scut1

Everything posted by scut1

  1. Hi Arthi, thanks for the guidance. At my end, turning off "Detect penetration testing attacks" will not trigger the block. Interestingly, turning it back on again afterwards does not trigger the block either. It appears that any change in settings or behavior (e.g. turning the protection off and then on again) disables the block, even if you then re-establish the pre-existing conditions that were causing the block in the first place. Hope it helps. Look forward to a solution. Thanks.
  2. My PC just got updated to MBAE V 1.13.1.424 and suddenly it started blocking all PowerPoint files because it opens splwow64.exe. I am also unable to exclude this "threat" as it does not show the bin symbol. If I stop the protection, work on the PPT file, close the file and then restart MBAE, then MBAE does not kick in again. Please fix this bug. Thanks.
  3. Hi Ron, MBAM and AdwCleaner scans are clean now. The PC looks ok now - thanks for your help. Logs below.

     ========================
     MBAM

     Malwarebytes
     www.malwarebytes.com

     -Log Details-
     Scan Date: 12/20/17
     Scan Time: 9:42 AM
     Log File: aea0954b-e561-11e7-a8d0-00ffa57e66d1.json
     Administrator: Yes

     -Software Information-
     Version: 3.3.1.2183
     Components Version: 1.0.262
     Update Package Version: 1.0.3525
     License: Free

     -System Information-
     OS: Windows XP Service Pack 3
     CPU: x86
     File System: NTFS
     User: SCPC002\sc

     -Scan Summary-
     Scan Type: Threat Scan
     Result: Completed
     Objects Scanned: 216329
     Threats Detected: 0
     (No malicious items detected)
     Threats Quarantined: 0
     (No malicious items detected)
     Time Elapsed: 32 min, 56 sec

     -Scan Options-
     Memory: Enabled
     Startup: Enabled
     Filesystem: Enabled
     Archives: Enabled
     Rootkits: Enabled
     Heuristics: Enabled
     PUP: Detect
     PUM: Detect

     -Scan Details-
     Process: 0
     (No malicious items detected)
     Module: 0
     (No malicious items detected)
     Registry Key: 0
     (No malicious items detected)
     Registry Value: 0
     (No malicious items detected)
     Registry Data: 0
     (No malicious items detected)
     Data Stream: 0
     (No malicious items detected)
     Folder: 0
     (No malicious items detected)
     File: 0
     (No malicious items detected)
     Physical Sector: 0
     (No malicious items detected)

     (end)

     AdwCleaner

     # AdwCleaner v6.046 - Logfile created 20/12/2017 at 10:17:53
     # Updated on 24/04/2017 by Malwarebytes
     # Database : 2017-04-24.1 [Local]
     # Operating System : Microsoft Windows XP Service Pack 3 (X86)
     # Username : sc - SCPC002
     # Running from : C:\Documents and Settings\sc\My Documents\Downloads\Malware_Tools\adwcleaner_6.046.exe
     # Mode: Scan
     # Support : https://www.malwarebytes.com/support

     ***** [ Services ] *****

     No malicious services found.

     ***** [ Folders ] *****

     No malicious folders found.

     ***** [ Files ] *****

     No malicious files found.

     ***** [ DLL ] *****

     No malicious DLLs found.

     ***** [ WMI ] *****

     No malicious keys found.

     ***** [ Shortcuts ] *****

     No infected shortcut found.

     ***** [ Scheduled Tasks ] *****

     No malicious task found.

     ***** [ Registry ] *****

     No malicious registry entries found.

     ***** [ Web browsers ] *****

     No malicious Firefox based browser items found.
     No malicious Chromium based browser items found.

     *************************

     C:\AdwCleaner\AdwCleaner[C0].txt - [2812 Bytes] - [19/12/2017 08:06:17]
     C:\AdwCleaner\AdwCleaner[R0].txt - [2127 Bytes] - [22/09/2013 19:47:17]
     C:\AdwCleaner\AdwCleaner[R1].txt - [938 Bytes] - [22/09/2013 20:03:32]
     C:\AdwCleaner\AdwCleaner[S0].txt - [2246 Bytes] - [22/09/2013 19:52:24]
     C:\AdwCleaner\AdwCleaner[S1].txt - [2810 Bytes] - [19/12/2017 08:03:02]
     C:\AdwCleaner\AdwCleaner[S2].txt - [1411 Bytes] - [20/12/2017 10:17:53]

     ########## EOF - C:\AdwCleaner\AdwCleaner[S2].txt - [1484 Bytes] ##########
  4. Hi Ron, thanks for your help. I ran ComboFix as instructed. The log is attached. Please note that I will go on leave from tomorrow and will be unable to log in to this PC for the next 2 weeks. Please post your reply to this log and please make your recommendation for the next step, but please be informed that I won't be able to operate on the PC until w/c 8th January. Thanks again for your help.

