
I think I'm infected but I can't find it....


15 replies to this topic

#1 Tim2017

Posted 11 February 2017 - 03:45 PM

Hi,

 

I've had problems before, I think I was hacked in the past.  I've had weird things happen with my PC, crashing for no reason, internet disconnecting and the mouse and keyboard not working.  Really silly stuff..... Since I formatted the PC everything has been fine until recently.  The same kind of stuff as before, I've checked the event viewer with nothing really standing out.  I have Avira Pro installed with nothing showing up in the scans and Malwarebytes Free as a standalone scanner, again with nothing showing.  I installed Metadefender (http://www.softpedia.com/get/Antivirus/Metascan.shtml) and it showed two IP addresses known for malware (69.16.175.42 and 69.16.175.10).  I'm not sure if Metadefender is the best program to use; if I am infected then I would have thought Avira Pro would detect something... if I am being hacked then I need some advice.


Edited by Chris Cosgrove, 11 February 2017 - 06:11 PM.
Moved from Win 10 to 'Am I infected?'



#2 dc3

Posted 11 February 2017 - 06:29 PM

This by itself doesn't sound like malware, but it could be a hardware problem.

 

Please download and install Speccy to provide us with information about your computer.  Clicking on this link will automatically initiate the download.

The one piece of information the Speccy will not provide is the make and model of your PSU.  If you know what it is please post this along with the Speccy link which will be generated.

When Speccy opens you will see a screen similar to the one below.

[screenshot omitted]
 
Click on File which is outlined in red in the screen above, and then click on Publish Snapshot.
 
The following screen will appear, click on Yes.
 
[screenshot omitted]
 
The following screen will appear, click on Copy to Clipboard.
 
[screenshot omitted]
 
In your next post right click inside the Reply to Topic box, then click on Paste.  This will load a link to the Speccy log.


Family and loved ones will always be a priority in my daily life.  You never know when one will leave you.

#3 Tim2017

Posted 12 February 2017 - 03:26 AM

http://speccy.piriform.com/results/qPYiO3BvU6FFKcyGTC4ODsJ



#4 dc3

Posted 12 February 2017 - 10:11 AM

The Speccy didn't show anything that I was suspecting, so let's run some security scans.  I know that you have already run Malwarebytes Antimalware, but I would like for you to run this again and post the log it generates.  Download the version that I have provided the link for.
 
Please run Malwarebytes AntiMalware

Please download Malwarebytes Anti-Malware.

1)  Double-click on mbam-setup.exe, then click on Run to install the application, follow the prompts through the installation.

2)  Malwarebytes will automatically open.  You will see an image like the one below, click on Update Now.  

[screenshot omitted]

3)  Click on Settings, you will see an image like the one below.

[screenshot omitted]

When Settings opens click on Detection and Protection, then under Non-Malware Protection, click on the down arrow for PUP (Potentially Unwanted Programs) detections and select Treat detections as malware.  Under Detection Options place a check in the box for Scan for rootkits.

4)  Click on Scan (next to Settings), then click on Scan Now.  The scan will automatically run now.

5)  When the scan is complete the results will be displayed.  Click on Delete All.

[screenshot omitted]

6)  Please post the Malwarebytes log.

To find your Malwarebytes log, download mbam-check.exe from here and save it to your desktop.
 
To open the log double click on mbam-check.exe on your desktop.  Copy and paste the entire log in your topic.

 
Please run TDSSKiller.
 
Please download TDSSKiller from here and save it to your Desktop.

The log for the TDSSKiller can be very long.  If you go to the bottom of the log to where you find Scan finished you will see the results of the scan.  If it shows Detected object count: 0 and Actual detected object count: 0, this means that nothing malicious was found and you will not need to post the log.
 
1.  Double-click on TDSSKiller.exe to run the application, then click on Change parameters.
 
[screenshot omitted]
 
2.  Check Loaded Modules, Verify Driver Digital Signature, and Detect TDLFS file system.
 
If you are asked to reboot because an "Extended Monitoring Driver is required" please click Reboot now.
 
[screenshot omitted]
 
3.  Click Start Scan and allow the scan process to run.
 
[screenshot omitted]
 
4.  If threats are detected select Cure (if available) for all of them unless otherwise instructed.
 
***Do NOT select Delete!

Click on Continue.
 
[screenshot omitted]
 
5.  Click on Reboot computer.
 
Please copy the TDSSKiller.[Version]_[Date]_[Time]_log.txt file found in your root directory (typically c:\) and paste it into your next reply.

Note:  The log may be very long.  You may need to break it into parts to post the whole log.

Post this in your topic.
 
 
Please run AdwCleaner

Please download AdwCleaner and install it.

When AdwCleaner opens you will see an image like the one below.

[screenshot omitted]

Click on Scan to start the scan.

Once the search is complete a list of the pending items will be displayed.  If you see any which you do not want removed, remove the check mark next to it.

If no malicious programs are found you will receive the following message.

[screenshot omitted]
 
Click on Clean to remove the selected items.  If you have any questions about any items in the list please copy and paste the list in your topic so we can review it.  
 
You will receive a message telling you that all programs will be closed so that the infections can be removed.  Click on OK.  The computer will be restarted to complete the cleaning process.
 
When the cleaning process is complete a log of what was removed will be presented.  Please copy and paste this log in your topic.


Please run the ESET OnlineScan

This scan takes quite a long time to run, so be prepared to allow this to run till it is completed.

***Please note. If you run this scan using Internet Explorer you won't need to download the Eset Smartinstaller.***

ESET Online Scanner

  • Click here to download the installer for ESET Online Scanner and save it to your Desktop.
  • Disable all your antivirus and antimalware software - see how to do that here.
  • Right click on esetsmartinstaller_enu.exe and select Run as Administrator.
  • Place a checkmark in YES, I accept the Terms of Use, then click Start. Wait for ESET Online Scanner to load its components.
  • Select Enable detection of potentially unwanted applications.
  • Click Advanced Settings, then place a checkmark in the following:
    • Remove found threats
    • Scan archives
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth technology
  • Click Start to begin scanning.
  • ESET Online Scanner will start downloading signatures and scan. Please be patient, as this scan can take quite some time.
  • When the scan is done, click List threats (only available if ESET Online Scanner found something).
  • Click Export, then save the file to your desktop.
  • Click Back, then Finish to exit ESET Online Scanner.

Edited by dc3, 12 February 2017 - 10:12 AM.


#5 Tim2017

Posted 12 February 2017 - 01:38 PM

mbam-check result log version:     2.3.2.0
========================================
 
User Account type:                 Administrator
DomainComputer:                    No
OS:                                Windows 10  64 bit Operating System
Current Version and Build:         10.0.14393 OS Product Info: Professional
 
 
mbam-check result log version: 2.3.2.0
 
Date Log Created: 02/12/17
Time Log Created: 19:38:20
 
 
User Information for Local System:
===========================================
User Account: Administrator
Account Level: Admin
User Account: DefaultAccount
Account Level: Guest
User Account: Guest
Account Level: Guest
User Account: tim
Account Level: Admin
Total # of user entries: 4
 
UAC Settings:
===================
SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
DWORD 1 Status: ON
SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin
DWORD 3 Status: ON
DWORD 4 Status: ON
DWORD 5 Status: ON
 
AntiVirus Information:
===================
AntiVirus Software Installed: "Avira Antivirus"
AntiVirus Software Installed: "Windows Defender"
 
FireWall Information:
===================
NO 3rd Party Firewall Software Installed
 
AntiSpyware Information:
===================
AntiSpyware Software Installed: "Avira Antivirus"
AntiSpyware Software Installed: "Windows Defender"
 
Machine Information
===============================================
Machine ID: ade4dc1d7db09abe7fd2984f6bccceb7e968d136
System has been up for: 2.45472 Hours
Current Date: 2017-Feb-12 18:38:20.322427
Date Booted: 2017-Feb-12 16:38:20.322427
 
Compatibility Flag Settings:
=================================
 
 
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\appCompatFlags\Layers
C:\Program Files (x86)\Steam\Steam.exeREG_SZ ~ HIGHDPIAWARE
C:\Program Files (x86)\EMET 5.5\EMET_GUI.exeREG_SZ ~ HIGHDPIAWARE
D:\Blizzard\Battle.net\Battle.net Launcher.exeREG_SZ ~ HIGHDPIAWARE
D:\Blizzard\Battle.net\Battle.net.7575\Battle.net.exeREG_SZ ~ HIGHDPIAWARE
D:\SteamLibrary\steamapps\common\Stellaris\stellaris.exeREG_SZ ~ HIGHDPIAWARE
C:\Program Files (x86)\Avira\Antivirus\avcenter.exeREG_SZ ~ HIGHDPIAWARE
D:\Blizzard\Battle.net\Battle.net.7730\Battle.net.exeREG_SZ ~ HIGHDPIAWARE
C:\Program Files (x86)\EMET 5.5\EMET_Agent.exeREG_SZ ~ HIGHDPIAWARE
C:\Program Files (x86)\Notepad++\notepad++.exeREG_SZ ~ HIGHDPIAWARE
C:\Program Files (x86)\Origin\Origin.exeREG_SZ ~ HIGHDPIAWARE
 
 
Malwarebytes Anti-Malware Shell Extension Block Check:
======================================================
 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Blocked:
 
MBAM Startup Entries: 
=====================
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
 
Malwarebytes Anti-Malware Service and Driver Status:
=======================================================
 
--------------Driver File Info:--------------
C:\WINDOWS\system32\drivers\mbam.sys
File Size: 43968     BYTES FileVersion: 3.0.0.83 MD5: [88bd122c3a35de63d75d382df75554ce]
C:\WINDOWS\system32\drivers\mwac.sys
File Size: 91584     BYTES FileVersion: 3.0.0.131 MD5: [d6067e2128f6ae309f9f39ee69de85a0]
C:\WINDOWS\system32\drivers\mbamswissarmy.sys
File Size: 251848    BYTES FileVersion: 4.2.0.106 MD5: [bde2fc7213c0897524c1357baae30239]
C:\WINDOWS\system32\drivers\mbamchameleon.sys
File Size: 176584    BYTES FileVersion: 3.0.0.153 MD5: [0e4ad4d8c0a8048c00cad9cfa082a26e]
 
--------------MBAMProtector:--------------
Type:                   N/A
State:                  0 <--CAN NOT OPEN SC_HANDLE, SERVICE IS NOT RUNNING FOR: MBAMProtector
WIN32_EXIT_CODE:        N/A
SERVICE_EXIT_CODE:      N/A
CHECKPOINT:             N/A
WAIT_HINT:              N/A
 
 
--------------MBAMService:--------------
Type:                   16
State:                  4 (The service is running.)
WIN32_EXIT_CODE:        0
SERVICE_EXIT_CODE:      0
CHECKPOINT:             0
WAIT_HINT:              0
 
 
--------------MBAMScheduler:--------------
Type:                   N/A
State:                  0 <--CAN NOT OPEN SC_HANDLE, SERVICE IS NOT RUNNING FOR: MBAMScheduler
WIN32_EXIT_CODE:        N/A
SERVICE_EXIT_CODE:      N/A
CHECKPOINT:             N/A
WAIT_HINT:              N/A
 
 
--------------MBAMChameleon:--------------
Type:                   N/A
State:                  0 <--CAN NOT OPEN SC_HANDLE, SERVICE IS NOT RUNNING FOR: MBAMChameleon
WIN32_EXIT_CODE:        N/A
SERVICE_EXIT_CODE:      N/A
CHECKPOINT:             N/A
WAIT_HINT:              N/A
 
 
--------------MBAMWebAccessControl:--------------
Type:                   N/A
State:                  0 <--CAN NOT OPEN SC_HANDLE, SERVICE IS NOT RUNNING FOR: MbamWebAccessControl
WIN32_EXIT_CODE:        N/A
SERVICE_EXIT_CODE:      N/A
CHECKPOINT:             N/A
WAIT_HINT:              N/A
 
 
Required Dependencies:
======================
 
--------------BFE:--------------
Type:                   32
State:                  4 (The service is running.)
WIN32_EXIT_CODE:        0
SERVICE_EXIT_CODE:      0
CHECKPOINT:             0
WAIT_HINT:              0
 
 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\BFE
DisplayName                   REG_SZ @%SystemRoot%\system32\bfe.dll,-1001
ErrorControl                  REG_DWORD 1
Group                         REG_SZ NetworkProvider
ImagePath                     REG_EXPAND_SZ %systemroot%\system32\svchost.exe -k LocalServiceNoNetwork
Start                         REG_DWORD 2
Type                          REG_DWORD 32
Description                   REG_SZ @%SystemRoot%\system32\bfe.dll,-1002
DependOnService               REG_MULTI_SZ RpcSs
 
ObjectName                    REG_SZ NT AUTHORITY\LocalService
ServiceSidType                REG_DWORD 3
RequiredPrivileges            REG_MULTI_SZ SeAuditPrivilege
 
FailureActions                REG_BINARY Binary Data
 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\BFE\Parameters
ServiceDll                    REG_EXPAND_SZ %SystemRoot%\System32\bfe.dll
ServiceDllUnloadOnStop        REG_DWORD 1
ServiceMain                   REG_SZ BfeServiceMain
 
--------------fltmgr:--------------
Type:                   2
State:                  4 (The service is running.) (STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)
WIN32_EXIT_CODE:        0
SERVICE_EXIT_CODE:      0
CHECKPOINT:             0
WAIT_HINT:              0
 
 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\FltMgr
AttachWhenLoaded              REG_DWORD 1
DisplayName                   REG_SZ @%SystemRoot%\system32\drivers\fltmgr.sys,-10001
ErrorControl                  REG_DWORD 3
Group                         REG_SZ FSFilter Infrastructure
ImagePath                     REG_EXPAND_SZ system32\drivers\fltmgr.sys
Start                         REG_DWORD 0
Tag                           REG_DWORD 1
Type                          REG_DWORD 2
Description                   REG_SZ @%SystemRoot%\system32\drivers\fltmgr.sys,-10000
 
 
C:\WINDOWS\system32\drivers\fltmgr.sys
File Size: 377696    BYTES FileVersion: 6.2.14393.0 MD5: [fda72aca14d516d18c33afcd0fd9260f]
C:\WINDOWS\SysWoW64\olepro32.dll
File Size: 90624     BYTES FileVersion: 6.2.14393.447 MD5: [58e51d527d2b82961a94fcde12e6fed7]
 
 
MBAM Registry Settings and License Info:
========================================
 
 
 
 
 
Scheduler Queue:
================
 
 
Pending File Rename Operations: 
================================
If any Malwarebytes Anti-Malware items are listed below, the user must reboot to complete a Malwarebytes Anti-Malware upgrade installation.
Pending File Rename Operations: 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\
PendingFileRenameOperations REG_MULTI_SZ \??\C:\WINDOWS\system32\drivers\55234034.sys
 
 
 
MBAMProtector Registry Values:
==============================
 
 
 
MBAMService Registry Values:
============================
 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MBAMService
Type                          REG_DWORD 16
Start                         REG_DWORD 3
ErrorControl                  REG_DWORD 1
ImagePath                     REG_EXPAND_SZ "C:\Program Files\Malwarebytes\Anti-Malware\mbamservice.exe"
DisplayName                   REG_SZ Malwarebytes Service
DependOnService               REG_MULTI_SZ RPCSS
WINMGMT
 
ObjectName                    REG_SZ LocalSystem
Description                   REG_SZ Malwarebytes Service
 
MBAMScheduler Registry Values:
==============================
 
 
 
Terminal Services Status for (null) entries in PM logs and GetUserToken errors:
===============================================================================
 
--------------TERMService:--------------
Type:                   32
State:                  1 (The service is not running.) (State is stopped)
WIN32_EXIT_CODE:        1077
SERVICE_EXIT_CODE:      0
CHECKPOINT:             0
WAIT_HINT:              0
 
 
TermService Start is set to: 3 (Manual Startup)
 
Proxy Status: No proxy is Set
 
LAN Settings:
=============
 
only 'Automatically detect settings' is selected
 
SystemPartition:
================
 
HKEY_LOCAL_MACHINE\SYSTEM\Setup\
SystemPartition REG_SZ \Device\HarddiskVolume2
 
Balloon Tips Status:
====================
 
Enabled
 
Time Format Settings:
=====================
 
Should be:
h:mm:ss tt
AM 
PM 
:
 
Currently:
REG_SZ HH:mm:ss
REG_SZ AM
REG_SZ PM
REG_SZ :
 
Language and Regional Settings:
===============================
 
ACP: Language is English (United States)
MACCP: Language is English (United States)
OEMCP: 850 Please refer to this link for details: Here 
 
Startup Folders for Error_Expanding_Variables Check:
====================================================
 
All Users Startup Folder Exists.
Current User's Startup Folder Exists.
 
 
 
MBAM DLL's and Runtime Files:
=============================
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
MBAM Registry Settings and License Info (part 2):
==================================================
 
 
 
 
 
 
 
Context Menu Entries:
=====================
 
HKEY_CLASSES_ROOT\AllFilesystemObjects\shellex\ContextMenuHandlers\MBAMShlExt
(Default):                    REG_SZ {57CE581A-0CB6-4266-9CA0-19364C90A0B3}
 
HKEY_CLASSES_ROOT\Folder\shellex\ContextMenuHandlers\MBAMShlExt
(Default):                    REG_SZ {57CE581A-0CB6-4266-9CA0-19364C90A0B3}
 
HKEY_CLASSES_ROOT\MBAMExt.MBAMShlExt
(Default):                    REG_SZ MBAMShlExt Class
HKEY_CLASSES_ROOT\MBAMExt.MBAMShlExt\CLSID
(Default):                    REG_SZ {57CE581A-0CB6-4266-9CA0-19364C90A0B3}
HKEY_CLASSES_ROOT\MBAMExt.MBAMShlExt\CurVer
(Default):                    REG_SZ MBAMExt.MBAMShlExt.1
HKEY_CLASSES_ROOT\MBAMExt.MBAMShlExt.1
(Default):                    REG_SZ MBAMShlExt Class
HKEY_CLASSES_ROOT\MBAMExt.MBAMShlExt.1\CLSID
(Default):                    REG_SZ {57CE581A-0CB6-4266-9CA0-19364C90A0B3}
 
 
HKEY_CLASSES_ROOT\Interface\{015FAC74-0374-494A-A02D-316D562C0FCE}
(Default):                    REG_SZ IMBAMShlExt
HKEY_CLASSES_ROOT\Interface\{015FAC74-0374-494A-A02D-316D562C0FCE}\ProxyStubClsid32
(Default):                    REG_SZ {00020424-0000-0000-C000-000000000046}
HKEY_CLASSES_ROOT\Interface\{015FAC74-0374-494A-A02D-316D562C0FCE}\TypeLib
(Default):                    REG_SZ {AFF1A83B-6C83-4342-8E68-1648DE06CB65}
Version                       REG_SZ 1.0
HKEY_CLASSES_ROOT\CLSID\{57CE581A-0CB6-4266-9CA0-19364C90A0B3}
(Default):                    REG_SZ MBAMShlExt Class
HKEY_CLASSES_ROOT\CLSID\{57CE581A-0CB6-4266-9CA0-19364C90A0B3}\InprocServer32
(Default):                    REG_SZ C:\Program Files\Malwarebytes\Anti-Malware\mbshlext.dll
ThreadingModel                REG_SZ Apartment
HKEY_CLASSES_ROOT\CLSID\{57CE581A-0CB6-4266-9CA0-19364C90A0B3}\ProgID
(Default):                    REG_SZ MBAMExt.MBAMShlExt.1
HKEY_CLASSES_ROOT\CLSID\{57CE581A-0CB6-4266-9CA0-19364C90A0B3}\TypeLib
(Default):                    REG_SZ {AFF1A83B-6C83-4342-8E68-1648DE06CB65}
HKEY_CLASSES_ROOT\CLSID\{57CE581A-0CB6-4266-9CA0-19364C90A0B3}\VersionIndependentProgID
(Default):                    REG_SZ MBAMExt.MBAMShlExt
 
HKEY_CLASSES_ROOT\TypeLib\{AFF1A83B-6C83-4342-8E68-1648DE06CB65}
HKEY_CLASSES_ROOT\TypeLib\{AFF1A83B-6C83-4342-8E68-1648DE06CB65}\1.0
(Default):                    REG_SZ MBAMExt 1.0 Type Library
HKEY_CLASSES_ROOT\TypeLib\{AFF1A83B-6C83-4342-8E68-1648DE06CB65}\1.0\0
HKEY_CLASSES_ROOT\TypeLib\{AFF1A83B-6C83-4342-8E68-1648DE06CB65}\1.0\0\win64
(Default):                    REG_SZ C:\Program Files\Malwarebytes\Anti-Malware\mbshlext.dll
HKEY_CLASSES_ROOT\TypeLib\{AFF1A83B-6C83-4342-8E68-1648DE06CB65}\1.0\FLAGS
(Default):                    REG_SZ 0
HKEY_CLASSES_ROOT\TypeLib\{AFF1A83B-6C83-4342-8E68-1648DE06CB65}\1.0\HELPDIR
(Default):                    REG_SZ C:\Program Files\Malwarebytes\Anti-Malware
HKEY_CLASSES_ROOT\Wow6432Node\TypeLib\{AFF1A83B-6C83-4342-8E68-1648DE06CB65}
HKEY_CLASSES_ROOT\Wow6432Node\TypeLib\{AFF1A83B-6C83-4342-8E68-1648DE06CB65}\1.0
(Default):                    REG_SZ MBAMExt 1.0 Type Library
HKEY_CLASSES_ROOT\Wow6432Node\TypeLib\{AFF1A83B-6C83-4342-8E68-1648DE06CB65}\1.0\0
HKEY_CLASSES_ROOT\Wow6432Node\TypeLib\{AFF1A83B-6C83-4342-8E68-1648DE06CB65}\1.0\0\win64
(Default):                    REG_SZ C:\Program Files\Malwarebytes\Anti-Malware\mbshlext.dll
HKEY_CLASSES_ROOT\Wow6432Node\TypeLib\{AFF1A83B-6C83-4342-8E68-1648DE06CB65}\1.0\FLAGS
(Default):                    REG_SZ 0
HKEY_CLASSES_ROOT\Wow6432Node\TypeLib\{AFF1A83B-6C83-4342-8E68-1648DE06CB65}\1.0\HELPDIR
(Default):                    REG_SZ C:\Program Files\Malwarebytes\Anti-Malware
 
 
List of MBAM Related Directories:
=================================
 
===============================================================
END OF FILE


#6 Tim2017

Posted 12 February 2017 - 01:42 PM

19:35:23.0864 0x23d0  TDSS rootkit removing tool 3.1.0.12 Nov  7 2016 07:10:01
19:35:23.0864 0x23d0  UEFI system
19:35:27.0799 0x23d0  ============================================================
19:35:27.0800 0x23d0  Current date / time: 2017/02/12 19:35:27.0799
19:35:27.0800 0x23d0  SystemInfo:
19:35:27.0800 0x23d0  
19:35:27.0800 0x23d0  OS Version: 10.0.14393 ServicePack: 0.0
19:35:27.0800 0x23d0  Product type: Workstation
19:35:27.0800 0x23d0  ComputerName: DESKTOP-D20JVLT
19:35:27.0800 0x23d0  UserName: tim
19:35:27.0800 0x23d0  Windows directory: C:\WINDOWS
19:35:27.0800 0x23d0  System windows directory: C:\WINDOWS
19:35:27.0800 0x23d0  Running under WOW64
19:35:27.0800 0x23d0  Processor architecture: Intel x64
19:35:27.0800 0x23d0  Number of processors: 4
19:35:27.0800 0x23d0  Page size: 0x1000
19:35:27.0800 0x23d0  Boot type: Normal boot
19:35:27.0800 0x23d0  CodeIntegrityOptions = 0x00000001
19:35:27.0800 0x23d0  ============================================================
19:35:27.0841 0x23d0  KLMD registered as C:\WINDOWS\system32\drivers\55234034.sys
19:35:27.0841 0x23d0  KLMD ARK init status: drvProperties = 0xFFF00, osBuild = 14393.693, osProperties = 0x19
19:35:28.0076 0x23d0  System UUID: {74F9AA45-0818-D1D1-D668-79A611D67128}
19:35:28.0750 0x23d0  Drive \Device\Harddisk0\DR0 - Size: 0x3A38B2E000 ( 232.89 Gb ), SectorSize: 0x200, Cylinders: 0x76C1, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000040
19:35:28.0750 0x23d0  Drive \Device\Harddisk1\DR1 - Size: 0x3A38B2E000 ( 232.89 Gb ), SectorSize: 0x200, Cylinders: 0x76C1, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000040
19:35:28.0750 0x23d0  Drive \Device\Harddisk2\DR2 - Size: 0xE8E0DB6000 ( 931.51 Gb ), SectorSize: 0x200, Cylinders: 0x1DB01, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000040
19:35:28.0773 0x23d0  Drive \Device\Harddisk3\DR3 - Size: 0x4A85D56000 ( 298.09 Gb ), SectorSize: 0x200, Cylinders: 0x9801, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000040
19:35:28.0783 0x23d0  ============================================================
19:35:28.0783 0x23d0  \Device\Harddisk0\DR0:
19:35:28.0783 0x23d0  GPT partitions:
19:35:28.0784 0x23d0  \Device\Harddisk0\DR0\Partition1: GPT, TypeGUID: {DE94BBA4-06D1-4D40-A16A-BFD50179D6AC}, UniqueGUID: {FFFBD11B-A8F0-4446-8503-79499B688F4B}, Name: Basic data partition, StartLBA 0x800, BlocksNum 0xE1000
19:35:28.0784 0x23d0  \Device\Harddisk0\DR0\Partition2: GPT, TypeGUID: {C12A7328-F81F-11D2-BA4B-00A0C93EC93B}, UniqueGUID: {BA610091-BFAE-400E-87BA-F2D55600DDA2}, Name: EFI system partition, StartLBA 0xE1800, BlocksNum 0x32000
19:35:28.0784 0x23d0  \Device\Harddisk0\DR0\Partition3: GPT, TypeGUID: {E3C9E316-0B5C-4DB8-817D-F92DF00215AE}, UniqueGUID: {17D7F13D-5F95-465A-9055-58D47C8A628C}, Name: Microsoft reserved partition, StartLBA 0x113800, BlocksNum 0x8000
19:35:28.0784 0x23d0  \Device\Harddisk0\DR0\Partition4: GPT, TypeGUID: {EBD0A0A2-B9E5-4433-87C0-68B6B72699C7}, UniqueGUID: {B8B896F3-A524-44F7-9455-63079F35D605}, Name: Basic data partition, StartLBA 0x11B800, BlocksNum 0x1D0AA000
19:35:28.0784 0x23d0  MBR partitions:
19:35:28.0784 0x23d0  \Device\Harddisk1\DR1:
19:35:28.0784 0x23d0  MBR partitions:
19:35:28.0784 0x23d0  \Device\Harddisk1\DR1\Partition1: MBR, Type 0x7, StartLBA 0x800, BlocksNum 0x1D1C4000
19:35:28.0784 0x23d0  \Device\Harddisk2\DR2:
19:35:28.0784 0x23d0  GPT partitions:
19:35:28.0784 0x23d0  \Device\Harddisk2\DR2\Partition1: GPT, TypeGUID: {EBD0A0A2-B9E5-4433-87C0-68B6B72699C7}, UniqueGUID: {E409685B-794B-4A61-AB96-779BCB9BE36A}, Name: Basic data partition, StartLBA 0x800, BlocksNum 0x74706000
19:35:28.0784 0x23d0  MBR partitions:
19:35:28.0784 0x23d0  \Device\Harddisk3\DR3:
19:35:28.0784 0x23d0  MBR partitions:
19:35:28.0784 0x23d0  \Device\Harddisk3\DR3\Partition1: MBR, Type 0x7, StartLBA 0x800, BlocksNum 0x2542D800
19:35:28.0784 0x23d0  ============================================================
19:35:28.0785 0x23d0  C: <-> \Device\Harddisk0\DR0\Partition4
19:35:28.0795 0x23d0  D: <-> \Device\Harddisk2\DR2\Partition1
19:35:28.0812 0x23d0  E: <-> \Device\Harddisk3\DR3\Partition1
19:35:28.0813 0x23d0  Z: <-> \Device\Harddisk1\DR1\Partition1
19:35:28.0813 0x23d0  ============================================================
19:35:28.0813 0x23d0  Initialize success
19:35:28.0813 0x23d0  ============================================================
19:39:09.0855 0x1748  KLMD registered as C:\WINDOWS\system32\drivers\27978569.sys
19:39:13.0176 0x1748  Deinitialize success


#7 Tim2017

Posted 12 February 2017 - 01:52 PM

# AdwCleaner v6.043 - Logfile created 12/02/2017 at 19:50:42
# Updated on 27/01/2017 by Malwarebytes
# Database : 2017-02-09.1 [Server]
# Operating System : Windows 10 Pro  (X64)
# Username : tim - DESKTOP-D20JVLT
# Running from : C:\Users\tim\Downloads\AdwCleaner.exe
# Mode: Clean
 
 
 
***** [ Services ] *****
 
 
 
***** [ Folders ] *****
 
 
 
***** [ Files ] *****
 
 
 
***** [ DLL ] *****
 
 
 
***** [ WMI ] *****
 
 
 
***** [ Shortcuts ] *****
 
 
 
***** [ Scheduled Tasks ] *****
 
 
 
***** [ Registry ] *****
 
[-] Key deleted: HKLM\SOFTWARE\Google\Chrome\Extensions\ipmkfpcnmccejididiaagpgchgjfajgp
[-] Key deleted: [x64] HKLM\SOFTWARE\Google\Chrome\Extensions\ipmkfpcnmccejididiaagpgchgjfajgp
 
 
***** [ Web browsers ] *****
 
[-] [C:\Users\tim\AppData\Local\Google\Chrome\User Data\Default] [extension] Deleted: ipmkfpcnmccejididiaagpgchgjfajgp
 
 
*************************
 
:: "Tracing" keys deleted
:: Winsock settings cleared
 
*************************
 
C:\AdwCleaner\AdwCleaner[C0].txt - [1050 Bytes] - [12/02/2017 19:50:42]
C:\AdwCleaner\AdwCleaner[S0].txt - [1365 Bytes] - [12/02/2017 19:45:25]
 
########## EOF - C:\AdwCleaner\AdwCleaner[C0].txt - [1196 Bytes] ##########


#8 Tim2017

Posted 12 February 2017 - 01:54 PM

I have questions about what was detected; there was one in the temp folder and in keys within Chrome.  What were these?



#9 dc3

Posted 12 February 2017 - 02:05 PM

Temp files are not to be worried about in this instance.  We regularly suggest deleting your temp files since they only take up disk space.

 

If you post the folder in question I will take a look at it.

 

The TDSSKiller should have either stated that nothing was found or list what was found.  Did you omit this from the scan log?



#10 Tim2017

Posted 12 February 2017 - 03:15 PM

The rest of the TDSSKiller will not post, it's too long.  Can I upload it as a .txt?



#11 dc3

Posted 12 February 2017 - 03:26 PM

Post the last portion of the log, this will show if anything was found.

 

You need to understand that I will not ask you to post anything in your topic which could potentially be too large to post.  If I'm aware that the file will be too long I usually will either suggest breaking it into smaller parts or use a host website like Dropbox.  When I request a log to be posted I want the entire log.  I suspect that you will not know if something is pertinent in a log or not, but I will.



#12 Tim2017

Posted 12 February 2017 - 03:29 PM

19:40:17.0852 0x18d4  Waiting for KSN requests completion. In queue: 7
19:40:18.0876 0x18d4  AV detected via SS2: Avira Antivirus, C:\Program Files (x86)\Avira\Antivirus\WindowsSecurityCenter.exe ( 15.0.25.138 ), 0x41000 ( enabled : updated )
19:40:18.0876 0x18d4  AV detected via SS2: Windows Defender, C:\Program Files\Windows Defender\MSASCui.exe ( 4.10.14393.187 ), 0x60100 ( disabled : updated )
19:40:18.0876 0x18d4  Win FW state via NFP2: enabled ( trusted )
19:40:19.0393 0x18d4  ============================================================
19:40:19.0393 0x18d4  Scan finished
19:40:19.0393 0x18d4  ============================================================
19:40:19.0393 0x181c  Detected object count: 0
19:40:19.0393 0x181c  Actual detected object count: 0
19:42:32.0873 0x12b4  Deinitialize success


#13 Tim2017

Posted 12 February 2017 - 03:31 PM

I'm running ESET now, 23% done



#14 dc3

Posted 12 February 2017 - 03:32 PM

The last three lines tell me that nothing was found.  This is why this is so important.



#15 Tim2017

Posted 12 February 2017 - 04:21 PM

C:\$Recycle.Bin\S-1-5-21-651125616-2359398230-350431959-1001\$R8FG2JJ.exe Win32/Bundled.Toolbar.Google.D potentially unsafe application cleaned by deleting
C:\$Recycle.Bin\S-1-5-21-651125616-2359398230-350431959-1001\$RE1P63D.exe Win32/Bundled.Toolbar.Google.D potentially unsafe application cleaned by deleting
C:\$Recycle.Bin\S-1-5-21-651125616-2359398230-350431959-1001\$RNKSTMR.exe Win32/Bundled.Toolbar.Google.D potentially unsafe application cleaned by deleting
C:\$Recycle.Bin\S-1-5-21-651125616-2359398230-350431959-1001\$RWLM3R5.exe a variant of Win32/DownloadSponsor.C potentially unwanted application cleaned by deleting
E:\AiO-SRT_2016-05-15.iso a variant of Win32/PSWTool.ProductKey potentially unsafe application deleted
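The TDSSKiller tail in #12 and the ESET export in #15 are the two pieces of output dc3 reads to reach a verdict: "Scan finished" followed by both object counts at 0 means TDSSKiller found nothing, and the ESET lines are all PUA-grade (bundled toolbars, a product-key tool) rather than malware proper. As an added example that is not from the thread, from Kaspersky or from ESET, the Python below does that reading mechanically: it extracts the verdict fields from a TDSSKiller log (refusing to call a truncated log clean, which is the mistake dc3 warns about in #11 and #14), and splits each ESET result line into path, threat name, category and action so that anything above PUA grade, or anything the parser cannot read, is surfaced for review. The sample text is copied from the posts above; the ESET line layout (space-separated, category phrase before action) is assumed from that paste, since a real export may be tab-separated.

```python
# Added example for this thread (not TDSSKiller's or ESET's own code): parse the
# scan output the way the helper reads it, then decide whether anything needs attention.
import re
from collections import Counter

# TDSSKiller: every log line is "HH:MM:SS.ffff 0x<thread id>  <message>".
TDSS_LINE = re.compile(r"^\d{2}:\d{2}:\d{2}\.\d+\s+0x[0-9a-fA-F]+\s+(?P<msg>.*)$")
TDSS_COUNT = re.compile(r"^(?P<kind>Actual detected|Detected) object count:\s*(?P<n>\d+)$")

def parse_tdsskiller_tail(text):
    """Verdict fields from the end of a TDSSKiller log.

    'detected' is what TDSSKiller flagged for review, 'actual_detected' what it
    still held to be malicious after its own checks. 'clean' requires the
    'Scan finished' marker plus both counts at 0: a truncated log is never clean.
    """
    status = {"scan_finished": False, "detected": None, "actual_detected": None}
    for raw in text.splitlines():
        m = TDSS_LINE.match(raw.strip())
        if not m:
            continue
        msg = m.group("msg").strip()
        if msg == "Scan finished":
            status["scan_finished"] = True
            continue
        c = TDSS_COUNT.match(msg)
        if c:
            key = "actual_detected" if c.group("kind").startswith("Actual") else "detected"
            status[key] = int(c.group("n"))
    status["clean"] = (status["scan_finished"]
                       and status["detected"] == 0
                       and status["actual_detected"] == 0)
    return status

# ESET Online Scanner export as pasted in the thread (assumed layout):
# "<path> <threat name> <category phrase> <action>", space-separated. The path
# may contain spaces, so it is matched lazily and the known category and action
# phrases anchor the split from the right.
ESET_CATEGORIES = ("potentially unsafe application", "potentially unwanted application",
                   "trojan", "worm", "virus", "adware", "riskware")
ESET_ACTIONS = ("cleaned by deleting", "unable to clean", "quarantined", "deleted", "cleaned")
ESET_LINE = re.compile(
    r"^(?P<path>.+?)\s+"
    r"(?P<threat>(?:a variant of )?[\w./-]+)\s+"
    r"(?P<category>" + "|".join(map(re.escape, ESET_CATEGORIES)) + r")\s+"
    r"(?P<action>" + "|".join(map(re.escape, ESET_ACTIONS)) + r")\s*$",
    re.IGNORECASE,
)
# ESET's PUA/unsafe classes (bundled toolbars, key finders) rather than malware proper.
LOW_SEVERITY = {"potentially unsafe application", "potentially unwanted application"}

def parse_eset_results(text):
    """One dict per result line; lines that do not fit the layout are kept as
    'unparsed' rather than silently dropped from the review."""
    results = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = ESET_LINE.match(line)
        if not m:
            results.append({"path": line, "threat": None, "category": "unparsed",
                            "action": None, "low_severity": False})
            continue
        d = m.groupdict()
        d["category"] = d["category"].lower()
        d["action"] = d["action"].lower()
        d["low_severity"] = d["category"] in LOW_SEVERITY
        results.append(d)
    return results

def summarize_eset(results):
    """Detections per category, plus everything that is not PUA grade."""
    by_category = Counter(r["category"] for r in results)
    needs_attention = [r for r in results if not r["low_severity"]]
    return {"by_category": dict(by_category), "needs_attention": needs_attention}

# Sample input copied from posts #12 and #15 above.
TDSS_TAIL = r"""
19:40:19.0393 0x18d4  Scan finished
19:40:19.0393 0x18d4  ============================================================
19:40:19.0393 0x181c  Detected object count: 0
19:40:19.0393 0x181c  Actual detected object count: 0
"""
ESET_RESULTS = r"""
C:\$Recycle.Bin\S-1-5-21-651125616-2359398230-350431959-1001\$R8FG2JJ.exe Win32/Bundled.Toolbar.Google.D potentially unsafe application cleaned by deleting
C:\$Recycle.Bin\S-1-5-21-651125616-2359398230-350431959-1001\$RWLM3R5.exe a variant of Win32/DownloadSponsor.C potentially unwanted application cleaned by deleting
E:\AiO-SRT_2016-05-15.iso a variant of Win32/PSWTool.ProductKey potentially unsafe application deleted
"""

if __name__ == "__main__":
    print(parse_tdsskiller_tail(TDSS_TAIL))
    print(summarize_eset(parse_eset_results(ESET_RESULTS)))
```

Run against the thread's own lines, the TDSSKiller verdict comes back clean and the ESET summary has two "potentially unsafe application" and one "potentially unwanted application" entries with nothing needing attention, which is the same reading dc3 gives in #14. Feeding it only the "Detected object count: 0" line without "Scan finished" returns clean=False, so a log pasted without its tail is not mistaken for a clean one.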




