Probably Malware and Bogus Repair Plan


  • This topic is locked
23 replies to this topic

#1 justignorehim

  • Members
  • 12 posts
  • Location:Napa, CA

Posted 26 July 2015 - 06:08 PM

I am new to this website and did a brief review of this problem; I apologize if it has already been reviewed.

 

Three days ago, my Chrome browser was blocked and displayed a popup from “traffikkim.xyz.” The malware consistently let Chrome work for about two minutes before stopping all activity and response. I could shut my browser down with Task Manager. A message advised me to call 877-540-3213. This number has no public listing according to my CIA Phone Tracker app.

 

I could not run McAfee because I was a very naughty boy; I did not have a current program and had not uploaded my current subscription version. (Believe me, that won’t happen again….) When I called McAfee, their very capable technician was unable to load it to my computer. Something kept telling us to shut down and reboot. After working an hour, I was referred to someone else. By downloading McAfee and using an adware software program, my computer is working fine.

 

I called the above phone number out of curiosity. Someone answered and quickly guided me through some referral screens, and gave me suspicious advice: I should not use McAfee anti-virus, Microsoft virus software was sufficient; my original version of Windows 8 was no longer under warranty and was defective, and Toshiba’s OEM program was unregistered. Finally, I was shown a bogus screen from pinpoint.microsoft.com; the screen represented a duplicate of the real Microsoft Pinpoint website but was slightly different.

 

The agent then offered to fix my computer for a $189 fee “plan” for one year, or $289 for two years, and asked which plan I would use. By this time I was convinced the website was bogus and terminated the call.

 

I would like to know if this is in fact a responsible company, if my computer was jeopardized, and what other users have experienced. I thank the forum community in advance and sincerely appreciate all serious replies.




#2 nasdaq

  • Malware Response Team
  • 38,228 posts
  • Location:Montreal, QC. Canada

Posted 28 July 2015 - 07:51 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

You should not trust them.
These are malicious people. If you are using this computer for Banking or other personal matters you should change your passwords.

===

Let us look at it.

Download Malwarebytes' Anti-Malware from Here

Double-click mbam-setup-2.X.X.XXXX.exe to install the application (X's are the current version number).
  • Make sure a checkmark is placed next to Launch Malwarebytes' Anti-Malware, then click Finish.
  • Once MBAM opens, when it says Your databases are out of date, click the Fix Now button.
  • Click the Settings tab at the top, and then in the left column, select Detections and Protections, and if not already checked place a checkmark in the selection box for Scan for rootkits.
  • Click the Scan tab at the top of the program window, select Threat Scan and click the Scan Now button.
  • If you receive a message that updates are available, click the Update Now button (the update will be downloaded, installed, and the scan will start).
  • The scan may take some time to finish, so please be patient.
  • If potential threats are detected, ensure that Quarantine is selected as the Action for all the listed items, and click the Apply Actions button.
  • While still on the Scan tab, click the link for View detailed log, and in the window that opens click the Export button, select Text file (*.txt), and save the log to your Desktop.
  • The log is automatically saved by MBAM and can also be viewed by clicking the History tab and then selecting Application Logs.
POST THE LOG FOR MY REVIEW.

Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately.

===

Please download AdwCleaner by Xplode onto your Desktop.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click the Scan button and wait for the process to complete.
  • Click the Report button and the report will open in Notepad.
IMPORTANT
  • If you click the Clean button all items listed in the report will be removed.
If you find some false positive items or programs that you wish to keep, Close the AdwCleaner windows.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click the Scan button and wait for the process to complete.
  • Check off the element(s) you wish to keep.
  • Click on the Clean button follow the prompts.
  • A log file will automatically open after the scan has finished.
  • Please post the content of that log file with your next answer.
  • You can find the log file at C:\AdwCleaner[Sn].txt (n is a number).
===

Download the version of this tool for your operating system.
Farbar Recovery Scan Tool (64 bit)
Farbar Recovery Scan Tool (32 bit)
and save it to a folder on your computer's Desktop.
Double-click to run it. When the tool opens click Yes to disclaimer.
Press Scan button.
It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply.
===


How is the computer running now?
Wait for further instructions.
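The Farbar logs nasdaq asks for are plain text, and on a machine that has been through a "remote repair" session the sections worth reading first are the local accounts, the Safe Mode service entries and the firewall rules, because remote-support tools leave traces in all three. The script below is an added example for this thread, not part of FRST and not code from any post here: it splits an Addition.txt-style log into its sections and flags enabled accounts the owner does not recognise, firewall rules for remote-access tools or for executables run from a temp directory, and Safe Mode entries registered for remote-access tools. The log text embedded in it is constructed for the example in FRST's layout (account names, SIDs and rule GUIDs are invented), and the keyword list is an assumption. A hit means "confirm this was expected", not "this is malware": the same tools are used by legitimate vendor support.

```python
"""Triage a Farbar (FRST) Addition.txt log for traces of a remote "repair" session.

Added example for this thread; it is not part of FRST or of any post above.
Names, SIDs and the keyword list below are assumptions made for the example.
"""
import re

SECTION_RE = re.compile(r"^=+\s*(.+?)\s*=+$")
ACCOUNT_RE = re.compile(
    r"^(?P<name>\S+) \((?P<sid>S-1-5-[\d-]+) - (?P<kind>Administrator|Limited)"
    r" - (?P<state>Enabled|Disabled)\)"
)
FIREWALL_RE = re.compile(
    r"^FirewallRules: \[(?P<rule>.+?)\] => \((?P<action>Allow|Block)\) (?P<path>.+)$"
)
SAFEBOOT_RE = re.compile(r"SafeBoot\\(?:Minimal|Network)\\(?P<entry>[^ ]+) =>")

# Substrings identifying common remote-support / remote-control tooling (assumed list).
# Every one of these can be legitimate, so a hit means "confirm this was expected".
REMOTE_ACCESS_HINTS = (
    "gotoassist", "logmein", "lmi_rescue", "showmypc", "smpcph",
    "tvnserver", "tightvnc", "teamviewer", "ammyy", "anydesk",
)
TEMP_DIR_HINTS = ("\\temp\\", "\\tmp\\")

# Constructed sample in FRST's Addition.txt layout (invented names, SIDs and GUIDs).
SAMPLE_ADDITION = r"""
==================== Accounts: =============================

Administrator (S-1-5-21-1111111111-222222222-3333333333-500 - Administrator - Disabled)
Owner (S-1-5-21-1111111111-222222222-3333333333-1001 - Administrator - Enabled) => C:\Users\Owner
SUPPORTUSER01 (S-1-5-21-1111111111-222222222-3333333333-1004 - Limited - Enabled)

==================== Safe Mode (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry.)

HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\GoToAssist => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\mfefire => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\tvnserver => ""=""

==================== FirewallRules (Whitelisted) ===============

FirewallRules: [{AAAA}] => (Allow) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
FirewallRules: [TCP Query User{BBBB}C:\users\owner\appdata\local\logmein rescue applet\lmir0001.tmp\lmi_rescue.exe] => (Block) C:\users\owner\appdata\local\logmein rescue applet\lmir0001.tmp\lmi_rescue.exe
FirewallRules: [{CCCC}] => (Allow) C:\users\owner\appdata\local\temp\showmypc\smpc3160\smpcph.exe
FirewallRules: [{DDDD}] => (Allow) C:\users\owner\appdata\local\temp\unknown\updater.exe
"""


def split_sections(text):
    """Map each '==== Name: ====' header to the non-empty data lines under it."""
    sections, current = {}, None
    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            name = m.group(1).strip("= ")
            if not name:
                continue  # a bare ruler line of '=' characters, not a header
            current = re.sub(r"\s*\(Whitelisted\)", "", name.rstrip(":"))
            sections[current] = []
        elif current and line.strip() and not line.startswith("("):
            # lines starting with "(" are FRST's own commentary, not data
            sections[current].append(line.rstrip())
    return sections


def parse_accounts(sections):
    """Return one dict per account line: name, sid, kind, state."""
    return [m.groupdict() for m in map(ACCOUNT_RE.match, sections.get("Accounts", [])) if m]


def unexpected_accounts(sections, expected):
    """Enabled accounts whose name is not in the owner's expected set."""
    return [a["name"] for a in parse_accounts(sections)
            if a["state"] == "Enabled" and a["name"] not in expected]


def suspicious_firewall_rules(sections):
    """(action, path, reason) for rules pointing at remote-access tools or temp-dir executables."""
    hits = []
    for line in sections.get("FirewallRules", []):
        m = FIREWALL_RE.match(line)
        if not m:
            continue
        path = m.group("path").lower()
        if any(h in path for h in REMOTE_ACCESS_HINTS):
            hits.append((m.group("action"), m.group("path"), "remote-access tool"))
        elif any(h in path for h in TEMP_DIR_HINTS):
            hits.append((m.group("action"), m.group("path"), "executable in temp directory"))
    return hits


def remote_access_safeboot_entries(sections):
    """Safe Mode service/driver names that match a remote-access tool keyword."""
    hits = []
    for line in sections.get("Safe Mode", []):
        m = SAFEBOOT_RE.search(line)
        if m and any(h in m.group("entry").lower() for h in REMOTE_ACCESS_HINTS):
            hits.append(m.group("entry"))
    return hits


def triage(text, expected_accounts):
    """Run all three checks over one Addition.txt and return the findings."""
    s = split_sections(text)
    return {
        "unexpected_accounts": unexpected_accounts(s, expected_accounts),
        "firewall_rules": suspicious_firewall_rules(s),
        "safeboot_entries": remote_access_safeboot_entries(s),
    }


if __name__ == "__main__":
    # Replace SAMPLE_ADDITION with open("Addition.txt", encoding="utf-8").read() on a real log.
    for key, value in triage(SAMPLE_ADDITION, {"Administrator", "Owner"}).items():
        print(key)
        for item in value:
            print("   ", item)
```

On the constructed sample this reports one enabled account the owner did not list, the LogMeIn Rescue and ShowMyPC rules plus an unknown executable in a temp directory, and the GoToAssist and tvnserver Safe Mode entries. The firewall rule's Allow/Block state is reported but not used to filter, because a Block rule still proves the program was started on the machine at some point.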

#3 justignorehim

  • Topic Starter

Posted 28 July 2015 - 10:47 AM

Thanks for your kind reply. As mentioned, the computer is working well, the stupid popup is gone and Chrome works fine.

 

I watched the McAfee technician run AdwCleaner; I have run it again three times with no bad files showing up.

 

Question: McAfee once deleted Malwarebits from my computer a while ago. I assumed it competes somehow with McAfee (which I assume is a stronger program). So, should I reinstall Malwarebits and run it along with McAfee? I have not done so. My prior experience with Malwarebits was very positive.

 

Have not done Farbar. I suppose this is important....



#4 nasdaq

  • Malware Response Team

Posted 28 July 2015 - 12:51 PM


I'm not familiar with Malwarebits, but if you are referring to Malwarebytes, then the latter is a good program.

You should download it from the Original site at http://www.malwarebytes.org/mbam-download.php

===

Have not done Farbar. I suppose this is important..


It will only show what is running. Nothing will be deleted.
I will review it and give you a fix if some malware or dead programs are found.

Your call.

#5 justignorehim

  • Topic Starter

Posted 28 July 2015 - 10:05 PM

Yes, Malwarebytes; sorry, running to get to work, apologies.
 
Question is: Are Malwarebytes and McAfee compatible? Any reason why they cannot both run? Don't know why the McAfee tech deleted Malwarebytes.
 
I will download Farbar tomorrow and run. Thanks ahead for your kind help and interest...
 
Wondering if this specific invasion is common? I would upload a screenshot of the popup but cannot find a way to paste my jpg into this forum.



#6 nasdaq

  • Malware Response Team

Posted 29 July 2015 - 07:56 AM

Are Malwarebytes and McAfee compatible?

Yes! I see it running on many computers.
===

Wondering if this specific invasion is common?
Post the Farbar logs and will take it from there.

#7 justignorehim

  • Topic Starter

Posted 29 July 2015 - 05:58 PM

Hey, thanks so very much for looking at this.

 

Malwarebytes did not find any malware.

 

Here's the Farbar log text:

 

Additional scan result of Farbar Recovery Scan Tool (x64) Version:28-07-2015
Ran by Allan_2 (2015-07-29 15:51:32)
Running from C:\Users\Allan_2\Desktop\Allan-Files
Boot Mode: Normal
==========================================================
 
 
==================== Accounts: =============================
 
Administrator (S-1-5-21-1502513018-239154773-2306305733-500 - Administrator - Disabled)
Allan (S-1-5-21-1502513018-239154773-2306305733-1001 - Administrator - Enabled) => C:\Users\Allan
Allan_2 (S-1-5-21-1502513018-239154773-2306305733-1002 - Limited - Enabled) => C:\Users\Allan_2
Guest (S-1-5-21-1502513018-239154773-2306305733-501 - Limited - Disabled)
SACNETDRIVEUSER01 (S-1-5-21-1502513018-239154773-2306305733-1004 - Limited - Enabled)
 
==================== Security Center ========================
 
(If an entry is included in the fixlist, it will be removed.)
 
AV: Windows Defender (Disabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
AV: McAfee Anti-Virus and Anti-Spyware (Enabled - Up to date) {DA9F8ED0-D0DE-39CC-F55A-51AB4CC1B556}
AS: Windows Defender (Disabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
AS: McAfee Anti-Virus and Anti-Spyware (Enabled - Up to date) {61FE6F34-F6E4-3642-CFEA-6AD93746FFEB}
FW: McAfee Firewall (Enabled) {E2A40FF5-9AB1-3894-DE05-F89EB212F22D}
 
==================== Installed Programs ======================
 
(Only the adware programs with "hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)
 
ABBYY FineReader 9.0 Sprint (HKLM-x32\...\ABBYY FineReader 9.0 Sprint) (Version: 9.00.15.58233 - ABBYY)
ABBYY FineReader 9.0 Sprint (x32 Version: 9.00.15.58233 - ABBYY) Hidden
Accord CD Ripper Free 6.9.1.a (HKLM-x32\...\8BF2152B-6835-4FF3-A2EC-5BDAB46DCDFF_is1) (Version:  - Accmeware Corporation)
Adobe Photoshop Elements 11 (HKLM-x32\...\Adobe Photoshop Elements 11) (Version: 11.0 - Adobe Systems Incorporated)
Adobe Reader XI (11.0.03)  MUI (HKLM-x32\...\{AC76BA86-7AD7-FFFF-7B44-AB0000000001}) (Version: 11.0.03 - Adobe Systems Incorporated)
Adobe Reader XI (11.0.10) (HKLM-x32\...\{AC76BA86-7AD7-1033-7B44-AB0000000001}) (Version: 11.0.10 - Adobe Systems Incorporated)
Alcor Micro USB Card Reader (HKLM-x32\...\AmUStor) (Version: 4.8.1245.73583 - Alcor Micro Corp.)
Alcor Micro USB Card Reader (x32 Version: 4.8.1245.73583 - Alcor Micro Corp.) Hidden
Atheros Driver Installation Program (HKLM-x32\...\{C3A32068-8AB1-4327-BB16-BED9C6219DC7}) (Version: 10.0 - Atheros)
Belarc Advisor 8.4 (HKLM-x32\...\Belarc Advisor) (Version: 8.4.0.0 - Belarc Inc.)
CD Ripper Freeware (HKLM-x32\...\{6224EC98-7FD6-42E1-8303-4F2EBAD7CC2D}_is1) (Version: 1.0 - WordAddin Studio)
Citrix Online Launcher (HKLM-x32\...\{DB014C85-A264-4BCA-A66F-6DD1FCF8EC36}) (Version: 1.0.335 - Citrix)
CyberLink PowerDVD 12 (HKLM-x32\...\InstallShield_{B46BEA36-0B71-4A4E-AE41-87241643FA0A}) (Version: 12.0.3424.05 - CyberLink Corp.)
Dashlane (HKU\S-1-5-21-1502513018-239154773-2306305733-1002\...\Dashlane) (Version: 3.5.0.89717 - Dashlane SAS)
Dropbox (HKU\S-1-5-21-1502513018-239154773-2306305733-1002\...\Dropbox) (Version: 3.6.9 - Dropbox, Inc.)
DTS Studio Sound (HKLM-x32\...\{2DFA9084-CEB3-4A48-B9F7-9038FEF1B8F4}) (Version: 1.01.2700 - DTS, Inc.)
Easy Photo Scan (HKLM-x32\...\{F2132D5C-4C3F-41A9-865B-68966A06B01C}) (Version: 1.00.0000 - Seiko Epson Corporation)
Elements 11 Organizer (x32 Version: 11.0 - Adobe Systems Incorporated) Hidden
Epson Copy Utility 3.5 (HKLM-x32\...\{AA72FB28-73B4-49E5-B6B4-E78F44BBD0AD}) (Version: 3.5.0.0 - )
Epson Event Manager (HKLM-x32\...\{10144CFE-D76C-4CFA-81A1-37A1642349A3}) (Version: 3.01.0013 - Seiko Epson Corporation)
EPSON Scan (HKLM-x32\...\EPSON Scanner) (Version:  - Seiko Epson Corporation)
Google Chrome (HKLM-x32\...\Google Chrome) (Version: 44.0.2403.125 - Google Inc.)
Google Drive (HKLM-x32\...\{6EA8B94E-D869-4D96-88DF-5E1ECE1D6876}) (Version: 1.23.9648.8824 - Google, Inc.)
Google Earth (HKLM-x32\...\{817750FA-EC6A-485D-9901-0683AE6FFDF1}) (Version: 7.1.5.1557 - Google)
Google Update Helper (x32 Version: 1.3.25.11 - Google Inc.) Hidden
Google Update Helper (x32 Version: 1.3.28.1 - Google Inc.) Hidden
GoToAssist Corporate (HKLM-x32\...\GoToAssist) (Version: 11.3.0.1121 - Citrix Online, a division of Citrix Systems, Inc.)
IDT Audio Driver (HKLM\...\{588A747E-CFF6-46B3-9207-CD754F9473AF}) (Version: 6.10.6491.0 - IDT)
Intel® Management Engine Components (HKLM-x32\...\{65153EA5-8B6E-43B6-857B-C6E4FC25798A}) (Version: 9.5.14.1724 - Intel Corporation)
Intel® Processor Graphics (HKLM-x32\...\{F0E3AD40-2BBD-4360-9C76-B9AC9A5886EA}) (Version: 10.18.10.3308 - Intel Corporation)
Intel® Rapid Storage Technology (HKLM\...\{409CB30E-E457-4008-9B1A-ED1B9EA21140}) (Version: 12.8.0.1016 - Intel Corporation)
Malwarebytes Anti-Malware version 2.1.8.1057 (HKLM-x32\...\Malwarebytes Anti-Malware_is1) (Version: 2.1.8.1057 - Malwarebytes Corporation)
McAfee Total Protection (HKLM-x32\...\MSC) (Version: 14.0.1076 - McAfee, Inc.)
McAfee WebAdvisor (HKLM-x32\...\{35ED3F83-4BDC-4c44-8EC6-6A8301C7413A}) (Version: 4.0.115 - McAfee, Inc.)
Microsoft Flight Simulator X (HKLM-x32\...\InstallShield_{9527A496-5DF9-412A-ADC7-168BA5379CA6}) (Version: 10.0.60905 - Microsoft Game Studios)
Microsoft Mouse and Keyboard Center (HKLM\...\Microsoft Mouse and Keyboard Center) (Version: 2.3.188.0 - Microsoft Corporation)
Microsoft Office Home and Student 2013 - en-us (HKLM\...\HomeStudentRetail - en-us) (Version: 15.0.4737.1003 - Microsoft Corporation)
Microsoft OneDrive (HKU\S-1-5-21-1502513018-239154773-2306305733-1002\...\OneDriveSetup.exe) (Version: 17.3.5907.0716 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (HKLM-x32\...\{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}) (Version: 8.0.61001 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.17 (HKLM\...\{8220EEFE-38CD-377E-8595-13398D740ACE}) (Version: 9.0.30729 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.6161 (HKLM\...\{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4}) (Version: 9.0.30729.6161 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17 (HKLM-x32\...\{9A25302D-30C0-39D9-BD6F-21E6EC160475}) (Version: 9.0.30729 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148 (HKLM-x32\...\{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}) (Version: 9.0.30729.4148 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (HKLM-x32\...\{9BE518E6-ECC6-35A9-88E4-87755C07200F}) (Version: 9.0.30729.6161 - Microsoft Corporation)
Microsoft Visual C++ 2010  x64 Redistributable - 10.0.40219 (HKLM\...\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}) (Version: 10.0.40219 - Microsoft Corporation)
Microsoft Visual C++ 2010  x86 Redistributable - 10.0.40219 (HKLM-x32\...\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}) (Version: 10.0.40219 - Microsoft Corporation)
Microsoft Visual C++ 2013 Preview Redistributable (x64) - 12.0.20617 (HKLM-x32\...\{448652c1-f5f3-4230-98c6-68c10c88b1fb}) (Version: 12.0.20617.1 - Microsoft Corporation)
Microsoft Visual C++ 2013 Preview Redistributable (x86) - 12.0.20617 (HKLM-x32\...\{1f407217-9aec-4146-8504-e64ac959c534}) (Version: 12.0.20617.1 - Microsoft Corporation)
Microsoft Visual Studio 2010 Tools for Office Runtime (x64) (HKLM\...\Microsoft Visual Studio 2010 Tools for Office Runtime (x64)) (Version: 10.0.50903 - Microsoft Corporation)
Microsoft XNA Framework Redistributable 4.0 (HKLM-x32\...\{2BFC7AA0-544C-4E3A-8796-67F3BE655BE9}) (Version: 4.0.20823.0 - Microsoft Corporation)
MSXML 4.0 SP2 Parser and SDK (HKLM-x32\...\{716E0306-8318-4364-8B8F-0CC4E9376BAC}) (Version: 4.20.9818.0 - Microsoft Corporation)
Office 15 Click-to-Run Extensibility Component (x32 Version: 15.0.4737.1003 - Microsoft Corporation) Hidden
Office 15 Click-to-Run Licensing Component (Version: 15.0.4737.1003 - Microsoft Corporation) Hidden
Office 15 Click-to-Run Localization Component (x32 Version: 15.0.4737.1003 - Microsoft Corporation) Hidden
Perfection V550 Photo Scanner Driver Update version 3.0.2.0 (HKLM-x32\...\ScannerDriverUpdatePerfection V550 Photo_is1) (Version: 3.0.2.0 - Epson America Inc.)
Perfection V550 User’s Guide version 1.0 (HKLM-x32\...\UsersGuidePerfection V550 User’s Guide_is1) (Version: 1.0 - )
PlayMemories Home (HKLM-x32\...\{1E5C7043-09C5-4974-A69F-A5271FD82BBC}) (Version: 7.0.00.11271 - Sony Corporation)
PlayReady PC Runtime amd64 (HKLM\...\{BCA9334F-B6C9-4F65-9A73-AC5A329A4D04}) (Version: 1.3.0 - Microsoft Corporation)
PSE11 STI Installer (x32 Version: 11.0 - Adobe Systems Incorporated) Hidden
Qualcomm Atheros Bluetooth Suite (64) (HKLM\...\{A84A4FB1-D703-48DB-89E0-68B6499D2801}) (Version: 8.0.1.300 - Qualcomm Atheros)
Qualcomm Atheros Inc.® AR81Family Gigabit/Fast Ethernet Driver (HKLM-x32\...\{3108C217-BE83-42E4-AE9E-A56A2A92E549}) (Version: 2.1.0.21 - Qualcomm Atheros Inc.)
ReadCube (HKU\S-1-5-21-1502513018-239154773-2306305733-1002\...\ReadCube) (Version:  - Labtiva, Inc.)
SolveigMM AVI Trimmer (HKLM-x32\...\SolveigMM AVI Trimmer 2.1.1307.29) (Version: 2.1.1307.29 - Solveig Multimedia)
Synaptics Pointing Device Driver (HKLM\...\SynTPDeinstKey) (Version: 17.0.10.51 - Synaptics Incorporated)
TOSHIBA Application Installer (HKLM\...\{21A63CA3-75C0-4E56-B602-B7CD2EF6B621}) (Version: 9.0.2.4 - Toshiba Corporation)
TOSHIBA Audio Enhancement (HKLM\...\{1515F5E3-29EA-4CD1-A981-032D88880F09}) (Version: 2.0.17.0 - Toshiba Corporation)
TOSHIBA Display Utility (HKLM\...\{11955FE2-CAC6-4C3B-AA68-F787D7405400}) (Version: 1.1.9.0 - Toshiba Corporation)
TOSHIBA eco Utility (HKLM\...\{5944B9D4-3C2A-48DE-931E-26B31714A2F7}) (Version: 2.2.0.6404 - Toshiba Corporation)
TOSHIBA Function Key (HKLM\...\{16562A90-71BC-41A0-B890-D91B0C267120}) (Version: 1.1.0001.6403 - Toshiba Corporation)
TOSHIBA Password Utility (HKLM-x32\...\InstallShield_{78931270-BC9E-441A-A52B-73ECD4ACFAB5}) (Version: 3.00.344 - Toshiba Corporation)
TOSHIBA Quality Application (HKLM-x32\...\{E69992ED-A7F6-406C-9280-1C156417BC49}) (Version: 1.0.9.3 - TOSHIBA)
TOSHIBA Recovery Media Creator (HKLM-x32\...\{B65BBB06-1F8E-48F5-8A54-B024A9E15FDF}) (Version: 3.1.02.55065006 - Toshiba Corporation)
TOSHIBA Service Station (HKLM\...\{FBFCEEA5-96EA-4C8E-9262-43CBBEBAE413}) (Version: 2.6.8 - Toshiba Corporation)
TOSHIBA System Driver (HKLM-x32\...\{1E6A96A1-2BAB-43EF-8087-30437593C66C}) (Version: 1.00.0030 - Toshiba Corporation)
TOSHIBA System Settings (HKLM-x32\...\{05A55927-DB9B-4E26-BA44-828EBFF829F0}) (Version: 1.1.2.32001 - Toshiba Corporation)
TOSHIBA User's Guide (HKLM-x32\...\{3384E1D9-3F18-4A98-8655-180FEF0DFC02}) (Version: 1.00.02 - TOSHIBA)
TOSHIBARegistration (HKLM-x32\...\{5AF550B4-BB67-4E7E-82F1-2C4300279050}) (Version: 1.1.6 - TOSHIBA)
Weeny Free PDF Merger 1.4 (HKLM-x32\...\Weeny Free PDF Merger_is1) (Version:  - Weeny Software)
 
==================== Custom CLSID (Whitelisted): ==========================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
 
==================== Restore Points =========================
 
ATTENTION: System Restore is disabled
Check "winmgmt" service or repair WMI.
 
 
==================== Hosts content: ===============================
 
(If needed Hosts: directive could be included in the fixlist to reset Hosts.)
 
2013-08-22 06:25 - 2013-08-22 06:25 - 00000824 ____A C:\Windows\system32\Drivers\etc\hosts
 
==================== Scheduled Tasks (Whitelisted) =============
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
 
(If an entry is included in the fixlist, the task (.job) file will be moved. The file which is running by the task will not be moved.)
 
Task: C:\Windows\Tasks\DropboxUpdateTaskUserS-1-5-21-1502513018-239154773-2306305733-1002Core.job => C:\Users\Allan_2\AppData\Local\Dropbox\Update\DropboxUpdate.exe
Task: C:\Windows\Tasks\DropboxUpdateTaskUserS-1-5-21-1502513018-239154773-2306305733-1002UA.job => C:\Users\Allan_2\AppData\Local\Dropbox\Update\DropboxUpdate.exe
Task: C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job => 
Task: C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job => 
 
==================== Loaded Modules (Whitelisted) ==============
 
2015-02-22 09:02 - 2015-01-27 08:29 - 08898720 _____ () C:\Program Files\Microsoft Office 15\root\VFS\ProgramFilesX64\Microsoft Office\Office15\1033\GrooveIntlResource.dll
2012-07-18 19:38 - 2012-07-18 19:38 - 00020904 _____ () C:\Program Files\TOSHIBA\Hotkey\SmoothView.dll
2014-05-12 12:05 - 2015-07-22 06:18 - 00227512 _____ () C:\Users\Allan_2\AppData\Roaming\Dashlane\Dashlane.exe
2014-05-12 12:05 - 2015-07-22 06:18 - 00285880 _____ () C:\Users\Allan_2\AppData\Roaming\Dashlane\DashlanePlugin.exe
 
==================== Alternate Data Streams (Whitelisted) =========
 
(If an entry is included in the fixlist, only the ADS will be removed.)
 
AlternateDataStreams: C:\Users\Allan\SkyDrive:ms-properties
AlternateDataStreams: C:\Users\Allan_2\SkyDrive:ms-properties
 
==================== Safe Mode (Whitelisted) ===================
 
(If an entry is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.)
 
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS => ""=""
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcpltsvc => ""=""
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\GoToAssist => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\McMPFSvc => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\MCODS => ""=""
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\mcpltsvc => ""=""
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\mfeaack => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\mfeaack.sys => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\mfeavfk => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\mfeavfk.sys => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\mfefire => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\mfefirek => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\mfefirek.sys => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\mfehidk => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\mfehidk.sys => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\mfemms => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\mfetdi2k => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\mfetdi2k.sys => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\mfevtp => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\SMPCHelper => ""=""
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\tvnserver => ""=""
 
==================== EXE Association (Whitelisted) ===============
 
(If an entry is included in the fixlist, the registry item will be restored to default or removed.)
 
 
==================== Internet Explorer trusted/restricted ===============
 
(If an entry is included in the fixlist, it will be removed from the registry.)
 
 
==================== Other Areas ============================
 
(Currently there is no automatic fix for this section.)
 
HKU\S-1-5-21-1502513018-239154773-2306305733-1002\Control Panel\Desktop\\Wallpaper -> 
DNS Servers: 75.75.75.75 - 75.75.76.76
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System => (ConsentPromptBehaviorAdmin: 5) (ConsentPromptBehaviorUser: 3) (EnableLUA: 1)
Windows Firewall is enabled.
 
==================== MSCONFIG/TASK MANAGER disabled items ==
 
(Currently there is no automatic fix for this section.)
 
 
==================== FirewallRules (Whitelisted) ===============
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
FirewallRules: [vm-monitoring-nb-session] => (Allow) LPort=139
FirewallRules: [{1BD51CC0-5C21-4C1F-9D18-631C66A3E661}] => (Allow) C:\Program Files\Common Files\McAfee\Platform\McSvcHost\McSvHost.exe
FirewallRules: [{14739D29-827B-485F-80E3-43C72C6FB82C}] => (Allow) C:\Users\Allan\AppData\Local\Microsoft\SkyDrive\SkyDrive.exe
FirewallRules: [{39C79AF4-656B-49D0-BD37-F1BF517CD674}] => (Allow) C:\Users\Allan_2\AppData\Roaming\Dropbox\bin\Dropbox.exe
FirewallRules: [{0CD312D5-B507-4C22-9695-E91570353A6C}] => (Allow) C:\Users\Allan_2\AppData\Roaming\Dropbox\bin\Dropbox.exe
FirewallRules: [{44CB7285-EA0F-479E-9506-C1CA6C3EEAEA}] => (Allow) C:\ProgramData\OfficeGuardianV2N35\Reminder\SacNetAgent.exe
FirewallRules: [{D9438E9C-9EB9-4D05-87DC-4FF8F7C21B88}] => (Allow) C:\ProgramData\OfficeGuardianV2N35\Reminder\SacNetAgent.exe
FirewallRules: [TCP Query User{3AD6B272-B9CC-47F9-A01C-C4B76F9D788C}C:\program files (x86)\epson software\event manager\eeventmanager.exe] => (Allow) C:\program files (x86)\epson software\event manager\eeventmanager.exe
FirewallRules: [UDP Query User{FFDCB8F4-3AAC-4A83-81A3-7B2A419C2F77}C:\program files (x86)\epson software\event manager\eeventmanager.exe] => (Allow) C:\program files (x86)\epson software\event manager\eeventmanager.exe
FirewallRules: [{7BFBF333-0D65-4569-B380-EB79FBA3CC07}] => (Allow) C:\Users\Allan\AppData\Roaming\McAfee\Supportability\MVTLogs\ProductDetection64.exe
FirewallRules: [{AFB5D107-66AC-425F-8745-A6DA4C09B0AE}] => (Allow) C:\Users\Allan\AppData\Roaming\McAfee\Supportability\MVTLogs\ProductDetection64.exe
FirewallRules: [TCP Query User{FB187AD9-3FF3-4C0F-9AE5-FFAECA2D2BE8}C:\users\allan_2\appdata\roaming\dropbox\bin\dropbox.exe] => (Block) C:\users\allan_2\appdata\roaming\dropbox\bin\dropbox.exe
FirewallRules: [UDP Query User{AED92C8A-D235-49B9-BE89-BFD5737F8B42}C:\users\allan_2\appdata\roaming\dropbox\bin\dropbox.exe] => (Block) C:\users\allan_2\appdata\roaming\dropbox\bin\dropbox.exe
FirewallRules: [TCP Query User{8673001D-2E38-4418-A9F4-83079F051B11}C:\users\allan_2\appdata\local\logmein rescue applet\lmir0001.tmp\lmi_rescue.exe] => (Block) C:\users\allan_2\appdata\local\logmein rescue applet\lmir0001.tmp\lmi_rescue.exe
FirewallRules: [UDP Query User{68F349A0-18DD-4598-A20D-FB0E1AE2E7C1}C:\users\allan_2\appdata\local\logmein rescue applet\lmir0001.tmp\lmi_rescue.exe] => (Block) C:\users\allan_2\appdata\local\logmein rescue applet\lmir0001.tmp\lmi_rescue.exe
FirewallRules: [TCP Query User{2DCEAA9C-29A3-4A32-B5DA-6215714E22A3}C:\users\allan\appdata\local\temp\showmypc\smpc3160\smpcph.exe] => (Allow) C:\users\allan\appdata\local\temp\showmypc\smpc3160\smpcph.exe
FirewallRules: [UDP Query User{9BB60B23-3DB7-49DE-ABD4-E98C22315E52}C:\users\allan\appdata\local\temp\showmypc\smpc3160\smpcph.exe] => (Allow) C:\users\allan\appdata\local\temp\showmypc\smpc3160\smpcph.exe
FirewallRules: [{3115D10C-66A9-45AB-B102-5E6C7223F459}] => (Block) C:\users\allan\appdata\local\temp\showmypc\smpc3160\smpcph.exe
FirewallRules: [{61B7621B-8757-478A-A874-6ECE2432805C}] => (Block) C:\users\allan\appdata\local\temp\showmypc\smpc3160\smpcph.exe
FirewallRules: [{FA00E7CB-5590-4547-B7A9-C061D6375F55}] => (Allow) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
 
==================== Faulty Device Manager Devices =============
 
 
==================== Event log errors: =========================
 
Application errors:
==================
Error: (07/28/2015 09:22:46 AM) (Source: Microsoft-Windows-LocationProvider) (EventID: 2007) (User: ALLAN-PC)
Description: There was an error communicating to the Orion inference server
 
Error: (07/28/2015 09:22:16 AM) (Source: Microsoft-Windows-LocationProvider) (EventID: 2007) (User: NT AUTHORITY)
Description: There was an error communicating to the Orion inference server
 
Error: (07/28/2015 08:57:13 AM) (Source: Microsoft-Windows-LocationProvider) (EventID: 2007) (User: NT AUTHORITY)
Description: There was an error communicating to the Orion inference server
 
Error: (07/28/2015 08:56:38 AM) (Source: Microsoft-Windows-LocationProvider) (EventID: 2007) (User: ALLAN-PC)
Description: There was an error communicating to the Orion inference server
 
Error: (07/28/2015 08:56:08 AM) (Source: Microsoft-Windows-LocationProvider) (EventID: 2007) (User: NT AUTHORITY)
Description: There was an error communicating to the Orion inference server
 
Error: (07/28/2015 08:42:46 AM) (Source: Microsoft-Windows-Immersive-Shell) (EventID: 5973) (User: ALLAN-PC)
Description: Activation of app OpenTable.OpenTable_r44en0zefym0a!App failed with error: -2144927142 See the Microsoft-Windows-TWinUI/Operational log for additional information.
 
Error: (07/28/2015 08:27:55 AM) (Source: Microsoft-Windows-Immersive-Shell) (EventID: 5973) (User: ALLAN-PC)
Description: Activation of app OpenTable.OpenTable_r44en0zefym0a!App failed with error: -2144927142 See the Microsoft-Windows-TWinUI/Operational log for additional information.
 
Error: (07/28/2015 08:26:08 AM) (Source: Application Hang) (EventID: 1002) (User: )
Description: The program LiveComm.exe version 17.5.9600.20911 stopped interacting with Windows and was closed. To see if more information about the problem is available, check the problem history in the Action Center control panel.
 
Process ID: 23e0
 
Start Time: 01d0c8ede2e2bf73
 
Termination Time: 4294967295
 
Application Path: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.5.9600.20911_x64__8wekyb3d8bbwe\LiveComm.exe
 
Report Id: eb74fce5-353c-11e5-8289-28e347966682
 
Faulting package full name: microsoft.windowscommunicationsapps_17.5.9600.20911_x64__8wekyb3d8bbwe
 
Faulting package-relative application ID: ppleae38af2e007f4358a809ac99a64a67c1
 
Error: (07/27/2015 11:27:34 AM) (Source: ESENT) (EventID: 215) (User: )
Description: WinMail (3996) WindowsMail0: The backup has been stopped because it was halted by the client or the connection with the client failed.
 
Error: (07/27/2015 11:27:30 AM) (Source: ESENT) (EventID: 215) (User: )
Description: WinMail (4544) WindowsMail0: The backup has been stopped because it was halted by the client or the connection with the client failed.
 
 
System errors:
=============
Error: (07/29/2015 03:47:53 PM) (Source: DCOM) (EventID: 10016) (User: Allan-PC)
Description: application-specificLocalActivation{D63B10C5-BB46-4990-A94F-E40B9D520160}{9CA88EE3-ACB7-47C8-AFC4-AB702511C276}Allan-PCAllanS-1-5-21-1502513018-239154773-2306305733-1001LocalHost (Using LRPC)UnavailableS-1-15-2-1430448594-2639229838-973813799-439329657-1197984847-4069167804-1277922394
 
Error: (07/29/2015 03:18:47 PM) (Source: NetBT) (EventID: 4321) (User: )
Description: The name "ALLAN-PC       :20" could not be registered on the interface with IP address 10.0.0.10.
The computer with the IP address 10.0.0.8 did not allow the name to be claimed by
this computer.
 
Error: (07/29/2015 03:18:47 PM) (Source: NetBT) (EventID: 4321) (User: )
Description: The name "ALLAN-PC       :0" could not be registered on the interface with IP address 10.0.0.10.
The computer with the IP address 10.0.0.8 did not allow the name to be claimed by
this computer.
 
Error: (07/29/2015 03:18:47 PM) (Source: Server) (EventID: 2505) (User: )
Description: The server could not bind to the transport \Device\NetBT_Tcpip_{EC2334D4-F606-4F14-91FC-4D17619DF1B8} because another computer on the network has the same name.  The server could not start.
 
Error: (07/29/2015 02:50:56 PM) (Source: NetBT) (EventID: 4321) (User: )
Description: The name "ALLAN-PC       :0" could not be registered on the interface with IP address 10.0.0.5.
The computer with the IP address 10.0.0.11 did not allow the name to be claimed by
this computer.
 
Error: (07/29/2015 02:50:55 PM) (Source: NetBT) (EventID: 4321) (User: )
Description: The name "ALLAN-PC       :20" could not be registered on the interface with IP address 10.0.0.5.
The computer with the IP address 10.0.0.11 did not allow the name to be claimed by
this computer.
 
Error: (07/29/2015 02:50:55 PM) (Source: Server) (EventID: 2505) (User: )
Description: The server could not bind to the transport \Device\NetBT_Tcpip_{5B6C83FB-38A8-4247-96D0-5F60D3DE61CE} because another computer on the network has the same name.  The server could not start.
 
Error: (07/29/2015 01:34:10 PM) (Source: NetBT) (EventID: 4321) (User: )
Description: The name "ALLAN-PC       :0" could not be registered on the interface with IP address 10.0.0.5.
The computer with the IP address 10.0.0.11 did not allow the name to be claimed by
this computer.
 
Error: (07/29/2015 01:34:10 PM) (Source: NetBT) (EventID: 4321) (User: )
Description: The name "ALLAN-PC       :20" could not be registered on the interface with IP address 10.0.0.5.
The computer with the IP address 10.0.0.11 did not allow the name to be claimed by
this computer.
 
Error: (07/29/2015 01:34:10 PM) (Source: NetBT) (EventID: 4321) (User: )
Description: The name "ALLAN-PC       :0" could not be registered on the interface with IP address 10.0.0.5.
The computer with the IP address 10.0.0.11 did not allow the name to be claimed by
this computer.
 
 
Microsoft Office:
=========================
Error: (07/28/2015 09:22:46 AM) (Source: Microsoft-Windows-LocationProvider) (EventID: 2007) (User: ALLAN-PC)
Description: -2143485946
 
Error: (07/28/2015 09:22:16 AM) (Source: Microsoft-Windows-LocationProvider) (EventID: 2007) (User: NT AUTHORITY)
Description: -2143485936
 
Error: (07/28/2015 08:57:13 AM) (Source: Microsoft-Windows-LocationProvider) (EventID: 2007) (User: NT AUTHORITY)
Description: -2143485946
 
Error: (07/28/2015 08:56:38 AM) (Source: Microsoft-Windows-LocationProvider) (EventID: 2007) (User: ALLAN-PC)
Description: -2143485946
 
Error: (07/28/2015 08:56:08 AM) (Source: Microsoft-Windows-LocationProvider) (EventID: 2007) (User: NT AUTHORITY)
Description: -2143485936
 
Error: (07/28/2015 08:42:46 AM) (Source: Microsoft-Windows-Immersive-Shell) (EventID: 5973) (User: ALLAN-PC)
Description: OpenTable.OpenTable_r44en0zefym0a!App-2144927142
 
Error: (07/28/2015 08:27:55 AM) (Source: Microsoft-Windows-Immersive-Shell) (EventID: 5973) (User: ALLAN-PC)
Description: OpenTable.OpenTable_r44en0zefym0a!App-2144927142
 
Error: (07/28/2015 08:26:08 AM) (Source: Application Hang) (EventID: 1002) (User: )
Description: LiveComm.exe17.5.9600.2091123e001d0c8ede2e2bf734294967295C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.5.9600.20911_x64__8wekyb3d8bbwe\LiveComm.exeeb74fce5-353c-11e5-8289-28e347966682microsoft.windowscommunicationsapps_17.5.9600.20911_x64__8wekyb3d8bbweppleae38af2e007f4358a809ac99a64a67c1
 
Error: (07/27/2015 11:27:34 AM) (Source: ESENT) (EventID: 215) (User: )
Description: WinMail3996WindowsMail0:
 
Error: (07/27/2015 11:27:30 AM) (Source: ESENT) (EventID: 215) (User: )
Description: WinMail4544WindowsMail0:
 
 
==================== Memory info =========================== 
 
Processor: Intel® Core™ i7-4700MQ CPU @ 2.40GHz
Percentage of memory in use: 34%
Total physical RAM: 8104.03 MB
Available physical RAM: 5336.07 MB
Total Virtual: 9384.03 MB
Available Virtual: 6180.82 MB
 
==================== Drives ================================
 
Drive c: (TI10684700A) (Fixed) (Total:689.07 GB) (Free:546.02 GB) NTFS
 
==================== MBR & Partition Table ==================
 
==================== End of log ============================


#8 nasdaq

nasdaq

  • Malware Response Team
  • 38,228 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:01:55 PM

Posted 30 July 2015 - 09:15 AM

ATTENTION: System Restore is disabled

Turn System Restore on
http://windows.microsoft.com/en-ca/windows/turn-system-restore-on-off#1TC=windows-7

Restart the computer normally when restored.

Check if the action has succeeded.
===

The Farbar tool has also created a FRST.TXT file; please post it.

#9 justignorehim

justignorehim
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Napa, CA
  • Local time:11:55 AM

Posted 30 July 2015 - 10:32 AM

I checked System Settings and the System Restore dialogue box, and it looks like it’s ON. I only have one point to restore to (3 days ago). I realized Restore was an option, but the malware didn't appear terribly critical, so I decided not to go through the restore process.

I downloaded Silverlight but there doesn’t seem to be any video on that link.

On opening FRST.txt, I found one verrrrrrry loooooong file. Do you wanna see it all, or is there one part more important?

Thanks ahead, again, for your help.



#10 nasdaq

nasdaq

  • Malware Response Team
  • 38,228 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:01:55 PM

Posted 30 July 2015 - 01:37 PM

I downloaded Silverlight but there doesn’t seem to be any video on that link.

I was prompted also to install Silverlight. I did, only to find out that I already have the latest.
Something is wrong with the link.
===

Post the FRST log. If too long, attach it.

#11 justignorehim

justignorehim
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Napa, CA
  • Local time:11:55 AM

Posted 30 July 2015 - 09:43 PM

I cannot figure out how to attach a file. There is no "paperclip" icon, and I don't see any other option on the above menu. Sorry...



#12 nasdaq

nasdaq

  • Malware Response Team
  • 38,228 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:01:55 PM

Posted 31 July 2015 - 07:05 AM

After this post you can reply by adding some words in the Reply to this topic

Click the More Reply button on the bottom right.

This will give you an option to select the file and when selected press the attach button.


Post the result.

#13 justignorehim

justignorehim
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Napa, CA
  • Local time:11:55 AM

Posted 31 July 2015 - 10:33 AM

Gotcha. Thanks. Not very intuitive, though.

FRST.txt attached.  Thanks ahead....

(BTW, computer works fine. Reading tutorials, rather fascinating.)



#14 justignorehim

justignorehim
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Napa, CA
  • Local time:11:55 AM

Posted 31 July 2015 - 10:34 AM

...and here's a jpg of the original malware popup.

Attached Files



#15 nasdaq

nasdaq

  • Malware Response Team
  • 38,228 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:01:55 PM

Posted 31 July 2015 - 12:32 PM

The blue screen is a scam.
Do not reply to it.

===

Ran by Allan_2 (ATTENTION!: The logged in user is not administrator)


The tool must be run by an Administrator.

Is Allan's profile the Administrator of this computer?
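The two conditions raised in this thread (is System Restore switched on, and is the session that runs the Farbar tool actually an administrator session) can be checked before a tool is run rather than discovered from its log afterwards. The script below is an added example, not code from the thread, from BleepingComputer or from the Farbar tool; it assumes Windows PowerShell 5.1 (Get-ComputerRestorePoint is not available in PowerShell 7) and assumes that the RPSessionInterval registry value is the switch FRST reads when it prints "System Restore is disabled". The function names are the example's own.

```powershell
# Added example (not from the thread or the Farbar tool): pre-flight checks
# for the two things asked about above, System Restore state and admin rights.
# Assumes Windows PowerShell 5.1 on a Windows 8/10 client.

function Get-SystemRestoreStatus {
    # Assumption: RPSessionInterval is 0 when System Restore is switched off
    # for the system drive and 1 when it is on.
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore'
    $interval = (Get-ItemProperty -Path $key -Name RPSessionInterval `
                    -ErrorAction SilentlyContinue).RPSessionInterval
    # Restore points that exist right now (empty array if none or if disabled).
    $points = @(Get-ComputerRestorePoint -ErrorAction SilentlyContinue)
    $newest = if ($points.Count -gt 0) {
        ($points | Sort-Object SequenceNumber | Select-Object -Last 1).Description
    } else { $null }
    [pscustomobject]@{
        Enabled       = ($interval -gt 0)
        RestorePoints = $points.Count
        Newest        = $newest
    }
}

function Test-IsElevated {
    # True only when the process token is elevated. A member of the local
    # Administrators group who opened PowerShell without "Run as administrator"
    # still gets False under UAC, which is the situation FRST complains about.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Get-LocalAdministrators {
    # Parses the classic 'net localgroup Administrators' listing, which exists
    # on Windows 8 where Get-LocalGroupMember is not available.
    $lines = net localgroup Administrators
    $dash  = $lines | Where-Object { $_ -like '----*' } | Select-Object -First 1
    $start = [array]::IndexOf($lines, $dash) + 1
    $lines[$start..($lines.Count - 1)] |
        Where-Object { $_ -and $_ -notlike 'The command completed*' }
}

$restore = Get-SystemRestoreStatus
"System Restore enabled : $($restore.Enabled)"
"Restore points         : $($restore.RestorePoints) (newest: $($restore.Newest))"
"Running elevated       : $(Test-IsElevated) (as $env:USERNAME)"
"Local Administrators   : $((Get-LocalAdministrators) -join ', ')"

if (-not $restore.Enabled) {
    Write-Warning 'System Restore is off; turn it on and create a point before cleaning.'
}
if (-not (Test-IsElevated)) {
    Write-Warning 'Not elevated: re-open PowerShell (or the tool) with "Run as administrator".'
}
```

Run it from the account that will launch the tool: if the last line lists the account under Local Administrators but "Running elevated" is False, the fix is to right-click the tool and choose "Run as administrator", not to switch accounts.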



