Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Possible mouse/keybord/explorer Malware/Virus


  • This topic is locked This topic is locked
6 replies to this topic

#1 Darcon

Darcon

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Local time:02:10 AM

Posted 29 February 2016 - 03:22 AM

Dear collegues,

 

Yesterday i was challenged with a strange occurance. While trying to change the quality of a youtube video, suddenly the video speeded up and started jumping up frames, finishing a 6 minutes video in matter of seconds, at the same time highlighting the progress bar blue. Wondering if it was something wrong with my Firefox, i wanted to search for updates, this is when i noticed that the curor position while writing is changing (mouse cursor is not moving, like a keyboard arrow button is pressed) and few things on my desktop are highlited automatically/simultaneously.

 

Issuse is still present after detaching the kmouse and keyboard from my PC

issue disapears after disconnecting my pc from the network

 

PC Scanned with:

 

Kasprsky Antyvirus,

Spybot S&D

Avira

HitmanPro

And at the end, right now when i grew desperate with combofix(AttacIhed)

If

anyone sees something suspicious, or has any further advise on how should i proceed i would be greatfull.

Attached Files


Edited by Darcon, 29 February 2016 - 03:28 AM.


BC AdBot (Login to Remove)

 


#2 nasdaq

nasdaq

  • Malware Response Team
  • 38,969 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:09:10 PM

Posted 29 February 2016 - 09:53 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

Download the version of this tool for your operating system.
Farbar Recovery Scan Tool (64 bit)
Farbar Recovery Scan Tool (32 bit)
and save it to a folder on your computer's Desktop.
Double-click to run it. When the tool opens click Yes to disclaimer.
Press Scan button.
It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
The first time the tool is run, it makes also another log (Addition.txt). Please attach it to your reply.

How to attach a file to your reply:
In the Reply section in the bottom of the topic Click the "more reply Options" button.
attachlogs.png

Attach the file.
Select the "Choose a File" navigate to the location of the File.
Click the file you wish to Attach.

Click the Add reply button.
===


Please post the logs and wait for furthers instructions.

#3 Darcon

Darcon
  • Topic Starter

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Local time:02:10 AM

Posted 29 February 2016 - 11:29 AM

Hello Nasdaq,

 

Thank you very much for your answer. Below the FRST log. If any translation to english is needed please let me know, i'll try to update a translated log soon (unfortunately, FRST did not let me choose a language version)

 

 

Rezultaty skanowania Farbar Recovery Scan Tool (FRST) (x64) Wersja:27-02-2016
Uruchomiony przez Admin (administrator)  TURBOS (29-02-2016 17:18:52)
Uruchomiony z C:\Users\Admin\Desktop
Załadowane profile: Admin (Dostępne profile: Admin)
Platform: Windows 7 Home Premium Service Pack 1 (X64) Język: Polski (Polska)
Internet Explorer Wersja 11 (Domyślna przeglądarka: FF)
Tryb startu: Normal
Instrukcja obsługi Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Procesy (filtrowane) =================

(Załączenie wejścia w fixlist spowoduje zamknięcie procesu. Powiązany plik nie zostanie przeniesiony.)

(NVIDIA Corporation) C:\Windows\System32\nvvsvc.exe
(NVIDIA Corporation) C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
(Intel Corporation) C:\Windows\System32\igfxCUIService.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe
(NVIDIA Corporation) C:\Windows\System32\nvvsvc.exe
(Avira Operations GmbH & Co. KG) C:\Program Files (x86)\Avira\Antivirus\sched.exe
(Avira Operations GmbH & Co. KG) C:\Program Files (x86)\Avira\Antivirus\avguard.exe
(Kaspersky Lab ZAO) C:\Program Files (x86)\Kaspersky Lab\Kaspersky Anti-Virus 16.0.0 (1)\avp.exe
() C:\Program Files (x86)\Gigabyte\AppCenter\AdjustService.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe
(NVIDIA Corporation) C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamService.exe
(Samsung Electronics Co., Ltd.) C:\Windows\System32\RAPID\SamsungRapidSvc.exe
(Safer-Networking Ltd.) C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe
(Safer-Networking Ltd.) C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe
(Avira Operations GmbH & Co. KG) C:\Program Files (x86)\Avira\Launcher\Avira.ServiceHost.exe
(Safer-Networking Ltd.) C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe
(Kaspersky Lab ZAO) C:\Program Files (x86)\Kaspersky Lab\Kaspersky Anti-Virus 16.0.0 (1)\avpui.exe
(Avira Operations GmbH & Co. KG) C:\Program Files (x86)\Avira\Antivirus\avshadow.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe
(Microsoft Corporation) C:\Windows\Microsoft.NET\Framework64\v3.0\WPF\PresentationFontCache.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamUserAgent.exe
(NVIDIA Corporation) C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe
() C:\Program Files (x86)\Gigabyte\AppCenter\ApCent.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe
(Samsung Electronics Co., Ltd.) C:\Program Files (x86)\Samsung\RAPID\CacheFilter\SamsungRapidApp.exe
(Safer-Networking Ltd.) C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe
(Avira Operations GmbH & Co. KG) C:\Program Files (x86)\Avira\Antivirus\avgnt.exe
(NVIDIA Corporation) C:\Users\Admin\AppData\Local\NVIDIA\NvBackend\ApplicationOntology\NvOAWrapperCache.exe
(Avira Operations GmbH & Co. KG) C:\Program Files (x86)\Avira\Launcher\Avira.Systray.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\Display\nvtray.exe
(Microsoft Corporation) C:\Windows\System32\GWX\GWX.exe
(Mozilla Corporation) C:\Program Files (x86)\Mozilla Firefox\firefox.exe
(Samsung Electronics.) C:\Program Files (x86)\Samsung\Samsung Magician\Samsung Magician.exe
(Microsoft Corporation) C:\Windows\SysWOW64\wbem\WmiPrvSE.exe
(Intel Corporation) C:\Program Files\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe
(AO Kaspersky Lab) C:\Program Files (x86)\Kaspersky Lab\Kaspersky Anti-Virus 16.0.0 (1)\x64\wmi64.exe
(Intel Corporation) C:\Program Files\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe


==================== Rejestr (filtrowane) ===========================

(Załączenie wejścia w fixlist spowoduje usunięcie obiektu z rejestru lub przywrócenie jego domyślnej postaci. Powiązany plik nie zostanie przeniesiony.)

