Jump to content

SYSWOW64\dllhost.exe Infection


Recommended Posts

Norton internet Security gave a notice of blocking SYSWOW64.dllhost.exe several times. 

 

I upgraded to Malwarebytes Premium and scanned, but it did not find anything.  However, Malwarebytes Premium did give me notifications today.

 

Domain: 09967a.com, IP: 31.184.192.92, Port: 54019, Outbound,  Process: C:\Windows\SYSWOW64\dllhost.exe

 

Then I got:  Domain:  blank, IP: 195.2.241.167, Port: 54023, Outbound, Process: C:\Windows\SYSWOW64\dllhost.exe

 

I read the article and downloaded and ran the Farbar Recovery Scan Tool.  I have attached the files.  Addition.txt    FRST.txt

 

I also attached the results of the Malwarebytes Scan I ran right before running the Fabar tool.  I wasn't sure of attaching the xml file type, so I copied the info to the clipboard and made pdf files.    Scanning History Log 12312014.pdf       Daily Protection Log 12312014.pdf

 

I get notifications from Norton and Malwarebytes at the same time.  I am still getting them.

 

Please let me know how to proceed.

Link to post
Share on other sites

Welcome to the forum.

General P2P/Piracy Warning:

 

1. If you're using Peer 2 Peer software such uTorrent, BitTorrent or similar you must either fully uninstall it or completely disable it from running while being assisted here.

2. If you have illegal/cracked software (MS Office, Adobe Products), cracks, keygens, custom (Adobe) host file, etc. on the system, please remove or uninstall them now and read the policy on Piracy.

Failure to remove such software will result in your topic being closed and no further assistance being provided.

Note:

Please read all of my instructions completely including these.

Make sure system restore is turned on and running. Create a new restore point

Make sure you're subscribed to this topic: Click on the Follow This Topic Button (at the top right of this page), make sure that the Receive notification box is checked and that it is set to Instantly

Removing malware can be unpredictable...unlikely but things can go very wrong! Backup any files that cannot be replaced. You can copy them to a CD/DVD, external drive or a pen drive

<+>Please don't run any other scans, download, install or uninstall any programs while I'm working with you.

<+>The removal of malware isn't instantaneous, please be patient.

<+>When we are done, I'll give to instructions on how to cleanup all the tools and logs

<+>Please stick with me until I give you the "all clear".

------->Your topic will be closed if you haven't replied within 3 days!<--------

If I don't respond within 24 hours, please send me a PM

============================================

You're infected with the Poweliks Trojan and maybe more.

If your security settings won't allow you to download....the first part of this site explains how to fix that:

http://kb.eset.com/esetkb/index?page=content&id=SOLN3587

Download, update and run Malwarebytes Anti-Rookit:

Direct download:

http://downloads.malwarebytes.org/file/mbar/

Run it as Administrator! (right click..run as administrator)

Follow the directions

Note: If you have Malwarebytes Pro it must disabled to run MBAR

Right click on the Malwarebytes icon in the system tray and un-check

"Start with Windows" Re-boot and run MBAR

Don't forget to re-enable it when done.

Post the logs from MBAR

=====================

Then............

Download and run this tool on every user:

http://kb.eset.com/esetkb/index?page=content&id=SOLN3587 <---Poweliks

Last.......

Please re-scan with FRST and Make sure the Addition Box is checked.

Post or attach the 2 logs FRST(64).txt and Addition.txt

MrC

Link to post
Share on other sites

I'm not sure why Norton Internet Security didn't block this instead of waiting and giving me messages that I had it.

 

Backed up my files.

 

System Restore was turned on for Drive C.  I did not turn it on for Drive D.  Created a restore point for Drive C.

 

I had previously had to reset my Internet Explorer Security settings and had to again to do these downloads.

 

Ran the ESET Poweliks Cleaner.

 

Disabled Malwarebytes Professional (turned of to start and rebooted).

 

Downloaded, updated, and ran mbar anti root kit.

 

Question:  I had turned on the rootkit option in Malwarebytes Professional and run it prior to this post.  How is this different from mbar?

 

mbar logs:   system-log.txt     mbar-log-2015-01-01 (12-49-52).txt

 

Downloaded and ran the ESET Poweliks Cleaner on every user.  Even brought up XP MODE and ran it.

 

Reran FRST.  Here are the logs:  FRST.txt      Addition.txt

 

Re-enabled Malwarebytes to start with Windows.

 

I haven't gotten any messages from Norton or Malwarebytes lately and the Internet is working fine.  Before I could not use the back button and had other problems.  Computer was really slow.  It's running faster now, also.

 

Let me know, if you think we are done.

 

Thanks.

 

Link to post
Share on other sites

The infection is gone, if there's no other problems...........

Lets check your computers security before you go and we have a little cleanup to do also:

Download Security Check by screen317 from HERE or HERE.

  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • If you get Unsupported operating system. Aborting now, just reboot and try again.
  • A Notepad document should open automatically called checkup.txt.
  • Please Post the contents of that document.
  • If you can't post it, attach it
MrC
Link to post
Share on other sites

Before I read your email, I got a notification from Malwarebytes that it blocked something else.  I went away before I could write it down, but believe it said Outbound.  That would mean it is on my pc.

 

I do not see anything in the logs or Quarantine and just ran Malwarebytes scan again and it did not find anything.

 

Where would I find the notification message?

 

I'd like to see it before I proceed with your latest instructions.

 

By the way the email I got doesn't match the email posted below.  It talks about doing a little cleanup and this one is checking other pcs.  I would like to do both.

Link to post
Share on other sites

It would be the protection log:
 

Logs can be located by clicking on the History button. You can double click a log and choose to export in either text or xml file formats. In most cases you can simply click on the Copy to Clipboard button when the log is opened and then paste it back to a reply here on the forum if looking for help or someone requested you to post the log. Please do not post xml log files on the forum unless requested by a helper or Staff member. The logs are also stored in the following location by default for Vista/Win7/8 unless you move the path. C:\ProgramData\Malwarebytes\Malwarebytes Anti-Malware\Logs The path for Windows XP is: C:\Documents and Settings\All Users\Application Data\Malwarebytes\Malwarebytes Anti-Malware\Logs

 


=============================

By the way the email I got doesn't match the email posted below. It talks about doing a little cleanup and this one is checking other pcs. I would like to do both.

I had to edit the post, because I copied and pasted the incorrect information.

MrC

Link to post
Share on other sites

I looked at the logs.  I didn't see anything.  Here is the Protection Log:

 

 

