
Hi,

I’m running Windows 7 Basic on my Netbook laptop.

The taskeng.exe window kept randomly appearing so I ran a few different virus scanners and they found the following:

 

Malwarebytes found:

C:\USERS\VINCE\APPDATA\ROAMING\MICROSOFT\WINDOWS\VETHFFSS\ERDCJHUI.EX

and flagged it as a virus and also found:

Trojan.Fileless.MTGen, C:\USERS\VINCE\APPDATA\LOCAL\B5FE\7DC9.BAT

Trojan.Fileless.MTGen, C:\USERS\VINCE\APPDATA\LOCAL\YJQICQIX\REDREKBUD.BAT

Trojan.MalPack, C:\WINDOWS\SYSTEM32\TASKS\Opera scheduled Autoupdate 874468711

Trojan.MalPack, C:\USERS\VINCE\APPDATA\ROAMING\MICROSOFT\WINDOWS\VETHFFSS\ERDCJHUI.EXE

 

ClamWin found:

C:\Users\Vince\AppData\Roaming\Thunderbird\Profiles\d9nrv8mw.default\Mail\mail.arielpress.com\Inbox: Vbs.Downloader.VBDownloader-6486516-0 

and flagged it as an infected file

 

Getting rid of them is easy enough by using the anti-virus software (or re-formatting the hard drive) but how do I find out what these things have actually been doing?

Many thanks,

Vince


Hello, Welcome to Malwarebytes.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

This one looks very suspicious.

C:\USERS\VINCE\APPDATA\ROAMING\MICROSOFT\WINDOWS\VETHFFSS\ERDCJHUI.EX

The others, identified as Trojan.xxx, can be searched for on the net.

Such as: Trojan.Fileless.MTGen

===  

To give you more advice please execute the following instructions.

Download the version of this tool for your operating system.
Farbar Recovery Scan Tool (64 bit)
Farbar Recovery Scan Tool (32 bit)
and save it to a folder on your computer's Desktop.
Double-click to run it. When the tool opens click Yes to disclaimer.
Press Scan button.
It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply.

How to attach a file to your reply:
In the Reply section at the bottom of the topic, click the "More Reply Options" button.

Attach the file.
Select "Choose a File" and navigate to the location of the file.
Click the file you wish to Attach.
Click Attach this file.
Click the Add reply button.
===

Please post the logs for my review.

Let me know what problems persist.

Wait for further instructions.


 


Hi nasdaq,

Here are the scan results:

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 10.10.2018
Ran by Vince (administrator) on PC (10-10-2018 16:42:17)
Running from C:\Users\Vince\Desktop
Loaded Profiles: Vince (Available Profiles: Vince)
Platform: Microsoft Windows 7 Starter  Service Pack 1 (X86) Language: English (United States)
Internet Explorer Version 11 (Default browser not detected!)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(Microsoft Corporation) C:\Windows\System32\wlanext.exe
(McAfee, LLC) C:\Program Files\Common Files\McAfee\SystemCore\mfemms.exe
(McAfee, Inc.) C:\Program Files\Common Files\McAfee\ModuleCore\ModuleCoreService.exe
(McAfee, LLC) C:\Windows\System32\mfevtps.exe
(Intel Corporation) C:\Windows\System32\igfxtray.exe
(Intel Corporation) C:\Windows\System32\hkcmd.exe
(Intel Corporation) C:\Windows\System32\igfxpers.exe
(Intel Corporation) C:\Windows\System32\igfxsrvc.exe
(McAfee, Inc.) C:\Program Files\Common Files\McAfee\MMSSHost\MMSSHOST.exe
(McAfee, LLC) C:\Windows\System32\mfevtps.exe
(McAfee, LLC) C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe
(McAfee, Inc.) C:\Program Files\Common Files\McAfee\VSCore_15_8\mcapexe.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe

==================== Registry (Whitelisted) ===========================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)


==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

Tcpip\Parameters: [DhcpNameServer] 194.168.4.100 194.168.8.100
Tcpip\..\Interfaces\{0FA35256-5F93-478A-9A17-F901B7F7961B}: [DhcpNameServer] 194.168.4.100 194.168.8.100
Tcpip\..\Interfaces\{D5259CB0-6BF1-48D6-9C42-7966D7CDA75C}: [DhcpNameServer] 194.168.4.100 194.168.8.100

Internet Explorer:
==================
HKU\S-1-5-21-945316679-2229546352-3911709265-1000\Software\Microsoft\Internet Explorer\Main,Start Page = hxxps://www.google.co.uk/
Filter: application/x-mfe-ipt - {3EF5086B-5478-4598-A054-786C45D75692} - c:\Program Files\McAfee\MSC\McSnIePl.dll [2018-05-08] (McAfee, Inc.)

FireFox:
========
FF ProfilePath: C:\Users\Vince\AppData\Roaming\Mozilla\Firefox\Profiles\rc909ch1.default-1472502461995 [2018-10-09]
FF Extension: (Avira Browser Safety) - C:\Users\Vince\AppData\Roaming\Mozilla\Firefox\Profiles\rc909ch1.default-1472502461995\Extensions\abs@avira.com [2018-10-09]
FF Plugin: @adobe.com/FlashPlayer -> C:\Windows\system32\Macromed\Flash\NPSWF32_27_0_0_170.dll [2017-10-16] ()
FF Plugin: @mcafee.com/MSC,version=10 -> c:\PROGRA~1\mcafee\msc\NPMCSN~1.DLL [2018-05-08] ()

Chrome: 
=======
CHR HKLM\...\Chrome\Extension: [flliilndjeohchalpbbcdekjklbdgfkk] - hxxps://clients2.google.com/service/update2/crx

==================== Services (Whitelisted) ====================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

S3 ClientAnalyticsService; C:\Program Files\Common Files\McAfee\ClientAnalytics\Legacy\McClientAnalytics.exe [1117144 2018-05-03] (McAfee, Inc.)
R2 McAPExe; C:\Program Files\Common Files\McAfee\VSCore_15_8\McApExe.exe [596544 2018-05-16] (McAfee, Inc.)
S3 mfefire; C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe [323024 2018-02-23] (McAfee, LLC)
R2 mfemms; C:\Program Files\Common Files\McAfee\SystemCore\mfemms.exe [477136 2018-02-23] (McAfee, LLC)
R2 mfevtp; C:\Windows\system32\mfevtps.exe [457680 2018-02-23] (McAfee, LLC)
R2 ModuleCoreService; C:\Program Files\Common Files\McAfee\ModuleCore\ModuleCoreService.exe [1332008 2018-05-01] (McAfee, Inc.)
R2 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [680960 2013-05-27] (Microsoft Corporation)

===================== Drivers (Whitelisted) ======================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

S3 cfwids; C:\Windows\System32\drivers\cfwids.sys [72096 2018-05-15] (McAfee, LLC)
R3 L1C; C:\Windows\System32\DRIVERS\L1C62x86.sys [110280 2013-11-29] (Qualcomm Atheros Co., Ltd.)
R3 mfeaack; C:\Windows\System32\drivers\mfeaack.sys [380832 2018-05-15] (McAfee, LLC)
R3 mfeavfk; C:\Windows\System32\drivers\mfeavfk.sys [282528 2018-05-15] (McAfee, LLC)
R3 mfefirek; C:\Windows\System32\drivers\mfefirek.sys [408480 2018-05-15] (McAfee, LLC)
R0 mfehidk; C:\Windows\System32\drivers\mfehidk.sys [734120 2018-05-15] (McAfee, LLC)
R3 mfeplk; C:\Windows\System32\drivers\mfeplk.sys [99232 2018-05-15] (McAfee, LLC)
R0 mfewfpk; C:\Windows\System32\drivers\mfewfpk.sys [210336 2018-05-15] (McAfee, LLC)
S1 ZAM; \??\C:\Windows\System32\drivers\zam32.sys [X]
S1 ZAM_Guard; \??\C:\Windows\System32\drivers\zamguard32.sys [X]

==================== NetSvcs (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)


==================== One Month Created files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2018-10-10 16:31 - 2018-10-10 16:44 - 000005363 _____ C:\Users\Vince\Desktop\FRST.txt
2018-10-10 16:31 - 2018-10-10 16:31 - 000000000 ____D C:\FRST
2018-10-10 16:30 - 2018-10-10 16:26 - 001774592 _____ (Farbar) C:\Users\Vince\Desktop\FRST.exe
2018-10-10 15:45 - 2018-10-10 15:45 - 000000000 ____D C:\Snort
2018-10-10 14:00 - 2018-10-10 15:16 - 000000000 ____D C:\Users\Vince\AppData\Local\DiskDrill
2018-10-10 14:00 - 2018-10-10 14:00 - 000000000 ____D C:\Users\Vince\AppData\Local\CrashRpt
2018-10-09 19:47 - 2018-10-10 16:02 - 000000000 ____D C:\Users\Vince\Desktop\Files to Check
2018-10-09 18:38 - 2018-10-09 19:07 - 000000000 ____D C:\Users\Vince\AppData\Local\Avg
2018-10-09 18:33 - 2018-10-09 18:33 - 000000000 ____D C:\Program Files\Common Files\AVG
2018-10-09 18:30 - 2018-10-09 18:33 - 000000000 ____D C:\ProgramData\AVG
2018-10-09 18:08 - 2018-10-09 18:08 - 000000000 ____H C:\Windows\system32\Drivers\Msft_Kernel_avusbflt_01011.Wdf
2018-10-09 18:02 - 2018-10-09 18:29 - 000000000 ____D C:\Program Files\Avira
2018-10-09 17:46 - 2018-10-09 18:29 - 000000000 ____D C:\Program Files\MalwareFox AntiMalware
2018-10-09 17:46 - 2018-10-09 18:28 - 000024356 _____ C:\Windows\ZAM_Guard.krnl.trace
2018-10-09 17:46 - 2018-10-09 18:01 - 000028090 _____ C:\Windows\ZAM.krnl.trace
2018-10-09 17:46 - 2018-10-09 17:46 - 000000000 ____D C:\Users\Vince\AppData\Local\Wolf of Webstreet OPC Private Limited
2018-10-09 17:24 - 2018-10-09 17:24 - 000000000 ____D C:\Users\Vince\AppData\Local\Zemana
2018-10-09 16:22 - 2018-10-09 18:38 - 000000000 ____D C:\Users\Vince\AppData\Local\AVAST Software
2018-10-09 16:18 - 2018-10-09 17:18 - 000000000 ____D C:\Program Files\Common Files\AVAST Software
2018-10-09 16:18 - 2018-10-09 16:18 - 001142072 _____ (Microsoft Corporation) C:\Windows\ucrtbase.dll
2018-10-09 15:01 - 2018-10-08 21:01 - 047240080 _____ (Microsoft Corporation) C:\Users\Vince\Desktop\Windows-KB890830-V5.64.exe
2018-10-08 20:22 - 2018-10-08 20:22 - 000000000 ____D C:\Program Files\McAfee.com
2018-10-08 20:19 - 2018-10-08 20:24 - 000000000 ____D C:\Program Files\McAfee
2018-10-08 20:19 - 2018-10-08 20:19 - 000000000 ____D C:\Program Files\Common Files\AV
2018-10-08 20:16 - 2018-10-08 20:25 - 000000000 ____D C:\Program Files\Common Files\McAfee
2018-10-08 20:16 - 2018-02-23 21:32 - 000457680 _____ (McAfee, LLC) C:\Windows\system32\mfevtps.exe
2018-10-08 20:15 - 2018-10-08 20:15 - 000000000 ____D C:\Users\Vince\AppData\Local\CEF
2018-10-08 19:49 - 2018-10-08 20:46 - 000000000 _____ C:\Users\Vince\AppData\Roaming\MCVi2UserDetail.ini
2018-10-08 19:48 - 2018-10-08 20:34 - 000000000 ____D C:\ProgramData\McAfee
2018-10-08 19:16 - 2018-10-09 08:40 - 000763082 _____ C:\Windows\ntbtlog.txt
2018-10-08 18:42 - 2018-10-08 18:42 - 000082572 _____ C:\Users\Vince\Desktop\Root Scan.txt
2018-10-08 17:26 - 2018-10-08 17:26 - 000000000 ____D C:\Users\Vince\Desktop\New folder
2018-10-08 17:24 - 2018-10-08 17:24 - 000082129 _____ C:\Users\Vince\Desktop\Scan.txt
2018-10-08 16:14 - 2018-10-08 16:14 - 000000000 ____D C:\Users\Vince\AppData\Local\mbamtray
2018-10-08 16:14 - 2018-10-08 16:14 - 000000000 ____D C:\Users\Vince\AppData\Local\mbam
2018-10-08 16:10 - 2018-10-08 19:31 - 000000000 ____D C:\Users\Vince\AppData\Local\Jyvygcoru
2018-10-08 16:09 - 2018-10-08 16:09 - 081176816 _____ (Malwarebytes ) C:\Users\Vince\Downloads\mb3-setup-consumer-3.6.1.2711-1.0.463-1.0.7197.exe
2018-09-19 18:56 - 2018-09-19 18:56 - 000000000 ____D C:\d74a03cc4176272f0eebee481407ee92
2018-09-13 20:05 - 2018-09-13 20:05 - 000000000 ____D C:\f577eae4cb760c27047d05838e44
2018-09-11 21:00 - 2018-08-23 22:27 - 020279296 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.dll
2018-09-11 20:59 - 2018-08-31 16:08 - 001311744 _____ (Microsoft Corporation) C:\Windows\system32\msjet40.dll
2018-09-11 20:59 - 2018-08-31 16:08 - 000340480 _____ (Microsoft Corporation) C:\Windows\system32\msexcl40.dll
2018-09-11 20:59 - 2018-08-30 02:47 - 001230848 _____ (Microsoft Corporation) C:\Windows\system32\WindowsCodecs.dll
2018-09-11 20:59 - 2018-08-28 06:41 - 000190976 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\ks.sys
2018-09-11 20:59 - 2018-08-24 19:47 - 000350296 _____ (Microsoft Corporation) C:\Windows\system32\iedkcs32.dll
2018-09-11 20:59 - 2018-08-23 22:25 - 002724864 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.tlb
2018-09-11 20:59 - 2018-08-23 22:25 - 000004096 _____ (Microsoft Corporation) C:\Windows\system32\ieetwcollectorres.dll
2018-09-11 20:59 - 2018-08-23 22:15 - 000497664 _____ (Microsoft Corporation) C:\Windows\system32\vbscript.dll
2018-09-11 20:59 - 2018-08-23 22:14 - 000341504 _____ (Microsoft Corporation) C:\Windows\system32\html.iec
2018-09-11 20:59 - 2018-08-23 22:14 - 000062464 _____ (Microsoft Corporation) C:\Windows\system32\iesetup.dll
2018-09-11 20:59 - 2018-08-23 22:14 - 000047616 _____ (Microsoft Corporation) C:\Windows\system32\ieetwproxystub.dll
2018-09-11 20:59 - 2018-08-23 22:13 - 000064000 _____ (Microsoft Corporation) C:\Windows\system32\MshtmlDac.dll
2018-09-11 20:59 - 2018-08-23 22:12 - 002295808 _____ (Microsoft Corporation) C:\Windows\system32\iertutil.dll
2018-09-11 20:59 - 2018-08-23 22:09 - 000047104 _____ (Microsoft Corporation) C:\Windows\system32\jsproxy.dll
2018-09-11 20:59 - 2018-08-23 22:09 - 000030720 _____ (Microsoft Corporation) C:\Windows\system32\iernonce.dll
2018-09-11 20:59 - 2018-08-23 22:07 - 000476160 _____ (Microsoft Corporation) C:\Windows\system32\ieui.dll
2018-09-11 20:59 - 2018-08-23 22:06 - 000662016 _____ (Microsoft Corporation) C:\Windows\system32\jscript.dll
2018-09-11 20:59 - 2018-08-23 22:06 - 000620032 _____ (Microsoft Corporation) C:\Windows\system32\jscript9diag.dll
2018-09-11 20:59 - 2018-08-23 22:06 - 000115712 _____ (Microsoft Corporation) C:\Windows\system32\ieUnatt.exe
2018-09-11 20:59 - 2018-08-23 22:06 - 000104960 _____ (Microsoft Corporation) C:\Windows\system32\ieetwcollector.exe
2018-09-11 20:59 - 2018-08-23 22:02 - 000668160 _____ (Microsoft Corporation) C:\Windows\system32\MsSpellCheckingFacility.exe
2018-09-11 20:59 - 2018-08-23 22:00 - 000416256 _____ (Microsoft Corporation) C:\Windows\system32\dxtmsft.dll
2018-09-11 20:59 - 2018-08-23 21:56 - 000073216 _____ (Microsoft Corporation) C:\Windows\system32\tdc.ocx
2018-09-11 20:59 - 2018-08-23 21:56 - 000060416 _____ (Microsoft Corporation) C:\Windows\system32\JavaScriptCollectionAgent.dll
2018-09-11 20:59 - 2018-08-23 21:55 - 000091136 _____ (Microsoft Corporation) C:\Windows\system32\inseng.dll
2018-09-11 20:59 - 2018-08-23 21:54 - 000168960 _____ (Microsoft Corporation) C:\Windows\system32\msrating.dll
2018-09-11 20:59 - 2018-08-23 21:53 - 000076288 _____ (Microsoft Corporation) C:\Windows\system32\mshtmled.dll
2018-09-11 20:59 - 2018-08-23 21:52 - 000279040 _____ (Microsoft Corporation) C:\Windows\system32\dxtrans.dll
2018-09-11 20:59 - 2018-08-23 21:51 - 004494848 _____ (Microsoft Corporation) C:\Windows\system32\jscript9.dll
2018-09-11 20:59 - 2018-08-23 21:51 - 000130048 _____ (Microsoft Corporation) C:\Windows\system32\occache.dll
2018-09-11 20:59 - 2018-08-23 21:48 - 013679616 _____ (Microsoft Corporation) C:\Windows\system32\ieframe.dll
2018-09-11 20:59 - 2018-08-23 21:46 - 000230400 _____ (Microsoft Corporation) C:\Windows\system32\webcheck.dll
2018-09-11 20:59 - 2018-08-23 21:44 - 002059776 _____ (Microsoft Corporation) C:\Windows\system32\inetcpl.cpl
2018-09-11 20:59 - 2018-08-23 21:44 - 001155072 _____ (Microsoft Corporation) C:\Windows\system32\mshtmlmedia.dll
2018-09-11 20:59 - 2018-08-23 21:44 - 000696320 _____ (Microsoft Corporation) C:\Windows\system32\msfeeds.dll
2018-09-11 20:59 - 2018-08-23 21:44 - 000692224 _____ (Microsoft Corporation) C:\Windows\system32\ie4uinit.exe
2018-09-11 20:59 - 2018-08-23 21:30 - 004037632 _____ (Microsoft Corporation) C:\Windows\system32\wininet.dll
2018-09-11 20:59 - 2018-08-23 21:27 - 001329664 _____ (Microsoft Corporation) C:\Windows\system32\urlmon.dll
2018-09-11 20:59 - 2018-08-23 21:24 - 000710144 _____ (Microsoft Corporation) C:\Windows\system32\ieapfltr.dll
2018-09-11 20:59 - 2018-08-13 16:40 - 012880896 _____ (Microsoft Corporation) C:\Windows\system32\shell32.dll
2018-09-11 20:59 - 2018-08-13 16:40 - 001499648 _____ (Microsoft Corporation) C:\Windows\system32\ExplorerFrame.dll
2018-09-11 20:59 - 2018-08-13 16:40 - 001390080 _____ (Microsoft Corporation) C:\Windows\system32\msxml6.dll
2018-09-11 20:59 - 2018-08-13 16:40 - 001241088 _____ (Microsoft Corporation) C:\Windows\system32\msxml3.dll
2018-09-11 20:59 - 2018-08-13 16:40 - 000306688 _____ (Microsoft Corporation) C:\Windows\system32\gdi32.dll
2018-09-11 20:59 - 2018-08-13 16:40 - 000043008 _____ (Microsoft Corporation) C:\Windows\system32\mf3216.dll
2018-09-11 20:59 - 2018-08-13 16:40 - 000004608 _____ (Microsoft Corporation) C:\Windows\system32\msimg32.dll
2018-09-11 20:59 - 2018-08-13 16:40 - 000002048 _____ (Microsoft Corporation) C:\Windows\system32\msxml6r.dll
2018-09-11 20:59 - 2018-08-13 16:40 - 000002048 _____ (Microsoft Corporation) C:\Windows\system32\msxml3r.dll
2018-09-11 20:59 - 2018-08-12 21:18 - 000240808 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\netio.sys
2018-09-11 20:59 - 2018-08-12 21:17 - 001311400 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\tcpip.sys
2018-09-11 20:59 - 2018-08-12 21:17 - 000187560 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\FWPKCLNT.SYS
2018-09-11 20:59 - 2018-08-12 21:14 - 000018944 _____ (Microsoft Corporation) C:\Windows\system32\netevent.dll
2018-09-11 20:59 - 2018-08-10 16:45 - 004054192 _____ (Microsoft Corporation) C:\Windows\system32\ntkrnlpa.exe
2018-09-11 20:59 - 2018-08-10 16:45 - 000309424 _____ (Adobe Systems Incorporated) C:\Windows\system32\atmfd.dll
2018-09-11 20:59 - 2018-08-10 16:45 - 000139360 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\ksecpkg.sys
2018-09-11 20:59 - 2018-08-10 16:45 - 000067248 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\ksecdd.sys
2018-09-11 20:59 - 2018-08-10 16:44 - 003961440 _____ (Microsoft Corporation) C:\Windows\system32\ntoskrnl.exe
2018-09-11 20:59 - 2018-08-10 16:44 - 000191072 _____ (Microsoft Corporation) C:\Windows\system32\halmacpi.dll
2018-09-11 20:59 - 2018-08-10 16:44 - 000191072 _____ (Microsoft Corporation) C:\Windows\system32\hal.dll
2018-09-11 20:59 - 2018-08-10 16:44 - 000136368 _____ (Microsoft Corporation) C:\Windows\system32\halacpi.dll
2018-09-11 20:59 - 2018-08-10 16:43 - 001311928 _____ (Microsoft Corporation) C:\Windows\system32\ntdll.dll
2018-09-11 20:59 - 2018-08-10 16:41 - 000655360 _____ (Microsoft Corporation) C:\Windows\system32\rpcrt4.dll
2018-09-11 20:59 - 2018-08-10 16:41 - 000564736 _____ (Microsoft Corporation) C:\Windows\system32\MPSSVC.dll
2018-09-11 20:59 - 2018-08-10 16:41 - 000400896 _____ (Microsoft Corporation) C:\Windows\system32\srcore.dll
2018-09-11 20:59 - 2018-08-10 16:41 - 000261120 _____ (Microsoft Corporation) C:\Windows\system32\msv1_0.dll
2018-09-11 20:59 - 2018-08-10 16:41 - 000254464 _____ (Microsoft Corporation) C:\Windows\system32\schannel.dll
2018-09-11 20:59 - 2018-08-10 16:41 - 000223232 _____ (Microsoft Corporation) C:\Windows\system32\ncrypt.dll
2018-09-11 20:59 - 2018-08-10 16:41 - 000172032 _____ (Microsoft Corporation) C:\Windows\system32\wdigest.dll
2018-09-11 20:59 - 2018-08-10 16:41 - 000146432 _____ (Microsoft Corporation) C:\Windows\system32\msaudite.dll
2018-09-11 20:59 - 2018-08-10 16:41 - 000141312 _____ (Microsoft Corporation) C:\Windows\system32\rpchttp.dll
2018-09-11 20:59 - 2018-08-10 16:41 - 000111616 _____ (Microsoft Corporation) C:\Windows\system32\t2embed.dll
2018-09-11 20:59 - 2018-08-10 16:41 - 000099840 _____ (Microsoft Corporation) C:\Windows\system32\sspicli.dll
2018-09-11 20:59 - 2018-08-10 16:41 - 000070144 _____ (Microsoft Corporation) C:\Windows\system32\TSpkg.dll
2018-09-11 20:59 - 2018-08-10 16:41 - 000060416 _____ (Microsoft Corporation) C:\Windows\system32\msobjs.dll
2018-09-11 20:59 - 2018-08-10 16:41 - 000050176 _____ (Microsoft Corporation) C:\Windows\system32\setbcdlocale.dll
2018-09-11 20:59 - 2018-08-10 16:41 - 000043008 _____ (Microsoft Corporation) C:\Windows\system32\srclient.dll
2018-09-11 20:59 - 2018-08-10 16:41 - 000022016 _____ (Microsoft Corporation) C:\Windows\system32\secur32.dll
2018-09-11 20:59 - 2018-08-10 16:40 - 001063424 _____ (Microsoft Corporation) C:\Windows\system32\lsasrv.dll
2018-09-11 20:59 - 2018-08-10 16:40 - 000554496 _____ (Microsoft Corporation) C:\Windows\system32\kerberos.dll
2018-09-11 20:59 - 2018-08-10 16:40 - 000463360 _____ (Microsoft Corporation) C:\Windows\system32\FirewallAPI.dll
2018-09-11 20:59 - 2018-08-10 16:40 - 000089088 _____ (Microsoft Corporation) C:\Windows\system32\icfupgd.dll
2018-09-11 20:59 - 2018-08-10 16:40 - 000082432 _____ (Microsoft Corporation) C:\Windows\system32\bcrypt.dll
2018-09-11 20:59 - 2018-08-10 16:40 - 000071680 _____ (Microsoft Corporation) C:\Windows\system32\fontsub.dll
2018-09-11 20:59 - 2018-08-10 16:40 - 000050688 _____ (Microsoft Corporation) C:\Windows\system32\appidapi.dll
2018-09-11 20:59 - 2018-08-10 16:40 - 000038912 _____ (Microsoft Corporation) C:\Windows\system32\csrsrv.dll
2018-09-11 20:59 - 2018-08-10 16:40 - 000026112 _____ (Microsoft Corporation) C:\Windows\system32\lpk.dll
2018-09-11 20:59 - 2018-08-10 16:40 - 000017408 _____ (Microsoft Corporation) C:\Windows\system32\credssp.dll
2018-09-11 20:59 - 2018-08-10 16:40 - 000010240 _____ (Microsoft Corporation) C:\Windows\system32\dciman32.dll
2018-09-11 20:59 - 2018-08-10 16:40 - 000006656 _____ (Microsoft Corporation) C:\Windows\system32\apisetschema.dll
2018-09-11 20:59 - 2018-08-10 16:39 - 000690688 _____ (Microsoft Corporation) C:\Windows\system32\adtschema.dll
2018-09-11 20:59 - 2018-08-10 16:39 - 000644096 _____ (Microsoft Corporation) C:\Windows\system32\advapi32.dll
2018-09-11 20:59 - 2018-08-10 16:20 - 000060416 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\mpsdrv.sys
2018-09-11 20:59 - 2018-08-10 16:20 - 000018944 _____ (Microsoft Corporation) C:\Windows\system32\wfapigp.dll
2018-09-11 20:59 - 2018-08-10 16:16 - 000097792 _____ (Microsoft Corporation) C:\Windows\system32\appidpolicyconverter.exe
2018-09-11 20:59 - 2018-08-10 16:16 - 000050688 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\appid.sys
2018-09-11 20:59 - 2018-08-10 16:16 - 000029696 _____ (Microsoft Corporation) C:\Windows\system32\appidsvc.dll
2018-09-11 20:59 - 2018-08-10 16:16 - 000016896 _____ (Microsoft Corporation) C:\Windows\system32\appidcertstorecheck.exe
2018-09-11 20:59 - 2018-08-10 16:15 - 000050176 _____ (Microsoft Corporation) C:\Windows\system32\auditpol.exe
2018-09-11 20:59 - 2018-08-10 16:13 - 000262656 _____ (Microsoft Corporation) C:\Windows\system32\rstrui.exe
2018-09-11 20:59 - 2018-08-10 16:13 - 000107008 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\videoprt.sys
2018-09-11 20:59 - 2018-08-10 16:13 - 000034304 _____ (Adobe Systems) C:\Windows\system32\atmlib.dll
2018-09-11 20:59 - 2018-08-10 16:10 - 000226304 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\mrxsmb10.sys
2018-09-11 20:59 - 2018-08-10 16:10 - 000124416 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\mrxsmb.sys
2018-09-11 20:59 - 2018-08-10 16:10 - 000098304 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\mrxsmb20.sys
2018-09-11 20:59 - 2018-08-10 16:09 - 000069632 _____ (Microsoft Corporation) C:\Windows\system32\smss.exe
2018-09-11 20:59 - 2018-08-10 16:09 - 000055296 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\amdk8.sys
2018-09-11 20:59 - 2018-08-10 16:09 - 000053760 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\intelppm.sys
2018-09-11 20:59 - 2018-08-10 16:09 - 000053248 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\viac7.sys
2018-09-11 20:59 - 2018-08-10 16:09 - 000052736 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\amdppm.sys
2018-09-11 20:59 - 2018-08-10 16:09 - 000052224 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\processr.sys
2018-09-11 20:59 - 2018-08-10 16:09 - 000036352 _____ (Microsoft Corporation) C:\Windows\system32\cryptbase.dll
2018-09-11 20:59 - 2018-08-10 16:09 - 000022016 _____ (Microsoft Corporation) C:\Windows\system32\lsass.exe
2018-09-11 20:59 - 2018-08-10 16:09 - 000015872 _____ (Microsoft Corporation) C:\Windows\system32\sspisrv.dll
2018-09-11 20:59 - 2018-07-29 16:40 - 000751104 _____ (Microsoft Corporation) C:\Windows\system32\schedsvc.dll
2018-09-11 20:59 - 2018-07-18 16:14 - 000068608 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\bowser.sys
2018-09-11 20:59 - 2018-06-27 14:20 - 000419648 _____ C:\Windows\system32\locale.nls

==================== One Month Modified files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2018-10-10 16:41 - 2009-07-14 05:53 - 000000006 ____H C:\Windows\Tasks\SA.DAT
2018-10-10 16:35 - 2016-05-26 18:50 - 000000000 ____D C:\Windows\system32\MRT
2018-10-10 16:34 - 2016-05-26 18:50 - 133674168 ____C (Microsoft Corporation) C:\Windows\system32\MRT.exe
2018-10-10 15:33 - 2016-05-29 19:29 - 000000000 ____D C:\Program Files\Google
2018-10-10 15:30 - 2016-05-29 19:28 - 000000000 ____D C:\Users\Vince\AppData\Local\Google
2018-10-10 14:05 - 2009-07-14 05:34 - 000011168 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2018-10-10 14:05 - 2009-07-14 05:34 - 000011168 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2018-10-09 17:47 - 2016-05-25 04:27 - 000000000 ____D C:\Users\Vince
2018-10-09 09:08 - 2016-11-15 22:15 - 000000000 ____D C:\Users\Vince\AppData\LocalLow\Mozilla
2018-10-08 20:17 - 2009-07-14 03:37 - 000000000 ____D C:\Windows\inf
2018-10-08 19:47 - 2017-07-28 20:47 - 000000000 ____D C:\Users\Vince\AppData\Local\Yjqicqix
2018-10-08 19:47 - 2017-07-28 20:47 - 000000000 ____D C:\Users\Vince\AppData\Local\Utyfhuka
2018-10-08 19:47 - 2017-04-06 20:45 - 000000000 ____D C:\Users\Vince\AppData\Local\b5fe
2018-10-07 12:35 - 2016-05-25 04:33 - 000781790 _____ C:\Windows\system32\PerfStringBackup.INI
2018-09-21 20:19 - 2009-07-14 05:33 - 000267016 _____ C:\Windows\system32\FNTCACHE.DAT

==================== Files in the root of some directories =======

2017-10-22 20:10 - 2017-10-22 20:10 - 000000000 _____ () C:\Program Files\GUT427D.tmp
2018-10-08 19:49 - 2018-10-08 20:46 - 000000000 _____ () C:\Users\Vince\AppData\Roaming\MCVi2UserDetail.ini

Some files in TEMP:
====================
2017-04-06 21:13 - 2017-04-06 21:13 - 000000272 _____ () C:\Users\Vince\AppData\Local\Temp\install_flash_player_24_active_x.exe

==================== Bamital & volsnap ======================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\explorer.exe => File is digitally signed
C:\Windows\system32\winlogon.exe => File is digitally signed
C:\Windows\system32\wininit.exe => File is digitally signed
C:\Windows\system32\svchost.exe => File is digitally signed
C:\Windows\system32\services.exe => File is digitally signed
C:\Windows\system32\User32.dll => File is digitally signed
C:\Windows\system32\userinit.exe => File is digitally signed
C:\Windows\system32\rpcss.dll => File is digitally signed
C:\Windows\system32\dnsapi.dll => File is digitally signed
C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed

LastRegBack: 2018-10-09 16:14

==================== End of FRST.txt ============================

I've attached the Addition.txt document

Thanks again,

Vince

Addition_10-10-2018 16.46.49.txt


Hi,

These files are left over from an old infection.
This fix will remove the Folders and files.

Please download the attached Fixlist.txt file to the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the FRST.txt log you have submitted.

Run FRST and click Fix only once and wait.

The tool will create a log (Fixlog.txt); please post it in your reply.
===

After the Restart of the computer run Malwarebytes to see if it's all clean.

fixlist.txt


Hi Nasdaq,

When you say the files are left over from an old infection, is it possible to determine what the infection was doing?

 

Here's the Fixlog:

 

Fix result of Farbar Recovery Scan Tool (x86) Version: 10.10.2018
Ran by Vince (13-10-2018 12:43:50) Run:1
Running from C:\Users\Vince\Desktop
Loaded Profiles: Vince (Available Profiles: Vince)
Boot Mode: Normal

==============================================

fixlist content:
*****************
Start

CreateRestorePoint:
EmptyTemp:
CloseProcesses:

C:\USERS\VINCE\APPDATA\ROAMING\MICROSOFT\WINDOWS\VETHFFSS
C:\WINDOWS\SYSTEM32\TASKS\Opera scheduled Autoupdate 874468711
2018-?10-08 19:47 - 2017-07-28 20:47 - 000000000 ____D C:\Users\Vince\AppData\Local\Yjqicqix
2018-10-08 19:47 - 2017-07-28 20:47 - 000000000 ____D C:\Users\Vince\AppData\Local\Utyfhuka
2018-10-08 19:47 - 2017-04-06 20:45 - 000000000 ____D C:\Users\Vince\AppData\Local\b5fe
2017-?10-22 20:10 - 2017-10-22 20:10 - 000000000 _____ () C:\Program Files\GUT427D.tmp
2017-?04-06 21:13 - 2017-04-06 21:13 - 000000272 _____ () C:\Users\Vince\AppData\Local\Temp\install_flash_player_24_active_x.exe

Reboot:
End

*****************

Restore point was successfully created.
Processes closed successfully.
C:\USERS\VINCE\APPDATA\ROAMING\MICROSOFT\WINDOWS\VETHFFSS => moved successfully
"C:\WINDOWS\SYSTEM32\TASKS\Opera scheduled Autoupdate 874468711" => not found
2018-?10-08 19:47 - 2017-07-28 20:47 - 000000000 ____D C:\Users\Vince\AppData\Local\Yjqicqix => Error: No automatic fix found for this entry.
C:\Users\Vince\AppData\Local\Utyfhuka => moved successfully
C:\Users\Vince\AppData\Local\b5fe => moved successfully
2017-?10-22 20:10 - 2017-10-22 20:10 - 000000000 _____ () C:\Program Files\GUT427D.tmp => Error: No automatic fix found for this entry.
2017-?04-06 21:13 - 2017-04-06 21:13 - 000000272 _____ () C:\Users\Vince\AppData\Local\Temp\install_flash_player_24_active_x.exe => Error: No automatic fix found for this entry.

=========== EmptyTemp: ==========

BITS transfer queue => 8388608 B
DOMStoree, IE Recovery, AppCache, Feeds Cache, Thumbcache, IconCache => 9553587 B
Java, Flash, Steam htmlcache => 512 B
Windows/system/drivers => 425896964 B
Edge => 0 B
Chrome => 0 B
Firefox => 56361426 B
Opera => 0 B

Temp, IE cache, history, cookies, recent:
Users => 0 B
Default => 0 B
Public => 0 B
ProgramData => 0 B
systemprofile => 66356 B
LocalService => 66228 B
NetworkService => 67004 B
Vince => 10561749281 B

RecycleBin => 692292020 B
EmptyTemp: => 10.9 GB temporary data Removed.

================================


The system needed a reboot.

==== End of Fixlog 12:51:51 ====

 

Thanks again for all your help.

Cheers,

Vince
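A way to check a fixlist against the Fixlog it produced, as an added example (not FRST's own code and not from the post); the sample text below is abridged from the Fixlog above. The entries FRST answered with "No automatic fix found for this entry" are the ones whose copied date prefix contains a stray "?", so the check also flags such lines before the fix is run.

```python
"""Cross-check an FRST fixlist against the Fixlog it produced (added example)."""
import re
from dataclasses import dataclass, field

# Directives FRST acts on without a path.
DIRECTIVES = {"CreateRestorePoint:", "EmptyTemp:", "CloseProcesses:", "Reboot:"}

# A line copied verbatim from the "One Month Created/Modified" sections:
# two timestamps, a 9-digit size, a 5-character attribute field,
# an optional "(Company)" and then the path.
LOG_LINE_RE = re.compile(
    r"^\d{4}-\d\d-\d\d \d\d:\d\d - \d{4}-\d\d-\d\d \d\d:\d\d - "
    r"\d{9} [_A-Z]{5} (?:\(.*?\) )?(?P<path>[A-Za-z]:\\.+)$"
)
# Loose fallback: the first Windows path embedded anywhere in a line.
PATH_RE = re.compile(r"[A-Za-z]:\\.*$")


@dataclass
class Entry:
    raw: str
    path: str                                  # lower-cased for matching
    problems: list = field(default_factory=list)
    status: str = "no result line in Fixlog"


def extract_path(line: str) -> str:
    """Path portion of a fixlist line or Fixlog key, lower-cased ('' if none)."""
    m = PATH_RE.search(line.strip().strip('"'))
    return m.group(0).rstrip('"').lower() if m else ""


def parse_fixlist(text: str) -> list:
    """Path entries between Start and End, each with pre-flight problems noted."""
    entries, inside = [], False
    for line in text.splitlines():
        line = line.strip()
        if line == "Start":
            inside = True
            continue
        if line == "End":
            break
        if not inside or not line or line in DIRECTIVES:
            continue
        e = Entry(raw=line, path=extract_path(line))
        if any(ord(c) > 127 for c in line):
            e.problems.append("non-ASCII character in line")
        if line[:4].isdigit() and not LOG_LINE_RE.match(line):
            # Looks like a copied log line, but the prefix no longer parses;
            # in this thread those were the entries FRST could not act on.
            e.problems.append("malformed log-line prefix (stray character?)")
        if not e.path:
            e.problems.append("no path found")
        entries.append(e)
    return entries


def parse_fixlog(text: str) -> dict:
    """Map each path FRST reported on (lower-cased) to its result text."""
    results = {}
    for line in text.splitlines():
        if " => " not in line:
            continue
        key, _, status = line.partition(" => ")
        path = extract_path(key)
        if path:                                # skips EmptyTemp byte counts
            results[path] = status.strip()
    return results


def reconcile(fixlist_text: str, fixlog_text: str) -> list:
    """Attach each fixlist entry's Fixlog outcome, keeping fixlist order."""
    results = parse_fixlog(fixlog_text)
    entries = parse_fixlist(fixlist_text)
    for e in entries:
        e.status = results.get(e.path, e.status)
    return entries


def needs_attention(entries: list) -> list:
    """Entries that were neither moved nor already absent."""
    return [e for e in entries
            if not e.status.endswith(("moved successfully", "not found"))]


# Sample input, abridged from the Fixlog posted in this thread.
SAMPLE_FIXLIST = r"""
Start
CreateRestorePoint:
EmptyTemp:
CloseProcesses:

C:\USERS\VINCE\APPDATA\ROAMING\MICROSOFT\WINDOWS\VETHFFSS
C:\WINDOWS\SYSTEM32\TASKS\Opera scheduled Autoupdate 874468711
2018-?10-08 19:47 - 2017-07-28 20:47 - 000000000 ____D C:\Users\Vince\AppData\Local\Yjqicqix
2018-10-08 19:47 - 2017-07-28 20:47 - 000000000 ____D C:\Users\Vince\AppData\Local\Utyfhuka

Reboot:
End
"""

SAMPLE_FIXLOG = r"""
Restore point was successfully created.
Processes closed successfully.
C:\USERS\VINCE\APPDATA\ROAMING\MICROSOFT\WINDOWS\VETHFFSS => moved successfully
"C:\WINDOWS\SYSTEM32\TASKS\Opera scheduled Autoupdate 874468711" => not found
2018-?10-08 19:47 - 2017-07-28 20:47 - 000000000 ____D C:\Users\Vince\AppData\Local\Yjqicqix => Error: No automatic fix found for this entry.
C:\Users\Vince\AppData\Local\Utyfhuka => moved successfully
"""

if __name__ == "__main__":
    for e in reconcile(SAMPLE_FIXLIST, SAMPLE_FIXLOG):
        print(f"{e.status:45} {e.path}  {'; '.join(e.problems)}")
```

Running parse_fixlist on a fixlist before clicking Fix lists the entries that will come back as errors, so they can be re-copied cleanly first.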


Root Admin, 2 weeks later:

Glad we could help.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request.

This applies only to the originator of this thread. Other members who need assistance please start your own topic in a new thread.

Thanks

 