HKLM\...\Run: [RTHDVCPL] => C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe [7611608 2014-05-27] (Realtek Semiconductor)
HKLM\...\Run: [IAStorIcon] => C:\Program Files\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe [287592 2014-04-11] (Intel Corporation)
HKLM\...\Run: [NvBackend] => C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe [2787264 2016-01-12] (NVIDIA Corporation)
HKLM\...\Run: [ShadowPlay] => "C:\Windows\system32\rundll32.exe" C:\Windows\system32\nvspcap64.dll,ShadowPlayOnSystemStart
HKLM\...\Run: [SamsungRapidApp] => C:\Program Files (x86)\Samsung\RAPID\CacheFilter\SamsungRapidApp.exe [281776 2014-09-16] (Samsung Electronics Co., Ltd.)
HKLM-x32\...\Run: [SDTray] => C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe [4101576 2014-06-24] (Safer-Networking Ltd.)
HKLM-x32\...\Run: [Avira SystrayStartTrigger] => C:\Program Files (x86)\Avira\Launcher\Avira.SystrayStartTrigger.exe [66328 2016-01-27] (Avira Operations GmbH & Co. KG)
HKLM-x32\...\Run: [avgnt] => C:\Program Files (x86)\Avira\Antivirus\avgnt.exe [804168 2016-02-17] (Avira Operations GmbH & Co. KG)
HKLM-x32\...\RunOnce: [PreRun] => C:\Program Files (x86)\Gigabyte\AppCenter\PreRun.exe [8192 2013-04-29] ()
Winlogon\Notify\SDWinLogon-x32: SDWinLogon.dll [X]
HKU\S-1-5-21-2768662842-2389292975-1816572339-1000\...\Run: [SpybotPostWindows10UpgradeReInstall] => C:\Program Files\Common Files\AV\Spybot - Search and Destroy\Test.exe [1011200 2015-07-28] (Safer-Networking Ltd.)
ShellIconOverlayIdentifiers: [00avast] -> {472083B0-C522-11CF-8763-00608CC02F24} =>  Brak pliku
BootExecute: autocheck autochk * sdnclean64.exe

==================== Internet (filtrowane) ====================

(Załączenie wejścia w fixlist, w przypadku gdy jest to obiekt rejestru, spowoduje usunięcie go z rejestru lub przywrócenie jego domyślnej postaci.)

Hosts: 127.0.0.1 validation.sls.microsoft.com
Tcpip\Parameters: [DhcpNameServer] 192.168.0.1
Tcpip\..\Interfaces\{12D231DE-6B5F-431A-B33E-399346B82464}: [DhcpNameServer] 217.173.193.3 217.173.193.11
Tcpip\..\Interfaces\{4105E621-6C05-42C4-AF68-E191B26DE244}: [DhcpNameServer] 192.168.0.1

Internet Explorer:
==================
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Ograniczenia <======= UWAGA
HKU\S-1-5-21-2768662842-2389292975-1816572339-1000\SOFTWARE\Policies\Microsoft\Internet Explorer: Ograniczenia <======= UWAGA
HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = hxxps://search.avira.net/#web/result?source=art&q=
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.msn.com/
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Search Page =
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Page_URL =
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Search_URL =
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=msnhome
HKU\S-1-5-21-2768662842-2389292975-1816572339-1000\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.msn.com/
HKU\S-1-5-21-2768662842-2389292975-1816572339-1000\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
SearchScopes: HKLM -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKLM-x32 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
BHO: Java™ Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files\Java\jre1.8.0_73\bin\ssv.dll [2016-02-06] (Oracle Corporation)
BHO: Kaspersky Protection plugin -> {C66D064F-82FE-4E1A-B06A-B2490BA48B18} -> C:\Program Files (x86)\Kaspersky Lab\Kaspersky Anti-Virus 16.0.0 (1)\x64\IEExt\ie_plugin.dll [2015-12-07] (AO Kaspersky Lab)
BHO: Java™ Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files\Java\jre1.8.0_73\bin\jp2ssv.dll [2016-02-06] (Oracle Corporation)
Toolbar: HKLM - Kaspersky Protection toolbar - {3507FA00-ADA2-4A02-99B9-51AD26CA9120} - C:\Program Files (x86)\Kaspersky Lab\Kaspersky Anti-Virus 16.0.0 (1)\x64\IEExt\ie_plugin.dll [2015-12-07] (AO Kaspersky Lab)

FireFox:
========
FF ProfilePath: C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ne2sdtvq.default
FF Plugin: @adobe.com/FlashPlayer -> C:\Windows\system32\Macromed\Flash\NPSWF64_20_0_0_306.dll [2016-02-10] ()
FF Plugin: @java.com/DTPlugin,version=11.73.2 -> C:\Program Files\Java\jre1.8.0_73\bin\dtplugin\npDeployJava1.dll [2016-02-06] (Oracle Corporation)
FF Plugin: @java.com/JavaPlugin,version=11.73.2 -> C:\Program Files\Java\jre1.8.0_73\bin\plugin2\npjp2.dll [2016-02-06] (Oracle Corporation)
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> C:\Program Files\Microsoft Silverlight\5.1.40728.0\npctrl.dll [2015-07-28] ( Microsoft Corporation)
FF Plugin-x32: @adobe.com/FlashPlayer -> C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_20_0_0_306.dll [2016-02-10] ()
FF Plugin-x32: @java.com/DTPlugin,version=11.73.2 -> C:\Program Files (x86)\Java\jre1.8.0_73\bin\dtplugin\npDeployJava1.dll [2016-02-06] (Oracle Corporation)
FF Plugin-x32: @java.com/JavaPlugin,version=11.73.2 -> C:\Program Files (x86)\Java\jre1.8.0_73\bin\plugin2\npjp2.dll [2016-02-06] (Oracle Corporation)
FF Plugin-x32: @Microsoft.com/NpCtrl,version=1.0 -> C:\Program Files (x86)\Microsoft Silverlight\5.1.40728.0\npctrl.dll [2015-07-28] ( Microsoft Corporation)
FF Plugin-x32: @nvidia.com/3DVision -> C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dv.dll [2016-01-23] (NVIDIA Corporation)
FF Plugin-x32: @nvidia.com/3DVisionStreaming -> C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dvstreaming.dll [2016-01-23] (NVIDIA Corporation)
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.29.5\npGoogleUpdate3.dll [2016-02-02] (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.29.5\npGoogleUpdate3.dll [2016-02-02] (Google Inc.)
FF Plugin-x32: @videolan.org/vlc,version=2.2.0 -> C:\Program Files (x86)\VideoLAN\VLC\npvlc.dll [2015-04-13] (VideoLAN)
FF Plugin-x32: @videolan.org/vlc,version=2.2.1 -> C:\Program Files (x86)\VideoLAN\VLC\npvlc.dll [2015-04-13] (VideoLAN)
FF Plugin-x32: Adobe Reader -> C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AIR\nppdf32.dll [2015-12-18] (Adobe Systems Inc.)
FF Extension: Avira Browser Safety - C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ne2sdtvq.default\Extensions\abs@avira.com [2016-02-28]
FF Extension: Avira Browser Safety - C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ne2sdtvq.default\Extensions\abs@avira.com.xpi [2016-02-28]
FF Extension: Adblock Plus - C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ne2sdtvq.default\Extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}.xpi [2016-02-24]
FF HKLM-x32\...\Firefox\Extensions: [light_plugin_D772DC8D6FAF43A29B25C4EBAA5AD1DE@kaspersky.com] - C:\Program Files (x86)\Kaspersky Lab\Kaspersky Anti-Virus 16.0.0 (1)\FFExt\light_plugin_firefox
FF Extension: Kaspersky Protection - C:\Program Files (x86)\Kaspersky Lab\Kaspersky Anti-Virus 16.0.0 (1)\FFExt\light_plugin_firefox [2016-02-28]

