Jump to content

svchost.exe accessing malicious ip address


Recommended Posts

Hi!

Today I got multiple notifications from malwarebytes anti-malware(premium) blocking the windows process svchost.exe from accessing the ip address 89.28.26.217 , this ip address when trace came out to be of Moldova. 

As per the instructions I have pasted FRST.txt and Addition.txt

 

FRST.txt :-

 

Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 20-04-2014 02
Ran by Kshitij (administrator) on KSHITIJ-PC on 21-04-2014 13:27:10
Running from C:\Users\Kshitij\Desktop
Windows 8 Single Language (X64) OS Language: English(US)
Internet Explorer Version 10
Boot Mode: Normal
 
The only official download link for FRST:
Download link for 32-Bit version: http://www.wireshark.org)
 
==================== Restore Points  =========================
 
06-04-2014 08:07:18 Scheduled Checkpoint
10-04-2014 07:38:32 Windows Update
13-04-2014 08:20:19 Windows Update
20-04-2014 13:32:33 Scheduled Checkpoint
 
==================== Hosts content: ==========================
 
2012-07-26 10:56 - 2013-11-20 08:00 - 00000027 ____A C:\windows\system32\Drivers\etc\hosts
127.0.0.1       localhost
 
==================== Scheduled Tasks (whitelisted) =============
 
Task: {0B6EAC77-267E-4E62-B8A9-A297B5FECE75} - System32\Tasks\Lenovo\sysrun-28025 => C:\Users\Kshitij\AppData\Local\Temp\sysrun-28025.cmd <==== ATTENTION
Task: {0BA63BBA-6DDE-4B1D-A4A8-73F5A3EFBE9D} - System32\Tasks\Microsoft\Windows\Setup\Pre-staged GDR Notification => C:\Windows\system32\NotificationUI.exe [2014-01-31] (Microsoft Corporation)
Task: {1AAFF332-5C62-4558-9991-DAA649C4C9C5} - System32\Tasks\Microsoft\Windows\Sysmain\WsSwapAssessmentTask => Rundll32.exe sysmain.dll,PfSvWsSwapAssessmentTask
Task: {23A5D8BE-9196-40EB-BD89-794398B2B073} - System32\Tasks\Microsoft\Windows\WS\WSRefreshBannedAppsListTask => Rundll32.exe WSClient.dll,RefreshBannedAppsList
Task: {403B867D-609E-4391-9902-0F8341CC149B} - System32\Tasks\FacebookUpdateTaskUserS-1-5-21-4008833774-2699350555-1950638099-1002Core => C:\Users\Kshitij\AppData\Local\Facebook\Update\FacebookUpdate.exe [2014-01-09] (Facebook Inc.)
Task: {5D253B25-BC40-43D7-B79E-3FCEF8FFBDAA} - System32\Tasks\Lenovo\Lenovo-25760 => C:\ProgramData\Lenovo-25760.vbs [2013-05-11] ()
Task: {7E80AFDD-2D62-4946-A950-58F47D19AD49} - System32\Tasks\CCleanerSkipUAC => C:\Program Files\CCleaner\CCleaner.exe [2014-01-21] (Piriform Ltd)
Task: {82EC6B04-6976-4729-816A-4E820263449A} - System32\Tasks\Auslogics\BoostSpeed\Scan and Repair => Rundll32.exe TaskSchedulerHelper.dll,RunTask "BoostSpeed.exe" "-UseTray -Schedule"
Task: {A0D572F0-99F4-4B07-AECC-2E2D96445708} - System32\Tasks\Dolby Selector => C:\Program Files (x86)\Dolby Home Theater v4\pcee4.exe [2012-09-01] (Dolby Laboratories Inc.)
Task: {A72208BF-7A49-4FB8-B684-252375F3443A} - System32\Tasks\Microsoft\Windows\WS\License Validation => Rundll32.exe WSClient.dll,WSpTLR licensing
Task: {A7FF707F-95C5-4646-A13A-B498C1CFEF80} - System32\Tasks\GoogleUpdateTaskUserS-1-5-21-4008833774-2699350555-1950638099-1002UA => C:\Users\Kshitij\AppData\Local\Google\Update\GoogleUpdate.exe [2013-07-13] (Google Inc.)
Task: {BE312D34-9F75-4D97-8B29-26ED4E04F0E7} - System32\Tasks\GoogleUpdateTaskMachineCore => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2013-06-30] (Google Inc.)
Task: {C6A88F2D-53D2-4805-9D69-443738A1847C} - System32\Tasks\Microsoft\Windows\ApplicationData\CleanupTemporaryState => Rundll32.exe Windows.Storage.ApplicationData.dll,CleanupTemporaryState
Task: {DB7829ED-0156-4E9E-9FFC-E8345BC4F318} - System32\Tasks\FacebookUpdateTaskUserS-1-5-21-4008833774-2699350555-1950638099-1002UA => C:\Users\Kshitij\AppData\Local\Facebook\Update\FacebookUpdate.exe [2014-01-09] (Facebook Inc.)
Task: {E6595081-A320-4466-92C9-F39659F10E30} - System32\Tasks\Synaptics TouchPad Enhancements => C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [2013-03-25] (Synaptics Incorporated)
Task: {E7F3AE69-7B1E-43E3-802B-7DBD82CC1A81} - System32\Tasks\GoogleUpdateTaskMachineUA => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2013-06-30] (Google Inc.)
Task: {EBF06DEC-4228-4813-AC0C-62821AE4E330} - System32\Tasks\Microsoft\Windows\Application Experience\StartupAppTask => Rundll32.exe Startupscan.dll,SusRunTask
Task: {EC49DB75-C0DA-4077-8AD8-8938D06ADB06} - System32\Tasks\GoogleUpdateTaskUserS-1-5-21-4008833774-2699350555-1950638099-1002Core => C:\Users\Kshitij\AppData\Local\Google\Update\GoogleUpdate.exe [2013-07-13] (Google Inc.)
Task: {FD11945D-43C2-4FB8-8469-F066D4D52B33} - System32\Tasks\Lenovo\sysrun-27783 => C:\Users\Kshitij\AppData\Local\Temp\sysrun-27783.cmd <==== ATTENTION
Task: {FD8DDDC6-13AF-4F91-BFC7-BECFEFFB1612} - System32\Tasks\Lenovo\sysrun-3355 => C:\Users\Kshitij\AppData\Local\Temp\sysrun-3355.cmd <==== ATTENTION
Task: C:\windows\Tasks\FacebookUpdateTaskUserS-1-5-21-4008833774-2699350555-1950638099-1002Core.job => C:\Users\Kshitij\AppData\Local\Facebook\Update\FacebookUpdate.exe
Task: C:\windows\Tasks\FacebookUpdateTaskUserS-1-5-21-4008833774-2699350555-1950638099-1002UA.job => C:\Users\Kshitij\AppData\Local\Facebook\Update\FacebookUpdate.exe
Task: C:\windows\Tasks\GoogleUpdateTaskMachineCore.job => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
Task: C:\windows\Tasks\GoogleUpdateTaskMachineUA.job => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
Task: C:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-4008833774-2699350555-1950638099-1002Core.job => C:\Users\Kshitij\AppData\Local\Google\Update\GoogleUpdate.exe
Task: C:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-4008833774-2699350555-1950638099-1002UA.job => C:\Users\Kshitij\AppData\Local\Google\Update\GoogleUpdate.exe
 
