
Memory usage very high. Too many java process. Probably Distromatic infection.


  • This topic is locked
2 replies to this topic

#1 Account215

  • Members
  • 1 posts

Posted 08 August 2016 - 02:04 PM

Just in case: this is the first post I've made on this site, and the computer I'm trying to clean is not mine.

 

My grandpa asked me to check his computer because it was slow. He also opens and runs every single email attachment, even though I tell him not to. So I checked it: it took a lot of time to boot at the "Starting Windows" screen, and it was nearly unusable since memory usage was around 90-99% because there were around 60-80 Java processes showing up in the Task Manager, each process using between a few KB and some MB of memory. I booted up in safe mode. There were no Java processes and it ran at the normal speed; I downloaded Malwarebytes Chameleon and tried to run it, but it didn't start. Clicking the help file opened a blank page. I tried to run the Chameleon programs manually (their webpage said to) from the Program Files folder and not the downloaded one.

 

Anyway, I tried to run it; MBAM tried to update (it was also horribly out of date) and it was blocked with an "Access Denied". The task killer in Chameleon also killed some tasks. The tasks had random-character names, except for one, "Distromatic Updater", which Googling tells me is some sort of malware. The killer was also blocked later. The MBAM update needed an install, since it was too old. During the install, the Chameleon files were blocked (Access Denied). I clicked to retry that file and the same thing happened. Only after some retries did the installer go on to the next file, which was also blocked, and the same thing happened with retrying. It got to a point where it just stopped, no matter how much I spammed retry.

 

I also ran TDSSKiller, but nothing showed up.

 

That is the limit of my abilities and I don't know what else to do. Here is the FRST log:

 

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 08-08-2016
Ran by Nelson Villalobos (administrator) on N_VILLALOBOS (08-08-2016 14:32:24)
Running from C:\Users\Nelson Villalobos\Downloads
Loaded Profiles: Nelson Villalobos (Available Profiles: Nelson Villalobos)
Platform: Windows 7 Professional Service Pack 1 (X64) Language: Español (España, internacional)
Internet Explorer Version 11 (Default browser: FF)
Boot Mode: Safe Mode (with Networking)
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(Mozilla Corporation) C:\Program Files (x86)\Mozilla Firefox\firefox.exe
(Adobe Systems, Inc.) C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_22_0_0_209.exe
(Adobe Systems, Inc.) C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_22_0_0_209.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe


==================== Registry (Whitelisted) ===========================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [GwxControlPanelMonitor] => C:\Program Files (x86)\UltimateOutsider\GWX Control Panel\GWX_control_panel.exe [4596296 2016-04-02] (UltimateOutsider)
HKLM-x32\...\Run: [AvastUI.exe] => C:\Program Files\AVAST Software\Avast\AvastUI.exe [8900328 2016-08-08] (AVAST Software)
HKLM-x32\...\Run: [SunJavaUpdateSched] => C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe [596504 2016-04-01] (Oracle Corporation)
HKU\S-1-5-21-1835442443-2831113296-2720391022-1000\...\Run: [Google Update] => C:\Users\Nelson Villalobos\AppData\Local\Google\Update\GoogleUpdate.exe [144200 2015-08-31] (Google Inc.)
HKU\S-1-5-21-1835442443-2831113296-2720391022-1000\...\Run: [EPSON Stylus CX3900 Series] => C:\Windows\system32\spool\DRIVERS\x64\3\E_IATIBEP.EXE [213504 2007-10-09] (SEIKO EPSON CORPORATION)
ShellIconOverlayIdentifiers: [00avast] -> {472083B0-C522-11CF-8763-00608CC02F24} => C:\Program Files\AVAST Software\Avast\ashShA64.dll [2016-06-30] (AVAST Software)
ShellIconOverlayIdentifiers: [DropboxExt1] -> {FB314ED9-A251-47B7-93E1-CDD82E34AF8B} =>  No File
ShellIconOverlayIdentifiers: [DropboxExt2] -> {FB314EDA-A251-47B7-93E1-CDD82E34AF8B} =>  No File
ShellIconOverlayIdentifiers: [DropboxExt3] -> {FB314EDB-A251-47B7-93E1-CDD82E34AF8B} =>  No File
ShellIconOverlayIdentifiers: [DropboxExt4] -> {FB314EDC-A251-47B7-93E1-CDD82E34AF8B} =>  No File
ShellIconOverlayIdentifiers: [GDriveSharedOverlay] -> {81539FE6-33C7-4CE7-90C7-1C7B8F2F2D44} =>  No File
CHR HKLM\SOFTWARE\Policies\Google: Restriction <======= ATTENTION

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

Tcpip\Parameters: [DhcpNameServer] 200.30.192.15 190.160.0.13 200.83.1.4
Tcpip\..\Interfaces\{0CC43CF0-48E7-4264-9A7B-B5A227BD6913}: [DhcpNameServer] 200.30.192.15 190.160.0.13 200.83.1.4

