Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

infected with TODO: <XXXX>


  • This topic is locked This topic is locked
12 replies to this topic

#1 chrisb10a

chrisb10a

  • Members
  • 44 posts
  • OFFLINE
  •  
  • Local time:05:21 PM

Posted 14 April 2016 - 09:09 PM

I noticed my Windows 8 PC was running slow. I took a look at the running processes and saw a suspicious "TODO" process. Some google searching reveals it is not good, but I have been unable to find a way to remove it. I am not able to run FRST64.exe. I see a message that says "The application has failed to start because it's side-by-side configuration is incorrect."
 
Any help would be appreciated. Thank you.
 
 
Chris

Attached Files



BC AdBot (Login to Remove)

 


#2 chrisb10a

chrisb10a
  • Topic Starter

  • Members
  • 44 posts
  • OFFLINE
  •  
  • Local time:05:21 PM

Posted 14 April 2016 - 09:10 PM

In an interesting note, if I include the Chinese characters in the topic title instead of XXXX, I get a message that says "Sorry, you don't have permission for that!". Must be some kind of filter. Anyway, the actual name of the process can be seen in the picture attached to the original message.

 

 

Thanks again for any help,

Chris



#3 nasdaq

nasdaq

  • Malware Response Team
  • 40,246 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:05:21 PM

Posted 15 April 2016 - 07:10 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===


Download Malwarebytes' Anti-Malware from Here

Double-click mbam-setup-2.X.X.XXXX.exe to install the application (X's are the current version number).
  • Make sure a checkmark is placed next to Launch Malwarebytes' Anti-Malware, then click Finish.
  • Once MBAM opens, when it says Your databases are out of date, click the Fix Now button.
  • Click the Settings tab at the top, and then in the left column, select Detections and Protections, and if not already checked place a checkmark in the selection box for Scan for rootkits.
  • Click the Scan tab at the top of the program window, select Threat Scan and click the Scan Now button.
  • If you receive a message that updates are available, click the Update Now button (the update will be downloaded, installed, and the scan will start).
  • The scan may take some time to finish,so please be patient.
  • If potential threats are detected, ensure that Quarantine is selected as the Action for all the listed items, and click the Apply Actions button.
  • While still on the Scan tab, click the link for View detailed log, and in the window that opens click the Export button, select Text file (*.txt), and save the log to your Desktop.
  • The log is automatically saved by MBAM and can also be viewed by clicking the History tab and then selecting Application Logs.
POST THE LOG FOR MY REVIEW.

Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately.

===

Please download AdwCleaner by Xplode onto your Desktop.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click the Scan button and wait for the process to complete.
  • Click the LogFile button and the report will open in Notepad.
IMPORTANT
  • If you click the Clean button all items listed in the report will be removed.
If you find some false positive items or programs that you wish to keep, Close the AdwCleaner windows.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click the Scan button and wait for the process to complete.
  • Check off the element(s) you wish to keep.
  • Click on the Clean button follow the prompts.
  • A log file will automatically open after the scan has finished.
  • Please post the content of that log file with your next answer.
  • You can find the log file at C:\AdwCleanerCx.txt (x is a number).
===

Download the version of this tool for your operating system.
Farbar Recovery Scan Tool (64 bit)
Farbar Recovery Scan Tool (32 bit)
and save it to a folder on your computer's Desktop.
Double-click to run it. When the tool opens click Yes to disclaimer.
Press Scan button.
It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
The first time the tool is run, it makes also another log (Addition.txt). Please attach it to your reply.

How to attach a file to your reply:
In the Reply section in the bottom of the topic Click the "more reply Options" button.
attachlogs.png

Attach the file.
Select the "Choose a File" navigate to the location of the File.
Click the file you wish to Attach.

Click the Add reply button.
===


Please post the logs.

Let me know what problems persists.

#4 chrisb10a

chrisb10a
  • Topic Starter

  • Members
  • 44 posts
  • OFFLINE
  •  
  • Local time:05:21 PM

Posted 15 April 2016 - 09:49 PM

Hello nasdaq, thank you for your time and help.

 

Attached is the mbam scan history log.

 

I have also attached the AdwCleanerS1.txt log. I chose to Clean all items after saving the log.

 

I have copied and pasted the FRST.txt log below and attached the Addition.txt log file.

 

 

 

I think this is everything you have requested.

 

 

Thank you again for your time and help,

Chris B.

 

 

 

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version:13-04-2016
Ran by Tim (administrator) on TIM (15-04-2016 22:14:59)
Running from E:\1
Loaded Profiles: Tim (Available Profiles: Tim)
Platform: Windows 8.1 (X64) Language: English (United States)
Internet Explorer Version 11 (Default browser: Chrome)
Boot Mode: Normal
 
==================== Processes (Whitelisted) =================
 
(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)
 
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RtkAudioService64.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe
(Microsoft Corporation) C:\Windows\System32\wlanext.exe
(Andrea Electronics Corporation) C:\Program Files\Realtek\Audio\HDA\AERTSr64.exe
(Apple Inc.) C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
(Apple Inc.) C:\Program Files\Bonjour\mDNSResponder.exe
() C:\Program Files\Intel\Intel® Smart Connect Technology Agent\iSCTAgent.exe
(Symantec Corporation) C:\Program Files (x86)\Norton Security Suite\Engine\22.5.5.15\n360.exe
() C:\Windows\SysWOW64\srvany.exe
(TODO: <公司名>) C:\Windows\SysWOW64\SDIOAssist.exe
(Microsoft Corporation) C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.5.9600.20911_x64__8wekyb3d8bbwe\livecomm.exe
(Symantec Corporation) C:\Program Files (x86)\Norton Security Suite\Engine\22.5.5.15\n360.exe
(Microsoft Corporation) C:\Windows\System32\SkyDrive.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe
(Intel Corporation) C:\Windows\System32\igfxsrvc.exe
(Intel Corporation) C:\Windows\System32\hkcmd.exe
(Intel Corporation) C:\Windows\System32\igfxpers.exe
(Intel Corporation) C:\Program Files\Intel\Intel® Smart Connect Technology Agent\iSCTsysTray8.exe
(Apple Inc.) C:\Program Files\iTunes\iTunesHelper.exe
(Logitech Inc.) C:\Program Files\Logitech\Gaming Software\LWEMon.exe
(Apple Inc.) C:\Program Files\iPod\bin\iPodService.exe
(Microsoft Corporation) C:\Windows\System32\GWX\GWX.exe
(CyberLink) C:\Program Files (x86)\CyberLink\Power2Go8\CLMLSvc_P2G8.exe
(Intel Corporation) C:\Program Files\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe
(Dell Inc.) C:\Program Files\Dell\DellDataVault\DellDataVaultWiz.exe
(Dell Inc.) C:\Program Files (x86)\Dell Update\DellUpService.exe
(Intel Corporation) C:\Program Files\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe
(Dell Inc.) C:\Program Files (x86)\Dell Update\DellUpTray.exe
 
