Jump to content


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.


Girlfriend's roommate installed spyware

  • This topic is locked This topic is locked
6 replies to this topic

#1 Sismetic


  • Members
  • 15 posts
  • Local time:11:21 PM

Posted 26 August 2014 - 10:08 AM

Hello, first of all let me start by thanking the staff(or anyone else) in taking the time and effort, using their knowledge and expertise to freely helping us members out! I find that extremely admirable!

The problem is this, I stayed a couple of days with my girlfriend in her house(she lives half the country away) and she rents a room to a guy who said needed a place to stay in while he got a job. I wasn't thrilled about it, but they said the guy seemed very nice and harmless, plus really in need and they also needed extra money to help maintain the house. So, long story short they start having some problems and find out the guy has schizophrenia and takes meds, starts stalking behaviour and inappropiate comments. My girlfriend and her sister are both very strong and they train with the military so I know they could kick the bleep out of him, but still, I'm not comfortable with that. So, soon after I go to visit her and after one particular thing they decide to kick him out(apparently he has downloaded photos of her, has seen private photos and they find out a "magic" book under her bed that was supposed to make her sexually attracted to him) and asks me to remove his account on the computer(as soon as he got here he without permission made another account password-protected), so I, worried about all these and what else might he have of her I check his personal stuff(bad I know, but I was worried about them) and discover he has child porn links and overall has a weird sexuality that makes me more worried.

They decide not to kick him out until the end of the month, I tell them they need to kick him out now, while I'm around and to not give him time to plan things. Then I confront him about the porn, I tell him that maybe he needs someone to talk about, maybe it's an addiction for him and can't get out, I was willing to hear him out without judgement. He denies it, says it was for a school work(yeah, right, child porn is illegal and no way in hell any school gave him this homework), and I say ok and try to talk the girls into kicking him out soon. Soon after that he talks to me about a conversation I had with my brother on WhatsApp... I tell him, what's up with that? I've never given him my phone and it's pattern protected(a very simple, non secure pattern), how did he know about that? He tells me that as I was worried about the girls, he was worried about them for me, so he spied back. I work on my laptop and it has no password, so I'm pretty sure he also spied on mine. I started having some trouble with some websites and overall very suspicious behaviour in my laptop I had never had before, so I decided to format it when I got back. A member of the staff here helped me out afterwards in a very professional and knowledgeful manner, I was pretty impressed.


But now, my girlfriend's facebook was hacked, and she tells me she has this problem all of the time, people tell her they saw her online when she's not online, sometimes when I talk with her the facebook icon changes to 'Web' meaning she's connected to a Wi-fi network and likely to a computer, but she's out with no computer and no wi-fi. And then it goes back to mobile, and then back to web. She has said to me very confidently she's sure that guy logs into her facebook. And she has always been able to recover her password soon after the hack, but now she wasn't able. I tell her that it's most likely a keylogger he has installed on her computer(he has full access to it) and that whenever she changed her password he was able to see her new password and that's how she's getting continously hacked. And something I forgot to mention, when I was with her I tried to run an AV(Kaspersky, when it failed I tried with Lavasoft, when it failed with MBAM) but they all had problems, and running them in Safe Mode was impossible(they all said they required network connection) so I never really trusted the results when they came back with no malware or minimal not very risky stuff(when they did came back). So now she was really angry and frustrated and said forget facebook she hated fighting with whoever was hacking her, so I tried helping her out. I took control of her computer with Team Viewer and I ran the DDS but when I ran the MBAM it got stuck almost at the end having detected 1006 objects, so I couldn't get that log(or fix those problems) because it froze. Her new phone's AV also detected some objects on her Facebook, Messenger and What'sApp apps, but I guess that's out of the scope of this website :D

I also want to see if she has spyware for her to have some material to kick this dangerous guy out and to convince her it's not safe. She knows this but is adamant to kick him out because he has nowhere to go, nor money, but I tell her she has to think of her, her sister's and her new roommate(which is very vulnerable) from a guy who has a weird sexuality and mental problems(also, her other sister has schizophrenia, so they're sympathetic to him in this regard)

Sorry for the long post, so here's the log of DDS:

