
Repeated BSOD when connecting to LAN


  • This topic is locked
13 replies to this topic

#1 rexmale

  • Members
  • 9 posts
  • OFFLINE
  • Local time: 07:59 AM

Posted 29 August 2017 - 09:04 PM

Hello,

Since yesterday, some PCs / laptops have been getting a BSOD repeatedly because there is a problem with srvnet.sys.
How do I fix it?

Thank you

FRST:

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 20-08-2017

Ran by INTA (administrator) on INTA-PC (30-08-2017 08:50:43)
Running from F:\
Loaded Profiles: INTA (Available Profiles: INTA)
Platform: Windows 7 Professional Service Pack 1 (X64) Language: English (United States)
Internet Explorer Version 8 (Default browser: Chrome)
Boot Mode: Normal
 
==================== Processes (Whitelisted) =================
 
(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)
 
(ESET) C:\Program Files\ESET\ESET NOD32 Antivirus\x86\ekrn.exe
(HP) C:\Windows\System32\HPSIsvc.exe
() C:\Program Files (x86)\Canon\IJPLM\ijplmsvc.exe
(Nitro PDF Software) C:\Program Files\Common Files\Nitro PDF\Professional\7.0\NitroPDFDriverService2x64.exe
(Nalpeiron Ltd.) C:\Windows\SysWOW64\NLSSRV32.EXE
(Google Inc.) C:\Program Files (x86)\Google\Update\1.3.33.5\GoogleCrashHandler.exe
(Google Inc.) C:\Program Files (x86)\Google\Update\1.3.33.5\GoogleCrashHandler64.exe
(ESET) C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
(CANON INC.) C:\Program Files (x86)\Canon\Quick Menu\CNQMMAIN.EXE
() C:\Program Files (x86)\Plustek\Plustek MobileOffice S400\DocuAction.exe
(Microsoft Corporation) C:\Windows\splwow64.exe
(CANON INC.) C:\Program Files (x86)\Canon\Quick Menu\CNQMUPDT.EXE
(Microsoft Corporation) C:\Windows\System32\wbem\WMIADAP.exe
 
==================== Registry (Whitelisted) ====================
 
(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)
 
HKLM\...\Run: [egui] => C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe [5581888 2014-02-24] (ESET)
HKLM-x32\...\Run: [GrooveMonitor] => C:\Program Files (x86)\Microsoft Office\Office12\GrooveMonitor.exe [31072 2008-10-25] (Microsoft Corporation)
HKLM-x32\...\Run: [CanonQuickMenu] => C:\Program Files (x86)\Canon\Quick Menu\CNQMMAIN.EXE [1314432 2016-03-11] (CANON INC.)
HKLM-x32\...\Run: [DocuAction (Plustek MobileOffice S400) - Plustek MobileOffice S400] => C:\Program Files (x86)\Plustek\Plustek MobileOffice S400\DocuAction.exe [226816 2014-12-08] ()
HKU\S-1-5-21-662141889-3582796728-3456690135-1000\...\MountPoints2: {c989ff9e-62bb-11e7-a3e2-001e3768d3a3} - F:\SISetup.exe
 
==================== Internet (Whitelisted) ====================
 
(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)
 
Tcpip\Parameters: [DhcpNameServer] 10.1.2.1
Tcpip\..\Interfaces\{AFE67B1C-73D1-4908-B230-CEF08094E0CE}: [DhcpNameServer] 10.1.2.1
Tcpip\..\Interfaces\{B612A239-1553-46A1-BC5A-82D702015C4E}: [DhcpNameServer] 10.1.2.1
 
Internet Explorer:
==================
HKU\S-1-5-21-662141889-3582796728-3456690135-1000\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = hxxp://www.msn.com/id-id/?ocid=iehp
SearchScopes: HKU\S-1-5-21-662141889-3582796728-3456690135-1000 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
BHO-x32: Groove GFS Browser Helper -> {72853161-30C5-4D22-B7F9-0BBC1D38A37E} -> C:\Program Files (x86)\Microsoft Office\Office12\GrooveShellExtensions.dll [2009-02-12] (Microsoft Corporation)
Handler-x32: saphtmlp - {D1F8BD1E-7967-11D2-B43A-006094B9EADB} - c:\program files (x86)\sap\frontend\sapgui\saphtmlp.dll [2010-02-26] (SAP, Walldorf)
Handler-x32: sapr3 - {D1F8BD1E-7967-11D2-B43A-006094B9EADB} - c:\program files (x86)\sap\frontend\sapgui\saphtmlp.dll [2010-02-26] (SAP, Walldorf)
Filter: deflate - {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\Windows\system32\urlmon.dll [2010-11-21] (Microsoft Corporation)
Filter-x32: deflate - {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\Windows\SysWOW64\urlmon.dll [2010-11-21] (Microsoft Corporation)
Filter: gzip - {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\Windows\system32\urlmon.dll [2010-11-21] (Microsoft Corporation)
Filter-x32: gzip - {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\Windows\SysWOW64\urlmon.dll [2010-11-21] (Microsoft Corporation)
 
FireFox:
========
FF DefaultProfile: 7my3smt0.default
FF ProfilePath: C:\Users\INTA\AppData\Roaming\Mozilla\Firefox\Profiles\7my3smt0.default [2017-07-04]
FF HKLM-x32\...\Thunderbird\Extensions: [eplgTb@eset.com] - C:\Program Files\ESET\ESET NOD32 Antivirus\Mozilla Thunderbird
FF Extension: (ESET Smart Security Extension) - C:\Program Files\ESET\ESET NOD32 Antivirus\Mozilla Thunderbird [2017-07-04] [not signed]
FF Plugin-x32: @nitropdf.com/NitroPDF -> C:\Program Files (x86)\Nitro PDF\Professional 7\npnitromozilla.dll [2011-11-02] ( )
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.33.5\npGoogleUpdate3.dll [2017-07-06] (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.33.5\npGoogleUpdate3.dll [2017-07-06] (Google Inc.)
 
Chrome: 
=======
CHR Profile: C:\Users\INTA\AppData\Local\Google\Chrome\User Data\Default [2017-08-29]
CHR Extension: (Google Documents) - C:\Users\INTA\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake [2017-07-06]
CHR Extension: (Google Drive) - C:\Users\INTA\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2017-07-04]
CHR Extension: (YouTube) - C:\Users\INTA\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2017-07-04]
CHR Extension: (Google Dokumen Offline) - C:\Users\INTA\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi [2017-07-04]
CHR Extension: (Pembayaran Toko Web Chrome) - C:\Users\INTA\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2017-08-28]
CHR Extension: (Gmail) - C:\Users\INTA\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2017-07-06]
CHR Extension: (Chrome Media Router) - C:\Users\INTA\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm [2017-08-16]
 
==================== Services (Whitelisted) ====================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
R2 ekrn; C:\Program Files\ESET\ESET NOD32 Antivirus\x86\ekrn.exe [1343408 2014-02-24] (ESET)
R2 IJPLMSVC; C:\Program Files (x86)\Canon\IJPLM\IJPLMSVC.EXE [387144 2016-02-04] ()
R2 NitroDriverReadSpool2; C:\Program Files\Common Files\Nitro PDF\Professional\7.0\NitroPDFDriverService2x64.exe [341280 2011-11-02] (Nitro PDF Software)
R2 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [1011712 2009-07-14] (Microsoft Corporation)
 
===================== Drivers (Whitelisted) ======================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
R1 eamonm; C:\Windows\System32\DRIVERS\eamonm.sys [239320 2013-09-17] (ESET)
U5 edevmon; C:\Windows\System32\Drivers\edevmon.sys [239296 2013-09-17] (ESET)
R1 ehdrv; C:\Windows\System32\DRIVERS\ehdrv.sys [168256 2013-09-17] (ESET)
R2 epfwwfpr; C:\Windows\System32\DRIVERS\epfwwfpr.sys [157432 2013-09-17] (ESET)
S3 mvusbews; C:\Windows\System32\Drivers\mvusbews.sys [20480 2011-04-04] (Marvell Semiconductor, Inc.)
 
==================== NetSvcs (Whitelisted) ===================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
 
==================== One Month Created files and folders ========
 
(If an entry is included in the fixlist, the file/folder will be moved.)
 
2017-08-30 08:50 - 2017-08-30 08:50 - 000000000 ____D C:\FRST
2017-08-29 16:21 - 2017-08-29 16:21 - 000276224 _____ C:\Windows\Minidump\082917-22448-01.dmp
2017-08-29 13:42 - 2017-08-29 13:42 - 000276224 _____ C:\Windows\Minidump\082917-18376-01.dmp
2017-08-29 10:20 - 2017-08-29 10:20 - 000276224 _____ C:\Windows\Minidump\082917-24429-01.dmp
2017-08-28 12:39 - 2017-08-28 12:39 - 000276216 _____ C:\Windows\Minidump\082817-18127-01.dmp
2017-08-22 16:36 - 2017-08-22 16:36 - 000428990 _____ C:\Users\INTA\Downloads\794-1446-1-SM (2).pdf
2017-08-22 16:29 - 2017-08-22 16:29 - 000428990 _____ C:\Users\INTA\Downloads\794-1446-1-SM.pdf
2017-08-22 16:29 - 2017-08-22 16:29 - 000428990 _____ C:\Users\INTA\Downloads\794-1446-1-SM (1).pdf
2017-08-22 16:20 - 2017-08-22 16:20 - 000127943 _____ C:\Users\INTA\Downloads\penerapan-manajemen-risiko-2015 (1).pdf
2017-08-22 13:58 - 2017-08-22 13:58 - 000127943 _____ C:\Users\INTA\Downloads\penerapan-manajemen-risiko-2015.pdf
2017-08-22 10:19 - 2017-08-22 10:19 - 000577848 _____ C:\Users\INTA\Downloads\15.04.1400_jurnal_eproc.pdf
2017-08-21 15:40 - 2017-08-29 10:11 - 000000000 ____D C:\Users\INTA\Desktop\scan mr baru
2017-08-14 10:45 - 2017-08-15 14:22 - 000000000 ____D C:\Users\INTA\Desktop\Reinhat
2017-08-14 10:26 - 2017-08-14 10:26 - 000016033 _____ C:\Users\INTA\Desktop\CL.xls
2017-08-14 10:04 - 2017-08-14 10:04 - 000268133 _____ C:\Users\INTA\Desktop\ALL DO 1.xlsx
2017-08-14 10:02 - 2017-08-14 10:22 - 000040461 _____ C:\Users\INTA\Desktop\all do.xls
2017-08-10 09:01 - 2017-08-10 09:35 - 000113298 _____ C:\Users\INTA\Downloads\risk_assessment (1).ppt.crdownload
2017-08-09 15:43 - 2017-08-22 17:11 - 000000000 ____D C:\Users\INTA\Downloads\New folder
2017-08-09 15:43 - 2017-08-09 15:43 - 000000000 ____D C:\Users\INTA\Downloads\New folder (2)
2017-08-09 15:33 - 2017-08-09 15:38 - 002770944 _____ C:\Users\INTA\Downloads\risk_assessment.ppt
2017-07-31 14:39 - 2017-07-31 14:39 - 000000000 ____H C:\Windows\system32\Drivers\Msft_User_WpdMtpDr_01_09_00.Wdf
 
==================== One Month Modified files and folders ========
 
(If an entry is included in the fixlist, the file/folder will be moved.)
 
2017-08-30 08:43 - 2009-07-14 11:45 - 000031088 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2017-08-30 08:43 - 2009-07-14 11:45 - 000031088 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2017-08-30 08:41 - 2009-07-14 12:13 - 000781298 _____ C:\Windows\system32\PerfStringBackup.INI
2017-08-30 08:41 - 2009-07-14 10:20 - 000000000 ____D C:\Windows\inf
2017-08-30 08:37 - 2009-07-14 12:08 - 000000006 ____H C:\Windows\Tasks\SA.DAT
2017-08-29 16:21 - 2017-07-19 21:10 - 210467116 _____ C:\Windows\MEMORY.DMP
2017-08-29 16:21 - 2017-07-19 21:10 - 000000000 ____D C:\Windows\Minidump
2017-08-29 13:55 - 2017-07-04 09:33 - 000000000 ____D C:\Users\INTA\AppData\Roaming\Nitro PDF
2017-08-29 13:44 - 2009-07-14 12:08 - 000020652 _____ C:\Windows\Tasks\SCHEDLGU.TXT
2017-08-29 08:35 - 2017-07-04 09:56 - 000002185 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome.lnk
2017-08-29 08:35 - 2017-07-04 09:56 - 000002173 _____ C:\Users\Public\Desktop\Google Chrome.lnk
2017-08-21 13:57 - 2017-07-07 10:13 - 000000000 ____D C:\ProgramData\CanonIJPLM
2017-08-15 14:07 - 2017-07-04 09:52 - 000000000 ____D C:\Users\INTA\AppData\Roaming\SAP
2017-08-15 14:07 - 2017-07-04 09:34 - 000000000 ____D C:\Users\INTA\Documents\SAP
2017-08-15 14:07 - 2017-07-04 09:34 - 000000000 ____D C:\Users\INTA\AppData\Local\SAP
 
Some files in TEMP:
====================
2017-07-04 09:43 - 2017-07-04 09:43 - 000374208 _____ (ESET) C:\Users\INTA\AppData\Local\Temp\InstHelper.exe
2017-07-07 09:48 - 2011-05-11 18:19 - 000607800 ____R (HP) C:\Users\INTA\AppData\Local\Temp\siinst.exe
2017-07-07 09:48 - 2011-05-06 04:26 - 000270336 ____R (HP) C:\Users\INTA\AppData\Local\Temp\strings.dll
 
==================== Bamital & volsnap ======================
 
(There is no automatic fix for files that do not pass verification.)
 
C:\Windows\system32\winlogon.exe => File is digitally signed
C:\Windows\system32\wininit.exe => File is digitally signed
C:\Windows\SysWOW64\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\system32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\system32\services.exe => File is digitally signed
C:\Windows\system32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\system32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\system32\rpcss.dll => File is digitally signed
C:\Windows\system32\dnsapi.dll => File is digitally signed
C:\Windows\SysWOW64\dnsapi.dll => File is digitally signed
C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed
 
LastRegBack: 2017-08-21 17:17
 
==================== End of FRST.txt ============================
 
 
Addition:
 
Additional scan result of Farbar Recovery Scan Tool (x64) Version: 20-08-2017
Ran by INTA (30-08-2017 08:51:54)
Running from F:\
Windows 7 Professional Service Pack 1 (X64) (2017-07-04 00:58:44)
Boot Mode: Normal
==========================================================
 
 
==================== Accounts: =============================
 
Administrator (S-1-5-21-662141889-3582796728-3456690135-500 - Administrator - Disabled)
Guest (S-1-5-21-662141889-3582796728-3456690135-501 - Limited - Disabled)
INTA (S-1-5-21-662141889-3582796728-3456690135-1000 - Administrator - Enabled) => C:\Users\INTA
 
==================== Security Center ========================
 
(If an entry is included in the fixlist, it will be removed.)
 
AV: ESET NOD32 Antivirus 7.0 (Enabled - Up to date) {19259FAE-8396-A113-46DB-15B0E7DFA289}
AS: Windows Defender (Enabled - Out of date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
AS: ESET NOD32 Antivirus 7.0 (Enabled - Up to date) {A2447E4A-A5AC-AE9D-7C6B-2EC29C58E834}
 
==================== Installed Programs ======================
 
(Only the adware programs with "Hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)
 
2007 Microsoft Office Suite Service Pack 2 (SP2) (HKLM-x32\...\{90120000-0015-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}) (Version:  - Microsoft) Hidden
2007 Microsoft Office Suite Service Pack 2 (SP2) (HKLM-x32\...\{90120000-0016-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}) (Version:  - Microsoft) Hidden
2007 Microsoft Office Suite Service Pack 2 (SP2) (HKLM-x32\...\{90120000-0018-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}) (Version:  - Microsoft) Hidden
2007 Microsoft Office Suite Service Pack 2 (SP2) (HKLM-x32\...\{90120000-0019-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}) (Version:  - Microsoft) Hidden
2007 Microsoft Office Suite Service Pack 2 (SP2) (HKLM-x32\...\{90120000-001A-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}) (Version:  - Microsoft) Hidden
2007 Microsoft Office Suite Service Pack 2 (SP2) (HKLM-x32\...\{90120000-001B-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}) (Version:  - Microsoft) Hidden
2007 Microsoft Office Suite Service Pack 2 (SP2) (HKLM-x32\...\{90120000-001F-0409-0000-0000000FF1CE}_ENTERPRISE_{ABDDE972-355B-4AF1-89A8-DA50B7B5C045}) (Version:  - Microsoft) Hidden
2007 Microsoft Office Suite Service Pack 2 (SP2) (HKLM-x32\...\{90120000-001F-040C-0000-0000000FF1CE}_ENTERPRISE_{F580DDD5-8D37-4998-968E-EBB76BB86787}) (Version:  - Microsoft) Hidden
2007 Microsoft Office Suite Service Pack 2 (SP2) (HKLM-x32\...\{90120000-001F-0C0A-0000-0000000FF1CE}_ENTERPRISE_{187308AB-5FA7-4F14-9AB9-D290383A10D9}) (Version:  - Microsoft) Hidden
2007 Microsoft Office Suite Service Pack 2 (SP2) (HKLM-x32\...\{90120000-002A-0000-1000-0000000FF1CE}_ENTERPRISE_{E64BA721-2310-4B55-BE5A-2925F9706192}) (Version:  - Microsoft) Hidden
2007 Microsoft Office Suite Service Pack 2 (SP2) (HKLM-x32\...\{90120000-002A-0409-1000-0000000FF1CE}_ENTERPRISE_{DE5A002D-8122-4278-A7EE-3121E7EA254E}) (Version:  - Microsoft) Hidden
2007 Microsoft Office Suite Service Pack 2 (SP2) (HKLM-x32\...\{90120000-0030-0000-0000-0000000FF1CE}_ENTERPRISE_{0B36C6D6-F5D8-4EAF-BF94-4376A230AD5B}) (Version:  - Microsoft)
2007 Microsoft Office Suite Service Pack 2 (SP2) (HKLM-x32\...\{90120000-0044-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}) (Version:  - Microsoft) Hidden
2007 Microsoft Office Suite Service Pack 2 (SP2) (HKLM-x32\...\{90120000-006E-0409-0000-0000000FF1CE}_ENTERPRISE_{DE5A002D-8122-4278-A7EE-3121E7EA254E}) (Version:  - Microsoft) Hidden
2007 Microsoft Office Suite Service Pack 2 (SP2) (HKLM-x32\...\{90120000-00A1-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}) (Version:  - Microsoft) Hidden
2007 Microsoft Office Suite Service Pack 2 (SP2) (HKLM-x32\...\{90120000-00BA-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}) (Version:  - Microsoft) Hidden
2007 Microsoft Office Suite Service Pack 2 (SP2) (HKLM-x32\...\{90120000-0114-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}) (Version:  - Microsoft) Hidden
2007 Microsoft Office Suite Service Pack 2 (SP2) (HKLM-x32\...\{90120000-0115-0409-0000-0000000FF1CE}_ENTERPRISE_{DE5A002D-8122-4278-A7EE-3121E7EA254E}) (Version:  - Microsoft) Hidden
2007 Microsoft Office Suite Service Pack 2 (SP2) (HKLM-x32\...\{90120000-0116-0409-1000-0000000FF1CE}_ENTERPRISE_{DE5A002D-8122-4278-A7EE-3121E7EA254E}) (Version:  - Microsoft) Hidden
2007 Microsoft Office Suite Service Pack 2 (SP2) (HKLM-x32\...\{90120000-0117-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}) (Version:  - Microsoft) Hidden
Canon E410 series MP Drivers (HKLM\...\{1199FAD5-9546-44f3-81CF-FFDB8040B7BF}_Canon_E410_series) (Version: 1.01 - Canon Inc.)
Canon E410 series On-screen Manual (HKLM-x32\...\Canon E410 series On-screen Manual) (Version: 1.0.0 - Canon Inc.)
Canon IJ Scan Utility (HKLM-x32\...\Canon_IJ_Scan_Utility) (Version: 1.3.1.4 - Canon Inc.)
Canon Inkjet Printer/Scanner/Fax Extended Survey Program (HKLM-x32\...\CANONIJPLM100) (Version: 5.2.0 - Canon Inc.)
Canon Quick Menu (HKLM-x32\...\CanonQuickMenu) (Version: 2.7.0 - Canon Inc.)
CanoScan LiDE 110 Scanner Driver (HKLM\...\{1199FAD5-9546-44f3-81CF-FFDB8040B7BF}_CNQ2414) (Version:  - Canon Inc.)
ESET NOD32 Antivirus (HKLM\...\{FBC0F617-1AA0-4483-8153-3FD97FE01D9E}) (Version: 7.0.317.4 - ESET, spol s r. o.)
Google Chrome (HKLM-x32\...\Google Chrome) (Version: 60.0.3112.113 - Google Inc.)
Google Update Helper (HKLM-x32\...\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA}) (Version: 1.3.33.5 - Google Inc.) Hidden
HP LaserJet Professional P1100-P1560-P1600 Series (HKLM\...\HP LaserJet Professional P1100-P1560-P1600 Series) (Version:  - )
Microsoft .NET Framework 4.5.2 (HKLM\...\{92FB6C44-E685-45AD-9B20-CADF4CABA132} - 1033) (Version: 4.5.51209 - Microsoft Corporation)
Microsoft Office Enterprise 2007 (HKLM-x32\...\ENTERPRISE) (Version: 12.0.6425.1000 - Microsoft Corporation)
Microsoft redistributable runtime DLLs VS2008 SP1(x86) (HKLM-x32\...\{A47A9101-6EB5-4314-BDA1-297880FBB908}) (Version: 9.0 - SAP AG)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17 (HKLM-x32\...\{9A25302D-30C0-39D9-BD6F-21E6EC160475}) (Version: 9.0.30729 - Microsoft Corporation)
Mozilla Firefox 54.0 (x64 en-US) (HKLM\...\Mozilla Firefox 54.0 (x64 en-US)) (Version: 54.0 - Mozilla)
Mozilla Maintenance Service (HKLM\...\MozillaMaintenanceService) (Version: 54.0 - Mozilla)
MSXML4.0 redistributable (HKLM-x32\...\{44D66AD9-AE19-4AFD-BE7E-A1B44C856697}) (Version: 4.0.0.0 - SAP)
Nitro Pro 7 (HKLM\...\{6D3AAA06-F2E1-4AB5-AB64-38B7E64DDAEF}) (Version: 7.0.1.5 - Nitro PDF Software)
Plustek MobileOffice S400 (HKLM-x32\...\{244514D4-A52D-41F5-BEEC-42ECC92D4998}) (Version: 5.2.0.5 - Plustek)
SAP GUI for Windows 7.20 (HKLM-x32\...\SAPGUI710) (Version: 7.20 Compilation 1 - SAP)
vcredist_x86 (HKLM-x32\...\{CEC7A786-A9C8-4EF7-BB59-6518E3B3C878}) (Version: 1.0.0 - SAP)
Windows Driver Package - Product Image  (06/27/2012 4.1.1.0) (HKLM\...\8E5CE7CE33E0A6359F82B3450BBEEA76CED9A4CC) (Version: 06/27/2012 4.1.1.0 - Product)
Windows Driver Package - Product Image  (06/27/2012 4.1.1.0) (HKLM\...\D1DD47BAB968BD715DEAEEE1E0D812F8C9A2188E) (Version: 06/27/2012 4.1.1.0 - Product)
WinRAR 4.20 (64-bit) (HKLM\...\WinRAR archiver) (Version: 4.20.0 - win.rar GmbH)
 
==================== Custom CLSID (Whitelisted): ==========================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
ContextMenuHandlers1: [ESET Smart Security - Context Menu Shell Extension] -> {B089FE88-FB52-11D3-BDF1-0050DA34150D} => C:\Program Files\ESET\ESET NOD32 Antivirus\shellExt.dll [2014-02-24] (ESET)
ContextMenuHandlers1: [NPShellExtension] -> {D0DC6B97-C6FA-4B42-9649-5891A97E5005} => C:\Program Files\Common Files\Nitro PDF\Professional\7.0\NPShellExtension64.dll [2011-11-02] ()
ContextMenuHandlers1: [WinRAR] -> {B41DB860-64E4-11D2-9906-E49FADC173CA} => C:\Program Files\WinRAR\rarext.dll [2012-06-09] (Alexander Roshal)
ContextMenuHandlers1-x32: [WinRAR32] -> {B41DB860-8EE4-11D2-9906-E49FADC173CA} => C:\Program Files\WinRAR\rarext32.dll [2012-06-09] (Alexander Roshal)
ContextMenuHandlers2: [ESET Smart Security - Context Menu Shell Extension] -> {B089FE88-FB52-11D3-BDF1-0050DA34150D} => C:\Program Files\ESET\ESET NOD32 Antivirus\shellExt.dll [2014-02-24] (ESET)
ContextMenuHandlers6: [ESET Smart Security - Context Menu Shell Extension] -> {B089FE88-FB52-11D3-BDF1-0050DA34150D} => C:\Program Files\ESET\ESET NOD32 Antivirus\shellExt.dll [2014-02-24] (ESET)
ContextMenuHandlers6: [WinRAR] -> {B41DB860-64E4-11D2-9906-E49FADC173CA} => C:\Program Files\WinRAR\rarext.dll [2012-06-09] (Alexander Roshal)
ContextMenuHandlers6-x32: [WinRAR32] -> {B41DB860-8EE4-11D2-9906-E49FADC173CA} => C:\Program Files\WinRAR\rarext32.dll [2012-06-09] (Alexander Roshal)
 
==================== Scheduled Tasks (Whitelisted) =============
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
Task: {0B50D42B-64F9-4035-9E46-680E8650B926} - System32\Tasks\GoogleUpdateTaskMachineUA => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2017-07-04] (Google Inc.)
Task: {402DBC9D-3188-47D4-9CCE-C6F71F84BD8C} - System32\Tasks\GoogleUpdateTaskMachineCore => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2017-07-04] (Google Inc.)
 
(If an entry is included in the fixlist, the task (.job) file will be moved. The file which is running by the task will not be moved.)
 
 
==================== Shortcuts & WMI ========================
 
(The entries could be listed to be restored or removed.)
 
 
==================== Loaded Modules (Whitelisted) ==============
 
2017-07-07 09:49 - 2011-04-02 16:05 - 000290304 _____ () C:\Windows\System32\HP1100LM.DLL
2017-07-07 09:49 - 2011-04-02 16:04 - 000074240 _____ () C:\Windows\system32\spool\PRTPROCS\x64\HP1100PP.DLL
2017-07-07 10:13 - 2016-02-04 18:53 - 000387144 _____ () C:\Program Files (x86)\Canon\IJPLM\IJPLMSVC.EXE
2017-07-07 10:48 - 2014-12-08 15:41 - 000226816 _____ () C:\Program Files (x86)\Plustek\Plustek MobileOffice S400\DocuAction.exe
2017-07-07 10:48 - 2014-01-28 11:39 - 000028672 _____ () C:\Program Files (x86)\Plustek\Plustek MobileOffice S400\AmCommonLib.dll
2017-07-07 10:48 - 2014-04-09 07:17 - 000073728 _____ () C:\Program Files (x86)\Plustek\Plustek MobileOffice S400\DocuRes.dll
2017-07-07 10:31 - 2008-08-27 17:58 - 000045056 _____ () C:\Program Files (x86)\Common Files\iMpacct\EdgeFillRsc.dll
2017-07-07 10:31 - 2006-05-15 15:24 - 000122938 _____ () C:\Program Files (x86)\Common Files\iMpacct\CommonFunc.dll
2017-07-07 10:31 - 2013-11-28 11:07 - 001060352 _____ () C:\Program Files (x86)\Common Files\iMpacct\libzbar.dll
2017-07-07 10:48 - 2014-12-08 15:41 - 000297984 _____ () C:\Program Files (x86)\Plustek\Plustek MobileOffice S400\Scan.dll
2017-07-07 10:48 - 2013-08-23 16:55 - 000163840 _____ () C:\Program Files (x86)\Plustek\Plustek MobileOffice S400\ScanRes.dll
2017-07-07 10:48 - 2015-03-06 13:47 - 000183296 _____ () C:\Program Files (x86)\Plustek\Plustek MobileOffice S400\ScanProcess.dll
2017-07-07 10:48 - 2009-06-25 10:00 - 000897024 _____ () C:\Program Files (x86)\Plustek\Plustek MobileOffice S400\EncryptPdf.dll
2017-07-07 10:48 - 2014-12-05 15:21 - 000065024 _____ () C:\Program Files (x86)\Plustek\Plustek MobileOffice S400\PlkMsg.dll
2017-07-07 10:48 - 2014-12-09 12:03 - 000073728 _____ () C:\Program Files (x86)\Plustek\Plustek MobileOffice S400\PlkMsgRes.dll
2017-07-07 10:48 - 2014-12-08 15:41 - 000115200 _____ () C:\Program Files (x86)\Plustek\Plustek MobileOffice S400\PDF.DLL
2017-07-07 10:48 - 2014-01-28 11:40 - 000089600 _____ () C:\Program Files (x86)\Plustek\Plustek MobileOffice S400\FormatManager.dll
2017-07-07 10:48 - 2014-04-09 07:17 - 000040960 _____ () C:\Program Files (x86)\Plustek\Plustek MobileOffice S400\FormatManagerRes.dll
2017-07-07 10:48 - 2013-08-05 17:46 - 000036864 _____ () C:\Program Files (x86)\Plustek\Plustek MobileOffice S400\FilingRes.dll
2017-07-07 10:48 - 2014-12-08 15:41 - 000120832 _____ () C:\Program Files (x86)\Plustek\Plustek MobileOffice S400\Custom.DLL
2017-07-07 10:48 - 2013-08-05 17:30 - 000036864 _____ () C:\Program Files (x86)\Plustek\Plustek MobileOffice S400\CustomRes.dll
 
==================== Alternate Data Streams (Whitelisted) =========
 
(If an entry is included in the fixlist, only the ADS will be removed.)
 
AlternateDataStreams: C:\Windows:nlsPreferences [0]
 
==================== Safe Mode (Whitelisted) ===================
 
(If an entry is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.)
 
 
==================== Association (Whitelisted) ===============
 
(If an entry is included in the fixlist, the registry item will be restored to default or removed.)
 
 
==================== Internet Explorer trusted/restricted ===============
 
(If an entry is included in the fixlist, it will be removed from the registry.)
 
 
==================== Hosts content: ===============================
 
(If needed Hosts: directive could be included in the fixlist to reset Hosts.)
 
2009-07-14 09:34 - 2009-06-11 04:00 - 000000824 _____ C:\Windows\system32\Drivers\etc\hosts
 
 
==================== Other Areas ============================
 
(Currently there is no automatic fix for this section.)
 
HKU\S-1-5-21-662141889-3582796728-3456690135-1000\Control Panel\Desktop\\Wallpaper -> C:\Users\INTA\AppData\Roaming\Microsoft\Windows\Themes\TranscodedWallpaper.jpg
DNS Servers: Media is not connected to internet.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System => (ConsentPromptBehaviorAdmin: 5) (ConsentPromptBehaviorUser: 3) (EnableLUA: 1)
Windows Firewall is enabled.
 
==================== MSCONFIG/TASK MANAGER disabled items ==
 
 
==================== FirewallRules (Whitelisted) ===============
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
FirewallRules: [SPPSVC-In-TCP] => (Allow) %SystemRoot%\system32\sppsvc.exe
FirewallRules: [SPPSVC-In-TCP-NoScope] => (Allow) %SystemRoot%\system32\sppsvc.exe
FirewallRules: [{EBC00951-EDBD-4F72-988E-5A0CE860ED00}] => (Allow) C:\Program Files\Mozilla Firefox\firefox.exe
FirewallRules: [{35F8D6C3-5768-4186-874F-E41CDBBEF502}] => (Allow) C:\Program Files\Mozilla Firefox\firefox.exe
FirewallRules: [{8A2A62C8-00DC-44F8-8D83-AF9FAE4666F0}] => (Allow) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
 
==================== Restore Points =========================
 
21-08-2017 17:24:05 Scheduled Checkpoint
29-08-2017 12:57:11 Scheduled Checkpoint
 
==================== Faulty Device Manager Devices =============
 
Name: 
Description: 
Class Guid: 
Manufacturer: 
Service: 
Problem: : The drivers for this device are not installed. (Code 28)
Resolution: To install the drivers for this device, click "Update Driver", which starts the Hardware Update wizard.
 
 
==================== Event log errors: =========================
 
Application errors:
==================
Error: (08/30/2017 08:38:44 AM) (Source: WinMgmt) (EventID: 10) (User: )
Description: Event filter with query "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 99" could not be reactivated in namespace "//./root/CIMV2" because of error 0x80041003. Events cannot be delivered through this filter until the problem is corrected.
 
Error: (08/29/2017 04:22:48 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: Event filter with query "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 99" could not be reactivated in namespace "//./root/CIMV2" because of error 0x80041003. Events cannot be delivered through this filter until the problem is corrected.
 
Error: (08/29/2017 01:45:20 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: Event filter with query "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 99" could not be reactivated in namespace "//./root/CIMV2" because of error 0x80041003. Events cannot be delivered through this filter until the problem is corrected.
 
Error: (08/29/2017 01:44:14 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: svchost.exe_ShellHWDetection, version: 6.1.7600.16385, time stamp: 0x4a5bc3c1
Faulting module name: ntdll.dll, version: 6.1.7601.17514, time stamp: 0x4ce7c8f9
Exception code: 0xc0000005
Fault offset: 0x000000000005165a
Faulting process id: 0x390
Faulting application start time: 0x01d3209201284b69
Faulting application path: C:\Windows\system32\svchost.exe
Faulting module path: C:\Windows\SYSTEM32\ntdll.dll
Report Id: 783453ab-8c85-11e7-96bc-001e3768d3a3
 
Error: (08/29/2017 12:03:15 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: DocuAction.exe, version: 0.0.0.0, time stamp: 0x5485562d
Faulting module name: unknown, version: 0.0.0.0, time stamp: 0x00000000
Exception code: 0xc0000005
Fault offset: 0x742b2e09
Faulting process id: 0x6c
Faulting application start time: 0x01d32081b8538903
Faulting application path: C:\Program Files (x86)\Plustek\Plustek MobileOffice S400\DocuAction.exe
Faulting module path: unknown
Report Id: 5ca399e1-8c77-11e7-8fa9-001e3768d3a3
 
Error: (08/29/2017 11:47:24 AM) (Source: WinMgmt) (EventID: 10) (User: )
Description: Event filter with query "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 99" could not be reactivated in namespace "//./root/CIMV2" because of error 0x80041003. Events cannot be delivered through this filter until the problem is corrected.
 
Error: (08/29/2017 11:37:05 AM) (Source: WinMgmt) (EventID: 10) (User: )
Description: Event filter with query "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 99" could not be reactivated in namespace "//./root/CIMV2" because of error 0x80041003. Events cannot be delivered through this filter until the problem is corrected.
 
Error: (08/29/2017 11:24:32 AM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: wmpnetwk.exe, version: 12.0.7601.17514, time stamp: 0x4ce7ae7f
Faulting module name: ntdll.dll, version: 6.1.7601.17514, time stamp: 0x4ce7c8f9
Exception code: 0xc0000005
Fault offset: 0x00000000000526ca
Faulting process id: 0xa48
Faulting application start time: 0x01d3207c8b22648b
Faulting application path: C:\Program Files\Windows Media Player\wmpnetwk.exe
Faulting module path: C:\Windows\SYSTEM32\ntdll.dll
Report Id: f472fced-8c71-11e7-b5d7-001e3768d3a3
 
Error: (08/29/2017 11:10:10 AM) (Source: WinMgmt) (EventID: 10) (User: )
Description: Event filter with query "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 99" could not be reactivated in namespace "//./root/CIMV2" because of error 0x80041003. Events cannot be delivered through this filter until the problem is corrected.
 
Error: (08/29/2017 11:04:34 AM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: svchost.exe_Wlansvc, version: 6.1.7600.16385, time stamp: 0x4a5bc3c1
Faulting module name: ntdll.dll, version: 6.1.7601.17514, time stamp: 0x4ce7c8f9
Exception code: 0xc0000005
Fault offset: 0x000000000005135a
Faulting process id: 0x370
Faulting application start time: 0x01d32075b21b8b31
Faulting application path: C:\Windows\System32\svchost.exe
Faulting module path: C:\Windows\SYSTEM32\ntdll.dll
Report Id: 2a1e743f-8c6f-11e7-ac22-001e3768d3a3
 
 
System errors:
=============
Error: (08/30/2017 08:49:36 AM) (Source: Disk) (EventID: 11) (User: )
Description: The driver detected a controller error on \Device\Harddisk1\DR1.
 
Error: (08/30/2017 08:37:01 AM) (Source: EventLog) (EventID: 6008) (User: )
Description: The previous system shutdown at 16:25:59 on ‎29/‎08/‎2017 was unexpected.
 
Error: (08/29/2017 04:24:57 PM) (Source: NetBT) (EventID: 4321) (User: )
Description: The name "INTA-PC        :0" could not be registered on the interface with IP address 10.1.11.151.
The computer with the IP address 10.1.11.208 did not allow the name to be claimed by
this computer.
 
Error: (08/29/2017 04:24:57 PM) (Source: NetBT) (EventID: 4321) (User: )
Description: The name "INTA-PC        :20" could not be registered on the interface with IP address 10.1.11.151.
The computer with the IP address 10.1.11.208 did not allow the name to be claimed by
this computer.
 
Error: (08/29/2017 04:24:57 PM) (Source: Server) (EventID: 2505) (User: )
Description: The server could not bind to the transport \Device\NetBT_Tcpip_{AFE67B1C-73D1-4908-B230-CEF08094E0CE} because another computer on the network has the same name.  The server could not start.
 
Error: (08/29/2017 04:21:14 PM) (Source: BugCheck) (EventID: 1001) (User: )
Description: The computer has rebooted from a bugcheck.  The bugcheck was: 0x00000050 (0xfffffa8001665000, 0x0000000000000001, 0xfffff880038ae585, 0x0000000000000000). A dump was saved in: C:\Windows\MEMORY.DMP. Report Id: 082917-22448-01.
 
Error: (08/29/2017 04:21:08 PM) (Source: EventLog) (EventID: 6008) (User: )
Description: The previous system shutdown at 16:20:11 on ‎29/‎08/‎2017 was unexpected.
 
Error: (08/29/2017 01:46:18 PM) (Source: Service Control Manager) (EventID: 7032) (User: )
Description: The Service Control Manager tried to take a corrective action (Restart the service) after the unexpected termination of the Computer Browser service, but this action failed with the following error: 
An instance of the service is already running.
 
Error: (08/29/2017 01:46:18 PM) (Source: Service Control Manager) (EventID: 7032) (User: )
Description: The Service Control Manager tried to take a corrective action (Restart the service) after the unexpected termination of the IKE and AuthIP IPsec Keying Modules service, but this action failed with the following error: 
An instance of the service is already running.
 
Error: (08/29/2017 01:46:18 PM) (Source: Service Control Manager) (EventID: 7032) (User: )
Description: The Service Control Manager tried to take a corrective action (Restart the service) after the unexpected termination of the Windows Management Instrumentation service, but this action failed with the following error: 
An instance of the service is already running.
 
 
==================== Memory info =========================== 
 
Processor: Intel® Core™2 Duo CPU T5270 @ 1.40GHz
Percentage of memory in use: 52%
Total physical RAM: 1527.3 MB
Available physical RAM: 733.08 MB
Total Virtual: 3054.61 MB
Available Virtual: 1958.73 MB
 
==================== Drives ================================
 
Drive c: () (Fixed) (Total:53.61 GB) (Free:34.28 GB) NTFS
Drive d: (New Volume) (Fixed) (Total:58.08 GB) (Free:22.87 GB) NTFS
Drive f: (Win7_SP1_lite_v4-IK) (Removable) (Total:14.94 GB) (Free:12.92 GB) NTFS
 
==================== MBR & Partition Table ==================
 
========================================================
Disk: 0 (MBR Code: Windows 7 or 8) (Size: 111.8 GB) (Disk ID: E20D2A4D)
Partition 1: (Active) - (Size=100 MB) - (Type=07 NTFS)
Partition 2: (Not Active) - (Size=53.6 GB) - (Type=07 NTFS)
Partition 3: (Not Active) - (Size=58.1 GB) - (Type=07 NTFS)
 
========================================================
Disk: 1 (Size: 14.9 GB) (Disk ID: 0062E3EA)
Partition 1: (Active) - (Size=14.9 GB) - (Type=07 NTFS)
 
==================== End of Addition.txt ============================
 

 




 


#2 Aura

Aura

    Bleepin' Special Ops


  • Malware Response Team
  • 19,681 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:08:59 PM

Posted 31 August 2017 - 08:32 PM

Hi rexmale :)

My name is Aura and I'll be assisting you with your malware issue. Since we'll be working together, you can call me Aura or Yoan, which is my real name, it's up to you! Now that we've broken the ice, I'll just ask you a few things during the time we'll be working together to clean your system and get it back to an operational state.
  • As you'll notice, the logs we are asking for here are quite lengthy, so it's normal for me to not reply exactly after you post them. This is because I need some time to analyse them and then act accordingly. However, I'll always reply within 24 hours, 48 hours at most if something unexpected happens
  • As long as I'm assisting you on BleepingComputer, in this thread, I'll ask you to not seek assistance anywhere else for any issue related to the system we are working on. If you have an issue, question, etc. about your computer, please ask it in this thread and I'll assist you
  • The same principle applies to any modifications you make to your system, I would like you to ask me before you do any manipulations that aren't in the instructions I posted. This is to ensure that we are operating in sync and I know exactly what's happening on your system
  • If you aren't sure about an instruction I'm giving you, ask me about it. This is to ensure that the clean-up process goes without any issue. I'll answer you and even give you more precise instructions/explanations if you need. There's no shame in asking questions here, better be safe than sorry!
  • If you don't reply to your thread within 3 days, I'll bump this thread to let you know that I'm waiting for you. If you don't reply after 5 days, it'll be closed. If you return after that period, you can send me a PM to get it unlocked and we'll continue where we left off
  • Since malware can work quickly, we want to get rid of them as fast as we can, before they make unknown changes to the system. This being said, I would appreciate if you could reply to this thread within 24 hours of me posting. This way, we'll have a good clean-up rhythm and the chances of complications will be reduced
  • I'm against any form of pirated, illegal and counterfeit software and material. So if you have any installed on your system, I'll ask you to uninstall them right now. You don't have to tell me if you indeed had some or not, I'll give you the benefit of the doubt. Plus, this would be against BleepingComputer's rules
  • In the end, you are the one asking for assistance here. So if you wish to go a different way during the clean-up, like format and reinstall Windows, you are free to do so. I would appreciate you to let me know about it first, and if you need, I can also assist you in the process
  • I would appreciate if you were to stay with me until the end, which means, until I declare your system clean. Just because your system isn't behaving weirdly anymore, or is running better than before, it doesn't mean that the infection is completely gone
    This being said, I have a full time job so sometimes it'll take longer for me to reply to you. Don't worry, you'll be my first priority as soon as I get home and have time to look at your thread
This being said, it's time to clean up some malware, so let's get started, shall we? :)

I don't see any traces of infection in your logs. However, I noticed that your Windows 7 installation seems to be strongly outdated. Let's start by installing all your Windows Updates, as these might help with your BSOD issues.

http://www.dummies.com/computers/computer-networking/network-security/how-to-manually-check-for-windows-7-updates

Security Administrator | Sysnative Windows Update Senior Analyst | Malware Hunter | @SecurityAura
My timezone UTC-05:00 (East. Coast). If I didn't reply to you within 48 hours, please send me a PM.


#3 Aura

Aura

    Bleepin' Special Ops


  • Malware Response Team
  • 19,681 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:08:59 PM

Posted 02 September 2017 - 11:45 PM

Hi rexmale,

Are you still with me?



#4 rexmale

rexmale
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:07:59 AM

Posted 03 September 2017 - 08:21 PM

Hi Yoan,

 

So I just need to update the Windows?



#5 Aura

Aura

    Bleepin' Special Ops


  • Malware Response Team
  • 19,681 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:08:59 PM

Posted 03 September 2017 - 08:24 PM

For now let's start with that, yes. Once all your Windows Updates are installed, let me know.



#6 rexmale

rexmale
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:07:59 AM

Posted 05 September 2017 - 08:38 PM

It looks like that computer is being attacked by another computer that has malware exploiting EternalBlue, so I need to find out which computer is attacking it.



#7 rexmale

rexmale
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:07:59 AM

Posted 05 September 2017 - 08:38 PM

Sorry double


Edited by rexmale, 05 September 2017 - 08:40 PM.


#8 Aura

Aura

    Bleepin' Special Ops


  • Malware Response Team
  • 19,681 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:08:59 PM

Posted 06 September 2017 - 07:27 AM

What makes you say that?



#9 rexmale

rexmale
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:07:59 AM

Posted 06 September 2017 - 08:43 PM

If I want to check that suspected computer, can I report here or I have to create another topic?



#10 Aura

Aura

    Bleepin' Special Ops


  • Malware Response Team
  • 19,681 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:08:59 PM

Posted 06 September 2017 - 08:45 PM

You can check it here since you think the issue with this computer might be related.



#11 rexmale

rexmale
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:07:59 AM

Posted 06 September 2017 - 08:46 PM

What makes you say that?

Many computers have the same problem, and the one that has antivirus said that it is being attacked by smb:CVE-2017-0144



#12 Aura

Aura

    Bleepin' Special Ops


  • Malware Response Team
  • 19,681 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:08:59 PM

Posted 06 September 2017 - 08:48 PM

In order to stop that, you can disable SMBv1 under Windows 7.

http://www.thewindowsclub.com/disable-smb1-windows

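Aura's two recommendations in this thread, installing the missing Windows updates (#2) and disabling SMBv1 (#12), together with rexmale's question about finding the machine that is hitting this host, can all be checked from one elevated PowerShell prompt. The script below is an added example written for this page; it is not from the thread, from BleepingComputer, or from Aura. It assumes a Windows 7 SP1 host with the stock PowerShell 2.0, uses the LanmanServer registry value and the sc.exe commands that Microsoft documents in KB2696547 for disabling SMBv1 on Windows 7, and takes its event IDs (BugCheck 1001, Server 2505, NetBT 4321) from the FRST log earlier in the thread. The MS17-010 KB numbers (KB4012212, KB4012215) are my recollection of the March 2017 Windows 7 packages and are superseded by later rollups, so treat that check as a prompt to verify against the Microsoft bulletin, not as a verdict.

```powershell
# Added example for this thread, not code from the original post, from Aura or from
# BleepingComputer. Run from an elevated PowerShell prompt on Windows 7 SP1.
# Assumptions are marked inline.

# --- 1. Recent evidence of the symptom in the System log ---
# Event IDs are the ones that appear in the FRST log posted above:
# BugCheck 1001 (reboot after a crash), Server 2505 (SMB server could not bind),
# NetBT 4321 (NetBIOS name conflict with another host).
function Get-RecentCrashEvidence {
    param([int]$Days = 7)
    $since = (Get-Date).AddDays(-$Days)
    Get-EventLog -LogName System -After $since |
        Where-Object {
            ($_.Source -eq 'BugCheck' -and $_.EventID -eq 1001) -or
            ($_.Source -eq 'Server'   -and $_.EventID -eq 2505) -or
            ($_.Source -eq 'NetBT'    -and $_.EventID -eq 4321)
        } |
        Select-Object TimeGenerated, Source, EventID, Message
}

# --- 2. SMBv1 server state, and how to turn it off ---
# Windows 7 has no Set-SmbServerConfiguration; Microsoft's documented method (KB2696547)
# is the DWORD value SMB1 under LanmanServer\Parameters: 0 = disabled, 1 or absent = enabled.
$smbParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

function Get-Smb1ServerState {
    $item = Get-ItemProperty -Path $smbParams -ErrorAction SilentlyContinue
    if ($item -and $item.PSObject.Properties['SMB1'] -and $item.SMB1 -eq 0) { 'Disabled' }
    else { 'Enabled' }
}

function Disable-Smb1Server {
    # Server side: stop accepting SMB1 sessions (takes effect after a reboot).
    Set-ItemProperty -Path $smbParams -Name SMB1 -Type DWORD -Value 0 -Force
    # Client side (also from KB2696547): stop this host negotiating SMB1 outbound.
    sc.exe config lanmanworkstation depend= bowser/mrxsmb20/nsi | Out-Null
    sc.exe config mrxsmb10 start= disabled | Out-Null
}

# --- 3. Is MS17-010, the fix for CVE-2017-0144, installed? ---
# Assumption: the March 2017 Windows 7 SP1 packages were KB4012212 (security-only) and
# KB4012215 (monthly rollup). Later cumulative rollups supersede them, so a miss here
# means "check the bulletin", not "definitely unpatched".
function Test-Ms17010Installed {
    param([string[]]$KnownKbs = @('KB4012212', 'KB4012215'))
    $installed = Get-HotFix | ForEach-Object { $_.HotFixID }
    foreach ($kb in $KnownKbs) {
        if ($installed -contains $kb) { return $true }
    }
    return $false
}

# --- 4. Which peers currently hold an SMB session to this host? ---
# Windows 7 lacks Get-NetTCPConnection, so parse netstat. Established inbound sessions
# on TCP 445 are the neighbours to inspect for infection; the thread's own clue is the
# 10.1.11.x host named in the NetBT 4321 events.
function Get-InboundSmbPeers {
    netstat -ano -p TCP | ForEach-Object {
        if ($_ -match '^\s*TCP\s+\S+:445\s+(\S+):\d+\s+ESTABLISHED') { $Matches[1] }
    } | Sort-Object -Unique
}

# --- Run the checklist ---
'SMBv1 server    : ' + (Get-Smb1ServerState)
'MS17-010 KB seen: ' + (Test-Ms17010Installed)
'Inbound SMB peers: ' + ((Get-InboundSmbPeers) -join ', ')
Get-RecentCrashEvidence | Format-Table -AutoSize

# Uncomment once you have reviewed the output above, then reboot:
# Disable-Smb1Server
```

Two caveats before running Disable-Smb1Server: the Computer Browser service that shows up in the System log above relies on SMB1 and stops working once it is off, as does access to any old NAS or printer that only speaks SMB1; and turning SMBv1 off reduces exposure but is not the fix for CVE-2017-0144, which is the MS17-010 update, so the hotfix check and the Windows Update step from post #2 still matter.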


#13 Aura

Aura

    Bleepin' Special Ops


  • Malware Response Team
  • 19,681 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:08:59 PM

Posted 09 September 2017 - 09:47 AM

Hi rexmale,

Are you still with me?



#14 Aura

Aura

    Bleepin' Special Ops


  • Malware Response Team
  • 19,681 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:08:59 PM

Posted 11 September 2017 - 07:29 AM

Due to the lack of feedback, this topic is now closed.

In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days.

Please include a link to your topic in the Private Message. Thank you.





