Unable to completely remove Cassiopesa.com hijacker


This topic is locked
11 replies to this topic

#1 nae13 (Members, 6 posts)

Posted 26 December 2015 - 06:35 PM

I have completed the following, in order, to no avail: uninstalled Chromium, scanned and removed instances found in Windows Defender, scanned and removed 197 threats with Malwarebytes, scanned with AdwCleaner and removed 2 registry entries and 4 instances containing Cassiopesa findings in the Google tab. I then reset the Google Chrome settings. Yet, even after all of that, when I go to Google in my daughter's user account and search for AdwCleaner, it redirects to the Yahoo search engine after flashing Cassiopesa in the URL field. What am I missing?


I've already disabled administrator permissions for my daughter, so hopefully this won't happen again! Thank you in advance for assistance.


Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version:25-12-2015

Ran by aimee (administrator) on LOGAN (26-12-2015 18:20:52)
Running from C:\Users\aimee\Downloads
Loaded Profiles: aimee (Available Profiles: L0gan & aimee)
Platform: Windows 10 Home (X64) Language: English (United States)
Internet Explorer Version 11 (Default browser: Chrome)
Boot Mode: Normal
 
==================== Processes (Whitelisted) =================
 
(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)
 
(Comodo Security Solutions, Inc.) C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe
(Intel Corporation) C:\Windows\System32\igfxCUIService.exe
(Lenovo Corporation) C:\Program Files\Lenovo\Communications Utility\AVControlCenter32.exe
(Intel Corporation) C:\Windows\System32\DptfParticipantProcessorService.exe
(Intel Corporation) C:\Windows\System32\DptfPolicyCriticalService.exe
(ELAN Microelectronics Corp.) C:\Program Files\Elantech\ETDService.exe
(Lenovo) C:\Program Files\Lenovo\OneKey Optimizer\bin\FBService.exe
(Comodo Security Solutions, Inc.) C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe
(Lenovo) C:\Program Files (x86)\Lenovo\Harmony\Setting\HarmonySettingService.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Bluetooth\ibtsiva.exe
(Lenovo Group Limited) C:\Program Files\Lenovo\ImController\Service\Lenovo.Modern.ImController.exe
(Intel® Corporation) C:\Program Files\Intel\TXE Components\TCS\HeciServer.exe
(Lenovo(beijing) Limited) C:\Program Files\Lenovo\OneKey Optimizer\bin\OKOUpdataService.exe
(Lenovo Group Limited) C:\Program Files\Lenovo\SettingsDependency\SettingsService.exe
(Lenovo(beijing) Limited) C:\Program Files (x86)\Lenovo\Lenovo Settings\x86\LenovoSetSvr.exe
() C:\Program Files\Lenovo PhoneCompanion\LPAWDService.exe
(Lenovo(beijing) Limited) C:\Windows\System32\LenovoWiFiHotspotSvr.exe
(Lenovo(beijing) Limited) C:\Program Files\Lenovo\OneKey Optimizer\bin\OKOControlSvc.exe
(PointGrab LTD) C:\Program Files (x86)\Lenovo\Motion Control\PGService.exe
(PointGrab LTD) C:\Program Files (x86)\Lenovo\Motion Control\PG_Service_Launcher.exe
(Lenovo Corporation) C:\Program Files\Lenovo\Communications Utility\avfaudiosw.exe
(Lenovo) C:\Program Files\Lenovo PhoneCompanion\PhoneCompanionPusher.exe
() C:\Program Files\CyberLink\Shared files\RichVideo64.exe
(Microsoft Corporation) C:\Program Files\Windows Defender\MsMpEng.exe
(Lenovo) C:\ProgramData\LenovoTransition\Server\x64\ymc.exe
(PointGrab LTD) C:\Program Files (x86)\Lenovo\Motion Control\WebcamSplitterServer.exe
(Microsoft Corporation) C:\Program Files\Windows Defender\NisSrv.exe
(ELAN Microelectronics Corp.) C:\Program Files\Elantech\ETDCtrl.exe
(Microsoft Corporation) C:\Windows\Microsoft.NET\Framework64\v3.0\WPF\PresentationFontCache.exe
(ELAN Microelectronics Corp.) C:\Program Files\Elantech\ETDCtrlHelper.exe
(ELAN Microelectronics Corp.) C:\Program Files\Elantech\ETDIntelligent.exe
(Intel Corporation) C:\Windows\System32\igfxHK.exe
(Intel Corporation) C:\Windows\System32\igfxTray.exe
(Intel Corporation) C:\Windows\System32\igfxEM.exe
(Microsoft Corporation) C:\Windows\SysWOW64\rundll32.exe
(Microsoft Corporation) C:\Windows\SysWOW64\rundll32.exe
(Microsoft Corporation) C:\Windows\System32\SettingSyncHost.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe
(Dolby Laboratories Inc.) C:\Program Files\Dolby\DDP_F3\ddpf3.exe
() C:\Program Files\Lenovo\LenovoUtility\utility.exe
() C:\Program Files (x86)\Lenovo\LenovoTransition\TransitionServer.exe
(Lenovo) C:\Program Files\Lenovo PhoneCompanion\Phone Companion.exe
(Lenovo(beijing) Limited) C:\Program Files\Lenovo\OneKey Optimizer\bin\OneKeyOptimizerTray.exe
(Lenovo(beijing) Limited) C:\Program Files\Lenovo\OneKey Optimizer\bin\OnekeyOptimizerUpdata.exe
(Skype Technologies S.A.) C:\Program Files (x86)\Skype\Phone\Skype.exe
(Lenovo) C:\Program Files (x86)\Lenovo\Harmony\Picks\Lenovo.HarmonyPicks.exe
(Lenovo) C:\Program Files (x86)\Lenovo\Harmony\Setting\Lenovo.HarmonySetting.exe
(Comodo Security Solutions, Inc.) C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Microsoft Corporation) C:\Windows\System32\printfilterpipelinesvc.exe
() C:\Program Files\Lenovo PhoneCompanion\adb.exe
() C:\Program Files (x86)\Lenovo\CCSDK\CCSDK.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Lenovo Corporation) C:\Program Files\Lenovo\Communications Utility\tpknrres.exe
() C:\Program Files (x86)\Lenovo\CCSDK\WinGather.exe
(Lenovo) C:\Users\aimee\AppData\Local\Apps\2.0\EKCMOTPQ.L04\TQBR9X9H.RYJ\lsb...tion_91a10ba61c75c82d_0001.0006_014be6b8b4b27d94\LSB.exe
(Lenovo(beijing) Limited) C:\Program Files\Lenovo\OneKey Optimizer\bin\OneKeyOptimizer.exe
(Microsoft Corporation) C:\Program Files\Windows Defender\MpCmdRun.exe
(Lenovo Group Limited) C:\Program Files\Lenovo\ImController\PluginHost\Lenovo.Modern.ImController.PluginHost.exe
(Lenovo Group Limited) C:\Program Files\Lenovo\ImController\PluginHost\Lenovo.Modern.ImController.PluginHost.exe
(Lenovo Group Limited) C:\Program Files (x86)\Lenovo\ImController\PluginHost\Lenovo.Modern.ImController.PluginHost.exe
(Lenovo Group Limited) C:\Program Files\Lenovo\ImController\PluginHost\Lenovo.Modern.ImController.PluginHost.exe
(Lenovo Group Limited) C:\Program Files (x86)\Lenovo\ImController\PluginHost\Lenovo.Modern.ImController.PluginHost.exe
(Lenovo Group Limited) C:\Program Files\Lenovo\ImController\PluginHost\Lenovo.Modern.ImController.PluginHost.exe
(Lenovo Group Limited) C:\Program Files\Lenovo\ImController\PluginHost\Lenovo.Modern.ImController.PluginHost.exe
(Microsoft Corporation) C:\Windows\System32\PrintIsolationHost.exe
 