DDS (Ver_2012-11-20.01) - NTFS_x86
Internet Explorer: 11.0.9600.17239  BrowserJavaVersion: 10.65.2
Run by Yareli at 23:16:55 on 2014-08-25
Microsoft Windows 7 Ultimate   6.1.7601.1.1252.52.3082.18.2675.1210 [GMT -6:00]
AV: Kaspersky Anti-Virus *Enabled/Updated* {179979E8-273D-D14E-0543-2861940E4886}
SP: Kaspersky Anti-Virus *Enabled/Updated* {ACF8980C-0107-DEC0-3FF3-1313EF89023B}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
============== Running Processes ================
C:\Program Files\ATI Technologies\ATI.ACE\Reservation Manager\AMD Reservation Manager.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 15.0.0\avp.exe
C:\Program Files\HomeTab\WSearchDefender.exe
C:\Program Files\HomeTab\WConnectorHandler.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Skype\Toolbars\AutoUpdate\SkypeC2CAutoUpdateSvc.exe
C:\Program Files\Skype\Toolbars\PNRSvc\SkypeC2CPNRSvc.exe
C:\Program Files\HP\HPLaserJetService\HPLaserJetService.exe
C:\Program Files\CyberLink\PowerDVD10\PDVD10Serv.exe
C:\Program Files\CyberLink\Shared files\brs.exe
C:\Program Files\HP\ToolboxFX\bin\HPTLBXFX.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 15.0.0\avpui.exe
C:\Program Files\HP\hp laserjet m2727\hppfaxprintersrv.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\Program Files\HP\HP UT\bin\hppusg.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\Ares\Ares.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\Common Files\Java\Java Update\jucheck.exe
C:\Program Files\TeamViewer\Version9\TeamViewer_Service.exe
C:\Program Files\TeamViewer\Version9\TeamViewer.exe
C:\Program Files\TeamViewer\Version9\tv_w32.exe
c:\program files\teamviewer\version9\TeamViewer_Desktop.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\svchost.exe -k hpdevmgmt
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
============== Pseudo HJT Report ===============
uStart Page = about:newtab
uSearch Bar = hxxp://search.certified-toolbar.com?si=46362&tid=3885&ver=6.5&ts=1.000000&tguid=46362-3885-1373258199780-A65BC495D123FEBB516C39E334438842&st=chrome&q=
uSearch Page = hxxp://search.certified-toolbar.com?si=46362&tid=3885&ver=6.5&ts=1.000000&tguid=46362-3885-1373258199780-A65BC495D123FEBB516C39E334438842&st=chrome&q=
uDefault_Search_URL = hxxp://search.certified-toolbar.com?si=46362&tid=3885&ver=6.5&ts=1.000000&tguid=46362-3885-1373258199780-A65BC495D123FEBB516C39E334438842&st=chrome&q=
mStart Page = about:newtab
mSearch Bar = hxxp://search.certified-toolbar.com?si=46362&tid=3885&ver=6.5&ts=1.000000&tguid=46362-3885-1373258199780-A65BC495D123FEBB516C39E334438842&st=chrome&q=
mSearch Page = hxxp://search.certified-toolbar.com?si=46362&tid=3885&ver=6.5&ts=1.000000&tguid=46362-3885-1373258199780-A65BC495D123FEBB516C39E334438842&st=chrome&q=
mDefault_Search_URL = hxxp://search.certified-toolbar.com?si=46362&tid=3885&ver=6.5&ts=1.000000&tguid=46362-3885-1373258199780-A65BC495D123FEBB516C39E334438842&st=chrome&q=
uSearchURL,(Default) = hxxp://search.certified-toolbar.com?si=46362&st=bs&tid=3885&ver=6.5&ts=1.000000&tguid=46362-3885-1373258199780-A65BC495D123FEBB516C39E334438842&q=%s
BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: HomeTab: {19a395c9-823b-4700-b817-396fc84ffb16} - c:\users\yareli\appdata\roaming\hometab\HomeTab.dll
BHO: Content Blocker Plugin: {5564CC73-EFA7-4CBF-918A-5CF7FBBFFF4F} - c:\program files\kaspersky lab\kaspersky anti-virus 15.0.0\ieext\contentblocker\ie_content_blocker_plugin.dll
BHO: Groove GFS Browser Helper: {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - c:\program files\microsoft office\office14\GROOVEEX.DLL
BHO: Virtual Keyboard Plugin: {73455575-E40C-433C-9784-C78DC7761455} - c:\program files\kaspersky lab\kaspersky anti-virus 15.0.0\ieext\virtualkeyboard\ie_virtual_keyboard_plugin.dll
