
Overwhelmed & think I am infected


  • This topic is locked
25 replies to this topic

#1 StarrieN1te

StarrieN1te

  • Members
  • 78 posts
  • OFFLINE
  • Gender:Female
  • Local time:07:21 AM

Posted 05 October 2016 - 03:27 PM

Hi, I would like to make sure I don't have any security leaks, malware, viruses etc., but am not computer savvy or confident enough to do this this on my own. My anti-virus (Bitdefender Free Version) turned itself off a few days ago, I tried uninstalling then reinstalling it but I think some files were left behind. While trying to research the Bitdefender thing, I thought I turned on Windows Defender so I would have some protection - looks like Windows Defender is not on. I see 'Adware:MSIL/StrongVault' - Alert Level 'Unknown' - Date - '7/10/2013 10:19 PM' in Quarantine. I'm lost here. Is anyone able to help me? I would really appreciate it. Thanks.



#2 nasdaq

nasdaq

  • Malware Response Team
  • 39,955 posts
  • ONLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:08:21 AM

Posted 06 October 2016 - 08:58 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

Download the version of this tool for your operating system.
Farbar Recovery Scan Tool (64 bit)
Farbar Recovery Scan Tool (32 bit)
and save it to a folder on your computer's Desktop.
Double-click to run it. When the tool opens click Yes to disclaimer.
Press Scan button.
It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
The first time the tool is run, it makes also another log (Addition.txt). Please attach it to your reply.

How to attach a file to your reply:
In the Reply section at the bottom of the topic, click the "More Reply Options" button.
[screenshot: attachlogs.png]

Attach the file.
Select "Choose a File" and navigate to the location of the file.
Click the file you wish to Attach.

Click the Add reply button.
===

Please post the logs and wait for further instructions.

#3 StarrieN1te

StarrieN1te
  • Topic Starter

  • Members
  • 78 posts
  • OFFLINE
  • Gender:Female
  • Local time:07:21 AM

Posted 06 October 2016 - 02:36 PM

Hello, I attached the two scan results files as instructed. Apparently, I get a bit too excited sometimes . . . I downloaded & saved Farbar. Then in order to get it to my desktop, I opened Explorer & did a right click to send the Application to my Desktop. Instead of closing Explorer, I ran the scan from Explorer, sorry, I feel so stupid, I'm just so frustrated & overwhelmed . . . I can re-run the scan from my desktop if I need to. I'm usually pretty good at following instructions - not today I guess . . . I really appreciate your help. I hope I attached the 2 files correctly. Thanks.


Attached File  FRST.txt   68.11KB   4 downloads

Attached File  Addition.txt   50.41KB   4 downloads



#4 StarrieN1te

StarrieN1te
  • Topic Starter

  • Members
  • 78 posts
  • OFFLINE
  • Gender:Female
  • Local time:07:21 AM

Posted 06 October 2016 - 03:11 PM

Oops, I saw on one of the scans that uTorrent was still on my computer; that should have been uninstalled a long time ago. I just uninstalled it and re-ran the scan & attached the results. I'm sorry - things tend to appear on my computer, show up on my Desktop and/or multiply. Please forgive me, I never even knew how to use uTorrent . . . so sorry.

Attached File  FRST.txt   68.1KB   6 downloads

Attached File  Addition.txt   50.41KB   5 downloads


Is each Farbar scan supposed to overwrite the previous one?



#5 nasdaq

nasdaq

  • Malware Response Team
  • 39,955 posts
  • ONLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:08:21 AM

Posted 07 October 2016 - 09:07 AM

Hi,

Press the Windows key + R on your keyboard at the same time. This will open the Run box.
Type Notepad and click OK.
Please copy the entire contents of the code box below to a new file.
 
start

CreateRestorePoint:
EmptyTemp:
CloseProcesses:

ShellIconOverlayIdentifiers: [00avast] -> {472083B0-C522-11CF-8763-00608CC02F24} =>  No File
ShellIconOverlayIdentifiers: [GDriveSharedOverlay] -> {81539FE6-33C7-4CE7-90C7-1C7B8F2F2D44} =>  No File
HKU\.DEFAULT\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
HKU\S-1-5-21-2153502096-686273406-2310252359-1001\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
Toolbar: HKLM - avast! Online Security - {318A227B-5E9F-45bd-8999-7F8F10CA4CF5} -  No File
Toolbar: HKLM - No Name - {CC1A175A-E45B-41ED-A30C-C9B1D7A0C02F} -  No File
FF Plugin: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin-x32: @microsoft.com/GENUINE -> disabled [No File]
CHR Extension: (Chrome Web Store Payments) - C:\Users\Michele\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2016-08-05]
S4 MemeoBackgroundService; C:\Program Files (x86)\Memeo\AutoBackup\MemeoBackgroundService.exe [X]
S3 VIAHdAudAddService; system32\drivers\viahduaa.sys [X]
C:\Users\Michele\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2016-08-05]
CustomCLSID: HKU\S-1-5-21-2153502096-686273406-2310252359-1001_Classes\CLSID\{0F22A205-CFB0-4679-8499-A6F44A80A208}\InprocServer32 -> C:\Users\Michele\AppData\Local\Google\Update\1.3.25.5\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-2153502096-686273406-2310252359-1001_Classes\CLSID\{1423F872-3F7F-4E57-B621-8B1A9D49B448}\InprocServer32 -> C:\Users\Michele\AppData\Local\Google\Update\1.3.27.5\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-2153502096-686273406-2310252359-1001_Classes\CLSID\{5C8C2A98-6133-4EBA-BBCC-34D9EA01FC2E}\InprocServer32 -> C:\Users\Michele\AppData\Local\Google\Update\1.3.28.1\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-2153502096-686273406-2310252359-1001_Classes\CLSID\{78550997-5DEF-4A8A-BAF9-D5774E87AC98}\InprocServer32 -> C:\Users\Michele\AppData\Local\Google\Update\1.3.28.13\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-2153502096-686273406-2310252359-1001_Classes\CLSID\{793EE463-1304-471C-ADF1-68C2FFB01247}\InprocServer32 -> C:\Users\Michele\AppData\Local\Google\Update\1.3.29.5\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-2153502096-686273406-2310252359-1001_Classes\CLSID\{90B3DFBF-AF6A-4EA0-8899-F332194690F8}\InprocServer32 -> C:\Users\Michele\AppData\Local\Google\Update\1.3.24.15\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-2153502096-686273406-2310252359-1001_Classes\CLSID\{C3BC25C0-FCD3-4F01-AFDD-41373F017C9A}\InprocServer32 -> C:\Users\Michele\AppData\Local\Google\Update\1.3.26.9\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-2153502096-686273406-2310252359-1001_Classes\CLSID\{CC182BE1-84CE-4A57-B85C-FD4BBDF78CB2}\InprocServer32 -> C:\Users\Michele\AppData\Local\Google\Update\1.3.29.1\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-2153502096-686273406-2310252359-1001_Classes\CLSID\{D0336C0B-7919-4C04-8CCE-2EBAE2ECE8C9}\InprocServer32 -> C:\Users\Michele\AppData\Local\Google\Update\1.3.25.11\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-2153502096-686273406-2310252359-1001_Classes\CLSID\{D1EDC4F5-7F4D-4B12-906A-614ECF66DDAF}\InprocServer32 -> C:\Users\Michele\AppData\Local\Google\Update\1.3.28.15\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-2153502096-686273406-2310252359-1001_Classes\CLSID\{FE498BAB-CB4C-4F88-AC3F-3641AAAF5E9E}\InprocServer32 -> C:\Users\Michele\AppData\Local\Google\Update\1.3.24.7\psuser_64.dll => No File
Task: {99ADB0CA-672E-4FEC-86C4-E8DC868BFA5F} - \Microsoft\Windows\MobilePC\HotStart -> No File <==== ATTENTION
AlternateDataStreams: C:\Windows\system32\EPE1C222:WORKFORCE 545 [0]
AlternateDataStreams: C:\Users\Michele\Desktop\AntiTwin.exe:BDU [0]
AlternateDataStreams: C:\Users\Michele\Desktop\JRT.exe:BDU [0]
AlternateDataStreams: C:\Users\Michele\Downloads\AdobeAIRInstaller(1).exe:BDU [0]
AlternateDataStreams: C:\Users\Michele\Downloads\AdobeAIRInstaller(2).exe:BDU [0]
AlternateDataStreams: C:\Users\Michele\Downloads\adwcleaner_5.201.exe:BDU [0]
AlternateDataStreams: C:\Users\Michele\Downloads\audacity-win-2.1.2.exe:BDU [0]
AlternateDataStreams: C:\Users\Michele\Downloads\ChromeSetup.exe:BDU [0]
AlternateDataStreams: C:\Users\Michele\Downloads\ddmsetup.exe:BDU [0]
AlternateDataStreams: C:\Users\Michele\Downloads\dds.com:BDU [0]
AlternateDataStreams: C:\Users\Michele\Downloads\edfSetup.exe:BDU [0]
AlternateDataStreams: C:\Users\Michele\Downloads\epson14500.exe:BDU [0]
AlternateDataStreams: C:\Users\Michele\Downloads\gpautobackup_setup.exe:BDU [0]
AlternateDataStreams: C:\Users\Michele\Downloads\GwxControlPanelSetup.exe:BDU [0]
AlternateDataStreams: C:\Users\Michele\Downloads\HijackThis.exe:BDU [0]
AlternateDataStreams: C:\Users\Michele\Downloads\linkmagic2.exe:BDU [0]
AlternateDataStreams: C:\Users\Michele\Downloads\MediaCreationTool.exe:BDU [0]
AlternateDataStreams: C:\Users\Michele\Downloads\MicrosoftFixit.Printing.Run.exe:BDU [0]
AlternateDataStreams: C:\Users\Michele\Downloads\MiniToolBox.exe:BDU [0]
AlternateDataStreams: C:\Users\Michele\Downloads\QuickTimeInstaller.exe:BDU [0]
AlternateDataStreams: C:\Users\Michele\Downloads\rcsetup152.exe:BDU [0]
AlternateDataStreams: C:\Users\Michele\Downloads\rkill.exe:BDU [0]
AlternateDataStreams: C:\Users\Michele\Downloads\RootkitBusterV5.0-1198x64.exe:BDU [0]
AlternateDataStreams: C:\Users\Michele\Downloads\SecurityCheck.exe:BDU [0]
AlternateDataStreams: C:\Users\Michele\Downloads\Setup.exe:BDU [0]
AlternateDataStreams: C:\Users\Michele\Downloads\ShadowExplorer-0.9-setup(1).exe:BDU [0]
AlternateDataStreams: C:\Users\Michele\Downloads\tdsskiller.exe:BDU [0]
AlternateDataStreams: C:\Users\Michele\Downloads\tweaking.com_windows_repair_aio_setup.exe:BDU [0]
AlternateDataStreams: C:\Users\Michele\Downloads\uTorrent.exe:BDU [0]
AlternateDataStreams: C:\Users\Michele\Downloads\VSToolsForWindows1C.exe:BDU 

End
Save the file as fixlist.txt in the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the Farbar log you have submitted.

Run FRST and click Fix only once and wait.

Restart the computer normally to reset the registry.

The tool will create a log (Fixlog.txt) please post it to your reply.
===

Please post the Fixlog.txt and let me know what problems you are having with this computer.
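Most of the fixlist above consists of AlternateDataStreams entries, zero-length named streams attached to files on the Desktop and in Downloads. The PowerShell script below is an added example, not part of this thread and not code from FRST or Farbar; it lists every named stream left on the files under those folders so the result of the fix can be checked afterwards. The default folder list is an assumption; pass -Folders to inspect other locations.

```powershell
# Added example (not from the thread or from FRST): enumerate alternate data
# streams (ADS) on files under the given folders so the user can see which
# named streams remain after the fix. Requires PowerShell 3.0+ (Get-Item -Stream).
# The default folder list below is an assumption; adjust it as needed.
param(
    [string[]]$Folders = @("$env:USERPROFILE\Desktop", "$env:USERPROFILE\Downloads")
)

$results = foreach ($folder in $Folders) {
    if (-not (Test-Path -LiteralPath $folder)) { continue }

    Get-ChildItem -LiteralPath $folder -File -Recurse -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Get-Item -Stream * returns every stream on the file, including the
            # default unnamed data stream ':$DATA', which we skip.
            Get-Item -LiteralPath $_.FullName -Stream * -ErrorAction SilentlyContinue |
                Where-Object { $_.Stream -ne ':$DATA' } |
                ForEach-Object {
                    # Zone.Identifier is the mark-of-the-web that browsers write on
                    # downloaded files and is expected; any other stream deserves a look.
                    $note = if ($_.Stream -eq 'Zone.Identifier') { 'expected on downloads' } else { 'review' }
                    [pscustomobject]@{
                        File   = $_.FileName
                        Stream = $_.Stream
                        Bytes  = $_.Length
                        Note   = $note
                    }
                }
        }
}

if ($results) {
    $results | Sort-Object File | Format-Table -AutoSize
} else {
    'No named streams found under the inspected folders.'
}
```

Run it from a PowerShell prompt in the folder where the script is saved. A zero-byte stream carries no content, so a stream such as those the fixlist names is not by itself evidence of infection; the value of the listing is that it shows whether the fix removed them and whether anything unexpected remains.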

#6 StarrieN1te

StarrieN1te
  • Topic Starter

  • Members
  • 78 posts
  • OFFLINE
  • Gender:Female
  • Local time:07:21 AM

Posted 07 October 2016 - 05:11 PM

Hi nasdaq, first off, a big Thank You for responding. I copied the contents in a new Notepad document & saved it in the Farbar folder like you said. I then pressed the Windows logo + R to get the Run box, typed FRST in the box - there was no 'fix' to click so I hit OK thinking the 'click' option would show up, but I got an error window that said "Windows cannot find FRST, make sure you typed the name correctly & try again" - I attached a copy of the error box - I don't know what I'm doing wrong. . . .


Attached File  Error box.rtf   421.83KB   0 downloads



#7 StarrieN1te

StarrieN1te
  • Topic Starter

  • Members
  • 78 posts
  • OFFLINE
  • Gender:Female
  • Local time:07:21 AM

Posted 07 October 2016 - 05:16 PM

nasdaq, Feeling really stupid here - you want me to run Farbar again, then when it's done & the dialog comes up at the end, I should choose click fix once - am I correct?



#8 StarrieN1te

StarrieN1te
  • Topic Starter

  • Members
  • 78 posts
  • OFFLINE
  • Gender:Female
  • Local time:07:21 AM

Posted 07 October 2016 - 08:11 PM

Ok, so I ran Farbar, clicked 'Fix', and after running for a long time, my screen went black, then the computer re-booted itself & went to the 'Windows Error Recovery' screen; I chose Start Normally. Eventually it came to the login, and I was able to log on as usual. I immediately checked for a Fixlog & surprise, it was there. Before running the fix, I didn't have very good luck finding my original Farbar files; I finally found them, then the Farbar program wasn't in the folder I created, just the other documents. I eventually located the exe & moved it to the Farbar folder & ran it. I then noticed that a lot of my files in Explorer show they are "shared". I am the only one that uses this computer; I don't share my files. I have attached the Fixlog. Regarding some of the problems I'm having, and this is by no means a complete list, just what I can remember at the moment (I'm sure I'll remember more later), they are as follows:

  • The big one lately is my antivirus keeps turning off. I tried uninstalling then re-installing, but I can't get it to uninstall all of the files, so I just reinstalled it; it won't turn on, I have no protection, and I can't get Windows Defender to work either.
  • Files/documents tend to multiply. Files/documents are readable one day, then they are replaced with unreadable symbols or have chunks missing or replaced with other verbiage or in another language.
  • When looking for help such as Windows Help (?) or other sites' help sections, I'll get a message that I only have partial internet access, or no internet access.
  • Lots of goofy printer stuff, like I am not connected to a printer, or the print will be huge or tiny or off center, or the font will be different (maybe darker & clearer, then pale) with a blank sheet separating each doc.
  • When using the Snipping Tool, I'll often see a flash of another snip window briefly that has a very different font, bolder & thicker, or when using snip's highlighter or pen, the pen/highlighter will be off by about 2-3 inches from where my cursor is.
  • Sometimes it looks like there is another window under mine (and not Aero).
  • My default settings will change.
  • My icons will change.
  • The notifications in my tray will be different; there will be more, and/or some will go away (some I don't even know what they are).
  • My Explorer files will be arranged differently. I like mine to show Details, but they will often change to large icons or something else.
  • Explorer Details columns will disappear & I'll have to set them again.
  • There are a few things I am confused about in Event Viewer: logs look like a backup was done when I don't have any scheduled backups (I do manual backups), references to fax & I don't use a fax machine, a lot of tasks done by svhost, logons by accounts I don't recognize.
  • Sometimes my screen will start scrolling & I don't even have my hands anywhere near my touchpad.
  • There seems to be a lot of hidden USB and other devices connected to my laptop when I look at Computer Management devices.
  • Sometimes my computer will get very slow & I'll go to Services.
  • Sometimes it feels as though someone is watching/logging what I'm doing.
  • My Yahoo page was in a different language one morning (my Yahoo mail & Amazon accounts were also hacked).

This is a sampling of things I've noticed. If you could help me out I'd be very grateful. I try to research this stuff on my own, but as my subject line says, I'm overwhelmed.


Attached File  Fixlog.txt   12.44KB   1 downloads

#9 nasdaq

nasdaq

  • Malware Response Team
  • 39,955 posts
  • ONLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:08:21 AM

Posted 08 October 2016 - 08:53 AM


Remove Spybot via the Control Panel > Programs > Programs and Features.
Spybot - Search & Destroy (HKLM-x32\...\{B4092C6D-E886-4CB2-BA68-FE5A99D31DE7}_is1) (Version: 2.1.21 - Safer-Networking Ltd.)


===

Go to this Avast page and download the Free version.
https://www.avast.com/index

The installer will be downloaded.
You will get instructions on how to install the application.

When done, scan your computer.

When completed please run the Farbar tool normally one more time.
Post fresh FRST and Addition.txt files for my review.

If you have problems with this computer, enumerate them.
Use a single paragraph for each issue.

#10 StarrieN1te

StarrieN1te
  • Topic Starter

  • Members
  • 78 posts
  • OFFLINE
  • Gender:Female
  • Local time:07:21 AM

Posted 08 October 2016 - 10:13 AM

Hi nasdaq, I'm about to install Avast, it wants to install Avast SafeZone browser. Should I do that or do a custom install without SafeZone browser? Thanks.



#11 StarrieN1te

StarrieN1te
  • Topic Starter

  • Members
  • 78 posts
  • OFFLINE
  • Gender:Female
  • Local time:07:21 AM

Posted 08 October 2016 - 10:39 AM

Hi nasdaq, after reading more about Avast SafeZone, I'll go ahead & do a custom install without SafeZone so I can have protection and run FRST. If you want me to install it, I'll uninstall Avast & re-install with SafeZone. Just let me know. I hope that is okay with you. Thanks.



#12 nasdaq

nasdaq

  • Malware Response Team
  • 39,955 posts
  • ONLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:08:21 AM

Posted 08 October 2016 - 12:31 PM

No need to install Avast SafeZone.

#13 StarrieN1te

StarrieN1te
  • Topic Starter

  • Members
  • 78 posts
  • OFFLINE
  • Gender:Female
  • Local time:07:21 AM

Posted 08 October 2016 - 05:19 PM

Thanks. I ran the Avast scan; do I go ahead & apply the fixes for the 'Threats'? What do I do with the multiple items in 'Warnings'? I didn't change any of the default settings.



#14 StarrieN1te

StarrieN1te
  • Topic Starter

  • Members
  • 78 posts
  • OFFLINE
  • Gender:Female
  • Local time:07:21 AM

Posted 08 October 2016 - 10:00 PM

Hi again,


Avast wants to do a 'Boot Time' scan & it 'needs to download additional components'; do I want to do this? Also, the scan found 12 threats - 9 High Severity & 3 Medium Severity. I picked 'Move to Virus Chest' - 11 accepted the action & 1 had an error & would not move the item.



#15 StarrieN1te

StarrieN1te
  • Topic Starter

  • Members
  • 78 posts
  • OFFLINE
  • Gender:Female
  • Local time:07:21 AM

Posted 08 October 2016 - 10:26 PM

Sorry, I didn't complete my post. Here is the info for the 12th item: 'Error: The request is not supported (50)'. The status of this item is 'Threat: Rootkit: hidden file'. There were also many items listed in the 'Warning' section. If you want me to send you any of the Avast scan results, I will. Apparently my computer wants to reboot & once it does, Avast will do the 'Boot-time' scan. Hopefully there will be no additional issues. After that I'll do the Farbar scan again, post the FRST and Addition.txt files, and list my computer issues as you requested. Thank you for your patience.

