
Factory reset, am I still infected?


This topic is locked
26 replies to this topic

#1 koopa112

  • Members
  • 17 posts

Posted 24 February 2017 - 01:29 AM

I recently performed a factory reset after receiving constant malware notifications from my Avast Free edition while viewing twitch.tv. I had planned to reset for a while to clean up what I did not want. I copied the files I wish to keep onto an external drive and want to make sure nothing bad carried over before I spend the time loading them back over. Am I infected, and what should I do? Can I safely move my files over, and what should I use to scan my external drive?


I forgot to mention that the first thing I did was run ComboFix as recommended by a friend, and shortly after coming to this website I read that I should not run it without a helper suggesting it first. Could this cause issues, and do you want that log as well?


Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 23-02-2017 01
Ran by Xavier (administrator) on XAVIER-HP (23-02-2017 22:16:35)
Running from C:\Users\Xavier\Desktop
Loaded Profiles: Xavier &  (Available Profiles: Xavier)
Platform: Windows 7 Home Premium Service Pack 1 (X64) Language: English (United States)
Internet Explorer Version 9 (Default browser: Chrome)
Boot Mode: Normal
 
==================== Processes (Whitelisted) =================
 
(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)
 
(AMD) C:\Windows\System32\atiesrxx.exe
(IDT, Inc.) C:\Program Files\IDT\WDM\stacsv64.exe
(SUPERAntiSpyware.com) C:\Program Files\SUPERAntiSpyware\SASCore64.exe
(Andrea Electronics Corporation) C:\Program Files\IDT\WDM\AESTSr64.exe
(Microsoft Corporation) C:\Program Files (x86)\Microsoft\BingBar\SeaPort.EXE
(Hewlett-Packard Company) C:\Program Files\Hewlett-Packard\HP Client Services\HPClientServices.exe
(Hewlett-Packard Company) C:\Program Files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe
(PDF Complete Inc) C:\Program Files (x86)\PDF Complete\pdfsvc.exe
(Microsoft Corp.) C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
(Hewlett-Packard) C:\Program Files\Hewlett-Packard\HP Auto\HPAuto.exe
(Malwarebytes) C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe
(Microsoft Corp.) C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVCM.EXE
(AMD) C:\Windows\System32\atieclxx.exe
(Hewlett-Packard ) C:\Program Files\IDT\WDM\beats64.exe
(IDT, Inc.) C:\Program Files\IDT\WDM\sttray64.exe
(Hewlett-Packard) C:\Program Files (x86)\Hewlett-Packard\HP Odometer\hpsysdrv.exe
(Malwarebytes) C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe
(SUPERAntiSpyware) C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
(Hewlett-Packard) C:\Program Files (x86)\Hp\HP Software Update\hpwuschd2.exe
(Advanced Micro Devices Inc.) C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
(ATI Technologies Inc.) C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
(Hewlett-Packard) C:\Program Files (x86)\Hewlett-Packard\TouchSmart\Calendar\Service\GCalService.exe
(Malwarebytes) C:\Program Files\Malwarebytes\Anti-Malware\mbam.exe
(Microsoft Corporation) C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
(Hewlett-Packard) C:\Program Files (x86)\Hewlett-Packard\TouchSmart\Calendar\Service\HPTouchSmartSyncCalReminderApp.exe
(Microsoft Corporation) C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
(Hewlett-Packard Company) C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\HPSA_Service.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Microsoft Corporation) C:\Windows\Microsoft.NET\Framework64\v3.0\WPF\PresentationFontCache.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Microsoft Corporation) C:\Windows\System32\msiexec.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
() C:\Riot Games\League of Legends\RADS\system\rads_user_kernel.exe
() C:\Riot Games\League of Legends\RADS\projects\lol_launcher\releases\0.0.1.38\deploy\LoLLauncher.exe
() C:\Riot Games\League of Legends\RADS\projects\lol_patcher\releases\0.0.0.78\deploy\LoLPatcher.exe
() C:\Riot Games\League of Legends\RADS\projects\lol_patcher\releases\0.0.0.78\deploy\LoLPatcherUx.exe
() C:\Riot Games\League of Legends\RADS\projects\lol_patcher\releases\0.0.0.78\deploy\LoLPatcherUx.exe
(Apple Inc.) C:\Users\Xavier\Downloads\iTunes6464Setup.exe
(Microsoft Corporation) C:\Windows\System32\msiexec.exe
(Microsoft Corporation) C:\Windows\System32\msiexec.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Apple Inc.) C:\Users\Xavier\AppData\Local\Temp\IXP088.TMP\SetupAdmin.exe
(Microsoft Corporation) C:\Windows\SysWOW64\msiexec.exe
 
==================== Registry (Whitelisted) ====================
 
(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)
 
HKLM\...\Run: [BeatsOSDApp] => C:\Program Files\IDT\WDM\beats64.exe [37888 2011-09-14] (Hewlett-Packard )
HKLM\...\Run: [SysTrayApp] => C:\Program Files\IDT\WDM\sttray64.exe [1128448 2011-09-14] (IDT, Inc.)
HKLM\...\Run: [hpsysdrv] => c:\program files (x86)\hewlett-packard\HP odometer\hpsysdrv.exe [62768 2008-11-20] (Hewlett-Packard)
HKLM\...\Run: [Malwarebytes TrayApp] => C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\mbamtray.exe [2780112 2017-01-20] (Malwarebytes)
HKLM-x32\...\Run: [StartCCC] => c:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe [343168 2011-09-08] (Advanced Micro Devices, Inc.)
HKLM-x32\...\Run: [HP Software Update] => c:\Program Files (x86)\HP\HP Software Update\HPWuSchd2.exe [49208 2011-05-10] (Hewlett-Packard)
HKLM-x32\...\Run: [] => [X]
HKLM-x32\...\Run: [PDF Complete] => C:\Program Files (x86)\PDF Complete\pdfsty.exe [658424 2011-08-12] (PDF Complete Inc)
HKU\S-1-5-21-3334463587-1985392049-2254692259-1000\...\Run: [SUPERAntiSpyware] => C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe [7946144 2017-02-06] (SUPERAntiSpyware)
HKU\S-1-5-21-3334463587-1985392049-2254692259-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-02232017220358298\...\Run: [SUPERAntiSpyware] => C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe [7946144 2017-02-06] (SUPERAntiSpyware)
 
==================== Internet (Whitelisted) ====================
 
(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)
 
Tcpip\Parameters: [DhcpNameServer] 97.64.168.12 97.64.183.165
Tcpip\..\Interfaces\{BEB8E672-2CC6-4813-8409-C63438C5E2A6}: [DhcpNameServer] 97.64.168.12 97.64.183.165
Tcpip\..\Interfaces\{E78D96E3-3D43-46F8-A407-8AC4BEBF8399}: [DhcpNameServer] 97.64.168.12 97.64.183.165
 
Internet Explorer:
==================
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
HKU\S-1-5-21-3334463587-1985392049-2254692259-1000\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
HKU\S-1-5-21-3334463587-1985392049-2254692259-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-02232017220358298\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://g.msn.com/HPDSK/1
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Start Page = hxxp://g.msn.com/HPDSK/1
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://g.msn.com/HPDSK/1
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=msnhome
HKU\S-1-5-21-3334463587-1985392049-2254692259-1000\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://g.msn.com/HPDSK/1
HKU\S-1-5-21-3334463587-1985392049-2254692259-1000\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKU\S-1-5-21-3334463587-1985392049-2254692259-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-02232017220358298\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://g.msn.com/HPDSK/1
HKU\S-1-5-21-3334463587-1985392049-2254692259-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-02232017220358298\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
SearchScopes: HKLM -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = hxxp://www.bing.com/search?q={searchTerms}&form=HPDTDF&pc=HPDTDF&src=IE-SearchBox
SearchScopes: HKLM -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = hxxp://www.bing.com/search?q={searchTerms}&form=HPDTDF&pc=HPDTDF&src=IE-SearchBox
SearchScopes: HKLM -> {b7fca997-d0fb-4fe0-8afd-255e89cf9671} URL = hxxp://search.yahoo.com/search?p={searchTerms}&ei={inputEncoding}&fr=chr-hp-psg&type=HPDTDF
SearchScopes: HKLM -> {d43b3890-80c7-4010-a95d-1e77b5924dc3} URL = hxxp://en.wikipedia.org/wiki/Special:Search?search={searchTerms}
SearchScopes: HKLM-x32 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = hxxp://www.bing.com/search?q={searchTerms}&form=HPDTDF&pc=HPDTDF&src=IE-SearchBox
SearchScopes: HKLM-x32 -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = hxxp://www.bing.com/search?q={searchTerms}&form=HPDTDF&pc=HPDTDF&src=IE-SearchBox
SearchScopes: HKLM-x32 -> {b7fca997-d0fb-4fe0-8afd-255e89cf9671} URL = hxxp://search.yahoo.com/search?p={searchTerms}&ei={inputEncoding}&fr=chr-hp-psg&type=HPDTDF
SearchScopes: HKLM-x32 -> {d43b3890-80c7-4010-a95d-1e77b5924dc3} URL = hxxp://en.wikipedia.org/wiki/Special:Search?search={searchTerms}
SearchScopes: HKU\S-1-5-21-3334463587-1985392049-2254692259-1000 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = hxxp://www.bing.com/search?q={searchTerms}&form=HPDTDF&pc=HPDTDF&src=IE-SearchBox
SearchScopes: HKU\S-1-5-21-3334463587-1985392049-2254692259-1000 -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = hxxp://www.bing.com/search?q={searchTerms}&form=HPDTDF&pc=HPDTDF&src=IE-SearchBox
SearchScopes: HKU\S-1-5-21-3334463587-1985392049-2254692259-1000 -> {b7fca997-d0fb-4fe0-8afd-255e89cf9671} URL = hxxp://search.yahoo.com/search?p={searchTerms}&ei={inputEncoding}&fr=chr-hp-psg&type=HPDTDF
SearchScopes: HKU\S-1-5-21-3334463587-1985392049-2254692259-1000 -> {d43b3890-80c7-4010-a95d-1e77b5924dc3} URL = hxxp://en.wikipedia.org/wiki/Special:Search?search={searchTerms}
SearchScopes: HKU\S-1-5-21-3334463587-1985392049-2254692259-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-02232017220358298 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = hxxp://www.bing.com/search?q={searchTerms}&form=HPDTDF&pc=HPDTDF&src=IE-SearchBox
SearchScopes: HKU\S-1-5-21-3334463587-1985392049-2254692259-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-02232017220358298 -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = hxxp://www.bing.com/search?q={searchTerms}&form=HPDTDF&pc=HPDTDF&src=IE-SearchBox
SearchScopes: HKU\S-1-5-21-3334463587-1985392049-2254692259-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-02232017220358298 -> {b7fca997-d0fb-4fe0-8afd-255e89cf9671} URL = hxxp://search.yahoo.com/search?p={searchTerms}&ei={inputEncoding}&fr=chr-hp-psg&type=HPDTDF
SearchScopes: HKU\S-1-5-21-3334463587-1985392049-2254692259-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-02232017220358298 -> {d43b3890-80c7-4010-a95d-1e77b5924dc3} URL = hxxp://en.wikipedia.org/wiki/Special:Search?search={searchTerms}
BHO: SteadyVideoBHO Class -> {6C680BAE-655C-4E3D-8FC4-E6A520C3D928} -> c:\Program Files\AMD\SteadyVideo\SteadyVideo.dll [2011-06-07] (Advanced Micro Devices)
BHO: Windows Live ID Sign-in Helper -> {9030D464-4C02-4ABF-8ECC-5164760863C6} -> C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll [2011-03-28] (Microsoft Corp.)
BHO-x32: SteadyVideoBHO Class -> {6C680BAE-655C-4E3D-8FC4-E6A520C3D928} -> c:\Program Files (x86)\amd\SteadyVideo\SteadyVideo.dll [2011-06-07] (Advanced Micro Devices)
BHO-x32: Windows Live ID Sign-in Helper -> {9030D464-4C02-4ABF-8ECC-5164760863C6} -> C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll [2011-03-28] (Microsoft Corp.)
BHO-x32: Bing Bar Helper -> {d2ce3e00-f94a-4740-988e-03dc2f38c34f} -> C:\Program Files (x86)\Microsoft\BingBar\BingExt.dll [2011-08-01] (Microsoft Corporation.)
Toolbar: HKLM-x32 - Bing Bar - {8dcb7100-df86-4384-8842-8fa844297b3f} - C:\Program Files (x86)\Microsoft\BingBar\BingExt.dll [2011-08-01] (Microsoft Corporation.)
Toolbar: HKU\S-1-5-21-3334463587-1985392049-2254692259-1000 -> No Name - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} -  No File
Toolbar: HKU\S-1-5-21-3334463587-1985392049-2254692259-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-02232017220358298 -> No Name - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} -  No File
Filter: video/mp4 - {20C75730-7C25-476B-95DC-C65810F9E489} - c:\Program Files\AMD\SteadyVideo\VideoMIMEFilter.dll [2011-06-07] (Advanced Micro Devices)
Filter-x32: video/mp4 - {20C75730-7C25-476B-95DC-C65810F9E489} - c:\Program Files (x86)\amd\SteadyVideo\VideoMIMEFilter.dll [2011-06-07] (Advanced Micro Devices)
Filter: video/x-flv - {20C75730-7C25-476B-95DC-C65810F9E489} - c:\Program Files\AMD\SteadyVideo\VideoMIMEFilter.dll [2011-06-07] (Advanced Micro Devices)
Filter-x32: video/x-flv - {20C75730-7C25-476B-95DC-C65810F9E489} - c:\Program Files (x86)\amd\SteadyVideo\VideoMIMEFilter.dll [2011-06-07] (Advanced Micro Devices)
 
FireFox:
========
FF Plugin-x32: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files (x86)\Microsoft Silverlight\4.0.50401.0\npctrl.dll [2010-04-01] ( Microsoft Corporation)
FF Plugin-x32: @microsoft.com/WLPG,version=15.4.3502.0922 -> C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll [2011-05-13] (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/WLPG,version=15.4.3538.0513 -> C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll [2011-05-13] (Microsoft Corporation)
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.32.7\npGoogleUpdate3.dll [2017-02-23] (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.32.7\npGoogleUpdate3.dll [2017-02-23] (Google Inc.)
FF Plugin-x32: @WildTangent.com/GamesAppPresenceDetector,Version=1.0 -> C:\Program Files (x86)\WildTangent Games\App\BrowserIntegration\Registered\0\NP_wtapp.dll [2010-12-07] ()
 
Chrome: 
=======
CHR StartupUrls: Default -> "hxxps://www.google.com/"
CHR Profile: C:\Users\Xavier\AppData\Local\Google\Chrome\User Data\Default [2017-02-23]
CHR Extension: (Google Slides) - C:\Users\Xavier\AppData\Local\Google\Chrome\User Data\Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek [2017-02-23]
CHR Extension: (Google Docs) - C:\Users\Xavier\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake [2017-02-23]
CHR Extension: (Google Drive) - C:\Users\Xavier\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2017-02-23]
CHR Extension: (YouTube) - C:\Users\Xavier\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2017-02-23]
CHR Extension: (Google Sheets) - C:\Users\Xavier\AppData\Local\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap [2017-02-23]
CHR Extension: (Google Docs Offline) - C:\Users\Xavier\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi [2017-02-23]
CHR Extension: (Chrome Web Store Payments) - C:\Users\Xavier\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2017-02-23]
CHR Extension: (Gmail) - C:\Users\Xavier\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2017-02-23]
CHR Extension: (Chrome Media Router) - C:\Users\Xavier\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm [2017-02-23]
 
==================== Services (Whitelisted) ====================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
R2 !SASCORE; C:\Program Files\SUPERAntiSpyware\SASCORE64.EXE [173472 2017-01-30] (SUPERAntiSpyware.com)
R2 CalendarSynchService; C:\Program Files (x86)\Hewlett-Packard\TouchSmart\Calendar\Service\GCalService.exe [16384 2011-08-16] (Hewlett-Packard) [File not signed]
R2 HPAuto; C:\Program Files\Hewlett-Packard\HP Auto\HPAuto.exe [682040 2011-02-16] (Hewlett-Packard)
R2 MBAMService; C:\Program Files\Malwarebytes\Anti-Malware\mbamservice.exe [4355024 2017-01-20] (Malwarebytes)
R2 pdfcDispatcher; C:\Program Files (x86)\PDF Complete\pdfsvc.exe [1128952 2011-08-12] (PDF Complete Inc)
R2 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [1011712 2009-07-13] (Microsoft Corporation)
 
===================== Drivers (Whitelisted) ======================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
U5 AppMgmt; C:\Windows\system32\svchost.exe [27136 2009-07-13] (Microsoft Corporation)
R1 ESProtectionDriver; C:\Windows\system32\drivers\mbae64.sys [77416 2017-01-20] ()
R2 MBAMChameleon; C:\Windows\system32\drivers\MBAMChameleon.sys [176584 2017-02-23] (Malwarebytes)
R3 MBAMFarflt; C:\Windows\system32\drivers\farflt.sys [110536 2017-02-23] (Malwarebytes)
R3 MBAMProtection; C:\Windows\system32\drivers\mbam.sys [43968 2017-02-23] (Malwarebytes)
R3 MBAMSwissArmy; C:\Windows\system32\drivers\MBAMSwissArmy.sys [251848 2017-02-23] (Malwarebytes)
R3 MBAMWebProtection; C:\Windows\system32\drivers\mwac.sys [81696 2017-02-23] (Malwarebytes)
R1 SASDIFSV; C:\Program Files\SUPERAntiSpyware\SASDIFSV64.SYS [14928 2011-07-22] (SUPERAdBlocker.com and SUPERAntiSpyware.com)
R1 SASKUTIL; C:\Program Files\SUPERAntiSpyware\SASKUTIL64.SYS [12368 2011-07-12] (SUPERAdBlocker.com and SUPERAntiSpyware.com)
R4 ccSet_NIS; \SystemRoot\system32\drivers\NISx64\1301000.01C\ccSetx64.sys [X]
R4 IDSVia64; \??\C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_19.1.0.28\Definitions\IPSDefs\20110726.001\IDSVia64.sys [X]
R4 SRTSPX; \SystemRoot\system32\drivers\NISx64\1301000.01C\SRTSPX64.SYS [X]
R4 SymDS; \SystemRoot\system32\drivers\NISx64\1301000.01C\SYMDS64.SYS [X]
R4 SymEFA; \SystemRoot\system32\drivers\NISx64\1301000.01C\SYMEFA64.SYS [X]
 
==================== NetSvcs (Whitelisted) ===================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
 
==================== One Month Created files and folders ========
 
(If an entry is included in the fixlist, the file/folder will be moved.)
 
2017-02-23 22:16 - 2017-02-23 22:16 - 00018438 _____ C:\Users\Xavier\Desktop\FRST.txt
2017-02-23 22:16 - 2017-02-23 22:16 - 00000000 ____D C:\Program Files\Common Files\Apple
2017-02-23 22:15 - 2017-02-23 22:15 - 02423296 _____ (Farbar) C:\Users\Xavier\Downloads\FRST64 (2).exe
2017-02-23 22:15 - 2017-02-23 22:15 - 02423296 _____ (Farbar) C:\Users\Xavier\Downloads\FRST64 (1).exe
2017-02-23 22:14 - 2017-02-23 22:16 - 00000000 ____D C:\FRST
2017-02-23 22:14 - 2017-02-23 22:14 - 02423296 _____ (Farbar) C:\Users\Xavier\Desktop\FRST64.exe
2017-02-23 22:14 - 2017-02-23 22:14 - 00000000 ____D C:\ProgramData\Apple
2017-02-23 22:09 - 2017-02-23 22:09 - 00000000 ____D C:\ProgramData\Riot Games
2017-02-23 22:07 - 2008-07-31 10:41 - 00068616 _____ (Microsoft Corporation) C:\Windows\SysWOW64\XAPOFX1_1.dll
2017-02-23 22:07 - 2008-07-31 10:40 - 00509448 _____ (Microsoft Corporation) C:\Windows\SysWOW64\XAudio2_2.dll
2017-02-23 22:07 - 2008-07-12 08:18 - 03851784 _____ (Microsoft Corporation) C:\Windows\SysWOW64\D3DX9_39.dll
2017-02-23 22:07 - 2008-07-12 08:18 - 01493528 _____ (Microsoft Corporation) C:\Windows\SysWOW64\D3DCompiler_39.dll
2017-02-23 22:07 - 2008-07-12 08:18 - 00467984 _____ (Microsoft Corporation) C:\Windows\SysWOW64\d3dx10_39.dll
2017-02-23 22:06 - 2017-02-23 22:06 - 00001613 _____ C:\Users\Public\Desktop\League of Legends.lnk
2017-02-23 22:06 - 2017-02-23 22:06 - 00000000 ____D C:\Riot Games
2017-02-23 22:04 - 2017-02-23 22:08 - 00000000 ____D C:\Users\Xavier\AppData\Roaming\Riot Games
2017-02-23 22:04 - 2017-02-23 22:05 - 177092424 _____ (Apple Inc.) C:\Users\Xavier\Downloads\iTunes6464Setup.exe
2017-02-23 22:04 - 2017-02-23 22:04 - 28411368 _____ (Riot Games) C:\Users\Xavier\Downloads\LeagueofLegends_NA_Installer_2016_05_13.exe
2017-02-23 16:29 - 2017-02-23 22:03 - 00081696 _____ (Malwarebytes) C:\Windows\system32\Drivers\mwac.sys
2017-02-23 16:29 - 2017-02-23 22:01 - 00110536 _____ (Malwarebytes) C:\Windows\system32\Drivers\farflt.sys
2017-02-23 16:29 - 2017-02-23 22:01 - 00043968 _____ (Malwarebytes) C:\Windows\system32\Drivers\mbam.sys
2017-02-23 16:29 - 2017-02-23 16:29 - 00176584 _____ (Malwarebytes) C:\Windows\system32\Drivers\MBAMChameleon.sys
2017-02-23 16:28 - 2017-02-23 22:01 - 00251848 _____ (Malwarebytes) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
2017-02-23 16:28 - 2017-02-23 16:28 - 00001869 _____ C:\Users\Public\Desktop\Malwarebytes.lnk
2017-02-23 16:28 - 2017-02-23 16:28 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes
2017-02-23 16:28 - 2017-02-23 16:28 - 00000000 ____D C:\ProgramData\Malwarebytes
2017-02-23 16:28 - 2017-02-23 16:28 - 00000000 ____D C:\Program Files\Malwarebytes
2017-02-23 16:28 - 2017-01-20 07:47 - 00077416 _____ C:\Windows\system32\Drivers\mbae64.sys
2017-02-23 16:27 - 2017-02-23 22:00 - 00000512 _____ C:\Windows\Tasks\SUPERAntiSpyware Scheduled Task cb01ee3b-7c1f-48f1-bb01-8f279fab0d47.job
2017-02-23 16:27 - 2017-02-23 22:00 - 00000512 _____ C:\Windows\Tasks\SUPERAntiSpyware Scheduled Task 82ff6d43-e7db-4e49-b146-d35d405811ec.job
2017-02-23 16:27 - 2017-02-23 16:27 - 00003594 _____ C:\Windows\System32\Tasks\SUPERAntiSpyware Scheduled Task 82ff6d43-e7db-4e49-b146-d35d405811ec
2017-02-23 16:27 - 2017-02-23 16:27 - 00003520 _____ C:\Windows\System32\Tasks\SUPERAntiSpyware Scheduled Task cb01ee3b-7c1f-48f1-bb01-8f279fab0d47
2017-02-23 16:27 - 2017-02-23 16:27 - 00000000 ____D C:\Users\Xavier\AppData\Roaming\SUPERAntiSpyware.com
2017-02-23 16:26 - 2017-02-23 16:27 - 00000000 ____D C:\Program Files\SUPERAntiSpyware
2017-02-23 16:26 - 2017-02-23 16:26 - 00001810 _____ C:\Users\Public\Desktop\SUPERAntiSpyware Free Edition.lnk
2017-02-23 16:26 - 2017-02-23 16:26 - 00000000 ____D C:\ProgramData\SUPERAntiSpyware.com
2017-02-23 16:26 - 2017-02-23 16:26 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\SUPERAntiSpyware
2017-02-23 16:21 - 2017-02-23 16:21 - 00012647 _____ C:\ComboFix.txt
2017-02-23 15:59 - 2011-06-25 22:45 - 00256000 _____ C:\Windows\PEV.exe
2017-02-23 15:59 - 2010-11-07 09:20 - 00208896 _____ C:\Windows\MBR.exe
2017-02-23 15:59 - 2009-04-19 20:56 - 00060416 _____ (NirSoft) C:\Windows\NIRCMD.exe
2017-02-23 15:59 - 2000-08-30 16:00 - 00518144 _____ (SteelWerX) C:\Windows\SWREG.exe
2017-02-23 15:59 - 2000-08-30 16:00 - 00406528 _____ (SteelWerX) C:\Windows\SWSC.exe
2017-02-23 15:59 - 2000-08-30 16:00 - 00098816 _____ C:\Windows\sed.exe
2017-02-23 15:59 - 2000-08-30 16:00 - 00080412 _____ C:\Windows\grep.exe
2017-02-23 15:59 - 2000-08-30 16:00 - 00068096 _____ C:\Windows\zip.exe
2017-02-23 15:58 - 2017-02-23 16:22 - 00000000 ____D C:\Qoobox
2017-02-23 15:58 - 2017-02-23 16:19 - 00000000 ____D C:\Windows\erdnt
2017-02-23 15:58 - 2017-02-23 15:58 - 05659775 ____R (Swearware) C:\Users\Xavier\Desktop\ComboFix.exe
2017-02-23 15:57 - 2017-02-23 15:58 - 55566792 _____ (Malwarebytes ) C:\Users\Xavier\Downloads\mb3-setup-consumer-3.0.6.1469.exe
2017-02-23 15:57 - 2017-02-23 15:57 - 29347248 _____ (SUPERAntiSpyware) C:\Users\Xavier\Downloads\SUPERAntiSpyware.exe
2017-02-23 15:57 - 2017-02-23 15:57 - 00002273 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome.lnk
2017-02-23 15:57 - 2017-02-23 15:57 - 00002261 _____ C:\Users\Public\Desktop\Google Chrome.lnk
2017-02-23 15:56 - 2017-02-23 16:35 - 00000000 ____D C:\Users\Xavier\AppData\Local\Google
2017-02-23 15:56 - 2017-02-23 15:56 - 00003330 _____ C:\Windows\System32\Tasks\GoogleUpdateTaskMachineUA
2017-02-23 15:56 - 2017-02-23 15:56 - 00003202 _____ C:\Windows\System32\Tasks\GoogleUpdateTaskMachineCore
2017-02-23 15:56 - 2017-02-23 15:56 - 00000000 ____D C:\Program Files (x86)\Google
2017-02-23 15:55 - 2017-02-23 15:56 - 00000000 ____D C:\Users\Xavier\AppData\Local\Deployment
2017-02-23 15:55 - 2017-02-23 15:55 - 00057560 _____ C:\Users\Xavier\AppData\Local\GDIPFONTCACHEV1.DAT
2017-02-23 15:55 - 2017-02-23 15:55 - 00000000 ____D C:\Users\Xavier\AppData\Roaming\ATI
2017-02-23 15:55 - 2017-02-23 15:55 - 00000000 ____D C:\Users\Xavier\AppData\Roaming\Adobe
2017-02-23 15:55 - 2017-02-23 15:55 - 00000000 ____D C:\Users\Xavier\AppData\Local\ATI
2017-02-23 15:55 - 2017-02-23 15:55 - 00000000 ____D C:\Users\Xavier\AppData\Local\Apps\2.0
2017-02-23 15:54 - 2017-02-23 15:54 - 00003890 _____ C:\Windows\System32\Tasks\FileTransfer
2017-02-23 15:54 - 2017-02-23 15:54 - 00003836 _____ C:\Windows\System32\Tasks\Accessories
2017-02-23 15:54 - 2017-02-23 15:54 - 00003824 _____ C:\Windows\System32\Tasks\SetupManager
2017-02-23 15:54 - 2017-02-23 15:54 - 00001449 _____ C:\Users\Xavier\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer.lnk
2017-02-23 15:54 - 2017-02-23 15:54 - 00001415 _____ C:\Users\Xavier\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer (64-bit).lnk
2017-02-23 15:54 - 2017-02-23 15:54 - 00000000 ____D C:\Users\Xavier\AppData\Local\PDFC
2017-02-23 15:53 - 2017-02-23 15:54 - 00003934 _____ C:\Windows\System32\Tasks\User_Feed_Synchronization-{C69FDF35-9DAB-422A-B9A2-A01CDC70D667}
2017-02-23 15:53 - 2017-02-23 15:53 - 00000000 ____D C:\Users\Xavier\AppData\Local\VirtualStore
2017-02-23 15:52 - 2017-02-23 15:54 - 00000000 ____D C:\Users\Xavier\AppData\Roaming\Hewlett-Packard
2017-02-23 14:50 - 2017-02-23 15:54 - 00000000 ____D C:\Users\Xavier\AppData\Local\Hewlett-Packard_Company
2017-02-23 14:50 - 2017-02-23 15:52 - 00003572 _____ C:\Windows\System32\Tasks\Registration
2017-02-23 14:50 - 2017-02-23 14:50 - 00000000 ___RD C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Music, Photos and Videos
2017-02-23 14:50 - 2017-02-23 14:50 - 00000000 ____D C:\Users\Xavier\AppData\Local\TouchSmartData
2017-02-23 14:50 - 2017-02-23 14:50 - 00000000 ____D C:\Users\Xavier\AppData\Local\RemEngine
2017-02-23 14:49 - 2017-02-23 15:53 - 00000000 ____D C:\Users\Xavier
2017-02-23 14:49 - 2017-02-23 14:52 - 00000000 ____D C:\Users\Xavier\AppData\Local\Hewlett-Packard
2017-02-23 14:49 - 2017-02-23 14:49 - 00000020 ___SH C:\Users\Xavier\ntuser.ini
2017-02-23 14:49 - 2017-02-23 14:49 - 00000000 _SHDL C:\Users\Xavier\My Documents
2017-02-23 14:49 - 2017-02-23 14:49 - 00000000 _SHDL C:\Users\Xavier\Documents\My Videos
2017-02-23 14:49 - 2017-02-23 14:49 - 00000000 _SHDL C:\Users\Xavier\Documents\My Pictures
2017-02-23 14:49 - 2017-02-23 14:49 - 00000000 _SHDL C:\Users\Xavier\Documents\My Music
2017-02-23 14:49 - 2017-02-23 14:49 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Mathematics
2017-02-23 14:49 - 2017-02-23 14:49 - 00000000 ____D C:\Program Files (x86)\Microsoft Mathematics
2017-02-23 14:49 - 2014-05-14 09:23 - 00198600 _____ (Microsoft Corporation) C:\Windows\system32\wuwebv.dll
2017-02-23 14:49 - 2014-05-14 09:23 - 00179656 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wuwebv.dll
2017-02-23 14:49 - 2014-05-14 09:20 - 00036864 _____ (Microsoft Corporation) C:\Windows\system32\wuapp.exe
2017-02-23 14:49 - 2014-05-14 09:17 - 00033792 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wuapp.exe
2017-02-23 14:49 - 2014-05-14 08:23 - 02477536 _____ (Microsoft Corporation) C:\Windows\system32\wuaueng.dll
2017-02-23 14:49 - 2014-05-14 08:23 - 00700384 _____ (Microsoft Corporation) C:\Windows\system32\wuapi.dll
2017-02-23 14:49 - 2014-05-14 08:23 - 00581600 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wuapi.dll
2017-02-23 14:49 - 2014-05-14 08:23 - 00058336 _____ (Microsoft Corporation) C:\Windows\system32\wuauclt.exe
2017-02-23 14:49 - 2014-05-14 08:23 - 00044512 _____ (Microsoft Corporation) C:\Windows\system32\wups2.dll
2017-02-23 14:49 - 2014-05-14 08:23 - 00038880 _____ (Microsoft Corporation) C:\Windows\system32\wups.dll
2017-02-23 14:49 - 2014-05-14 08:23 - 00036320 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wups.dll
2017-02-23 14:49 - 2014-05-14 08:21 - 02620928 _____ (Microsoft Corporation) C:\Windows\system32\wucltux.dll
2017-02-23 14:49 - 2014-05-14 08:20 - 00097792 _____ (Microsoft Corporation) C:\Windows\system32\wudriver.dll
2017-02-23 14:49 - 2014-05-14 08:17 - 00092672 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wudriver.dll
2017-02-23 14:49 - 2010-11-20 23:16 - 00000000 ____D C:\Users\Xavier\AppData\Roaming\Media Center Programs
2017-02-23 14:47 - 2017-02-23 14:50 - 00000000 ___RD C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Communication and Chat
2017-02-23 14:46 - 2017-02-23 14:50 - 00000000 __RSH C:\Windows\SysWOW64\Drivers\103C_HP_cPC_p7-1247cb_Y53316J_0U_Q4CE2130517_E12NA1MRW605_4A_I2ACD_SPEGATRON CORPORATION_V1.03_B7.16_T111216_W73-1_L409_M7665_J1000_7AMD_8F10_92.50_#120529_N10EC8168;18145390_Z_G10029640.MRK
2017-02-23 14:46 - 2017-02-23 14:50 - 00000000 __RSH C:\Windows\system32\Drivers\103C_HP_cPC_p7-1247cb_Y53316J_0U_Q4CE2130517_E12NA1MRW605_4A_I2ACD_SPEGATRON CORPORATION_V1.03_B7.16_T111216_W73-1_L409_M7665_J1000_7AMD_8F10_92.50_#120529_N10EC8168;18145390_Z_G10029640.MRK
 
==================== One Month Modified files and folders ========
 
(If an entry is included in the fixlist, the file/folder will be moved.)
 
2017-02-23 22:10 - 2012-03-23 12:21 - 00000000 ____D C:\ProgramData\Norton
2017-02-23 22:10 - 2012-03-23 12:21 - 00000000 ____D C:\Program Files (x86)\Norton Internet Security
2017-02-23 22:09 - 2009-07-13 20:45 - 00024400 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2017-02-23 22:09 - 2009-07-13 20:45 - 00024400 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2017-02-23 22:06 - 2009-07-13 21:13 - 00775032 _____ C:\Windows\system32\PerfStringBackup.INI
2017-02-23 22:06 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\inf
2017-02-23 22:01 - 2012-03-23 12:17 - 00000000 ____D C:\ProgramData\PDFC
2017-02-23 22:00 - 2009-07-13 21:08 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2017-02-23 16:09 - 2009-07-13 18:34 - 00000215 _____ C:\Windows\system.ini
2017-02-23 15:53 - 2011-02-11 08:32 - 00000000 ____D C:\SWSETUP
2017-02-23 15:52 - 2012-03-23 11:34 - 00000000 ___RD C:\SYSTEM.SAV
2017-02-23 15:42 - 2009-07-13 21:32 - 00028672 _____ C:\Windows\system32\config\BCD-Template
2017-02-23 14:50 - 2012-03-23 12:16 - 00000000 ___RD C:\ProgramData\Microsoft\Windows\Start Menu\Programs\eReaders and Document Viewers
2017-02-23 14:50 - 2012-03-23 12:09 - 00000000 ___RD C:\Program Files (x86)\Online Services
2017-02-23 14:50 - 2012-03-23 12:08 - 00000000 ___RD C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Productivity and Tools
2017-02-23 14:50 - 2012-03-23 12:04 - 00000000 ___RD C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Security and Protection
2017-02-23 14:50 - 2012-03-23 12:02 - 00000000 ___RD C:\ProgramData\Microsoft\Windows\Start Menu\Programs\HP Help and Support
2017-02-23 14:50 - 2009-07-13 21:32 - 00000000 ____D C:\Program Files\Windows Sidebar
2017-02-23 14:50 - 2009-07-13 21:32 - 00000000 ____D C:\Program Files (x86)\Windows Sidebar
2017-02-23 14:49 - 2011-02-11 09:00 - 00000000 ____D C:\Windows\Panther
2017-02-23 14:48 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\rescache
2017-02-23 14:47 - 2012-03-23 12:01 - 00000000 ____D C:\ProgramData\Hewlett-Packard
2017-02-23 14:46 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\system32\sysprep
 
==================== Bamital & volsnap ======================
 
(There is no automatic fix for files that do not pass verification.)
 
C:\Windows\system32\winlogon.exe => File is digitally signed
C:\Windows\system32\wininit.exe => File is digitally signed
C:\Windows\SysWOW64\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\system32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\system32\services.exe => File is digitally signed
C:\Windows\system32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\system32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\system32\rpcss.dll => File is digitally signed
C:\Windows\system32\dnsapi.dll => File is digitally signed
C:\Windows\SysWOW64\dnsapi.dll => File is digitally signed
C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed
 
LastRegBack: 2011-02-11 11:22
 
==================== End of FRST.txt ============================

Edited by koopa112, 24 February 2017 - 01:36 AM.


#2 nasdaq

nasdaq

  • Malware Response Team
  • 38,545 posts
  • ONLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:10:38 AM

Posted 24 February 2017 - 10:49 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

Press the Windows key + r on your keyboard at the same time. This will open the RUN BOX.
Type Notepad and click the OK key.

Please copy the entire contents of the code box below to a new file.


Start

CreateRestorePoint:
EmptyTemp:
CloseProcesses:

HKLM-x32\...\Run: [] => [X]
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
HKU\S-1-5-21-3334463587-1985392049-2254692259-1000\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
HKU\S-1-5-21-3334463587-1985392049-2254692259-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-02232017220358298\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
SearchScopes: HKLM -> {b7fca997-d0fb-4fe0-8afd-255e89cf9671} URL = hxxp://search.yahoo.com/search?p={searchTerms}&ei={inputEncoding}&fr=chr-hp-psg&type=HPDTDF
SearchScopes: HKLM -> {d43b3890-80c7-4010-a95d-1e77b5924dc3} URL = hxxp://en.wikipedia.org/wiki/Special:Search?search={searchTerms}
SearchScopes: HKLM-x32 -> {b7fca997-d0fb-4fe0-8afd-255e89cf9671} URL = hxxp://search.yahoo.com/search?p={searchTerms}&ei={inputEncoding}&fr=chr-hp-psg&type=HPDTDF
SearchScopes: HKLM-x32 -> {d43b3890-80c7-4010-a95d-1e77b5924dc3} URL = hxxp://en.wikipedia.org/wiki/Special:Search?search={searchTerms}
SearchScopes: HKU\S-1-5-21-3334463587-1985392049-2254692259-1000 -> {b7fca997-d0fb-4fe0-8afd-255e89cf9671} URL = hxxp://search.yahoo.com/search?p={searchTerms}&ei={inputEncoding}&fr=chr-hp-psg&type=HPDTDF
SearchScopes: HKU\S-1-5-21-3334463587-1985392049-2254692259-1000 -> {d43b3890-80c7-4010-a95d-1e77b5924dc3} URL = hxxp://en.wikipedia.org/wiki/Special:Search?search={searchTerms}
SearchScopes: HKU\S-1-5-21-3334463587-1985392049-2254692259-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-02232017220358298 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = hxxp://www.bing.com/search?q={searchTerms}&form=HPDTDF&pc=HPDTDF&src=IE-SearchBox
SearchScopes: HKU\S-1-5-21-3334463587-1985392049-2254692259-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-02232017220358298 -> {b7fca997-d0fb-4fe0-8afd-255e89cf9671} URL = hxxp://search.yahoo.com/search?p={searchTerms}&ei={inputEncoding}&fr=chr-hp-psg&type=HPDTDF
SearchScopes: HKU\S-1-5-21-3334463587-1985392049-2254692259-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-02232017220358298 -> {d43b3890-80c7-4010-a95d-1e77b5924dc3} URL = hxxp://en.wikipedia.org/wiki/Special:Search?search={searchTerms}
Toolbar: HKU\S-1-5-21-3334463587-1985392049-2254692259-1000 -> No Name - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} -  No File
Toolbar: HKU\S-1-5-21-3334463587-1985392049-2254692259-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-02232017220358298 -> No Name - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} -  No File
CHR Extension: (Chrome Web Store Payments) - C:\Users\Xavier\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2017-02-23]
CHR Extension: (Chrome Media Router) - C:\Users\Xavier\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm [2017-02-23]
R4 ccSet_NIS; \SystemRoot\system32\drivers\NISx64\1301000.01C\ccSetx64.sys [X]
R4 IDSVia64; \??\C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_19.1.0.28\Definitions\IPSDefs\20110726.001\IDSVia64.sys [X]
R4 SRTSPX; \SystemRoot\system32\drivers\NISx64\1301000.01C\SRTSPX64.SYS [X]
R4 SymDS; \SystemRoot\system32\drivers\NISx64\1301000.01C\SYMDS64.SYS [X]
R4 SymEFA; \SystemRoot\system32\drivers\NISx64\1301000.01C\SYMEFA64.SYS [X]

End
Save the file as fixlist.txt in the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the Farbar log you have submitted.

Run FRST and click Fix only once and wait.

The tool will create a log (Fixlog.txt) please post it to your reply.
===

Please download AdwCleaner by Xplode onto your Desktop.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click the Scan button and wait for the process to complete.
  • Click the LogFile button and the report will open in Notepad.
IMPORTANT
  • If you click the Clean button all items listed in the report will be removed.
If you find some false positive items or programs that you wish to keep, close the AdwCleaner windows.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click the Scan button and wait for the process to complete.
  • Check off the element(s) you wish to keep.
  • Click on the Clean button follow the prompts.
  • A log file will automatically open after the scan has finished.
  • Please post the content of that log file with your next answer.
  • You can find the log file at C:\AdwCleanerCx.txt (x is a number).
===

ADOBE FLASH PLAYER

Go to this page with Firefox or Opera to download the current version for your browser:
https://get.adobe.com/flashplayer/

Note:
Flash Player is pre-installed in Google Chrome and updates automatically!
Flash Player is pre-installed in IE/Edge and updates automatically!
===

Remove this old version via the Control Panel > Programs > Programs and Features.
Adobe Flash Player 11 ActiveX (x64) (HKLM\...\{421976B6-DEC6-4CA5-941F-F0663B3A2B74}) (Version: 11.1.102.55 - Adobe Systems Incorporated)
===

Please let me know what problem persists with this computer.

#3 koopa112

koopa112
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  • Local time:06:38 AM

Posted 25 February 2017 - 01:50 PM

I ran the fix tool before heading to work and returned to what seemed to have been an update reset, so I ran the tool again. It has been running for over 12 hours. Is this normal or did I cause more issues?



#4 nasdaq

nasdaq

  • Malware Response Team
  • 38,545 posts
  • ONLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:10:38 AM

Posted 26 February 2017 - 09:35 AM

Close the Process and find out if a Fixlist.txt file was created.
===

Run the AdwCleaner tool.
===


Temporarily disable your AV program so it does not interfere.
Info on how to disable your security applications: How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs - Security Mini-Guides.

Download Zoek tool from here

When the download appears, save to the Desktop.
On the Desktop, right-click the Zoek.exe file and select: Run as Administrator
(Give it a few seconds to appear.)

Next, copy/paste the entire script inside the code box below to the input field of Zoek:
createsrpoint;
autoclean;
emptyclsid;
emptyffcache;
FFdefaults;
emptyiecache;
iedefaults;
emptychrcache;
CHRdefaults;
emptyalltemp;
emptyfolderscheck;delete
ipconfig /flushdns;b
Now...
Close any open Browsers.
Click the Run script button, and wait. It takes a few minutes to run all the script.

When the tool finishes, the zoek-results.log is opened in Notepad.
The log is also found on the systemdrive, normally C:\
If a reboot is needed, the log is opened after the reboot.

Please attach the zoek-results.log in your reply.
===

Also, please provide an update on how the computer is behaving after running the above script.

Post the logs that have been created.

#5 koopa112

koopa112
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  • Local time:06:38 AM

Posted 26 February 2017 - 01:45 PM

When I attempt to download zoek from the link provided superantispyware flags it as a trojan and deletes it when I attempt to drag it to the desktop. Should I disable my AV for the download of zoek?



#6 nasdaq

nasdaq

  • Malware Response Team
  • 38,545 posts
  • ONLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:10:38 AM

Posted 27 February 2017 - 07:45 AM

Yes disable the AV.

But first check the AV quarantine folder. The program is good but it may have been quarantined by the AV.

#7 koopa112

koopa112
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  • Local time:06:38 AM

Posted 27 February 2017 - 03:40 PM

 
 
Zoek.exe v5.0.0.1 Updated 27-09-2015
Tool run by Xavier on Mon 02/27/2017 at 12:12:45.04.
Microsoft Windows 7 Home Premium  6.1.7601 Service Pack 1 x64
Running in: Normal Mode No Internet Access Detected
Launched: C:\Users\Xavier\Desktop\ZOEK.EXE [Scan all users] [Script inserted] 
 
==== System Restore Info ======================
 
2/27/2017 12:13:49 PM Zoek.exe System Restore Point Created Successfully.
 
==== Empty Folders Check ======================
 
C:\Users\Xavier\AppData\Local\PDFC deleted successfully
C:\Users\Xavier\AppData\Local\VirtualStore deleted successfully
 
==== Deleting CLSID Registry Keys ======================
 
HKEY_USERS\S-1-5-21-3334463587-1985392049-2254692259-1000\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{8dcb7100-df86-4384-8842-8fa844297b3f} deleted successfully
HKEY_USERS\S-1-5-21-3334463587-1985392049-2254692259-1000\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{8dcb7100-df86-4384-8842-8fa844297b3f} deleted successfully
HKEY_USERS\S-1-5-21-3334463587-1985392049-2254692259-1000\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{D2CE3E00-F94A-4740-988E-03DC2F38C34F} deleted successfully
HKEY_USERS\S-1-5-21-3334463587-1985392049-2254692259-1000\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{D2CE3E00-F94A-4740-988E-03DC2F38C34F} deleted successfully
HKEY_CLASSES_ROOT\Wow6432Node\CLSID\{8dcb7100-df86-4384-8842-8fa844297b3f} deleted successfully
HKEY_CLASSES_ROOT\Wow6432Node\CLSID\{D2CE3E00-F94A-4740-988E-03DC2F38C34F} deleted successfully
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{D2CE3E00-F94A-4740-988E-03DC2F38C34F} deleted successfully
 
==== Deleting CLSID Registry Values ======================
 
HKEY_USERS\S-1-5-21-3334463587-1985392049-2254692259-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\{7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} deleted successfully
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar\{8dcb7100-df86-4384-8842-8fa844297b3f} deleted successfully
 
==== Deleting Services ======================
 
 
==== Batch Command(s) Run By Tool======================
 
 
==== Deleting Files \ Folders ======================
 
C:\PROGRA~3\{A8DA1505-E615-42BB-BB77-74D5CC91FE7E} deleted
 
==== Chromium Look ======================
 
 
BTTV - Xavier\AppData\Local\Google\Chrome\User Data\Default\Extensions\ajopnjidmegmdimjlfnijceegpefgped
AdblockPro - Xavier\AppData\Local\Google\Chrome\User Data\Default\Extensions\ocifcklkibdehekfnmflempfgjhbedch
Chrome Media Router - Xavier\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm
 
==== Set IE to Default ======================
 
Old Values:
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
 
New Values:
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
 
==== All HKCU SearchScopes ======================
 
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes
"DefaultScope"="{0633EE93-D776-472f-A0FF-E1416B8B2E3A}"
{012E1000-F331-11DB-8314-0800200C9A66} Google  Url="http://www.google.com/search?q={searchTerms}"
 
==== Reset Google Chrome ======================
 
C:\Users\Xavier\AppData\Local\Google\Chrome\User Data\Default\Preferences was reset successfully
C:\Users\Xavier\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences was reset successfully
C:\Users\Xavier\AppData\Local\Google\Chrome\User Data\Default\Web Data was reset successfully
C:\Users\Xavier\AppData\Local\Google\Chrome\User Data\Default\Web Data-journal was reset successfully
 
==== Empty IE Cache ======================
 
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5 emptied successfully
C:\Users\Xavier\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5 emptied successfully
C:\Windows\SysNative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5 emptied successfully
C:\Windows\sysWoW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5 emptied successfully
C:\Windows\sysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5 emptied successfully
C:\Users\Xavier\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat will be deleted at reboot
 
==== Empty FireFox Cache ======================
 
No FireFox Profiles found
 
==== Empty Chrome Cache ======================
 
C:\Users\Xavier\AppData\Local\Google\Chrome\User Data\Default\Cache emptied successfully
 
==== Empty All Flash Cache ======================
 
No Flash Cache Found
 
==== Empty All Java Cache ======================
 
No Java Cache Found
 
==== C:\zoek_backup content ======================
 
C:\zoek_backup (files=3 folders=1 47870361 bytes)
 
==== Empty Temp Folders ======================
 
C:\Users\Default\AppData\Local\temp emptied successfully
C:\Users\Default User\AppData\Local\temp emptied successfully
C:\Users\Public\AppData\Local\temp emptied successfully
C:\Users\Xavier\AppData\Local\Temp will be emptied at reboot
C:\Windows\serviceprofiles\networkservice\AppData\Local\Temp emptied successfully
C:\Windows\serviceprofiles\Localservice\AppData\Local\Temp emptied successfully
C:\Windows\Temp will be emptied at reboot
 
==== After Reboot ======================
 
==== Empty Temp Folders ======================
 
C:\Windows\Temp successfully emptied
C:\Users\Xavier\AppData\Local\Temp successfully emptied
 
==== Empty Recycle Bin ======================
 
C:\$RECYCLE.BIN successfully emptied
 
==== Deleting Files / Folders ======================
 
"C:\Users\Xavier\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat" not found
 
==== EOF on Mon 02/27/2017 at 12:37:32.26 ======================
 


#8 nasdaq

nasdaq

  • Malware Response Team
  • 38,545 posts
  • ONLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:10:38 AM

Posted 28 February 2017 - 08:44 AM

Any remaining issues?

#9 koopa112

koopa112
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  • Local time:06:38 AM

Posted 28 February 2017 - 09:13 AM

Everything seems fine, but I would like to know the best method for recovering my files from my external drive. Should I perform a scan on the drive before copying the files over, and what program would you recommend? After the files have been moved, should I run one or more of the tools I had used before?



#10 nasdaq

nasdaq

  • Malware Response Team
  • 38,545 posts
  • ONLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:10:38 AM

Posted 28 February 2017 - 09:36 AM

Can you not run Avast on the external drive?

https://blog.avast.com/2012/09/27/how-do-i-scan-a-flash-drive-for-viruses-using-avast/

#11 koopa112

koopa112
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  • Local time:06:38 AM

Posted 28 February 2017 - 10:07 AM

Wouldn't I still run the risk of spreading a potential infection when I plug in the external drive?



#12 nasdaq

nasdaq

  • Malware Response Team
  • 38,545 posts
  • ONLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:10:38 AM

Posted 28 February 2017 - 11:28 AM

Read the article.

Avast! security products come with a number of pre-defined scans installed including the ability to scan any removable storage device that is connected to your computer, such as USB flash drives, external hard drives, etc. It will scan the drive to detect potential "auto-run" programs that may try to launch when the device is connected.



#13 koopa112

koopa112
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  • Local time:06:38 AM

Posted 28 February 2017 - 11:37 AM

When I attempted to download avast I received this message. I looked up the website download.cnet and I've seen more poor reviews than good ones hinting that it may contain malware even if downloaded from a trusted site. Is it safe to download avast from this link? https://www.avast.com/en-us/index

 

Because of the following filter

||download.cnet.com^$document
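The block page quoted above names an Adblock Plus / uBlock-style filter, `||download.cnet.com^$document`. The example below is added here to show what that rule actually matches; it is not code from the thread, from Adblock Pro or from any other blocker, and it implements only this one rule shape (`||host^` with an optional `$type` list). `||` anchors the pattern at the start of the hostname, so subdomains match as well; the trailing `^` is the separator placeholder, so a lookalike such as `download.cnet.com.example.test` does not match; `$document` restricts the rule to top-level page loads. Every address except the Avast index page from the thread is a constructed sample.

```python
"""Simplified matcher for Adblock Plus / uBlock-style rules of the form
``||host^$type``.  Added example, not any ad blocker's own code; only this
one rule shape is handled and anything else raises ValueError."""
from urllib.parse import urlsplit

# The rule shown on the block page quoted in the thread.
CNET_RULE = "||download.cnet.com^$document"


def parse_rule(rule: str):
    """Split a rule into its address pattern and its ``$`` option set.

    "||download.cnet.com^$document" -> ("||download.cnet.com^", {"document"})
    A rule without a ``$`` part applies to every request type.
    """
    pattern, _, opts = rule.partition("$")
    options = {o.strip().lower() for o in opts.split(",") if o.strip()}
    return pattern.strip(), options


def host_anchor(pattern: str) -> str:
    """Return the domain a ``||host^`` pattern is anchored to.

    ``||`` anchors at the start of the hostname (so subdomains match too).
    The trailing ``^`` is the separator placeholder: it must be followed by a
    character such as ``/``, ``:`` or ``?``, or by the end of the address,
    which is what keeps ``download.cnet.com.example.test`` from matching.
    """
    if not (pattern.startswith("||") and pattern.endswith("^")):
        raise ValueError("this example only handles ||host^ patterns")
    return pattern[2:-1].lower().rstrip(".")


def host_matches(hostname: str, anchor: str) -> bool:
    """True when hostname is the anchored domain or one of its subdomains."""
    hostname = hostname.lower().rstrip(".")
    return hostname == anchor or hostname.endswith("." + anchor)


def rule_blocks(rule: str, url: str, request_type: str = "document") -> bool:
    """Decide whether ``rule`` blocks ``url`` requested as ``request_type``.

    ``request_type`` is the kind of request the browser makes: "document"
    for a top-level page load, "script", "image", and so on.  An option
    list such as ``$document`` limits the rule to those types only.
    """
    pattern, options = parse_rule(rule)
    if options and request_type.lower() not in options:
        return False
    hostname = urlsplit(url).hostname or ""
    return host_matches(hostname, host_anchor(pattern))


def classify(rule: str, urls):
    """Map each URL to 'blocked' or 'allowed' for a top-level page load."""
    return {u: ("blocked" if rule_blocks(rule, u) else "allowed") for u in urls}


if __name__ == "__main__":
    # Constructed sample addresses; only the Avast index page is from the thread.
    samples = [
        "https://www.avast.com/en-us/index",
        "https://download.cnet.com/Avast-Free-Antivirus/",
        "http://dw.download.cnet.com/files/example.exe",
        "https://download.cnet.com.example.test/",
    ]
    for url, verdict in classify(CNET_RULE, samples).items():
        print(f"{verdict:8} {url}")
```

Because the rule matches only `download.cnet.com` and its subdomains, the Avast index page itself is never blocked by it; a block page appearing after following that link means the navigation ended up on a `download.cnet.com` address, which is the host the filter was written for. The `$document` option is why the same rule would not touch a script or image fetched from that host.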



#14 nasdaq

nasdaq

  • Malware Response Team
  • 38,545 posts
  • ONLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:10:38 AM

Posted 28 February 2017 - 11:48 AM


Your copy of Avast may be compromised.

Remove the current version using their uninstaller.

How To:
https://www.avast.com/uninstall-utility

Restart the computer normally when completed.


Reinstall the application using this link.

https://www.avast.com/en-us/index

#15 koopa112

koopa112
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  • Local time:06:38 AM

Posted 28 February 2017 - 11:51 AM

I have yet to download or install avast and the link you provided is the same one that gave me the warning and continues to give me the warning. Is the chrome extension "Adblock Pro" giving me a false reading? Can I trust the website download.cnet.com?