==================== Loaded Modules (whitelisted) =============
 
2014-02-20 21:12 - 2014-02-09 00:04 - 00013088 _____ () C:\Program Files\NVIDIA Corporation\CoProcManager\detoured.dll
2014-02-20 21:19 - 2014-02-08 23:12 - 00117024 _____ () C:\Program Files\NVIDIA Corporation\Display\NvSmartMax64.dll
2014-04-14 00:54 - 2014-04-14 00:54 - 00076888 _____ () C:\windows\SysWOW64\PnkBstrA.exe
2010-10-20 15:23 - 2010-10-20 15:23 - 08801632 _____ () C:\Program Files\Microsoft Office\Office14\1033\GrooveIntlResource.dll
2013-09-05 00:17 - 2013-09-05 00:17 - 04300456 _____ () C:\Program Files\Common Files\microsoft shared\OFFICE14\Cultures\OFFICE.ODF
2013-02-22 11:36 - 2012-12-13 06:08 - 00094208 _____ () C:\Windows\System32\IccLibDll_x64.dll
2012-11-01 02:34 - 2012-11-01 02:34 - 01260184 _____ () F:\VMWare9\libxml2.dll
2013-05-11 05:44 - 2012-06-25 23:11 - 01198912 _____ () C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\ACE.dll
2013-09-05 00:14 - 2013-09-05 00:14 - 04300456 _____ () C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\Cultures\OFFICE.ODF
2010-10-20 15:45 - 2010-10-20 15:45 - 08801120 _____ () C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveIntlResource.dll
2014-04-10 12:32 - 2014-04-02 07:27 - 00065352 _____ () C:\Program Files (x86)\Google\Chrome\Application\34.0.1847.116\chrome_elf.dll
2014-04-10 12:32 - 2014-04-02 07:27 - 00674632 _____ () C:\Program Files (x86)\Google\Chrome\Application\34.0.1847.116\libglesv2.dll
2014-04-10 12:32 - 2014-04-02 07:27 - 00093000 _____ () C:\Program Files (x86)\Google\Chrome\Application\34.0.1847.116\libegl.dll
2014-02-20 21:12 - 2014-02-09 00:04 - 00013088 _____ () C:\Program Files (x86)\NVIDIA Corporation\CoProcManager\detoured.dll
2014-04-10 12:32 - 2014-04-02 07:27 - 04081480 _____ () C:\Program Files (x86)\Google\Chrome\Application\34.0.1847.116\pdf.dll
2014-04-10 12:32 - 2014-04-02 07:28 - 00390472 _____ () C:\Program Files (x86)\Google\Chrome\Application\34.0.1847.116\ppGoogleNaClPluginChrome.dll
2014-04-10 12:32 - 2014-04-02 07:27 - 01647432 _____ () C:\Program Files (x86)\Google\Chrome\Application\34.0.1847.116\ffmpegsumo.dll
 
==================== Alternate Data Streams (whitelisted) =========
 
 
==================== Safe Mode (whitelisted) ===================
 
 
==================== Disabled items from MSCONFIG ==============
 
 
==================== Faulty Device Manager Devices =============
 
Name: VMware Virtual Ethernet Adapter for VMnet1
Description: VMware Virtual Ethernet Adapter for VMnet1
Class Guid: {4d36e972-e325-11ce-bfc1-08002be10318}
Manufacturer: VMware, Inc.
Service: VMnetAdapter
Problem: : This device is disabled. (Code 22)
Resolution: In Device Manager, click "Action", and then click "Enable Device". This starts the Enable Device wizard. Follow the instructions.
 
Name: VMware Virtual Ethernet Adapter for VMnet8
Description: VMware Virtual Ethernet Adapter for VMnet8
Class Guid: {4d36e972-e325-11ce-bfc1-08002be10318}
Manufacturer: VMware, Inc.
Service: VMnetAdapter
Problem: : This device is disabled. (Code 22)
Resolution: In Device Manager, click "Action", and then click "Enable Device". This starts the Enable Device wizard. Follow the instructions.
 
Name: Teredo Tunneling Pseudo-Interface
Description: Microsoft Teredo Tunneling Adapter
Class Guid: {4d36e972-e325-11ce-bfc1-08002be10318}
Manufacturer: Microsoft
Service: tunnel
Problem: : This device cannot start. (Code10)
Resolution: Device failed to start. Click "Update Driver" to update the drivers for this device.
On the "General Properties" tab of the device, click "Troubleshoot" to start the troubleshooting wizard.
 
Name: Qualcomm Atheros AR3012 Bluetooth 4.0 + HS
Description: Qualcomm Atheros AR3012 Bluetooth 4.0 + HS
Class Guid: {e0cbf06c-cd8b-4647-bb8a-263b43f0f974}
Manufacturer: Qualcomm Atheros Communications
Service: BTHUSB
Problem: : This device is disabled. (Code 22)
Resolution: In Device Manager, click "Action", and then click "Enable Device". This starts the Enable Device wizard. Follow the instructions.
 