 
==================== Registry (Whitelisted) ===========================
 
(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)
 
HKLM\...\Run: [RTHDVCPL] => C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe [7632088 2014-06-10] (Realtek Semiconductor)
HKLM\...\Run: [RtHDVBg] => C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe [1386712 2014-06-12] (Realtek Semiconductor)
HKLM\...\Run: [IAStorIcon] => C:\Program Files\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe [286056 2013-09-24] (Intel Corporation)
HKLM\...\Run: [ISCT Tray] => C:\Program Files\Intel\Intel® Smart Connect Technology Agent\iSCTsysTray8.exe [5860656 2014-06-18] (Intel Corporation)
HKLM\...\Run: [iTunesHelper] => C:\Program Files\iTunes\iTunesHelper.exe [170256 2015-08-13] (Apple Inc.)
HKLM\...\Run: [Start WingMan Profiler] => C:\Program Files\Logitech\Gaming Software\LWEMon.exe [190536 2010-06-14] (Logitech Inc.)
Winlogon\Notify\igfxcui: C:\Windows\system32\igfxdev.dll (Intel Corporation)
ShellIconOverlayIdentifiers: [  OverlayExcluded] -> {4433A54A-1AC8-432F-90FC-85F045CF383C} => C:\Program Files (x86)\Norton Security Suite\Engine64\22.5.5.15\buShell.dll [2015-11-05] (Symantec Corporation)
ShellIconOverlayIdentifiers: [  OverlayPending] -> {F17C0B1E-EF8E-4AD4-8E1B-7D7E8CB23225} => C:\Program Files (x86)\Norton Security Suite\Engine64\22.5.5.15\buShell.dll [2015-11-05] (Symantec Corporation)
ShellIconOverlayIdentifiers: [  OverlayProtected] -> {476D0EA3-80F9-48B5-B70B-05E677C9C148} => C:\Program Files (x86)\Norton Security Suite\Engine64\22.5.5.15\buShell.dll [2015-11-05] (Symantec Corporation)
ShellIconOverlayIdentifiers: [DBARFileBackuped] -> {831cebdd-6baf-4432-be76-9e0989c14aef} => C:\Windows\system32\mscoree.dll [2013-08-22] (Microsoft Corporation)
ShellIconOverlayIdentifiers: [DBARFileNotBackuped] -> {275e4fd7-21ef-45cf-a836-832e5d2cc1b3} => C:\Windows\system32\mscoree.dll [2013-08-22] (Microsoft Corporation)
 
==================== Internet (Whitelisted) ====================
 
(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)
 
Winsock: Catalog5 01 C:\Windows\SysWOW64\napinsp.dll [55296 2014-11-21] (Microsoft Corporation)ATTENTION: LibraryPath should be "%SystemRoot%\system32\napinsp.dll"
Winsock: Catalog5 02 C:\Windows\SysWOW64\pnrpnsp.dll [70144 2014-11-21] (Microsoft Corporation)ATTENTION: LibraryPath should be "%SystemRoot%\system32\pnrpnsp.dll"
Winsock: Catalog5 03 C:\Windows\SysWOW64\pnrpnsp.dll [70144 2014-11-21] (Microsoft Corporation)ATTENTION: LibraryPath should be "%SystemRoot%\system32\pnrpnsp.dll"
Winsock: Catalog5 04 C:\Windows\SysWOW64\NLAapi.dll [65536 2014-11-21] (Microsoft Corporation)ATTENTION: LibraryPath should be "%SystemRoot%\system32\NLAapi.dll"
Winsock: Catalog5 05 C:\Windows\SysWOW64\mswsock.dll [286208 2014-11-21] (Microsoft Corporation)ATTENTION: LibraryPath should be "%SystemRoot%\System32\mswsock.dll"
Winsock: Catalog5 06 C:\Windows\SysWOW64\winrnr.dll [23040 2014-11-21] (Microsoft Corporation)ATTENTION: LibraryPath should be "%SystemRoot%\System32\winrnr.dll"
Tcpip\Parameters: [DhcpNameServer] 192.168.1.1
Tcpip\..\Interfaces\{AD37D579-367A-42C1-9324-8D5AF253D153}: [DhcpNameServer] 192.168.1.1
 
