
in need of a fixlist of FRST or something


This topic is locked
24 replies to this topic

#1 Keraie

Posted 30 April 2018 - 08:47 PM

Hello,

Recently my computer has been running slow and I can notice some delay between my clicks in games such as League of Legends. Can someone help me please? I've run 3 Norton scans but the computer still acts like this.

 

Sincerely, -Keraie

Attached Files




 


#2 garioch7 (RCMP Veteran, Malware Response Instructor)

Posted 01 May 2018 - 08:39 AM

Keraie:

 
 
Welcome to the Bleeping Computer Virus, Trojans, Spyware, and Malware Removal Logs Forum.  My name is Phil.  May I address you by your first name?
 
I will be assisting you with your computer issues.  I will endeavor to respond within a reasonable time.   Forum policy requires that I post within 48 hours after your last post, but I do endeavor to post within 24 hours of your last post.
 
I would ask that you please copy and paste the contents of all requested log files directly into your replies.   Please do not use "code" or "quote" boxes.  Thank you for your anticipated cooperation.  This makes it much easier for me to analyze the log results.
 
I will need some time to review your FRST logs.  That could take a day or two, but I do hope to respond later today with an initial FRST "fixlist" script.
 
PLEASE DO NOT RUN ANY ADDITIONAL SCANS OR ANTI-MALWARE REMOVAL TOOLS UNTIL YOU HAVE RECEIVED A RESPONSE FROM ME.
Doing so would complicate the situation and it would cause further delays in resolving your issues.  It could also potentially result in harm to your computer because my "fix" will be based on the FRST scan logs you have already submitted.
 
Thank you and have a great day.
 
Regards,
-Phil

Graduate of the Bleeping Computer Malware Removal Study Hall


#3 garioch7

Posted 01 May 2018 - 10:40 AM

Keraie:

Thank you for your patience while I analyzed your FRST logs.

Before we start dealing with the problems you are experiencing, I would ask that you to take note of the following points:

  • I am a Bleeping Computer volunteer, so I ask you to be patient. I know it is frustrating when your computer is not working properly, but malware removal takes time.
  • Please also remember that I can only dedicate a limited number of hours a day to helping people. We may live in different time zones, which may cause delays in responding.
  • If I have not responded to you within 48 hours, please send me a personal message. Likewise, I expect you to respond within 48 hours, and sooner is better because we can fix your computer faster.
  • If I have not heard from you in three days, I will "bump" your post. After five days of no response, I will consider that you no longer need my assistance and this thread will be closed.
  • Logs can take a while to research, so please be patient.
  • Some issues just cannot be solved so you must be prepared for this.
  • Please read and follow the instructions in the exact sequence that they are posted to avoid making a bad situation worse.
  • Please print or copy and save the instructions.
  • Back up all your data and important files on another (external) drive before starting to run malware removal tools. Malware removal can cause unpredictable and unintended issues. Also you should be aware that some of the tools and scripts that will be used, will remove malware detected, without notice.
  • You should try to limit your browsing with this computer until you are given the "All Clear." Some malware applications steal passwords.
  • Please do not install or uninstall any applications, unless directed. Don't run any scripts or tools on your own because unsupervised usage may cause more harm than good.
  • Please use only the tools you have been instructed to use.
  • If you are using CD/DVD emulation software, this should be uninstalled or disabled as it can interfere with the removal of some malware. It can be turned off with Defogger and then turned back on when you get the "All Clear."
  • Please copy and paste the requested log files inside your post(s), unless otherwise instructed. Please do not use code or quote boxes.
  • There are no silly questions. Ask for clarification, if you have any questions or concerns.
  • Bleeping Computer does not support any piracy. Evidence of illegal OS, software, cracks/keygens, etc., will be revealed by scan logs, and if found, further assistance may be suspended. Uninstall such software before proceeding!
  • Any P2P software such as uTorrent, BitTorrent, Kazaa, etc. must be uninstalled or completely disabled. P2P software is a major security risk to your computer and may have been the route the malware used to infect your computer.
  • Failure to follow these guidelines may result in assistance being withdrawn and your thread being closed.
  • I am volunteering my time to help you, and I will need you to help me. Together, we can, hopefully, disinfect your computer and get it functioning properly again. That is my only aim.

.

OK, let's get started ...

.

Step 1: The FRST scan logs show that you have the following program installed on your computer:
 

Akamai NetSession Interface (HKU\S-1-5-21-2594332713-3088129888-4266447873-1001\...\Akamai) (Version: - Akamai Technologies, Inc)


I would recommend that you read this post to determine if you want to keep that program. Personally, I would not have it on my computer.

If you decide you do not want to keep this program, please go to the Control Panel, Programs, Uninstall Program, and uninstall it from your computer.

Please let me know whether you keep, or uninstall, this program. It is your computer, so it is YOUR decision.

.

Step 2: The FRST scan logs show that you have the following program installed on your computer:
 

QuickTime 7 (HKLM-x32\...\{FF59BD75-466A-4D5A-AD23-AAD87C5FD44C}) (Version: 7.79.80.95 - Apple Inc.)


Apple has not supported this program for some time. As such, it poses a security vulnerability to your computer. Please see this link for more information. Unless you need this program, I would recommend that you uninstall it. Please let me know what you decide.

.

Step 3: In going over your logs I noticed that you have qBittorrent installed. Please consider the following advice to reduce the possibility of being infected when surfing the web.

  • Avoid gaming sites, pirated software, cracking tools, keygens, and peer-to-peer (P2P) file sharing programs.
  • They are a security risk which can make your computer susceptible to a wide variety of malware infections, remote attacks, exposure of personal information, and identity theft. Many malicious worms and Trojans spread across P2P file sharing networks, gaming and underground sites.
  • Users visiting such pages may see innocuous-looking banner ads containing code which can trigger pop-up ads and malicious Flash ads that install viruses, Trojans and spyware. Ads are a target for hackers because they offer a stealthy way to distribute malware to a wide range of Internet users.
  • The best way to reduce the risk of infection is to avoid these types of web sites and not use any P2P applications.

It is pretty much certain that if you continue to use P2P programs, your computer will get infected.
I would recommend that you uninstall qBittorrent, however that choice is up to you. If you choose to remove these programs, you can do so via Start > Control Panel > Add/Remove Programs.
If you wish to keep it, please do not use it until your computer is cleaned.

.

Step 4: Please run a FRST fix for me.

NOTICE: This FRST "fixlist" script was written specifically for this user, for use on this individual computer. Running this on another computer may cause damage to your operating system.
 

Start::
CreateRestorePoint:
CloseProcesses:
CHR HKLM\...\Chrome\Extension: [cjabmdjcfcfdmffimndhafhblfmpjdpe] - C:\Program Files (x86)\Norton Security Suite\Engine\22.14.0.54\Exts\Chrome.crx <not found>
CHR HKLM\...\Chrome\Extension: [iikflkcanblccfahdhdonehdalibjnif] - hxxps://clients2.google.com/service/update2/crx
CHR HKLM-x32\...\Chrome\Extension: [cjabmdjcfcfdmffimndhafhblfmpjdpe] - C:\Program Files (x86)\Norton Security Suite\Engine\22.14.0.54\Exts\Chrome.crx <not found>
CHR HKLM-x32\...\Chrome\Extension: [iikflkcanblccfahdhdonehdalibjnif] - hxxps://clients2.google.com/service/update2/crx
VirusTotal: C:\WINDOWS\system32\drivers\NGCx64\160E000.036\wpCtrlDrv.sys
End::
  • Please highlight the entire contents of the code box above, from the "Start::" line to the "End::" line, including both of those lines, right click, and select "Copy", which will copy the "fix" script into the Windows clipboard.
  • Right click FRST64English.exe, and select "Run as Administrator".
  • Press Fix button once and wait.
  • Please reboot the computer, if requested.
  • A log file called "fixlog.txt" will be saved in the same folder as the FRST program is located.
  • Please copy and paste the contents of the "fixlog.txt" file into your next reply.

.

Thank you and have a great day.

Regards,
-Phil




#4 Keraie (Topic Starter)

Posted 01 May 2018 - 02:33 PM

Hey Phil, I've done what you requested. Yes, I would like to remove Akamai NetSession.
 
 
 
 
Fix result of Farbar Recovery Scan Tool (x64) Version: 25.04.2018
Ran by Kevin (01-05-2018 15:29:33) Run:1
Running from C:\Users\Kevin\Desktop\Virus
Loaded Profiles: Kevin (Available Profiles: Kevin)
Boot Mode: Normal
==============================================
 
fixlist content:
*****************
CreateRestorePoint:
CloseProcesses:
CHR HKLM\...\Chrome\Extension: [cjabmdjcfcfdmffimndhafhblfmpjdpe] - C:\Program Files (x86)\Norton Security Suite\Engine\22.14.0.54\Exts\Chrome.crx <not found>
CHR HKLM\...\Chrome\Extension: [iikflkcanblccfahdhdonehdalibjnif] - hxxps://clients2.google.com/service/update2/crx
CHR HKLM-x32\...\Chrome\Extension: [cjabmdjcfcfdmffimndhafhblfmpjdpe] - C:\Program Files (x86)\Norton Security Suite\Engine\22.14.0.54\Exts\Chrome.crx <not found>
CHR HKLM-x32\...\Chrome\Extension: [iikflkcanblccfahdhdonehdalibjnif] - hxxps://clients2.google.com/service/update2/crx
VirusTotal: C:\WINDOWS\system32\drivers\NGCx64\160E000.036\wpCtrlDrv.sys
 
*****************
 
Restore point was successfully created.
Processes closed successfully.
"HKLM\SOFTWARE\Google\Chrome\Extensions\cjabmdjcfcfdmffimndhafhblfmpjdpe" => removed successfully
"HKLM\SOFTWARE\Google\Chrome\Extensions\iikflkcanblccfahdhdonehdalibjnif" => removed successfully
"HKLM\SOFTWARE\Wow6432Node\Google\Chrome\Extensions\cjabmdjcfcfdmffimndhafhblfmpjdpe" => removed successfully
"HKLM\SOFTWARE\Wow6432Node\Google\Chrome\Extensions\iikflkcanblccfahdhdonehdalibjnif" => removed successfully
 
 
The system needed a reboot.
 
==== End of Fixlog 15:29:42 ==== 

 

 


Edited by Keraie, 01 May 2018 - 02:35 PM.
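The fixlist in post #3 and the fixlog in post #4 can be cross-checked mechanically: every CHR directive FRST was asked to act on should appear in the fixlog as a removed registry key. The script below is an added example written for this page, not code from the thread and not part of FRST. It parses FRST's CHR lines, maps the abbreviated hive names to the full registry keys the fixlog reports (the mapping of HKLM-x32 to the Wow6432Node view is taken from the fixlog itself), and reports confirmed, unconfirmed and unexpected deletions. The sample text is copied from the two posts above; the function names and the HIVE_TO_KEY table are this example's own.

```python
import re

# Constructed sample input, copied from the fixlist in post #3 and the fixlog in
# post #4 of this thread (trimmed to the lines the check needs).
FIXLIST = r"""Start::
CreateRestorePoint:
CloseProcesses:
CHR HKLM\...\Chrome\Extension: [cjabmdjcfcfdmffimndhafhblfmpjdpe] - C:\Program Files (x86)\Norton Security Suite\Engine\22.14.0.54\Exts\Chrome.crx <not found>
CHR HKLM\...\Chrome\Extension: [iikflkcanblccfahdhdonehdalibjnif] - hxxps://clients2.google.com/service/update2/crx
CHR HKLM-x32\...\Chrome\Extension: [cjabmdjcfcfdmffimndhafhblfmpjdpe] - C:\Program Files (x86)\Norton Security Suite\Engine\22.14.0.54\Exts\Chrome.crx <not found>
CHR HKLM-x32\...\Chrome\Extension: [iikflkcanblccfahdhdonehdalibjnif] - hxxps://clients2.google.com/service/update2/crx
VirusTotal: C:\WINDOWS\system32\drivers\NGCx64\160E000.036\wpCtrlDrv.sys
End::"""

FIXLOG = r"""Restore point was successfully created.
Processes closed successfully.
"HKLM\SOFTWARE\Google\Chrome\Extensions\cjabmdjcfcfdmffimndhafhblfmpjdpe" => removed successfully
"HKLM\SOFTWARE\Google\Chrome\Extensions\iikflkcanblccfahdhdonehdalibjnif" => removed successfully
"HKLM\SOFTWARE\Wow6432Node\Google\Chrome\Extensions\cjabmdjcfcfdmffimndhafhblfmpjdpe" => removed successfully
"HKLM\SOFTWARE\Wow6432Node\Google\Chrome\Extensions\iikflkcanblccfahdhdonehdalibjnif" => removed successfully

The system needed a reboot."""

# FRST's CHR line: hive, 32-character extension id, then the install source
# (a local .crx path or an update URL), optionally tagged "<not found>".
CHR_RE = re.compile(
    r"^CHR (?P<hive>HKLM(?:-x32)?)\\\.\.\.\\Chrome\\Extension: "
    r"\[(?P<ext_id>[a-p]{32})\] - (?P<source>.+?)(?P<missing> <not found>)?$"
)
# Fixlog line confirming that FRST deleted a registry key.
REMOVED_RE = re.compile(r'^"(?P<key>[^"]+)" => removed successfully$')

# Where FRST's abbreviated hive names resolve to, as the fixlog above shows:
# the 32-bit view on 64-bit Windows lives under Wow6432Node.
HIVE_TO_KEY = {
    "HKLM": r"HKLM\SOFTWARE\Google\Chrome\Extensions",
    "HKLM-x32": r"HKLM\SOFTWARE\Wow6432Node\Google\Chrome\Extensions",
}


def parse_fixlist(text):
    """Split a fixlist into CHR directives (which we can verify) and the rest."""
    chr_entries, other = [], []
    for line in text.splitlines():
        if line in ("Start::", "End::") or not line.strip():
            continue
        m = CHR_RE.match(line)
        if not m:
            other.append(line)
            continue
        chr_entries.append({
            "key": HIVE_TO_KEY[m["hive"]] + "\\" + m["ext_id"],
            "ext_id": m["ext_id"],
            "source": m["source"],
            # a registered .crx that no longer exists on disk is a stale install entry
            "file_missing": m["missing"] is not None,
        })
    return chr_entries, other


def removed_keys(fixlog):
    """Registry keys the fixlog reports as removed."""
    keys = set()
    for line in fixlog.splitlines():
        m = REMOVED_RE.match(line)
        if m:
            keys.add(m["key"])
    return keys


def cross_check(fixlist, fixlog):
    """Report which fixlist directives the fixlog confirms, and which it does not."""
    chr_entries, other = parse_fixlist(fixlist)
    removed = removed_keys(fixlog)
    expected = {e["key"] for e in chr_entries}
    return {
        "confirmed": sorted(expected & removed),
        "unconfirmed": sorted(expected - removed),   # asked for, not reported removed
        "unexpected": sorted(removed - expected),    # removed, but not in the fixlist
        "stale_crx": sorted({e["ext_id"] for e in chr_entries if e["file_missing"]}),
        "unchecked": other,                          # directives this check cannot verify
    }


if __name__ == "__main__":
    for name, items in cross_check(FIXLIST, FIXLOG).items():
        print(f"{name}: {items}")
```

Only the CHR directives are verified; CreateRestorePoint:, CloseProcesses: and the VirusTotal: lookup are listed as unchecked rather than silently assumed to have worked, which is the point: a fixlog is read line by line against the fixlist, not skimmed for "successfully".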


#5 garioch7

Posted 02 May 2018 - 07:19 AM

Keraie:
 
Thank you for your post and for running the FRST "fixlist" script and posting the results.  That looks great!
 
.
 
Step 1: Please uninstall Akamai Netsession Interface using the Control Panel, Programs, Uninstall A Program.  Reboot your computer.
 
.
 
We are now going to start running some standard anti-malware scans to check for malware that might not have been detected by the FRST scan.
 
.
 
Step 2: ESET Online Scanner using Internet Explorer:

Note: You will need to disable your currently installed Anti-Virus, how to do so can be found here.

  • Download esetsmartinstaller_enu.exe and save it to your Desktop.
  • Double click the icon.
  • Check YES, I accept the Terms of Use.
  • Click the Start button.
  • Accept any security warnings from your browser.
  • Then select: "Enable detection of potentially unwanted applications" - Yes.
  • Click Advanced settings.
  • Check the following items.

Enable detection of potentially unwanted applications
Remove found threats
Scan archives
Scan for potentially unsafe applications
Enable Anti-Stealth technology

  • Click Change next to Current scan targets:
  • Place a check mark in any additional drive you wish to scan then click OK.
  • Click Start.
  • ESET will then download updates and begin scanning your computer.
  • If no threats are found simply click Uninstall application on close and hit Finish.
  • If threats are found click List of found threats.
  • Click Export to text file.
  • Save the file on your Desktop as ESET.txt.
  • Click Back.
  • Check Uninstall application on close and Delete quarantined files.
  • Click Finish.
  • Close the ESET Online Scanner window.
  • Copy and paste the contents of ESET.txt into your reply, if any threats were detected. There will be no log, if no threats were detected.

Don't forget to re-enable your antivirus when finished!

.

Step 3: Please run a Malwarebytes Anti-Malware scan for me.

  • Please download Malwarebytes to your Desktop.
  • Double-click mb3-setup-{version}.exe and follow the prompts to install the program.
  • Then click Finish.
  • Next, please go to "Settings", "Protection", and turn on "Scan for rootkits", if it is not "On."
  • Ensure that under "Potential Threat Protection", both switches are set to "Always Detect PUPs/PUMs (recommended)."
  • Then scroll to the bottom of that page and ensure that "Automatic Quarantine" is turned "On."
  • Once the program has fully updated, select Scan Now on the Dashboard. Or select the Threat Scan from the Scan menu.
  • If an update of the definitions is available, it will be downloaded and installed before the scan commences.
  • When the scan is complete, make sure that all Threats are selected, and click Remove Selected.
  • Restart your computer when prompted to do so.

The Scan log is available through Reports (double-click the appropriate scan log) or you can just double-click the "Last Scan" entry on the Dashboard. Click "Export", and then select "Copy to Clipboard". Next, please paste the contents of the log into your next reply.

.

Thank you and have a great day.

Regards,
-Phil




#6 Keraie (Topic Starter)

Posted 02 May 2018 - 06:34 PM

The Old Shi* hard drive is an old hard drive from my old computer. I recently put it in my computer about 5-8 months ago.
 
 
 
E:\Documents and Settings\Kevin\Desktop\JUNKK\xd\Main Junk\ııı\utorrent-3-1-3-build-27498-es-en-br-fr-de-it-cn-jp-ar-ru-win.exe a variant of Win32/Bunndle potentially unsafe application
C:\$Recycle.Bin\S-1-5-21-2594332713-3088129888-4266447873-1001\$RZFEPB5.exe Win32/Bundled.Toolbar.Google.D potentially unsafe application cleaned by deleting
C:\Users\Kevin\Desktop\JUNKK\xd\Main Junk\ııı\utorrent-3-1-3-build-27498-es-en-br-fr-de-it-cn-jp-ar-ru-win.exe a variant of Win32/Bunndle potentially unsafe application cleaned by deleting
D:\ccsetup542pro.exe Win32/Bundled.Toolbar.Google.D potentially unsafe application cleaned by deleting
D:\HF Ebooks\Fresh Start\uTorrent.exe Win32/InstallCore.AVJ potentially unwanted application cleaned by deleting
E:\Old bleep\Program Files (x86)\Spotflux\netfilter\release\win32\ProtocolFilters.dll a variant of Win32/NetFilter.A potentially unsafe application cleaned by deleting
E:\Old bleep\Program Files (x86)\Spotflux\netfilter\release\x64\nfapi.dll a variant of Win64/NetFilter.A potentially unsafe application cleaned by deleting
E:\Old bleep\Program Files (x86)\xfin_portal\comcastdx.dll a variant of Win32/Toolbar.Visicom.B potentially unwanted application cleaned by deleting
E:\Old bleep\Program Files (x86)\xfin_portal\comcastdx64.dll a variant of Win64/Toolbar.Visicom.A potentially unwanted application cleaned by deleting
E:\Old bleep\Program Files (x86)\xfin_portal\comcasttb.dll a variant of Win32/Toolbar.Visicom.A potentially unwanted application cleaned by deleting
E:\Old bleep\Users\Kevin\Desktop\Output\VShareSetup.exe a variant of Win32/AceDeceiver.C trojan cleaned by deleting
E:\Old bleep\Users\Kevin\Desktop\Output\xfinity-master-installer_1.0.0.11.exe a variant of Win32/Visicom.B potentially unwanted application cleaned by deleting
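The ESET result lines above mix three different things: one actual trojan detection, a set of potentially unwanted or unsafe applications (bundlers, toolbars, a VPN's network filter), and, in the first line, a finding with no "cleaned by deleting" suffix. The script below is an added example written for this page, not ESET's own tooling and not code from the thread. It parses the lines into path, signature, category and action, then summarises them by category and drive and lists what was not reported as cleaned. The three category strings in the regular expression are the ones that appear in this log; ESET uses others, and the pattern would need extending for them.

```python
import re
from collections import Counter

# Constructed sample input: the ESET Online Scanner result lines posted in this
# thread, one finding per line, copied verbatim.
ESET_LOG = r"""E:\Documents and Settings\Kevin\Desktop\JUNKK\xd\Main Junk\ııı\utorrent-3-1-3-build-27498-es-en-br-fr-de-it-cn-jp-ar-ru-win.exe a variant of Win32/Bunndle potentially unsafe application
C:\$Recycle.Bin\S-1-5-21-2594332713-3088129888-4266447873-1001\$RZFEPB5.exe Win32/Bundled.Toolbar.Google.D potentially unsafe application cleaned by deleting
C:\Users\Kevin\Desktop\JUNKK\xd\Main Junk\ııı\utorrent-3-1-3-build-27498-es-en-br-fr-de-it-cn-jp-ar-ru-win.exe a variant of Win32/Bunndle potentially unsafe application cleaned by deleting
D:\ccsetup542pro.exe Win32/Bundled.Toolbar.Google.D potentially unsafe application cleaned by deleting
D:\HF Ebooks\Fresh Start\uTorrent.exe Win32/InstallCore.AVJ potentially unwanted application cleaned by deleting
E:\Old bleep\Program Files (x86)\Spotflux\netfilter\release\win32\ProtocolFilters.dll a variant of Win32/NetFilter.A potentially unsafe application cleaned by deleting
E:\Old bleep\Program Files (x86)\Spotflux\netfilter\release\x64\nfapi.dll a variant of Win64/NetFilter.A potentially unsafe application cleaned by deleting
E:\Old bleep\Program Files (x86)\xfin_portal\comcastdx.dll a variant of Win32/Toolbar.Visicom.B potentially unwanted application cleaned by deleting
E:\Old bleep\Program Files (x86)\xfin_portal\comcastdx64.dll a variant of Win64/Toolbar.Visicom.A potentially unwanted application cleaned by deleting
E:\Old bleep\Program Files (x86)\xfin_portal\comcasttb.dll a variant of Win32/Toolbar.Visicom.A potentially unwanted application cleaned by deleting
E:\Old bleep\Users\Kevin\Desktop\Output\VShareSetup.exe a variant of Win32/AceDeceiver.C trojan cleaned by deleting
E:\Old bleep\Users\Kevin\Desktop\Output\xfinity-master-installer_1.0.0.11.exe a variant of Win32/Visicom.B potentially unwanted application cleaned by deleting
"""

# <path> [a variant of ]<Platform/Name> <category> [cleaned by deleting]
# The path may contain spaces, so it is matched lazily and the signature is
# pinned by its mandatory "/" (Windows paths use backslashes, so no ambiguity).
LINE_RE = re.compile(
    r"^(?P<path>.+?) (?P<variant>a variant of )?(?P<sig>[A-Za-z0-9]+/\S+) "
    r"(?P<category>potentially (?:unsafe|unwanted) application|[a-z]+)"
    r"(?: (?P<action>cleaned by deleting))?$"
)


def parse_eset(text):
    """Parse ESET result lines into dicts; raise on a line the pattern does not cover."""
    findings = []
    for line in text.splitlines():
        if not line.strip():
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unparsed line: {line!r}")
        findings.append({
            "path": m["path"],
            "drive": m["path"][0].upper(),
            "signature": m["sig"],
            "category": m["category"],
            "cleaned": m["action"] is not None,
        })
    return findings


def triage(findings):
    """Separate real malware from PUA/PUP noise and flag what was not removed."""
    by_category = Counter(f["category"] for f in findings)
    by_drive = Counter(f["drive"] for f in findings)
    not_cleaned = [f["path"] for f in findings if not f["cleaned"]]
    # anything ESET does not call "potentially ..." is treated as actual malware
    malware = [(f["path"], f["signature"]) for f in findings
               if not f["category"].startswith("potentially")]
    return {
        "by_category": dict(by_category),
        "by_drive": dict(by_drive),
        "not_cleaned": not_cleaned,
        "malware": malware,
    }


if __name__ == "__main__":
    for key, value in triage(parse_eset(ESET_LOG)).items():
        print(f"{key}: {value}")
```

The by-drive count is the useful part for this thread: almost everything sits on the old E: drive the poster transplanted from a previous machine, which says more about where the risk came from than the detection names do.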


#7 Keraie (Topic Starter)

Posted 02 May 2018 - 06:45 PM

Malwarebytes
www.malwarebytes.com
 
-Log Details-
Scan Date: 5/2/18
Scan Time: 7:38 PM
Log File: df65aab2-4e61-11e8-afc7-408d5c5aadfb.json
Administrator: Yes
 
-Software Information-
Version: 3.4.5.2467
Components Version: 1.0.342
Update Package Version: 1.0.4956
License: Trial
 
-System Information-
OS: Windows 10 (Build 16299.371)
CPU: x64
File System: NTFS
User: DESKTOP-HK88US2\Kevin
 
-Scan Summary-
Scan Type: Threat Scan
Scan Initiated By: Manual
Result: Completed
Objects Scanned: 351269
Threats Detected: 0
(No malicious items detected)
Threats Quarantined: 0
(No malicious items detected)
Time Elapsed: 6 min, 32 sec
 
-Scan Options-
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Detect
PUM: Detect
 
-Scan Details-
Process: 0
(No malicious items detected)
 
Module: 0
(No malicious items detected)
 
Registry Key: 0
(No malicious items detected)
 
Registry Value: 0
(No malicious items detected)
 
Registry Data: 0
(No malicious items detected)
 
Data Stream: 0
(No malicious items detected)
 
Folder: 0
(No malicious items detected)
 
File: 0
(No malicious items detected)
 
Physical Sector: 0
(No malicious items detected)
 
 
(end)


#8 garioch7

Posted 03 May 2018 - 08:53 AM

Keraie:
 
Thank you for running those scans and posting the logs.  Things are looking good!
 
Let's run a couple of more standard anti-malware scans to ensure that your computer is not infected.
 
.
 
Step 1: AdwCleaner - Fix Mode

  • Download AdwCleaner and move it to your Desktop.
  • Right-click on AdwCleaner.exe and select Run as Administrator (for Windows Vista, 7, 8, 8.1 and 10 users).
  • Accept the EULA (I accept), then click on Scan.
  • Let the scan complete. Once it's done, make sure that every item listed in the different tabs is checked and click on the Clean button.
  • Once the cleaning process is complete, AdwCleaner will ask to restart your computer, please do so.
  • After the restart, a log will open when logging in. Please copy and paste the contents of that log into your next reply.

.

Step 2: RogueKiller Scan

  • Download the right version of RogueKiller for your Windows version (32 or 64-bit).
  • Move the executable file to your Desktop, right-click on it and select Run as Administrator (for Windows Vista, 7, 8, 8.1 and 10 users).
  • Click on the Start Scan button in the right panel, which will bring up another tab, and click on it again (this time it'll be in the bottom right corner).
  • Wait for the scan to complete.
  • On the completion of the scan, the results will be displayed.
  • Check every single entry (threat found), and click on the Remove Selected button.
  • On completion, the results will be displayed. Click on the Open Report button in the bottom left corner, followed by the Open TXT button (also in the bottom left corner).
  • This will open the report in Notepad. Please copy and paste the contents of the report into your next reply.

.

Thank you and have a great day.

Regards,
-Phil




#9 Keraie (Topic Starter)

Posted 03 May 2018 - 02:22 PM

# -------------------------------
# Malwarebytes AdwCleaner 7.1.1.0
# -------------------------------
# Build:    04-27-2018
# Database: 2018-05-02.2
#
# -------------------------------
# Mode: Clean
# -------------------------------
# Start:    05-03-2018
# Duration: 00:00:02
# OS:       Windows 10 Home
# Cleaned:  1
# Failed:   1
 
 
***** [ Services ] *****
 
No malicious services cleaned.
 
***** [ Folders ] *****
 
No malicious folders cleaned.
 
***** [ Files ] *****
 
No malicious files cleaned.
 
***** [ DLL ] *****
 
No malicious DLLs cleaned.
 
***** [ WMI ] *****
 
No malicious WMI cleaned.
 
***** [ Shortcuts ] *****
 
No malicious shortcuts cleaned.
 
***** [ Tasks ] *****
 
No malicious tasks cleaned.
 
***** [ Registry ] *****
 
No malicious registry entries cleaned.
 
***** [ Chromium (and derivatives) ] *****
 
No malicious Chromium entries cleaned.
 
***** [ Chromium URLs ] *****
 
Deleted       Ask
Not Deleted   AOL
 
***** [ Firefox (and derivatives) ] *****
 
No malicious Firefox entries cleaned.
 
***** [ Firefox URLs ] *****
 
No malicious Firefox URLs cleaned.
 
 
*************************
 
[+] Delete Tracing Keys
[+] Reset Winsock
 
*************************
 
 
########## EOF - C:\AdwCleaner\Logs\AdwCleaner[C01].txt ##########


#10 Keraie (Topic Starter)

Posted 03 May 2018 - 02:46 PM

RogueKiller V12.12.15.0 (x64) [Apr 30 2018] (Free) by Adlice Software

 
Operating System : Windows 10 (10.0.16299) 64 bits version
Started in : Normal mode
User : Kevin [Administrator]
Started from : C:\Users\Kevin\Desktop\Virus\RogueKiller_portable64.exe
Mode : Delete -- Date : 05/03/2018 15:23:57 (Duration : 00:43:25)
 
¤¤¤ Processes : 1 ¤¤¤
[Adw.Elex|Adw.Wizzcaster|BitMiner.Gen0] MBAMService.exe(4336) -- D:\Anti-Malware\mbamservice.exe[7] -> Killed [DrvNtTerm]
 
¤¤¤ Registry : 1 ¤¤¤
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{10cb8f4c-09bc-4815-ac26-54bf80179a79} | DhcpNameServer : 172.20.10.1 ([])  -> Not selected
 
¤¤¤ Tasks : 0 ¤¤¤
 
¤¤¤ Files : 1 ¤¤¤
[Hidden.ADS][Stream] C:\Windows:AstInfo -> Deleted
 
¤¤¤ WMI : 0 ¤¤¤
 
¤¤¤ Hosts File : 0 ¤¤¤
 
¤¤¤ Antirootkit : 0 (Driver: Loaded) ¤¤¤
 
¤¤¤ Web browsers : 0 ¤¤¤
 
¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: WDC WD10EZEX-21M2NA0 +++++
--- User ---
[MBR] 0086f36f0b7bc8b257f89fc226376c3d
[BSP] 9e3b3c473b1db0daa516427cdae6e1cc : Windows Vista/7/8 MBR Code
Partition table:
0 - Microsoft reserved partition | Offset (sectors): 34 | Size: 128 MB
1 - Basic data partition | Offset (sectors): 264192 | Size: 953740 MB
User = LL1 ... OK
User = LL2 ... OK
 
+++++ PhysicalDrive1: Samsung SSD 850 EVO 250GB +++++
--- User ---
[MBR] 0086f36f0b7bc8b257f89fc226376c3d
[BSP] 9e3b3c473b1db0daa516427cdae6e1cc : Windows Vista/7/8 MBR Code
Partition table:
0 - [SYSTEM][MAN-MOUNT] Basic data partition | Offset (sectors): 2048 | Size: 450 MB
1 - [MAN-MOUNT] EFI system partition | Offset (sectors): 923648 | Size: 99 MB
2 - [MAN-MOUNT] Microsoft reserved partition | Offset (sectors): 1126400 | Size: 16 MB
3 - Basic data partition | Offset (sectors): 1159168 | Size: 237031 MB
4 - [SYSTEM][MAN-MOUNT]  | Offset (sectors): 486600704 | Size: 876 MB
User = LL1 ... OK
User = LL2 ... OK
 
+++++ PhysicalDrive2: ST1000DM003-1CH162 +++++
--- User ---
[MBR] a7c5e3fb21506d7c03c557b4549eb0ed
[BSP] db0bd55e070842cff58a72326b6ba8d2 : Empty MBR Code
Partition table:
0 - [SYSTEM][MAN-MOUNT] Basic data partition | Offset (sectors): 2048 | Size: 400 MB
1 - [MAN-MOUNT] EFI system partition | Offset (sectors): 821248 | Size: 300 MB
2 - [MAN-MOUNT] Microsoft reserved partition | Offset (sectors): 1435648 | Size: 128 MB
3 - Basic data partition | Offset (sectors): 1697792 | Size: 936700 MB
4 - [SYSTEM][MAN-MOUNT] Basic data partition | Offset (sectors): 1920059392 | Size: 16340 MB
User = LL1 ... OK
User = LL2 ... OK

Edited by Keraie, 03 May 2018 - 04:29 PM.


#11 Keraie (Topic Starter)

Posted 03 May 2018 - 04:30 PM

One thing wasn't selected, but I'm pretty sure this was selected. Can you help me remove this please? Thank you!



#12 garioch7

Posted 04 May 2018 - 11:41 AM

Keraie:
 
Thank you for your post and for running those scans and posting the results.
 
OK, let's see if the registry subkey is still there and what else is associated with that subkey.  Please run another FRST "fixlist" script for me.
 
.
 
Step 1: Please run a FRST fix for me.

NOTICE: This FRST "fixlist" script was written specifically for this user, for use on this individual computer. Running this on another computer may cause damage to your operating system.



Start::
CreateRestorePoint:
CloseProcesses:
ExportKey: HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{10cb8f4c-09bc-4815-ac26-54bf80179a79}
End::
  • Please highlight the entire contents of the code box above, from the "Start::" line to the "End::" line, including both of those lines, right click, and select "Copy", which will copy the "fix" script into the Windows clipboard.
  • Right click FRST/FRST64.exe, and select "Run as Administrator".
  • Press Fix button once and wait.
  • Please reboot the computer, if requested.
  • A log file called "fixlog.txt" will be saved in the same folder as the FRST program is located.
  • Please copy and paste the contents of the "fixlog.txt" file into your next reply.

.

Thank you and have a great day.

Regards,
-Phil




#13 Keraie (Topic Starter)

Posted 04 May 2018 - 02:20 PM

Fix result of Farbar Recovery Scan Tool (x64) Version: 03.05.2018
Ran by Kevin (04-05-2018 15:16:42) Run:2
Running from C:\Users\Kevin\Desktop\Virus
Loaded Profiles: Kevin &  (Available Profiles: Kevin)
Boot Mode: Normal
==============================================
 
fixlist content:
*****************
CreateRestorePoint:
CloseProcesses:
ExportKey: HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{10cb8f4c-09bc-4815-ac26-54bf80179a79}
 
*****************
 
Restore point was successfully created.
Processes closed successfully.
================== ExportKey: ===================
 
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{10cb8f4c-09bc-4815-ac26-54bf80179a79}]
"EnableDHCP"="1"
"Domain"=""
"NameServer"=""
"DhcpIPAddress"="172.20.10.6"
"DhcpSubnetMask"="255.255.255.240"
"DhcpServer"="172.20.10.1"
"Lease"="85536"
"LeaseObtainedTime"="76096"
"T1"="118864"
"T2"="150940"
"LeaseTerminatesTime"="161632"
"AddressType"="0"
"IsServerNapAware"="0"
"DhcpConnForceBroadcastFlag"="0"
"DhcpNameServer"="172.20.10.1"
"DhcpDefaultGateway"="172.20.10.1"
"DhcpSubnetMaskOpt"="255.255.255.240"
"DhcpInterfaceOptions"="fc00000000000000000000000000000050d001007900000000000000000000000000000050d001002f00000000000000000000000000000050d001002e00000000000000000000000000000050d001002c00000000000000000000000000000050d00100 (the data entry has 448 more characters)."
"DhcpGatewayHardware"="ac140a01060000007a7b8a5e4064"
"DhcpGatewayHardwareCount"="1"
 
=== End of ExportKey ===
 
 
The system needed a reboot.
 
==== End of Fixlog 15:16:58 ====


#14 garioch7

Posted 04 May 2018 - 02:50 PM

Keraie:
 
Thank you for running the FRST "fixlist" script and for posting the results.
 
RogueKiller detected the Value Data (172.20.10.1) of the Value Name: DhcpNameServer of the registry subkey that I exported as a "PUM" (Potentially Unwanted Modification).  This could be a false positive; or, that URL may have been, at one time or another, associated with other potentially unwanted modifications made by one or more malware applications.  I submitted the URL to VirusTotal and you can see the results here.
 
This "detection" does not cause me concern, UNLESS you are having browser issues.  My opinion is that this is a "false positive", and all anti-virus and anti-malware software applications are guilty of "false positives", some, more than others.  That is why I wanted to export everything under that registry subkey to see if anything looked amiss.  Nothing does.
 
.
 
Step 1: So how is your computer working now?  If there are still issues, please describe them in as much detail as possible; otherwise, in a subsequent post I will remove the anti-malware applications that you don't want that I asked you to download to scan your computer.  I call that "housekeeping time." :)
 
.
 
Step 2: Important Note: Your version of Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system.
- Kaspersky Lab report: Evaluating the threat level of software vulnerabilities
- Microsoft: Unprecedented Wave of Java Exploitation
- Ghosts of Java Haunt Users

Personally, I uninstalled Java over two years ago on both of my computers, and I have never missed it. Some people do need Java, but most do not. Some older games will not play, except on an older version of Java, so that might be why your Java is so old.

Please follow these steps to update Java:

  • Click here.
  • Click Free Java Download button.
  • Click on the Agree and Start Free Download button.
  • Uncheck any optional offers.
  • Click on the downloaded installer file to start the installation.
  • Once completed you should be notified that You have successfully installed Java.
  • If Java notifies you older versions of the program need to be removed check each of the versions and click Uninstall.

.

Thank you and have a great day.

Regards,
-Phil


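Phil's reasoning, that the DhcpNameServer hit is a false positive because the exported key shows nothing amiss, reduces to a short checklist: DHCP is enabled, no static NameServer override is set, and the DNS server handed out by DHCP is the same host as the DHCP server and default gateway on the interface's own /28. The script below is an added example written for this page, not code from the thread, RogueKiller or FRST. It parses the ExportKey block from post #13 and applies that checklist; a second, constructed input with a static NameServer pointing at 203.0.113.53 (a TEST-NET-3 documentation address used purely as a placeholder, not an address associated with anything) shows what a value worth chasing would look like. RFC1918, the function names and the verdict strings are this example's own.

```python
import ipaddress
import re

# Constructed sample input: the ExportKey block FRST printed in post #13,
# trimmed to the values this check reads.
EXPORTED_KEY = r"""[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{10cb8f4c-09bc-4815-ac26-54bf80179a79}]
"EnableDHCP"="1"
"Domain"=""
"NameServer"=""
"DhcpIPAddress"="172.20.10.6"
"DhcpSubnetMask"="255.255.255.240"
"DhcpServer"="172.20.10.1"
"DhcpNameServer"="172.20.10.1"
"DhcpDefaultGateway"="172.20.10.1"
"""

# Constructed contrast case (not from the thread): the same interface with a
# static NameServer override pointing at 203.0.113.53, a documentation-range
# (TEST-NET-3) address used only as a placeholder for "some outside server".
SUSPECT_KEY = EXPORTED_KEY.replace('"NameServer"=""', '"NameServer"="203.0.113.53"')

# "Name"="Data"; no end anchor, because FRST appends "(the data entry has N more
# characters)." after the closing quote of long values such as DhcpInterfaceOptions.
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<data>[^"]*)"')
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_export(text):
    """Turn FRST's "Name"="Data" lines into a dict; the [key] header line is skipped."""
    values = {}
    for line in text.splitlines():
        m = VALUE_RE.match(line)
        if m:
            values[m["name"]] = m["data"]
    return values


def triage_dns(values):
    """Decide whether a DhcpNameServer 'PUM' hit is worth chasing.

    Benign pattern: DHCP is on, no static NameServer override, and every DNS
    server is the DHCP server / default gateway or at least on the interface's
    own subnet (the usual home-router or phone-hotspot setup).
    """
    findings = []
    if values.get("EnableDHCP") != "1":
        findings.append("interface is not using DHCP")
    # A static entry overrides what DHCP handed out; DNS changers set this value.
    static_dns = values.get("NameServer", "").replace(",", " ").split()
    if static_dns:
        findings.append(f"static NameServer override set: {static_dns}")
    dhcp_dns = values.get("DhcpNameServer", "").split()
    try:
        subnet = ipaddress.ip_network(
            f'{values["DhcpIPAddress"]}/{values["DhcpSubnetMask"]}', strict=False)
    except (KeyError, ValueError):
        subnet = None
    anchors = {values.get("DhcpServer"), values.get("DhcpDefaultGateway")}
    for raw in dhcp_dns + static_dns:
        try:
            ip = ipaddress.ip_address(raw)
        except ValueError:
            findings.append(f"unparseable DNS server value: {raw!r}")
            continue
        if raw in anchors or (subnet is not None and ip in subnet):
            continue
        kind = ("RFC 1918 but off-subnet" if any(ip in n for n in RFC1918)
                else "outside RFC 1918 space")
        findings.append(f"DNS server {raw} is {kind}")
    return {
        "verdict": "review" if findings else "likely benign",
        "findings": findings,
        "dhcp_dns": dhcp_dns,
        "static_dns": static_dns,
    }


if __name__ == "__main__":
    for label, key in (("thread", EXPORTED_KEY), ("contrast", SUSPECT_KEY)):
        print(label, triage_dns(parse_export(key)))
```

A public resolver in DhcpNameServer is not malicious by itself (an ISP or a deliberately configured router will produce exactly that), which is why the verdict is "review" rather than "infected": the check tells you whether the value matches the rest of the lease, and the decision still belongs to whoever knows what the network is supposed to look like.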


#15 garioch7

Posted 07 May 2018 - 12:01 PM

Keraie:

 
Are you still there?  Do you still require assistance?  It has been three days since I last posted to you.
 
According to Forum policy, topics must be concluded after five days of non-response from the Topic Starter.
 
If I have not heard from you in another two days, I will conclude your topic.  You can always reopen it by sending a Personal Message to me or to a Moderator.
 
Thank you and have a great day.
 
Regards,
-Phil





