Strongvault Residue

[pebkac1]

Strongvault snuck itself on via CNET. I've tried to remove it, and while it no longer appears in add/remove programs, I can see it in CCleaner and Microsoft FixIt, but neither can get rid of it.

Please help me fully remove Strongvault from my system.

OTL log is attached.

 

[Fiery]

Hi and welcome to MalwareTips!

I'm Fiery and I would gladly assist you in removing the malware on your computer.

Before we start:

• Note that the removal process is not immediate. Depending on the severity of your infection, it could take a long time.
• Malware removal can be dangerous. I cannot guarantee the safety of your system as malware can be unpredictable. It is possible that we might encounter situations where the only recourse is to re-format and re-install your operating system. Therefore, I would advise you to backup all your important files before we start.
• Please be patient and stay with me until I give you the green lights and inform you that your PC is clean.
• Some tools may be flagged by your antivirus as harmful. Rest assure that ALL the tools we use are safe, the detections are false positives.
• The absence of symptoms does not mean your PC is fully disinfected.
• If you are unclear about the instructions, please stop and ask. Following the steps in the order that I post them in is vital.
• Lastly, if you have requested help on other sites, that will delay and hinder the removal process. Please only stick to one site.

---

Please download AdwCleaner by Xplode onto your desktop.

• Close all open programs and internet browsers.
• Double click on AdwCleaner.exe to run the tool(For Vista or Windows 7, right-click and select Run as Administrator to start)
• Click delete
• Please post the content of that logfile with your next answer.
• You can find the logfile at C:\AdwCleaner[S1].txt

Download & SAVE to your Desktop RogueKiller or from here

• Quit all programs that you may have started.
• Please disconnect any USB or external drives from the computer before you run this scan!
• For Vista or Windows 7, right-click and select Run as Administrator to start
• Wait until Prescan has finished, then click on "Scan" button
• Wait until the Status box shows "Scan Finished"
• Click delete and wait until it saids deleting finished
• Click on "Report" and copy/paste the content of the Notepad into your next reply.
• The log should be found in RKreport[1].txt on your Desktop
  Exit/Close RogueKiller+

 

[pebkac1]

Thanks for your help. The files are attached.

 

[Fiery]

Please download Junkware Removal Tool to your desktop from here

• Turn off your antivirus software now to avoid potential conflicts
• Double-click to run the tool. For Windows Vista or 7 users, right-click the file and select Run as Administrator
• The tool will open and start scanning your system
• Please be patient as this can take a while to complete depending on your system's specifications
• On completion, a log (JRT.txt) will be saved to your desktop and will automatically open
• Post the contents of JRT.txt into your next reply

Let me know how your PC is running after.

 

[pebkac1]

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Thisisu
Version: 4.6.5 (02.18.2013:1)
OS: Windows 7 Professional x64
Ran by Michael on Tue 02/26/2013 at 17:05:03.32
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~




~~~ Services