     =============================
     ComboFix 17-12-11.01 - sc 20/12/2017 8:40.3.2 - x86
     Microsoft Windows XP Professional 5.1.2600.3.1252.44.1033.18.2037.1091 [GMT 1:00]
     Running from: c:\documents and settings\sc\Desktop\ComboFix.exe
     AV: Avast Antivirus *Disabled/Updated* {7591db91-41f0-48a3-b128-1a293fd8233d}
     AV: Bitdefender Antivirus Free Edition *Enabled/Updated* {9488E0FA-F058-4673-850E-E755F112BABC}
     FW: *Enabled* {9488E0FA-F058-4673-850E-E755F112BABC}
     .
     .
     ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
     .
     .
     c:\docume~1\sc\LOCALS~1\Temp\_MEI17682\_ctypes.pyd
     c:\docume~1\sc\LOCALS~1\Temp\_MEI17682\_elementtree.pyd
     c:\docume~1\sc\LOCALS~1\Temp\_MEI17682\_hashlib.pyd
     c:\docume~1\sc\LOCALS~1\Temp\_MEI17682\_multiprocessing.pyd
     c:\docume~1\sc\LOCALS~1\Temp\_MEI17682\_psutil_windows.pyd
     c:\docume~1\sc\LOCALS~1\Temp\_MEI17682\_socket.pyd
     c:\docume~1\sc\LOCALS~1\Temp\_MEI17682\_ssl.pyd
     c:\docume~1\sc\LOCALS~1\Temp\_MEI17682\_yappi.pyd
     c:\docume~1\sc\LOCALS~1\Temp\_MEI17682\common.time34.pyd
     c:\docume~1\sc\LOCALS~1\Temp\_MEI17682\hashobjs_ext.pyd
     c:\docume~1\sc\LOCALS~1\Temp\_MEI17682\PIL._imaging.pyd
     c:\docume~1\sc\LOCALS~1\Temp\_MEI17682\pyexpat.pyd
     c:\docume~1\sc\LOCALS~1\Temp\_MEI17682\pysqlite2._sqlite.pyd
     c:\docume~1\sc\LOCALS~1\Temp\_MEI17682\python27.dll
     c:\docume~1\sc\LOCALS~1\Temp\_MEI17682\pythoncom27.dll
     c:\docume~1\sc\LOCALS~1\Temp\_MEI17682\pywintypes27.dll
     c:\docume~1\sc\LOCALS~1\Temp\_MEI17682\select.pyd
     c:\docume~1\sc\LOCALS~1\Temp\_MEI17682\thumbnails_ext.pyd
     c:\docume~1\sc\LOCALS~1\Temp\_MEI17682\unicodedata.pyd
     c:\docume~1\sc\LOCALS~1\Temp\_MEI17682\usb_ext.pyd
     c:\docume~1\sc\LOCALS~1\Temp\_MEI17682\win32api.pyd
     c:\docume~1\sc\LOCALS~1\Temp\_MEI17682\win32com.shell.shell.pyd
     c:\docume~1\sc\LOCALS~1\Temp\_MEI17682\win32crypt.pyd
     c:\docume~1\sc\LOCALS~1\Temp\_MEI17682\win32event.pyd
     c:\docume~1\sc\LOCALS~1\Temp\_MEI17682\win32file.pyd
     c:\docume~1\sc\LOCALS~1\Temp\_MEI17682\win32gui.pyd
     c:\docume~1\sc\LOCALS~1\Temp\_MEI17682\win32inet.pyd
     c:\docume~1\sc\LOCALS~1\Temp\_MEI17682\win32pdh.pyd
     c:\docume~1\sc\LOCALS~1\Temp\_MEI17682\win32pipe.pyd
     c:\docume~1\sc\LOCALS~1\Temp\_MEI17682\win32process.pyd
     c:\docume~1\sc\LOCALS~1\Temp\_MEI17682\win32profile.pyd
     c:\docume~1\sc\LOCALS~1\Temp\_MEI17682\win32security.pyd
     c:\docume~1\sc\LOCALS~1\Temp\_MEI17682\win32ts.pyd
     c:\docume~1\sc\LOCALS~1\Temp\_MEI17682\windows._lib_cacheinvalidation.pyd
     c:\docume~1\sc\LOCALS~1\Temp\_MEI17682\windows.device_monitor.pyd
     c:\docume~1\sc\LOCALS~1\Temp\_MEI17682\windows.volumes.pyd
     c:\docume~1\sc\LOCALS~1\Temp\_MEI17682\windows.winwrap.pyd
     c:\docume~1\sc\LOCALS~1\Temp\_MEI17682\winxpgui.pyd
     c:\docume~1\sc\LOCALS~1\Temp\_MEI17682\wx._controls_.pyd
     c:\docume~1\sc\LOCALS~1\Temp\_MEI17682\wx._core_.pyd
     c:\docume~1\sc\LOCALS~1\Temp\_MEI17682\wx._gdi_.pyd
     c:\docume~1\sc\LOCALS~1\Temp\_MEI17682\wx._html2.pyd
     c:\docume~1\sc\LOCALS~1\Temp\_MEI17682\wx._misc_.pyd
     c:\docume~1\sc\LOCALS~1\Temp\_MEI17682\wx._windows_.pyd
     c:\docume~1\sc\LOCALS~1\Temp\_MEI17682\wxbase30u_net_vc90.dll
     c:\docume~1\sc\LOCALS~1\Temp\_MEI17682\wxbase30u_vc90.dll
     c:\docume~1\sc\LOCALS~1\Temp\_MEI17682\wxmsw30u_adv_vc90.dll
     c:\docume~1\sc\LOCALS~1\Temp\_MEI17682\wxmsw30u_core_vc90.dll
     c:\docume~1\sc\LOCALS~1\Temp\_MEI17682\wxmsw30u_html_vc90.dll
     c:\docume~1\sc\LOCALS~1\Temp\_MEI17682\wxmsw30u_webview_vc90.dll
     c:\documents and settings\All Users\Application Data\1440322332.bdinstall.bin
     c:\documents and settings\All Users\Application Data\1442839455.bdinstall.bin
     c:\documents and settings\All Users\Application Data\1442839457.4676.bin
     c:\documents and settings\All Users\Application Data\1442839457.5048.bin
     c:\documents and settings\All Users\Application Data\1442839457.5720.bin
     c:\documents and settings\All Users\Application Data\1442839457.6044.bin
     c:\documents and settings\All Users\Application Data\1442839626.bdinstall.bin
     c:\documents and settings\All Users\Application Data\1442839955.bdinstall.bin
     c:\documents and settings\All Users\Application Data\1442840128.bdinstall.bin
     c:\documents and settings\All Users\Application Data\1442840514.bdinstall.bin
     c:\documents and settings\All Users\Application Data\1481724763.bdinstall.bin
     c:\documents and settings\All Users\Application Data\1481724766.bdinstall.bin
     c:\documents and settings\All Users\Application Data\1504685804.bdinstall.bin
     c:\documents and settings\All Users\Application Data\1504685814.bdinstall.bin
     c:\documents and settings\All Users\Application Data\1504686152.2312.bin
     c:\documents and settings\All Users\Application Data\1504686152.2524.bin
     c:\documents and settings\All Users\Application Data\1504686152.2740.bin
     c:\documents and settings\All Users\Application Data\1504686152.928.bin
     c:\documents and settings\All Users\Application Data\1504696396.bdinstall.bin
     c:\documents and settings\All Users\Application Data\1504696409.4480.bin
     c:\documents and settings\All Users\Application Data\1504696409.5476.bin
     c:\documents and settings\All Users\Application Data\1504696409.5768.bin
     c:\documents and settings\All Users\Application Data\1504696409.6116.bin
     c:\documents and settings\All Users\Application Data\1505656557.bdinstall.bin
     c:\documents and settings\All Users\Application Data\1505656560.1052.bin
     c:\documents and settings\All Users\Application Data\1505656560.2408.bin
     c:\documents and settings\All Users\Application Data\1505656560.3596.bin
     c:\documents and settings\All Users\Application Data\1505656560.4268.bin
     c:\documents and settings\sc\Application Data\inst.exe
     c:\documents and settings\sc\Local Settings\Temp\_MEI17682\_ctypes.pyd
     c:\documents and settings\sc\Local Settings\Temp\_MEI17682\_elementtree.pyd
     c:\documents and settings\sc\Local Settings\Temp\_MEI17682\_hashlib.pyd
     c:\documents and settings\sc\Local Settings\Temp\_MEI17682\_multiprocessing.pyd
     c:\documents and settings\sc\Local Settings\Temp\_MEI17682\_psutil_windows.pyd
     c:\documents and settings\sc\Local Settings\Temp\_MEI17682\_socket.pyd
     c:\documents and settings\sc\Local Settings\Temp\_MEI17682\_ssl.pyd
     c:\documents and settings\sc\Local Settings\Temp\_MEI17682\_yappi.pyd
     c:\documents and settings\sc\Local Settings\Temp\_MEI17682\common.time34.pyd
     c:\documents and settings\sc\Local Settings\Temp\_MEI17682\hashobjs_ext.pyd
     c:\documents and settings\sc\Local Settings\Temp\_MEI17682\PIL._imaging.pyd
     c:\documents and settings\sc\Local Settings\Temp\_MEI17682\pyexpat.pyd
     c:\documents and settings\sc\Local Settings\Temp\_MEI17682\pysqlite2._sqlite.pyd
     c:\documents and settings\sc\Local Settings\Temp\_MEI17682\python27.dll
     c:\documents and settings\sc\Local Settings\Temp\_MEI17682\pythoncom27.dll
     c:\documents and settings\sc\Local Settings\Temp\_MEI17682\pywintypes27.dll
     c:\documents and settings\sc\Local Settings\Temp\_MEI17682\select.pyd
     c:\documents and settings\sc\Local Settings\Temp\_MEI17682\thumbnails_ext.pyd
     c:\documents and settings\sc\Local Settings\Temp\_MEI17682\unicodedata.pyd
     c:\documents and settings\sc\Local Settings\Temp\_MEI17682\usb_ext.pyd
     c:\documents and settings\sc\Local Settings\Temp\_MEI17682\win32api.pyd
     c:\documents and settings\sc\Local Settings\Temp\_MEI17682\win32com.shell.shell.pyd
     c:\documents and settings\sc\Local Settings\Temp\_MEI17682\win32crypt.pyd
     c:\documents and settings\sc\Local Settings\Temp\_MEI17682\win32event.pyd
     c:\documents and settings\sc\Local Settings\Temp\_MEI17682\win32file.pyd
     c:\documents and settings\sc\Local Settings\Temp\_MEI17682\win32gui.pyd
