
Conhost.exe, can't disable scheduled tasks in CCleaner, etc despite many scans


This topic is locked
25 replies to this topic

#1 handerson5790

  • Members
  • 25 posts

Posted 30 March 2016 - 02:15 PM

Hi! I am having an issue with persistent Malware on Windows 7. On 3/27, I opened a file that downloaded a whole bunch of trojans and other PUPs onto my computer. With help from someone on the "Am I infected? What do I do?" forum (http://www.bleepingcomputer.com/forums/t/609197/malware-wont-budge-mysearchcom-homepage-flashing-pointer/), I have run MBAM, Junk Removal Tool, AdwCleaner, CCleaner, Eset, and McAfee scans and reset Google Chrome. Doing all of that removed a TON of crap and made my computer much faster with WAY fewer pop-ups, but they still find new PUPs every time I run them and my Bleeping Computer helper still thinks there is junk on my computer. 
 
The last thing he told me to do was to Disable a bunch of startup windows and scheduled tasks in CCleaner. I was able to Disable all of the startup windows he suggested. There was one "conhost.exe" that he didn't recognize and suspects as Malware. This is the log entry from CCleaner for it: Yes HKCU:Run conhost C:\Users\Hayley\AppData\Roaming\Microsoft\conhost.exe. I tried to scan it with "Virus Total--Free Online Virus and Malware Scan," but couldn't locate it on my C drive to submit it for a scan. 
 
I also wasn't able to Disable any scheduled tasks in CCleaner. These are the tasks that he wanted me to disable:
Yes Task Adobe Flash Player Updater Adobe Systems Incorporated C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe
Yes Task CCleanerSkipUAC Piriform Ltd "C:\Program Files\CCleaner\CCleaner.exe" $(Arg0)
Yes Task DropboxUpdateTaskUserS-1-5-21-800099794-227068069-1844908692-1005Core Dropbox, Inc. C:\Users\Hayley\AppData\Local\Dropbox\Update\DropboxUpdate.exe /c
Yes Task DropboxUpdateTaskUserS-1-5-21-800099794-227068069-1844908692-1005UA Dropbox, Inc. C:\Users\Hayley\AppData\Local\Dropbox\Update\DropboxUpdate.exe /ua /installsource scheduler
Yes Task G2MUpdateTask-S-1-5-21-800099794-227068069-1844908692-1005 Citrix Online, a division of Citrix Systems, Inc. C:\Users\Hayley\AppData\Local\Citrix\GoToMeeting\4670\g2mupdate.exe
Yes Task GoogleUpdateTaskMachineCore Google Inc. C:\Program Files (x86)\Google\Update\GoogleUpdate.exe /c
Yes Task GoogleUpdateTaskMachineUA Google Inc. C:\Program Files (x86)\Google\Update\GoogleUpdate.exe /ua /installsource scheduler
Yes Task GoogleUpdateTaskUserS-1-5-21-800099794-227068069-1844908692-1005Core Google Inc. C:\Users\Hayley\AppData\Local\Google\Update\GoogleUpdate.exe /c
Yes Task GoogleUpdateTaskUserS-1-5-21-800099794-227068069-1844908692-1005UA Google Inc. C:\Users\Hayley\AppData\Local\Google\Update\GoogleUpdate.exe /ua /installsource scheduler
Do you know what this is... Yes Task Mimnyds C:\PROGRA~1\KEZKEO~1\Uguykh.bat ...if not, Disable for now.
Yes Task thpm2104063961126221479 \\.\globalroot\Device\HarddiskVolume3\Users\Hayley\AppData\Local\Temp\thpm2104063961126221479.tmp
Yes Task thpm5885264203745478740 \\.\globalroot\Device\HarddiskVolume3\Users\Hayley\AppData\Local\Temp\thpm5885264203745478740.tmp
Yes Task VAIO Care Support "%ProgramFiles%\Sony\VAIO Care\VCSpt.exe"
Yes Task win2066888880 \\.\globalroot\Device\HarddiskVolume3\Users\Hayley\AppData\Local\Temp\win2066888880.exe
Yes Task win4036e0 \\.\globalroot\Device\HarddiskVolume3\Users\Hayley\AppData\Local\Temp\win4036e0.dat
Yes Task win765813708 \\.\globalroot\Device\HarddiskVolume3\Users\Hayley\AppData\Local\Temp\win765813708.exe
Yes Task {146A0EDE-3C00-47E4-BF19-3CE9B18DB42D} Microsoft Corporation C:\Windows\system32\pcalua.exe -a "C:\Program Files (x86)\Common Files\Saildubdom\uninstall.exe" -c shuz -f "C:\Program Files (x86)\Common Files\Saildubdom\uninstall.dat" -a uninstallme D6CDD76C-BC79-48B0-9B2A-4D8657743145 DeviceId=06820469-219e-69a3-5ead-1ad38b0e8e1c BarcodeId=51130006 ChannelId=6 DistributerName=APSFInsTerra
 
When I clicked on them and hit disable, I got an error that says "Failed to enable/disable startup item: Transaction support within the specified resource manager is not started or was shut down due to an error." My helper thinks that this means that malware is interfering. 
 
I also uninstalled McAfee via My Computer. My Bleeping Computer friend told me to use the McAfee Consumer Products Removal Tool to make sure it was really gone, but I get the message: "Incomplete Uninstallation. Some or all files may not have been removed successfully. See logs for more details." I have installed Sophos Home to replace it. 
 
The FRST.txt and Addition.txt from my FRST scan are attached. 
 
Thanks in advance! 

Attached Files
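Added example, not part of the original post and not CCleaner's or FRST's own code: a small Python triage pass over startup/task lines of the shape pasted above. It pulls the first file path out of each line and checks the points a responder looks at first: a \\.\globalroot device path in place of a drive letter, execution from a Temp directory, a Windows system binary name such as conhost.exe sitting outside System32, .tmp/.dat/.bat files registered as task actions, and pcalua.exe being used to launch another program. The sample listing copies a few entries from the post (the pcalua.exe arguments are shortened); the function names and the indicator list are my own assumptions.

```python
import re

# Windows binaries that legitimately live only under %SystemRoot%\System32
# (or SysWOW64); the same file name anywhere else is a name masquerade.
SYSTEM_BINARY_NAMES = {"conhost.exe", "svchost.exe", "csrss.exe", "lsass.exe", "winlogon.exe"}
SYSTEM_DIRS = ("\\windows\\system32\\", "\\windows\\syswow64\\")

# First Windows path on a line: a drive path, a %VAR%-rooted path, or a
# \\.\globalroot device path, with an optional surrounding quote.
PATH_RE = re.compile(
    r'"?((?:[A-Za-z]:\\|%[A-Za-z]+%\\|\\\\\.\\globalroot\\)[^"\r\n]*?'
    r'\.(?:exe|dll|bat|cmd|tmp|dat|vbs|js|ps1)\b)"?',
    re.IGNORECASE,
)

# Constructed sample, copied in shape from the CCleaner startup/task listing
# in the post above (the pcalua.exe arguments are shortened).
SAMPLE_LISTING = r"""
Yes HKCU:Run conhost C:\Users\Hayley\AppData\Roaming\Microsoft\conhost.exe
Yes Task CCleanerSkipUAC Piriform Ltd "C:\Program Files\CCleaner\CCleaner.exe" $(Arg0)
Yes Task GoogleUpdateTaskMachineCore Google Inc. C:\Program Files (x86)\Google\Update\GoogleUpdate.exe /c
Yes Task Mimnyds C:\PROGRA~1\KEZKEO~1\Uguykh.bat
Yes Task thpm2104063961126221479 \\.\globalroot\Device\HarddiskVolume3\Users\Hayley\AppData\Local\Temp\thpm2104063961126221479.tmp
Yes Task VAIO Care Support "%ProgramFiles%\Sony\VAIO Care\VCSpt.exe"
Yes Task win4036e0 \\.\globalroot\Device\HarddiskVolume3\Users\Hayley\AppData\Local\Temp\win4036e0.dat
Yes Task {146A0EDE-3C00-47E4-BF19-3CE9B18DB42D} Microsoft Corporation C:\Windows\system32\pcalua.exe -a "C:\Program Files (x86)\Common Files\Saildubdom\uninstall.exe" -c shuz
"""


def triage_line(line: str) -> list:
    """Return the indicators one startup/task line trips (empty list = nothing odd)."""
    m = PATH_RE.search(line)
    if not m:
        return []
    path = m.group(1)
    low = path.lower()
    base = low.rsplit("\\", 1)[-1]
    ext = base.rsplit(".", 1)[-1]
    reasons = []
    if low.startswith("\\\\.\\globalroot\\"):
        reasons.append("globalroot device path (drive letter hidden from tools and the user)")
    if "\\temp\\" in low:
        reasons.append("runs from a Temp directory")
    if base in SYSTEM_BINARY_NAMES and not any(d in low for d in SYSTEM_DIRS):
        reasons.append(f"{base} outside System32 (system binary name masquerade)")
    if ext in ("tmp", "dat"):
        reasons.append(f".{ext} data file registered as a task action")
    elif ext in ("bat", "cmd", "vbs", "js", "ps1"):
        reasons.append(f".{ext} script registered as a task action; confirm the vendor")
    if base == "pcalua.exe" and " -a " in line:
        reasons.append("pcalua.exe used as a proxy launcher for another program")
    return reasons


def triage_listing(text: str) -> dict:
    """Map the path of each flagged entry to its indicators; clean entries are left out."""
    flagged = {}
    for line in text.splitlines():
        reasons = triage_line(line)
        if reasons:
            flagged[PATH_RE.search(line).group(1)] = reasons
    return flagged


if __name__ == "__main__":
    for path, reasons in triage_listing(SAMPLE_LISTING).items():
        print(path)
        for reason in reasons:
            print("   -", reason)
```

On the sample, the Google, CCleaner and VAIO entries come back clean, while the conhost.exe Run value, the two globalroot Temp tasks, the .bat task and the pcalua.exe task are each listed with the reasons that make them worth a second look. The output is a triage list, not a verdict: a signed vendor updater can run from AppData\Local, and a .bat task can be legitimate, which is why the script reports reasons rather than a label.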




#2 Jo*

  • Malware Response Team
  • 3,453 posts
  • Gender:Male
  • Location:Germany

Posted 30 March 2016 - 02:52 PM

Welcome to BleepingComputer.

Hi there,

my name is Jo and I will help you with your computer problems.


Please follow these guidelines:
  • Read and follow the instructions in the sequence they are posted.
  • Print or copy & save the instructions.
  • Back up all your private data / music / important files on another (external) drive before using our tools.
  • Do not install / uninstall any applications, unless otherwise instructed.
  • Use only the tools you have been instructed to use.
  • Copy and paste the log files inside your post, unless otherwise instructed.
  • Ask for clarification if you have any questions.
  • Stay with this topic until you get the all-clean post.
  • My first language is not English, so please do not use slang or idioms; it could be hard for me to read. Thanks for your understanding.

***


Step 1: Download Security Check by screen317 from here or here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
    Vista / Windows 7/8 users right-click and select Run As Administrator.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

***


Step 2: Please download Malwarebytes Anti-Rootkit and save it to your desktop.
  • Be sure to print out and follow the instructions provided on that same page.
  • Caution: This is a beta version, so please be sure to read the disclaimer and back up all your data before using it.
  • Double click on the downloaded file. OK the self-extracting prompt.
  • MBAR will start. Click "Next" in the introduction screen to continue.
  • Click "Update" in the following screen to obtain the latest malware definitions.
  • Once the update is complete, select "Next" and click "Scan".
With some infections, you may see two message boxes.
  • 'Could not load protection driver'. Click 'OK'.
  • 'Could not load DDA driver'. Click 'Yes' to this message to allow the driver to load after a restart. Allow the computer to restart. Continue with the rest of these instructions.
  • If malware is found, do not press the Clean up button; please go to the MBAR folder and then copy/paste the contents of the MBAR-log-***.txt file into your next reply.
  • If there is no malware found, please let me know as well.

***


Step 3: Copy FRST / FRST64 to your desktop!

Open Notepad. Please copy the contents of the code box below. To do this, highlight the contents of the box and right click on it. Paste this into the open Notepad.
Save it in the same location as FRST / FRST64 (usually your desktop) as fixlist.txt



start
CreateRestorePoint:
CloseProcesses:
HKU\S-1-5-21-800099794-227068069-1844908692-1005\...\Run: [conhost] => C:\Users\Hayley\AppData\Roaming\Microsoft\conhost.exe
C:\Users\Hayley\AppData\Roaming\Microsoft\conhost.exe
HKLM-x32\...\Run: [] => [X]
FF HKLM-x32\...\Firefox\Extensions: [smartwebprinting@hp.com] - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3 => not found
FF HKU\S-1-5-21-800099794-227068069-1844908692-1005\...\Firefox\Extensions: [smartwebprinting@hp.com] - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3 => not found
S2 Khygocja; "C:\Users\Hayley\AppData\Roaming\EsiyNhpa\Omeimzes.exe" -cms [X]
U2 MSSQL$DDNI; no ImagePath
C:\Windows\assembly\tmp
C:\Windows\assembly\tmp\{1B372133-BFFA-4dba-9CCF-5474BED6A9F6}
C:\Users\Hayley\AppData\Local\1abb1331
C:\Users\Hayley\AppData\Local\1abb1331\@
Task: {0685076B-8F4B-4EE4-B00B-6C390B7AD58F} - System32\Tasks\thpm5885264203745478740 => \.\globalroot\Device\HarddiskVolume3\Users\Hayley\AppData\Local\Temp\thpm5885264203745478740.tmp <==== ATTENTION
Task: {097B882F-08B9-43A5-BF99-F9E9156E6CB9} - \2273153280 -> No File <==== ATTENTION
Task: {22A295DA-0E8D-4869-A5C9-3B91B4AE9926} - System32\Tasks\win2066888880 => \.\globalroot\Device\HarddiskVolume3\Users\Hayley\AppData\Local\Temp\win2066888880.exe <==== ATTENTION
Task: {3D25B854-1B54-41E8-8028-38AF390E3EC7} - \2943231872 -> No File <==== ATTENTION
Task: {469D8322-F97F-40E2-BEA9-3FC16F27A38C} - \1720952824 -> No File <==== ATTENTION
Task: {491EB4C1-BA4E-45ED-82F2-0E1E84A4F8EF} - System32\Tasks\win765813708 => \.\globalroot\Device\HarddiskVolume3\Users\Hayley\AppData\Local\Temp\win765813708.exe <==== ATTENTION
Task: {494AE905-5B9B-4356-B0CD-37748A79BE5E} - \1860012496 -> No File <==== ATTENTION
Task: {5B02A928-9574-4DEC-85B2-D2963D6F5FDC} - System32\Tasks\win4036e0 => \.\globalroot\Device\HarddiskVolume3\Users\Hayley\AppData\Local\Temp\win4036e0.dat <==== ATTENTION
Task: {5B251B7F-8599-4B0B-BDD5-0DE0B82963E1} - \psv_Zummaozeit -> No File <==== ATTENTION
Task: {5F98A383-BCE7-43D1-A86C-FF07C1EB8A8F} - System32\Tasks\thpm2104063961126221479 => \.\globalroot\Device\HarddiskVolume3\Users\Hayley\AppData\Local\Temp\thpm2104063961126221479.tmp <==== ATTENTION
Task: {86154E29-7ECE-4B0D-8B4A-CEFF009CD6DE} - \1929787128 -> No File <==== ATTENTION
Task: {8B06E842-1796-4325-99EF-B3EB41F690C4} - \3581582128 -> No File <==== ATTENTION
Task: {9635A179-FA13-44AE-9747-41971E00923F} - System32\Tasks\{7D0A0947-040C-0A7A-0C11-050D780F117A} => powershell.exe -nologo -executionpolicy bypass -noninteractive -windowstyle hidden -EncodedCommand OwAgADsAIAA7ACQARQByAHIAbwByAEEAYwB0AGkAbwBuAFAAcgBlAGYAZQByAGUAbgBjAGUAPQAiAHMAdABvAHAAIgA7ACQAcwBjAD0AIgBTAGkAbABlAG4AdABsAHkAQwBvAG4AdABpAG4AdQBlACIAOwAkAFcAYQByAG4AaQBuAGcAUAByAGUAZgBlAHIAZQBuAGMAZQA9ACQAcwBjADsA (the data entry has 9232 more characters).
Task: {9A2B90BD-D45A-48FB-AD8A-3418A2A294C0} - \1542925696 -> No File <==== ATTENTION
Task: {9A30B2AC-7238-4FB3-803F-1B96473D71DF} - \psv_Aptom -> No File <==== ATTENTION
Task: {A5FEE4D1-3CF6-4FBC-8029-438C43122135} - \1107923008 -> No File <==== ATTENTION
Task: {AB527734-3D42-4548-8E8E-498D2FE5D216} - System32\Tasks\Mimnyds => C:\PROGRA~1\KEZKEO~1\Uguykh.bat
Task: {EAD3C5FB-C100-4A6F-B8CA-10722C39E8E0} - \3563762892 -> No File <==== ATTENTION
Task: {F6336416-CCF9-4486-B4F7-6227D4C81A9C} - \DNSWILLISTON -> No File <==== ATTENTION
Task: C:\Windows\Tasks\McAfee Cleanup.job => C:\Users\Hayley\AppData\Local\Temp\MCPR\mccleanup.exe <==== ATTENTION
EmptyTemp:
end


NOTICE: This script was written specifically for this user, for use on that particular machine.
Running this on another machine may cause damage to your operating system.


Run FRST / FRST64 again like we did before, but this time press the Fix button just once and wait.
The tool will make a log (Fixlog.txt); please post it in your reply.

---

How is the computer running now?

Graduate of the WTT Classroom
Cheers,
Jo
If I have been helping you, and I have not replied to your latest post in 36 hours please send me a PM.
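Added example, not part of Jo's post and not FRST's own code: the powershell.exe task entry in the fixlist above launches PowerShell with -windowstyle hidden, -executionpolicy bypass and an -EncodedCommand blob. An -EncodedCommand value is base64 over the UTF-16LE text of the script, so a responder can read the recoverable start of it straight from the log. The Python below decodes the visible prefix exactly as FRST printed it; because FRST prints only the beginning of a long value, the remaining 9232 characters are not recoverable from this log, and the decoder trims a cut-off blob rather than guessing bytes. The sample line is copied from the fixlist; the function names and the switch list are my own assumptions.

```python
import base64
import re

# Constructed sample: the FRST "Task:" entry from the fixlist above, with the
# encoded blob exactly as FRST printed it. FRST prints only the beginning of a
# long value, so only the start of the command can be recovered from the log.
FRST_TASK_LINE = (
    "Task: {9635A179-FA13-44AE-9747-41971E00923F} - "
    "System32\\Tasks\\{7D0A0947-040C-0A7A-0C11-050D780F117A} => "
    "powershell.exe -nologo -executionpolicy bypass -noninteractive "
    "-windowstyle hidden -EncodedCommand "
    "OwAgADsAIAA7ACQARQByAHIAbwByAEEAYwB0AGkAbwBuAFAAcgBlAGYAZQByAGUAbgBjAGUAPQAi"
    "AHMAdABvAHAAIgA7ACQAcwBjAD0AIgBTAGkAbABlAG4AdABsAHkAQwBvAG4AdABpAG4AdQBlACIA"
    "OwAkAFcAYQByAG4AaQBuAGcAUAByAGUAZgBlAHIAZQBuAGMAZQA9ACQAcwBjADsA "
    "(the data entry has 9232 more characters)."
)

# PowerShell accepts -EncodedCommand and its common short forms.
ENCODED_RE = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)

# Switches that keep a scheduled PowerShell task out of the user's sight.
STEALTH_SWITCHES = ("-executionpolicy bypass", "-noninteractive", "-windowstyle hidden")


def decode_encoded_command(blob: str) -> str:
    """Decode an -EncodedCommand value: base64 over UTF-16LE text.

    A blob cut short by the log is trimmed to whole base64 quanta and whole
    UTF-16 code units instead of being padded with guessed bytes."""
    blob = blob[: len(blob) - len(blob) % 4]
    raw = base64.b64decode(blob)
    raw = raw[: len(raw) - len(raw) % 2]
    return raw.decode("utf-16-le")


def analyze_task_line(line: str) -> dict:
    """Summarise what an FRST 'Task:' entry actually launches."""
    action = line.split(" => ", 1)[-1]
    low = action.lower()
    m = ENCODED_RE.search(action)
    return {
        "is_powershell": low.lstrip().startswith("powershell"),
        "stealth_switches": [s for s in STEALTH_SWITCHES if s in low],
        "decoded_prefix": decode_encoded_command(m.group(1)) if m else "",
        # FRST marks a shortened value with "(the data entry has N more characters)".
        "truncated": "more characters" in low,
    }


if __name__ == "__main__":
    summary = analyze_task_line(FRST_TASK_LINE)
    print("PowerShell task:", summary["is_powershell"])
    print("stealth switches:", ", ".join(summary["stealth_switches"]))
    print("decoded prefix:", summary["decoded_prefix"])
    print("log truncated the command:", summary["truncated"])
```

The recoverable prefix only sets $ErrorActionPreference, $WarningPreference and a helper variable so that the rest of the script runs without surfacing errors or warnings; the body that follows is what would be needed for a verdict, and it has to come from the task's XML under C:\Windows\System32\Tasks or from the TaskCache registry keys, not from this log. The switch list is the useful detection signal on its own: a scheduled task that runs PowerShell hidden, non-interactive, with the execution policy bypassed and an encoded body is rare in legitimate software.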


#3 fireman4it

    Bleepin' Fireman

  • Malware Response Team
  • 13,512 posts
  • Gender:Male
  • Location:Greenup, Ill USA

Posted 30 March 2016 - 02:52 PM

Sorry Jo, we must have posted at the same time.


Edited by fireman4it, 30 March 2016 - 02:54 PM.

" Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-


If I have helped you, consider making a donation to help me continue the fight against Malware!


#4 handerson5790
  • Topic Starter

  • Members
  • 25 posts

Posted 30 March 2016 - 06:19 PM

Security Check log: 

 

 Results of screen317's Security Check version 1.014 --- 12/23/15  
 Windows 7 Service Pack 1 x64 (UAC is disabled!)  
``````````````Antivirus/Firewall Check:`````````````` 
 Windows Firewall Enabled!  
Sophos Home   
 WMI entry may not exist for antivirus; attempting automatic update. 
`````````Anti-malware/Other Utilities Check:````````` 
 Adobe Flash Player 21.0.0.197  
 Google Chrome (49.0.2623.108) 
 Google Chrome (49.0.2623.87) 
````````Process Check: objlist.exe by Laurent````````  
 Sophos Sophos Anti-Virus Web Control swc_service.exe 
 Sophos Sophos Anti-Virus SavService.exe  
 Sophos Sophos Anti-Virus SAVAdminService.exe  
 Sophos Sophos Anti-Virus Web Intelligence swi_service.exe 
`````````````````System Health check````````````````` 
 Total Fragmentation on Drive C: 0% 
````````````````````End of Log`````````````````````` 
 
MBAR log: 

---------------------------------------
Malwarebytes Anti-Rootkit BETA 1.09.3.1001
 
© Malwarebytes Corporation 2011-2012
 
OS version: 6.1.7601 Windows 7 Service Pack 1 x64
 
Account is Administrative
 
Internet Explorer version: 8.0.7601.17514
 
File system is: NTFS
Disk drives: C:\ DRIVE_FIXED
CPU speed: 2.394000 GHz
Memory total: 3940651008, free: 1565519872
 
Downloaded database version: v2016.03.30.08
Downloaded database version: v2016.03.30.01
Downloaded database version: v2016.03.24.01
=======================================
Initializing...
Driver version: 0.3.0.4
------------ Kernel report ------------
     03/30/2016 17:57:09
------------ Loaded modules -----------
\SystemRoot\system32\ntoskrnl.exe
\SystemRoot\system32\hal.dll
\SystemRoot\system32\kdcom.dll
\SystemRoot\system32\mcupdate_GenuineIntel.dll
\SystemRoot\system32\PSHED.dll
\SystemRoot\system32\CLFS.SYS
\SystemRoot\system32\CI.dll
\SystemRoot\System32\drivers\walmmav.sys
\SystemRoot\system32\drivers\Wdf01000.sys
\SystemRoot\system32\drivers\WDFLDR.SYS
\SystemRoot\system32\drivers\ACPI.sys
\SystemRoot\system32\drivers\WMILIB.SYS
\SystemRoot\system32\drivers\msisadrv.sys
\SystemRoot\system32\drivers\pci.sys
\SystemRoot\system32\drivers\vdrvroot.sys
\SystemRoot\System32\drivers\partmgr.sys
\SystemRoot\system32\drivers\compbatt.sys
\SystemRoot\system32\drivers\BATTC.SYS
\SystemRoot\system32\drivers\volmgr.sys
\SystemRoot\System32\drivers\volmgrx.sys
\SystemRoot\System32\drivers\mountmgr.sys
\SystemRoot\system32\drivers\iaStor.sys
\SystemRoot\system32\drivers\amdxata.sys
\SystemRoot\system32\drivers\fltmgr.sys
\SystemRoot\system32\drivers\fileinfo.sys
\SystemRoot\System32\Drivers\Ntfs.sys
\SystemRoot\System32\Drivers\msrpc.sys
\SystemRoot\System32\Drivers\ksecdd.sys
\SystemRoot\System32\Drivers\cng.sys
\SystemRoot\System32\drivers\pcw.sys
\SystemRoot\System32\Drivers\Fs_Rec.sys
\SystemRoot\system32\drivers\ndis.sys
\SystemRoot\system32\drivers\NETIO.SYS
\SystemRoot\System32\Drivers\ksecpkg.sys
\SystemRoot\System32\drivers\tcpip.sys
\SystemRoot\System32\drivers\fwpkclnt.sys
\SystemRoot\system32\drivers\volsnap.sys
\SystemRoot\System32\Drivers\spldr.sys
\SystemRoot\System32\drivers\rdyboost.sys
\SystemRoot\System32\Drivers\mup.sys
\SystemRoot\System32\drivers\hwpolicy.sys
\SystemRoot\System32\DRIVERS\fvevol.sys
\SystemRoot\system32\drivers\disk.sys
\SystemRoot\system32\drivers\CLASSPNP.SYS
\SystemRoot\system32\DRIVERS\cdrom.sys
\SystemRoot\System32\Drivers\Null.SYS
\SystemRoot\System32\Drivers\Beep.SYS
\SystemRoot\system32\DRIVERS\ctxusbm.sys
\SystemRoot\System32\drivers\vga.sys
\SystemRoot\System32\drivers\VIDEOPRT.SYS
\SystemRoot\System32\drivers\watchdog.sys
\SystemRoot\System32\DRIVERS\RDPCDD.sys
\SystemRoot\system32\drivers\rdpencdd.sys
\SystemRoot\system32\drivers\rdprefmp.sys
\SystemRoot\System32\Drivers\Msfs.SYS
\SystemRoot\System32\Drivers\Npfs.SYS
\SystemRoot\system32\DRIVERS\tdx.sys
\SystemRoot\system32\DRIVERS\TDI.SYS
\SystemRoot\System32\DRIVERS\netbt.sys
\SystemRoot\system32\drivers\afd.sys
\SystemRoot\system32\DRIVERS\wfplwf.sys
\SystemRoot\system32\DRIVERS\pacer.sys
\SystemRoot\system32\DRIVERS\vwififlt.sys
\SystemRoot\system32\DRIVERS\netbios.sys
\SystemRoot\system32\DRIVERS\wanarp.sys
\SystemRoot\system32\drivers\termdd.sys
\SystemRoot\system32\DRIVERS\rdbss.sys
\SystemRoot\system32\drivers\nsiproxy.sys
\SystemRoot\system32\drivers\mssmbios.sys
\SystemRoot\System32\drivers\discache.sys
\SystemRoot\System32\Drivers\dfsc.sys
\SystemRoot\system32\drivers\blbdrive.sys
\SystemRoot\system32\DRIVERS\igdkmd64.sys
\SystemRoot\System32\drivers\dxgkrnl.sys
\SystemRoot\System32\drivers\dxgmms1.sys
\SystemRoot\system32\drivers\HECIx64.sys
\SystemRoot\system32\drivers\usbehci.sys
\SystemRoot\system32\drivers\USBPORT.SYS
\SystemRoot\system32\drivers\HDAudBus.sys
\SystemRoot\system32\DRIVERS\NETw5s64.sys
\SystemRoot\system32\DRIVERS\vwifibus.sys
\SystemRoot\system32\drivers\sdbus.sys
\SystemRoot\system32\drivers\rimssne64.sys
\SystemRoot\system32\drivers\risdsne64.sys
\SystemRoot\system32\DRIVERS\yk62x64.sys
\SystemRoot\system32\drivers\i8042prt.sys
\SystemRoot\system32\drivers\kbdclass.sys
\SystemRoot\system32\drivers\SynTP.sys
\SystemRoot\system32\drivers\USBD.SYS
\SystemRoot\system32\drivers\mouclass.sys
\SystemRoot\system32\drivers\SFEP.sys
\SystemRoot\system32\DRIVERS\GEARAspiWDM.sys
\SystemRoot\system32\drivers\Impcd.sys
\SystemRoot\system32\drivers\intelppm.sys
\SystemRoot\system32\drivers\CmBatt.sys
\SystemRoot\system32\drivers\CompositeBus.sys
\SystemRoot\system32\DRIVERS\AgileVpn.sys
\SystemRoot\system32\DRIVERS\rasl2tp.sys
\SystemRoot\system32\DRIVERS\ndistapi.sys
\SystemRoot\system32\DRIVERS\ndiswan.sys
\SystemRoot\system32\DRIVERS\raspppoe.sys
\SystemRoot\system32\DRIVERS\raspptp.sys
\SystemRoot\system32\DRIVERS\rassstp.sys
\SystemRoot\system32\drivers\swenum.sys
\SystemRoot\system32\drivers\ks.sys
\SystemRoot\system32\DRIVERS\umbus.sys
\SystemRoot\system32\DRIVERS\WDKMD.sys
\SystemRoot\system32\DRIVERS\usbhub.sys
\SystemRoot\System32\Drivers\NDProxy.SYS
\SystemRoot\system32\drivers\RTKVHD64.sys
\SystemRoot\system32\drivers\portcls.sys
\SystemRoot\system32\drivers\drmk.sys
\SystemRoot\system32\drivers\ksthunk.sys
\SystemRoot\system32\DRIVERS\IntcDAud.sys
\SystemRoot\system32\DRIVERS\usbccgp.sys
\SystemRoot\System32\Drivers\usbvideo.sys
\SystemRoot\system32\DRIVERS\ArcSoftKsUFilter.sys
\SystemRoot\System32\win32k.sys
\SystemRoot\System32\drivers\Dxapi.sys
\SystemRoot\System32\Drivers\crashdmp.sys
\SystemRoot\System32\Drivers\dump_iaStor.sys
\SystemRoot\System32\Drivers\dump_dumpfve.sys
\SystemRoot\system32\DRIVERS\monitor.sys
\SystemRoot\System32\TSDDD.dll
\SystemRoot\System32\cdd.dll
\SystemRoot\system32\drivers\luafv.sys
\SystemRoot\system32\DRIVERS\lltdio.sys
\SystemRoot\system32\DRIVERS\nwifi.sys
\SystemRoot\system32\DRIVERS\ndisuio.sys
\SystemRoot\system32\DRIVERS\rspndr.sys
\SystemRoot\System32\Drivers\fastfat.SYS
\SystemRoot\system32\drivers\HTTP.sys
\SystemRoot\system32\DRIVERS\bowser.sys
\SystemRoot\System32\drivers\mpsdrv.sys
\SystemRoot\system32\DRIVERS\mrxsmb.sys
\SystemRoot\system32\DRIVERS\mrxsmb10.sys
\SystemRoot\system32\DRIVERS\mrxsmb20.sys
\??\C:\Windows\system32\drivers\npf.sys
\SystemRoot\system32\drivers\peauth.sys
\??\C:\Windows\system32\Drivers\pnpnptool.sys
\??\C:\Windows\system32\drivers\regi.sys
\SystemRoot\System32\DRIVERS\srvnet.sys
\SystemRoot\System32\drivers\tcpipreg.sys
\SystemRoot\System32\DRIVERS\srv2.sys
\SystemRoot\System32\DRIVERS\srv.sys
\SystemRoot\system32\DRIVERS\vwifimp.sys
\SystemRoot\system32\drivers\WudfPf.sys
\SystemRoot\system32\DRIVERS\savonaccess.sys
\SystemRoot\system32\DRIVERS\WSDPrint.sys
\SystemRoot\system32\DRIVERS\WSDScan.sys
\SystemRoot\System32\ATMFD.DLL
\??\C:\Windows\system32\drivers\mbamchameleon.sys
\??\C:\Windows\system32\drivers\MBAMSwissArmy.sys
\Windows\System32\ntdll.dll
\Windows\System32\smss.exe
\Windows\System32\apisetschema.dll
\Windows\System32\autochk.exe
\Windows\System32\msctf.dll
\Windows\System32\user32.dll
\Windows\System32\normaliz.dll
\Windows\System32\iertutil.dll
\Windows\System32\ole32.dll
\Windows\System32\difxapi.dll
\Windows\System32\setupapi.dll
\Windows\System32\rpcrt4.dll
\Windows\System32\imm32.dll
\Windows\System32\shlwapi.dll
\Windows\System32\kernel32.dll
\Windows\System32\msvcrt.dll
\Windows\System32\wininet.dll
\Windows\System32\imagehlp.dll
\Windows\System32\gdi32.dll
\Windows\System32\advapi32.dll
\Windows\System32\usp10.dll
\Windows\System32\urlmon.dll
\Windows\System32\nsi.dll
\Windows\System32\lpk.dll
\Windows\System32\clbcatq.dll
\Windows\System32\psapi.dll
\Windows\System32\sechost.dll
\Windows\System32\Wldap32.dll
\Windows\System32\shell32.dll
\Windows\System32\comdlg32.dll
\Windows\System32\oleaut32.dll
\Windows\System32\ws2_32.dll
\Windows\System32\wintrust.dll
\Windows\System32\KernelBase.dll
\Windows\System32\cfgmgr32.dll
\Windows\System32\xmllite.dll
\Windows\System32\comctl32.dll
\Windows\System32\devobj.dll
\Windows\System32\crypt32.dll
\Windows\System32\msasn1.dll
\Windows\SysWOW64\normaliz.dll
----------- End -----------
Done!
 
Scan started
Database versions:
  main:    v2016.03.30.08
  rootkit: v2016.03.30.01
 
<<<2>>>
Physical Sector Size: 512
Drive: 0, DevicePointer: 0xfffffa800636d060, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\
--------- Disk Stack ------
DevicePointer: 0xfffffa800636dab0, DeviceName: Unknown, DriverName: \Driver\partmgr\
DevicePointer: 0xfffffa800636d060, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\
DevicePointer: 0xfffffa80043343c0, DeviceName: Unknown, DriverName: \Driver\ACPI\
DevicePointer: 0xfffffa8004339050, DeviceName: \Device\Ide\IAAStorageDevice-1\, DriverName: \Driver\iaStor\
------------ End ----------
Alternate DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\
Upper DeviceData: 0x0, 0x0, 0x0
Lower DeviceData: 0x0, 0x0, 0x0
<<<3>>>
Volume: C:
File system type: NTFS
SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
<<<2>>>
<<<3>>>
Volume: C:
File system type: NTFS
SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
Scanning drivers directory: C:\WINDOWS\SYSTEM32\drivers...
Done!
Drive 0
This is a System drive
Scanning MBR on drive 0...
Inspecting partition table:
MBR Signature: 55AA
Disk Signature: A78011DD
 
Partition information:
 
    Partition 0 type is Other (0x27)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 2048  Numsec = 22136832
    Partition is bootable
    Partition file system is NTFS
 
    Partition 1 type is Primary (0x7)
    Partition is ACTIVE.
    Partition starts at LBA: 22138880  Numsec = 204800
    Partition is bootable
    Partition file system is NTFS
 
    Partition 2 type is Primary (0x7)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 22343680  Numsec = 954427440
    Partition is not bootable
    Partition file system is NTFS
 
    Partition 3 type is Empty (0x0)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 0  Numsec = 0
    Partition is not bootable
 
Disk Size: 500107862016 bytes
Sector size: 512 bytes
 
Done!
File "C:\ProgramData\Sophos\Sophos Anti-Virus\logs\SAV.txt" is compressed (flags = 1)
Infected: C:\Users\Hayley\AppData\Roaming\Puhziml\Korgotog.dll --> [Adware.PennyBee.WnskRST]
Infected: C:\Users\Hayley\AppData\Roaming\Puhziml\Korgotog.exe --> [Adware.PennyBee]
Infected: C:\Users\Hayley\AppData\Roaming\Puhziml\Wiffemk.exe --> [Adware.PennyBee]
Infected: C:\Windows\System32\drivers\etc\hosts --> [Hijack.Host]
Infected: C:\Windows\System32\drivers\etc\hosts --> [Hijack.Host]
Infected: C:\Windows\System32\drivers\etc\hosts --> [Hijack.Host]
Scan finished
User declined to cleanup malware.
=======================================
 
 
Removal queue found; removal started
Removing C:\ProgramData\Malwarebytes' Anti-Malware (portable)\MBR-0-i.mbam...
Removing C:\ProgramData\Malwarebytes' Anti-Malware (portable)\VBR-0-0-2048-i.mbam...
Removing C:\ProgramData\Malwarebytes' Anti-Malware (portable)\VBR-0-1-22138880-i.mbam...
Removing C:\ProgramData\Malwarebytes' Anti-Malware (portable)\VBR-0-2-22343680-i.mbam...
Removing C:\ProgramData\Malwarebytes' Anti-Malware (portable)\MBR-0-r.mbam...
Removal finished
 
 
FRST Fix log: 

Fix result of Farbar Recovery Scan Tool (x64) Version:05-03-2016 01
Ran by Hayley (2016-03-30 19:09:12) Run:1
Running from C:\Users\Hayley\Desktop
Loaded Profiles: Hayley (Available Profiles: boinc_master & Hayley)
Boot Mode: Normal
==============================================
 
fixlist content:
*****************
start
CreateRestorePoint:
CloseProcesses:
HKU\S-1-5-21-800099794-227068069-1844908692-1005\...\Run: [conhost] => C:\Users\Hayley\AppData\Roaming\Microsoft\conhost.exe
C:\Users\Hayley\AppData\Roaming\Microsoft\conhost.exe
HKLM-x32\...\Run: [] => [X]
FF HKLM-x32\...\Firefox\Extensions: [smartwebprinting@hp.com] - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3 => not found
FF HKU\S-1-5-21-800099794-227068069-1844908692-1005\...\Firefox\Extensions: [smartwebprinting@hp.com] - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3 => not found
S2 Khygocja; "C:\Users\Hayley\AppData\Roaming\EsiyNhpa\Omeimzes.exe" -cms [X]
U2 MSSQL$DDNI; no ImagePath
C:\Windows\assembly\tmp
C:\Windows\assembly\tmp\{1B372133-BFFA-4dba-9CCF-5474BED6A9F6}
C:\Users\Hayley\AppData\Local\1abb1331
C:\Users\Hayley\AppData\Local\1abb1331\@
Task: {0685076B-8F4B-4EE4-B00B-6C390B7AD58F} - System32\Tasks\thpm5885264203745478740 => \.\globalroot\Device\HarddiskVolume3\Users\Hayley\AppData\Local\Temp\thpm5885264203745478740.tmp <==== ATTENTION
Task: {097B882F-08B9-43A5-BF99-F9E9156E6CB9} - \2273153280 -> No File <==== ATTENTION
Task: {22A295DA-0E8D-4869-A5C9-3B91B4AE9926} - System32\Tasks\win2066888880 => \.\globalroot\Device\HarddiskVolume3\Users\Hayley\AppData\Local\Temp\win2066888880.exe <==== ATTENTION
Task: {3D25B854-1B54-41E8-8028-38AF390E3EC7} - \2943231872 -> No File <==== ATTENTION
Task: {469D8322-F97F-40E2-BEA9-3FC16F27A38C} - \1720952824 -> No File <==== ATTENTION
Task: {491EB4C1-BA4E-45ED-82F2-0E1E84A4F8EF} - System32\Tasks\win765813708 => \.\globalroot\Device\HarddiskVolume3\Users\Hayley\AppData\Local\Temp\win765813708.exe <==== ATTENTION
Task: {494AE905-5B9B-4356-B0CD-37748A79BE5E} - \1860012496 -> No File <==== ATTENTION
Task: {5B02A928-9574-4DEC-85B2-D2963D6F5FDC} - System32\Tasks\win4036e0 => \.\globalroot\Device\HarddiskVolume3\Users\Hayley\AppData\Local\Temp\win4036e0.dat <==== ATTENTION
Task: {5B251B7F-8599-4B0B-BDD5-0DE0B82963E1} - \psv_Zummaozeit -> No File <==== ATTENTION
Task: {5F98A383-BCE7-43D1-A86C-FF07C1EB8A8F} - System32\Tasks\thpm2104063961126221479 => \.\globalroot\Device\HarddiskVolume3\Users\Hayley\AppData\Local\Temp\thpm2104063961126221479.tmp <==== ATTENTION
Task: {86154E29-7ECE-4B0D-8B4A-CEFF009CD6DE} - \1929787128 -> No File <==== ATTENTION
Task: {8B06E842-1796-4325-99EF-B3EB41F690C4} - \3581582128 -> No File <==== ATTENTION
Task: {9635A179-FA13-44AE-9747-41971E00923F} - System32\Tasks\{7D0A0947-040C-0A7A-0C11-050D780F117A} => powershell.exe -nologo -executionpolicy bypass -noninteractive -windowstyle hidden -EncodedCommand OwAgADsAIAA7ACQARQByAHIAbwByAEEAYwB0AGkAbwBuAFAAcgBlAGYAZQByAGUAbgBjAGUAPQAiAHMAdABvAHAAIgA7ACQAcwBjAD0AIgBTAGkAbABlAG4AdABsAHkAQwBvAG4AdABpAG4AdQBlACIAOwAkAFcAYQByAG4AaQBuAGcAUAByAGUAZgBlAHIAZQBuAGMAZQA9ACQAcwBjADsA (the data entry has 9232 more characters).
Task: {9A2B90BD-D45A-48FB-AD8A-3418A2A294C0} - \1542925696 -> No File <==== ATTENTION
Task: {9A30B2AC-7238-4FB3-803F-1B96473D71DF} - \psv_Aptom -> No File <==== ATTENTION
Task: {A5FEE4D1-3CF6-4FBC-8029-438C43122135} - \1107923008 -> No File <==== ATTENTION
Task: {AB527734-3D42-4548-8E8E-498D2FE5D216} - System32\Tasks\Mimnyds => C:\PROGRA~1\KEZKEO~1\Uguykh.bat
Task: {EAD3C5FB-C100-4A6F-B8CA-10722C39E8E0} - \3563762892 -> No File <==== ATTENTION
Task: {F6336416-CCF9-4486-B4F7-6227D4C81A9C} - \DNSWILLISTON -> No File <==== ATTENTION
Task: C:\Windows\Tasks\McAfee Cleanup.job => C:\Users\Hayley\AppData\Local\Temp\MCPR\mccleanup.exe <==== ATTENTION
EmptyTemp:
end
*****************
 
Restore point was successfully created.
Processes closed successfully.
HKU\S-1-5-21-800099794-227068069-1844908692-1005\Software\Microsoft\Windows\CurrentVersion\Run\\conhost => value removed successfully
"C:\Users\Hayley\AppData\Roaming\Microsoft\conhost.exe" => not found.
HKLM\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\\ => value removed successfully
HKLM\Software\Wow6432Node\Mozilla\Firefox\Extensions\\smartwebprinting@hp.com => value removed successfully
HKU\S-1-5-21-800099794-227068069-1844908692-1005\Software\Mozilla\Firefox\Extensions\\smartwebprinting@hp.com => value removed successfully
Khygocja => service removed successfully
MSSQL$DDNI => service removed successfully
C:\Windows\assembly\tmp => moved successfully
"C:\Windows\assembly\tmp\{1B372133-BFFA-4dba-9CCF-5474BED6A9F6}" => not found.
C:\Users\Hayley\AppData\Local\1abb1331 => moved successfully
"C:\Users\Hayley\AppData\Local\1abb1331\@" => not found.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon\{0685076B-8F4B-4EE4-B00B-6C390B7AD58F}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{0685076B-8F4B-4EE4-B00B-6C390B7AD58F}" => key removed successfully
C:\Windows\System32\Tasks\thpm5885264203745478740 => moved successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\thpm5885264203745478740" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{097B882F-08B9-43A5-BF99-F9E9156E6CB9}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{097B882F-08B9-43A5-BF99-F9E9156E6CB9}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\2273153280" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon\{22A295DA-0E8D-4869-A5C9-3B91B4AE9926}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{22A295DA-0E8D-4869-A5C9-3B91B4AE9926}" => key removed successfully
C:\Windows\System32\Tasks\win2066888880 => moved successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\win2066888880" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{3D25B854-1B54-41E8-8028-38AF390E3EC7}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{3D25B854-1B54-41E8-8028-38AF390E3EC7}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\2943231872" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{469D8322-F97F-40E2-BEA9-3FC16F27A38C}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{469D8322-F97F-40E2-BEA9-3FC16F27A38C}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\1720952824" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon\{491EB4C1-BA4E-45ED-82F2-0E1E84A4F8EF}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{491EB4C1-BA4E-45ED-82F2-0E1E84A4F8EF}" => key removed successfully
C:\Windows\System32\Tasks\win765813708 => moved successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\win765813708" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{494AE905-5B9B-4356-B0CD-37748A79BE5E}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{494AE905-5B9B-4356-B0CD-37748A79BE5E}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\1860012496" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon\{5B02A928-9574-4DEC-85B2-D2963D6F5FDC}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{5B02A928-9574-4DEC-85B2-D2963D6F5FDC}" => key removed successfully
C:\Windows\System32\Tasks\win4036e0 => moved successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\win4036e0" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{5B251B7F-8599-4B0B-BDD5-0DE0B82963E1}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{5B251B7F-8599-4B0B-BDD5-0DE0B82963E1}" => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\psv_Zummaozeit => key not found. 
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon\{5F98A383-BCE7-43D1-A86C-FF07C1EB8A8F}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{5F98A383-BCE7-43D1-A86C-FF07C1EB8A8F}" => key removed successfully
C:\Windows\System32\Tasks\thpm2104063961126221479 => moved successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\thpm2104063961126221479" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{86154E29-7ECE-4B0D-8B4A-CEFF009CD6DE}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{86154E29-7ECE-4B0D-8B4A-CEFF009CD6DE}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\1929787128" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{8B06E842-1796-4325-99EF-B3EB41F690C4}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{8B06E842-1796-4325-99EF-B3EB41F690C4}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\3581582128" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{9635A179-FA13-44AE-9747-41971E00923F}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{9635A179-FA13-44AE-9747-41971E00923F}" => key removed successfully
C:\Windows\System32\Tasks\{7D0A0947-040C-0A7A-0C11-050D780F117A} => moved successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\{7D0A0947-040C-0A7A-0C11-050D780F117A}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{9A2B90BD-D45A-48FB-AD8A-3418A2A294C0}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{9A2B90BD-D45A-48FB-AD8A-3418A2A294C0}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\1542925696" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{9A30B2AC-7238-4FB3-803F-1B96473D71DF}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{9A30B2AC-7238-4FB3-803F-1B96473D71DF}" => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\psv_Aptom => key not found. 
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{A5FEE4D1-3CF6-4FBC-8029-438C43122135}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{A5FEE4D1-3CF6-4FBC-8029-438C43122135}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\1107923008" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{AB527734-3D42-4548-8E8E-498D2FE5D216}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{AB527734-3D42-4548-8E8E-498D2FE5D216}" => key removed successfully
C:\Windows\System32\Tasks\Mimnyds => moved successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Mimnyds" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{EAD3C5FB-C100-4A6F-B8CA-10722C39E8E0}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{EAD3C5FB-C100-4A6F-B8CA-10722C39E8E0}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\3563762892" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Boot\{F6336416-CCF9-4486-B4F7-6227D4C81A9C}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{F6336416-CCF9-4486-B4F7-6227D4C81A9C}" => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\DNSWILLISTON => key not found. 
C:\Windows\Tasks\McAfee Cleanup.job => moved successfully
EmptyTemp: => 496.5 MB temporary data Removed.
 
 
The system needed a reboot.
 
==== End of Fixlog 19:10:46 ====


#5 Jo*
  • Malware Response Team
  • Location:Germany

Posted 31 March 2016 - 01:17 AM

One or more of the identified infections is a backdoor trojan.
=> ZEROACCESS !


This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do.

Graduate of the WTT Classroom
Cheers,
Jo
If I have been helping you, and I have not replied to your latest post in 36 hours please send me a PM.


#6 handerson5790
  • Topic Starter

Posted 31 March 2016 - 08:04 PM

If we clean it, would there be a way to monitor to know if the Trojan is back?

#7 handerson5790
  • Topic Starter

Posted 31 March 2016 - 08:07 PM

Alternatively, since I backed up my files to an external drive, would it be safe to transfer them to a new machine?
Does it mean anything that none of my accounts have been tampered with so far?

#8 Jo*
  • Malware Response Team
  • Location:Germany

Posted 01 April 2016 - 02:44 AM

Alternatively, since I backed up my files to an external drive, would it be safe to transfer them to a new machine?
Does it mean anything that none of my accounts have been tampered with so far?

We will scan the external drive later.
We can only see a backdoor; we do not know whether account data were stolen.

---


We now will run ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Please include the C:\ComboFix.txt in your next reply for further review.

Then Enable your anti virus program(s).

Cheers,
Jo


#9 handerson5790
  • Topic Starter

Posted 01 April 2016 - 04:20 AM

I'm a little bit confused. Will reformatting and reinstalling the OS make the computer secure? If not, is there a way to monitor for the backdoor Trojan?

#10 Jo*
  • Malware Response Team
  • Location:Germany

Posted 01 April 2016 - 04:33 AM

I'm a little bit confused. Will reformatting and reinstalling the OS make the computer secure?

Yes

is there a way to monitor for the backdoor Trojan?

If you do not want to reformat:
We can clean the PC; the first scan would be with ComboFix as instructed.

Cheers,
Jo


#11 handerson5790
  • Topic Starter

Posted 01 April 2016 - 04:53 AM

Ok. So reformatting and reinstalling will make it remain secure in the future as well?

Thanks for being patient with me.

#12 Jo*
  • Malware Response Team
  • Location:Germany

Posted 01 April 2016 - 04:59 AM

Reformatting and reinstalling will make it secure now.

Using the internet and downloading / installing things means:
There is always a risk of being infected later.

Do you have a backup of your data?
Do you have any backup image of your system?

Cheers,
Jo


#13 handerson5790
  • Topic Starter

Posted 02 April 2016 - 09:26 AM

It was about time for a new machine anyway (I think this one had about a year max left), so I think I am going to go ahead and do that. I backed up my office files, photos, and music to an external drive. Can you help me scan that to make sure I'm not transferring anything dangerous to the new machine?

#14 Jo*
  • Malware Response Team
  • Location:Germany

Posted 02 April 2016 - 09:33 AM

Before we scan the external drive, we delete as much malware from the infected PC as we can!


:step1: Run Malwarebytes Anti-Rootkit again: Right-click mbar.exe and select Run As Administrator
  • Scan your system for malware.
  • If malware is found, click on the Cleanup button to remove any threats and reboot if prompted to do so.
  • Wait while the system shuts down and the cleanup process is performed.
  • Then please go to the MBAR folder and copy/paste the contents of the MBAR-log-***.txt file to your next reply.
  • If there is no malware found, please let me know as well.

***


:step2: Double click on AdwCleaner.exe to run the tool again.
Vista / Windows 7/8 users right-click and select Run As Administrator.
  • Click on the Scan button.
  • AdwCleaner will begin to scan your computer like it did before.
  • When the scan has finished, the actual line should say "Pending. Please uncheck elements you do not want to remove". Look through the scan results and uncheck any entries that you do not wish to remove.
  • This time, click on the Clean button.
  • Press OK when asked to close all programs and follow the onscreen prompts.
  • Press OK again to allow AdwCleaner to restart the computer and complete the removal process.
  • After rebooting, a logfile report (AdwCleaner[C#].txt) will open automatically (where the largest value of # represents the most recent report).
  • Copy and paste the contents of that logfile in your next reply.
  • A copy of that logfile will also be saved in the C:\AdwCleaner folder.

***


:step3: Please download Junkware Removal Tool from HERE and save it to your desktop.
Shutdown your antivirus to avoid any potential conflicts.
Double click JRT.exe to run the tool.
Vista / Windows 7/8 users right-click and select Run As Administrator.
  • JRT will begin to backup your registry and start scanning your system.
  • Please be patient as this can take a while to complete depending on your system's specifications.
  • On completion, the log JRT.txt is saved on your desktop and will automatically open.
Enable your antivirus!
Post the contents of JRT.txt into your next reply.


***


:step4: We now will run ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Please include the C:\ComboFix.txt in your next reply for further review.

Then Enable your anti virus program(s).

Cheers,
Jo


#15 handerson5790
  • Topic Starter

Posted 02 April 2016 - 04:24 PM

Malwarebytes Anti-Rootkit BETA 1.9.3.1001
www.malwarebytes.org
 
Database version:
  main:    v2016.04.02.04
  rootkit: v2016.03.30.01
 
Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 8.0.7601.17514
Hayley :: HAYLEY-VAIO [administrator]
 
4/2/2016 11:52:42 AM
mbar-log-2016-04-02 (11-52-42).txt
 
Scan type: Quick scan
Scan options enabled: Anti-Rootkit | Drivers | MBR | Physical Sectors | Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken
Scan options disabled: 
Objects scanned: 421643
Time elapsed: 1 hour(s), 4 minute(s), 22 second(s)
 
Memory Processes Detected: 0
(No malicious items detected)
 
Memory Modules Detected: 0
(No malicious items detected)
 
Registry Keys Detected: 0
(No malicious items detected)
 
Registry Values Detected: 0
(No malicious items detected)
 
Registry Data Items Detected: 0
(No malicious items detected)
 
Folders Detected: 0
(No malicious items detected)
 
Files Detected: 6
C:\Users\Hayley\AppData\Roaming\Puhziml\Korgotog.dll (Adware.PennyBee.WnskRST) -> Delete on reboot. [3bd19f0b5c3d91a55a296ca3ab576898]
C:\Users\Hayley\AppData\Roaming\Puhziml\Korgotog.exe (Adware.PennyBee) -> Delete on reboot. [67a524865d3ce74f6c150a05bf438b75]
C:\Users\Hayley\AppData\Roaming\Puhziml\Wiffemk.exe (Adware.PennyBee) -> Delete on reboot. [a963ccde0f8a8aac2a569a750200fe02]
C:\Windows\System32\drivers\etc\hosts (Hijack.Host) -> Bad: (107.178.255.88 s ssl.goo.88 partner.googleadservices.com) Good: () -> Replace on reboot. [e824555546530531b0272038f5105ba5]
C:\Windows\System32\drivers\etc\hosts (Hijack.Host) -> Bad: (leadservices.com
107.178.255.88 go) Good: () -> Replace on reboot. [b557604addbca29435a2f167699ce51b]
C:\Windows\System32\drivers\etc\hosts (Hijack.Host) -> Bad: ( partner.googleadservices.com
107.178.255.88 google-ana) Good: () -> Replace on reboot. [0a0265451386d85e8a4d5efab550dd23]
 
Physical Sectors Detected: 0
(No malicious items detected)
 
(end)
 
 
# AdwCleaner v5.107 - Logfile created 02/04/2016 at 17:01:37
# Updated 28/03/2016 by Xplode
# Database : 1984.9 [Local]
# Operating system : Windows 7 Home Premium Service Pack 1 (x64)
# Username : Hayley - HAYLEY-VAIO
# Running from : C:\Users\Hayley\Downloads\AdwCleaner (1).exe
# Option : Clean
 
***** [ Services ] *****
 
 
***** [ Folders ] *****
 
 
***** [ Files ] *****
 
 
***** [ DLLs ] *****
 
 
***** [ Shortcuts ] *****
 
 
***** [ Scheduled tasks ] *****
 
 
***** [ Registry ] *****
 
 
***** [ Web browsers ] *****
 
[-] [C:\Users\Hayley\AppData\Local\Google\Chrome\User Data\Default\Web Data] [Search Provider] Deleted : aol.com
[-] [C:\Users\Hayley\AppData\Local\Google\Chrome\User Data\Default\Web Data] [Search Provider] Deleted : ask.com
 
*************************
 
:: "Tracing" keys deleted
:: Winsock settings cleared
 
*************************
 
C:\AdwCleaner\AdwCleaner[C1].txt - [934 bytes] - [02/04/2016 17:01:37]
C:\AdwCleaner\AdwCleaner[S1].txt - [983 bytes] - [02/04/2016 16:57:40]
 
########## EOF - C:\AdwCleaner\AdwCleaner[C1].txt - [1078 bytes] ##########
 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Malwarebytes
Version: 8.0.4 (03.14.2016)
Operating System: Windows 7 Home Premium x64 
Ran by Hayley (Administrator) on Sat 04/02/2016 at 17:05:47.60
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
 
 
 
File System: 16 
 
Successfully deleted: C:\Users\Hayley\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\33SRLV8M (Temporary Internet Files Folder) 
Successfully deleted: C:\Users\Hayley\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\9LGB8HL7 (Temporary Internet Files Folder) 
Successfully deleted: C:\Users\Hayley\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\C49R2O2W (Temporary Internet Files Folder) 
Successfully deleted: C:\Users\Hayley\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\F0XZT9IN (Temporary Internet Files Folder) 
Successfully deleted: C:\Users\Hayley\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\GVH9BQT5 (Temporary Internet Files Folder) 
Successfully deleted: C:\Users\Hayley\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\N9C0Q20P (Temporary Internet Files Folder) 
Successfully deleted: C:\Users\Hayley\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\OUJ9GA1K (Temporary Internet Files Folder) 
Successfully deleted: C:\Users\Hayley\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\V8JHOU9C (Temporary Internet Files Folder) 
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\33SRLV8M (Temporary Internet Files Folder) 
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\9LGB8HL7 (Temporary Internet Files Folder) 
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\C49R2O2W (Temporary Internet Files Folder) 
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\F0XZT9IN (Temporary Internet Files Folder) 
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\GVH9BQT5 (Temporary Internet Files Folder) 
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\N9C0Q20P (Temporary Internet Files Folder) 
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\OUJ9GA1K (Temporary Internet Files Folder) 
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\V8JHOU9C (Temporary Internet Files Folder) 
 
 
 
Registry: 0 
 
 
 
 
 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on Sat 04/02/2016 at 17:09:56.19
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 

I tried to run combofix and it said "The file NIRKMD cannot be found." 





