
VIRUS GAMELOFT.NAME


  • This topic is locked
34 replies to this topic

#1 Raviel

Raviel

  • Members
  • 23 posts
  • OFFLINE
  • Local time:01:39 PM

Posted 14 June 2016 - 11:59 AM

Hi guys. Every time I start my PC, while browsing I am automatically taken to the site written in the topic title. I use every program like RKill, Malwarebytes and Farbar, but the virus still exists. What can I do?

 

I leave you some logs on attach files.

Attached Files




#2 olgun52

olgun52

  • Malware Response Team
  • 3,784 posts
  • OFFLINE
  • Gender:Male
  • Local time:03:39 PM

Posted 14 June 2016 - 12:02 PM

Hello Raviel and welcome to BleepingComputer. :welcome:
My name is Yılmaz and I'll help you with the cleanup of malware from your computer.

Before we move on, please read the following points carefully.
  • Please complete all steps in the specified order.
  • Even if tools don't find malware, I want you to post the logfiles anyway.
  • Please copy and paste the logfiles directly into your posts. Please do not attach them unless you are instructed to do so.
  • Read the instructions carefully. If you have problems, stop what you  were doing and describe the problems you encountered as precisely as  you can.
  • Don't install or uninstall software during the cleanup unless you are told to do so.
  • Ensure your external and/or USB drives are always inserted during the scan.
  • If you can't answer for the next few days, please let me know. If you haven't answered within 5 days, I will assume that you don't need help anymore and your topic will be closed.
  • If you have illegal/cracked software, cracks, keygens, etc. on the system, please remove or uninstall them now!
  • I cannot guarantee that we will find and be able to remove all malware. The cleaning process is not instant. Please continue to review my answers until I tell you that your computer is clean.
  • Please reply to this thread. Do not start a new topic.
  • As my first language is not English, please do not use slang or idioms. It could be hard for me to understand.
  • Please log on to the computer as an administrator. How do I log on to the computer as an administrator?
  • Disable your AntiVirus and AntiSpyware applications, as they will interfere with our tools and the removal. If you are unsure how to do this, please refer to the help here
Thanks
    
I am currently reviewing your log. I will be back with a fix for your problem as soon as possible. Please be patient with me during this time.
 
Sincerely
:hello:

Best regards
 
paypal.gif
If you wish to show appreciation and support me personally fighting against malware, then you can consider a donation. Thank you. :thumbup2:
Malware fix forum
If I don't reply within 24 hours please PM me!

 


 


#3 Raviel

Raviel
  • Topic Starter

  • Members
  • 23 posts
  • OFFLINE
  • Local time:01:39 PM

Posted 14 June 2016 - 12:24 PM

Ok, thanks.



#4 olgun52

olgun52

  • Malware Response Team
  • 3,784 posts
  • OFFLINE
  • Gender:Male
  • Local time:03:39 PM

Posted 14 June 2016 - 12:55 PM


Do you use the software Pokki?

Best regards
 

 


 


#5 Raviel

Raviel
  • Topic Starter

  • Members
  • 23 posts
  • OFFLINE
  • Local time:01:39 PM

Posted 14 June 2016 - 01:29 PM

Do you use the software Pokki?

No, and I don't know what it is.



#6 olgun52

olgun52

  • Malware Response Team
  • 3,784 posts
  • OFFLINE
  • Gender:Male
  • Local time:03:39 PM

Posted 14 June 2016 - 01:41 PM

Okay.

Using Programs and Features in the Control Panel, uninstall the following:
Host App Service
Menu Start
Pokki

and restart the PC now.
========================================================================================

Run FRST fixlist

  • Please open notepad (Start > All Programs > Accessories > Notepad)
  • Copy the entire contents of the code box below (Do not copy the word 'code') to Notepad.
  • Save it to the Desktop, and name it: fixlist.txt
CreateRestorePoint:
CloseProcesses:
Task: {6F331EE7-D352-4B2E-ADCB-9D1F7D46162D} - System32\Tasks\MS => hxxp://gangnamgame.org
Task: {5D126B04-EA76-4ADC-B9DD-829A414382F4} - System32\Tasks\SweetLabs App Platform => C:\Users\FiorellaT\AppData\Local\SweetLabs App Platform\Engine\ServiceHostAppUpdater.exe [2016-04-14] (Pokki)
AlternateDataStreams: C:\Windows:nlsPreferences [386]
AlternateDataStreams: C:\WINDOWS\system32\Drivers\gatyinwp.sys:changelist [358]
(Pokki) C:\Users\FiorellaT\AppData\Local\SweetLabs App Platform\Engine\ServiceHostAppUpdater.exe
(Pokki) C:\Users\FiorellaT\AppData\Local\SweetLabs App Platform\Engine\ServiceHostApp.exe
(Pokki) C:\Users\FiorellaT\AppData\Local\SweetLabs App Platform\Engine\ServiceHostApp.exe
(Pokki) C:\Users\FiorellaT\AppData\Local\SweetLabs App Platform\Engine\ServiceStartMenuIndexer.exe
Reg: Reg Delete "HKLM\SOFTWARE\Microsoft\Shared Tools\MSConfig\services" /F
Reg: Reg Add "HKLM\SOFTWARE\Microsoft\Shared Tools\MSConfig\services" /F
HKU\S-1-5-21-281948597-1283091499-4118563720-1001\...\MountPoints2: {4d939fa8-1fcd-11e5-83d4-28e347c1d904} - "F:\setup.EXE" /AUTORUN
HKU\S-1-5-21-281948597-1283091499-4118563720-1001\...\MountPoints2: {71821881-bdda-11e5-8431-201a06aaf3c8} - "F:\Setup.exe"
ShellIconOverlayIdentifiers: [ OneDrive1] -> {BBACC218-34EA-4666-9D7A-C78F2274A524} =>  No File
ShellIconOverlayIdentifiers: [ OneDrive2] -> {5AB7172C-9C11-405C-8DD5-AF20F3606282} =>  No File
ShellIconOverlayIdentifiers: [ OneDrive3] -> {A78ED123-AB77-406B-9962-2A5D9D2F7F30} =>  No File
ShellIconOverlayIdentifiers: [ OneDrive4] -> {F241C880-6982-4CE5-8CF7-7085BA96DA5A} =>  No File
ShellIconOverlayIdentifiers: [ OneDrive5] -> {A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E} =>  No File
ShellIconOverlayIdentifiers: [ SkyDrive1] -> {F241C880-6982-4CE5-8CF7-7085BA96DA5A} =>  No File
ShellIconOverlayIdentifiers: [ SkyDrive2] -> {A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E} =>  No File
ShellIconOverlayIdentifiers: [ SkyDrive3] -> {BBACC218-34EA-4666-9D7A-C78F2274A524} =>  No File
FF Plugin: @esn/npbattlelog,version=2.5.1 -> C:\Program Files (x86)\Battlelog Web Plugins\2.5.1\npbattlelogx64.dll [No File]
FF Plugin: @esn/npbattlelog,version=2.6.2 -> C:\Program Files (x86)\Battlelog Web Plugins\2.6.2\npbattlelogx64.dll [No File]
FF Plugin-x32: @esn/npbattlelog,version=2.5.1 -> C:\Program Files (x86)\Battlelog Web Plugins\2.5.1\npbattlelog.dll [No File]
FF Plugin-x32: @esn/npbattlelog,version=2.6.2 -> C:\Program Files (x86)\Battlelog Web Plugins\2.6.2\npbattlelog.dll [No File]
CHR HKLM\...\Chrome\Extension: [flliilndjeohchalpbbcdekjklbdgfkk] - hxxps://clients2.google.com/service/update2/crx
CHR HKLM-x32\...\Chrome\Extension: [flliilndjeohchalpbbcdekjklbdgfkk] - hxxps://clients2.google.com/service/update2/crx
C:\Users\FiorellaT\Desktop\Thumbs.db
C:\Users\FiorellaT\Downloads\Thumbs.db
C:\WINDOWS\Tasks\CreateExplorerShellUnelevatedTask.job
Folder: C:\WINDOWS\4E0C6314A8B84026AC15084E8B63AFB5.TMP
C:\ProgramData\DP45977C.lfl
CMD: netsh advfirewall reset
CMD: netsh advfirewall set allprofiles state on
CMD: ipconfig /flushdns
Emptytemp:

NOTICE: This script is written specifically for this computer!!!

  • Running this on another computer may cause damage to the Operating System.
  • Now, please run FRST, and press the Fix button, just once, and wait.
  • When done, the tool creates a report on the Desktop called: Fixlog.txt

>> Please post the Fixlog.txt in your reply.

===============================================================================

Scan with Malwarebytes Antimalware:

Please download Malwarebytes Anti-Malware to your desktop.

  • Double-click the downloaded setup file and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to the following:
  • Launch Malwarebytes Anti-Malware
  • A 14 day trial of the Premium features is pre-selected. You may deselect this if you wish, and it will not diminish the scanning and removal capabilities of the program.
  • Click Finish.

If the program is already installed:

  • Run Malwarebytes Antimalware
  • On the Dashboard, click the 'Update Now >>' link
  • After the update completes, click the 'Scan Now >>' button.
  • Or, on the Dashboard, click the Scan Now >> button.
  • If an update is available, click the Update Now button.
  • A Threat Scan will begin.
  • When the scan is complete, if there have been detections, click Apply Actions to allow MBAM to clean what was detected.
  • In most cases, a restart will be required.
  • Wait for the prompt to restart the computer to appear, then click on Yes.
  • After the restart once you are back at your desktop, open MBAM once more.
  • Click on the History tab > Application Logs.
  • Double click on the scan log which shows the Date and time of the scan just performed.
  • Click 'Copy to Clipboard'
  • Paste the contents of the clipboard into your reply

 

 


Best regards
 

 


 


#7 Raviel

Raviel
  • Topic Starter

  • Members
  • 23 posts
  • OFFLINE
  • Local time:01:39 PM

Posted 14 June 2016 - 02:30 PM

NOTE:

- I don't see these 3 programs on my PC, so I think they are removed.

- I'm not able to activate the Windows Firewall.

 

MBAM LOG:

Malwarebytes Anti-Malware
www.malwarebytes.org
 
 
Protection, 14/06/2016 20:56, SYSTEM, FIORELLA, Protection, Malware Protection, Starting, 
Protection, 14/06/2016 20:56, SYSTEM, FIORELLA, Protection, Malware Protection, Started, 
Protection, 14/06/2016 20:56, SYSTEM, FIORELLA, Protection, Malicious Website Protection, Starting, 
Protection, 14/06/2016 20:56, SYSTEM, FIORELLA, Protection, Malicious Website Protection, Started, 
Update, 14/06/2016 20:57, SYSTEM, FIORELLA, Manual, Remediation Database, 2016.2.12.1, 2016.5.25.1, 
Update, 14/06/2016 20:57, SYSTEM, FIORELLA, Manual, Rootkit Database, 2016.2.8.1, 2016.5.27.1, 
Update, 14/06/2016 20:57, SYSTEM, FIORELLA, Manual, IP Database, 2016.2.8.1, 2016.6.14.2, 
Update, 14/06/2016 20:57, SYSTEM, FIORELLA, Manual, Domain Database, 2016.2.16.8, 2016.6.14.5, 
Update, 14/06/2016 20:57, SYSTEM, FIORELLA, Manual, Malware Database, 2016.2.16.6, 2016.6.14.4, 
Protection, 14/06/2016 20:57, SYSTEM, FIORELLA, Protection, Refresh, Starting, 
Protection, 14/06/2016 20:57, SYSTEM, FIORELLA, Protection, Malicious Website Protection, Stopping, 
Protection, 14/06/2016 20:57, SYSTEM, FIORELLA, Protection, Malicious Website Protection, Stopped, 
Protection, 14/06/2016 20:57, SYSTEM, FIORELLA, Protection, Refresh, Success, 
Protection, 14/06/2016 20:57, SYSTEM, FIORELLA, Protection, Malicious Website Protection, Starting, 
Protection, 14/06/2016 20:57, SYSTEM, FIORELLA, Protection, Malicious Website Protection, Started, 
Scan, 14/06/2016 21:24, SYSTEM, FIORELLA, Context, Inizio: 14/06/2016 20:57, Durata: 23 min 1 40 sec, Ricerca elementi nocivi, Completata, 0 malware rilevati, 33 "non-malware" rilevati, 
Scan, 14/06/2016 21:25, SYSTEM, FIORELLA, Manual, Inizio: 14/06/2016 21:24, Durata: 0 min 1 17 sec, Ricerca elementi nocivi, Annullata, 0 malware rilevati, 0 "non-malware" rilevati, 
 
(end)
 
FRST LOG:
Fix result of Farbar Recovery Scan Tool (x64) Version:13-06-2016
Ran by FiorellaT (2016-06-14 20:49:53) Run:1
Running from C:\Users\FiorellaT\Desktop
Loaded Profiles: FiorellaT (Available Profiles: FiorellaT)
Boot Mode: Normal
==============================================
 
fixlist content:
*****************
CreateRestorePoint:
CloseProcesses:
Task: {6F331EE7-D352-4B2E-ADCB-9D1F7D46162D} - System32\Tasks\MS => hxxp://gangnamgame.org
Task: {5D126B04-EA76-4ADC-B9DD-829A414382F4} - System32\Tasks\SweetLabs App Platform => C:\Users\FiorellaT\AppData\Local\SweetLabs App Platform\Engine\ServiceHostAppUpdater.exe [2016-04-14] (Pokki)
AlternateDataStreams: C:\Windows:nlsPreferences [386]
AlternateDataStreams: C:\WINDOWS\system32\Drivers\gatyinwp.sys:changelist [358]
(Pokki) C:\Users\FiorellaT\AppData\Local\SweetLabs App Platform\Engine\ServiceHostAppUpdater.exe
(Pokki) C:\Users\FiorellaT\AppData\Local\SweetLabs App Platform\Engine\ServiceHostApp.exe
(Pokki) C:\Users\FiorellaT\AppData\Local\SweetLabs App Platform\Engine\ServiceHostApp.exe
(Pokki) C:\Users\FiorellaT\AppData\Local\SweetLabs App Platform\Engine\ServiceStartMenuIndexer.exe
Reg: Reg Delete "HKLM\SOFTWARE\Microsoft\Shared Tools\MSConfig\services" /F
Reg: Reg Add "HKLM\SOFTWARE\Microsoft\Shared Tools\MSConfig\services" /F
HKU\S-1-5-21-281948597-1283091499-4118563720-1001\...\MountPoints2: {4d939fa8-1fcd-11e5-83d4-28e347c1d904} - "F:\setup.EXE" /AUTORUN
HKU\S-1-5-21-281948597-1283091499-4118563720-1001\...\MountPoints2: {71821881-bdda-11e5-8431-201a06aaf3c8} - "F:\Setup.exe"
ShellIconOverlayIdentifiers: [ OneDrive1] -> {BBACC218-34EA-4666-9D7A-C78F2274A524} =>  No File
ShellIconOverlayIdentifiers: [ OneDrive2] -> {5AB7172C-9C11-405C-8DD5-AF20F3606282} =>  No File
ShellIconOverlayIdentifiers: [ OneDrive3] -> {A78ED123-AB77-406B-9962-2A5D9D2F7F30} =>  No File
ShellIconOverlayIdentifiers: [ OneDrive4] -> {F241C880-6982-4CE5-8CF7-7085BA96DA5A} =>  No File
ShellIconOverlayIdentifiers: [ OneDrive5] -> {A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E} =>  No File
ShellIconOverlayIdentifiers: [ SkyDrive1] -> {F241C880-6982-4CE5-8CF7-7085BA96DA5A} =>  No File
ShellIconOverlayIdentifiers: [ SkyDrive2] -> {A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E} =>  No File
ShellIconOverlayIdentifiers: [ SkyDrive3] -> {BBACC218-34EA-4666-9D7A-C78F2274A524} =>  No File
FF Plugin: @esn/npbattlelog,version=2.5.1 -> C:\Program Files (x86)\Battlelog Web Plugins\2.5.1\npbattlelogx64.dll [No File]
FF Plugin: @esn/npbattlelog,version=2.6.2 -> C:\Program Files (x86)\Battlelog Web Plugins\2.6.2\npbattlelogx64.dll [No File]
FF Plugin-x32: @esn/npbattlelog,version=2.5.1 -> C:\Program Files (x86)\Battlelog Web Plugins\2.5.1\npbattlelog.dll [No File]
FF Plugin-x32: @esn/npbattlelog,version=2.6.2 -> C:\Program Files (x86)\Battlelog Web Plugins\2.6.2\npbattlelog.dll [No File]
CHR HKLM\...\Chrome\Extension: [flliilndjeohchalpbbcdekjklbdgfkk] - hxxps://clients2.google.com/service/update2/crx
CHR HKLM-x32\...\Chrome\Extension: [flliilndjeohchalpbbcdekjklbdgfkk] - hxxps://clients2.google.com/service/update2/crx
C:\Users\FiorellaT\Desktop\Thumbs.db
C:\Users\FiorellaT\Downloads\Thumbs.db
C:\WINDOWS\Tasks\CreateExplorerShellUnelevatedTask.job
Folder: C:\WINDOWS\4E0C6314A8B84026AC15084E8B63AFB5.TMP
C:\ProgramData\DP45977C.lfl
CMD: netsh advfirewall reset
CMD: netsh advfirewall set allprofiles state on
CMD: ipconfig /flushdns
Emptytemp:
*****************
 
Restore point was successfully created.
Processes closed successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Boot\{6F331EE7-D352-4B2E-ADCB-9D1F7D46162D}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{6F331EE7-D352-4B2E-ADCB-9D1F7D46162D}" => key removed successfully
C:\WINDOWS\System32\Tasks\MS => moved successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\MS" => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{5D126B04-EA76-4ADC-B9DD-829A414382F4} => key not found. 
C:\WINDOWS\System32\Tasks\SweetLabs App Platform => not found.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\SweetLabs App Platform => key not found. 
C:\Windows => ":nlsPreferences" ADS removed successfully.
C:\WINDOWS\system32\Drivers\gatyinwp.sys => ":changelist" ADS removed successfully.
C:\Users\FiorellaT\AppData\Local\SweetLabs App Platform\Engine\ServiceHostAppUpdater.exe => No running process found
C:\Users\FiorellaT\AppData\Local\SweetLabs App Platform\Engine\ServiceHostApp.exe => No running process found
C:\Users\FiorellaT\AppData\Local\SweetLabs App Platform\Engine\ServiceHostApp.exe => No running process found
C:\Users\FiorellaT\AppData\Local\SweetLabs App Platform\Engine\ServiceStartMenuIndexer.exe => No running process found
 
========= Reg Delete "HKLM\SOFTWARE\Microsoft\Shared Tools\MSConfig\services" /F =========
 
Operazione completata.
 
 
 
========= End of Reg: =========
 
 
========= Reg Add "HKLM\SOFTWARE\Microsoft\Shared Tools\MSConfig\services" /F =========
 
Operazione completata.
 
 
 
========= End of Reg: =========
 
"HKU\S-1-5-21-281948597-1283091499-4118563720-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{4d939fa8-1fcd-11e5-83d4-28e347c1d904}" => key removed successfully
HKCR\CLSID\{4d939fa8-1fcd-11e5-83d4-28e347c1d904} => key not found. 
"HKU\S-1-5-21-281948597-1283091499-4118563720-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{71821881-bdda-11e5-8431-201a06aaf3c8}" => key removed successfully
HKCR\CLSID\{71821881-bdda-11e5-8431-201a06aaf3c8} => key not found. 
"HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\ OneDrive1" => key removed successfully
HKCR\CLSID\{BBACC218-34EA-4666-9D7A-C78F2274A524} => key not found. 
"HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\ OneDrive2" => key removed successfully
HKCR\CLSID\{5AB7172C-9C11-405C-8DD5-AF20F3606282} => key not found. 
"HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\ OneDrive3" => key removed successfully
HKCR\CLSID\{A78ED123-AB77-406B-9962-2A5D9D2F7F30} => key not found. 
"HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\ OneDrive4" => key removed successfully
HKCR\CLSID\{F241C880-6982-4CE5-8CF7-7085BA96DA5A} => key not found. 
"HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\ OneDrive5" => key removed successfully
HKCR\CLSID\{A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E} => key not found. 
"HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\ SkyDrive1" => key removed successfully
HKCR\CLSID\{F241C880-6982-4CE5-8CF7-7085BA96DA5A} => key not found. 
"HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\ SkyDrive2" => key removed successfully
HKCR\CLSID\{A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E} => key not found. 
"HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\ SkyDrive3" => key removed successfully
HKCR\CLSID\{BBACC218-34EA-4666-9D7A-C78F2274A524} => key not found. 
"HKLM\Software\MozillaPlugins\@esn/npbattlelog,version=2.5.1" => key removed successfully
"HKLM\Software\MozillaPlugins\@esn/npbattlelog,version=2.6.2" => key removed successfully
"HKLM\Software\Wow6432Node\MozillaPlugins\@esn/npbattlelog,version=2.5.1" => key removed successfully
"HKLM\Software\Wow6432Node\MozillaPlugins\@esn/npbattlelog,version=2.6.2" => key removed successfully
"HKLM\SOFTWARE\Google\Chrome\Extensions\flliilndjeohchalpbbcdekjklbdgfkk" => key removed successfully
"HKLM\SOFTWARE\Wow6432Node\Google\Chrome\Extensions\flliilndjeohchalpbbcdekjklbdgfkk" => key removed successfully
C:\Users\FiorellaT\Desktop\Thumbs.db => moved successfully
C:\Users\FiorellaT\Downloads\Thumbs.db => moved successfully
C:\WINDOWS\Tasks\CreateExplorerShellUnelevatedTask.job => moved successfully
 
========================= Folder: C:\WINDOWS\4E0C6314A8B84026AC15084E8B63AFB5.TMP ========================
 
2016-06-12 22:02 - 2016-06-12 22:02 - 0180482 _____ (Enigma Software Group USA, LLC) C:\WINDOWS\4E0C6314A8B84026AC15084E8B63AFB5.TMP\WiseCustomCalla21.exe
 
====== End of Folder: ======
 
C:\ProgramData\DP45977C.lfl => moved successfully
 
=========  netsh advfirewall reset =========
 
 
Errore durante il tentativo di contattare il servizio Windows Firewall. Verificare che il servizio sia attivo, quindi provare a ripetere la richiesta.
 
 
========= End of CMD: =========
 
 
=========  netsh advfirewall set allprofiles state on =========
 
 
Errore durante il tentativo di contattare il servizio Windows Firewall. Verificare che il servizio sia attivo, quindi provare a ripetere la richiesta.
 
 
========= End of CMD: =========
 
 
=========  ipconfig /flushdns =========
 
 
Configurazione IP di Windows
 
Cache del resolver DNS svuotata.
 
========= End of CMD: =========
 
EmptyTemp: => 671.8 MB temporary data Removed.
 
 
The system needed a reboot.
 
==== End of Fixlog 20:50:16 ====
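The Fixlog above mixes three kinds of output: the echoed fixlist between the `*****` lines, one `target => outcome` line per item FRST acted on, and `=========`-delimited sections holding the raw console output of each `CMD:` and `Reg:` directive in the system locale (Italian here). The parser below is an added example written for this thread, not part of FRST or of any post in it. It splits a Fixlog into those parts, counts outcomes, and flags sections whose output contains an error keyword, which is how the two failed `netsh advfirewall` commands stand out; the keyword list is an assumption of this example, and the embedded sample is a constructed excerpt of the log above.

```python
# Added example: split a Farbar Recovery Scan Tool (FRST) Fixlog into its parts.
# Not part of FRST. SAMPLE_FIXLOG is a constructed excerpt of the log in this thread.
import re
from collections import Counter
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

SAMPLE_FIXLOG = r"""Fix result of Farbar Recovery Scan Tool (x64) Version:13-06-2016
fixlist content:
*****************
CreateRestorePoint:
Task: {6F331EE7-D352-4B2E-ADCB-9D1F7D46162D} - System32\Tasks\MS => hxxp://gangnamgame.org
CMD: netsh advfirewall set allprofiles state on
CMD: ipconfig /flushdns
Emptytemp:
*****************
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{6F331EE7-D352-4B2E-ADCB-9D1F7D46162D}" => key removed successfully
C:\WINDOWS\System32\Tasks\MS => moved successfully
C:\WINDOWS\System32\Tasks\SweetLabs App Platform => not found.
C:\Windows => ":nlsPreferences" ADS removed successfully.
C:\Users\FiorellaT\AppData\Local\SweetLabs App Platform\Engine\ServiceHostApp.exe => No running process found

=========  netsh advfirewall set allprofiles state on =========

Errore durante il tentativo di contattare il servizio Windows Firewall. Verificare che il servizio sia attivo, quindi provare a ripetere la richiesta.

========= End of CMD: =========
=========  ipconfig /flushdns =========
Configurazione IP di Windows
Cache del resolver DNS svuotata.
========= End of CMD: =========
EmptyTemp: => 671.8 MB temporary data Removed.
==== End of Fixlog 20:50:16 ====
"""

SECTION_START = re.compile(r"^=+\s+(.+?)\s+=+$")   # "=========  <command> ========="
SECTION_END = re.compile(r"^=+\s+End of .*=+$")    # "========= End of CMD: =========", end of Fixlog
FIXLIST_DELIM = re.compile(r"^\*{5,}$")            # the echoed fixlist sits between two of these

# Assumed keyword list (this example's own) for spotting a failed command in localized output.
ERROR_WORDS = ("error", "errore", "erreur", "fehler", "failed", "denied")

# Substring of the outcome text -> category; anything else is "other".
OUTCOME_RULES = (("removed successfully", "removed"), ("moved successfully", "removed"),
                 ("not found", "not_found"), ("no running process", "no_process"))


@dataclass
class FixResult:
    fixlist: List[str] = field(default_factory=list)
    actions: List[Tuple[str, str, str]] = field(default_factory=list)  # (target, outcome, category)
    outcomes: Counter = field(default_factory=Counter)
    section_outputs: Dict[str, str] = field(default_factory=dict)     # command -> console output

    def failed_commands(self) -> List[str]:
        return [name for name, out in self.section_outputs.items()
                if any(word in out.lower() for word in ERROR_WORDS)]


def classify(outcome: str) -> str:
    o = outcome.lower()
    return next((cat for needle, cat in OUTCOME_RULES if needle in o), "other")


def parse_fixlog(text: str) -> FixResult:
    result = FixResult()
    in_fixlist = False
    section = None          # name of the CMD:/Reg:/Folder: section being collected
    buf: List[str] = []
    for raw in text.splitlines():
        line = raw.strip()
        if FIXLIST_DELIM.match(line):
            in_fixlist = not in_fixlist
            continue
        if in_fixlist:
            if line:
                result.fixlist.append(line)
            continue
        if section is not None:
            if SECTION_END.match(line):
                result.section_outputs[section] = "\n".join(buf).strip()
                section, buf = None, []
            else:
                buf.append(line)
            continue
        start = SECTION_START.match(line)
        if start and not SECTION_END.match(line):
            section = start.group(1)
            continue
        if " => " in line:
            target, outcome = line.split(" => ", 1)
            category = classify(outcome)
            result.actions.append((target.strip().strip('"'), outcome.strip(), category))
            result.outcomes[category] += 1
    return result


if __name__ == "__main__":
    fix = parse_fixlog(SAMPLE_FIXLOG)
    print("fixlist directives:", len(fix.fixlist), "| outcomes:", dict(fix.outcomes))
    for name in fix.failed_commands():
        print("FAILED:", name, "->", fix.section_outputs[name].splitlines()[0])
```

Because FRST records console output verbatim, a failed `CMD:` directive is never marked as failed by the tool itself; the helper has to read the localized text. Parsing the sections out first, as above, makes that check a one-liner and keeps the firewall failure from being buried between dozens of "removed successfully" lines.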


#8 olgun52

olgun52

  • Malware Response Team
  • 3,784 posts
  • OFFLINE
  • Gender:Male
  • Local time:03:39 PM

Posted 14 June 2016 - 03:21 PM

I didn't want the Malwarebytes Protection log. I am waiting for the Application log.


Best regards
 

 


 


#9 Raviel

Raviel
  • Topic Starter

  • Members
  • 23 posts
  • OFFLINE
  • Local time:01:39 PM

Posted 14 June 2016 - 03:41 PM

<?xml version="1.0" encoding="UTF-16" ?>
<mbam-log>
<header>
<date>2016/06/14 20:57:27 +0200</date>
<logfile>mbam-log-2016-06-14 (20-56-16).xml</logfile>
<isadmin>yes</isadmin>
</header>
<engine>
<version>2.2.1.1043</version>
<malware-database>v2016.06.14.04</malware-database>
<rootkit-database>v2016.05.27.01</rootkit-database>
<license>trial</license>
<file-protection>enabled</file-protection>
<web-protection>enabled</web-protection>
<self-protection>disabled</self-protection>
</engine>
<system>
<hostname>FIORELLA</hostname>
<ip>192.168.0.4</ip>
<osversion>Windows 10</osversion>
<arch>x64</arch>
<username>FiorellaT</username>
<filesys>NTFS</filesys>
</system>
<summary>
<type>threat</type>
<result>completed</result>
<objects>309018</objects>
<time>1420</time>
<processes>0</processes>
<modules>0</modules>
<keys>0</keys>
<values>0</values>
<datas>0</datas>
<folders>8</folders>
<files>25</files>
<sectors>0</sectors>
</summary>
<options>
<memory>enabled</memory>
<startup>enabled</startup>
<filesystem>enabled</filesystem>
<archives>enabled</archives>
<rootkits>disabled</rootkits>
<deeprootkit>disabled</deeprootkit>
<heuristics>enabled</heuristics>
<pup>enabled</pup>
<pum>enabled</pum>
</options>
<items>
<folder><path>C:\ProgramData\ReviverSoft\Driver Reviver</path><vendor>PUP.Optional.DriverReviver</vendor><action>success</action><hash>2bb17686722796a086d08c08f90a8b75</hash></folder>
<folder><path>C:\ProgramData\ReviverSoft\Driver Reviver\backups</path><vendor>PUP.Optional.DriverReviver</vendor><action>success</action><hash>2bb17686722796a086d08c08f90a8b75</hash></folder>
<folder><path>C:\ProgramData\ReviverSoft\Driver Reviver\Language</path><vendor>PUP.Optional.DriverReviver</vendor><action>success</action><hash>2bb17686722796a086d08c08f90a8b75</hash></folder>
<folder><path>C:\ProgramData\ReviverSoft\Driver Reviver\S-1-5-21-281948597-1283091499-4118563720-1001</path><vendor>PUP.Optional.DriverReviver</vendor><action>success</action><hash>2bb17686722796a086d08c08f90a8b75</hash></folder>
<folder><path>C:\ProgramData\ReviverSoft</path><vendor>PUP.Optional.DriverReviver</vendor><action>success</action><hash>2bb17686722796a086d08c08f90a8b75</hash></folder>
<folder><path>C:\ProgramData\ReviverSoft\SmartNotifications</path><vendor>PUP.Optional.DriverReviver</vendor><action>success</action><hash>2bb17686722796a086d08c08f90a8b75</hash></folder>
<folder><path>C:\ProgramData\ReviverSoft\SmartNotifications\S-1-5-21-281948597-1283091499-4118563720-1001</path><vendor>PUP.Optional.DriverReviver</vendor><action>success</action><hash>2bb17686722796a086d08c08f90a8b75</hash></folder>
<folder><path>C:\ProgramData\ReviverSoft\SmartNotifications\S-1-5-21-281948597-1283091499-4118563720-1001\Agents</path><vendor>PUP.Optional.DriverReviver</vendor><action>success</action><hash>2bb17686722796a086d08c08f90a8b75</hash></folder>
<file><path>C:\ProgramData\ReviverSoft\Driver Reviver\COMMONSETTINGS.XML</path><vendor>PUP.Optional.DriverReviver</vendor><action>success</action><hash>2bb17686722796a086d08c08f90a8b75</hash></file>
<file><path>C:\ProgramData\ReviverSoft\Driver Reviver\freeDriver</path><vendor>PUP.Optional.DriverReviver</vendor><action>success</action><hash>2bb17686722796a086d08c08f90a8b75</hash></file>
<file><path>C:\ProgramData\ReviverSoft\Driver Reviver\backups\BackupInfo.xml</path><vendor>PUP.Optional.DriverReviver</vendor><action>success</action><hash>2bb17686722796a086d08c08f90a8b75</hash></file>
<file><path>C:\ProgramData\ReviverSoft\Driver Reviver\Language\Brazilian.xml</path><vendor>PUP.Optional.DriverReviver</vendor><action>success</action><hash>2bb17686722796a086d08c08f90a8b75</hash></file>
<file><path>C:\ProgramData\ReviverSoft\Driver Reviver\Language\Danish.xml</path><vendor>PUP.Optional.DriverReviver</vendor><action>success</action><hash>2bb17686722796a086d08c08f90a8b75</hash></file>
<file><path>C:\ProgramData\ReviverSoft\Driver Reviver\Language\Dutch.xml</path><vendor>PUP.Optional.DriverReviver</vendor><action>success</action><hash>2bb17686722796a086d08c08f90a8b75</hash></file>
<file><path>C:\ProgramData\ReviverSoft\Driver Reviver\Language\English.xml</path><vendor>PUP.Optional.DriverReviver</vendor><action>success</action><hash>2bb17686722796a086d08c08f90a8b75</hash></file>
<file><path>C:\ProgramData\ReviverSoft\Driver Reviver\Language\Finnish.xml</path><vendor>PUP.Optional.DriverReviver</vendor><action>success</action><hash>2bb17686722796a086d08c08f90a8b75</hash></file>
<file><path>C:\ProgramData\ReviverSoft\Driver Reviver\Language\French.xml</path><vendor>PUP.Optional.DriverReviver</vendor><action>success</action><hash>2bb17686722796a086d08c08f90a8b75</hash></file>
<file><path>C:\ProgramData\ReviverSoft\Driver Reviver\Language\German.xml</path><vendor>PUP.Optional.DriverReviver</vendor><action>success</action><hash>2bb17686722796a086d08c08f90a8b75</hash></file>
<file><path>C:\ProgramData\ReviverSoft\Driver Reviver\Language\Italian.xml</path><vendor>PUP.Optional.DriverReviver</vendor><action>success</action><hash>2bb17686722796a086d08c08f90a8b75</hash></file>
<file><path>C:\ProgramData\ReviverSoft\Driver Reviver\Language\Japanese.xml</path><vendor>PUP.Optional.DriverReviver</vendor><action>success</action><hash>2bb17686722796a086d08c08f90a8b75</hash></file>
<file><path>C:\ProgramData\ReviverSoft\Driver Reviver\Language\Norwegian.xml</path><vendor>PUP.Optional.DriverReviver</vendor><action>success</action><hash>2bb17686722796a086d08c08f90a8b75</hash></file>
<file><path>C:\ProgramData\ReviverSoft\Driver Reviver\Language\Russian.xml</path><vendor>PUP.Optional.DriverReviver</vendor><action>success</action><hash>2bb17686722796a086d08c08f90a8b75</hash></file>
<file><path>C:\ProgramData\ReviverSoft\Driver Reviver\Language\Spanish.xml</path><vendor>PUP.Optional.DriverReviver</vendor><action>success</action><hash>2bb17686722796a086d08c08f90a8b75</hash></file>
<file><path>C:\ProgramData\ReviverSoft\Driver Reviver\Language\Swedish.xml</path><vendor>PUP.Optional.DriverReviver</vendor><action>success</action><hash>2bb17686722796a086d08c08f90a8b75</hash></file>
<file><path>C:\ProgramData\ReviverSoft\Driver Reviver\Language\TradChinese.xml</path><vendor>PUP.Optional.DriverReviver</vendor><action>success</action><hash>2bb17686722796a086d08c08f90a8b75</hash></file>
<file><path>C:\ProgramData\ReviverSoft\Driver Reviver\Language\Turkish.xml</path><vendor>PUP.Optional.DriverReviver</vendor><action>success</action><hash>2bb17686722796a086d08c08f90a8b75</hash></file>
<file><path>C:\ProgramData\ReviverSoft\Driver Reviver\S-1-5-21-281948597-1283091499-4118563720-1001\AppSettings.xml</path><vendor>PUP.Optional.DriverReviver</vendor><action>success</action><hash>2bb17686722796a086d08c08f90a8b75</hash></file>
<file><path>C:\ProgramData\ReviverSoft\Driver Reviver\S-1-5-21-281948597-1283091499-4118563720-1001\app_log.log</path><vendor>PUP.Optional.DriverReviver</vendor><action>success</action><hash>2bb17686722796a086d08c08f90a8b75</hash></file>
<file><path>C:\ProgramData\ReviverSoft\Driver Reviver\S-1-5-21-281948597-1283091499-4118563720-1001\DRmanager_log.log</path><vendor>PUP.Optional.DriverReviver</vendor><action>success</action><hash>2bb17686722796a086d08c08f90a8b75</hash></file>
<file><path>C:\ProgramData\ReviverSoft\Driver Reviver\S-1-5-21-281948597-1283091499-4118563720-1001\Request.xml</path><vendor>PUP.Optional.DriverReviver</vendor><action>success</action><hash>2bb17686722796a086d08c08f90a8b75</hash></file>
<file><path>C:\ProgramData\ReviverSoft\Driver Reviver\S-1-5-21-281948597-1283091499-4118563720-1001\Response.xml</path><vendor>PUP.Optional.DriverReviver</vendor><action>success</action><hash>2bb17686722796a086d08c08f90a8b75</hash></file>
<file><path>C:\ProgramData\ReviverSoft\SmartNotifications\S-1-5-21-281948597-1283091499-4118563720-1001\Agents\AF4F5568-272A-4D13-A93E-FFC7E4A1887F.1.0.1.12.json</path><vendor>PUP.Optional.DriverReviver</vendor><action>success</action><hash>2bb17686722796a086d08c08f90a8b75</hash></file>
<file><path>C:\ProgramData\ReviverSoft\SmartNotifications\S-1-5-21-281948597-1283091499-4118563720-1001\Agents\BEE64B41-02F9-472A-9D86-D2DFA07F6912.1.2.4.12.json</path><vendor>PUP.Optional.DriverReviver</vendor><action>success</action><hash>2bb17686722796a086d08c08f90a8b75</hash></file>
</items>
</mbam-log>
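The XML scan log posted above follows the Malwarebytes Anti-Malware 2.x layout: a `<summary>` block with the scan result and counts, an `<options>` block recording which scan components were enabled, and one `<folder>`, `<file>` or similar element per detection. The script below is an added example written for this thread, not a Malwarebytes tool and not code from any post: it parses a log in that layout, tallies detections per detection name, lists items whose `<action>` was not `success`, and warns when the scan ran with rootkit scanning disabled, as it did in the log above. The embedded log is a constructed, trimmed excerpt; the `Trojan.Constructed.Sample` detection and its path are invented placeholders.

```python
# Added example: summarise a Malwarebytes Anti-Malware 2.x XML scan log.
# Not a Malwarebytes tool. SAMPLE_LOG is a constructed excerpt in the layout posted above.
import xml.etree.ElementTree as ET
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Union

# Real logs are UTF-16 files; the declaration mirrors that. The last <file> item is invented.
SAMPLE_LOG = r"""<?xml version="1.0" encoding="UTF-16" ?>
<mbam-log>
<header><date>2016/06/14 20:57:27 +0200</date><isadmin>yes</isadmin></header>
<engine><version>2.2.1.1043</version><malware-database>v2016.06.14.04</malware-database></engine>
<summary><type>threat</type><result>completed</result><objects>309018</objects><time>1420</time><folders>2</folders><files>2</files></summary>
<options><memory>enabled</memory><rootkits>disabled</rootkits><pup>enabled</pup></options>
<items>
<folder><path>C:\ProgramData\ReviverSoft</path><vendor>PUP.Optional.DriverReviver</vendor><action>success</action><hash>2bb17686722796a086d08c08f90a8b75</hash></folder>
<folder><path>C:\ProgramData\ReviverSoft\Driver Reviver</path><vendor>PUP.Optional.DriverReviver</vendor><action>success</action><hash>2bb17686722796a086d08c08f90a8b75</hash></folder>
<file><path>C:\ProgramData\ReviverSoft\Driver Reviver\COMMONSETTINGS.XML</path><vendor>PUP.Optional.DriverReviver</vendor><action>success</action><hash>2bb17686722796a086d08c08f90a8b75</hash></file>
<file><path>C:\Users\Example\AppData\Local\Temp\constructed.exe</path><vendor>Trojan.Constructed.Sample</vendor><action>no-action</action><hash>00000000000000000000000000000000</hash></file>
</items>
</mbam-log>
"""


@dataclass(frozen=True)
class Detection:
    kind: str     # element tag: folder, file, key, value, ...
    path: str
    vendor: str   # Malwarebytes detection name, e.g. PUP.Optional.DriverReviver
    action: str   # "success" means the item was quarantined/removed
    md5: str


@dataclass
class ScanReport:
    scan_type: str
    result: str
    objects_scanned: int
    duration_s: int           # <time> is in seconds
    options: Dict[str, str]   # <options> children, e.g. {"rootkits": "disabled"}
    detections: List[Detection]

    def by_vendor(self) -> Counter:
        return Counter(d.vendor for d in self.detections)

    def unresolved(self) -> List[Detection]:
        return [d for d in self.detections if d.action != "success"]

    def warnings(self) -> List[str]:
        found = []
        if self.result != "completed":
            found.append(f"scan did not complete (result={self.result})")
        if self.options.get("rootkits") != "enabled":
            found.append("rootkit scanning was disabled; a clean result does not cover rootkits")
        if self.unresolved():
            found.append(f"{len(self.unresolved())} detection(s) were not actioned")
        return found


def parse_mbam_log(data: Union[str, bytes]) -> ScanReport:
    if isinstance(data, str):
        data = data.encode("utf-16")   # BOM + UTF-16, matching the declaration, as on disk
    root = ET.fromstring(data)
    if root.tag != "mbam-log":
        raise ValueError(f"unexpected root element {root.tag!r}")
    summary = root.find("summary")
    if summary is None:
        raise ValueError("log has no <summary> element")
    opts_el = root.find("options")
    options = {} if opts_el is None else {c.tag: (c.text or "").strip() for c in opts_el}
    items_el = root.find("items")
    detections = [] if items_el is None else [
        Detection(kind=el.tag,
                  path=el.findtext("path", "").strip(),
                  vendor=el.findtext("vendor", "").strip(),
                  action=el.findtext("action", "").strip(),
                  md5=el.findtext("hash", "").strip())
        for el in items_el]
    return ScanReport(scan_type=summary.findtext("type", ""),
                      result=summary.findtext("result", ""),
                      objects_scanned=int(summary.findtext("objects", "0")),
                      duration_s=int(summary.findtext("time", "0")),
                      options=options,
                      detections=detections)


if __name__ == "__main__":
    report = parse_mbam_log(SAMPLE_LOG)
    print(f"{report.scan_type} scan {report.result}: {report.objects_scanned} objects in {report.duration_s}s")
    for vendor, n in report.by_vendor().most_common():
        print(f"  {n:3d}  {vendor}")
    for warning in report.warnings():
        print("WARNING:", warning)
```

`parse_mbam_log` accepts either the decoded text or the raw bytes of the file, so a log read with `open(path, "rb")` goes straight in. The `<time>` value is in seconds: the 1420 in the log above is the 23 min 40 s duration that the protection log earlier in the thread reports for the same scan.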


#10 olgun52

olgun52

  • Malware Response Team
  • 3,784 posts
  • OFFLINE
  • Gender:Male
  • Local time:03:39 PM

Posted 14 June 2016 - 04:38 PM

Run again. When the scan is complete, if there have been detections, click Apply Actions to allow MBAM to clean what was detected.


Best regards
 

 


 


#11 Raviel

Raviel
  • Topic Starter

  • Members
  • 23 posts
  • OFFLINE
  • Local time:01:39 PM

Posted 15 June 2016 - 02:56 AM

Run again. When the scan is complete, if there have been detections, click Apply Actions to allow MBAM to clean what was detected.

Done, 0 malware detected. But the problem with activating the Windows Firewall is still here.



#12 olgun52

olgun52

  • Malware Response Team
  • 3,784 posts
  • OFFLINE
  • Gender:Male
  • Local time:03:39 PM

Posted 15 June 2016 - 06:43 PM

For the Windows Firewall:
 
After doing the above, please click Start > All Programs > Accessories > Command Prompt
Right-click Command Prompt and select: Run As Administrator
At the Command Prompt, type the following lines, one at a time, and press Enter after each.

sc config MpsSvc start= auto
Net start MpsSvc
exit

Or
 
Windows Firewall (MpsSvc) Service Defaults in Windows 10
Please read:

For your Windows 10 Home Version 1511 ==> Caution:  Version not RTM  !!
Win10_MpsSvc_Service_Startup.cmd file download

  • Save the Win10_MpsSvc_Service_Startup.cmd file
  • Run the saved file as an administrator.
  • Restart the computer.

Okay? Is the Firewall running now?


Best regards
 

 


 


#13 Raviel

Raviel
  • Topic Starter

  • Members
  • 23 posts
  • OFFLINE
  •  
  • Local time:01:39 PM

Posted 16 June 2016 - 02:27 AM

Solution 1:

The firewall is already set to automatic but can't start (error 5).

 

Solution 2:

The program doesn't run.
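
The repair steps above are typed into cmd.exe, and the reply reports that MpsSvc is set to automatic yet fails with error 5 (ERROR_ACCESS_DENIED). As an added diagnostic example (not code from the original thread or its helper), the following PowerShell script collects what a helper would want to see in that situation: the state and start type of MpsSvc and of the BFE and mpsdrv components it depends on, the service DACL, the ACLs on the three registry keys involved, and the Service Control Manager events from a failed start. It assumes an elevated Windows PowerShell 5.1 session on Windows 10; the service names and key paths are the real ones, and the script reads configuration and attempts one normal start, nothing more.

```powershell
# Added diagnostic example, not code from the original thread or its helper.
# Assumes an elevated Windows PowerShell 5.1 session on Windows 10. It reads
# configuration and attempts one normal service start; it changes nothing.
# Caveat: inside PowerShell "sc" is an alias of Set-Content, so the cmd.exe
# lines from the thread (sc config ...) must be typed as sc.exe here.

# MpsSvc cannot run without the Base Filtering Engine (BFE) and the mpsdrv driver.
$win32Services = 'MpsSvc', 'BFE'
$kernelDrivers = 'mpsdrv'

# Registry keys the firewall service needs; SharedAccess holds the firewall policy.
# A damaged ACL here is a common reason for a start failure with error 5
# (ERROR_ACCESS_DENIED), the error reported in the thread.
$serviceKeys = 'MpsSvc', 'BFE', 'SharedAccess' |
    ForEach-Object { "HKLM:\SYSTEM\CurrentControlSet\Services\$_" }

Write-Host '== Service state and start type =='
foreach ($name in $win32Services) {
    Get-CimInstance -ClassName Win32_Service -Filter "Name='$name'" |
        Select-Object Name, State, StartMode, StartName, PathName | Format-List | Out-Host
    # The service object's own DACL as SDDL. Deny ACEs "(D;...)" are not present
    # by default on these services and indicate tampering.
    Write-Host "SDDL for ${name}: $(& sc.exe sdshow $name)"
}
foreach ($name in $kernelDrivers) {
    # mpsdrv is a kernel driver, so it is not in Win32_Service.
    Get-CimInstance -ClassName Win32_SystemDriver -Filter "Name='$name'" |
        Select-Object Name, State, StartMode, PathName | Format-List | Out-Host
}

Write-Host '== Registry key owners and ACLs =='
foreach ($key in $serviceKeys) {
    try {
        $acl = Get-Acl -Path $key
        Write-Host "$key (owner: $($acl.Owner))"
        $acl.Access |
            Select-Object IdentityReference, RegistryRights, AccessControlType |
            Format-Table -AutoSize | Out-Host
        $deny = $acl.Access | Where-Object { $_.AccessControlType -eq 'Deny' }
        if ($deny) { Write-Warning "Deny ACE present on $key; not expected by default" }
    } catch {
        # Even an administrator being refused read access points at a changed owner or ACL.
        Write-Warning "Cannot read ACL of ${key}: $($_.Exception.Message)"
    }
}

Write-Host '== Start attempt =='
try {
    Start-Service -Name 'MpsSvc' -ErrorAction Stop
    Write-Host "MpsSvc started, status: $((Get-Service -Name 'MpsSvc').Status)"
} catch {
    Write-Warning "Start failed: $($_.Exception.Message)"
    # The Service Control Manager records the underlying Win32 error (5 = access
    # denied) in the System log: 7000 start failed, 7001 dependency failed,
    # 7023/7024 service terminated with an error.
    Get-WinEvent -FilterHashtable @{
        LogName = 'System'; ProviderName = 'Service Control Manager'
        Id = 7000, 7001, 7023, 7024
    } -MaxEvents 5 -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, Message | Format-List | Out-Host
}
```

A Deny ACE, a changed key owner, or an administrator being refused read access on one of these keys is the finding to report before any repair tool is run, since resetting the ACL is what such a tool does.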



#14 olgun52

olgun52

  • Malware Response Team
  • 3,784 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:03:39 PM

Posted 16 June 2016 - 06:17 PM

Does the operating system update? Please check.

It may be associated with the virus. First, we have to overcome this problem.
=====================================================================

Scan with Zemana AntiMalware Free:

  • Turn off the real-time scanner of any existing antivirus and firewall programs while performing the scan
  • Please download and install Zemana AntiMalware Free
  • Double-click the software shortcut on the desktop and follow the prompts to install the program.
  • If an update is available, click the Update now button.
  • At the end, click Settings > Advanced > ''I have read the warning and wish to proceed anyway''
  • Auto Launch > Untick the box next to it
  • Scan type > Smart scan (Default)
  • Close all open files, folders and browsers
  • Click Scan now (''Run as Administrator'') and a threat scan will begin.
  • When the scan is complete, press Report and send me the report.
  • Please restart the PC now.

=====================================================================

MalwareBytes Anti-Rootkit scan:

  • Close all the running processes
  • Be sure to temporarily disable all antivirus/anti-spyware software
  • Caution: This is a beta version so please be sure to read the disclaimer and back up any important data before using.
  • Note: Malwarebytes Anti-Rootkit requires administrative privileges to function properly.

Step 1: Download MalwareBytes Anti-Rootkit software from here to your desktop.

  • Right-click on Mbar 1.09.1.1004.exe and select Run As Administrator to launch the application.

Step 2: Open the folder named MBAR on the desktop.
Step 3: Find the MBAR folder in the list.
Step 4: Click once.
Step 5: Now click the OK button.
Step 6: Click the OK button again.

Step 7: Then Next and click on the Update button
Step 8: Now click on the Scan button

  • When finished updating, click 'Next' then 'Scan'.
  • If you are told you have the 'AppInit_Dlls rootkit', choose not to fix it and proceed with the scan.
  • With some infections, you may see two message boxes:
  • 'Could not load protection driver'. Click 'OK'.
  • 'Could not load DDA driver'. Click 'Yes' to this message, to allow the driver to load after a restart. Allow the computer to restart, then continue with the rest of these instructions.
  • If malware is found, do NOT press the 'Cleanup' button yet. Click 'Exit'.
  • Please attach the two log files created by the tool within the folder from which it was run.
  • The logs will be named mbar-log-YYYY-MM-DD (##-##-##).txt and system-log.txt

 




#15 Raviel

Raviel
  • Topic Starter

  • Members
  • 23 posts
  • OFFLINE
  •  
  • Local time:01:39 PM

Posted 17 June 2016 - 01:17 PM

- Windows update doesn't work.

- No virus found in the 2 scans.

 

Zemana AntiMalware 2.21.2.15 (Installato)
 
-------------------------------------------------------
Risultato scansione        : Completato
Data scansione             : 2016/6/17
Sistema operativo          : Windows 10 64-bit
Processore                 : 4X Intel® Core™ i3-3110M CPU @ 2.40GHz
Modalità BIOS              : UEFI
CUID                       : 124E481BEFA03BD762F2BF
Tipo di scansione          : Scansione accurata
Durata                     : 36m 46s
Oggetti scansionati        : 374210
Oggetti rilevati           : 9
Oggetti esclusi            : 0
Livello lettura            : SCSI
Caricamento automatico     : Attivato
Mostra tutte le estensioni : Attivato
Scansione documenti        : Disattivato
Informazioni dominio       : WORKGROUP,0,2
 
Oggetti rilevati
-------------------------------------------------------
 
abs@avira
Stato             : Scansionato
Oggetto           : %appdata%\mozilla\firefox\profiles\v14oprge.default\extensions\abs@avira.com
MD5               : -
Editore           : -
Dimensione        : -
Versione          : -
Rilevamento       : Estensione del browser
Azione pulizia    : Ripara
Oggetti correlati :
                Estensione del browser - abs@avira
 
Adblock Plus
Stato             : Scansionato
Oggetto           : %appdata%\mozilla\firefox\profiles\v14oprge.default\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}.xpi
MD5               : 6DF6292DDAFBE9B944813151D0B48545
Editore           : -
Dimensione        : 1013992
Versione          : -
Rilevamento       : Estensione del browser
Azione pulizia    : Ripara
Oggetti correlati :
                Estensione del browser - Adblock Plus
                File - %appdata%\mozilla\firefox\profiles\v14oprge.default\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}.xpi
 
Gmail
Stato             : Scansionato
Oggetto           : %localappdata%\google\chrome\user data\default\extensions\pjkljhegncpnkpknbcohdijeoejaedia
MD5               : -
Editore           : -
Dimensione        : -
Versione          : -
Rilevamento       : Estensione del browser
Azione pulizia    : Ripara
Oggetti correlati :
                Estensione del browser - Gmail
 
Pagamenti Chrome Web Store
Stato             : Scansionato
Oggetto           : %localappdata%\google\chrome\user data\default\extensions\nmmhkkegccagdldgiimedpiccmgmieda
MD5               : -
Editore           : -
Dimensione        : -
Versione          : -
Rilevamento       : Estensione del browser
Azione pulizia    : Ripara
Oggetti correlati :
                Estensione del browser - Pagamenti Chrome Web Store
 
AdBlock
Stato             : Scansionato
Oggetto           : %localappdata%\google\chrome\user data\default\extensions\gighmmpiobklfepjocnamgkkbiglidom
MD5               : -
Editore           : -
Dimensione        : -
Versione          : -
Rilevamento       : Estensione del browser
Azione pulizia    : Ripara
Oggetti correlati :
                Estensione del browser - AdBlock
 
Google Documenti offline
Stato             : Scansionato
Oggetto           : %localappdata%\google\chrome\user data\default\extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi
MD5               : -
Editore           : -
Dimensione        : -
Versione          : -
Rilevamento       : Estensione del browser
Azione pulizia    : Ripara
Oggetti correlati :
                Estensione del browser - Google Documenti offline
 
Google Search
Stato             : Scansionato
Oggetto           : %localappdata%\google\chrome\user data\default\extensions\coobgpohoikkiipiblmjeljniedjpjpf
MD5               : -
Editore           : -
Dimensione        : -
Versione          : -
Rilevamento       : Estensione del browser
Azione pulizia    : Ripara
Oggetti correlati :
                Estensione del browser - Google Search
 
YouTube
Stato             : Scansionato
Oggetto           : %localappdata%\google\chrome\user data\default\extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo
MD5               : -
Editore           : -
Dimensione        : -
Versione          : -
Rilevamento       : Estensione del browser
Azione pulizia    : Ripara
Oggetti correlati :
                Estensione del browser - YouTube
 
Google Drive
Stato             : Scansionato
Oggetto           : %localappdata%\google\chrome\user data\default\extensions\apdfllckaahabafndbhieahigkjlhalf
MD5               : -
Editore           : -
Dimensione        : -
Versione          : -
Rilevamento       : Estensione del browser
Azione pulizia    : Ripara
Oggetti correlati :
                Estensione del browser - Google Drive
 
 
 
 
Risultati pulizia
-------------------------------------------------------
Puliti                : 9
Segnalati come sicuri : 0
Falliti               : 0
 
Malwarebytes Anti-Rootkit BETA 1.9.3.1001
www.malwarebytes.org
 
Database version:
  main:    v2016.06.17.04
  rootkit: v2016.05.27.01
 
Windows 10 x64 NTFS
Internet Explorer 11.306.10586.0
FiorellaT :: FIORELLA [administrator]
 
17/06/2016 19:36:10
mbar-log-2016-06-17 (19-36-10).txt
 
Scan type: Quick scan
Scan options enabled: Anti-Rootkit | Drivers | MBR | Physical Sectors | Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken
Scan options disabled: 
Objects scanned: 312563
Time elapsed: 33 minute(s), 7 second(s)
 
Memory Processes Detected: 0
(No malicious items detected)
 
Memory Modules Detected: 0
(No malicious items detected)
 
Registry Keys Detected: 0
(No malicious items detected)
 
Registry Values Detected: 0
(No malicious items detected)
 
Registry Data Items Detected: 0
(No malicious items detected)
 
Folders Detected: 0
(No malicious items detected)
 
Files Detected: 0
(No malicious items detected)
 
Physical Sectors Detected: 0
(No malicious items detected)
 
(end)
 
Malwarebytes Anti-Rootkit BETA 1.09.3.1001
 
© Malwarebytes Corporation 2011-2012
 
OS version: 10.0.9200 Windows 10 x64
 
Account is Administrative
 
Internet Explorer version: 11.306.10586.0
 
File system is: NTFS
Disk drives: C:\ DRIVE_FIXED, D:\ DRIVE_FIXED
CPU speed: 2.395000 GHz
Memory total: 4187770880, free: 2416435200
 
Downloaded database version: v2016.06.17.04
Downloaded database version: v2016.05.27.01
Downloaded database version: v2016.06.16.01
=======================================
Initializing...
Driver version: 0.3.0.4
------------ Kernel report ------------
     06/17/2016 19:35:58
------------ Loaded modules -----------
----------- End -----------
Done!
 
Scan started
Database versions:
  main:    v2016.06.17.04
  rootkit: v2016.05.27.01
 
<<<2>>>
Physical Sector Size: 512
Drive: 0, DevicePointer: 0xffffe00184c96060, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\disk\
--------- Disk Stack ------
DevicePointer: 0xffffe00184c96b10, DeviceName: Unknown, DriverName: \Driver\partmgr\
DevicePointer: 0xffffe00184c95040, DeviceName: Unknown, DriverName: \Driver\LHDmgr\
DevicePointer: 0xffffe00184c96060, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\disk\
DevicePointer: 0xffffe00184bbf060, DeviceName: \Device\0000001f\, DriverName: \Driver\storahci\
------------ End ----------
Alternate DeviceName: Unknown, DriverName: \Driver\LHDmgr\
Upper DeviceData: 0x0, 0x0, 0x0
Lower DeviceData: 0x0, 0x0, 0x0
<<<3>>>
Volume: C:
File system type: NTFS
SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
<<<2>>>
<<<3>>>
Volume: C:
File system type: NTFS
SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
Scanning drivers directory: C:\WINDOWS\SYSTEM32\drivers...
Done!
Drive 0
This is a System drive
Scanning MBR on drive 0...
Inspecting partition table:
This drive is a GPT Drive.
MBR Signature: 55AA
Disk Signature: 9D41BA67
 
GPT Protective MBR Partition information:
 
    Partition 0 type is EFI-GPT (0xee)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 1  Numsec = 4294967295
 
    Partition 1 type is Empty (0x0)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 0  Numsec = 0
 
    Partition 2 type is Empty (0x0)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 0  Numsec = 0
 
    Partition 3 type is Empty (0x0)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 0  Numsec = 0
 
GPT Partition information:
 
    GPT Header Signature 4546492050415254
    GPT Header Revision 65536 Size 92 CRC 2047215755
    GPT Header CurrentLba = 1 BackupLba 976773167
    GPT Header FirstUsableLba 34  LastUsableLba 976773134
    GPT Header Guid 6f33679b-d3a5-470c-8a31-de6fbe5aea62
    GPT Header Contains 128 partition entries starting at LBA 2
    GPT Header Partition entry size = 128
 
    Backup GPT header Signature 4546492050415254
    Backup GPT header Revision 65536 Size 92 CRC 2047215755
    Backup GPT header CurrentLba = 976773167 BackupLba 1
    Backup GPT header FirstUsableLba 34  LastUsableLba 976773134
    Backup GPT header Guid 6f33679b-d3a5-470c-8a31-de6fbe5aea62
    Backup GPT header Contains 128 partition entries starting at LBA 976773135
    Backup GPT header Partition entry size = 128
 
    Partition 0 Type de94bba4-6d1-4d40-a16a-bfd5179d6ac
    Partition ID 25228b26-40ba-4bc7-aff6-51f46d8196b
    FirstLBA 2048  Last LBA 2050047
    Attributes 1
    Partition Name                 Basic data partition
 
    Partition 1 Type c12a7328-f81f-11d2-ba4b-0a0c93ec93b
    Partition ID daac9b6-b379-4219-b956-f1e595fb361
    FirstLBA 2050048  Last LBA 2582527
    Attributes 1
    Partition Name                 EFI system partition
 
    GPT Partition 1 is bootable
    Partition 2 Type bfbfafe7-a34f-448a-9a5b-6213eb736c22
    Partition ID 22540df1-4d7d-4847-8ff9-e24f12f23e6
    FirstLBA 2582528  Last LBA 4630527
    Attributes 1
    Partition Name                 Basic data partition
 
    Partition 3 Type e3c9e316-b5c-4db8-817d-f92df0215ae
    Partition ID 5cffc1a7-f570-44cd-8325-ec1f30da77e
    FirstLBA 4630528  Last LBA 4892671
    Attributes 0
    Partition Name         Microsoft reserved partition
 
    Partition 4 Type ebd0a0a2-b9e5-4433-87c0-68b6b72699c7
    Partition ID a436afd1-e29-4aae-9148-54756936e364
    FirstLBA 4892672  Last LBA 896006143
    Attributes 0
    Partition Name                 Basic data partition
 
    Partition 5 Type ebd0a0a2-b9e5-4433-87c0-68b6b72699c7
    Partition ID b73a19d5-5724-4994-9957-37b854e6eefb
    FirstLBA 896006144  Last LBA 948434943
    Attributes 0
    Partition Name                 Basic data partition
 
    Partition 6 Type de94bba4-6d1-4d40-a16a-bfd5179d6ac
    Partition ID e3b9b9e4-5328-49cf-a714-59f7cfd137a
    FirstLBA 948434944  Last LBA 976773119
    Attributes 1
    Partition Name                 Basic data partition
 
Disk Size: 500107862016 bytes
Sector size: 512 bytes
 
Done!
File "C:\Windows\System32\config\systemprofile\AppData\Local\DataSharing\Storage\DSTokenDB2.dat" is sparse (flags = 32768)
Scan finished
=======================================
 
 
Removal queue found; removal started
Removing C:\ProgramData\Malwarebytes' Anti-Malware (portable)\MBR-0-i.mbam...
Removing C:\ProgramData\Malwarebytes' Anti-Malware (portable)\MBR-0-r.mbam...
Removal finished
 




