
Computer still very slow


  • This topic is locked
37 replies to this topic

#1 KC13

  • Members
  • 92 posts

Posted 09 April 2015 - 11:54 AM

As documented in this thread: http://www.bleepingcomputer.com/forums/t/571567/theres-slow-and-then-theres-slooooooooooooww/ many things were tried to no avail. As per the last message, I am opening this thread.


Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 11-03-2015

Ran by KC13 (administrator) on DV9010CA on 09-04-2015 12:39:12

Running from C:\Users\KC13\Desktop

Loaded Profiles: KC13 (Available profiles: KC13)

Platform: Windows 7 Ultimate Service Pack 1 (X64) OS Language: English (United States)

Internet Explorer Version 11 (Default browser: FF)

Boot Mode: Normal

Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(NVIDIA Corporation) C:\Windows\System32\nvvsvc.exe

(The Within Network, LLC) C:\Windows\UnsignedThemesSvc.exe

(Microsoft Corporation) C:\Windows\System32\rundll32.exe

(Microsoft Corporation) C:\Windows\System32\wlanext.exe

(Avast Software s.r.o.) C:\Program Files\AVAST Software\Avast\AvastSvc.exe

(SUPERAntiSpyware.com) C:\Program Files\SUPERAntiSpyware\SASCORE64.EXE

(Microsoft Corporation) C:\Windows\System32\rundll32.exe

(SUPERAntiSpyware) C:\Program Files\SUPERAntiSpyware\SUPERANTISPYWARE.EXE

(Zemana Ltd.) C:\Program Files (x86)\AntiLogger\AntiLogger.exe

( Hewlett-Packard Development Company, L.P.) C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch Buttons\QLBCtrl.exe

(Avast Software s.r.o.) C:\Program Files\AVAST Software\Avast\AvastUI.exe

(Hewlett-Packard Development Company, L.P.) C:\Program Files (x86)\Hewlett-Packard\Shared\hpqWmiEx.exe

(Hewlett-Packard Development Company, L.P.) C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe

 

==================== Registry (Whitelisted) ==================

 

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

 

HKLM\...\Run: [NvMediaCenter] => RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit

HKLM\...\Run: [NvCplDaemon] => RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup

HKLM-x32\...\Run: [AntiLogger] => C:\Program Files (x86)\AntiLogger\AntiLogger.exe [14268328 2014-11-06] (Zemana Ltd.)

HKLM-x32\...\Run: [QlbCtrl.exe] => C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe [323640 2009-11-24] ( Hewlett-Packard Development Company, L.P.)

HKLM-x32\...\Run: [AvastUI.exe] => C:\Program Files\AVAST Software\Avast\AvastUI.exe [5512912 2015-04-09] (Avast Software s.r.o.)

Winlogon\Notify\SDWinLogon-x32: SDWinLogon.dll [X]

HKU\S-1-5-19\...\Run: [Sidebar] => %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun

HKU\S-1-5-20\...\Run: [Sidebar] => %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun

HKU\S-1-5-21-2611907897-445250194-531414781-1000\...\Run: [SUPERAntiSpyware] => C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe [7806744 2015-03-25] (SUPERAntiSpyware)

HKU\S-1-5-21-2611907897-445250194-531414781-1000\...\MountPoints2: {2472d489-5638-11e4-8105-001636e73440} - D:\HTC_Sync_Manager_PC.exe

HKU\S-1-5-21-2611907897-445250194-531414781-1000\...\MountPoints2: {51103a13-20c7-11e4-acdf-001636e73440} - E:\HWPcAssistant.exe

HKU\S-1-5-21-2611907897-445250194-531414781-1000\...\MountPoints2: {6d224345-e829-11e3-8a8e-806e6f6e6963} - C:\Windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL http://www.ultimatebootcd.com/

HKU\S-1-5-21-2611907897-445250194-531414781-1000\...\MountPoints2: {86228111-73ee-11e4-a800-001636e73440} - D:\HTC_Sync_Manager_PC.exe

HKU\S-1-5-21-2611907897-445250194-531414781-1000\...\MountPoints2: {9e23e6eb-0ec0-11e4-bb6b-001636e73440} - E:\HWPcAssistant.exe

ShellIconOverlayIdentifiers: [00avast] -> {472083B0-C522-11CF-8763-00608CC02F24} => C:\Program Files\AVAST Software\Avast\ashShA64.dll (Avast Software s.r.o.)

BootExecute: autocheck autochk *  BootDefrag.exe

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION

HKU\.DEFAULT\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION

HKU\S-1-5-21-2611907897-445250194-531414781-1000\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION

ProxyEnable: [.DEFAULT] => Internet Explorer proxy is enabled.

ProxyServer: [.DEFAULT] => http=127.0.0.1:50051;https=127.0.0.1:50051;

HKU\S-1-5-21-2611907897-445250194-531414781-1000\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/

HKU\S-1-5-21-2611907897-445250194-531414781-1000\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://ca.msn.com/?rd=1&ucc=CA&dcc=CA&opt=0&ocid=iehp

SearchScopes: HKU\.DEFAULT -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =

SearchScopes: HKU\S-1-5-19 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =

SearchScopes: HKU\S-1-5-20 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =

BHO: Java™ Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files\Java\jre1.8.0_40\bin\ssv.dll [2015-03-13] (Oracle Corporation)

BHO: avast! Online Security -> {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} -> C:\Program Files\AVAST Software\Avast\aswWebRepIE64.dll [2015-04-09] (Avast Software s.r.o.)

BHO: Java™ Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files\Java\jre1.8.0_40\bin\jp2ssv.dll [2015-03-13] (Oracle Corporation)

BHO-x32: Java™ Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files (x86)\Java\jre1.8.0_40\bin\ssv.dll [2015-03-13] (Oracle Corporation)

BHO-x32: avast! Online Security -> {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} -> C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll [2015-04-09] (Avast Software s.r.o.)

BHO-x32: Java™ Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files (x86)\Java\jre1.8.0_40\bin\jp2ssv.dll [2015-03-13] (Oracle Corporation)

DPF: HKLM-x32 {5AE58FCF-6F6A-49B2-B064-02492C66E3F4} http://catalog.update.microsoft.com/v7/site/ClientControl/en/x86/MuCatalogWebControl.cab?1426457126988

Tcpip\Parameters: [DhcpNameServer] 192.168.2.1

 

FireFox:

========

FF ProfilePath: C:\Users\KC13\AppData\Roaming\Mozilla\Firefox\Profiles\baax4zsx.default

FF Homepage: file:///C:/Web/index.htm

FF Plugin: @adobe.com/FlashPlayer -> C:\Windows\system32\Macromed\Flash\NPSWF64_17_0_0_134.dll [2015-03-17] ()

FF Plugin: @java.com/DTPlugin,version=11.40.2 -> C:\Program Files\Java\jre1.8.0_40\bin\dtplugin\npDeployJava1.dll [2015-03-13] (Oracle Corporation)

FF Plugin: @java.com/JavaPlugin,version=11.40.2 -> C:\Program Files\Java\jre1.8.0_40\bin\plugin2\npjp2.dll [2015-03-13] (Oracle Corporation)

FF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files\Microsoft Silverlight\5.1.30514.0\npctrl.dll [2014-05-13] ( Microsoft Corporation)

FF Plugin-x32: @adobe.com/FlashPlayer -> C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_17_0_0_134.dll [2015-03-17] ()

FF Plugin-x32: @java.com/DTPlugin,version=11.40.2 -> C:\Program Files (x86)\Java\jre1.8.0_40\bin\dtplugin\npDeployJava1.dll [2015-03-13] (Oracle Corporation)

FF Plugin-x32: @java.com/JavaPlugin,version=11.40.2 -> C:\Program Files (x86)\Java\jre1.8.0_40\bin\plugin2\npjp2.dll [2015-03-13] (Oracle Corporation)

FF Plugin-x32: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\npctrl.dll [2014-05-13] ( Microsoft Corporation)

FF Plugin-x32: @Nero.com/KM -> C:\PROGRA~2\COMMON~1\Nero\BROWSE~1\NPBROW~1.DLL No File

FF Plugin-x32: Adobe Reader -> C:\Program Files (x86)\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll [2014-12-03] (Adobe Systems Inc.)

FF Extension: Classic Theme Restorer - C:\Users\KC13\AppData\Roaming\Mozilla\Firefox\Profiles\baax4zsx.default\Extensions\ClassicThemeRestorer@ArisT2Noia4dev.xpi [2014-05-30]

FF Extension: Noia Fox options - C:\Users\KC13\AppData\Roaming\Mozilla\Firefox\Profiles\baax4zsx.default\Extensions\NoiaFoxoption@davidvincent.tld.xpi [2014-05-30]

FF Extension: Black Skin - C:\Users\KC13\AppData\Roaming\Mozilla\Firefox\Profiles\baax4zsx.default\Extensions\{2aa024bd-65c3-4256-8343-d32e1047acff}.xpi [2014-05-30]

FF Extension: Black Youtube Theme - C:\Users\KC13\AppData\Roaming\Mozilla\Firefox\Profiles\baax4zsx.default\Extensions\{2c93446d-612b-416d-9af0-b7355797b611}.xpi [2014-06-01]

FF Extension: Noia Fox - C:\Users\KC13\AppData\Roaming\Mozilla\Firefox\Profiles\baax4zsx.default\Extensions\{7b90e860-5d61-11e0-80e3-0800200c9a66}.xpi [2014-05-30]

FF HKLM-x32\...\Firefox\Extensions: [wrc@avast.com] - C:\Program Files\AVAST Software\Avast\WebRep\FF

FF Extension: Avast Online Security - C:\Program Files\AVAST Software\Avast\WebRep\FF [2015-04-09]

 

Chrome:

=======

CHR HKLM-x32\...\Chrome\Extension: [gomekmidlodglbbmalcneegieacbdmki] - C:\Program Files\AVAST Software\Avast\WebRep\Chrome\aswWebRepChrome.crx [2015-04-09]

 

Opera:

=======

OPR Extension: (iWebar) - C:\Users\KC13\AppData\Roaming\Opera Software\Opera Stable\Extensions\hdhmofnopkgkpgnpggloijpbnaonhplc [2015-03-05]

 

==================== Services (Whitelisted) =================

 

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

 

R2 !SASCORE; C:\Program Files\SUPERAntiSpyware\SASCORE64.EXE [172344 2014-08-12] (SUPERAntiSpyware.com)

R2 avast! Antivirus; C:\Program Files\AVAST Software\Avast\AvastSvc.exe [343336 2015-04-09] (Avast Software s.r.o.)

S4 CLHNServiceForPowerDVD12; C:\Program Files (x86)\CyberLink\PowerDVD12\Kernel\DMP\CLHNServer\CLHNServiceForPowerDVD12.exe [87336 2012-01-12] (CyberLink Corp.)

S4 CyberLink PowerDVD 12 Media Server Monitor Service; C:\Program Files (x86)\CyberLink\PowerDVD12\Kernel\DMS\CLMSMonitorServicePDVD12.exe [75048 2012-01-12] (CyberLink)

S4 CyberLink PowerDVD 12 Media Server Service; C:\Program Files (x86)\CyberLink\PowerDVD12\Kernel\DMS\CLMSServerPDVD12.exe [296232 2012-01-12] (CyberLink)

S4 IDriverT; C:\Program Files (x86)\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe [69632 2005-04-04] (Macrovision Corporation) [File not signed]

S4 MBAMService; C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe [1080120 2015-03-17] (Malwarebytes Corporation)

S4 MDM; C:\Program Files (x86)\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe [335872 2006-10-26] (Microsoft Corporation) [File not signed]

S3 SDScannerService; C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe [1738168 2014-06-24] (Safer-Networking Ltd.)

S3 SDUpdateService; C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe [2088408 2014-06-27] (Safer-Networking Ltd.)

S3 SDWSCService; C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe [171928 2014-04-25] (Safer-Networking Ltd.)

R2 UnsignedThemes; C:\Windows\UnsignedThemesSvc.exe [24168 2009-07-13] (The Within Network, LLC)

S3 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [1011712 2013-05-27] (Microsoft Corporation)

 

==================== Drivers (Whitelisted) ====================

 

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

 

R1 AntiLog32; C:\Windows\system32\drivers\AntiLog64.sys [49752 2014-11-07] (Zemana Ltd.)

R2 aswHwid; C:\Windows\system32\drivers\aswHwid.sys [29168 2015-04-09] ()

R2 aswMonFlt; C:\Windows\system32\drivers\aswMonFlt.sys [88408 2015-04-09] (Avast Software s.r.o.)

R1 aswRdr; C:\Windows\system32\drivers\aswRdr2.sys [93528 2015-04-09] (Avast Software s.r.o.)

R0 aswRvrt; C:\Windows\System32\Drivers\aswRvrt.sys [65736 2015-04-09] ()

R1 aswSnx; C:\Windows\system32\drivers\aswSnx.sys [1047320 2015-04-09] (Avast Software s.r.o.)

R1 aswSP; C:\Windows\system32\drivers\aswSP.sys [442264 2015-04-09] (Avast Software s.r.o.)

R2 aswStm; C:\Windows\system32\drivers\aswStm.sys [136752 2015-04-09] (Avast Software s.r.o.)

R0 aswVmm; C:\Windows\System32\Drivers\aswVmm.sys [271200 2015-04-09] ()

R0 BootDefragDriver; C:\Windows\System32\drivers\BootDefragDriver.sys [17600 2015-03-16] (Glarysoft Ltd)

R0 fsbts; C:\Windows\System32\Drivers\fsbts.sys [56016 2014-11-09] ()

R1 GUBootStartup; C:\Windows\System32\drivers\GUBootStartup.sys [20160 2015-03-17] (Glarysoft Ltd)

R3 HBtnKey; C:\Windows\System32\DRIVERS\cpqbttn.sys [19000 2010-02-25] (Hewlett-Packard Company)

S3 MBAMProtector; C:\Windows\system32\drivers\mbam.sys [25816 2015-03-17] (Malwarebytes Corporation)

S3 MBAMWebAccessControl; C:\Windows\system32\drivers\mwac.sys [63704 2015-03-17] (Malwarebytes Corporation)

R2 ntk_PowerDVD12; C:\Program Files (x86)\CyberLink\PowerDVD12\Kernel\DMP\CLHNServer\ntk_PowerDVD12_64.sys [82928 2011-10-27] (Cyberlink Corp.)

S3 RT73; C:\Windows\System32\DRIVERS\Dr71WU.sys [437248 2007-07-27] (Ralink Technology Corp.)

R1 SASDIFSV; C:\Program Files\SUPERAntiSpyware\SASDIFSV64.SYS [14928 2011-07-22] (SUPERAdBlocker.com and SUPERAntiSpyware.com)

R1 SASKUTIL; C:\Program Files\SUPERAntiSpyware\SASKUTIL64.SYS [12368 2011-07-12] (SUPERAdBlocker.com and SUPERAntiSpyware.com)

R2 uxpatch; C:\Windows\system32\drivers\uxpatch.sys [30568 2009-07-13] ()

R2 {329F96B6-DF1E-4328-BFDA-39EA953C1312}; C:\Program Files (x86)\CyberLink\PowerDVD12\Common\NavFilter\000.fcl [146928 2012-01-11] (CyberLink Corp.)

 

==================== NetSvcs (Whitelisted) ===================

 

(If an item is included in the fixlist, it will be removed from the registry. Any associated file could be listed separately to be moved.)


Additional scan result of Farbar Recovery Scan Tool (x64) Version: 11-03-2015

Ran by KC13 at 2015-04-09 12:37:05

Running from C:\Users\KC13\Desktop

Boot Mode: Normal

==========================================================

 

==================== Security Center ========================

(If an entry is included in the fixlist, it will be removed.)

AV: avast! Antivirus (Enabled - Up to date) {17AD7D40-BA12-9C46-7131-94903A54AD8B}

AS: Windows Defender (Disabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

AS: Spybot - Search and Destroy (Disabled - Up to date) {9BC38DF1-3CCA-732D-A930-C1CA5F20A4B0}

AS: avast! Antivirus (Enabled - Up to date) {ACCC9CA4-9C28-93C8-4B81-AFE241D3E736}

 

==================== Installed Programs ======================

 

(Only the adware programs with "hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)

 

Adobe Flash Player 17 ActiveX (HKLM-x32\...\Adobe Flash Player ActiveX) (Version: 17.0.0.134 - Adobe Systems Incorporated)

Adobe Flash Player 17 NPAPI (HKLM-x32\...\Adobe Flash Player NPAPI) (Version: 17.0.0.134 - Adobe Systems Incorporated)

Adobe PageMaker 7.0 (HKLM-x32\...\Adobe PageMaker 7.0) (Version: 7.0.2 - Adobe Systems, Inc.)

Adobe Reader XI (11.0.10) (HKLM-x32\...\{AC76BA86-7AD7-1033-7B44-AB0000000001}) (Version: 11.0.10 - Adobe Systems Incorporated)

Amiga Forever (HKLM-x32\...\{3C657235-E81F-4731-B50D-CD0DCB70DDBB}) (Version: 2013.0.1 - Cloanto)

AntiLogger (HKLM-x32\...\AntiLogger) (Version:  - Zemana Ltd.)

AntiLogger (x32 Version: 1.9.3.527 - Zemana Ltd.) Hidden

Avast Free Antivirus (HKLM-x32\...\Avast) (Version: 10.2.2215 - AVAST Software)

Beyond Compare Version 2.5 (HKLM-x32\...\BC2_is1) (Version:  - Scooter Software)

Classic Menu 4.x for Office 2007 (HKLM-x32\...\{409ECFF1-9CC7-43A8-B28A-B7F0B7CB04D1}_is1) (Version:  - Addintools)

Conexant HD Audio (HKLM\...\CNXT_HDAUDIO) (Version:  - )

CPUID CPU-Z 1.72 (HKLM\...\CPUID CPU-Z_is1) (Version:  - )

CyberLink PowerDVD 12 (HKLM-x32\...\InstallShield_{B46BEA36-0B71-4A4E-AE41-87241643FA0A}) (Version: 12.0.1312.54 - CyberLink Corp.)

EverQuest (HKU\S-1-5-21-2611907897-445250194-531414781-1000\...\SOE-EverQuest) (Version:  - Sony Online Entertainment)

Glary Utilities 5.22 (HKLM-x32\...\Glary Utilities 5) (Version: 5.22.0.41 - Glarysoft Ltd)

HDAUDIO Soft Data Fax Modem with SmartCP (HKLM\...\CNXT_MODEM_HDA_HSF) (Version:  - )

HP Quick Launch Buttons (HKLM-x32\...\{34D2AB40-150D-475D-AE32-BD23FB5EE355}) (Version: 6.50.14.1 - Hewlett-Packard Company)

ImgBurn (HKLM-x32\...\ImgBurn) (Version: 2.5.8.0 - LIGHTNING UK!)

Java 8 Update 40 (64-bit) (HKLM\...\{26A24AE4-039D-4CA4-87B4-2F86418040F0}) (Version: 8.0.400 - Oracle Corporation)

Java 8 Update 40 (HKLM-x32\...\{26A24AE4-039D-4CA4-87B4-2F83218040F0}) (Version: 8.0.400 - Oracle Corporation)

Legends of Norrath (HKU\S-1-5-21-2611907897-445250194-531414781-1000\...\SOE-Legends of Norrath) (Version:  - Sony Online Entertainment)

Lotus NotesSQL 3.01 driver (HKLM-x32\...\{113EECD6-9A04-11D4-811D-00805F923B86}) (Version:  - )

Lotus SmartSuite - English (HKLM-x32\...\{536D6172-7453-7569-7465-392E38300409}) (Version: 9.8.0 - Lotus Development Corporation)

Malwarebytes Anti-Malware version 2.1.4.1018 (HKLM-x32\...\Malwarebytes Anti-Malware_is1) (Version: 2.1.4.1018 - Malwarebytes Corporation)

Mappie 1.5.8 (HKLM-x32\...\Mappie) (Version: 1.5.8 - R&M Systems)

Microsoft .NET Framework 4.5.2 (HKLM\...\{92FB6C44-E685-45AD-9B20-CADF4CABA132} - 1033) (Version: 4.5.51209 - Microsoft Corporation)

Microsoft .NET Framework 4.5.2 (suomi) (HKLM\...\{92FB6C44-E685-45AD-9B20-CADF4CABA132} - 1035) (Version: 4.5.51209 - Microsoft Corporation)

Microsoft .NET Framework 4.5.2 (Русский) (HKLM\...\{92FB6C44-E685-45AD-9B20-CADF4CABA132} - 1049) (Version: 4.5.51209 - Корпорация Майкрософт)

Microsoft .NET Framework 4.5.2 (العربية) (HKLM\...\{92FB6C44-E685-45AD-9B20-CADF4CABA132} - 1025) (Version: 4.5.51209 - Microsoft Corporation)

Microsoft Office 2007 Service Pack 3 (SP3) (HKLM-x32\...\{90120000-0011-0000-0000-0000000FF1CE}_PROPLUS_{6E107EB7-8B55-48BF-ACCB-199F86A2CD93}) (Version:  - Microsoft)

Microsoft Office File Validation Add-In (HKLM-x32\...\{90140000-2005-0000-0000-0000000FF1CE}) (Version: 14.0.5130.5003 - Microsoft Corporation)

Microsoft Office Professional Plus 2007 (HKLM-x32\...\PROPLUS) (Version: 12.0.6612.1000 - Microsoft Corporation)

Microsoft Silverlight (HKLM\...\{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}) (Version: 5.1.30514.0 - Microsoft Corporation)

Microsoft Visual C++ 2005 Redistributable (HKLM-x32\...\{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}) (Version: 8.0.61001 - Microsoft Corporation)

Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.17 (HKLM\...\{8220EEFE-38CD-377E-8595-13398D740ACE}) (Version: 9.0.30729 - Microsoft Corporation)

Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.6161 (HKLM\...\{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4}) (Version: 9.0.30729.6161 - Microsoft Corporation)

Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022 (HKLM-x32\...\{FF66E9F6-83E7-3A3E-AF14-8DE9A809A6A4}) (Version: 9.0.21022 - Microsoft Corporation)

Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17 (HKLM-x32\...\{9A25302D-30C0-39D9-BD6F-21E6EC160475}) (Version: 9.0.30729 - Microsoft Corporation)

Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148 (HKLM-x32\...\{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}) (Version: 9.0.30729.4148 - Microsoft Corporation)

Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (HKLM-x32\...\{9BE518E6-ECC6-35A9-88E4-87755C07200F}) (Version: 9.0.30729.6161 - Microsoft Corporation)

Microsoft Visual C++ 2010  x86 Redistributable - 10.0.40219 (HKLM-x32\...\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}) (Version: 10.0.40219 - Microsoft Corporation)

Microsoft Visual C++ 2012 Redistributable (x86) - 11.0.61030 (HKLM-x32\...\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}) (Version: 11.0.61030.0 - Microsoft Corporation)

Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.21005 (HKLM-x32\...\{7f51bdb9-ee21-49ee-94d6-90afc321780e}) (Version: 12.0.21005.1 - Microsoft Corporation)

Mozilla Firefox 37.0.1 (x86 en-US) (HKLM-x32\...\Mozilla Firefox 37.0.1 (x86 en-US)) (Version: 37.0.1 - Mozilla)

Mozilla Maintenance Service (HKLM-x32\...\MozillaMaintenanceService) (Version: 30.0 - Mozilla)

Mozilla Thunderbird 31.6.0 (x86 en-US) (HKLM-x32\...\Mozilla Thunderbird 31.6.0 (x86 en-US)) (Version: 31.6.0 - Mozilla)

MSXML 4.0 SP3 Parser (HKLM-x32\...\{196467F1-C11F-4F76-858B-5812ADC83B94}) (Version: 4.30.2100.0 - Microsoft Corporation)

MSXML 4.0 SP3 Parser (KB2758694) (HKLM-x32\...\{1D95BA90-F4F8-47EC-A882-441C99D30C1E}) (Version: 4.30.2117.0 - Microsoft Corporation)

Nero 2015 (HKLM-x32\...\{763EF8DC-4CC0-47CA-BE1C-BDE731462250}) (Version: 16.0.02900 - Nero AG)

Notepad++ (HKLM-x32\...\Notepad++) (Version: 6.7.5 - Notepad++ Team)

NVIDIA Drivers (HKLM\...\NVIDIA Drivers) (Version: 1.3 - NVIDIA Corporation)

Pelles C Add-In SDK (HKLM-x32\...\PellesCAddIn) (Version: 8.00 - Pelle Orinius)

Pelles C for Windows (HKLM-x32\...\PellesC) (Version: 8.00 - Pelle Orinius)

Prerequisite installer (x32 Version: 16.0.0000 - Nero AG) Hidden

PSPad editor (HKLM-x32\...\PSPad editor_is1) (Version: 4.5.7.2450 - Jan Fiala)

QLBCASL (x32 Version: 6.40.17.2 - Hewlett-Packard) Hidden

Quark Update (HKLM-x32\...\{82154114-943B-4A6F-9B20-073C9573E93E}) (Version: 1.0.0.0 - Quark, Inc.)

QuarkXPress (HKLM-x32\...\{706EA4A8-97B5-4C29-A0F3-0B38C666F0C4}) (Version: 8.50.1.0 - Quark Inc.)

Registry Repair 5.0.1.67 (HKLM-x32\...\Registry Repair) (Version: 5.0.1.67 - Glarysoft Ltd)

Software Director (HKLM-x32\...\Cloanto Software Director) (Version: 3.8.14.0 - Cloanto Corporation)

Speccy (HKLM\...\Speccy) (Version: 1.28 - Piriform)

Spybot - Search & Destroy (HKLM-x32\...\{B4092C6D-E886-4CB2-BA68-FE5A99D31DE7}_is1) (Version: 2.4.40 - Safer-Networking Ltd.)

SpywareBlaster 5.0 (HKLM-x32\...\SpywareBlaster_is1) (Version: 5.0.0 - BrightFort LLC)

SUPERAntiSpyware (HKLM\...\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}) (Version: 5.7.1018 - SUPERAntiSpyware.com)

Synaptics Pointing Device Driver (HKLM\...\SynTPDeinstKey) (Version: 11.0.7.0 - Synaptics)

Theme Resource Changer X64 v1.0 (HKLM\...\Theme Resource Changer X64 v1.0) (Version:  - Bad Ass Apps)

Tweaking.com - Hardware Identify (HKLM-x32\...\Tweaking.com - Hardware Identify) (Version: 1.5.0 - Tweaking.com)

Tweaking.com - Simple System Tweaker (HKLM-x32\...\Tweaking.com - Simple System Tweaker) (Version: 2.0.0 - Tweaking.com)

Tweaking.com - Windows Repair (All in One) (HKLM-x32\...\Tweaking.com - Windows Repair (All in One)) (Version: 2.11.2 - Tweaking.com)

Tweaking.com - Windows Repair (HKLM-x32\...\Tweaking.com - Windows Repair) (Version: 3.1.1 - Tweaking.com)

Update for 2007 Microsoft Office System (KB967642) (HKLM-x32\...\{90120000-0011-0000-0000-0000000FF1CE}_PROPLUS_{C444285D-5E4F-48A4-91DD-47AAAA68E92D}) (Version:  - Microsoft)

UxStyle Core Beta (HKLM\...\{8E363055-15E5-4D8A-9C69-A0A9DE9A3337}) (Version: 0.2.1.1 - The Within Network, LLC)

VCRedistSetup (x32 Version: 1.0.0 - Nero AG) Hidden

Visual dBASE 7.5 (HKLM-x32\...\Visual dBASE 7.5) (Version:  - )

WinRAR 4.11 (64-bit) (HKLM\...\WinRAR archiver) (Version: 4.11.0 - win.rar GmbH)

WinZip 18.0 (HKLM\...\{CD95F661-A5C4-44F5-A6AA-ECDD91C240E1}) (Version: 18.0.11023 - WinZip Computing, S.L. )

==================== Custom CLSID (selected items): ==========================

(If an entry is included in the fixlist, it will be removed from registry. Any eventual file will not be moved.)

 

==================== Restore Points  =========================

 

03-04-2015 12:25:57 Tweaking.com - Windows Repair

05-04-2015 12:26:30 Windows Update

05-04-2015 14:14:14 Windows Update

08-04-2015 09:58:44 Removed Nero Info.

08-04-2015 21:29:59 avast! antivirus system restore point

08-04-2015 21:44:10 Windows Update

09-04-2015 00:57:40 avast! antivirus system restore point

 

==================== Hosts content: ==========================

 

(If needed Hosts: directive could be included in the fixlist to reset Hosts.)

 

2014-07-15 17:22 - 2015-04-03 13:28 - 00000855 ____A C:\Windows\system32\Drivers\etc\hosts

127.0.0.1       localhost

==================== Scheduled Tasks (whitelisted) =============

(If an entry is included in the fixlist, it will be removed from registry. Any associated file could be listed separately to be moved.)

Task: {6AFB66B6-5A8B-4F8A-9D75-4C7BA85FEF86} - System32\Tasks\avast! Emergency Update => C:\Program Files\AVAST Software\Avast\AvastEmUpdate.exe [2015-04-09] (Avast Software s.r.o.)

Task: {F385B6C9-F38F-459D-A078-A0D03ABAE06A} - System32\Tasks\GlaryInitialize 5 => C:\Program Files (x86)\Glary Utilities 5\Initialize.exe [2015-03-30] (Glarysoft Ltd)

Task: C:\Windows\Tasks\GlaryInitialize 5.job => C:\Program Files (x86)\Glary Utilities 5\Initialize.exe

==================== Loaded Modules (whitelisted) ==============

2014-05-31 11:04 - 2012-02-17 20:55 - 00193536 _____ () C:\Program Files\WinRAR\rarext.dll

2014-05-12 05:49 - 2014-05-12 05:49 - 00222720 _____ () C:\Program Files (x86)\Notepad++\NppShell_06.dll

2015-04-09 01:02 - 2015-04-09 01:02 - 00104400 _____ () C:\Program Files\AVAST Software\Avast\log.dll

2015-04-09 01:02 - 2015-04-09 01:02 - 00081728 _____ () C:\Program Files\AVAST Software\Avast\JsonRpcServer.dll

2015-04-09 01:02 - 2015-04-09 01:02 - 02925056 _____ () C:\Program Files\AVAST Software\Avast\defs\15040802\algo.dll

2015-04-09 12:21 - 2015-04-09 12:21 - 02925056 _____ () C:\Program Files\AVAST Software\Avast\defs\15040900\algo.dll

2015-04-09 01:02 - 2015-04-09 01:02 - 40540672 _____ () C:\Program Files\AVAST Software\Avast\libcef.dll

2011-07-18 17:07 - 2011-07-18 17:07 - 00014336 _____ () C:\Program Files (x86)\Notepad++\plugins\NppExport.dll

2015-01-25 20:47 - 2015-01-25 20:47 - 02748416 _____ () C:\Program Files (x86)\Notepad++\plugins\NppFTP.dll

==================== Alternate Data Streams (whitelisted) =========

(If an entry is included in the fixlist, only the Alternate Data Streams will be removed.)

AlternateDataStreams: C:\ProgramData\TEMP:5C321E34

AlternateDataStreams: C:\ProgramData\TEMP:D282699C

 

==================== Safe Mode (whitelisted) ===================

 

(If an item is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.)

 

HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys => ""="Driver"

HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\Wdf01000.sys => ""="Driver"

==================== EXE Association (whitelisted) ===============

(If an entry is included in the fixlist, the default will be restored. None default entries will be removed.)

 

==================== Other Areas ============================

 

(Currently there is no automatic fix for this section.)

 

HKU\S-1-5-21-2611907897-445250194-531414781-1000\Control Panel\Desktop\\Wallpaper -> C:\Users\KC13\AppData\Roaming\Microsoft\Windows\Themes\TranscodedWallpaper.jpg

DNS Servers: 192.168.2.1

==================== MSCONFIG/TASK MANAGER disabled items ==

(Currently there is no automatic fix for this section.)

MSCONFIG\Services: AdobeARMservice => 2

MSCONFIG\Services: IDriverT => 3

MSCONFIG\Services: MBAMService => 2

MSCONFIG\Services: MozillaMaintenance => 3

MSCONFIG\Services: NAUpdate => 3

MSCONFIG\Services: Nero BackItUp Scheduler 3 => 2

MSCONFIG\Services: NMIndexingService => 3

MSCONFIG\Services: WPCSvc => 3

MSCONFIG\startupreg: GUDelayStartup => "C:\Program Files (x86)\Glary Utilities 5\StartupManager.exe" -delayrun

==================== Accounts: =============================

Administrator (S-1-5-21-2611907897-445250194-531414781-500 - Administrator - Disabled)

Guest (S-1-5-21-2611907897-445250194-531414781-501 - Limited - Enabled)

KC13 (S-1-5-21-2611907897-445250194-531414781-1000 - Administrator - Enabled) => C:\Users\KC13

==================== Faulty Device Manager Devices =============

Name: HDAUDIO Soft Data Fax Modem with SmartCP

Description: HDAUDIO Soft Data Fax Modem with SmartCP

Class Guid: {4d36e96d-e325-11ce-bfc1-08002be10318}

Manufacturer: CXT

Service: Modem

Problem: : This device is disabled. (Code 22)

Resolution: In Device Manager, click "Action", and then click "Enable Device". This starts the Enable Device wizard. Follow the instructions.

 

==================== Event log errors: =========================

 

Application errors:

==================

Error: (04/04/2015 10:43:37 PM) (Source: Application Error) (EventID: 1000) (User: )

Description: Faulting application name: StartupManager.exe, version: 5.10.0.101, time stamp: 0x54b33351

Faulting module name: KERNELBASE.dll, version: 6.1.7601.18409, time stamp: 0x53159a86

Exception code: 0xe06d7363

Fault offset: 0x0000c42d

Faulting process id: 0x424

Faulting application start time: 0xStartupManager.exe0

Faulting application path: StartupManager.exe1

Faulting module path: StartupManager.exe2

Report Id: StartupManager.exe3

Error: (04/03/2015 01:38:37 PM) (Source: Microsoft-Windows-CAPI2) (EventID: 257) (User: )

Description: The Cryptographic Services service failed to initialize the Catalog Database. The ESENT error was: -528.

 

Error: (04/03/2015 01:38:37 PM) (Source: ESENT) (EventID: 455) (User: )

Description: Catalog Database (1260) Catalog Database: Error -1811 (0xfffff8ed) occurred while opening logfile C:\Windows\system32\CatRoot2\edb.log.

Error: (04/03/2015 01:38:20 PM) (Source: .NET Runtime Optimization Service) (EventID: 1103) (User: )

Description: .NET Runtime Optimization Service (clr_optimization_v2.0.50727_32) - Tried to start a service that wasn't the latest version of CLR Optimization service. Will shutdown

 

Error: (04/03/2015 01:38:20 PM) (Source: .NET Runtime Optimization Service) (EventID: 1103) (User: )

Description: .NET Runtime Optimization Service (clr_optimization_v2.0.50727_64) - Tried to start a service that wasn't the latest version of CLR Optimization service. Will shutdown

Error: (04/03/2015 01:34:22 PM) (Source: Microsoft-Windows-LoadPerf) (EventID: 3009) (User: DV9010CA)

Description: Installing the performance counter strings for service .NET Data Provider for Oracle () failed. The first DWORD in the Data section contains the error code.

 

Error: (04/03/2015 01:34:10 PM) (Source: Microsoft-Windows-LoadPerf) (EventID: 3009) (User: DV9010CA)

Description: Installing the performance counter strings for service RemoteAccess () failed. The first DWORD in the Data section contains the error code.

Error: (04/03/2015 01:21:57 PM) (Source: WinMgmt) (EventID: 4) (User: )

Description: 0x8004401eC:\WINDOWS\SYSTEM32\WBEM\AR-SA\AACLIENT.MFL

 

Error: (04/03/2015 01:21:48 PM) (Source: WinMgmt) (EventID: 4) (User: )

Description: 0x8004401eC:\WINDOWS\SYSTEM32\WBEM\EN-US\AACLIENT.MFL

Error: (04/03/2015 01:21:41 PM) (Source: WinMgmt) (EventID: 4) (User: )

Description: 0x8004401eC:\WINDOWS\SYSTEM32\WBEM\AACLIENT.MOF

 

System errors:
=============

Error: (04/09/2015 00:23:32 PM) (Source: Service Control Manager) (EventID: 7022) (User: )
Description: The Windows Update service hung on starting.

Error: (04/08/2015 09:17:54 PM) (Source: DCOM) (EventID: 10005) (User: )
Description: 1053hpqwmiex{F5539356-2F02-40D4-999E-FA61F45FE12E}

Error: (04/08/2015 09:17:54 PM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: The hpqwmiex service failed to start due to the following error:
%%1053

Error: (04/08/2015 09:17:54 PM) (Source: Service Control Manager) (EventID: 7009) (User: )
Description: A timeout was reached (30000 milliseconds) while waiting for the hpqwmiex service to connect.

Error: (04/08/2015 09:16:48 PM) (Source: EventLog) (EventID: 6008) (User: )
Description: The previous system shutdown at 9:14:43 PM on 4/8/2015 was unexpected.

Error: (04/08/2015 09:37:14 AM) (Source: Service Control Manager) (EventID: 7006) (User: )
Description: The ScRegSetValueExW call failed for Start with the following error:
%%5

Error: (04/07/2015 03:58:10 PM) (Source: EventLog) (EventID: 6008) (User: )
Description: The previous system shutdown at 3:55:46 PM on 4/7/2015 was unexpected.

Error: (04/07/2015 11:49:37 AM) (Source: Service Control Manager) (EventID: 7001) (User: )
Description: The Computer Browser service depends on the Server service which failed to start because of the following error:
%%1068

Error: (04/07/2015 11:49:37 AM) (Source: Service Control Manager) (EventID: 7001) (User: )
Description: The Computer Browser service depends on the Server service which failed to start because of the following error:
%%1068

Error: (04/07/2015 11:49:37 AM) (Source: Service Control Manager) (EventID: 7001) (User: )
Description: The Computer Browser service depends on the Server service which failed to start because of the following error:
%%1068

Microsoft Office Sessions:
=========================


==================== Memory info ===========================

Processor: AMD Turion™ 64 X2 Mobile Technology TL-56
Percentage of memory in use: 85%
Total physical RAM: 1918.61 MB
Available physical RAM: 269.39 MB
Total Pagefile: 4990.61 MB
Available Pagefile: 3071 MB
Total Virtual: 8192 MB
Available Virtual: 8191.81 MB

==================== Drives ================================

Drive c: () (Fixed) (Total:149.05 GB) (Free:80.24 GB) NTFS ==>[Drive with boot components (obtained from BCD)]

==================== MBR & Partition Table ==================
========================================================

Disk: 0 (MBR Code: Windows 7 or 8) (Size: 149.1 GB) (Disk ID: 282D282D)
Partition 1: (Active) - (Size=149 GB) - (Type=07 NTFS)

==================== End Of Log ============================


Edited by KC13, 09 April 2015 - 11:59 AM.




#2 nasdaq

  • Malware Response Team
  • 38,747 posts
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:05:24 AM

Posted 10 April 2015 - 07:41 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

Open notepad (Start =>All Programs => Accessories => Notepad). Please copy the entire contents of the code box below.


start

CloseProcesses:

Winlogon\Notify\SDWinLogon-x32: SDWinLogon.dll [X]
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
HKU\.DEFAULT\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
HKU\S-1-5-21-2611907897-445250194-531414781-1000\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
ProxyEnable: [.DEFAULT] => Internet Explorer proxy is enabled.
ProxyServer: [.DEFAULT] => http=127.0.0.1:50051;https=127.0.0.1:50051;
FF Plugin-x32: @Nero.com/KM -> C:\PROGRA~2\COMMON~1\Nero\BROWSE~1\NPBROW~1.DLL No File
CHR HKLM-x32\...\Chrome\Extension: [gomekmidlodglbbmalcneegieacbdmki] - C:\Program Files\AVAST Software\Avast\WebRep\Chrome\aswWebRepChrome.crx [2015-04-09]
OPR Extension: (iWebar) - C:\Users\KC13\AppData\Roaming\Opera Software\Opera Stable\Extensions\hdhmofnopkgkpgnpggloijpbnaonhplc [2015-03-05]
C:\Users\KC13\AppData\Roaming\Opera Software\Opera Stable\Extensions\hdhmofnopkgkpgnpggloijpbnaonhplc
AlternateDataStreams: C:\ProgramData\TEMP:5C321E34
AlternateDataStreams: C:\ProgramData\TEMP:D282699C

End
Save the file as fixlist.txt into the same folder as FRST.

Run FRST and click Fix only once and wait.

Restart the computer normally to reset the registry.

The tool will create a log (Fixlog.txt); please post it in your reply.
===

How is the computer running now?
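As an added example that is not from nasdaq's post or from FRST itself, the read-only PowerShell audit below checks the three indicator classes the fixlist above targets (Internet Explorer policy-restriction keys, a ProxyServer that points at 127.0.0.1, and alternate data streams on C:\ProgramData\TEMP), so the state before and after a fix can be confirmed without changing anything. It assumes an elevated PowerShell 5.1 or later; the loopback pattern and the TEMP path are taken from the logs in this thread.

```powershell
# Added example, not from the thread or from FRST: a read-only audit of the three
# indicator classes the fixlist above targets. Requires an elevated PowerShell 5.1+.
# Assumed: the loopback pattern and the ProgramData\TEMP path come from the logs in
# this thread. Nothing here deletes or modifies anything.

function Get-IEPolicyRestriction {
    # FRST flags these keys as "Policy restriction" when they carry values.
    $keys = @('HKLM:\SOFTWARE\Policies\Microsoft\Internet Explorer')
    $keys += Get-ChildItem 'Registry::HKEY_USERS' -ErrorAction SilentlyContinue |
        ForEach-Object { "Registry::$($_.Name)\SOFTWARE\Policies\Microsoft\Internet Explorer" }
    foreach ($k in $keys) {
        if (-not (Test-Path $k)) { continue }
        # The key itself plus every subkey (e.g. ...\Restrictions, ...\Control Panel)
        $items = @(Get-Item $k) + @(Get-ChildItem $k -Recurse -ErrorAction SilentlyContinue)
        foreach ($item in $items) {
            foreach ($name in $item.Property) {
                [pscustomobject]@{
                    Type = 'IEPolicy'; Path = $item.Name; Name = $name
                    Value = $item.GetValue($name); Loopback = $false
                }
            }
        }
    }
}

function Get-LoopbackProxy {
    # ProxyEnable/ProxyServer per loaded hive (.DEFAULT, S-1-5-18, S-1-5-21-...).
    # A server on 127.0.0.1 means every browser request is relayed through a local
    # process, which is how the 127.0.0.1:50051 entry above would see all traffic.
    Get-ChildItem 'Registry::HKEY_USERS' -ErrorAction SilentlyContinue | ForEach-Object {
        $k = "Registry::$($_.Name)\Software\Microsoft\Windows\CurrentVersion\Internet Settings"
        if (Test-Path $k) {
            $v = Get-ItemProperty -Path $k -ErrorAction SilentlyContinue
            if ($v.ProxyEnable -eq 1 -or $v.ProxyServer) {
                [pscustomobject]@{
                    Type = 'Proxy'; Path = $_.Name; Name = 'ProxyServer'
                    Value = "Enable=$($v.ProxyEnable) Server=$($v.ProxyServer)"
                    Loopback = [bool]($v.ProxyServer -match '(^|=)(127\.0\.0\.1|localhost)(:|;|$)')
                }
            }
        }
    }
}

function Get-AlternateDataStream {
    param([string[]]$Path = @("$env:ProgramData\TEMP"))
    foreach ($p in $Path) {
        if (-not (Test-Path $p)) { continue }
        # ':$DATA' is the normal content stream; anything else is a named ADS.
        Get-Item -Path $p -Stream * -ErrorAction SilentlyContinue |
            Where-Object { $_.Stream -ne ':$DATA' } |
            ForEach-Object {
                [pscustomobject]@{
                    Type = 'ADS'; Path = $_.FileName; Name = $_.Stream
                    Value = "$($_.Length) bytes"; Loopback = $false
                }
            }
    }
}

$findings = @(Get-IEPolicyRestriction) + @(Get-LoopbackProxy) + @(Get-AlternateDataStream)
if ($findings.Count -eq 0) {
    'No IE policy restrictions, proxy settings or alternate data streams found.'
} else {
    $findings | Select-Object Type, Path, Name, Value | Format-Table -AutoSize -Wrap
    $findings | Where-Object { $_.Type -eq 'Proxy' -and $_.Loopback } |
        ForEach-Object { "WARNING: loopback proxy configured in $($_.Path)" }
}
```

Run it once before the fix and once after the reboot; the second run should report nothing for the keys and streams the fixlist removed.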

#3 KC13 (Topic Starter)

Posted 10 April 2015 - 12:49 PM

The system is still running like a snail.... For example, Firefox took almost a full minute to run..... Typing this text goes in fits and starts. Freezing often. Here is the result of FRST:

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 11-03-2015

Ran by KC13 at 2015-04-10 13:39:44 Run:1

Running from C:\Users\KC13\Desktop

Loaded Profiles: KC13 (Available profiles: KC13)

Boot Mode: Normal

==============================================

Content of fixlist:

*****************

start

CloseProcesses:

Winlogon\Notify\SDWinLogon-x32: SDWinLogon.dll [X]

HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION

HKU\.DEFAULT\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION

HKU\S-1-5-21-2611907897-445250194-531414781-1000\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION

ProxyEnable: [.DEFAULT] => Internet Explorer proxy is enabled.

ProxyServer: [.DEFAULT] => http=127.0.0.1:50051;https=127.0.0.1:50051;

FF Plugin-x32: @Nero.com/KM -> C:\PROGRA~2\COMMON~1\Nero\BROWSE~1\NPBROW~1.DLL No File

CHR HKLM-x32\...\Chrome\Extension: [gomekmidlodglbbmalcneegieacbdmki] - C:\Program Files\AVAST Software\Avast\WebRep\Chrome\aswWebRepChrome.crx [2015-04-09]

OPR Extension: (iWebar) - C:\Users\KC13\AppData\Roaming\Opera Software\Opera Stable\Extensions\hdhmofnopkgkpgnpggloijpbnaonhplc [2015-03-05]

C:\Users\KC13\AppData\Roaming\Opera Software\Opera Stable\Extensions\hdhmofnopkgkpgnpggloijpbnaonhplc

AlternateDataStreams: C:\ProgramData\TEMP:5C321E34

AlternateDataStreams: C:\ProgramData\TEMP:D282699C

End

*****************

Processes closed successfully.

"HKLM\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SDWinLogon" => Key deleted successfully.

"HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer" => Key deleted successfully.

"HKU\.DEFAULT\SOFTWARE\Policies\Microsoft\Internet Explorer" => Key deleted successfully.

"HKU\S-1-5-21-2611907897-445250194-531414781-1000\SOFTWARE\Policies\Microsoft\Internet Explorer" => Key deleted successfully.

HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxyEnable => value deleted successfully.

HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxyServer => value deleted successfully.

"HKLM\Software\Wow6432Node\MozillaPlugins\@Nero.com/KM" => Key deleted successfully.

"HKLM\SOFTWARE\Wow6432Node\Google\Chrome\Extensions\gomekmidlodglbbmalcneegieacbdmki" => Key deleted successfully.

Could not move "C:\Program Files\AVAST Software\Avast\WebRep\Chrome\aswWebRepChrome.crx" => Scheduled to move on reboot.

C:\Users\KC13\AppData\Roaming\Opera Software\Opera Stable\Extensions\hdhmofnopkgkpgnpggloijpbnaonhplc => Moved successfully.

"C:\Users\KC13\AppData\Roaming\Opera Software\Opera Stable\Extensions\hdhmofnopkgkpgnpggloijpbnaonhplc" => File/Directory not found.

C:\ProgramData\TEMP => ":5C321E34" ADS removed successfully.

C:\ProgramData\TEMP => ":D282699C" ADS removed successfully.

 

=> Result of Scheduled Files to move (Boot Mode: Normal) (Date&Time: 2015-04-10 13:42:04)<=

 

"C:\Program Files\AVAST Software\Avast\WebRep\Chrome\aswWebRepChrome.crx" => File could not move.

 

==== End of Fixlog 13:42:04 ====



#4 nasdaq (Malware Response Team)

Posted 11 April 2015 - 06:44 AM

--RogueKiller--
  • Download & SAVE to your Desktop: Download RogueKiller
  • Quit all programs that you may have started.
  • Please disconnect any USB or external drives from the computer before you run this scan!
  • For Vista or Windows 7, right-click and select "Run as Administrator" to start
  • For Windows XP, double-click to start.
  • Wait until Prescan has finished ...
  • Then Click on "Scan" button
  • Wait until the Status box shows "Scan Finished"
  • Click on "Delete"
  • Wait until the Status box shows "Deleting Finished"
  • Click on "Report" and copy/paste the content of the Notepad into your next reply.
  • The log should be found in RKreport[1].txt on your Desktop
  • Exit/Close RogueKiller
=======

#5 KC13 (Topic Starter)

Posted 11 April 2015 - 08:28 AM

I checked everything and clicked "Delete" even though some (UnsignedThemesSvc.exe for one) I had installed back when I put Windows 7 on this machine. It had run without causing any of the current symptoms.

RogueKiller V10.5.9.0 [Apr  7 2015] by Adlice Software

mail : http://www.adlice.com/contact/

Feedback : http://forum.adlice.com

Website : http://www.adlice.com/softwares/roguekiller/

Blog : http://www.adlice.com

Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version

Started in : Normal mode

User : KC13 [Administrator]

Started from : C:\Users\KC13\Desktop\RogueKiller.exe

Mode : Delete -- Date : 04/11/2015  09:24:47

¤¤¤ Processes : 1 ¤¤¤

[Suspicious.Path] UnsignedThemesSvc.exe(520) -- C:\Windows\UnsignedThemesSvc.exe[7] -> Killed [TermProc]

¤¤¤ Registry : 27 ¤¤¤

[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\UnsignedThemes (C:\Windows\UnsignedThemesSvc.exe) -> Deleted

[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\UnsignedThemes (C:\Windows\UnsignedThemesSvc.exe) -> Deleted

[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\UnsignedThemes (C:\Windows\UnsignedThemesSvc.exe) -> Deleted

[PUM.Proxy] (X64) HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyEnable : 1  -> Replaced (0)

[PUM.Proxy] (X86) HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyEnable : 1  -> Replaced (0)

[PUM.Proxy] (X64) HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyEnable : 1  -> Replaced (0)

[PUM.Proxy] (X86) HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyEnable : 1  -> Replaced (0)

[PUM.Proxy] (X64) HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyServer : http=127.0.0.1:50051;https=127.0.0.1:50051;  -> Deleted

[PUM.Proxy] (X86) HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyServer : http=127.0.0.1:50051;https=127.0.0.1:50051;  -> ERROR [2]

[PUM.Proxy] (X64) HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyServer : http=127.0.0.1:50051;https=127.0.0.1:50051;  -> ERROR [2]

[PUM.Proxy] (X86) HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyServer : http=127.0.0.1:50051;https=127.0.0.1:50051;  -> ERROR [2]

[PUM.Policies] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System | ConsentPromptBehaviorAdmin : 0  -> Replaced (2)

[PUM.Policies] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System | ConsentPromptBehaviorAdmin : 0  -> Replaced (2)

[PUM.StartMenu] (X64) HKEY_USERS\S-1-5-21-2611907897-445250194-531414781-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowDownloads : 0  -> Replaced (1)

[PUM.StartMenu] (X64) HKEY_USERS\S-1-5-21-2611907897-445250194-531414781-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowRecentDocs : 0  -> Replaced (1)

[PUM.StartMenu] (X64) HKEY_USERS\S-1-5-21-2611907897-445250194-531414781-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowRun : 0  -> Replaced (1)

[PUM.StartMenu] (X64) HKEY_USERS\S-1-5-21-2611907897-445250194-531414781-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowVideos : 0  -> Replaced (1)

[PUM.StartMenu] (X86) HKEY_USERS\S-1-5-21-2611907897-445250194-531414781-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowDownloads : 0  -> Replaced (1)

[PUM.StartMenu] (X86) HKEY_USERS\S-1-5-21-2611907897-445250194-531414781-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowRecentDocs : 0  -> Replaced (1)

[PUM.StartMenu] (X86) HKEY_USERS\S-1-5-21-2611907897-445250194-531414781-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowRun : 0  -> Replaced (1)

[PUM.StartMenu] (X86) HKEY_USERS\S-1-5-21-2611907897-445250194-531414781-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowVideos : 0  -> Replaced (1)

[PUM.DesktopIcons] (X64) HKEY_USERS\S-1-5-21-2611907897-445250194-531414781-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\ClassicStartMenu | {59031a47-3f72-44a7-89c5-5595fe6b30ee} : 1  -> Replaced (0)

[PUM.DesktopIcons] (X86) HKEY_USERS\S-1-5-21-2611907897-445250194-531414781-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\ClassicStartMenu | {59031a47-3f72-44a7-89c5-5595fe6b30ee} : 1  -> Replaced (0)

[PUM.DesktopIcons] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1  -> Replaced (0)

[PUM.DesktopIcons] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {59031a47-3f72-44a7-89c5-5595fe6b30ee} : 1  -> Replaced (0)

[PUM.DesktopIcons] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1  -> Replaced (0)

[PUM.DesktopIcons] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {59031a47-3f72-44a7-89c5-5595fe6b30ee} : 1  -> Replaced (0)

¤¤¤ Tasks : 0 ¤¤¤

¤¤¤ Files : 0 ¤¤¤

¤¤¤ Hosts File : 1 ¤¤¤

[C:\Windows\System32\drivers\etc\hosts] 127.0.0.1       localhost -> Deleted

¤¤¤ Antirootkit : 0 (Driver: Not loaded [0xc000036b]) ¤¤¤

¤¤¤ Web browsers : 1 ¤¤¤

[PUM.HomePage][FIREFX:Config] baax4zsx.default : user_pref("browser.startup.homepage", "file:///C:/Web/index.htm"); -> Not selected

¤¤¤ MBR Check : ¤¤¤

+++++ PhysicalDrive0: WDC WD16 00BEVT-22ZCT SCSI Disk Device +++++

--- User ---

[MBR] 48840ac66ece709e90d43db0894c8f30

[BSP] 49d76dca7a9b7e85c26d52902f76b7ce : Windows Vista/7/8 MBR Code

Partition table:

User = LL1 ... OK

Error reading LL2 MBR! ([1] Incorrect function. )

============================================

RKreport_SCN_04112015_092219.log



#6 nasdaq (Malware Response Team)

Posted 11 April 2015 - 08:36 AM

How is the computer running now?

#7 KC13 (Topic Starter)

Posted 11 April 2015 - 09:59 AM

It's much worse now. It just took Firefox over 2 minutes to load. It feels like I'm typing this in slow motion. That last sentence didn't complete, I had to retype the last two words.

If it helps, it looks like programs are not terminating. When I load Task Manager, it shows Thunderbird running when it had been closed a while ago. This happens often with Firefox and Thunderbird. The computer is still randomly freezing. This does not happen with Live Linux DVDs or if I put the Windows XP HD back in...



#8 KC13 (Topic Starter)

Posted 11 April 2015 - 10:20 AM

There is another symptom I just encountered. Windows Update again offered an important update to Internet Explorer 11 for 64bit systems and again it failed with error code 9C48, unknown error.



#9 nasdaq (Malware Response Team)

Posted 11 April 2015 - 01:24 PM

Windows Update again offered an important update to Internet Explorer 11 for 64bit systems and again it failed with error code 9C48, unknown error.


Refer to this Microsoft page.

http://answers.microsoft.com/en-us/windows/forum/windows_7-windows_update/error-code-9c48-while-installing-update-for/dfaf53c1-894d-42da-87f1-5363ea9ef91a


As suggested, please check if you have the prerequisite updates for Internet Explorer.

The list will be found here:
http://support.microsoft.com/kb/2847882

If some are missing, please get the updates.

Keep me posted.

#10 KC13 (Topic Starter)

Posted 11 April 2015 - 04:10 PM

I have solved the IE11 MS Update error. As per IE11_main.log in C:\Windows, it appears that for some reason, MS Update is offering a version earlier than the version installed.

00:00.000: ====================================================================

00:00.063: Started: 2015/04/11 (Y/M/D) 12:05:14.705 (local)

00:00.078: Time Format in this log: MM:ss.mmm (minutes:seconds.milliseconds)

00:00.094: Command line: "C:\Windows\SoftwareDistribution\Download\Install\IE11-Windows6.1-x64-en-us.exe" /WU-SILENT

00:00.094: INFO:    Setup installer for Internet Explorer: 11.0.9600.16428

00:00.125: INFO:    Previous version of Internet Explorer: 11.0.9600.17041

00:00.141: INFO:    Checking if iexplore.exe's current version is between 11.0.9600.0...

00:00.188: INFO:    ...and 11.1.0.0...

00:00.188: INFO:    Maximum version on which to run IEAK branding is: 11.1.0.0...

00:00.188: ERROR:   A newer version of Internet Explorer is already installed on the system.

00:00.188: ERROR:   Internet Explorer version check failed.

00:00.188: INFO:    Setup exit code: 0x00009C48 (40008) - A more recent version of Internet Explorer is installed.

00:00.375: INFO:    Cleaning up temporary files in: C:\Windows\TEMP\IE1393B.tmp

00:00.422: INFO:    Unable to remove directory C:\Windows\TEMP\IE1393B.tmp, marking for deletion on reboot.

00:00.422: INFO:    Released Internet Explorer Installer Mutex



#11 nasdaq (Malware Response Team)

Posted 12 April 2015 - 07:17 AM

Please run the Windows Update normally.

Does it suggest that you install important updates?

If yes, what are the KB article numbers?

How is the computer running now?

#12 KC13 (Topic Starter)

Posted 12 April 2015 - 09:29 AM

The only important update offered is "Internet Explorer 11 for Windows 7 for x64-based Systems". That is the one that is older than the version installed on my system. There are also many optional language updates offered.

When running IE11 to access Windows Update, I noticed that the menus (File, Edit, View etc.) showed up but were not clickable, and when I just ran it again a second ago, the menus were no longer there...

The system was almost unusable on the first three boots. It is not good at the moment, but at least I can do some things.

Just ran IE11 again and the menus are back and accessible. Sheesh, the machine IS possessed...


Edited by KC13, 12 April 2015 - 09:33 AM.


#13 nasdaq (Malware Response Team)

Posted 12 April 2015 - 01:12 PM

Try this.

Please Download Tweaking.com - Windows Repair from Here
  • Install and then run the program
  • Click Next at the Welcome Screen, Click Next on Step 1 Screen
  • Click Next on Step 2 Screen, Click Do it on Step 3 Screen, After it has completed click Next
  • On Step 4 Under System Restore Click Create, Then under registry back-up Click Backup. When you have completed this click Next
  • Click on Repairs
  • Click Open repairs - Icon in the bottom right corner
  • Click the Unselect All button then select just the item(s) below:
    01 - Repair Registry Permissions
    03 - Reset Service permissions
    04 - Register System Files
    07 - Repair Internet Explorer
    10 - Remove Policies Set By Infections
    14 - Remove Temp Files
  • Click the Start button and let the process run to completion. Copy any error messages into Notepad, Save it on your Desktop. (Reboot if asked to do so)
  • Please copy and paste the Contents of this file on your next reply.
===

How is it now?


#14 KC13 (Topic Starter)

Posted 12 April 2015 - 02:56 PM

I had already run this tool in the previous thread mentioned in the first post in this thread. Do you want me to run it again?

EDIT: I ran the tool again, and many errors appeared in the last two command prompt windows, but I could not copy them and they didn't appear in the log files. On the first run in the previous thread, there were no error messages, so whatever errors these were, they were created by the various tools run since, as that's all I have been doing these past many days. :smash: :hysterical:


Edited by KC13, 12 April 2015 - 03:46 PM.


#15 nasdaq (Malware Response Team)

Posted 13 April 2015 - 06:34 AM

If IE 11 is still compromised I think you should remove it using the Add/Remove Programs applet.

This will restore the previous version.

Test it and if all is well you can re-install the New version using the Windows Updates.

Keep me posted.

Edited by nasdaq, 13 April 2015 - 06:34 AM.