~~~ Registry Values



~~~ Registry Keys



~~~ Files



~~~ Folders



~~~ FireFox

Successfully deleted: [File] "C:\Users\Michael\AppData\Roaming\mozilla\firefox\profiles\l3ogaao3.default\extensions\jid1-QpHD8URtZWJC2A@jetpack.xpi"
Successfully deleted: [File] "C:\Users\Michael\AppData\Roaming\mozilla\firefox\profiles\l3ogaao3.default\extensions\isreaditlater@ideashower.com.xpi"
Emptied folder: C:\Users\Michael\AppData\Roaming\mozilla\firefox\profiles\l3ogaao3.default\minidumps [33 files]



~~~ Event Viewer Logs were cleared





~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on Tue 02/26/2013 at 17:11:06.87
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

 

[pebkac1]

My computer seems to be running fine. I haven't noticed any problems.
However, Strongvault still exists as a program within CCleaner and Microsoft's FixIt. It does not appear as a program in add/remove programs.

The fact that CCleaner and FixIt still see Strongvault is worrisome, even if there are no notable symptoms.

 

[Fiery]

Uninstall CCleaner and reinstall it again. Does it still detect Strongvault?

 

[pebkac1]

Yes. It still detects Strongvault, as does http://support.microsoft.com/mats/windows_file_and_folder_diag/, but neither can get rid of it.
It does not appear in Add/Remove programs or Revo Uninstaller.

 

[Fiery]

Ok, let's look for this.

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2

• Double-click SystemLook.exe to run it.
• Copy the content of the following codebox into the main textfield:

:filefind
*Strongvault*

:folderfind
*Strongvault*

:Regfind
*Strongvault*

• Click the Look button to start the scan.
• When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.

Note: The log can also be found on your Desktop entitled SystemLook.txt

 

[pebkac1]

SystemLook 30.07.11 by jpshortstuff
Log created at 19:50 on 26/02/2013 by Michael
Administrator - Elevation successful
WARNING: SystemLook running under WOW64. Use SystemLook_x64 for accurate results.

========== filefind ==========

Searching for "*Strongvault*"
No files found.

========== folderfind ==========

Searching for "*Strongvault*"
No folders found.

========== Regfind ==========

Searching for "*Strongvault*"
No data found.

-= EOF =-

 

[pebkac1]

I ran SystemLook_x64:

SystemLook 30.07.11 by jpshortstuff
Log created at 19:53 on 26/02/2013 by Michael
Administrator - Elevation successful

========== filefind ==========

Searching for "*Strongvault*"
No files found.

========== folderfind ==========

Searching for "*Strongvault*"
No folders found.

========== Regfind ==========

Searching for "*Strongvault*"
No data found.

-= EOF =-

 

[pebkac1]

Unfortunately, Strongvault Online Backup still appears in CCleaner.

 

[Fiery]

Do you use a software name ThinPoint?

Upload a File to Virustotal
Please visit Virustotal.com

• Click the Browse... button
• Navigate to the file C:\Windows\SysWOW64\TPUserinit.exe
• Click the Open button
• Click the Send button
• Copy and paste the results back here please.

Then, upload another file:

• Click the Browse... button
• Navigate to the file C:\Program Files\ThinPoint\bin\Srv.exe
• Click the Open button
• Click the Send button
• Copy and paste the results back here please.

 

[pebkac1]

TPUserinit.exe

SHA256: d025f54cc2fffe5b973c44a2f1ca54734b8cf636fd404bf859455bad399b1d4a
SHA1: ef52502cfe7ac20b5962ac6ffabb397b6a4e6698
MD5: f5d867d6f592f8d7adc38eeee34995f6
File size: 616.8 KB ( 631624 bytes )
File name: TPUserinit.exe
File type: Win32 EXE
Detection ratio: 0 / 45

ssdeep
12288:maWzgMg7v3qnCiMErQohh0F4CCJ8lny/Qc:haHMv6Corjqny/Qc