Malwarebytes Anti-Malware
www.malwarebytes.org

Update, 1/1/2015 12:20:53 AM, SYSTEM, DCOMPUTER, Scheduler, Malware Database, 2014.12.31.7, 2015.1.1.1,
Protection, 1/1/2015 12:20:53 AM, SYSTEM, DCOMPUTER, Protection, Refresh, Starting,
Protection, 1/1/2015 12:20:53 AM, SYSTEM, DCOMPUTER, Protection, Malicious Website Protection, Stopping,
Protection, 1/1/2015 12:20:53 AM, SYSTEM, DCOMPUTER, Protection, Malicious Website Protection, Stopped,
Protection, 1/1/2015 12:20:59 AM, SYSTEM, DCOMPUTER, Protection, Refresh, Success,
Protection, 1/1/2015 12:20:59 AM, SYSTEM, DCOMPUTER, Protection, Malicious Website Protection, Starting,
Protection, 1/1/2015 12:20:59 AM, SYSTEM, DCOMPUTER, Protection, Malicious Website Protection, Started,
Detection, 1/1/2015 12:29:58 AM, SYSTEM, DCOMPUTER, Protection, Malicious Website Protection, IP, 31.184.192.92, e9967a.com, 57115, Outbound, C:\Windows\SysWOW64\dllhost.exe,
Detection, 1/1/2015 12:29:58 AM, SYSTEM, DCOMPUTER, Protection, Malicious Website Protection, IP, 31.184.192.92, e9967a.com, 57115, Outbound, C:\Windows\SysWOW64\dllhost.exe,
Detection, 1/1/2015 12:30:01 AM, SYSTEM, DCOMPUTER, Protection, Malicious Website Protection, IP, 195.2.241.167, 57117, Outbound, C:\Windows\SysWOW64\dllhost.exe,
Detection, 1/1/2015 12:30:01 AM, SYSTEM, DCOMPUTER, Protection, Malicious Website Protection, IP, 195.2.241.167, 57117, Outbound, C:\Windows\SysWOW64\dllhost.exe,
Detection, 1/1/2015 1:30:02 AM, SYSTEM, DCOMPUTER, Protection, Malicious Website Protection, IP, 31.184.192.92, e9967a.com, 57222, Outbound, C:\Windows\SysWOW64\dllhost.exe,
Detection, 1/1/2015 1:30:03 AM, SYSTEM, DCOMPUTER, Protection, Malicious Website Protection, IP, 195.2.241.167, 57224, Outbound, C:\Windows\SysWOW64\dllhost.exe,
Update, 1/1/2015 1:59:44 AM, SYSTEM, DCOMPUTER, Scheduler, Malware Database, 2015.1.1.1, 2015.1.1.2,
Protection, 1/1/2015 1:59:44 AM, SYSTEM, DCOMPUTER, Protection, Refresh, Starting,
Protection, 1/1/2015 1:59:44 AM, SYSTEM, DCOMPUTER, Protection, Malicious Website Protection, Stopping,
Protection, 1/1/2015 1:59:44 AM, SYSTEM, DCOMPUTER, Protection, Malicious Website Protection, Stopped,
Protection, 1/1/2015 2:00:19 AM, SYSTEM, DCOMPUTER, Protection, Refresh, Success,
Protection, 1/1/2015 2:00:19 AM, SYSTEM, DCOMPUTER, Protection, Malicious Website Protection, Starting,
Protection, 1/1/2015 2:00:21 AM, SYSTEM, DCOMPUTER, Protection, Malicious Website Protection, Started,
Detection, 1/1/2015 2:30:03 AM, SYSTEM, DCOMPUTER, Protection, Malicious Website Protection, IP, 31.184.192.92, e9967a.com, 57337, Outbound, C:\Windows\SysWOW64\dllhost.exe,
Detection, 1/1/2015 2:30:03 AM, SYSTEM, DCOMPUTER, Protection, Malicious Website Protection, IP, 31.184.192.92, e9967a.com, 57337, Outbound, C:\Windows\SysWOW64\dllhost.exe,
Detection, 1/1/2015 2:30:06 AM, SYSTEM, DCOMPUTER, Protection, Malicious Website Protection, IP, 195.2.241.167, 57340, Outbound, C:\Windows\SysWOW64\dllhost.exe,
Detection, 1/1/2015 2:30:06 AM, SYSTEM, DCOMPUTER, Protection, Malicious Website Protection, IP, 195.2.241.167, 57340, Outbound, C:\Windows\SysWOW64\dllhost.exe,
Detection, 1/1/2015 3:30:07 AM, SYSTEM, DCOMPUTER, Protection, Malicious Website Protection, IP, 31.184.192.92, e9967a.com, 57436, Outbound, C:\Windows\SysWOW64\dllhost.exe,
Detection, 1/1/2015 3:30:08 AM, SYSTEM, DCOMPUTER, Protection, Malicious Website Protection, IP, 195.2.241.167, 57439, Outbound, C:\Windows\SysWOW64\dllhost.exe,
Detection, 1/1/2015 4:30:08 AM, SYSTEM, DCOMPUTER, Protection, Malicious Website Protection, IP, 31.184.192.92, e9967a.com, 57532, Outbound, C:\Windows\SysWOW64\dllhost.exe,
Detection, 1/1/2015 4:30:09 AM, SYSTEM, DCOMPUTER, Protection, Malicious Website Protection, IP, 195.2.241.167, 57535, Outbound, C:\Windows\SysWOW64\dllhost.exe,
Detection, 1/1/2015 5:30:09 AM, SYSTEM, DCOMPUTER, Protection, Malicious Website Protection, IP, 31.184.192.92, e9967a.com, 57630, Outbound, C:\Windows\SysWOW64\dllhost.exe,
Detection, 1/1/2015 5:30:10 AM, SYSTEM, DCOMPUTER, Protection, Malicious Website Protection, IP, 195.2.241.167, 57633, Outbound, C:\Windows\SysWOW64\dllhost.exe,
Detection, 1/1/2015 6:30:11 AM, SYSTEM, DCOMPUTER, Protection, Malicious Website Protection, IP, 31.184.192.92, e9967a.com, 57739, Outbound, C:\Windows\SysWOW64\dllhost.exe,
Detection, 1/1/2015 6:30:11 AM, SYSTEM, DCOMPUTER, Protection, Malicious Website Protection, IP, 195.2.241.167, 57742, Outbound, C:\Windows\SysWOW64\dllhost.exe,
Scan, 1/1/2015 7:06:52 AM, SYSTEM, DCOMPUTER, Manual, Start:1/1/2015 6:52:03 AM, Duration:14 min 48 sec, Threat Scan, Completed, 0 Malware Detections, 0 Non-Malware Detections,
Scan, 1/1/2015 7:18:21 AM, SYSTEM, DCOMPUTER, Manual, Start:1/1/2015 7:07:30 AM, Duration:10 min 50 sec, Threat Scan, Completed, 0 Malware Detections, 0 Non-Malware Detections,
Detection, 1/1/2015 7:30:12 AM, SYSTEM, DCOMPUTER, Protection, Malicious Website Protection, IP, 31.184.192.92, e9967a.com, 57881, Outbound, C:\Windows\SysWOW64\dllhost.exe,
Detection, 1/1/2015 7:30:12 AM, SYSTEM, DCOMPUTER, Protection, Malicious Website Protection, IP, 31.184.192.92, e9967a.com, 57881, Outbound, C:\Windows\SysWOW64\dllhost.exe,
