
Credit Card hacked online - virus at fault?


  • This topic is locked
7 replies to this topic

#1 LadyS

LadyS

  • Members
  • 9 posts
  • OFFLINE
  • Gender:Female
  • Local time:11:51 PM

Posted 26 October 2016 - 08:48 PM

Hi everyone,

 

I have just been told today that my credit card has been hacked and used to make fraudulent purchases online yesterday. Although the bank says its staff are investigating what happened to my card, they mentioned that the credit card info was probably stolen from a website I visited that had been compromised, or from my browser if I have a virus.

 

I have Avast Internet Security, up to date, that I never close, and it didn't report any infection... I was told however that I should double check with this community in case the antivirus missed something...

 

I have not noticed any suspicious activities, pop-ups, any delays in processing or basically any changes from my usual activity. The hacking is taking me entirely by surprise. I do order online, but in the past month only from Amazon and Sephora websites.

 

I'd much appreciate another opinion on my computer's safety from your end before I set up the information of a new credit card anywhere.

 

Many thanks!

 

Attached File  Addition.txt   30.79KB   2 downloads

Attached File  FRST.txt   102bytes   4 downloads




#2 nasdaq

nasdaq

  • Malware Response Team
  • 38,594 posts
  • OFFLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:11:51 PM

Posted 29 October 2016 - 10:37 AM

Additional scan result of Farbar Recovery Scan Tool (x64) Version:20-12-2015
Ran by Lix (2016-10-26 21:32:15)
Running from C:\Users\Lix\Desktop
Windows 7 Home Premium Service Pack 1 (X64) (2014-03-28 00:08:18)
Boot Mode: Normal
==========================================================


==================== Accounts: =============================

Administrator (S-1-5-21-9550187-3546826477-2711852638-500 - Administrator - Disabled)
Guest (S-1-5-21-9550187-3546826477-2711852638-501 - Limited - Disabled)
HomeGroupUser$ (S-1-5-21-9550187-3546826477-2711852638-1002 - Limited - Enabled)
Lix (S-1-5-21-9550187-3546826477-2711852638-1000 - Administrator - Enabled) => C:\Users\Lix

==================== Security Center ========================

(If an entry is included in the fixlist, it will be removed.)

AV: avast! Antivirus (Enabled - Up to date) {17AD7D40-BA12-9C46-7131-94903A54AD8B}
AV: AVG AntiVirus Free Edition (Disabled - Up to date) {4D41356F-32AD-7C42-C820-63775EE4F413}
AS: Windows Defender (Enabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
AS: AVG AntiVirus Free Edition (Disabled - Up to date) {F620D48B-1497-73CC-F290-58052563BEAE}
AS: avast! Antivirus (Enabled - Up to date) {ACCC9CA4-9C28-93C8-4B81-AFE241D3E736}
FW: avast! Antivirus (Enabled) {2F96FC65-F07D-9D1E-5A6E-3DA5C487EAF0}

==================== Installed Programs ======================

(Only the adware programs with "Hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)

7-Zip 15.12 (x64) (HKLM\...\7-Zip) (Version: 15.12 - Igor Pavlov)
Adblock Plus for IE (32-bit and 64-bit) (HKLM\...\{0F347A49-E36C-4639-8D2E-003AD408B8B2}) (Version: 1.5 - Eyeo GmbH)
Adobe Flash Player 23 ActiveX (HKLM-x32\...\Adobe Flash Player ActiveX) (Version: 23.0.0.162 - Adobe Systems Incorporated)
Adobe Photoshop CC 2015 (HKLM-x32\...\{793C2BF7-A4FE-4608-91C9-9282C5801C21}) (Version: 16.0 - Adobe Systems Incorporated)
Adobe Photoshop CS2 (HKLM-x32\...\Adobe Photoshop CS2 - {236BB7C4-4419-42FD-0409-1E257A25E34D}) (Version: 9.0 - Adobe Systems, Inc.)
Adobe Reader XI (11.0.18) (HKLM-x32\...\{AC76BA86-7AD7-1033-7B44-AB0000000001}) (Version: 11.0.18 - Adobe Systems Incorporated)
Alien Skin Exposure 7 (HKLM\...\Alien Skin Exposure 7) (Version: - Alien Skin)
Antidote HD (HKLM-x32\...\{56CDB4FE-895F-4E0D-8BB4-9A8D4310898D}) (Version: 7.6.7022 - Druide informatique inc.)
Apple Application Support (HKLM-x32\...\{D9DAD0FF-495A-472B-9F10-BAE430A26682}) (Version: 3.0.3 - Apple Inc.)
Apple Mobile Device Support (HKLM\...\{787136D2-F0F8-4625-AA3F-72D7795AC842}) (Version: 7.1.1.3 - Apple Inc.)
Apple Software Update (HKLM-x32\...\{789A5B64-9DD9-4BA5-915A-F0FC0A1B7BFE}) (Version: 2.1.3.127 - Apple Inc.)
Assassin's Creed® III v1.02 (HKLM-x32\...\{9D15E813-0C26-41E7-ABC5-3EB06FF1B3CF}) (Version: 1.02 - Ubisoft)
Avast Internet Security (HKLM-x32\...\Avast) (Version: 11.2.2262 - AVAST Software)
Avi to Dvd Free Converter v6.7.0.225 (HKLM-x32\...\Avi to Dvd Free Converter_is1) (Version: - AviToDvdFree.com Inc.)
BlackBerry Backup Extractor (HKU\S-1-5-21-9550187-3546826477-2711852638-1000\...\BlackBerry Backup Extractor) (Version: 2.0.4.0 - Reincubate Ltd)
BlackBerry Desktop Software 7.1 (HKLM-x32\...\BlackBerry_Desktop) (Version: 7.1.0.41 - Research In Motion Ltd.)
BlackBerry Desktop Software 7.1 (x32 Version: 7.1.0.41 - Research In Motion Ltd.) Hidden
Bonjour (HKLM\...\{6E3610B2-430D-4EB0-81E3-2B57E8B9DE8D}) (Version: 3.0.0.10 - Apple Inc.)
DVDStyler v3.0 (HKLM\...\DVDStyler_is1) (Version: - Thüring IT-Consulting)
Free Dailymotion Download (HKLM-x32\...\Free Dailymotion Download_is1) (Version: 1.0.57.1211 - DVDVideoSoft Ltd.)
Free Studio version 6.4.3.128 (HKLM-x32\...\Free Studio_is1) (Version: 6.4.3.128 - DVDVideoSoft Ltd.)
Free YouTube Download (HKLM-x32\...\Free YouTube Download_is1) (Version: 4.0.10.1211 - DVDVideoSoft Ltd.)
Free YouTube to MP3 Converter version 3.12.39.604 (HKLM-x32\...\Free YouTube to MP3 Converter_is1) (Version: 3.12.39.604 - DVDVideoSoft Ltd.)
Google Chrome (HKLM-x32\...\Google Chrome) (Version: 54.0.2840.71 - Google Inc.)
Google Toolbar for Internet Explorer (HKLM-x32\...\{2318C2B1-4965-11d4-9B18-009027A5CD4F}) (Version: 7.5.7619.1252 - Google Inc.)
Google Toolbar for Internet Explorer (x32 Version: 1.0.0 - Google Inc.) Hidden
Google Update Helper (x32 Version: 1.3.25.11 - Google Inc.) Hidden
Google Update Helper (x32 Version: 1.3.31.5 - Google Inc.) Hidden
iCare Data Recovery Pro (HKLM-x32\...\{F7EAB243-4D0C-47F5-A4F1-74D350E45489}_is1) (Version: 7.9.0 - iCare Recovery)
iTunes (HKLM\...\{1CF5754A-545B-4360-BFDE-2847BC728DFC}) (Version: 11.2.0.115 - Apple Inc.)
Java 8 Update 111 (HKLM-x32\...\{26A24AE4-039D-4CA4-87B4-2F32180111F0}) (Version: 8.0.1110.14 - Oracle Corporation)
La boucle d'argent (HKLM-x32\...\{77BBC8EA-C602-4138-83EC-712E9FB03874}) (Version: 0.0 - Frogwares)
LauncherMA (HKLM-x32\...\{C06EFB22-B5DB-46C5-9215-BCB5C19C0858}) (Version: 1.00.0000 - Micro Application)
Leawo PowerPoint to Video Pro version 2.7.4.0 (HKLM-x32\...\{5D5CB188-F9B1-4103-B2AD-07FB33068377}_is1) (Version: 2.7.4.0 - Leawo Software)
LightScribe System Software 1.14.17.1 (HKLM-x32\...\{0E7DBD52-B097-4F2B-A7C7-F105B0D20FDB}) (Version: 1.14.17.1 - LightScribe)
Microsoft .NET Framework 4.6.1 (HKLM\...\{92FB6C44-E685-45AD-9B20-CADF4CABA132} - 1033) (Version: 4.6.01055 - Microsoft Corporation)
Microsoft Office XP Professional with FrontPage (HKLM-x32\...\{90280409-6000-11D3-8CFE-0050048383C9}) (Version: 10.0.4330.0 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (HKLM-x32\...\{7299052b-02a4-4627-81f2-1818da5d550d}) (Version: 8.0.56336 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.17 (HKLM\...\{8220EEFE-38CD-377E-8595-13398D740ACE}) (Version: 9.0.30729 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022 (HKLM-x32\...\{FF66E9F6-83E7-3A3E-AF14-8DE9A809A6A4}) (Version: 9.0.21022 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17 (HKLM-x32\...\{9A25302D-30C0-39D9-BD6F-21E6EC160475}) (Version: 9.0.30729 - Microsoft Corporation)
Microsoft Visual C++ 2010 x64 Redistributable - 10.0.40219 (HKLM\...\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}) (Version: 10.0.40219 - Microsoft Corporation)
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (HKLM-x32\...\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}) (Version: 10.0.40219 - Microsoft Corporation)
Microsoft Visual C++ 2012 Redistributable (x64) - 11.0.61030 (HKLM-x32\...\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}) (Version: 11.0.61030.0 - Microsoft Corporation)
Microsoft Visual C++ 2012 Redistributable (x86) - 11.0.61030 (HKLM-x32\...\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}) (Version: 11.0.61030.0 - Microsoft Corporation)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.21005 (HKLM-x32\...\{7f51bdb9-ee21-49ee-94d6-90afc321780e}) (Version: 12.0.21005.1 - Microsoft Corporation)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (HKLM-x32\...\{050d4fc8-5d48-4b8f-8972-47c82c46020f}) (Version: 12.0.30501.0 - Microsoft Corporation)
Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.21005 (HKLM-x32\...\{ce085a78-074e-4823-8dc1-8a721b94b76d}) (Version: 12.0.21005.1 - Microsoft Corporation)
Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (HKLM-x32\...\{f65db027-aff3-4070-886a-0d87064aabb1}) (Version: 12.0.30501.0 - Microsoft Corporation)
Microsoft Visual C++ Run Time Lib Setup (HKLM-x32\...\{AAF4238F-7C29-451D-9925-C753271A5728}) (Version: 1.0.0 - Microsoft)
MSXML 4.0 SP2 (KB954430) (HKLM-x32\...\{86493ADD-824D-4B8E-BD72-8C5DCDC52A71}) (Version: 4.20.9870.0 - Microsoft Corporation)
MSXML 4.0 SP2 (KB973688) (HKLM-x32\...\{F662A8E6-F4DC-41A2-901E-8C11F044BDEC}) (Version: 4.20.9876.0 - Microsoft Corporation)
Nero 7 Essentials (HKLM-x32\...\{3134052E-B1F0-465C-B320-5042095B1033}) (Version: 7.03.1188 - Nero AG)
NVIDIA 3D Vision Driver 341.44 (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.3DVision) (Version: 341.44 - NVIDIA Corporation)
NVIDIA GAME System Software 2.8.1 (HKLM-x32\...\{4F0C7CCF-5666-474B-B02E-AC514A95EC93}) (Version: 2.8.1 - NVIDIA Corporation)
NVIDIA Graphics Driver 341.44 (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.Driver) (Version: 341.44 - NVIDIA Corporation)
NVIDIA PhysX (HKLM-x32\...\{C5C1C0F0-D62F-4DBF-81D4-D7EF397C228B}) (Version: 9.09.0814 - NVIDIA Corporation)
NVIDIA Update 10.4.0 (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.Update) (Version: 10.4.0 - NVIDIA Corporation)
ON1 Photo 10 (HKLM\...\ON1 Photo 10 PE) (Version: 10.0.0 - ON1)
photoFXlab (HKLM-x32\...\photoFXlab) (Version: 1.2.8 - Topaz Labs)
PunkBuster Services (HKLM-x32\...\PunkBusterSvc) (Version: 0.991 - Even Balance, Inc.)
RecoveRx version 3.2 (HKLM-x32\...\{3DE055DA-690F-43B8-9B7B-54E7D70806F9}_is1) (Version: 3.2 - Transcend Information, Inc.)
SafeZone Stable 1.48.2066.101 (x32 Version: 1.48.2066.101 - Avast Software) Hidden
Sherlock Holmes - la Nuit des Sacrifies - Remasterisee (HKLM-x32\...\{760BF94F-4FAF-4EF6-96D9-B55B12993992}) (Version: 1.00.0777 - Frogwares)
Sherlock Holmes contre Arsene Lupin (HKLM-x32\...\{63686BEF-04CA-461C-B364-53BBC322F7BF}) (Version: 1.00.0777 - Frogwares)
Sherlock Holmes contre Jack l'Éventreur (HKLM-x32\...\{3F64C088-9A45-41B3-8B99-71AFAB720A56}) (Version: 1.00.0777 - Frogwares)
TomTom MyDrive Connect 4.1.1.2797 (HKLM-x32\...\MyDriveConnect) (Version: 4.1.1.2797 - TomTom)
Topaz Adjust 5 (HKLM-x32\...\Topaz Adjust 5) (Version: 5.1.0 - Topaz Labs, LLC)
Topaz B&W Effects (HKLM-x32\...\Topaz BW Effects 2) (Version: 2.1.0 - Topaz Labs, LLC)
Topaz Clarity (HKLM-x32\...\Topaz Clarity) (Version: 1.0.0 - Topaz Labs, LLC)
Topaz Clean 3 (HKLM-x32\...\Topaz Clean 3) (Version: 3.1.0 - Topaz Labs, LLC)
Topaz DeJpeg 4 (HKLM-x32\...\Topaz DeJpeg 4) (Version: 4.0.2 - Topaz Labs, LLC)
Topaz DeNoise 5 (HKLM-x32\...\Topaz DeNoise 5) (Version: 5.1.0 - Topaz Labs, LLC)
Topaz Detail 3 (HKLM-x32\...\Topaz Detail 3) (Version: 3.2.0 - Topaz Labs, LLC)
Topaz Fusion Express 2 (HKLM-x32\...\Topaz Fusion Express 2) (Version: 2.1.3 - Topaz Labs, LLC)
Topaz InFocus (HKLM-x32\...\Topaz InFocus) (Version: 1.0.0 - Topaz Labs, LLC)
Topaz Lens Effects (HKLM-x32\...\Topaz Lens Effects) (Version: 1.2.0 - Topaz Labs, LLC)
Topaz ReMask 5 (HKLM-x32\...\Topaz ReMask 5) (Version: 5.0.0 - Topaz Labs, LLC)
Topaz ReStyle (HKLM-x32\...\Topaz ReStyle) (Version: 1.0.0 - Topaz Labs, LLC)
Topaz Simplify 4 (HKLM-x32\...\Topaz Simplify 4) (Version: 4.1.1 - Topaz Labs, LLC)
Topaz Star Effects (HKLM-x32\...\Topaz Star Effects) (Version: 1.1.0 - Topaz Labs, LLC)
Ubisoft Game Launcher (HKLM-x32\...\{888F1505-C2B3-4FDE-835D-36353EBD4754}) (Version: 1.0.0.0 - UBISOFT)
Visual Studio 2012 x64 Redistributables (HKLM\...\{8C775E70-A791-4DA8-BCC3-6AB7136F4484}) (Version: 14.0.0.1 - AVG Technologies)
Visual Studio 2012 x86 Redistributables (HKLM-x32\...\{98EFF19A-30AB-4E4B-B943-F06B1C63EBF8}) (Version: 14.0.0.1 - AVG Technologies CZ, s.r.o.)
Visual Studio C++ 10.0 Runtime (HKLM-x32\...\{4412F224-3849-4461-A3E9-DEEF8D252790}) (Version: 10.0.0 - TomTom International B.V.)
VLC media player (HKLM-x32\...\VLC media player) (Version: 2.2.1 - VideoLAN)
WinDirStat 1.1.2 (HKU\S-1-5-21-9550187-3546826477-2711852638-1000\...\WinDirStat) (Version: - )

==================== Custom CLSID (Whitelisted): ==========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

CustomCLSID: HKU\S-1-5-21-9550187-3546826477-2711852638-1000_Classes\CLSID\{1E34E625-BCA6-4D5D-9B25-0743004509D8}\InprocServer32 -> C:\Program Files (x86)\Druide\Antidote 7\Texteurs\Word\Antidote.Word.MT.P300_64.dll (Druide informatique inc.)
CustomCLSID: HKU\S-1-5-21-9550187-3546826477-2711852638-1000_Classes\CLSID\{24C8712C-6370-43cd-B94A-00FD7ED0F949}\InprocServer32 -> C:\Program Files (x86)\Druide\Antidote 7\Texteurs\PowerPoint\Antidote.PowerPoint.P110_64.dll (Druide informatique inc.)
CustomCLSID: HKU\S-1-5-21-9550187-3546826477-2711852638-1000_Classes\CLSID\{31C16B42-5454-4514-A68A-C2C33284AA80}\InprocServer32 -> C:\Program Files (x86)\Druide\Antidote 7\Texteurs\Word\Antidote.Word.Interface.P200_64.dll (Druide informatique inc.)
CustomCLSID: HKU\S-1-5-21-9550187-3546826477-2711852638-1000_Classes\CLSID\{A502EEBE-5071-4486-9646-EEE59C8FC937}\InprocServer32 -> C:\Program Files (x86)\Druide\Antidote 7\Texteurs\Word\Antidote.Word.MT.P200_64.dll (Druide informatique inc.)
CustomCLSID: HKU\S-1-5-21-9550187-3546826477-2711852638-1000_Classes\CLSID\{B5CC9A6D-5083-4DBD-B886-E55D621CBBC6}\InprocServer32 -> C:\Program Files (x86)\Druide\Antidote 7\Texteurs\PowerPoint\Antidote.PowerPoint.P100_64.dll (Druide informatique inc.)
CustomCLSID: HKU\S-1-5-21-9550187-3546826477-2711852638-1000_Classes\CLSID\{B7B25711-9DB1-4280-AE2C-EFBFB2B4B7EC}\InprocServer32 -> C:\Program Files (x86)\Druide\Antidote 7\Texteurs\Word\Antidote.Word.Interface.P110_64.dll (Druide informatique inc.)
CustomCLSID: HKU\S-1-5-21-9550187-3546826477-2711852638-1000_Classes\CLSID\{CDE998F1-84D8-479c-8C1D-646FFFB2972F}\InprocServer32 -> C:\Program Files (x86)\Druide\Antidote 7\Texteurs\Word\Antidote.Word.Interface.P100_64.dll (Druide informatique inc.)

==================== Restore Points =========================

20-10-2016 21:53:07 Installé Sherlock Holmes contre Jack l'Éventreur
20-10-2016 21:53:27 Installé Sherlock Holmes contre Jack l'Éventreur
20-10-2016 21:56:15 Installed NVIDIA GAME System Software 2.8.1
20-10-2016 22:01:51 Installed DirectX
20-10-2016 22:34:30 Installé La boucle d'argent
20-10-2016 22:37:59 Installed DirectX
20-10-2016 22:39:55 Windows Update
20-10-2016 22:48:19 Installé Sherlock Holmes contre Arsene Lupin
20-10-2016 22:51:14 Installed DirectX
26-10-2016 19:25:29 Windows Update

==================== Hosts content: ==========================

(If needed Hosts: directive could be included in the fixlist to reset Hosts.)

2009-07-13 22:34 - 2015-11-30 20:18 - 00001132 ____A C:\Windows\system32\Drivers\etc\hosts

127.0.0.1 activate.adobe.com
127.0.0.1 practivate.adobe.com
127.0.0.1 lmlicenses.wip4.adobe.com
127.0.0.1 lm.licenses.adobe.com
127.0.0.1 na1r.services.adobe.com
127.0.0.1 hlrcv.stage.adobe.com

==================== Scheduled Tasks (Whitelisted) =============

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

Task: {16DA5474-2CB7-41F0-9627-35D09B131FCF} - System32\Tasks\{E02CB057-6B7B-4398-9F6A-26E9481485F8} => C:\Program Files (x86)\Focus\Frogwares\Sherlock Holmes contre Jack l'Éventreur\game.exe [2009-04-14] ()
Task: {1DD2D031-44F1-40DB-8124-C0541C420875} - System32\Tasks\{F3ED5D1F-B6E0-452F-AC1D-D932DC01820E} => C:\Users\Lix\Photoshop CS2\Setup.exe [2004-08-02] (Adobe Systems Incorporated)
Task: {1F94C451-841E-4C77-A8F1-642AE451D70A} - System32\Tasks\GoogleUpdateTaskMachineCore => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2015-08-29] (Google Inc.)
Task: {4123967C-185E-4249-96A0-DE0DF5F8C9BB} - System32\Tasks\Adobe Acrobat Update Task => C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe [2016-09-16] (Adobe Systems Incorporated)
Task: {41E68A16-63B1-475E-90FE-8E19B46D91FE} - System32\Tasks\{62F85D3F-56A7-40C5-9BA0-C632CB5CE87B} => C:\Users\Lix\Photoshop CS2\Setup.exe [2004-08-02] (Adobe Systems Incorporated)
Task: {4BA4AA07-5482-4F26-92B0-A43A042E5852} - System32\Tasks\{6D8D36B0-3721-4A3F-9EC8-F56EBE9393B9} => pcalua.exe -a "C:\Users\Lix\Photoshop CS2\Setup.exe" -d "C:\Users\Lix\Photoshop CS2"
Task: {5E24E7AC-1982-4997-9DCF-958218C54246} - System32\Tasks\AdobeAAMUpdater-1.0-Lix-PC-Lix => C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe [2015-05-26] (Adobe Systems Incorporated)
Task: {6CF894BF-DD12-4810-BBF8-6B935D75DE98} - System32\Tasks\{4A143910-9E5A-4E4C-9AF5-2DA5892DF82A} => C:\Users\Lix\Photoshop CS2\Setup.exe [2004-08-02] (Adobe Systems Incorporated)
Task: {9D6DB8C1-8BB4-415A-9599-6A7E16C4A10E} - System32\Tasks\AVAST Software\Avast settings backup => C:\Program Files\Common Files\AV\avast! Antivirus\backup.exe [2016-06-06] (AVAST Software)
Task: {AD07B018-21AD-408A-87B3-E68DC5AECC15} - System32\Tasks\Microsoft\Windows\Setup\GWXTriggers\ScheduleUpgradeReminderTime => C:\Windows\system32\GWX\GWXUXWorker.exe [2016-05-20] (Microsoft Corporation)
Task: {B6880B29-CEA9-497F-B4C2-A675DFE128DF} - System32\Tasks\Microsoft\Windows\Setup\GWXTriggers\ScheduleUpgradeTime => C:\Windows\system32\GWX\GWXUXWorker.exe [2016-05-20] (Microsoft Corporation)
Task: {C4E194A4-3AC8-4C28-92D1-B6D741823ED4} - System32\Tasks\0414bUpdateInfo => C:\ProgramData\Avg_Update_0414b\0414b_AVG-Secure-Search-Update.exe
Task: {D3A77B69-DE3C-4A8E-8BDF-95406903506D} - System32\Tasks\GoogleUpdateTaskMachineUA => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2015-08-29] (Google Inc.)
Task: {E4BF65E6-6F7A-4187-8CC9-C78F2BBC771D} - System32\Tasks\Microsoft\Windows\Setup\gwx\rundetector => C:\Windows\system32\GWX\GWXDetector.exe [2016-05-20] (Microsoft Corporation)
Task: {EDD6486D-E421-470E-8D5E-D5B404D8BA76} - System32\Tasks\SafeZone scheduled Autoupdate 1451343627 => C:\Program Files\AVAST Software\SZBrowser\launcher.exe [2016-04-15] (Avast Software)
Task: {EE026326-52A7-41A9-98C5-128F201AC094} - System32\Tasks\avast! Emergency Update => C:\Program Files\AVAST Software\Avast\AvastEmUpdate.exe [2016-05-04] (AVAST Software)

(If an entry is included in the fixlist, the task (.job) file will be moved. The file which is running by the task will not be moved.)

Task: C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
Task: C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe

==================== Shortcuts =============================

(The entries could be listed to be restored or removed.)

==================== Loaded Modules (Whitelisted) ==============

2016-06-07 20:24 - 2016-08-25 15:37 - 00075136 _____ () C:\Windows\SysWOW64\PnkBstrA.exe
2014-05-06 22:37 - 2015-02-03 22:21 - 00115400 _____ () C:\Program Files\NVIDIA Corporation\Display\NvSmartMax64.dll
2016-05-04 06:43 - 2016-05-04 06:43 - 00123344 _____ () C:\Program Files\AVAST Software\Avast\log.dll
2016-05-04 06:43 - 2016-05-04 06:43 - 00135816 _____ () C:\Program Files\AVAST Software\Avast\JsonRpcServer.dll
2016-10-21 11:07 - 2016-10-21 11:07 - 03121496 _____ () C:\Program Files\AVAST Software\Avast\defs\16102100\algo.dll
2016-05-04 06:43 - 2016-05-04 06:43 - 00309912 _____ () C:\Program Files\AVAST Software\Avast\browser_pass.dll
2016-05-04 06:43 - 2016-05-04 06:43 - 00479680 _____ () C:\Program Files\AVAST Software\Avast\ffl2.dll
2016-10-26 13:58 - 2016-10-26 13:58 - 03123088 _____ () C:\Program Files\AVAST Software\Avast\defs\16102601\algo.dll
2014-02-12 20:58 - 2014-02-12 20:58 - 00073544 _____ () C:\Program Files (x86)\Common Files\Apple\Apple Application Support\zlib1.dll
2014-02-12 20:58 - 2014-02-12 20:58 - 01044808 _____ () C:\Program Files (x86)\Common Files\Apple\Apple Application Support\libxml2.dll
2015-02-03 21:11 - 2015-12-11 02:34 - 00110952 _____ () C:\Program Files (x86)\Common Files\DVDVideoSoft\lib\zlib1.dll
2015-02-03 21:11 - 2015-12-11 02:34 - 00104296 _____ () C:\Program Files (x86)\Common Files\DVDVideoSoft\lib\boost_filesystem-vc120-mt-1_56.dll
2015-02-03 21:11 - 2015-12-11 02:34 - 00020328 _____ () C:\Program Files (x86)\Common Files\DVDVideoSoft\lib\boost_system-vc120-mt-1_56.dll
2015-02-03 21:11 - 2015-12-11 02:34 - 00253800 _____ () C:\Program Files (x86)\Common Files\DVDVideoSoft\lib\collector.dll
2015-02-03 21:11 - 2015-12-11 02:34 - 00295272 _____ () C:\Program Files (x86)\Common Files\DVDVideoSoft\lib\stat.dll
2015-02-03 21:11 - 2015-12-11 02:34 - 00044392 _____ () C:\Program Files (x86)\Common Files\DVDVideoSoft\lib\boost_date_time-vc120-mt-1_56.dll
2007-07-12 13:55 - 2007-07-12 13:55 - 01581056 _____ () C:\Program Files (x86)\Common Files\LightScribe\QtCore4.dll
2007-08-14 13:59 - 2007-08-14 13:59 - 06365184 _____ () C:\Program Files (x86)\Common Files\LightScribe\QtGui4.dll
2007-07-12 13:55 - 2007-07-12 13:55 - 00131072 _____ () C:\Program Files (x86)\Common Files\LightScribe\plugins\imageformats\qjpeg4.dll
2015-12-28 19:10 - 2015-12-28 19:10 - 40539648 _____ () C:\Program Files\AVAST Software\Avast\libcef.dll
2016-07-20 21:17 - 2013-07-24 09:24 - 00137728 _____ () C:\Program Files (x86)\Common Files\Wondershare\Wondershare Helper Compact\CBSCreateVC.dll
2016-07-20 21:17 - 2014-02-15 11:48 - 00295936 _____ () C:\Program Files (x86)\Common Files\Wondershare\Wondershare Helper Compact\DAQExp.dll

==================== Alternate Data Streams (Whitelisted) =========

(If an entry is included in the fixlist, only the ADS will be removed.)


==================== Safe Mode (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.)


==================== EXE Association (Whitelisted) ===============

(If an entry is included in the fixlist, the registry item will be restored to default or removed.)


==================== Internet Explorer trusted/restricted ===============

(If an entry is included in the fixlist, it will be removed from the registry.)


==================== Other Areas ============================

(Currently there is no automatic fix for this section.)

HKU\S-1-5-21-9550187-3546826477-2711852638-1000\Control Panel\Desktop\\Wallpaper -> C:\Users\Lix\AppData\Roaming\Microsoft\Windows\Themes\TranscodedWallpaper.jpg
DNS Servers: 192.168.1.1
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System => (ConsentPromptBehaviorAdmin: 5) (ConsentPromptBehaviorUser: 3) (EnableLUA: 1)
Windows Firewall is enabled.

==================== MSCONFIG/TASK MANAGER disabled items ==

(Currently there is no automatic fix for this section.)

MSCONFIG\startupreg: agentantidote.exe => "C:\Program Files (x86)\Druide\Antidote 7\Programmes32\agentantidote.exe" /LancementSession
MSCONFIG\startupreg: agentantidote64.exe => "C:\Program Files (x86)\Druide\Antidote 7\Programmes64\agentantidote64.exe" /LancementSession
MSCONFIG\startupreg: iTunesHelper => "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
MSCONFIG\startupreg: P17RunE => RunDll32 P17RunE.dll,RunDLLEntry

==================== FirewallRules (Whitelisted) ===============

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

FirewallRules: [{AFA57A36-87AE-4E88-93E8-8602894F2A84}] => (Allow) C:\Program Files\Bonjour\mDNSResponder.exe
FirewallRules: [{F15E1E1F-2400-434F-962E-872D0C41DF1D}] => (Allow) C:\Program Files\Bonjour\mDNSResponder.exe
FirewallRules: [{566133B6-4604-48C9-8D45-2678F318CBB7}] => (Allow) C:\Program Files (x86)\Bonjour\mDNSResponder.exe
FirewallRules: [{B1815F7D-7F8C-4697-B8BF-AB65E4BACCB5}] => (Allow) C:\Program Files (x86)\Bonjour\mDNSResponder.exe
FirewallRules: [{045EB5AE-F4C3-4C2B-AC2F-749D57ECAC81}] => (Allow) C:\Program Files (x86)\iTunes\iTunes.exe
FirewallRules: [{B17B29B5-278E-4BD1-B87E-507EFC04B2BA}] => (Allow) H:\Music & Video\DVDVideoSoft\Free Torrent Download\FreeTorrentDownload.exe
FirewallRules: [{A63D82C0-C910-4B09-B6BE-522F83C9B641}] => (Allow) H:\Music & Video\DVDVideoSoft\Free Torrent Download\FreeTorrentDownload.exe
FirewallRules: [TCP Query User{22F55C70-3BA4-4F28-A6A2-788B920CBB07}C:\program files\on1\on1 photo 10\on1 photo 10.exe] => (Allow) C:\program files\on1\on1 photo 10\on1 photo 10.exe
FirewallRules: [UDP Query User{FBF1E421-4F87-4767-AF2D-7AF52069E339}C:\program files\on1\on1 photo 10\on1 photo 10.exe] => (Allow) C:\program files\on1\on1 photo 10\on1 photo 10.exe
FirewallRules: [{FC3AE660-5BC9-4102-B126-2A7569D97885}] => (Allow) C:\Program Files (x86)\AVG\Av\avgdiagex.exe
FirewallRules: [{2FD7010C-7907-4EB1-972D-52403ECE8D2A}] => (Allow) C:\Program Files (x86)\AVG\Av\avgdiagex.exe
FirewallRules: [{194220F5-CB2D-4C76-8216-AA09793FF478}] => (Allow) C:\Program Files (x86)\AVG\Av\avgemca.exe
FirewallRules: [{D0D4E219-FDBF-4D61-BCF1-43CA4C8649E2}] => (Allow) C:\Program Files (x86)\AVG\Av\avgemca.exe
FirewallRules: [{84E69194-99B7-417B-A311-E1DAC70AFF5D}] => (Allow) D:\BB\Rim.Desktop.exe
FirewallRules: [{C30F0544-88F6-4F80-BC61-2AF88E585AC2}] => (Allow) D:\BB\Rim.Desktop.exe
FirewallRules: [{B482BDD7-101F-4467-BF1E-B0FD3BFF729F}] => (Allow) LPort=4481
FirewallRules: [{2273A16C-8F31-4726-A3F2-C8C3A26F2FD4}] => (Allow) LPort=4481
FirewallRules: [{AF668C17-DFF2-47C9-8A1F-4FAE5DC4E69D}] => (Allow) LPort=4482
FirewallRules: [{E9E48A88-E1FA-41F4-BEB1-74BE51ED3605}] => (Allow) LPort=4482
FirewallRules: [{81229C64-4481-411E-87D4-8F7816C77621}] => (Allow) C:\Program Files (x86)\Ubisoft\Ubisoft Game Launcher\UbisoftGameLauncher.exe
FirewallRules: [{E7D9E7D7-2BC0-408F-87E3-AB5C94C1C461}] => (Allow) C:\Program Files (x86)\Ubisoft\Ubisoft Game Launcher\UbisoftGameLauncher.exe
FirewallRules: [{FF3CCB63-2E1E-4591-A9B0-A1EAD6BA8DA2}] => (Allow) C:\Windows\SysWOW64\PnkBstrA.exe
FirewallRules: [{571A707C-010B-426C-B9DD-264AA415717D}] => (Allow) C:\Windows\SysWOW64\PnkBstrA.exe
FirewallRules: [{30417D8B-9DC0-426E-B5E9-9427F51DB800}] => (Allow) C:\Windows\SysWOW64\PnkBstrB.exe
FirewallRules: [{70A406FB-2CD2-4DAA-99B4-D68559200344}] => (Allow) C:\Windows\SysWOW64\PnkBstrB.exe
FirewallRules: [{1FF099ED-5B00-4A44-ADD2-23D359E0CD78}] => (Allow) C:\Program Files (x86)\Ubisoft\Assassin's Creed III\AC3SP.exe
FirewallRules: [{2CC463FA-96A4-4A1E-930D-97E3B156F51A}] => (Allow) C:\Program Files (x86)\Ubisoft\Assassin's Creed III\AC3SP.exe
FirewallRules: [{34AB336F-60A3-4003-9E17-F28D3FDBFDE9}] => (Allow) C:\Program Files (x86)\Ubisoft\Assassin's Creed III\AC3MP.exe
FirewallRules: [{39E09F82-1433-4FE8-8DBB-1A6B982E2BC1}] => (Allow) C:\Program Files (x86)\Ubisoft\Assassin's Creed III\AC3MP.exe
FirewallRules: [{825FB907-FF57-4D9E-BFC4-63ECA4257879}] => (Allow) C:\Program Files (x86)\Ubisoft\Assassin's Creed III\AssassinsCreed3.exe
FirewallRules: [{F7AFEC53-D75A-4997-AFC5-BB70E25159FC}] => (Allow) C:\Program Files (x86)\Ubisoft\Assassin's Creed III\AssassinsCreed3.exe
FirewallRules: [{9AEC0B76-301B-4A8D-AE6C-89CFFDFC2210}] => (Allow) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe

==================== Faulty Device Manager Devices =============


==================== Event log errors: =========================


==================== End of Addition.txt ============================

#3 nasdaq

nasdaq

  • Malware Response Team
  • 38,594 posts
  • OFFLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:11:51 PM

Posted 29 October 2016 - 10:45 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

This is probably the cause of the infection.

2016-07-20 21:17 - 2013-07-24 09:24 - 00137728 _____ () C:\Program Files (x86)\Common Files\Wondershare\Wondershare Helper Compact\CBSCreateVC.dll
2016-07-20 21:17 - 2014-02-15 11:48 - 00295936 _____ () C:\Program Files (x86)\Common Files\Wondershare\Wondershare Helper Compact\DAQExp.dll

https://www.reasoncoresecurity.com/cbscreatevc.dll-745dfec77fed0ecb4e3d74ce4c6d6da420f12484.aspx

I suggest you change all your passwords if not already done.
===

Press the Windows key + R on your keyboard at the same time. This will open the Run box.
Type Notepad and click the OK key.
Please copy the entire contents of the code box below to a new file.
 
start

CreateRestorePoint:
EmptyTemp:
CloseProcesses:

CreateRestorePoint:
EmptyTemp:
CloseProcesses:

Task: {C4E194A4-3AC8-4C28-92D1-B6D741823ED4} - System32\Tasks\0414bUpdateInfo => C:\ProgramData\Avg_Update_0414b\0414b_AVG-Secure-Search-Update.exe
2016-07-20 21:17 - 2013-07-24 09:24 - 00137728 _____ () C:\Program Files (x86)\Common Files\Wondershare\Wondershare Helper Compact\CBSCreateVC.dll
2016-07-20 21:17 - 2014-02-15 11:48 - 00295936 _____ () C:\Program Files (x86)\Common Files\Wondershare\Wondershare Helper Compact\DAQExp.dll
C:\Program Files (x86)\Common Files\Wondershare\Wondershare Helper Compact

End
Save the file as fixlist.txt in the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the Farbar log you have submitted.

Run FRST and click Fix only once and wait.

Restart the computer normally to reset the registry.

The tool will create a log (Fixlog.txt); please post it in your reply.
===

Your FRST log is incomplete.

Please post again and make sure you include all the data.

Wait for further instructions.
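
As an added example for this thread (not FRST's own code, and not something nasdaq posted), the script below mechanises the first pass a helper makes over an Addition.txt like the one quoted above: it splits the dump into its `====` sections, then flags more than one antivirus registered in Security Center, hosts entries that send hostnames to localhost, and scheduled tasks or loaded modules whose trailing publisher field `()` is empty, which is exactly the detail that made the Wondershare DLLs stand out. The section names, regexes and the `Finding` type are my assumptions about the log layout as it appears in this thread, not an FRST specification; the embedded sample is a handful of lines copied from the posted log.

```python
"""Triage pass over an FRST Addition.txt dump (added example, not FRST code).

Assumed layout, taken from the log in this thread: section headers look like
"==================== Name: =====", hint lines start with "(", and file lines
end in "(<publisher>) <path>". Hits are leads for a human, not verdicts.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Loaded Modules line: "<created> - <modified> - <size> <attrs> (<publisher>) <path>"
MODULE_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - "
    r"(?P<size>\d+) (?P<attrs>\S+) \((?P<publisher>[^)]*)\) (?P<path>.+)$"
)
# Scheduled task line; the "[date] (publisher)" tail is absent on some entries
TASK_RE = re.compile(
    r"^Task: \{(?P<id>[0-9A-Fa-f-]+)\} - (?P<name>.+?) => (?P<target>.+?)"
    r"(?: \[(?P<date>[\d-]+)\] \((?P<publisher>[^)]*)\))?$"
)
HOSTS_RE = re.compile(r"^(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+(?P<host>\S+)")
AV_RE = re.compile(r"^(?P<kind>AV|AS|FW): (?P<name>.+?) \((?P<state>Enabled|Disabled)")
HEADER_RE = re.compile(r"^=+ (?P<name>.+?):? =+$")


@dataclass
class Finding:
    category: str  # which heuristic fired
    detail: str    # the path, host or product it fired on


def parse_sections(text: str) -> dict[str, list[str]]:
    """Map section name -> data lines, dropping blanks and FRST's '(If ...)' hints."""
    sections: dict[str, list[str]] = {}
    current = "Header"
    for raw in text.splitlines():
        line = raw.strip()
        header = HEADER_RE.match(line)
        if header:
            current = header.group("name").strip()
            sections.setdefault(current, [])
        elif line and not line.startswith("("):
            sections.setdefault(current, []).append(line)
    return sections


def triage(text: str) -> list[Finding]:
    """Return the entries a helper would look at first."""
    findings: list[Finding] = []
    for name, lines in parse_sections(text).items():
        if name.startswith("Security Center"):
            avs = [m for m in map(AV_RE.match, lines) if m and m.group("kind") == "AV"]
            if len(avs) > 1:  # two engines registered; here one of them is disabled
                findings += [Finding("multiple-av", f"{m.group('name')} ({m.group('state')})") for m in avs]
        elif name.startswith("Hosts content"):
            for m in filter(None, map(HOSTS_RE.match, lines)):
                if m.group("ip").startswith("127."):  # hostname pinned to localhost
                    findings.append(Finding("hosts-localhost", m.group("host")))
        elif name.startswith("Scheduled Tasks"):
            for m in filter(None, map(TASK_RE.match, lines)):
                if not (m.group("publisher") or "").strip():
                    findings.append(Finding("no-publisher-task", m.group("target")))
        elif name.startswith("Loaded Modules"):
            for m in filter(None, map(MODULE_RE.match, lines)):
                if not m.group("publisher").strip():
                    findings.append(Finding("no-publisher-module", m.group("path")))
    return findings


# Sample input: lines copied from the Addition.txt posted in this thread, trimmed.
SAMPLE_ADDITION = r"""
==================== Security Center ========================

(If an entry is included in the fixlist, it will be removed.)

AV: avast! Antivirus (Enabled - Up to date) {17AD7D40-BA12-9C46-7131-94903A54AD8B}
AV: AVG AntiVirus Free Edition (Disabled - Up to date) {4D41356F-32AD-7C42-C820-63775EE4F413}
FW: avast! Antivirus (Enabled) {2F96FC65-F07D-9D1E-5A6E-3DA5C487EAF0}

==================== Hosts content: ==========================

(If needed Hosts: directive could be included in the fixlist to reset Hosts.)

2009-07-13 22:34 - 2015-11-30 20:18 - 00001132 ____A C:\Windows\system32\Drivers\etc\hosts

127.0.0.1 activate.adobe.com
127.0.0.1 practivate.adobe.com

==================== Scheduled Tasks (Whitelisted) =============

Task: {1F94C451-841E-4C77-A8F1-642AE451D70A} - System32\Tasks\GoogleUpdateTaskMachineCore => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2015-08-29] (Google Inc.)
Task: {C4E194A4-3AC8-4C28-92D1-B6D741823ED4} - System32\Tasks\0414bUpdateInfo => C:\ProgramData\Avg_Update_0414b\0414b_AVG-Secure-Search-Update.exe

==================== Loaded Modules (Whitelisted) ==============

2016-05-04 06:43 - 2016-05-04 06:43 - 00123344 _____ () C:\Program Files\AVAST Software\Avast\log.dll
2016-07-20 21:17 - 2013-07-24 09:24 - 00137728 _____ () C:\Program Files (x86)\Common Files\Wondershare\Wondershare Helper Compact\CBSCreateVC.dll
"""

if __name__ == "__main__":
    for finding in triage(SAMPLE_ADDITION):
        print(f"{finding.category:20} {finding.detail}")
```

Run against the sample it flags the second AV engine, the two Adobe activation hosts pinned to 127.0.0.1, the AVG-Secure-Search task that the fixlist removes, and two modules with an empty publisher field. One of those is Avast's own log.dll, which shows why an empty field is only a lead: nasdaq confirmed the Wondershare DLL against a file-reputation lookup (the reasoncoresecurity link above) before putting it in the fixlist.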

#4 LadyS

LadyS
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  • Gender:Female
  • Local time:11:51 PM

Posted 30 October 2016 - 10:56 AM

Thank you Nasdaq,
 
I believe I have done as you asked:

 

Fix result of Farbar Recovery Scan Tool (x64) Version:20-12-2015
Ran by Lix (2016-10-30 11:42:33) Run:2
Running from C:\Users\Lix\Desktop
Loaded Profiles: Lix (Available Profiles: Lix)
Boot Mode: Normal
==============================================

fixlist content:
*****************
start

CreateRestorePoint:
EmptyTemp:
CloseProcesses:

CreateRestorePoint:
EmptyTemp:
CloseProcesses:

Task: {C4E194A4-3AC8-4C28-92D1-B6D741823ED4} - System32\Tasks\0414bUpdateInfo => C:\ProgramData\Avg_Update_0414b\0414b_AVG-Secure-Search-Update.exe
2016-07-20 21:17 - 2013-07-24 09:24 - 00137728 _____ () C:\Program Files (x86)\Common Files\Wondershare\Wondershare Helper Compact\CBSCreateVC.dll
2016-07-20 21:17 - 2014-02-15 11:48 - 00295936 _____ () C:\Program Files (x86)\Common Files\Wondershare\Wondershare Helper Compact\DAQExp.dll
C:\Program Files (x86)\Common Files\Wondershare\Wondershare Helper Compact

End
*****************

Restore point was successfully created.
Processes closed successfully.
Restore point was successfully created.
Processes closed successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{C4E194A4-3AC8-4C28-92D1-B6D741823ED4}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{C4E194A4-3AC8-4C28-92D1-B6D741823ED4}" => key removed successfully
C:\Windows\System32\Tasks\0414bUpdateInfo => moved successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\0414bUpdateInfo" => key removed successfully
C:\Program Files (x86)\Common Files\Wondershare\Wondershare Helper Compact\CBSCreateVC.dll => moved successfully
C:\Program Files (x86)\Common Files\Wondershare\Wondershare Helper Compact\DAQExp.dll => moved successfully
C:\Program Files (x86)\Common Files\Wondershare\Wondershare Helper Compact => moved successfully
EmptyTemp: => 6.3 GB temporary data Removed.

The system needed a reboot.

==== End of Fixlog 11:43:53 ====

Attached Files

  • FRST.txt (60.07KB)

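As an added example (not from this thread, and not FRST's own code), here is a small Python checker that reads the fixlist echoed at the top of a Fixlog like the one above and reports any fixlist entry that has no matching "moved"/"removed" result line. The sample log is constructed from this thread's entries, with the result line for DAQExp.dll deliberately left out so the check has something to flag.

```python
import re
# Constructed sample in the FRST Fixlog format seen in this thread; the result
# line for DAQExp.dll is deliberately left out so the check below flags it.
SAMPLE_FIXLOG = r"""start
CreateRestorePoint:
CloseProcesses:
EmptyTemp:
Task: {C4E194A4-3AC8-4C28-92D1-B6D741823ED4} - System32\Tasks\0414bUpdateInfo => C:\ProgramData\Avg_Update_0414b\0414b_AVG-Secure-Search-Update.exe
2016-07-20 21:17 - 2013-07-24 09:24 - 00137728 _____ () C:\Program Files (x86)\Common Files\Wondershare\Wondershare Helper Compact\CBSCreateVC.dll
2016-07-20 21:17 - 2014-02-15 11:48 - 00295936 _____ () C:\Program Files (x86)\Common Files\Wondershare\Wondershare Helper Compact\DAQExp.dll
End
Restore point was successfully created.
Processes closed successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{C4E194A4-3AC8-4C28-92D1-B6D741823ED4}" => key removed successfully
C:\Windows\System32\Tasks\0414bUpdateInfo => moved successfully
C:\Program Files (x86)\Common Files\Wondershare\Wondershare Helper Compact\CBSCreateVC.dll => moved successfully
EmptyTemp: => 6.3 GB temporary data Removed.
"""

# Outcome lines look like "<target> => <outcome>" (registry keys are quoted);
# CreateRestorePoint:/CloseProcesses: instead print a fixed sentence.
RESULT_RE = re.compile(r'^"?(?P<target>.+?)"? => (?P<outcome>.+?)\.?$')
DIRECTIVE_OK = {"CreateRestorePoint:": "Restore point was successfully created.",
                "CloseProcesses:": "Processes closed successfully."}

def parse_fixlog(text):
    """Return (echoed fixlist entries, {target: outcome}) from a Fixlog."""
    lines = [l.rstrip() for l in text.splitlines()]
    start, end = lines.index("start"), lines.index("End")
    fixlist = [l for l in lines[start + 1:end] if l.strip()]
    matches = (RESULT_RE.match(l) for l in lines[end + 1:])
    results = {m["target"]: m["outcome"] for m in matches if m}
    return fixlist, results

def entry_target(entry):
    if entry.startswith("Task: "):   # FRST moves the task XML under System32\Tasks\<name>
        name = entry.split("System32\\Tasks\\", 1)[1].split(" => ", 1)[0]
        return "C:\\Windows\\System32\\Tasks\\" + name
    return entry.split(" () ", 1)[-1]  # file listing lines: the path follows " () "

def entry_done(entry, text, results):
    if entry in DIRECTIVE_OK:
        return DIRECTIVE_OK[entry] in text
    if entry.endswith(":"):           # e.g. EmptyTemp: reports as "EmptyTemp: => ..."
        return entry in results
    return results.get(entry_target(entry), "").startswith("moved")

def unresolved_entries(text):
    """Fixlist entries for which the Fixlog shows no matching success line."""
    fixlist, results = parse_fixlog(text)
    return [e for e in fixlist if not entry_done(e, text, results)]
```

Anything returned by unresolved_entries is an item the helper should re-check on the next scan rather than assume was handled.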

#5 nasdaq

nasdaq

  • Malware Response Team
  • 38,594 posts
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:11:51 PM

Posted 30 October 2016 - 01:28 PM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can, please print this topic; it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

Press the Windows key + R on your keyboard at the same time. This will open the RUN box.
Type Notepad and click the OK key.
Please copy the entire contents of the code box below to a new file.
 
start


CreateRestorePoint:
CloseProcesses:

FF Plugin-x32: @avg.com/AVG SiteSafety plugin,version=11.0.0.1,application/x-avg-sitesafety-plugin -> C:\Program Files (x86)\Common Files\AVG Secure Search\SiteSafetyInstaller\40.2.3\\npsitesafety.dll [No File]
CHR Extension: (Avast Online Security) - C:\Users\Lix\AppData\Local\Google\Chrome\User Data\Default\Extensions\gomekmidlodglbbmalcneegieacbdmki [2016-07-18]
CHR Extension: (Chrome Web Store Payments) - C:\Users\Lix\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2016-04-08]
CHR Extension: (Chrome Media Router) - C:\Users\Lix\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm [2016-10-25]
CHR HKLM-x32\...\Chrome\Extension: [gomekmidlodglbbmalcneegieacbdmki] - C:\Program Files\AVAST Software\Avast\WebRep\Chrome\aswWebRepChrome.crx
C:\Users\Lix\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda
C:\Users\Lix\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm

End
Save the file as fixlist.txt in the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the Farbar log you have submitted.

Run FRST and click Fix only once and wait.

Restart the computer normally to reset the registry.

The tool will create a log (Fixlog.txt); please post it in your reply.
===

Any pending issues?

#6 LadyS

LadyS
  • Topic Starter

  • Members
  • 9 posts
  • Gender:Female
  • Local time:11:51 PM

Posted 30 October 2016 - 05:09 PM

Hi again, Nasdaq,

 

Hard to tell in terms of issues, since I had noticed no changes on my computer.

I'm not sure how I could know if some other personal information has been compromised in the meanwhile?

 

Please see attached fixlog.

 

Should I download a free malware to go along with Avast to help prevent this type of problem?

 

Thank you,

 

Lady S


#7 nasdaq

nasdaq

  • Malware Response Team
  • 38,594 posts
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:11:51 PM

Posted 31 October 2016 - 08:29 AM

Read these instructions.

To learn more about how to protect yourself while on the internet, read this little guide, Best Security Practices - Keep Safe:
http://www.bleepingcomputer.com/forums/t/407147/answers-to-common-security-questions-best-practices/


==

If connected by Wi-Fi to a router, make sure it's secure.
How to tell if my wireless is secure:
http://www.ehow.com/how_6775466_tell-wireless-secure_.html

#8 LadyS

LadyS
  • Topic Starter

  • Members
  • 9 posts
  • Gender:Female
  • Local time:11:51 PM

Posted 03 November 2016 - 08:14 PM

Thanks for your help, Nasdaq!