 
==================== Event log errors: =========================
 
Application errors:
==================
Error: (04/21/2014 11:15:07 AM) (Source: Application Error) (User: )
Description: Faulting application name: chrome.exe, version: 34.0.1847.116, time stamp: 0x533b63bd
Faulting module name: unknown, version: 0.0.0.0, time stamp: 0x00000000
Exception code: 0xc0000008
Fault offset: 0x65cb4c39
Faulting process id: 0xe5c
Faulting application start time: 0xchrome.exe0
Faulting application path: chrome.exe1
Faulting module path: chrome.exe2
Report Id: chrome.exe3
Faulting package full name: chrome.exe4
Faulting package-relative application ID: chrome.exe5
 
Error: (04/21/2014 06:23:14 AM) (Source: Steam Client Service) (User: )
Description: Error: Failed to poke open firewall
 
Error: (04/20/2014 08:28:08 PM) (Source: C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe) (User: )
Description: C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exeCan't get user token [1008]
 
Error: (04/20/2014 07:11:54 PM) (Source: Steam Client Service) (User: )
Description: Error: Failed to poke open firewall
 
Error: (04/20/2014 01:17:28 PM) (Source: Application Error) (User: )
Description: Faulting application name: GFExperience.exe, version: 11.10.11.1, time stamp: 0x52ddbf87
Faulting module name: KERNELBASE.dll, version: 6.2.9200.16815, time stamp: 0x52f2c887
Exception code: 0xe0434352
Fault offset: 0x00010f22
Faulting process id: 0xf80
Faulting application start time: 0xGFExperience.exe0
Faulting application path: GFExperience.exe1
Faulting module path: GFExperience.exe2
Report Id: GFExperience.exe3
Faulting package full name: GFExperience.exe4
Faulting package-relative application ID: GFExperience.exe5
 
Error: (04/20/2014 01:17:27 PM) (Source: .NET Runtime) (User: )
Description: Application: GFExperience.exe
Framework Version: v4.0.30319
Description: The process was terminated due to an unhandled exception.
Exception Info: System.Reflection.TargetInvocationException
Stack:
   at System.RuntimeMethodHandle.InvokeMethod(System.Object, System.Object[], System.Signature, Boolean)
   at System.Reflection.RuntimeMethodInfo.UnsafeInvokeInternal(System.Object, System.Object[], System.Object[])
   at System.Reflection.RuntimeMethodInfo.Invoke(System.Object, System.Reflection.BindingFlags, System.Reflection.Binder, System.Object[], System.Globalization.CultureInfo)
   at GalaSoft.MvvmLight.Helpers.WeakAction`1[[system.__Canon, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089]].Execute(System.__Canon)
   at GalaSoft.MvvmLight.Helpers.WeakAction`1[[system.__Canon, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089]].ExecuteWithObject(System.Object)
   at GalaSoft.MvvmLight.Messaging.Messenger.SendToList[[system.__Canon, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089]](System.__Canon, System.Collections.Generic.IEnumerable`1<WeakActionAndToken>, System.Type, System.Object)
   at GalaSoft.MvvmLight.Messaging.Messenger.SendToTargetOrType[[system.__Canon, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089]](System.__Canon, System.Type, System.Object)
   at GalaSoft.MvvmLight.Messaging.Messenger.Send[[system.__Canon, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089]](System.__Canon)
   at GFEClientCore.EasyAPI.Updatus.DaemonNotifier.ScanCompleted()
   at GFEClientCore.EasyAPI.Updatus.DaemonNotifier.DaemonCallbackFunction(GFEClientCore.EasyAPI.GFE.DaemonStatus)
 
Error: (04/20/2014 00:17:20 PM) (Source: Steam Client Service) (User: )
Description: Error: Failed to poke open firewall
 
Error: (04/20/2014 00:14:19 PM) (Source: Steam Client Service) (User: )
Description: Error: Failed to poke open firewall
 
Error: (04/20/2014 11:55:05 AM) (Source: Customer Experience Improvement Program) (User: )
Description: 80070005
 
Error: (04/19/2014 01:08:34 PM) (Source: C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe) (User: )
Description: C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exeCan't get user token [1008]
 
 
System errors:
=============
Error: (04/21/2014 06:22:17 AM) (Source: Service Control Manager) (User: )
Description: The VMware Workstation Server service terminated with the following service-specific error: 
%%4294967295
 
Error: (04/16/2014 04:25:38 PM) (Source: Service Control Manager) (User: )
Description: The Steam Client Service service terminated unexpectedly.  It has done this 1 time(s).
 
Error: (04/15/2014 06:27:33 PM) (Source: Service Control Manager) (User: )
Description: The BitRaider Mini-Support Service service is marked as an interactive service.  However, the system is configured to not allow interactive services.  This service may not function properly.
 
Error: (04/15/2014 11:45:08 AM) (Source: Service Control Manager) (User: )
Description: The VMware Workstation Server service terminated with the following service-specific error: 
%%4294967295
 
Error: (04/13/2014 07:00:14 PM) (Source: DCOM) (User: Kshitij-PC)
Description: App.AppX3kc2rkcysz3hxzhmjnfcm5yvfpxveqm7.mca
 
Error: (04/13/2014 07:00:14 PM) (Source: DCOM) (User: Kshitij-PC)
Description: App.AppX98wb6g77tn4g47pmhnngvex75z63bw5e.mca
 
Error: (04/13/2014 07:00:14 PM) (Source: DCOM) (User: Kshitij-PC)
Description: App.AppX1222w7mnscdhak8wye3bynztq2t5x6q9.mca
 
Error: (04/13/2014 07:00:14 PM) (Source: DCOM) (User: Kshitij-PC)
Description: App.AppX6v65ke6xy52mzp48tbdgqddy15h0mcbk.mca
 
Error: (04/13/2014 07:00:14 PM) (Source: DCOM) (User: Kshitij-PC)
Description: App.AppX98wb6g77tn4g47pmhnngvex75z63bw5e.mca
 
Error: (04/11/2014 00:00:24 PM) (Source: Service Control Manager) (User: )
Description: The Software Protection service failed to start due to the following error: 
%%1053
 
