• Announcements

    • Budfred

      IE 11 copy/paste problem

      It has come to our attention that people using Internet Explorer 11 (IE 11) are having trouble with copy/paste to the forum. If you encounter this problem, using a different browser like Firefox or Chrome seems to get around the problem. We do not know what the problem is, but it seems to be specific to IE 11 and we are hopeful that Microsoft will eventually fix it.
    • Budfred

      PLEASE READ - Reversing upgrade   02/23/2017

      We have found that this new upgrade is somewhat of a disaster.  We are finding lots of glitches in being able to post and administer the forum.  Additionally, there are new costs associated with the upgrade that we simply cannot afford.  As a result, we have decided to reverse course and go back to the previous version of our software.  Since this will involve restoring it from a backup, we will lose posts that have been added since January 30 or possibly even some before that.    If you started a topic during that time, we urge you to make backups of your posts and you will need to start the topics over again after the change.  You can simply paste the copies of your posts that you created at that point.    If you joined the forum this month, you will need to re-register since your membership will be lost along with the posts.  Since you have a concealed password, we cannot simply restore your membership for you.   We are going to backup as much as we can so that it will reduce inconvenience for our members.  Unfortunately we cannot back everything up since much will be incompatible with the old version of our software.  We apologize for the confusion and regret the need to do this even though it is not viable to continue with this version of the software.   We plan to begin the process tomorrow evening and, if it goes smoothly, we shouldn't be offline for very long.  However, since we have not done this before, we are not sure how smoothly it will go.  We ask your patience as we proceed.   EDIT: I have asked our hosting service to do the restore at 9 PM Central time and it looks like it will go forward at that time.  Please prepare whatever you need to prepare so that we can restore your topics when the forum is stable again.

All Activity


Past hour

Restart the computer normally. If the problem persists please download and run this scanning tool. Download the version of this tool for your operating system:

Farbar Recovery Scan Tool (64 bit)
Farbar Recovery Scan Tool (32 bit)

and save it to a folder on your computer's Desktop. Double-click to run it. When the tool opens click Yes to the disclaimer. Press the Scan button. It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply. The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply.

How to attach a file to your reply: In the Reply section at the bottom of the topic click the "More Reply Options" button. Attach the file: select "Choose a File", navigate to the location of the file, and click the file you wish to attach. Click the Add Reply button.

=== Please post the logs. ===

p.s. On Jan 10, 2017 the forum installed a new software version and has not been working to our satisfaction since. Tonight at 9pm Pacific time we will revert to the old version of the program. All posts submitted on or after that date will be lost. What I suggest is that you run the tool and save both logs. If all goes well we should be back in service sometime tomorrow, Saturday the 25th. Wait until then to post your logs. Send me a personal message if you have any difficulties.

Yesterday

Hello lureum. For technical reasons the Forum will be offline in the next hours. Since any reply posted at the moment will be lost, I suggest that you print my previous post, carry out the instructions and come back to post your reply when the Forum is online again. Please read the following announcement: http://www.spywareinfoforum.com/announcement/74-please-read-reversing-upgrade/ We apologize for the inconvenience that this may cause. Thank you. Android 8888.

Hello lureum and welcome to Spywareinfo Forum. I'm Android 8888 and I'll be helping you. Please ask questions if anything is unclear. I suggest printing out each set of instructions or copying them to a Notepad file and reading the entire post before proceeding. It will make following them easier. Please follow the directions in the order listed.

You have not posted the content of the Addition.txt file. Please post it in your next reply for my review.

I see you have User Account Control (UAC) disabled. This is an important security feature which helps prevent malware and other unwanted software from being installed on your computer. I strongly suggest you keep it enabled. See this link for instructions on how to enable it: https://www.sevenforums.com/tutorials/181426-user-account-enable-disable.html

You have two anti-virus programs installed (Windows Defender and ESET NOD32 Antivirus). It is not recommended that you have more than one anti-virus product installed and running on your computer at a time. The reason for this is that if both products have their automatic (real-time) protection switched on, then those products which do not encrypt the virus strings within them can cause other anti-virus products to raise "false alarms". Please make sure that only one of the antivirus programs has its real-time protection enabled.

Please download Malwarebytes (MBAM) from here.
Right-click on the Malwarebytes icon and select Run as administrator to run the tool. Click Yes to accept any security warnings that may appear.
Once the Malwarebytes dashboard opens, on the right detail pane click on the word "Current" under the Scan Status to update the tool's database.
On the left menu pane click on the Settings tab, and then select the Protection tab on the top. Under the Scan Options, turn on the button Scan for rootkits.
Click the Scan tab on the right detail pane, select Threat Scan and click the Start Scan button.
Note: The scan may take some time to finish, so please be patient.
If potential threats are detected, ensure to checkmark all the listed items, and click the Quarantine Selected button.
While still on the Scan tab, click the View Report button, and in the window that opens click the Export button, select Text file (*.txt), and save the log to your Desktop. The log can also be viewed by clicking the log to select it, then clicking the View Report button.
Please post the log for my review.
Note: If asked to restart the computer, please do so immediately.

Please post:
The content of the Addition.txt log produced by FRST.
The content of the MBAM log.
How is the computer running?
Last week

FRST.txt SALog.txt

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 22-02-2017 01
Ran by Mike (administrator) on DESKTOP (22-02-2017 16:51:01)
Running from D:\Desktop
Loaded Profiles: Mike & NeroMediaHomeUser.4 (Available Profiles: Mike & NeroMediaHomeUser.4)
Platform: Windows 7 Home Premium Service Pack 1 (X64) Language: English (United States)
Internet Explorer Version 11 (Default browser: FF)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(ESET) C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
(AMD) C:\Windows\System32\atiesrxx.exe
(AMD) C:\Windows\System32\atieclxx.exe
(SEIKO EPSON CORPORATION) C:\Program Files (x86)\Common Files\EPSON\EBAPI\eEBSvc.exe
(ABBYY) C:\Program Files (x86)\Common Files\ABBYY\FineReaderSprint\9.00\Licensing\NetworkLicenseServer.exe
(Apple Inc.) C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
(ASUSTeK Computer Inc.) C:\Program Files (x86)\ASUS\AsSysCtrlService\1.00.02\AsSysCtrlService.exe
(Apple Inc.) C:\Program Files\Bonjour\mDNSResponder.exe
(Hewlett-Packard Company) C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe
(Nero AG) C:\Program Files (x86)\Nero\Nero MediaHome 4\NMMediaServerService.exe
(Protexis Inc.) C:\Program Files (x86)\Common Files\Protexis\License Service\PsiService_2.exe
(Seagate Technology LLC) C:\Program Files (x86)\Seagate\Seagate Dashboard 2.0\Seagate.Dashboard.DASWindowsService.exe
(Seagate Technology LLC) C:\Program Files (x86)\Seagate\Seagate Dashboard 2.0\MobileService.exe
(TechSmith Corporation) C:\Program Files (x86)\Common Files\TechSmith Shared\Uploader\UploaderService.exe
(Western Digital) C:\Program Files (x86)\Western Digital\WD Drive Manager\WDDriveService.exe
(Western Digital ) C:\Program Files (x86)\Western Digital\WD SmartWare\WDRulesEngine.exe
(Microsoft Corp.) C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
(Western Digital ) C:\Program Files (x86)\Western Digital\WD SmartWare\WDBackupEngine.exe
(Microsoft Corp.) C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVCM.EXE
(ASUSTeK Computer Inc.) C:\Program Files (x86)\ASUS\AI Suite II\AsRoutineController.exe
(Microsoft Corporation) C:\Windows\System32\alg.exe
(ESET) C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
(Wondershare) C:\Program Files\Common Files\Wondershare\Wondershare Helper Compact\WSHelper.exe
(Apple Inc.) C:\Program Files\iTunes\iTunesHelper.exe
(Microsoft Corporation) C:\Program Files\Windows Sidebar\sidebar.exe
(Piriform Ltd) C:\Program Files\CCleaner\CCleaner64.exe
(Seagate Technology LLC) C:\Program Files (x86)\Seagate\Seagate Dashboard 2.0\Seagate.Dashboard.Uploader.exe
(NEC Electronics Corporation) C:\Program Files (x86)\NEC Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe
(Advanced Micro Devices Inc.) C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
(Adobe Systems Inc.) C:\Program Files (x86)\Adobe\Acrobat 11.0\Acrobat\acrotray.exe
() D:\Program Files (x86)\EaseUS\EaseUS Partition Master 10.5\bin\TrayPopupE\TrayTipAgentE.exe
(CANON INC.) C:\Program Files (x86)\Canon\Quick Menu\CNQMMAIN.EXE
(Seagate Technology LLC) C:\Program Files (x86)\Seagate\Seagate Dashboard 2.0\DBAgent.exe
(Oracle Corporation) C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
(Apple Inc.) C:\Program Files\iPod\bin\iPodService.exe
(ATI Technologies Inc.) C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
(Microsoft Corporation) C:\Windows\splwow64.exe
(Seagate Technology LLC) C:\Program Files (x86)\Seagate\Seagate Dashboard 2.0\DeviceAgent.exe
(CANON INC.) C:\Program Files (x86)\Canon\Quick Menu\CNQMUPDT.EXE
(CANON INC.) C:\Program Files (x86)\Canon\Quick Menu\CNQMSWCS.EXE
(ASUSTeK Computer Inc.) C:\Program Files (x86)\ASUS\AI Suite II\Sensor\HMService\aaHM.exe
(ASUSTeK Computer Inc.) C:\Program Files (x86)\ASUS\AI Suite II\TurboV EVO\TurboVHelp.exe
(ASUSTeK Computer Inc.) C:\Program Files (x86)\ASUS\AI Suite II\AI Suite II.exe
(Microsoft Corporation) C:\Windows\Microsoft.NET\Framework64\v3.0\WPF\PresentationFontCache.exe
(Bandoo Media Inc.) C:\Users\Mike\AppData\Local\iLivid\iLivid.exe
(Mozilla Corporation) C:\Program Files (x86)\Mozilla Firefox\firefox.exe
(Mozilla Corporation) C:\Program Files (x86)\Mozilla Firefox\firefox.exe
(Malwarebytes) C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe
(Malwarebytes) C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe
(Malwarebytes) C:\Program Files\Malwarebytes\Anti-Malware\mbam.exe
(ASUSTeK Computer Inc.) C:\Program Files (x86)\ASUS\AI Suite II\AsAPHider\AsAPHider.exe

==================== Registry (Whitelisted) ====================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [AdobeAAMUpdater-1.0] => C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe [444904 2012-09-20] (Adobe Systems Incorporated)
HKLM\...\Run: [Wondershare Helper Compact.exe] => C:\Program Files\Common Files\Wondershare\Wondershare Helper Compact\WSHelper.exe [1743136 2013-05-29] (Wondershare)
HKLM\...\Run: [iTunesHelper] => C:\Program Files\iTunes\iTunesHelper.exe [176440 2016-11-01] (Apple Inc.)
HKLM-x32\...\Run: [NUSB3MON] => C:\Program Files (x86)\NEC Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe [106496 2010-01-22] (NEC Electronics Corporation)
HKLM-x32\...\Run: [StartCCC] => C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe [642304 2013-04-29] (Advanced Micro Devices, Inc.)
HKLM-x32\...\Run: [AMD AVT] => Cmd.exe /c start "AMD Accelerated Video Transcoding device initialization" /min "C:\Program Files (x86)\AMD AVT\bin\kdbsync.exe" aml
HKLM-x32\...\Run: [LTCM Client] => C:\Program Files (x86)\LTCM Client\ltcmClient.exe [2756864 2011-04-07] (Leader Technologies Inc.)
HKLM-x32\...\Run: [SwitchBoard] => C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [517096 2010-02-19] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [AdobeCS6ServiceManager] => C:\Program Files (x86)\Common Files\Adobe\CS6ServiceManager\CS6ServiceManager.exe [1073312 2012-03-09] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [] => [X]
HKLM-x32\...\Run: [Acrobat Assistant 8.0] => C:\Program Files (x86)\Adobe\Acrobat 11.0\Acrobat\Acrotray.exe [3478392 2013-12-21] (Adobe Systems Inc.)
HKLM-x32\...\Run: [Nikon Message Center 2] => C:\Program Files (x86)\Nikon\Nikon Message Center 2\NkMC2.exe [570880 2013-12-27] (Nikon Corporation)
HKLM-x32\...\Run: [EaseUS EPM tray] => D:\Program Files (x86)\EaseUS\EaseUS Partition Master 10.5\bin\EpmNews.exe [2089056 2015-04-14] (CHENGDU YIWO Tech Development Co., Ltd)
HKLM-x32\...\Run: [EaseUS EPM Tray Agent] => D:\Program Files (x86)\EaseUS\EaseUS Partition Master 10.5\bin\TrayPopupE\TrayTipAgentE.exe [255072 2014-11-18] ()
HKLM-x32\...\Run: [APSDaemon] => C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe [67384 2016-10-05] (Apple Inc.)
HKLM-x32\...\Run: [ISUSPM] => C:\ProgramData\FLEXnet\Connect\11\\isuspm.exe [324976 2010-05-21] (Flexera Software, Inc.)
HKLM-x32\...\Run: [Wondershare Helper Compact.exe] => C:\Program Files (x86)\Common Files\Wondershare\Wondershare Helper Compact\WSHelper.exe [2137744 2016-10-08] (Wondershare)
HKLM-x32\...\Run: [CanonQuickMenu] => C:\Program Files (x86)\Canon\Quick Menu\CNQMMAIN.EXE [1282120 2013-05-02] (CANON INC.)
HKLM-x32\...\Run: [Nero MediaHome 4] => C:\Program Files (x86)\Nero\Nero MediaHome 4\NeroMediaHome.exe [5178664 2010-10-26] (Nero AG)
HKLM-x32\...\Run: [DBAgent] => C:\Program Files (x86)\Seagate\Seagate Dashboard 2.0\DBAgent.exe [1563424 2016-06-28] (Seagate Technology LLC)
HKLM-x32\...\Run: [DelaypluginInstall] => C:\ProgramData\Wondershare\Video Converter Ultimate\DelayPluginI.exe [1971856 2016-10-24] ()
HKLM-x32\...\Run: [SunJavaUpdateSched] => C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe [587288 2016-12-12] (Oracle Corporation)
HKU\S-1-5-21-3254762720-3357227884-2370198018-1001\...\Run: [AdobeBridge] => [X]
HKU\S-1-5-21-3254762720-3357227884-2370198018-1001\...\Run: [GoogleChromeAutoLaunch_A9A28D217F0AF6C0AE66A9006030A09A] => C:\Program Files (x86)\Google\Chrome\Application\chrome.exe [945496 2017-02-01] (Google Inc.)
HKU\S-1-5-21-3254762720-3357227884-2370198018-1001\...\Run: [GarminExpressTrayApp] => C:\Program Files (x86)\Garmin\Express Tray\ExpressTray.exe [688984 2015-01-28] (Garmin Ltd or its subsidiaries)
HKU\S-1-5-21-3254762720-3357227884-2370198018-1001\...\Run: [CCleaner Monitoring] => C:\Program Files\CCleaner\CCleaner64.exe [8358680 2015-06-01] (Piriform Ltd)
HKU\S-1-5-21-3254762720-3357227884-2370198018-1001\...\Run: [Uploader] => C:\Program Files (x86)\Seagate\Seagate Dashboard 2.0\Seagate.Dashboard.Uploader.exe [127816 2016-06-28] (Seagate Technology LLC)
HKU\S-1-5-21-3254762720-3357227884-2370198018-1001\...\MountPoints2: {571b5056-f7c2-11e2-a636-20cf3054361d} - J:\LaunchU3.exe -a
HKU\S-1-5-21-3254762720-3357227884-2370198018-1001\...\MountPoints2: {7cfab43a-6a0f-11e4-9c0a-20cf3054361d} - I:\VZW_Software_upgrade_assistant.exe
HKU\S-1-5-21-3254762720-3357227884-2370198018-1001\...\MountPoints2: {7fe0791e-e3f8-11e2-b86e-20cf3054361d} - "J:\WD Drive Unlock.exe" autoplay=true
HKU\S-1-5-18\...\Run: [GarminExpressTrayApp] => C:\Program Files (x86)\Garmin\Express Tray\ExpressTray.exe [688984 2015-01-28] (Garmin Ltd or its subsidiaries)
IFEO\wddriveutilities.exe: [Debugger] "C:\Program Files (x86)\AVG\AVG PC TuneUp\TUAutoReactivator64.exe"
ShellIconOverlayIdentifiers: [ SkyDrive1] -> {F241C880-6982-4CE5-8CF7-7085BA96DA5A} => C:\Users\Mike\AppData\Local\Microsoft\OneDrive\17.3.6798.0207\amd64\FileSyncShell64.dll [2017-02-22] (Microsoft Corporation)
ShellIconOverlayIdentifiers: [ SkyDrive2] -> {A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E} => C:\Users\Mike\AppData\Local\Microsoft\OneDrive\17.3.6798.0207\amd64\FileSyncShell64.dll [2017-02-22] (Microsoft Corporation)
ShellIconOverlayIdentifiers: [ SkyDrive3] -> {BBACC218-34EA-4666-9D7A-C78F2274A524} => C:\Users\Mike\AppData\Local\Microsoft\OneDrive\17.3.6798.0207\amd64\FileSyncShell64.dll [2017-02-22] (Microsoft Corporation)
ShellIconOverlayIdentifiers-x32: [ SkyDrive1] -> {F241C880-6982-4CE5-8CF7-7085BA96DA5A} => C:\Users\Mike\AppData\Local\Microsoft\OneDrive\17.3.6798.0207\FileSyncShell.dll [2017-02-22] (Microsoft Corporation)
ShellIconOverlayIdentifiers-x32: [ SkyDrive2] -> {A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E} => C:\Users\Mike\AppData\Local\Microsoft\OneDrive\17.3.6798.0207\FileSyncShell.dll [2017-02-22] (Microsoft Corporation)
ShellIconOverlayIdentifiers-x32: [ SkyDrive3] -> {BBACC218-34EA-4666-9D7A-C78F2274A524} => C:\Users\Mike\AppData\Local\Microsoft\OneDrive\17.3.6798.0207\FileSyncShell.dll [2017-02-22] (Microsoft Corporation)
Startup: C:\Users\Mike\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Epson All-in-one Registration.lnk [2017-02-13]
ShortcutTarget: Epson All-in-one Registration.lnk -> C:\Users\Mike\AppData\Roaming\Leadertech\PowerRegister\Epson All-in-one Registration.exe (Aviata/Epson)
GroupPolicy\User: Restriction <======= ATTENTION
CHR HKLM\SOFTWARE\Policies\Google: Restriction <======= ATTENTION
CHR HKU\S-1-5-21-3254762720-3357227884-2370198018-1001\SOFTWARE\Policies\Google: Restriction <======= ATTENTION

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

Winsock: Catalog9 01 C:\Windows\SysWOW64\LavasoftTcpService.dll [342016 2015-07-04] (Lavasoft Limited)
Winsock: Catalog9 02 C:\Windows\SysWOW64\LavasoftTcpService.dll [342016 2015-07-04] (Lavasoft Limited)
Winsock: Catalog9 03 C:\Windows\SysWOW64\LavasoftTcpService.dll [342016 2015-07-04] (Lavasoft Limited)
Winsock: Catalog9 04 C:\Windows\SysWOW64\LavasoftTcpService.dll [342016 2015-07-04] (Lavasoft Limited)
Winsock: Catalog9 15 C:\Windows\SysWOW64\LavasoftTcpService.dll [342016 2015-07-04] (Lavasoft Limited)
Winsock: Catalog9-x64 01 C:\Windows\system32\LavasoftTcpService64.dll [422400 2015-07-04] (Lavasoft Limited)
Winsock: Catalog9-x64 02 C:\Windows\system32\LavasoftTcpService64.dll [422400 2015-07-04] (Lavasoft Limited)
Winsock: Catalog9-x64 03 C:\Windows\system32\LavasoftTcpService64.dll [422400 2015-07-04] (Lavasoft Limited)
Winsock: Catalog9-x64 04 C:\Windows\system32\LavasoftTcpService64.dll [422400 2015-07-04] (Lavasoft Limited)
Winsock: Catalog9-x64 15 C:\Windows\system32\LavasoftTcpService64.dll [422400 2015-07-04] (Lavasoft Limited)
Hosts: There are more than one entry in Hosts. See Hosts section of Addition.txt
Tcpip\Parameters: [DhcpNameServer] 209.18.47.62 209.18.47.61
Tcpip\..\Interfaces\{B37EA02F-0560-4466-BC64-C50CB00DD85B}: [DhcpNameServer] 209.18.47.62 209.18.47.61

Internet Explorer:
==================
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.google.com
HKU\S-1-5-21-3254762720-3357227884-2370198018-1001\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://www.msn.com/?ocid=OIE9MSE&PC=UP09
SearchScopes: HKLM -> DefaultScope {9BB47C17-9C68-4BB3-B188-DD9AF0FD2406} URL = 
SearchScopes: HKLM-x32 -> DefaultScope {006ee092-9658-4fd6-bd8e-a21a348e59f5} URL = 
SearchScopes: HKU\S-1-5-21-3254762720-3357227884-2370198018-1001 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
SearchScopes: HKU\S-1-5-21-3254762720-3357227884-2370198018-1001 -> {205EED0F-638B-47AB-AD4C-89DEDB9959A3} URL = hxxps://www.google.com/search?q={searchTerms}
SearchScopes: HKU\S-1-5-21-3254762720-3357227884-2370198018-1001 -> {E9DB9E7B-A275-41D1-8158-D0423FBEBDEB} URL = hxxp://www.google.com/cse?cx=partner-pub-3540673482024757:xbhdw8hkfz5&cof=&q={searchTerms}
BHO: Canon Easy-WebPrint EX BHO -> {3785D0AD-BFFF-47F6-BF5B-A587C162FED9} -> C:\Program Files\Canon\Easy-WebPrint EX\ewpexbho.dll [2015-02-23] (CANON INC.)
BHO: Windows Live ID Sign-in Helper -> {9030D464-4C02-4ABF-8ECC-5164760863C6} -> C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll [2012-07-17] (Microsoft Corp.)
BHO: Adobe Acrobat Create PDF Helper -> {AE7CD045-E861-484f-8273-0445EE161910} -> C:\Program Files (x86)\Common Files\Adobe\Acrobat\WCIEActiveX\x64\AcroIEFavClient.dll [2013-12-20] (Adobe Systems Incorporated)
BHO: Adobe Acrobat Create PDF from Selection -> {F4971EE7-DAA0-4053-9964-665D8EE6A077} -> C:\Program Files (x86)\Common Files\Adobe\Acrobat\WCIEActiveX\x64\AcroIEFavClient.dll [2013-12-20] (Adobe Systems Incorporated)
BHO-x32: Canon Easy-WebPrint EX BHO -> {3785D0AD-BFFF-47F6-BF5B-A587C162FED9} -> C:\Program Files (x86)\Canon\Easy-WebPrint EX\ewpexbho.dll [2015-02-23] (CANON INC.)
BHO-x32: Wondershare Video Converter Ultimate 7.1.0 -> {451C804F-C205-4F03-B48E-537EC94937BF} -> C:\ProgramData\Wondershare\Video Converter Ultimate\WSBrowserAppMgr.dll [2016-10-24] (Wondershare)
BHO-x32: Java(tm) Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files (x86)\Java\jre1.8.0_121\bin\ssv.dll [2017-01-30] (Oracle Corporation)
BHO-x32: Windows Live ID Sign-in Helper -> {9030D464-4C02-4ABF-8ECC-5164760863C6} -> C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll [2012-07-17] (Microsoft Corp.)
BHO-x32: Adobe Acrobat Create PDF Helper -> {AE7CD045-E861-484f-8273-0445EE161910} -> C:\Program Files (x86)\Common Files\Adobe\Acrobat\WCIEActiveX\AcroIEFavClient.dll [2013-12-21] (Adobe Systems Incorporated)
BHO-x32: Java(tm) Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files (x86)\Java\jre1.8.0_121\bin\jp2ssv.dll [2017-01-30] (Oracle Corporation)
BHO-x32: Adobe Acrobat Create PDF from Selection -> {F4971EE7-DAA0-4053-9964-665D8EE6A077} -> C:\Program Files (x86)\Common Files\Adobe\Acrobat\WCIEActiveX\AcroIEFavClient.dll [2013-12-21] (Adobe Systems Incorporated)
Toolbar: HKLM - Adobe Acrobat Create PDF Toolbar - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\WCIEActiveX\x64\AcroIEFavClient.dll [2013-12-20] (Adobe Systems Incorporated)
Toolbar: HKLM - Canon Easy-WebPrint EX - {759D9886-0C6F-4498-BAB6-4A5F47C6C72F} - C:\Program Files\Canon\Easy-WebPrint EX\ewpexhlp.dll [2015-02-23] (CANON INC.)
Toolbar: HKLM-x32 - Adobe Acrobat Create PDF Toolbar - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\WCIEActiveX\AcroIEFavClient.dll [2013-12-21] (Adobe Systems Incorporated)
Toolbar: HKLM-x32 - Canon Easy-WebPrint EX - {759D9886-0C6F-4498-BAB6-4A5F47C6C72F} - C:\Program Files (x86)\Canon\Easy-WebPrint EX\ewpexhlp.dll [2015-02-23] (CANON INC.)
Toolbar: HKU\S-1-5-21-3254762720-3357227884-2370198018-1001 -> No Name - {EE2AC4E5-B0B0-4EC6-88A9-BCA1A32AB107} - No File
Toolbar: HKU\S-1-5-21-3254762720-3357227884-2370198018-1001 -> No Name - {E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39} - No File
Toolbar: HKU\S-1-5-21-3254762720-3357227884-2370198018-1001 -> Canon Easy-WebPrint EX - {759D9886-0C6F-4498-BAB6-4A5F47C6C72F} - C:\Program Files\Canon\Easy-WebPrint EX\ewpexhlp.dll [2015-02-23] (CANON INC.)
DPF: HKLM-x32 {17492023-C23A-453E-A040-C7C580BBF700} hxxp://download.microsoft.com/download/E/5/6/E5611B10-0D6D-4117-8430-A67417AA88CD/LegitCheckControl.cab
DPF: HKLM-x32 {4B54A9DE-EF1C-4EBE-A328-7C28EA3B433A} hxxp://quickscan.bitdefender.com/qsax/qsax.cab
Handler: WSWSVCUchrome - {1CA93FF0-A218-44F1 - No File

FireFox:
========
FF ProfilePath: C:\Users\Mike\AppData\Roaming\Mozilla\Firefox\Profiles\tt0oiw1d.default [2017-02-22]
FF NewTab: Mozilla\Firefox\Profiles\tt0oiw1d.default -> hxxp://www.bing.com/?pc=COSP&ptag=D070515-A166D148A50&form=CONMHP&conlogo=CT3334470
FF DefaultSearchEngine: Mozilla\Firefox\Profiles\tt0oiw1d.default -> Bing
FF DefaultSearchEngine.US: Mozilla\Firefox\Profiles\tt0oiw1d.default -> Google Default
FF SelectedSearchEngine: Mozilla\Firefox\Profiles\tt0oiw1d.default -> Bing
FF Homepage: Mozilla\Firefox\Profiles\tt0oiw1d.default -> hxxps://www.google.com/
FF Extension: (Adblock Plus) - C:\Users\Mike\AppData\Roaming\Mozilla\Firefox\Profiles\tt0oiw1d.default\Extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}.xpi [2016-11-23]
FF Extension: (SHA-1 deprecation staged rollout) - C:\Users\Mike\AppData\Roaming\Mozilla\Firefox\Profiles\tt0oiw1d.default\features\{ea1af062-b7ce-4a1e-98b5-821cf6fd3ff2}\disableSHA1rollout@mozilla.org.xpi [2017-02-20]
FF SearchPlugin: C:\Users\Mike\AppData\Roaming\Mozilla\Firefox\Profiles\tt0oiw1d.default\searchplugins\google-default.xml [2015-07-05]
FF HKLM-x32\...\Firefox\Extensions: [{FFB96CC1-7EB3-449D-B827-DB661701C6BB}] - C:\Program Files\CheckPoint\ZAForceField\WOW64\TrustChecker => not found
FF HKLM-x32\...\Firefox\Extensions: [{ABDE892B-13A8-4d1b-88E6-365A6E755758}] - C:\ProgramData\RealNetworks\RealDownloader\BrowserPlugins\Firefox\Ext => not found
FF HKLM-x32\...\Firefox\Extensions: [web2pdfextension@web2pdf.adobedotcom] - C:\Program Files (x86)\Adobe\Acrobat 11.0\Acrobat\Browser\WCFirefoxExtn
FF Extension: (Adobe Acrobat - Create PDF) - C:\Program Files (x86)\Adobe\Acrobat 11.0\Acrobat\Browser\WCFirefoxExtn [2014-11-27] [not signed]
FF HKLM-x32\...\Firefox\Extensions: [WSVCU@Wondershare.com] - C:\ProgramData\Wondershare\Video Converter Ultimate\WSVCU@Wondershare.com_xpi
FF Extension: (Wondershare Video Converter Ultimate) - C:\ProgramData\Wondershare\Video Converter Ultimate\WSVCU@Wondershare.com_xpi [2016-11-11]
FF Plugin: @adobe.com/FlashPlayer -> C:\Windows\system32\Macromed\Flash\NPSWF64_24_0_0_221.dll [2017-02-14] ()
FF Plugin: @java.com/DTPlugin,version=10.7.2 -> C:\Windows\system32\npDeployJava1.dll [2013-08-18] (Oracle Corporation)
FF Plugin: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> C:\Program Files\Microsoft Silverlight\5.1.50901.0\npctrl.dll [2016-08-31] ( Microsoft Corporation)
FF Plugin: adobe.com/AdobeAAMDetect -> C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\CCM\Utilities\npAdobeAAMDetect64.dll [2012-09-20] (Adobe Systems)
FF Plugin-x32: @adobe.com/FlashPlayer -> C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_24_0_0_221.dll [2017-02-14] ()
FF Plugin-x32: @canon.com/EPPEX -> C:\Program Files (x86)\Canon\My Image Garden\AddOn\CIG\npmigfpi.dll [2011-11-30] (CANON INC.)
FF Plugin-x32: @checkpoint.com/FFApi -> C:\Program Files\CheckPoint\ZAForceField\WOW64\TrustChecker\bin\npFFApi.dll [No File]
FF Plugin-x32: @java.com/DTPlugin,version=11.121.2 -> C:\Program Files (x86)\Java\jre1.8.0_121\bin\dtplugin\npDeployJava1.dll [2017-01-30] (Oracle Corporation)
FF Plugin-x32: @java.com/JavaPlugin,version=11.121.2 -> C:\Program Files (x86)\Java\jre1.8.0_121\bin\plugin2\npjp2.dll [2017-01-30] (Oracle Corporation)
FF Plugin-x32: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin-x32: @Microsoft.com/NpCtrl,version=1.0 -> C:\Program Files (x86)\Microsoft Silverlight\5.1.50901.0\npctrl.dll [2016-08-31] ( Microsoft Corporation)
FF Plugin-x32: @microsoft.com/WLPG,version=16.4.3528.0331 -> C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll [2014-03-31] (Microsoft Corporation)
FF Plugin-x32: @rocketlife.com/RocketLife Secure Plug-In Layer;version=1.0.5 -> C:\ProgramData\Visan\plugins\npRLSecurePluginLayer.dll [2012-12-03] (RocketLife, LLP)
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.32.7\npGoogleUpdate3.dll [2016-12-16] (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.32.7\npGoogleUpdate3.dll [2016-12-16] (Google Inc.)
FF Plugin-x32: @videolan.org/vlc,version=2.0.8 -> C:\Program Files (x86)\VideoLAN\VLC\npvlc.dll [2016-06-01] (VideoLAN)
FF Plugin-x32: @videolan.org/vlc,version=2.1.2 -> C:\Program Files (x86)\VideoLAN\VLC\npvlc.dll [2016-06-01] (VideoLAN)
FF Plugin-x32: @videolan.org/vlc,version=2.1.3 -> C:\Program Files (x86)\VideoLAN\VLC\npvlc.dll [2016-06-01] (VideoLAN)
FF Plugin-x32: @videolan.org/vlc,version=2.1.5 -> C:\Program Files (x86)\VideoLAN\VLC\npvlc.dll [2016-06-01] (VideoLAN)
FF Plugin-x32: @videolan.org/vlc,version=2.2.1 -> C:\Program Files (x86)\VideoLAN\VLC\npvlc.dll [2016-06-01] (VideoLAN)
FF Plugin-x32: @videolan.org/vlc,version=2.2.4 -> C:\Program Files (x86)\VideoLAN\VLC\npvlc.dll [2016-06-01] (VideoLAN)
FF Plugin-x32: Adobe Acrobat -> C:\Program Files (x86)\Adobe\Acrobat 11.0\Acrobat\Air\nppdf32.dll [2013-12-21] (Adobe Systems Inc.)
FF Plugin-x32: Adobe Reader -> C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AIR\nppdf32.dll [2016-12-23] (Adobe Systems Inc.)
FF Plugin-x32: adobe.com/AdobeAAMDetect -> C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\CCM\Utilities\npAdobeAAMDetect32.dll [2012-09-20] (Adobe Systems)
FF Plugin ProgramFiles/Appdata: C:\Program Files (x86)\mozilla firefox\plugins\NPOFF12.DLL [2006-10-26] (Microsoft Corporation)
FF Plugin ProgramFiles/Appdata: C:\Program Files (x86)\mozilla firefox\plugins\nppdf32.dll [2016-12-23] (Adobe Systems Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files (x86)\mozilla firefox\plugins\nppluginrichmediaplayer.dll [2013-03-12] ()
FF ExtraCheck: C:\Program Files (x86)\mozilla firefox\firefox.cfg [2013-10-19] <==== ATTENTION

Chrome:
=======
CHR DefaultProfile: Default
CHR HomePage: Default -> hxxp://searchy.easylifeapp.com/?pid=878&src=ch1&r=2013/07/10&hid=4103723794&lg=EN&cc=US
CHR StartupUrls: Default -> "hxxp://searchy.easylifeapp.com/?pid=878&src=ch1&r=2013/07/10&hid=4103723794&lg=EN&cc=US","hxxp://start.sweetpacks.com/?barid={22E4C354-E8CC-11E2-ADC8-20CF3054361D}&src=10&crg=3.5000006.10042&st=23"
CHR Profile: C:\Users\Mike\AppData\Local\Google\Chrome\User Data\Default [2017-02-22]
CHR Extension: (Google Slides) - C:\Users\Mike\AppData\Local\Google\Chrome\User Data\Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek [2015-02-04]
CHR Extension: (Google Docs) - C:\Users\Mike\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake [2015-02-04]
CHR Extension: (Google Drive) - C:\Users\Mike\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2015-10-20]
CHR Extension: (YouTube) - C:\Users\Mike\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2015-09-24]
CHR Extension: (Google Search) - C:\Users\Mike\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf [2015-10-26]
CHR Extension: (Adobe Acrobat) - C:\Users\Mike\AppData\Local\Google\Chrome\User Data\Default\Extensions\efaidnbmnnnibpcajpcglclefindmkaj [2017-02-14]
CHR Extension: (Google Sheets) - C:\Users\Mike\AppData\Local\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap [2015-02-04]
CHR Extension: (Google Docs Offline) - C:\Users\Mike\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi [2016-04-02]
CHR Extension: (PushControl) - C:\Users\Mike\AppData\Local\Google\Chrome\User Data\Default\Extensions\mlimcdoaokfndjofnhhlhbnhkjjfkpob [2016-12-13]
CHR Extension: (Chrome Web Store Payments) - C:\Users\Mike\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2017-01-23]
CHR Extension: (Gmail) - C:\Users\Mike\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2015-03-28]
CHR Extension: (Chrome Media Router) - C:\Users\Mike\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm [2017-02-14]
CHR HKLM-x32\...\Chrome\Extension: [efaidnbmnnnibpcajpcglclefindmkaj] - C:\Program Files (x86)\Adobe\Acrobat 11.0\Acrobat\Browser\WCChromeExtn\WCChromeExtn.crx [2013-12-21]
CHR HKLM-x32\...\Chrome\Extension: [ogccgbmabaphcakpiclgcnmcnimhokcj] - C:\Windows\SysWOW64\jmdp\SweetNT.crx <not found>

==================== Services (Whitelisted) ====================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R2 ABBYY.Licensing.FineReader.Sprint.9.0; C:\Program Files (x86)\Common Files\ABBYY\FineReaderSprint\9.00\Licensing\NetworkLicenseServer.exe [759048 2009-05-14] (ABBYY)
R2 Apple Mobile Device Service; C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe [83768 2016-09-22] (Apple Inc.)
R2 AsSysCtrlService; C:\Program Files (x86)\ASUS\AsSysCtrlService\1.00.02\AsSysCtrlService.exe [96896 2009-12-28] (ASUSTeK Computer Inc.)
R2 ekrn; C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe [2770312 2016-11-22] (ESET)
R2 EpsonBidirectionalService; C:\Program Files (x86)\Common Files\EPSON\EBAPI\eEBSVC.exe [94208 2006-12-19] (SEIKO EPSON CORPORATION) [File not signed]
S2 Garmin Core Update Service; C:\Program Files (x86)\Garmin\Core Update Service\Garmin.Cartography.MapUpdate.CoreService.exe [517464 2015-01-28] (Garmin Ltd or its subsidiaries)
S3 IDriverT; C:\Program Files (x86)\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe [69632 2005-11-14] (Macrovision Corporation) [File not signed]
R2 LightScribeService; C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe [73728 2011-03-04] (Hewlett-Packard Company) [File not signed]
R3 MBAMService; C:\Program Files\Malwarebytes\Anti-Malware\mbamservice.exe [4355024 2017-01-20] (Malwarebytes)
R2 NeroMediaHomeService.4; C:\Program Files (x86)\Nero\Nero MediaHome 4\NMMediaServerService.exe [517416 2010-10-26] (Nero AG)
S3 RoxMediaDBVHS; C:\Program Files (x86)\Common Files\Roxio Shared\VHStoDVD\SharedCOM\RoxMediaDBVHS.exe [1112720 2012-07-30] (Corel Corporation)
S3 SandraAgentSrv; D:\Program Files\SiSoftware\SiSoftware Sandra Lite 2015.SP2\RpcAgentSrv.exe [73200 2015-05-20] (SiSoftware) [File not signed]
R2 Seagate Dashboard Services; C:\Program Files (x86)\Seagate\Seagate Dashboard 2.0\Seagate.Dashboard.DASWindowsService.exe [16216 2016-06-28] (Seagate Technology LLC)
R2 Seagate MobileBackup Service; C:\Program Files (x86)\Seagate\Seagate Dashboard 2.0\MobileService.exe [143656 2016-06-28] (Seagate Technology LLC)
S3 SwitchBoard; C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [517096 2010-02-19] (Adobe Systems Incorporated) [File not signed]
R2 TechSmith Uploader Service; C:\Program Files (x86)\Common Files\TechSmith Shared\Uploader\UploaderService.exe [3408384 2015-01-26] (TechSmith Corporation) [File not signed]
R2 WDBackup; C:\Program Files (x86)\Western Digital\WD SmartWare\WDBackupEngine.exe [1157056
2012-09-19] (Western Digital ) R2 WDDriveService; C:\Program Files (x86)\Western Digital\WD Drive Manager\WDDriveService.exe [248248 2012-09-19] (Western Digital) R2 WDRulesService; C:\Program Files (x86)\Western Digital\WD SmartWare\WDRulesEngine.exe [1177536 2012-09-19] (Western Digital ) R2 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [1011712 2013-05-27] (Microsoft Corporation) ===================== Drivers (Whitelisted) ====================== (If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.) R1 AsIO; C:\Windows\SysWow64\drivers\AsIO.sys [13440 2010-04-22] () R1 AsUpIO; C:\Windows\SysWow64\drivers\AsUpIO.sys [13368 2009-07-05] () S0 BsStor; C:\Windows\SysWOW64\DRIVERS\bsstor.sys [9344 2002-06-05] (B.H.A Co.,Ltd.) [File not signed] S2 BsUDF; C:\Windows\SysWow64\Drivers\BsUDF.sys [468480 2003-01-15] (ahead software) [File not signed] R1 eamonm; C:\Windows\System32\DRIVERS\eamonm.sys [262792 2016-11-22] (ESET) U5 edevmon; C:\Windows\System32\Drivers\edevmon.sys [251632 2015-07-13] (ESET) R1 ehdrv; C:\Windows\System32\DRIVERS\ehdrv.sys [197248 2016-11-22] (ESET) R2 epfwwfpr; C:\Windows\System32\DRIVERS\epfwwfpr.sys [181384 2016-11-22] (ESET) S3 epmntdrv; C:\Windows\system32\epmntdrv.sys [18528 2014-11-18] () S3 epmntdrv; C:\Windows\SysWOW64\epmntdrv.sys [14944 2014-11-18] () S3 EuGdiDrv; C:\Windows\system32\EuGdiDrv.sys [10848 2014-11-18] () S3 EuGdiDrv; C:\Windows\SysWOW64\EuGdiDrv.sys [10208 2014-11-18] () S3 FTDIBUS; C:\Windows\System32\drivers\ftdibus.sys [118160 2016-10-04] (Future Technology Devices International Ltd.) 
S3 FTSER2K; C:\Windows\System32\drivers\ftser2k.sys [88752 2016-10-04] () S3 hitmanpro37; C:\Windows\system32\drivers\hitmanpro37.sys [32000 2013-07-21] () S1 incdrm; C:\Windows\SysWow64\Drivers\incdrm.sys [7582 2002-10-08] (Ahead Software AG) [File not signed] S3 ivusb; C:\Windows\System32\DRIVERS\ivusb.sys [29720 2010-07-28] () [File not signed] R3 MBAMSwissArmy; C:\Windows\system32\drivers\MBAMSwissArmy.sys [251848 2017-02-22] (Malwarebytes) R3 MTsensor; C:\Windows\System32\DRIVERS\ASACPI.sys [15416 2009-07-15] () S3 OV550I; C:\Windows\System32\Drivers\ov550ivx.sys [196992 2008-02-22] (Omnivision Technologies, Inc.) S3 pfc; C:\Windows\SysWOW64\drivers\pfc.sys [10368 2004-04-01] (Padus, Inc.) [File not signed] R0 PxHlpa64; C:\Windows\System32\Drivers\PxHlpa64.sys [56336 2012-07-10] (Corel Corporation) S3 SANDRA; D:\Program Files\SiSoftware\SiSoftware Sandra Lite 2015.SP2\WNt600x64\Sandra.sys [23112 2009-08-07] (SiSoftware) S3 SWDUMon; C:\Windows\System32\DRIVERS\SWDUMon.sys [13920 2017-02-22] () U5 UnlockerDriver5; C:\Program Files\Unlocker\UnlockerDriver5.sys [12352 2010-07-01] () S3 USB28xxBGA; C:\Windows\System32\DRIVERS\emBDA64A.sys [738328 2012-05-04] (eMPIA Technology, Inc.) S3 USB28xxOEM; C:\Windows\System32\DRIVERS\emOEM64A.sys [1226136 2012-05-04] (eMPIA Technology, Inc.) R3 WsAudio_Device; C:\Windows\System32\drivers\VirtualAudio.sys [31080 2015-02-27] (Wondershare) S1 fypejfbj; \??\C:\Windows\system32\drivers\fypejfbj.sys [X] S2 npf; \??\C:\Windows\system32\drivers\npf.sys [X] U2 V2iMount; no ImagePath ==================== NetSvcs (Whitelisted) =================== (If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.) ==================== One Month Created files and folders ======== (If an entry is included in the fixlist, the file/folder will be moved.) 
2017-02-22 16:50 - 2017-02-22 16:51 - 00000000 ____D C:\FRST 2017-02-22 15:07 - 2017-02-22 15:08 - 00081696 _____ (Malwarebytes) C:\Windows\system32\Drivers\mwac.sys 2017-02-22 15:07 - 2017-02-22 15:07 - 00251848 _____ (Malwarebytes) C:\Windows\system32\Drivers\MBAMSwissArmy.sys 2017-02-22 15:07 - 2017-02-22 15:07 - 00176584 _____ (Malwarebytes) C:\Windows\system32\Drivers\MBAMChameleon.sys 2017-02-22 15:07 - 2017-02-22 15:07 - 00110536 _____ (Malwarebytes) C:\Windows\system32\Drivers\farflt.sys 2017-02-22 15:07 - 2017-02-22 15:07 - 00043968 _____ (Malwarebytes) C:\Windows\system32\Drivers\mbam.sys 2017-02-22 15:07 - 2017-02-22 15:07 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes 2017-02-22 15:07 - 2017-01-20 07:47 - 00077416 _____ C:\Windows\system32\Drivers\mbae64.sys 2017-02-22 15:06 - 2017-02-22 15:06 - 00000000 ____D C:\Program Files\Malwarebytes 2017-02-22 14:11 - 2017-02-22 14:11 - 00000000 ___HD C:\OneDriveTemp 2017-02-22 13:02 - 2017-02-22 13:42 - 00000364 _____ C:\Windows\Tasks\SlimCleaner Plus (Scheduled Scan - Mike).job 2017-02-22 13:02 - 2017-02-22 13:02 - 00003024 _____ C:\Windows\System32\Tasks\SlimCleaner Plus (Scheduled Scan - Mike) 2017-02-22 12:04 - 2017-02-22 12:04 - 00013920 _____ C:\Windows\system32\Drivers\SWDUMon.sys 2017-02-20 07:33 - 2017-02-20 07:33 - 00000000 ____D C:\Windows\SysWOW64\RTCOM 2017-02-20 07:33 - 2017-02-20 07:33 - 00000000 ____D C:\Program Files\Realtek ==================== One Month Modified files and folders ======== (If an entry is included in the fixlist, the file/folder will be moved.) 
2017-02-22 16:27 - 2015-01-21 10:16 - 00000898 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job 2017-02-22 16:21 - 2015-01-19 08:58 - 00000830 _____ C:\Windows\Tasks\Adobe Flash Player Updater.job 2017-02-22 16:21 - 2013-07-12 12:09 - 00000000 ____D C:\Program Files (x86)\Conduit 2017-02-22 16:21 - 2013-04-09 20:26 - 00000000 ____D C:\ProgramData\APN 2017-02-22 16:21 - 2012-11-10 15:25 - 00000000 ____D C:\Users\Mike 2017-02-22 15:06 - 2013-07-21 14:11 - 00000000 ____D C:\ProgramData\Malwarebytes 2017-02-22 14:59 - 2016-11-18 19:01 - 00000000 ____D C:\Users\Mike\AppData\LocalLow\Mozilla 2017-02-22 14:48 - 2009-07-13 22:20 - 00000000 ____D C:\Windows\inf 2017-02-22 14:21 - 2009-07-14 00:13 - 00782510 _____ C:\Windows\system32\PerfStringBackup.INI 2017-02-22 14:19 - 2009-07-13 23:45 - 00023584 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0 2017-02-22 14:19 - 2009-07-13 23:45 - 00023584 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0 2017-02-22 14:11 - 2016-11-04 18:15 - 00000412 _____ C:\Windows\Tasks\Nero TuneItUp PRO (Tray).job 2017-02-22 14:11 - 2016-10-20 14:23 - 00000000 ___RD C:\Users\Mike\OneDrive 2017-02-22 14:11 - 2015-10-09 07:21 - 00000433 _____ C:\Windows\system32\Drivers\etc\hosts.ics 2017-02-22 14:11 - 2015-01-21 10:16 - 00000894 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job 2017-02-22 14:11 - 2013-07-12 13:16 - 00065536 _____ C:\Windows\system32\Ikeext.etl 2017-02-22 14:11 - 2009-07-14 00:08 - 00000006 ____H C:\Windows\Tasks\SA.DAT 2017-02-22 14:11 - 2009-07-13 22:20 - 00000000 ____D C:\Windows\tracing 2017-02-22 14:07 - 2012-11-10 15:27 - 00000000 ____D C:\ProgramData\EPSON 2017-02-22 14:05 - 2014-11-07 21:53 - 00000000 ____D C:\Program Files (x86)\Epson Software 2017-02-22 14:05 - 2012-11-10 15:50 - 00000000 ___HD C:\Program Files (x86)\InstallShield Installation Information 2017-02-22 14:04 - 2014-11-07 21:53 - 00000000 
____D C:\Program Files (x86)\epson 2017-02-22 06:51 - 2016-12-09 06:54 - 00003168 _____ C:\Windows\System32\Tasks\OneDrive Standalone Update Task v2 2017-02-22 06:51 - 2016-10-20 14:23 - 00002156 _____ C:\Users\Mike\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Microsoft OneDrive.lnk 2017-02-21 07:01 - 2013-07-07 06:56 - 00000000 ____D C:\Users\Mike\AppData\Roaming\Skype 2017-02-20 07:57 - 2013-07-07 06:56 - 00000000 ____D C:\ProgramData\Skype 2017-02-14 15:21 - 2015-07-09 07:21 - 20359768 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerInstaller.exe 2017-02-14 15:21 - 2015-01-19 08:58 - 00003768 _____ C:\Windows\System32\Tasks\Adobe Flash Player Updater 2017-02-14 15:21 - 2014-11-28 14:56 - 00802904 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe 2017-02-14 15:21 - 2014-11-28 14:56 - 00144472 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl 2017-02-14 15:21 - 2012-11-10 20:06 - 00000000 ____D C:\Windows\SysWOW64\Macromed 2017-02-14 15:21 - 2012-11-10 20:04 - 00000000 ____D C:\Windows\system32\Macromed 2017-02-13 13:29 - 2015-01-21 10:17 - 00002074 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome.lnk 2017-02-13 13:24 - 2009-07-14 00:32 - 00000000 ____D C:\Windows\system32\FxsTmp 2017-01-30 17:39 - 2016-05-25 19:06 - 00097856 _____ (Oracle Corporation) C:\Windows\SysWOW64\WindowsAccessBridge-32.dll 2017-01-30 17:39 - 2016-05-25 19:06 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Java 2017-01-30 17:39 - 2016-05-25 19:06 - 00000000 ____D C:\Program Files (x86)\Java 2017-01-30 17:39 - 2016-05-25 19:01 - 00000000 ____D C:\ProgramData\Oracle 2017-01-30 15:43 - 2013-08-23 11:59 - 00000000 ____D C:\Program Files (x86)\Mozilla Maintenance Service 2017-01-30 14:25 - 2016-11-18 18:51 - 00000000 ____D C:\Program Files (x86)\Mozilla Firefox 2017-01-25 10:02 - 2017-01-18 12:48 - 00000000 ____D C:\ES2WorkTemp 2017-01-24 15:48 - 2017-01-18 12:31 - 
00000045 _____ C:\Windows\ET-3600.ini 2017-01-23 13:29 - 2012-12-06 14:34 - 00000000 ____D C:\Users\Mike\AppData\Roaming\vlc 2017-01-23 07:36 - 2015-07-08 08:11 - 00002441 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Acrobat Reader DC.lnk ==================== Files in the root of some directories ======= 2013-02-03 11:03 - 2011-08-23 18:34 - 0465264 _____ (Corel) C:\Program Files (x86)\Common Files\AppFramework.dll 2013-02-03 11:03 - 2011-08-23 16:42 - 0148177 _____ () C:\Program Files (x86)\Common Files\BookViewer.xap 2013-02-03 11:03 - 2011-08-23 18:35 - 0402800 _____ () C:\Program Files (x86)\Common Files\facebook.dll 2013-02-03 11:03 - 2011-08-23 18:35 - 0033136 _____ (Corel-V1E) C:\Program Files (x86)\Common Files\FlickrProvider.dll 2013-02-03 11:03 - 2011-08-23 18:42 - 0332144 _____ (Corel) C:\Program Files (x86)\Common Files\MediaOrganizer.dll 2013-02-03 11:03 - 2011-08-23 18:35 - 0130416 _____ () C:\Program Files (x86)\Common Files\PluginCommon.dll 2015-11-07 14:19 - 2015-11-07 14:19 - 0000132 _____ () C:\Users\Mike\AppData\Roaming\Adobe PNG Format CS6 Prefs 2015-01-20 21:02 - 2015-01-20 21:02 - 0000268 ___RH () C:\Users\Mike\AppData\Roaming\Audio Unit Effect 2015-01-20 21:02 - 2015-01-20 21:02 - 0000268 ___RH () C:\Users\Mike\AppData\Roaming\Audio Units 2015-06-29 16:51 - 2015-06-30 05:07 - 14548992 _____ () C:\Users\Mike\AppData\Roaming\Sandra.mdb 2012-11-10 18:09 - 2012-11-10 18:09 - 0000268 ___RH () C:\Users\Mike\AppData\Roaming\Speech Enhancer 2015-01-03 06:45 - 2015-01-03 06:45 - 0000268 ___RH () C:\Users\Mike\AppData\Roaming\Sports 2012-11-10 18:13 - 2012-11-10 18:13 - 0000268 ___RH () C:\Users\Mike\AppData\Roaming\Standard 2015-01-03 06:43 - 2015-01-03 06:43 - 0000268 ___RH () C:\Users\Mike\AppData\Roaming\StatusSheet 2012-11-25 12:44 - 2016-12-26 17:56 - 0018944 _____ () C:\Users\Mike\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini 2012-11-10 15:50 - 2013-01-03 14:01 - 0000236 _____ () 
C:\Users\Mike\AppData\Local\LaunchHomeCenter.log 2013-04-28 15:40 - 2015-07-05 21:13 - 0007613 _____ () C:\Users\Mike\AppData\Local\Resmon.ResmonCfg 2015-12-22 19:08 - 2016-08-13 13:12 - 0025344 _____ () C:\Users\Mike\AppData\Local\rx_audio.Cache 2015-12-22 19:06 - 2015-12-22 19:06 - 0000000 _____ () C:\Users\Mike\AppData\Local\rx_image32.Cache 2015-01-20 21:02 - 2015-01-20 21:02 - 0000268 ___RH () C:\ProgramData\Automator 2015-01-20 21:02 - 2015-01-20 21:02 - 0000268 ___RH () C:\ProgramData\BSD 2012-11-25 12:43 - 2016-10-14 09:41 - 0001838 ___SH () C:\ProgramData\KGyGaAvL.sys 2016-11-10 14:28 - 2016-11-10 14:28 - 0004975 _____ () C:\ProgramData\kjiixkes.ghp 2016-10-14 09:24 - 2016-10-14 09:24 - 0000016 _____ () C:\ProgramData\mntemp 2016-10-14 09:24 - 2016-10-14 09:24 - 0004929 _____ () C:\ProgramData\mudtcpaz.vzs 2015-01-03 06:41 - 2016-04-22 06:21 - 0000020 ____H () C:\ProgramData\PKP_DLbx.DAT 2015-01-20 21:02 - 2015-01-20 21:02 - 0000020 ____H () C:\ProgramData\PKP_DLck.DAT 2012-11-10 18:09 - 2014-02-22 06:53 - 0000020 ____H () C:\ProgramData\PKP_DLdu.DAT 2012-11-10 18:13 - 2015-05-22 15:11 - 0000020 ____H () C:\ProgramData\PKP_DLdw.DAT 2015-01-03 06:45 - 2015-06-15 05:07 - 0000020 ____H () C:\ProgramData\PKP_DLdx.DAT 2015-01-03 06:43 - 2015-01-03 06:51 - 0000020 ____H () C:\ProgramData\PKP_DLeq.DAT 2012-11-10 18:09 - 2012-11-10 18:09 - 0000268 ___RH () C:\ProgramData\StartupItems 2015-01-03 06:45 - 2015-01-03 06:45 - 0000268 ___RH () C:\ProgramData\Static Library 2012-11-10 18:13 - 2012-11-10 18:13 - 0000268 ___RH () C:\ProgramData\StatusSheet 2012-11-10 18:09 - 2015-01-03 06:43 - 0000268 ___RH () C:\ProgramData\Strings 2015-01-03 06:45 - 2015-01-03 06:45 - 0000012 ___RH () C:\ProgramData\SupportPrinters 2012-11-10 18:13 - 2012-11-10 18:13 - 0000012 ___RH () C:\ProgramData\Sync Services 2015-01-03 06:43 - 2015-01-03 06:43 - 0000012 ___RH () C:\ProgramData\Techno Kit 2015-06-29 16:21 - 2015-06-29 16:21 - 0022188 _____ () C:\ProgramData\xml97EC.tmp 2015-06-29 
16:21 - 2015-06-29 16:21 - 0000000 _____ () C:\ProgramData\xml99D0.tmp 2015-06-29 16:21 - 2015-06-29 16:21 - 0000000 _____ () C:\ProgramData\xml9C41.tmp ==================== Bamital & volsnap ====================== (There is no automatic fix for files that do not pass verification.) C:\Windows\system32\winlogon.exe => File is digitally signed C:\Windows\system32\wininit.exe => File is digitally signed C:\Windows\SysWOW64\wininit.exe => File is digitally signed C:\Windows\explorer.exe => File is digitally signed C:\Windows\SysWOW64\explorer.exe => File is digitally signed C:\Windows\system32\svchost.exe => File is digitally signed C:\Windows\SysWOW64\svchost.exe => File is digitally signed C:\Windows\system32\services.exe => File is digitally signed C:\Windows\system32\User32.dll => File is digitally signed C:\Windows\SysWOW64\User32.dll => File is digitally signed C:\Windows\system32\userinit.exe => File is digitally signed C:\Windows\SysWOW64\userinit.exe => File is digitally signed C:\Windows\system32\rpcss.dll => File is digitally signed C:\Windows\system32\dnsapi.dll => File is digitally signed C:\Windows\SysWOW64\dnsapi.dll => File is digitally signed C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed LastRegBack: 2017-02-22 12:28 ==================== End of FRST.txt ============================ Result of Security Analysis by Rocket Grannie (x86) Updated: 5th February, 2017 Running from:D:\Desktop (16:53:16 - 02/22/2017) ***---------------------------------------------------------*** Microsoft Windows 7 Home Premium X64 Service Pack 1 UAC is *Disabled* Internet Explorer 11 Default Browser: Firefox ***------------Antivirus - Antispyware - Firewall-----------*** ESET NOD32 Antivirus 9.0.408.0's ProductState is indeterminate ESET NOD32 Antivirus 9.0.408.0's ProductState is indeterminate Windows Defender (Enabled - Up to Date) Windows Firewall (Enabled) *No other Firewall Installed* ***-------Security Programs - Browsers - Miscellaneous------*** 
Adobe Flash Player 24 NPAPI (version 24.0.0.221) Firefox (version 51.0.1) Google Chrome (version 55) Java (version 8.0.1210.13) Microsoft Silverlight (version 5.1) Windows Live Essentials (version 16.4) CCleaner (version 5.07) is *out of Date* ***----------------Analysis Complete-------------------------***
8. FYI...

Fake 'Secure Bank Comm' SPAM - delivers Trickbot
- https://myonlinesecurity.co.uk/spoofed-canada-revenue-agency-important-secure-bank-communication-malspam-delivers-trickbot-banking-trojan/
22 Feb 2017 - "An email with the subject of 'Important – Secure Bank Communication' coming from either Canada Revenue Agency <no-reply@ secure-gc .ca> or Canada Revenue Agency <no-reply@ securegcemail .ca> with a malicious word doc attachment delivers Trickbot banking Trojan...
Screenshot: https://myonlinesecurity.co.uk/wp-content/uploads/2017/02/canada-revenue-agaency-secure-doc.png
22 February 2017: SecureDoc.doc - Current Virus total detections 2/55[1] 2/55[2] Payload Security [1A] [2A] none of which are showing the download location of the actual Trickbot itself, although it is on Virus Total 20/58[3]. I am informed[4] the download location is www .TPSCI .COM/pngg/granionulos.png -or- http ://www .sungkrorsang .com/fileFTP/granionulos.png which of course is -not- an image file but a renamed .exe... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
1] https://www.virustotal.com/en/file/fcd0eef7dec8141df9704da6fcf6543d6b18526ef2944b2a225b36883c7a0b4a/analysis/1487783258/
2] https://www.virustotal.com/en/file/bea79c0a9445e48019cb65c494d90a366ae9f4f45ea3a330beb39dbddecb072b/analysis/
1A] https://www.hybrid-analysis.com/sample/fcd0eef7dec8141df9704da6fcf6543d6b18526ef2944b2a225b36883c7a0b4a?environmentId=100
2A] https://www.hybrid-analysis.com/sample/bea79c0a9445e48019cb65c494d90a366ae9f4f45ea3a330beb39dbddecb072b?environmentId=100
3] https://www.virustotal.com/en/file/8dbddb55d22bff09a5286e10edc104e67dec8c864bc06a797183e9b898423427/analysis/
4] https://twitter.com/GossiTheDog/status/834453695299518464
TPSCI .COM: 203.121.180.74: https://www.virustotal.com/en/ip-address/203.121.180.74/information/
> https://www.virustotal.com/en/url/8d2abb870d46dd468b8c01246ce20f2266da858215f65b960ff1e1960a1ce0cb/analysis/
sungkrorsang .com: 61.19.252.134: https://www.virustotal.com/en/ip-address/61.19.252.134/information/
> https://www.virustotal.com/en/url/773bfa543ee80ce5ca0db5dda59ec2002f0de997b3d2975fb071e258e1fda633/analysis/
___

Dropbox phish
- https://myonlinesecurity.co.uk/you-have-2-new-documents-dropbox-phishing/
22 Feb 2017 - "Another phishing email, this time spoofing -Dropbox- where you land on a page with lots of different email providers and the evil scum doing these phishes will pop up the appropriate one for you to enter all your details, pretending that you can now sign into dropbox using your email address. After giving the details you get sent to the genuine DropBox site:
Screenshot: https://myonlinesecurity.co.uk/wp-content/uploads/2017/02/dropbox_phishing_email.png
The -link- goes to http ://www.pedraforte .net/js/index/klnkjfe/dropbox/dropbox/ (there might be other sites, there usually are with these scams) where you see a page looking like:
> https://myonlinesecurity.co.uk/wp-content/uploads/2017/02/dropbox_phishing.png
Select -any- of the links and you get:
> https://myonlinesecurity.co.uk/wp-content/uploads/2017/02/dropbox_phishing1.png "
pedraforte .net: 192.185.217.111: https://www.virustotal.com/en/ip-address/192.185.217.111/information/
> https://www.virustotal.com/en/url/85c6b743832fca360807f9633efbab6f1ee415ab0ccafc0188e1d05ae6a5552e/analysis/
9. FYI...

Microsoft Security Bulletin MS17-005 - Critical
Security Update for Adobe Flash Player (4010250)
- https://technet.microsoft.com/en-us/library/security/MS17-005
Feb 21, 2017 - "This security update resolves vulnerabilities in Adobe Flash Player when installed on all supported editions of Windows 8.1, Windows Server 2012, Windows Server 2012 R2, Windows RT 8.1, Windows 10, and Windows Server 2016..."
- https://support.microsoft.com/en-us/help/4010250/ms17-005-security-update-for-adobe-flash-player-february-21-2017
Last Review: Feb 21, 2017 - Rev: 28
- https://isc.sans.edu/diary.html?storyid=22097
2017-02-21 23:55:22 UTC
- https://blogs.technet.microsoft.com/msrc/2017/02/21/adobe-flash-player-security-vulnerability-release/
Feb 21, 2017
10. FYI...
- https://support.apple.com/en-us/HT201222

Logic Pro X 10.3.1
- https://support.apple.com/en-us/HT207519
Feb 21, 2017 - "Available for: OS X Yosemite v10.10 and later (64 bit)
Impact: Opening a maliciously crafted GarageBand project file may lead to arbitrary code execution
Description: A memory corruption issue was addressed through improved memory handling."
- https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-2374
___

- https://www.us-cert.gov/ncas/current-activity/2017/02/21/Apple-Releases-Security-Update
Feb 21, 2017
11. I have 100GB of open space. That seems to work now. Aside from the space problem..I've got a new problem. I left my computer on all night and woke up ...what was in front of me on the monitor was a google page opened in firefox that said in the search bar "make too tne ziad spree" I have no clue what that even means but I know I didn't type it in. It's not something I would even see myself typing. I can only assume perhaps someone was using it remotely or something without me knowing. Any help on this is appreciated. Thanks! :-D
12. FYI...

Rogue Chrome extension - tech support scam
- https://blog.malwarebytes.com/threat-analysis/2017/02/rogue-chrome-extension-pushes-tech-support-scam/
Feb 21, 2017 - "... Google Chrome... no surprise to see it being more and more targeted these days. In particular, less than reputable -ad- networks are contributing to the distribution of malicious Chrome extensions via very deceptive means... Google Chrome users are profiled based on the user-agent string they show whenever they visit a website. Rather than redirecting them to an exploit kit, they are often redirected to fake software updates, scams, or rogue browser extensions... Once installed, this extension ensures it stays in hiding by using a 1×1 pixel image as its logo... and by hooking chrome://extensions and chrome://settings such that any attempt to access those is automatically redirected to chrome://apps. That makes it much more difficult for the average user to see what extensions they have, let alone uninstall one of them... wouldn’t be complete without a tech support scam which it seems one can’t avoid these days. If the user clicked on a new tab or typed a ‘forbidden’ keyword, the redirection chain would then deliver a -fake- Microsoft warning:
> https://blog.malwarebytes.com/wp-content/uploads/2017/02/TSS1.png
... We detect and remove this one as Rogue.ForcedExtension.
IOCs:
Fake extension:
pakistance .club: 104.27.185.37: https://www.virustotal.com/en/ip-address/104.27.185.37/information/
104.27.184.37: https://www.virustotal.com/en/ip-address/104.27.184.37/information/
lfbmleejnobidmafhlihokngmlpbjfgo
Backend server (ad fraud/malvertising):
amserver .info: 104.31.70.128: https://www.virustotal.com/en/ip-address/104.31.70.128/information/
104.31.71.128: https://www.virustotal.com/en/ip-address/104.31.71.128/information/
qma0.2dn .xyz: 173.208.199.163: https://www.virustotal.com/en/ip-address/173.208.199.163/information/
Tech support scam:
microsoft-official-warning .info: 66.23.230.31: https://www.virustotal.com/en/ip-address/66.23.230.31/information/
___

Fake 'Western Union' SPAM - delivers java adwind
- https://myonlinesecurity.co.uk/more-spoofed-western-union-malspam-continues-to-deliver-java-adwind/
21 Feb 2017 - "... -fake- financial themed emails containing java adwind or Java Jacksbot attachments. I have previously mentioned many of these HERE[1]. We have been seeing these sort of emails almost every day...
1] https://myonlinesecurity.co.uk/?s=java+adwind
The java Adwind versions are exactly the same as Yesterday’s versions detailed HERE[2]. The zip once again contains -2- different sized and named java files, although named differently to yesterday’s versions, they are identical.
2] https://myonlinesecurity.co.uk/spoofed-western-union-it-dept-wupos-agent-upgrade-delivers-java-adwind/
Screenshot: https://myonlinesecurity.co.uk/wp-content/uploads/2017/02/Western-Union-rtra-rules.png
DETAILS OF PROHIBITED INDIVIDUALS SCREENED FOR THIS TRANSACTION AND MTCN.jar (507kb) VirusTotal 8/58* Payload Security**
WESTERN UNION RTRA RULES AND REFUND IN FULL..jar (333kb) VirusTotal 8/57*** | Payload Security[4]
... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/7700eb067c966f5b6015ebd4e4945e00c224c01efaf1f77604f1a06996f678a2/analysis/1487577130/
** https://www.hybrid-analysis.com/sample/7700eb067c966f5b6015ebd4e4945e00c224c01efaf1f77604f1a06996f678a2?environmentId=100
*** https://www.virustotal.com/en/file/6a56eeb1172b8b895a53ed47691239dae93d19fc1f140a120a0464beacdae303/analysis/1487577144/
4] https://www.hybrid-analysis.com/sample/6a56eeb1172b8b895a53ed47691239dae93d19fc1f140a120a0464beacdae303?environmentId=100
Contacted Hosts
83.243.41.200
___

BoA 'Access Locked' - phish
- https://myonlinesecurity.co.uk/bank-america-phishing-scam/
21 Feb 2017 - "A slightly different phishing scam for a change. The phishing site is a FTP site which is very unusual...
Screenshot: https://myonlinesecurity.co.uk/wp-content/uploads/2017/02/Bank-of-America-Alert-Your-Online-Access-is-Temporarily-Locked.png
The link-in-the-email goes to: ftp ://121.170.178.35 /License/logon.htm where you see a site looking like:
> https://myonlinesecurity.co.uk/wp-content/uploads/2017/02/BofA_FTP_signon.png "
121.170.178.35: https://www.virustotal.com/en/ip-address/121.170.178.35/information/
> https://www.virustotal.com/en/url/317ec9b5c767caf2f0697361e99c2f8fe2254e7ee51abb1779a2954dd63e2497/analysis/
___

'TurboTax' - phish
- https://myonlinesecurity.co.uk/turbotax-important-notice-request-for-account-update-phishing/
21 Feb 2017 - "Another phishing scam, this time TurboTax:
Screenshot: https://myonlinesecurity.co.uk/wp-content/uploads/2017/02/turbotax-Important-Notice-Request-for-Account-Update.png
The link goes to http ://whitesandscampground .com/images/www.turbotax.com/index.html where you see this page, asking for all the usual details to steal your identity as well as all your bank and credit card accounts and all your money:
> https://myonlinesecurity.co.uk/wp-content/uploads/2017/02/turbotax-phishing-page.png "
whitesandscampground .com: 205.204.89.214: https://www.virustotal.com/en/ip-address/205.204.89.214/information/
> https://www.virustotal.com/en/url/293b141852f722080d51e30d062d8f5703a1646296e460b0ede687cdb8fd26d6/analysis/
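For the rogue Chrome extension item at the top of post 12: the two hiding tricks it describes (a 1×1 pixel logo, and sending anyone who opens chrome://extensions or chrome://settings to chrome://apps) can be checked for from disk, by reading the unpacked extension folders that FRST lists under C:\Users\Mike\AppData\Local\Google\Chrome\User Data\Default\Extensions\ rather than trusting the extensions page that the extension itself redirects away from. The script below is an added example written for this thread, not Malwarebytes' detection logic; the manifests, icon bytes and background source it audits in demo() are constructed samples, and the only value taken from the post is the extension id lfbmleejnobidmafhlihokngmlpbjfgo from the IoC list.

```python
"""Offline audit of unpacked Chrome extensions for the hiding tricks described in
the post above: a 1x1 pixel logo, a known-bad extension id, and background code
that names chrome://extensions or chrome://settings alongside chrome://apps.

Added example for this thread, not Malwarebytes' detection logic. Everything
audited in demo() is constructed; only KNOWN_BAD_IDS comes from the post.
On a real profile the inputs come from Extensions\<id>\<version>\manifest.json,
the icon files it names, and the scripts named under its "background" key.
"""
import re
import struct
import zlib

KNOWN_BAD_IDS = {"lfbmleejnobidmafhlihokngmlpbjfgo"}  # IoC published in the post

# Permissions that let an extension observe and rewrite tab navigations.
NAV_PERMISSIONS = {"tabs", "webNavigation", "webRequest", "webRequestBlocking"}

HOOKED_PAGES = re.compile(r"chrome://(extensions|settings)")
REDIRECT_TARGET = re.compile(r"chrome://apps")

PNG_SIG = b"\x89PNG\r\n\x1a\n"


def png_size(data):
    """(width, height) read from the IHDR chunk, or None if data is not a PNG."""
    if not data.startswith(PNG_SIG) or data[12:16] != b"IHDR":
        return None
    return struct.unpack(">II", data[16:24])


def make_png(width, height):
    """Valid 8-bit grayscale PNG of the given size; used only to build sample icons."""
    def chunk(tag, body):
        crc = zlib.crc32(tag + body) & 0xFFFFFFFF
        return struct.pack(">I", len(body)) + tag + body + struct.pack(">I", crc)
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 0, 0, 0, 0)
    rows = b"".join(b"\x00" * (width + 1) for _ in range(height))  # filter byte + pixels
    return PNG_SIG + chunk(b"IHDR", ihdr) + chunk(b"IDAT", zlib.compress(rows)) + chunk(b"IEND", b"")


def audit_extension(ext_id, manifest, icon_files, background_src, known_bad=KNOWN_BAD_IDS):
    """Return a list of finding strings for one unpacked extension.

    ext_id         folder name under Extensions/ (the 32-letter extension id)
    manifest       parsed manifest.json as a dict
    icon_files     {relative path: bytes} for the files listed under manifest["icons"]
    background_src text of the background script(s)
    """
    findings = []
    if ext_id in known_bad:
        findings.append("known-bad-id")
    for path in manifest.get("icons", {}).values():
        size = png_size(icon_files.get(path, b""))
        if size is not None and size[0] * size[1] <= 4:  # 1x1 or 2x2 placeholder logo
            findings.append("tiny-icon:" + path)
            break
    if (set(manifest.get("permissions", [])) & NAV_PERMISSIONS
            and HOOKED_PAGES.search(background_src)
            and REDIRECT_TARGET.search(background_src)):
        findings.append("hooks-chrome-pages")
    return findings


def demo():
    """Audit two constructed extensions; returns {ext_id: findings} for the flagged ones."""
    benign = {
        # id of the Google Slides entry in the FRST log above; the manifest itself is constructed
        "id": "aapocclcgogkmnckokdopfmhonfmgoek",
        "manifest": {"name": "Slides", "icons": {"128": "icon128.png"}, "permissions": ["storage"]},
        "icons": {"icon128.png": make_png(128, 128)},
        "src": "chrome.storage.local.get('state', function (s) {});",
    }
    rogue = {
        "id": "lfbmleejnobidmafhlihokngmlpbjfgo",
        "manifest": {"name": "Update", "icons": {"128": "logo.png"}, "permissions": ["tabs", "<all_urls>"]},
        "icons": {"logo.png": make_png(1, 1)},
        # constructed strings that carry only the indicators; not an extension's working code
        "src": 'var hidden = ["chrome://extensions", "chrome://settings"];\nvar home = "chrome://apps";',
    }
    report = {}
    for ext in (benign, rogue):
        findings = audit_extension(ext["id"], ext["manifest"], ext["icons"], ext["src"])
        if findings:
            report[ext["id"]] = findings
    return report


if __name__ == "__main__":
    for ext_id, findings in demo().items():
        print(ext_id, ", ".join(findings))
```

The three checks are deliberately independent: the id match only catches this one campaign, the icon check catches the same trick under a fresh id, and the permission-plus-string check flags any extension that both can redirect tabs and mentions the hooked pages, which is worth a manual look even when the other two are clean.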
13. FYI...

Fake 'Urgent Compliance' SPAM - delivers java adwind
- https://myonlinesecurity.co.uk/spoofed-xpressmoney-western-union-urgent-compliance-status-of-transfer-malspam-delivers-java-adwind/
20 Feb 2017 - "... previously mentioned many of these HERE[1]... a slightly different subject and email content to previous ones. They can’t seem to decide if it should be Xpress money or Western Union, so they decided to have an email body with a Western Union Content but pretend to send from Xpress money. I am also getting some from Spoofed Western Union Addresses...
1] https://myonlinesecurity.co.uk/?s=java+adwind
... The email looks like:
From: elizabethst2 .mel@ xpressmoney .com
Date: Mon 20/02/2017 00:47
Subject: Urgent Compliance, Status of transfer
Attachment: Details.zip
Dear agent,
Please kindly check the status of this transaction. The remitter demands for the payment record, because the beneficiary denied the payment that He didn’t receive this money. So Please kindly check this transaction if it was paid,please arrange us the receipt of transaction
Regards,
Senzo Dlamini
Regional Ops Executive
WesternUnion International
... 20 February 2017: Urgent Compliance.jar - Current Virus total detections 6/58* Payload Security**.. The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/f766da864a8dfd5574d80c137e00ab698164fd444ba8ce18bc538dbc76a26f1b/analysis/1487576150/
** https://www.hybrid-analysis.com/sample/f766da864a8dfd5574d80c137e00ab698164fd444ba8ce18bc538dbc76a26f1b?environmentId=100
___

Fake 'Western Union' SPAM - delivers java adwind
- https://myonlinesecurity.co.uk/spoofed-western-union-it-dept-wupos-agent-upgrade-delivers-java-adwind/
20 Feb 2017 - "... -fake- financial themed emails containing java adwind or Java Jacksbot attachments... previously mentioned many of these HERE[1]...
1] https://myonlinesecurity.co.uk/?s=java+adwind
... the email contains a genuine PDF file with an-embedded-link that downloads the java Adwind zip. The zip contains -2- different sized and named java files. The link in the pdf goes to: http ://www.greavy .com/wp-includes/certificates/CERTIFICATE%20DETAILS%20AND%20WUPOS%20UPDATE%20MANUAL.zip which extracts to -2- java.jar files hoping that if one fails the second will get you. Although both are detected as Java Adwind on Virus Total, the Payload Security reports do show different behaviour for each file...
New E-maual and updated payout procedures.jar (507kb) VirusTotal 6/58* | Payload Security**
WU certificate and agent updated branch details..jar (333kb) VirusTotal 8/57*** | Payload Security[4]
The email looks like:
From: Western Union IT Dept. <wu.it-dept@ outlook .com>
Date: Mon 20/02/2017 02:37
Subject: WUPOS Agent Upgrade For All Branches.
Attachment: Details.zip
Dear All,
Western Union ,IT Department data is posting upgrade for new version of WUPOS.Please download attachment by clicking the link.as seen below, run the file and go ahead of checking western union intermediate screen Before doing that please read directives in attachments then map the Western Union user ID in the Symex application and proceed. Please let me know if you face any issue.
Thanks & Regards,
IT Department
Western Union...
The pdf looks like:
> https://myonlinesecurity.co.uk/wp-content/uploads/2017/02/wupos-update.png
... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/7700eb067c966f5b6015ebd4e4945e00c224c01efaf1f77604f1a06996f678a2/analysis/1487577130/
** https://www.hybrid-analysis.com/sample/7700eb067c966f5b6015ebd4e4945e00c224c01efaf1f77604f1a06996f678a2?environmentId=100
*** https://www.virustotal.com/en/file/6a56eeb1172b8b895a53ed47691239dae93d19fc1f140a120a0464beacdae303/analysis/1487577144/
4] https://www.hybrid-analysis.com/sample/6a56eeb1172b8b895a53ed47691239dae93d19fc1f140a120a0464beacdae303?environmentId=100
Contacted Hosts
83.243.41.200
greavy .com: 180.240.134.105: https://www.virustotal.com/en/ip-address/180.240.134.105/information/
> https://www.virustotal.com/en/url/059494b4e1a329645378d93c797dbdebe5e5c428f155f8c6bf9d69b3e3aa83b4/analysis/
___

Fake 'Secure Bank Documents' SPAM - delivers Trickbot
- https://myonlinesecurity.co.uk/spoofed-lloyds-bank-important-secure-bank-documents-malspam-delivers-trickbot-banking-trojan/
20 Feb 2017 - "... an email with the subject of 'Important – Secure Bank Documents'... pretending to come from Lloyds Bank <no-reply@ lloydsbanksecuredocs .com> delivers Trickbot banking Trojan...
Screenshot: https://myonlinesecurity.co.uk/wp-content/uploads/2017/02/lloyds-bank-secure-documents.png
20 February 2017: BACs.doc - Current Virus total detections 7/55* I am informed about 2 known download locations for the Trickbot malware: www .sungkrorsang .com/hostelfrost.png and wp .pilbauer .com/wp-content/uploads/lordsofsteel.png There probably are many more. VirusTotal 11/57**... The sending email Address lloydsbanksecuredocs .com was registered by criminals -today- using Godaddy and Privacy protection. It is -not- a genuine Lloyds bank web site or web address.. DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/2ba82eb83d32e55787f00b753be8d75b143e7a0984918010719a3ee0f0334743/analysis/1487606754/
** https://www.virustotal.com/en/file/6356ed6ca05c8f87f1ae34aa1f3c4a119c5b6e811b00cb996ba688cc6695f683/analysis/1487607471/
lloydsbanksecuredocs .com: 45.55.36.38 159.203.126.233 159.203.117.63 159.203.115.143 159.203.170.214
sungkrorsang .com: 61.19.252.134: https://www.virustotal.com/en/ip-address/61.19.252.134/information/
> https://www.virustotal.com/en/url/27e7a98cde7df7094f20d32db75dcfa5d9625fa9e2a73bcf2e89e9fe32184e02/analysis/
pilbauer .com: 178.217.244.53: https://www.virustotal.com/en/ip-address/178.217.244.53/information/
  14. Hi XZY5. You're welcome. I'm glad that you were able to copy your data to the new computer and both machines are running well. The most important thing was the cleaning of both computers so you can safely copy your documents to the new computer.

If everything is good, below I have included a number of recommendations for how to protect your computers in order to prevent future malware infections. Please take these recommendations seriously; these few simple steps can stave off the vast majority of spyware problems.

Keep your Antivirus program up-to-date.

Please note: Many installers offer third-party downloads that are installed automatically when you do not uncheck certain checkboxes. Please uncheck them if you don't want or use them. While most of the time not being malicious, you usually do not want these on your computer. Be careful during the installation process and you will avoid seeing tons of new unwanted toolbars in your favorite web browser.

Please consider installing and running some of the following programs; they are either free or have free versions of commercial programs:

Keep Malwarebytes updated and perform a regular scan of your system as it will make it harder for malware to reside on your computer. A tutorial on using Malwarebytes can be found here. Please Note that only the paid-for version has real time capabilities.

A free non-resident utility to prevent the installation of ActiveX-based malware is JavaCool's SpywareBlaster, available here. Please note that the free version of SpywareBlaster needs manual updates.

Please keep these programs up-to-date and run them whenever you suspect a problem to prevent malware problems. A number of programs have resident protection and it is a good idea to run the resident protection of one of each type of program to maintain protection. However, it is important to run only one resident program of each type since they can conflict and become less effective. That means only one antivirus, firewall and scanning anti-spyware program at a time. Passive protectors, like SpywareBlaster, can be run with any of them.

Note that there are a lot of rogue programs out there that want to scare you into giving them your money and some malware actually claims to be security programs. If you get a popup for a security program that you did not install yourself, DO NOT click on it and ask for help immediately. It is very important to run an antivirus and firewall, but you can't always rely on reviews and ads for information. Ask in a security forum that you trust if you are not sure. If you are unsure and looking for anti-spyware programs, you can find out if it is a rogue here: Bleeping Computer LLC - Check the last post for the latest list.

A similar category of programs is now called "scareware." Scareware programs are active infections that will pop-up on your computer and tell you that you are infected. If you look closely, it will usually have a name that looks like it might be legitimate, but it is NOT one of the programs you installed. It tells you to click and install it right away. If you click on any part of it, including the 'X' to close it, you may actually help it infect your computer further. Keeping protection updated and running resident protection can help prevent these infections. If it happens anyway, get offline as quickly as you can. Pull the internet connection cable or shut down the computer if you have to. Contact someone to help by using another computer if possible. These programs are also sometimes called 'rogues', but they are different than the older version of rogues mentioned above.

Another of the most feared threats at the moment is an infection by Ransomware. A Ransomware infection is a program that ransoms the data or functionality of your computer until you perform an action. This action is typically to pay a ransom in the form of Bitcoins or another payment method. I advise you to read more info on this terrible threat here and here.

Please keep your programs up to date. This applies to Adobe Flash Player, Adobe Reader, Java, Microsoft Silverlight, WinPatrol and all your Internet Browsers in particular. Vulnerabilities in these programs are often exploited in order to install malware on your PC. Visiting a prepared web page suffices to infect your system. Run a program like Personal Software Inspector (PSI) or FileHippo Update Checker to see what programs need to be updated.

Be careful with flash drives, as they can spread infections. See this post on USB/flash drive safety.

Stay away from P2P software; even with a clean P2P program, their networks are often riddled with malware.

Don't click on attachments or links in e-mail, and read your e-mail in text-only mode for the highest safety. Don't click on links received in instant message programs.

A HOSTS file will prevent Internet Explorer from communicating with sites known to be associated with adware or spyware. A good regularly updated HOSTS file is MVPS HOSTS File, available here.

For much more useful information, please also read Tony Klein's excellent article: How did I get infected in the first place

Hopefully these steps will help to keep you error free. If you run into more difficulty, we will certainly do what we can to help. Happy surfing and stay safe.

Android 8888.
  15. Hi Android 8888 Thank you so much for all your help. I've cleaned my old laptop and transferred my data to my new one. They're both running as normal. Again apologies for the gaps in my replies, and for how long this turned out to be. You guys are awesome! =D
  16. FYI... Fake 'Company Complaint' SPAM - delivers Trickbot
- https://myonlinesecurity.co.uk/spoofed-companies-house-id-8d6ba737-775e8bdc-f95f16f3-1b460259-company-complaint-malspam-delivers-trickbot/
16 Feb 2017 - "An email with the subject of 'ID 8d6ba737-775e8bdc-f95f16f3-1b460259 – Company Complaint' pretending to come from Companies House <no-reply@ companieshousecomplaints .uk> with a malicious word doc attachment delivers Trickbot...
Screenshot: https://myonlinesecurity.co.uk/wp-content/uploads/2017/02/ID-8d6ba737-775e8bdc-f95f16f3-1b460259-Company-Complaint.png
If you open the word doc you see a screen looking like this*. DO NOT enable macros or content or enable editing, you -will- be infected:
* https://myonlinesecurity.co.uk/wp-content/uploads/2017/02/spoofed-companies-house-complaint-secure-document.png
16 February 2017: 8d6ba737-775e8bdc-f95f16f3-1b460259.doc - Current Virus total detections 4/55* Payload Security**.. Neither shows the download but it looks like the download location for the trickbot payload is http ://www.sungkrorsang .com/hustonweare.png which is -not- an image file but a renamed .exe (VirusTotal 12/57***) (Payload Security[4])...
As usual the domain sending these was registered by criminals today 16 February 2017 using Godaddy, with what are certain to be -fake- details:
canonical name: companieshousecomplaints .uk
addresses: 104.130.246.14 23.253.233.18 104.130.246.9 .. 104.239.201.9
... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/d93ffc25e757c4d7dcec4573427d3e13609e963c1b491b06cb9513980c97ccc2/analysis/1487245555/
** https://www.hybrid-analysis.com/sample/d93ffc25e757c4d7dcec4573427d3e13609e963c1b491b06cb9513980c97ccc2?environmentId=100
*** https://www.virustotal.com/en/file/1107257bb6b724ca634f31088235a0919f8c18808f424a317f87d03aa9b1f665/analysis/1487246635/
4] https://www.hybrid-analysis.com/sample/1107257bb6b724ca634f31088235a0919f8c18808f424a317f87d03aa9b1f665?environmentId=100
Contacted Hosts 78.47.139.102 58.52.155.163 217.29.220.255 200.120.214.150 77.222.42.240
sungkrorsang .com: 61.19.252.134: https://www.virustotal.com/en/ip-address/61.19.252.134/information/
> https://www.virustotal.com/en/url/47ea3703624f7191b559848afef5f956cbd563ed86ba13c0ede6b3c956b0bb92/analysis/
  17. FYI... PHP 7.1.2, 7.0.16 released
- https://secure.php.net/
17 Feb 2017 - "The PHP development team announces the immediate availability of PHP 7.1.2. Several bugs have been fixed. All PHP 7.1 users are encouraged to upgrade to this version..."
ChangeLog - http://www.php.net/ChangeLog-7.php#7.1.2
___
PHP 7.0.16
- https://secure.php.net/
16 Feb 2017 - "The PHP development team announces the immediate availability of PHP 7.0.16. Several bugs have been fixed. All PHP 7.0 users are encouraged to upgrade to this version..."
ChangeLog - http://www.php.net/ChangeLog-7.php#7.0.16
___
Downloads - http://www.php.net/downloads.php
Windows: - http://windows.php.net/download/
  19. FYI... MS Patches delayed
- https://isc.sans.edu/diary.html?storyid=22066
Feb 14, 2017 - "Microsoft delayed the release of all bulletins* scheduled for today. Today was supposed to be the first month of Microsoft using its new update process, which meant that we would no longer see a bulletin summary, and patches would be released as monolithic updates vs. individually. It is possible that this change in process caused the delay... we do not know when Microsoft will release its February patches. There is still the unpatched SMB 3 DoS vulnerability... hoped to be addressed in this round..."
* https://blogs.technet.microsoft.com/msrc/2017/02/14/february-2017-security-update-release/
Feb 14, 2017 - "... This month, we discovered a last minute issue that could impact some customers and was not resolved in time for our planned updates today. After considering all options, we made the decision to delay this month’s updates..."
  20. FYI... Flash 24.0.0.221 released
- https://helpx.adobe.com/security/products/flash-player/apsb17-04.html
Feb 14, 2017
CVE number: CVE-2017-2982, CVE-2017-2984, CVE-2017-2985, CVE-2017-2986, CVE-2017-2987, CVE-2017-2988, CVE-2017-2990, CVE-2017-2991, CVE-2017-2992, CVE-2017-2993, CVE-2017-2994, CVE-2017-2995, CVE-2017-2996
Platform: Windows, Macintosh, Linux and Chrome OS
Summary: Adobe has released security updates for Adobe Flash Player for Windows, Macintosh, Linux and Chrome OS. These updates address critical vulnerabilities that could potentially allow an attacker to take control of the affected system...
Solution: ... Adobe recommends users of the Adobe Flash Player Desktop Runtime for Windows, Macintosh and Linux update to Adobe Flash Player 24.0.0.221 via the update mechanism within the product [1] or by visiting the Adobe Flash Player Download Center.
- Adobe Flash Player installed with Google Chrome will be automatically updated to the latest Google Chrome version, which will include Adobe Flash Player 24.0.0.221 for Windows, Macintosh, Linux and Chrome OS.
- Adobe Flash Player installed with Microsoft Edge and Internet Explorer 11 for Windows 10 and 8.1 will be automatically updated to the latest version, which will include Adobe Flash Player 24.0.0.221.
- Please visit the Flash Player Help page for assistance in installing Flash Player.
[1] Users of Flash Player 11.2.x or later for Windows, or Flash Player 11.3.x or later for Macintosh, who have selected the option to 'Allow Adobe to install updates' will receive the update automatically. Users who do not have the 'Allow Adobe to install updates' option enabled can install the update via the update mechanism within the product when prompted...
For I/E - some versions get 'Automatic' updates:
- https://fpdownload.macromedia.com/pub/flashplayer/latest/help/install_flash_player_ax.exe
For Firefox and other Plugin-based browsers:
- https://fpdownload.macromedia.com/pub/flashplayer/latest/help/install_flash_player.exe
For Chrome:
- https://fpdownload.macromedia.com/pub/flashplayer/latest/help/install_flash_player_ppapi.exe
Flash test site: https://www.adobe.com/software/flash/about/
___
Adobe Digital Editions 4.5.4 released
- https://helpx.adobe.com/security/products/Digital-Editions/apsb17-05.html
Feb 14, 2017
CVE numbers: CVE-2017-2973, CVE-2017-2974, CVE-2017-2975, CVE-2017-2976, CVE-2017-2977, CVE-2017-2978, CVE-2017-2979, CVE-2017-2980, CVE-2017-2981
Platform: Windows, Macintosh and Android
Summary: Adobe has released a security update for Adobe Digital Editions for Windows, Macintosh and Android. This update resolves a critical heap buffer overflow vulnerability that could lead to code execution and important buffer overflow vulnerabilities that could lead to a memory leak... Customers using Adobe Digital Editions 4.5.3 can download the update from the Adobe Digital Editions download page*, or utilize the product’s update mechanism when prompted.
* https://www.adobe.com/solutions/ebook/digital-editions/download.html
For more information, please reference the release notes**."
** http://www.adobe.com/solutions/ebook/digital-editions/release-notes.html
___
Adobe Campaign updates released
- https://helpx.adobe.com/security/products/campaign/apsb17-06.html
Feb 14, 2017
CVE number: CVE-2017-2968, CVE-2017-2969
Platform: Windows and Linux
Summary: Adobe has released a security update for Adobe Campaign v6.11 for Windows and Linux. This update resolves a moderate security bypass affecting the Adobe Campaign client console. An authenticated user with access to the client console could upload and execute a malicious file, potentially resulting in read and write access to the system (CVE-2017-2968). This update also resolves a moderate input validation issue that could be used in cross-site scripting attacks (CVE-2017-2969)...
Solution: Adobe categorizes these updates with the following priority rating and recommends users update their installation to the newest version...
Release Notes: https://docs.campaign.adobe.com/doc/AC6.1/en/RN.html#8757
- Customers may refer to the FAQ* for instructions on downloading the latest build.
* https://docs.campaign.adobe.com/doc/AC6.1/en/FAQ/FAQ.html#AdobeCampaignFAQ-PublishedinHelpX-WherecanIfindthelatestbuildand%2Forthelistofrelatedchanges(changelog)%3F
For customers with Adobe Campaign 16.4 Build 8724 and earlier, please refer to the documentation page** for instructions to resolve CVE-2017-2968 by restricting uploads by file type.
** http://docs.campaign.adobe.com/doc/AC6.1/en/INS_Additional_configurations__Server_side_configurations.html#Limiting_uploadable_files
Please refer to this documentation page*** for assistance in upgrading Adobe Campaign server, and this documentation page for assistance in upgrading the Client Console.
*** https://docs.campaign.adobe.com/doc/AC6.1/en/INS_Installation_for_Windows__Installing_the_client_console.html
  21. FYI... Fake 'Xpress Money' SPAM - delivers java adwind
- https://myonlinesecurity.co.uk/spoofed-xpress-money-compliant-report-malspam-delivers-java-adwind/
14 Feb 2017 - "... fake financial themed emails containing java adwind or Java Jacksbot attachments... previously mentioned many of these HERE[1]...
1] https://myonlinesecurity.co.uk/?s=java+adwind
... The email looks like:
From: elizabethst2.mel@ xpressmoney .com
Date: Mon 13/02/2017 23:45
Subject: Fwd: Reference: Xpress Money compliant report
Attachment: XPRESS MONEY UPTHRONI DATA.zip (contains 2 identical although differently named java.jar files)
Dear Agent, The attached Compliant report was issued yesterday online by a customer about you. We will need your feedback as soon as possible before 24hours or your terminal will be blocked. Regards Nasir Usuman Regional Compliance Manager Pakistan & Afghanistan Global Compliance, Xpress Money
... 14 February 2017: XPRESS MONEY REFERENCES FOLLOW UP.jar.jar (287 kb) - Current Virus total detections 8/57* Payload Security**... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/fdc45122dd010da0b460acd822b0fcf7bfedbc62ffad3c67a91a639c100825af/analysis/1487047920/
** https://www.hybrid-analysis.com/sample/fdc45122dd010da0b460acd822b0fcf7bfedbc62ffad3c67a91a639c100825af?environmentId=100
___
Fake 'Secure Message' SPAM - delivers malware
- https://myonlinesecurity.co.uk/rbc-royal-bank-secure-message-malspam-delivers-malware/
14 Feb 2017 - "An email with the subject of 'Secure Message' pretending to come from RBC Royal Bank but actually coming from a -fake- domain imitating the RBC <service@ rbcroyalbanksecuremessage .com> with a malicious word doc attachment delivers an unknown malware... The domain in the email address rbcroyalbanksecuremessage .com was registered today by criminals using privacy protection by Godaddy and hosted on Rackspace...
rbcroyalbanksecuremessage .com: 104.130.159.40: https://www.virustotal.com/en/ip-address/104.130.159.40/information/
23.253.233.16: https://www.virustotal.com/en/ip-address/23.253.233.16/information/
The email looks like:
From: RBC Royal Bank <service@rbcroyalbanksecuremessage .com>
Date: Tue 14/02/2017 17:13
Subject: Secure Message
Attachment: SecureMessage.doc
Secure Message This is an automated message send by Royal Bank Secure Messaging Server. To ensure both you and the RBC Royal Bank comply with current legislation, this message has been encrypted. Please check attached documents for more information. Note: You should not store confidential information unless it is encrypted. CONFIDENTIALITY NOTICE:The contents of this email message and any attachments are intended solely for the addressee(s)and may contain confidential and/or privileged information and may be legally protected from disclosure...
14 February 2017: SecureMessage.doc - Current Virus total detections 4/55* Payload Security**.. neither give any real indication what it downloads..
Update: Thanks to help from another researcher***.. It downloads http ://sungkrorsang .com/jerohnimo.png which of course is -not- a png (image file) but a renamed .exe that the macro will rename & autorun. VirusTotal 10/59[4] | Payload Security[5]...
sungkrorsang .com: 61.19.252.134: https://www.virustotal.com/en/ip-address/61.19.252.134/information/
> https://www.virustotal.com/en/url/a1b3d6504fbe577145c86b7191d5d4bd9a0486ba2c1d36145c37d4c4ff101b8e/analysis/
... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/e144c16fa6397a2e73fdc69c65c754a3d8d955b4a04ed4aacd7e93fbe59fcfaa/analysis/1487094048/
** https://www.hybrid-analysis.com/sample/e144c16fa6397a2e73fdc69c65c754a3d8d955b4a04ed4aacd7e93fbe59fcfaa?environmentId=100
***
4] https://www.virustotal.com/en/file/b8d2aea697f53294e4102643ab9424fb0684f2b0a0b3b45a7d76cf7d9a42e0e3/analysis/1487095755/
5] https://www.hybrid-analysis.com/sample/b8d2aea697f53294e4102643ab9424fb0684f2b0a0b3b45a7d76cf7d9a42e0e3?environmentId=100
Contacted Hosts 78.47.139.102 47.18.17.114 213.25.134.75 219.93.24.2 192.189.25.143
___
Safeguard Account Update – phish
- https://myonlinesecurity.co.uk/hsbc-safeguard-account-update-phishing/
14 Feb 2017 - "Another Banking phish. This time HSBC. What makes this “slightly” more believable is the url the phishing email leads to http ://hsbc-verify .org.uk/ - which is a very plausible web address...
Screenshot: https://myonlinesecurity.co.uk/wp-content/uploads/2017/02/hsbc-safeguard-phishing-email.png
The link goes to http ://hsbc-verify .org.uk/ where you see a webpage like this*, which leads to a typical set of phishing pages asking for all your bank, credit card and personal details, so they can empty your bank and credit card accounts and take over your identity completely:
* https://myonlinesecurity.co.uk/wp-content/uploads/2017/02/hsbc_verify.png
... registrars are not taking enough precautions and allowing dodgy domain names to be registered to non existent people..."
hsbc-verify .org.uk: 91.218.247.93: https://www.virustotal.com/en/ip-address/91.218.247.93/information/
> https://www.virustotal.com/en/url/7f9c17276c63fe0e02de98f7ac20f058e88c3b61e507ea81d7842c425d7952f2/analysis/
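The Trickbot posts (16 and 21) describe a payload served as a ".png" that is really a renamed .exe, and the Adwind posts (13 and 21) describe zip attachments carrying two .jar files; the common defensive check is whether a file's content matches what its name claims. The following is an added example, not code from myonlinesecurity.co.uk or from any poster here: it sniffs magic bytes, compares them to the claimed extension, and lists risky members of archives. The file names are borrowed from the posts, but every byte string is constructed stand-in data, not the real samples.

```python
import io
import zipfile

# Leading bytes of the file types that appear in the posts above:
# PE executable, PNG image, ZIP/JAR/OOXML container, OLE2 .doc, PDF.
SIGNATURES = {
    b"MZ": "exe",
    b"\x89PNG\r\n\x1a\n": "png",
    b"PK\x03\x04": "zip",
    b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1": "ole",
    b"%PDF": "pdf",
}

# Which sniffed content types a claimed extension may legitimately have.
EXPECTED = {
    "png": {"png"},
    "zip": {"zip"},
    "jar": {"zip"},
    "doc": {"ole"},
    "docx": {"zip"},
    "pdf": {"pdf"},
    "exe": {"exe"},
}

# Archive members that turn a "harmless" zip attachment into a delivery vehicle.
RISKY_MEMBER_EXT = (".jar", ".exe", ".js", ".vbs", ".scr")


def sniff_type(data: bytes) -> str:
    """Classify a byte string by its leading magic bytes, 'unknown' if none match."""
    for magic, kind in SIGNATURES.items():
        if data.startswith(magic):
            return kind
    return "unknown"


def extension_of(name: str) -> str:
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def triage(name: str, data: bytes) -> dict:
    """Compare the claimed extension with the sniffed type and inspect archives."""
    actual = sniff_type(data)
    ext = extension_of(name)
    findings = {"name": name, "claimed": ext, "actual": actual,
                "mismatch": False, "risky_members": []}
    # A known extension whose content is of a different type is the
    # "renamed .exe served as .png" trick from the Trickbot posts.
    if ext in EXPECTED and actual not in EXPECTED[ext]:
        findings["mismatch"] = True
    # For real ZIP containers, list members that are themselves executable
    # (the two .jar files inside Details.zip in the Adwind posts).
    if actual == "zip":
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                findings["risky_members"] = [
                    m for m in zf.namelist() if m.lower().endswith(RISKY_MEMBER_EXT)
                ]
        except zipfile.BadZipFile:
            findings["mismatch"] = True  # claims to be a zip but does not parse as one
    return findings


def build_sample_zip(members: dict) -> bytes:
    """Build an in-memory zip from {member_name: bytes} (constructed test data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for member_name, member_data in members.items():
            zf.writestr(member_name, member_data)
    return buf.getvalue()


# Constructed samples: the names echo the posts, the contents are synthetic.
CONSTRUCTED_SAMPLES = {
    # a ".png" whose bytes start like a PE executable
    "hustonweare.png": b"MZ" + b"\x90" * 62 + b"PE\x00\x00" + b"\x00" * 40,
    # a genuine PNG header, as a control
    "logo.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 32,
    # a zip attachment carrying two differently named jar files
    "Details.zip": build_sample_zip({
        "New E-manual.jar": b"PK\x03\x04" + b"\x00" * 26,
        "WU certificate.jar": b"PK\x03\x04" + b"\x00" * 26,
    }),
    # an old-format Word document (OLE2 header); type alone looks fine,
    # so macro-enabled content still needs its own check
    "SecureMessage.doc": b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 24,
}


def triage_all(samples=None) -> dict:
    """Run triage over a {name: bytes} mapping and return findings keyed by name."""
    samples = CONSTRUCTED_SAMPLES if samples is None else samples
    return {name: triage(name, data) for name, data in samples.items()}


if __name__ == "__main__":
    for result in triage_all().values():
        flag = "MISMATCH" if result["mismatch"] else "ok"
        print(f"{result['name']}: claimed={result['claimed']} actual={result['actual']} "
              f"{flag} risky_members={result['risky_members']}")
```

A mismatch or a risky member list is a reason to quarantine the attachment for analysis, not a verdict; a .doc with a clean header can still carry the macro downloader the posts describe.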
  22. FYI... - https://support.apple.com/en-us/HT201222
GarageBand 10.1.6
- https://support.apple.com/en-us/HT207518
Feb 13, 2017 - "Available for: OS X Yosemite v10.10 and later
Impact: Opening a maliciously crafted GarageBand project file may lead to arbitrary code execution
Description: A memory corruption issue was addressed through improved memory handling."
- https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-2374
___
- https://www.us-cert.gov/ncas/current-activity/2017/02/14/Apple-Releases-Security-Update
Feb 14, 2017
  23. Hi XZY5. No problem at all. Okay, it's your choice. Just in case you still think of updating the following outdated programs, I leave you the respective links:
Adobe Flash Player Plugin
Mozilla Firefox
Google Chrome
Java
Malwarebytes (3.0.4)
WinPatrol

Next, please download DelFix (by Xplode) and save it to your Desktop. Close all running programs and start delfix.exe. Make sure that all available options are checked. Click on Run. DelFix should remove all our tools and delete itself afterwards. I don't need the log file.

Now you can proceed with confidence to the transfer of your data files from your old laptop to the new one. Please let me know if there are any issues or concerns on these computers.
  24. Hi Android 8888. Sorry about only being able to reply on weekends. The SAL log is below.

Result of Security Analysis by Rocket Grannie (x86) Updated: 17th December, 2016
Running from:C:\Users\upoma-efti\Desktop (21:06:57 - 01/14/2017)
***---------------------------------------------------------***
Microsoft Windows 10 Home X64
UAC is Enabled!
Internet Explorer 11
Default Browser: Google Chrome
***------------Antivirus - Antispyware - Firewall-----------***
Kaspersky Internet Security (Enabled - Up to Date)
Windows Defender's ProductState is indeterminate
Kaspersky Internet Security (Enabled - Up to Date)
Windows Defender (Disabled - Up to Date)
Kaspersky Internet Security (Enabled)
***-------Security Programs - Browsers - Miscellaneous------***
Adobe Flash Player Plugin (version 24.0.0.186)
Firefox (version 50)
Google Chrome (version 54)
Java (version 8.0.1110.14)
Malwarebytes Anti-Malware (version 2.2.1.1043)
Microsoft Silverlight (version 5.1)
SpywareBlaster (version 5.5)
SUPERAntiSpyware (version 6)
WinPatrol (version 33.6)

I haven't updated a couple of programs on my old laptop as I plan on resetting it before giving it to my father who wants to use it.
  25. Thank you for the info needed to boot from the rescue disk. I appreciate your clarity and patience in working with someone without a high level of technical skill. Per your urging, I have arranged to get help from friends who are highly qualified professionals in this area of computing. They have been following the progress of our work here in the forum, and now have offered to continue the effort to eliminate the virus and restore the computer at deeper levels. I have packed the computer, along with the flash drives with the previous logs and a copy of the post above, and will be sending them off to Seattle in the next few days. When the situation is resolved I will post the outcome and any logs to the appropriate forums here and on BleepingComputer. I will continue to read and learn at both forums. Right now I will make a donation to the SpywareInfo Forum to express my thanks for all the good work you do for me and others. Best, Jan
  26. Try to boot with this Rescue Disk for Windows 10.

Kaspersky Rescue Disk 10 CD
--------------
To complete this process you will need a USB device and a blank CD.
On a clean computer download Kaspersky Rescue Disk 10 and save it to your desktop.
Now go to the ISO Recorder site and download the version for your operating system (do not download the command line version).
Save the file to your desktop.
Double click the icon to start the program.
Select Run, then continue to select Next until you receive a notification that the installation was complete.
Close the installation window.
Insert a blank CD into your CD ROM drive.
Right click on the kav_rescue_10.iso file on your desktop and select Copy image to CD/DVD.
Make sure Image File is selected and it shows the kavrescue_10.iso file.
In the Recorder section make sure it shows your CD ROM drive.
Select the lowest recording speed.
Click Next.
Click Finish on the Operation has been completed screen.
Remove the CD and insert it, and your USB device, into the infected computer.
Reboot the infected computer.
As the computer boots up gently tap F12 (you may need to tap a different key like Del, Esc, F2.....) and choose to boot from CD/DVD.
When the Kaspersky Rescue Disk screen appears press any key within 10 seconds.
Press Enter on English which should be highlighted by default.
Press 1 to accept the agreement.
Press Enter on Kaspersky Rescue Disk. Graphic Mode which should be highlighted by default.
Allow the program to load and mount the disks.
Select your operating system then click OK.
Place a check mark in each box except for sda1.
Click Start Objects Scan.
Upon completion do not Quarantine any items yet, simply click Report, save it to your USB device, then from your clean computer copy and paste the results in your reply.
Test your overall computer behavior.
===================================================
Refer to this article for Useful References.
http://support.kaspersky.com/8093

If you need additional information or expertise I suggest you start a new topic in the Windows 10 Forum at BleepingComputer.
https://www.bleepingcomputer.com/forums/f/229/windows-10-support/
This is not my forte and you should seek the help of an expert. After the Start Objects Scan you get a Report; you should paste that report in your new topic in the Windows 10 Forum.

Good luck.
  27. I could not access Safe Mode. At the login screen Shift+power, then choosing the reset option went to the start screen and back to the log screen. Shift +(power then reset while still holding shift) led to a screen with Troubleshoot and Shut down your PC options. Choosing Troubleshoot led to a UEFI screen which led to a TPM screen, with many setting options. I chose Exit without Saving. Nowhere did I encounter a screen with a Start in Safe Mode option. I read at the MS Surface Support site that UEFI and TPM are features which are limited to Surface 3 (and some other Surface models).