Detection, 1/1/2015 7:30:15 AM, SYSTEM, DCOMPUTER, Protection, Malicious Website Protection, IP, 195.2.241.167, 57884, Outbound, C:\Windows\SysWOW64\dllhost.exe,
Detection, 1/1/2015 7:30:15 AM, SYSTEM, DCOMPUTER, Protection, Malicious Website Protection, IP, 195.2.241.167, 57884, Outbound, C:\Windows\SysWOW64\dllhost.exe,
Detection, 1/1/2015 8:30:16 AM, SYSTEM, DCOMPUTER, Protection, Malicious Website Protection, IP, 31.184.192.92, e9967a.com, 57986, Outbound, C:\Windows\SysWOW64\dllhost.exe,
Detection, 1/1/2015 8:30:16 AM, SYSTEM, DCOMPUTER, Protection, Malicious Website Protection, IP, 195.2.241.167, 57989, Outbound, C:\Windows\SysWOW64\dllhost.exe,
Detection, 1/1/2015 9:30:17 AM, SYSTEM, DCOMPUTER, Protection, Malicious Website Protection, IP, 31.184.192.92, e9967a.com, 58443, Outbound, C:\Windows\SysWOW64\dllhost.exe,
Detection, 1/1/2015 9:30:17 AM, SYSTEM, DCOMPUTER, Protection, Malicious Website Protection, IP, 195.2.241.167, 58446, Outbound, C:\Windows\SysWOW64\dllhost.exe,
Detection, 1/1/2015 10:30:18 AM, SYSTEM, DCOMPUTER, Protection, Malicious Website Protection, IP, 31.184.192.92, e9967a.com, 59123, Outbound, C:\Windows\SysWOW64\dllhost.exe,
Detection, 1/1/2015 10:30:18 AM, SYSTEM, DCOMPUTER, Protection, Malicious Website Protection, IP, 195.2.241.167, 59126, Outbound, C:\Windows\SysWOW64\dllhost.exe,
Detection, 1/1/2015 11:30:19 AM, SYSTEM, DCOMPUTER, Protection, Malicious Website Protection, IP, 31.184.192.92, e9967a.com, 59585, Outbound, C:\Windows\SysWOW64\dllhost.exe,
Detection, 1/1/2015 11:30:20 AM, SYSTEM, DCOMPUTER, Protection, Malicious Website Protection, IP, 195.2.241.167, 59587, Outbound, C:\Windows\SysWOW64\dllhost.exe,
Update, 1/1/2015 12:20:29 PM, SYSTEM, DCOMPUTER, Scheduler, Malware Database, 2015.1.1.2, 2015.1.1.4,
Protection, 1/1/2015 12:20:29 PM, SYSTEM, DCOMPUTER, Protection, Refresh, Starting,
Protection, 1/1/2015 12:20:29 PM, SYSTEM, DCOMPUTER, Protection, Malicious Website Protection, Stopping,
Protection, 1/1/2015 12:20:29 PM, SYSTEM, DCOMPUTER, Protection, Malicious Website Protection, Stopped,
Protection, 1/1/2015 12:21:27 PM, SYSTEM, DCOMPUTER, Protection, Refresh, Success,
Protection, 1/1/2015 12:21:31 PM, SYSTEM, DCOMPUTER, Protection, Malicious Website Protection, Starting,
Protection, 1/1/2015 12:21:32 PM, SYSTEM, DCOMPUTER, Protection, Malicious Website Protection, Started,
Protection, 1/1/2015 12:34:06 PM, SYSTEM, DCOMPUTER, Protection, Malware Protection, Starting,
Protection, 1/1/2015 12:34:06 PM, SYSTEM, DCOMPUTER, Protection, Malware Protection, Started,
Protection, 1/1/2015 12:34:06 PM, SYSTEM, DCOMPUTER, Protection, Malicious Website Protection, Starting,
Protection, 1/1/2015 12:36:50 PM, SYSTEM, DCOMPUTER, Protection, Malicious Website Protection, Started,
Protection, 1/1/2015 1:43:49 PM, SYSTEM, DCOMPUTER, Protection, Malware Protection, Starting,
Protection, 1/1/2015 1:43:50 PM, SYSTEM, DCOMPUTER, Protection, Malware Protection, Started,
Protection, 1/1/2015 1:43:50 PM, SYSTEM, DCOMPUTER, Protection, Malicious Website Protection, Starting,
Protection, 1/1/2015 1:43:50 PM, SYSTEM, DCOMPUTER, Protection, Malicious Website Protection, Started,
Detection, 1/1/2015 2:54:19 PM, SYSTEM, DCOMPUTER, Protection, Malicious Website Protection, IP, 5.150.195.167, ba2b687.se, 57642, Outbound, C:\Program Files (x86)\Internet Explorer\iexplore.exe,
Detection, 1/1/2015 2:54:19 PM, SYSTEM, DCOMPUTER, Protection, Malicious Website Protection, IP, 5.150.195.167, ba2b687.se, 57642, Outbound, C:\Program Files (x86)\Internet Explorer\iexplore.exe,
Detection, 1/1/2015 2:54:19 PM, SYSTEM, DCOMPUTER, Protection, Malicious Website Protection, IP, 5.150.195.167, ba2b687.se, 57643, Outbound, C:\Program Files (x86)\Internet Explorer\iexplore.exe,
Update, 1/1/2015 3:17:47 PM, SYSTEM, DCOMPUTER, Manual, Malware Database, 2015.1.1.4, 2015.1.1.5,
Protection, 1/1/2015 3:17:47 PM, SYSTEM, DCOMPUTER, Protection, Refresh, Starting,
Protection, 1/1/2015 3:17:47 PM, SYSTEM, DCOMPUTER, Protection, Malicious Website Protection, Stopping,
Protection, 1/1/2015 3:17:47 PM, SYSTEM, DCOMPUTER, Protection, Malicious Website Protection, Stopped,
Protection, 1/1/2015 3:17:55 PM, SYSTEM, DCOMPUTER, Protection, Refresh, Success,
Protection, 1/1/2015 3:17:55 PM, SYSTEM, DCOMPUTER, Protection, Malicious Website Protection, Starting,
Protection, 1/1/2015 3:17:55 PM, SYSTEM, DCOMPUTER, Protection, Malicious Website Protection, Started,
Scan, 1/1/2015 3:34:19 PM, SYSTEM, DCOMPUTER, Manual, Start:1/1/2015 3:17:48 PM, Duration:16 min 30 sec, Threat Scan, Completed, 0 Malware Detections, 0 Non-Malware Detections,
Update, 1/1/2015 3:58:08 PM, SYSTEM, DCOMPUTER, Scheduler, Malware Database, 2015.1.1.5, 2015.1.1.6,
Protection, 1/1/2015 3:58:08 PM, SYSTEM, DCOMPUTER, Protection, Refresh, Starting,
Protection, 1/1/2015 3:58:08 PM, SYSTEM, DCOMPUTER, Protection, Malicious Website Protection, Stopping,
Protection, 1/1/2015 3:58:08 PM, SYSTEM, DCOMPUTER, Protection, Malicious Website Protection, Stopped,
Protection, 1/1/2015 3:58:18 PM, SYSTEM, DCOMPUTER, Protection, Refresh, Success,
Protection, 1/1/2015 3:58:18 PM, SYSTEM, DCOMPUTER, Protection, Malicious Website Protection, Starting,
Protection, 1/1/2015 3:58:19 PM, SYSTEM, DCOMPUTER, Protection, Malicious Website Protection, Started,

