New Install Microsoft Updates Blocked


  • This topic is locked
22 replies to this topic

#1 Cli7nt

Posted 12 August 2016 - 11:37 AM

I had a System32 Cerber attack, so I reinstalled Windows 7 Pro, but now I can't get any security or regular updates. I attached 2 FRST reports for your review. Thanks for your help!

Attached Files


Music Is The Reason,

Clint Crisher
Los Angeles, CA


#2 Aura (Malware Response Team)

Posted 12 August 2016 - 12:31 PM

Hi Cli7nt :)

My name is Aura and I'll be assisting you with your malware issue. Since we'll be working together, you can call me Aura or Yoan, which is my real name, it's up to you! Now that we've broken the ice, I'll just ask you a few things during the time we'll be working together to clean your system and get it back to an operational state.
  • As you'll notice, the logs we are asking for here are quite lengthy, so it's normal for me to not reply exactly after you post them. This is because I need some time to analyse them and then act accordingly. However, I'll always reply within 24 hours, 48 hours at most if something unexpected happens;
  • As long as I'm assisting you on BleepingComputer, in this thread, I'll ask you to not seek assistance anywhere else for any issue related to the system we are working on. If you have an issue, question, etc. about your computer, please ask it in this thread and I'll assist you;
  • The same principle applies to any modifications you make to your system, I would like you to ask me before you do any manipulations that aren't in the instructions I posted. This is to ensure that we are operating in sync and I know exactly what's happening on your system;
  • If you aren't sure about an instruction I'm giving you, ask me about it. This is to ensure that the clean-up process goes without any issue. I'll answer you and even give you more precise instructions/explanations if you need. There's no shame in asking questions here, better be safe than sorry!;
  • If you don't reply to your thread within 3 days, I'll bump this thread to let you know that I'm waiting for you. If you don't reply after 5 days, it'll be closed. If you return after that period, you can send me a PM to get it unlocked and we'll continue where we left off;
  • Since malware can work quickly, we want to get rid of them as fast as we can, before they make unknown changes to the system. This being said, I would appreciate if you could reply to this thread within 24 hours of me posting. This way, we'll have a good clean-up rhythm and the chances of complications will be reduced;
  • I'm against any form of pirated, illegal and counterfeit software and material. So if you have any installed on your system, I'll ask you to uninstall them right now. You don't have to tell me if you indeed had some or not, I'll give you the benefit of the doubt. Plus, this would be against BleepingComputer's rules;
  • In the end, you are the one asking for assistance here. So if you wish to go a different way during the clean-up, like format and reinstall Windows, you are free to do so. I would appreciate you to let me know about it first, and if you need, I can also assist you in the process;
  • I would appreciate if you were to stay with me until the end, which means, until I declare your system clean. Just because your system isn't behaving weirdly anymore, or is running better than before, it doesn't mean that the infection is completely gone;
    This being said, I have a full time job, and I also have night classes on Mondays and Wednesdays, which means that if you reply during these two days, it'll take longer for me to reply to you. Don't worry, you'll be my first priority as soon as I get home and have time to look at your thread;
This being said, it's time to clean-up some malware, so let's get started, shall we? :)

To be honest, I don't see anything in your logs which would indicate that you are still infected. Regarding your issue, do you mean that your Windows Updates are blocked because Windows keeps on searching for them for a long period of time (hours), and keeps on checking for them indefinitely?

Security Administrator | Sysnative Windows Update Senior Analyst | Malware Hunter | @SecurityAura
My timezone UTC-05:00 (East. Coast). If I didn't reply to you within 48 hours, please send me a PM.


#3 Cli7nt (Topic Starter)

Posted 12 August 2016 - 12:41 PM

Yes, Windows keeps on searching for hours, and it keeps on checking for them. It shows most recent check 0, updates installed 0.



#4 Aura (Malware Response Team)

Posted 12 August 2016 - 12:46 PM

This is a known issue with Windows 7 :) What you have to do in that case is install the SP1 (though in your case it's not needed as it's already installed), and from there, install the Convenience Rollup Update for Windows 7 that was released in April 2016.

https://support.microsoft.com/en-ca/kb/3125574

Once done, all you have to do is install the latest Rollup Update for Windows 7 (which is the one for July 2016) and you'll be set.

https://support.microsoft.com/en-ca/kb/3172605

If you need assistance with this, you should create a thread in the Windows 7 section here. You'll notice that there's already a few similar threads posted, so you could read them too to see what was done :)

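The procedure Aura describes above (SP1, then the April 2016 convenience rollup KB3125574, then the July 2016 rollup KB3172605), as an added PowerShell example that is not part of the thread and not Aura's or Microsoft's code. It checks what is already installed with Get-HotFix, then installs the missing packages in order with wusa.exe while the Windows Update service is stopped, which is the caveat that matters in practice: if wuauserv is running, the standalone installer hands the package to the same update agent that is stuck "searching for updates" and hangs just as long. Assumptions not stated in the thread: the .msu files were downloaded from the Microsoft Update Catalog into C:\Updates (hypothetical folder) under their catalog file names, and KB3020369 (the April 2015 servicing stack update) is included because Microsoft's KB3125574 article lists it as a prerequisite.

```powershell
# Added example, not from the thread or from Aura. Run from an elevated 64-bit
# PowerShell prompt; written to work on the PowerShell 2.0 that ships with
# Windows 7 (no -in operator, no Get-FileHash).
# Assumptions: packages were downloaded beforehand into $updateDir (hypothetical
# folder) and the file names match the Microsoft Update Catalog downloads.

$updateDir = 'C:\Updates'   # hypothetical download folder

$os = Get-WmiObject Win32_OperatingSystem
if ([int]$os.ServicePackMajorVersion -lt 1) {
    Write-Warning 'Service Pack 1 is not installed; install SP1 before the rollups.'
    return
}
if ($os.OSArchitecture -ne '64-bit') {
    Write-Warning 'Package names below are x64; substitute the x86 packages on a 32-bit install.'
}

# Install order matters: servicing stack update first (KB3020369 is listed by
# Microsoft as a prerequisite of KB3125574; the thread does not mention it),
# then the April 2016 convenience rollup, then the July 2016 monthly rollup.
$required = @(
    @{ KB = 'KB3020369'; File = 'Windows6.1-KB3020369-x64.msu' },
    @{ KB = 'KB3125574'; File = 'Windows6.1-KB3125574-v4-x64.msu' },
    @{ KB = 'KB3172605'; File = 'Windows6.1-KB3172605-x64.msu' }
)

$installed = Get-HotFix | ForEach-Object { $_.HotFixID }
$stop = $false

foreach ($u in $required) {
    if ($installed -contains $u.KB) {
        Write-Host "$($u.KB) is already installed"
        continue
    }
    $msu = Join-Path $updateDir $u.File
    if (-not (Test-Path $msu)) {
        Write-Warning "$($u.KB): $msu not found; download it and rerun"
        break
    }

    # Stop the Windows Update service before a manual .msu install so wusa.exe
    # does not sit in the same endless "searching for updates" phase.
    Stop-Service wuauserv -Force
    Write-Host "Installing $($u.KB) ..."
    $proc = Start-Process -FilePath "$env:windir\System32\wusa.exe" `
        -ArgumentList "`"$msu`" /quiet /norestart" -Wait -PassThru
    Start-Service wuauserv

    # wusa.exe exit codes: 0 = installed, 3010 = installed and reboot required,
    # 2359302 (0x240006) = WU_S_ALREADY_INSTALLED.
    switch ($proc.ExitCode) {
        0       { Write-Host "$($u.KB) installed" }
        3010    { Write-Host "$($u.KB) installed; reboot, then rerun this script for the next package"; $stop = $true }
        2359302 { Write-Host "$($u.KB) was already present" }
        default { Write-Warning "$($u.KB) failed with exit code $($proc.ExitCode)"; $stop = $true }
    }
    if ($stop) { break }   # 'break' inside switch only leaves the switch, hence the flag
}
```

Rerunning the script after each reboot is intentional: Get-HotFix reflects what is now installed, so it simply continues with the next package. Once all three report as installed, Windows Update's own check should finish in minutes rather than hours.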


#5 Cli7nt (Topic Starter)

Posted 14 August 2016 - 03:34 AM

HitmanPro found these, but it is greyed out to delete or quarantine?
 
Properties
Name ieframe.dll
Location C:\Windows\System32
Size 13.7 MB
Time 1.9 days ago (2016-08-12 01:20:54)
Entropy 6.3
Product Internet Explorer
Publisher Microsoft Corporation
Description Internet Browser
Version 11.00.9600.17840
Copyright © Microsoft Corporation. All rights reserved.
LanguageID 1033
SHA-256 C484CF7EF7C0346783BA8771BD621FABDFB24A49ECE3DAA687EBB559C78F73D7
 
Scoring (11.0)
This file contains a Thread Local Storage (TLS) data directory. This is not common for most programs.
Program starts automatically without user intervention.
Time indicates that the file appeared recently on this computer.
The file is in use by one or more active processes.
The file is located in a folder that contains core operating system files from Windows. This is not typical for most programs and is only common to system tools, drivers and hacking utilities.
The file is protected by Windows File Protection (WFP). This is typical for critical Windows system files.
 
Startup
HKU\S-1-5-19\SOFTWARE\Microsoft\Internet Explorer\UrlSearchHooks\{CFBFAE00-17A6-11D0-99CB-00C04FD64497}
HKU\S-1-5-20\SOFTWARE\Microsoft\Internet Explorer\UrlSearchHooks\{CFBFAE00-17A6-11D0-99CB-00C04FD64497}
HKU\S-1-5-21-2884753921-4226338202-955112698-1000\SOFTWARE\Microsoft\Internet Explorer\UrlSearchHooks\{CFBFAE00-17A6-11D0-99CB-00C04FD64497}
HKU\S-1-5-21-2884753921-4226338202-955112698-1001\SOFTWARE\Microsoft\Internet Explorer\UrlSearchHooks\{CFBFAE00-17A6-11D0-99CB-00C04FD64497}
 
References
HKLM\SOFTWARE\Classes\CLSID\{CFBFAE00-17A6-11D0-99CB-00C04FD64497}\
HKU\S-1-5-21-2884753921-4226338202-955112698-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{CFBFAE00-17A6-11D0-99CB-00C04FD64497}\
 
Properties
Name IEEtwCollector.exe
Location C:\Windows\system32
Size 112 KB
Time 1.9 days ago (2016-08-12 01:20:54)
Entropy 6.0
Product Internet Explorer
Publisher Microsoft Corporation
Description IE ETW Collector Service
Version 11.00.9600.17840
Copyright © Microsoft Corporation. All rights reserved.
Service IEEtwCollectorService
LanguageID 1033
SHA-256 5ACD4F88586311C5CB6730B0536FA9935C1CEE56078C6B46D81FDE3A24A93237
 
Scoring (7.0)
Starts automatically as a service during system bootup.
Time indicates that the file appeared recently on this computer.
The file is located in a folder that contains core operating system files from Windows. This is not typical for most programs and is only common to system tools, drivers and hacking utilities.
The file is protected by Windows File Protection (WFP). This is typical for critical Windows system files.
 
Startup
HKLM\SYSTEM\CurrentControlSet\Services\IEEtwCollectorService\
 
Properties
Name wecsvc.dll
Location C:\Windows\system32
Size 205 KB
Time 0.1 days ago (2016-08-13 21:09:03)
Entropy 6.0
Product Microsoft® Windows® Operating System
Publisher Microsoft Corporation
Description Event Collector Service
Version 10.0.10586.117
Copyright © Microsoft Corporation. All rights reserved.
Service Wecsvc
LanguageID 1033
SHA-256 1D94DB7ABC7A503BD79EA1D754AEC2858F62AB56F3FD8AA4F854462ED25AC29B
 
Scoring (7.0)
Starts automatically as a service during system bootup.
Time indicates that the file appeared recently on this computer.
The file is located in a folder that contains core operating system files from Windows. This is not typical for most programs and is only common to system tools, drivers and hacking utilities.
The file is protected by Windows File Protection (WFP). This is typical for critical Windows system files.
 
Startup
HKLM\SYSTEM\CurrentControlSet\Services\Wecsvc\
 
Properties
Name ieframe.dll
Location C:\Windows\SysWOW64
Size 12.2 MB
Time 1.9 days ago (2016-08-12 01:20:55)
Entropy 6.4
Product Internet Explorer
Publisher Microsoft Corporation
Description Internet Browser
Version 11.00.9600.17840
Copyright © Microsoft Corporation. All rights reserved.
LanguageID 1033
SHA-256 77DC14828FA882E30FDE46D7CBFD62D5F1765A3AE24275507A5613C4CC8CC11F
 
Scoring (11.0)
This file contains a Thread Local Storage (TLS) data directory. This is not common for most programs.
Program starts automatically without user intervention.
Time indicates that the file appeared recently on this computer.
The file is in use by one or more active processes.
The file is located in a folder that contains core operating system files from Windows. This is not typical for most programs and is only common to system tools, drivers and hacking utilities.
The file is protected by Windows File Protection (WFP). This is typical for critical Windows system files.
 
Startup
HKU\S-1-5-19\SOFTWARE\Microsoft\Internet Explorer\UrlSearchHooks\{CFBFAE00-17A6-11D0-99CB-00C04FD64497}
HKU\S-1-5-20\SOFTWARE\Microsoft\Internet Explorer\UrlSearchHooks\{CFBFAE00-17A6-11D0-99CB-00C04FD64497}
HKU\S-1-5-21-2884753921-4226338202-955112698-1000\SOFTWARE\Microsoft\Internet Explorer\UrlSearchHooks\{CFBFAE00-17A6-11D0-99CB-00C04FD64497}
HKU\S-1-5-21-2884753921-4226338202-955112698-1001\SOFTWARE\Microsoft\Internet Explorer\UrlSearchHooks\{CFBFAE00-17A6-11D0-99CB-00C04FD64497}
 
References
HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{CFBFAE00-17A6-11D0-99CB-00C04FD64497}\
HKU\S-1-5-21-2884753921-4226338202-955112698-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{CFBFAE00-17A6-11D0-99CB-00C04FD64497}\
 


#6 Cli7nt (Topic Starter)

Posted 14 August 2016 - 03:49 AM

Also, does this make sense to you: ntoskrnl.exe!KiCpuld+0x6a0



#7 Aura (Malware Response Team)

Posted 14 August 2016 - 10:57 AM

These are legitimate Windows system files.

https://www.reasoncoresecurity.com/ieframe.dll-59fde6779aed41184b26c5f74814d9f4e3b643fe.aspx
https://www.reasoncoresecurity.com/ieframe.dll-b6ced5fd8721e8bfd0df67ee55d3d13fe3633756.aspx

My guess is that HitmanPro flagged them because they were modified recently, maybe because they got updated (some of your Windows Updates might have kicked in). Like I said above, your logs don't show any traces of infection, and your Windows Update issue is a known one which you can solve by following the instructions in my last post :)

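HitmanPro's scoring above is heuristic (recent timestamp, System32 location, TLS directory), and a hash look-up site only tells you a hash was seen before. The check that actually settles whether a file in System32 is Microsoft's is its Authenticode signature, which for system files lives in a security catalog rather than in the file. The following added PowerShell example (not from the thread, not Aura's or HitmanPro's code) recomputes the SHA-256 of the four files from post #5 with .NET (PowerShell 2.0 on Windows 7 has no Get-FileHash), compares them with the hashes HitmanPro printed, shows the embedded version and company, then runs Sysinternals sigcheck for the catalog signature and sfc /verifyonly for Windows Resource Protection. Note that the wecsvc.dll entry above reports version 10.0.10586.117 while Windows 7's own binaries carry 6.1.76xx versions and the IE11 files 11.0.9600; that is exactly the kind of discrepancy a signature check resolves. Assumptions: an elevated 64-bit PowerShell prompt (32-bit PowerShell silently redirects System32 to SysWOW64) and sigcheck64.exe in C:\Tools (hypothetical path).

```powershell
# Added example, not from the thread or from Aura. Run from an elevated 64-bit
# PowerShell prompt; written for PowerShell 2.0 as shipped with Windows 7.
# Get-AuthenticodeSignature on 2.0 does not consult security catalogs and
# reports catalog-signed system files as NotSigned, hence sigcheck below.

# Expected hashes copied from the HitmanPro output in post #5.
$reported = @{
    'C:\Windows\System32\ieframe.dll'        = 'C484CF7EF7C0346783BA8771BD621FABDFB24A49ECE3DAA687EBB559C78F73D7'
    'C:\Windows\System32\IEEtwCollector.exe' = '5ACD4F88586311C5CB6730B0536FA9935C1CEE56078C6B46D81FDE3A24A93237'
    'C:\Windows\System32\wecsvc.dll'         = '1D94DB7ABC7A503BD79EA1D754AEC2858F62AB56F3FD8AA4F854462ED25AC29B'
    'C:\Windows\SysWOW64\ieframe.dll'        = '77DC14828FA882E30FDE46D7CBFD62D5F1765A3AE24275507A5613C4CC8CC11F'
}

# SHA-256 via .NET so it works without Get-FileHash.
function Get-Sha256Hex {
    param([string]$Path)
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $fs  = [System.IO.File]::OpenRead($Path)
    try     { $digest = $sha.ComputeHash($fs) }
    finally { $fs.Close() }
    return ([System.BitConverter]::ToString($digest)).Replace('-', '')
}

foreach ($path in $reported.Keys) {
    if (-not (Test-Path $path)) { Write-Warning "$path is missing"; continue }
    $actual = Get-Sha256Hex -Path $path
    if ($actual -eq $reported[$path]) {
        $verdict = 'matches the HitmanPro report'
    } else {
        $verdict = 'DIFFERS from the HitmanPro report (file changed since the scan)'
    }
    $vi = [System.Diagnostics.FileVersionInfo]::GetVersionInfo($path)
    Write-Host $path
    Write-Host ("  SHA-256  {0}  ({1})" -f $actual, $verdict)
    Write-Host ("  version  {0}  company '{1}'" -f $vi.FileVersion, $vi.CompanyName)
}

# Version strings and hashes can be faked; the signature is the proof.
# sigcheck -a -h verifies Authenticode including catalog signatures and prints
# the catalog it matched, the signer chain and the hashes.
$sigcheck = 'C:\Tools\sigcheck64.exe'   # hypothetical location
if (Test-Path $sigcheck) {
    foreach ($path in $reported.Keys) { & $sigcheck -accepteula -nobanner -a -h $path }
} else {
    Write-Warning "sigcheck64.exe not found at $sigcheck; skipping signature check"
}

# Windows Resource Protection check over every protected file; it reports
# mismatches without changing anything (sfc /scannow would repair them).
& "$env:windir\System32\sfc.exe" /verifyonly
```

A file whose sigcheck line reads "Signed" with a Microsoft Windows signer and whose sfc run reports no integrity violations is legitimately Microsoft's regardless of how recently it was written, which is the situation Aura describes for files replaced by an update.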


#8 Cli7nt (Topic Starter)

Posted 14 August 2016 - 03:53 PM

Is it strange to have these 2 files inside C:\Windows\System32??

 

 

C7483456-A289-439D-8115-601632D005A0 File (.C7483456-A289-439d-8115-601632D005A0)

C7483456-A289-439D-8115-601632D005A0 File (.C7483456-A289-439d-8115-601632D005A0)

 

Windows Shell Common Dll



#9 Aura (Malware Response Team)

Posted 14 August 2016 - 03:58 PM

Not at all. These are also part of Windows.

http://lifeofageekadmin.com/how-to-manage-hidden-files-and-directories-from-the-command-line-in-windows/

I've seen them on every machine I worked on.



#10 Cli7nt (Topic Starter)

Posted 14 August 2016 - 08:31 PM

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Malwarebytes
Version: 8.0.7 (07.03.2016)
Operating System: Windows 7 Professional x64 
Ran by WOUTempAdmin (Administrator) on Sun 08/14/2016 at 17:38:56.91
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
 
 
 
File System: 28 
 
Successfully deleted: C:\ProgramData\paretologic\regcure pro (Folder) 
Successfully deleted: C:\Windows\system32\Tasks\ParetoLogic Registration3 (Task)
Successfully deleted: C:\Windows\system32\Tasks\ParetoLogic Update Version3 (Task)
Successfully deleted: C:\Windows\system32\Tasks\ParetoLogic Update Version3_triggeronce (Task)
Successfully deleted: C:\Windows\system32\Tasks\RegCure Pro Startup (Task)
Successfully deleted: C:\Windows\system32\Tasks\RegCure Pro_sch_3A3D88FE-61BF-11E6-8EE2-C860000C5471 (Task)
Successfully deleted: C:\Windows\Tasks\ParetoLogic Registration3.job (Task) 
Successfully deleted: C:\Windows\Tasks\ParetoLogic Update Version3.job (Task) 
Successfully deleted: C:\Windows\Tasks\ParetoLogic Update Version3_triggeronce.job (Task) 
Successfully deleted: C:\Windows\Tasks\RegCure Pro Startup.job (Task) 
Successfully deleted: C:\Windows\Tasks\RegCure Pro_sch_3A3D88FE-61BF-11E6-8EE2-C860000C5471.job (Task) 
Successfully deleted: C:\Program Files (x86)\paretologic\regcure pro (Folder) 
Successfully deleted: C:\Users\WOUTempAdmin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0PS72R2M (Temporary Internet Files Folder) 
Successfully deleted: C:\Users\WOUTempAdmin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ADPWEWO (Temporary Internet Files Folder) 
Successfully deleted: C:\Users\WOUTempAdmin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\62AXOPQ5 (Temporary Internet Files Folder) 
Successfully deleted: C:\Users\WOUTempAdmin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\FZG8CKJ5 (Temporary Internet Files Folder) 
Successfully deleted: C:\Users\WOUTempAdmin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\I128UT87 (Temporary Internet Files Folder) 
Successfully deleted: C:\Users\WOUTempAdmin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LIXMVQOA (Temporary Internet Files Folder) 
Successfully deleted: C:\Users\WOUTempAdmin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\Q6BJT990 (Temporary Internet Files Folder) 
Successfully deleted: C:\Users\WOUTempAdmin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\STZQP0VF (Temporary Internet Files Folder) 
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0PS72R2M (Temporary Internet Files Folder) 
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ADPWEWO (Temporary Internet Files Folder) 
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\62AXOPQ5 (Temporary Internet Files Folder) 
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\FZG8CKJ5 (Temporary Internet Files Folder) 
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\I128UT87 (Temporary Internet Files Folder) 
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LIXMVQOA (Temporary Internet Files Folder) 
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\Q6BJT990 (Temporary Internet Files Folder) 
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\STZQP0VF (Temporary Internet Files Folder) 
 
 
 
Registry: 0 
 
 
 
 
 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on Sun 08/14/2016 at 17:43:14.31
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 

# AdwCleaner v6.000 - Logfile created 14/08/2016 at 17:48:29
# Updated on 12/08/2016 by ToolsLib
# Database : 2016-08-13.3 [Server]
# Operating System : Windows 7 Professional Service Pack 1 (X64)
# Username : WOUTempAdmin - CR75H3R
# Running from : C:\Windows_Repair_Toolbox\Downloads\Malware Removal\AdwCleaner.exe
# Mode: Clean
 
 
 
***** [ Services ] *****
 
[-] Service deleted: scan
 
 
***** [ Folders ] *****
 
[-] Folder deleted: C:\Users\CLi7NT\AppData\Roaming\ParetoLogic
[-] Folder deleted: C:\Users\CLi7NT\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\ParetoLogic
[-] Folder deleted: C:\ProgramData\ParetoLogic
[#] Folder deleted on reboot: C:\ProgramData\Application Data\ParetoLogic
[-] Folder deleted: C:\Program Files (x86)\ParetoLogic
[-] Folder deleted: C:\Program Files (x86)\Common Files\ParetoLogic
 
 
***** [ Files ] *****
 
 
 
***** [ DLL ] *****
 
 
 
***** [ WMI ] *****
 
 
 
***** [ Shortcuts ] *****
 
 
 
***** [ Scheduled Tasks ] *****
 
 
 
***** [ Registry ] *****
 
[-] Key deleted: HKLM\SOFTWARE\Classes\uus3url-pl
[-] Key deleted: [x64] HKLM\SOFTWARE\Classes\CLSID\{65416821-217D-44BD-9C61-F53398FB1B46}
[-] Key deleted: [x64] HKLM\SOFTWARE\Classes\CLSID\{6DFC0DC7-FDC5-44C2-8B80-5977BA8F8ACC}
[-] Key deleted: [x64] HKLM\SOFTWARE\Classes\CLSID\{E5AFF088-92F8-41a9-8CAB-E9CDCCE967AC}
[-] Key deleted: [x64] HKLM\SOFTWARE\Classes\CLSID\{4ABDD67C-44E3-42E0-816D-D7F0E54761DF}
[-] Key deleted: [x64] HKLM\SOFTWARE\Classes\CLSID\{94915A56-4D71-4F85-B59C-CC040F5AC6F0}
[-] Key deleted: [x64] HKLM\SOFTWARE\Classes\Interface\{65416821-217D-44BD-9C61-F53398FB1B46}
[-] Key deleted: [x64] HKLM\SOFTWARE\Classes\Interface\{4ABDD67C-44E3-42E0-816D-D7F0E54761DF}
[-] Key deleted: HKLM\SOFTWARE\Classes\Interface\{65416821-217D-44BD-9C61-F53398FB1B46}
[-] Key deleted: HKLM\SOFTWARE\Classes\Interface\{4ABDD67C-44E3-42E0-816D-D7F0E54761DF}
[-] Key deleted: HKLM\SOFTWARE\Classes\TypeLib\{34F4FEAF-4921-4B5D-8BE5-CA384BFFC2CE}
[-] Key deleted: HKLM\SOFTWARE\Classes\TypeLib\{39A37965-0A96-43A3-870E-821FE5C84B0B}
[-] Key deleted: HKU\S-1-5-21-2884753921-4226338202-955112698-1000\Software\ParetoLogic
[-] Key deleted: HKLM\SOFTWARE\ParetoLogic
[-] Key deleted: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{C547F361-5750-4CD1-9FB6-BC93827CB6C1}
 
 
***** [ Web browsers ] *****
 
 
 
*************************
 
:: "Tracing" keys deleted
:: Winsock2 - Deleted C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WLIDNSP.DLL
:: Winsock settings cleared
 
*************************
 
C:\AdwCleaner\AdwCleaner[C0].txt - [2597 Bytes] - [14/08/2016 17:48:29]
C:\AdwCleaner\AdwCleaner[S0].txt - [2699 Bytes] - [14/08/2016 17:48:08]
 
########## EOF - C:\AdwCleaner\AdwCleaner[C0].txt - [2743 Bytes] ##########

# AdwCleaner v6.000 - Logfile created 14/08/2016 at 17:48:08
# Updated on 12/08/2016 by ToolsLib
# Database : 2016-08-13.3 [Server]
# Operating System : Windows 7 Professional Service Pack 1 (X64)
# Username : WOUTempAdmin - CR75H3R
# Running from : C:\Windows_Repair_Toolbox\Downloads\Malware Removal\AdwCleaner.exe
# Mode: Scan
 
 
 
***** [ Services ] *****
 
Service Found:  scan
 
 
***** [ Folders ] *****
 
Folder Found:  C:\Users\CLi7NT\AppData\Roaming\ParetoLogic
Folder Found:  C:\Users\CLi7NT\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\ParetoLogic
Folder Found:  C:\ProgramData\ParetoLogic
Folder Found:  C:\ProgramData\Application Data\ParetoLogic
Folder Found:  C:\Program Files (x86)\ParetoLogic
Folder Found:  C:\Program Files (x86)\Common Files\ParetoLogic
 
 
***** [ Files ] *****
 
No malicious files found.
 
 
***** [ DLL ] *****
 
No malicious DLLs found.
 
 
***** [ WMI ] *****
 
No malicious keys found.
 
 
***** [ Shortcuts ] *****
 
No infected shortcut found.
 
 
***** [ Scheduled Tasks ] *****
 
No malicious task found.
 
 
***** [ Registry ] *****
 
Key Found:  HKLM\SOFTWARE\Classes\uus3url-pl
Key Found:  [x64] HKLM\SOFTWARE\Classes\CLSID\{65416821-217D-44BD-9C61-F53398FB1B46}
Key Found:  [x64] HKLM\SOFTWARE\Classes\CLSID\{6DFC0DC7-FDC5-44C2-8B80-5977BA8F8ACC}
Key Found:  [x64] HKLM\SOFTWARE\Classes\CLSID\{E5AFF088-92F8-41a9-8CAB-E9CDCCE967AC}
Key Found:  [x64] HKLM\SOFTWARE\Classes\CLSID\{4ABDD67C-44E3-42E0-816D-D7F0E54761DF}
Key Found:  [x64] HKLM\SOFTWARE\Classes\CLSID\{94915A56-4D71-4F85-B59C-CC040F5AC6F0}
Key Found:  [x64] HKLM\SOFTWARE\Classes\Interface\{65416821-217D-44BD-9C61-F53398FB1B46}
Key Found:  [x64] HKLM\SOFTWARE\Classes\Interface\{4ABDD67C-44E3-42E0-816D-D7F0E54761DF}
Key Found:  HKLM\SOFTWARE\Classes\Interface\{65416821-217D-44BD-9C61-F53398FB1B46}
Key Found:  HKLM\SOFTWARE\Classes\Interface\{4ABDD67C-44E3-42E0-816D-D7F0E54761DF}
Key Found:  HKLM\SOFTWARE\Classes\TypeLib\{34F4FEAF-4921-4B5D-8BE5-CA384BFFC2CE}
Key Found:  HKLM\SOFTWARE\Classes\TypeLib\{39A37965-0A96-43A3-870E-821FE5C84B0B}
Key Found:  HKU\S-1-5-21-2884753921-4226338202-955112698-1000\Software\ParetoLogic
Key Found:  HKLM\SOFTWARE\ParetoLogic
Key Found:  HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{C547F361-5750-4CD1-9FB6-BC93827CB6C1}
 
 
***** [ Web browsers ] *****
 
No malicious Firefox based browser items found.
No malicious Chromium based browser items found.
 
*************************
 
C:\AdwCleaner\AdwCleaner[S0].txt - [2519 Bytes] - [14/08/2016 17:48:08]
 
########## EOF - C:\AdwCleaner\AdwCleaner[S0].txt - [2592 Bytes] ##########


#11 Aura (Malware Response Team)

Posted 14 August 2016 - 08:35 PM

Were these run on your current install of Windows 7?



#12 Cli7nt (Topic Starter)

Posted 14 August 2016 - 08:39 PM

ComboFix 16-08-10.01 - WOUTempAdmin 08/14/2016  18:26:53.3.4 - x64
Microsoft Windows 7 Professional   6.1.7601.1.1252.1.1033.18.8097.5269 [GMT -7:00]
Running from: c:\users\WOUTempAdmin\Desktop\ComboFix.exe
AV: McAfee Anti-Virus and Anti-Spyware *Enabled/Updated* {DA9F8ED0-D0DE-39CC-F55A-51AB4CC1B556}
FW: McAfee Firewall *Enabled* {E2A40FF5-9AB1-3894-DE05-F89EB212F22D}
SP: McAfee Anti-Virus and Anti-Spyware *Enabled/Updated* {61FE6F34-F6E4-3642-CFEA-6AD93746FFEB}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\users\WOUTEM~1\AppData\Local\Temp\dllnt_dump.dll
c:\users\WOUTempAdmin\AppData\Local\Temp\dllnt_dump.dll
.
.
(((((((((((((((((((((((((   Files Created from 2016-07-15 to 2016-08-15  )))))))))))))))))))))))))))))))
.
.
2016-08-15 00:54 . 2016-08-15 00:54 28272 ----a-w- c:\windows\system32\drivers\TrueSight.sys
2016-08-15 00:54 . 2016-08-15 00:54 -------- d-----w- c:\programdata\RogueKiller
2016-08-15 00:45 . 2016-08-15 00:48 -------- d-----w- C:\AdwCleaner
2016-08-15 00:21 . 2016-08-15 01:18 -------- d-----r- c:\users\Public
2016-08-15 00:21 . 2016-08-15 01:36 -------- d-----w- C:\Windows_Repair_Toolbox
2016-08-14 22:49 . 2016-08-14 22:49 3218944 ----a-w- c:\windows\system32\win32k.sys
2016-08-14 22:49 . 2016-08-14 22:49 70656 ----a-w- c:\windows\SysWow64\fontsub.dll
2016-08-14 22:49 . 2016-08-14 22:49 46080 ----a-w- c:\windows\system32\atmlib.dll
2016-08-14 22:49 . 2016-08-14 22:49 41472 ----a-w- c:\windows\system32\lpk.dll
2016-08-14 22:49 . 2016-08-14 22:49 382184 ----a-w- c:\windows\system32\atmfd.dll
2016-08-14 22:49 . 2016-08-14 22:49 34304 ----a-w- c:\windows\SysWow64\atmlib.dll
2016-08-14 22:49 . 2016-08-14 22:49 308456 ----a-w- c:\windows\SysWow64\atmfd.dll
2016-08-14 22:49 . 2016-08-14 22:49 25600 ----a-w- c:\windows\SysWow64\lpk.dll
2016-08-14 22:49 . 2016-08-14 22:49 14336 ----a-w- c:\windows\system32\dciman32.dll
2016-08-14 22:49 . 2016-08-14 22:49 10240 ----a-w- c:\windows\SysWow64\dciman32.dll
2016-08-14 22:49 . 2016-08-14 22:49 100864 ----a-w- c:\windows\system32\fontsub.dll
2016-08-14 22:48 . 2016-08-14 22:48 833024 ----a-w- c:\windows\SysWow64\user32.dll
2016-08-14 22:48 . 2016-08-14 22:48 1550848 ----a-w- c:\windows\system32\DWrite.dll
2016-08-14 22:48 . 2016-08-14 22:48 1148416 ----a-w- c:\windows\system32\FntCache.dll
2016-08-14 22:48 . 2016-08-14 22:48 1081856 ----a-w- c:\windows\SysWow64\DWrite.dll
2016-08-14 22:48 . 2016-08-14 22:48 1008640 ----a-w- c:\windows\system32\user32.dll
2016-08-14 22:48 . 2016-08-14 22:48 1838080 ----a-w- c:\windows\system32\d3d10warp.dll
2016-08-14 22:48 . 2016-08-14 22:48 1171456 ----a-w- c:\windows\SysWow64\d3d10warp.dll
2016-08-14 22:48 . 2016-08-14 22:48 64512 ----a-w- c:\windows\SysWow64\devobj.dll
2016-08-14 22:48 . 2016-08-14 22:48 44544 ----a-w- c:\windows\SysWow64\devrtl.dll
2016-08-14 22:48 . 2016-08-14 22:48 404480 ----a-w- c:\windows\system32\umpnpmgr.dll
2016-08-14 22:48 . 2016-08-14 22:48 252928 ----a-w- c:\windows\SysWow64\drvinst.exe
2016-08-14 22:48 . 2016-08-14 22:48 145920 ----a-w- c:\windows\SysWow64\cfgmgr32.dll
2016-08-14 18:51 . 2016-08-14 23:08 -------- d-----w- c:\users\CLi7NT
2016-08-14 18:51 . 2016-08-15 01:18 -------- d-----w- c:\users\WOUTempAdmin
2016-08-14 18:50 . 2016-08-14 18:50 -------- d-----w- c:\programdata\SonicFocus
2016-08-14 18:50 . 2016-08-14 18:50 -------- d-----w- c:\windows\SysWow64\RTCOM
2016-08-14 18:50 . 2016-08-14 18:50 -------- d-----w- c:\program files\Realtek
2016-08-14 06:07 . 2016-08-14 19:06 -------- d-----w- c:\program files (x86)\Common Files\Windows Live
2016-08-14 04:35 . 2016-08-14 19:13 -------- d-----w- c:\windows\SysWow64\Configuration
2016-08-14 04:08 . 2016-02-13 10:35 25600 ------w- c:\windows\system32\DscTimer.dll
2016-08-14 04:08 . 2016-02-13 10:34 19968 ------w- c:\windows\system32\DscProxy.dll
2016-08-14 04:08 . 2016-02-13 10:42 38912 ------w- c:\windows\SysWow64\PSModuleDiscoveryProvider.dll
2016-08-14 04:08 . 2016-02-13 10:34 141824 ------w- c:\windows\SysWow64\DscCoreConfProv.dll
2016-08-14 04:08 . 2016-02-13 10:31 127488 ------w- c:\windows\SysWow64\wmidcom.dll
2016-08-14 04:07 . 2016-02-13 10:34 90624 ------w- c:\windows\system32\mibincodec.dll
2016-08-14 04:02 . 2016-08-14 19:10 -------- d-----w- c:\program files (x86)\WindowsPowerShell
2016-08-14 04:02 . 2016-08-14 19:06 -------- d-----w- c:\program files\WindowsPowerShell
2016-08-14 04:01 . 2016-08-14 19:12 -------- d-----w- c:\windows\system32\dsc
2016-08-14 03:53 . 2016-08-14 04:01 61726 ----a-w- c:\windows\woubak-winlogon.reg
2016-08-14 03:53 . 2016-08-14 04:01 2524 ----a-w- c:\windows\woubak-system-policies.reg
2016-08-14 03:51 . 2016-08-14 19:12 -------- d-----w- c:\windows\Migration
2016-08-14 03:48 . 2016-08-14 19:09 -------- d-----w- c:\program files (x86)\Microsoft Silverlight
2016-08-14 03:48 . 2016-08-14 19:06 -------- d-----w- c:\program files\Microsoft Silverlight
2016-08-14 01:34 . 2016-08-14 18:58 -------- d-----w- c:\program files\BDServices
2016-08-13 21:35 . 2016-08-14 19:06 -------- d-----w- c:\program files (x86)\Common Files\Nikon
2016-08-13 21:32 . 2016-08-14 19:11 -------- d-----w- c:\programdata\PDVD
2016-08-13 21:31 . 2016-08-14 18:58 -------- d-----w- c:\program files\Common Files\NewBlue
2016-08-13 21:31 . 2016-08-14 19:06 -------- d-----w- c:\program files (x86)\Common Files\NewBlue
2016-08-13 21:31 . 2016-08-14 19:06 -------- d-----w- c:\program files\NewBlue
2016-08-13 21:31 . 2016-08-14 19:09 -------- d-----w- c:\program files (x86)\NewBlue
2016-08-13 21:28 . 2016-08-14 19:06 -------- d-----w- c:\program files\CyberLink
2016-08-13 21:27 . 2016-08-14 19:06 -------- d-----w- c:\program files (x86)\Common Files\CyberLink
2016-08-13 21:27 . 2016-08-14 19:09 -------- d-----w- c:\program files (x86)\NSIS Uninstall Information
2016-08-13 21:26 . 2016-08-14 19:11 -------- d-----w- c:\programdata\SUPPORTDIR
2016-08-13 21:25 . 2016-08-14 19:09 -------- d-----w- c:\program files (x86)\CyberLink
2016-08-13 21:24 . 2016-08-14 19:11 -------- d-----w- c:\programdata\install_clap
2016-08-13 21:24 . 2016-08-14 19:11 -------- d-----w- c:\programdata\CLSK
2016-08-13 20:48 . 2016-08-14 19:11 -------- d-----w- c:\programdata\CyberLink
2016-08-13 19:03 . 2016-08-14 19:11 -------- d-----w- c:\programdata\LightScribe
2016-08-13 09:32 . 2016-08-14 19:06 -------- d-----w- c:\program files (x86)\Common Files\LightScribe
2016-08-13 05:33 . 2016-08-14 18:58 -------- d-----w- c:\program files\CCleaner
2016-08-13 05:18 . 2016-02-25 04:07 207968 ----a-w- c:\windows\system32\drivers\HipShieldK.sys
2016-08-13 05:18 . 2016-08-14 19:11 -------- d-----w- c:\programdata\Intel Security
2016-08-13 05:16 . 2016-08-14 19:06 -------- d-----w- c:\program files\McAfee
2016-08-13 05:16 . 2016-08-14 18:58 -------- d-----w- c:\program files\Common Files\Intel Security
2016-08-13 05:16 . 2016-08-14 18:58 -------- d-----w- c:\program files\Common Files\AV
2016-08-13 05:16 . 2016-08-14 19:09 -------- d-----w- c:\program files (x86)\McAfee
2016-08-13 05:14 . 2016-04-27 00:56 277744 ----a-w- c:\windows\system32\mfevtps.exe
2016-08-13 05:14 . 2016-08-14 19:06 -------- d-----w- c:\program files (x86)\Common Files\McAfee
2016-08-13 05:14 . 2016-08-14 18:58 -------- d-----w- c:\program files\Common Files\McAfee
2016-08-13 05:14 . 2016-08-14 19:11 -------- d-----w- c:\programdata\McAfee
2016-08-13 03:03 . 2016-08-13 03:03 -------- d-----w- c:\programdata\regid.1986-12.com.adobe
2016-08-13 03:03 . 2016-08-14 19:12 -------- d-----w- c:\windows\system32\Macromed
2016-08-13 02:59 . 2016-08-14 18:58 -------- d-----w- c:\program files\Common Files\Adobe
2016-08-13 02:58 . 2016-08-14 18:57 -------- d-----w- c:\program files\Adobe
2016-08-13 02:57 . 2016-08-14 19:06 -------- d-----w- c:\program files (x86)\Common Files\PX Storage Engine
2016-08-13 02:57 . 2013-09-03 10:01 56336 ----a-w- c:\windows\system32\drivers\PxHlpa64.sys
2016-08-13 02:57 . 2012-04-24 10:01 11376 ----a-w- c:\windows\system32\drivers\cdralw2k.sys
2016-08-13 02:57 . 2012-04-24 10:01 10864 ----a-w- c:\windows\system32\drivers\cdr4_xp.sys
2016-08-13 02:55 . 2016-08-14 19:06 -------- d-----w- c:\program files (x86)\Common Files\Adobe
2016-08-13 00:57 . 2016-08-14 19:09 -------- d-----w- c:\program files (x86)\Microsoft OneDrive
2016-08-13 00:57 . 2016-08-14 19:11 -------- d-----w- c:\programdata\Microsoft OneDrive
2016-08-13 00:48 . 2016-08-13 00:47 2736328 ----a-w- c:\programdata\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\integrator.exe
2016-08-13 00:47 . 2016-08-14 19:11 -------- d-----w- c:\programdata\regid.1991-06.com.microsoft
2016-08-12 23:24 . 2016-08-14 19:11 -------- d-----w- c:\programdata\AmUStor
2016-08-12 23:24 . 2016-08-14 19:06 -------- d-----w- c:\program files (x86)\AmIcoSingLun
2016-08-12 23:21 . 2016-08-14 19:09 -------- d-----w- c:\program files (x86)\Intel Corporation
2016-08-12 23:21 . 2016-08-14 19:06 -------- d-----w- c:\program files (x86)\Common Files\Intel Corporation
2016-08-12 22:55 . 2016-08-14 19:06 -------- d-----w- c:\program files\DIFX
2016-08-12 22:55 . 2016-08-14 19:06 -------- d-----w- c:\program files\WDCSAM
2016-08-12 22:46 . 2011-02-22 18:59 8192 ----a-w- c:\windows\system32\drivers\IntelMEFWVer.dll
2016-08-12 22:46 . 2016-08-14 19:06 -------- d-----w- c:\program files (x86)\Common Files\postureAgent
2016-08-12 22:45 . 2016-08-14 09:20 -------- d-----w- C:\SWTOOLS
2016-08-12 22:45 . 2010-10-19 23:34 56344 ----a-w- c:\windows\system32\drivers\HECIx64.sys
2016-08-12 21:56 . 2011-04-26 18:07 557848 ----a-w- c:\windows\system32\drivers\iaStor.sys
2016-08-12 21:51 . 2014-03-07 02:20 138456 ----a-w- c:\windows\system32\drivers\asmthub3.sys
2016-08-12 21:33 . 2013-08-16 19:37 424192 ----a-w- c:\windows\system32\drivers\asmtxhci.sys
2016-08-12 21:33 . 2016-08-14 19:06 -------- d-----w- c:\program files\WinRAR
2016-08-12 21:24 . 2016-08-14 19:06 -------- d-----w- c:\program files (x86)\Cisco
2016-08-12 21:24 . 2016-08-14 18:58 -------- d-----w- c:\program files\Common Files\Intel
2016-08-12 20:44 . 2012-05-15 14:13 144896 ----a-w- c:\windows\system32\IntelOpenCL64.dll
2016-08-12 20:44 . 2012-05-15 14:13 20992 ----a-w- c:\windows\system32\OpenCL.dll
2016-08-12 20:44 . 2012-05-15 13:20 104448 ----a-w- c:\windows\SysWow64\IntelOpenCL32.dll
2016-08-12 20:44 . 2012-05-15 13:20 17920 ----a-w- c:\windows\SysWow64\OpenCL.dll
2016-08-12 20:42 . 2016-08-12 20:43 -------- d-----w- C:\Intel
2016-08-12 20:24 . 2016-08-14 19:06 -------- d-----w- c:\program files (x86)\Common Files\InstallShield
2016-08-12 20:04 . 2016-08-14 19:12 -------- d--h--w- c:\windows\system32\WLANProfiles
2016-08-12 20:04 . 2016-08-14 19:09 -------- d-----w- c:\program files (x86)\Intel
2016-08-12 20:01 . 2016-08-14 19:11 -------- d-----w- c:\programdata\Intel
2016-08-12 20:01 . 2015-06-04 20:33 21984 ----a-w- c:\windows\system32\drivers\semav6msr64.sys
2016-08-12 19:57 . 2016-08-14 19:06 -------- d-----w- c:\program files\Intel
2016-08-12 19:54 . 2016-08-14 19:09 -------- d-----w- c:\program files (x86)\Microsoft.NET
2016-08-12 19:52 . 2016-08-14 19:11 -------- d-----w- c:\programdata\Package Cache
2016-08-12 18:03 . 2016-08-14 19:11 -------- d-----w- c:\windows\CheckSur
2016-08-12 16:02 . 2016-08-14 09:20 -------- d-----w- C:\RegBackup
2016-08-12 15:55 . 2016-08-14 19:06 -------- d-----w- c:\program files\HitmanPro
2016-08-12 15:34 . 2016-08-14 23:31 -------- d-----w- c:\programdata\HitmanPro
2016-08-12 15:17 . 2016-08-15 00:57 192216 ----a-w- c:\windows\system32\drivers\MBAMSwissArmy.sys
2016-08-12 15:17 . 2016-08-14 19:11 -------- d-----w- c:\programdata\Malwarebytes
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2016-08-14 22:49 . 2016-08-14 22:49 2560 ----a-w- c:\windows\apppatch\AcRes.dll
2016-07-14 21:43 . 2016-07-14 21:43 29376 ----a-w- c:\windows\SysWow64\aspnet_counters.dll
2016-07-14 21:43 . 2016-07-14 21:43 18592 ----a-w- c:\windows\SysWow64\msvcr110_clr0400.dll
2016-07-14 21:43 . 2016-07-14 21:43 18592 ----a-w- c:\windows\SysWow64\msvcr100_clr0400.dll
2016-07-14 21:43 . 2016-07-14 21:43 18592 ----a-w- c:\windows\SysWow64\msvcp110_clr0400.dll
2016-07-14 21:37 . 2016-07-14 21:37 30912 ----a-w- c:\windows\system32\aspnet_counters.dll
2016-07-14 21:37 . 2016-07-14 21:37 18600 ----a-w- c:\windows\system32\msvcr110_clr0400.dll
2016-07-14 21:37 . 2016-07-14 21:37 18600 ----a-w- c:\windows\system32\msvcr100_clr0400.dll
2016-07-14 21:37 . 2016-07-14 21:37 18600 ----a-w- c:\windows\system32\msvcp110_clr0400.dll
2016-06-14 18:58 . 2016-06-14 18:58 452040 ----a-w- c:\windows\system32\drivers\Trufos.sys
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LightScribe Control Panel"="c:\program files (x86)\Common Files\LightScribe\LightScribeControlPanel.exe" [2011-04-16 2741616]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"DSCAutomationHostEnabled"= 2 (0x2)
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]
"aux1"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro37]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro37.sys]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\HitmanPro37Crusader]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\HitmanPro37CrusaderBoot]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcpltsvc]
@="Service"
.
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [x]
R3 dmvsc;dmvsc;c:\windows\system32\drivers\dmvsc.sys;c:\windows\SYSNATIVE\drivers\dmvsc.sys [x]
R3 HipShieldK;McAfee Inc. HipShieldK;c:\windows\system32\drivers\HipShieldK.sys;c:\windows\SYSNATIVE\drivers\HipShieldK.sys [x]
R3 mfencrk;McAfee Inc. mfencrk;c:\windows\system32\DRIVERS\mfencrk.sys;c:\windows\SYSNATIVE\DRIVERS\mfencrk.sys [x]
R3 semav6msr64;semav6msr64;c:\windows\system32\drivers\semav6msr64.sys;c:\windows\SYSNATIVE\drivers\semav6msr64.sys [x]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys;c:\windows\SYSNATIVE\drivers\tsusbflt.sys [x]
R3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys;c:\windows\SYSNATIVE\drivers\TsUsbGD.sys [x]
R4 AdobeActiveFileMonitor13.0;Adobe Active File Monitor V13;c:\program files\Adobe\Elements 13 Organizer\PhotoshopElementsFileAgent.exe;c:\program files\Adobe\Elements 13 Organizer\PhotoshopElementsFileAgent.exe [x]
R4 BitDefenderCOM;BitDefenderCOM;c:\program files\BDServices\BitDefenderCom.exe;c:\program files\BDServices\BitDefenderCom.exe [x]
R4 DMAgent;Intel® PROSet/Wireless WiMAX Red Bend Device Management Service;c:\program files\Intel\WiMAX\Bin\DMAgent.exe;c:\program files\Intel\WiMAX\Bin\DMAgent.exe [x]
R4 HitmanProScheduler;HitmanPro Scheduler;c:\program files\HitmanPro\hmpsched.exe;c:\program files\HitmanPro\hmpsched.exe [x]
R4 ICCS;Intel® Integrated Clock Controller Service - Intel® ICCS;c:\program files (x86)\Intel\Intel® Integrated Clock Controller Service\ICCProxy.exe;c:\program files (x86)\Intel\Intel® Integrated Clock Controller Service\ICCProxy.exe [x]
R4 McBootDelayStartSvc;McAfee Boot Delay Start Service;c:\program files\Common Files\McAfee\Platform\McSvcHost\McSvHost.exe;c:\program files\Common Files\McAfee\Platform\McSvcHost\McSvHost.exe [x]
R4 mccspsvc;McAfee CSP Service;c:\program files\Common Files\McAfee\CSP\1.9.829.0\\McCSPServiceHost.exe;c:\program files\Common Files\McAfee\CSP\1.9.829.0\\McCSPServiceHost.exe [x]
R4 ModuleCoreService;McAfee Module Core Service;c:\program files\Common Files\McAfee\ModuleCore\ModuleCoreService.exe;c:\program files\Common Files\McAfee\ModuleCore\ModuleCoreService.exe [x]
R4 MyWiFiDHCPDNS;Wireless PAN DHCP Server;c:\program files\Intel\WiFi\bin\PanDhcpDns.exe;c:\program files\Intel\WiFi\bin\PanDhcpDns.exe [x]
R4 PEFService;Intel Security PEF Service;c:\program files\Common Files\Intel Security\PEF\CORE\PEFService.exe;c:\program files\Common Files\Intel Security\PEF\CORE\PEFService.exe [x]
R4 RichVideo64;Cyberlink RichVideo64 Service(CRVS);c:\program files\CyberLink\Shared files\RichVideo64.exe;c:\program files\CyberLink\Shared files\RichVideo64.exe [x]
R4 UNS;Intel® Management and Security Application User Notification Service;c:\program files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe;c:\program files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe [x]
R4 WiMAXAppSrv;Intel® PROSet/Wireless WiMAX Service;c:\program files\Intel\WiMAX\Bin\AppSrv.exe;c:\program files\Intel\WiMAX\Bin\AppSrv.exe [x]
R4 ZeroConfigService;Intel® PROSet/Wireless Zero Configuration Service;c:\program files\Intel\WiFi\bin\ZeroConfigService.exe;c:\program files\Intel\WiFi\bin\ZeroConfigService.exe [x]
S0 mfewfpk;McAfee Inc. mfewfpk;c:\windows\system32\drivers\mfewfpk.sys;c:\windows\SYSNATIVE\drivers\mfewfpk.sys [x]
S0 PxHlpa64;PxHlpa64;c:\windows\System32\drivers\PxHlpa64.sys;c:\windows\SYSNATIVE\drivers\PxHlpa64.sys [x]
S1 mbamchameleon;mbamchameleon;c:\windows\system32\drivers\mbamchameleon.sys;c:\windows\SYSNATIVE\drivers\mbamchameleon.sys [x]
S2 ClickToRunSvc;Microsoft Office Click-to-Run Service;c:\program files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe;c:\program files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe [x]
S2 HomeNetSvc;McAfee Home Network;c:\program files\Common Files\McAfee\Platform\McSvcHost\McSvHost.exe;c:\program files\Common Files\McAfee\Platform\McSvcHost\McSvHost.exe [x]
S2 MBAMScheduler;MBAMScheduler;c:\program files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe;c:\program files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe [x]
S2 MBAMService;MBAMService;c:\program files (x86)\Malwarebytes Anti-Malware\mbamservice.exe;c:\program files (x86)\Malwarebytes Anti-Malware\mbamservice.exe [x]
S2 McAPExe;McAfee AP Service;c:\program files\McAfee\MSC\McAPExe.exe;c:\program files\McAfee\MSC\McAPExe.exe [x]
S2 McMPFSvc;McAfee Personal Firewall Service;c:\program files\Common Files\McAfee\Platform\McSvcHost\McSvHost.exe;c:\program files\Common Files\McAfee\Platform\McSvcHost\McSvHost.exe [x]
S2 McNaiAnn;McAfee VirusScan Announcer;c:\program files\Common Files\McAfee\Platform\McSvcHost\McSvHost.exe;c:\program files\Common Files\McAfee\Platform\McSvcHost\McSvHost.exe [x]
S2 mcpltsvc;McAfee Platform Services;c:\program files\Common Files\McAfee\Platform\McSvcHost\McSvHost.exe;c:\program files\Common Files\McAfee\Platform\McSvcHost\McSvHost.exe [x]
S2 mfemms;McAfee Service Controller;c:\program files\Common Files\McAfee\SystemCore\\mfemms.exe;c:\program files\Common Files\McAfee\SystemCore\\mfemms.exe [x]
S3 asmthub3;ASMedia USB3 Hub Service;c:\windows\system32\DRIVERS\asmthub3.sys;c:\windows\SYSNATIVE\DRIVERS\asmthub3.sys [x]
S3 asmtxhci;ASMEDIA XHCI Service;c:\windows\system32\DRIVERS\asmtxhci.sys;c:\windows\SYSNATIVE\DRIVERS\asmtxhci.sys [x]
S3 bpenum;Intel® Centrino® WiMAX Enumerator;c:\windows\system32\DRIVERS\bpenum.sys;c:\windows\SYSNATIVE\DRIVERS\bpenum.sys [x]
S3 bpmp;Intel® Centrino® WiMAX 6050 Series;c:\windows\system32\DRIVERS\bpmp.sys;c:\windows\SYSNATIVE\DRIVERS\bpmp.sys [x]
S3 bpusb;Intel® Centrino® WiMAX 6050 Series Function Driver;c:\windows\system32\Drivers\bpusb.sys;c:\windows\SYSNATIVE\Drivers\bpusb.sys [x]
S3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys;c:\windows\SYSNATIVE\drivers\cfwids.sys [x]
S3 IntcDAud;Intel® Display Audio;c:\windows\system32\DRIVERS\IntcDAud.sys;c:\windows\SYSNATIVE\DRIVERS\IntcDAud.sys [x]
S3 L1C;NDIS Miniport Driver for Atheros AR813x/AR815x PCI-E Ethernet Controller;c:\windows\system32\DRIVERS\L1C62x64.sys;c:\windows\SYSNATIVE\DRIVERS\L1C62x64.sys [x]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys;c:\windows\SYSNATIVE\drivers\mbam.sys [x]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\MBAMSwissArmy.sys;c:\windows\SYSNATIVE\drivers\MBAMSwissArmy.sys [x]
S3 MBAMWebAccessControl;MBAMWebAccessControl;c:\windows\system32\drivers\mwac.sys;c:\windows\SYSNATIVE\drivers\mwac.sys [x]
S3 mfeaack;McAfee Inc. mfeaack;c:\windows\system32\drivers\mfeaack.sys;c:\windows\SYSNATIVE\drivers\mfeaack.sys [x]
S3 mfefire;McAfee Firewall Core Service;c:\program files\Common Files\McAfee\SystemCore\\mfefire.exe;c:\program files\Common Files\McAfee\SystemCore\\mfefire.exe [x]
S3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys;c:\windows\SYSNATIVE\drivers\mfefirek.sys [x]
S3 mfencbdc;McAfee Inc. mfencbdc;c:\windows\system32\DRIVERS\mfencbdc.sys;c:\windows\SYSNATIVE\DRIVERS\mfencbdc.sys [x]
S3 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe;c:\windows\SYSNATIVE\mfevtps.exe [x]
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - MBAMSWISSARMY
*NewlyCreated* - TRUESIGHT
*NewlyCreated* - WINRING0_1_2_0
*Deregistered* - TrueSight
*Deregistered* - WinRing0_1_2_0
.
Contents of the 'Scheduled Tasks' folder
.
2016-08-15 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2016-08-12 11:24]
.
2016-08-15 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2016-08-12 11:24]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ SkyDrivePro1 (ErrorConflict)]
@="{8BA85C75-763B-4103-94EB-9470F12FE0F7}"
[HKEY_CLASSES_ROOT\CLSID\{8BA85C75-763B-4103-94EB-9470F12FE0F7}]
2016-08-13 00:49 2101040 ----a-w- c:\program files (x86)\Microsoft Office\root\VFS\ProgramFilesX64\Microsoft Office\Office16\GROOVEEX.DLL
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ SkyDrivePro2 (SyncInProgress)]
@="{CD55129A-B1A1-438E-A425-CEBC7DC684EE}"
[HKEY_CLASSES_ROOT\CLSID\{CD55129A-B1A1-438E-A425-CEBC7DC684EE}]
2016-08-13 00:49 2101040 ----a-w- c:\program files (x86)\Microsoft Office\root\VFS\ProgramFilesX64\Microsoft Office\Office16\GROOVEEX.DLL
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ SkyDrivePro3 (InSync)]
@="{E768CD3B-BDDC-436D-9C13-E1B39CA257B1}"
[HKEY_CLASSES_ROOT\CLSID\{E768CD3B-BDDC-436D-9C13-E1B39CA257B1}]
2016-08-13 00:49 2101040 ----a-w- c:\program files (x86)\Microsoft Office\root\VFS\ProgramFilesX64\Microsoft Office\Office16\GROOVEEX.DLL
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2015-06-05 173672]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2015-06-05 401512]
"Persistence"="c:\windows\system32\igfxpers.exe" [2015-06-05 444008]
"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RAVCpl64.exe" [2016-08-12 13662936]
"RtHDVBg"="c:\program files\Realtek\Audio\HDA\RAVBg64.exe" [2016-08-12 1368792]
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
mLocal Page = c:\windows\SysWOW64\blank.htm
TCP: DhcpNameServer = 209.18.47.62 209.18.47.61
Handler: mso-minsb-roaming.16 - {83C25742-A9F7-49FB-9138-434302C88D07} - c:\program files (x86)\Microsoft Office\root\Office16\MSOSB.DLL
Handler: mso-minsb.16 - {42089D2D-912D-4018-9087-2B87803E93FB} - c:\program files (x86)\Microsoft Office\root\Office16\MSOSB.DLL
Handler: osf-roaming.16 - {42089D2D-912D-4018-9087-2B87803E93FB} - c:\program files (x86)\Microsoft Office\root\Office16\MSOSB.DLL
Handler: osf.16 - {5504BE45-A83B-4808-900A-3A5C36E7F77A} - c:\program files (x86)\Microsoft Office\root\Office16\MSOSB.DLL
.
- - - - ORPHANS REMOVED - - - -
.
Wow6432Node-HKCU-Run-RESTART_STICKY_NOTES - c:\windows\System32\StikyNot.exe
.
.
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WinRing0_1_2_0]
"ImagePath"="\??\c:\windows_repair_toolbox\Windows_Repair_Toolbox.sys"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SOFTWARE\McAfee]
"SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
   00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,6f,00,66,00,\
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Office\Common\Smart Tag\Actions\{B7EFF951-E52F-45CC-9EF7-57124F2177CC}]
@Denied: (A) (Everyone)
"Solution"="{15727DE6-F92D-4E46-ACB4-0E2C58B31A18}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3]
@Denied: (A) (Everyone)
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3\0]
"Key"="ActionsPane3"
"Location"="c:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTO\\ActionsPane3.xsd"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2016-08-14  18:38:51
ComboFix-quarantined-files.txt  2016-08-15 01:38
ComboFix2.txt  2016-08-12 16:36
.
Pre-Run: 676,663,701,504 bytes free
Post-Run: 676,384,993,280 bytes free
.
- - End Of File - - 61E585B3A93F32C25E66BB7065144BF5
A36C5E4F47E84449FF07ED3517B43A31

Music Is The Reason,

Clint Crisher
Los Angeles, CA
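
The service list in the log above, with its `[x]` entries and the orphaned `WinRing0_1_2_0` service whose ImagePath is `\??\c:\windows_repair_toolbox\Windows_Repair_Toolbox.sys`, is the kind of output an analyst checks against the driver store and against Authenticode before deciding what to remove. The PowerShell below is an added example written for this page, not a tool from the thread, from ComboFix or from Microsoft. It normalises the ImagePath forms that ComboFix and the registry use (`\??\`, `\SystemRoot\`, `%SystemRoot%`, and paths relative to the Windows directory), flags any kernel driver whose image sits outside `%SystemRoot%\System32\drivers` or whose signature does not verify, and runs first on a constructed sample taken from the log entries above and then on the live Services key. It assumes PowerShell 3 or later; the function names are this example's own.

```powershell
# Added example for this page (not from the thread, ComboFix, or Microsoft):
# normalise service ImagePath values and flag kernel drivers that live outside
# the driver store or whose Authenticode signature does not verify.

function ConvertTo-DriverPath {
    param([Parameter(Mandatory)][string]$ImagePath)
    $p = $ImagePath.Trim('"')
    $p = $p -replace '^\\\?\?\\', ''                        # \??\C:\x.sys      -> C:\x.sys
    $p = $p -replace '^\\SystemRoot\\', "$env:SystemRoot\"  # \SystemRoot\...   -> C:\Windows\...
    $p = [Environment]::ExpandEnvironmentVariables($p)      # %SystemRoot%\...  -> C:\Windows\...
    if (-not [IO.Path]::IsPathRooted($p)) {                 # system32\drivers\x.sys is relative to Windows
        $p = Join-Path $env:SystemRoot $p
    }
    return $p
}

function Test-DriverEntry {
    param(
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][string]$ImagePath
    )
    $path    = ConvertTo-DriverPath -ImagePath $ImagePath
    $store   = Join-Path $env:SystemRoot 'System32\drivers'
    $inStore = $path.StartsWith($store, [StringComparison]::OrdinalIgnoreCase)
    $status  = if (Test-Path -LiteralPath $path) {
        (Get-AuthenticodeSignature -LiteralPath $path).Status.ToString()
    } else { 'Missing' }
    [pscustomobject]@{
        Name          = $Name
        Path          = $path
        InDriverStore = $inStore
        Signature     = $status
        Suspicious    = (-not $inStore) -or ($status -ne 'Valid')
    }
}

# Constructed sample: two entries copied from the ComboFix log above.
$sample = @(
    @{ Name = 'WinRing0_1_2_0'; ImagePath = '\??\c:\windows_repair_toolbox\Windows_Repair_Toolbox.sys' }
    @{ Name = 'mbamchameleon';  ImagePath = 'system32\drivers\mbamchameleon.sys' }
)
$sample | ForEach-Object { Test-DriverEntry -Name $_.Name -ImagePath $_.ImagePath } | Format-Table -AutoSize

# Live check: every kernel (Type 1) or file-system (Type 2) driver registered under Services.
$live = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\*' -ErrorAction SilentlyContinue |
    Where-Object { ($_.Type -eq 1 -or $_.Type -eq 2) -and $_.ImagePath } |
    ForEach-Object { Test-DriverEntry -Name $_.PSChildName -ImagePath $_.ImagePath }
$live | Where-Object Suspicious | Sort-Object Name | Format-Table -AutoSize
```

Two caveats when reading the output. On Windows 7, `Get-AuthenticodeSignature` does not consult security catalogs, so inbox drivers that are catalog-signed rather than embedded-signed report `NotSigned`; treat that as a prompt to check the catalog, not as evidence of tampering. Conversely a driver that does verify can still be unwanted: the `WinRing0_1_2_0` entry here belongs to a repair utility the user ran, and the path outside the driver store is what makes it worth a look, not the name alone.
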

#13 Cli7nt

  • Topic Starter
  • Members
  • 30 posts
  • Gender:Male
  • Location:Los Angeles

Posted 14 August 2016 - 08:43 PM

Yes, it ran during the install of updates using WSUS as WOUTempAdmin.



#14 Aura

    Bleepin' Special Ops

  • Malware Response Team
  • 19,697 posts
  • Gender:Male

Posted 14 August 2016 - 08:44 PM

Seems to me like a few PUPs got installed, maybe when you installed your programs after the Windows 7 install, or if you installed other programs after providing me the initial FRST logs. How's the update install coming along?

Security Administrator | Sysnative Windows Update Senior Analyst | Malware Hunter | @SecurityAura
My timezone UTC-05:00 (East. Coast). If I didn't reply to you within 48 hours, please send me a PM.


#15 Cli7nt

  • Topic Starter
  • Members
  • 30 posts
  • Gender:Male
  • Location:Los Angeles

Posted 16 August 2016 - 03:52 PM

I'm so screwed. Every time I'm forced to restart, the desktop.ini file with bleep like this:

[.ShellClassInfo]
LocalizedResourceName=@%SystemRoot%\system32\shell32.dll,-21769
IconResource=%SystemRoot%\system32\imageres.dll,-183

and

[.ShellClassInfo]
LocalizedResourceName=@%SystemRoot%\system32\shell32.dll,-21799

comes back. Whenever I try to run any type of security software, it seems to delete it or stop it by turning my laptop off. I'm just beaten down. Can you please help me?

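
The two desktop.ini bodies quoted in this post use the shell's indirect-string syntax: `@%SystemRoot%\system32\shell32.dll,-21769` tells Explorer to load string resource 21769 from shell32.dll as the folder's display name (on an English system that string is "Desktop"), and `IconResource` names an icon in the same `dll,-id` form. Explorer writes and rewrites these files for its special folders, so the useful question is not whether the file reappears but whether the DLL it names is the genuine copy under System32. The PowerShell below is an added example written for this page, not a tool from the thread or from Microsoft. It parses a desktop.ini body, resolves each indirect string through the same shlwapi call Explorer uses (`SHLoadIndirectString`), and checks that the referenced DLL lives under System32 and carries a valid signature. The sample input is the text quoted above; the P/Invoke declaration and the function names are this example's own, and it assumes PowerShell 3 or later.

```powershell
# Added example for this page (not from the thread or from Microsoft): resolve the
# @dll,-id indirect strings in a desktop.ini and verify the DLLs they point at.

$shlwapi = Add-Type -Namespace Win32 -Name Shlwapi -PassThru -MemberDefinition @'
[DllImport("shlwapi.dll", CharSet = CharSet.Unicode, ExactSpelling = true)]
public static extern int SHLoadIndirectString(string pszSource, System.Text.StringBuilder pszOutBuf, int cchOutBuf, IntPtr ppvReserved);
'@

function Resolve-IndirectString {
    # Returns the display string for '@C:\path\to.dll,-123', or $null if the call fails.
    param([Parameter(Mandatory)][string]$Source)
    $buf = New-Object System.Text.StringBuilder 1024
    $hr  = $shlwapi::SHLoadIndirectString($Source, $buf, $buf.Capacity, [IntPtr]::Zero)
    if ($hr -eq 0) { $buf.ToString() } else { $null }
}

function Test-DesktopIniReference {
    # Splits '@%SystemRoot%\system32\shell32.dll,-21769' (or an IconResource without the '@')
    # into DLL path and resource id, resolves text resources, and verifies the DLL.
    param([Parameter(Mandatory)][string]$Key, [Parameter(Mandatory)][string]$Value)
    $ref = $Value.TrimStart('@')
    $dll, $id = $ref -split ',', 2
    $dll = [Environment]::ExpandEnvironmentVariables($dll)
    $system32   = Join-Path $env:SystemRoot 'System32'
    $inSystem32 = $dll.StartsWith($system32, [StringComparison]::OrdinalIgnoreCase)
    $sig = if (Test-Path -LiteralPath $dll) {
        (Get-AuthenticodeSignature -LiteralPath $dll).Status.ToString()
    } else { 'Missing' }
    # Only string resources (name, tooltip) can be resolved; an icon id is left as-is.
    $text = if ($Key -in 'LocalizedResourceName', 'InfoTip') { Resolve-IndirectString ('@' + $ref) } else { $null }
    [pscustomobject]@{
        Key        = $Key
        Dll        = $dll
        ResourceId = $id
        Resolved   = $text
        InSystem32 = $inSystem32
        Signature  = $sig
        Suspicious = (-not $inSystem32) -or ($sig -ne 'Valid')
    }
}

function Test-DesktopIni {
    # Parses a desktop.ini body and checks every key that references a DLL resource.
    param([Parameter(Mandatory)][string]$Body)
    foreach ($line in ($Body -split "`r?`n")) {
        if ($line -match '^\s*(LocalizedResourceName|IconResource|InfoTip)\s*=\s*(.+?)\s*$') {
            Test-DesktopIniReference -Key $Matches[1] -Value $Matches[2]
        }
    }
}

# Constructed sample: the two desktop.ini bodies quoted in the post above.
$samples = @(
@'
[.ShellClassInfo]
LocalizedResourceName=@%SystemRoot%\system32\shell32.dll,-21769
IconResource=%SystemRoot%\system32\imageres.dll,-183
'@
@'
[.ShellClassInfo]
LocalizedResourceName=@%SystemRoot%\system32\shell32.dll,-21799
'@
)
$samples | ForEach-Object { Test-DesktopIni -Body $_ } | Format-Table -AutoSize

# Live check: every desktop.ini under the current user's profile and the Public profile.
Get-ChildItem -Path $env:USERPROFILE, $env:PUBLIC -Filter desktop.ini -Recurse -Force -ErrorAction SilentlyContinue |
    ForEach-Object { Test-DesktopIni -Body (Get-Content -LiteralPath $_.FullName -Raw) } |
    Where-Object Suspicious | Format-Table -AutoSize
```

A desktop.ini whose references all resolve to signed DLLs under System32 is what a healthy profile looks like, and the `-Recurse -Force` pass is needed because these files are marked hidden and system. The entries worth attention are the ones where `Dll` points outside System32 or `Signature` is not `Valid`, since a desktop.ini can name any DLL on disk and Explorer will load resources from it when the folder is opened.
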