BHO: {75EBB0AA-4214-4CB4-90EC-E3E07ECD04F7} - <orphaned>
BHO: Java™ Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\program files\java\jre7\bin\ssv.dll
BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: HomeTab: {a238dd2d-4741-427a-b25e-22897b3cfe3a} - c:\program files\hometab\ie\HomeTab.dll
BHO: Google Toolbar Helper: {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Skype Click to Call for Internet Explorer: {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
BHO: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - c:\program files\microsoft office\office14\URLREDIR.DLL
BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\java\jre7\bin\jp2ssv.dll
BHO: URL Advisor Plugin: {E33CF602-D945-461A-83F0-819F76A199F8} - c:\program files\kaspersky lab\kaspersky anti-virus 15.0.0\ieext\urladvisor\klwtbbho.dll
TB: Google Toolbar: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: HomeTab: {a238dd2d-4741-427a-b25e-22897b3cfe3a} - c:\program files\hometab\ie\HomeTab.dll
TB: HomeTab: {19a395c9-823b-4700-b817-396fc84ffb16} - c:\users\yareli\appdata\roaming\hometab\HomeTab.dll
TB: Google Toolbar: {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
EB: Developer Tools: {1A6FE369-F28C-4AD9-A3E6-2BCB50807CF1} - c:\program files\internet explorer\iedvtool.dll
uRun: [IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "c:\program files\common files\nero\lib\NMIndexStoreSvr.exe" ASO-616B5711-6DAE-4795-A05F-39A1E5104020
uRun: [Google Update] "c:\users\yareli\appdata\local\google\update\GoogleUpdate.exe" /c
uRun: [ares] "c:\program files\ares\Ares.exe" -h
uRun: [Facebook Update] "c:\users\yareli\appdata\local\facebook\update\FacebookUpdate.exe" /c /nocrashserver
uRun: [Spotify] "c:\users\yareli\appdata\roaming\spotify\Spotify.exe" /uri spotify:autostart
uRun: [Spotify Web Helper] "c:\users\yareli\appdata\roaming\spotify\data\SpotifyWebHelper.exe"
uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /minimized /regrun
mRun: [BCSSync] "c:\program files\microsoft office\office14\BCSSync.exe" /DelayServices
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [NeroFilterCheck] c:\program files\common files\nero\lib\NeroCheck.exe
mRun: [NBKeyScan] "c:\program files\nero\nero8\nero backitup\NBKeyScan.exe"
mRun: [RemoteControl10] "c:\program files\cyberlink\powerdvd10\PDVD10Serv.exe"
mRun: [BDRegion] c:\program files\cyberlink\shared files\brs.exe
mRun: [ToolBoxFX] "c:\program files\hp\toolboxfx\bin\HPTLBXFX.exe" /enum:on /alerts:on /notifications:on /fl:on /fr:on /appData:on /tmcp:on
mRun: [HP LaserJet M2727 MFP Series Fax] c:\program files\hp\hp laserjet m2727\hppfaxprintersrv.exe "HP LaserJet M2727 MFP Series Fax"
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [HPUsageTracking] "c:\program files\hp\hp ut\bin\hppusg.exe" "c:\program files\hp\hp ut\"
mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [StartCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
uPolicies-Explorer: NoDriveTypeAutoRun = dword:145
mPolicies-Explorer: NoDriveTypeAutoRun = dword:255
mPolicies-System: ConsentPromptBehaviorAdmin = dword:0
mPolicies-System: ConsentPromptBehaviorUser = dword:3
mPolicies-System: EnableLUA = dword:0
mPolicies-System: EnableUIADesktopToggle = dword:0
mPolicies-System: PromptOnSecureDesktop = dword:0
IE: E&xportar a Microsoft Excel - c:\progra~1\micros~2\office14\EXCEL.EXE/3000
IE: {0C4CC089-D306-440D-9772-464E226F6539} - {0BA14598-4178-4CE5-B1F1-B5C6408A3F2E} - c:\program files\kaspersky lab\kaspersky anti-virus 15.0.0\ieext\virtualkeyboard\ie_virtual_keyboard_plugin.dll
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
