Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Computer suddenly restarts & more


  • This topic is locked This topic is locked
2 replies to this topic

#1 CRussum

CRussum

  • Members
  • 22 posts
  • OFFLINE
  •  
  • Local time:12:55 PM

Posted 19 November 2015 - 05:57 PM

Windows 7 based desktop that is used by multiple people.  For the last couple of weeks, the computer has suddenly restarted after showing a blue screen of death with a memory error (sorry don't remember the error code).  At times the browsers (Chrome & IE 11) have also refused to work by not loading or not connecting.  In general, we are not able to keep the machine running without it restarting multiple times a day and certain programs are working less consistently.

 

Have run Malware Bytes every/every other day and some days it comes up clean and others it has not.  Trojan.Miuref, Backdoor.bot, Rootkit.Fileless.MTGen are a couple of issue that have been found. 

 

Have run MSE and it found some of the same programs.

 

FRST results:

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version:19-11-2015
Ran by Elevation Sales 2 (administrator) on ELEVATIONSALES2 (19-11-2015 15:28:41)
Running from C:\Users\Elevation Sales 2\Desktop
Loaded Profiles: Elevation Sales 2 (Available Profiles: Elevation Sales 2)
Platform: Windows 7 Professional Service Pack 1 (X64) Language: English (United States)
Internet Explorer Version 11 (Default browser: Chrome)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(Microsoft Corporation) C:\Program Files\Microsoft Security Client\MsMpEng.exe
(Wave Systems Corp.) C:\Program Files\Dell\Dell Data Protection\Access\Advanced\Wave\Trusted Drive Manager\TdmService.exe
(Microsoft Corporation) C:\Program Files\Microsoft Office 15\ClientX64\officeclicktorun.exe
() C:\Program Files\Dell\Dell Data Protection\Access\Advanced\Wave\EMBASSY Client Core\EmbassyServer.exe
(SEIKO EPSON CORPORATION) C:\Program Files\EPSON\EPuras\EPurasLog.exe
(Intel Corporation) C:\Windows\System32\IPROSetMonitor.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Services\IPT\jhi_service.exe
(Microsoft Corporation) C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe
(Wave Systems Corp.) C:\Program Files\Dell\Dell Data Protection\Access\Advanced\Wave\Authentication Manager\WaveAMService.exe
(Microsoft Corp.) C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
(SEIKO EPSON CORPORATION) C:\Program Files\EPSON\EPuras\EPuras.exe
(Microsoft Corporation) C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe
(Microsoft Corp.) C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVCM.EXE
(UPEK Inc.) C:\Program Files\Common Files\SPBA\upeksvr.exe
(Microsoft Corporation) C:\Program Files (x86)\Common Files\microsoft shared\Virtualization Handler\CVHSVC.EXE
(Microsoft Corporation) C:\Program Files\Microsoft Security Client\NisSrv.exe
(Microsoft Corporation) C:\Windows\System32\GWX\GWX.exe
(Realtek Semiconductor Corp.) C:\Program Files\Realtek\Audio\HDA\RtDCpl64.exe
(Wave Systems Corp.) C:\Program Files\Dell\Dell Data Protection\Access\Advanced\Wave\Trusted Drive Manager\TdmNotify.exe
(Microsoft Corporation) C:\Windows\WindowsMobile\wmdc.exe
(Intel Corporation) C:\Windows\System32\igfxtray.exe
(Intel Corporation) C:\Windows\System32\hkcmd.exe
(Intel Corporation) C:\Windows\System32\igfxpers.exe
(Microsoft Corporation) C:\Program Files\Microsoft Security Client\msseces.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Integrated Clock Controller Service\ICCProxy.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe
(CyberLink Corp.) C:\Program Files (x86)\CyberLink\PowerDVD9\PDVD9Serv.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\IMSS\PrivacyIconClient.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\LMS\LMS.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe
(Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe

==================== Registry (Whitelisted) ===========================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [RtHDVCpl] => C:\Program Files\Realtek\Audio\HDA\RtDCpl64.exe [2907240 2010-10-04] (Realtek Semiconductor Corp.)
HKLM\...\Run: [TdmNotify] => C:\Program Files\Dell\Dell Data Protection\Access\Advanced\Wave\Trusted Drive Manager\TdmNotify.exe [381296 2011-12-08] (Wave Systems Corp.)
HKLM\...\Run: [Windows Mobile Device Center] => C:\Windows\WindowsMobile\wmdc.exe [660360 2007-05-31] (Microsoft Corporation)
HKLM\...\Run: [MSC] => c:\Program Files\Microsoft Security Client\msseces.exe [1337000 2015-04-30] (Microsoft Corporation)
HKLM-x32\...\Run: [IAStorIcon] => C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe [283160 2010-11-05] (Intel Corporation)
HKLM-x32\...\Run: [IMSS] => C:\Program Files (x86)\Intel\Intel® Management Engine Components\IMSS\PIconStartup.exe [112408 2011-08-08] (Intel Corporation)
HKLM-x32\...\Run: [RemoteControl9] => C:\Program Files (x86)\CyberLink\PowerDVD9\PDVD9Serv.exe [87336 2010-10-01] (CyberLink Corp.)
HKLM-x32\...\Run: [PDVD9LanguageShortcut] => C:\Program Files (x86)\CyberLink\PowerDVD9\Language\Language.exe [50472 2010-09-17] (CyberLink Corp.)
HKLM-x32\...\Run: [AdobeCS5ServiceManager] => C:\Program Files (x86)\Common Files\Adobe\CS5ServiceManager\CS5ServiceManager.exe [402432 2010-07-22] (Adobe Systems Incorporated)
Winlogon\Notify\GoToAssist: C:\Program Files (x86)\Citrix\GoToAssist Corporate\1055\G2AWinLogon_x64.dll (Citrix Online, a division of Citrix Systems, Inc.)
Winlogon\Notify\igfxcui: C:\Windows\system32\igfxdev.dll (Intel Corporation)
Winlogon\Notify\spba: C:\Program Files\Common Files\SPBA\homefus2.dll (UPEK Inc.)
HKU\S-1-5-21-139741244-3834428195-1143620282-1000\...\Run: [AdobeBridge] => [X]
HKU\S-1-5-21-139741244-3834428195-1143620282-1000\Control Panel\Desktop\\SCRNSAVE.EXE -> C:\Windows\system32\Ribbons.scr [241664 2010-11-20] (Microsoft Corporation)
Lsa: [Authentication Packages] msv1_0 wvauth
ShellIconOverlayIdentifiers: [EnabledUnlockedFDEIconOverlay] -> {30D3C2AF-9709-4D05-9CF4-13335F3C1E4A} => C:\Program Files\Dell\Dell Data Protection\Access\Advanced\Wave\Trusted Drive Manager\TdmIconOverlay.dll [2011-12-08] (Wave Systems Corp.)
ShellIconOverlayIdentifiers: [UninitializedFdeIconOverlay] -> {CF08DA3E-C97D-4891-A66B-E39B28DD270F} => C:\Program Files\Dell\Dell Data Protection\Access\Advanced\Wave\Trusted Drive Manager\TdmIconOverlay.dll [2011-12-08] (Wave Systems Corp.)
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\TM-T88V Utility(Automatic Restore).lnk [2012-04-26]
ShortcutTarget: TM-T88V Utility(Automatic Restore).lnk -> C:\Program Files (x86)\EPSON\TM-T88V Software\TM88VUTL\TMRESTOREAPP.exe (SEIKO EPSON CORPORATION)

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

Tcpip\Parameters: [DhcpNameServer] 10.1.10.1
Tcpip\..\Interfaces\{343639B7-64A7-4CE6-A346-CCE64D6A1C6C}: [DhcpNameServer] 10.1.10.1

