
1-866-291-9960 Pop-Up Scam


22 replies to this topic

#1 ruasonidome


Posted 12 June 2016 - 05:55 AM

Just an average computer user.

 

I let someone I know borrow my laptop without being there personally; a pop-up showed up and convinced them to call the number in the title above in order to sort out a Microsoft "server compromising" issue, or something to that effect. I was told that full control of my laptop was given to the individual on the other line while they "diagnosed the issue", for who knows how long. It was only after fixes were proposed that would've cost hundreds of dollars that it occurred to my acquaintance that it was most likely a scam. I know for a fact that I was infected with malware before the connection was cut, for I did have a short instance of credit fraud that has since been resolved. This was all a few weeks back.

 

After I got my laptop's charger port functioning again, which was the main reason for my delay, I decided that a full factory reset wouldn't hurt since there wasn't really anything of personal value on the hard drive. Even so, I'm aware that if registry files have been altered, a factory reset isn't enough. After still seeing a couple of COM Surrogate tasks running in Task Manager after resetting (these are the same applications that were used to induce false computer performance issues in the first place), I am wary of using this laptop for any activity that might jeopardize my identity again. I'd like to check everything one last time so I don't have to waste any more energy due to paranoia.

 

(Also, I'm not fully aware if this is possible, but: since control was given to the individual on the other line, does this mean that they still have access to information through the router and anything still connected to it? Do I need to get my router replaced or checked?)

 

In any case, here's the log info. Thanks in advance!

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version:10-06-2016
Ran by Matthew (administrator) on IDEA-PC (12-06-2016 09:07:42)
Running from C:\Users\Matthew\Downloads
Loaded Profiles: UpdatusUser & Matthew (Available Profiles: UpdatusUser & Matthew)
Platform: Windows 8 (X64) Language: English (United States)
Internet Explorer Version 10 (Default browser: Chrome)
Boot Mode: Normal
 
==================== Processes (Whitelisted) =================
 
(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)
 
(NVIDIA Corporation) C:\Windows\System32\nvvsvc.exe
(NVIDIA Corporation) C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe
(NVIDIA Corporation) C:\Windows\System32\nvvsvc.exe
(Microsoft Corporation) C:\Windows\System32\wlanext.exe
(Intel® Corporation) C:\Program Files\Intel\WiFi\bin\EvtEng.exe
(Diskeeper Corporation) C:\Program Files\Diskeeper Corporation\ExpressCache\ExpressCache.exe
(Intel® Corporation) C:\Program Files\Intel\iCLS Client\HeciServer.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\DAL\Jhi_service.exe
(McAfee, Inc.) C:\Program Files\Common Files\mcafee\mcsvchost\McSvHost.exe
(McAfee, Inc.) C:\Windows\System32\mfevtps.exe
(Intel® Corporation) C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe
(Intel® Corporation) C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe
(McAfee, Inc.) C:\Program Files\Common Files\mcafee\systemcore\mfefire.exe
(Synaptics Incorporated) C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
(Microsoft Corporation) C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16.4.4406.1205_x64__8wekyb3d8bbwe\LiveComm.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\Display\nvtray.exe
(Synaptics Incorporated) C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe
(Synaptics) C:\Program Files\Synaptics\SynTP\SynLenovoGestureMgr.exe
(Motorola Solutions, Inc.) C:\Program Files (x86)\Intel\Bluetooth\devmonsrv.exe
(Microsoft Corporation) C:\Windows\System32\rundll32.exe
(Realtek semiconductor) C:\Windows\RTFTrack.exe
(Motorola Solutions, Inc.) C:\Program Files (x86)\Intel\Bluetooth\obexsrv.exe
(Lenovo) C:\Program Files\Lenovo\Onekey Theater\OnekeyStudio.exe
(Lenovo (Beijing) Limited) C:\Program Files (x86)\Lenovo\Energy Management\Energy Management.exe
(Lenovo(beijing) Limited) C:\Program Files (x86)\Lenovo\Energy Management\utility.exe
(McAfee, Inc.) C:\Program Files\mcafee.com\agent\mcagent.exe
(CyberLink) C:\Program Files (x86)\Lenovo\YouCam\YCMMirage.exe
(Microsoft Corporation) C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_6.2.9200.16384_none_622908ad510eb05b\TiWorker.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe
(Microsoft Corporation) C:\Windows10Upgrade\Windows10UpgraderApp.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\LMS\LMS.exe
(McAfee, Inc.) C:\Program Files\Common Files\mcafee\systemcore\mcshield.exe
(NVIDIA Corporation) C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe
(Microsoft Corporation) C:\Windows\System32\Taskmgr.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe
(Microsoft Corporation) C:\Windows\System32\msiexec.exe
(Microsoft Corporation) C:\$GetCurrent\media\setup.exe
(Microsoft Corporation) C:\$GetCurrent\media\sources\setupprep.exe
(Microsoft Corporation) C:\$WINDOWS.~BT\Sources\SetupHost.exe
 
 
==================== Registry (Whitelisted) ===========================
 
(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)
 
HKLM\...\Run: [RtHDVCpl] => C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe [13260944 2012-11-19] (Realtek Semiconductor)
HKLM\...\Run: [RtHDVBg_Dolby] => C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe [1253520 2012-11-19] (Realtek Semiconductor)
HKLM\...\Run: [SynLenovoGestureMgr] => C:\Program Files\Synaptics\SynTP\SynLenovoGestureMgr.exe [665400 2012-11-29] (Synaptics)
HKLM\...\Run: [BTMTrayAgent] => rundll32.exe "C:\Program Files (x86)\Intel\Bluetooth\btmshellex.dll",TrayApp
HKLM\...\Run: [RtsFT] => C:\WINDOWS\RTFTrack.exe [6346464 2012-12-21] (Realtek semiconductor)
HKLM\...\Run: [OnekeyStudio] => C:\Program Files\Lenovo\Onekey Theater\OnekeyStudio.exe [4196432 2012-08-10] (Lenovo)
HKLM\...\Run: [Energy Management] => C:\Program Files (x86)\Lenovo\Energy Management\Energy Management.exe [17080376 2013-04-15] (Lenovo (Beijing) Limited)
HKLM\...\Run: [EnergyUtility] => C:\Program Files (x86)\Lenovo\Energy Management\Utility.exe [191544 2013-04-15] (Lenovo(beijing) Limited)
HKLM-x32\...\Run: [IAStorIcon] => C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe [285240 2012-09-01] (Intel Corporation)
HKLM-x32\...\Run: [YouCam Mirage] => C:\Program Files (x86)\Lenovo\YouCam\YCMMirage.exe [136488 2012-07-27] (CyberLink)
HKLM-x32\...\Run: [YouCam Tray] => C:\Program Files (x86)\Lenovo\YouCam\YouCamTray.exe [167024 2012-07-27] (CyberLink Corp.)
HKLM-x32\...\Run: [RemoteControl10] => C:\Program Files (x86)\Lenovo\PowerDVD10\PDVD10Serv.exe [91432 2012-03-28] (CyberLink Corp.)
HKLM-x32\...\Run: [mcui_exe] => C:\Program Files\McAfee.com\Agent\mcagent.exe [1527896 2012-06-22] (McAfee, Inc.)
HKLM-x32\...\Run: [Intel AppUp(SM) center] => C:\Program Files (x86)\Intel\IntelAppStore\bin\ismagent.exe [155488 2012-07-12] (Intel Corporation)
HKLM\...\RunOnce: [!GetCurrentRollback] => C:\Windows10Upgrade\GetCurrentRollback.exe [73416 2016-06-06] (Microsoft Corporation)
HKU\S-1-5-21-2756909288-3414364554-1844949731-1002\Control Panel\Desktop\\SCRNSAVE.EXE -> C:\Windows\System32\ScreenSaver.scr [36864 2012-10-29] (Lenovo)
ShellIconOverlayIdentifiers: [SugarSyncBackedUp] -> {0C4A258A-3F3B-4FFF-80A7-9B3BEC139472} => C:\Program Files (x86)\SugarSync\SugarSyncShellExt_x64.dll No File
ShellIconOverlayIdentifiers: [SugarSyncPending] -> {62CCD8E3-9C21-41E1-B55E-1E26DFC68511} => C:\Program Files (x86)\SugarSync\SugarSyncShellExt_x64.dll No File
ShellIconOverlayIdentifiers: [SugarSyncRoot] -> {A759AFF6-5851-457D-A540-F4ECED148351} => C:\Program Files (x86)\SugarSync\SugarSyncShellExt_x64.dll No File
ShellIconOverlayIdentifiers: [SugarSyncShared] -> {1574C9EF-7D58-488F-B358-8B78C1538F51} => C:\Program Files (x86)\SugarSync\SugarSyncShellExt_x64.dll No File
 
==================== Internet (Whitelisted) ====================
 
(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)
 
Tcpip\Parameters: [DhcpNameServer] 192.168.1.1
Tcpip\..\Interfaces\{A7BEA028-4E41-4ED0-8C11-4490DCF6A8D6}: [DhcpNameServer] 150.201.1.2
Tcpip\..\Interfaces\{D4A3F5A5-E2A0-4657-BAC4-57953CD3DCFF}: [DhcpNameServer] 192.168.1.1
 
Internet Explorer:
==================
HKU\S-1-5-21-2756909288-3414364554-1844949731-1002\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://lenovo13.msn.com
HKU\S-1-5-21-2756909288-3414364554-1844949731-1002\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://lenovo13.msn.com
HKU\S-1-5-21-2756909288-3414364554-1844949731-1002\Software\Microsoft\Internet Explorer\Main,Secondary Start Pages = hxxp://home.lenovo.com
HKU\S-1-5-21-2756909288-3414364554-1844949731-1002\Software\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL = hxxp://home.lenovo.com
SearchScopes: HKU\S-1-5-21-2756909288-3414364554-1844949731-1002 -> DefaultScope {FC595BEC-CAAD-46FC-BBB5-3564A86D82E8} URL = 
DPF: HKLM-x32 {4FF78044-96B4-4312-A5B7-FDA3CB328095} 
Filter: application/x-mfe-ipt - {3EF5086B-5478-4598-A054-786C45D75692} - c:\Program Files\mcafee\msc\McSnIePl64.dll [2012-05-13] (McAfee, Inc.)
Filter-x32: application/x-mfe-ipt - {3EF5086B-5478-4598-A054-786C45D75692} - c:\Program Files (x86)\McAfee\msc\McSnIePl.dll [2012-05-13] (McAfee, Inc.)
 
FireFox:
========
FF Plugin: @mcafee.com/MSC,version=10 -> c:\PROGRA~1\mcafee\msc\NPMCSN~1.DLL [2012-05-13] ()
FF Plugin-x32: @intel-webapi.intel.com/Intel WebAPI ipt;version=2.1.42 -> C:\Program Files (x86)\Intel\Intel® Management Engine Components\IPT\npIntelWebAPIIPT.dll [2012-06-06] (Intel Corporation)
FF Plugin-x32: @intel-webapi.intel.com/Intel WebAPI updater -> C:\Program Files (x86)\Intel\Intel® Management Engine Components\IPT\npIntelWebAPIUpdater.dll [2012-06-06] (Intel Corporation)
FF Plugin-x32: @mcafee.com/MSC,version=10 -> c:\progra~2\mcafee\msc\npmcsn~1.dll [2012-05-13] ()
FF Plugin-x32: @nvidia.com/3DVision -> C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dv.dll [2013-02-14] (NVIDIA Corporation)
FF Plugin-x32: @nvidia.com/3DVisionStreaming -> C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dvstreaming.dll [2013-02-14] (NVIDIA Corporation)
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.30.3\npGoogleUpdate3.dll [2016-06-12] (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.30.3\npGoogleUpdate3.dll [2016-06-12] (Google Inc.)
FF HKLM-x32\...\Thunderbird\Extensions: [msktbird@mcafee.com] - C:\Program Files\McAfee\MSK
FF Extension: McAfee Anti-Spam Thunderbird Extension - C:\Program Files\McAfee\MSK [2016-06-11] [not signed]
 
Chrome: 
=======
CHR Profile: C:\Users\Matthew\AppData\Local\Google\Chrome\User Data\Default
CHR Extension: (Google Slides) - C:\Users\Matthew\AppData\Local\Google\Chrome\User Data\Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek [2016-06-12]
CHR Extension: (Google Docs) - C:\Users\Matthew\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake [2016-06-12]
CHR Extension: (Google Drive) - C:\Users\Matthew\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2016-06-12]
CHR Extension: (YouTube) - C:\Users\Matthew\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2016-06-12]
CHR Extension: (Google Sheets) - C:\Users\Matthew\AppData\Local\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap [2016-06-12]
CHR Extension: (Google Docs Offline) - C:\Users\Matthew\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi [2016-06-12]
CHR Extension: (Chrome Web Store Payments) - C:\Users\Matthew\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2016-06-12]
CHR Extension: (Gmail) - C:\Users\Matthew\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2016-06-12]
 
==================== Services (Whitelisted) ========================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
R2 ExpressCache; C:\Program Files\Diskeeper Corporation\ExpressCache\ExpressCache.exe [79664 2012-03-30] (Diskeeper Corporation)
R2 jhi_service; C:\Program Files (x86)\Intel\Intel® Management Engine Components\DAL\jhi_service.exe [166720 2012-06-25] (Intel Corporation)
S3 McAWFwk; c:\Program Files\mcafee\msc\McAWFwk.exe [332080 2012-01-26] (McAfee, Inc.)
R2 McMPFSvc; C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe [200728 2012-05-11] (McAfee, Inc.)
R2 mcmscsvc; C:\Program Files\Common Files\mcafee\McSvcHost\McSvHost.exe [200728 2012-05-11] (McAfee, Inc.)
R2 McNaiAnn; C:\Program Files\Common Files\mcafee\McSvcHost\McSvHost.exe [200728 2012-05-11] (McAfee, Inc.)
R2 McNASvc; C:\Program Files\Common Files\mcafee\McSvcHost\McSvHost.exe [200728 2012-05-11] (McAfee, Inc.)
S3 McODS; C:\Program Files\mcafee\VirusScan\mcods.exe [383608 2012-05-22] (McAfee, Inc.)
S4 McOobeSv; C:\Program Files\Common Files\mcafee\McSvcHost\McSvHost.exe [200728 2012-05-11] (McAfee, Inc.)
R2 McProxy; C:\Program Files\Common Files\mcafee\McSvcHost\McSvHost.exe [200728 2012-05-11] (McAfee, Inc.)
R2 McShield; C:\Program Files\Common Files\McAfee\SystemCore\\mcshield.exe [237920 2012-06-22] (McAfee, Inc.)
R2 mfefire; C:\Program Files\Common Files\McAfee\SystemCore\\mfefire.exe [218320 2012-06-22] (McAfee, Inc.)
R2 mfevtp; C:\windows\system32\mfevtps.exe [177144 2012-06-22] (McAfee, Inc.)
R2 MSK80Service; C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe [200728 2012-05-11] (McAfee, Inc.)
S3 MyWiFiDHCPDNS; C:\Program Files\Intel\WiFi\bin\PanDhcpDns.exe [273136 2013-08-28] ()
S3 WinDefend; C:\Program Files\Windows Defender\MsMpEng.exe [15440 2012-07-25] (Microsoft Corporation)
R2 ZeroConfigService; C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe [3378416 2013-08-28] (Intel® Corporation)
 
===================== Drivers (Whitelisted) ==========================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
S3 btmaux; C:\Windows\system32\DRIVERS\btmaux.sys [132480 2012-10-01] (Motorola Solutions, Inc.)
S3 btmhsf; C:\Windows\system32\DRIVERS\btmhsf.sys [1337216 2012-10-01] (Motorola Solutions, Inc.)
R3 cfwids; C:\Windows\System32\drivers\cfwids.sys [69672 2012-06-22] (McAfee, Inc.)
S0 ebdrv; C:\Windows\System32\drivers\evbda.sys [3265256 2012-09-20] (Broadcom Corporation)
R1 excfs; C:\Windows\System32\DRIVERS\excfs.sys [23344 2012-03-30] (Diskeeper Corporation)
R0 excsd; C:\Windows\System32\DRIVERS\excsd.sys [95024 2012-03-30] (Diskeeper Corporation)
S3 HipShieldK; C:\Windows\System32\drivers\HipShieldK.sys [196440 2012-04-20] (McAfee, Inc.)
R3 mfeapfk; C:\Windows\System32\drivers\mfeapfk.sys [169320 2012-06-22] (McAfee, Inc.)
R3 mfeavfk; C:\Windows\System32\drivers\mfeavfk.sys [300392 2012-06-22] (McAfee, Inc.)
U3 mfeavfk01; no ImagePath
S0 mfeelamk; C:\Windows\System32\drivers\mfeelamk.sys [66712 2012-06-18] (McAfee, Inc.)
R3 mfefirek; C:\Windows\System32\drivers\mfefirek.sys [513456 2012-06-22] (McAfee, Inc.)
R0 mfehidk; C:\Windows\System32\drivers\mfehidk.sys [752672 2012-06-22] (McAfee, Inc.)
S3 mferkdet; C:\Windows\System32\drivers\mferkdet.sys [106112 2012-06-22] (McAfee, Inc.)
R0 mfewfpk; C:\Windows\System32\drivers\mfewfpk.sys [335784 2012-06-22] (McAfee, Inc.)
R3 NETwNe64; C:\Windows\system32\DRIVERS\NETwew00.sys [3345376 2013-10-08] (Intel Corporation)
R3 rtsuvc; C:\Windows\system32\DRIVERS\rtsuvc.sys [8236512 2012-12-21] (Realtek Semiconductor Corp.)
R3 SmbDrvI; C:\Windows\system32\DRIVERS\Smb_driver_Intel.sys [31032 2012-11-29] (Synaptics Incorporated)
S3 WdBoot; C:\Windows\system32\drivers\WdBoot.sys [34216 2012-07-26] (Microsoft Corporation)
S3 WdFilter; C:\Windows\system32\drivers\WdFilter.sys [258288 2012-07-26] (Microsoft Corporation)
S3 wsvd; C:\Windows\system32\DRIVERS\wsvd.sys [102376 2012-06-13] ("CyberLink)
 
==================== NetSvcs (Whitelisted) ===================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
 
==================== One Month Created files and folders ========
 
(If an entry is included in the fixlist, the file/folder will be moved.)
 
2016-06-12 09:07 - 2016-06-12 09:08 - 00016111 _____ C:\Users\Matthew\Downloads\FRST.txt
2016-06-12 09:06 - 2016-06-12 09:07 - 00000000 ____D C:\FRST
2016-06-12 09:06 - 2016-06-12 09:06 - 02385408 _____ (Farbar) C:\Users\Matthew\Downloads\FRST64.exe
2016-06-12 09:06 - 2016-06-12 09:06 - 00001890 _____ C:\WINDOWS\diagwrn.xml
2016-06-12 09:06 - 2016-06-12 09:06 - 00001890 _____ C:\WINDOWS\diagerr.xml
2016-06-12 09:06 - 2016-06-12 09:06 - 00000000 ___HD C:\$WINDOWS.~BT
2016-06-12 09:02 - 2016-06-12 09:06 - 00000036 _____ C:\WINDOWS\progress.ini
2016-06-12 08:49 - 2016-06-12 09:03 - 00000922 _____ C:\WINDOWS\Tasks\GoogleUpdateTaskMachineUA.job
2016-06-12 08:49 - 2016-06-12 09:03 - 00000918 _____ C:\WINDOWS\Tasks\GoogleUpdateTaskMachineCore.job
2016-06-12 08:49 - 2016-06-12 08:58 - 00003894 _____ C:\WINDOWS\System32\Tasks\GoogleUpdateTaskMachineUA
2016-06-12 08:49 - 2016-06-12 08:58 - 00003658 _____ C:\WINDOWS\System32\Tasks\GoogleUpdateTaskMachineCore
2016-06-12 08:49 - 2016-06-12 08:49 - 00002282 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome.lnk
2016-06-12 08:49 - 2016-06-12 08:49 - 00002270 _____ C:\Users\Public\Desktop\Google Chrome.lnk
2016-06-12 08:49 - 2016-06-12 08:49 - 00000000 ____D C:\Users\Matthew\AppData\Local\Google
2016-06-12 08:49 - 2016-06-12 08:49 - 00000000 ____D C:\Program Files (x86)\Google
2016-06-12 08:47 - 2016-06-12 08:47 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\McAfee
2016-06-12 08:46 - 2016-06-12 08:48 - 00000000 ____D C:\Users\Matthew\AppData\Local\Deployment
2016-06-12 08:46 - 2016-06-12 08:46 - 00000000 ____D C:\Users\Matthew\AppData\Local\Apps\2.0
2016-06-12 08:44 - 2016-06-12 08:59 - 00000000 ___HD C:\$GetCurrent
2016-06-12 08:44 - 2016-06-12 08:58 - 00000000 ____D C:\Windows10Upgrade
2016-06-12 08:44 - 2016-06-12 08:44 - 00000705 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows 10 Upgrade Assistant.lnk
2016-06-12 08:44 - 2016-06-12 08:44 - 00000693 _____ C:\Users\Matthew\Desktop\Windows 10 Upgrade Assistant.lnk
2016-06-11 13:29 - 2016-06-11 13:34 - 00000000 ____D C:\WINDOWS\system32\MRT
2016-06-11 13:29 - 2016-06-11 13:29 - 139319312 _____ (Microsoft Corporation) C:\WINDOWS\system32\MRT.exe
2016-06-11 13:28 - 2015-10-01 09:10 - 00869568 _____ (Microsoft Corporation) C:\WINDOWS\system32\msvcr120_clr0400.dll
2016-06-11 13:28 - 2015-10-01 09:09 - 00875720 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\msvcr120_clr0400.dll
2016-06-11 13:26 - 2014-06-10 18:44 - 00035480 _____ (Microsoft Corporation) C:\WINDOWS\system32\TsWpfWrp.exe
2016-06-11 13:26 - 2014-06-10 18:43 - 00035480 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\TsWpfWrp.exe
2016-06-11 13:20 - 2016-06-11 13:20 - 00000000 ____D C:\Users\Matthew\AppData\Roaming\Macromedia
2016-06-11 12:51 - 2016-06-11 12:51 - 00000000 _____ C:\Recovery.txt
2016-06-11 12:45 - 2016-06-11 12:46 - 00000000 ____D C:\Users\ADMINI~1
2016-06-11 12:45 - 2016-06-11 12:45 - 00000000 ___RD C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Intel PROSet Wireless
2016-06-11 12:45 - 2016-06-11 12:45 - 00000000 ____D C:\Program Files\Common Files\Intel
2016-06-11 12:45 - 2016-06-11 12:45 - 00000000 ____D C:\Program Files (x86)\Cisco
2016-06-11 12:44 - 2016-06-11 12:44 - 00000000 ____D C:\ProgramData\Package Cache
2016-06-11 12:35 - 2016-06-12 08:48 - 00003598 _____ C:\WINDOWS\System32\Tasks\Optimize Start Menu Cache Files-S-1-5-21-2756909288-3414364554-1844949731-1002
2016-06-11 12:31 - 2016-06-11 12:31 - 00000000 ____D C:\Users\Matthew\AppData\Roaming\Intel Corporation
2016-06-11 12:29 - 2016-06-11 12:29 - 00001445 _____ C:\Users\Matthew\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer.lnk
2016-06-11 12:29 - 2016-06-11 12:29 - 00000000 ____D C:\Users\Matthew\AppData\Roaming\Adobe
2016-06-11 12:29 - 2016-06-11 12:29 - 00000000 ____D C:\ProgramData\eBay
2016-06-11 12:28 - 2016-06-11 12:59 - 00000000 ____D C:\Users\Matthew\AppData\Local\Packages
2016-06-11 12:28 - 2016-06-11 12:29 - 00000000 ____D C:\Users\Matthew
2016-06-11 12:28 - 2016-06-11 12:28 - 00000020 ___SH C:\Users\Matthew\ntuser.ini
2016-06-11 12:28 - 2016-06-11 12:28 - 00000000 _SHDL C:\Users\Matthew\My Documents
2016-06-11 12:28 - 2016-06-11 12:28 - 00000000 _SHDL C:\Users\Matthew\Documents\My Videos
2016-06-11 12:28 - 2016-06-11 12:28 - 00000000 _SHDL C:\Users\Matthew\Documents\My Pictures
2016-06-11 12:28 - 2016-06-11 12:28 - 00000000 _SHDL C:\Users\Matthew\Documents\My Music
2016-06-11 12:28 - 2016-06-11 12:28 - 00000000 ____D C:\Users\Matthew\AppData\Roaming\Intel
2016-06-11 12:28 - 2016-06-11 12:28 - 00000000 ____D C:\Users\Matthew\AppData\Local\VirtualStore
2016-06-11 12:24 - 2016-06-11 12:24 - 00000000 __RHD C:\Users\Public\AccountPictures
2016-06-11 12:22 - 2016-06-11 12:23 - 00564122 _____ C:\WINDOWS\ntbtlog.txt
 
==================== One Month Modified files and folders ========
 
(If an entry is included in the fixlist, the file/folder will be moved.)
 
2016-06-12 09:08 - 2012-07-26 03:59 - 00000000 ____D C:\WINDOWS\CbsTemp
2016-06-12 09:06 - 2012-10-09 20:08 - 00000000 ____D C:\WINDOWS\Panther
2016-06-12 08:49 - 2012-07-26 03:28 - 00850046 _____ C:\WINDOWS\system32\PerfStringBackup.INI
2016-06-12 08:49 - 2012-07-26 01:37 - 00000000 ____D C:\WINDOWS\Inf
2016-06-12 08:48 - 2012-07-26 01:26 - 00262144 ___SH C:\WINDOWS\system32\config\ELAM
2016-06-12 08:47 - 2013-04-15 21:54 - 00000000 ____D C:\WINDOWS\System32\Tasks\Lenovo
2016-06-12 08:42 - 2013-04-15 21:16 - 00000000 ____D C:\ProgramData\NVIDIA
2016-06-12 08:42 - 2012-07-26 03:22 - 00000006 ____H C:\WINDOWS\Tasks\SA.DAT
2016-06-11 14:02 - 2012-07-26 04:12 - 00000000 ____D C:\WINDOWS\rescache
2016-06-11 13:35 - 2013-04-15 21:53 - 00000000 ____D C:\Program Files (x86)\McAfee
2016-06-11 13:35 - 2013-04-15 21:21 - 00281088 _____ C:\WINDOWS\system32\FNTCACHE.DAT
2016-06-11 13:34 - 2012-07-26 01:26 - 00262144 ___SH C:\WINDOWS\system32\config\BBI
2016-06-11 13:20 - 2013-04-15 21:53 - 00000000 ____D C:\ProgramData\McAfee
2016-06-11 12:59 - 2012-07-26 04:12 - 00000000 ____D C:\WINDOWS\AUInstallAgent
2016-06-11 12:51 - 2012-07-26 04:13 - 00262144 _____ C:\WINDOWS\system32\config\BCD-Template
2016-06-11 12:47 - 2013-04-15 21:46 - 00000000 ____D C:\Program Files (x86)\Lenovo
2016-06-11 12:47 - 2013-04-15 21:12 - 00000000 ___HD C:\Program Files (x86)\InstallShield Installation Information
2016-06-11 12:46 - 2013-04-15 21:15 - 00000000 ____D C:\ProgramData\Intel
2016-06-11 12:45 - 2013-04-15 21:25 - 00000000 ____D C:\ProgramData\Intel.sav
2016-06-11 12:45 - 2013-04-15 21:14 - 00000000 ____D C:\Program Files\Intel
2016-06-11 12:45 - 2013-04-15 21:09 - 00000000 ____D C:\Program Files (x86)\Intel
2016-06-11 12:45 - 2012-07-26 04:12 - 00000000 ___SD C:\WINDOWS\Downloaded Program Files
2016-06-11 12:28 - 2012-07-26 04:12 - 00000000 ___RD C:\WINDOWS\ImmersiveControlPanel
2016-06-11 12:28 - 2012-07-26 04:12 - 00000000 ____D C:\WINDOWS\WinStore
 
==================== Files in the root of some directories =======
 
2013-04-15 21:52 - 2013-04-15 21:52 - 0000000 ____H () C:\ProgramData\DP45977C.lfl
2013-04-15 21:54 - 2013-04-15 21:54 - 0000198 ____H () C:\ProgramData\Lenovo-30821.vbs
 
==================== Bamital & volsnap =================
 
(There is no automatic fix for files that do not pass verification.)
 
C:\WINDOWS\system32\winlogon.exe => File is digitally signed
C:\WINDOWS\system32\wininit.exe => File is digitally signed
C:\WINDOWS\explorer.exe => File is digitally signed
C:\WINDOWS\SysWOW64\explorer.exe => File is digitally signed
C:\WINDOWS\system32\svchost.exe => File is digitally signed
C:\WINDOWS\SysWOW64\svchost.exe => File is digitally signed
C:\WINDOWS\system32\services.exe => File is digitally signed
C:\WINDOWS\system32\User32.dll => File is digitally signed
C:\WINDOWS\SysWOW64\User32.dll => File is digitally signed
C:\WINDOWS\system32\userinit.exe => File is digitally signed
C:\WINDOWS\SysWOW64\userinit.exe => File is digitally signed
C:\WINDOWS\system32\rpcss.dll => File is digitally signed
C:\WINDOWS\system32\dnsapi.dll => File is digitally signed
C:\WINDOWS\SysWOW64\dnsapi.dll => File is digitally signed
C:\WINDOWS\system32\Drivers\volsnap.sys => File is digitally signed
 
 
LastRegBack: 2012-10-09 19:08
 
==================== End of FRST.txt ============================

#2 olgun52

  • Malware Response Team

Posted 12 June 2016 - 06:37 PM

Hello ruasonidome, and welcome to BleepingComputer.
My name is Yılmaz and I'll help you with the cleanup of malware from your computer.

Before we move on, please read the following points carefully.

  • Please complete all steps in the specified order.
  • Even if tools don't find malware, I want you to post the logfiles anyway.
  • Please copy and paste the logfiles directly into your posts. Please do not attach them unless you are instructed to do so.
  • Read the instructions carefully. If you have problems, stop what you were doing and describe the problems you encountered as precisely as you can.
  • Don't install or uninstall software during the cleanup unless you are told to do so.
  • Ensure your external and/or USB drives are always inserted during the scan.
  • If you can't answer for the next few days, please let me know. If you haven't answered within 5 days, I will assume that you don't need help anymore and your topic will be closed.
  • If you have illegal/cracked software, cracks, keygens, etc. on the system, please remove or uninstall them now!
  • I can not guarantee that we will find and be able to remove all malware. The cleaning process is not instant. Please continue to review my answers until I tell you that your computer is clean.
  • Please reply to this thread. Do not start a new topic.
  • As my first language is not English, please do not use slang or idioms. It could be hard for me to understand.
  • Please open the computer as administrator. How do I open the computer as administrator?
  • Disable your AntiVirus and AntiSpyware applications, as they will interfere with our tools and the removal. If you are unsure how to do this, please see the help here.

Thanks
  
I am currently reviewing your log. I will be back with a fix for your problem as soon as possible. Please be patient with me during this time.
 
Sincerely


Best regards
 
If you wish to show appreciation and support me personally fighting against malware, then you can consider a donation. Thank you. :thumbup2:
Malware fix forum
If I don't reply within 24 hours please PM me!

 


 


#3 olgun52

  • Malware Response Team

Posted 12 June 2016 - 07:37 PM

Hi ruasonidome,

Windows Firewall is enabled.
McAfee Firewall (Enabled)

Multiple Firewall Programs installed!
I do not recommend that you have more than one anti-virus product installed and running on your computer at a time.
It can also lead to a clash as both products fight for access to files that are opened; again, this is the resident/automatic protection. In general terms, the two programs may conflict and cause problems. Firewall programs take up an enormous amount of your computer's resources when they are actively scanning your computer. Having two firewall programs running at the same time can cause your computer to run very slow, become unstable and even, in rare cases, crash.
======================================================================================

Run FRST fixlist

  • Please open notepad (Start > All Programs > Accessories > Notepad)
  • Copy the entire contents of the code box below (Do not copy the word 'code') to Notepad.
  • Save it to the Desktop, and name it: fixlist.txt
ShellIconOverlayIdentifiers: [SugarSyncBackedUp] -> {0C4A258A-3F3B-4FFF-80A7-9B3BEC139472} => C:\Program Files (x86)\SugarSync\SugarSyncShellExt_x64.dll No File
ShellIconOverlayIdentifiers: [SugarSyncPending] -> {62CCD8E3-9C21-41E1-B55E-1E26DFC68511} => C:\Program Files (x86)\SugarSync\SugarSyncShellExt_x64.dll No File
ShellIconOverlayIdentifiers: [SugarSyncRoot] -> {A759AFF6-5851-457D-A540-F4ECED148351} => C:\Program Files (x86)\SugarSync\SugarSyncShellExt_x64.dll No File
ShellIconOverlayIdentifiers: [SugarSyncShared] -> {1574C9EF-7D58-488F-B358-8B78C1538F51} => C:\Program Files (x86)\SugarSync\SugarSyncShellExt_x64.dll No File
U3 mfeavfk01; no ImagePath
C:\ProgramData\DP45977C.lfl

NOTICE: This script is written specifically for this computer!!!

  • Running this on another computer may cause damage to the Operating System.
  • Now, please run FRST, and press the Fix button, just once, and wait.
  • When done, the tool creates a report on the Desktop called: Fixlog.txt

>> Please post the Fixlog.txt in your reply.

============================================================================

Scan with Malwarebytes Antimalware:

Please download Malwarebytes Anti-Malware to your desktop.

  • Double-click the downloaded setup file and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to the following:
  • Launch Malwarebytes Anti-Malware
  • A 14 day trial of the Premium features is pre-selected. You may deselect this if you wish, and it will not diminish the scanning and removal capabilities of the program.
  • Click Finish.

If the program is already installed:

  • Run Malwarebytes Antimalware
  • On the Dashboard, click the 'Update Now >>' link
  • After the update completes, click the 'Scan Now >>' button.
  • Or, on the Dashboard, click the Scan Now >> button.
  • If an update is available, click the Update Now button.
  • A Threat Scan will begin.
  • When the scan is complete, if there have been detections, click Apply Actions to allow MBAM to clean what was detected.
  • In most cases, a restart will be required.
  • Wait for the prompt to restart the computer to appear, then click on Yes.
  • After the restart once you are back at your desktop, open MBAM once more.
  • Click on the History tab > Application Logs.
  • Double click on the scan log which shows the Date and time of the scan just performed.
  • Click 'Copy to Clipboard'
  • Paste the contents of the clipboard into your reply

Next >>>

  • Click on the HISTORY tab > APPLICATION LOGS.
  • Double-click on the SCAN LOG which shows the date and time of the scan just performed (or the one you are asked to post), OR on the PROTECTION LOG showing the detection you are reporting (or the one that you are asked to post).
  • Click EXPORT.
  • Click TEXT FILE (*.txt)
  • In the "Save File" dialog box which appears, click on DESKTOP.
  • In the FILE NAME box, type a name for your scan log.
  • A message box named "File Saved" should appear, stating that "Your file has been successfully exported".
  • Click OK.
  • Please attach the saved log to your next reply here in this thread.

 


Best regards
 
If you wish to show appreciation and support me personally fighting against malware, then you can consider a donation. Thank you. :thumbup2:
Malware fix forum
If I don't reply within 24 hours please PM me!

 


 


#4 ruasonidome (Topic Starter, Members)

Posted 13 June 2016 - 12:01 AM

Thank you for your quick response, olgun52!
 
Before I did anything from your post, I uninstalled McAfee's firewall program from my computer. It was bloatware reinstalled during the factory reset anyway.
 
After this, I created the Fixlog file and saved it to my Desktop. I moved the FRST64 program from my Downloads folder to my Desktop as well. I ran FRST, but before I hit the Fix button it updated itself and put the older version of FRST in a separate Desktop folder labeled "FRST-OlderVersion".
 
Once I hit the Fix button, FRST gave a dialogue window saying that it needed to restart my computer to perform the fix; however, Windows apparently also updated itself during the restart. There don't seem to be any issues from the update, though. (It is also possible that the entire update process was just FRST running the file commands. I don't know.)
 
Here is what was on the Fixlog.txt file after the reboot:
 
 
 
Fix result of Farbar Recovery Scan Tool (x64) Version:12-06-2016 01
Ran by Matthew (2016-06-13 00:02:08) Run:1
Running from C:\Users\Matthew\Desktop
Loaded Profiles: UpdatusUser & Matthew (Available Profiles: UpdatusUser & Matthew)
Boot Mode: Normal
==============================================
 
fixlist content:
*****************
ShellIconOverlayIdentifiers: [SugarSyncBackedUp] -> {0C4A258A-3F3B-4FFF-80A7-9B3BEC139472} => C:\Program Files (x86)\SugarSync\SugarSyncShellExt_x64.dll No File
ShellIconOverlayIdentifiers: [SugarSyncPending] -> {62CCD8E3-9C21-41E1-B55E-1E26DFC68511} => C:\Program Files (x86)\SugarSync\SugarSyncShellExt_x64.dll No File
ShellIconOverlayIdentifiers: [SugarSyncRoot] -> {A759AFF6-5851-457D-A540-F4ECED148351} => C:\Program Files (x86)\SugarSync\SugarSyncShellExt_x64.dll No File
ShellIconOverlayIdentifiers: [SugarSyncShared] -> {1574C9EF-7D58-488F-B358-8B78C1538F51} => C:\Program Files (x86)\SugarSync\SugarSyncShellExt_x64.dll No File
U3 mfeavfk01; no ImagePath
C:\ProgramData\DP45977C.lfl
*****************
 
"HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\SugarSyncBackedUp" => key removed successfully
"HKCR\CLSID\{0C4A258A-3F3B-4FFF-80A7-9B3BEC139472}" => key removed successfully
"HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\SugarSyncPending" => key removed successfully
"HKCR\CLSID\{62CCD8E3-9C21-41E1-B55E-1E26DFC68511}" => key removed successfully
"HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\SugarSyncRoot" => key removed successfully
"HKCR\CLSID\{A759AFF6-5851-457D-A540-F4ECED148351}" => key removed successfully
"HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\SugarSyncShared" => key removed successfully
"HKCR\CLSID\{1574C9EF-7D58-488F-B358-8B78C1538F51}" => key removed successfully
mfeavfk01 => service removed successfully
Could not move "C:\ProgramData\DP45977C.lfl" => Scheduled to move on reboot.
 
Result of scheduled files to move (Boot Mode: Normal) (Date&Time: 2016-06-13 00:20:48)
 
C:\ProgramData\DP45977C.lfl => Is moved successfully
 
==== End of Fixlog 00:20:48 ====
 
 
 
After downloading MBAM, I disabled Windows Firewall and had everything installed into a new folder labeled "Malwarebytes" on the Desktop, instead of the Program Files (x86) folder.
 
Malwarebytes is now running. I tried to update the software from the Dashboard, but after it searched for an update, it said there are no updates available. The current version is "v2016.06.13.01".
 
After hitting "Scan", no issues were found and no restart prompt appeared. Here is the scan log:
 
 
 
Malwarebytes Anti-Malware
www.malwarebytes.org
 
Scan Date: 6/13/2016
Scan Time: 12:46 AM
Logfile: 
Administrator: Yes
 
Version: 2.2.1.1043
Malware Database: v2016.06.13.01
Rootkit Database: v2016.05.27.01
License: Trial
Malware Protection: Enabled
Malicious Website Protection: Enabled
Self-protection: Disabled
 
OS: Windows 8
CPU: x64
File System: NTFS
User: Matthew
 
Scan Type: Threat Scan
Result: Completed
Objects Scanned: 321857
Time Elapsed: 3 min, 25 sec
 
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled
 
Processes: 0
(No malicious items detected)
 
Modules: 0
(No malicious items detected)
 
Registry Keys: 0
(No malicious items detected)
 
Registry Values: 0
(No malicious items detected)
 
Registry Data: 0
(No malicious items detected)
 
Folders: 0
(No malicious items detected)
 
Files: 0
(No malicious items detected)
 
Physical Sectors: 0
(No malicious items detected)
 
 
(end)

 




#5 olgun52 (Malware Response Team)

Posted 13 June 2016 - 07:16 PM

Hi again,

Thank you for the detailed information.

I don't see the PROTECTION LOG. Please post it. I guess you forgot.


Best regards
 

 


 


#6 ruasonidome (Topic Starter, Members)

Posted 13 June 2016 - 09:41 PM

Sorry, I thought I was only required to post the scan log. Here's the protection log:

 

Malwarebytes Anti-Malware
www.malwarebytes.org
 
 
Error, 6/13/2016 12:37 AM, SYSTEM, IDEA-PC, Protection, ServiceCanRun, 13, 
Protection, 6/13/2016 12:37 AM, SYSTEM, IDEA-PC, Protection, Malware Protection, Stopping, 
Protection, 6/13/2016 12:37 AM, SYSTEM, IDEA-PC, Protection, Malware Protection, Stopped, 
Protection, 6/13/2016 12:37 AM, SYSTEM, IDEA-PC, Protection, Malware Protection, Starting, 
Protection, 6/13/2016 12:37 AM, SYSTEM, IDEA-PC, Protection, Malware Protection, Started, 
Protection, 6/13/2016 12:37 AM, SYSTEM, IDEA-PC, Protection, Malicious Website Protection, Starting, 
Protection, 6/13/2016 12:37 AM, SYSTEM, IDEA-PC, Protection, Malicious Website Protection, Started, 
Update, 6/13/2016 12:38 AM, SYSTEM, IDEA-PC, Manual, Remediation Database, 2016.2.12.1, 2016.5.25.1, 
Update, 6/13/2016 12:38 AM, SYSTEM, IDEA-PC, Manual, Rootkit Database, 2016.2.8.1, 2016.5.27.1, 
Update, 6/13/2016 12:38 AM, SYSTEM, IDEA-PC, Manual, IP Database, 2016.2.8.1, 2016.6.12.2, 
Update, 6/13/2016 12:38 AM, SYSTEM, IDEA-PC, Manual, Domain Database, 2016.2.16.8, 2016.6.12.6, 
Update, 6/13/2016 12:38 AM, SYSTEM, IDEA-PC, Manual, Malware Database, 2016.2.16.6, 2016.6.13.1, 
Protection, 6/13/2016 12:38 AM, SYSTEM, IDEA-PC, Protection, Refresh, Starting, 
Protection, 6/13/2016 12:38 AM, SYSTEM, IDEA-PC, Protection, Malicious Website Protection, Stopping, 
Protection, 6/13/2016 12:38 AM, SYSTEM, IDEA-PC, Protection, Malicious Website Protection, Stopped, 
Protection, 6/13/2016 12:38 AM, SYSTEM, IDEA-PC, Protection, Refresh, Success, 
Protection, 6/13/2016 12:38 AM, SYSTEM, IDEA-PC, Protection, Malicious Website Protection, Starting, 
Protection, 6/13/2016 12:38 AM, SYSTEM, IDEA-PC, Protection, Malicious Website Protection, Started, 
Scan, 6/13/2016 12:50 AM, SYSTEM, IDEA-PC, Manual, Start:6/13/2016 12:46 AM, Duration:3 min 25 sec, Threat Scan, Completed, 0 Malware Detections, 0 Non-Malware Detections, 
Update, 6/13/2016 4:36 AM, SYSTEM, IDEA-PC, Scheduler, Malware Database, 2016.6.13.1, 2016.6.13.2, 
Protection, 6/13/2016 4:36 AM, SYSTEM, IDEA-PC, Protection, Refresh, Starting, 
Protection, 6/13/2016 4:36 AM, SYSTEM, IDEA-PC, Protection, Malicious Website Protection, Stopping, 
Protection, 6/13/2016 4:36 AM, SYSTEM, IDEA-PC, Protection, Malicious Website Protection, Stopped, 
Protection, 6/13/2016 4:36 AM, SYSTEM, IDEA-PC, Protection, Refresh, Success, 
Protection, 6/13/2016 4:36 AM, SYSTEM, IDEA-PC, Protection, Malicious Website Protection, Starting, 
Protection, 6/13/2016 4:36 AM, SYSTEM, IDEA-PC, Protection, Malicious Website Protection, Started, 
Update, 6/13/2016 7:02 AM, SYSTEM, IDEA-PC, Scheduler, Domain Database, 2016.6.12.6, 2016.6.13.1, 
Protection, 6/13/2016 7:02 AM, SYSTEM, IDEA-PC, Protection, Refresh, Starting, 
Protection, 6/13/2016 7:02 AM, SYSTEM, IDEA-PC, Protection, Malicious Website Protection, Stopping, 
Protection, 6/13/2016 7:02 AM, SYSTEM, IDEA-PC, Protection, Malicious Website Protection, Stopped, 
Protection, 6/13/2016 7:02 AM, SYSTEM, IDEA-PC, Protection, Refresh, Success, 
Protection, 6/13/2016 7:02 AM, SYSTEM, IDEA-PC, Protection, Malicious Website Protection, Starting, 
Protection, 6/13/2016 7:02 AM, SYSTEM, IDEA-PC, Protection, Malicious Website Protection, Started, 
Protection, 6/13/2016 10:35 PM, SYSTEM, IDEA-PC, Protection, Malware Protection, Starting, 
Protection, 6/13/2016 10:35 PM, SYSTEM, IDEA-PC, Protection, Malware Protection, Started, 
Protection, 6/13/2016 10:35 PM, SYSTEM, IDEA-PC, Protection, Malicious Website Protection, Starting, 
Protection, 6/13/2016 10:35 PM, SYSTEM, IDEA-PC, Protection, Malicious Website Protection, Started, 
 
(end)




#7 olgun52 (Malware Response Team)

Posted 14 June 2016 - 10:01 AM

Thank you.

Please do the following:

ComboFix run:

Please be sure to run our tools with administrator rights.

* IMPORTANT 1: Place ComboFix.exe on your Desktop

* IMPORTANT 2: Ensure your external and/or USB drives are inserted during the scan

Next, download ComboFix and save it to the Desktop.

  • Disable all antivirus and antispyware programs. Get help here
  • Now, close all open windows
  • Double-click combofix.exe to run the program
  • Follow the prompts.
  • If the option is offered, it is in your best interest to allow the download and install of the Recovery Console when prompted.
  • When told that the RC is installed correctly, press YES to continue scanning for malware.
  • ComboFix will run. Please don't click on the window while the program is running, it may cause your system to stall.
  • CF may reboot the computer and resume running when it restarts.
  • When finished, a log, ComboFix.txt, is produced.

Please provide the contents of the ComboFix report in your reply.

 

Have a nice day.
:hello:


Best regards
 

 


 


#8 ruasonidome (Topic Starter, Members)

Posted 14 June 2016 - 01:29 PM

Here is the ComboFix report:

 

 

 

ComboFix 16-06-01.01 - Matthew 06/14/2016  14:21:05.1.8 - x64
Microsoft Windows 8  6.2.9200.0.1252.1.1033.18.12235.9679 [GMT -4:00]
Running from: c:\users\Matthew\Desktop\ComboFix.exe
AV: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
 * Created a new restore point
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\programdata\Lenovo-30821.vbs
c:\programdata\Roaming
.
.
(((((((((((((((((((((((((   Files Created from 2016-05-14 to 2016-06-14  )))))))))))))))))))))))))))))))
.
.
2016-06-14 18:24 . 2016-06-14 18:24 -------- d-----w- c:\users\UpdatusUser\AppData\Local\temp
2016-06-14 18:24 . 2016-06-14 18:24 -------- d-----w- c:\users\Default\AppData\Local\temp
2016-06-13 04:37 . 2016-06-14 18:02 192216 ----a-w- c:\windows\system32\drivers\MBAMSwissArmy.sys
2016-06-13 04:37 . 2016-06-13 04:37 -------- d-----w- c:\programdata\Malwarebytes
2016-06-13 04:37 . 2016-03-10 18:09 65408 ----a-w- c:\windows\system32\drivers\mwac.sys
2016-06-13 04:37 . 2016-03-10 18:08 140672 ----a-w- c:\windows\system32\drivers\mbamchameleon.sys
2016-06-13 04:37 . 2016-03-10 18:08 27008 ----a-w- c:\windows\system32\drivers\mbam.sys
2016-06-13 04:17 . 2016-01-05 20:16 826328 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe
2016-06-13 04:17 . 2016-01-05 20:16 176088 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2016-06-13 04:12 . 2016-06-13 04:12 -------- d-s---w- c:\windows\system32\CompatTel
2016-06-13 04:12 . 2016-06-13 04:12 -------- d-----w- c:\windows\system32\appraiser
2016-06-13 04:12 . 2016-06-13 04:12 -------- d-----w- c:\windows\Migration
2016-06-13 03:08 . 2016-06-13 03:08 -------- d-----w- c:\program files\Common Files\AV
2016-06-12 23:44 . 2012-11-26 02:15 16114176 ----a-w- c:\program files\Common Files\Microsoft Shared\Microsoft Camera Codec Pack\MicrosoftRawCodec.dll
2016-06-12 23:44 . 2012-11-26 02:14 15541248 ----a-w- c:\program files (x86)\Common Files\Microsoft Shared\Microsoft Camera Codec Pack\MicrosoftRawCodec.dll
2016-06-12 23:09 . 2014-10-09 04:00 1484288 ----a-w- c:\windows\system32\VSSVC.exe
2016-06-12 23:09 . 2014-10-09 04:00 69632 ----a-w- c:\windows\system32\vsstrace.dll
2016-06-12 23:09 . 2014-10-09 04:00 1519104 ----a-w- c:\windows\system32\vssapi.dll
2016-06-12 23:09 . 2014-10-09 03:59 52224 ----a-w- c:\windows\SysWow64\vsstrace.dll
2016-06-12 23:09 . 2014-10-09 03:59 1195520 ----a-w- c:\windows\SysWow64\vssapi.dll
2016-06-12 22:34 . 2015-01-09 05:03 601088 ----a-w- c:\windows\SysWow64\Windows.Globalization.dll
2016-06-12 22:34 . 2015-01-09 06:43 951808 ----a-w- c:\windows\system32\Windows.Globalization.dll
2016-06-12 21:44 . 2014-04-16 18:20 29888 ----a-w- c:\windows\system32\aspnet_counters.dll
2016-06-12 21:43 . 2014-04-16 18:20 28352 ----a-w- c:\windows\SysWow64\aspnet_counters.dll
2016-06-12 14:03 . 2015-11-16 16:10 1821192 ----a-w- c:\windows\system32\ntdll.dll
2016-06-12 14:02 . 2013-03-02 02:43 1933312 ----a-w- c:\windows\system32\wbem\cimwin32.dll
2016-06-12 14:01 . 2013-08-16 05:41 58200 ----a-w- c:\windows\system32\drivers\dam.sys
2016-06-12 14:00 . 2015-07-30 13:11 124624 ----a-w- c:\windows\system32\PresentationCFFRasterizerNative_v0300.dll
2016-06-12 14:00 . 2015-07-30 13:10 103120 ----a-w- c:\windows\SysWow64\PresentationCFFRasterizerNative_v0300.dll
2016-06-12 14:00 . 2015-02-24 07:58 861696 ----a-w- c:\windows\system32\drivers\http.sys
2016-06-12 14:00 . 2013-06-22 05:45 785624 ----a-w- c:\windows\system32\drivers\Wdf01000.sys
2016-06-12 14:00 . 2013-06-22 05:45 54488 ----a-w- c:\windows\system32\drivers\WdfLdr.sys
2016-06-12 14:00 . 2013-07-05 22:02 99328 ----a-w- c:\windows\system32\drivers\usbcir.sys
2016-06-12 14:00 . 2013-07-05 22:01 210560 ----a-w- c:\windows\system32\drivers\usbvideo.sys
2016-06-12 14:00 . 2014-02-05 23:41 1257984 ----a-w- c:\windows\system32\kernel32.dll
2016-06-12 14:00 . 2014-12-08 06:48 391168 ----a-w- c:\windows\system32\scesrv.dll
2016-06-12 14:00 . 2014-12-08 05:04 318464 ----a-w- c:\windows\SysWow64\scesrv.dll
2016-06-12 13:58 . 2013-04-23 23:13 1013248 ----a-w- c:\windows\SysWow64\certutil.exe
2016-06-12 13:57 . 2015-04-13 05:32 417280 ----a-w- c:\windows\system32\services.exe
2016-06-12 13:57 . 2015-08-05 13:52 1287680 ----a-w- c:\windows\system32\schedsvc.dll
2016-06-12 13:57 . 2015-12-15 00:00 19349504 ----a-w- c:\windows\system32\mshtml.dll
2016-06-12 13:57 . 2015-12-15 00:00 15422976 ----a-w- c:\windows\system32\ieframe.dll
2016-06-12 13:54 . 2013-04-09 04:51 14267904 ----a-w- c:\windows\system32\wmp.dll
2016-06-12 13:50 . 2013-05-04 06:59 13644288 ----a-w- c:\windows\system32\Windows.UI.Xaml.dll
2016-06-12 13:43 . 2013-07-01 01:42 79192 ----a-w- c:\windows\system32\drivers\usbehci.sys
2016-06-12 13:43 . 2013-07-01 01:42 623448 ----a-w- c:\windows\system32\drivers\usbhub.sys
2016-06-12 13:43 . 2013-07-01 01:42 498008 ----a-w- c:\windows\system32\drivers\usbport.sys
2016-06-12 13:43 . 2013-07-01 01:42 21848 ----a-w- c:\windows\system32\drivers\usbd.sys
2016-06-12 13:43 . 2013-06-29 03:07 32256 ----a-w- c:\windows\system32\drivers\usbuhci.sys
2016-06-12 13:43 . 2013-06-29 03:06 120832 ----a-w- c:\windows\system32\drivers\usbccgp.sys
2016-06-12 13:42 . 2015-05-08 23:39 981504 ----a-w- c:\windows\system32\KernelBase.dll
2016-06-12 13:42 . 2015-05-08 20:05 668160 ----a-w- c:\windows\SysWow64\KernelBase.dll
2016-06-12 13:42 . 2015-10-11 06:45 1160192 ----a-w- c:\windows\system32\IKEEXT.DLL
2016-06-12 13:42 . 2015-10-11 06:45 723968 ----a-w- c:\windows\system32\BFE.DLL
2016-06-12 13:42 . 2014-12-18 08:51 96576 ----a-w- c:\windows\system32\drivers\wfplwfs.sys
2016-06-12 13:42 . 2014-12-18 06:52 889344 ----a-w- c:\windows\system32\nshwfp.dll
2016-06-12 13:42 . 2014-12-18 06:20 702464 ----a-w- c:\windows\SysWow64\nshwfp.dll
2016-06-12 13:42 . 2013-06-10 19:15 381952 ----a-w- c:\windows\system32\FWPUCLNT.DLL
2016-06-12 13:42 . 2013-06-10 19:10 245248 ----a-w- c:\windows\SysWow64\FWPUCLNT.DLL
2016-06-12 13:40 . 2014-12-06 07:52 384000 ----a-w- c:\windows\system32\ncsi.dll
2016-06-12 13:40 . 2014-12-06 07:52 72192 ----a-w- c:\windows\system32\nlaapi.dll
2016-06-12 13:40 . 2014-12-06 07:52 357376 ----a-w- c:\windows\system32\nlasvc.dll
2016-06-12 13:40 . 2014-12-06 06:09 55296 ----a-w- c:\windows\SysWow64\nlaapi.dll
2016-06-12 13:40 . 2014-12-06 07:53 458240 ----a-w- c:\windows\system32\wer.dll
2016-06-12 13:40 . 2013-07-09 06:18 439488 ----a-w- c:\windows\system32\WerFault.exe
2016-06-12 13:40 . 2014-12-06 07:53 26112 ----a-w- c:\windows\system32\WerFaultSecure.exe
2016-06-12 13:40 . 2014-12-06 07:51 370688 ----a-w- c:\windows\system32\Faultrep.dll
2016-06-12 13:40 . 2014-12-06 06:10 23552 ----a-w- c:\windows\SysWow64\WerFaultSecure.exe
2016-06-12 13:40 . 2014-12-06 06:10 355840 ----a-w- c:\windows\SysWow64\wer.dll
2016-06-12 13:40 . 2014-12-06 06:09 332800 ----a-w- c:\windows\SysWow64\Faultrep.dll
2016-06-12 13:40 . 2013-07-09 04:25 385768 ----a-w- c:\windows\SysWow64\WerFault.exe
2016-06-12 13:38 . 2015-03-04 07:29 361280 ----a-w- c:\windows\system32\drivers\clfs.sys
2016-06-12 13:38 . 2015-03-04 06:39 74752 ----a-w- c:\windows\system32\clfsw32.dll
2016-06-12 13:38 . 2015-03-04 04:52 57856 ----a-w- c:\windows\SysWow64\clfsw32.dll
2016-06-12 13:38 . 2015-06-15 15:20 2886144 ----a-w- c:\windows\system32\msi.dll
2016-06-12 13:38 . 2014-06-12 23:29 2146304 ----a-w- c:\windows\system32\actxprxy.dll
2016-06-12 13:38 . 2015-06-15 15:22 2416640 ----a-w- c:\windows\SysWow64\msi.dll
2016-06-12 13:38 . 2014-10-11 07:44 393216 ----a-w- c:\windows\system32\msihnd.dll
2016-06-12 13:38 . 2014-06-12 23:34 754176 ----a-w- c:\windows\SysWow64\actxprxy.dll
2016-06-12 13:38 . 2014-06-05 17:56 112984 ----a-w- c:\windows\system32\consent.exe
2016-06-12 13:38 . 2015-06-15 15:22 62976 ----a-w- c:\windows\SysWow64\msiexec.exe
2016-06-12 13:38 . 2015-06-15 15:21 124416 ----a-w- c:\windows\system32\msiexec.exe
2016-06-12 13:38 . 2014-10-11 05:57 295424 ----a-w- c:\windows\SysWow64\msihnd.dll
2016-06-12 13:36 . 2015-12-05 22:20 319488 ----a-w- c:\windows\SysWow64\schannel.dll
2016-06-12 13:36 . 2015-12-05 14:49 416768 ----a-w- c:\windows\system32\schannel.dll
2016-06-12 13:36 . 2015-12-05 14:49 89088 ----a-w- c:\windows\system32\ncryptsslp.dll
2016-06-12 13:36 . 2015-12-05 14:49 130560 ----a-w- c:\windows\system32\ncrypt.dll
2016-06-12 13:36 . 2015-12-05 22:19 73728 ----a-w- c:\windows\SysWow64\ncryptsslp.dll
2016-06-12 13:36 . 2015-12-05 22:19 89088 ----a-w- c:\windows\SysWow64\ncrypt.dll
2016-06-12 13:36 . 2014-11-26 06:43 778240 ----a-w- c:\windows\system32\oleaut32.dll
2016-06-12 13:36 . 2014-11-26 04:50 567808 ----a-w- c:\windows\SysWow64\oleaut32.dll
2016-06-12 13:35 . 2014-03-11 00:38 684032 ----a-w- c:\windows\system32\objsel.dll
2016-06-12 13:35 . 2014-03-11 00:41 559104 ----a-w- c:\windows\SysWow64\objsel.dll
2016-06-12 13:35 . 2014-03-11 00:38 179712 ----a-w- c:\windows\system32\dpapisrv.dll
2016-06-12 13:35 . 2014-03-11 00:41 38400 ----a-w- c:\windows\SysWow64\dimsroam.dll
2016-06-12 13:35 . 2014-03-11 00:38 45056 ----a-w- c:\windows\system32\dimsroam.dll
2016-06-12 13:35 . 2015-09-02 13:48 46080 ----a-w- c:\windows\system32\atmlib.dll
2016-06-12 13:35 . 2015-09-02 13:38 35328 ----a-w- c:\windows\SysWow64\atmlib.dll
2016-06-12 13:35 . 2015-08-28 21:59 304128 ----a-w- c:\windows\SysWow64\atmfd.dll
2016-06-12 13:35 . 2015-08-27 18:41 366592 ----a-w- c:\windows\system32\atmfd.dll
2016-06-12 13:33 . 2015-09-23 13:10 377552 ----a-w- c:\windows\system32\bcryptprimitives.dll
2016-06-12 13:32 . 2013-07-13 06:18 337408 ----a-w- c:\windows\system32\wintrust.dll
2016-06-12 13:31 . 2013-08-23 07:22 2062848 ----a-w- c:\windows\system32\d3d11.dll
2016-06-12 13:31 . 2013-08-23 01:44 1711616 ----a-w- c:\windows\SysWow64\d3d11.dll
2016-06-12 13:31 . 2013-12-04 23:43 583680 ----a-w- c:\windows\system32\msdrm.dll
2016-06-12 13:31 . 2013-12-04 23:37 451072 ----a-w- c:\windows\SysWow64\msdrm.dll
2016-06-12 13:31 . 2013-03-22 03:49 2382336 ----a-w- c:\windows\SysWow64\esent.dll
2016-06-12 13:31 . 2013-03-21 22:47 2851840 ----a-w- c:\windows\system32\esent.dll
2016-06-12 13:31 . 2014-10-23 12:47 79872 ----a-w- c:\windows\system32\packager.dll
2016-06-12 13:31 . 2014-10-23 11:04 68096 ----a-w- c:\windows\SysWow64\packager.dll
2016-06-12 13:31 . 2014-11-08 11:22 238080 ----a-w- c:\windows\system32\pku2u.dll
2016-06-12 13:31 . 2014-11-08 06:57 187904 ----a-w- c:\windows\SysWow64\pku2u.dll
2016-06-12 13:31 . 2015-12-08 15:16 897024 ----a-w- c:\windows\system32\advapi32.dll
2016-06-12 13:31 . 2015-12-08 15:43 703488 ----a-w- c:\windows\SysWow64\advapi32.dll
2016-06-12 13:30 . 2015-01-24 06:43 420864 ----a-w- c:\windows\system32\WMPhoto.dll
2016-06-12 13:30 . 2015-01-24 05:00 368640 ----a-w- c:\windows\SysWow64\WMPhoto.dll
2016-06-12 13:30 . 2015-04-25 03:41 541696 ----a-w- c:\windows\SysWow64\comctl32.dll
2016-06-12 13:30 . 2015-04-24 23:13 652288 ----a-w- c:\windows\system32\comctl32.dll
2016-06-12 13:30 . 2015-08-01 13:56 19778048 ----a-w- c:\windows\system32\shell32.dll
2016-06-12 13:30 . 2015-07-09 21:47 243712 ----a-w- c:\windows\system32\notepad.exe
2016-06-12 13:30 . 2015-07-09 21:47 243712 ----a-w- c:\windows\notepad.exe
2016-06-12 13:30 . 2015-07-09 20:18 233984 ----a-w- c:\windows\SysWow64\notepad.exe
2016-06-12 13:30 . 2013-03-02 09:59 411880 ----a-w- c:\windows\system32\drivers\FWPKCLNT.SYS
2016-06-12 13:30 . 2013-04-02 23:37 25088 ----a-w- c:\windows\SysWow64\cryptdlg.dll
2016-06-12 13:30 . 2013-04-02 23:12 30720 ----a-w- c:\windows\system32\cryptdlg.dll
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2016-06-11 16:36 . 2012-07-26 08:13 24800 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\ppcrlconfig600.dll
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"IAStorIcon"="c:\program files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIconLaunch.exe" [2012-09-12 56128]
"YouCam Mirage"="c:\program files (x86)\Lenovo\YouCam\YCMMirage.exe" [2012-07-27 136488]
"YouCam Tray"="c:\program files (x86)\Lenovo\YouCam\YouCamTray.exe" [2012-07-27 167024]
"RemoteControl10"="c:\program files (x86)\Lenovo\PowerDVD10\PDVD10Serv.exe" [2012-03-29 91432]
"Intel AppUp(SM) center"="c:\program files (x86)\Intel\IntelAppStore\bin\ismagent.exe" [2012-07-12 155488]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"EnableUIADesktopToggle"= 0 (0x0)
"EnableCursorSuppression"= 1 (0x1)
"ConsentPromptBehaviorUser"= 3 (0x3)
.
[HKEY_LOCAL_MACHINE\software\policies\microsoft\windows\windowsupdate\au]
"NoAutoUpdate"= 
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcpltsvc]
@=""
.
R2 IAStorDataMgrSvc;Intel® Rapid Storage Technology;c:\program files (x86)\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe;c:\program files (x86)\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe [x]
R2 MBAMScheduler;MBAMScheduler;c:\users\Matthew\Desktop\Malwarebytes\Malwarebytes Anti-Malware\mbamscheduler.exe;c:\users\Matthew\Desktop\Malwarebytes\Malwarebytes Anti-Malware\mbamscheduler.exe [x]
R2 MBAMService;MBAMService;c:\users\Matthew\Desktop\Malwarebytes\Malwarebytes Anti-Malware\mbamservice.exe;c:\users\Matthew\Desktop\Malwarebytes\Malwarebytes Anti-Malware\mbamservice.exe [x]
R3 BthLEEnum;Bluetooth Low Energy Driver;c:\windows\system32\DRIVERS\BthLEEnum.sys;c:\windows\SYSNATIVE\DRIVERS\BthLEEnum.sys [x]
R3 btmaux;Intel Bluetooth Auxiliary Service;c:\windows\system32\DRIVERS\btmaux.sys;c:\windows\SYSNATIVE\DRIVERS\btmaux.sys [x]
R3 btmhsf;btmhsf;c:\windows\system32\DRIVERS\btmhsf.sys;c:\windows\SYSNATIVE\DRIVERS\btmhsf.sys [x]
R3 iaStorA;iaStorA;c:\windows\System32\drivers\iaStorA.sys;c:\windows\SYSNATIVE\drivers\iaStorA.sys [x]
R3 ibtfltcoex;ibtfltcoex;c:\windows\system32\DRIVERS\iBtFltCoex.sys;c:\windows\SYSNATIVE\DRIVERS\iBtFltCoex.sys [x]
R3 MyWiFiDHCPDNS;Wireless PAN DHCP Server;c:\program files\Intel\WiFi\bin\PanDhcpDns.exe;c:\program files\Intel\WiFi\bin\PanDhcpDns.exe [x]
R3 wsvd;wsvd;c:\windows\system32\DRIVERS\wsvd.sys;c:\windows\SYSNATIVE\DRIVERS\wsvd.sys [x]
S0 excsd;ExpressCache Storage Filter Driver;c:\windows\system32\DRIVERS\excsd.sys;c:\windows\SYSNATIVE\DRIVERS\excsd.sys [x]
S0 LHDmgr;LHDmgr;c:\windows\System32\DRIVERS\LhdX64.sys;c:\windows\SYSNATIVE\DRIVERS\LhdX64.sys [x]
S1 excfs;ExpressCache File System Filter Driver;c:\windows\system32\DRIVERS\excfs.sys;c:\windows\SYSNATIVE\DRIVERS\excfs.sys [x]
S2 Bluetooth Device Monitor;Bluetooth Device Monitor;c:\program files (x86)\Intel\Bluetooth\devmonsrv.exe;c:\program files (x86)\Intel\Bluetooth\devmonsrv.exe [x]
S2 Bluetooth OBEX Service;Bluetooth OBEX Service;c:\program files (x86)\Intel\Bluetooth\obexsrv.exe;c:\program files (x86)\Intel\Bluetooth\obexsrv.exe [x]
S2 ExpressCache;ExpressCache;c:\program files\Diskeeper Corporation\ExpressCache\ExpressCache.exe;c:\program files\Diskeeper Corporation\ExpressCache\ExpressCache.exe [x]
S2 Intel® Capability Licensing Service Interface;Intel® Capability Licensing Service Interface;c:\program files\Intel\iCLS Client\HeciServer.exe;c:\program files\Intel\iCLS Client\HeciServer.exe [x]
S2 jhi_service;Intel® Dynamic Application Loader Host Interface Service;c:\program files (x86)\Intel\Intel® Management Engine Components\DAL\jhi_service.exe;c:\program files (x86)\Intel\Intel® Management Engine Components\DAL\jhi_service.exe [x]
S2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe;c:\program files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [x]
S2 UNS;Intel® Management and Security Application User Notification Service;c:\program files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe;c:\program files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe [x]
S2 ZeroConfigService;Intel® PROSet/Wireless Zero Configuration Service;c:\program files\Intel\WiFi\bin\ZeroConfigService.exe;c:\program files\Intel\WiFi\bin\ZeroConfigService.exe [x]
S3 ACPIVPC;Lenovo Virtual Power Controller Driver;c:\windows\System32\drivers\AcpiVpc.sys;c:\windows\SYSNATIVE\drivers\AcpiVpc.sys [x]
S3 JMCR;JMCR;c:\windows\System32\drivers\jmcr.sys;c:\windows\SYSNATIVE\drivers\jmcr.sys [x]
S3 L1C;NDIS Miniport Driver for Qualcomm Atheros AR81xx PCI-E Ethernet Controller;c:\windows\system32\DRIVERS\L1C63x64.sys;c:\windows\SYSNATIVE\DRIVERS\L1C63x64.sys [x]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys;c:\windows\SYSNATIVE\drivers\mbam.sys [x]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\MBAMSwissArmy.sys;c:\windows\SYSNATIVE\drivers\MBAMSwissArmy.sys [x]
S3 MBAMWebAccessControl;MBAMWebAccessControl;c:\windows\system32\drivers\mwac.sys;c:\windows\SYSNATIVE\drivers\mwac.sys [x]
S3 NETwNe64;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows 8 - 64 Bit;c:\windows\system32\DRIVERS\NETwew00.sys;c:\windows\SYSNATIVE\DRIVERS\NETwew00.sys [x]
S3 rtsuvc;Lenovo EasyCamera;c:\windows\system32\DRIVERS\rtsuvc.sys;c:\windows\SYSNATIVE\DRIVERS\rtsuvc.sys [x]
S3 SmbDrvI;SmbDrvI;c:\windows\system32\DRIVERS\Smb_driver_Intel.sys;c:\windows\SYSNATIVE\DRIVERS\Smb_driver_Intel.sys [x]
S3 WUDFWpdMtp;WUDFWpdMtp;c:\windows\system32\DRIVERS\WUDFRd.sys;c:\windows\SYSNATIVE\DRIVERS\WUDFRd.sys [x]
.
.
Contents of the 'Scheduled Tasks' folder
.
2016-06-14 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2016-06-12 12:49]
.
2016-06-14 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2016-06-12 12:49]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RAVCpl64.exe" [2012-11-19 13260944]
"RtHDVBg_Dolby"="c:\program files\Realtek\Audio\HDA\RAVBg64.exe" [2012-11-19 1253520]
"BTMTrayAgent"="c:\program files (x86)\Intel\Bluetooth\btmshellex.dll" [2012-09-30 11582848]
"RtsFT"="RTFTrack.exe" [2012-12-21 6346464]
"OnekeyStudio"="c:\program files\Lenovo\Onekey Theater\OnekeyStudio.exe" [2012-08-10 4196432]
"Energy Management"="c:\program files (x86)\Lenovo\Energy Management\Energy Management.exe" [2013-04-16 17080376]
"EnergyUtility"="c:\program files (x86)\Lenovo\Energy Management\Utility.exe" [2013-04-16 191544]
"Logitech Download Assistant"="c:\windows\System32\LogiLDA.dll" [2012-09-20 3933496]
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = hxxp://lenovo13.msn.com
mLocal Page = c:\windows\SysWOW64\blank.htm
IE: Send to Bluetooth - c:\program files (x86)\Intel\Bluetooth\btSendToObject.htm
TCP: DhcpNameServer = 192.168.1.1
DPF: {4FF78044-96B4-4312-A5B7-FDA3CB328095} - 
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-Locked - (no file)
Wow6432Node-HKLM-Run-mcui_exe - c:\program files\McAfee.com\Agent\mcagent.exe
Toolbar-Locked - (no file)
HKLM-Run-SynLenovoGestureMgr - c:\program files (x86)\Synaptics\SynTP\SynLenovoGestureMgr.exe
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
@SACL=(02 0000)
.
Completion time: 2016-06-14  14:25:50
ComboFix-quarantined-files.txt  2016-06-14 18:25
.
Pre-Run: 888,085,815,296 bytes free
Post-Run: 887,946,665,984 bytes free
.
- - End Of File - - 588EB90B465CDCB9A8C7675211FBE35E
A36C5E4F47E84449FF07ED3517B43A31



Thank you for all your help so far!


#9 olgun52

olgun52

  • Malware Response Team
  • 3,787 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:04:36 PM

Posted 14 June 2016 - 01:53 PM

Good Job :thumbup2:

 

How is your PC running now, any issues?


Best regards
 
If you wish to show appreciation and support me personally fighting against malware, then you can consider a donation. Thank you. :thumbup2:
Malware fix forum
If I don't reply within 24 hours please PM me!

 


 


#10 ruasonidome

ruasonidome
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Local time:02:36 PM

Posted 14 June 2016 - 02:11 PM

Because of the amount of time between the initial scam and now (due to my issues with the laptop's charger port), it is difficult for me to recall acutely how much my computer's performance had declined after infection. It seems to be running okay, but the two COM Surrogate tasks are still listed in a high spot under Task Manager and quickly disappear from the list if the window is left open.

 

I understand that COM Surrogate is a real Windows file, but I am also told that having multiple instances of it is sometimes a sign of tampered files.

 

My computer's total memory usage rests at around 24%; the CPU fluctuates between 0% and 1%, and the Disk moves up and down between 0% and 4%. In the end, I am unable to anecdotally diagnose my laptop.

 

I think I am just justifiably afraid of having my information disclosed again. If there don't seem to be any issues, I'll take your word for it.



#11 ruasonidome

ruasonidome
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Local time:02:36 PM

Posted 14 June 2016 - 02:15 PM

Sorry, by "I'll take your word for it" I meant "I'll trust your judgement".



#12 olgun52

olgun52

  • Malware Response Team
  • 3,787 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:04:36 PM

Posted 14 June 2016 - 03:09 PM

Hi again,

My computer's total memory usage rests at around 24%; the CPU fluctuates between 0% and 1%, and the Disk moves up and down between 0% and 4%. In the end, I am unable to anecdotally diagnose my laptop.

This is normal and there is no problem here.

=============================================================================

Please go to: VirusTotal
On the page you'll find a "Choose File" button.
Click on the Choose File button.
In the Choose File to Upload window which opens, copy and paste this into the File Name box.
 
C:\ProgramData\Microsoft\Windows\OFFICEICON.vbs
 
Next, click the Open button.
Then click the "Scan It!" button just below.
This will scan the file. Please be patient.
If you get a message saying File has already been analyzed: click Reanalyze file now
Once scanned, copy and paste the link to the results page in your next reply.


Best regards
 

#13 ruasonidome

ruasonidome
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Local time:02:36 PM

Posted 14 June 2016 - 03:17 PM

Here is the link:

 

https://www.virustotal.com/en/file/3f9f89e8d06b68c7329af898a6bde3d12423c2e3041409fb118fd14066ac0d98/analysis/1465935283/
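An added example, not code from this thread, from olgun52 or from VirusTotal: it computes a file's SHA-256 locally and checks that a VirusTotal result link (here, the one posted above) really refers to the file you have. Hashing the file yourself means it can be looked up on VirusTotal without uploading it, and comparing the hash embedded in the link catches the case where a report belongs to a different file than the one on your disk. The `CONSTRUCTED_FILE` bytes are a made-up stand-in, since the real OFFICEICON.vbs is not on the page.

```python
import hashlib
import re
from datetime import datetime, timezone

# Shape of the result link VirusTotal hands back after a file scan, as posted in this thread:
#   https://www.virustotal.com/en/file/<sha256 of the file>/analysis/<unix timestamp of the scan>/
VT_FILE_URL = re.compile(
    r"^https://www\.virustotal\.com/(?:[a-z]{2}/)?file/([0-9a-fA-F]{64})/analysis/(\d+)/?$"
)


def sha256_bytes(data: bytes) -> str:
    """SHA-256 of an in-memory blob, lowercase hex, the form VirusTotal keys files by."""
    return hashlib.sha256(data).hexdigest()


def sha256_file(path: str, chunk_size: int = 1 << 20) -> str:
    """SHA-256 of a file on disk, read in chunks so large files need not fit in memory.
    Hashing locally lets you look a file up on VirusTotal without uploading it first."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def parse_vt_result_url(url: str):
    """Split a VirusTotal result link into (sha256, scan time as an aware UTC datetime).
    Returns None when the link is not a file-analysis URL on www.virustotal.com."""
    match = VT_FILE_URL.match(url.strip())
    if not match:
        return None
    digest = match.group(1).lower()
    scanned_at = datetime.fromtimestamp(int(match.group(2)), tz=timezone.utc)
    return digest, scanned_at


def report_matches_file(url: str, local_digest: str) -> bool:
    """True only if the link is a genuine VT file URL *and* its hash is the hash of the
    file you actually have, so a report for some other file is not mistaken for a
    verdict on yours."""
    parsed = parse_vt_result_url(url)
    return parsed is not None and parsed[0] == local_digest.lower()


# The link posted in this thread for C:\ProgramData\Microsoft\Windows\OFFICEICON.vbs.
POSTED_URL = ("https://www.virustotal.com/en/file/"
              "3f9f89e8d06b68c7329af898a6bde3d12423c2e3041409fb118fd14066ac0d98"
              "/analysis/1465935283/")

# Constructed stand-in for a local copy of the script (the real file is not on the page),
# used only to show that a hash mismatch is reported as a mismatch.
CONSTRUCTED_FILE = b"' constructed sample, not the real OFFICEICON.vbs\r\nWScript.Quit\r\n"

if __name__ == "__main__":
    digest, scanned_at = parse_vt_result_url(POSTED_URL)
    print("report hash :", digest)
    print("scanned at  :", scanned_at.isoformat())
    local = sha256_bytes(CONSTRUCTED_FILE)
    print("local hash  :", local)
    print("same file?  :", report_matches_file(POSTED_URL, local))
```

For a file still on disk, `sha256_file(r"C:\ProgramData\Microsoft\Windows\OFFICEICON.vbs")` gives the value to compare against the link, and the decoded timestamp tells you whether the verdict is from a fresh scan or an old cached analysis (the "Reanalyze file now" case in the instructions).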



#14 olgun52

olgun52

  • Malware Response Team
  • 3,787 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:04:36 PM

Posted 14 June 2016 - 03:56 PM

Hi,
Please do the following

Step 1:
MalwareBytes Anti-Rootkit scan:
  • Close all the running processes
  • Be sure to temporarily disable all antivirus/anti-spyware software
  • Caution: This is a beta version so please be sure to read the disclaimer and back up any important data before using.
  • Note: Malwarebytes Anti-Rootkit requires administrative privileges to function properly.
1. Download MalwareBytes Anti-Rootkit software from here to your desktop.
  • Right-click on Mbar 1.09.1.1004.exe and select Run As Administrator to launch the application.
2. Open the folder named MBAR on the desktop.
3. Find the MBAR folder in the list.
4. Click it once.
5. Now click the OK button.
6. Click the OK button again.
7. Then click Next and click on the Update button.
8. Now click on the Scan button.
  • When finished updating, click 'Next' then 'Scan'.
  • If you are told you have the 'AppInit_Dlls rootkit', choose not to fix it and proceed with the scan.
  • With some infections, you may see two message boxes:
  • 'Could not load protection driver'. Click 'OK'.
  • 'Could not load DDA driver'. Click 'Yes' to this message, to allow the driver to load after a restart. Allow the computer to restart, then continue with the rest of these instructions.
  • If malware is found, do NOT press the 'Cleanup' button yet. Click 'Exit'.
  • Please attach the two log files created by the tool within the folder from which it was run.
  • The logs will be named mbar-log-YYYY-MM-DD (##-##-##).txt and system-log.txt
Step 2:
RogueKiller scan:
  • Please download RogueKiller 32/64 bit to your desktop and run it
  • Quit all running programs.
  • For Windows XP, double-click to start.
  • For Vista or Windows 7-8, right-click on the program, select Run as Administrator to start, and when prompted Allow to run.
  • Click Scan to scan the system.
  • When the scan completes > Close out the program > Don't Fix anything!
  • Don't run any other options, they're not all bad!
  • Post back the report which should be located on your desktop.

Best regards
 

#15 ruasonidome

ruasonidome
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Local time:02:36 PM

Posted 14 June 2016 - 05:31 PM

I did as instructed with the beta MBAM program and it detected no malware. The log files have been attached.

 

With RogueKiller, no log file was automatically placed on the Desktop. So, I went to the History tab and found the Scan Report manually instead. Here is the RK log:

 

 

 

RogueKiller V12.3.3.0 [Jun 13 2016] (Free) by Adlice Software
 
Operating System : Windows 8 (6.2.9200) 64 bits version
Started in : Normal mode
User : Matthew [Administrator]
Started from : C:\Users\Matthew\Desktop\RogueKiller.exe
Mode : Scan -- Date : 06/14/2016 18:22:19
 
¤¤¤ Processes : 0 ¤¤¤
 
¤¤¤ Registry : 3 ¤¤¤
[Hidden.From.SCM] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\catchme (\??\C:\ComboFix\catchme.sys) -> Found
[PUM.HomePage] (X64) HKEY_USERS\S-1-5-21-2756909288-3414364554-1844949731-1002\Software\Microsoft\Internet Explorer\Main | Start Page : http://lenovo13.msn.com  -> Found
[PUM.HomePage] (X86) HKEY_USERS\S-1-5-21-2756909288-3414364554-1844949731-1002\Software\Microsoft\Internet Explorer\Main | Start Page : http://lenovo13.msn.com  -> Found
 
¤¤¤ Tasks : 1 ¤¤¤
[Suspicious.Path] \Lenovo\Lenovo-30821 -- C:\ProgramData\Lenovo-30821.vbs -> Found
 
¤¤¤ Files : 0 ¤¤¤
 
¤¤¤ Hosts File : 0 ¤¤¤
 
¤¤¤ Antirootkit : 0 (Driver: Not loaded [0xc000036b]) ¤¤¤
 
¤¤¤ Web browsers : 0 ¤¤¤
 
¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: ST1000LM024 HN-M101MBB ATA Device +++++
--- User ---
[MBR] 68891372af5deb7df3a2253ff7b14f9b
[BSP] c12358766aa55c4b92ebf9fce365efb0 : Windows Vista/7/8|VT.Unknown MBR Code
Partition table:
0 - [SYSTEM][MAN-MOUNT] Basic data partition | Offset (sectors): 2048 | Size: 1000 MB
1 - [SYSTEM][MAN-MOUNT] EFI system partition | Offset (sectors): 2050048 | Size: 260 MB
2 - [SYSTEM][MAN-MOUNT] Basic data partition | Offset (sectors): 2582528 | Size: 1000 MB
3 - [MAN-MOUNT] Microsoft reserved partition | Offset (sectors): 4630528 | Size: 128 MB
4 - Basic data partition | Offset (sectors): 4892672 | Size: 904950 MB
5 - [SYSTEM][MAN-MOUNT]  | Offset (sectors): 1858230272 | Size: 450 MB
6 - Basic data partition | Offset (sectors): 1859151872 | Size: 25600 MB
7 - [SYSTEM][MAN-MOUNT] Basic data partition | Offset (sectors): 1911580672 | Size: 20480 MB
User = LL1 ... OK
User = LL2 ... OK
 

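A parser for the RogueKiller report format, added here as an example and not part of the thread or of RogueKiller itself: it reads the "¤¤¤ Section : N ¤¤¤" headers and the "[Category] ... -> Found" lines of the report posted above, checks that each section's declared count matches the findings actually listed under it, and sorts findings with a small triage heuristic of its own. The labels tool-artifact, review-setting and investigate are this example's, not RogueKiller's; the rule that treats the Hidden.From.SCM entry as a tool artifact rests on its path, C:\ComboFix\catchme.sys, which is the catchme driver ComboFix installs, left from the ComboFix run posted earlier in the thread. The sample log is copied from the post and trimmed to the sections that carry findings.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Sample input: the RogueKiller report posted in this thread, trimmed to the relevant sections.
SAMPLE_LOG = r"""RogueKiller V12.3.3.0 [Jun 13 2016] (Free) by Adlice Software

Operating System : Windows 8 (6.2.9200) 64 bits version
Mode : Scan -- Date : 06/14/2016 18:22:19

¤¤¤ Processes : 0 ¤¤¤

¤¤¤ Registry : 3 ¤¤¤
[Hidden.From.SCM] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\catchme (\??\C:\ComboFix\catchme.sys) -> Found
[PUM.HomePage] (X64) HKEY_USERS\S-1-5-21-2756909288-3414364554-1844949731-1002\Software\Microsoft\Internet Explorer\Main | Start Page : http://lenovo13.msn.com  -> Found
[PUM.HomePage] (X86) HKEY_USERS\S-1-5-21-2756909288-3414364554-1844949731-1002\Software\Microsoft\Internet Explorer\Main | Start Page : http://lenovo13.msn.com  -> Found

¤¤¤ Tasks : 1 ¤¤¤
[Suspicious.Path] \Lenovo\Lenovo-30821 -- C:\ProgramData\Lenovo-30821.vbs -> Found

¤¤¤ Files : 0 ¤¤¤

¤¤¤ Antirootkit : 0 (Driver: Not loaded [0xc000036b]) ¤¤¤

¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: ST1000LM024 HN-M101MBB ATA Device +++++
[MBR] 68891372af5deb7df3a2253ff7b14f9b
"""

# "¤¤¤ Registry : 3 ¤¤¤" -> name "Registry", count 3; "¤¤¤ MBR Check : ¤¤¤" has no count.
SECTION_RE = re.compile(r"^¤¤¤ (.+?) :\s*(\d+)?")
# "[Category] detail -> Status"; lines such as "[MBR] <hash>" have no "->" and are skipped.
FINDING_RE = re.compile(r"^\[([^\]]+)\] (.*?)\s*-> (\w+)\s*$")


@dataclass
class Finding:
    section: str
    category: str
    detail: str
    status: str


@dataclass
class Report:
    counts: Dict[str, Optional[int]] = field(default_factory=dict)
    findings: List[Finding] = field(default_factory=list)


def parse_roguekiller(text: str) -> Report:
    """Walk the report line by line, tracking the current section and collecting findings."""
    report = Report()
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        header = SECTION_RE.match(line)
        if header:
            section = header.group(1)
            report.counts[section] = int(header.group(2)) if header.group(2) else None
            continue
        hit = FINDING_RE.match(line)
        if hit and section is not None:
            report.findings.append(Finding(section, hit.group(1), hit.group(2), hit.group(3)))
    return report


def count_mismatches(report: Report) -> Dict[str, tuple]:
    """Sections whose declared count differs from the findings parsed under them,
    as {section: (declared, parsed)}; an empty dict means the report parsed cleanly."""
    mismatches = {}
    for section, declared in report.counts.items():
        if declared is None:
            continue
        parsed = sum(1 for f in report.findings if f.section == section)
        if parsed != declared:
            mismatches[section] = (declared, parsed)
    return mismatches


def triage(finding: Finding) -> str:
    """Heuristic triage (this example's own, not RogueKiller's). PUM = potentially unwanted
    modification, a setting that is often the user's or OEM's choice; a service hidden from
    the SCM whose driver lives in the ComboFix folder is the catchme driver ComboFix installs."""
    if finding.category == "Hidden.From.SCM" and "\\ComboFix\\" in finding.detail:
        return "tool-artifact"
    if finding.category.startswith("PUM."):
        return "review-setting"
    if finding.category.startswith("Suspicious."):
        return "investigate"
    return "unknown"


if __name__ == "__main__":
    report = parse_roguekiller(SAMPLE_LOG)
    print("count mismatches:", count_mismatches(report) or "none")
    for f in report.findings:
        print(f"{triage(f):15} {f.section:9} {f.category:17} {f.detail}")
```

Run against the report above, the only line the heuristic sends to "investigate" is the scheduled task whose action is a .vbs script under C:\ProgramData, which is the same kind of location as the OFFICEICON.vbs file olgun52 asked to have checked on VirusTotal; the two PUM.HomePage hits are the OEM MSN start page already visible in the ComboFix log.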