Posts posted by hall140
The laptop behaves fine. This morning Windows Ink Workspace was randomly enabled, which I had never seen. Then I noticed the reinfection.
There are 2 more entries from roguekiller on this laptop, should I delete them?
-
Alright, I disconnected the Ethernet cable from the infected PC (if it matters); then the router was reset.
I ran DNSjumper, rebooted.
FRST logs attached.
-
This is the log from the laptop; it has since been disconnected from wireless. I deleted the 2 PUM.dns entries I had previously deleted.
See the post above for the logs you requested from the PC.
-
This is the RogueKiller log from the other PC. It seems my laptop that we have been working on above was reinfected. I ran RogueKiller and the same IPs showed back up, and a couple of other entries. I'll transfer the log via USB and post it below so you can look at it.
-
While that is scanning, should I check the other PC on this network? I found that IP in the same place within the registry of the other PC as well.
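The question above (is the same resolver IP planted on the other PC too?) is answered by reading the same registry values on every machine on the network. The script below is an added example, not code from this thread or from RogueKiller/FRST: it audits the per-interface NameServer and DhcpNameServer values (the location RogueKiller reports as PUM.DNS), the global NameServer override, the resolver list the DNS client is actually using, and the hosts file, and reports anything not on an allow-list. The allow-list (192.168.1.1 as the only legitimate resolver) and the expectation of a comment-only hosts file are assumptions; edit them for your network.

```powershell
# Added example, not code from the thread or from any of the tools named in it.
# Audits the places a DNS hijack persists on one Windows host:
#   - HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\NameServer (global override)
#   - ...\Tcpip\Parameters\Interfaces\{GUID}\NameServer and DhcpNameServer
#     (the registry values RogueKiller reports as PUM.DNS)
#   - the resolver list the DNS client is using right now
#   - the hosts file
# Assumptions (hypothetical, edit for your network): 192.168.1.1 is the router and the
# only legitimate resolver, and a clean hosts file contains only comments.

$AllowedDns  = @('192.168.1.1')
$TcpipParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
$Findings    = New-Object 'System.Collections.Generic.List[object]'

function Add-Finding([string]$Source, [string]$Value) {
    $Findings.Add([pscustomobject]@{ Source = $Source; Value = $Value })
}

function Test-ResolverList([string]$Source, [string]$Raw) {
    # NameServer is comma- or space-separated; DhcpNameServer is space-separated.
    if ([string]::IsNullOrWhiteSpace($Raw)) { return }
    foreach ($ip in ($Raw -split '[ ,]+' | Where-Object { $_ })) {
        if ($AllowedDns -notcontains $ip) { Add-Finding $Source $ip }
    }
}

# 1. Global value: when set it overrides every adapter's own resolver list.
$params = Get-ItemProperty -Path $TcpipParams -ErrorAction SilentlyContinue
Test-ResolverList 'Tcpip\Parameters\NameServer' $params.NameServer

# 2. Per-interface values: static (NameServer) and DHCP-supplied (DhcpNameServer).
Get-ChildItem -Path "$TcpipParams\Interfaces" -ErrorAction SilentlyContinue | ForEach-Object {
    $iface = Get-ItemProperty -Path $_.PSPath
    $guid  = $_.PSChildName
    Test-ResolverList "Interfaces\$guid\NameServer"     $iface.NameServer
    Test-ResolverList "Interfaces\$guid\DhcpNameServer" $iface.DhcpNameServer
}

# 3. Live view from the DNS client (DnsClient module, Windows 8 / Server 2012 and later).
Get-DnsClientServerAddress -AddressFamily IPv4 -ErrorAction SilentlyContinue | ForEach-Object {
    Test-ResolverList "adapter '$($_.InterfaceAlias)'" ($_.ServerAddresses -join ' ')
}

# 4. hosts file: every active (non-blank, non-comment) line is reported.
$hostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
Get-Content -Path $hostsPath -ErrorAction SilentlyContinue |
    Where-Object { $_.Trim() -ne '' -and -not $_.TrimStart().StartsWith('#') } |
    ForEach-Object { Add-Finding 'hosts' $_.Trim() }

if ($Findings.Count -eq 0) {
    Write-Output 'No resolver or hosts-file entries outside the allow-list.'
} else {
    $Findings | Format-Table -AutoSize
    exit 1
}
```

Run it from an elevated PowerShell on each machine that shares the network. Where a hit shows up under DhcpNameServer on a machine that was just cleaned, the rogue resolver is being handed out by the DHCP server (normally the router), so cleaning the PC alone will not hold; that is why resetting the router matters in a case like this one. Networks that legitimately use ISP or corporate resolvers need those addresses added to the allow-list first.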
-
At least I don't think so....
-
C:\Windows\System32\Drivers\etc\hosts => moved successfully
Hosts restored successfully.

=========== EmptyTemp: ==========
BITS transfer queue => 0 B
DOMStore, IE Recovery, AppCache, Feeds Cache, Thumbcache, IconCache => 11671766 B
Java, Flash, Steam htmlcache => 543 B
Windows/system/drivers => 2937016 B
Edge => 211 B
Chrome => 360107860 B
Firefox => 106535559 B
Opera => 0 B

Temp, IE cache, history, cookies, recent:
Default => 0 B
Users => 0 B
ProgramData => 0 B
Public => 0 B
systemprofile => 0 B
systemprofile32 => 0 B
LocalService => 21322 B
NetworkService => 0 B
defaultuser0 => 128 B
Bryan => 57737431 B
RecycleBin => 305669778 B

EmptyTemp: => 805.6 MB temporary data Removed.

================================
The system needed a reboot.

==== End of Fixlog 18:15:04 ====
-
Thank you Kevin, I appreciate your time and help. I didn't find anything.
-
Malwarebytes scan log:
Malwarebytes
www.malwarebytes.com

-Log Details-
Scan Date: 4/29/17
Scan Time: 6:24 PM
Logfile: log11.txt
Administrator: Yes

-Software Information-
Version: 3.0.6.1469
Components Version: 1.0.103
Update Package Version: 1.0.1837
License: Premium

-System Information-
OS: Windows 10
CPU: x64
File System: NTFS
User: DESKTOP-DESVS04\Bryan

-Scan Summary-
Scan Type: Threat Scan
Result: Completed
Objects Scanned: 370346
Time Elapsed: 3 min, 3 sec

-Scan Options-
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled

-Scan Details-
Process: 0
(No malicious items detected)
Module: 0
(No malicious items detected)
Registry Key: 0
(No malicious items detected)
Registry Value: 0
(No malicious items detected)
Registry Data: 0
(No malicious items detected)
Data Stream: 0
(No malicious items detected)
Folder: 0
(No malicious items detected)
File: 0
(No malicious items detected)
Physical Sector: 0
(No malicious items detected)
(end)

AdwCleaner Log:
# AdwCleaner v6.046 - Logfile created 29/04/2017 at 18:37:04
# Updated on 24/04/2017 by Malwarebytes
# Database : 2017-04-29.1 [Server]
# Operating System : Windows 10 Home (X64)
# Username : Bryan - DESKTOP-DESVS04
# Running from : C:\Users\Bryan\Downloads\adwcleaner_6.046.exe
# Mode: Scan
# Support : https://www.malwarebytes.com/support

***** [ Services ] *****
No malicious services found.

***** [ Folders ] *****
No malicious folders found.

***** [ Files ] *****
No malicious files found.

***** [ DLL ] *****
No malicious DLLs found.

***** [ WMI ] *****
No malicious keys found.

***** [ Shortcuts ] *****
No infected shortcut found.

***** [ Scheduled Tasks ] *****
No malicious task found.

***** [ Registry ] *****
No malicious registry entries found.

***** [ Web browsers ] *****
No malicious Firefox based browser items found.
No malicious Chromium based browser items found.

*************************

C:\AdwCleaner\AdwCleaner[S0].txt - [999 Bytes] - [29/04/2017 18:37:04]

########## EOF - C:\AdwCleaner\AdwCleaner[S0].txt - [1071 Bytes] ##########
MSRT log:
---------------------------------------------------------------------------------------
Microsoft Windows Malicious Software Removal Tool v5.47, April 2017 (build 5.47.13703.0)
Started On Sat Apr 29 18:40:43 2017

Engine: 1.1.13601.0
Signatures: 1.239.313.0
Run Mode: Interactive Graphical Mode

Results Summary:
----------------
No infection found.
Successfully Submitted Heartbeat Report
Microsoft Windows Malicious Software Removal Tool Finished On Sat Apr 29 18:49:32 2017
Return code: 0 (0x0)
-
I've had a couple of accounts compromised; both used an identical password. I'm unsure how the password was stolen, but I want to rule out possible backdoors / trojans. I did a fresh reformat a few months ago but have since had another account compromised (I forgot to change the password and little harm was done). I'm unsure how my data was being stolen. I suspect a man-in-the-middle attack, but I'd like to ensure I don't have any back doors.
I started a thread a few days ago but no one responded.
-
Sorry, I forgot to upload the other file.
-
I've had a couple of accounts compromised; both used an identical password. I'm unsure how the password was stolen, but I want to rule out possible backdoors / trojans. I did a fresh reformat a few months ago but have since had another account compromised (I forgot to change the password and little harm was done). I'm unsure how my data was being stolen. Perhaps packet sniffers? I don't know, not my area of expertise....
-
I was having an issue with web protection and exploit protection. I followed your directions in the pinned post; however, during the uninstall there was an error. I believe the error was a failure to completely uninstall, or a portion failed to uninstall. Anyway, when I try to install Malwarebytes now, I get the error shown in the attached image. Help would be appreciated.
Thanks,
Bryan
-
Hey Mr Charlie, sorry to bother you again. I was having trouble deleting ComboFix, so I did as you suggested and renamed it uninstall.exe and double-clicked it. However, this didn't uninstall ComboFix; it ran through the scan process again, which was blocked by McAfee. If I remember correctly it got to completed stage 2 before McAfee quarantined a file and it stopped. I closed the DOS window and rebooted and was finally successful with the uninstall. I did everything else as you suggested and the PC is working fine. Is this anything to worry about?
-
My subscription to McAfee ends today and I will not be renewing. It's expensive and I don't appreciate their auto-renewal service. What would you recommend for firewall and antivirus service?
-
I had to reboot for this to work. Here it is:
Results of screen317's Security Check version 0.99.54
Windows 7 Service Pack 1 x64 (UAC is enabled)
Internet Explorer 9
``````````````Antivirus/Firewall Check:``````````````
Windows Security Center service is not running! This report may not be accurate!
Windows Firewall Enabled!
McAfee Anti-Virus and Anti-Spyware
WMI entry may not exist for antivirus; attempting automatic update.
`````````Anti-malware/Other Utilities Check:`````````
Malwarebytes Anti-Malware version 1.65.1.1000
Java 7 Update 9
Adobe Flash Player 11.4.402.287
Mozilla Firefox (16.0.2)
Google Chrome 22.0.1229.96
````````Process Check: objlist.exe by Laurent````````
Malwarebytes Anti-Malware mbamservice.exe
Malwarebytes Anti-Malware mbamgui.exe
Malwarebytes' Anti-Malware mbamscheduler.exe
`````````````````System Health check`````````````````
Total Fragmentation on Drive C:
````````````````````End of Log``````````````````````
-
Alright here is the AdwCleaner log:
# AdwCleaner v2.006 - Logfile created 11/02/2012 at 11:46:20
# Updated 30/10/2012 by Xplode
# Operating system : Windows 7 Professional Service Pack 1 (64 bits)
# User : BB - BB-PC
# Boot Mode : Normal
# Running from : C:\Users\BB\Desktop\adwcleaner.exe
# Option [Delete]
***** [services] *****
***** [Files / Folders] *****
File Deleted : C:\Users\BB\AppData\Roaming\Mozilla\Firefox\Profiles\n2dawz11.default\searchplugins\Conduit.xml
Folder Deleted : C:\Program Files (x86)\Conduit
Folder Deleted : C:\Users\BB\AppData\Local\Conduit
Folder Deleted : C:\Users\BB\AppData\Local\Google\Chrome\User Data\Default\Extensions\ejpbbhjlbipncjklfjjaedaieimbmdda
Folder Deleted : C:\Users\BB\AppData\LocalLow\Conduit
***** [Registry] *****
Key Deleted : HKCU\Software\AppDataLow\Software
Key Deleted : HKCU\Software\Conduit
Key Deleted : HKCU\Software\Google\Chrome\Extensions\ejpbbhjlbipncjklfjjaedaieimbmdda
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\incredibar.com
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains\incredibar.com
Key Deleted : HKLM\SOFTWARE\Classes\Toolbar.CT3220468
Key Deleted : HKLM\Software\Conduit
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\incredibar.com
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains\incredibar.com
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{3C471948-F874-49F5-B338-4F214A2EE0B1}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Google\Chrome\Extensions\ejpbbhjlbipncjklfjjaedaieimbmdda
***** [internet Browsers] *****
-\\ Internet Explorer v9.0.8112.16421
Replaced : [HKCU\Software\Microsoft\Internet Explorer\Main - Start Page] = hxxp://search.conduit.com?SearchSource=10&ctid=CT3220468 --> hxxp://www.google.com
-\\ Mozilla Firefox v16.0.2 (en-US)
Profile name : default
File : C:\Users\BB\AppData\Roaming\Mozilla\Firefox\Profiles\n2dawz11.default\prefs.js
Deleted : user_pref("Smartbar.ConduitHomepagesList", "hxxp://search.conduit.com/?ctid=CT3220468&SearchSource=1[...]
Deleted : user_pref("Smartbar.ConduitSearchEngineList", "uTorrentControl_v2 Customized Web Search");
Deleted : user_pref("Smartbar.ConduitSearchUrlList", "hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT3220468[...]
Deleted : user_pref("Smartbar.keywordURLSelectedCTID", "CT3220468");
-\\ Google Chrome v [unable to get version]
File : C:\Users\BB\AppData\Local\Google\Chrome\User Data\Default\Preferences
[OK] File is clean.
*************************
AdwCleaner[s1].txt - [2647 octets] - [02/11/2012 11:46:20]
########## EOF - C:\AdwCleaner[s1].txt - [2707 octets] ##########
Here is mbam log:
Malwarebytes Anti-Malware (Trial) 1.65.1.1000
www.malwarebytes.org
Database version: v2012.11.02.08
Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 9.0.8112.16421
BB :: BB-PC [administrator]
Protection: Enabled
11/2/2012 11:56:50 AM
mbam-log-2012-11-02 (11-56-50).txt
Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM | P2P
Scan options disabled:
Objects scanned: 224127
Time elapsed: 27 second(s)
Memory Processes Detected: 0
(No malicious items detected)
Memory Modules Detected: 0
(No malicious items detected)
Registry Keys Detected: 0
(No malicious items detected)
Registry Values Detected: 0
(No malicious items detected)
Registry Data Items Detected: 0
(No malicious items detected)
Folders Detected: 0
(No malicious items detected)
Files Detected: 0
(No malicious items detected)
(end)
My PC is doing fine; I haven't had any more lockups/freezing since we started. Again, thank you for all the help; I do appreciate it. I suppose my PC is safe enough and I can quit using Character Map to type in my passwords.
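The AdwCleaner log above shows where a search hijacker of this kind lives: the IE Start Page value, Smartbar/Conduit prefs in the Firefox profile's prefs.js, and a Chrome extension folder plus its registry registration. The script below is an added example, not code from this thread or from AdwCleaner: it reads those same locations and flags any value matching a pattern list. The pattern (conduit, incredibar, smartbar) is an assumption seeded from the names in the log; the registry keys, file paths and JSON fields it reads are the standard ones for those browsers.

```powershell
# Added example, not code from the thread or from AdwCleaner. Inventories the browser
# settings the AdwCleaner log shows being cleaned (IE start/search pages, Firefox
# prefs.js, Chrome Preferences and extension folders) and flags values matching a
# pattern list. The pattern list is an assumption seeded from the hijacker names in the
# log; extend it for your own case. Run as the affected user, since HKCU and %APPDATA%
# are per-user.

$SuspectPattern = 'conduit|incredibar|smartbar'
$Findings = New-Object 'System.Collections.Generic.List[object]'

function Add-Finding([string]$Where, [string]$What) {
    $Findings.Add([pscustomobject]@{ Where = $Where; What = $What })
}

# Internet Explorer: start and search pages are plain registry strings.
foreach ($key in 'HKCU:\Software\Microsoft\Internet Explorer\Main',
                 'HKLM:\Software\Microsoft\Internet Explorer\Main') {
    $p = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    foreach ($name in 'Start Page', 'Default_Page_URL', 'Search Page') {
        $v = $p.$name
        if ($v -and $v -match $SuspectPattern) { Add-Finding "$key\$name" $v }
    }
}

# Firefox: each profile's prefs.js holds one user_pref("name", value); per line.
$ffProfiles = Join-Path $env:APPDATA 'Mozilla\Firefox\Profiles'
Get-ChildItem -Path $ffProfiles -Directory -ErrorAction SilentlyContinue | ForEach-Object {
    $profileName = $_.Name
    $prefs = Join-Path $_.FullName 'prefs.js'
    if (-not (Test-Path -Path $prefs)) { return }
    Select-String -Path $prefs -Pattern '^user_pref\("([^"]+)",\s*(.*)\);\s*$' | ForEach-Object {
        $name  = $_.Matches[0].Groups[1].Value
        $value = $_.Matches[0].Groups[2].Value.Trim('"')
        if ("$name=$value" -match $SuspectPattern) {
            Add-Finding "Firefox [$profileName] prefs.js" "$name = $value"
        }
    }
}

# Chrome: home/start-up pages in the Preferences JSON, plus installed extension names.
$chromeProfile = Join-Path $env:LOCALAPPDATA 'Google\Chrome\User Data\Default'
$prefsFile = Join-Path $chromeProfile 'Preferences'
if (Test-Path -Path $prefsFile) {
    try {
        $json = Get-Content -Path $prefsFile -Raw | ConvertFrom-Json
        $urls = @($json.homepage) + @($json.session.startup_urls)
        foreach ($u in ($urls | Where-Object { $_ })) {
            if ($u -match $SuspectPattern) { Add-Finding 'Chrome Preferences' $u }
        }
    } catch { Write-Warning "Could not parse $prefsFile : $_" }
}
Get-ChildItem -Path (Join-Path $chromeProfile 'Extensions') -Directory -ErrorAction SilentlyContinue |
    ForEach-Object {
        $id = $_.Name
        $manifest = Get-ChildItem -Path $_.FullName -Filter manifest.json -Recurse -ErrorAction SilentlyContinue |
                    Select-Object -First 1
        if (-not $manifest) { return }
        $name = (Get-Content -Path $manifest.FullName -Raw | ConvertFrom-Json).name
        if ("$id $name" -match $SuspectPattern) { Add-Finding "Chrome extension $id" $name }
    }

if ($Findings.Count -eq 0) {
    Write-Output 'No browser settings match the suspect pattern.'
} else {
    $Findings | Format-Table -AutoSize
    exit 1
}
```

Extension IDs do not contain the vendor name, so a known-bad ID such as the one in the log above has to be added to the pattern explicitly to be caught by ID rather than by manifest name. Because the check is a plain regex over settings, it is a quick re-verification after a cleanup, not a replacement for a scanner that also removes the registry registrations.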
-
Let's see, we had run several scans starting with RogueKiller, ListParts64, TDSSKiller, and finally ComboFix. You had informed me that all previous scans were clear. I had removed a few trojans prior to posting and "might" have gotten them all. To help jog your memory, you also wanted me to delete some P2P software, "uTorrent". Anyway, I had just finished running ComboFix. I do have the logs from the previous scans saved to a drive; if you need them, just ask.
Here is the log.
ComboFix 12-10-31.03 - BB 11/01/2012 15:53:06.1.4 - x64
Microsoft Windows 7 Professional 6.1.7601.1.1252.1.1033.18.16237.14101 [GMT -4:00]
Running from: c:\users\BB\Desktop\ComboFix.exe
AV: McAfee Anti-Virus and Anti-Spyware *Disabled/Updated* {ADA629C7-7F48-5689-624A-3B76997E0892}
FW: McAfee Firewall *Disabled* {959DA8E2-3527-57D1-4915-924367AD4FE9}
SP: McAfee Anti-Virus and Anti-Spyware *Disabled/Updated* {16C7C823-5972-5907-58FA-0004E2F9422F}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
* Created a new restore point
.
.
((((((((((((((((((((((((( Files Created from 2012-10-01 to 2012-11-01 )))))))))))))))))))))))))))))))
.
.
2012-11-01 19:55 . 2012-11-01 19:55 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-10-29 03:43 . 2012-10-29 03:43 -------- d-----w- c:\program files (x86)\VideoLAN
2012-10-29 03:39 . 2012-10-29 03:39 -------- d-----w- c:\program files (x86)\Hobbyist Software
2012-10-29 01:34 . 2012-10-29 01:34 -------- d-----w- c:\program files\GIGABYTE
2012-10-29 01:34 . 2012-03-08 13:53 22128 ----a-w- c:\windows\system32\drivers\AppleCharger.sys
2012-10-29 01:34 . 2010-04-06 20:30 31272 ----a-w- c:\windows\system32\AppleChargerSrv.exe
2012-10-28 04:22 . 2012-10-28 04:22 -------- d-----w- c:\program files (x86)\Google
2012-10-27 05:43 . 2012-10-27 05:43 -------- d-----w- c:\program files\Microsoft Silverlight
2012-10-27 05:43 . 2012-10-27 05:43 -------- d-----w- c:\program files (x86)\Microsoft Silverlight
2012-10-27 04:04 . 2010-07-08 08:32 22792 ----a-w- c:\windows\system32\drivers\SaiMini.sys
2012-10-27 04:03 . 2012-10-27 04:03 -------- d-----w- c:\program files\Saitek
2012-10-27 04:03 . 2012-10-27 04:03 -------- d-----w- c:\programdata\Saitek
2012-10-26 15:19 . 2012-10-26 15:19 -------- d-----w- C:\Brother
2012-10-26 15:19 . 2012-10-26 15:19 -------- d-----w- c:\program files (x86)\Browny02
2012-10-26 15:19 . 2010-08-03 00:57 217088 ----a-w- c:\windows\SysWow64\NSSearch.dll
2012-10-26 15:19 . 2010-03-15 23:56 2560 ----a-w- c:\windows\SysWow64\BrDctF2S.dll
2012-10-26 15:19 . 2010-03-15 23:45 73728 ----a-w- c:\windows\SysWow64\BrDctF2.dll
2012-10-26 15:19 . 2007-12-14 02:16 5120 ----a-w- c:\windows\SysWow64\BrDctF2L.dll
2012-10-26 15:19 . 2010-02-05 15:42 180224 ------w- c:\windows\SysWow64\BroSNMP.dll
2012-10-26 07:13 . 2012-10-26 07:13 -------- d-----w- c:\users\Default\AppData\Local\Microsoft Help
2012-10-26 07:01 . 2012-10-26 07:13 -------- d-----w- c:\program files (x86)\Microsoft Works
2012-10-26 07:01 . 2012-10-26 07:01 -------- d-----w- c:\windows\PCHEALTH
2012-10-26 06:58 . 2012-10-26 06:58 -------- d-----w- c:\program files\Microsoft Office
2012-10-26 06:58 . 2012-10-26 06:58 -------- d-----w- c:\program files (x86)\Microsoft Visual Studio 8
2012-10-26 06:36 . 2012-10-26 06:36 -------- d-sh--w- c:\windows\SysWow64\%APPDATA%
2012-10-26 03:42 . 2012-10-26 03:42 -------- d-----w- c:\program files (x86)\Common Files\Adobe
2012-10-26 03:24 . 2012-10-27 03:51 -------- d-----w- c:\programdata\Microsoft Help
2012-10-25 22:31 . 2012-10-25 22:31 -------- d-----w- c:\program files (x86)\Conduit
2012-10-24 19:03 . 2012-10-24 19:03 -------- d-----w- c:\programdata\Malwarebytes
2012-10-24 19:03 . 2012-09-29 23:54 25928 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-10-24 19:03 . 2012-10-24 19:03 -------- d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware
2012-10-24 09:10 . 2012-10-24 09:10 -------- d-----w- c:\windows\system32\appmgmt
2012-10-24 07:45 . 2012-10-24 07:45 -------- d-----w- c:\programdata\Apple
2012-10-24 05:13 . 2012-10-24 09:10 -------- d-----w- c:\programdata\Skype
2012-10-23 19:01 . 2011-09-14 10:16 32360 ----a-w- c:\windows\system32\drivers\ndisrd.sys
2012-10-22 21:46 . 2012-10-31 20:51 281520 ----a-w- c:\windows\SysWow64\PnkBstrB.xtr
2012-10-22 21:41 . 2012-10-22 21:41 -------- d-----w- c:\program files (x86)\Battlelog Web Plugins
2012-10-22 21:39 . 2012-10-24 20:33 -------- d-----w- c:\programdata\EA Logs
2012-10-22 21:39 . 2012-10-22 21:39 -------- d-----w- c:\programdata\EA Core
2012-10-22 19:10 . 2012-10-30 06:45 25640 ----a-w- c:\windows\etdrv.sys
2012-10-22 19:09 . 2012-10-30 06:43 30528 ----a-w- c:\windows\GVTDrv64.sys
2012-10-22 19:08 . 2012-10-22 19:08 -------- d--h--w- c:\program files (x86)\Common Files\EAInstaller
2012-10-22 19:08 . 2012-10-31 20:51 281520 ----a-w- c:\windows\SysWow64\PnkBstrB.exe
2012-10-22 19:08 . 2012-10-31 20:51 280904 ----a-w- c:\windows\SysWow64\PnkBstrB.ex0
2012-10-22 19:07 . 2012-10-24 20:37 76888 ----a-w- c:\windows\SysWow64\PnkBstrA.exe
2012-10-22 19:07 . 2008-10-15 10:22 5631312 ----a-w- c:\windows\system32\D3DX9_40.dll
2012-10-22 19:07 . 2008-10-15 10:22 519000 ----a-w- c:\windows\system32\d3dx10_40.dll
2012-10-22 19:07 . 2008-10-15 10:22 452440 ----a-w- c:\windows\SysWow64\d3dx10_40.dll
2012-10-22 19:07 . 2008-10-15 10:22 4379984 ----a-w- c:\windows\SysWow64\D3DX9_40.dll
2012-10-22 19:07 . 2008-10-15 10:22 2605920 ----a-w- c:\windows\system32\D3DCompiler_40.dll
2012-10-22 19:07 . 2008-10-15 10:22 2036576 ----a-w- c:\windows\SysWow64\D3DCompiler_40.dll
2012-10-22 18:18 . 2012-10-22 21:39 -------- d-----w- c:\programdata\Electronic Arts
2012-10-22 18:18 . 2012-10-22 18:21 -------- d-----w- c:\program files (x86)\Origin Games
2012-10-22 18:18 . 2012-10-22 18:21 -------- d-----w- c:\programdata\Origin
2012-10-22 18:18 . 2012-10-27 16:04 -------- d-----w- c:\program files (x86)\Origin
2012-10-22 18:07 . 2012-10-26 15:19 -------- d-----w- c:\program files (x86)\Brother
2012-10-22 18:06 . 2012-10-22 18:11 -------- d-----w- c:\programdata\Brother
2012-10-22 18:03 . 2012-10-29 01:34 -------- d-----w- c:\program files (x86)\GIGABYTE
2012-10-22 18:03 . 2012-10-30 06:45 25640 ----a-w- c:\windows\gdrv.sys
2012-10-22 17:53 . 2012-10-22 17:53 -------- d-----w- c:\program files\7-Zip
2012-10-22 17:38 . 2012-10-31 22:58 -------- d-----w- c:\program files (x86)\EVGA Precision X
2012-10-22 09:52 . 2012-10-22 09:52 -------- d-sh--w- c:\windows\system32\%APPDATA%
2012-10-22 09:50 . 2012-10-22 17:33 -------- d-----w- c:\program files (x86)\Razer
2012-10-22 09:50 . 2012-10-22 09:50 -------- d-----w- c:\programdata\Razer
2012-10-22 09:45 . 2008-10-27 14:04 518480 ----a-w- c:\windows\system32\XAudio2_3.dll
2012-10-22 09:32 . 2012-10-22 09:32 -------- d-----w- c:\program files (x86)\SystemRequirementsLab
2012-10-22 09:32 . 2012-10-22 09:32 -------- d-----w- c:\program files (x86)\Common Files\Java
2012-10-22 09:31 . 2012-10-22 09:31 821736 ----a-w- c:\windows\SysWow64\npDeployJava1.dll
2012-10-22 09:31 . 2012-10-22 09:31 746984 ----a-w- c:\windows\SysWow64\deployJava1.dll
2012-10-22 09:31 . 2012-10-22 09:31 95208 ----a-w- c:\windows\SysWow64\WindowsAccessBridge-32.dll
2012-10-22 09:31 . 2012-10-22 09:31 -------- d-----w- c:\program files (x86)\Java
2012-10-22 09:08 . 2012-10-22 09:08 73656 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2012-10-22 09:08 . 2012-10-22 09:08 696760 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe
2012-10-22 09:08 . 2012-10-22 09:08 -------- d-----w- c:\windows\SysWow64\Macromed
2012-10-22 09:08 . 2012-10-22 09:08 -------- d-----w- c:\windows\system32\Macromed
2012-10-22 06:52 . 2012-10-22 02:57 -------- d-----w- c:\windows\Panther
2012-10-22 06:43 . 2012-10-30 20:30 -------- d-----w- c:\windows\Downloaded Program Files
2012-10-22 05:16 . 2012-10-22 05:21 -------- d-----w- c:\program files (x86)\Samsung SSD Magician
2012-10-22 05:16 . 2012-10-22 05:16 -------- d-----w- c:\programdata\Samsung
2012-10-22 05:09 . 2012-04-20 20:40 196440 ----a-w- c:\windows\system32\drivers\HipShieldK.sys
2012-10-22 05:09 . 2012-09-14 20:26 73096 ----a-w- c:\windows\system32\drivers\McPvDrv.sys
2012-10-22 05:09 . 2012-10-22 05:09 -------- d-----w- c:\program files (x86)\Common Files\McAfee
2012-10-22 05:09 . 2012-07-17 18:51 10288 ----a-w- c:\windows\system32\drivers\mfeclnk.sys
2012-10-22 05:09 . 2012-07-17 18:55 69672 ----a-w- c:\windows\system32\drivers\cfwids.sys
2012-10-22 05:09 . 2012-07-17 18:51 106112 ----a-w- c:\windows\system32\drivers\mferkdet.sys
2012-10-22 05:09 . 2012-07-17 18:49 513456 ----a-w- c:\windows\system32\drivers\mfefirek.sys
2012-10-22 05:09 . 2012-07-17 18:48 300392 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2012-10-22 05:09 . 2012-10-22 05:09 -------- d-----w- c:\program files\Common Files\McAfee
2012-10-22 05:09 . 2012-10-22 05:09 -------- d-----w- c:\program files\McAfee
2012-10-22 05:09 . 2012-10-22 23:31 -------- d-----w- c:\program files (x86)\McAfee
2012-10-22 05:01 . 2012-07-17 18:52 177144 ----a-w- c:\windows\system32\mfevtps.exe
2012-10-22 05:01 . 2012-10-24 09:00 -------- d-----w- c:\programdata\McAfee
2012-10-22 04:45 . 2012-10-24 19:01 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2012-10-22 04:42 . 2012-10-28 02:51 -------- d-----w- c:\program files (x86)\Mozilla Maintenance Service
2012-10-22 04:17 . 2012-10-26 07:01 -------- d-----w- c:\program files (x86)\Microsoft.NET
2012-10-22 04:07 . 2012-10-22 04:07 -------- d-----w- c:\windows\SysWow64\Wat
2012-10-22 04:07 . 2012-10-22 04:07 -------- d-----w- c:\windows\system32\Wat
2012-10-22 04:06 . 2012-05-04 11:00 366592 ----a-w- c:\windows\system32\qdvd.dll
2012-10-22 04:06 . 2012-05-04 09:59 514560 ----a-w- c:\windows\SysWow64\qdvd.dll
2012-10-22 04:00 . 2012-09-28 04:18 65309168 ----a-w- c:\windows\system32\MRT.exe
2012-10-22 03:49 . 2012-10-17 06:31 9291768 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{DBCDE71F-3EB4-4583-B021-127C4A23CFC5}\mpengine.dll
2012-10-22 03:48 . 2012-03-01 06:46 23408 ----a-w- c:\windows\system32\drivers\fs_rec.sys
2012-10-22 03:48 . 2012-03-01 06:33 81408 ----a-w- c:\windows\system32\imagehlp.dll
2012-10-22 03:48 . 2012-03-01 06:28 5120 ----a-w- c:\windows\system32\wmi.dll
2012-10-22 03:48 . 2012-03-01 05:33 159232 ----a-w- c:\windows\SysWow64\imagehlp.dll
2012-10-22 03:48 . 2012-03-01 05:29 5120 ----a-w- c:\windows\SysWow64\wmi.dll
2012-10-22 03:46 . 2011-10-15 06:31 723456 ----a-w- c:\windows\system32\EncDec.dll
2012-10-22 03:46 . 2011-10-15 05:38 534528 ----a-w- c:\windows\SysWow64\EncDec.dll
2012-10-22 03:39 . 2012-10-22 03:39 -------- d-----w- c:\programdata\Intel
2012-10-22 03:33 . 2012-02-17 06:38 1031680 ----a-w- c:\windows\system32\rdpcore.dll
2012-10-22 03:33 . 2012-02-17 05:34 826880 ----a-w- c:\windows\SysWow64\rdpcore.dll
2012-10-22 03:33 . 2012-02-17 04:57 23552 ----a-w- c:\windows\system32\drivers\tdtcp.sys
2012-10-22 03:32 . 2012-11-01 15:10 -------- d-----w- c:\programdata\NVIDIA
2012-10-22 03:32 . 2012-10-22 04:07 -------- d-----w- c:\users\UpdatusUser
2012-10-22 03:32 . 2012-10-02 19:51 3536817 ----a-w- c:\windows\system32\nvcoproc.bin
2012-10-22 03:32 . 2012-10-02 19:51 3293544 ----a-w- c:\windows\system32\nvsvc64.dll
2012-10-22 03:32 . 2012-10-02 19:51 6200680 ----a-w- c:\windows\system32\nvcpl.dll
2012-10-22 03:32 . 2012-10-02 19:50 891240 ----a-w- c:\windows\system32\nvvsvc.exe
2012-10-22 03:32 . 2012-10-02 19:50 63336 ----a-w- c:\windows\system32\nvshext.dll
2012-10-22 03:32 . 2012-10-02 19:50 2557800 ----a-w- c:\windows\system32\nvsvcr.dll
2012-10-22 03:32 . 2012-10-02 19:50 118120 ----a-w- c:\windows\system32\nvmctray.dll
2012-10-22 03:32 . 2012-10-22 03:32 -------- d-----w- c:\programdata\NVIDIA Corporation
2012-10-22 03:32 . 2012-10-22 03:32 -------- d-----w- c:\program files (x86)\NVIDIA Corporation
2012-10-22 03:26 . 2012-08-07 07:09 88832 ----a-w- c:\windows\system32\drivers\EtronXHCI.sys
2012-10-22 03:26 . 2012-08-07 07:09 65152 ----a-w- c:\windows\system32\drivers\EtronHub3.sys
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-10-02 17:15 . 2012-10-02 17:15 430952 ----a-w- c:\windows\SysWow64\nvStreaming.exe
2012-09-12 08:33 . 2012-09-12 08:33 2782848 ----a-w- c:\windows\system32\drivers\kinonivd.sys
2012-09-12 08:33 . 2012-09-12 08:33 23040 ----a-w- c:\windows\system32\drivers\kinonivad.sys
2012-08-20 17:38 . 2012-10-22 03:47 44032 ----a-w- c:\windows\apppatch\acwow64.dll
2012-08-17 07:01 . 2012-08-17 07:01 112640 ----a-w- c:\windows\system32\drivers\rzudd.sys
2012-08-17 07:01 . 2012-08-17 07:01 22016 ----a-w- c:\windows\system32\drivers\rzendpt.sys
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"EADM"="c:\program files (x86)\Origin\Origin.exe" [2012-10-27 3389080]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"Dolby Home Theater v4"="c:\program files (x86)\Dolby Home Theater v4\pcee4.exe" [2012-04-23 507744]
"mcui_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2012-09-12 1535112]
"Razer Synapse"="c:\program files (x86)\Razer\Synapse\RzSynapse.exe" [2012-10-11 336304]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-09-24 926896]
"GrooveMonitor"="s:\program files (x86)\Microsoft Office\Office12\GrooveMonitor.exe" [2009-02-26 30040]
"BrStsMon00"="c:\program files (x86)\Browny02\Brother\BrStMonW.exe" [2010-06-10 2621440]
.
c:\users\BB\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
EVGA Precision X.lnk - c:\program files (x86)\EVGA Precision X\EVGAPrecision.exe [2012-10-17 553800]
Samsung SSD Magician.lnk - c:\program files (x86)\Samsung SSD Magician\Samsung SSD Magician.exe [2012-10-22 2056192]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\windows]
"LoadAppInit_DLLs"=0 (0x0)
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
.
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R2 gupdate;Google Update Service (gupdate);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2012-10-28 116648]
R2 MBAMService;MBAMService;c:\program files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2012-09-29 676936]
R3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-10-22 250808]
R3 ALSysIO;ALSysIO;c:\users\BB\AppData\Local\Temp\ALSysIO64.sys [x]
R3 AppleChargerSrv;AppleChargerSrv;c:\windows\system32\AppleChargerSrv.exe [2010-04-06 31272]
R3 BrYNSvc;BrYNSvc;c:\program files (x86)\Browny02\BrYNSvc.exe [2010-01-25 245760]
R3 cphs;Intel® Content Protection HECI Service;c:\windows\SysWow64\IntelCpHeciSvc.exe [2012-10-10 277024]
R3 dmvsc;dmvsc;c:\windows\system32\drivers\dmvsc.sys [2010-11-21 71168]
R3 etdrv;etdrv;c:\windows\etdrv.sys [2012-10-30 25640]
R3 gupdatem;Google Update Service (gupdatem);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2012-10-28 116648]
R3 GVTDrv64;GVTDrv64;c:\windows\GVTDrv64.sys [2012-10-30 30528]
R3 HipShieldK;McAfee Inc. HipShieldK;c:\windows\system32\drivers\HipShieldK.sys [2012-04-20 196440]
R3 KINONI_Wave;Kinoni Audio Source;c:\windows\system32\drivers\kinonivad.sys [2012-09-12 23040]
R3 kinonivd;Kinoni Video Source;c:\windows\system32\DRIVERS\kinonivd.sys [2012-09-12 2782848]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2012-09-29 25928]
R3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2012-07-17 106112]
R3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files (x86)\Mozilla Maintenance Service\maintenanceservice.exe [2012-10-27 115168]
R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys [2012-08-23 19456]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2012-08-23 57856]
R3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys [2012-08-23 30208]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2012-10-22 1255736]
S0 iaStorA;iaStorA;c:\windows\system32\DRIVERS\iaStorA.sys [2012-08-16 645952]
S0 iaStorF;iaStorF;c:\windows\system32\DRIVERS\iaStorF.sys [2012-08-16 27456]
S0 McPvDrv;McPvDrv Driver;c:\windows\system32\drivers\McPvDrv.sys [2012-09-14 73096]
S0 mfewfpk;McAfee Inc. mfewfpk;c:\windows\system32\drivers\mfewfpk.sys [2012-07-17 335784]
S1 AppleCharger;AppleCharger;c:\windows\system32\DRIVERS\AppleCharger.sys [2012-03-08 22128]
S1 ndisrd;WinpkFilter LightWeight Filter;c:\windows\system32\DRIVERS\ndisrd.sys [2011-09-14 32360]
S2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe [2012-09-24 65192]
S2 MBAMScheduler;MBAMScheduler;c:\program files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe [2012-09-29 399432]
S2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\Common Files\McAfee\McSvcHost\McSvHost.exe [2012-08-31 201304]
S2 McMPFSvc;McAfee Personal Firewall Service;c:\program files\Common Files\McAfee\McSvcHost\McSvHost.exe [2012-08-31 201304]
S2 McNaiAnn;McAfee VirusScan Announcer;c:\program files\Common Files\McAfee\McSvcHost\McSvHost.exe [2012-08-31 201304]
S2 mfefire;McAfee Firewall Core Service;c:\program files\Common Files\McAfee\SystemCore\\mfefire.exe [2012-07-17 218320]
S2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [2012-07-17 177144]
S2 nvUpdatusService;NVIDIA Update Service Daemon;c:\program files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe [2012-10-02 1258856]
S2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [2012-10-02 382824]
S2 UNS;Intel® Management and Security Application User Notification Service;c:\program files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe [2011-08-08 2656536]
S3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [2012-07-17 69672]
S3 EtronHub3;Etron USB 3.0 Extensible Hub Driver;c:\windows\system32\Drivers\EtronHub3.sys [2012-08-07 65152]
S3 EtronXHCI;Etron USB 3.0 Extensible Host Controller Driver;c:\windows\system32\Drivers\EtronXHCI.sys [2012-08-07 88832]
S3 IntcDAud;Intel® Display Audio;c:\windows\system32\DRIVERS\IntcDAud.sys [2011-12-06 331264]
S3 MEIx64;Intel® Management Engine Interface;c:\windows\system32\DRIVERS\HECIx64.sys [2010-10-19 56344]
S3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [2012-07-17 513456]
S3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda64v.sys [2012-07-03 189288]
S3 RTCore64;RTCore64;c:\program files (x86)\EVGA Precision X\RTCore64.sys [2012-10-17 15176]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys [2011-09-29 646248]
S3 rzendpt;rzendpt;c:\windows\system32\DRIVERS\rzendpt.sys [2012-08-17 22016]
S3 rzudd;Razer Mouse Driver;c:\windows\system32\DRIVERS\rzudd.sys [2012-08-17 112640]
S3 SaiK0836;SaiK0836;c:\windows\system32\DRIVERS\SaiK0836.sys [2010-06-17 172040]
.
.
--- Other Services/Drivers In Memory ---
.
*Deregistered* - mfeavfk01
.
Contents of the 'Scheduled Tasks' folder
.
2012-11-01 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-10-22 09:08]
.
2012-11-01 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2012-10-28 04:22]
.
2012-11-01 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2012-10-28 04:22]
.
2012-11-01 c:\windows\Tasks\RtlLanOptimizerVistaStart.job
- c:\program files (x86)\Realtek\LanOptimizer\LanOptimizer.exe [2012-10-23 08:05]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDVCPL"="c:\program files\Realtek\Audio\HDA\RAVCpl64.exe" [2012-06-11 12503184]
"RtHDVBg_Dolby"="c:\program files\Realtek\Audio\HDA\RAVBg64.exe" [2012-06-13 1212560]
"ProfilerU"="c:\program files\Saitek\SD6\Software\ProfilerU.exe" [2010-07-07 310272]
"SaiMfd"="c:\program files\Saitek\SD6\Software\SaiMfd.exe" [2010-07-07 158208]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2012-10-10 171040]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2012-10-10 399392]
"Persistence"="c:\windows\system32\igfxpers.exe" [2012-10-10 441888]
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = hxxp://search.conduit.com?SearchSource=10&ctid=CT3220468
mLocal Page = c:\windows\SysWOW64\blank.htm
IE: E&xport to Microsoft Excel - s:\progra~1\MICROS~1\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.1.1
FF - ProfilePath - c:\users\BB\AppData\Roaming\Mozilla\Firefox\Profiles\n2dawz11.default\
FF - prefs.js: browser.startup.homepage - www.google.com
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=mcafee&p=
FF - ExtSQL: 2012-10-22 01:12; {4ED1F68A-5463-4931-9384-8FFF5ED91D92}; c:\program files (x86)\McAfee\SiteAdvisor
FF - ExtSQL: 2012-10-23 10:53; {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}; c:\users\BB\AppData\Roaming\Mozilla\Firefox\Profiles\n2dawz11.default\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}.xpi
FF - ExtSQL: 2012-10-23 10:53; {3d7eb24f-2740-49df-8937-200b1cc08f8a}; c:\users\BB\AppData\Roaming\Mozilla\Firefox\Profiles\n2dawz11.default\extensions\{3d7eb24f-2740-49df-8937-200b1cc08f8a}.xpi
FF - ExtSQL: 2012-10-23 10:56; {AE93811A-5C9A-4d34-8462-F7B864FC4696}; c:\users\BB\AppData\Roaming\Mozilla\Firefox\Profiles\n2dawz11.default\extensions\{AE93811A-5C9A-4d34-8462-F7B864FC4696}.xpi
.
- - - - ORPHANS REMOVED - - - -
.
URLSearchHooks-{7473b6bd-4691-4744-a82b-7854eb3d70b6} - (no file)
Wow6432Node-HKLM-Run-<NO NAME> - (no file)
SafeBoot-17430523.sys
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\VideoLAN.VLCPlugin.*1*]
@="?????????????????? v1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\VideoLAN.VLCPlugin.*1*\CLSID]
@="{E23FE9C6-778E-49D4-B537-38FCDE4887D8}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\VideoLAN.VLCPlugin.*2*]
@="?????????????????? v2"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\VideoLAN.VLCPlugin.*2*\CLSID]
@="{9BE31822-FDAD-461B-AD51-BE1D1C159921}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\McAfee]
"SymbolicLinkValue"=hex(6):5c,00,72,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
00,5c,00,6d,00,61,00,63,00,68,00,69,00,6e,00,65,00,5c,00,53,00,6f,00,66,00,\
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2012-11-01 15:56:18
ComboFix-quarantined-files.txt 2012-11-01 19:56
.
Pre-Run: 174,193,786,880 bytes free
Post-Run: 174,075,535,360 bytes free
.
- - End Of File - - 4F8BCC5566C9521FCC797FF0AF8DF590
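The `TCP: DhcpNameServer` line in the ComboFix log above is read from the same `Tcpip\Parameters` registry location that anti-malware tools inspect for DNS hijacks. As an added example (not code from the original post, and not part of ComboFix or RogueKiller), the PowerShell snippet below enumerates the `NameServer` and `DhcpNameServer` values on the global key and on every per-interface key, flags any resolver not on an allowlist, and compares the result with what the DNS client is using right now. The allowlist is a hypothetical assumption; replace it with the router and resolvers actually expected on the LAN. Run it from an elevated prompt.

```powershell
# Added example, not code from the original post or from RogueKiller/ComboFix.
# Audits the Tcpip\Parameters DNS values those tools report (NameServer / DhcpNameServer)
# on the global key and on every per-interface key, and flags resolvers not in an allowlist.
# The allowlist default is a hypothetical assumption: put the LAN router and the resolvers
# you actually expect in it.

function Test-DnsServerSettings {
    param(
        [string[]]$Allowed = @('192.168.1.1')   # assumption: only the router should hand out DNS
    )

    # CurrentControlSet is a link to the active control set (usually ControlSet001,
    # which is the path RogueKiller prints).
    $base = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
    $keys = @($base) + @(Get-ChildItem -Path "$base\Interfaces" -ErrorAction SilentlyContinue |
                         ForEach-Object { $_.PSPath })

    foreach ($key in $keys) {
        $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        if (-not $props) { continue }

        foreach ($name in 'NameServer', 'DhcpNameServer') {
            $raw = $props.$name
            if ([string]::IsNullOrWhiteSpace($raw)) { continue }

            # Both values hold one or more addresses separated by spaces or commas.
            foreach ($server in ($raw -split '[ ,]+' | Where-Object { $_ })) {
                [pscustomobject]@{
                    Status = if ($Allowed -contains $server) { 'ok' } else { 'UNEXPECTED' }
                    Value  = $name   # DhcpNameServer came from the DHCP server; NameServer is a static override
                    Server = $server
                    Key    = $key -replace '^.*Tcpip\\Parameters', 'Tcpip\Parameters'
                }
            }
        }
    }
}

# Registry view: everything the scanners above would see, unexpected resolvers listed first.
Test-DnsServerSettings | Sort-Object Status -Descending | Format-Table -AutoSize

# Live view for comparison: what the DNS client is actually using on each interface.
Get-DnsClientServerAddress -AddressFamily IPv4 |
    Where-Object { $_.ServerAddresses } |
    Select-Object InterfaceAlias, ServerAddresses
```

The distinction between the two values matters when deciding where to clean. A rogue address under `DhcpNameServer` was handed out by the DHCP server, normally the router, so replacing the registry value only lasts until the next lease renewal; the router (or whatever is answering DHCP on the LAN) is what has to be fixed. A rogue address under `NameServer` is a static override on the machine itself and points at local tampering.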

Account passwords stolen
in Resolved Malware Removal Logs
Posted
Can I delete both PUM.StartMenu?
RogueKiller V12.10.7.0 (x64) [May 1 2017] (Free) by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : https://forum.adlice.com
Website : http://www.adlice.com/download/roguekiller/
Blog : http://www.adlice.com
Operating System : Windows 10 (10.0.14393) 64 bits version
Started in : Normal mode
User : Bryan [Administrator]
Started from : C:\Program Files\RogueKiller\RogueKiller64.exe
Mode : Delete -- Date : 05/01/2017 12:19:07 (Duration : 00:19:09)
¤¤¤ Processes : 0 ¤¤¤
¤¤¤ Registry : 4 ¤¤¤
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters | DhcpNameServer : 172.18.11.1 ([]) -> Replaced ()
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{be9b44c8-be9e-48c9-93ca-6ff935b40049} | DhcpNameServer : 172.18.11.1 ([]) -> Replaced ()
[PUM.StartMenu] (X64) HKEY_USERS\S-1-5-21-1332302035-2113573720-2638189068-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_TrackProgs : 0 -> Not selected
[PUM.StartMenu] (X86) HKEY_USERS\S-1-5-21-1332302035-2113573720-2638189068-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_TrackProgs : 0 -> Not selected
¤¤¤ Tasks : 0 ¤¤¤
¤¤¤ Files : 0 ¤¤¤
¤¤¤ WMI : 0 ¤¤¤
¤¤¤ Hosts File : 0 ¤¤¤
¤¤¤ Antirootkit : 0 (Driver: Loaded) ¤¤¤
¤¤¤ Web browsers : 0 ¤¤¤
¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: SK hynix SH920 mSATA 128GB +++++
--- User ---
[MBR] b224d69bf1a5eb7129ae4076bb1d9402
[BSP] b13aa31d14056dfac65d48caf3d6b181 : Empty|VT.Unknown MBR Code
Partition table:
0 - [SYSTEM][MAN-MOUNT] Basic data partition | Offset (sectors): 2048 | Size: 450 MB
1 - [MAN-MOUNT] EFI system partition | Offset (sectors): 923648 | Size: 100 MB
2 - [MAN-MOUNT] Microsoft reserved partition | Offset (sectors): 1128448 | Size: 16 MB
3 - Basic data partition | Offset (sectors): 1161216 | Size: 121537 MB
User = LL1 ... OK
User = LL2 ... OK