Internet Explorer:
==================
HKU\S-1-5-21-139741244-3834428195-1143620282-1000\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.dexdealer.com/
HKU\S-1-5-21-139741244-3834428195-1143620282-1000\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://g.msn.com/USREL/1
HKU\S-1-5-21-139741244-3834428195-1143620282-1000\Software\Microsoft\Internet Explorer\Main,Secondary Start Pages = hxxp://online2.qbp.com/
hxxp://www.jbimporters.com/
hxxp://www.trekbikes.com/
hxxp://www.bikes.com/
SearchScopes: HKLM -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKLM -> {0E27C41B-7DD3-4B7C-BB7B-B41B0420CF1B} URL = hxxp://www.bing.com/search?q={searchTerms}&form=DLRDF8&pc=MDDR&src=IE-SearchBox
SearchScopes: HKLM-x32 -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKLM-x32 -> {0E27C41B-7DD3-4B7C-BB7B-B41B0420CF1B} URL = hxxp://www.bing.com/search?q={searchTerms}&form=DLRDF8&pc=MDDR&src=IE-SearchBox
SearchScopes: HKU\S-1-5-21-139741244-3834428195-1143620282-1000 -> {0E27C41B-7DD3-4B7C-BB7B-B41B0420CF1B} URL =
BHO: Skype for Business Browser Helper -> {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} -> C:\Program Files\Microsoft Office 15\root\VFS\ProgramFilesX64\Microsoft Office\Office15\OCHelper.dll [2015-09-29] (Microsoft Corporation)
BHO: Windows Live ID Sign-in Helper -> {9030D464-4C02-4ABF-8ECC-5164760863C6} -> C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll [2010-09-21] (Microsoft Corp.)
BHO: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files\Microsoft Office 15\root\VFS\ProgramFilesX64\Microsoft Office\Office15\URLREDIR.DLL [2015-10-30] (Microsoft Corporation)
BHO: Microsoft SkyDrive Pro Browser Helper -> {D0498E0A-45B7-42AE-A9AA-ABA463DBD3BF} -> C:\Program Files\Microsoft Office 15\root\VFS\ProgramFilesX64\Microsoft Office\Office15\GROOVEEX.DLL [2015-10-30] (Microsoft Corporation)
BHO: Java™ Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files\Java\jre7\bin\jp2ssv.dll => No File
BHO-x32: Windows Live ID Sign-in Helper -> {9030D464-4C02-4ABF-8ECC-5164760863C6} -> C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll [2010-09-21] (Microsoft Corp.)
BHO-x32: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files\Microsoft Office 15\root\Office15\URLREDIR.DLL [2015-10-30] (Microsoft Corporation)
Toolbar: HKU\S-1-5-21-139741244-3834428195-1143620282-1000 -> No Name - {2318C2B1-4965-11D4-9B18-009027A5CD4F} -  No File
DPF: HKLM-x32 {02BCC737-B171-4746-94C9-0D8A0B2C0089} hxxp://office.microsoft.com/_layouts/ClientBin/ieawsdc32.cab
Handler-x32: osf - {D924BDC6-C83A-4BD5-90D0-095128A113D1} - C:\Program Files\Microsoft Office 15\root\Office15\MSOSB.DLL [2015-02-03] (Microsoft Corporation)

FireFox:
========
FF Plugin: @garmin.com/GpsControl -> C:\Program Files\Garmin GPS Plugin\npGarmin.dll [2013-10-09] (GARMIN Corp.)
FF Plugin: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files\Microsoft Silverlight\5.1.40728.0\npctrl.dll [2015-07-28] ( Microsoft Corporation)
FF Plugin-x32: @garmin.com/GpsControl -> C:\Program Files (x86)\Garmin GPS Plugin\npGarmin.dll [2013-10-09] (GARMIN Corp.)
FF Plugin-x32: @intel-webapi.intel.com/Intel WebAPI ipt;version=2.1.38 -> C:\Program Files (x86)\Intel\Services\IPT\npIntelWebAPIIPT.dll [2012-05-21] (Intel Corporation)
FF Plugin-x32: @intel-webapi.intel.com/Intel WebAPI updater -> C:\Program Files (x86)\Intel\Services\IPT\npIntelWebAPIUpdater.dll [2012-05-21] (Intel Corporation)
FF Plugin-x32: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin-x32: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files (x86)\Microsoft Silverlight\5.1.40728.0\npctrl.dll [2015-07-28] ( Microsoft Corporation)
FF Plugin-x32: @microsoft.com/SharePoint,version=14.0 -> C:\Program Files\Microsoft Office 15\root\Office15\NPSPWRAP.DLL [2013-11-19] (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/WLPG,version=15.4.3502.0922 -> C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll [2010-11-10] (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/WLPG,version=15.4.3508.1109 -> C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll [2010-11-10] (Microsoft Corporation)
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.28.15\npGoogleUpdate3.dll [2015-09-16] (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.28.15\npGoogleUpdate3.dll [2015-09-16] (Google Inc.)
FF Plugin-x32: Adobe Reader -> C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AIR\nppdf32.dll [2015-09-30] (Adobe Systems Inc.)
FF Plugin HKU\S-1-5-21-139741244-3834428195-1143620282-1000: @citrixonline.com/appdetectorplugin -> C:\Users\Elevation Sales 2\AppData\Local\Citrix\Plugins\104\npappdetector.dll [2014-10-24] (Citrix Online)

