
zeroaccess rootkit found on old laptop


This topic is locked
8 replies to this topic

#1 hocktastic (Members, 22 posts)

Posted 02 October 2017 - 11:56 PM

Following advice on another thread from Malware Response Team member nasdaq, I have done the following:

Run the Farbar program and post both logs.

Run the Rkill program and post the log.

Thanks,

Rachael


Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 01-10-2017

Ran by Home (administrator) on HOME-TOSH (03-10-2017 05:22:58)
Running from C:\Users\Home\Downloads
Loaded Profiles: Home (Available Profiles: Home & DefaultAppPool)
Platform: Microsoft Windows 7 Home Premium  Service Pack 1 (X86) Language: English (United States)
Internet Explorer Version 11 (Default browser: Chrome)
Boot Mode: Normal
 
==================== Processes (Whitelisted) =================
 
(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)
 
(Microsoft Corporation) C:\Program Files\Microsoft Security Client\MsMpEng.exe
(SurfRight B.V.) C:\Program Files\HitmanPro\hmpsched.exe
(Apple Inc.) C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
(McAfee, Inc.) C:\Windows\System32\mfevtps.exe
(TOSHIBA Corporation) C:\Windows\System32\TODDSrv.exe
(TOSHIBA Corporation) C:\Program Files\TOSHIBA\Power Saver\TosCoSrv.exe
(TOSHIBA Corporation) C:\Program Files\TOSHIBA\TECO\TecoService.exe
(Microsoft Corp.) C:\Program Files\Common Files\microsoft shared\Windows Live\WLIDSVC.EXE
(Microsoft Corp.) C:\Program Files\Common Files\microsoft shared\Windows Live\WLIDSVCM.EXE
(McAfee, Inc.) C:\Program Files\Common Files\Mcafee\SystemCore\mfefire.exe
(TOSHIBA CORPORATION) C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
(TOSHIBA CORPORATION) C:\Program Files\TOSHIBA\ConfigFree\CFSwMgr.exe
(Microsoft Corporation) C:\Program Files\Microsoft Security Client\NisSrv.exe
(TOSHIBA CORPORATION) C:\Program Files\TOSHIBA\Utilities\KeNotify.exe
(Toshiba Europe GmbH) C:\Program Files\Toshiba TEMPRO\TemproTray.exe
(TOSHIBA Corporation) C:\Program Files\TOSHIBA\BulletinBoard\TosNcCore.exe
(TOSHIBA Corporation) C:\Program Files\TOSHIBA\ReelTime\TosReelTimeMonitor.exe
(Intel Corporation) C:\Windows\System32\igfxtray.exe
(Intel Corporation) C:\Windows\System32\hkcmd.exe
(Intel Corporation) C:\Windows\System32\igfxpers.exe
(Intel Corporation) C:\Windows\System32\igfxsrvc.exe
(TOSHIBA Corporation) C:\Program Files\TOSHIBA\Power Saver\TPwrMain.exe
(TOSHIBA Corporation) C:\Program Files\TOSHIBA\SmoothView\SmoothView.exe
(TOSHIBA Corporation) C:\Program Files\TOSHIBA\FlashCards\TCrdMain.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe
(Synaptics Incorporated) C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
(Intel Corporation) C:\Windows\System32\igfxext.exe
(TOSHIBA Corporation) C:\Program Files\TOSHIBA\TECO\TEco.exe
(Synaptics Incorporated) C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
(Toshiba Europe GmbH) C:\Program Files\TOSHIBA\Registration\ToshibaReminder.exe
(Microsoft Corporation) C:\Program Files\Microsoft Security Client\msseces.exe
(Microsoft Corporation) C:\Windows\System32\wuauclt.exe
(TOSHIBA CORPORATION) C:\Program Files\TOSHIBA\ConfigFree\CFIWmxSvcs.exe
(TOSHIBA CORPORATION) C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
(HP Inc.) C:\Program Files\Hewlett-Packard\HP Support Solutions\HPSupportSolutionsFrameworkService.exe
(TOSHIBA Corporation) C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSmartSrv.exe
(TOSHIBA Corporation) C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSENotify.exe
(TOSHIBA Corporation) C:\Program Files\TOSHIBA\TPHM\TPCHSrv.exe
(TOSHIBA Corporation) C:\Program Files\TOSHIBA\TPHM\TPCHWMsg.exe
(RealNetworks, Inc.) C:\Program Files\Real\RealPlayer\Update\realsched.exe
(Facebook Inc.) C:\Users\Home\AppData\Local\Facebook\Update\FacebookUpdate.exe
(Google Inc.) C:\Program Files\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files\Google\Chrome\Application\chrome.exe
(Microsoft Corporation) C:\Windows\System32\osk.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe
 
==================== Registry (Whitelisted) ===========================
 
(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)
 
HKLM\...\Run: [SVPWUTIL] => C:\Program Files\TOSHIBA\Utilities\SVPWUTIL.exe [352256 2009-08-12] (TOSHIBA CORPORATION)
HKLM\...\Run: [HWSetup] => C:\Program Files\TOSHIBA\Utilities\HWSetup.exe [425984 2009-06-02] (TOSHIBA Electronics, Inc.)
HKLM\...\Run: [KeNotify] => C:\Program Files\TOSHIBA\Utilities\KeNotify.exe [34088 2009-01-13] (TOSHIBA CORPORATION)
HKLM\...\Run: [TosSENotify] => C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosWaitSrv.exe [611672 2009-08-03] (TOSHIBA Corporation)
HKLM\...\Run: [Toshiba TEMPRO] => C:\Program Files\Toshiba TEMPRO\TemproTray.exe [1546720 2011-02-10] (Toshiba Europe GmbH)
HKLM\...\Run: [TosNC] => C:\Program Files\Toshiba\BulletinBoard\TosNcCore.exe [466792 2009-08-06] (TOSHIBA Corporation)
HKLM\...\Run: [TosReelTimeMonitor] => C:\Program Files\TOSHIBA\ReelTime\TosReelTimeMonitor.exe [29528 2009-08-06] (TOSHIBA Corporation)
HKLM\...\Run: [TPwrMain] => C:\Program Files\TOSHIBA\Power Saver\TPwrMain.EXE [476512 2009-08-05] (TOSHIBA Corporation)
HKLM\...\Run: [SmoothView] => C:\Program Files\Toshiba\SmoothView\SmoothView.exe [521528 2009-08-13] (TOSHIBA Corporation)
HKLM\...\Run: [00TCrdMain] => C:\Program Files\TOSHIBA\FlashCards\TCrdMain.exe [738616 2009-08-05] (TOSHIBA Corporation)
HKLM\...\Run: [RtHDVCpl] => C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe [7625248 2009-07-28] (Realtek Semiconductor)
HKLM\...\Run: [SynTPEnh] => C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [1545512 2009-07-20] (Synaptics Incorporated)
HKLM\...\Run: [SmartFaceVWatcher] => C:\Program Files\Toshiba\SmartFaceV\SmartFaceVWatcher.exe [163840 2009-07-29] (TOSHIBA Corporation)
HKLM\...\Run: [Teco] => C:\Program Files\TOSHIBA\TECO\Teco.exe [1324384 2009-08-26] (TOSHIBA Corporation)
HKLM\...\Run: [TosWaitSrv] => C:\Program Files\TOSHIBA\TPHM\TosWaitSrv.exe [611672 2009-08-06] (TOSHIBA Corporation)
HKLM\...\Run: [TWebCamera] => C:\Program Files\TOSHIBA\TOSHIBA Web Camera Application\TWebCamera.exe [2446648 2009-08-11] (TOSHIBA CORPORATION.)
HKLM\...\Run: [Toshiba Registration] => C:\Program Files\Toshiba\Registration\ToshibaReminder.exe [134032 2009-07-30] (Toshiba Europe GmbH)
HKLM\...\Run: [TkBellExe] => c:\program files\real\realplayer\Update\realsched.exe [273528 2011-10-25] (RealNetworks, Inc.)
HKLM\...\Run: [APSDaemon] => C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe [59720 2013-09-13] (Apple Inc.)
HKLM\...\Run: [MSC] => C:\Program Files\Microsoft Security Client\msseces.exe [1002984 2016-11-14] (Microsoft Corporation)
HKU\S-1-5-21-406935302-2526777770-957223088-1001\...\Run: [CCleaner Monitoring] => C:\Program Files\CCleaner\CCleaner.exe [6405912 2015-06-01] (Piriform Ltd)
HKU\S-1-5-18\...\Run: [TOSHIBA Online Product Information] => C:\Program Files\TOSHIBA\Toshiba Online Product Information\topi.exe [6203296 2009-08-12] (TOSHIBA)
BootExecute: autocheck autochk * bootdeletebootdelete
 
==================== Internet (Whitelisted) ====================
 
(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)
 
Tcpip\Parameters: [DhcpNameServer] 192.168.0.1
Tcpip\..\Interfaces\{863F8E20-B4C0-4287-9792-4C36BC567725}: [DhcpNameServer] 192.168.1.254
Tcpip\..\Interfaces\{D8938686-5869-47BD-A8CE-54DC1BFB6709}: [DhcpNameServer] 192.168.0.1
Tcpip\..\Interfaces\{F2BE6767-432D-4957-AC18-D83308F79512}: [DhcpNameServer] 10.239.24.5
 
Internet Explorer:
==================
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=msnhome
HKU\S-1-5-21-406935302-2526777770-957223088-1001\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKU\S-1-5-21-406935302-2526777770-957223088-1001\Software\Microsoft\Internet Explorer\Main,Start Page = hxxps://www.google.co.uk/
BHO: HP Print Enhancer -> {0347C33E-8762-4905-BF09-768834316C61} -> C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_printenhancer.dll [2009-05-21] (Hewlett-Packard Co.)
BHO: Adobe PDF Link Helper -> {18DF081C-E8AD-4283-A596-FA578C2EBDC3} -> C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll [2012-07-27] (Adobe Systems Incorporated)
BHO: RealPlayer Download and Record Plugin for Internet Explorer -> {3049C3E9-B461-4BC5-8870-4C09146192CA} -> C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll [2011-10-25] (RealPlayer)
BHO: scriptproxy -> {7DB2D5A0-7241-4E79-B68D-6309F01C5231} -> C:\Program Files\Common Files\McAfee\SystemCore\ScriptSn.20120507143030.dll [2012-03-20] (McAfee, Inc.)
BHO: Windows Live ID Sign-in Helper -> {9030D464-4C02-4ABF-8ECC-5164760863C6} -> C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll [2011-03-28] (Microsoft Corp.)
BHO: Skype Browser Helper -> {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} -> C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll [2011-10-10] (Skype Technologies S.A.)
BHO: Java™ Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files\Java\jre6\bin\jp2ssv.dll [2009-09-04] (Sun Microsystems, Inc.)
BHO: HP Smart BHO Class -> {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} -> C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll [2009-05-21] (Hewlett-Packard Co.)
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: ms-itss - {0A9007C0-4076-11D3-8789-0000F8105754} - c:\Program Files\Common Files\Microsoft Shared\Information Retrieval\msitss.dll [2007-06-08] (Microsoft Corporation)
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll [2011-10-10] (Skype Technologies S.A.)
 
FireFox:
========
FF HKLM\...\Firefox\Extensions: [{ABDE892B-13A8-4d1b-88E6-365A6E755758}] - C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext
FF Extension: (RealPlayer Browser Record Plugin) - C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext [2017-01-17] [not signed]
FF HKLM\...\Firefox\Extensions: [{D19CA586-DD6C-4a0a-96F8-14644F340D60}] - C:\Program Files\Common Files\McAfee\SystemCore
FF Extension: (No Name) - C:\Program Files\Common Files\McAfee\SystemCore [2012-06-22] [not signed]
FF HKLM\...\Firefox\Extensions: [smartwebprinting@hp.com] - C:\Program Files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3
FF Extension: (HP Smart Web Printing) - C:\Program Files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3 [2015-07-16] [not signed]
FF HKU\S-1-5-21-406935302-2526777770-957223088-1001\...\Firefox\Extensions: [smartwebprinting@hp.com] - C:\Program Files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3
FF Plugin: @adobe.com/ShockwavePlayer -> C:\Windows\system32\Adobe\Director\np32dsw.dll [2011-08-23] (Adobe Systems, Inc.)
FF Plugin: @Apple.com/iTunes,version=1.0 -> C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll [2013-09-09] ()
FF Plugin: @divx.com/DivX Browser Plugin,version=1.0.0 -> C:\Program Files\DivX\DivX Plus Web Player\npdivx32.dll [2009-11-14] (DivX,Inc.)
FF Plugin: @divx.com/DivX Player Plugin,version=1.0.0 -> C:\Program Files\DivX\DivX Player\npDivxPlayerPlugin.dll [2009-11-14] (DivX, Inc)
FF Plugin: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> C:\Program Files\Microsoft Silverlight\5.1.50907.0\npctrl.dll [2017-05-03] ( Microsoft Corporation)
FF Plugin: @microsoft.com/WLPG,version=15.4.3502.0922 -> C:\Program Files\Windows Live\Photo Gallery\NPWLPG.dll [2012-03-08] (Microsoft Corporation)
FF Plugin: @microsoft.com/WLPG,version=15.4.3508.1109 -> C:\Program Files\Windows Live\Photo Gallery\NPWLPG.dll [2012-03-08] (Microsoft Corporation)
FF Plugin: @microsoft.com/WLPG,version=15.4.3555.0308 -> C:\Program Files\Windows Live\Photo Gallery\NPWLPG.dll [2012-03-08] (Microsoft Corporation)
FF Plugin: @real.com/nppl3260;version=12.0.1.669 -> c:\program files\real\realplayer\Netscape6\nppl3260.dll [2011-10-25] (RealNetworks, Inc.)
FF Plugin: @real.com/nprjplug;version=12.0.1.669 -> c:\program files\real\realplayer\Netscape6\nprjplug.dll [2011-10-25] (RealNetworks, Inc.)
FF Plugin: @real.com/nprpchromebrowserrecordext;version=12.0.1.669 -> C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprpchromebrowserrecordext.dll [2011-10-25] (RealNetworks, Inc.)
FF Plugin: @real.com/nprphtml5videoshim;version=12.0.1.669 -> C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprphtml5videoshim.dll [2011-10-25] (RealNetworks, Inc.)
FF Plugin: @real.com/nprpjplug;version=12.0.1.669 -> c:\program files\real\realplayer\Netscape6\nprpjplug.dll [2011-10-25] (RealNetworks, Inc.)
FF Plugin: @tools.google.com/Google Update;version=3 -> C:\Program Files\Google\Update\1.3.33.5\npGoogleUpdate3.dll [2017-04-28] (Google Inc.)
FF Plugin: @tools.google.com/Google Update;version=9 -> C:\Program Files\Google\Update\1.3.33.5\npGoogleUpdate3.dll [2017-04-28] (Google Inc.)
FF Plugin: Adobe Reader -> C:\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll [2012-07-27] (Adobe Systems Inc.)
FF Plugin HKU\S-1-5-21-406935302-2526777770-957223088-1001: @facebook.com/FBPlugin,version=1.0.1 -> C:\Users\Home\AppData\Roaming\Facebook\npfbplugin_1_0_1.dll [No File]
FF Plugin HKU\S-1-5-21-406935302-2526777770-957223088-1001: @Skype Limited.com/Facebook Video Calling Plugin -> C:\Users\Home\AppData\Local\Facebook\Video\Skype\npFacebookVideoCalling.dll [2014-07-24] (Skype Limited)
 
Chrome: 
=======
CHR DefaultProfile: Profile 1
CHR Profile: C:\Users\Home\AppData\Local\Google\Chrome\User Data\Default [2017-09-11]
CHR Extension: (Google Docs) - C:\Users\Home\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake [2015-02-05]
CHR Extension: (Google Drive) - C:\Users\Home\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2015-02-05]
CHR Extension: (YouTube) - C:\Users\Home\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2015-02-05]
CHR Extension: (Google Search) - C:\Users\Home\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf [2015-03-28]
CHR Extension: (AdBlock) - C:\Users\Home\AppData\Local\Google\Chrome\User Data\Default\Extensions\gighmmpiobklfepjocnamgkkbiglidom [2015-06-15]
CHR Extension: (RealPlayer HTML5Video Downloader Extension) - C:\Users\Home\AppData\Local\Google\Chrome\User Data\Default\Extensions\jfmjfhklogoienhpfnppmbcbjfjnkonk [2013-05-17]
CHR Extension: (Chrome Hotword Shared Module) - C:\Users\Home\AppData\Local\Google\Chrome\User Data\Default\Extensions\lccekmodgklaepjeofjdjpbminllajkg [2015-05-27]
CHR Extension: (Skype Click to Call) - C:\Users\Home\AppData\Local\Google\Chrome\User Data\Default\Extensions\lifbcibllhkdhoafpjfnlhfpfgnpldfl [2015-05-18]
CHR Extension: (Google Wallet) - C:\Users\Home\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2015-05-18]
CHR Extension: (Gmail) - C:\Users\Home\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2015-03-29]
CHR Profile: C:\Users\Home\AppData\Local\Google\Chrome\User Data\Guest Profile [2016-06-22]
CHR Profile: C:\Users\Home\AppData\Local\Google\Chrome\User Data\Profile 1 [2017-10-03]
CHR Extension: (Google Slides) - C:\Users\Home\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\aapocclcgogkmnckokdopfmhonfmgoek [2015-07-13]
CHR Extension: (Google Docs) - C:\Users\Home\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\aohghmighlieiainnegkcijnfilokake [2015-07-13]
CHR Extension: (Google Drive) - C:\Users\Home\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\apdfllckaahabafndbhieahigkjlhalf [2015-10-23]
CHR Extension: (YouTube) - C:\Users\Home\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2015-09-25]
CHR Extension: (Google Search) - C:\Users\Home\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\coobgpohoikkiipiblmjeljniedjpjpf [2015-10-28]
CHR Extension: (Google Sheets) - C:\Users\Home\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\felcaaldnbdncclmgdcncolpebgiejap [2015-07-13]
CHR Extension: (Google Docs Offline) - C:\Users\Home\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi [2016-03-16]
CHR Extension: (AdBlock) - C:\Users\Home\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\gighmmpiobklfepjocnamgkkbiglidom [2017-10-01]
CHR Extension: (Pinterest Save Button) - C:\Users\Home\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\gpdjojdkbbmdfjfahjcgigfpmkopogic [2017-09-23]
CHR Extension: (RealPlayer HTML5Video Downloader Extension) - C:\Users\Home\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\jfmjfhklogoienhpfnppmbcbjfjnkonk [2015-07-13]
CHR Extension: (Skype) - C:\Users\Home\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\lifbcibllhkdhoafpjfnlhfpfgnpldfl [2017-08-05]
CHR Extension: (Chrome Web Store Payments) - C:\Users\Home\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2017-08-23]
CHR Extension: (Gmail) - C:\Users\Home\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2015-07-13]
CHR Extension: (Chrome Media Router) - C:\Users\Home\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm [2017-10-03]
CHR Profile: C:\Users\Home\AppData\Local\Google\Chrome\User Data\System Profile [2016-06-22]
CHR Extension: (Google Slides) - C:\Users\Home\AppData\Local\Google\Chrome\User Data\System Profile\Extensions\aapocclcgogkmnckokdopfmhonfmgoek [2015-07-13]
CHR Extension: (Google Docs) - C:\Users\Home\AppData\Local\Google\Chrome\User Data\System Profile\Extensions\aohghmighlieiainnegkcijnfilokake [2015-07-13]
CHR Extension: (Google Drive) - C:\Users\Home\AppData\Local\Google\Chrome\User Data\System Profile\Extensions\apdfllckaahabafndbhieahigkjlhalf [2015-07-13]
CHR Extension: (YouTube) - C:\Users\Home\AppData\Local\Google\Chrome\User Data\System Profile\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2015-07-13]
CHR Extension: (Google Search) - C:\Users\Home\AppData\Local\Google\Chrome\User Data\System Profile\Extensions\coobgpohoikkiipiblmjeljniedjpjpf [2015-07-13]
CHR Extension: (Complitly plugin for chrome) - C:\Users\Home\AppData\Local\Google\Chrome\User Data\System Profile\Extensions\dlfienamagdnkekbbbocojppncdambda [2015-07-13] [UpdateUrl: hxxp://www.predictad.com/update/chrome/?si=36909&ver=1.1] <==== ATTENTION
CHR Extension: (Google Sheets) - C:\Users\Home\AppData\Local\Google\Chrome\User Data\System Profile\Extensions\felcaaldnbdncclmgdcncolpebgiejap [2015-07-13]
CHR Extension: (RealPlayer HTML5Video Downloader Extension) - C:\Users\Home\AppData\Local\Google\Chrome\User Data\System Profile\Extensions\jfmjfhklogoienhpfnppmbcbjfjnkonk [2015-07-13]
CHR Extension: (Chrome Hotword Shared Module) - C:\Users\Home\AppData\Local\Google\Chrome\User Data\System Profile\Extensions\lccekmodgklaepjeofjdjpbminllajkg [2015-07-13]
CHR Extension: (Skype Click to Call) - C:\Users\Home\AppData\Local\Google\Chrome\User Data\System Profile\Extensions\lifbcibllhkdhoafpjfnlhfpfgnpldfl [2015-07-13]
CHR Extension: (Google Wallet) - C:\Users\Home\AppData\Local\Google\Chrome\User Data\System Profile\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2015-07-13]
CHR Extension: (Gmail) - C:\Users\Home\AppData\Local\Google\Chrome\User Data\System Profile\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2015-07-13]
CHR HKLM\...\Chrome\Extension: [jfmjfhklogoienhpfnppmbcbjfjnkonk] - C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\Chrome\Ext\rphtml5video.crx [2011-10-25]
CHR HKLM\...\Chrome\Extension: [lifbcibllhkdhoafpjfnlhfpfgnpldfl] - C:\Program Files\Skype\Toolbars\Skype for Chromium\skype_chrome_extension.crx [2011-10-10]
 
==================== Services (Whitelisted) ====================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
R2 cfWiMAXService; C:\Program Files\TOSHIBA\ConfigFree\CFIWmxSvcs.exe [185712 2009-08-10] (TOSHIBA CORPORATION)
R2 ConfigFree Service; C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe [46448 2009-03-10] (TOSHIBA CORPORATION)
S3 GameConsoleService; C:\Program Files\TOSHIBA Games\TOSHIBA Game Console\GameConsoleService.exe [250616 2009-05-22] (WildTangent, Inc.)
R2 HitmanProScheduler; C:\Program Files\HitmanPro\hmpsched.exe [113624 2017-09-11] (SurfRight B.V.)
R3 hpqcxs08; C:\Program Files\HP\Digital Imaging\bin\hpqcxs08.dll [248832 2009-05-21] (Hewlett-Packard Co.) [File not signed]
R2 hpqddsvc; C:\Program Files\HP\Digital Imaging\bin\hpqddsvc.dll [133120 2009-05-21] (Hewlett-Packard Co.) [File not signed]
R2 HPSLPSVC; C:\Program Files\HP\Digital Imaging\bin\HPSLPSVC32.DLL [694784 2009-09-08] (Hewlett-Packard Co.) [File not signed]
R2 HPSupportSolutionsFrameworkService; C:\Program Files\Hewlett-Packard\HP Support Solutions\HPSupportSolutionsFrameworkService.exe [321896 2017-07-06] (HP Inc.)
S2 MBAMService; C:\Program Files\Malwarebytes\Anti-Malware\mbamservice.exe [4430792 2017-08-21] (Malwarebytes)
S2 McShield; C:\Program Files\Common Files\McAfee\SystemCore\\mcshield.exe [166288 2012-03-20] (McAfee, Inc.)
R2 mfefire; C:\Program Files\Common Files\McAfee\SystemCore\\mfefire.exe [161632 2012-03-20] (McAfee, Inc.)
R2 mfevtp; C:\Windows\system32\mfevtps.exe [151880 2012-03-20] (McAfee, Inc.)
R2 MsMpSvc; C:\Program Files\Microsoft Security Client\MsMpEng.exe [103696 2016-11-14] (Microsoft Corporation)
S2 Net Driver HPZ12; C:\Windows\system32\HPZinw12.dll [44544 2008-12-03] (Hewlett-Packard) [File not signed]
R3 NisSrv; C:\Program Files\Microsoft Security Client\NisSrv.exe [280864 2016-11-14] (Microsoft Corporation)
S2 Pml Driver HPZ12; C:\Windows\system32\HPZipm12.dll [53760 2008-12-03] (Hewlett-Packard) [File not signed]
S3 TemproMonitoringService; C:\Program Files\Toshiba TEMPRO\TemproSvc.exe [112080 2011-02-10] (Toshiba Europe GmbH)
S3 TMachInfo; C:\Program Files\TOSHIBA\TOSHIBA Service Station\TMachInfo.exe [51512 2009-08-17] (TOSHIBA Corporation)
R2 TOSHIBA eco Utility Service; C:\Program Files\TOSHIBA\TECO\TecoService.exe [185712 2009-08-27] (TOSHIBA Corporation)
R3 TOSHIBA HDD SSD Alert Service; C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSmartSrv.exe [111960 2009-08-03] (TOSHIBA Corporation)
R3 TPCHSrv; C:\Program Files\TOSHIBA\TPHM\TPCHSrv.exe [685424 2009-08-06] (TOSHIBA Corporation)
S3 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [680960 2013-05-27] (Microsoft Corporation)
 
===================== Drivers (Whitelisted) ======================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
S3 cfwids; C:\Windows\System32\drivers\cfwids.sys [57600 2012-02-22] (McAfee, Inc.)
R1 ESProtectionDriver; C:\Windows\system32\drivers\mbae.sys [59904 2017-08-24] ()
R0 FixZeroAccess; C:\Windows\System32\drivers\FixZeroAccess.sys [35752 2017-09-11] (Symantec Corporation)
R3 LPCFilter; C:\Windows\system32\DRIVERS\LPCFilter.sys [36208 2009-07-30] (COMPAL ELECTRONIC INC.)
R2 MBAMChameleon; C:\Windows\system32\drivers\MBAMChameleon.sys [166848 2017-09-11] (Malwarebytes)
S3 MBAMFarflt; C:\Windows\System32\DRIVERS\farflt.sys [85440 2017-09-12] (Malwarebytes)
S3 MBAMProtection; C:\Windows\system32\drivers\mbam.sys [40352 2017-09-12] (Malwarebytes)
S3 MBAMWebProtection; C:\Windows\system32\drivers\mwac.sys [65824 2017-10-01] (Malwarebytes)
S3 mfeapfk; C:\Windows\System32\drivers\mfeapfk.sys [121544 2012-02-22] (McAfee, Inc.)
R3 mfeavfk; C:\Windows\System32\drivers\mfeavfk.sys [180848 2012-02-22] (McAfee, Inc.)
S3 mfebopk; C:\Windows\System32\drivers\mfebopk.sys [59456 2012-02-22] (McAfee, Inc.)
R3 mfefirek; C:\Windows\System32\drivers\mfefirek.sys [340920 2012-02-22] (McAfee, Inc.)
R0 mfehidk; C:\Windows\System32\drivers\mfehidk.sys [464304 2012-02-22] (McAfee, Inc.)
R1 mfenlfk; C:\Windows\System32\DRIVERS\mfenlfk.sys [64912 2012-02-22] (McAfee, Inc.)
S3 mferkdet; C:\Windows\System32\drivers\mferkdet.sys [87656 2012-02-22] (McAfee, Inc.)
R0 mfewfpk; C:\Windows\System32\drivers\mfewfpk.sys [169608 2012-02-22] (McAfee, Inc.)
R0 MpFilter; C:\Windows\System32\DRIVERS\MpFilter.sys [252808 2016-08-25] (Microsoft Corporation)
R1 MpKsl5433dd9d; C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{A3CD3D40-F0E9-4895-9953-CACDF25B0247}\MpKsl5433dd9d.sys [49504 2017-10-01] (Microsoft Corporation)
R3 PGEffect; C:\Windows\System32\DRIVERS\pgeffect.sys [24064 2009-06-22] (TOSHIBA Corporation)
S3 RapportIaso; c:\programdata\trusteer\rapport\store\exts\rapportms\28896\rapportiaso.sys [21520 2011-07-19] (Trusteer Ltd.)
R3 RTL8187B; C:\Windows\System32\DRIVERS\RTL8187B.sys [379904 2010-03-31] (Realtek Semiconductor Corporation )
R2 TVALZFL; C:\Windows\System32\DRIVERS\TVALZFL.sys [12920 2009-06-19] (TOSHIBA Corporation)
U5 AppMgmt; C:\Windows\system32\svchost.exe [20992 2009-07-14] (Microsoft Corporation) <==== ATTENTION (no ServiceDLL)
S3 catchme; \??\C:\Users\Home\AppData\Local\Temp\catchme.sys [X]
S3 MFE_RR; \??\C:\Users\Home\AppData\Local\Temp\mfe_rr.sys [X]
S3 MREMP50; \??\C:\PROGRA~1\COMMON~1\Motive\MREMP50.SYS [X]
S3 MREMPR5; \??\C:\PROGRA~1\COMMON~1\Motive\MREMPR5.SYS [X]
S3 MRENDIS5; \??\C:\PROGRA~1\COMMON~1\Motive\MRENDIS5.SYS [X]
S3 MRESP50; \??\C:\PROGRA~1\COMMON~1\Motive\MRESP50.SYS [X]
S3 pccsmcfd; system32\DRIVERS\pccsmcfd.sys [X]
S3 RtsUIR; system32\DRIVERS\Rts516xIR.sys [X]
S3 upperdev; system32\DRIVERS\usbser_lowerflt.sys [X]
S3 USBCCID; system32\DRIVERS\RtsUCcid.sys [X]
 
==================== NetSvcs (Whitelisted) ===================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
 
==================== One Month Created files and folders ========
 
(If an entry is included in the fixlist, the file/folder will be moved.)
 
2017-10-03 05:22 - 2017-10-03 05:23 - 000026673 _____ C:\Users\Home\Downloads\FRST.txt
2017-10-03 05:22 - 2017-10-03 05:22 - 001795584 _____ (Farbar) C:\Users\Home\Downloads\FRST.exe
2017-10-03 05:22 - 2017-10-03 05:22 - 000000000 ____D C:\FRST
2017-10-01 06:06 - 2017-10-01 10:15 - 000000000 ____D C:\ProgramData\Malwarebytes' Anti-Malware (portable)
2017-10-01 05:17 - 2017-10-01 05:18 - 016563352 _____ (Malwarebytes Corp.) C:\Users\Home\Downloads\mbar-1.09.3.1001.exe
2017-10-01 05:15 - 2017-10-01 05:16 - 000784152 _____ (McAfee, Inc.) C:\Users\Home\Downloads\rootkitremover.exe
2017-09-12 00:29 - 2017-09-12 00:29 - 000085440 _____ (Malwarebytes) C:\Windows\system32\Drivers\farflt.sys
2017-09-11 10:01 - 2017-09-11 10:01 - 406666619 _____ C:\Windows\MEMORY.DMP
2017-09-11 10:01 - 2017-09-11 10:01 - 000149576 _____ C:\Windows\Minidump\091117-24289-01.dmp
2017-09-11 09:57 - 2017-09-11 09:57 - 000035752 _____ (Symantec Corporation) C:\Windows\system32\Drivers\FixZeroAccess.sys
2017-09-11 09:52 - 2017-09-11 09:55 - 000620812 _____ C:\TDSSKiller.3.1.0.15_11.09.2017_09.52.32_log.txt
2017-09-11 09:48 - 2017-09-11 09:48 - 000004688 _____ C:\TDSSKiller.3.1.0.15_11.09.2017_09.48.36_log.txt
2017-09-11 09:26 - 2017-09-11 09:26 - 000275576 _____ C:\Users\Home\Desktop\JRT.txt
2017-09-11 09:15 - 2017-09-11 09:15 - 001790024 _____ (Malwarebytes) C:\Users\Home\Downloads\JRT.exe
2017-09-11 09:11 - 2017-09-11 09:11 - 000325792 _____ (ESET) C:\Users\Home\Downloads\ESETInstallationFixer_32.exe
2017-09-11 09:07 - 2017-09-11 09:08 - 110073472 _____ (ESET) C:\Users\Home\Downloads\eav_nt32_enu.exe
2017-09-11 08:56 - 2017-09-11 08:56 - 003124864 _____ (ESET) C:\Users\Home\Downloads\eset_nod32_antivirus_live_installer_rt_uk (1).exe
2017-09-11 08:52 - 2017-09-11 08:52 - 000000000 ____D C:\Program Files\ESET
2017-09-11 08:49 - 2017-09-11 08:49 - 003124864 _____ (ESET) C:\Users\Home\Downloads\eset_nod32_antivirus_live_installer_rt_uk.exe
2017-09-11 08:47 - 2017-09-11 08:47 - 000430280 _____ (ESET) C:\Users\Home\Downloads\ESETSirefefCleaner (1).exe
2017-09-11 08:47 - 2017-09-11 08:47 - 000001112 _____ C:\Users\Home\Downloads\ESETSirefefCleaner (1).exe_20170911.084721.3912.zip
2017-09-11 08:40 - 2017-09-11 08:44 - 000223122 _____ C:\TDSSKiller.3.1.0.15_11.09.2017_08.40.43_log.txt
2017-09-11 08:39 - 2017-09-11 08:39 - 004922400 _____ (AO Kaspersky Lab) C:\Users\Home\Downloads\iexplore.exe.exe
2017-09-11 08:38 - 2017-09-11 08:38 - 000002286 _____ C:\TDSSKiller.3.1.0.15_11.09.2017_08.38.10_log.txt
2017-09-11 08:37 - 2017-09-11 08:37 - 004922400 _____ (AO Kaspersky Lab) C:\Users\Home\Downloads\tdsskiller.exe
2017-09-11 08:32 - 2017-09-11 08:32 - 001805736 _____ (Symantec Corporation) C:\Users\Home\Downloads\FixZeroAccess (1).exe
2017-09-11 08:30 - 2017-09-11 08:30 - 001805736 _____ (Symantec Corporation) C:\Users\Home\Downloads\FixZeroAccess.exe
2017-09-11 08:17 - 2017-09-11 08:28 - 000012872 _____ (SurfRight B.V.) C:\Windows\system32\bootdelete.exe
2017-09-11 08:17 - 2017-09-11 08:28 - 000003596 _____ C:\Windows\system32\bootdelete.lst
2017-09-11 08:05 - 2017-09-11 08:17 - 000000000 ____D C:\ProgramData\HitmanPro
2017-09-11 08:05 - 2017-09-11 08:05 - 000001860 _____ C:\Users\Public\Desktop\HitmanPro.lnk
2017-09-11 08:05 - 2017-09-11 08:05 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\HitmanPro
2017-09-11 08:05 - 2017-09-11 08:05 - 000000000 ____D C:\Program Files\HitmanPro
2017-09-11 07:59 - 2017-09-11 08:01 - 011007936 _____ (SurfRight B.V.) C:\Users\Home\Downloads\hitmanpro.exe
2017-09-11 07:56 - 2017-09-11 07:56 - 000001100 _____ C:\Users\Home\Downloads\ESETSirefefCleaner.exe_20170911.075621.3196.zip
2017-09-11 06:30 - 2017-09-11 06:30 - 002953520 _____ (AVAST Software) C:\Users\Home\Downloads\avast-browser-cleanup.exe
2017-09-11 06:28 - 2017-09-11 07:50 - 000000000 ____D C:\AdwCleaner
2017-09-11 06:27 - 2017-09-11 06:27 - 008182736 _____ (Malwarebytes) C:\Users\Home\Downloads\AdwCleaner.exe
2017-09-11 05:30 - 2017-09-11 05:31 - 000001117 _____ C:\Users\Home\Downloads\ESETSirefefCleaner.exe_20170911.053057.3052.zip
2017-09-11 05:28 - 2017-09-11 05:28 - 000430280 _____ (ESET) C:\Users\Home\Downloads\ESETSirefefCleaner.exe
2017-09-11 05:22 - 2017-10-01 05:18 - 000065824 _____ (Malwarebytes) C:\Windows\system32\Drivers\mwac.sys
2017-09-11 05:22 - 2017-09-12 00:28 - 000040352 _____ (Malwarebytes) C:\Windows\system32\Drivers\mbam.sys
2017-09-11 05:22 - 2017-09-11 05:22 - 000166848 _____ (Malwarebytes) C:\Windows\system32\Drivers\MBAMChameleon.sys
2017-09-11 05:21 - 2017-10-01 07:34 - 000170200 _____ (Malwarebytes) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
2017-09-11 05:21 - 2017-09-11 05:21 - 000001987 _____ C:\Users\Public\Desktop\Malwarebytes.lnk
2017-09-11 05:21 - 2017-09-11 05:21 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes
2017-09-11 05:21 - 2017-09-11 05:21 - 000000000 ____D C:\Program Files\Malwarebytes
2017-09-11 05:21 - 2017-08-24 11:27 - 000059904 _____ C:\Windows\system32\Drivers\mbae.sys
2017-09-11 05:20 - 2017-09-11 05:20 - 000000000 ____D C:\ProgramData\MB2Migration
2017-09-11 05:14 - 2017-09-11 05:14 - 000013491 _____ C:\ComboFix.txt
2017-09-11 03:58 - 2011-06-26 07:45 - 000256000 _____ C:\Windows\PEV.exe
2017-09-11 03:58 - 2010-11-07 18:20 - 000208896 _____ C:\Windows\MBR.exe
2017-09-11 03:58 - 2009-04-20 05:56 - 000060416 _____ (NirSoft) C:\Windows\NIRCMD.exe
2017-09-11 03:58 - 2000-08-31 01:00 - 000518144 _____ (SteelWerX) C:\Windows\SWREG.exe
2017-09-11 03:58 - 2000-08-31 01:00 - 000406528 _____ (SteelWerX) C:\Windows\SWSC.exe
2017-09-11 03:58 - 2000-08-31 01:00 - 000098816 _____ C:\Windows\sed.exe
2017-09-11 03:58 - 2000-08-31 01:00 - 000080412 _____ C:\Windows\grep.exe
2017-09-11 03:58 - 2000-08-31 01:00 - 000068096 _____ C:\Windows\zip.exe
2017-09-11 03:53 - 2017-09-11 05:14 - 000000000 ____D C:\Qoobox
2017-09-11 03:52 - 2017-09-11 05:11 - 000000000 ____D C:\Windows\erdnt
2017-09-11 03:45 - 2017-10-02 00:01 - 000002568 _____ C:\Users\Home\Desktop\Rkill.txt
2017-09-11 03:45 - 2017-09-11 03:45 - 001792640 _____ (Bleeping Computer, LLC) C:\Users\Home\Desktop\rkill.com
 
==================== One Month Modified files and folders ========
 
(If an entry is included in the fixlist, the file/folder will be moved.)
 
2017-10-03 05:17 - 2012-09-09 22:32 - 000000924 _____ C:\Windows\Tasks\FacebookUpdateTaskUserS-1-5-21-406935302-2526777770-957223088-1001UA.job
2017-10-03 05:17 - 2012-09-09 22:32 - 000000902 _____ C:\Windows\Tasks\FacebookUpdateTaskUserS-1-5-21-406935302-2526777770-957223088-1001Core.job
2017-10-01 10:36 - 2013-05-17 16:57 - 000002108 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome.lnk
2017-10-01 10:36 - 2013-05-17 16:57 - 000002096 _____ C:\Users\Public\Desktop\Google Chrome.lnk
2017-10-01 10:15 - 2015-07-24 05:34 - 000000000 ____D C:\Users\Home\Desktop\mbar
2017-10-01 06:55 - 2009-07-14 05:34 - 000019248 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2017-10-01 06:55 - 2009-07-14 05:34 - 000019248 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2017-10-01 05:39 - 2009-07-14 05:53 - 000000006 ____H C:\Windows\Tasks\SA.DAT
2017-09-11 10:01 - 2009-12-22 12:50 - 000000000 ____D C:\Windows\Minidump
2017-09-11 07:50 - 2015-07-16 21:59 - 000000000 ____D C:\Users\Home\AppData\Roaming\Yahoo!
2017-09-11 07:50 - 2012-02-02 12:00 - 000000000 ____D C:\Users\Home\AppData\LocalLow\Yahoo!
2017-09-11 05:21 - 2015-07-24 04:58 - 000000000 ____D C:\Program Files\Malwarebytes Anti-Malware
2017-09-11 05:21 - 2011-10-24 23:12 - 000000000 ____D C:\ProgramData\Malwarebytes
2017-09-11 05:07 - 2009-07-14 03:04 - 000000215 _____ C:\Windows\system.ini
2017-09-11 05:05 - 2009-11-09 00:33 - 000000000 ____D C:\Users\Home\AppData\Roaming\Adobe
 
==================== Files in the root of some directories =======
 
2010-05-23 18:06 - 2010-05-23 18:31 - 000004271 _____ () C:\Users\Home\AppData\Roaming\transfer.log
2011-07-10 17:04 - 2011-09-12 18:24 - 000000194 _____ () C:\Users\Home\AppData\Roaming\wklnhst.dat
2011-10-14 17:38 - 2011-10-14 17:38 - 000004011 _____ () C:\Users\Home\AppData\Local\bvecjpca.log
2011-10-14 17:39 - 2011-10-14 17:39 - 000003146 _____ () C:\Users\Home\AppData\Local\ojqusuxw.log
2011-10-14 17:38 - 2011-10-14 17:38 - 000000000 _____ () C:\Users\Home\AppData\Local\rmjgvtrc.log
2011-08-15 04:41 - 2011-10-14 17:39 - 000000024 _____ () C:\Users\Home\AppData\Local\vmjehwli.log
2011-08-15 04:41 - 2011-10-14 17:38 - 000336576 _____ () C:\Users\Home\AppData\Local\wdnrdtsf.log
2010-10-27 16:33 - 2010-10-27 16:33 - 000000056 ____H () C:\ProgramData\ezsidmv.dat
2015-07-16 21:51 - 2015-07-16 22:08 - 000000835 _____ () C:\ProgramData\hpzinstall.log
 
ZeroAccess:
C:\Users\Home\AppData\Local\{e0bf8ada-50bf-cda9-5ba0-063a62064391}
 
Some files in TEMP:
====================
2017-09-25 08:41 - 2017-09-05 14:52 - 000186224 _____ (RealNetworks, Inc.) C:\Users\Home\AppData\Local\temp\lowproc.exe
2017-09-25 08:41 - 2017-09-05 14:52 - 000096440 _____ (RealNetworks, Inc.) C:\Users\Home\AppData\Local\temp\stubhelper.dll
 
==================== Bamital & volsnap ======================
 
(There is no automatic fix for files that do not pass verification.)
 
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\system32\winlogon.exe => File is digitally signed
C:\Windows\system32\wininit.exe => File is digitally signed
C:\Windows\system32\svchost.exe => File is digitally signed
C:\Windows\system32\services.exe => File is digitally signed
C:\Windows\system32\User32.dll => File is digitally signed
C:\Windows\system32\userinit.exe => File is digitally signed
C:\Windows\system32\rpcss.dll => File is digitally signed
C:\Windows\system32\dnsapi.dll => File is digitally signed
C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed
 
LastRegBack: 2017-10-01 06:48
 
==================== End of FRST.txt ============================
 
Rkill 2.9.1 by Lawrence Abrams (Grinler)
Copyright 2008-2017 BleepingComputer.com
More Information about Rkill can be found at this link:
 
Program started at: 10/03/2017 05:43:13 AM in x86 mode.
Windows Version: Windows 7 Home Premium Service Pack 1
 
Checking for Windows services to stop:
 
 * No malware services found to stop.
 
Checking for processes to terminate:
 
 * No malware processes found to kill.
 
Checking Registry for malware related settings:
 
 * No issues found in the Registry.
 
Resetting .EXE, .COM, & .BAT associations in the Windows Registry.
 
Performing miscellaneous checks:
 
 * ALERT: ZEROACCESS rootkit symptoms found!
 
     * C:\Users\Home\AppData\Local\{e0bf8ada-50bf-cda9-5ba0-063a62064391}\ [ZA Dir]
     * C:\Users\Home\AppData\Local\{e0bf8ada-50bf-cda9-5ba0-063a62064391}\L\ [ZA Dir]
     * C:\Users\Home\AppData\Local\{e0bf8ada-50bf-cda9-5ba0-063a62064391}\U\ [ZA Dir]
 
Searching for Missing Digital Signatures: 
 
 * No issues found.
 
Checking HOSTS File: 
 
 * HOSTS file entries found: 
 
  127.0.0.1       localhost
 
Program finished at: 10/03/2017 05:54:41 AM
Execution time: 0 hours(s), 11 minute(s), and 28 seconds(s)
 

 


#2 nasdaq

nasdaq

  • Malware Response Team
  • 40,456 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:01:48 AM

Posted 03 October 2017 - 08:40 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can, please print this topic; it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

--RogueKiller--
  • Download & SAVE to your Desktop Download RogueKiller
  • Quit all programs that you may have started.
  • Please disconnect any USB or external drives from the computer before you run this scan!
  • For Vista or above, right-click the program file and select "Run as Administrator"
  • Accept the user agreements.
  • Execute the scan and wait until it has finished.
  • If a window opens to explain what [PUM's] are, read about it.
  • Click the RogueKiller icon on your taskbar to return to the report.
  • Click open the Report
  • Click Export TXT button
  • Save the file as ReportRogue.txt
  • Click the Remove button to delete the items in RED
  • Click Finish and close the program.
  • Locate the ReportRogue.txt file on your Desktop and copy/paste the contents in your next reply.
=======

Press the Windows key + r on your keyboard at the same time. This will open the RUN BOX.
Type Notepad and click the OK key.

Please copy the entire contents of the code box below to a new file.
 
Start

CreateRestorePoint:
EmptyTemp:
CloseProcesses:

FF Plugin: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin HKU\S-1-5-21-406935302-2526777770-957223088-1001: @facebook.com/FBPlugin,version=1.0.1 -> C:\Users\Home\AppData\Roaming\Facebook\npfbplugin_1_0_1.dll [No File]
CHR Extension: (Complitly plugin for chrome) - C:\Users\Home\AppData\Local\Google\Chrome\User Data\System Profile\Extensions\dlfienamagdnkekbbbocojppncdambda [2015-07-13] [UpdateUrl: hxxp://www.predictad.com/update/chrome/?si=36909&ver=1.1] <==== ATTENTION
S3 catchme; \??\C:\Users\Home\AppData\Local\Temp\catchme.sys [X]
S3 MFE_RR; \??\C:\Users\Home\AppData\Local\Temp\mfe_rr.sys [X]
S3 MREMP50; \??\C:\PROGRA~1\COMMON~1\Motive\MREMP50.SYS [X]
S3 MREMPR5; \??\C:\PROGRA~1\COMMON~1\Motive\MREMPR5.SYS [X]
S3 MRENDIS5; \??\C:\PROGRA~1\COMMON~1\Motive\MRENDIS5.SYS [X]
S3 MRESP50; \??\C:\PROGRA~1\COMMON~1\Motive\MRESP50.SYS [X]
S3 pccsmcfd; system32\DRIVERS\pccsmcfd.sys [X]
S3 RtsUIR; system32\DRIVERS\Rts516xIR.sys [X]
S3 upperdev; system32\DRIVERS\usbser_lowerflt.sys [X]
S3 USBCCID; system32\DRIVERS\RtsUCcid.sys [X]
ContextMenuHandlers2: [SD Format] -> {932CFB31-6AC9-4FE2-BEAC-A27FAF631D48} =>  -> No File
Task: {4D7AB843-FD50-40BA-A0FB-3ED4A7109220} - System32\Tasks\81ea5d4 => C:\Users\Home\AppData\Local\Temp\\setup2396325208.exe <==== ATTENTION
Task: {B143F270-052A-46EC-8AF3-AEE7A04A5C43} - System32\Tasks\25635bd4 => C:\Users\Home\AppData\Local\Temp\\setup4243947860.exe <==== ATTENTION
AlternateDataStreams: C:\ProgramData\TEMP:0B4227B4 [124]
AlternateDataStreams: C:\ProgramData\TEMP:C39E55C5 [119]
C:\Windows\System32\Tasks\81ea5d4
C:\Users\Home\AppData\Local\Temp\\setup2396325208.exe
C:\Windows\System32\Tasks\25635bd4
C:\Users\Home\AppData\Local\Temp\\setup4243947860.exe
C:\Users\Home\AppData\Local\{e0bf8ada-50bf-cda9-5ba0-063a62064391}
2010-05-23 18:06 - 2010-05-23 18:31 - 000004271 _____ () C:\Users\Home\AppData\Roaming\transfer.log
2011-07-10 17:04 - 2011-09-12 18:24 - 000000194 _____ () C:\Users\Home\AppData\Roaming\wklnhst.dat
2011-10-14 17:38 - 2011-10-14 17:38 - 000004011 _____ () C:\Users\Home\AppData\Local\bvecjpca.log
2011-10-14 17:39 - 2011-10-14 17:39 - 000003146 _____ () C:\Users\Home\AppData\Local\ojqusuxw.log
2011-10-14 17:38 - 2011-10-14 17:38 - 000000000 _____ () C:\Users\Home\AppData\Local\rmjgvtrc.log
2011-08-15 04:41 - 2011-10-14 17:39 - 000000024 _____ () C:\Users\Home\AppData\Local\vmjehwli.log
2011-08-15 04:41 - 2011-10-14 17:38 - 000336576 _____ () C:\Users\Home\AppData\Local\wdnrdtsf.log
2010-10-27 16:33 - 2010-10-27 16:33 - 000000056 ____H () C:\ProgramData\ezsidmv.dat
2015-07-16 21:51 - 2015-07-16 22:08 - 000000835 _____ () C:\ProgramData\hpzinstall.log
C:\Windows\MEMORY.DMP
C:\Windows\Minidump\091117-24289-01.dmp

End
Save the file as fixlist.txt in the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the Farbar log you have submitted.

Run FRST and click Fix only once and wait.

The tool will create a log (Fixlog.txt); please post it in your reply.
===

Later, when all is well, update all the 3rd party programs reported as outdated.
Please download Security Analysis by Rocket Grannie from here
  • Save it to your Desktop.
  • Close your security software to avoid potential conflicts.
  • Double click RGSA.exe
  • Click OK on the copyright-disclaimer
  • When finished, a Notepad window will open with the results of the scan.
  • The log named SALog.txt can also be found on the Desktop or in the same folder from where the tool is run if installed elsewhere.
  • For your security I suggest you update all the old programs.
Note: If you get a Warning from Windows about running the program, click on More info and then click Run Anyway to run it even though Windows says it might put your PC at risk.
Note: The link to the most current version of the program will always be in the first post of this topic.
Note: Windows 10 may pop up a warning message.
Note: The current java version on XP will show as "out of date".
Note: Flash Player is pre-installed in Google Chrome and updates automatically!
Note: Flash Player is pre-installed in IE/Edge and updates automatically!
---

Please let me know what problem persists with this computer.

p.s.

Microsoft Security Essentials is your main Security Program.
I do see some McAfee entries on your logs. If this program is no longer used and updated, I suggest you remove it using their uninstaller.

https://www.bleepingcomputer.com/download/mcafee-consumer-products-removal-tool/

---
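For anyone triaging another Windows machine for the same ZeroAccess artifacts this fixlist targets (the {GUID} folder with L and U subfolders under AppData\Local, scheduled tasks whose action is an executable in a Temp folder, and alternate data streams on C:\ProgramData\TEMP), here is an added PowerShell read-only check. It is not part of nasdaq's instructions or of FRST/RogueKiller; it assumes PowerShell 3.0 or later run as Administrator, and it only reports what it finds, never deletes.

```powershell
# Added triage script (not from this thread, FRST or RogueKiller). Read-only: it reports, never removes.
# Assumes PowerShell 3.0+ (Get-ChildItem -Directory/-File, Get-Content -Raw, Get-Item -Stream)
# and an elevated session so that System32\Tasks and other users' profiles are readable.
# The three indicators are the ones visible in the thread's FRST, Rkill and RogueKiller logs.

$findings = New-Object System.Collections.Generic.List[string]

# 1. A {GUID}-named folder under a user's AppData\Local that contains both the L and U subfolders
#    (Rkill flagged exactly this layout as "[ZA Dir]"). -Force includes hidden folders.
$guidPattern = '^\{[0-9a-f]{8}-([0-9a-f]{4}-){3}[0-9a-f]{12}\}$'
foreach ($userDir in Get-ChildItem 'C:\Users' -Directory -ErrorAction SilentlyContinue) {
    $local = Join-Path $userDir.FullName 'AppData\Local'
    foreach ($dir in Get-ChildItem $local -Directory -Force -ErrorAction SilentlyContinue) {
        if ($dir.Name -match $guidPattern) {
            $hasL = Test-Path (Join-Path $dir.FullName 'L')
            $hasU = Test-Path (Join-Path $dir.FullName 'U')
            if ($hasL -and $hasU) {
                $findings.Add("ZeroAccess-style folder: $($dir.FullName) (contains L and U)")
            }
        }
    }
}

# 2. Scheduled tasks are stored as XML under System32\Tasks; flag any whose <Exec><Command>
#    points into a Temp folder, like the 81ea5d4 / 25635bd4 tasks in the fixlist above.
foreach ($taskFile in Get-ChildItem 'C:\Windows\System32\Tasks' -File -Recurse -ErrorAction SilentlyContinue) {
    try {
        [xml]$taskXml = Get-Content $taskFile.FullName -Raw
    } catch {
        continue   # not a readable task definition; skip it
    }
    foreach ($exec in $taskXml.Task.Actions.Exec) {
        $cmd = [string]$exec.Command
        if ($cmd -match '\\Temp\\') {
            $findings.Add("Task $($taskFile.FullName) runs from Temp: $cmd")
        }
    }
}

# 3. Alternate data streams on C:\ProgramData\TEMP (the fixlist removed two there).
#    Anything other than the default :$DATA stream is reported.
$adsTarget = 'C:\ProgramData\TEMP'
if (Test-Path $adsTarget) {
    foreach ($stream in Get-Item $adsTarget -Stream * -ErrorAction SilentlyContinue) {
        if ($stream.Stream -ne ':$DATA') {
            $findings.Add("ADS on ${adsTarget}: $($stream.Stream) ($($stream.Length) bytes)")
        }
    }
}

if ($findings.Count -eq 0) { 'No ZeroAccess-style artifacts found.' } else { $findings }
```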


#4 hocktastic

hocktastic
  • Topic Starter

  • Members
  • 22 posts
  • OFFLINE
  •  
  • Local time:07:48 AM

Posted 03 October 2017 - 12:20 PM

Hello again,

 

I've followed your instructions and here are the logs as requested.

 

thanks,

rachael

 

RogueKiller V12.11.18.0 [Oct  2 2017] (Free) by Adlice Software
 
Operating System : Windows 7 (6.1.7601 Service Pack 1) 32 bits version
Started in : Normal mode
User : Home [Administrator]
Started from : C:\Program Files\RogueKiller\RogueKiller.exe
Mode : Scan -- Date : 10/03/2017 15:23:17 (Duration : 02:11:31)
Switches : -refid
 
¤¤¤ Processes : 0 ¤¤¤
 
¤¤¤ Registry : 2 ¤¤¤
[PUM.Dns] HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{F2BE6767-432D-4957-AC18-D83308F79512} | DhcpNameServer : 10.239.24.5 ([])  -> Found
[PUM.Dns] HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Tcpip\Parameters\Interfaces\{F2BE6767-432D-4957-AC18-D83308F79512} | DhcpNameServer : 10.239.24.5 ([])  -> Found
 
¤¤¤ Tasks : 0 ¤¤¤
 
¤¤¤ Files : 2 ¤¤¤
[Root.ZeroAccess][Folder] C:\Users\Home\AppData\Local\{e0bf8ada-50bf-cda9-5ba0-063a62064391}\L -> Found
[Root.ZeroAccess][Folder] C:\Users\Home\AppData\Local\{e0bf8ada-50bf-cda9-5ba0-063a62064391}\U -> Found
 
¤¤¤ WMI : 0 ¤¤¤
 
¤¤¤ Hosts File : 0 ¤¤¤
 
¤¤¤ Antirootkit : 0 (Driver: Loaded) ¤¤¤
 
¤¤¤ Web browsers : 0 ¤¤¤
 
¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: FUJITSU MJA2320BH G2 +++++
--- User ---
[MBR] 306088ef157187d185e739571483cc44
[BSP] 1ee798fb9f3e75439e428f641ac3dcb2 : Windows Vista/7/8|VT.Unknown MBR Code
Partition table:
0 - [ACTIVE] ACER (0x27) [VISIBLE] Offset (sectors): 2048 | Size: 400 MB
1 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 821248 | Size: 153000 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
2 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 314165248 | Size: 151843 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
User = LL1 ... OK
User = LL2 ... OK
 
 
 
Fix result of Farbar Recovery Scan Tool (x86) Version: 01-10-2017
Ran by Home (03-10-2017 17:46:02) Run:1
Running from C:\Users\Home\Downloads
Loaded Profiles: Home (Available Profiles: Home & DefaultAppPool)
Boot Mode: Normal
 
==============================================
 
fixlist content:
*****************
Start
 
CreateRestorePoint:
EmptyTemp:
CloseProcesses:
 
FF Plugin: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin HKU\S-1-5-21-406935302-2526777770-957223088-1001: @facebook.com/FBPlugin,version=1.0.1 -> C:\Users\Home\AppData\Roaming\Facebook\npfbplugin_1_0_1.dll [No File]
CHR Extension: (Complitly plugin for chrome) - C:\Users\Home\AppData\Local\Google\Chrome\User Data\System Profile\Extensions\dlfienamagdnkekbbbocojppncdambda [2015-07-13] [UpdateUrl: hxxp://www.predictad.com/update/chrome/?si=36909&ver=1.1] <==== ATTENTION
S3 catchme; \??\C:\Users\Home\AppData\Local\Temp\catchme.sys [X]
S3 MFE_RR; \??\C:\Users\Home\AppData\Local\Temp\mfe_rr.sys [X]
S3 MREMP50; \??\C:\PROGRA~1\COMMON~1\Motive\MREMP50.SYS [X]
S3 MREMPR5; \??\C:\PROGRA~1\COMMON~1\Motive\MREMPR5.SYS [X]
S3 MRENDIS5; \??\C:\PROGRA~1\COMMON~1\Motive\MRENDIS5.SYS [X]
S3 MRESP50; \??\C:\PROGRA~1\COMMON~1\Motive\MRESP50.SYS [X]
S3 pccsmcfd; system32\DRIVERS\pccsmcfd.sys [X]
S3 RtsUIR; system32\DRIVERS\Rts516xIR.sys [X]
S3 upperdev; system32\DRIVERS\usbser_lowerflt.sys [X]
S3 USBCCID; system32\DRIVERS\RtsUCcid.sys [X]
ContextMenuHandlers2: [SD Format] -> {932CFB31-6AC9-4FE2-BEAC-A27FAF631D48} =>  -> No File
Task: {4D7AB843-FD50-40BA-A0FB-3ED4A7109220} - System32\Tasks\81ea5d4 => C:\Users\Home\AppData\Local\Temp\\setup2396325208.exe <==== ATTENTION
Task: {B143F270-052A-46EC-8AF3-AEE7A04A5C43} - System32\Tasks\25635bd4 => C:\Users\Home\AppData\Local\Temp\\setup4243947860.exe <==== ATTENTION
AlternateDataStreams: C:\ProgramData\TEMP:0B4227B4 [124]
AlternateDataStreams: C:\ProgramData\TEMP:C39E55C5 [119]
C:\Windows\System32\Tasks\81ea5d4
C:\Users\Home\AppData\Local\Temp\\setup2396325208.exe
C:\Windows\System32\Tasks\25635bd4
C:\Users\Home\AppData\Local\Temp\\setup4243947860.exe
C:\Users\Home\AppData\Local\{e0bf8ada-50bf-cda9-5ba0-063a62064391}
2010-05-23 18:06 - 2010-05-23 18:31 - 000004271 _____ () C:\Users\Home\AppData\Roaming\transfer.log
2011-07-10 17:04 - 2011-09-12 18:24 - 000000194 _____ () C:\Users\Home\AppData\Roaming\wklnhst.dat
2011-10-14 17:38 - 2011-10-14 17:38 - 000004011 _____ () C:\Users\Home\AppData\Local\bvecjpca.log
2011-10-14 17:39 - 2011-10-14 17:39 - 000003146 _____ () C:\Users\Home\AppData\Local\ojqusuxw.log
2011-10-14 17:38 - 2011-10-14 17:38 - 000000000 _____ () C:\Users\Home\AppData\Local\rmjgvtrc.log
2011-08-15 04:41 - 2011-10-14 17:39 - 000000024 _____ () C:\Users\Home\AppData\Local\vmjehwli.log
2011-08-15 04:41 - 2011-10-14 17:38 - 000336576 _____ () C:\Users\Home\AppData\Local\wdnrdtsf.log
2010-10-27 16:33 - 2010-10-27 16:33 - 000000056 ____H () C:\ProgramData\ezsidmv.dat
2015-07-16 21:51 - 2015-07-16 22:08 - 000000835 _____ () C:\ProgramData\hpzinstall.log
C:\Windows\MEMORY.DMP
C:\Windows\Minidump\091117-24289-01.dmp
 
End
*****************
 
Restore point was successfully created.
Processes closed successfully.
HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE => key removed successfully.
HKU\S-1-5-21-406935302-2526777770-957223088-1001\Software\MozillaPlugins\@facebook.com/FBPlugin,version=1.0.1 => key removed successfully.
C:\Users\Home\AppData\Roaming\Facebook\npfbplugin_1_0_1.dll => not found.
CHR Extension: (Complitly plugin for chrome) - C:\Users\Home\AppData\Local\Google\Chrome\User Data\System Profile\Extensions\dlfienamagdnkekbbbocojppncdambda [2015-07-13] [UpdateUrl: hxxp://www.predictad.com/update/chrome/?si=36909&ver=1.1] <==== ATTENTION => Error: No automatic fix found for this entry.
HKLM\System\CurrentControlSet\Services\catchme => key removed successfully.
catchme => service removed successfully.
HKLM\System\CurrentControlSet\Services\MFE_RR => key removed successfully.
MFE_RR => service removed successfully.
HKLM\System\CurrentControlSet\Services\MREMP50 => key removed successfully.
MREMP50 => service removed successfully.
HKLM\System\CurrentControlSet\Services\MREMPR5 => key removed successfully.
MREMPR5 => service removed successfully.
HKLM\System\CurrentControlSet\Services\MRENDIS5 => key removed successfully.
MRENDIS5 => service removed successfully.
HKLM\System\CurrentControlSet\Services\MRESP50 => key removed successfully.
MRESP50 => service removed successfully.
HKLM\System\CurrentControlSet\Services\pccsmcfd => key removed successfully.
pccsmcfd => service removed successfully.
HKLM\System\CurrentControlSet\Services\RtsUIR => key removed successfully.
RtsUIR => service removed successfully.
HKLM\System\CurrentControlSet\Services\upperdev => key removed successfully.
upperdev => service removed successfully.
HKLM\System\CurrentControlSet\Services\USBCCID => key removed successfully.
USBCCID => service removed successfully.
HKLM\Software\Classes\Drive\ShellEx\ContextMenuHandlers\SD Format => key removed successfully.
HKLM\Software\Classes\CLSID\{932CFB31-6AC9-4FE2-BEAC-A27FAF631D48} => key not found. 
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{4D7AB843-FD50-40BA-A0FB-3ED4A7109220} => key removed successfully.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{4D7AB843-FD50-40BA-A0FB-3ED4A7109220} => key removed successfully.
C:\Windows\System32\Tasks\81ea5d4 => moved successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\81ea5d4 => key removed successfully.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{B143F270-052A-46EC-8AF3-AEE7A04A5C43} => key removed successfully.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{B143F270-052A-46EC-8AF3-AEE7A04A5C43} => key removed successfully.
C:\Windows\System32\Tasks\25635bd4 => moved successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\25635bd4 => key removed successfully.
C:\ProgramData\TEMP => ":0B4227B4" ADS removed successfully..
C:\ProgramData\TEMP => ":C39E55C5" ADS removed successfully..
"C:\Windows\System32\Tasks\81ea5d4" => not found.
"C:\Users\Home\AppData\Local\Temp\\setup2396325208.exe" => not found.
"C:\Windows\System32\Tasks\25635bd4" => not found.
"C:\Users\Home\AppData\Local\Temp\\setup4243947860.exe" => not found.
C:\Users\Home\AppData\Local\{e0bf8ada-50bf-cda9-5ba0-063a62064391} => moved successfully
C:\Users\Home\AppData\Roaming\transfer.log => moved successfully
C:\Users\Home\AppData\Roaming\wklnhst.dat => moved successfully
C:\Users\Home\AppData\Local\bvecjpca.log => moved successfully
C:\Users\Home\AppData\Local\ojqusuxw.log => moved successfully
C:\Users\Home\AppData\Local\rmjgvtrc.log => moved successfully
C:\Users\Home\AppData\Local\vmjehwli.log => moved successfully
C:\Users\Home\AppData\Local\wdnrdtsf.log => moved successfully
C:\ProgramData\ezsidmv.dat => moved successfully
C:\ProgramData\hpzinstall.log => moved successfully
C:\Windows\MEMORY.DMP => moved successfully
C:\Windows\Minidump\091117-24289-01.dmp => moved successfully
 
=========== EmptyTemp: ==========
 
BITS transfer queue => 8388608 B
DOMStoree, IE Recovery, AppCache, Feeds Cache, Thumbcache, IconCache => 36830127 B
Java, Flash, Steam htmlcache => 506 B
Windows/system/drivers => 393391743 B
Edge => 0 B
Chrome => 767104552 B
Firefox => 0 B
Opera => 0 B
 
Temp, IE cache, history, cookies, recent:
Users => 0 B
Default => 33125 B
Public => 0 B
ProgramData => 0 B
systemprofile => 96805 B
LocalService => 132244 B
NetworkService => 69865452 B
Home => 15682191 B
DefaultAppPool.IIS APPPOOL.119 => 33125 B
 
RecycleBin => 0 B
EmptyTemp: => 1.2 GB temporary data Removed.
 
================================
 
 
The system needed a reboot.
 
==== End of Fixlog 17:49:00 ====


#5 nasdaq

nasdaq

  • Malware Response Team
  • 40,456 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:01:48 AM

Posted 03 October 2017 - 12:33 PM


Hi,

Please run the RogueKiller tool and if these 2 entries are still listed delete them.

[Root.ZeroAccess][Folder] C:\Users\Home\AppData\Local\{e0bf8ada-50bf-cda9-5ba0-063a62064391}\L -> Found
[Root.ZeroAccess][Folder] C:\Users\Home\AppData\Local\{e0bf8ada-50bf-cda9-5ba0-063a62064391}\U -> Found



Restart the computer normally.

How is the computer running now?

#6 hocktastic

hocktastic
  • Topic Starter

  • Members
  • 22 posts
  • OFFLINE
  •  
  • Local time:07:48 AM

Posted 03 October 2017 - 02:43 PM

Hello there,

 

I've run RogueKiller again and those two entries are gone. However, there are two PUMs. I read the article you suggested but I'm still unsure if they are malicious or not. What do you think, should I remove them? I've attached the log.

 

I have also run rkill again and added the log for that too.

 

thanks,

Rachael

 

RogueKiller V12.11.18.0 [Oct  2 2017] (Free) by Adlice Software
 
Operating System : Windows 7 (6.1.7601 Service Pack 1) 32 bits version
Started in : Normal mode
User : Home [Administrator]
Started from : C:\Program Files\RogueKiller\RogueKiller.exe
Mode : Scan -- Date : 10/03/2017 18:40:38 (Duration : 01:35:17)
 
¤¤¤ Processes : 0 ¤¤¤
 
¤¤¤ Registry : 2 ¤¤¤
[PUM.Dns] HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{F2BE6767-432D-4957-AC18-D83308F79512} | DhcpNameServer : 10.239.24.5 ([])  -> Found
[PUM.Dns] HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Tcpip\Parameters\Interfaces\{F2BE6767-432D-4957-AC18-D83308F79512} | DhcpNameServer : 10.239.24.5 ([])  -> Found
 
¤¤¤ Tasks : 0 ¤¤¤
 
¤¤¤ Files : 0 ¤¤¤
 
¤¤¤ WMI : 0 ¤¤¤
 
¤¤¤ Hosts File : 0 ¤¤¤
 
¤¤¤ Antirootkit : 0 (Driver: Loaded) ¤¤¤
 
¤¤¤ Web browsers : 0 ¤¤¤
 
¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: FUJITSU MJA2320BH G2 +++++
--- User ---
[MBR] 306088ef157187d185e739571483cc44
[BSP] 1ee798fb9f3e75439e428f641ac3dcb2 : Windows Vista/7/8|VT.Unknown MBR Code
Partition table:
0 - [ACTIVE] ACER (0x27) [VISIBLE] Offset (sectors): 2048 | Size: 400 MB
1 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 821248 | Size: 153000 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
2 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 314165248 | Size: 151843 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
User = LL1 ... OK
User = LL2 ... OK
 
 
Rkill 2.9.1 by Lawrence Abrams (Grinler)
Copyright 2008-2017 BleepingComputer.com
More Information about Rkill can be found at this link:
 
Program started at: 10/03/2017 08:53:04 PM in x86 mode.
Windows Version: Windows 7 Home Premium Service Pack 1
 
Checking for Windows services to stop:
 
 * No malware services found to stop.
 
Checking for processes to terminate:
 
 * No malware processes found to kill.
 
Checking Registry for malware related settings:
 
 * No issues found in the Registry.
 
Resetting .EXE, .COM, & .BAT associations in the Windows Registry.
 
Performing miscellaneous checks:
 
 * No issues found.
 
Searching for Missing Digital Signatures: 
 
 * No issues found.
 
Checking HOSTS File: 
 
 * HOSTS file entries found: 
 
  127.0.0.1       localhost
 
Program finished at: 10/03/2017 08:53:49 PM
Execution time: 0 hours(s), 0 minute(s), and 45 seconds(s)
 

Edited by hocktastic, 03 October 2017 - 02:56 PM.


#7 nasdaq

nasdaq

  • Malware Response Team
  • 40,456 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:01:48 AM

Posted 04 October 2017 - 07:12 AM


Hi,

[PUM.Dns] HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{F2BE6767-432D-4957-AC18-D83308F79512} | DhcpNameServer : 10.239.24.5 ([]) -> Found
[PUM.Dns] HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Tcpip\Parameters\Interfaces\{F2BE6767-432D-4957-AC18-D83308F79512} | DhcpNameServer : 10.239.24.5 ([]) -> Found


This IP address is part of your local network. Nothing to worry about.

Read about it.
https://whois.arin.net/rest/net/NET-10-0-0-0-1

===

If all is well.

To learn more about how to protect yourself while on the internet, read this little guide on best security practices to keep safe.
http://www.bleepingcomputer.com/forums/t/407147/answers-to-common-security-questions-best-practices/


https://www.bleepingcomputer.com/tutorials/keep-your-computer-safe-online/
Simple and easy ways to keep your computer safe and secure on the Internet.
===

#8 hocktastic

hocktastic
  • Topic Starter

  • Members
  • 22 posts
  • OFFLINE
  •  
  • Local time:07:48 AM

Posted 04 October 2017 - 12:58 PM

Thank you so much for helping me with this, myself and my mum really appreciate it!

I will read this stuff and also show it to my mum so hopefully we won't have any more issues.

 

Kind regards,

Rachael



#9 nasdaq

nasdaq

  • Malware Response Team
  • 40,456 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:01:48 AM

Posted 11 October 2017 - 08:28 AM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.