 
Microsoft Office Sessions:
=========================
Error: (04/21/2014 11:15:07 AM) (Source: Application Error)(User: )
Description: chrome.exe34.0.1847.116533b63bdunknown0.0.0.000000000c000000865cb4c39e5c01cf5d24d7f982afC:\Program Files (x86)\Google\Chrome\Application\chrome.exeunknown17a86f22-c918-11e3-bfa8-20898496b1e2
 
Error: (04/21/2014 06:23:14 AM) (Source: Steam Client Service)(User: )
Description: Failed to poke open firewall
 
Error: (04/20/2014 08:28:08 PM) (Source: C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe)(User: )
Description: C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exeCan't get user token [1008]
 
Error: (04/20/2014 07:11:54 PM) (Source: Steam Client Service)(User: )
Description: Failed to poke open firewall
 
Error: (04/20/2014 01:17:28 PM) (Source: Application Error)(User: )
Description: GFExperience.exe11.10.11.152ddbf87KERNELBASE.dll6.2.9200.1681552f2c887e043435200010f22f8001cf5c6c949e6694C:\Program Files (x86)\NVIDIA Corporation\NVIDIA GeForce Experience\GFExperience.exeC:\windows\SYSTEM32\KERNELBASE.dll049f5c2d-c860-11e3-bfa7-20898496b1e2
 
Error: (04/20/2014 01:17:27 PM) (Source: .NET Runtime)(User: )
Description: Application: GFExperience.exe
Framework Version: v4.0.30319
Description: The process was terminated due to an unhandled exception.
Exception Info: System.Reflection.TargetInvocationException
Stack:
   at System.RuntimeMethodHandle.InvokeMethod(System.Object, System.Object[], System.Signature, Boolean)
   at System.Reflection.RuntimeMethodInfo.UnsafeInvokeInternal(System.Object, System.Object[], System.Object[])
   at System.Reflection.RuntimeMethodInfo.Invoke(System.Object, System.Reflection.BindingFlags, System.Reflection.Binder, System.Object[], System.Globalization.CultureInfo)
   at GalaSoft.MvvmLight.Helpers.WeakAction`1[[system.__Canon, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089]].Execute(System.__Canon)
   at GalaSoft.MvvmLight.Helpers.WeakAction`1[[system.__Canon, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089]].ExecuteWithObject(System.Object)
   at GalaSoft.MvvmLight.Messaging.Messenger.SendToList[[system.__Canon, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089]](System.__Canon, System.Collections.Generic.IEnumerable`1<WeakActionAndToken>, System.Type, System.Object)
   at GalaSoft.MvvmLight.Messaging.Messenger.SendToTargetOrType[[system.__Canon, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089]](System.__Canon, System.Type, System.Object)
   at GalaSoft.MvvmLight.Messaging.Messenger.Send[[system.__Canon, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089]](System.__Canon)
   at GFEClientCore.EasyAPI.Updatus.DaemonNotifier.ScanCompleted()
   at GFEClientCore.EasyAPI.Updatus.DaemonNotifier.DaemonCallbackFunction(GFEClientCore.EasyAPI.GFE.DaemonStatus)
 
Error: (04/20/2014 00:17:20 PM) (Source: Steam Client Service)(User: )
Description: Failed to poke open firewall
 
Error: (04/20/2014 00:14:19 PM) (Source: Steam Client Service)(User: )
Description: Failed to poke open firewall
 
Error: (04/20/2014 11:55:05 AM) (Source: Customer Experience Improvement Program)(User: )
Description: 80070005
 
Error: (04/19/2014 01:08:34 PM) (Source: C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe)(User: )
Description: C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exeCan't get user token [1008]
 
 
CodeIntegrity Errors:
===================================
  Date: 2014-04-20 03:25:23.461
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume5\Windows\System32\dsound.dll because the set of per-page image hashes could not be found on the system.
 
  Date: 2014-04-20 03:25:16.221
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume5\Windows\System32\dsound.dll because the set of per-page image hashes could not be found on the system.
 
  Date: 2014-04-20 03:25:08.916
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume5\Windows\System32\dsound.dll because the set of per-page image hashes could not be found on the system.
 
  Date: 2014-04-20 03:25:04.027
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume5\Windows\System32\dsound.dll because the set of per-page image hashes could not be found on the system.
 
  Date: 2014-04-20 03:24:49.633
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume5\Windows\System32\dsound.dll because the set of per-page image hashes could not be found on the system.
 
  Date: 2014-04-20 03:24:42.624
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume5\Windows\System32\dsound.dll because the set of per-page image hashes could not be found on the system.
 
  Date: 2014-04-20 03:24:36.367
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume5\Windows\System32\dsound.dll because the set of per-page image hashes could not be found on the system.
 
  Date: 2014-04-20 03:24:29.714
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume5\Windows\System32\dsound.dll because the set of per-page image hashes could not be found on the system.
 
  Date: 2014-04-20 03:24:23.317
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume5\Windows\System32\dsound.dll because the set of per-page image hashes could not be found on the system.
 
  Date: 2014-04-20 03:24:16.630
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume5\Windows\System32\dsound.dll because the set of per-page image hashes could not be found on the system.
 
 
==================== Memory info =========================== 
 
Percentage of memory in use: 32%
Total physical RAM: 5999.52 MB
Available physical RAM: 4039.57 MB
Total Pagefile: 6959.52 MB
Available Pagefile: 4821.76 MB
Total Virtual: 8192 MB
Available Virtual: 8191.79 MB
 
==================== Drives ================================
 
Drive c: (Windows8_OS) (Fixed) (Total:442.98 GB) (Free:349.54 GB) NTFS ==>[system with boot components (obtained from reading drive)]
Drive d: (LENOVO) (Fixed) (Total:25 GB) (Free:22.22 GB) NTFS
Drive f: (MyDrive) (Fixed) (Total:441.2 GB) (Free:247.07 GB) NTFS
 
==================== MBR & Partition Table ==================
 
========================================================
Disk: 0 (Size: 932 GB) (Disk ID: C9B798BE)
 
Partition: GPT Partition Type.
 
==================== End Of Log ============================

 

Link to post
Share on other sites

Hi there,
my name is Marius and I will assist you with your malware related problems.

Before we move on, please read the following points carefully.

