
Allowed Remote Control Access by an Unverified Source


5 replies to this topic

#1 yoitsmosh

  • Members
  • 34 posts
  • Gender: Male
  • Location: Georgia (Newberry)

Posted 30 August 2016 - 12:34 PM

This past Sunday (08.28) I allowed a technician remote control access to my computer. The technician identified himself as an MS engineer. I quickly realized that this was malware and severed internet access. Also, I suspect that I may have other malware as I've never gotten a clean scan log from MBAM.

Below is the Farbar scan and I've attached Addition.txt.

Thanks in advance for your help.

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 29-08-2016
Ran by Admin (administrator) on HPLAPTOP1 (30-08-2016 12:08:27)
Running from C:\Users\Admin\Desktop
Loaded Profiles: Admin (Available Profiles: Rich &  Janet & Admin & Guest1 & Guest)
Platform: Windows 7 Home Premium Service Pack 1 (X64) Language: English (United States)
Internet Explorer Version 11 (Default browser: IE)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(IDT, Inc.) C:\Windows\System32\DriverStore\FileRepository\stwrt64.inf_amd64_neutral_960c1f056a541068\stacsv64.exe
(Hewlett-Packard Company) C:\Windows\System32\hpservice.exe
(Andrea Electronics Corporation) C:\Windows\System32\DriverStore\FileRepository\stwrt64.inf_amd64_neutral_960c1f056a541068\AESTSr64.exe
(LSI Corporation) C:\Program Files\LSI SoftModem\agr64svc.exe
(Apple Inc.) C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
(Apple Inc.) C:\Program Files\Bonjour\mDNSResponder.exe
(Hewlett-Packard Company) C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe
(Symantec Corporation) C:\Program Files (x86)\Norton Security Suite\Engine\4.4.0.12\ccsvchst.exe
() C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe
(Microsoft Corp.) C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
(Microsoft Corp.) C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVCM.EXE
(Apple Inc.) C:\Program Files\iPod\bin\iPodService.exe
(Hewlett-Packard Development Company, L.P.) C:\Program Files (x86)\Hewlett-Packard\Shared\hpqWmiEx.exe
(Hewlett-Packard Development Company, L.P.) C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe
(Microsoft Corporation) C:\Windows\Microsoft.NET\Framework64\v3.0\WPF\PresentationFontCache.exe
(Hewlett-Packard) C:\Program Files (x86)\Hewlett-Packard\HP Health Check\HPHC_Service.exe
(Malwarebytes) C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe
(Hewlett-Packard) C:\Program Files (x86)\Hewlett-Packard\SDP\Ceement\HPCEE.exe
(Malwarebytes) C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe
(Alps Electric Co., Ltd.) C:\Program Files\Apoint2K\Apoint.exe
() C:\Program Files\Hewlett-Packard\HP MediaSmart\SmartMenu.exe
(Microsoft Corporation) C:\Program Files\Microsoft IntelliPoint\ipoint.exe
(IDT, Inc.) C:\Program Files\IDT\WDM\sttray64.exe
(Intel Corporation) C:\Windows\System32\igfxtray.exe
(Intel Corporation) C:\Windows\System32\hkcmd.exe
(Intel Corporation) C:\Windows\System32\igfxpers.exe
(Apple Inc.) C:\Program Files\iTunes\iTunesHelper.exe
(Hewlett-Packard Company) C:\Program Files (x86)\Common Files\LightScribe\LightScribeControlPanel.exe
(Sony Corporation) C:\Program Files (x86)\Sony\Sony Picture Utility\PMBCore\SPUVolumeWatcher.exe
( Hewlett-Packard Development Company, L.P.) C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe
(Hewlett-Packard) C:\Program Files (x86)\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
(CyberLink Corp.) C:\Program Files (x86)\CyberLink\PCM4Everio\EverioService.exe
(Nikon Corporation) C:\Program Files (x86)\Nikon\Nikon Message Center 2\NkMC2.exe
(Hewlett-Packard) C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe
(Microsoft Corporation) C:\Program Files\Microsoft IntelliPoint\dpupdchk.exe
(Symantec Corporation) C:\Program Files (x86)\Norton Security Suite\Engine\4.4.0.12\ccsvchst.exe
(Alps Electric Co., Ltd.) C:\Program Files\Apoint2K\ApMsgFwd.exe
(Alps Electric Co., Ltd.) C:\Program Files\Apoint2K\ApntEx.exe
() C:\Program Files (x86)\Hewlett-Packard\Shared\HpqToaster.exe
(CyberLink Corp.) C:\Program Files (x86)\Hewlett-Packard\Media\DVD\DVDAgent.exe
(CyberLink) C:\Program Files (x86)\Hewlett-Packard\TouchSmart\Media\Kernel\CLML\CLMLSvc.exe

==================== Registry (Whitelisted) ===========================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [Apoint] => C:\Program Files\Apoint2K\Apoint.exe [318464 2009-05-14] (Alps Electric Co., Ltd.)
HKLM\...\Run: [SmartMenu] => C:\Program Files\Hewlett-Packard\HP MediaSmart\SmartMenu.exe [610872 2009-07-21] ()
HKLM\...\Run: [IntelliPoint] => C:\Program Files\Microsoft IntelliPoint\ipoint.exe [2320752 2009-11-11] (Microsoft Corporation)
HKLM\...\Run: [SysTrayApp] => C:\Program Files\IDT\WDM\sttray64.exe [487424 2010-03-23] (IDT, Inc.)
HKLM\...\Run: [iTunesHelper] => C:\Program Files\iTunes\iTunesHelper.exe [169768 2015-04-07] (Apple Inc.)
HKLM-x32\...\Run: [HPCam_Menu] => c:\Program Files (x86)\Hewlett-Packard\Media\Webcam\MUITransfer\MUIStartMenu.exe [218408 2009-02-25] (CyberLink Corp.)
HKLM-x32\...\Run: [QlbCtrl.exe] => C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe [320056 2009-06-24] ( Hewlett-Packard Development Company, L.P.)
HKLM-x32\...\Run: [UpdatePRCShortCut] => C:\Program Files (x86)\Hewlett-Packard\Recovery\MUITransfer\MUIStartMenu.exe [222504 2009-05-20] (CyberLink Corp.)
HKLM-x32\...\Run: [WirelessAssistant] => C:\Program Files (x86)\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe [498744 2009-07-23] (Hewlett-Packard)
HKLM-x32\...\Run: [EverioService] => C:\Program Files (x86)\CyberLink\PCM4Everio\EverioService.exe [151552 2007-11-01] (CyberLink Corp.)
HKLM-x32\...\Run: [APSDaemon] => C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe [60712 2015-03-20] (Apple Inc.)
HKLM-x32\...\Run: [Nikon Message Center 2] => C:\Program Files (x86)\Nikon\Nikon Message Center 2\NkMC2.exe [571392 2011-10-30] (Nikon Corporation)
HKLM-x32\...\Run: [HP Software Update] => C:\Program Files (x86)\Hp\HP Software Update\HPWuSchd2.exe [49208 2011-10-28] (Hewlett-Packard)
Winlogon\Notify\igfxcui: C:\Windows\system32\igfxdev.dll (Intel Corporation)
HKU\S-1-5-21-2413278550-3837374015-2046980096-1001\...\Run: [LightScribe Control Panel] => C:\Program Files (x86)\Common Files\LightScribe\LightScribeControlPanel.exe [2363392 2009-06-17] (Hewlett-Packard Company)
HKU\S-1-5-21-2413278550-3837374015-2046980096-1001\...\Policies\system: [WallpaperStyle] 2
HKU\S-1-5-18\...\RunOnce: [SPReview] => C:\Windows\System32\SPReview\SPReview.exe [301568 2012-07-14] (Microsoft Corporation)
HKU\S-1-5-18\...\Policies\system: [WallpaperStyle] 2
ShellIconOverlayIdentifiers: [OverlayExcluded] -> {4433A54A-1AC8-432F-90FC-85F045CF383C} => C:\Program Files (x86)\Norton Security Suite\Engine64\4.4.0.12\buShell.dll [2010-03-18] (Symantec Corporation)
ShellIconOverlayIdentifiers: [OverlayPending] -> {F17C0B1E-EF8E-4AD4-8E1B-7D7E8CB23225} => C:\Program Files (x86)\Norton Security Suite\Engine64\4.4.0.12\buShell.dll [2010-03-18] (Symantec Corporation)
ShellIconOverlayIdentifiers: [OverlayProtected] -> {476D0EA3-80F9-48B5-B70B-05E677C9C148} => C:\Program Files (x86)\Norton Security Suite\Engine64\4.4.0.12\buShell.dll [2010-03-18] (Symantec Corporation)
Startup: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Monitor Ink Alerts - HP Photosmart 6510 series (Network).lnk [2013-12-07]
ShortcutTarget: Monitor Ink Alerts - HP Photosmart 6510 series (Network).lnk -> C:\Program Files\HP\HP Photosmart 6510 series\bin\HPStatusBL.dll (No File)
Startup: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PMB Media Check Tool.lnk [2009-12-12]
ShortcutTarget: PMB Media Check Tool.lnk -> C:\Program Files (x86)\Sony\Sony Picture Utility\PMBCore\SPUVolumeWatcher.exe (Sony Corporation)

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

Tcpip\..\Interfaces\{067647EF-C98F-4745-851D-EFAD1ABC82E9}: [DhcpNameServer] 172.20.10.1
Tcpip\..\Interfaces\{AF82CA5A-019D-4BE5-A09C-6604DC276402}: [DhcpNameServer] 75.75.75.75 75.75.76.76
Tcpip\..\Interfaces\{BEF3B72A-690F-4DEC-9FE1-21E83CC23E7A}: [DhcpNameServer] 75.75.75.75 75.75.76.76

Internet Explorer:
==================
HKU\S-1-5-21-2413278550-3837374015-2046980096-1001\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.comcast.net/
HKU\S-1-5-21-2413278550-3837374015-2046980096-1001\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_US&c=94&bd=Pavilion&pf=cnnb
SearchScopes: HKLM -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKLM -> {3EF4DC3F-0F8E-4CAC-B1B3-13EECC1A005C} URL = hxxp://www.ask.com/web?q={searchterms}&l=dis&o=ushpl
SearchScopes: HKLM -> {CE2F2F60-9349-47F5-908A-1D25D0204B94} URL = hxxp://www.bing.com/search?q={searchTerms}&FORM=HPNTDF&pc=HPNTDF&src=IE-SearchBox
SearchScopes: HKLM-x32 -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKLM-x32 -> {3EF4DC3F-0F8E-4CAC-B1B3-13EECC1A005C} URL = hxxp://www.ask.com/web?q={searchterms}&l=dis&o=ushpl
SearchScopes: HKLM-x32 -> {AFBCB7E0-F91A-4951-9F31-58FEE57A25C4} URL = hxxp://www.ask.com/web?&o=101881&l=dis&q={SEARCHTERMS}
SearchScopes: HKLM-x32 -> {CE2F2F60-9349-47F5-908A-1D25D0204B94} URL = hxxp://www.bing.com/search?q={searchTerms}&FORM=HPNTDF&pc=HPNTDF&src=IE-SearchBox
SearchScopes: HKU\.DEFAULT -> {AFBCB7E0-F91A-4951-9F31-58FEE57A25C4} URL = hxxp://www.ask.com/web?&o=101881&l=dis&q={SEARCHTERMS}
SearchScopes: HKU\S-1-5-19 -> {AFBCB7E0-F91A-4951-9F31-58FEE57A25C4} URL = hxxp://www.ask.com/web?&o=101881&l=dis&q={SEARCHTERMS}
SearchScopes: HKU\S-1-5-20 -> {AFBCB7E0-F91A-4951-9F31-58FEE57A25C4} URL = hxxp://www.ask.com/web?&o=101881&l=dis&q={SEARCHTERMS}
SearchScopes: HKU\S-1-5-21-2413278550-3837374015-2046980096-1001 -> {3EF4DC3F-0F8E-4CAC-B1B3-13EECC1A005C} URL =
SearchScopes: HKU\S-1-5-21-2413278550-3837374015-2046980096-1001 -> {AFBCB7E0-F91A-4951-9F31-58FEE57A25C4} URL = hxxp://www.ask.com/web?q={SEARCHTERMS}&o=15527&l=dis&prt=NSS&chn=retail&geo=US&ver=4
BHO: Windows Live ID Sign-in Helper -> {9030D464-4C02-4ABF-8ECC-5164760863C6} -> C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll [2011-03-28] (Microsoft Corp.)
BHO: Google Toolbar Helper -> {AA58ED58-01DD-4d91-8333-CF10577473F7} -> C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll [2016-05-07] (Google Inc.)
BHO-x32: Symantec NCO BHO -> {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} -> C:\Program Files (x86)\Norton Security Suite\Engine\4.4.0.12\coIEPlg.dll [2011-07-13] (Symantec Corporation)
BHO-x32: Symantec Intrusion Prevention -> {6D53EC84-6AAE-4787-AEEE-F4628F01010C} -> C:\Program Files (x86)\Norton Security Suite\Engine\4.4.0.12\IPSBHO.DLL [2009-11-16] (Symantec Corporation)
BHO-x32: Windows Live ID Sign-in Helper -> {9030D464-4C02-4ABF-8ECC-5164760863C6} -> C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll [2011-03-28] (Microsoft Corp.)
BHO-x32: Google Toolbar Helper -> {AA58ED58-01DD-4d91-8333-CF10577473F7} -> C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll [2016-05-07] (Google Inc.)
Toolbar: HKLM - Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll [2016-05-07] (Google Inc.)
Toolbar: HKLM-x32 - Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files (x86)\Norton Security Suite\Engine\4.4.0.12\coIEPlg.dll [2011-07-13] (Symantec Corporation)
Toolbar: HKLM-x32 - Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll [2016-05-07] (Google Inc.)
Toolbar: HKU\S-1-5-21-2413278550-3837374015-2046980096-1001 -> No Name - {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} -  No File
Toolbar: HKU\S-1-5-21-2413278550-3837374015-2046980096-1001 -> No Name - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} -  No File
Toolbar: HKU\S-1-5-21-2413278550-3837374015-2046980096-1001 -> No Name - {D4027C7F-154A-4066-A1AD-4243D8127440} -  No File
Toolbar: HKU\S-1-5-21-2413278550-3837374015-2046980096-1001 -> Google Toolbar - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll [2016-05-07] (Google Inc.)
Toolbar: HKU\S-1-5-21-2413278550-3837374015-2046980096-1001 -> No Name - {98279C38-DE4B-4BCF-93C9-8EC26069D6F4} -  No File
DPF: HKLM-x32 {8100D56A-5661-482C-BEE8-AFECE305D968} hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: HKLM-x32 {BEA7310D-06C4-4339-A784-DC3804819809} hxxp://images3.pnimedia.com/ProductAssets/costcous/activex/v3_0_0_7/PhotoCenter_ActiveX_Control.cab
DPF: HKLM-x32 {C7DEDA04-2FFF-4B81-AE66-0A0E0EF4AD2F} hxxp://www.ritzpix.com/net/Uploader/LPUploader57.cab
DPF: HKLM-x32 {F27237D7-93C8-44C2-AC6E-D6057B9A918F} hxxps://access.ceu.heidelberg.com/dana-cached/sc/JuniperSetupClient.cab

FireFox:
========
FF Plugin: @adobe.com/FlashPlayer -> C:\Windows\system32\Macromed\Flash\NPSWF64_22_0_0_209.dll [2016-07-16] ()
FF Plugin: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files\Microsoft Silverlight\5.1.50428.0\npctrl.dll [2016-04-27] ( Microsoft Corporation)
FF Plugin-x32: @adobe.com/FlashPlayer -> C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_22_0_0_209.dll [2016-07-16] ()
FF Plugin-x32: @Apple.com/iTunes,version=1.0 -> C:\Program Files (x86)\iTunes\Mozilla Plugins\npitunes.dll [2014-10-30] ()
FF Plugin-x32: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin-x32: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files (x86)\Microsoft Silverlight\5.1.50428.0\npctrl.dll [2016-04-27] ( Microsoft Corporation)
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.31.5\npGoogleUpdate3.dll [2016-07-28] (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.31.5\npGoogleUpdate3.dll [2016-07-28] (Google Inc.)
FF Plugin-x32: Adobe Reader -> C:\Program Files (x86)\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll [2015-06-29] (Adobe Systems Inc.)
FF HKLM-x32\...\Firefox\Extensions: [{BBDA0591-3099-440a-AA10-41764D9DB4DB}] - C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.0.0.127\IPSFFPlgn
FF Extension: (Norton IPS) - C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.0.0.127\IPSFFPlgn [2011-07-27] [not signed]
FF HKLM-x32\...\Firefox\Extensions: [{2D3F3651-74B9-4795-BDEC-6DA2F431CB62}] - C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.0.0.127\coFFPlgn_2010_9_0_6
FF Extension: (Norton Toolbar) - C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.0.0.127\coFFPlgn_2010_9_0_6 [2016-08-30] [not signed]
FF HKLM-x32\...\Firefox\Extensions: [quickprint@hp.com] - C:\Program Files (x86)\Hewlett-Packard\SmartPrint\QPExtension
FF Extension: (SmartPrintButton) - C:\Program Files (x86)\Hewlett-Packard\SmartPrint\QPExtension [2011-01-26] [not signed]

==================== Services (Whitelisted) ========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R2 AESTFilters; C:\Windows\System32\DriverStore\FileRepository\stwrt64.inf_amd64_neutral_960c1f056a541068\AESTSr64.exe [89600 2009-03-02] (Andrea Electronics Corporation)
R2 Apple Mobile Device Service; C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe [77128 2015-01-19] (Apple Inc.)
R2 HP Health Check Service; C:\Program Files (x86)\Hewlett-Packard\HP Health Check\hphc_service.exe [124928 2009-07-09] (Hewlett-Packard) [File not signed]
R2 LightScribeService; C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe [73728 2009-06-17] (Hewlett-Packard Company) [File not signed]
R2 MBAMService; C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe [1136608 2016-03-10] (Malwarebytes)
R2 N360; C:\Program Files (x86)\Norton Security Suite\Engine\4.4.0.12\ccSvcHst.exe [126400 2011-08-04] (Symantec Corporation)
R2 RichVideo; C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe [247152 2009-01-21] ()
R2 STacSV; C:\Windows\System32\DriverStore\FileRepository\stwrt64.inf_amd64_neutral_960c1f056a541068\STacSV64.exe [247808 2010-03-23] (IDT, Inc.)
S3 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [1011712 2013-05-27] (Microsoft Corporation)

===================== Drivers (Whitelisted) ==========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R1 BHDrvx64; C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.0.0.127\Definitions\BASHDefs\20160810.001\BHDrvx64.sys [1832176 2016-05-12] (Symantec Corporation)
R1 ccHP; C:\Windows\system32\drivers\N360x64\0404000.00C\ccHPx64.sys [593544 2011-08-04] (Symantec Corporation)
S3 ebdrv; C:\Windows\system32\DRIVERS\evbda.sys [3286016 2009-06-10] (Broadcom Corporation)
R1 eeCtrl; C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\eeCtrl64.sys [497392 2016-05-06] (Symantec Corporation)
R3 EraserUtilRebootDrv; C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [156912 2016-05-06] (Symantec Corporation)
R1 IDSVia64; C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.0.0.127\Definitions\IPSDefs\20160826.001\IDSvia64.sys [876760 2016-07-06] (Symantec Corporation)
R3 MBAMProtector; C:\Windows\system32\drivers\mbam.sys [27008 2016-03-10] (Malwarebytes)
R3 MBAMSwissArmy; C:\Windows\system32\drivers\MBAMSwissArmy.sys [192216 2016-08-30] (Malwarebytes)
S3 MBAMWebAccessControl; C:\Windows\system32\drivers\mwac.sys [64896 2016-03-10] (Malwarebytes Corporation)
R3 NAVENG; C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.0.0.127\Definitions\VirusDefs\20160828.002\ENG64.SYS [138456 2016-05-19] (Symantec Corporation)
R3 NAVEX15; C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.0.0.127\Definitions\VirusDefs\20160828.002\EX64.SYS [2148056 2016-05-19] (Symantec Corporation)
R3 SRTSP; C:\Windows\System32\Drivers\N360x64\0404000.00C\SRTSP64.SYS [505392 2010-04-21] (Symantec Corporation)
R1 SRTSPX; C:\Windows\system32\drivers\N360x64\0404000.00C\SRTSPX64.SYS [32304 2010-04-21] (Symantec Corporation)
R0 SymDS; C:\Windows\System32\drivers\N360x64\0404000.00C\SYMDS64.SYS [433200 2009-10-14] (Symantec Corporation)
R0 SymEFA; C:\Windows\System32\drivers\N360x64\0404000.00C\SYMEFA64.SYS [221304 2011-08-21] (Symantec Corporation)
R3 SymEvent; C:\Windows\system32\Drivers\SYMEVENT64x86.SYS [173104 2010-11-26] (Symantec Corporation)
R1 SymIRON; C:\Windows\system32\drivers\N360x64\0404000.00C\Ironx64.SYS [150064 2010-04-29] (Symantec Corporation)
R1 SYMTDIv; C:\Windows\System32\Drivers\N360x64\0404000.00C\SYMTDIV.SYS [451704 2011-08-21] (Symantec Corporation)

==================== NetSvcs (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

==================== One Month Created files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2016-08-30 12:08 - 2016-08-30 12:09 - 00019330 _____ C:\Users\Admin\Desktop\FRST.txt
2016-08-30 12:07 - 2016-08-30 12:08 - 00000000 ____D C:\FRST
2016-08-30 12:06 - 2016-08-30 12:03 - 02397696 _____ (Farbar) C:\Users\Admin\Desktop\FRST64.exe
2016-08-30 11:49 - 2016-08-30 11:49 - 00000000 ____D C:\Users\Rich &  Janet\AppData\Local\{E160EA0F-C354-46D9-947E-B5CF2ED67B3B}
2016-08-28 13:20 - 2016-08-28 13:20 - 00000000 ____D C:\Users\Rich &  Janet\AppData\Local\LogMeIn Rescue Applet
2016-08-28 11:47 - 2016-08-28 11:48 - 00000000 ____D C:\Users\Rich &  Janet\AppData\Local\{FCB9EE78-A9A8-473C-A0D4-05FD88620D2F}
2016-08-27 20:17 - 2016-08-27 20:17 - 00001845 _____ C:\Users\Public\Desktop\QuickTime Player.lnk
2016-08-27 20:17 - 2016-08-27 20:17 - 00000000 ____D C:\Windows\System32\Tasks\Apple
2016-08-27 20:17 - 2016-08-27 20:17 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\QuickTime
2016-08-27 20:17 - 2016-08-27 20:17 - 00000000 ____D C:\Program Files (x86)\QuickTime
2016-08-27 20:17 - 2016-08-27 20:17 - 00000000 ____D C:\Program Files (x86)\Apple Software Update
2016-08-27 15:16 - 2016-08-27 15:16 - 00000000 ____D C:\Users\Rich &  Janet\AppData\Local\{1757AC5F-7D46-4D3C-8E3C-92A2344727E0}
2016-08-22 01:44 - 2016-08-22 01:44 - 00000000 ____D C:\Users\Rich &  Janet\AppData\Local\{3D834044-914C-4449-8263-020987F577F6}
2016-08-21 10:10 - 2016-08-21 10:10 - 00000000 ____D C:\Users\Rich &  Janet\AppData\Local\{A3B29835-088B-4FE7-AA0F-C95DCDBBB0FE}
2016-08-20 12:08 - 2016-08-20 12:08 - 00000000 ____D C:\Users\Rich &  Janet\AppData\Local\{25E1F63D-0665-4826-BC2E-93610F828A5F}
2016-08-14 20:18 - 2016-08-14 20:18 - 00000000 ____D C:\Users\Rich &  Janet\AppData\Local\{DE052BA4-B316-445C-A72A-5DEB10E11484}
2016-08-14 08:18 - 2016-08-14 08:18 - 00000000 ____D C:\Users\Rich &  Janet\AppData\Local\{9D46194E-B71D-4BFF-B058-E7CB57DD0828}
2016-08-13 11:12 - 2016-08-13 11:12 - 00000000 ____D C:\Users\Rich &  Janet\AppData\Local\{F4BFB6B9-31A5-47B3-91F0-0299EC88942F}
2016-08-07 07:52 - 2016-08-07 07:52 - 00000000 ____D C:\Users\Rich &  Janet\AppData\Local\{E287D3BA-1166-4D0A-9300-958CA2DAFF25}
2016-08-06 22:52 - 2016-08-06 22:52 - 00075054 _____ C:\Users\Rich &  Janet\Desktop\2016-17_Year-at-a-Glance_Revised_ConferenceWeek.pdf
2016-08-06 22:51 - 2016-08-06 22:51 - 00073692 _____ C:\Users\Rich &  Janet\Desktop\2017-18_Year-at-a-Glance_Revised_EarlyRelease_20160303.pdf
2016-08-06 22:37 - 2016-08-06 22:39 - 00000000 ____D C:\Users\Rich &  Janet\Iphone Rich download date Aug 2016
2016-08-06 13:59 - 2016-08-06 14:02 - 00000000 ____D C:\Users\Rich &  Janet\AppData\Local\{93135F74-9C84-4479-A3EC-1F8F9445A731}
2016-08-01 19:07 - 2016-08-02 13:09 - 00000000 ____D C:\Users\Rich &  Janet\AppData\Local\{145B170A-FDC7-4196-8DF8-95C31FC6B013}
2016-08-01 01:26 - 2016-08-01 01:26 - 00000000 ____D C:\Users\Rich &  Janet\AppData\Local\{B7CABB0E-B3CA-4314-AB02-15C4FAE636BF}
2016-07-31 13:24 - 2016-07-31 13:24 - 00000000 ____D C:\Users\Rich &  Janet\AppData\Local\{3FCCAAA2-DFC3-4ED9-858D-2B4B7C5E7D2D}

==================== One Month Modified files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2016-08-30 12:08 - 2009-07-14 01:13 - 00794178 _____ C:\Windows\system32\PerfStringBackup.INI
2016-08-30 12:08 - 2009-07-13 23:20 - 00000000 ____D C:\Windows\inf
2016-08-30 12:02 - 2009-07-13 23:20 - 00000000 ____D C:\Windows\Help
2016-08-30 12:00 - 2011-02-06 19:50 - 00000894 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2016-08-30 11:59 - 2015-01-31 18:42 - 00192216 _____ (Malwarebytes) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
2016-08-30 11:54 - 2009-12-19 23:45 - 00000000 ____D C:\Users\Rich &  Janet\Tracing
2016-08-30 11:54 - 2009-11-28 17:41 - 00000189 _____ C:\ProgramData\HPWALog.txt
2016-08-30 11:46 - 2009-07-14 01:08 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2016-08-28 13:28 - 2012-08-12 09:38 - 00000830 _____ C:\Windows\Tasks\Adobe Flash Player Updater.job
2016-08-28 11:52 - 2009-07-14 00:45 - 00026192 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2016-08-28 11:52 - 2009-07-14 00:45 - 00026192 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2016-08-27 20:17 - 2010-02-12 16:20 - 00002519 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Apple Software Update.lnk
2016-08-27 13:24 - 2016-04-25 15:30 - 00000000 ____D C:\Users\Guest1\AppData\LocalLow\RbxLogs
2016-08-27 13:13 - 2016-04-25 15:31 - 00001354 _____ C:\Users\Guest1\Desktop\ROBLOX Player.lnk
2016-08-27 13:13 - 2016-04-25 15:30 - 00001173 _____ C:\Users\Guest1\Desktop\ROBLOX Studio.lnk
2016-08-27 13:13 - 2016-04-25 15:30 - 00000000 ____D C:\Users\Guest1\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Roblox
2016-08-21 11:03 - 2009-12-05 20:59 - 00000000 ____D C:\Users\Admin
2016-08-20 14:20 - 2009-11-28 17:32 - 00000000 ____D C:\Users\Rich &  Janet
2016-08-20 12:48 - 2012-09-23 09:55 - 00000000 ____D C:\Program Files\Common Files\Nikon
2016-08-20 12:35 - 2014-10-26 17:13 - 00000000 __SHD C:\Users\Admin\AppData\LocalLow\EmieUserList
2016-08-20 12:35 - 2014-10-26 16:13 - 00000000 __SHD C:\Users\Admin\AppData\LocalLow\EmieSiteList
2016-08-20 12:34 - 2009-07-14 01:32 - 00000000 ____D C:\Windows\Downloaded Program Files
2016-08-20 12:26 - 2010-02-12 16:16 - 00000000 __RSD C:\Users\Rich &  Janet\Documents\My Stationery
2016-08-19 20:34 - 2015-10-26 16:01 - 00001136 _____ C:\Users\Guest1\Desktop\nativelog.txt
2016-08-14 17:52 - 2011-05-12 20:07 - 00000000 ____D C:\Users\Rich &  Janet\AppData\Local\CrashDumps
2016-08-13 10:48 - 2012-12-02 17:27 - 00002195 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome.lnk

==================== Files in the root of some directories =======

2015-09-30 19:49 - 2015-09-30 19:49 - 6420480 _____ () C:\Program Files (x86)\GUT7C32.tmp
2010-05-14 18:01 - 2010-05-14 18:01 - 0002917 _____ () C:\Program Files (x86)\uninstal.log
2012-09-23 09:55 - 2012-09-23 09:55 - 0000268 ___RH () C:\Users\Admin\AppData\Roaming\Mail
2012-09-23 09:55 - 2012-09-23 09:55 - 0000268 ___RH () C:\Users\Admin\AppData\Roaming\MIDI Patch Names
2012-09-23 09:54 - 2014-10-26 16:27 - 0000000 _____ () C:\Users\Admin\AppData\Roaming\Organs
2009-12-05 21:00 - 2009-12-05 21:00 - 0000000 _____ () C:\Users\Admin\AppData\Local\AtStart.txt
2009-12-13 16:02 - 2009-12-13 16:02 - 0003584 _____ () C:\Users\Admin\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
2009-12-05 21:00 - 2009-12-05 21:00 - 0000000 _____ () C:\Users\Admin\AppData\Local\DSwitch.txt
2009-12-05 21:00 - 2009-12-05 21:00 - 0000000 _____ () C:\Users\Admin\AppData\Local\QSwitch.txt
2015-02-22 15:21 - 2015-02-22 15:21 - 0007599 _____ () C:\Users\Admin\AppData\Local\Resmon.ResmonCfg
2012-05-26 20:55 - 2012-05-26 20:55 - 0000057 _____ () C:\ProgramData\Ament.ini
2011-02-06 19:53 - 2011-02-06 19:53 - 0000056 ____H () C:\ProgramData\ezsidmv.dat
2009-11-28 17:41 - 2016-08-30 11:54 - 0000189 _____ () C:\ProgramData\HPWALog.txt
2014-10-26 16:27 - 2014-10-26 16:27 - 0000000 _____ () C:\ProgramData\Organic
2012-09-23 09:54 - 2014-10-26 16:27 - 0000000 ____H () C:\ProgramData\PKP_DLeo.DAT
2012-09-23 09:56 - 2014-10-26 16:26 - 0000000 ____H () C:\ProgramData\PKP_DLes.DAT
2012-09-23 09:55 - 2014-10-26 16:25 - 0000000 ____H () C:\ProgramData\PKP_DLet.DAT
2012-09-23 09:55 - 2014-10-26 16:25 - 0000000 ____H () C:\ProgramData\PKP_DLev.DAT
2009-10-19 13:50 - 2009-10-19 13:50 - 0000032 _____ () C:\ProgramData\{051B9612-4D82-42AC-8C63-CD2DCEDC1CB3}.log
2009-08-24 20:27 - 2009-08-24 20:27 - 0000109 _____ () C:\ProgramData\{1FBF6C24-C1FD-4101-A42B-0C564F9E8E79}.log
2009-10-19 13:49 - 2009-10-19 13:49 - 0000032 _____ () C:\ProgramData\{23F3DA62-2D9E-4A69-B8D5-BE8E9E148092}.log
2009-08-24 20:20 - 2009-08-24 20:22 - 0000105 _____ () C:\ProgramData\{40BF1E83-20EB-11D8-97C5-0009C5020658}.log
2009-10-19 13:49 - 2009-10-19 13:49 - 0000032 _____ () C:\ProgramData\{4FC670EB-5F02-4B07-90DB-022B86BFEFD0}.log
2009-10-19 13:50 - 2009-10-19 13:50 - 0000032 _____ () C:\ProgramData\{9867824A-C86D-4A83-8F3C-E7A86BE0AFD3}.log
2009-08-24 20:20 - 2009-08-24 20:20 - 0000107 _____ () C:\ProgramData\{C59C179C-668D-49A9-B6EA-0121CCFC1243}.log
2009-08-24 20:22 - 2009-08-24 20:27 - 0000110 _____ () C:\ProgramData\{CB099890-1D5F-11D5-9EA9-0050BAE317E1}.log
2009-10-19 13:50 - 2009-10-19 13:50 - 0000105 _____ () C:\ProgramData\{d36dd326-7280-11d8-97c8-000129760cbe}.log

==================== Bamital & volsnap =================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\system32\winlogon.exe => File is digitally signed
C:\Windows\system32\wininit.exe => File is digitally signed
C:\Windows\SysWOW64\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\system32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\system32\services.exe => File is digitally signed
C:\Windows\system32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\system32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\system32\rpcss.dll => File is digitally signed
C:\Windows\system32\dnsapi.dll => File is digitally signed
C:\Windows\SysWOW64\dnsapi.dll => File is digitally signed
C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed

LastRegBack: 2016-06-19 06:36

==================== End of FRST.txt ============================
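The "One Month Created files and folders" section of the log above is where a responder usually starts when asked how a caller got onto the machine: each line carries the creation time, the modification time, the size, an attribute field (a `D` marks a directory) and the path, so the entries can be filtered against the day of the call. The log records a `LogMeIn Rescue Applet` folder created on 2016-08-28, the day the poster says the session took place. The following Python parser is an added example, not code from the poster, from BleepingComputer or from the FRST tool; it uses a few lines copied from the log above as constructed sample input, and the `REMOTE_SUPPORT_MARKERS` list is an assumption limited to the one remote-support tool that actually appears in the log.

```python
import re
from datetime import date, datetime, timedelta

# Constructed sample input: lines copied from the "One Month Created files and
# folders" section of the FRST log posted above.
SAMPLE_LINES = r"""
2016-08-30 12:07 - 2016-08-30 12:08 - 00000000 ____D C:\FRST
2016-08-28 13:20 - 2016-08-28 13:20 - 00000000 ____D C:\Users\Rich &  Janet\AppData\Local\LogMeIn Rescue Applet
2016-08-28 11:47 - 2016-08-28 11:48 - 00000000 ____D C:\Users\Rich &  Janet\AppData\Local\{FCB9EE78-A9A8-473C-A0D4-05FD88620D2F}
2016-08-27 20:17 - 2016-08-27 20:17 - 00001845 _____ C:\Users\Public\Desktop\QuickTime Player.lnk
2016-08-22 01:44 - 2016-08-22 01:44 - 00000000 ____D C:\Users\Rich &  Janet\AppData\Local\{3D834044-914C-4449-8263-020987F577F6}
""".strip().splitlines()

# The day the poster says the remote session happened (from the first post).
INCIDENT_DATE = date(2016, 8, 28)

# One FRST file/folder line: "<created> - <modified> - <size> <attrs> [(<company>) ]<path>"
FRST_LINE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - "
    r"(?P<size>\d{7,8}) (?P<attrs>[_A-Z]{5}) "
    r"(?:\((?P<company>[^)]*)\) )?(?P<path>.+)$"
)

# Path substrings that identify remote-support software. Constructed list: only the
# tool that actually appears in the log above is included; extend it as needed.
REMOTE_SUPPORT_MARKERS = ("LogMeIn Rescue",)


def parse_frst_line(line):
    """Parse one FRST file/folder line into a dict, or return None if it is not one."""
    m = FRST_LINE.match(line.strip())
    if not m:
        return None
    fmt = "%Y-%m-%d %H:%M"
    return {
        "created": datetime.strptime(m["created"], fmt),
        "modified": datetime.strptime(m["modified"], fmt),
        "size": int(m["size"]),
        "is_dir": "D" in m["attrs"],
        "company": m["company"] or "",  # FRST prints "()" when there is no publisher
        "path": m["path"],
    }


def entries_in_window(lines, incident, days_after=1):
    """Return parsed entries created on the incident day or within days_after days of it."""
    end = incident + timedelta(days=days_after)
    hits = []
    for line in lines:
        entry = parse_frst_line(line)
        if entry and incident <= entry["created"].date() <= end:
            hits.append(entry)
    return hits


def remote_support_paths(entries):
    """Paths among the entries that name a known remote-support tool."""
    return [
        e["path"] for e in entries
        if any(marker.lower() in e["path"].lower() for marker in REMOTE_SUPPORT_MARKERS)
    ]


if __name__ == "__main__":
    window = entries_in_window(SAMPLE_LINES, INCIDENT_DATE)
    for e in window:
        kind = "dir " if e["is_dir"] else "file"
        print(f'{e["created"]:%Y-%m-%d %H:%M}  {kind}  {e["path"]}')
    for p in remote_support_paths(window):
        print("remote-support tool artefact:", p)
```

Run against the sample, the window around 2016-08-28 contains two entries, and one of them is the LogMeIn Rescue folder; the same functions can be pointed at a full FRST.txt by reading the file into `lines`. Creation times are what matter here, which is why the filter uses the first timestamp and ignores the modification column.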



#2 shelf life

  • Malware Response Team
  • 2,649 posts
  • Gender: Male
  • Location: @localhost

Posted 30 August 2016 - 03:41 PM

hi,

At a glance I don't see anything that looks out of place. Usually only online here once or twice per day so you may not get a reply back from me until the following day.

Can you post one of the scan logs from malwarebytes that you say isn't clean:

Should be able to get to a log file like this:

    open MBAM
    Click on the History tab > Application Logs.
    Double click on the scan log which shows the Date and time of the scan just performed.
    Click 'Copy to Clipboard'
    Paste the contents of the clipboard into your reply.


How Can I Reduce My Risk to Malware?


#3 yoitsmosh

  • Topic Starter
  • Members
  • 34 posts
  • Gender: Male
  • Location: Georgia (Newberry)

Posted 02 September 2016 - 07:23 PM

Hi shelf life,

My apologies for the late response, going forward I will be punctual.

I submitted this request on behalf of a friend who relies on me to maintain his home network and home computers. He called me for my opinion while he was on the phone with the person he allowed entry, when he became uncomfortable with the questions he was being asked and the scare technique being used to buy software to solve the issues they were purportedly finding. Since you have found no malware, now I'm even more curious as to the method that was used to allow an unknown party access to his computer. Is it possible that they used resources that were already available? I've checked and Windows Remote Assistance is turned off. I know that they use a source for internet coupons for which they have installed BHOs and/or software with other payload.

Below are the contents of the scan:

Malwarebytes Anti-Malware
www.malwarebytes.org

Scan Date: 6/4/2016
Scan Time: 6:37 PM
Logfile: log.txt
Administrator: Yes

Version: 2.2.1.1043
Malware Database: v2016.06.04.06
Rootkit Database: v2016.05.27.01
License: Trial
Malware Protection: Enabled
Malicious Website Protection: Enabled
Self-protection: Disabled

OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: Admin

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 449537
Time Elapsed: 1 hr, 38 min, 32 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Warn
PUM: Enabled

Processes: 0
(No malicious items detected)

Modules: 0
(No malicious items detected)

Registry Keys: 20
PUP.Optional.MindSpark, HKLM\SOFTWARE\WOW6432NODE\BringMeSports_1c, Quarantined, [dd191ddb0d8c45f1703bb7e05ea5649c],
PUP.Optional.MindSpark, HKLM\SOFTWARE\WOW6432NODE\CouponXplorer_5z, Quarantined, [ea0c0cec8316c0768c272c6bca39f010],
PUP.Optional.MindSpark, HKLM\SOFTWARE\WOW6432NODE\InternetSpeedTracker_9t, Quarantined, [6c8abc3ca8f155e1da09cccb1ee5d030],
PUP.Optional.MindSpark, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\INTERNET EXPLORER\LOW RIGHTS\ELEVATIONPOLICY\{01907012-88BD-4A1E-9E60-9F4D3E5FFC28}, Quarantined, [8175797f891074c2ffed60375ea5dd23],
PUP.Optional.MindSpark, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\INTERNET EXPLORER\LOW RIGHTS\ELEVATIONPOLICY\{131A1F72-5C50-43CF-BA3E-3AC75DF1188B}, Quarantined, [5e9828d075242016a349692e9c67a060],
PUP.Optional.MindSpark, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\INTERNET EXPLORER\LOW RIGHTS\ELEVATIONPOLICY\{1B4CF49B-8B69-4A90-8B51-D2088E1EC1BA}, Quarantined, [12e449afc1d8241220cc0691659e6898],
PUP.Optional.MindSpark, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\INTERNET EXPLORER\LOW RIGHTS\ELEVATIONPOLICY\{342C5CA1-0A51-476E-BEBB-923BDB3309B8}, Quarantined, [7680d127980179bd3eae65327c8706fa],
PUP.Optional.MindSpark, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\INTERNET EXPLORER\LOW RIGHTS\ELEVATIONPOLICY\{481DD1D9-2619-4136-BEAD-8766AE46542D}, Quarantined, [9d59b8402376c472f1fbe1b6a45ffe02],
PUP.Optional.MindSpark, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\INTERNET EXPLORER\LOW RIGHTS\ELEVATIONPOLICY\{499A1BF0-AFF3-48E8-9333-C4A4567AB59D}, Quarantined, [d91d17e12e6b5dd9e8048b0c8a79d32d],
PUP.Optional.MindSpark, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\INTERNET EXPLORER\LOW RIGHTS\ELEVATIONPOLICY\{63AD0951-229A-4F3B-9E96-B4891811A156}, Quarantined, [e214cd2bebae47ef13d93265a85b46ba],
PUP.Optional.MindSpark, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\INTERNET EXPLORER\LOW RIGHTS\ELEVATIONPOLICY\{81FDA3B2-1023-4131-8055-29CE1560C12A}, Quarantined, [3bbba7518b0e67cf49a3a5f22bd8619f],
PUP.Optional.MindSpark, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\INTERNET EXPLORER\LOW RIGHTS\ELEVATIONPOLICY\{968E8731-8549-4289-AD46-B9A9EAC1D302}, Quarantined, [01f5da1eb6e347ef727abadd5ea5bf41],
PUP.Optional.MindSpark, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\INTERNET EXPLORER\LOW RIGHTS\ELEVATIONPOLICY\{B0F55B80-947D-4BA0-AD42-3F3923A87ED9}, Quarantined, [6393fdfb2871221412dad1c68b788977],
PUP.Optional.MindSpark, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\INTERNET EXPLORER\LOW RIGHTS\ELEVATIONPOLICY\{D0584866-E0CD-41C8-93EC-5CD3E02E0F9D}, Quarantined, [46b0bd3bf8a1f244529ab7e0699a3bc5],
PUP.Optional.MindSpark, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\INTERNET EXPLORER\LOW RIGHTS\ELEVATIONPOLICY\{EAD4279D-844B-4E80-A125-BE6A16647F18}, Quarantined, [1ed851a74158c47212da99fe2fd4ca36],
PUP.Optional.ASK, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES\{8C9EF753-BEB6-4582-B653-93AC59274437}, Quarantined, [92647880495004322d61862430d3cb35],
PUP.Optional.MindSpark, HKU\S-1-5-21-2413278550-3837374015-2046980096-1001\SOFTWARE\BringMeSports_1c, Quarantined, [ed090fe96c2d3402ce4d9106cd36629e],
PUP.Optional.MindSpark, HKU\S-1-5-21-2413278550-3837374015-2046980096-1001\SOFTWARE\APPDATALOW\SOFTWARE\BringMeSports_1c, Quarantined, [da1cbe3aafeac076396efb9bec179a66],
PUP.Optional.ASK, HKU\S-1-5-21-2413278550-3837374015-2046980096-1001\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES\{8C9EF753-BEB6-4582-B653-93AC59274437}, Quarantined, [f5012fc95e3b043297f5bcee5fa4649c],
PUP.Optional.MindSpark, HKU\S-1-5-21-2413278550-3837374015-2046980096-501\SOFTWARE\APPDATALOW\SOFTWARE\BringMeSports_1c, Quarantined, [0ee8d8207326eb4b2483e0b615ee7987],

Registry Values: 17
PUP.Optional.MindSpark, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE|BringMeSports_1cbar Uninstall, rundll32 C:\PROGRA~2\1CUNIN~1.DLL,O -3 uninstalltype=IE, Quarantined, [a84e7d7b5544b77fbb065f1c57adfb05]
PUP.Optional.MindSpark, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\INTERNET EXPLORER\LOW RIGHTS\ELEVATIONPOLICY\{01907012-88bd-4a1e-9e60-9f4d3e5ffc28}|AppPath, C:\Program Files (x86)\InternetSpeedTracker_9t\bar\1.bin, Quarantined, [8175797f891074c2ffed60375ea5dd23]
PUP.Optional.MindSpark, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\INTERNET EXPLORER\LOW RIGHTS\ELEVATIONPOLICY\{131a1f72-5c50-43cf-ba3e-3ac75df1188b}|AppPath, C:\Program Files (x86)\CouponXplorer_5z\bar\1.bin, Quarantined, [5e9828d075242016a349692e9c67a060]
PUP.Optional.MindSpark, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\INTERNET EXPLORER\LOW RIGHTS\ELEVATIONPOLICY\{1b4cf49b-8b69-4a90-8b51-d2088e1ec1ba}|AppPath, C:\Program Files (x86)\CouponXplorer_5z\bar\1.bin, Quarantined, [12e449afc1d8241220cc0691659e6898]
PUP.Optional.MindSpark, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\INTERNET EXPLORER\LOW RIGHTS\ELEVATIONPOLICY\{342c5ca1-0a51-476e-bebb-923bdb3309b8}|AppPath, C:\Program Files (x86)\CouponXplorer_5z\bar\1.bin, Quarantined, [7680d127980179bd3eae65327c8706fa]
PUP.Optional.MindSpark, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\INTERNET EXPLORER\LOW RIGHTS\ELEVATIONPOLICY\{481dd1d9-2619-4136-bead-8766ae46542d}|AppPath, C:\Program Files (x86)\InternetSpeedTracker_9t\bar\1.bin, Quarantined, [9d59b8402376c472f1fbe1b6a45ffe02]
PUP.Optional.MindSpark, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\INTERNET EXPLORER\LOW RIGHTS\ELEVATIONPOLICY\{499a1bf0-aff3-48e8-9333-c4a4567ab59d}|AppPath, C:\Program Files (x86)\InternetSpeedTracker_9t\bar\1.bin, Quarantined, [d91d17e12e6b5dd9e8048b0c8a79d32d]
PUP.Optional.MindSpark, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\INTERNET EXPLORER\LOW RIGHTS\ELEVATIONPOLICY\{63ad0951-229a-4f3b-9e96-b4891811a156}|AppPath, C:\Program Files (x86)\InternetSpeedTracker_9t\bar\1.bin, Quarantined, [e214cd2bebae47ef13d93265a85b46ba]
PUP.Optional.MindSpark, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\INTERNET EXPLORER\LOW RIGHTS\ELEVATIONPOLICY\{81fda3b2-1023-4131-8055-29ce1560c12a}|AppPath, C:\Program Files (x86)\InternetSpeedTracker_9t\bar\1.bin, Quarantined, [3bbba7518b0e67cf49a3a5f22bd8619f]
PUP.Optional.MindSpark, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\INTERNET EXPLORER\LOW RIGHTS\ELEVATIONPOLICY\{968e8731-8549-4289-ad46-b9a9eac1d302}|AppPath, C:\Program Files (x86)\InternetSpeedTracker_9t\bar\1.bin, Quarantined, [01f5da1eb6e347ef727abadd5ea5bf41]
PUP.Optional.MindSpark, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\INTERNET EXPLORER\LOW RIGHTS\ELEVATIONPOLICY\{b0f55b80-947d-4ba0-ad42-3f3923a87ed9}|AppPath, C:\Program Files (x86)\CouponXplorer_5z\bar\1.bin, Quarantined, [6393fdfb2871221412dad1c68b788977]
PUP.Optional.MindSpark, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\INTERNET EXPLORER\LOW RIGHTS\ELEVATIONPOLICY\{d0584866-e0cd-41c8-93ec-5cd3e02e0f9d}|AppPath, C:\Program Files (x86)\CouponXplorer_5z\bar\1.bin, Quarantined, [46b0bd3bf8a1f244529ab7e0699a3bc5]
PUP.Optional.MindSpark, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\INTERNET EXPLORER\LOW RIGHTS\ELEVATIONPOLICY\{ead4279d-844b-4e80-a125-be6a16647f18}|AppPath, C:\Program Files (x86)\CouponXplorer_5z\bar\1.bin, Quarantined, [1ed851a74158c47212da99fe2fd4ca36]
PUP.Optional.ASK, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES\{8c9ef753-beb6-4582-b653-93ac59274437}|DisplayName, Ask Web Search, Quarantined, [92647880495004322d61862430d3cb35]
PUP.Optional.ASK, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES\{8c9ef753-beb6-4582-b653-93ac59274437}|URL, http://search.tb.ask.com/search/GGmain.jhtml?p2=^YL^man000^YYA^&ptb=C3E4F9B2-D71C-4011-8033-D1ACCBF9AFEE&psa=&ind=2015061315&st=sb&n=781b6543&searchfor={searchTerms}, Quarantined, [45b1f9ff663376c06528a703dd26b24e]
PUP.Optional.ASK, HKU\S-1-5-21-2413278550-3837374015-2046980096-1001\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES\{8c9ef753-beb6-4582-b653-93ac59274437}|DisplayName, Ask Web Search, Quarantined, [f5012fc95e3b043297f5bcee5fa4649c]
PUP.Optional.ASK, HKU\S-1-5-21-2413278550-3837374015-2046980096-1001\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES\{8c9ef753-beb6-4582-b653-93ac59274437}|URL, http://search.tb.ask.com/search/GGmain.jhtml?p2=^YL^man000^YYA^&ptb=C3E4F9B2-D71C-4011-8033-D1ACCBF9AFEE&psa=&ind=2015061315&st=sb&n=781b6543&searchfor={searchTerms}, Quarantined, [4ea840b8eeabf34305869c0e44bf7c84]

Registry Data: 0
(No malicious items detected)

Folders: 12
PUP.Optional.MindSpark, C:\Program Files (x86)\CouponXplorer_5z, Quarantined, [599dc236841537ffea87990c758da15f],
PUP.Optional.MindSpark, C:\Program Files (x86)\CouponXplorer_5z\bar, Quarantined, [599dc236841537ffea87990c758da15f],
PUP.Optional.MindSpark, C:\Program Files (x86)\CouponXplorer_5z\bar\assists, Quarantined, [599dc236841537ffea87990c758da15f],
PUP.Optional.MindSpark, C:\Program Files (x86)\CouponXplorer_5z\bar\gen1, Quarantined, [599dc236841537ffea87990c758da15f],
PUP.Optional.MindSpark, C:\Program Files (x86)\CouponXplorer_5z\bar\Message, Quarantined, [599dc236841537ffea87990c758da15f],
PUP.Optional.MindSpark, C:\Program Files (x86)\CouponXplorer_5z\bar\Settings, Quarantined, [599dc236841537ffea87990c758da15f],
PUP.Optional.MindSpark, C:\Program Files (x86)\InternetSpeedTracker_9t, Quarantined, [8571bc3cf9a061d50f95871e808201ff],
PUP.Optional.MindSpark, C:\Program Files (x86)\InternetSpeedTracker_9t\bar, Quarantined, [8571bc3cf9a061d50f95871e808201ff],
PUP.Optional.MindSpark, C:\Program Files (x86)\InternetSpeedTracker_9t\bar\assists, Quarantined, [8571bc3cf9a061d50f95871e808201ff],
PUP.Optional.MindSpark, C:\Program Files (x86)\InternetSpeedTracker_9t\bar\gen1, Quarantined, [8571bc3cf9a061d50f95871e808201ff],
PUP.Optional.MindSpark, C:\Program Files (x86)\InternetSpeedTracker_9t\bar\Message, Quarantined, [8571bc3cf9a061d50f95871e808201ff],
PUP.Optional.MindSpark, C:\Program Files (x86)\InternetSpeedTracker_9t\bar\Settings, Quarantined, [8571bc3cf9a061d50f95871e808201ff],

Files: 10
PUP.Optional.MindSpark, C:\Program Files (x86)\1cUninstall BringMeSports.dll, Quarantined, [a84e7d7b5544b77fbb065f1c57adfb05],
PUP.Optional.MindSpark, C:\Program Files (x86)\1cres.dll, Quarantined, [16e083756930bd79efd2f784ba4a956b],
PUP.Optional.MindSpark, C:\Program Files (x86)\CouponXplorer_5z\bar\assists\COMMON.T8S, Quarantined, [599dc236841537ffea87990c758da15f],
PUP.Optional.MindSpark, C:\Program Files (x86)\CouponXplorer_5z\bar\gen1\COMMON.T8S, Quarantined, [599dc236841537ffea87990c758da15f],
PUP.Optional.MindSpark, C:\Program Files (x86)\CouponXplorer_5z\bar\Message\COMMON.T8S, Quarantined, [599dc236841537ffea87990c758da15f],
PUP.Optional.MindSpark, C:\Program Files (x86)\CouponXplorer_5z\bar\Settings\s_pid.dat, Quarantined, [599dc236841537ffea87990c758da15f],
PUP.Optional.MindSpark, C:\Program Files (x86)\InternetSpeedTracker_9t\bar\assists\COMMON.T8S, Quarantined, [8571bc3cf9a061d50f95871e808201ff],
PUP.Optional.MindSpark, C:\Program Files (x86)\InternetSpeedTracker_9t\bar\gen1\COMMON.T8S, Quarantined, [8571bc3cf9a061d50f95871e808201ff],
PUP.Optional.MindSpark, C:\Program Files (x86)\InternetSpeedTracker_9t\bar\Message\COMMON.T8S, Quarantined, [8571bc3cf9a061d50f95871e808201ff],
PUP.Optional.MindSpark, C:\Program Files (x86)\InternetSpeedTracker_9t\bar\Settings\s_pid.dat, Quarantined, [8571bc3cf9a061d50f95871e808201ff],

Physical Sectors: 0
(No malicious items detected)

(end)
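The question in the post above, how a caller gets control of a PC when Windows Remote Assistance is switched off, is in practice usually answered by a one-shot remote-support client (a "quick support" executable) that the victim is talked into downloading and running, not by a Windows feature. The PowerShell audit below is added here as an example; it is not code from this thread, from BleepingComputer or from any tool mentioned in it. It first reads the registry values that control the built-in remote-control features, then looks for traces of third-party remote-support clients: installed products, services and Run entries, recently created executables in user folders, and Prefetch files (which record that a program ran even if it was deleted afterwards). The vendor-name pattern, the 30-day window and the folders searched are the reviewer's assumptions; adjust them to the case. It is written for the stock PowerShell 2.0 on Windows 7 and should be run from an elevated prompt.

```powershell
# Remote-access audit for a Windows 7 home PC after a "Microsoft engineer" call.
# Added example, not code from this thread. Run from an elevated PowerShell
# prompt (right-click PowerShell > Run as administrator).
# Assumptions: the tool-name pattern, the look-back window and the folders
# searched are the reviewer's choices, not facts taken from the thread.

# Remote-support products commonly pushed by phone scammers (assumed list).
$RemoteTools = 'TeamViewer|LogMeIn|AnyDesk|Supremo|Ammyy|ScreenConnect|ConnectWise|GoToAssist|UltraViewer|Zoho|Splashtop|VNC|ShowMyPC|RemotePC'
$Since = (Get-Date).AddDays(-30)   # assumed look-back window

function Get-RegValue([string]$Path, [string]$Name) {
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($item) { $item.$Name } else { $null }
}

# --- 1. Built-in remote control ----------------------------------------------
# fAllowToGetHelp = 1 means Remote Assistance invitations are allowed;
# fDenyTSConnections = 0 means Remote Desktop accepts connections.
$ra  = Get-RegValue 'HKLM:\SYSTEM\CurrentControlSet\Control\Remote Assistance' 'fAllowToGetHelp'
$rdp = Get-RegValue 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'   'fDenyTSConnections'
Write-Output ("Remote Assistance allowed : {0}" -f ($ra -eq 1))
Write-Output ("Remote Desktop enabled    : {0}" -f ($rdp -eq 0))

# --- 2. Installed remote-support products (64-bit, 32-bit and per-user views) --
$uninstall = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
)
Write-Output "`n[Installed remote-support software]"
Get-ItemProperty -Path $uninstall -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -match $RemoteTools } |
    Select-Object DisplayName, InstallDate, InstallLocation | Format-Table -AutoSize

# --- 3. Services and Run keys that point at such a product --------------------
Write-Output "`n[Services]"
Get-WmiObject Win32_Service |
    Where-Object { $_.PathName -match $RemoteTools } |
    Select-Object Name, State, StartMode, PathName | Format-Table -AutoSize

Write-Output "`n[Run / RunOnce entries]"
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
foreach ($key in $runKeys) {
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if (-not $props) { continue }
    # Skip PowerShell's own PS* metadata properties, keep real value names.
    $props.PSObject.Properties |
        Where-Object { $_.Name -notlike 'PS*' -and "$($_.Value)" -match $RemoteTools } |
        ForEach-Object { Write-Output ("{0} : {1} = {2}" -f $key, $_.Name, $_.Value) }
}

# --- 4. "Quick support" clients that never install ----------------------------
# One-shot support clients run straight from Downloads, the Desktop or Temp,
# so list every .exe created there inside the window, for every profile.
Write-Output "`n[Recently created executables in user folders]"
Get-ChildItem 'C:\Users' -ErrorAction SilentlyContinue |
    Where-Object { $_.PSIsContainer } |
    ForEach-Object {
        foreach ($sub in 'Downloads', 'Desktop', 'AppData\Local\Temp') {
            Get-ChildItem (Join-Path $_.FullName $sub) -Recurse -Include *.exe -ErrorAction SilentlyContinue |
                Where-Object { $_.CreationTime -gt $Since }
        }
    } | Select-Object CreationTime, Length, FullName | Sort-Object CreationTime | Format-Table -AutoSize

# --- 5. Prefetch: evidence that a tool ran, even if it was deleted afterwards --
Write-Output "`n[Prefetch entries for remote-support tools]"
Get-ChildItem 'C:\Windows\Prefetch' -Filter *.pf -ErrorAction SilentlyContinue |
    Where-Object { $_.Name -match $RemoteTools } |
    Select-Object LastWriteTime, Name | Format-Table -AutoSize
```

Empty sections are the expected result on a box that was never actually controlled. If section 4 or 5 turns up a support client created on the day of the call, the session did happen, and anything typed or shown during it (passwords, banking pages) should be treated as exposed regardless of what the malware scanners report.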



#4 shelf life

shelf life

  • Malware Response Team
  • 2,649 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:@localhost
  • Local time:04:45 PM

Posted 05 September 2016 - 07:42 AM

hi,

 

Sorry for the delay in replying. Maybe the scammer didn't get far enough to have remote access turned on. First they BS and try to gain your trust. Hopefully he disconnected by then.

Since MBAM found some PUPs, you can run AdwCleaner as a follow-up. It may drag something up.


Please download adwcleaner and save to your desktop.

    http://www.bleepingcomputer.com/download/adwcleaner/

    Right click AdwCleaner.exe and select "run as admin"
    Accept the disclaimer
    Click on the Scan button.
    Once the scan is done, Click the Clean button
    Press OK when asked to close all programs and follow the onscreen prompts.
    Press OK again to allow AdwCleaner to restart the computer and complete the removal process.
    After rebooting, a logfile report (AdwCleaner[S#].txt) will open automatically
    Copy and paste the contents of that logfile in your next reply.
    A copy of that logfile will also be saved in the C:\AdwCleaner folder




#5 yoitsmosh

yoitsmosh
  • Topic Starter

  • Members
  • 34 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Georgia (Newberry)
  • Local time:04:45 PM

Posted 13 September 2016 - 12:20 AM

Shelf Life,

 

Following are the contents of the AdwCleaner log file:

 

# AdwCleaner v6.010 - Logfile created 13/09/2016 at 00:26:09
# Updated on 12/08/2016 by ToolsLib
# Database : 2016-08-24.2 [Local]
# Operating System : Windows 7 Home Premium Service Pack 1 (X64)
# Username : Admin - HPLAPTOP1
# Running from : F:\AdwCleaner.exe
# Mode: Scan
# Support : https://toolslib.net/forum

 

***** [ Services ] *****

No malicious services found.

***** [ Folders ] *****

Folder Found:  C:\Users\Rich &  Janet\AppData\Local\iac
Folder Found:  C:\Users\Rich &  Janet\AppData\Local\IAC
Folder Found:  C:\Users\Rich &  Janet\AppData\LocalLow\HPAppData
Folder Found:  C:\Users\Rich &  Janet\AppData\LocalLow\iac
Folder Found:  C:\Users\Rich &  Janet\AppData\LocalLow\ShopAtHome
Folder Found:  C:\Users\Rich &  Janet\AppData\LocalLow\IAC
Folder Found:  C:\Users\Admin\AppData\LocalLow\HPAppData
Folder Found:  C:\Users\Admin\AppData\LocalLow\ShopAtHome
Folder Found:  C:\Users\Guest1\AppData\LocalLow\HPAppData
Folder Found:  C:\Users\Guest\AppData\LocalLow\HPAppData

***** [ Files ] *****

File Found:  C:\Users\Admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\Search_ask.com.xml

***** [ DLL ] *****

No malicious DLLs found.

***** [ WMI ] *****

No malicious keys found.

***** [ Shortcuts ] *****

No infected shortcut found.

***** [ Scheduled Tasks ] *****

No malicious task found.

***** [ Registry ] *****

Key Found:  HKLM\SOFTWARE\Classes\protector_dll.Protector
Key Found:  HKLM\SOFTWARE\Classes\protector_dll.Protector.1
Key Found:  HKLM\SOFTWARE\Classes\protector_dll.ProtectorBho
Key Found:  HKLM\SOFTWARE\Classes\protector_dll.ProtectorBho.1
Key Found:  HKLM\SOFTWARE\Classes\protector_dll.ProtectorLib
Key Found:  HKLM\SOFTWARE\Classes\protector_dll.ProtectorLib.1
Key Found:  [x64] HKLM\SOFTWARE\Classes\Interface\{30CBDB40-5B21-481B-A09B-F87CEF73F020}
Key Found:  [x64] HKLM\SOFTWARE\Classes\Interface\{952EEDFD-A98B-4670-9BDD-3634C8846FC1}
Key Found:  HKLM\SOFTWARE\Classes\CLSID\{761F6A83-F007-49E4-8EAC-CDB6808EF06F}
Key Found:  HKLM\SOFTWARE\Classes\CLSID\{76C45B18-A29E-43EA-AAF8-AF55C2E1AE17}
Key Found:  HKLM\SOFTWARE\Classes\CLSID\{7CD74AFF-3433-4E34-92E2-D98DFDB30754}
Key Found:  HKLM\SOFTWARE\Classes\CLSID\{96EF404C-24C7-43D0-9096-4CCC8BB7CCAC}
Key Found:  HKLM\SOFTWARE\Classes\CLSID\{97720195-206A-42AE-8E65-260B9BA5589F}
Key Found:  HKLM\SOFTWARE\Classes\CLSID\{97D69524-BB57-4185-9C7F-5F05593B771A}
Key Found:  HKLM\SOFTWARE\Classes\CLSID\{986F7A5A-9676-47E1-8642-F41F8C3FCF82}
Key Found:  HKLM\SOFTWARE\Classes\CLSID\{B18788A4-92BD-440E-A4D1-380C36531119}
Key Found:  HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{9522B3FB-7A2B-4646-8AF6-36E7F593073C}
Key Found:  HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{2F4D7835-42B0-4BA7-9587-1B01393F78EE}
Key Found:  HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{9522B3FB-7A2B-4646-8AF6-36E7F593073C}
Value Found:  HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser [{98279C38-DE4B-4BCF-93C9-8EC26069D6F4}]
Value Found:  HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser [{D4027C7F-154A-4066-A1AD-4243D8127440}]
Key Found:  HKU\S-1-5-21-2413278550-3837374015-2046980096-1000\Software\Microsoft\Windows\CurrentVersion\Uninstall\{79A765E1-C399-405B-85AF-466F52E918B0}
Key Found:  HKU\S-1-5-21-2413278550-3837374015-2046980096-1000\Software\Microsoft\Windows\CurrentVersion\Uninstall\ShopAtHome.com Helper
Key Found:  HKU\S-1-5-21-2413278550-3837374015-2046980096-1001\Software\YahooPartnerToolbar
Key Found:  HKCU\Software\YahooPartnerToolbar
Key Found:  [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\A28B4D68DEBAA244EB686953B7074FEF
Key Found:  [x64] HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{3EF4DC3F-0F8E-4CAC-B1B3-13EECC1A005C}
Key Found:  HKU\.DEFAULT\Software\Microsoft\Internet Explorer\SearchScopes\{AFBCB7E0-F91A-4951-9F31-58FEE57A25C4}
Key Found:  HKU\S-1-5-19\Software\Microsoft\Internet Explorer\SearchScopes\{AFBCB7E0-F91A-4951-9F31-58FEE57A25C4}
Key Found:  HKU\S-1-5-20\Software\Microsoft\Internet Explorer\SearchScopes\{AFBCB7E0-F91A-4951-9F31-58FEE57A25C4}
Key Found:  HKU\S-1-5-21-2413278550-3837374015-2046980096-1000\Software\Microsoft\Internet Explorer\SearchScopes\{3EF4DC3F-0F8E-4CAC-B1B3-13EECC1A005C}
Key Found:  HKU\S-1-5-21-2413278550-3837374015-2046980096-1000\Software\Microsoft\Internet Explorer\SearchScopes\{AFBCB7E0-F91A-4951-9F31-58FEE57A25C4}
Key Found:  HKU\S-1-5-21-2413278550-3837374015-2046980096-1001\Software\Microsoft\Internet Explorer\SearchScopes\{3EF4DC3F-0F8E-4CAC-B1B3-13EECC1A005C}
Key Found:  HKU\S-1-5-21-2413278550-3837374015-2046980096-1001\Software\Microsoft\Internet Explorer\SearchScopes\{AFBCB7E0-F91A-4951-9F31-58FEE57A25C4}
Key Found:  HKU\S-1-5-18\Software\Microsoft\Internet Explorer\SearchScopes\{AFBCB7E0-F91A-4951-9F31-58FEE57A25C4}
Key Found:  HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{3EF4DC3F-0F8E-4CAC-B1B3-13EECC1A005C}
Key Found:  HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{AFBCB7E0-F91A-4951-9F31-58FEE57A25C4}
Key Found:  HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{3EF4DC3F-0F8E-4CAC-B1B3-13EECC1A005C}
Key Found:  HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{AFBCB7E0-F91A-4951-9F31-58FEE57A25C4}
Key Found:  HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Activities\Search\ask.com

***** [ Web browsers ] *****

No malicious Firefox based browser items found.
Chrome pref Found:  [C:\Users\Rich &  Janet\AppData\Local\Google\Chrome\User Data\Default\Web data] - aol.com
Chrome pref Found:  [C:\Users\Rich &  Janet\AppData\Local\Google\Chrome\User Data\Default\Web data] - ask.com
Chrome pref Found:  [C:\Users\Guest1\AppData\Local\Google\Chrome\User Data\Default\Web data] - aol.com
Chrome pref Found:  [C:\Users\Guest1\AppData\Local\Google\Chrome\User Data\Default\Web data] - ask.com

*************************

\AdwCleaner\AdwCleaner[S0].txt - [5996 Bytes] - [13/09/2016 00:26:09]

########## EOF - \AdwCleaner\AdwCleaner[S0].txt - [6067 Bytes] ##########
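Both logs above show the same family of Internet Explorer hijacking: the MindSpark toolbars (CouponXplorer, InternetSpeedTracker, BringMeSports) registered their `bar\1.bin` folders under `Low Rights\ElevationPolicy`, which is the mechanism that lets a program launched from Protected Mode IE run outside the sandbox at medium integrity; search scopes were pointed at Ask; and the AdwCleaner scan still lists BHO, toolbar and CLSID leftovers. The PowerShell script below is added here as an example; it is not code from this thread, from Malwarebytes or from AdwCleaner. It enumerates exactly those registry locations so that the state before and after the Clean step can be checked by hand. The trusted-path pattern and the rule that reports only Policy 3 entries are the reviewer's assumptions; legitimate plugins (Adobe, Java and the like) also register elevation entries, so the output is a review list, not a delete list.

```powershell
# Internet Explorer hijack audit for the kinds of entries the MBAM and
# AdwCleaner logs report. Added example, not code from this thread or from
# either tool. Run from an elevated prompt; works on Windows 7's PowerShell 2.0.
# Assumptions: the trusted-path pattern and the "Policy 3 outside a trusted
# path" rule are the reviewer's choices.

$HiveRoots = @('HKLM:\SOFTWARE', 'HKLM:\SOFTWARE\Wow6432Node', 'HKCU:\SOFTWARE')
# ElevationPolicy entries under these paths are not reported (assumed).
$TrustedPrefix = '^(C:\\Windows\\|C:\\Program Files( \(x86\))?\\Internet Explorer\\)'

function Get-Subkeys([string]$Path) {
    if (Test-Path $Path) { Get-ChildItem -Path $Path -ErrorAction SilentlyContinue } else { @() }
}
function Get-Prop($Key, [string]$Name) {
    $p = Get-ItemProperty -Path $Key.PSPath -Name $Name -ErrorAction SilentlyContinue
    if ($p) { $p.$Name } else { $null }
}
# Map a CLSID to the DLL that implements it. A CLSID with no InprocServer32
# in any hive is leftover registration, not a live component.
function Resolve-Clsid([string]$Clsid) {
    foreach ($root in $HiveRoots) {
        $srv = "$root\Classes\CLSID\$Clsid\InprocServer32"
        if (Test-Path $srv) {
            return (Get-ItemProperty -Path $srv -ErrorAction SilentlyContinue).'(default)'
        }
    }
    return '<no InprocServer32: orphaned CLSID>'
}

# --- 1. Low Rights\ElevationPolicy -------------------------------------------
# Policy 3 tells Protected Mode to launch AppPath\AppName silently at medium
# integrity, i.e. outside the IE sandbox. The MindSpark entries in the MBAM
# log registered their bar\1.bin folders this way.
Write-Output "[ElevationPolicy: Policy 3 entries outside trusted paths]"
foreach ($root in $HiveRoots) {
    foreach ($k in Get-Subkeys "$root\Microsoft\Internet Explorer\Low Rights\ElevationPolicy") {
        $policy = Get-Prop $k 'Policy'
        $path   = Get-Prop $k 'AppPath'
        $app    = Get-Prop $k 'AppName'
        if ($policy -eq 3 -and $path -and $path -notmatch $TrustedPrefix) {
            Write-Output ("{0}  {1}\{2}" -f $k.PSChildName, $path, $app)
        }
    }
}

# --- 2. SearchScopes: every search provider, the default marked with * -------
Write-Output "`n[Search providers]"
foreach ($root in $HiveRoots) {
    $scopes = "$root\Microsoft\Internet Explorer\SearchScopes"
    if (-not (Test-Path $scopes)) { continue }
    $default = (Get-ItemProperty -Path $scopes -ErrorAction SilentlyContinue).DefaultScope
    foreach ($k in Get-Subkeys $scopes) {
        $mark = if ($k.PSChildName -eq $default) { '*' } else { ' ' }
        Write-Output ("{0} {1}  {2}  {3}" -f $mark, $root, (Get-Prop $k 'DisplayName'), (Get-Prop $k 'URL'))
    }
}

# --- 3. BHOs and toolbars, each CLSID resolved to its DLL ---------------------
Write-Output "`n[Browser Helper Objects]"
foreach ($root in $HiveRoots) {
    foreach ($k in Get-Subkeys "$root\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects") {
        Write-Output ("{0}  {1}" -f $k.PSChildName, (Resolve-Clsid $k.PSChildName))
    }
}
Write-Output "`n[Toolbars]"
$toolbarKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Internet Explorer\Toolbar',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar',
    'HKCU:\SOFTWARE\Microsoft\Internet Explorer\Toolbar\WebBrowser'
)
foreach ($tb in $toolbarKeys) {
    $p = Get-ItemProperty -Path $tb -ErrorAction SilentlyContinue
    if (-not $p) { continue }
    # Toolbar values are named by CLSID; the regex skips PowerShell's PS* properties.
    $p.PSObject.Properties |
        Where-Object { $_.Name -match '^\{[0-9A-F-]{36}\}$' } |
        ForEach-Object { Write-Output ("{0}  {1}" -f $_.Name, (Resolve-Clsid $_.Name)) }
}
```

Run it once before and once after AdwCleaner's Clean step. A search provider marked `*` whose URL is not the one the user chose, an ElevationPolicy entry pointing into a toolbar folder, or a BHO or toolbar CLSID that resolves to a DLL still on disk, is something the cleanup missed; a CLSID reported as orphaned is harmless registry residue.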



#6 shelf life

shelf life

  • Malware Response Team
  • 2,649 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:@localhost
  • Local time:04:45 PM

Posted 13 September 2016 - 04:00 PM

OK, great. Just about done. So after the scan was done, you clicked the Clean button to have it all removed? Why don't you post one more FRST log, the same way you did before, for some general clean-up of items. Then we can call it quits.