Chrome:
=======
CHR StartupUrls: Default -> "hxxp://www.trekbikes.com/","hxxp://www.dexdealer.com/"
CHR Profile: C:\Users\Elevation Sales 2\AppData\Local\Google\Chrome\User Data\Default
CHR Extension: (Google Docs) - C:\Users\Elevation Sales 2\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake [2015-02-06]
CHR Extension: (Google Drive) - C:\Users\Elevation Sales 2\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2015-10-22]
CHR Extension: (YouTube) - C:\Users\Elevation Sales 2\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2015-09-25]
CHR Extension: (Google Search) - C:\Users\Elevation Sales 2\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf [2015-10-29]
CHR Extension: (Google Docs Offline) - C:\Users\Elevation Sales 2\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi [2015-09-03]
CHR Extension: (Chrome Web Store Payments) - C:\Users\Elevation Sales 2\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2015-07-30]
CHR Extension: (Gmail) - C:\Users\Elevation Sales 2\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2015-03-29]

==================== Services (Whitelisted) ========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R2 ClickToRunSvc; C:\Program Files\Microsoft Office 15\ClientX64\OfficeClickToRun.exe [2780856 2015-10-07] (Microsoft Corporation)
R2 EmbassyService; C:\Program Files\Dell\Dell Data Protection\Access\Advanced\Wave\EMBASSY Client Core\EmbassyServer.exe [218504 2012-01-17] ()
R2 EpsonPuras; C:\Program Files\EPSON\EPuras\EPuras.exe [769536 2011-03-27] (SEIKO EPSON CORPORATION) [File not signed]
R2 EpsonPurasLog; C:\Program Files\EPSON\EPuras\EPurasLog.exe [444928 2011-03-27] (SEIKO EPSON CORPORATION) [File not signed]
S3 GoToAssist; C:\Program Files (x86)\Citrix\GoToAssist Corporate\1055\G2AC_Service.exe [309568 2014-10-24] (Citrix Online, a division of Citrix Systems, Inc.)
S2 MBAMService; C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe [1135416 2015-10-05] (Malwarebytes)
R2 MsMpSvc; c:\Program Files\Microsoft Security Client\MsMpEng.exe [23816 2015-04-30] (Microsoft Corporation)
R3 NisSrv; c:\Program Files\Microsoft Security Client\NisSrv.exe [366544 2015-04-30] (Microsoft Corporation)
S2 tcsd_win32.exe; C:\Program Files (x86)\NTRU Cryptosystems\NTRU TCG Software Stack\bin\tcsd_win32.exe [1637888 2011-10-08] () [File not signed]
R2 Wave Authentication Manager Service; C:\Program Files\Dell\Dell Data Protection\Access\Advanced\Wave\Authentication Manager\WaveAMService.exe [1679872 2012-01-05] (Wave Systems Corp.) [File not signed]
S3 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [1011712 2013-05-26] (Microsoft Corporation)
S3 WvPCR; C:\Program Files\Dell\Dell Data Protection\Access\Advanced\Wave\Common\WvPCR.exe [198144 2012-01-16] (Wave Systems Corp.) [File not signed]
S4 AdobeFlashPlayerUpdateSvc; C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [X]

===================== Drivers (Whitelisted) ==========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