Internet Explorer:
==================
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Search_URL = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Local Page =
HKU\S-1-5-21-1835442443-2831113296-2720391022-1000\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKU\S-1-5-21-1835442443-2831113296-2720391022-1000\Software\Microsoft\Internet Explorer\Main,Start Page = hxxps://www.amazon.com/gp/bit/amazonserp/ref=bit_bds-p17_serp_ie_us_display?ie=UTF8&tagbase=bds-p17&tbrId=v1_abb-channel-17_4666ebe6_1201_1403_20160401_CL_ie_sp_
SearchScopes: HKU\S-1-5-21-1835442443-2831113296-2720391022-1000 -> {8D47969E-5C9C-4A2E-B93A-6C99EEBF685D} URL = hxxps://cl.search.yahoo.com/search?p={searchTerms}&fr=yset_ie_syc_oracle&type=orcl_default
SearchScopes: HKU\S-1-5-21-1835442443-2831113296-2720391022-1000 -> {B3B3A6AC-74EC-BD56-BCDB-EFA4799FB9DF} URL = hxxps://www.amazon.com/gp/bit/amazonserp/ref=bit_bds-p17_serp_ie_us_display?ie=UTF8&tagbase=bds-p17&tbrId=v1_abb-channel-17_4666ebe6_1201_1403_20160401_CL_ie_ds_&tag=bds-p17-serp-us-ie-20&query={searchTerms}
BHO: avast! Online Security -> {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} -> C:\Program Files\AVAST Software\Avast\aswWebRepIE64.dll [2016-06-30] (AVAST Software)
BHO-x32: Groove GFS Browser Helper -> {72853161-30C5-4D22-B7F9-0BBC1D38A37E} -> C:\Program Files (x86)\Microsoft Office\Office12\GrooveShellExtensions.dll [2009-02-26] (Microsoft Corporation)
BHO-x32: Java™ Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files (x86)\Java\jre1.8.0_91\bin\ssv.dll [2016-05-02] (Oracle Corporation)
BHO-x32: avast! Online Security -> {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} -> C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll [2016-06-30] (AVAST Software)
BHO-x32: Java™ Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files (x86)\Java\jre1.8.0_91\bin\jp2ssv.dll [2016-05-02] (Oracle Corporation)
BHO-x32: EpsonToolBandKicker Class -> {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} -> C:\Program Files (x86)\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll [2005-02-21] (SEIKO EPSON CORPORATION)
Toolbar: HKLM - avast! Online Security - {318A227B-5E9F-45bd-8999-7F8F10CA4CF5} -  No File
Toolbar: HKLM - No Name - {CC1A175A-E45B-41ED-A30C-C9B1D7A0C02F} -  No File
Toolbar: HKLM-x32 - EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files (x86)\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll [2005-02-21] (SEIKO EPSON CORPORATION)

FireFox:
========
FF ProfilePath: C:\Users\Nelson Villalobos\AppData\Roaming\Mozilla\Firefox\Profiles\4ojishpt.default-1453560502819
FF NewTab: hxxps://www.amazon.com/gp/bit/amazonserp/ref=bit_bds-p17_serp_ff_us_display?ie=UTF8&tagbase=bds-p17&tbrId=v1_abb-channel-17_4666ebe6_1201_1403_20160401_CL_ff_nt_
FF SearchEngineOrder.1: Amazon
FF Homepage: hxxps://www.google.cl/
FF Plugin: @adobe.com/FlashPlayer -> C:\Windows\system32\Macromed\Flash\NPSWF64_22_0_0_209.dll [2016-07-13] ()
FF Plugin: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin-x32: @adobe.com/FlashPlayer -> C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_22_0_0_209.dll [2016-07-13] ()
FF Plugin-x32: @adobe.com/ShockwavePlayer -> C:\Windows\SysWOW64\Adobe\Director\np32dsw_1224194.dll [2016-02-19] (Adobe Systems, Inc.)
FF Plugin-x32: @java.com/DTPlugin,version=11.91.2 -> C:\Program Files (x86)\Java\jre1.8.0_91\bin\dtplugin\npDeployJava1.dll [2016-05-02] (Oracle Corporation)
FF Plugin-x32: @java.com/JavaPlugin,version=11.91.2 -> C:\Program Files (x86)\Java\jre1.8.0_91\bin\plugin2\npjp2.dll [2016-05-02] (Oracle Corporation)
FF Plugin-x32: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.30.3\npGoogleUpdate3.dll [2016-05-11] (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.30.3\npGoogleUpdate3.dll [2016-05-11] (Google Inc.)
FF Plugin-x32: Adobe Reader -> C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AIR\nppdf32.dll [2016-06-30] (Adobe Systems Inc.)
FF Plugin HKU\S-1-5-21-1835442443-2831113296-2720391022-1000: @tools.google.com/Google Update;version=3 -> C:\Users\Nelson Villalobos\AppData\Local\Google\Update\1.3.30.3\npGoogleUpdate3.dll [2016-05-11] (Google Inc.)
FF Plugin HKU\S-1-5-21-1835442443-2831113296-2720391022-1000: @tools.google.com/Google Update;version=9 -> C:\Users\Nelson Villalobos\AppData\Local\Google\Update\1.3.30.3\npGoogleUpdate3.dll [2016-05-11] (Google Inc.)
FF Plugin ProgramFiles/Appdata: C:\Users\Nelson Villalobos\AppData\Roaming\mozilla\plugins\np-mswmp.dll [2009-09-25] (Microsoft Corporation)
FF Extension: Amazon Assistant for Firefox - C:\Users\Nelson Villalobos\AppData\Roaming\Mozilla\Firefox\Profiles\4ojishpt.default-1453560502819\Extensions\abb@amazon.com.xpi [2016-07-30]
FF Extension: Adblock Plus - C:\Users\Nelson Villalobos\AppData\Roaming\Mozilla\Firefox\Profiles\4ojishpt.default-1453560502819\Extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}.xpi [2016-08-08]
FF Extension: Nueva pestaña de Yahoo - C:\Program Files (x86)\Mozilla Firefox\browser\extensions\jid1-G80Ec8LLEbK5fQ@jetpack.xpi [2015-11-23] [not signed]
FF HKLM\...\Firefox\Extensions: [wrc@avast.com] - C:\Program Files\AVAST Software\Avast\WebRep\FF
FF Extension: Avast Online Security - C:\Program Files\AVAST Software\Avast\WebRep\FF [2016-08-08]
FF HKLM\...\Firefox\Extensions: [sp@avast.com] - C:\Program Files\AVAST Software\Avast\SafePrice\FF
FF Extension: Avast SafePrice - C:\Program Files\AVAST Software\Avast\SafePrice\FF [2016-08-08]
FF HKLM-x32\...\Firefox\Extensions: [wrc@avast.com] - C:\Program Files\AVAST Software\Avast\WebRep\FF
FF HKLM-x32\...\Firefox\Extensions: [sp@avast.com] - C:\Program Files\AVAST Software\Avast\SafePrice\FF

