Installed a virus. I know which file it came from, What can I do?


14 replies to this topic

#1 Person209

Person209

  • Members
  • 11 posts

Posted 14 May 2017 - 02:50 AM

System Details:
Windows Vista Home Basic SP2 6.0.6002
Dell Latitude E4310
 
So I was looking to demo a video game, so I grabbed a *free* upload of it from the internet (No guilt here; it wasn't as fun as I'd hoped, so I won't be playing it again any time soon.)
 
Unfortunately, the file had something extra attached to it, presumably some sort of noisemaking software (it's nearly a bleeping computer!) and definitely at least one trojan. (report on removal below.) However, I believe that these were only part of the malware installed by the software I wanted to try, and so I wanted to seek expertise on properly identifying everything else that likely came along with it.
 
How would I best go about identifying the malicious files so that I can solve these issues accordingly?
 
Noisemaking software

 
When the computer makes a sound, sometimes it will make a clicking noise instead of the sound it was going to play. Generally only occurs when opening files. Not a hardware issue.
 
Malware removal report
 
   C:\Users\Person209\AppData\Local\Kitty\Kitty.dll -> Deleted
      Size . . . . . . . : 505,344 bytes
      Age  . . . . . . . : 10.0 days (2017-04-26 17:57:34)
      Entropy  . . . . . : 6.6
      SHA-256  . . . . . : BC5F25F4DEC8F5868D0FD66350EEF786230BC875417112707D9D4058DE5D464A
      Product  . . . . . : kitty
      Publisher  . . . . : kitty
      Description  . . . : kitty
      Version  . . . . . : 1.0.0.1
      LanguageID . . . . : 2052
    > Bitdefender  . . . : Trojan.Agent.CGLV
    > Kaspersky  . . . . : HEUR:Trojan.Win32.Generic
    > HitmanPro  . . . . : App/Generic-KJ
      Fuzzy  . . . . . . : 101.0
      Forensic Cluster
          0.0s C:\Users\Person209\AppData\Local\Kitty\
          0.0s C:\Users\Person209\AppData\Local\Kitty\Kitty.dll
 
Original File
 
C:\Users\Person209\Downloads\Crusdrkngs2rprsdueprpr\Crusader.Kings.II.The.Reapers.Due.PROPER-SKIDROW\sr-cmiitrdp.rar
 
Downloaded it from ...pcgames-download.net/2014/12/pc-multi-crusader-ki...  (Mega)
about 10 days ago
 
Edit: Found the file link on site; will send for forensics on request.


Edited by hamluis, 14 May 2017 - 05:33 AM.
Merged posts, moved topic from Vista to Am I Infected - Hamluis.
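Added example, not part of the original post or of the tool that produced the removal report above: a small Python triage script that reproduces the report's Size, Age, Entropy and SHA-256 fields for files changed within the last N days under a directory (such as the AppData\Local tree where Kitty.dll sat) and flags high-entropy files, which packed or encrypted payloads tend to be. The 7.0 entropy threshold and the sample directory it builds are assumptions.

```python
"""Re-create the per-file triage fields from a removal report (size, age,
entropy, SHA-256) for recently changed files under a directory and flag
high-entropy ones, which packed or encrypted payloads tend to be."""
import hashlib
import math
import os
import tempfile
import time
from collections import Counter
from datetime import datetime

# Uniformly random data scores 8.0 bits/byte; ordinary PE code usually sits
# around 5-6.5. The 7.0 review threshold is an assumption, not a tool default.
HIGH_ENTROPY = 7.0


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; 0.0 for empty or single-valued data."""
    if not data:
        return 0.0
    n = len(data)
    ent = 0.0
    for count in Counter(data).values():
        p = count / n
        ent -= p * math.log2(p)
    return ent


def sha256_hex(data: bytes) -> str:
    """Upper-case hex digest, matching the report's SHA-256 field."""
    return hashlib.sha256(data).hexdigest().upper()


def triage_file(path: str, now=None) -> dict:
    """Collect the fields the report prints for one file."""
    now = time.time() if now is None else now
    with open(path, "rb") as fh:
        data = fh.read()
    mtime = os.path.getmtime(path)
    return {
        "path": path,
        "size": len(data),
        "age_days": (now - mtime) / 86400.0,
        "modified": datetime.fromtimestamp(mtime).strftime("%Y-%m-%d %H:%M:%S"),
        "entropy": shannon_entropy(data),
        "sha256": sha256_hex(data),
    }


def scan_recent(root: str, max_age_days: float, now=None) -> list:
    """Triage every file under root changed within max_age_days, newest first."""
    now = time.time() if now is None else now
    results = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            info = triage_file(os.path.join(dirpath, name), now)
            if info["age_days"] <= max_age_days:
                results.append(info)
    results.sort(key=lambda r: r["age_days"])
    return results


def format_report(info: dict) -> str:
    """Render one file in the same layout as the removal report."""
    flag = "  <-- high entropy, review" if info["entropy"] >= HIGH_ENTROPY else ""
    return (
        f"{info['path']}\n"
        f"   Size . . . . : {info['size']:,} bytes\n"
        f"   Age  . . . . : {info['age_days']:.1f} days ({info['modified']})\n"
        f"   Entropy  . . : {info['entropy']:.1f}{flag}\n"
        f"   SHA-256  . . : {info['sha256']}"
    )


def make_sample_dir() -> str:
    """Constructed sample tree: a plain-text file and a uniform-byte blob."""
    root = tempfile.mkdtemp(prefix="triage-")
    sub = os.path.join(root, "AppData", "Local", "Sample")
    os.makedirs(sub)
    with open(os.path.join(sub, "readme.txt"), "wb") as fh:
        fh.write(b"plain text repeated " * 64)
    with open(os.path.join(sub, "blob.dll"), "wb") as fh:
        fh.write(bytes(range(256)) * 8)  # every byte value equally often -> 8.0
    return root


if __name__ == "__main__":
    # On a real box, point scan_recent at %LOCALAPPDATA% with max_age_days=10.
    for info in scan_recent(make_sample_dir(), max_age_days=10):
        print(format_report(info))
```

Entropy alone does not prove anything (legitimate installers and compressed resources score high too); it only tells you which recent files to hash and look up first.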


#2 iMacg3

iMacg3

    Bleepin' 68000


  • Malware Study Hall Senior
  • 1,269 posts
  • Gender:Male
  • Location:Indiana, USA

Posted 14 May 2017 - 09:31 AM

Delete the game/program from your PC immediately, and follow the below steps:

 

Download Farbar MiniToolBox and save the file to your desktop.

  1. Open MiniToolBox by right-clicking it and selecting Run as Administrator.

  2. Make sure the following options are checked and then click Go:

     • Report IE Proxy Settings
     • Report FF Proxy Settings
     • List content of Hosts
     • List IP configuration
     • List Winsock Entries
     • List last 10 Event Viewer log
     • List Installed Programs
     • List Devices (Don't change any settings here)
     • List Users, Partitions and Memory size
     • List Restore Points

  3. Paste the log file contents into a post.

 

 

 

Download SecurityCheck by screen317.

 

  1. Click on the downloaded file and follow the instructions in the box on the screen.

  2. Paste the log file contents into a post.

  3. Important: If you get an error message, please restart your computer and try again.

 

 

 

 

Download Malwarebytes Anti-Malware from the provided link.

  1. Launch MBAM by clicking the .EXE file you downloaded.

  2. Run the installation wizard.

  3. Once complete, open MBAM and click Scan.

  4. Let the scan complete, then make sure all threats are selected and click Quarantine.

  5. Once done, go to History > Logs. Select the most recent Scan Log and paste its contents into a post.

 

 

 

Download ESET Online Scanner and save it to your desktop

 

  1. Double-click on the ESET Online Scanner icon to launch ESET.

  2. Click through the prompts and select “Enable detection of potentially unwanted applications.”

  3. Click “Scan” and let the tool run.

  4. Once done, click the “Save to text file...” Save the file to your desktop and paste the contents into a post.

 

Download Rkill from one of the below three links. (Use the one that runs on your PC without being blocked).

Link 1

Link 2

Link 3

 

  1. Double-click on the file you downloaded (either rkill.exe, iExplore.exe, or rkill.com) to launch Rkill.

  2. If a black box appears, the program is running correctly. If nothing happens, then try another link.

  3. Let the scan complete, then paste the contents of the text file that pops up at the end into a post.

  4. Important: Do not restart your computer once the scan is done!


Regards, iMacg3

If I do not reply to your malware removal topic in 48 hours, please send me a PM.

"Do, or do not. There is no try." - Yoda
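Added example, not from the original reply or from Farbar's tool: a Python reviewer for three of the MiniToolBox sections requested above (proxy settings, hosts content, Winsock entries) that lists the lines a helper would ask about first. The section banners and known-clean phrases follow the MiniToolBox log layout; the sample log and its 0.0.0.0 hosts line are constructed.

```python
"""Review the MiniToolBox sections a helper asks for first: proxy settings,
hosts file and Winsock catalog. Banner and line layouts follow a real
MiniToolBox log; the sample below is constructed."""
import re

# "========================= Hosts content: =====" style banners; the colon is
# optional because the Winsock banner has none.
SECTION_RE = re.compile(r"^=+\s*([^=\s].*?):?\s*=+\s*$")
# "Catalog5 08 C:\Program Files\Bonjour\mdnsNSP.dll [121704] (Apple Inc.)"
WINSOCK_RE = re.compile(r"^(Catalog\d+)\s+(\d+)\s+(.+?)\s+\[(\d+)\]\s+\((.*)\)\s*$")

CLEAN_PROXY = {"Proxy is not enabled.", "No Proxy Server is set."}
HOSTS_DEFAULTS = {("127.0.0.1", "localhost"), ("::1", "localhost")}
TRUSTED_LSP_VENDOR = "Microsoft Corporation"


def split_sections(text: str) -> dict:
    """Group lines under the banner that precedes them ('header' before any)."""
    sections = {"header": []}
    current = "header"
    for line in text.splitlines():
        m = SECTION_RE.match(line.strip())
        if m:
            current = m.group(1).strip()
            sections.setdefault(current, [])
        else:
            sections[current].append(line.rstrip())
    return sections


def check_proxy(lines: list, section: str) -> list:
    """Anything but the two known-clean lines means a proxy is configured and
    should be explained; silent proxying is a common way to intercept traffic."""
    return [f"proxy: {section}: unexpected line: {ln.strip()}"
            for ln in lines if ln.strip() and ln.strip() not in CLEAN_PROXY]


def check_hosts(lines: list) -> list:
    """Flag every mapping that is not the stock localhost entry; pointing update
    or AV hostnames at 0.0.0.0/127.0.0.1 is the classic hosts-file hijack."""
    findings = []
    for line in lines:
        s = line.strip()
        if not s or s.startswith("#"):
            continue
        parts = s.split()
        if len(parts) < 2:
            findings.append(f"hosts: malformed line: {s}")
            continue
        ip, names = parts[0], parts[1:]
        for name in names:
            if (ip, name) not in HOSTS_DEFAULTS:
                findings.append(f"hosts: {name} -> {ip} is not a default entry")
    return findings


def check_winsock(lines: list) -> list:
    """List non-Microsoft Winsock providers once each; a third-party LSP/NSP
    sees all socket traffic, so each one should map to software you installed."""
    seen, findings = set(), []
    for line in lines:
        m = WINSOCK_RE.match(line.strip())
        if not m:
            continue
        catalog, _idx, path, _size, vendor = m.groups()
        if vendor != TRUSTED_LSP_VENDOR and path not in seen:
            seen.add(path)
            findings.append(f"winsock: third-party provider {path} ({vendor}) in {catalog}")
    return findings


def review(text: str) -> list:
    """Run all checks over one MiniToolBox log and return the findings."""
    sections = split_sections(text)
    findings = []
    for name in ("IE Proxy Settings", "FF Proxy Settings"):
        findings += check_proxy(sections.get(name, []), name)
    findings += check_hosts(sections.get("Hosts content", []))
    findings += check_winsock(sections.get("Winsock entries", []))
    return findings


# Constructed sample in MiniToolBox layout; the 0.0.0.0 line is invented.
SAMPLE_LOG = r"""MiniToolBox by Farbar  Version: 17-06-2016
========================= IE Proxy Settings: ==============================

Proxy is not enabled.
No Proxy Server is set.
========================= Hosts content: =================================
127.0.0.1       localhost
0.0.0.0         update.example.com
========================= Winsock entries =====================================

Catalog5 01 C:\Windows\system32\NLAapi.dll [48640] (Microsoft Corporation)
Catalog5 08 C:\Program Files\Bonjour\mdnsNSP.dll [121704] (Apple Inc.)
Catalog9 01 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
"""

if __name__ == "__main__":
    for finding in review(SAMPLE_LOG):
        print(finding)
```

A third-party Winsock provider such as Apple's Bonjour NSP is expected on a machine with iTunes installed; the point of listing it is to confirm each entry has a known owner, not to treat it as malicious.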

#3 Person209

Person209
  • Topic Starter

  • Members
  • 11 posts

Posted 16 May 2017 - 10:21 AM

Thanks for the walkthrough, appreciate the assistance. The reports are as follows:
 
MiniToolBox by Farbar  Version: 17-06-2016
Ran by User (administrator) on 16-05-2017 at 21:19:55
Running from "C:\Users\User\Desktop"
Microsoft® Windows Vista™ Home Basic  Service Pack 2 (X86)
Model: Latitude E4310 Manufacturer: Dell Inc.
Boot Mode: Normal
***************************************************************************
 
========================= IE Proxy Settings: ============================== 
 
Proxy is not enabled.
No Proxy Server is set.
========================= Hosts content: =================================
127.0.0.1       localhost
========================= IP Configuration: ================================
 
Intel® Centrino® Advanced-N 6200 AGN = Wireless Network Connection (Connected)
Intel® 82577LM Gigabit Network Connection = Local Area Connection (Media disconnected)
 
 
# ----------------------------------
# IPv4 Configuration
# ----------------------------------
pushd interface ipv4
 
reset
set global icmpredirects=enabled
set subinterface interface= subinterface=ethernet_7 mtu=1477
 
 
popd
# End of IPv4 configuration
 
 
 
Windows IP Configuration
 
   Host Name . . . . . . . . . . . . : User_PC
   Primary Dns Suffix  . . . . . . . : 
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No
   DNS Suffix Search List. . . . . . : Home
 
Wireless LAN adapter Wireless Network Connection:
 
   Connection-specific DNS Suffix  . : Home
   Description . . . . . . . . . . . : Intel® Centrino® Advanced-N 6200 AGN
   Physical Address. . . . . . . . . : 58-94-6B-26-34-40
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
   Link-local IPv6 Address . . . . . : fe80::a538:729d:9488:b4ab%11(Preferred) 
   IPv4 Address. . . . . . . . . . . : 192.168.0.29(Preferred) 
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Lease Obtained. . . . . . . . . . : Tuesday, 16 May 2017 4:46:17 PM
   Lease Expires . . . . . . . . . . : Wednesday, 17 May 2017 4:46:16 PM
   Default Gateway . . . . . . . . . : 192.168.0.1
   DHCP Server . . . . . . . . . . . : 192.168.0.1
   DHCPv6 IAID . . . . . . . . . . . : 307795051
   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-1B-FC-94-5E-5C-26-0A-1B-9E-72
   DNS Servers . . . . . . . . . . . : 192.168.0.1
   NetBIOS over Tcpip. . . . . . . . : Enabled
 
Ethernet adapter Local Area Connection:
 
   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . : Home
   Description . . . . . . . . . . . : Intel® 82577LM Gigabit Network Connection
   Physical Address. . . . . . . . . : 5C-26-0A-1B-9E-72
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
 
Tunnel adapter Local Area Connection* 7:
 
   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . : 
   Description . . . . . . . . . . . : isatap.Home
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
 
Tunnel adapter Local Area Connection* 13:
 
   Connection-specific DNS Suffix  . : 
   Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
   Physical Address. . . . . . . . . : 02-00-54-55-4E-01
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   IPv6 Address. . . . . . . . . . . : 2001:0:9d38:6abd:38b1:3d7d:ce44:5aad(Preferred) 
   Link-local IPv6 Address . . . . . : fe80::38b1:3d7d:ce44:5aad%15(Preferred) 
   Default Gateway . . . . . . . . . : ::
   NetBIOS over Tcpip. . . . . . . . : Disabled
 
Tunnel adapter Local Area Connection* 14:
 
   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . : 
   Description . . . . . . . . . . . : 6TO4 Adapter
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
Server:  MyGateway.Home
Address:  192.168.0.1
 
Name:    google.com
Addresses:  2404:6800:4006:809::200e
 216.58.200.110
 
 
 
Pinging google.com [216.58.200.110] with 32 bytes of data:
 
Reply from 216.58.200.110: bytes=32 time=702ms TTL=55
 
Reply from 216.58.200.110: bytes=32 time=620ms TTL=55
 
 
 
Ping statistics for 216.58.200.110:
 
    Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
 
Approximate round trip times in milli-seconds:
 
    Minimum = 620ms, Maximum = 702ms, Average = 661ms
 
Server:  MyGateway.Home
Address:  192.168.0.1
 
Name:    yahoo.com
Addresses:  2001:4998:44:204::a7
 2001:4998:58:c02::a9
 2001:4998:c:a06::2:4008
 206.190.36.45
 98.138.253.109
 98.139.183.24
 
 
 
Pinging yahoo.com [206.190.36.45] with 32 bytes of data:
 
Reply from 206.190.36.45: bytes=32 time=1261ms TTL=45
 
Reply from 206.190.36.45: bytes=32 time=901ms TTL=45
 
 
 
Ping statistics for 206.190.36.45:
 
    Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
 
Approximate round trip times in milli-seconds:
 
    Minimum = 901ms, Maximum = 1261ms, Average = 1081ms
 
 
 
Pinging 127.0.0.1 with 32 bytes of data:
 
Reply from 127.0.0.1: bytes=32 time<1ms TTL=128
 
Reply from 127.0.0.1: bytes=32 time<1ms TTL=128
 
 
 
Ping statistics for 127.0.0.1:
 
    Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
 
Approximate round trip times in milli-seconds:
 
    Minimum = 0ms, Maximum = 0ms, Average = 0ms
 
===========================================================================
Interface List
 11 ...58 94 6b 26 34 40 ...... Intel® Centrino® Advanced-N 6200 AGN
 10 ...5c 26 0a 1b 9e 72 ...... Intel® 82577LM Gigabit Network Connection
  1 ........................... Software Loopback Interface 1
 17 ...00 00 00 00 00 00 00 e0  isatap.Home
 15 ...02 00 54 55 4e 01 ...... Teredo Tunneling Pseudo-Interface
 16 ...00 00 00 00 00 00 00 e0  6TO4 Adapter
===========================================================================
 
IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.0.1     192.168.0.29     25
        127.0.0.0        255.0.0.0         On-link         127.0.0.1    306
        127.0.0.1  255.255.255.255         On-link         127.0.0.1    306
  127.255.255.255  255.255.255.255         On-link         127.0.0.1    306
      192.168.0.0    255.255.255.0         On-link      192.168.0.29    281
     192.168.0.29  255.255.255.255         On-link      192.168.0.29    281
    192.168.0.255  255.255.255.255         On-link      192.168.0.29    281
        224.0.0.0        240.0.0.0         On-link         127.0.0.1    306
        224.0.0.0        240.0.0.0         On-link      192.168.0.29    281
  255.255.255.255  255.255.255.255         On-link         127.0.0.1    306
  255.255.255.255  255.255.255.255         On-link      192.168.0.29    281
===========================================================================
Persistent Routes:
  None
 
IPv6 Route Table
===========================================================================
Active Routes:
 If Metric Network Destination      Gateway
 15     18 ::/0                     On-link
  1    306 ::1/128                  On-link
 15     18 2001::/32                On-link
 15    266 2001:0:9d38:6abd:38b1:3d7d:ce44:5aad/128
                                    On-link
 11    281 fe80::/64                On-link
 15    266 fe80::/64                On-link
 15    266 fe80::38b1:3d7d:ce44:5aad/128
                                    On-link
 11    281 fe80::a538:729d:9488:b4ab/128
                                    On-link
  1    306 ff00::/8                 On-link
 15    266 ff00::/8                 On-link
 11    281 ff00::/8                 On-link
===========================================================================
Persistent Routes:
  None
========================= Winsock entries =====================================
 
Catalog5 01 C:\Windows\system32\NLAapi.dll [48640] (Microsoft Corporation)
Catalog5 02 C:\Windows\system32\napinsp.dll [50176] (Microsoft Corporation)
Catalog5 03 C:\Windows\system32\pnrpnsp.dll [62464] (Microsoft Corporation)
Catalog5 04 C:\Windows\system32\pnrpnsp.dll [62464] (Microsoft Corporation)
Catalog5 05 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog5 06 C:\Windows\system32\winrnr.dll [19968] (Microsoft Corporation)
Catalog5 07 C:\Windows\system32\wshbth.dll [34304] (Microsoft Corporation)
Catalog5 08 C:\Program Files\Bonjour\mdnsNSP.dll [121704] (Apple Inc.)
Catalog9 01 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 02 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 03 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 04 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 05 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 06 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 07 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 08 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 09 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 10 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 11 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 12 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 13 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 14 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 15 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 16 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 17 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 18 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 19 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 20 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 21 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 22 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 23 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 24 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 25 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 26 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 27 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 28 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 29 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
 
========================= Event log errors: ===============================
 
Application errors:
==================
Error: (05/16/2017 09:05:35 PM) (Source: SideBySide) (User: )
Description: Activation context generation failed for "Microsoft.Windows.Common-Controls,language="*",processorArchitecture="amd64",publicKeyToken="6595b64144ccf1df",type="win32",version="6.0.0.0"1".
Dependent Assembly Microsoft.Windows.Common-Controls,language="*",processorArchitecture="amd64",publicKeyToken="6595b64144ccf1df",type="win32",version="6.0.0.0" could not be found.
Please use sxstrace.exe for detailed diagnosis.
 
Error: (05/16/2017 09:05:35 PM) (Source: SideBySide) (User: )
Description: Activation context generation failed for "Microsoft.Windows.Common-Controls,language="*",processorArchitecture="amd64",publicKeyToken="6595b64144ccf1df",type="win32",version="6.0.0.0"1".
Dependent Assembly Microsoft.Windows.Common-Controls,language="*",processorArchitecture="amd64",publicKeyToken="6595b64144ccf1df",type="win32",version="6.0.0.0" could not be found.
Please use sxstrace.exe for detailed diagnosis.
 
Error: (05/16/2017 08:35:18 PM) (Source: Application Error) (User: )
Description: Faulting application Origin.exe, version 9.5.3.636, time stamp 0x54878687, faulting module MSVCR100.dll, version 10.0.40219.325, time stamp 0x4df2be1e, exception code 0xc0000417, fault offset 0x0008af3e,
process id 0x12dc, application start time 0xOrigin.exe0.
 
Error: (05/15/2017 11:35:58 PM) (Source: Application Hang) (User: )
Description: The program Civ3Conquests.exe version 1.22.0.0 stopped interacting with Windows and was closed. To see if more information about the problem is available, check the problem history in the Problem Reports and Solutions control panel.
Process ID: 154c
Start Time: 01d2cd6ad9e89c15
Termination Time: 1469
 
Error: (05/15/2017 11:34:39 PM) (Source: Application Error) (User: )
Description: Faulting application Civ3Conquests.exe, version 1.22.0.0, time stamp 0x550a3e1f, faulting module Civ3Conquests.exe, version 1.22.0.0, time stamp 0x550a3e1f, exception code 0xc0000005, fault offset 0x0026b4cb,
process id 0x154c, application start time 0xCiv3Conquests.exe0.
 
Error: (05/15/2017 05:58:54 PM) (Source: SideBySide) (User: )
Description: Activation context generation failed for "Microsoft.Windows.Common-Controls,language="*",processorArchitecture="amd64",publicKeyToken="6595b64144ccf1df",type="win32",version="6.0.0.0"1".
Dependent Assembly Microsoft.Windows.Common-Controls,language="*",processorArchitecture="amd64",publicKeyToken="6595b64144ccf1df",type="win32",version="6.0.0.0" could not be found.
Please use sxstrace.exe for detailed diagnosis.
 
Error: (05/15/2017 05:58:54 PM) (Source: SideBySide) (User: )
Description: Activation context generation failed for "Microsoft.Windows.Common-Controls,language="*",processorArchitecture="amd64",publicKeyToken="6595b64144ccf1df",type="win32",version="6.0.0.0"1".
Dependent Assembly Microsoft.Windows.Common-Controls,language="*",processorArchitecture="amd64",publicKeyToken="6595b64144ccf1df",type="win32",version="6.0.0.0" could not be found.
Please use sxstrace.exe for detailed diagnosis.
 
Error: (05/15/2017 05:33:33 PM) (Source: SideBySide) (User: )
Description: Activation context generation failed for "Microsoft.Windows.Common-Controls,language="*",processorArchitecture="amd64",publicKeyToken="6595b64144ccf1df",type="win32",version="6.0.0.0"1".
Dependent Assembly Microsoft.Windows.Common-Controls,language="*",processorArchitecture="amd64",publicKeyToken="6595b64144ccf1df",type="win32",version="6.0.0.0" could not be found.
Please use sxstrace.exe for detailed diagnosis.
 
Error: (05/15/2017 05:33:33 PM) (Source: SideBySide) (User: )
Description: Activation context generation failed for "Microsoft.Windows.Common-Controls,language="*",processorArchitecture="amd64",publicKeyToken="6595b64144ccf1df",type="win32",version="6.0.0.0"1".
Dependent Assembly Microsoft.Windows.Common-Controls,language="*",processorArchitecture="amd64",publicKeyToken="6595b64144ccf1df",type="win32",version="6.0.0.0" could not be found.
Please use sxstrace.exe for detailed diagnosis.
 
Error: (05/15/2017 05:30:32 PM) (Source: EventSystem) (User: )
Description: d:\longhorn\com\complus\src\events\tier1\eventsystemobj.cpp458007043c
 
 
System errors:
=============
Error: (05/16/2017 04:48:40 PM) (Source: Service Control Manager) (User: )
Description: Google Update Service (gupdate)%%1053 = The service did not respond to the start or control request in a timely fashion.
 
 
Error: (05/16/2017 04:48:40 PM) (Source: Service Control Manager) (User: )
Description: 30000Google Update Service (gupdate)
 
Error: (05/16/2017 04:46:15 PM) (Source: Microsoft-Windows-TaskScheduler) (User: NT AUTHORITY)
Description: 2147942402
 
Error: (05/15/2017 06:44:41 PM) (Source: Service Control Manager) (User: )
Description: Google Update Service (gupdate)%%1053 = The service did not respond to the start or control request in a timely fashion.
 
 
Error: (05/15/2017 06:44:41 PM) (Source: Service Control Manager) (User: )
Description: 30000Google Update Service (gupdate)
 
Error: (05/15/2017 06:44:15 PM) (Source: DCOM) (User: NT AUTHORITY)
Description: application-specificLocalLaunch{C97FCC79-E628-407D-AE68-A06AD6D8B4D1}NT AUTHORITYSYSTEMS-1-5-18LocalHost (Using LRPC)
 
Error: (05/15/2017 06:42:25 PM) (Source: Microsoft-Windows-TaskScheduler) (User: NT AUTHORITY)
Description: 2147942402
 
Error: (05/15/2017 06:16:36 PM) (Source: Service Control Manager) (User: )
Description: Windows Search1300001Restart the service
 
Error: (05/15/2017 06:16:26 PM) (Source: Service Control Manager) (User: )
Description: Software Licensing11200001Restart the service
 
Error: (05/15/2017 06:16:22 PM) (Source: Service Control Manager) (User: )
Description: Intel® System Usage Report Service SystemUsageReportSvc_WILLAMETTE1
 
 
Microsoft Office Sessions:
=========================
Error: (05/16/2017 09:05:35 PM) (Source: SideBySide)(User: )
Description: Microsoft.Windows.Common-Controls,language="*",processorArchitecture="amd64",publicKeyToken="6595b64144ccf1df",type="win32",version="6.0.0.0"C:\Users\User\Desktop\Autoruns\autorunsc64.exe
 
Error: (05/16/2017 09:05:35 PM) (Source: SideBySide)(User: )
Description: Microsoft.Windows.Common-Controls,language="*",processorArchitecture="amd64",publicKeyToken="6595b64144ccf1df",type="win32",version="6.0.0.0"C:\Users\User\Desktop\Autoruns\Autoruns64.exe
 
Error: (05/16/2017 08:35:18 PM) (Source: Application Error)(User: )
Description: Origin.exe9.5.3.63654878687MSVCR100.dll10.0.40219.3254df2be1ec00004170008af3e12dc01d2ce2c4f1ab940
 
Error: (05/15/2017 11:35:58 PM) (Source: Application Hang)(User: )
Description: Civ3Conquests.exe1.22.0.0154c01d2cd6ad9e89c151469
 
Error: (05/15/2017 11:34:39 PM) (Source: Application Error)(User: )
Description: Civ3Conquests.exe1.22.0.0550a3e1fCiv3Conquests.exe1.22.0.0550a3e1fc00000050026b4cb154c01d2cd6ad9e89c15
 
Error: (05/15/2017 05:58:54 PM) (Source: SideBySide)(User: )
Description: Microsoft.Windows.Common-Controls,language="*",processorArchitecture="amd64",publicKeyToken="6595b64144ccf1df",type="win32",version="6.0.0.0"C:\Users\User\Desktop\Autoruns\autorunsc64.exe
 
Error: (05/15/2017 05:58:54 PM) (Source: SideBySide)(User: )
Description: Microsoft.Windows.Common-Controls,language="*",processorArchitecture="amd64",publicKeyToken="6595b64144ccf1df",type="win32",version="6.0.0.0"C:\Users\User\Desktop\Autoruns\Autoruns64.exe
 
Error: (05/15/2017 05:33:33 PM) (Source: SideBySide)(User: )
Description: Microsoft.Windows.Common-Controls,language="*",processorArchitecture="amd64",publicKeyToken="6595b64144ccf1df",type="win32",version="6.0.0.0"C:\Users\User\Desktop\Autoruns\autorunsc64.exe
 
Error: (05/15/2017 05:33:33 PM) (Source: SideBySide)(User: )
Description: Microsoft.Windows.Common-Controls,language="*",processorArchitecture="amd64",publicKeyToken="6595b64144ccf1df",type="win32",version="6.0.0.0"C:\Users\User\Desktop\Autoruns\Autoruns64.exe
 
Error: (05/15/2017 05:30:32 PM) (Source: EventSystem)(User: )
Description: d:\longhorn\com\complus\src\events\tier1\eventsystemobj.cpp458007043c
 
 
CodeIntegrity Errors:
===================================
  Date: 2017-05-05 11:33:29.638
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume1\Windows\System32\drivers\mwac.sys because the set of per-page image hashes could not be found on the system.
 
  Date: 2017-05-05 11:33:29.373
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume1\Windows\System32\drivers\mwac.sys because the set of per-page image hashes could not be found on the system.
 
  Date: 2017-05-05 11:33:29.092
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume1\Windows\System32\drivers\mwac.sys because the set of per-page image hashes could not be found on the system.
 
  Date: 2017-05-05 11:33:28.811
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume1\Windows\System32\drivers\mwac.sys because the set of per-page image hashes could not be found on the system.
 
  Date: 2017-05-05 11:33:27.938
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume1\Windows\System32\drivers\MBAMChameleon.sys because the set of per-page image hashes could not be found on the system.
 
  Date: 2017-05-05 11:33:27.595
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume1\Windows\System32\drivers\MBAMChameleon.sys because the set of per-page image hashes could not be found on the system.
 
  Date: 2017-05-05 11:33:27.236
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume1\Windows\System32\drivers\MBAMChameleon.sys because the set of per-page image hashes could not be found on the system.
 
  Date: 2017-05-05 11:33:26.877
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume1\Windows\System32\drivers\MBAMChameleon.sys because the set of per-page image hashes could not be found on the system.
 
 
=========================== Installed Programs ============================
 
32 Bit HP CIO Components Installer (HKLM\...\{92127AF5-FDD8-4ADF-BC40-C356C9EE0B7D}) (Version: 6.1.1 - Hewlett-Packard) Hidden
AccelerometerP11 (HKLM\...\{87434D51-51DB-4109-B68F-A829ECDCF380}) (Version: 2.00.10.34 - STMicroelectronics)
Adobe Flash Player 11 Plugin (HKLM\...\Adobe Flash Player Plugin) (Version: 11.1.102.55 - Adobe Systems Incorporated)
Adobe Reader X (10.1.13) (HKLM\...\{AC76BA86-7AD7-1033-7B44-AA1000000001}) (Version: 10.1.13 - Adobe Systems Incorporated)
Age of Mythology: Extended Edition (HKLM\...\Steam App 266840) (Version:  - SkyBox Labs)
Apple Application Support (32-bit) (HKLM\...\{AFA1153A-F547-409B-B837-3A0D6C5A3FEC}) (Version: 3.1.3 - Apple Inc.)
Apple Mobile Device Support (HKLM\...\{A75CA58D-DB9C-4D14-9428-E0C7B0F623DC}) (Version: 9.0.0.26 - Apple Inc.)
Apple Software Update (HKLM\...\{FFD1F7F1-1AC9-4BC4-A908-0686D635ABAF}) (Version: 2.1.4.131 - Apple Inc.)
Audacity 2.0.6 (HKLM\...\Audacity_is1) (Version: 2.0.6 - Audacity Team)
Avast Free Antivirus (HKLM\...\Avast Antivirus) (Version: 17.4.2294 - AVAST Software)
Bonjour (HKLM\...\{79155F2B-9895-49D7-8612-D92580E0DE5B}) (Version: 3.0.0.10 - Apple Inc.)
CCleaner (HKLM\...\CCleaner) (Version: 5.29 - Piriform)
Dell Touchpad (HKLM\...\{9F72EF8B-AEC9-4CA5-B483-143980AFD6FD}) (Version: 7.1007.101.210 - ALPS ELECTRIC CO., LTD.)
Downwell (HKLM\...\Steam App 360740) (Version:  - Moppin)
f.lux (HKCU\...\Flux) (Version:  - )
Factorio version 0.14.21 (HKLM\...\Factorio_is1) (Version:  - )
Fallout: New Vegas (HKLM\...\Steam App 22380) (Version:  - Obsidian Entertainment)
GIMP 2.8.14 (HKLM\...\GIMP-2_is1) (Version: 2.8.14 - The GIMP Team)
Google Chrome (HKLM\...\Google Chrome) (Version: 49.0.2623.112 - Google Inc.)
Google Drive (HKLM\...\{A1238426-ECDF-4639-BE2F-8D12A97AE23C}) (Version: 2.34.5075.1619 - Google, Inc.)
Google Update Helper (HKLM\...\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA}) (Version: 1.3.33.5 - Google Inc.) Hidden
Google Update Helper (HKLM\...\{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}) (Version: 1.3.25.11 - Google Inc.) Hidden
IDT Audio (HKLM\...\{E3A5A8AB-58F6-45FF-AFCB-C9AE18C05001}) (Version: 1.0.6292.0 - IDT)
Intel® Network Connections Drivers (HKLM\...\PROSet) (Version: 15.2 - Intel)
Intel® Processor Graphics (HKLM\...\{F0E3AD40-2BBD-4360-9C76-B9AC9A5886EA}) (Version: 8.15.10.2993 - Intel Corporation)
Intel® PROSet/Wireless WiFi Software (HKLM\...\{9E4B37D6-D7F8-4067-B900-3F314C709916}) (Version: 13.03.0000 - Intel Corporation)
IrfanView (remove only) (HKLM\...\IrfanView) (Version: 4.42 - Irfan Skiljan)
LAME v3.99.3 (for Windows) (HKLM\...\LAME_is1) (Version:  - )
LibreOffice 5.0.2.2 (HKLM\...\{71508AE2-346A-4E56-AE95-DBB8DE692258}) (Version: 5.0.2.2 - The Document Foundation)
Malwarebytes version 3.0.6.1469 (HKLM\...\{35065F43-4BB2-439A-BFF7-0F1014F2E0CD}_is1) (Version: 3.0.6.1469 - Malwarebytes)
Microsoft .NET Framework 3.5 SP1 (HKLM\...\Microsoft .NET Framework 3.5 SP1) (Version:  - Microsoft Corporation)
Microsoft .NET Framework 4.5.2 (HKLM\...\{92FB6C44-E685-45AD-9B20-CADF4CABA132} - 1033) (Version: 4.5.51209 - Microsoft Corporation)
Microsoft Security Essentials (HKLM\...\Microsoft Security Client) (Version: 4.10.209.0 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (HKLM\...\{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}) (Version: 8.0.61001 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (HKLM\...\{7299052b-02a4-4627-81f2-1818da5d550d}) (Version: 8.0.56336 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022 (HKLM\...\{FF66E9F6-83E7-3A3E-AF14-8DE9A809A6A4}) (Version: 9.0.21022 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17 (HKLM\...\{9A25302D-30C0-39D9-BD6F-21E6EC160475}) (Version: 9.0.30729 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (HKLM\...\{9BE518E6-ECC6-35A9-88E4-87755C07200F}) (Version: 9.0.30729.6161 - Microsoft Corporation)
Microsoft Visual C++ 2010  x86 Redistributable - 10.0.40219 (HKLM\...\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}) (Version: 10.0.40219 - Microsoft Corporation)
Microsoft Visual C++ 2012 Redistributable (x86) - 11.0.61030 (HKLM\...\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}) (Version: 11.0.61030.0 - Microsoft Corporation)
Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (HKLM\...\{f65db027-aff3-4070-886a-0d87064aabb1}) (Version: 12.0.30501.0 - Microsoft Corporation)
Microsoft Visual C++ 2015 Redistributable (x86) - 14.0.24210 (HKLM\...\{23658c02-145e-483d-ba6b-1eb82c580529}) (Version: 14.0.24210.0 - Microsoft Corporation)
Microsoft XNA Framework Redistributable 4.0 (HKLM\...\{2BFC7AA0-544C-4E3A-8796-67F3BE655BE9}) (Version: 4.0.20823.0 - Microsoft Corporation)
MSVC80_x86_v2 (HKLM\...\{6D3245B1-8DB8-4A23-9CD2-2C90F40ABAF6}) (Version: 1.0.3.0 - Nokia) Hidden
MSVC90_x86 (HKLM\...\{AF111648-99A1-453E-81DD-80DBBF6DAD0D}) (Version: 1.0.1.2 - Nokia) Hidden
MSXML 4.0 SP2 (KB927978) (HKLM\...\{37477865-A3F1-4772-AD43-AAFC6BCFF99F}) (Version: 4.20.9841.0 - Microsoft Corporation)
MSXML 4.0 SP2 (KB954430) (HKLM\...\{86493ADD-824D-4B8E-BD72-8C5DCDC52A71}) (Version: 4.20.9870.0 - Microsoft Corporation)
MSXML 4.0 SP2 (KB973688) (HKLM\...\{F662A8E6-F4DC-41A2-901E-8C11F044BDEC}) (Version: 4.20.9876.0 - Microsoft Corporation)
MusicBrainz Picard (HKLM\...\MusicBrainz Picard) (Version: 1.3.2 - MusicBrainz)
NeoEE Patch (HKLM\...\{B0741513-4B2B-48B9-871A-1AB0E53500E9}) (Version: 2.0.0.2 - NeoEE Devlopment) Hidden
NeoEE Patch (HKLM\...\{B4B4876C-8305-44C9-98A2-4D3ADDADC2A0}) (Version: 2.0.0.2 - NeoEE Devlopment) Hidden
Network (HKLM\...\{097CDB1E-07C9-40F1-9972-F0F9F3A287E4}) (Version: 140.0.215.000 - Hewlett-Packard) Hidden
Network Addon Mod (HKCU\...\Network Addon Mod) (Version: 35 - The NAM Team)
Nokia Connectivity Cable Driver (HKLM\...\{B9C9DB4C-6D77-4AE9-AD1C-C708C23239A0}) (Version: 7.1.27.0 - Nokia)
NVIDIA PhysX (HKLM\...\{B455E95A-B804-439F-B533-336B1635AE97}) (Version: 9.14.0702 - NVIDIA Corporation)
Origin (HKLM\...\Origin) (Version: 9.5.3.636 - Electronic Arts, Inc.)
Paint.NET v3.5.11 (HKLM\...\{72EF03F5-0507-4861-9A44-D99FD4C41417}) (Version: 3.61.0 - dotPDN LLC)
PS_AIO_05_C309_Software_Min (HKLM\...\{FA0E7183-6B11-4899-B25F-2C490543967E}) (Version: 140.0.690.000 - Hewlett-Packard) Hidden
Recuva (HKLM\...\Recuva) (Version: 1.53 - Piriform)
RICOH Media Driver ver.2.11.01.02 (HKLM\...\{2B818257-E6C7-4841-8C29-C5C9A982BCE5}) (Version: 2.11.01.02 - RICOH)
Rocket League (HKLM\...\Steam App 252950) (Version:  - Psyonix)
Scan (HKLM\...\{06A1D88C-E102-4527-AF70-29FFD7AF215A}) (Version: 140.0.80.000 - Hewlett-Packard) Hidden
Sid Meier's Civilization III: Complete (HKLM\...\Steam App 3910) (Version:  - Firaxis Games)
Sid Meier's Civilization V (HKLM\...\Steam App 8930) (Version:  - 2K Games, Inc.)
Sid Meier's Civilization: Beyond Earth (HKLM\...\Steam App 65980) (Version:  - Firaxis Games)
SPORE™ (HKLM\...\{9DF0196F-B6B8-4C3A-8790-DE42AA530101}) (Version: 1.02.0000 - Electronic Arts)
SPORE™ Creepy & Cute Parts Pack (HKLM\...\{C07F8D75-7A8D-400E-A8F9-A3F396B49BB1}) (Version: 1.00.0000 - Electronic Arts)
Starbound (HKLM\...\Steam App 211820) (Version:  - )
Steam (HKLM\...\Steam) (Version: 2.10.91.91 - Valve Corporation)
System Requirements Lab for Intel (HKLM\...\{04C4B49D-45D9-4A28-9ED1-B45CBD99B8C7}) (Version: 4.5.24.0 - Husdawg, LLC)
Terraria (HKLM\...\Steam App 105600) (Version:  - Re-Logic)
TI-Nspire CAS Student Software (HKLM\...\TI-Nspire CAS Student Software) (Version: 3.0.2.1791 - Texas Instruments)
Toolbox (HKLM\...\{292F0F52-B62D-4E71-921B-89A682402201}) (Version: 140.0.428.000 - Hewlett-Packard) Hidden
Traffic Simulator Configuration Tool (HKCU\...\Traffic Simulator Configuration Tool) (Version:  - )
Undertale (HKLM\...\Steam App 391540) (Version:  - tobyfox)
Unity Web Player (HKCU\...\UnityWebPlayer) (Version: 5.1.0f3 - Unity Technologies ApS)
Wacom Tablet (HKLM\...\Wacom Tablet Driver) (Version: 6.3.15-2 - Wacom Technology Corp.)
WebTablet FB Plugin 32 bit (HKLM\...\Wacom WebTabletPlugin for Internet Explorer and Netscape) (Version: 2.1.0.7 - Wacom Technology Corp.)
WinRAR 5.21 (32-bit) (HKLM\...\WinRAR archiver) (Version: 5.21.0 - win.rar GmbH)
XCOM: Enemy Unknown (HKLM\...\Steam App 200510) (Version:  - Firaxis Games)
 
========================= Devices: ================================
 
Name: Microsoft ISATAP Adapter #3
Description: Microsoft ISATAP Adapter
Class Guid: {4d36e972-e325-11ce-bfc1-08002be10318}
Manufacturer: Microsoft
Service: tunnel
Device ID: ROOT\*ISATAP\0002
Problem: : This device is not working properly because Windows cannot load the drivers required for this device. (Code 31)
Resolution: Update the driver
 
Name: Dell Wireless 375 Bluetooth Module
Description: Dell Wireless 375 Bluetooth Module
Class Guid: {e0cbf06c-cd8b-4647-bb8a-263b43f0f974}
Manufacturer: Broadcom
Service: BTHUSB
Device ID: USB\VID_413C&PID_8187\5CAC4CFC058E
Problem: : Windows cannot load the device driver for this hardware. The driver may be corrupted or missing. (Code 39)
Resolution: Reasons for this error include a driver that is not present; a binary file that is corrupt; a file I/O problem, or a driver that references an entry point in another binary file that could not be loaded.
Uninstall the driver, and then click "Scan for hardware changes" to reinstall or upgrade the driver.
 
Name: Broadcom USH
Description: Broadcom USH
Class Guid: 
Manufacturer: 
Service: 
Device ID: USB\VID_0A5C&PID_5800&MI_00\7&66DE6C9&1&0000
Problem: : The drivers for this device are not installed. (Code 28)
Resolution: To install the drivers for this device, click "Update Driver", which starts the Hardware Update wizard.
 
Name: Photosmart C309a series
Description: Photosmart C309a series
Class Guid: {6bdd1fc6-810f-11d0-bec7-08002be2092f}
Manufacturer: HP
Service: StillCam
Device ID: ROOT\IMAGE\0000
Problem: : This device is disabled. (Code 22)
Resolution: In Device Manager, click "Action", and then click "Enable Device". This starts the Enable Device wizard. Follow the instructions.
 
Name: Photosmart C309a series
Description: Photosmart C309a series
Class Guid: {4d36e971-e325-11ce-bfc1-08002be10318}
Manufacturer: HP
Service: 
Device ID: ROOT\MULTIFUNCTION\0000
Problem: : This device is disabled. (Code 22)
Resolution: In Device Manager, click "Action", and then click "Enable Device". This starts the Enable Device wizard. Follow the instructions.
 
 
========================= Memory info: ===================================
 
Percentage of memory in use: 51%
Total physical RAM: 3509.05 MB
Available physical RAM: 1714.49 MB
Total Virtual: 7247.03 MB
Available Virtual: 5376.19 MB
 
========================= Partitions: =====================================
 
1 Drive c: () (Fixed) (Total:232.88 GB) (Free:62.43 GB) NTFS
 
========================= Users: ========================================
 
User accounts for \\USER_PC
 
Administrator            Guest                    User                  
 
========================= Restore Points ==================================
 
12-05-2017 03:49:22 Windows Update
13-05-2017 03:19:34 Windows Update
13-05-2017 14:23:33 Removed Microsoft Visual C++ 2005 Redistributable
14-05-2017 08:19:14 Restore Operation
14-05-2017 08:53:59 Restore Operation
15-05-2017 08:46:22 Removed Google Drive
15-05-2017 08:48:04 Intel® Driver Update Utility
 
**** End of log ****

Edited by Person209, 16 May 2017 - 10:24 AM.


#4 Person209

Person209
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  • Local time:05:35 AM

Posted 16 May 2017 - 10:25 AM

 Results of screen317's Security Check version 1.014 --- 12/23/15  
 Windows Vista Service Pack 2 x86 (UAC is enabled)  
 Internet Explorer 9  
 Internet Explorer 8  
``````````````Antivirus/Firewall Check:`````````````` 
 Windows Firewall Enabled!  
Avast Antivirus                 
Microsoft Security Essentials   
 Antivirus up to date!  (On Access scanning disabled!) 
`````````Anti-malware/Other Utilities Check:````````` 
 CCleaner     
  Adobe Flash Player 11.1.102.55 Flash Player out of Date!  
 Adobe Reader 10.1.13 Adobe Reader out of Date!  
 Google Chrome (49.0.2623.110) 
 Google Chrome (49.0.2623.112) 
````````Process Check: objlist.exe by Laurent````````  
 Microsoft Security Essentials msseces.exe 
 Malwarebytes Anti-Malware mbamservice.exe  
 Malwarebytes Anti-Malware mbamtray.exe  
 AVAST Software Avast AvastSvc.exe  
 AVAST Software Avast aswidsagent.exe  
`````````````````System Health check````````````````` 
 Total Fragmentation on Drive C: 7 % Defragment your hard drive soon! (Do NOT defrag if SSD!)
````````````````````End of Log`````````````````````` 
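Added example, not part of either poster's text: the "Installed Programs" inventory in the earlier log and the "out of date" flags in the Security Check output above both come from the same place, the per-machine and per-user Uninstall registry keys. The script below rebuilds that inventory straight from the registry (the `Hidden` marker corresponds to entries with `SystemComponent = 1`, which Programs and Features does not show), then flags the two products Security Check named and anything installed on or after an assumed cut-off date of 10 May 2017, chosen here only because the restore points in the log cluster around that week. Written for Windows PowerShell 2.0 or later, which is what Vista can run; the Wow6432Node path is included for 64-bit hosts and is simply skipped on this x86 machine.

```powershell
# Added example (not from the thread): rebuild the installed-programs inventory
# from the Uninstall keys and flag out-of-date or recently installed software.
# Windows PowerShell 2.0+, no elevation needed for reading these keys.
$UninstallRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall',  # absent on x86 Vista
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall'
)

# Assumed cut-off (yyyyMMdd): anything installed from this date on is listed for review.
$ReviewFromDate = 20170510

function Get-InstalledPrograms {
    foreach ($root in $UninstallRoots) {
        if (-not (Test-Path $root)) { continue }
        $hive = $root.Split(':')[0]          # 'HKLM' or 'HKCU', as the log prints it
        foreach ($key in Get-ChildItem $root) {
            $p = Get-ItemProperty -Path $key.PSPath
            # Entries without DisplayName are never shown in Programs and Features
            if (-not $p.DisplayName) { continue }
            New-Object PSObject -Property @{
                Name        = $p.DisplayName
                Key         = ('{0}\...\{1}' -f $hive, $key.PSChildName)
                Version     = $p.DisplayVersion
                Publisher   = $p.Publisher
                # SystemComponent = 1 hides the entry from the GUI ("Hidden" in the log)
                Hidden      = ($p.SystemComponent -eq 1)
                InstallDate = $p.InstallDate   # yyyyMMdd string, set by MSI-based installers
            }
        }
    }
}

$programs = Get-InstalledPrograms | Sort-Object Name

# Print in the same shape as the log: Name (HKLM\...\key) (Version: x - Publisher) [Hidden]
foreach ($prog in $programs) {
    $line = '{0} ({1}) (Version: {2} - {3})' -f $prog.Name, $prog.Key, $prog.Version, $prog.Publisher
    if ($prog.Hidden) { $line += ' Hidden' }
    Write-Output $line
}

# Products Security Check reported as out of date
$programs | Where-Object { $_.Name -match 'Flash Player|Adobe Reader' } |
    ForEach-Object { Write-Output ('Review for update: {0} {1}' -f $_.Name, $_.Version) }

# Anything installed on or after the assumed cut-off date
$programs |
    Where-Object { $_.InstallDate -match '^\d{8}$' -and [int]$_.InstallDate -ge $ReviewFromDate } |
    ForEach-Object { Write-Output ('Recently installed: {0} ({1})' -f $_.Name, $_.InstallDate) }
```

Per-user (HKCU) entries are only visible for the account running the script, so on a machine with several profiles this needs to be run once per user; that is why the HKCU entries in the log (Network Addon Mod, Unity Web Player) only show up for the `User` account.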


#5 Person209

Person209
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  • Local time:05:35 AM

Posted 16 May 2017 - 10:26 AM

Malwarebytes
www.malwarebytes.com
 
-Log Details-
Scan Date: 5/16/17
Scan Time: 9:32 PM
Logfile: export.txt
Administrator: Yes
 
-Software Information-
Version: 3.0.6.1469
Components Version: 1.0.103
Update Package Version: 1.0.1951
License: Free
 
-System Information-
OS: Windows Vista Service Pack 2
CPU: x86
File System: NTFS
User: User_PC\User
 
-Scan Summary-
Scan Type: Threat Scan
Result: Completed
Objects Scanned: 205463
Time Elapsed: 27 min, 7 sec
 
-Scan Options-
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled
 
-Scan Details-
Process: 0
(No malicious items detected)
 
Module: 0
(No malicious items detected)
 
Registry Key: 0
(No malicious items detected)
 
Registry Value: 0
(No malicious items detected)
 
Registry Data: 0
(No malicious items detected)
 
Data Stream: 0
(No malicious items detected)
 
Folder: 0
(No malicious items detected)
 
File: 5
HackTool.GameCrack, C:\USERS\USER\DESKTOP\CKII\SKIDROW\STEAM_API.DLL, Delete-on-Reboot, [4053], [123139],1.0.1951
PUP.Optional.eShopComp, C:\USERS\USER\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\LOCAL STORAGE\https_pstatic.eshopcomp.com_0.localstorage, Delete-on-Reboot, [15446], [255829],1.0.1951
PUP.Optional.eShopComp, C:\USERS\USER\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\LOCAL STORAGE\https_pstatic.eshopcomp.com_0.localstorage-journal, Delete-on-Reboot, [15446], [255829],1.0.1951
PUP.Optional.eShopComp, C:\USERS\USER\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\LOCAL STORAGE\http_pstatic.eshopcomp.com_0.localstorage, Delete-on-Reboot, [15446], [255829],1.0.1951
PUP.Optional.eShopComp, C:\USERS\USER\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\LOCAL STORAGE\http_pstatic.eshopcomp.com_0.localstorage-journal, Delete-on-Reboot, [15446], [255829],1.0.1951
 
Physical Sector: 0
(No malicious items detected)
 
 
(end)

Edited by Person209, 17 May 2017 - 02:15 AM.


#6 Person209

Person209
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  • Local time:05:35 AM

Posted 16 May 2017 - 10:29 AM

ESET
 
C:\Users\User\Desktop\rcsetup153.exe Win32/Bundled.Toolbar.Google.D potentially unsafe application
C:\Users\User\Downloads\Crusdrkngs2rprsdueprpr\Crusader.Kings.II.The.Reapers.Due.PROPER-SKIDROW\sr-cmiitrdp.iso a variant of Win32/Packed.VMProtect.ABO trojan

Rkill 2.8.4 by Lawrence Abrams (Grinler)
Copyright 2008-2017 BleepingComputer.com
More Information about Rkill can be found at this link:
 
Program started at: 05/17/2017 12:59:49 AM in x86 mode.
Windows Version: Windows Vista ™ Home Basic Service Pack 2
 
Checking for Windows services to stop:
 
 * No malware services found to stop.
 
Checking for processes to terminate:
 
 * Your %Temp% folder is set to C:\Windows\TEMP, which can be dangerous. Skipping termination for this folder.
 * No malware processes found to kill.
 
Checking Registry for malware related settings:
 
 * No issues found in the Registry.
 
Resetting .EXE, .COM, & .BAT associations in the Windows Registry.
 
Performing miscellaneous checks:
 
 * Windows Defender Disabled
 
   [HKLM\SOFTWARE\Policies\Microsoft\Windows Defender]
   "DisableAntiSpyware" = dword:00000001
 
 * Reparse Point/Junctions Found (Most likely legitimate)!
 
     * C:\Windows\Prey\current => c:\Windows\Prey\versions\1.6.8 [Dir]
 
Checking Windows Service Integrity: 
 
 * No issues found.
 
Searching for Missing Digital Signatures: 
 
 * No issues found.
 
Checking HOSTS File: 
 
 * HOSTS file entries found: 
 
  127.0.0.1       localhost
  ::1             localhost
 
Program finished at: 05/17/2017 01:03:36 AM
Execution time: 0 hours(s), 3 minute(s), and 47 seconds(s)
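Added example, not part of either poster's text: Rkill above reported four things worth re-checking by hand after cleanup, namely the Windows Defender policy key, the per-user `%TEMP%` pointing at `C:\Windows\TEMP`, a junction under `C:\Windows\Prey`, and the HOSTS entries. The script below re-reads the first three settings directly and hashes the files that ESET and Malwarebytes flagged, so the hashes can be compared against a multi-engine scanner before the files are deleted. It is written for Windows PowerShell 2.0 or later, so it computes SHA-256 through .NET instead of `Get-FileHash` (which only appeared in PowerShell 4.0). The file paths are taken from the logs above and may already have been removed; run it from an elevated prompt. One caveat on the Defender key: Microsoft Security Essentials and third-party antivirus installers set `DisableAntiSpyware` themselves when they take over from Windows Defender, so on a Vista machine running MSE and Avast that value is expected, not evidence of tampering on its own.

```powershell
# Added example (not from the thread): re-check the settings Rkill reported and
# hash the files the ESET/Malwarebytes logs flagged. Windows PowerShell 2.0+,
# elevated prompt. Paths below come from the logs and are assumed still present.
$FlaggedFiles = @(
    'C:\Users\User\Downloads\Crusdrkngs2rprsdueprpr\Crusader.Kings.II.The.Reapers.Due.PROPER-SKIDROW\sr-cmiitrdp.iso',
    'C:\Users\User\Desktop\CKII\SKIDROW\steam_api.dll',
    'C:\Users\User\Desktop\rcsetup153.exe'
)

function Get-Sha256Hex([string]$Path) {
    # SHA-256 via .NET so this works on PowerShell 2.0 (no Get-FileHash there)
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $stream = [System.IO.File]::OpenRead($Path)
    try {
        $bytes = $sha.ComputeHash($stream)
    } finally {
        $stream.Close()
    }
    return ([System.BitConverter]::ToString($bytes)).Replace('-', '').ToLower()
}

# 1. Defender policy key Rkill reported. 1 = disabled by policy. MSE and other AV
#    installers set this when they replace Defender, so explain it, don't assume malware.
$policy = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender' -ErrorAction SilentlyContinue
if ($policy -and $policy.DisableAntiSpyware -eq 1) {
    Write-Output 'Windows Defender disabled by policy (DisableAntiSpyware = 1)'
} else {
    Write-Output 'No DisableAntiSpyware policy set'
}

# 2. Per-user TEMP. The user-scoped value should normally be under
#    %USERPROFILE%\AppData\Local\Temp, not the shared C:\Windows\TEMP.
$userTemp = [Environment]::GetEnvironmentVariable('TEMP', 'User')
Write-Output ('User TEMP = {0}' -f $userTemp)
if ($userTemp -and $userTemp -ieq 'C:\Windows\TEMP') {
    Write-Output 'User TEMP points at the system-wide TEMP folder'
}

# 3. HOSTS file: anything beyond the two localhost lines deserves a look.
$hosts = Get-Content "$env:SystemRoot\System32\drivers\etc\hosts" |
    Where-Object { $_ -match '\S' -and $_ -notmatch '^\s*#' }
$hosts | Where-Object { $_ -notmatch '^\s*(127\.0\.0\.1|::1)\s+localhost\s*$' } |
    ForEach-Object { Write-Output ('Non-default HOSTS entry: {0}' -f $_) }

# 4. Hash and Authenticode status of the flagged files, if they still exist.
#    A cracked steam_api.dll will show NotSigned; a vendor DLL would show Valid.
foreach ($f in $FlaggedFiles) {
    if (-not (Test-Path -LiteralPath $f)) {
        Write-Output ('Missing (already removed?): {0}' -f $f)
        continue
    }
    $sig = Get-AuthenticodeSignature -FilePath $f
    Write-Output ("{0}`n  SHA-256:   {1}`n  Signature: {2}" -f $f, (Get-Sha256Hex $f), $sig.Status)
}
```

The junction Rkill listed (`C:\Windows\Prey\current` pointing at a versioned subfolder) is the normal layout of the Prey anti-theft agent, which is why Rkill marks it "most likely legitimate"; it is deliberately left out of the checks above. Hashes are printed rather than submitted anywhere, since uploading a whole game ISO to a scanner is rarely practical; the SHA-256 alone is enough to look up an existing verdict.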


#7 Person209

Person209
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  • Local time:05:35 AM

Posted 16 May 2017 - 10:32 AM

That's a lot of data. I hope that's readable.



#8 iMacg3

iMacg3

    Bleepin' 68000


  • Malware Study Hall Senior
  • 1,269 posts
  • OFFLINE
  • Gender:Male
  • Location:Indiana, USA
  • Local time:03:35 PM

Posted 16 May 2017 - 10:51 AM

You may want to update your Flash Player once the infection has been cleaned. Old Flash and Java versions can be hacked much more easily than the latest version.

 

Have you deleted the game yet?

 

Download Junkware Removal Tool and save it to your desktop.

  1. Double-click on the JRT.exe file on your desktop.

  2. Let JRT scan your computer and remove any infections.

  3. On your desktop, there will be a logfile called JRT.txt. Paste its contents into a post.

 

 

Download AdwCleaner and save it to your desktop.

  1. Click on the file you downloaded.

  2. Click Scan to start AdwCleaner's scanning process.

  3. Once done, make sure to delete all found threats.

  4. Open the “Logfile” and paste its contents into a post.


Regards, iMacg3

If I do not reply to your malware removal topic in 48 hours, please send me a PM.

"Do, or do not. There is no try." - Yoda

#9 Person209

Person209
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  • Local time:05:35 AM

Posted 17 May 2017 - 02:13 AM

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Malwarebytes
Version: 8.1.3 (04.10.2017)
Operating System: Windows Vista ™ Home Basic x86 
Ran by User (Administrator) on Wed 17/05/2017 at 17:06:03.81
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
 
 
 
File System: 16 
 
Successfully deleted: C:\Users\User\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0Z2T8HA9 (Temporary Internet Files Folder) 
Successfully deleted: C:\Users\User\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\62B80VVI (Temporary Internet Files Folder) 
Successfully deleted: C:\Users\User\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\HLW594O0 (Temporary Internet Files Folder) 
Successfully deleted: C:\Users\User\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JL7W3ETJ (Temporary Internet Files Folder) 
Successfully deleted: C:\Users\User\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JOS2GAN3 (Temporary Internet Files Folder) 
Successfully deleted: C:\Users\User\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LCDFMP9C (Temporary Internet Files Folder) 
Successfully deleted: C:\Users\User\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\N2797TAX (Temporary Internet Files Folder) 
Successfully deleted: C:\Users\User\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\YWOO81NR (Temporary Internet Files Folder) 
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0Z2T8HA9 (Temporary Internet Files Folder) 
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\62B80VVI (Temporary Internet Files Folder) 
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\HLW594O0 (Temporary Internet Files Folder) 
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JL7W3ETJ (Temporary Internet Files Folder) 
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JOS2GAN3 (Temporary Internet Files Folder) 
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LCDFMP9C (Temporary Internet Files Folder) 
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\N2797TAX (Temporary Internet Files Folder) 
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\YWOO81NR (Temporary Internet Files Folder) 
 
 
 
Registry: 0 
 
 
 
 
 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on Wed 17/05/2017 at 17:09:28.63
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Edited by Person209, 17 May 2017 - 02:14 AM.


#10 Person209

Person209
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  • Local time:05:35 AM

Posted 17 May 2017 - 02:16 AM

# AdwCleaner v6.046 - Logfile created 17/05/2017 at 17:14:36
# Updated on 24/04/2017 by Malwarebytes
# Database : 2017-05-16.1 [Server]
# Operating System : Windows Vista ™ Home Basic Service Pack 2 (X86)
# Username : User - USER_PC
# Running from : C:\Users\User\Desktop\adwcleaner_6.046.exe
# Mode: Scan
 
 
 
***** [ Services ] *****
 
No malicious services found.
 
 
***** [ Folders ] *****
 
No malicious folders found.
 
 
***** [ Files ] *****
 
No malicious files found.
 
 
***** [ DLL ] *****
 
No malicious DLLs found.
 
 
***** [ WMI ] *****
 
No malicious keys found.
 
 
***** [ Shortcuts ] *****
 
No infected shortcut found.
 
 
***** [ Scheduled Tasks ] *****
 
No malicious task found.
 
 
***** [ Registry ] *****
 
No malicious registry entries found.
 
 
***** [ Web browsers ] *****
 
No malicious Firefox based browser items found.
No malicious Chromium based browser items found.
 
*************************
 
C:\AdwCleaner\AdwCleaner[C0].txt - [1364 Bytes] - [13/05/2017 20:49:43]
C:\AdwCleaner\AdwCleaner[C2].txt - [1273 Bytes] - [14/05/2017 00:41:57]
C:\AdwCleaner\AdwCleaner[C3].txt - [1446 Bytes] - [15/05/2017 18:16:33]
C:\AdwCleaner\AdwCleaner[S0].txt - [1643 Bytes] - [13/05/2017 19:29:25]
C:\AdwCleaner\AdwCleaner[S1].txt - [1388 Bytes] - [13/05/2017 20:49:27]
C:\AdwCleaner\AdwCleaner[S2].txt - [1397 Bytes] - [14/05/2017 00:38:00]
C:\AdwCleaner\AdwCleaner[S3].txt - [1543 Bytes] - [15/05/2017 17:33:17]
C:\AdwCleaner\AdwCleaner[S4].txt - [1614 Bytes] - [15/05/2017 18:16:18]
C:\AdwCleaner\AdwCleaner[S5].txt - [1608 Bytes] - [17/05/2017 17:14:36]
 
########## EOF - C:\AdwCleaner\AdwCleaner[S5].txt - [1681 Bytes] ##########


#11 iMacg3

iMacg3

    Bleepin' 68000


  • Malware Study Hall Senior
  • 1,269 posts
  • OFFLINE
  • Gender:Male
  • Location:Indiana, USA
  • Local time:03:35 PM

Posted 17 May 2017 - 09:17 AM

Have you deleted/uninstalled the game yet?


Regards, iMacg3


#12 Person209

Person209
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  • Local time:05:35 AM

Posted 18 May 2017 - 07:40 AM

Yeah, did that first.



#13 iMacg3

iMacg3

    Bleepin' 68000


  • Malware Study Hall Senior
  • 1,269 posts
  • OFFLINE
  • Gender:Male
  • Location:Indiana, USA
  • Local time:03:35 PM

Posted 18 May 2017 - 09:38 AM

Download Temp File Cleaner and save it to your desktop.

 

  1. Double-click on TFC.exe to launch the program.

  2. Click on Scan to start the cleaning process.

  3. TFC may ask you to restart the computer.


 

Download Sophos Free Virus Removal Tool and save it to your desktop.

  1. Double-click the file and click Run.

  2. Select Next, then I accept the terms in this license agreement, then click Next twice

  3. Click Install, then Finish.

  4. Once Sophos is done updating, click Start Scanning.

  5. If Sophos finds viruses click Details, then View Log File.

  6. Paste the results into a reply.

  7. Important: Once done pasting the results, close the notepad documents and the Threat Details windows and select Start Cleanup.

  8. Click exit to quit the program.

 

 

 

Download Google Chrome Cleanup Tool and save it to your desktop.

  1. Open the program and start a scan.

  2. Paste the logfile contents into a post.

 

 

Download Kaspersky TDSSKiller and save it to your desktop.

  1. Open TDSSKiller and click Change Parameters.

  2. Select Detect TDLFS File System and then click OK.

  3. Click Start Scan to begin scanning your PC.

  4. If anything is found, make sure any Unsigned Files or Suspicious Objects are set to Skip. Click Continue, then wait for TDSSKiller to remove the malware from your computer.

  5. Click Report once done and paste the logfile into a post. Restart the PC if needed.


Regards, iMacg3


#14 Person209

Person209
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  • Local time:05:35 AM

Posted 19 May 2017 - 09:41 AM

The malware has been removed, but I suspect that the system may have been altered. Is there anything I should do at this point to undo any potential damage?



#15 iMacg3

iMacg3

    Bleepin' 68000


  • Malware Study Hall Senior
  • 1,269 posts
  • OFFLINE
  • Gender:Male
  • Location:Indiana, USA
  • Local time:03:35 PM

Posted 19 May 2017 - 10:04 AM

Run the Temp File Cleaner, but don't run the others if the malware has been removed.

 

Download Xplode Delfix and save it to your desktop.

 

  1. Run the Delfix file you downloaded.

  2. Make sure that Remove disinfection tools is selected and that nothing else is checked. This will remove all the tools we used to clean up the malware.

  3. Click OK. Once completed, delete Delfix from your computer. Don't post the log file.

  4. Once finished running Delfix, your computer is clean.

Your computer is clean. :) 

Re-download AdwCleaner and Malwarebytes and scan your PC often with them. Use Temporary File Cleaner once every month to clear out any temporary files on your computer.

 

Good luck and happy computing!


Edited by iMacg3, 19 May 2017 - 10:24 AM.

Regards, iMacg3

