PC using unexpected data. Possible malware?



#1 ozpoppy (Members, 4 posts)

Posted 09 April 2016 - 09:52 PM

I'm trying to help my neighbour with a Windows 8.1 (64 bit) PC issue. He only gets fixed wireless in his home and has a limited data plan so has to watch his internet usage like a hawk. He has noticed that the PC currently uses about 1-1.5 GB per day whereas it used to average about 300-500 MB. 

 

I've done a few simple things like changing the wifi password (using WPA2) to check someone else isn't using it. He's the only person in the house so he can't blame other family members. I use MBAM Pro myself so I ran the free version on his PC and it didn't find any issues. He uses a free antivirus (Panda) which is kept up to date and didn't find anything wrong, and I checked that he has Windows Firewall configured.

 

I've used a couple of guides for minimising data use, e.g. setting Windows updates to prompt before installing rather than installing automatically. I've gone into the installed programs and disabled auto updates.

 

I'm now wondering if there could be a virus/spyware etc. on the PC? He hasn't noticed any slowness or excessive popups. I understand from the stickied topic that it may well not be an infection but thought it was the next thing to try and rule out.

 

Please find below the recommended FRST logs. Thanks for your time.

 

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version:05-03-2016 01
Ran by username (administrator) on LAPTOP-TM (10-04-2016 10:46:32)
Running from C:\Users\username\Desktop\z
Loaded Profiles: username (Available Profiles: username)
Platform: Windows 8.1 (X64) Language: English (United States)
Internet Explorer Version 11 (Default browser: IE)
Boot Mode: Normal
 
==================== Processes (Whitelisted) =================
 
(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)
 
(AMD) C:\Windows\System32\atiesrxx.exe
() C:\Program Files (x86)\Icoon\Icoon.exe
() C:\Program Files\ATI Technologies\ATI.ACE\a4\AdaptiveSleepService.exe
(Windows ® Win 7 DDK provider) C:\Program Files (x86)\Bluetooth Suite\AdminService.exe
(Schneider Electric (Australia) Pty Ltd) C:\Clipsal\C-Gate2\cgate.exe
(Sun Microsystems, Inc.) C:\Clipsal\C-Gate2\jre6\bin\java.exe
(Microsoft Corporation) C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe
(Clipsal Australia) C:\Clipsal\DALIcontrol\BMScheduler.exe
(SafeNet, Inc.) C:\Program Files (x86)\Common Files\SafeNet Sentinel\Sentinel Keys Server\sntlkeyssrvr.exe
(SafeNet, Inc) C:\Program Files (x86)\Common Files\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe
(SafeNet, Inc.) C:\Program Files (x86)\Common Files\SafeNet Sentinel\Sentinel Security Runtime\sntlsrtsrvr.exe
(TOSHIBA Corporation) C:\Windows\System32\usernameSrv.exe
(Microsoft Corporation) C:\Program Files\Windows Defender\MsMpEng.exe
(Toshiba Corporation) C:\Program Files\TOSHIBA\Teco\TecoService.exe
(Microsoft Corporation) C:\Program Files\Windows Defender\NisSrv.exe
(Brother Industries, Ltd.) C:\Program Files (x86)\Browny02\BrYNSvc.exe
(TODO: <Company name>) C:\Program Files (x86)\WildTangent Games\App\GamesAppIntegrationService.exe
(TOSHIBA Corporation) C:\Program Files\TOSHIBA\TOSHIBA Service Station\TMachInfo.exe
(TOSHIBA Corporation) C:\Program Files\TOSHIBA\TPHM\TPCHSrv.exe
(Microsoft Corporation) C:\Windows\System32\wimserv.exe
(TOSHIBA Corporation) C:\Program Files\TOSHIBA\Hotkey\TCrdMain_Win8.exe
(TOSHIBA Corporation) C:\Program Files\TOSHIBA\TOSHIBA Service Station\ToshibaServiceStation.exe
(Microsoft Corporation) C:\Program Files\Windows Defender\MpCmdRun.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe
 
 
==================== Registry (Whitelisted) ===========================
 
(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)
 
HKLM\...\Run: [] => [X]
HKLM\...\Run: [TSSSrv] => C:\Program Files (x86)\TOSHIBA\System Setting\TSSSrv.exe [296520 2013-09-12] (TOSHIBA Corporation)
HKLM-x32\...\Run: [GrooveMonitor] => C:\Program Files (x86)\Microsoft Office\Office12\GrooveMonitor.exe [31072 2008-10-25] (Microsoft Corporation)
HKLM-x32\...\Run: [ControlCenter4] => C:\Program Files (x86)\ControlCenter4\BrCcBoot.exe [143360 2012-09-06] (Brother Industries, Ltd.)
HKLM-x32\...\Run: [BrStsMon00] => C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe [3076096 2012-06-06] (Brother Industries, Ltd.)
HKLM-x32\...\Run: [Adobe ARM] => C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe [1022152 2014-12-20] (Adobe Systems Incorporated)
HKU\S-1-5-21-4221389110-836927709-4119758369-1001\...\MountPoints2: {024a1c43-19f2-11e4-826d-008cfa9154f9} - "E:\WD SmartWare.exe" autoplay=true
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\FAH.lnk [2015-10-26]
ShortcutTarget: FAH.lnk -> C:\Program Files\WinZip\FAH\FAHConsole.exe (Nico Mak Computing)
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\WinZip Preloader.lnk [2015-10-26]
ShortcutTarget: WinZip Preloader.lnk -> C:\Program Files\WinZip\WzPreloader.exe (WinZip Computing, S.L.)
 
==================== Internet (Whitelisted) ====================
 
(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)
 
Hosts: There are more than one entry in Hosts. See Hosts section of Addition.txt
Tcpip\Parameters: [DhcpNameServer] 192.168.1.1
Tcpip\..\Interfaces\{0AF7EF9B-3BA4-4C76-BE65-4C4A35FED14D}: [DhcpNameServer] 192.168.1.1
Tcpip\..\Interfaces\{544AFAB4-2787-43D9-99E0-670ACDFE429C}: [DhcpNameServer] 192.168.0.3
Tcpip\..\Interfaces\{617DCC97-7FBF-48DF-A88C-06E9D0ACF66B}: [DhcpNameServer] 192.168.1.1
 
Internet Explorer:
==================
HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.msn.com/?pc=MSE1
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.msn.com/?pc=MSE1
HKU\S-1-5-21-4221389110-836927709-4119758369-1001\Software\Microsoft\Internet Explorer\Main,Search Bar = hxxp://search.msn.com/spbasic.htm
SearchScopes: HKLM-x32 -> DefaultScope {20B9D1AE-AD1A-38B4-87FE-AF278DA9861D} URL = 
SearchScopes: HKU\.DEFAULT -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
SearchScopes: HKU\S-1-5-19 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
SearchScopes: HKU\S-1-5-20 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
SearchScopes: HKU\S-1-5-21-4221389110-836927709-4119758369-1001 -> DefaultScope {20B9D1AE-AD1A-38B4-87FE-AF278DA9861D} URL = 
SearchScopes: HKU\S-1-5-21-4221389110-836927709-4119758369-1001 -> {012E1000-F331-11DB-8314-0800200C9A66} URL = hxxp://www.google.com/search?q={searchTerms}
BHO: Lync Browser Helper -> {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} -> C:\Program Files (x86)\Microsoft Office\root\VFS\ProgramFilesX64\Microsoft Office\Office16\OCHelper.dll [2016-03-31] (Microsoft Corporation)
BHO: Microsoft OneDrive for Business Browser Helper -> {D0498E0A-45B7-42AE-A9AA-ABA463DBD3BF} -> C:\Program Files (x86)\Microsoft Office\root\VFS\ProgramFilesX64\Microsoft Office\Office16\GROOVEEX.DLL [2016-03-31] (Microsoft Corporation)
BHO-x32: Microsoft OneDrive for Business Browser Helper -> {D0498E0A-45B7-42AE-A9AA-ABA463DBD3BF} -> C:\Program Files (x86)\Microsoft Office\root\Office16\GROOVEEX.DLL [2016-03-31] (Microsoft Corporation)
Handler-x32: mso-minsb-roaming.16 - {83C25742-A9F7-49FB-9138-434302C88D07} - C:\Program Files (x86)\Microsoft Office\root\Office16\MSOSB.DLL [2016-03-31] (Microsoft Corporation)
Handler-x32: mso-minsb.16 - {42089D2D-912D-4018-9087-2B87803E93FB} - C:\Program Files (x86)\Microsoft Office\root\Office16\MSOSB.DLL [2016-03-31] (Microsoft Corporation)
Handler-x32: osf-roaming.16 - {42089D2D-912D-4018-9087-2B87803E93FB} - C:\Program Files (x86)\Microsoft Office\root\Office16\MSOSB.DLL [2016-03-31] (Microsoft Corporation)
Handler-x32: osf.16 - {5504BE45-A83B-4808-900A-3A5C36E7F77A} - C:\Program Files (x86)\Microsoft Office\root\Office16\MSOSB.DLL [2016-03-31] (Microsoft Corporation)
 
FireFox:
========
FF Plugin-x32: @microsoft.com/SharePoint,version=14.0 -> C:\Program Files (x86)\Microsoft Office\root\Office16\NPSPWRAP.DLL [2016-03-31] (Microsoft Corporation)
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.29.5\npGoogleUpdate3.dll [2016-02-03] (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.29.5\npGoogleUpdate3.dll [2016-02-03] (Google Inc.)
FF Plugin-x32: @videolan.org/vlc,version=2.0.0 -> C:\Program Files (x86)\VideoLAN\VLC\npvlc.dll [2014-02-05] (VideoLAN)
FF Plugin-x32: @videolan.org/vlc,version=2.1.3 -> C:\Program Files (x86)\VideoLAN\VLC\npvlc.dll [2014-02-05] (VideoLAN)
FF Plugin-x32: @WildTangent.com/GamesAppPresenceDetector,Version=1.0 -> C:\Program Files (x86)\WildTangent Games\App\BrowserIntegration\Registered\0\NP_wtapp.dll [2013-07-13] ()
FF Plugin-x32: Adobe Reader -> C:\Program Files (x86)\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll [2015-06-29] (Adobe Systems Inc.)
 
Chrome: 
=======
CHR Profile: C:\Users\username\AppData\Local\Google\Chrome\User Data\Default
CHR Extension: (YouTube) - C:\Users\username\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2015-10-01]
CHR Extension: (Google Search) - C:\Users\username\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf [2015-12-16]
CHR Extension: (Google Docs Offline) - C:\Users\username\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi [2015-12-16]
CHR Extension: (Gmail) - C:\Users\username\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2015-07-24]
CHR Extension: (e38324c56607a849663d4dbae4102007) - C:\Program Files (x86)\Google\Chrome\Application\e38324c56607a849663d4dbae4102007 [2016-02-11]
 
==================== Services (Whitelisted) ========================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
R2 A-Z Apps; C:\Program Files (x86)\Icoon\Icoon.exe [567296 2016-02-25] () [File not signed]
R2 AdaptiveSleepService; C:\Program Files\ATI Technologies\ATI.ACE\A4\AdaptiveSleepService.exe [99328 2013-08-31] () [File not signed]
R2 AtherosSvc; C:\Program Files (x86)\Bluetooth Suite\adminservice.exe [312448 2013-08-22] (Windows ® Win 7 DDK provider) [File not signed]
R3 BrYNSvc; C:\Program Files (x86)\Browny02\BrYNSvc.exe [266240 2012-06-05] (Brother Industries, Ltd.) [File not signed]
R2 CGateService; C:\Clipsal\C-Gate2\cgate.exe [3035416 2013-09-30] (Schneider Electric (Australia) Pty Ltd)
R2 ClickToRunSvc; C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe [2823920 2016-03-20] (Microsoft Corporation)
R2 DALIBuildings Scheduler; C:\Clipsal\DALIcontrol\BMScheduler.exe [49152 2012-05-14] (Clipsal Australia) [File not signed]
R2 GamesAppIntegrationService; C:\Program Files (x86)\WildTangent Games\App\GamesAppIntegrationService.exe [235008 2013-07-17] (TODO: <Company name>) [File not signed]
S3 ose; C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE [203296 2016-03-19] (Microsoft Corporation) [File not signed]
R2 SentinelKeysServer; C:\Program Files (x86)\Common Files\SafeNet Sentinel\Sentinel Keys Server\sntlkeyssrvr.exe [369952 2009-09-17] (SafeNet, Inc.)
R2 SentinelProtectionServer; C:\Program Files (x86)\Common Files\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe [1246496 2009-09-17] (SafeNet, Inc)
R2 SentinelSecurityRuntime; C:\Program Files (x86)\Common Files\SafeNet Sentinel\Sentinel Security Runtime\sntlsrtsrvr.exe [292128 2009-09-17] (SafeNet, Inc.)
S4 THAccelSvc; C:\Program Files\TOSHIBA\HDD Accelerator\THAccelSvc.exe [216976 2013-07-17] (TOSHIBA CORPORATION)
R3 WdNisSvc; C:\Program Files\Windows Defender\NisSrv.exe [366552 2015-07-07] (Microsoft Corporation)
R2 WinDefend; C:\Program Files\Windows Defender\MsMpEng.exe [23824 2015-07-07] (Microsoft Corporation)
 
===================== Drivers (Whitelisted) ==========================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
R3 AmdAS4; C:\Windows\System32\drivers\AmdAS4.sys [17504 2013-02-07] (Advanced Micro Devices, INC.)
R2 APXACC; C:\Windows\system32\DRIVERS\appexDrv.sys [219360 2013-04-18] (AppEx Networks Corporation)
R3 athr; C:\Windows\system32\DRIVERS\athwbx.sys [3858944 2013-10-24] (Qualcomm Atheros Communications, Inc.)
R3 AtiHDAudioService; C:\Windows\system32\drivers\AtihdWB6.sys [138240 2013-06-23] (Advanced Micro Devices)
S0 ebdrv; C:\Windows\System32\drivers\evbda.sys [3357024 2013-08-22] (Broadcom Corporation)
S3 FlukeNetworksUSBLAN; C:\Windows\system32\DRIVERS\fnusblan.sys [102200 2015-11-05] (Belcarra Technologies 2005)
S3 FlukeUSBLAN; C:\Windows\system32\DRIVERS\fnusblan.sys [102200 2015-11-05] (Belcarra Technologies 2005)
S3 FnetUsbDrv; C:\Windows\System32\drivers\fnetusb64.sys [17280 2015-04-03] ()
S3 hitmanpro37; C:\Windows\system32\drivers\hitmanpro37.sys [41080 2015-10-26] ()
R1 MpKsl0b4e776f; C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{B7924C19-5E94-4E1B-97E3-A634F4B968B1}\MpKsl0b4e776f.sys [44928 2016-04-10] (Microsoft Corporation)
R2 Sentinel64; C:\Windows\System32\Drivers\Sentinel64.sys [145448 2009-09-17] (SafeNet, Inc.)
S3 SNTUSB64; C:\Windows\System32\drivers\SNTUSB64.SYS [58792 2009-09-17] (SafeNet, Inc.)
R0 THAccel; C:\Windows\System32\DRIVERS\THAccel.sys [110976 2013-03-26] (TOSHIBA Corporation)
R3 Thotkey; C:\Windows\System32\drivers\Thotkey.sys [32624 2013-08-20] (Windows ® Win 7 DDK provider)
U3 TrueSight; C:\Windows\System32\drivers\TrueSight.sys [35064 2015-10-26] ()
U3 TrueSight; C:\Windows\SysWOW64\drivers\TrueSight.sys [29160 2014-08-02] ()
S0 WdBoot; C:\Windows\System32\drivers\WdBoot.sys [44560 2015-07-07] (Microsoft Corporation)
R0 WdFilter; C:\Windows\System32\drivers\WdFilter.sys [270168 2015-07-07] (Microsoft Corporation)
R2 WdNisDrv; C:\Windows\System32\Drivers\WdNisDrv.sys [114520 2015-07-07] (Microsoft Corporation)
S3 SmbDrv; \SystemRoot\system32\DRIVERS\Smb_driver_AMDASF.sys [X]
 
==================== NetSvcs (Whitelisted) ===================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
 
==================== One Month Created files and folders ========
 
(If an entry is included in the fixlist, the file/folder will be moved.)
 
2016-04-10 10:46 - 2016-04-10 10:46 - 00000000 ____D C:\FRST
2016-04-10 10:03 - 2016-04-10 10:28 - 00000000 ____D C:\Program Files (x86)\Malwarebytes Anti-Malware
2016-04-10 09:55 - 2016-04-10 10:46 - 00000000 ____D C:\Users\username\Desktop\z
2016-04-06 07:35 - 2016-04-06 07:35 - 00200530 _____ C:\Users\username\Documents\Supreme 060416.EUL
2016-04-05 11:23 - 2016-04-05 11:23 - 00036336 _____ C:\Users\username\Desktop\TIMESHEET 050416.xlsx
2016-04-05 10:00 - 2016-04-05 10:00 - 01089024 _____ C:\Users\username\Desktop\E.44 LEVEL 14 POWER & MISCELLANEOUS (05).pdf
2016-04-02 13:54 - 2016-04-02 13:54 - 00000000 ____D C:\Program Files (x86)\Malwarebytes' Anti-Malware
2016-04-02 13:51 - 2016-04-02 13:51 - 00007606 _____ C:\Users\username\AppData\Local\Resmon.ResmonCfg
2016-03-30 11:18 - 2016-03-30 11:18 - 00030279 _____ C:\Users\username\Desktop\U1225-CSV-Template TM.xltx
2016-03-15 15:20 - 2016-04-04 14:21 - 00010756 _____ C:\Users\username\Desktop\Day Sheet.xlsx
2016-03-15 07:44 - 2016-03-29 06:37 - 00010862 _____ C:\Users\username\Desktop\Time Sheet check List.xlsx
2016-03-12 09:59 - 2016-03-12 09:59 - 00594320 _____ C:\Windows\Minidump\031216-20718-01.dmp
2016-03-12 09:59 - 2016-03-12 09:59 - 00000000 ____D C:\Windows\SysWOW64\Icons
2016-03-12 09:59 - 2016-03-12 09:59 - 00000000 ____D C:\Windows\Minidump
2016-03-12 09:58 - 2016-03-12 09:58 - 690059310 _____ C:\Windows\MEMORY.DMP
2016-03-11 15:27 - 2016-03-11 15:27 - 00000000 ____D C:\Users\username\Documents\Custom Office Templates
 
==================== One Month Modified files and folders ========
 
(If an entry is included in the fixlist, the file/folder will be moved.)
 
2016-04-10 10:35 - 2013-09-13 16:26 - 00863592 _____ C:\Windows\system32\PerfStringBackup.INI
2016-04-10 10:35 - 2013-08-22 21:36 - 00000000 ____D C:\Windows\Inf
2016-04-10 10:11 - 2015-10-26 21:54 - 00000926 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2016-04-10 09:54 - 2016-02-19 07:28 - 00003276 _____ C:\Windows\System32\Tasks\MightySoft Security Service
2016-04-10 09:54 - 2015-10-26 21:55 - 00002512 _____ C:\Users\Public\Desktop\Google Chrome.lnk
2016-04-10 09:51 - 2015-10-26 21:54 - 00000922 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2016-04-10 09:51 - 2013-08-22 23:36 - 00000000 ____D C:\Windows\AppReadiness
2016-04-08 14:59 - 2013-12-09 19:48 - 00065536 _____ C:\Windows\system32\spu_storage.bin
2016-04-08 14:20 - 2014-02-08 21:09 - 00003926 _____ C:\Windows\System32\Tasks\User_Feed_Synchronization-{00E96D50-5AA1-4429-9035-A4587A315873}
2016-04-08 14:07 - 2014-05-22 13:10 - 00002376 ____H C:\Users\username\Documents\Default.rdp
2016-04-08 13:35 - 2013-08-22 23:36 - 00000000 ____D C:\Windows\system32\FxsTmp
2016-04-08 08:22 - 2013-09-14 08:56 - 00000000 ____D C:\Windows\Panther
2016-04-08 08:16 - 2016-02-13 22:21 - 00000000 ___HD C:\$WINDOWS.~BT
2016-04-08 08:03 - 2013-08-22 23:36 - 00000000 ____D C:\Windows\system32\NDF
2016-04-08 08:01 - 2014-04-11 10:09 - 00261120 ___SH C:\Users\username\Desktop\Thumbs.db
2016-04-07 15:25 - 2014-02-08 20:59 - 00000000 ____D C:\Users\username\AppData\Local\Packages
2016-04-07 14:40 - 2015-12-08 15:09 - 00000000 ____D C:\Users\username\Documents\Fluke Networks LinkWare Files
2016-04-07 13:35 - 2014-03-11 12:40 - 00757760 ___SH C:\Users\username\Documents\Thumbs.db
2016-04-06 15:14 - 2016-03-09 08:02 - 00000000 ____D C:\Users\username\Desktop\Time Sheets
2016-04-06 06:41 - 2014-10-29 08:25 - 00000000 ____D C:\Users\username\AppData\Local\CrashDumps
2016-04-02 15:08 - 2013-08-22 22:45 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2016-04-02 15:08 - 2013-08-22 21:25 - 00262144 ___SH C:\Windows\system32\config\BBI
2016-04-02 14:33 - 2015-10-26 21:03 - 00000258 __RSH C:\ProgramData\ntuser.pol
2016-04-02 14:30 - 2013-08-22 23:36 - 00000000 ____D C:\Windows\tracing
2016-04-01 11:14 - 2015-11-27 15:18 - 00028660 _____ C:\Users\username\Documents\Supreme courts.EUL
2016-04-01 10:46 - 2015-12-09 10:03 - 00062999 _____ C:\Users\username\Documents\ICT Room Lvl 10 Final.EUL
2016-03-31 13:42 - 2016-02-23 09:05 - 00271798 _____ C:\Users\username\Documents\Supreme-03-16.EUL
2016-03-31 09:05 - 2014-02-08 21:04 - 00003598 _____ C:\Windows\System32\Tasks\Optimize Start Menu Cache Files-S-1-5-21-4221389110-836927709-4119758369-1001
2016-03-31 08:17 - 2015-10-26 21:55 - 00002346 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome.lnk
2016-03-31 07:34 - 2013-08-22 23:36 - 00000000 ____D C:\ProgramData\regid.1991-06.com.microsoft
2016-03-31 07:31 - 2014-03-25 09:03 - 00000000 ____D C:\Program Files (x86)\Microsoft Office
2016-03-24 11:52 - 2013-08-22 23:20 - 00000000 ____D C:\Windows\CbsTemp
2016-03-24 11:50 - 2015-04-05 20:02 - 00000000 ___SD C:\Windows\SysWOW64\GWX
2016-03-24 11:50 - 2015-04-05 20:02 - 00000000 ___SD C:\Windows\system32\GWX
2016-03-19 10:36 - 2014-03-30 21:04 - 00000000 ____D C:\Users\username\AppData\Roaming\vlc
2016-03-14 08:41 - 2014-03-25 09:03 - 00000000 ____D C:\Users\username\AppData\Local\Microsoft Help
2016-03-14 06:34 - 2013-08-22 23:36 - 00000000 ____D C:\Windows\rescache
2016-03-11 14:55 - 2016-03-09 08:31 - 00003096 _____ C:\Windows\System32\Tasks\Microsoft OneDrive Auto Update Task-S-1-5-21-4221389110-836927709-4119758369-1001
2016-03-11 14:55 - 2016-03-09 08:31 - 00000000 ___RD C:\Users\username\OneDrive
2016-03-11 14:49 - 2013-08-22 22:44 - 00481880 _____ C:\Windows\system32\FNTCACHE.DAT
2016-03-11 13:56 - 2015-01-20 11:27 - 00000000 ____D C:\Windows\system32\appraiser
2016-03-11 06:34 - 2014-03-29 12:00 - 143659408 _____ (Microsoft Corporation) C:\Windows\system32\MRT.exe
2016-03-11 06:34 - 2014-03-29 12:00 - 00000000 ____D C:\Windows\system32\MRT
 
==================== Files in the root of some directories =======
 
2016-02-28 13:29 - 2016-02-28 18:42 - 0004608 _____ () C:\Users\username\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
2016-04-02 13:51 - 2016-04-02 13:51 - 0007606 _____ () C:\Users\username\AppData\Local\Resmon.ResmonCfg
2013-12-09 19:53 - 2013-12-09 19:53 - 0000000 ____H () C:\ProgramData\DP45977C.lfl
 
Some files in TEMP:
====================
C:\Users\username\AppData\Local\Temp\GPUpd56BC90B70.exe
C:\Users\username\AppData\Local\Temp\GPUpd56CE44410.exe
C:\Users\username\AppData\Local\Temp\GPUpd56D0D3120.exe
C:\Users\username\AppData\Local\Temp\GPUpd56D23F430.exe
C:\Users\username\AppData\Local\Temp\GPUpd56D8B97A0.exe
C:\Users\username\AppData\Local\Temp\GPUpd56E88BE30.exe
C:\Users\username\AppData\Local\Temp\hp2_upd2_v1018.exe
C:\Users\username\AppData\Local\Temp\hp_u_0508.exe
C:\Users\username\AppData\Local\Temp\libeay32.dll
C:\Users\username\AppData\Local\Temp\msvcr120.dll
C:\Users\username\AppData\Local\Temp\sqlite3.dll
 
 
==================== Bamital & volsnap =================
 
(There is no automatic fix for files that do not pass verification.)
 
C:\Windows\system32\winlogon.exe => File is digitally signed
C:\Windows\system32\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\system32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\system32\services.exe => File is digitally signed
C:\Windows\system32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\system32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\system32\rpcss.dll => File is digitally signed
C:\Windows\system32\dnsapi.dll => File is digitally signed
C:\Windows\SysWOW64\dnsapi.dll => File is digitally signed
C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed
 
 
LastRegBack: 2016-04-10 10:11
 
==================== End of FRST.txt ============================

#2 nasdaq (Malware Response Team, 40,246 posts, Montreal, QC, Canada)

Posted 10 April 2016 - 08:15 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

Press the Windows key + R on your keyboard at the same time. This will open the Run box.
Type Notepad and click OK.

Please copy the entire contents of the code box below to a new file.
 
Start

CreateRestorePoint:
EmptyTemp:
CloseProcesses:

() C:\Program Files (x86)\Icoon\Icoon.exe
HKLM\...\Run: [] => [X]
CHR Extension: (e38324c56607a849663d4dbae4102007) - C:\Program Files (x86)\Google\Chrome\Application\e38324c56607a849663d4dbae4102007 [2016-02-11]
R2 A-Z Apps; C:\Program Files (x86)\Icoon\Icoon.exe [567296 2016-02-25] () [File not signed]
S3 SmbDrv; \SystemRoot\system32\DRIVERS\Smb_driver_AMDASF.sys [X]
CustomCLSID: HKU\S-1-5-21-4221389110-836927709-4119758369-1001_Classes\CLSID\{6D2F1438-5960-4CA8-9D82-9EF900B5758C}\InprocServer32 -> C:\Program Files (x86)\TNT2\Profiles\10953\passport64.dll => No File
Task: {2F17AA9E-7B8D-4878-9C4A-D66C4F9D0B7B} - \Security Updater -> No File <==== ATTENTION
Task: {669CEA4B-EBDC-4441-A3C8-ED9B351CD540} - \Fenix Installer -> No File <==== ATTENTION
Task: {79755880-2521-44C6-B684-C77834D81F86} - System32\Tasks\A-ZApps => C:\Program Files (x86)\Icoon\Icoon.exe [2016-02-25] ()
Task: {8F95ABD0-B334-43FE-B696-167FE129EC26} - System32\Tasks\MightySoft Security Service => C:\Program Files (x86)\MightySoft Security\amjob.exe [2016-04-07] () <==== ATTENTION
Task: {AFD3F3FE-5A01-42CF-B874-2EC4BFB3F4F0} - System32\Tasks\{E90FA48A-A395-4515-93AD-F2971022E248} => pcalua.exe -a C:\Users\username\AppData\Roaming\mystartsearch\UninstallManager.exe -c  -ptid=cmi
Task: {F9C3FD21-4665-495E-9BB2-E326275FD19E} - \Softcomp Software Viewer -> No File <==== ATTENTION
AlternateDataStreams: C:\ProgramData\TEMP:373E1720 [118]
AlternateDataStreams: C:\ProgramData\TEMP:5C321E34 [127]
C:\Program Files (x86)\Icoon
C:\Program Files (x86)\MightySoft Security
C:\Users\username\AppData\Roaming\mystartsearch
C:\Users\username\AppData\Local\Temp\GPUpd56BC90B70.exe
C:\Users\username\AppData\Local\Temp\GPUpd56CE44410.exe
C:\Users\username\AppData\Local\Temp\GPUpd56D0D3120.exe
C:\Users\username\AppData\Local\Temp\GPUpd56D23F430.exe
C:\Users\username\AppData\Local\Temp\GPUpd56D8B97A0.exe
C:\Users\username\AppData\Local\Temp\GPUpd56E88BE30.exe
C:\Program Files (x86)\Google\Chrome\Application\e38324c56607a849663d4dbae4102007

End
Save the file as fixlist.txt in the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the Farbar log you have submitted.

Run FRST and click Fix only once and wait.

Restart the computer normally to reset the registry.

The tool will create a log (Fixlog.txt) please post it to your reply.
===

Please download AdwCleaner by Xplode onto your Desktop.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click the Scan button and wait for the process to complete.
  • Click the LogFile button and the report will open in Notepad.
IMPORTANT
  • If you click the Clean button, all items listed in the report will be removed.
If you find some false-positive items or programs that you wish to keep, close the AdwCleaner window.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click the Scan button and wait for the process to complete.
  • Check off the element(s) you wish to keep.
  • Click on the Clean button follow the prompts.
  • A log file will automatically open after the scan has finished.
  • Please post the content of that log file with your next answer.
  • You can find the log file at C:\AdwCleanerCx.txt (x is a number).
===

Please post the logs and let me know what problem persists with this computer.
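The reply above picks entries out of the FRST log by a handful of recurring signals: lines FRST itself tags "<==== ATTENTION", orphaned entries whose target is missing, a service with no publisher and no signature, a running process with no version info, a scheduled task that launches a binary through pcalua.exe, alternate data streams on a system folder, loose executables in %TEMP%, and a Chrome extension living outside the user's profile. The script below is an added example, not part of the thread and not code from FRST or from the Malware Response Team, that applies those same checks mechanically to FRST-style lines and emits a candidate fixlist in the Start/End form used above. The functions classify, triage and build_fixlist are names chosen here; the sample lines are copied from the FRST.txt and fixlist posted in this thread.

```python
"""Triage helper for Farbar Recovery Scan Tool (FRST) log lines.

Added example for this thread; it is not part of FRST and not code from
the thread's participants. It encodes the signals the Malware Response
Team reply acted on and turns the hits into a candidate fixlist that a
person still has to review before running FRST with it.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed input: lines copied from the FRST.txt and fixlist posted above.
SAMPLE_LOG = r"""
(AMD) C:\Windows\System32\atiesrxx.exe
() C:\Program Files (x86)\Icoon\Icoon.exe
(Microsoft Corporation) C:\Program Files\Windows Defender\MsMpEng.exe
HKLM\...\Run: [] => [X]
CHR Extension: (YouTube) - C:\Users\username\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2015-10-01]
CHR Extension: (e38324c56607a849663d4dbae4102007) - C:\Program Files (x86)\Google\Chrome\Application\e38324c56607a849663d4dbae4102007 [2016-02-11]
R2 A-Z Apps; C:\Program Files (x86)\Icoon\Icoon.exe [567296 2016-02-25] () [File not signed]
R3 BrYNSvc; C:\Program Files (x86)\Browny02\BrYNSvc.exe [266240 2012-06-05] (Brother Industries, Ltd.) [File not signed]
R2 WinDefend; C:\Program Files\Windows Defender\MsMpEng.exe [23824 2015-07-07] (Microsoft Corporation)
S3 SmbDrv; \SystemRoot\system32\DRIVERS\Smb_driver_AMDASF.sys [X]
Task: {2F17AA9E-7B8D-4878-9C4A-D66C4F9D0B7B} - \Security Updater -> No File <==== ATTENTION
Task: {8F95ABD0-B334-43FE-B696-167FE129EC26} - System32\Tasks\MightySoft Security Service => C:\Program Files (x86)\MightySoft Security\amjob.exe [2016-04-07] () <==== ATTENTION
Task: {AFD3F3FE-5A01-42CF-B874-2EC4BFB3F4F0} - System32\Tasks\{E90FA48A-A395-4515-93AD-F2971022E248} => pcalua.exe -a C:\Users\username\AppData\Roaming\mystartsearch\UninstallManager.exe -c  -ptid=cmi
AlternateDataStreams: C:\ProgramData\TEMP:373E1720 [118]
C:\Users\username\AppData\Local\Temp\GPUpd56BC90B70.exe
C:\Users\username\AppData\Local\Temp\sqlite3.dll
"""


@dataclass
class Finding:
    reason: str
    line: str


# Service/driver line: "R2 Name; path [size date] (publisher) [flags]"
SERVICE_RE = re.compile(
    r"^[RSU]\d\s+[^;]+;\s+.+?\s+\[\d+\s+[\d-]+\]\s+\((?P<pub>[^)]*)\)(?P<flags>.*)$")
# Running process line: "(publisher) C:\path\to\file.exe"
PROCESS_RE = re.compile(r"^\((?P<pub>[^)]*)\)\s+[A-Za-z]:\\.+$")
# Chrome extension line: "CHR Extension: (name) - path [date]"
CHR_EXT_RE = re.compile(r"^CHR Extension:\s+\([^)]+\)\s+-\s+(?P<path>.+?)\s+\[[\d-]+\]$")
# Loose binaries dropped in the user's temp directory
TEMP_BIN_RE = re.compile(r"\\AppData\\Local\\Temp\\[^\\]+\.(exe|dll|scr)$", re.IGNORECASE)


def classify(line: str) -> Optional[str]:
    """Return why a single FRST line deserves attention, or None if it is clean."""
    if "<==== ATTENTION" in line:
        return "flagged by FRST"
    if line.endswith("[X]") or "No File" in line:
        return "orphaned entry, target file missing"
    if "pcalua.exe -a" in line.lower():
        return "task launches a binary through pcalua.exe (compatibility-assistant launcher)"
    if line.startswith("AlternateDataStreams:"):
        return "alternate data stream on a system folder"
    if TEMP_BIN_RE.search(line):
        return "executable or DLL in %TEMP%"
    m = SERVICE_RE.match(line)
    if m:
        # Unsigned alone is weak (many OEM drivers are); unsigned AND anonymous is the signal.
        if not m.group("pub").strip() and "[File not signed]" in m.group("flags"):
            return "service with no publisher and no signature"
        return None
    m = PROCESS_RE.match(line)
    if m and not m.group("pub").strip():
        return "running process with no version info"
    m = CHR_EXT_RE.match(line)
    if m and "\\User Data\\" not in m.group("path"):
        return "Chrome extension loaded from outside the user profile"
    return None


def triage(log_text: str) -> List[Finding]:
    """Classify every non-empty line and keep the ones that fired a rule."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        reason = classify(line)
        if reason:
            findings.append(Finding(reason, line))
    return findings


FIX_HEADER = ["Start", "CreateRestorePoint:", "EmptyTemp:", "CloseProcesses:", ""]


def build_fixlist(findings: List[Finding]) -> str:
    """Candidate fixlist.txt: FRST acts on each pasted entry verbatim, so review first."""
    return "\n".join(FIX_HEADER + [f.line for f in findings] + ["", "End"])


if __name__ == "__main__":
    hits = triage(SAMPLE_LOG)
    for f in hits:
        print(f"{f.reason:75} {f.line[:60]}")
    print()
    print(build_fixlist(hits))
```

The rules are deliberately noisy: in the full log above, the AMD entry `() C:\Program Files\ATI Technologies\ATI.ACE\a4\AdaptiveSleepService.exe` would trip the "no version info" rule although it is a vendor component the reply left alone, so treat the generated fixlist as a reviewed-by-a-human starting point. Anything pasted between Start and End is removed or moved when FRST runs the fix, which is why the reply tells the poster to run Fix only once and to keep the resulting Fixlog.txt.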

#3 ozpoppy (Topic Starter, Members, 4 posts)

Posted 12 April 2016 - 06:50 AM

Apologies for not replying sooner. My neighbour has been ill since the weekend. I'll hopefully be able to try these steps later this week and post the requested logs.