IE: {a2a761d6-a395-468f-8fc0-5ad6a1d508b2} - {a238dd2d-4741-427a-b25e-22897b3cfe3a}
IE: {CCF151D8-D089-449F-A5A4-D9909053F20F} - {CCF151D8-D089-449F-A5A4-D9909053F20F} - c:\program files\kaspersky lab\kaspersky anti-virus 15.0.0\ieext\urladvisor\klwtbbho.dll
TCP: NameServer =
TCP: Interfaces\{98DA319B-D102-4D05-8BBB-82AA6A742F4C} : DHCPNameServer =
TCP: Interfaces\{9A32266C-8275-43D9-BB44-E1FA3D067B26} : DHCPNameServer =
TCP: Interfaces\{9A32266C-8275-43D9-BB44-E1FA3D067B26}\94E46494E4944555D416036366 : DHCPNameServer =
TCP: Interfaces\{9A32266C-8275-43D9-BB44-E1FA3D067B26}\C696E6B6379737 : DHCPNameServer =
Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - c:\program files\common files\microsoft shared\office14\MSOXMLMF.DLL
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\program files\common files\skype\Skype4COM.dll
Handler: skypec2c - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - c:\program files\windows live\photo gallery\AlbumDownloadProtocolHandler.dll
SSODL: WebCheck - <orphaned>
SEH: Groove GFS Stub Execution Hook - {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - c:\program files\microsoft office\office14\GROOVEEX.DLL
============= SERVICES / DRIVERS ===============
R1 klhk;klhk;c:\windows\system32\drivers\klhk.sys [2014-8-11 34400]
R1 KLIM6;Kaspersky Anti-Virus NDIS 6 Filter;c:\windows\system32\drivers\klim6.sys [2014-2-25 25696]
R1 klpd;klpd;c:\windows\system32\drivers\klpd.sys [2013-4-12 14432]
R1 kltdi;kltdi;c:\windows\system32\drivers\kltdi.sys [2014-3-25 45024]
R1 kneps;kneps;c:\windows\system32\drivers\kneps.sys [2014-3-26 145888]
R2 {1BA31E5A-C098-42d8-8F88-3C9F78A2FDDC};Power Control [2012/04/17 13:52:49];c:\program files\cyberlink\powerdvd10\navfilter\000.fcl [2010-3-13 87536]
R2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2012-4-17 176128]
R2 AMD FUEL Service;AMD FUEL Service;c:\program files\ati technologies\ati.ace\fuel\Fuel.Service.exe [2010-11-10 284160]
R2 AMD Reservation Manager;AMD Reservation Manager;c:\program files\ati technologies\ati.ace\reservation manager\AMD Reservation Manager.exe [2010-6-17 140224]
R2 AVP15.0.0;Kaspersky Anti-Virus Service 15.0.0;c:\program files\kaspersky lab\kaspersky anti-virus 15.0.0\avp.exe [2014-4-20 233552]
R2 c2cautoupdatesvc;Skype Click to Call Updater;c:\program files\skype\toolbars\autoupdate\SkypeC2CAutoUpdateSvc.exe [2014-7-14 1390176]
R2 c2cpnrsvc;Skype Click to Call PNR Service;c:\program files\skype\toolbars\pnrsvc\SkypeC2CPNRSvc.exe [2014-7-14 1767520]
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2013-9-11 105144]
R2 HP LaserJet Service;HP LaserJet Service;c:\program files\hp\hplaserjetservice\HPLaserJetService.exe [2009-11-12 136192]
R2 Skype C2C Service;Skype C2C Service;c:\programdata\skype\toolbars\skype c2c service\c2c_service.exe [2012-10-2 3064000]
R3 amdiox86;AMD IO Driver;c:\windows\system32\drivers\amdiox86.sys [2012-4-17 37944]
R3 klflt;Kaspersky Lab Kernel DLL;c:\windows\system32\drivers\klflt.sys [2014-8-11 111168]
R3 klkbdflt;Kaspersky Lab KLKBDFLT;c:\windows\system32\drivers\klkbdflt.sys [2014-3-28 24672]
R3 klmouflt;Kaspersky Lab KLMOUFLT;c:\windows\system32\drivers\klmouflt.sys [2013-8-8 25696]
R3 netr28;Ralink 802.11n Extensible Wireless Driver;c:\windows\system32\drivers\netr28.sys [2010-11-4 909664]
R3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\drivers\Rt86win7.sys [2010-12-28 327784]
S2 SkypeUpdate;Skype Updater;c:\program files\skype\updater\Updater.exe [2013-10-23 172192]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]
S3 IEEtwCollectorService;Internet Explorer ETW Collector Service;c:\windows\system32\ieetwcollector.exe [2014-8-14 108032]
S3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys [2012-4-17 15872]
