Weird unknown programs asking for administrator privileges


This topic is locked
11 replies to this topic

#1 Finko

  • Members
  • 6 posts

Posted 17 September 2015 - 11:04 AM

Hi!

I have a problem with my father's computer. I set him up with a limited user account to prevent him from installing malware. I also installed Bitdefender and Malwarebytes Anti-Exploit for better protection. But something weird happens, usually when he uses Facebook from Internet Explorer: some unknown programs ask for the administrator password to install. Every time they have a different name, but all start with "setup" (setup2519.exe and setup4D62.exe, for example). I already cleaned a virus from his computer a few months ago with Malwarebytes Anti-Malware, and until then everything worked without problems. Bitdefender also didn't detect anything.

Please, can you help me with this problem or tell me what is going on?

I ran FRST as administrator; please tell me if I have to run it as a basic user. Here is the log:


Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version:15-09-2015
Ran by Miš (administrator) on MIŠ-PC (17-09-2015 13:45:15)
Running from C:\Users\Zare\Desktop
Loaded Profiles: Miš & Zare (Available Profiles: Miš & Zare)
Platform: Microsoft Windows 7 Ultimate  Service Pack 1 (X86) Language: English (United States)
Internet Explorer Version 11 (Default browser: IE)
Boot Mode: Normal
 
==================== Processes (Whitelisted) =================
 
(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)
 
(Bitdefender) C:\Program Files\Bitdefender\Antivirus Free Edition\gzserv.exe
(NVIDIA Corporation) C:\Windows\System32\nvvsvc.exe
(Microsoft Corporation) C:\Windows\System32\rundll32.exe
(Malwarebytes Corporation) C:\Program Files\Malwarebytes Anti-Exploit\mbae-svc.exe
(Popcorn Time) C:\Program Files\Popcorn Time\Updater.exe
(Bitdefender) C:\Program Files\Bitdefender\Antivirus Free Edition\gziface.exe
(Microsoft Corporation) C:\Windows\System32\rundll32.exe
(Malwarebytes Corporation) C:\Program Files\Malwarebytes Anti-Exploit\mbae.exe
(MyCity) C:\Program Files\MCShield\MCShieldRTM.exe
() C:\Program Files\Popcorn Time\PopcornTimeDesktop.exe
(Microsoft Corporation) C:\Program Files\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
(Microsoft Corporation) C:\Windows\System32\CompatTelRunner.exe
(Bitdefender) C:\Program Files\Bitdefender\Antivirus Free Edition\update.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe
 
 
==================== Registry (Whitelisted) ===========================
 
(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)
 
HKLM\...\Run: [NvCplDaemon] => RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
HKLM\...\Run: [NvMediaCenter] => RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
HKLM\...\Run: [BCSSync] => C:\Program Files\Microsoft Office\Office14\BCSSync.exe [89184 2012-11-05] (Microsoft Corporation)
HKLM\...\Run: [Malwarebytes Anti-Exploit] => C:\Program Files\Malwarebytes Anti-Exploit\mbae.exe [2620728 2015-07-22] (Malwarebytes Corporation)
HKLM\...\Policies\Explorer: [NoAutorun] 1
HKU\S-1-5-21-4040565097-3838673650-1384290283-1000\...\Run: [MCShield Monitor] => C:\Program Files\MCShield\MCShieldRTM.exe [650816 2014-04-11] (MyCity)
HKU\S-1-5-21-4040565097-3838673650-1384290283-1001\...\Run: [MCShield Monitor] => C:\Program Files\MCShield\mcshieldrtm.exe [650816 2014-04-11] (MyCity)
HKU\S-1-5-18\...\RunOnce: [SPReview] => C:\Windows\System32\SPReview\SPReview.exe [280576 2014-09-06] (Microsoft Corporation)
GroupPolicyScripts: Restriction <======= ATTENTION
 
==================== Internet (Whitelisted) ====================
 
(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)
 
Tcpip\Parameters: [DhcpNameServer] 192.168.1.1
Tcpip\..\Interfaces\{593D8071-A5B0-4E7A-B46F-9422B9873BFE}: [DhcpNameServer] 192.168.1.1
Tcpip\..\Interfaces\{BC1B2A39-AF21-4B5F-A3BC-236BA2885DE4}: [DhcpNameServer] 192.168.1.1
 
Internet Explorer:
==================
HKU\S-1-5-21-4040565097-3838673650-1384290283-1000\Software\Microsoft\Internet Explorer\Main,Start Page = hxxps://www.google.hr/?gfe_rd=cr&ei=ZCgLVM69JuqI8QfqpoGYDQ&gws_rd=ssl
HKU\S-1-5-21-4040565097-3838673650-1384290283-1001\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.google.hr/
HKU\S-1-5-21-4040565097-3838673650-1384290283-1001\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = hxxp://www.msn.com/
SearchScopes: HKU\S-1-5-21-4040565097-3838673650-1384290283-1000 -> DefaultScope {6EF2B902-C661-499F-AE07-41F4E43643CA} URL = hxxps://www.google.com/search?q={searchTerms}
SearchScopes: HKU\S-1-5-21-4040565097-3838673650-1384290283-1000 -> {6EF2B902-C661-499F-AE07-41F4E43643CA} URL = hxxps://www.google.com/search?q={searchTerms}
SearchScopes: HKU\S-1-5-21-4040565097-3838673650-1384290283-1001 -> DefaultScope {ED38311A-0AA1-4BCB-BA6A-71C5C6E9721F} URL = hxxps://www.google.com/search?q={searchTerms}
SearchScopes: HKU\S-1-5-21-4040565097-3838673650-1384290283-1001 -> {ED38311A-0AA1-4BCB-BA6A-71C5C6E9721F} URL = hxxps://www.google.com/search?q={searchTerms}
BHO: Groove GFS Browser Helper -> {72853161-30C5-4D22-B7F9-0BBC1D38A37E} -> C:\Program Files\Microsoft Office\Office14\GROOVEEX.DLL [2013-12-19] (Microsoft Corporation)
BHO: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL [2013-03-06] (Microsoft Corporation)
 
FireFox:
========
FF Plugin: @microsoft.com/OfficeAuthz,version=14.0 -> C:\PROGRA~1\MICROS~2\Office14\NPAUTHZ.DLL [2010-01-09] (Microsoft Corporation)
FF Plugin: @microsoft.com/SharePoint,version=14.0 -> C:\PROGRA~1\MICROS~2\Office14\NPSPWRAP.DLL [2010-03-24] (Microsoft Corporation)
FF Plugin: Adobe Reader -> C:\Program Files\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll [2015-06-29] (Adobe Systems Inc.)
FF Plugin HKU\S-1-5-21-4040565097-3838673650-1384290283-1001: www.aviion.tv/AviionAuthTokenMaker -> C:\Users\Zare\AppData\Roaming\AVIIONMediadoo\AviionAuthTokenMaker\1.0.0.2\npAviionAuthTokenMaker.dll [2013-11-20] (AVIION Media d.o.o.)
FF SearchPlugin: C:\Program Files\mozilla firefox\browser\searchplugins\eudict.xml [2015-05-26]
 
==================== Services (Whitelisted) ========================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
R2 gzserv; C:\Program Files\Bitdefender\Antivirus Free Edition\gzserv.exe [57520 2013-10-23] (Bitdefender)
R2 MbaeSvc; C:\Program Files\Malwarebytes Anti-Exploit\mbae-svc.exe [713016 2015-07-22] (Malwarebytes Corporation)
R2 Update service; C:\Program Files\Popcorn Time\Updater.exe [339968 2015-07-17] (Popcorn Time) [File not signed]
S3 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [680960 2013-05-27] (Microsoft Corporation)
 
===================== Drivers (Whitelisted) ==========================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
R0 avc3; C:\Windows\System32\DRIVERS\avc3.sys [633344 2013-04-17] (BitDefender)
S3 avckf; C:\Windows\System32\DRIVERS\avckf.sys [486536 2013-04-17] (BitDefender)
R1 bdfwfpf; C:\Program Files\Bitdefender\Antivirus Free Edition\bdfwfpf.sys [108008 2013-07-02] (Bitdefender SRL)
R1 bdselfpr; C:\Program Files\Bitdefender\Antivirus Free Edition\bdselfpr.sys [135472 2013-07-16] (BitDefender LLC)
R1 ESProtectionDriver; C:\Program Files\Malwarebytes Anti-Exploit\mbae.sys [47928 2015-07-22] ()
R1 gzflt; C:\Windows\System32\DRIVERS\gzflt.sys [164952 2013-04-22] (BitDefender LLC)
R0 trufos; C:\Windows\System32\DRIVERS\trufos.sys [355744 2013-05-28] (BitDefender S.R.L.)
S3 Synth3dVsc; System32\drivers\synth3dvsc.sys [X]
S3 tsusbhub; system32\drivers\tsusbhub.sys [X]
S3 VGPU; System32\drivers\rdvgkmd.sys [X]
U5 VWiFiFlt; C:\Windows\System32\Drivers\VWiFiFlt.sys [48128 2009-07-14] (Microsoft Corporation)
 
==================== NetSvcs (Whitelisted) ===================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
 
==================== One Month Created files and folders ========
 
(If an entry is included in the fixlist, the file/folder will be moved.)
 
2015-09-17 13:45 - 2015-09-17 13:45 - 00007513 _____ C:\Users\Zare\Desktop\FRST.txt
2015-09-17 13:43 - 2015-09-17 13:45 - 00000000 ____D C:\FRST
2015-09-17 13:42 - 2015-09-17 13:13 - 01695232 _____ (Farbar) C:\Users\Zare\Desktop\FRST.exe
2015-09-15 14:12 - 2015-08-18 03:14 - 00344168 _____ (Microsoft Corporation) C:\Windows\system32\iedkcs32.dll
2015-09-15 14:12 - 2015-08-15 07:53 - 02724864 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.tlb
2015-09-15 14:12 - 2015-08-15 07:53 - 00004096 _____ (Microsoft Corporation) C:\Windows\system32\ieetwcollectorres.dll
2015-09-15 14:12 - 2015-08-15 07:40 - 00062464 _____ (Microsoft Corporation) C:\Windows\system32\iesetup.dll
2015-09-15 14:12 - 2015-08-15 07:39 - 00047616 _____ (Microsoft Corporation) C:\Windows\system32\ieetwproxystub.dll
2015-09-15 14:12 - 2015-08-15 07:33 - 00047104 _____ (Microsoft Corporation) C:\Windows\system32\jsproxy.dll
2015-09-15 14:12 - 2015-08-15 07:32 - 00030720 _____ (Microsoft Corporation) C:\Windows\system32\iernonce.dll
2015-09-15 14:12 - 2015-08-15 07:30 - 00479232 _____ (Microsoft Corporation) C:\Windows\system32\ieui.dll
2015-09-15 14:12 - 2015-08-15 07:29 - 00620032 _____ (Microsoft Corporation) C:\Windows\system32\jscript9diag.dll
2015-09-15 14:12 - 2015-08-15 07:29 - 00115712 _____ (Microsoft Corporation) C:\Windows\system32\ieUnatt.exe
2015-09-15 14:12 - 2015-08-15 07:29 - 00102912 _____ (Microsoft Corporation) C:\Windows\system32\ieetwcollector.exe
2015-09-15 14:12 - 2015-08-15 07:24 - 00667648 _____ (Microsoft Corporation) C:\Windows\system32\MsSpellCheckingFacility.exe
2015-09-15 14:12 - 2015-08-15 07:21 - 00418304 _____ (Microsoft Corporation) C:\Windows\system32\dxtmsft.dll
2015-09-15 14:12 - 2015-08-15 07:16 - 00060416 _____ (Microsoft Corporation) C:\Windows\system32\JavaScriptCollectionAgent.dll
2015-09-15 14:12 - 2015-08-15 07:14 - 00168960 _____ (Microsoft Corporation) C:\Windows\system32\msrating.dll
2015-09-15 14:12 - 2015-08-15 07:11 - 00285696 _____ (Microsoft Corporation) C:\Windows\system32\dxtrans.dll
2015-09-15 14:12 - 2015-08-15 07:04 - 12857344 _____ (Microsoft Corporation) C:\Windows\system32\ieframe.dll
2015-09-15 14:12 - 2015-08-15 07:02 - 00689152 _____ (Microsoft Corporation) C:\Windows\system32\msfeeds.dll
2015-09-15 14:12 - 2015-08-15 07:02 - 00685568 _____ (Microsoft Corporation) C:\Windows\system32\ie4uinit.exe
2015-09-15 14:12 - 2015-08-15 07:01 - 02052608 _____ (Microsoft Corporation) C:\Windows\system32\inetcpl.cpl
2015-09-15 14:12 - 2015-08-15 06:43 - 01951232 _____ (Microsoft Corporation) C:\Windows\system32\wininet.dll
2015-09-15 14:12 - 2015-08-15 06:39 - 01310720 _____ (Microsoft Corporation) C:\Windows\system32\urlmon.dll
2015-09-15 14:12 - 2015-08-15 06:37 - 00710144 _____ (Microsoft Corporation) C:\Windows\system32\ieapfltr.dll
2015-09-15 14:12 - 2015-08-05 19:41 - 00751104 _____ (Microsoft Corporation) C:\Windows\system32\schedsvc.dll
2015-09-15 14:11 - 2015-09-02 04:48 - 00070656 _____ (Microsoft Corporation) C:\Windows\system32\fontsub.dll
2015-09-15 14:11 - 2015-09-02 04:48 - 00034304 _____ (Adobe Systems) C:\Windows\system32\atmlib.dll
2015-09-15 14:11 - 2015-09-02 04:48 - 00026624 _____ (Microsoft Corporation) C:\Windows\system32\lpk.dll
2015-09-15 14:11 - 2015-09-02 04:48 - 00010240 _____ (Microsoft Corporation) C:\Windows\system32\dciman32.dll
2015-09-15 14:11 - 2015-09-02 03:36 - 02384896 _____ (Microsoft Corporation) C:\Windows\system32\win32k.sys
2015-09-15 14:11 - 2015-09-02 03:33 - 00299520 _____ (Adobe Systems Incorporated) C:\Windows\system32\atmfd.dll
2015-09-15 14:11 - 2015-08-27 19:58 - 01391104 _____ (Microsoft Corporation) C:\Windows\system32\msxml6.dll
2015-09-15 14:11 - 2015-08-27 19:58 - 01241088 _____ (Microsoft Corporation) C:\Windows\system32\msxml3.dll
2015-09-15 14:11 - 2015-08-27 19:51 - 00002048 _____ (Microsoft Corporation) C:\Windows\system32\msxml6r.dll
2015-09-15 14:11 - 2015-08-27 19:51 - 00002048 _____ (Microsoft Corporation) C:\Windows\system32\msxml3r.dll
2015-09-15 14:11 - 2015-08-26 19:56 - 02953728 _____ (Microsoft Corporation) C:\Windows\system32\wucltux.dll
2015-09-15 14:11 - 2015-08-26 19:56 - 02061824 _____ (Microsoft Corporation) C:\Windows\system32\wuaueng.dll
2015-09-15 14:11 - 2015-08-26 19:56 - 00566784 _____ (Microsoft Corporation) C:\Windows\system32\wuapi.dll
2015-09-15 14:11 - 2015-08-26 19:56 - 00173056 _____ (Microsoft Corporation) C:\Windows\system32\wuwebv.dll
2015-09-15 14:11 - 2015-08-26 19:56 - 00093184 _____ (Microsoft Corporation) C:\Windows\system32\wudriver.dll
2015-09-15 14:11 - 2015-08-26 19:56 - 00035840 _____ (Microsoft Corporation) C:\Windows\system32\wups2.dll
2015-09-15 14:11 - 2015-08-26 19:56 - 00030208 _____ (Microsoft Corporation) C:\Windows\system32\wups.dll
2015-09-15 14:11 - 2015-08-26 19:55 - 00135680 _____ (Microsoft Corporation) C:\Windows\system32\wuauclt.exe
2015-09-15 14:11 - 2015-08-26 19:55 - 00073728 _____ (Microsoft Corporation) C:\Windows\system32\WinSetupUI.dll
2015-09-15 14:11 - 2015-08-26 19:55 - 00034816 _____ (Microsoft Corporation) C:\Windows\system32\wuapp.exe
2015-09-15 14:11 - 2015-08-26 19:55 - 00011776 _____ (Microsoft Corporation) C:\Windows\system32\wu.upgrade.ps.dll
2015-09-15 14:11 - 2015-08-15 08:06 - 19856896 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.dll
2015-09-15 14:11 - 2015-08-15 07:40 - 00504832 _____ (Microsoft Corporation) C:\Windows\system32\vbscript.dll
2015-09-15 14:11 - 2015-08-15 07:39 - 00341504 _____ (Microsoft Corporation) C:\Windows\system32\html.iec
2015-09-15 14:11 - 2015-08-15 07:38 - 00064000 _____ (Microsoft Corporation) C:\Windows\system32\MshtmlDac.dll
2015-09-15 14:11 - 2015-08-15 07:35 - 02279424 _____ (Microsoft Corporation) C:\Windows\system32\iertutil.dll
2015-09-15 14:11 - 2015-08-15 07:29 - 00665600 _____ (Microsoft Corporation) C:\Windows\system32\jscript.dll
2015-09-15 14:11 - 2015-08-15 07:12 - 00076288 _____ (Microsoft Corporation) C:\Windows\system32\mshtmled.dll
2015-09-15 14:11 - 2015-08-15 07:10 - 04520448 _____ (Microsoft Corporation) C:\Windows\system32\jscript9.dll
2015-09-15 14:11 - 2015-08-15 07:01 - 01155072 _____ (Microsoft Corporation) C:\Windows\system32\mshtmlmedia.dll
2015-09-15 14:11 - 2015-08-05 19:40 - 00216064 _____ (Microsoft Corporation) C:\Windows\system32\InkEd.dll
2015-09-15 14:11 - 2015-08-05 19:40 - 00019968 _____ (Microsoft Corporation) C:\Windows\system32\jnwmon.dll
2015-09-15 14:11 - 2015-08-04 19:48 - 00050176 _____ (Microsoft Corporation) C:\Windows\system32\setbcdlocale.dll
2015-09-15 14:11 - 2015-08-04 19:47 - 00050688 _____ (Microsoft Corporation) C:\Windows\system32\appidapi.dll
2015-09-15 14:11 - 2015-08-04 19:47 - 00028160 _____ (Microsoft Corporation) C:\Windows\system32\appidsvc.dll
2015-09-15 14:11 - 2015-08-04 19:46 - 00096768 _____ (Microsoft Corporation) C:\Windows\system32\appidpolicyconverter.exe
2015-09-15 14:11 - 2015-08-04 19:46 - 00016896 _____ (Microsoft Corporation) C:\Windows\system32\appidcertstorecheck.exe
2015-09-15 14:11 - 2015-08-04 18:53 - 00050176 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\appid.sys
2015-09-14 21:41 - 2015-09-14 21:41 - 00000218 _____ C:\Users\Zare\AppData\Local\recently-used.xbel
2015-09-14 20:53 - 2015-09-14 21:41 - 00368415 _____ C:\Users\Zare\Desktop\A006.xcf
2015-09-14 06:20 - 2015-09-14 06:20 - 01169420 _____ C:\Users\Zare\Desktop\ČEK.xcf
2015-09-09 18:54 - 2015-09-09 18:54 - 00721039 _____ C:\Users\Zare\Documents\ZET.xcf
2015-08-30 01:39 - 2015-09-16 21:55 - 00000000 ____D C:\ProgramData\Malwarebytes Anti-Exploit
2015-08-30 01:39 - 2015-08-30 01:41 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes Anti-Exploit
2015-08-30 01:39 - 2015-08-30 01:41 - 00000000 ____D C:\Program Files\Malwarebytes Anti-Exploit
2015-08-30 01:36 - 2015-08-30 01:36 - 02967032 _____ (Malwarebytes ) C:\Users\Zare\Downloads\mbae-setup.exe
2015-08-30 00:29 - 2015-09-15 22:29 - 00000000 ____D C:\Users\Zare\Downloads\PopcornTime
2015-08-30 00:29 - 2015-08-30 00:29 - 00001083 _____ C:\Users\Public\Desktop\Popcorn Time.lnk
2015-08-30 00:29 - 2015-08-30 00:29 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Popcorn Time
2015-08-30 00:28 - 2015-08-30 00:29 - 00000000 ____D C:\Program Files\Popcorn Time
2015-08-30 00:07 - 2015-08-30 00:08 - 51551760 _____ (Popcorn Time ) C:\Users\Zare\Downloads\PopcornTime-latest.exe
2015-08-29 23:31 - 2015-08-29 23:32 - 21547816 _____ (Malwarebytes Corporation ) C:\Users\Miš\Desktop\mbam-setup.exe
2015-08-29 23:04 - 2015-07-22 19:57 - 03989952 _____ (Microsoft Corporation) C:\Windows\system32\ntkrnlpa.exe
2015-08-29 23:04 - 2015-07-22 19:57 - 03934656 _____ (Microsoft Corporation) C:\Windows\system32\ntoskrnl.exe
2015-08-29 23:04 - 2015-07-22 19:57 - 00137664 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\ksecpkg.sys
2015-08-29 23:04 - 2015-07-22 19:57 - 00067520 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\ksecdd.sys
2015-08-29 23:04 - 2015-07-22 19:54 - 01308160 _____ (Microsoft Corporation) C:\Windows\system32\ntdll.dll
2015-08-29 23:04 - 2015-07-22 19:53 - 01061376 _____ (Microsoft Corporation) C:\Windows\system32\lsasrv.dll
2015-08-29 23:04 - 2015-07-22 19:53 - 00937984 _____ (Microsoft Corporation) C:\Windows\system32\diagtrack.dll
2015-08-29 23:04 - 2015-07-22 19:53 - 00655360 _____ (Microsoft Corporation) C:\Windows\system32\rpcrt4.dll
2015-08-29 23:04 - 2015-07-22 19:53 - 00641536 _____ (Microsoft Corporation) C:\Windows\system32\advapi32.dll
2015-08-29 23:04 - 2015-07-22 19:53 - 00635392 _____ (Microsoft Corporation) C:\Windows\system32\tdh.dll
2015-08-29 23:04 - 2015-07-22 19:53 - 00552960 _____ (Microsoft Corporation) C:\Windows\system32\kerberos.dll
2015-08-29 23:04 - 2015-07-22 19:53 - 00400896 _____ (Microsoft Corporation) C:\Windows\system32\srcore.dll
2015-08-29 23:04 - 2015-07-22 19:53 - 00259584 _____ (Microsoft Corporation) C:\Windows\system32\msv1_0.dll
2015-08-29 23:04 - 2015-07-22 19:53 - 00248832 _____ (Microsoft Corporation) C:\Windows\system32\schannel.dll
2015-08-29 23:04 - 2015-07-22 19:53 - 00221184 _____ (Microsoft Corporation) C:\Windows\system32\ncrypt.dll
2015-08-29 23:04 - 2015-07-22 19:53 - 00172032 _____ (Microsoft Corporation) C:\Windows\system32\wdigest.dll
2015-08-29 23:04 - 2015-07-22 19:53 - 00100352 _____ (Microsoft Corporation) C:\Windows\system32\sspicli.dll
2015-08-29 23:04 - 2015-07-22 19:53 - 00065536 _____ (Microsoft Corporation) C:\Windows\system32\TSpkg.dll
2015-08-29 23:04 - 2015-07-22 19:53 - 00043008 _____ (Microsoft Corporation) C:\Windows\system32\srclient.dll
2015-08-29 23:04 - 2015-07-22 19:53 - 00038912 _____ (Microsoft Corporation) C:\Windows\system32\csrsrv.dll
2015-08-29 23:04 - 2015-07-22 19:53 - 00036864 _____ (Microsoft Corporation) C:\Windows\system32\cryptbase.dll
2015-08-29 23:04 - 2015-07-22 19:53 - 00022016 _____ (Microsoft Corporation) C:\Windows\system32\secur32.dll
2015-08-29 23:04 - 2015-07-22 19:53 - 00017408 _____ (Microsoft Corporation) C:\Windows\system32\credssp.dll
2015-08-29 23:04 - 2015-07-22 19:53 - 00015872 _____ (Microsoft Corporation) C:\Windows\system32\sspisrv.dll
2015-08-29 23:04 - 2015-07-22 19:52 - 00262656 _____ (Microsoft Corporation) C:\Windows\system32\rstrui.exe
2015-08-29 23:04 - 2015-07-22 19:52 - 00069632 _____ (Microsoft Corporation) C:\Windows\system32\smss.exe
2015-08-29 23:04 - 2015-07-22 19:52 - 00050176 _____ (Microsoft Corporation) C:\Windows\system32\auditpol.exe
2015-08-29 23:04 - 2015-07-22 19:52 - 00022528 _____ (Microsoft Corporation) C:\Windows\system32\lsass.exe
2015-08-29 23:04 - 2015-07-22 19:47 - 00060416 _____ (Microsoft Corporation) C:\Windows\system32\msobjs.dll
2015-08-29 23:04 - 2015-07-22 19:46 - 00146432 _____ (Microsoft Corporation) C:\Windows\system32\msaudite.dll
2015-08-29 23:04 - 2015-07-22 19:42 - 00686080 _____ (Microsoft Corporation) C:\Windows\system32\adtschema.dll
2015-08-29 23:04 - 2015-07-22 19:42 - 00006656 _____ (Microsoft Corporation) C:\Windows\system32\apisetschema.dll
2015-08-29 23:04 - 2015-07-22 18:38 - 00041984 _____ (Microsoft Corporation) C:\Windows\system32\UtcResources.dll
2015-08-29 23:04 - 2015-07-22 18:34 - 00225792 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\mrxsmb10.sys
2015-08-29 23:04 - 2015-07-22 18:34 - 00098304 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\mrxsmb20.sys
2015-08-29 23:04 - 2015-07-22 18:33 - 00124416 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\mrxsmb.sys
2015-08-29 23:04 - 2015-07-15 04:54 - 00002048 _____ (Microsoft Corporation) C:\Windows\system32\tzres.dll
2015-08-29 23:04 - 2015-07-09 19:42 - 01372160 _____ (Microsoft Corporation) C:\Windows\system32\dwmcore.dll
2015-08-29 23:04 - 2015-07-09 19:42 - 00067584 _____ (Microsoft Corporation) C:\Windows\system32\dwmapi.dll
2015-08-29 23:04 - 2015-06-25 11:48 - 00105408 _____ (Microsoft Corporation) C:\Windows\system32\consent.exe
2015-08-29 23:04 - 2015-06-25 11:44 - 01805824 _____ (Microsoft Corporation) C:\Windows\system32\authui.dll
2015-08-29 23:04 - 2015-06-25 11:44 - 00047104 _____ (Microsoft Corporation) C:\Windows\system32\appinfo.dll
2015-08-29 22:25 - 2015-07-30 15:13 - 00103120 _____ (Microsoft Corporation) C:\Windows\system32\PresentationCFFRasterizerNative_v0300.dll
2015-08-29 22:23 - 2015-07-15 19:59 - 00078784 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\mountmgr.sys
2015-08-29 22:23 - 2015-07-15 19:55 - 01159168 _____ (Microsoft Corporation) C:\Windows\system32\sysmain.dll
2015-08-29 22:23 - 2015-07-15 19:54 - 00010752 _____ (Microsoft Corporation) C:\Windows\system32\msmmsp.dll
2015-08-29 22:23 - 2015-07-04 19:48 - 01414656 _____ (Microsoft Corporation) C:\Windows\system32\ole32.dll
2015-08-29 22:22 - 2015-07-30 19:57 - 01987584 _____ (Microsoft Corporation) C:\Windows\system32\d3d10warp.dll
2015-08-29 22:22 - 2015-07-30 19:57 - 01251328 _____ (Microsoft Corporation) C:\Windows\system32\DWrite.dll
2015-08-29 22:22 - 2015-07-30 19:57 - 00909824 _____ (Microsoft Corporation) C:\Windows\system32\FntCache.dll
2015-08-29 22:22 - 2015-07-28 22:04 - 00015808 _____ (Microsoft Corporation) C:\Windows\system32\CompatTelRunner.exe
2015-08-29 22:22 - 2015-07-28 22:00 - 00952832 _____ (Microsoft Corporation) C:\Windows\system32\appraiser.dll
2015-08-29 22:22 - 2015-07-28 22:00 - 00635904 _____ (Microsoft Corporation) C:\Windows\system32\invagent.dll
2015-08-29 22:22 - 2015-07-28 22:00 - 00598528 _____ (Microsoft Corporation) C:\Windows\system32\generaltel.dll
2015-08-29 22:22 - 2015-07-28 22:00 - 00346112 _____ (Microsoft Corporation) C:\Windows\system32\devinv.dll
2015-08-29 22:22 - 2015-07-28 22:00 - 00202752 _____ (Microsoft Corporation) C:\Windows\system32\aepdu.dll
2015-08-29 22:22 - 2015-07-28 22:00 - 00060416 _____ (Microsoft Corporation) C:\Windows\system32\acmigration.dll
2015-08-29 22:22 - 2015-07-28 21:54 - 00934400 _____ (Microsoft Corporation) C:\Windows\system32\aeinv.dll
2015-08-29 22:22 - 2015-07-16 21:12 - 06131200 _____ (Microsoft Corporation) C:\Windows\system32\mstscax.dll
2015-08-29 22:22 - 2015-07-16 21:12 - 00856064 _____ (Microsoft Corporation) C:\Windows\system32\rdvidcrl.dll
2015-08-29 22:22 - 2015-07-16 21:12 - 00053248 _____ (Microsoft Corporation) C:\Windows\system32\tsgqec.dll
2015-08-29 22:22 - 2015-07-16 17:14 - 00355840 _____ (Microsoft Corporation) C:\Windows\system32\wksprt.exe
2015-08-29 22:22 - 2015-07-15 04:55 - 00044032 _____ (Microsoft Corporation) C:\Windows\system32\basesrv.dll
2015-08-29 22:22 - 2015-07-10 19:34 - 12875776 _____ (Microsoft Corporation) C:\Windows\system32\shell32.dll
2015-08-29 22:22 - 2015-07-09 19:42 - 00179712 _____ (Microsoft Corporation) C:\Windows\system32\notepad.exe
2015-08-29 22:22 - 2015-07-09 19:42 - 00179712 _____ (Microsoft Corporation) C:\Windows\notepad.exe
2015-08-29 22:22 - 2015-07-01 22:30 - 00206848 _____ (Microsoft Corporation) C:\Windows\system32\WebClnt.dll
2015-08-29 22:22 - 2015-07-01 22:30 - 00082432 _____ (Microsoft Corporation) C:\Windows\system32\davclnt.dll
2015-08-29 22:22 - 2015-06-17 19:39 - 00305664 _____ (Microsoft Corporation) C:\Windows\system32\gdi32.dll
2015-08-29 22:22 - 2015-06-15 23:43 - 02364416 _____ (Microsoft Corporation) C:\Windows\system32\msi.dll
2015-08-29 22:22 - 2015-06-15 23:43 - 00337408 _____ (Microsoft Corporation) C:\Windows\system32\msihnd.dll
2015-08-29 22:22 - 2015-06-15 23:42 - 00073216 _____ (Microsoft Corporation) C:\Windows\system32\msiexec.exe
2015-08-29 22:22 - 2015-06-15 23:37 - 00025088 _____ (Microsoft Corporation) C:\Windows\system32\msimsg.dll
2015-08-29 22:22 - 2015-06-02 01:47 - 00210432 _____ (Microsoft Corporation) C:\Windows\system32\cewmdm.dll
2015-08-29 22:21 - 2015-06-09 21:35 - 02745856 _____ (Microsoft Corporation) C:\Windows\system32\rdpcorets.dll
2015-08-29 22:21 - 2015-06-09 21:35 - 00013824 _____ (Microsoft Corporation) C:\Windows\system32\RdpGroupPolicyExtension.dll
2015-08-29 20:45 - 2015-08-29 20:45 - 00000028 _____ C:\Users\Zare\Desktop\joza epizoda.txt
 
==================== One Month Modified files and folders ========
 
(If an entry is included in the fixlist, the file/folder will be moved.)
 
2015-09-17 13:42 - 2014-09-06 02:01 - 00781298 _____ C:\Windows\system32\PerfStringBackup.INI
2015-09-17 13:40 - 2015-06-27 18:44 - 00000000 ____D C:\ProgramData\MCShield
2015-09-17 13:40 - 2009-07-14 06:39 - 00030410 _____ C:\Windows\setupact.log
2015-09-17 13:39 - 2014-09-08 20:23 - 00000830 _____ C:\Windows\Tasks\Adobe Flash Player Updater.job
2015-09-17 00:17 - 2009-07-14 04:37 - 00000000 ____D C:\Windows\rescache
2015-09-16 21:50 - 2014-09-06 01:50 - 01086493 _____ C:\Windows\WindowsUpdate.log
2015-09-16 05:40 - 2009-07-14 04:37 - 00000000 ____D C:\Windows\Microsoft.NET
2015-09-15 21:10 - 2009-07-14 06:34 - 00016944 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2015-09-15 21:10 - 2009-07-14 06:34 - 00016944 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2015-09-15 14:43 - 2009-07-14 06:53 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2015-09-15 14:29 - 2009-07-14 06:33 - 00408064 _____ C:\Windows\system32\FNTCACHE.DAT
2015-09-15 14:27 - 2009-07-14 09:50 - 00000000 ____D C:\Program Files\Windows Journal
2015-09-15 14:25 - 2014-09-06 15:38 - 00000000 ____D C:\ProgramData\Microsoft Help
2015-09-15 14:20 - 2014-09-06 02:32 - 00000000 ____D C:\Windows\system32\MRT
2015-09-14 21:41 - 2014-09-07 09:45 - 00000000 ____D C:\Users\Zare\.gimp-2.8
2015-09-14 21:14 - 2014-09-17 20:12 - 00000000 ____D C:\Users\Zare\AppData\Local\gtk-2.0
2015-09-13 20:24 - 2014-09-06 17:39 - 00000000 ____D C:\Users\Zare\AppData\Roaming\Adobe
2015-09-12 15:54 - 2014-09-06 05:35 - 00038810 _____ C:\Windows\PFRO.log
2015-09-11 22:39 - 2015-06-14 16:07 - 00000000 ____D C:\Users\Zare\AppData\Roaming\tixati
2015-09-09 18:57 - 2014-09-07 09:26 - 00000000 ____D C:\Users\Zare\Documents\Outlook Files
2015-08-29 23:24 - 2014-09-08 19:48 - 00000000 ____D C:\Windows\system32\appmgmt
2015-08-29 22:44 - 2015-06-14 14:54 - 00000000 ___SD C:\Windows\system32\CompatTel
2015-08-29 22:44 - 2015-06-14 14:54 - 00000000 ____D C:\Windows\system32\appraiser
2015-08-29 22:26 - 2009-07-14 04:04 - 00000478 _____ C:\Windows\win.ini
2015-08-29 21:09 - 2014-09-07 19:03 - 00002441 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Adobe Reader XI.lnk
2015-08-26 18:36 - 2014-09-06 02:32 - 132039072 _____ (Microsoft Corporation) C:\Windows\system32\MRT.exe
2015-08-26 09:03 - 2015-04-20 23:20 - 00000000 ____D C:\Users\Zare\Desktop\DORA
2015-08-26 09:02 - 2015-07-07 18:39 - 00000000 ____D C:\Users\Zare\Desktop\ŽIVI ZID
2015-08-26 07:20 - 2015-01-05 17:29 - 00000000 ____D C:\Users\Zare\Desktop\slike sa mobitela
2015-08-24 18:54 - 2014-09-08 20:22 - 00778440 _____ (Adobe Systems Incorporated) C:\Windows\system32\FlashPlayerApp.exe
2015-08-24 18:54 - 2014-09-08 20:22 - 00142536 _____ (Adobe Systems Incorporated) C:\Windows\system32\FlashPlayerCPLApp.cpl
 
==================== Files in the root of some directories =======
 
2015-06-28 03:09 - 2015-06-28 03:09 - 0139819 _____ () C:\Users\Miš\AppData\Local\ars.cache
2015-06-28 03:09 - 2015-06-28 03:09 - 0335481 _____ () C:\Users\Miš\AppData\Local\census.cache
2015-06-28 01:44 - 2015-06-28 01:44 - 0000036 _____ () C:\Users\Miš\AppData\Local\housecall.guid.cache
2014-10-09 16:05 - 2014-10-09 16:05 - 0000218 _____ () C:\Users\Miš\AppData\Local\recently-used.xbel
2015-06-28 01:54 - 2015-06-28 01:54 - 0000010 _____ () C:\Users\Miš\AppData\Local\sponge.last.runtime.cache
2015-06-27 21:20 - 2015-06-27 21:20 - 0256564 _____ () C:\ProgramData\1435432291.bdinstall.bin
 
Some files in TEMP:
====================
C:\Users\Zare\AppData\Local\Temp\cdo1493525127.dll
C:\Users\Zare\AppData\Local\Temp\cdo2450499901.dll
C:\Users\Zare\AppData\Local\Temp\cdo3366763840.dll
C:\Users\Zare\AppData\Local\Temp\cdo3582012831.dll
C:\Users\Zare\AppData\Local\Temp\cdo4115573727.dll
C:\Users\Zare\AppData\Local\Temp\setup_018A.exe
C:\Users\Zare\AppData\Local\Temp\setup_0767.exe
C:\Users\Zare\AppData\Local\Temp\setup_09A4.exe
C:\Users\Zare\AppData\Local\Temp\setup_0F26.exe
C:\Users\Zare\AppData\Local\Temp\setup_1297.exe
C:\Users\Zare\AppData\Local\Temp\setup_1C2F.exe
C:\Users\Zare\AppData\Local\Temp\setup_1E34.exe
C:\Users\Zare\AppData\Local\Temp\setup_2519.exe
C:\Users\Zare\AppData\Local\Temp\setup_254B.exe
C:\Users\Zare\AppData\Local\Temp\setup_2D15.exe
C:\Users\Zare\AppData\Local\Temp\setup_2F48.exe
C:\Users\Zare\AppData\Local\Temp\setup_2FFD.exe
C:\Users\Zare\AppData\Local\Temp\setup_32FF.exe
C:\Users\Zare\AppData\Local\Temp\setup_3A56.exe
C:\Users\Zare\AppData\Local\Temp\setup_3C6A.exe
C:\Users\Zare\AppData\Local\Temp\setup_4121.exe
C:\Users\Zare\AppData\Local\Temp\setup_42D8.exe
C:\Users\Zare\AppData\Local\Temp\setup_42DF.exe
C:\Users\Zare\AppData\Local\Temp\setup_4374.exe
C:\Users\Zare\AppData\Local\Temp\setup_4729.exe
C:\Users\Zare\AppData\Local\Temp\setup_4800.exe
C:\Users\Zare\AppData\Local\Temp\setup_4A65.exe
C:\Users\Zare\AppData\Local\Temp\setup_4C7F.exe
C:\Users\Zare\AppData\Local\Temp\setup_50E4.exe
C:\Users\Zare\AppData\Local\Temp\setup_5E3D.exe
C:\Users\Zare\AppData\Local\Temp\setup_5F52.exe
C:\Users\Zare\AppData\Local\Temp\setup_60CC.exe
C:\Users\Zare\AppData\Local\Temp\setup_643A.exe
C:\Users\Zare\AppData\Local\Temp\setup_7348.exe
C:\Users\Zare\AppData\Local\Temp\setup_7EAE.exe
 
 
==================== Bamital & volsnap =================
 
(There is no automatic fix for files that do not pass verification.)
 
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\system32\winlogon.exe => File is digitally signed
C:\Windows\system32\wininit.exe => File is digitally signed
C:\Windows\system32\svchost.exe => File is digitally signed
C:\Windows\system32\services.exe => File is digitally signed
C:\Windows\system32\User32.dll => File is digitally signed
C:\Windows\system32\userinit.exe => File is digitally signed
C:\Windows\system32\rpcss.dll => File is digitally signed
C:\Windows\system32\dnsapi.dll => File is digitally signed
C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed
 
 
LastRegBack: 2015-09-12 19:32
 
==================== End of FRST.txt ============================

 

Attached Files
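A small triage script over the kinds of lines shown in the FRST log above, added here as an example (it is not code from the thread, from FRST, or from its author). It flags the three things in such a log that deserve a second look: "setup" plus four hex digits dropped into a user's Temp folder (the naming pattern behind the UAC prompts described in this post, with or without the underscore), a service whose binary FRST reports as "[File not signed]", and a service or driver whose file FRST marks with "[X]" because it could not find it. The sample log is constructed in the shape of the excerpts above; "ExampleSvc" and its path are placeholders, not a real product.

```python
import re
from collections import Counter
from typing import Dict, List, Tuple

# Constructed sample in the shape of the FRST excerpts posted in this thread:
# a service list, a Temp-folder file list and the "Bamital & volsnap" checks.
# The ExampleSvc line is a placeholder for an ordinary signed service.
SAMPLE_FRST = r"""
==================== Services (constructed excerpt) =================
R2 Update service; C:\Program Files\Popcorn Time\Updater.exe [339968 2015-07-17] (Popcorn Time) [File not signed]
S3 Synth3dVsc; System32\drivers\synth3dvsc.sys [X]
R2 ExampleSvc; C:\Program Files\Example\svc.exe [4096 2015-01-01] (Example Vendor)
==================== Temp folder (constructed excerpt) ==============
C:\Users\Zare\AppData\Local\Temp\cdo3582012831.dll
C:\Users\Zare\AppData\Local\Temp\setup_018A.exe
C:\Users\Zare\AppData\Local\Temp\setup_7EAE.exe
C:\Users\Zare\AppData\Local\Temp\setup4D62.exe
C:\Users\Zare\AppData\Local\Temp\vcredist_x86.exe
==================== Bamital & volsnap =================
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\system32\winlogon.exe => File is digitally signed
"""

# "setup" + four hex digits, underscore optional, inside a user's Local\Temp:
# the naming pattern the original poster saw on the elevation prompts.
TEMP_DROPPER_RE = re.compile(
    r"^[A-Z]:\\Users\\[^\\]+\\AppData\\Local\\Temp\\setup_?[0-9A-F]{4}\.exe$",
    re.IGNORECASE)
# FRST service/driver line: "R2 Name; path [size date] (Vendor) [flags]"
# or, when the file is missing, "S3 Name; path [X]".
SERVICE_RE = re.compile(
    r"^(?P<state>[RSU]\d)\s+(?P<name>[^;]+);\s+(?P<path>.+?)\s+"
    r"(?:\[(?P<size>\d+)\s+(?P<date>\d{4}-\d{2}-\d{2})\]\s+\((?P<vendor>[^)]*)\)(?P<flags>.*)|\[X\])$")
# Signature-check line from the "Bamital & volsnap" section.
CHECKED_RE = re.compile(r"^(?P<path>.+?)\s+=>\s+File is (?P<status>.+)$")


def triage_frst(log_text: str) -> List[Tuple[str, str]]:
    """Return (category, log line) pairs for entries worth a second look."""
    findings: List[Tuple[str, str]] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("="):      # blank or section header
            continue
        if TEMP_DROPPER_RE.match(line):
            findings.append(("temp-dropper", line))
            continue
        svc = SERVICE_RE.match(line)
        if svc:
            if svc.group("size") is None:
                # the [X] form: FRST could not find the file the service points at
                findings.append(("missing-service-file", line))
            elif "[File not signed]" in (svc.group("flags") or ""):
                findings.append(("unsigned-service", line))
            continue
        chk = CHECKED_RE.match(line)
        if chk and chk.group("status") != "digitally signed":
            # any verdict other than "digitally signed" on a core system file
            findings.append(("core-file-check", line))
    return findings


def summarize(findings: List[Tuple[str, str]]) -> Dict[str, int]:
    """Count findings per category."""
    return dict(Counter(cat for cat, _ in findings))


if __name__ == "__main__":
    for category, detail in triage_frst(SAMPLE_FRST):
        print(f"{category:22} {detail}")
    print(summarize(triage_frst(SAMPLE_FRST)))
```

The three categories map onto what the helper in this thread later acted on: the unsigned "Update service" and the three "[X]" drivers went into the fixlist, and the Temp folder was emptied. Running the script over a full FRST.txt rather than the constructed sample only requires reading the file into the `triage_frst` argument.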




 


#2 nasdaq

  • Malware Response Team
  • 39,569 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 18 September 2015 - 09:54 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

Temporarily disable your AV program so it does not interfere.
Info on how to disable your security applications: How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs - Security Mini-Guides.

Download the Zoek tool from here

When the download appears, save to the Desktop.
On the Desktop, right-click the Zoek.exe file and select: Run as Administrator
(Give it a few seconds to appear.)

Next, copy/paste the entire script inside the code box below to the input field of Zoek:
createsrpoint;
autoclean;
emptyalltemp;
ipconfig /flushdns;b
Now...
Close any open Browsers.
Click the Run script button, and wait. It takes a few minutes to run the whole script.

When the tool finishes, the zoek-results.log is opened in Notepad.
The log is also found on the systemdrive, normally C:\
If a reboot is needed, the log is opened after the reboot.

Please attach the zoek-results.log in your reply.

Also, please provide an update on how the computer is behaving after running the above script.

#3 Finko

  • Topic Starter
  • Members
  • 6 posts

Posted 19 September 2015 - 04:39 AM

Hi!

 

I ran zoek and followed your instructions. For now the computer is running fine, but the problem I mentioned occurred randomly, usually in the evening while using the internet.

I will let you know if problem reappears.

 

I am attaching zoek-results log.

 

Thank you for helping!

Attached Files



#4 nasdaq

  • Malware Response Team
  • 39,569 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 19 September 2015 - 09:14 AM

If the problem returns and you are still using IE:

Reset Internet Explorer:
Menu > Tools > Internet Options > Advanced Tab.
Click the Reset button on the bottom of the pane.
Click the Apply button.
Close IE.


Clean the Internet Explorer Cache.
https://kb.wisc.edu/page.php?id=15141

For IE 10, 11 follow the following instructions.
http://refreshyourcache.com/en/internet-explorer-11/
===

How to clear cache and browsing history with Microsoft Edge
http://www.techulator.com/resources/14556-How-to-clear-cache-and-browsing-history-with-Microsoft-Edge.aspx
<<<>>>

If all is well.

To learn more about how to protect yourself while on the internet, read this little guide: best security practices, keep safe.
http://www.bleepingcomputer.com/forums/t/407147/answers-to-common-security-questions-best-practices/
===

#5 Finko

  • Topic Starter
  • Members
  • 6 posts

Posted 19 September 2015 - 09:40 AM

Can you tell me what the problem was, in fact? Was it a virus/trojan, did someone hack the computer, or something else?

Sorry, I don't want to be a nuisance but it never happened before...



#6 nasdaq

  • Malware Response Team
  • 39,569 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 20 September 2015 - 06:47 AM

I cannot tell you what caused it.
I looked at the Zoek log and did not find any indication of malware.
Possibly one of the files in the \temp folder was the culprit.


Did this happen after you installed C:\Program Files\Popcorn Time\Updater.exe?
That was my only concern when I checked your FRST log. It may have been installed without your consent.
Zoek did not target the file but cleaned a lot of temporary folders.

If all is well.

To learn more about how to protect yourself while on the internet, read this little guide: best security practices, keep safe.
http://www.bleepingcomputer.com/forums/t/407147/answers-to-common-security-questions-best-practices/
===

#7 Finko

  • Topic Starter
  • Members
  • 6 posts

Posted 20 September 2015 - 07:12 AM

It happened again half an hour ago, a setup program with some numbers after the name asking for the administrator password to run...

 

I followed your instructions for cleaning IE cache.

 

With regard to Popcorn Time, I can definitely remove it since my father doesn't use it any more.



#8 nasdaq

  • Malware Response Team
  • 39,569 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 20 September 2015 - 07:29 AM

Press the Windows key + R on your keyboard at the same time. This will open the RUN BOX.
Type Notepad and click the OK key.
Please copy the entire contents of the code box below to a new file.


start

CreateRestorePoint:
EmptyTemp:
CloseProcesses:

(Popcorn Time) C:\Program Files\Popcorn Time\Updater.exe
() C:\Program Files\Popcorn Time\PopcornTimeDesktop.exe
GroupPolicyScripts: Restriction <======= ATTENTION
R2 Update service; C:\Program Files\Popcorn Time\Updater.exe [339968 2015-07-17] (Popcorn Time) [File not signed]
S3 Synth3dVsc; System32\drivers\synth3dvsc.sys [X]
S3 tsusbhub; system32\drivers\tsusbhub.sys [X]
S3 VGPU; System32\drivers\rdvgkmd.sys [X]
C:\Program Files\Popcorn Time

End
Save the file as fixlist.txt in the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the Farbar log you have submitted.

Run FRST and click Fix only once and wait.

Restart the computer normally to reset the registry.

The tool will create a log (Fixlog.txt) please post it to your reply.
===

If the problem persists or returns, please run this tool.

--RogueKiller--
  • Download & SAVE to your Desktop Download RogueKiller
  • Quit all programs that you may have started.
  • Please disconnect any USB or external drives from the computer before you run this scan!
  • For Vista or Windows 7, right-click and select "Run as Administrator" to start
  • For Windows XP, double-click to start.
  • Wait until Prescan has finished ...
  • When instructed Click on "Scan" button
  • Wait until the Status box shows "Scan Finished"
  • Click on "Report"
  • Click on Export TXT button save the file as RogueReport.txt
  • The file RogueReport.txt will be saved in the desktop.
  • Close the program.
  • Open the file with Notepad and Copy/paste the content into your next reply.
<<<>>>

#9 Finko

  • Topic Starter
  • Members
  • 6 posts

Posted 21 September 2015 - 04:22 AM

Hi!

 

I ran FRST again following your instructions. The problem has not appeared since then, so I didn't run RogueKiller. Please tell me if I should run it anyway.

 

Here is the Fixlog:

 

Fix result of Farbar Recovery Scan Tool (x86) Version:15-09-2015
Ran by Miš (2015-09-20 16:12:24) Run:1
Running from C:\Users\Zare\Desktop
Loaded Profiles: Miš & Zare (Available Profiles: Miš & Zare)
Boot Mode: Normal
 
==============================================
 
fixlist content:
*****************
start
 
CreateRestorePoint:
EmptyTemp:
CloseProcesses:
 
(Popcorn Time) C:\Program Files\Popcorn Time\Updater.exe
() C:\Program Files\Popcorn Time\PopcornTimeDesktop.exe
GroupPolicyScripts: Restriction <======= ATTENTION
R2 Update service; C:\Program Files\Popcorn Time\Updater.exe [339968 2015-07-17] (Popcorn Time) [File not signed]
S3 Synth3dVsc; System32\drivers\synth3dvsc.sys [X]
S3 tsusbhub; system32\drivers\tsusbhub.sys [X]
S3 VGPU; System32\drivers\rdvgkmd.sys [X]
C:\Program Files\Popcorn Time
 
End
*****************
 
Restore point was successfully created.
Processes closed successfully.
C:\Program Files\Popcorn Time\Updater.exe
C:\Program Files\Popcorn Time\Updater.exe => No running process found
C:\Program Files\Popcorn Time\PopcornTimeDesktop.exe
C:\Program Files\Popcorn Time\PopcornTimeDesktop.exe => No running process found
"C:\Windows\system32\GroupPolicy\Machine" => File/Folder not found.
Update service => service removed successfully.
Synth3dVsc => service removed successfully.
tsusbhub => service removed successfully.
VGPU => service removed successfully.
C:\Program Files\Popcorn Time => moved successfully
EmptyTemp: => 6.8 MB temporary data Removed.
 
 
The system needed a reboot.
 
==== End of Fixlog 16:13:04 ====

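A check that the fix actually applied, added here as an example (not code from the thread or from FRST): it pairs every entry echoed in the "fixlist content" block with the result line FRST wrote for it further down, so an entry that got no result line is reported instead of assumed done. The sample input is the Fixlog posted above. Mapping the GroupPolicyScripts directive to the quoted GroupPolicy\Machine result line is an assumption based on this log alone.

```python
import re
from typing import Dict, List, Tuple

# Fixlog text as posted in reply #9 of this thread, used here as the sample input.
SAMPLE_FIXLOG = r"""Fix result of Farbar Recovery Scan Tool (x86) Version:15-09-2015
Ran by Miš (2015-09-20 16:12:24) Run:1
Boot Mode: Normal

fixlist content:
*****************
start

CreateRestorePoint:
EmptyTemp:
CloseProcesses:

(Popcorn Time) C:\Program Files\Popcorn Time\Updater.exe
() C:\Program Files\Popcorn Time\PopcornTimeDesktop.exe
GroupPolicyScripts: Restriction <======= ATTENTION
R2 Update service; C:\Program Files\Popcorn Time\Updater.exe [339968 2015-07-17] (Popcorn Time) [File not signed]
S3 Synth3dVsc; System32\drivers\synth3dvsc.sys [X]
S3 tsusbhub; system32\drivers\tsusbhub.sys [X]
S3 VGPU; System32\drivers\rdvgkmd.sys [X]
C:\Program Files\Popcorn Time

End
*****************

Restore point was successfully created.
Processes closed successfully.
C:\Program Files\Popcorn Time\Updater.exe
C:\Program Files\Popcorn Time\Updater.exe => No running process found
C:\Program Files\Popcorn Time\PopcornTimeDesktop.exe
C:\Program Files\Popcorn Time\PopcornTimeDesktop.exe => No running process found
"C:\Windows\system32\GroupPolicy\Machine" => File/Folder not found.
Update service => service removed successfully.
Synth3dVsc => service removed successfully.
tsusbhub => service removed successfully.
VGPU => service removed successfully.
C:\Program Files\Popcorn Time => moved successfully
EmptyTemp: => 6.8 MB temporary data Removed.

The system needed a reboot.
"""

# How the result line for each directive begins, taken from the Fixlog above.
# The GroupPolicyScripts entry is an assumption: the quoted Machine scripts folder
# is the only result line in this log that can correspond to that directive.
DIRECTIVE_RESULT_PREFIX = {
    "CreateRestorePoint": "Restore point",
    "CloseProcesses": "Processes closed",
    "EmptyTemp": "EmptyTemp:",
    "GroupPolicyScripts": '"C:\\Windows\\system32\\GroupPolicy\\Machine"',
}
SERVICE_RE = re.compile(r"^[RSU]\d\s+([^;]+);")   # "R2 Update service; ..."
PROCESS_RE = re.compile(r"^\([^)]*\)\s+(.+)$")     # "(Vendor) C:\path\x.exe"
MARKER_RE = re.compile(r"(?m)^\*{5,}\s*$")         # the ***** lines around the fixlist


def split_fixlog(text: str) -> Tuple[List[str], List[str]]:
    """Split a Fixlog into the echoed fixlist and the result lines after it."""
    parts = MARKER_RE.split(text)
    if len(parts) < 3:
        raise ValueError("no fixlist block found in Fixlog")
    fixlist = [l.strip() for l in parts[1].splitlines() if l.strip()]
    results = [l.strip() for l in parts[2].splitlines() if l.strip()]
    return fixlist, results


def fixlist_targets(fixlist: List[str]) -> List[Tuple[str, str]]:
    """Classify each fixlist line as a service, process, directive or path target."""
    targets: List[Tuple[str, str]] = []
    for line in fixlist:
        if line.lower() in ("start", "end"):
            continue
        m = SERVICE_RE.match(line)
        if m:
            targets.append(("service", m.group(1).strip()))
            continue
        m = PROCESS_RE.match(line)
        if m:
            targets.append(("process", m.group(1).strip()))
            continue
        head = line.split(":", 1)[0]
        if head in DIRECTIVE_RESULT_PREFIX:
            targets.append(("directive", head))
            continue
        targets.append(("path", line))
    return targets


def verify_fix(text: str) -> Dict[str, str]:
    """Map every fixlist target to FRST's reported outcome ("no result line" if none)."""
    fixlist, results = split_fixlog(text)
    outcome: Dict[str, str] = {}
    for kind, key in fixlist_targets(fixlist):
        prefix = DIRECTIVE_RESULT_PREFIX[key] if kind == "directive" else key
        # exact match or "prefix " so a folder target does not swallow lines for files under it
        hits = [r for r in results if r == prefix or r.startswith(prefix + " ")]
        if not hits:
            outcome[key] = "no result line"
            continue
        hit = next((h for h in hits if "=>" in h), hits[-1])
        outcome[key] = hit.split("=>", 1)[-1].strip()
    return outcome


def unverified(outcome: Dict[str, str]) -> List[str]:
    """Targets the Fixlog never reported on; these need a manual check or a re-run."""
    return [k for k, v in outcome.items() if v == "no result line"]


if __name__ == "__main__":
    for target, result in verify_fix(SAMPLE_FIXLOG).items():
        print(f"{target:55} {result}")
```

On this Fixlog every target has a matching result line, which is the check a helper does by eye before telling the poster to "work with the computer for a day or two": each service was removed, the Popcorn Time folder was moved, and both directives reported success.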

#10 nasdaq

  • Malware Response Team
  • 39,569 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 21 September 2015 - 06:16 AM

Work with the computer for a day or two, and if all is well:

To learn more about how to protect yourself while on the internet, read this little guide: best security practices, keep safe.
http://www.bleepingcomputer.com/forums/t/407147/answers-to-common-security-questions-best-practices/
===

#11 Finko

  • Topic Starter
  • Members
  • 6 posts

Posted 25 September 2015 - 07:07 AM

Hi!

 

The problem didn't show up again and all is well now!

 

Thank you very much for your help!



#12 nasdaq

  • Malware Response Team
  • 39,569 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 25 September 2015 - 08:10 AM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.



