
Solved Infected Router

Discussion in 'Malware and Virus Removal' started by yoruga, 2016/03/25.

  1. 2016/03/27
    yoruga

    yoruga Well-Known Member Thread Starter

    Joined:
    2008/09/30
    Messages:
    144
    Likes Received:
    0
    (If an entry is included in the fixlist, the task (.job) file will be moved. The file which is running by the task will not be moved.)

    Task: C:\WINDOWS\Tasks\Adobe Flash Player Updater.job => C:\Windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe
    Task: C:\WINDOWS\Tasks\FacebookUpdateTaskUserS-1-5-21-1160702305-3582450622-2665941894-1000Core.job => C:\Users\Taliah\AppData\Local\Facebook\Update\FacebookUpdate.exe
    Task: C:\WINDOWS\Tasks\FacebookUpdateTaskUserS-1-5-21-1160702305-3582450622-2665941894-1000UA.job => C:\Users\Taliah\AppData\Local\Facebook\Update\FacebookUpdate.exe
    Task: C:\WINDOWS\Tasks\GoogleUpdateTaskMachineCore.job => C:\Program Files\Google\Update\GoogleUpdate.exe
    Task: C:\WINDOWS\Tasks\GoogleUpdateTaskMachineUA.job => C:\Program Files\Google\Update\GoogleUpdate.exe
    Task: C:\WINDOWS\Tasks\HPCeeScheduleForRAWR$.job => C:\Program Files\Hewlett-Packard\HP Ceement\HPCEE.exe

    ==================== Shortcuts =============================

    (The entries could be listed to be restored or removed.)

    ==================== Loaded Modules (Whitelisted) ==============

    2015-10-30 15:44 - 2015-10-30 15:44 - 00149504 _____ () C:\WINDOWS\SYSTEM32\ism32k.dll
    2016-03-27 22:24 - 2016-03-27 22:24 - 00113496 _____ () C:\Program Files\AVAST Software\Avast\log.dll
    2016-03-27 22:24 - 2016-03-27 22:24 - 00133768 _____ () C:\Program Files\AVAST Software\Avast\JsonRpcServer.dll
    2016-03-27 22:26 - 2016-03-27 22:26 - 02819072 _____ () C:\Program Files\AVAST Software\Avast\defs\16020200\algo.dll
    2016-03-27 22:24 - 2016-03-27 22:24 - 00480760 _____ () C:\Program Files\AVAST Software\Avast\ffl2.dll
    2016-03-27 20:14 - 2016-03-27 20:14 - 02846208 _____ () C:\Program Files\AVAST Software\Avast\defs\16032701\algo.dll
    2016-03-27 22:24 - 2016-03-27 22:24 - 00307808 _____ () C:\Program Files\AVAST Software\Avast\browser_pass.dll
    2009-08-15 17:22 - 2009-01-22 04:47 - 00247152 ____N () C:\Program Files\CyberLink\Shared files\RichVideo.exe
    2016-03-03 21:53 - 2016-02-23 20:34 - 01859960 _____ () C:\WINDOWS\system32\CoreUIComponents.dll
    2016-03-03 21:53 - 2016-02-23 20:34 - 01859960 _____ () C:\WINDOWS\System32\CoreUIComponents.dll
    2011-01-17 19:28 - 2005-06-28 13:59 - 00053248 _____ () C:\Program Files\ArcSoft\PhotoImpression 5\share\pihook.dll
    2016-01-22 22:09 - 2016-01-22 22:09 - 00070656 _____ () C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\Windows.UI.Shell.SharedUtilities.dll
    2016-03-03 21:52 - 2016-02-23 17:48 - 00316416 _____ () C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\QuickActions.dll
    2016-01-22 22:09 - 2016-01-22 22:09 - 05340672 _____ () C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\CortanaApi.dll
    2016-01-22 22:09 - 2016-01-22 22:09 - 00471552 _____ () C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\Cortana.Core.dll
    2016-02-10 20:30 - 2016-01-16 15:06 - 02366464 _____ () C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\Cortana.BackgroundTask.dll
    2016-02-10 20:30 - 2016-01-16 15:09 - 02656768 _____ () C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\RemindersUI.dll
    2009-07-16 10:51 - 2009-07-16 10:51 - 00061440 _____ () C:\Program Files\Hewlett-Packard\HP Advisor\Pillars\PCAlerts\PCAlertsPillar.dll
    2009-07-16 10:51 - 2009-07-16 10:51 - 00131072 _____ () C:\Program Files\Hewlett-Packard\HP Advisor\Pillars\ECenter\ECLibrary.dll
    2009-07-16 10:50 - 2009-07-16 10:50 - 00040960 _____ () C:\Program Files\Hewlett-Packard\HP Advisor\MessagingServer.dll
    2009-07-16 10:50 - 2009-07-16 10:50 - 00005632 _____ () C:\Program Files\Hewlett-Packard\HP Advisor\MessagingInterface.dll
    2009-07-16 10:50 - 2009-07-16 10:50 - 00018944 _____ () C:\Program Files\Hewlett-Packard\HP Advisor\MessagingMessages.dll
    2009-07-16 10:50 - 2009-07-16 10:50 - 00036864 _____ () C:\Program Files\Hewlett-Packard\HP Advisor\MessagingClients.dll
    2009-07-16 10:50 - 2009-07-16 10:50 - 00028672 _____ () C:\Program Files\Hewlett-Packard\HP Advisor\Microsoft.Practices.EnterpriseLibrary.ExceptionHandling.Logging.dll
    2009-07-16 10:50 - 2009-07-16 10:50 - 00007680 _____ () C:\Program Files\Hewlett-Packard\HP Advisor\RemotingClient.dll
    2009-06-18 04:40 - 2009-06-18 04:40 - 02121728 _____ () C:\Program Files\Common Files\LightScribe\QtCore4.dll
    2009-06-18 04:40 - 2009-06-18 04:40 - 07745536 _____ () C:\Program Files\Common Files\LightScribe\QtGui4.dll
    2009-06-18 04:40 - 2009-06-18 04:40 - 00135168 _____ () C:\Program Files\Common Files\LightScribe\plugins\imageformats\qjpeg4.dll
    2009-07-02 08:44 - 2009-07-02 08:44 - 00632888 _____ () C:\Program Files\Hewlett-Packard\Shared\hpqToaster.exe
    2015-12-03 07:42 - 2015-12-03 07:42 - 40539648 _____ () C:\Program Files\AVAST Software\Avast\libcef.dll
    2016-01-22 07:31 - 2016-01-22 07:31 - 00144384 _____ () C:\Program Files\WindowsApps\Microsoft.Messaging_2.13.20000.0_x86__8wekyb3d8bbwe\SkypeHost.exe
    2016-01-22 07:31 - 2016-01-22 07:31 - 00141312 _____ () C:\Program Files\WindowsApps\Microsoft.Messaging_2.13.20000.0_x86__8wekyb3d8bbwe\SkypeBackgroundTasks.dll
    2016-01-22 07:31 - 2016-01-22 07:31 - 22330368 _____ () C:\Program Files\WindowsApps\Microsoft.Messaging_2.13.20000.0_x86__8wekyb3d8bbwe\SkyWrap.dll
    2015-10-30 15:45 - 2015-10-30 15:45 - 01358688 _____ () C:\Windows\SystemApps\Microsoft.LockApp_cw5n1h2txyewy\LockApp.exe

    ==================== Alternate Data Streams (Whitelisted) =========

    (If an entry is included in the fixlist, only the ADS will be removed.)


    ==================== Safe Mode (Whitelisted) ===================

    (If an entry is included in the fixlist, it will be removed from the registry. The "AlternateShell" value will be restored.)


    ==================== EXE Association (Whitelisted) ===============

    (If an entry is included in the fixlist, the registry item will be restored to default or removed.)


    ==================== Internet Explorer trusted/restricted ===============

    (If an entry is included in the fixlist, it will be removed from the registry.)


    ==================== Hosts content: ===============================

    (If needed Hosts: directive could be included in the fixlist to reset Hosts.)

    2009-07-14 12:04 - 2014-04-09 10:59 - 00000027 ____A C:\WINDOWS\system32\Drivers\etc\hosts

    127.0.0.1 localhost

    ==================== Other Areas ============================

    (Currently there is no automatic fix for this section.)

    HKU\S-1-5-21-1160702305-3582450622-2665941894-1000\Control Panel\Desktop\\Wallpaper -> C:\Users\Taliah\AppData\Local\Microsoft\Windows\Themes\img19.jpg
    DNS Servers: 198.142.235.14 - 211.29.132.12
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System => (ConsentPromptBehaviorAdmin: 5) (ConsentPromptBehaviorUser: 3) (EnableLUA: 1)
    Windows Firewall is enabled.

    ==================== MSCONFIG/TASK MANAGER disabled items ==

    (Currently there is no automatic fix for this section.)


    ==================== FirewallRules (Whitelisted) ===============

    (If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

    FirewallRules: [vm-monitoring-nb-session] => (Allow) LPort=139
    FirewallRules: [MSMQ-In-TCP] => (Allow) %systemroot%\system32\mqsvc.exe
    FirewallRules: [MSMQ-Out-TCP] => (Allow) %systemroot%\system32\mqsvc.exe
    FirewallRules: [MSMQ-In-UDP] => (Allow) %systemroot%\system32\mqsvc.exe
    FirewallRules: [MSMQ-Out-UDP] => (Allow) %systemroot%\system32\mqsvc.exe
    FirewallRules: [WCF-NetTcpActivator-In-TCP-32bit] => (Allow) LPort=808
    FirewallRules: [{A60D9D73-1F3E-481F-A265-67412254941E}] => (Allow) C:\Windows\Microsoft.NET\Framework\v4.0.30319\SMSvcHost.exe
    FirewallRules: [{69F50ECD-6DCF-468F-B6EC-973F0973B254}] => (Allow) C:\Program Files\TeamViewer\Version8\TeamViewer.exe
    FirewallRules: [{E78E2544-EB63-45B4-A919-483D05DFE676}] => (Allow) C:\Program Files\TeamViewer\Version8\TeamViewer.exe
    FirewallRules: [{EC4D603E-D810-47CC-AB38-CBD472D30AFD}] => (Allow) C:\Program Files\TeamViewer\Version8\TeamViewer_Service.exe
    FirewallRules: [{B886B432-E7EA-4E4B-B4A5-35C9C7C62F0F}] => (Allow) C:\Program Files\TeamViewer\Version8\TeamViewer_Service.exe
    FirewallRules: [{FB878EE5-F4A8-472D-B6E7-E35B1D8EA834}] => (Allow) C:\Program Files\AVG\AVG2014\avgdiagex.exe
    FirewallRules: [{9BF5036C-6E3D-486F-8AC4-FBAA0B3E56ED}] => (Allow) C:\Program Files\AVG\AVG2014\avgdiagex.exe
    FirewallRules: [{8B182900-4209-4FF6-A7F6-63939BEE96BB}] => (Allow) C:\Users\Taliah\AppData\Local\Facebook\Video\Skype\FacebookVideoCalling.exe
    FirewallRules: [{4DA263C5-FB95-4D67-996E-77DF78C271A6}] => (Allow) C:\Program Files\Bonjour\mDNSResponder.exe
    FirewallRules: [{827837D9-F071-43A8-A239-EC6B3B8F6CAD}] => (Allow) C:\Program Files\Bonjour\mDNSResponder.exe

    ==================== Restore Points =========================

    28-02-2016 11:39:36 Scheduled Checkpoint
    03-03-2016 23:48:48 Windows Update
    14-03-2016 15:40:37 Windows Update
    21-03-2016 17:44:10 Windows Update
    27-03-2016 13:44:27 Windows Update
    27-03-2016 21:48:11 JRT Pre-Junkware Removal
     
  2. 2016/03/27
    yoruga

    yoruga Well-Known Member Thread Starter

    Joined:
    2008/09/30
    Messages:
    144
    Likes Received:
    0
    ==================== Faulty Device Manager Devices =============


    ==================== Event log errors: =========================

    Application errors:
    ==================
    Error: (03/28/2016 11:11:27 AM) (Source: Bonjour Service) (EventID: 100) (User: )
    Description: Local Hostname Rawr.local already in use; will try Rawr-2.local instead

    Error: (03/28/2016 11:11:27 AM) (Source: Bonjour Service) (EventID: 100) (User: )
    Description: mDNSCoreReceiveResponse: ProbeCount 1; will deregister 16 Rawr.local. AAAA FE80:0000:0000:0000:DC46:6096:C5D8:A7FB

    Error: (03/28/2016 11:11:27 AM) (Source: Bonjour Service) (EventID: 100) (User: )
    Description: mDNSCoreReceiveResponse: Received from FE80:0000:0000:0000:DC46:6096:C5D8:A7FB:5353 4 Rawr.local. Addr 192.168.0.16

    Error: (03/27/2016 10:32:25 PM) (Source: MsiInstaller) (EventID: 11706) (User: Rawr)
    Description: Product: HP Support Assistant -- Error 1706.No valid source could be found for product HP Support Assistant. The Windows Installer cannot continue.

    Error: (03/27/2016 10:08:38 PM) (Source: MsiInstaller) (EventID: 11706) (User: Rawr)
    Description: Product: HP Support Assistant -- Error 1706.No valid source could be found for product HP Support Assistant. The Windows Installer cannot continue.

    Error: (03/27/2016 09:48:33 PM) (Source: Microsoft-Windows-CAPI2) (EventID: 513) (User: )
    Description: Cryptographic Services failed while processing the OnIdentity() call in the System Writer Object.

    Details:
    AddLegacyDriverFiles: Unable to back up image of binary Microsoft Link-Layer Discovery Protocol.

    System Error:
    Access is denied.
    .

    Error: (03/27/2016 09:42:59 PM) (Source: Perflib) (EventID: 1008) (User: )
    Description: BITSC:\Windows\System32\bitsperf.dll4

    Error: (03/27/2016 09:35:24 PM) (Source: MsiInstaller) (EventID: 11706) (User: Rawr)
    Description: Product: HP Support Assistant -- Error 1706.No valid source could be found for product HP Support Assistant. The Windows Installer cannot continue.

    Error: (03/27/2016 07:39:17 PM) (Source: Bonjour Service) (EventID: 100) (User: )
    Description: Task Scheduling Error: m->NextScheduledSPRetry 19554485

    Error: (03/27/2016 07:39:17 PM) (Source: Bonjour Service) (EventID: 100) (User: )
    Description: Task Scheduling Error: m->NextScheduledEvent 19554485


    System errors:
    =============
    Error: (03/28/2016 12:34:33 AM) (Source: Microsoft-Windows-Kernel-Power) (EventID: 137) (User: )
    Description: 4

    Error: (03/27/2016 10:30:21 PM) (Source: Service Control Manager) (EventID: 7001) (User: )
    Description: The NetTcpActivator service depends on the NetTcpPortSharing service which failed to start because of the following error:
    %%1058

    Error: (03/27/2016 10:28:14 PM) (Source: Service Control Manager) (EventID: 7009) (User: )
    Description: A timeout was reached (30000 milliseconds) while waiting for the Sync Host_4b5b0 service to connect.

    Error: (03/27/2016 10:28:04 PM) (Source: Service Control Manager) (EventID: 7031) (User: )
    Description: The Sync Host_4b5b0 service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 10000 milliseconds: Restart the service.

    Error: (03/27/2016 10:07:27 PM) (Source: Service Control Manager) (EventID: 7001) (User: )
    Description: The NetTcpActivator service depends on the NetTcpPortSharing service which failed to start because of the following error:
    %%1058

    Error: (03/27/2016 10:05:46 PM) (Source: Service Control Manager) (EventID: 7031) (User: )
    Description: The Sync Host_48d48 service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 10000 milliseconds: Restart the service.

    Error: (03/27/2016 09:32:11 PM) (Source: Service Control Manager) (EventID: 7001) (User: )
    Description: The NetTcpActivator service depends on the NetTcpPortSharing service which failed to start because of the following error:
    %%1058

    Error: (03/27/2016 09:30:26 PM) (Source: Service Control Manager) (EventID: 7031) (User: )
    Description: The Sync Host_3bf17 service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 10000 milliseconds: Restart the service.

    Error: (03/27/2016 09:30:19 PM) (Source: Service Control Manager) (EventID: 7034) (User: )
    Description: The MBAMService service terminated unexpectedly. It has done this 1 time(s).

    Error: (03/27/2016 09:30:19 PM) (Source: Service Control Manager) (EventID: 7034) (User: )
    Description: The MBAMScheduler service terminated unexpectedly. It has done this 1 time(s).


    CodeIntegrity:
    ===================================
    Date: 2016-03-27 20:16:04.341
    Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\efswrt.dll because the set of per-page image hashes could not be found on the system.

    Date: 2016-03-18 14:04:40.519
    Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\efswrt.dll because the set of per-page image hashes could not be found on the system.

    Date: 2016-03-16 03:40:40.265
    Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\efswrt.dll because the set of per-page image hashes could not be found on the system.

    Date: 2016-03-04 03:49:55.433
    Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\efswrt.dll because the set of per-page image hashes could not be found on the system.

    Date: 2016-03-04 03:35:19.266
    Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\efswrt.dll because the set of per-page image hashes could not be found on the system.

    Date: 2016-02-19 17:42:12.048
    Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\efswrt.dll because the set of per-page image hashes could not be found on the system.

    Date: 2016-02-17 03:43:59.834
    Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\efswrt.dll because the set of per-page image hashes could not be found on the system.

    Date: 2016-01-29 19:57:37.106
    Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\efswrt.dll because the set of per-page image hashes could not be found on the system.

    Date: 2016-01-26 01:32:35.438
    Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\efswrt.dll because the set of per-page image hashes could not be found on the system.

    Date: 2016-01-22 04:50:40.238
    Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\efswrt.dll because the set of per-page image hashes could not be found on the system.


    ==================== Memory info ===========================

    Processor: Celeron(R) Dual-Core CPU T3000 @ 1.80GHz
    Percentage of memory in use: 59%
    Total physical RAM: 1978.92 MB
    Available physical RAM: 794.25 MB
    Total Virtual: 3962.92 MB
    Available Virtual: 2265.4 MB

    ==================== Drives ================================

    Drive c: () (Fixed) (Total:220.68 GB) (Free:139.57 GB) NTFS ==>[system with boot components (obtained from drive)]
    Drive d: (RECOVERY) (Fixed) (Total:11.24 GB) (Free:1.83 GB) NTFS ==>[system with boot components (obtained from drive)]

    ==================== MBR & Partition Table ==================

    ========================================================
    Disk: 0 (Size: 232.9 GB) (Disk ID: CFAD9F98)
    Partition 1: (Active) - (Size=199 MB) - (Type=07 NTFS)
    Partition 2: (Not Active) - (Size=220.7 GB) - (Type=07 NTFS)
    Partition 3: (Not Active) - (Size=783 MB) - (Type=27)
    Partition 4: (Not Active) - (Size=11.2 GB) - (Type=07 NTFS)

    ==================== End of Addition.txt ============================
     

  4. 2016/03/27
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Download attached fixlist.txt file and save it to the Desktop.
    NOTE. It's important that both files, FRST and fixlist.txt, are in the same location or the fix will not work.

    NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.

    Run FRST (FRST64) and press the Fix button just once and wait.
    The tool will make a log on the Desktop (Fixlog.txt). Please post it to your reply.
     

    Attached Files:

  5. 2016/03/27
    yoruga

    yoruga Well-Known Member Thread Starter

    Joined:
    2008/09/30
    Messages:
    144
    Likes Received:
    0
    Fix result of Farbar Recovery Scan Tool (x86) Version:05-03-2016 01
    Ran by Taliah (2016-03-28 14:13:34) Run:1
    Running from C:\Users\Taliah\Downloads\Desktop
    Loaded Profiles: Taliah (Available Profiles: Taliah & DefaultAppPool)
    Boot Mode: Normal

    ==============================================

    fixlist content:
    *****************
    SearchScopes: HKLM -> DefaultScope value is missing
    CHR Plugin: (Widevine Content Decryption Module) - C:\Users\Taliah\AppData\Local\Google\Chrome\User Data\WidevineCDM\1.4.1.377\_platform_specific\win_x86\widevinecdmadapter.dl l => No File
    CHR Plugin: (Native Client) - C:\Users\Taliah\AppData\Local\Google\Chrome\Application\49.0.2623.87\ppGoog leNaClPluginChrome.dll => No File
    CHR Plugin: (Chrome PDF Viewer) - C:\Users\Taliah\AppData\Local\Google\Chrome\Application\49.0.2623.87\pdf.dl l => No File
    CHR Plugin: (QuickTime Plug-in 7.6.9) - C:\Program Files\QuickTime\plugins\npqtplugin6.dll => No File
    CHR Plugin: (QuickTime Plug-in 7.6.9) - C:\Program Files\QuickTime\plugins\npqtplugin7.dll => No File
    CHR Plugin: (Adobe Acrobat) - C:\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll => No File
    CHR Plugin: (AVG SiteSafety plugin) - C:\Program Files\Common Files\AVG Secure Search\SiteSafetyInstaller\17.3.0\\npsitesafety.dll => No File
    CHR Plugin: (Java(TM) Platform SE 7 U15) - C:\Program Files\Java\jre7\bin\plugin2\npjp2.dll => No File
    CHR Plugin: (iTunes Application Detector) - C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll => No File
    CHR Plugin: (Google Update) - C:\Users\Taliah\AppData\Local\Google\Update\1.3.22.3\npGoogleUpdate3.dll => No File
    CHR Plugin: (Shockwave for Director) - C:\Windows\system32\Adobe\Director\np32dsw_1168638.dll => No File
    CHR Plugin: (Java Deployment Toolkit 7.0.150.3) - C:\Windows\system32\npDeployJava1.dll => No File
    CHR Plugin: (Silverlight Plug-In) - c:\Program Files\Microsoft Silverlight\5.1.20913.0\npctrl.dll => No File
    2016-01-02 21:22 - 2016-01-02 21:22 - 0000000 _____ () C:\Users\Taliah\AppData\Local\AtStart.txt
    2016-01-02 21:22 - 2016-01-02 21:22 - 0000000 _____ () C:\Users\Taliah\AppData\Local\DSwitch.txt
    2016-01-02 21:22 - 2016-01-02 21:22 - 0000000 _____ () C:\Users\Taliah\AppData\Local\QSwitch.txt
    2016-01-02 21:22 - 2016-03-27 22:33 - 0000320 _____ () C:\ProgramData\hpqp.ini
    2016-01-02 21:22 - 2016-03-27 22:33 - 0000187 _____ () C:\ProgramData\HPWALog.txt
    C:\Users\Taliah\AppData\Local\Temp\dllnt_dump.dll
    C:\Users\Taliah\AppData\Local\Temp\sqlite3.dll
    CustomCLSID: HKU\S-1-5-21-1160702305-3582450622-2665941894-1000_Classes\CLSID\{CC182BE1-84CE-4A57-B85C-FD4BBDF78CB2}\InprocServer32 -> C:\Users\Taliah\AppData\Local\Google\Update\1.3.29.1\psuser.dll => No File

    *****************

    HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => value restored successfully
    CHR Plugin: (Widevine Content Decryption Module) - C:\Users\Taliah\AppData\Local\Google\Chrome\User Data\WidevineCDM\1.4.1.377\_platform_specific\win_x86\widevinecdmadapter.dl l => No File => not found.
    C:\Users\Taliah\AppData\Local\Google\Chrome\Application\49.0.2623.87\ppGoog leNaClPluginChrome.dll => not found.
    CHR Plugin: (Chrome PDF Viewer) - C:\Users\Taliah\AppData\Local\Google\Chrome\Application\49.0.2623.87\pdf.dl l => No File => not found.
    C:\Program Files\QuickTime\plugins\npqtplugin6.dll => not found.
    C:\Program Files\QuickTime\plugins\npqtplugin7.dll => not found.
    C:\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll => not found.
    C:\Program Files\Common Files\AVG Secure Search\SiteSafetyInstaller\17.3.0\\npsitesafety.dll => not found.
    C:\Program Files\Java\jre7\bin\plugin2\npjp2.dll => not found.
    C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll => not found.
    C:\Users\Taliah\AppData\Local\Google\Update\1.3.22.3\npGoogleUpdate3.dll => not found.
    C:\Windows\system32\Adobe\Director\np32dsw_1168638.dll => not found.
    C:\Windows\system32\npDeployJava1.dll => not found.
    c:\Program Files\Microsoft Silverlight\5.1.20913.0\npctrl.dll => not found.
    C:\Users\Taliah\AppData\Local\AtStart.txt => moved successfully
    C:\Users\Taliah\AppData\Local\DSwitch.txt => moved successfully
    C:\Users\Taliah\AppData\Local\QSwitch.txt => moved successfully
    C:\ProgramData\hpqp.ini => moved successfully
    C:\ProgramData\HPWALog.txt => moved successfully
    C:\Users\Taliah\AppData\Local\Temp\dllnt_dump.dll => moved successfully
    C:\Users\Taliah\AppData\Local\Temp\sqlite3.dll => moved successfully
    "HKU\S-1-5-21-1160702305-3582450622-2665941894-1000_Classes\CLSID\{CC182BE1-84CE-4A57-B85C-FD4BBDF78CB2}" => key removed successfully.

    ==== End of Fixlog 14:13:34 ====
     
  6. 2016/03/28
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Last scans...

    Download Security Check from here or here and save it to your Desktop.
    • Double-click SecurityCheck.exe
    • Follow the onscreen instructions inside of the black box.
    • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

    NOTE 1. If one of your security applications (e.g., a third-party firewall) requests permission to allow DIG.EXE to access the Internet, allow it to do so.
    NOTE 2. SecurityCheck may produce some false warning(s), so leave the results reading to me.
    NOTE 3. If you receive the UNSUPPORTED OPERATING SYSTEM! ABORTED! message, restart the computer and Security Check should run.


    Please download Farbar Service Scanner (FSS) and run it on the computer with the issue.
    Make sure the following options are checked:
    • Internet Services
    • Windows Firewall
    • System Restore
    • Security Center
    • Windows Update
    • Windows Defender
    • Other Services

    Press "Scan".
    It will create a log (FSS.txt) in the same directory the tool is run.
    Please copy and paste the log to your reply.


    Download Temp File Cleaner (TFC)
    Alternate download: http://www.itxassociates.com/OT-Tools/TFC.exe
    • Double click on TFC.exe to run the program.
    • Click on Start button to begin cleaning process.
    • TFC will close all running programs, and it may ask you to restart computer.


    Download Sophos Free Virus Removal Tool and save it to your desktop.
    • Double click the icon and select Run
    • Click Next
    • Select I accept the terms in this license agreement, then click Next twice
    • Click Install
    • Click Finish to launch the program
    • Once the virus database has been updated click Start Scanning
    • If any threats are found click Details, then View log file... (bottom left hand corner)
    • Copy and paste the results in your reply
    • Close the Notepad document, close the Threat Details screen, then click Start cleanup
    • Click Exit to close the program
     
  7. 2016/03/28
    yoruga

    yoruga Well-Known Member Thread Starter

    Joined:
    2008/09/30
    Messages:
    144
    Likes Received:
    0
    Security Check log

    Results of screen317's Security Check version 1.014 --- 12/23/15
    x86 (UAC is enabled)
    Internet Explorer 11
    ``````````````Antivirus/Firewall Check:``````````````
    Windows Firewall Enabled!
    Windows Defender
    avast! Antivirus
    Antivirus up to date!
    `````````Anti-malware/Other Utilities Check:`````````
    Adobe Flash Player 21.0.0.197
    Adobe Reader XI
    Google Chrome (48.0.2564.116)
    Google Chrome (49.0.2623.87)
    ````````Process Check: objlist.exe by Laurent````````
    Malwarebytes Anti-Malware mbamservice.exe
    Malwarebytes Anti-Malware mbam.exe
    Malwarebytes Anti-Malware2 mbamscheduler.exe
    AVAST Software Avast AvastSvc.exe
    AVAST Software Avast afwServ.exe
    avast software avast asww10mon.exe
    AVAST Software Avast AvastUI.exe
    `````````````````System Health check`````````````````
    Total Fragmentation on Drive C::
    ````````````````````End of Log``````````````````````
     
  8. 2016/03/28
    yoruga

    yoruga Well-Known Member Thread Starter

    Joined:
    2008/09/30
    Messages:
    144
    Likes Received:
    0
    FSS log

    Farbar Service Scanner Version: 27-01-2016
    Ran by Taliah (administrator) on 29-03-2016 at 14:06:37
    Running from "C:\Users\Taliah\Downloads\Desktop"
    Microsoft Windows 10 Home (X86)
    Boot Mode: Normal
    ****************************************************************

    Internet Services:
    ============

    Connection Status:
    ==============
    Localhost is accessible.
    LAN connected.
    Attempt to access Google IP returned error. Google IP is unreachable
    Google.com is accessible.
    Yahoo.com is accessible.


    Windows Firewall:
    =============

    Firewall Disabled Policy:
    ==================


    System Restore:
    ============

    System Restore Policy:
    ========================


    Security Center:
    ============


    Windows Update:
    ============

    Windows Autoupdate Disabled Policy:
    ============================


    Windows Defender:
    ==============
    WinDefend Service is not running. Checking service configuration:
    The start type of WinDefend service is set to Demand. The default start type is Auto.
    The ImagePath of WinDefend service is OK.


    Windows Defender Disabled Policy:
    ==========================
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender]
    "DisableAntiSpyware"=DWORD:1


    Other Services:
    ==============


    File Check:
    ========
    C:\WINDOWS\system32\nsisvc.dll => File is digitally signed
    C:\WINDOWS\system32\Drivers\nsiproxy.sys => File is digitally signed
    C:\WINDOWS\system32\Drivers\afd.sys => File is digitally signed
    C:\WINDOWS\system32\Drivers\tdx.sys => File is digitally signed
    C:\WINDOWS\system32\Drivers\tcpip.sys => File is digitally signed
    C:\WINDOWS\system32\dnsrslvr.dll => File is digitally signed
    C:\WINDOWS\system32\dnsapi.dll => File is digitally signed
    C:\WINDOWS\system32\mpssvc.dll => File is digitally signed
    C:\WINDOWS\system32\bfe.dll => File is digitally signed
    C:\WINDOWS\system32\Drivers\mpsdrv.sys => File is digitally signed
    C:\WINDOWS\system32\SDRSVC.dll => File is digitally signed
    C:\WINDOWS\system32\vssvc.exe => File is digitally signed
    C:\WINDOWS\system32\wscsvc.dll => File is digitally signed
    C:\WINDOWS\system32\wbem\WMIsvc.dll => File is digitally signed
    C:\WINDOWS\system32\wuaueng.dll => File is digitally signed
    C:\WINDOWS\system32\qmgr.dll => File is digitally signed
    C:\WINDOWS\system32\es.dll => File is digitally signed
    C:\WINDOWS\system32\cryptsvc.dll => File is digitally signed
    C:\Program Files\Windows Defender\MpSvc.dll => File is digitally signed
    C:\WINDOWS\system32\ipnathlp.dll => File is digitally signed
    C:\WINDOWS\system32\iphlpsvc.dll => File is digitally signed
    C:\WINDOWS\system32\svchost.exe => File is digitally signed
    C:\WINDOWS\system32\rpcss.dll => File is digitally signed


    **** End of log ****
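    The things a reviewer checks by eye in the Addition.txt posted at the top of this page (the DNS servers, the hosts file, the UAC policy values, firewall allow rules and scheduled tasks) and in the FSS log above (the WinDefend service state and the DisableAntiSpyware policy) can be scripted. The following is an added example for this thread, not code from the forum, from broni, or from the Farbar tools. It runs over constructed sample lines modelled on the posted logs; the user-writable-path heuristic and the expected-resolver set ASSUMED_EXPECTED_DNS (192.168.0.1) are placeholders for illustration. A finding means "look at this", not "this is malicious": the two resolvers from the log are reported only because they are absent from the placeholder set, so substitute the addresses your router or ISP is supposed to hand out.

```python
"""Triage helper for FRST Addition.txt and Farbar Service Scanner (FSS) logs.

Added example for this thread; not part of the forum posts and not code from
the Farbar tools. It scans the plain text of the posted logs for the items a
reviewer checks first when a DNS hijack is suspected: the resolvers in use
(against an allow-list you supply), hosts entries other than loopback,
scheduled tasks and firewall allow-rules whose program sits in a user-writable
directory, UAC turned off, and the Defender service/policy state FSS prints.
The path heuristic and the allow-list are assumptions for illustration; a
finding means "look at this", not "this is malware".
"""
import re

# Directories an unprivileged user (or malware running as that user) can write to.
USER_WRITABLE = re.compile(r"\\(AppData|Temp|ProgramData)\\", re.IGNORECASE)
# Hosts lines that need no attention: comments and the loopback mappings.
BENIGN_HOSTS = re.compile(r"^(#.*|127\.0\.0\.1\s+localhost|::1\s+localhost)$")
# FRST section banner, e.g. "==================== Hosts content: =========".
BANNER = re.compile(r"^=+ (.+?) =+$")
# FSS service lines.
NOT_RUNNING = re.compile(r"^(\w+) Service is not running")
START_TYPE = re.compile(r"The start type of (\w+) service is set to (\w+)\. "
                        r"The default start type is (\w+)\.")
# FSS policy line; forum copies sometimes carry a stray space before the closing quote.
DEFENDER_POLICY = re.compile(r'"DisableAntiSpyware\s*"\s*=\s*DWORD:1')


def triage(log_text, expected_dns=frozenset()):
    """Return 'category: detail' findings, in log order, for FRST/FSS log text."""
    findings = []
    section = None
    for raw in log_text.splitlines():
        line = raw.strip()
        banner = BANNER.match(line)
        if banner:
            section = banner.group(1)
            continue
        if line.startswith("DNS Servers:"):
            for ip in line.split(":", 1)[1].split(" - "):
                ip = ip.strip()
                if expected_dns and ip not in expected_dns:
                    findings.append(f"dns: resolver {ip} is not in the expected set")
        elif line.startswith("Task:") and "=>" in line:
            target = line.split("=>", 1)[1].strip()
            if USER_WRITABLE.search(target):
                findings.append(f"task: program in user-writable path: {target}")
        elif line.startswith("FirewallRules:") and "(Allow)" in line:
            target = line.split("(Allow)", 1)[1].strip()
            if USER_WRITABLE.search(target):
                findings.append(f"firewall: allow rule for user-writable path: {target}")
        elif section == "Hosts content:":
            # Skip FRST's own "(...)" note and the hosts file timestamp line.
            if line and not line.startswith("(") and not re.match(r"\d{4}-\d{2}-\d{2} ", line) \
                    and not BENIGN_HOSTS.match(line):
                findings.append(f"hosts: non-loopback entry: {line}")
        elif "EnableLUA: 0" in line:
            findings.append("uac: EnableLUA is 0, UAC is off")
        elif DEFENDER_POLICY.search(line):
            findings.append("defender: DisableAntiSpyware policy is set to 1")
        elif NOT_RUNNING.match(line):
            findings.append(f"service: {NOT_RUNNING.match(line).group(1)} is not running")
        else:
            st = START_TYPE.search(line)
            if st and st.group(2) != st.group(3):
                findings.append(f"service: {st.group(1)} start type is {st.group(2)}, default is {st.group(3)}")
    return findings


# Constructed sample modelled on the lines posted in this thread (an FRST
# Addition.txt excerpt followed by an FSS excerpt); not a real log file.
SAMPLE_LOG = r"""
==================== Scheduled Tasks (Whitelisted) =============
Task: C:\WINDOWS\Tasks\GoogleUpdateTaskMachineCore.job => C:\Program Files\Google\Update\GoogleUpdate.exe
Task: C:\WINDOWS\Tasks\FacebookUpdateTaskUserS-1-5-21-1160702305-3582450622-2665941894-1000Core.job => C:\Users\Taliah\AppData\Local\Facebook\Update\FacebookUpdate.exe

==================== Hosts content: ===============================

(If needed Hosts: directive could be included in the fixlist to reset Hosts.)

2009-07-14 12:04 - 2014-04-09 10:59 - 00000027 ____A C:\WINDOWS\system32\Drivers\etc\hosts

127.0.0.1 localhost

==================== Other Areas ============================

DNS Servers: 198.142.235.14 - 211.29.132.12
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System => (ConsentPromptBehaviorAdmin: 5) (ConsentPromptBehaviorUser: 3) (EnableLUA: 1)

==================== FirewallRules (Whitelisted) ===============

FirewallRules: [{69F50ECD-6DCF-468F-B6EC-973F0973B254}] => (Allow) C:\Program Files\TeamViewer\Version8\TeamViewer.exe
FirewallRules: [{8B182900-4209-4FF6-A7F6-63939BEE96BB}] => (Allow) C:\Users\Taliah\AppData\Local\Facebook\Video\Skype\FacebookVideoCalling.exe

Windows Defender:
==============
WinDefend Service is not running. Checking service configuration:
The start type of WinDefend service is set to Demand. The default start type is Auto.
The ImagePath of WinDefend service is OK.

Windows Defender Disabled Policy:
==========================
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender]
"DisableAntiSpyware"=DWORD:1
"""

# Placeholder (assumption): put the resolver(s) your router/ISP should hand out here.
ASSUMED_EXPECTED_DNS = frozenset({"192.168.0.1"})

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG, ASSUMED_EXPECTED_DNS):
        print(finding)
```

    Run it against a saved Addition.txt or FSS.txt by reading the file into triage(). On the sample it reports the FacebookUpdate task and the FacebookVideoCalling firewall rule (both under AppData), the two resolvers that are not in the placeholder set, and the three Defender items FSS shows above; the Google and TeamViewer entries under Program Files and the loopback-only hosts file produce nothing. Whether a flagged item is actually bad still needs the reviewer, as broni's replies in this thread show.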
     
  9. 2016/03/29
    yoruga

    yoruga Well-Known Member Thread Starter

    Joined:
    2008/09/30
    Messages:
    144
    Likes Received:
    0
    Hi Broni, NO THREATS WERE found... there was no txt file and the Details button didn't work... that's when I used Sophos...
     
    Last edited: 2016/03/29
  10. 2016/03/29
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Your computer is clean

    1. This step will remove all the cleaning tools we used, reset restore points (so you won't get reinfected by accidentally using an older restore point) and make some other minor adjustments.
    This is a very crucial step so make sure you don't skip it.
    Download DelFix by Xplode to your desktop. DelFix will delete all the used tools and logfiles.

    Double-click Delfix.exe to start the tool.
    Make sure the following items are checked:
    • Activate UAC (optional; some users prefer to keep it off)
    • Remove disinfection tools
    • Create registry backup
    • Purge System Restore
    • Reset system settings
    Now click "Run" and wait patiently.
    Once finished a logfile will be created. You don't have to attach it to your next reply.

    2. Make sure Windows Updates are current.

    3. If any trojans, rootkits or bootkits were listed among your infection(s), make sure you change all of your important online passwords (bank account(s), secured web sites, etc.) immediately!

    4. Check if your browser plugins are up to date.
    Firefox - https://www.mozilla.org/en-US/plugincheck/
    other browsers: https://browsercheck.qualys.com/ (click on "Scan without installing plugin" and then on "Scan now")

    5. Download, and install WOT (Web OF Trust): http://www.mywot.com/. It'll warn you (in most cases) about dangerous web sites.

    6. Run Malwarebytes "Quick scan" once in a while to assure safety of your computer.

    7. Run Temporary File Cleaner (TFC), AdwCleaner and Junkware Removal Tool (JRT) weekly (you need to redownload these tools since they were removed by DelFix).

    8. Download and install Secunia Personal Software Inspector (PSI): http://secunia.com/vulnerability_scanning/personal/. The Secunia PSI is a FREE security tool designed to detect vulnerable and out-dated programs and plug-ins which expose your PC to attacks. Run it weekly.

    9. (optional) If you want to keep all your programs up to date, download and install FileHippo Update Checker.
    The Update Checker will scan your computer for installed software, check the versions and then send this information to FileHippo.com to see if there are any newer releases.

    10. When installing\updating ANY program, make sure you always select "Custom" installation, so you can UN-check any possible "drive-by-install" (foistware), like toolbars etc., which may try to install along with the legitimate program. Do NOT click the "Next" button without looking at any given page.

    11. Read:
    How did I get infected?, With steps so it does not happen again!: http://www.bleepingcomputer.com/forums/topic2520.html
    Simple and easy ways to keep your computer safe and secure on the Internet: http://www.bleepingcomputer.com/tutorials/keep-your-computer-safe-online/
    About those Toolbars and Add-ons - Potentially Unwanted Programs (PUPs) which change your browser settings: http://www.bleepingcomputer.com/for...curity-questions-best-practices/#entry3187642

    12. Please let me know how your computer is doing.
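An added post-cleanup check, not part of this thread, DelFix or FRST: it verifies from an elevated PowerShell prompt that UAC is back on after DelFix's "Activate UAC" option, that the system files FRST reported above as digitally signed still carry a valid signature, and how stale the last installed Windows update is. The 30-day threshold is an assumption chosen for illustration.

```powershell
# Added example (not from the thread, DelFix or FRST). Run as Administrator.
$results = [ordered]@{}

# 1. UAC: EnableLUA = 1 means User Account Control prompts are active again.
$uacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$uac = Get-ItemProperty -Path $uacKey -Name EnableLUA
$results['UAC enabled'] = ($uac.EnableLUA -eq 1)

# 2. Signature check on the same core files FRST listed as "digitally signed".
#    Caveat: these files are catalog-signed; on Windows 7 and older,
#    Get-AuthenticodeSignature may report NotSigned for catalog-signed files,
#    so a NotSigned result there is not proof of tampering (use FRST/sigcheck).
$systemFiles = @(
    "$env:SystemRoot\system32\ipnathlp.dll",
    "$env:SystemRoot\system32\iphlpsvc.dll",
    "$env:SystemRoot\system32\svchost.exe",
    "$env:SystemRoot\system32\rpcss.dll"
)
foreach ($file in $systemFiles) {
    $sig = Get-AuthenticodeSignature -FilePath $file
    # HashMismatch in particular means the file content no longer matches its signature.
    $results["Signed: $file"] = ($sig.Status -eq 'Valid')
}

# 3. Windows Update freshness: days since the most recent hotfix was installed.
#    Some entries have no InstalledOn date, so those are filtered out first.
$latest = Get-HotFix |
    Where-Object { $_.InstalledOn } |
    Sort-Object InstalledOn -Descending |
    Select-Object -First 1
$daysSinceUpdate = if ($latest) {
    (New-TimeSpan -Start $latest.InstalledOn -End (Get-Date)).Days
} else { $null }
$results['Days since last update'] = $daysSinceUpdate
# 30 days is an assumed threshold for "current"; adjust to your patch cadence.
$results['Updates current (<= 30 days)'] = ($null -ne $daysSinceUpdate -and $daysSinceUpdate -le 30)

# Print a pass/fail table; any False row is something to follow up on.
$results.GetEnumerator() | ForEach-Object {
    [pscustomobject]@{ Check = $_.Key; Result = $_.Value }
} | Format-Table -AutoSize
```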
     
  11. 2016/03/29
    yoruga

    yoruga Well-Known Member Thread Starter

    Joined:
    2008/09/30
    Messages:
    144
    Likes Received:
    0
    With the following programs :Temporary File Cleaner (TFC), AdwCleaner and Junkware Removal Tool, am I able to use the links you sent in the previous replies?

    Sounds like a stupid question... but I need to make sure....
     
  12. 2016/03/29
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Yes.

    12. Please let me know how your computer is doing.
     
  13. 2016/03/29
    yoruga

    yoruga Well-Known Member Thread Starter

    Joined:
    2008/09/30
    Messages:
    144
    Likes Received:
    0
    Ok, tried to download adwcleaner but to no avail.... suspicious item was detected on my antivirus....Woops... Quarantined it straight away....

    Okay so the message read the following:

    adwcleaner_5.107.exe
    Failed - Network error
     
    Last edited: 2016/03/29
  14. 2016/03/29
    yoruga

    yoruga Well-Known Member Thread Starter

    Joined:
    2008/09/30
    Messages:
    144
    Likes Received:
    0
    will run antimalware....
     
  15. 2016/03/29
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    This is false positive.
    Disable your AV program momentarily.
     
  16. 2016/03/29
    yoruga

    yoruga Well-Known Member Thread Starter

    Joined:
    2008/09/30
    Messages:
    144
    Likes Received:
    0
    oh ok.... anyway no threats were found so all gd
     
  17. 2016/03/29
    yoruga

    yoruga Well-Known Member Thread Starter

    Joined:
    2008/09/30
    Messages:
    144
    Likes Received:
    0
    Okay it starts a little slow at first.... I think I have probs with Avast subscriptions because it is on trial.... I purchased a year of subscription so I don't know what happened there..... besides that .... the computer is working fine..... WOOHOOOO!!!. now I have been scanning a lot lately especially adwareCl, Malware AB, and my antivirus..... so far so good...
     
  18. 2016/03/30
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Way to go!!
    Good luck and stay safe :)
     