  • First, read my instructions completely. If there is anything that you do not understand kindly ask before proceeding.
  • Perform everything in the correct order. Sometimes one step requires the previous one.
  • If you have any problems while following my instructions, Stop there and tell me the exact nature of your problem.
  • Do not run any other scans without instruction or add/remove software unless I tell you to do so. This would change the output of our tools and could be confusing for me.
  • Post all logfiles as a reply rather than as an attachment unless I specifically ask you. If you can not post all logfiles in one reply, feel free to use more posts.
  • If I don't hear from you within 3 days from this initial or any subsequent post, then this thread will be closed.
  • Stay with me. I will give you some advice about prevention after the cleanup process. Absence of symptoms does not always mean the computer is clean.
  • My first language is not english. So please do not use slang or idioms. It could be hard for me to read. Thanks for your understanding.

 
 
Scan with aswMBR

Please download aswMBR ( 4.5MB ) to your desktop.
  • Double click the aswMBR.exe icon, and click Run.
  • There will be a short delay before the next dialog box comes up. Please just wait a minute or two.
  • When asked if you'd like to "download the latest Avast! virus definitions", click Yes.
  • Typically this is about a 100MB download so depending on your connection speed it can take a short while to download and become ready.
  • Click the Scan button to start the scan once the update has finished downloading
  • On completion of the scan, click the save log button, save it to your desktop, then copy and paste it in your next reply.


Note: There will also be a file on your desktop named MBR.dat do not delete this for now. It is an actual backup of the MBR (master boot record).

Link to post
Share on other sites

Hi Marius , thanks for helping me. I did exactly as you said

 

aswMBR.txt :-

aswMBR version 0.9.9.1771 Copyright© 2011 AVAST Software
Run date: 2014-04-21 20:57:28
-----------------------------
20:57:28.448    OS Version: Windows x64 6.2.9200 
20:57:28.448    Number of processors: 4 586 0x3A09
20:57:28.449    ComputerName: KSHITIJ-PC  UserName: Kshitij
20:57:28.495    Initialze error 1 
21:30:34.475    AVAST engine defs: 14042100
21:39:09.289    Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\0000003b
21:39:09.291    Disk 0 Vendor: ST1000LM024_HN-M101MBB 2AR20002 Size: 953869MB BusType: 11
21:39:09.317    Disk 0 MBR read successfully
21:39:09.318    Disk 0 MBR scan
21:39:09.323    Disk 0 unknown MBR code
21:39:09.325    Disk 0 Partition 1 00     EE          GPT           2097151 MB offset 1
21:39:09.331    Disk 0 scanning C:\windows\system32\drivers
21:39:09.333    Service scanning
21:39:10.139    Modules scanning
21:39:10.144    Disk 0 trace - called modules:
21:39:10.153    ntoskrnl.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0xfffffa80056a52c0]<<sptd.sys storport.sys hal.dll iaStorA.sys 
21:39:10.159    1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa8007b46060]
21:39:10.164    3 CLASSPNP.SYS[fffff88000f89e0a] -> nt!IofCallDriver -> \Device\0000003b[0xfffffa80062867f0]
21:39:10.173    \Driver\iaStorA[0xfffffa80061b0060] -> IRP_MJ_CREATE -> 0xfffffa80056a52c0
21:39:10.180    AVAST engine scan C:\windows
21:39:10.185    AVAST engine scan C:\windows\system32
21:39:10.190    AVAST engine scan C:\windows\system32\drivers
21:39:10.194    AVAST engine scan C:\Users\Kshitij
21:39:10.198    AVAST engine scan C:\ProgramData
21:39:10.201    Scan finished successfully
21:39:21.733    Disk 0 MBR has been saved successfully to "C:\Users\Kshitij\Desktop\MBR.dat"
21:39:21.737    The log file has been saved successfully to "C:\Users\Kshitij\Desktop\aswMBR.txt"
Link to post
Share on other sites

Looks like your torrent clinet gets some pirated files from an untrusted host somewhere... :rolleyes:

 

 

Going over your logs I noticed that you have uTorrent installed.

  • Avoid gaming sites, pirated software, cracking tools, keygens, and peer-to-peer (P2P) file sharing programs.
  • They are a security risk which can make your computer susceptible to a wide variety of malware infections, remote attacks, exposure of personal information, and identity theft. Many malicious worms and Trojans spread across P2P file sharing networks, gaming and underground sites.
  • Users visiting such pages may see innocuous-looking banner ads containing code which can trigger pop-up ads and malicious Flash ads that install viruses, Trojans and spyware. Ads are a target for hackers because they offer a stealthy way to distribute malware to a wide range of Internet users.
  • The best way to reduce the risk of infection is to avoid these types of web sites and not use any P2P applications.

It is pretty much certain that if you continue to use P2P programs, you will get infected again.
I would recommend that you uninstall uTorrent, however that choice is up to you. If you choose to remove these programs, you can do so via Start > Control Panel > Add/Remove Programs.
If you wish to keep it, please do not use it until your computer is cleaned.

 

 

 

 

Disable CD Emulation with DeFogger

Please download DeFogger to your desktop.

Double click DeFogger to run the tool.
 

  • The application window will appear
  • Click the Disable button to disable your CD Emulation drivers.
  • Click Yes to continue
  • A 'Finished!' message will appear
  • Click OK
  • DeFogger will now ask to reboot the machine - click OK

IMPORTANT! If you receive an error message while running DeFogger, please post the log defogger_disable which will appear on your desktop.

Do not re-enable these drivers until otherwise instructed.

 

 

 

 

Fix with FRST (normal mode)

WARNING: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system
 

  • Download the attached fixlist.txt and save it to the location where FRST is saved to.
  • Run FRST.exe (on 64bit, run FRST64.exe) and press the Fix button just once and wait.
  • The tool will make a log (Fixlog.txt) which you find where you saved FRST. Please post it to your reply.

 

 

 

 

Full System Scan with Malwarebytes Antimalware
 

  • If not existing, please download Malwarebytes Anti-Malware to your desktop.
  • Double-click mbam-setup-2.0.0.1000.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to the following:
    • Launch Malwarebytes Anti-Malware
    • A 14 day trial of the Premium features is pre-selected. You may deselect this if you wish, and it will not diminish the scanning and removal capabilities of the program.
  • Click Finish.

