worried that there may be a rootkit or virus


  • This topic is locked
5 replies to this topic

#1 scratch that

scratch that

  • Members
  • 22 posts
  • OFFLINE
  • Local time:01:28 AM

Posted 15 June 2017 - 02:17 AM

Several windows on the computer crashed and then web pages automatically popped up that had not necessarily been accessed before and were not previously open.

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 15-06-2017
Ran by Brian W Jones (administrator) on BRIANWJONES-PC (14-06-2017 23:11:40)
Running from C:\Users\Brian W Jones\Downloads
Loaded Profiles: Brian W Jones (Available Profiles: Brian W Jones & mommy & Guest)
Platform: Microsoft Windows 7 Professional  Service Pack 1 (X86) Language: English (United States)
Internet Explorer Version 11 (Default browser: FF)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(Microsoft Corporation) C:\Program Files\Microsoft Security Client\MsMpEng.exe
(Logitech Inc.) C:\Program Files\Common Files\logishrd\LVMVFM\UMVPFSrv.exe
(Apple Inc.) C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
(Apple Inc.) C:\Program Files\Bonjour\mDNSResponder.exe
(Microsoft) C:\Program Files\Heimdal\HeimdalSecureDNS\DNSService.exe
(CSIS Security Group) C:\Program Files\Heimdal\Service\HeimdalAgentService.exe
(Hewlett-Packard Company) C:\Program Files\Hp\Common\HPSupportSolutionsFrameworkService.exe
(Logitech Inc.) C:\Program Files\Common Files\logishrd\LVMVFM\LVPrcSrv.exe
(SlimWare Utilities, Inc.) C:\Program Files\SlimService\SlimServiceFactory.exe
(Microsoft Corp.) C:\Program Files\Common Files\microsoft shared\Windows Live\WLIDSVC.EXE
(Microsoft Corp.) C:\Program Files\Common Files\microsoft shared\Windows Live\WLIDSVCM.EXE
(Google Inc.) C:\Program Files\Google\Update\1.3.33.5\GoogleCrashHandler.exe
() C:\Program Files\MalwareProtectionLive\MalwareProtectionClient.exe
(Analog Devices, Inc.) C:\Program Files\Analog Devices\Core\smax4pnp.exe
(Intel Corporation) C:\Windows\System32\igfxtray.exe
(Intel Corporation) C:\Windows\System32\hkcmd.exe
(Intel Corporation) C:\Windows\System32\igfxpers.exe
(Microsoft Corporation) C:\Program Files\Microsoft Security Client\msseces.exe
(Zemana Ltd.) C:\Program Files\Zemana AntiLogger Free\AntiLogger Free.exe
(Intel Corporation) C:\Windows\System32\igfxsrvc.exe
() C:\Program Files\Logitech\Logitech WebCam Software\LWS.exe
(Oracle Corporation) C:\Program Files\Common Files\Java\Java Update\jusched.exe
(Apple Inc.) C:\Program Files\iTunes\iTunesHelper.exe
(Wondershare) C:\Program Files\Common Files\Wondershare\Wondershare Helper Compact\WSHelper.exe
(© 2015 Microsoft Corporation) C:\Users\Brian W Jones\AppData\Local\Microsoft\BingSvc\BingSvc.exe
(Slimware Utilities Holdings, Inc.) C:\Program Files\SlimCleaner Plus\SlimCleanerPlus.exe
(Logitech Inc.) C:\Program Files\Logitech\Logitech Vid\Vid.exe
(Apple Inc.) C:\Program Files\Common Files\Apple\Internet Services\iCloudServices.exe
(CSIS Security Group) C:\Program Files\Heimdal\Client\HeimdalAgent.exe
() C:\Program Files\Common Files\logishrd\LQCVFX\COCIManager.exe
(SlimWare Utilities, Inc.) C:\Program Files\SlimService\SlimService.exe
(Apple Inc.) C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe
(Apple Inc.) C:\Program Files\iPod\bin\iPodService.exe
(Mozilla Corporation) C:\Program Files\Mozilla Firefox\firefox.exe
(Mozilla Corporation) C:\Program Files\Mozilla Firefox\firefox.exe
(Mozilla Corporation) C:\Program Files\Mozilla Firefox\firefox.exe
(Malwarebytes                                                ) C:\Users\Brian W Jones\Downloads\mb3-setup-1878.1878-3.1.2.1733-10139.exe
() C:\Users\Brian W Jones\AppData\Local\temp\is-1FUTH.tmp\mb3-setup-1878.1878-3.1.2.1733-10139.tmp
(Malwarebytes                                                ) C:\Users\Brian W Jones\Downloads\mb3-setup-1878.1878-3.1.2.1733-10139.exe
() C:\Users\Brian W Jones\AppData\Local\temp\is-TT6O6.tmp\mb3-setup-1878.1878-3.1.2.1733-10139.tmp
(Malwarebytes) C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe
(Malwarebytes) C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe
(Adobe Systems Incorporated) C:\Program Files\Adobe\Acrobat Reader DC\Reader\reader_sl.exe
(Microsoft Corporation) C:\Windows\System32\rundll32.exe

==================== Registry (Whitelisted) ====================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [SoundMAXPnP] => C:\Program Files\Analog Devices\Core\smax4pnp.exe [1314816 2009-08-03] (Analog Devices, Inc.)
HKLM\...\Run: [MSC] => C:\Program Files\Microsoft Security Client\msseces.exe [986872 2016-01-29] (Microsoft Corporation)
HKLM\...\Run: [ZALFree] => C:\Program Files\Zemana AntiLogger Free\AntiLogger Free.exe [8980016 2015-11-05] (Zemana Ltd.)
HKLM\...\Run: [LogitechQuickCamRibbon] => C:\Program Files\Logitech\Logitech WebCam Software\LWS.exe [2793304 2009-10-14] ()
HKLM\...\Run: [SunJavaUpdateSched] => C:\Program Files\Common Files\Java\Java Update\jusched.exe [594992 2016-01-29] (Oracle Corporation)
HKLM\...\Run: [iTunesHelper] => C:\Program Files\iTunes\iTunesHelper.exe [164152 2016-05-11] (Apple Inc.)
HKLM\...\Run: [Wondershare Helper Compact.exe] => C:\Program Files\Common Files\Wondershare\Wondershare Helper Compact\WSHelper.exe [2137744 2016-10-08] (Wondershare)
HKLM\...\Run: [Malwarebytes TrayApp] => C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\mbamtray.exe [3146704 2017-05-09] (Malwarebytes)
HKU\S-1-5-21-2464184963-834174080-3986742318-1000\...\Run: [BingSvc] => C:\Users\Brian W Jones\AppData\Local\Microsoft\BingSvc\BingSvc.exe [144008 2015-11-12] (© 2015 Microsoft Corporation)
HKU\S-1-5-21-2464184963-834174080-3986742318-1000\...\Run: [SlimCleaner Plus] => C:\Program Files\SlimCleaner Plus\SlimCleanerPlus.exe [26179864 2015-12-15] (Slimware Utilities Holdings, Inc.)
HKU\S-1-5-21-2464184963-834174080-3986742318-1000\...\Run: [Logitech Vid] => C:\Program Files\Logitech\Logitech Vid\vid.exe [5458704 2009-07-16] (Logitech Inc.)
HKU\S-1-5-21-2464184963-834174080-3986742318-1000\...\Run: [iCloudServices] => C:\Program Files\Common Files\Apple\Internet Services\iCloudServices.exe [67384 2017-01-17] (Apple Inc.)
HKU\S-1-5-18\Control Panel\Desktop\\SCRNSAVE.EXE ->
AppInit_DLLs: C:\PROGRA~1\KEYCRY~1\KeyCrypt32(2).dll => C:\Program Files\KeyCryptSDK\KeyCrypt32(2).dll [86936 2015-11-05] (Zemana Ltd.)
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Heimdal.lnk [2016-08-09]
ShortcutTarget: Heimdal.lnk -> C:\Program Files\Heimdal\Client\HeimdalAgent.exe (CSIS Security Group)

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

Winsock: Catalog5 09 C:\Program Files\Bonjour\mdnsNSP.dll [122128 2015-08-12] (Apple Inc.)
Tcpip\Parameters: [DhcpNameServer] 75.75.75.75 75.75.76.76
Tcpip\..\Interfaces\{1F29BA10-A4CF-48F4-A5FE-664EDF4EE939}: [DhcpNameServer] 75.75.75.75 75.75.76.76

Internet Explorer:
==================
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
HKU\S-1-5-21-2464184963-834174080-3986742318-1000\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=msnhome
HKU\S-1-5-21-2464184963-834174080-3986742318-1000\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKU\S-1-5-21-2464184963-834174080-3986742318-1000\Software\Microsoft\Internet Explorer\Main,Start Page = about:Tabs
SearchScopes: HKU\S-1-5-21-2464184963-834174080-3986742318-1000 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = hxxp://www.palikan.com/results.php?f=4&q={searchTerms}&a=plk_ggbg_15_52&cd=2XzuyEtN2Y1L1QzutDtDtBtCyBtDyC0FtA0F0EtCyCyC0A0FtN0D0Tzu0StCyEyDyCtN1L2XzutAtFtCyDtFtAtFtDtN1L1Czu1StN1L1G1B1V1N2Y1L1Qzu2StAyE0EtB0EyE0A0CtGtBzztAtDtGyCzy0A0BtGyC0EzyyEtGtA0ByEzztA0D0CtAtD0EyC0F2QtN1M1F1B2Z1V1N2Y1L1Qzu2S0DtCyDzztByCzz0AtG0C0EtCtAtGyEyC0EyEtG0B0E0CtAtGzy0EyByCyEzyyCyDtCtAtDyC2QtN0A0LzutB&cr=78652286&ir=
SearchScopes: HKU\S-1-5-21-2464184963-834174080-3986742318-1000 -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = hxxp://www.palikan.com/results.php?f=4&q={searchTerms}&a=plk_ggbg_15_52&cd=2XzuyEtN2Y1L1QzutDtDtBtCyBtDyC0FtA0F0EtCyCyC0A0FtN0D0Tzu0StCyEyDyCtN1L2XzutAtFtCyDtFtAtFtDtN1L1Czu1StN1L1G1B1V1N2Y1L1Qzu2StAyE0EtB0EyE0A0CtGtBzztAtDtGyCzy0A0BtGyC0EzyyEtGtA0ByEzztA0D0CtAtD0EyC0F2QtN1M1F1B2Z1V1N2Y1L1Qzu2S0DtCyDzztByCzz0AtG0C0EtCtAtGyEyC0EyEtG0B0E0CtAtGzy0EyByCyEzyyCyDtCtAtDyC2QtN0A0LzutB&cr=78652286&ir=
BHO: Java™ Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files\Java\jre1.8.0_101\bin\ssv.dll [2016-07-21] (Oracle Corporation)
BHO: Windows Live ID Sign-in Helper -> {9030D464-4C02-4ABF-8ECC-5164760863C6} -> C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll [2012-07-17] (Microsoft Corp.)
BHO: Java™ Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files\Java\jre1.8.0_101\bin\jp2ssv.dll [2016-07-21] (Oracle Corporation)

FireFox:
========
FF ProfilePath: C:\Users\Brian W Jones\AppData\Roaming\Mozilla\Firefox\Profiles\fj3tt9wu.default-1469400670379 [2017-06-14]
FF Extension: (Firefox Hotfix) - C:\Users\Brian W Jones\AppData\Roaming\Mozilla\Firefox\Profiles\fj3tt9wu.default-1469400670379\Extensions\firefox-hotfix@mozilla.org.xpi [2017-03-09]
FF Plugin: @adobe.com/FlashPlayer -> C:\Windows\system32\Macromed\Flash\NPSWF32_22_0_0_209.dll [2016-07-13] ()
FF Plugin: @Apple.com/iTunes,version=1.0 -> C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll [2015-12-18] ()
FF Plugin: @google.com/npPicasa3,version=3.0.0 -> C:\Program Files\Google\Picasa3\npPicasa3.dll [2015-07-10] (Google, Inc.)
FF Plugin: @java.com/DTPlugin,version=11.101.2 -> C:\Program Files\Java\jre1.8.0_101\bin\dtplugin\npDeployJava1.dll [2016-07-21] (Oracle Corporation)
FF Plugin: @java.com/JavaPlugin,version=11.101.2 -> C:\Program Files\Java\jre1.8.0_101\bin\plugin2\npjp2.dll [2016-07-21] (Oracle Corporation)
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> C:\Program Files\Microsoft Silverlight\5.1.41212.0\npctrl.dll [2015-12-12] ( Microsoft Corporation)
FF Plugin: @microsoft.com/WLPG,version=16.4.3528.0331 -> C:\Program Files\Windows Live\Photo Gallery\NPWLPG.dll [2014-03-31] (Microsoft Corporation)
FF Plugin: @tools.google.com/Google Update;version=3 -> C:\Program Files\Google\Update\1.3.33.5\npGoogleUpdate3.dll [2017-04-27] (Google Inc.)
FF Plugin: @tools.google.com/Google Update;version=9 -> C:\Program Files\Google\Update\1.3.33.5\npGoogleUpdate3.dll [2017-04-27] (Google Inc.)
FF Plugin: Adobe Reader -> C:\Program Files\Adobe\Acrobat Reader DC\Reader\AIR\nppdf32.dll [2016-09-30] (Adobe Systems Inc.)
FF Plugin HKU\S-1-5-21-2464184963-834174080-3986742318-1000: @nsroblox.roblox.com/launcher -> C:\Users\Brian W Jones\AppData\Local\Roblox\Versions\version-29af4e59992d47ba\\NPRobloxProxy.dll [2013-01-01] ( ROBLOX Corporation)
FF Plugin HKU\S-1-5-21-2464184963-834174080-3986742318-1000: @nsroblox.roblox.com/launcher64 -> C:\Users\Brian W Jones\AppData\Local\Roblox\Versions\version-29af4e59992d47ba\\NPRobloxProxy64.dll [2013-01-01] ( ROBLOX Corporation)
FF ExtraCheck: C:\Program Files\mozilla firefox\defaults\pref\itms.js [2016-04-27]

Chrome:
=======
CHR DefaultProfile: Default
CHR HomePage: Default -> msn.com/?pc=__PARAM__&ocid=__PARAM__DHP&osmkt=en-us
CHR StartupUrls: Default -> "hxxp://www.palikan.com/?f=7&a=plk_ggbg_15_52&cd=2XzuyEtN2Y1L1QzutDtDtBtCyBtDyC0FtA0F0EtCyCyC0A0FtN0D0Tzu0StCyEyDyCtN1L2XzutAtFtCyDtFtAtFtDtN1L1Czu1StN1L1G1B1V1N2Y1L1Qzu2StAyE0EtB0EyE0A0CtGtBzztAtDtGyCzy0A0BtGyC0EzyyEtGtA0ByEzztA0D0CtAtD0EyC0F2QtN1M1F1B2Z1V1N2Y1L1Qzu2S0DtCyDzztByCzz0AtG0C0EtCtAtGyEyC0EyEtG0B0E0CtAtGzy0EyByCyEzyyCyDtCtAtDyC2QtN0A0LzutB&cr=78652286&ir="
CHR DefaultSearchURL: Default -> hxxp://www.palikan.com/results.php?f=4&q={searchTerms}&a=plk_ggbg_15_52&cd=2XzuyEtN2Y1L1QzutDtDtBtCyBtDyC0FtA0F0EtCyCyC0A0FtN0D0Tzu0StCyEyDyCtN1L2XzutAtFtCyDtFtAtFtDtN1L1Czu1StN1L1G1B1V1N2Y1L1Qzu2StAyE0EtB0EyE0A0CtGtBzztAtDtGyCzy0A0BtGyC0EzyyEtGtA0ByEzztA0D0CtAtD0EyC0F2QtN1M1F1B2Z1V1N2Y1L1Qzu2S0DtCyDzztByCzz0AtG0C0EtCtAtGyEyC0EyEtG0B0E0CtAtGzy0EyByCyEzyyCyDtCtAtDyC2QtN0A0LzutB&cr=78652286&ir=
CHR DefaultSearchKeyword: Default -> palikan.com
CHR DefaultSuggestURL: Default -> {google:baseSuggestURL}search?client=chrome&hl={language}&q={searchTerms}
CHR Profile: C:\Users\Brian W Jones\AppData\Local\Google\Chrome\User Data\Default [2016-03-13]
CHR Extension: (Google Slides) - C:\Users\Brian W Jones\AppData\Local\Google\Chrome\User Data\Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek [2015-04-07]
CHR Extension: (Google Docs) - C:\Users\Brian W Jones\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake [2015-04-07]
CHR Extension: (Google Drive) - C:\Users\Brian W Jones\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2015-11-16]
CHR Extension: (YouTube) - C:\Users\Brian W Jones\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2015-10-13]
CHR Extension: (Google Search) - C:\Users\Brian W Jones\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf [2015-11-16]
CHR Extension: (Bing) - C:\Users\Brian W Jones\AppData\Local\Google\Chrome\User Data\Default\Extensions\fcfenmboojpjinhpgggodefccipikbpd [2015-07-09]
CHR Extension: (Google Sheets) - C:\Users\Brian W Jones\AppData\Local\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap [2015-04-07]
CHR Extension: (Google Docs Offline) - C:\Users\Brian W Jones\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi [2015-12-13]
CHR Extension: (Yahoo Web) - C:\Users\Brian W Jones\AppData\Local\Google\Chrome\User Data\Default\Extensions\gihfmmedoddijgnhkgfgnkeohkpbipol [2015-12-13]
CHR Extension: (Pixlr Touch Up) - C:\Users\Brian W Jones\AppData\Local\Google\Chrome\User Data\Default\Extensions\jklljiahjgoglchglekebfljnmbaleig [2015-07-14]
CHR Extension: (Palikan New Tab) - C:\Users\Brian W Jones\AppData\Local\Google\Chrome\User Data\Default\Extensions\ljibkigjccbegnbeojkoafejpoiachej [2016-01-20]
CHR Extension: (Chrome Web Store Payments) - C:\Users\Brian W Jones\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2015-07-28]
CHR Extension: (Gmail) - C:\Users\Brian W Jones\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2015-04-07]
CHR HKLM\...\Chrome\Extension: [gihfmmedoddijgnhkgfgnkeohkpbipol] - hxxps://clients2.google.com/service/update2/crx
CHR HKU\S-1-5-21-2464184963-834174080-3986742318-1000\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [fcfenmboojpjinhpgggodefccipikbpd] - hxxps://clients2.google.com/service/update2/crx
CHR HKU\S-1-5-21-2464184963-834174080-3986742318-1000\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [ljibkigjccbegnbeojkoafejpoiachej] - hxxps://clients2.google.com/service/update2/crx

==================== Services (Whitelisted) ====================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

S3 FlexNet Licensing Service; C:\Program Files\Common Files\Macrovision Shared\FlexNet Publisher\FNPLicensingService.exe [1104176 2016-01-22] (Flexera Software LLC)
R2 HeimdalSecureDNS; C:\Program Files\Heimdal\HeimdalSecureDNS\DnsService.exe [88064 2016-07-26] (Microsoft) [File not signed]
R2 HeimdalService; C:\Program Files\Heimdal\Service\HeimdalAgentService.exe [162816 2016-07-26] (CSIS Security Group) [File not signed]
R2 HPSupportSolutionsFrameworkService; C:\Program Files\Hp\Common\HPSupportSolutionsFrameworkService.exe [89840 2015-03-28] (Hewlett-Packard Company)
R2 MBAMService; C:\Program Files\Malwarebytes\Anti-Malware\mbamservice.exe [3398608 2017-05-09] (Malwarebytes)
R2 MsMpSvc; c:\Program Files\Microsoft Security Client\MsMpEng.exe [22216 2016-01-29] (Microsoft Corporation)
R2 Net Driver HPZ12; C:\Windows\system32\HPZinw12.dll [44032 2009-05-14] (Hewlett-Packard) [File not signed]
S3 NisSrv; c:\Program Files\Microsoft Security Client\NisSrv.exe [292816 2016-01-29] (Microsoft Corporation)
R2 Pml Driver HPZ12; C:\Windows\system32\HPZipm12.dll [53760 2009-05-14] (Hewlett-Packard) [File not signed]
R2 SlimService; C:\Program Files\SlimService\SlimServiceFactory.exe [222488 2015-12-15] (SlimWare Utilities, Inc.)
R2 UMVPFSrv; C:\Program Files\Common Files\logishrd\LVMVFM\UMVPFSrv.exe [450848 2012-01-18] (Logitech Inc.)
S2 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [680960 2013-05-26] (Microsoft Corporation)
S3 WsDrvInst; C:\Program Files\Wondershare\MobileTrans\DriverInstall.exe [115856 2016-10-18] (Wondershare)

===================== Drivers (Whitelisted) ======================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R1 ESProtectionDriver; C:\Windows\system32\drivers\mbae.sys [59936 2017-06-14] ()
R3 keycrypt; C:\Windows\System32\DRIVERS\KeyCrypt32.sys [127936 2015-11-05] (Zemana Ltd.)
R3 LVPr2Mon; C:\Windows\System32\DRIVERS\LVPr2Mon.sys [25752 2009-10-07] ()
R2 MBAMChameleon; C:\Windows\system32\drivers\MBAMChameleon.sys [162208 2017-06-14] (Malwarebytes)
R3 MBAMFarflt; C:\Windows\system32\drivers\farflt.sys [97208 2017-06-14] (Malwarebytes)
R3 MBAMProtection; C:\Windows\system32\drivers\mbam.sys [39840 2017-06-14] (Malwarebytes)
R3 MBAMSwissArmy; C:\Windows\system32\drivers\MBAMSwissArmy.sys [220576 2017-06-14] (Malwarebytes)
R3 MBAMWebProtection; C:\Windows\system32\drivers\mwac.sys [65824 2017-06-14] (Malwarebytes)
R0 MpFilter; C:\Windows\System32\DRIVERS\MpFilter.sys [253704 2015-11-13] (Microsoft Corporation)
S3 SWDUMon; C:\Windows\System32\DRIVERS\SWDUMon.sys [11232 2016-02-18] ()
R3 catchme; \??\C:\Users\BRIANW~1\AppData\Local\Temp\catchme.sys [X]
R1 MpKslf8ed2289; \??\C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{B6C38576-F8E0-45C8-BB7B-E21CD8E020A7}\MpKslf8ed2289.sys [X]
S3 TSUSB2; system32\DRIVERS\TSUSB2.sys [X]
U3 mbr; \??\C:\Users\BRIANW~1\AppData\Local\Temp\mbr.sys [X]

==================== NetSvcs (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)


==================== One Month Created files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2017-06-14 23:11 - 2017-06-14 23:12 - 00018811 _____ C:\Users\Brian W Jones\Downloads\FRST.txt
2017-06-14 23:11 - 2017-06-14 23:11 - 01777152 _____ (Farbar) C:\Users\Brian W Jones\Downloads\FRST.exe
2017-06-14 23:11 - 2017-06-14 23:11 - 00000000 ____D C:\FRST
2017-06-14 23:06 - 2017-06-14 23:10 - 00065824 _____ (Malwarebytes) C:\Windows\system32\Drivers\mwac.sys
2017-06-14 23:06 - 2017-06-14 23:09 - 00220576 _____ (Malwarebytes) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
2017-06-14 23:06 - 2017-06-14 23:09 - 00097208 _____ (Malwarebytes) C:\Windows\system32\Drivers\farflt.sys
2017-06-14 23:06 - 2017-06-14 23:09 - 00059936 _____ C:\Windows\system32\Drivers\mbae.sys
2017-06-14 23:06 - 2017-06-14 23:09 - 00039840 _____ (Malwarebytes) C:\Windows\system32\Drivers\mbam.sys
2017-06-14 23:06 - 2017-06-14 23:06 - 00162208 _____ (Malwarebytes) C:\Windows\system32\Drivers\MBAMChameleon.sys
2017-06-14 23:06 - 2017-06-14 23:06 - 00002027 _____ C:\Users\Public\Desktop\Malwarebytes.lnk
2017-06-14 23:06 - 2017-06-14 23:06 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes
2017-06-14 23:06 - 2017-06-14 23:06 - 00000000 ____D C:\ProgramData\Malwarebytes
2017-06-14 23:06 - 2017-06-14 23:06 - 00000000 ____D C:\Program Files\Malwarebytes
2017-06-14 23:00 - 2017-06-14 23:00 - 00012340 _____ C:\ComboFix.txt
2017-06-14 22:15 - 2017-06-14 22:15 - 05659652 ____R (Swearware) C:\Users\Brian W Jones\Downloads\ComboFix.exe
2017-06-14 22:04 - 2017-06-14 22:14 - 00208636 _____ C:\TDSSKiller.3.1.0.15_14.06.2017_22.04.13_log.txt
2017-06-14 22:03 - 2017-06-14 22:04 - 04922400 _____ (AO Kaspersky Lab) C:\Users\Brian W Jones\Downloads\tdsskiller.exe
2017-06-14 22:03 - 2017-06-14 22:03 - 64025992 _____ (Malwarebytes ) C:\Users\Brian W Jones\Downloads\mb3-setup-1878.1878-3.1.2.1733-10139.exe
2017-06-14 21:53 - 2017-06-14 21:54 - 00002122 _____ C:\Users\Brian W Jones\Desktop\Rkill.txt
2017-06-14 21:52 - 2017-06-14 21:52 - 02030536 _____ (Bleeping Computer, LLC) C:\Users\Brian W Jones\Downloads\rkill.exe
2017-06-14 20:58 - 2017-06-14 20:58 - 00033674 _____ C:\Users\mommy\Desktop\Janet Lyn Doc.odt
2017-06-11 10:21 - 2017-06-11 10:21 - 00180586 _____ C:\Users\Brian W Jones\Downloads\Marin_sections.zip
2017-06-11 10:21 - 2017-06-11 10:21 - 00117517 _____ C:\Users\Brian W Jones\Downloads\Marin_townships.zip
2017-06-10 10:58 - 2017-06-10 10:58 - 00000742 _____ C:\Users\Brian W Jones\Downloads\download.csv
2017-06-10 10:25 - 2017-06-10 10:30 - 00003389 _____ C:\Users\Brian W Jones\Downloads\Transactions-Download-06-10-2017.csv
2017-06-02 15:01 - 2017-06-02 15:01 - 19983549 _____ C:\Users\Brian W Jones\Downloads\Dropbox(5).zip
2017-06-02 15:00 - 2017-06-02 15:00 - 19983549 _____ C:\Users\Brian W Jones\Downloads\Dropbox(4).zip
2017-05-28 16:57 - 2017-05-28 16:57 - 00002441 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Acrobat Reader DC.lnk
2017-05-28 16:57 - 2017-05-28 16:57 - 00002024 _____ C:\Users\Public\Desktop\Acrobat Reader DC.lnk
2017-05-28 16:57 - 2017-05-28 16:57 - 00000000 ____D C:\Program Files\Adobe

==================== One Month Modified files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2017-06-14 23:07 - 2015-08-11 17:12 - 00000830 _____ C:\Windows\Tasks\Adobe Flash Player Updater.job
2017-06-14 23:04 - 2016-11-19 07:37 - 00000000 ____D C:\Users\Brian W Jones\AppData\LocalLow\Mozilla
2017-06-14 23:03 - 2009-07-13 21:34 - 00021696 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2017-06-14 23:03 - 2009-07-13 21:34 - 00021696 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2017-06-14 23:00 - 2017-02-19 14:15 - 00000000 ____D C:\Program Files\MalwareProtectionLive
2017-06-14 23:00 - 2015-09-11 19:24 - 00000000 ____D C:\Qoobox
2017-06-14 22:58 - 2009-07-13 19:04 - 00000215 _____ C:\Windows\system.ini
2017-06-14 22:35 - 2010-11-20 14:01 - 00778834 _____ C:\Windows\system32\PerfStringBackup.INI
2017-06-14 22:35 - 2009-07-13 19:37 - 00000000 ____D C:\Windows\inf
2017-06-14 22:30 - 2009-07-13 21:53 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2017-06-14 20:57 - 2016-11-15 18:47 - 00000000 ____D C:\Users\mommy\AppData\LocalLow\Mozilla
2017-06-14 14:49 - 2015-12-28 15:49 - 00000382 _____ C:\Windows\Tasks\SlimCleaner Plus (Scheduled Scan - Brian W Jones).job
2017-06-13 23:08 - 2017-03-02 17:18 - 00000000 ___RD C:\Users\mommy\iCloudDrive
2017-06-13 23:08 - 2016-12-06 14:45 - 00000000 ____D C:\Users\mommy\AppData\Local\Spotify
2017-06-13 23:08 - 2016-12-06 14:44 - 00000000 ____D C:\Users\mommy\AppData\Roaming\Spotify
2017-05-30 13:45 - 2014-12-19 19:12 - 00456360 ____N (Microsoft Corporation) C:\Windows\system32\MpSigStub.exe
2017-05-28 16:57 - 2015-03-04 20:58 - 00000000 ____D C:\Program Files\Common Files\Adobe
2017-05-28 16:57 - 2015-03-04 20:57 - 00000000 ____D C:\ProgramData\Adobe
2017-05-24 06:50 - 2016-11-15 13:05 - 00000000 ____D C:\Program Files\Mozilla Firefox
2017-05-24 06:50 - 2014-12-19 19:19 - 00000000 ____D C:\Program Files\Mozilla Maintenance Service
2017-05-22 08:42 - 2015-09-29 09:19 - 00014934 ____H C:\Users\mommy\Downloads\.picasa.ini

==================== Files in the root of some directories =======

2015-12-28 16:15 - 2016-03-13 01:15 - 0000181 _____ () C:\Users\Brian W Jones\AppData\Roaming\WB.CFG
2015-06-27 09:36 - 2015-06-27 09:51 - 0000819 _____ () C:\ProgramData\hpzinstall.log

==================== Bamital & volsnap ======================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\explorer.exe => File is digitally signed
C:\Windows\system32\winlogon.exe => File is digitally signed
C:\Windows\system32\wininit.exe => File is digitally signed
C:\Windows\system32\svchost.exe => File is digitally signed
C:\Windows\system32\services.exe => File is digitally signed
C:\Windows\system32\User32.dll => File is digitally signed
C:\Windows\system32\userinit.exe => File is digitally signed
C:\Windows\system32\rpcss.dll => File is digitally signed
C:\Windows\system32\dnsapi.dll => File is digitally signed
C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed

LastRegBack: 2017-06-12 05:31

==================== End of FRST.txt ============================


#2 nasdaq

nasdaq

  • Malware Response Team
  • 38,933 posts
  • OFFLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:02:28 AM

Posted 15 June 2017 - 09:21 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can, please print this topic; it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

Remove these programs in bold via the Control Panel > Programs > Programs and Features.
Malware Protection Live (HKLM\...\MalwareProtectionLive) (Version: - ) <==== ATTENTION
SlimCleaner Plus (HKLM\...\{B4061DDF-7078-4CBE-BC1B-9E5F0AFF609E}) (Version: 2.5.1 - Slimware Utilities Holdings, Inc.)
===

Press the Windows key + R on your keyboard at the same time. This will open the Run box.
Type Notepad and click OK.

Please copy the entire contents of the code box below to a new file.
Start

CreateRestorePoint:
EmptyTemp:
CloseProcesses:

(SlimWare Utilities, Inc.) C:\Program Files\SlimService\SlimServiceFactory.exe
() C:\Program Files\MalwareProtectionLive\MalwareProtectionClient.exe
(© 2015 Microsoft Corporation) C:\Users\Brian W Jones\AppData\Local\Microsoft\BingSvc\BingSvc.exe
(Slimware Utilities Holdings, Inc.) C:\Program Files\SlimCleaner Plus\SlimCleanerPlus.exe
(SlimWare Utilities, Inc.) C:\Program Files\SlimService\SlimService.exe
(Malwarebytes                                                ) C:\Users\Brian W Jones\Downloads\mb3-setup-1878.1878-3.1.2.1733-10139.exe
() C:\Users\Brian W Jones\AppData\Local\temp\is-1FUTH.tmp\mb3-setup-1878.1878-3.1.2.1733-10139.tmp
(Malwarebytes                                                ) C:\Users\Brian W Jones\Downloads\mb3-setup-1878.1878-3.1.2.1733-10139.exe
() C:\Users\Brian W Jones\AppData\Local\temp\is-TT6O6.tmp\mb3-setup-1878.1878-3.1.2.1733-10139.tmp
HKU\S-1-5-21-2464184963-834174080-3986742318-1000\...\Run: [BingSvc] => C:\Users\Brian W Jones\AppData\Local\Microsoft\BingSvc\BingSvc.exe [144008 2015-11-12] (© 2015 Microsoft Corporation)
HKU\S-1-5-21-2464184963-834174080-3986742318-1000\...\Run: [SlimCleaner Plus] => C:\Program Files\SlimCleaner Plus\SlimCleanerPlus.exe [26179864 2015-12-15] (Slimware Utilities Holdings, Inc.)
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
HKU\S-1-5-21-2464184963-834174080-3986742318-1000\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
SearchScopes: HKU\S-1-5-21-2464184963-834174080-3986742318-1000 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = hxxp://www.palikan.com/results.php?f=4&q={searchTerms}&a=plk_ggbg_15_52&cd=2XzuyEtN2Y1L1QzutDtDtBtCyBtDyC0FtA0F0EtCyCyC0A0FtN0D0Tzu0StCyEyDyCtN1L2XzutAtFtCyDtFtAtFtDtN1L1Czu1StN1L1G1B1V1N2Y1L1Qzu2StAyE0EtB0EyE0A0CtGtBzztAtDtGyCzy0A0BtGyC0EzyyEtGtA0ByEzztA0D0CtAtD0EyC0F2QtN1M1F1B2Z1V1N2Y1L1Qzu2S0DtCyDzztByCzz0AtG0C0EtCtAtGyEyC0EyEtG0B0E0CtAtGzy0EyByCyEzy... (long line)
CHR StartupUrls: Default -> "hxxp://www.palikan.com/?f=7&a=plk_ggbg_15_52&cd=2XzuyEtN2Y1L1QzutDtDtBtCyBtDyC0FtA0F0EtCyCyC0A0FtN0D0Tzu0StCyEyDyCtN1L2XzutAtFtCyDtFtAtFtDtN1L1Czu1StN1L1G1B1V1N2Y1L1Qzu2StAyE0EtB0EyE0A0CtGtBzztAtDtGyCzy0A0BtGyC0EzyyEtGtA0ByEzztA0D0CtAtD0EyC0F2QtN1M1F1B2Z1V1N2Y1L1Qzu2S0DtCyDzztByCzz0AtG0C0EtCtAtGyEyC0EyEtG0B0E0CtAtGzy0EyByCyEzyyCyDtCtAtDyC2QtN0A0LzutB&cr=78652286&ir="
CHR DefaultSearchKeyword: Default -> palikan.com
CHR Extension: (Bing) - C:\Users\Brian W Jones\AppData\Local\Google\Chrome\User Data\Default\Extensions\fcfenmboojpjinhpgggodefccipikbpd [2015-07-09]
CHR Extension: (Palikan New Tab) - C:\Users\Brian W Jones\AppData\Local\Google\Chrome\User Data\Default\Extensions\ljibkigjccbegnbeojkoafejpoiachej [2016-01-20]
CHR Extension: (Chrome Web Store Payments) - C:\Users\Brian W Jones\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2015-07-28]
CHR HKU\S-1-5-21-2464184963-834174080-3986742318-1000\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [fcfenmboojpjinhpgggodefccipikbpd] - hxxps://clients2.google.com/service/update2/crx
R2 SlimService; C:\Program Files\SlimService\SlimServiceFactory.exe [222488 2015-12-15] (SlimWare Utilities, Inc.)
S3 SWDUMon; C:\Windows\System32\DRIVERS\SWDUMon.sys [11232 2016-02-18] ()
R3 catchme; \??\C:\Users\BRIANW~1\AppData\Local\Temp\catchme.sys [X]
R1 MpKslf8ed2289; \??\C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{B6C38576-F8E0-45C8-BB7B-E21CD8E020A7}\MpKslf8ed2289.sys [X]
S3 TSUSB2; system32\DRIVERS\TSUSB2.sys [X]
U3 mbr; \??\C:\Users\BRIANW~1\AppData\Local\Temp\mbr.sys [X]
Task: {7AB245D0-3543-4D33-90B7-2AE516C96B03} - System32\Tasks\{45D6E152-98A2-441C-9B55-0A0C7F13F559} => pcalua.exe -a "C:\Users\Brian W Jones\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\H3H0M32N\JavaSetup8u40[1].exe" -d "C:\Users\Brian W Jones\Desktop"
Task: {B41E55BF-4C9E-4526-AC97-837134635A4B} - System32\Tasks\MPLClient => C:\Program Files\MalwareProtectionLive\MalwareProtectionClient.exe [2017-02-06] ()
Task: {F95C2D62-CC8E-456E-98E8-3E2FEC1E3545} - System32\Tasks\SlimCleaner Plus (Scheduled Scan - Brian W Jones) => C:\Program Files\SlimCleaner Plus\SlimCleanerPlus.exe [2015-12-15] (Slimware Utilities Holdings, Inc.)
Task: C:\Windows\Tasks\SlimCleaner Plus (Scheduled Scan - Brian W Jones).job => C:\Program Files\SlimCleaner Plus\SlimCleanerPlus.exe
2017-02-06 09:16 - 2017-02-06 09:16 - 01596448 _____ () C:\Program Files\MalwareProtectionLive\MalwareProtectionClient.exe
2016-11-21 10:46 - 2016-10-08 17:48 - 01506304 _____ () C:\Program Files\Common Files\Wondershare\Wondershare Helper Compact\DAQExp.dll
2016-11-21 10:46 - 2016-07-21 11:54 - 00137728 _____ () C:\Program Files\Common Files\Wondershare\Wondershare Helper Compact\CBSCreateVC.dll
C:\Windows\System32\Tasks\{45D6E152-98A2-441C-9B55-0A0C7F13F559}
C:\Windows\System32\Tasks\MPLClient
C:\Program Files\MalwareProtectionLive
C:\Windows\System32\Tasks\SlimCleaner Plus (Scheduled Scan - Brian W Jones)
C:\Program Files\SlimCleaner Plus
C:\Windows\Tasks\SlimCleaner Plus (Scheduled Scan - Brian W Jones).job

End
Save the file as fixlist.txt in the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the Farbar log you have submitted.

Run FRST and click Fix only once and wait.

The tool will create a log (Fixlog.txt); please post it in your reply.
===

Reset the browsers that you use and that have been compromised.

How To:
https://www.howtogeek.com/171924/how-to-reset-your-web-browser-to-its-default-settings/
===

Your version of Java is outdated and needs to be updated to take advantage of fixes that have eliminated security vulnerabilities.

You can manually check your present version and update as recommended.
https://www.java.com/en/download/installed.jsp

Be careful not to install malware posing as a Java update!
Important: read this blog.
http://blog.trendmicro.com/trendlabs-security-intelligence/malware-poses-as-an-update-for-java-0-day-fix/

Quoted from the page.
"In light of the recent events surrounding Java, users must seriously consider their use of Java. Do they really need it? If yes, make sure that users follow the steps we recommended and get the security update directly from the official oracle website." at:
http://www.oracle.com/technetwork/java/javase/downloads/index.html

How to disable Java in your browsers
http://www.infoworld.com/t/web-browsers/how-disable-java-in-your-browsers-210882

If still present after the update, you can remove the old versions of Java via Control Panel > Programs > Programs and Features.
Java 8 Update 101 (HKLM\...\{26A24AE4-039D-4CA4-87B4-2F32180101F0}) (Version: 8.0.1010.13 - Oracle Corporation)
===

Please let me know what problem persists with this computer.

#3 scratch that
  • Topic Starter
  • Members
  • 22 posts

Posted 15 June 2017 - 09:35 PM

Fix result of Farbar Recovery Scan Tool (x86) Version: 15-06-2017
Ran by Brian W Jones (15-06-2017 18:47:45) Run:1
Running from C:\Users\Brian W Jones\Downloads
Loaded Profiles: Brian W Jones (Available Profiles: Brian W Jones & mommy & Guest)
Boot Mode: Normal

==============================================

fixlist content:
*****************
Start

CreateRestorePoint:
EmptyTemp:
CloseProcesses:

(SlimWare Utilities, Inc.) C:\Program Files\SlimService\SlimServiceFactory.exe
() C:\Program Files\MalwareProtectionLive\MalwareProtectionClient.exe
(© 2015 Microsoft Corporation) C:\Users\Brian W Jones\AppData\Local\Microsoft\BingSvc\BingSvc.exe
(Slimware Utilities Holdings, Inc.) C:\Program Files\SlimCleaner Plus\SlimCleanerPlus.exe
(SlimWare Utilities, Inc.) C:\Program Files\SlimService\SlimService.exe
(Malwarebytes                                                ) C:\Users\Brian W Jones\Downloads\mb3-setup-1878.1878-3.1.2.1733-10139.exe
() C:\Users\Brian W Jones\AppData\Local\temp\is-1FUTH.tmp\mb3-setup-1878.1878-3.1.2.1733-10139.tmp
(Malwarebytes                                                ) C:\Users\Brian W Jones\Downloads\mb3-setup-1878.1878-3.1.2.1733-10139.exe
() C:\Users\Brian W Jones\AppData\Local\temp\is-TT6O6.tmp\mb3-setup-1878.1878-3.1.2.1733-10139.tmp
HKU\S-1-5-21-2464184963-834174080-3986742318-1000\...\Run: [BingSvc] => C:\Users\Brian W Jones\AppData\Local\Microsoft\BingSvc\BingSvc.exe [144008 2015-11-12] (© 2015 Microsoft Corporation)
HKU\S-1-5-21-2464184963-834174080-3986742318-1000\...\Run: [SlimCleaner Plus] => C:\Program Files\SlimCleaner Plus\SlimCleanerPlus.exe [26179864 2015-12-15] (Slimware Utilities Holdings, Inc.)
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
HKU\S-1-5-21-2464184963-834174080-3986742318-1000\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
SearchScopes: HKU\S-1-5-21-2464184963-834174080-3986742318-1000 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = hxxp://www.palikan.com/results.php?f=4&q={searchTerms}&a=plk_ggbg_15_52&cd=2XzuyEtN2Y1L1QzutDtDtBtCyBtDyC0FtA0F0EtCyCyC0A0FtN0D0Tzu0StCyEyDyCtN1L2XzutAtFtCyDtFtAtFtDtN1L1Czu1StN1L1G1B1V1N2Y1L1Qzu2StAyE0EtB0EyE0A0CtGtBzztAtDtGyCzy0A0BtGyC0EzyyEtGtA0ByEzztA0D0CtAtD0EyC0F2QtN1M1F1B2Z1V1N2Y1L1Qzu2S0DtCyDzztByCzz0AtG0C0EtCtAtGyEyC0EyEtG0B0E0CtAtGzy0EyByCyEzy... (long line)
CHR StartupUrls: Default -> "hxxp://www.palikan.com/?f=7&a=plk_ggbg_15_52&cd=2XzuyEtN2Y1L1QzutDtDtBtCyBtDyC0FtA0F0EtCyCyC0A0FtN0D0Tzu0StCyEyDyCtN1L2XzutAtFtCyDtFtAtFtDtN1L1Czu1StN1L1G1B1V1N2Y1L1Qzu2StAyE0EtB0EyE0A0CtGtBzztAtDtGyCzy0A0BtGyC0EzyyEtGtA0ByEzztA0D0CtAtD0EyC0F2QtN1M1F1B2Z1V1N2Y1L1Qzu2S0DtCyDzztByCzz0AtG0C0EtCtAtGyEyC0EyEtG0B0E0CtAtGzy0EyByCyEzyyCyDtCtAtDyC2QtN0A0LzutB&cr=78652286&ir="
CHR DefaultSearchKeyword: Default -> palikan.com
CHR Extension: (Bing) - C:\Users\Brian W Jones\AppData\Local\Google\Chrome\User Data\Default\Extensions\fcfenmboojpjinhpgggodefccipikbpd [2015-07-09]
CHR Extension: (Palikan New Tab) - C:\Users\Brian W Jones\AppData\Local\Google\Chrome\User Data\Default\Extensions\ljibkigjccbegnbeojkoafejpoiachej [2016-01-20]
CHR Extension: (Chrome Web Store Payments) - C:\Users\Brian W Jones\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2015-07-28]
CHR HKU\S-1-5-21-2464184963-834174080-3986742318-1000\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [fcfenmboojpjinhpgggodefccipikbpd] - hxxps://clients2.google.com/service/update2/crx
R2 SlimService; C:\Program Files\SlimService\SlimServiceFactory.exe [222488 2015-12-15] (SlimWare Utilities, Inc.)
S3 SWDUMon; C:\Windows\System32\DRIVERS\SWDUMon.sys [11232 2016-02-18] ()
R3 catchme; \??\C:\Users\BRIANW~1\AppData\Local\Temp\catchme.sys [X]
R1 MpKslf8ed2289; \??\C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{B6C38576-F8E0-45C8-BB7B-E21CD8E020A7}\MpKslf8ed2289.sys [X]
S3 TSUSB2; system32\DRIVERS\TSUSB2.sys [X]
U3 mbr; \??\C:\Users\BRIANW~1\AppData\Local\Temp\mbr.sys [X]
Task: {7AB245D0-3543-4D33-90B7-2AE516C96B03} - System32\Tasks\{45D6E152-98A2-441C-9B55-0A0C7F13F559} => pcalua.exe -a "C:\Users\Brian W Jones\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\H3H0M32N\JavaSetup8u40[1].exe" -d "C:\Users\Brian W Jones\Desktop"
Task: {B41E55BF-4C9E-4526-AC97-837134635A4B} - System32\Tasks\MPLClient => C:\Program Files\MalwareProtectionLive\MalwareProtectionClient.exe [2017-02-06] ()
Task: {F95C2D62-CC8E-456E-98E8-3E2FEC1E3545} - System32\Tasks\SlimCleaner Plus (Scheduled Scan - Brian W Jones) => C:\Program Files\SlimCleaner Plus\SlimCleanerPlus.exe [2015-12-15] (Slimware Utilities Holdings, Inc.)
Task: C:\Windows\Tasks\SlimCleaner Plus (Scheduled Scan - Brian W Jones).job => C:\Program Files\SlimCleaner Plus\SlimCleanerPlus.exe
2017-02-06 09:16 - 2017-02-06 09:16 - 01596448 _____ () C:\Program Files\MalwareProtectionLive\MalwareProtectionClient.exe
2016-11-21 10:46 - 2016-10-08 17:48 - 01506304 _____ () C:\Program Files\Common Files\Wondershare\Wondershare Helper Compact\DAQExp.dll
2016-11-21 10:46 - 2016-07-21 11:54 - 00137728 _____ () C:\Program Files\Common Files\Wondershare\Wondershare Helper Compact\CBSCreateVC.dll
C:\Windows\System32\Tasks\{45D6E152-98A2-441C-9B55-0A0C7F13F559}
C:\Windows\System32\Tasks\MPLClient
C:\Program Files\MalwareProtectionLive
C:\Windows\System32\Tasks\SlimCleaner Plus (Scheduled Scan - Brian W Jones)
C:\Program Files\SlimCleaner Plus
C:\Windows\Tasks\SlimCleaner Plus (Scheduled Scan - Brian W Jones).job

End
*****************

Restore point was successfully created.
Processes closed successfully.
C:\Program Files\SlimService\SlimServiceFactory.exe
C:\Program Files\SlimService\SlimServiceFactory.exe => No running process found
C:\Program Files\MalwareProtectionLive\MalwareProtectionClient.exe
C:\Program Files\MalwareProtectionLive\MalwareProtectionClient.exe => No running process found
C:\Users\Brian W Jones\AppData\Local\Microsoft\BingSvc\BingSvc.exe
C:\Users\Brian W Jones\AppData\Local\Microsoft\BingSvc\BingSvc.exe => No running process found
C:\Program Files\SlimCleaner Plus\SlimCleanerPlus.exe
C:\Program Files\SlimCleaner Plus\SlimCleanerPlus.exe => No running process found
C:\Program Files\SlimService\SlimService.exe
C:\Program Files\SlimService\SlimService.exe => No running process found
C:\Users\Brian W Jones\Downloads\mb3-setup-1878.1878-3.1.2.1733-10139.exe
C:\Users\Brian W Jones\Downloads\mb3-setup-1878.1878-3.1.2.1733-10139.exe => No running process found
C:\Users\Brian W Jones\AppData\Local\temp\is-1FUTH.tmp\mb3-setup-1878.1878-3.1.2.1733-10139.tmp
C:\Users\Brian W Jones\AppData\Local\temp\is-1FUTH.tmp\mb3-setup-1878.1878-3.1.2.1733-10139.tmp => No running process found
C:\Users\Brian W Jones\Downloads\mb3-setup-1878.1878-3.1.2.1733-10139.exe
C:\Users\Brian W Jones\Downloads\mb3-setup-1878.1878-3.1.2.1733-10139.exe => No running process found
C:\Users\Brian W Jones\AppData\Local\temp\is-TT6O6.tmp\mb3-setup-1878.1878-3.1.2.1733-10139.tmp
C:\Users\Brian W Jones\AppData\Local\temp\is-TT6O6.tmp\mb3-setup-1878.1878-3.1.2.1733-10139.tmp => No running process found
HKU\S-1-5-21-2464184963-834174080-3986742318-1000\Software\Microsoft\Windows\CurrentVersion\Run\\BingSvc => value removed successfully.
HKU\S-1-5-21-2464184963-834174080-3986742318-1000\Software\Microsoft\Windows\CurrentVersion\Run\\SlimCleaner Plus => value not found.
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer => key removed successfully.
HKU\S-1-5-21-2464184963-834174080-3986742318-1000\SOFTWARE\Policies\Microsoft\Internet Explorer => key removed successfully.
HKU\S-1-5-21-2464184963-834174080-3986742318-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => value removed successfully.
Chrome StartupUrls => removed successfully.
Chrome DefaultSearchKeyword => removed successfully.
C:\Users\Brian W Jones\AppData\Local\Google\Chrome\User Data\Default\Extensions\fcfenmboojpjinhpgggodefccipikbpd => moved successfully
C:\Users\Brian W Jones\AppData\Local\Google\Chrome\User Data\Default\Extensions\ljibkigjccbegnbeojkoafejpoiachej => moved successfully
C:\Users\Brian W Jones\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda => moved successfully
SlimService => service not found.
HKLM\System\CurrentControlSet\Services\SWDUMon => key removed successfully.
SWDUMon => service removed successfully.
HKLM\System\CurrentControlSet\Services\catchme => key removed successfully.
catchme => service removed successfully.
MpKslf8ed2289 => service not found.
HKLM\System\CurrentControlSet\Services\TSUSB2 => key removed successfully.
TSUSB2 => service removed successfully.
mbr => service not found.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{7AB245D0-3543-4D33-90B7-2AE516C96B03} => key removed successfully.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{7AB245D0-3543-4D33-90B7-2AE516C96B03} => key removed successfully.
C:\Windows\System32\Tasks\{45D6E152-98A2-441C-9B55-0A0C7F13F559} => moved successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\{45D6E152-98A2-441C-9B55-0A0C7F13F559} => key removed successfully.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon\{B41E55BF-4C9E-4526-AC97-837134635A4B} => key removed successfully.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{B41E55BF-4C9E-4526-AC97-837134635A4B} => key removed successfully.
C:\Windows\System32\Tasks\MPLClient => moved successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\MPLClient => key removed successfully.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{F95C2D62-CC8E-456E-98E8-3E2FEC1E3545} => key removed successfully.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{F95C2D62-CC8E-456E-98E8-3E2FEC1E3545} => key removed successfully.
C:\Windows\System32\Tasks\SlimCleaner Plus (Scheduled Scan - Brian W Jones) => moved successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\SlimCleaner Plus (Scheduled Scan - Brian W Jones) => key removed successfully.
C:\Windows\Tasks\SlimCleaner Plus (Scheduled Scan - Brian W Jones).job => moved successfully
C:\Program Files\MalwareProtectionLive\MalwareProtectionClient.exe => moved successfully
C:\Program Files\Common Files\Wondershare\Wondershare Helper Compact\DAQExp.dll => moved successfully
C:\Program Files\Common Files\Wondershare\Wondershare Helper Compact\CBSCreateVC.dll => moved successfully
"C:\Windows\System32\Tasks\{45D6E152-98A2-441C-9B55-0A0C7F13F559}" => not found.
"C:\Windows\System32\Tasks\MPLClient" => not found.
C:\Program Files\MalwareProtectionLive => moved successfully
"C:\Windows\System32\Tasks\SlimCleaner Plus (Scheduled Scan - Brian W Jones)" => not found.
"C:\Program Files\SlimCleaner Plus" => not found.
"C:\Windows\Tasks\SlimCleaner Plus (Scheduled Scan - Brian W Jones).job" => not found.

=========== EmptyTemp: ==========

BITS transfer queue => 8388608 B
DOMStoree, IE Recovery, AppCache, Feeds Cache, Thumbcache, IconCache => 21591275 B
Java, Flash, Steam htmlcache => 5990 B
Windows/system/drivers => 2291466 B
Edge => 0 B
Chrome => 137186473 B
Firefox => 384138536 B
Opera => 0 B

Temp, IE cache, history, cookies, recent:
Users => 0 B
Default => 59789 B
Public => 0 B
ProgramData => 0 B
systemprofile => 83519 B
LocalService => 66228 B
NetworkService => 5099958 B
Brian W Jones => 26054738 B
mommy => 73322617 B
Guest => 77353 B

RecycleBin => 0 B
EmptyTemp: => 627.9 MB temporary data Removed.

================================


The system needed a reboot.

==== End of Fixlog 18:49:29 ====
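As an added example that is not part of this thread or of the Farbar tool, the following Python groups the `item => result` lines of a Fixlog like the one above by outcome, so a helper can see at a glance which program files were actually moved (as opposed to entries that were already gone) before calling the fix final. The sample lines are constructed from the posted log, and the result phrases it recognises are the ones that appear there.

```python
"""Summarise an FRST Fixlog by outcome.

Added example, not part of the thread or of the Farbar tool: it groups the
'item => result' lines FRST writes after a fix by what actually happened."""
import re
from collections import defaultdict

# Constructed sample in the Fixlog format shown above (values from the post).
SAMPLE_FIXLOG = r"""
C:\Program Files\SlimService\SlimServiceFactory.exe
C:\Program Files\SlimService\SlimServiceFactory.exe => No running process found
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer => key removed successfully.
Chrome StartupUrls => removed successfully.
SlimService => service not found.
SWDUMon => service removed successfully.
C:\Windows\System32\Tasks\MPLClient => moved successfully
C:\Program Files\Common Files\Wondershare\Wondershare Helper Compact\DAQExp.dll => moved successfully
"C:\Program Files\SlimCleaner Plus" => not found.
EmptyTemp: => 627.9 MB temporary data Removed.
"""

# The item may be wrapped in quotes; the result may end with a period.
RESULT_RE = re.compile(r'^"?(?P<item>.+?)"?\s+=>\s+(?P<result>.+?)\.?$')

def classify(result: str) -> str:
    """Map an FRST result phrase to a coarse outcome."""
    r = result.lower()
    if r.startswith("moved successfully"):
        return "moved"      # file or folder quarantined by FRST; recoverable
    if "removed successfully" in r:
        return "removed"    # registry key/value, service or setting deleted
    if "not found" in r or "no running process" in r:
        return "absent"     # nothing was there to act on
    return "other"

def parse_fixlog(text: str) -> dict:
    """Return {outcome: [item, ...]} for every 'item => result' line."""
    buckets = defaultdict(list)
    for line in text.splitlines():
        m = RESULT_RE.match(line.strip())
        if m:               # headers, bare paths and blank lines are skipped
            buckets[classify(m.group("result"))].append(m.group("item"))
    return dict(buckets)

def moved_files(text: str, suffixes=(".dll", ".exe", ".sys")) -> list:
    """Moved items that look like program files: the ones to double-check
    against the installed software before calling the fix final."""
    return [p for p in parse_fixlog(text).get("moved", [])
            if p.lower().endswith(suffixes)]

if __name__ == "__main__":
    for outcome, items in sorted(parse_fixlog(SAMPLE_FIXLOG).items()):
        print(f"{outcome}: {len(items)}")
    print("moved program files:", moved_files(SAMPLE_FIXLOG))
```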

#4 nasdaq
  • Malware Response Team
  • 38,933 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 16 June 2017 - 08:09 AM

Has your problem been solved?

#5 scratch that
  • Topic Starter
  • Members
  • 22 posts

Posted 17 June 2017 - 01:22 AM

Now each time I log in after starting the computer I get a box titled "WSHelper.exe - System Error" that says the program could not run because DAQExp.dll is missing.

#6 nasdaq
  • Malware Response Team
  • 38,933 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 17 June 2017 - 09:36 AM

Quote: Now each time I log in after starting the computer I get a box titled "WSHelper.exe - System Error" that says the program could not run because DAQExp.dll is missing.

I apologize, it was my mistake.

I should not have removed these items.

2016-11-21 10:46 - 2016-10-08 17:48 - 01506304 _____ () C:\Program Files\Common Files\Wondershare\Wondershare Helper Compact\DAQExp.dll
2016-11-21 10:46 - 2016-07-21 11:54 - 00137728 _____ () C:\Program Files\Common Files\Wondershare\Wondershare Helper Compact\CBSCreateVC.dll

Under other circumstances the DAQExp.dll is malware. Not this time.

The good news is that a restore point was created by the fix.

If you wish you can restore it. This will also restore the other malware items.

The easier method would be to just reinstall the Wondershare program in the same folder.

p.s.
If you decide to restore the fix then please run the Farbar tool and post the logs for my review.

Again, I'm sorry for your inconvenience.