
Possible Virus or Malware affecting my network access


  • This topic is locked
18 replies to this topic

#1 singlre

singlre

  • Members
  • 10 posts
  • OFFLINE
  • Local time:01:31 PM

Posted 27 October 2015 - 08:29 AM

Hello,

 

For the past six months I’ve been experiencing very slow, unloadable or unresponsive web pages and download errors using any browser (Chrome, Firefox or Internet Explorer) on my main computer. This computer is directly connected to my ISP modem/router. The slowness happens even with just this computer on the network. Other devices also have connection problems, be it laptop, tablet or cell phone, mine or a visitor's. I’ve been through several discussions with my ISP and they always tell me the same thing every time….everything looks fine on their end, I’m getting the appropriate speed for my plan. Now, I admit I do have the lowest internet speed of 768 kbps / 384 kbps, but prior to this ISP doing the migration of their internet services everything was fine on my DSL with multiple devices…it was slow, but fine. I was able to accomplish things and so could others in my home. I've taken my laptop to work and it was connecting/browsing fine; brought it back home and pages barely load. Speedtest.net can't even come up. I can't drag my desktop to work, so I need to know if it is the computer.

 

I’m at the end of the patience line and wanted someone else’s point of view, because I’ve run several security, networking and utility tools trying to find out why my internet speed is now so lousy with the one computer on it. Nothing major ever comes up after the scans, so now I’m at the point of firing my ISP and getting better service from someone else, because I feel my ISP is probably throttling down my speeds, but I want to be absolutely sure that is the case.

 

Thanks

Attached Files





#2 nasdaq

nasdaq

  • Malware Response Team
  • 39,909 posts
  • ONLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:02:31 PM

Posted 30 October 2015 - 10:39 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

Remove the programs in bold using the Add/Remove Programs applet.

Catalina Savings Printer (HKLM-x32\...\{4956ACE3-F537-4418-BB45-FD52395275A7}) (Version: 1.0.0 - Catalina Marketing Corp) <==== ATTENTION
Coupon Printer for Windows (HKLM-x32\...\Coupon Printer for Windows5.0.1.5) (Version: 5.0.1.5 - Coupons.com Incorporated)
Freemake Video Converter version 4.1.6 (HKLM-x32\...\Freemake Video Converter_is1) (Version: 4.1.6 - Ellora Assets Corporation)
YTD Toolbar v7.3 (HKLM-x32\...\{6C587D8F-FE8B-4FAE-AC4C-B990BACFE6EB}) (Version: 7.3 - Spigot, Inc.) <==== ATTENTION

===


Press the Windows key + R on your keyboard at the same time. This will open the Run box.
Type Notepad and click OK.
Please copy the entire contents of the code box below to a new file.
 
start

CreateRestorePoint:
EmptyTemp:
CloseProcesses:

(Coupons.com Inc.) C:\Program Files (x86)\Coupons\CouponPrinterService.exe
HKLM-x32\...\Run: [] => [X]
Winlogon\Notify\SDWinLogon-x32: SDWinLogon.dll [X]
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
HKU\S-1-5-21-1826123673-4292494960-549196744-1000\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
BHO-x32: Norton Vulnerability Protection -> {6D53EC84-6AAE-4787-AEEE-F4628F01010C} -> C:\Program Files (x86)\Norton Internet Security\Engine\21.7.0.11\IPS\IPSBHO.DLL => No File
FF Plugin HKU\S-1-5-21-1826123673-4292494960-549196744-1000: CouponNetwork.com/CMDUniversalCouponPrintActivator -> C:\Users\REGEVE~1\AppData\Roaming\CATALI~2\NPBCSK~1.DLL [No File]
FF Plugin ProgramFiles/Appdata: C:\Program Files (x86)\mozilla firefox\plugins\NPcol400.dll [2013-02-19] (Catalina Marketing Corporation)
FF Plugin ProgramFiles/Appdata: C:\Program Files (x86)\mozilla firefox\browser\plugins\npMozCouponPrinter.dll [2015-02-26] (Coupons, Inc.)
CHR HomePage: Default -> hxxp://mysearch.avg.com/?cid={CEB41B20-2927-407A-97B9-B18D1415EBD5}&mid=f02d1a30c6bc47d3aaccd16fd8e40634-2f7f47b1ad61968f08d95f1847002a540f461ac0&lang=en&ds=oc011&pr=sa&d=2013-06-08 21:43:30&v=15.2.0.5&pid=safeguard&sg=&sap=hp
CHR Plugin: (Native Client) - C:\Program Files (x86)\Google\Chrome\Application\46.0.2490.80\ppGoogleNaClPluginChrome.dll => No File
CHR Plugin: (Chrome PDF Viewer) - C:\Program Files (x86)\Google\Chrome\Application\46.0.2490.80\pdf.dll => No File
CHR Plugin: (Coupons Inc., Coupon Printer Manager ) - C:\Program Files (x86)\Google\Chrome\Application\plugins\npMozCouponPrinter.dll (Coupons, Inc.)
CHR Plugin: (CouponNetwork Coupon Activator Netscape Plugin v. 5.0.0.0) - C:\Program Files (x86)\Mozilla Firefox\plugins\NPcol400.dll (Catalina Marketing Corporation)
CHR Plugin: (DivX Plus Web Player) - C:\Program Files (x86)\DivX\DivX Plus Web Player\npdivx32.dll => No File
CHR Plugin: (Google Update) - C:\Program Files (x86)\Google\Update\1.3.21.153\npGoogleUpdate3.dll => No File
CHR Plugin: (Java(TM) Platform SE 7 U25) - C:\Program Files (x86)\Java\jre7\bin\plugin2\npjp2.dll => No File
CHR Plugin: (iTunes Application Detector) - C:\Program Files (x86)\iTunes\Mozilla Plugins\npitunes.dll => No File
CHR Plugin: (Catalina Savings Printer) - C:\Users\REGEVE~1\AppData\Roaming\CATALI~2\NPBCSK~1.DLL => No File
CHR Plugin: (Shockwave Flash) - C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_11_8_800_94.dll => No File
CHR Plugin: (Java Deployment Toolkit 7.0.250.17) - C:\Windows\SysWOW64\npDeployJava1.dll => No File
CHR Plugin: (Shockwave for Director) - C:\Windows\system32\Adobe\Director\np32dsw.dll => No File
CHR Plugin: (Silverlight Plug-In) - c:\Program Files (x86)\Microsoft Silverlight\5.1.20513.0\npctrl.dll => No File
R2 CouponPrinterService; C:\Program Files (x86)\Coupons\CouponPrinterService.exe [1413104 2015-03-04] (Coupons.com Inc.)
U3 idsvc; no ImagePath
S3 NPF; system32\drivers\NPF.sys [X]
S3 PcdrNdisuio; \SystemRoot\syswow64\drivers\pcdrndisuio.sys [X]
S3 PCDSRVC{F36B3A4C-F95654BD-06000000}_0; \??\c:\program files\pc-doctor for windows\pcdsrvc_x64.pkms [X]
S3 wfpcapture; \SystemRoot\System32\drivers\wfpcapture.sys [X]
U3 wpcsvc; no ImagePath
Task: {15A87FAD-5CD9-4C52-AA7C-9BDC16BF5CC0} - \Safer-Networking\Spybot - Search and Destroy\Check for updates -> No File <==== ATTENTION
Task: {16E13AD7-70D0-4B91-92F7-431921A10DD9} - \Microsoft\Windows\Setup\GWXTriggers\Logon-5d -> No File <==== ATTENTION
Task: {1BC98E83-EBE6-4353-84AB-192D7E8A1A5B} - \Microsoft\Windows\Setup\GWXTriggers\OutOfIdle-5d -> No File <==== ATTENTION
Task: {1C957307-BD7D-473C-B6FA-7A1D3BAE2B1E} - \Safer-Networking\Spybot - Search and Destroy\Refresh immunization -> No File <==== ATTENTION
Task: {1FA966AD-57A9-424B-8767-160019094B91} - \Microsoft\Windows\Setup\gwx\refreshgwxcontent -> No File <==== ATTENTION
Task: {267BEA5C-8F86-476D-BCAA-773EBE2B7DBF} - \Microsoft\Windows\Setup\GWXTriggers\MachineUnlock-5d -> No File <==== ATTENTION
Task: {375B8506-1AF9-4CAC-8959-B7C1146A6899} - \Microsoft\Windows\Setup\GWXTriggers\OutOfSleep-5d -> No File <==== ATTENTION
Task: {4EE2EC4B-F42B-430D-8B7C-19363151C022} - \Microsoft\Windows\Setup\gwx\launchtrayprocess -> No File <==== ATTENTION
Task: {52424697-8DF3-4670-B584-6369E812606B} - \Microsoft\Windows\Setup\GWXTriggers\Time-5d -> No File <==== ATTENTION
Task: {6D40B2CF-FD52-4317-AB48-4CC854C48B27} - \Safer-Networking\Spybot - Search and Destroy\Scan the system -> No File <==== ATTENTION
Task: {B8B10C78-FB2B-4C4A-A7E3-17E9C97AF7D6} - \Microsoft\Windows\Setup\GWXTriggers\refreshgwxconfig-B -> No File <==== ATTENTION
Task: {D7DDE63E-7305-43E4-99D4-C7A11472CFE9} - \Microsoft\Windows\Setup\gwx\refreshgwxconfigandcontent -> No File <==== ATTENTION
Task: {E0F6742E-CEF9-4BB7-ADDB-EF6F30FEC215} - \Microsoft\Windows\Setup\GWXTriggers\Telemetry-4xd -> No File <==== ATTENTION
Task: {FE5391D6-9407-48F1-8075-476E96004555} - \Microsoft\Windows\Setup\gwx\refreshgwxconfig -> No File <==== ATTENTION
AlternateDataStreams: C:\ProgramData\Temp:792D4CF1

End
Save the file as fixlist.txt in the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the Farbar log you have submitted.

Run FRST and click Fix only once and wait.

Restart the computer normally to reset the registry.

The tool will create a log (Fixlog.txt); please post it in your reply.
===

Reset the browsers that have been compromised.

Reset Chrome...
Open Google Chrome and click on the menu icon, which is located at the top right of the Chrome window.
 
Click "Settings" then "Show advanced settings" at the bottom of the screen.
 
Click "Reset browser settings" button.
 
Clear your cache and cookies
https://support.google.com/chromebook/answer/183083?hl=en
Select "From the beginning of time"

Restart Chrome.

====

Firefox:
Reset Default Browsing settings:
https://support.mozilla.org/en-US/kb/reset-firefox-easily-fix-problems?utm_expid=65912487-41.djHNRQY0RhaLvvtvcd0BQA.2&utm_referrer=https%3A%2F%2Fwww.google.ca%2F

Clean the Firefox Cache.
https://kb.wisc.edu/page.php?id=15141
===

Reset Internet Explorer:
Menu > Tools > Internet Options > Advanced Tab.
Click the Reset button on the bottom of the pane.
Click the Apply button.
Close IE.


Clean the Internet Explorer Cache.
https://kb.wisc.edu/page.php?id=15141

For IE 10, 11 follow the following instructions.
http://refreshyourcache.com/en/internet-explorer-11/
===

Restart the computer normally.

How is the computer running now?

#3 singlre

singlre
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Local time:01:31 PM

Posted 30 October 2015 - 11:56 PM

Okay, I don't know what's going on with FRST. I clicked on the file like before, and it stated "New update found...please wait". After it was finished and the update was complete, the program closed out on me before doing anything. Clicked on the file to open it again and I get a message "This app can't run on your PC". Not able to re-download it here at home; it starts, then hangs at 0.1/2.1 MB and eventually the download fails. I have to download it at work on Monday at best.

 

The programs you told me to remove I could not remove Catalina Savings Printer and YTD Toolbar. Both stated "The installation source for this product is not available. Verify that the source exists and the you can access it".

 

The browsers have been reset though.



#4 nasdaq

nasdaq

  • Malware Response Team
  • 39,909 posts
  • ONLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:02:31 PM

Posted 31 October 2015 - 08:22 AM

The programs you told me to remove I could not remove Catalina Savings Printer and YTD Toolbar. Both stated "The installation source for this product is not available. Verify that the source exists and the you can access it"

This is probably just a remnant item in the Registry. Forget about it.
==

In your first FRST log you have executed the Farbar tool that was in your Desktop.

C:\Users\Regevette\Desktop

Make sure that the new version is also on the Desktop.

The file fixlist.txt that you have created must also be located on your Desktop.

With both files on the Desktop of Regevette, run the tool and click the Fix button.
Post the log if you can.
If not let me know what message you receive.

#5 singlre

singlre
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Local time:01:31 PM

Posted 31 October 2015 - 09:56 PM

Yes, the Farbar tool is on my desktop and that's where I launched it again. The update happened and it placed a different icon on the desktop named FRST64. Once clicking on it I got the message "This app can't run on your PC". Weird, but I can't do anything but wait until Monday after work. I'm not able to re-download it here at home because of the issues I'm experiencing.



#6 nasdaq

nasdaq

  • Malware Response Team
  • 39,909 posts
  • ONLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:02:31 PM

Posted 01 November 2015 - 08:53 AM

You should download the FRST64.exe using another computer.
Copy the File to the Desktop of the compromised computer and run the Fix.

===

If that fails, download and run this tool.

Temporarily disable your AV program so it does not interfere.
Info on how to disable your security applications: How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs - Security Mini-Guides.

Download the Zoek tool from here

When the download appears, save to the Desktop.
On the Desktop, right-click the Zoek.exe file and select: Run as Administrator
(Give it a few seconds to appear.)

Next, copy/paste the entire script inside the code box below to the input field of Zoek:
createsrpoint;
autoclean;
emptyalltemp;
ipconfig /flushdns;b
Now...
Close any open Browsers.
Click the Run script button, and wait. It takes a few minutes to run the whole script.

When the tool finishes, the zoek-results.log is opened in Notepad.
The log is also found on the systemdrive, normally C:\
If a reboot is needed, the log is opened after the reboot.

Please attach the zoek-results.log in your reply.

Also, please provide an update on how the computer is behaving after running the above script.

===

#7 singlre

singlre
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Local time:01:31 PM

Posted 02 November 2015 - 07:00 PM

Alright, got the updated version of FRST64 at work today. Placed on desktop and ran the fix. Didn't run the Zoek tool because FRST did work, so awaiting further instructions.

I'm using the computer connected to ISP modem alone and the pages still load extremely slow or incomplete (speedtest.net won't even completely load and if it does get there the test will have timed out), downloading anything starts for like 0.3 kb then stops and eventually fails or will be incomplete.

 

 

Fix result of Farbar Recovery Scan Tool (x64) Version:31-10-2015
Ran by Regevette (2015-11-02 18:17:07) Run:1
Running from C:\Users\Regevette\Desktop
Loaded Profiles: Regevette & DefaultAppPool (Available Profiles: Regevette & Guest & DefaultAppPool)
Boot Mode: Normal
==============================================
 
fixlist content:
*****************
start
 
CreateRestorePoint:
EmptyTemp:
CloseProcesses:
 
(Coupons.com Inc.) C:\Program Files (x86)\Coupons\CouponPrinterService.exe
HKLM-x32\...\Run: [] => [X]
Winlogon\Notify\SDWinLogon-x32: SDWinLogon.dll [X]
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
HKU\S-1-5-21-1826123673-4292494960-549196744-1000\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
BHO-x32: Norton Vulnerability Protection -> {6D53EC84-6AAE-4787-AEEE-F4628F01010C} -> C:\Program Files (x86)\Norton Internet Security\Engine\21.7.0.11\IPS\IPSBHO.DLL => No File
FF Plugin HKU\S-1-5-21-1826123673-4292494960-549196744-1000: CouponNetwork.com/CMDUniversalCouponPrintActivator -> C:\Users\REGEVE~1\AppData\Roaming\CATALI~2\NPBCSK~1.DLL [No File]
FF Plugin ProgramFiles/Appdata: C:\Program Files (x86)\mozilla firefox\plugins\NPcol400.dll [2013-02-19] (Catalina Marketing Corporation)
FF Plugin ProgramFiles/Appdata: C:\Program Files (x86)\mozilla firefox\browser\plugins\npMozCouponPrinter.dll [2015-02-26] (Coupons, Inc.)
CHR HomePage: Default -> hxxp://mysearch.avg.com/?cid={CEB41B20-2927-407A-97B9-B18D1415EBD5}&mid=f02d1a30c6bc47d3aaccd16fd8e40634-2f7f47b1ad61968f08d95f1847002a540f461ac0&lang=en&ds=oc011&pr=sa&d=2013-06-08 21:43:30&v=15.2.0.5&pid=safeguard&sg=&sap=hp
CHR Plugin: (Native Client) - C:\Program Files (x86)\Google\Chrome\Application\46.0.2490.80\ppGoogleNaClPluginChrome.dll => No File
CHR Plugin: (Chrome PDF Viewer) - C:\Program Files (x86)\Google\Chrome\Application\46.0.2490.80\pdf.dll => No File
CHR Plugin: (Coupons Inc., Coupon Printer Manager ) - C:\Program Files (x86)\Google\Chrome\Application\plugins\npMozCouponPrinter.dll (Coupons, Inc.)
CHR Plugin: (CouponNetwork Coupon Activator Netscape Plugin v. 5.0.0.0) - C:\Program Files (x86)\Mozilla Firefox\plugins\NPcol400.dll (Catalina Marketing Corporation)
CHR Plugin: (DivX Plus Web Player) - C:\Program Files (x86)\DivX\DivX Plus Web Player\npdivx32.dll => No File
CHR Plugin: (Google Update) - C:\Program Files (x86)\Google\Update\1.3.21.153\npGoogleUpdate3.dll => No File
CHR Plugin: (Java™ Platform SE 7 U25) - C:\Program Files (x86)\Java\jre7\bin\plugin2\npjp2.dll => No File
CHR Plugin: (iTunes Application Detector) - C:\Program Files (x86)\iTunes\Mozilla Plugins\npitunes.dll => No File
CHR Plugin: (Catalina Savings Printer) - C:\Users\REGEVE~1\AppData\Roaming\CATALI~2\NPBCSK~1.DLL => No File
CHR Plugin: (Shockwave Flash) - C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_11_8_800_94.dll => No File
CHR Plugin: (Java Deployment Toolkit 7.0.250.17) - C:\Windows\SysWOW64\npDeployJava1.dll => No File
CHR Plugin: (Shockwave for Director) - C:\Windows\system32\Adobe\Director\np32dsw.dll => No File
CHR Plugin: (Silverlight Plug-In) - c:\Program Files (x86)\Microsoft Silverlight\5.1.20513.0\npctrl.dll => No File
R2 CouponPrinterService; C:\Program Files (x86)\Coupons\CouponPrinterService.exe [1413104 2015-03-04] (Coupons.com Inc.)
U3 idsvc; no ImagePath
S3 NPF; system32\drivers\NPF.sys [X]
S3 PcdrNdisuio; \SystemRoot\syswow64\drivers\pcdrndisuio.sys [X]
S3 PCDSRVC{F36B3A4C-F95654BD-06000000}_0; \??\c:\program files\pc-doctor for windows\pcdsrvc_x64.pkms [X]
S3 wfpcapture; \SystemRoot\System32\drivers\wfpcapture.sys [X]
U3 wpcsvc; no ImagePath
Task: {15A87FAD-5CD9-4C52-AA7C-9BDC16BF5CC0} - \Safer-Networking\Spybot - Search and Destroy\Check for updates -> No File <==== ATTENTION
Task: {16E13AD7-70D0-4B91-92F7-431921A10DD9} - \Microsoft\Windows\Setup\GWXTriggers\Logon-5d -> No File <==== ATTENTION
Task: {1BC98E83-EBE6-4353-84AB-192D7E8A1A5B} - \Microsoft\Windows\Setup\GWXTriggers\OutOfIdle-5d -> No File <==== ATTENTION
Task: {1C957307-BD7D-473C-B6FA-7A1D3BAE2B1E} - \Safer-Networking\Spybot - Search and Destroy\Refresh immunization -> No File <==== ATTENTION
Task: {1FA966AD-57A9-424B-8767-160019094B91} - \Microsoft\Windows\Setup\gwx\refreshgwxcontent -> No File <==== ATTENTION
Task: {267BEA5C-8F86-476D-BCAA-773EBE2B7DBF} - \Microsoft\Windows\Setup\GWXTriggers\MachineUnlock-5d -> No File <==== ATTENTION
Task: {375B8506-1AF9-4CAC-8959-B7C1146A6899} - \Microsoft\Windows\Setup\GWXTriggers\OutOfSleep-5d -> No File <==== ATTENTION
Task: {4EE2EC4B-F42B-430D-8B7C-19363151C022} - \Microsoft\Windows\Setup\gwx\launchtrayprocess -> No File <==== ATTENTION
Task: {52424697-8DF3-4670-B584-6369E812606B} - \Microsoft\Windows\Setup\GWXTriggers\Time-5d -> No File <==== ATTENTION
Task: {6D40B2CF-FD52-4317-AB48-4CC854C48B27} - \Safer-Networking\Spybot - Search and Destroy\Scan the system -> No File <==== ATTENTION
Task: {B8B10C78-FB2B-4C4A-A7E3-17E9C97AF7D6} - \Microsoft\Windows\Setup\GWXTriggers\refreshgwxconfig-B -> No File <==== ATTENTION
Task: {D7DDE63E-7305-43E4-99D4-C7A11472CFE9} - \Microsoft\Windows\Setup\gwx\refreshgwxconfigandcontent -> No File <==== ATTENTION
Task: {E0F6742E-CEF9-4BB7-ADDB-EF6F30FEC215} - \Microsoft\Windows\Setup\GWXTriggers\Telemetry-4xd -> No File <==== ATTENTION
Task: {FE5391D6-9407-48F1-8075-476E96004555} - \Microsoft\Windows\Setup\gwx\refreshgwxconfig -> No File <==== ATTENTION[/B]
AlternateDataStreams: C:\ProgramData\Temp:792D4CF1
 
End
*****************
 
Restore point was successfully created.
Processes closed successfully.
C:\Program Files (x86)\Coupons\CouponPrinterService.exe => No running process found
HKLM\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\\ => value removed successfully
"HKLM\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SDWinLogon" => key removed successfully
"HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer" => key removed successfully
"HKU\S-1-5-21-1826123673-4292494960-549196744-1000\SOFTWARE\Policies\Microsoft\Internet Explorer" => key removed successfully
"HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6D53EC84-6AAE-4787-AEEE-F4628F01010C}" => key removed successfully
"HKCR\Wow6432Node\CLSID\{6D53EC84-6AAE-4787-AEEE-F4628F01010C}" => key removed successfully
"HKU\S-1-5-21-1826123673-4292494960-549196744-1000\Software\MozillaPlugins\CouponNetwork.com/CMDUniversalCouponPrintActivator" => key removed successfully
C:\Users\REGEVE~1\AppData\Roaming\CATALI~2\NPBCSK~1.DLL => not found.
C:\Program Files (x86)\mozilla firefox\plugins\NPcol400.dll => moved successfully
C:\Program Files (x86)\mozilla firefox\browser\plugins\npMozCouponPrinter.dll => moved successfully
Chrome HomePage => removed successfully
C:\Program Files (x86)\Google\Chrome\Application\46.0.2490.80\ppGoogleNaClPluginChrome.dll => not found.
C:\Program Files (x86)\Google\Chrome\Application\46.0.2490.80\pdf.dll => not found.
C:\Program Files (x86)\Google\Chrome\Application\plugins\npMozCouponPrinter.dll => moved successfully
C:\Program Files (x86)\Mozilla Firefox\plugins\NPcol400.dll => not found.
C:\Program Files (x86)\DivX\DivX Plus Web Player\npdivx32.dll => not found.
C:\Program Files (x86)\Google\Update\1.3.21.153\npGoogleUpdate3.dll => not found.
C:\Program Files (x86)\Java\jre7\bin\plugin2\npjp2.dll => not found.
C:\Program Files (x86)\iTunes\Mozilla Plugins\npitunes.dll => not found.
C:\Users\REGEVE~1\AppData\Roaming\CATALI~2\NPBCSK~1.DLL => not found.
C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_11_8_800_94.dll => not found.
C:\Windows\SysWOW64\npDeployJava1.dll => not found.
C:\Windows\system32\Adobe\Director\np32dsw.dll => not found.
c:\Program Files (x86)\Microsoft Silverlight\5.1.20513.0\npctrl.dll => not found.
CouponPrinterService => service removed successfully
idsvc => service removed successfully
NPF => service removed successfully
PcdrNdisuio => service removed successfully
PCDSRVC{F36B3A4C-F95654BD-06000000}_0 => service removed successfully
wfpcapture => service removed successfully
wpcsvc => service removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon\{15A87FAD-5CD9-4C52-AA7C-9BDC16BF5CC0}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{15A87FAD-5CD9-4C52-AA7C-9BDC16BF5CC0}" => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Safer-Networking\Spybot - Search and Destroy\Check for updates => key not found. 
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon\{16E13AD7-70D0-4B91-92F7-431921A10DD9}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{16E13AD7-70D0-4B91-92F7-431921A10DD9}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Setup\GWXTriggers\Logon-5d" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{1BC98E83-EBE6-4353-84AB-192D7E8A1A5B}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{1BC98E83-EBE6-4353-84AB-192D7E8A1A5B}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Setup\GWXTriggers\OutOfIdle-5d" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{1C957307-BD7D-473C-B6FA-7A1D3BAE2B1E}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{1C957307-BD7D-473C-B6FA-7A1D3BAE2B1E}" => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Safer-Networking\Spybot - Search and Destroy\Refresh immunization => key not found. 
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{1FA966AD-57A9-424B-8767-160019094B91}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{1FA966AD-57A9-424B-8767-160019094B91}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Setup\gwx\refreshgwxcontent" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{267BEA5C-8F86-476D-BCAA-773EBE2B7DBF}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{267BEA5C-8F86-476D-BCAA-773EBE2B7DBF}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Setup\GWXTriggers\MachineUnlock-5d" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{375B8506-1AF9-4CAC-8959-B7C1146A6899}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{375B8506-1AF9-4CAC-8959-B7C1146A6899}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Setup\GWXTriggers\OutOfSleep-5d" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon\{4EE2EC4B-F42B-430D-8B7C-19363151C022}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{4EE2EC4B-F42B-430D-8B7C-19363151C022}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Setup\gwx\launchtrayprocess" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{52424697-8DF3-4670-B584-6369E812606B}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{52424697-8DF3-4670-B584-6369E812606B}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Setup\GWXTriggers\Time-5d" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{6D40B2CF-FD52-4317-AB48-4CC854C48B27}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{6D40B2CF-FD52-4317-AB48-4CC854C48B27}" => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Safer-Networking\Spybot - Search and Destroy\Scan the system => key not found. 
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{B8B10C78-FB2B-4C4A-A7E3-17E9C97AF7D6}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{B8B10C78-FB2B-4C4A-A7E3-17E9C97AF7D6}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Setup\GWXTriggers\refreshgwxconfig-B" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{D7DDE63E-7305-43E4-99D4-C7A11472CFE9}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{D7DDE63E-7305-43E4-99D4-C7A11472CFE9}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Setup\gwx\refreshgwxconfigandcontent" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{E0F6742E-CEF9-4BB7-ADDB-EF6F30FEC215}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{E0F6742E-CEF9-4BB7-ADDB-EF6F30FEC215}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Setup\GWXTriggers\Telemetry-4xd" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{FE5391D6-9407-48F1-8075-476E96004555}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{FE5391D6-9407-48F1-8075-476E96004555}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Setup\gwx\refreshgwxconfig" => key removed successfully
C:\ProgramData\Temp => ":792D4CF1" ADS removed successfully.
EmptyTemp: => 134.5 MB temporary data Removed.
 
 
The system needed a reboot.
 
==== End of Fixlog 18:18:47 ====
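As an added example, not part of this thread and not code from the Farbar tool: a small Python parser for the result lines FRST writes to Fixlog.txt, of the kind a helper could run to check what a fix actually changed before asking for the next step. The sample lines are a subset copied from the Fixlog above; the outcome labels ("key removed", "not found", and so on) are names chosen here, not FRST terminology, and the pattern list is an assumption about the line shapes seen in this log.

```python
import re
from collections import Counter

# Sample input: result lines in the shape FRST writes to Fixlog.txt.
# These particular lines are copied from the Fixlog posted in this thread.
SAMPLE_FIXLOG = r"""
Restore point was successfully created.
Processes closed successfully.
C:\Program Files (x86)\Coupons\CouponPrinterService.exe => No running process found
HKLM\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\\ => value removed successfully
"HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer" => key removed successfully
C:\Users\REGEVE~1\AppData\Roaming\CATALI~2\NPBCSK~1.DLL => not found.
C:\Program Files (x86)\mozilla firefox\plugins\NPcol400.dll => moved successfully
Chrome HomePage => removed successfully
CouponPrinterService => service removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Safer-Networking\Spybot - Search and Destroy\Check for updates => key not found. 
C:\ProgramData\Temp => ":792D4CF1" ADS removed successfully.
EmptyTemp: => 134.5 MB temporary data Removed.

The system needed a reboot.
"""

# Outcome patterns (assumed from the line shapes in this log), checked in order.
# The generic "removed successfully" goes last so the specific key/value/service
# forms win; "not found" covers both files and registry keys.
OUTCOME_PATTERNS = [
    ("key removed",         re.compile(r"=> key removed successfully\.?$")),
    ("value removed",       re.compile(r"=> value removed successfully\.?$")),
    ("service removed",     re.compile(r"=> service removed successfully\.?$")),
    ("file moved",          re.compile(r"=> moved successfully\.?$")),
    ("ads removed",         re.compile(r"ADS removed successfully\.?$")),
    ("not found",           re.compile(r"=> (?:key )?not found\.?$")),
    ("process not running", re.compile(r"=> No running process found$")),
    ("temp emptied",        re.compile(r"MB temporary data Removed\.?$")),
    ("setting removed",     re.compile(r"=> removed successfully\.?$")),
]


def parse_fixlog(text):
    """Return a list of (target, outcome) for every 'target => result' line.

    Header lines and notices without ' => ' are skipped. Registry keys that
    FRST wraps in double quotes are returned without the quotes.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if " => " not in line:
            continue
        target, _, _result = line.partition(" => ")
        target = target.strip('"')
        outcome = "other"
        for name, pattern in OUTCOME_PATTERNS:
            if pattern.search(line):
                outcome = name
                break
        entries.append((target, outcome))
    return entries


def summarize(text):
    """Count how many entries ended in each outcome."""
    return Counter(outcome for _, outcome in parse_fixlog(text))


def unresolved_targets(text):
    """Targets the fixlist named that FRST could not find: usually entries that
    were already gone, or 'No File' references that pointed at nothing."""
    return [target for target, outcome in parse_fixlog(text) if outcome == "not found"]


def temp_data_removed_mb(text):
    """Megabytes reported by the EmptyTemp: directive, or 0.0 if absent."""
    match = re.search(r"EmptyTemp: => ([\d.]+) MB temporary data Removed", text)
    return float(match.group(1)) if match else 0.0


def needs_reboot(text):
    """True when FRST reports that the fix required a restart."""
    return "The system needed a reboot." in text


if __name__ == "__main__":
    for outcome, count in sorted(summarize(SAMPLE_FIXLOG).items()):
        print(f"{outcome:20s} {count}")
    print("not found:", unresolved_targets(SAMPLE_FIXLOG))
    print("temp removed (MB):", temp_data_removed_mb(SAMPLE_FIXLOG))
    print("reboot needed:", needs_reboot(SAMPLE_FIXLOG))
```

Reading the summary rather than the raw log makes the two questions a helper cares about easy to answer: which fixlist entries actually changed something, and which were already absent (a sign the fixlist was built from a stale scan, or that the entries were only dangling references).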


#8 nasdaq

nasdaq

  • Malware Response Team
  • 39,909 posts
  • ONLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:02:31 PM

Posted 03 November 2015 - 08:36 AM

Good.

Run the Zoek tool and post the log for my review.

Let me know if the problem persists.

#9 singlre

singlre
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Local time:01:31 PM

Posted 04 November 2015 - 10:13 PM

I finally got Zoek on the desktop, but it's been running for like three hours now. Last line is Remove from Windows Installer....Is this normal?



#10 singlre

singlre
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Local time:01:31 PM

Posted 05 November 2015 - 07:50 AM

Update: Zoek program ran all night, still showing the same thing...didn't finish. Tried closing it, but it continues stating it's still running???



#11 nasdaq

nasdaq

  • Malware Response Team
  • 39,909 posts
  • ONLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:02:31 PM

Posted 05 November 2015 - 10:58 AM

Close the process.

Please run the Zoek tool with only these commands.

autoclean;
emptyalltemp;
ipconfig /flushdns;b


See post no. 6.

#12 singlre

singlre
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Local time:01:31 PM

Posted 05 November 2015 - 11:44 PM

After work I did exactly as instructed like before....it also was going for hours. I tried doing it in safe mode and it was making progress much better. Don't know if that's okay but let me know.

 

Also every time I ran Zoek soon after a message box popped up "DaS21 has stopped working - A problem caused the program to stop working correctly. Windows will close the program and notify you if a solution is available." 

 

After reboot...performance is still the same.

 

 
Zoek.exe v5.0.0.1 Updated 05-November-2015
Tool run by Regevette on Thu 11/05/2015 at 21:36:45.77.
Microsoft Windows 10 Home 10.0.10240  x64
Running in: Safe Mode NETWORK Internet Access Detected
Launched: C:\Users\Regevette\Desktop\zoek.exe [Scan all users] [Script inserted] 
 
==== Older Logs ======================
 
C:\zoek-results2015-11-04-223100.log 406 bytes
C:\zoek-results2015-11-05-031345.log 371 bytes
 
==== Empty Folders Check ======================
 
C:\PROGRA~3\{68F203DC-6842-40A7-A22F-766FC09F195E} deleted successfully
 
==== Deleting CLSID Registry Keys ======================
 
HKEY_USERS\S-1-5-21-1826123673-4292494960-549196744-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{AFBCB7E0-F91A-4951-9F31-58FEE57A25C4} deleted successfully
 
==== Deleting CLSID Registry Values ======================
 
 
==== Deleting Services ======================
 
 
==== Batch Command(s) Run By Tool======================
 
C:\WINDOWS\system32\appdata deleted
 
==== Deleting Files \ Folders ======================
 
C:\PROGRA~3\{68F203DC-6842-40A7-A22F-766FC09F195E} not found
"C:\Windows\Installer\1fe7215a.msi" not found
C:\Users\Regevette\AppData\Roaming\Catalina Marketing Corp deleted
C:\WINDOWS\syswow64\appdata deleted
C:\windows\SysNative\Tasks\PrintProjects Communicator deleted
C:\WINDOWS\tasks\PrintProjects Communicator.job deleted
C:\PROGRA~3\Pure Networks deleted
C:\Users\Regevette\.android deleted
C:\PROGRA~2\Coupons deleted
C:\PROGRA~2\Digital Coupon Printer deleted
C:\PROGRA~2\Yahoo! deleted
C:\PROGRA~2\COMMON~1\Wondershare deleted
C:\PROGRA~3\Yahoo! deleted
C:\PROGRA~3\SpeedBit deleted
C:\PROGRA~3\{23D58E70-3B83-4B83-A227-68770F84F5EC} deleted
C:\PROGRA~3\{657095DF-DBDB-4B17-8245-B38845C97069} deleted
C:\PROGRA~3\{DA06AA03-DF24-4ECE-939E-1B0939235C66} deleted
C:\PROGRA~3\Package Cache deleted
C:\Users\Regevette\AppData\Local\Wondershare deleted
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Coupons deleted
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Search.lnk deleted
C:\Users\Regevette\AppData\LocalLow\Yahoo! deleted
C:\WINDOWS\Syswow64\RENE8C0.tmp deleted
C:\WINDOWS\SysWOW64\AniGIF.ocx deleted
C:\WINDOWS\Syswow64\InstallUtil.InstallLog deleted
"C:\Windows\Installer\6251e3.msi" deleted
"C:\Windows\Installer\1e751e3.msi" deleted
"C:\Users\Regevette\AppData\Roaming\Vso" deleted
 
==== Firefox Extensions Registry ======================
 
[HKEY_LOCAL_MACHINE\Software\Mozilla\Firefox\Extensions]
"{C1A2A613-35F1-4FCF-B27F-2840527B6556}"="C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_22.5.4.24\coFFAddon" [11/04/2015 10:04 PM]
[HKEY_LOCAL_MACHINE\Software\Wow6432Node\Mozilla\Firefox\Extensions]
"{C1A2A613-35F1-4FCF-B27F-2840527B6556}"="C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_22.5.4.24\coFFAddon" [11/04/2015 10:04 PM]
 
==== Firefox Extensions ======================
 
AppDir: C:\Program Files (x86)\Mozilla Firefox
- Default - %AppDir%\browser\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
 
==== Firefox Plugins ======================
 
Profilepath: C:\Users\Regevette\AppData\Roaming\Mozilla\Firefox\Profiles\lenjlni1.default-1446265891707
575820ED1CB017382CC109E410E8A527 - C:\ProgramData\Visan\plugins\npRLSecurePluginLayer.dll - RocketLife Secure Plug-In Layer
AC47B55B38D626B678897F195793ECAB - C:\Windows\SysWoW64\Adobe\Director\np32dsw.dll - Shockwave for Director / Shockwave for Director
701F455DE89E110EF05F0413D8E3A4D1 - C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_17_0_0_190.dll - Shockwave Flash
754691C2A17493BC5D9C49E550F4881F - C:\Users\Regevette\AppData\Local\HuluDesktop\instances\0.9.14.1\nphdplg.dll - Hulu Desktop
 
 
==== Chromium Look ======================
 
Google Chrome Version: 46.0.2490.80
 
HKEY_LOCAL_MACHINE\SOFTWARE\Google\Chrome\Extensions
cjabmdjcfcfdmffimndhafhblfmpjdpe - C:\Program Files (x86)\Norton Internet Security\Engine\22.5.4.24\Exts\Chrome.crx[09/23/2015 01:44 AM]
iikflkcanblccfahdhdonehdalibjnif - No path found[]
 
Angry Birds - Regevette\AppData\Local\Google\Chrome\User Data\Default\Extensions\aknpkdffaafgjchaibgeefbgmgeghloj
Facebook - Regevette\AppData\Local\Google\Chrome\User Data\Default\Extensions\boeajhmfdjldchidhphikilcgdacljfm
Norton Security Toolbar - Regevette\AppData\Local\Google\Chrome\User Data\Default\Extensions\cjabmdjcfcfdmffimndhafhblfmpjdpe
AdBlock - Regevette\AppData\Local\Google\Chrome\User Data\Default\Extensions\gighmmpiobklfepjocnamgkkbiglidom
Fixer for Java - Regevette\AppData\Local\Google\Chrome\User Data\Default\Extensions\ocoiokalhgfiblapcgelblmeakhidmle
Docs - Regevette\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\aohghmighlieiainnegkcijnfilokake
Norton Identity Protection - Regevette\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\mkfokfffehpeedafpekjeddnmnjhmcmk
 
==== Set IE to Default ======================
 
Old Values:
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
 
New Values:
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
 
==== All HKCU SearchScopes ======================
 
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes
"DefaultScope"="{0633EE93-D776-472f-A0FF-E1416B8B2E3A}"
{012E1000-F331-11DB-8314-0800200C9A66} Google  Url="http://www.google.com/search?q={searchTerms}"
{0633EE93-D776-472f-A0FF-E1416B8B2E3A} Bing  Url="http://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IESR02"
{F65638E6-CD90-4674-89AF-E3EF1B982BC6} Unknown  Url="Not_Found"
 
==== Deleting CLSID Registry Keys ======================
 
HKEY_USERS\S-1-5-21-1826123673-4292494960-549196744-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{F65638E6-CD90-4674-89AF-E3EF1B982BC6} deleted successfully
HKEY_USERS\S-1-5-21-1826123673-4292494960-549196744-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{562A0453-A42C-44F3-A206-E94643364CF3} deleted successfully
HKEY_USERS\S-1-5-21-1826123673-4292494960-549196744-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{6CE4B8A6-4DB5-4F63-8013-1197503692EF} deleted successfully
HKEY_USERS\S-1-5-21-1826123673-4292494960-549196744-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{8E66592B-8E7C-4A14-88A5-8BF21032F651} deleted successfully
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\{F65638E6-CD90-4674-89AF-E3EF1B982BC6} deleted successfully
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{F65638E6-CD90-4674-89AF-E3EF1B982BC6} deleted successfully
HKEY_CLASSES_ROOT\Wow6432Node\CLSID\{6CE4B8A6-4DB5-4F63-8013-1197503692EF} deleted successfully
 
==== Deleting CLSID Registry Values ======================
 
 
==== Deleting Registry Keys ======================
 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\5392EF0065BF0144BAF56D7EC071172D deleted successfully
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\694A5902E052F1A409DA96216418A9A9 deleted successfully
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\F8D785C6B8EFEAF4CAC49B09ABFC6EBE deleted successfully
HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{00FE2935-FB56-4410-AB5F-D6E70C1771D2} deleted successfully
HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Coupon Printer for Windows5.0.1.5 deleted successfully
HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{2095A496-250E-4A1F-90AD-691246819A9A} deleted successfully
HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{4956ACE3-F537-4418-BB45-FD52395275A7} deleted successfully
HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{6C587D8F-FE8B-4FAE-AC4C-B990BACFE6EB} deleted successfully
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Products\5392EF0065BF0144BAF56D7EC071172D deleted successfully
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Products\694A5902E052F1A409DA96216418A9A9 deleted successfully
HKEY_CURRENT_USER\Software\Microsoft\Installer\Products\3ECA6594735F8144BB54DF259325577A deleted successfully
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Products\F8D785C6B8EFEAF4CAC49B09ABFC6EBE deleted successfully
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher deleted successfully
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\APSDaemon deleted successfully
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CCleaner Monitoring deleted successfully
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Digital Coupon Print Driver deleted successfully
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper deleted successfully
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KiesAirMessage deleted successfully
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KiesPreload deleted successfully
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KiesTrayAgent deleted successfully
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSN Toolbar deleted successfully
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nmapp deleted successfully
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nmctxth deleted successfully
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NortonOnlineBackupReminder deleted successfully
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task deleted successfully
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SDTray deleted successfully
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SearchSettings deleted successfully
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Spybot-S&D Cleaning deleted successfully
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer deleted successfully
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SSDMonitor deleted successfully
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware deleted successfully
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Wondershare Helper Compact.exe deleted successfully
 
==== Empty IE Cache ======================
 
C:\WINDOWS\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5 emptied successfully
C:\Users\Regevette\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 emptied successfully
C:\WINDOWS\SysNative\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 emptied successfully
C:\Users\Regevette\AppData\Local\Microsoft\Windows\INetCache\IE emptied successfully
C:\WINDOWS\SysNative\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE emptied successfully
 
==== Empty FireFox Cache ======================
 
C:\Users\Regevette\AppData\Local\Mozilla\Firefox\Profiles\lenjlni1.default-1446265891707\cache2 emptied successfully
 
==== Empty Chrome Cache ======================
 
C:\Users\Regevette\AppData\Local\Google\Chrome\User Data\Default\Cache emptied successfully
C:\Users\Regevette\AppData\Local\Google\Chrome\User Data\Profile 1\Cache emptied successfully
 
==== Empty All Flash Cache ======================
 
No Flash Cache Found
 
==== Empty All Java Cache ======================
 
Java Cache cleared successfully
 
==== C:\zoek_backup content ======================
 
C:\zoek_backup (files=80 folders=52 138555018 bytes)
 
==== Empty Temp Folders ======================
 
C:\WINDOWS\Temp will be emptied at reboot
 
==== After Reboot ======================
 
==== Empty Temp Folders ======================
 
C:\WINDOWS\Temp successfully emptied
C:\Users\REGEVE~1\AppData\Local\Temp successfully emptied
 
==== Empty Recycle Bin ======================
 
C:\$RECYCLE.BIN successfully emptied
 
==== EOF on Thu 11/05/2015 at 23:09:06.18 ======================
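To triage a zoek-results.log like the one above without reading it line by line, here is an added Python parser (example code written for this page, not part of the thread and not the Zoek tool's own code) that splits the log into its ==== sections and records the outcome of each action line; the sample log it runs on is constructed to mimic the format above, with a hypothetical GUID and paths.

```python
import re
from collections import Counter

SECTION_RE = re.compile(r"^==== (?P<name>.+?) ?=+$")
# Status phrases Zoek appends to action lines; longer ones first so that
# "deleted successfully" is never mistaken for a bare "deleted".
STATUSES = ("deleted successfully", "emptied successfully",
            "will be emptied at reboot", "successfully emptied",
            "not found", "deleted")

# Constructed sample in the zoek-results.log format (not from the thread).
SAMPLE_LOG = r"""
Zoek.exe v5.0.0.1 Updated 05-November-2015
==== Empty Folders Check ======================
C:\PROGRA~3\{EXAMPLE-GUID} deleted successfully
==== Batch Command(s) Run By Tool======================
C:\WINDOWS\system32\appdata deleted
==== Deleting Files \ Folders ======================
"C:\Windows\Installer\example.msi" not found
C:\PROGRA~2\Example Adware deleted
==== Empty Temp Folders ======================
C:\WINDOWS\Temp will be emptied at reboot
==== EOF on Thu 11/05/2015 at 23:09:06.18 ======================
"""

def parse_zoek_log(text):
    """Return {section: [(item, status), ...]}; unknown lines get 'info'."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        header = SECTION_RE.match(line)
        if header:
            current = header.group("name").strip()
            sections.setdefault(current, [])
            continue
        if current is None:          # preamble: tool version, user, OS
            continue
        for status in STATUSES:
            if line.endswith(status):
                item = line[: -len(status)].strip().strip('"')
                sections[current].append((item, status))
                break
        else:
            sections[current].append((line, "info"))
    return sections

def summarize(sections):  # tally outcomes: removed vs. already gone
    return Counter(s for items in sections.values() for _, s in items)
```

Items reported as "not found" were already gone before the script ran, so a large count there relative to "deleted" usually means an earlier pass or the user already cleaned them up.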


#13 nasdaq

nasdaq

  • Malware Response Team
  • 39,909 posts
  • ONLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:02:31 PM

Posted 06 November 2015 - 10:49 AM

Is there a way for you to connect your computer directly, bypassing the router?
It may just be that it's going bad.

Please run the Farbar Recovery Scan Tool. Enter DaS_21.exe in the Search Box and hit the File Search button.
Post the content of the Search.txt in your next reply.

<<<>>>


Let's also look in the Registry.

Please run the Farbar Recovery Scan Tool. Enter DaS_21.exe in the Search Box.
Click the Search Registry button, post the content of the Search.txt file in your next reply.

#14 singlre

singlre
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Local time:01:31 PM

Posted 06 November 2015 - 10:26 PM

No. Before this problem began I had a Westell modem and my own router connected. During diagnosing the problem my ISP sent a tech to my home and he took that and gave me a modem/router combo and I no longer use my personal router. I have disabled the wireless feature on it and only have one computer connected.

It seems FRST updated again and of course when it updated on its own it wasn't working for me, but I found a way...


Farbar Recovery Scan Tool (x64) Version:05-11-2015
Ran by Regevette (2015-11-06 22:16:50)
Running from C:\Users\Regevette\Desktop
Boot Mode: Normal
 
================== Search Files: "DaS_21.exe" =============
 
====== End of Search ======
 
 
 
Farbar Recovery Scan Tool (x64) Version:05-11-2015
Ran by Regevette (2015-11-06 22:24:17)
Running from C:\Users\Regevette\Desktop
Boot Mode: Normal
 
================== Search Registry: "DaS_21.exe" ===========
 
 
====== End of Search ======


#15 nasdaq

nasdaq

  • Malware Response Team
  • 39,909 posts
  • ONLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:02:31 PM

Posted 07 November 2015 - 09:31 AM

Let me check further with the Zoek tool using the following commands.

Temporarily disable your AV program so it does not interfere.
Info on how to disable your security applications How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs - Security Mini-Guides.

Download the Zoek tool from here

When the download appears, save to the Desktop.
On the Desktop, right-click the Zoek.exe file and select: Run as Administrator
(Give it a few seconds to appear.)

Next, copy/paste the entire script inside the code box below to the input field of Zoek:
process;
installer-list;
installedprogs;
startupall;
firefoxlook; 
chromelook;
srinfo;
Now...
Close any open Browsers.
Click the Run script button, and wait. It takes a few minutes to run the whole script.

When the tool finishes, the zoek-results.log is opened in Notepad.
The log is also found on the systemdrive, normally C:\
If a reboot is needed, the log is opened after the reboot.

Please attach the zoek-results.log in your reply.