If the program is already installed:

  • Run Malwarebytes Antimalware
  • On the Dashboard, click the 'Update Now >>' link
  • After the update completes, click the 'Scan Now >>' button.
  • Or, on the Dashboard, click the Scan Now >> button.
  • If an update is available, click the Update Now button.
  • A Threat Scan will begin.
  • When the scan is complete, if there have been detections, click Apply Actions to allow MBAM to clean what was detected.
  • In most cases, a restart will be required.
  • Wait for the prompt to restart the computer to appear, then click on Yes.

  • After the restart once you are back at your desktop, open MBAM once more.
  • Click on the History tab > Application Logs.
  • Double click on the scan log which shows the Date and time of the scan just performed.
  • Click 'Copy to Clipboard'
  • Paste the contents of the clipboard into your reply.

 

fixlist.txt

Link to post
Share on other sites

Yes sir I do use Utorrent but I only use it to download movies or TV shows , I have never downloaded any pirated software or games through the torrent network , I am aware that hackers use these kind of networks to distribute malware so I keep myself away from pirated softwares/games all the softwares/games I have are perfectly legit , I have either bought them or they are freely available on their official websites  ;) . Also yesterday the process svchost.exe tried to access the remote ip only twice , after that I didn't get any notification from malwarebytes , that's really weird because even after restarting my laptop I didn't get any notification besides that  , the scan result of malwarebytes also says that my system is clean then why was svchost.exe trying to access that remote ip? Anyway here are the logs you required :)  :

 

Fixlog.txt :

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 22-04-2014
Ran by Kshitij at 2014-04-22 15:26:05 Run:1
Running from C:\Users\Kshitij\Desktop
Boot Mode: Normal
==============================================
 
Content of fixlist:
*****************
Task: {FD11945D-43C2-4FB8-8469-F066D4D52B33} - System32\Tasks\Lenovo\sysrun-27783 => C:\Users\Kshitij\AppData\Local\Temp\sysrun-27783.cmd <==== ATTENTION
Task: {FD8DDDC6-13AF-4F91-BFC7-BECFEFFB1612} - System32\Tasks\Lenovo\sysrun-3355 => C:\Users\Kshitij\AppData\Local\Temp\sysrun-3355.cmd <==== ATTENTION
Task: {0B6EAC77-267E-4E62-B8A9-A297B5FECE75} - System32\Tasks\Lenovo\sysrun-28025 => C:\Users\Kshitij\AppData\Local\Temp\sysrun-28025.cmd <==== ATTENTION
Task: {5D253B25-BC40-43D7-B79E-3FCEF8FFBDAA} - System32\Tasks\Lenovo\Lenovo-25760 => C:\ProgramData\Lenovo-25760.vbs [2013-05-11] ()
CHR HKCU\...\Chrome\Extension: [ckiffeoeeefajohcpadlcdnkiahkmdfp] - C:\Users\Kshitij\AppData\Local\CRE\ckiffeoeeefajohcpadlcdnkiahkmdfp.crx [2013-05-03]
CHR HKLM-x32\...\Chrome\Extension: [ckiffeoeeefajohcpadlcdnkiahkmdfp] - C:\Users\Kshitij\AppData\Local\CRE\ckiffeoeeefajohcpadlcdnkiahkmdfp.crx [2013-05-03]
 
C:\ProgramData\Lenovo-25760.vbs
C:\Users\Kshitij\jagex_cl_runescape_LIVE.dat
C:\Users\Kshitij\random.dat
*****************
 
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{FD11945D-43C2-4FB8-8469-F066D4D52B33} => Key deleted successfully.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{FD11945D-43C2-4FB8-8469-F066D4D52B33} => Key deleted successfully.
C:\Windows\System32\Tasks\Lenovo\sysrun-27783 => Moved successfully.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Lenovo\sysrun-27783 => Key deleted successfully.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{FD8DDDC6-13AF-4F91-BFC7-BECFEFFB1612} => Key deleted successfully.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{FD8DDDC6-13AF-4F91-BFC7-BECFEFFB1612} => Key deleted successfully.
C:\Windows\System32\Tasks\Lenovo\sysrun-3355 => Moved successfully.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Lenovo\sysrun-3355 => Key deleted successfully.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{0B6EAC77-267E-4E62-B8A9-A297B5FECE75} => Key deleted successfully.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{0B6EAC77-267E-4E62-B8A9-A297B5FECE75} => Key deleted successfully.
C:\Windows\System32\Tasks\Lenovo\sysrun-28025 => Moved successfully.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Lenovo\sysrun-28025 => Key deleted successfully.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon\{5D253B25-BC40-43D7-B79E-3FCEF8FFBDAA} => Key deleted successfully.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{5D253B25-BC40-43D7-B79E-3FCEF8FFBDAA} => Key deleted successfully.
C:\Windows\System32\Tasks\Lenovo\Lenovo-25760 => Moved successfully.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Lenovo\Lenovo-25760 => Key deleted successfully.
HKCU\SOFTWARE\Google\Chrome\Extensions\ckiffeoeeefajohcpadlcdnkiahkmdfp => Key deleted successfully.
C:\Users\Kshitij\AppData\Local\CRE\ckiffeoeeefajohcpadlcdnkiahkmdfp.crx => Moved successfully.
HKLM\SOFTWARE\Wow6432Node\Google\Chrome\Extensions\ckiffeoeeefajohcpadlcdnkiahkmdfp => Key deleted successfully.
"C:\Users\Kshitij\AppData\Local\CRE\ckiffeoeeefajohcpadlcdnkiahkmdfp.crx" => File/Directory not found.
C:\ProgramData\Lenovo-25760.vbs => Moved successfully.
C:\Users\Kshitij\jagex_cl_runescape_LIVE.dat => Moved successfully.
C:\Users\Kshitij\random.dat => Moved successfully.
 
