Vista 64 bit syswow64\drivers\atapi.sys Infected


This topic is locked
8 replies to this topic

#1 sam300

  • Members
  • 15 posts

Posted 20 March 2016 - 01:21 AM

This is the second time the alibaba pop-up has infected my PC. Last time I ran ComboFix to fix it; this time ComboFix is giving me this error.
 
C:\windows\syswow64\drivers\atapi.sys
 
There is a similar thread with instructions, so I downloaded these apps and ran them on my PC; the txt logs are attached.
Attached File: rk_93C7.tmp.txt (6.4KB)
Defogger (disable)
RogueKiller
AdwCleaner
TDSSKiller
aswMBR
Internet Options: delete all temp files, history etc.; Advanced: reset
HijackThis
 
Now when I run ComboFix, I am getting this error:
 
C:\windows\syswow64\userinit.exe
 
Please help me.

Edited by Orange Blossom, 20 March 2016 - 09:28 AM.
Moved to log forum from Vista. ~ OB



#2 sam300

  • Topic Starter
  • Members
  • 15 posts

Posted 21 March 2016 - 12:59 AM

Please let me know if I did anything wrong by attaching the txt files as attachments instead of copying and pasting them here.

Thanks again.



#3 nasdaq

  • Malware Response Team
  • 39,512 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 21 March 2016 - 07:01 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can, please print this topic; it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

Download the version of this tool for your operating system.
Farbar Recovery Scan Tool (64 bit)
Farbar Recovery Scan Tool (32 bit)
and save it to a folder on your computer's Desktop.
Double-click to run it. When the tool opens click Yes to disclaimer.
Press Scan button.
It will make a log (FRST.txt) in the same directory the tool is run from. Please copy and paste it into your reply.
The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply.

How to attach a file to your reply:
In the Reply section at the bottom of the topic, click the "More Reply Options" button.

Attach the file.
Select "Choose a File" and navigate to the location of the file.
Click the file you wish to attach.

Click the Add Reply button.
===


Please post the logs.

Wait for further instruction.

Edited by nasdaq, 21 March 2016 - 12:58 PM.
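An added example, not part of nasdaq's post and not a component of FRST: once FRST.txt is in hand, these are the kinds of entries a helper scans for first. The script parses the Processes, Services and Drivers sections plus a few Registry and Internet lines and flags entries with no company/version information, files FRST marks [File not signed] or [X] (registered but missing), a driver loaded from SysWOW64 on an x64 system, a BootExecute value with anything appended to the stock "autocheck autochk *", a configured proxy server, and a Chrome extension with no path or update URL. The sample lines are copied from or modelled on the log sam300 posts later in this thread; a hit is a prompt to look the file up, not a verdict.

```python
"""Heuristic triage of an FRST.txt log.

Added example for this thread, not part of FRST or of any post in it. The
heuristics are loose on purpose: a hit means "look this file up", not "malware".
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Windows' stock BootExecute value; anything appended to it runs before logon.
DEFAULT_BOOTEXECUTE = "autocheck autochk *"

# Section banner: "==================== Processes (Whitelisted) ================="
SECTION_RE = re.compile(r"^=+\s*([A-Za-z][^=]*?)\s*=+$")
# Processes section: "(Company) C:\path\file.exe"; empty parens = no version info
PROCESS_RE = re.compile(r"^\((?P<company>[^)]*)\)\s+(?P<path>[A-Za-z]:\\\S.*)$")
# Services/Drivers: "R2 Name; C:\path [size yyyy-mm-dd] (Company) [flags]"
SERVICE_RE = re.compile(
    r"^(?P<state>[RSU]\d)\s+(?P<name>[^;]+);\s+(?P<path>.*?)"
    r"\s+\[(?P<size>\d+)\s+(?P<date>\d{4}-\d{2}-\d{2})\]"
    r"\s*(?:\((?P<company>[^)]*)\))?\s*(?P<flags>.*)$"
)
# FRST marks a registered service/driver whose file is gone with "[X]"
MISSING_RE = re.compile(r"^(?P<state>[RSU]\d)\s+(?P<name>[^;]+);\s+(?P<path>.+?)\s+\[X\]$")


@dataclass(frozen=True)
class Finding:
    section: str
    reason: str
    line: str


def triage(log_text: str) -> list[Finding]:
    """Return one Finding per heuristic hit, in log order."""
    findings: list[Finding] = []
    section = ""
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        banner = SECTION_RE.match(line)
        if banner:
            section = banner.group(1)
            continue
        if line.startswith("ProxyServer:"):
            findings.append(Finding(section, "proxy server configured", line))
        elif line.startswith("BootExecute:"):
            if line.split(":", 1)[1].strip() != DEFAULT_BOOTEXECUTE:
                findings.append(Finding(section, "non-default BootExecute", line))
        elif "<no Path/update_url>" in line:
            findings.append(Finding(section, "extension with no path or update URL", line))
        elif (m := PROCESS_RE.match(line)):
            if not m["company"].strip():
                findings.append(Finding(section, "process with no company/version info", line))
        elif (m := SERVICE_RE.match(line)):
            path = m["path"].lower()
            if not (m["company"] or "").strip():
                findings.append(Finding(section, "no company/version info", line))
            if "[File not signed]" in m["flags"]:
                findings.append(Finding(section, "file not signed", line))
            # 64-bit Windows loads kernel drivers from System32; SysWOW64 is the 32-bit tree
            if "\\syswow64\\" in path and path.endswith(".sys"):
                findings.append(Finding(section, "driver under SysWOW64", line))
        elif MISSING_RE.match(line):
            findings.append(Finding(section, "service/driver file missing [X]", line))
    return findings


# Constructed sample: lines copied from or modelled on the FRST log in this thread.
SAMPLE_LOG = r"""
==================== Processes (Whitelisted) =================
(Microsoft Corporation) C:\Program Files\Microsoft Security Client\MsMpEng.exe
() C:\Windows\SysWOW64\cfgmig32.exe
==================== Registry (Whitelisted) ===========================
HKLM\...\Run: [Apoint] => C:\Program Files\Apoint\Apoint.exe [152576 2008-07-18] (Alps Electric Co., Ltd.)
BootExecute: autocheck autochk * PCloudBroom64.exe \systemroot\system32\BroomData.bit
==================== Internet (Whitelisted) ====================
ProxyServer: [S-1-5-21-2790494612-1924892951-544322720-1000] => 192.168.1.1:80
CHR HKLM-x32\...\Chrome\Extension: [nneajnkjbffgblleaoojgaacokifdkhm] - <no Path/update_url>
==================== Services (Whitelisted) ========================
R2 MsMpSvc; c:\Program Files\Microsoft Security Client\MsMpEng.exe [23808 2016-01-29] (Microsoft Corporation)
S3 MSCSPTISRV; C:\Program Files (x86)\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe [53248 2008-05-20] (Sony Corporation) [File not signed]
R2 WinSvchostManagerSrv; C:\Windows\SysWOW64\cfgmig32.exe [263504 2011-07-02] ()
===================== Drivers (Whitelisted) ==========================
S1 Beep; no ImagePath
S1 DMICall; C:\Windows\SysWOW64\DRIVERS\DMICall.sys [10216 2008-07-11] (Sony Corporation)
U3 TrueSight; C:\Windows\System32\drivers\TrueSight.sys [24688 2016-03-21] ()
S3 catchme; \??\C:\ComboFix\catchme.sys [X]
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.section}] {f.reason}: {f.line}")
```

Run it as `python frst_triage.py` (name assumed) or call `triage(open("FRST.txt", encoding="utf-8", errors="replace").read())` on a real log. Entries that FRST already whitelists as Microsoft-signed pass silently; everything the script prints still needs a human to check the file's hash, signer and origin before it goes into a fixlist.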


#4 sam300

  • Topic Starter
  • Members
  • 15 posts

Posted 21 March 2016 - 07:48 AM

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version:05-03-2016 01
Ran by sam (administrator) on NOTEBOOK (21-03-2016 17:41:17)
Running from C:\Users\sam\Desktop\Farbar Recovery Scan
Loaded Profiles: sam (Available Profiles: sam & Guest)
Platform: Windows Vista ™ Home Premium Service Pack 1 (X64) Language: English (United States)
Internet Explorer Version 7 (Default browser: Chrome)
Boot Mode: Normal
 
==================== Processes (Whitelisted) =================
 
(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)
 
(Microsoft Corporation) C:\Program Files\Microsoft Security Client\MsMpEng.exe
(Microsoft Corporation) C:\Windows\System32\SLsvc.exe
(Realtek Semiconductor) C:\Windows\RTKAUDIOSERVICE.EXE
(Microsoft Corporation) C:\Windows\System32\wlanext.exe
(Sony Corporation) C:\Program Files\Sony\VAIO Care\VAIOCareService.exe
(Sony Corporation) C:\Program Files\Sony\VAIO Update 4\VAIOUpdt.exe
(Intel Corporation) C:\Windows\System32\hkcmd.exe
(Alps Electric Co., Ltd.) C:\Program Files\Apoint\Apoint.exe
(Intel Corporation) C:\Windows\System32\igfxsrvc.exe
(Intel Corporation) C:\Windows\System32\igfxpers.exe
(Microsoft Corporation) C:\Program Files\Microsoft Security Client\msseces.exe
(Apple Inc.) C:\Program Files\iTunes\iTunesHelper.exe
(Microsoft Corporation) C:\Windows\ehome\ehtray.exe
(Microsoft Corporation) C:\Program Files\Windows Sidebar\sidebar.exe
(Microsoft Corporation) C:\Program Files (x86)\Microsoft Office\Office14\ONENOTEM.EXE
(Sony Corporation) C:\Program Files (x86)\Sony\ISB Utility\ISBMgr.exe
(Apple Inc.) C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
(Microsoft Corporation) C:\Windows\ehome\ehrecvr.exe
(Microsoft Corporation) C:\Windows\ehome\ehsched.exe
(Intel® Corporation) C:\Program Files\Intel\WiFi\bin\EvtEng.exe
(InterVideo) C:\Program Files (x86)\Common Files\InterVideo\RegMgr\iviRegMgr.exe
(Intel® Corporation) C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe
(Sony Corporation) C:\Program Files (x86)\Sony\VAIO Event Service\VESMgr.exe
(Sony Corporation) C:\Program Files\Sony\VAIO Power Management\SPMService.exe
(Microsoft Corporation) C:\Windows\SysWOW64\dllhost.exe
(Sony Corporation) C:\Program Files (x86)\Sony\VAIO Event Service\VESMgrSub.exe
(Sony Corporation) C:\Program Files (x86)\Sony\VAIO Event Service\VESGfxMgr.exe
(Intel Corporation) C:\Windows\System32\igfxext.exe
(Intel Corporation) C:\Windows\System32\igfxsrvc.exe
() C:\Windows\SysWOW64\cfgmig32.exe
(Conexant Systems, Inc.) C:\Windows\System32\drivers\XAudio64.exe
(Sony Corporation) C:\Program Files\Sony\VAIO Power Management\SPMgr.exe
(Apple Inc.) C:\Program Files\iPod\bin\iPodService.exe
(Microsoft Corporation) C:\Windows\System32\mobsync.exe
(Alps Electric Co., Ltd.) C:\Program Files\Apoint\ApMsgFwd.exe
(Alps Electric Co., Ltd.) C:\Program Files\Apoint\ApntEx.exe
(Microsoft Corporation) C:\Program Files\Windows Media Player\wmpnscfg.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Sony Corporation) C:\Program Files\Sony\VAIO Care\VCsystray.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Microsoft Corporation) C:\Windows\SysWOW64\dllhost.exe
(Microsoft Corporation) C:\Program Files\Microsoft Security Client\NisSrv.exe
(Microsoft Corporation) C:\Program Files\Microsoft Security Client\MpCmdRun.exe
(Microsoft Corporation) C:\Program Files\Microsoft Security Client\MpCmdRun.exe
 
 
==================== Registry (Whitelisted) ===========================
 
(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)
 
HKLM\...\Run: [Apoint] => C:\Program Files\Apoint\Apoint.exe [152576 2008-07-18] (Alps Electric Co., Ltd.)
HKLM\...\Run: [Skytel] => C:\Windows\Skytel.exe [1826816 2008-07-15] (Realtek Semiconductor Corp.)
HKLM\...\Run: [RtHDVCpl] => C:\Windows\RAVCpl64.exe [6453760 2008-07-15] (Realtek Semiconductor)
HKLM\...\Run: [MSC] => c:\Program Files\Microsoft Security Client\msseces.exe [1340192 2016-01-29] (Microsoft Corporation)
HKLM\...\Run: [iTunesHelper] => C:\Program Files\iTunes\iTunesHelper.exe [169744 2015-09-12] (Apple Inc.)
HKLM-x32\...\Run: [ISBMgr.exe] => C:\Program Files (x86)\Sony\ISB Utility\ISBMgr.exe [317280 2008-04-04] (Sony Corporation)
HKLM-x32\...\Run: [Adobe Reader Speed Launcher] => C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe [34672 2008-06-12] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [SunJavaUpdateSched] => C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe [507776 2014-10-07] (Oracle Corporation)
Winlogon\Notify\igfxcui: C:\Windows\system32\igfxdev.dll (Intel Corporation)
Winlogon\Notify\PFW: 
HKU\S-1-5-21-2790494612-1924892951-544322720-1000\...\Run: [ehTray.exe] => C:\Windows\ehome\ehTray.exe [138240 2008-01-21] (Microsoft Corporation)
Startup: C:\Users\sam\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneNote 2010 Screen Clipper and Launcher.lnk [2015-11-11]
ShortcutTarget: OneNote 2010 Screen Clipper and Launcher.lnk -> C:\Program Files (x86)\Microsoft Office\Office14\ONENOTEM.EXE (Microsoft Corporation)
BootExecute: autocheck autochk * PCloudBroom64.exe \systemroot\system32\BroomData.bit
 
==================== Internet (Whitelisted) ====================
 
(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)
 
ProxyServer: [S-1-5-21-2790494612-1924892951-544322720-1000] => 192.168.1.1:80
Tcpip\Parameters: [DhcpNameServer] 192.168.1.1 192.168.1.1
Tcpip\..\Interfaces\{25A6E031-F139-4811-BF06-FAA29C4764DC}: [NameServer] 8.8.8.8,8.8.4.4
Tcpip\..\Interfaces\{25A6E031-F139-4811-BF06-FAA29C4764DC}: [DhcpNameServer] 192.168.1.1 192.168.1.1
 
Internet Explorer:
==================
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
HKU\S-1-5-21-2790494612-1924892951-544322720-1000\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://www.sony.com/vaiopeople_f08
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://www.sony.com/vaiopeople_f08
HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=msnhome
HKU\S-1-5-21-2790494612-1924892951-544322720-1000\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.sony.com/vaiopeople_f08
HKU\S-1-5-21-2790494612-1924892951-544322720-1000\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://www.sony.com/vaiopeople_f08
SearchScopes: HKU\S-1-5-19 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
SearchScopes: HKU\S-1-5-20 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
SearchScopes: HKU\S-1-5-21-2790494612-1924892951-544322720-1000 -> DefaultScope {EA78161E-D739-4A93-989B-EE9A13BEA2BB} URL = hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=843&invocationType=tb50sonyie7&query={searchTerms}
SearchScopes: HKU\S-1-5-21-2790494612-1924892951-544322720-1000 -> {EA78161E-D739-4A93-989B-EE9A13BEA2BB} URL = hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=843&invocationType=tb50sonyie7&query={searchTerms}
BHO: CA Anti-Phishing Toolbar Helper -> {45011CF5-E4A9-4F13-9093-F30A784EB9B2} -> No File
BHO: Groove GFS Browser Helper -> {72853161-30C5-4D22-B7F9-0BBC1D38A37E} -> C:\Program Files\Microsoft Office\Office14\GROOVEEX.DLL [2010-01-21] (Microsoft Corporation)
BHO: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL [2010-01-16] (Microsoft Corporation)
BHO-x32: Adobe PDF Link Helper -> {18DF081C-E8AD-4283-A596-FA578C2EBDC3} -> C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll [2008-06-12] (Adobe Systems Incorporated)
BHO-x32: DivX Plus Web Player HTML5 <video> -> {326E768D-4182-46FD-9C16-1449A49795F4} -> No File
BHO-x32: CA Anti-Phishing Toolbar Helper -> {45011CF5-E4A9-4F13-9093-F30A784EB9B2} -> No File
BHO-x32: Groove GFS Browser Helper -> {72853161-30C5-4D22-B7F9-0BBC1D38A37E} -> C:\Program Files (x86)\Microsoft Office\Office14\GROOVEEX.DLL [2010-01-21] (Microsoft Corporation)
BHO-x32: Java™ Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files (x86)\Java\jre1.8.0_45\bin\ssv.dll [2015-04-15] (Oracle Corporation)
BHO-x32: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files (x86)\Microsoft Office\Office14\URLREDIR.DLL [2010-01-16] (Microsoft Corporation)
BHO-x32: Java™ Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files (x86)\Java\jre1.8.0_45\bin\jp2ssv.dll [2015-04-15] (Oracle Corporation)
Toolbar: HKLM - CA Anti-Phishing Toolbar - {0123B506-0AD9-43AA-B0CF-916C122AD4C5} -  No File
Toolbar: HKLM-x32 - CA Anti-Phishing Toolbar - {0123B506-0AD9-43AA-B0CF-916C122AD4C5} -  No File
Toolbar: HKU\S-1-5-21-2790494612-1924892951-544322720-1000 -> CA Anti-Phishing Toolbar - {0123B506-0AD9-43AA-B0CF-916C122AD4C5} -  No File
DPF: HKLM-x32 {1E54D648-B804-468d-BC78-4AFFED8E262F} hxxp://www.nvidia.com/content/DriverDownload/srl/3.0.0.4/srl_bin/sysreqlab_nvd.cab
DPF: HKLM-x32 {233C1507-6A77-46A4-9443-F871F945D258} hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: HKLM-x32 {CF84DAC5-A4F5-419E-A0BA-C01FFD71112F} hxxp://content.systemrequirementslab.com.s3.amazonaws.com/global/bin/srldetect_intel_4.5.3.0.cab
DPF: HKLM-x32 {E2883E8F-472F-4FB0-9522-AC9BF37916A7} hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler-x32: intu-help-qb1 - {9B0F96C7-2E4B-433e-ABF3-043BA1B54AE3} - C:\Program Files (x86)\Intuit\QuickBooks 2008\HelpAsyncPluggableProtocol.dll [2007-11-13] (TODO: <Company name>)
Handler-x32: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - C:\Windows\SysWOW64\mscoree.dll [2009-11-08] (Microsoft Corporation)
Filter: deflate - {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\Windows\system32\urlmon.dll [2008-06-27] (Microsoft Corporation)
Filter-x32: deflate - {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\Windows\syswow64\urlmon.dll [2008-06-27] (Microsoft Corporation)
Filter: gzip - {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\Windows\system32\urlmon.dll [2008-06-27] (Microsoft Corporation)
Filter-x32: gzip - {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\Windows\syswow64\urlmon.dll [2008-06-27] (Microsoft Corporation)
 
FireFox:
========
FF Plugin: @adobe.com/FlashPlayer -> C:\Windows\system32\Macromed\Flash\NPSWF64_19_0_0_245.dll [2015-11-12] ()
FF Plugin: @microsoft.com/OfficeAuthz,version=14.0 -> C:\PROGRA~1\MICROS~2\Office14\NPAUTHZ.DLL [2010-01-09] (Microsoft Corporation)
FF Plugin-x32: @adobe.com/FlashPlayer -> C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_19_0_0_245.dll [2015-11-12] ()
FF Plugin-x32: @Apple.com/iTunes,version=1.0 -> C:\Program Files (x86)\iTunes\Mozilla Plugins\npitunes.dll [2015-09-04] ()
FF Plugin-x32: @java.com/DTPlugin,version=11.45.2 -> C:\Program Files (x86)\Java\jre1.8.0_45\bin\dtplugin\npDeployJava1.dll [2015-04-15] (Oracle Corporation)
FF Plugin-x32: @java.com/JavaPlugin,version=11.45.2 -> C:\Program Files (x86)\Java\jre1.8.0_45\bin\plugin2\npjp2.dll [2015-04-15] (Oracle Corporation)
FF Plugin-x32: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files (x86)\Microsoft Silverlight\5.1.30214.0\npctrl.dll [2014-02-13] ( Microsoft Corporation)
FF Plugin-x32: @microsoft.com/OfficeAuthz,version=14.0 -> C:\PROGRA~2\MICROS~2\Office14\NPAUTHZ.DLL [2010-01-09] (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/SharePoint,version=14.0 -> C:\PROGRA~2\MICROS~2\Office14\NPSPWRAP.DLL [2010-01-10] (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/WPF,version=3.5 -> c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll [2008-07-30] (Microsoft Corporation)
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.29.5\npGoogleUpdate3.dll [2016-02-03] (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.29.5\npGoogleUpdate3.dll [2016-02-03] (Google Inc.)
FF Plugin HKU\S-1-5-21-2790494612-1924892951-544322720-1000: @talk.google.com/GoogleTalkPlugin -> C:\Users\sam\AppData\Roaming\Mozilla\plugins\npgoogletalk.dll [2015-12-08] (Google)
FF Plugin HKU\S-1-5-21-2790494612-1924892951-544322720-1000: @talk.google.com/O1DPlugin -> C:\Users\sam\AppData\Roaming\Mozilla\plugins\npo1d.dll [2015-12-08] (Google)
FF Plugin HKU\S-1-5-21-2790494612-1924892951-544322720-1000: @tools.google.com/Google Update;version=3 -> C:\Users\sam\AppData\Local\Google\Update\1.3.29.5\npGoogleUpdate3.dll [2016-02-02] (Google Inc.)
FF Plugin HKU\S-1-5-21-2790494612-1924892951-544322720-1000: @tools.google.com/Google Update;version=9 -> C:\Users\sam\AppData\Local\Google\Update\1.3.29.5\npGoogleUpdate3.dll [2016-02-02] (Google Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files (x86)\mozilla firefox\plugins\npqtplugin.dll [2015-01-25] (Apple Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files (x86)\mozilla firefox\plugins\npqtplugin2.dll [2015-01-25] (Apple Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files (x86)\mozilla firefox\plugins\npqtplugin3.dll [2015-01-25] (Apple Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files (x86)\mozilla firefox\plugins\npqtplugin4.dll [2015-01-25] (Apple Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files (x86)\mozilla firefox\plugins\npqtplugin5.dll [2015-01-25] (Apple Inc.)
FF Plugin ProgramFiles/Appdata: C:\Users\sam\AppData\Roaming\mozilla\plugins\npgoogletalk.dll [2015-12-08] (Google)
FF Plugin ProgramFiles/Appdata: C:\Users\sam\AppData\Roaming\mozilla\plugins\npo1d.dll [2015-12-08] (Google)
FF HKLM-x32\...\Firefox\Extensions: [{20a82645-c095-46ed-80e3-08825760534b}] - c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF Extension: Microsoft .NET Framework Assistant - c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension [2011-09-18] [not signed]
 
Chrome: 
=======
CHR HomePage: Default -> hxxps://www.google.com/
CHR StartupUrls: Default -> "hxxps://www.google.com.pk/"
CHR Profile: C:\Users\sam\AppData\Local\Google\Chrome\User Data\Default
CHR Extension: (Google Drive) - C:\Users\sam\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2016-03-06]
CHR Extension: (YouTube) - C:\Users\sam\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2015-09-28]
CHR Extension: (Adblock Plus) - C:\Users\sam\AppData\Local\Google\Chrome\User Data\Default\Extensions\cfhdojbkjhnklbpkdaibdccddilifddb [2016-03-10]
CHR Extension: (Google Search) - C:\Users\sam\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf [2015-10-28]
CHR Extension: (Chrome Web Store Payments) - C:\Users\sam\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2015-08-10]
CHR Extension: (Gmail) - C:\Users\sam\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2015-04-09]
CHR HKLM-x32\...\Chrome\Extension: [nneajnkjbffgblleaoojgaacokifdkhm] - <no Path/update_url>
 
==================== Services (Whitelisted) ========================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
R2 Apple Mobile Device Service; C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe [77104 2015-09-02] (Apple Inc.)
S4 CaCCProvSP; C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe [359248 2011-07-02] (CA, Inc.)
S4 ccSchedulerSVC; C:\Program Files\CA\CA Internet Security Suite\ccschedulersvc.exe [286032 2011-07-02] (Computer Associates International, Inc.)
S2 MBAMService; C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe [1135416 2015-10-05] (Malwarebytes)
S3 MSCSPTISRV; C:\Program Files (x86)\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe [53248 2008-05-20] (Sony Corporation) [File not signed]
R2 MsMpSvc; c:\Program Files\Microsoft Security Client\MsMpEng.exe [23808 2016-01-29] (Microsoft Corporation)
R3 NisSrv; c:\Program Files\Microsoft Security Client\NisSrv.exe [374344 2016-01-29] (Microsoft Corporation)
S3 PACSPTISVR; C:\Program Files (x86)\Common Files\Sony Shared\AVLib\PACSPTISVR.exe [53248 2008-05-20] (Sony Corporation) [File not signed]
S4 QBFCService; C:\Program Files (x86)\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe [61440 2007-05-24] (Intuit Inc.) [File not signed]
R2 RtkAudioService; C:\Windows\RtkAudioService.exe [139808 2008-07-15] (Realtek Semiconductor)
S3 SampleCollector; C:\Program Files\Sony\VAIO Care\collsvc.exe [167424 2009-09-16] (Intel Corporation) [File not signed]
S4 SDScannerService; C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe [1817560 2013-05-16] (Safer-Networking Ltd.)
S4 SDUpdateService; C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe [1033688 2013-05-16] (Safer-Networking Ltd.)
S4 SDWSCService; C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe [171928 2013-05-15] (Safer-Networking Ltd.)
S3 SOHCImp; C:\Program Files (x86)\Sony\VAIO Media plus\SOHCImp.exe [103712 2008-05-21] (Sony Corporation)
S3 SOHDms; C:\Program Files (x86)\Sony\VAIO Media plus\SOHDms.exe [353568 2008-05-21] (Sony Corporation)
S3 SOHDs; C:\Program Files (x86)\Sony\VAIO Media plus\SOHDs.exe [62752 2008-05-21] (Sony Corporation)
S3 SPTISRV; C:\Program Files (x86)\Common Files\Sony Shared\AVLib\SPTISRV.exe [77824 2008-05-20] (Sony Corporation) [File not signed]
S4 uCamMonitor; C:\Program Files (x86)\ArcSoft\Magic-i Visual Effects\uCamMonitor.exe [104960 2008-03-26] (ArcSoft, Inc.)
S3 VAIO Entertainment TV Device Arbitration Service; C:\Program Files (x86)\Common Files\Sony Shared\VAIO Entertainment Platform\VzHardwareResourceManager\VzHardwareResourceManager\VzHardwareResourceManager.exe [73728 2008-05-23] (Sony Corporation) [File not signed]
S3 Vcsw; C:\Program Files (x86)\Common Files\Sony Shared\VAIO Entertainment Platform\VCSW\VCSW.exe [279848 2008-06-19] (Sony Corporation)
S3 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [383544 2008-01-21] (Microsoft Corporation)
R2 WinSvchostManagerSrv; C:\Windows\SysWOW64\cfgmig32.exe [263504 2011-07-02] ()
 
===================== Drivers (Whitelisted) ==========================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
U5 AppMgmt; C:\Windows\system32\svchost.exe [27648 2008-01-21] (Microsoft Corporation)
R3 ArcSoftKsUFilter; C:\Windows\System32\DRIVERS\ArcSoftKsUFilter.sys [19456 2008-01-31] (ArcSoft, Inc.)
S1 Beep; no ImagePath
S1 DMICall; C:\Windows\SysWOW64\DRIVERS\DMICall.sys [10216 2008-07-11] (Sony Corporation)
S3 IpInIp; no ImagePath
R3 MBAMProtector; C:\Windows\system32\drivers\mbam.sys [25816 2015-10-05] (Malwarebytes)
S3 MBAMWebAccessControl; C:\Windows\system32\drivers\mwac.sys [64216 2015-10-05] (Malwarebytes Corporation)
R0 MpFilter; C:\Windows\System32\DRIVERS\MpFilter.sys [289120 2015-11-13] (Microsoft Corporation)
R3 NisDrv; C:\Windows\System32\DRIVERS\NisDrvWFP.sys [133816 2015-11-13] (Microsoft Corporation)
S3 NwlnkFlt; no ImagePath
S3 NwlnkFwd; no ImagePath
S3 Pcouffin64; C:\Windows\System32\Drivers\pcouffin64a.sys [82048 2009-07-20] (VSO Software) [File not signed]
S3 PSKMAD; C:\Windows\System32\DRIVERS\PSKMAD.sys [50320 2015-01-29] (Panda Security, S.L.)
S3 RimUsb; C:\Windows\System32\Drivers\RimUsb_AMD64.sys [28416 2008-04-16] (Research In Motion Limited)
R2 risdptsk; C:\Windows\System32\DRIVERS\risdsn64.sys [64512 2008-07-18] (REDC)
U3 TrueSight; C:\Windows\System32\drivers\TrueSight.sys [24688 2016-03-21] ()
S3 catchme; \??\C:\ComboFix\catchme.sys [X]
 
==================== NetSvcs (Whitelisted) ===================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
 
==================== One Month Created files and folders ========
 
(If an entry is included in the fixlist, the file/folder will be moved.)
 
2016-03-21 17:40 - 2016-03-21 17:41 - 00000000 ____D C:\FRST
2016-03-21 17:37 - 2016-03-21 17:41 - 00000000 ____D C:\Users\sam\Desktop\Farbar Recovery Scan
2016-03-21 14:57 - 2016-03-21 14:57 - 00099764 _____ C:\Users\sam\Desktop\TDDSKILLER.txt
2016-03-21 14:49 - 2016-03-21 14:58 - 00199618 _____ C:\TDSSKiller.3.1.0.9_21.03.2016_14.49.05_log.txt
2016-03-21 09:16 - 2016-03-21 09:21 - 00197930 _____ C:\TDSSKiller.3.1.0.9_21.03.2016_09.16.50_log.txt
2016-03-21 07:33 - 2016-03-21 08:21 - 00004441 _____ C:\Users\sam\Desktop\Habits of successful people.txt
2016-03-20 13:32 - 2016-03-21 13:32 - 00192216 _____ (Malwarebytes) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
2016-03-20 13:32 - 2016-03-20 13:32 - 00000941 _____ C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2016-03-20 13:32 - 2016-03-20 13:32 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes Anti-Malware
2016-03-20 13:32 - 2016-03-20 13:32 - 00000000 ____D C:\Program Files (x86)\Malwarebytes Anti-Malware
2016-03-20 13:32 - 2015-10-05 09:50 - 00109272 _____ (Malwarebytes) C:\Windows\system32\Drivers\mbamchameleon.sys
2016-03-20 13:32 - 2015-10-05 09:50 - 00064216 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mwac.sys
2016-03-20 13:32 - 2015-10-05 09:50 - 00025816 _____ (Malwarebytes) C:\Windows\system32\Drivers\mbam.sys
2016-03-20 13:23 - 2016-03-20 13:25 - 22908888 _____ (Malwarebytes ) C:\Users\sam\Desktop\mbam-setup-bc.1878-2.2.0.1024.exe
2016-03-20 12:32 - 2016-03-20 13:26 - 00000000 ____D C:\Users\sam\AppData\Local\CrashDumps
2016-03-20 10:54 - 2016-03-20 10:54 - 00388608 _____ (Trend Micro Inc.) C:\Users\sam\Desktop\HijackThis.exe
2016-03-20 01:00 - 2016-03-20 01:02 - 00196516 _____ C:\TDSSKiller.3.1.0.9_20.03.2016_01.00.37_log.txt
2016-03-19 23:41 - 2016-03-19 23:41 - 00002017 _____ C:\Users\sam\Desktop\aswMBR.txt
2016-03-19 23:41 - 2016-03-19 23:41 - 00000512 _____ C:\Users\sam\Desktop\MBR.dat
2016-03-19 23:38 - 2016-03-19 23:39 - 05198336 _____ (AVAST Software) C:\Users\sam\Desktop\aswMBR.exe
2016-03-19 23:34 - 2016-03-19 23:35 - 00197256 _____ C:\TDSSKiller.3.1.0.9_19.03.2016_23.34.04_log.txt
2016-03-19 23:31 - 2016-03-19 23:33 - 04727984 _____ (Kaspersky Lab ZAO) C:\Users\sam\Desktop\tdsskiller.exe
2016-03-19 23:27 - 2016-03-19 23:27 - 00000000 _____ C:\Users\sam\defogger_reenable
2016-03-19 23:26 - 2016-03-19 23:26 - 00050477 _____ C:\Users\sam\Desktop\Defogger.exe
2016-03-19 23:04 - 2016-03-19 23:20 - 00000000 ___SD C:\ComboFix
2016-03-19 23:02 - 2016-03-19 23:02 - 00001554 _____ C:\Users\sam\Desktop\AdwCleaner[C1].txt
2016-03-19 22:53 - 2016-03-19 22:53 - 00006554 _____ C:\Users\sam\Desktop\rk_93C7.tmp.txt
2016-03-19 22:10 - 2016-03-21 09:28 - 00024688 _____ C:\Windows\system32\Drivers\TrueSight.sys
2016-03-19 22:08 - 2016-03-19 22:53 - 00000000 ____D C:\ProgramData\RogueKiller
2016-03-19 22:06 - 2016-03-19 22:08 - 19587656 _____ C:\Users\sam\Desktop\RogueKiller.exe
2016-03-06 10:02 - 2016-03-06 10:02 - 00034854 _____ C:\Users\sam\Desktop\combofix.txt
2016-03-06 09:40 - 2011-06-26 11:45 - 00256000 _____ C:\Windows\PEV.exe
2016-03-06 09:40 - 2010-11-07 22:20 - 00208896 _____ C:\Windows\MBR.exe
2016-03-06 09:40 - 2009-04-20 09:56 - 00060416 _____ (NirSoft) C:\Windows\NIRCMD.exe
2016-03-06 09:40 - 2000-08-31 05:00 - 00518144 _____ (SteelWerX) C:\Windows\SWREG.exe
2016-03-06 09:40 - 2000-08-31 05:00 - 00406528 _____ (SteelWerX) C:\Windows\SWSC.exe
2016-03-06 09:40 - 2000-08-31 05:00 - 00098816 _____ C:\Windows\sed.exe
2016-03-06 09:40 - 2000-08-31 05:00 - 00080412 _____ C:\Windows\grep.exe
2016-03-06 09:40 - 2000-08-31 05:00 - 00068096 _____ C:\Windows\zip.exe
2016-03-06 09:39 - 2016-03-19 21:25 - 00000000 ____D C:\Qoobox
2016-03-06 09:38 - 2016-03-06 09:57 - 00000000 ____D C:\Windows\erdnt
2016-03-06 09:13 - 2015-09-14 13:03 - 00039672 _____ C:\Windows\system32\Drivers\DasPtct.SYS
2016-03-01 10:32 - 2016-03-01 11:11 - 00007478 _____ C:\Users\sam\Desktop\10 ways to spot a truly exceptional employee.txt
2016-02-22 12:57 - 2016-02-22 13:06 - 00001440 _____ C:\Users\sam\Desktop\401K tax credit 1.txt
2016-02-22 12:56 - 2016-02-22 12:56 - 00000921 _____ C:\Users\sam\Desktop\401K tax credit.txt
 
==================== One Month Modified files and folders ========
 
(If an entry is included in the fixlist, the file/folder will be moved.)
 
2016-03-21 17:31 - 2006-11-02 20:22 - 00003616 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
2016-03-21 17:31 - 2006-11-02 20:22 - 00003616 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
2016-03-21 14:55 - 2010-10-12 02:50 - 00000898 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2016-03-21 14:23 - 2012-02-28 18:10 - 00000830 _____ C:\Windows\Tasks\Adobe Flash Player Updater.job
2016-03-21 14:20 - 2011-10-29 03:34 - 00000900 _____ C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2790494612-1924892951-544322720-1000UA.job
2016-03-21 10:59 - 2006-11-02 18:33 - 00000000 ____D C:\Windows\inf
2016-03-21 10:59 - 2006-11-02 17:46 - 00703388 _____ C:\Windows\system32\PerfStringBackup.INI
2016-03-21 10:55 - 2013-12-07 12:03 - 00000656 _____ C:\Windows\Tasks\Check for updates (Spybot - Search & Destroy).job
2016-03-21 10:54 - 2010-10-12 02:50 - 00000894 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2016-03-21 10:54 - 2006-11-02 20:42 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2016-03-21 10:54 - 2006-11-02 20:07 - 00000000 ___RD C:\Users\Public\Recorded TV
2016-03-21 10:53 - 2006-11-02 20:42 - 00032544 _____ C:\Windows\Tasks\SCHEDLGU.TXT
2016-03-20 12:29 - 2012-01-20 23:49 - 00000000 ____D C:\Users\sam\AppData\Local\Apps\2.0
2016-03-19 23:27 - 2008-12-27 02:51 - 00000000 ____D C:\Users\sam
2016-03-19 14:01 - 2015-02-20 13:44 - 00000000 ____D C:\Users\sam\Desktop\MASTER
2016-03-18 18:50 - 2011-11-14 00:21 - 00000000 ____D C:\Users\sam\Desktop\P Folder
2016-03-18 18:44 - 2013-03-19 22:19 - 00000773 _____ C:\Users\sam\Desktop\emails.txt
2016-03-15 12:06 - 2015-11-27 10:32 - 00002037 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome.lnk
2016-03-15 12:06 - 2015-11-27 10:32 - 00002025 _____ C:\Users\Public\Desktop\Google Chrome.lnk
2016-03-12 20:50 - 2012-05-12 23:58 - 00001826 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Security Essentials.lnk
2016-03-12 20:50 - 2012-04-09 09:39 - 00002155 _____ C:\Windows\epplauncher.mif
2016-03-12 20:49 - 2012-05-12 23:58 - 00000000 ____D C:\Program Files\Microsoft Security Client
2016-03-12 20:49 - 2012-05-12 23:58 - 00000000 ____D C:\Program Files (x86)\Microsoft Security Client
2016-03-12 20:44 - 2013-07-14 11:36 - 00000000 ____D C:\Windows\system32\MRT
2016-03-12 20:35 - 2006-11-02 17:35 - 143659408 _____ (Microsoft Corporation) C:\Windows\system32\mrt.exe
2016-03-09 22:57 - 2012-02-12 18:51 - 00000000 ____D C:\Users\sam\AppData\Roaming\vlc
2016-03-06 09:54 - 2006-11-02 17:34 - 00000215 _____ C:\Windows\system.ini
2016-03-06 09:41 - 2012-02-28 01:47 - 00000732 _____ C:\Users\sam\AppData\Local\d3d9caps64.dat
2016-03-03 00:49 - 2016-01-08 18:01 - 00000000 ____D C:\Users\Guest
2016-03-03 00:48 - 2012-02-28 05:54 - 00000023 _____ C:\test.xml
2016-03-02 01:11 - 2013-12-07 12:03 - 00000628 _____ C:\Windows\Tasks\Refresh immunization (Spybot - Search & Destroy).job
 
==================== Files in the root of some directories =======
 
2015-11-28 12:46 - 2015-11-28 12:47 - 0000045 _____ () C:\Users\sam\AppData\Roaming\MCVi2UserDetail.ini
2013-11-29 19:15 - 2013-11-29 19:20 - 0001181 _____ () C:\Users\sam\AppData\Roaming\trace_FilterInstaller.1.txt
2013-11-29 19:15 - 2013-11-29 19:15 - 0001181 _____ () C:\Users\sam\AppData\Roaming\trace_FilterInstaller.2.txt
2013-11-29 19:15 - 2014-11-22 17:30 - 0000919 _____ () C:\Users\sam\AppData\Roaming\trace_FilterInstaller.txt
2013-11-29 19:15 - 2014-11-22 17:30 - 0000000 _____ () C:\Users\sam\AppData\Roaming\trace_FilterInstaller.txt-CRT.txt
2012-01-16 17:53 - 2014-11-14 22:32 - 0024147 _____ () C:\Users\sam\AppData\Roaming\UserTile.png
2013-03-25 22:19 - 2013-03-25 22:19 - 0000000 _____ () C:\Users\sam\AppData\Roaming\wklnhst.dat
2012-02-28 01:48 - 2016-01-07 13:59 - 0001356 _____ () C:\Users\sam\AppData\Local\d3d9caps.dat
2012-02-28 01:47 - 2016-03-06 09:41 - 0000732 _____ () C:\Users\sam\AppData\Local\d3d9caps64.dat
2009-06-03 21:31 - 2014-11-08 10:01 - 0022528 _____ () C:\Users\sam\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
2012-02-20 10:12 - 2012-02-20 10:13 - 0410478 _____ () C:\Users\sam\AppData\Local\dd_vcredistMSI1255.txt
2013-01-02 14:32 - 2013-01-02 14:32 - 0332500 _____ () C:\Users\sam\AppData\Local\dd_vcredistMSI18F6.txt
2013-01-02 14:33 - 2013-01-02 14:33 - 0318506 _____ () C:\Users\sam\AppData\Local\dd_vcredistMSI19EE.txt
2013-01-01 22:49 - 2013-01-01 22:49 - 0332500 _____ () C:\Users\sam\AppData\Local\dd_vcredistMSI4762.txt
2013-01-02 12:56 - 2013-01-02 12:56 - 0330598 _____ () C:\Users\sam\AppData\Local\dd_vcredistMSI4F6F.txt
2013-01-02 12:57 - 2013-01-02 12:57 - 0321026 _____ () C:\Users\sam\AppData\Local\dd_vcredistMSI5061.txt
2012-06-10 12:49 - 2012-06-10 12:49 - 0353386 _____ () C:\Users\sam\AppData\Local\dd_vcredistMSI6B34.txt
2012-06-10 12:51 - 2012-06-10 12:51 - 0344016 _____ () C:\Users\sam\AppData\Local\dd_vcredistMSI6C20.txt
2012-03-23 22:14 - 2012-03-23 22:14 - 0456524 _____ () C:\Users\sam\AppData\Local\dd_vcredistMSI7EB3.txt
2012-02-20 10:12 - 2012-02-20 10:13 - 0011374 _____ () C:\Users\sam\AppData\Local\dd_vcredistUI1255.txt
2013-01-02 14:32 - 2013-01-02 14:32 - 0011462 _____ () C:\Users\sam\AppData\Local\dd_vcredistUI18F6.txt
2013-01-02 14:33 - 2013-01-02 14:33 - 0011350 _____ () C:\Users\sam\AppData\Local\dd_vcredistUI19EE.txt
2013-01-01 22:49 - 2013-01-01 22:49 - 0011462 _____ () C:\Users\sam\AppData\Local\dd_vcredistUI4762.txt
2013-01-02 12:56 - 2013-01-02 12:56 - 0011382 _____ () C:\Users\sam\AppData\Local\dd_vcredistUI4F6F.txt
2013-01-02 12:57 - 2013-01-02 12:57 - 0011462 _____ () C:\Users\sam\AppData\Local\dd_vcredistUI5061.txt
2012-06-10 12:49 - 2012-06-10 12:49 - 0011654 _____ () C:\Users\sam\AppData\Local\dd_vcredistUI6B34.txt
2012-06-10 12:51 - 2012-06-10 12:51 - 0011606 _____ () C:\Users\sam\AppData\Local\dd_vcredistUI6C20.txt
2012-03-23 22:14 - 2012-03-23 22:14 - 0011660 _____ () C:\Users\sam\AppData\Local\dd_vcredistUI7EB3.txt
 
Some files in TEMP:
====================
C:\Users\sam\AppData\Local\temp\dllnt_dump.dll
C:\Users\sam\AppData\Local\temp\sqlite3.dll
 
 
==================== Bamital & volsnap =================
 
(There is no automatic fix for files that do not pass verification.)
 
C:\Windows\system32\winlogon.exe => File is digitally signed
C:\Windows\system32\wininit.exe => File is digitally signed
C:\Windows\SysWOW64\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\system32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\system32\services.exe => File is digitally signed
C:\Windows\system32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\system32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\system32\rpcss.dll => File is digitally signed
C:\Windows\system32\dnsapi.dll => File is digitally signed
C:\Windows\SysWOW64\dnsapi.dll => File is digitally signed
C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed
 
 
LastRegBack: 2016-03-21 11:00
 
==================== End of FRST.txt ============================


#5 nasdaq

nasdaq

  • Malware Response Team
  • 39,512 posts
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:05:56 PM

Posted 21 March 2016 - 01:08 PM

Press the Windows key + R on your keyboard at the same time. This will open the RUN box.
Type Notepad and click the OK button.

Please copy the entire contents of the code box below to a new file.
 
Start

CreateRestorePoint:
EmptyTemp:
CloseProcesses:

HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
HKU\S-1-5-21-2790494612-1924892951-544322720-1000\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
SearchScopes: HKU\S-1-5-21-2790494612-1924892951-544322720-1000 -> DefaultScope {EA78161E-D739-4A93-989B-EE9A13BEA2BB} URL = hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=843&invocationType=tb50sonyie7&query={searchTerms}
SearchScopes: HKU\S-1-5-21-2790494612-1924892951-544322720-1000 -> {EA78161E-D739-4A93-989B-EE9A13BEA2BB} URL = hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=843&invocationType=tb50sonyie7&query={searchTerms}
BHO: CA Anti-Phishing Toolbar Helper -> {45011CF5-E4A9-4F13-9093-F30A784EB9B2} -> No File
BHO-x32: DivX Plus Web Player HTML5 <video> -> {326E768D-4182-46FD-9C16-1449A49795F4} -> No File
BHO-x32: CA Anti-Phishing Toolbar Helper -> {45011CF5-E4A9-4F13-9093-F30A784EB9B2} -> No File
Toolbar: HKLM - CA Anti-Phishing Toolbar - {0123B506-0AD9-43AA-B0CF-916C122AD4C5} -  No File
Toolbar: HKLM-x32 - CA Anti-Phishing Toolbar - {0123B506-0AD9-43AA-B0CF-916C122AD4C5} -  No File
Toolbar: HKU\S-1-5-21-2790494612-1924892951-544322720-1000 -> CA Anti-Phishing Toolbar - {0123B506-0AD9-43AA-B0CF-916C122AD4C5} -  No File
CHR HKLM-x32\...\Chrome\Extension: [nneajnkjbffgblleaoojgaacokifdkhm] - <no Path/update_url>
S1 Beep; no ImagePath
S3 IpInIp; no ImagePath
S3 NwlnkFlt; no ImagePath
S3 NwlnkFwd; no ImagePath
S3 catchme; \??\C:\ComboFix\catchme.sys [X]


End
Save the file as fixlist.txt in the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the Farbar log you have submitted.

Run FRST and click Fix only once and wait.

Restart the computer normally to reset the registry.

The tool will create a log (Fixlog.txt); please post it in your reply.

Please let me know what problem persists with this computer.
---

Your version of Java is outdated and needs to be updated to take advantage of fixes that have eliminated security vulnerabilities.

You can manually check your present version and update as recommended.
https://www.java.com/en/download/installed.jsp

Be careful not to install malware posing as a Java update!
Important: read this blog.
http://blog.trendmicro.com/trendlabs-security-intelligence/malware-poses-as-an-update-for-java-0-day-fix/

Quoted from the page.
"In light of the recent events surrounding Java, users must seriously consider their use of Java. Do they really need it? If yes, make sure that users follow the steps we recommended and get the security update directly from the official oracle website." at:
http://www.oracle.com/technetwork/java/javase/downloads/index.html

How to disable Java in your browsers
http://www.infoworld.com/t/web-browsers/how-disable-java-in-your-browsers-210882

If still present after the update you can remove the old version(s) of Java via the Control Panel > Programs and Features applet.
Java 8 Update 25 (64-bit) (HKLM\...\{26A24AE4-039D-4CA4-87B4-2F86418025F0}) (Version: 8.0.250 - Oracle Corporation)
Java 8 Update 25 (HKLM-x32\...\{26A24AE4-039D-4CA4-87B4-2F83218025F0}) (Version: 8.0.250 - Oracle Corporation)
===

If still having issues with the atapi.sys file please run this scan.

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2


If your operating system is 64 bit download this tool:
SystemLook_x64.exe
  • Double-click SystemLook.exe to run it.
  • Copy and paste the content of the following bold text into the main textfield:
    :file
    atapi.sys
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
  • Note: The log can also be found on your Desktop entitled SystemLook.txt.
===
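A PowerShell equivalent of the SystemLook ":file atapi.sys" lookup above, combined with the Authenticode check FRST reports in its "Bamital & volsnap" section. This is an added example, not code from the thread, FRST or SystemLook; it assumes PowerShell 4.0 or later run as Administrator, and takes the two file names from the ComboFix errors in the thread.

```powershell
# Added example (not from the thread, FRST or SystemLook).
# Assumes PowerShell 4.0+ (Get-FileHash, -File) in an elevated session.

$names = @('atapi.sys', 'userinit.exe')   # the two files ComboFix complained about
$root  = 'C:\Windows'

$results = foreach ($name in $names) {
    # Find every copy under C:\Windows: system32, SysWOW64, WinSxS, DriverStore...
    Get-ChildItem -Path $root -Filter $name -Recurse -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            $sig    = Get-AuthenticodeSignature -FilePath $_.FullName
            $signer = ''
            if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
            [pscustomobject]@{
                Path      = $_.FullName
                SizeBytes = $_.Length
                Modified  = $_.LastWriteTime
                Version   = $_.VersionInfo.FileVersion
                Company   = $_.VersionInfo.CompanyName
                SigStatus = $sig.Status          # Valid / NotSigned / HashMismatch ...
                Signer    = $signer
                SHA256    = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
            }
        }
}

# Flag anything that is not a validly Microsoft-signed copy. Windows loads
# drivers from system32\drivers, so a copy under SysWOW64\drivers (the path in
# the first ComboFix error) is reported as well so it gets a closer look.
$suspect = $results | Where-Object {
    $_.SigStatus -ne 'Valid' -or
    $_.Signer -notmatch 'Microsoft' -or
    $_.Path -like '*\SysWOW64\drivers\*'
}

$results | Sort-Object Path |
    Format-Table Path, SizeBytes, Version, SigStatus, Signer -AutoSize

if ($suspect) {
    "`nFiles needing attention:"
    $suspect | Format-List Path, SizeBytes, Modified, Version, SigStatus, Signer, SHA256
}
else {
    "`nAll copies are validly signed by Microsoft."
}
```

Post the table together with the SystemLook output; the SHA256 and version columns let a helper compare each copy against a known-good file from the same Windows build.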

#6 sam300

sam300
  • Topic Starter

  • Members
  • 15 posts
  • Local time:04:56 PM

Posted 21 March 2016 - 03:01 PM

Fix result of Farbar Recovery Scan Tool (x64) Version:05-03-2016 01
Ran by sam (2016-03-22 00:45:46) Run:1
Running from C:\Users\sam\Desktop\Farbar Recovery Scan
Loaded Profiles: sam (Available Profiles: sam & Guest)
Boot Mode: Normal
==============================================
 
fixlist content:
*****************
Start
 
CreateRestorePoint:
EmptyTemp:
CloseProcesses:
 
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
HKU\S-1-5-21-2790494612-1924892951-544322720-1000\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
SearchScopes: HKU\S-1-5-21-2790494612-1924892951-544322720-1000 -> DefaultScope {EA78161E-D739-4A93-989B-EE9A13BEA2BB} URL = hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=843&invocationType=tb50sonyie7&query={searchTerms}
SearchScopes: HKU\S-1-5-21-2790494612-1924892951-544322720-1000 -> {EA78161E-D739-4A93-989B-EE9A13BEA2BB} URL = hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=843&invocationType=tb50sonyie7&query={searchTerms}
BHO: CA Anti-Phishing Toolbar Helper -> {45011CF5-E4A9-4F13-9093-F30A784EB9B2} -> No File
BHO-x32: DivX Plus Web Player HTML5 <video> -> {326E768D-4182-46FD-9C16-1449A49795F4} -> No File
BHO-x32: CA Anti-Phishing Toolbar Helper -> {45011CF5-E4A9-4F13-9093-F30A784EB9B2} -> No File
Toolbar: HKLM - CA Anti-Phishing Toolbar - {0123B506-0AD9-43AA-B0CF-916C122AD4C5} -  No File
Toolbar: HKLM-x32 - CA Anti-Phishing Toolbar - {0123B506-0AD9-43AA-B0CF-916C122AD4C5} -  No File
Toolbar: HKU\S-1-5-21-2790494612-1924892951-544322720-1000 -> CA Anti-Phishing Toolbar - {0123B506-0AD9-43AA-B0CF-916C122AD4C5} -  No File
CHR HKLM-x32\...\Chrome\Extension: [nneajnkjbffgblleaoojgaacokifdkhm] - <no Path/update_url>
S1 Beep; no ImagePath
S3 IpInIp; no ImagePath
S3 NwlnkFlt; no ImagePath
S3 NwlnkFwd; no ImagePath
S3 catchme; \??\C:\ComboFix\catchme.sys [X]
 
 
End
*****************
 
Restore point was successfully created.
Processes closed successfully.
"HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer" => key removed successfully
"HKU\S-1-5-21-2790494612-1924892951-544322720-1000\SOFTWARE\Policies\Microsoft\Internet Explorer" => key removed successfully
HKU\S-1-5-21-2790494612-1924892951-544322720-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => value removed successfully
"HKU\S-1-5-21-2790494612-1924892951-544322720-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{EA78161E-D739-4A93-989B-EE9A13BEA2BB}" => key removed successfully
HKCR\CLSID\{EA78161E-D739-4A93-989B-EE9A13BEA2BB} => key not found. 
"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{45011CF5-E4A9-4F13-9093-F30A784EB9B2}" => key removed successfully
"HKCR\CLSID\{45011CF5-E4A9-4F13-9093-F30A784EB9B2}" => key removed successfully
"HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{326E768D-4182-46FD-9C16-1449A49795F4}" => key removed successfully
"HKCR\Wow6432Node\CLSID\{326E768D-4182-46FD-9C16-1449A49795F4}" => key removed successfully
"HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{45011CF5-E4A9-4F13-9093-F30A784EB9B2}" => key removed successfully
"HKCR\Wow6432Node\CLSID\{45011CF5-E4A9-4F13-9093-F30A784EB9B2}" => key removed successfully
HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar\\{0123B506-0AD9-43AA-B0CF-916C122AD4C5} => value removed successfully
"HKCR\CLSID\{0123B506-0AD9-43AA-B0CF-916C122AD4C5}" => key removed successfully
HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar\\{0123B506-0AD9-43AA-B0CF-916C122AD4C5} => value removed successfully
"HKCR\Wow6432Node\CLSID\{0123B506-0AD9-43AA-B0CF-916C122AD4C5}" => key removed successfully
HKU\S-1-5-21-2790494612-1924892951-544322720-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{0123B506-0AD9-43AA-B0CF-916C122AD4C5} => value removed successfully
HKCR\CLSID\{0123B506-0AD9-43AA-B0CF-916C122AD4C5} => key not found. 
"HKLM\SOFTWARE\Wow6432Node\Google\Chrome\Extensions\nneajnkjbffgblleaoojgaacokifdkhm" => key removed successfully
Beep => service removed successfully
IpInIp => service removed successfully
NwlnkFlt => service removed successfully
NwlnkFwd => service removed successfully
catchme => service removed successfully
EmptyTemp: => 557.4 MB temporary data Removed.
 
 
The system needed a reboot.
 
==== End of Fixlog 00:47:06 ====
 
I was getting Java updates from time to time, but the update would not install.
I am using Google Chrome now, but soon Chrome will stop updates for Vista.
Do I really need Java if I install Firefox or Safari in the future instead of Google Chrome?
Also, I do not use IE, and there is no way to delete IE 7 from Vista; in Internet Properties under Security, I moved everything to the high level.
 
Last time, an Alibaba pop-up hijacked my Chrome browser and infected the firewall. I deleted Chrome and reinstalled it, and repaired Vista with Tweaking.com from here.
The Alibaba pop-up came back, but this time not in the browser; I also have an ad blocker on Chrome.
So when I tried to run ComboFix, my first error was "atapi.sys".
After running RogueKiller, I tried to run ComboFix again; the second time I got the "userinit.exe" error.
Thanks.

Edited by sam300, 21 March 2016 - 03:19 PM.


#7 sam300

sam300
  • Topic Starter

  • Members
  • 15 posts
  • Local time:04:56 PM

Posted 22 March 2016 - 12:09 AM

Everything seems fine now. Chrome does not need Java; I unchecked "Enable Java content in the browser" for now, and will deal with it later if I switch browsers in the future.

I want to thank you for all your help.



#8 nasdaq

nasdaq

  • Malware Response Team
  • 39,512 posts
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:05:56 PM

Posted 22 March 2016 - 07:02 AM

Do I really need Java if I install Firefox or Safari in the future instead of Google Chrome?


You may not need Java. With Firefox you will be prompted to install Java if needed, or the page you are viewing may not load completely.

---

 

Also, I do not use IE, and there is no way to delete IE 7 from Vista,

No. It's an integral part of the Operating system.
===

If all is well.

To learn more about how to protect yourself while on the internet, read this little guide on best security practices to keep safe:
http://www.bleepingcomputer.com/forums/t/407147/answers-to-common-security-questions-best-practices/

#9 nasdaq

nasdaq

  • Malware Response Team
  • 39,512 posts
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:05:56 PM

Posted 28 March 2016 - 07:10 AM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.