Chrome:
=======
CHR StartupUrls: Default -> "hxxp://www.google.com/"
CHR Plugin: (Shockwave Flash) - C:\Program Files (x86)\Google\Chrome\Application\47.0.2526.80\PepperFlash\pepflashplayer.dll => Brak pliku
CHR Plugin: (Native Client) - C:\Program Files (x86)\Google\Chrome\Application\47.0.2526.80\ppGoogleNaClPluginChrome.dll => Brak pliku
CHR Plugin: (Chrome PDF Viewer) - C:\Program Files (x86)\Google\Chrome\Application\47.0.2526.80\pdf.dll => Brak pliku
CHR Plugin: (Google Update) - C:\Program Files (x86)\Google\Update\1.3.21.115\npGoogleUpdate3.dll => Brak pliku
CHR Profile: C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default
CHR Extension: (Avira Browser Safety) - C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\flliilndjeohchalpbbcdekjklbdgfkk [2015-12-09]
CHR Extension: (Płatności w sklepie Chrome Web Store) - C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2015-12-09]
CHR HKLM\...\Chrome\Extension: [eahebamiopdhefndnmappcihfajigkka] - hxxps://chrome.google.com/webstore/detail/eahebamiopdhefndnmappcihfajigkka
CHR HKLM\...\Chrome\Extension: [flliilndjeohchalpbbcdekjklbdgfkk] - hxxps://clients2.google.com/service/update2/crx
CHR HKLM-x32\...\Chrome\Extension: [eahebamiopdhefndnmappcihfajigkka] - hxxps://chrome.google.com/webstore/detail/eahebamiopdhefndnmappcihfajigkka
CHR HKLM-x32\...\Chrome\Extension: [flliilndjeohchalpbbcdekjklbdgfkk] - hxxps://clients2.google.com/service/update2/crx

==================== Usługi (filtrowane) ========================

(Załączenie wejścia w fixlist spowoduje jego usunięcie z rejestru. Powiązany plik nie zostanie przeniesiony, o ile nie zostanie załączony z osobna.)

S2 AntiVirMailService; C:\Program Files (x86)\Avira\Antivirus\avmailc7.exe [948392 2016-02-17] (Avira Operations GmbH & Co. KG)
R2 AntiVirSchedulerService; C:\Program Files (x86)\Avira\Antivirus\sched.exe [466408 2016-02-17] (Avira Operations GmbH & Co. KG)
R2 AntiVirService; C:\Program Files (x86)\Avira\Antivirus\avguard.exe [466408 2016-02-17] (Avira Operations GmbH & Co. KG)
S2 AntiVirWebService; C:\Program Files (x86)\Avira\Antivirus\avwebg7.exe [1417592 2016-02-17] (Avira Operations GmbH & Co. KG)
S4 AppleChargerSrv; C:\Windows\System32\AppleChargerSrv.exe [31272 2010-04-06] ()
R2 Avira.ServiceHost; C:\Program Files (x86)\Avira\Launcher\Avira.ServiceHost.exe [260456 2016-01-27] (Avira Operations GmbH & Co. KG)
R2 AVP16.0.0; C:\Program Files (x86)\Kaspersky Lab\Kaspersky Anti-Virus 16.0.0 (1)\avp.exe [194000 2015-12-07] (Kaspersky Lab ZAO)
S4 Disc Soft Lite Bus Service; D:\Program Files (x86)\DAEMON Tools Lite\DiscSoftBusService.exe [1368408 2015-11-30] (Disc Soft Ltd)
S4 Futuremark SystemInfo Service; C:\Program Files (x86)\Futuremark\SystemInfo\FMSISvc.exe [342240 2015-05-06] (Futuremark)
R2 gadjservice; C:\Program Files (x86)\Gigabyte\AppCenter\AdjustService.exe [16896 2015-04-14] () [Brak podpisu cyfrowego]
S3 GalaxyClientService; C:\Program Files (x86)\GalaxyClient\GalaxyClientService.exe [1616440 2015-10-15] (GOG.com)
S3 GalaxyCommunication; C:\ProgramData\GOG.com\Galaxy\redists\GalaxyCommunication.exe [7220792 2016-01-29] (GOG.com)
R2 GfExperienceService; C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe [1163200 2016-01-12] (NVIDIA Corporation)
R2 IAStorDataMgrSvc; C:\Program Files\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe [16232 2014-04-11] (Intel Corporation)
R2 igfxCUIService1.0.0.0; C:\Windows\system32\igfxCUIService.exe [345864 2015-03-19] (Intel Corporation)
R2 NvNetworkService; C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe [1879488 2016-01-12] (NVIDIA Corporation)
R3 NvStreamNetworkSvc; C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe [6308288 2016-01-12] (NVIDIA Corporation)
R2 NvStreamSvc; C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamService.exe [4812736 2016-01-12] (NVIDIA Corporation)
R2 SamsungRapidSvc; C:\Windows\System32\RAPID\SamsungRapidSvc.exe [28848 2014-09-16] (Samsung Electronics Co., Ltd.)
R2 SDScannerService; C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe [1738168 2014-06-24] (Safer-Networking Ltd.)
R2 SDUpdateService; C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe [2088408 2014-06-27] (Safer-Networking Ltd.)
R2 SDWSCService; C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe [171928 2014-04-25] (Safer-Networking Ltd.)
S3 vssbrigde64; C:\Program Files (x86)\Kaspersky Lab\Kaspersky Anti-Virus 16.0.0 (1)\x64\vssbridge64.exe [144640 2015-07-09] (AO Kaspersky Lab)
S3 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [1011712 2013-05-27] (Microsoft Corporation)