(end)

 

I also ran the Security Check:

 

Results of screen317's Security Check version 0.99.93 
 Windows 7 Service Pack 1 x64 (UAC is enabled) 
 Internet Explorer 11 
``````````````Antivirus/Firewall Check:``````````````
 Windows Firewall Enabled! 
Norton Internet Security  
 WMI entry may not exist for antivirus; attempting automatic update.
`````````Anti-malware/Other Utilities Check:`````````
 Norton Ghost   
 Auslogics Registry Cleaner  
 JavaFX 2.1.1   
 Java 7 Update 65 
 Java 8 Update 25 
 Java version 32-bit out of Date!
 Adobe Reader XI 
````````Process Check: objlist.exe by Laurent```````` 
 Malwarebytes Anti-Malware mbamservice.exe 
 Malwarebytes Anti-Malware mbam.exe 
 Malwarebytes Anti-Malware mbamscheduler.exe  
 DGK Documents Computers documentation Malaware Bytes Antimalware\SecurityCheck.exe
`````````````````System Health check`````````````````
 Total Fragmentation on Drive C: 0%
````````````````````End of Log``````````````````````

 

 

Do I need to do the cleanup per the email I got or is this enough?

I'm getting away from the computer for a while.   Football games started.

Link to post
Share on other sites

 Here are the logs.  The post was too long with them inserted, so I have attached them.

 

FRST.txt       Addition.txt

 

 

Here is the new Protection Log:   Wish it could be run manually when needed, instead of waiting a day.

 

Malwarebytes Anti-Malware
www.malwarebytes.org

Update, 1/2/2015 12:14:01 AM, SYSTEM, DCOMPUTER, Scheduler, Malware Database, 2015.1.2.2, 2015.1.2.3,
Protection, 1/2/2015 12:14:02 AM, SYSTEM, DCOMPUTER, Protection, Refresh, Starting,
Protection, 1/2/2015 12:14:02 AM, SYSTEM, DCOMPUTER, Protection, Malicious Website Protection, Stopping,
Protection, 1/2/2015 12:14:02 AM, SYSTEM, DCOMPUTER, Protection, Malicious Website Protection, Stopped,
Protection, 1/2/2015 12:14:08 AM, SYSTEM, DCOMPUTER, Protection, Refresh, Success,
Protection, 1/2/2015 12:14:08 AM, SYSTEM, DCOMPUTER, Protection, Malicious Website Protection, Starting,
Protection, 1/2/2015 12:14:09 AM, SYSTEM, DCOMPUTER, Protection, Malicious Website Protection, Started,
Update, 1/2/2015 6:14:25 AM, SYSTEM, DCOMPUTER, Scheduler, Malware Database, 2015.1.2.3, 2015.1.2.4,
Protection, 1/2/2015 6:14:25 AM, SYSTEM, DCOMPUTER, Protection, Refresh, Starting,
Protection, 1/2/2015 6:14:25 AM, SYSTEM, DCOMPUTER, Protection, Malicious Website Protection, Stopping,
Protection, 1/2/2015 6:14:26 AM, SYSTEM, DCOMPUTER, Protection, Malicious Website Protection, Stopped,
Protection, 1/2/2015 6:14:58 AM, SYSTEM, DCOMPUTER, Protection, Refresh, Success,
Protection, 1/2/2015 6:14:58 AM, SYSTEM, DCOMPUTER, Protection, Malicious Website Protection, Starting,
Protection, 1/2/2015 6:15:00 AM, SYSTEM, DCOMPUTER, Protection, Malicious Website Protection, Started,
Scan, 1/2/2015 7:05:23 AM, SYSTEM, DCOMPUTER, Manual, Start:1/2/2015 6:48:05 AM, Duration:17 min 17 sec, Threat Scan, Completed, 0 Malware Detections, 0 Non-Malware Detections,
Scan, 1/2/2015 7:23:33 AM, SYSTEM, DCOMPUTER, Manual, Start:1/2/2015 7:10:22 AM, Duration:13 min 10 sec, Threat Scan, Completed, 0 Malware Detections, 0 Non-Malware Detections,

(end)

 

 

What next?

 

 

Link to post
Share on other sites

Wish it could be run manually when needed, instead of waiting a day.

I'm not sure what this means??

===================================

The logs look OK but lets run some scans again:

Clean out temp files:

Download TFC from here and save it to your desktop.
http://oldtimer.geekstogo.com/TFC.exe
http://www.bleepingcomputer.com/download/tfc/dl/92/
Close any open programs and Internet browsers.
Double click TFC.exe to run it on XP (for Vista and Windows 7 right click and choose "Run as administrator") and once it opens click on the Start button on the lower left of the program to allow it to begin cleaning.
Please be patient as clearing out temp files may take a while.
Once it completes you may be prompted to restart your computer, please do so.
Once it's finished you may delete TFC.exe from your desktop or save it for later use for the cleaning of temporary files.

=====================

Download, update and run Malwarebytes Anti-Rookit:
Direct download:
http://downloads.malwarebytes.org/file/mbar/

Run it as Administrator! (right click..run as administrator)
Follow the directions
Note: If you have Malwarebytes Pro it must disabled to run MBAR
Right click on the Malwarebytes icon in the system tray and un-check
"Start with Windows" Re-boot and run MBAR
Don't forget to re-enable it when done.
Post the logs from MBAR

=====================

Then............
Download and run this tool on every user:
http://kb.eset.com/esetkb/index?page=content&id=SOLN3587 <---Poweliks

=========================

Then.......
Download and run this cleaner: Trojan.Poweliks Removal Tool 64bit
http://www.symantec.com/security_response/writeup.jsp?docid=2014-111020-0511-99

Last.........

Please download and run ComboFix.

The most important things to remember when running it is to disable all your malware programs and run Combofix from your desktop.

Please visit this webpage for download links, and instructions for running ComboFix

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

http://www.bleepingcomputer.com/download/combofix/dl/12/<---ComboFix direct download

Please make sure you click download buttons that look similar to this, not "sponsored ad links":

bleep-crop.jpg

Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Information on disabling your malware programs can be found Here.

Make sure you run ComboFix from your desktop.

Give it at least 30-45 minutes to finish if needed.

Please include the C:\ComboFix.txt in your next reply for further review.
 

---------->NOTE<----------

If you get the message Illegal operation attempted on registry key that has been marked for deletion after you run ComboFix....please reboot the computer, this should resolve the problem. You may have to do this several times if needed.

MrC

Link to post
Share on other sites

Wish it could be run manually when needed, instead of waiting a day.

 

I'm not sure what this means??   I was referring to the Protection log that only runs once a day.

 

Everything has been done.   Here is the ComboFix log:

 

ComboFix 15-01-02.01 - DGK 01/02/2015  19:46:56.1.4 - x64
Microsoft Windows 7 Professional   6.1.7601.1.1252.1.1033.18.12031.10057 [GMT -6:00]
Running from: c:\users\DGK\Desktop\ComboFix.exe
AV: Norton Internet Security *Disabled/Updated* {D87FA2C0-F526-77B1-D6EC-0EDF3936CEDB}
FW: Norton Internet Security *Disabled* {E04423E5-BF49-76E9-FDB3-A7EAC7E589A0}