TrID
Win32 Executable Generic (42.3%)
Win32 Dynamic Link Library (generic) (37.6%)
Generic Win/DOS Executable (9.9%)
DOS Executable Generic (9.9%)
Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%)
ExifTool

SubsystemVersion.........: 5.0
Comments.................: ThinPoint Session Userinit
InitializedDataSize......: 98304
ImageVersion.............: 0.0
ProductName..............: ThinPoint Session Userinit
FileVersionNumber........: 5.0.0.2
UninitializedDataSize....: 0
LanguageCode.............: English (Australian)
FileFlagsMask............: 0x0000
CharacterSet.............: Unicode
LinkerVersion............: 9.0
MIMEType.................: application/octet-stream
Subsystem................: Windows GUI
FileVersion..............: 5.0.0.2
TimeStamp................: 2010:04:16 08:47:33+01:00
FileType.................: Win32 EXE
PEType...................: PE32
ProductVersion...........: 5,0,0,2
FileDescription..........: ThinPoint Session Userinit
OSVersion................: 5.0
FileOS...................: Win32
LegalCopyright...........: Copyright (C) 2010 NetLeverage.
MachineType..............: Intel 386 or later, and compatibles
CompanyName..............: Net Leverage Pty Ltd.
CodeSize.................: 524800
FileSubtype..............: 0
ProductVersionNumber.....: 3.3.6.1
EntryPoint...............: 0x16310
ObjectFileType...........: Unknown

Sigcheck

publisher................: Net Leverage Pty Ltd.
product..................: ThinPoint Session Userinit
copyright................: Copyright (C) 2010 NetLeverage.
file version.............: 5.0.0.2
signing date.............: 3:03 AM 11/4/2010
comments.................: ThinPoint Session Userinit
signers..................: Net Leverage Pty Ltd.; UTN-USERFirst-Object
description..............: ThinPoint Session Userinit

Portable Executable structural information

Compilation timedatestamp.....: 2010-04-16 07:47:33
Target machine................: 0x14C (Intel 386 or later processors and compatible processors)
Entry point address...........: 0x00016310

PE Sections...................:

Name Virtual Address Virtual Size Raw Size Entropy MD5
.text 4096 524311 524800 6.63 be1208f841dc92012d5f6bbdd832e6d9
.rdata 532480 55644 55808 4.88 d6ee3d7f33205828a9d70ce744d3d4bb
.data 589824 107800 26624 2.20 e5d77411f751d28c6eee48a743606795
.rsrc 700416 15516 15872 4.67 385d33e79b3cc7c0d835eaf6c14020d1

PE Imports....................:

[[MPR.dll]]
WNetGetConnectionW, WNetCancelConnection2W, WNetUseConnectionW, WNetAddConnection2W

[[COMDLG32.dll]]
GetSaveFileNameW, GetOpenFileNameW

[[COMCTL32.dll]]
ImageList_BeginDrag, ImageList_Destroy, ImageList_Create, ImageList_Remove, ImageList_DragEnter, ImageList_DragMove, ImageList_DragLeave, InitCommonControlsEx, ImageList_ReplaceIcon, ImageList_SetDragCursorImage, ImageList_EndDrag

[[VERSION.dll]]
VerQueryValueW, GetFileVersionInfoW, GetFileVersionInfoSizeW

[[WINMM.dll]]
waveOutSetVolume, timeGetTime, mciSendStringW

[[WININET.dll]]
HttpQueryInfoW, FtpOpenFileW, InternetQueryDataAvailable, InternetQueryOptionW, InternetConnectW, FtpGetFileSize, InternetReadFile, InternetCloseHandle, InternetCrackUrlW, InternetSetOptionW, HttpSendRequestW, InternetOpenUrlW, InternetOpenW, HttpOpenRequestW

[[GDI32.dll]]
CreatePen, EndPath, GetPixel, Rectangle, PolyDraw, LineTo, DeleteDC, SetBkMode, CreateFontW, SetPixel, CreateDCW, GetObjectW, AngleArc, SetTextColor, GetDeviceCaps, GetTextFaceW, GetTextExtentPoint32W, MoveToEx, GetStockObject, SetViewportOrgEx, StrokePath, GetDIBits, RoundRect, CreateCompatibleDC, StrokeAndFillPath, StretchBlt, CloseFigure, SelectObject, CreateCompatibleBitmap, CreateSolidBrush, ExtCreatePen, SetBkColor, BeginPath, DeleteObject, Ellipse