     c:\documents and settings\sc\Local Settings\Temp\_MEI17682\win32inet.pyd
     c:\documents and settings\sc\Local Settings\Temp\_MEI17682\win32pdh.pyd
     c:\documents and settings\sc\Local Settings\Temp\_MEI17682\win32pipe.pyd
     c:\documents and settings\sc\Local Settings\Temp\_MEI17682\win32process.pyd
     c:\documents and settings\sc\Local Settings\Temp\_MEI17682\win32profile.pyd
     c:\documents and settings\sc\Local Settings\Temp\_MEI17682\win32security.pyd
     c:\documents and settings\sc\Local Settings\Temp\_MEI17682\win32ts.pyd
     c:\documents and settings\sc\Local Settings\Temp\_MEI17682\windows._lib_cacheinvalidation.pyd
     c:\documents and settings\sc\Local Settings\Temp\_MEI17682\windows.device_monitor.pyd
     c:\documents and settings\sc\Local Settings\Temp\_MEI17682\windows.volumes.pyd
     c:\documents and settings\sc\Local Settings\Temp\_MEI17682\windows.winwrap.pyd
     c:\documents and settings\sc\Local Settings\Temp\_MEI17682\winxpgui.pyd
     c:\documents and settings\sc\Local Settings\Temp\_MEI17682\wx._controls_.pyd
     c:\documents and settings\sc\Local Settings\Temp\_MEI17682\wx._core_.pyd
     c:\documents and settings\sc\Local Settings\Temp\_MEI17682\wx._gdi_.pyd
     c:\documents and settings\sc\Local Settings\Temp\_MEI17682\wx._html2.pyd
     c:\documents and settings\sc\Local Settings\Temp\_MEI17682\wx._misc_.pyd
     c:\documents and settings\sc\Local Settings\Temp\_MEI17682\wx._windows_.pyd
     c:\documents and settings\sc\Local Settings\Temp\_MEI17682\wxbase30u_net_vc90.dll
     c:\documents and settings\sc\Local Settings\Temp\_MEI17682\wxbase30u_vc90.dll
     c:\documents and settings\sc\Local Settings\Temp\_MEI17682\wxmsw30u_adv_vc90.dll
     c:\documents and settings\sc\Local Settings\Temp\_MEI17682\wxmsw30u_core_vc90.dll
     c:\documents and settings\sc\Local Settings\Temp\_MEI17682\wxmsw30u_html_vc90.dll
     c:\documents and settings\sc\Local Settings\Temp\_MEI17682\wxmsw30u_webview_vc90.dll
     c:\windows\$msi31uninstall_kb893803v2$
     c:\windows\$msi31uninstall_kb893803v2$\msi.dll
     c:\windows\$msi31uninstall_kb893803v2$\msiexec.exe
     c:\windows\$msi31uninstall_kb893803v2$\msihnd.dll
     c:\windows\$msi31uninstall_kb893803v2$\msimsg.dll
     c:\windows\$msi31uninstall_kb893803v2$\msisip.dll
     c:\windows\$msi31uninstall_kb893803v2$\reg00013
     c:\windows\$msi31uninstall_kb893803v2$\reg00014
     c:\windows\$msi31uninstall_kb893803v2$\reg00015
     c:\windows\$msi31uninstall_kb893803v2$\reg00016
     c:\windows\$msi31uninstall_kb893803v2$\reg00017
     c:\windows\$msi31uninstall_kb893803v2$\reg00018
     c:\windows\$msi31uninstall_kb893803v2$\reg00019
     c:\windows\$msi31uninstall_kb893803v2$\reg00020
     c:\windows\$msi31uninstall_kb893803v2$\reg00021
     c:\windows\$msi31uninstall_kb893803v2$\reg00022
     c:\windows\$msi31uninstall_kb893803v2$\reg00023
     c:\windows\$msi31uninstall_kb893803v2$\reg00024
     c:\windows\$msi31uninstall_kb893803v2$\reg00025
     c:\windows\$msi31uninstall_kb893803v2$\reg00026
     c:\windows\$msi31uninstall_kb893803v2$\reg00027
     c:\windows\$msi31uninstall_kb893803v2$\reg00028
     c:\windows\$msi31uninstall_kb893803v2$\reg00029
     c:\windows\$msi31uninstall_kb893803v2$\reg00030
     c:\windows\$msi31uninstall_kb893803v2$\reg00031
     c:\windows\$msi31uninstall_kb893803v2$\reg00032
     c:\windows\$msi31uninstall_kb893803v2$\reg00033
     c:\windows\$msi31uninstall_kb893803v2$\reg00034
     c:\windows\$msi31uninstall_kb893803v2$\reg00035
     c:\windows\$msi31uninstall_kb893803v2$\reg00036
     c:\windows\$msi31uninstall_kb893803v2$\reg00037
     c:\windows\$msi31uninstall_kb893803v2$\reg00038
     c:\windows\$msi31uninstall_kb893803v2$\reg00039
     c:\windows\$msi31uninstall_kb893803v2$\reg00040
     c:\windows\$msi31uninstall_kb893803v2$\reg00041
     c:\windows\$msi31uninstall_kb893803v2$\reg00042
     c:\windows\$msi31uninstall_kb893803v2$\reg00043
     c:\windows\$msi31uninstall_kb893803v2$\reg00044
     c:\windows\$msi31uninstall_kb893803v2$\reg00045
     c:\windows\$msi31uninstall_kb893803v2$\reg00046
     c:\windows\$msi31uninstall_kb893803v2$\reg00047
     c:\windows\$msi31uninstall_kb893803v2$\reg00048
     c:\windows\$msi31uninstall_kb893803v2$\reg00051
     c:\windows\$msi31uninstall_kb893803v2$\reg00052
     c:\windows\$msi31uninstall_kb893803v2$\reg00053
     c:\windows\$msi31uninstall_kb893803v2$\reg00054
     c:\windows\$msi31uninstall_kb893803v2$\reg00055
     c:\windows\$msi31uninstall_kb893803v2$\reg00056
     c:\windows\$msi31uninstall_kb893803v2$\reg00057
     c:\windows\$msi31uninstall_kb893803v2$\reg00058
     c:\windows\$msi31uninstall_kb893803v2$\reg00059
     c:\windows\$msi31uninstall_kb893803v2$\reg00060
     c:\windows\$msi31uninstall_kb893803v2$\reg00061
     c:\windows\$msi31uninstall_kb893803v2$\reg00062
     c:\windows\$msi31uninstall_kb893803v2$\reg00063
     c:\windows\$msi31uninstall_kb893803v2$\reg00064
     c:\windows\$msi31uninstall_kb893803v2$\reg00065
     c:\windows\$msi31uninstall_kb893803v2$\reg00066
     c:\windows\$msi31uninstall_kb893803v2$\reg00067
     c:\windows\$msi31uninstall_kb893803v2$\reg00068
     c:\windows\$msi31uninstall_kb893803v2$\reg00069
     c:\windows\$msi31uninstall_kb893803v2$\reg00070
     c:\windows\$msi31uninstall_kb893803v2$\reg00071
     c:\windows\$msi31uninstall_kb893803v2$\reg00072
     c:\windows\$msi31uninstall_kb893803v2$\reg00073
     c:\windows\$msi31uninstall_kb893803v2$\reg00074
     c:\windows\$msi31uninstall_kb893803v2$\reg00075
     c:\windows\$msi31uninstall_kb893803v2$\reg00076
     c:\windows\$msi31uninstall_kb893803v2$\reg00077
     c:\windows\$msi31uninstall_kb893803v2$\reg00078
     c:\windows\$msi31uninstall_kb893803v2$\reg00079
     c:\windows\$msi31uninstall_kb893803v2$\reg00080
     c:\windows\$msi31uninstall_kb893803v2$\reg00081
     c:\windows\$msi31uninstall_kb893803v2$\reg00082
     c:\windows\$msi31uninstall_kb893803v2$\reg00083
     c:\windows\$msi31uninstall_kb893803v2$\reg00084
     c:\windows\$msi31uninstall_kb893803v2$\reg00085
     c:\windows\$msi31uninstall_kb893803v2$\reg00086
     c:\windows\$msi31uninstall_kb893803v2$\reg00087
     c:\windows\$msi31uninstall_kb893803v2$\reg00088
     c:\windows\$msi31uninstall_kb893803v2$\reg00089
     c:\windows\$msi31uninstall_kb893803v2$\reg00090
     c:\windows\$msi31uninstall_kb893803v2$\reg00091
     c:\windows\$msi31uninstall_kb893803v2$\reg00092
     c:\windows\$msi31uninstall_kb893803v2$\reg00093
     c:\windows\$msi31uninstall_kb893803v2$\reg00094
     c:\windows\$msi31uninstall_kb893803v2$\reg00095
     c:\windows\$msi31uninstall_kb893803v2$\reg00096
     c:\windows\$msi31uninstall_kb893803v2$\reg00097
     c:\windows\$msi31uninstall_kb893803v2$\reg00098
     c:\windows\$msi31uninstall_kb893803v2$\reg00099
     c:\windows\$msi31uninstall_kb893803v2$\reg00100
     c:\windows\$msi31uninstall_kb893803v2$\reg00101
     c:\windows\$msi31uninstall_kb893803v2$\reg00102
     c:\windows\$msi31uninstall_kb893803v2$\reg00103
     c:\windows\$msi31uninstall_kb893803v2$\reg00104
     c:\windows\$msi31uninstall_kb893803v2$\reg00105
     c:\windows\$msi31uninstall_kb893803v2$\reg00106
     c:\windows\$msi31uninstall_kb893803v2$\reg00107
     c:\windows\$msi31uninstall_kb893803v2$\reg00108
     c:\windows\$msi31uninstall_kb893803v2$\reg00109
     c:\windows\$msi31uninstall_kb893803v2$\reg00110
     c:\windows\$msi31uninstall_kb893803v2$\reg00111
     c:\windows\$msi31uninstall_kb893803v2$\reg00112
     c:\windows\$msi31uninstall_kb893803v2$\reg00113
     c:\windows\$msi31uninstall_kb893803v2$\reg00114
     c:\windows\$msi31uninstall_kb893803v2$\reg00115
     c:\windows\$msi31uninstall_kb893803v2$\reg00116
     c:\windows\$msi31uninstall_kb893803v2$\spuninst\spuninst.exe
     c:\windows\$msi31uninstall_kb893803v2$\spuninst\spuninst.inf
     c:\windows\$msi31uninstall_kb893803v2$\spuninst\spuninst.txt