SP: Norton Internet Security *Disabled/Updated* {631E4324-D31C-783F-EC5C-35AD42B18466}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\users\Carole\ESETPoweliksCleaner.exe
c:\users\CaroleNew\ESETPoweliksCleaner.exe
c:\users\Default\ESETPoweliksCleaner.exe
c:\users\DGK\AppData\Local\assembly\tmp
c:\users\Dlaptop\ESETPoweliksCleaner.exe
c:\users\Public\ESETPoweliksCleaner.exe
c:\users\XPMUSER\ESETPoweliksCleaner.exe
.
.
(((((((((((((((((((((((((   Files Created from 2014-12-03 to 2015-01-03  )))))))))))))))))))))))))))))))
.
.
2015-01-03 01:55 . 2015-01-03 01:55 -------- d-----w- c:\users\Dlaptop\AppData\Local\temp
2015-01-01 18:49 . 2015-01-03 00:45 -------- d-----w- c:\programdata\Malwarebytes' Anti-Malware (portable)
2015-01-01 16:07 . 2015-01-01 16:08 -------- d-----w- C:\Sparks
2014-12-31 20:45 . 2015-01-02 16:15 -------- d-----w- C:\FRST
2014-12-31 02:15 . 2013-10-16 09:01 56336 ------w- c:\windows\system32\drivers\PxHlpa64.sys
2014-12-31 02:15 . 2012-04-24 09:01 11376 ------w- c:\windows\system32\drivers\cdralw2k.sys
2014-12-31 02:15 . 2012-04-24 09:01 10864 ------w- c:\windows\system32\drivers\cdr4_xp.sys
2014-12-31 02:15 . 2014-12-31 02:15 -------- d-----w- c:\program files (x86)\Common Files\Sonic Shared
2014-12-21 19:51 . 2014-12-13 05:09 144384 ----a-w- c:\windows\system32\ieUnatt.exe
2014-12-21 19:51 . 2014-12-13 03:33 115712 ----a-w- c:\windows\SysWow64\ieUnatt.exe
2014-12-11 15:31 . 2014-10-18 01:33 3209728 ----a-w- c:\windows\SysWow64\mf.dll
2014-12-11 15:31 . 2014-07-07 02:06 206848 ----a-w- c:\windows\system32\mfps.dll
2014-12-11 15:31 . 2014-07-07 02:06 55808 ----a-w- c:\windows\system32\rrinstaller.exe
2014-12-11 15:31 . 2014-07-07 02:06 24576 ----a-w- c:\windows\system32\mfpmp.exe
2014-12-11 15:31 . 2014-07-07 02:02 2048 ----a-w- c:\windows\system32\mferror.dll
2014-12-11 15:31 . 2014-07-07 01:40 103424 ----a-w- c:\windows\SysWow64\mfps.dll
2014-12-11 15:31 . 2014-07-07 01:39 50176 ----a-w- c:\windows\SysWow64\rrinstaller.exe
2014-12-11 15:31 . 2014-07-07 01:39 23040 ----a-w- c:\windows\SysWow64\mfpmp.exe
2014-12-11 15:31 . 2014-07-07 01:37 2048 ----a-w- c:\windows\SysWow64\mferror.dll
2014-12-11 15:31 . 2014-10-18 02:05 4121600 ----a-w- c:\windows\system32\mf.dll
2014-12-11 15:15 . 2014-11-11 03:09 1424384 ----a-w- c:\windows\system32\WindowsCodecs.dll
2014-12-11 15:14 . 2014-11-11 01:46 119296 ----a-w- c:\windows\system32\drivers\tdx.sys
2014-12-05 17:45 . 2014-11-11 03:08 241152 ----a-w- c:\windows\system32\pku2u.dll
2014-12-05 17:45 . 2014-11-11 03:08 728064 ----a-w- c:\windows\system32\kerberos.dll
2014-12-05 17:45 . 2014-11-11 02:44 186880 ----a-w- c:\windows\SysWow64\pku2u.dll
2014-12-05 17:45 . 2014-11-11 02:44 550912 ----a-w- c:\windows\SysWow64\kerberos.dll
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2015-01-03 01:00 . 2014-07-07 17:04 129752 ----a-w- c:\windows\system32\drivers\MBAMSwissArmy.sys
2015-01-03 00:29 . 2014-07-07 17:04 96472 ----a-w- c:\windows\system32\drivers\mbamchameleon.sys
2014-12-23 17:42 . 2012-04-03 11:32 701616 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe
2014-12-23 17:42 . 2011-06-03 01:55 71344 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2014-12-11 15:46 . 2011-02-25 18:50 112710672 ----a-w- c:\windows\system32\MRT.exe
2014-11-30 13:28 . 2012-05-23 15:39 114 ----a-w- c:\windows\Printdir.bat
2014-11-24 23:14 . 2014-11-24 23:14 194048 ----a-w- c:\windows\SysWow64\elshyph.dll
2014-11-24 23:14 . 2014-11-24 23:14 942592 ----a-w- c:\windows\system32\jsIntl.dll
2014-11-24 23:14 . 2014-11-24 23:14 90112 ----a-w- c:\windows\system32\SetIEInstalledDate.exe
2014-11-24 23:14 . 2014-11-24 23:14 86016 ----a-w- c:\windows\SysWow64\iesysprep.dll
2014-11-24 23:14 . 2014-11-24 23:14 86016 ----a-w- c:\windows\system32\RegisterIEPKEYs.exe
2014-11-24 23:14 . 2014-11-24 23:14 77312 ----a-w- c:\windows\system32\tdc.ocx
2014-11-24 23:14 . 2014-11-24 23:14 74240 ----a-w- c:\windows\SysWow64\SetIEInstalledDate.exe
2014-11-24 23:14 . 2014-11-24 23:14 71680 ----a-w- c:\windows\SysWow64\RegisterIEPKEYs.exe
2014-11-24 23:14 . 2014-11-24 23:14 645120 ----a-w- c:\windows\SysWow64\jsIntl.dll
2014-11-24 23:14 . 2014-11-24 23:14 62464 ----a-w- c:\windows\SysWow64\tdc.ocx
2014-11-24 23:14 . 2014-11-24 23:14 52224 ----a-w- c:\windows\system32\msfeedsbs.dll
2014-11-24 23:14 . 2014-11-24 23:14 48640 ----a-w- c:\windows\SysWow64\mshtmler.dll
2014-11-24 23:14 . 2014-11-24 23:14 48640 ----a-w- c:\windows\system32\mshtmler.dll
2014-11-24 23:14 . 2014-11-24 23:14 36352 ----a-w- c:\windows\SysWow64\imgutil.dll
2014-11-24 23:14 . 2014-11-24 23:14 337408 ----a-w- c:\windows\SysWow64\html.iec
2014-11-24 23:14 . 2014-11-24 23:14 247808 ----a-w- c:\windows\system32\msls31.dll
2014-11-24 23:14 . 2014-11-24 23:14 24576 ----a-w- c:\windows\SysWow64\licmgr10.dll
2014-11-24 23:14 . 2014-11-24 23:14 235008 ----a-w- c:\windows\system32\elshyph.dll
2014-11-24 23:14 . 2014-11-24 23:14 182272 ----a-w- c:\windows\SysWow64\msls31.dll
2014-11-24 23:14 . 2014-11-24 23:14 151552 ----a-w- c:\windows\SysWow64\iexpress.exe
2014-11-24 23:14 . 2014-11-24 23:14 139264 ----a-w- c:\windows\SysWow64\wextract.exe
2014-11-24 23:14 . 2014-11-24 23:14 13312 ----a-w- c:\windows\SysWow64\mshta.exe
2014-11-24 23:14 . 2014-11-24 23:14 13312 ----a-w- c:\windows\system32\msfeedssync.exe
2014-11-24 23:14 . 2014-11-24 23:14 131072 ----a-w- c:\windows\system32\IEAdvpack.dll
2014-11-24 23:14 . 2014-11-24 23:14 111616 ----a-w- c:\windows\SysWow64\IEAdvpack.dll
2014-11-24 23:14 . 2014-11-24 23:14 105984 ----a-w- c:\windows\system32\iesysprep.dll
2014-11-24 23:14 . 2014-11-24 23:14 81408 ----a-w- c:\windows\system32\icardie.dll
2014-11-24 23:14 . 2014-11-24 23:14 774144 ----a-w- c:\windows\system32\jscript.dll
2014-11-24 23:14 . 2014-11-24 23:14 62464 ----a-w- c:\windows\system32\pngfilt.dll
2014-11-24 23:14 . 2014-11-24 23:14 616104 ----a-w- c:\windows\system32\ieapfltr.dat
2014-11-24 23:14 . 2014-11-24 23:14 48128 ----a-w- c:\windows\system32\imgutil.dll
2014-11-24 23:14 . 2014-11-24 23:14 413696 ----a-w- c:\windows\system32\html.iec
2014-11-24 23:14 . 2014-11-24 23:14 30208 ----a-w- c:\windows\system32\licmgr10.dll
2014-11-24 23:14 . 2014-11-24 23:14 243200 ----a-w- c:\windows\system32\webcheck.dll
2014-11-24 23:14 . 2014-11-24 23:14 235520 ----a-w- c:\windows\system32\url.dll
2014-11-24 23:14 . 2014-11-24 23:14 167424 ----a-w- c:\windows\system32\iexpress.exe
2014-11-24 23:14 . 2014-11-24 23:14 147968 ----a-w- c:\windows\system32\occache.dll
2014-11-24 23:14 . 2014-11-24 23:14 143872 ----a-w- c:\windows\system32\wextract.exe
2014-11-24 23:14 . 2014-11-24 23:14 13824 ----a-w- c:\windows\system32\mshta.exe
