
Infected Computer [Closed]

  • This topic is locked

#1
largemarje

    New Member

  • Member
  • 3 posts

My mom was using this computer and said something to me about it, and I told her she had a virus because I saw this "Driver Max" program running and it looked like a virus. So I gave her my laptop to do her bills on. I think my sister got this computer infected by googling for games she could play, like flash games or something. Norton is on here, but it's not doing anything. I want to uninstall it once this cleanup is done. I installed Avast and did a scan; I'm assuming it was a quick scan because it was quick compared to the other scans. It found nothing. Then I manually did a full system scan, which took forever, found nothing, and prompted me to do a boot-up scan. The boot-up scan also took ages and a half, and I don't think it found anything, because once it was done it restarted the computer and acted like nothing happened. (I think? I was asleep when this happened.) But the DriverMax on this has been completely unaffected. Also, before I even installed Avast I tried to uninstall the virus through the control panel, but that honestly just activated it further. It slowed the computer down, didn't finish the uninstallation process, and simply won't close. Task Manager can't kill the process either. This is what definitively told me it was a virus, after brushing aside my hunch.

I'm a tech person in case that makes communicating with me easier. (:
(Like you won't need to tell me how to copy/paste log files like the Start Here thread does lol, or anything like that probably.)

This year actually marks the 10-year anniversary since my first time coming to this website. Congrats for being online so long, and thanks to everyone who has ever helped anyone out! >.> Dang... ten years though... okay, I'm getting off topic, sorry lol.

But here are my scan results.

I'm guessing the infection originated in the Owner or Sabrina accounts.


Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 26-10-2016
Ran by Owner (administrator) on HOME (27-10-2016 21:05:38)
Running from C:\Users\Owner\Desktop
Loaded Profiles: Owner (Available Profiles: Owner & Boopers & Sabrina & Guest)
Platform: Windows 7 Home Premium Service Pack 1 (X64) Language: English (United States)
Internet Explorer Version 11 (Default browser: Chrome)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo...very-scan-tool/
 
==================== Processes (Whitelisted) =================
 
(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)
 
(AVAST Software) C:\Program Files\AVAST Software\Avast\AvastSvc.exe
(Dritek System Inc.) C:\Program Files (x86)\Launch Manager\dsiwmis.exe
(Acer Incorporated) C:\Program Files\eMachines\eMachines Power Management\ePowerSvc.exe
(Acer Incorporated) C:\Program Files (x86)\eMachines\Registration\GREGsvc.exe
(Acer Incorporated) C:\Program Files\eMachines\eMachines Updater\UpdaterService.exe
(Symantec Corporation) C:\Program Files (x86)\Norton 360\Engine\22.5.4.24\n360.exe
(Symantec Corporation) C:\Program Files (x86)\Symantec\Norton Online Backup\NOBuAgent.exe
() C:\Program Files (x86)\HTC\Internet Pass-Through\PassThruSvr.exe
(Microsoft Corp.) C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
(Microsoft Corp.) C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVCM.EXE
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
(Intel Corporation) C:\Windows\System32\igfxtray.exe
(Intel Corporation) C:\Windows\System32\hkcmd.exe
(Intel Corporation) C:\Windows\System32\igfxpers.exe
(Intel Corporation) C:\Windows\System32\igfxsrvc.exe
(Acer Incorporated) C:\Program Files\eMachines\eMachines Power Management\ePowerEvent.exe
(AVAST Software) C:\Program Files\AVAST Software\Avast\avastui.exe
(Brother Industries, Ltd.) C:\Program Files (x86)\Browny02\BrYNSvc.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(McAfee, Inc.) C:\Program Files\McAfee Security Scan\3.11.427\McCHSvc.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Symantec Corporation) C:\Program Files (x86)\Norton 360\Engine\22.5.4.24\n360.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Microsoft Corporation) C:\Windows\System32\taskmgr.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
 
 
==================== Registry (Whitelisted) ====================
 
(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)
 
HKLM\...\Run: [AmIcoSinglun64] => C:\Program Files (x86)\AmIcoSingLun\AmIcoSinglun64.exe [324608 2010-06-10] (Alcor Micro Corp.)
HKLM\...\Run: [RtHDVCpl] => C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe [11046504 2010-07-13] (Realtek Semiconductor)
HKLM\...\Run: [SynTPEnh] => C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [2097960 2010-04-22] (Synaptics Incorporated)
HKLM\...\Run: [Acer ePower Management] => C:\Program Files\eMachines\eMachines Power Management\ePowerTray.exe [860040 2011-01-05] (Acer Incorporated)
HKLM\...\Run: [Monitor] => C:\Windows\PixArt\PAC207\Monitor.exe [319488 2006-11-03] (PixArt Imaging Incorporation)
HKLM-x32\...\Run: [IAStorIcon] => C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe [284696 2010-03-03] (Intel Corporation)
HKLM-x32\...\Run: [Norton Online Backup] => C:\Program Files (x86)\Symantec\Norton Online Backup\NOBuClient.exe [1155928 2010-06-01] (Symantec Corporation)
HKLM-x32\...\Run: [LManager] => C:\Program Files (x86)\Launch Manager\LManager.exe [975952 2010-08-10] (Dritek System Inc.)
HKLM-x32\...\Run: [ControlCenter4] => C:\Program Files (x86)\ControlCenter4\BrCcBoot.exe [143360 2012-09-06] (Brother Industries, Ltd.)
HKLM-x32\...\Run: [BrStsMon00] => C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe [3076096 2012-06-06] (Brother Industries, Ltd.)
HKLM-x32\...\Run: [AvastUI.exe] => C:\Program Files\AVAST Software\Avast\AvastUI.exe [9083840 2016-10-19] (AVAST Software)
HKLM-x32\...\Run: [Adobe ARM] => C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe [1156824 2016-09-16] (Adobe Systems Incorporated)
HKLM-x32\...\RunOnce: [20161024] => "C:\Program Files\AVAST Software\Avast\aswRunDll.exe" "C:\Program Files\AVAST Software\Avast\dbbf6669-19b7-4f68-8765-744d69234541\adb78ef3-e1d5-4c5a-9ee2-6f458c5f49e1.dll",[email protected]
Winlogon\Notify\igfxcui: C:\Windows\system32\igfxdev.dll (Intel Corporation)
HKU\S-1-5-21-149484379-1133455542-3790709413-1000\...\Run: [cdloader] => C:\Users\Owner\AppData\Roaming\mjusbsp\cdloader2.exe [51592 2014-07-04] (magicJack L.P.)
HKU\S-1-5-21-149484379-1133455542-3790709413-1000\...\Run: [Norton Download Manager{N360REMEXE-SHPD-FSD5183}] => C:\Users\Owner\AppData\Local\Temp\{43A32389-59A8-450F-921F-28B68E4F112C}\Upgrade.exe [2034040 2015-07-27] (Symantec Corporation) <===== ATTENTION
HKU\S-1-5-21-149484379-1133455542-3790709413-1000\...\Run: [DriverMax_RESTART] => [X]
HKU\S-1-5-21-149484379-1133455542-3790709413-1000\...\Policies\system: [LogonHoursAction] 2
HKU\S-1-5-21-149484379-1133455542-3790709413-1000\...\Policies\system: [DontDisplayLogonHoursWarnings] 1
HKU\S-1-5-21-149484379-1133455542-3790709413-1000\...\Policies\Explorer: [NoDesktopCleanupWizard] 1
HKU\S-1-5-21-149484379-1133455542-3790709413-1000\Control Panel\Desktop\\SCRNSAVE.EXE -> 
ShellIconOverlayIdentifiers: [  OverlayExcluded] -> {4433A54A-1AC8-432F-90FC-85F045CF383C} => C:\Program Files (x86)\Norton 360\Engine64\22.5.4.24\buShell.dll [2015-08-27] (Symantec Corporation)
ShellIconOverlayIdentifiers: [  OverlayPending] -> {F17C0B1E-EF8E-4AD4-8E1B-7D7E8CB23225} => C:\Program Files (x86)\Norton 360\Engine64\22.5.4.24\buShell.dll [2015-08-27] (Symantec Corporation)
ShellIconOverlayIdentifiers: [  OverlayProtected] -> {476D0EA3-80F9-48B5-B70B-05E677C9C148} => C:\Program Files (x86)\Norton 360\Engine64\22.5.4.24\buShell.dll [2015-08-27] (Symantec Corporation)
ShellIconOverlayIdentifiers: [00avast] -> {472083B0-C522-11CF-8763-00608CC02F24} => C:\Program Files\AVAST Software\Avast\ashShA64.dll [2016-10-19] (AVAST Software)
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\McAfee Security Scan Plus.lnk [2016-10-27]
ShortcutTarget: McAfee Security Scan Plus.lnk -> C:\Program Files\McAfee Security Scan\3.11.427\SSScheduler.exe (McAfee, Inc.)
GroupPolicy\User: Restriction <======= ATTENTION
GroupPolicyUsers\S-1-5-21-149484379-1133455542-3790709413-1002\User: Restriction <======= ATTENTION
GroupPolicyUsers\S-1-5-21-149484379-1133455542-3790709413-1001\User: Restriction <======= ATTENTION
 
==================== Internet (Whitelisted) ====================
 
(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)
 
Hosts: 0.0.0.1 mssplus.mcafee.com
Tcpip\Parameters: [DhcpNameServer] 209.18.47.61 209.18.47.62
Tcpip\..\Interfaces\{33992560-137A-49CE-8676-44362F28D0F3}: [DhcpNameServer] 192.168.1.1
Tcpip\..\Interfaces\{716727F8-4D4F-4777-9F1E-482E08FC9FD2}: [DhcpNameServer] 209.18.47.61 209.18.47.62
 
Internet Explorer:
==================
HKU\S-1-5-21-149484379-1133455542-3790709413-1000\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.yahoo.com/
HKU\S-1-5-21-149484379-1133455542-3790709413-1000\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://emachines.msn.com
SearchScopes: HKLM -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = hxxp://www.bing.com/search?q={searchTerms}&form=AEMTDF&pc=MAEM&src=IE-SearchBox
SearchScopes: HKLM-x32 -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = hxxp://www.bing.com/search?q={searchTerms}&form=AEMTDF&pc=MAEM&src=IE-SearchBox
SearchScopes: HKU\S-1-5-21-149484379-1133455542-3790709413-1000 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
SearchScopes: HKU\S-1-5-21-149484379-1133455542-3790709413-1000 -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
BHO: Norton Identity Protection -> {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} -> C:\Program Files (x86)\Norton 360\Engine64\22.5.4.24\coIEPlg.dll [2015-09-23] (Symantec Corporation)
BHO: avast! Online Security -> {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} -> C:\Program Files\AVAST Software\Avast\aswWebRepIE64.dll [2016-10-19] (AVAST Software)
BHO: Windows Live ID Sign-in Helper -> {9030D464-4C02-4ABF-8ECC-5164760863C6} -> C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll [2010-09-21] (Microsoft Corp.)
BHO: Google Toolbar Helper -> {AA58ED58-01DD-4d91-8333-CF10577473F7} -> C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll [2016-05-04] (Google Inc.)
BHO-x32: Norton Identity Protection -> {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} -> C:\Program Files (x86)\Norton 360\Engine\22.5.4.24\coIEPlg.dll [2015-09-23] (Symantec Corporation)
BHO-x32: Norton Vulnerability Protection -> {6D53EC84-6AAE-4787-AEEE-F4628F01010C} -> C:\Program Files (x86)\Norton 360\Engine\20.6.0.27\IPS\IPSBHO.DLL => No File
BHO-x32: avast! Online Security -> {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} -> C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll [2016-10-19] (AVAST Software)
BHO-x32: Windows Live ID Sign-in Helper -> {9030D464-4C02-4ABF-8ECC-5164760863C6} -> C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll [2010-09-21] (Microsoft Corp.)
BHO-x32: Google Toolbar Helper -> {AA58ED58-01DD-4d91-8333-CF10577473F7} -> C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll [2016-05-04] (Google Inc.)
Toolbar: HKLM - Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files (x86)\Norton 360\Engine64\22.5.4.24\coIEPlg.dll [2015-09-23] (Symantec Corporation)
Toolbar: HKLM - Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll [2016-05-04] (Google Inc.)
Toolbar: HKLM-x32 - Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files (x86)\Norton 360\Engine\22.5.4.24\coIEPlg.dll [2015-09-23] (Symantec Corporation)
Toolbar: HKLM-x32 - Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll [2016-05-04] (Google Inc.)
Toolbar: HKU\S-1-5-21-149484379-1133455542-3790709413-1000 -> Google Toolbar - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll [2016-05-04] (Google Inc.)
DPF: HKLM-x32 {5DC5B8C0-EB2F-4364-B316-F8290B72F172} hxxps://vp.crossmark.com/SalesTrakNG/setsurge/include/App/SetSurgeGrid.CAB
 
FireFox:
========
FF HKLM\...\Firefox\Extensions: [[email protected]] - C:\Program Files\AVAST Software\Avast\SafePrice\FF
FF Extension: (Avast SafePrice) - C:\Program Files\AVAST Software\Avast\SafePrice\FF [2016-10-19]
FF HKLM\...\Firefox\Extensions: [[email protected]] - C:\Program Files\AVAST Software\Avast\WebRep\FF
FF Extension: (Avast Online Security) - C:\Program Files\AVAST Software\Avast\WebRep\FF [2016-10-19]
FF HKLM-x32\...\Firefox\Extensions: [{EBA722F5-038F-4CAF-9EE2-545A221628BC}] - C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_22.5.2.15\coFFPlgn
FF Extension: (Norton Toolbar) - C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_22.5.2.15\coFFPlgn [2015-11-12]
FF HKLM-x32\...\Firefox\Extensions: [[email protected]] - C:\Program Files\AVAST Software\Avast\SafePrice\FF
FF HKLM-x32\...\Firefox\Extensions: [[email protected]] - C:\Program Files\AVAST Software\Avast\WebRep\FF
FF Plugin: @adobe.com/FlashPlayer -> C:\Windows\system32\Macromed\Flash\NPSWF64_23_0_0_205.dll [2016-10-27] ()
FF Plugin: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin-x32: @adobe.com/FlashPlayer -> C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_23_0_0_205.dll [2016-10-27] ()
FF Plugin-x32: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin-x32: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files (x86)\Microsoft Silverlight\4.1.10329.0\npctrl.dll [2012-03-29] ( Microsoft Corporation)
FF Plugin-x32: @microsoft.com/WLPG,version=15.4.3502.0922 -> C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll [2010-11-10] (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/WLPG,version=15.4.3508.1109 -> C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll [2010-11-10] (Microsoft Corporation)
FF Plugin-x32: @pandonetworks.com/PandoWebPlugin -> C:\Program Files (x86)\Pando Networks\Media Booster\npPandoWebPlugin.dll [2012-09-09] (Pando Networks)
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.31.5\npGoogleUpdate3.dll [2016-07-29] (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.31.5\npGoogleUpdate3.dll [2016-07-29] (Google Inc.)
FF Plugin-x32: @videolan.org/vlc,version=2.1.5 -> C:\Program Files (x86)\VideoLAN\VLC\npvlc.dll [2016-06-01] (VideoLAN)
FF Plugin-x32: @videolan.org/vlc,version=2.2.4 -> C:\Program Files (x86)\VideoLAN\VLC\npvlc.dll [2016-06-01] (VideoLAN)
FF Plugin-x32: Adobe Reader -> C:\Program Files (x86)\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll [2016-10-01] (Adobe Systems Inc.)
FF Plugin HKU\S-1-5-21-149484379-1133455542-3790709413-1000: pandonetworks.com/PandoWebPlugin -> C:\Program Files (x86)\Pando Networks\Media Booster\npPandoWebPlugin.dll [2012-09-09] (Pando Networks)
 
Chrome: 
=======
CHR HomePage: Default -> hxxp://www.google.com/
CHR StartupUrls: Default -> "hxxp://www.google.com/"
CHR Profile: C:\Users\Owner\AppData\Local\Google\Chrome\User Data\Default [2016-10-27]
CHR Extension: (Google Search) - C:\Users\Owner\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf [2016-02-25]
CHR Extension: (Avast Online Security) - C:\Users\Owner\AppData\Local\Google\Chrome\User Data\Default\Extensions\gomekmidlodglbbmalcneegieacbdmki [2016-10-19]
CHR Extension: (Norton Identity Safe) - C:\Users\Owner\AppData\Local\Google\Chrome\User Data\Default\Extensions\iikflkcanblccfahdhdonehdalibjnif [2016-02-23]
CHR Extension: (Chrome Web Store Payments) - C:\Users\Owner\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2016-10-27]
CHR Extension: (Chrome Media Router) - C:\Users\Owner\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm [2016-10-27]
CHR HKLM\...\Chrome\Extension: [cjabmdjcfcfdmffimndhafhblfmpjdpe] - C:\Program Files (x86)\Norton 360\Engine\22.5.4.24\Exts\Chrome.crx [2015-10-20]
CHR HKLM\...\Chrome\Extension: [iikflkcanblccfahdhdonehdalibjnif] - hxxps://clients2.google.com/service/update2/crx
CHR HKLM-x32\...\Chrome\Extension: [cjabmdjcfcfdmffimndhafhblfmpjdpe] - C:\Program Files (x86)\Norton 360\Engine\22.5.4.24\Exts\Chrome.crx [2015-10-20]
CHR HKLM-x32\...\Chrome\Extension: [gomekmidlodglbbmalcneegieacbdmki] - hxxps://clients2.google.com/service/update2/crx
CHR HKLM-x32\...\Chrome\Extension: [iikflkcanblccfahdhdonehdalibjnif] - hxxps://clients2.google.com/service/update2/crx
 
==================== Services (Whitelisted) ====================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
R2 avast! Antivirus; C:\Program Files\AVAST Software\Avast\AvastSvc.exe [197128 2016-10-19] (AVAST Software)
R3 BrYNSvc; C:\Program Files (x86)\Browny02\BrYNSvc.exe [266240 2012-06-05] (Brother Industries, Ltd.) [File not signed]
R2 ePowerSvc; C:\Program Files\eMachines\eMachines Power Management\ePowerSvc.exe [867712 2011-01-05] (Acer Incorporated)
R2 GREGService; C:\Program Files (x86)\eMachines\Registration\GREGsvc.exe [23584 2010-01-08] (Acer Incorporated)
R2 Live Updater Service; C:\Program Files\eMachines\eMachines Updater\UpdaterService.exe [244624 2011-01-31] (Acer Incorporated)
R3 McComponentHostService; C:\Program Files\McAfee Security Scan\3.11.427\McCHSvc.exe [329480 2016-10-13] (McAfee, Inc.)
R2 N360; C:\Program Files (x86)\Norton 360\Engine\22.5.4.24\N360.exe [282016 2015-09-24] (Symantec Corporation)
R2 NOBU; C:\Program Files (x86)\Symantec\Norton Online Backup\NOBuAgent.exe [2804568 2010-06-01] (Symantec Corporation)
R2 PassThru Service; C:\Program Files (x86)\HTC\Internet Pass-Through\PassThruSvr.exe [166912 2013-10-17] () [File not signed]
S3 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [1011712 2013-05-27] (Microsoft Corporation)
 
===================== Drivers (Whitelisted) ======================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
S3 aswHwid; C:\Windows\system32\drivers\aswHwid.sys [37656 2016-10-19] (AVAST Software)
R1 aswKbd; C:\Windows\system32\drivers\aswKbd.sys [37144 2016-10-19] (AVAST Software)
R2 aswMonFlt; C:\Windows\system32\drivers\aswMonFlt.sys [108816 2016-10-19] (AVAST Software)
R1 aswRdr; C:\Windows\system32\drivers\aswRdr2.sys [103064 2016-10-19] (AVAST Software)
R0 aswRvrt; C:\Windows\System32\Drivers\aswRvrt.sys [74544 2016-10-19] (AVAST Software)
R1 aswSnx; C:\Windows\system32\drivers\aswSnx.sys [969184 2016-10-19] (AVAST Software)
R1 aswSP; C:\Windows\system32\drivers\aswSP.sys [513632 2016-10-19] (AVAST Software)
R2 aswStm; C:\Windows\system32\drivers\aswStm.sys [163416 2016-10-19] (AVAST Software)
R0 aswVmm; C:\Windows\System32\Drivers\aswVmm.sys [293352 2016-10-19] (AVAST Software)
S1 BHDrvx64; C:\Program Files (x86)\Norton 360\NortonData\22.5.2.15\Definitions\BASHDefs\20150821.001\BHDrvx64.sys [1650936 2015-07-23] (Symantec Corporation)
S3 cmnxusbser; C:\Windows\System32\DRIVERS\cmnxusbser.sys [146424 2015-11-24] (Wireless Data Device)
S3 ebdrv; C:\Windows\system32\drivers\evbda.sys [3286016 2009-06-10] (Broadcom Corporation)
R1 eeCtrl; C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\eeCtrl64.sys [498512 2015-07-27] (Symantec Corporation)
R1 IDSVia64; C:\Program Files (x86)\Norton 360\NortonData\22.5.2.15\Definitions\IPSDefs\20150906.001\IDSvia64.sys [767224 2015-09-08] (Symantec Corporation)
S3 NAVENG; C:\Program Files (x86)\Norton 360\NortonData\22.5.2.15\Definitions\VirusDefs\20150908.006\ENG64.SYS [138488 2015-08-24] (Symantec Corporation)
S3 NAVEX15; C:\Program Files (x86)\Norton 360\NortonData\22.5.2.15\Definitions\VirusDefs\20150908.006\EX64.SYS [2146040 2015-08-24] (Symantec Corporation)
S3 PAC207; C:\Windows\System32\DRIVERS\PFC027.SYS [572416 2006-12-05] (PixArt Imaging Inc.)
S3 SRTSP; C:\Windows\System32\Drivers\N360x64\1605040.018\SRTSP64.SYS [930024 2015-09-23] (Symantec Corporation)
R1 SRTSPX; C:\Windows\system32\drivers\N360x64\1605040.018\SRTSPX64.SYS [50936 2015-07-10] (Symantec Corporation)
R0 SymEFASI; C:\Windows\System32\drivers\N360x64\1605040.018\SYMEFASI64.SYS [1620720 2015-07-10] (Symantec Corporation)
R3 SymEvent; C:\Windows\system32\Drivers\SYMEVENT64x86.SYS [111344 2015-08-02] (Symantec Corporation)
S1 SymIRON; C:\Windows\system32\drivers\N360x64\1605040.018\Ironx64.SYS [297720 2015-07-10] (Symantec Corporation)
S1 SymNetS; C:\Windows\System32\Drivers\N360x64\1605040.018\SYMNETS.SYS [577768 2015-09-23] (Symantec Corporation)
 
==================== NetSvcs (Whitelisted) ===================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
 
==================== One Month Created files and folders ========
 
(If an entry is included in the fixlist, the file/folder will be moved.)
 
2016-10-27 21:05 - 2016-10-27 21:09 - 00019829 _____ C:\Users\Owner\Desktop\FRST.txt
2016-10-27 20:59 - 2016-10-27 21:05 - 00000000 ____D C:\FRST
2016-10-27 20:34 - 2016-10-27 20:35 - 02407936 _____ (Farbar) C:\Users\Owner\Desktop\FRST64.exe
2016-10-27 20:09 - 2016-10-27 20:09 - 00000000 ____D C:\Users\Owner\AppData\Local\{6C54AC21-BB15-4DCB-B4EC-7EDD93195E64}
2016-10-27 20:01 - 2016-10-27 20:01 - 00001973 _____ C:\Users\Public\Desktop\McAfee Security Scan Plus.lnk
2016-10-27 20:01 - 2016-10-27 20:01 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\McAfee Security Scan Plus
2016-10-23 18:50 - 2016-10-23 18:50 - 00000000 ____D C:\Users\Owner\Tracing
2016-10-23 18:49 - 2016-10-23 18:49 - 00002697 _____ C:\Users\Public\Desktop\Skype.lnk
2016-10-23 18:49 - 2016-10-23 18:49 - 00000000 ___RD C:\Program Files (x86)\Skype
2016-10-23 18:49 - 2016-10-23 18:49 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Skype
2016-10-19 21:55 - 2016-10-19 21:55 - 00000000 ____D C:\Users\Owner\AppData\Local\CEF
2016-10-19 21:54 - 2016-10-23 19:20 - 00003882 _____ C:\Windows\System32\Tasks\SafeZone scheduled Autoupdate 1476928394
2016-10-19 21:54 - 2016-10-19 21:54 - 00001052 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Avast SafeZone Browser.lnk
2016-10-19 21:51 - 2016-10-19 21:50 - 00037144 _____ (AVAST Software) C:\Windows\system32\Drivers\aswKbd.sys
2016-10-19 21:44 - 2016-10-19 21:44 - 00000000 ____D C:\Users\Owner\AppData\Roaming\AVAST Software
2016-10-19 21:43 - 2016-10-23 18:31 - 00002084 _____ C:\Users\Public\Desktop\Avast Free Antivirus.lnk
2016-10-19 21:43 - 2016-10-19 21:43 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\AVAST Software
2016-10-19 21:41 - 2016-10-19 21:41 - 00044952 _____ () C:\Windows\system32\Drivers\staport.sys
2016-10-19 21:41 - 2016-10-19 21:41 - 00003922 _____ C:\Windows\System32\Tasks\avast! Emergency Update
2016-10-19 21:41 - 2016-10-19 21:41 - 00000000 ____D C:\Windows\System32\Tasks\AVAST Software
2016-10-19 21:40 - 2016-10-19 21:41 - 00969184 _____ (AVAST Software) C:\Windows\system32\Drivers\aswsnx.sys
2016-10-19 21:40 - 2016-10-19 21:41 - 00513632 _____ (AVAST Software) C:\Windows\system32\Drivers\aswsp.sys
2016-10-19 21:40 - 2016-10-19 21:41 - 00293352 _____ (AVAST Software) C:\Windows\system32\Drivers\aswvmm.sys
2016-10-19 21:40 - 2016-10-19 21:39 - 00163416 _____ (AVAST Software) C:\Windows\system32\Drivers\aswStm.sys
2016-10-19 21:40 - 2016-10-19 21:39 - 00108816 _____ (AVAST Software) C:\Windows\system32\Drivers\aswMonFlt.sys
2016-10-19 21:40 - 2016-10-19 21:39 - 00103064 _____ (AVAST Software) C:\Windows\system32\Drivers\aswRdr2.sys
2016-10-19 21:40 - 2016-10-19 21:39 - 00074544 _____ (AVAST Software) C:\Windows\system32\Drivers\aswRvrt.sys
2016-10-19 21:40 - 2016-10-19 21:39 - 00037656 _____ (AVAST Software) C:\Windows\system32\Drivers\aswHwid.sys
2016-10-19 21:39 - 2016-10-19 21:39 - 00391496 _____ (AVAST Software) C:\Windows\system32\aswBoot.exe
2016-10-19 21:37 - 2016-10-19 21:37 - 00053208 _____ (AVAST Software) C:\Windows\avastSS.scr
2016-10-19 21:33 - 2016-10-19 21:51 - 00000000 ____D C:\ProgramData\AVAST Software
2016-10-19 21:33 - 2016-10-19 21:50 - 00000000 ____D C:\Program Files\AVAST Software
2016-10-19 21:32 - 2016-10-19 21:32 - 06334656 _____ (AVAST Software) C:\Users\Owner\Downloads\avast_free_antivirus_setup_online.exe
2016-10-19 21:32 - 2016-10-19 21:32 - 06334656 _____ (AVAST Software) C:\Users\Owner\Downloads\avast_free_antivirus_setup_online (2).exe
2016-10-19 21:32 - 2016-10-19 21:32 - 06334656 _____ (AVAST Software) C:\Users\Owner\Downloads\avast_free_antivirus_setup_online (1).exe
2016-10-17 19:59 - 2016-10-27 19:41 - 00003376 _____ C:\Windows\System32\Tasks\DriverMaxAgent
2016-10-17 19:59 - 2016-10-17 19:59 - 00003388 _____ C:\Windows\System32\Tasks\DriverMax Notification
 
==================== One Month Modified files and folders ========
 
(If an entry is included in the fixlist, the file/folder will be moved.)
 
2016-10-27 21:21 - 2013-04-15 15:16 - 00000936 _____ C:\Windows\Tasks\FacebookUpdateTaskUserS-1-5-21-149484379-1133455542-3790709413-1002UA.job
2016-10-27 21:03 - 2012-11-15 19:58 - 00003768 _____ C:\Windows\System32\Tasks\Adobe Flash Player Updater
2016-10-27 21:03 - 2012-11-15 19:58 - 00000830 _____ C:\Windows\Tasks\Adobe Flash Player Updater.job
2016-10-27 21:02 - 2016-01-16 22:46 - 00000898 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2016-10-27 21:02 - 2012-11-15 19:58 - 00796352 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2016-10-27 21:02 - 2012-11-15 19:58 - 00142528 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
2016-10-27 21:01 - 2012-11-15 19:57 - 00000000 ____D C:\Windows\system32\Macromed
2016-10-27 21:00 - 2011-08-10 05:35 - 00000000 ____D C:\Windows\SysWOW64\Macromed
2016-10-27 20:38 - 2009-07-14 00:45 - 00016976 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2016-10-27 20:38 - 2009-07-14 00:45 - 00016976 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2016-10-27 20:00 - 2015-11-07 11:20 - 00000000 ____D C:\Program Files\McAfee Security Scan
2016-10-27 19:39 - 2016-01-16 22:46 - 00000894 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2016-10-27 19:39 - 2011-08-10 05:36 - 00000000 ____D C:\ProgramData\Norton
2016-10-27 19:38 - 2016-09-21 10:27 - 00003456 _____ C:\Windows\System32\Tasks\Application Starter - f1375f225883e83d52e8db9690775c3c
2016-10-27 19:37 - 2009-07-14 01:08 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2016-10-23 20:02 - 2014-08-22 15:59 - 00002441 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Adobe Reader XI.lnk
2016-10-23 19:20 - 2012-09-08 22:16 - 00000000 ____D C:\Program Files (x86)\Mozilla Firefox
2016-10-23 19:19 - 2015-01-04 23:05 - 00001035 _____ C:\Users\Public\Desktop\VLC media player.lnk
2016-10-23 18:54 - 2012-07-14 15:39 - 00000000 ____D C:\Users\Owner\AppData\Roaming\Skype
2016-10-23 18:50 - 2011-12-21 23:02 - 00000000 ____D C:\Users\Owner
2016-10-23 18:50 - 2011-08-10 05:26 - 00000000 ____D C:\ProgramData\Skype
2016-10-23 18:37 - 2014-01-31 13:43 - 00371320 _____ C:\Windows\ntbtlog.txt
2016-10-23 18:28 - 2013-04-15 15:16 - 00000914 _____ C:\Windows\Tasks\FacebookUpdateTaskUserS-1-5-21-149484379-1133455542-3790709413-1002Core.job
2016-10-19 21:41 - 2015-08-02 13:51 - 00000000 ____D C:\Program Files\Common Files\AV
2016-10-18 19:22 - 2014-02-14 14:56 - 00000000 ____D C:\Users\Sabrina\AppData\Local\Microsoft Games
2016-10-16 13:58 - 2015-01-03 17:23 - 00004476 _____ C:\Windows\System32\Tasks\Adobe Acrobat Update Task
2016-10-10 16:55 - 2014-02-12 12:52 - 00000000 ____D C:\ProgramData\McAfee Security Scan
2016-10-10 16:55 - 2012-09-12 17:07 - 00000000 ____D C:\Users\Guest
2016-10-10 16:55 - 2011-12-24 00:37 - 00000000 ____D C:\Users\Sabrina
2016-10-10 16:55 - 2011-12-23 12:16 - 00000000 ____D C:\Users\Boopers
2016-10-10 16:55 - 2009-07-13 23:20 - 00000000 ____D C:\Windows\registration
2016-10-10 16:55 - 2009-07-13 23:20 - 00000000 ____D C:\Windows\inf
2016-10-07 22:35 - 2016-01-16 22:47 - 00002164 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome.lnk
2016-10-07 22:35 - 2016-01-16 22:47 - 00002152 _____ C:\Users\Public\Desktop\Google Chrome.lnk
 
==================== Files in the root of some directories =======
 
2016-07-29 17:53 - 2016-07-29 17:53 - 7065600 _____ () C:\Program Files (x86)\GUT75EC.tmp
2016-02-09 22:00 - 2016-02-09 22:00 - 6871040 _____ () C:\Program Files (x86)\GUTCFDD.tmp
2011-12-22 17:35 - 2011-12-22 17:36 - 0004608 _____ () C:\Users\Owner\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
2011-12-22 16:07 - 2011-12-22 16:07 - 0007602 _____ () C:\Users\Owner\AppData\Local\Resmon.ResmonCfg
 
Files to move or delete:
====================
C:\Users\Owner\AppData\Local\Temp\{43A32389-59A8-450F-921F-28B68E4F112C}\Upgrade.exe
 
 
Some files in TEMP:
====================
C:\Users\Owner\AppData\Local\Temp\tmp-drivermax10907469.exe
 
 
==================== Bamital & volsnap ======================
 
(There is no automatic fix for files that do not pass verification.)
 
C:\Windows\system32\winlogon.exe => File is digitally signed
C:\Windows\system32\wininit.exe => File is digitally signed
C:\Windows\SysWOW64\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\system32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\system32\services.exe => File is digitally signed
C:\Windows\system32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\system32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\system32\rpcss.dll => File is digitally signed
C:\Windows\system32\dnsapi.dll => File is digitally signed
C:\Windows\SysWOW64\dnsapi.dll => File is digitally signed
C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed
 
 
LastRegBack: 2016-10-23 18:28
 
==================== End of FRST.txt ============================

Edited by largemarje, 28 October 2016 - 05:13 PM.

#2
pystryker

    Trusted Helper

  • Malware Removal
  • 3,886 posts
Hello and welcome to Geeks To Go! My nickname is Pystryker :), and I will be helping you with your issue today.


Before we get started, I have a few things I need to go over with you
  • If you are receiving help for this issue at another forum, please let me know so I can close this thread.
  • Please download all requested tools to your Desktop and run them from there.
  • Please do not install any new software during the cleaning process other than the tools I provide for you. This can hinder the cleaning process.
  • At the top of your post, please click on the "Follow this topic" button and make sure that the "Received notification" box is checked and set to "Instantly". This will send an email to you as soon as I reply to your topic, allowing us to solve your problem faster.
  • If any of your security programs give you a warning about any tool I ask you to use, please do not worry. All the links and tools I provide to you will be safe.
  • Please do not run any tools other than the ones I ask you to, when I ask you to. Some of these tools can be very dangerous if used improperly. Also, if you use a tool that I have not requested you use, it can cause false positives, thereby delaying the complete cleaning of your machine.
  • This is a complicated process. It requires several steps, patience, and careful following of my instructions in the order they are given to diagnose your problems to get your machine back in working order.
  • Please stay with me until the end of all steps and procedures and I declare your system clean. Just because there is a lack of symptoms does not indicate a clean machine. I promise to do the same for you.
  • It is impossible for me to know what interactions may happen between your computer's software and the tools we will use to clean your machine. Therefore, I highly recommend you backup any critical personal files on your machine before we start.
  • If you have any questions at all, please don't hesitate to ask. There's no such thing as a stupid question when dealing with malware.
  • If you are unsure of an instruction I give you, or if something unexpected occurs, Do NOT proceed! Stop and ask for clarification of the instruction or tell me what occurred.
  • Please remember, the fixes are for your machine and your machine ONLY! Do not use these fixes on any other machine, each fix is tailor made for your system only. Using a fix on another machine can and will cause serious damage.
  • Once we have cleaned your machine, we'll have some cleanup and prevention steps to go through. We will also provide you with some information about how to reduce your chances of infection and get some protections in place to help defend you against this in the future.
  • Please be patient while I am analyzing your logs. I know you are probably scared and very frustrated with this problem, but I am a volunteer and sometimes life does get in the way. :)
Special note: Please know that I am against pirating software in any form. Having pirated software on your machine is a direct violation of the Terms of Service you agreed to when creating your account.

If pirated software, key gens, or programs like KMS are found on your machine, you will be asked to remove it. Refusing to do so will result in termination of assistance with your malware issues.


Now, let's get started, shall we? :thumbsup:


Please disable your antivirus for the duration of my instructions. Don't forget to re-enable it after you have completed the steps.


Step 1: Fix with FRST
  • Open Notepad (Start => All Programs => Accessories => Notepad). Please copy the entire contents of the code box below. (To do this, highlight the contents of the box, right-click on it and select Copy.)
  • Right-click in the open Notepad window and select Paste.
  • Save it on the desktop as fixlist.txt

    NOTE: It's important that both files, FRST/FRST64 and fixlist.txt, are in the same location or the fix will not work.

Start
CreateRestorePoint:
CloseProcesses:
HKU\S-1-5-21-149484379-1133455542-3790709413-1000\...\Run: [Norton Download Manager{N360REMEXE-SHPD-FSD5183}] => C:\Users\Owner\AppData\Local\Temp\{43A32389-59A8-450F-921F-28B68E4F112C}\Upgrade.exe [2034040 2015-07-27] (Symantec Corporation) <===== ATTENTION
HKU\S-1-5-21-149484379-1133455542-3790709413-1000\...\Run: [DriverMax_RESTART] => [X]
GroupPolicy\User: Restriction <======= ATTENTION
GroupPolicyUsers\S-1-5-21-149484379-1133455542-3790709413-1002\User: Restriction <======= ATTENTION
GroupPolicyUsers\S-1-5-21-149484379-1133455542-3790709413-1001\User: Restriction <======= ATTENTION
BHO-x32: Norton Vulnerability Protection -> {6D53EC84-6AAE-4787-AEEE-F4628F01010C} -> C:\Program Files (x86)\Norton 360\Engine\20.6.0.27\IPS\IPSBHO.DLL => No File
C:\Users\Owner\AppData\Local\Temp\{43A32389-59A8-450F-921F-28B68E4F112C}\Upgrade.exe
C:\Users\Owner\AppData\Local\Temp\tmp-drivermax10907469.exe
CMD: netsh advfirewall reset
CMD: netsh advfirewall set allprofiles state on
CMD: ipconfig /flushdns
Emptytemp:
End


NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.


Run FRST and press the Fix button just once and wait. The tool will make a log on the desktop (Fixlog.txt); please post it in your next reply.


Step 2: Junkware Removal Tool

Please download Junkware Removal Tool to your desktop.
  • Shut down your protection software now to avoid potential conflicts.
  • Run the tool by double-clicking it. If you are using Windows Vista, 7, or 8; instead of double-clicking, right-mouse click JRT.exe and select "Run as Administrator".
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete depending on your system's specifications.
  • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
  • Post the contents of JRT.txt into your next message.
Step 3: AdwCleaner

Download AdwCleaner by clicking here. Please save it to your Desktop.

  • Double-click (Vista and 7 users: right-click) the adwcleaner.exe file and click Run as Administrator, then accept the UAC prompt to run AdwCleaner.
  • Once AdwCleaner's control panel is open and it says "Waiting for Action", click on Options at the top of the control panel.
  • Please Check the following options:
    • Reset Proxy Settings
    • Reset Winsock Settings
    • Reset TCP/IP Settings
    • Reset Firewall Settings
    • Reset IPSec Settings
    • Reset BITS Queue
    • Reset Internet Explorer Policies
    • Reset Chrome Policies
  • Close any open windows or browsers.
  • Pause your Anti-Virus program if it is running.
  • Once it starts, click on the Scan button.
  • Let the scan complete itself. This may take a few minutes.
  • Once the scan has finished, it will say "Pending, uncheck elements you don't want to remove." Don't worry about unchecking anything; click the Cleaning button. When finished, it will ask to reboot. Please reboot.
  • When the machine has rebooted, a log will be produced. Please copy/paste that in your next reply. Here's how:
    • Click the Logfile button and the log will open. Copy and Paste the contents of the log file into your next reply.
    This report is also saved at C:\Adwcleaner
Step 4: Fresh FRST Scans
  • Start Farbar's Recovery Scan Tool, place a check in the Addition.txt box and press the Scan button.
  • FRST will scan your system and produce two logs: FRST.txt and Addition.txt. Please post them in your next reply.
Things I need to see in your next post:

Please post each of these logs as a separate reply in this thread.

Fixlog.txt Log

Junkware Removal Tool Log

AdwCleaner Log

Fresh FRST.txt Log

Fresh Addition.txt Log
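The fixlist above removes two autorun entries that FRST marked with ATTENTION: one launching an executable out of a Temp folder, and one ([X]) whose target file no longer exists. As an added example, not part of the thread or of FRST itself, the following Python parses FRST-style Run lines and applies those two checks plus a "no publisher recorded" check; the sample lines are constructed in the format shown in this thread (the third is a made-up clean entry for contrast).

```python
import re

# Constructed sample lines in the FRST Run-line format shown in this thread (the third is a made-up clean entry).
SAMPLE_LINES = [
    r"HKU\S-1-5-21-149484379-1133455542-3790709413-1000\...\Run: [Norton Download Manager{N360REMEXE-SHPD-FSD5183}] => C:\Users\Owner\AppData\Local\Temp\{43A32389-59A8-450F-921F-28B68E4F112C}\Upgrade.exe [2034040 2015-07-27] (Symantec Corporation) <===== ATTENTION",
    r"HKU\S-1-5-21-149484379-1133455542-3790709413-1000\...\Run: [DriverMax_RESTART] => [X]",
    r"HKLM\...\Run: [ExampleTray] => C:\Program Files\Example\tray.exe [123456 2016-01-01] (Example Vendor)",
]

RUN_LINE = re.compile(r"^(?P<key>HK\S*?)\\Run: \[(?P<name>[^\]]*)\] => (?P<rest>.*)$")
TEMP_DIRS = {"temp", "tmp"}

def parse_run_line(line):
    """Return {key, name, path, publisher} for an FRST Run line, else None."""
    m = RUN_LINE.match(line.strip())
    if not m:
        return None
    # Drop FRST's own "<===== ATTENTION" marker before reading the target.
    rest = re.sub(r"\s*<=+\s*ATTENTION\s*$", "", m.group("rest"))
    entry = {"key": m.group("key"), "name": m.group("name"), "path": None, "publisher": None}
    if rest == "[X]":  # FRST's marker for a value whose target file no longer exists
        return entry
    entry["path"] = rest.split(" [", 1)[0].strip('"')   # text before "[size date]"
    pub = re.search(r"\(([^()]*)\)\s*$", rest)            # trailing "(Publisher)"
    entry["publisher"] = pub.group(1) if pub and pub.group(1) else None
    return entry

def flag_entry(entry):
    """List the reasons an autorun entry deserves a closer look (empty if none)."""
    reasons = []
    if entry["path"] is None:
        reasons.append("target missing (orphaned Run value)")
        return reasons
    if TEMP_DIRS & {p.lower() for p in entry["path"].split("\\")}:
        reasons.append("launches from a Temp directory")
    if entry["publisher"] is None:
        reasons.append("no publisher recorded")
    return reasons

def review_run_lines(lines):
    """Map each suspicious Run value name to its reasons; clean entries are omitted."""
    findings = {}
    for line in lines:
        entry = parse_run_line(line)
        reasons = flag_entry(entry) if entry else []
        if reasons:
            findings[entry["name"]] = reasons
    return findings

if __name__ == "__main__":
    for name, reasons in review_run_lines(SAMPLE_LINES).items():
        print(f"{name}: {'; '.join(reasons)}")
```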


#3 pystryker (Trusted Helper, Malware Removal, 3,886 posts)

Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.