Chrome:
=======
CHR HomePage: Profile 1 -> amazon.com/websearch/?ie=UTF8__PARAM__
CHR StartupUrls: Profile 1 -> "hxxp://google.cl/"
CHR DefaultSearchURL: Profile 1 -> hxxps://es.search.yahoo.com/search?p={searchTerms}&fr=yset_chr_syc_oracle&type=orcl_default
CHR DefaultSearchKeyword: Profile 1 -> Yahoo
CHR DefaultSuggestURL: Profile 1 -> hxxps://es.search.yahoo.com/sugg/ie?output=fxjson&command={searchTerms}&nResults=10
CHR Profile: C:\Users\Nelson Villalobos\AppData\Local\Google\Chrome\User Data\Profile 1
CHR Extension: (Google Docs) - C:\Users\Nelson Villalobos\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\aohghmighlieiainnegkcijnfilokake [2015-02-07]
CHR Extension: (Google Drive) - C:\Users\Nelson Villalobos\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\apdfllckaahabafndbhieahigkjlhalf [2015-10-28]
CHR Extension: (Rapport) - C:\Users\Nelson Villalobos\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\bbjllphbppobebmjpjcijfbakobcheof [2016-03-02]
CHR Extension: (YouTube) - C:\Users\Nelson Villalobos\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2015-10-28]
CHR Extension: (Adblock Plus) - C:\Users\Nelson Villalobos\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\cfhdojbkjhnklbpkdaibdccddilifddb [2016-06-29]
CHR Extension: (Búsqueda de Google) - C:\Users\Nelson Villalobos\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\coobgpohoikkiipiblmjeljniedjpjpf [2015-10-28]
CHR Extension: (Avast SafePrice) - C:\Users\Nelson Villalobos\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\eofcbnmajmjmplflapaojjnihcjkigck [2016-03-02]
CHR Extension: (Documentos de Google sin conexión) - C:\Users\Nelson Villalobos\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi [2016-03-16]
CHR Extension: (Google) - C:\Users\Nelson Villalobos\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\hjjmkiafnfnlgmhmaoebklbaekdefpke [2016-03-11]
CHR Extension: (Disconnect) - C:\Users\Nelson Villalobos\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\jeoacafpbcihiomhlakheieifhpjdfeo [2016-03-02]
CHR Extension: (Sistema de pagos de Chrome Web Store) - C:\Users\Nelson Villalobos\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2016-04-02]
CHR Extension: (Amazon Assistant for Chrome) - C:\Users\Nelson Villalobos\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\pbjikboenpfhbbejgkoklgkhjpfogcam [2016-08-08]
CHR Extension: (Gmail) - C:\Users\Nelson Villalobos\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2015-04-15]
CHR Extension: (Chrome Media Router) - C:\Users\Nelson Villalobos\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm [2016-08-02]
CHR HKU\.DEFAULT\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [bbjllphbppobebmjpjcijfbakobcheof] - hxxps://clients2.google.com/service/update2/crx
CHR HKU\S-1-5-21-1835442443-2831113296-2720391022-1000\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [bbjllphbppobebmjpjcijfbakobcheof] - hxxps://clients2.google.com/service/update2/crx
CHR HKU\S-1-5-21-1835442443-2831113296-2720391022-1000\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [ooebgdicanjhnamfmdlmlbcnkgehkkmf] - hxxps://clients2.google.com/service/update2/crx
CHR HKU\S-1-5-21-1835442443-2831113296-2720391022-1000\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [pbjikboenpfhbbejgkoklgkhjpfogcam] - hxxps://clients2.google.com/service/update2/crx
CHR HKLM-x32\...\Chrome\Extension: [eedgghdcpmmmilkmfpnklknlenbiolec] - hxxps://clients2.google.com/service/update2/crx
CHR HKLM-x32\...\Chrome\Extension: [eofcbnmajmjmplflapaojjnihcjkigck] - C:\Program Files\AVAST Software\Avast\WebRep\Chrome\aswwebrepchrome-sp.crx [2014-08-04]
CHR HKLM-x32\...\Chrome\Extension: [npdicihegicnhaangkdmcgbjceoemeoo] - hxxps://clients2.google.com/service/update2/crx
StartMenuInternet: Google Chrome.LBKUINGYTXU6JMHMD7NT3HRBNI - C:\Users\Nelson Villalobos\AppData\Local\Google\Chrome\Application\chrome.exe