 
==================== Registry (Whitelisted) ===========================
 
(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)
 
HKLM\...\Run: [ETDCtrl] => C:\Program Files\Elantech\ETDCtrl.exe [3743648 2015-08-19] (ELAN Microelectronics Corp.)
HKLM\...\Run: [RtHDVCpl] => C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe [13874392 2015-01-22] (Realtek Semiconductor)
HKLM\...\Run: [RtHDVBg_Dolby] => C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe [1390808 2015-02-10] (Realtek Semiconductor)
HKLM\...\Run: [RtHDVBg_LENOVO_DOLBYDRAGON] => C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe [1390808 2015-02-10] (Realtek Semiconductor)
HKLM\...\Run: [RtHDVBg_LENOVO_MICPKEY] => C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe [1390808 2015-02-10] (Realtek Semiconductor)
HKLM\...\Run: [DDPF3] => C:\Program Files\Dolby\DDP_F3\ddpf3.exe [746496 2014-11-03] (Dolby Laboratories Inc.)
HKLM\...\Run: [LenovoUtility] => C:\Program Files\Lenovo\LenovoUtility\utility.exe [791368 2015-07-08] ()
HKLM\...\Run: [AutoStartTransition] => C:\Program Files (x86)\Lenovo\LenovoTransition\TransitionServer.exe [107776 2015-01-15] ()
HKLM\...\Run: [PhoneCompanion] => C:\Program Files\Lenovo PhoneCompanion\Phone Companion.exe [802800 2015-07-08] (Lenovo)
HKLM\...\Run: [OneKeyOptimizer] => C:\Program Files\Lenovo\OneKey Optimizer\bin\OneKeyOptimizerTray.exe [604968 2015-06-19] (Lenovo(beijing) Limited)
HKLM\...\Run: [LMCSSTART1] => C:\Program Files\Lenovo\Communications Utility\lmcsctrl.exe [30152 2015-03-23] (Lenovo Corporation)
HKLM\...\Run: [LMCSSTART2] => C:\Program Files\Lenovo\Communications Utility\lmcsctrl.exe [30152 2015-03-23] (Lenovo Corporation)
HKLM\...\Run: [LMCSSTART3] => C:\Program Files\Lenovo\Communications Utility\lmcsctrl.exe [30152 2015-03-23] (Lenovo Corporation)
HKLM-x32\...\Run: [HarmonyPicks] => C:\Program Files (x86)\Lenovo\Harmony\Picks\Lenovo.HarmonyPicks.exe [5243160 2014-12-23] (Lenovo)
HKLM-x32\...\Run: [HarmonySetting] => C:\Program Files (x86)\Lenovo\Harmony\Setting\Lenovo.HarmonySetting.exe [2696448 2015-01-04] (Lenovo)
HKLM-x32\...\Run: [tvncontrol] => C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe [2327248 2015-06-30] (Comodo Security Solutions, Inc.)
HKU\S-1-5-21-4012163830-1424664905-2834743002-1004\...\Run: [Skype] => C:\Program Files (x86)\Skype\Phone\Skype.exe [50378880 2015-12-17] (Skype Technologies S.A.)
 
==================== Internet (Whitelisted) ====================
 
(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)
 
ProxyEnable: [.DEFAULT] => Proxy is enabled.
ProxyServer: [.DEFAULT] => http=127.0.0.1:47574
ProxyServer: [S-1-5-21-4012163830-1424664905-2834743002-1004] => http=127.0.0.1:47574
Tcpip\Parameters: [DhcpNameServer] 192.168.1.1
Tcpip\..\Interfaces\{5bc03c4f-72bb-42f4-b6cd-aad1eb290731}: [DhcpNameServer] 192.168.1.1
Tcpip\..\Interfaces\{dc1e37ce-3ea9-4a52-9e2a-ed67890997f4}: [DhcpNameServer] 101.1.1.1
 
Internet Explorer:
==================
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
HKU\S-1-5-21-4012163830-1424664905-2834743002-1004\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://lenovo13.msn.com/?pc=LCJB
HKU\S-1-5-21-4012163830-1424664905-2834743002-1004\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://lenovo13.msn.com/?pc=LCJB
SearchScopes: HKLM -> DefaultScope {5537B25F-C664-408C-8AB9-D82583F33EC4} URL = 
StartMenuInternet: IEXPLORE.EXE - iexplore.exe
 