2014-11-24 23:14 . 2014-11-24 23:14 135680 ----a-w- c:\windows\system32\iepeers.dll
2014-11-24 23:14 . 2014-11-24 23:14 101376 ----a-w- c:\windows\system32\inseng.dll
2014-11-22 01:14 . 2014-07-31 00:18 98216 ----a-w- c:\windows\SysWow64\WindowsAccessBridge-32.dll
2014-11-21 12:14 . 2014-07-07 17:04 63704 ----a-w- c:\windows\system32\drivers\mwac.sys
2014-11-21 12:14 . 2011-03-30 15:38 25816 ----a-w- c:\windows\system32\drivers\mbam.sys
2014-11-19 10:31 . 2014-11-19 10:31 1217192 ----a-w- c:\windows\SysWow64\FM20.DLL
2014-11-06 18:11 . 2014-11-19 17:39 769816 ----a-w- c:\windows\system32\drivers\Ext2Fsd.sys
2014-10-25 01:57 . 2014-11-15 01:12 77824 ----a-w- c:\windows\system32\packager.dll
2014-10-25 01:32 . 2014-11-15 01:12 67584 ----a-w- c:\windows\SysWow64\packager.dll
2014-10-18 02:05 . 2014-11-15 01:12 861696 ----a-w- c:\windows\system32\oleaut32.dll
2014-10-18 01:33 . 2014-11-15 01:12 571904 ----a-w- c:\windows\SysWow64\oleaut32.dll
2014-10-17 22:48 . 2012-07-17 19:37 23256 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\ppcrlconfig600.dll
2014-10-14 02:16 . 2014-11-15 01:15 155064 ----a-w- c:\windows\system32\drivers\ksecpkg.sys
2014-10-14 02:13 . 2014-11-15 01:15 683520 ----a-w- c:\windows\system32\termsrv.dll
2014-10-14 02:13 . 2014-11-15 01:14 3241984 ----a-w- c:\windows\system32\msi.dll
2014-10-14 02:12 . 2014-11-15 01:15 1460736 ----a-w- c:\windows\system32\lsasrv.dll
2014-10-14 02:09 . 2014-11-15 01:15 146432 ----a-w- c:\windows\system32\msaudite.dll
2014-10-14 02:07 . 2014-11-15 01:15 681984 ----a-w- c:\windows\system32\adtschema.dll
2014-10-14 01:50 . 2014-11-15 01:15 22016 ----a-w- c:\windows\SysWow64\secur32.dll
2014-10-14 01:50 . 2014-11-15 01:14 2363904 ----a-w- c:\windows\SysWow64\msi.dll
2014-10-14 01:49 . 2014-11-15 01:15 96768 ----a-w- c:\windows\SysWow64\sspicli.dll
2014-10-14 01:47 . 2014-11-15 01:15 146432 ----a-w- c:\windows\SysWow64\msaudite.dll
2014-10-14 01:46 . 2014-11-15 01:15 681984 ----a-w- c:\windows\SysWow64\adtschema.dll
2014-10-10 00:57 . 2014-11-15 01:13 3198976 ----a-w- c:\windows\system32\win32k.sys
2014-08-25 03:35 . 2014-08-21 19:46 6010880 ----a-w- c:\program files (x86)\GUT7DA9.tmp
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ISUSPM"="c:\programdata\Macrovision\FLEXnet Connect\11\ISUSPM.exe" [2008-09-26 210208]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"HP Software Update"="c:\program files (x86)\HP\HP Software Update\HPWuSchd2.exe" [2008-12-08 54576]
"Microsoft Default Manager"="c:\program files (x86)\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" [2010-05-10 439568]
"Nuance OmniPage 17-reminder"="c:\program files (x86)\Nuance\OmniPage17\Ereg\Ereg.exe" [2008-11-03 54560]
"SSBkgdUpdate"="c:\program files (x86)\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2006-10-25 210472]
"PPort11reminder"="c:\program files (x86)\ScanSoft\PaperPort\Ereg\Ereg.exe" [2007-08-31 328992]
"StartCCC"="c:\program files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2010-12-29 336384]
"APSDaemon"="c:\program files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2014-10-11 60712]
"navservice"="c:\users\DGK\Applications\NavService\eclipse\NavService.exe" [2013-07-26 61168]
"ArcSoft Connection Service"="c:\program files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe" [2010-10-28 207424]
"CanonQuickMenu"="c:\program files (x86)\Canon\Quick Menu\CNQMMAIN.EXE" [2012-09-27 1279120]
"IJNetworkScannerSelectorEX"="c:\program files (x86)\Canon\IJ Network Scanner Selector EX\CNMNSST.exe" [2012-08-31 452272]
"iTunesHelper"="c:\program files (x86)\iTunes\iTunesHelper.exe" [2014-10-15 157480]
"QuickTime Task"="c:\program files (x86)\QuickTime\QTTask.exe" [2014-10-02 421888]
"IJNetworkScanUtility"="c:\program files (x86)\Canon\Canon IJ Network Scan Utility\CNMNSUT.exe" [2010-08-23 206240]
"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2014-10-07 507776]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
APC UPS Status.lnk - c:\program files (x86)\APC\APC PowerChute Personal Edition\Display.exe [2011-3-13 267520]
NovaBACKUP Tray Control.lnk - c:\program files (x86)\NovaStor\NovaStor NovaBACKUP\nsCtrl.exe [2014-12-16 959088]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]
"wave1"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro37]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro37.sys]
@=""
.
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [x]
R2 MBAMService;MBAMService;c:\program files (x86)\Malwarebytes Anti-Malware\mbamservice.exe;c:\program files (x86)\Malwarebytes Anti-Malware\mbamservice.exe [x]
R2 SkypeUpdate;Skype Updater;c:\program files (x86)\Skype\Updater\Updater.exe;c:\program files (x86)\Skype\Updater\Updater.exe [x]
R3 Backup Client Agent Service;Backup Client Agent Service;c:\program files (x86)\NovaStor\NovaStor NovaBACKUP\ManagementServer.Agent.Service.exe;c:\program files (x86)\NovaStor\NovaStor NovaBACKUP\ManagementServer.Agent.Service.exe [x]
R3 CXPLRCAP;Capture Device;c:\windows\system32\drivers\CxPlrCap.sys;c:\windows\SYSNATIVE\drivers\CxPlrCap.sys [x]
R3 dc3d;MS Hardware Device Detection Driver (USB);c:\windows\system32\DRIVERS\dc3d.sys;c:\windows\SYSNATIVE\DRIVERS\dc3d.sys [x]
R3 GenericMount Helper Service;GenericMount Helper Service;c:\program files (x86)\Norton Ghost\Shared\Drivers\GenericMountHelperx64.exe;c:\program files (x86)\Norton Ghost\Shared\Drivers\GenericMountHelperx64.exe [x]
R3 IEEtwCollectorService;Internet Explorer ETW Collector Service;c:\windows\system32\IEEtwCollector.exe;c:\windows\SYSNATIVE\IEEtwCollector.exe [x]
R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\MBAMSwissArmy.sys;c:\windows\SYSNATIVE\drivers\MBAMSwissArmy.sys [x]
R3 MBAMWebAccessControl;MBAMWebAccessControl;c:\windows\system32\drivers\mwac.sys;c:\windows\SYSNATIVE\drivers\mwac.sys [x]
R3 Point64;Microsoft IntelliPoint Filter Driver;c:\windows\system32\DRIVERS\point64.sys;c:\windows\SYSNATIVE\DRIVERS\point64.sys [x]
R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys;c:\windows\SYSNATIVE\drivers\rdpvideominiport.sys [x]
R3 Symantec SymSnap VSS Provider;Symantec SymSnap VSS Provider;c:\windows\system32\dllhost.exe;c:\windows\SYSNATIVE\dllhost.exe [x]
R3 SymSnapService;SymSnapService;c:\program files (x86)\Norton Ghost\Shared\Drivers\SymSnapServicex64.exe;c:\program files (x86)\Norton Ghost\Shared\Drivers\SymSnapServicex64.exe [x]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys;c:\windows\SYSNATIVE\drivers\tsusbflt.sys [x]
R3 USBAAPL64;Apple Mobile USB Driver;c:\windows\system32\Drivers\usbaapl64.sys;c:\windows\SYSNATIVE\Drivers\usbaapl64.sys [x]