==================== Services (Whitelisted) ========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

S2 Amazon 1Button App Service; C:\Program Files (x86)\Amazon\Amazon1ButtonApp\Amazon1ButtonService64.Exe [436032 2016-02-17] (Amazon Inc.)
S2 AMD FUEL Service; C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe [365568 2011-03-09] (Advanced Micro Devices, Inc.) [File not signed]
S2 avast! Antivirus; C:\Program Files\AVAST Software\Avast\AvastSvc.exe [197128 2016-06-30] (AVAST Software)
S2 HitmanProScheduler; C:\Program Files\HitmanPro\hmpsched.exe [135496 2016-05-11] (SurfRight B.V.)
U2 MBAMService; C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe [1136608 2016-03-10] (Malwarebytes)
S2 RapportMgmtService; C:\Program Files (x86)\Trusteer\Rapport\bin\RapportMgmtService.exe [2383344 2016-07-11] (IBM Corp.)
S2 VIAKaraokeService; C:\Windows\system32\viakaraokesrv.exe [27760 2011-11-11] (VIA Technologies, Inc.)
R2 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [1011712 2013-05-27] (Microsoft Corporation)

===================== Drivers (Whitelisted) ==========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

S2 aswHwid; C:\Windows\system32\drivers\aswHwid.sys [37656 2016-06-30] (AVAST Software)
R1 aswKbd; C:\Windows\system32\drivers\aswKbd.sys [37144 2016-06-30] (AVAST Software)
S2 aswMonFlt; C:\Windows\system32\drivers\aswMonFlt.sys [108304 2016-06-30] (AVAST Software)
R1 aswRdr; C:\Windows\system32\drivers\aswRdr2.sys [103064 2016-06-30] (AVAST Software)
S0 aswRvrt; C:\Windows\System32\Drivers\aswRvrt.sys [74544 2016-06-30] (AVAST Software)
S1 aswSnx; C:\Windows\system32\drivers\aswSnx.sys [1070904 2016-06-30] (AVAST Software)
S1 aswSP; C:\Windows\system32\drivers\aswSP.sys [473592 2016-07-13] (AVAST Software)
S2 aswStm; C:\Windows\system32\drivers\aswStm.sys [162904 2016-06-30] (AVAST Software)
S0 aswVmm; C:\Windows\System32\Drivers\aswVmm.sys [292704 2016-08-08] (AVAST Software)
S3 ebdrv; C:\Windows\system32\DRIVERS\evbda.sys [3286016 2009-06-10] (Broadcom Corporation)
S3 hitmanpro37; C:\Windows\system32\drivers\hitmanpro37.sys [46960 2016-08-08] ()
U3 MBAMProtector; C:\Windows\system32\drivers\mbam.sys [27008 2016-03-10] (Malwarebytes)
R3 MTsensor; C:\Windows\System32\DRIVERS\ASACPI.sys [15416 2009-07-16] ()
S1 RapportCerberus_1609042; C:\ProgramData\Trusteer\Rapport\store\exts\RapportCerberus\baseline\RapportCerberus64_1609042.sys [1157960 2016-08-08] (IBM Corp.)
S1 RapportEI64; C:\Program Files (x86)\Trusteer\Rapport\bin\x64\RapportEI64.sys [544360 2016-07-11] (IBM Corp.)
S0 RapportHades64; C:\Windows\System32\Drivers\RapportHades64.sys [215560 2016-07-11] (IBM Corp.)
S0 RapportKE64; C:\Windows\System32\Drivers\RapportKE64.sys [470056 2016-07-11] (IBM Corp.)
S1 RapportPG64; C:\Program Files (x86)\Trusteer\Rapport\bin\x64\RapportPG64.sys [525992 2016-07-11] (IBM Corp.)
S3 SNPSTD3; C:\Windows\System32\DRIVERS\snpstd3.sys [10550272 2007-03-27] (Sonix Co. Ltd.)
S3 AODDriver4.0; \??\C:\Program Files\ATI Technologies\ATI.ACE\Fuel\amd64\AODDriver2.sys [X]
S1 eeCtrl; \??\C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\eeCtrl64.sys [X]