FireFox:
========
FF Plugin: @mcafee.com/MSC,version=10 -> C:\Program Files\mcafee\msc\npMcSnFFPl64.dll [No File]
FF Plugin-x32: @mcafee.com/MSC,version=10 -> C:\Program Files (x86)\McAfee\msc\npMcSnFFPl.dll [No File]
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.29.1\npGoogleUpdate3.dll [2015-12-03] (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.29.1\npGoogleUpdate3.dll [2015-12-03] (Google Inc.)
FF HKLM-x32\...\Thunderbird\Extensions: [msktbird@mcafee.com] - C:\Program Files\McAfee\MSK => not found
 
Chrome: 
=======
CHR Profile: C:\Users\aimee\AppData\Local\Google\Chrome\User Data\Default
CHR Extension: (Google Slides) - C:\Users\aimee\AppData\Local\Google\Chrome\User Data\Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek [2015-12-26]
CHR Extension: (Google Docs) - C:\Users\aimee\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake [2015-12-26]
CHR Extension: (Google Drive) - C:\Users\aimee\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2015-12-26]
CHR Extension: (YouTube) - C:\Users\aimee\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2015-12-26]
CHR Extension: (Google Search) - C:\Users\aimee\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf [2015-12-26]
CHR Extension: (Google Sheets) - C:\Users\aimee\AppData\Local\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap [2015-12-26]
CHR Extension: (Google Docs Offline) - C:\Users\aimee\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi [2015-12-26]
CHR Extension: (Chrome Web Store Payments) - C:\Users\aimee\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2015-12-26]
CHR Extension: (Gmail) - C:\Users\aimee\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2015-12-26]
StartMenuInternet: Google Chrome - chrome.exe
 
==================== Services (Whitelisted) ========================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
R2 AVControlCenter; C:\Program Files\Lenovo\Communications Utility\AVControlCenter32.exe [560584 2015-03-23] (Lenovo Corporation)
R2 CCSDK; C:\Program Files (x86)\Lenovo\CCSDK\CCSDK.exe [644080 2014-10-22] ()
R2 CLPSLauncher; C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe [70848 2015-11-23] (Comodo Security Solutions, Inc.)
R2 DptfParticipantAcpiProcessorService; C:\Windows\system32\DptfParticipantProcessorService.exe [117704 2013-09-17] (Intel Corporation)
R2 DptfPolicyCriticalService; C:\Windows\system32\DptfPolicyCriticalService.exe [150760 2013-09-17] (Intel Corporation)
R2 ETDService; C:\Program Files\Elantech\ETDService.exe [134888 2015-08-19] (ELAN Microelectronics Corp.)
R2 FastbootService; C:\Program Files\Lenovo\OneKey Optimizer\bin\FbService.exe [193640 2015-10-22] (Lenovo)
R2 GeekBuddyRSP; C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe [2327248 2015-06-30] (Comodo Security Solutions, Inc.)
R2 HarmonySettingService; C:\Program Files (x86)\Lenovo\Harmony\Setting\HarmonySettingService.exe [17688 2014-12-23] (Lenovo) [File not signed]
R2 iBtSiva; C:\Program Files (x86)\Intel\Bluetooth\ibtsiva.exe [122984 2014-09-15] (Intel Corporation)
R2 igfxCUIService1.0.0.0; C:\Windows\system32\igfxCUIService.exe [330136 2015-10-16] (Intel Corporation)
R2 ImControllerService; C:\Program Files\Lenovo\ImController\Service\Lenovo.Modern.ImController.exe [35784 2015-11-13] (Lenovo Group Limited)
R2 Intel® Capability Licensing Service Interface; C:\Program Files\Intel\TXE Components\TCS\HeciServer.exe [733696 2013-07-01] (Intel® Corporation) [File not signed]
S3 Intel® Capability Licensing Service TCP IP Interface; C:\Program Files\Intel\TXE Components\TCS\SocketHeciServer.exe [822232 2013-07-01] (Intel® Corporation)
S3 Lenovo EasyPlus Hotspot; C:\Program Files (x86)\Common Files\lenovo\easyplussdk\bin\EPHotspot64.exe [561408 2014-09-22] (Lenovo)
R2 Lenovo OKO Service; C:\Program Files\Lenovo\OneKey Optimizer\bin\OKOUpdataService.exe [2730280 2015-05-26] (Lenovo(beijing) Limited)
R2 Lenovo Settings Service; C:\Program Files\Lenovo\SettingsDependency\SettingsService.exe [2016040 2015-04-10] (Lenovo Group Limited)
S3 LENOVO.TVTVCAM; C:\Program Files\Lenovo\Communications Utility\vcamsvc.exe [625608 2015-03-23] (Lenovo Corporation)
R2 LenovoPAWDService; C:\Program Files\Lenovo PhoneCompanion\LPAWDService.exe [133440 2015-07-08] ()
R2 LenovoSetSvr; C:\Program Files (x86)\Lenovo\Lenovo Settings\x86\LenovoSetSvr.exe [258544 2014-06-19] (Lenovo(beijing) Limited)
R2 LenovoWiFiHotspotSvr; C:\Windows\System32\LenovoWiFiHotspotSvr.exe [218952 2014-08-25] (Lenovo(beijing) Limited)
S2 MBAMService; C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe [1135416 2015-10-05] (Malwarebytes)
R2 OKOControlSvc; C:\Program Files\Lenovo\OneKey Optimizer\bin\OKOControlSvc.exe [367912 2015-06-19] (Lenovo(beijing) Limited)
R2 PGService; C:\Program Files (x86)\Lenovo\Motion Control\PGService.exe [167176 2014-05-28] (PointGrab LTD)
R2 PG_Service_Launcher; C:\Program Files (x86)\Lenovo\Motion Control\PG_Service_Launcher.exe [524552 2014-05-28] (PointGrab LTD)
R2 PhoneCompanionPusher; C:\Program Files\Lenovo PhoneCompanion\PhoneCompanionPusher.exe [321520 2015-07-08] (Lenovo)
S3 PhoneCompanionVap; C:\Program Files\Lenovo PhoneCompanion\PhoneCompanionVap.exe [338416 2015-07-08] (Lenovo)
R2 RichVideo64; C:\Program Files\CyberLink\Shared files\RichVideo64.exe [390632 2012-04-24] ()
R3 WdNisSvc; C:\Program Files\Windows Defender\NisSrv.exe [362928 2015-07-10] (Microsoft Corporation)
R2 WinDefend; C:\Program Files\Windows Defender\MsMpEng.exe [24864 2015-07-10] (Microsoft Corporation)
R2 ymc; C:\ProgramData\LenovoTransition\Server\x64\ymc.exe [30464 2015-01-15] (Lenovo)
 