S3 ebdrv; C:\Windows\system32\drivers\evbda.sys [3286016 2009-06-10] (Broadcom Corporation)
S2 EPSON TM Parallel Port Driver; C:\Windows\system32\drivers\tmlpt.sys [21640 2011-03-27] (SEIKO EPSON CORPORATION)
R3 Ingenico_cdc_acm; C:\Windows\System32\DRIVERS\Ingenico_cdc_acm.sys [86528 2013-02-14] (Jungo)
R3 Ingenico_enum; C:\Windows\System32\DRIVERS\Ingenico_enum.sys [79872 2013-02-14] (Jungo)
R3 IntcAzAudAddService; C:\Windows\System32\drivers\RTDVHD64.sys [1980648 2010-10-04] (Realtek Semiconductor Corp.)
R3 MBAMProtector; C:\Windows\system32\drivers\mbam.sys [25816 2015-10-05] (Malwarebytes)
S3 MBAMWebAccessControl; C:\Windows\system32\drivers\mwac.sys [63704 2015-10-05] (Malwarebytes Corporation)
R0 MpFilter; C:\Windows\System32\DRIVERS\MpFilter.sys [280376 2015-03-04] (Microsoft Corporation)
R2 NisDrv; C:\Windows\System32\DRIVERS\NisDrvWFP.sys [124568 2015-03-04] (Microsoft Corporation)
R3 TMUSB; C:\Windows\System32\DRIVERS\TMUSB64.SYS [61088 2009-11-24] (SEIKO EPSON CORPORATION)
S3 umpusbvista; C:\Windows\System32\DRIVERS\umpusbvista.sys [56320 2012-05-29] (Texas Instruments Inc)
S1 cdjqucve; \??\C:\Windows\system32\drivers\cdjqucve.sys [X]

==================== NetSvcs (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

==================== One Month Created files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2015-11-19 15:28 - 2015-11-19 15:28 - 00016661 _____ C:\Users\Elevation Sales 2\Desktop\FRST.txt
2015-11-19 15:27 - 2015-11-19 15:28 - 00000000 ____D C:\FRST
2015-11-19 15:23 - 2015-11-19 15:23 - 02020352 _____ (Farbar) C:\Users\Elevation Sales 2\Desktop\FRST64.exe
2015-11-19 15:04 - 2015-11-19 15:05 - 00281176 _____ C:\Windows\Minidump\111915-20514-01.dmp
2015-11-19 11:52 - 2015-11-19 11:53 - 00002441 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Acrobat Reader DC.lnk
2015-11-19 00:06 - 2015-11-19 00:06 - 00281176 _____ C:\Windows\Minidump\111915-17706-01.dmp
2015-11-17 14:52 - 2015-11-17 14:52 - 00001344 _____ C:\Users\Elevation Sales 2\Desktop\Logs.lnk
2015-11-17 11:29 - 2015-11-17 11:29 - 00002119 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Security Essentials.lnk
2015-11-17 11:29 - 2015-11-17 11:29 - 00000000 ____D C:\Program Files\Microsoft Security Client
2015-11-17 11:29 - 2015-11-17 11:29 - 00000000 ____D C:\Program Files (x86)\Microsoft Security Client
2015-11-16 22:27 - 2015-10-29 10:50 - 00342016 _____ (Microsoft Corporation) C:\Windows\system32\apphelp.dll
2015-11-16 22:27 - 2015-10-29 10:50 - 00072192 _____ (Microsoft Corporation) C:\Windows\system32\aelupsvc.dll
2015-11-16 22:27 - 2015-10-29 10:50 - 00023552 _____ (Microsoft Corporation) C:\Windows\system32\sdbinst.exe
2015-11-16 22:27 - 2015-10-29 10:50 - 00006656 _____ (Microsoft Corporation) C:\Windows\system32\shimeng.dll
2015-11-16 22:27 - 2015-10-29 10:50 - 00005120 _____ (Microsoft Corporation) C:\Windows\SysWOW64\shimeng.dll
2015-11-16 22:27 - 2015-10-29 10:49 - 00295936 _____ (Microsoft Corporation) C:\Windows\SysWOW64\apphelp.dll
2015-11-16 22:27 - 2015-10-29 10:49 - 00020992 _____ (Microsoft Corporation) C:\Windows\SysWOW64\sdbinst.exe
2015-11-13 10:33 - 2015-11-13 10:33 - 00029883 _____ C:\Users\Public\Documents\Pivot Inventory as of 11.11.15.xlsx
2015-11-03 10:25 - 2015-11-06 10:17 - 00000000 ____D C:\Users\Elevation Sales 2\AppData\Local\Osgmics
2015-11-03 10:25 - 2015-11-03 12:33 - 00000000 ____D C:\Users\Elevation Sales 2\AppData\Local\Uvbxmedia
2015-10-30 12:45 - 2015-10-30 12:45 - 00004096 _____ C:\Users\Elevation Sales 2\Downloads\TrekBicycleCorporation_10204.69620ERIC BJORLING_10-31-2015_48576.xls
2015-10-23 13:58 - 2015-10-23 13:58 - 00037200 _____ C:\Users\Public\Documents\Copy of Pivot Inventory as of 10.23.15.xlsx
2015-10-23 09:26 - 2015-10-23 09:26 - 00038851 _____ C:\Users\Public\Documents\Bikes Availability RMB Summary USA 2016 102315.xlsx
2015-10-20 09:13 - 2015-10-20 09:13 - 00025961 _____ C:\Users\Public\Documents\PIVOT Open Inventory 2015.10.20.xlsx