[[ADVAPI32.dll]]
RegCreateKeyExW, RegCloseKey, CopySid, GetAce, AdjustTokenPrivileges, InitializeAcl, LookupPrivilegeValueW, RegDeleteKeyW, UnlockServiceDatabase, RegQueryValueExW, SetSecurityDescriptorDacl, CloseServiceHandle, GetAclInformation, OpenProcessToken, RegConnectRegistryW, RegOpenKeyExW, GetTokenInformation, DuplicateTokenEx, GetUserNameW, GetSecurityDescriptorDacl, RegDeleteValueW, LockServiceDatabase, RegEnumKeyExW, OpenThreadToken, GetLengthSid, CreateProcessAsUserW, InitializeSecurityDescriptor, RegEnumValueW, LogonUserW, RegSetValueExW, OpenSCManagerW, InitiateSystemShutdownExW, CreateProcessWithLogonW, AddAce

[[KERNEL32.dll]]
GetStdHandle, GetDriveTypeW, GetConsoleOutputCP, FileTimeToSystemTime, WaitForSingleObject, GetPrivateProfileSectionNamesW, GetFileAttributesW, GetLocalTime, DeleteCriticalSection, GetCurrentProcess, GetConsoleMode, GetLocaleInfoA, UnhandledExceptionFilter, SetErrorMode, FreeEnvironmentStringsW, SetStdHandle, WideCharToMultiByte, GetStringTypeA, GetDiskFreeSpaceW, InterlockedExchange, WriteFile, GetSystemTimeAsFileTime, GlobalMemoryStatusEx, HeapReAlloc, GetStringTypeW, GetExitCodeProcess, FormatMessageW, ResumeThread, GetTimeZoneInformation, LoadResource, FindClose, InterlockedDecrement, MoveFileW, SetFileAttributesW, GetCurrentThread, GetEnvironmentVariableW, SetLastError, DeviceIoControl, TlsGetValue, CopyFileW, WriteProcessMemory, OutputDebugStringW, RemoveDirectoryW, Beep, IsDebuggerPresent, HeapAlloc, GetModuleFileNameA, LoadLibraryA, RaiseException, WritePrivateProfileSectionW, GetVolumeInformationW, LoadLibraryExW, MultiByteToWideChar, SetFilePointerEx, GetPrivateProfileStringW, GetModuleHandleA, GetFullPathNameW, CreateThread, SetEnvironmentVariableW, GetSystemDirectoryW, CreatePipe, SetUnhandledExceptionFilter, MulDiv, GetDateFormatA, ExitThread, SetEnvironmentVariableA, SetPriorityClass, TerminateProcess, WriteConsoleA, SetCurrentDirectoryW, GlobalAlloc, LocalFileTimeToFileTime, GetDiskFreeSpaceExW, SetEndOfFile, GetCurrentThreadId, InterlockedIncrement, WriteConsoleW, CreateToolhelp32Snapshot, InitializeCriticalSectionAndSpinCount, HeapFree, EnterCriticalSection, SetHandleCount, TerminateThread, LoadLibraryW, GetVersionExW, SetEvent, QueryPerformanceCounter, GetTickCount, TlsAlloc, FlushFileBuffers, lstrcmpiW, RtlUnwind, FreeLibrary, GetStartupInfoA, GetProcessIoCounters, GetWindowsDirectoryW, GetFileSize, OpenProcess, GetStartupInfoW, ReadProcessMemory, CreateDirectoryW, DeleteFileW, GlobalLock, GetProcessHeap, GetTempFileNameW, GetComputerNameW, EnumResourceNamesW, CompareStringW, GetModuleFileNameW, FindNextFileW, CreateHardLinkW, FindFirstFileW, DuplicateHandle, GetProcAddress, SetVolumeLabelW, GetPrivateProfileSectionW, CreateEventW, CreateFileW, GetFileType, TlsSetValue, CreateFileA, ExitProcess, LeaveCriticalSection, GetLastError, SystemTimeToFileTime, LCMapStringW, GetShortPathNameW, VirtualAllocEx, GetSystemInfo, GlobalFree, GetConsoleCP, FindResourceW, LCMapStringA, GetEnvironmentStringsW, GlobalUnlock, Process32NextW, CreateProcessW, FileTimeToLocalFileTime, SizeofResource, GetCurrentDirectoryW, VirtualFreeEx, GetCurrentProcessId, LockResource, SetFileTime, GetCommandLineW, GetCPInfo, HeapSize, SetSystemPowerState, Process32FirstW, WritePrivateProfileStringW, QueryPerformanceFrequency, TlsFree, SetFilePointer, ReadFile, CloseHandle, GetTimeFormatA, GetACP, GetModuleHandleW, IsValidCodePage, HeapCreate, GetTempPathW, VirtualFree, Sleep, VirtualAlloc, GetOEMCP, CompareStringA

