
Infected with AppInit_DLL and sysmsrv.dll


  • This topic is locked
6 replies to this topic

#1 badd7

  • Members
  • 4 posts
  • OFFLINE
  • Local time:10:00 PM

Posted 18 June 2017 - 08:07 PM

Hi. My laptop is infected with AppInit_DLL; it was detected when I tried to scan with MBAR. Then, when I scanned with MBAM, symsrv.dll was detected. After a reboot, the malware is still there when I rescan. Please help me. Thanks in advance!

 

Below are my FRST64 log and addition.txt.

 

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 18-06-2017 01
Ran by user (administrator) on USER-PC (19-06-2017 09:01:46)
Running from C:\Users\user\Downloads
Loaded Profiles: user (Available Profiles: user)
Platform: Windows 7 Enterprise Service Pack 1 (X64) Language: English (United States)
Internet Explorer Version 11 (Default browser: Chrome)
Boot Mode: Normal
 
==================== Processes (Whitelisted) =================
 
(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)
 
(NVIDIA Corporation) C:\Windows\System32\nvvsvc.exe
(ASUSTek Computer Inc.) C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe
(NVIDIA Corporation) C:\Windows\System32\nvvsvc.exe
(ASUS) C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe
(ASUSTek Computer Inc.) C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe
(ASUS) C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe
(ASUS) C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe
(Smadsoft) C:\Program Files (x86)\SMADAV\SMΔRTP.exe
(IVT Corporation) C:\Program Files (x86)\Ralink Corporation\Ralink Bluetooth Stack\BlueSoleilCS.exe
(Malwarebytes) C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe
(SEIKO EPSON CORPORATION) C:\Windows\System32\spool\drivers\x64\3\E_YATIN2E.EXE
(SEIKO EPSON CORPORATION) C:\Windows\System32\spool\drivers\x64\3\E_YATII2E.EXE
(HP) C:\Windows\System32\HPSIsvc.exe
(Seiko Epson Corporation) C:\Windows\System32\escsvc64.exe
(Malwarebytes) C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe
(IVT Corporation) C:\Program Files (x86)\Ralink Corporation\Ralink Bluetooth Stack\BsHelpCS.exe
(ASUSTek Computer Inc.) C:\Program Files (x86)\ASUS\ATK Package\ATKOSD2\ATKOSD2.exe
(Malwarebytes) C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe
(Google Inc.) C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe
(HP Inc.) C:\Program Files (x86)\Hewlett-Packard\HP Support Solutions\HPSupportSolutionsFrameworkService.exe
 
==================== Registry (Whitelisted) ====================
 
(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)
 
HKLM\...\Run: [Malwarebytes TrayApp] => C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\mbamtray.exe [3146704 2017-05-09] (Malwarebytes)
HKLM-x32\...\Run: [ATKMEDIA] => C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe [283903 2013-05-30] (ASUSTek Computer Inc.)
HKLM-x32\...\Run: [ATKOSD2] => C:\Program Files (x86)\ASUS\ATK Package\ATKOSD2\ATKOSD2.exe [406328 2013-09-09] (ASUSTek Computer Inc.)
HKLM-x32\...\Run: [SMΔRT-Protection] => C:\Program Files (x86)\Smadav\SMΔRTP.exe [1821808 2017-05-22] (Smadsoft)
Winlogon\Notify\igfxcui: C:\Windows\system32\igfxdev.dll (Intel Corporation)
HKU\S-1-5-21-974777038-4268167425-1758523442-1000\...\Run: [Google Update] => C:\Users\user\AppData\Local\Google\Update\1.3.33.5\GoogleUpdateCore.exe [679447 2017-04-28] (Google Inc.)
HKU\S-1-5-21-974777038-4268167425-1758523442-1000\...\Run: [EPLTarget\P0000000000000002] => C:\Windows\system32\spool\DRIVERS\x64\3\E_YATIN2E.EXE [298560 2014-03-20] (SEIKO EPSON CORPORATION)
HKU\S-1-5-21-974777038-4268167425-1758523442-1000\...\Run: [EPLTarget\P0000000000000000] => C:\Windows\system32\spool\DRIVERS\x64\3\E_YATII2E.EXE [283232 2012-02-28] (SEIKO EPSON CORPORATION)
HKU\S-1-5-21-974777038-4268167425-1758523442-1000\...\Policies\Explorer: [DisallowRun] 1
HKU\S-1-5-21-974777038-4268167425-1758523442-1000\...\Policies\Explorer\DisallowRun: [1] Mshta.exe
HKU\S-1-5-21-974777038-4268167425-1758523442-1000\...\Policies\Explorer\DisallowRun: [2] powershell.exe
HKU\S-1-5-21-974777038-4268167425-1758523442-1000\...\Policies\Explorer\DisallowRun: [3] bitsadmin.exe
AppInit_DLLs-x32: C:\PROGRA~1\COMMON~1\System\symsrv.dll => C:\Program Files\Common Files\System\symsrv.dll [69337 2017-06-19] (Microsoft Corporation)
ShellIconOverlayIdentifiers: [00asw] -> {472083B0-C522-11CF-8763-00608CC02F24} =>  -> No File
ShellIconOverlayIdentifiers: [00avast] -> {472083B0-C522-11CF-8763-00608CC02F24} =>  -> No File
 
==================== Internet (Whitelisted) ====================
 
(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)
 
Winsock: Catalog5 08 C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WLIDNSP.DLL => No File 
Winsock: Catalog5 09 C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WLIDNSP.DLL => No File 
Winsock: Catalog5-x64 08 C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDNSP.DLL => No File 
Winsock: Catalog5-x64 09 C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDNSP.DLL => No File 
Tcpip\Parameters: [DhcpNameServer] 192.168.1.1
Tcpip\..\Interfaces\{28D6A0BA-58B8-49B0-A66F-71FF0F334458}: [DhcpNameServer] 192.168.42.129
Tcpip\..\Interfaces\{90F510CA-20DF-40C8-9232-5FB24C317819}: [DhcpNameServer] 192.168.42.129
Tcpip\..\Interfaces\{A9CEB07A-55C0-4AC2-A46F-CCD40501A76B}: [DhcpNameServer] 192.168.42.129
Tcpip\..\Interfaces\{E8251DC0-44F6-415C-8ADD-F9AAF96E5277}: [DhcpNameServer] 192.168.1.1
 
Internet Explorer:
==================
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
HKU\.DEFAULT\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
HKU\S-1-5-21-974777038-4268167425-1758523442-1000\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
HKU\S-1-5-21-974777038-4268167425-1758523442-1000\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
BHO: Groove GFS Browser Helper -> {72853161-30C5-4D22-B7F9-0BBC1D38A37E} -> C:\Program Files\Microsoft Office\Office14\GROOVEEX.DLL [2010-01-21] (Microsoft Corporation)
BHO: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL [2010-01-16] (Microsoft Corporation)
BHO: Java™ Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files\Java\jre7\bin\jp2ssv.dll [2015-02-15] (Oracle Corporation)
BHO-x32: Adobe PDF Link Helper -> {18DF081C-E8AD-4283-A596-FA578C2EBDC3} -> C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll [2012-04-04] (Adobe Systems Incorporated)
BHO-x32: Groove GFS Browser Helper -> {72853161-30C5-4D22-B7F9-0BBC1D38A37E} -> C:\Program Files (x86)\Microsoft Office\Office14\GROOVEEX.DLL [2010-01-21] (Microsoft Corporation)
BHO-x32: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files (x86)\Microsoft Office\Office14\URLREDIR.DLL [2010-01-16] (Microsoft Corporation)
Handler-x32: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Windows\SysWOW64\skype4com.dll [2013-12-16] (Skype Technologies)
 
FireFox:
========
FF ProfilePath: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\9xludzv2.default-1493167823870 [2017-06-19]
FF Plugin: @java.com/JavaPlugin -> C:\Program Files\Java\jre7\bin\new_plugin\npjp2.dll [2015-02-15] (Oracle Corporation)
FF Plugin: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin: @microsoft.com/OfficeAuthz,version=14.0 -> C:\PROGRA~1\MICROS~1\Office14\NPAUTHZ.DLL [2010-01-09] (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin-x32: @microsoft.com/OfficeAuthz,version=14.0 -> C:\PROGRA~2\MICROS~1\Office14\NPAUTHZ.DLL [2010-01-09] (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/SharePoint,version=14.0 -> C:\PROGRA~2\MICROS~1\Office14\NPSPWRAP.DLL [2010-01-10] (Microsoft Corporation)
FF Plugin-x32: @videolan.org/vlc,version=2.2.3 -> C:\Program Files (x86)\VideoLAN\VLC\npvlc.dll [2016-04-26] (VideoLAN)
FF Plugin-x32: Adobe Reader -> C:\Program Files (x86)\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll [2012-04-04] (Adobe Systems Inc.)
FF Plugin HKU\S-1-5-21-974777038-4268167425-1758523442-1000: @tools.google.com/Google Update;version=3 -> C:\Users\user\AppData\Local\Google\Update\1.3.33.5\npGoogleUpdate3.dll [2017-04-28] (Google Inc.)
FF Plugin HKU\S-1-5-21-974777038-4268167425-1758523442-1000: @tools.google.com/Google Update;version=9 -> C:\Users\user\AppData\Local\Google\Update\1.3.33.5\npGoogleUpdate3.dll [2017-04-28] (Google Inc.)
 
Chrome: 
=======
CHR DefaultProfile: Profile 1
CHR HomePage: Profile 1 -> hxxp://www.google.com.my/
CHR Session Restore: Profile 1 -> is enabled.
CHR Profile: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default [2017-06-19]
CHR Profile: C:\Users\user\AppData\Local\Google\Chrome\User Data\Profile 1 [2017-06-19]
CHR Extension: (Google Slides) - C:\Users\user\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\aapocclcgogkmnckokdopfmhonfmgoek [2016-10-17]
CHR Extension: (Google Docs) - C:\Users\user\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\aohghmighlieiainnegkcijnfilokake [2016-10-17]
CHR Extension: (Google Drive) - C:\Users\user\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\apdfllckaahabafndbhieahigkjlhalf [2016-10-17]
CHR Extension: (YouTube) - C:\Users\user\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2016-10-17]
CHR Extension: (Google Sheets) - C:\Users\user\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\felcaaldnbdncclmgdcncolpebgiejap [2016-10-17]
CHR Extension: (Google Docs Offline) - C:\Users\user\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi [2016-10-20]
CHR Extension: (Chrome Web Store Payments) - C:\Users\user\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2017-03-09]
CHR Extension: (Gmail) - C:\Users\user\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2016-10-17]
CHR Extension: (Chrome Media Router) - C:\Users\user\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm [2017-05-15]
StartMenuInternet: Google Chrome.IEPJVRPKFMYJBU7HCDGNTRRIXE - C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe
 
==================== Services (Whitelisted) ====================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
R2 AdobeARMservice; C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe [142207 2012-04-04] (Adobe Systems Incorporated) [File not signed]
R2 ASLDRService; C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe [189695 2013-09-09] (ASUSTek Computer Inc.) [File not signed]
R2 ATKGFNEXSrv; C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe [175175 2011-11-21] (ASUS) [File not signed]
R2 BlueSoleilCS; C:\Program Files (x86)\Ralink Corporation\Ralink Bluetooth Stack\BlueSoleilCS.exe [1658159 2014-02-17] (IVT Corporation) [File not signed]
R3 BsHelpCS; C:\Program Files (x86)\Ralink Corporation\Ralink Bluetooth Stack\BsHelpCS.exe [145656 2013-12-16] (IVT Corporation)
R2 EpsonScanSvc; C:\Windows\system32\EscSvc64.exe [135824 2011-12-12] (Seiko Epson Corporation)
R2 HPSupportSolutionsFrameworkService; C:\Program Files (x86)\Hewlett-Packard\HP Support Solutions\HPSupportSolutionsFrameworkService.exe [321056 2017-06-01] (HP Inc.)
S3 Lenovo EasyPlus Hotspot; C:\Program Files (x86)\Common Files\LENOVO\easyplussdk\bin\EPHotspot64.exe [625648 2015-06-08] (Lenovo)
R2 MBAMService; C:\Program Files\Malwarebytes\Anti-Malware\mbamservice.exe [4470736 2017-05-09] (Malwarebytes)
S3 RealPlayer Cloud Service; C:\Program Files (x86)\Real\RealPlayer\RPDS\Bin\rpdsvc.exe [1141848 2015-03-28] (RealNetworks, Inc.)
S3 ShareItSvc; D:\SHAREit\Shareit.Service.exe [33224 2016-04-15] (SHAREit Technologies Co.Ltd)
R2 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [1011712 2013-05-27] (Microsoft Corporation)
 
===================== Drivers (Whitelisted) ======================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
S3 BlueletAudio; C:\Windows\System32\DRIVERS\blueletaudio.sys [33968 2012-12-19] (IVT Corporation)
S3 BlueletAudio; C:\Windows\SysWOW64\DRIVERS\blueletaudio.sys [33968 2012-12-19] (IVT Corporation)
R3 BtAudioBusSrv; C:\Windows\System32\Drivers\BtAudioBus.sys [23136 2012-06-15] (IVT Corporation)
R3 BthL2caScoIfSrv; C:\Windows\System32\Drivers\BtL2caScoIf.sys [54064 2013-04-26] (Ralink Corporation)
R3 btUrbFilterDrv; C:\Windows\System32\Drivers\IvtUrbBtFlt.sys [51936 2014-01-20] (Ralink Corporation)
R0 iaStorF; C:\Windows\System32\DRIVERS\iaStorF.sys [28008 2013-11-16] (Intel Corporation)
R1 ISODrive; C:\Program Files (x86)\UltraISO\drivers\ISODrv64.sys [115600 2010-01-29] (EZB Systems, Inc.)
R3 m76usb; C:\Windows\System32\DRIVERS\m76usb.sys [539848 2014-02-12] (Ralink Technology Corp.)
R3 MBAMSwissArmy; C:\Windows\system32\drivers\MBAMSwissArmy.sys [252832 2017-06-19] (Malwarebytes)
S3 mvusbews; C:\Windows\System32\Drivers\mvusbews.sys [20480 2012-09-26] (Marvell Semiconductor, Inc.)
S3 VGPU; System32\drivers\rdvgkmd.sys [X]
 
==================== NetSvcs (Whitelisted) ===================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
 
==================== One Month Created files and folders ========
 
(If an entry is included in the fixlist, the file/folder will be moved.)
 
2017-06-19 09:01 - 2017-06-19 09:02 - 00014326 _____ C:\Users\user\Downloads\FRST.txt
2017-06-19 09:01 - 2017-06-19 09:01 - 00000000 ____D C:\FRST
2017-06-19 08:53 - 2017-06-19 08:54 - 02439680 _____ (Farbar) C:\Users\user\Downloads\FRST64.exe
2017-06-19 08:32 - 2017-06-19 08:32 - 00001867 _____ C:\Users\Public\Desktop\Malwarebytes.lnk
2017-06-19 08:32 - 2017-06-19 08:32 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes
2017-06-19 08:31 - 2017-06-19 08:50 - 00077376 _____ C:\Windows\system32\Drivers\mbae64.sys
2017-06-19 08:24 - 2017-06-19 08:25 - 01663672 _____ (Malwarebytes) C:\Users\user\Downloads\JRT.exe
2017-06-19 07:58 - 2017-04-11 08:12 - 01663672 _____ (Malwarebytes) C:\Users\user\Desktop\JRT.exe
2017-06-19 07:54 - 2017-06-19 08:37 - 00234828 _____ C:\Windows\ntbtlog.txt
2017-06-19 05:30 - 2017-06-19 05:30 - 00048382 _____ C:\Users\user\Downloads\Extras.Txt
2017-06-19 05:28 - 2017-06-19 05:28 - 00060676 _____ C:\Users\user\Downloads\OTL.Txt
2017-06-19 04:41 - 2017-06-19 07:51 - 00000000 ____D C:\Users\user\AppData\Local\CrashDumps
2017-06-19 03:25 - 2017-06-19 03:25 - 00026800 _____ C:\ComboFix.txt
2017-06-18 20:34 - 2017-06-19 07:47 - 00000000 ____D C:\Program Files (x86)\Spybot - Search & Destroy 2
2017-06-18 20:34 - 2017-06-19 06:37 - 00000000 ____D C:\ProgramData\Spybot - Search & Destroy
2017-06-18 05:45 - 2017-06-19 03:25 - 00000000 ____D C:\Qoobox
2017-06-18 05:45 - 2000-08-31 08:00 - 00406528 _____ (SteelWerX) C:\Windows\SWSC.exe
2017-06-18 05:43 - 2017-06-18 05:45 - 00210482 _____ C:\TDSSKiller.3.1.0.15_18.06.2017_05.43.54_log.txt
2017-06-18 05:22 - 2017-06-19 07:47 - 00000000 ____D C:\ProgramData\RogueKiller
2017-06-18 05:21 - 2017-06-19 07:47 - 00000000 ____D C:\Program Files\RogueKiller
2017-06-18 02:07 - 2017-06-18 02:07 - 00000000 ____D C:\Program Files\Malwarebytes
2017-06-17 12:21 - 2017-06-19 07:47 - 00000000 ____D C:\Users\user\Desktop\DnsJumper
2017-06-17 11:36 - 2017-06-17 11:36 - 00397909 _____ C:\Users\user\Desktop\Asas dan Falsafah Pendidikan Islam.pptx
2017-06-10 10:29 - 2017-06-19 07:47 - 00000000 ____D C:\Users\user\Documents\My Data Sources
2017-05-23 13:42 - 2017-05-23 13:42 - 00000000 ____D C:\Users\user\AppData\Roaming\Psiphon3
2017-05-23 13:41 - 2017-05-23 13:41 - 05319727 _____ C:\Users\user\Desktop\psiphon3.exe
2017-05-23 13:41 - 2017-05-23 13:41 - 05241448 ___SH C:\Users\user\Desktop\psiphon3.exe.dat
2017-05-22 07:49 - 2017-05-22 07:49 - 00003146 _____ C:\Windows\System32\Tasks\smadav
 
==================== One Month Modified files and folders ========
 
(If an entry is included in the fixlist, the file/folder will be moved.)
 
2017-06-19 08:53 - 2009-07-14 12:45 - 00022400 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2017-06-19 08:53 - 2009-07-14 12:45 - 00022400 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2017-06-19 08:50 - 2016-05-24 19:18 - 00252832 _____ (Malwarebytes) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
2017-06-19 08:49 - 2009-07-14 13:13 - 00781298 _____ C:\Windows\system32\PerfStringBackup.INI
2017-06-19 08:49 - 2009-07-14 11:20 - 00000000 ____D C:\Windows\inf
2017-06-19 08:47 - 2016-11-08 08:47 - 00000911 _____ C:\Windows\Tasks\EPSON L220 Series Update {51133409-4BB0-4F74-9FC7-BFCEAFF77B09}.job
2017-06-19 08:46 - 2009-07-14 13:32 - 00000000 ____D C:\Windows\system32\FxsTmp
2017-06-19 08:45 - 2014-01-21 15:40 - 00000983 _____ C:\Windows\SysWOW64\bscs.ini
2017-06-19 08:44 - 2015-07-24 10:14 - 00004268 _____ C:\Windows\SysWOW64\LOCALSERVICE.INI
2017-06-19 08:44 - 2015-07-24 10:14 - 00000061 _____ C:\Windows\SysWOW64\LOCALDEVICE.INI
2017-06-19 08:44 - 2009-07-14 13:08 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2017-06-19 08:44 - 2009-07-14 11:20 - 00000000 ____D C:\Program Files\Common Files\System
2017-06-19 08:32 - 2016-05-24 19:18 - 00187320 _____ (Malwarebytes) C:\Windows\system32\Drivers\mbamchameleon.sys
2017-06-19 08:32 - 2016-05-24 19:18 - 00043968 _____ (Malwarebytes) C:\Windows\system32\Drivers\mbam.sys
2017-06-19 08:32 - 2015-02-15 14:33 - 00115488 _____ C:\Users\user\AppData\Local\GDIPFONTCACHEV1.DAT
2017-06-19 07:54 - 2017-05-17 21:25 - 00000000 ____D C:\Program Files\CCleaner
2017-06-19 07:49 - 2015-02-16 10:21 - 00000000 ____D C:\Windows\SysWOW64\vbox
2017-06-19 07:49 - 2015-02-15 14:39 - 00000000 ____D C:\Program Files (x86)\Mozilla Firefox
2017-06-19 07:49 - 2015-02-15 14:32 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Office
2017-06-19 07:48 - 2017-05-18 22:18 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\CCleaner
2017-06-19 07:48 - 2016-05-24 23:02 - 00000000 ____D C:\Windows\erdnt
2017-06-19 07:48 - 2016-05-24 19:18 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes Anti-Malware
2017-06-19 07:48 - 2016-04-15 22:48 - 00000000 ____D C:\Windows\SysWOW64\ivtMobCache
2017-06-19 07:48 - 2015-02-15 14:46 - 00000000 ____D C:\Windows\SysWOW64\Macromed
2017-06-19 07:48 - 2015-02-15 14:39 - 00000000 ____D C:\Program Files (x86)\Mozilla Maintenance Service
2017-06-19 07:48 - 2015-02-15 14:32 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\SharePoint
2017-06-19 07:48 - 2015-02-15 14:22 - 00000000 ____D C:\Windows\SysWOW64\NV
2017-06-19 07:48 - 2010-11-21 14:30 - 00000000 ____D C:\Windows\ShellNew
2017-06-19 07:48 - 2009-07-14 13:32 - 00000000 ____D C:\Program Files (x86)\MSBuild
2017-06-19 07:48 - 2009-07-14 11:20 - 00000000 ____D C:\Windows\system32\NDF
2017-06-19 07:48 - 2009-07-14 11:20 - 00000000 ____D C:\Windows\AppCompat
2017-06-19 07:48 - 2009-07-14 11:20 - 00000000 ____D C:\Program Files\Common Files\Microsoft Shared
2017-06-19 07:47 - 2016-05-24 20:01 - 00000000 ____D C:\AdwCleaner
2017-06-19 07:47 - 2016-05-24 19:18 - 00000000 ____D C:\Program Files (x86)\Malwarebytes Anti-Malware
2017-06-19 07:47 - 2010-11-21 14:30 - 00000000 ___RD C:\Users\Public\Recorded TV
2017-06-19 07:47 - 2009-07-14 11:20 - 00000000 ____D C:\Windows\registration
2017-06-19 07:45 - 2016-05-23 20:13 - 00000000 ____D C:\ProgramData\Malwarebytes
2017-06-19 07:06 - 2017-05-17 18:35 - 00000000 ____D C:\ProgramData\Malwarebytes' Anti-Malware (portable)
2017-06-18 20:38 - 2015-08-06 17:13 - 00000000 ____D C:\Program Files\Common Files\AV
2017-06-18 00:54 - 2016-10-31 09:42 - 00000000 ____D C:\Users\user\AppData\LocalLow\Mozilla
2017-05-26 15:53 - 2016-02-10 00:09 - 00001837 _____ C:\Windows\SysWOW64\REMOTEDEVICE.INI
2017-05-23 10:00 - 2017-05-17 19:25 - 00000000 ____D C:\Program Files (x86)\SMADAV
2017-05-22 13:36 - 2009-07-14 11:20 - 00000000 ____D C:\Windows\rescache
2017-05-22 08:03 - 2017-05-17 19:25 - 00000000 ____D C:\[Smad-Cage]
2017-05-22 07:49 - 2017-05-17 19:25 - 00000718 _____ C:\Users\Public\Desktop\SMADΔV.lnk
2017-05-22 07:49 - 2017-05-17 19:25 - 00000000 ____D C:\Users\user\AppData\Roaming\Smadav
 
==================== Files in the root of some directories =======
 
2015-02-15 14:14 - 2015-02-15 14:14 - 0000000 ____H () C:\ProgramData\DP45977C.lfl
 
==================== Bamital & volsnap ======================
 
(There is no automatic fix for files that do not pass verification.)
 
C:\Windows\system32\winlogon.exe => File is digitally signed
C:\Windows\system32\wininit.exe => File is digitally signed
C:\Windows\SysWOW64\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\system32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\system32\services.exe => File is digitally signed
C:\Windows\system32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\system32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\system32\rpcss.dll => File is digitally signed
C:\Windows\system32\dnsapi.dll => File is digitally signed
C:\Windows\SysWOW64\dnsapi.dll => File is digitally signed
C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed
 
LastRegBack: 2017-06-17 12:40
 
==================== End of FRST.txt ============================


#2 badd7

  • Topic Starter
  • Members
  • 4 posts
  • OFFLINE
  • Local time:10:00 PM

Posted 19 June 2017 - 02:03 AM

Can nobody help?



#3 nasdaq

  • Malware Response Team
  • 39,243 posts
  • ONLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:10:00 AM

Posted 19 June 2017 - 08:12 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

Submit this file to VirusTotal:
AppInit_DLLs-x32: C:\PROGRA~1\COMMON~1\System\symsrv.dll => C:\Program Files\Common Files\System\symsrv.dll [69337 2017-06-19] (Microsoft Corporation)

Follow the directives on this page.
https://www.virustotal.com/

Post the results for my review.
===

Press the Windows key + R on your keyboard at the same time. This will open the Run box.
Type Notepad and click OK.
Please copy the entire contents of the code box below to the new file.
 
start

CreateRestorePoint:
EmptyTemp:
CloseProcesses:

HKU\S-1-5-21-974777038-4268167425-1758523442-1000\...\Policies\Explorer: [DisallowRun] 1
HKU\S-1-5-21-974777038-4268167425-1758523442-1000\...\Policies\Explorer\DisallowRun: [1] Mshta.exe
HKU\S-1-5-21-974777038-4268167425-1758523442-1000\...\Policies\Explorer\DisallowRun: [2] powershell.exe
HKU\S-1-5-21-974777038-4268167425-1758523442-1000\...\Policies\Explorer\DisallowRun: [3] bitsadmin.exe
ShellIconOverlayIdentifiers: [00asw] -> {472083B0-C522-11CF-8763-00608CC02F24} =>  -> No File
ShellIconOverlayIdentifiers: [00avast] -> {472083B0-C522-11CF-8763-00608CC02F24} =>  -> No File
Winsock: Catalog5 08 C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WLIDNSP.DLL => No File
Winsock: Catalog5 09 C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WLIDNSP.DLL => No File
Winsock: Catalog5-x64 08 C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDNSP.DLL => No File
Winsock: Catalog5-x64 09 C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDNSP.DLL => No File
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
HKU\.DEFAULT\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
HKU\S-1-5-21-974777038-4268167425-1758523442-1000\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
FF Plugin: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin-x32: @microsoft.com/GENUINE -> disabled [No File]
CHR Extension: (Chrome Web Store Payments) - C:\Users\user\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2017-03-09]
CHR Extension: (Chrome Media Router) - C:\Users\user\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm [2017-05-15]
S3 VGPU; System32\drivers\rdvgkmd.sys [X]

cmd: netsh winsock reset catalog

End
Save the file as fixlist.txt in the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the Farbar log you have submitted.

Run FRST and click Fix only once and wait.
===

Your version of Java is outdated and needs to be updated to take advantage of fixes that have eliminated security vulnerabilities.

You can manually check your present version and update as recommended.
https://www.java.com/en/download/installed.jsp

Be careful not to install malware posing as a Java update!
Important: read this blog.
http://blog.trendmicro.com/trendlabs-security-intelligence/malware-poses-as-an-update-for-java-0-day-fix/

Quoted from the page:
"In light of the recent events surrounding Java, users must seriously consider their use of Java. Do they really need it? If yes, make sure that users follow the steps we recommended and get the security update directly from the official oracle website." at:
http://www.oracle.com/technetwork/java/javase/downloads/index.html

How to disable Java in your browsers
http://www.infoworld.com/t/web-browsers/how-disable-java-in-your-browsers-210882

If still present after the update you can remove the old versions of Java via the Control Panel > Programs > Programs and Features.
Java™ 7 (64-bit) (HKLM\...\{26A24AE4-039D-4CA4-87B4-2F86417000FF}) (Version: 7.0.0 - Oracle)
===

The tool will create a log (Fixlog.txt) please post it to your reply.
===


Let me know what problem persists.

#4 badd7

  • Topic Starter
  • Members
  • 4 posts
  • OFFLINE
  • Local time:10:00 PM

Posted 20 June 2017 - 02:31 AM

Hi Nasdaq

Thanks for replying. I have submitted symsrv.dll to virustotal.com and the result isn't good. Below is the link to the analysed file page.

 

https://www.virustotal.com/en/file/de055a89de246e629a8694bde18af2b1605e4b9b493c7e4aef669dd67acf5085/analysis/

 

I have also attached the fixlog.txt.

 

The symsrv.dll is still in the Common Files folder after I ran FRST Fix and rebooted.

 

Edited by badd7, 20 June 2017 - 03:27 AM.


#5 badd7

  • Topic Starter
  • Members
  • 4 posts
  • OFFLINE
  • Local time:10:00 PM

Posted 20 June 2017 - 02:41 AM

Old version of Java removed; the updated version has been installed.



#6 nasdaq

  • Malware Response Team
  • 39,243 posts
  • ONLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:10:00 AM

Posted 20 June 2017 - 09:40 AM



Let's find out if you have a good copy on the HD.

Please run the Farbar Recovery Scan Tool. Enter symsrv.dll in the Search Box and hit the File Search button.
Post the content of the Search.txt in your next reply.
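The two checks nasdaq asks for in posts #3 and #6 (hash the DLL named in the AppInit_DLLs value and look it up on VirusTotal, then find every copy of symsrv.dll on the disk and see which one is genuine) can be done in one read-only PowerShell script. The script below is an added example for readers of this thread; it is not part of the thread and is not FRST or Malwarebytes code. It assumes the standard AppInit_DLLs registry locations on 64-bit Windows, PowerShell 4 or later (for Get-FileHash) run from an elevated prompt, and takes only the file name symsrv.dll from the FRST log above. Note that the company name FRST prints in parentheses, "(Microsoft Corporation)" on the AppInit_DLLs-x32 line, is read from the file's own version resource, which any file can declare; the Authenticode check below is what separates a genuine Microsoft file from a look-alike.

```powershell
# Added example, not code from this thread or from FRST/Malwarebytes.
# Audits AppInit_DLLs persistence on 64-bit Windows, verifies any DLL it names,
# then lists every symsrv.dll on the system drive with its Authenticode status.
# Run from an elevated PowerShell (4+) prompt. Read-only: nothing is changed or deleted.

# Standard registry locations: the 64-bit view, then the 32-bit view FRST reports as "-x32"
$appInitKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows'
)

function Get-DllVerdict {
    param([string]$Path)
    # Windows resolves 8.3 short names such as C:\PROGRA~1\COMMON~1\System\symsrv.dll itself
    $item = Get-Item -LiteralPath $Path -ErrorAction SilentlyContinue
    if (-not $item) { return [pscustomobject]@{ Path = $Path; Exists = $false } }
    $sig = Get-AuthenticodeSignature -LiteralPath $item.FullName
    $signer = ''
    if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
    [pscustomobject]@{
        Path      = $item.FullName
        Exists    = $true
        Size      = $item.Length
        # CompanyName comes from the file's version resource: a claim, not proof of origin
        Company   = $item.VersionInfo.CompanyName
        # Authenticode status is what actually distinguishes a genuine Microsoft file
        SigStatus = $sig.Status
        Signer    = $signer
        # SHA-256 can be pasted into VirusTotal's search box instead of uploading the file
        Sha256    = (Get-FileHash -LiteralPath $item.FullName -Algorithm SHA256).Hash
    }
}

foreach ($key in $appInitKeys) {
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if (-not $props) { continue }
    Write-Host "`n$key"
    Write-Host "  LoadAppInit_DLLs=$($props.LoadAppInit_DLLs)  RequireSignedAppInit_DLLs=$($props.RequireSignedAppInit_DLLs)"
    $raw = [string]$props.AppInit_DLLs
    if ([string]::IsNullOrWhiteSpace($raw)) { Write-Host '  AppInit_DLLs is empty'; continue }
    # The value may list several DLLs separated by spaces or commas
    foreach ($entry in ($raw -split '[ ,]+' | Where-Object { $_ })) {
        $expanded = [System.Environment]::ExpandEnvironmentVariables($entry)
        Get-DllVerdict -Path $expanded | Format-List
    }
}

# Equivalent of FRST's File Search: every symsrv.dll on the system drive and whether it is genuinely signed
Write-Host "`nCopies of symsrv.dll on $env:SystemDrive"
Get-ChildItem -Path "$env:SystemDrive\" -Filter 'symsrv.dll' -Recurse -File -Force -ErrorAction SilentlyContinue |
    ForEach-Object { Get-DllVerdict -Path $_.FullName } |
    Format-Table Path, Size, SigStatus, Signer -AutoSize

# The FRST log above also shows Explorer DisallowRun entries for mshta.exe, powershell.exe and
# bitsadmin.exe under the user's hive (HKCU). List them so the reader can see what the fix removes.
$disallowRun = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun'
if (Test-Path -LiteralPath $disallowRun) {
    Write-Host "`nDisallowRun policy entries for the current user:"
    (Get-ItemProperty -LiteralPath $disallowRun).PSObject.Properties |
        Where-Object { $_.Name -match '^\d+$' } |
        ForEach-Object { Write-Host "  [$($_.Name)] $($_.Value)" }
}
```

On the machine in this thread the DisallowRun list includes powershell.exe, and Explorer enforces that policy for programs started through the shell, so the fixlist's removal of those entries has to come first; after that, a copy whose SigStatus is anything other than Valid with a Microsoft signer, sitting in Common Files\System rather than alongside a debugger installation, is the one to report back with its SHA-256.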

#7 nasdaq

  • Malware Response Team
  • 39,243 posts
  • ONLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:10:00 AM

Posted 26 June 2017 - 08:22 AM

Are you still with me?