Internet Explorer:
==================
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.msn.com/
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Search Page = 
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Page_URL = 
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Search_URL = 
HKU\S-1-5-21-3318293501-4044962863-3732029287-1001\Software\Microsoft\Internet Explorer\Main,Start Page = hxxps://www.google.com/?gws_rd=ssl
SearchScopes: HKLM -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
SearchScopes: HKLM-x32 -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
SearchScopes: HKU\S-1-5-21-3318293501-4044962863-3732029287-1001 -> DefaultScope {5B262369-6AD0-48BE-9DB3-BEC0C6934DE7} URL = 
SearchScopes: HKU\S-1-5-21-3318293501-4044962863-3732029287-1001 -> {5B262369-6AD0-48BE-9DB3-BEC0C6934DE7} URL = 
BHO: Norton Identity Protection -> {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} -> C:\Program Files (x86)\Norton Security Suite\Engine64\22.5.5.15\coIEPlg.dll [2015-11-05] (Symantec Corporation)
BHO-x32: Norton Identity Protection -> {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} -> C:\Program Files (x86)\Norton Security Suite\Engine\22.5.5.15\coIEPlg.dll [2015-11-05] (Symantec Corporation)
Toolbar: HKLM - Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files (x86)\Norton Security Suite\Engine64\22.5.5.15\coIEPlg.dll [2015-11-05] (Symantec Corporation)
Toolbar: HKLM-x32 - Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files (x86)\Norton Security Suite\Engine\22.5.5.15\coIEPlg.dll [2015-11-05] (Symantec Corporation)
 
FireFox:
========
FF Plugin-x32: @Apple.com/iTunes,version=1.0 -> C:\Program Files (x86)\iTunes\Mozilla Plugins\npitunes.dll [2015-07-30] ()
FF Plugin-x32: @intel-webapi.intel.com/Intel WebAPI ipt;version=4.0.5 -> C:\Program Files (x86)\Intel\Intel® Management Engine Components\IPT\npIntelWebAPIIPT.dll [2014-04-29] (Intel Corporation)
FF Plugin-x32: @intel-webapi.intel.com/Intel WebAPI updater -> C:\Program Files (x86)\Intel\Intel® Management Engine Components\IPT\npIntelWebAPIUpdater.dll [2014-04-29] (Intel Corporation)
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.29.5\npGoogleUpdate3.dll [2016-02-02] (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.29.5\npGoogleUpdate3.dll [2016-02-02] (Google Inc.)
FF HKLM\...\Firefox\Extensions: [{C1A2A613-35F1-4FCF-B27F-2840527B6556}] - C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_22.5.2.15\coFFAddon
FF Extension: Norton Identity Safe - C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_22.5.2.15\coFFAddon [2016-01-19]
FF HKLM-x32\...\Firefox\Extensions: [{C1A2A613-35F1-4FCF-B27F-2840527B6556}] - C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_22.5.2.15\coFFAddon
 
Chrome: 
=======
CHR HomePage: Default -> hxxp://google.com/
CHR DefaultSearchURL: Default -> hxxp://nortonsafe.search.ask.com/web?q={searchTerms}&o=apn10506&prt=cr
CHR DefaultSearchKeyword: Default -> NortonSafe
CHR DefaultSuggestURL: Default -> hxxp://ss-sym.ask.com/query?q={searchTerms}&sstype=prefix&li=ff
CHR Profile: C:\Users\Tim\AppData\Local\Google\Chrome\User Data\Default
CHR Extension: (Google Slides) - C:\Users\Tim\AppData\Local\Google\Chrome\User Data\Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek [2015-08-15]
CHR Extension: (Google Docs) - C:\Users\Tim\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake [2015-08-15]
CHR Extension: (Google Drive) - C:\Users\Tim\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2015-10-25]
CHR Extension: (YouTube) - C:\Users\Tim\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2015-09-26]
CHR Extension: (Google Search) - C:\Users\Tim\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf [2015-11-03]
CHR Extension: (Norton Home Page for Chrome) - C:\Users\Tim\AppData\Local\Google\Chrome\User Data\Default\Extensions\ejbdobdndcjhdmljipngpeoekdinlohe [2015-08-23]
CHR Extension: (Google Sheets) - C:\Users\Tim\AppData\Local\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap [2015-08-15]
CHR Extension: (Google Docs Offline) - C:\Users\Tim\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi [2016-03-15]
CHR Extension: (Norton Safe) - C:\Users\Tim\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmgcfemagnogdodbambjhdcmfcpicngl [2015-08-23]
CHR Extension: (Chrome Web Store Payments) - C:\Users\Tim\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2015-08-15]
CHR Extension: (Gmail) - C:\Users\Tim\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2015-08-15]
CHR HKLM\...\Chrome\Extension: [cjabmdjcfcfdmffimndhafhblfmpjdpe] - C:\Program Files (x86)\Norton Security Suite\Engine\22.5.5.15\Exts\Chrome.crx [2015-12-06]
CHR HKLM\...\Chrome\Extension: [iikflkcanblccfahdhdonehdalibjnif] - hxxps://clients2.google.com/service/update2/crx
CHR HKLM-x32\...\Chrome\Extension: [cjabmdjcfcfdmffimndhafhblfmpjdpe] - C:\Program Files (x86)\Norton Security Suite\Engine\22.5.5.15\Exts\Chrome.crx [2015-12-06]
CHR HKLM-x32\...\Chrome\Extension: [iikflkcanblccfahdhdonehdalibjnif] - hxxps://clients2.google.com/service/update2/crx
 