S3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\TsUsbFlt.sys [2012-4-18 52224]
S3 WatAdminSvc;Servicio de tecnologías de activación de Windows;c:\windows\system32\wat\WatAdminSvc.exe [2012-4-17 1343400]
S4 SrvUpdater;Software Updater;c:\program files\softwareupdater\UpdaterService.exe [2013-4-12 31744]
=============== Created Last 30 ================
2014-08-23 03:20:30    8581864    ----a-w-    c:\programdata\microsoft\windows defender\definition updates\{181c5f7d-88e1-4d20-8fc4-0e12e68b7674}\mpengine.dll
2014-08-23 03:10:04    317440    ----a-w-    c:\windows\system32\spoolsv.exe
2014-08-23 03:02:33    --------    d-----w-    c:\windows\Migration
2014-08-15 01:57:59    1792512    ----a-w-    c:\windows\system32\wininet.dll
2014-08-15 01:44:35    99480    ----a-w-    c:\windows\system32\infocardapi.dll
2014-08-15 01:44:32    8856    ----a-w-    c:\windows\system32\icardres.dll
2014-08-15 01:44:27    619672    ----a-w-    c:\windows\system32\icardagt.exe
2014-08-15 01:44:23    35480    ----a-w-    c:\windows\system32\TsWpfWrp.exe
2014-08-15 01:43:05    12625408    ----a-w-    c:\windows\system32\wmploc.DLL
2014-08-15 01:43:04    164864    ----a-w-    c:\program files\windows media player\wmplayer.exe
2014-08-14 22:28:49    400896    ----a-w-    c:\windows\system32\srcore.dll
2014-08-14 22:28:41    1230336    ----a-w-    c:\windows\system32\WindowsCodecs.dll
2014-08-14 20:25:48    712048    ----a-w-    c:\windows\system32\drivers\ndis.sys
2014-08-14 20:25:48    33280    ----a-w-    c:\windows\system32\drivers\RNDISMP.sys
2014-08-14 20:25:07    152576    ----a-w-    c:\windows\system32\SmartcardCredentialProvider.dll
2014-08-14 20:25:06    168960    ----a-w-    c:\windows\system32\credui.dll
2014-08-14 20:24:18    301568    ----a-w-    c:\windows\system32\msieftp.dll
2014-08-14 20:23:48    196328    ----a-w-    c:\windows\system32\drivers\fvevol.sys
2014-08-14 20:21:45    417792    ----a-w-    c:\windows\system32\WMPhoto.dll
2014-08-14 20:20:32    245760    ----a-w-    c:\windows\system32\OxpsConverter.exe
2014-08-14 20:18:50    77144    ----a-w-    c:\windows\system32\mcupdate_AuthenticAMD.dll
2014-08-14 20:18:36    73216    ----a-w-    c:\windows\system32\WUDFSvc.dll
2014-08-14 20:18:36    66560    ----a-w-    c:\windows\system32\drivers\WUDFPf.sys
2014-08-14 20:18:36    155136    ----a-w-    c:\windows\system32\drivers\WUDFRd.sys
2014-08-14 20:18:35    38912    ----a-w-    c:\windows\system32\WUDFCoinstaller.dll
2014-08-14 20:18:35    196608    ----a-w-    c:\windows\system32\WUDFHost.exe
2014-08-14 20:18:35    172032    ----a-w-    c:\windows\system32\WUDFPlatform.dll
2014-08-14 20:18:34    613888    ----a-w-    c:\windows\system32\WUDFx.dll
2014-08-14 20:18:09    24576    ----a-w-    c:\windows\system32\cryptdlg.dll
2014-08-14 20:12:29    40960    ----a-w-    c:\windows\system32\wwanprotdim.dll
2014-08-14 20:12:29    185344    ----a-w-    c:\windows\system32\wwansvc.dll
2014-08-14 20:11:46    434688    ----a-w-    c:\windows\system32\scavengeui.dll
2014-08-14 20:10:51    27072    ----a-w-    c:\windows\system32\drivers\Diskdump.sys
2014-08-14 20:10:51    234432    ----a-w-    c:\windows\system32\drivers\msiscsi.sys
2014-08-14 20:10:51    2048    ----a-w-    c:\windows\system32\iologmsg.dll
2014-08-14 20:10:51    149440    ----a-w-    c:\windows\system32\drivers\storport.sys
2014-08-14 20:10:06    52224    ----a-w-    c:\windows\system32\nlaapi.dll
2014-08-14 20:10:06    499712    ----a-w-    c:\windows\system32\iphlpsvc.dll
2014-08-14 20:10:06    35328    ----a-w-    c:\windows\system32\drivers\tcpipreg.sys
2014-08-14 20:10:06    242176    ----a-w-    c:\windows\system32\nlasvc.dll