==================== NetSvcs (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)


==================== One Month Created files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2016-08-08 14:32 - 2016-08-08 14:32 - 02393600 _____ (Farbar) C:\Users\Nelson Villalobos\Downloads\FRST64.exe
2016-08-08 14:32 - 2016-08-08 14:32 - 00017087 _____ C:\Users\Nelson Villalobos\Downloads\FRST.txt
2016-08-08 14:32 - 2016-08-08 14:32 - 00000000 ____D C:\FRST
2016-08-08 14:21 - 2016-08-08 14:22 - 00200666 _____ C:\TDSSKiller.3.1.0.11_08.08.2016_14.21.08_log.txt
2016-08-08 13:58 - 2016-08-08 13:58 - 06705178 _____ C:\Users\Nelson Villalobos\Desktop\abc.zip
2016-08-08 13:09 - 2016-08-08 13:53 - 00000000 ____D C:\Program Files (x86)\Mozilla Firefox
2016-08-08 13:01 - 2016-08-08 13:01 - 00046960 _____ C:\Windows\system32\Drivers\hitmanpro37.sys
2016-08-08 11:59 - 2016-08-08 11:59 - 00000000 ____D C:\Users\Nelson Villalobos\AppData\Local\ElevatedDiagnostics
2016-08-08 11:44 - 2016-08-08 11:44 - 07065600 _____ C:\Program Files (x86)\GUTC986.tmp
2016-08-08 11:44 - 2016-08-08 11:44 - 00000000 ____D C:\Program Files (x86)\GUMC966.tmp
2016-08-08 11:43 - 2016-06-30 10:40 - 00390984 _____ (AVAST Software) C:\Windows\system32\aswBoot.exe
2016-08-08 06:34 - 2016-08-08 06:34 - 00000000 ___SD C:\Windows\SysWOW64\GWX
2016-08-08 06:27 - 2016-08-08 06:27 - 00000000 ___SD C:\Windows\system32\GWX
2016-08-07 22:28 - 2016-08-07 22:28 - 00022183 _____ C:\Users\Nelson Villalobos\Downloads\CertificadoAfpHabitat (2).pdf
2016-08-07 22:28 - 2016-08-07 22:28 - 00010381 _____ C:\Users\Nelson Villalobos\Downloads\comprobante (3).pdf
2016-08-07 22:27 - 2016-08-07 22:27 - 00022183 _____ C:\Users\Nelson Villalobos\Downloads\CertificadoAfpHabitat (1).pdf
2016-08-07 22:24 - 2016-08-07 22:24 - 00047361 _____ C:\Users\Nelson Villalobos\Downloads\comprobante (2).pdf
2016-08-07 22:24 - 2016-08-07 22:24 - 00047361 _____ C:\Users\Nelson Villalobos\Downloads\comprobante (1).pdf
2016-08-02 22:05 - 2016-08-02 22:05 - 01532416 _____ C:\Users\Nelson Villalobos\Downloads\COMPUTADOR O COMPUTADORA.pps
2016-08-02 22:00 - 2016-08-02 22:00 - 00653824 _____ C:\Users\Nelson Villalobos\Downloads\la-mentira-descubierta.pps
2016-08-01 13:17 - 2016-08-01 13:17 - 05854720 _____ C:\Users\Nelson Villalobos\Downloads\Un paseo por el mundo-19.pps
2016-08-01 13:03 - 2016-08-01 13:03 - 06528000 _____ C:\Users\Nelson Villalobos\Downloads\Australia_-_Grande_Barriera_Corallina.PPS
2016-08-01 12:58 - 2016-08-01 12:58 - 10060288 _____ C:\Users\Nelson Villalobos\Downloads\Turismo no apto para cardiacos v (2).pps
2016-07-31 13:24 - 2016-07-31 13:24 - 00032185 _____ C:\Users\Nelson Villalobos\Documents\libreria linda en portugal.htm
2016-07-31 13:23 - 2016-07-31 13:23 - 00022658 _____ C:\Users\Nelson Villalobos\Documents\turismo no apto para cardiacos.htm
2016-07-30 18:32 - 2016-07-30 18:32 - 03996672 _____ C:\Users\Nelson Villalobos\Downloads\Predicciones_Cientu00EDficas Lauta (1).pps
2016-07-30 18:03 - 2016-07-30 18:03 - 04773376 _____ C:\Users\Nelson Villalobos\Downloads\jg Vieux_souvenirs_rares112 (1).pps
2016-07-30 17:54 - 2016-07-30 17:54 - 10060288 _____ C:\Users\Nelson Villalobos\Downloads\Turismo no apto para cardiacos v (1).pps
2016-07-30 17:51 - 2016-07-30 17:51 - 03419136 _____ C:\Users\Nelson Villalobos\Downloads\ninos-diferentes (1).pps