[[OLEAUT32.dll]]
Ord(8), Ord(37), Ord(10), Ord(24), Ord(23), Ord(77), Ord(220), Ord(39), Ord(38), Ord(185), Ord(35), Ord(162), Ord(9), Ord(41), Ord(2), Ord(418)

[[SHELL32.dll]]
SHGetFolderPathW, SHEmptyRecycleBinW, SHBrowseForFolderW, DragQueryFileW, SHFileOperationW, ShellExecuteW, SHGetPathFromIDListW, DragQueryPoint, ExtractIconExW, ShellExecuteExW, SHGetDesktopFolder, Shell_NotifyIconW, SHGetMalloc, DragFinish

[[PSAPI.DLL]]
GetProcessMemoryInfo, EnumProcesses, EnumProcessModules, GetModuleBaseNameW

[[USERENV.dll]]
CreateEnvironmentBlock, LoadUserProfileW, UnloadUserProfile, DestroyEnvironmentBlock

[[ole32.dll]]
CreateStreamOnHGlobal, CreateBindCtx, CoUninitialize, CoInitialize, CoTaskMemAlloc, StringFromCLSID, OleSetContainedObject, StringFromIID, CoCreateInstance, OleUninitialize, CoInitializeSecurity, CLSIDFromProgID, CLSIDFromString, OleSetMenuDescriptor, CoCreateInstanceEx, IIDFromString, MkParseDisplayName, CoTaskMemFree, CoSetProxyBlanket, OleInitialize

[[USER32.dll]]
RedrawWindow, GetForegroundWindow, UnregisterHotKey, DrawTextW, SetUserObjectSecurity, DestroyMenu, PostQuitMessage, SetWindowPos, IsWindow, EndPaint, OpenWindowStationW, WindowFromPoint, CharUpperBuffW, VkKeyScanW, SetMenuItemInfoW, SetActiveWindow, GetDC, GetCursorPos, ReleaseDC, GetMenuStringW, GetMenu, IsWindowEnabled, GetClientRect, CreateAcceleratorTableW, SetMenuDefaultItem, IsClipboardFormatAvailable, LoadImageW, CountClipboardFormats, BlockInput, GetActiveWindow, RegisterHotKey, OpenClipboard, GetWindowTextW, LockWindowUpdate, GetWindowTextLengthW, GetKeyState, PtInRect, GetParent, GetCursorInfo, AttachThreadInput, EnumWindows, GetMessageW, ShowWindow, GetCaretPos, DrawFrameControl, GetDesktopWindow, IsCharAlphaW, PeekMessageW, InsertMenuItemW, TranslateMessage, BeginPaint, SetClipboardData, GetMenuItemID, DestroyWindow, OpenDesktopW, IsZoomed, LoadStringW, DrawMenuBar, IsCharLowerW, IsIconic, TrackPopupMenuEx, DrawFocusRect, CreateMenu, IsDialogMessageW, FlashWindow, EnumThreadWindows, MonitorFromPoint, CopyRect, GetSysColorBrush, CreateWindowExW, GetWindowLongW, CharNextW, SetFocus, RegisterWindowMessageW, GetMonitorInfoW, EmptyClipboard, IsCharAlphaNumericW, DefWindowProcW, GetKeyboardLayoutNameW, KillTimer, MapVirtualKeyW, CheckMenuRadioItem, GetClipboardData, GetSystemMetrics, SetWindowLongW, GetWindowRect, InflateRect, SetCapture, ReleaseCapture, EnumChildWindows, SetProcessWindowStation, SendDlgItemMessageW, SetKeyboardState, MonitorFromRect, CreatePopupMenu, GetSubMenu, GetClassLongW, SetWindowTextW, SetTimer, GetDlgItem, SendInput, ClientToScreen, PostMessageW, CloseWindowStation, GetKeyboardState, GetMenuItemCount, IsDlgButtonChecked, DestroyAcceleratorTable, CreateIconFromResourceEx, LoadCursorW, LoadIconW, FindWindowExW, DispatchMessageW, FillRect, SetForegroundWindow, GetProcessWindowStation, ExitWindowsEx, GetMenuItemInfoW, GetAsyncKeyState, EnableWindow, CharLowerBuffW, SetLayeredWindowAttributes, EndDialog, FindWindowW, GetDlgCtrlID, ScreenToClient, MessageBeep, GetWindowThreadProcessId, MessageBoxW, SendMessageW, RegisterClassExW, SetMenu, MoveWindow, DialogBoxParamW, MessageBoxA, IsCharUpperW, GetWindowDC, AdjustWindowRectEx, mouse_event, SendMessageTimeoutW, GetSysColor, keybd_event, CopyImage, DestroyIcon, IsWindowVisible, SystemParametersInfoW, FrameRect, SetRect, DeleteMenu, InvalidateRect, GetUserObjectSecurity, GetClassNameW, CloseDesktop, IsMenu, GetFocus, wsprintfW, CloseClipboard, TranslateAcceleratorW, DefDlgProcW, SetCursor

[[WSOCK32.dll]]