===================== Drivers (Whitelisted) ==========================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
R3 DptfDevAcpiProc; C:\Windows\system32\DRIVERS\DptfDevAcpiProc.sys [198808 2013-09-17] (Intel Corporation)
R3 DptfManager; C:\Windows\system32\DRIVERS\DptfManager.sys [493240 2013-09-17] (Intel Corporation)
R0 Fastboot; C:\Windows\System32\DRIVERS\Fastboot.sys [72808 2015-10-22] (Windows ® Win 7 DDK provider)
R3 GPIO; C:\Windows\System32\drivers\iaiogpioe.sys [31232 2014-06-09] (Intel Corporation)
R3 iaioi2c; C:\Windows\System32\drivers\iaioi2ce.sys [69632 2014-06-09] (Intel Corporation)
R3 ibtusb; C:\Windows\system32\DRIVERS\ibtusb.sys [263952 2015-08-19] (Intel Corporation)
R3 KMDFVirtualKbd; C:\Windows\System32\drivers\KMDFVirtualKbd.sys [22264 2014-08-04] ()
R3 KMDFVirtualMouse; C:\Windows\System32\drivers\KMDFVirtualMouse.sys [21240 2014-08-04] ()
R3 MBAMProtector; C:\WINDOWS\system32\drivers\mbam.sys [25816 2015-10-05] (Malwarebytes)
S3 MBAMWebAccessControl; C:\WINDOWS\system32\drivers\mwac.sys [64216 2015-10-05] (Malwarebytes Corporation)
R0 MBI; C:\Windows\System32\drivers\MBI.sys [29464 2013-10-10] (Intel Corporation)
R3 NETwNb64; C:\Windows\System32\drivers\Netwbw02.sys [3496216 2015-07-10] (Intel Corporation)
R3 rt640x64; C:\Windows\System32\drivers\rt640x64.sys [886528 2015-08-19] (Realtek                                            )
R3 RTSUER; C:\Windows\system32\Drivers\RtsUer.sys [402960 2015-08-19] (Realsil Semiconductor Corporation)
R3 rtsuvc; C:\Windows\system32\DRIVERS\rtsuvc.sys [3057920 2015-08-19] (Realtek Semiconductor Corp.)
R3 SpbAccelerometer; C:\Windows\system32\DRIVERS\WUDFRd.sys [214016 2015-07-10] (Microsoft Corporation)
R3 TXEIx64; C:\Windows\System32\drivers\TXEIx64.sys [88592 2014-01-15] (Intel Corporation)
S3 UdeCx; C:\Windows\System32\drivers\udecx.sys [44032 2015-07-10] ()
S0 WdBoot; C:\Windows\System32\drivers\WdBoot.sys [44568 2015-07-10] (Microsoft Corporation)
R0 WdFilter; C:\Windows\System32\drivers\WdFilter.sys [291680 2015-07-10] (Microsoft Corporation)
R2 WdNisDrv; C:\Windows\System32\Drivers\WdNisDrv.sys [119648 2015-07-10] (Microsoft Corporation)
S3 wsvd; C:\Windows\system32\DRIVERS\wsvd.sys [102376 2012-06-13] ("CyberLink)
S3 wfpcapture; \SystemRoot\System32\drivers\wfpcapture.sys [X]
 
==================== NetSvcs (Whitelisted) ===================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
 
==================== One Month Created files and folders ========
 
(If an entry is included in the fixlist, the file/folder will be moved.)
 
