Infected laptop system of ZeroAccess rootkit


  • This topic is locked
18 replies to this topic

#1 chaithep3

chaithep3

  • Members
  • 55 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Quebec. Canada
  • Local time:03:45 AM

Posted 13 June 2017 - 03:17 PM

So as stated in the title, my Sony Vaio laptop (Model number: SVE15111FDW) is infected by this rootkit, or so I was told by a user named bwv848 (credit to him for figuring out what is wrong with my system). I had created another post about my problem in the beginning (click this link). If you want to understand my situation in great detail, hit the link there. If it is too long to read and you do not have the time, I will summarize the problem.

 

I ran a Malwarebytes scan w/ rootkit scanning on my laptop for the first time (the first time only w/ rootkit scanning on; I had done a scan once before but without it enabled), and I was prompted to restart my system, so I did so. Once booted, I was unable to connect to the internet; to be more specific, I was connected to the network but had no access to it. With all the effort the other users put into helping me through my previous post, they realized it was a rootkit. So basically, up until now, I have yet to fix this situation.

 

I should also note the following: during the process in the other thread, I was asked to uninstall my network driver, so I did, in order to use Windows Repair. But after that, when I tried to install my network driver (I of course downloaded it through the manufacturer's website), it did not work; specifically, it created an "Other Devices" category under Device Manager with a "Network Controller" entry. I tried to uninstall it and reinstall it again, but to no avail.

 

I am still currently looking for help to get this issue solved without reformatting my whole system.

 

NOTE: I have followed the guide for uploading the files required for this (FRST.txt and Addition.txt). I am very sure that I posted the same files in my previous post, but please do check that one and compare it to the ones I uploaded to this post (the text files in this post were generated at the time I was putting this post up).

 

Thank you.

Attached Files




#2 nasdaq

nasdaq

  • Malware Response Team
  • 39,559 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:03:45 AM

Posted 14 June 2017 - 12:58 PM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

Press the Windows key + R on your keyboard at the same time. This will open the Run box.
Type Notepad and click OK.

Please copy the entire contents of the code box below to a new file.


Start

CreateRestorePoint:
EmptyTemp:
CloseProcesses:

GroupPolicy: Restriction <======= ATTENTION
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
HKU\.DEFAULT\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
HKU\S-1-5-21-3185023692-1559785953-1393835412-1000\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
FF Plugin: @java.com/JavaPlugin -> C:\Program Files\Java\jre1.8.0_45\bin\new_plugin\npjp2.dll [No File]
FF Plugin: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin-x32: @java.com/JavaPlugin -> C:\Program Files (x86)\Java\jre1.8.0_45\bin\new_plugin\npjp2.dll [No File]
FF Plugin-x32: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin-x32: @pandonetworks.com/PandoWebPlugin -> C:\Program Files (x86)\Pando Networks\Media Booster\npPandoWebPlugin.dll [No File]
FF Plugin HKU\S-1-5-21-3185023692-1559785953-1393835412-1000: wacom.com/WacomTabletPlugin -> C:\Program Files\TabletPlugins\npWacomTabletPlugin.dll [No File]
CHR Extension: (Chrome Web Store Payments) - C:\Users\Phil\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2017-03-09]
CHR Extension: (Chrome Media Router) - C:\Users\Phil\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm [2017-05-16]
S3 ACDaemon; C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACService.exe [X]
S3 AthBTPort; system32\DRIVERS\btath_flt.sys [X]
S3 BT; system32\DRIVERS\btnetdrv.sys [X]
S3 BTATH_A2DP; system32\drivers\btath_a2dp.sys [X]
S3 btath_avdt; system32\drivers\btath_avdt.sys [X]
S3 BTATH_BUS; system32\DRIVERS\btath_bus.sys [X]
S3 BTATH_HCRP; \SystemRoot\system32\drivers\btath_hcrp.sys [X]
S3 BTATH_LWFLT; system32\DRIVERS\btath_lwflt.sys [X]
S3 BTATH_RCP; \SystemRoot\system32\drivers\btath_rcp.sys [X]
S3 BTATH_VDP; system32\drivers\btath_vdp.sys [X]
S3 BTCOM; system32\DRIVERS\btcomport.sys [X]
S3 BtFilter; system32\DRIVERS\btfilter.sys [X]
S3 EagleX64; \??\C:\Windows\system32\drivers\EagleX64.sys [X]
S3 IvtComBusSrv; System32\Drivers\btcombus.sys [X]
S3 massfilter_hs; \??\C:\Windows\system32\drivers\massfilter_hs.sys [X]
S3 RimUsb; System32\Drivers\RimUsb_AMD64.sys [X]
S3 WacHidRouter; system32\DRIVERS\wachidrouter.sys [X]
S3 wacomrouterfilter; system32\DRIVERS\wacomrouterfilter.sys [X]
S3 xhunter1; \??\C:\Windows\xhunter1.sys [X]
CustomCLSID: HKU\S-1-5-21-3185023692-1559785953-1393835412-1000_Classes\CLSID\{092dfa86-5807-5a94-bf3b-5a53ba9e5308}\InprocServer32 -> no filepath
CustomCLSID: HKU\S-1-5-21-3185023692-1559785953-1393835412-1000_Classes\CLSID\{0F22A205-CFB0-4679-8499-A6F44A80A208}\InprocServer32 -> no filepath
CustomCLSID: HKU\S-1-5-21-3185023692-1559785953-1393835412-1000_Classes\CLSID\{1423F872-3F7F-4E57-B621-8B1A9D49B448}\InprocServer32 -> no filepath
CustomCLSID: HKU\S-1-5-21-3185023692-1559785953-1393835412-1000_Classes\CLSID\{355EC88A-02E2-4547-9DEE-F87426484BD1}\InprocServer32 -> no filepath
CustomCLSID: HKU\S-1-5-21-3185023692-1559785953-1393835412-1000_Classes\CLSID\{590C4387-5EBD-4D46-8A84-CD0BA2EF2856}\InprocServer32 -> C:\Users\Phil\AppData\Local\Google\Update\1.3.30.3\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-3185023692-1559785953-1393835412-1000_Classes\CLSID\{59B55F04-DE14-4BB8-92FF-C4A22EF2E5F4}\InprocServer32 -> C:\Users\Phil\AppData\Local\Google\Update\1.3.31.5\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-3185023692-1559785953-1393835412-1000_Classes\CLSID\{5C8C2A98-6133-4EBA-BBCC-34D9EA01FC2E}\InprocServer32 -> no filepath
CustomCLSID: HKU\S-1-5-21-3185023692-1559785953-1393835412-1000_Classes\CLSID\{78550997-5DEF-4A8A-BAF9-D5774E87AC98}\InprocServer32 -> no filepath
CustomCLSID: HKU\S-1-5-21-3185023692-1559785953-1393835412-1000_Classes\CLSID\{793EE463-1304-471C-ADF1-68C2FFB01247}\InprocServer32 -> C:\Users\Phil\AppData\Local\Google\Update\1.3.29.5\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-3185023692-1559785953-1393835412-1000_Classes\CLSID\{8C46158B-D978-483C-A312-16EE5013BE04}\InprocServer32 -> C:\Users\Phil\AppData\Local\Google\Update\1.3.33.3\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-3185023692-1559785953-1393835412-1000_Classes\CLSID\{90B3DFBF-AF6A-4EA0-8899-F332194690F8}\InprocServer32 -> no filepath
CustomCLSID: HKU\S-1-5-21-3185023692-1559785953-1393835412-1000_Classes\CLSID\{C3BC25C0-FCD3-4F01-AFDD-41373F017C9A}\InprocServer32 -> no filepath
CustomCLSID: HKU\S-1-5-21-3185023692-1559785953-1393835412-1000_Classes\CLSID\{CB492AF1-2CEF-4E58-BE47-471C77D0C8BA}\InprocServer32 -> C:\Users\Phil\AppData\Local\Google\Update\1.3.32.7\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-3185023692-1559785953-1393835412-1000_Classes\CLSID\{CC182BE1-84CE-4A57-B85C-FD4BBDF78CB2}\InprocServer32 -> C:\Users\Phil\AppData\Local\Google\Update\1.3.29.1\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-3185023692-1559785953-1393835412-1000_Classes\CLSID\{D0336C0B-7919-4C04-8CCE-2EBAE2ECE8C9}\InprocServer32 -> no filepath
CustomCLSID: HKU\S-1-5-21-3185023692-1559785953-1393835412-1000_Classes\CLSID\{D1EDC4F5-7F4D-4B12-906A-614ECF66DDAF}\InprocServer32 -> no filepath
CustomCLSID: HKU\S-1-5-21-3185023692-1559785953-1393835412-1000_Classes\CLSID\{FE498BAB-CB4C-4F88-AC3F-3641AAAF5E9E}\InprocServer32 -> no filepath



End
Save the file as fixlist.txt in the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the Farbar log you have submitted.

Run FRST and click Fix only once and wait.

The tool will create a log (Fixlog.txt) please post it to your reply.

===

Your version of Java is outdated and needs to be updated to take advantage of fixes that have eliminated security vulnerabilities.

You can manually check your present version and update as recommended.
https://www.java.com/en/download/installed.jsp

Be careful not to install malware posing as Java update!
Important: read this blog.
http://blog.trendmicro.com/trendlabs-security-intelligence/malware-poses-as-an-update-for-java-0-day-fix/

Quoted from the page.
"In light of the recent events surrounding Java, users must seriously consider their use of Java. Do they really need it? If yes, make sure that users follow the steps we recommended and get the security update directly from the official oracle website." at:
http://www.oracle.com/technetwork/java/javase/downloads/index.html

How to disable Java in your browsers
http://www.infoworld.com/t/web-browsers/how-disable-java-in-your-browsers-210882

If still present after these updates remove these old version(s) via the Control Panel > Programs > Programs and Features.
Java 8 Update 45 (64-bit) (HKLM\...\{26A24AE4-039D-4CA4-87B4-2F86418045F0}) (Version: 8.0.450 - Oracle Corporation)
Java 8 Update 45 (HKLM-x32\...\{26A24AE4-039D-4CA4-87B4-2F83218045F0}) (Version: 8.0.450 - Oracle Corporation)
===

--RogueKiller--
  • Download RogueKiller and SAVE it to your Desktop
  • Quit all programs that you may have started.
  • Please disconnect any USB or external drives from the computer before you run this scan!
  • For Vista or above, right-click the program file and select "Run as Administrator"
  • Accept the user agreements.
  • Execute the scan and wait until it has finished.
  • If a window opens to explain what PUMs are, read about it.
  • Click the RogueKiller icon on your taskbar to return to the report.
  • Click open the Report
  • Click Export TXT button
  • Save the file as ReportRogue.txt
  • Click the Remove button to delete the items in RED
  • Click Finish and close the program.
  • Locate the ReportRogue.txt file on your Desktop and copy/paste the contents in your next reply.
=======

Please download MiniToolBox to Desktop and run it.

Check the following boxes:
  • Flush DNS
  • Report IE Proxy Settings
  • Reset IE Proxy Settings
  • Report FF Proxy Settings
  • Reset FF Proxy Settings
  • List last 10 Event Viewer log
  • List content of Hosts
  • List IP Configuration
  • List Winsock Entries
  • Click Go and copy/paste the log (MTB.txt) into your next post.
  • Note: When using "Reset FF Proxy Settings" option Firefox should be closed.
Please let me know what problem persists with this computer.
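The MiniToolBox checklist above is a report of the places a hijacked machine usually keeps its network and browser tampering. Below is an added example, not code from this thread and not part of MiniToolBox or FRST, that produces a read-only version of that same report from PowerShell (proxy settings, hosts file, IE policy keys, Winsock providers, IP configuration, recent System events), so the residue the first fixlist targets can be looked at before anything is reset. It assumes PowerShell 2.0 or later in an elevated session; the registry paths are the standard Windows locations, and nothing is modified.

```powershell
# Added example (not from the thread, MiniToolBox or FRST): read-only report of
# the settings the MiniToolBox checklist asks for. Run elevated; changes nothing.

function Get-ProxyReport {
    # Per-user WinINET settings, used by IE and by most Windows HTTP clients.
    # A PAC script in AutoConfigURL redirects traffic without touching ProxyServer.
    $ie = Get-ItemProperty 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
    New-Object PSObject -Property @{
        ProxyEnable   = $ie.ProxyEnable
        ProxyServer   = $ie.ProxyServer
        AutoConfigURL = $ie.AutoConfigURL
        ProxyOverride = $ie.ProxyOverride
    } | Select-Object ProxyEnable, ProxyServer, AutoConfigURL, ProxyOverride
}

function Get-HostsEntries {
    # Active lines only; anything beyond the loopback defaults needs explaining.
    $hosts = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
    Get-Content $hosts |
        Where-Object { $_ -match '^\s*[^#\s]' } |
        Where-Object { $_ -notmatch '^\s*(127\.0\.0\.1|::1)\s+localhost\s*$' }
}

function Get-IEPolicyRestrictions {
    # FRST reports these keys as "Restriction" when they hold values; outside a
    # domain-managed machine there is normally nothing here.
    $keys = 'HKLM:\SOFTWARE\Policies\Microsoft\Internet Explorer',
            'HKCU:\SOFTWARE\Policies\Microsoft\Internet Explorer'
    foreach ($k in $keys) {
        if (-not (Test-Path $k)) { continue }
        foreach ($sub in @(Get-Item $k) + @(Get-ChildItem $k -Recurse)) {
            foreach ($name in $sub.GetValueNames()) {
                New-Object PSObject -Property @{ Key = $sub.Name; Value = $name; Data = $sub.GetValue($name) } |
                    Select-Object Key, Value, Data
            }
        }
    }
}

function Get-WinsockProviders {
    # Each catalog entry packs the provider DLL path as a NUL-terminated ANSI
    # string at the start of PackedCatalogItem. A path that no longer exists is
    # the classic "connected, but no internet" leftover once an LSP is deleted.
    $base = 'HKLM:\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9'
    foreach ($cat in 'Catalog_Entries', 'Catalog_Entries64') {
        $path = Join-Path $base $cat
        if (-not (Test-Path $path)) { continue }
        foreach ($e in Get-ChildItem $path) {
            $item = (Get-ItemProperty $e.PSPath).PackedCatalogItem
            if (-not $item) { continue }
            $dll = [Text.Encoding]::ASCII.GetString($item).Split([char]0)[0]
            $dll = [Environment]::ExpandEnvironmentVariables($dll)
            $exists = ($dll -and (Test-Path -LiteralPath $dll))
            New-Object PSObject -Property @{ Catalog = $cat; Entry = $e.PSChildName; Dll = $dll; Exists = $exists } |
                Select-Object Catalog, Entry, Dll, Exists
        }
    }
}

'--- Proxy settings ---'
Get-ProxyReport | Format-List
'--- hosts entries beyond the loopback defaults ---'
Get-HostsEntries
'--- IE policy restrictions ---'
Get-IEPolicyRestrictions | Format-Table -AutoSize
'--- Winsock providers whose DLL is missing ---'
Get-WinsockProviders | Where-Object { -not $_.Exists } | Format-Table -AutoSize
'--- IP configuration ---'
ipconfig /all
'--- Last 10 System events ---'
Get-WinEvent -LogName System -MaxEvents 10 | Format-Table TimeCreated, Id, ProviderName -AutoSize
```

Paste the output into a reply the same way the MTB.txt log is requested. A Winsock entry whose DLL is gone, or a hosts line pointing a well-known name somewhere odd, is what the "netsh winsock reset catalog" step later in this thread is meant to clear.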

#3 chaithep3 (Topic Starter)

Posted 15 June 2017 - 12:58 PM

So I have followed everything that you told me, though as for Java, I uninstalled it (I of course restarted my laptop right after, before continuing on to the next step). I know I don't need it anymore. Also, my browser opened a page for the PUM from RogueKiller, but considering my situation, where my laptop can't connect to the internet, I was unable to get to the page.

 

 

Attached Files



#4 nasdaq

Posted 16 June 2017 - 07:18 AM


Network settings are not my forte.

At this time I can only suggest, if you have not already done so, that you reset your router.

How to Reset a Router Back to the Factory Default Settings
http://www.ehow.com/how_2110924_reset-back-factory-default-settings.html

Then, please reconfigure it back to your preferred settings. Below are lists of default usernames and passwords, should you not know it ;)

http://www.routerpasswords.com/
http://www.phenoelit-us.org/dpl/dpl.html
===

Reset for Linksys, Netgear, D-Link and Belkin Routers
http://www.techsupportforum.com/2763-reset-for-linksys-netgear-d-link-and-belkin-routers/

====
How to tell if my Wireless is secure.
http://www.ehow.com/how_6775466_tell-wireless-secure_.html

===

If that fails to restore your Internet, I suggest you start a new topic in the Networking Forum.
https://www.bleepingcomputer.com/forums/f/21/networking/

Explain your difficulties connecting to the internet.

Post the MiniToolBox log for their review.
I will leave this topic open for 6 days. If you need to return for further malware check please do.

#5 chaithep3 (Topic Starter)

Posted 16 June 2017 - 10:43 AM

That's the reason I posted something in this specific section and in the previous one; I can't connect to the internet because of the malware rootkit scan I did. I made a previous thread about it before, a user suggested it was a ZeroAccess rootkit, and it was suggested that I make another post, but in this section. If you refer back to this link that I stated in the post, it will show what I have done within the last week to try to solve this issue with my laptop: https://www.bleepingcomputer.com/forums/t/648489/no-internet-after-malware-removal/

 

Thank you for the help.


Edited by chaithep3, 16 June 2017 - 11:01 AM.


#6 nasdaq

Posted 16 June 2017 - 12:32 PM


It's not a ZeroAccess infection. The Roguekiller program would have reported it.

===

Try this.

Press the Windows key + R on your keyboard at the same time. This will open the Run box.
Type Notepad and click OK.
Please copy the entire contents of the code box below to a new file.

Start

CreateRestorePoint:
CloseProcesses:

cmd: ipconfig /flushdns
cmd: IPCONFIG /release
cmd: IPCONFIG /renew
CMD: netsh advfirewall reset
CMD: netsh advfirewall set allprofiles state ON
CMD: netsh winsock reset catalog
CMD: netsh int ip reset c:\resetlog.txt
CMD: netsh int ipv4 reset
CMD: netsh int ipv6 reset
CMD: bitsadmin /reset /allusers

Reboot:

End
Save the file as fixlist.txt in the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the Farbar log you have submitted.

Run FRST and click Fix only once and wait.

The tool will create a log (Fixlog.txt) please post it to your reply.
===

If that fails reset your router.
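The fixlist above resets the TCP/IP stack, Winsock catalog and firewall, which covers the "connected but no access" symptom. It does not touch the other problem raised in the first post: a network adapter that will not take its driver and sits under "Other Devices" as "Network Controller", on a system whose FRST log is full of driver services marked [X] (image file missing). The following is an added example, not code from this thread and not FRST, that performs two read-only checks a responder would run in that situation: it lists every service or driver whose image file is gone (the same condition FRST marks with [X]), and it reads the UpperFilters/LowerFilters values of the network-adapter device class, because a class filter whose driver cannot be loaded prevents every adapter in that class from starting. It also lists devices Device Manager currently flags with an error code. It assumes PowerShell 2.0 or later in an elevated session, and the standard Windows registry layout; it removes nothing.

```powershell
# Added example (not from the thread or FRST): find services/drivers whose
# image is missing, check Net-class filter drivers, list problem devices.
# Run elevated; read-only.

function Resolve-ImagePath {
    # Turn the various ImagePath spellings into one absolute path.
    param([string]$Raw)
    if (-not $Raw) { return $null }
    $p = $Raw.Trim()
    if ($p.StartsWith('"')) {
        $p = $p.Split('"')[1]                                   # "C:\x y\svc.exe" -k args
    } elseif ($p -match '^(.+?\.(sys|exe|dll))(\s.*)?$') {
        $p = $Matches[1]                                        # C:\x\svc.exe -k args
    }
    $p = $p -replace '^\\\?\?\\', ''                            # \??\C:\...      -> C:\...
    $p = $p -replace '^\\SystemRoot\\', ($env:SystemRoot + '\') # \SystemRoot\... -> C:\Windows\...
    $p = [Environment]::ExpandEnvironmentVariables($p)          # %SystemRoot%\...
    if ($p -notmatch '^[A-Za-z]:\\') {                          # system32\DRIVERS\x.sys
        $p = Join-Path $env:SystemRoot $p
    }
    return $p
}

function Get-OrphanedServices {
    # Equivalent of the [X] marker in an FRST log: a registered service or
    # driver whose image file no longer exists on disk.
    $found = @()
    foreach ($svc in Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services') {
        $props = Get-ItemProperty $svc.PSPath -ErrorAction SilentlyContinue
        if (-not $props -or -not $props.ImagePath) { continue }
        $image = Resolve-ImagePath $props.ImagePath
        if (-not $image -or -not (Test-Path -LiteralPath $image)) {
            $found += New-Object PSObject -Property @{
                Service = $svc.PSChildName
                Start   = $props.Start      # 3 = demand start, what FRST prints as "S3"
                Type    = $props.Type       # 1 or 2 = kernel / file-system driver
                Image   = $image
            }
        }
    }
    $found | Select-Object Service, Start, Type, Image
}

function Get-NetClassFilters {
    # {4D36E972-...} is the Net device class. Services named in its
    # UpperFilters/LowerFilters must load for any adapter in the class to start.
    $class = 'HKLM:\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318}'
    $props = Get-ItemProperty $class
    foreach ($kind in 'UpperFilters', 'LowerFilters') {
        foreach ($name in @($props.$kind)) {
            if (-not $name) { continue }
            $svcKey = "HKLM:\SYSTEM\CurrentControlSet\Services\$name"
            if (-not (Test-Path $svcKey)) {
                $state = 'NO SERVICE KEY'
            } else {
                $image = Resolve-ImagePath (Get-ItemProperty $svcKey).ImagePath
                if ($image -and (Test-Path -LiteralPath $image)) { $state = 'ok' } else { $state = 'IMAGE MISSING' }
            }
            New-Object PSObject -Property @{ Filter = $kind; Service = $name; State = $state } |
                Select-Object Filter, Service, State
        }
    }
}

function Get-ProblemDevices {
    # Devices Device Manager marks with an error; code 28 is "drivers not
    # installed", which is how an adapter ends up as "Network Controller".
    Get-WmiObject Win32_PnPEntity -Filter 'ConfigManagerErrorCode <> 0' |
        Select-Object Name, ConfigManagerErrorCode, DeviceID
}

'--- Services/drivers with a missing image (FRST [X]) ---'
Get-OrphanedServices | Format-Table -AutoSize
'--- Net class filter drivers ---'
Get-NetClassFilters | Format-Table -AutoSize
'--- Devices with a problem code ---'
Get-ProblemDevices | Format-Table -AutoSize
```

If a Net-class filter shows IMAGE MISSING or NO SERVICE KEY, that entry, not the NIC driver package, is what needs attention; the orphaned-service list is the same set of entries FRST removes when they appear in a fixlist, so post it rather than deleting by hand.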

#7 chaithep3 (Topic Starter)

Posted 16 June 2017 - 01:59 PM

It's not a ZeroAccess infection. The Roguekiller program would have reported it.

At least we can scratch that off the list. :) Though the only problem is that in my previous thread, someone told me to uninstall the network driver and then reinstall it afterwards (I of course downloaded the network driver through the manufacturer's website). When I tried to do that, I was unable to install the network driver properly; it was then listed under Other Devices as "Network Controller." I also had trouble when I tried to reinstall my webcam driver, but to no avail.

 

I will try to do what you suggested, and I hope it'll give me results.

 

EDIT: I should also mention something I had forgotten, but which is crucial: when plugging my laptop into the modem using an Ethernet cord, I still get no access to the network.

Attached Files


Edited by chaithep3, 16 June 2017 - 02:08 PM.


#8 chaithep3 (Topic Starter)

Posted 20 June 2017 - 01:55 PM

Worst case scenario, I'll just wipe everything and have a fresh Windows installation done on my laptop if I am unable to solve this issue.


Edited by chaithep3, 20 June 2017 - 02:42 PM.


#9 nasdaq

Posted 21 June 2017 - 08:30 AM

Did you reset the registry after the re-install of Windows?

What issue(s) are still pending?

#10 chaithep3 (Topic Starter)

Posted 21 June 2017 - 02:03 PM

Did you reset the registry after the re-install of Windows?

What issue(s) are still pending?

I have yet to do it; I plan to re-install Windows this weekend. I was hoping someone would still try to aid me with this issue without resorting to the re-installation of Windows.



#11 chaithep3 (Topic Starter)

Posted 21 June 2017 - 09:42 PM

I found out about my laptop's System Restore; there was a restore point created a couple of weeks before this issue started, though the description says Windows Update. I'm just going to try it out and see what happens.

 

EDIT: So it seemed to work; I was able to have internet again, but the thing is, the malware is probably still within the files in my system. I am noticing how slow it was before the Malwarebytes scan w/ rootkit enabled. Hoping someone can help me get it removed without facing this issue again. Also, I was given a message that it failed to extract this file: D:\Programfiles (x86)\InstalledShield Installation Information\{C14EAE86-4E000-B254-CFF86233C3D2}\setup.exe


Edited by chaithep3, 21 June 2017 - 11:15 PM.


#12 nasdaq

Posted 22 June 2017 - 07:03 AM

Good work.

Please run the Farbar tool and post fresh FRST and Addition.txt logs.

Make sure you check the box to create a new Addition.txt log.

#13 chaithep3 (Topic Starter)

Posted 22 June 2017 - 11:40 AM

Here are the two files requested to be uploaded.

Attached Files


Edited by chaithep3, 22 June 2017 - 11:40 AM.


#14 nasdaq

Posted 23 June 2017 - 07:20 AM

Hi,

Press the Windows key + R on your keyboard at the same time. This will open the Run box.
Type Notepad and click OK.

Please copy the entire contents of the code box below to a new file.
 
Start

CreateRestorePoint:
EmptyTemp:
CloseProcesses:

HKU\S-1-5-21-3185023692-1559785953-1393835412-1000\...\Winlogon: [Shell] C:\Windows\explorer.exe [3229696 2016-08-29] (Microsoft Corporation) <==== ATTENTION
GroupPolicy: Restriction <======= ATTENTION
SearchScopes: HKU\S-1-5-21-3185023692-1559785953-1393835412-1000 -> {95B7759C-8C7F-4BF1-B163-73684A933233} URL = hxxps://mysearch.avg.com/search?cid={97E25FB9-1E91-4729-9860-88F82B339CD4}&mid=f05d8afada5c47d3abf7e1b0ab50c31c-a3f3327c47e26cb21a6daa2ae144ed6b30138c26&lang=en&ds=AVG&coid=avgtbavg&cmpid=1114avi&pr=fr&d=2014-12-13 13:29:33&v=4.0.0.19&pid=wtu&sg=&sap=dsp&q={searchTerms}
BHO-x32: No Name -> {02478D38-C3F9-4efb-9B51-7695ECA05670} -> No File
FF Plugin: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin-x32: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin-x32: @pandonetworks.com/PandoWebPlugin -> C:\Program Files (x86)\Pando Networks\Media Booster\npPandoWebPlugin.dll [No File]
FF Plugin HKU\S-1-5-21-3185023692-1559785953-1393835412-1000: wacom.com/WacomTabletPlugin -> C:\Program Files\TabletPlugins\npWacomTabletPlugin.dll [No File]
CHR Extension: (Chrome Web Store Payments) - C:\Users\Phil\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2017-06-22]
CHR Extension: (Chrome Media Router) - C:\Users\Phil\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm [2017-06-22]
S3 ACDaemon; C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACService.exe [X]
S3 BT; system32\DRIVERS\btnetdrv.sys [X]
S3 BTCOM; system32\DRIVERS\btcomport.sys [X]
S3 EagleX64; \??\C:\Windows\system32\drivers\EagleX64.sys [X]
S3 IvtComBusSrv; System32\Drivers\btcombus.sys [X]
S3 massfilter_hs; \??\C:\Windows\system32\drivers\massfilter_hs.sys [X]
S3 RimUsb; System32\Drivers\RimUsb_AMD64.sys [X]
S3 WacHidRouter; system32\DRIVERS\wachidrouter.sys [X]
S3 wacomrouterfilter; system32\DRIVERS\wacomrouterfilter.sys [X]
S3 xhunter1; \??\C:\Windows\xhunter1.sys [X]
CustomCLSID: HKU\S-1-5-21-3185023692-1559785953-1393835412-1000_Classes\CLSID\{092dfa86-5807-5a94-bf3b-5a53ba9e5308}\InprocServer32 -> no filepath
CustomCLSID: HKU\S-1-5-21-3185023692-1559785953-1393835412-1000_Classes\CLSID\{0F22A205-CFB0-4679-8499-A6F44A80A208}\InprocServer32 -> no filepath
CustomCLSID: HKU\S-1-5-21-3185023692-1559785953-1393835412-1000_Classes\CLSID\{1423F872-3F7F-4E57-B621-8B1A9D49B448}\InprocServer32 -> no filepath
CustomCLSID: HKU\S-1-5-21-3185023692-1559785953-1393835412-1000_Classes\CLSID\{355EC88A-02E2-4547-9DEE-F87426484BD1}\InprocServer32 -> no filepath
CustomCLSID: HKU\S-1-5-21-3185023692-1559785953-1393835412-1000_Classes\CLSID\{590C4387-5EBD-4D46-8A84-CD0BA2EF2856}\InprocServer32 -> C:\Users\Phil\AppData\Local\Google\Update\1.3.30.3\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-3185023692-1559785953-1393835412-1000_Classes\CLSID\{59B55F04-DE14-4BB8-92FF-C4A22EF2E5F4}\InprocServer32 -> C:\Users\Phil\AppData\Local\Google\Update\1.3.31.5\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-3185023692-1559785953-1393835412-1000_Classes\CLSID\{5C8C2A98-6133-4EBA-BBCC-34D9EA01FC2E}\InprocServer32 -> no filepath
CustomCLSID: HKU\S-1-5-21-3185023692-1559785953-1393835412-1000_Classes\CLSID\{78550997-5DEF-4A8A-BAF9-D5774E87AC98}\InprocServer32 -> no filepath
CustomCLSID: HKU\S-1-5-21-3185023692-1559785953-1393835412-1000_Classes\CLSID\{793EE463-1304-471C-ADF1-68C2FFB01247}\InprocServer32 -> C:\Users\Phil\AppData\Local\Google\Update\1.3.29.5\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-3185023692-1559785953-1393835412-1000_Classes\CLSID\{8C46158B-D978-483C-A312-16EE5013BE04}\InprocServer32 -> C:\Users\Phil\AppData\Local\Google\Update\1.3.33.3\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-3185023692-1559785953-1393835412-1000_Classes\CLSID\{90B3DFBF-AF6A-4EA0-8899-F332194690F8}\InprocServer32 -> no filepath
CustomCLSID: HKU\S-1-5-21-3185023692-1559785953-1393835412-1000_Classes\CLSID\{C3BC25C0-FCD3-4F01-AFDD-41373F017C9A}\InprocServer32 -> no filepath
CustomCLSID: HKU\S-1-5-21-3185023692-1559785953-1393835412-1000_Classes\CLSID\{CB492AF1-2CEF-4E58-BE47-471C77D0C8BA}\InprocServer32 -> C:\Users\Phil\AppData\Local\Google\Update\1.3.32.7\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-3185023692-1559785953-1393835412-1000_Classes\CLSID\{CC182BE1-84CE-4A57-B85C-FD4BBDF78CB2}\InprocServer32 -> C:\Users\Phil\AppData\Local\Google\Update\1.3.29.1\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-3185023692-1559785953-1393835412-1000_Classes\CLSID\{D0336C0B-7919-4C04-8CCE-2EBAE2ECE8C9}\InprocServer32 -> no filepath
CustomCLSID: HKU\S-1-5-21-3185023692-1559785953-1393835412-1000_Classes\CLSID\{D1EDC4F5-7F4D-4B12-906A-614ECF66DDAF}\InprocServer32 -> no filepath
CustomCLSID: HKU\S-1-5-21-3185023692-1559785953-1393835412-1000_Classes\CLSID\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InprocServer32 -> no filepath
CustomCLSID: HKU\S-1-5-21-3185023692-1559785953-1393835412-1000_Classes\CLSID\{FE498BAB-CB4C-4F88-AC3F-3641AAAF5E9E}\InprocServer32 -> no filepath
FirewallRules: [TCP Query User{6E12489E-E56A-4C83-BAD7-1AB5FB4D8AE1}C:\program files (x86)\java\jre1.8.0_45\bin\javaw.exe] => (Allow) C:\program files (x86)\java\jre1.8.0_45\bin\javaw.exe
FirewallRules: [UDP Query User{8D55709E-FF0D-44EF-A11C-3AB1E14B67EE}C:\program files (x86)\java\jre1.8.0_45\bin\javaw.exe] => (Allow) C:\program files (x86)\java\jre1.8.0_45\bin\javaw.exe

End
Save the file as fixlist.txt in the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the Farbar log you have submitted.

Run FRST and click Fix only once and wait.

The tool will create a log (Fixlog.txt) please post it to your reply.

Please let me know what problem persists with this computer.
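Most of the entries in this last fixlist are per-user persistence points: a Shell value under the user's Winlogon key (flagged even though it names explorer.exe, because that value normally exists only under HKLM), an AVG search scope still wired into IE, and a long list of CLSIDs whose InprocServer32 names a DLL that is not there. A dangling CLSID does nothing today, but it is exactly the slot a COM-hijacking loader fills later, which is why FRST lists them. The script below is an added example, not code from this thread and not FRST, that enumerates those three locations and flags the dangling ones with the same wording FRST uses ("no filepath", "No File"). It assumes PowerShell 2.0 or later, run as the user whose profile (HKCU) is being checked; it reads only.

```powershell
# Added example (not from the thread or FRST): enumerate per-user persistence
# points the fixlist targets and flag dangling entries. Read-only.

function Get-DanglingUserClsids {
    # For a non-elevated process the per-user CLSID wins over the HKLM one, so
    # HKCU\Software\Classes is the hive that matters for COM hijacks.
    $root = 'HKCU:\Software\Classes\CLSID'
    if (-not (Test-Path $root)) { return }
    foreach ($clsid in Get-ChildItem $root) {
        $inproc = Join-Path $clsid.PSPath 'InprocServer32'
        if (-not (Test-Path $inproc)) { continue }
        $raw = (Get-Item $inproc).GetValue('')             # the (default) value holds the DLL path
        if ($raw) { $server = [Environment]::ExpandEnvironmentVariables($raw.Trim('"')) } else { $server = $null }
        if (-not $server)                       { $state = 'no filepath' }
        elseif (Test-Path -LiteralPath $server) { $state = 'ok' }
        else                                    { $state = 'No File' }
        if ($state -ne 'ok') {
            New-Object PSObject -Property @{ CLSID = $clsid.PSChildName; Server = $server; State = $state } |
                Select-Object CLSID, Server, State
        }
    }
}

function Get-WinlogonShell {
    # Shell normally exists only under HKLM and reads "explorer.exe". A copy
    # under HKCU is a known persistence spot, which is why FRST flags it even
    # when it points at the real explorer.exe.
    foreach ($hive in 'HKLM', 'HKCU') {
        $key = "$($hive):\Software\Microsoft\Windows NT\CurrentVersion\Winlogon"
        $shell = (Get-ItemProperty $key -ErrorAction SilentlyContinue).Shell
        New-Object PSObject -Property @{ Hive = $hive; Shell = $shell } | Select-Object Hive, Shell
    }
}

function Get-SearchScopes {
    # IE search providers for this user; the URL is what a hijacker changes.
    $root = 'HKCU:\Software\Microsoft\Internet Explorer\SearchScopes'
    if (-not (Test-Path $root)) { return }
    foreach ($scope in Get-ChildItem $root) {
        $p = Get-ItemProperty $scope.PSPath
        New-Object PSObject -Property @{ Scope = $scope.PSChildName; Name = $p.DisplayName; URL = $p.URL } |
            Select-Object Scope, Name, URL
    }
}

'--- Per-user CLSIDs whose InprocServer32 is dangling ---'
Get-DanglingUserClsids | Format-Table -AutoSize
'--- Winlogon Shell (HKCU copy is normally absent) ---'
Get-WinlogonShell | Format-Table -AutoSize
'--- IE SearchScopes ---'
Get-SearchScopes | Format-Table -AutoSize -Wrap
```

Run it again after the fix: the CLSID list should come back empty, the HKCU Shell value should be blank, and the only search scope left should be one the user recognizes. Entries that reappear on a later run point at something still writing them.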

#15 chaithep3 (Topic Starter)

Posted 23 June 2017 - 10:45 AM

I mean, now the whole issue is solved; it was just no access to the internet after a Malwarebytes scan/removal w/ rootkit enabled. I'd like to get the malware removed at this point, but it isn't a major issue now. Also, I am unable to install my webcam driver.

Attached Files