===================== Sterowniki (filtrowane) ==========================

(Załączenie wejścia w fixlist spowoduje jego usunięcie z rejestru. Powiązany plik nie zostanie przeniesiony, o ile nie zostanie załączony z osobna.)

R1 AppleCharger; C:\Windows\System32\DRIVERS\AppleCharger.sys [22240 2013-10-28] ()
U5 AppMgmt; C:\Windows\system32\svchost.exe [27136 2009-07-14] (Microsoft Corporation)
R2 avgntflt; C:\Windows\System32\DRIVERS\avgntflt.sys [162072 2016-02-17] (Avira Operations GmbH & Co. KG)
R1 avipbb; C:\Windows\System32\DRIVERS\avipbb.sys [140448 2016-02-17] (Avira Operations GmbH & Co. KG)
R1 avkmgr; C:\Windows\System32\DRIVERS\avkmgr.sys [28600 2016-02-17] (Avira Operations GmbH & Co. KG)
R2 avnetflt; C:\Windows\System32\DRIVERS\avnetflt.sys [75472 2016-02-17] (Avira Operations GmbH & Co. KG)
R0 cm_km; C:\Windows\System32\DRIVERS\cm_km.sys [389816 2015-07-06] (Kaspersky Lab ZAO)
R3 dtlitescsibus; C:\Windows\System32\DRIVERS\dtlitescsibus.sys [30264 2015-12-09] (Disc Soft Ltd)
R3 dtliteusbbus; C:\Windows\System32\DRIVERS\dtliteusbbus.sys [46392 2015-12-09] (Disc Soft Ltd)
S3 ebdrv; C:\Windows\system32\drivers\evbda.sys [3286016 2009-06-10] (Broadcom Corporation)
S3 etocdrv; C:\Windows\etocdrv.sys [15584 2013-10-30] (Giga-Byte Technology CO., LTD.)
R1 HWiNFO32; C:\Windows\system32\drivers\HWiNFO64A.SYS [27552 2015-04-07] (REALiX™)
R0 iaStorF; C:\Windows\System32\DRIVERS\iaStorF.sys [28008 2014-04-11] (Intel Corporation)
R0 kl1; C:\Windows\System32\DRIVERS\kl1.sys [478392 2015-06-22] (Kaspersky Lab ZAO)
R0 klbackupdisk; C:\Windows\System32\DRIVERS\klbackupdisk.sys [53432 2015-06-06] (Kaspersky Lab ZAO)
R1 klbackupflt; C:\Windows\System32\DRIVERS\klbackupflt.sys [70000 2015-06-27] (Kaspersky Lab ZAO)
R2 kldisk; C:\Windows\System32\DRIVERS\kldisk.sys [68280 2015-06-06] (Kaspersky Lab ZAO)
R3 klflt; C:\Windows\System32\DRIVERS\klflt.sys [181640 2015-12-07] (AO Kaspersky Lab)
R1 klhk; C:\Windows\System32\DRIVERS\klhk.sys [227000 2015-12-07] (AO Kaspersky Lab)
R1 KLIF; C:\Windows\System32\DRIVERS\klif.sys [940928 2015-12-07] (AO Kaspersky Lab)
R1 KLIM6; C:\Windows\System32\DRIVERS\klim6.sys [39096 2015-06-11] (Kaspersky Lab ZAO)
R3 klkbdflt; C:\Windows\System32\DRIVERS\klkbdflt.sys [41144 2015-06-06] (Kaspersky Lab ZAO)
R3 klmouflt; C:\Windows\System32\DRIVERS\klmouflt.sys [41648 2015-06-07] (Kaspersky Lab ZAO)
R1 klpd; C:\Windows\System32\DRIVERS\klpd.sys [41352 2015-12-07] (AO Kaspersky Lab)
R1 kltdi; C:\Windows\System32\DRIVERS\kltdi.sys [65208 2015-06-11] (Kaspersky Lab ZAO)
R1 Klwtp; C:\Windows\System32\DRIVERS\klwtp.sys [103096 2015-06-16] (Kaspersky Lab ZAO)
R1 kneps; C:\Windows\System32\DRIVERS\kneps.sys [187056 2015-06-23] (Kaspersky Lab ZAO)
R3 MEIx64; C:\Windows\System32\DRIVERS\TeeDriverx64.sys [129312 2014-09-30] (Intel Corporation)
R3 NvStreamKms; C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamKms.sys [26560 2016-01-12] (NVIDIA Corporation)
R3 nvvad_WaveExtensible; C:\Windows\System32\drivers\nvvad64v.sys [47760 2015-12-18] (NVIDIA Corporation)
R0 SamsungRapidDiskFltr; C:\Windows\System32\DRIVERS\SamsungRapidDiskFltr.sys [268976 2014-09-16] (Samsung Electronics Co., Ltd.)
R0 SamsungRapidFSFltr; C:\Windows\System32\DRIVERS\SamsungRapidFSFltr.sys [111280 2014-09-16] (Samsung Electronics Co., Ltd.)
R3 ssdevfactory; C:\Windows\System32\DRIVERS\ssdevfactory.sys [32792 2015-09-29] (SteelSeries ApS)
R3 sshid; C:\Windows\System32\DRIVERS\sshid.sys [51400 2016-02-02] (SteelSeries ApS)
S1 UsbCharger; C:\Windows\System32\DRIVERS\UsbCharger.sys [22240 2013-10-24] ()
S3 catchme; \??\C:\ComboFix\catchme.sys [X]
U4 klkbdflt2; system32\DRIVERS\klkbdflt2.sys [X]

==================== NetSvcs (filtrowane) ===================

(Załączenie wejścia w fixlist spowoduje jego usunięcie z rejestru. Powiązany plik nie zostanie przeniesiony, o ile nie zostanie załączony z osobna.)