2016-07-30 17:28 - 2016-07-30 17:28 - 10060288 _____ C:\Users\Nelson Villalobos\Downloads\Turismo no apto para cardiacos v.pps
2016-07-30 17:22 - 2016-07-30 17:22 - 00028143 _____ C:\Users\Nelson Villalobos\Documents\shalom.htm
2016-07-30 17:18 - 2016-07-30 17:18 - 04186112 _____ C:\Users\Nelson Villalobos\Downloads\shalom-milespowerpoints.com (1).pps
2016-07-30 12:35 - 2016-07-30 12:35 - 04186112 _____ C:\Users\Nelson Villalobos\Downloads\shalom-milespowerpoints.com.pps
2016-07-30 12:27 - 2016-07-30 12:27 - 03419136 _____ C:\Users\Nelson Villalobos\Downloads\ninos-diferentes.pps
2016-07-24 12:54 - 2016-07-24 12:54 - 00469504 _____ C:\Users\Nelson Villalobos\Downloads\LA-LINAZA.pps
2016-07-24 12:53 - 2016-07-24 12:53 - 00024986 _____ C:\Users\Nelson Villalobos\Documents\año 1957 para recordar.htm
2016-07-24 12:48 - 2016-07-24 12:48 - 03395584 _____ C:\Users\Nelson Villalobos\Downloads\Solo Para Recordar....pps
2016-07-24 12:42 - 2016-07-24 12:42 - 07054848 _____ C:\Users\Nelson Villalobos\Downloads\ano_1957.pps
2016-07-24 12:37 - 2016-07-24 12:37 - 17134314 _____ C:\Users\Nelson Villalobos\Downloads\-APRENDER A DECIR NO-.ppsx
2016-07-22 13:23 - 2016-07-22 13:23 - 02897408 _____ C:\Users\Nelson Villalobos\Downloads\66-Conflictos Generacionales [cr] (1).pps
2016-07-22 13:21 - 2016-07-22 13:21 - 00025841 _____ C:\Users\Nelson Villalobos\Documents\La sonrisa.htm
2016-07-22 13:16 - 2016-07-22 13:16 - 09314117 _____ C:\Users\Nelson Villalobos\Downloads\La Sonrisa.ppsx
2016-07-20 21:53 - 2016-07-20 21:53 - 08850944 _____ C:\Users\Nelson Villalobos\Downloads\Emerita Augusta & DOM.pps
2016-07-20 21:36 - 2016-07-20 21:36 - 00102682 _____ C:\Users\Nelson Villalobos\Downloads\informe estrategia de inversión (2).pdf
2016-07-20 21:24 - 2016-07-20 21:24 - 06299648 _____ C:\Users\Nelson Villalobos\Downloads\paseoporSanPetersburgoPt.pps
2016-07-20 21:16 - 2016-07-20 21:16 - 06459904 _____ C:\Users\Nelson Villalobos\Downloads\El arte de Pablo Picasso-Sus mujeres.pps
2016-07-20 21:06 - 2016-07-20 21:06 - 04773376 _____ C:\Users\Nelson Villalobos\Downloads\jg Vieux_souvenirs_rares112.pps
2016-07-18 13:30 - 2016-07-18 13:30 - 10281647 _____ C:\Users\Nelson Villalobos\Downloads\Decálogo de La Vida.ppsx
2016-07-17 21:53 - 2016-07-17 21:53 - 05692928 _____ C:\Users\Nelson Villalobos\Downloads\PauvreSyrie.pps
2016-07-16 12:40 - 2016-07-16 12:40 - 07335936 _____ C:\Users\Nelson Villalobos\Downloads\Les_plus_beaux_biens_francais.pps
2016-07-16 12:34 - 2016-07-16 12:34 - 06092288 _____ C:\Users\Nelson Villalobos\Downloads\BENSON1.pps
2016-07-16 12:21 - 2016-07-16 12:21 - 04993024 _____ C:\Users\Nelson Villalobos\Downloads\Palacio_Schonbrunn_-_Austria.pps
2016-07-15 11:57 - 2016-07-15 11:57 - 00087264 _____ C:\Users\Nelson Villalobos\Downloads\000371124000002218770030269706000520160714161406432.pdf
2016-07-13 21:58 - 2016-07-14 11:58 - 19527360 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerInstaller.exe
2016-07-11 13:08 - 2016-07-11 13:08 - 02166642 _____ C:\Users\Nelson Villalobos\Downloads\Boleta_czyya9ymcb.pdf
2016-07-11 13:08 - 2016-07-11 13:08 - 02166642 _____ C:\Users\Nelson Villalobos\Downloads\Boleta_118y2j3udh.pdf
2016-07-11 13:06 - 2016-07-11 13:06 - 00005481 _____ C:\Users\Nelson Villalobos\Downloads\comprobante_pago.pdf