==== End of Fixlog ====
 
Malwarebytes log:
Malwarebytes Anti-Malware
www.malwarebytes.org
 
Scan Date: 22-04-2014
Scan Time: 03:38:39 PM
Logfile: 
Administrator: Yes
 
Version: 2.00.1.1004
Malware Database: v2014.04.22.02
Rootkit Database: v2014.03.27.01
License: Premium
Malware Protection: Enabled
Malicious Website Protection: Enabled
Chameleon: Enabled
 
OS: Windows 8
CPU: x64
File System: NTFS
User: Kshitij
 
Scan Type: Threat Scan
Result: Completed
Objects Scanned: 274397
Time Elapsed: 10 min, 55 sec
 
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Shuriken: Enabled
PUP: Warn
PUM: Warn
 
Processes: 0
(No malicious items detected)
 
Modules: 0
(No malicious items detected)
 
Registry Keys: 0
(No malicious items detected)
 
Registry Values: 0
(No malicious items detected)
 
Registry Data: 0
(No malicious items detected)
 
Folders: 0
(No malicious items detected)
 
Files: 0
(No malicious items detected)
 
Physical Sectors: 0
(No malicious items detected)
 
 
(end)
Link to post
Share on other sites

The IP protection is preventing your computer from accessing malicious hosts - it means not always that your computer is infected.

Torrent software connects your computer with the torrent network and this s a place where criminals set up hosts to spread unwanted software.

 

So even if your computer is clean IP protections blocks connections to or from hosts that have beent detected as malicious in the past.

 

Please disable your torrent client temporarily.

 

 

Scan with ESET Online Scan

Please go to here to run the online scannner from ESET.

  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the activex control to install
  • Click Start
  • Make sure that the option Remove found threats is unticked
  • Click on Advanced Settings and ensure these options are ticked:
    • Scan for potentially unwanted applications
  • Scan for potentially unsafe applications
  • Enable Anti-Stealth Technology

[*]Click Scan[*]Wait for the scan to finish[*]If any threats were found, click the 'List of found threats' , then click Export to text file.... [*]Save it to your desktop, then please copy and paste that log as a reply to this topic.

Link to post
Share on other sites

Yes sir I completely disabled my torrent client the time I made my this thread.

I feel that there has been a mistake from my side , I guess I was not able to explain you my problem properly , I should tell you what exactly happened in detail now :

Before I came here for help my torrent client was open and malwarebytes was constantly blocking malicious IPs with the process name utorrent.exe , this is common because I knew that there are malicious hosts set up in the torrent network so I just ignored this.After some time I disabled my torrent client and the notifications from malwarebytes stopped and after 5 mins I got a notification saying that svchost.exe was trying to access a malicious host and I got the same notification again after 2 mins. 

In short it was svchost.exe that was trying to access a malicious host when utorrent.exe was completely disabled.

I have completely disabled utorrent and I will not enable it until further instructed by you  :)

 

I have followed all your steps and here is the log of ESET online scan:

C:\Users\Kshitij\Downloads\Programs\MediaInfo_GUI_0.7.67_Windows.exe Win32/OpenCandy potentially unsafe application
Link to post
Share on other sites

Then we can do the cleanup - if you are facing any issues, report that immediately.

Delete junk with adwCleaner


Please download AdwCleaner to your desktop.


  • Run adwcleaner.exe
  • Hit Scan and wait for the scan to finish.
  • Confirm the message but don´t uncheck anything.
  • Hit Clean
  • When the run is finished, it will open up a text file
  • Please post its contents within your next reply
  • You´ll find the log file at C:\AdwCleaner[s1].txt also




Delete junk with JRT

thisisujrt.gif Please download Junkware Removal Tool to your desktop.
  • Shut down your protection software now to avoid potential conflicts.
  • Run the tool by double-clicking it. If you are using Windows Vista, 7, or 8; instead of double-clicking, right-mouse click JRT.exe and select "Run as Administrator".
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete depending on your system's specifications.
  • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
  • Post the contents of JRT.txt into your next message.





SecurityCheck

Reboot your system before starting!

Please download SecurityCheck: LINK1 LINK2

  • Save it to your desktop, start it and follow the instructions in the window.
  • After the scan finished the (checkup.txt) will open. Copy its content to your thread.

Link to post
Share on other sites

AdwCleaner[s0].txt :

# AdwCleaner v3.201 - Report created 23/04/2014 at 16:09:48

# Updated 22/04/2014 by Xplode
# Operating System : Windows 8 Single Language  (64 bits)
# Username : Kshitij - KSHITIJ-PC
# Running from : C:\Users\Kshitij\Desktop\adwcleaner.exe
# Option : Clean
 
***** [ Services ] *****
 
 
***** [ Files / Folders ] *****
 
Folder Deleted : C:\windows\SysWOW64\AI_RecycleBin
File Deleted : C:\END
File Deleted : C:\Users\Kshitij\AppData\Roaming\Mozilla\Firefox\Profiles\3lufnsmi.default\user.js
 
***** [ Shortcuts ] *****
 
 
***** [ Registry ] *****
 
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{79FB5FC8-44B9-4AF5-BADD-CCE547F953E5}
Key Deleted : HKCU\Software\APN PIP
Key Deleted : HKLM\Software\PIP
 
***** [ Browsers ] *****
 
-\\ Internet Explorer v10.0.9200.16537
 
 
-\\ Mozilla Firefox v25.0.1 (en-US)
 
[ File : C:\Users\Kshitij\AppData\Roaming\Mozilla\Firefox\Profiles\3lufnsmi.default\prefs.js ]
 
 
-\\ Google Chrome v34.0.1847.116
 
[ File : C:\Users\Kshitij\AppData\Local\Google\Chrome\User Data\Default\preferences ]
 
 
*************************
 
AdwCleaner[R0].txt - [1256 octets] - [23/04/2014 16:07:45]
AdwCleaner[s0].txt - [1150 octets] - [23/04/2014 16:09:48]
 
########## EOF - C:\AdwCleaner\AdwCleaner[s0].txt - [1210 octets] ##########
 
 
 
JRT.txt :
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Thisisu
Version: 6.1.4 (04.06.2014:1)
OS: Windows 8 Single Language x64
Ran by Kshitij on 23-04-2014 at 16:14:39.88
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
 
 
 
~~~ Services
 
 
 
~~~ Registry Values
 
 
 
~~~ Registry Keys
 
Successfully deleted: [Registry Key] HKEY_CLASSES_ROOT\CLSID\{FB684D26-01F4-4D9D-87CB-F486BEBA56DC}
 
 
 