==================== One Month Modified files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2015-11-19 15:28 - 2009-07-13 21:45 - 00031312 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2015-11-19 15:28 - 2009-07-13 21:45 - 00031312 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2015-11-19 15:24 - 2013-10-07 10:19 - 00000830 _____ C:\Windows\Tasks\Adobe Flash Player Updater.job
2015-11-19 15:16 - 2012-03-15 21:22 - 01214687 _____ C:\Windows\WindowsUpdate.log
2015-11-19 15:16 - 2009-07-13 22:13 - 00006506 _____ C:\Windows\system32\PerfStringBackup.INI
2015-11-19 15:09 - 2012-04-26 11:43 - 00000894 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2015-11-19 15:09 - 2009-07-13 22:08 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2015-11-19 15:09 - 2009-07-13 21:51 - 00063870 _____ C:\Windows\setupact.log
2015-11-19 15:04 - 2015-06-27 12:31 - 00000000 ____D C:\Windows\Minidump
2015-11-19 15:04 - 2015-06-27 12:30 - 479048156 _____ C:\Windows\MEMORY.DMP
2015-11-19 14:56 - 2010-11-20 20:47 - 00799736 _____ C:\Windows\PFRO.log
2015-11-19 14:38 - 2012-04-26 11:43 - 00000898 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2015-11-19 14:10 - 2014-09-13 10:12 - 00192216 _____ (Malwarebytes) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
2015-11-19 11:53 - 2015-01-02 09:16 - 00003886 _____ C:\Windows\System32\Tasks\Adobe Acrobat Update Task
2015-11-19 11:52 - 2012-04-26 11:42 - 00000000 ____D C:\ProgramData\Adobe
2015-11-19 11:52 - 2012-04-26 11:42 - 00000000 ____D C:\Program Files (x86)\Adobe
2015-11-19 00:06 - 2012-04-26 11:43 - 00000000 ____D C:\Program Files\Google
2015-11-19 00:06 - 2012-04-26 11:43 - 00000000 ____D C:\Program Files (x86)\Google
2015-11-18 09:48 - 2012-04-26 11:43 - 00000000 ____D C:\Users\Elevation Sales 2\AppData\Local\Google
2015-11-18 09:21 - 2012-04-26 09:29 - 00000000 ____D C:\Users\Elevation Sales 2
2015-11-17 11:30 - 2014-01-31 10:30 - 00001945 _____ C:\Windows\epplauncher.mif
2015-11-12 03:03 - 2014-10-23 17:16 - 00775546 _____ C:\Windows\SysWOW64\PerfStringBackup.INI
2015-11-11 16:44 - 2009-07-13 22:08 - 00032614 _____ C:\Windows\Tasks\SCHEDLGU.TXT
2015-11-05 12:23 - 2014-02-04 14:49 - 00000000 ____D C:\Users\Elevation Sales 2\Desktop\DESKTOP ITEMS NEW
2015-11-03 12:33 - 2014-09-13 10:11 - 00000000 ____D C:\Program Files (x86)\Malwarebytes Anti-Malware
2015-11-03 12:33 - 2009-07-13 20:20 - 00000000 ____D C:\Windows\Resources
2015-11-03 11:48 - 2015-09-30 12:05 - 00001104 _____ C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2015-11-03 11:48 - 2014-09-13 10:11 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes Anti-Malware
2015-10-30 05:48 - 2013-11-19 12:25 - 00000000 ____D C:\Program Files\Microsoft Office 15

