
Computer hacked


This topic is locked
8 replies to this topic

#1 santare

  • Members
  • 225 posts

Posted 09 February 2015 - 11:55 AM

I think my computer is hacked. It's slower than usual and Internet Explorer gets renamed. This is my FRST log.

 

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 04-02-2015 01
Ran by Bojan (administrator) on BOJAN-PC on 07-02-2015 13:26:27
Running from C:\Users\Bojan\Desktop
Loaded Profiles: Bojan &  (Available profiles: Bojan)
Platform: Windows 7 Ultimate (X86) OS Language: English (United States)
Internet Explorer Version 9 (Default browser: IE)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(AMD) C:\Windows\System32\atiesrxx.exe
(AMD) C:\Windows\System32\atieclxx.exe
(www.shadowexplorer.com) C:\Program Files\ShadowExplorer\sesvc.exe
(Google Inc.) C:\Program Files\Google\Update\1.3.26.9\GoogleCrashHandler.exe
(VIA) C:\Program Files\VIA\VIAudioi\VDeck\VDeck.exe
(Oracle Corporation) C:\Program Files\Common Files\Java\Java Update\jusched.exe
(Wondershare) C:\Program Files\Common Files\Wondershare\Wondershare Helper Compact\WSHelper.exe
(Advanced Micro Devices Inc.) C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
(ATI Technologies Inc.) C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
(Microsoft Corporation) C:\Program Files\Microsoft Office\Office14\MSOSYNC.EXE
(Spotify Ltd) C:\Users\Bojan\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe
() C:\Users\Bojan\Program Files\DNA\btdna.exe
(Microsoft Corporation) C:\Program Files\Microsoft Office\Office14\ONENOTEM.EXE
(Microsoft Corporation) C:\Program Files\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
(Microsoft Corporation) C:\Windows\System32\wuauclt.exe
(Malwarebytes Corporation) C:\Program Files\Malwarebytes Anti-Malware\mbam.exe
(Microsoft Corporation) C:\Windows\System32\audiodg.exe
(Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe
(Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe
(Google Inc.) C:\Program Files\Google\Google Toolbar\GoogleToolbarUser_32.exe
(Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe
(Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe

==================== Registry (Whitelisted) ==================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [BCSSync] => C:\Program Files\Microsoft Office\Office14\BCSSync.exe [91520 2010-01-21] (Microsoft Corporation)
HKLM\...\Run: [StartCCC] => C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe [98304 2009-11-10] (Advanced Micro Devices, Inc.)
HKLM\...\Run: [HDAudDeck] => C:\Program Files\VIA\VIAudioi\VDeck\VDeck.exe [1728512 2009-12-04] (VIA)
HKLM\...\Run: [VIAAUD] => C:\Program Files\VIA\VIAudioi\VDeck\VIAAUD.exe
HKLM\...\Run: [SunJavaUpdateSched] => C:\Program Files\Common Files\Java\Java Update\jusched.exe [253816 2013-03-12] (Oracle Corporation)
HKLM\...\Run: [Wondershare Helper Compact.exe] => C:\Program Files\Common Files\Wondershare\Wondershare Helper Compact\WSHelper.exe [1980416 2013-12-18] (Wondershare)
HKLM\...\Run: [BrowserPlugInHelper] => C:\Program Files\Wondershare\Video Converter Ultimate\BrowserPlugInHelper.exe [1962896 2014-02-12] ()
HKU\S-1-5-18-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\...\RunOnce: [SPReview] => C:\Windows\System32\SPReview\SPReview.exe [280576 2013-07-25] (Microsoft Corporation)
HKU\S-1-5-21-3418898318-3579430007-511159314-1000\...\Run: [OfficeSyncProcess] => C:\Program Files\Microsoft Office\Office14\MSOSYNC.EXE [717696 2010-01-16] (Microsoft Corporation)
HKU\S-1-5-21-3418898318-3579430007-511159314-1000\...\Run: [Spotify Web Helper] => C:\Users\Bojan\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe [1676344 2014-12-12] (Spotify Ltd)
HKU\S-1-5-21-3418898318-3579430007-511159314-1000\...\Run: [Spotify] => C:\Users\Bojan\AppData\Roaming\Spotify\spotify.exe [6737976 2014-12-12] (Spotify Ltd)
HKU\S-1-5-21-3418898318-3579430007-511159314-1000\...\Run: [BitTorrent DNA] => C:\Users\Bojan\Program Files\DNA\btdna.exe [290112 2014-12-05] ()
HKU\S-1-5-21-3418898318-3579430007-511159314-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\...\Run: [OfficeSyncProcess] => C:\Program Files\Microsoft Office\Office14\MSOSYNC.EXE [717696 2010-01-16] (Microsoft Corporation)
HKU\S-1-5-21-3418898318-3579430007-511159314-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\...\Run: [Spotify Web Helper] => C:\Users\Bojan\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe [1676344 2014-12-12] (Spotify Ltd)
HKU\S-1-5-21-3418898318-3579430007-511159314-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\...\Run: [Spotify] => C:\Users\Bojan\AppData\Roaming\Spotify\spotify.exe [6737976 2014-12-12] (Spotify Ltd)
HKU\S-1-5-21-3418898318-3579430007-511159314-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\...\Run: [BitTorrent DNA] => C:\Users\Bojan\Program Files\DNA\btdna.exe [290112 2014-12-05] ()
HKU\S-1-5-18\...\RunOnce: [SPReview] => C:\Windows\System32\SPReview\SPReview.exe [280576 2013-07-25] (Microsoft Corporation)
Startup: C:\Users\Bojan\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneNote 2010 Screen Clipper and Launcher.lnk
ShortcutTarget: OneNote 2010 Screen Clipper and Launcher.lnk -> C:\Program Files\Microsoft Office\Office14\ONENOTEM.EXE (Microsoft Corporation)

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

HKU\S-1-5-21-3418898318-3579430007-511159314-1000\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/ncr
HKU\S-1-5-21-3418898318-3579430007-511159314-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/ncr
SearchScopes: HKU\.DEFAULT -> DefaultScope {6A1806CD-94D4-4689-BA73-E35EA1EA9990} URL =
SearchScopes: HKU\S-1-5-21-3418898318-3579430007-511159314-1000 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-21-3418898318-3579430007-511159314-1000 -> {B2717064-23C2-41B7-BA22-9AE5CCB5368D} URL = http://search.conduit.com/ResultsExt.aspx?q={searchTerms}&SearchSource=4&ctid=CT3225826&CUI=UN36360137431596315&UM=1
SearchScopes: HKU\S-1-5-21-3418898318-3579430007-511159314-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-21-3418898318-3579430007-511159314-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0 -> {B2717064-23C2-41B7-BA22-9AE5CCB5368D} URL = http://search.conduit.com/ResultsExt.aspx?q={searchTerms}&SearchSource=4&ctid=CT3225826&CUI=UN36360137431596315&UM=1
BHO: Wondershare Video Converter Ultimate -> {65DEE40A-3E93-4cae-9F98-B8E06DCEE2BF} -> C:\Program Files\Wondershare\Video Converter Ultimate\SVRIEPlugin.dll (Wondershare Software Co., Ltd.)
BHO: Groove GFS Browser Helper -> {72853161-30C5-4D22-B7F9-0BBC1D38A37E} -> C:\Program Files\Microsoft Office\Office14\GROOVEEX.DLL (Microsoft Corporation)
BHO: Java™ Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files\Java\jre7\bin\ssv.dll (Oracle Corporation)
BHO: Google Toolbar Helper -> {AA58ED58-01DD-4d91-8333-CF10577473F7} -> C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
BHO: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL (Microsoft Corporation)
BHO: Java™ Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files\Java\jre7\bin\jp2ssv.dll (Oracle Corporation)
Toolbar: HKLM - Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
Toolbar: HKU\S-1-5-21-3418898318-3579430007-511159314-1000 -> Google Toolbar - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
Toolbar: HKU\S-1-5-21-3418898318-3579430007-511159314-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0 -> Google Toolbar - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
DPF: {0D41B8C5-2599-4893-8183-00195EC8D5F9} http://support.asus.com/select/asusTek_sys_ctrl3.cab
DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} http://download.divx.com/player/DivXBrowserPlugin.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - C:\Program Files\Belarc\BelarcAdvisor\System\BAVoilaX.dll (Belarc, Inc.)
Tcpip\Parameters: [DhcpNameServer] 10.0.0.1

FireFox:
========
FF ProfilePath: C:\Users\Bojan\AppData\Roaming\Mozilla\Firefox\Profiles\k14jo04l.default
FF NetworkProxy: "type", 0
FF Plugin: @adobe.com/FlashPlayer -> C:\Windows\system32\Macromed\Flash\NPSWF32_16_0_0_305.dll ()
FF Plugin: @bittorrent.com/BitTorrentDNA -> C:\Program Files\DNA\plugins\npbtdna.dll (BitTorrent, Inc.)
FF Plugin: @foxitsoftware.com/Foxit Reader Plugin,version=1.0,application/pdf -> C:\Program Files\Foxit Software\Foxit Reader\plugins\npFoxitReaderPlugin.dll (Foxit Corporation)
FF Plugin: @Google.com/GoogleEarthPlugin -> C:\Program Files\Google\Google Earth\plugin\npgeplugin.dll (Google)
FF Plugin: @java.com/DTPlugin,version=10.25.2 -> C:\Windows\system32\npDeployJava1.dll (Oracle Corporation)
FF Plugin: @java.com/JavaPlugin,version=10.25.2 -> C:\Program Files\Java\jre7\bin\plugin2\npjp2.dll (Oracle Corporation)
FF Plugin: @microsoft.com/GENUINE -> disabled No File
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> C:\Program Files\Microsoft Silverlight\5.1.20513.0\npctrl.dll ( Microsoft Corporation)
FF Plugin: @microsoft.com/OfficeAuthz,version=14.0 -> C:\PROGRA~1\MICROS~2\Office14\NPAUTHZ.DLL (Microsoft Corporation)
FF Plugin: @microsoft.com/SharePoint,version=14.0 -> C:\PROGRA~1\MICROS~2\Office14\NPSPWRAP.DLL (Microsoft Corporation)
FF Plugin: @tools.google.com/Google Update;version=3 -> C:\Program Files\Google\Update\1.3.26.9\npGoogleUpdate3.dll (Google Inc.)
FF Plugin: @tools.google.com/Google Update;version=9 -> C:\Program Files\Google\Update\1.3.26.9\npGoogleUpdate3.dll (Google Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\npbittorrent.dll (BitTorrent, Inc.)
FF Extension: Media Hint - C:\Users\Bojan\AppData\Roaming\Mozilla\Firefox\Profiles\k14jo04l.default\Extensions\mediahint@jetpack.xpi [2014-06-18]
FF HKLM\...\Firefox\Extensions: [{8D150B8F-EFE8-45a3-A4A3-053020F48FAC}] - C:\Program Files\Wondershare\Video Converter Ultimate\SVRFirefoxExt
FF Extension: Wondershare Video Converter Ultimate - C:\Program Files\Wondershare\Video Converter Ultimate\SVRFirefoxExt [2014-02-17]

Chrome:
=======
CHR Profile: C:\Users\Bojan\AppData\Local\Google\Chrome\User Data\Default
CHR Extension: (Media Hint) - C:\Users\Bojan\AppData\Local\Google\Chrome\User Data\Default\Extensions\akipcefbjlmpbcejgdaopmmidpnjlhnb [2014-06-17]
CHR Extension: (Google Docs) - C:\Users\Bojan\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake [2013-03-29]
CHR Extension: (Google Drive) - C:\Users\Bojan\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2013-03-29]
CHR Extension: (Google Voice Search Hotword (Beta)) - C:\Users\Bojan\AppData\Local\Google\Chrome\User Data\Default\Extensions\bepbmhgboaologfdajaanbcjmnhjmhfn [2014-05-29]
CHR Extension: (YouTube) - C:\Users\Bojan\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2013-03-29]
CHR Extension: (Wondershare Video Converter Ultimate) - C:\Users\Bojan\AppData\Local\Google\Chrome\User Data\Default\Extensions\chgdeabpmphfhkoemjjglmilajldekbp [2014-02-17]
CHR Extension: (Webpage Screenshot) - C:\Users\Bojan\AppData\Local\Google\Chrome\User Data\Default\Extensions\ckibcdccnfeookdmbahgiakhnjcddpki [2013-04-18]
CHR Extension: (Google Search) - C:\Users\Bojan\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf [2013-03-29]
CHR Extension: (Google Wallet) - C:\Users\Bojan\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2013-08-30]
CHR Extension: (Gmail) - C:\Users\Bojan\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2013-03-29]
CHR HKLM\...\Chrome\Extension: [chgdeabpmphfhkoemjjglmilajldekbp] - C:\Program Files\Wondershare\Video Converter Ultimate\SVRChromePlugin.crx [2014-02-17]

========================== Services (Whitelisted) =================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

R2 sesvc; C:\Program Files\ShadowExplorer\sesvc.exe [9216 2013-01-02] (www.shadowexplorer.com) [File not signed]
R2 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [680960 2009-07-14] (Microsoft Corporation)
S2 Winmgmt; C:\PROGRA~2\650B0321A.cpp [X]

==================== Drivers (Whitelisted) ====================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

R3 MBAMSwissArmy; C:\Windows\system32\drivers\MBAMSwissArmy.sys [114904 2015-02-07] (Malwarebytes Corporation)
S3 UCORESYS; D:\H55M-LE(1.80)WIN\UCORESYS.SYS [15432 2009-08-21] ()
S3 VASDeviceDrm; C:\Windows\System32\drivers\vasdDev.sys [1451312 2012-03-19] (ShiningMorning Inc.)
R3 VIAHdAudAddService; C:\Windows\System32\drivers\viahduaa.sys [1108480 2009-11-25] (VIA Technologies, Inc.)
S3 ALSysIO; \??\C:\Users\Bojan\AppData\Local\Temp\ALSysIO.sys [X]
S3 SANDRA; \??\C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2013.SP2\WNt500x86\Sandra.sys [X]

==================== NetSvcs (Whitelisted) ===================

(If an item is included in the fixlist, it will be removed from the registry. Any associated file could be listed separately to be moved.)

==================== One Month Created Files and Folders ========

(If an entry is included in the fixlist, the file\folder will be moved.)

2015-01-31 20:38 - 2015-01-31 20:38 - 00000000 ____D () C:\Program Files\Mozilla Firefox
2015-01-17 21:45 - 2015-01-17 21:45 - 00020397 _____ () C:\Users\Bojan\Desktop\[Sound-Park.ru] Night Demon - Curse of the Damned.torrent
2015-01-17 21:45 - 2015-01-17 21:45 - 00017685 _____ () C:\Users\Bojan\Desktop\[Sound-Park.ru] MotorFire - Rising Fire.torrent
2015-01-17 21:44 - 2015-01-17 21:44 - 00015047 _____ () C:\Users\Bojan\Desktop\[Sound-Park.ru] Howling Black Soul - Howling Black Soul.torrent
2015-01-11 14:09 - 2015-01-11 14:46 - 00000000 ____D () C:\Program Files\Vamp Plugins
2015-01-11 14:09 - 2015-01-11 14:16 - 00000000 ____D () C:\Program Files\Sonic Visualiser
2015-01-11 14:09 - 2015-01-11 14:09 - 00002931 _____ () C:\Users\Bojan\Desktop\Sonic Visualiser.lnk
2015-01-11 14:09 - 2015-01-11 14:09 - 00000000 ____D () C:\Users\Bojan\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Sonic Visualiser
2015-01-11 14:09 - 2015-01-11 14:09 - 00000000 ____D () C:\Users\Bojan\AppData\Local\sonic-visualiser
2015-01-11 14:08 - 2015-01-11 14:08 - 25411584 _____ () C:\Users\Bojan\Desktop\sonic-visualiser-2.4.1.msi
2015-01-09 20:35 - 2015-01-09 20:38 - 00000000 ____D () C:\Users\Bojan\impro-visor-version-6.0-files
2015-01-09 20:35 - 2015-01-09 20:35 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Impro-Visor
2015-01-09 20:35 - 2015-01-09 20:35 - 00000000 ____D () C:\Program Files\Impro-Visor6.0
2015-01-09 20:34 - 2015-01-09 20:34 - 06894592 _____ (Robert Keller) C:\Users\Bojan\Desktop\Impro-Visor_windows_6_0.exe

==================== One Month Modified Files and Folders =======

(If an entry is included in the fixlist, the file\folder will be moved.)

2015-02-07 13:26 - 2014-09-16 14:52 - 00014330 _____ () C:\Users\Bojan\Desktop\FRST.txt
2015-02-07 13:26 - 2014-04-21 13:00 - 00000000 ____D () C:\FRST
2015-02-07 13:17 - 2014-12-04 19:38 - 00000000 ____D () C:\Users\Bojan\AppData\Roaming\DNA
2015-02-07 13:10 - 2013-03-27 08:43 - 00000830 _____ () C:\Windows\Tasks\Adobe Flash Player Updater.job
2015-02-07 13:00 - 2014-12-23 00:26 - 00114904 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
2015-02-07 12:54 - 2013-03-29 13:43 - 00001044 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2015-02-07 11:06 - 2009-07-14 05:34 - 00024112 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2015-02-07 11:06 - 2009-07-14 05:34 - 00024112 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2015-02-07 11:02 - 2013-03-26 11:16 - 01239563 _____ () C:\Windows\WindowsUpdate.log
2015-02-07 10:48 - 2013-06-28 15:42 - 00000000 ____D () C:\Users\Bojan\AppData\Roaming\Spotify
2015-02-07 10:47 - 2013-04-01 13:05 - 00065536 _____ () C:\Windows\system32\Ikeext.etl
2015-02-07 10:47 - 2013-03-29 13:43 - 00001040 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2015-02-07 10:47 - 2009-07-14 05:53 - 00000006 ____H () C:\Windows\Tasks\SA.DAT
2015-02-07 10:47 - 2009-07-14 05:39 - 00549881 _____ () C:\Windows\setupact.log
2015-02-06 21:18 - 2013-04-01 23:23 - 00000000 ____D () C:\Users\Bojan\AppData\Roaming\SolSuite
2015-02-06 00:55 - 2013-03-29 13:44 - 00002129 _____ () C:\Users\Public\Desktop\Google Chrome.lnk
2015-02-05 21:10 - 2013-03-27 08:43 - 00701616 _____ (Adobe Systems Incorporated) C:\Windows\system32\FlashPlayerApp.exe
2015-02-05 21:10 - 2013-03-27 08:43 - 00071344 _____ (Adobe Systems Incorporated) C:\Windows\system32\FlashPlayerCPLApp.cpl
2015-02-05 16:01 - 2014-04-22 15:43 - 00000000 ____D () C:\Users\Bojan\Desktop\FRST-OlderVersion
2015-02-05 16:01 - 2014-04-21 13:00 - 01123328 _____ (Farbar) C:\Users\Bojan\Desktop\FRST.exe
2015-02-04 21:51 - 2014-12-04 19:12 - 00000000 ____D () C:\Users\Bojan\AppData\Roaming\BitTorrent
2015-02-04 14:38 - 2013-06-28 15:42 - 00000000 ____D () C:\Users\Bojan\AppData\Local\Spotify
2015-02-04 14:37 - 2014-06-18 18:38 - 00000000 ____D () C:\Program Files\Mozilla Maintenance Service
2015-01-29 02:13 - 2009-07-14 03:37 - 00000000 ____D () C:\Windows\system32\NDF
2015-01-10 19:52 - 2014-12-16 21:04 - 00000000 ____D () C:\Users\Bojan\AppData\Roaming\Skype
2015-01-09 20:35 - 2013-03-26 11:19 - 00000000 ____D () C:\Users\Bojan

==================== Files in the root of some directories =======

2013-04-04 13:15 - 2014-04-17 23:52 - 0007605 _____ () C:\Users\Bojan\AppData\Local\Resmon.ResmonCfg
2014-09-16 14:23 - 2014-09-16 14:23 - 0008176 _____ () C:\ProgramData\DECRYPT_INSTRUCTION.HTML
2014-09-16 14:23 - 2014-09-16 14:23 - 0004132 _____ () C:\ProgramData\DECRYPT_INSTRUCTION.TXT
2014-09-16 14:23 - 2014-09-16 14:23 - 0000252 _____ () C:\ProgramData\DECRYPT_INSTRUCTION.URL

Some content of TEMP:
====================
C:\Users\Bojan\AppData\Local\Temp\13-1_vista_win7_win8_32_dd_ccc_whql.exe
C:\Users\Bojan\AppData\Local\Temp\13-4_vista_win7_win8_32_dd_ccc_whql.exe
C:\Users\Bojan\AppData\Local\Temp\1365166199194_DriverUtils.dll
C:\Users\Bojan\AppData\Local\Temp\DivXInstaller.exe
C:\Users\Bojan\AppData\Local\Temp\i4jdel0.exe
C:\Users\Bojan\AppData\Local\Temp\jre-7u25-windows-i586-iftw.exe
C:\Users\Bojan\AppData\Local\Temp\SpotifyUninstall.exe
C:\Users\Bojan\AppData\Local\Temp\tbBitT.dll
C:\Users\Bojan\AppData\Local\Temp\utt3A3D.tmp.exe
C:\Users\Bojan\AppData\Local\Temp\utt7692.tmp.exe
C:\Users\Bojan\AppData\Local\Temp\uttF047.tmp.exe

==================== Bamital & volsnap Check =================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\explorer.exe => File is digitally signed
C:\Windows\system32\winlogon.exe => File is digitally signed
C:\Windows\system32\wininit.exe => File is digitally signed
C:\Windows\system32\svchost.exe => File is digitally signed
C:\Windows\system32\services.exe => File is digitally signed
C:\Windows\system32\User32.dll => File is digitally signed
C:\Windows\system32\userinit.exe => File is digitally signed
C:\Windows\system32\rpcss.dll => File is digitally signed
C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed

LastRegBack: 2015-02-03 01:46

==================== End Of Log ============================
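A helper reads a log like the one above by eye, looking for services whose binary is missing or unsigned, drivers loading from a Temp folder, search scopes pointing at an unexpected provider, and ransom-note files sitting in directory roots. The script below, added here as an example and not code from this thread, from FRST's author or from BleepingComputer, applies those same checks mechanically to the FRST text format. Its sample input is excerpted verbatim from the log posted above; the SVCHOST_BUILTINS and KNOWN_SEARCH_HOSTS sets and the ransom-note name pattern are assumptions made for the example and would be tuned for real use.

```python
import ntpath
import re
from dataclasses import dataclass, field
from typing import List
from urllib.parse import urlparse

# Sample input: lines excerpted verbatim from the FRST log posted above, kept
# under their original section headers; benign lines are left in as controls.
SAMPLE_LOG = r"""
==================== Internet (Whitelisted) ====================
SearchScopes: HKU\S-1-5-21-3418898318-3579430007-511159314-1000 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-21-3418898318-3579430007-511159314-1000 -> {B2717064-23C2-41B7-BA22-9AE5CCB5368D} URL = http://search.conduit.com/ResultsExt.aspx?q={searchTerms}&SearchSource=4&ctid=CT3225826&CUI=UN36360137431596315&UM=1
========================== Services (Whitelisted) =================
R2 sesvc; C:\Program Files\ShadowExplorer\sesvc.exe [9216 2013-01-02] (www.shadowexplorer.com) [File not signed]
R2 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [680960 2009-07-14] (Microsoft Corporation)
S2 Winmgmt; C:\PROGRA~2\650B0321A.cpp [X]
==================== Drivers (Whitelisted) ====================
S3 ALSysIO; \??\C:\Users\Bojan\AppData\Local\Temp\ALSysIO.sys [X]
==================== Files in the root of some directories =======
2013-04-04 13:15 - 2014-04-17 23:52 - 0007605 _____ () C:\Users\Bojan\AppData\Local\Resmon.ResmonCfg
2014-09-16 14:23 - 2014-09-16 14:23 - 0008176 _____ () C:\ProgramData\DECRYPT_INSTRUCTION.HTML
"""

SECTION_RE = re.compile(r"^=+\s+([^=].*?)\s+=+$")            # "==== Name ===="
SERVICE_RE = re.compile(r"^([RS]\d)\s+([^;]+);\s+(.*)$")      # "R2 name; path [size date] (vendor)"
SCOPE_RE = re.compile(r"^SearchScopes: .*? -> (?:DefaultScope )?(\{[^}]+\}) URL =\s*(\S*)$")
ROOTFILE_RE = re.compile(r"^(?:\d{4}-\d{2}-\d{2} \d{2}:\d{2} - ){2}\d+ \S+ \([^)]*\) (.+)$")

EXECUTABLE_EXTS = {".exe", ".dll", ".sys"}
# Assumption: a few svchost-hosted Windows services whose image belongs under \Windows\.
SVCHOST_BUILTINS = {"winmgmt", "wuauserv", "bits"}
# Assumption: search providers that are expected on this machine.
KNOWN_SEARCH_HOSTS = {"www.google.com", "www.bing.com"}
# Heuristic: ransom notes are dropped in directory roots under names like these.
RANSOM_NOTE_RE = re.compile(r"(?i)(decrypt|how_to_|restore_files|_ransom)")


@dataclass
class Finding:
    section: str      # FRST section the line came from
    item: str         # "<state> <service>", search-scope CLSID, or file path
    reasons: List[str] = field(default_factory=list)


def _service_finding(section, line):
    m = SERVICE_RE.match(line)
    if not m:
        return None
    state, name, rest = m.groups()
    path = rest.split(" [", 1)[0].strip()
    if path.startswith("\\??\\"):          # NT object-manager prefix seen on driver paths
        path = path[4:]
    low = path.lower()
    reasons = []
    if "[X]" in rest:
        reasons.append("FRST could not find the image file on disk ([X])")
    if "[File not signed]" in rest:
        reasons.append("image file is not digitally signed")
    ext = ntpath.splitext(low)[1]
    if ext not in EXECUTABLE_EXTS:
        reasons.append(f"image has non-executable extension '{ext or 'none'}'")
    if "\\temp\\" in low:
        reasons.append("image loaded from a Temp directory")
    if name.lower() in SVCHOST_BUILTINS and "\\windows\\" not in low:
        reasons.append("built-in Windows service redirected outside the Windows directory")
    return Finding(section, f"{state} {name}", reasons) if reasons else None


def _scope_finding(section, line):
    m = SCOPE_RE.match(line)
    if not m or not m.group(2):            # empty URL: default scope with no provider set
        return None
    host = urlparse(m.group(2)).hostname or ""
    if host in KNOWN_SEARCH_HOSTS:
        return None
    return Finding(section, m.group(1), [f"search scope sends queries to {host}"])


def _rootfile_finding(section, line):
    m = ROOTFILE_RE.match(line)
    if m and RANSOM_NOTE_RE.search(ntpath.basename(m.group(1))):
        return Finding(section, m.group(1), ["file name matches a ransom-note naming pattern"])
    return None


def triage(log_text):
    """Walk an FRST log section by section and return the lines worth a closer look."""
    findings, section, hit = [], "", None
    for raw in log_text.splitlines():
        line = raw.strip()
        head = SECTION_RE.match(line) if line else None
        if head:
            section = head.group(1)
            continue
        if section.startswith(("Services", "Drivers")):
            hit = _service_finding(section, line)
        elif section.startswith("Internet"):
            hit = _scope_finding(section, line)
        elif section.startswith("Files in the root"):
            hit = _rootfile_finding(section, line)
        if hit:
            findings.append(hit)
            hit = None
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.section}] {f.item}: " + "; ".join(f.reasons))
```

Run against the sample, it reports the conduit search scope, the unsigned sesvc binary, the Winmgmt service with a missing `.cpp` image outside the Windows directory, the ALSysIO driver loading from Temp, and the DECRYPT_INSTRUCTION file, while WinDefend and Resmon.ResmonCfg pass silently. The checks deliberately stay narrow and explainable so that each finding can be matched back to the log line a human would have flagged; they are a reading aid, not a replacement for the tool-driven steps the helper prescribes in the replies.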





#2 Jo*

  • Malware Response Team
  • 3,304 posts
  • Gender:Male
  • Location:Germany

Posted 10 February 2015 - 06:49 AM


Hello santare,

my name is Jo and I will help you with your computer problems.


Please follow these guidelines:
  • Logs can take a while to research, so please be patient.
  • Read and follow the instructions in the sequence they are posted.
  • Print or copy & save instructions.
  • Back up all your private data / important files on another (external) drive before using our tools.
  • Do not install / uninstall any applications, unless otherwise instructed.
  • Use only the tools you have been instructed to use.
  • Copy and Paste the log files inside your post, unless otherwise instructed.
  • Ask for clarification, if you have any questions.
  • Stay with this topic till you get the all clean post.
  • My first language is not English. So please do not use slang or idioms. It could be hard for me to read. Thanks for your understanding.

***


Download Security Check by screen317 from here or here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
    Vista / Windows 7/8 users right-click and select Run As Administrator.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

***


Please download Malwarebytes Anti-Rootkit and save it to your desktop.
  • Be sure to print out and follow the instructions provided on that same page.
  • Caution: This is a beta version so please be sure to read the disclaimer and back up all your data before using.
  • Scan your system for malware
With some infections, you may see two messages boxes.
  • 'Could not load protection driver'. Click 'OK'.
  • 'Could not load DDA driver'. Click 'Yes' to this message, to allow the driver to load after a restart. Allow the computer to restart. Continue with the rest of these instructions.
  • If malware is found - do not press the Clean up button, please go to the MBAR folder and then copy/paste the contents of the MBAR-log-***.txt file to your next reply.
  • If there is no malware found, please let me know as well.

***


Please download AdwCleaner by Xplode and save to your Desktop.
Double-click AdwCleaner.exe
Vista / Windows 7/8 users right-click and select Run As Administrator.
  • Click on the Scan button.
  • AdwCleaner will begin...be patient as the scan may take some time to complete.
    When the scan has finished, the actual line should say "Pending. Please uncheck elements you do not want to remove" => scan is complete.
  • After the scan has finished, click on the Report button...a logfile (AdwCleaner[R0].txt) will open in Notepad for review.
  • The contents of the log file may be confusing. Unless you see a program name that you know should not be removed, don't worry about it.
    If you see an entry you want to keep, let me know about it.
  • Copy and paste the contents of that logfile in your next reply.
  • A copy of all logfiles are saved in the C:\AdwCleaner folder which was created when running the tool.

***


Graduate of the WTT Classroom
Cheers,
Jo
If I have been helping you, and I have not replied to your latest post in 36 hours please send me a PM.


#3 santare

  • Topic Starter
  • Members
  • 225 posts

Posted 10 February 2015 - 11:35 AM

Can mbar be replaced with RogueKill or TDSSKiller? What are the chances of my entire hard drive being wiped if I don't back up the files during the use of mbar? I guess my FRST looks clean, although some of the processes look weird to me. What do you mean by "the contents of the log may be confusing"? MBAM recognized two Hijack.WMI in registry data and it said it replaced it. I cannot export the log because the window is too large.

Edited by santare, 10 February 2015 - 11:35 AM.


#4 Jo*

  • Malware Response Team
  • 3,304 posts
  • Gender:Male
  • Location:Germany

Posted 10 February 2015 - 12:02 PM


Backing up your data is needed anyway if you want to get help here at BC.
http://www.bleepingcomputer.com/forums/t/34773/preparation-guide-for-use-before-using-malware-removal-tools-and-requesting-help/

I've used MBAR on more than 100 PCs without any data damage.

What would you do if your hard disk crashes one day?

At this point I need MBAR, not RogueKill or TDSSKiller.



#5 santare

  • Topic Starter
  • Members
  • 225 posts

Posted 10 February 2015 - 02:57 PM

 Results of screen317's Security Check version 0.99.96 
 Windows 7  x86 (UAC is enabled) 
 Out of date service pack!!
 Internet Explorer 11 
``````````````Antivirus/Firewall Check:``````````````
 Windows Firewall Enabled! 
 Windows Firewall Disabled! 
 WMI entry may not exist for antivirus; attempting automatic update.
`````````Anti-malware/Other Utilities Check:`````````
 Java 7 Update 25 
 Java version 32-bit out of Date!
  Java 64-bit 8 Update 31 
 Adobe Flash Player  16.0.0.305 
 Mozilla Firefox (35.0.1)
 Google Chrome (40.0.2214.111)
 Google Chrome (40.0.2214.94)
````````Process Check: objlist.exe by Laurent```````` 
 Malwarebytes Anti-Malware mbam.exe 
`````````````````System Health check`````````````````
 Total Fragmentation on Drive C: 0%
````````````````````End of Log``````````````````````
 

 

Do you think that only mbar will solve my problem? Or do you plan to use Rogue and TDSS as a last resort?



#6 Jo*

  • Malware Response Team
  • 3,304 posts
  • Gender:Male
  • Location:Germany

Posted 10 February 2015 - 06:25 PM

mbar is my starter tool, others will follow.

Please let me know if you want to follow my instructions now or if you prefer to start another Topic (with another helper then).



#7 santare

  • Topic Starter
  • Members
  • 225 posts

Posted 11 February 2015 - 03:27 AM

I've never intended to cause disrespect here. I was only curious as to the usage of programs. Maybe I shouldn't have asked what I asked. Just because I asked if these two programs can be replaced, that does not mean that I don't want your help.



#8 Jo*

  • Malware Response Team
  • 3,304 posts
  • Gender:Male
  • Location:Germany

Posted 14 February 2015 - 04:31 AM

Still waiting for mbar and AdwCleaner logs.

Please post within 36 hours, otherwise this Topic will be closed.




#9 Jo*

  • Malware Response Team
  • 3,304 posts
  • Gender:Male
  • Location:Germany

Posted 17 February 2015 - 03:56 AM

Due to the lack of feedback, this topic is now closed.

In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days.

Please include a link to your topic in the Private Message. Thank you.