R3 vpcuxd;USB Virtualization Stub Service;c:\windows\system32\DRIVERS\vpcuxd.sys;c:\windows\SYSNATIVE\DRIVERS\vpcuxd.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe;c:\windows\SYSNATIVE\Wat\WatAdminSvc.exe [x]
R4 GamesAppService;GamesAppService;c:\program files (x86)\WildTangent Games\App\GamesAppService.exe;c:\program files (x86)\WildTangent Games\App\GamesAppService.exe [x]
R4 MBAMScheduler;MBAMScheduler;c:\program files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe;c:\program files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe [x]
R4 NOBU;Norton Online Backup;c:\program files (x86)\Symantec\Norton Online Backup\NOBuAgent.exe SERVICE;c:\program files (x86)\Symantec\Norton Online Backup\NOBuAgent.exe SERVICE [x]
S0 amd_sata;amd_sata;c:\windows\system32\DRIVERS\amd_sata.sys;c:\windows\SYSNATIVE\DRIVERS\amd_sata.sys [x]
S0 amd_xata;amd_xata;c:\windows\system32\DRIVERS\amd_xata.sys;c:\windows\SYSNATIVE\DRIVERS\amd_xata.sys [x]
S0 oodisr;O&O DiskImage Snapshot/Restore Driver;c:\windows\system32\DRIVERS\oodisr.sys;c:\windows\SYSNATIVE\DRIVERS\oodisr.sys [x]
S0 oodisrh;oodisrh;c:\windows\system32\DRIVERS\oodisrh.sys;c:\windows\SYSNATIVE\DRIVERS\oodisrh.sys [x]
S0 oodivd;O&O DiskImage Virtual Devices Driver;c:\windows\system32\DRIVERS\oodivd.sys;c:\windows\SYSNATIVE\DRIVERS\oodivd.sys [x]
S0 oodivdh;oodivdh;c:\windows\system32\DRIVERS\oodivdh.sys;c:\windows\SYSNATIVE\DRIVERS\oodivdh.sys [x]
S0 PxHlpa64;PxHlpa64;c:\windows\System32\drivers\PxHlpa64.sys;c:\windows\SYSNATIVE\drivers\PxHlpa64.sys [x]
S0 SymDS;Symantec Data Store;c:\windows\system32\drivers\NISx64\1506000.020\SYMDS64.SYS;c:\windows\SYSNATIVE\drivers\NISx64\1506000.020\SYMDS64.SYS [x]
S0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\NISx64\1506000.020\SYMEFA64.SYS;c:\windows\SYSNATIVE\drivers\NISx64\1506000.020\SYMEFA64.SYS [x]
S1 BHDrvx64;BHDrvx64;c:\program files (x86)\Norton Internet Security\NortonData\21.0.1.3\Definitions\BASHDefs\20141209.001\BHDrvx64.sys;c:\program files (x86)\Norton Internet Security\NortonData\21.0.1.3\Definitions\BASHDefs\20141209.001\BHDrvx64.sys [x]
S1 ccSet_NIS;NIS Settings Manager;c:\windows\system32\drivers\NISx64\1506000.020\ccSetx64.sys;c:\windows\SYSNATIVE\drivers\NISx64\1506000.020\ccSetx64.sys [x]
S1 IDSVia64;IDSVia64;c:\program files (x86)\Norton Internet Security\NortonData\21.0.1.3\Definitions\IPSDefs\20150101.001\IDSvia64.sys;c:\program files (x86)\Norton Internet Security\NortonData\21.0.1.3\Definitions\IPSDefs\20150101.001\IDSvia64.sys [x]
S1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\NISx64\1506000.020\Ironx64.SYS;c:\windows\SYSNATIVE\drivers\NISx64\1506000.020\Ironx64.SYS [x]
S1 SymNetS;Symantec Network Security WFP Driver;c:\windows\System32\Drivers\NISx64\1506000.020\SYMNETS.SYS;c:\windows\SYSNATIVE\Drivers\NISx64\1506000.020\SYMNETS.SYS [x]
S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe;c:\windows\SYSNATIVE\atiesrxx.exe [x]
S2 AMD FUEL Service;AMD FUEL Service;c:\program files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe;c:\program files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe [x]
S2 AMD Reservation Manager;AMD Reservation Manager;c:\program files\ATI Technologies\ATI.ACE\Reservation Manager\AMD Reservation Manager.exe;c:\program files\ATI Technologies\ATI.ACE\Reservation Manager\AMD Reservation Manager.exe [x]
S2 CouponPrinterService;Coupon Printer Service;c:\program files (x86)\Coupons\CouponPrinterService.exe;c:\program files (x86)\Coupons\CouponPrinterService.exe [x]
S2 Disaster Recovery Imaging;Disaster Recovery Imaging;c:\program files (x86)\NovaStor\NovaStor NovaBACKUP\DR\x64\drdiag.exe;c:\program files (x86)\NovaStor\NovaStor NovaBACKUP\DR\x64\drdiag.exe [x]
S2 HP Support Assistant Service;HP Support Assistant Service;c:\program files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe;c:\program files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe [x]
S2 HPClientSvc;HP Client Services;c:\program files\Hewlett-Packard\HP Client Services\HPClientServices.exe;c:\program files\Hewlett-Packard\HP Client Services\HPClientServices.exe [x]
S2 NIS;Norton Internet Security;c:\program files (x86)\Norton Internet Security\Engine\21.6.0.32\NIS.exe;c:\program files (x86)\Norton Internet Security\Engine\21.6.0.32\NIS.exe [x]
S2 nsService;NovaStor NovaBACKUP Backup/Copy Engine;c:\program files (x86)\NovaStor\NovaStor NovaBACKUP\nsService.exe;c:\program files (x86)\NovaStor\NovaStor NovaBACKUP\nsService.exe [x]
S2 RoxioNow Service;RoxioNow Service;c:\program files (x86)\Roxio\RoxioNow Player\RNowSvc.exe;c:\program files (x86)\Roxio\RoxioNow Player\RNowSvc.exe [x]
S2 vstor2-mntapi10-shared;Vstor2 MntApi 1.0 Driver (shared);c:\program files (x86)\NovaStor\NovaStor NovaBACKUP\vmware\vstor2\vstor2-mntapi10-shared.sys;c:\program files (x86)\NovaStor\NovaStor NovaBACKUP\vmware\vstor2\vstor2-mntapi10-shared.sys [x]
S3 amdiox64;AMD IO Driver;c:\windows\system32\DRIVERS\amdiox64.sys;c:\windows\SYSNATIVE\DRIVERS\amdiox64.sys [x]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files (x86)\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys;c:\program files (x86)\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [x]
S3 GenericMount;Generic Mount Driver;c:\windows\system32\DRIVERS\GenericMount.sys;c:\windows\SYSNATIVE\DRIVERS\GenericMount.sys [x]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys;c:\windows\SYSNATIVE\drivers\mbam.sys [x]
S3 netr28x;Ralink 802.11n Extensible Wireless Driver;c:\windows\system32\DRIVERS\netr28x.sys;c:\windows\SYSNATIVE\DRIVERS\netr28x.sys [x]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys;c:\windows\SYSNATIVE\DRIVERS\Rt64win7.sys [x]
S3 usbfilter;AMD USB Filter Driver;c:\windows\system32\DRIVERS\usbfilter.sys;c:\windows\SYSNATIVE\DRIVERS\usbfilter.sys [x]
S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\DRIVERS\wdcsam64.sys;c:\windows\SYSNATIVE\DRIVERS\wdcsam64.sys [x]
.
.
Contents of the 'Scheduled Tasks' folder
.
2015-01-03 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-03 17:42]
.
2014-11-14 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-02-27 02:09]
.
2015-01-03 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-02-27 02:09]
.
2014-12-24 c:\windows\Tasks\HPCeeScheduleForDCOMPUTER$.job
- c:\program files (x86)\Hewlett-Packard\HP Ceement\HPCEE.exe [2011-07-15 10:43]
.
2014-12-30 c:\windows\Tasks\HPCeeScheduleForDGK.job
- c:\program files (x86)\Hewlett-Packard\HP Ceement\HPCEE.exe [2011-07-15 10:43]
.
2011-04-04 c:\windows\Tasks\Registry Repair 5.job
- c:\program files (x86)\Migo Software\RegistryRepair5\Registry Repair.exe [2007-07-16 14:53]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpsysdrv"="c:\program files (x86)\hewlett-packard\HP odometer\hpsysdrv.exe" [2008-11-20 62768]