     c:\windows\$msi31uninstall_kb893803v2$\spuninst\updspapi.dll
     .
     .
     ((((((((((((((((((((((((( Files Created from 2017-11-20 to 2017-12-20 )))))))))))))))))))))))))))))))
     .
     .
     2017-12-19 07:13 . 2017-12-19 07:13 -------- d-----w- c:\program files\VS Revo Group
     2017-12-17 12:55 . 2017-12-17 12:55 24688 ----a-w- c:\windows\system32\drivers\TrueSight.sys
     2017-12-17 12:54 . 2017-12-17 13:48 -------- d-----w- c:\documents and settings\All Users\Application Data\RogueKiller
     2017-12-16 15:42 . 2017-12-16 15:42 -------- d-----w- c:\documents and settings\Administrator
     2017-12-16 14:18 . 2017-12-16 14:18 -------- d-----w- c:\windows\Performance
     2017-12-16 14:18 . 2017-12-16 14:18 -------- d-----w- c:\documents and settings\sc\Local Settings\Application Data\Microsoft Corporation
     2017-12-16 09:46 . 2017-11-10 06:54 305328 ----a-w- c:\windows\system32\aswBoot.exe
     2017-12-16 09:42 . 2017-12-16 09:42 -------- d-----w- c:\windows\system32\wbem\Repository
     2017-12-14 08:16 . 2017-12-19 19:27 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes Anti-Exploit
     2017-12-14 08:16 . 2017-12-16 16:06 -------- d-----w- c:\program files\Malwarebytes Anti-Exploit
     2017-12-14 08:10 . 2017-12-19 13:40 221112 ----a-w- c:\windows\system32\drivers\MBAMSwissArmy.sys
     2017-12-14 08:10 . 2017-12-14 08:10 -------- d-----w- c:\program files\Malwarebytes
     2017-12-14 08:10 . 2017-12-14 08:10 -------- d-----w- c:\documents and settings\All Users\Application Data\MB2Migration
     2017-12-14 07:59 . 2017-12-14 08:10 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
     2017-12-12 06:57 . 2017-12-06 19:42 873392 ----a-w- c:\program files\Mozilla Firefox\uninstall\helper.exe
     2017-12-12 06:57 . 2017-12-06 19:42 66000 ----a-w- c:\program files\Mozilla Firefox\gmp-clearkey\0.1\clearkey.dll
     2017-12-11 08:13 . 2017-12-17 15:55 -------- d-----w- C:\FRST
     2017-12-05 18:38 . 2017-12-05 18:38 -------- d-----w- c:\documents and settings\sc\Application Data\ProtonVPN AG
     2017-11-28 14:05 . 2017-12-04 06:55 0 ----a-w- c:\windows\system32\TempWmicBatchFile.bat
     .
     .
     .
     (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
     .
     2017-12-13 09:36 . 2016-01-06 20:21 803328 ----a-w- c:\windows\system32\FlashPlayerApp.exe
     2017-12-13 09:36 . 2016-01-06 20:21 144896 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
     2017-11-29 08:11 . 2017-10-13 08:22 59896 ----a-w- c:\windows\system32\drivers\mbae.sys
     2017-11-16 07:26 . 2017-09-06 07:41 388760 ----a-w- c:\windows\system32\drivers\aswSP.sys
     2017-11-10 06:55 . 2017-09-06 07:41 205392 ----a-w- c:\windows\system32\drivers\aswStmXP.sys
     2017-11-10 06:54 . 2017-11-10 06:55 157176 ----a-w- c:\windows\system32\drivers\aswArPot.sys
     2017-11-10 06:54 . 2017-09-06 07:41 298360 ----a-w- c:\windows\system32\drivers\aswVmm.sys
     2017-11-10 06:54 . 2017-09-06 07:41 70864 ----a-w- c:\windows\system32\drivers\aswRvrt.sys
     2017-11-10 06:54 . 2017-09-06 07:41 42848 ----a-w- c:\windows\system32\drivers\aswHwid.sys
     2017-11-10 06:54 . 2017-09-06 07:41 124952 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
     2017-11-10 06:54 . 2017-09-06 07:41 70112 ----a-w- c:\windows\system32\drivers\aswRdr.sys
     2017-11-10 06:54 . 2017-09-06 07:41 783136 ----a-w- c:\windows\system32\drivers\aswSnx.sys
     2017-11-10 06:54 . 2017-09-06 07:41 50376 ----a-w- c:\windows\system32\drivers\aswbunivx.sys
     2017-11-10 06:54 . 2017-09-06 07:41 276728 ----a-w- c:\windows\system32\drivers\aswblogx.sys
     2017-11-10 06:54 . 2017-09-06 07:41 255616 ----a-w- c:\windows\system32\drivers\aswbidsdriverx.sys
     2017-11-10 06:54 . 2017-09-06 07:41 157408 ----a-w- c:\windows\system32\drivers\aswbidshx.sys
     2017-10-21 20:09 . 2017-09-24 19:54 34864 ----a-w- c:\windows\system32\drivers\tapwindscribe0901.sys
     .
     .
     ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
     .
     .
     *Note* empty entries & legit default entries are not shown
     REGEDIT4
     .
     [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ GoogleDriveBlacklisted]
     @="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D42}"
     [HKEY_CLASSES_ROOT\CLSID\{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D42}]
     2017-09-15 07:49 576408 ----a-w- c:\program files\Google\Drive\googledrivesync32.dll
     .
     [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ GoogleDriveSynced]
     @="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D40}"
     [HKEY_CLASSES_ROOT\CLSID\{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D40}]
     2017-09-15 07:49 576408 ----a-w- c:\program files\Google\Drive\googledrivesync32.dll
     .
     [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ GoogleDriveSyncing]
     @="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D41}"
     [HKEY_CLASSES_ROOT\CLSID\{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D41}]
     2017-09-15 07:49 576408 ----a-w- c:\program files\Google\Drive\googledrivesync32.dll
     .
     [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00asw]
     @="{472083B0-C522-11CF-8763-00608CC02F24}"
     [HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
     2017-11-10 06:54 1396816 ----a-w- c:\program files\AVAST Software\Avast\ashShell.dll
     .
     [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\0Genie9 Zoolz-BackedupIcon]
     @="{9DB6687B-FDB2-4284-AF2A-4562D4EB371D}"
     [HKEY_CLASSES_ROOT\CLSID\{9DB6687B-FDB2-4284-AF2A-4562D4EB371D}]
     2017-07-30 12:05 148992 ----a-w- c:\program files\Genie9\Zoolz2\Overlay.dll
     .
     [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\0Genie9 Zoolz-BackedUpModifiedIcon]
     @="{9DB6687D-FDB2-4284-AF2A-4562D4EB371D}"
     [HKEY_CLASSES_ROOT\CLSID\{9DB6687D-FDB2-4284-AF2A-4562D4EB371D}]
     2017-07-30 12:05 148992 ----a-w- c:\program files\Genie9\Zoolz2\Overlay.dll
     .
     [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\0Genie9 Zoolz-ColdStorageIcon]
     @="{9DB6687F-FDB2-4284-AF2A-4562D4EB371D}"
     [HKEY_CLASSES_ROOT\CLSID\{9DB6687F-FDB2-4284-AF2A-4562D4EB371D}]
     2017-07-30 12:05 148992 ----a-w- c:\program files\Genie9\Zoolz2\Overlay.dll
     .
     [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\0Genie9 Zoolz-FolderInCloudIcon]
     @="{9DB6687E-FDB2-4284-AF2A-4562D4EB371D}"
     [HKEY_CLASSES_ROOT\CLSID\{9DB6687E-FDB2-4284-AF2A-4562D4EB371D}]
     2017-07-30 12:05 148992 ----a-w- c:\program files\Genie9\Zoolz2\Overlay.dll
     .
     [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\0Genie9 Zoolz-NotBackedUpIcon]
     @="{9DB6687C-FDB2-4284-AF2A-4562D4EB371D}"
     [HKEY_CLASSES_ROOT\CLSID\{9DB6687C-FDB2-4284-AF2A-4562D4EB371D}]
     2017-07-30 12:05 148992 ----a-w- c:\program files\Genie9\Zoolz2\Overlay.dll
     .
     [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
     "HP Officejet 5740 series (NET)"="c:\program files\HP\HP Officejet 5740 series\Bin\ScanToPCActivationApp.exe" [2014-08-22 2424840]
     "Zoolz Tray"="c:\program files\Genie9\Zoolz2\ZoolzLauncher.exe" [2017-07-31 395920]
     "GoogleDriveSync"="c:\program files\Google\Drive\googledrivesync.exe" [2017-09-15 40258552]
     .
     [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
     "RTHDCPL"="RTHDCPL.EXE" [2009-06-25 17887232]
     "V0420Mon.exe"="c:\windows\V0420Mon.exe" [2007-04-29 32768]
     "LifeCam"="c:\program files\Microsoft LifeCam\LifeExp.exe" [2010-12-13 135536]
     "HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2013-05-30 96056]
     "AvastUI.exe"="c:\program files\AVAST Software\Avast\AvLaunch.exe" [2017-11-10 253344]
     "NetWorx"="c:\program files\NetWorx\networx.exe" [2016-09-22 5219144]
     "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2017-07-27 1160408]
     .
     [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
     "RunNarrator"="Narrator.exe" [2008-04-14 53760]
     .