2015-12-26 18:20 - 2015-12-26 18:22 - 00018594 _____ C:\Users\aimee\Downloads\FRST.txt
2015-12-26 18:19 - 2015-12-26 18:20 - 02370560 _____ (Farbar) C:\Users\aimee\Downloads\FRST64.exe
2015-12-26 18:15 - 2015-12-26 18:15 - 00000000 ___HD C:\OneDriveTemp
2015-12-26 18:14 - 2015-12-26 18:14 - 00016148 _____ C:\WINDOWS\system32\LOGAN_aimee_HistoryPrediction.bin
2015-12-26 18:13 - 2015-12-26 18:13 - 00016148 _____ C:\WINDOWS\system32\LOGAN_L0gan_HistoryPrediction.bin
2015-12-26 18:04 - 2015-12-26 18:06 - 00002032 _____ C:\Users\aimee\Desktop\Rkill.txt
2015-12-26 18:04 - 2015-12-26 18:04 - 02032072 _____ (Bleeping Computer, LLC) C:\Users\L0gan\Downloads\rkill.exe
2015-12-26 17:57 - 2015-12-26 17:58 - 00023720 _____ C:\Users\L0gan\Downloads\Addition.txt
2015-12-26 17:55 - 2015-12-26 18:20 - 00000000 ____D C:\FRST
2015-12-26 17:55 - 2015-12-26 17:58 - 00041245 _____ C:\Users\L0gan\Downloads\FRST.txt
2015-12-26 17:54 - 2015-12-26 17:54 - 02370560 _____ (Farbar) C:\Users\L0gan\Downloads\FRST64 (1).exe
2015-12-26 17:54 - 2015-12-26 17:54 - 00001525 _____ C:\Users\L0gan\Desktop\FRST64 - Shortcut.lnk
2015-12-26 17:53 - 2015-12-26 17:55 - 02370560 _____ (Farbar) C:\Users\L0gan\Downloads\FRST64.exe
2015-12-26 17:36 - 2015-12-26 17:36 - 00001832 _____ C:\Users\aimee\Desktop\sc-cleaner.txt
2015-12-26 17:35 - 2015-12-26 17:36 - 00463688 _____ (Bleeping Computer, LLC) C:\Users\L0gan\Downloads\sc-cleaner.exe
2015-12-26 17:06 - 2015-12-26 17:06 - 01743360 _____ C:\Users\aimee\Downloads\adwcleaner_5.026 (1).exe
2015-12-26 16:53 - 2015-12-26 16:53 - 01743360 _____ C:\Users\L0gan\Downloads\adwcleaner_5.026 (2).exe
2015-12-26 16:50 - 2015-12-26 16:50 - 01743360 _____ C:\Users\L0gan\Downloads\adwcleaner_5.026 (1).exe
2015-12-26 16:41 - 2015-12-26 16:41 - 01743360 _____ C:\Users\aimee\Downloads\adwcleaner_5.026.exe
2015-12-26 15:56 - 2015-12-26 15:57 - 00192216 _____ (Malwarebytes) C:\WINDOWS\system32\Drivers\MBAMSwissArmy.sys
2015-12-26 15:56 - 2015-12-26 15:56 - 00001186 _____ C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2015-12-26 15:56 - 2015-12-26 15:56 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes Anti-Malware
2015-12-26 15:56 - 2015-12-26 15:56 - 00000000 ____D C:\ProgramData\Malwarebytes
2015-12-26 15:56 - 2015-12-26 15:56 - 00000000 ____D C:\Program Files (x86)\Malwarebytes Anti-Malware
2015-12-26 15:56 - 2015-10-05 09:50 - 00109272 _____ (Malwarebytes) C:\WINDOWS\system32\Drivers\mbamchameleon.sys
2015-12-26 15:56 - 2015-10-05 09:50 - 00064216 _____ (Malwarebytes Corporation) C:\WINDOWS\system32\Drivers\mwac.sys
2015-12-26 15:56 - 2015-10-05 09:50 - 00025816 _____ (Malwarebytes) C:\WINDOWS\system32\Drivers\mbam.sys
2015-12-26 15:54 - 2015-12-26 15:55 - 22908888 _____ (Malwarebytes ) C:\Users\aimee\Downloads\mbam-setup-2.2.0.1024.exe
2015-12-26 13:41 - 2015-12-26 13:41 - 02366824 _____ (Microsoft Corporation) C:\WINDOWS\system32\WudfUpdate_01011.dll
2015-12-26 13:41 - 2015-12-26 13:41 - 00255944 _____ (Windows ® Win 7 DDK provider) C:\WINDOWS\system32\iMDriverHelper.dll
2015-12-26 13:37 - 2015-12-26 13:38 - 105058080 _____ (Lenovo ) C:\Users\aimee\Downloads\SystemInterfaceFoundation.exe
2015-12-26 13:33 - 2015-12-26 13:33 - 00491048 _____ () C:\Users\aimee\Downloads\LSBsetup.exe
2015-12-26 13:33 - 2015-12-26 13:33 - 00000000 ____D C:\Users\aimee\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Lenovo
2015-12-26 13:33 - 2015-12-26 13:33 - 00000000 ____D C:\Users\aimee\AppData\Local\Deployment
2015-12-26 13:33 - 2015-12-26 13:33 - 00000000 ____D C:\Users\aimee\AppData\Local\Apps\2.0
2015-12-26 13:30 - 2015-12-26 13:30 - 00000000 ____D C:\Users\aimee\Tracing
2015-12-26 13:28 - 2015-12-26 18:17 - 00000000 ____D C:\Users\aimee\AppData\Roaming\Skype
2015-12-26 13:28 - 2015-12-26 13:50 - 00000000 ____D C:\ProgramData\Skype
2015-12-26 13:28 - 2015-12-26 13:28 - 00000000 ___RD C:\Program Files (x86)\Skype
2015-12-26 13:28 - 2015-12-26 13:28 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Skype
2015-12-26 13:27 - 2015-12-26 13:27 - 01503872 _____ (Skype Technologies S.A.) C:\Users\aimee\Downloads\SkypeSetup.exe
2015-12-26 13:13 - 2015-12-26 13:13 - 00003482 _____ C:\WINDOWS\System32\Tasks\McAfee Remediation (Upgrade)
2015-12-26 13:12 - 2015-12-26 18:15 - 00000000 ___RD C:\Users\aimee\OneDrive
2015-12-26 13:12 - 2015-12-26 13:47 - 00002414 _____ C:\Users\aimee\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\OneDrive.lnk
2015-12-26 13:11 - 2015-12-26 13:12 - 00000000 ____D C:\Users\aimee\AppData\Local\ElevatedDiagnostics
2015-12-26 13:09 - 2015-12-26 15:15 - 00000000 ____D C:\Users\aimee\AppData\Local\Lenovo
2015-12-26 13:09 - 2015-12-26 13:10 - 00000000 ____D C:\Users\aimee\AppData\Local\Comms
2015-12-26 13:08 - 2015-12-26 18:16 - 00001423 _____ C:\Users\aimee\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Harmony Settings Introduction.lnk
2015-12-26 13:08 - 2015-12-26 18:15 - 00002319 _____ C:\Users\aimee\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Harmony Picks Introduction.lnk
2015-12-26 13:08 - 2015-12-26 13:08 - 00000000 ____D C:\Users\aimee\AppData\Roaming\Lenovo
2015-12-26 13:08 - 2015-12-26 13:08 - 00000000 ____D C:\Users\aimee\AppData\Local\MicrosoftEdge
2015-12-26 13:07 - 2015-12-26 13:07 - 00000000 ____D C:\Users\aimee\AppData\Local\Publishers
2015-12-26 13:06 - 2015-12-26 13:06 - 00000000 ____D C:\Users\aimee\AppData\Roaming\Adobe
2015-12-26 13:05 - 2015-12-26 18:15 - 00000000 __SHD C:\Users\aimee\IntelGraphicsProfiles
2015-12-26 13:05 - 2015-12-26 17:12 - 00000000 ____D C:\Users\aimee\AppData\Local\Google
2015-12-26 13:05 - 2015-12-26 13:45 - 00000000 ____D C:\Users\aimee
2015-12-26 13:05 - 2015-12-26 13:41 - 00000000 ____D C:\Users\aimee\AppData\Local\Packages
2015-12-26 13:05 - 2015-12-26 13:05 - 00000020 ___SH C:\Users\aimee\ntuser.ini