"SmartMenu"="c:\program files\Hewlett-Packard\HP MediaSmart\SmartMenu.exe" [2010-09-15 611896]
"Windows Mobile Device Center"="c:\windows\WindowsMobile\wmdc.exe" [2007-05-31 660360]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"NCPluginUpdater"="c:\program files (x86)\Hewlett-Packard\HP Health Check\ActiveCheck\product_line\NCPluginUpdater.exe" [2014-12-17 21720]
.
------- Supplementary Scan -------
.
uStart Page = hxxp://home.cableone.net/
uLocal Page = c:\windows\system32\blank.htm
mLocal Page = c:\windows\SysWOW64\blank.htm
uInternet Settings,ProxyOverride = *.local
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
Trusted Zone: amazonaws.com\*.s3
Trusted Zone: amikay.com\utm
Trusted Zone: cleverreach.com\novastor
Trusted Zone: desk.com
Trusted Zone: google-analytics.com
Trusted Zone: google.com
Trusted Zone: monitor-eqatec.com
Trusted Zone: netsuite.com
Trusted Zone: novabackup.com
Trusted Zone: novabackup.de
Trusted Zone: novastor.com
Trusted Zone: novastor.de
TCP: DhcpNameServer = 24.116.0.53 24.116.2.50
.
- - - - ORPHANS REMOVED - - - -
.
HKLM_Wow6432Node-ActiveSetup-{2D46B6DC-2207-486B-B523-A557E6D54B47} - start
.
.
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\NIS]
"ImagePath"="\"c:\program files (x86)\Norton Internet Security\Engine\21.6.0.32\NIS.exe\" /s \"NIS\" /m \"c:\program files (x86)\Norton Internet Security\Engine\21.6.0.32\diMaster.dll\" /prefetch:1"
"ImagePath"="\SystemRoot\System32\Drivers\NISx64\1506000.020\SYMNETS.SYS"
"TrustedImagePaths"="c:\program files (x86)\Norton Internet Security\Engine\21.6.0.32;c:\program files (x86)\Norton Internet Security\Engine64\21.6.0.32"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_16_0_0_235_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\LocalServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_16_0_0_235_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}]
@Denied: (A 2) (Everyone)
@="IFlashBroker6"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_16_0_0_235_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_16_0_0_235_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_16_0_0_235.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.16"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_16_0_0_235.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_16_0_0_235.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_16_0_0_235.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}]
@Denied: (A 2) (Everyone)
@="IFlashBroker6"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Office\Common\Smart Tag\Actions\{B7EFF951-E52F-45CC-9EF7-57124F2177CC}]
@Denied: (A) (Everyone)
"Solution"="{15727DE6-F92D-4E46-ACB4-0E2C58B31A18}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3]
@Denied: (A) (Everyone)
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3\0]
"Key"="ActionsPane3"
"Location"="c:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTO\\ActionsPane3.xsd"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows CE Services]
"SymbolicLinkValue"=hex(6):5c,00,72,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
   00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,4f,00,46,00,\
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2015-01-02  19:58:37
ComboFix-quarantined-files.txt  2015-01-03 01:58
.
Pre-Run: 777,621,676,032 bytes free
Post-Run: 776,967,028,736 bytes free
.
- - End Of File - - 87FE3FE3BB242A7B551A4032B7C78DE5
F4415F75E6791464B34AEDF1EE20AD54

 

I have re-enable Malwarebytes and Norton Internet Security.  Norton deleted ComboFix before I could uninstall it.  Will that leave files on my pc?

 

Are we done?

 

Link to post
Share on other sites

Looks Good.......

A little clean up to do....

Please Uninstall ComboFix: (------->if you used it<-------)

Press the Windows logo key + R to bring up the "run box"

Copy and paste next command in the field:

ComboFix /uninstall

Make sure there's a space between Combofix and /

cf2.jpg

Then hit enter. (it may look like CF is re-installing but it's not)

This will uninstall Combofix, delete its related folders and files, hide file extensions, hide the system/hidden files and clears System Restore cache and create new Restore point

(If that doesn't work.....you can simply rename ComboFix.exe to Uninstall.exe and double click it to complete the uninstall or download and run the uninstaller)

---------------------------------

bwebb7v.jpgDownload Delfix from here and save it to your desktop. (you may already have this)

  • Ensure Remove disinfection tools is checked.
  • Click the Run button.
  • Reboot
Any other programs or logs that are still remaining, you can manually delete. (right click.....Delete)

IE: RogueKiller.exe, RKreport.txt, RK_Quarantine folder, C:\FRST folder, FRST-OlderVersion folder, MBAR folder, etc....AdwCleaner > just run the program and click uninstall.

Note:

If you used FRST and can't delete the quarantine folder:

Download the fixlist.txt to the same folder as FRST.exe.

Run FRST.exe and click Fix only once and wait

That will delete the quarantine folder created by FRST.

The rest you can manually delete.

-------------------------------

Any questions...please post back.

If you think I've helped you, please leave a comment > click on my avatar picture > click Profile Feed.

Take a look at My Preventive Maintenance to avoid being infected again.

Good Luck and Thanks for using the forum, MrC

Link to post
Share on other sites

All deleted and removed from the Recycle bin except FRST.  What is the location and filename of the FRST quarantine folder?

 

If you used FRST and can't delete the quarantine folder:
Download the fixlist.txt to the same folder as FRST.exe

 

I cannot download fixlist.txt.  Get an error that I am not authorized on both the link in the email and the link in this post.

Link to post
Share on other sites

No.  It's still there.

 

Single click doesn't run it.  If I double click it opens the file. 

 

 

The FRST.exe was not in the FRST folder.  I moved it there an ran it.  It updated to  a new version and I ran it.  Clicking on the Fixlist.txt does nothing.  I looked and there are no files listed under the Quarantine folder.

 

So can I just delete the C:\FRST folder and other files, correct?

Link to post
Share on other sites

  • Root Admin

Glad we could help. :)

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

Link to post
Share on other sites

Guest
This topic is now closed to further replies.
 Share

  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.