==================== Jeden miesiąc - utworzone pliki i foldery ========

(Załączenie wejścia w fixlist spowoduje przeniesienie pliku/folderu.)

2016-02-29 17:18 - 2016-02-29 17:19 - 00020263 _____ C:\Users\Admin\Desktop\FRST.txt
2016-02-29 17:18 - 2016-02-29 17:18 - 00000000 ____D C:\FRST
2016-02-29 17:17 - 2016-02-29 17:17 - 02371072 _____ (Farbar) C:\Users\Admin\Desktop\FRST64.exe
2016-02-29 09:24 - 2016-02-29 09:29 - 00000254 _____ C:\Users\Admin\Desktop\Link do strony.txt
2016-02-29 09:06 - 2016-02-29 09:06 - 00028383 _____ C:\ComboFix.txt
2016-02-29 09:01 - 2011-06-26 07:45 - 00256000 _____ C:\Windows\PEV.exe
2016-02-29 09:01 - 2010-11-07 18:20 - 00208896 _____ C:\Windows\MBR.exe
2016-02-29 09:01 - 2009-04-20 05:56 - 00060416 _____ (NirSoft) C:\Windows\NIRCMD.exe
2016-02-29 09:01 - 2000-08-31 01:00 - 00518144 _____ (SteelWerX) C:\Windows\SWREG.exe
2016-02-29 09:01 - 2000-08-31 01:00 - 00406528 _____ (SteelWerX) C:\Windows\SWSC.exe
2016-02-29 09:01 - 2000-08-31 01:00 - 00098816 _____ C:\Windows\sed.exe
2016-02-29 09:01 - 2000-08-31 01:00 - 00080412 _____ C:\Windows\grep.exe
2016-02-29 09:01 - 2000-08-31 01:00 - 00068096 _____ C:\Windows\zip.exe
2016-02-29 08:59 - 2016-02-29 09:06 - 00000000 ____D C:\Qoobox
2016-02-29 08:59 - 2016-02-29 09:05 - 00000000 ____D C:\Windows\erdnt
2016-02-29 08:33 - 2016-02-29 08:38 - 00000000 ____D C:\ProgramData\HitmanPro
2016-02-29 08:23 - 2016-02-28 23:42 - 00000864 _____ C:\Windows\system32\Drivers\etc\hosts.20160229-082343.backup
2016-02-29 08:20 - 2016-02-28 23:42 - 00000864 _____ C:\Windows\system32\Drivers\etc\hosts.20160229-082021.backup
2016-02-28 23:51 - 2016-02-28 23:51 - 00000000 ____D C:\Users\Admin\AppData\Roaming\Avira
2016-02-28 23:51 - 2016-02-17 08:41 - 00162072 _____ (Avira Operations GmbH & Co. KG) C:\Windows\system32\Drivers\avgntflt.sys
2016-02-28 23:51 - 2016-02-17 08:41 - 00140448 _____ (Avira Operations GmbH & Co. KG) C:\Windows\system32\Drivers\avipbb.sys
2016-02-28 23:51 - 2016-02-17 08:41 - 00075472 _____ (Avira Operations GmbH & Co. KG) C:\Windows\system32\Drivers\avnetflt.sys
2016-02-28 23:51 - 2016-02-17 08:41 - 00028600 _____ (Avira Operations GmbH & Co. KG) C:\Windows\system32\Drivers\avkmgr.sys
2016-02-28 23:50 - 2016-02-28 23:51 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Avira
2016-02-28 23:50 - 2016-02-28 23:51 - 00000000 ____D C:\ProgramData\Avira
2016-02-28 23:50 - 2016-02-28 23:51 - 00000000 ____D C:\Program Files (x86)\Avira
2016-02-28 23:50 - 2016-02-28 23:50 - 00001223 _____ C:\Users\Public\Desktop\Avira Launcher.lnk
2016-02-28 23:13 - 2016-02-28 23:13 - 00000000 ____D C:\Program Files\Common Files\AV
2016-02-28 23:13 - 2015-07-28 17:52 - 00821920 _____ (Safer-Networking Ltd. ) C:\Users\Public\Desktop\Post Win10 Spybot-install.exe
2016-02-28 23:12 - 2016-02-29 08:16 - 00000000 ____D C:\ProgramData\Spybot - Search & Destroy
2016-02-28 23:12 - 2016-02-28 23:14 - 00000000 ____D C:\Program Files (x86)\Spybot - Search & Destroy 2
2016-02-28 23:12 - 2016-02-28 23:12 - 00001422 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Spybot-S&D Start Center.lnk
2016-02-28 23:12 - 2016-02-28 23:12 - 00001410 _____ C:\Users\Public\Desktop\Spybot-S&D Start Center.lnk
2016-02-28 23:12 - 2016-02-28 23:12 - 00000000 ____D C:\Windows\System32\Tasks\Safer-Networking
2016-02-28 23:12 - 2016-02-28 23:12 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Spybot - Search & Destroy 2
2016-02-28 23:12 - 2013-09-20 10:49 - 00021040 _____ (Safer Networking Limited) C:\Windows\system32\sdnclean64.exe
2016-02-28 23:06 - 2016-02-28 23:06 - 00000000 ____D C:\Users\Admin\Downloads\backups
2016-02-28 23:04 - 2016-02-28 23:04 - 00388608 _____ (Trend Micro Inc.) C:\Users\Admin\Downloads\HijackThis_2.0.4.exe
2016-02-28 22:39 - 2016-02-28 22:39 - 00002144 _____ C:\Users\Public\Desktop\Kaspersky Anti-Virus.lnk
2016-02-28 22:39 - 2016-02-28 22:39 - 00000000 ____D C:\Windows\ELAMBKUP
2016-02-28 22:39 - 2016-02-28 22:39 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Kaspersky Anti-Virus
2016-02-28 22:39 - 2015-12-07 19:54 - 00940928 _____ (AO Kaspersky Lab) C:\Windows\system32\Drivers\klif.sys
2016-02-28 22:39 - 2015-12-07 19:54 - 00227000 _____ (AO Kaspersky Lab) C:\Windows\system32\Drivers\klhk.sys
2016-02-28 22:39 - 2015-12-07 19:54 - 00181640 _____ (AO Kaspersky Lab) C:\Windows\system32\Drivers\klflt.sys
2016-02-28 22:39 - 2013-05-06 08:13 - 00110176 _____ (Kaspersky Lab ZAO) C:\Windows\system32\klfphc.dll
2016-02-28 21:25 - 2016-02-29 17:16 - 00000000 ____D C:\ProgramData\Kaspersky Lab
2016-02-28 21:25 - 2016-02-28 22:39 - 00000000 ____D C:\Program Files (x86)\Kaspersky Lab
2016-02-12 06:06 - 2016-02-13 07:40 - 00000000 ____D C:\Program Files (x86)\Mozilla Firefox
2016-02-06 18:34 - 2016-02-06 18:33 - 00110176 _____ (Oracle Corporation) C:\Windows\SysWOW64\WindowsAccessBridge-64.dll
2016-02-02 19:09 - 2016-02-02 19:09 - 00051400 _____ (SteelSeries ApS) C:\Windows\system32\Drivers\sshid.sys
2016-02-02 19:09 - 2016-02-02 19:09 - 00025656 _____ (Windows ® Win 7 DDK provider) C:\Windows\system32\Drivers\hidkmdf.sys
2016-01-31 15:43 - 2016-01-31 15:43 - 00000008 _____ C:\Users\Admin\Documents\jajajajaja...txt
2016-01-30 22:43 - 2016-01-31 10:24 - 00000000 ____D C:\Users\Admin\AppData\Local\dxhr
2016-01-30 22:43 - 2016-01-30 22:43 - 00000000 ____D C:\Users\Admin\AppData\Local\238010