     c:\documents and settings\All Users\Start Menu\Programs\Startup\
     Malwarebytes Anti-Exploit.lnk - c:\program files\Malwarebytes Anti-Exploit\mbae.exe [2017-12-14 2480584]
     Secunia PSI Tray.lnk - c:\program files\Secunia\PSI\psi_tray.exe [2016-2-2 605400]
     .
     [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MBAMService]
     @="Service"
     .
     [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
     @="Driver"
     .
     [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
     c:\windows\system32\dumprep 0 -k [X]
     .
     [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
     2017-07-27 05:29 1160408 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
     .
     [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\APSDaemon]
     2015-03-20 15:12 60712 ----a-w- c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe
     .
     [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
     2008-04-14 02:42 15360 ----a-w- c:\windows\system32\ctfmon.exe
     .
     [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DivXUpdate]
     2011-07-28 23:08 1259376 ----a-w- c:\program files\DivX\DivX Update\DivXUpdate.exe
     .
     [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Facebook Update]
     2014-11-06 08:24 138096 ----atw- c:\documents and settings\sc\Local Settings\Application Data\Facebook\Update\FacebookUpdate.exe
     .
     [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
     2009-01-21 03:20 166912 ----a-w- c:\windows\system32\hkcmd.exe
     .
     [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
     2009-01-21 03:20 134656 ----a-w- c:\windows\system32\igfxtray.exe
     .
     [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
     2015-09-12 02:25 157456 ----a-w- c:\program files\iTunes\iTunesHelper.exe
     .
     [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Persistence]
     2009-01-21 03:18 134656 ----a-w- c:\windows\system32\igfxpers.exe
     .
     [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
     2017-05-05 14:43 27716568 ----a-r- c:\program files\Skype\Phone\Skype.exe
     .
     [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
     "iPod Service"=3 (0x3)
     "Freemake Improver"=2 (0x2)
     "Apple Mobile Device"=2 (0x2)
     .
     [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
     "%windir%\\system32\\sessmgr.exe"=
     "c:\\Program Files\\Google\\Chrome\\Application\\chrome.exe"=
     "c:\\Documents and Settings\\sc\\Application Data\\uTorrent\\uTorrent.exe"=
     "c:\\Program Files\\Microsoft Office\\Office14\\ONENOTE.EXE"=
     "c:\\Program Files\\Microsoft Office\\Office14\\OUTLOOK.EXE"=
     "c:\\Program Files\\NetWorx\\networx.exe"=
     "c:\\Program Files\\Skype\\Phone\\Skype.exe"=
     "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
     "c:\\WINDOWS\\system32\\usmt\\migwiz.exe"=
     "c:\\Program Files\\iTunes\\iTunes.exe"=
     "c:\\Program Files\\Windscribe\\wsappcontrol.exe"=
     "c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
     "c:\\Program Files\\Slimjet\\slimjet.exe"=
     .
     [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
     "5357:TCP"= 5357:TCP:WS-Eventing TCP Port 5357
     .
     [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
     "AllowInboundEchoRequest"= 0 (0x0)
     .
     R0 aswbidsh;aswbidsh;c:\windows\system32\drivers\aswbidshx.sys [06/09/2017 08:41 157408]
     R0 aswblog;aswblog;c:\windows\system32\drivers\aswblogx.sys [06/09/2017 08:41 276728]
     R0 aswbuniv;aswbuniv;c:\windows\system32\drivers\aswbunivx.sys [06/09/2017 08:41 50376]
     R0 aswRvrt;aswRvrt;c:\windows\system32\drivers\aswRvrt.sys [06/09/2017 08:41 70864]
     R0 aswVmm;aswVmm;c:\windows\system32\drivers\aswVmm.sys [06/09/2017 08:41 298360]
     R1 aswArPot;aswArPot;c:\windows\system32\drivers\aswArPot.sys [10/11/2017 07:55 157176]
     R1 aswbidsdriver;aswbidsdriver;c:\windows\system32\drivers\aswbidsdriverx.sys [06/09/2017 08:41 255616]
     R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [06/09/2017 08:41 783136]
     R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [06/09/2017 08:41 388760]
     R1 ESProtectionDriver;Malwarebytes Anti-Exploit;c:\program files\Malwarebytes Anti-Exploit\mbae.sys [14/12/2017 09:16 59896]
     R1 networx;networx;c:\windows\system32\drivers\networx.sys [18/09/2016 09:20 67640]
     R2 ABBYY.Licensing.PDFTransformer.Classic.3.0;ABBYY PDF Transformer 3.0 Licensing Service;c:\program files\ABBYY PDF Transformer 3.0\NetworkLicenseServer.exe [14/05/2009 17:07 759048]
     R2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [06/09/2017 08:41 124952]
     R2 MbaeSvc;Malwarebytes Anti-Exploit Service;c:\program files\Malwarebytes Anti-Exploit\mbae-svc.exe [14/12/2017 09:16 139776]
     R2 Secunia PSI Agent;Secunia PSI Agent;c:\program files\Secunia\PSI\psia.exe [02/02/2016 13:45 1570520]
     R2 WindscribeService;WindscribeService;c:\program files\Windscribe\WindscribeService.exe [24/09/2017 20:54 356968]
     R2 Zoolz 2 Service;Zoolz Backup Service;c:\program files\Genie9\Zoolz2\ZoolzService.exe [30/07/2017 13:06 475792]
     R3 aswbIDSAgent;aswbIDSAgent;c:\program files\AVAST Software\Avast\aswidsagent.exe [10/11/2017 07:54 5904136]
     R3 aswStmXP;aswStmXP;c:\windows\system32\drivers\aswStmXP.sys [06/09/2017 08:41 205392]
     R3 L1c;NDIS Miniport Driver for Atheros AR8131/AR8132 PCI-E Ethernet Controller;c:\windows\system32\drivers\l1c51x86.sys [04/09/2010 19:39 44032]
     R3 MSHUSBVideo;NX6000/NX3000/VX2000/VX5000/VX5500/VX7000/Cinema Filter Driver;c:\windows\system32\drivers\nx6000.sys [16/05/2013 18:43 30576]
     R3 PSI;PSI;c:\windows\system32\drivers\psi_mf_x86.sys [02/02/2016 13:45 16024]
     R3 tapwindscribe0901;Windscribe VPN;c:\windows\system32\drivers\tapwindscribe0901.sys [24/09/2017 20:54 34864]
     S1 BAPIDRV;BAPIDRV;c:\windows\system32\DRIVERS\BAPIDRV.sys --> c:\windows\system32\DRIVERS\BAPIDRV.sys [?]
     S2 Secunia Update Agent;Secunia Update Agent;c:\program files\Secunia\PSI\sua.exe [02/02/2016 13:45 837848]
     S2 SkypeUpdate;Skype Updater;c:\program files\Skype\Updater\Updater.exe [05/04/2017 15:09 317400]
     S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [04/09/2010 19:33 1684736]
     S3 aswHwid;aswHwid;c:\windows\system32\drivers\aswHwid.sys [06/09/2017 08:41 42848]
     S3 ew_hwusbdev;Huawei MobileBroadband USB PNP Device;c:\windows\system32\DRIVERS\ew_hwusbdev.sys --> c:\windows\system32\DRIVERS\ew_hwusbdev.sys [?]
     S3 ew_usbenumfilter;huawei_CompositeFilter;c:\windows\system32\DRIVERS\ew_usbenumfilter.sys --> c:\windows\system32\DRIVERS\ew_usbenumfilter.sys [?]
     S3 ewusbnet;HUAWEI USB-NDIS miniport;c:\windows\system32\DRIVERS\ewusbnet.sys --> c:\windows\system32\DRIVERS\ewusbnet.sys [?]
     S3 huawei_cdcacm;huawei_cdcacm;c:\windows\system32\DRIVERS\ew_jucdcacm.sys --> c:\windows\system32\DRIVERS\ew_jucdcacm.sys [?]
     S3 huawei_cdcecm;huawei_cdcecm;c:\windows\system32\DRIVERS\ew_jucdcecm.sys --> c:\windows\system32\DRIVERS\ew_jucdcecm.sys [?]
     S3 huawei_enumerator;huawei_enumerator;c:\windows\system32\DRIVERS\ew_jubusenum.sys --> c:\windows\system32\DRIVERS\ew_jubusenum.sys [?]
     S3 huawei_ext_ctrl;huawei_ext_ctrl;c:\windows\system32\DRIVERS\ew_juextctrl.sys --> c:\windows\system32\DRIVERS\ew_juextctrl.sys [?]
     S3 massfilter;Mass Storage Filter Driver;c:\windows\system32\drivers\massfilter.sys --> c:\windows\system32\drivers\massfilter.sys [?]
     S3 MBAMService;Malwarebytes Service;c:\program files\Malwarebytes\Anti-Malware\MBAMService.exe [14/12/2017 09:10 4563920]
     S3 V0420VID;Live! Cam Vista IM (VF0420);c:\windows\system32\drivers\V0420Vid.sys [05/09/2010 10:27 99648]
     S4 Freemake Improver;Freemake Improver;c:\documents and settings\All Users\Application Data\Freemake\FreemakeUtilsService\FreemakeUtilsService.exe [06/05/2015 16:57 108032]
     .
     [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]