2015-12-26 13:05 - 2015-12-26 13:05 - 00000000 _SHDL C:\Users\aimee\My Documents
2015-12-26 13:05 - 2015-12-26 13:05 - 00000000 _SHDL C:\Users\aimee\Documents\My Videos
2015-12-26 13:05 - 2015-12-26 13:05 - 00000000 _SHDL C:\Users\aimee\Documents\My Pictures
2015-12-26 13:05 - 2015-12-26 13:05 - 00000000 _SHDL C:\Users\aimee\Documents\My Music
2015-12-26 13:05 - 2015-12-26 13:05 - 00000000 ____D C:\Users\aimee\AppData\Local\VirtualStore
2015-12-26 13:05 - 2015-12-26 13:05 - 00000000 ____D C:\Users\aimee\AppData\Local\TileDataLayer
2015-12-26 12:52 - 2015-12-26 12:52 - 00000000 ____D C:\Users\L0gan\AppData\Roaming\Lenovo
2015-12-26 12:34 - 2015-12-26 12:34 - 01951744 _____ C:\Users\L0gan\Downloads\FindingDiscountUninstaller.exe
2015-12-26 12:34 - 2015-12-26 12:34 - 01951744 _____ C:\Users\L0gan\Downloads\FindingDiscountUninstaller (1).exe
2015-12-26 12:25 - 2015-12-26 12:25 - 00000046 _____ C:\WINDOWS\wininit.ini
2015-12-26 11:58 - 2015-12-26 17:13 - 00000000 ____D C:\AdwCleaner
2015-12-26 11:57 - 2015-12-26 11:58 - 01743360 _____ C:\Users\L0gan\Downloads\adwcleaner_5.026.exe
2015-12-25 23:17 - 2015-12-25 23:18 - 00215168 _____ C:\Users\L0gan\Downloads\google_chrome_setup-f46dba2a567e14f1.exe
2015-12-17 18:51 - 2015-12-17 18:51 - 00000000 ____D C:\Users\L0gan\AppData\Local\ElevatedDiagnostics
2015-12-13 20:16 - 2015-12-25 23:16 - 00000137 _____ C:\Users\L0gan\AppData\Roaming\WB.CFG
2015-12-13 19:29 - 2015-12-13 19:29 - 00000000 ____D C:\Users\L0gan\AppData\Roaming\YourUpdater
2015-12-13 19:18 - 2015-12-26 12:25 - 00000000 ____D C:\Program Files\COMODO
2015-12-13 19:18 - 2015-12-13 19:21 - 00000000 ____D C:\ProgramData\COMODO
2015-12-13 19:16 - 2015-12-25 23:17 - 00000258 __RSH C:\ProgramData\ntuser.pol
2015-12-13 19:16 - 2015-12-13 20:16 - 00000000 ____D C:\Users\L0gan\AppData\Local\{FCCECA92-D866-A62A-B5FE-83C291967F5A}
2015-12-13 19:14 - 2015-12-24 18:20 - 00000000 ____D C:\Program Files (x86)\DownloaderYourUp
2015-12-13 19:13 - 2015-12-13 19:13 - 00220832 _____ C:\Users\L0gan\Downloads\SetupNow (4).exe
2015-12-13 19:13 - 2015-12-13 19:13 - 00220832 _____ C:\Users\L0gan\Downloads\SetupNow (3).exe
2015-12-13 19:13 - 2015-12-13 19:13 - 00220832 _____ C:\Users\L0gan\Downloads\SetupNow (2).exe
2015-12-13 19:13 - 2015-12-13 19:13 - 00000003 _____ C:\Users\L0gan\Downloads\2.txt
2015-12-13 19:13 - 2015-12-13 19:13 - 00000003 _____ C:\Users\L0gan\Downloads\1.txt
2015-12-13 19:12 - 2015-12-13 19:12 - 00220832 _____ C:\Users\L0gan\Downloads\SetupNow (1).exe
2015-12-13 19:08 - 2015-12-13 19:08 - 00220832 _____ C:\Users\L0gan\Downloads\SetupNow.exe
2015-12-13 19:05 - 2015-12-13 19:05 - 01576430 _____ C:\Users\L0gan\Downloads\LakeShore.zip
2015-12-10 17:23 - 2015-12-01 00:51 - 07523840 _____ (Microsoft Corporation) C:\WINDOWS\system32\Chakra.dll
2015-12-10 17:23 - 2015-11-30 23:59 - 05455360 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\Chakra.dll
2015-12-10 17:23 - 2015-11-25 00:33 - 03622272 _____ (Microsoft Corporation) C:\WINDOWS\system32\iertutil.dll
2015-12-10 17:23 - 2015-11-25 00:27 - 01366680 _____ (Microsoft Corporation) C:\WINDOWS\system32\user32.dll
2015-12-10 17:23 - 2015-11-25 00:09 - 01310880 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\user32.dll
2015-12-10 17:23 - 2015-11-25 00:01 - 02879024 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\iertutil.dll
2015-12-10 17:23 - 2015-11-24 23:49 - 01569280 _____ (Microsoft Corporation) C:\WINDOWS\system32\Windows.Globalization.dll
2015-12-10 17:23 - 2015-11-24 23:44 - 21872640 _____ (Microsoft Corporation) C:\WINDOWS\system32\edgehtml.dll
2015-12-10 17:23 - 2015-11-24 23:42 - 24592384 _____ (Microsoft Corporation) C:\WINDOWS\system32\mshtml.dll
2015-12-10 17:23 - 2015-11-24 23:36 - 01710592 _____ (Microsoft Corporation) C:\WINDOWS\system32\SRHInproc.dll
2015-12-10 17:23 - 2015-11-24 23:35 - 00929792 _____ (Microsoft Corporation) C:\WINDOWS\system32\SRH.dll
2015-12-10 17:23 - 2015-11-24 23:35 - 00845824 _____ (Microsoft Corporation) C:\WINDOWS\system32\Magnify.exe
2015-12-10 17:23 - 2015-11-24 23:34 - 12504576 _____ (Microsoft Corporation) C:\WINDOWS\system32\ieframe.dll
2015-12-10 17:23 - 2015-11-24 23:29 - 01649152 _____ (Microsoft Corporation) C:\WINDOWS\system32\comsvcs.dll
2015-12-10 17:23 - 2015-11-24 23:23 - 19323392 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\mshtml.dll
2015-12-10 17:23 - 2015-11-24 23:22 - 01717248 _____ (Microsoft Corporation) C:\WINDOWS\system32\GdiPlus.dll
2015-12-10 17:23 - 2015-11-24 23:18 - 01233920 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\Windows.Globalization.dll
2015-12-10 17:23 - 2015-11-24 23:17 - 00774656 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\SRH.dll
2015-12-10 17:23 - 2015-11-24 23:16 - 01442816 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\SRHInproc.dll
2015-12-10 17:23 - 2015-11-24 23:16 - 00786432 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\Magnify.exe
2015-12-10 17:23 - 2015-11-24 23:10 - 18801664 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\edgehtml.dll
2015-12-10 17:23 - 2015-11-24 23:10 - 01328128 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\comsvcs.dll
2015-12-10 17:23 - 2015-11-24 23:05 - 11263488 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\ieframe.dll
2015-12-10 17:23 - 2015-11-24 23:04 - 01467392 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\GdiPlus.dll
2015-12-10 17:22 - 2015-12-01 02:01 - 02115936 _____ (Microsoft Corporation) C:\WINDOWS\system32\Drivers\ntfs.sys
2015-12-10 17:22 - 2015-12-01 01:03 - 00008192 _____ (Microsoft Corporation) C:\WINDOWS\system32\Drivers\gpuenergydrv.sys
2015-12-10 17:22 - 2015-12-01 00:54 - 00771072 _____ (Microsoft Corporation) C:\WINDOWS\system32\Chakradiag.dll
2015-12-10 17:22 - 2015-12-01 00:49 - 04792320 _____ (Microsoft Corporation) C:\WINDOWS\system32\jscript9.dll
