
Possible infection with Moon-like virus


42 replies to this topic

#1 norberth


Posted 27 May 2016 - 03:06 PM

Hello,

A few days ago I noticed a fake Adobe Flash Pro Upgrade popping up in my browser (IE 11) when visiting certain sites (bleepingcomputer.com included). It only happens when I am on my home network (we have AT&T U-verse here in the US with an ARRIS NVG599 Wireless Router). When I am in the office or connected to my company network using VPN, I am not experiencing that. I was reading about it and learned that there is a possibility of me having something similar to the home router infection called the Moon virus. As far as I understand, it is hijacking my DNS, and that is why I am having this issue only when on my home network (the company has its own DNS servers and they are 'clean'). Apparently AT&T does not allow changes to the DNS servers in the router, as it is also used for TV, so I am wondering if what I have is really an infected router. I have not checked what is happening on the 4 other computers we use around the house, but I am worried that if indeed the router is infected, all my computers may eventually become infected, if they haven't been yet. Please help!

 

Attached are FRST.txt and Addition.txt as instructed.

 

 

 



#2 olgun52

  • Malware Response Team

Posted 27 May 2016 - 04:47 PM

Hello norberth, and welcome to BleepingComputer.
My name is Yılmaz and I'll help you with the cleanup of malware from your computer.

Before we move on, please read the following points carefully.
  • Please complete all steps in the specified order.
  • Even if tools don't find malware, I want you to post the logfiles anyway.
  • Please copy and paste the logfiles directly into your posts. Please do not attach them unless you are instructed to do so.
  • Read the instructions carefully. If you have problems, stop what you were doing and describe the problems you encountered as precisely as you can.
  • Don't install or uninstall software during the cleanup unless you are told to do so.
  • Ensure your external and/or USB drives are always inserted during the scan.
  • If you can't answer for the next few days, please let me know. If you haven't answered within 5 days, I am assuming that you don't need help anymore and your topic will be closed.
  • If you have illegal/cracked software, cracks, keygens, etc. on the system, please remove or uninstall them now!
  • I cannot guarantee that we will find and be able to remove all malware. The cleaning process is not instant. Please continue to review my answers until I tell you that your computer is clean.
  • Please reply to this thread. Do not start a new topic.
  • As my first language is not English, please do not use slang or idioms. It could be hard for me to understand.
  • Please open the computer as administrator. How to open the computer as administrator?
  • Disable your AntiVirus and AntiSpyware applications, as they will interfere with our tools and the removal. If you are unsure how to do this, please refer to the help here.
Thanks

I am currently reviewing your log. I will be back with a fix for your problem as soon as possible. Please be patient with me during this time.
 
Sincerely

Best regards
 
paypal.gif
If you wish to show appreciation and support me personally fighting against malware, then you can consider a donation. Thank you. :thumbup2:
Malware fix forum
If I don't reply within 24 hours please PM me!

 


 


#3 olgun52

  • Malware Response Team

Posted 27 May 2016 - 09:15 PM

Hi again,
 

ProxyServer: [S-1-5-21-117609710-2025429265-725345543-68067] => www-ad-proxy.sabre.com:80
AutoConfigURL: [S-1-5-21-117609710-2025429265-725345543-68067] => hxxp://inet-pac.sabre.com:81/sabre-proxy.pac
ManualProxies: 0hxxp://inet-pac.sabre.com:81/sabre-proxy.pac

Do these proxy settings belong to you or to the company? Any opinions on this?

========================================================================================

C:\Program Files\Emhvig

Please post the contents of this folder.

================================================

 

Please go to: VirusTotal
On the page you'll find a "Choose File" button.
Click on the Choose File button.
In the Choose File to Upload window which opens, copy and paste this into the File Name box.

 

C:\Users\sg0893158\AppData\Roaming\FerroMilryl\Ucusrefs.exe -cms

C:\Windows\System32\DRIVERS\tdifd1252.sys

 

Next, click the Open button.
Then click the "Scan It!" button just below.
This will scan the file. Please be patient.
If you get a message saying File has already been analyzed: click Reanalyze file now
Once scanned, copy and paste the link to the results page in your next reply.

========================================================================
Uninstall some programs
NOTE: Because of the cleanup process, some of the programs I have listed may not be in Add/Remove anymore. This is fine; just move to the next item on the list.
You can remove these programs using Add/Remove, or you can use the free uninstaller from Revo (Revo does a lot better of a job).

 

Programs to remove

 

SpaceSoundPro

C:\Program Files\SpaceSoundPro

  • Please download and install Revo Uninstaller Free.
  • Double click Revo Uninstaller to run it.
  • From the list of programs, double click on the program to remove.
  • When prompted if you want to uninstall, click Yes.
  • Be sure the Moderate option is selected, then click Next.
  • The program will run. If prompted again, click Yes.
  • When the built-in uninstaller is finished, click on Next.
  • Once the program has searched for leftovers, click Next.
  • Check/tick the bolded items only on the list, then click Delete.
  • When prompted, click on Yes and then on Next.
  • Put a check on any folders that are found and select Delete.
  • When prompted, select Yes, then Next.
  • Once done, click Finish.

=================================================================================
Please do the following

 

Please download MiniToolBox, save it to your desktop and run it.
Checkmark the following checkboxes:

  • Flush DNS
  • Report IE Proxy Settings
  • Reset IE Proxy Settings
  • Report FF Proxy Settings
  • Reset FF Proxy Settings
  • List content of Hosts
  • List IP configuration
  • List Winsock Entries
  • List last 10 Event Viewer log
  • List Installed Programs
  • List Users, Partitions and Memory size.

Click Go and post the result (Result.txt). A copy of Result.txt will be saved in the same directory the tool is run.
Note: When using "Reset FF Proxy Settings" option Firefox should be closed.


Edited by olgun52, 27 May 2016 - 09:16 PM.

Best regards
 

 


 


#4 norberth

  • Topic Starter

Posted 28 May 2016 - 12:03 AM

Hi Yılmaz,

The proxy settings in question are the company's and are as they are supposed to be.

Content of Emhvig folder:

C:\Program Files\Emhvig>dir
 Volume in drive C is OSDisk
 Volume Serial Number is CA78-0EB0

 Directory of C:\Program Files\Emhvig

05/17/2016  11:34 PM    <DIR>          .
05/17/2016  11:34 PM    <DIR>          ..
05/17/2016  11:15 PM            27,456 bsdpf64.sys
               1 File(s)         27,456 bytes
               2 Dir(s)  105,343,016,960 bytes free

C:\Program Files\Emhvig>

***** Oddly the file you wanted me to scan

C:\Users\sg0893158\AppData\Roaming\FerroMilryl\Ucusrefs.exe -cms

does not exist on my drive at that location:

C:\Users\sg0893158\AppData\Roaming>dir
 Volume in drive C is OSDisk
 Volume Serial Number is CA78-0EB0

 Directory of C:\Users\sg0893158\AppData\Roaming

05/24/2016  09:30 AM    <DIR>          .
05/24/2016  09:30 AM    <DIR>          ..
02/12/2016  11:52 PM    <DIR>          Adobe
02/16/2016  09:28 AM    <DIR>          Apple Computer
02/13/2016  12:30 AM    <DIR>          Canon
03/10/2016  09:42 AM    <DIR>          Cisco
05/18/2016  12:49 AM    <DIR>          Cittovfo
02/12/2016  11:53 PM    <DIR>          com.carrier.myinfinity
02/12/2016  08:28 PM    <DIR>          GoPro
02/17/2016  05:48 PM    <DIR>          Helios
11/20/2010  09:51 PM    <DIR>          Identities
03/10/2016  09:42 AM    <DIR>          JabberWerxCPP
02/11/2016  02:09 PM    <DIR>          Macromedia
02/03/2016  02:03 PM    <DIR>          McAfee
02/17/2016  05:52 PM    <DIR>          Notepad++
05/17/2016  11:24 PM    <DIR>          PlutoTV
02/14/2016  02:56 PM    <DIR>          Publish Providers
05/17/2016  10:56 PM    <DIR>          Skype
02/14/2016  03:02 PM    <DIR>          Sony
02/12/2016  08:34 PM    <DIR>          Sony Corporation
02/14/2016  02:59 PM    <DIR>          Sony Creative Software Inc
05/19/2016  12:46 AM    <DIR>          StatsManager
02/18/2016  08:09 AM    <DIR>          Subversion
02/08/2016  04:42 PM    <DIR>          Sun
08/03/2015  06:53 PM    <DIR>          Synaptics
02/14/2016  03:08 PM    <DIR>          Titler
04/01/2016  04:56 PM    <DIR>          TortoiseSVN
05/18/2016  12:24 AM                45 WB.CFG
05/16/2016  02:50 PM    <DIR>          webex
03/10/2016  09:42 AM    <DIR>          WebEx Connect
               1 File(s)             45 bytes
              29 Dir(s)  105,343,410,176 bytes free

[PlutoTV looks suspicious, as I remember it self-installing on my desktop and me then uninstalling it through Control Panel / Uninstall. If I remember correctly, my infection could have occurred on May 17 around 11 pm local time.]

C:\Windows\System32\DRIVERS\tdifd1252.sys

This file was not visible when trying to locate it via the VirusTotal explorer window, but I could see it when displaying the drivers folder in a command window. I had to copy it elsewhere for explorer to see it and then scan it. It looks like it is harmless; the link is below:

https://www.virustotal.com/en/file/2c86bf3134a6bb091b87e5ae3535ef7c5a1a32063ae47c0b91a91c2723a0c042/analysis/1464407235/

------------------------

**** Again an odd thing. I do not see SpaceSoundPro in the location you provided, hence Revo Uninstaller cannot find it:

C:\Program Files>dir
 Volume in drive C is OSDisk
 Volume Serial Number is CA78-0EB0

 Directory of C:\Program Files

05/18/2016  11:41 PM    <DIR>          .
05/18/2016  11:41 PM    <DIR>          ..
02/03/2016  12:08 PM    <DIR>          AMD
02/13/2016  12:21 AM    <DIR>          Canon
02/18/2016  10:52 PM    <DIR>          Common Files
02/03/2016  12:15 PM    <DIR>          Dell
02/03/2016  03:05 PM    <DIR>          DellTPad
02/03/2016  12:08 PM    <DIR>          DIFX
04/12/2011  02:45 AM    <DIR>          DVD Maker
05/17/2016  11:34 PM    <DIR>          Emhvig
05/18/2016  11:41 PM    <DIR>          GoPro
02/03/2016  12:08 PM    <DIR>          Intel
04/30/2016  07:21 AM    <DIR>          Internet Explorer
02/18/2016  05:40 PM    <DIR>          Java
02/03/2016  02:03 PM    <DIR>          McAfee
02/08/2016  04:32 PM    <DIR>          Microsoft Office
02/03/2016  12:31 PM    <DIR>          Microsoft Policy Platform
02/08/2016  05:22 PM    <DIR>          Microsoft Silverlight
07/14/2009  12:32 AM    <DIR>          MSBuild
02/03/2016  12:08 PM    <DIR>          Realtek
07/14/2009  12:32 AM    <DIR>          Reference Assemblies
02/03/2016  03:06 PM    <DIR>          STMicroelectronics
08/03/2015  09:45 PM    <DIR>          Synaptics
02/17/2016  05:48 PM    <DIR>          TextPad 8
02/17/2016  06:18 PM    <DIR>          TortoiseSVN
02/18/2016  10:52 PM    <DIR>          Western Digital
08/04/2015  10:20 AM    <DIR>          Windows Defender
02/26/2016  06:03 PM    <DIR>          Windows Journal
04/12/2011  02:38 AM    <DIR>          Windows Mail
03/31/2016  06:20 PM    <DIR>          Windows Media Player
07/14/2009  12:32 AM    <DIR>          Windows NT
04/12/2011  02:38 AM    <DIR>          Windows Photo Viewer
11/20/2010  10:31 PM    <DIR>          Windows Portable Devices
04/12/2011  02:38 AM    <DIR>          Windows Sidebar
               0 File(s)              0 bytes
              34 Dir(s)  105,317,613,568 bytes free

I see errors related to that program, and it sounds like it could be some problem with the disk encryption that the company installed, so this folder is not visible. Again, the date for it is the evening of May 17, which is when I suspect the infection could have happened.

-------------

MiniToolBox log I will provide in the next post.



#5 norberth

  • Topic Starter

Posted 28 May 2016 - 12:11 AM

Part 1 of MiniToolBox log is below (it seems to be too big and I cannot post my reply).

 

Note: I ran it while on VPN, as otherwise, using my home network, I am unable to reach bleepingcomputer.com without popups saying 'Your security is at risk, call the number on the screen and you will be guided to remove ...'

 

MiniToolBox by Farbar  Version: 07-02-2016 01
Ran by SG0893158 (administrator) on 27-05-2016 at 23:22:35
Running from "C:\Users\Public\Documents\Downloads"
Microsoft Windows 7 Enterprise  Service Pack 1 (X64)
Model: Precision M2800 Manufacturer: Dell Inc.
Boot Mode: Normal
***************************************************************************

========================= Flush DNS: ===================================

Windows IP Configuration

Successfully flushed the DNS Resolver Cache.

========================= IE Proxy Settings: ==============================

Proxy is not enabled.
ProxyServer: www-ad-proxy.sabre.com:80

"Reset IE Proxy Settings": IE Proxy Settings were reset.
========================= Hosts content: =================================
107.178.255.88 www.google-analytics.com
107.178.255.88 www.statcounter.com
107.178.255.88 statcounter.com
107.178.255.88 ssl.google-analytics.com
107.178.255.88 partner.googleadservices.com
107.178.255.88 google-analytics.com
107.178.248.130 static.doubleclick.net
107.178.247.130 connect.facebook.net
107.178.255.88 www.google-analytics.com
107.178.255.88 www.statcounter.com
107.178.255.88 statcounter.com
107.178.255.88 ssl.google-analytics.com
107.178.255.88 partner.googleadservices.com
107.178.255.88 google-analytics.com
107.178.248.130 static.doubleclick.net
107.178.247.130 connect.facebook.net127.0.0.1       down.baidu2016.com
127.0.0.1       123.sogou.com
127.0.0.1       www.czzsyzgm.com
127.0.0.1       www.czzsyzxl.com
127.0.0.1       union.baidu2019.com
========================= IP Configuration: ================================

Intel® Dual Band Wireless-AC 7260 = Wireless Network Connection (Connected)
Cisco AnyConnect Secure Mobility Client Virtual Miniport Adapter for Windows x64 = Local Area Connection 2 (Hardware not present)
Intel® Ethernet Connection I217-LM = Local Area Connection (Media disconnected)
Bluetooth Device (Personal Area Network) = Bluetooth Network Connection (Media disconnected)
Microsoft Virtual WiFi Miniport Adapter = Wireless Network Connection 2 (Media disconnected)

# ----------------------------------
# IPv4 Configuration
# ----------------------------------
pushd interface ipv4

reset
set global icmpredirects=enabled
set interface interface="Local Area Connection 2" forwarding=enabled advertise=enabled metric=1 nud=enabled

popd
# End of IPv4 configuration

 

Windows IP Configuration

   Host Name . . . . . . . . . . . . : D9MQHJ72
   Primary Dns Suffix  . . . . . . . : Global.ad.sabre.com
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No
   DNS Suffix Search List. . . . . . : Global.ad.sabre.com
                                       attlocal.net
                                       ad.sabre.com

Wireless LAN adapter Wireless Network Connection 2:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Microsoft Virtual WiFi Miniport Adapter
   Physical Address. . . . . . . . . : 7E-5C-F8-96-F1-77
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes

Ethernet adapter Bluetooth Network Connection:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Bluetooth Device (Personal Area Network)
   Physical Address. . . . . . . . . : 7C-5C-F8-96-F1-7B
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes

Wireless LAN adapter Wireless Network Connection:

   Connection-specific DNS Suffix  . : attlocal.net
   Description . . . . . . . . . . . : Intel® Dual Band Wireless-AC 7260
   Physical Address. . . . . . . . . : 7C-5C-F8-96-F1-77
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
   IPv6 Address. . . . . . . . . . . : 2602:306:30be:8900::23(Preferred)
   Lease Obtained. . . . . . . . . . : Friday, May 27, 2016 11:17:34 PM
   Lease Expires . . . . . . . . . . : Sunday, June 26, 2016 11:17:35 PM
   IPv6 Address. . . . . . . . . . . : 2602:306:30be:8900:c8f4:129c:6283:8b49(Preferred)
   Temporary IPv6 Address. . . . . . : 2602:306:30be:8900:dfe:bb46:c7e2:4734(Preferred)
   Link-local IPv6 Address . . . . . : fe80::c8f4:129c:6283:8b49%12(Preferred)
   IPv4 Address. . . . . . . . . . . : 192.168.1.99(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Lease Obtained. . . . . . . . . . : Friday, May 27, 2016 11:17:27 PM
   Lease Expires . . . . . . . . . . : Saturday, May 28, 2016 11:17:30 PM
   Default Gateway . . . . . . . . . : fe80::223d:66ff:fe3f:2340%12
                                       192.168.1.254
   DHCP Server . . . . . . . . . . . : 192.168.1.254
   DHCPv6 IAID . . . . . . . . . . . : 226254072
   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-1E-43-EC-43-F8-CA-B8-54-37-00
   DNS Servers . . . . . . . . . . . : 192.168.1.254
   NetBIOS over Tcpip. . . . . . . . : Enabled

Ethernet adapter Local Area Connection:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . : sabre.com
   Description . . . . . . . . . . . : Intel® Ethernet Connection I217-LM
   Physical Address. . . . . . . . . : F8-CA-B8-54-37-00
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes

Tunnel adapter isatap.attlocal.net:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . : attlocal.net
   Description . . . . . . . . . . . : Microsoft ISATAP Adapter
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
Server:  dsldevice.attlocal.net
Address:  192.168.1.254

Name:    google.com
Addresses:  2607:f8b0:4000:802::200e
   216.58.194.46

Pinging google.com [2607:f8b0:4000:801::200e] with 32 bytes of data:
Reply from 2607:f8b0:4000:801::200e: time=102ms
Reply from 2607:f8b0:4000:801::200e: time=95ms

Ping statistics for 2607:f8b0:4000:801::200e:
    Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 95ms, Maximum = 102ms, Average = 98ms
Server:  dsldevice.attlocal.net
Address:  192.168.1.254

Name:    yahoo.com
Addresses:  2001:4998:58:c02::a9
   2001:4998:c:a06::2:4008
   2001:4998:44:204::a7
   206.190.36.45
   98.139.183.24
   98.138.253.109

Pinging yahoo.com [2001:4998:44:204::a7] with 32 bytes of data:
Reply from 2001:4998:44:204::a7: time=205ms
Reply from 2001:4998:44:204::a7: time=134ms

Ping statistics for 2001:4998:44:204::a7:
    Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 134ms, Maximum = 205ms, Average = 169ms

Pinging 127.0.0.1 with 32 bytes of data:
Reply from 127.0.0.1: bytes=32 time<1ms TTL=128
Reply from 127.0.0.1: bytes=32 time<1ms TTL=128

Ping statistics for 127.0.0.1:
    Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 0ms, Average = 0ms
===========================================================================
Interface List
 16...7e 5c f8 96 f1 77 ......Microsoft Virtual WiFi Miniport Adapter
 14...7c 5c f8 96 f1 7b ......Bluetooth Device (Personal Area Network)
 12...7c 5c f8 96 f1 77 ......Intel® Dual Band Wireless-AC 7260
 11...f8 ca b8 54 37 00 ......Intel® Ethernet Connection I217-LM
  1...........................Software Loopback Interface 1
 18...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter
===========================================================================

IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0    192.168.1.254     192.168.1.99     10
        127.0.0.0        255.0.0.0         On-link         127.0.0.1    306
        127.0.0.1  255.255.255.255         On-link         127.0.0.1    306
  127.255.255.255  255.255.255.255         On-link         127.0.0.1    306
      192.168.1.0    255.255.255.0         On-link      192.168.1.99    266
     192.168.1.99  255.255.255.255         On-link      192.168.1.99    266
    192.168.1.255  255.255.255.255         On-link      192.168.1.99    266
        224.0.0.0        240.0.0.0         On-link         127.0.0.1    306
        224.0.0.0        240.0.0.0         On-link      192.168.1.99    266
  255.255.255.255  255.255.255.255         On-link         127.0.0.1    306
  255.255.255.255  255.255.255.255         On-link      192.168.1.99    266
===========================================================================
Persistent Routes:
  None

IPv6 Route Table
===========================================================================
Active Routes:
 If Metric Network Destination      Gateway
 12    266 ::/0                     fe80::223d:66ff:fe3f:2340
  1    306 ::1/128                  On-link
 12     26 2602:306:30be:8900::/60  fe80::223d:66ff:fe3f:2340
 12     18 2602:306:30be:8900::/64  On-link
 12    266 2602:306:30be:8900::23/128
                                    On-link
 12    266 2602:306:30be:8900:dfe:bb46:c7e2:4734/128
                                    On-link
 12    266 2602:306:30be:8900:c8f4:129c:6283:8b49/128
                                    On-link
 12    266 fe80::/64                On-link
 12    266 fe80::c8f4:129c:6283:8b49/128
                                    On-link
  1    306 ff00::/8                 On-link
 12    266 ff00::/8                 On-link
===========================================================================
Persistent Routes:
  None
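As an added example (not code from this thread, from MiniToolBox, or from either poster), the script below runs the checks olgun52 asked for over the "Hosts content" and "IP Configuration" sections of a MiniToolBox Result.txt: it separates loopback "block" entries from redirects to other hosts (the kind that can serve a fake update page), lists duplicates, and extracts the client's DNS servers. The embedded sample is constructed from lines modelled on the log posted above; the section titles and the ipconfig label format are assumed to match that output.

```python
"""Audit the 'Hosts content' and 'IP Configuration' sections of a
MiniToolBox Result.txt for local name-resolution tampering (added example)."""
import ipaddress
import re
from collections import Counter

# Constructed sample input, modelled on the MiniToolBox output posted in
# this thread (a redirect block, a duplicate, two loopback entries and one
# DNS server line); it is not the full log.
SAMPLE_RESULT = """\
========================= Hosts content: =================================
107.178.255.88 www.google-analytics.com
107.178.255.88 www.google-analytics.com
107.178.248.130 static.doubleclick.net
127.0.0.1       down.baidu2016.com
127.0.0.1       123.sogou.com
========================= IP Configuration: ================================

   DNS Servers . . . . . . . . . . . : 192.168.1.254
   NetBIOS over Tcpip. . . . . . . . : Enabled
===========================================================================
"""

# MiniToolBox section banner: "===== Title: =====" (the colon is not always there).
SECTION_RE = re.compile(r"^=+\s*(.*?):?\s*=+\s*$")
# ipconfig /all label line for the resolver list.
DNS_RE = re.compile(r"DNS Servers[ .]*:\s*(\S+)")


def split_sections(text):
    """Map each MiniToolBox section title to the lines that follow its banner."""
    sections, current = {}, None
    for line in text.splitlines():
        m = SECTION_RE.match(line)
        title = m.group(1).strip() if m else ""
        if title:
            current = title
            sections[current] = []
        elif current is not None:
            sections[current].append(line)
    return sections


def parse_hosts(lines):
    """Return (address, hostname) pairs from hosts-file lines, ignoring comments."""
    entries = []
    for line in lines:
        parts = line.split("#", 1)[0].split()
        if len(parts) < 2:
            continue
        try:
            addr = ipaddress.ip_address(parts[0])
        except ValueError:
            continue  # not a hosts line (a stray banner or blank)
        for name in parts[1:]:
            entries.append((addr, name.lower()))
    return entries


def classify_hosts(entries):
    """Split hosts entries into loopback 'block' entries, which only sinkhole
    a name, and 'redirect' entries, which send the name to another host and
    are the ones that can serve fake update pages.  Duplicates are listed too."""
    findings = {"redirect": [], "block": [], "duplicate": []}
    for (addr, name), count in Counter(entries).items():
        kind = "block" if addr.is_loopback or addr.is_unspecified else "redirect"
        findings[kind].append((str(addr), name))
        if count > 1:
            findings["duplicate"].append((str(addr), name))
    return findings


def dns_servers(lines):
    """Collect resolver addresses from the ipconfig /all output, including the
    unlabelled continuation lines ipconfig uses for additional servers."""
    servers, in_dns = [], False
    for line in lines:
        m = DNS_RE.search(line)
        value = line.strip()
        if m:
            in_dns, value = True, m.group(1)
        elif not (in_dns and value and " " not in value):
            in_dns = False
            continue
        try:
            servers.append(ipaddress.ip_address(value))
        except ValueError:
            in_dns = False
    return servers


def audit(text):
    """Run all checks over one Result.txt and return the findings."""
    sections = split_sections(text)
    findings = classify_hosts(parse_hosts(sections.get("Hosts content", [])))
    servers = dns_servers(sections.get("IP Configuration", []))
    findings["dns_servers"] = [str(s) for s in servers]
    # A resolver outside private address space configured directly on the
    # client is the classic client-side DNS hijack.  When the only resolver is
    # the router (192.168.1.254 in this thread), the client looks clean and the
    # router's own upstream resolvers have to be checked on its admin page.
    findings["foreign_dns"] = [str(s) for s in servers if not s.is_private]
    return findings


if __name__ == "__main__":
    for key, value in audit(SAMPLE_RESULT).items():
        print(f"{key}: {value}")
```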



#6 norberth

  • Topic Starter

Posted 28 May 2016 - 12:16 AM

Part 2

 

========================= Winsock entries =====================================

Catalog5 01 C:\windows\SysWOW64\NLAapi.dll [52224] (Microsoft Corporation)
Catalog5 02 C:\windows\SysWOW64\napinsp.dll [52224] (Microsoft Corporation)
Catalog5 03 C:\windows\SysWOW64\pnrpnsp.dll [65024] (Microsoft Corporation)
Catalog5 04 C:\windows\SysWOW64\pnrpnsp.dll [65024] (Microsoft Corporation)
Catalog5 05 C:\windows\SysWOW64\mswsock.dll [231424] (Microsoft Corporation)
Catalog5 06 C:\windows\SysWOW64\winrnr.dll [20992] (Microsoft Corporation)
Catalog5 07 C:\windows\SysWOW64\wshbth.dll [36352] (Microsoft Corporation)
Catalog5 08 C:\ProgramData\Application Data\hpservice\Accessible\\NamespaceEvents32_0.dll [103384] (FireEye, Inc.)
Catalog9 01 C:\windows\SysWOW64\mswsock.dll [231424] (Microsoft Corporation)
Catalog9 02 C:\windows\SysWOW64\mswsock.dll [231424] (Microsoft Corporation)
Catalog9 03 C:\windows\SysWOW64\mswsock.dll [231424] (Microsoft Corporation)
Catalog9 04 C:\windows\SysWOW64\mswsock.dll [231424] (Microsoft Corporation)
Catalog9 05 C:\windows\SysWOW64\mswsock.dll [231424] (Microsoft Corporation)
Catalog9 06 C:\windows\SysWOW64\mswsock.dll [231424] (Microsoft Corporation)
Catalog9 07 C:\windows\SysWOW64\mswsock.dll [231424] (Microsoft Corporation)
Catalog9 08 C:\windows\SysWOW64\mswsock.dll [231424] (Microsoft Corporation)
Catalog9 09 C:\windows\SysWOW64\mswsock.dll [231424] (Microsoft Corporation)
Catalog9 10 C:\windows\SysWOW64\mswsock.dll [231424] (Microsoft Corporation)
Catalog9 11 C:\windows\SysWOW64\mswsock.dll [231424] (Microsoft Corporation)
x64-Catalog5 01 C:\Windows\System32\NLAapi.dll [70656] (Microsoft Corporation)
x64-Catalog5 02 C:\Windows\System32\napinsp.dll [68096] (Microsoft Corporation)
x64-Catalog5 03 C:\Windows\System32\pnrpnsp.dll [86016] (Microsoft Corporation)
x64-Catalog5 04 C:\Windows\System32\pnrpnsp.dll [86016] (Microsoft Corporation)
x64-Catalog5 05 C:\Windows\System32\mswsock.dll [327168] (Microsoft Corporation)
x64-Catalog5 06 C:\Windows\System32\winrnr.dll [28672] (Microsoft Corporation)
x64-Catalog5 07 C:\Windows\System32\wshbth.dll [47104] (Microsoft Corporation)
x64-Catalog5 08 C:\ProgramData\Application Data\hpservice\Accessible\\NamespaceEvents_0.dll [122328] (FireEye, Inc.)
x64-Catalog9 01 C:\Windows\System32\mswsock.dll [327168] (Microsoft Corporation)
x64-Catalog9 02 C:\Windows\System32\mswsock.dll [327168] (Microsoft Corporation)
x64-Catalog9 03 C:\Windows\System32\mswsock.dll [327168] (Microsoft Corporation)
x64-Catalog9 04 C:\Windows\System32\mswsock.dll [327168] (Microsoft Corporation)
x64-Catalog9 05 C:\Windows\System32\mswsock.dll [327168] (Microsoft Corporation)
x64-Catalog9 06 C:\Windows\System32\mswsock.dll [327168] (Microsoft Corporation)
x64-Catalog9 07 C:\Windows\System32\mswsock.dll [327168] (Microsoft Corporation)
x64-Catalog9 08 C:\Windows\System32\mswsock.dll [327168] (Microsoft Corporation)
x64-Catalog9 09 C:\Windows\System32\mswsock.dll [327168] (Microsoft Corporation)
x64-Catalog9 10 C:\Windows\System32\mswsock.dll [327168] (Microsoft Corporation)
x64-Catalog9 11 C:\Windows\System32\mswsock.dll [327168] (Microsoft Corporation)

========================= Event log errors: ===============================

Application errors:
==================
Error: (05/27/2016 11:17:40 PM) (Source: AutoEnrollment) (User: )
Description: GLOBAL\SG08931580x8007003aThe specified server cannot perform the requested operation.

Error: (05/27/2016 11:17:26 PM) (Source: ATIeRecord) (User: )
Description: ATI EEU Client has failed to start

Error: (05/27/2016 11:17:26 PM) (Source: WinMgmt) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (05/27/2016 02:35:08 PM) (Source: AutoEnrollment) (User: )
Description: GLOBAL\SG08931580x8007003aThe specified server cannot perform the requested operation.

Error: (05/27/2016 02:34:57 PM) (Source: WinMgmt) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (05/27/2016 02:34:49 PM) (Source: ATIeRecord) (User: )
Description: ATI EEU Client has failed to start

Error: (05/27/2016 06:44:32 AM) (Source: AutoEnrollment) (User: )
Description: GLOBAL\SG08931580x8007003aThe specified server cannot perform the requested operation.

Error: (05/27/2016 06:44:23 AM) (Source: WinMgmt) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (05/27/2016 06:44:14 AM) (Source: ATIeRecord) (User: )
Description: ATI EEU Client has failed to start

Error: (05/27/2016 06:41:21 AM) (Source: AutoEnrollment) (User: )
Description: GLOBAL\SG08931580x8007003aThe specified server cannot perform the requested operation.

System errors:
=============
Error: (05/27/2016 11:21:40 PM) (Source: Service Control Manager) (User: )
Description: The Diagnostic Service Host service failed to start due to the following error:
%%1297

Error: (05/27/2016 11:21:40 PM) (Source: Service Control Manager) (User: )
Description: The Diagnostic Service Host service failed to start due to the following error:
%%1297

Error: (05/27/2016 11:21:26 PM) (Source: Service Control Manager) (User: )
Description: The Diagnostic Service Host service failed to start due to the following error:
%%1297

Error: (05/27/2016 11:21:26 PM) (Source: Service Control Manager) (User: )
Description: The Diagnostic Service Host service failed to start due to the following error:
%%1297

Error: (05/27/2016 11:21:26 PM) (Source: Service Control Manager) (User: )
Description: The Diagnostic Service Host service failed to start due to the following error:
%%1297

Error: (05/27/2016 11:21:26 PM) (Source: Service Control Manager) (User: )
Description: The Diagnostic Service Host service failed to start due to the following error:
%%1297

Error: (05/27/2016 11:21:24 PM) (Source: Service Control Manager) (User: )
Description: The Diagnostic Service Host service failed to start due to the following error:
%%1297

Error: (05/27/2016 11:21:24 PM) (Source: Service Control Manager) (User: )
Description: The Diagnostic Service Host service failed to start due to the following error:
%%1297

Error: (05/27/2016 11:21:24 PM) (Source: Service Control Manager) (User: )
Description: The Diagnostic Service Host service failed to start due to the following error:
%%1297

Error: (05/27/2016 11:21:24 PM) (Source: Service Control Manager) (User: )
Description: The Diagnostic Service Host service failed to start due to the following error:
%%1297

Microsoft Office Sessions:
=========================
Error: (05/27/2016 11:17:40 PM) (Source: AutoEnrollment)(User: )
Description: GLOBAL\SG08931580x8007003aThe specified server cannot perform the requested operation.

Error: (05/27/2016 11:17:26 PM) (Source: ATIeRecord)(User: )
Description:

Error: (05/27/2016 11:17:26 PM) (Source: WinMgmt)(User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (05/27/2016 02:35:08 PM) (Source: AutoEnrollment)(User: )
Description: GLOBAL\SG08931580x8007003aThe specified server cannot perform the requested operation.

Error: (05/27/2016 02:34:57 PM) (Source: WinMgmt)(User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (05/27/2016 02:34:49 PM) (Source: ATIeRecord)(User: )
Description:

Error: (05/27/2016 06:44:32 AM) (Source: AutoEnrollment)(User: )
Description: GLOBAL\SG08931580x8007003aThe specified server cannot perform the requested operation.

Error: (05/27/2016 06:44:23 AM) (Source: WinMgmt)(User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (05/27/2016 06:44:14 AM) (Source: ATIeRecord)(User: )
Description:

Error: (05/27/2016 06:41:21 AM) (Source: AutoEnrollment)(User: )
Description: GLOBAL\SG08931580x8007003aThe specified server cannot perform the requested operation.

CodeIntegrity Errors:
===================================
  Date: 2016-05-17 23:18:25.855
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume1\Program Files\SpaceSoundPro\SpaceSoundPro.dll because the set of per-page image hashes could not be found on the system.

  Date: 2016-05-17 23:18:25.835
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume1\Program Files\SpaceSoundPro\SpaceSoundPro.dll because the set of per-page image hashes could not be found on the system.

  Date: 2016-05-17 23:18:20.725
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume1\Program Files\SpaceSoundPro\SpaceSoundPro.dll because the set of per-page image hashes could not be found on the system.

  Date: 2016-05-17 23:18:20.695
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume1\Program Files\SpaceSoundPro\SpaceSoundPro.dll because the set of per-page image hashes could not be found on the system.

  Date: 2016-05-17 23:18:18.905
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume1\Program Files\SpaceSoundPro\SpaceSoundPro.dll because the set of per-page image hashes could not be found on the system.

  Date: 2016-05-17 23:18:18.885
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume1\Program Files\SpaceSoundPro\SpaceSoundPro.dll because the set of per-page image hashes could not be found on the system.

  Date: 2016-05-17 23:17:07.695
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume1\Program Files\SpaceSoundPro\SpaceSoundPro.dll because the set of per-page image hashes could not be found on the system.

  Date: 2016-05-17 23:17:07.675
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume1\Program Files\SpaceSoundPro\SpaceSoundPro.dll because the set of per-page image hashes could not be found on the system.

  Date: 2016-05-17 23:16:59.145
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume1\Program Files\SpaceSoundPro\SpaceSoundPro.dll because the set of per-page image hashes could not be found on the system.

  Date: 2016-05-17 23:16:59.125
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume1\Program Files\SpaceSoundPro\SpaceSoundPro.dll because the set of per-page image hashes could not be found on the system.



#7 norberth (Topic Starter)

Posted 28 May 2016 - 12:25 AM

Part 3

 

=========================== Installed Programs ============================

64 Bit HP CIO Components Installer (HKLM\...\{5737101A-27C4-408A-8A57-D1DC78DF84B4}) (Version: 8.2.1 - Hewlett-Packard) Hidden
Adobe AIR (HKLM-x32\...\Adobe AIR) (Version: 20.0.0.260 - Adobe Systems Incorporated)
Adobe Flash Player 21 ActiveX (HKLM-x32\...\Adobe Flash Player ActiveX) (Version: 21.0.0.242 - Adobe Systems Incorporated)
Adobe Reader XI (11.0.10) (HKLM-x32\...\{AC76BA86-7AD7-1033-7B44-AB0000000001}) (Version: 11.0.10 - Adobe Systems Incorporated)
AgentInstall64 (HKLM\...\{D37485C2-CC03-4EEB-9BFA-E1409AE00A6C}) (Version: 12.5.2103.01001 - Symantec Corp.)
Apple Application Support (HKLM-x32\...\{46F044A5-CE8B-4196-984E-5BD6525E361D}) (Version: 2.3.6 - Apple Inc.)
Apple Software Update (HKLM-x32\...\{789A5B64-9DD9-4BA5-915A-F0FC0A1B7BFE}) (Version: 2.1.3.127 - Apple Inc.)
Araxis Merge v6.5 (HKLM-x32\...\{895256D1-CDEF-4A50-8F71-82D8FB5C9C5A}) (Version: 6.5.2172 - Araxis)
Canon Easy-PhotoPrint EX (HKLM-x32\...\Easy-PhotoPrint EX) (Version: 4.5.0 - Canon Inc.)
Canon MP Navigator EX 1.1 (HKLM-x32\...\MP Navigator EX 1.1) (Version:  - )
Canon MX850 series (HKLM\...\{1199FAD5-9546-44f3-81CF-FFDB8040B7BF}_Canon_MX850_series) (Version:  - )
Canon My Image Garden (HKLM-x32\...\Canon My Image Garden) (Version: 3.3.0 - Canon Inc.)
Canon My Image Garden Design Files (HKLM-x32\...\Canon My Image Garden Design Files) (Version: 3.2.0 - Canon Inc.)
Canon My Printer (HKLM-x32\...\CanonMyPrinter) (Version: 3.3.0 - Canon Inc.)
Canon Utilities Solution Menu (HKLM-x32\...\CanonSolutionMenu) (Version:  - )
Cisco AnyConnect Secure Mobility Client  (HKLM-x32\...\Cisco AnyConnect Secure Mobility Client) (Version: 3.1.05187 - Cisco Systems, Inc.)
Cisco AnyConnect Secure Mobility Client (HKLM-x32\...\{CC3BBF96-7A4C-4B1D-B34D-6AC88CE46C6C}) (Version: 3.1.05187 - Cisco Systems, Inc.) Hidden
Cisco IP Communicator (HKLM-x32\...\{EAC94DF2-C780-4954-924F-0EE3780A75D1}) (Version: 8.6.3.0 - Cisco Systems, Inc.)
Cisco Jabber (HKLM-x32\...\{98DBEA69-CCF9-4C70-991D-71795C381080}) (Version: 11.5.1.29337 - Cisco Systems, Inc)
Cisco WebEx Meetings (HKLM-x32\...\ActiveTouchMeetingClient) (Version:  - Cisco WebEx LLC)
Citrix Online Launcher (HKLM-x32\...\{09DA5EE2-7E46-4DC4-96F9-BFEE50D40659}) (Version: 1.0.408 - Citrix)
Configuration Manager Client (HKLM\...\{8864FB91-94EE-4F16-A144-0D82A232049D}) (Version: 5.00.7958.1000 - Microsoft Corporation) Hidden
Dell Command | Configure (HKLM-x32\...\{DF3680A9-B4C6-48D1-ACEF-0FF004446314}) (Version: 3.1.0.250 - Dell Inc.)
Dell Command | Monitor (HKLM\...\{DF0B9A53-C87D-49F9-95E3-AEAAC8C4D77B}) (Version: 9.1.0.98 - Dell Inc.)
Dell Touchpad (HKLM\...\{9F72EF8B-AEC9-4CA5-B483-143980AFD6FD}) (Version: 8.1206.101.110 - ALPS ELECTRIC CO., LTD.)
DVD Architect Studio 5.0 (HKLM-x32\...\{3822E74F-08F8-11E3-99EE-F04DA23A5C58}) (Version: 5.0.186 - Sony)
FireEye Agent (HKLM\...\{68035ADC-F74F-45F5-9B57-D866C6854216}) (Version: 11.8.5 - FireEye)
Google Chrome (HKCU\...\Google Chrome) (Version: 43.0.2357.81 - Google Inc.)
GoPro (HKLM\...\{11994124-739A-42BB-A6D2-3AC95355BDC6}) (Version: 0.1.2371 - GoPro, Inc.) Hidden
GoPro for Desktop (HKLM-x32\...\{701bfbd9-f576-470f-8fd0-eca3e608bd97}) (Version: 0.1.0.2371 - GoPro, Inc.)
GoPro Studio (HKLM-x32\...\{BCBF5E75-C1AD-4169-A70C-3A0BD9A7F9CF}) (Version: 5.8.2371 - GoPro, Inc.) Hidden
GoToMeeting 7.18.0.4962 (HKCU\...\GoToMeeting) (Version: 7.18.0.4962 - CitrixOnline)
HP MyRoom (HKLM-x32\...\{26A9052F-164A-402F-B9C1-E820591DD65D}) (Version: 10.5.0691 - Hewlett Packard Enterprise)
iZotope Audio Enhancer (HKLM-x32\...\iZotope Audio Enhancer_is1) (Version: 1.00 - iZotope, Inc.)
Java 7 Update 55 (HKLM-x32\...\{26A24AE4-039D-4CA4-87B4-2F83217055FF}) (Version: 7.0.550 - Oracle)
Java 8 Update 74 (64-bit) (HKLM\...\{26A24AE4-039D-4CA4-87B4-2F86418074F0}) (Version: 8.0.740.2 - Oracle Corporation)
Java SE Development Kit 8 Update 74 (64-bit) (HKLM\...\{64A3A4F4-B792-11D6-A78A-00B0D0180740}) (Version: 8.0.740.2 - Oracle Corporation)
McAfee Agent (HKLM\...\{86D55FFD-408E-4F73-8557-157E920A6AC6}) (Version: 5.0.1.516 - McAfee, Inc.)
McAfee Drive Encryption (HKLM\...\{D4B39EF4-9B0C-433F-8054-BA6EE300764C}) (Version: 7.1.3.547 - McAfee, Inc.) Hidden
McAfee Drive Encryption Agent (HKLM\...\{0B392DFA-18CB-4A3E-B0B6-3C82359B86C8}) (Version: 7.1.3.547 - McAfee, Inc.) Hidden
McAfee ePO Deep Command Client (HKLM-x32\...\{1B8A8C44-8C68-4218-A4F8-CF58ED4817A8}) (Version: 2.4.0.418 - McAfee, Inc.)
McAfee Host Intrusion Prevention (HKLM\...\{D2B9C003-A3CD-44A0-9DE5-52FE986C03E5}) (Version: 8.00.0600 - McAfee, Inc.) Hidden
McAfee Host Intrusion Prevention (HKLM\...\{D2B9C003-A3CD-44A0-9DE5-52FE986C03E5}_Uninst) (Version: 8.00.0600 - McAfee, Inc.)
McAfee Product Improvement Program (HKLM-x32\...\{D45EAF28-A176-41B3-98B7-20375F0A1ADF}) (Version: 1.5.1.604 - McAfee, Inc.)
McAfee VirusScan Enterprise (HKLM-x32\...\{CE15D1B6-19B6-4D4D-8F43-CF5D2C3356FF}) (Version: 8.8.05001 - McAfee, Inc.)
MergeModule_x64 (HKLM\...\{12DCC5A7-0100-4433-B4FF-217A3C5DC83B}) (Version: 9.3.00 - Sony Corporation) Hidden
MergeModule_x86 (HKLM-x32\...\{DD7721BB-CF1C-4DC9-AD87-8D5FB75413B7}) (Version: 9.3.00 - Sony Corporation) Hidden
Microsoft .NET Framework 4.6 (HKLM\...\{92FB6C44-E685-45AD-9B20-CADF4CABA132} - 1033) (Version: 4.6.00081 - Microsoft Corporation)
Microsoft Office Professional Plus 2013 (HKLM-x32\...\Office15.PROPLUS) (Version: 15.0.4569.1506 - Microsoft Corporation)
Microsoft Silverlight (HKLM\...\{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}) (Version: 5.1.41212.0 - Microsoft Corporation)
Microsoft Visio 2010 Service Pack 1 (SP1) (HKLM-x32\...\{90140000-0057-0000-0000-0000000FF1CE}_Office14.VISIO_{01D8AE4B-A04D-47E5-81BF-E3F98B81B8C3}) (Version:  - Microsoft)
Microsoft Visio Premium 2010 (HKLM-x32\...\Office14.VISIO) (Version: 14.0.6029.1000 - Microsoft Corporation)
Microsoft Visio Viewer 2013 (HKLM\...\{95150000-0052-0409-1000-0000000FF1CE}) (Version: 15.0.4420.1017 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (HKLM-x32\...\{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}) (Version: 8.0.61001 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (x64) (HKLM\...\{ad8a2fa1-06e7-4b0d-927d-6e54b3d31028}) (Version: 8.0.61000 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.4148 (HKLM\...\{4B6C7001-C7D6-3710-913E-5BC23FCE91E6}) (Version: 9.0.30729.4148 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022 (HKLM-x32\...\{FF66E9F6-83E7-3A3E-AF14-8DE9A809A6A4}) (Version: 9.0.21022 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17 (HKLM-x32\...\{9A25302D-30C0-39D9-BD6F-21E6EC160475}) (Version: 9.0.30729 - Microsoft Corporation)
Microsoft Visual C++ 2010  x64 Redistributable - 10.0.40219 (HKLM\...\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}) (Version: 10.0.40219 - Microsoft Corporation)
Microsoft Visual C++ 2010  x86 Redistributable - 10.0.40219 (HKLM-x32\...\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}) (Version: 10.0.40219 - Microsoft Corporation)
MyInfinity (HKLM-x32\...\{FF348636-6DE1-BC34-22FF-94291391ECAE}) (Version: 2.05 - Carrier Corporation) Hidden
MyInfinity (HKLM-x32\...\com.carrier.myinfinity) (Version: 2.05 - Carrier Corporation)
NewBlue Titler and VideoFX for Sony Vegas MSPPS (HKLM-x32\...\NewBlue Titler for Sony Vegas MSPS) (Version: 1.0 - NewBlue)
Notepad++ (HKLM-x32\...\Notepad++) (Version: 6.8.8 - Notepad++ Team)
OpenAL (HKLM-x32\...\OpenAL) (Version:  - )
Outils de vérification linguistique 2013 de Microsoft Office - Français (HKLM-x32\...\{90150000-001F-040C-0000-0000000FF1CE}) (Version: 15.0.4569.1506 - Microsoft Corporation) Hidden
PlayMemories Home (HKLM-x32\...\{94F4815B-755A-4FFA-AFDC-EE8FE776981E}) (Version: 5.1.00.12260 - Sony Corporation)
PMB_ModeEditor (HKLM-x32\...\{D5318740-B088-4B1A-B6A8-1F90A172CCD1}) (Version: 9.3.00 - Sony Corporation) Hidden
PMB_ServiceUploader (HKLM-x32\...\{E7FDF11C-12BB-4D6F-9B6D-F8E488C776DC}) (Version: 10.1.00 - Sony Corporation) Hidden
QuickTime 7 (HKLM-x32\...\{FF59BD75-466A-4D5A-AD23-AAD87C5FD44C}) (Version: 7.79.80.95 - Apple Inc.)
Realtek Audio COM Components (HKLM-x32\...\{2355B503-9B11-4449-861D-1C1748B26320}) (Version: 1.0.2 - Realtek Semiconductor Corp.)
Realtek High Definition Audio Driver (HKLM-x32\...\{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}) (Version: 6.0.1.6053 - Realtek Semiconductor Corp.)
Revo Uninstaller 1.95 (HKLM-x32\...\Revo Uninstaller) (Version: 1.95 - VS Revo Group)
Skype for Business Web App Plug-in (HKLM-x32\...\{37C8167B-B653-4955-A6E8-EBB8DE937DDD}) (Version: 15.8.20020.400 - Microsoft Corporation)
Skype™ 7.18 (HKLM-x32\...\{FC965A47-4839-40CA-B618-18F486F042C6}) (Version: 7.18.112 - Skype Technologies S.A.)
Sound Forge Audio Studio 10.0 (HKLM-x32\...\{BC208D90-4643-11E3-987B-F04DA23A5C58}) (Version: 10.0.252 - Sony)
Synaptics Pointing Device Driver (HKLM\...\SynTPDeinstKey) (Version: 15.3.25.0 - Synaptics Incorporated)
TextPad 8 (HKLM\...\{861AB1C1-1967-4C4A-BF86-C255E2D2B8FD}) (Version: 8.0.1 - Helios)
TortoiseSVN 1.9.3.27038 (64 bit) (HKLM\...\{2114A96B-51D7-4C45-B2E1-003562464D99}) (Version: 1.9.27038 - TortoiseSVN)
UserNotify (HKLM-x32\...\{83D4188F-6907-45CA-B73A-ABA4DA1FFFE0}) (Version: 1.00.0000 - Hewlett Packard)
Vegas Movie Studio HD Platinum 11.0 (HKLM-x32\...\{7E734C70-7F67-11E1-82AA-F04DA23A5C58}) (Version: 11.0.322 - Sony)
VFW_Codec32 (HKLM-x32\...\{32223B55-ECE6-4093-971B-D176C4A4C89A}) (Version: 0.1.160.0 - GoPro, Inc.) Hidden
VFW_Codec64 (HKLM\...\{C75FFC1A-4578-4D11-BC60-188BDD72A668}) (Version: 0.1.160.0 - GoPro, Inc.) Hidden
WD Drive Utilities (HKLM-x32\...\{E61CFDDA-40DD-4400-95CA-12819C50B5C2}) (Version: 1.1.0.51 - Western Digital Technologies, Inc.)
WD Quick View (HKLM-x32\...\{5AEBFB66-61FE-4833-ACE3-E966980E40D5}) (Version: 2.4.14.13 - Western Digital Technologies, Inc.)
WD Security (HKLM-x32\...\{919ADA61-13BF-43C4-A2DD-8BA49A244FC8}) (Version: 1.1.0.51 - Western Digital Technologies, Inc.)
WD SES Driver Setup (HKLM-x32\...\{924A274D-38B6-4930-8859-F3F51CFA8DDD}) (Version: 1.1.0.51 - Western Digital) Hidden
WD SmartWare (HKLM\...\{739778ED-D095-4725-BF78-ADFF96004C52}) (Version: 2.4.14.13 - Western Digital Technologies, Inc.)
WD SmartWare Installer (HKLM-x32\...\{e72369b3-306a-4d10-a766-3433a65e8dc2}) (Version: 2.4.14.13 - Western Digital Technologies, Inc.)
WinZip 11.2 (HKLM-x32\...\{CD95F661-A5C4-44F5-A6AA-ECDD91C240B6}) (Version: 11.2.8094 - WinZip Computing, S.L. )

========================= Memory info: ===================================

Percentage of memory in use: 18%
Total physical RAM: 16289.15 MB
Available physical RAM: 13350.84 MB
Total Virtual: 32576.48 MB
Available Virtual: 29491.34 MB

========================= Partitions: =====================================

1 Drive c: (OSDisk) (Fixed) (Total:335.35 GB) (Free:97.43 GB) NTFS

========================= Users: ========================================

User accounts for \\D9MQHJ72

Coffee                   SabreNTGuest            

**** End of log ****
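The "Installed Programs" block above is the part of an FRST Addition.txt that is most often skimmed and least often parsed. The following is an added example, not part of norberth's post and not FRST's own code: it turns those lines into records and applies three triage rules that are this example's own assumptions (per-user HKCU installs that needed no admin rights, entries with no publisher recorded, more than one Java runtime present). The sample input is six lines copied from the listing above.

```python
"""Parse the "Installed Programs" section of an FRST Addition.txt log.

Added example, not part of the post above and not FRST's own code. The
line format is taken from the listing above; the triage rules at the
bottom are this example's own assumptions about what deserves a second
look, not anything the thread states.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample: six lines copied from the listing above.
SAMPLE = r"""
64 Bit HP CIO Components Installer (HKLM\...\{5737101A-27C4-408A-8A57-D1DC78DF84B4}) (Version: 8.2.1 - Hewlett-Packard) Hidden
Canon MP Navigator EX 1.1 (HKLM-x32\...\MP Navigator EX 1.1) (Version:  - )
Google Chrome (HKCU\...\Google Chrome) (Version: 43.0.2357.81 - Google Inc.)
Java 7 Update 55 (HKLM-x32\...\{26A24AE4-039D-4CA4-87B4-2F83217055FF}) (Version: 7.0.550 - Oracle)
Java 8 Update 74 (64-bit) (HKLM\...\{26A24AE4-039D-4CA4-87B4-2F86418074F0}) (Version: 8.0.740.2 - Oracle Corporation)
Notepad++ (HKLM-x32\...\Notepad++) (Version: 6.8.8 - Notepad++ Team)
"""

# FRST layout: Name (Hive\...\Key) (Version: <version> - <publisher>) [Hidden]
LINE_RE = re.compile(
    r"^(?P<name>.+?) \((?P<hive>HKLM-x32|HKLM|HKCU)\\\.\.\.\\(?P<key>.+?)\) "
    r"\(Version: ?(?P<version>.*?) - ?(?P<publisher>.*?)\)(?P<hidden> Hidden)?$"
)


@dataclass(frozen=True)
class Program:
    name: str
    hive: str        # HKLM, HKLM-x32 (Wow6432Node) or HKCU (per-user install)
    key: str
    version: str
    publisher: str
    hidden: bool     # FRST marks entries hidden from Programs and Features


def parse_installed_programs(text: str) -> list[Program]:
    """Turn FRST 'Installed Programs' lines into records; other lines are skipped."""
    programs: list[Program] = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        programs.append(Program(
            name=m["name"].strip(),
            hive=m["hive"],
            key=m["key"],
            version=m["version"].strip(),
            publisher=m["publisher"].strip(),
            hidden=m["hidden"] is not None,
        ))
    return programs


def triage(programs: list[Program]) -> list[str]:
    """Assumed triage rules: HKCU installs, blank publishers, several Java runtimes."""
    findings: list[str] = []
    for p in programs:
        if p.hive == "HKCU":
            findings.append(f"per-user install (needs no admin rights): {p.name}")
        if not p.publisher:
            findings.append(f"no publisher recorded: {p.name}")
    javas = sorted(p.name for p in programs if p.name.startswith("Java "))
    if len(javas) > 1:
        findings.append("more than one Java runtime installed: " + ", ".join(javas))
    return findings


if __name__ == "__main__":
    for finding in triage(parse_installed_programs(SAMPLE)):
        print(finding)
```

Run against the full section above, the same rules single out GoToMeeting and Google Chrome as HKCU installs and the Canon, OpenAL and Cisco WebEx entries as having no publisher or version recorded; none of that is proof of anything on its own, but it is the list a helper would ask about first.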



#8 norberth (Topic Starter)

Posted 28 May 2016 - 11:10 AM

Hello again,

I took the liberty of scanning a few more files with creation date May 17 (potential infection date) using VirusTotal and got the following results:

C:\Users\sg0893158\AppData\Roaming\StatsManager\StatsManager.exe
https://www.virustotal.com/en/file/39f5b5fefa0c5ab71eb9e84073284b3140d1ac75e96421f39bbdbab31dcafb84/analysis/1464449739/

[That is the file found in a folder you wanted me to provide content of]

C:\Program Files\Emhvig\bsdpf64.sys
https://www.virustotal.com/en/file/c3024f562885c7a7c67ec8f4170f0925ef2079ea6761aa9d3de899c91a1005df/analysis/1464450168/

C:\Users\sg0893158\AppData\Roaming\Cittovfo\Opiayu.exe
https://www.virustotal.com/en/file/e0760e5944c88c9bcc4f6d1906f9072d4d68796d022ee24b0ebcbb809376c292/analysis/1464450423/

C:\Users\sg0893158\AppData\Roaming\Cittovfo\Cejlost.exe
https://www.virustotal.com/en/file/eaf016d9402b0dd83086a98488e5002b1d5a2e0aa9719a61d64373becce66655/analysis/1464450504/

C:\Users\sg0893158\AppData\Roaming\Cittovfo\Cejlost.dll
McAfee cleaned it up when I tried to upload it to VirusTotal, as it was infected with some Trojan (I did not note it down :()

I hope they may be helpful to you. They all seem no good.

------

One other observation which may be helpful with this investigation.

Before I contacted you for help, every time I encountered the fake Flash Update popup and had to close the browser I was running AdwCleaner, and it was always finding no problems except two registry keys:

***** [ Registry ] *****

Key Found : HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\bestpriceninja.com
Key Found : HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\pstatic.bestpriceninja.com

which were removed by AdwCleaner every time.

I found traces of pstatic.bestninja.com in the PlutoTV folder:

C:\Users\sg0893158\AppData\Roaming\PlutoTV\Local Storage>dir
 Volume in drive C is OSDisk
 Volume Serial Number is CA78-0EB0

 Directory of C:\Users\sg0893158\AppData\Roaming\PlutoTV\Local Storage

05/17/2016  11:25 PM    <DIR>          .
05/17/2016  11:25 PM    <DIR>          ..
05/18/2016  12:29 AM             5,120 https_d19tqk5t6qcjac.cloudfront.net_0.localstorage
05/18/2016  12:29 AM                 0 https_d19tqk5t6qcjac.cloudfront.net_0.localstorage-journal
05/17/2016  11:26 PM             3,072 https_static.cmptch.com_0.localstorage
05/17/2016  11:26 PM                 0 https_static.cmptch.com_0.localstorage-journal
05/18/2016  12:29 AM             3,072 https_target-talent.com_0.localstorage
05/18/2016  12:29 AM                 0 https_target-talent.com_0.localstorage-journal
05/18/2016  12:29 AM             3,072 https_v3x3b3b5.map2.ssl.hwcdn.net_0.localstorage
05/18/2016  12:29 AM                 0 https_v3x3b3b5.map2.ssl.hwcdn.net_0.localstorage-journal
05/18/2016  12:29 AM             3,072 http_pluto.tv_0.localstorage
05/18/2016  12:29 AM                 0 http_pluto.tv_0.localstorage-journal
05/18/2016  12:29 AM             3,072 http_pstatic.bestpriceninja.com_0.localstorage
05/18/2016  12:29 AM                 0 http_pstatic.bestpriceninja.com_0.localstorage-journal
05/18/2016  12:28 AM             3,072 http_q2u3z6t7.ssl.hwcdn.net_0.localstorage
05/18/2016  12:28 AM                 0 http_q2u3z6t7.ssl.hwcdn.net_0.localstorage-journal
              14 File(s)         23,552 bytes
               2 Dir(s)  104,360,148,992 bytes free

I do not know if it matters, but PlutoTV is definitely an unwanted program for me.


Edited by norberth, 28 May 2016 - 11:13 AM.
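The observation in the post above is the key pivot of this thread: the same advertising host turns up in IE's per-user DOMStorage registry keys (which AdwCleaner kept finding) and in the Local Storage folder of an Electron/Chromium-based application (PlutoTV). The following is an added example, not from norberth's post and not AdwCleaner or FRST code, that automates that correlation: it extracts hostnames from AdwCleaner's DOMStorage key lines, decodes the `<scheme>_<host>_<port>.localstorage` file names Chromium-based apps use, and reports the IE hosts whose registrable domain also appears in the app's storage. The inputs are the lines from the post above; the two-label "registrable domain" shortcut is an assumption that is good enough for .com/.net/.tv and would need a public-suffix list in general.

```python
"""Correlate web-storage origins between Internet Explorer and a Chromium/Electron app.

Added example, not part of the post above and not AdwCleaner's or FRST's own
code. Inputs are copied from the post; the registrable_domain() shortcut is an
assumption (no public-suffix list).
"""
import re

# AdwCleaner "Key Found" lines for IE's per-user DOM storage, from the post above.
ADW_LINES = r"""
Key Found : HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\bestpriceninja.com
Key Found : HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\pstatic.bestpriceninja.com
"""

# File names from the PlutoTV "Local Storage" listing above (one journal kept on purpose).
LS_FILES = """
https_d19tqk5t6qcjac.cloudfront.net_0.localstorage
https_d19tqk5t6qcjac.cloudfront.net_0.localstorage-journal
https_static.cmptch.com_0.localstorage
http_pluto.tv_0.localstorage
http_pstatic.bestpriceninja.com_0.localstorage
http_q2u3z6t7.ssl.hwcdn.net_0.localstorage
"""

# ...\DOMStorage\<host> at the end of the registry path
DOMSTORAGE_RE = re.compile(r"\\DOMStorage\\(?P<host>[^\\\s]+)\s*$")
# Chromium legacy Local Storage naming: <scheme>_<host>_<port>.localstorage (port 0 = default)
LOCALSTORAGE_RE = re.compile(r"^(?P<scheme>https?)_(?P<host>[^_]+)_(?P<port>\d+)\.localstorage$")


def ie_domstorage_hosts(text):
    """Hosts named in IE LowRegistry\\DOMStorage keys (AdwCleaner or FRST output)."""
    hosts = set()
    for line in text.splitlines():
        m = DOMSTORAGE_RE.search(line)
        if m:
            hosts.add(m["host"].lower())
    return hosts


def localstorage_origins(listing):
    """{(scheme, host, port)} from Local Storage file names; -journal files are skipped."""
    origins = set()
    for name in listing.split():
        m = LOCALSTORAGE_RE.match(name)
        if m:
            origins.add((m["scheme"], m["host"].lower(), int(m["port"])))
    return origins


def registrable_domain(host):
    # Assumption: last two labels are the registrable domain (no public-suffix list).
    return ".".join(host.split(".")[-2:])


def correlate(ie_hosts, origins):
    """IE storage hosts whose registrable domain also appears in the app's storage."""
    app_domains = {registrable_domain(host) for _, host, _ in origins}
    return {h for h in ie_hosts if registrable_domain(h) in app_domains}


if __name__ == "__main__":
    shared = correlate(ie_domstorage_hosts(ADW_LINES), localstorage_origins(LS_FILES))
    for host in sorted(shared):
        print("seen in both IE and the app:", host)
```

Because AdwCleaner deletes the DOMStorage keys and a fixlist entry for the PlutoTV folder moves it away, this kind of correlation only works if you collect both artifacts before cleaning; copy the Local Storage folder and the AdwCleaner report first if you want to keep the link between the popups and the program that brought them.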


#9 olgun52 (Malware Response Team)

Posted 29 May 2016 - 07:15 PM

Thank you. :thumbup2:

For PlutoTV;
Just my suggestion: you can use Revo Uninstaller for free; if you did not deliberately install this, it is safe to uninstall.

> I do not see SpaceSoundPro in the location you provided hence Revo Uninstaller cannot find it:

No problem. We can delete it.

> I see errors related to that program and it sounds like it could be some problem with disk encryption that company installed so this folder is not visible. Again, date for it is evening of May 17 which is when I suspect infection could have happened.
> I found traces of pstatic.bestninja.com in PlutoTV folder:
> I do not know if it matters but PlutoTV is definitely unwanted program for me.

I agree.

pstatic.bestninja.com
05/17/2016  11:24 PM    <DIR>          PlutoTV
2016-05-17 23:24 - 2016-05-17 23:24 - 00000000 ____D C:\Users\sg0893158\AppData\Roaming\PlutoTV

C:\Program Files\SpaceSoundPro ==>(Date: 2016-05-17 23:18:25.855)
and
PlutoTV

107.178.247.130 connect.facebook.net
127.0.0.1 down.baidu2016.com
127.0.0.1 123.sogou.com
127.0.0.1 www.czzsyzgm.com
127.0.0.1 www.czzsyzxl.com
127.0.0.1 union.baidu2019.com

========================================================================================
Please do the following;

Copy the below code to Notepad; Save As fixlist.txt to your Desktop.

CreateRestorePoint:
CloseProcesses:
Task: {5720874A-BCFF-4B3A-B9C7-C78FB6C3A181} - System32\Tasks\Pritc => C:\Users\sg0893158\AppData\Local\Temp\00010903\casrss.exe <==== ATTENTION
Reg: Reg Delete "HKLM\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg" /F
Reg: Reg Add "HKLM\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg" /F
C:\Program Files\SpaceSoundPro
C:\Program Files\SpaceSoundPro\SpaceSoundPro.dll 
Task: {6F49FC75-1670-4B76-A7AF-FB7EC3B581A7} - System32\Tasks\{7FDACE5D-2060-4A18-88FE-C735DC8426C0} => pcalua.exe -a "C:\Program Files\SpaceSoundPro\uninstaller.exe"
HKLM\...\Run: [Adobe ARM] => [X]
HKU\S-1-5-21-117609710-2025429265-725345543-68067\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
SearchScopes: HKLM -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
SearchScopes: HKLM-x32 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
BHO-x32: Java(tm) Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files (x86)\Java\jre7\bin\ssv.dll [2016-04-25] (Oracle Corporation)
BHO-x32: Java(tm) Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files (x86)\Java\jre7\bin\jp2ssv.dll [2016-04-25] (Oracle Corporation)
FF Plugin-x32: @java.com/DTPlugin,version=10.55.2 -> C:\Program Files (x86)\Java\jre7\bin\dtplugin\npDeployJava1.dll [2016-04-25] (Oracle Corporation)
FF Plugin-x32: @java.com/JavaPlugin,version=10.55.2 -> C:\Program Files (x86)\Java\jre7\bin\plugin2\npjp2.dll [2016-04-25] (Oracle Corporation)
FF Plugin-x32: Adobe Reader -> C:\Program Files (x86)\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll [2014-12-03] (Adobe Systems Inc.)
CHR HKLM\...\Chrome\Extension: [pilplloabdedfmialnfchjomjmpjcoej] - hxxps://clients2.google.com/service/update2/crx
CHR HKU\S-1-5-21-117609710-2025429265-725345543-68067\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [pilplloabdedfmialnfchjomjmpjcoej] - hxxps://clients2.google.com/service/update2/crx
C:\Users\sg0893158\AppData\Roaming\PlutoTV
CHR HKLM-x32\...\Chrome\Extension: [pilplloabdedfmialnfchjomjmpjcoej] - hxxps://clients2.google.com/service/update2/crx
HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\bestpriceninja.com
HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\pstatic.bestpriceninja.com
C:\Users\sg0893158\AppData\Roaming\Cittovfo\Opiayu.exe
C:\Users\sg0893158\AppData\Roaming\Cittovfo\Cejlost.exe
C:\Users\sg0893158\AppData\Roaming\Cittovfo\Cejlost.dll
U3 mfeavfk01; no ImagePath
U4 AdobeARMservice; no ImagePath
S3 VGPU; System32\drivers\rdvgkmd.sys [X]
C:\Users\sg0893158\AppData\Roaming\Cittovfo
C:\windows\System32\Tasks\Pritc
cmd: dir /s C:\Program Files\Emhvig
C:\Users\sg0893158\AppData\Local\PUTTY.RND
C:\Users\sg0893158\AppData\Local\Temp\57lORfAW88.exe
C:\Users\sg0893158\AppData\Local\Temp\61BE.tmp.exe
C:\Users\sg0893158\AppData\Local\Temp\F643MlLuyV.exe
C:\Users\sg0893158\AppData\Local\Temp\GNEkWqP5Nm.exe
C:\Users\sg0893158\AppData\Local\Temp\io4.exe
C:\Users\sg0893158\AppData\Local\Temp\libeay32.dll
C:\Users\sg0893158\AppData\Local\Temp\MSETUP4.EXE
C:\Users\sg0893158\AppData\Local\Temp\msvcr120.dll
C:\Users\sg0893158\AppData\Local\Temp\setup_ra.exe
C:\Users\sg0893158\AppData\Local\Temp\sqlite3.dll
C:\Users\sg0893158\AppData\Local\Temp\VTlh4htPaB.exe
C:\Users\sg0893158\AppData\Local\Temp\xmlUpdater.exe
C:\Users\sg0893158\AppData\Local\Temp\Y1DAP5TPH2.exe
CMD: netsh advfirewall reset
CMD: netsh advfirewall set allprofiles state on
CMD: ipconfig /flushdns
Hosts:
Emptytemp:

Close Notepad.

NOTE: It's important that both files, FRST64 and fixlist.txt are in the same location or the fix will not work.

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system

Run FRST64 and press the Fix button just once and wait.

If the tool needs a restart, please let the system restart normally and let the tool complete its run after the restart.

The tool will make a log on the Desktop (Fixlog.txt). Attach it to your reply.

Note: If the tool warns you about an outdated version please download and run the updated version.

====================================================================================

 

 

Please download AdwCleaner by Xplode and save to your Desktop.

  • Double click on AdwCleaner.exe to run the tool.
    Vista/Windows 7/8 users right-click and select Run As Administrator.
  • Click on the Scan button.
  • AdwCleaner will begin...be patient as the scan may take some time to complete.
  • After the scan has finished, click on the Report button...a logfile (AdwCleaner[R0].txt) will open in Notepad for review.
  • The contents of the log file may be confusing. Unless you see a program name that you know should not be removed, don't worry about it. If you see an entry you want to keep, let me know about it.
  • Copy and paste the contents of that logfile in your next reply.
  • Copies of all logfiles are saved in the C:\AdwCleaner folder, which was created when running the tool.

Any issues?


Best regards
 
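The hosts entries quoted in the reply above are worth a closer look than a flat "hosts file modified" finding gives them, because they are two different things: five names pointed at 127.0.0.1 are simply blocked, while connect.facebook.net pointed at a routable address means every page that loads Facebook's script on this machine is fetching it from somewhere else. The following is an added example, not part of olgun52's reply and not FRST code, that parses a hosts file and separates the two cases. The six entries are the ones quoted above; the comment and localhost lines are constructed so the parser has something to skip, and the block/redirect rule is this example's own rule of thumb.

```python
"""Triage a Windows hosts file for DNS tampering.

Added example, not part of the reply above and not FRST's own code. The six
suspect entries are the ones quoted above; the classification rule (loopback
or unspecified address = block, anything else = redirect) is this example's
own assumption.
"""
import ipaddress

# Constructed input: the six entries quoted above, plus a comment and the
# default localhost line so the parser has something to skip.
HOSTS_EXCERPT = """
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
107.178.247.130 connect.facebook.net
127.0.0.1 down.baidu2016.com
127.0.0.1 123.sogou.com
127.0.0.1 www.czzsyzgm.com
127.0.0.1 www.czzsyzxl.com
127.0.0.1 union.baidu2019.com
"""

# Names that belong in a hosts file by default and are not findings.
LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}


def parse_hosts(text):
    """Return (ip_address, hostname) pairs; comments, blanks and unparsable lines are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop trailing and full-line comments
        if not line:
            continue
        addr, *names = line.split()
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            continue                            # not an IP in the first column
        for name in names:
            entries.append((ip, name.lower()))
    return entries


def classify(entries):
    """Split entries into 'local' (expected), 'block' (sinkholed) and 'redirect' (suspicious)."""
    result = {"local": [], "block": [], "redirect": []}
    for ip, name in entries:
        if name in LOCAL_NAMES:
            result["local"].append((str(ip), name))
        elif ip.is_loopback or ip.is_unspecified:
            # 127.x / ::1 / 0.0.0.0: the name is blocked, not redirected.
            result["block"].append((str(ip), name))
        else:
            # Any other address overrides DNS for this name; a private address
            # (e.g. the router) deserves the same scrutiny as a public one.
            result["redirect"].append((str(ip), name))
    return result


if __name__ == "__main__":
    for kind, items in classify(parse_hosts(HOSTS_EXCERPT)).items():
        for ip, name in items:
            print(f"{kind:8} {ip:16} {name}")
```

Note that the `Hosts:` directive in the fixlist above replaces the whole file with a clean default, which removes both kinds of entry at once; if you want the redirect target for a later look-up, copy `C:\Windows\System32\drivers\etc\hosts` before running the fix.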

 


 


#10 norberth (Topic Starter)

Posted 30 May 2016 - 07:37 PM

Yilmaz,

as per your instructions I executed the fixlist.txt script, and below is the output of that run:

Fix result of Farbar Recovery Scan Tool (x64) Version:29-05-2016 02
Ran by SG0893158 (2016-05-30 16:21:04) Run:1
Running from C:\Users\Public\Documents\Downloads
Loaded Profiles: SG0893158 (Available Profiles: SG0893158 & Coffee & DefaultAppPool)
Boot Mode: Normal
==============================================

fixlist content:
*****************
[I removed it as it was causing problems with pasting or even attaching this file to the Forum, not sure why, perhaps due to some character encoding stuff, but that is where your script would go]
*****************

Restore point was successfully created.
Processes closed successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon\{5720874A-BCFF-4B3A-B9C7-C78FB6C3A181}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{5720874A-BCFF-4B3A-B9C7-C78FB6C3A181}" => key removed successfully
C:\windows\System32\Tasks\Pritc => moved successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Pritc" => key removed successfully

========= Reg Delete "HKLM\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg" /F =========

The operation completed successfully.

========= End of Reg: =========

========= Reg Add "HKLM\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg" /F =========

The operation completed successfully.

========= End of Reg: =========

"C:\Program Files\SpaceSoundPro" => not found.
"C:\Program Files\SpaceSoundPro\SpaceSoundPro.dll" => not found.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{6F49FC75-1670-4B76-A7AF-FB7EC3B581A7}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{6F49FC75-1670-4B76-A7AF-FB7EC3B581A7}" => key removed successfully
C:\windows\System32\Tasks\{7FDACE5D-2060-4A18-88FE-C735DC8426C0} => moved successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\{7FDACE5D-2060-4A18-88FE-C735DC8426C0}" => key removed successfully
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\\Adobe ARM => value removed successfully
"HKU\S-1-5-21-117609710-2025429265-725345543-68067\SOFTWARE\Policies\Microsoft\Internet Explorer" => key removed successfully
HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => value restored successfully
HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => value restored successfully
"HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}" => key removed successfully
"HKCR\Wow6432Node\CLSID\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}" => key removed successfully
"HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}" => key removed successfully
"HKCR\Wow6432Node\CLSID\{DBC80044-A445-435b-BC74-9C25C1C588A9}" => key removed successfully
"HKLM\Software\Wow6432Node\MozillaPlugins\@java.com/DTPlugin,version=10.55.2" => key removed successfully
C:\Program Files (x86)\Java\jre7\bin\dtplugin\npDeployJava1.dll => moved successfully
"HKLM\Software\Wow6432Node\MozillaPlugins\@java.com/JavaPlugin,version=10.55.2" => key removed successfully
C:\Program Files (x86)\Java\jre7\bin\plugin2\npjp2.dll => moved successfully
"HKLM\Software\Wow6432Node\MozillaPlugins\Adobe Reader" => key removed successfully
C:\Program Files (x86)\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll => moved successfully
"HKLM\SOFTWARE\Google\Chrome\Extensions\pilplloabdedfmialnfchjomjmpjcoej" => key removed successfully
"HKU\S-1-5-21-117609710-2025429265-725345543-68067\SOFTWARE\Google\Chrome\Extensions\pilplloabdedfmialnfchjomjmpjcoej" => key removed successfully
C:\Users\sg0893158\AppData\Roaming\PlutoTV => moved successfully
"HKLM\SOFTWARE\Wow6432Node\Google\Chrome\Extensions\pilplloabdedfmialnfchjomjmpjcoej" => key removed successfully
HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\bestpriceninja.com => Error: No automatic fix found for this entry.
HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\pstatic.bestpriceninja.com => Error: No automatic fix found for this entry.
C:\Users\sg0893158\AppData\Roaming\Cittovfo\Opiayu.exe => moved successfully
C:\Users\sg0893158\AppData\Roaming\Cittovfo\Cejlost.exe => moved successfully
"C:\Users\sg0893158\AppData\Roaming\Cittovfo\Cejlost.dll" => not found.
mfeavfk01 => service removed successfully
AdobeARMservice => service removed successfully
VGPU => service removed successfully
C:\Users\sg0893158\AppData\Roaming\Cittovfo => moved successfully
"C:\windows\System32\Tasks\Pritc" => not found.

=========  dir /s C:\Program Files\Emhvig =========

The system cannot find the file specified.

========= End of CMD: =========

C:\Users\sg0893158\AppData\Local\PUTTY.RND => moved successfully
C:\Users\sg0893158\AppData\Local\Temp\57lORfAW88.exe => moved successfully
C:\Users\sg0893158\AppData\Local\Temp\61BE.tmp.exe => moved successfully
C:\Users\sg0893158\AppData\Local\Temp\F643MlLuyV.exe => moved successfully
C:\Users\sg0893158\AppData\Local\Temp\GNEkWqP5Nm.exe => moved successfully
C:\Users\sg0893158\AppData\Local\Temp\io4.exe => moved successfully
C:\Users\sg0893158\AppData\Local\Temp\libeay32.dll => moved successfully
C:\Users\sg0893158\AppData\Local\Temp\MSETUP4.EXE => moved successfully
C:\Users\sg0893158\AppData\Local\Temp\msvcr120.dll => moved successfully
C:\Users\sg0893158\AppData\Local\Temp\setup_ra.exe => moved successfully
C:\Users\sg0893158\AppData\Local\Temp\sqlite3.dll => moved successfully
C:\Users\sg0893158\AppData\Local\Temp\VTlh4htPaB.exe => moved successfully
C:\Users\sg0893158\AppData\Local\Temp\xmlUpdater.exe => moved successfully
C:\Users\sg0893158\AppData\Local\Temp\Y1DAP5TPH2.exe => moved successfully

=========  netsh advfirewall reset =========

Ok.

========= End of CMD: =========

=========  netsh advfirewall set allprofiles state on =========

Ok.

========= End of CMD: =========

=========  ipconfig /flushdns =========

Windows IP Configuration

Successfully flushed the DNS Resolver Cache.

========= End of CMD: =========

C:\Windows\System32\Drivers\etc\hosts => moved successfully
Hosts restored successfully.
EmptyTemp: => 1.4 GB temporary data Removed.

The system needed a reboot.

==== End of Fixlog 16:21:37 ====

 

 

I am not sure about this line:

=========  dir /s C:\Program Files\Emhvig =========

The system cannot find the file specified.

Perhaps in the script we should have used quotes:

=========  dir /s C:\"Program Files"\Emhvig =========

Spaces mess that command up, as this folder definitely exists:

C:\Users\sg0893158>dir /s C:\"Program Files"\Emhvig
 Volume in drive C is OSDisk
 Volume Serial Number is CA78-0EB0

 Directory of C:\Program Files\Emhvig

05/17/2016  11:34 PM    <DIR>          .
05/17/2016  11:34 PM    <DIR>          ..
05/17/2016  11:15 PM            27,456 bsdpf64.sys
               1 File(s)         27,456 bytes

     Total Files Listed:
               1 File(s)         27,456 bytes
               2 Dir(s)  106,329,690,112 bytes free

Please let me know what we need to do with that. Perhaps re-run it with corrected path?

 

--------

 

I also downloaded and ran AdwCleaner. It found only 3 registry keys, which I removed by choosing the Clean option. The log file is below.

# AdwCleaner v5.119 - Logfile created 30/05/2016 at 16:26:55
# Updated 30/05/2016 by Xplode
# Database : 2016-05-30.3 [Server]
# Operating system : Windows 7 Enterprise Service Pack 1 (X64)
# Username : SG0893158 - D9MQHJ72
# Running from : C:\Users\Public\Documents\Downloads\AdwCleaner.exe
# Option : Clean
# Support : http://toolslib.net/forum

***** [ Services ] *****

***** [ Folders ] *****

***** [ Files ] *****

***** [ DLLs ] *****

***** [ WMI ] *****

***** [ Shortcuts ] *****

***** [ Scheduled tasks ] *****

***** [ Registry ] *****

[-] Key Deleted : HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\bestpriceninja.com
[-] Key Deleted : HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\pstatic.bestpriceninja.com
[-] Key Deleted : HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\softonic.com

***** [ Web browsers ] *****

*************************

:: "Tracing" keys deleted
:: Winsock settings cleared

*************************

C:\AdwCleaner\AdwCleaner[C1].txt - [8392 bytes] - [18/05/2016 00:24:25]
C:\AdwCleaner\AdwCleaner[C2].txt - [4113 bytes] - [24/05/2016 09:30:07]
C:\AdwCleaner\AdwCleaner[C3].txt - [1626 bytes] - [25/05/2016 00:45:16]
C:\AdwCleaner\AdwCleaner[C4].txt - [1772 bytes] - [25/05/2016 00:49:02]
C:\AdwCleaner\AdwCleaner[C5].txt - [2138 bytes] - [25/05/2016 01:05:52]
C:\AdwCleaner\AdwCleaner[C6].txt - [2285 bytes] - [25/05/2016 14:55:53]
C:\AdwCleaner\AdwCleaner[C7].txt - [2432 bytes] - [27/05/2016 06:43:21]
C:\AdwCleaner\AdwCleaner[C8].txt - [2727 bytes] - [27/05/2016 14:33:52]
C:\AdwCleaner\AdwCleaner[C9].txt - [1637 bytes] - [30/05/2016 16:26:55]
C:\AdwCleaner\AdwCleaner[S10].txt - [1965 bytes] - [25/05/2016 01:04:52]
C:\AdwCleaner\AdwCleaner[S11].txt - [2112 bytes] - [25/05/2016 14:48:30]
C:\AdwCleaner\AdwCleaner[S12].txt - [2259 bytes] - [27/05/2016 06:42:25]
C:\AdwCleaner\AdwCleaner[S13].txt - [2204 bytes] - [27/05/2016 06:49:19]
C:\AdwCleaner\AdwCleaner[S14].txt - [2480 bytes] - [27/05/2016 06:51:07]
C:\AdwCleaner\AdwCleaner[S15].txt - [2554 bytes] - [27/05/2016 14:32:57]
C:\AdwCleaner\AdwCleaner[S16].txt - [2786 bytes] - [30/05/2016 16:25:39]
C:\AdwCleaner\AdwCleaner[S1].txt - [10080 bytes] - [18/05/2016 00:22:44]
C:\AdwCleaner\AdwCleaner[S2].txt - [4532 bytes] - [24/05/2016 09:29:23]
C:\AdwCleaner\AdwCleaner[S3].txt - [1103 bytes] - [24/05/2016 11:07:43]
C:\AdwCleaner\AdwCleaner[S4].txt - [1177 bytes] - [24/05/2016 13:49:12]
C:\AdwCleaner\AdwCleaner[S5].txt - [1452 bytes] - [25/05/2016 00:43:41]
C:\AdwCleaner\AdwCleaner[S6].txt - [1598 bytes] - [25/05/2016 00:48:03]
C:\AdwCleaner\AdwCleaner[S7].txt - [1542 bytes] - [25/05/2016 00:50:38]
C:\AdwCleaner\AdwCleaner[S8].txt - [1817 bytes] - [25/05/2016 00:57:38]
C:\AdwCleaner\AdwCleaner[S9].txt - [1890 bytes] - [25/05/2016 01:01:12]

########## EOF - C:\AdwCleaner\AdwCleaner[C9].txt - [2886 bytes] ##########

 

Looking forward to hearing back from you.

 

 


Edited by norberth, 30 May 2016 - 07:41 PM.


#11 olgun52

olgun52

  • Malware Response Team
  • 3,784 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:10:09 AM

Posted 31 May 2016 - 04:18 PM

Sorry, I guess there is a problem after the fixlist run. If you have problems, we can fix them.
You can do the following actions:

Restore From Backup:

C:\FRST\ERDNT

You can run the ERDNT folder as an administrator. The backup files will be installed back.

How is it now, any issues?


Best regards
If you wish to show appreciation and support me personally fighting against malware, then you can consider a donation. Thank you.
Malware fix forum
If I don't reply within 24 hours please PM me!

 


 


#12 norberth

norberth
  • Topic Starter

  • Members
  • 44 posts
  • OFFLINE
  •  
  • Local time:01:09 AM

Posted 31 May 2016 - 05:26 PM

What do you mean? What problem are you referring to? Do you see something in the fixlist.txt?

 

What I meant was that part of the fixlist.txt (where your script was included) has some encoded characters that the forum did not like, so I had to remove it from the post.

 

Also, path to Emhvig folder should have quotes to clean that up.

 

=========  dir /s C:\Program Files\Emhvig =========

The system cannot find the file specified.

Perhaps in the script we should have used quotes:

=========  dir /s C:\"Program Files"\Emhvig =========

 

Do you want me to restore from backup? If so why?



#13 norberth

norberth
  • Topic Starter

  • Members
  • 44 posts
  • OFFLINE
  •  
  • Local time:01:09 AM

Posted 31 May 2016 - 05:32 PM

I checked and I do not see

C:\FRST\ERDNT

folder so not sure how the restore would work.



#14 olgun52

olgun52

  • Malware Response Team
  • 3,784 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:10:09 AM

Posted 31 May 2016 - 07:27 PM

Do you want me to restore from backup? If so why?
I guess I had not noticed what you said:
---------------------------------
Perhaps in the script we should have used quotes

I do not fully understand what you want to tell me.

----------------------------------


Best regards

 


 


#15 norberth

norberth
  • Topic Starter

  • Members
  • 44 posts
  • OFFLINE
  •  
  • Local time:01:09 AM

Posted 31 May 2016 - 09:43 PM

To answer your question the best I can in plain English:

 

1. Is there something wrong with my system after running the fixlist.txt script? Why do you want me to restore from backup? I am afraid there is no backup; the folder C:\FRST\ERDNT does not exist.

 

2. In your script (fixlist.txt) you have line that says:

=========  dir /s C:\Program Files\Emhvig =========

Executing it resulted in an error: 

The system cannot find the file specified.

 

I think that is because there is a space in the name of the folder Program Files.

If we used:

=========  dir /s C:\"Program Files"\Emhvig =========

(Program Files in quotes)

it would work and fix the virus in the Emhvig folder.

 

What do we do next?
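An added example, not part of the thread or of FRST, written from the helper's side: it runs the lookup on the quoted path so the space no longer splits it, and lists the signature status and hash of whatever the folder holds, plus any driver or service entry that points there. It assumes PowerShell 4 or later and the folder path reported above; adjust $Target for another machine.

```powershell
# Added example (not from the thread or FRST). Assumes PowerShell 4+ and the
# folder path the thread reports; $Target is the only value to adjust.
$Target = 'C:\Program Files\Emhvig'

# cmd.exe splits  dir /s C:\Program Files\Emhvig  at the space, so dir searches
# for C:\Program and Files\Emhvig separately and reports "file not found".
# In cmd the fix is  dir /s "C:\Program Files\Emhvig"  (or C:\"Program Files"\Emhvig,
# as in the thread); in PowerShell a single string argument keeps the path whole.
if (-not (Test-Path -LiteralPath $Target)) {
    Write-Output "Folder not present: $Target"
    return
}

# One row per file: size, timestamps, SHA-256 and Authenticode status, which is
# what a helper wants before deciding how to handle an unfamiliar .sys file.
Get-ChildItem -LiteralPath $Target -Recurse -Force -File | ForEach-Object {
    $sig = Get-AuthenticodeSignature -FilePath $_.FullName
    [PSCustomObject]@{
        File      = $_.FullName
        SizeBytes = $_.Length
        Created   = $_.CreationTime
        Modified  = $_.LastWriteTime
        SHA256    = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
        Signature = $sig.Status            # Valid, NotSigned, HashMismatch, ...
        Signer    = $sig.SignerCertificate.Subject
    }
}

# Does any registered kernel driver or service load a file from this folder?
# A driver entry pointing at a random-named Program Files folder is worth a
# closer look; the output here is what you would paste back into the thread.
Get-CimInstance -ClassName Win32_SystemDriver |
    Where-Object { $_.PathName -like "*$([System.IO.Path]::GetFileName($Target))*" } |
    Select-Object Name, State, StartMode, PathName

Get-CimInstance -ClassName Win32_Service |
    Where-Object { $_.PathName -like "*$([System.IO.Path]::GetFileName($Target))*" } |
    Select-Object Name, State, StartMode, PathName
```

Run it from an elevated PowerShell prompt so the driver and service queries return full path information.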





