Infected by WinShell ... ?


  • This topic is locked
22 replies to this topic

#1 NinjAzure

  • Members
  • 13 posts
  • OFFLINE

Posted 11 April 2016 - 04:33 PM

So I have someone (a so-called friend) identifying me in each and every IRC channel I happened to visit last month. I am sure I got infected when I camed with my so-called friend or when I accepted some image or link from this so-called friend.

 

My suspicion started getting stronger when I started noticing unusual behavior of my cursor. For example, if I want to type "Today is a wonderful day, filled with joy and happiness.", then after I have typed "Today is a wonderful " my cursor will jump into an already typed word like "wonderful", and while typing the next word, "day", I won't notice the sudden change, so something like "Today is a wodaynderful..." gets typed. I have encountered this issue only when I am using my internet.

 

Although everyone here probably knows about this, for my uneducated self I tried watching a video on hacking: https://www.youtube.com/watch?v=ZrFeiEmhwJg&nohtml5=False

I am attaching two screenshots of the video, which explain most of the content in the video.

 

[Screenshot attachment: ijaBsij.jpg]

 

 

[Screenshot attachment: VDptk9Q.jpg]

 

So, as per the first screenshot, I proceeded with Start menu > Run > msconfig, went to the Startup tab and looked under the Manufacturer column ...

 

There I happened to see WinShell, which was unknown stuff to me, so I unchecked it and restarted my PC.

 

After that I followed the second and third ways of finding out if my PC is hacked, as shown in the second screenshot of the video, and found that my PC is not hacked. But this was only after I unchecked WinShell and rebooted my PC.

 

Now when I go to Start menu > Run > msconfig, go to the Startup tab and look under the Manufacturer column ... I still see WinShell. Adding a screenshot of the same.

 

[Screenshot attachment: 1fBz5od.jpg]

 

I don't understand why it is still showing WinShell. How can I be sure that it is completely disabled/removed?

I looked up some online tools to remove this WinShell, but I am not sure which one is a safe and reliable one to go for. Moreover, I have the Quick Heal anti-virus program, installed by someone on my PC. Not sure if running another malware tool will be safe alongside this anti-virus program.

 

A few years back, I happened to run two anti-virus programs together (for some reason), which got my whole PC shut down. So, I am wondering if running any such tool to remove WinShell while I have this anti-virus program is safe or not? :mellow:

 

Sorry for the long text; I am not into computers and I try my best to educate myself on such matters since I have to use them anyhow.

Also, this is my first post here. Hope this is the right place to look for the help I am trying to find.

 

 

Attaching the related logs: FRST.txt (18.66KB), Addition.txt (21.37KB)

 

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version:10-04-2016 01
Ran by sony (administrator) on SONY-PC (12-04-2016 01:52:44)
Running from C:\Users\sony\Downloads
Loaded Profiles: sony (Available Profiles: sony)
Platform: Microsoft Windows 7 Ultimate  (X86) Language: English (United States)
Internet Explorer Version 8 (Default browser: FF)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(Quick Heal Technologies (P) Ltd.) C:\Program Files\Quick Heal\Quick Heal Internet Security\ARWSRVC.EXE
(Quick Heal Technologies (P) Ltd.) C:\Program Files\Quick Heal\Quick Heal Internet Security\SCSECSVC.EXE
(Quick Heal Technologies (P) Ltd.) C:\Program Files\Quick Heal\Quick Heal Internet Security\sapissvc.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RtHDVBg.exe
(Adobe Systems Incorporated) C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
(Microsoft Corporation) C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
(Oracle Corporation) C:\Program Files\Common Files\Java\Java Update\jusched.exe
(Microsoft Corporation) C:\Program Files\Windows Sidebar\sidebar.exe
(Quick Heal Technologies (P) Ltd.) C:\Program Files\Quick Heal\Quick Heal Internet Security\ONLINENT.EXE
(WinZip Computing, Inc.) C:\Program Files\WinZip\WZQKPICK.EXE
(Microsoft Corporation) C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
(Quick Heal Technologies (P) Ltd.) C:\Program Files\Quick Heal\Quick Heal Internet Security\opssvc.exe
(Quick Heal Technologies (P) Ltd.) C:\Program Files\Quick Heal\Quick Heal Internet Security\BDSSVC.EXE
(Quick Heal Technologies (P) Ltd.) C:\Program Files\Quick Heal\Quick Heal Internet Security\EMLPROXY.EXE
() C:\ProgramData\MobileBrServ\mbbService.exe
(Quick Heal Technologies (P) Ltd.) C:\Program Files\Quick Heal\Quick Heal Internet Security\QUHLPSVC.EXE
() C:\ProgramData\ZTEMT UDisk Service\Bin\MonServiceUDisk.exe
(Quick Heal Technologies (P) Ltd.) C:\Program Files\Quick Heal\Quick Heal Internet Security\scanwscs.exe
(Mozilla Corporation) C:\Program Files\Mozilla Firefox\firefox.exe


==================== Registry (Whitelisted) ===========================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [RtHDVBg_Dolby] => C:\Program Files\Realtek\Audio\HDA\RtHDVBg.exe [978648 2013-08-05] (Realtek Semiconductor)
HKLM\...\Run: [Adobe ARM] => C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe [843712 2012-01-03] (Adobe Systems Incorporated)
HKLM\...\Run: [GrooveMonitor] => C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe [31016 2006-10-27] (Microsoft Corporation)
HKLM\...\Run: [Quick Heal Core UI] => C:\Program Files\Quick Heal\Quick Heal Internet Security\strtupap.exe [172664 2014-07-31] (Quick Heal Technologies (P) Ltd.)
HKLM\...\Run: [SunJavaUpdateSched] => C:\Program Files\Common Files\Java\Java Update\jusched.exe [595480 2016-03-20] (Oracle Corporation)
HKLM\...\Winlogon: [Userinit] C:\Windows\system32\userinit.exe,C:\Program Files\Quick Heal\Quick Heal Internet Security\SFMDPRT.EXE
Lsa: [Notification Packages] scecli ScSecAuth
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\WinZip Quick Pick.lnk [2016-01-04]
ShortcutTarget: WinZip Quick Pick.lnk -> C:\Program Files\WinZip\WZQKPICK.EXE (WinZip Computing, Inc.)
Startup: C:\Users\sony\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk [2016-01-27]
ShortcutTarget: OneNote 2007 Screen Clipper and Launcher.lnk -> C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE (Microsoft Corporation)
Startup: C:\Users\Vaio\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Skyscape SmartUpdate.lnk [2014-08-02]
ShortcutTarget: Skyscape SmartUpdate.lnk -> C:\Program Files\Common Files\Skyscape\SmartUpdate.exe (No File)

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

ProxyEnable: [S-1-5-21-2375415596-1697628194-511936792-1000] => Proxy is enabled.
Tcpip\Parameters: [DhcpNameServer] 192.168.2.1
Tcpip\..\Interfaces\{2BAB2CF1-A404-4AC1-8BA1-4FBE2AAFDF95}: [DhcpNameServer] 192.168.2.1
Tcpip\..\Interfaces\{56593009-2737-4461-B89C-F982FAD0FFFA}: [DhcpNameServer] 192.168.1.1 192.168.1.1
Tcpip\..\Interfaces\{9178C888-8D62-453D-9E88-EF7E256DAF3E}: [DhcpNameServer] 192.168.1.1 192.168.1.1

Internet Explorer:
==================
BHO: Adobe PDF Link Helper -> {18DF081C-E8AD-4283-A596-FA578C2EBDC3} -> C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll [2012-01-03] (Adobe Systems Incorporated)
BHO: Groove GFS Browser Helper -> {72853161-30C5-4D22-B7F9-0BBC1D38A37E} -> C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll [2006-10-27] (Microsoft Corporation)
BHO: Java™ Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files\Java\jre1.8.0_77\bin\ssv.dll [2016-03-26] (Oracle Corporation)
BHO: Java™ Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files\Java\jre1.8.0_77\bin\jp2ssv.dll [2016-03-26] (Oracle Corporation)
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll [2006-10-27] (Microsoft Corporation)

FireFox:
========
FF ProfilePath: C:\Users\sony\AppData\Roaming\Mozilla\Firefox\Profiles\5idc7c1q.default
FF NetworkProxy: "ftp", "207.165.237.82"
FF NetworkProxy: "ftp_port", 3128
FF NetworkProxy: "socks", "207.165.237.82"
FF NetworkProxy: "socks_port", 3128
FF NetworkProxy: "socks_remote_dns", true
FF NetworkProxy: "ssl", "207.165.237.82"
FF NetworkProxy: "ssl_port", 3128
FF Plugin: @adobe.com/FlashPlayer -> C:\Windows\system32\Macromed\Flash\NPSWF32_20_0_0_306.dll [2016-02-24] ()
FF Plugin: @java.com/DTPlugin,version=11.77.2 -> C:\Program Files\Java\jre1.8.0_77\bin\dtplugin\npDeployJava1.dll [2016-03-26] (Oracle Corporation)
FF Plugin: @java.com/JavaPlugin,version=11.77.2 -> C:\Program Files\Java\jre1.8.0_77\bin\plugin2\npjp2.dll [2016-03-26] (Oracle Corporation)
FF Plugin: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin: @videolan.org/vlc,version=2.0.1 -> C:\Program Files\VideoLAN\VLC\npvlc.dll [2012-03-17] (VideoLAN)
FF Plugin: Adobe Reader -> C:\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll [2012-01-03] (Adobe Systems Inc.)

==================== Services (Whitelisted) ========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R2 arwsrvc; C:\Program Files\Quick Heal\Quick Heal Internet Security\arwsrvc.exe [269928 2016-01-05] (Quick Heal Technologies (P) Ltd.)
R2 Behavior Detection System; C:\Program Files\Quick Heal\Quick Heal Internet Security\bdssvc.exe [26728 2016-01-12] (Quick Heal Technologies (P) Ltd.)
R2 Core Mail Protection; C:\Program Files\Quick Heal\Quick Heal Internet Security\EMLPROXY.EXE [34424 2014-12-16] (Quick Heal Technologies (P) Ltd.)
R2 Core Scanning Server; C:\Program Files\Quick Heal\Quick Heal Internet Security\SAPISSVC.EXE [214632 2016-01-12] (Quick Heal Technologies (P) Ltd.)
S3 Core Scanning ServerEx; C:\Program Files\Quick Heal\Quick Heal Internet Security\SAPISSVC.EXE [214632 2016-01-12] (Quick Heal Technologies (P) Ltd.)
R2 Mobile Broadband HL Service; C:\ProgramData\MobileBrServ\mbbservice.exe [239696 2013-07-23] ()
R2 Online Protection System; C:\Program Files\Quick Heal\Quick Heal Internet Security\opssvc.exe [52864 2016-03-01] (Quick Heal Technologies (P) Ltd.)
R2 Quick Update Service; C:\Program Files\Quick Heal\Quick Heal Internet Security\quhlpsvc.exe [127608 2014-08-30] (Quick Heal Technologies (P) Ltd.)
R2 ScanWscS; C:\Program Files\Quick Heal\Quick Heal Internet Security\SCANWSCS.EXE [268152 2016-01-05] (Quick Heal Technologies (P) Ltd.)
R2 ScSecSvc; C:\Program Files\Quick Heal\Quick Heal Internet Security\ScSecSvc.exe [416888 2016-01-05] (Quick Heal Technologies (P) Ltd.)
R2 UDisk Monitor Tata; C:\ProgramData\ZTEMT UDisk Service\bin\MonServiceUDisk.exe [544768 2013-03-12] () [File not signed]
R2 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [680960 2009-07-14] (Microsoft Corporation)
S3 ACDaemon; C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe [X]

===================== Drivers (Whitelisted) ==========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R3 arwflt; C:\Windows\System32\DRIVERS\arwflt.sys [43096 2016-01-05] (Quick Heal Technologies (P) Ltd.)
R3 athr; C:\Windows\System32\DRIVERS\athr.sys [3211264 2013-07-19] (Qualcomm Atheros Communications, Inc.)
R1 bdsflt; C:\Windows\System32\DRIVERS\bdsflt.sys [236264 2016-01-12] (Quick Heal Technologies Ltd.)
R1 bdsnm; C:\Windows\System32\DRIVERS\bdsnm.sys [21096 2016-01-12] (Quick Heal Technologies Ltd.)
R1 bsfs; C:\Windows\System32\DRIVERS\bsfs.sys [43640 2016-01-05] (Quick Heal Technologies (P) Ltd.)
R3 BTWDPAN; C:\Windows\System32\DRIVERS\btwdpan.sys [71208 2010-11-15] (Broadcom Corporation.)
R2 catflt; C:\Windows\System32\DRIVERS\catflt.sys [68352 2015-07-13] (Quick Heal Technologies (P) Ltd.)
R2 EMLSS; C:\Windows\System32\drivers\emltdi.sys [32680 2015-07-13] (Quick Heal Technologies (P) Ltd.)
S3 Generalusbserialser20679; C:\Windows\System32\DRIVERS\CT_U_USBSER.sys [108544 2013-02-21] (Incorporated)
R1 ggc; C:\Windows\System32\DRIVERS\ggc.sys [60888 2015-07-13] (Quick Heal Technologies (P) Ltd.)
R0 iaStorA; C:\Windows\System32\DRIVERS\iaStorA.sys [505192 2013-08-01] (Intel Corporation)
R0 iaStorF; C:\Windows\System32\DRIVERS\iaStorF.sys [25448 2013-08-01] (Intel Corporation)
R0 iusb3hcs; C:\Windows\System32\DRIVERS\iusb3hcs.sys [16880 2013-07-18] (Intel Corporation)
S3 llio; C:\Windows\system32\DRIVERS\llio.sys [58984 2016-01-12] (Quick Heal Technologies (P) Ltd.)
S0 mscank; C:\Windows\System32\DRIVERS\mscank.sys [35136 2015-07-13] (Quick Heal Technologies (P) Ltd.)
R2 risdsnpe; C:\Windows\System32\DRIVERS\risdsne86.sys [57856 2010-08-25] (REDC)
R3 RTHDMIAzAudService; C:\Windows\System32\drivers\RtHDMIV.sys [204432 2012-06-05] (Realtek Semiconductor Corp.)
S3 SNP2UVC; C:\Windows\System32\DRIVERS\snp2uvc.sys [1760384 2009-08-20] ()
R2 webssx; C:\Windows\System32\DRIVERS\webssx.sys [47728 2015-07-13] (Quick Heal Technologies (P) Ltd.)
R1 wsnf; C:\Windows\System32\DRIVERS\wsnf.sys [65744 2015-07-13] (Quick Heal Technologies (P) Ltd.)

==================== NetSvcs (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)


==================== One Month Created files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2016-04-12 01:52 - 2016-04-12 01:53 - 00011137 _____ C:\Users\sony\Downloads\FRST.txt
2016-04-12 01:52 - 2016-04-12 01:52 - 00000000 ____D C:\FRST
2016-04-12 01:31 - 2016-04-12 01:31 - 00000000 ___HD C:\Users\sony\ScStore
2016-04-12 00:38 - 2016-04-12 00:39 - 01725952 _____ (Farbar) C:\Users\sony\Downloads\FRST.exe
2016-04-12 00:00 - 2016-04-12 00:02 - 07609152 _____ (Security Stronghold ) C:\Users\sony\Downloads\StrongholdAntiMalware.exe
2016-04-11 15:59 - 2016-04-11 15:59 - 00200294 ____N C:\Users\sony\Desktop\Sky Blue Uworld Notes.pdf
2016-04-11 15:49 - 2016-04-11 15:49 - 00969987 _____ C:\Users\sony\Downloads\Biostat-Usmle-World.pdf
2016-04-11 15:45 - 2016-04-11 15:45 - 00586229 _____ C:\Users\sony\Downloads\Step-2-Ck-High-Yield-Notes.pdf
2016-04-11 15:41 - 2016-04-11 23:46 - 00460382 _____ C:\Users\sony\Downloads\278215654-Uworld-Notes.pdf
2016-04-11 03:53 - 2016-04-11 03:53 - 00000000 ____D C:\Users\sony\Desktop\all
2016-04-11 03:51 - 2016-04-11 05:15 - 00000000 ____D C:\Users\sony\Desktop\ashu uworld
2016-04-09 19:55 - 2016-04-09 19:55 - 00000000 ____D C:\Users\sony\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\UWorld Qbank
2016-04-09 13:49 - 2016-04-09 01:38 - 00142543 _____ C:\Users\sony\Desktop\^9F1E13B82324D96B25C1208159F7A968129B1586B91A9FF070^pimgpsh_fullsize_distr.jpg
2016-04-08 14:26 - 2016-04-08 14:27 - 00000000 ____D C:\Users\sony\Desktop\New folder (2) - Copy
2016-04-08 14:05 - 2014-01-11 02:56 - 93192693 _____ C:\Users\sony\Desktop\Lippincott's Illustrated Reviews-Pharmacology 4th.CHM
2016-04-08 14:03 - 2016-04-08 14:16 - 00000000 ____D C:\Users\sony\Desktop\CS
2016-04-08 13:30 - 2016-04-08 13:30 - 00142784 _____ C:\Windows\Minidump\040816-15771-01.dmp
2016-04-08 13:30 - 2016-04-08 13:30 - 00000000 ____D C:\Windows\Minidump
2016-04-08 13:29 - 2016-04-08 13:30 - 490454590 _____ C:\Windows\MEMORY.DMP
2016-04-06 02:14 - 2016-04-06 03:09 - 192412265 _____ C:\Users\sony\Downloads\(First Aid USML) Tao Le, Vikas Bhushan, Vincent Chen, Michael King-First Aid for the USMLE Step 2 CK_ Clinical Knowledge-McGraw-Hill (2015).pdf
2016-04-05 20:44 - 2016-04-05 21:10 - 37219660 _____ C:\Users\sony\Downloads\(Master the boards) Conrad Fischer-Internal medicine_ the highest-yield review for the ABIM exam-Kaplan Publishing (2013).pdf
2016-04-02 15:00 - 2016-04-02 18:16 - 00000000 ____D C:\Users\sony\Desktop\kaplan qbank physiology
2016-04-02 14:33 - 2016-04-02 14:34 - 05918822 _____ C:\Users\sony\Downloads\Kaplan_Medical_USMLE_Medical_Ethics.pdf
2016-04-02 14:28 - 2016-03-20 19:33 - 00000000 ____D C:\Users\sony\Desktop\FA 2016 extra topics
2016-04-02 14:27 - 2016-04-02 14:27 - 03732293 _____ C:\Users\sony\Downloads\FA 2016 vs 2015 extra topics.rar
2016-04-02 14:06 - 2015-07-29 12:23 - 00000000 ____D C:\Users\sony\Desktop\UW slides
2016-04-02 13:38 - 2016-04-02 14:05 - 98691257 _____ C:\Users\sony\Downloads\step 1 UW slides.rar
2016-03-30 17:35 - 2016-03-30 17:43 - 16724738 _____ C:\Users\sony\Downloads\Patient safety - Kaplan behavioral.pdf
2016-03-26 14:20 - 2016-03-26 14:20 - 00000000 ____D C:\Program Files\Common Files\Java
2016-03-19 12:31 - 2016-03-21 13:02 - 00000000 ____D C:\Program Files\Mozilla Firefox
2016-03-18 19:13 - 2016-03-18 19:13 - 00000840 _____ C:\Users\sony\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Start Tor Messenger.lnk
2016-03-18 19:13 - 2016-03-18 19:13 - 00000792 _____ C:\Users\sony\Desktop\Start Tor Messenger.lnk
2016-03-18 19:13 - 2016-03-18 19:13 - 00000000 ____D C:\Users\sony\Desktop\Tor Messenger
2016-03-18 11:19 - 2016-03-18 11:38 - 31565264 _____ C:\Users\sony\Downloads\tormessenger-install-0.1.0b5_en-US.exe

==================== One Month Modified files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2016-04-12 01:31 - 2016-01-04 18:33 - 00000000 ____D C:\Users\sony
2016-04-12 01:31 - 2009-07-14 10:23 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2016-04-12 00:58 - 2016-01-05 20:58 - 00000476 _____ C:\Windows\Tasks\Quick Heal AntiMalware Scan.job
2016-04-12 00:58 - 2016-01-05 20:58 - 00000452 _____ C:\Windows\Tasks\Resume Quickup Download.job
2016-04-11 23:47 - 2016-01-05 20:52 - 00000000 ____D C:\Windows\system32\gprodat
2016-04-11 15:59 - 2016-02-07 19:19 - 00000060 _____ C:\Windows\wpd99.drv
2016-04-11 15:59 - 2016-02-07 19:19 - 00000000 ____D C:\ProgramData\pdf995
2016-04-11 04:53 - 2016-01-04 18:48 - 00000000 ____D C:\Users\sony\AppData\Roaming\vlc
2016-04-11 03:38 - 2016-01-05 07:59 - 00781298 _____ C:\Windows\system32\PerfStringBackup.INI
2016-04-11 03:38 - 2009-07-14 08:07 - 00000000 ____D C:\Windows\inf
2016-04-10 13:31 - 2016-02-22 15:55 - 00000000 ____D C:\Users\sony\AppData\Local\SkypePlugin
2016-04-10 13:31 - 2016-01-04 19:07 - 00000000 ____D C:\Windows\system32\appmgmt
2016-04-10 13:31 - 2016-01-04 19:00 - 00000000 ____D C:\ProgramData\Skype
2016-04-10 08:54 - 2016-01-04 19:00 - 00000000 ____D C:\Users\sony\AppData\Roaming\Skype
2016-04-09 19:55 - 2016-01-06 03:05 - 00002385 _____ C:\Users\sony\Desktop\UWorld Qbank.lnk
2016-04-08 23:39 - 2009-07-14 07:34 - 00000024 _____ C:\AUTOEXEC.BAT
2016-04-08 13:29 - 2009-07-14 08:07 - 00000000 ____D C:\Windows\LiveKernelReports
2016-03-28 11:35 - 2016-03-05 21:39 - 00000000 ____D C:\Users\sony\Desktop\UpToDate
2016-03-26 20:42 - 2016-01-14 18:23 - 00000000 ____D C:\temp
2016-03-26 14:21 - 2016-01-06 03:08 - 00002381 _____ C:\Users\sony\Desktop\UWorld SimExam.lnk
2016-03-26 14:21 - 2016-01-06 03:03 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Java
2016-03-26 14:21 - 2016-01-06 03:02 - 00000000 ____D C:\ProgramData\Oracle
2016-03-26 14:21 - 2016-01-06 03:02 - 00000000 ____D C:\Program Files\Java
2016-03-26 14:20 - 2016-01-06 03:03 - 00095808 _____ (Oracle Corporation) C:\Windows\system32\WindowsAccessBridge.dll
2016-03-26 14:20 - 2016-01-06 03:03 - 00000000 ____D C:\Users\sony\.oracle_jre_usage
2016-03-23 14:07 - 2009-07-14 10:04 - 00016944 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2016-03-23 14:07 - 2009-07-14 10:04 - 00016944 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2016-03-21 13:02 - 2016-01-06 00:35 - 00000000 ____D C:\Program Files\Mozilla Maintenance Service
2016-03-17 23:38 - 2016-01-08 16:32 - 00000000 ____D C:\Users\sony\Desktop\Tor Browser

==================== Files in the root of some directories =======

2016-01-06 03:09 - 2016-01-06 03:09 - 0033134 _____ () C:\Users\sony\AppData\Roaming\UserTile.png
2016-01-04 18:45 - 2016-01-04 18:45 - 0000000 ____H () C:\ProgramData\DP45977C.lfl

Some files in TEMP:
====================
C:\Users\sony\AppData\Local\Temp\jre-8u73-windows-au.exe
C:\Users\sony\AppData\Local\Temp\jre-8u77-windows-au.exe
C:\Users\sony\AppData\Local\Temp\ose00000.exe
C:\Users\sony\AppData\Local\Temp\pslist.exe
C:\Users\sony\AppData\Local\Temp\SkypeSetup.exe


==================== Bamital & volsnap =================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\explorer.exe => File is digitally signed
C:\Windows\system32\winlogon.exe => File is digitally signed
C:\Windows\system32\wininit.exe => File is digitally signed
C:\Windows\system32\svchost.exe => File is digitally signed
C:\Windows\system32\services.exe => File is digitally signed
C:\Windows\system32\User32.dll => MD5 is legit
C:\Windows\system32\userinit.exe => File is digitally signed
C:\Windows\system32\rpcss.dll => File is digitally signed
C:\Windows\system32\dnsapi.dll => File is digitally signed
C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed


LastRegBack: 2016-04-08 00:41

==================== End of FRST.txt ============================

Additional scan result of Farbar Recovery Scan Tool (x86) Version:10-04-2016 01
Ran by sony (2016-04-12 01:53:27)
Running from C:\Users\sony\Downloads
Microsoft Windows 7 Ultimate  (X86) (2016-01-04 13:03:34)
Boot Mode: Normal
==========================================================


==================== Accounts: =============================

Administrator (S-1-5-21-2375415596-1697628194-511936792-500 - Administrator - Disabled)
Guest (S-1-5-21-2375415596-1697628194-511936792-501 - Limited - Disabled)
sony (S-1-5-21-2375415596-1697628194-511936792-1000 - Administrator - Enabled) => C:\Users\sony

==================== Security Center ========================

(If an entry is included in the fixlist, it will be removed.)

AV: Quick Heal Internet Security (Enabled - Up to date) {60EE5BF4-3309-ABA7-3A00-C88B68B340E6}
AS: Quick Heal Internet Security (Enabled - Up to date) {DB8FBA10-1533-A429-00B0-F3F913340A5B}
AS: Windows Defender (Enabled - Out of date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
FW: Quick Heal Firewall (Enabled) {58D5DAD1-7966-AAFF-115F-61BE9660079D}

==================== Installed Programs ======================

(Only the adware programs with "Hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)

7-Zip 4.44 beta (HKLM\...\7-Zip) (Version:  - )
Acrobat.com (Version: 0.0.0 - Adobe Systems Incorporated) Hidden
Adobe Flash Player 20 NPAPI (HKLM\...\Adobe Flash Player NPAPI) (Version: 20.0.0.306 - Adobe Systems Incorporated)
Adobe Reader X (10.1.2) (HKLM\...\{AC76BA86-7AD7-1033-7B44-AA1000000001}) (Version: 10.1.2 - Adobe Systems Incorporated)
Java 8 Update 77 (HKLM\...\{26A24AE4-039D-4CA4-87B4-2F83218077F0}) (Version: 8.0.770.3 - Oracle Corporation)
Microsoft .NET Framework 4.5.2 (HKLM\...\{92FB6C44-E685-45AD-9B20-CADF4CABA132} - 1033) (Version: 4.5.51209 - Microsoft Corporation)
Microsoft Office Enterprise 2007 (HKLM\...\ENTERPRISE) (Version: 12.0.4518.1014 - Microsoft Corporation)
Mobile Broadband HL Service (HKLM\...\Mobile Broadband HL Service) (Version: 22.001.21.00.113 - Huawei Technologies Co.,Ltd)
Mozilla Firefox 45.0.1 (x86 en-US) (HKLM\...\Mozilla Firefox 45.0.1 (x86 en-US)) (Version: 45.0.1 - Mozilla)
Mozilla Maintenance Service (HKLM\...\MozillaMaintenanceService) (Version: 45.0.1.5918 - Mozilla)
Pdf995 (HKLM\...\Pdf995) (Version: 16.0s - )
Photon Plus (HKLM\...\ZTEMTCardPhotonPlus_is1) (Version: 1.2.5 - ZTE Corporation)
Quick Heal Internet Security (HKLM\...\Quick Heal Internet Security) (Version: 16.00 - Quick Heal Technologies Pvt. Ltd.)
Quick Heal Internet Security (Version: 16.00 - Quick Heal) Hidden
Quip (HKU\S-1-5-21-2375415596-1697628194-511936792-1000\...\Quip) (Version: 4.4.12 - Quip)
Realtek HDMI Audio Driver for ATI (HKLM\...\{5449FB4F-1802-4D5B-A6D8-087DB1142147}) (Version: 6.0.1.6650 - Realtek Semiconductor Corp.)
Realtek High Definition Audio Driver (HKLM\...\{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}) (Version: 6.0.1.7010 - Realtek Semiconductor Corp.)
VLC media player 2.0.1 (HKLM\...\VLC media player) (Version: 2.0.1 - VideoLAN)
WinRAR archiver (HKLM\...\WinRAR archiver) (Version:  - )
WinZip (HKLM\...\WinZip) (Version:  9.0 SR-1 (6224) - WinZip Computing, Inc.)
ZTEMTCardTataDriver (HKLM\...\ZTEMTDataCardDriver_is1) (Version:  - )

==================== Custom CLSID (Whitelisted): ==========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)


==================== Scheduled Tasks (Whitelisted) =============

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

Task: {17F97303-2F8A-49A4-A053-0455F8B0CBAF} - System32\Tasks\Quick Heal AntiMalware Scan => C:\Program Files\Quick Heal\Quick Heal Internet Security\ASMAIN.EXE [2015-07-21] (Quick Heal Technologies (P) Ltd.)
Task: {D5A944B3-4DC6-414E-BB1A-FB9D0F5FF19D} - System32\Tasks\Resume Quickup Download => C:\Program Files\Quick Heal\Quick Heal Internet Security\ACAPPAA.EXE [2014-06-06] (Quick Heal Technologies (P) Ltd.)

(If an entry is included in the fixlist, the task (.job) file will be moved. The file which is running by the task will not be moved.)

Task: C:\Windows\Tasks\Quick Heal AntiMalware Scan.job => C:\Program Files\Quick Heal\Quick Heal Internet Security\ASMAIN.EXE
Task: C:\Windows\Tasks\Resume Quickup Download.job => C:\Program Files\Quick Heal\Quick Heal Internet Security\ACAPPAA.EXE

==================== Shortcuts =============================

(The entries could be listed to be restored or removed.)

ShortcutWithArgument: C:\Users\sony\Desktop\UWorld Qbank.lnk -> C:\Program Files\Java\jre1.8.0_77\bin\javaws.exe (Oracle Corporation) -> -localfile -J-Djnlp.application.href=hxxp://www.uworld.com/clients/QbankClient.jnlp "C:\Users\sony\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\43\4c0ff0eb-33944917"
ShortcutWithArgument: C:\Users\sony\Desktop\UWorld SimExam.lnk -> C:\Program Files\Java\jre1.8.0_77\bin\javaws.exe (Oracle Corporation) -> -localfile -J-Djnlp.application.href=hxxp://www.uworld.com/Clients/simclient.jnlp "C:\Users\sony\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\42\414cfaaa-2de5e8f2"
ShortcutWithArgument: C:\Users\sony\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\UWorld SimExam\UWorld SimExam.lnk -> C:\Program Files\Java\jre1.8.0_77\bin\javaws.exe (Oracle Corporation) -> -localfile -J-Djnlp.application.href=hxxp://www.uworld.com/Clients/simclient.jnlp "C:\Users\sony\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\42\414cfaaa-2de5e8f2"
ShortcutWithArgument: C:\Users\sony\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\UWorld Qbank\UWorld Qbank.lnk -> C:\Program Files\Java\jre1.8.0_77\bin\javaws.exe (Oracle Corporation) -> -localfile -J-Djnlp.application.href=hxxp://www.uworld.com/clients/QbankClient.jnlp "C:\Users\sony\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\43\4c0ff0eb-33944917"

==================== Loaded Modules (Whitelisted) ==============

2016-02-07 19:19 - 2016-02-07 19:20 - 00036864 _____ () C:\Windows\System32\pdf995mon.dll
2014-09-09 14:30 - 2014-09-09 14:30 - 00065624 _____ () C:\Program Files\Quick Heal\Quick Heal Internet Security\scanapi.dll
2015-08-04 23:34 - 2016-04-07 19:56 - 00532621 _____ () C:\Program Files\Quick Heal\Quick Heal Internet Security\scansdk.dll
2015-08-06 17:11 - 2016-04-11 23:41 - 00315534 _____ () C:\Program Files\Quick Heal\Quick Heal Internet Security\platform.dll
2015-05-28 19:58 - 2016-03-25 19:11 - 00041101 _____ () C:\Program Files\Quick Heal\Quick Heal Internet Security\filesdk.dll
2012-03-02 14:02 - 2012-03-02 14:02 - 00020480 _____ () C:\Program Files\Quick Heal\Quick Heal Internet Security\DRVCOMM.DLL
2014-10-20 12:19 - 2016-03-25 19:11 - 00036954 _____ () C:\Program Files\Quick Heal\Quick Heal Internet Security\mbfswrap.dll
2015-01-07 22:09 - 2016-03-25 19:11 - 00221270 _____ () C:\Program Files\Quick Heal\Quick Heal Internet Security\disasm.dll
2016-01-05 22:24 - 2016-04-11 23:41 - 00118926 _____ () C:\Program Files\Quick Heal\Quick Heal Internet Security\dataproc.dll
2015-08-05 22:39 - 2016-04-07 19:56 - 00204938 _____ () C:\Program Files\Quick Heal\Quick Heal Internet Security\scan.dll
2012-03-02 14:02 - 2012-03-02 14:02 - 00020480 _____ () C:\Program Files\Quick Heal\Quick Heal Internet Security\VIRLIST.DLL
2015-07-16 23:20 - 2016-03-25 19:11 - 00180306 _____ () C:\Program Files\Quick Heal\Quick Heal Internet Security\boot.dll
2015-06-12 22:43 - 2016-04-07 19:56 - 00270473 _____ () C:\Program Files\Quick Heal\Quick Heal Internet Security\mltiscan.dll
2015-07-30 15:47 - 2016-04-11 23:41 - 00557196 _____ () C:\Program Files\Quick Heal\Quick Heal Internet Security\pescan.dll
2016-01-05 22:23 - 2016-04-11 23:41 - 00213128 _____ () C:\Program Files\Quick Heal\Quick Heal Internet Security\pepoly1.dll
2015-07-20 22:34 - 2016-04-07 19:56 - 00757900 _____ () C:\Program Files\Quick Heal\Quick Heal Internet Security\lzesdk.dll
2015-08-05 22:39 - 2016-04-11 23:41 - 03182727 _____ () C:\Program Files\Quick Heal\Quick Heal Internet Security\pepoly.dll
2015-08-01 18:03 - 2016-04-11 23:41 - 00340109 _____ () C:\Program Files\Quick Heal\Quick Heal Internet Security\arcvsdk.dll
2016-01-05 22:24 - 2016-04-11 23:41 - 00032909 _____ () C:\Program Files\Quick Heal\Quick Heal Internet Security\pepoly2.dll
2016-01-05 22:24 - 2016-04-11 23:41 - 00675977 _____ () C:\Program Files\Quick Heal\Quick Heal Internet Security\heurscn1.dll
2015-08-09 13:15 - 2016-04-11 23:41 - 07970953 _____ () C:\Program Files\Quick Heal\Quick Heal Internet Security\heurscan.dll
2016-01-05 22:24 - 2016-04-11 23:41 - 00282766 _____ () C:\Program Files\Quick Heal\Quick Heal Internet Security\heurscn2.dll
2015-07-29 16:38 - 2016-04-07 19:56 - 00270472 _____ () C:\Program Files\Quick Heal\Quick Heal Internet Security\dospoly.dll
2015-07-29 16:38 - 2016-04-07 19:56 - 00237709 _____ () C:\Program Files\Quick Heal\Quick Heal Internet Security\vbsscan.dll
2015-08-06 22:44 - 2016-04-11 23:41 - 01159305 _____ () C:\Program Files\Quick Heal\Quick Heal Internet Security\miscscan.dll
2015-08-01 03:09 - 2016-04-07 19:56 - 00159884 _____ () C:\Program Files\Quick Heal\Quick Heal Internet Security\olesdk.dll
2012-03-02 14:01 - 2012-03-02 14:01 - 00020480 _____ () C:\Program Files\Quick Heal\Quick Heal Internet Security\ARJSDK.DLL
2015-05-27 02:18 - 2016-03-25 19:11 - 00032856 _____ () C:\Program Files\Quick Heal\Quick Heal Internet Security\unarj32.dll
2016-01-12 22:53 - 2016-01-12 22:53 - 00025704 _____ () C:\Program Files\Quick Heal\Quick Heal Internet Security\bdsres.dll
2014-09-09 14:30 - 2014-09-09 14:30 - 00065624 _____ () C:\Program Files\Quick Heal\Quick Heal Internet Security\SCANAPI.DLL
2016-01-16 16:48 - 2013-07-23 09:17 - 00239696 _____ () C:\ProgramData\MobileBrServ\mbbservice.exe
2016-01-21 15:24 - 2013-03-12 14:54 - 00544768 _____ () C:\ProgramData\ZTEMT UDisk Service\bin\MonServiceUDisk.exe

==================== Alternate Data Streams (Whitelisted) =========

(If an entry is included in the fixlist, only the ADS will be removed.)


==================== Safe Mode (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The "AlternateShell" value will be restored.)


==================== EXE Association (Whitelisted) ===============

(If an entry is included in the fixlist, the registry item will be restored to default or removed.)


==================== Internet Explorer trusted/restricted ===============

(If an entry is included in the fixlist, it will be removed from the registry.)


==================== Hosts content: ===============================

(If needed Hosts: directive could be included in the fixlist to reset Hosts.)

2009-07-14 07:34 - 2016-04-12 00:00 - 00000824 ____A C:\Windows\system32\Drivers\etc\hosts


==================== Other Areas ============================

(Currently there is no automatic fix for this section.)

HKU\S-1-5-21-2375415596-1697628194-511936792-1000\Control Panel\Desktop\\Wallpaper -> C:\Users\sony\AppData\Roaming\Microsoft\Windows\Themes\TranscodedWallpaper.jpg
DNS Servers: 192.168.2.1
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System => (ConsentPromptBehaviorAdmin: 5) (ConsentPromptBehaviorUser: 3) (EnableLUA: 1)
Windows Firewall is disabled.

==================== MSCONFIG/TASK MANAGER disabled items ==

(Currently there is no automatic fix for this section.)

MSCONFIG\startupreg: WinShell => C:\WinShell\WinSeven.exe

==================== FirewallRules (Whitelisted) ===============

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

FirewallRules: [{438A36D2-C842-4DB9-AC2F-8BEA6DC4B571}] => (Allow) C:\Program Files\Mozilla Firefox\firefox.exe
FirewallRules: [{F1F28E20-CF88-4DA2-9F0D-CF976A8C31EE}] => (Allow) C:\Program Files\Mozilla Firefox\firefox.exe
FirewallRules: [{7C142881-D436-4076-A140-9B99605A6313}] => (Allow) C:\Windows\Microsoft.NET\Framework\v4.0.30319\SMSvcHost.exe

==================== Restore Points =========================

06-03-2016 21:22:50 Scheduled Checkpoint
14-03-2016 14:13:08 Scheduled Checkpoint
21-03-2016 19:54:47 Scheduled Checkpoint
30-03-2016 14:17:04 Scheduled Checkpoint
08-04-2016 00:36:59 Scheduled Checkpoint
10-04-2016 13:30:37 Removed Skype™ 7.21

==================== Faulty Device Manager Devices =============

Name: mscank
Description: mscank
Class Guid: {8ECC055D-047F-11D1-A537-0000F8753ED1}
Manufacturer:
Service: mscank
Problem: : This device is not present, is not working properly, or does not have all its drivers installed. (Code 24)
Resolution: The device is installed incorrectly. The problem could be a hardware failure, or a new driver might be needed.
Devices stay in this state if they have been prepared for removal.
After you remove the device, this error disappears.Remove the device, and this error should be resolved.

Name: Sony Visual Communication Camera
Description: Sony Visual Communication Camera
Class Guid: {6bdd1fc6-810f-11d0-bec7-08002be2092f}
Manufacturer: Sonix
Service: SNP2UVC
Problem: : This device is disabled. (Code 22)
Resolution: In Device Manager, click "Action", and then click "Enable Device". This starts the Enable Device wizard. Follow the instructions.


==================== Event log errors: =========================

Application errors:
==================
Error: (04/10/2016 05:45:34 PM) (Source: SideBySide) (EventID: 33) (User: )
Description: Activation context generation failed for "Microsoft.Windows.Common-Controls,language="*",processorArchitecture="amd64",publicKeyToken="6595b64144ccf1df",type="win32",version="6.0.0.0"1".
Dependent Assembly Microsoft.Windows.Common-Controls,language="*",processorArchitecture="amd64",publicKeyToken="6595b64144ccf1df",type="win32",version="6.0.0.0" could not be found.
Please use sxstrace.exe for detailed diagnosis.

Error: (04/10/2016 09:15:02 AM) (Source: SideBySide) (EventID: 33) (User: )
Description: Activation context generation failed for "Microsoft.Windows.Common-Controls,language="*",processorArchitecture="amd64",publicKeyToken="6595b64144ccf1df",type="win32",version="6.0.0.0"1".
Dependent Assembly Microsoft.Windows.Common-Controls,language="*",processorArchitecture="amd64",publicKeyToken="6595b64144ccf1df",type="win32",version="6.0.0.0" could not be found.
Please use sxstrace.exe for detailed diagnosis.

Error: (04/09/2016 03:54:31 PM) (Source: SideBySide) (EventID: 33) (User: )
Description: Activation context generation failed for "Microsoft.Windows.Common-Controls,language="*",processorArchitecture="amd64",publicKeyToken="6595b64144ccf1df",type="win32",version="6.0.0.0"1".
Dependent Assembly Microsoft.Windows.Common-Controls,language="*",processorArchitecture="amd64",publicKeyToken="6595b64144ccf1df",type="win32",version="6.0.0.0" could not be found.
Please use sxstrace.exe for detailed diagnosis.

Error: (04/05/2016 04:17:32 AM) (Source: SideBySide) (EventID: 33) (User: )
Description: Activation context generation failed for "Microsoft.Windows.Common-Controls,language="*",processorArchitecture="amd64",publicKeyToken="6595b64144ccf1df",type="win32",version="6.0.0.0"1".
Dependent Assembly Microsoft.Windows.Common-Controls,language="*",processorArchitecture="amd64",publicKeyToken="6595b64144ccf1df",type="win32",version="6.0.0.0" could not be found.
Please use sxstrace.exe for detailed diagnosis.

Error: (03/30/2016 02:12:42 PM) (Source: SideBySide) (EventID: 33) (User: )
Description: Activation context generation failed for "Microsoft.Windows.Common-Controls,language="*",processorArchitecture="amd64",publicKeyToken="6595b64144ccf1df",type="win32",version="6.0.0.0"1".
Dependent Assembly Microsoft.Windows.Common-Controls,language="*",processorArchitecture="amd64",publicKeyToken="6595b64144ccf1df",type="win32",version="6.0.0.0" could not be found.
Please use sxstrace.exe for detailed diagnosis.

Error: (03/30/2016 06:26:00 AM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: Skype.exe, version: 7.21.85.100, time stamp: 0x56d60a29
Faulting module name: Skype.exe, version: 7.21.85.100, time stamp: 0x56d60a29
Exception code: 0xc0000005
Fault offset: 0x0000beb2
Faulting process id: 0x668
Faulting application start time: 0xSkype.exe0
Faulting application path: Skype.exe1
Faulting module path: Skype.exe2
Report Id: Skype.exe3

Error: (03/30/2016 06:24:02 AM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: Skype.exe, version: 7.21.85.100, time stamp: 0x56d60a29
Faulting module name: jscript.dll, version: 5.8.7600.16385, time stamp: 0x4a5bda08
Exception code: 0xc0000005
Fault offset: 0x00024b5a
Faulting process id: 0x668
Faulting application start time: 0xSkype.exe0
Faulting application path: Skype.exe1
Faulting module path: Skype.exe2
Report Id: Skype.exe3

Error: (03/27/2016 02:58:16 PM) (Source: SideBySide) (EventID: 33) (User: )
Description: Activation context generation failed for "Microsoft.Windows.Common-Controls,language="*",processorArchitecture="amd64",publicKeyToken="6595b64144ccf1df",type="win32",version="6.0.0.0"1".
Dependent Assembly Microsoft.Windows.Common-Controls,language="*",processorArchitecture="amd64",publicKeyToken="6595b64144ccf1df",type="win32",version="6.0.0.0" could not be found.
Please use sxstrace.exe for detailed diagnosis.

Error: (03/25/2016 07:09:37 PM) (Source: SideBySide) (EventID: 33) (User: )
Description: Activation context generation failed for "Microsoft.Windows.Common-Controls,language="*",processorArchitecture="amd64",publicKeyToken="6595b64144ccf1df",type="win32",version="6.0.0.0"1".
Dependent Assembly Microsoft.Windows.Common-Controls,language="*",processorArchitecture="amd64",publicKeyToken="6595b64144ccf1df",type="win32",version="6.0.0.0" could not be found.
Please use sxstrace.exe for detailed diagnosis.

Error: (03/21/2016 07:48:41 PM) (Source: SideBySide) (EventID: 33) (User: )
Description: Activation context generation failed for "Microsoft.Windows.Common-Controls,language="*",processorArchitecture="amd64",publicKeyToken="6595b64144ccf1df",type="win32",version="6.0.0.0"1".
Dependent Assembly Microsoft.Windows.Common-Controls,language="*",processorArchitecture="amd64",publicKeyToken="6595b64144ccf1df",type="win32",version="6.0.0.0" could not be found.
Please use sxstrace.exe for detailed diagnosis.


System errors:
=============
Error: (04/11/2016 12:21:52 PM) (Source: NetBT) (EventID: 4321) (User: )
Description: The name "WORKGROUP      :1d" could not be registered on the interface with IP address 192.168.2.4.
The computer with the IP address 192.168.2.3 did not allow the name to be claimed by
this computer.

Error: (04/10/2016 05:19:41 AM) (Source: Service Control Manager) (EventID: 7022) (User: )
Description: The Windows Update service hung on starting.

Error: (04/08/2016 10:36:10 PM) (Source: BTHUSB) (EventID: 17) (User: )
Description: The local Bluetooth adapter has failed in an undetermined manner and will not be used. The driver has been unloaded.

Error: (04/08/2016 01:36:04 PM) (Source: Service Control Manager) (EventID: 7022) (User: )
Description: The Windows Update service hung on starting.

Error: (04/08/2016 01:30:43 PM) (Source: BugCheck) (EventID: 1001) (User: )
Description: 0x000000ea (0xa09bfd48, 0x00000000, 0x00000000, 0x00000000)C:\Windows\MEMORY.DMP040816-15771-01

Error: (04/08/2016 01:30:37 PM) (Source: EventLog) (EventID: 6008) (User: )
Description: The previous system shutdown at 1:29:27 PM on ‎4/‎8/‎2016 was unexpected.

Error: (04/08/2016 08:36:05 AM) (Source: Service Control Manager) (EventID: 7031) (User: )
Description: The Core Scanning ServerEx service terminated unexpectedly.  It has done this 1 time(s).  The following corrective action will be taken in 0 milliseconds: Run the configured recovery program.

Error: (04/08/2016 08:28:10 AM) (Source: BTWDPAN) (EventID: 5001) (User: )
Description: \Device\NDMP24Bluetooth Personal Area Network

Error: (04/08/2016 08:28:03 AM) (Source: BTHUSB) (EventID: 17) (User: )
Description: The local Bluetooth adapter has failed in an undetermined manner and will not be used. The driver has been unloaded.

Error: (04/08/2016 08:28:03 AM) (Source: BTWDPAN) (EventID: 5001) (User: )
Description: \Device\NDMP23Bluetooth Personal Area Network


==================== Memory info ===========================

Processor: Intel® Core™ i3 CPU M 350 @ 2.27GHz
Percentage of memory in use: 45%
Total physical RAM: 2990.1 MB
Available physical RAM: 1616.13 MB
Total Virtual: 5978.47 MB
Available Virtual: 4365.25 MB

==================== Drives ================================

Drive c: () (Fixed) (Total:226.87 GB) (Free:124.96 GB) NTFS
Drive d: (New Volume) (Fixed) (Total:225.77 GB) (Free:67.13 GB) NTFS
Drive f: (System Reserved) (Fixed) (Total:0.1 GB) (Free:0.07 GB) NTFS ==>[system with boot components (obtained from drive)]

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (MBR Code: Windows 7 or 8) (Size: 465.8 GB) (Disk ID: 8C60CBD8)
Partition 1: (Not Active) - (Size=13 GB) - (Type=27)
Partition 2: (Active) - (Size=100 MB) - (Type=07 NTFS)
Partition 3: (Not Active) - (Size=226.9 GB) - (Type=07 NTFS)
Partition 4: (Not Active) - (Size=225.8 GB) - (Type=OF Extended)

==================== End of Addition.txt ============================
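A small triage parser for the Addition.txt sections shown above, added here as an example and not FRST's own code or anything the helper ran: it splits the log on its "==== Title ====" headers and flags the points an analyst would pull from this report (firewall disabled, an msconfig-disabled startup item living outside the usual program directories, non-private DNS resolvers, allow rules for unusual paths). The trusted-root list and the severities are my assumptions, and the sample log is a constructed excerpt of the report above.

```python
"""Triage helper for an FRST Addition.txt log (added example, not FRST's own code)."""
import ipaddress
import re

# Constructed excerpt modelled on the Addition.txt posted above.
SAMPLE_LOG = r"""
==================== Other Areas ============================

(Currently there is no automatic fix for this section.)

DNS Servers: 192.168.2.1
Windows Firewall is disabled.

==================== MSCONFIG/TASK MANAGER disabled items ==

(Currently there is no automatic fix for this section.)

MSCONFIG\startupreg: WinShell => C:\WinShell\WinSeven.exe

==================== FirewallRules (Whitelisted) ===============

FirewallRules: [{438A36D2-C842-4DB9-AC2F-8BEA6DC4B571}] => (Allow) C:\Program Files\Mozilla Firefox\firefox.exe
FirewallRules: [{7C142881-D436-4076-A140-9B99605A6313}] => (Allow) C:\Windows\Microsoft.NET\Framework\v4.0.30319\SMSvcHost.exe

==================== End of Addition.txt ============================
"""

SECTION_RE = re.compile(r"^=+\s*(.+?)\s*=+$")
STARTUPREG_RE = re.compile(r"^MSCONFIG\\startupreg:\s*(?P<name>.+?)\s*=>\s*(?P<path>.+)$")
FWRULE_RE = re.compile(r"^FirewallRules: \[(?P<id>\{[^}]+\})\] => \((?P<action>\w+)\) (?P<path>.+)$")
IPV4_RE = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")
# Assumed roots where auto-start binaries normally live; anything else gets a closer look.
TRUSTED_ROOTS = ("c:\\program files\\", "c:\\program files (x86)\\", "c:\\windows\\")


def parse_sections(text):
    """Split the log into {title: [entry lines]} on its '==== Title ====' headers."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            # Bare '=====' separator lines match too but carry no title; skip them.
            title = re.sub(r"\s*\(.*?\)", "", m.group(1)).strip("=: ")
            if title:
                current, sections[title] = title, []
            continue
        # Drop blanks and FRST's parenthesised "(If an entry is included ...)" notes.
        if current is not None and line and not line.startswith("("):
            sections[current].append(line)
    return sections


def path_is_trusted(path):
    """True when a program path sits under one of the assumed trusted roots."""
    return path.strip('"').lower().startswith(TRUSTED_ROOTS)


def check_dns(lines):
    """Flag resolvers outside private address space (IPv4 only in this example)."""
    findings = []
    for line in lines:
        if not line.startswith("DNS Servers:"):
            continue
        for addr in IPV4_RE.findall(line):
            try:
                ip = ipaddress.ip_address(addr)
            except ValueError:
                findings.append(("medium", "Other Areas", f"unparseable DNS server {addr}"))
                continue
            if not ip.is_private:
                findings.append(("medium", "Other Areas", f"non-private DNS server {ip}"))
    return findings


def triage(text):
    """Return (severity, section, detail) tuples for the points a reviewer would raise."""
    sections = parse_sections(text)
    findings = []
    other = sections.get("Other Areas", [])
    if any(l.lower().startswith("windows firewall is disabled") for l in other):
        findings.append(("high", "Other Areas", "Windows Firewall is disabled"))
    findings.extend(check_dns(other))
    # A msconfig-disabled item no longer auto-starts, but its file is still on disk.
    for line in sections.get("MSCONFIG/TASK MANAGER disabled items", []):
        m = STARTUPREG_RE.match(line)
        if m and not path_is_trusted(m["path"]):
            findings.append(("high", "MSCONFIG/TASK MANAGER disabled items",
                             f"{m['name']} -> {m['path']} (non-standard location)"))
    for line in sections.get("FirewallRules", []):
        m = FWRULE_RE.match(line)
        if m and m["action"].lower() == "allow" and not path_is_trusted(m["path"]):
            findings.append(("medium", "FirewallRules", f"allow rule for {m['path']}"))
    return findings


if __name__ == "__main__":
    for severity, section, detail in triage(SAMPLE_LOG):
        print(f"[{severity}] {section}: {detail}")
```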

 





#2 Sirawit

Sirawit

    Bleepin' Brony


  • Malware Response Team
  • 4,162 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Thailand
  • Local time:06:09 PM

Posted 12 April 2016 - 04:09 AM

Hello NinjAzure and welcome to BleepingComputer! :)

 

My name is Sirawit and I'm here to help you.

 

Please note that I'm currently in training and my fixes need to be approved first; that may delay our fix a bit, but I will normally reply back within 24 hours.

 

If I don't reply after 3 days, feel free to PM me. :)

==========================================================================

Some points for you to keep in mind:

  • Backup any files that cannot be replaced. Removing malware can be unpredictable and this step can save a lot of heartaches if things don't go as planned. You can put them on a CD/DVD, external drive or a pen drive, anywhere except on the computer.
  • We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.
  • Please do not run any tools or take any steps other than those I will provide for you while we work on your computer together. I need to be certain about the state of your computer in order to provide appropriate and effective steps for you to take. Most often "well intentioned" (and usually panic driven!) independent efforts can make things much worse for both of us. If at any point you would prefer to take your own steps please let me know, I will not be offended. I would be happy to focus on the many others who are waiting in line for assistance.
  • Do not attach logs or use code boxes, just copy and paste the text.
  • Periodically update me on the condition of your computer, and provide detail in every post.
  • In the upper right hand corner of the topic you will see the Followtopic.jpg button. Click on this then choose Immediate E-Mail notification and then Proceed and you will be sent an email once I have posted a response.
  • If you do not reply to your topic after 3 days I will bump the topic, if you didn't reply in next 3 days we assume it has been abandoned and I will close it.
  • Once things seem to be working again, please do not abandon the thread. I will give an "all-clean" message at the very end with some additional information on how to stay malware-free.
  • Lastly, I would like to remind you that most members here are volunteers, and sometimes "real life" can get in the way of our malware hunt. I will notify you if I know I will need to be away for longer than 48 hours.

==========================================================================

 

I've submitted my reports to the instructor and will reply as soon as possible.

 

Thank you.


If I don't reply back to you in 2 days, feel free to send me a PM.

 

“You’re lying… just like you were lying to me before. You have to hate me. I’ve been the worst daughter in the world… you should hate me.”

“But I don’t, Nyx. Because, Nyx, I’m your mother, and a mother will always love her daughter, no matter what.” -Past sins by Pen stroke.


#3 NinjAzure

NinjAzure
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  •  

Posted 12 April 2016 - 10:13 AM

Hi Sirawit ! Thanks for replying and taking time to look up those logs.

 

 

On a side note, I would like to say that I have noticed that my online activities are being monitored. For example, this person (so called friend) - who supposedly infected my PC - can identify me on my throwaway account on reddit. Last week, it went to a whole new level, when I found myself being traced in one of my social groups on my facebook, where this person (so called friend) was trying to interact with me via some fake facebook account.

 

 

I am a total noob at this whole computer hacking thingy; I know I should not have interacted with such kind of people online, I understand it now. I am thankful that this so called friend is just having fun and not messing up my PC, which could have been possible given that this person has this kind of access to my PC.

 

 

My PC is working fine, I am able to use my PC without panicking. But, just because something isn't happening the other way, doesn't make my PC secure.

The idea that someone is monitoring your PC and you're being traced socially is very objectionable.

 

 

I don't know if my PC has any key logger installed or any desktop viewing software like TeamViewer or that sort of thing. :(

I would be very grateful for any feedback you might be able to provide regarding such doubts.

 

 

NinjAzure



#4 Sirawit

Sirawit

    Bleepin' Brony


  • Malware Response Team
  • 4,162 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Thailand
  • Local time:06:09 PM

Posted 12 April 2016 - 12:13 PM

Hi NinjAzure.

 

Your suspicion is right: WinShell is a worm, a variant of Dumpy.B, which I will guide you to remove.

 

We need to run a fix with FRST:

  • Please download the attached fixlist.txt file and save it to the same location as FRST
    Note: It's important that both files, FRST.exe/FRST64.exe and fixlist.txt are in the same location or the fix will not work
    NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system
    Attached File  fixlist.txt   680bytes   6 downloads
  • Run FRST.exe/FRST64.exe and press the Fix button just once and wait
  • If for some reason the tool needs a restart, please make sure you let the system restart normally, then let the tool complete its run
  • When finished, FRST will generate a log (Fixlog.txt and export.reg) in the same location the tool was run, please post it to your reply

==========

 

We need to search for a file with FRST:

  • Double-click on FRST.exe to open it, in the search box, type the following: user32.dll
  • Press the Search Files button, allow FRST to run
  • A log file Search.txt will appear when complete, please post this in your next reply

---------------

 

After the above steps are done, please create a new FRST log with the addition.txt box checked for me.

 

To summarize, in your next reply please include:

  • fixlog.txt
  • search.txt
  • FRST.txt
  • addition.txt
  • export.reg

 

How's your computer running now?

 

Thank you.


If I don't reply back to you in 2 days, feel free to send me a PM.

 

“You’re lying… just like you were lying to me before. You have to hate me. I’ve been the worst daughter in the world… you should hate me.”

“But I don’t, Nyx. Because, Nyx, I’m your mother, and a mother will always love her daughter, no matter what.” -Past sins by Pen stroke.


#5 NinjAzure

NinjAzure
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  •  

Posted 12 April 2016 - 02:57 PM

So Sirawit, I am hereby attaching the required files.

 

Attached File  Fixlog.txt   2.71KB   6 downloads

Attached File  Search.txt   654bytes   2 downloads

Attached File  FRST.txt   18.32KB   4 downloads

Attached File  Addition.txt   21.55KB   2 downloads

Attached File  export.reg   990bytes   2 downloads

 

 

My computer was running fine. The problem, as I understand it, is that my online social activities are being checked by someone, my computer is getting monitored, and I am not able to see my facebook the way I want to - like if I share anything on fb and make it public and then try to view it as public, I won't see my shared post the way the public would view it. Also there is the erratic behavior of my cursor I mentioned in my very first post.

 

 

I can imagine worse things could have happened, but somehow they didn't. That might be due to some personal element involved in this whole issue. Whatever the reason, I don't think it's appropriate to have such worms/bugs/viruses for any reason in anybody's computer in this day and age. That being said, I hope no one else has access to my computer and I am safe to do some online bank transactions. :warrior:

 

 

Thank you for your time for looking up all these logs.

Let me know what else I can provide to get this problem solved.

 

 

NinjAzure



#6 NinjAzure

NinjAzure
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  •  

Posted 13 April 2016 - 11:45 AM

Update : No difference in my PC after running the fix.



#7 Sirawit

Sirawit

    Bleepin' Brony


  • Malware Response Team
  • 4,162 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Thailand
  • Local time:06:09 PM

Posted 14 April 2016 - 09:09 AM

Hi NinjAzure.

 

This step will take quite a long time to finish. Be sure to spare at least 15 minutes for it to run.

 

We need to run the SFC /SCANNOW Command

The sfc /scannow command (System File Checker) scans the integrity of all protected Windows system files and replaces incorrect, corrupted, changed/modified, or damaged versions with the correct versions if possible.

Note: Be aware that if you have modified your system files, as in theming explorer/system files, running sfc /scannow will revert the system files such as explorer.exe back to their default state.

Note: Make the appropriate backups of your system files that you have modified for theming if you wish to save them before running sfc /scannow.


For Windows Vista / 7:
 

  • Click the Windows "Orb" button.
  • Type cmd.
  • Right click on the search result cmd.exe and click Run as Administrator.

 

Next:

  • Copy the following line of text and paste it into the black box.
    (right-click in the black box and choose paste)

    sfc /scannow
  • Press Enter to run the command. 
    Note: This may take a while to finish.
  • If SFC could not fix something, then run the command again to see if it may be able to fix it the next time. Sometimes it may take running the sfc /scannow command 3 or more times to completely fix everything that it's able to.

 

============

 

We need to run a fix with FRST:

  • Please download the attached fixlist.txt file and save it to the same location as FRST
    Note: It's important that both files, FRST.exe/FRST64.exe and fixlist.txt are in the same location or the fix will not work
    NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system
    Attached File  fixlist.txt   187bytes   3 downloads
  • Run FRST.exe/FRST64.exe and press the Fix button just once and wait
  • If for some reason the tool needs a restart, please make sure you let the system restart normally, then let the tool complete its run
  • When finished, FRST will generate a log (Fixlog.txt and sfcdetails.txt) in the same location the tool was run, please post it to your reply

==========

After the fix has been completed, please create a new FRST log for me.

 

After checking your log files, I found no evidence of info stealing malware. But to make sure no one can get to your account please change all of your account passwords, including your email, social networks, online banking, etc.

 

Also, please check if your weird typing issue still occurs or not. It might be a hardware issue.

 

Thank you.


If I don't reply back to you in 2 days, feel free to send me a PM.

 

“You’re lying… just like you were lying to me before. You have to hate me. I’ve been the worst daughter in the world… you should hate me.”

“But I don’t, Nyx. Because, Nyx, I’m your mother, and a mother will always love her daughter, no matter what.” -Past sins by Pen stroke.


#8 NinjAzure

NinjAzure
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  •  

Posted 14 April 2016 - 09:53 AM

 

Hi NinjAzure.

 

This step will take quite a long time to finish. Be sure to spare at least 15 minutes for it to run.

 

We need to run the SFC /SCANNOW Command

The sfc /scannow command (System File Checker) scans the integrity of all protected Windows system files and replaces incorrect, corrupted, changed/modified, or damaged versions with the correct versions if possible.

Note: Be aware that if you have modified your system files, as in theming explorer/system files, running sfc /scannow will revert the system files such as explorer.exe back to their default state.

Note: Make the appropriate backups of your system files that you have modified for theming if you wish to save them before running sfc /scannow.


For Windows Vista / 7:
 

  • Click the Windows "Orb" button.
  • Type cmd.
  • Right click on the search result cmd.exe and click Run as Administrator.

 

Next:

  • Copy the following line of text and paste it into the black box.
    (right-click in the black box and choose paste)

    sfc /scannow
  • Press Enter to run the command. 
    Note: This may take a while to finish.
  • If SFC could not fix something, then run the command again to see if it may be able to fix it the next time. Sometimes it may take running the sfc /scannow command 3 or more times to completely fix everything that it's able to.

 

 

Hi Sirawit

 

When I got this device some 5 years back I was told I had a legal Windows 7 version. Then during my warranty period my hard disk crashed. After I recovered my data, I got some cheap illegal version of Windows installed by some local IT tech.

 

 

This Jan, by mistake I sent a report to Microsoft and my illegal version of Windows was found out and my Windows crashed. So I went to the same IT tech and he said he got some Windows 7 Ultimate installed, and this time again it was cheaper and some illegal copy, and he told me not to update any new stuff, and so I made such changes in my control panel about updates. So, I am wondering whether running the SFC /SCANNOW command will detect my illegal version of Windows!?

 

NinjAzure



#9 NinjAzure

NinjAzure
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  •  

Posted 14 April 2016 - 10:04 AM

 

Hi NinjAzure.

 

After checking your log files, I found no evidence of info stealing malware. But to make sure no one can get to your account please change all of your account passwords, including your email, social networks, online banking, etc.

 

Also, please check if your weird typing issue still occurs or not. It might be a hardware issue.

 

Thank you.

 

 

 

Hi Sirawit,

 

 

Well, I suppose in Dec 2014 my device was actually hacked via some port established through the cam, and yes, it seems whatever was on my device at that time was stolen :(

 

 

I am changing my passwords of my accounts.

 

 

Well, I still feel that someone has gotten hold of my facebook. More than facebook, I feel it's my laptop/computer.

The cursor issue might be a hardware one, but the way it was happening doesn't make me feel that it has anything to do with hardware.

 

 

I have blocked my so called friend on my yahoo and skype. Not sure why this all happened. :/

 

 

NinjAzure



#10 Sirawit

Sirawit

    Bleepin' Brony


  • Malware Response Team
  • 4,162 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Thailand
  • Local time:06:09 PM

Posted 14 April 2016 - 10:23 AM

Hi NinjAzure.

 

 

 

So, I am wondering whether running the SFC /SCANNOW command will detect my illegal version of Windows!?

 

To be honest, that's likely, since Windows cracks most of the time modify system files to custom ones. But if that's the case there's nothing to worry about; Windows won't completely lock you out, in the worst case it will just display a message box at regular intervals, but nothing more than that.

 

Again, we at Bleeping Computer encourage users to use a legal Windows installation since cracked ones may pose problems in system stability, security and even legal troubles. Maybe your initial problem is caused by cracked Windows as well.

 

 

 

 

 

Well, I suppose in Dec 2014 my device was actually hacked via some port established through the cam, and yes, it seems whatever was on my device at that time was stolen :(

 

 

Could you please clarify this for me? That seems strange. What is "Established through cam"?

 

Thank you.


If I don't reply back to you in 2 days, feel free to send me a PM.

 

“You’re lying… just like you were lying to me before. You have to hate me. I’ve been the worst daughter in the world… you should hate me.”

“But I don’t, Nyx. Because, Nyx, I’m your mother, and a mother will always love her daughter, no matter what.” -Past sins by Pen stroke.


#11 NinjAzure

NinjAzure
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  •  

Posted 14 April 2016 - 10:48 AM

Hi Sirawit,

 

 

 

Maybe your initial problem is caused by cracked Windows as well.

 

 

I guess no. There was weird behavior in my text conversations on yahoo and skype long before my Windows crashed in January. And even before I got this cracked version I was already using a cracked version long back, I mean before meeting such online vulnerable people. I was not commenting on this weird behavior of text messages in my yahoo and skype since I had already asked about it before in the computer help chat a couple of months back and all I was told was that such a thing is not possible.

 

 

So, what used to happen is - I would see the sequence of text messages changed and certain "particular" messages getting deleted and then reappearing. What I was told when I tried asking - how could someone do that - is that a person needs to have access to the actual server or a person should be at my ISP to do such tricky things.

 

 

People even said that it might be because of the time setting in my computer that I am seeing changes in the sequence of the messages.

 

 

One month back I started texting on skype with this same - so called friend - and while typing I could see that my sequence of messages was getting altered. And even after I logged back in, I could see the changed sequence of messages.

 

 

Yes, a yahoo account is easy to get hold of, and this - so called friend - has had my skype password for a long time.

So, all in all, I feel this has something to do with my laptop rather than any server or ISP.

 

 

 

Could you please clarify this for me? That seems strange. What is "Established through cam"?

 

 

I don't know much about all this myself. It was this - so called friend - of mine who once tried telling me that a good hacker can hack via a webcam. :( So, in the last few weeks I figured out that I was hacked in Dec 2014 and all my suspicion was not wrong, since I am now understanding what all happened.

 

 

Okay, so I will run that command and follow your instructions to check my system.

 

Thank you.

 

 

NinjAzure



#12 NinjAzure

NinjAzure
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  •  

Posted 14 April 2016 - 03:25 PM

Okay Sirawit, so I ran sfc /scannow command thrice.

 

 

After the first run, the message was:

Windows Resource Protection found corrupt files and successfully repaired them.

Details are included in the CBS.Log

The system file repair changes will take effect after the next repair.

 

 

So, then I restarted my computer and ran the sfc /scannow command twice.

In these next two runs, the message was:

Windows Resource Protection did not find any integrity violations.

 

 

=================

 

 

After running the fix with FRST, only Attached File  Fixlog.txt   72.18KB   2 downloads was generated. There was no file named sfcdetails.txt.

 

 

=================

 

 

New FRST log files:

 

Attached File  FRST.txt   17.96KB   4 downloads Attached File  Addition.txt   21.66KB   3 downloads

 

 

=================

 

 

So, after this I tried attaching the CBS.Log file, but my computer denied access to it. Guess it changed after the reboot or it cannot be uploaded. Although you have not asked for this file, I was thinking maybe it might be a substitute for the sfcdetails.log file which I didn't find after the fix.

 

 

=================

 

 

I changed my fb password. Then I tried uploading a pic as my profile photo on my fb; I could change and control its visibility setting. But still, after changing my password, I have no control of the visibility settings on the posts after a post of April 5th. Also, what I have noticed is that it's me who can't see my shared posts as public when I set them as public and try to view my account through my account, but when I asked my friend to see how my profile looks, my friend could see the posts which I set public. This again tells me something is wrong with my laptop.

 

 

NinjAzure

#13 Sirawit

Sirawit

    Bleepin' Brony


  • Malware Response Team
  • 4,162 posts
  • Gender:Male
  • Location:Thailand

Posted 15 April 2016 - 12:41 PM

Hi NinjAzure.
 
Great, the last fix corrected the corrupted system files successfully.  :)
 
Now about your last reply:
 
 

I don't know much about all this myself. It was this so-called friend of mine who once tried telling me that a good hacker can hack via a webcam.   :(  So, I figured out in the last few weeks that I was hacked in Dec 2014, and all my suspicion was not wrong, since I am now understanding what all happened.

 
Yes, a hacker could hack and see images from your webcam, but hacking your computer "via" webcam seems to be nonsense. And that should be shown in our log files; since I couldn't find any evidence of that, we can conclude this didn't happen.
 
 

So, what used to happen is - I would see the sequence of text messages changed and certain "particular" messages getting deleted and then reappearing. What I was told when I tried asking how someone could do that is that a person needs to have access to the actual server, or a person should be at my ISP, to do such tricky things.

 
I found proxy settings on your computer and we already removed them. If that's the cause, changing your password after the settings were removed will hopefully have revoked the hacker's access. (If someone really hacked you.)

 

To be honest, I think this could be a syncing issue. Skype is known to do something like this.
 
 

So, after this I tried attaching the CBS.Log file, but my computer denied access to it. Guess it changed after the reboot, or it cannot be uploaded. Although you have not asked for this file, I was thinking maybe it might be a substitute for the sfcdetails.log file which I didn't find after the fix.

 
That's normal; CBS.log is restricted from normal user access.
 
Also, somehow FRST put the data which should be in sfcdetails.log inside Fixlog.txt instead, so you couldn't find it.
 

But still, after changing my password, I have no control over the visibility settings on the posts after a post of April 5th. Also, what I have noticed is that it's me who can't see my shared posts as public when I set them as public and try to view my account through my account, but when I asked my friend to see how my profile looks, my friend could see the posts which I set public. This again tells me something is wrong with my laptop.

 
After changing password, be sure to remove all current sessions as well.
Go here and select End all sessions.
 
I think you should contact Facebook support on this issue, since I cannot do anything to your Facebook account. And I don't think your laptop can change those settings either.
 
Link: https://www.facebook.com/help/
 
Now, please run these tools for me so that we can make sure there is no malware remaining on your computer.

 
----------------
 
Please download Malwarebytes Anti-Malware and save it to your desktop.

  • Double-click on the setup file (mbam-setup.exe), then click on Run to install.
  • Malwarebytes will automatically open to its Dashboard. If you have never run this version, you should see a red note at the top indicating "A scan has never been run on your system"
  • Click on Update Now to download the current database definitions, then click the Scan Now >> button.
  • If you have run this version before, you should see a green note at the top indicating "Your system is fully protected".
  • You will be prompted to update Malwarebytes...click on the Update Now button.
  • The THREAT SCAN will automatically begin.
  • When the scan has completed, the results will be displayed. Click on Quarantine All, then click on Apply Actions.
  • To complete any actions taken you will be prompted to restart your computer...click on Yes. Failure to reboot normally will prevent Malwarebytes from removing all the malware.
  • After rebooting the computer, copy and paste the mbam.log in your next reply.

To retrieve the Malwarebytes Anti-Malware 2.0 scan log information (Method 1)

  • Open Malwarebytes Anti-Malware.
  • Click the History Tab at the top and select Application Logs.
  • Select (check) the box next to Scan Log. Choose the most current scan.
  • Click the View button.
  • Click Copy to Clipboard at the bottom...come back to this thread, click Add Reply, then right-click and choose Paste.
  • Alternatively, you can click Export and save the log as a .txt file on your Desktop or another location.
  • Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.

To retrieve the Malwarebytes Anti-Malware 2.0 scan log information (Method 2)

  • Open Malwarebytes Anti-Malware.
  • Click the Scan Tab at the top.
  • Click the View detailed log link on the right.
  • Click Copy to Clipboard at the bottom...come back to this thread, click Add Reply, then right-click and choose Paste.
  • Alternatively, you can click Export and save the log as a .txt file on your Desktop or another location.
  • Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.

Logs are named by the date of scan in the following format: mbam-log-yyyy-mm-dd and automatically saved to the following locations:
-- Vista, Windows 7/8: C:\ProgramData\Malwarebytes\Malwarebytes Anti-Malware\Logs\mbam-log-yyyy-mm-dd

 
===============
 
Emsisoft Emergency Kit
 
Please download Emsisoft Emergency Kit and save it to your desktop. Double click on the EmsisoftEmergencyKit file you downloaded to extract its contents and create a shortcut on the desktop. Leave all settings as they are and click the Extract button at the bottom. A folder named EEK will be created in the root of the drive (usually C:\).

  • After extraction please double-click on the new Start Emsisoft Emergency Kit icon on your desktop.
  • The first time you launch it, Emsisoft Emergency Kit will recommend that you allow it to download updates. Please click Yes so that it downloads the latest database updates.
  • When update is complete, click Malware Scan. When asked if you want the scanner to scan for Potentially Unwanted Programs, click Yes. Emsisoft Emergency Kit will start scanning.
  • When the scan is completed click Quarantine selected objects. Note: this option is only available if malicious objects were detected during the scan.
  • When the threats have been quarantined, click the View report button in the lower-right corner, and the scan log will be opened in Notepad.
  • Please save the log in Notepad on your desktop and post the contents in your next reply.
  • When you close Emsisoft Emergency Kit, it will give you an option to sign up for a newsletter. This is optional, and is not necessary for the malware removal process.

==========
 
Be sure to include these log files with your next reply:

  • Malwarebytes log
  • Emsisoft Emergency Kit log

Thank you.


If I don't reply back to you in 2 days, feel free to send me a PM.

“You’re lying… just like you were lying to me before. You have to hate me. I’ve been the worst daughter in the world… you should hate me.”

“But I don’t, Nyx. Because, Nyx, I’m your mother, and a mother will always love her daughter, no matter what.” -Past sins by Pen stroke.
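The sfcdetails.txt that was missing after the fix above can be produced by hand from CBS.log, which is why the file is only readable from an elevated prompt. This is an added example, not code from the thread or from FRST; it assumes an elevated PowerShell prompt, the default CBS.log location, and the usual wording of SFC's "[SR]" entries, and it goes one step further than the thread by counting repaired versus unrepaired files.

```powershell
# Added example, not from the thread: pull the System File Checker entries out of
# CBS.log, which a standard user cannot read. Run from an elevated PowerShell prompt.
$cbsLog  = Join-Path $env:windir 'Logs\CBS\CBS.log'
$outFile = Join-Path $env:USERPROFILE 'Desktop\sfcdetails.txt'

if (-not (Test-Path $cbsLog)) {
    throw "CBS.log not found at $cbsLog (is this an elevated prompt on Windows?)"
}

# SFC tags its own entries with "[SR]"; -SimpleMatch keeps the brackets literal.
# This is the same filter as the documented findstr /c:"[SR]" approach.
$srLines = Select-String -Path $cbsLog -Pattern '[SR]' -SimpleMatch

# Write the filtered lines to the desktop so they can be attached to a reply.
$srLines | ForEach-Object { $_.Line } | Set-Content -Path $outFile -Encoding UTF8

# Summarise what SFC did. The two phrases are assumed from typical SFC log output:
# "Repairing corrupted file" for a successful repair, "Cannot repair member file"
# for a file SFC could not restore. Adjust them if your log uses different wording.
$repaired   = @($srLines | Where-Object { $_.Line -match 'Repairing corrupted file' }).Count
$unrepaired = @($srLines | Where-Object { $_.Line -match 'Cannot repair member file' }).Count

"[SR] lines written : $($srLines.Count) -> $outFile"
"Repaired           : $repaired"
"Could not repair   : $unrepaired"
```

A non-zero "Could not repair" count is the case worth attaching to a reply, since it means a system file is still in a state SFC could not fix.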


#14 NinjAzure

NinjAzure
  • Topic Starter

  • Members
  • 13 posts

Posted 15 April 2016 - 07:12 PM

Hi Sirawit,

Great, the last fix corrected the corrupted system files successfully.  :)

Probably, since I don't see WinShell under the startup tab in sys configuration.

Yes, a hacker could hack and see images from your webcam, but hacking your computer "via" webcam seems to be nonsense.

I really don't know much about all this and hence I am here. I tried looking up and I found some articles on what I want to say:

https://www.learn2crack.com/2013/06/hack-a-computer-only-with-just-a-ip-address-in-easy-steps.html

http://cerockers.blogspot.in/2012/02/hacking-any-pc-using-ip-address.html

And that should be shown in our log files; since I couldn't find any evidence of that, we can conclude this didn't happen.

As I came to know last week, my laptop was hacked in Dec 2014 when I cammed / was online on Skype with someone who happened to be associated with this - so called friend - of mine who is trying to monitor my laptop/fb and find me online in IRC channels.

Those were the days when anyone could find the IP address of any Skype user who was not using a proxy network or VPN - like me.

Now, one cannot find anyone's IP address. Thanks to Microsoft.

http://blogs.skype.com/2016/01/21/to-our-gamers-ip-will-now-be-hidden-by-default-in-latest-update/

Also, since I had my Windows installed this Jan, I don't think all these logs will be able to show what happened in Dec 2014.

If that's the cause, changing your password after the settings were removed will hopefully have revoked the hacker's access. (If someone really hacked you.)

I don't understand what you're trying to say here.

To be honest, I think this could be a syncing issue. Skype is known to do something like this.

Well, Skype can be acting like it has a syncing issue. The whole deal is that after my laptop got hacked in Dec 2014, which we can assume, since that is what this - so called friend - tried to tell me before I blocked this person, I had a Word document of some of my usernames and passwords, including Gmail and Yahoo and other places like Skype and forums. I know this is the most lame thing anybody can do with their account security, to keep a Word document in any folder on their PC. But, as I said, I suspected it the least that such a thing could happen to me, like any regular victim, and so now I understand this - so called friend - had access to whatever I was doing for one whole year.

And the changes in the sequence of text messages were happening not just on Skype but even on Yahoo Messenger.

But still, I don't understand how someone can track you in every IRC channel or any of your throwaway Reddit accounts?

I found myself tracked even when I was using the Tor browser, which changes your IP address. (In the last month or this month)

This makes me think it has something to do with my laptop.

After changing password, be sure to remove all current sessions as well.
Go here and select End all sessions.

YnOQMi6.jpg

As you can see, when I tried to go over to the link to end all login sessions, it's showing my location as unknown. Usually, I remember, an IP address or location name is shown.

In fact, I am logged into this forum via my fb. I just changed my fb password, but this visibility control issue hasn't been resolved.

To be honest, I haven't found any sort of unusual activity anywhere - although given the fact that this - so called friend - had access to many things.

Just this fb visibility of my shared posts which I can't see by myself, altering the sequence of the text messages, tracking me online and yes the cursor issue. All these issues are the same.

Anyways, I think it is beyond the reach of the tools which we used.

Seems that there were some PUPs after I ran Malwarebytes.

n2qTatd.jpg

So, here are the logs:

Attached: Malwarebytes log.txt (1.01KB)

Attached: Emsisoft Emergency Kit log.txt (868 bytes)

Thank you.

NinjAzure

#15 NinjAzure

NinjAzure
  • Topic Starter

  • Members
  • 13 posts

Posted 16 April 2016 - 06:39 AM

Update: After posting the above reply, I logged off my PC. Today, when I logged back in and tried running a Java software for my studies, I couldn't start the app/software; instead I got this message

Tioqz5X.jpg

I uninstalled and installed Java again. I am still getting the same message and I am not able to use the Java app.

I tried looking up "java web start 11.77.2.03-fcs" in Google search and I saw this link:

https://bugs.openjdk.java.net/browse/JDK-8152827

I have no idea what that meant or what it is.