==================== Jeden miesiąc - zmodyfikowane pliki i foldery ========

(Załączenie wejścia w fixlist spowoduje przeniesienie pliku/folderu.)

2016-02-29 17:17 - 2015-04-03 18:11 - 00001048 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2016-02-29 17:16 - 2015-04-03 18:24 - 00026192 _____ (Windows ® Server 2003 DDK provider) C:\Windows\gdrv.sys
2016-02-29 17:16 - 2015-04-03 18:11 - 00001044 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2016-02-29 17:16 - 2015-04-03 12:36 - 00000000 ____D C:\ProgramData\NVIDIA
2016-02-29 17:16 - 2009-07-14 06:08 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2016-02-29 09:12 - 2009-07-14 05:45 - 00030928 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2016-02-29 09:12 - 2009-07-14 05:45 - 00030928 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2016-02-29 09:10 - 2011-02-04 18:20 - 00741090 _____ C:\Windows\system32\perfh015.dat
2016-02-29 09:10 - 2011-02-04 18:20 - 00156162 _____ C:\Windows\system32\perfc015.dat
2016-02-29 09:10 - 2009-07-14 06:13 - 01672416 _____ C:\Windows\system32\PerfStringBackup.INI
2016-02-29 09:10 - 2009-07-14 04:20 - 00000000 ____D C:\Windows\inf
2016-02-29 09:04 - 2009-07-14 03:34 - 00000215 _____ C:\Windows\system.ini
2016-02-29 08:38 - 2015-04-03 12:41 - 00000930 _____ C:\Windows\Tasks\Adobe Flash Player Updater.job
2016-02-28 23:50 - 2015-04-03 18:13 - 00000000 ____D C:\ProgramData\Package Cache
2016-02-28 22:46 - 2015-12-27 19:58 - 00000000 ____D C:\Users\Admin\AppData\Roaming\steelseries-engine-3-client
2016-02-28 22:44 - 2015-04-03 18:24 - 00025640 _____ (Windows ® Server 2003 DDK provider) C:\Windows\etdrv.sys
2016-02-28 22:27 - 2015-04-03 18:07 - 00000000 ____D C:\Users\Admin
2016-02-28 22:26 - 2015-05-03 19:31 - 00000000 ___SD C:\Windows\system32\GWX
2016-02-28 22:26 - 2015-04-19 12:09 - 00000000 ____D C:\Users\Admin\AppData\Roaming\vlc
2016-02-28 22:26 - 2015-04-05 17:59 - 00000000 ____D C:\Users\Admin\AppData\Roaming\Battle.net
2016-02-28 22:26 - 2009-07-14 04:20 - 00000000 ____D C:\Windows\registration
2016-02-28 11:59 - 2015-04-05 17:59 - 00000000 ____D C:\Users\Admin\AppData\Local\Battle.net
2016-02-27 13:02 - 2015-04-05 17:53 - 00000000 ____D C:\Users\Admin\AppData\Local\Steam
2016-02-27 12:55 - 2015-04-03 13:16 - 00000000 __SHD C:\Users\Admin\IntelGraphicsProfiles
2016-02-26 23:27 - 2015-04-06 11:35 - 00000000 ____D C:\Users\Admin\AppData\Roaming\qBittorrent
2016-02-26 20:56 - 2015-04-06 19:14 - 00000000 ____D C:\Users\Admin\AppData\Roaming\TS3Client
2016-02-20 08:18 - 2015-04-03 18:11 - 00002227 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome.lnk
2016-02-19 09:42 - 2015-11-14 22:19 - 00002471 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Acrobat Reader DC.lnk
2016-02-18 07:44 - 2015-12-27 20:52 - 00000000 ____D C:\Users\Admin\AppData\Local\CrashDumps
2016-02-17 21:34 - 2015-04-05 17:58 - 00000000 ____D C:\ProgramData\Battle.net
2016-02-13 07:40 - 2015-04-03 12:38 - 00000000 ____D C:\Program Files (x86)\Mozilla Maintenance Service
2016-02-10 19:38 - 2015-04-03 12:41 - 00796864 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2016-02-10 19:38 - 2015-04-03 12:41 - 00142528 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
2016-02-10 19:38 - 2015-04-03 12:41 - 00003868 _____ C:\Windows\System32\Tasks\Adobe Flash Player Updater
2016-02-06 18:34 - 2015-08-28 15:00 - 00000000 ____D C:\Users\Admin\.oracle_jre_usage
2016-02-06 18:34 - 2015-04-03 12:39 - 00000000 ____D C:\ProgramData\Oracle
2016-02-06 18:34 - 2015-04-03 12:39 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Java
2016-02-06 18:34 - 2015-04-03 12:39 - 00000000 ____D C:\Program Files\Java
2016-02-06 18:34 - 2015-04-03 12:39 - 00000000 ____D C:\Program Files (x86)\Java
2016-02-06 18:33 - 2016-01-26 16:33 - 00097888 _____ (Oracle Corporation) C:\Windows\SysWOW64\WindowsAccessBridge-32.dll
2016-02-06 18:33 - 2015-04-03 12:39 - 00110176 _____ (Oracle Corporation) C:\Windows\system32\WindowsAccessBridge-64.dll
2016-02-02 15:58 - 2015-05-19 18:22 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\GOG.com
2016-02-02 00:12 - 2015-04-03 18:11 - 00004044 _____ C:\Windows\System32\Tasks\GoogleUpdateTaskMachineUA
2016-02-02 00:12 - 2015-04-03 18:11 - 00003792 _____ C:\Windows\System32\Tasks\GoogleUpdateTaskMachineCore

