Grandma's email address sending out spam


  • This topic is locked
6 replies to this topic

#1 mgoug252

mgoug252

  • Members
  • 41 posts
  • OFFLINE
  • Local time:06:43 PM

Posted 10 June 2017 - 06:59 PM

Hi there,

My grandma has been notified by several people recently that she has been sending out a lot of spam. It appears that the emails actually get sent to her as well and are not actually from her email address but are made to look like they are from her. They get sent out to various people in her contact list. She's also getting pop ups on the internet from "Firefox" saying that there is a "critical update" and it prompts you to download something from a sketchy website immediately (which I have told her not to do and she has assured me she just exits out of the internet when it happens). Just looking to see if anyone can help me figure out what's going on here.

Thanks,

Madison

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 10-06-2017
Ran by Owner (administrator) on LAPTOP (10-06-2017 17:45:11)
Running from C:\Users\Owner\Downloads
Loaded Profiles: Owner (Available Profiles: Owner)
Platform: Windows 10 Home Version 1607 (X64) Language: English (United States)
Internet Explorer Version 11 (Default browser: FF)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(AMD) C:\Windows\System32\atiesrxx.exe
(Advanced Micro Devices, Inc.) C:\Windows\SysWOW64\tbaseprovisioning.exe
(AMD) C:\Windows\System32\atieclxx.exe
(Avira Operations GmbH & Co. KG) C:\Program Files (x86)\Avira\Antivirus\sched.exe
() C:\Program Files\ATI Technologies\ATI.ACE\a4\AdaptiveSleepService.exe
(Windows ® Win 7 DDK provider) C:\Program Files (x86)\Bluetooth Suite\AdminService.exe
(Avira Operations GmbH & Co. KG) C:\Program Files (x86)\Avira\Antivirus\avguard.exe
(ELAN Microelectronics Corp.) C:\Program Files\Elantech\ETDService.exe
(Toshiba Corporation) C:\Program Files\TOSHIBA\Teco\TecoService.exe
(Malwarebytes) C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe
(Avira Operations GmbH & Co. KG) C:\Program Files (x86)\Avira\Launcher\Avira.ServiceHost.exe
(ELAN Microelectronics Corp.) C:\Program Files\Elantech\ETDCtrl.exe
(ELAN Microelectronics Corp.) C:\Program Files\Elantech\ETDCtrlHelper.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe
(Avira Operations GmbH & Co. KG) C:\Program Files (x86)\Avira\Antivirus\avshadow.exe
(TOSHIBA Corporation) C:\Program Files\TOSHIBA\Hotkey\TCrdMain_Win8.exe
(TOSHIBA Corporation) C:\Program Files\TOSHIBA\Teco\TecoResident.exe
(Malwarebytes) C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe
(TOSHIBA CORPORATION) C:\Program Files (x86)\TOSHIBA\Utilities\KeNotify.exe
(TOSHIBA) C:\Program Files\TOSHIBA\TOSHIBA Smart View Utility\TDUSrv64.exe
(Avira Operations GmbH & Co. KG) C:\Program Files (x86)\Avira\Antivirus\avgnt.exe
(Oracle Corporation) C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
(Avira Operations GmbH & Co. KG) C:\Program Files (x86)\Avira\Launcher\Avira.Systray.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
(WildTangent) C:\Program Files (x86)\WildTangent Games\App\GamesAppIntegrationService.exe
(TOSHIBA Corporation) C:\Program Files\TOSHIBA\TOSHIBA Service Station\ToshibaServiceStation.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe
(TOSHIBA Corporation) C:\Program Files\TOSHIBA\TOSHIBA Service Station\TMachInfo.exe
(Microsoft Corporation) C:\Windows\ImmersiveControlPanel\SystemSettings.exe
(Avira Operations GmbH & Co. KG) C:\Program Files (x86)\Avira\Antivirus\avscan.exe
(Avira Operations GmbH & Co. KG) C:\Program Files (x86)\Avira\Antivirus\avscan.exe
() C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.17.420.0_x64__kzf8qxf38zg5c\SkypeHost.exe
(Microsoft Corporation) C:\Program Files\WindowsApps\Microsoft.WindowsStore_11703.1001.45.0_x64__8wekyb3d8bbwe\WinStore.App.exe
(Microsoft Corporation) C:\Windows\System32\InstallAgent.exe
() C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.8218.40507.0_x64__8wekyb3d8bbwe\HxMail.exe
(Microsoft Corporation) C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.8218.40507.0_x64__8wekyb3d8bbwe\HxTsr.exe
(Mozilla Corporation) C:\Program Files (x86)\Mozilla Firefox\firefox.exe
(Mozilla Corporation) C:\Program Files (x86)\Mozilla Firefox\firefox.exe
(Mozilla Corporation) C:\Program Files (x86)\Mozilla Firefox\firefox.exe
(Microsoft Corporation) C:\Windows\System32\smartscreen.exe

==================== Registry (Whitelisted) ====================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [ETDCtrl] => C:\Program Files\Elantech\ETDCtrl.exe [3873000 2016-06-02] (ELAN Microelectronics Corp.)
HKLM\...\Run: [TCrdMain] => C:\Program Files\TOSHIBA\Hotkey\TCrdMain_Win8.exe [2556768 2013-10-08] (TOSHIBA Corporation)
HKLM\...\Run: [TosWaitSrv] => C:\Program Files\TOSHIBA\TPHM\TosWaitSrv.exe [354144 2013-08-13] (TOSHIBA Corporation)
HKLM\...\Run: [TecoResident] => C:\Program Files\TOSHIBA\Teco\TecoResident.exe [179288 2014-04-17] (TOSHIBA Corporation)
HKLM\...\Run: [TSSSrv] => C:\Program Files (x86)\TOSHIBA\System Setting\TSSSrv.exe [296008 2013-10-21] (TOSHIBA Corporation)
HKLM\...\Run: [Malwarebytes TrayApp] => C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\mbamtray.exe [2780112 2017-01-20] (Malwarebytes)
HKLM-x32\...\Run: [Adobe ARM] => C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe [959904 2013-12-21] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [KeNotify] => C:\Program Files (x86)\TOSHIBA\Utilities\KeNotify.exe [34160 2013-08-05] (TOSHIBA CORPORATION)
HKLM-x32\...\Run: [TSVU] => c:\Program Files\TOSHIBA\TOSHIBA Smart View Utility\TosSmartViewLauncher.exe [516512 2013-07-23] (TOSHIBA)
HKLM-x32\...\Run: [Avira SystrayStartTrigger] => C:\Program Files (x86)\Avira\Launcher\Avira.SystrayStartTrigger.exe [61944 2017-04-11] (Avira Operations GmbH & Co. KG)
HKLM-x32\...\Run: [avgnt] => C:\Program Files (x86)\Avira\Antivirus\avgnt.exe [912768 2017-05-04] (Avira Operations GmbH & Co. KG)
HKLM-x32\...\Run: [SunJavaUpdateSched] => C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe [587288 2017-03-15] (Oracle Corporation)
Startup: C:\Users\Owner\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OpenOffice.org 3.1.lnk [2014-10-03]
ShortcutTarget: OpenOffice.org 3.1.lnk -> C:\Program Files (x86)\OpenOffice.org 3\program\quickstart.exe ()

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

Tcpip\Parameters: [DhcpNameServer] 192.168.1.254 75.153.171.114
Tcpip\..\Interfaces\{2b08ff22-c949-4e0d-b089-74e80ef5e936}: [DhcpNameServer] 192.168.1.254 75.153.171.114

Internet Explorer:
==================
HKU\S-1-5-21-54563714-2800511886-420183195-1001\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.yahoo.ca/
HKU\S-1-5-21-54563714-2800511886-420183195-1001\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://toshiba13.msn.com/?pc=TNJB
SearchScopes: HKU\S-1-5-21-54563714-2800511886-420183195-1001 -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
BHO-x32: Java™ Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files (x86)\Java\jre1.8.0_131\bin\ssv.dll [2017-06-02] (Oracle Corporation)
BHO-x32: Java™ Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files (x86)\Java\jre1.8.0_131\bin\jp2ssv.dll [2017-06-02] (Oracle Corporation)

FireFox:
========
FF ProfilePath: C:\Users\Owner\AppData\Roaming\Mozilla\Firefox\Profiles\ww4x5Cbx.default [2017-06-10]
FF Homepage: Mozilla\Firefox\Profiles\ww4x5Cbx.default -> www.yahoo.ca
FF Extension: (Avira Browser Safety) - C:\Users\Owner\AppData\Roaming\Mozilla\Firefox\Profiles\ww4x5Cbx.default\Extensions\abs@avira.com.xpi [2017-06-06]
FF Extension: (Follow-on Search Telemetry) - C:\Users\Owner\AppData\Roaming\Mozilla\Firefox\Profiles\ww4x5Cbx.default\features\{b6fe77af-0673-4030-8c57-7642bc34ad84}\followonsearch@mozilla.com.xpi [2017-06-06]
FF Plugin-x32: @java.com/DTPlugin,version=11.131.2 -> C:\Program Files (x86)\Java\jre1.8.0_131\bin\dtplugin\npDeployJava1.dll [2017-06-02] (Oracle Corporation)
FF Plugin-x32: @java.com/JavaPlugin,version=11.131.2 -> C:\Program Files (x86)\Java\jre1.8.0_131\bin\plugin2\npjp2.dll [2017-06-02] (Oracle Corporation)
FF Plugin-x32: @WildTangent.com/GamesAppPresenceDetector,Version=1.0 -> C:\Program Files (x86)\WildTangent Games\App\BrowserIntegration\Registered\0\NP_wtapp.dll [2015-08-13] ()
FF Plugin-x32: Adobe Reader -> C:\Program Files (x86)\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll [2013-12-21] (Adobe Systems Inc.)

Chrome:
=======
CHR HKLM\...\Chrome\Extension: [flliilndjeohchalpbbcdekjklbdgfkk] - hxxps://clients2.google.com/service/update2/crx
CHR HKLM-x32\...\Chrome\Extension: [flliilndjeohchalpbbcdekjklbdgfkk] - hxxps://clients2.google.com/service/update2/crx

==================== Services (Whitelisted) ====================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R2 AdaptiveSleepService; C:\Program Files\ATI Technologies\ATI.ACE\A4\AdaptiveSleepService.exe [140288 2015-02-12] () [File not signed]
S2 AntiVirMailService; C:\Program Files (x86)\Avira\Antivirus\avmailc7.exe [1119712 2017-05-04] (Avira Operations GmbH & Co. KG)
R2 AntiVirSchedulerService; C:\Program Files (x86)\Avira\Antivirus\sched.exe [488920 2017-05-04] (Avira Operations GmbH & Co. KG)
R2 AntiVirService; C:\Program Files (x86)\Avira\Antivirus\avguard.exe [488920 2017-05-04] (Avira Operations GmbH & Co. KG)
S2 AntiVirWebService; C:\Program Files (x86)\Avira\Antivirus\avwebg7.exe [1520680 2017-05-04] (Avira Operations GmbH & Co. KG)
R2 AtherosSvc; C:\Program Files (x86)\Bluetooth Suite\adminservice.exe [319104 2014-03-19] (Windows ® Win 7 DDK provider) [File not signed]
R2 Avira.ServiceHost; C:\Program Files (x86)\Avira\Launcher\Avira.ServiceHost.exe [350120 2017-04-11] (Avira Operations GmbH & Co. KG)
R2 ETDService; C:\Program Files\Elantech\ETDService.exe [144608 2016-06-02] (ELAN Microelectronics Corp.)
R2 GamesAppIntegrationService; C:\Program Files (x86)\WildTangent Games\App\GamesAppIntegrationService.exe [349728 2015-08-13] (WildTangent)
R2 MBAMService; C:\Program Files\Malwarebytes\Anti-Malware\mbamservice.exe [4355024 2017-01-20] (Malwarebytes)
R2 tbaseprovisioning; C:\WINDOWS\SysWOW64\tbaseprovisioning.exe [60432 2015-06-23] (Advanced Micro Devices, Inc.)
S3 WdNisSvc; C:\Program Files\Windows Defender\NisSrv.exe [347328 2017-03-28] (Microsoft Corporation)
S3 WinDefend; C:\Program Files\Windows Defender\MsMpEng.exe [103720 2017-03-28] (Microsoft Corporation)

===================== Drivers (Whitelisted) ======================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R3 AmdAS4; C:\WINDOWS\System32\drivers\AmdAS4.sys [17640 2013-10-24] (Advanced Micro Devices, INC.)
S3 amdkmcsp; C:\WINDOWS\system32\DRIVERS\amdkmcsp.sys [101104 2015-06-23] (Advanced Micro Devices, Inc. )
R0 amdkmpfd; C:\WINDOWS\System32\drivers\amdkmpfd.sys [36608 2013-12-14] (Advanced Micro Devices, Inc.)
R0 amdpsp; C:\WINDOWS\System32\DRIVERS\amdpsp.sys [277240 2015-06-23] (Advanced Micro Devices, Inc. )
R3 AtiHDAudioService; C:\WINDOWS\system32\drivers\AtihdWT6.sys [102912 2015-05-28] (Advanced Micro Devices)
R2 avgntflt; C:\WINDOWS\System32\DRIVERS\avgntflt.sys [161824 2017-03-25] (Avira Operations GmbH & Co. KG)
R1 avipbb; C:\WINDOWS\system32\DRIVERS\avipbb.sys [163976 2017-03-25] (Avira Operations GmbH & Co. KG)
R1 avkmgr; C:\WINDOWS\system32\DRIVERS\avkmgr.sys [44488 2017-03-25] (Avira Operations GmbH & Co. KG)
R2 avnetflt; C:\WINDOWS\system32\DRIVERS\avnetflt.sys [88488 2017-03-25] (Avira Operations GmbH & Co. KG)
S3 dot4; C:\WINDOWS\system32\DRIVERS\Dot4.sys [151968 2012-10-19] (Windows ® Win 7 DDK provider)
S3 Dot4Print; C:\WINDOWS\System32\drivers\Dot4Prt.sys [27040 2012-10-19] (Windows ® Win 7 DDK provider)
S3 ETDSMBus; C:\WINDOWS\system32\DRIVERS\ETDSMBus.sys [24904 2014-02-06] (ELAN Microelectronic Corp.)
R2 MBAMChameleon; C:\WINDOWS\system32\drivers\MBAMChameleon.sys [176584 2017-02-27] (Malwarebytes)
R3 MBAMSwissArmy; C:\WINDOWS\system32\drivers\MBAMSwissArmy.sys [251832 2017-06-04] (Malwarebytes)
S3 NetAdapterCx; C:\WINDOWS\System32\drivers\NetAdapterCx.sys [90624 2016-07-16] ()
R3 RSP2STOR; C:\WINDOWS\system32\DRIVERS\RtsP2Stor.sys [310528 2015-06-09] (Realtek Semiconductor Corp.)
R3 SmbDrv; C:\WINDOWS\system32\DRIVERS\Smb_driver_AMDASF.sys [30448 2013-10-30] (Synaptics Incorporated)
R3 Thotkey; C:\WINDOWS\System32\drivers\Thotkey.sys [54424 2015-07-29] (Toshiba Corporation)
S3 WdBoot; C:\WINDOWS\system32\drivers\WdBoot.sys [44056 2016-07-16] (Microsoft Corporation)
S3 WdFilter; C:\WINDOWS\system32\drivers\WdFilter.sys [290144 2016-07-16] (Microsoft Corporation)
S3 WdNisDrv; C:\WINDOWS\System32\Drivers\WdNisDrv.sys [123232 2016-07-16] (Microsoft Corporation)

==================== NetSvcs (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)


==================== One Month Created files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2017-06-10 17:45 - 2017-06-10 17:47 - 00012838 _____ C:\Users\Owner\Downloads\FRST.txt
2017-06-10 17:43 - 2017-06-10 17:45 - 00000000 ____D C:\FRST
2017-06-10 17:41 - 2017-06-10 17:43 - 00001518 _____ C:\Users\Owner\Desktop\FRST64 - Shortcut.lnk
2017-06-10 17:40 - 2017-06-10 17:43 - 02437120 _____ (Farbar) C:\Users\Owner\Downloads\FRST64.exe
2017-06-09 10:46 - 2017-06-09 10:49 - 00000000 ____D C:\Program Files\UNP
2017-06-09 10:46 - 2017-06-09 10:46 - 00000000 ____D C:\WINDOWS\system32\UNP
2017-06-04 21:36 - 2017-06-04 21:36 - 00000000 ___HD C:\OneDriveTemp
2017-06-02 12:32 - 2017-06-02 12:32 - 00738368 _____ (Oracle Corporation) C:\Users\Owner\Downloads\JavaSetup8u131.exe

==================== One Month Modified files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2017-06-10 17:38 - 2016-07-16 05:36 - 00000000 ____D C:\WINDOWS\CbsTemp
2017-06-10 17:33 - 2016-09-10 20:02 - 00000000 ____D C:\WINDOWS\system32\SleepStudy
2017-06-10 15:17 - 2016-11-18 18:29 - 00000000 ____D C:\Users\Owner\AppData\LocalLow\Mozilla
2017-06-09 19:27 - 2016-07-16 05:47 - 00000000 ___HD C:\Program Files\WindowsApps
2017-06-09 19:27 - 2016-07-16 05:47 - 00000000 ____D C:\WINDOWS\AppReadiness
2017-06-09 10:48 - 2016-07-16 05:47 - 00000000 ____D C:\WINDOWS\system32\appraiser
2017-06-05 11:52 - 2016-09-10 20:10 - 00000000 ____D C:\Users\Owner
2017-06-04 21:36 - 2014-10-07 15:23 - 00000000 ___RD C:\Users\Owner\OneDrive
2017-06-04 21:35 - 2017-02-27 21:24 - 00251832 _____ (Malwarebytes) C:\WINDOWS\system32\Drivers\MBAMSwissArmy.sys
2017-06-04 21:35 - 2014-06-18 07:03 - 03031334 _____ C:\WINDOWS\SysWOW64\rootpa.e2e
2017-06-04 21:34 - 2016-09-10 20:28 - 00000006 ____H C:\WINDOWS\Tasks\SA.DAT
2017-06-04 21:33 - 2016-09-10 20:05 - 00065536 _____ C:\WINDOWS\system32\spu_storage.bin
2017-06-04 21:33 - 2016-07-16 00:04 - 00786432 _____ C:\WINDOWS\system32\config\BBI
2017-06-03 12:04 - 2016-08-08 17:46 - 00000481 _____ C:\Users\Owner\AppData\Roaming\Microsoft\Windows\Start Menu\(40) Facebook.website
2017-06-02 12:35 - 2015-11-09 21:09 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Java
2017-06-02 12:35 - 2015-11-09 21:08 - 00000000 ____D C:\ProgramData\Oracle
2017-06-02 12:35 - 2014-10-03 20:43 - 00000000 ____D C:\Program Files (x86)\Java
2017-06-02 12:33 - 2015-11-09 21:09 - 00097856 _____ (Oracle Corporation) C:\WINDOWS\SysWOW64\WindowsAccessBridge-32.dll
2017-06-02 12:18 - 2016-04-13 20:22 - 01507862 _____ C:\WINDOWS\system32\PerfStringBackup.INI
2017-06-01 19:27 - 2016-11-18 09:33 - 00000000 ____D C:\Program Files (x86)\Mozilla Firefox
2017-06-01 19:27 - 2016-09-18 16:35 - 00000000 ____D C:\Program Files (x86)\Mozilla Maintenance Service
2017-05-31 19:12 - 2016-07-16 05:47 - 00000000 ____D C:\WINDOWS\system32\NDF
2017-05-22 20:55 - 2014-10-03 14:49 - 00000000 ____D C:\WINDOWS\system32\MRT
2017-05-22 20:51 - 2014-10-03 14:49 - 132223576 ____C (Microsoft Corporation) C:\WINDOWS\system32\MRT.exe

==================== Files in the root of some directories =======

2016-09-10 20:04 - 2016-09-10 20:04 - 0000000 ____H () C:\ProgramData\DP45977C.lfl

Some files in TEMP:
====================
2016-09-13 10:33 - 2016-09-13 10:33 - 0000000 ____D () C:\Users\Owner\AppData\Local\Temp\avgnt.exe

==================== Bamital & volsnap ======================

(There is no automatic fix for files that do not pass verification.)

C:\WINDOWS\system32\winlogon.exe => File is digitally signed
C:\WINDOWS\system32\wininit.exe => File is digitally signed
C:\WINDOWS\explorer.exe => File is digitally signed
C:\WINDOWS\SysWOW64\explorer.exe => File is digitally signed
C:\WINDOWS\system32\svchost.exe => File is digitally signed
C:\WINDOWS\SysWOW64\svchost.exe => File is digitally signed
C:\WINDOWS\system32\services.exe => File is digitally signed
C:\WINDOWS\system32\User32.dll => File is digitally signed
C:\WINDOWS\SysWOW64\User32.dll => File is digitally signed
C:\WINDOWS\system32\userinit.exe => File is digitally signed
C:\WINDOWS\SysWOW64\userinit.exe => File is digitally signed
C:\WINDOWS\system32\rpcss.dll => File is digitally signed
C:\WINDOWS\system32\dnsapi.dll => File is digitally signed
C:\WINDOWS\SysWOW64\dnsapi.dll => File is digitally signed
C:\WINDOWS\system32\Drivers\volsnap.sys => File is digitally signed

LastRegBack: 2017-06-02 12:51

==================== End of FRST.txt ============================


#2 nasdaq

nasdaq

  • Malware Response Team
  • 39,543 posts
  • OFFLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:09:43 PM

Posted 11 June 2017 - 12:28 PM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

Press the Windows key + R on your keyboard at the same time. This will open the RUN BOX.
Type Notepad and click the OK key.

Please copy the entire contents of the code box below to a new file.
Start

CreateRestorePoint:
EmptyTemp:
CloseProcesses:

CHR HKLM\...\Chrome\Extension: [flliilndjeohchalpbbcdekjklbdgfkk] - hxxps://clients2.google.com/service/update2/crx
CHR HKLM-x32\...\Chrome\Extension: [flliilndjeohchalpbbcdekjklbdgfkk] - hxxps://clients2.google.com/service/update2/crx
Task: {0BAD4A8A-9D97-4DB1-9577-AF0B880458DA} - \Microsoft\Windows\Setup\GWXTriggers\OutOfSleep-5d -> No File <==== ATTENTION
Task: {146E870A-B706-4AFE-AB28-6CCA01C4A659} - \Microsoft\Windows\Setup\gwx\refreshgwxconfig -> No File <==== ATTENTION
Task: {44605937-296D-4027-8205-DBD012BDB8B6} - \Microsoft\Windows\Setup\GWXTriggers\MachineUnlock-5d -> No File <==== ATTENTION
Task: {5D944BF5-1263-44F1-9DC0-171960061304} - \Microsoft\Windows\Setup\GWXTriggers\refreshgwxconfig-B -> No File <==== ATTENTION
Task: {73965ACE-130C-47A8-B9CE-6644CA753872} - \Microsoft\Windows\Setup\GWXTriggers\Time-5d -> No File <==== ATTENTION
Task: {7F02634B-02F4-403F-A569-7583E8B6FE80} - \Microsoft\Windows\Setup\GWXTriggers\Logon-5d -> No File <==== ATTENTION
Task: {8E6889F1-85D4-42E7-8646-8EDD2D051B06} - \Microsoft\Windows\Setup\gwx\launchtrayprocess -> No File <==== ATTENTION
Task: {A062D40D-EABB-459A-AD94-A9859377D861} - \Microsoft\Windows\Setup\GWXTriggers\OutOfIdle-5d -> No File <==== ATTENTION
Task: {A826FB3B-D27D-4BEF-BE4B-6F4E47575C44} - \Microsoft\Windows\Setup\GWXTriggers\ScheduleUpgradeTime -> No File <==== ATTENTION
Task: {A9EA0EDF-0555-42F0-9123-113C622E72B4} - System32\Tasks\Microsoft\Windows\Setup\UpgradeTriggers\UpgradeNowTask => C:\WINDOWS\System32\GWX\GWXUXWorker.exe
Task: {BAB22010-5771-4E56-93D0-68558AC5101A} - \Microsoft\Windows\Setup\gwx\refreshgwxconfigandcontent -> No File <==== ATTENTION
Task: {CAD98419-0AD9-442C-BE2B-5DE901507357} - \WPD\SqmUpload_S-1-5-21-54563714-2800511886-420183195-1001 -> No File <==== ATTENTION
Task: {D086883B-4E36-4DA4-8358-3ABD10701411} - \Microsoft\Windows\Setup\GWXTriggers\OnIdle-5d -> No File <==== ATTENTION
Task: {DE5137F4-7320-404D-9C2C-AA16C3B6B1BB} - \Microsoft\Windows\Setup\GWXTriggers\ScheduleUpgradeReminderTime -> No File <==== ATTENTION
Task: {EC12B5F8-8E7A-43A9-8BAA-A248E8DC7CFF} - \Microsoft\Windows\Setup\gwx\refreshgwxcontent -> No File <==== ATTENTION
Task: {FE5C767A-B048-4738-9DDB-9F32ED9F2CD1} - System32\Tasks\Microsoft\Windows\Setup\UpgradeTriggers\UpgradeReminderTask => C:\WINDOWS\System32\GWX\GWX.exe
AlternateDataStreams: C:\Users\Owner\AppData\Roaming\Microsoft\Windows\Start Menu\(40) Facebook.website:TASKICON_0news-1751121550 [2302]
AlternateDataStreams: C:\Users\Owner\AppData\Roaming\Microsoft\Windows\Start Menu\(40) Facebook.website:TASKICON_1messages-431041656 [2302]
AlternateDataStreams: C:\Users\Owner\AppData\Roaming\Microsoft\Windows\Start Menu\(40) Facebook.website:TASKICON_2events-250898981 [2302]
AlternateDataStreams: C:\Users\Owner\AppData\Roaming\Microsoft\Windows\Start Menu\(40) Facebook.website:TASKICON_3friends-215113587 [2302]
C:\Windows\System32\Tasks\Microsoft\Windows\Setup\UpgradeTriggers\UpgradeNowTask
C:\Windows\System32\Tasks\Microsoft\Windows\Setup\UpgradeTriggers\UpgradeReminderTask
C:\WINDOWS\System32\GWX

End
Save the file as fixlist.txt in the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the Farbar log you have submitted.

Run FRST and click Fix only once and wait.

The tool will create a log (Fixlog.txt) please post it to your reply.
===

Firefox:
Reset Default Browsing settings:
https://support.mozilla.org/en-US/kb/reset-firefox-easily-fix-problems?utm_expid=65912487-41.djHNRQY0RhaLvvtvcd0BQA.2&utm_referrer=https%3A%2F%2Fwww.google.ca%2F

Clean the Firefox Cache.
https://kb.iu.edu/d/ahic#firefox
<<<>>>

As for the E-mail spoofing I can only suggest that you Change the Password for the Email used.

It is very easy to SPOOF or FORGE the FROM: address on emails. It is like the return address on an envelope, you can write anything in that position. Your friends/family just need to be aware of this and delete any suspicious, unexpected messages. They should not even open the messages. They should increase the sensitivity of their spam filters if possible.

Once spammers have a valid address, they will continue to use it. If the forged messages bother you enough, I would recommend that you get a new email address and let all your contacts know to expect communications from the new email address ONLY and ignore messages from your old email.

p.s.
Make sure that the Password is strong. It should be at least 8 characters.
Check with the e-mail provider.

Please let me know what problem persists with this computer.
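One way a recipient can tell a forged From: header from a genuine one, as an added example that is not part of nasdaq's reply: the check reads the Return-Path and Authentication-Results headers that the receiving mail server adds, and compares the envelope sender and the SPF/DKIM/DMARC verdicts against the visible From: domain. The two messages, their domains and the mail server name are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr


def domain_of(addr):
    """Return the lowercase domain of 'Name <user@host>' (empty string if none)."""
    _, address = parseaddr(addr or "")
    if "@" not in address:
        return ""
    return address.rsplit("@", 1)[1].lower()


def auth_results(msg):
    """Collect spf/dkim/dmarc verdicts from every Authentication-Results header."""
    results = {}
    for header in msg.get_all("Authentication-Results", []):
        for mech, verdict in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", str(header), re.I):
            results.setdefault(mech.lower(), verdict.lower())
    return results


def assess_spoofing(raw_message):
    """Return (verdict, reasons) for a raw RFC 5322 message as delivered to the recipient."""
    msg = message_from_string(raw_message)
    from_domain = domain_of(msg.get("From"))
    # Return-Path is the envelope sender the receiving server recorded; a forger can
    # write anything in From: but the bounce address usually points at their own relay.
    return_path_domain = domain_of(msg.get("Return-Path"))
    auth = auth_results(msg)
    reasons = []
    if return_path_domain and return_path_domain != from_domain:
        reasons.append(f"Return-Path domain {return_path_domain} differs from From domain {from_domain}")
    if not auth:
        reasons.append("no Authentication-Results header, sender unverified")
    elif auth.get("dmarc") == "fail":
        reasons.append("DMARC failed")
    elif auth.get("dkim") != "pass" and auth.get("spf") != "pass":
        reasons.append("neither SPF nor DKIM passed")
    verdict = "likely forged" if reasons else "no forgery indicators"
    return verdict, reasons


# Constructed sample: a spam message forged to look like it came from grandma.
FORGED_MESSAGE = """\
Return-Path: <bounce-1234@spam-sender.example.net>
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=spam-sender.example.net; dkim=none; dmarc=fail header.from=example.org
From: Grandma <grandma@example.org>
To: friend@example.com
Subject: Look at this!

Click here for a great deal.
"""

# Constructed sample: a genuine message from the same address.
LEGIT_MESSAGE = """\
Return-Path: <grandma@example.org>
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=example.org; dkim=pass header.d=example.org; dmarc=pass header.from=example.org
From: Grandma <grandma@example.org>
To: friend@example.com
Subject: Sunday dinner

See you at six.
"""

if __name__ == "__main__":
    for label, raw in (("forged", FORGED_MESSAGE), ("legit", LEGIT_MESSAGE)):
        verdict, reasons = assess_spoofing(raw)
        print(f"{label}: {verdict}; {'; '.join(reasons) or 'none'}")
```

The same headers are visible in most webmail clients under "show original" or "view source", so a recipient can apply the check by eye before opening an unexpected message.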

#3 mgoug252

mgoug252
  • Topic Starter

  • Members
  • 41 posts
  • OFFLINE
  • Local time:06:43 PM

Posted 11 June 2017 - 04:49 PM

Hi nasdaq,

Thanks for all your help. So I went to go run FRST with that fixlist and it unfortunately froze when it got to something to do with Firefox Profiles in User/Local/AppData. I just ended the program and didn't click fix again because I wasn't sure what would happen. I also noticed that during this, a bunch of notifications popped about something being wrong with the sound and opened Firefox to take me to a Microsoft page on ways to troubleshoot the sound.

I did reset the default settings for Firefox and cleared the cache.

In regards to my grandma's email, we have already changed her password once. I will try that again and if it doesn't work, I will suggest to her that she get a new email address or to let those contacts that receive the spam know to just delete the messages.

Thanks,

Madison



#4 nasdaq

nasdaq

  • Malware Response Team
  • 39,543 posts
  • OFFLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:09:43 PM

Posted 12 June 2017 - 07:36 AM


Please download AdwCleaner by Xplode onto your Desktop.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click the Scan button and wait for the process to complete.
  • Click the LogFile button and the report will open in Notepad.
IMPORTANT
  • If you click the Clean button all items listed in the report will be removed.
If you find some false positive items or programs that you wish to keep, Close the AdwCleaner windows.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click the Scan button and wait for the process to complete.
  • Check off the element(s) you wish to keep.
  • Click on the Clean button follow the prompts.
  • A log file will automatically open after the scan has finished.
  • Please post the content of that log file with your next answer.
  • You can find the log file at C:\AdwCleanerCx.txt (x is a number).
===

Please run the Farbar tool Normally and post only a Fresh FRST log for my review.

===

Do you have any problems with the Windows sound?

#5 mgoug252

mgoug252
  • Topic Starter

  • Members
  • 41 posts
  • OFFLINE
  • Local time:06:43 PM

Posted 12 June 2017 - 10:33 PM

Hi there,

Here are the logs that you requested. And no, I have no issues with the sound, this only popped up when I started running the fixlist that froze.


# AdwCleaner v6.047 - Logfile created 12/06/2017 at 21:18:31
# Updated on 19/05/2017 by Malwarebytes
# Database : 2017-06-13.2 [Server]
# Operating System : Windows 10 Home  (X64)
# Username : Owner - LAPTOP
# Running from : C:\Users\Owner\Downloads\adwcleaner_6.047.exe
# Mode: Scan
# Support : https://www.malwarebytes.com/support



***** [ Services ] *****

No malicious services found.


***** [ Folders ] *****

No malicious folders found.


***** [ Files ] *****

No malicious files found.


***** [ DLL ] *****

No malicious DLLs found.


***** [ WMI ] *****

No malicious keys found.


***** [ Shortcuts ] *****

No infected shortcut found.


***** [ Scheduled Tasks ] *****

No malicious task found.


***** [ Registry ] *****

No malicious registry entries found.


***** [ Web browsers ] *****

No malicious Firefox based browser items found.
No malicious Chromium based browser items found.

*************************

C:\AdwCleaner\AdwCleaner[S0].txt - [990 Bytes] - [12/06/2017 21:18:31]


Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 11-06-2017
Ran by Owner (administrator) on LAPTOP (12-06-2017 21:24:03)
Running from C:\Users\Owner\Downloads
Loaded Profiles: Owner (Available Profiles: Owner)
Platform: Windows 10 Home Version 1607 (X64) Language: English (United States)
Internet Explorer Version 11 (Default browser: FF)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(Avira Operations GmbH & Co. KG) C:\Program Files (x86)\Avira\Antivirus\sched.exe
(Avira Operations GmbH & Co. KG) C:\Program Files (x86)\Avira\Antivirus\avguard.exe
(Avira Operations GmbH & Co. KG) C:\Program Files (x86)\Avira\Launcher\Avira.ServiceHost.exe
(Malwarebytes) C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe
(Avira Operations GmbH & Co. KG) C:\Program Files (x86)\Avira\Antivirus\avshadow.exe
(Malwarebytes) C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe
(Avira Operations GmbH & Co. KG) C:\Program Files (x86)\Avira\Antivirus\avgnt.exe
() C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.17.420.0_x64__kzf8qxf38zg5c\SkypeHost.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe
(Microsoft Corporation) C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.1051_none_7f2bf7ea21d201b2\TiWorker.exe
(Microsoft Corporation) C:\Windows\System32\smartscreen.exe

==================== Registry (Whitelisted) ====================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [ETDCtrl] => C:\Program Files\Elantech\ETDCtrl.exe [3873000 2016-06-02] (ELAN Microelectronics Corp.)
HKLM\...\Run: [TCrdMain] => C:\Program Files\TOSHIBA\Hotkey\TCrdMain_Win8.exe [2556768 2013-10-08] (TOSHIBA Corporation)
HKLM\...\Run: [TosWaitSrv] => C:\Program Files\TOSHIBA\TPHM\TosWaitSrv.exe [354144 2013-08-13] (TOSHIBA Corporation)
HKLM\...\Run: [TecoResident] => C:\Program Files\TOSHIBA\Teco\TecoResident.exe [179288 2014-04-17] (TOSHIBA Corporation)
HKLM\...\Run: [TSSSrv] => C:\Program Files (x86)\TOSHIBA\System Setting\TSSSrv.exe [296008 2013-10-21] (TOSHIBA Corporation)
HKLM\...\Run: [Malwarebytes TrayApp] => C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\mbamtray.exe [2780112 2017-01-20] (Malwarebytes)
HKLM-x32\...\Run: [Adobe ARM] => C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe [959904 2013-12-21] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [KeNotify] => C:\Program Files (x86)\TOSHIBA\Utilities\KeNotify.exe [34160 2013-08-05] (TOSHIBA CORPORATION)
HKLM-x32\...\Run: [TSVU] => c:\Program Files\TOSHIBA\TOSHIBA Smart View Utility\TosSmartViewLauncher.exe [516512 2013-07-23] (TOSHIBA)
HKLM-x32\...\Run: [Avira SystrayStartTrigger] => C:\Program Files (x86)\Avira\Launcher\Avira.SystrayStartTrigger.exe [61944 2017-04-11] (Avira Operations GmbH & Co. KG)
HKLM-x32\...\Run: [avgnt] => C:\Program Files (x86)\Avira\Antivirus\avgnt.exe [912768 2017-05-04] (Avira Operations GmbH & Co. KG)
HKLM-x32\...\Run: [SunJavaUpdateSched] => C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe [587288 2017-03-15] (Oracle Corporation)
Startup: C:\Users\Owner\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OpenOffice.org 3.1.lnk [2014-10-03]
ShortcutTarget: OpenOffice.org 3.1.lnk -> C:\Program Files (x86)\OpenOffice.org 3\program\quickstart.exe ()

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

Tcpip\Parameters: [DhcpNameServer] 192.168.1.254 75.153.171.114
Tcpip\..\Interfaces\{2b08ff22-c949-4e0d-b089-74e80ef5e936}: [DhcpNameServer] 192.168.1.254 75.153.171.114

Internet Explorer:
==================
HKU\S-1-5-21-54563714-2800511886-420183195-1001\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.yahoo.ca/
HKU\S-1-5-21-54563714-2800511886-420183195-1001\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://toshiba13.msn.com/?pc=TNJB
SearchScopes: HKU\S-1-5-21-54563714-2800511886-420183195-1001 -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
BHO-x32: Java™ Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files (x86)\Java\jre1.8.0_131\bin\ssv.dll [2017-06-02] (Oracle Corporation)
BHO-x32: Java™ Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files (x86)\Java\jre1.8.0_131\bin\jp2ssv.dll [2017-06-02] (Oracle Corporation)

FireFox:
========
FF DefaultProfile: iknxp7j9.default-1497217101019
FF ProfilePath: C:\Users\Owner\AppData\Roaming\Mozilla\Firefox\Profiles\iknxp7j9.default-1497217101019 [2017-06-12]
FF Homepage: Mozilla\Firefox\Profiles\iknxp7j9.default-1497217101019 -> www.yahoo.ca
FF Extension: (Follow-on Search Telemetry) - C:\Users\Owner\AppData\Roaming\Mozilla\Firefox\Profiles\iknxp7j9.default-1497217101019\features\{33b9dd7d-2cb3-4f01-ac46-2b2e7178e17e}\followonsearch@mozilla.com.xpi [2017-06-11]
FF Plugin-x32: @java.com/DTPlugin,version=11.131.2 -> C:\Program Files (x86)\Java\jre1.8.0_131\bin\dtplugin\npDeployJava1.dll [2017-06-02] (Oracle Corporation)
FF Plugin-x32: @java.com/JavaPlugin,version=11.131.2 -> C:\Program Files (x86)\Java\jre1.8.0_131\bin\plugin2\npjp2.dll [2017-06-02] (Oracle Corporation)
FF Plugin-x32: @WildTangent.com/GamesAppPresenceDetector,Version=1.0 -> C:\Program Files (x86)\WildTangent Games\App\BrowserIntegration\Registered\0\NP_wtapp.dll [2015-08-13] ()
FF Plugin-x32: Adobe Reader -> C:\Program Files (x86)\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll [2013-12-21] (Adobe Systems Inc.)

==================== Services (Whitelisted) ====================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

S2 AdaptiveSleepService; C:\Program Files\ATI Technologies\ATI.ACE\A4\AdaptiveSleepService.exe [140288 2015-02-12] () [File not signed]
S2 AntiVirMailService; C:\Program Files (x86)\Avira\Antivirus\avmailc7.exe [1119712 2017-05-04] (Avira Operations GmbH & Co. KG)
R2 AntiVirSchedulerService; C:\Program Files (x86)\Avira\Antivirus\sched.exe [488920 2017-05-04] (Avira Operations GmbH & Co. KG)
R2 AntiVirService; C:\Program Files (x86)\Avira\Antivirus\avguard.exe [488920 2017-05-04] (Avira Operations GmbH & Co. KG)
S2 AntiVirWebService; C:\Program Files (x86)\Avira\Antivirus\avwebg7.exe [1520680 2017-05-04] (Avira Operations GmbH & Co. KG)
S2 AtherosSvc; C:\Program Files (x86)\Bluetooth Suite\adminservice.exe [319104 2014-03-19] (Windows ® Win 7 DDK provider) [File not signed]
R2 Avira.ServiceHost; C:\Program Files (x86)\Avira\Launcher\Avira.ServiceHost.exe [350120 2017-04-11] (Avira Operations GmbH & Co. KG)
S2 ETDService; C:\Program Files\Elantech\ETDService.exe [144608 2016-06-02] (ELAN Microelectronics Corp.)
S2 GamesAppIntegrationService; C:\Program Files (x86)\WildTangent Games\App\GamesAppIntegrationService.exe [349728 2015-08-13] (WildTangent)
R2 MBAMService; C:\Program Files\Malwarebytes\Anti-Malware\mbamservice.exe [4355024 2017-01-20] (Malwarebytes)
S2 tbaseprovisioning; C:\WINDOWS\SysWOW64\tbaseprovisioning.exe [60432 2015-06-23] (Advanced Micro Devices, Inc.)
S3 WdNisSvc; C:\Program Files\Windows Defender\NisSrv.exe [347328 2017-03-28] (Microsoft Corporation)
S3 WinDefend; C:\Program Files\Windows Defender\MsMpEng.exe [103720 2017-03-28] (Microsoft Corporation)

===================== Drivers (Whitelisted) ======================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R3 AmdAS4; C:\WINDOWS\System32\drivers\AmdAS4.sys [17640 2013-10-24] (Advanced Micro Devices, INC.)
S3 amdkmcsp; C:\WINDOWS\system32\DRIVERS\amdkmcsp.sys [101104 2015-06-23] (Advanced Micro Devices, Inc. )
R0 amdkmpfd; C:\WINDOWS\System32\drivers\amdkmpfd.sys [36608 2013-12-14] (Advanced Micro Devices, Inc.)
R0 amdpsp; C:\WINDOWS\System32\DRIVERS\amdpsp.sys [277240 2015-06-23] (Advanced Micro Devices, Inc. )
R3 AtiHDAudioService; C:\WINDOWS\system32\drivers\AtihdWT6.sys [102912 2015-05-28] (Advanced Micro Devices)
R2 avgntflt; C:\WINDOWS\System32\DRIVERS\avgntflt.sys [161824 2017-03-25] (Avira Operations GmbH & Co. KG)
R1 avipbb; C:\WINDOWS\system32\DRIVERS\avipbb.sys [163976 2017-03-25] (Avira Operations GmbH & Co. KG)
R1 avkmgr; C:\WINDOWS\system32\DRIVERS\avkmgr.sys [44488 2017-03-25] (Avira Operations GmbH & Co. KG)
R2 avnetflt; C:\WINDOWS\system32\DRIVERS\avnetflt.sys [88488 2017-03-25] (Avira Operations GmbH & Co. KG)
S3 dot4; C:\WINDOWS\system32\DRIVERS\Dot4.sys [151968 2012-10-19] (Windows ® Win 7 DDK provider)
S3 Dot4Print; C:\WINDOWS\System32\drivers\Dot4Prt.sys [27040 2012-10-19] (Windows ® Win 7 DDK provider)
S3 ETDSMBus; C:\WINDOWS\system32\DRIVERS\ETDSMBus.sys [24904 2014-02-06] (ELAN Microelectronic Corp.)
R2 MBAMChameleon; C:\WINDOWS\system32\drivers\MBAMChameleon.sys [176584 2017-02-27] (Malwarebytes)
R3 MBAMSwissArmy; C:\WINDOWS\system32\drivers\MBAMSwissArmy.sys [251832 2017-06-10] (Malwarebytes)
S3 NetAdapterCx; C:\WINDOWS\System32\drivers\NetAdapterCx.sys [90624 2016-07-16] ()
R3 RSP2STOR; C:\WINDOWS\system32\DRIVERS\RtsP2Stor.sys [310528 2015-06-09] (Realtek Semiconductor Corp.)
R3 SmbDrv; C:\WINDOWS\system32\DRIVERS\Smb_driver_AMDASF.sys [30448 2013-10-30] (Synaptics Incorporated)
R3 Thotkey; C:\WINDOWS\System32\drivers\Thotkey.sys [54424 2015-07-29] (Toshiba Corporation)
S3 WdBoot; C:\WINDOWS\system32\drivers\WdBoot.sys [44056 2016-07-16] (Microsoft Corporation)
S3 WdFilter; C:\WINDOWS\system32\drivers\WdFilter.sys [290144 2016-07-16] (Microsoft Corporation)
S3 WdNisDrv; C:\WINDOWS\System32\Drivers\WdNisDrv.sys [123232 2016-07-16] (Microsoft Corporation)

==================== NetSvcs (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)


==================== One Month Created files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2017-06-12 21:07 - 2017-06-12 21:18 - 00000000 ____D C:\AdwCleaner
2017-06-12 21:06 - 2017-06-12 21:06 - 00001610 _____ C:\Users\Owner\Desktop\adwcleaner_6.047 - Shortcut.lnk
2017-06-12 21:04 - 2017-06-12 21:07 - 04110280 _____ C:\Users\Owner\Downloads\adwcleaner_6.047.exe
2017-06-11 15:38 - 2017-06-11 15:38 - 00000000 ____D C:\Users\Owner\Desktop\Old Firefox Data
2017-06-11 15:30 - 2017-06-11 15:32 - 00012136 _____ C:\Users\Owner\Downloads\Fixlog.txt
2017-06-11 15:30 - 2017-06-11 15:30 - 00000000 ____D C:\Users\Owner\Downloads\FRST-OlderVersion
2017-06-11 15:29 - 2017-06-11 15:29 - 00003151 _____ C:\Users\Owner\Downloads\fixlist.txt
2017-06-11 15:23 - 2017-06-11 15:23 - 00001259 _____ C:\Users\Owner\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Update and Privacy Settings.lnk
2017-06-11 15:23 - 2017-06-11 15:23 - 00000000 ____D C:\Users\Owner\AppData\Local\UNP
2017-06-10 17:49 - 2017-06-10 17:51 - 00024829 _____ C:\Users\Owner\Downloads\Addition.txt
2017-06-10 17:45 - 2017-06-12 21:26 - 00010335 _____ C:\Users\Owner\Downloads\FRST.txt
2017-06-10 17:43 - 2017-06-12 21:24 - 00000000 ____D C:\FRST
2017-06-10 17:41 - 2017-06-10 17:43 - 00001518 _____ C:\Users\Owner\Desktop\FRST64 - Shortcut.lnk
2017-06-10 17:40 - 2017-06-11 15:30 - 02438656 _____ (Farbar) C:\Users\Owner\Downloads\FRST64.exe
2017-06-09 10:46 - 2017-06-09 10:49 - 00000000 ____D C:\Program Files\UNP
2017-06-09 10:46 - 2017-06-09 10:46 - 00000000 ____D C:\WINDOWS\system32\UNP
2017-06-04 21:36 - 2017-06-04 21:36 - 00000000 ___HD C:\OneDriveTemp
2017-06-02 12:32 - 2017-06-02 12:32 - 00738368 _____ (Oracle Corporation) C:\Users\Owner\Downloads\JavaSetup8u131.exe

==================== One Month Modified files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2017-06-12 21:23 - 2016-07-16 05:36 - 00000000 ____D C:\WINDOWS\CbsTemp
2017-06-12 21:07 - 2016-11-18 18:29 - 00000000 ____D C:\Users\Owner\AppData\LocalLow\Mozilla
2017-06-12 21:03 - 2016-07-16 05:47 - 00000000 ____D C:\WINDOWS\AppReadiness
2017-06-12 21:02 - 2016-07-16 05:47 - 00000000 ___HD C:\Program Files\WindowsApps
2017-06-12 21:01 - 2016-09-10 20:02 - 00000000 ____D C:\WINDOWS\system32\SleepStudy
2017-06-11 15:31 - 2014-10-07 15:23 - 00000000 ___RD C:\Users\Owner\OneDrive
2017-06-10 18:54 - 2016-07-16 05:47 - 00000000 ____D C:\WINDOWS\system32\appraiser
2017-06-10 18:22 - 2017-02-27 21:24 - 00251832 _____ (Malwarebytes) C:\WINDOWS\system32\Drivers\MBAMSwissArmy.sys
2017-06-10 18:22 - 2014-06-18 07:03 - 03062817 _____ C:\WINDOWS\SysWOW64\rootpa.e2e
2017-06-10 18:21 - 2016-09-10 20:28 - 00000006 ____H C:\WINDOWS\Tasks\SA.DAT
2017-06-10 17:51 - 2016-07-16 05:45 - 00000000 ____D C:\WINDOWS\INF
2017-06-05 11:52 - 2016-09-10 20:10 - 00000000 ____D C:\Users\Owner
2017-06-04 21:33 - 2016-09-10 20:05 - 00065536 _____ C:\WINDOWS\system32\spu_storage.bin
2017-06-04 21:33 - 2016-07-16 00:04 - 00786432 _____ C:\WINDOWS\system32\config\BBI
2017-06-03 12:04 - 2016-08-08 17:46 - 00000481 _____ C:\Users\Owner\AppData\Roaming\Microsoft\Windows\Start Menu\(40) Facebook.website
2017-06-02 12:35 - 2015-11-09 21:09 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Java
2017-06-02 12:35 - 2015-11-09 21:08 - 00000000 ____D C:\ProgramData\Oracle
2017-06-02 12:35 - 2014-10-03 20:43 - 00000000 ____D C:\Program Files (x86)\Java
2017-06-02 12:33 - 2015-11-09 21:09 - 00097856 _____ (Oracle Corporation) C:\WINDOWS\SysWOW64\WindowsAccessBridge-32.dll
2017-06-02 12:18 - 2016-04-13 20:22 - 01507862 _____ C:\WINDOWS\system32\PerfStringBackup.INI
2017-06-01 19:27 - 2016-11-18 09:33 - 00000000 ____D C:\Program Files (x86)\Mozilla Firefox
2017-06-01 19:27 - 2016-09-18 16:35 - 00000000 ____D C:\Program Files (x86)\Mozilla Maintenance Service
2017-05-31 19:12 - 2016-07-16 05:47 - 00000000 ____D C:\WINDOWS\system32\NDF
2017-05-22 20:55 - 2014-10-03 14:49 - 00000000 ____D C:\WINDOWS\system32\MRT
2017-05-22 20:51 - 2014-10-03 14:49 - 132223576 ____C (Microsoft Corporation) C:\WINDOWS\system32\MRT.exe

==================== Files in the root of some directories =======

2016-09-10 20:04 - 2016-09-10 20:04 - 0000000 ____H () C:\ProgramData\DP45977C.lfl

Some files in TEMP:
====================
2016-09-13 10:33 - 2016-09-13 10:33 - 0000000 ____D () C:\Users\Owner\AppData\Local\Temp\avgnt.exe

==================== Bamital & volsnap ======================

(There is no automatic fix for files that do not pass verification.)

C:\WINDOWS\system32\winlogon.exe => File is digitally signed
C:\WINDOWS\system32\wininit.exe => File is digitally signed
C:\WINDOWS\explorer.exe => File is digitally signed
C:\WINDOWS\SysWOW64\explorer.exe => File is digitally signed
C:\WINDOWS\system32\svchost.exe => File is digitally signed
C:\WINDOWS\SysWOW64\svchost.exe => File is digitally signed
C:\WINDOWS\system32\services.exe => File is digitally signed
C:\WINDOWS\system32\User32.dll => File is digitally signed
C:\WINDOWS\SysWOW64\User32.dll => File is digitally signed
C:\WINDOWS\system32\userinit.exe => File is digitally signed
C:\WINDOWS\SysWOW64\userinit.exe => File is digitally signed
C:\WINDOWS\system32\rpcss.dll => File is digitally signed
C:\WINDOWS\system32\dnsapi.dll => File is digitally signed
C:\WINDOWS\SysWOW64\dnsapi.dll => File is digitally signed
C:\WINDOWS\system32\Drivers\volsnap.sys => File is digitally signed

LastRegBack: 2017-06-02 12:51

==================== End of FRST.txt ============================
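The Run, Services and Drivers sections of the log above are what a helper reads first: each line carries the autostart's path, the file size and date, the publisher taken from the PE version info, and FRST's own "[File not signed]" marker where Authenticode verification failed. The Python below is an added example, not part of this thread and not FRST's own code. It parses those three line shapes and flags entries for manual review on three cheap heuristics (unsigned file, empty publisher string, binary in a user-writable directory); a flag is a prompt to look the file up, not a verdict that it is malicious. The sample input is copied from the log in this thread plus one constructed line (HypotheticalUpdater, an invented name) that exists only to exercise the user-writable-path rule and says nothing about the poster's machine.

```python
"""Triage helper for FRST 'Run', 'Services' and 'Drivers' lines.

Added example; not part of this thread and not FRST's own code. It flags
autostart entries for manual review (unsigned file, empty publisher string,
binary in a user-writable directory). A flag is a prompt to look the file
up, not a verdict that it is malicious.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# One pattern covers the three FRST line shapes seen in the log:
#   HKLM\...\Run: [Name] => <path> [<size> <date>] (<publisher>) [flags]
#   S2 Name; <path> [<size> <date>] (<publisher>) [File not signed]
#   R3 Name; <path> [<size> <date>] (<publisher>)
_ENTRY = re.compile(
    r"^(?:HKLM(?:-x32)?\\\.\.\.\\Run: \[(?P<run_name>[^\]]+)\] =>"
    r"|(?P<state>[SR][0-4]) (?P<svc_name>[^;]+);)"
    r"\s*(?P<path>.+?) \[(?P<size>\d+) (?P<date>\d{4}-\d{2}-\d{2})\]"
    r" \((?P<publisher>[^)]*)\)(?P<flags>.*)$"
)

# Directories a standard user can write to. An autostart binary here needs
# no admin rights to be planted, so it deserves a second look.
_USER_WRITABLE = re.compile(
    r"\\(?:AppData|ProgramData|Temp|Downloads|Public)\\", re.IGNORECASE
)


@dataclass
class Entry:
    name: str
    path: str
    publisher: str
    signed: bool            # False when FRST appended "[File not signed]"
    reasons: List[str] = field(default_factory=list)


def parse_entry(line: str) -> Optional[Entry]:
    """Return an Entry for a Run/Service/Driver line, or None for other lines."""
    m = _ENTRY.match(line.strip())
    if not m:
        return None
    return Entry(
        name=m.group("run_name") or m.group("svc_name"),
        path=m.group("path"),
        publisher=m.group("publisher").strip(),
        signed="[File not signed]" not in m.group("flags"),
    )


def triage_entry(entry: Entry) -> Entry:
    """Attach review reasons to an entry; an empty list means nothing stood out."""
    if not entry.signed:
        entry.reasons.append("file is not digitally signed")
    if not entry.publisher:
        entry.reasons.append("no publisher string in the PE version info")
    if _USER_WRITABLE.search(entry.path):
        entry.reasons.append("binary lives in a user-writable directory")
    return entry


def triage(lines) -> List[Entry]:
    """Parse every line and keep the entries that have at least one reason."""
    flagged = []
    for line in lines:
        entry = parse_entry(line)
        if entry is not None and triage_entry(entry).reasons:
            flagged.append(entry)
    return flagged


def report(lines) -> str:
    """Human-readable summary, one flagged entry per block."""
    out = []
    for e in triage(lines):
        out.append(f"{e.name}: {e.path}")
        out.extend(f"    - {r}" for r in e.reasons)
    return "\n".join(out) or "nothing flagged"


# Sample input: six lines copied from the FRST log in this thread, plus one
# CONSTRUCTED line (HypotheticalUpdater, an invented name) that exists only
# to exercise the user-writable-path rule; it is not from the poster's machine.
SAMPLE_LINES = [
    r"HKLM\...\Run: [Malwarebytes TrayApp] => C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\mbamtray.exe [2780112 2017-01-20] (Malwarebytes)",
    r"HKLM-x32\...\Run: [avgnt] => C:\Program Files (x86)\Avira\Antivirus\avgnt.exe [912768 2017-05-04] (Avira Operations GmbH & Co. KG)",
    r"S2 AdaptiveSleepService; C:\Program Files\ATI Technologies\ATI.ACE\A4\AdaptiveSleepService.exe [140288 2015-02-12] () [File not signed]",
    r"S2 AtherosSvc; C:\Program Files (x86)\Bluetooth Suite\adminservice.exe [319104 2014-03-19] (Windows ® Win 7 DDK provider) [File not signed]",
    r"R2 MBAMService; C:\Program Files\Malwarebytes\Anti-Malware\mbamservice.exe [4355024 2017-01-20] (Malwarebytes)",
    r"S3 NetAdapterCx; C:\WINDOWS\System32\drivers\NetAdapterCx.sys [90624 2016-07-16] ()",
    r"HKLM\...\Run: [HypotheticalUpdater] => C:\Users\Owner\AppData\Roaming\HypotheticalUpdater\upd.exe [51200 2017-06-01] ()",
]

if __name__ == "__main__":
    print(report(SAMPLE_LINES))
```

Run against the lines copied from this log, the hits are the two services FRST already marks "[File not signed]" (the ATI sleep service and the Atheros Bluetooth service) and NetAdapterCx.sys, a driver shipped with Windows itself (it carries the same 2016-07-16 file date as the Defender drivers in the log) whose version info simply has no publisher string. All three are vendor files and none is a finding on its own, which is the point of the heuristics: they narrow what a human looks up, they do not replace the look-up. Paste the whole FRST.txt into `triage()` line by line and the non-matching sections are skipped silently.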



#6 nasdaq

nasdaq
  • Malware Response Team
  • 39,543 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 13 June 2017 - 08:10 AM

Looking good.

If all is well:

To learn more about how to protect yourself while on the internet, read this little guide on best security practices to keep safe.
http://www.bleepingcomputer.com/forums/t/407147/answers-to-common-security-questions-best-practices/

https://www.bleepingcomputer.com/tutorials/keep-your-computer-safe-online/
Simple and easy ways to keep your computer safe and secure on the Internet.
===

#7 mgoug252

mgoug252
  • Topic Starter
  • Members
  • 41 posts

Posted 14 June 2017 - 03:03 PM

Yes, thank you for all your help, I appreciate it.