Ord(3), Ord(1), Ord(111), Ord(115), Ord(18), Ord(11), Ord(20), Ord(17), Ord(15), Ord(52), Ord(13), Ord(151), Ord(116), Ord(4), Ord(19), Ord(2), Ord(10), Ord(57), Ord(23), Ord(21), Ord(16), Ord(9)

PE Resources..................:

Resource type Number of resources
RT_STRING 7
RT_ICON 4
RT_GROUP_ICON 4
RT_DIALOG 1
RT_MANIFEST 1
RT_MENU 1
RT_VERSION 1

Resource language Number of resources
ENGLISH UK 16
ENGLISH US 2
ENGLISH AUS 1

---

SHA256: a7d335cd1db264bcee139f807ecf8b0e5da34613a5dc85292c77105c0a21a781
File name: Srv.exe
Detection ratio: 0 / 46
ssdeep
49152:31Bqb4ZUhQwKDdzr+DlK9jZXWsLcS3b2ZA8jRl99IFmZxqt:lM8ZwY+QJZXJLR3b2ZA8jRlfI8ct
TrID
Win64 Executable Generic (95.5%)
Generic Win/DOS Executable (2.2%)
DOS Executable Generic (2.2%)
Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%)
ExifTool

CodeSize.................: 60416
SubsystemVersion.........: 5.2
InitializedDataSize......: 1560576
ImageVersion.............: 0.0
ProductName..............: ThinPoint
FileVersionNumber........: 5.5.0.17
UninitializedDataSize....: 0
LanguageCode.............: English (U.S.)
FileFlagsMask............: 0x0017
CharacterSet.............: Unicode
LinkerVersion............: 9.0
OriginalFilename.........: Srv.exe
MIMEType.................: application/octet-stream
Subsystem................: Windows GUI
FileVersion..............: 5, 5, 0, 17
TimeStamp................: 2012:07:02 07:56:08+01:00
FileType.................: Win64 EXE
PEType...................: PE32+
InternalName.............: Srv
ProductVersion...........: 5, 5, 0, 0
FileDescription..........: ThinPoint Multisession Service
OSVersion................: 5.2
FileOS...................: Win32
LegalCopyright...........: Copyright (C) 2010 Net Leverage Pty Ltd
MachineType..............: AMD AMD64
CompanyName..............: Net Leverage Pty Ltd
LegalTrademarks..........: NetLeverage, ThinPoint
FileSubtype..............: 0
ProductVersionNumber.....: 5.5.0.0
EntryPoint...............: 0x9d9c
ObjectFileType...........: Executable application

Sigcheck

publisher................: Net Leverage Pty Ltd
product..................: ThinPoint
internal name............: Srv
copyright................: Copyright (C) 2010 Net Leverage Pty Ltd
original name............: Srv.exe
signing date.............: 6:57 AM 7/2/2012
signers..................: Net Leverage Pty. Ltd.; COMODO Code Signing CA 2; UTN-USERFirst-Object; AddTrust External CA Root
file version.............: 5, 5, 0, 17
description..............: ThinPoint Multisession Service

Portable Executable structural information

Compilation timedatestamp.....: 2012-07-02 06:56:08
Target machine................: 0x8664 (x64)
Entry point address...........: 0x00009D9C

PE Sections...................:

Name Virtual Address Virtual Size Raw Size Entropy MD5
.text 4096 60158 60416 6.28 53960f249eec764becbd508a61eb7188
.rdata 65536 22446 22528 5.06 ea639ba9e2d03b9cd7f1a59d85ea35d4
.data 90112 20896 7680 3.74 48b91fa8cf585402c48ac310dbde84dc
.pdata 114688 2616 3072 4.34 0954e3daaa75f911c826e1f3f009e837
.rsrc 118784 1523856 1524224 8.00 32090f3bfea022b7c1eb1cf093be155e
.reloc 1646592 2628 3072 0.76 cd96e6e9f86dfce4f9514300e5ba470c

PE Imports....................:

[[KERNEL32.dll]]