==================== Pliki w katalogu głównym wybranych folderów =======

2015-10-08 05:21 - 2015-10-08 05:21 - 0000017 _____ () C:\Users\Admin\AppData\Local\resmon.resmoncfg
2015-04-03 18:15 - 2015-04-03 18:15 - 0000000 ____H () C:\ProgramData\DP45977C.lfl

Niektóre pliki w TEMP:
====================
C:\Users\Admin\AppData\Local\Temp\avgnt.exe


==================== Bamital & volsnap =================

(Brak automatycznej naprawy dla plików które nie przeszły weryfikacji.)

C:\Windows\system32\winlogon.exe => Plik podpisany cyfrowo
C:\Windows\system32\wininit.exe => Plik podpisany cyfrowo
C:\Windows\SysWOW64\wininit.exe => Plik podpisany cyfrowo
C:\Windows\explorer.exe => Plik podpisany cyfrowo
C:\Windows\SysWOW64\explorer.exe => Plik podpisany cyfrowo
C:\Windows\system32\svchost.exe => Plik podpisany cyfrowo
C:\Windows\SysWOW64\svchost.exe => Plik podpisany cyfrowo
C:\Windows\system32\services.exe => Plik podpisany cyfrowo
C:\Windows\system32\User32.dll => Plik podpisany cyfrowo
C:\Windows\SysWOW64\User32.dll => Plik podpisany cyfrowo
C:\Windows\system32\userinit.exe => Plik podpisany cyfrowo
C:\Windows\SysWOW64\userinit.exe => Plik podpisany cyfrowo
C:\Windows\system32\rpcss.dll => Plik podpisany cyfrowo
C:\Windows\system32\dnsapi.dll => Plik podpisany cyfrowo
C:\Windows\SysWOW64\dnsapi.dll => Plik podpisany cyfrowo
C:\Windows\system32\Drivers\volsnap.sys => Plik podpisany cyfrowo


LastRegBack: 2016-02-18 02:32

==================== Koniec  FRST.txt ============================

Attached Files



#4 nasdaq

nasdaq

  • Malware Response Team
  • 38,969 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:09:10 PM

Posted 01 March 2016 - 07:58 AM

Press the windows key Windows_Logo_key.gif+ r on your keyboard at the same time. This will open the RUN BOX.
Type Notepad and and click the OK key.

Please copy the entire contents of the code box below to the a new file.
 
Start

CreateRestorePoint:
EmptyTemp:
CloseProcesses:
cmd: ipconfig /flushdns
cmd: IPCONFIG /release
cmd: IPCONFIG /renew

Winlogon\Notify\SDWinLogon-x32: SDWinLogon.dll [X]
ShellIconOverlayIdentifiers: [00avast] -> {472083B0-C522-11CF-8763-00608CC02F24} =>  Brak pliku
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Ograniczenia <======= UWAGA
HKU\S-1-5-21-2768662842-2389292975-1816572339-1000\SOFTWARE\Policies\Microsoft\Internet Explorer: Ograniczenia <======= UWAGA
CHR Plugin: (Shockwave Flash) - C:\Program Files (x86)\Google\Chrome\Application\47.0.2526.80\PepperFlash\pepflashplayer.dll => Brak pliku
CHR Plugin: (Native Client) - C:\Program Files (x86)\Google\Chrome\Application\47.0.2526.80\ppGoogleNaClPluginChrome.dll => Brak pliku
CHR Plugin: (Chrome PDF Viewer) - C:\Program Files (x86)\Google\Chrome\Application\47.0.2526.80\pdf.dll => Brak pliku
CHR Plugin: (Google Update) - C:\Program Files (x86)\Google\Update\1.3.21.115\npGoogleUpdate3.dll => Brak pliku
S3 catchme; \??\C:\ComboFix\catchme.sys [X]
U4 klkbdflt2; system32\DRIVERS\klkbdflt2.sys [X]


End
Save the file as fixlist.txt in the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the Farbar log you have submitted.

Run FRST and click Fix only once and wait.

Restart the computer normally to reset the registry.

The tool will create a log (Fixlog.txt) please post it to your reply.
---

If the probem persists and are using using a router try this.

Reset your router. It may be infected.

How to Reset a Router Back to the Factory Default Settings
http://www.ehow.com/how_2110924_reset-back-factory-default-settings.html

Then, please reconfigure it back to your preferred setting.. Below is the list of default username and password, should you don't know it ;)

http://www.routerpasswords.com/
http://www.phenoelit-us.org/dpl/dpl.html
===

Reset for Linksys, Netgear, D-Link and Belkin Routers
http://www.techsupportforum.com/2763-reset-for-linksys-netgear-d-link-and-belkin-routers/

====
How to tell if my Wireless is secure.
http://www.ehow.com/how_6775466_tell-wireless-secure_.html

Please let me know what problem persists with this computer.

