emails are sent out using my domain but not by me


15 replies to this topic

#1 koolcat (Members, 11 posts)
Posted 05 February 2016 - 09:15 AM

Each morning I have a list of 10-20 rejected emails that were sent out about a week ago using my domain.  I don't recognize any of the recipients (not from my email lists) nor do I recognize the email account in the From: field.  All of the emails contain a randomly named zip file that it tries to send (probably a virus).

 

This is an example of one of the emails.  The X-Sender is my actual email address, however the From address uses my domain but not my account name.

 

Is this a virus?  Is someone logging in to my account?

 

Note that I replaced my actual email address with ??? to avoid publicizing it.

 

X-Sender: ???admin@?????maskcentral.com
Message-ID: <0AC865AF8C0AE42AAD207D23A31057FF@smtpout.secureserver.net>
From: "violetfitch" <violetfitch@?????maskcentral.com>
To: "venere lu" <venere_lu@hotmail.it>, "sforza" <sforza@dmmm.uniroma1.it>,
"lorenzo picone" <lorenzo.picone@hotmail.it>,
"caccia7" <caccia7@hotmail.it>, "oldrogue" <oldrogue@hotmail.it>,
"desantis" <desantis@ing.uniroma1.it>, "g barbaro" <g.barbaro@mclink.net>,
"annamaria altobelli" <a.altobelli3@virgilio.it>,
"f santi" <f.santi@email.it>, "erika 90" <erika_90@hotmail.it>,
"agisscuola" <agisscuola@agisweb.it>,
"cristiana luzi" <cristiana.luzi@istruzione.it>
Subject: =?ISO-8859-1?Q?1=2F20=2F2016_8=3A49=3A46_PM?=
Date: Tue, 20 Jan 2016 08:49:46 +0000
MIME-Version: 1.0
Content-Type: multipart/mixed;
boundary="----=_NextPart_000_5FD1_B3CDF58B.09755C23"
X-Priority: 3
X-MSMail-Priority: Normal
Importance: Normal
X-Mailer: Microsoft Windows Live Mail 16.4.3522.110
X-MIMEOLE: Produced By Microsoft MimeOLE V16.4.3522.110

This is a multi-part message in MIME format.

------=_NextPart_000_5FD1_B3CDF58B.09755C23
Content-Type: multipart/alternative;
boundary="----=_NextPart_000_2358_B3CDF59A.0F4EAA2C"

------=_NextPart_000_2358_B3CDF59A.0F4EAA2C
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: quoted-printable




DATE:1/20/2016 8:49:46 PM
------=_NextPart_000_2358_B3CDF59A.0F4EAA2C
Content-Type: text/html; charset=UTF-8
Content-Transfer-Encoding: quoted-printable

=EF=BB=BF<HTML><HEAD><META http-equiv=3D"content-type" content: text/html;=
charset=3DUTF-8></HEAD><BODY><br><br><br> DATE:1/20/2016 8:49:46=
PM</BODY></HTML>

------=_NextPart_000_2358_B3CDF59A.0F4EAA2C--
------=_NextPart_000_5FD1_B3CDF58B.09755C23
Content-Type: application/ZIP; name="AiY.zip"
Content-Transfer-Encoding: Base64
Content-Disposition: attachment; FileName="AiY.zip"
Content-ID: <4de985a5c0a3b20097d42bbcaa74d0f6@?????maskcentral.com>
[base64-encoded attachment body omitted]
------=_NextPart_000_5FD1_B3CDF58B.09755C23--
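The check a practitioner would run on the bounce above, as an added example that is not part of the original post: parse the message, compare the mailbox the relay authenticated (X-Sender, which the poster says is their real address) with the From: header, decode the RFC 2047 subject, count recipients, and inventory attachments, testing whether the "zip" really starts with a ZIP local-file-header signature. The sample message is constructed from the quoted headers with the poster's masking kept and the recipient list shortened; the base64 body is a constructed six-byte stub, since the real payload was not reproduced on the page.

```python
"""Triage of a bounce whose From: is on your domain but is not your mailbox.

Added example for this thread; not code from the original post. RAW_MESSAGE is
constructed from the headers the poster quoted (mailbox names left masked with
'?' as in the post, recipient list shortened); the base64 attachment body is a
constructed 6-byte stub, because the real payload was not reproduced.
"""
import email
from email.header import decode_header, make_header
from email.utils import getaddresses, parseaddr

RAW_MESSAGE = """\
X-Sender: ???admin@?????maskcentral.com
Message-ID: <0AC865AF8C0AE42AAD207D23A31057FF@smtpout.secureserver.net>
From: "violetfitch" <violetfitch@?????maskcentral.com>
To: "venere lu" <venere_lu@hotmail.it>, "sforza" <sforza@dmmm.uniroma1.it>,
 "lorenzo picone" <lorenzo.picone@hotmail.it>
Subject: =?ISO-8859-1?Q?1=2F20=2F2016_8=3A49=3A46_PM?=
Date: Tue, 20 Jan 2016 08:49:46 +0000
MIME-Version: 1.0
Content-Type: multipart/mixed;
 boundary="----=_NextPart_000_5FD1_B3CDF58B.09755C23"
X-Mailer: Microsoft Windows Live Mail 16.4.3522.110

This is a multi-part message in MIME format.

------=_NextPart_000_5FD1_B3CDF58B.09755C23
Content-Type: text/plain; charset=ISO-8859-1

DATE:1/20/2016 8:49:46 PM
------=_NextPart_000_5FD1_B3CDF58B.09755C23
Content-Type: application/ZIP; name="AiY.zip"
Content-Transfer-Encoding: Base64
Content-Disposition: attachment; FileName="AiY.zip"

UEsDBAAA
------=_NextPart_000_5FD1_B3CDF58B.09755C23--
"""


def _domain(addr: str) -> str:
    return addr.rpartition("@")[2].lower()


def triage(raw: str) -> dict:
    """Compare the authenticated sender with From: and inventory the attachments."""
    msg = email.message_from_string(raw)
    # X-Sender is the mailbox the relay authenticated (the poster's real address);
    # From: is whatever the sending software chose to write.
    sender = parseaddr(msg.get("X-Sender", ""))[1].lower()
    from_addr = parseaddr(msg.get("From", ""))[1].lower()
    message_id = msg.get("Message-ID", "").strip("<> ")
    subject = str(make_header(decode_header(msg.get("Subject", ""))))
    recipients = [a for _, a in getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))]

    attachments = []
    for part in msg.walk():
        if part.get_content_maintype() == "multipart":
            continue
        name = part.get_filename()  # matches FileName= case-insensitively
        if not name:
            continue
        payload = part.get_payload(decode=True) or b""
        attachments.append({
            "name": name,
            "type": part.get_content_type(),  # normalised to lower case
            "zip_magic": payload.startswith(b"PK\x03\x04"),  # ZIP local file header
        })

    findings = {
        "sender": sender,
        "from": from_addr,
        "same_domain": _domain(sender) == _domain(from_addr),
        "same_mailbox": sender == from_addr,
        "message_id_host": message_id.rpartition("@")[2],
        "subject": subject,
        "recipient_count": len(recipients),
        "attachments": attachments,
    }
    findings["verdict"] = _verdict(findings)
    return findings


def _verdict(f: dict) -> str:
    if not f["sender"]:
        return "no X-Sender header: cannot tell which account the relay authenticated"
    if f["same_domain"] and not f["same_mailbox"]:
        return ("relayed as the X-Sender mailbox with a fabricated From: name on the same "
                "domain: consistent with stolen mailbox credentials rather than a spoof "
                "from elsewhere; rotate that mailbox's password and watch for more bounces")
    return "From: matches the authenticated mailbox: examine the sending client/host itself"


if __name__ == "__main__":
    for key, value in triage(RAW_MESSAGE).items():
        print(f"{key:16} {value}")
```

On the quoted headers this reports the same domain but a different mailbox, a Message-ID minted at smtpout.secureserver.net, and an attachment whose bytes start with the ZIP signature. That combination is what makes the later advice (change the mailbox password, then watch whether bounces for newly dated messages keep arriving) the right first move, rather than DNS-level anti-spoofing, which cannot stop mail relayed with valid credentials.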




#2 Aura (Bleepin' Special Ops, Malware Response Team, 19,629 posts)

Posted 05 February 2016 - 11:27 AM

Hi koolcat :)

It's possible that your email account has been compromised. Are you able to change the password on it, and enable 2FA to see if the sending stops? Are you aware of any websites, services, etc. that you use that had a data breach lately? Do you use the same password a lot?

Security Administrator | Sysnative Windows Update Senior Analyst | Malware Hunter | @SecurityAura
My timezone UTC-05:00 (East. Coast). If I didn't reply to you within 48 hours, please send me a PM.


#3 koolcat (Topic Starter, Members, 11 posts)

Posted 05 February 2016 - 12:02 PM

I did recently change the password on it.  However, looking at the emails that bounce back to me, they were sent at least a week and some 2 weeks back, before I had changed the password.  I'm not sure what 2FA is though.  I use GoDaddy; would the option be there to set that, and what does it do?

 

   thanks



#4 Aura (Bleepin' Special Ops, Malware Response Team, 19,629 posts)

Posted 05 February 2016 - 12:25 PM

2FA stands for Two-Factor Authentication. It's a security mechanism that asks you for a second confirmation when you try to log in to one of your accounts (approve the login request via an app, enter a code from an authenticator, etc.). It's almost impossible to get into an account that has 2FA enabled, because even if you have the password, you most likely don't have what it takes to go through the second step.

I'm not a webmaster, nor do I own any domains, so I couldn't say if GoDaddy provides 2FA for the webmail servers it hosts. It's something I would ask about online or directly to their support.

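Post #4 describes the second factor as "a code from an authenticator". The example below is added here and is not code from the original thread or from GoDaddy; it shows what that code is (TOTP, RFC 6238) and why a stolen password alone does not produce it: the code is an HMAC over the current 30-second window, keyed with a seed that only the authenticator app and the server hold. The secret is the RFC's reference seed so the values can be checked against the RFC's test table; the 30-second step, 6 digits, SHA-1 and a one-step drift window are the assumptions. The caveat in post #7 still applies: 2FA on the hosting-panel login does not cover the mailbox's own password, which is the credential Aura suspects was used here.

```python
"""TOTP (RFC 6238) as used by authenticator apps: what the second factor proves.

Added example for this thread; not code from the original post or any provider.
Assumptions: 30-second step, 6 digits, HMAC-SHA1, one step of clock drift allowed.
RFC_SECRET is the RFC 6238 reference seed, so outputs match the RFC's test table.
"""
import hashlib
import hmac
import struct
import time
from typing import Optional

STEP = 30
DIGITS = 6
RFC_SECRET = b"12345678901234567890"  # RFC 6238 Appendix B seed for the SHA-1 rows


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: Optional[float] = None, step: int = STEP,
         digits: int = DIGITS) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step)."""
    now = time.time() if at is None else at
    return hotp(secret, int(now // step), digits)


def verify_totp(secret: bytes, submitted: str, at: Optional[float] = None,
                window: int = 1) -> bool:
    """Server-side check. Accepts the current step and +/- `window` neighbours for
    clock drift, and compares in constant time so a timing leak cannot narrow the
    search. Without `secret`, a password thief has a 1-in-10**DIGITS guess per try."""
    now = time.time() if at is None else at
    return any(
        hmac.compare_digest(totp(secret, now + drift * STEP), submitted)
        for drift in range(-window, window + 1)
    )


if __name__ == "__main__":
    # RFC 6238 test rows (SHA-1, 8 digits): T=59 -> 94287082, T=1111111109 -> 07081804
    print(totp(RFC_SECRET, at=59, digits=8), totp(RFC_SECRET, at=1111111109, digits=8))
    print("current code:", totp(RFC_SECRET))
```

A code is only valid for its own 30-second window (plus the drift allowance), so a code captured alongside the password is useless a minute later; an attacker who has only the password, as the sender of these bounces apparently did, cannot compute one at all. Note that SMTP AUTH, the path used to relay the bounced messages, has no place to present a second factor, which is why providers that offer 2FA for the mailbox usually pair it with per-client app passwords.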


#5 koolcat (Topic Starter, Members, 11 posts)

Posted 05 February 2016 - 01:29 PM

Oh ok.  Yes, it does have 2FA.  I didn't have it set up before, but I just added it.  Thanks!  I guess it's just a matter of waiting now to see if the emails keep coming back.  Since they were sent a week ago, they may still come in even though the password has changed and I just put in the 2FA since that time.



#6 Aura (Bleepin' Special Ops, Malware Response Team, 19,629 posts)

Posted 05 February 2016 - 01:32 PM

Does your server log connection attempts? This way you could see if someone still tries to access your account even after adding 2FA and changing your password.

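The review post #6 suggests, as an added example that is not part of the original thread: scan a mail server's SMTP AUTH log for successful logins from addresses you do not recognise, and separate those before and after the password change, so you can tell whether the rotation is holding or the new credential is also in the attacker's hands. The log lines are constructed in Postfix smtpd format (an assumed format; GoDaddy's logs were not shown on the page) with documentation-range IPs and example.com; syslog timestamps carry no year, so 2016 is assumed.

```python
"""Audit an SMTP AUTH log for logins you did not make, before and after a password change.

Added example for this thread; not code from the original post. LOG_LINES are
constructed in Postfix smtpd format (assumed; the poster's provider logs were not
shown), using documentation IPs (198.51.100.10 = the owner's home connection,
203.0.113.45 = unknown) and example.com. Year 2016 is assumed for syslog stamps.
"""
import re
from collections import Counter
from datetime import datetime

LOG_LINES = [
    "Jan 19 22:41:07 mail postfix/submission/smtpd[2101]: 3F2A1C0123: client=cpe-home.example.net[198.51.100.10], sasl_method=LOGIN, sasl_username=admin@example.com",
    "Jan 20 08:47:30 mail postfix/submission/smtpd[2114]: 7B9D4C0456: client=unknown[203.0.113.45], sasl_method=LOGIN, sasl_username=admin@example.com",
    "Jan 20 08:49:02 mail postfix/submission/smtpd[2114]: 7B9D4C0457: client=unknown[203.0.113.45], sasl_method=LOGIN, sasl_username=admin@example.com",
    "Jan 27 14:03:11 mail postfix/submission/smtpd[2188]: 91C0EC0789: client=cpe-home.example.net[198.51.100.10], sasl_method=LOGIN, sasl_username=admin@example.com",
    "Jan 29 03:12:55 mail postfix/submission/smtpd[2200]: warning: unknown[203.0.113.45]: SASL LOGIN authentication failed: UGFzc3dvcmQ6",
    "Jan 29 03:12:58 mail postfix/submission/smtpd[2200]: warning: unknown[203.0.113.45]: SASL LOGIN authentication failed: UGFzc3dvcmQ6",
    "Feb  1 09:15:40 mail postfix/submission/smtpd[2251]: A4E11C0999: client=cpe-home.example.net[198.51.100.10], sasl_method=LOGIN, sasl_username=admin@example.com",
]

TS = r"(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d)"
OK_RE = re.compile(TS + r" \S+ postfix/\S*smtpd\[\d+\]: \w+: client=(?P<host>[^\[]*)\[(?P<ip>[^\]]+)\], "
                   r"sasl_method=(?P<method>\w+), sasl_username=(?P<user>\S+)")
FAIL_RE = re.compile(TS + r" \S+ postfix/\S*smtpd\[\d+\]: warning: (?P<host>[^\[]*)\[(?P<ip>[^\]]+)\]: "
                     r"SASL \w+ authentication failed")


def _when(ts: str, year: int = 2016) -> datetime:
    # syslog stamps have no year and pad the day with a space ("Feb  1")
    return datetime.strptime(" ".join(ts.split()), "%b %d %H:%M:%S").replace(year=year)


def audit_smtp_auth(lines, known_ips, password_changed_at: str) -> dict:
    """Summarise SASL successes/failures per IP and flag unknown-IP logins around the rotation."""
    changed = datetime.fromisoformat(password_changed_at)
    ok_by_ip, fail_by_ip = Counter(), Counter()
    unknown_logins, unknown_after_change, failed_after_change = [], [], []
    for line in lines:
        m = OK_RE.search(line)
        if m:
            when, ip, user = _when(m["ts"]), m["ip"], m["user"]
            ok_by_ip[ip] += 1
            if ip not in known_ips:
                unknown_logins.append((when, ip, user))
                if when > changed:
                    unknown_after_change.append((when, ip, user))
            continue
        m = FAIL_RE.search(line)
        if m:
            when, ip = _when(m["ts"]), m["ip"]
            fail_by_ip[ip] += 1
            if when > changed:
                failed_after_change.append((when, ip))

    if unknown_after_change:
        assessment = ("successful logins from unknown addresses continue after the password "
                      "change: the new credential is also compromised, rotate again")
    elif unknown_logins:
        assessment = ("unknown addresses logged in before the change and only fail since: "
                      "the rotation is holding; the earlier logins bound the abuse window")
    else:
        assessment = "no successful logins from unknown addresses in this log"

    return {
        "successes_by_ip": dict(ok_by_ip),
        "failures_by_ip": dict(fail_by_ip),
        "unknown_ip_logins": unknown_logins,
        "unknown_after_change": unknown_after_change,
        "failed_after_change": failed_after_change,
        "assessment": assessment,
    }


if __name__ == "__main__":
    report = audit_smtp_auth(LOG_LINES, {"198.51.100.10"}, "2016-01-28 10:00:00")
    for key, value in report.items():
        print(f"{key:22} {value}")
```

The two successful logins from 203.0.113.45 on 20 January line up with the Date: header on the bounced message, and the failures after the 28 January rotation show the old password being retried and refused. If the poster's provider only exposes a "recent activity" page rather than raw logs, the same questions apply: which addresses logged in, and do any unfamiliar ones succeed after the change.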


#7 koolcat (Topic Starter, Members, 11 posts)

Posted 05 February 2016 - 02:39 PM

My bad, the hosting account has 2FA (which I enabled), but that doesn't apply to the email account.  In any case the pwd is changed.  I'll check about server logs.



#8 Aura (Bleepin' Special Ops, Malware Response Team, 19,629 posts)

Posted 05 February 2016 - 02:52 PM

Meanwhile, we can do a quick check of your system to see if it has been compromised or not. Follow the instructions below please.

MiniToolBox
  • Download MiniToolBox and move the file to your Desktop;
  • Right-click on MiniToolBox.exe and select Run as Administrator (for Windows Vista, 7, 8, 8.1 and 10 users);
  • Check the following options:
    • Flush DNS;
    • Report IE Proxy Settings;
    • Reset IE Proxy Settings;
    • Report FF Proxy Settings;
    • Reset FF Proxy Settings;
    • List content of Hosts;
    • List IP Configuration;
    • List Winsock Entries;
    • List Last 10 Event Viewer Errors;
    • List Installed Programs;
    • List Devices - Only Problems;
    • List Users, Partitions and Memory size;
  • Once this is done, click on Go and wait for the scan to complete;
  • Once the scan is complete, a log will open. Please copy/paste the content of the output log in your next reply;



#9 koolcat (Topic Starter, Members, 11 posts)

Posted 06 February 2016 - 07:59 PM

MiniToolBox by Farbar  Version: 03-02-2016 01
Ran by neilg (administrator) on 06-02-2016 at 19:53:17
Running from "C:\Users\neilg\Downloads"
Microsoft Windows 8.1  (X64)
Model: Inspiron 3847 Manufacturer: Dell Inc.
Boot Mode: Normal
***************************************************************************

========================= Flush DNS: ===================================

Windows IP Configuration

Successfully flushed the DNS Resolver Cache.

========================= IE Proxy Settings: ==============================

Proxy is not enabled.
No Proxy Server is set.

"Reset IE Proxy Settings": IE Proxy Settings were reset.

========================= FF Proxy Settings: ==============================


"Reset FF Proxy Settings": Firefox Proxy settings were reset.

========================= Hosts content: =================================
0.0.0.1    mssplus.mcafee.com
========================= IP Configuration: ================================

Realtek PCIe GBE Family Controller = Ethernet (Connected)
Dell Wireless 1705 802.11b/g/n (2.4GHZ) = Wi-Fi (Connected)
Bluetooth Device (Personal Area Network) = Bluetooth Network Connection (Media disconnected)


# ----------------------------------
# IPv4 Configuration
# ----------------------------------
pushd interface ipv4

reset
set global icmpredirects=enabled
set interface interface="Local Area Connection* 1" forwarding=enabled advertise=enabled nud=enabled ignoredefaultroutes=disabled
set interface interface="Ethernet" forwarding=enabled advertise=enabled nud=enabled ignoredefaultroutes=disabled
set interface interface="Wi-Fi" forwarding=enabled advertise=enabled nud=enabled ignoredefaultroutes=disabled
set interface interface="Local Area Connection* 3" forwarding=enabled advertise=enabled nud=enabled ignoredefaultroutes=disabled
set interface interface="Bluetooth Network Connection" forwarding=enabled advertise=enabled nud=enabled ignoredefaultroutes=disabled


popd
# End of IPv4 configuration



Windows IP Configuration

   Host Name . . . . . . . . . . . . : office
   Primary Dns Suffix  . . . . . . . :
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No

Ethernet adapter Bluetooth Network Connection:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Bluetooth Device (Personal Area Network)
   Physical Address. . . . . . . . . : 54-35-30-BD-99-18
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes

Wireless LAN adapter Local Area Connection* 3:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Microsoft Wi-Fi Direct Virtual Adapter
   Physical Address. . . . . . . . . : 16-35-30-BD-99-17
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes

Ethernet adapter Ethernet:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Realtek PCIe GBE Family Controller
   Physical Address. . . . . . . . . : F8-BC-12-5C-B5-4C
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
   Link-local IPv6 Address . . . . . : fe80::b50e:e9d5:aaa8:da16%3(Preferred)
   Autoconfiguration IPv4 Address. . : 169.254.218.22(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.0.0
   Default Gateway . . . . . . . . . :
   DHCPv6 IAID . . . . . . . . . . . : 66632722
   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-1A-97-E8-A5-F8-BC-12-5C-B5-4C
   DNS Servers . . . . . . . . . . . : fec0:0:0:ffff::1%1
                                       fec0:0:0:ffff::2%1
                                       fec0:0:0:ffff::3%1
   NetBIOS over Tcpip. . . . . . . . : Enabled

Wireless LAN adapter Wi-Fi:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Dell Wireless 1705 802.11b/g/n (2.4GHZ)
   Physical Address. . . . . . . . . : 54-35-30-BD-99-17
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
   Link-local IPv6 Address . . . . . : fe80::c0b9:5ca7:6040:69ab%4(Preferred)
   IPv4 Address. . . . . . . . . . . : 192.168.1.14(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Lease Obtained. . . . . . . . . . : Saturday, January 16, 2016 9:52:24 AM
   Lease Expires . . . . . . . . . . : Sunday, February 7, 2016 9:52:26 AM
   Default Gateway . . . . . . . . . : 192.168.1.1
   DHCP Server . . . . . . . . . . . : 192.168.1.1
   DHCPv6 IAID . . . . . . . . . . . : 72627504
   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-1A-97-E8-A5-F8-BC-12-5C-B5-4C
   DNS Servers . . . . . . . . . . . : 192.168.1.1
   NetBIOS over Tcpip. . . . . . . . : Enabled

Tunnel adapter isatap.{5795B1A6-4866-4B8B-A364-220562096CCB}:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Microsoft ISATAP Adapter
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes

Tunnel adapter isatap.{500094B1-70CE-4CD7-8F0F-2FF3A85B24C1}:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Microsoft ISATAP Adapter #2
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
Server:  UnKnown
Address:  192.168.1.1

Name:    google.com
Addresses:  2607:f8b0:4008:80b::200e
      216.58.219.142


Pinging google.com [216.58.192.110] with 32 bytes of data:
Reply from 216.58.192.110: bytes=32 time=22ms TTL=55
Reply from 216.58.192.110: bytes=32 time=64ms TTL=55

Ping statistics for 216.58.192.110:
    Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 22ms, Maximum = 64ms, Average = 43ms
Server:  UnKnown
Address:  192.168.1.1

Name:    yahoo.com
Addresses:  2001:4998:44:204::a7
      2001:4998:c:a06::2:4008
      2001:4998:58:c02::a9
      98.138.253.109
      98.139.183.24
      206.190.36.45


Pinging yahoo.com [206.190.36.45] with 32 bytes of data:
Reply from 206.190.36.45: bytes=32 time=102ms TTL=44
Reply from 206.190.36.45: bytes=32 time=94ms TTL=44

Ping statistics for 206.190.36.45:
    Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 94ms, Maximum = 102ms, Average = 98ms

Pinging 127.0.0.1 with 32 bytes of data:
Reply from 127.0.0.1: bytes=32 time<1ms TTL=128
Reply from 127.0.0.1: bytes=32 time<1ms TTL=128

Ping statistics for 127.0.0.1:
    Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 0ms, Average = 0ms
===========================================================================
Interface List
  8...54 35 30 bd 99 18 ......Bluetooth Device (Personal Area Network)
  5...16 35 30 bd 99 17 ......Microsoft Wi-Fi Direct Virtual Adapter
  3...f8 bc 12 5c b5 4c ......Realtek PCIe GBE Family Controller
  4...54 35 30 bd 99 17 ......Dell Wireless 1705 802.11b/g/n (2.4GHZ)
  1...........................Software Loopback Interface 1
  6...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter
  9...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #2
===========================================================================

IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.1.1     192.168.1.14     25
        127.0.0.0        255.0.0.0         On-link         127.0.0.1    306
        127.0.0.1  255.255.255.255         On-link         127.0.0.1    306
  127.255.255.255  255.255.255.255         On-link         127.0.0.1    306
      169.254.0.0      255.255.0.0         On-link    169.254.218.22    276
   169.254.218.22  255.255.255.255         On-link    169.254.218.22    276
  169.254.255.255  255.255.255.255         On-link    169.254.218.22    276
      192.168.1.0    255.255.255.0         On-link      192.168.1.14    281
     192.168.1.14  255.255.255.255         On-link      192.168.1.14    281
    192.168.1.255  255.255.255.255         On-link      192.168.1.14    281
        224.0.0.0        240.0.0.0         On-link         127.0.0.1    306
        224.0.0.0        240.0.0.0         On-link    169.254.218.22    276
        224.0.0.0        240.0.0.0         On-link      192.168.1.14    281
  255.255.255.255  255.255.255.255         On-link         127.0.0.1    306
  255.255.255.255  255.255.255.255         On-link    169.254.218.22    276
  255.255.255.255  255.255.255.255         On-link      192.168.1.14    281
===========================================================================
Persistent Routes:
  None

IPv6 Route Table
===========================================================================
Active Routes:
 If Metric Network Destination      Gateway
  1    306 ::1/128                  On-link
  3    276 fe80::/64                On-link
  4    281 fe80::/64                On-link
  3    276 fe80::b50e:e9d5:aaa8:da16/128
                                    On-link
  4    281 fe80::c0b9:5ca7:6040:69ab/128
                                    On-link
  1    306 ff00::/8                 On-link
  3    276 ff00::/8                 On-link
  4    281 ff00::/8                 On-link
===========================================================================
Persistent Routes:
  None
========================= Winsock entries =====================================

Catalog5 01 C:\Windows\SysWOW64\napinsp.dll [55296] (Microsoft Corporation)
Catalog5 02 C:\Windows\SysWOW64\pnrpnsp.dll [70144] (Microsoft Corporation)
Catalog5 03 C:\Windows\SysWOW64\pnrpnsp.dll [70144] (Microsoft Corporation)
Catalog5 04 C:\Windows\SysWOW64\NLAapi.dll [65536] (Microsoft Corporation)
Catalog5 05 C:\Windows\SysWOW64\mswsock.dll [286208] (Microsoft Corporation)
Catalog5 06 C:\Windows\SysWOW64\winrnr.dll [23040] (Microsoft Corporation)
Catalog5 07 C:\Windows\SysWOW64\wshbth.dll [50688] (Microsoft Corporation)
Catalog5 08 C:\Program Files (x86)\Bonjour\mdnsNSP.dll [121704] (Apple Inc.)
Catalog9 01 C:\Windows\SysWOW64\mswsock.dll [286208] (Microsoft Corporation)
Catalog9 02 C:\Windows\SysWOW64\mswsock.dll [286208] (Microsoft Corporation)
Catalog9 03 C:\Windows\SysWOW64\mswsock.dll [286208] (Microsoft Corporation)
Catalog9 04 C:\Windows\SysWOW64\mswsock.dll [286208] (Microsoft Corporation)
Catalog9 05 C:\Windows\SysWOW64\mswsock.dll [286208] (Microsoft Corporation)
Catalog9 06 C:\Windows\SysWOW64\mswsock.dll [286208] (Microsoft Corporation)
Catalog9 07 C:\Windows\SysWOW64\mswsock.dll [286208] (Microsoft Corporation)
Catalog9 08 C:\Windows\SysWOW64\mswsock.dll [286208] (Microsoft Corporation)
Catalog9 09 C:\Windows\SysWOW64\mswsock.dll [286208] (Microsoft Corporation)
Catalog9 10 C:\Windows\SysWOW64\mswsock.dll [286208] (Microsoft Corporation)
Catalog9 11 C:\Windows\SysWOW64\mswsock.dll [286208] (Microsoft Corporation)
x64-Catalog5 01 C:\Windows\System32\napinsp.dll [69120] (Microsoft Corporation)
x64-Catalog5 02 C:\Windows\System32\pnrpnsp.dll [88576] (Microsoft Corporation)
x64-Catalog5 03 C:\Windows\System32\pnrpnsp.dll [88576] (Microsoft Corporation)
x64-Catalog5 04 C:\Windows\System32\NLAapi.dll [86016] (Microsoft Corporation)
x64-Catalog5 05 C:\Windows\System32\mswsock.dll [339456] (Microsoft Corporation)
x64-Catalog5 06 C:\Windows\System32\winrnr.dll [30720] (Microsoft Corporation)
x64-Catalog5 07 C:\Windows\System32\wshbth.dll [63488] (Microsoft Corporation)
x64-Catalog5 08 C:\Program Files\Bonjour\mdnsNSP.dll [132968] (Apple Inc.)
x64-Catalog9 01 C:\Windows\System32\mswsock.dll [339456] (Microsoft Corporation)
x64-Catalog9 02 C:\Windows\System32\mswsock.dll [339456] (Microsoft Corporation)
x64-Catalog9 03 C:\Windows\System32\mswsock.dll [339456] (Microsoft Corporation)
x64-Catalog9 04 C:\Windows\System32\mswsock.dll [339456] (Microsoft Corporation)
x64-Catalog9 05 C:\Windows\System32\mswsock.dll [339456] (Microsoft Corporation)
x64-Catalog9 06 C:\Windows\System32\mswsock.dll [339456] (Microsoft Corporation)
x64-Catalog9 07 C:\Windows\System32\mswsock.dll [339456] (Microsoft Corporation)
x64-Catalog9 08 C:\Windows\System32\mswsock.dll [339456] (Microsoft Corporation)
x64-Catalog9 09 C:\Windows\System32\mswsock.dll [339456] (Microsoft Corporation)
x64-Catalog9 10 C:\Windows\System32\mswsock.dll [339456] (Microsoft Corporation)
x64-Catalog9 11 C:\Windows\System32\mswsock.dll [339456] (Microsoft Corporation)

========================= Event log errors: ===============================

Application errors:
==================
Error: (02/02/2016 11:56:02 AM) (Source: Application Error) (User: )
Description: Faulting application name: GWXUX.exe, version: 6.3.9600.18155, time stamp: 0x5661aa1f
Faulting module name: RPCRT4.dll, version: 6.3.9600.17919, time stamp: 0x558ef5ee
Exception code: 0xc0000005
Fault offset: 0x000000000000b636
Faulting process id: 0xd228
Faulting application start time: 0xGWXUX.exe0
Faulting application path: GWXUX.exe1
Faulting module path: GWXUX.exe2
Report Id: GWXUX.exe3
Faulting package full name: GWXUX.exe4
Faulting package-relative application ID: GWXUX.exe5

Error: (02/01/2016 02:54:22 PM) (Source: Application Hang) (User: )
Description: The program LiveComm.exe version 17.5.9600.20911 stopped interacting with Windows and was closed. To see if more information about the problem is available, check the problem history in the Action Center control panel.

Process ID: d414

Start Time: 01d15d299e22f653

Termination Time: 4294967295

Application Path: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.5.9600.20911_x64__8wekyb3d8bbwe\LiveComm.exe

Report Id: 918a8201-c91d-11e5-828f-543530bd9918

Faulting package full name: microsoft.windowscommunicationsapps_17.5.9600.20911_x64__8wekyb3d8bbwe

Faulting package-relative application ID: ppleae38af2e007f4358a809ac99a64a67c1

Error: (01/28/2016 09:53:01 AM) (Source: Application Error) (User: )
Description: Faulting application name: mbamservice.exe, version: 3.2.19.0, time stamp: 0x55e84649
Faulting module name: mbamservice.exe, version: 3.2.19.0, time stamp: 0x55e84649
Exception code: 0x40000015
Fault offset: 0x000ad2a6
Faulting process id: 0x344
Faulting application start time: 0xmbamservice.exe0
Faulting application path: mbamservice.exe1
Faulting module path: mbamservice.exe2
Report Id: mbamservice.exe3
Faulting package full name: mbamservice.exe4
Faulting package-relative application ID: mbamservice.exe5

Error: (01/24/2016 10:53:23 AM) (Source: Application Hang) (User: )
Description: The program firefox.exe version 43.0.4.5848 stopped interacting with Windows and was closed. To see if more information about the problem is available, check the problem history in the Action Center control panel.

Process ID: 4a24

Start Time: 01d1551c18e643d8

Termination Time: 4294967295

Application Path: C:\Program Files (x86)\Mozilla Firefox\firefox.exe

Report Id: 983e08c2-c2b2-11e5-828f-543530bd9918

Faulting package full name:

Faulting package-relative application ID:

Error: (01/24/2016 10:53:23 AM) (Source: Application Error) (User: )
Description: Faulting application name: plugin-container.exe, version: 43.0.4.5848, time stamp: 0x568c88bd
Faulting module name: mozglue.dll, version: 43.0.4.5848, time stamp: 0x568c7b16
Exception code: 0x80000003
Fault offset: 0x0000ed44
Faulting process id: 0xcc8
Faulting application start time: 0xplugin-container.exe0
Faulting application path: plugin-container.exe1
Faulting module path: plugin-container.exe2
Report Id: plugin-container.exe3
Faulting package full name: plugin-container.exe4
Faulting package-relative application ID: plugin-container.exe5

Error: (01/22/2016 08:53:08 AM) (Source: Microsoft-Windows-LocationProvider) (User: NT AUTHORITY)
Description: There was an error with the Windows Location Provider database

Error: (01/20/2016 01:27:46 PM) (Source: Application Error) (User: )
Description: Faulting application name: plugin-container.exe, version: 43.0.4.5848, time stamp: 0x568c88bd
Faulting module name: mozglue.dll, version: 43.0.4.5848, time stamp: 0x568c7b16
Exception code: 0x80000003
Fault offset: 0x0000ed44
Faulting process id: 0x312c
Faulting application start time: 0xplugin-container.exe0
Faulting application path: plugin-container.exe1
Faulting module path: plugin-container.exe2
Report Id: plugin-container.exe3
Faulting package full name: plugin-container.exe4
Faulting package-relative application ID: plugin-container.exe5

Error: (01/20/2016 01:27:43 PM) (Source: Application Error) (User: )
Description: Faulting application name: plugin-container.exe, version: 43.0.4.5848, time stamp: 0x568c88bd
Faulting module name: mozglue.dll, version: 43.0.4.5848, time stamp: 0x568c7b16
Exception code: 0x80000003
Fault offset: 0x0000ed44
Faulting process id: 0x3c18
Faulting application start time: 0xplugin-container.exe0
Faulting application path: plugin-container.exe1
Faulting module path: plugin-container.exe2
Report Id: plugin-container.exe3
Faulting package full name: plugin-container.exe4
Faulting package-relative application ID: plugin-container.exe5

Error: (01/16/2016 10:21:26 AM) (Source: Application Error) (User: )
Description: Faulting application name: mbam.exe, version: 2.3.125.0, time stamp: 0x5612a56b
Faulting module name: MSVCR100.dll, version: 10.0.40219.325, time stamp: 0x4df2be1e
Exception code: 0x40000015
Fault offset: 0x0008d6fd
Faulting process id: 0x6d8
Faulting application start time: 0xmbam.exe0
Faulting application path: mbam.exe1
Faulting module path: mbam.exe2
Report Id: mbam.exe3
Faulting package full name: mbam.exe4
Faulting package-relative application ID: mbam.exe5

Error: (01/11/2016 08:06:28 PM) (Source: Application Error) (User: )
Description: Faulting application name: Explorer.EXE, version: 6.3.9600.17667, time stamp: 0x54c6f7c2
Faulting module name: combase.dll, version: 6.3.9600.17415, time stamp: 0x545044f9
Exception code: 0xc0000005
Fault offset: 0x00000000001aa132
Faulting process id: 0xcb4
Faulting application start time: 0xExplorer.EXE0
Faulting application path: Explorer.EXE1
Faulting module path: Explorer.EXE2
Report Id: Explorer.EXE3
Faulting package full name: Explorer.EXE4
Faulting package-relative application ID: Explorer.EXE5


System errors:
=============
Error: (02/05/2016 09:35:54 AM) (Source: Schannel) (User: NT AUTHORITY)
Description: A fatal alert was generated and sent to the remote endpoint. This may result in termination of the connection. The TLS protocol defined fatal error code is 43. The Windows SChannel error state is 252.

Error: (02/05/2016 09:35:54 AM) (Source: Schannel) (User: NT AUTHORITY)
Description: A fatal alert was generated and sent to the remote endpoint. This may result in termination of the connection. The TLS protocol defined fatal error code is 43. The Windows SChannel error state is 252.

Error: (02/01/2016 01:57:50 PM) (Source: Schannel) (User: NT AUTHORITY)
Description: A fatal alert was generated and sent to the remote endpoint. This may result in termination of the connection. The TLS protocol defined fatal error code is 10. The Windows SChannel error state is 10.

Error: (02/01/2016 01:57:50 PM) (Source: Schannel) (User: NT AUTHORITY)
Description: A fatal alert was generated and sent to the remote endpoint. This may result in termination of the connection. The TLS protocol defined fatal error code is 10. The Windows SChannel error state is 10.

Error: (02/01/2016 01:57:49 PM) (Source: Schannel) (User: NT AUTHORITY)
Description: A fatal alert was generated and sent to the remote endpoint. This may result in termination of the connection. The TLS protocol defined fatal error code is 10. The Windows SChannel error state is 10.

Error: (02/01/2016 01:56:13 PM) (Source: Schannel) (User: NT AUTHORITY)
Description: A fatal alert was generated and sent to the remote endpoint. This may result in termination of the connection. The TLS protocol defined fatal error code is 10. The Windows SChannel error state is 10.

Error: (02/01/2016 01:56:13 PM) (Source: Schannel) (User: NT AUTHORITY)
Description: A fatal alert was generated and sent to the remote endpoint. This may result in termination of the connection. The TLS protocol defined fatal error code is 10. The Windows SChannel error state is 10.

Error: (02/01/2016 01:56:13 PM) (Source: Schannel) (User: NT AUTHORITY)
Description: A fatal alert was generated and sent to the remote endpoint. This may result in termination of the connection. The TLS protocol defined fatal error code is 10. The Windows SChannel error state is 10.

Error: (02/01/2016 01:55:53 PM) (Source: Schannel) (User: NT AUTHORITY)
Description: A fatal alert was generated and sent to the remote endpoint. This may result in termination of the connection. The TLS protocol defined fatal error code is 10. The Windows SChannel error state is 10.

Error: (02/01/2016 01:55:53 PM) (Source: Schannel) (User: NT AUTHORITY)
Description: A fatal alert was generated and sent to the remote endpoint. This may result in termination of the connection. The TLS protocol defined fatal error code is 10. The Windows SChannel error state is 10.


Microsoft Office Sessions:
=========================
Error: (02/02/2016 11:56:02 AM) (Source: Application Error)(User: )
Description: GWXUX.exe6.3.9600.181555661aa1fRPCRT4.dll6.3.9600.17919558ef5eec0000005000000000000b636d22801d15dda931c7239C:\Windows\System32\GWX\GWXUX.exeC:\Windows\system32\RPCRT4.dlld7177c1d-c9cd-11e5-828f-543530bd9918

Error: (02/01/2016 02:54:22 PM) (Source: Application Hang)(User: )
Description: LiveComm.exe17.5.9600.20911d41401d15d299e22f6534294967295C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.5.9600.20911_x64__8wekyb3d8bbwe\LiveComm.exe918a8201-c91d-11e5-828f-543530bd9918microsoft.windowscommunicationsapps_17.5.9600.20911_x64__8wekyb3d8bbweppleae38af2e007f4358a809ac99a64a67c1

Error: (01/28/2016 09:53:01 AM) (Source: Application Error)(User: )
Description: mbamservice.exe3.2.19.055e84649mbamservice.exe3.2.19.055e8464940000015000ad2a634401d1506d3580f8d2C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exeC:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exed326b319-c5ce-11e5-828f-543530bd9918

Error: (01/24/2016 10:53:23 AM) (Source: Application Hang)(User: )
Description: firefox.exe43.0.4.58484a2401d1551c18e643d84294967295C:\Program Files (x86)\Mozilla Firefox\firefox.exe983e08c2-c2b2-11e5-828f-543530bd9918

Error: (01/24/2016 10:53:23 AM) (Source: Application Error)(User: )
Description: plugin-container.exe43.0.4.5848568c88bdmozglue.dll43.0.4.5848568c7b16800000030000ed44cc801d1554b067a1d0eC:\Program Files (x86)\Mozilla Firefox\plugin-container.exeC:\Program Files (x86)\Mozilla Firefox\mozglue.dll9886aee5-c2b2-11e5-828f-543530bd9918

Error: (01/22/2016 08:53:08 AM) (Source: Microsoft-Windows-LocationProvider)(User: NT AUTHORITY)
Description: -2147024883

Error: (01/20/2016 01:27:46 PM) (Source: Application Error)(User: )
Description: plugin-container.exe43.0.4.5848568c88bdmozglue.dll43.0.4.5848568c7b16800000030000ed44312c01d1523eac174384C:\Program Files (x86)\Mozilla Firefox\plugin-container.exeC:\Program Files (x86)\Mozilla Firefox\mozglue.dll7ff06e76-bfa3-11e5-828f-543530bd9918

Error: (01/20/2016 01:27:43 PM) (Source: Application Error)(User: )
Description: plugin-container.exe43.0.4.5848568c88bdmozglue.dll43.0.4.5848568c7b16800000030000ed443c1801d15388d980ab42C:\Program Files (x86)\Mozilla Firefox\plugin-container.exeC:\Program Files (x86)\Mozilla Firefox\mozglue.dll7e650f05-bfa3-11e5-828f-543530bd9918

Error: (01/16/2016 10:21:26 AM) (Source: Application Error)(User: )
Description: mbam.exe2.3.125.05612a56bMSVCR100.dll10.0.40219.3254df2be1e400000150008d6fd6d801d1506d5820bd39C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exeC:\Program Files (x86)\Malwarebytes Anti-Malware\MSVCR100.dllce6edd81-bc64-11e5-828f-543530bd9918

Error: (01/11/2016 08:06:28 PM) (Source: Application Error)(User: )
Description: Explorer.EXE6.3.9600.1766754c6f7c2combase.dll6.3.9600.17415545044f9c000000500000000001aa132cb401d142a30fdc7a53C:\Windows\Explorer.EXEC:\Windows\SYSTEM32\combase.dllb4e6e2e5-b8c8-11e5-828e-543530bd9918


CodeIntegrity Errors:
===================================
  Date: 2015-09-12 12:47:33.867
  Description: Code Integrity determined that a process (\Device\HarddiskVolume5\Program Files\Windows Defender\MsMpEng.exe) attempted to load \Device\HarddiskVolume5\Program Files\Bonjour\mdnsNSP.dll that did not meet the Custom 3 / Antimalware signing level requirements.

  Date: 2015-09-12 12:47:33.711
  Description: Code Integrity determined that a process (\Device\HarddiskVolume5\Program Files\Windows Defender\MsMpEng.exe) attempted to load \Device\HarddiskVolume5\Program Files\Bonjour\mdnsNSP.dll that did not meet the Custom 3 / Antimalware signing level requirements.


=========================== Installed Programs ============================

7-Zip 9.20 (x64 edition) (HKLM\...\{23170F69-40C1-2702-0920-000001000000}) (Version: 9.20.00.0 - Igor Pavlov)
Adobe Flash Player 20 NPAPI (HKLM-x32\...\Adobe Flash Player NPAPI) (Version: 20.0.0.286 - Adobe Systems Incorporated)
Adobe Photoshop CS6 (HKLM-x32\...\{74EB3499-8B95-4B5C-96EB-7B342F3FD0C6}) (Version: 13.0 - Adobe Systems Incorporated)
Amazon 1Button App (HKLM-x32\...\{0A7D6F3C-F2AB-48ED-BE23-99791BFF87D6}) (Version: 1.0.0.4 - Amazon)
Apple Application Support (32-bit) (HKLM-x32\...\{7FE25256-B7C1-480D-B736-10A67A833AEA}) (Version: 3.2 - Apple Inc.)
Apple Application Support (64-bit) (HKLM\...\{B255D495-4734-4E9B-B4F5-96702FD4A7B9}) (Version: 3.2 - Apple Inc.)
Apple Mobile Device Support (HKLM\...\{5D61F006-168C-4B8B-B7FD-F113C10AE0E4}) (Version: 8.2.1.3 - Apple Inc.)
Apple Software Update (HKLM-x32\...\{789A5B64-9DD9-4BA5-915A-F0FC0A1B7BFE}) (Version: 2.1.3.127 - Apple Inc.)
Arduino (HKLM-x32\...\Arduino) (Version: 1.0.6 - Arduino LLC)
Bonjour (HKLM\...\{6E3610B2-430D-4EB0-81E3-2B57E8B9DE8D}) (Version: 3.0.0.10 - Apple Inc.)
calibre (HKLM-x32\...\{0CF3C0FA-02EA-4E15-9495-1C441C0377B3}) (Version: 2.18.0 - Kovid Goyal)
Compatibility Pack for the 2007 Office system (HKLM-x32\...\{90120000-0020-0409-0000-0000000FF1CE}) (Version: 12.0.6612.1000 - Microsoft Corporation)
CyberLink Media Suite Essentials (HKLM-x32\...\InstallShield_{8F14AA37-5193-4A14-BD5B-BDF9B361AEF7}) (Version: 10.0 - CyberLink Corp.)
D3DX10 (HKLM-x32\...\{E09C4DB7-630C-4F06-A631-8EA7239923AF}) (Version: 15.4.2368.0902 - Microsoft) Hidden
Dell Backup and Recovery - Support Software (HKLM-x32\...\{A9668246-FB70-4103-A1E3-66C9BC2EFB49}) (Version: 1.6.1.2 - Dell Inc.)
Dell Backup and Recovery (HKLM-x32\...\{0ED7EE95-6A97-47AA-AD73-152C08A15B04}) (Version: 1.6.1.2 - Dell Inc.)
Dell Customer Connect (HKLM-x32\...\{124DE80C-9BFE-4D04-A8D9-69C5019DEEBF}) (Version: 1.3.28.0 - Dell Inc.)
Dell Data Vault (HKLM\...\{2E55EEFD-2162-4A7D-9158-EDB0305603A6}) (Version: 4.3.7.0 - Dell Inc.) Hidden
Dell Display Manager (HKLM-x32\...\{AC50C05D-9D57-40F5-B2EF-AC402F14312B}_is1) (Version:  - EnTech Taiwan)
Dell SupportAssist (HKLM\...\PC-Doctor for Windows) (Version: 1.2.6745.47 - Dell)
Dell SupportAssistAgent (HKLM-x32\...\{A62A2F03-3006-40CA-A3FA-C1086B2FEF5D}) (Version: 1.2.0.94 - Dell)
Dell Update (HKLM-x32\...\{DB82968B-57A4-4397-81A5-ECAB21B5DFCD}) (Version: 1.7.1015.0 - Dell Inc.)
Dell WLAN and Bluetooth Client Installation (HKLM-x32\...\{28006915-2739-4EBE-B5E8-49B25D32EB33}) (Version: 10.0 - Dell Inc.)
DYMO Label v.8 (HKLM-x32\...\DYMO Label v.8) (Version: 8.5.1.1816 - Sanford, L.P.)
EAGLE 6.5.0 (HKLM-x32\...\EAGLE 6.5.0) (Version: 6.5.0 - CadSoft Computer GmbH)
Google Chrome (HKLM-x32\...\Google Chrome) (Version: 48.0.2564.103 - Google Inc.)
Google Update Helper (HKLM-x32\...\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA}) (Version: 1.3.29.5 - Google Inc.) Hidden
Google Update Helper (HKLM-x32\...\{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}) (Version: 1.3.25.11 - Google Inc.) Hidden
HP ENVY 5640 series Basic Device Software (HKLM\...\{F829A359-6AE5-44E6-894C-D7D941A8615E}) (Version: 34.2.117.50647 - Hewlett-Packard Co.)
HP ENVY 5640 series Help (HKLM-x32\...\{B04B1DB6-0AA9-4790-95CE-5A45C8F647FD}) (Version: 34.0.0 - Hewlett Packard)
HP ENVY 5660 series Basic Device Software (HKLM\...\{2C0721C5-0CD8-46BC-9D7D-666D3B171CFF}) (Version: 34.2.117.50647 - Hewlett-Packard Co.)
HP ENVY 5660 series Help (HKLM-x32\...\{607F50D9-40BD-4F17-A584-152F563293B4}) (Version: 34.0.0 - Hewlett Packard)
HP Photo Creations (HKLM-x32\...\HP Photo Creations) (Version: 1.0.0.7702 - HP)
HP Support Solutions Framework (HKLM-x32\...\{E35601C0-BA8E-4F32-919A-C7EF4CA81F67}) (Version: 11.51.0048 - Hewlett-Packard Company)
HP Update (HKLM-x32\...\{912D30CF-F39E-4B31-AD9A-123C6B794EE2}) (Version: 5.005.002.002 - Hewlett-Packard)
HPDiagnosticAlert (HKLM-x32\...\{B6465A32-8BE9-4B38-ADC5-4B4BDDC10B0D}) (Version: 1.00.0001 - Microsoft) Hidden
iCloud (HKLM\...\{709A2D23-C25E-47B5-9268-CB6FEE648504}) (Version: 4.1.1.53 - Apple Inc.)
Intel® Management Engine Components (HKLM-x32\...\{65153EA5-8B6E-43B6-857B-C6E4FC25798A}) (Version: 9.5.14.1724 - Intel Corporation)
Intel® Processor Graphics (HKLM-x32\...\{F0E3AD40-2BBD-4360-9C76-B9AC9A5886EA}) (Version: 10.18.10.3262 - Intel Corporation)
Intel® Rapid Storage Technology (HKLM\...\{409CB30E-E457-4008-9B1A-ED1B9EA21140}) (Version: 12.8.0.1016 - Intel Corporation)
iTunes (HKLM\...\{BFEAB774-C7DC-4032-B05A-DA5F7CB7B365}) (Version: 12.2.2.25 - Apple Inc.)
Malwarebytes Anti-Malware version 2.2.0.1024 (HKLM-x32\...\Malwarebytes Anti-Malware_is1) (Version: 2.2.0.1024 - Malwarebytes)
McAfee Security Scan Plus (HKLM\...\McAfee Security Scan) (Version: 3.11.266.3 - McAfee, Inc.)
McAfee Virtual Technician (HKLM-x32\...\McAfee Virtual Technician) (Version: 7.5.0.3026 - McAfee, Inc.)
McAfee WebAdvisor (HKLM-x32\...\{35ED3F83-4BDC-4c44-8EC6-6A8301C7413A}) (Version: 4.0.141 - McAfee, Inc.)
Microsoft Office (HKLM-x32\...\{90150000-0138-0409-0000-0000000FF1CE}) (Version: 15.0.4454.1510 - Microsoft Corporation)
Microsoft Office Excel Viewer (HKLM-x32\...\{95120000-003F-0409-0000-0000000FF1CE}) (Version: 12.0.6612.1000 - Microsoft Corporation)
Microsoft Office Word Viewer 2003 (HKLM-x32\...\{90850409-6000-11D3-8CFE-0150048383C9}) (Version: 11.0.8173.0 - Microsoft Corporation)
Microsoft SQL Server 2005 Compact Edition [ENU] (HKLM-x32\...\{F0B430D1-B6AA-473D-9B06-AA3DD01FD0B8}) (Version: 3.1.0000 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (HKLM-x32\...\{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}) (Version: 8.0.61001 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (x64) (HKLM\...\{ad8a2fa1-06e7-4b0d-927d-6e54b3d31028}) (Version: 8.0.61000 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.4148 (HKLM\...\{4B6C7001-C7D6-3710-913E-5BC23FCE91E6}) (Version: 9.0.30729.4148 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.6161 (HKLM\...\{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4}) (Version: 9.0.30729.6161 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17 (HKLM-x32\...\{9A25302D-30C0-39D9-BD6F-21E6EC160475}) (Version: 9.0.30729 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148 (HKLM-x32\...\{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}) (Version: 9.0.30729.4148 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (HKLM-x32\...\{9BE518E6-ECC6-35A9-88E4-87755C07200F}) (Version: 9.0.30729.6161 - Microsoft Corporation)
Microsoft Visual C++ 2010  x64 Redistributable - 10.0.40219 (HKLM\...\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}) (Version: 10.0.40219 - Microsoft Corporation)
Microsoft Visual C++ 2010  x86 Redistributable - 10.0.40219 (HKLM-x32\...\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}) (Version: 10.0.40219 - Microsoft Corporation)
Microsoft Visual C++ 2012 Redistributable (x64) - 11.0.61030 (HKLM-x32\...\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}) (Version: 11.0.61030.0 - Microsoft Corporation)
Microsoft Visual C++ 2012 Redistributable (x86) - 11.0.61030 (HKLM-x32\...\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}) (Version: 11.0.61030.0 - Microsoft Corporation)
Microsoft Visual Studio 2010 Tools for Office Runtime (x64) (HKLM\...\Microsoft Visual Studio 2010 Tools for Office Runtime (x64)) (Version: 10.0.50903 - Microsoft Corporation)
Movie Maker (HKLM-x32\...\{5BABDA39-61CF-41EE-992D-4054B6649A9B}) (Version: 16.4.3505.0912 - Microsoft Corporation) Hidden
Movie Maker (HKLM-x32\...\{ED6C77F9-4D7E-447C-9EC0-9A212D075535}) (Version: 16.4.3505.0912 - Microsoft Corporation) Hidden
Mozilla Firefox 43.0.4 (x86 en-US) (HKLM-x32\...\Mozilla Firefox 43.0.4 (x86 en-US)) (Version: 43.0.4 - Mozilla)
Mozilla Maintenance Service (HKLM-x32\...\MozillaMaintenanceService) (Version: 43.0.4.5848 - Mozilla)
Mozilla Thunderbird 38.5.0 (x86 en-GB) (HKLM-x32\...\Mozilla Thunderbird 38.5.0 (x86 en-GB)) (Version: 38.5.0 - Mozilla)
Mozilla Thunderbird 38.5.1 (x86 en-GB) (HKCU\...\Mozilla Thunderbird 38.5.1 (x86 en-GB)) (Version: 38.5.1 - Mozilla)
NETGEAR Genie (HKLM-x32\...\NETGEAR Genie) (Version: 2.4.16.00 - NETGEAR Inc.)
OpenOffice 4.1.2 (HKLM-x32\...\{E6AD67BB-1C33-4AB3-A387-E0D48137AB70}) (Version: 4.12.9782 - Apache Software Foundation)
PDF Settings CS6 (HKLM-x32\...\{BFEAAE77-BD7F-4534-B286-9C5CB4697EB1}) (Version: 11.0 - Adobe Systems Incorporated) Hidden
PocketCloud (HKLM-x32\...\{D9752C7D-A595-4687-A0D5-362E9C311C55}) (Version: 2.7.14 - Wyse Technology)
PokerStars (HKLM-x32\...\PokerStars) (Version:  - PokerStars)
Product Improvement Study for HP ENVY 5640 series (HKLM\...\{089E0E6F-52C2-4164-9A91-1A42BDBE47B0}) (Version: 34.2.117.50647 - Hewlett-Packard Co.)
Product Improvement Study for HP ENVY 5660 series (HKLM\...\{03EDBA70-A4E9-4AC9-A76A-8EE5172684BF}) (Version: 34.2.117.50647 - Hewlett-Packard Co.)
Qualcomm Atheros Bluetooth Suite (64) (HKLM\...\{A84A4FB1-D703-48DB-89E0-68B6499D2801}) (Version: 8.0.1.304 - Qualcomm Atheros Communications)
QuickTime 7 (HKLM-x32\...\{627FFC10-CE0A-497F-BA2B-208CAC638010}) (Version: 7.77.80.95 - Apple Inc.)
ReadySHARE Vault (HKLM-x32\...\ReadySHARE Vault) (Version: 3.0 - Genie9)
Realtek Card Reader (HKLM-x32\...\{5BC2B5AB-80DE-4E83-B8CF-426902051D0A}) (Version: 6.2.9200.30164 - Realtek Semiconductor Corp.)
Realtek High Definition Audio Driver (HKLM-x32\...\{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}) (Version: 6.0.1.7016 - Realtek Semiconductor Corp.)
Recuva (HKLM\...\Recuva) (Version: 1.51 - Piriform)
SKTimeStamp (HKLM\...\{AAD52EF2-3EEB-489C-9F93-B0C1EC1D21A8}) (Version: 1.3.3 - Stefans Tools)
Stellar Phoenix Windows Data Recovery - Technical (HKLM-x32\...\Stellar Phoenix Windows Data Recovery - Technical_is1) (Version: 6.0.0.0 - Stellar Information Systems Ltd)
TextPad 7 (HKLM\...\{6A86F18E-5464-449D-A82D-667974747F38}) (Version: 7.2.0 - Helios)
TurboTax 2014 (HKLM-x32\...\TurboTax 2014) (Version: 2014.0 - Intuit, Inc)
TurboTax 2015 (HKLM-x32\...\TurboTax 2015) (Version: 2015.0 - Intuit, Inc)
Windows Live Essentials (HKLM-x32\...\WinLiveSuite) (Version: 16.4.3505.0912 - Microsoft Corporation)
WinZip 18.0 (HKLM\...\{CD95F661-A5C4-44F5-A6AA-ECDD91C240DF}) (Version: 18.0.10650 - WinZip Computing, S.L. )

========================= Devices: ================================


========================= Memory info: ===================================

Percentage of memory in use: 60%
Total physical RAM: 8108.94 MB
Available physical RAM: 3212.37 MB
Total Virtual: 12317.49 MB
Available Virtual: 3170.76 MB

========================= Partitions: =====================================

1 Drive c: (OS) (Fixed) (Total:922.84 GB) (Free:511.76 GB) NTFS
2 Drive e: (TurboTax 2015) (CDROM) (Total:0.44 GB) (Free:0 GB) CDFS
3 Drive x: (WINRETOOLS) (Fixed) (Total:0.48 GB) (Free:0.2 GB) NTFS
4 Drive y: (PBR Image) (Fixed) (Total:7.54 GB) (Free:0.74 GB) NTFS

========================= Users: ========================================

User accounts for \\OFFICE

Administrator            Guest                    neilg                    


**** End of log ****



#10 Aura

Aura
    Bleepin' Special Ops
  • Malware Response Team
  • 19,629 posts

Posted 06 February 2016 - 08:22 PM

Thank you :) Let's do a sweep using JRT, AdwCleaner and Malwarebytes.

Junkware Removal Tool (JRT)
  • Download Junkware Removal Tool (JRT) and move it to your Desktop;
  • Right-click on JRT.exe and select Run as Administrator (for Windows Vista, 7, 8, 8.1 and 10 users);
  • Press any key to launch the scan and let it complete;
  • Once the scan is complete, a log will open. Please copy/paste the content of the output log in your next reply;
AdwCleaner - Fix Mode
  • Download AdwCleaner and move it to your Desktop;
  • Right-click on AdwCleaner.exe and select Run as Administrator (for Windows Vista, 7, 8, 8.1 and 10 users);
  • Accept the EULA (I accept), let the database update, then click on Scan;
  • Let the scan complete. Once it's done, make sure that every item listed in the different tabs is checked and click on the Cleaning button. This will kill all the active processes;
  • Once the cleaning process is complete, AdwCleaner will ask to restart your computer, do it;
  • After the restart, a log will open when logging in. Please copy/paste the content of that log in your next reply;
Malwarebytes Anti-Malware - Clean Mode
  • Download and install the free version of Malwarebytes Anti-Malware
    Note: It's your choice if you want to enable the free trial of Malwarebytes Premium or not. Enabling it will give you real-time protection from the program, as well as access to all the Premium features.
    Note: If you have Malwarebytes already installed, you don't need to install it again. Simply start from the next bullet point;
  • Once Malwarebytes is installed, launch it and let it update its database. You might have to click on the Update Now button;
  • Once the database update is complete, click on the Scan tab, then select the Threat Scan button and click on Start Scan;
  • Let the scan run; the time required to complete the scan depends on your system and computer specs;
  • Once the scan is complete, make sure that the checkbox by Threat is checked (it means that every item detected is checked), then click on the Remove Selected button;
  • Click on Save Results after the deletion (in the bottom-right corner) and select Copy to clipboard. Paste the content in your next reply;
Your next reply(ies) should therefore contain:
  • Copy/pasted JRT log;
  • Copy/pasted AdwCleaner clean log;
  • Copy/pasted Malwarebytes clean log;

Security Administrator | Sysnative Windows Update Senior Analyst | Malware Hunter | @SecurityAura
My timezone UTC-05:00 (East. Coast). If I didn't reply to you within 48 hours, please send me a PM.


#11 koolcat

koolcat
  • Topic Starter
  • Members
  • 11 posts

Posted 06 February 2016 - 09:19 PM

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Malwarebytes
Version: 8.0.2 (01.06.2016)
Operating System: Windows 8.1 x64
Ran by neilg (Administrator) on Sat 02/06/2016 at 20:47:37.14
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~




File System: 0


Deleted the following from C:\Users\neilg\AppData\Roaming\Mozilla\Firefox\Profiles\xeuix6vm.default\prefs.js
user_pref(browser.search.defaultenginename.US, Secure Search);



Registry: 0





~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on Sat 02/06/2016 at 20:48:43.15
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

# AdwCleaner v5.032 - Logfile created 06/02/2016 at 20:52:52
# Updated 31/01/2016 by Xplode
# Database : 2016-02-05.1 [Server]
# Operating system : Windows 8.1  (x64)
# Username : neilg - OFFICE
# Running from : C:\Users\neilg\Downloads\AdwCleaner.exe
# Option : Cleaning
# Support : http://toolslib.net/forum

***** [ Services ] *****


***** [ Folders ] *****


***** [ Files ] *****


***** [ DLLs ] *****


***** [ Shortcuts ] *****


***** [ Scheduled tasks ] *****


***** [ Registry ] *****

[-] Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{26B19FA4-E8A1-4A1B-A163-1A1E46F830DD}
[-] Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{0A7D6F3C-F2AB-48ED-BE23-99791BFF87D6}
[-] Key Deleted : HKLM\SOFTWARE\Classes\Installer\Features\C3F6D7A0BA2FDE84EB329997B1FF786D
[-] Key Deleted : HKLM\SOFTWARE\Classes\Installer\Products\C3F6D7A0BA2FDE84EB329997B1FF786D
[-] Key Deleted : [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\C3F6D7A0BA2FDE84EB329997B1FF786D
[!] Key Not Deleted : [x64] HKLM\SOFTWARE\Classes\Installer\Products\C3F6D7A0BA2FDE84EB329997B1FF786D
[-] Key Deleted : HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\en.softonic.com
[-] Key Deleted : HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\magic-recovery-professional.en.softonic.com
[-] Key Deleted : HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\softonic.com
[-] Key Deleted : HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\winzip.en.softonic.com

***** [ Web browsers ] *****

[-] [C:\Users\neilg\AppData\Local\Google\Chrome\User Data\Default\Web Data] [Search Provider] Deleted : aol.com
[-] [C:\Users\neilg\AppData\Local\Google\Chrome\User Data\Default\Web Data] [Search Provider] Deleted : ask.com

*************************

:: "Tracing" keys removed
:: Winsock settings cleared

########## EOF - C:\AdwCleaner\AdwCleaner[C1].txt - [1931 bytes] ##########

Malwarebytes Anti-Malware
www.malwarebytes.org

Scan Date: 2/6/2016
Scan Time: 1:44 AM
Logfile:
Administrator: Yes

Version: 2.2.0.1024
Malware Database: v2016.02.06.01
Rootkit Database: v2016.01.20.01
License: Premium
Malware Protection: Enabled
Malicious Website Protection: Enabled
Self-protection: Disabled

OS: Windows 8.1
CPU: x64
File System: NTFS
User: neilg

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 369844
Time Elapsed: 11 min, 51 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled

Processes: 0
(No malicious items detected)

Modules: 0
(No malicious items detected)

Registry Keys: 0
(No malicious items detected)

Registry Values: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Folders: 0
(No malicious items detected)

Files: 0
(No malicious items detected)

Physical Sectors: 0
(No malicious items detected)


(end)



#12 Aura

Aura
    Bleepin' Special Ops
  • Malware Response Team
  • 19,629 posts

Posted 06 February 2016 - 09:21 PM

It doesn't look like you're infected to me. Let's run a final scan using EEK to be sure :)

Emsisoft Emergency Kit
Follow the instructions below to run a scan using the Emsisoft Emergency Kit.
  • Download the Emsisoft Emergency Kit and execute it. From there, click on the Extract button to extract the program in the EEK folder;
  • Once the extraction is complete, Emsisoft Emergency Kit will open and suggest that you run an online update before using the program. Click on Yes to launch it.
  • After the update, click on Malware Scan under 2. Scan and accept to let Emsisoft Emergency Kit detect PUPs (click on Yes).
  • Once the scan is complete, make sure that every item in the list is checked, and click on Quarantine selected;
  • If it asks you for a reboot to delete some items, click on Ok to reboot automatically;
  • After the restart, click on the Start Emsisoft Emergency Kit icon again on your desktop to open it;
  • This time, click on Logs;
  • From there, go under the Quarantine Log tab, and click on the Export button;
  • Save the log on your desktop, then open it, and copy/paste its content in your next reply;

Security Administrator | Sysnative Windows Update Senior Analyst | Malware Hunter | @SecurityAura
My timezone UTC-05:00 (East. Coast). If I didn't reply to you within 48 hours, please send me a PM.


#13 koolcat

koolcat
  • Topic Starter
  • Members
  • 11 posts

Posted 06 February 2016 - 09:37 PM

I've been running Mbam Premium since I had the machine and that's done a really nice job of keeping it clean.

Emsisoft Emergency Kit - Version 11.0
Quarantine log

Date    Source    Event    Detection    
2/6/2016 9:35:12 PM    Value: HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM -> DISABLETASKMGR    Moved to quarantine    Setting.DisableTaskMgr (A)    
2/6/2016 9:35:11 PM    Value: HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM -> DISABLEREGISTRYTOOLS    Moved to quarantine    Setting.DisableRegistryTools (A)    
2/6/2016 9:35:11 PM    Value: HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER -> NORUN    Moved to quarantine    Setting.NoRun (A)    
2/6/2016 9:35:11 PM    Value: HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER -> NOFOLDEROPTIONS    Moved to quarantine    Setting.NoFolderOptions (A)  



#14 Aura

Aura
    Bleepin' Special Ops
  • Malware Response Team
  • 19,629 posts

Posted 06 February 2016 - 10:09 PM

Well to me it looks like your system is pretty clean :) Since you changed your password, were there any other emails that got sent from it?

Security Administrator | Sysnative Windows Update Senior Analyst | Malware Hunter | @SecurityAura
My timezone UTC-05:00 (East. Coast). If I didn't reply to you within 48 hours, please send me a PM.


#15 koolcat

koolcat
  • Topic Starter
  • Members
  • 11 posts

Posted 07 February 2016 - 01:50 AM

At this point, I'm not positive. The reason being I only get the emails bounced back about a week after they are sent, so there could be some still bouncing around that might come back in the next few days. I'll revisit if I do get some that were sent out in the last few days.

Thank you for all your help! You've been very responsive.