==================== Services (Whitelisted) ========================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
R2 Apple Mobile Device Service; C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe [77128 2015-05-29] (Apple Inc.)
S4 AtherosSvc; C:\Program Files (x86)\Dell Wireless\Bluetooth Suite\adminservice.exe [319104 2014-04-29] (Windows ® Win 7 DDK provider) [File not signed]
S4 Dell Customer Connect; C:\Program Files (x86)\Dell Customer Connect\DCCService.exe [137968 2015-09-22] (Dell Inc.)
S4 Dell Foundation Services; C:\Program Files\Dell\Dell Foundation Services\DFSSvc.exe [119656 2016-01-15] (Dell)
S4 Dell Help & Support; C:\Program Files\Dell\Dell Help & Support\MDLCSvc.exe [36200 2016-01-11] ()
S4 Dell WMI Service; C:\Program Files (x86)\DELL\DELLOSD\DellOSDService.exe [147456 2013-12-27] () [File not signed]
S2 DellDataVault; C:\Program Files\Dell\DellDataVault\DellDataVault.exe [2571352 2016-01-05] (Dell Inc.)
R2 DellDataVaultWiz; C:\Program Files\Dell\DellDataVault\DellDataVaultWiz.exe [201816 2016-01-05] (Dell Inc.)
S3 DellProdRegManager; C:\Program Files (x86)\Dell Product Registration\regmgrsvc.exe [293440 2014-04-01] (Aviata, Inc.)
R2 DellUpdate; C:\Program Files (x86)\Dell Update\DellUpService.exe [237272 2015-08-27] (Dell Inc.)
R2 IAStorDataMgrSvc; C:\Program Files\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe [14696 2013-09-24] (Intel Corporation)
S3 Intel® Capability Licensing Service TCP IP Interface; C:\Program Files\Intel\iCLS Client\SocketHeciServer.exe [887232 2014-01-31] (Intel® Corporation)
R2 ISCTAgent; C:\Program Files\Intel\Intel® Smart Connect Technology Agent\iSCTAgent.exe [209712 2014-06-18] ()
R2 jhi_service; C:\Program Files (x86)\Intel\Intel® Management Engine Components\DAL\jhi_service.exe [154584 2014-04-29] (Intel Corporation)
R2 N360; C:\Program Files (x86)\Norton Security Suite\Engine\22.5.5.15\N360.exe [282016 2015-11-20] (Symantec Corporation)
S2 O2FLASH; C:\Windows\System32\drivers\o2flash.exe [65536 2014-03-07] (BayHubTech/O2Micro International)
R2 O2SDIOAssist; c:\Windows\SysWOW64\srvany.exe [8192 2012-03-09] () [File not signed]
S2 RichVideo; C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe [253776 2013-07-30] (CyberLink)
R2 RtkAudioService; C:\Program Files\Realtek\Audio\HDA\RtkAudioService64.exe [290520 2014-01-08] (Realtek Semiconductor)
S2 SftService; C:\Program Files (x86)\Dell Backup and Recovery\SftService.exe [1921768 2014-07-02] (SoftThinks SAS)
S2 SupportAssistAgent; C:\Program Files (x86)\Dell\SupportAssistAgent\bin\SupportAssistAgent.exe [31928 2016-01-12] (Dell Inc.)
S3 WdNisSvc; C:\Program Files\Windows Defender\NisSrv.exe [366552 2015-07-07] (Microsoft Corporation)
S3 WinDefend; C:\Program Files\Windows Defender\MsMpEng.exe [23824 2015-07-07] (Microsoft Corporation)
 
===================== Drivers (Whitelisted) ==========================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
R3 athr; C:\Windows\system32\DRIVERS\athwbx.sys [3893248 2014-04-03] (Qualcomm Atheros Communications, Inc.)
R1 BHDrvx64; C:\Program Files (x86)\Norton Security Suite\NortonData\22.5.2.15\Definitions\BASHDefs\20160309.001\BHDrvx64.sys [1766640 2016-03-09] (Symantec Corporation)
R3 BTATH_LWFLT; C:\Windows\system32\DRIVERS\btath_lwflt.sys [77464 2014-04-29] (Qualcomm Atheros)
R1 ccSet_N360; C:\Windows\system32\drivers\N360x64\1605050.00F\ccSetx64.sys [173808 2015-07-10] (Symantec Corporation)
R1 CLVirtualDrive; C:\Windows\system32\DRIVERS\CLVirtualDrive.sys [91712 2013-03-05] (CyberLink)
R3 DDDriver; C:\Windows\system32\drivers\DDDriver64Dcsa.sys [23760 2015-05-22] (Dell Computer Corporation)
R3 DellProf; C:\Windows\system32\drivers\DellProf.sys [24240 2015-05-22] (Dell Computer Corporation)
R3 e1dexpress; C:\Windows\system32\DRIVERS\e1d64x64.sys [468240 2013-08-29] (Intel Corporation)
S0 ebdrv; C:\Windows\System32\drivers\evbda.sys [3357024 2013-08-22] (Broadcom Corporation)
R1 eeCtrl; C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\eeCtrl64.sys [498512 2015-11-18] (Symantec Corporation)
R3 EraserUtilRebootDrv; C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [157520 2015-11-18] (Symantec Corporation)
R1 IDSVia64; C:\Program Files (x86)\Norton Security Suite\NortonData\22.5.2.15\Definitions\IPSDefs\20160315.001\IDSvia64.sys [767224 2016-02-15] (Symantec Corporation)
R3 ikbevent; C:\Windows\system32\DRIVERS\ikbevent.sys [22216 2014-05-27] ()
R3 imsevent; C:\Windows\system32\DRIVERS\imsevent.sys [22728 2014-05-27] ()
R3 INETMON; C:\Windows\System32\Drivers\INETMON.sys [25800 2014-05-27] ()
R3 ISCT; C:\Windows\System32\drivers\ISCTD.sys [44744 2014-05-27] ()
R3 MEIx64; C:\Windows\system32\DRIVERS\TeeDriverx64.sys [118272 2014-04-29] (Intel Corporation)
S0 mfeelamk; C:\Windows\System32\drivers\mfeelamk.sys [80160 2015-02-13] (McAfee, Inc.)
R3 NAVENG; C:\Program Files (x86)\Norton Security Suite\NortonData\22.5.2.15\Definitions\VirusDefs\20160316.005\ENG64.SYS [138488 2015-10-27] (Symantec Corporation)
R3 NAVEX15; C:\Program Files (x86)\Norton Security Suite\NortonData\22.5.2.15\Definitions\VirusDefs\20160316.005\EX64.SYS [2148080 2015-10-27] (Symantec Corporation)
R3 O2FJ2RDR; C:\Windows\System32\drivers\O2FJ2w8x64.sys [210616 2014-05-14] (BayHubTech/O2Micro )
R3 SRTSP; C:\Windows\System32\Drivers\N360x64\1605050.00F\SRTSP64.SYS [928496 2015-11-11] (Symantec Corporation)
R1 SRTSPX; C:\Windows\system32\drivers\N360x64\1605050.00F\SRTSPX64.SYS [50936 2015-07-10] (Symantec Corporation)
R0 SymEFASI; C:\Windows\System32\drivers\N360x64\1605050.00F\SYMEFASI64.SYS [1621232 2015-11-11] (Symantec Corporation)
S0 SymELAM; C:\Windows\System32\drivers\N360x64\1605050.00F\SymELAM.sys [24192 2015-07-10] (Symantec Corporation)
R3 SymEvent; C:\Windows\system32\Drivers\SYMEVENT64x86.SYS [111344 2015-08-15] (Symantec Corporation)
R1 SymIRON; C:\Windows\system32\drivers\N360x64\1605050.00F\Ironx64.SYS [297720 2015-07-10] (Symantec Corporation)
R1 SymNetS; C:\Windows\System32\Drivers\N360x64\1605050.00F\SYMNETS.SYS [577768 2015-11-11] (Symantec Corporation)
S3 WdBoot; C:\Windows\system32\drivers\WdBoot.sys [44560 2015-07-07] (Microsoft Corporation)
S3 WdFilter; C:\Windows\system32\drivers\WdFilter.sys [270168 2015-07-07] (Microsoft Corporation)
S3 WdNisDrv; C:\Windows\System32\Drivers\WdNisDrv.sys [114520 2015-07-07] (Microsoft Corporation)
U3 McMPFSvc; no ImagePath
S3 PCDSRVC{3B54B31B-D06B6431-06020200}_0; \??\c:\program files\dell\supportassist\pcdsrvc_x64.pkms [X]
 
