3,784 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:09:04 PM

Posted 22 February 2016 - 10:25 AM

Hi drjon,

Administrator (S-1-5-21-909870766-1622110247-4080266991-500 - Administrator - Enabled) => %SystemDrive%\Documents and Settings\Administrator
Guest (S-1-5-21-909870766-1622110247-4080266991-501 - Limited - Enabled)
HelpAssistant (S-1-5-21-909870766-1622110247-4080266991-1003 - Limited - Disabled)
Manda (S-1-5-21-909870766-1622110247-4080266991-1004 - Administrator - Enabled) => %SystemDrive%\Documents and Settings\Manda
SUPPORT_388945a0 (S-1-5-21-909870766-1622110247-4080266991-1002 - Limited - Disabled)
Work (S-1-5-21-909870766-1622110247-4080266991-1006 - Administrator - Enabled) => %SystemDrive%\Documents and Settings\Work

C:\Documents and Settings\Administrator\Pavark ===>> What is this? Do you know?
=================================================================================

C:\Documents and Settings\All Users\Application Data\UniqueId
C:\Documents and Settings\Manda\Desktop\162intercruises01.html
C:\Documents and Settings\Manda\Desktop\102postpressed01.html
C:\Documents and Settings\Manda\Application Data\bcrypt.html

What are these files? Do you know?
===================================================
C:\TDSSKiller.3.1.0.9_22.02.2016_08.12.21_log.txt
Please post me this log file.
===================================================================
Uninstall: PopCap Browser Plugin

======================================================

Let me know when you get that done.



#5 drjon

drjon
  • Topic Starter

  • Members
  • 71 posts
  • OFFLINE
  •  
  • Local time:04:04 AM

Posted 22 February 2016 - 06:35 PM

Hi, Yılmaz.

C:\Documents and Settings\Administrator\Pavark ===>> What is this? Do you know?

That is Panda Anti-Rootkit, which I ran yesterday. It found nothing, but I can run it again if you want.

What are these files? Do you know?
C:\Documents and Settings\All Users\Application Data\UniqueId
C:\Documents and Settings\Manda\Application Data\bcrypt.html

I do not know anything about these two files.

C:\Documents and Settings\Manda\Desktop\162intercruises01.html
C:\Documents and Settings\Manda\Desktop\102postpressed01.html

These files are okay. I created them the other day; they are plain HTML, no JavaScript or other code.

C:\TDSSKiller.3.1.0.9_22.02.2016_08.12.21_log.txt -- file attached.

Uninstall: PopCap Browser Plugin

I have run the uninstaller for that plugin.

Thank you again for your help.

jon

 

 

Attached Files



#6 olgun52

olgun52

  • Malware Response Team
  • 3,784 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:09:04 PM

Posted 23 February 2016 - 06:50 PM

Hi drjon,

 

Copy the below code to Notepad; Save As fixlist.txt to your Desktop.

CreateRestorePoint:
CloseProcesses:
CustomCLSID: HKU\S-1-5-21-909870766-1622110247-4080266991-1004_Classes\CLSID\{039B2CA5-3B41-4D93-AD77-47D3293FC5CB}\InprocServer32 -> C:\Program Files\Skype\Plugin Manager\ezPMUtils.dll => No File
CustomCLSID: HKU\S-1-5-21-909870766-1622110247-4080266991-1004_Classes\CLSID\{22181302-A8A6-4F84-A541-E5CBFC70CC43}\localserver32 -> "C:\Documents and Settings\Manda\Local Settings\Application Data\Google\Update\1.3.28.13\GoogleUpdat (the data entry has 25 more characters).
CustomCLSID: HKU\S-1-5-21-909870766-1622110247-4080266991-1004_Classes\CLSID\{29A96789-9595-4947-BEDB-0FCC776F7DB8}\InprocServer32 -> C:\Documents and Settings\Manda\Local Settings\Application Data\Google\Update\1.2.183.39\goopdate.dl (the data entry has 12 more characters).
CustomCLSID: HKU\S-1-5-21-909870766-1622110247-4080266991-1004_Classes\CLSID\{2F0E2680-9FF5-43C0-B76E-114A56E93598}\localserver32 -> "C:\Documents and Settings\Manda\Local Settings\Application Data\Google\Update\1.3.28.13\GoogleUpdat (the data entry has 25 more characters).
CustomCLSID: HKU\S-1-5-21-909870766-1622110247-4080266991-1004_Classes\CLSID\{31AC3F11-E5EA-4A85-8A3D-8E095A39C27B}\InprocServer32 -> C:\Documents and Settings\Manda\Local Settings\Application Data\Google\Update\1.2.131.27\goopdate.dl (the data entry has 12 more characters).
CustomCLSID: HKU\S-1-5-21-909870766-1622110247-4080266991-1004_Classes\CLSID\{42481700-CF3C-4D05-8EC6-F9A1C57E8DC0}\InprocServer32 -> C:\Program Files\Skype\Plugin Manager\ezPMUtils.dll => No File
CustomCLSID: HKU\S-1-5-21-909870766-1622110247-4080266991-1004_Classes\CLSID\{51F9E8EF-59D7-475B-A106-C7EA6F30C119}\localserver32 -> "C:\Documents and Settings\Manda\Local Settings\Application Data\Google\Update\1.3.28.13\GoogleUpdat (the data entry has 25 more characters).
CustomCLSID: HKU\S-1-5-21-909870766-1622110247-4080266991-1004_Classes\CLSID\{C3101A8B-0EE1-4612-BFE9-41FFC1A3C19D}\InprocServer32 -> C:\Documents and Settings\Manda\Local Settings\Application Data\Google\Update\1.3.28.13\npGoogleUpda (the data entry has 18 more characters).
CustomCLSID: HKU\S-1-5-21-909870766-1622110247-4080266991-1004_Classes\CLSID\{C442AC41-9200-4770-8CC0-7CDB4F245C55}\InprocServer32 -> C:\Documents and Settings\Manda\Local Settings\Application Data\Google\Update\1.3.28.13\npGoogleUpda (the data entry has 18 more characters).
CustomCLSID: HKU\S-1-5-21-909870766-1622110247-4080266991-1004_Classes\CLSID\{D0D38C6E-BF64-4C42-840D-3E0019D9F7A6}\InprocServer32 -> C:\Program Files\Skype\Plugin Manager\ezPMUtils.dll => No File
Task: C:\WINDOWS\Tasks\Disk Cleanup.job => C:\WINDOWS\system32\cleanmgr.exe
Task: C:\WINDOWS\Tasks\OGALogon.job => C:\WINDOWS\system32\OGAEXEC.exe
Task: C:\WINDOWS\Tasks\avast! Emergency Update.job => C:\Program Files\Alwil Software\Avast5\AvastEmUpdate.exe
HKU\S-1-5-21-909870766-1622110247-4080266991-1004\...\MountPoints2: K - RECYCLERS\runmgr.exe
HKU\S-1-5-21-909870766-1622110247-4080266991-1004\...\MountPoints2: {0dada975-a460-11e5-9e1c-0014a45e6a35} - G:\Setup.exe
HKU\S-1-5-21-909870766-1622110247-4080266991-1004\...\MountPoints2: {150899e6-9b61-11e1-9dd4-0016ce4f1f8d} - H:\RunClubSanDisk.exe
HKU\S-1-5-21-909870766-1622110247-4080266991-1004\...\MountPoints2: {4cefa870-6edc-11e0-9da8-000ae4f68fc9} - G:\AutoRun.exe
HKU\S-1-5-21-909870766-1622110247-4080266991-1004\...\MountPoints2: {65fb319a-b4fb-11df-9d71-0016ce4f1f8d} - G:\AutoRun.exe
HKU\S-1-5-21-909870766-1622110247-4080266991-1004\...\MountPoints2: {81a0ce7e-b589-11dc-9bf8-0016ce4f1f8d} - F:\setupSNK.exe
HKU\S-1-5-21-909870766-1622110247-4080266991-1004\...\MountPoints2: {b670d766-b59a-11df-9d72-0016ce4f1f8d} - G:\AutoRun.exe
HKU\S-1-5-21-909870766-1622110247-4080266991-1004\...\MountPoints2: {b670d768-b59a-11df-9d72-0016ce4f1f8d} - H:\AutoRun.exe
HKU\S-1-5-21-909870766-1622110247-4080266991-1004\...\MountPoints2: {c919cbf4-9836-11e1-9dd3-0016ce4f1f8d} - G:\RunClubSanDisk.exe
HKU\S-1-5-21-909870766-1622110247-4080266991-1004\...\MountPoints2: {ceb9d8c8-645b-11de-9d10-0016ce4f1f8d} - F:\RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013\isi32.exe
BHO: Google Toolbar Helper -> {AA58ED58-01DD-4d91-8333-CF10577473F7} -> c:\program files\google\googletoolbar1.dll => No File
Toolbar: HKLM - &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll No File
FF ProfilePath: C:\Documents and Settings\Manda\Application Data\Mozilla\Firefox\Profiles\es0ry1h7.default
FF Plugin: @tools.google.com/Google Update;version=3 -> C:\Program Files\Google\Update\1.3.21.169\npGoogleUpdate3.dll [No File]
FF Plugin: @tools.google.com/Google Update;version=9 -> C:\Program Files\Google\Update\1.3.21.169\npGoogleUpdate3.dll [No File]
FF Plugin HKU\S-1-5-21-909870766-1622110247-4080266991-1004: @tools.google.com/Google Update;version=3 -> C:\Documents and Settings\Manda\Local Settings\Application Data\Google\Update\1.3.28.13\npGoogleUpdate3.dll [No File]
FF Plugin HKU\S-1-5-21-909870766-1622110247-4080266991-1004: @tools.google.com/Google Update;version=9 -> C:\Documents and Settings\Manda\Local Settings\Application Data\Google\Update\1.3.28.13\npGoogleUpdate3.dll [No File]
FF Extension: BarTab - C:\Documents and Settings\Manda\Application Data\Mozilla\Firefox\Profiles\es0ry1h7.default\Extensions\bartap@philikon.de [2010-12-05] [not signed]
FF Extension: BarTab Lite - C:\Documents and Settings\Manda\Application Data\Mozilla\Firefox\Profiles\es0ry1h7.default\Extensions\bartablite@philikon.de.xpi [2015-06-29]
FF ExtraCheck: C:\Program Files\mozilla firefox\defaults\pref\itms.js
CHR HKLM\...\Chrome\Extension: [gomekmidlodglbbmalcneegieacbdmki] - C:\Program Files\Alwil Software\Avast5\WebRep\Chrome\aswWebRepChrome.crx
R2 tmcomm; C:\WINDOWS\system32\drivers\tmcomm.sys [102664 2009-09-25] (Trend Micro Inc.)
S1 mailKmd; no ImagePath
U1 WS2IFSL; no ImagePath
U1 WS2IFSL; no ImagePath
C:\panda
C:\Documents and Settings\All Users\Application Data\Norton
C:\mbar
C:\WINDOWS\Tasks\OGALogon.job
C:\WINDOWS\ntbtlog.txt
C:\Program Files\GUT9.tmp
C:\Program Files\GUTB7.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\NEventMessages.dll
C:\Documents and Settings\Administrator\Pavark
CMD: netsh advfirewall reset /c
CMD: netsh advfirewall set allprofiles state ON /c
CMD: ipconfig /flushdns /c
CMD: netsh winsock reset catalog /c
CMD: netsh int ip reset c:\resetlog.txt  /c
CMD: ipconfig /release /c
CMD: ipconfig /renew /c
EmptyTemp:
CMD: bitsadmin /reset /allusers

Close Notepad.

NOTE: It's important that both files, FRST64 and fixlist.txt, are in the same location or the fix will not work.

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.

Run FRST64 and press the Fix button just once and wait.

If the tool needs a restart, please make sure you let the system restart normally and let the tool complete its run after the restart.

The tool will make a log on the Desktop (Fixlog.txt). Attach it to your reply.

Note: If the tool warns you about an outdated version, please download and run the updated version.

================================================================================================

ComboFix run:
Please be sure to run our tools with administrator rights.
* IMPORTANT 1: Place ComboFix.exe on your Desktop
* IMPORTANT 2: Ensure your external and/or USB drives are inserted during the scan

Next, download ComboFix and save it to the Desktop.

  • Disable all antivirus and antispyware programs. Get help here
  • Now, close all open windows
  • Double-click combofix.exe to run the program
  • Follow the prompts.
  • If the option is offered, it is in your best interest to allow the download and install of the Recovery Console when prompted.
  • When told that the RC is installed correctly, press YES to continue scanning for malware.
  • ComboFix will run. Please don't click on the window while the program is running, it may cause your system to stall.
  • CF may reboot the computer and resume running when it restarts.
  • When finished, a log, ComboFix.txt, is produced.

Please provide the contents of the ComboFix report in your reply.

 



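The fixlist in the post above removes several MountPoints2 entries that point at executables on removable drives (a RECYCLER folder, AutoRun.exe at a drive root) and a DLL sitting in a Temp directory. The following Python triage script is an added example, not part of this thread and not FRST's own code: it parses FRST-style file entries and MountPoints2 lines and flags those same patterns, so a reader can see why those lines were chosen for removal. The sample lines are copied from the FRST log and fixlist in this thread (the timestamps on the NEventMessages.dll line are constructed, since the log lists that file without dates); the decoding of the attribute letters (R/S/H/D) and the severity labels are my own assumptions.

```python
"""Triage helper for FRST-style log lines (added example; not FRST's own code)."""
import re
from dataclasses import dataclass
from typing import List, Optional

# File/folder entry as FRST prints it in the "One Month Created/Modified" sections:
#   <created> - <modified> - <size> <attrs> [(Company)] <path>
FILE_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - "
    r"(?P<size>\d+) (?P<attrs>[_A-Z]{5}) "
    r"(?:\((?P<company>[^)]*)\) )?"
    r"(?P<path>.+)$"
)

# MountPoints2 entry as it appears in the fixlist:
#   HKU\<SID>\...\MountPoints2: <key> - <target>
MP_RE = re.compile(
    r"^HKU\\(?P<sid>[^\\]+)\\\.\.\.\\MountPoints2: (?P<key>\S+) - (?P<target>.+)$"
)

# Meaning of the letters in FRST's 5-character attribute field. Assumption based on
# the entries in this thread: R=read-only, S=system, H=hidden, D=directory, '_'=unset.
ATTR_NAMES = {"R": "readonly", "S": "system", "H": "hidden", "D": "directory"}

EXEC_EXTS = {"exe", "dll", "sys", "scr", "com", "bat", "cmd", "vbs"}


@dataclass
class Finding:
    severity: str   # "info" | "medium" | "high" (labels are my own choice)
    reason: str
    path: str


def parse_file_entry(line: str) -> Optional[dict]:
    """Parse one FRST file/folder line into a dict, or return None if it is not one."""
    m = FILE_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    d["size"] = int(d["size"])
    d["attrs"] = {ATTR_NAMES[c] for c in d["attrs"] if c in ATTR_NAMES}
    d["company"] = d["company"] or ""
    return d


def is_executable(path: str) -> bool:
    return path.lower().rsplit(".", 1)[-1] in EXEC_EXTS


def triage_line(line: str) -> Optional[Finding]:
    """Return a Finding for a line that matches one of the removal patterns, else None."""
    m = MP_RE.match(line.strip())
    if m:
        target = m.group("target")
        # Executables parked inside a RECYCLER folder on a removable drive are the
        # classic hiding place of USB autorun worms (e.g. RECYCLERS\runmgr.exe above).
        if re.search(r"(^|\\)RECYCLERS?\\", target, re.IGNORECASE):
            return Finding("high", "MountPoints2 target inside a RECYCLER folder", target)
        # An .exe at the root of a removable drive is an autorun launcher; some are
        # legitimate vendor tools, so this only asks for review rather than alarm.
        if re.match(r"^[D-Z]:\\[^\\]+\.exe$", target, re.IGNORECASE):
            return Finding("medium", "MountPoints2 references an executable at a drive root", target)
        return None

    entry = parse_file_entry(line)
    if entry is None:
        return None
    path, lower = entry["path"], entry["path"].lower()
    if is_executable(path) and "\\temp\\" in lower:
        return Finding("medium", "executable/DLL stored in a Temp directory", path)
    # FOUND.xxx folders at a drive root are chkdsk recovery folders, not malware,
    # but they do show that the disk has been checked recently.
    if re.fullmatch(r"[a-z]:\\found\.\d{3}", lower) and "hidden" in entry["attrs"]:
        return Finding("info", "chkdsk recovery folder (FOUND.xxx), benign", path)
    return None


def triage(lines: List[str]) -> List[Finding]:
    return [f for f in (triage_line(l) for l in lines) if f is not None]


# Sample input: lines copied from the FRST log and fixlist in this thread; the
# timestamps on the NEventMessages.dll line are constructed, since the log only
# lists that file without dates.
SAMPLE_LINES = [
    r"2016-02-22 12:03 - 2016-02-22 12:03 - 00000000 __SHD C:\FOUND.013",
    r"2016-02-21 13:37 - 2016-02-21 22:07 - 00121560 _____ (Malwarebytes) C:\WINDOWS\system32\Drivers\mbamchameleon.sys",
    r"2016-02-21 23:02 - 2010-11-16 05:56 - 00000440 __RSH C:\Documents and Settings\All Users\ntuser.pol",
    r"2016-02-20 08:00 - 2016-02-20 08:00 - 00024576 _____ C:\Documents and Settings\Administrator\Local Settings\Temp\NEventMessages.dll",
    r"HKU\S-1-5-21-909870766-1622110247-4080266991-1004\...\MountPoints2: K - RECYCLERS\runmgr.exe",
    r"HKU\S-1-5-21-909870766-1622110247-4080266991-1004\...\MountPoints2: {4cefa870-6edc-11e0-9da8-000ae4f68fc9} - G:\AutoRun.exe",
    r"HKU\S-1-5-21-909870766-1622110247-4080266991-1004\...\MountPoints2: {ceb9d8c8-645b-11de-9d10-0016ce4f1f8d} - F:\RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013\isi32.exe",
]

if __name__ == "__main__":
    for f in triage(SAMPLE_LINES):
        print(f"[{f.severity:6}] {f.reason}: {f.path}")
```

Run as-is it prints one line per flagged entry. The drive-root .exe rule is deliberately only "medium": the thread's own list includes RunClubSanDisk.exe, a vendor launcher, next to the RECYCLER entries, which is why the helper cleared all the stale MountPoints2 keys rather than judging each one.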
#7 drjon

drjon
  • Topic Starter

  • Members
  • 71 posts
  • OFFLINE
  •  
  • Local time:04:04 AM

Posted 23 February 2016 - 07:55 PM

Hi, Yılmaz.

This is a 32-bit machine, so I am running FRST.exe not FRST64.exe. Is that okay?

I am having to use the Administrator account in Safe Mode to access the internet, because Firefox using my usual account "Manda" will not access the internet anymore.

I used the Admin account in Safe Mode to get the data for the fixlist and download ComboFix, and then logged out.

I then ran FRST.exe from the "Manda" account, in normal mode.

When I ran FRST.exe it processed for about 5 minutes and then crashed. I have attached the crash files.

Should I try running FRST again?

Thanks,

jon

Attached Files



#8 drjon

drjon
  • Topic Starter

  • Members
  • 71 posts
  • OFFLINE
  •  
  • Local time:04:04 AM

Posted 23 February 2016 - 08:49 PM

I have tried two more times, but FRST keeps crashing.

#9 olgun52

olgun52

  • Malware Response Team
  • 3,784 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:09:04 PM

Posted 23 February 2016 - 09:19 PM

Yes, okay. Run FRST.exe, not FRST64.exe.

Firefox does not open in normal mode, and can you not download in normal mode?
=====================================================================
Please delete Floola-win.zip if you see it.
==============================================

Please try to run ComboFix. If it does not run, run Malwarebytes.

===========================================

Scan with Malwarebytes Antimalware:

Please download Malwarebytes Anti-Malware to your desktop.

  • Double-click the downloaded setup file and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to the following:
  • Launch Malwarebytes Anti-Malware
  • A 14 day trial of the Premium features is pre-selected. You may deselect this if you wish, and it will not diminish the scanning and removal capabilities of the program.
  • Click Finish.

If the program is already installed:

  • Run Malwarebytes Antimalware
  • On the Dashboard, click the 'Update Now >>' link
  • After the update completes, click the 'Scan Now >>' button.
  • Or, on the Dashboard, click the Scan Now >> button.
  • If an update is available, click the Update Now button.
  • A Threat Scan will begin.
  • When the scan is complete, if there have been detections, click Apply Actions to allow MBAM to clean what was detected.
  • In most cases, a restart will be required.
  • Wait for the prompt to restart the computer to appear, then click on Yes.
  • After the restart once you are back at your desktop, open MBAM once more.
  • Click on the History tab > Application Logs.
  • Double click on the scan log which shows the Date and time of the scan just performed.
  • Click 'Copy to Clipboard'
  • Paste the contents of the clipboard into your reply


#10 drjon

drjon
  • Topic Starter

  • Members
  • 71 posts
  • OFFLINE
  •  
  • Local time:04:04 AM

Posted 23 February 2016 - 09:44 PM

Although it seems to connect to the internet in normal mode, I cannot open any web pages, and get no response to a ping.

I did a search, and found a Floola directory, but no file called "Floola-win.zip"

I am running ComboFix now. It could not connect to the Microsoft site to download the Recovery Console, but it is now scanning for infected files. I will leave another message when it is finished.

#11 olgun52

olgun52

  • Malware Response Team
  • 3,784 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:09:04 PM

Posted 24 February 2016 - 05:25 PM

Okay. I am waiting for the ComboFix log.


#12 drjon

drjon
  • Topic Starter

  • Members
  • 71 posts
  • OFFLINE
  •  
  • Local time:04:04 AM

Posted 24 February 2016 - 11:08 PM

I tried to run ComboFix about four times, but it hung every time. I was very careful not to touch the computer when it was running, and only restarted when the computer had no activity for over an hour.

I did manage to get FRST.exe to run properly. I have attached the log.

I have just run MBAM again, there was nothing detected, and no log generated.

Also, the Manda account internet access is working again.

I will post this, and then try and run ComboFix again.

Attached Files



#13 drjon

drjon
  • Topic Starter

  • Members
  • 71 posts
  • OFFLINE
  •  
  • Local time:04:04 AM

Posted 24 February 2016 - 11:30 PM

Also, MBAM was unable to create the Anti-Rootkit Driver. The error codes were:

SDKCreate failed with code 20023

and

Error: Malwarebytes was unable to create Anti-Rootkit Driver Error code 20025

#14 olgun52

olgun52

  • Malware Response Team
  • 3,784 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:09:04 PM

Posted 25 February 2016 - 02:45 PM

Try running ComboFix in safe mode.

I did not want you to run Malwarebytes Anti-Rootkit. I wanted a Malwarebytes Anti-Malware scan.
For the MBAM log:

Open the Malwarebytes software > History > Application Logs > MBAM Scan log



#15 drjon

drjon
  • Topic Starter

  • Members
  • 71 posts
  • OFFLINE
  •  
  • Local time:04:04 AM

Posted 25 February 2016 - 08:05 PM

Try running ComboFix in safe mode.

Error message: "This service cannot be started in safe mode".

I did not want you to run Malwarebytes Anti-Rootkit. I wanted a Malwarebytes Anti-Malware scan.

I'm not running the Anti-Rootkit, I'm running Malwarebytes Anti-Malware (v. 2.3.125.0). It is invoking the Anti-Rootkit Driver as part of the start-up process. Those are the error messages it's reporting before it goes on to run the anti-malware scan.

Open the Malwarebytes software > History > Application Logs > MBAM Scan log

There are no scan logs listed there. The list is empty.

Sorry about this.