#5 Darcon

Darcon
  • Topic Starter

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Local time:02:10 AM

Posted 01 March 2016 - 02:45 PM

Dear Nasdaq, Thank you! The issue does not affect my PC anymore! Rezultat naprawy Farbar Recovery Scan Tool (x64) Wersja:27-02-2016 Uruchomiony przez Admin (2016-03-01 20:41:49) Run:1 Uruchomiony z C:\Users\Admin\Desktop\FRST Załadowane profile: Admin (Dostępne profile: Admin) Tryb startu: Normal ============================================== fixlist - zawartość: ***************** Start CreateRestorePoint: EmptyTemp: CloseProcesses: cmd: ipconfig /flushdns cmd: IPCONFIG /release cmd: IPCONFIG /renew Winlogon\Notify\SDWinLogon-x32: SDWinLogon.dll [X] ShellIconOverlayIdentifiers: [00avast] -> {472083B0-C522-11CF-8763-00608CC02F24} => Brak pliku HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Ograniczenia <======= UWAGA HKU\S-1-5-21-2768662842-2389292975-1816572339-1000\SOFTWARE\Policies\Microsoft\Internet Explorer: Ograniczenia <======= UWAGA CHR Plugin: (Shockwave Flash) - C:\Program Files (x86)\Google\Chrome\Application\47.0.2526.80\PepperFlash\pepflashplayer.dll => Brak pliku CHR Plugin: (Native Client) - C:\Program Files (x86)\Google\Chrome\Application\47.0.2526.80\ppGoogleNaClPluginChrome.dll => Brak pliku CHR Plugin: (Chrome PDF Viewer) - C:\Program Files (x86)\Google\Chrome\Application\47.0.2526.80\pdf.dll => Brak pliku CHR Plugin: (Google Update) - C:\Program Files (x86)\Google\Update\1.3.21.115\npGoogleUpdate3.dll => Brak pliku S3 catchme; \??\C:\ComboFix\catchme.sys [X] U4 klkbdflt2; system32\DRIVERS\klkbdflt2.sys [X] End ***************** Punkt przywracania został pomyślnie utworzony. Procesy zostały pomyślnie zamknięte. ========= ipconfig /flushdns ========= Konfiguracja IP systemu Windows Pomy�lnie opr��niono pami�� podr�czn� programu rozpoznawania nazw DNS. ========= Koniec CMD: ========= ========= IPCONFIG /release ========= Konfiguracja IP systemu Windows Nie mo�na przeprowadzi� �adnej operacji na karcie Po��czenie sieci bezprzewodowej, poniewa� no�nik/kabel tej karty jest od��czony. Karta bezprzewodowej sieci LAN Po��czenie sieci bezprzewodowej: Stan no�nika . . . . . . . . . . .: No�nik od��czony Sufiks DNS konkretnego po��czenia : Karta Ethernet Po��czenie lokalne 2: Sufiks DNS konkretnego po��czenia : Adres IPv6 po��czenia lokalnego . : fe80::1c6:6c0f:397c:cf2f%13 Brama domy�lna. . . . . . . . . . : Karta tunelowa isatap.local: Stan no�nika . . . . . . . . . . .: No�nik od��czony Sufiks DNS konkretnego po��czenia : Karta tunelowa Teredo Tunneling Pseudo-Interface: Stan no�nika . . . . . . . . . . .: No�nik od��czony Sufiks DNS konkretnego po��czenia : Karta tunelowa isatap.{3968FE9A-58A3-4718-8C76-256F4A0D91F8}: Stan no�nika . . . . . . . . . . .: No�nik od��czony Sufiks DNS konkretnego po��czenia : ========= Koniec CMD: ========= ========= IPCONFIG /renew ========= Konfiguracja IP systemu Windows Nie mo�na przeprowadzi� �adnej operacji na karcie Po��czenie sieci bezprzewodowej, poniewa� no�nik/kabel tej karty jest od��czony. Karta bezprzewodowej sieci LAN Po��czenie sieci bezprzewodowej: Stan no�nika . . . . . . . . . . .: No�nik od��czony Sufiks DNS konkretnego po��czenia : Karta Ethernet Po��czenie lokalne 2: Sufiks DNS konkretnego po��czenia : local Adres IPv6 po��czenia lokalnego . : fe80::1c6:6c0f:397c:cf2f%13 Adres IPv4. . . . . . . . . . . . . : 192.168.0.25 Maska podsieci. . . . . . . . . . : 255.255.255.0 Brama domy�lna. . . . . . . . . . : 192.168.0.1 Karta tunelowa isatap.local: Stan no�nika . . . . . . . . . . .: No�nik od��czony Sufiks DNS konkretnego po��czenia : local Karta tunelowa Teredo Tunneling Pseudo-Interface: Stan no�nika . . . . . . . . . . .: No�nik od��czony Sufiks DNS konkretnego po��czenia : Karta tunelowa isatap.{3968FE9A-58A3-4718-8C76-256F4A0D91F8}: Stan no�nika . . . . . . . . . . .: No�nik od��czony Sufiks DNS konkretnego po��czenia : ========= Koniec CMD: ========= HKLM\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SDWinLogon => klucz nie znaleziono. "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\00avast" => klucz pomyślnie usunięto HKCR\CLSID\{472083B0-C522-11CF-8763-00608CC02F24} => klucz nie znaleziono. "HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer" => klucz pomyślnie usunięto "HKU\S-1-5-21-2768662842-2389292975-1816572339-1000\SOFTWARE\Policies\Microsoft\Internet Explorer" => klucz pomyślnie usunięto C:\Program Files (x86)\Google\Chrome\Application\47.0.2526.80\PepperFlash\pepflashplayer.dll => nie znaleziono. C:\Program Files (x86)\Google\Chrome\Application\47.0.2526.80\ppGoogleNaClPluginChrome.dll => nie znaleziono. C:\Program Files (x86)\Google\Chrome\Application\47.0.2526.80\pdf.dll => nie znaleziono. C:\Program Files (x86)\Google\Update\1.3.21.115\npGoogleUpdate3.dll => nie znaleziono. catchme => serwis pomyślnie usunięto klkbdflt2 => serwis niepowodzenie przy usuwaniu EmptyTemp: => 831 MB danych tymczasowych Usunięto. System wymagał restartu. ==== Koniec Fixlog 20:42:07 ====

#6 nasdaq

nasdaq

  • Malware Response Team
  • 38,969 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:09:10 PM

Posted 01 March 2016 - 03:12 PM

If all is well.

To learn more about how to protect yourself while on the internet read this little guide best security practices keep safe.
http://www.bleepingcomputer.com/forums/t/407147/answers-to-common-security-questions-best-practices/

#7 nasdaq

nasdaq

  • Malware Response Team
  • 38,969 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:09:10 PM

Posted 08 March 2016 - 07:36 AM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users