2015-12-10 17:22 - 2015-12-01 00:02 - 03580416 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\jscript9.dll
2015-12-10 17:22 - 2015-11-25 00:42 - 04532304 _____ (Microsoft Corporation) C:\WINDOWS\explorer.exe
2015-12-10 17:22 - 2015-11-25 00:42 - 00168288 _____ (Microsoft Corporation) C:\WINDOWS\system32\NetworkUXBroker.exe
2015-12-10 17:22 - 2015-11-25 00:41 - 01822280 _____ (Microsoft Corporation) C:\WINDOWS\system32\ntdll.dll
2015-12-10 17:22 - 2015-11-25 00:40 - 00516448 _____ (Microsoft Corporation) C:\WINDOWS\system32\Drivers\USBHUB3.SYS
2015-12-10 17:22 - 2015-11-25 00:32 - 00113184 _____ (Microsoft Corporation) C:\WINDOWS\system32\userenv.dll
2015-12-10 17:22 - 2015-11-25 00:12 - 04047288 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\explorer.exe
2015-12-10 17:22 - 2015-11-25 00:11 - 01532984 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\ntdll.dll
2015-12-10 17:22 - 2015-11-24 23:59 - 00092992 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\userenv.dll
2015-12-10 17:22 - 2015-11-24 23:49 - 00498688 _____ (Microsoft Corporation) C:\WINDOWS\system32\WlanMediaManager.dll
2015-12-10 17:22 - 2015-11-24 23:49 - 00467456 _____ (Microsoft Corporation) C:\WINDOWS\system32\MBMediaManager.dll
2015-12-10 17:22 - 2015-11-24 23:49 - 00270336 _____ (Microsoft Corporation) C:\WINDOWS\system32\RasMediaManager.dll
2015-12-10 17:22 - 2015-11-24 23:48 - 00146944 _____ (Microsoft Corporation) C:\WINDOWS\system32\EthernetMediaManager.dll
2015-12-10 17:22 - 2015-11-24 23:48 - 00126464 _____ (Microsoft Corporation) C:\WINDOWS\system32\DAMediaManager.dll
2015-12-10 17:22 - 2015-11-24 23:37 - 02350592 _____ (Microsoft Corporation) C:\WINDOWS\system32\authui.dll
2015-12-10 17:22 - 2015-11-24 23:36 - 00022528 _____ (Microsoft Corporation) C:\WINDOWS\system32\Drivers\usb8023.sys
2015-12-10 17:22 - 2015-11-24 23:31 - 00121344 _____ (Microsoft Corporation) C:\WINDOWS\system32\DAMM.dll
2015-12-10 17:22 - 2015-11-24 23:30 - 00171008 _____ (Microsoft Corporation) C:\WINDOWS\system32\dot3mm.dll
2015-12-10 17:22 - 2015-11-24 23:30 - 00147968 _____ (Microsoft Corporation) C:\WINDOWS\system32\Drivers\rmcast.sys
2015-12-10 17:22 - 2015-11-24 23:30 - 00080896 _____ (Microsoft Corporation) C:\WINDOWS\system32\Drivers\hdaudbus.sys
2015-12-10 17:22 - 2015-11-24 23:29 - 00355328 _____ (Microsoft Corporation) C:\WINDOWS\system32\ninput.dll
2015-12-10 17:22 - 2015-11-24 23:28 - 00572928 _____ (Microsoft Corporation) C:\WINDOWS\system32\vbscript.dll
2015-12-10 17:22 - 2015-11-24 23:28 - 00523776 _____ (Microsoft Corporation) C:\WINDOWS\system32\catsrvut.dll
2015-12-10 17:22 - 2015-11-24 23:27 - 02180608 _____ (Microsoft Corporation) C:\WINDOWS\system32\AppXDeploymentServer.dll
2015-12-10 17:22 - 2015-11-24 23:26 - 00849408 _____ (Microsoft Corporation) C:\WINDOWS\system32\comdlg32.dll
2015-12-10 17:22 - 2015-11-24 23:26 - 00181760 _____ (Microsoft Corporation) C:\WINDOWS\system32\shutdownux.dll
2015-12-10 17:22 - 2015-11-24 23:25 - 00324096 _____ (Microsoft Corporation) C:\WINDOWS\system32\profsvc.dll
2015-12-10 17:22 - 2015-11-24 23:25 - 00067072 _____ (Microsoft Corporation) C:\WINDOWS\system32\profext.dll
2015-12-10 17:22 - 2015-11-24 23:23 - 03588096 _____ (Microsoft Corporation) C:\WINDOWS\system32\win32kfull.sys
2015-12-10 17:22 - 2015-11-24 23:23 - 00587776 _____ (Microsoft Corporation) C:\WINDOWS\system32\ieui.dll
2015-12-10 17:22 - 2015-11-24 23:22 - 01383424 _____ (Microsoft Corporation) C:\WINDOWS\system32\win32kbase.sys
2015-12-10 17:22 - 2015-11-24 23:22 - 00603648 _____ (Microsoft Corporation) C:\WINDOWS\system32\duser.dll
2015-12-10 17:22 - 2015-11-24 23:22 - 00007168 _____ (Microsoft Corporation) C:\WINDOWS\system32\kbdgeoqw.dll
2015-12-10 17:22 - 2015-11-24 23:22 - 00007168 _____ (Microsoft Corporation) C:\WINDOWS\system32\KBDAZST.DLL
2015-12-10 17:22 - 2015-11-24 23:22 - 00007168 _____ (Microsoft Corporation) C:\WINDOWS\system32\KBDAZEL.DLL
2015-12-10 17:22 - 2015-11-24 23:22 - 00007168 _____ (Microsoft Corporation) C:\WINDOWS\system32\KBDAZE.DLL
2015-12-10 17:22 - 2015-11-24 23:19 - 01795584 _____ (Microsoft Corporation) C:\WINDOWS\system32\AppXDeploymentExtensions.dll
2015-12-10 17:22 - 2015-11-24 23:19 - 00185344 _____ (Microsoft Corporation) C:\WINDOWS\system32\psmsrv.dll
2015-12-10 17:22 - 2015-11-24 23:13 - 02153984 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\authui.dll
2015-12-10 17:22 - 2015-11-24 23:11 - 00296960 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\ninput.dll
2015-12-10 17:22 - 2015-11-24 23:10 - 00503296 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\vbscript.dll
2015-12-10 17:22 - 2015-11-24 23:10 - 00415744 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\catsrvut.dll
2015-12-10 17:22 - 2015-11-24 23:08 - 00749568 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\comdlg32.dll
2015-12-10 17:22 - 2015-11-24 23:07 - 00053248 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\profext.dll
2015-12-10 17:22 - 2015-11-24 23:04 - 00480768 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\duser.dll
2015-12-10 17:22 - 2015-11-24 23:04 - 00474624 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\ieui.dll
2015-12-10 17:22 - 2015-11-24 23:04 - 00007168 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\kbdgeoqw.dll
2015-12-10 17:22 - 2015-11-24 23:04 - 00007168 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\KBDAZST.DLL
2015-12-10 17:22 - 2015-11-24 23:04 - 00007168 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\KBDAZEL.DLL
2015-12-10 17:22 - 2015-11-24 23:04 - 00007168 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\KBDAZE.DLL
2015-12-10 17:22 - 2015-11-24 21:52 - 00775312 _____ C:\WINDOWS\SysWOW64\locale.nls
2015-12-10 17:22 - 2015-11-24 21:52 - 00775312 _____ C:\WINDOWS\system32\locale.nls
 