==================== One Month Modified files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2016-08-08 14:21 - 2015-09-05 13:46 - 00308504 _____ C:\Windows\ntbtlog.txt
2016-08-08 14:15 - 2014-11-15 19:32 - 00000000 ____D C:\Program Files (x86)\Malwarebytes Anti-Malware
2016-08-08 14:05 - 2014-11-15 19:32 - 00192216 _____ (Malwarebytes) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
2016-08-08 13:53 - 2012-07-23 20:04 - 00000000 ____D C:\Program Files (x86)\Mozilla Maintenance Service
2016-08-08 13:23 - 2012-08-11 17:33 - 00001158 _____ C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1835442443-2831113296-2720391022-1000UA.job
2016-08-08 13:06 - 2009-07-14 00:45 - 00026544 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2016-08-08 13:06 - 2009-07-14 00:45 - 00026544 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2016-08-08 13:05 - 2013-05-24 20:19 - 00001100 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2016-08-08 13:01 - 2013-05-24 20:19 - 00001096 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2016-08-08 13:00 - 2016-05-09 15:29 - 00004638 _____ C:\Windows\System32\Tasks\DistromaticSearchProtect-hourly
2016-08-08 13:00 - 2009-07-14 01:08 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2016-08-08 12:06 - 2014-09-04 21:56 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Trusteer Seguridad Terminal
2016-08-08 12:05 - 2015-12-22 17:23 - 00000000 ___RD C:\Program Files (x86)\Skype
2016-08-08 11:48 - 2014-02-06 19:37 - 00000000 ____D C:\ProgramData\Skype
2016-08-08 11:44 - 2016-03-23 14:52 - 00003906 _____ C:\Windows\System32\Tasks\SafeZone scheduled Autoupdate 1458759152
2016-08-08 11:44 - 2015-04-10 20:22 - 00001882 _____ C:\Users\Public\Desktop\Avast Free Antivirus.lnk
2016-08-08 11:44 - 2013-03-15 21:41 - 00292704 _____ (AVAST Software) C:\Windows\system32\Drivers\aswvmm.sys
2016-08-08 11:43 - 2013-03-15 21:41 - 00292704 _____ (AVAST Software) C:\Windows\system32\Drivers\aswvmm.sys.147067104026607
2016-08-08 11:43 - 2012-07-23 19:59 - 00003922 _____ C:\Windows\System32\Tasks\avast! Emergency Update
2016-08-08 11:41 - 2012-07-21 12:42 - 00000000 ____D C:\Users\Nelson Villalobos
2016-08-08 06:23 - 2016-01-23 10:48 - 00000000 ____D C:\Users\Nelson Villalobos\Desktop\Datos antiguos de Firefox
2016-08-08 06:23 - 2015-12-03 14:18 - 00000000 ____D C:\Windows\System32\Tasks\AVAST Software
2016-08-08 06:23 - 2009-07-13 23:20 - 00000000 ____D C:\Windows\inf
2016-08-08 06:22 - 2016-04-01 12:59 - 00000000 ____D C:\Program Files (x86)\Amazon Browser Settings
2016-08-08 06:22 - 2014-10-26 20:36 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Java
2016-08-08 06:22 - 2014-10-26 20:36 - 00000000 ____D C:\Program Files (x86)\Java
2016-08-08 06:22 - 2014-02-06 19:37 - 00000000 ____D C:\Users\Nelson Villalobos\AppData\Roaming\Skype
2016-08-08 06:22 - 2013-12-29 21:26 - 00000000 ____D C:\Program Files (x86)\Combined Community Codec Pack
2016-08-08 06:22 - 2013-09-25 22:05 - 00000000 ____D C:\ProgramData\Oracle
2016-08-08 06:22 - 2009-07-13 23:20 - 00000000 ____D C:\Windows\registration
2016-07-29 11:49 - 2015-08-31 18:10 - 00000000 ____D C:\Users\Nelson Villalobos\.oracle_jre_usage
2016-07-14 22:06 - 2012-07-23 20:10 - 00000838 _____ C:\Windows\Tasks\Adobe Flash Player Updater.job
2016-07-14 11:58 - 2012-07-23 20:10 - 00796352 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2016-07-14 11:58 - 2012-07-23 20:10 - 00142528 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
2016-07-14 11:58 - 2012-07-23 20:10 - 00003776 _____ C:\Windows\System32\Tasks\Adobe Flash Player Updater
2016-07-13 22:20 - 2012-08-11 17:33 - 00001106 _____ C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1835442443-2831113296-2720391022-1000Core.job
2016-07-13 21:54 - 2012-07-23 19:59 - 00473592 _____ (AVAST Software) C:\Windows\system32\Drivers\aswSP.sys
2016-07-12 11:58 - 2012-07-23 20:10 - 00000000 ____D C:\Windows\SysWOW64\Macromed
2016-07-12 11:58 - 2012-07-23 20:10 - 00000000 ____D C:\Windows\system32\Macromed
2016-07-12 11:46 - 2014-12-23 11:46 - 00004476 _____ C:\Windows\System32\Tasks\Adobe Acrobat Update Task
2016-07-12 11:45 - 2015-07-01 11:15 - 00002441 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Acrobat Reader DC.lnk
2016-07-11 14:01 - 2015-06-09 21:39 - 00215560 _____ (IBM Corp.) C:\Windows\system32\Drivers\RapportHades64.sys
2016-07-11 14:01 - 2014-09-04 21:57 - 00470056 _____ (IBM Corp.) C:\Windows\system32\Drivers\RapportKE64.sys
2016-07-10 12:04 - 2009-07-13 23:20 - 00000000 ____D C:\Windows\rescache