==================== NetSvcs (Whitelisted) ===================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
 
==================== One Month Created files and folders ========
 
(If an entry is included in the fixlist, the file/folder will be moved.)
 
2016-04-15 22:14 - 2016-04-15 22:14 - 00000000 ____D C:\FRST
2016-04-15 22:11 - 2016-04-15 22:11 - 00001488 _____ C:\Users\Tim\Desktop\AdwCleaner[S1].txt
2016-04-15 22:09 - 2016-04-15 22:11 - 00000000 ____D C:\AdwCleaner
2016-04-15 22:09 - 2016-04-15 22:09 - 00001050 _____ C:\Users\Tim\Desktop\mbam_scan_history.txt
2016-04-15 22:08 - 2016-04-15 22:08 - 00000411 _____ C:\Users\Tim\Desktop\mbam_daily_protection_log.txt
2016-04-15 21:57 - 2016-04-15 21:57 - 00192216 _____ (Malwarebytes) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
2016-04-15 21:56 - 2016-04-15 21:56 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes Anti-Malware
2016-04-15 21:56 - 2016-04-15 21:56 - 00000000 ____D C:\ProgramData\Malwarebytes
2016-04-15 21:56 - 2016-04-15 21:56 - 00000000 ____D C:\Program Files (x86)\Malwarebytes Anti-Malware
2016-04-15 21:56 - 2016-03-10 14:09 - 00065408 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mwac.sys
2016-04-15 21:56 - 2016-03-10 14:08 - 00140672 _____ (Malwarebytes) C:\Windows\system32\Drivers\mbamchameleon.sys
2016-04-15 21:56 - 2016-03-10 14:08 - 00027008 _____ (Malwarebytes) C:\Windows\system32\Drivers\mbam.sys
2016-04-14 21:56 - 2016-04-14 21:51 - 02375168 _____ C:\Users\Tim\Downloads\FRST64.exe
2016-03-16 18:56 - 2016-03-16 18:56 - 00380928 _____ C:\Users\Tim\Downloads\gxm0dlrl.exe
2016-03-16 18:55 - 2016-03-16 18:55 - 00380928 _____ C:\Users\Tim\Downloads\873nssrl.exe
2016-03-16 18:55 - 2016-03-16 18:55 - 00371282 _____ C:\Users\Tim\Downloads\gmer.zip
2016-03-16 18:36 - 2016-03-16 18:50 - 00000000 ____D C:\Users\Tim\Downloads\backups
2016-03-16 18:34 - 2016-03-16 18:34 - 00388608 _____ (Trend Micro Inc.) C:\Users\Tim\Downloads\HijackThis.exe
2016-03-16 18:21 - 2016-02-12 15:14 - 00136904 _____ (Microsoft Corporation) C:\Windows\system32\wuauclt.exe
2016-03-16 18:21 - 2016-02-12 11:14 - 03708416 _____ (Microsoft Corporation) C:\Windows\system32\wuaueng.dll
2016-03-16 18:21 - 2016-02-12 10:55 - 00409088 _____ (Microsoft Corporation) C:\Windows\system32\WUSettingsProvider.dll
2016-03-16 18:21 - 2016-02-12 10:54 - 00140288 _____ (Microsoft Corporation) C:\Windows\system32\wuwebv.dll
2016-03-16 18:21 - 2016-02-12 10:54 - 00095744 _____ (Microsoft Corporation) C:\Windows\system32\wudriver.dll
2016-03-16 18:21 - 2016-02-12 10:54 - 00035840 _____ (Microsoft Corporation) C:\Windows\system32\wuapp.exe
2016-03-16 18:21 - 2016-02-12 10:51 - 00124928 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wuwebv.dll
2016-03-16 18:21 - 2016-02-12 10:51 - 00081920 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wudriver.dll
2016-03-16 18:21 - 2016-02-12 10:51 - 00029696 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wuapp.exe
2016-03-16 18:21 - 2016-02-12 10:48 - 02244096 _____ (Microsoft Corporation) C:\Windows\system32\wucltux.dll
2016-03-16 18:21 - 2016-02-12 10:47 - 00897024 _____ (Microsoft Corporation) C:\Windows\system32\wuapi.dll
2016-03-16 18:21 - 2016-02-12 10:46 - 00726528 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wuapi.dll
2016-03-16 18:21 - 2016-02-06 14:08 - 00031744 _____ (Microsoft Corporation) C:\Windows\system32\seclogon.dll
2016-03-16 18:21 - 2016-02-05 15:07 - 00292696 _____ (Microsoft Corporation) C:\Windows\system32\WMASF.DLL
2016-03-16 18:21 - 2016-02-05 15:07 - 00243032 _____ (Microsoft Corporation) C:\Windows\SysWOW64\WMASF.DLL
2016-03-16 18:21 - 2016-02-05 11:03 - 15432704 _____ (Microsoft Corporation) C:\Windows\system32\wmp.dll
2016-03-16 18:21 - 2016-02-05 11:00 - 13318144 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wmp.dll
2016-03-16 18:21 - 2016-02-04 14:18 - 04174336 _____ (Microsoft Corporation) C:\Windows\system32\win32k.sys
2016-03-16 18:21 - 2016-02-03 16:37 - 01661576 _____ (Microsoft Corporation) C:\Windows\system32\ole32.dll
2016-03-16 18:21 - 2016-02-03 16:36 - 01212248 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ole32.dll
2016-03-16 18:21 - 2016-02-03 11:09 - 00086016 _____ (Microsoft Corporation) C:\Windows\SysWOW64\olepro32.dll
2016-03-16 18:21 - 2016-02-03 11:00 - 00091136 _____ (Microsoft Corporation) C:\Windows\system32\asycfilt.dll
2016-03-16 18:21 - 2016-02-03 11:00 - 00077824 _____ (Microsoft Corporation) C:\Windows\SysWOW64\asycfilt.dll
2016-03-16 18:21 - 2016-01-31 15:16 - 00148832 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\USBSTOR.SYS
2016-03-16 18:21 - 2016-01-10 12:41 - 01707008 _____ (Microsoft Corporation) C:\Windows\system32\comsvcs.dll
2016-03-16 18:21 - 2016-01-10 12:31 - 01344512 _____ (Microsoft Corporation) C:\Windows\SysWOW64\comsvcs.dll
2016-03-16 18:21 - 2015-12-30 16:49 - 00470360 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\netio.sys
2016-03-16 18:21 - 2015-11-19 10:33 - 00994760 _____ (Microsoft Corporation) C:\Windows\system32\ucrtbase.dll
2016-03-16 18:21 - 2015-11-19 10:26 - 00922432 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ucrtbase.dll
2016-03-16 18:20 - 2016-02-04 13:24 - 00603648 _____ (Microsoft Corporation) C:\Windows\system32\mfds.dll
2016-03-16 18:20 - 2016-02-04 13:02 - 00483328 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mfds.dll
2016-03-16 18:20 - 2016-01-15 12:56 - 02487296 _____ (Microsoft Corporation) C:\Windows\system32\storagewmi.dll
2016-03-16 18:20 - 2016-01-15 12:45 - 01482240 _____ (Microsoft Corporation) C:\Windows\SysWOW64\storagewmi.dll
2016-03-16 18:20 - 2015-12-20 10:56 - 00616960 _____ (Microsoft Corporation) C:\Windows\system32\msra.exe
2016-03-16 18:11 - 2016-03-16 18:11 - 00000000 ___RD C:\Users\Tim\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\BT Devices
 
