Help, computer's acting weird


This topic is locked
87 replies to this topic

#1 santare


Posted 15 December 2015 - 12:44 PM

I think my computer is being controlled by something. I'd like your help in getting rid of it.

 

I cannot use Combofix, because I have a shared internet connection. That means, if Combofix fails to restore the internet connection, you won't be able to hear about my progress or bettering that progress.


#2 santare


Posted 16 December 2015 - 08:31 AM

Windows Explorer is acting funny; sometimes it is unable to transfer files, and the mouse is sometimes out of control. Pop-ups appear in Chrome and Explorer on certain websites that don't have ads.



#3 nasdaq

  • Malware Response Team

Posted 16 December 2015 - 01:40 PM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can, please print this topic; it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

Download Malwarebytes' Anti-Malware from Here

Double-click mbam-setup-2.X.X.XXXX.exe to install the application (X's are the current version number).
  • Make sure a checkmark is placed next to Launch Malwarebytes' Anti-Malware, then click Finish.
  • Once MBAM opens, when it says Your databases are out of date, click the Fix Now button.
  • Click the Settings tab at the top, and then in the left column, select Detections and Protections, and if not already checked place a checkmark in the selection box for Scan for rootkits.
  • Click the Scan tab at the top of the program window, select Threat Scan and click the Scan Now button.
  • If you receive a message that updates are available, click the Update Now button (the update will be downloaded, installed, and the scan will start).
  • The scan may take some time to finish, so please be patient.
  • If potential threats are detected, ensure that Quarantine is selected as the Action for all the listed items, and click the Apply Actions button.
  • While still on the Scan tab, click the link for View detailed log, and in the window that opens click the Export button, select Text file (*.txt), and save the log to your Desktop.
  • The log is automatically saved by MBAM and can also be viewed by clicking the History tab and then selecting Application Logs.
POST THE LOG FOR MY REVIEW.

Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately.

===

Please download AdwCleaner by Xplode onto your Desktop.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click the Scan button and wait for the process to complete.
  • Click the LogFile button and the report will open in Notepad.
IMPORTANT
  • If you click the Clean button all items listed in the report will be removed.
If you find false-positive items or programs that you wish to keep, close the AdwCleaner window.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click the Scan button and wait for the process to complete.
  • Check off the element(s) you wish to keep.
  • Click on the Clean button and follow the prompts.
  • A log file will automatically open after the scan has finished.
  • Please post the content of that log file with your next answer.
  • You can find the log file at C:\AdwCleanerCx.txt (x is a number).
===


Download the version of this tool for your operating system.
Farbar Recovery Scan Tool (64 bit)
Farbar Recovery Scan Tool (32 bit)
and save it to a folder on your computer's Desktop.
Double-click to run it. When the tool opens, click Yes to the disclaimer.
Press Scan button.
It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply.

How to attach a file to your reply:
In the Reply section in the bottom of the topic Click the "more reply Options" button.

Attach the file.
Select "Choose a File" and navigate to the location of the file.
Click the file you wish to Attach.

Click the Add reply button.
===

Wait for further instructions.

#4 santare


Posted 16 December 2015 - 04:28 PM

I already have MBAM installed; do I need to download it again? I have an extension that I wish to keep.

#5 santare


Posted 16 December 2015 - 04:53 PM

Malwarebytes Anti-Malware
www.malwarebytes.org

Scan Date: 16.12.2015
Scan Time: 22:42
Logfile:
Administrator: Yes

Version: 2.2.0.1024
Malware Database: v2015.12.16.06
Rootkit Database: v2015.12.07.01
License: Free
Malware Protection: Disabled
Malicious Website Protection: Disabled
Self-protection: Disabled

OS: Windows 7
CPU: x86
File System: NTFS
User: Bojan

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 312951
Time Elapsed: 8 min, 3 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Warn
PUM: Enabled

Processes: 0
(No malicious items detected)

Modules: 0
(No malicious items detected)

Registry Keys: 0
(No malicious items detected)

Registry Values: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Folders: 4
PUP.Optional.MediaHint.ChrPRST, C:\Users\Bojan\AppData\Local\Google\Chrome\User Data\Default\Extensions\akipcefbjlmpbcejgdaopmmidpnjlhnb\0.2.3_0, , [a620bfe69cef8da9642db1ffcb39df21],
PUP.Optional.MediaHint.ChrPRST, C:\Users\Bojan\AppData\Local\Google\Chrome\User Data\Default\Extensions\akipcefbjlmpbcejgdaopmmidpnjlhnb\0.2.3_0\images, , [a620bfe69cef8da9642db1ffcb39df21],
PUP.Optional.MediaHint.ChrPRST, C:\Users\Bojan\AppData\Local\Google\Chrome\User Data\Default\Extensions\akipcefbjlmpbcejgdaopmmidpnjlhnb\0.2.3_0\_metadata, , [a620bfe69cef8da9642db1ffcb39df21],
PUP.Optional.MediaHint.ChrPRST, C:\Users\Bojan\AppData\Local\Google\Chrome\User Data\Default\Extensions\akipcefbjlmpbcejgdaopmmidpnjlhnb, , [a620bfe69cef8da9642db1ffcb39df21],

Files: 9
PUP.Optional.BestPriceNinja, C:\Users\Bojan\AppData\Local\Google\Chrome\User Data\Default\Local Storage\http_pstatic.bestpriceninja.com_0.localstorage, , [d3f37035fa91e155285c1fe78282ff01],
PUP.Optional.BestPriceNinja, C:\Users\Bojan\AppData\Local\Google\Chrome\User Data\Default\Local Storage\http_pstatic.bestpriceninja.com_0.localstorage-journal, , [5d69f8aded9e47ef087c828411f32ed2],
PUP.Optional.MediaHint.ChrPRST, C:\Users\Bojan\AppData\Local\Google\Chrome\User Data\Default\Extensions\akipcefbjlmpbcejgdaopmmidpnjlhnb\0.2.3_0\manifest.json, , [a620bfe69cef8da9642db1ffcb39df21],
PUP.Optional.MediaHint.ChrPRST, C:\Users\Bojan\AppData\Local\Google\Chrome\User Data\Default\Extensions\akipcefbjlmpbcejgdaopmmidpnjlhnb\0.2.3_0\app.js, , [a620bfe69cef8da9642db1ffcb39df21],
PUP.Optional.MediaHint.ChrPRST, C:\Users\Bojan\AppData\Local\Google\Chrome\User Data\Default\Extensions\akipcefbjlmpbcejgdaopmmidpnjlhnb\0.2.3_0\icon_128.png, , [a620bfe69cef8da9642db1ffcb39df21],
PUP.Optional.MediaHint.ChrPRST, C:\Users\Bojan\AppData\Local\Google\Chrome\User Data\Default\Extensions\akipcefbjlmpbcejgdaopmmidpnjlhnb\0.2.3_0\images\off_32.png, , [a620bfe69cef8da9642db1ffcb39df21],
PUP.Optional.MediaHint.ChrPRST, C:\Users\Bojan\AppData\Local\Google\Chrome\User Data\Default\Extensions\akipcefbjlmpbcejgdaopmmidpnjlhnb\0.2.3_0\images\on_32.png, , [a620bfe69cef8da9642db1ffcb39df21],
PUP.Optional.MediaHint.ChrPRST, C:\Users\Bojan\AppData\Local\Google\Chrome\User Data\Default\Extensions\akipcefbjlmpbcejgdaopmmidpnjlhnb\0.2.3_0\_metadata\computed_hashes.json, , [a620bfe69cef8da9642db1ffcb39df21],
PUP.Optional.MediaHint.ChrPRST, C:\Users\Bojan\AppData\Local\Google\Chrome\User Data\Default\Extensions\akipcefbjlmpbcejgdaopmmidpnjlhnb\0.2.3_0\_metadata\verified_contents.json, , [a620bfe69cef8da9642db1ffcb39df21],

Physical Sectors: 0
(No malicious items detected)

(end)



#6 santare


Posted 16 December 2015 - 04:59 PM

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version:16-12-2015 01
Ran by Bojan (administrator) on BOJAN-PC (16-12-2015 22:58:13)
Running from C:\Users\Bojan\Desktop
Loaded Profiles: Bojan (Available Profiles: Bojan)
Platform: Microsoft Windows 7 Ultimate  (X86) Language: English (United States)
Internet Explorer Version 9 (Default browser: IE)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(AMD) C:\Windows\System32\atiesrxx.exe
(AMD) C:\Windows\System32\atieclxx.exe
(www.shadowexplorer.com) C:\Program Files\ShadowExplorer\sesvc.exe
(Google Inc.) C:\Program Files\Google\Update\1.3.29.1\GoogleCrashHandler.exe
(VIA) C:\Program Files\VIA\VIAudioi\VDeck\VDeck.exe
(Oracle Corporation) C:\Program Files\Common Files\Java\Java Update\jusched.exe
(Wondershare) C:\Program Files\Common Files\Wondershare\Wondershare Helper Compact\WSHelper.exe
(Advanced Micro Devices Inc.) C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
(Microsoft Corporation) C:\Program Files\Microsoft Office\Office14\MSOSYNC.EXE
(Spotify Ltd) C:\Users\Bojan\AppData\Roaming\Spotify\SpotifyWebHelper.exe
() C:\Users\Bojan\Program Files\DNA\btdna.exe
(Microsoft Corporation) C:\Program Files\Microsoft Office\Office14\ONENOTEM.EXE
(ATI Technologies Inc.) C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
(Microsoft Corporation) C:\Windows\System32\wuauclt.exe
(hxxp://www.emule-project.net) D:\eMule\emule.exe
(Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe
(Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe
(Google Inc.) C:\Program Files\Google\Google Toolbar\GoogleToolbarUser_32.exe
(Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe
(Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe

==================== Registry (Whitelisted) ===========================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [BCSSync] => C:\Program Files\Microsoft Office\Office14\BCSSync.exe [91520 2010-01-21] (Microsoft Corporation)
HKLM\...\Run: [StartCCC] => C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe [98304 2009-11-10] (Advanced Micro Devices, Inc.)
HKLM\...\Run: [HDAudDeck] => C:\Program Files\VIA\VIAudioi\VDeck\VDeck.exe [1728512 2009-12-04] (VIA)
HKLM\...\Run: [VIAAUD] => C:\Program Files\VIA\VIAudioi\VDeck\VIAAUD.exe
HKLM\...\Run: [SunJavaUpdateSched] => C:\Program Files\Common Files\Java\Java Update\jusched.exe [253816 2013-03-12] (Oracle Corporation)
HKLM\...\Run: [Wondershare Helper Compact.exe] => C:\Program Files\Common Files\Wondershare\Wondershare Helper Compact\WSHelper.exe [1980416 2013-12-18] (Wondershare)
HKLM\...\Run: [BrowserPlugInHelper] => C:\Program Files\Wondershare\Video Converter Ultimate\BrowserPlugInHelper.exe [1962896 2014-02-12] ()
HKU\S-1-5-21-3418898318-3579430007-511159314-1000\...\Run: [OfficeSyncProcess] => C:\Program Files\Microsoft Office\Office14\MSOSYNC.EXE [717696 2010-01-16] (Microsoft Corporation)
HKU\S-1-5-21-3418898318-3579430007-511159314-1000\...\Run: [Spotify Web Helper] => C:\Users\Bojan\AppData\Roaming\Spotify\SpotifyWebHelper.exe [2346096 2015-12-15] (Spotify Ltd)
HKU\S-1-5-21-3418898318-3579430007-511159314-1000\...\Run: [BitTorrent DNA] => C:\Users\Bojan\Program Files\DNA\btdna.exe [290112 2014-12-05] ()
HKU\S-1-5-21-3418898318-3579430007-511159314-1000\...\Run: [Spotify] => C:\Users\Bojan\AppData\Roaming\Spotify\Spotify.exe [8387696 2015-12-15] (Spotify Ltd)
HKU\S-1-5-18\...\RunOnce: [SPReview] => C:\Windows\System32\SPReview\SPReview.exe [280576 2013-07-25] (Microsoft Corporation)
Startup: C:\Users\Bojan\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneNote 2010 Screen Clipper and Launcher.lnk [2013-04-22]
ShortcutTarget: OneNote 2010 Screen Clipper and Launcher.lnk -> C:\Program Files\Microsoft Office\Office14\ONENOTEM.EXE (Microsoft Corporation)

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

Tcpip\Parameters: [DhcpNameServer] 10.0.0.1
Tcpip\..\Interfaces\{EAF3F816-D0FD-474C-AB41-178F73628579}: [DhcpNameServer] 10.0.0.1

Internet Explorer:
==================
HKU\S-1-5-21-3418898318-3579430007-511159314-1000\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.google.com/ncr
SearchScopes: HKU\.DEFAULT -> DefaultScope {6A1806CD-94D4-4689-BA73-E35EA1EA9990} URL =
SearchScopes: HKU\S-1-5-21-3418898318-3579430007-511159314-1000 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-21-3418898318-3579430007-511159314-1000 -> {B2717064-23C2-41B7-BA22-9AE5CCB5368D} URL =
BHO: Wondershare Video Converter Ultimate -> {65DEE40A-3E93-4cae-9F98-B8E06DCEE2BF} -> C:\Program Files\Wondershare\Video Converter Ultimate\SVRIEPlugin.dll [2014-02-12] (Wondershare Software Co., Ltd.)
BHO: Groove GFS Browser Helper -> {72853161-30C5-4D22-B7F9-0BBC1D38A37E} -> C:\Program Files\Microsoft Office\Office14\GROOVEEX.DLL [2010-01-21] (Microsoft Corporation)
BHO: Java™ Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files\Java\jre7\bin\ssv.dll [2013-07-25] (Oracle Corporation)
BHO: Google Toolbar Helper -> {AA58ED58-01DD-4d91-8333-CF10577473F7} -> C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll [2015-09-20] (Google Inc.)
BHO: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL [2010-01-16] (Microsoft Corporation)
BHO: Java™ Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files\Java\jre7\bin\jp2ssv.dll [2013-07-25] (Oracle Corporation)
Toolbar: HKLM - Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll [2015-09-20] (Google Inc.)
Toolbar: HKU\S-1-5-21-3418898318-3579430007-511159314-1000 -> Google Toolbar - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll [2015-09-20] (Google Inc.)
DPF: {0D41B8C5-2599-4893-8183-00195EC8D5F9} hxxp://support.asus.com/select/asusTek_sys_ctrl3.cab
DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} hxxp://download.divx.com/player/DivXBrowserPlugin.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - C:\Program Files\Belarc\BelarcAdvisor\System\BAVoilaX.dll [2013-03-29] (Belarc, Inc.)

FireFox:
========
FF ProfilePath: C:\Users\Bojan\AppData\Roaming\Mozilla\Firefox\Profiles\k14jo04l.default
FF NetworkProxy: "type", 0
FF Plugin: @adobe.com/FlashPlayer -> C:\Windows\system32\Macromed\Flash\NPSWF32_20_0_0_235.dll [2015-12-08] ()
FF Plugin: @bittorrent.com/BitTorrentDNA -> C:\Program Files\DNA\plugins\npbtdna.dll [2014-12-04] (BitTorrent, Inc.)
FF Plugin: @foxitsoftware.com/Foxit Reader Plugin,version=1.0,application/pdf -> C:\Program Files\Foxit Software\Foxit Reader\plugins\npFoxitReaderPlugin.dll [2013-04-09] (Foxit Corporation)
FF Plugin: @Google.com/GoogleEarthPlugin -> C:\Program Files\Google\Google Earth\plugin\npgeplugin.dll [2010-09-01] (Google)
FF Plugin: @java.com/DTPlugin,version=10.25.2 -> C:\Windows\system32\npDeployJava1.dll [2013-07-25] (Oracle Corporation)
FF Plugin: @java.com/JavaPlugin,version=10.25.2 -> C:\Program Files\Java\jre7\bin\plugin2\npjp2.dll [2013-07-25] (Oracle Corporation)
FF Plugin: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> C:\Program Files\Microsoft Silverlight\5.1.20513.0\npctrl.dll [2013-05-13] ( Microsoft Corporation)
FF Plugin: @microsoft.com/OfficeAuthz,version=14.0 -> C:\PROGRA~1\MICROS~2\Office14\NPAUTHZ.DLL [2010-01-09] (Microsoft Corporation)
FF Plugin: @microsoft.com/SharePoint,version=14.0 -> C:\PROGRA~1\MICROS~2\Office14\NPSPWRAP.DLL [2010-01-10] (Microsoft Corporation)
FF Plugin: @tools.google.com/Google Update;version=3 -> C:\Program Files\Google\Update\1.3.29.1\npGoogleUpdate3.dll [2015-12-04] (Google Inc.)
FF Plugin: @tools.google.com/Google Update;version=9 -> C:\Program Files\Google\Update\1.3.29.1\npGoogleUpdate3.dll [2015-12-04] (Google Inc.)
FF Plugin: @videolan.org/vlc,version=2.0.7 -> C:\Program Files\VideoLAN\VLC\npvlc.dll [2015-04-13] (VideoLAN)
FF Plugin: @videolan.org/vlc,version=2.2.1 -> C:\Program Files\VideoLAN\VLC\npvlc.dll [2015-04-13] (VideoLAN)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\npbittorrent.dll [2007-08-29] (BitTorrent, Inc.)
FF Extension: Media Hint - C:\Users\Bojan\AppData\Roaming\Mozilla\Firefox\Profiles\k14jo04l.default\Extensions\mediahint@jetpack.xpi [2014-06-18] [not signed]
FF HKLM\...\Firefox\Extensions: [{8D150B8F-EFE8-45a3-A4A3-053020F48FAC}] - C:\Program Files\Wondershare\Video Converter Ultimate\SVRFirefoxExt
FF Extension: Wondershare Video Converter Ultimate - C:\Program Files\Wondershare\Video Converter Ultimate\SVRFirefoxExt [2014-02-17] [not signed]

Chrome:
=======
CHR Plugin: (Widevine Content Decryption Module) - C:\Users\Bojan\AppData\Local\Google\Chrome\User Data\WidevineCDM\1.4.8.824\_platform_specific\win_x86\widevinecdmadapter.dll (Google Inc.)
CHR Plugin: (Shockwave Flash) - C:\Program Files\Google\Chrome\Application\47.0.2526.80\PepperFlash\pepflashplayer.dll ()
CHR Profile: C:\Users\Bojan\AppData\Local\Google\Chrome\User Data\Default
CHR Extension: (Media Hint) - C:\Users\Bojan\AppData\Local\Google\Chrome\User Data\Default\Extensions\akipcefbjlmpbcejgdaopmmidpnjlhnb [2014-06-17]
CHR Extension: (Google Docs) - C:\Users\Bojan\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake [2015-02-16]
CHR Extension: (Google Drive) - C:\Users\Bojan\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2015-11-07]
CHR Extension: (YouTube) - C:\Users\Bojan\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2015-09-24]
CHR Extension: (Wondershare Video Converter Ultimate) - C:\Users\Bojan\AppData\Local\Google\Chrome\User Data\Default\Extensions\chgdeabpmphfhkoemjjglmilajldekbp [2014-02-17]
CHR Extension: (Webpage Screenshot) - C:\Users\Bojan\AppData\Local\Google\Chrome\User Data\Default\Extensions\ckibcdccnfeookdmbahgiakhnjcddpki [2015-10-06]
CHR Extension: (Google Search) - C:\Users\Bojan\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf [2015-11-07]
CHR Extension: (Google Docs Offline) - C:\Users\Bojan\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi [2015-12-12]
CHR Extension: (Chrome Web Store Payments) - C:\Users\Bojan\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2015-08-09]
CHR Extension: (Gmail) - C:\Users\Bojan\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2015-04-01]
CHR HKLM\...\Chrome\Extension: [chgdeabpmphfhkoemjjglmilajldekbp] - C:\Program Files\Wondershare\Video Converter Ultimate\SVRChromePlugin.crx [2014-02-12]

==================== Services (Whitelisted) ========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R2 sesvc; C:\Program Files\ShadowExplorer\sesvc.exe [9216 2013-01-02] (www.shadowexplorer.com) [File not signed]
R2 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [680960 2009-07-14] (Microsoft Corporation)

===================== Drivers (Whitelisted) ==========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

S3 UCORESYS; D:\H55M-LE(1.80)WIN\UCORESYS.SYS [15432 2009-08-21] ()
S3 VASDeviceDrm; C:\Windows\System32\drivers\vasdDev.sys [1451312 2012-03-19] (ShiningMorning Inc.)
R3 VIAHdAudAddService; C:\Windows\System32\drivers\viahduaa.sys [1108480 2009-11-25] (VIA Technologies, Inc.)
S3 ALSysIO; \??\C:\Users\Bojan\AppData\Local\Temp\ALSysIO.sys [X]
S3 SANDRA; \??\C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2013.SP2\WNt500x86\Sandra.sys [X]

==================== NetSvcs (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

==================== One Month Created files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2015-12-16 22:57 - 2015-12-16 22:57 - 01721344 _____ (Farbar) C:\Users\Bojan\Desktop\FRST.exe
2015-12-16 22:54 - 2015-12-16 22:54 - 00003549 _____ C:\Users\Bojan\Documents\abc.txt
2015-12-16 22:40 - 2015-12-16 22:39 - 22908888 _____ (Malwarebytes ) C:\Users\Bojan\Desktop\mbam-setup-2.2.0.1024.exe

==================== One Month Modified files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2015-12-16 22:58 - 2015-03-10 18:33 - 00012967 _____ C:\Users\Bojan\Desktop\FRST.txt
2015-12-16 22:58 - 2014-04-21 13:00 - 00000000 ____D C:\FRST
2015-12-16 22:52 - 2014-12-04 19:38 - 00000000 ____D C:\Users\Bojan\AppData\Roaming\DNA
2015-12-16 22:42 - 2014-12-23 00:26 - 00170200 _____ (Malwarebytes) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
2015-12-16 22:42 - 2014-12-23 00:26 - 00001060 _____ C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2015-12-16 22:42 - 2014-12-23 00:26 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes Anti-Malware
2015-12-16 22:42 - 2014-12-23 00:26 - 00000000 ____D C:\Program Files\Malwarebytes Anti-Malware
2015-12-16 22:23 - 2013-03-29 13:43 - 00001044 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2015-12-16 22:10 - 2013-03-27 08:43 - 00000830 _____ C:\Windows\Tasks\Adobe Flash Player Updater.job
2015-12-16 21:52 - 2009-07-14 03:37 - 00000000 ____D C:\Windows\tracing
2015-12-16 21:25 - 2013-03-29 13:44 - 00002129 _____ C:\Users\Public\Desktop\Google Chrome.lnk
2015-12-16 17:23 - 2013-03-29 13:43 - 00001040 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2015-12-16 16:16 - 2013-06-28 15:42 - 00000000 ____D C:\Users\Bojan\AppData\Roaming\Spotify
2015-12-16 15:46 - 2009-07-14 05:34 - 00024112 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2015-12-16 15:46 - 2009-07-14 05:34 - 00024112 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2015-12-16 15:45 - 2010-02-10 06:43 - 00726316 _____ C:\Windows\system32\PerfStringBackup.INI
2015-12-16 15:45 - 2009-07-14 03:37 - 00000000 ____D C:\Windows\inf
2015-12-16 15:41 - 2013-06-28 15:42 - 00000000 ____D C:\Users\Bojan\AppData\Local\Spotify
2015-12-16 15:41 - 2013-04-01 13:05 - 00065536 _____ C:\Windows\system32\Ikeext.etl
2015-12-16 15:41 - 2009-07-14 05:53 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2015-12-15 22:12 - 2013-04-01 23:23 - 00000000 ____D C:\Users\Bojan\AppData\Roaming\SolSuite
2015-12-14 20:46 - 2015-10-10 15:16 - 00002938 _____ C:\Users\Bojan\Desktop\smh123.txt
2015-12-13 02:40 - 2013-03-27 08:47 - 00000000 ____D C:\Users\Bojan\AppData\Roaming\vlc
2015-12-12 19:49 - 2014-12-04 19:12 - 00000000 ____D C:\Users\Bojan\AppData\Roaming\BitTorrent
2015-12-08 21:10 - 2013-03-27 08:43 - 00796864 _____ (Adobe Systems Incorporated) C:\Windows\system32\FlashPlayerApp.exe
2015-12-08 21:10 - 2013-03-27 08:43 - 00142528 _____ (Adobe Systems Incorporated) C:\Windows\system32\FlashPlayerCPLApp.cpl

==================== Files in the root of some directories =======

2015-10-06 14:11 - 2015-10-06 14:11 - 0008628 _____ () C:\Users\Bojan\AppData\Roaming\HELP_DECRYPT.HTML
2015-10-06 14:11 - 2015-10-06 14:11 - 0046248 _____ () C:\Users\Bojan\AppData\Roaming\HELP_DECRYPT.PNG
2015-10-06 14:11 - 2015-10-06 14:11 - 0004254 _____ () C:\Users\Bojan\AppData\Roaming\HELP_DECRYPT.TXT
2015-10-06 14:11 - 2015-10-06 14:11 - 0000292 _____ () C:\Users\Bojan\AppData\Roaming\HELP_DECRYPT.URL
2015-10-06 14:10 - 2015-10-06 14:10 - 0008628 _____ () C:\Users\Bojan\AppData\Roaming\Microsoft\HELP_DECRYPT.HTML
2015-10-06 14:10 - 2015-10-06 14:10 - 0046248 _____ () C:\Users\Bojan\AppData\Roaming\Microsoft\HELP_DECRYPT.PNG
2015-10-06 14:10 - 2015-10-06 14:10 - 0004254 _____ () C:\Users\Bojan\AppData\Roaming\Microsoft\HELP_DECRYPT.TXT
2015-10-06 14:10 - 2015-10-06 14:10 - 0000292 _____ () C:\Users\Bojan\AppData\Roaming\Microsoft\HELP_DECRYPT.URL
2015-10-06 14:09 - 2015-10-06 14:09 - 0008628 _____ () C:\Users\Bojan\AppData\Local\HELP_DECRYPT.HTML
2015-10-06 14:09 - 2015-10-06 14:09 - 0046248 _____ () C:\Users\Bojan\AppData\Local\HELP_DECRYPT.PNG
2015-10-06 14:09 - 2015-10-06 14:09 - 0004254 _____ () C:\Users\Bojan\AppData\Local\HELP_DECRYPT.TXT
2015-10-06 14:09 - 2015-10-06 14:09 - 0000292 _____ () C:\Users\Bojan\AppData\Local\HELP_DECRYPT.URL
2013-04-04 13:15 - 2014-04-17 23:52 - 0007605 _____ () C:\Users\Bojan\AppData\Local\Resmon.ResmonCfg
2014-09-16 14:23 - 2014-09-16 14:23 - 0008176 _____ () C:\ProgramData\DECRYPT_INSTRUCTION.HTML
2014-09-16 14:23 - 2014-09-16 14:23 - 0004132 _____ () C:\ProgramData\DECRYPT_INSTRUCTION.TXT
2014-09-16 14:23 - 2014-09-16 14:23 - 0000252 _____ () C:\ProgramData\DECRYPT_INSTRUCTION.URL
2015-10-06 14:06 - 2015-10-06 14:06 - 0008628 _____ () C:\ProgramData\HELP_DECRYPT.HTML
2015-10-06 14:06 - 2015-10-06 14:06 - 0046248 _____ () C:\ProgramData\HELP_DECRYPT.PNG
2015-10-06 14:06 - 2015-10-06 14:06 - 0004254 _____ () C:\ProgramData\HELP_DECRYPT.TXT
2015-10-06 14:06 - 2015-10-06 14:06 - 0000292 _____ () C:\ProgramData\HELP_DECRYPT.URL

Some files in TEMP:
====================
C:\Users\Bojan\AppData\Local\Temp\13-1_vista_win7_win8_32_dd_ccc_whql.exe
C:\Users\Bojan\AppData\Local\Temp\13-4_vista_win7_win8_32_dd_ccc_whql.exe
C:\Users\Bojan\AppData\Local\Temp\1365166199194_DriverUtils.dll
C:\Users\Bojan\AppData\Local\Temp\a.exe
C:\Users\Bojan\AppData\Local\Temp\DivXInstaller.exe
C:\Users\Bojan\AppData\Local\Temp\i4jdel0.exe
C:\Users\Bojan\AppData\Local\Temp\jre-7u25-windows-i586-iftw.exe
C:\Users\Bojan\AppData\Local\Temp\SpotifyUninstall.exe
C:\Users\Bojan\AppData\Local\Temp\utt7692.tmp.exe
C:\Users\Bojan\AppData\Local\Temp\uttF047.tmp.exe
C:\Users\Bojan\AppData\Local\Temp\vlc-2.2.1-win32.exe

==================== Bamital & volsnap =================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\explorer.exe => File is digitally signed
C:\Windows\system32\winlogon.exe => File is digitally signed
C:\Windows\system32\wininit.exe => File is digitally signed
C:\Windows\system32\svchost.exe => File is digitally signed
C:\Windows\system32\services.exe => File is digitally signed
C:\Windows\system32\User32.dll => File is digitally signed
C:\Windows\system32\userinit.exe => File is digitally signed
C:\Windows\system32\rpcss.dll => File is digitally signed
C:\Windows\system32\dnsapi.dll => File is digitally signed
C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed

LastRegBack: 2015-12-10 00:59

==================== End of FRST.txt ============================
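The FRST.txt above is the log nasdaq asked for in #3, and reviewing it by hand means scanning a few sections for the same handful of things every time. As an added example (not part of this thread and not Farbar's or Malwarebytes' code), here is a small Python triage script run over a constructed excerpt of that log: it flags autoruns with no publisher, services or drivers that are unsigned or whose file is missing, leftover ransom-note files (HELP_DECRYPT.*, DECRYPT_INSTRUCTION.*), and executables sitting in Temp. The section-banner handling, the regexes and the reason labels are assumptions about the log layout, not anything FRST documents.

```python
import re
from collections import namedtuple

# Constructed excerpt modelled on the FRST.txt posted above (a handful of its lines,
# not the whole log); the paths and SID are the ones that appear in that post.
SAMPLE_FRST = r"""
==================== Registry (Whitelisted) ===========================

HKLM\...\Run: [BCSSync] => C:\Program Files\Microsoft Office\Office14\BCSSync.exe [91520 2010-01-21] (Microsoft Corporation)
HKLM\...\Run: [BrowserPlugInHelper] => C:\Program Files\Wondershare\Video Converter Ultimate\BrowserPlugInHelper.exe [1962896 2014-02-12] ()
HKU\S-1-5-21-3418898318-3579430007-511159314-1000\...\Run: [BitTorrent DNA] => C:\Users\Bojan\Program Files\DNA\btdna.exe [290112 2014-12-05] ()

==================== Services (Whitelisted) ========================

R2 sesvc; C:\Program Files\ShadowExplorer\sesvc.exe [9216 2013-01-02] (www.shadowexplorer.com) [File not signed]
R2 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [680960 2009-07-14] (Microsoft Corporation)

===================== Drivers (Whitelisted) ==========================

R3 VIAHdAudAddService; C:\Windows\System32\drivers\viahduaa.sys [1108480 2009-11-25] (VIA Technologies, Inc.)
S3 ALSysIO; \??\C:\Users\Bojan\AppData\Local\Temp\ALSysIO.sys [X]

==================== Files in the root of some directories =======

2015-10-06 14:11 - 2015-10-06 14:11 - 0008628 _____ () C:\Users\Bojan\AppData\Roaming\HELP_DECRYPT.HTML
2014-09-16 14:23 - 2014-09-16 14:23 - 0008176 _____ () C:\ProgramData\DECRYPT_INSTRUCTION.HTML
2013-04-04 13:15 - 2014-04-17 23:52 - 0007605 _____ () C:\Users\Bojan\AppData\Local\Resmon.ResmonCfg

Some files in TEMP:
====================
C:\Users\Bojan\AppData\Local\Temp\a.exe
C:\Users\Bojan\AppData\Local\Temp\vlc-2.2.1-win32.exe
"""

# Assumed layout, read off the log above: "==== Name ====" banners, bare rules of "=",
# "[Name] => path [size date] (vendor)" autoruns (empty "()" means no publisher),
# "R2 name; path [...]" services/drivers ("[X]" marks a missing file).
SECTION_RE = re.compile(r"^=+\s*(?P<name>.+?)\s*=+$")
RULE_RE = re.compile(r"^=+$")
AUTORUN_RE = re.compile(r"\[(?P<name>[^\]]+)\] => (?P<path>.+?) \[\d+ \d{4}-\d{2}-\d{2}\] \((?P<vendor>[^)]*)\)")
DRIVER_RE = re.compile(r"^[RS]\d (?P<name>[^;]+); ")
ROOTFILE_RE = re.compile(r"\(\) (?P<path>.+)$")
# Ransom-note file names present in the posted log (both are well-known CryptoWall note names).
RANSOM_NOTE_STEMS = {"HELP_DECRYPT", "DECRYPT_INSTRUCTION"}

Finding = namedtuple("Finding", "section reason detail")


def split_sections(text):
    """Return [(section_name, lines)] using the banner and 'Name:' + rule layouts."""
    raw, sections, name, lines = text.splitlines(), [], None, []
    for i, line in enumerate(raw):
        line = line.rstrip()
        if not line or RULE_RE.match(line):
            continue
        nxt = raw[i + 1].strip() if i + 1 < len(raw) else ""
        m = SECTION_RE.match(line)
        if m or (line.endswith(":") and RULE_RE.match(nxt)):
            if name is not None:
                sections.append((name, lines))
            name, lines = (m.group("name") if m else line[:-1]), []
            continue
        lines.append(line)
    if name is not None:
        sections.append((name, lines))
    return sections


def triage_frst(text):
    """Flag the entries a responder checks first; everything else is left alone."""
    findings = []
    for section, lines in split_sections(text):
        for line in lines:
            if section.startswith("Registry"):
                m = AUTORUN_RE.search(line)
                if m and not m.group("vendor").strip():
                    findings.append(Finding(section, "autorun with no publisher", m.group("path")))
            elif section.startswith(("Services", "Drivers")):
                m = DRIVER_RE.match(line)
                if m and line.endswith("[X]"):
                    findings.append(Finding(section, "file missing", m.group("name")))
                elif m and "[File not signed]" in line:
                    findings.append(Finding(section, "unsigned binary", m.group("name")))
            elif section.startswith("Files in the root"):
                m = ROOTFILE_RE.search(line)
                stem = m.group("path").rsplit("\\", 1)[-1].rsplit(".", 1)[0] if m else ""
                if stem.upper() in RANSOM_NOTE_STEMS:
                    findings.append(Finding(section, "ransom note artefact", m.group("path")))
            elif section.startswith("Some files in TEMP") and line.lower().endswith(".exe"):
                findings.append(Finding(section, "executable in Temp", line))
    return findings


def summarize(findings):
    """Count findings per reason, for a quick overview before reading each line."""
    counts = {}
    for f in findings:
        counts[f.reason] = counts.get(f.reason, 0) + 1
    return counts


if __name__ == "__main__":
    for f in triage_frst(SAMPLE_FRST):
        print(f"[{f.section}] {f.reason}: {f.detail}")
```

Point it at a real FRST.txt with `triage_frst(open("FRST.txt", encoding="utf-8-sig").read())`; the flagged lines are a starting point for review, not a verdict.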



#7 santare


Posted 16 December 2015 - 05:06 PM

Additional scan result of Farbar Recovery Scan Tool (x86) Version:16-12-2015 01
Ran by Bojan (2015-12-16 23:03:17)
Running from C:\Users\Bojan\Desktop
Microsoft Windows 7 Ultimate  (X86) (2013-03-26 10:19:04)
Boot Mode: Normal
==========================================================

==================== Accounts: =============================

Administrator (S-1-5-21-3418898318-3579430007-511159314-500 - Administrator - Disabled)
Bojan (S-1-5-21-3418898318-3579430007-511159314-1000 - Administrator - Enabled) => C:\Users\Bojan
Guest (S-1-5-21-3418898318-3579430007-511159314-501 - Limited - Disabled)

==================== Security Center ========================

(If an entry is included in the fixlist, it will be removed.)

AS: Windows Defender (Enabled - Out of date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

==================== Installed Programs ======================

(Only the adware programs with "Hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)

Adobe Flash Player 20 ActiveX (HKLM\...\Adobe Flash Player ActiveX) (Version: 20.0.0.228 - Adobe Systems Incorporated)
Adobe Flash Player 20 NPAPI (HKLM\...\Adobe Flash Player NPAPI) (Version: 20.0.0.235 - Adobe Systems Incorporated)
Akoff Music Composer Demo 3.2 (HKLM\...\Akoff Music Composer Demo) (Version: 3.2 - Akoff Sound Labs)
AMD Catalyst Install Manager (HKLM\...\{0BD03BF6-3A66-EC7F-5155-28A8D6C69409}) (Version: 8.0.911.0 - Advanced Micro Devices, Inc.)
Any Video Converter 3.3.4 (HKLM\...\Any Video Converter_is1) (Version:  - Any-Video-Converter.com)
ATI AVIVO Codecs (Version: 10.11.0.41110 - ATI Technologies Inc.) Hidden
ATI Problem Report Wizard (Version: 3.0.750.0 - ATI Technologies) Hidden
BBC iPlayer Downloads (HKLM\...\{D4DBE0A6-4984-4A1C-8911-388BC9AB533B}) (Version: 1.13.1 - BBC)
Belarc Advisor 8.3 (HKLM\...\Belarc Advisor) (Version: 8.3.2.0 - Belarc Inc.)
BitTorrent 6.0 (HKU\S-1-5-21-3418898318-3579430007-511159314-1000\...\BitTorrent) (Version: 6.0 - BitTorrent, Inc)
ccc-core-static (Version: 2009.1110.2225.40230 - ATI) Hidden
DNA (HKU\S-1-5-21-3418898318-3579430007-511159314-1000\...\BitTorrent DNA) (Version: 2.0.0 (6132) - BitTorrent Inc.)
ffdshow v1.3.4504 [2013-03-12] (HKLM\...\ffdshow_is1) (Version: 1.3.4504.0 - )
File Repair (HKLM\...\File Repair_is1) (Version:  - File Repair)
Foxit Reader (HKLM\...\Foxit Reader) (Version: 4.3.0.1110 - Foxit Corporation)
Google Chrome (HKLM\...\Google Chrome) (Version: 47.0.2526.106 - Google Inc.)
Google Toolbar for Internet Explorer (HKLM\...\{2318C2B1-4965-11d4-9B18-009027A5CD4F}) (Version: 7.5.6904.2028 - Google Inc.)
Google Toolbar for Internet Explorer (Version: 1.0.0 - Google Inc.) Hidden
Google Update Helper (Version: 1.3.25.11 - Google Inc.) Hidden
Google Update Helper (Version: 1.3.29.1 - Google Inc.) Hidden
Google Zemlja (HKLM\...\{4286E640-B5FB-11DF-AC4B-005056C00008}) (Version: 5.2.1.1588 - Google)
Guitar Pro 5.2 (HKLM\...\Guitar Pro 5_is1) (Version:  - Arobas Music)
HydraVision (Version: 4.2.116.0 - ATI Technologies Inc.) Hidden
Impro-Visor 6.0 (HKLM\...\6140-2535-4985-4395) (Version: 6.0 - Robert Keller)
i-Sound Recorder Pro 7.1.5.0 (HKLM\...\i-Sound Recorder for Windows 7_is1) (Version: 7.1.5.0 - AbyssMedia.com)
Java 7 Update 25 (HKLM\...\{26A24AE4-039D-4CA4-87B4-2F83217025FF}) (Version: 7.0.250 - Oracle)
Malwarebytes Anti-Malware version 2.2.0.1024 (HKLM\...\Malwarebytes Anti-Malware_is1) (Version: 2.2.0.1024 - Malwarebytes)
Microsoft .NET Framework 4 Client Profile (HKLM\...\Microsoft .NET Framework 4 Client Profile) (Version: 4.0.30319 - Microsoft Corporation)
Microsoft Office Professional Plus 2010 (HKLM\...\Office14.PROPLUS) (Version: 14.0.4734.1000 - Microsoft Corporation)
Microsoft Silverlight (HKLM\...\{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}) (Version: 5.1.20513.0 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (HKLM\...\{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}) (Version: 8.0.61001 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (HKLM\...\{837b34e3-7c30-493c-8f6a-2b0f04e2912c}) (Version: 8.0.59193 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148 (HKLM\...\{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}) (Version: 9.0.30729.4148 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (HKLM\...\{9BE518E6-ECC6-35A9-88E4-87755C07200F}) (Version: 9.0.30729.6161 - Microsoft Corporation)
Microsoft Visual C++ 2010  x86 Redistributable - 10.0.30319 (HKLM\...\{196BB40D-1578-3D01-B289-BEFC77A11A1E}) (Version: 10.0.30319 - Microsoft Corporation)
Mozilla Firefox 42.0 (x86 en-US) (HKLM\...\Mozilla Firefox 42.0 (x86 en-US)) (Version: 42.0 - Mozilla)
Mozilla Maintenance Service (HKLM\...\MozillaMaintenanceService) (Version: 42.0.0.5780 - Mozilla)
OCCT 4.4.0 (HKLM\...\OCCT) (Version: 4.4.0 - Ocbase.com)
Platform (Version: 1.34 - VIA Technologies, Inc.) Hidden
Replay Video Capture 6 (HKLM\...\Replay Video Capture6.0.6.1) (Version: 6.0.6.1 - Applian Technologies Inc.)
Riffstation Trial version 1.53 (HKLM\...\{710868FC-1DCC-4A88-8823-DF8293B051E1}_is1) (Version: 1.53 - Sonic Ladder Ltd)
ShadowExplorer 0.9 (HKLM\...\ShadowExplorer_is1) (Version: 0.9.462.0 - ShadowExplorer.com)
Skype™ 7.0 (HKLM\...\{24991BA0-F0EE-44AD-9CC8-5EC50AECF6B7}) (Version: 7.0.102 - Skype Technologies S.A.)
Slovarji (HKLM\...\Slovarji) (Version:  - )
SolSuite 2012 v12.1 (HKLM\...\SolSuite_is1) (Version:  - TreeCardGames)
Sonic Visualiser (HKLM\...\{0B606763-0C0F-48B2-805E-39E247B0C618}) (Version: 2.4.1 - Queen Mary, University of London)
Sound Forge Pro 10.0 (HKLM\...\{B8A817D7-AE0F-42BA-AEB9-B5F1F3EFB7AF}) (Version: 10.0.425 - Sony)
Spotify (HKU\S-1-5-21-3418898318-3579430007-511159314-1000\...\Spotify) (Version: 1.0.20.94.g8f8543b3 - Spotify AB)
Subtitle Workshop 2.51 (HKLM\...\SubtitleWorkshop) (Version:  - )
VIA Platform Device Manager (HKLM\...\InstallShield_{20D4A895-748C-4D88-871C-FDB1695B0169}) (Version: 1.34 - VIA Technologies, Inc.)
VLC media player (HKLM\...\VLC media player) (Version: 2.2.1 - VideoLAN)
WinRAR 4.20 (32-bit) (HKLM\...\WinRAR archiver) (Version: 4.20.0 - win.rar GmbH)
Wondershare Video Converter Ultimate(Build 6.8.0.2) (HKLM\...\Wondershare Video Converter Ultimate_is1) (Version: 6.8.0.2 - Wondershare Software)

==================== Custom CLSID (Whitelisted): ==========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

==================== Restore Points =========================

27-11-2015 17:56:02 Scheduled Checkpoint
05-12-2015 00:00:02 Scheduled Checkpoint
12-12-2015 00:41:26 Scheduled Checkpoint

==================== Hosts content: ===============================

(If needed Hosts: directive could be included in the fixlist to reset Hosts.)

2009-07-14 03:04 - 2009-06-10 22:39 - 00000824 ____A C:\Windows\system32\Drivers\etc\hosts

==================== Scheduled Tasks (Whitelisted) =============

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

Task: {903B693C-69C7-464A-AF16-9AB4BDE962D2} - System32\Tasks\GoogleUpdateTaskMachineUA => C:\Program Files\Google\Update\GoogleUpdate.exe [2015-08-29] (Google Inc.)
Task: {D2C051C4-23B3-4B9A-9CA3-E6F01D2D1044} - System32\Tasks\Adobe Flash Player Updater => C:\Windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2015-12-08] (Adobe Systems Incorporated)
Task: {EFF97C7B-E25C-452D-B47C-55711FEA4EBD} - System32\Tasks\{61767830-408C-43CE-A537-D2EF79793278} => C:\Program Files\Realtek\Audio\InstallShield\Rtkupd.exe
Task: {F84E1026-B886-41CD-85CC-58A7E4904202} - System32\Tasks\GoogleUpdateTaskMachineCore => C:\Program Files\Google\Update\GoogleUpdate.exe [2015-08-29] (Google Inc.)

(If an entry is included in the fixlist, the task (.job) file will be moved. The file which is running by the task will not be moved.)

Task: C:\Windows\Tasks\Adobe Flash Player Updater.job => C:\Windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe
Task: C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job => C:\Program Files\Google\Update\GoogleUpdate.exe
Task: C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job => C:\Program Files\Google\Update\GoogleUpdate.exe

==================== Shortcuts =============================

(The entries could be listed to be restored or removed.)

==================== Loaded Modules (Whitelisted) ==============

2010-01-09 20:18 - 2010-01-09 20:18 - 04254560 _____ () C:\Program Files\Common Files\microsoft shared\OFFICE14\Cultures\OFFICE.ODF
2010-01-21 01:34 - 2010-01-21 01:34 - 08793952 _____ () C:\Program Files\Microsoft Office\Office14\1033\GrooveIntlResource.dll
2014-02-17 17:37 - 2013-08-07 14:31 - 00214528 _____ () C:\Windows\System32\WSCM32.dll
2013-04-05 15:11 - 2009-05-07 15:50 - 00073728 _____ () C:\Program Files\VIA\VIAudioi\VDeck\QsApoApi.dll
2013-04-05 15:11 - 2009-05-07 15:53 - 00106496 _____ () C:\Program Files\VIA\VIAudioi\VDeck\Dts2ApoApi.dll
2013-04-05 15:11 - 2008-02-14 12:57 - 00094208 _____ () C:\Program Files\VIA\VIAudioi\VDeck\VMicApi.dll
2013-04-05 15:11 - 2009-11-03 10:11 - 47628288 _____ () C:\Program Files\VIA\VIAudioi\VDeck\Skin.dll
2014-02-17 17:37 - 2013-07-24 09:24 - 00137728 _____ () C:\Program Files\Common Files\Wondershare\Wondershare Helper Compact\CBSCreateVC.dll
2014-12-05 14:38 - 2014-12-05 14:38 - 00290112 _____ () C:\Users\Bojan\Program Files\DNA\btdna.exe
2009-11-24 13:36 - 2009-11-24 13:36 - 00016384 ____R () C:\Program Files\ATI Technologies\ATI.ACE\Branding\Branding.dll
2013-03-26 13:12 - 2013-03-26 13:12 - 00270336 _____ () C:\Windows\assembly\GAC_MSIL\CLI.Aspect.CrossDisplay.Graphics.Dashboard\1.0.0.0__90ba9c70f846762e\CLI.Aspect.CrossDisplay.Graphics.Dashboard.dll

==================== Alternate Data Streams (Whitelisted) =========

(If an entry is included in the fixlist, only the ADS will be removed.)

==================== Safe Mode (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The "AlternateShell" value will be restored.)

==================== EXE Association (Whitelisted) ===============

(If an entry is included in the fixlist, the registry item will be restored to default or removed.)

==================== Internet Explorer trusted/restricted ===============

(If an entry is included in the fixlist, it will be removed from the registry.)

==================== Other Areas ============================

(Currently there is no automatic fix for this section.)

HKU\S-1-5-21-3418898318-3579430007-511159314-1000\Control Panel\Desktop\\Wallpaper -> C:\Users\Bojan\AppData\Roaming\Microsoft\Windows\Themes\TranscodedWallpaper.jpg
DNS Servers: 10.0.0.1
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System => (ConsentPromptBehaviorAdmin: 5) (ConsentPromptBehaviorUser: 3) (EnableLUA: 1)
Windows Firewall is disabled.

==================== MSCONFIG/TASK MANAGER disabled items ==

(Currently there is no automatic fix for this section.)

MSCONFIG\startupfolder: C:^Users^Bojan^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^A1230B056.lnk => C:\Windows\pss\A1230B056.lnk.Startup
MSCONFIG\startupfolder: C:^Users^Bojan^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^kwzeab.lnk => C:\Windows\pss\kwzeab.lnk.Startup
MSCONFIG\startupreg: kwzeab => C:\Users\Bojan\baezwk\kwzeab.exe /k
MSCONFIG\startupreg: pigtedahacas => C:\Users\Bojan\pigtedahacas.exe

==================== FirewallRules (Whitelisted) ===============

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

FirewallRules: [TCP Query User{E139C38D-9C9F-4B15-A67F-E0C5BF95491B}C:\program files\bittorrent\bittorrent.exe] => (Allow) C:\program files\bittorrent\bittorrent.exe
FirewallRules: [UDP Query User{9DDAE9F9-2103-4A94-B1FA-7D4F82F61A1D}C:\program files\bittorrent\bittorrent.exe] => (Allow) C:\program files\bittorrent\bittorrent.exe
FirewallRules: [TCP Query User{5C6B9E1A-054C-4FCE-B439-2238F97F0F81}D:\emule\emule.exe] => (Allow) D:\emule\emule.exe
FirewallRules: [UDP Query User{B0F0A68B-AC01-43E2-8E94-6D5D4535D341}D:\emule\emule.exe] => (Allow) D:\emule\emule.exe
FirewallRules: [{0B1E001D-13BF-434D-928D-739EA6F83BA4}] => (Allow) C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2013.SP2\WNt500x86\RpcSandraSrv.exe
FirewallRules: [{276D386D-7827-486A-8F87-D69E4E491354}] => (Allow) C:\Program Files\DNA\btdna.exe
FirewallRules: [{5DC84CA4-A504-45F0-A705-5A59BD022EA4}] => (Allow) C:\Program Files\DNA\btdna.exe
FirewallRules: [{5B2189C1-5492-4E55-98BC-E3D2414AF6A6}] => (Allow) C:\Program Files\Skype\Phone\Skype.exe
FirewallRules: [{13A85DE6-07B3-4500-895E-439BBB92BFFF}] => (Allow) C:\Program Files\Mozilla Firefox\firefox.exe
FirewallRules: [{B2A7C8BB-71E3-4327-B24D-2523DCF9A541}] => (Allow) C:\Program Files\Mozilla Firefox\firefox.exe
FirewallRules: [{3B9C9E2E-2023-46B9-828E-8CB090463DAB}] => (Allow) C:\Program Files\Mozilla Firefox\firefox.exe
FirewallRules: [{CBC1F0A6-FC98-4F53-A357-F8BFBB08BD40}] => (Allow) C:\Program Files\Mozilla Firefox\firefox.exe
FirewallRules: [{D6709FAD-8646-496F-9FCC-61FD80E566FF}] => (Allow) C:\Program Files\Google\Chrome\Application\chrome.exe
StandardProfile\AuthorizedApplications: [C:\Program Files\BitTorrent\bittorrent.exe] => Enabled:BitTorrent

==================== Faulty Device Manager Devices =============

==================== Event log errors: =========================

Application errors:
==================
Error: (12/12/2015 02:14:12 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: iexplore.exe, version: 9.0.8112.16476, time stamp: 0x5126e7ac
Faulting module name: unknown, version: 0.0.0.0, time stamp: 0x00000000
Exception code: 0xc0000005
Fault offset: 0xf6331c40
Faulting process id: 0x1160
Faulting application start time: 0xiexplore.exe0
Faulting application path: iexplore.exe1
Faulting module path: iexplore.exe2
Report Id: iexplore.exe3

Error: (12/10/2015 07:47:59 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: DivFix++.exe, version: 0.0.0.0, time stamp: 0x4ad8005d
Faulting module name: ntdll.dll, version: 6.1.7600.16915, time stamp: 0x4ec49caf
Exception code: 0xc0000374
Fault offset: 0x000c33bb
Faulting process id: 0xa0c
Faulting application start time: 0xDivFix++.exe0
Faulting application path: DivFix++.exe1
Faulting module path: DivFix++.exe2
Report Id: DivFix++.exe3

Error: (12/10/2015 07:35:04 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: DivFix++.exe, version: 0.0.0.0, time stamp: 0x4ad8005d
Faulting module name: DivFix++.exe, version: 0.0.0.0, time stamp: 0x4ad8005d
Exception code: 0xc0000005
Fault offset: 0x0002b693
Faulting process id: 0x13e0
Faulting application start time: 0xDivFix++.exe0
Faulting application path: DivFix++.exe1
Faulting module path: DivFix++.exe2
Report Id: DivFix++.exe3

Error: (11/28/2015 10:45:31 AM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: iexplore.exe, version: 9.0.8112.16476, time stamp: 0x5126e7ac
Faulting module name: ntdll.dll, version: 6.1.7600.16915, time stamp: 0x4ec49caf
Exception code: 0xc0000005
Fault offset: 0x0002f963
Faulting process id: 0xb0c
Faulting application start time: 0xiexplore.exe0
Faulting application path: iexplore.exe1
Faulting module path: iexplore.exe2
Report Id: iexplore.exe3

Error: (11/07/2015 01:35:13 AM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: iexplore.exe, version: 9.0.8112.16476, time stamp: 0x5126e7ac
Faulting module name: ntdll.dll, version: 6.1.7600.16915, time stamp: 0x4ec49caf
Exception code: 0xc0000005
Fault offset: 0x00046850
Faulting process id: 0x1190
Faulting application start time: 0xiexplore.exe0
Faulting application path: iexplore.exe1
Faulting module path: iexplore.exe2
Report Id: iexplore.exe3

Error: (11/02/2015 10:50:07 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: KMPlayer.exe, version: 2.9.3.1214, time stamp: 0x2a425e19
Faulting module name: bass.dll, version: 2.3.0.1, time stamp: 0x448daadd
Exception code: 0xc0000005
Fault offset: 0x0001d084
Faulting process id: 0xb7c
Faulting application start time: 0xKMPlayer.exe0
Faulting application path: KMPlayer.exe1
Faulting module path: KMPlayer.exe2
Report Id: KMPlayer.exe3

Error: (11/01/2015 01:16:00 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: iexplore.exe, version: 9.0.8112.16476, time stamp: 0x5126e7ac
Faulting module name: Flash32_19_0_0_226.ocx, version: 19.0.0.226, time stamp: 0x561f2c93
Exception code: 0xc0000005
Fault offset: 0x007fb26a
Faulting process id: 0x1618
Faulting application start time: 0xiexplore.exe0
Faulting application path: iexplore.exe1
Faulting module path: iexplore.exe2
Report Id: iexplore.exe3

Error: (10/31/2015 11:12:49 AM) (Source: VSS) (EventID: 13) (User: )
Description: Volume Shadow Copy Service information: The COM Server with CLSID {e579ab5f-1cc4-44b4-bed9-de0991ff0623} and name Coordinator cannot be started. [0x80070005, Access is denied.
]

Error: (10/31/2015 02:22:45 AM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: iexplore.exe, version: 9.0.8112.16476, time stamp: 0x5126e7ac
Faulting module name: MSHTML.dll, version: 9.0.8112.16476, time stamp: 0x5126ee6c
Exception code: 0xc0000005
Fault offset: 0x002cd1d6
Faulting process id: 0x1c58
Faulting application start time: 0xiexplore.exe0
Faulting application path: iexplore.exe1
Faulting module path: iexplore.exe2
Report Id: iexplore.exe3

Error: (10/29/2015 10:58:52 PM) (Source: Application Hang) (EventID: 1002) (User: )
Description: The program iexplore.exe version 9.0.8112.16476 stopped interacting with Windows and was closed. To see if more information about the problem is available, check the problem history in the Action Center control panel.

Process ID: 13c0

Start Time: 01d11294bdb53a2b

Termination Time: 144

Application Path: C:\Program Files\Internet Explorer\iexplore.exe

Report Id:

System errors:
=============
Error: (12/15/2015 01:37:55 AM) (Source: Disk) (EventID: 11) (User: )
Description: The driver detected a controller error on \Device\Harddisk1\DR1.

Error: (12/15/2015 01:37:55 AM) (Source: Disk) (EventID: 11) (User: )
Description: The driver detected a controller error on \Device\Harddisk1\DR1.

Error: (12/15/2015 01:37:54 AM) (Source: Disk) (EventID: 11) (User: )
Description: The driver detected a controller error on \Device\Harddisk1\DR1.

Error: (12/15/2015 01:37:54 AM) (Source: Disk) (EventID: 11) (User: )
Description: The driver detected a controller error on \Device\Harddisk1\DR1.

Error: (12/14/2015 01:29:40 AM) (Source: Disk) (EventID: 11) (User: )
Description: The driver detected a controller error on \Device\Harddisk1\DR1.

Error: (12/14/2015 01:29:39 AM) (Source: Disk) (EventID: 11) (User: )
Description: The driver detected a controller error on \Device\Harddisk1\DR1.

Error: (12/14/2015 01:29:38 AM) (Source: Disk) (EventID: 11) (User: )
Description: The driver detected a controller error on \Device\Harddisk1\DR1.

Error: (12/08/2015 01:51:20 AM) (Source: Disk) (EventID: 11) (User: )
Description: The driver detected a controller error on \Device\Harddisk1\DR1.

Error: (12/08/2015 01:51:19 AM) (Source: Disk) (EventID: 11) (User: )
Description: The driver detected a controller error on \Device\Harddisk1\DR1.

Error: (12/08/2015 01:51:18 AM) (Source: Disk) (EventID: 11) (User: )
Description: The driver detected a controller error on \Device\Harddisk1\DR1.

==================== Memory info ===========================

Processor: Intel® Core™ i3 CPU 550 @ 3.20GHz
Percentage of memory in use: 42%
Total physical RAM: 3255.05 MB
Available physical RAM: 1876.19 MB
Total Virtual: 6506.33 MB
Available Virtual: 5028.77 MB

==================== Drives ================================

Drive c: () (Fixed) (Total:130.19 GB) (Free:77.61 GB) NTFS
Drive d: () (Fixed) (Total:1732.47 GB) (Free:241.23 GB) NTFS

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (Size: 1863 GB) (Disk ID: EA5316F0)
Partition 1: (Active) - (Size=356 MB) - (Type=07 NTFS)
Partition 2: (Not Active) - (Size=130.2 GB) - (Type=07 NTFS)
Partition 3: (Not Active) - (Size=1732.5 GB) - (Type=07 NTFS)

==================== End of Addition.txt ============================



#8 santare

santare
  • Topic Starter

  • Members
  • 225 posts
  • OFFLINE
  •  
  • Local time:05:35 AM

Posted 16 December 2015 - 05:13 PM

Malwarebytes Anti-Malware
www.malwarebytes.org

Scan Date: 16.12.2015
Scan Time: 22:42
Logfile:
Administrator: Yes

Version: 2.2.0.1024
Malware Database: v2015.12.16.06
Rootkit Database: v2015.12.07.01
License: Free
Malware Protection: Disabled
Malicious Website Protection: Disabled
Self-protection: Disabled

OS: Windows 7
CPU: x86
File System: NTFS
User: Bojan

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 312951
Time Elapsed: 8 min, 3 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Warn
PUM: Enabled

Processes: 0
(No malicious items detected)

Modules: 0
(No malicious items detected)

Registry Keys: 0
(No malicious items detected)

Registry Values: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Folders: 4
PUP.Optional.MediaHint.ChrPRST, C:\Users\Bojan\AppData\Local\Google\Chrome\User Data\Default\Extensions\akipcefbjlmpbcejgdaopmmidpnjlhnb\0.2.3_0, , [a620bfe69cef8da9642db1ffcb39df21],
PUP.Optional.MediaHint.ChrPRST, C:\Users\Bojan\AppData\Local\Google\Chrome\User Data\Default\Extensions\akipcefbjlmpbcejgdaopmmidpnjlhnb\0.2.3_0\images, , [a620bfe69cef8da9642db1ffcb39df21],
PUP.Optional.MediaHint.ChrPRST, C:\Users\Bojan\AppData\Local\Google\Chrome\User Data\Default\Extensions\akipcefbjlmpbcejgdaopmmidpnjlhnb\0.2.3_0\_metadata, , [a620bfe69cef8da9642db1ffcb39df21],
PUP.Optional.MediaHint.ChrPRST, C:\Users\Bojan\AppData\Local\Google\Chrome\User Data\Default\Extensions\akipcefbjlmpbcejgdaopmmidpnjlhnb, , [a620bfe69cef8da9642db1ffcb39df21],

Files: 9
PUP.Optional.BestPriceNinja, C:\Users\Bojan\AppData\Local\Google\Chrome\User Data\Default\Local Storage\http_pstatic.bestpriceninja.com_0.localstorage, , [d3f37035fa91e155285c1fe78282ff01],
PUP.Optional.BestPriceNinja, C:\Users\Bojan\AppData\Local\Google\Chrome\User Data\Default\Local Storage\http_pstatic.bestpriceninja.com_0.localstorage-journal, , [5d69f8aded9e47ef087c828411f32ed2],
PUP.Optional.MediaHint.ChrPRST, C:\Users\Bojan\AppData\Local\Google\Chrome\User Data\Default\Extensions\akipcefbjlmpbcejgdaopmmidpnjlhnb\0.2.3_0\manifest.json, , [a620bfe69cef8da9642db1ffcb39df21],
PUP.Optional.MediaHint.ChrPRST, C:\Users\Bojan\AppData\Local\Google\Chrome\User Data\Default\Extensions\akipcefbjlmpbcejgdaopmmidpnjlhnb\0.2.3_0\app.js, , [a620bfe69cef8da9642db1ffcb39df21],
PUP.Optional.MediaHint.ChrPRST, C:\Users\Bojan\AppData\Local\Google\Chrome\User Data\Default\Extensions\akipcefbjlmpbcejgdaopmmidpnjlhnb\0.2.3_0\icon_128.png, , [a620bfe69cef8da9642db1ffcb39df21],
PUP.Optional.MediaHint.ChrPRST, C:\Users\Bojan\AppData\Local\Google\Chrome\User Data\Default\Extensions\akipcefbjlmpbcejgdaopmmidpnjlhnb\0.2.3_0\images\off_32.png, , [a620bfe69cef8da9642db1ffcb39df21],
PUP.Optional.MediaHint.ChrPRST, C:\Users\Bojan\AppData\Local\Google\Chrome\User Data\Default\Extensions\akipcefbjlmpbcejgdaopmmidpnjlhnb\0.2.3_0\images\on_32.png, , [a620bfe69cef8da9642db1ffcb39df21],
PUP.Optional.MediaHint.ChrPRST, C:\Users\Bojan\AppData\Local\Google\Chrome\User Data\Default\Extensions\akipcefbjlmpbcejgdaopmmidpnjlhnb\0.2.3_0\_metadata\computed_hashes.json, , [a620bfe69cef8da9642db1ffcb39df21],
PUP.Optional.MediaHint.ChrPRST, C:\Users\Bojan\AppData\Local\Google\Chrome\User Data\Default\Extensions\akipcefbjlmpbcejgdaopmmidpnjlhnb\0.2.3_0\_metadata\verified_contents.json, , [a620bfe69cef8da9642db1ffcb39df21],

Physical Sectors: 0
(No malicious items detected)

(end)

In this log I see Rootkits disabled but under Protection and Detection scan for rootkits is checked and the processes show that scan for rootkits was done.



#9 santare

santare
  • Topic Starter

  • Members
  • 225 posts
  • OFFLINE
  •  
  • Local time:05:35 AM

Posted 16 December 2015 - 05:20 PM

This is how it is installed. (Attached file: Untitled.png)



#10 nasdaq

nasdaq

  • Malware Response Team
  • 38,969 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:06:35 AM

Posted 17 December 2015 - 10:43 AM

I already have mbam installed, do I need to download it again? I have an extension that I wish to keep.

What extension are you talking about?

You were infected by - CryptoWall and HELP_DECRYPT Ransomware.
Information Guide at:
http://www.bleepingcomputer.com/virus-removal/cryptowall-ransomware-information
===


Press the Windows key + R on your keyboard at the same time. This will open the Run box.
Type Notepad and click the OK key.
Please copy the entire contents of the code box below to a new file.


start

CreateRestorePoint:
EmptyTemp:
CloseProcesses:

SearchScopes: HKU\.DEFAULT -> DefaultScope {6A1806CD-94D4-4689-BA73-E35EA1EA9990} URL =
SearchScopes: HKU\S-1-5-21-3418898318-3579430007-511159314-1000 -> {B2717064-23C2-41B7-BA22-9AE5CCB5368D} URL =
FF Plugin: @microsoft.com/GENUINE -> disabled [No File]
S3 ALSysIO; \??\C:\Users\Bojan\AppData\Local\Temp\ALSysIO.sys [X]
S3 SANDRA; \??\C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2013.SP2\WNt500x86\Sandra.sys [X]
C:\Users\Bojan\AppData\Roaming\HELP_DECRYPT.HTML
C:\Users\Bojan\AppData\Roaming\HELP_DECRYPT.PNG
C:\Users\Bojan\AppData\Roaming\HELP_DECRYPT.TXT
C:\Users\Bojan\AppData\Roaming\HELP_DECRYPT.URL
C:\Users\Bojan\AppData\Roaming\Microsoft\HELP_DECRYPT.HTML
C:\Users\Bojan\AppData\Roaming\Microsoft\HELP_DECRYPT.PNG
C:\Users\Bojan\AppData\Roaming\Microsoft\HELP_DECRYPT.TXT
C:\Users\Bojan\AppData\Roaming\Microsoft\HELP_DECRYPT.URL
C:\Users\Bojan\AppData\Local\HELP_DECRYPT.HTML
C:\Users\Bojan\AppData\Local\HELP_DECRYPT.PNG
C:\Users\Bojan\AppData\Local\HELP_DECRYPT.TXT
C:\Users\Bojan\AppData\Local\HELP_DECRYPT.URL
C:\Users\Bojan\AppData\Local\Resmon.ResmonCfg
C:\ProgramData\DECRYPT_INSTRUCTION.HTML
C:\ProgramData\DECRYPT_INSTRUCTION.TXT
C:\ProgramData\DECRYPT_INSTRUCTION.URL
C:\ProgramData\HELP_DECRYPT.HTML
C:\ProgramData\HELP_DECRYPT.PNG
C:\ProgramData\HELP_DECRYPT.TXT
C:\ProgramData\HELP_DECRYPT.URL

End
Save the file as fixlist.txt in the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the Farbar log you have submitted.

Run FRST and click Fix only once and wait.

Restart the computer normally to reset the registry.

The tool will create a log (Fixlog.txt) please post it to your reply.
===

Let's see what is left over of this infection.

You will need to temporarily disable your AV program so it does not interfere.
Info on how to disable your security applications: How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs - Security Mini-Guides.

Download the Zoek tool from here

When the download appears, save to the Desktop.
On the Desktop, right-click the Zoek.exe file and select: Run as Administrator
(Give it a few seconds to appear.)

Click Options; the following options are available to you.
Select only the check boxes for the options in bold.

Running Processes
Installed Programs
Startup Information
FireFox look
Chrome Look
Auto Clean


Do a Quick Scan
HijackThis log
Uninstall list
Shortcut Fix
Do a Deep Scan
Installer List
IE Default
Silent Runner
System Restore Info
Symlink Check
Reset Chrome
System Specs
Recently created
Empty Temp
Auto Clean



Now...
Close any open Browsers.
Click the Run script button, and wait. It takes a few minutes to run the whole script.

When the tool finishes, the zoek-results.log is opened in Notepad.
The log is also found on the systemdrive, normally C:\
If a reboot is needed, the log is opened after the reboot.
Do
Please attach the zoek-results.log in your reply. It's probably too long to post.

How to:
In the Reply section at the bottom of the topic, click the "More Reply Options" button.

Attach the file.
Select "Choose a File" and navigate to the location of the file.
Click the file you wish to Attach.

Click the Add reply button.

Make sure you Enable your AV Program.

What are the current issues with this computer?
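As an added example (not code from this thread or from the Farbar tool), here is a small Python script that pairs each entry of a fixlist like the one above with the line in the Fixlog.txt that FRST writes after the fix, so a reader can confirm what was removed, what was moved and what FRST could not find. The embedded fixlist and Fixlog are shortened from the ones posted in this thread; the EXAMPLE_MISSING.TXT entry is constructed to show an entry that gets no result line.

```python
"""Pair each entry of an FRST fixlist with the Fixlog.txt line that reports on it.
Added example, not code from the thread or from the Farbar tool.  Sample inputs
are shortened from the thread's fixlist and Fixlog; EXAMPLE_MISSING.TXT is a
constructed entry that gets no result line."""
import re

GUID_RE = re.compile(r"\{[0-9A-Fa-f-]{36}\}")
SERVICE_RE = re.compile(r"^[RSU]\d\s+([^;]+);")  # "S3 ALSysIO; \??\C:\...\ALSysIO.sys [X]"
DIRECTIVE_MARKERS = {  # directive -> text FRST prints once it has run
    "CreateRestorePoint:": "Restore point",
    "CloseProcesses:": "Processes closed",
    "EmptyTemp:": "EmptyTemp:",
}

FIXLIST = r"""
start
CreateRestorePoint:
EmptyTemp:
CloseProcesses:
SearchScopes: HKU\.DEFAULT -> DefaultScope {6A1806CD-94D4-4689-BA73-E35EA1EA9990} URL =
SearchScopes: HKU\S-1-5-21-3418898318-3579430007-511159314-1000 -> {B2717064-23C2-41B7-BA22-9AE5CCB5368D} URL =
FF Plugin: @microsoft.com/GENUINE -> disabled [No File]
S3 ALSysIO; \??\C:\Users\Bojan\AppData\Local\Temp\ALSysIO.sys [X]
C:\Users\Bojan\AppData\Roaming\HELP_DECRYPT.HTML
C:\ProgramData\DECRYPT_INSTRUCTION.TXT
C:\ProgramData\EXAMPLE_MISSING.TXT
End
"""

FIXLOG = r"""
Restore point was successfully created.
Processes closed successfully.
HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => value removed successfully.
"HKU\S-1-5-21-3418898318-3579430007-511159314-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{B2717064-23C2-41B7-BA22-9AE5CCB5368D}" => key removed successfully.
HKCR\CLSID\{B2717064-23C2-41B7-BA22-9AE5CCB5368D} => key not found.
"HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE" => key removed successfully.
ALSysIO => service removed successfully.
C:\Users\Bojan\AppData\Roaming\HELP_DECRYPT.HTML => moved successfully
C:\ProgramData\DECRYPT_INSTRUCTION.TXT => moved successfully
EmptyTemp: => 5.1 GB temporary data Removed.
"""


def parse_fixlist(text):
    """Entries between 'start' and 'End', blanks dropped."""
    entries, inside = [], False
    for line in (ln.strip() for ln in text.splitlines()):
        if line.lower() == "start":
            inside = True
        elif line.lower() == "end":
            break
        elif inside and line:
            entries.append(line)
    return entries


def match_keys(entry):
    """Substrings a Fixlog line reporting on `entry` is expected to contain."""
    if entry in DIRECTIVE_MARKERS:
        return [DIRECTIVE_MARKERS[entry]]
    if entry.startswith("SearchScopes:"):
        keys = GUID_RE.findall(entry)
        if "DefaultScope" in entry:  # FRST names the value, not its GUID
            keys.append("DefaultScope")
        return keys
    if entry.startswith("FF Plugin:"):
        return [entry[len("FF Plugin:"):].split("->", 1)[0].strip()]
    m = SERVICE_RE.match(entry)
    if m:
        return [m.group(1).strip() + " =>"]
    return [entry + " =>"]  # plain file or folder path; " =>" avoids prefix hits


def classify(line):
    """Outcome reported by one Fixlog line."""
    if "not found" in line:
        return "not-found"
    return "done" if ("successfully" in line or "Removed" in line) else "unclear"


def reconcile(fixlist_text, fixlog_text):
    """One dict per fixlist entry: its status and the Fixlog lines that mention it."""
    results = [ln.strip() for ln in fixlog_text.splitlines() if ln.strip()]
    report = []
    for entry in parse_fixlist(fixlist_text):
        keys = match_keys(entry)
        hits = [r for r in results if any(k in r for k in keys)]
        kinds = {classify(r) for r in hits}
        status = ("done" if "done" in kinds else "not-found" if "not-found" in kinds
                  else "unclear" if hits else "unverified")
        report.append({"entry": entry, "status": status, "lines": hits})
    return report


if __name__ == "__main__":
    for item in reconcile(FIXLIST, FIXLOG):
        print(f"{item['status']:<10} {item['entry']}")
```

An entry reported as "unverified" is one the Fixlog never mentions, which is the case to look into before assuming the fix completed.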

#11 santare

santare
  • Topic Starter

  • Members
  • 225 posts
  • OFFLINE
  •  
  • Local time:05:35 AM

Posted 17 December 2015 - 12:29 PM

I'm talking about MediaHint. Yes, but CryptoWall will not take over your computer, just lock your files.



#12 santare

santare
  • Topic Starter

  • Members
  • 225 posts
  • OFFLINE
  •  
  • Local time:05:35 AM

Posted 17 December 2015 - 12:40 PM

Fix result of Farbar Recovery Scan Tool (x86) Version:16-12-2015 01
Ran by Bojan (2015-12-17 18:31:27) Run:2
Running from C:\Users\Bojan\Desktop
Loaded Profiles: Bojan (Available Profiles: Bojan)
Boot Mode: Normal

==============================================

fixlist content:
*****************
start

CreateRestorePoint:
EmptyTemp:
CloseProcesses:

SearchScopes: HKU\.DEFAULT -> DefaultScope {6A1806CD-94D4-4689-BA73-E35EA1EA9990} URL =
SearchScopes: HKU\S-1-5-21-3418898318-3579430007-511159314-1000 -> {B2717064-23C2-41B7-BA22-9AE5CCB5368D} URL =
FF Plugin: @microsoft.com/GENUINE -> disabled [No File]
S3 ALSysIO; \??\C:\Users\Bojan\AppData\Local\Temp\ALSysIO.sys [X]
S3 SANDRA; \??\C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2013.SP2\WNt500x86\Sandra.sys [X]
C:\Users\Bojan\AppData\Roaming\HELP_DECRYPT.HTML
C:\Users\Bojan\AppData\Roaming\HELP_DECRYPT.PNG
C:\Users\Bojan\AppData\Roaming\HELP_DECRYPT.TXT
C:\Users\Bojan\AppData\Roaming\HELP_DECRYPT.URL
C:\Users\Bojan\AppData\Roaming\Microsoft\HELP_DECRYPT.HTML
C:\Users\Bojan\AppData\Roaming\Microsoft\HELP_DECRYPT.PNG
C:\Users\Bojan\AppData\Roaming\Microsoft\HELP_DECRYPT.TXT
C:\Users\Bojan\AppData\Roaming\Microsoft\HELP_DECRYPT.URL
C:\Users\Bojan\AppData\Local\HELP_DECRYPT.HTML
C:\Users\Bojan\AppData\Local\HELP_DECRYPT.PNG
C:\Users\Bojan\AppData\Local\HELP_DECRYPT.TXT
C:\Users\Bojan\AppData\Local\HELP_DECRYPT.URL
C:\Users\Bojan\AppData\Local\Resmon.ResmonCfg
C:\ProgramData\DECRYPT_INSTRUCTION.HTML
C:\ProgramData\DECRYPT_INSTRUCTION.TXT
C:\ProgramData\DECRYPT_INSTRUCTION.URL
C:\ProgramData\HELP_DECRYPT.HTML
C:\ProgramData\HELP_DECRYPT.PNG
C:\ProgramData\HELP_DECRYPT.TXT
C:\ProgramData\HELP_DECRYPT.URL

End
*****************

Restore point was successfully created.
Processes closed successfully.
HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => value removed successfully.
"HKU\S-1-5-21-3418898318-3579430007-511159314-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{B2717064-23C2-41B7-BA22-9AE5CCB5368D}" => key removed successfully.
HKCR\CLSID\{B2717064-23C2-41B7-BA22-9AE5CCB5368D} => key not found.
"HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE" => key removed successfully.
ALSysIO => service removed successfully.
SANDRA => service removed successfully.
C:\Users\Bojan\AppData\Roaming\HELP_DECRYPT.HTML => moved successfully
C:\Users\Bojan\AppData\Roaming\HELP_DECRYPT.PNG => moved successfully
C:\Users\Bojan\AppData\Roaming\HELP_DECRYPT.TXT => moved successfully
C:\Users\Bojan\AppData\Roaming\HELP_DECRYPT.URL => moved successfully
C:\Users\Bojan\AppData\Roaming\Microsoft\HELP_DECRYPT.HTML => moved successfully
C:\Users\Bojan\AppData\Roaming\Microsoft\HELP_DECRYPT.PNG => moved successfully
C:\Users\Bojan\AppData\Roaming\Microsoft\HELP_DECRYPT.TXT => moved successfully
C:\Users\Bojan\AppData\Roaming\Microsoft\HELP_DECRYPT.URL => moved successfully
C:\Users\Bojan\AppData\Local\HELP_DECRYPT.HTML => moved successfully
C:\Users\Bojan\AppData\Local\HELP_DECRYPT.PNG => moved successfully
C:\Users\Bojan\AppData\Local\HELP_DECRYPT.TXT => moved successfully
C:\Users\Bojan\AppData\Local\HELP_DECRYPT.URL => moved successfully
C:\Users\Bojan\AppData\Local\Resmon.ResmonCfg => moved successfully
C:\ProgramData\DECRYPT_INSTRUCTION.HTML => moved successfully
C:\ProgramData\DECRYPT_INSTRUCTION.TXT => moved successfully
C:\ProgramData\DECRYPT_INSTRUCTION.URL => moved successfully
C:\ProgramData\HELP_DECRYPT.HTML => moved successfully
C:\ProgramData\HELP_DECRYPT.PNG => moved successfully
C:\ProgramData\HELP_DECRYPT.TXT => moved successfully
C:\ProgramData\HELP_DECRYPT.URL => moved successfully
EmptyTemp: => 5.1 GB temporary data Removed.

The system needed a reboot.

==== End of Fixlog 18:33:51 ====



#13 santare

santare
  • Topic Starter

  • Members
  • 225 posts
  • OFFLINE
  •  
  • Local time:05:35 AM

Posted 17 December 2015 - 01:06 PM

This program is weird. First after reboot I got a message that an unknown program wants to change my search settings to google.com, then I see some of the programs deleted.

 

After the first reboot of Farbar, computer got a bit slower and I had to reregister. I'm not allowed to ask, but what exactly is the function of the program?

 

Then I see zoek back up folder and restore.txt file.

Attached Files



#14 santare

santare
  • Topic Starter

  • Members
  • 225 posts
  • OFFLINE
  •  
  • Local time:05:35 AM

Posted 17 December 2015 - 03:37 PM

There are some errors on my computer. The homepage of bleepingcomputer looks like an HTML script with no Flash. Former thumbnails that were on the Chrome page were deleted. I used to be able to duplicate the tab if something looked like an HTML script with no Flash. I see Xs on some avatars.

 

It took a long time for Farbar to perform the cleanup, and after the cleanup it restarted; the computer is now a bit slower. How can I get back to a previous state, before it was shut down and restarted?



#15 santare

santare
  • Topic Starter

  • Members
  • 225 posts
  • OFFLINE
  •  
  • Local time:05:35 AM

Posted 17 December 2015 - 04:14 PM

I think I've screwed up somewhere; what have I done wrong if I didn't run it as an administrator?