2014-08-14 20:10:06    175104    ----a-w-    c:\windows\system32\netcorehc.dll
2014-08-14 20:10:06    156672    ----a-w-    c:\windows\system32\ncsi.dll
2014-08-14 20:10:05    18944    ----a-w-    c:\windows\system32\netevent.dll
2014-08-14 19:45:54    1212352    ----a-w-    c:\windows\system32\drivers\ntfs.sys
2014-08-14 19:39:23    65536    ----a-w-    c:\windows\system32\TSpkg.dll
2014-08-14 19:39:23    550912    ----a-w-    c:\windows\system32\kerberos.dll
2014-08-14 19:39:23    259584    ----a-w-    c:\windows\system32\msv1_0.dll
2014-08-14 19:39:23    247808    ----a-w-    c:\windows\system32\schannel.dll
2014-08-14 19:39:23    220160    ----a-w-    c:\windows\system32\ncrypt.dll
2014-08-14 19:39:23    172032    ----a-w-    c:\windows\system32\wdigest.dll
2014-08-14 19:39:22    17408    ----a-w-    c:\windows\system32\credssp.dll
2014-08-14 19:38:16    81920    ----a-w-    c:\windows\system32\davclnt.dll
2014-08-14 19:38:16    205824    ----a-w-    c:\windows\system32\WebClnt.dll
2014-08-14 19:38:16    115712    ----a-w-    c:\windows\system32\drivers\mrxdav.sys
2014-08-14 19:37:12    164352    ----a-w-    c:\windows\system32\profsvc.dll
2014-08-14 19:36:27    133056    ----a-w-    c:\windows\system32\drivers\ataport.sys
2014-08-14 19:30:47    44032    ----a-w-    c:\windows\system32\dhcpcsvc6.dll
2014-08-14 19:30:47    193536    ----a-w-    c:\windows\system32\dhcpcore6.dll
2014-08-14 19:29:09    594944    ----a-w-    c:\windows\system32\RMActivate_isv.exe
2014-08-14 19:29:09    572416    ----a-w-    c:\windows\system32\RMActivate.exe
2014-08-14 19:29:09    508928    ----a-w-    c:\windows\system32\RMActivate_ssp_isv.exe
2014-08-14 19:29:08    87040    ----a-w-    c:\windows\system32\secproc_ssp_isv.dll
2014-08-14 19:29:08    87040    ----a-w-    c:\windows\system32\secproc_ssp.dll
2014-08-14 19:29:08    510976    ----a-w-    c:\windows\system32\RMActivate_ssp.exe
2014-08-14 19:29:08    428032    ----a-w-    c:\windows\system32\secproc.dll
2014-08-14 19:29:08    423936    ----a-w-    c:\windows\system32\secproc_isv.dll
2014-08-14 19:29:08    390144    ----a-w-    c:\windows\system32\msdrm.dll
2014-08-14 19:27:41    6144    ----a-w-    c:\windows\system32\KBDYAK.DLL
2014-08-14 19:27:41    6144    ----a-w-    c:\windows\system32\KBDBASH.DLL
2014-08-14 19:11:45    654336    ----a-w-    c:\windows\system32\rpcrt4.dll
2014-08-14 19:11:01    730048    ----a-w-    c:\windows\system32\drivers\dxgkrnl.sys
2014-08-14 19:11:01    219072    ----a-w-    c:\windows\system32\drivers\dxgmms1.sys
2014-08-14 19:11:01    107520    ----a-w-    c:\windows\system32\cdd.dll
2014-08-14 19:00:15    305152    ----a-w-    c:\windows\system32\gdi32.dll
2014-08-14 19:00:15    2352640    ----a-w-    c:\windows\system32\win32k.sys
2014-08-14 18:59:38    2048    ----a-w-    c:\windows\system32\tzres.dll
2014-08-14 18:58:54    2363392    ----a-w-    c:\windows\system32\msi.dll
2014-08-14 18:58:53    337408    ----a-w-    c:\windows\system32\msihnd.dll
2014-08-14 18:58:53    1805824    ----a-w-    c:\windows\system32\authui.dll
2014-08-14 18:58:53    101824    ----a-w-    c:\windows\system32\consent.exe
2014-08-11 22:18:15    --------    d-----w-    c:\windows\ELAMBKUP
2014-08-11 22:18:12    --------    d-----w-    c:\program files\Kaspersky Lab
2014-08-11 22:18:11    --------    d-----w-    c:\programdata\Kaspersky Lab
2014-08-11 22:17:55    34400    ----a-w-    c:\windows\system32\drivers\klhk.sys
2014-08-11 22:17:55    111168    ----a-w-    c:\windows\system32\drivers\klflt.sys
2014-08-11 21:10:22    --------    d-----w-    c:\windows\pss
2014-08-11 18:59:17    260007    ----a-w-    c:\programdata\1407779889.bdinstall.bin