==================== One Month Modified files and folders ========
 
(If an entry is included in the fixlist, the file/folder will be moved.)
 
2016-04-15 22:15 - 2015-04-28 18:48 - 00000000 ____D C:\Program Files (x86)\Dell Backup and Recovery
2016-04-15 22:13 - 2015-08-15 10:19 - 00000000 ___RD C:\Users\Tim\OneDrive
2016-04-15 22:12 - 2015-08-15 10:32 - 00000910 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2016-04-15 22:12 - 2013-08-22 10:45 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2016-04-15 22:12 - 2013-08-22 09:25 - 00262144 ___SH C:\Windows\system32\config\BBI
2016-04-15 22:11 - 2015-08-15 10:14 - 00000000 ____D C:\Users\Tim
2016-04-15 22:02 - 2015-08-15 10:21 - 00003598 _____ C:\Windows\System32\Tasks\Optimize Start Menu Cache Files-S-1-5-21-3318293501-4044962863-3732029287-1001
2016-04-15 21:57 - 2015-08-15 10:32 - 00000914 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2016-04-15 21:49 - 2014-11-21 00:42 - 00865408 _____ C:\Windows\system32\PerfStringBackup.INI
2016-04-15 21:49 - 2013-08-22 09:36 - 00000000 ____D C:\Windows\Inf
2016-04-14 22:06 - 2015-08-30 19:18 - 00000000 ____D C:\Program Files (x86)\Dell Update
2016-04-14 22:01 - 2013-08-22 11:36 - 00000000 ___HD C:\Program Files\WindowsApps
2016-04-14 22:01 - 2013-08-22 11:36 - 00000000 ____D C:\Windows\AppReadiness
2016-04-14 21:39 - 2013-08-22 10:44 - 00346744 _____ C:\Windows\system32\FNTCACHE.DAT
2016-04-14 21:37 - 2013-08-22 09:25 - 00262144 ___SH C:\Windows\system32\config\ELAM
2016-03-28 19:30 - 2013-08-22 11:20 - 00000000 ____D C:\Windows\CbsTemp
2016-03-28 19:29 - 2015-08-21 08:47 - 00000000 ____D C:\Windows\system32\MRT
2016-03-28 19:28 - 2015-08-21 08:47 - 143659408 _____ (Microsoft Corporation) C:\Windows\system32\MRT.exe
2016-03-28 19:21 - 2015-12-07 01:16 - 00000000 ____D C:\Windows\System32\Tasks\Remediation
2016-03-16 18:58 - 2015-08-15 10:32 - 00002227 _____ C:\Users\Public\Desktop\Google Chrome.lnk
2016-03-16 18:58 - 2015-08-15 10:32 - 00002217 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome.lnk
2016-03-16 18:35 - 2015-08-15 10:16 - 00000000 ____D C:\Users\Tim\AppData\Local\VirtualStore
2016-03-16 15:28 - 2015-10-14 19:19 - 00000000 ____D C:\Program Files (x86)\Dell Customer Connect
2016-03-16 10:24 - 2015-08-15 10:29 - 00003898 _____ C:\Windows\System32\Tasks\User_Feed_Synchronization-{AFD649F4-CA22-46BD-ABC3-21A1723785C3}
 