     2016-04-12 06:22 1106072 ----a-w- c:\program files\Google\Chrome\Application\49.0.2623.112\Installer\chrmstp.exe
     .
     Contents of the 'Scheduled Tasks' folder
     .
     2017-12-20 c:\windows\Tasks\Adobe Flash Player Updater.job
     - c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2016-01-06 09:36]
     .
     2017-10-18 c:\windows\Tasks\AppleSoftwareUpdate.job
     - c:\program files\Apple Software Update\SoftwareUpdate.exe [2017-02-14 15:54]
     .
     2017-12-20 c:\windows\Tasks\Avast Emergency Update.job
     - c:\program files\AVAST Software\Avast\AvEmUpdate.exe [2017-11-10 06:54]
     .
     2017-12-19 c:\windows\Tasks\FacebookUpdateTaskUserS-1-5-21-1202660629-1035525444-682003330-1003Core.job
     - c:\documents and settings\sc\Local Settings\Application Data\Facebook\Update\FacebookUpdate.exe [2014-11-06 08:24]
     .
     2017-12-19 c:\windows\Tasks\FacebookUpdateTaskUserS-1-5-21-1202660629-1035525444-682003330-1003UA.job
     - c:\documents and settings\sc\Local Settings\Application Data\Facebook\Update\FacebookUpdate.exe [2014-11-06 08:24]
     .
     2017-12-20 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
     - c:\program files\Google\Update\GoogleUpdate.exe [2012-09-30 12:56]
     .
     2017-12-20 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
     - c:\program files\Google\Update\GoogleUpdate.exe [2012-09-30 12:56]
     .
     2017-11-08 c:\windows\Tasks\Microsoft Windows XP End of Service Notification Monthly.job
     - c:\windows\system32\xp_eos.exe [2014-03-14 01:59]
     .
     .
     ------- Supplementary Scan -------
     .
uStart Page = about:blank mStart Page = about:blank uInternet Settings,ProxyOverride = *.local IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office14\EXCEL.EXE/3000 IE: Se&nd to OneNote - c:\progra~1\MICROS~2\Office14\ONBttnIE.dll/105 TCP: DhcpNameServer = 192.168.1.1 0.0.0.0 TCP: Interfaces\{01FC6E01-A598-468A-9B58-779F5EF062DB}: NameServer = 205.171.2.65,195.175.39.40,195.175.39.39 TCP: Interfaces\{2D6F0057-ECC6-4EA2-AB33-ED564A8C94AD}: NameServer = 205.171.2.65,195.175.39.40,195.175.39.39 TCP: Interfaces\{7056DC40-C8E6-4F4A-A0DA-9763B7DF46EA}: NameServer = 205.171.2.65,195.175.39.40,195.175.39.39 TCP: Interfaces\{713E59D1-7A69-4EAE-BDAC-FA8E23A6689C}: NameServer = 205.171.2.65,195.175.39.40,195.175.39.39 TCP: Interfaces\{8745FD36-125F-43EA-B107-7586B438C8BB}: NameServer = 205.171.2.65,195.175.39.40,195.175.39.39 TCP: Interfaces\{91C57662-15D9-4F3B-B4E3-4A8C15835586}: NameServer = 205.171.2.65,195.175.39.40,195.175.39.39 TCP: Interfaces\{CE2F0623-0FD6-42DB-BF03-450473E889D2}: NameServer = 205.171.2.65,195.175.39.40,195.175.39.39 TCP: Interfaces\{D498E0B0-F3EA-4643-81C8-A12726D1D964}: NameServer = 205.171.2.65,195.175.39.40,195.175.39.39 TCP: Interfaces\{D664E313-6BE6-497A-8F18-B1BFEE898D18}: NameServer = 205.171.2.65,195.175.39.40,195.175.39.39 TCP: Interfaces\{E26FC572-A2D6-41A3-8259-DB69F4590EC1}: NameServer = 8.8.8.8,8.8.4.4,195.175.39.39 DPF: {2E8655A5-AF65-4BAC-8207-A17C6AF2987C} - hxxp://www.ttnet.com.tr/ZeroTouch/TTNETMD.cab FF - ProfilePath - c:\documents and settings\sc\Application Data\Mozilla\Firefox\Profiles\4p26ie4p.default-1504680299156\ . . ------- File Associations ------- . inifile="%SystemRoot%\system32\NOTEPAD.EXE" %1 txtfile="%SystemRoot%\system32\NOTEPAD.EXE" %1 . - - - - ORPHANS REMOVED - - - - . 
MSConfigStartUp-EaseUS TB Tray Agent - c:\program files\EaseUS\TrayPopup\TrayTipAgent.exe MSConfigStartUp-ProductUpdater - c:\program files\Common Files\Freemake Shared\ProductUpdater\ProductUpdater.exe MSConfigStartUp-QuickTime Task - c:\program files\QuickTime\QTTask.exe MSConfigStartUp-SunJavaUpdateSched - c:\program files\Common Files\Java\Java Update\jusched.exe MSConfigStartUp-TRKY-DnsAyar - c:\program files\TRKY-DnsAyar\TRKY-DnsAyar.exe . . . ************************************************************************** . catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2017-12-20 08:53 Windows 5.1.2600 Service Pack 3 NTFS . scanning hidden processes ... . scanning hidden autostart entries ... . scanning hidden files ... . scan completed successfully hidden files: 0 . ************************************************************************** . --------------------- LOCKED REGISTRY KEYS --------------------- . [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}] @Denied: (A 2) (Everyone) @="FlashBroker" "LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_28_0_0_126_ActiveX.exe,-101" . [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\Elevation] "Enabled"=dword:00000001 . [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\LocalServer32] @="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_28_0_0_126_ActiveX.exe" . [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\TypeLib] @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}" . [HKEY_LOCAL_MACHINE\software\Classes\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}] @Denied: (A 2) (Everyone) @="IFlashBroker6" . [HKEY_LOCAL_MACHINE\software\Classes\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}\ProxyStubClsid32] @="{00020424-0000-0000-C000-000000000046}" . 
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}\TypeLib] @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}" "Version"="1.0" . --------------------- DLLs Loaded Under Running Processes --------------------- . - - - - - - - > 'explorer.exe'(3976) c:\windows\system32\WININET.dll c:\program files\Google\Drive\googledrivesync32.dll c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll c:\windows\system32\api-ms-win-core-string-l1-1-0.dll c:\program files\Genie9\Zoolz2\Overlay.dll c:\program files\Genie9\Zoolz2\Communicator.dll c:\program files\Genie9\Zoolz2\GSLogging.dll c:\windows\system32\webcheck.dll c:\windows\system32\IEFRAME.dll c:\windows\system32\WPDShServiceObj.dll c:\windows\system32\PortableDeviceTypes.dll c:\windows\system32\PortableDeviceApi.dll . ------------------------ Other Running Processes ------------------------ . c:\program files\AVAST Software\Avast\AvastSvc.exe c:\program files\Google\Update\1.3.33.7\GoogleCrashHandler.exe c:\windows\RTHDCPL.EXE c:\program files\AVAST Software\Avast\AvastUI.exe c:\program files\HP\HP Officejet 5740 series\Bin\HPNetworkCommunicatorCom.exe c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe c:\program files\Bonjour\mDNSResponder.exe c:\program files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe c:\program files\Microsoft LifeCam\MSCamS32.exe c:\program files\Genie9\Zoolz2\Zoolz.exe . ************************************************************************** . Completion time: 2017-12-20 09:03:00 - machine was rebooted ComboFix-quarantined-files.txt 2017-12-20 08:02 ComboFix2.txt 2013-01-19 16:46 ComboFix3.txt 2013-01-19 16:40 . Pre-Run: 102,718,873,600 bytes free Post-Run: 105,616,908,288 bytes free . - - End Of File - - 9FFE3A84C865EF30C26A11DC63139AE5 8F558EB6672622401DA993E1E865C861
  5. Hi Ron, thanks for your reply. Please find attached the logs requested:
- mbam - you will find 2 files: pre- and post-malware detection
- adwcleaner
- frst (2 files)
A note on the FRST log. The file says that I have both Avast and BD up to date. However, I uninstalled BD more than 2 months ago (with both Windows Uninstall and BD's own uninstall tool). I double-checked this using REVO, and it does not show BD as an installed program. As mentioned, my main issue is the fact that I am unable to open Internet Options, and System Restore seems in some ways compromised as it does not restore to dates prior to last week. I am not sure if this is due to malware, as the AV scans appear to me inconclusive (but I do not consider myself an expert). I leave it to you to determine. Thanks for your help.
mbam_scan_pre.txt mbam_scan_post.txt FRST.txt Addition.txt AdwCleaner[S1].txt
  6. I am running a PC with Win XP SP3 (32-bit) with Avast Free 17.8 as primary real-time AV, complemented by MBAE v45 and MBAM Free 3.3.1 as an on-demand malware scanner.

