Multiple regsvr32.exe & Malwarebytes quarantined Rootkit.Fileless


6 replies to this topic

#1 ssmonty

Posted 24 June 2017 - 05:55 PM

I looked through many pages of virus descriptions and could not find a description for whatever I have if in fact it is a virus or malware.

I'm posting in this forum as jwoods301 suggested that I should post in this section after posting in the Windows 8.1 forum (Where to begin? regsvr32.exe multiple instances on resource monitor). He was concerned about the Malwarebytes quarantine of several files named Rootkit.Fileless.MTGen (registry Value, Registry Key, & 3 "files"). Perhaps you could refer to the aforementioned post instead of me typing it all over, especially since a lot may not be relevant and I can't type/spell well. Sorry for any inconvenience!

I ran the FRST program and pasted/attached the 2 reports. Thank you very much for any and all help.

ssmonty

 

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 24-06-2017 01
Ran by david (administrator) on LAPTOP (24-06-2017 17:20:24)
Running from C:\Users\david\Downloads
Loaded Profiles: david (Available Profiles: david & pat lambert & david t lambert)
Platform: Windows 8.1 (X64) Language: English (United States)
Internet Explorer Version 11 (Default browser: IE)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(AMD) C:\Windows\System32\atiesrxx.exe
(AMD) C:\Windows\System32\atieclxx.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RTKAUDIOSERVICE64.EXE
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe
(Microsoft Corporation) C:\Windows\System32\wlanext.exe
() C:\Program Files (x86)\Toshiba\Password Utility\GFNEXSrv.exe
(ABBYY) C:\Program Files (x86)\Common Files\ABBYY\FineReaderSprint\9.00\Licensing\NetworkLicenseServer.exe
(Apple Inc.) C:\Program Files\Bonjour\mDNSResponder.exe
(Microsoft Corporation) C:\Program Files\Microsoft Office 15\ClientX64\officeclicktorun.exe
(Microsoft Corporation) C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe
(Mentor Graphics Corporation) C:\Program Files\SolidWorks Corp\SolidWorks Flow Simulation\binCFW\remotesolverdispatcherservice.exe
(Mentor Graphics Corporation) C:\Program Files\SolidWorks Corp\SolidWorks Flow Simulation\binCFW\dispatcher.exe
(TOSHIBA Corporation) C:\Windows\System32\TODDSrv.exe
(Seiko Epson Corporation) C:\Windows\System32\escsvc64.exe
(Synaptics Incorporated) C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
(Synaptics Incorporated) C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
(Microsoft Corporation) C:\Windows\System32\SkyDrive.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
(SRS Labs, Inc.) C:\Program Files\SRS Labs\SRS Control Panel\SRSPanel_64.exe
(TOSHIBA Corporation) C:\Program Files\Toshiba\Teco\TecoResident.exe
(TOSHIBA Corporation) C:\Program Files (x86)\Toshiba\System Setting\TSleepSrv.exe
() C:\Windows\vsnpstd3.exe
(AppEx Networks Corporation) C:\Program Files\AMD Quick Stream\AMDQuickStream.exe
(ABBYY) C:\Program Files (x86)\ABBYY FineReader 9.0 Sprint\Bonus.ScreenshotReader.exe
(SEIKO EPSON CORPORATION) C:\Windows\System32\spool\drivers\x64\3\E_YATIJIE.EXE
(SEIKO EPSON CORPORATION) C:\Program Files (x86)\EPSON Software\Event Manager\EEventManager.exe
(Oracle Corporation) C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
(TOSHIBA Corporation) C:\Program Files\Toshiba\TPHM\TPCHSrv.exe
(TOSHIBA Corporation) C:\Program Files\Toshiba\TPHM\TPCHWMsg.exe
(Advanced Micro Devices Inc.) C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
(ATI Technologies Inc.) C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
(Microsoft Corporation) C:\Windows\SysWOW64\regsvr32.exe
(Microsoft Corporation) C:\Windows\SysWOW64\regsvr32.exe
(Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe
(Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe
(Adobe Systems Incorporated) C:\Windows\System32\Macromed\Flash\FlashUtil_ActiveX.exe
(Microsoft Corporation) C:\Windows\SysWOW64\regsvr32.exe
(Microsoft Corporation) C:\Windows\SysWOW64\regsvr32.exe
(Microsoft Corporation) C:\Windows\SysWOW64\regsvr32.exe
(Farbar) C:\Users\david\Downloads\FRST64 (6).exe

==================== Registry (Whitelisted) ====================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [RtHDVCpl] => C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe [13261456 2012-12-10] (Realtek Semiconductor)
HKLM\...\Run: [SRS Premium Sound HD] => C:\Program Files\SRS Labs\SRS Control Panel\SRSPanel_64.exe [2170784 2012-07-27] (SRS Labs, Inc.)
HKLM\...\Run: [TecoResident] => C:\Program Files\TOSHIBA\Teco\TecoResident.exe [178016 2013-08-21] (TOSHIBA Corporation)
HKLM\...\Run: [TosWaitSrv] => C:\Program Files\TOSHIBA\TPHM\TosWaitSrv.exe [356776 2012-07-11] (TOSHIBA Corporation)
HKLM\...\Run: [TSleepSrv] => C:\Program Files (x86)\TOSHIBA\System Setting\TSleepSrv.exe [1548952 2012-08-04] (TOSHIBA Corporation)
HKLM\...\Run: [TODDMain] => C:\Program Files (x86)\TOSHIBA\System Setting\TODDMain.exe [213136 2012-08-04] ()
HKLM\...\Run: [SynTPEnh] => C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [2916152 2012-08-14] (Synaptics Incorporated)
HKLM\...\Run: [snpstd3] => C:\WINDOWS\vsnpstd3.exe [827392 2006-09-19] ()
HKLM\...\Run: [TCrdMain] => C:\Program Files\TOSHIBA\Hotkey\TCrdMain_Win8.exe [2556768 2013-08-17] (TOSHIBA Corporation)
HKLM\...\Run: [Malwarebytes TrayApp] => C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\mbamtray.exe [3146704 2017-05-09] (Malwarebytes)
HKLM-x32\...\Run: [ToshibaAppPlace] => C:\Program Files (x86)\Toshiba\Toshiba App Place\ToshibaAppPlace.exe [552960 2010-09-23] (Toshiba)
HKLM-x32\...\Run: [TPUReg] => C:\Program Files (x86)\TOSHIBA\Password Utility\Reg.exe [2085376 2012-07-09] (TODO: <公司名稱>)
HKLM-x32\...\Run: [StartCCC] => C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\amd64\CLIStart.exe [766208 2013-08-19] (Advanced Micro Devices, Inc.)
HKLM-x32\...\Run: [EEventManager] => C:\Program Files (x86)\Epson Software\Event Manager\EEventManager.exe [1058400 2012-01-26] (SEIKO EPSON CORPORATION)
HKLM-x32\...\Run: [FUFAXRCV] => C:\Program Files (x86)\Epson Software\FAX Utility\FUFAXRCV.exe [502952 2012-07-09] (SEIKO EPSON CORPORATION)
HKLM-x32\...\Run: [FUFAXSTM] => C:\Program Files (x86)\Epson Software\FAX Utility\FUFAXSTM.exe [863400 2012-07-09] (SEIKO EPSON CORPORATION)
HKLM-x32\...\Run: [SunJavaUpdateSched] => C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe [587288 2017-03-15] (Oracle Corporation)
HKU\S-1-5-21-2034780167-4048909107-1795805668-1001\...\Run: [AppEx Accelerator UI] => C:\Program Files\AMD Quick Stream\AMDQuickStream.exe [429792 2013-04-11] (AppEx Networks Corporation)
HKU\S-1-5-21-2034780167-4048909107-1795805668-1001\...\Run: [ABBYY Screenshot Reader Bonus] => C:\Program Files (x86)\ABBYY FineReader 9.0 Sprint\Bonus.ScreenshotReader.exe [939272 2009-11-25] (ABBYY)
HKU\S-1-5-21-2034780167-4048909107-1795805668-1001\...\Run: [EPLTarget\P0000000000000000] => C:\WINDOWS\system32\spool\DRIVERS\x64\3\E_YATIJIE.EXE [283232 2015-01-19] (SEIKO EPSON CORPORATION)
HKU\S-1-5-21-2034780167-4048909107-1795805668-1001\...\MountPoints2: {9c1e88d3-d172-11e3-bf2c-7054d25fe68d} - "D:\LaunchU3.exe" -a
ShellIconOverlayIdentifiers: [ SkyDrivePro1 (ErrorConflict)] -> {8BA85C75-763B-4103-94EB-9470F12FE0F7} => C:\Program Files\Microsoft Office 15\root\Office15\GROOVEEX.DLL [2017-03-14] (Microsoft Corporation)
ShellIconOverlayIdentifiers: [ SkyDrivePro2 (SyncInProgress)] -> {CD55129A-B1A1-438E-A425-CEBC7DC684EE} => C:\Program Files\Microsoft Office 15\root\Office15\GROOVEEX.DLL [2017-03-14] (Microsoft Corporation)
ShellIconOverlayIdentifiers: [ SkyDrivePro3 (InSync)] -> {E768CD3B-BDDC-436D-9C13-E1B39CA257B1} => C:\Program Files\Microsoft Office 15\root\Office15\GROOVEEX.DLL [2017-03-14] (Microsoft Corporation)
Startup: C:\Users\david\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cdafc9c6.lnk [2017-06-20]
ShortcutTarget: cdafc9c6.lnk -> C:\Users\david\AppData\Local\5743ad9a\c188473d.ce1b165d0 ()
Startup: C:\Users\david\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Send to OneNote.lnk [2017-06-21]
ShortcutTarget: Send to OneNote.lnk -> C:\Program Files\Microsoft Office 15\root\office15\onenotem.exe (Microsoft Corporation)

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

Tcpip\Parameters: [DhcpNameServer] 75.75.75.75 75.75.76.76
Tcpip\..\Interfaces\{59565FC0-141F-47BA-9101-B8DCB59B76D8}: [DhcpNameServer] 172.26.0.25
Tcpip\..\Interfaces\{EC2822C6-CDF7-40F5-B948-677C6AE97564}: [DhcpNameServer] 75.75.75.75 75.75.76.76

Internet Explorer:
==================
HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://toshiba13.msn.com
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://toshiba13.msn.com
HKU\S-1-5-21-2034780167-4048909107-1795805668-1001\Software\Microsoft\Internet Explorer\Main,Start Page = hxxps://www.google.com/
SearchScopes: HKU\S-1-5-21-2034780167-4048909107-1795805668-1001 -> DefaultScope {56B5C110-BA00-4CF7-9C45-885E089047E3} URL = hxxp://www.bing.com/search?FORM=U162ID&PC=U162I&q={searchTerms}&src=IE-SearchBox
SearchScopes: HKU\S-1-5-21-2034780167-4048909107-1795805668-1001 -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-21-2034780167-4048909107-1795805668-1001 -> {56B5C110-BA00-4CF7-9C45-885E089047E3} URL = hxxp://www.bing.com/search?FORM=U162ID&PC=U162I&q={searchTerms}&src=IE-SearchBox
SearchScopes: HKU\S-1-5-21-2034780167-4048909107-1795805668-1001 -> {85FCD469-49A1-434F-9117-7E6F363DFF0E} URL =
BHO: Skype for Business Browser Helper -> {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} -> C:\Program Files\Microsoft Office 15\root\Office15\OCHelper.dll [2017-04-11] (Microsoft Corporation)
BHO: Microsoft SkyDrive Pro Browser Helper -> {D0498E0A-45B7-42AE-A9AA-ABA463DBD3BF} -> C:\Program Files\Microsoft Office 15\root\Office15\GROOVEEX.DLL [2017-03-14] (Microsoft Corporation)
BHO-x32: Adobe PDF Link Helper -> {18DF081C-E8AD-4283-A596-FA578C2EBDC3} -> C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll [2012-04-04] (Adobe Systems Incorporated)
BHO-x32: Skype for Business Browser Helper -> {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} -> C:\Program Files\Microsoft Office 15\root\VFS\ProgramFilesX86\Microsoft Office\Office15\OCHelper.dll [2017-04-11] (Microsoft Corporation)
BHO-x32: Java™ Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files (x86)\Java\jre1.8.0_131\bin\ssv.dll [2017-05-11] (Oracle Corporation)
BHO-x32: Microsoft SkyDrive Pro Browser Helper -> {D0498E0A-45B7-42AE-A9AA-ABA463DBD3BF} -> C:\Program Files\Microsoft Office 15\root\VFS\ProgramFilesX86\Microsoft Office\Office15\GROOVEEX.DLL [2017-03-14] (Microsoft Corporation)
BHO-x32: Java™ Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files (x86)\Java\jre1.8.0_131\bin\jp2ssv.dll [2017-05-11] (Oracle Corporation)
Toolbar: HKLM-x32 - No Name - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} -  No File
Handler: osf - {D924BDC6-C83A-4BD5-90D0-095128A113D1} - C:\Program Files\Microsoft Office 15\root\Office15\MSOSB.DLL [2016-04-19] (Microsoft Corporation)
Handler-x32: osf - {D924BDC6-C83A-4BD5-90D0-095128A113D1} - C:\Program Files\Microsoft Office 15\root\VFS\ProgramFilesX86\Microsoft Office\Office15\MSOSB.DLL [2016-04-19] (Microsoft Corporation)

FireFox:
========
FF Plugin: @microsoft.com/SharePoint,version=14.0 -> C:\Program Files\Microsoft Office 15\root\Office15\NPSPWRAP.DLL [2014-12-03] (Microsoft Corporation)
FF Plugin-x32: @java.com/DTPlugin,version=11.131.2 -> C:\Program Files (x86)\Java\jre1.8.0_131\bin\dtplugin\npDeployJava1.dll [2017-05-11] (Oracle Corporation)
FF Plugin-x32: @java.com/JavaPlugin,version=11.131.2 -> C:\Program Files (x86)\Java\jre1.8.0_131\bin\plugin2\npjp2.dll [2017-05-11] (Oracle Corporation)
FF Plugin-x32: @microsoft.com/Lync,version=15.0 -> C:\Program Files\Microsoft Office 15\root\VFS\ProgramFilesX86\Mozilla Firefox\plugins\npmeetingjoinpluginoc.dll [2016-07-12] (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/SharePoint,version=14.0 -> C:\Program Files\Microsoft Office 15\root\VFS\ProgramFilesX86\Microsoft Office\Office15\NPSPWRAP.DLL [2014-12-03] (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/WLPG,version=16.4.3503.0728 -> C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll [2012-07-28] (Microsoft Corporation)
FF Plugin-x32: Adobe Reader -> C:\Program Files (x86)\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll [2012-04-04] (Adobe Systems Inc.)

Chrome:
=======
CHR HKLM-x32\...\Chrome\Extension: [nppllibpnmahfaklnpggkibhkapjkeob] -  <not found>

==================== Services (Whitelisted) ====================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R2 ABBYY.Licensing.FineReader.Sprint.9.0; C:\Program Files (x86)\Common Files\ABBYY\FineReaderSprint\9.00\Licensing\NetworkLicenseServer.exe [759048 2009-05-14] (ABBYY)
R2 ClickToRunSvc; C:\Program Files\Microsoft Office 15\ClientX64\OfficeClickToRun.exe [3042544 2017-03-14] (Microsoft Corporation)
R2 EpsonScanSvc; C:\WINDOWS\system32\EscSvc64.exe [135824 2011-12-12] (Seiko Epson Corporation)
R2 GFNEXSrv; C:\Program Files (x86)\Toshiba\Password Utility\GFNEXSrv.exe [156672 2011-10-13] () [File not signed]
S2 MBAMService; C:\Program Files\Malwarebytes\Anti-Malware\mbamservice.exe [4470736 2017-05-09] (Malwarebytes)
R2 RemoteSolverDispatcher; C:\Program Files\SolidWorks Corp\SolidWorks Flow Simulation\binCFW\remotesolverdispatcherservice.exe [218248 2013-02-22] (Mentor Graphics Corporation) [File not signed]
R2 RtkAudioService; C:\Program Files\Realtek\Audio\HDA\RtkAudioService64.exe [201872 2012-12-10] (Realtek Semiconductor)
S3 SolidWorks Licensing Service; C:\Program Files (x86)\Common Files\SolidWorks Shared\Service\SolidWorksLicensing.exe [79360 2013-06-20] (SolidWorks) [File not signed]
S3 WdNisSvc; C:\Program Files\Windows Defender\NisSrv.exe [348392 2013-10-30] (Microsoft Corporation)
S3 WinDefend; C:\Program Files\Windows Defender\MsMpEng.exe [23824 2013-10-30] (Microsoft Corporation)

===================== Drivers (Whitelisted) ======================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R2 APXACC; C:\WINDOWS\system32\DRIVERS\appexDrv.sys [219360 2013-04-18] (AppEx Networks Corporation)
R3 AtiHDAudioService; C:\WINDOWS\system32\drivers\AtihdWB6.sys [138240 2013-06-22] (Advanced Micro Devices)
R2 PEGAGFN; C:\Program Files (x86)\Toshiba\Password Utility\PEGAGFN.sys [14344 2009-09-11] (PEGATRON)
R3 RTWlanE; C:\WINDOWS\system32\DRIVERS\rtwlane.sys [2946264 2013-10-21] (Realtek Semiconductor Corporation                           )
S3 SNPSTD3; C:\WINDOWS\system32\DRIVERS\snpstd3.sys [10550272 2007-03-27] (Sonix Co. Ltd.)
S3 SNPSTD3; C:\Windows\SysWOW64\DRIVERS\snpstd3.sys [10246400 2007-05-17] (Sonix Co. Ltd.) [File not signed]
R3 Thotkey; C:\WINDOWS\System32\drivers\Thotkey.sys [32624 2013-08-19] (Windows ® Win 7 DDK provider)
S3 WdBoot; C:\WINDOWS\system32\drivers\WdBoot.sys [35856 2013-10-30] (Microsoft Corporation)
S3 WdFilter; C:\WINDOWS\system32\drivers\WdFilter.sys [236888 2013-10-30] (Microsoft Corporation)
S3 WdNisDrv; C:\WINDOWS\System32\Drivers\WdNisDrv.sys [124760 2013-10-30] (Microsoft Corporation)

==================== NetSvcs (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

==================== One Month Created files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2017-06-24 17:20 - 2017-06-24 17:20 - 00015344 _____ C:\Users\david\Downloads\FRST.txt
2017-06-24 17:19 - 2017-06-24 17:19 - 02440704 _____ (Farbar) C:\Users\david\Downloads\FRST64 (6).exe
2017-06-24 17:15 - 2017-06-24 17:15 - 02440704 _____ (Farbar) C:\Users\david\Downloads\FRST64 (5).exe
2017-06-24 17:13 - 2017-06-24 17:13 - 01779712 _____ (Farbar) C:\Users\david\Downloads\FRST (1).exe
2017-06-24 17:04 - 2017-06-24 17:04 - 02440704 _____ (Farbar) C:\Users\david\Downloads\FRST64 (4).exe
2017-06-24 17:00 - 2017-06-24 17:00 - 02440704 _____ (Farbar) C:\Users\david\Downloads\FRST64 (3).exe
2017-06-24 16:59 - 2017-06-24 16:59 - 02440704 _____ (Farbar) C:\Users\david\Downloads\FRST64 (2).exe
2017-06-24 16:58 - 2017-06-24 17:20 - 00000000 ____D C:\FRST
2017-06-24 16:58 - 2017-06-24 16:58 - 02440704 _____ (Farbar) C:\Users\david\Downloads\FRST64 (1).exe
2017-06-24 16:57 - 2017-06-24 16:57 - 01779712 _____ (Farbar) C:\Users\david\Downloads\FRST.exe
2017-06-24 16:51 - 2017-06-24 16:51 - 02440704 _____ (Farbar) C:\Users\david\Downloads\FRST64.exe
2017-06-24 11:29 - 2017-06-24 11:39 - 00000000 ____D C:\AVG_Remover
2017-06-23 16:12 - 2017-06-23 16:12 - 00000000 ____D C:\Users\david\New folder (2)
2017-06-23 16:11 - 2017-06-23 16:16 - 00000000 ____D C:\Users\david\New folder
2017-06-20 08:20 - 2017-06-24 13:47 - 00093600 _____ (Malwarebytes) C:\WINDOWS\system32\Drivers\mwac.sys
2017-06-20 08:20 - 2017-06-24 11:42 - 00252832 _____ (Malwarebytes) C:\WINDOWS\system32\Drivers\MBAMSwissArmy.sys
2017-06-20 08:20 - 2017-06-24 11:42 - 00113592 _____ (Malwarebytes) C:\WINDOWS\system32\Drivers\farflt.sys
2017-06-20 08:20 - 2017-06-24 11:42 - 00044960 _____ (Malwarebytes) C:\WINDOWS\system32\Drivers\mbam.sys
2017-06-20 08:20 - 2017-06-24 11:37 - 00188312 _____ (Malwarebytes) C:\WINDOWS\system32\Drivers\MBAMChameleon.sys
2017-06-20 08:20 - 2017-06-24 10:02 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes
2017-06-20 08:20 - 2017-06-20 08:20 - 00001894 _____ C:\Users\Public\Desktop\Malwarebytes.lnk
2017-06-20 08:20 - 2017-06-20 08:20 - 00000000 ____D C:\Program Files\Malwarebytes
2017-06-20 08:20 - 2017-05-25 11:58 - 00077376 _____ C:\WINDOWS\system32\Drivers\mbae64.sys
2017-06-19 19:33 - 2014-04-15 18:35 - 00028352 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\aspnet_counters.dll
2017-06-19 19:33 - 2014-04-15 18:34 - 00029888 _____ (Microsoft Corporation) C:\WINDOWS\system32\aspnet_counters.dll
2017-06-19 18:36 - 2017-06-19 18:36 - 00950784 _____ C:\Users\david\Downloads\60645K331_STEEL BALL JOINT ROD END.SLDPRT
2017-06-19 18:34 - 2017-06-19 18:34 - 00953856 _____ C:\Users\david\Downloads\60645K321_STEEL BALL JOINT ROD END.SLDPRT
2017-06-19 18:01 - 2014-10-30 17:37 - 00129536 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\poqexec.exe
2017-06-19 18:01 - 2014-10-30 17:34 - 00146432 _____ (Microsoft Corporation) C:\WINDOWS\system32\poqexec.exe
2017-06-18 14:40 - 2017-06-24 10:02 - 00000000 ____D C:\Users\david\AppData\Local\67df8ed3f5
2017-06-18 14:09 - 2017-06-20 08:28 - 00000000 ____D C:\Users\david\AppData\Local\5743ad9a

==================== One Month Modified files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2017-06-24 17:03 - 2014-05-21 14:40 - 00007643 _____ C:\Users\david\AppData\Local\resmon.resmoncfg
2017-06-24 13:43 - 2012-07-26 02:59 - 00000000 ____D C:\WINDOWS\CbsTemp
2017-06-24 11:42 - 2014-02-27 20:04 - 00000000 __RDO C:\Users\david\SkyDrive (2)
2017-06-24 11:42 - 2013-08-22 09:45 - 00000006 ____H C:\WINDOWS\Tasks\SA.DAT
2017-06-24 11:41 - 2013-08-22 08:25 - 00786432 ___SH C:\WINDOWS\system32\config\BBI
2017-06-24 11:38 - 2014-11-18 10:28 - 00000000 ____D C:\Users\david\AppData\Local\Avg
2017-06-24 11:28 - 2013-04-04 06:02 - 00000000 ____D C:\Users\david\AppData\Local\CrashDumps
2017-06-24 10:02 - 2013-08-22 10:36 - 00000000 ____D C:\Program Files\Windows Defender
2017-06-24 10:02 - 2013-06-20 13:49 - 00000000 ____D C:\ProgramData\FLEXnet
2017-06-24 10:01 - 2013-08-22 10:36 - 00000000 __RSD C:\WINDOWS\Media
2017-06-24 10:01 - 2013-08-22 10:36 - 00000000 ____D C:\WINDOWS\MediaViewer
2017-06-24 10:01 - 2013-08-22 10:36 - 00000000 ____D C:\WINDOWS\FileManager
2017-06-24 10:01 - 2013-08-22 10:36 - 00000000 ____D C:\WINDOWS\Camera
2017-06-24 10:00 - 2013-08-22 10:36 - 00000000 ____D C:\WINDOWS\WinStore
2017-06-24 10:00 - 2013-08-22 10:36 - 00000000 ____D C:\WINDOWS\system32\SystemResetPlatform
2017-06-24 10:00 - 2013-08-22 10:36 - 00000000 ____D C:\WINDOWS\system32\SecureBootUpdates
2017-06-24 10:00 - 2013-08-22 10:36 - 00000000 ____D C:\WINDOWS\system32\migwiz
2017-06-24 10:00 - 2013-08-22 08:36 - 00000000 ____D C:\WINDOWS\SysWOW64\Dism
2017-06-24 10:00 - 2013-08-22 08:36 - 00000000 ____D C:\WINDOWS\system32\Sysprep
2017-06-24 10:00 - 2013-08-22 08:36 - 00000000 ____D C:\WINDOWS\system32\oobe
2017-06-24 10:00 - 2013-08-22 08:36 - 00000000 ____D C:\WINDOWS\system32\Dism
2017-06-24 09:35 - 2013-08-22 10:36 - 00000000 ____D C:\WINDOWS\registration
2017-06-24 09:03 - 2013-09-29 23:04 - 00799036 _____ C:\WINDOWS\system32\PerfStringBackup.INI
2017-06-24 09:03 - 2013-08-22 08:36 - 00000000 ____D C:\WINDOWS\Inf
2017-06-23 16:12 - 2013-11-13 09:02 - 00000000 ____D C:\Users\david
2017-06-23 13:04 - 2013-06-20 12:33 - 00000000 ____D C:\Users\david\AppData\Roaming\SolidWorks
2017-06-23 09:39 - 2017-03-24 16:48 - 00000000 ____D C:\Users\david\AppData\Local\Wings of Prey
2017-06-23 09:30 - 2013-06-20 13:50 - 00000000 ____D C:\Users\david\AppData\Local\TempSWBackupDirectory
2017-06-23 08:12 - 2013-08-22 10:36 - 00000000 ____D C:\WINDOWS\AppReadiness
2017-06-20 08:31 - 2013-03-02 12:01 - 00003600 _____ C:\WINDOWS\System32\Tasks\Optimize Start Menu Cache Files-S-1-5-21-2034780167-4048909107-1795805668-1001
2017-06-20 08:20 - 2014-12-03 13:46 - 00000000 ____D C:\ProgramData\Malwarebytes
2017-06-20 06:54 - 2013-08-22 10:36 - 00000000 ____D C:\ProgramData\regid.1991-06.com.microsoft
2017-06-20 06:51 - 2014-12-03 14:19 - 00000000 ____D C:\Program Files\Microsoft Office 15
2017-06-19 16:18 - 2014-02-25 15:30 - 00000000 ____D C:\Users\david\Documents\ONLINE
2017-06-18 15:58 - 2015-01-18 20:45 - 00000000 ____D C:\temp
2017-06-17 18:48 - 2013-11-14 15:30 - 00000000 ____D C:\Users\david\AppData\Local\ElevatedDiagnostics
2017-06-16 07:52 - 2013-08-22 10:36 - 00000000 ___HD C:\Program Files\WindowsApps
2017-06-14 08:17 - 2013-08-16 19:00 - 00000000 ____D C:\WINDOWS\system32\MRT
2017-06-14 08:13 - 2013-03-03 14:17 - 133627792 ____C (Microsoft Corporation) C:\WINDOWS\system32\MRT.exe
2017-06-07 17:55 - 2017-03-16 13:34 - 00000000 ____D C:\Users\david\AppData\Local\WarThunder
2017-06-07 07:42 - 2017-03-16 18:54 - 00000000 ____D C:\WINDOWS\Minidump
2017-06-07 07:41 - 2013-09-15 07:00 - 702306831 _____ C:\WINDOWS\MEMORY.DMP
2017-05-30 15:45 - 2016-09-18 19:15 - 00565416 ____N (Microsoft Corporation) C:\WINDOWS\system32\MpSigStub.exe

==================== Files in the root of some directories =======

2013-05-20 14:08 - 2013-05-20 14:08 - 0003584 _____ () C:\Users\david\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
2014-05-21 14:40 - 2017-06-24 17:03 - 0007643 _____ () C:\Users\david\AppData\Local\resmon.resmoncfg
2014-02-08 08:50 - 2015-01-16 15:43 - 0000000 _____ () C:\Users\david\AppData\Local\Temptable.xml

Some files in TEMP:
====================
2013-11-22 08:45 - 2010-09-17 02:48 - 0456664 ____R (Macrovision Corporation) C:\Users\david\AppData\Local\Temp\_is12F5.exe

==================== Bamital & volsnap ======================

(There is no automatic fix for files that do not pass verification.)

C:\WINDOWS\system32\winlogon.exe => File is digitally signed
C:\WINDOWS\system32\wininit.exe => File is digitally signed
C:\WINDOWS\explorer.exe => File is digitally signed
C:\WINDOWS\SysWOW64\explorer.exe => File is digitally signed
C:\WINDOWS\system32\svchost.exe => File is digitally signed
C:\WINDOWS\SysWOW64\svchost.exe => File is digitally signed
C:\WINDOWS\system32\services.exe => File is digitally signed
C:\WINDOWS\system32\User32.dll => File is digitally signed
C:\WINDOWS\SysWOW64\User32.dll => File is digitally signed
C:\WINDOWS\system32\userinit.exe => File is digitally signed
C:\WINDOWS\SysWOW64\userinit.exe => File is digitally signed
C:\WINDOWS\system32\rpcss.dll => File is digitally signed
C:\WINDOWS\system32\dnsapi.dll => File is digitally signed
C:\WINDOWS\SysWOW64\dnsapi.dll => File is digitally signed
C:\WINDOWS\system32\Drivers\volsnap.sys => File is digitally signed

LastRegBack: 2017-06-24 10:22

==================== End of FRST.txt ============================

Edited by ssmonty, 24 June 2017 - 05:56 PM.



#2 nasdaq (Malware Response Team)

Posted 25 June 2017 - 09:15 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===


Press the Windows key + R on your keyboard at the same time. This will open the Run box.
Type Notepad and click OK.

Please copy the entire contents of the code box below to a new file.


Start

CreateRestorePoint:
EmptyTemp:
CloseProcesses:

Startup: C:\Users\david\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cdafc9c6.lnk [2017-06-20]
ShortcutTarget: cdafc9c6.lnk -> C:\Users\david\AppData\Local\5743ad9a\c188473d.ce1b165d0 ()
Toolbar: HKLM-x32 - No Name - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} -  No File
CHR HKLM-x32\...\Chrome\Extension: [nppllibpnmahfaklnpggkibhkapjkeob] -  <not found>
C:\Users\david\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cdafc9c6.lnk

End
Save the file as fixlist.txt in the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the Farbar log you have submitted.

Run FRST and click Fix only once and wait.

The tool will create a log (Fixlog.txt) please post it to your reply.

Please let me know what problem persists with this computer.
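
Triage of the two indicators this thread turns on, as an added example (not code from the thread, from FRST or from Malwarebytes): it parses FRST "Processes" and "ShortcutTarget" lines, using sample lines copied from the log posted above, and flags a Startup shortcut whose target is an unsigned, hex-named file under AppData, plus an unusual number of live regsvr32.exe processes. The thresholds and name heuristics are this example's own assumptions.

```python
"""Triage helper for the two indicators raised in this thread, written for this
page as an illustration (it is not FRST, Malwarebytes or BleepingComputer code).

It reads FRST-style log lines and reports:
  1. a Startup .lnk whose ShortcutTarget is an unsigned, hex-named file under
     a user-writable profile directory (the cdafc9c6.lnk entry in the log);
  2. an unusual number of regsvr32.exe processes alive at scan time.
All thresholds and name heuristics are assumptions of this example."""
import re
from collections import Counter

# Sample input: a constructed subset of lines copied from the FRST.txt posted above.
SAMPLE_FRST = r"""
(Microsoft Corporation) C:\Windows\SysWOW64\regsvr32.exe
(Microsoft Corporation) C:\Windows\SysWOW64\regsvr32.exe
(Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe
(Adobe Systems Incorporated) C:\Windows\System32\Macromed\Flash\FlashUtil_ActiveX.exe
(Microsoft Corporation) C:\Windows\SysWOW64\regsvr32.exe
(Microsoft Corporation) C:\Windows\SysWOW64\regsvr32.exe
(Microsoft Corporation) C:\Windows\SysWOW64\regsvr32.exe
() C:\Windows\vsnpstd3.exe
Startup: C:\Users\david\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cdafc9c6.lnk [2017-06-20]
ShortcutTarget: cdafc9c6.lnk -> C:\Users\david\AppData\Local\5743ad9a\c188473d.ce1b165d0 ()
Startup: C:\Users\david\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Send to OneNote.lnk [2017-06-21]
ShortcutTarget: Send to OneNote.lnk -> C:\Program Files\Microsoft Office 15\root\office15\onenotem.exe (Microsoft Corporation)
"""

# "(Publisher) C:\path\image.exe" lines from the Processes section.
PROCESS_RE = re.compile(r"^\((?P<vendor>[^()]*)\) (?P<path>[A-Za-z]:\\.+?)\s*$")
# "ShortcutTarget: name.lnk -> C:\path\target (Publisher)" lines.
SHORTCUT_RE = re.compile(
    r"^ShortcutTarget: (?P<lnk>.+?\.lnk) -> (?P<target>.+?) \((?P<vendor>[^()]*)\)\s*$")

USER_WRITABLE_DIRS = ("\\appdata\\local\\", "\\appdata\\roaming\\",
                      "\\programdata\\", "\\users\\public\\")
EXECUTABLE_EXTS = {".exe", ".com", ".bat", ".cmd", ".scr", ".pif",
                   ".vbs", ".js", ".ps1", ".msi", ".dll"}
HEXISH = re.compile(r"^[0-9a-f]{6,}$")   # names like 5743ad9a / c188473d


def startup_target_reasons(target, vendor):
    """Return the heuristic reasons a Startup shortcut target looks suspicious."""
    reasons = []
    lower = target.lower()
    if not vendor.strip():
        reasons.append("no publisher in the target's version info")
    if any(d in lower for d in USER_WRITABLE_DIRS):
        reasons.append("target lives in a user-writable profile directory")
    parts = lower.split("\\")
    name, parent = parts[-1], (parts[-2] if len(parts) > 1 else "")
    stem, dot, ext = name.rpartition(".")
    if not dot:
        stem, ext = name, ""
    if "." + ext not in EXECUTABLE_EXTS:
        reasons.append("unfamiliar extension " + ("." + ext if ext else "(none)"))
    if HEXISH.match(stem) or HEXISH.match(parent):
        reasons.append("random-looking hexadecimal file or folder name")
    return reasons


def process_basename_counts(frst_text):
    """Count processes from the Processes section by image file name."""
    counts = Counter()
    for line in frst_text.splitlines():
        m = PROCESS_RE.match(line)
        if m:
            counts[m.group("path").lower().rsplit("\\", 1)[-1]] += 1
    return counts


def triage(frst_text, regsvr32_threshold=3, min_reasons=2):
    """Return a list of finding dicts for the given FRST log text."""
    findings = []
    for line in frst_text.splitlines():
        m = SHORTCUT_RE.match(line)
        if not m:
            continue
        reasons = startup_target_reasons(m.group("target"), m.group("vendor"))
        if len(reasons) >= min_reasons:   # assumed threshold for this example
            findings.append({"kind": "startup-shortcut", "lnk": m.group("lnk"),
                             "target": m.group("target"), "reasons": reasons})
    n = process_basename_counts(frst_text).get("regsvr32.exe", 0)
    if n >= regsvr32_threshold:   # assumed threshold for this example
        findings.append({"kind": "regsvr32-count", "count": n, "reasons": [
            f"{n} regsvr32.exe processes alive at scan time; regsvr32 normally "
            "exits as soon as it has registered a DLL"]})
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_FRST):
        print(finding["kind"], finding.get("lnk", finding.get("count")))
        for reason in finding["reasons"]:
            print("   -", reason)
```

Run against the full FRST.txt instead of SAMPLE_FRST and the same two findings come out; the Send to OneNote.lnk entry produces no reasons and is left alone.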

#3 ssmonty (Topic Starter)

Posted 25 June 2017 - 07:47 PM

I should have mentioned before I posted that the link to FRST download did not work anything like the description. I could not save it to the location I wanted. When I selected "save" it responded with a window to "run" while I was still on this website instead of me being able to download it and install it from my download directory. Perhaps I misunderstood the instructions (most likely). When I opened my download folder it appears that I downloaded the prog. six times. Anyway I ran it from the website and it created the file requested.

Today when I turned on the pc it spent a long time upgrading windows. Afterward it was very flaky, and more than half of my desktop icons were gone? Never did that before. I tried to follow your instructions for the FRST fix, but I could not get the program to run from any of the downloaded files. Tried all six multiple times. So I thought I would do what I did yesterday from the site. However every time I tried to open the link to the FRST download, the website would not open and sometimes explorer would close by itself???

I tried again just a few minutes ago to open in a new tab and got a reply "website restore error". I'll try again tomorrow afternoon. I don't know if it's because of the way my pc is acting or the website is down?

ssmonty 


Edited by ssmonty, 25 June 2017 - 07:51 PM.


#4 nasdaq (Malware Response Team)

Posted 26 June 2017 - 08:06 AM



I should have mentioned before I posted that the link to FRST download did not work anything like the description. I could not save it to the location I wanted. When I selected "save" it responded with a window to "run" while I was still on this website instead of me being able to download it and install it from my download directory.


I suspect that you downloaded a compromised copy of AdwCleaner.
This is the site we suggest and I use it often.

Please download AdwCleaner by Xplode onto your Desktop.


Where did you download the file from?

If the Microsoft updates failed then I suggest you restore your system prior to the updates.

Then download the AdwCleaner from the link above and run it. Post both logs for my review.

#5 ssmonty (Topic Starter)

Posted 27 June 2017 - 04:02 PM

 

I didn't run the "AdwCleaner". I ran the FRST program per instructions at the beginning of this forum.

I got the link from this site at the beginning of this forum "Preparation Guide For Use Before Using Malware Removal Tools and Requesting Help" item number 6. The last few days when I click on the link I get a message "website error". I deleted the copy I had and can't get another?

I don't know if you read my original post on the Windows 8.1 forum where I was directed to post here, but I mentioned that I have a copy of Solidworks that I can't replace and don't want to lose. I'm afraid if I restore windows I'll lose my app correct?

I'll just disconnect this pc from the internet and keep it just for SW projects. I ordered a new pc from Dell yesterday.

Thank you very much for your time.

ssmonty

PS working without wifi enabled seems to calm down the processor, but the disk is running like crazy. It looks like "svchost.exe(LocalServiceNet..." is constantly running. I can "end task" and the disk almost stops for a while, then "svchost.exe(LocalServiceNet..." starts running again. Can't make it stop coming back.

 


Edited by ssmonty, 27 June 2017 - 04:04 PM.


#6 nasdaq (Malware Response Team)

Posted 28 June 2017 - 06:45 AM

Temporarily disable your AV program so it does not interfere.
Info on how to disable your security applications How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs - Security Mini-Guides.

Download Zoek tool from here

When the download appears, save to the Desktop.
On the Desktop, right-click the Zoek.exe file and select: Run as Administrator
(Give it a few seconds to appear.)

Next, copy/paste the entire script inside the code box below to the input field of Zoek:
createsrpoint;
autoclean;
emptyclsid;
emptyffcache;
FFdefaults;
emptyiecache;
iedefaults;
emptychrcache;
CHRdefaults;
emptyalltemp;
emptyfolderscheck;delete
ipconfig /flushdns;b
Now...
Close any open Browsers.
Click the Run script button, and wait. It takes a few minutes to run all the script.

When the tool finishes, the zoek-results.log is opened in Notepad.
The log is also found on the systemdrive, normally C:\
If a reboot is needed, the log is opened after the reboot.

Please attach the zoek-results.log in your reply.
===

#7 ssmonty (Topic Starter)

Posted 28 June 2017 - 10:31 AM

I'm really afraid I'll lose my Solidworks app if I mess around anymore. I'll just leave it disconnected from the internet and be able to use it for SW projects. Got another pc on the way. I made a donation to the FRST author. I'll just lick my wounds and move on. Thanks for your efforts!

ssmonty





