
had a virus and ransomware


This topic is locked
3 replies to this topic

#1 ttyphoon29 (Members, 2 posts)

Posted 17 September 2017 - 07:40 PM
ComboFix 17-09-14.01 - Family 09/17/2017  20:05:22.1.2 - x64
Microsoft Windows 7 Ultimate   6.1.7601.1.1252.1.1033.18.6109.3606 [GMT -4:00]
Running from: c:\users\Family\Downloads\ComboFix.exe
AV: AVG Antivirus *Disabled/Outdated* {4D41356F-32AD-7C42-C820-63775EE4F413}
AV: Malwarebytes *Enabled/Updated* {23007AD3-69FE-687C-2629-D584AFFAF72B}
FW: AVG Antivirus *Enabled* {757AB44A-78C2-7D1A-E37F-CA42A037B368}
SP: AVG Antivirus *Disabled/Outdated* {F620D48B-1497-73CC-F290-58052563BEAE}
SP: Malwarebytes *Enabled/Updated* {98619B37-4FC4-67F2-1C99-EEF6D47DBD96}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\security\logs\scecomp.log
.
.
(((((((((((((((((((((((((   Files Created from 2017-08-18 to 2017-09-18  )))))))))))))))))))))))))))))))
.
.
2017-09-18 00:30 . 2017-09-17 21:09 -------- d-----w- c:\windows\Panther
2017-09-18 00:15 . 2017-09-18 00:15 -------- d-----w- c:\users\Default\AppData\Local\temp
2017-09-17 22:58 . 2017-07-26 13:15 53008 ----a-w- c:\windows\system32\TURegOpt.exe
2017-09-17 22:58 . 2017-07-26 13:11 44304 ----a-w- c:\windows\system32\authuitu.dll
2017-09-17 22:58 . 2017-07-26 13:11 42256 ----a-w- c:\windows\SysWow64\authuitu.dll
2017-09-17 22:40 . 2017-09-17 22:39 547480 ----a-w- c:\windows\system32\drivers\avgNetSec.sys
2017-09-17 22:40 . 2017-09-17 22:38 402608 ----a-w- c:\windows\system32\avgBoot.exe
2017-09-17 22:39 . 2017-09-17 22:39 29944 ----a-w- c:\windows\system32\drivers\avgNetNd6.sys
2017-09-17 22:36 . 2017-09-17 22:57 -------- d-----w- c:\program files (x86)\AVG
2017-09-17 22:35 . 2017-09-17 23:56 -------- d-----w- c:\programdata\Avg
2017-09-17 22:35 . 2017-09-17 22:35 -------- d--h--w- c:\programdata\Common Files
2017-09-17 21:06 . 2017-09-17 21:06 -------- d-----w- c:\program files\CCleaner
2017-09-17 21:04 . 2017-09-17 21:04 -------- d-----w- c:\program files\SUPERAntiSpyware
2017-09-17 21:04 . 2017-09-17 21:04 -------- d-----w- c:\programdata\SUPERAntiSpyware.com
2017-09-17 20:52 . 2012-02-17 06:38 1112064 ----a-w- c:\windows\system32\rdpcorets.dll
2017-09-17 20:52 . 2012-02-17 06:38 1031680 ----a-w- c:\windows\system32\rdpcore.dll
2017-09-17 20:52 . 2012-02-17 05:34 826880 ----a-w- c:\windows\SysWow64\rdpcore.dll
2017-09-17 20:52 . 2012-02-17 04:58 210944 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2017-09-17 20:52 . 2012-02-17 04:57 23552 ----a-w- c:\windows\system32\drivers\tdtcp.sys
2017-09-17 20:51 . 2017-09-17 22:58 -------- d-sh--w- c:\windows\Installer
2017-09-17 20:50 . 2017-09-17 20:50 192960 ----a-w- c:\windows\system32\drivers\MBAMChameleon.sys
2017-09-17 20:50 . 2017-09-17 22:45 84256 ----a-w- c:\windows\system32\drivers\mwac.sys
2017-09-17 20:50 . 2017-09-17 22:45 45472 ----a-w- c:\windows\system32\drivers\mbam.sys
2017-09-17 20:50 . 2017-09-17 22:45 253888 ----a-w- c:\windows\system32\drivers\MBAMSwissArmy.sys
2017-09-17 20:50 . 2017-08-24 15:27 77440 ----a-w- c:\windows\system32\drivers\mbae64.sys
2017-09-17 20:50 . 2017-09-17 20:50 -------- d-----w- c:\programdata\Malwarebytes
2017-09-17 20:50 . 2017-09-17 20:50 -------- d-----w- c:\program files\Malwarebytes
2017-09-17 20:45 . 2017-09-17 20:46 -------- d-----w- c:\program files (x86)\Google
2017-09-17 20:41 . 2017-09-17 20:42 -------- d-----w- c:\users\Family
2017-09-17 05:17 . 2017-09-17 05:17 -------- d-----w- C:\Windows.old
2017-09-17 02:21 . 2017-09-17 02:21 -------- d-----w- C:\$AV_ASW
2017-09-17 02:14 . 2017-09-17 02:14 -------- d-----w- C:\Downloads
2017-09-17 01:34 . 2017-09-17 20:41 -------- d-----w- C:\Recovery
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2017-08-17 7964064]
"CCleaner Monitoring"="c:\program files\CCleaner\CCleaner64.exe" [2017-09-07 9855192]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MBAMService]
@="Service"
.
R3 avgHwid;avgHwid;c:\windows\system32\drivers\avgHwid.sys;c:\windows\SYSNATIVE\drivers\avgHwid.sys [x]
R3 dmvsc;dmvsc;c:\windows\system32\drivers\dmvsc.sys;c:\windows\SYSNATIVE\drivers\dmvsc.sys [x]
R3 MBAMProtection;MBAMProtection;c:\windows\system32\drivers\mbam.sys;c:\windows\SYSNATIVE\drivers\mbam.sys [x]
R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys;c:\windows\SYSNATIVE\drivers\rdpvideominiport.sys [x]
R3 Synth3dVsc;Synth3dVsc;c:\windows\system32\drivers\synth3dvsc.sys;c:\windows\SYSNATIVE\drivers\synth3dvsc.sys [x]
R3 terminpt;Microsoft Remote Desktop Input Driver;c:\windows\system32\drivers\terminpt.sys;c:\windows\SYSNATIVE\drivers\terminpt.sys [x]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys;c:\windows\SYSNATIVE\drivers\tsusbflt.sys [x]
R3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys;c:\windows\SYSNATIVE\drivers\TsUsbGD.sys [x]
R3 tsusbhub;tsusbhub;c:\windows\system32\drivers\tsusbhub.sys;c:\windows\SYSNATIVE\drivers\tsusbhub.sys [x]
R3 VGPU;VGPU;c:\windows\system32\drivers\rdvgkmd.sys;c:\windows\SYSNATIVE\drivers\rdvgkmd.sys [x]
S0 avgRvrt;avgRvrt;c:\windows\\SystemRoot\system32\drivers\avgRvrt.sys;c:\windows\\SystemRoot\system32\drivers\avgRvrt.sys [x]
S1 avgSP;avgSP;c:\windows\system32\drivers\avgSP.sys;c:\windows\SYSNATIVE\drivers\avgSP.sys [x]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV64.SYS;c:\program files\SUPERAntiSpyware\SASDIFSV64.SYS [x]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL64.SYS;c:\program files\SUPERAntiSpyware\SASKUTIL64.SYS [x]
S2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCORE64.EXE;c:\program files\SUPERAntiSpyware\SASCORE64.EXE [x]
S2 AVG Antivirus;AVG Antivirus;c:\program files (x86)\AVG\Antivirus\AVGSvc.exe;c:\program files (x86)\AVG\Antivirus\AVGSvc.exe [x]
S2 avgMonFlt;avgMonFlt;c:\windows\system32\drivers\avgMonFlt.sys;c:\windows\SYSNATIVE\drivers\avgMonFlt.sys [x]
S2 avgsvc;AVG Service;c:\program files (x86)\AVG\Framework\Common\avgsvca.exe;c:\program files (x86)\AVG\Framework\Common\avgsvca.exe [x]
S2 TuneUp.UtilitiesSvc;AVG PC TuneUp Service;c:\program files (x86)\AVG\AVG PC TuneUp\TuneUpUtilitiesService64.exe;c:\program files (x86)\AVG\AVG PC TuneUp\TuneUpUtilitiesService64.exe [x]
S3 AVG Firewall;AVG Firewall Service;c:\program files (x86)\AVG\Antivirus\afwServ.exe;c:\program files (x86)\AVG\Antivirus\afwServ.exe [x]
S3 avgbdisk;avgbdisk;c:\windows\system32\drivers\avgbdiska.sys;c:\windows\SYSNATIVE\drivers\avgbdiska.sys [x]
S3 avgbIDSAgent;avgbIDSAgent;c:\program files (x86)\AVG\Antivirus\x64\aswidsagenta.exe;c:\program files (x86)\AVG\Antivirus\x64\aswidsagenta.exe [x]
S3 avgbidsdriver;avgbidsdriver;c:\windows\system32\drivers\avgbidsdrivera.sys;c:\windows\SYSNATIVE\drivers\avgbidsdrivera.sys [x]
S3 avgbidsh;avgbidsh;c:\windows\system32\drivers\avgbidsha.sys;c:\windows\SYSNATIVE\drivers\avgbidsha.sys [x]
S3 avgblog;avgblog;c:\windows\system32\drivers\avgbloga.sys;c:\windows\SYSNATIVE\drivers\avgbloga.sys [x]
S3 avgbuniv;avgbuniv;c:\windows\system32\drivers\avgbuniva.sys;c:\windows\SYSNATIVE\drivers\avgbuniva.sys [x]
S3 avgNetNd6;AVG Firewall NDIS6 Helper;c:\windows\system32\DRIVERS\avgNetNd6.sys;c:\windows\SYSNATIVE\DRIVERS\avgNetNd6.sys [x]
S3 avgNetSec;avgNetSec;c:\windows\system32\drivers\avgNetSec.sys;c:\windows\SYSNATIVE\drivers\avgNetSec.sys [x]
S3 avgRdr;avgRdr;c:\windows\system32\drivers\avgRdr2.sys;c:\windows\SYSNATIVE\drivers\avgRdr2.sys [x]
S3 avgSnx;avgSnx;c:\windows\system32\drivers\avgSnx.sys;c:\windows\SYSNATIVE\drivers\avgSnx.sys [x]
S3 avgStm;avgStm;c:\windows\system32\drivers\avgStm.sys;c:\windows\SYSNATIVE\drivers\avgStm.sys [x]
S3 avgVmm;avgVmm;c:\windows\system32\drivers\avgVmm.sys;c:\windows\SYSNATIVE\drivers\avgVmm.sys [x]
S3 MBAMService;Malwarebytes Service;c:\program files\Malwarebytes\Anti-Malware\mbamservice.exe;c:\program files\Malwarebytes\Anti-Malware\mbamservice.exe [x]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\MBAMSwissArmy.sys;c:\windows\SYSNATIVE\drivers\MBAMSwissArmy.sys [x]
S3 netr28x;Ralink 802.11n Wireless Driver for Windows Vista;c:\windows\system32\DRIVERS\netr28x.sys;c:\windows\SYSNATIVE\DRIVERS\netr28x.sys [x]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys;c:\windows\SYSNATIVE\DRIVERS\Rt64win7.sys [x]
S3 TuneUpUtilitiesDrv;TuneUpUtilitiesDrv;c:\program files (x86)\AVG\AVG PC TuneUp\TuneUpUtilitiesDriver64.sys;c:\program files (x86)\AVG\AVG PC TuneUp\TuneUpUtilitiesDriver64.sys [x]
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - AVGNETND6
*NewlyCreated* - AVGNETSEC
*NewlyCreated* - AVGRVRT
*NewlyCreated* - MBAMPROTECTION
*NewlyCreated* - MBAMSWISSARMY
*NewlyCreated* - SASDIFSV
*NewlyCreated* - TUNEUPUTILITIESDRV
*Deregistered* - ESProtectionDriver
*Deregistered* - MBAMFarflt
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AvgUi"="c:\program files (x86)\AVG\Framework\Common\avguirna.exe" [2017-09-14 239592]
"AVGUI.exe"="c:\program files (x86)\AVG\Antivirus\AvLaunch.exe" [2017-09-17 289248]
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
mLocal Page = c:\windows\SysWOW64\blank.htm
TCP: DhcpNameServer = 75.75.75.75 75.75.76.76 75.75.76.76 75.75.76.76
.
- - - - ORPHANS REMOVED - - - -
.
ShellIconOverlayIdentifiers-{472083B0-C522-11CF-8763-00608CC02F24} - (no file)
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2017-09-17  20:28:36
ComboFix-quarantined-files.txt  2017-09-18 00:28
.
Pre-Run: 174,822,834,176 bytes free
Post-Run: 174,707,220,480 bytes free
.
- - End Of File - - 06B24F5D623B1A7C4185217D76BB4CFD
A36C5E4F47E84449FF07ED3517B43A31

Edited by Orange Blossom, 17 September 2017 - 07:42 PM.
Moved to log forum. ~ OB
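An added example, not part of the original thread and not ComboFix's or BleepingComputer's code: a small Python triage parser that reads a ComboFix log by line shape (the AV/FW/SP product-status header, the registry Run keys, the UAC values under policies\system and the "Files Created" entries) and lists what a responder would look at first. The sample text is constructed from lines of the log posted above plus one assumed, hypothetical `example.exe` entry under the user profile, added only to exercise the user-writable-location check; the flagging rules (product Disabled or Outdated, ConsentPromptBehaviorAdmin set to 0, binaries outside Windows and Program Files or under a temp directory) are this example's assumptions, not anything ComboFix reports itself.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample: every line but the last is copied from the log posted
# above. The final "example.exe" entry is ASSUMED (hypothetical), added only
# to exercise the user-writable-location check; it does not appear in the log.
SAMPLE_LOG = r"""
AV: AVG Antivirus *Disabled/Outdated* {4D41356F-32AD-7C42-C820-63775EE4F413}
AV: Malwarebytes *Enabled/Updated* {23007AD3-69FE-687C-2629-D584AFFAF72B}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2017-08-17 7964064]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
.
2017-09-17 22:58 . 2017-07-26 13:15 53008 ----a-w- c:\windows\system32\TURegOpt.exe
2017-09-17 20:50 . 2017-09-17 20:50 -------- d-----w- c:\programdata\Malwarebytes
2017-09-16 11:02 . 2017-09-16 11:02 183808 ----a-w- c:\users\Family\AppData\Roaming\example.exe
"""

# Line shapes ComboFix uses; section banners match none of them and are skipped.
PRODUCT_RE = re.compile(r"^(AV|FW|SP): (.+?) \*(.+?)\* \{[0-9A-Fa-f-]+\}$")
REG_KEY_RE = re.compile(r"^\[(HKEY_[^\]]+)\]$")
REG_VAL_RE = re.compile(r'^"([^"]+)"\s*=\s*(.+)$')
FILE_RE = re.compile(
    r"^(\d{4}-\d\d-\d\d \d\d:\d\d) \. (\d{4}-\d\d-\d\d \d\d:\d\d)\s+"
    r"(\d+|-{8})\s+([a-z-]{8})\s+(.+)$"
)
EXEC_EXT = (".exe", ".dll", ".sys", ".scr", ".com")
SYSTEM_PREFIXES = ("c:\\windows\\", "c:\\program files")  # assumed "trusted" roots


@dataclass
class FileEntry:
    created: str
    modified: str
    size: Optional[int]  # None for directories (ComboFix prints "--------")
    attrs: str           # "----a-w-" for a file, "d-----w-" for a directory
    path: str


@dataclass
class Triage:
    products: List[Tuple[str, str, str]] = field(default_factory=list)  # kind, name, status
    run_entries: Dict[str, Dict[str, str]] = field(default_factory=dict)
    uac: Dict[str, object] = field(default_factory=dict)
    files: List[FileEntry] = field(default_factory=list)


def parse_combofix(text: str) -> Triage:
    # Registry value lines attach to the most recent [key] line seen.
    t = Triage()
    current_key = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == ".":
            continue
        m = PRODUCT_RE.match(line)
        if m:
            t.products.append(m.groups())
            continue
        m = REG_KEY_RE.match(line)
        if m:
            current_key = m.group(1)
            continue
        m = REG_VAL_RE.match(line)
        if m and current_key:
            name, value = m.groups()
            key = current_key.lower()
            if key.endswith("policies\\system"):
                first = value.split()[0]  # "5 (0x5)" -> 5
                t.uac[name] = int(first) if first.isdigit() else value
            elif key.endswith("\\run"):
                t.run_entries.setdefault(current_key, {})[name] = value
            continue
        m = FILE_RE.match(line)
        if m:
            created, modified, size, attrs, path = m.groups()
            t.files.append(FileEntry(created, modified,
                                     None if size.startswith("-") else int(size),
                                     attrs, path))
    return t


def assess(t: Triage) -> List[str]:
    # Findings to check first. The thresholds are assumptions, not ComboFix's.
    findings = []
    for kind, name, status in t.products:
        if "Disabled" in status or "Outdated" in status:
            findings.append(f"{kind}: {name} is {status}")
    # 0 = administrators elevate silently; 5 (prompt for consent for
    # non-Windows binaries) is the Windows 7 default, as in the log above.
    if t.uac.get("ConsentPromptBehaviorAdmin") == 0:
        findings.append("UAC: ConsentPromptBehaviorAdmin=0 (silent elevation)")
    for f in t.files:
        low = f.path.lower()
        if f.attrs.startswith("d") or not low.endswith(EXEC_EXT):
            continue
        if not low.startswith(SYSTEM_PREFIXES) or "\\temp\\" in low:
            findings.append(f"binary in user-writable/temp location: {f.path} "
                            f"(created {f.created})")
    return findings


if __name__ == "__main__":
    for finding in assess(parse_combofix(SAMPLE_LOG)):
        print(finding)
```

Run against the sample this prints the AVG and Windows Defender status lines and the hypothetical `example.exe` entry; the UAC values in the log are the Windows 7 defaults and produce nothing. Treat the output as pointers for the FRST review the responder asks for below, not as verdicts: a product showing Disabled/Outdated minutes after it was installed is often just a signature set that has not updated yet, and a binary under a user profile is where many legitimate updaters live too.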



#2 garioch7 (RCMP Veteran; Malware Response Instructor, 3,693 posts; Port Hood, Nova Scotia, Canada)

Posted 19 September 2017 - 10:23 AM

ttyphoon29:

Welcome to the Bleeping Computer Virus, Trojans, Spyware, and Malware Removal Logs Forum. My name is Phil. May I address you by your first name?

I will be assisting you with your computer issues. I will endeavor to respond within a reasonable time, normally 48 hours after your last post.

I would ask that you please continue to copy and paste the contents of all requested log files directly into your replies. Please do not use "code" or "quote" boxes. Thank you for your anticipated cooperation.

Please follow the instructions in this post and provide me with FRST logs, copied and pasted into your next reply.

You should also be aware that running ComboFix, without having been trained in its use, and limitations, is not recommended. See this post by quietman7, one of Bleeping Computer's leading computer security experts.

I will need some time to review your FRST logs once I receive them. That could take a day or two.

PLEASE DO NOT RUN ANY ADDITIONAL SCANS OR ANTI-MALWARE REMOVAL TOOLS UNTIL YOU HAVE RECEIVED A RESPONSE FROM ME.
Doing so would complicate the situation and it would cause further delays in resolving your issues. It could also potentially result in harm to your computer because my "fix" will be based on the FRST scan logs you submit.

Thank you and have a great day.

Regards,
-Phil

Member of the Unified Network of Instructors and Trusted Eliminators


#3 garioch7 (RCMP Veteran; Malware Response Instructor, 3,693 posts; Port Hood, Nova Scotia, Canada)

Posted 22 September 2017 - 11:29 AM

ttyphoon29:

Are you still there? Do you still require assistance? It has been three days since I last posted to you.

According to Forum policy, topics must be concluded after five days of non-response from the Topic Starter.

If I have not heard from you in another two days, I will conclude your topic. You can always reopen it by sending a Personal Message to a Moderator.

Thank you and have a great day.

Regards,
-Phil



#4 garioch7 (RCMP Veteran; Malware Response Instructor, 3,693 posts; Port Hood, Nova Scotia, Canada)

Posted 24 September 2017 - 05:11 AM

Due to the lack of feedback, this topic is now closed.

In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days.

Please include a link to your topic in the Private Message. Thank you.
