
Win32/Kryptik.FBYR and Win32/Toolbar.Linkury.AP infection


#1 TrojanNoob (New Member, 5 posts)

Hello there,

I've recently reformatted my hard drive and installed Windows because my computer was acting up and nothing seemed to help. There should be no hardware errors, as that has been checked before.

After I installed the new Windows, I went online (Internet Explorer) and visited a few pages before downloading Chrome and Avast antivirus. The computer seemed to be acting slower than before I reformatted the drive, which was odd. Upon further review (I did the ESET Online Scan), there were over 20 viruses found. The ESET scan left 5 variants of 2 viruses: Win32/Toolbar.Linkury.AP and Win32/Kryptik.FBYR.

The problem is that the directory where the scan says the virus is (Avast also had a pop-up that said it blocked a process from a file located in a folder I cannot see) looks like it doesn't exist. I can't access it at all. It says the virus is in Users->All Users, but there is no such folder in Users.

So far, I've downloaded and scanned with Avast, as well as Malwarebytes Anti-Malware and AdwCleaner. The computer is still running very slowly, and it seems the virus is still in place.

Would really appreciate any help I can get on this.

Attaching the FRST log files below:

 

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 13-07-2016 02
Ran by Matej (administrator) on MATEJ-PC (14-07-2016 11:21:48)
Running from C:\Users\Matej\Desktop
Loaded Profiles: Matej (Available Profiles: Matej)
Platform: Microsoft Windows 7 Home Premium  Service Pack 1 (X86) Language: English (United States)
Internet Explorer Version 11 (Default browser: Chrome)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo...very-scan-tool/
 
==================== Processes (Whitelisted) =================
 
(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)
 
(AVAST Software) C:\Program Files\AVAST Software\Avast\AvastSvc.exe
(AVAST Software) C:\Program Files\AVAST Software\Avast\avastui.exe
(Malwarebytes) C:\Program Files\Malwarebytes Anti-Malware\mbamscheduler.exe
(Piriform Ltd) C:\Program Files\CCleaner\CCleaner.exe
(Malwarebytes) C:\Program Files\Malwarebytes Anti-Malware\mbamservice.exe
(Malwarebytes) C:\Program Files\Malwarebytes Anti-Malware\mbam.exe
(Google Inc.) C:\Program Files\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files\Google\Chrome\Application\chrome.exe
(Microsoft Corporation) C:\Windows\System32\wbem\unsecapp.exe
(Google Inc.) C:\Program Files\Google\Chrome\Application\chrome.exe
(Microsoft Corporation) C:\Program Files\Windows Media Player\wmplayer.exe
(Google Inc.) C:\Program Files\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files\Google\Chrome\Application\chrome.exe
 
 
==================== Registry (Whitelisted) ===========================
 
(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)
 
HKLM\...\Run: [AvastUI.exe] => C:\Program Files\AVAST Software\Avast\AvastUI.exe [8900328 2016-07-13] (AVAST Software)
HKU\S-1-5-21-4077201702-1070884018-4249685965-1000\...\Run: [Okfics] => C:\Windows\System32\regsvr32.exe C:\Users\Matej\AppData\Local\YmwbPack\qbbjahmz.dll
HKU\S-1-5-21-4077201702-1070884018-4249685965-1000\...\Run: [CCleaner Monitoring] => C:\Program Files\CCleaner\CCleaner.exe [6775512 2016-06-10] (Piriform Ltd)
ShellIconOverlayIdentifiers: [00avast] -> {472083B0-C522-11CF-8763-00608CC02F24} => C:\Program Files\AVAST Software\Avast\ashShell.dll [2016-07-13] (AVAST Software)
 
==================== Internet (Whitelisted) ====================
 
(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)
 
Tcpip\Parameters: [DhcpNameServer] 192.168.0.1
Tcpip\..\Interfaces\{1BDAA548-3CFF-45D2-B54E-BF7C01257568}: [DhcpNameServer] 192.168.0.1
 
Internet Explorer:
==================
BHO: avast! Online Security -> {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} -> C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll [2016-07-13] (AVAST Software)
 
FireFox:
========
FF Plugin: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin: @tools.google.com/Google Update;version=3 -> C:\Program Files\Google\Update\1.3.30.3\npGoogleUpdate3.dll [2016-07-12] (Google Inc.)
FF Plugin: @tools.google.com/Google Update;version=9 -> C:\Program Files\Google\Update\1.3.30.3\npGoogleUpdate3.dll [2016-07-12] (Google Inc.)
FF HKLM\...\Firefox\Extensions: [[email protected]] - C:\Program Files\AVAST Software\Avast\WebRep\FF
FF Extension: Avast Online Security - C:\Program Files\AVAST Software\Avast\WebRep\FF [2016-07-13]
FF HKLM\...\Firefox\Extensions: [[email protected]] - C:\Program Files\AVAST Software\Avast\SafePrice\FF
FF Extension: Avast SafePrice - C:\Program Files\AVAST Software\Avast\SafePrice\FF [2016-07-13]
 
Chrome: 
=======
CHR StartupUrls: Default -> "hxxp://google.com/"
CHR Profile: C:\Users\Matej\AppData\Local\Google\Chrome\User Data\Default
CHR Extension: (Google Slides) - C:\Users\Matej\AppData\Local\Google\Chrome\User Data\Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek [2016-07-12]
CHR Extension: (Google Docs) - C:\Users\Matej\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake [2016-07-12]
CHR Extension: (Google Drive) - C:\Users\Matej\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2016-07-12]
CHR Extension: (YouTube) - C:\Users\Matej\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2016-07-12]
CHR Extension: (Avast SafePrice) - C:\Users\Matej\AppData\Local\Google\Chrome\User Data\Default\Extensions\eofcbnmajmjmplflapaojjnihcjkigck [2016-07-13]
CHR Extension: (Google Sheets) - C:\Users\Matej\AppData\Local\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap [2016-07-12]
CHR Extension: (Google Docs Offline) - C:\Users\Matej\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi [2016-07-12]
CHR Extension: (Avast Online Security) - C:\Users\Matej\AppData\Local\Google\Chrome\User Data\Default\Extensions\gomekmidlodglbbmalcneegieacbdmki [2016-07-13]
CHR Extension: (Chrome Web Store Payments) - C:\Users\Matej\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2016-07-12]
CHR Extension: (Gmail) - C:\Users\Matej\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2016-07-12]
CHR Extension: (Chrome Media Router) - C:\Users\Matej\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm [2016-07-12]
CHR HKLM\...\Chrome\Extension: [eofcbnmajmjmplflapaojjnihcjkigck] - hxxps://clients2.google.com/service/update2/crx
CHR HKLM\...\Chrome\Extension: [gomekmidlodglbbmalcneegieacbdmki] - hxxps://clients2.google.com/service/update2/crx
 
==================== Services (Whitelisted) ========================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
R2 avast! Antivirus; C:\Program Files\AVAST Software\Avast\AvastSvc.exe [197128 2016-07-13] (AVAST Software)
R2 MBAMScheduler; C:\Program Files\Malwarebytes Anti-Malware\mbamscheduler.exe [1514464 2016-03-10] (Malwarebytes)
R2 MBAMService; C:\Program Files\Malwarebytes Anti-Malware\mbamservice.exe [1136608 2016-03-10] (Malwarebytes)
R2 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [680960 2015-05-17] (Microsoft Corporation)
 
===================== Drivers (Whitelisted) ==========================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
R2 aswHwid; C:\Windows\system32\drivers\aswHwid.sys [34008 2016-07-13] (AVAST Software)
R1 aswKbd; C:\Windows\system32\drivers\aswKbd.sys [35096 2016-07-13] (AVAST Software)
R2 aswMonFlt; C:\Windows\system32\drivers\aswMonFlt.sys [91680 2016-07-13] (AVAST Software)
R1 aswRdr; C:\Windows\system32\drivers\aswRdr2.sys [91232 2016-07-13] (AVAST Software)
R0 aswRvrt; C:\Windows\system32\Drivers\aswRvrt.sys [60424 2016-07-13] (AVAST Software)
R1 aswSnx; C:\Windows\system32\drivers\aswSnx.sys [816304 2016-07-13] (AVAST Software)
R1 aswSP; C:\Windows\system32\drivers\aswSP.sys [438296 2016-07-13] (AVAST Software)
R2 aswStm; C:\Windows\system32\drivers\aswStm.sys [118152 2016-07-13] (AVAST Software)
R0 aswVmm; C:\Windows\system32\Drivers\aswVmm.sys [222056 2016-07-13] (AVAST Software)
S3 eapihdrv; C:\Users\Matej\AppData\Local\Temp\ehdrv.sys [135760 2016-07-13] (ESET)
R3 MBAMProtector; C:\Windows\system32\drivers\mbam.sys [24448 2016-03-10] (Malwarebytes)
R3 MBAMSwissArmy; C:\Windows\system32\drivers\MBAMSwissArmy.sys [170200 2016-07-14] (Malwarebytes)
R3 MBAMWebAccessControl; C:\Windows\system32\drivers\mwac.sys [53120 2016-03-10] (Malwarebytes Corporation)
 
==================== NetSvcs (Whitelisted) ===================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
 
==================== One Month Created files and folders ========
 
(If an entry is included in the fixlist, the file/folder will be moved.)
 
2016-07-14 11:21 - 2016-07-14 11:22 - 00008301 _____ C:\Users\Matej\Desktop\FRST.txt
2016-07-14 11:19 - 2016-07-14 11:21 - 00000000 ____D C:\FRST
2016-07-14 11:17 - 2016-07-14 11:18 - 01741312 _____ (Farbar) C:\Users\Matej\Desktop\FRST.exe
2016-07-13 20:54 - 2016-07-14 10:53 - 00170200 _____ (Malwarebytes) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
2016-07-13 20:50 - 2016-07-13 21:19 - 00001058 _____ C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2016-07-13 20:50 - 2016-07-13 20:50 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes Anti-Malware
2016-07-13 20:49 - 2016-07-13 20:50 - 00000000 ____D C:\Program Files\Malwarebytes Anti-Malware
2016-07-13 20:49 - 2016-07-13 20:49 - 00000000 ____D C:\ProgramData\Malwarebytes
2016-07-13 20:49 - 2016-03-10 14:09 - 00053120 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mwac.sys
2016-07-13 20:49 - 2016-03-10 14:08 - 00126336 _____ (Malwarebytes) C:\Windows\system32\Drivers\mbamchameleon.sys
2016-07-13 20:49 - 2016-03-10 14:08 - 00024448 _____ (Malwarebytes) C:\Windows\system32\Drivers\mbam.sys
2016-07-13 20:45 - 2016-07-13 20:47 - 22851472 _____ (Malwarebytes ) C:\Users\Matej\Downloads\mbam-setup-2.2.1.1043.exe
2016-07-13 20:44 - 2016-07-13 20:52 - 00000000 ____D C:\AdwCleaner
2016-07-13 20:43 - 2016-07-13 20:44 - 03712064 _____ C:\Users\Matej\Downloads\adwcleaner_5.201.exe
2016-07-13 20:29 - 2016-07-13 20:29 - 00005642 _____ C:\Users\Matej\Desktop\eset.txt
2016-07-13 18:25 - 2016-07-13 18:25 - 00000000 ____D C:\Program Files\ESET
2016-07-13 18:24 - 2016-07-13 18:24 - 02870984 _____ (ESET) C:\Users\Matej\Downloads\esetsmartinstaller_sky.exe
2016-07-13 18:12 - 2016-07-13 21:20 - 00001202 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Avast SafeZone Browser.lnk
2016-07-13 18:12 - 2016-07-13 21:19 - 00001196 _____ C:\Users\Public\Desktop\Avast SafeZone Browser.lnk
2016-07-13 18:10 - 2016-07-13 21:19 - 00000963 _____ C:\Users\Public\Desktop\CCleaner.lnk
2016-07-13 18:10 - 2016-07-13 18:10 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\CCleaner
2016-07-13 18:10 - 2016-07-13 18:10 - 00000000 ____D C:\Program Files\CCleaner
2016-07-13 18:09 - 2016-07-13 18:08 - 00035096 _____ (AVAST Software) C:\Windows\system32\Drivers\aswKbd.sys
2016-07-13 18:06 - 2016-07-13 18:06 - 07991656 _____ (Piriform Ltd) C:\Users\Matej\Downloads\ccsetup519.exe
2016-07-13 18:05 - 2016-07-13 18:05 - 04479336 _____ (globalpcworks.com ) C:\Users\Matej\Downloads\gpcwfhposcwg.exe
2016-07-13 18:01 - 2016-07-13 18:01 - 00000000 ____D C:\Users\Matej\AppData\Local\CEF
2016-07-13 18:00 - 2016-07-13 18:00 - 00000000 ____D C:\Users\Matej\AppData\Roaming\AVAST Software
2016-07-13 17:58 - 2016-07-13 21:19 - 00002073 _____ C:\Users\Public\Desktop\Avast Free Antivirus.lnk
2016-07-13 17:58 - 2016-07-13 17:58 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\AVAST Software
2016-07-13 17:57 - 2016-07-13 17:57 - 00000000 ____D C:\Program Files\Common Files\AV
2016-07-13 17:56 - 2016-07-13 17:57 - 00438296 _____ (AVAST Software) C:\Windows\system32\Drivers\aswsp.sys
2016-07-13 17:56 - 2016-07-13 17:54 - 00222056 _____ (AVAST Software) C:\Windows\system32\Drivers\aswVmm.sys
2016-07-13 17:56 - 2016-07-13 17:54 - 00118152 _____ (AVAST Software) C:\Windows\system32\Drivers\aswStm.sys
2016-07-13 17:56 - 2016-07-13 17:54 - 00091680 _____ (AVAST Software) C:\Windows\system32\Drivers\aswMonFlt.sys
2016-07-13 17:56 - 2016-07-13 17:54 - 00091232 _____ (AVAST Software) C:\Windows\system32\Drivers\aswRdr2.sys
2016-07-13 17:56 - 2016-07-13 17:54 - 00060424 _____ (AVAST Software) C:\Windows\system32\Drivers\aswRvrt.sys
2016-07-13 17:56 - 2016-07-13 17:54 - 00034008 _____ (AVAST Software) C:\Windows\system32\Drivers\aswHwid.sys
2016-07-13 17:56 - 2016-07-13 17:52 - 00816304 _____ (AVAST Software) C:\Windows\system32\Drivers\aswSnx.sys
2016-07-13 17:54 - 2016-07-13 17:53 - 00921280 _____ (Microsoft Corporation) C:\Windows\ucrtbase.dll
2016-07-13 17:54 - 2016-07-13 17:53 - 00319248 _____ (AVAST Software) C:\Windows\system32\aswBoot.exe
2016-07-13 17:53 - 2016-07-13 17:53 - 00053208 _____ (AVAST Software) C:\Windows\avastSS.scr
2016-07-13 17:49 - 2016-07-13 18:08 - 00000000 ____D C:\Program Files\AVAST Software
2016-07-13 17:48 - 2016-07-13 18:08 - 00000000 ____D C:\ProgramData\AVAST Software
2016-07-12 16:08 - 2016-07-12 16:09 - 06253800 _____ (AVAST Software) C:\Users\Matej\Downloads\avast_free_antivirus_setup_online.exe
2016-07-12 14:50 - 2016-06-21 12:13 - 00400552 ____N (Microsoft Corporation) C:\Windows\system32\MpSigStub.exe
2016-07-12 14:27 - 2016-07-13 21:20 - 00002205 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome.lnk
2016-07-12 14:27 - 2016-07-13 21:19 - 00002199 _____ C:\Users\Public\Desktop\Google Chrome.lnk
2016-07-12 14:24 - 2016-07-14 10:50 - 00000882 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2016-07-12 14:24 - 2016-07-13 20:37 - 00000886 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2016-07-12 14:24 - 2016-07-12 16:19 - 00000000 ____D C:\Users\Matej\AppData\Local\Google
2016-07-12 14:24 - 2016-07-12 14:26 - 00000000 ____D C:\Program Files\Google
2016-07-12 14:23 - 2016-07-12 14:24 - 00000000 ____D C:\Users\Matej\AppData\Local\Deployment
2016-07-12 14:23 - 2016-07-12 14:23 - 00058016 _____ C:\Users\Matej\AppData\Local\GDIPFONTCACHEV1.DAT
2016-07-12 14:23 - 2016-07-12 14:23 - 00000000 ____D C:\Users\Matej\AppData\Local\Apps\2.0
2016-07-12 14:21 - 2016-07-12 14:21 - 00000000 ____D C:\Users\Matej\AppData\Roaming\Mozilla
2016-07-12 06:30 - 2016-07-13 18:13 - 00000000 ____D C:\Windows\Panther
2016-07-12 05:55 - 2016-07-13 21:20 - 00001333 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Media Center.lnk
2016-07-12 05:55 - 2016-07-13 21:20 - 00001314 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows DVD Maker.lnk
2016-07-12 05:53 - 2016-07-12 05:53 - 00000000 ____H C:\Windows\system32\Drivers\Msft_User_WpdFs_01_09_00.Wdf
2016-07-11 21:13 - 2016-07-11 21:13 - 07101952 _____ C:\Users\Matej\AppData\Roaming\agent.dat
2016-07-11 21:13 - 2016-07-11 21:13 - 06451784 _____ C:\Users\Matej\Downloads\Windows Loader 2.2.2-Daz.rar
2016-07-11 21:13 - 2016-07-11 21:13 - 00018432 _____ C:\Users\Matej\AppData\Roaming\Main.dat
2016-07-11 21:11 - 2016-07-11 21:11 - 00128512 _____ C:\Users\Matej\AppData\Roaming\Installer.dat
2016-07-11 21:10 - 2016-07-13 20:32 - 00000000 ____D C:\Users\Matej\AppData\Local\Okhics
2016-07-11 21:06 - 2016-07-11 21:06 - 00000000 __SHD C:\Users\Matej\AppData\LocalLow\EmieUserList
2016-07-11 21:06 - 2016-07-11 21:06 - 00000000 __SHD C:\Users\Matej\AppData\LocalLow\EmieSiteList
2016-07-11 21:06 - 2016-07-11 21:06 - 00000000 __SHD C:\Users\Matej\AppData\LocalLow\EmieBrowserModeList
2016-07-11 21:06 - 2016-07-11 21:05 - 01611944 _____ (Secure Download Ltd. ) C:\Users\Matej\Downloads\Registry_Activation
2016-07-11 21:05 - 2016-07-11 21:05 - 00000000 __SHD C:\Users\Matej\AppData\Local\EmieUserList
2016-07-11 21:05 - 2016-07-11 21:05 - 00000000 __SHD C:\Users\Matej\AppData\Local\EmieSiteList
2016-07-11 21:05 - 2016-07-11 21:05 - 00000000 __SHD C:\Users\Matej\AppData\Local\EmieBrowserModeList
2016-07-11 21:04 - 2016-07-13 20:32 - 00000000 ____D C:\Users\Matej\AppData\Local\YmwbPack
2016-07-11 21:04 - 2016-07-13 19:06 - 00000000 ____D C:\Program Files\Windows Loader
2016-07-11 21:03 - 2016-07-13 21:19 - 00001417 _____ C:\Users\Matej\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer.lnk
2016-07-11 21:03 - 2016-07-11 21:10 - 00000000 ____D C:\Users\Matej\AppData\Local\VirtualStore
2016-07-11 21:03 - 2016-07-11 21:03 - 00000020 ___SH C:\Users\Matej\ntuser.ini
2016-07-11 21:03 - 2016-07-11 21:03 - 00000000 _SHDL C:\Users\Matej\My Documents
2016-07-11 21:03 - 2016-07-11 21:03 - 00000000 _SHDL C:\Users\Matej\Documents\My Videos
2016-07-11 21:03 - 2016-07-11 21:03 - 00000000 _SHDL C:\Users\Matej\Documents\My Pictures
2016-07-11 21:03 - 2016-07-11 21:03 - 00000000 _SHDL C:\Users\Matej\Documents\My Music
2016-07-11 21:03 - 2016-07-11 21:03 - 00000000 ____D C:\Users\Matej\AppData\Roaming\Adobe
2016-07-11 21:03 - 2016-07-11 21:03 - 00000000 ____D C:\Users\Matej
2016-07-11 21:03 - 2011-04-12 04:24 - 00000000 ____D C:\Users\Matej\AppData\Roaming\Media Center Programs
2016-07-11 21:02 - 2014-12-11 19:47 - 00074240 _____ (Microsoft Corporation) C:\Windows\system32\TSWbPrxy.exe
 
==================== One Month Modified files and folders ========
 
(If an entry is included in the fixlist, the file/folder will be moved.)
 
2016-07-14 10:59 - 2010-11-20 23:01 - 00713888 _____ C:\Windows\system32\PerfStringBackup.INI
2016-07-14 10:59 - 2009-07-14 04:37 - 00000000 ____D C:\Windows\inf
2016-07-14 10:50 - 2009-07-14 06:53 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2016-07-13 21:26 - 2009-07-14 06:34 - 00016832 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2016-07-13 21:26 - 2009-07-14 06:34 - 00016832 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2016-07-13 21:20 - 2009-07-14 06:46 - 00001479 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows Media Player.lnk
2016-07-13 21:20 - 2009-07-14 06:42 - 00001340 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows Anytime Upgrade.lnk
2016-07-13 21:20 - 2009-07-14 06:42 - 00001292 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Sidebar.lnk
2016-07-13 21:20 - 2009-07-14 06:42 - 00001234 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\XPS Viewer.lnk
2016-07-13 21:20 - 2009-07-14 06:42 - 00001198 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows Fax and Scan.lnk
2016-07-13 21:19 - 2009-07-14 06:46 - 00001218 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Default Programs.lnk
2016-07-13 21:19 - 2009-07-14 06:37 - 00001246 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Windows Update.lnk
2016-07-13 21:17 - 2009-07-14 04:37 - 00000000 ____D C:\Windows\L2Schemas
2016-07-12 06:29 - 2009-07-14 06:52 - 00028672 _____ C:\Windows\system32\config\BCD-Template
2016-07-12 05:56 - 2009-07-14 06:52 - 00000000 ___RD C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Games
2016-07-12 05:55 - 2009-07-14 04:37 - 00000000 ____D C:\Windows\system32\sysprep
2016-07-12 05:50 - 2009-07-14 06:33 - 00267016 _____ C:\Windows\system32\FNTCACHE.DAT
2016-07-11 21:03 - 2009-07-14 06:34 - 00000000 ____D C:\Windows\Setup
2016-07-11 21:01 - 2009-07-14 04:37 - 00000000 ____D C:\Windows\rescache
 
==================== Files in the root of some directories =======
 
2016-07-11 21:13 - 2016-07-11 21:13 - 7101952 _____ () C:\Users\Matej\AppData\Roaming\agent.dat
2016-07-11 21:11 - 2016-07-11 21:11 - 0128512 _____ () C:\Users\Matej\AppData\Roaming\Installer.dat
2016-07-11 21:13 - 2016-07-11 21:13 - 0018432 _____ () C:\Users\Matej\AppData\Roaming\Main.dat
 
Some files in TEMP:
====================
C:\Users\Matej\AppData\Local\Temp\libeay32.dll
C:\Users\Matej\AppData\Local\Temp\msvcr120.dll
C:\Users\Matej\AppData\Local\Temp\sqlite3.dll
 
 
==================== Bamital & volsnap =================
 
(There is no automatic fix for files that do not pass verification.)
 
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\system32\winlogon.exe => File is digitally signed
C:\Windows\system32\wininit.exe => File is digitally signed
C:\Windows\system32\svchost.exe => File is digitally signed
C:\Windows\system32\services.exe => File is digitally signed
C:\Windows\system32\User32.dll => File is digitally signed
C:\Windows\system32\userinit.exe => File is digitally signed
C:\Windows\system32\rpcss.dll => File is digitally signed
C:\Windows\system32\dnsapi.dll => File is digitally signed
C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed
 
 
LastRegBack: 2016-07-12 05:49
 
==================== End of FRST.txt ============================
 
Additional scan result of Farbar Recovery Scan Tool (x86) Version: 13-07-2016 02
Ran by Matej (2016-07-14 11:24:02)
Running from C:\Users\Matej\Desktop
Microsoft Windows 7 Home Premium  Service Pack 1 (X86) (2016-07-11 19:02:54)
Boot Mode: Normal
==========================================================
 
 
==================== Accounts: =============================
 
Administrator (S-1-5-21-4077201702-1070884018-4249685965-500 - Administrator - Disabled)
Guest (S-1-5-21-4077201702-1070884018-4249685965-501 - Limited - Disabled)
Matej (S-1-5-21-4077201702-1070884018-4249685965-1000 - Administrator - Enabled) => C:\Users\Matej
 
==================== Security Center ========================
 
(If an entry is included in the fixlist, it will be removed.)
 
AV: avast! Antivirus (Enabled - Up to date) {17AD7D40-BA12-9C46-7131-94903A54AD8B}
AS: Windows Defender (Enabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
AS: avast! Antivirus (Enabled - Up to date) {ACCC9CA4-9C28-93C8-4B81-AFE241D3E736}
 
==================== Installed Programs ======================
 
(Only the adware programs with "Hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)
 
Avast Free Antivirus (HKLM\...\Avast) (Version: 12.1.2272 - AVAST Software)
CCleaner (HKLM\...\CCleaner) (Version: 5.19 - Piriform)
ESET Online Scanner v3 (HKLM\...\ESET Online Scanner) (Version:  - )
Google Chrome (HKLM\...\Google Chrome) (Version: 51.0.2704.106 - Google Inc.)
Google Update Helper (Version: 1.3.30.3 - Google Inc.) Hidden
Malwarebytes Anti-Malware version 2.2.1.1043 (HKLM\...\Malwarebytes Anti-Malware_is1) (Version: 2.2.1.1043 - Malwarebytes)
SafeZone Stable 1.48.2066.114 (Version: 1.48.2066.114 - Avast Software) Hidden
 
==================== Custom CLSID (Whitelisted): ==========================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
 
==================== Scheduled Tasks (Whitelisted) =============
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
Task: {01A47669-9095-49A7-BA31-329950F226AC} - System32\Tasks\AVAST Software\Avast settings backup => C:\Program Files\Common Files\AV\avast! Antivirus\backup.exe [2016-07-13] (AVAST Software)
Task: {2BB8ED0F-FF85-475B-A37E-EB9037674186} - System32\Tasks\avast! Emergency Update => C:\Program Files\AVAST Software\Avast\AvastEmUpdate.exe [2016-07-13] (AVAST Software)
Task: {6EC683AC-F0B6-4338-8DC2-31B2C2617AF7} - System32\Tasks\CCleanerSkipUAC => C:\Program Files\CCleaner\CCleaner.exe [2016-06-10] (Piriform Ltd)
Task: {9D73418C-8C22-42CD-94FD-2DB22ED1E795} - System32\Tasks\GoogleUpdateTaskMachineUA => C:\Program Files\Google\Update\GoogleUpdate.exe [2016-07-12] (Google Inc.)
Task: {BA54F7D8-51C3-4608-9919-C13A470B462A} - System32\Tasks\GoogleUpdateTaskMachineCore => C:\Program Files\Google\Update\GoogleUpdate.exe [2016-07-12] (Google Inc.)
Task: {EDE56AB7-8181-4528-A07C-D3935DE5A5DC} - System32\Tasks\SafeZone scheduled Autoupdate 1468426315 => C:\Program Files\AVAST Software\SZBrowser\launcher.exe [2016-06-17] (Avast Software)
 
(If an entry is included in the fixlist, the task (.job) file will be moved. The file which is running by the task will not be moved.)
 
Task: C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job => C:\Program Files\Google\Update\GoogleUpdate.exe
Task: C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job => C:\Program Files\Google\Update\GoogleUpdate.exe
 
==================== Shortcuts =============================
 
(The entries could be listed to be restored or removed.)
 
==================== Loaded Modules (Whitelisted) ==============
 
2016-07-13 17:53 - 2016-07-13 17:53 - 00146232 _____ () C:\Program Files\AVAST Software\Avast\JsonRpcServer.dll
2016-07-13 17:53 - 2016-07-13 17:53 - 00479288 _____ () C:\Program Files\AVAST Software\Avast\ffl2.dll
2016-07-14 10:52 - 2016-07-14 10:52 - 03000320 _____ () C:\Program Files\AVAST Software\Avast\defs\16071400\algo.dll
2016-07-13 17:54 - 2016-07-13 17:54 - 48936448 _____ () C:\Program Files\AVAST Software\Avast\libcef.dll
2016-07-12 16:20 - 2014-02-10 13:44 - 04592128 _____ () C:\Users\Matej\AppData\Local\Google\Chrome\User Data\SwiftShader\3.2.6.45159\libglesv2.dll
2016-07-12 16:20 - 2014-02-10 13:44 - 00112128 _____ () C:\Users\Matej\AppData\Local\Google\Chrome\User Data\SwiftShader\3.2.6.45159\libegl.dll
2016-07-13 18:07 - 2016-07-06 18:01 - 17602240 _____ () C:\Users\Matej\AppData\Local\Google\Chrome\User Data\PepperFlash\22.0.0.209\pepflashplayer.dll
 
==================== Alternate Data Streams (Whitelisted) =========
 
(If an entry is included in the fixlist, only the ADS will be removed.)
 
 
==================== Safe Mode (Whitelisted) ===================
 
(If an entry is included in the fixlist, it will be removed from the registry. The "AlternateShell" value will be restored.)
 
 
==================== Association (Whitelisted) ===============
 
(If an entry is included in the fixlist, the registry item will be restored to default or removed.)
 
 
==================== Internet Explorer trusted/restricted ===============
 
(If an entry is included in the fixlist, it will be removed from the registry.)
 
 
==================== Hosts content: ===============================
 
(If needed Hosts: directive could be included in the fixlist to reset Hosts.)
 
2009-07-14 04:04 - 2009-06-10 23:39 - 00000824 ____A C:\Windows\system32\Drivers\etc\hosts
 
 
==================== Other Areas ============================
 
(Currently there is no automatic fix for this section.)
 
HKU\S-1-5-21-4077201702-1070884018-4249685965-1000\Control Panel\Desktop\\Wallpaper -> C:\Users\Matej\AppData\Roaming\Microsoft\Windows\Themes\TranscodedWallpaper.jpg
DNS Servers: 192.168.0.1
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System => (ConsentPromptBehaviorAdmin: 5) (ConsentPromptBehaviorUser: 3) (EnableLUA: 1)
Windows Firewall is enabled.
 
==================== MSCONFIG/TASK MANAGER disabled items ==
 
(Currently there is no automatic fix for this section.)
 
 
==================== FirewallRules (Whitelisted) ===============
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
FirewallRules: [{FD68F25A-0075-4A94-BAFB-9BB7228CBDF8}] => (Allow) C:\Program Files\Google\Chrome\Application\chrome.exe
 
==================== Restore Points =========================
 
11-07-2016 21:02:04 Windows Update
 
==================== Faulty Device Manager Devices =============
 
Name: Base System Device
Description: Base System Device
Class Guid: 
Manufacturer: 
Service: 
Problem: : The drivers for this device are not installed. (Code 28)
Resolution: To install the drivers for this device, click "Update Driver", which starts the Hardware Update wizard.
 
Name: Biometric Coprocessor
Description: Biometric Coprocessor
Class Guid: 
Manufacturer: 
Service: 
Problem: : The drivers for this device are not installed. (Code 28)
Resolution: To install the drivers for this device, click "Update Driver", which starts the Hardware Update wizard.
 
Name: Base System Device
Description: Base System Device
Class Guid: 
Manufacturer: 
Service: 
Problem: : The drivers for this device are not installed. (Code 28)
Resolution: To install the drivers for this device, click "Update Driver", which starts the Hardware Update wizard.
 
Name: Base System Device
Description: Base System Device
Class Guid: 
Manufacturer: 
Service: 
Problem: : The drivers for this device are not installed. (Code 28)
Resolution: To install the drivers for this device, click "Update Driver", which starts the Hardware Update wizard.
 
 
==================== Event log errors: =========================
 
Application errors:
==================
Error: (07/14/2016 10:51:08 AM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003
 
Error: (07/13/2016 09:18:05 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003
 
Error: (07/13/2016 08:54:15 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003
 
Error: (07/13/2016 08:32:40 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003
 
Error: (07/13/2016 05:43:12 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003
 
Error: (07/12/2016 03:42:50 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003
 
Error: (07/12/2016 02:20:47 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003
 
Error: (07/11/2016 09:11:25 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003
 
Error: (07/11/2016 09:07:49 PM) (Source: Application Hang) (EventID: 1002) (User: )
Description: The program NOTEPAD.EXE version 6.1.7600.16385 stopped interacting with Windows and was closed. To see if more information about the problem is available, check the problem history in the Action Center control panel.
 
Process ID: af8
 
Start Time: 01d1dba76ce6fef2
 
Termination Time: 0
 
Application Path: C:\Windows\system32\NOTEPAD.EXE
 
Report Id: b74be44a-479a-11e6-bc3c-00219bd4ef2c
 
Error: (07/12/2016 06:01:45 AM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003
 
 
System errors:
=============
Error: (07/13/2016 08:53:04 PM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: The Print Spooler service failed to start due to the following error: 
%%3 = The system cannot find the path specified.
 
 
Error: (07/13/2016 08:52:33 PM) (Source: Service Control Manager) (EventID: 7032) (User: )
Description: The Service Control Manager tried to take a corrective action (Restart the service) after the unexpected termination of the Windows Search service, but this action failed with the following error: 
%%1056 = An instance of the service is already running.
 
 
Error: (07/13/2016 08:52:07 PM) (Source: Service Control Manager) (EventID: 7034) (User: )
Description: The MBAMService service terminated unexpectedly.  It has done this 1 time(s).
 
Error: (07/13/2016 08:52:07 PM) (Source: Service Control Manager) (EventID: 7034) (User: )
Description: The MBAMScheduler service terminated unexpectedly.  It has done this 1 time(s).
 
Error: (07/13/2016 08:52:04 PM) (Source: Service Control Manager) (EventID: 7031) (User: )
Description: The Software Protection service terminated unexpectedly.  It has done this 1 time(s).  The following corrective action will be taken in 120000 milliseconds: Restart the service.
 
Error: (07/13/2016 08:52:03 PM) (Source: Service Control Manager) (EventID: 7031) (User: )
Description: The Windows Search service terminated unexpectedly.  It has done this 1 time(s).  The following corrective action will be taken in 30000 milliseconds: Restart the service.
 
Error: (07/13/2016 08:52:02 PM) (Source: Service Control Manager) (EventID: 7031) (User: )
Description: The Print Spooler service terminated unexpectedly.  It has done this 1 time(s).  The following corrective action will be taken in 60000 milliseconds: Restart the service.
 
Error: (07/13/2016 08:32:19 PM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: The Ronzap service failed to start due to the following error: 
%%2 = The system cannot find the file specified.
 
 
Error: (07/13/2016 08:32:18 PM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: The CloudPrinter service failed to start due to the following error: 
%%2 = The system cannot find the file specified.
 
 
Error: (07/13/2016 06:13:09 PM) (Source: DCOM) (EventID: 10010) (User: )
Description: {F9717507-6651-4EDB-BFF7-AE615179BCCF}
 
 
CodeIntegrity:
===================================
  Date: 2016-07-14 10:52:33.770
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\drivers\mwac.sys because the set of per-page image hashes could not be found on the system.
 
  Date: 2016-07-14 10:50:22.978
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\drivers\aswKbd.sys because the set of per-page image hashes could not be found on the system.
 
  Date: 2016-07-14 10:50:22.853
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\drivers\aswSnx.sys because the set of per-page image hashes could not be found on the system.
 
  Date: 2016-07-13 21:21:53.305
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\drivers\mwac.sys because the set of per-page image hashes could not be found on the system.
 
  Date: 2016-07-13 21:18:26.545
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\drivers\mwac.sys because the set of per-page image hashes could not be found on the system.
 
  Date: 2016-07-13 21:17:22.491
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\drivers\aswKbd.sys because the set of per-page image hashes could not be found on the system.
 
  Date: 2016-07-13 21:17:22.304
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\drivers\aswSnx.sys because the set of per-page image hashes could not be found on the system.
 
  Date: 2016-07-13 20:54:44.645
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\drivers\mwac.sys because the set of per-page image hashes could not be found on the system.
 
  Date: 2016-07-13 20:53:27.688
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\drivers\aswKbd.sys because the set of per-page image hashes could not be found on the system.
 
  Date: 2016-07-13 20:53:27.501
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\drivers\aswSnx.sys because the set of per-page image hashes could not be found on the system.
 
 
==================== Memory info =========================== 
 
Processor: Intel® Core™2 Duo CPU T8300 @ 2.40GHz
Percentage of memory in use: 82%
Total physical RAM: 2038.04 MB
Available physical RAM: 364.73 MB
Total Virtual: 4076.09 MB
Available Virtual: 1949.97 MB
 
==================== Drives ================================
 
Drive c: () (Fixed) (Total:297.99 GB) (Free:284.44 GB) NTFS
Drive e: (MATO'S IPOD) (Removable) (Total:74.41 GB) (Free:38.99 GB) NTFS
 
==================== MBR & Partition Table ==================
 
========================================================
Disk: 0 (MBR Code: Windows 7 or 8) (Size: 298.1 GB) (Disk ID: 5175BD52)
Partition 1: (Active) - (Size=100 MB) - (Type=07 NTFS)
Partition 2: (Not Active) - (Size=298 GB) - (Type=07 NTFS)
Attempted reading MBR returned 0 bytes.
 Could not read MBR for disk 1.
 
==================== End of Addition.txt ============================

 




#2
RKinner

RKinner

    Malware Expert

  • Expert
  • 24,598 posts
  • MVP
 
Download the attached fixlist.txt to the same location as FRST
 
 
Run FRST and press Fix
A fix log will be generated please post that 
 
To see All Users you need to tell Windows to unhide the files:
 
 
Let Avast do a boot-time scan tonight as follows (takes about 6 hours so best to let it run while you sleep):
 
Open Avast, Scan, Scan for Viruses, Change the Quick Scan (in the box in the center of the page) to Boot-time Scan.  Then at the bottom of the page click on Scan Settings.
 
Make sure both boxes are checked and click on the gray box to the right of the orange ones.  It should turn orange.  Change where it says "Fix Automatically" to "Move to Chest."  OK.  Now click on Start and then close Avast.  Mute your speakers so it doesn't wake you up when Windows boots.
 
When you reboot you will see the scan start.  It will tell you where it saves its log.  Usually it's C:\ProgramData\AVAST Software\Avast\report\aswBoot.txt but it might change so verify the location.   This is a hidden location so you will need to tell Windows to let you see it:
 
 
Copy and paste the text from the log to a Reply when done.

 



#3
TrojanNoob

TrojanNoob

    New Member

  • Topic Starter
  • Member
  • Pip
  • 5 posts

Hi there,

 

Thanks for the reply. Here's the log you mentioned:

 

07/15/2016 09:15
Scan of C:
 
Scan of *STARTUP
 
File C:\AdwCleaner\FileQuarantine\C\ProgramData\Ronzap\U-tom.exe.vir is infected by Win32:Malware-gen, Moved to chest
File C:\hiberfil.sys is infected by MSIL:Banker-DO [Trj], Move to chest: Error 0xC000007F {An operation failed because the disk was full.}
Number of searched folders: 12905
Number of tested files: 84724
Number of infected files: 2


#4
RKinner

RKinner

    Malware Expert

  • Expert
  • 24,598 posts
  • MVP

File C:\hiberfil.sys is infected by MSIL:Banker-DO [Trj], Move to chest: Error 0xC000007F {An operation failed because the disk was full.}

 

 

 

Copy the next line:

powercfg -h off

Start, All Programs, Accessories, right click on Command Prompt and Run as Administrator, Continue.  Right click and Paste or Edit then Paste and the copied line should appear.

Hit Enter.
 
Reboot.
 
That should delete the C:\hiberfil.sys.  If you want to use hibernation you can turn it back on:
 
powercfg -h on

Did you get the Fixlist to work?  There should be a fixlog.txt.  Please post it.

 

 



#5
TrojanNoob

TrojanNoob

    New Member

  • Topic Starter
  • Member
  • Pip
  • 5 posts

Hi there,

 

Sorry, forgot about the fixlog. Here it is:

 

Fix result of Farbar Recovery Scan Tool (x86) Version: 13-07-2016 02
Ran by Matej (2016-07-15 09:00:06) Run:1
Running from C:\Users\Matej\Desktop
Loaded Profiles: Matej &  (Available Profiles: Matej)
Boot Mode: Normal
 
==============================================
 
fixlist content:
*****************
HKU\S-1-5-21-4077201702-1070884018-4249685965-1000\...\Run: [Okfics] => C:\Windows\System32\regsvr32.exe C:\Users\Matej\AppData\Local\YmwbPack\qbbjahmz.dll
C:\Users\Matej\AppData\Local\YmwbPack
*****************
 
HKU\S-1-5-21-4077201702-1070884018-4249685965-1000\Software\Microsoft\Windows\CurrentVersion\Run\\Okfics => value removed successfully.
C:\Users\Matej\AppData\Local\YmwbPack => moved successfully
 
==== End of Fixlog 09:00:09 ====
 
I've also put in the lines you mentioned and rebooted my PC. 

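The fixlog above removed a Run value that started a DLL under AppData\Local through regsvr32.exe. As an added example (not part of this thread and not FRST's own code), the script below reads FRST-style "Run:" lines and flags that pattern: a signed Windows loader binary pointed at a payload in a user-writable directory, or an autorun binary that itself lives in one. The Okfics line in the sample is the one from the fixlog; the AvastUI and ExampleUpdater lines, with their sizes and dates, are constructed for the example.

```python
"""Triage autorun entries written in FRST's "Run:" line format.

Added example, not FRST's own code and not from the thread. It looks for the
pattern the fixlist above shows: a signed Windows binary (regsvr32.exe) used to
load a DLL that lives under the user's profile. The Okfics line is the one from
the fixlog; the other two sample lines are constructed for this example.
"""
import re
from typing import Dict, List

# Signed Windows binaries that will load whatever DLL or script they are given.
PROXY_LOADERS = {"regsvr32.exe", "rundll32.exe", "mshta.exe", "wscript.exe", "cscript.exe"}

# Directory markers any non-admin user can write to. Software installed for the
# whole machine almost never autoruns a DLL from these places.
USER_WRITABLE_MARKERS = (
    "\\appdata\\local\\", "\\appdata\\locallow\\", "\\appdata\\roaming\\",
    "\\programdata\\", "\\users\\public\\", "\\temp\\",
)

# <hive>\...\Run: [Name] => <command line> [size date] (Publisher)
RUN_LINE = re.compile(r"^(?P<key>.+?)\\\.\.\.\\Run: \[(?P<name>[^\]]*)\] => (?P<cmd>.+)$")
FRST_META = re.compile(r"\s+\[\d+ \d{4}-\d{2}-\d{2}\].*$")  # trailing "[size date] (Publisher)"

# Constructed sample: line 1 is from the thread's fixlog, lines 2 and 3 are made up.
SAMPLE = r"""
HKU\S-1-5-21-4077201702-1070884018-4249685965-1000\...\Run: [Okfics] => C:\Windows\System32\regsvr32.exe C:\Users\Matej\AppData\Local\YmwbPack\qbbjahmz.dll
HKLM\...\Run: [AvastUI.exe] => C:\Program Files\AVAST Software\Avast\AvastUI.exe [7899088 2016-07-12] (AVAST Software)
HKU\S-1-5-21-4077201702-1070884018-4249685965-1000\...\Run: [ExampleUpdater] => C:\Users\Matej\AppData\Roaming\ExampleDir\example.exe
"""


def split_command(cmd: str):
    """Split a Windows command line into (executable, arguments)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):                      # quoted path, possibly with spaces
        end = cmd.find('"', 1)
        if end > 0:
            return cmd[1:end], cmd[end + 1:].strip()
    idx = cmd.lower().find(".exe")               # unquoted path: cut after the first .exe
    if idx >= 0:
        return cmd[:idx + 4], cmd[idx + 4:].strip()
    parts = cmd.split(None, 1)
    return parts[0], (parts[1] if len(parts) > 1 else "")


def in_user_writable(path: str) -> bool:
    low = path.lower()
    return any(marker in low for marker in USER_WRITABLE_MARKERS)


def triage_run_entries(text: str) -> List[Dict[str, str]]:
    """Return one verdict per Run entry: 'ok' or 'suspicious' plus the reasons."""
    findings: List[Dict[str, str]] = []
    for line in text.splitlines():
        m = RUN_LINE.match(line.strip())
        if not m:
            continue
        cmd = FRST_META.sub("", m.group("cmd"))
        exe, args = split_command(cmd)
        exe_name = exe.replace("/", "\\").rsplit("\\", 1)[-1].lower()
        reasons = []
        if exe_name in PROXY_LOADERS and in_user_writable(args):
            reasons.append(f"{exe_name} loads a payload from a user-writable directory")
        if in_user_writable(exe):
            reasons.append("autorun executable itself lives in a user-writable directory")
        findings.append({
            "key": m.group("key"), "name": m.group("name"), "exe": exe, "args": args,
            "verdict": "suspicious" if reasons else "ok", "reasons": "; ".join(reasons),
        })
    return findings


if __name__ == "__main__":
    for f in triage_run_entries(SAMPLE):
        print(f"[{f['verdict']:10}] {f['name']}: {f['exe']} {f['args']}  {f['reasons']}")
```

The directory list is the whole heuristic: a Run value that hands regsvr32 or rundll32 a DLL under the user's profile or ProgramData is the thing to look at first in a log like this, because nothing that installs for the whole machine needs to do that.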

#6
RKinner

RKinner

    Malware Expert

  • Expert
  • 24,598 posts
  • MVP
 
Right click on (My) Computer and select Manage (Continue). Then click on the arrow in front of Event Viewer. Next click on the arrow in front of Windows Logs. Right click on System and Clear Log, Clear. Repeat for Application.
 
Reboot. 
 
Start, All Programs, Accessories then right click on Command Prompt and Run as Administrator.  Then type (with an Enter after each line).
 
sfc  /scannow
 
(This will check your critical system files. Does this finish without complaint?  IF it says it couldn't fix everything then:
 
Copy the next two lines:
 
findstr  /c:"[SR]"  \windows\logs\cbs\cbs.log  >  \windows\logs\cbs\junk.txt 
notepad \windows\logs\cbs\junk.txt 
 
Start, All Programs, Accessories, right click on Command Prompt and Run as Administrator, Continue.  Right click and Paste or Edit then Paste and the copied line should appear.
Hit Enter. Copy and paste the text from notepad or if it is too big, just attach the file.)
 
 
1. Please download the Event Viewer Tool by Vino Rosso
and save it to your Desktop:
2. Right-click VEW.exe and Run AS Administrator
3. Under 'Select log to query', select:
 
* System
4. Under 'Select type to list', select:
* Error
* Warning
 
 
Then use the 'Number of events' as follows:
 
 
1. Click the radio button for 'Number of events'
Type 20 in the 1 to 20 box
Then click the Run button.
Notepad will open with the output log.
 
 
Please post the Output log in your next reply then repeat but select Application.  (Each time you run VEW it overwrites the log so copy the first one to a Reply or rename it before running it a second time.)
 
 FRST said you were missing some drivers.  Right click on Computer and select Manage then Device Manager.  View Show Hidden Devices then look for any yellow flagged devices.  For each one right click and select Properties then Details.  Change Property from Device Description to Hardware IDs.  Select the top one and right click and Copy.  Move to a Reply and Paste (Ctrl + v).  Repeat for all yellow flagged devices.

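The findstr step above pulls the "[SR]" lines out of CBS.log so you can see what sfc verified and what it could not repair. As an added example (not part of this thread and not a Microsoft tool), the script below does the same filtering in Python and then reads the result into a short summary. The sample lines are constructed in the shape of CBS.log entries; the component, package and file names in them are made up, and the exact wording of real entries varies between Windows builds.

```python
"""Summarize the [SR] lines of CBS.log, the lines the findstr step above extracts.

Added example, not from the thread and not a Microsoft tool. The sample is
constructed in the shape of CBS.log entries (exact wording differs between
Windows builds); the component and file names in it are made up.
"""
import re
from typing import Any, Dict, List

SR_LINE = re.compile(r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}), .*?\[SR\] (?P<msg>.*)$")
MEMBER_FILE = re.compile(r'\[l:\d+\{\d+\}\]"(?P<file>[^"]+)"')  # [l:bytes{chars}]"name"
VERIFYING = re.compile(r"^Verifying (?P<n>\d+) \(")
REPAIRING = re.compile(r"^Repairing (?P<n>\d+) components")

# Constructed sample in the shape of CBS.log (timestamps, names and ids are made up).
SAMPLE = """\
2016-07-15 09:31:02, Info                  CSI    00000008 [SR] Verifying 100 (0x0000000000000064) components
2016-07-15 09:31:02, Info                  CSI    00000009 [SR] Beginning Verify and Repair transaction
2016-07-15 09:31:40, Info                  CSI    0000000a [SR] Cannot repair member file [l:22{11}]"example.dll" of Example-Component, Version = 6.1.7600.16385, pA = PROCESSOR_ARCHITECTURE_INTEL (0), Culture neutral
2016-07-15 09:31:40, Info                  CSI    0000000b [SR] This component was referenced by [l:30{15}]"Example-Package"
2016-07-15 09:31:41, Info                  CSI    0000000c [SR] Repairing 1 components
2016-07-15 09:31:41, Info                  CSI    0000000d [SR] Repair complete
2016-07-15 09:31:41, Info                  CSI    0000000e [SR] Verify complete
2016-07-15 09:31:41, Info                  CBS    Exec: Processing complete.
"""


def filter_sr_lines(text: str) -> List[str]:
    """Equivalent of findstr /c:"[SR]": keep only the lines that carry the tag."""
    return [line for line in text.splitlines() if "[SR]" in line]


def summarize_cbs(text: str) -> Dict[str, Any]:
    """Count what sfc verified, what it repaired and what it gave up on."""
    summary: Dict[str, Any] = {
        "sr_lines": 0, "verified_components": 0, "repairing_components": 0,
        "unrepairable_files": [], "repair_complete": False, "verify_complete": False,
    }
    for line in filter_sr_lines(text):
        m = SR_LINE.match(line)
        if not m:
            continue
        summary["sr_lines"] += 1
        msg = m.group("msg")
        v = VERIFYING.match(msg)
        r = REPAIRING.match(msg)
        if v:
            summary["verified_components"] += int(v.group("n"))
        elif r:
            summary["repairing_components"] += int(r.group("n"))
        elif msg.startswith("Cannot repair member file"):
            f = MEMBER_FILE.search(msg)
            summary["unrepairable_files"].append(f.group("file") if f else msg)
        elif msg == "Repair complete":
            summary["repair_complete"] = True
        elif msg == "Verify complete":
            summary["verify_complete"] = True
    return summary


def sfc_verdict(summary: Dict[str, Any]) -> str:
    """Plain-language reading of the summary, the one-liner to post back in a reply."""
    if summary["sr_lines"] == 0:
        return "no [SR] lines: sfc did not run or the log was cleared"
    if summary["unrepairable_files"]:
        return "sfc could not repair: " + ", ".join(summary["unrepairable_files"])
    return "sfc finished without unrepairable files"


if __name__ == "__main__":
    s = summarize_cbs(SAMPLE)
    print(s)
    print(sfc_verdict(s))
```

The "Cannot repair member file" lines are the ones that matter; a log that has none of them and ends in "Verify complete" is the "finishes without complaint" case in the instructions above.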

#7
TrojanNoob

TrojanNoob

    New Member

  • Topic Starter
  • Member
  • Pip
  • 5 posts
Hi there,
 
Thanks for the reply. 
 
I'll start at the bottom - here are the 4 drivers with a yellow warning/flag on them. All of them were under "Other Devices", with 3 of them being a "base system device" while the last one is a "Biometric Coprocessor". It says the drivers are not installed.
 
PCI\VEN_1180&DEV_0852&SUBSYS_02091028&REV_12
PCI\VEN_1180&DEV_0592&SUBSYS_02091028&REV_12
PCI\VEN_1180&DEV_0843&SUBSYS_02091028&REV_12
USB\VID_0483&PID_2016&REV_0001
 
Here is the Event Viewer log:
 
Vino's Event Viewer v01c run on Windows 2008 in English
Report run at 15/07/2016 7:54:47 PM
 
Note: All dates below are in the format dd/mm/yyyy
 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
'System' Log - Critical Type
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
'System' Log - Error Type
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Log: 'System' Date/Time: 15/07/2016 5:14:59 PM
Type: Error Category: 0
Event: 7011 Source: Service Control Manager
A timeout (30000 milliseconds) was reached while waiting for a transaction response from the Netman service.
 
Log: 'System' Date/Time: 15/07/2016 10:05:44 AM
Type: Error Category: 0
Event: 7011 Source: Service Control Manager
A timeout (30000 milliseconds) was reached while waiting for a transaction response from the avast! Antivirus service.
 
Log: 'System' Date/Time: 15/07/2016 10:05:35 AM
Type: Error Category: 2
Event: 55 Source: Ntfs
The file system structure on the disk is corrupt and unusable. Please run the chkdsk utility on the volume E:.
 
Log: 'System' Date/Time: 15/07/2016 9:28:43 AM
Type: Error Category: 0
Event: 10010 Source: Microsoft-Windows-DistributedCOM
The server {995C996E-D918-4A8C-A302-45719A6F4EA7} did not register with DCOM within the required timeout.
 
Log: 'System' Date/Time: 15/07/2016 9:28:43 AM
Type: Error Category: 0
Event: 7011 Source: Service Control Manager
A timeout (30000 milliseconds) was reached while waiting for a transaction response from the Netman service.
 
Log: 'System' Date/Time: 15/07/2016 7:00:07 AM
Type: Error Category: 0
Event: 10010 Source: Microsoft-Windows-DistributedCOM
The server {F9717507-6651-4EDB-BFF7-AE615179BCCF} did not register with DCOM within the required timeout.
 
Log: 'System' Date/Time: 15/07/2016 6:54:06 AM
Type: Error Category: 0
Event: 7031 Source: Service Control Manager
The Avast Antivirus service terminated unexpectedly.  It has done this 1 time(s).  The following corrective action will be taken in 5000 milliseconds: Restart the service.
 
Log: 'System' Date/Time: 15/07/2016 6:52:50 AM
Type: Error Category: 0
Event: 7011 Source: Service Control Manager
A timeout (30000 milliseconds) was reached while waiting for a transaction response from the Wlansvc service.
 
Log: 'System' Date/Time: 13/07/2016 6:53:04 PM
Type: Error Category: 0
Event: 7000 Source: Service Control Manager
The Print Spooler service failed to start due to the following error:  The system cannot find the path specified.
 
Log: 'System' Date/Time: 13/07/2016 6:52:33 PM
Type: Error Category: 0
Event: 7032 Source: Service Control Manager
The Service Control Manager tried to take a corrective action (Restart the service) after the unexpected termination of the Windows Search service, but this action failed with the following error:  An instance of the service is already running.
 
Log: 'System' Date/Time: 13/07/2016 6:52:07 PM
Type: Error Category: 0
Event: 7034 Source: Service Control Manager
The MBAMService service terminated unexpectedly.  It has done this 1 time(s).
 
Log: 'System' Date/Time: 13/07/2016 6:52:07 PM
Type: Error Category: 0
Event: 7034 Source: Service Control Manager
The MBAMScheduler service terminated unexpectedly.  It has done this 1 time(s).
 
Log: 'System' Date/Time: 13/07/2016 6:52:04 PM
Type: Error Category: 0
Event: 7031 Source: Service Control Manager
The Software Protection service terminated unexpectedly.  It has done this 1 time(s).  The following corrective action will be taken in 120000 milliseconds: Restart the service.
 
Log: 'System' Date/Time: 13/07/2016 6:52:03 PM
Type: Error Category: 0
Event: 7031 Source: Service Control Manager
The Windows Search service terminated unexpectedly.  It has done this 1 time(s).  The following corrective action will be taken in 30000 milliseconds: Restart the service.
 
Log: 'System' Date/Time: 13/07/2016 6:52:02 PM
Type: Error Category: 0
Event: 7031 Source: Service Control Manager
The Print Spooler service terminated unexpectedly.  It has done this 1 time(s).  The following corrective action will be taken in 60000 milliseconds: Restart the service.
 
Log: 'System' Date/Time: 13/07/2016 6:32:19 PM
Type: Error Category: 0
Event: 7000 Source: Service Control Manager
The Ronzap service failed to start due to the following error:  The system cannot find the file specified.
 
Log: 'System' Date/Time: 13/07/2016 6:32:18 PM
Type: Error Category: 0
Event: 7000 Source: Service Control Manager
The CloudPrinter service failed to start due to the following error:  The system cannot find the file specified.
 
Log: 'System' Date/Time: 13/07/2016 4:13:09 PM
Type: Error Category: 0
Event: 10010 Source: Microsoft-Windows-DistributedCOM
The server {F9717507-6651-4EDB-BFF7-AE615179BCCF} did not register with DCOM within the required timeout.
 
Log: 'System' Date/Time: 13/07/2016 3:53:17 PM
Type: Error Category: 0
Event: 7034 Source: Service Control Manager
The Ronzap service terminated unexpectedly.  It has done this 1 time(s).
 
Log: 'System' Date/Time: 13/07/2016 3:52:32 PM
Type: Error Category: 0
Event: 7034 Source: Service Control Manager
The CloudPrinter service terminated unexpectedly.  It has done this 1 time(s).
 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
'System' Log - Warning Type
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Log: 'System' Date/Time: 15/07/2016 2:22:28 PM
Type: Warning Category: 7
Event: 37 Source: Microsoft-Windows-Kernel-Processor-Power
The speed of processor 1 in group 0 is being limited by system firmware. The processor has been in this reduced performance state for 71 seconds since the last report.
 
Log: 'System' Date/Time: 15/07/2016 2:22:28 PM
Type: Warning Category: 7
Event: 37 Source: Microsoft-Windows-Kernel-Processor-Power
The speed of processor 0 in group 0 is being limited by system firmware. The processor has been in this reduced performance state for 71 seconds since the last report.
 
Log: 'System' Date/Time: 15/07/2016 2:21:59 PM
Type: Warning Category: 212
Event: 219 Source: Microsoft-Windows-Kernel-PnP
The driver \Driver\WUDFRd failed to load for the device WpdBusEnumRoot\UMB\2&37c186b&0&STORAGE#VOLUME#_??_USBSTOR#DISK&VEN_APPLE&PROD_IPOD&REV_1.62#000A2700152F98A9&0#.
 
Log: 'System' Date/Time: 15/07/2016 2:21:32 PM
Type: Warning Category: 0
Event: 11 Source: Microsoft-Windows-Wininit
Custom dynamic link libraries are being loaded for every application. The system administrator should review the list of libraries to ensure they are related to trusted applications.
 
Log: 'System' Date/Time: 15/07/2016 2:21:21 PM
Type: Warning Category: 0
Event: 4 Source: b57nd60x
Broadcom NetLink ™ Fast Ethernet: The network link is down.  Check to make sure the network cable is properly connected.
 
Log: 'System' Date/Time: 15/07/2016 2:20:41 PM
Type: Warning Category: 0
Event: 4001 Source: Microsoft-Windows-WLAN-AutoConfig
WLAN AutoConfig service has successfully stopped. 
 
Log: 'System' Date/Time: 15/07/2016 7:58:31 AM
Type: Warning Category: 0
Event: 11 Source: Microsoft-Windows-Wininit
Custom dynamic link libraries are being loaded for every application. The system administrator should review the list of libraries to ensure they are related to trusted applications.
 
Log: 'System' Date/Time: 15/07/2016 7:16:29 AM
Type: Warning Category: 7
Event: 37 Source: Microsoft-Windows-Kernel-Processor-Power
The speed of processor 0 in group 0 is being limited by system firmware. The processor has been in this reduced performance state for 71 seconds since the last report.
 
Log: 'System' Date/Time: 15/07/2016 7:16:29 AM
Type: Warning Category: 7
Event: 37 Source: Microsoft-Windows-Kernel-Processor-Power
The speed of processor 1 in group 0 is being limited by system firmware. The processor has been in this reduced performance state for 71 seconds since the last report.
 
Log: 'System' Date/Time: 15/07/2016 7:15:22 AM
Type: Warning Category: 0
Event: 4 Source: b57nd60x
Broadcom NetLink ™ Fast Ethernet: The network link is down.  Check to make sure the network cable is properly connected.
 
Log: 'System' Date/Time: 15/07/2016 7:14:42 AM
Type: Warning Category: 0
Event: 4001 Source: Microsoft-Windows-WLAN-AutoConfig
WLAN AutoConfig service has successfully stopped. 
 
Log: 'System' Date/Time: 14/07/2016 2:32:38 PM
Type: Warning Category: 0
Event: 1014 Source: Microsoft-Windows-DNS-Client
Name resolution for the name wpad.local timed out after none of the configured DNS servers responded.
 
Log: 'System' Date/Time: 14/07/2016 8:51:34 AM
Type: Warning Category: 7
Event: 37 Source: Microsoft-Windows-Kernel-Processor-Power
The speed of processor 1 in group 0 is being limited by system firmware. The processor has been in this reduced performance state for 71 seconds since the last report.
 
Log: 'System' Date/Time: 14/07/2016 8:51:34 AM
Type: Warning Category: 7
Event: 37 Source: Microsoft-Windows-Kernel-Processor-Power
The speed of processor 0 in group 0 is being limited by system firmware. The processor has been in this reduced performance state for 71 seconds since the last report.
 
Log: 'System' Date/Time: 14/07/2016 8:50:46 AM
Type: Warning Category: 0
Event: 11 Source: Microsoft-Windows-Wininit
Custom dynamic link libraries are being loaded for every application. The system administrator should review the list of libraries to ensure they are related to trusted applications.
 
Log: 'System' Date/Time: 14/07/2016 8:50:28 AM
Type: Warning Category: 0
Event: 4 Source: b57nd60x
Broadcom NetLink ™ Fast Ethernet: The network link is down.  Check to make sure the network cable is properly connected.
 
Log: 'System' Date/Time: 13/07/2016 7:26:46 PM
Type: Warning Category: 0
Event: 4001 Source: Microsoft-Windows-WLAN-AutoConfig
WLAN AutoConfig service has successfully stopped. 
 
Log: 'System' Date/Time: 13/07/2016 7:18:34 PM
Type: Warning Category: 7
Event: 37 Source: Microsoft-Windows-Kernel-Processor-Power
The speed of processor 0 in group 0 is being limited by system firmware. The processor has been in this reduced performance state for 71 seconds since the last report.
 
Log: 'System' Date/Time: 13/07/2016 7:18:34 PM
Type: Warning Category: 7
Event: 37 Source: Microsoft-Windows-Kernel-Processor-Power
The speed of processor 1 in group 0 is being limited by system firmware. The processor has been in this reduced performance state for 71 seconds since the last report.
 
Log: 'System' Date/Time: 13/07/2016 7:17:45 PM
Type: Warning Category: 0
Event: 11 Source: Microsoft-Windows-Wininit
Custom dynamic link libraries are being loaded for every application. The system administrator should review the list of libraries to ensure they are related to trusted applications.
 
As for the check disc, that finished without any errors (though it only did the "verification phase" and then said it was finished, not sure if that's everything).
 
 
 
 

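The VEW log above is a fixed four-line-per-record format, which makes it easy to read by machine. As an added example (not part of this thread and not VEW's own code), the script below parses that format, counts events by source and id, and turns the records a responder would act on into follow-up notes: the Ntfs event 55 (which volume to chkdsk), the Service Control Manager failures (which service), and the Wininit event 11, which Windows logs when AppInit_DLLs is populated. The sample records are copied from the log above; the triage rules are this example's own.

```python
"""Parse Vino's Event Viewer (VEW) output and pull out the events worth acting on.

Added example, not from the thread and not VEW's own code. The sample records are
copied from the VEW output above (VEW prints dates as dd/mm/yyyy); the triage
rules are this example's own.
"""
import re
from collections import Counter
from datetime import datetime
from typing import Any, Dict, List

HEADER = re.compile(r"^Log: '(?P<log>[^']+)' Date/Time: (?P<when>.+)$")
TYPE = re.compile(r"^Type: (?P<kind>\w+) Category: (?P<category>\d+)$")
EVENT = re.compile(r"^Event: (?P<event_id>\d+) Source: (?P<source>.+)$")
SERVICE = re.compile(r"^The (?P<svc>.+?) service ")
VOLUME = re.compile(r"volume (?P<vol>[A-Z]:)")

# Records copied from the VEW output in the thread; one section header kept to show it is skipped.
SAMPLE = """\
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
'System' Log - Error Type
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Log: 'System' Date/Time: 15/07/2016 10:05:35 AM
Type: Error Category: 2
Event: 55 Source: Ntfs
The file system structure on the disk is corrupt and unusable. Please run the chkdsk utility on the volume E:.

Log: 'System' Date/Time: 13/07/2016 6:32:19 PM
Type: Error Category: 0
Event: 7000 Source: Service Control Manager
The Ronzap service failed to start due to the following error:  The system cannot find the file specified.

Log: 'System' Date/Time: 15/07/2016 2:21:32 PM
Type: Warning Category: 0
Event: 11 Source: Microsoft-Windows-Wininit
Custom dynamic link libraries are being loaded for every application. The system administrator should review the list of libraries to ensure they are related to trusted applications.

Log: 'System' Date/Time: 15/07/2016 2:22:28 PM
Type: Warning Category: 7
Event: 37 Source: Microsoft-Windows-Kernel-Processor-Power
The speed of processor 1 in group 0 is being limited by system firmware. The processor has been in this reduced performance state for 71 seconds since the last report.
"""


def parse_vew(text: str) -> List[Dict[str, Any]]:
    """One dict per record: log, when (datetime), kind, category, event_id, source, message."""
    events: List[Dict[str, Any]] = []
    cur: Dict[str, Any] = {}

    def flush() -> None:
        if cur:
            cur["when"] = datetime.strptime(cur["when"], "%d/%m/%Y %I:%M:%S %p")
            cur["category"] = int(cur.get("category", 0))
            cur["event_id"] = int(cur.get("event_id", 0))
            cur["message"] = " ".join(cur.pop("lines")).strip()
            events.append(dict(cur))
            cur.clear()

    for raw in text.splitlines():
        line = raw.strip()
        m = HEADER.match(line)
        if m:                                   # a new record starts
            flush()
            cur.update(m.groupdict(), lines=[])
        elif not line or line.startswith("~"):  # blank line or section rule ends a record
            flush()
        elif cur:
            m = TYPE.match(line) or EVENT.match(line)
            if m:
                cur.update(m.groupdict())
            else:                               # everything else is message text
                cur["lines"].append(line)
    flush()
    return events


def count_by_source(events: List[Dict[str, Any]]) -> Counter:
    return Counter((e.get("source"), e["event_id"]) for e in events)


def triage(events: List[Dict[str, Any]]) -> List[Dict[str, str]]:
    """Map known (source, event id) pairs to the follow-up a responder would take."""
    notes: List[Dict[str, str]] = []
    for e in events:
        src, eid, when = e.get("source", ""), e["event_id"], e["when"].isoformat()
        if src == "Microsoft-Windows-Wininit" and eid == 11:
            detail = ("AppInit_DLLs is populated; review HKLM\\SOFTWARE\\Microsoft\\Windows NT"
                      "\\CurrentVersion\\Windows\\AppInit_DLLs against the installed security software")
            notes.append({"kind": "appinit_dlls", "when": when, "detail": detail})
        elif src == "Ntfs" and eid == 55:
            v = VOLUME.search(e["message"])
            vol = v.group("vol") if v else "the named volume"
            notes.append({"kind": "fs_corruption", "when": when, "detail": f"run chkdsk /f on {vol}"})
        elif src == "Service Control Manager" and eid in (7000, 7031, 7034):
            s = SERVICE.match(e["message"])
            svc = s.group("svc") if s else "unknown"
            notes.append({"kind": "service_failure", "when": when,
                          "detail": f"{svc} service (event {eid}); verify its binary path and signer"})
    return notes
```

Events the rules do not know (the processor-power warning here) are still parsed and counted, which is what you want when comparing a "before" and "after" log: the counts tell you whether clearing the logs and rebooting actually made a class of error go away.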

#8
RKinner

RKinner

    Malware Expert

  • Expert
  • 24,598 posts
  • MVP
PCI\VEN_1180&DEV_0852&SUBSYS_02091028&REV_12   Ricoh® xD-Picture Card Controller Drivers  The next two are also Ricoh.
 
USB\VID_0483&PID_2016&REV_0001  STMicroelectronics® Fingerprint Reader
 
Look on your PC maker's site for the drivers.

Log: 'System' Date/Time: 15/07/2016 10:05:35 AM
Type: Error Category: 2
Event: 55 Source: Ntfs
The file system structure on the disk is corrupt and unusable. Please run the chkdsk utility on the volume E:.

 

 

 
1. Double-click My Computer, and then right-click the hard disk that you want to check. E:
2. Click Properties, and then click Tools.
3. Under Error-checking, click Check Now. A dialog box that shows the Check disk options is displayed.
4. Check both boxes and then click Start.
You may receive the following message:
The disk check could not be performed because the disk check utility needs exclusive access to some Windows files on the disk. These files can be accessed by restarting Windows. Do you want to schedule the disk check to occur the next time you restart the computer?
Click Yes to schedule the disk check,  Reboot.  The disk check will run and take an hour or more if it's a big disk.
 
 
Log: 'System' Date/Time: 13/07/2016 7:18:34 PM
Type: Warning Category: 7
Event: 37 Source: Microsoft-Windows-Kernel-Processor-Power
The speed of processor 0 in group 0 is being limited by system firmware. The processor has been in this reduced performance state for 71 seconds since the last report.

 

 

Let's run Speccy to make sure this is not caused by heat:

 

 
Get the free version of Speccy:
 
http://www.filehippo...download_speccy (Look in the upper right for the Download Latest Version button - Do NOT press the large Start Download button on the upper left!)  Download, Save and Install it.  Run Speccy.  When it finishes (the little icon in the bottom left will stop moving), File, Save as Text File, (to your desktop) note the name it gives. OK.  Open the file in notepad and delete the line that gives the serial number of your Operating System.  (It will be near the top about 10 lines down.) Attach the file to your next post. (More Reply Options, Choose File, Open, Attach This File.)


#9
TrojanNoob

TrojanNoob

    New Member

  • Topic Starter
  • Member
  • Pip
  • 5 posts

Attached File  MATEJ-PC.txt   97.93KB   305 downloads

 

Hi!

 

I ran the scan you mentioned. The E: is an old external HD that I have my old files on (I reinstalled Windows recently). I've also updated all my drivers. 

 

Yesterday, my computer was working great. I could actually watch videos on my browser and work normally. But it's back to being slow again (some sites take over a minute to load, they're constantly refreshing and reloading). I've run the TDSSKiller tool from Kaspersky to see if there are any rootkits, but it says my system is clean.

 

As I'm writing this, the PC is working decently enough. 5 minutes ago (and the entire morning), Task Manager said the CPU was at 100%, and it was hard to function with it. 

 

Attached I'm sending over the Speccy log file. And thanks again for all your help. 



#10
RKinner

RKinner

    Malware Expert

  • Expert
  • 24,598 posts
  • MVP

Speccy says you have several updates in progress.  These might be causing the problem.

 

 
/18/2016  Update for Windows 7 (KB3080079)
Installation Status In Progress
Install this update to resolve issues in Windows. For a complete
listing of the issues that are included in this update, see the
associated Microsoft Knowledge Base article for more information.
After you install this item, you may have to restart your computer.
7/18/2016  Update for Windows 7 (KB3102429)
Installation Status In Progress
Install this update to resolve issues in Windows. For a complete
listing of the issues that are included in this update, see the
associated Microsoft Knowledge Base article for more information.
After you install this item, you may have to restart your computer.
7/18/2016  Update for Windows 7 (KB3161608)
Installation Status In Progress
Install this update to resolve issues in Windows. For a complete
listing of the issues that are included in this update, see the
associated Microsoft Knowledge Base article for more information.
After you install this item, you may have to restart your computer.
7/18/2016  Windows Malicious Software Removal Tool - July 2016 (KB890830)
Installation Status Failed
After the download, this tool runs one time to check your computer
for infection by specific, prevalent malicious software (including
Blaster, Sasser, and Mydoom) and helps remove any infection that
is found. If an infection is found, the tool will display a status
report the next time that you start your computer. A new version
of the tool will be offered every month. If you want to manually
run the tool on your computer, you can download a copy from the
Microsoft Download Center, or you can run an online version from
microsoft.com. This tool is not a replacement for an antivirus
product. To help protect your computer, you should use an antivirus
product.
7/17/2016  Definition Update for Windows Defender - KB915597 (Definition 1.225.1529.0)
Installation Status Failed
Install this update to revise the definition files used to detect
spyware and other potentially unwanted software. Once you have
installed this item, it cannot be removed.

 

 

 

 

Your hard drive is starting to get old and showing read errors and reallocated sectors:

ID  Attribute name             Real value  Current  Worst  Threshold  Raw Value   Status
01  Read Error Rate            0           200      200    51         0000000232  Good
...
05  Reallocated Sectors Count  41          194      194    140        0000000029  Good

 

 

 

The first will slow it down a bit since it has to reread the drive.  The second slows it down too sort of like fragmentation.  The remapped sectors are not in the same place as the original so it has to take extra time to read them.  It's not critical yet but should be watched.  You may want to consider cloning the drive if it gets worse.