Since yesterday my system has started behaving weirdly. It started when Secunia PSI asked me to check my internet connection, was not able to connect to the update server and was unable to scan files. After a couple of reboots, it came online again and now it's working fine.

Thinking it was an issue linked to the firewall permissions, I tried to open the Internet Options tab in Control Panel and here is the problem: Internet Options would not open, not even using the inetcpl.cpl command. A quick browse pointed to a malware infection. I ran MBAM, which found hijack.host, which I quarantined. A second scan showed zero infections. I also ran Avast, which found VBS: Malware generic, which I also quarantined. A second scan showed no issues. Reading through various forums, both viruses may be false positives.

I also tried a System Restore, but after a first attempt at restoring to 2 days ago, it will not restore further ("restore incomplete"). System Restore shows that this morning my PC installed Windows XP wdf01009. Another search pointed again to malware.

I tried to follow the MS-suggested protocol for malware infections, starting with MS Malicious Software Removal Tool, AdwCleaner and RogueKiller. However, when trying to launch the programs I get the message that the "..........exe file is not a valid Win32 application". Again, a quick search with this query points to malware. The situation has not improved.

Current status as follows:
- MBAM shows no issues
- Avast shows no issues
- Emsisoft Emergency Kit shows no issues
- FRST shows no issues
- Junkware Removal Tool shows no issues