==================== Files in the root of some directories =======

2016-08-08 11:44 - 2016-08-08 11:44 - 7065600 _____ () C:\Program Files (x86)\GUTC986.tmp
2014-01-07 15:40 - 2014-09-09 19:45 - 0008704 ___SH () C:\Users\Nelson Villalobos\AppData\Roaming\Thumbs.db
2012-08-01 22:57 - 2012-08-01 22:57 - 0033134 _____ () C:\Users\Nelson Villalobos\AppData\Roaming\UserTile.png
2013-12-30 08:19 - 2014-01-04 22:19 - 0000071 _____ () C:\Users\Nelson Villalobos\AppData\Roaming\WB.CFG
2013-01-23 22:13 - 2016-05-24 18:00 - 0007168 _____ () C:\Users\Nelson Villalobos\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
2015-09-05 13:36 - 2015-09-05 13:36 - 0007635 _____ () C:\Users\Nelson Villalobos\AppData\Local\Resmon.ResmonCfg

Some files in TEMP:
====================
C:\Users\Nelson Villalobos\AppData\Local\Temp\jre-8u66-windows-au.exe
C:\Users\Nelson Villalobos\AppData\Local\Temp\jre-8u71-windows-au.exe
C:\Users\Nelson Villalobos\AppData\Local\Temp\jre-8u74-windows-au.exe
C:\Users\Nelson Villalobos\AppData\Local\Temp\jre-8u77-windows-au.exe
C:\Users\Nelson Villalobos\AppData\Local\Temp\ytb.exe


==================== Bamital & volsnap =================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\system32\winlogon.exe => File is digitally signed
C:\Windows\system32\wininit.exe => File is digitally signed
C:\Windows\SysWOW64\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\system32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\system32\services.exe => File is digitally signed
C:\Windows\system32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\system32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\system32\rpcss.dll => File is digitally signed
C:\Windows\system32\dnsapi.dll => File is digitally signed
C:\Windows\SysWOW64\dnsapi.dll => File is digitally signed
C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed


LastRegBack: 2016-07-10 11:56
==================== End of FRST.txt ============================


Attached File: Addition.txt (36.4KB)


Edited by Account215, 08 August 2016 - 02:13 PM.




#2 HelpBot

HelpBot

    Bleepin' Binary Bot


  • Bots
  • 12,703 posts

Posted 13 August 2016 - 02:05 PM

Hello and welcome to Bleeping Computer!

I am HelpBot: an automated program designed to help the Bleeping Computer Staff better assist you! This message contains very important information, so please read through all of it before doing anything.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

To help Bleeping Computer better assist you please perform the following steps:

***************************************************

Step 1: In order to continue receiving help at BleepingComputer.com, YOU MUST tell me if you still need help or if your issue has already been resolved on your own or through another resource! To tell me this, please click on the following link and follow the instructions there.

CLICK THIS LINK >>> http://www.bleepingcomputer.com/logreply/622756 <<< CLICK THIS LINK



If you no longer need help, then all you needed to do was the previous instructions of telling me so. You can skip the rest of this post. If you do need help please continue with Step 2 below.

***************************************************

Step 2: If you still need help, I would like you to post a Reply to this topic (click the "Add Reply" button in the lower right hand of this page). In that reply, please include the following information:

  • If you have not done so already, include a clear description of the problems you're having, along with any steps you may have performed so far.
  • A new FRST log. For your convenience, you will find the instructions for generating these logs repeated at the bottom of this post.
    • Please do this even if you have previously posted logs for us.
    • If you were unable to produce the logs originally please try once more.
    • If you are unable to create a log please provide detailed information about your installed Windows Operating System including the Version, Edition and if it is a 32bit or a 64bit system.
    • If you are unsure about any of these characteristics just post what you can and we will guide you.
  • Please tell us if you have your original Windows CD/DVD available.
  • Upon completing the above steps and posting a reply, another staff member will review your topic and do their best to resolve your issues.

Thank you for your patience, and again sorry for the delay.

***************************************************

We need to see some information about what is happening in your machine. Please perform the following scan again:

  • Download FRST by Farbar from the following link if you no longer have it available and save it to your desktop.

    FRST Download Link

  • When you go to the above page, there will be 32-bit and 64-bit downloads available. Please click on the appropriate one for your version of Windows. If you are unsure as to whether your Windows is 32-bit or 64-bit, please see this tutorial.
  • Double click on the FRST icon and allow it to run.
  • Agree to the usage agreement and FRST will open. Do not make any changes and click on the Scan button.
  • Notepad will open with the results.
  • Post the new logs as explained in the prep guide.
  • Close the program window, and delete the program from your desktop.


As I am just a silly little program running on the BleepingComputer.com servers, please do not send me private messages as I do not know how to read and reply to them! Thanks!

#3 HelpBot

HelpBot

    Bleepin' Binary Bot


  • Bots
  • 12,703 posts

Posted 18 August 2016 - 02:10 PM

Hello again!

I haven't heard from you in 5 days. Therefore, I am going to assume that you no longer need our help, and close this topic.

If you do still need help, please send a Private Message to any Moderator within the next five days. Be sure to include a link to your topic in your Private Message.

Thank you for using Bleeping Computer, and have a great day!