2014-08-11 17:38:56    279574    ----a-w-    c:\programdata\1407778508.bdinstall.bin
2014-08-11 17:32:10    63341    ----a-w-    c:\programdata\1407778318.bdinstall.bin
2014-08-11 17:31:34    284302    ----a-w-    c:\programdata\1407778208.bdinstall.bin
2014-08-11 17:30:23    --------    d-----w-    c:\programdata\Bitdefender
2014-08-11 17:29:15    --------    d-----w-    c:\program files\common files\Bitdefender
2014-08-10 20:35:07    2120    ----a-w-    c:\programdata\1407702892.5380.bin
2014-08-10 20:35:04    9129    ----a-w-    c:\programdata\1407702892.2948.bin
2014-08-10 20:35:04    507    ----a-w-    c:\programdata\1407702892.5152.bin
2014-08-10 20:35:04    --------    d-----w-    c:\program files\Bitdefender
2014-08-10 20:35:02    14299    ----a-w-    c:\programdata\1407702892.5980.bin
2014-08-10 20:34:57    8987    ----a-w-    c:\programdata\1407702892.2532.bin
2014-08-10 20:34:56    3443    ----a-w-    c:\programdata\1407702892.3148.bin
2014-08-10 20:34:52    49065    ----a-w-    c:\programdata\1407702892.1184.bin
2014-08-10 20:34:52    --------    d-----w-    c:\users\yareli\appdata\roaming\QuickScan
2014-08-04 21:47:38    452440    ----a-w-    c:\windows\system32\d3dx10_40.dll
2014-08-04 21:47:38    2036576    ----a-w-    c:\windows\system32\D3DCompiler_40.dll
2014-08-04 21:47:37    4379984    ----a-w-    c:\windows\system32\D3DX9_40.dll
2014-08-01 23:57:54    2425856    ----a-w-    c:\windows\system32\wucltux.dll
2014-08-01 23:57:02    92672    ----a-w-    c:\windows\system32\wudriver.dll
2014-08-01 23:56:30    33792    ----a-w-    c:\windows\system32\wuapp.exe
2014-08-01 23:56:30    179656    ----a-w-    c:\windows\system32\wuwebv.dll
2014-07-31 18:57:19    --------    d-----w-    c:\program files\common files\Steam
2014-07-31 18:57:16    --------    d-----w-    c:\program files\Steam
==================== Find3M  ====================
2014-08-05 15:20:02    231584    ------w-    c:\windows\system32\MpSigStub.exe
2014-07-25 13:04:40    2724864    ----a-w-    c:\windows\system32\mshtml.tlb
2014-07-25 13:03:54    4096    ----a-w-    c:\windows\system32\ieetwcollectorres.dll
2014-07-25 12:34:49    61952    ----a-w-    c:\windows\system32\iesetup.dll
2014-07-25 12:34:03    455168    ----a-w-    c:\windows\system32\vbscript.dll
2014-07-25 12:33:08    51200    ----a-w-    c:\windows\system32\ieetwproxystub.dll
2014-07-25 12:30:32    61952    ----a-w-    c:\windows\system32\MshtmlDac.dll
2014-07-25 12:10:15    112128    ----a-w-    c:\windows\system32\ieUnatt.exe
2014-07-25 12:10:12    108032    ----a-w-    c:\windows\system32\ieetwcollector.exe
2014-07-25 12:08:47    597504    ----a-w-    c:\windows\system32\jscript9diag.dll
2014-07-25 12:06:47    4204032    ----a-w-    c:\windows\system32\jscript9.dll
2014-07-25 11:59:29    646144    ----a-w-    c:\windows\system32\MsSpellCheckingFacility.exe
2014-07-25 11:43:16    60416    ----a-w-    c:\windows\system32\JavaScriptCollectionAgent.dll
2014-07-25 11:07:49    2001920    ----a-w-    c:\windows\system32\inetcpl.cpl
2014-07-25 11:07:10    1068032    ----a-w-    c:\windows\system32\mshtmlmedia.dll
2014-07-11 09:02:10    96680    ----a-w-    c:\windows\system32\WindowsAccessBridge.dll
2014-07-09 00:00:41    71344    ----a-w-    c:\windows\system32\FlashPlayerCPLApp.cpl
2014-07-09 00:00:41    699056    ----a-w-    c:\windows\system32\FlashPlayerApp.exe
2014-06-18 01:51:32    646144    ----a-w-    c:\windows\system32\osk.exe
2014-06-06 09:44:17    509440    ----a-w-    c:\windows\system32\qedit.dll
2014-06-05 14:26:50    1059840    ----a-w-    c:\windows\system32\lsasrv.dll
2014-05-30 06:36:07    338944    ----a-w-    c:\windows\system32\drivers\afd.sys
============= FINISH: 23:20:28.31 ===============