==================== Files in the root of some directories =======
 
2015-04-28 18:37 - 2015-04-28 18:37 - 0000000 ____H () C:\ProgramData\DP45977C.lfl
2015-04-28 18:36 - 2015-04-28 18:36 - 0000121 _____ () C:\ProgramData\{1FBF6C24-C1fD-4101-A42B-0C564F9E8E79}.log
2015-04-28 18:33 - 2015-04-28 18:34 - 0000106 _____ () C:\ProgramData\{2A87D48D-3FDF-41fd-97CD-A1E370EFFFE2}.log
2015-04-28 18:34 - 2015-04-28 18:35 - 0000111 _____ () C:\ProgramData\{B0B4F6D2-F2AE-451A-9496-6F2F6A897B32}.log
2015-04-28 18:35 - 2015-04-28 18:36 - 0000108 _____ () C:\ProgramData\{B46BEA36-0B71-4A4E-AE41-87241643FA0A}.log
2015-04-28 18:33 - 2015-04-28 18:33 - 0000107 _____ () C:\ProgramData\{C59C179C-668D-49A9-B6EA-0121CCFC1243}.log
 
Some files in TEMP:
====================
C:\Users\Tim\AppData\Local\Temp\libeay32.dll
C:\Users\Tim\AppData\Local\Temp\msvcr120.dll
C:\Users\Tim\AppData\Local\Temp\sqlite3.dll
 
 
==================== Bamital & volsnap =================
 
(There is no automatic fix for files that do not pass verification.)
 
C:\Windows\system32\winlogon.exe => File is digitally signed
C:\Windows\system32\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\system32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\system32\services.exe => File is digitally signed
C:\Windows\system32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\system32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\system32\rpcss.dll => File is digitally signed
C:\Windows\system32\dnsapi.dll => File is digitally signed
C:\Windows\SysWOW64\dnsapi.dll => File is digitally signed
C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed
 
 
LastRegBack: 2016-04-14 22:01
 
==================== End of FRST.txt ============================

Attached Files



#5 nasdaq

nasdaq

  • Malware Response Team
  • 40,246 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:05:21 PM

Posted 16 April 2016 - 07:12 AM

Please run the AdwCleaner tool and clean everything that was found.
===

These security programs are disabled and or Out of date.
Enable Windows Defender which is Up to date.

AV: Norton Security Suite (Disabled - Out of date) {53C7D717-52E2-B95E-FA61-6F32ECC805DB}
AV: Windows Defender (Disabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
AS: Windows Defender (Disabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
AS: Norton Security Suite (Disabled - Out of date) {E8A636F3-74D8-B6D0-C0D1-5440974F4F66}G
FW: Norton Security Suite (Disabled) {6BFC5632-188D-B806-D13E-C607121B42A0}

===


Press the windows key Windows_Logo_key.gif+ r on your keyboard at the same time. This will open the RUN BOX.
Type Notepad and and click the OK key.

Please copy the entire contents of the code box below to a new file.
 
Start

CreateRestorePoint:
EmptyTemp:
CloseProcesses:

Winsock: Catalog5 01 C:\Windows\SysWOW64\napinsp.dll [55296 2014-11-21] (Microsoft Corporation)ATTENTION: LibraryPath should be "%SystemRoot%\system32\napinsp.dll"
Winsock: Catalog5 02 C:\Windows\SysWOW64\pnrpnsp.dll [70144 2014-11-21] (Microsoft Corporation)ATTENTION: LibraryPath should be "%SystemRoot%\system32\pnrpnsp.dll"
Winsock: Catalog5 03 C:\Windows\SysWOW64\pnrpnsp.dll [70144 2014-11-21] (Microsoft Corporation)ATTENTION: LibraryPath should be "%SystemRoot%\system32\pnrpnsp.dll"
Winsock: Catalog5 04 C:\Windows\SysWOW64\NLAapi.dll [65536 2014-11-21] (Microsoft Corporation)ATTENTION: LibraryPath should be "%SystemRoot%\system32\NLAapi.dll"
Winsock: Catalog5 05 C:\Windows\SysWOW64\mswsock.dll [286208 2014-11-21] (Microsoft Corporation)ATTENTION: LibraryPath should be "%SystemRoot%\System32\mswsock.dll"
Winsock: Catalog5 06 C:\Windows\SysWOW64\winrnr.dll [23040 2014-11-21] (Microsoft Corporation)ATTENTION: LibraryPath should be "%SystemRoot%\System32\winrnr.dll"
CHR DefaultSearchURL: Default -> hxxp://nortonsafe.search.ask.com/web?q={searchTerms}&o=apn10506&prt=cr
CHR DefaultSearchKeyword: Default -> NortonSafe
CHR DefaultSuggestURL: Default -> hxxp://ss-sym.ask.com/query?q={searchTerms}&sstype=prefix&li=ff
CHR Extension: (Chrome Web Store Payments) - C:\Users\Tim\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2015-08-15]
CHR HKLM\...\Chrome\Extension: [cjabmdjcfcfdmffimndhafhblfmpjdpe] - C:\Program Files (x86)\Norton Security Suite\Engine\22.5.5.15\Exts\Chrome.crx [2015-12-06]
CHR HKLM-x32\...\Chrome\Extension: [cjabmdjcfcfdmffimndhafhblfmpjdpe] - C:\Program Files (x86)\Norton Security Suite\Engine\22.5.5.15\Exts\Chrome.crx [2015-12-06]
U3 McMPFSvc; no ImagePath
S3 PCDSRVC{3B54B31B-D06B6431-06020200}_0; \??\c:\program files\dell\supportassist\pcdsrvc_x64.pkms [X]
C:\Users\Tim\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda
cmd: netsh winsock reset catalog

End
Save the file as fixlist.txt in the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the Farbar log you have submitted.

