Cyber Tech Help Support Forums > Software > Malware Removal

  #31  
May 2nd, 2018, 11:32 PM
olgun52
Malware Removal Team
 
Join Date: Feb 2014
O/S: Windows 10 Pro
Location: Europa
Posts: 1,920
Quote:
Originally Posted by luzchurch
When I try to run the Combofix program, partway through I get the message saying I have two virus programs (Security Essentials and Avast) running. But in one of your previous posts you had advised me to delete all anti virus programs except one and I did delete Avast. I looked in the Control panel but Avast is not listed. I did a search of Avast but nothing showed up. Then why is this message asking me to disable Avast? The message also warns that I am taking a risk if I continue without disabling the anti virus. Please advise. Thanks.
Please run avastclear.exe.
https://www.avast.com/uninstall-utility
-----------------------

Disable Microsoft Security Essentials antivirus software.

-----------------------

Restart your computer in Safe Mode. And please try to run rkill and combofix again.


  #32  
May 3rd, 2018, 06:36 PM
luzchurch
Senior Member
 
Join Date: Nov 2004
Posts: 333
I used the uninstaller for Avast and uninstalled the Security essentials and in the safe mode ran the two scans.
The rkill scan went off without a hitch. But with the combofix scan I got the same message about Avast and Security essentials. Here are the two reports:

ComboFix 18-03-14.01 - owner 05/03/2018 12:57:48.1.1 - x86 NETWORK
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.894.635 [GMT -4:00]
Running from: c:\documents and settings\owner\My Documents\Downloads\ComboFix.exe
AV: Avast Antivirus *Enabled/Updated* {7591db91-41f0-48a3-b128-1a293fd8233d}
.
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
C:\autorun.inf
c:\documents and settings\All Users\Application Data\TEMP
c:\documents and settings\All Users\ntuser.pol
c:\documents and settings\All Users\Start Menu\Programs\Internet Explorer.lnk
c:\documents and settings\All Users\Start Menu\Programs\WavePad Sound Editor.lnk
c:\documents and settings\owner\Application Data\Yahoo
c:\documents and settings\owner\Application Data\Yahoo\search.xml
c:\documents and settings\owner\Local Settings\Application Data\assembly\tmp
c:\documents and settings\owner\My Documents\~WRL0003.tmp
c:\documents and settings\owner\WINDOWS
C:\DSC03220.JPG
C:\DSC06199.jpg
C:\DSC07693A.jpg
C:\DSC07721.JPG
C:\Thumbs.db
c:\windows\inf\tabsfix.vbs
c:\windows\msdownld.tmp
c:\windows\system32\NEW1D4.tmp
c:\windows\system32\SET82.tmp
c:\windows\system32\SET86.tmp
c:\windows\system32\SET87.tmp
c:\windows\system32\SET8E.tmp
c:\windows\system32\SET97.tmp
c:\windows\system32\SET99.tmp
c:\windows\system32\SET9C.tmp
c:\windows\winhelp.ini
c:\windows\wininit.ini
E:\AUTORUN.INF
E:\install.exe
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_NETHFDRV
.
.
((((((((((((((((((((((((( Files Created from 2018-04-03 to 2018-05-03 )))))))))))))))))))))))))))))))
.
.
2018-04-25 20:07 . 2018-04-25 20:07 222648 ----a-w- c:\windows\system32\drivers\63246504.sys
2018-04-25 20:06 . 2018-04-25 20:06 150816 ----a-w- c:\windows\system32\drivers\mbamchameleon.sys
2018-04-24 20:18 . 2018-04-24 20:19 -------- d-----w- c:\program files\RogueKiller
2018-04-24 20:10 . 2018-04-24 20:11 -------- d-----w- c:\program files\Common Files\Adobe
2018-04-23 22:12 . 2018-04-25 20:52 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes' Anti-Malware (portable)
2018-04-17 12:30 . 2006-11-02 14:46 39936 ----a-w- C:\dwmapi.dll
2018-04-13 11:36 . 2018-04-13 11:36 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Sun
2018-04-11 12:40 . 2018-04-11 12:40 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Zemana
2018-04-09 21:23 . 2018-04-09 21:21 1142072 ----a-w- c:\windows\ucrtbase.dll
2018-04-09 21:17 . 2018-05-03 00:33 -------- d-----w- c:\documents and settings\All Users\Application Data\AVAST Software
2018-04-08 14:12 . 2018-04-09 22:10 -------- d-----w- c:\documents and settings\All Users\Application Data\Enigma Software Group
2018-04-08 14:11 . 2018-04-08 14:11 -------- d-----w- C:\sh4ldr
2018-04-08 14:08 . 2018-04-08 14:08 19984 ----a-w- c:\windows\system32\drivers\EsgScanner.sys
2018-04-08 14:08 . 2018-04-08 14:08 -------- d-----w- c:\program files\Enigma Software Group
2018-04-07 10:59 . 2018-04-12 12:42 -------- d-----w- c:\program files\frgtrh
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2018-04-29 22:09 . 2017-03-28 15:44 24688 ----a-w- c:\windows\system32\drivers\TrueSight.sys
2018-04-25 20:03 . 2013-04-10 14:22 804864 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2018-04-25 20:03 . 2013-04-10 14:22 144896 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"OfficeSyncProcess"="c:\program files\Microsoft Office\Office14\MSOSYNC.EXE" [2015-09-02 721504]
"CCleaner Monitoring"="c:\program files\CCleaner\CCleaner.exe" [2018-04-09 12762872]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Onboard"="c:\program files\Western Digital\WD SmartWare\BackupTask.exe" [2016-04-19 432488]
"WD Quick View"="c:\program files\Western Digital\WD Quick View\WDDMStatus.exe" [2016-04-19 5571944]
"WD Drive Unlocker"="c:\program files\Western Digital\WD Security\WDDriveAutoUnlock.exe" [2014-10-23 1694048]
"TkBellExe"="c:\program files\Real\RealPlayer\update\realsched.exe" [2016-12-10 295512]
"RTHDCPL"="RTHDCPL.EXE" [2008-05-16 16862720]
"nwiz"="nwiz.exe" [2008-02-25 1626112]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-02-25 81920]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-02-25 8491008]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2015-09-12 157456]
"EPSON Stylus CX5400 (Copy 1)"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_S4I2G1.EXE" [2003-05-26 99840]
"EPSON Stylus CX5400"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_S4I2G1.EXE" [2003-05-26 99840]
"DWPersistentQueuedReporting"="c:\program files\Common Files\Microsoft Shared\DW\DWTRIG20.EXE" [2013-03-06 520424]
"DLADiag"="c:\windows\DLADiag.EXE" [2005-08-25 57403]
"DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" [2013-02-13 1263952]
"DivXMediaServer"="c:\program files\DivX\DivX Media Server\DivXMediaServer.exe" [2013-03-28 450560]
"CDAServer"="c:\program files\Common Files\Common Desktop Agent\CDASrv.exe" [2014-09-08 351968]
"CanonSolutionMenuEx"="c:\program files\Canon\Solution Menu EX\CNSEMAIN.EXE" [2010-04-02 1185112]
"CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2010-03-24 2516296]
"BCSSync"="c:\program files\Microsoft Office\Office14\BCSSync.exe" [2012-11-05 89184]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2015-03-20 60712]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2014-05-08 959904]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2013-03-06 520424]
.
c:\documents and settings\owner\Start Menu\Programs\Startup\
OneNote 2010 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office14\ONENOTEM.EXE /tsr [2015-10-13 228552]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLinkedConnections"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders c:\windows\system32\MSAPSSPC.DLL, c:\windows\system32\SCHANNEL.DLL, c:\windows\system32\DIGEST.DLL, c:\windows\system32\MSNSSPC.DLL
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro37]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro37.sys]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\HitmanPro37Crusader]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\HitmanPro37CrusaderBoot]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Intuit\\QuickBooks 2009\\QBDBMgrN.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\SAGENT4.EXE"=
"c:\\Program Files\\Microsoft Office\\Office14\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office14\\ONENOTE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office14\\OUTLOOK.EXE"=
"c:\\WINDOWS\\system32\\mmc.exe"=
"c:\\Program Files\\Samsung\\Easy Printer Manager\\IDS.Application.exe"=
"c:\\Program Files\\Samsung\\Easy Printer Manager\\OrderSupplies.exe"=
"c:\\Program Files\\Samsung\\Easy Printer Manager\\IDSAlert.exe"=
"c:\\Program Files\\Samsung\\Easy Printer Manager\\uninstall.exe"=
"c:\\Program Files\\Samsung\\Easy Printer Manager\\CDAS2PC\\CDAS2PC.exe"=
"c:\\Program Files\\Samsung\\Easy Printer Manager\\CDAS2PC\\ScanProcess.exe"=
"c:\\Program Files\\Samsung\\Easy Printer Manager\\CDAS2PC\\Scan2PCNotify.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Nero\\Nero Blu-ray Player\\Blu-rayPlayer.exe"=
"c:\\Program Files\\Nero\\KM\\NMDllHost.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"%SystemRoot%\\System32\\FTP.Exe"=
"c:\\Program Files\\Google\\Chrome\\Application\\chrome.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5985:TCP"= 5985:TCP:*isabled:Windows Remote Management
"500:UDP"= 500:UDP:*isabled:@%SystemRoot%\\System32\\XPSP2Res.Dll,-22017
"1701:UDP"= 1701:UDP:*isabled:@%SystemRoot%\\System32\\XPSP2Res.Dll,-22016
"1723:TCP"= 1723:TCP:*isabled:@%SystemRoot%\\System32\\XPSP2Res.Dll,-22015
"4500:UDP"= 4500:UDP:*isabled:@%SystemRoot%\\System32\\XPSP2Res.Dll,-22018
"8501:TCP"= 8501:TCP:NovaPDFTCPPortException
"8501:UDP"= 8501:UDP:NovaPDFUDPPortException
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\RemoteAdminSettings]
"Enabled"= 1 (0x1)
"RemoteAddresses"= LocalSubnet
.
R1 DLADiagN;DLADiagN;c:\windows\system32\drivers\DLADiagN.SYS [10/19/2017 5:22 PM 10908]
R1 DLAPMonN;DLAPMonN;c:\windows\system32\drivers\DLAPMonN.SYS [10/19/2017 5:22 PM 22812]
R1 ElRawDisk;ElRawDisk;c:\windows\system32\drivers\rsdrv.sys [3/15/2016 12:21 PM 22312]
R2 Microsoft DirectX Configuration Service;Microsoft DirectX Configuration Service;c:\windows\system32\dxconfig.exe [4/6/2016 7:18 PM 64512]
R2 NAUpdate;Nero Update;c:\program files\Nero\Update\NASvc.exe [7/7/2015 3:57 PM 785904]
R2 NovaPdfServer;novaPDF Server;c:\program files\Softland\novaPDF 8\Server\novapdfs.exe [8/16/2017 2:19 PM 53176]
R2 RealNetworks Downloader Resolver Service;RealNetworks Downloader Resolver Service;c:\program files\RealNetworks\RealDownloader\rndlresolversvc.exe [8/14/2013 4:19 PM 39056]
R2 SSPORT;SSPORT;c:\windows\system32\drivers\SSPORT.sys [7/19/2012 1:16 AM 5120]
R2 WDBackup;WD Backup;c:\program files\Western Digital\WD SmartWare\WDBackupEngine.exe [4/19/2016 12:19 PM 1049464]
R2 WDDriveService;WD Drive Manager;c:\program files\Western Digital\WD Drive Manager\WDDriveService.exe [4/19/2016 12:07 PM 314744]
R3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam_prewin8.sys [7/13/2016 7:28 PM 20256]
S0 Cdr4vsd;Cdr4vsd;c:\windows\system32\drivers\CDR4VSD.SYS [8/26/2014 4:54 PM 72032]
S1 DumpDrv;Crash Dump Driver;c:\windows\system32\drivers\dumpdrv.sys [4/17/2017 10:48 AM 9472]
S1 ZAM;ZAM Helper Driver;\??\c:\windows\System32\drivers\zam32.sys --> c:\windows\System32\drivers\zam32.sys [?]
S1 ZAM_Guard;ZAM Guard Driver;\??\c:\windows\System32\drivers\zamguard32.sys --> c:\windows\System32\drivers\zamguard32.sys [?]
S2 SpyHunter 4 Service;SpyHunter4 Service;c:\program files\Enigma Software Group\SpyHunter\SH4Service.exe [4/8/2018 10:08 AM 685752]
S3 Apowersoft_AudioDevice;Apowersoft_AudioDevice;c:\windows\system32\drivers\Apowersoft_AudioDevice.sys [6/28/2015 10:39 AM 26032]
S3 esgiguard;esgiguard;c:\program files\Enigma Software Group\SpyHunter\esgiguard.sys [4/8/2018 10:08 AM 15920]
S3 EsgScanner;EsgScanner;c:\windows\system32\drivers\EsgScanner.sys [4/8/2018 10:08 AM 19984]
S3 uti0odgx;AVZ Kernel Driver;c:\windows\system32\drivers\uti0odgx.sys [4/11/2017 7:43 AM 7168]
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]
2018-05-03 16:39 1106072 ----a-w- c:\program files\Google\Chrome\Application\49.0.2623.112\Installer\chrmstp.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{CC83D544-1125-C7EE-8688-26B699B123B5}]
2009-03-08 09:32 128512 ----a-w- c:\windows\system32\advpack.dll
.
Contents of the 'Scheduled Tasks' folder
.
2018-04-25 c:\windows\Tasks\Adobe Flash Player NPAPI Notifier.job
- c:\windows\system32\Macromed\Flash\FlashUtil32_29_0_0_140_Plugin.exe [2018-04-25 20:03]
.
2018-05-03 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2013-04-10 20:03]
.
2018-05-03 c:\windows\Tasks\CCleaner Update.job
- c:\program files\CCleaner\CCUpdate.exe [2018-04-09 21:24]
.
2018-05-03 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2013-04-09 14:03]
.
2018-05-03 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2013-04-09 14:03]
.
2018-05-02 c:\windows\Tasks\novaPDF Reactivation.job
- c:\program files\Softland\novaPDF 8\Driver\ActivationClient.exe [2017-08-16 18:18]
.
2018-05-01 c:\windows\Tasks\RealDownloaderDownloaderScheduledTaskS-1-5-21-507921405-1284227242-1417001333-1003.job
- c:\program files\RealNetworks\RealDownloader\recordingmanager.exe [2013-08-14 20:19]
.
2018-05-03 c:\windows\Tasks\RealDownloaderRealUpgradeLogonTaskS-1-5-21-507921405-1284227242-1417001333-1003.job
- c:\program files\RealNetworks\RealDownloader\realupgrade.exe [2013-08-14 20:19]
.
2018-05-03 c:\windows\Tasks\RealDownloaderRealUpgradeScheduledTaskS-1-5-21-507921405-1284227242-1417001333-1003.job
- c:\program files\RealNetworks\RealDownloader\realupgrade.exe [2013-08-14 20:19]
.
2018-05-03 c:\windows\Tasks\RealPlayerRealUpgradeLogonTaskS-1-5-21-507921405-1284227242-1417001333-1003.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2013-08-14 22:13]
.
2018-05-03 c:\windows\Tasks\RealPlayerRealUpgradeScheduledTaskS-1-5-21-507921405-1284227242-1417001333-1003.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2013-08-14 22:13]
.
2018-05-03 c:\windows\Tasks\User_Feed_Synchronization-{F0F3B82B-776E-484E-ADF4-E0E06392C8AE}.job
- c:\windows\system32\msfeedssync.exe [2009-03-08 09:31]
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
TCP: DhcpNameServer = 192.168.0.1
Handler: intu-tt2013 - {9FF5EC07-1645-43BF-828F-C73CFA7BC1AF} - c:\program files\TurboTax 2013\ic2013pp.dll
FF - ProfilePath - c:\documents and settings\owner\Application Data\Mozilla\Firefox\Profiles\roadneos.default\
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-Locked - (no file)
SafeBoot-MBAMService
MSConfigStartUp-AvastUI - c:\program files\AVAST Software\Avast\AvLaunch.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2018-05-03 13:14
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_23_0_0_207_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_23_0_0_207_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}]
@Denied: (A 2) (Everyone)
@="IFlashBroker6"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(3576)
c:\windows\system32\WININET.dll
c:\windows\system32\nview.dll
c:\progra~1\COMMON~1\MICROS~1\OFFICE14\Cultures\office.odf
c:\progra~1\MICROS~3\Office14\1033\GrooveIntlResource.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\msi.dll
c:\windows\system32\WPDShServiceObj.dll
c:\program files\Microsoft Virtual PC\VPCShExH.DLL
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\rundll32.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Canon\IJPLM\IJPLMSVC.EXE
c:\windows\system32\nvsvc32.exe
c:\windows\RTHDCPL.EXE
c:\windows\system32\RUNDLL32.EXE
c:\windows\system32\rundll32.exe
c:\program files\Microsoft Office\Office14\ONENOTEM.EXE
c:\program files\iPod\bin\iPodService.exe
c:\windows\system32\wbem\wmiapsrv.exe
.
**************************************************************************
.
Completion time: 2018-05-03 13:19:57 - machine was rebooted
ComboFix-quarantined-files.txt 2018-05-03 17:19
.
Pre-Run: 16,373,497,856 bytes free
Post-Run: 15,258,296,320 bytes free
.
- - End Of File - - 29F20808D6BEB9642D8EB658C25A0B9A
8F558EB6672622401DA993E1E865C861


Rkill 2.9.1 by Lawrence Abrams (Grinler)
http://www.bleepingcomputer.com/
Copyright 2008-2018 BleepingComputer.com
More Information about Rkill can be found at this link:
http://www.bleepingcomputer.com/forums/topic308364.html

Program started at: 05/03/2018 12:49:24 PM in x86 mode. (Safe Mode)
Windows Version: Microsoft Windows XP Service Pack 3

Checking for Windows services to stop:

* No malware services found to stop.

Checking for processes to terminate:

* No malware processes found to kill.

Checking Registry for malware related settings:

* No issues found in the Registry.

Resetting .EXE, .COM, & .BAT associations in the Windows Registry.

Performing miscellaneous checks:

* No issues found.

Searching for Missing Digital Signatures:

* No issues found.

Checking HOSTS File:

* HOSTS file entries found:

127.0.0.1 localhost

Program finished at: 05/03/2018 12:50:53 PM
Execution time: 0 hours(s), 1 minute(s), and 28 seconds(s)
  #33  
May 5th, 2018, 07:29 PM
olgun52
Malware Removal Team
 
Join Date: Feb 2014
O/S: Windows 10 Pro
Location: Europa
Posts: 1,920
Please do this,

Please go to: VirusTotal
On the page you'll find a "Upload and scan file" button.
Click on the "Upload and scan file" button.
"Choose File"

C:\dwmapi.dll
c:\windows\ucrtbase.dll
Next, click the Open button.
This will scan the file. Please be patient.
Once scanned, copy and paste the link to the results page in your next reply.
Do these operations one by one for each file I give you.

Regards.
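The hash-based lookup behind the VirusTotal step, as an added example that is not part of this thread or of olgun52's instructions: the script computes a file's SHA-256 locally and builds the VirusTotal lookup URL for that digest, so an analyst can first check whether a file is already known before uploading anything, and it normalizes digests pasted from forum posts, where forum software often inserts a space into a long string. It assumes the VirusTotal web UI resolves https://www.virustotal.com/gui/file/<sha256>, and the sample files it hashes are constructed in a temporary directory.

```python
"""Added example (not from the thread): local SHA-256 plus VirusTotal hash lookup links.

Assumptions: the VirusTotal web UI resolves https://www.virustotal.com/gui/file/<sha256>
(assumed URL pattern); the sample files in demo() are constructed for the demonstration.
"""
import hashlib
import os
import re
import tempfile

VT_FILE_URL = "https://www.virustotal.com/gui/file/{}"  # assumed public URL pattern
SHA256_RE = re.compile(r"[0-9a-f]{64}")


def sha256_of_file(path, chunk_size=1 << 20):
    """Hash the file in chunks so large binaries never have to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def normalize_hash(text):
    """Remove whitespace (forum line-wrapping) and lower-case the string.

    Returns the clean 64-hex digest, or None if what remains is not a SHA-256
    (an MD5 or SHA-1 pasted by mistake is rejected rather than looked up).
    """
    candidate = re.sub(r"\s+", "", text).lower()
    return candidate if SHA256_RE.fullmatch(candidate) else None


def vt_link(text):
    """Return the VirusTotal lookup URL for a (possibly wrapped) SHA-256."""
    digest = normalize_hash(text)
    if digest is None:
        raise ValueError("not a SHA-256 digest: %r" % text)
    return VT_FILE_URL.format(digest)


def report(paths):
    """Map each readable file to (sha256, VirusTotal URL); unreadable files map to None."""
    result = {}
    for path in paths:
        try:
            digest = sha256_of_file(path)
        except OSError:
            result[path] = None  # missing file or access denied: record it, do not abort
            continue
        result[path] = (digest, vt_link(digest))
    return result


def demo():
    """Hash two constructed sample files plus one missing path and return the report."""
    with tempfile.TemporaryDirectory() as tmp:
        empty = os.path.join(tmp, "empty.bin")      # constructed: zero-byte file
        abc = os.path.join(tmp, "abc.bin")          # constructed: the bytes b"abc"
        open(empty, "wb").close()
        with open(abc, "wb") as fh:
            fh.write(b"abc")
        missing = os.path.join(tmp, "does-not-exist.dll")  # constructed: never created
        return report([empty, abc, missing])


if __name__ == "__main__":
    for path, entry in demo().items():
        print(path, "->", entry)
```

Looking a file up by digest leaves the file on the analyst's machine; only if the digest is unknown to VirusTotal does an upload become necessary, which matters when the file may contain private data.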
  #34  
May 6th, 2018, 02:48 AM
luzchurch
Senior Member
 
Join Date: Nov 2004
Posts: 333
Are these the two links?

SHA-256 e55b99d395b863d882e0a76f0004bf32e26c9f1332d918ec2b5c8bc10c025e16
SHA-256 0bb8c77de80acf9c43de59a8fd75e611cc3eb8200c69f11e94389e8af2ceb7a9
  #35  
May 8th, 2018, 12:30 AM
olgun52
Malware Removal Team
 
Join Date: Feb 2014
O/S: Windows 10 Pro
Location: Europa
Posts: 1,920
No. Did you do a VirusTotal scan after you chose the files? Select the file and have VirusTotal scan it. For both files, and separately.
  #36  
May 8th, 2018, 08:53 PM
luzchurch
Senior Member
 
Join Date: Nov 2004
Posts: 333
Okay. This is what happens when I click on Virustotal. The next page I see does not have the Upload and scan button. It only has a Choose file button, which I clicked. It then took me to a page that had 4 columns - Detection, Details, Relations and Community. This time I clicked on Details and am posting the text below. It did not create any file on the desktop. Let me know if this is what you are looking for. If so I will scan the other file and post the details. Thanks.

0 / 67
File published by a trusted developer
SHA-256 e55b99d395b863d882e0a76f0004bf32e26c9f1332d918ec2b5c8bc10c025e16
File name dwmapi.dll
File size 39 KB
Last analysis 2018-03-16 02:20:53 UTC
Detection
Details
Relations
Community
Basic Properties
MD5
5c8d22f3e0b49216c9d2e71bdf202218
SHA-1
ffa0693725e6925152c0111cace6e94c50fd46d6
Authentihash
b49b9b7e322ccc73959d9dcff758ade6111e539c267659760363a9a2c015ad36
Imphash
36c938b9c484948624ccab6704d352cc
File Type
Win32 DLL
Magic
PE32 executable for MS Windows (DLL) (GUI) Intel 80386 32-bit
SSDeep
768:Ephkj+jYmMsHk8Z9QmIZjPqC72R9VuGfeFY2:EjcMhFIhPqCaVuGfeF
TRiD
Win64 Executable (generic) (61.7%)
Win32 Dynamic Link Library (generic) (14.7%)
Win32 Executable (generic) (10%)
OS/2 Executable (generic) (4.5%)
Generic Win/DOS Executable (4.4%)
File Size
39 KB
Tags
nsrlpedlltrusted
History
Creation Time
2006-11-02 09:40:52
First Seen In The Wild
2006-11-02 00:39:42
First Submission
2009-11-20 18:19:29
Last Submission
2016-06-05 13:38:13
Last Analysis
2018-03-16 02:20:53
Debug Artifacts
2006-11-02 12:39:42
File names

dwmapi.dll
x86_microsoft-windows-d..opwindowmanager-api_31bf3856ad364e35_6.0.6000.16386_none_ddd8229143124a20_dwmapi.dll_2f4f8b34
5c8d22f3e0b49216c9d2e71bdf202218
file-2008649_dll
file-3572263_dll
E55B99D395B863D882E0A76F0004BF32E26C9F1332D918EC2B5C8BC10C025E16

Trusted Source
Organization
Microsoft Corporation
File name
dwmapi.dll
Signature Info
Signature Verification
This file is not signed
File Version Information
Copyright
© Microsoft Corporation. All rights reserved.
Product
Microsoft® Windows® Operating System
Description
Microsoft Desktop Window Manager API
Original Name
dwmapi.dll
Internal Name
dwmapi.dll
File Version
6.0.6000.16386 (vista_rtm.061101-2205)
National Software Reference Library Info
Products

Installed Vista Ultimate (Microsoft)

File Names

dwmapi.dll, x86_microsoft-windows-d..opwindowmanager-api_31bf3856ad364e35_6.0.6000.16386_none_ddd8229143124a20_dwmapi.dll_2f4f8b34

Portable Executable Info
Header
Target Machine
Intel 386 or later processors and compatible processors
Compilation Timestamp
2006-11-02 09:40:52
Entry Point
6928
Contained Sections
4
Sections
Name
Virtual Address
Virtual Size
Raw Size
Entropy
MD5
.text
4096
27827
28160
6.55
eb22cab150ea7f4259a7f6e97d28eed8
.data
32768
7360
7680
0.08
ecf9ec15aac095ec7f07968db8952fb4
.rsrc
40960
1048
1536
2.51
f372192cb20164c4968e26dd6165fa28
.reloc
45056
1284
1536
6.03
ae0a60d985391a7c9cd58fb7e874c257
Imports

ADVAPI32.dll
GDI32.dll
KERNEL32.dll
USER32.dll
msvcrt.dll

ntdll.dll

Exports

DwmAttachMilContent
DwmDefWindowProc
DwmDetachMilContent
DwmEnableBlurBehindWindow
DwmEnableComposition
DwmEnableMMCSS
DwmExtendFrameIntoClientArea
DwmFlush
DwmGetColorizationColor
DwmGetCompositionTimingInfo

Contained Resources By Type
RT VERSION
1
Contained Resources By Language
ENGLISH US
1
Contained Resources
SHA-256
File Type
Type
Language
8945f9eb4cdde6f2d35c10f11f133700395511a05ffbf7bd2b7015a589ee614c
data
RT_VERSION
ENGLISH US
Debug Artifacts
Path
dwmapi.pdb
GUID
36e9264c-14de-4414-a771-1245a90f86b6
ExifTool File Metadata
CharacterSet
Unicode
CodeSize
28160
CompanyName
Microsoft Corporation
EntryPoint
0x1b10
FileDescription
Microsoft Desktop Window Manager API
FileFlagsMask
0x003f
FileOS
Windows NT 32-bit
FileSubtype
0
FileType
Win32 DLL
FileTypeExtension
dll
FileVersion
6.0.6000.16386 (vista_rtm.061101-2205)
FileVersionNumber
6.0.6000.16386
ImageVersion
6.0
InitializedDataSize
10752
InternalName
dwmapi.dll
LanguageCode
English (U.S.)
LegalCopyright
Microsoft Corporation. All rights reserved.
LinkerVersion
8.0
MIMEType
application/octet-stream
MachineType
Intel 386 or later, and compatibles
OSVersion
6.0
ObjectFileType
Dynamic link library
OriginalFileName
dwmapi.dll
PEType
PE32
ProductName
Microsoft Windows Operating System
ProductVersion
6.0.6000.16386
ProductVersionNumber
6.0.6000.16386
Subsystem
Windows GUI
SubsystemVersion
6.0
TimeStamp
2006:11:02 10:40:52+01:00
UninitializedDataSize
0
  #37  
May 8th, 2018, 09:48 PM
olgun52
</gr_replreplace>
<gr_replace lines="729" cat="clarify" orig="Please scan the other">
Please scan the other file now also. After the scan, please share the link in the address window.
Malware Removal Team
 
Join Date: Feb 2014
O/S: Windows 10 Pro
Location: Europa
Posts: 1,920
Quote:
Let me know if this is what you are looking for. If so I will scan the other file and post the details. Thanks.
Yes. Thanks.
Please scan the other file now also.. After the scan, please share the link on the address window.
  #38  
May 8th, 2018, 10:53 PM
luzchurch
Senior Member
 
Join Date: Nov 2004
Posts: 333
Here is the second scan:

MD5
d6326267ae77655f312d2287903db4d3

SHA-1
1268bef8e2ca6ebc5fb974fdfaff13be5ba7574f

Authentihash
4c046a25d7266b3f4d157128ffb91ca07d50e4e07eef360f556e82d5e2d90695

Imphash
1200ab27b3dc27748d0142a31f7a47c7

File Type
Win32 DLL

Magic
PE32 executable for MS Windows (DLL) (console) Intel 80386 32-bit

SSDeep
24576:bZBmnrh2YVAPROs7Bt/tX+/APcmcvIZPoy4TbK:FBmF2lIeaAPgb

TRiD
Win64 Executable (generic) (61.7%) Win32 Dynamic Link Library (generic) (14.7%) Win32 Executable (generic) (10%) OS/2 Executable (generic) (4.5%) Generic Win/DOS Executable (4.4%)

File Size
1.09 MB





Tags


pedllsignedtrustedoverlay


History


Creation Time
2054-02-08 16:22:31

First Seen In The Wild
2008-01-01 00:03:44

First Submission
2017-10-11 06:57:51

Last Submission
2018-05-03 21:51:53

Last Analysis
2018-05-03 21:51:53

Debug Artifacts
2054-02-08 21:22:31

Signature Date
2017-09-29 06:29:00





File names


  • ucrtbase.dll
  • 0bb8c77de80acf9c_ucrtbase.dll
  • ucrtbase.DLL
  • 0bb8c77de80acf9c43de59a8fd75e611cc3eb8200c69f11e94389e8af2ceb7a9.bin
  • ucrtbase.dll.1.0.0.35.new
  • D6326267AE77655F312D2287903DB4D3
  • 5ae45b87-3fb9-e711-80c0-0003ff7747d6.dll


Trusted Source


Organization
Microsoft Corporation

File name
5ae45b87-3fb9-e711-80c0-0003ff7747d6.dll





Signature Info


Signature Verification


Signed file, valid signature

File Version Information

Copyright
© Microsoft Corporation. All rights reserved.

Product
Microsoft® Windows® Operating System

Description
Microsoft® C Runtime Library

Original Name
ucrtbase.dll

Internal Name
ucrtbase.dll

File Version
10.0.16299.15 (WinBuild.160101.0800)

Date signed
6:29 AM 9/29/2017



Signers

  • Microsoft Corporation
  • Microsoft Code Signing PCA
  • Microsoft Root Certificate Authority
Counter Signers

  • Microsoft Time-Stamp Service
  • Microsoft Time-Stamp PCA
  • Microsoft Root Certificate Authority


Portable Executable Info


Header


Target Machine
Intel 386 or later processors and compatible processors

Compilation Timestamp
2054-02-08 16:22:31

Entry Point
146928

Contained Sections
5



Sections

Name
Virtual Address
Virtual Size
Raw Size
Entropy
MD5


.text
4096
1071616
1071616
6.73
392a73508d65d940d4569c8e96504b98

.data
1077248
6940
3584
2.22
0ebd0b0b9d08b860f6a58ea8d023003b

.idata
1085440
5430
5632
5.16
0003146566c49753569babcad6f2a9fe

.rsrc
1093632
1040
1536
2.47
45e6daf0dcc219f0c68f9459189fa0bb

.reloc
1097728
42532
43008
6.78
9cbfaf288b503bfd14544ffc76f97ff9



Imports

  • api-ms-win-core-console-l1-1-0.dll
  • api-ms-win-core-datetime-l1-1-0.dll
  • api-ms-win-core-debug-l1-1-0.dll
  • api-ms-win-core-errorhandling-l1-1-0.dll
  • api-ms-win-core-file-l1-1-0.dll
  • api-ms-win-core-file-l1-2-0.dll
  • api-ms-win-core-file-l2-1-0.dll
  • api-ms-win-core-handle-l1-1-0.dll
  • api-ms-win-core-heap-l1-1-0.dll
  • api-ms-win-core-interlocked-l1-1-0.dll
Exports

  • _CIacos
  • _CIasin
  • _CIatan
  • _CIatan2
  • _CIcos
  • _CIcosh
  • _CIexp
  • _CIfmod
  • _CIlog
  • _CIlog10
Contained Resources By Type

RT VERSION
1



Contained Resources By Language

ENGLISH US
1



Contained Resources

SHA-256
File Type
Type
Language


435960793d6c91d9ff4e0e9a2ae73b957ed0c3b2060f993c4a85ed1f132d6aff
data
RT_VERSION
ENGLISH US



Debug Artifacts

Path
ucrtbase.pdb

GUID
b5c7653-6dff-6ba3-ccfc-a199c0a1ac98





ExifTool File Metadata


CharacterSet
Unicode

CodeSize
1071616

CompanyName
Microsoft Corporation

EntryPoint
0x23df0

FileDescription
Microsoft C Runtime Library

FileFlagsMask
0x003f

FileOS
Windows NT 32-bit

FileSubtype
0

FileType
Win32 DLL

FileTypeExtension
dll

FileVersion
10.0.16299.15 (WinBuild.160101.0800)

FileVersionNumber
10.0.16299.15

ImageVersion
10.0

InitializedDataSize
57344

InternalName
ucrtbase.dll

LanguageCode
English (U.S.)

LegalCopyright
Microsoft Corporation. All rights reserved.

LinkerVersion
14.1

MIMEType
application/octet-stream

MachineType
Intel 386 or later, and compatibles

OSVersion
10.0

ObjectFileType
Dynamic link library

OriginalFileName
ucrtbase.dll

PEType
PE32

ProductName
Microsoft Windows Operating System

ProductVersion
10.0.16299.15

ProductVersionNumber
10.0.16299.15

Subsystem
Windows command line

SubsystemVersion
5.1

TimeStamp
2054:02:08 17:22:31+01:00

UninitializedDataSize
0

Warning
Possibly corrupt Version resource
  #39  
May 12th, 2018, 10:35 PM
olgun52
Malware Removal Team
 
Join Date: Feb 2014
O/S: Windows 10 Pro
Location: Europa
Posts: 1,920
Thanks luzchurch,

Please scan your machine with ESET OnlineScan
  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on esetsmartinstaller_enu.exe to download the ESET Smart Installer.
      Save it to your Desktop.
    • Double click on the esetsmartinstaller_enu.exe icon on your Desktop.
  • Check "YES, I accept the Terms of Use."
  • Click the Start button.
  • Accept any security warnings from your browser.
  • Under Scan Settings, check "Scan Archives" and "Remove found threats"
  • Click Advanced settings and select the following:
    • Scan potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth technology
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, click List Threats
  • Click Export, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Click the Back button.
  • Click the Finish button.
  • A log file is created at C:\Program Files\ESET\EsetOnlineScanner\log.txt.
=========================================================================
How is the machine running now and any issues ? Please let me know.

Have a nice day.