GetStdHandle, WaitForSingleObject, EncodePointer, FlsGetValue, GetFileAttributesW, FreeEnvironmentStringsA, DisconnectNamedPipe, GetCurrentProcess, GetLocaleInfoA, LocalAlloc, FreeEnvironmentStringsW, GetCPInfo, GetStringTypeA, WriteFile, GetSystemTimeAsFileTime, HeapReAlloc, GetStringTypeW, SetEvent, LocalFree, ConnectNamedPipe, LoadResource, MoveFileW, GetEnvironmentVariableW, SetLastError, GetModuleFileNameW, IsDebuggerPresent, ExitProcess, FlushFileBuffers, GetModuleFileNameA, HeapSetInformation, RtlVirtualUnwind, UnhandledExceptionFilter, MultiByteToWideChar, RegisterWaitForSingleObject, CreateThread, DeleteCriticalSection, SetNamedPipeHandleState, SetUnhandledExceptionFilter, DecodePointer, TerminateProcess, GetCurrentThreadId, InitializeCriticalSectionAndSpinCount, HeapFree, EnterCriticalSection, SetHandleCount, LoadLibraryW, GetVersionExW, FreeLibrary, QueryPerformanceCounter, GetTickCount, FlsSetValue, LoadLibraryA, GetStartupInfoA, GetEnvironmentStrings, GetFileSize, CreateDirectoryW, DeleteFileW, GetProcAddress, WaitNamedPipeW, ExpandEnvironmentStringsW, RtlLookupFunctionEntry, RtlUnwindEx, CreateEventW, CreateFileW, GetFileType, HeapAlloc, LeaveCriticalSection, GetNativeSystemInfo, GetLastError, LCMapStringW, CreateNamedPipeW, FindResourceW, LCMapStringA, GetEnvironmentStringsW, SizeofResource, GetCurrentProcessId, LockResource, WideCharToMultiByte, HeapSize, FlsAlloc, GetCommandLineA, FlsFree, ReadFile, RtlCaptureContext, CloseHandle, GetACP, GetModuleHandleW, GetLongPathNameW, IsValidCodePage, HeapCreate, GetTempPathW, Sleep, GetOEMCP

[[WTSAPI32.dll]]
WTSSendMessageW, WTSFreeMemory, WTSQuerySessionInformationW, WTSLogoffSession, WTSEnumerateSessionsW, WTSDisconnectSession

[[ADVAPI32.dll]]
RegCreateKeyExW, RegCloseKey, RegRestoreKeyW, AdjustTokenPrivileges, LookupPrivilegeValueW, RegDeleteKeyW, RegQueryValueExW, SetSecurityDescriptorDacl, ConvertStringSidToSidW, OpenProcessToken, RegOpenKeyExW, SetServiceStatus, RegEnumKeyExW, SetEntriesInAclW, RegSetValueExW, FreeSid, AllocateAndInitializeSid, InitializeSecurityDescriptor, RegisterServiceCtrlHandlerExW, RegSaveKeyExW, StartServiceCtrlDispatcherW, SetNamedSecurityInfoW

[[RPCRT4.dll]]
RpcMgmtSetServerStackSize

[[ole32.dll]]
CoInitializeEx, CoInitializeSecurity

[[WS2_32.dll]]
Ord(3), Ord(11), Ord(10), Ord(22), Ord(23), Ord(111), Ord(16), Ord(116), Ord(4), Ord(115), Ord(19), Ord(9)

[[USER32.dll]]
wsprintfA, GetSystemMetrics, wvsprintfA, wsprintfW

PE Resources..................:

Resource type Number of resources
RT_MANIFEST 1
TPB 1
RT_VERSION 1

Resource language Number of resources
ENGLISH US 3

----
I don't know for sure that I use ThinPoint, but I do RDP quite often.

 

[Fiery]

Strange.. none of your logs show any residue of Strongvault. Let see if it shows up here. My guess is that a registry entry remains somewhere but the actual program files have been removed.

Download Security Check by screen317 from here or here.

• Save it to your Desktop.
• Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
• A notepad document should open automatically called checkup.txt.
• Please post or attach the contents of that document in your next reply.

Then download DDS from here

• Temporarily disable any script blocker or Anti-Virus/Anti-Malware
• Double click dds.scr to run the tool (On Vista or Win 7 or Win 8 right click and select Run as administrator)
• Click the Run button if prompted with an Open File - Security Warning dialog box.
• A black DOS console should open and run for a moment.
• Once completed, DDS.txt and attach.txt will be created.
• Save both reports and attach them in your next reply

 

[pebkac1]

The attempted installations and removals of the Strongvault Online Backup are me attempting to repair the install so that maybe the uninstaller would work properly. Strongvault was installed originally on 2/21.

 

[Fiery]

I would suggest doing a system restore to an earlier date before 2/21 since it's not showing in any log. That would be the quickest solution.