Apart from the snags mentioned above, the system is not slower than usual or using more resources than usual. Any recommendations on how to move forward? Thanks
  7. Hi Arthi, thanks for the information. I have tried following your reco, but the registry key is already set at the value requested. Screenshot of the current situation attached. Please let me know. Thanks
  8. Apologies - here it goes Malwarebytes Anti-Exploit.zip
  9. Thanks for coming back to me Arthi. Logs from MBAE user data as well as from FRST attached. Look forward to knowing what's wrong with my PC. Malwarebytes Anti-Exploit.zip Addition.txt FRST.txt
  10. Thanks Arthi. I upgraded to v45 and the issue persists, i.e. MBAE.exe doesn't start either at boot or at the launch of a program it was supposed to protect. The only active service is mbae-svc.exe, yet the logs show that my programs are being protected anyway. I have worked around it by putting a shortcut to mbae.exe into the Startup folder, thus forcing a launch at boot. Thanks for your help.
  11. Hi Rsullinger, an update on this issue. This morning we are back to square one. On system startup, MBAE.exe didn't start; the only active service is mbae-svc.exe, yet the logs show that my programs are being protected anyway. Something I didn't notice until today is that if I manually launch mbae and then click on "hide icon" on the mbae icon in my system tray, then mbae.exe gets killed. I will stick to mbae in its current form (only mbae-svc.exe active) until I get further advice/input from you guys. Thanks for your help.
  12. Hi Rsullinger, I followed your recommendation and it appears everything is now back in order. The MBAE icon is showing on the system tray and both mbae.exe and mbae-svc.exe are now running. Thanks for your help. As a side note, please remember to instruct folks trying to install a lower version (e.g. v24) that the MBAE installer has the option "automatically upgrade to new versions" enabled by default. This means that if you download the installer for v24 and try to install the program, before you actually manage to reach the GUI and uncheck the "automatically upgrade to new versions" box, the program has already updated itself to v41. For the majority of people this is not an issue, but for people like me (an XP user), this is a problem. The only workaround is to download the installer, shut off your internet connection, install the program offline, uncheck the "automatically upgrade to new versions" option, and restart your internet connection. This way it won't upgrade to a new version unless you check the box again. Hope it helps.
  13. I have a doubt about MBAE 1.10.1.24 startup on my XP SP3 machine. I recently had to downgrade to v24 from v41 after v41 proved not to be supported on XP machines. Since this downgrade, I noticed that the MBAE icon does not show on the system tray although the program is set to launch on boot. Puzzled, I reviewed the active services via Process Explorer and noticed that the only active MBAE service is mbae-svc.exe, not the main mbae.exe. If I launch MBAE, then the icon appears in my system tray and mbae.exe starts. When reviewing the logs in the MBAE UI, I also saw that all programs appeared to have been protected, although mbae.exe was not actually started. It looks like mbae-svc works in the background, without the need to launch mbae.exe and without showing an icon in the system tray. In this case, mbae.exe acts as a pure UI, with no active protection role. If what I am saying is correct, I should not be worried, but I would like to have confirmation from others. Has anyone else noticed the same thing? Do you agree with my conclusions?
  14. Very similar issue running XP SP3. On top of the snags mentioned above, on my PC MBAE 1.10.1.41 never starts at boot. Most of the time, killing the hung task via Task Manager solves the issue, but sometimes it doesn't and a system restart becomes necessary. My PC has also become more unpredictable, particularly with longer lag times, especially on web browsing, but also on app opening (Acrobat, Office 2010). As additional background, I have Avast Free 17.7.2314 running as primary AV, supplemented by MBAM 3.2.2.2029 (downgraded to free) standalone. I initially thought it could be the dual presence of MBAM and MBAE that caused the trouble, but I read in the forum they could co-exist. Logs attached. Malwarebytes Anti-Exploit.zip