~~~ Files
 
 
 
~~~ Folders
 
 
 
~~~ Event Viewer Logs were cleared
 
 
 
 
 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on 23-04-2014 at 16:22:52.12
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
 
 
checkup.txt:
 Results of screen317's Security Check version 0.99.82  
   x64 (UAC is enabled)  
 Internet Explorer 10 Out of date! 
``````````````Antivirus/Firewall Check:`````````````` 
 Windows Firewall Enabled!  
Windows Defender   
 WMI entry may not exist for antivirus; attempting automatic update. 
`````````Anti-malware/Other Utilities Check:````````` 
 Java 7 Update 55  
 Adobe Reader XI  
 Mozilla Firefox 25.0.1 Firefox out of Date!  
 Google Chrome 33.0.1750.154  
 Google Chrome 34.0.1847.116  
````````Process Check: objlist.exe by Laurent````````  
 Windows Defender MSMpEng.exe 
 Malwarebytes Anti-Malware mbamservice.exe  
 Malwarebytes Anti-Malware mbam.exe  
 Malwarebytes Anti-Malware mbamscheduler.exe   
 Windows Defender MsMpEng.exe   
`````````````````System Health check````````````````` 
 Total Fragmentation on Drive C:  % 
````````````````````End of Log`````````````````````` 
 
Link to post
Share on other sites

Your system is clean now! :)

 

 

Internet Explorer out of date

Your version of Internet Explorer is outdated.

  1. Please download IE 10 from http://windows.microsoft.com/en-US/internet-explorer/downloads/ie-10/worldwide-languages
  2. Save it to your desktop.
  3. Double click on the file on your desktop to start the installation process.
  4. Reboot

 

 

 

Mozilla Firefox out of date

Your Firefox browser is outdated. Please follow these instructions to update it:

  • Get the actual firefox from here.
  • Run setup and follow the instructions on your monitor.
  • Report any problems you have with the update.

 

 

 

Uninstall our tools using delfix

Please follow these steps in order:

  1. In the case we used Defogger to turn off your CD emulation software. You can start it again and use the Enable button.
  2. In the case we used Combofix. Deactivate your antivirus software once more, then rename the combofix.exe to uninstall.exe and run it one last time. You shall be noted that Combofix has been removed.
  3. In any case please download delfix to your desktop.
    • Close all other programms and start delfix.
    • Please check all the boxes and run the tool.
    • delfix will now delete all found traces of our removal process

[*] If there is still something left please delete it manualy.





Delete System Restore Points

To ensure your System Restore Points are free of malware, we will delete all of them but the most recent or create a new one.

On Windows Vista: Please follow these instructions to delete all but the most common System Protection Restore Points.
On Windows 7/8: Please follow these instructions to delete all but the most common System Protection Restore Points.
On Windows XP: Please follow these instructions to delete all but the most common System Protection Restore Points.

 

 

 

Recommendations: How to protect yourself

  • System Updates
    Please ensure to have automatic updates activated in your control panel.
    For further information and a tutorial, see this Microsoft Support article.
  • Protection
    What you need is one (not more) virus scanner with background protection. Additionally I recommend a special malware scanner to run on demand weekly.
    Personally I am using avast! Antivirus Free Edition and Malwarebytes Anti-Malware. They offer good protection for free.
    • To keep your browser free of advertising, you may install the Adblock Plus browser extension.
      It will filter unwanted advertising out of the website´s content.
    • To protect yourself from accidentally visiting malicious web sites, install the Web of Trust (WOT) browser extension.
      It will display a green (safe), yellow (unknown) or red (potentially dangerous) icon for a visited website within your browser.
      In addition, before accessing a dangerous classified web site, a warning screen is displayed.


    [*]Up to date Software
    Keep your Windows and your third party software up to date. The easiest way to get infected is an outdated windows, followed by: browser(s) (including add-ons and plug-ins), Adobe Flash Player and Adobe Reader, Java Runtime Environment, your antivirus program and so on. These links may help you to check:

    [*]Backup
    Hardware issues, malware, fire, lightning strike: There is a long list of different ways to loose all your data. Back up your files regularly. Use the windows internal backup function or a third party tool and save your data onto an external hard drive, cloud storage, optical media like CDs or DVDs or (if available) a professional network backup system. [*]Behaviour
    The commonest error when using a computer is "error 80" - what means that the error is located about 80cm in front of the monitor. This is a common joke between IT support technicians but it shows that all the safety mechanisms won´t help if you aren´t careful enough.

    • While surfing the internet, don´t click on anything you don´t know. In the worst case, it infects your system with malware.
    • Watch your step in social networks! Many cyber criminals use them to spread malware, mine personal pata (to be sold to advertising companies, for example) or simply do damage to other users. Even if a received hyperlink within a message seems to be coming from one of your friends, have a closer look. In addition, don´t click everything.
    • When installing software, have a look to each of the setup windows and uncheck any additional toolbars or free programs that may be offered additionally. Most of today´s setup procedures contain potentially unwanted programs so keep them off your system.
    • Avoid gaming sites, pirated software, cracking tools, keygens, and peer-to-peer (P2P) file sharing programs.
      They are a security risk which can make your computer susceptible to a wide variety of malware infections, remote attacks, exposure of personal information, and identity theft. Many malicious worms and Trojans spread across P2P file sharing networks, gaming and underground sites.



Link to post
Share on other sites

Thanx a lot sir for helping me , was there any malware in my system or there were only adwares?

 

Also may I ask , how did you learn how to clean such systems? I am a computer science student and look forward to make a career in the field of cyber security just like you , I would be really grateful to you if you could point me in the right direction and tell me how I could gain knowledge like you  :) .

 

Thanx a lot sir

Link to post
Share on other sites

As far as I can say that from the distance, the blokcings were caused by adware on your system.

I´m an IT specialist on duty for the German Army and I´ve trained for nearly two years to be allowed to help in international forums like this one.

 

Have a look at techsupportforum.com, bleepingcomputer.com or whatthetech.com - they have their own malware removal schools and you may take part in their training program.

Link to post
Share on other sites

  • Root Admin

Glad we could help. :)

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

Link to post
Share on other sites

Guest
This topic is now closed to further replies.
  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.