
'This program is blocked by group policy' ... help please


This topic is locked
16 replies to this topic

#1 Ilovemywifebut

  • Members
  • 8 posts

Posted 24 August 2015 - 10:16 AM

Have this on my wife's PC - not sure how long it's been on there, but it's stopping Avast (at least) running.

I've pulled the internet connection on it totally.

Have run FRST, addition.txt is attached and FRST log is below:

Thanks

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version:23-08-2015
Ran by Stewart (administrator) on HOME-PC (24-08-2015 16:07:49)
Running from C:\Users\Stewart\Desktop
Loaded Profiles: Stewart (Available Profiles: Stewart)
Platform: Microsoft® Windows Vista™ Home Premium  Service Pack 2 (X86) Language: English (United States)
Internet Explorer Version 9 (Default browser: IE)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(Microsoft Corporation) C:\Windows\System32\SLsvc.exe
(AVAST Software) C:\Program Files\AVAST Software\Avast\AvastSvc.exe
(Apple Inc.) C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
(Apple Inc.) C:\Program Files\Bonjour\mDNSResponder.exe
(Oki Data Corporation) C:\Windows\System32\spool\drivers\w32x86\3\OKHSLDCS.EXE
(Microsoft Corporation) C:\Program Files\Microsoft LifeCam\MSCamS32.exe
(Canon Inc.) C:\Program Files\Canon\CAL\CALMAIN.exe
(Microsoft Corporation) C:\Program Files\Windows Defender\MSASCui.exe
(Realtek Semiconductor) C:\Windows\RtHDVCpl.exe
(Intel Corporation) C:\Windows\System32\igfxtray.exe
(Microsoft Corporation) C:\Program Files\Windows Sidebar\sidebar.exe
() C:\Program Files\WLAN Technology Corporation\WLAN_802.11g_Utility\ZDWlan.exe
(SupportSoft, Inc.) C:\Program Files\Dell Support Center\bin\sprtsvc.exe
(Microsoft Corporation) C:\Windows\System32\wuauclt.exe
(Microsoft Corporation) C:\Windows\System32\wbem\WMIADAP.exe

==================== Registry (Whitelisted) ===========================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [Windows Defender] => C:\Program Files\Windows Defender\MSASCui.exe [1008184 2008-01-21] (Microsoft Corporation)
HKLM\...\Run: [RtHDVCpl] => C:\Windows\RtHDVCpl.exe [4452352 2007-05-11] (Realtek Semiconductor)
HKLM\...\Run: [LifeCam] => C:\Program Files\Microsoft LifeCam\LifeExp.exe [119152 2010-05-20] (Microsoft Corporation)
HKLM\...\Run: [Adobe ARM] => C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe [937920 2011-03-29] (Adobe Systems Incorporated)
HKLM\...\Run: [AvastUI.exe] => C:\Program Files\AVAST Software\Avast\AvastUI.exe [4085896 2014-08-19] (AVAST Software)
HKLM Group Policy restriction on software: C:\Documents and Settings\All Users\Application Data\McAfee <====== ATTENTION
HKLM Group Policy restriction on software: C:\Program Files\AVAST Software <====== ATTENTION
HKLM Group Policy restriction on software: C:\Program Files\AVG <====== ATTENTION
HKLM Group Policy restriction on software: C:\Program Files\AVG <====== ATTENTION
HKLM Group Policy restriction on software: C:\Documents and Settings\All Users\Application Data\AVAST Software <====== ATTENTION
Startup: C:\Users\Stewart\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ZDWLan Utility.lnk [2009-04-24]
ShortcutTarget: ZDWLan Utility.lnk -> C:\Program Files\WLAN Technology Corporation\WLAN_802.11g_Utility\ZDWlan.exe ()
ShellIconOverlayIdentifiers: [00avast] -> {472083B0-C522-11CF-8763-00608CC02F24} => C:\Program Files\AVAST Software\Avast\ashShell.dll [2014-08-19] (AVAST Software)

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

HKU\S-1-5-21-1299272057-2543773296-3063664486-1000\Software\Microsoft\Internet Explorer\Main,Start Page = hxxps://www.google.co.uk/
HKU\S-1-5-21-1299272057-2543773296-3063664486-1000\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://g.uk.msn.com/USCON/2
SearchScopes: HKLM -> {CCC7A320-B3CA-4199-B1A6-9F516DD69829} URL = hxxp://us.yhs.search.yahoo.com/avg/search?fr=yhs-avg-chrome&type=yahoo_avg_hs2-tb-web_chrome_us&p={searchTerms}
SearchScopes: HKU\.DEFAULT -> {CCC7A320-B3CA-4199-B1A6-9F516DD69829} URL = hxxp://us.yhs.search.yahoo.com/avg/search?fr=yhs-avg-chrome&type=yahoo_avg_hs2-tb-web_chrome_us&p={searchTerms}
SearchScopes: HKU\S-1-5-21-1299272057-2543773296-3063664486-1000 -> DefaultScope {9932DFE4-9F24-4DF2-B891-AFE2A42C3A52} URL = hxxp://www.google.co.uk/search?hl=en&q={searchTerms}&meta=&rlz=1I7VSND_enGB581
SearchScopes: HKU\S-1-5-21-1299272057-2543773296-3063664486-1000 -> {4B31A162-CE26-494E-9AD4-07935CF8F6BE} URL = hxxp://www.bing.com/search?q={searchTerms}&FORM=DLCDF7&pc=MDDC&src=IE-SearchBox
SearchScopes: HKU\S-1-5-21-1299272057-2543773296-3063664486-1000 -> {95B7759C-8C7F-4BF1-B163-73684A933233} URL = hxxp://isearch.avg.com/search?cid={0B7575EC-0CDF-4C4C-84EB-EBCFDF94B759}&mid=1030cd4dfdbc2958f639281a392cd0c7-31ee1d2620d959c34ca8aff4e51ccdca8fb22d1f&lang=us&ds=AVG&pr=fr&d=2011-12-05 14:02:57&v=9.0.0.18&sap=dsp&q={searchTerms}
SearchScopes: HKU\S-1-5-21-1299272057-2543773296-3063664486-1000 -> {9932DFE4-9F24-4DF2-B891-AFE2A42C3A52} URL = hxxp://www.google.co.uk/search?hl=en&q={searchTerms}&meta=&rlz=1I7VSND_enGB581
SearchScopes: HKU\S-1-5-21-1299272057-2543773296-3063664486-1000 -> {E28D7D52-5AFA-4C6B-8C23-D8451386AD82} URL = hxxp://www.search.ask.com/web?tpid=ORJ-SPE&o=APN11406&pf=V7&p2=%5EBBE%5EOSJ000%5EYY%5EGB&gct=&itbv=12.15.5.30&apn_uid=2CB131C9-7A45-4B62-8408-B2D9A9A1AD2B&apn_ptnrs=BBE&apn_dtid=%5EOSJ000%5EYY%5EGB&apn_dbr=ie_9.0.8112.16561&doi=2014-09-10&trgb=IE&q={searchTerms}&psv=&pt=tb
BHO: Adobe PDF Reader Link Helper -> {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} -> C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll [2011-08-30] (Adobe Systems Incorporated)
BHO: No Name -> {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} ->  No File
BHO: Java™ Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files\Java\jre7\bin\ssv.dll [2014-07-25] (Oracle Corporation)
BHO: avast! Online Security -> {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} -> C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll [2014-08-19] (AVAST Software)
BHO: No Name -> {95B7759C-8C7F-4BF1-B163-73684A933233} ->  No File
BHO: Java™ Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files\Java\jre7\bin\jp2ssv.dll [2014-07-25] (Oracle Corporation)
Toolbar: HKLM - No Name - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} -  No File
Toolbar: HKLM - No Name - {95B7759C-8C7F-4BF1-B163-73684A933233} -  No File
Toolbar: HKU\S-1-5-21-1299272057-2543773296-3063664486-1000 -> No Name - {21FA44EF-376D-4D53-9B0F-8A89D3229068} -  No File
Toolbar: HKU\S-1-5-21-1299272057-2543773296-3063664486-1000 -> No Name - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} -  No File
Toolbar: HKU\S-1-5-21-1299272057-2543773296-3063664486-1000 -> No Name - {E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39} -  No File
Toolbar: HKU\S-1-5-21-1299272057-2543773296-3063664486-1000 -> No Name - {2318C2B1-4965-11D4-9B18-009027A5CD4F} -  No File
DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} hxxp://gfx1.hotmail.com/mail/w3/resources/VistaMSNPUplden-gb.cab
DPF: {A9CF3378-D60E-40A8-927D-7EA0D5B0AA98} hxxp://webalbum.bonusprint.com/ukipc01/downloads//ImageUploader6.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: {E77F23EB-E7AB-4502-8F37-247DBAF1A147} hxxp://gfx1.hotmail.com/mail/w4/pr01/photouploadcontrol/VistaMSNPUplden-gb.cab
Handler: ms-itss - {0A9007C0-4076-11D3-8789-0000F8105754} - C:\Program Files\Common Files\Microsoft Shared\Information Retrieval\msitss.dll [2007-11-28] (Microsoft Corporation)
Handler: viprotocol - {B658800C-F66E-4EF3-AB85-6C0C227862A9} - C:\Program Files\Common Files\AVG Secure Search\ViProtocolInstaller\10.0.6\ViProtocol.dll [2012-01-24] ()
Winsock: Catalog5 05 C:\Program Files\Bonjour\mdnsNSP.dll [121704 2011-08-30] (Apple Inc.)
Tcpip\Parameters: [DhcpNameServer] 192.168.2.1
Tcpip\..\Interfaces\{426A9A47-B39D-49B0-9E03-2E597ABE752B}: [DhcpNameServer] 192.168.1.254
Tcpip\..\Interfaces\{4DC01DBD-376C-46B8-85B2-6ED0F457640D}: [DhcpNameServer] 192.168.2.1
Tcpip\..\Interfaces\{795F009E-2F13-4F35-89B6-7A2038B2AE22}: [DhcpNameServer] 192.168.2.1
Tcpip\..\Interfaces\{8FE5041C-42EB-442E-ADA9-2E0B94FAF5C6}: [DhcpNameServer] 163.244.4.254 163.244.76.254
Tcpip\..\Interfaces\{B163DB07-ACD6-44D1-9E53-894C30B34322}: [DhcpNameServer] 192.168.2.1
Tcpip\..\Interfaces\{C7715E50-873D-4C0D-9ADE-83C34962B80B}: [DhcpNameServer] 192.168.2.1

FireFox:
========
FF ProfilePath: C:\Users\Stewart\AppData\Roaming\Mozilla\Firefox\Profiles\v4h2im87.default
FF Homepage: hxxp://www.google.co.uk/
FF NetworkProxy: "no_proxies_on", "*.local"
FF NetworkProxy: "type", 0
FF Plugin: @adobe.com/FlashPlayer -> C:\Windows\system32\Macromed\Flash\NPSWF32_11_7_700_169.dll [2013-05-08] ()
FF Plugin: @Apple.com/iTunes,version=1.0 -> C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll [2012-04-05] ()
FF Plugin: @java.com/DTPlugin,version=10.67.2 -> C:\Program Files\Java\jre7\bin\dtplugin\npDeployJava1.dll [2014-07-25] (Oracle Corporation)
FF Plugin: @java.com/JavaPlugin,version=10.67.2 -> C:\Program Files\Java\jre7\bin\plugin2\npjp2.dll [2014-07-25] (Oracle Corporation)
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files\Microsoft Silverlight\5.1.40416.0\npctrl.dll [2015-04-15] ( Microsoft Corporation)
FF Plugin: @microsoft.com/WLPG,version=14.0.8051.1204 -> C:\Program Files\Windows Live\Photo Gallery\NPWLPG.dll [2008-12-04] (Microsoft Corporation)
FF Plugin: @microsoft.com/WPF,version=3.5 -> c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll [2008-07-29] (Microsoft Corporation)
FF Plugin: @tools.google.com/Google Update;version=3 -> C:\Program Files\Google\Update\1.3.28.1\npGoogleUpdate3.dll [2015-07-16] (Google Inc.)
FF Plugin: @tools.google.com/Google Update;version=9 -> C:\Program Files\Google\Update\1.3.28.1\npGoogleUpdate3.dll [2015-07-16] (Google Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\npnul32.dll [2012-06-28] (mozilla.org)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\NPOFFICE.DLL [2007-03-22] (Microsoft Corporation)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\nppdf32.dll [2011-08-30] (Adobe Systems Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\npqtplugin.dll [2007-05-02] (Apple Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\npqtplugin2.dll [2007-05-02] (Apple Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\npqtplugin3.dll [2007-05-02] (Apple Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\npqtplugin4.dll [2007-05-02] (Apple Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\npqtplugin5.dll [2007-05-02] (Apple Inc.)
FF SearchPlugin: C:\Program Files\mozilla firefox\searchplugins\answers.xml [2012-06-28]
FF SearchPlugin: C:\Program Files\mozilla firefox\searchplugins\avg-secure-search.xml [2012-01-24]
FF SearchPlugin: C:\Program Files\mozilla firefox\searchplugins\creativecommons.xml [2012-06-28]
FF Extension: No Name - C:\Users\Stewart\AppData\Roaming\Mozilla\Firefox\Profiles\v4h2im87.default\Extensions\staged-xpis [2013-10-21]
FF Extension: No Name - C:\Users\Stewart\AppData\Roaming\Mozilla\Firefox\Profiles\v4h2im87.default\Extensions\{20a82645-c095-46ed-80e3-08825760534b} [2013-10-21]
FF HKLM\...\Firefox\Extensions: [avg@toolbar] - C:\ProgramData\AVG Secure Search\10.0.0.7
FF Extension: AVG Security Toolbar - C:\ProgramData\AVG Secure Search\10.0.0.7 [2012-01-24]
FF HKLM\...\Firefox\Extensions: [wrc@avast.com] - C:\Program Files\AVAST Software\Avast\WebRep\FF
FF Extension: avast! Online Security - C:\Program Files\AVAST Software\Avast\WebRep\FF [2013-05-07]
FF HKLM\...\Firefox\Extensions: [{20a82645-c095-46ed-80e3-08825760534b}] - c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF Extension: Microsoft .NET Framework Assistant - c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension [2009-04-24]
FF ExtraCheck: C:\Program Files\mozilla firefox\defaults\pref\firefox-branding.js [2010-10-01]
FF ExtraCheck: C:\Program Files\mozilla firefox\defaults\pref\firefox-l10n.js [2010-10-01]
FF ExtraCheck: C:\Program Files\mozilla firefox\defaults\pref\firefox.js [2010-10-01]
FF ExtraCheck: C:\Program Files\mozilla firefox\defaults\pref\itms.js [2012-06-06]
FF ExtraCheck: C:\Program Files\mozilla firefox\defaults\pref\reporter.js [2010-10-01]

Chrome:
=======
CHR Profile: C:\Users\Stewart\AppData\Local\Google\Chrome\User Data\Default
CHR Extension: (Chrome Hotword Shared Module) - C:\Users\Stewart\AppData\Local\Google\Chrome\User Data\Default\Extensions\lccekmodgklaepjeofjdjpbminllajkg [2015-06-16]
CHR Extension: (Google Wallet) - C:\Users\Stewart\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2014-10-16]
CHR HKLM\...\Chrome\Extension: [gomekmidlodglbbmalcneegieacbdmki] - C:\Program Files\AVAST Software\Avast\WebRep\Chrome\aswWebRepChrome.crx [2014-08-19]

==================== Services (Whitelisted) ========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R2 avast! Antivirus; C:\Program Files\AVAST Software\Avast\AvastSvc.exe [50344 2014-08-19] (AVAST Software)
R2 CCALib8; C:\Program Files\Canon\CAL\CALMAIN.exe [96341 2005-09-30] (Canon Inc.) [File not signed]
R2 DCSLoader; C:\Windows\system32\spool\DRIVERS\W32X86\3\OKHSLDCS.EXE [24576 2011-11-14] (Oki Data Corporation) [File not signed]
R2 sprtsvc_DellSupportCenter; C:\Program Files\Dell Support Center\bin\sprtsvc.exe [201968 2008-10-04] (SupportSoft, Inc.)
R2 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [272952 2008-01-21] (Microsoft Corporation)

===================== Drivers (Whitelisted) ==========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R2 aswHwid; C:\Windows\system32\drivers\aswHwid.sys [24184 2014-08-19] ()
R2 aswMonFlt; C:\Windows\system32\drivers\aswMonFlt.sys [67824 2014-08-19] (AVAST Software)
R1 AswRdr; C:\Windows\system32\drivers\aswRdr.sys [55112 2014-08-19] (AVAST Software)
R0 aswRvrt; C:\Windows\system32\Drivers\aswRvrt.sys [49944 2014-08-19] ()
R1 aswSnx; C:\Windows\system32\drivers\aswSnx.sys [779536 2014-11-24] (AVAST Software)
R1 aswSP; C:\Windows\system32\drivers\aswSP.sys [414520 2014-08-19] (AVAST Software)
R1 aswTdi; C:\Windows\system32\drivers\aswTdi.sys [57800 2014-08-19] (AVAST Software)
R0 aswVmm; C:\Windows\system32\Drivers\aswVmm.sys [192352 2014-08-19] ()
R1 ISODisk; C:\Windows\system32\Drivers\ISODisk.sys [9600 2006-04-26] () [File not signed]
R3 ZD1211BU(WLAN); C:\Windows\System32\DRIVERS\zd1211Bu.sys [402432 2005-10-28] (ZyDAS Technology Corporation)
S3 IpInIp; system32\DRIVERS\ipinip.sys [X]
S3 NwlnkFlt; system32\DRIVERS\nwlnkflt.sys [X]
S3 NwlnkFwd; system32\DRIVERS\nwlnkfwd.sys [X]
S3 ZDPSp60; System32\Drivers\ZDPSp60.sys [X]

==================== NetSvcs (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

==================== One Month Created files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2015-08-24 16:07 - 2015-08-24 16:08 - 00015541 _____ C:\Users\Stewart\Desktop\FRST.txt
2015-08-24 16:07 - 2015-08-24 16:07 - 00000000 ____D C:\FRST
2015-08-24 16:06 - 2015-08-24 16:04 - 01677824 _____ (Farbar) C:\Users\Stewart\Desktop\FRST.exe
2015-08-24 16:06 - 2015-08-24 15:34 - 12704885 _____ C:\Users\Stewart\Desktop\CopyTransv5.028_DLC.zip
2015-08-07 08:52 - 2009-08-04 09:02 - 00754688 _____ (Microsoft Corporation) C:\Windows\system32\webservices.dll

==================== One Month Modified files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2015-08-24 16:08 - 2013-05-08 17:49 - 00000830 _____ C:\Windows\Tasks\Adobe Flash Player Updater.job
2015-08-24 15:52 - 2010-08-24 09:23 - 00000000 ____D C:\Users\Stewart\AppData\Roaming\uTorrent
2015-08-24 15:52 - 2009-04-19 17:55 - 01845174 _____ C:\Windows\WindowsUpdate.log
2015-08-24 15:33 - 2006-11-02 11:33 - 00758370 _____ C:\Windows\system32\PerfStringBackup.INI
2015-08-24 15:29 - 2014-03-25 12:23 - 00000882 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2015-08-24 15:25 - 2014-03-25 12:25 - 00001933 _____ C:\Users\Public\Desktop\Google Chrome.lnk
2015-08-24 15:23 - 2014-03-25 12:23 - 00000886 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2015-08-24 15:21 - 2006-11-02 13:47 - 00003616 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
2015-08-24 15:21 - 2006-11-02 13:47 - 00003616 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
2015-08-24 15:20 - 2006-11-02 14:01 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2015-08-07 09:45 - 2006-11-02 14:01 - 00032622 _____ C:\Windows\Tasks\SCHEDLGU.TXT
2015-08-07 09:20 - 2006-11-02 12:18 - 00000000 ____D C:\Windows\rescache
2015-08-07 08:49 - 2015-05-14 11:08 - 00020616 _____ C:\Windows\setupact.log
2015-08-07 08:47 - 2009-04-24 21:14 - 00000000 ____D C:\Users\Stewart

==================== Files in the root of some directories =======

2013-05-07 20:47 - 2013-10-26 20:29 - 0000159 _____ () C:\Users\Stewart\AppData\Roaming\Opusbext.dat
2013-02-26 15:21 - 2013-02-27 13:38 - 0000680 _____ () C:\Users\Stewart\AppData\Local\d3d9caps.dat
2009-04-24 21:35 - 2015-05-24 21:53 - 0039936 _____ () C:\Users\Stewart\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
2011-03-03 16:40 - 2011-03-03 16:40 - 0000056 ____H () C:\ProgramData\ezsidmv.dat

Some files in TEMP:
====================
C:\Users\Stewart\AppData\Local\Temp\converter.exe

==================== Bamital & volsnap =================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\explorer.exe => File is digitally signed
C:\Windows\system32\winlogon.exe => File is digitally signed
C:\Windows\system32\wininit.exe => File is digitally signed
C:\Windows\system32\svchost.exe => File is digitally signed
C:\Windows\system32\services.exe => File is digitally signed
C:\Windows\system32\User32.dll => File is digitally signed
C:\Windows\system32\userinit.exe => File is digitally signed
C:\Windows\system32\rpcss.dll => File is digitally signed
C:\Windows\system32\dnsapi.dll => File is digitally signed
C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed

LastRegBack: 2015-08-24 15:26

==================== End of log ============================
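The five "HKLM Group Policy restriction on software" lines that FRST flags with "ATTENTION" in the Registry section above are the part of this log that explains the symptom: a software restriction policy path rule is aimed at the install and data directories of McAfee, Avast and AVG, which is the mechanism behind the "This program is blocked by group policy" message, and the same five lines are still present in the follow-up scan later in the thread. As an added example (not from the thread, and not FRST's own code), the Python script below pulls those entries out of an FRST log, collapses repeated lines, flags the ones whose target directory belongs to a security product, and compares two scans so a helper can see whether a cleanup step actually removed the rules. The vendor watch-list beyond McAfee/Avast/AVG and the "clean" scan are constructed assumptions; the sample log lines mirror the ones above.

```python
"""Triage of FRST 'Group Policy restriction on software' entries.

Added example, not part of the thread or of FRST itself. It parses the
Registry-section lines that FRST tags '<====== ATTENTION', collapses repeats,
flags entries whose target directory belongs to a security product, and diffs
two scans so a helper can confirm whether a cleanup step removed the rules.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

RESTRICTION_RE = re.compile(
    r"^(?P<hive>\S+) Group Policy restriction on software: "
    r"(?P<path>.+?)\s*<====== ATTENTION\s*$"
)

# Constructed watch-list of directory-name fragments used by security products.
# McAfee, Avast and AVG are the vendors named in the thread's log; the rest are
# an assumption of what a helper would also want flagged.
SECURITY_VENDOR_TOKENS = (
    "mcafee", "avast", "avg",
    "malwarebytes", "windows defender", "kaspersky", "symantec", "eset", "sophos",
)


@dataclass(frozen=True)
class Restriction:
    hive: str   # registry hive FRST reports the rule under, e.g. HKLM
    path: str   # directory the path rule disallows

    def targets_security_software(self) -> bool:
        # Substring match per path segment; short tokens such as "avg" will also
        # hit any segment containing those letters, so review flagged paths by eye.
        segments = [seg.lower() for seg in self.path.split("\\")]
        return any(tok in seg for seg in segments for tok in SECURITY_VENDOR_TOKENS)


def parse_restrictions(log_text: str) -> list[Restriction]:
    """Every restriction entry in log order, repeats included."""
    found = []
    for line in log_text.splitlines():
        m = RESTRICTION_RE.match(line.strip())
        if m:
            found.append(Restriction(m["hive"], m["path"].rstrip("\\")))
    return found


def unique_restrictions(log_text: str) -> list[Restriction]:
    """Restriction entries with repeated lines collapsed (the thread's log lists
    the AVG path twice); first-seen order is kept."""
    return list(dict.fromkeys(parse_restrictions(log_text)))


def flagged_targets(log_text: str) -> list[str]:
    """Paths of unique restrictions that point at a security product."""
    return [r.path for r in unique_restrictions(log_text)
            if r.targets_security_software()]


def diff_scans(before: str, after: str) -> dict[str, list[str]]:
    """Which restriction paths disappeared, survived or appeared between two runs."""
    b = {r.path for r in unique_restrictions(before)}
    a = {r.path for r in unique_restrictions(after)}
    return {"removed": sorted(b - a), "persisting": sorted(b & a), "added": sorted(a - b)}


# Sample input, constructed to mirror the Registry section of the log above.
SCAN_BEFORE = r"""
HKLM\...\Run: [AvastUI.exe] => C:\Program Files\AVAST Software\Avast\AvastUI.exe [4085896 2014-08-19] (AVAST Software)
HKLM Group Policy restriction on software: C:\Documents and Settings\All Users\Application Data\McAfee <====== ATTENTION
HKLM Group Policy restriction on software: C:\Program Files\AVAST Software <====== ATTENTION
HKLM Group Policy restriction on software: C:\Program Files\AVG <====== ATTENTION
HKLM Group Policy restriction on software: C:\Program Files\AVG <====== ATTENTION
HKLM Group Policy restriction on software: C:\Documents and Settings\All Users\Application Data\AVAST Software <====== ATTENTION
Startup: C:\Users\Stewart\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ZDWLan Utility.lnk [2009-04-24]
"""

# The follow-up scan in the thread still lists the same five lines.
SCAN_AFTER_ADWCLEANER = SCAN_BEFORE

# Constructed: what the section would look like once the path rules are gone.
SCAN_CLEAN = r"""
HKLM\...\Run: [AvastUI.exe] => C:\Program Files\AVAST Software\Avast\AvastUI.exe [4085896 2014-08-19] (AVAST Software)
"""

if __name__ == "__main__":
    for path in flagged_targets(SCAN_BEFORE):
        print("security product blocked by policy:", path)
    print("after adware cleanup:", diff_scans(SCAN_BEFORE, SCAN_AFTER_ADWCLEANER))
    print("after policy removal:", diff_scans(SCAN_BEFORE, SCAN_CLEAN))
```

Run it with the two FRST logs from this thread as `before` and `after` and `diff_scans` reports all four unique paths under "persisting" and nothing under "removed", which is the cue that the adware cleaners did not touch the policy rules and a separate fix for them is still needed.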


#2 satchfan

  • Malware Response Team
  • 2,660 posts
  • Gender:Female
  • Location:Devon, UK

Posted 24 August 2015 - 10:36 AM

Hello Ilovemywifebut and welcome to Bleeping Computer.

My name is Satchfan and I would be glad to help you with your computer problem.

Please read the following guidelines which will help to make cleaning your machine easier:

  • please follow all instructions in the order posted
  • please continue to review my answers until I tell you your machine appears to be clear. Absence of symptoms does not mean that everything is clear
  • all logs/reports, etc. must be posted in Notepad. Please ensure that word wrap is unchecked. In Notepad click Format, uncheck Word wrap if it is checked
  • if you don't understand something, please don't hesitate to ask for clarification before proceeding
  • the fixes are specific to your problem and should only be used for this issue on this machine.
  • please reply within 3 days. If you do not reply within this period I will post a reminder but topics with no reply in 4 days will be closed!

IMPORTANT:

Please DO NOT install/uninstall any programs unless asked to.
Please DO NOT run any scans other than those requested

===================================================

Note: Please run these in the order given in the instructions.

===================================================

Run AVG removal tool

There are some remnants on your computer even though it is no longer installed so please download and run AVG Removal Tool from here.

===================================================

Download and run AdwCleaner

Download AdwCleaner from here and save it to your desktop.


  • run AdwCleaner
  • when it has finished, select Clean
  • if it asks to reboot, allow the reboot
  • on reboot a log will be produced; please attach the content of the log to your next reply.

===================================================

Download and run Junkware Removal Tool

Please download Junkware Removal Tool to your desktop.

  • shut down your protection software now to avoid potential conflicts.
  • run the tool by double-clicking it. If you are using Windows Vista, 7, or 8; instead of double-clicking, right-mouse click JRT.exe and select "Run as Administrator"
  • the tool will open and start scanning your system
  • please be patient as this can take a while to complete depending on your system's specifications
  • on completion, a log (JRT.txt) is saved to your desktop and will automatically open
  • post the contents of JRT.txt into your next message.

===================================================

Run Farbar Recovery Scan Tool

Please run FRST again and post the new log.

Logs to include with next post:

AdwCleaner log
JRT.txt
Frst.txt


Thanks

Satchfan

 


My help is always free of charge. If you are happy with the help provided, if you wish you can make a donation to buy me a beer.


#3 Ilovemywifebut

  • Topic Starter
  • Members
  • 8 posts

Posted 24 August 2015 - 11:12 AM

Nina,

Thanks for your help with this.

I think that the AVG fragments were from an add-in to Firefox, but have run the removal tool:

Adwcleaner - attached
JRT log - attached
FRST addition.txt - attached
FRST log below.

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version:23-08-2015
Ran by Stewart (administrator) on HOME-PC (24-08-2015 17:07:40)
Running from C:\Users\Stewart\Desktop
Loaded Profiles: Stewart (Available Profiles: Stewart)
Platform: Microsoft® Windows Vista™ Home Premium  Service Pack 2 (X86) Language: English (United States)
Internet Explorer Version 9 (Default browser: IE)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(AVAST Software) C:\Program Files\AVAST Software\Avast\AvastSvc.exe
(Microsoft Corporation) C:\Windows\System32\wuauclt.exe
(Apple Inc.) C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
(Microsoft Corporation) C:\Windows\System32\SLsvc.exe
(Microsoft Corporation) C:\Windows\System32\mobsync.exe

==================== Registry (Whitelisted) ===========================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [Windows Defender] => C:\Program Files\Windows Defender\MSASCui.exe [1008184 2008-01-21] (Microsoft Corporation)
HKLM\...\Run: [RtHDVCpl] => C:\Windows\RtHDVCpl.exe [4452352 2007-05-11] (Realtek Semiconductor)
HKLM\...\Run: [LifeCam] => C:\Program Files\Microsoft LifeCam\LifeExp.exe [119152 2010-05-20] (Microsoft Corporation)
HKLM\...\Run: [Adobe ARM] => C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe [937920 2011-03-29] (Adobe Systems Incorporated)
HKLM\...\Run: [AvastUI.exe] => C:\Program Files\AVAST Software\Avast\AvastUI.exe [4085896 2014-08-19] (AVAST Software)
HKLM Group Policy restriction on software: C:\Documents and Settings\All Users\Application Data\McAfee <====== ATTENTION
HKLM Group Policy restriction on software: C:\Program Files\AVAST Software <====== ATTENTION
HKLM Group Policy restriction on software: C:\Program Files\AVG <====== ATTENTION
HKLM Group Policy restriction on software: C:\Program Files\AVG <====== ATTENTION
HKLM Group Policy restriction on software: C:\Documents and Settings\All Users\Application Data\AVAST Software <====== ATTENTION
Startup: C:\Users\Stewart\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ZDWLan Utility.lnk [2009-04-24]
ShortcutTarget: ZDWLan Utility.lnk -> C:\Program Files\WLAN Technology Corporation\WLAN_802.11g_Utility\ZDWlan.exe ()
ShellIconOverlayIdentifiers: [00avast] -> {472083B0-C522-11CF-8763-00608CC02F24} => C:\Program Files\AVAST Software\Avast\ashShell.dll [2014-08-19] (AVAST Software)

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

HKU\S-1-5-21-1299272057-2543773296-3063664486-1000\Software\Microsoft\Internet Explorer\Main,Start Page = hxxps://www.google.co.uk/
HKU\S-1-5-21-1299272057-2543773296-3063664486-1000\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://g.uk.msn.com/USCON/2
SearchScopes: HKU\.DEFAULT -> {CCC7A320-B3CA-4199-B1A6-9F516DD69829} URL = hxxp://us.yhs.search.yahoo.com/avg/search?fr=yhs-avg-chrome&type=yahoo_avg_hs2-tb-web_chrome_us&p={searchTerms}
SearchScopes: HKU\S-1-5-21-1299272057-2543773296-3063664486-1000 -> DefaultScope {9932DFE4-9F24-4DF2-B891-AFE2A42C3A52} URL = hxxp://www.google.co.uk/search?hl=en&q={searchTerms}&meta=&rlz=1I7VSND_enGB581
SearchScopes: HKU\S-1-5-21-1299272057-2543773296-3063664486-1000 -> {4B31A162-CE26-494E-9AD4-07935CF8F6BE} URL = hxxp://www.bing.com/search?q={searchTerms}&FORM=DLCDF7&pc=MDDC&src=IE-SearchBox
SearchScopes: HKU\S-1-5-21-1299272057-2543773296-3063664486-1000 -> {9932DFE4-9F24-4DF2-B891-AFE2A42C3A52} URL = hxxp://www.google.co.uk/search?hl=en&q={searchTerms}&meta=&rlz=1I7VSND_enGB581
BHO: Adobe PDF Reader Link Helper -> {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} -> C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll [2011-08-30] (Adobe Systems Incorporated)
BHO: Java™ Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files\Java\jre7\bin\ssv.dll [2014-07-25] (Oracle Corporation)
BHO: avast! Online Security -> {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} -> C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll [2014-08-19] (AVAST Software)
BHO: Java™ Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files\Java\jre7\bin\jp2ssv.dll [2014-07-25] (Oracle Corporation)
Toolbar: HKU\S-1-5-21-1299272057-2543773296-3063664486-1000 -> No Name - {2318C2B1-4965-11D4-9B18-009027A5CD4F} -  No File
DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} hxxp://gfx1.hotmail.com/mail/w3/resources/VistaMSNPUplden-gb.cab
DPF: {A9CF3378-D60E-40A8-927D-7EA0D5B0AA98} hxxp://webalbum.bonusprint.com/ukipc01/downloads//ImageUploader6.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: {E77F23EB-E7AB-4502-8F37-247DBAF1A147} hxxp://gfx1.hotmail.com/mail/w4/pr01/photouploadcontrol/VistaMSNPUplden-gb.cab
Handler: ms-itss - {0A9007C0-4076-11D3-8789-0000F8105754} - C:\Program Files\Common Files\Microsoft Shared\Information Retrieval\msitss.dll [2007-11-28] (Microsoft Corporation)
Winsock: Catalog5 05 C:\Program Files\Bonjour\mdnsNSP.dll [121704 2011-08-30] (Apple Inc.)
Tcpip\Parameters: [DhcpNameServer] 192.168.2.1
Tcpip\..\Interfaces\{426A9A47-B39D-49B0-9E03-2E597ABE752B}: [DhcpNameServer] 192.168.1.254
Tcpip\..\Interfaces\{4DC01DBD-376C-46B8-85B2-6ED0F457640D}: [DhcpNameServer] 192.168.2.1
Tcpip\..\Interfaces\{795F009E-2F13-4F35-89B6-7A2038B2AE22}: [DhcpNameServer] 192.168.2.1
Tcpip\..\Interfaces\{8FE5041C-42EB-442E-ADA9-2E0B94FAF5C6}: [DhcpNameServer] 163.244.4.254 163.244.76.254
Tcpip\..\Interfaces\{B163DB07-ACD6-44D1-9E53-894C30B34322}: [DhcpNameServer] 192.168.2.1
Tcpip\..\Interfaces\{C7715E50-873D-4C0D-9ADE-83C34962B80B}: [DhcpNameServer] 192.168.2.1

FireFox:
========
FF ProfilePath: C:\Users\Stewart\AppData\Roaming\Mozilla\Firefox\Profiles\v4h2im87.default
FF Homepage: hxxp://www.google.co.uk/
FF NetworkProxy: "no_proxies_on", "*.local"
FF NetworkProxy: "type", 0
FF Plugin: @adobe.com/FlashPlayer -> C:\Windows\system32\Macromed\Flash\NPSWF32_11_7_700_169.dll [2013-05-08] ()
FF Plugin: @Apple.com/iTunes,version=1.0 -> C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll [2012-04-05] ()
FF Plugin: @java.com/DTPlugin,version=10.67.2 -> C:\Program Files\Java\jre7\bin\dtplugin\npDeployJava1.dll [2014-07-25] (Oracle Corporation)
FF Plugin: @java.com/JavaPlugin,version=10.67.2 -> C:\Program Files\Java\jre7\bin\plugin2\npjp2.dll [2014-07-25] (Oracle Corporation)
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files\Microsoft Silverlight\5.1.40416.0\npctrl.dll [2015-04-15] ( Microsoft Corporation)
FF Plugin: @microsoft.com/WLPG,version=14.0.8051.1204 -> C:\Program Files\Windows Live\Photo Gallery\NPWLPG.dll [2008-12-04] (Microsoft Corporation)
FF Plugin: @microsoft.com/WPF,version=3.5 -> c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll [2008-07-29] (Microsoft Corporation)
FF Plugin: @tools.google.com/Google Update;version=3 -> C:\Program Files\Google\Update\1.3.28.1\npGoogleUpdate3.dll [2015-07-16] (Google Inc.)
FF Plugin: @tools.google.com/Google Update;version=9 -> C:\Program Files\Google\Update\1.3.28.1\npGoogleUpdate3.dll [2015-07-16] (Google Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\npnul32.dll [2012-06-28] (mozilla.org)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\NPOFFICE.DLL [2007-03-22] (Microsoft Corporation)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\nppdf32.dll [2011-08-30] (Adobe Systems Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\npqtplugin.dll [2007-05-02] (Apple Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\npqtplugin2.dll [2007-05-02] (Apple Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\npqtplugin3.dll [2007-05-02] (Apple Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\npqtplugin4.dll [2007-05-02] (Apple Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\npqtplugin5.dll [2007-05-02] (Apple Inc.)
FF SearchPlugin: C:\Program Files\mozilla firefox\searchplugins\answers.xml [2012-06-28]
FF SearchPlugin: C:\Program Files\mozilla firefox\searchplugins\creativecommons.xml [2012-06-28]
FF Extension: No Name - C:\Users\Stewart\AppData\Roaming\Mozilla\Firefox\Profiles\v4h2im87.default\Extensions\staged-xpis [2013-10-21]
FF Extension: No Name - C:\Users\Stewart\AppData\Roaming\Mozilla\Firefox\Profiles\v4h2im87.default\Extensions\{20a82645-c095-46ed-80e3-08825760534b} [2013-10-21]
FF HKLM\...\Firefox\Extensions: [wrc@avast.com] - C:\Program Files\AVAST Software\Avast\WebRep\FF
FF Extension: avast! Online Security - C:\Program Files\AVAST Software\Avast\WebRep\FF [2013-05-07]
FF HKLM\...\Firefox\Extensions: [{20a82645-c095-46ed-80e3-08825760534b}] - c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF Extension: Microsoft .NET Framework Assistant - c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension [2009-04-24]
FF ExtraCheck: C:\Program Files\mozilla firefox\defaults\pref\firefox-branding.js [2010-10-01]
FF ExtraCheck: C:\Program Files\mozilla firefox\defaults\pref\firefox-l10n.js [2010-10-01]
FF ExtraCheck: C:\Program Files\mozilla firefox\defaults\pref\firefox.js [2010-10-01]
FF ExtraCheck: C:\Program Files\mozilla firefox\defaults\pref\itms.js [2012-06-06]
FF ExtraCheck: C:\Program Files\mozilla firefox\defaults\pref\reporter.js [2010-10-01]

Chrome:
=======
CHR Profile: C:\Users\Stewart\AppData\Local\Google\Chrome\User Data\Default
CHR Extension: (Chrome Hotword Shared Module) - C:\Users\Stewart\AppData\Local\Google\Chrome\User Data\Default\Extensions\lccekmodgklaepjeofjdjpbminllajkg [2015-06-16]
CHR Extension: (Google Wallet) - C:\Users\Stewart\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2014-10-16]
CHR HKLM\...\Chrome\Extension: [gomekmidlodglbbmalcneegieacbdmki] - C:\Program Files\AVAST Software\Avast\WebRep\Chrome\aswWebRepChrome.crx [2014-08-19]

==================== Services (Whitelisted) ========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R2 avast! Antivirus; C:\Program Files\AVAST Software\Avast\AvastSvc.exe [50344 2014-08-19] (AVAST Software)
S2 CCALib8; C:\Program Files\Canon\CAL\CALMAIN.exe [96341 2005-09-30] (Canon Inc.) [File not signed]
S2 DCSLoader; C:\Windows\system32\spool\DRIVERS\W32X86\3\OKHSLDCS.EXE [24576 2011-11-14] (Oki Data Corporation) [File not signed]
S2 sprtsvc_DellSupportCenter; C:\Program Files\Dell Support Center\bin\sprtsvc.exe [201968 2008-10-04] (SupportSoft, Inc.)
R2 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [272952 2008-01-21] (Microsoft Corporation)

===================== Drivers (Whitelisted) ==========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R2 aswHwid; C:\Windows\system32\drivers\aswHwid.sys [24184 2014-08-19] ()
R2 aswMonFlt; C:\Windows\system32\drivers\aswMonFlt.sys [67824 2014-08-19] (AVAST Software)
R1 AswRdr; C:\Windows\system32\drivers\aswRdr.sys [55112 2014-08-19] (AVAST Software)
R0 aswRvrt; C:\Windows\system32\Drivers\aswRvrt.sys [49944 2014-08-19] ()
R1 aswSnx; C:\Windows\system32\drivers\aswSnx.sys [779536 2014-11-24] (AVAST Software)
R1 aswSP; C:\Windows\system32\drivers\aswSP.sys [414520 2014-08-19] (AVAST Software)
R1 aswTdi; C:\Windows\system32\drivers\aswTdi.sys [57800 2014-08-19] (AVAST Software)
R0 aswVmm; C:\Windows\system32\Drivers\aswVmm.sys [192352 2014-08-19] ()
R1 ISODisk; C:\Windows\system32\Drivers\ISODisk.sys [9600 2006-04-26] () [File not signed]
S3 ZD1211BU(WLAN); C:\Windows\System32\DRIVERS\zd1211Bu.sys [402432 2005-10-28] (ZyDAS Technology Corporation)
S3 IpInIp; system32\DRIVERS\ipinip.sys [X]
S3 NwlnkFlt; system32\DRIVERS\nwlnkflt.sys [X]
S3 NwlnkFwd; system32\DRIVERS\nwlnkfwd.sys [X]
S3 ZDPSp60; System32\Drivers\ZDPSp60.sys [X]

==================== NetSvcs (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

==================== One Month Created files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2015-08-24 17:07 - 2015-08-24 17:08 - 00012847 _____ C:\Users\Stewart\Desktop\FRST.txt
2015-08-24 17:06 - 2015-08-24 17:06 - 00001508 _____ C:\Users\Stewart\Desktop\JRT.txt
2015-08-24 16:58 - 2015-08-24 16:58 - 00005077 _____ C:\Users\Stewart\Desktop\AdwCleaner[C1].txt
2015-08-24 16:48 - 2015-08-24 16:51 - 00000000 ____D C:\AdwCleaner
2015-08-24 16:42 - 2015-08-24 16:46 - 00459884 _____ C:\Users\Stewart\Desktop\avgremover.log
2015-08-24 16:42 - 2015-08-24 16:41 - 01605632 _____ C:\Users\Stewart\Desktop\adwcleaner_5.003.exe
2015-08-24 16:42 - 2015-08-24 16:40 - 03681088 _____ (AVG Technologies CZ, s.r.o.) C:\Users\Stewart\Desktop\avg_remover_stf_x86_2015_5501.exe
2015-08-24 16:42 - 2015-08-24 16:40 - 01798576 _____ (Malwarebytes Corporation) C:\Users\Stewart\Desktop\JRT.exe
2015-08-24 16:24 - 2015-08-24 16:24 - 00000000 ____D C:\Users\Stewart\AppData\Roaming\WindSolutions
2015-08-24 16:18 - 2015-08-24 16:18 - 00000000 ____D C:\ProgramData\WindSolutions
2015-08-24 16:07 - 2015-08-24 17:07 - 00000000 ____D C:\FRST
2015-08-24 16:06 - 2015-08-24 16:04 - 01677824 _____ (Farbar) C:\Users\Stewart\Desktop\FRST.exe
2015-08-24 16:06 - 2015-08-24 15:34 - 12704885 _____ C:\Users\Stewart\Desktop\CopyTransv5.028_DLC.zip
2015-08-07 08:52 - 2009-08-04 09:02 - 00754688 _____ (Microsoft Corporation) C:\Windows\system32\webservices.dll

==================== One Month Modified files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2015-08-24 17:08 - 2013-05-08 17:49 - 00000830 _____ C:\Windows\Tasks\Adobe Flash Player Updater.job
2015-08-24 17:07 - 2006-11-02 13:47 - 00003616 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
2015-08-24 17:07 - 2006-11-02 13:47 - 00003616 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
2015-08-24 17:02 - 2009-04-19 17:55 - 01064508 _____ C:\Windows\WindowsUpdate.log
2015-08-24 17:00 - 2006-11-02 11:33 - 00758370 _____ C:\Windows\system32\PerfStringBackup.INI
2015-08-24 16:56 - 2014-03-25 12:23 - 00000882 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2015-08-24 16:56 - 2006-11-02 14:01 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2015-08-24 16:52 - 2006-11-02 14:01 - 00032622 _____ C:\Windows\Tasks\SCHEDLGU.TXT
2015-08-24 16:45 - 2015-01-06 11:07 - 00051084 _____ C:\Windows\PFRO.log
2015-08-24 16:23 - 2014-03-25 12:23 - 00000886 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2015-08-24 15:52 - 2010-08-24 09:23 - 00000000 ____D C:\Users\Stewart\AppData\Roaming\uTorrent
2015-08-24 15:25 - 2014-03-25 12:25 - 00001933 _____ C:\Users\Public\Desktop\Google Chrome.lnk
2015-08-07 09:20 - 2006-11-02 12:18 - 00000000 ____D C:\Windows\rescache
2015-08-07 08:49 - 2015-05-14 11:08 - 00020616 _____ C:\Windows\setupact.log
2015-08-07 08:47 - 2009-04-24 21:14 - 00000000 ____D C:\Users\Stewart

==================== Files in the root of some directories =======

2013-05-07 20:47 - 2013-10-26 20:29 - 0000159 _____ () C:\Users\Stewart\AppData\Roaming\Opusbext.dat
2013-02-26 15:21 - 2013-02-27 13:38 - 0000680 _____ () C:\Users\Stewart\AppData\Local\d3d9caps.dat
2009-04-24 21:35 - 2015-05-24 21:53 - 0039936 _____ () C:\Users\Stewart\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
2011-03-03 16:40 - 2011-03-03 16:40 - 0000056 ____H () C:\ProgramData\ezsidmv.dat

Some files in TEMP:
====================
C:\Users\Stewart\AppData\Local\Temp\converter.exe
C:\Users\Stewart\AppData\Local\Temp\sqlite3.dll

==================== Bamital & volsnap =================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\explorer.exe => File is digitally signed
C:\Windows\system32\winlogon.exe => File is digitally signed
C:\Windows\system32\wininit.exe => File is digitally signed
C:\Windows\system32\svchost.exe => File is digitally signed
C:\Windows\system32\services.exe => File is digitally signed
C:\Windows\system32\User32.dll => File is digitally signed
C:\Windows\system32\userinit.exe => File is digitally signed
C:\Windows\system32\rpcss.dll => File is digitally signed
C:\Windows\system32\dnsapi.dll => File is digitally signed
C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed

LastRegBack: 2015-08-24 17:03

==================== End of log ============================




#4 satchfan

satchfan

  • Malware Response Team
  • 2,660 posts
  • Gender:Female
  • Location:Devon, UK

Posted 24 August 2015 - 06:03 PM

Thanks for the logs.


Run Farbar Recovery Scan Tool

Open notepad (Start >All Programs > Accessories > Notepad). Please copy the entire contents of the code box below and paste it into Notepad.


HKLM Group Policy restriction on software: C:\Documents and Settings\All Users\Application Data\McAfee <====== ATTENTION
HKLM Group Policy restriction on software: C:\Program Files\AVAST Software <====== ATTENTION
HKLM Group Policy restriction on software: C:\Program Files\AVG <====== ATTENTION
HKLM Group Policy restriction on software: C:\Program Files\AVG <====== ATTENTION
HKLM Group Policy restriction on software: C:\Documents and Settings\All Users\Application Data\AVAST Software <====== ATTENTION
SearchScopes: HKU\.DEFAULT -> {CCC7A320-B3CA-4199-B1A6-9F516DD69829} URL = hxxp://us.yhs.search.yahoo.com/avg/search?fr=yhs-avg-chrome&type=yahoo_avg_hs2-tb-web_chrome_us&p={searchTerms}
SearchScopes: HKU\S-1-5-21-1299272057-2543773296-3063664486-1000 -> DefaultScope {9932DFE4-9F24-4DF2-B891-AFE2A42C3A52} URL = hxxp://www.google.co.uk/search?hl=en&q={searchTerms}&meta=&rlz=1I7VSND_enGB581
SearchScopes: HKU\S-1-5-21-1299272057-2543773296-3063664486-1000 -> {4B31A162-CE26-494E-9AD4-07935CF8F6BE} URL = hxxp://www.bing.com/search?q={searchTerms}&FORM=DLCDF7&pc=MDDC&src=IE-SearchBox
SearchScopes: HKU\S-1-5-21-1299272057-2543773296-3063664486-1000 -> {9932DFE4-9F24-4DF2-B891-AFE2A42C3A52} URL = hxxp://www.google.co.uk/search?hl=en&q={searchTerms}&meta=&rlz=1I7VSND_enGB581
Toolbar: HKU\S-1-5-21-1299272057-2543773296-3063664486-1000 -> No Name - {2318C2B1-4965-11D4-9B18-009027A5CD4F} -  No File
S3 IpInIp; system32\DRIVERS\ipinip.sys [X]
S3 NwlnkFlt; system32\DRIVERS\nwlnkflt.sys [X]
S3 NwlnkFwd; system32\DRIVERS\nwlnkfwd.sys [X]
S3 ZDPSp60; System32\Drivers\ZDPSp60.sys [X]
2015-08-24 16:42 - 2015-08-24 16:40 - 03681088 _____ (AVG Technologies CZ, s.r.o.) C:\Users\Stewart\Desktop\avg_remover_stf_x86_2015_5501.exe
2015-08-24 15:52 - 2010-08-24 09:23 - 00000000 ____D C:\Users\Stewart\AppData\Roaming\uTorrent
CustomCLSID: HKU\S-1-5-21-1299272057-2543773296-3063664486-1000_Classes\CLSID\{039B2CA5-3B41-4D93-AD77-47D3293FC5CB}\InprocServer32 -> C:\Program Files\Skype\Plugin Manager\ezPMUtils.dll No File
CustomCLSID: HKU\S-1-5-21-1299272057-2543773296-3063664486-1000_Classes\CLSID\{42481700-CF3C-4D05-8EC6-F9A1C57E8DC0}\InprocServer32 -> C:\Program Files\Skype\Plugin Manager\ezPMUtils.dll No File
CustomCLSID: HKU\S-1-5-21-1299272057-2543773296-3063664486-1000_Classes\CLSID\{BB6410D8-F879-4184-9C5C-6A02D16AE0B3}\InprocServer32 -> C:\Program Files\Skype\Plugin Manager\ezPMUtils.dll No File
CustomCLSID: HKU\S-1-5-21-1299272057-2543773296-3063664486-1000_Classes\CLSID\{CA1073A2-5F3F-4445-8E5E-7109BDCEDDBE}\InprocServer32 -> C:\Program Files\Skype\Plugin Manager\ezPMUtils.dll No File
CustomCLSID: HKU\S-1-5-21-1299272057-2543773296-3063664486-1000_Classes\CLSID\{D0D38C6E-BF64-4C42-840D-3E0019D9F7A6}\InprocServer32 -> C:\Program Files\Skype\Plugin Manager\ezPMUtils.dll No File
CustomCLSID: HKU\S-1-5-21-1299272057-2543773296-3063664486-1000_Classes\CLSID\{D5A55D2D-C59D-42C3-A5BF-4C08EEE74339}\InprocServer32 -> C:\Program Files\Skype\Plugin Manager\ezPMUtils.dll No File
C:\Users\Stewart\Desktop\avg_remover_stf_x86_2015_5501.exe
C:\Users\Stewart\AppData\Roaming\uTorrent
C:\program files\utorrent\utorrent.exe
EmptyTemp:
CMD: bitsadmin /reset /allusers

NOTE: this script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system


  • save the files as fixlist.txt in the same folder as FRST – NOTE: It's important that both files, FRST and fixlist.txt are in the same location or the fix will not work
  • run FRST then click Fix just once and wait
  • it will create a log (Fixlog.txt); please post it to your reply.

================================================

Run Security Check

Download Security Check by screen317 from here or here.

  • save it to your Desktop.
  • double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • a Notepad document should open automatically called checkup.txt; please post the contents of that document.

NOTE: If you get the following message: UNSUPPORTED OPERATING SYSTEM! ABORTED!, try rebooting the system and then run SecurityCheck again.

Can you tell me how your computer is now?

Satchfan
 

 


My help is always free of charge. If you are happy with the help provided, if you wish you can make a donation to buy me a beer.
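As an added defender-side check (not code from the thread, from FRST, or from satchfan), the following PowerShell, run in an elevated session on the affected machine, enumerates the Software Restriction Policy (SRP) path rules that FRST reports as "HKLM Group Policy restriction on software", decodes each rule's level, and flags Disallowed rules that cover security-software folders. The folder list and the -WhatIf dry-run removal at the end are assumptions made for this example.

```powershell
# Added example for this thread, not FRST's own logic: list SRP path rules from the
# machine policy and flag "Disallowed" rules that cover security-software folders.
# Such rules are what produces the "This program is blocked by group policy" message
# and what FRST lists as "HKLM Group Policy restriction on software".
# Run in an elevated PowerShell. Per-user rules under HKCU are not covered here.

$SaferRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'

# SRP security-level IDs; each level is a numeric subkey of CodeIdentifiers.
$Levels = @{
    0      = 'Disallowed'
    4096   = 'Untrusted'
    65536  = 'Constrained'
    131072 = 'Basic User'
    262144 = 'Unrestricted'
}

# Folder names no legitimate policy should block outright. Assumption: the first three
# are the folders the fix in this thread restored; extend the list for your environment.
$SecurityFolders = @('AVAST Software', 'AVG', 'McAfee', 'Malwarebytes', 'Windows Defender')

function Get-SrpDefaultLevel {
    # A DefaultLevel of 0 (Disallowed) blocks everything that is not explicitly allowed.
    if (-not (Test-Path -Path $SaferRoot)) { return 'not configured' }
    $id = (Get-ItemProperty -Path $SaferRoot).DefaultLevel
    if ($null -eq $id) { return 'not set (Unrestricted)' }
    if ($Levels.ContainsKey([int]$id)) { $Levels[[int]$id] } else { "Unknown($id)" }
}

function Get-SrpPathRule {
    # Yields one object per path rule: level name, the path it matches, when it was
    # last modified, and the registry key holding it.
    if (-not (Test-Path -Path $SaferRoot)) { return }   # no SRP policy at all
    foreach ($levelKey in Get-ChildItem -Path $SaferRoot) {
        if ($levelKey.PSChildName -notmatch '^\d+$') { continue }
        $levelId   = [int]$levelKey.PSChildName
        $levelName = if ($Levels.ContainsKey($levelId)) { $Levels[$levelId] } else { "Unknown($levelId)" }
        $pathsKey  = Join-Path -Path $levelKey.PSPath -ChildPath 'Paths'
        if (-not (Test-Path -Path $pathsKey)) { continue }
        foreach ($ruleKey in Get-ChildItem -Path $pathsKey) {
            $rule = Get-ItemProperty -Path $ruleKey.PSPath
            [pscustomobject]@{
                Level    = $levelName
                Path     = [string]$rule.ItemData     # REG_SZ/EXPAND_SZ, may contain %vars%
                Modified = if ($rule.LastModified -is [long]) { [datetime]::FromFileTime($rule.LastModified) } else { $null }
                RuleKey  = $ruleKey.PSPath
            }
        }
    }
}

function Find-BlockedSecuritySoftware {
    # Disallowed rules whose path names one of the security-software folders.
    Get-SrpPathRule | Where-Object { $_.Level -eq 'Disallowed' } | Where-Object {
        $rulePath = $_.Path
        @($SecurityFolders | Where-Object { $rulePath -like "*$_*" }).Count -gt 0
    }
}

"SRP default level: $(Get-SrpDefaultLevel)"
$rules = @(Get-SrpPathRule)
if ($rules.Count -eq 0) {
    "No SRP path rules under $SaferRoot."
} else {
    $rules | Sort-Object Level, Path | Format-Table Level, Path, Modified -AutoSize
}

foreach ($r in @(Find-BlockedSecuritySoftware)) {
    Write-Warning "Disallowed SRP rule blocks security software: $($r.Path)"
    # Dry run of the remediation the FRST fix performed; drop -WhatIf to remove the rule.
    Remove-Item -Path $r.RuleKey -Recurse -WhatIf
}
```

Recent "Modified" timestamps on Disallowed rules that name AV folders, on a machine that is not domain-managed, are the tell-tale of the tampering described in this thread.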


#5 Ilovemywifebut

Ilovemywifebut
  • Topic Starter

  • Members
  • 8 posts

Posted 25 August 2015 - 03:51 AM

Thanks Nina,

 

After running the Fix on FRST the machine rebooted and Avast auto-started.  I then ran the Security check and am now doing a full deep scan with Avast.  Logs are below, and I'll report back here later on today after using the machine for a while.

 

Fixlog:

 

Fix result of Farbar Recovery Scan Tool (x86) Version:23-08-2015
Ran by Stewart (2015-08-25 09:10:37) Run:1
Running from C:\Users\Stewart\Desktop
Loaded Profiles: Stewart (Available Profiles: Stewart)
Boot Mode: Normal

==============================================

fixlist content:
*****************
HKLM Group Policy restriction on software: C:\Documents and Settings\All Users\Application Data\McAfee <====== ATTENTION
HKLM Group Policy restriction on software: C:\Program Files\AVAST Software <====== ATTENTION
HKLM Group Policy restriction on software: C:\Program Files\AVG <====== ATTENTION
HKLM Group Policy restriction on software: C:\Program Files\AVG <====== ATTENTION
HKLM Group Policy restriction on software: C:\Documents and Settings\All Users\Application Data\AVAST Software <====== ATTENTION
SearchScopes: HKU\.DEFAULT -> {CCC7A320-B3CA-4199-B1A6-9F516DD69829} URL = hxxp://us.yhs.search.yahoo.com/avg/search?fr=yhs-avg-chrome&type=yahoo_avg_hs2-tb-web_chrome_us&p={searchTerms}
SearchScopes: HKU\S-1-5-21-1299272057-2543773296-3063664486-1000 -> DefaultScope {9932DFE4-9F24-4DF2-B891-AFE2A42C3A52} URL = hxxp://www.google.co.uk/search?hl=en&q={searchTerms}&meta=&rlz=1I7VSND_enGB581
SearchScopes: HKU\S-1-5-21-1299272057-2543773296-3063664486-1000 -> {4B31A162-CE26-494E-9AD4-07935CF8F6BE} URL = hxxp://www.bing.com/search?q={searchTerms}&FORM=DLCDF7&pc=MDDC&src=IE-SearchBox
SearchScopes: HKU\S-1-5-21-1299272057-2543773296-3063664486-1000 -> {9932DFE4-9F24-4DF2-B891-AFE2A42C3A52} URL = hxxp://www.google.co.uk/search?hl=en&q={searchTerms}&meta=&rlz=1I7VSND_enGB581
Toolbar: HKU\S-1-5-21-1299272057-2543773296-3063664486-1000 -> No Name - {2318C2B1-4965-11D4-9B18-009027A5CD4F} -  No File
S3 IpInIp; system32\DRIVERS\ipinip.sys [X]
S3 NwlnkFlt; system32\DRIVERS\nwlnkflt.sys [X]
S3 NwlnkFwd; system32\DRIVERS\nwlnkfwd.sys [X]
S3 ZDPSp60; System32\Drivers\ZDPSp60.sys [X]
2015-08-24 16:42 - 2015-08-24 16:40 - 03681088 _____ (AVG Technologies CZ, s.r.o.) C:\Users\Stewart\Desktop\avg_remover_stf_x86_2015_5501.exe
2015-08-24 15:52 - 2010-08-24 09:23 - 00000000 ____D C:\Users\Stewart\AppData\Roaming\uTorrent
CustomCLSID: HKU\S-1-5-21-1299272057-2543773296-3063664486-1000_Classes\CLSID\{039B2CA5-3B41-4D93-AD77-47D3293FC5CB}\InprocServer32 -> C:\Program Files\Skype\Plugin Manager\ezPMUtils.dll No File
CustomCLSID: HKU\S-1-5-21-1299272057-2543773296-3063664486-1000_Classes\CLSID\{42481700-CF3C-4D05-8EC6-F9A1C57E8DC0}\InprocServer32 -> C:\Program Files\Skype\Plugin Manager\ezPMUtils.dll No File
CustomCLSID: HKU\S-1-5-21-1299272057-2543773296-3063664486-1000_Classes\CLSID\{BB6410D8-F879-4184-9C5C-6A02D16AE0B3}\InprocServer32 -> C:\Program Files\Skype\Plugin Manager\ezPMUtils.dll No File
CustomCLSID: HKU\S-1-5-21-1299272057-2543773296-3063664486-1000_Classes\CLSID\{CA1073A2-5F3F-4445-8E5E-7109BDCEDDBE}\InprocServer32 -> C:\Program Files\Skype\Plugin Manager\ezPMUtils.dll No File
CustomCLSID: HKU\S-1-5-21-1299272057-2543773296-3063664486-1000_Classes\CLSID\{D0D38C6E-BF64-4C42-840D-3E0019D9F7A6}\InprocServer32 -> C:\Program Files\Skype\Plugin Manager\ezPMUtils.dll No File
CustomCLSID: HKU\S-1-5-21-1299272057-2543773296-3063664486-1000_Classes\CLSID\{D5A55D2D-C59D-42C3-A5BF-4C08EEE74339}\InprocServer32 -> C:\Program Files\Skype\Plugin Manager\ezPMUtils.dll No File
C:\Users\Stewart\Desktop\avg_remover_stf_x86_2015_5501.exe
C:\Users\Stewart\AppData\Roaming\uTorrent
C:\program files\utorrent\utorrent.exe
EmptyTemp:
CMD: bitsadmin /reset /allusers
*****************

HKLM Group Policy restriction on software: C:\Documents and Settings\All Users\Application Data\McAfee <====== ATTENTION => restored successfully
HKLM Group Policy restriction on software: C:\Program Files\AVAST Software <====== ATTENTION => restored successfully
HKLM Group Policy restriction on software: C:\Program Files\AVG <====== ATTENTION => restored successfully
HKLM Group Policy restriction on software: C:\Program Files\AVG <====== ATTENTION => restored successfully
HKLM Group Policy restriction on software: C:\Documents and Settings\All Users\Application Data\AVAST Software <====== ATTENTION => restored successfully
"HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{CCC7A320-B3CA-4199-B1A6-9F516DD69829}" => key removed successfully.
HKCR\CLSID\{CCC7A320-B3CA-4199-B1A6-9F516DD69829} => key not found.
HKU\S-1-5-21-1299272057-2543773296-3063664486-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => value removed successfully.
"HKU\S-1-5-21-1299272057-2543773296-3063664486-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{4B31A162-CE26-494E-9AD4-07935CF8F6BE}" => key removed successfully.
HKCR\CLSID\{4B31A162-CE26-494E-9AD4-07935CF8F6BE} => key not found.
"HKU\S-1-5-21-1299272057-2543773296-3063664486-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{9932DFE4-9F24-4DF2-B891-AFE2A42C3A52}" => key removed successfully.
HKCR\CLSID\{9932DFE4-9F24-4DF2-B891-AFE2A42C3A52} => key not found.
HKU\S-1-5-21-1299272057-2543773296-3063664486-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{2318C2B1-4965-11D4-9B18-009027A5CD4F} => value removed successfully.
HKCR\CLSID\{2318C2B1-4965-11D4-9B18-009027A5CD4F} => key not found.
IpInIp => service removed successfully.
NwlnkFlt => service removed successfully.
NwlnkFwd => service removed successfully.
ZDPSp60 => service removed successfully.
C:\Users\Stewart\Desktop\avg_remover_stf_x86_2015_5501.exe => moved successfully
C:\Users\Stewart\AppData\Roaming\uTorrent => moved successfully
"HKU\S-1-5-21-1299272057-2543773296-3063664486-1000_Classes\CLSID\{039B2CA5-3B41-4D93-AD77-47D3293FC5CB}" => key removed successfully.
"HKU\S-1-5-21-1299272057-2543773296-3063664486-1000_Classes\CLSID\{42481700-CF3C-4D05-8EC6-F9A1C57E8DC0}" => key removed successfully.
"HKU\S-1-5-21-1299272057-2543773296-3063664486-1000_Classes\CLSID\{BB6410D8-F879-4184-9C5C-6A02D16AE0B3}" => key removed successfully.
"HKU\S-1-5-21-1299272057-2543773296-3063664486-1000_Classes\CLSID\{CA1073A2-5F3F-4445-8E5E-7109BDCEDDBE}" => key removed successfully.
"HKU\S-1-5-21-1299272057-2543773296-3063664486-1000_Classes\CLSID\{D0D38C6E-BF64-4C42-840D-3E0019D9F7A6}" => key removed successfully.
"HKU\S-1-5-21-1299272057-2543773296-3063664486-1000_Classes\CLSID\{D5A55D2D-C59D-42C3-A5BF-4C08EEE74339}" => key removed successfully.
"C:\Users\Stewart\Desktop\avg_remover_stf_x86_2015_5501.exe" => File/Folder not found.
"C:\Users\Stewart\AppData\Roaming\uTorrent" => File/Folder not found.
"C:\program files\utorrent\utorrent.exe" => File/Folder not found.

=========  bitsadmin /reset /allusers =========

BITSADMIN version 3.0 [ 7.0.6001 ]
BITS administration utility.
© Copyright 2000-2006 Microsoft Corp.

0 out of 28 jobs canceled.

========= End of CMD: =========

EmptyTemp: => 10.1 GB temporary data Removed.

The system needed a reboot.

==== End of Fixlog 09:26:11 ====

 

 

Checkup.txt:

 

 Results of screen317's Security Check version 1.008 
 Windows Vista Service Pack 2 x86 (UAC is enabled) 
 Internet Explorer 9 
 Internet Explorer 8 
``````````````Antivirus/Firewall Check:``````````````
 Windows Firewall Enabled! 
avast! Antivirus  
 Antivirus up to date!  
`````````Anti-malware/Other Utilities Check:`````````
 CCleaner    
 Java 7 Update 67 
 Java version 32-bit out of Date!
  Adobe Flash Player  11.7.700.169 Flash Player out of Date! 
 Adobe Reader 8 Adobe Reader out of Date!
 Mozilla Firefox (3.6.26) Firefox out of Date! 
 Google Chrome (44.0.2403.130)
 Google Chrome (44.0.2403.157)
````````Process Check: objlist.exe by Laurent```````` 
 Windows Defender MSASCui.exe
 Windows Defender MSASCui.exe  
 AVAST Software Avast AvastSvc.exe 
 AVAST Software Avast AvastUI.exe 
`````````````````System Health check`````````````````
 Total Fragmentation on Drive C: 1 %
````````````````````End of Log``````````````````````



#6 satchfan

satchfan

  • Malware Response Team
  • 2,660 posts
  • Gender:Female
  • Location:Devon, UK

Posted 25 August 2015 - 04:04 AM

Thanks for the logs and I'm pleased that things seem better but I asked you not to run any scans unless I requested them. There are reasons for that, one of them being that we need to remove infections in a specific order and other scans may hinder that order of events.

 

However, as it is already scanning, let it run and tell me the result.

 

Nina




#7 Ilovemywifebut

Ilovemywifebut
  • Topic Starter

  • Members
  • 8 posts

Posted 25 August 2015 - 04:09 AM

Sorry Nina,

 

You sound like my old teacher - 'I'm not so much angry, as disappointed.'

 

Scan is taking a while, but I'll report back as soon as it's finished.



#8 satchfan

satchfan

  • Malware Response Team
  • 2,660 posts
  • Gender:Female
  • Location:Devon, UK

Posted 25 August 2015 - 04:12 AM

:) OK, I'll be here.




#9 Ilovemywifebut

Ilovemywifebut
  • Topic Starter

  • Members
  • 8 posts

Posted 25 August 2015 - 06:03 AM

Nina,

 

'Scan complete, NO THREAT FOUND'.

 

This was with Avast, set for Full system scan, all harddisks, rootkits (full scan), auto-start programs and modules loaded from memory.

 

Will await further instructions :)



#10 satchfan

satchfan

  • Malware Response Team
  • 2,660 posts
  • Gender:Female
  • Location:Devon, UK

Posted 25 August 2015 - 06:29 AM

Good that Avast found nothing but then antiviruses don’t pick up everything. If the next scan shows up clean we’ll take it that all is well but if it finds anything, we’ll finish with an online scan which is more thorough.

Download Malwarebytes-Anti-Malware

Click here.

  • double-click mbam-setup.exe and follow the prompts to install the program – (Note: Vista & Windows 7 users, please right-click and select “Run as Administrator”)
  • select the “Scan” tab at the top
  • there are three scan types; choose Threat Scan, then click on Scan
  • when the scan is complete, if no malicious items are found you can close the program
  • if malicious items are found be sure that everything is checked and click Quarantine
  • when removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
  • the log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • copy and paste the contents of that report in your next reply and exit MBAM.

NOTE: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.

Can you tell me if there are any outstanding problems?

Satchfan

 

 




#11 Ilovemywifebut

Ilovemywifebut
  • Topic Starter

  • Members
  • 8 posts

Posted 25 August 2015 - 07:34 AM

MBAM run:

 

Time to Complete Scan:  00:10:37

Items Scanned:  312,395

Threats Identified:  0

 

Thanks Nina.  Anything else that I need to do?



#12 satchfan

satchfan

  • Malware Response Team
  • 2,660 posts
  • Gender:Female
  • Location:Devon, UK

Posted 25 August 2015 - 09:21 AM

Good job: your computer appears to be clean.

Now that you’re free from malware, as long as your computer seems to be running well, please follow these simple steps to tidy up your computer and decrease the likelihood of getting infected again:

Uninstall AdwCleaner

  • double click on adwcleaner.exe to run the tool
  • click on Uninstall
  • confirm with Yes.

===================================================

Download & run Delfix

  • download Delfix from here to remove many of the tools we've used during the cleaning process.
  • ensure “Remove disinfection tools” is checked.

Also place a checkmark next to:

  o Create registry backup
  o Purge system restore

  • click the Run button.

You can delete all other logs and programs we’ve used that are on your desktop. Just click on them and press Delete.

===================================================

Windows updates

I notice that Windows updates are waiting to be installed. Click here for information on how to get the latest Windows updates:

===================================================

Update installed programs

Your versions of Flash Player, Java and Adobe Reader are out-of-date and need to be removed and updated.

Having the latest updates and removing old versions ensures there are no security vulnerabilities in your system.

To remove them:

  • click Start, Control Panel, Programs and Features.
  • click on each of these program names, one at a time, and then on Uninstall:


Java 7 Update 67
Adobe Flash Player  11.7.700.169
Adobe Reader 8

 

If you are prompted for an administrator password or confirmation, type the password or provide confirmation.

Go here and download the latest version of Flash Player.

Note: Before you hit the Download now button, uncheck the Chrome offer if it’s not something you want.

NEXT

Visit Adobe and download the latest version of Acrobat Reader.


NEXT

Install the latest version of Java:

Java

NOTE – when you install Java, before clicking on Install, be sure to Uncheck “Install the Ask Toolbar and make Ask my default search provider”


Even though I just had you get the latest version of Java, there is a vulnerability with regards to Java and web browsers. Therefore, we recommend disabling Java in web browsers.

More information can be found here.

===================================================

Recommended programs

SpywareBlaster. SpywareBlaster protects against bad ActiveX; it immunizes your PC against them. It blocks over 11,000 bad sites and uses no resources of your computer.

======================

Update and run Malwarebytes. This really is an excellent program that you should also update and run on a regular basis, probably weekly.

======================

It’s important to keep programs up to date so that malware doesn't exploit any old security flaws.

FileHippo Update Checker is an extremely helpful program that will tell you which of your programs need to be updated.

======================

Download WOT

Web of Trust warns you about risky websites that try to scam visitors, deliver malware or send spam. Protect your computer against online threats by using WOT as your front-line layer of protection when browsing or searching in unfamiliar territory. WOT's color-coded icons show you ratings for 21 million websites, helping you avoid the dangerous sites:

  • green if it's safe
  • yellow for caution
  • red for unsafe


You can download the WOT add-on for Firefox, Chrome, Internet Explorer, Opera, and Safari browsers. It does not slow down your browsing experience, it is easy to use and free. Just click “Download” and you are ready to go!

======================

MVPS Hosts file replaces your current HOSTS file with one containing well known ad sites and other bad sites. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer, meaning it will be difficult to infect yourself in the future.

A couple of links with information here and here which can answer any questions you might have about installing/using it.

======================

Unchecky

Be careful when downloading free software. Many free programs come bundled with adware, many of which cause redirects/popups and verge on being malware. There is a program that automatically “unchecks” the boxes you may not notice when downloading programs.

Download and install Unchecky.

======================

Download and install CryptoPrevent

Crypto Ransomware Warning

There are particularly nasty “Ransomware” infections out there at the moment that encrypt your files and the only way possible to get them “de-crypted” is to pay a ransom. You can read more about this here.

  • download CryptoPrevent
  • save the file to your Desktop and then open the program by clicking Run when prompted from your browser or by going to the desktop where the file was saved and double-clicking.
  • accept all the defaults during the install. The last screen of the install has a checkmark in "Launch CryptoPrevent". This will launch the program once you click Finish
  • you will get a prompt asking if you purchased a Product Key for Automatic Updates. Click No
  • you will then be prompted to learn more about automatic updates or if you want to purchase a key. This is up to you but you don't have to
  • click OK to continue and select your protection level. Go ahead and click OK.
  • click the Apply button to set Default protection
  • you may get a message stating that Windows Sidebar and Desktop Gadgets are a major security vulnerability and asking you if you want to disable them. If you don't use these features, answer Yes.

You are now protected.

Note: The free version doesn't provide automatic updates but should be updated often (at least weekly), as this infection has serious consequences. To update it manually, open the program, select the “Updates” menu then select Check for Updates to see if there are any available.

===================================================

I also recommend that you read the following:

How to prevent malware by miekiemoes

Help! My computer is slow! by miekiemoes

Simple and easy ways to keep your computer safe and secure on the Internet by Lawrence Abrams

I will keep this open for 24 hours in case you have any problems, after which I’ll close the topic.

Safe computing

Nina

My help is always free of charge. If you are happy with the help provided, if you wish you can make a donation to buy me a beer.
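As an added illustration of the MVPS HOSTS mechanism described above (not code from the post or from the MVPS project), this small model parses HOSTS-file text and shows why pointing a name at 127.0.0.1 blocks it, and why an unlisted subdomain is not blocked. The sample entries are constructed, not the real MVPS list.

```python
# Added example: a minimal model of HOSTS-file blocking as used by the
# MVPS HOSTS file. Each line maps hostnames to an address; mapping an ad or
# malware host to 127.0.0.1 (your own machine) means a connection to that
# name never leaves the PC. The OS matches exact hostnames only, so a
# subdomain that is not listed still resolves normally via DNS.

# Constructed sample in HOSTS-file format (the real MVPS file is much longer).
SAMPLE_HOSTS = """\
# constructed sample entries, not the real MVPS list
127.0.0.1  localhost
127.0.0.1  ads.example.test
127.0.0.1  tracker.example.test   # trailing comment is ignored
"""


def parse_hosts(text):
    """Return {hostname: address} from HOSTS-file text, skipping comments."""
    table = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        parts = line.split()
        addr, names = parts[0], parts[1:]
        for name in names:
            # hostnames are case-insensitive; first match wins, as in the OS resolver
            table.setdefault(name.lower(), addr)
    return table


def resolve(hostname, table):
    """Mimic the HOSTS-file step of name lookup: exact match, or None (falls through to DNS)."""
    return table.get(hostname.strip().lower())


def is_blocked(hostname, table):
    """True when the HOSTS file pins the name to loopback (127.0.0.1) or to 0.0.0.0."""
    return resolve(hostname, table) in ("127.0.0.1", "0.0.0.0")
```

Running `is_blocked("cdn.ads.example.test", parse_hosts(SAMPLE_HOSTS))` returns False, which is the practical caveat: a HOSTS blocklist only covers names that are explicitly listed.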


#13 Ilovemywifebut

Ilovemywifebut
  • Topic Starter

  • Members
  • 8 posts
  • Local time:01:03 AM

Posted 25 August 2015 - 09:35 AM

Nina,

Very many thanks again.  I will do as you say, and then try to educate my wife to stop it happening again.

All the best

Stewart



#14 satchfan

satchfan

  • Malware Response Team
  • 2,660 posts
  • Gender:Female
  • Location:Devon, UK
  • Local time:01:03 AM

Posted 25 August 2015 - 09:59 AM

You're welcome Stewart.

Regards to you and your wife.

Nina




#15 Ilovemywifebut

Ilovemywifebut
  • Topic Starter

  • Members
  • 8 posts
  • Local time:01:03 AM

Posted 25 August 2015 - 10:16 AM

Nina,

Just to say that the link you've got to techsupportforum about the Java vulnerability is out of date - says that page no longer exists.

Cheers