Is there any other log-creating tool it might be useful to run? Thanks for taking the time to read the long post

Edited by Sismetic, 26 August 2014 - 10:11 AM.

BC AdBot (Login to Remove)


#2 nasdaq


  • Malware Response Team
  • 40,190 posts
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:11:21 PM

Posted 26 August 2014 - 03:45 PM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.

Download Malwarebytes' Anti-Malware from Here

Double-click mbam-setup-2.X.X.XXXX.exe to install the application (X's are the current version number).
  • Make sure a checkmark is placed next to Launch Malwarebytes' Anti-Malware, then click Finish.
  • Once MBAM opens, when it says Your databases are out of date, click the Fix Now button.
  • Click the Settings tab at the top, and then in the left column, select Detections and Protections, and if not already checked place a checkmark in the selection box for Scan for rootkits.
  • Click the Scan tab at the top of the program window, select Threat Scan and click the Scan Now button.
  • If you receive a message that updates are available, click the Update Now button (the update will be downloaded, installed, and the scan will start).
  • The scan may take some time to finish,so please be patient.
  • If potential threats are detected, ensure that Quarantine is selected as the Action for all the listed items, and click the Apply Actions button.
  • While still on the Scan tab, click the link for View detailed log, and in the window that opens click the Export button, select Text file (*.txt), and save the log to your Desktop.
  • The log is automatically saved by MBAM and can also be viewed by clicking the History tab and then selecting Application Logs.
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately.


Please download AdwCleaner by Xplode onto your Desktop.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click the Scan button and wait for the process to complete.
  • Click the Report button and the report will open in Notepad.
  • If you click the Clean button all items listed in the report will be removed.
If you find some false positive items or programs that you wish to keep, Close the AdwCleaner windows.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click the Scan button and wait for the process to complete.
  • Check off the element(s) you wish to keep.
  • Click on the Clean button follow the prompts.
  • A log file will automatically open after the scan has finished.
  • Please post the content of that log file with your next answer.
  • You can find the log file at C:\AdwCleaner[Sn].txt (n is a number).

Download the version of this tool for your operating system.
Farbar Recovery Scan Tool (64 bit)
Farbar Recovery Scan Tool (32 bit)
and save it to a folder on your computer's Desktop.
Double-click to run it. When the tool opens click Yes to disclaimer.
Press Scan button.
It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
The first time the tool is run, it makes also another log (Addition.txt). Please attach it to your reply.

Please paste the logs in your next reply DO NOT ATTACH THEM unless specified.
To attach a file select the "More Reply Option" and follow the instructions.

How is the computer running?
Wait for further instructions.

#3 Sismetic

  • Topic Starter

  • Members
  • 15 posts
  • Local time:11:21 PM

Posted 26 August 2014 - 04:07 PM

Thanks nasdaq for helping me out again. I'm waiting for my girlfriend to come back with a new modem(they've been having connection issues) in order to Skype with her and use Team Viewer in order to perform these tasks and will update as soon as possible

Edited by Sismetic, 27 August 2014 - 10:49 AM.

#4 nasdaq


  • Malware Response Team
  • 40,190 posts
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:11:21 PM

Posted 01 September 2014 - 07:25 AM

Are you still with me?

#5 Sismetic

  • Topic Starter

  • Members
  • 15 posts
  • Local time:11:21 PM

Posted 01 September 2014 - 09:10 AM

Oh sorry man... I've been waiting for my girlfriend to fix her internet but now she has given up on it. I talked to her and only her sister can make the ISP provider technicians to come(as she has the contract and everything) but they have a busy schedchule so she says it will take a long time. So it looks like the situation's stalled. Sorry for that, it is best if the topic's closed and I'll reopen one with the steps followed as instructed when she has her internet back, that way you don't lose any more time. I appreciate the time and effort

#6 nasdaq


  • Malware Response Team
  • 40,190 posts
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:11:21 PM

Posted 01 September 2014 - 10:39 AM

You can ask me to reopened the topic when ready.

#7 nasdaq


  • Malware Response Team
  • 40,190 posts
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:11:21 PM

Posted 01 September 2014 - 10:39 AM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users