==================== Files in the root of some directories =======

2012-05-21 13:00 - 2012-05-21 13:00 - 0020984 _____ (Intel Corporation) C:\Users\Elevation Sales 2\AppData\Roaming\JomCap.dll
2013-03-28 08:56 - 2013-03-28 08:56 - 0005003 _____ () C:\Users\Elevation Sales 2\AppData\Roaming\UserTile.png

==================== Bamital & volsnap =================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\system32\winlogon.exe => File is digitally signed
C:\Windows\system32\wininit.exe => File is digitally signed
C:\Windows\SysWOW64\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\system32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\system32\services.exe => File is digitally signed
C:\Windows\system32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\system32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\system32\rpcss.dll => File is digitally signed
C:\Windows\system32\dnsapi.dll => File is digitally signed
C:\Windows\SysWOW64\dnsapi.dll => File is digitally signed
C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed

LastRegBack: 2015-11-10 00:53

==================== End of FRST.txt ============================

Attached Files



BC AdBot (Login to Remove)

 


#2 nasdaq

nasdaq

  • Malware Response Team
  • 38,594 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:03:55 PM

Posted 22 November 2015 - 09:14 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

This is just a cleanup of empty entries. Nothing suspicious was found on your logs.

Press the windows key Windows_Logo_key.gif+ r on your keyboard at the same time. This will open the RUN BOX.
Type Notepad and and click the OK key.
Please copy the entire contents of the code box below to the a new file.


start

CreateRestorePoint:
EmptyTemp:
CloseProcesses:

HKU\S-1-5-21-139741244-3834428195-1143620282-1000\...\Run: [AdobeBridge] => [X]
BHO: Java™ Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files\Java\jre7\bin\jp2ssv.dll => No File
Toolbar: HKU\S-1-5-21-139741244-3834428195-1143620282-1000 -> No Name - {2318C2B1-4965-11D4-9B18-009027A5CD4F} -  No File
FF Plugin: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin-x32: @microsoft.com/GENUINE -> disabled [No File]
S4 AdobeFlashPlayerUpdateSvc; C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [X]
AlternateDataStreams: C:\Users\Elevation Sales 2\Desktop\keystone deal.jpeg:3or4kl4x13tuuug3Byamue2s4b
AlternateDataStreams: C:\Users\Elevation Sales 2\Desktop\keystone deal.jpeg:{4c8cc155-6c1e-11d1-8e41-00c04fb9386d}

End
Save the file as fixlist.txt in the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the Farbar log you have submitted.

Run FRST and click Fix only once and wait.

Restart the computer normally to reset the registry.

The tool will create a log (Fixlog.txt) please post it to your reply.
===


Please download MiniToolBox to Desktop and run it.

Check mark the following boxes:
  • Flush DNS
  • Report IE Proxy Settings
  • Reset IE Proxy Settings
  • Report FF Proxy Settings
  • Reset FF Proxy Settings
  • List last 10 Event Viewer log
  • List content of Hosts
  • List IP Configuration
  • List Winsock Entries
  • List Installed Programs
  • List Users, Partitions and Memory size
  • List Devices (problems only)
  • List Minidump Files
  • List Restore Points
  • Click Go and copy/paste the log (Result.txt) into your next post.
  • Note: When using "Reset FF Proxy Settings" option Firefox should be closed.
p.s.
If you could make a note of the Exact error message it could help to identify the problem.

#3 nasdaq

nasdaq

  • Malware Response Team
  • 38,594 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:03:55 PM

Posted 27 November 2015 - 11:03 AM

Due to the lack of feedback, this topic is now closed.

In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days.

Please include a link to your topic in the Private Message. Thank you.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users