Just ran GMER - csrss.exe positive hit


10 replies to this topic

#1 HockingBob

HockingBob

  • Members
  • 23 posts
  • OFFLINE
  •  
  • Local time:08:02 PM

Posted 17 August 2016 - 07:27 AM

Just ran GMER and it gave me 2 positive hits on csrss.exe:

1.  C:\WINDOWS\System32\csrss.exe [860:1484] with a value shown of fffff9602fff4030

2.  C:\WINDOWS\System32\csrss.exe [860:1420] with a value shown of fffff9602fff4030

Recommendations?




#2 HockingBob

HockingBob
  • Topic Starter

  • Members
  • 23 posts
  • OFFLINE
  •  
  • Local time:08:02 PM

Posted 18 August 2016 - 08:35 AM

Just ran GMER again after running RKill and it added a few more potential Rootkit / Malware hits.  Here's the report:

 

---- Threads - GMER 2.2 ----
 
Thread  C:\WINDOWS\system32\csrss.exe [868:7076]                                                       fffff9618d184030
Thread  C:\WINDOWS\system32\csrss.exe [868:7104]                                                       fffff9618d184030
Thread  C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\RemindersServer.exe [9004:3420]  00007ffbdf537bd0
Thread  C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\RemindersServer.exe [9004:1356]  00007ffbd0eec040
Thread  C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\RemindersServer.exe [9004:960]   00007ffbd0eec040
Thread  C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\RemindersServer.exe [9004:9060]  00007ffbcfaeada0
Thread  C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\RemindersServer.exe [9004:7912]  00007ffbc5c70f20
Thread  C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\RemindersServer.exe [9004:9336]  00007ffbcfa93310
Thread  C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\RemindersServer.exe [9004:8132]  00007ffbdba57650
Thread  C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\RemindersServer.exe [9004:3540]  00007ffbd6fb1c70
Thread  C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\RemindersServer.exe [9004:7796]  00007ffbdbaea890
Thread  C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\RemindersServer.exe [9004:5596]  00007ffbd4dde200
 
---- EOF - GMER 2.2 ----

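The GMER "Threads" section above is easier to reason about once it is parsed into records rather than read line by line. The following is an added example written for this page, not code from the thread or from GMER: it parses the `Thread  <image> [PID:TID]  <start address>` lines into per-process summaries and separates start addresses in the kernel half of the x64 address space (such as the `fffff961...` values on the csrss.exe threads) from user-mode ones, and it reports how many distinct start addresses each process has. The sample log is a shortened copy of the one posted above, and the kernel/user split relies on the canonical x64 layout (kernel addresses at or above `0xFFFF800000000000`); the interpretation that one shared start address across two threads is a weaker signal than many scattered ones is the editor's reading, not a statement from the thread.

```python
import re
from collections import defaultdict

# Constructed sample input: the "Threads" section of the GMER 2.2 log posted
# above, shortened to five lines (raw string, so the backslashes stay literal).
GMER_SAMPLE = r"""
---- Threads - GMER 2.2 ----

Thread  C:\WINDOWS\system32\csrss.exe [868:7076]                                                       fffff9618d184030
Thread  C:\WINDOWS\system32\csrss.exe [868:7104]                                                       fffff9618d184030
Thread  C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\RemindersServer.exe [9004:3420]  00007ffbdf537bd0
Thread  C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\RemindersServer.exe [9004:1356]  00007ffbd0eec040
Thread  C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\RemindersServer.exe [9004:960]   00007ffbd0eec040

---- EOF - GMER 2.2 ----
"""

# One GMER thread line: "Thread  <image path> [PID:TID]  <16 hex digit start address>"
THREAD_RE = re.compile(
    r"^Thread\s+(?P<image>.+?)\s+\[(?P<pid>\d+):(?P<tid>\d+)\]\s+(?P<start>[0-9a-fA-F]{16})\s*$"
)

# On x64 Windows the kernel occupies the upper canonical half of the address
# space, so a start address at or above this value lies inside a kernel module.
KERNEL_BASE = 0xFFFF800000000000


def parse_threads(text):
    """Return one dict per 'Thread' line: image, pid, tid, start (as an int)."""
    threads = []
    for line in text.splitlines():
        m = THREAD_RE.match(line)
        if m:
            threads.append({
                "image": m.group("image"),
                "pid": int(m.group("pid")),
                "tid": int(m.group("tid")),
                "start": int(m.group("start"), 16),
            })
    return threads


def is_kernel_address(addr):
    """True when the thread start address is in the kernel half of the x64 space."""
    return addr >= KERNEL_BASE


def summarize_by_process(threads):
    """Group thread records by PID and count kernel-half vs user-half starts.

    'distinct_starts' shows whether the flagged threads of a process share one
    start address (as the two csrss.exe threads above do) or fan out over many;
    that is the first thing to check before reading a GMER thread hit as
    evidence of injected code.
    """
    summary = {}
    starts = defaultdict(set)
    for t in threads:
        entry = summary.setdefault(t["pid"], {"image": t["image"], "kernel": 0, "user": 0})
        entry["kernel" if is_kernel_address(t["start"]) else "user"] += 1
        starts[t["pid"]].add(t["start"])
    for pid, entry in summary.items():
        entry["distinct_starts"] = len(starts[pid])
    return summary


if __name__ == "__main__":
    for pid, info in summarize_by_process(parse_threads(GMER_SAMPLE)).items():
        print(pid, info)
```

Running it on the sample gives two groups: PID 868 (csrss.exe) with two kernel-half threads sharing a single start address, and PID 9004 (RemindersServer.exe) with three user-mode threads over two addresses. Neither pattern is acted on in nasdaq's later fixlist, which matches what the summary shows: nothing here points at an unexpected process or at a spread of unusual start addresses.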

#3 nasdaq

nasdaq

  • Malware Response Team
  • 40,510 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:08:02 PM

Posted 18 August 2016 - 10:10 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can, please print this topic; it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

--RogueKiller--
  • Download & SAVE to your Desktop: Download RogueKiller
  • Quit all programs that you may have started.
  • Please disconnect any USB or external drives from the computer before you run this scan!
  • For Vista or above, right-click the program file and select "Run as Administrator"
  • Accept the user agreements.
  • Execute the scan and wait until it has finished.
  • If a window opens to explain what PUMs are, read about it.
  • Click the RogueKiller icon on your taskbar to return to the report.
  • Click open the Report
  • Click Export TXT button
  • Save the file as ReportRogue.txt
  • Click the Remove button to delete the items in RED
  • Click Finish and close the program.
  • Locate the ReportRogue.txt file on your Desktop and copy/paste the contents in your next reply.
=======

Download the version of this tool for your operating system.
Farbar Recovery Scan Tool (64 bit)
Farbar Recovery Scan Tool (32 bit)
and save it to a folder on your computer's Desktop.
Double-click to run it. When the tool opens click Yes to disclaimer.
Press Scan button.
It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply.

How to attach a file to your reply:
In the Reply section at the bottom of the topic, click the "More Reply Options" button.

Attach the file.
Select "Choose a File" and navigate to the location of the file.
Click the file you wish to Attach.

Click the Add reply button.
===

Please post the logs.

Wait for further instructions.

#4 HockingBob

HockingBob
  • Topic Starter

  • Members
  • 23 posts
  • OFFLINE
  •  
  • Local time:08:02 PM

Posted 19 August 2016 - 05:12 AM

Thank you for your help.  :-)

 

Attached Files



#5 nasdaq

nasdaq

  • Malware Response Team
  • 40,510 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:08:02 PM

Posted 19 August 2016 - 09:20 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can, please print this topic; it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

Press the Windows key + R on your keyboard at the same time. This will open the Run box.
Type Notepad and click OK.
Please copy the entire contents of the code box below to a new file.
 
start

CreateRestorePoint:
EmptyTemp:
CloseProcesses:

HKLM-x32\...\Run: [] => [X]
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
HKU\S-1-5-21-2277035199-1240022929-2395763791-1000\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
FF Plugin: adobe.com/AdobeAAMDetect -> C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\CCM\Utilities\npAdobeAAMDetect64.dll [No File]
CHR Plugin: (Widevine Content Decryption Module) - C:\Users\Bob's Box\AppData\Local\Google\Chrome\User Data\WidevineCDM\1.4.8.824\_platform_specific\win_x86\widevinecdmadapter.dll => No File
CHR Plugin: (Shockwave Flash) - C:\Users\Bob's Box\AppData\Local\Google\Chrome\User Data\PepperFlash\19.0.0.226\pepflashplayer.dll => No File
CHR Extension: (Norton Security Toolbar) - C:\Users\Bob's Box\AppData\Local\Google\Chrome\User Data\Default\Extensions\cjabmdjcfcfdmffimndhafhblfmpjdpe [2016-07-01]
CHR Extension: (Chrome Web Store Payments) - C:\Users\Bob's Box\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2016-04-25]
CHR HKLM\...\Chrome\Extension: [iikflkcanblccfahdhdonehdalibjnif] - hxxps://clients2.google.com/service/update2/crx
U3 idsvc; no ImagePath
S3 NAVENG; \??\C:\Program Files (x86)\Norton Internet Security\NortonData\22.5.0.124\Definitions\SDSDefs\20160713.021\ENG64.SYS [X]
S3 NAVEX15; \??\C:\Program Files (x86)\Norton Internet Security\NortonData\22.5.0.124\Definitions\SDSDefs\20160713.021\EX64.SYS [X]
C:\Users\Bob's Box\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda
CustomCLSID: HKU\S-1-5-21-2277035199-1240022929-2395763791-1000_Classes\CLSID\{004B49B7-11B9-5058-FF22-08DD093ADC4B}\InprocServer32 -> {1FC05C39-9468-D082-6FCC-B1EE85889A47} => No File
CustomCLSID: HKU\S-1-5-21-2277035199-1240022929-2395763791-1000_Classes\CLSID\{DD0822FF-3A09-4BDC-B749-4B00B9115850}\InprocServer32 -> {58FD5889-9468-D082-DFC8-8CA985889A47} => No File
Task: {200E0C2B-DB5A-40C8-8701-A89FE8DF8F5E} - System32\Tasks\{06005832-0DB8-46C9-8FB2-8A9140809CF7} => pcalua.exe -a D:\Wizard.exe -d D:\
Task: {2D7D1DD9-BC48-4C6F-8C62-3E91F4E0EFC1} - \Microsoft\Windows\Setup\GWXTriggers\Telemetry-4xd -> No File <==== ATTENTION
Task: {415AA7ED-45A2-4981-A124-CE7E283CD676} - \Microsoft\Windows\Setup\gwx\refreshgwxconfig -> No File <==== ATTENTION
Task: {4370B294-CCA6-4344-8436-29838EE55D73} - \Microsoft\Windows\Setup\gwx\refreshgwxcontent -> No File <==== ATTENTION
Task: {4CFDFA3F-F17A-42AF-A09A-3AC30A367062} - System32\Tasks\{C0C6A7DC-195C-4A6C-BCE0-A90AEEB2A888} => pcalua.exe -a "C:\Users\Bob's Box\Documents\My Completed Downloads\ComboFix.exe" -d "C:\Users\Bob's Box\Documents\My Completed Downloads"
Task: {578DF6AA-F6FA-4C20-9584-FFD1ACDF4BB2} - \Microsoft\Windows\Setup\GWXTriggers\refreshgwxconfig-B -> No File <==== ATTENTION
Task: {586D6391-DA52-4CBA-ACBE-F02B5BD6068A} - \Microsoft\Windows\Setup\GWXTriggers\OutOfSleep-5d -> No File <==== ATTENTION
Task: {65F0FAC2-B983-433F-8C40-7814046A77E7} - \Microsoft\Windows\Setup\GWXTriggers\Time-5d -> No File <==== ATTENTION
Task: {B0AB159E-41C5-4909-A2EB-3A33751964E2} - \Microsoft\Windows\Setup\GWXTriggers\MachineUnlock-5d -> No File <==== ATTENTION
Task: {C390B3C2-ABDD-4AEE-8F6C-92D9319832E4} - \Microsoft\Windows\Setup\gwx\launchtrayprocess -> No File <==== ATTENTION
Task: {C86DC407-BC91-47B3-AEB6-5AA8730732B0} - \Microsoft\Windows\Setup\gwx\refreshgwxconfigandcontent -> No File <==== ATTENTION
Task: {C88CC1DD-4FC2-4AE0-8F12-D5189498ABFB} - \Microsoft\Windows\Setup\GWXTriggers\Logon-5d -> No File <==== ATTENTION
Task: {E7385E19-49C3-4AFB-9CD3-766B52590FF9} - \Microsoft\Windows\Setup\GWXTriggers\OutOfIdle-5d -> No File <==== ATTENTION
AlternateDataStreams: C:\WINDOWS\SysWOW64\Comctl32.ocx:$CmdTcID [64]
AlternateDataStreams: C:\WINDOWS\SysWOW64\Cp5dll32.dll:$CmdTcID [64]
AlternateDataStreams: C:\WINDOWS\SysWOW64\Flp32a30.ocx:$CmdTcID [64]
AlternateDataStreams: C:\WINDOWS\SysWOW64\Msexcl35.dll:$CmdTcID [64]
AlternateDataStreams: C:\WINDOWS\SysWOW64\msjet35.dll:$CmdTcID [64]
AlternateDataStreams: C:\WINDOWS\SysWOW64\msjint35.dll:$CmdTcID [64]
AlternateDataStreams: C:\WINDOWS\SysWOW64\msjter35.dll:$CmdTcID [64]
AlternateDataStreams: C:\WINDOWS\SysWOW64\msrd2x35.dll:$CmdTcID [64]
AlternateDataStreams: C:\WINDOWS\SysWOW64\msrepl35.dll:$CmdTcID [64]
AlternateDataStreams: C:\WINDOWS\SysWOW64\Mstext35.dll:$CmdTcID [64]
AlternateDataStreams: C:\WINDOWS\SysWOW64\Mswinsck.ocx:$CmdTcID [64]
AlternateDataStreams: C:\WINDOWS\SysWOW64\pbsvc.exe:$CmdTcID [64]
AlternateDataStreams: C:\WINDOWS\SysWOW64\Richtx32.ocx:$CmdTcID [64]
AlternateDataStreams: C:\WINDOWS\SysWOW64\Rsrc32.dll:$CmdTcID [64]
AlternateDataStreams: C:\WINDOWS\SysWOW64\Ssdw3b32.ocx:$CmdTcID [64]
AlternateDataStreams: C:\WINDOWS\SysWOW64\Ssmedt32.dll:$CmdTcID [64]
AlternateDataStreams: C:\WINDOWS\SysWOW64\Ssprn32.dll:$CmdTcID [64]
AlternateDataStreams: C:\WINDOWS\SysWOW64\tab32x30.ocx:$CmdTcID [64]
AlternateDataStreams: C:\WINDOWS\SysWOW64\TAXPDF.DLL:$CmdTcID [64]
AlternateDataStreams: C:\WINDOWS\SysWOW64\Vb5db.dll:$CmdTcID [64]
AlternateDataStreams: C:\WINDOWS\SysWOW64\Vb5stkit.dll:$CmdTcID [64]
AlternateDataStreams: C:\WINDOWS\SysWOW64\Vbar332.dll:$CmdTcID [64]
AlternateDataStreams: C:\WINDOWS\SysWOW64\VBPrnDlg.dll:$CmdTcID [64]
AlternateDataStreams: C:\WINDOWS\system32\Drivers\Ext2Fsd.sys:$CmdTcID [64]
AlternateDataStreams: C:\WINDOWS\system32\Drivers\gwdrv.sys:$CmdTcID [64]
AlternateDataStreams: C:\WINDOWS\system32\Drivers\oodisr.sys:$CmdTcID [64]
AlternateDataStreams: C:\WINDOWS\system32\Drivers\oodisrh.sys:$CmdTcID [64]
AlternateDataStreams: C:\WINDOWS\system32\Drivers\oodivd.sys:$CmdTcID [64]
AlternateDataStreams: C:\WINDOWS\system32\Drivers\oodivdh.sys:$CmdTcID [64]
AlternateDataStreams: C:\ProgramData\TEMP:0FF263E8 [380]
AlternateDataStreams: C:\ProgramData\TEMP:933B2316 [124]
AlternateDataStreams: C:\ProgramData\TEMP:A50487F0 [233]
AlternateDataStreams: C:\Users\Bob's Box\Desktop\exiftool(-overwrite_original_in_place -all=).exe:$CmdTcID [64]
AlternateDataStreams: C:\Users\Bob's Box\Downloads\02 - Sweet Home Alabama (Karaoke Instrumental Track)[In the style of Lynyrd Skynyrd].mp3:$CmdZnID [26]
AlternateDataStreams: C:\Users\Bob's Box\Downloads\1490_001.pdf:$CmdZnID [26]
AlternateDataStreams: C:\Users\Bob's Box\Downloads\150334 Jeffrey Machine_ES.zip:$CmdZnID [26]
AlternateDataStreams: C:\Users\Bob's Box\Downloads\AdwCleaner.exe:$CmdTcID [64]
AlternateDataStreams: C:\Users\Bob's Box\Downloads\AdwCleaner.exe:$CmdZnID [26]
AlternateDataStreams: C:\Users\Bob's Box\Downloads\adwcleaner_4.203.exe:$CmdTcID [64]
AlternateDataStreams: C:\Users\Bob's Box\Downloads\adwcleaner_4.203.exe:$CmdZnID [26]
AlternateDataStreams: C:\Users\Bob's Box\Downloads\Alleged contradictions in the Bible-Feb 10.docx:$CmdZnID [26]
AlternateDataStreams: C:\Users\Bob's Box\Downloads\anki-2.0.32.exe:$CmdZnID [26]
AlternateDataStreams: C:\Users\Bob's Box\Downloads\bbblogosbw091010_large.png:$CmdZnID [26]
AlternateDataStreams: C:\Users\Bob's Box\Downloads\Belling Tools.zip:$CmdZnID [26]
AlternateDataStreams: C:\Users\Bob's Box\Downloads\ccsetup501.exe:$CmdTcID [64]
AlternateDataStreams: C:\Users\Bob's Box\Downloads\ccsetup501.exe:$CmdZnID [26]
AlternateDataStreams: C:\Users\Bob's Box\Downloads\ccsetup502.exe:$CmdZnID [26]
AlternateDataStreams: C:\Users\Bob's Box\Downloads\ccsetup505 (1).exe:$CmdTcID [64]
AlternateDataStreams: C:\Users\Bob's Box\Downloads\ccsetup505 (1).exe:$CmdZnID [26]
AlternateDataStreams: C:\Users\Bob's Box\Downloads\ccsetup505.exe:$CmdTcID [64]
AlternateDataStreams: C:\Users\Bob's Box\Downloads\ccsetup505.exe:$CmdZnID [26]
AlternateDataStreams: C:\Users\Bob's Box\Downloads\Current Information for Church Reports (1).pdf:$CmdZnID [26]
AlternateDataStreams: C:\Users\Bob's Box\Downloads\Current Information for Church Reports (2).pdf:$CmdZnID [26]
AlternateDataStreams: C:\Users\Bob's Box\Downloads\Eraser 6.2.0.2962.exe:$CmdZnID [26]
AlternateDataStreams: C:\Users\Bob's Box\Downloads\ES_jmcatalog_combo1502181144-5.pdf:$CmdZnID [26]
AlternateDataStreams: C:\Users\Bob's Box\Downloads\exiftool-9.82.zip:$CmdZnID [26]
AlternateDataStreams: C:\Users\Bob's Box\Downloads\exiftoolgui515.zip:$CmdZnID [26]
AlternateDataStreams: C:\Users\Bob's Box\Downloads\ExpandingTextBox.pdf:$CmdZnID [26]
AlternateDataStreams: C:\Users\Bob's Box\Downloads\FileZilla_3.10.1.1_win32-setup.exe:$CmdTcID [130]
AlternateDataStreams: C:\Users\Bob's Box\Downloads\ghostpdl-9.16.tar.gz:$CmdZnID [26]
AlternateDataStreams: C:\Users\Bob's Box\Downloads\GlassWireSetup.exe:$CmdTcID [64]
AlternateDataStreams: C:\Users\Bob's Box\Downloads\GlassWireSetup.exe:$CmdZnID [26]
AlternateDataStreams: C:\Users\Bob's Box\Downloads\GoodSync-Setup.exe:$CmdZnID [26]
AlternateDataStreams: C:\Users\Bob's Box\Downloads\gs916w64.exe:$CmdTcID [64]
AlternateDataStreams: C:\Users\Bob's Box\Downloads\gs916w64.exe:$CmdZnID [26]
AlternateDataStreams: C:\Users\Bob's Box\Downloads\history (1).csv:$CmdZnID [26]
AlternateDataStreams: C:\Users\Bob's Box\Downloads\history.csv:$CmdZnID [26]
AlternateDataStreams: C:\Users\Bob's Box\Downloads\Image-ExifTool-9.82.tar.gz:$CmdZnID [26]
AlternateDataStreams: C:\Users\Bob's Box\Downloads\jmcatalog_ noted.pdf:$CmdZnID [26]
AlternateDataStreams: C:\Users\Bob's Box\Downloads\jmcatalog_combo1502181144 14.zip:$CmdZnID [26]
AlternateDataStreams: C:\Users\Bob's Box\Downloads\JRT (1).exe:$CmdTcID [64]
AlternateDataStreams: C:\Users\Bob's Box\Downloads\JRT (1).exe:$CmdZnID [26]
AlternateDataStreams: C:\Users\Bob's Box\Downloads\JRT (2).exe:$CmdTcID [64]
AlternateDataStreams: C:\Users\Bob's Box\Downloads\JRT (2).exe:$CmdZnID [26]
AlternateDataStreams: C:\Users\Bob's Box\Downloads\MediaKit.pdf:$CmdZnID [26]
AlternateDataStreams: C:\Users\Bob's Box\Downloads\Membership_4-12-2015.pdf:$CmdZnID [26]
AlternateDataStreams: C:\Users\Bob's Box\Downloads\MemClean.exe:$CmdZnID [26]
AlternateDataStreams: C:\Users\Bob's Box\Downloads\MiniToolBox.exe:$CmdTcID [64]
AlternateDataStreams: C:\Users\Bob's Box\Downloads\MiniToolBox.exe:$CmdZnID [26]
AlternateDataStreams: C:\Users\Bob's Box\Downloads\Multipurpose v2.PDF:$CmdZnID [26]
AlternateDataStreams: C:\Users\Bob's Box\Downloads\naps2-2.6.3-setup (1).exe:$CmdTcID [64]
AlternateDataStreams: C:\Users\Bob's Box\Downloads\naps2-2.6.3-setup (1).exe:$CmdZnID [26]
AlternateDataStreams: C:\Users\Bob's Box\Downloads\OffCAT v2 ReadMe.docx:$CmdTcID [64]
AlternateDataStreams: C:\Users\Bob's Box\Downloads\OffCAT v2 ReadMe.docx:$CmdZnID [26]
AlternateDataStreams: C:\Users\Bob's Box\Downloads\Offer Letter- Amanda Green -  Athens Messenger.pdf:$CmdZnID [26]
AlternateDataStreams: C:\Users\Bob's Box\Downloads\OriginSetup.exe:$CmdTcID [64]
AlternateDataStreams: C:\Users\Bob's Box\Downloads\OriginSetup.exe:$CmdZnID [26]
AlternateDataStreams: C:\Users\Bob's Box\Downloads\OriginThinSetup.exe:$CmdZnID [26]
AlternateDataStreams: C:\Users\Bob's Box\Downloads\p7_CCM_253.zip:$CmdZnID [26]
AlternateDataStreams: C:\Users\Bob's Box\Downloads\p7_CSSPBM_109.zip:$CmdZnID [26]
AlternateDataStreams: C:\Users\Bob's Box\Downloads\PEST CONTROL or PESTICIDE - PowerPoint Presentation 2-13-2015.ppsx:$CmdZnID [26]
AlternateDataStreams: C:\Users\Bob's Box\Downloads\Portable PDF Unlocker x86 x64 2.1.7z:$CmdZnID [26]
AlternateDataStreams: C:\Users\Bob's Box\Downloads\Press Release - The Space-Aged Solution to an Age-Old Problem.pdf:$CmdZnID [26]
AlternateDataStreams: C:\Users\Bob's Box\Downloads\ProcessExplorer.zip:$CmdTcID [64]
AlternateDataStreams: C:\Users\Bob's Box\Downloads\ProcessExplorer.zip:$CmdZnID [26]
AlternateDataStreams: C:\Users\Bob's Box\Downloads\qrcode.27744747.png:$CmdZnID [26]
AlternateDataStreams: C:\Users\Bob's Box\Downloads\RecentPageload-P6316426-2015-02-19T11-12-53--2015-03-25T13-05-57-5-length.csv:$CmdZnID [26]
AlternateDataStreams: C:\Users\Bob's Box\Downloads\RecentPageload-P6316426-2015-02-19T11-12-53--2015-03-25T13-19-22-5-length.csv:$CmdZnID [26]
AlternateDataStreams: C:\Users\Bob's Box\Downloads\RecentVisitor-P6316426-2015-02-19T11-12-53--2015-03-24T12-26-26--NHI.csv:$CmdZnID [26]
AlternateDataStreams: C:\Users\Bob's Box\Downloads\rkill (1).exe:$CmdTcID [64]
AlternateDataStreams: C:\Users\Bob's Box\Downloads\rkill (1).exe:$CmdZnID [26]
AlternateDataStreams: C:\Users\Bob's Box\Downloads\rkill.exe:$CmdTcID [64]
AlternateDataStreams: C:\Users\Bob's Box\Downloads\rkill.exe:$CmdZnID [26]
AlternateDataStreams: C:\Users\Bob's Box\Downloads\Search results for core.zip:$CmdZnID [26]
AlternateDataStreams: C:\Users\Bob's Box\Downloads\Setup-NB-Prof-DL.exe:$CmdTcID [64]
AlternateDataStreams: C:\Users\Bob's Box\Downloads\setup_wipe (1).exe:$CmdZnID [26]
AlternateDataStreams: C:\Users\Bob's Box\Downloads\si_brochure_8_en.pdf:$CmdZnID [26]
AlternateDataStreams: C:\Users\Bob's Box\Downloads\SteamSetup.exe:$CmdTcID [64]
AlternateDataStreams: C:\Users\Bob's Box\Downloads\SteamSetup.exe:$CmdZnID [26]
AlternateDataStreams: C:\Users\Bob's Box\Downloads\tdsskiller (2).exe:$CmdTcID [130]
AlternateDataStreams: C:\Users\Bob's Box\Downloads\tdsskiller (2).exe:$CmdZnID [26]
AlternateDataStreams: C:\Users\Bob's Box\Downloads\tdsskiller (3).exe:$CmdTcID [64]
AlternateDataStreams: C:\Users\Bob's Box\Downloads\tdsskiller (3).exe:$CmdZnID [26]
AlternateDataStreams: C:\Users\Bob's Box\Downloads\tdsskiller (4).exe:$CmdTcID [64]
AlternateDataStreams: C:\Users\Bob's Box\Downloads\tdsskiller (4).exe:$CmdZnID [26]
AlternateDataStreams: C:\Users\Bob's Box\Downloads\torbrowser-install-4.0.8_en-US.exe:$CmdTcID [64]
AlternateDataStreams: C:\Users\Bob's Box\Downloads\torbrowser-install-4.0.8_en-US.exe:$CmdZnID [26]
AlternateDataStreams: C:\Users\Bob's Box\Downloads\TP010186391.cab:$CmdZnID [26]
AlternateDataStreams: C:\Users\Bob's Box\Downloads\UplayInstaller.exe:$CmdTcID [130]
AlternateDataStreams: C:\Users\Bob's Box\Downloads\UplayInstaller.exe:$CmdZnID [26]
AlternateDataStreams: C:\Users\Bob's Box\Downloads\vcredist_x86.exe:$CmdTcID [64]
AlternateDataStreams: C:\Users\Bob's Box\Downloads\vcredist_x86.exe:$CmdZnID [26]
AlternateDataStreams: C:\Users\Bob's Box\Downloads\wampserver2.5-Apache-2.4.9-Mysql-5.6.17-php5.5.12-64b.exe:$CmdZnID [26]
DeleteKey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\COMODO Internet Security
DeleteKey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\tvncontrol

End
Save the file as fixlist.txt in the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the Farbar log you have submitted.

Run FRST and click Fix only once and wait.

Restart the computer normally to reset the registry.

The tool will create a log (Fixlog.txt); please post it in your reply.
===

Please post the log and let me know what problem persists.

Edited by nasdaq, 19 August 2016 - 09:20 AM.

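A fixlist like the one above is a mixed bag of FRST directives (CreateRestorePoint:, EmptyTemp:, CloseProcesses:, DeleteKey:) and lines lifted straight from the FRST log (Task:, AlternateDataStreams:, CustomCLSID:, plugin and extension entries), so before pressing Fix it is worth tallying what it actually touches. The following is an added example written for this page, not a tool from FRST or from the thread: it checks the `start` ... `End` wrapper, counts directives by type, splits every AlternateDataStreams line into file, stream name and size (the stream name is whatever follows the last colon, which is why `C:\ProgramData\TEMP:0FF263E8` parses correctly), and separates scheduled tasks that point at a missing file from those that still carry a command, flagging the ones wrapped in `pcalua.exe`, the Windows Program Compatibility Assistant launcher. The sample is a shortened copy of nasdaq's fixlist; the helper names are the editor's own, and which stream tags belong to which product is left to the reader rather than asserted here.

```python
import re
from collections import Counter

# Constructed sample: a shortened copy of the FRST fixlist posted above
# (raw string, so the Windows backslashes stay literal).
FIXLIST_SAMPLE = r"""start
CreateRestorePoint:
EmptyTemp:
CloseProcesses:
HKLM-x32\...\Run: [] => [X]
Task: {200E0C2B-DB5A-40C8-8701-A89FE8DF8F5E} - System32\Tasks\{06005832-0DB8-46C9-8FB2-8A9140809CF7} => pcalua.exe -a D:\Wizard.exe -d D:\
Task: {2D7D1DD9-BC48-4C6F-8C62-3E91F4E0EFC1} - \Microsoft\Windows\Setup\GWXTriggers\Telemetry-4xd -> No File <==== ATTENTION
AlternateDataStreams: C:\WINDOWS\SysWOW64\Comctl32.ocx:$CmdTcID [64]
AlternateDataStreams: C:\ProgramData\TEMP:0FF263E8 [380]
AlternateDataStreams: C:\Users\Bob's Box\Downloads\rkill.exe:$CmdTcID [64]
AlternateDataStreams: C:\Users\Bob's Box\Downloads\rkill.exe:$CmdZnID [26]
DeleteKey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\COMODO Internet Security
End
"""

# "AlternateDataStreams: <file path>:<stream name> [<size in bytes>]".
# The file group is greedy, so the stream is whatever follows the LAST colon;
# the stream name itself may not contain colons, backslashes or brackets.
ADS_RE = re.compile(
    r"^AlternateDataStreams: (?P<file>.+):(?P<stream>[^:\\\[\]]+) \[(?P<size>\d+)\]$"
)


def parse_task(line):
    """Split a 'Task: {GUID} - <name> => <command>' or '... -> No File' line."""
    body = line[len("Task: "):]
    task_id, _, rest = body.partition(" - ")
    rest = rest.replace(" <==== ATTENTION", "")          # FRST's own highlight marker
    if " => " in rest:
        name, _, command = rest.partition(" => ")
        return {"id": task_id.strip("{}"), "name": name, "command": command, "missing": False}
    name = rest.replace(" -> No File", "")
    return {"id": task_id.strip("{}"), "name": name, "command": None,
            "missing": rest.endswith("-> No File")}


def triage_fixlist(text):
    """Summarise what a fixlist will touch before it is handed to FRST."""
    lines = [ln.rstrip() for ln in text.splitlines() if ln.strip()]
    if not lines or lines[0].lower() != "start" or lines[-1].lower() != "end":
        raise ValueError("fixlist must be wrapped in 'start' ... 'End'")
    result = {"directives": Counter(), "streams": [], "stream_tags": Counter(), "tasks": []}
    for line in lines[1:-1]:
        head = line.split(":", 1)[0]        # e.g. "AlternateDataStreams", "Task", "DeleteKey"
        result["directives"][head] += 1
        m = ADS_RE.match(line)
        if m:
            rec = {"file": m.group("file"), "stream": m.group("stream"), "size": int(m.group("size"))}
            result["streams"].append(rec)
            result["stream_tags"][rec["stream"]] += 1
        elif line.startswith("Task: "):
            result["tasks"].append(parse_task(line))
    return result


def tasks_via_pcalua(tasks):
    """Tasks whose command is wrapped in the Program Compatibility Assistant launcher."""
    return [t for t in tasks if t["command"] and t["command"].lower().startswith("pcalua.exe")]


if __name__ == "__main__":
    r = triage_fixlist(FIXLIST_SAMPLE)
    print(dict(r["directives"]))
    print(dict(r["stream_tags"]))
    for t in r["tasks"]:
        print("missing" if t["missing"] else "present", t["name"], t["command"])
    print("pcalua-wrapped:", [t["name"] for t in tasks_via_pcalua(r["tasks"])])
```

The stream-tag counter is the useful output on this particular list: the full fixlist removes dozens of `$CmdTcID` and `$CmdZnID` streams spread across system DLLs, drivers and downloads, and seeing the same two tags repeated everywhere is what tells you they were written by one product rather than by a dropper picking files at random. The task split matters for the opposite reason: entries pointing at "No File" are dead registrations, while the `pcalua.exe` entries here wrap programs the user launched himself (ComboFix, an installer on D:), which is the sort of thing to confirm with the user before deleting.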

#6 HockingBob

HockingBob
  • Topic Starter

  • Members
  • 23 posts
  • OFFLINE
  •  
  • Local time:08:02 PM

Posted 19 August 2016 - 11:56 AM

Testing



#7 HockingBob

HockingBob
  • Topic Starter

  • Members
  • 23 posts
  • OFFLINE
  •  
  • Local time:08:02 PM

Posted 19 August 2016 - 12:44 PM

Attached File  Fixlog.txt   33.71KB   0 downloads

 

File attached.



#8 HockingBob

HockingBob
  • Topic Starter

  • Members
  • 23 posts
  • OFFLINE
  •  
  • Local time:08:02 PM

Posted 19 August 2016 - 12:47 PM

Right after restarting I lost most of my Desktop so I rebooted and everything came back.  I've noticed some anomalies such as my apache server not loading.  Did you want me to run Rogue Killer again or was there another program you'd prefer?



#9 nasdaq

nasdaq

  • Malware Response Team
  • 40,510 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:08:02 PM

Posted 19 August 2016 - 01:32 PM

Were you able to run the Apache server?

You previously had Comodo on the computer and I removed all the remaining traces.
That might be the reason the server was not found. Not sure.

What is the current situation with the computer?

#10 HockingBob

HockingBob
  • Topic Starter

  • Members
  • 23 posts
  • OFFLINE
  •  
  • Local time:08:02 PM

Posted 19 August 2016 - 02:02 PM

Seems to be running okay.  Regarding the Comodo, that might have been the reason I've had troubles with my localhost.  I'll probably just go get the latest version of Wamp, do a complete uninstall / reinstall.  Thank you for the help and the work you've done on my machine.  It is immensely appreciated!!  If it weren't for bleepingcomputer, I and so many others would just simply be dead in the water.



#11 nasdaq

nasdaq

  • Malware Response Team
  • 40,510 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:08:02 PM

Posted 20 August 2016 - 06:42 AM

If all is well.

To learn more about how to protect yourself while on the internet, read this little guide on best security practices to keep safe.
http://www.bleepingcomputer.com/forums/t/407147/answers-to-common-security-questions-best-practices/