Run FRST and click Fix only once and wait.

Restart the computer normally to reset the registry.

The tool will create a log (Fixlog.txt) please post it to your reply.

Please let me know what problem persists with this computer.

#6 chrisb10a

chrisb10a
  • Topic Starter

  • Members
  • 44 posts
  • OFFLINE
  •  
  • Local time:05:21 PM

Posted 16 April 2016 - 09:00 AM

nasdaq,

 

Thank you.

 

I have run the AdwCleaner tool and cleaned everything that was found. The log is attached. Note: Every time the computer restarts, those same two registry keys return.

 

I have enabled and updated Norton Security Suite. I do not think it is possible to enable Windows Defender if Norton is already running.

 

I have created the fixlist.txt and ran FRST. The fixlog.txt is attached.

 

 

I still see the suspicious TODO process running.

 

 

 

Thank you,

Chris

 

 

 

 

 

 

Attached Files



#7 nasdaq

nasdaq

  • Malware Response Team
  • 40,246 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:05:21 PM

Posted 17 April 2016 - 07:28 AM

The process TODO is associated with this .exe file

(TODO: <公司名>) C:\Windows\SysWOW64\SDIOAssist.exe

which is belongs to software O2Micro Flash Memory Card Windows Driver or SDIOAssist service application by O2Micro (www.o2micro.com)

This may not be the reason for the "The application has failed to start because it's side-by-side configuration is incorrect." error.

Check the integrity of the operating system files.
How to run sfc /Scannow
http://support.microsoft.com/kb/929833
<<<>>>

Let me know what problem persists.

#8 chrisb10a

chrisb10a
  • Topic Starter

  • Members
  • 44 posts
  • OFFLINE
  •  
  • Local time:05:21 PM

Posted 20 April 2016 - 08:40 PM

I apologize for the delayed response. My schedule is very busy. I will post asap in the next day or so. Thank you for your patience.



#9 chrisb10a

chrisb10a
  • Topic Starter

  • Members
  • 44 posts
  • OFFLINE
  •  
  • Local time:05:21 PM

Posted 24 April 2016 - 09:32 AM

Okay, I ran the system file checker tool. The result was "Windows Resource Protection did not find any integrity violations."

 

I have also uninstalled the O2Micro Flash Memory Card driver. This has removed the TODO: <XXXX> process, thank you.

 

I still see two suspicious registry entries when I run AdwCleaner. If I choose to clean them, they both come back after a restart. Should I be concerned?

 

 

Thanks again,

Chris

 

 

 

# AdwCleaner v5.111 - Logfile created 24/04/2016 at 10:28:00
# Updated 14/04/2016 by Xplode
# Database : 2016-04-10.2 [Local]
# Operating system : Windows 8.1  (X64)
# Username : Tim - TIM
# Running from : F:\virus_removal\1_progs\adwcleaner_5.111.exe
# Option : Scan
 
***** [ Services ] *****
 
 
***** [ Folders ] *****
 
 
***** [ Files ] *****
 
 
***** [ DLL ] *****
 
 
***** [ Shortcuts ] *****
 
 
***** [ Scheduled tasks ] *****
 
 
***** [ Registry ] *****
 
Key Found : HKLM\SOFTWARE\Google\Chrome\Extensions\iikflkcanblccfahdhdonehdalibjnif
Key Found : [x64] HKLM\SOFTWARE\Google\Chrome\Extensions\iikflkcanblccfahdhdonehdalibjnif
 
***** [ Web browsers ] *****
 
 
*************************
 
C:\AdwCleaner\AdwCleaner[C1].txt - [1599 bytes] - [15/04/2016 22:11:43]
C:\AdwCleaner\AdwCleaner[C2].txt - [1215 bytes] - [16/04/2016 09:15:20]
C:\AdwCleaner\AdwCleaner[C3].txt - [1361 bytes] - [16/04/2016 09:44:58]
C:\AdwCleaner\AdwCleaner[S1].txt - [1488 bytes] - [15/04/2016 22:09:45]
C:\AdwCleaner\AdwCleaner[S2].txt - [1040 bytes] - [16/04/2016 09:14:34]
C:\AdwCleaner\AdwCleaner[S3].txt - [1188 bytes] - [16/04/2016 09:43:47]
C:\AdwCleaner\AdwCleaner[S4].txt - [1198 bytes] - [24/04/2016 10:28:00]
 
########## EOF - C:\AdwCleaner\AdwCleaner[S4].txt - [1271 bytes] ##########


#10 nasdaq

nasdaq

  • Malware Response Team
  • 40,246 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:05:21 PM

Posted 24 April 2016 - 01:14 PM

It's the same one set by Norton Identity safe.

You can disable the Chrome Extension if you do not want this.

#11 chrisb10a

chrisb10a
  • Topic Starter

  • Members
  • 44 posts
  • OFFLINE
  •  
  • Local time:05:21 PM

Posted 24 April 2016 - 02:26 PM

Excellent, thank you. It sounds like I am all set then.

 

 

Thanks again,

Chris



#12 nasdaq

nasdaq

  • Malware Response Team
  • 40,246 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:05:21 PM

Posted 25 April 2016 - 07:25 AM

If all is well.

To learn more about how to protect yourself while on the internet read this little guide best security practices keep safe.
http://www.bleepingcomputer.com/forums/t/407147/answers-to-common-security-questions-best-practices/

#13 nasdaq

nasdaq

  • Malware Response Team
  • 40,246 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:05:21 PM

Posted 01 May 2016 - 06:58 AM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users