
Odd PC - Samsung Galaxy 8 Active Communications - Virus/Hacked?


  • This topic is locked
9 replies to this topic

#1 jbor1979

jbor1979

  • Members
  • 6 posts
  • OFFLINE
  • Local time:08:10 PM

Posted 17 June 2018 - 04:14 PM

Hello,

 

I am really hoping someone can help me with this issue. Recently my wife's phone has been acting very strange, and there appears to be some link between the phone and the computer. She has a Galaxy 8 Active through ATT, and we have an HP desktop with Windows 7.

 

She couldn't change any of her Google passwords; it kept asking for her Samsung account login even though the account was active. She got on our computer later and went on Internet Explorer, and instead of the homepage it had a view that looked like her phone interface.

 

I have run Malwarebytes a few times with no results, and even ran the Malwarebytes Anti-Rootkit program, and it did not find any malware.

 

Friday early morning a phone call was interrupted, and when she looked at the phone the Bluetooth signal was on up top (which she turns off) and the phone had a message that said "sending outbound file".

 

Thinking there was a connection between the incidents, she has been looking through the computer's event logs and found that right at about the time there was a phone interruption, there was a device event similar to the below:

 

Event Properties - Event 300, Microsoft Office 16 Alerts

Event Data

    Microsoft Excel

    Sorry, we couldn't find C:\Users\Owner\Downloads\XXXXXXXXXX_TextDataDetails.xls. Is it possible it was moved, renamed or deleted?

(XXXX's are her actual phone number.)

 

This has caused concern that the computer is accessing the information on her phone without her knowledge. She says that she has never connected to the computer's Bluetooth functionality.

 

I know this might sound small, but this has been very alarming to us. If anyone can help get to the bottom of how the phone seems to be linked to the computer, it would be very much appreciated.

 

Thank you in advance for the help.

 

 





#2 nasdaq

nasdaq

  • Malware Response Team
  • 39,531 posts
  • OFFLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:08:10 PM

Posted 18 June 2018 - 06:57 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

It may be a Sync issue.
Refer to this article.
https://answers.microsoft.com/en-us/mobiledevices/forum/mdlumia-mdtips/how-can-i-sync-internet-explorer-11-favorites/1bf4d16c-e467-4922-ad85-36c7bb44bcf7

If the phone is syncing with IE on other devices, then turn it OFF.

Restart the computer normally.
Do not turn the Syncing ON just yet.

====

Let me check your computer for malware.

Download the version of this tool for your operating system.
Farbar Recovery Scan Tool (64 bit)
Farbar Recovery Scan Tool (32 bit)
and save it to a folder on your computer's Desktop.
Double-click to run it. When the tool opens click Yes to disclaimer.
Press Scan button.
It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply.

How to attach a file to your reply:
In the Reply section at the bottom of the topic, click the "More Reply Options" button.

Attach the file.
Click "Choose a File" and navigate to the location of the file.
Click the file you wish to Attach.
Click Attach this file.
Click the Add reply button.
===

Please post the logs for my review.

Let me know if you did anything on the Syncing option.

#3 jbor1979

jbor1979
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  • Local time:08:10 PM

Posted 18 June 2018 - 11:49 AM

See below for the FRST file and attached for the Addition text. This might be unrelated, but when I plugged in my computer to do this, while it was loading up, the device driver installation notification at the bottom right came up with the following message: "Bluetooth Device (Personal Area Network) #2 Device driver software installed successfully".

 

Thank you for the help. See the requested information below:

 

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 06.06.2018 01
Ran by Owner (administrator) on OWNER-PC (18-06-2018 12:38:18)
Running from C:\Users\Owner\Desktop
Loaded Profiles: Owner & UpdatusUser (Available Profiles: Owner & UpdatusUser & LogMeInRemoteUser)
Platform: Windows 7 Professional Service Pack 1 (X64) Language: English (United States)
Internet Explorer Version 11 (Default browser: FF)
Boot Mode: Normal
 
==================== Processes (Whitelisted) =================
 
(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)
 
() C:\Program Files (x86)\AVG Web TuneUp\WtuSystemSupport.exe
(NVIDIA Corporation) C:\Windows\System32\nvvsvc.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe
(NVIDIA Corporation) C:\Windows\System32\nvvsvc.exe
(Microsoft Corporation) C:\Windows\System32\wisptis.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files (x86)\AVG\Antivirus\AVGSvc.exe
(Microsoft Corporation) C:\Windows\System32\wisptis.exe
(LogMeIn, Inc.) C:\Program Files (x86)\LogMeIn\x64\LogMeInSystray.exe
(Valve Corporation) C:\Program Files (x86)\Steam\Steam.exe
(SUPERAntiSpyware) C:\Program Files\SUPERAntiSpyware\SUPERANTISPYWARE.EXE
(AVG Technologies CZ, s.r.o.) C:\Program Files (x86)\AVG\Antivirus\AVGUI.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\Display\nvtray.exe
(Hewlett-Packard Development Company, LP) C:\Program Files\HP\HP Officejet 4630 series\Bin\ScanToPCActivationApp.exe
(SUPERAntiSpyware.com) C:\Program Files\SUPERAntiSpyware\SASCORE64.EXE
(McAfee, Inc.) C:\Program Files\McAfee Security Scan\3.11.717\SSScheduler.exe
(Analog Devices, Inc.) C:\Program Files (x86)\Analog Devices\Core\smax4pnp.exe
() C:\Program Files (x86)\AVG Web TuneUp\vprot.exe
(Andrea Electronics Corporation) C:\Windows\System32\AEADISRV.EXE
(Apple Inc.) C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
(Oracle Corporation) C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe
(Apple Inc.) C:\Program Files\Bonjour\mDNSResponder.exe
(Hewlett-Packard Company) C:\Program Files (x86)\HP\Common\HPSupportSolutionsFrameworkService.exe
(Microsoft Corporation) C:\Windows\System32\printfilterpipelinesvc.exe
(Hewlett-Packard Development Company, LP) C:\Program Files\HP\HP Officejet 4630 series\Bin\HPNetworkCommunicatorCom.exe
(LogMeIn, Inc.) C:\Program Files (x86)\LogMeIn\x64\LMIGuardianSvc.exe
(LogMeIn, Inc.) C:\Program Files (x86)\LogMeIn\x64\ramaint.exe
(TeamViewer GmbH) C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe
(McAfee, LLC.) C:\Program Files\TrueKey\McAfee.TrueKey.Service.exe
(McAfee, LLC.) C:\Program Files\TrueKey\McTkSchedulerService.exe
(Microsoft Corp.) C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
(LogMeIn, Inc.) C:\Program Files (x86)\LogMeIn\x64\LogMeIn.exe
(Microsoft Corp.) C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVCM.EXE
(Malwarebytes) C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe
(Microsoft Corporation) C:\Program Files\Common Files\Microsoft Shared\ink\InputPersonalization.exe
(Malwarebytes) C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe
(NVIDIA Corporation) C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Microsoft Corporation) C:\Windows\System32\wbem\WMIADAP.exe
(Microsoft Corporation) C:\Windows\System32\msiexec.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Adobe Systems Incorporated) C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe
(Microsoft Corporation) C:\Windows\SysWOW64\msiexec.exe
 
==================== Registry (Whitelisted) ===========================
 
(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)
 
HKLM\...\Run: [LogMeIn GUI] => C:\Program Files (x86)\LogMeIn\x64\LogMeInSystray.exe [445928 2018-05-24] (LogMeIn, Inc.)
HKLM\...\Run: [AVGUI.exe] => C:\Program Files (x86)\AVG\Antivirus\AvLaunch.exe [291568 2018-05-17] (AVG Technologies CZ, s.r.o.)
HKLM-x32\...\Run: [SoundMAXPnP] => C:\Program Files (x86)\Analog Devices\Core\smax4pnp.exe [1314816 2009-06-22] (Analog Devices, Inc.)
HKLM-x32\...\Run: [Conime] => %windir%\system32\conime.exe
HKLM-x32\...\Run: [BCSSync] => C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe [89184 2012-11-05] (Microsoft Corporation)
HKLM-x32\...\Run: [vProt] => C:\Program Files (x86)\AVG Web TuneUp\vprot.exe [2187336 2017-12-22] ()
HKLM-x32\...\Run: [SunJavaUpdateSched] => C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe [256896 2014-07-25] (Oracle Corporation)
HKLM-x32\...\Run: [AvgUi] => "C:\Program Files (x86)\AVG\Framework\Common\avguirna.exe" /lps=fmw
HKLM\SOFTWARE\Policies\Microsoft\Windows Defender: Restriction <==== ATTENTION
HKU\S-1-5-21-2009172207-452234045-2801871795-1000\...\Run: [Steam] => C:\Program Files (x86)\Steam\steam.exe [3201312 2018-06-08] (Valve Corporation)
HKU\S-1-5-21-2009172207-452234045-2801871795-1000\...\Run: [SUPERAntiSpyware] => C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe [8887216 2018-06-14] (SUPERAntiSpyware)
HKU\S-1-5-21-2009172207-452234045-2801871795-1000\...\Run: [HP Officejet 4630 series (NET)] => C:\Program Files\HP\HP Officejet 4630 series\Bin\ScanToPCActivationApp.exe [3487240 2014-07-21] (Hewlett-Packard Development Company, LP)
HKU\S-1-5-21-2009172207-452234045-2801871795-1000\...\RunOnce: [Application Restart #4] => C:\Program Files\Common Files\Microsoft Shared\ink\InputPersonalization.exe [383488 2009-07-13] (Microsoft Corporation)
HKU\S-1-5-21-2009172207-452234045-2801871795-1000\...\RunOnce: [Application Restart #2] => C:\Program Files\Common Files\Microsoft Shared\ink\InputPersonalization.exe [383488 2009-07-13] (Microsoft Corporation)
HKU\S-1-5-21-2009172207-452234045-2801871795-1000\...\Policies\Explorer: [NoDesktopCleanupWizard] 1
HKU\S-1-5-21-2009172207-452234045-2801871795-1001\...\Policies\Explorer: [NoDesktopCleanupWizard] 1
Lsa: [Notification Packages] scecli C:\Program Files\TrueKey\McAfeeTrueKeyPasswordFilter "C:\Program Files\TrueKey\McAfeeTrueKeyPasswordFilter"
 
==================== Internet (Whitelisted) ====================
 
(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)
 
Hosts: 0.0.0.1 mssplus.mcafee.com
Tcpip\Parameters: [DhcpNameServer] 192.168.1.254
Tcpip\..\Interfaces\{778A2C40-C16C-4E8D-9E3F-6963F3234491}: [DhcpNameServer] 192.168.1.254
Tcpip\..\Interfaces\{C59A4104-271F-41E2-A0D4-7EA3E340E297}: [DhcpNameServer] 192.168.1.254
 
Internet Explorer:
==================
HKU\S-1-5-21-2009172207-452234045-2801871795-1000\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = hxxp://www.google.com/ie
BHO: Java™ Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files\Java\jre7\bin\ssv.dll [2014-05-24] (Oracle Corporation)
BHO: Windows Live ID Sign-in Helper -> {9030D464-4C02-4ABF-8ECC-5164760863C6} -> C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll [2012-07-17] (Microsoft Corp.)
BHO: No Name -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> No File
BHO: Java™ Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files\Java\jre7\bin\jp2ssv.dll [2014-05-24] (Oracle Corporation)
BHO-x32: Java™ Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files (x86)\Java\jre7\bin\ssv.dll [2014-07-25] (Oracle Corporation)
BHO-x32: Windows Live ID Sign-in Helper -> {9030D464-4C02-4ABF-8ECC-5164760863C6} -> C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll [2012-07-17] (Microsoft Corp.)
BHO-x32: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files (x86)\Microsoft Office\Office14\URLREDIR.DLL [2013-03-06] (Microsoft Corporation)
BHO-x32: Java™ Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files (x86)\Java\jre7\bin\jp2ssv.dll [2014-07-25] (Oracle Corporation)
Handler-x32: viprotocol - {B658800C-F66E-4EF3-AB85-6C0C227862A9} - C:\Program Files (x86)\Common Files\AVG Secure Search\ViProtocolInstaller\3.5.0\ViProtocol.dll [2015-12-11] (AVG Secure Search)
 
FireFox:
========
FF Plugin: @adobe.com/FlashPlayer -> C:\Windows\system32\Macromed\Flash\NPSWF64_23_0_0_207.dll [2016-12-04] ()
FF Plugin: @java.com/DTPlugin,version=10.55.2 -> C:\Program Files\Java\jre7\bin\dtplugin\npDeployJava1.dll [2014-05-24] (Oracle Corporation)
FF Plugin: @java.com/JavaPlugin,version=10.55.2 -> C:\Program Files\Java\jre7\bin\plugin2\npjp2.dll [2014-05-24] (Oracle Corporation)
FF Plugin: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files\Microsoft Silverlight\5.1.50907.0\npctrl.dll [2017-05-03] ( Microsoft Corporation)
FF Plugin: @microsoft.com/OfficeAuthz,version=14.0 -> C:\PROGRA~1\MICROS~1\Office14\NPAUTHZ.DLL [2010-01-09] (Microsoft Corporation)
FF Plugin-x32: @adobe.com/FlashPlayer -> C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_23_0_0_207.dll [2016-12-04] ()
FF Plugin-x32: @avg.com/AVG SiteSafety plugin,version=11.0.0.1,application/x-avg-sitesafety-plugin -> C:\Program Files (x86)\Common Files\AVG Secure Search\SiteSafetyInstaller\40.3.8\\npsitesafety.dll [No File]
FF Plugin-x32: @google.com/npPicasa3,version=3.0.0 -> C:\Program Files (x86)\Google\Picasa3\npPicasa3.dll [2015-10-13] (Google, Inc.)
FF Plugin-x32: @java.com/DTPlugin,version=10.67.2 -> C:\Program Files (x86)\Java\jre7\bin\dtplugin\npDeployJava1.dll [2014-07-25] (Oracle Corporation)
FF Plugin-x32: @java.com/JavaPlugin,version=10.67.2 -> C:\Program Files (x86)\Java\jre7\bin\plugin2\npjp2.dll [2014-07-25] (Oracle Corporation)
FF Plugin-x32: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin-x32: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files (x86)\Microsoft Silverlight\5.1.50907.0\npctrl.dll [2017-05-03] ( Microsoft Corporation)
FF Plugin-x32: @microsoft.com/OfficeAuthz,version=14.0 -> C:\PROGRA~2\MICROS~1\Office14\NPAUTHZ.DLL [2010-01-09] (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/WLPG,version=16.4.3522.0110 -> C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll [2014-01-10] (Microsoft Corporation)
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.33.17\npGoogleUpdate3.dll [2018-05-16] (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.33.17\npGoogleUpdate3.dll [2018-05-16] (Google Inc.)
FF Plugin-x32: Adobe Reader -> C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AIR\nppdf32.dll [2018-05-10] (Adobe Systems Inc.)
 
Chrome: 
=======
CHR Profile: C:\Users\Owner\AppData\Local\Google\Chrome\User Data\Default [2018-06-18]
CHR Extension: (Slides) - C:\Users\Owner\AppData\Local\Google\Chrome\User Data\Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek [2018-06-18]
CHR Extension: (Docs) - C:\Users\Owner\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake [2018-06-18]
CHR Extension: (Google Drive) - C:\Users\Owner\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2018-06-18]
CHR Extension: (YouTube) - C:\Users\Owner\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2018-06-18]
CHR Extension: (Sheets) - C:\Users\Owner\AppData\Local\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap [2018-06-18]
CHR Extension: (Google Docs Offline) - C:\Users\Owner\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi [2018-06-18]
CHR Extension: (Chrome Web Store Payments) - C:\Users\Owner\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2018-06-18]
CHR Extension: (Gmail) - C:\Users\Owner\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2018-06-18]
CHR Extension: (Chrome Media Router) - C:\Users\Owner\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm [2018-06-18]
 
==================== Services (Whitelisted) ====================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
R2 !SASCORE; C:\Program Files\SUPERAntiSpyware\SASCORE64.EXE [173472 2018-01-11] (SUPERAntiSpyware.com)
R2 AEADIFilters; C:\Windows\system32\AEADISRV.EXE [111616 2008-07-15] (Andrea Electronics Corporation)
R2 Apple Mobile Device Service; C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe [77104 2015-10-07] (Apple Inc.)
R2 AVG Antivirus; C:\Program Files (x86)\AVG\Antivirus\AVGSvc.exe [318328 2018-05-17] (AVG Technologies CZ, s.r.o.)
S3 avgbIDSAgent; C:\Program Files (x86)\AVG\Antivirus\x64\aswidsagenta.exe [7670672 2018-05-17] (AVG Technologies CZ, s.r.o.)
R2 HPSupportSolutionsFrameworkService; C:\Program Files (x86)\Hp\Common\HPSupportSolutionsFrameworkService.exe [89864 2014-12-11] (Hewlett-Packard Company)
R2 LMIGuardianSvc; C:\Program Files (x86)\LogMeIn\x64\LMIGuardianSvc.exe [419304 2018-05-24] (LogMeIn, Inc.)
R2 LMIMaint; C:\Program Files (x86)\LogMeIn\x64\RaMaint.exe [585704 2018-05-24] (LogMeIn, Inc.)
R2 LogMeIn; C:\Program Files (x86)\LogMeIn\x64\LogMeIn.exe [407424 2015-02-16] (LogMeIn, Inc.)
R2 MBAMService; C:\Program Files\Malwarebytes\Anti-Malware\mbamservice.exe [6541008 2018-05-09] (Malwarebytes)
S3 McComponentHostService; C:\Program Files\McAfee Security Scan\3.11.717\McCHSvc.exe [405392 2018-03-27] (McAfee, Inc.)
R2 TeamViewer; C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe [11293936 2018-04-03] (TeamViewer GmbH)
R2 TrueKey; C:\Program Files\TrueKey\McAfee.TrueKey.Service.exe [1000824 2018-05-14] (McAfee, LLC.)
R2 TrueKeyScheduler; C:\Program Files\TrueKey\McTkSchedulerService.exe [16928 2018-05-14] (McAfee, LLC.)
S3 TrueKeyServiceHelper; C:\Program Files\TrueKey\McAfee.TrueKey.ServiceHelper.exe [87760 2018-05-14] (McAfee, Inc.)
S3 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [1011712 2013-05-27] (Microsoft Corporation)
R2 WtuSystemSupport; C:\Program Files (x86)\AVG Web TuneUp\WtuSystemSupport.exe [981576 2017-12-22] ()
S2 avgsvc; "C:\Program Files (x86)\AVG\Framework\Common\avgsvca.exe" [X]
S2 InstallerService; "C:\Program Files\TrueKey\Mcafee.TrueKey.InstallerService.exe" [X]
 
===================== Drivers (Whitelisted) ======================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
R3 ACPIService; C:\Windows\System32\DRIVERS\OSDACPI.SYS [17992 2009-06-17] ()
R3 AVerBDA6x_x64; C:\Windows\System32\DRIVERS\AVerBDA716x_x64.sys [1353600 2009-04-30] (AVerMedia TECHNOLOGIES, Inc.)
R1 avgArPot; C:\Windows\System32\drivers\avgArPot.sys [189032 2018-05-17] (AVG Technologies CZ, s.r.o.)
R1 avgbidsdriver; C:\Windows\System32\drivers\avgbidsdrivera.sys [220600 2018-05-17] (AVG Technologies CZ, s.r.o.)
R0 avgbidsh; C:\Windows\System32\drivers\avgbidsha.sys [192536 2018-05-17] (AVG Technologies CZ, s.r.o.)
R0 avgblog; C:\Windows\System32\drivers\avgbloga.sys [336848 2018-05-17] (AVG Technologies CZ, s.r.o.)
R0 avgbuniv; C:\Windows\System32\drivers\avgbuniva.sys [50776 2018-05-17] (AVG Technologies CZ, s.r.o.)
S3 avgHwid; C:\Windows\System32\drivers\avgHwid.sys [39352 2018-05-17] (AVG Technologies CZ, s.r.o.)
R2 avgMonFlt; C:\Windows\System32\drivers\avgMonFlt.sys [151504 2018-05-17] (AVG Technologies CZ, s.r.o.)
R1 avgRdr; C:\Windows\System32\drivers\avgRdr2.sys [103744 2018-05-17] (AVG Technologies CZ, s.r.o.)
R0 avgRvrt; C:\Windows\System32\drivers\avgRvrt.sys [78352 2018-05-17] (AVG Technologies CZ, s.r.o.)
R1 avgSnx; C:\Windows\System32\drivers\avgSnx.sys [1020112 2018-05-17] (AVG Technologies CZ, s.r.o.)
R1 avgSP; C:\Windows\System32\drivers\avgSP.sys [452904 2018-05-17] (AVG Technologies CZ, s.r.o.)
R2 avgStm; C:\Windows\System32\drivers\avgStm.sys [198368 2018-05-17] (AVG Technologies CZ, s.r.o.)
R0 avgVmm; C:\Windows\System32\drivers\avgVmm.sys [373944 2018-05-17] (AVG Technologies CZ, s.r.o.)
R1 ESProtectionDriver; C:\Windows\system32\drivers\mbae64.sys [152184 2018-06-14] (Malwarebytes)
R2 LMIInfo; C:\Windows\system32\drivers\LMIInfo.sys [30432 2017-01-11] (LogMeIn, Inc.)
S4 LMIRfsClientNP; no ImagePath
R2 MBAMChameleon; C:\Windows\System32\Drivers\MbamChameleon.sys [190696 2018-06-14] (Malwarebytes)
R3 MBAMFarflt; C:\Windows\System32\DRIVERS\farflt.sys [112872 2018-06-18] (Malwarebytes)
R3 MBAMProtection; C:\Windows\System32\DRIVERS\mbam.sys [44768 2018-06-18] (Malwarebytes)
R3 MBAMSwissArmy; C:\Windows\System32\Drivers\mbamswissarmy.sys [253664 2018-06-18] (Malwarebytes)
R3 MBAMWebProtection; C:\Windows\System32\DRIVERS\mwac.sys [94840 2018-06-18] (Malwarebytes)
S3 PcaSp60; C:\Windows\SysWOW64\DRIVERS\PcaSp60.sys [38912 2010-09-07] (Printing Communications Assoc., Inc. (PCAUSA))
R1 SASDIFSV; C:\Program Files\SUPERAntiSpyware\SASDIFSV64.SYS [14928 2011-07-22] (SUPERAdBlocker.com and SUPERAntiSpyware.com)
R1 SASKUTIL; C:\Program Files\SUPERAntiSpyware\SASKUTIL64.SYS [12368 2011-07-12] (SUPERAdBlocker.com and SUPERAntiSpyware.com)
S3 vuhub; C:\Windows\System32\DRIVERS\vuhub.sys [47616 2007-12-16] ()
 
==================== NetSvcs (Whitelisted) ===================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
 
==================== One Month Created files and folders ========
 
(If an entry is included in the fixlist, the file/folder will be moved.)
 
2018-06-18 12:38 - 2018-06-18 12:42 - 000018362 _____ C:\Users\Owner\Desktop\FRST.txt
2018-06-18 12:38 - 2018-06-18 12:38 - 000000000 ____D C:\FRST
2018-06-18 12:37 - 2018-06-18 12:37 - 002413056 _____ (Farbar) C:\Users\Owner\Desktop\FRST64.exe
2018-06-18 12:31 - 2018-06-18 12:31 - 000000000 ____D C:\Users\Owner\AppData\Local\CEF
2018-06-18 12:26 - 2018-06-18 12:26 - 000112184 _____ C:\Users\Owner\AppData\Local\GDIPFONTCACHEV1.DAT
2018-06-18 12:24 - 2018-06-18 12:24 - 000000000 ____D C:\Users\Owner\AppData\Local\VirtualStore
2018-06-18 12:23 - 2018-06-18 12:23 - 000000000 ____D C:\Users\Owner\AppData\Roaming\SUPERAntiSpyware.com
2018-06-18 12:22 - 2018-06-18 12:22 - 000000020 ___SH C:\Users\Owner\ntuser.ini
2018-06-18 12:22 - 2018-06-18 12:22 - 000000000 ____D C:\Users\Owner\AppData\Local\LogMeIn
2018-06-17 18:37 - 2018-06-18 12:23 - 000000000 ____D C:\Users\Owner\AppData\Local\AVG Web TuneUp
2018-06-17 11:42 - 2018-06-17 12:01 - 000000000 ____D C:\Windows\System32\Tasks\Event Viewer Tasks
2018-06-16 19:47 - 2018-06-16 19:47 - 000255928 _____ (Malwarebytes) C:\Windows\system32\Drivers\5454E440.sys
2018-06-16 19:46 - 2018-06-16 20:34 - 000000000 ____D C:\ProgramData\Malwarebytes' Anti-Malware (portable)
2018-06-15 08:07 - 2018-06-15 08:07 - 000000000 __SHD C:\found.000
2018-06-14 10:01 - 2018-06-18 12:25 - 000112872 _____ (Malwarebytes) C:\Windows\system32\Drivers\farflt.sys
2018-06-14 10:01 - 2018-06-18 12:25 - 000094840 _____ (Malwarebytes) C:\Windows\system32\Drivers\mwac.sys
2018-06-14 10:01 - 2018-06-18 12:25 - 000044768 _____ (Malwarebytes) C:\Windows\system32\Drivers\mbam.sys
2018-06-14 10:01 - 2018-06-18 12:24 - 000253664 _____ (Malwarebytes) C:\Windows\system32\Drivers\mbamswissarmy.sys
2018-06-14 10:01 - 2018-06-14 10:01 - 000190696 _____ (Malwarebytes) C:\Windows\system32\Drivers\MbamChameleon.sys
2018-06-14 08:57 - 2018-06-14 10:00 - 000152184 _____ (Malwarebytes) C:\Windows\system32\Drivers\mbae64.sys
2018-06-14 08:57 - 2018-06-14 08:57 - 000001867 _____ C:\Users\Public\Desktop\Malwarebytes.lnk
2018-06-14 08:57 - 2018-06-14 08:57 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes
2018-06-09 14:17 - 2018-06-09 14:17 - 000000971 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\TeamViewer 13.lnk
2018-06-09 14:17 - 2018-06-09 14:17 - 000000959 _____ C:\Users\Public\Desktop\TeamViewer 13.lnk
 
==================== One Month Modified files and folders ========
 
(If an entry is included in the fixlist, the file/folder will be moved.)
 
2018-06-18 12:40 - 2015-01-16 04:28 - 000004476 _____ C:\Windows\System32\Tasks\Adobe Acrobat Update Task
2018-06-18 12:37 - 2017-12-20 18:35 - 000002441 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Acrobat Reader DC.lnk
2018-06-18 12:37 - 2009-07-14 01:13 - 000786578 _____ C:\Windows\system32\PerfStringBackup.INI
2018-06-18 12:37 - 2009-07-13 23:20 - 000000000 ____D C:\Windows\inf
2018-06-18 12:33 - 2009-07-14 00:45 - 000029152 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2018-06-18 12:33 - 2009-07-14 00:45 - 000029152 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2018-06-18 12:26 - 2013-04-09 11:36 - 000000000 ____D C:\Users\UpdatusUser
2018-06-18 12:24 - 2015-04-13 18:56 - 000000988 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\LogMeIn Control Panel.lnk
2018-06-18 12:23 - 2015-04-29 21:06 - 000000000 ____D C:\Program Files (x86)\TeamViewer
2018-06-18 12:22 - 2013-04-10 19:58 - 000000000 ____D C:\Program Files (x86)\Steam
2018-06-18 12:22 - 2013-04-09 08:24 - 000000000 ____D C:\Users\Owner
2018-06-18 12:22 - 2009-07-14 01:08 - 000000006 ____H C:\Windows\Tasks\SA.DAT
2018-06-18 04:00 - 2013-04-12 05:12 - 000000000 ____D C:\ProgramData\LogMeIn
2018-06-17 18:41 - 2015-12-08 11:06 - 000000000 ____D C:\Users\Owner\AppData\Roaming\AVG
2018-06-17 18:21 - 2014-11-09 09:55 - 000000000 ____D C:\Users\Owner\AppData\Local\Google
2018-06-17 18:14 - 2014-11-25 11:05 - 000000000 ____D C:\Users\Owner\AppData\Local\Avg
2018-06-17 18:14 - 2013-07-02 19:05 - 000000000 ____D C:\Users\Owner\AppData\Local\Adobe
2018-06-17 14:10 - 2017-04-21 11:54 - 000004174 _____ C:\Windows\System32\Tasks\Antivirus Emergency Update
2018-06-16 19:47 - 2014-04-26 08:05 - 000000000 ____D C:\ProgramData\Malwarebytes
2018-06-16 00:10 - 2018-03-30 22:33 - 000000000 ____D C:\ProgramData\McAfee Security Scan
2018-06-15 05:56 - 2013-08-03 03:03 - 000000000 ____D C:\Windows\system32\MRT
2018-06-15 05:52 - 2018-03-06 16:15 - 133315992 ____C (Microsoft Corporation) C:\Windows\system32\MRT-KB890830.exe
2018-06-15 05:51 - 2013-04-09 14:46 - 133315992 ____C (Microsoft Corporation) C:\Windows\system32\MRT.exe
2018-06-15 05:19 - 2013-08-05 21:51 - 000778700 _____ C:\Windows\SysWOW64\PerfStringBackup.INI
2018-06-15 05:15 - 2013-08-03 10:44 - 000000000 ____D C:\Program Files (x86)\Microsoft Office
2018-06-14 12:49 - 2016-06-26 20:04 - 000000000 ____D C:\OSTotoFolder
2018-06-14 10:05 - 2016-11-20 12:10 - 000000000 ____D C:\Program Files (x86)\Mozilla Firefox
2018-06-14 10:05 - 2014-05-24 14:54 - 000000000 ____D C:\Program Files\SUPERAntiSpyware
2018-06-14 10:05 - 2013-04-10 19:41 - 000000000 ____D C:\Program Files (x86)\Mozilla Maintenance Service
2018-06-14 00:31 - 2017-04-25 11:59 - 000002224 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome.lnk
2018-06-14 00:31 - 2017-04-25 11:59 - 000002183 _____ C:\Users\Public\Desktop\Google Chrome.lnk
2018-06-12 18:01 - 2016-07-23 22:42 - 000000000 ____D C:\Program Files (x86)\McAfee
2018-06-12 18:00 - 2009-07-14 00:45 - 000443960 _____ C:\Windows\system32\FNTCACHE.DAT
2018-06-12 17:59 - 2016-07-23 22:32 - 000000000 ____D C:\Program Files\TrueKey
2018-06-11 15:32 - 2016-07-23 22:42 - 000003312 _____ C:\Windows\System32\Tasks\McAfee Remediation (Prepare)
2018-05-24 06:08 - 2015-04-13 18:56 - 000000000 ____D C:\Program Files (x86)\LogMeIn
2018-05-24 06:07 - 2015-04-13 18:56 - 000114688 _____ (LogMeIn, Inc.) C:\Windows\system32\LMIRfsClientNP.dll
2018-05-24 06:07 - 2015-04-13 18:56 - 000108512 _____ (LogMeIn, Inc.) C:\Windows\system32\LMIinit.dll
2018-05-22 14:29 - 2016-07-23 22:46 - 000001165 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\True Key.lnk
2018-05-22 14:29 - 2016-07-23 22:46 - 000001151 _____ C:\Users\Public\Desktop\True Key.lnk
 
==================== Bamital & volsnap ======================
 
(There is no automatic fix for files that do not pass verification.)
 
C:\Windows\system32\winlogon.exe => File is digitally signed
C:\Windows\system32\wininit.exe => File is digitally signed
C:\Windows\SysWOW64\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\system32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\system32\services.exe => File is digitally signed
C:\Windows\system32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\system32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\system32\rpcss.dll => File is digitally signed
C:\Windows\system32\dnsapi.dll => File is digitally signed
C:\Windows\SysWOW64\dnsapi.dll => File is digitally signed
C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed
 
LastRegBack: 2016-03-09 01:05
 
==================== End of FRST.txt ============================
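The FRST.txt above is the kind of log a helper reads by eye, looking for a few things: lines FRST itself flags with `<==== ATTENTION` (here, a Windows Defender policy restriction), services whose binary is missing (`[X]`), processes with no publisher name, and remote-control software such as LogMeIn and TeamViewer, which a worried owner should at least recognise as installed. The script below is an added example, not part of this thread and not FRST's own code: it parses the log's section layout and sorts lines into those categories so the same checks can be repeated on any FRST.txt. The sample input is a constructed excerpt of lines copied from the posted log; the section regexes, the category names and the remote-access keyword list are the example's own assumptions.

```python
import re
from dataclasses import dataclass

# Constructed sample input: a handful of lines copied from the FRST.txt posted
# in this thread (Processes, Registry and Services sections). Everything else in
# this script is example code, not FRST's.
SAMPLE_FRST = r"""
==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

() C:\Program Files (x86)\AVG Web TuneUp\WtuSystemSupport.exe
(LogMeIn, Inc.) C:\Program Files (x86)\LogMeIn\x64\LogMeIn.exe
(TeamViewer GmbH) C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe
(Malwarebytes) C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe

==================== Registry (Whitelisted) ===========================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [LogMeIn GUI] => C:\Program Files (x86)\LogMeIn\x64\LogMeInSystray.exe [445928 2018-05-24] (LogMeIn, Inc.)
HKLM\SOFTWARE\Policies\Microsoft\Windows Defender: Restriction <==== ATTENTION

==================== Services (Whitelisted) ====================

R2 LogMeIn; C:\Program Files (x86)\LogMeIn\x64\LogMeIn.exe [407424 2015-02-16] (LogMeIn, Inc.)
R2 TeamViewer; C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe [11293936 2018-04-03] (TeamViewer GmbH)
S2 avgsvc; "C:\Program Files (x86)\AVG\Framework\Common\avgsvca.exe" [X]
"""

# Section headers look like "==================== Title =================".
SECTION_RE = re.compile(r"^=+ (.+?) =+$")
# Process lines look like "(Publisher) C:\path\to\file.exe"; an empty "()" means
# the file carried no company name in its version info.
PROCESS_RE = re.compile(r"^\((?P<publisher>[^)]*)\) (?P<path>[A-Za-z]:\\.+)$")
# Remote-control software seen in this log. Extend this (assumption: a local
# watch list, not anything FRST defines) with the tools your environment cares about.
REMOTE_ACCESS_HINTS = ("logmein", "teamviewer")


@dataclass
class Finding:
    section: str   # FRST section the line came from
    kind: str      # category assigned by triage()
    line: str      # the original log line


def parse_sections(text: str) -> dict:
    """Split an FRST log into {section_title: [lines]}, dropping blanks and FRST's
    own "(If an entry is included in the fixlist ...)" explanatory notes."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1).strip()
            sections[current] = []
            continue
        if not line or current is None or line.startswith("(If "):
            continue
        sections[current].append(line)
    return sections


def triage(text: str) -> list:
    """Return the lines a reviewer would look at first, each tagged with a category."""
    findings = []
    for section, lines in parse_sections(text).items():
        for line in lines:
            low = line.lower()
            if "<==== attention" in low:
                findings.append(Finding(section, "attention", line))
            m = PROCESS_RE.match(line)
            if m and not m.group("publisher").strip():
                findings.append(Finding(section, "no-publisher", line))
            if line.endswith("[X]"):
                findings.append(Finding(section, "missing-service-binary", line))
            if any(hint in low for hint in REMOTE_ACCESS_HINTS):
                findings.append(Finding(section, "remote-access", line))
    return findings


def summarize(findings: list) -> dict:
    """Count findings per category, e.g. {"remote-access": 5, "attention": 1, ...}."""
    counts = {}
    for f in findings:
        counts[f.kind] = counts.get(f.kind, 0) + 1
    return counts


if __name__ == "__main__":
    results = triage(SAMPLE_FRST)
    for f in results:
        print(f"[{f.kind}] ({f.section}) {f.line}")
    print(summarize(results))
```

On the excerpt this reports one `attention` line (the Defender policy restriction), one `no-publisher` process, one `missing-service-binary` service and five `remote-access` lines. None of those is proof of compromise on its own; the point is that each is a question to answer ("did we install LogMeIn and TeamViewer, and who has the credentials?") rather than something to scroll past. To run it on a real log, read FRST.txt into a string and pass it to `triage()`.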


#4 nasdaq

nasdaq

  • Malware Response Team
  • 39,531 posts
  • OFFLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:08:10 PM

Posted 18 June 2018 - 12:50 PM

Hi,

The Addition.txt log was not attached.

It's a two-step process.
Attach the file.
Click "Choose a File" and navigate to the location of the file.
Click the file you wish to Attach.
Click Attach this file.
Click the Add reply button.
===

#5 jbor1979

jbor1979
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  • Local time:08:10 PM

Posted 18 June 2018 - 02:22 PM

OK, sorry, not sure what I did wrong. I'll attach the file again tonight when I get off work.

 

Some more information that I realized after sending you the logs. After turning the computer on, a number of the desktop shortcuts were missing. In addition to this, it appears that Microsoft Office is no longer on the computer. When you click on the Start button there is still something that says "Microsoft Excel", but with only a white logo instead of the green Excel logo, and when you click it, it says it can't find the file.

 

There are other missing files/programs as well. The only other one I remember for sure was a folder that had a few skateboarding videos taken with my phone.

 

I'll post the additional text file ASAP.

 

Thanks,



#6 jbor1979

jbor1979
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  • Local time:08:10 PM

Posted 18 June 2018 - 05:55 PM

See attached additional text file.

 

Thanks.

Attached Files



#7 nasdaq

nasdaq

  • Malware Response Team
  • 39,531 posts
  • OFFLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:08:10 PM

Posted 19 June 2018 - 08:49 AM

Hi,

Nothing suspicious was found in your logs.

===

As I have suggested in my first reply could this be a Syncing issue?
===

If you Google these strings (include the double quotes), you will see that the Bluetooth was updated.

"Bluetooth Device (Personal Area Network)"

or

"bluetooth device (personal area network)" #2

===

On the office issue Google this string.
Microsoft Office 16 Alerts
Do you have problems running Excel?

Try to repair Microsoft Office.
https://support.office.com/en-us/article/repair-an-office-application-7821d4b6-7c1d-4205-aa0e-a6b40c5bb88b

#8 jbor1979

jbor1979
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  • Local time:08:10 PM

Posted 19 June 2018 - 09:15 AM

I tried to follow the instructions you sent on the syncing issue. I was not able to get far, as when I pressed Control + C all it did was highlight the My Computer shortcut. I went to My Computer and tried to follow the remaining instructions, but none matched the options on the computer exactly. I played around with it and found somewhere that listed the option to sync devices, and it was not activated, but I can't say for sure if I was looking in the right place.

 

I'll try the Microsoft Office repair tool. None of the Office programs work at all now since they went missing.

 

Any ideas on the missing files in addition to Word? They were literally there one day and gone the next.

 

I will admit that we have had to pull the plug on the computer recently because it gets hung up trying to do a Windows update, then tries to revert the updates, and it takes a ridiculous amount of time. Not sure if that corrupted the Office files, but I wouldn't think files would just disappear from that.

 

Thanks,



#9 nasdaq

nasdaq

  • Malware Response Team
  • 39,531 posts
  • OFFLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:08:10 PM

Posted 25 June 2018 - 08:54 AM

Sorry for this delay.

Are you still in need of some help?

#10 jbor1979

jbor1979
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  • Local time:08:10 PM

Posted 25 June 2018 - 09:30 AM

No thanks. Out of an abundance of caution, I ended up having the computer factory reset.

 

I appreciate your help.