==================== One Month Modified files and folders ========
 
(If an entry is included in the fixlist, the file/folder will be moved.)
 
2015-12-26 18:20 - 2015-07-10 04:05 - 00000000 ____D C:\Windows
2015-12-26 18:18 - 2015-07-08 01:49 - 00000000 ____D C:\ProgramData\Lenovo
2015-12-26 18:15 - 2015-08-17 12:01 - 00000914 _____ C:\WINDOWS\Tasks\GoogleUpdateTaskMachineCore.job
2015-12-26 18:14 - 2015-07-10 07:21 - 00000006 ____H C:\WINDOWS\Tasks\SA.DAT
2015-12-26 18:13 - 2015-07-10 04:05 - 00524288 ___SH C:\WINDOWS\system32\config\BBI
2015-12-26 18:12 - 2015-08-21 14:42 - 00004148 _____ C:\WINDOWS\System32\Tasks\User_Feed_Synchronization-{FA9A598F-1163-4B4C-B389-77A738883F15}
2015-12-26 18:12 - 2015-08-17 12:01 - 00000918 _____ C:\WINDOWS\Tasks\GoogleUpdateTaskMachineUA.job
2015-12-26 17:18 - 2015-08-17 11:52 - 00002319 _____ C:\Users\L0gan\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Harmony Picks Introduction.lnk
2015-12-26 17:18 - 2015-08-17 11:52 - 00001423 _____ C:\Users\L0gan\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Harmony Settings Introduction.lnk
2015-12-26 17:18 - 2015-08-17 11:49 - 00000000 __SHD C:\Users\L0gan\IntelGraphicsProfiles
2015-12-26 16:27 - 2015-07-10 06:04 - 00000000 ___RD C:\WINDOWS\DesktopTileResources
2015-12-26 15:49 - 2015-08-18 21:35 - 00000000 ____D C:\Users\L0gan
2015-12-26 13:41 - 2015-07-10 06:04 - 00000000 ____D C:\WINDOWS\AppReadiness
2015-12-26 13:41 - 2015-07-10 06:02 - 00000000 ____D C:\WINDOWS\INF
2015-12-26 13:41 - 2015-07-08 02:15 - 00000000 ____D C:\WINDOWS\System32\Tasks\Lenovo
2015-12-26 13:41 - 2015-07-08 01:50 - 00000000 ____D C:\Program Files (x86)\Lenovo
2015-12-26 13:41 - 2015-07-08 01:49 - 00000000 ____D C:\Program Files\Lenovo
2015-12-26 13:39 - 2015-07-08 01:31 - 00000000 ____D C:\ProgramData\Package Cache
2015-12-26 13:38 - 2015-07-08 02:12 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Lenovo
2015-12-26 13:22 - 2015-07-10 06:04 - 00000000 ___HD C:\Program Files\WindowsApps
2015-12-26 13:16 - 2015-07-10 06:04 - 00000000 ____D C:\WINDOWS\system32\NDF
2015-12-26 13:13 - 2015-07-08 02:18 - 00000000 ____D C:\ProgramData\McAfee
2015-12-26 13:09 - 2015-08-18 21:49 - 00875126 _____ C:\WINDOWS\system32\PerfStringBackup.INI
2015-12-26 13:06 - 2015-08-18 02:43 - 00000000 __RHD C:\Users\Public\AccountPictures
2015-12-26 12:46 - 2015-07-08 02:25 - 00000000 ____D C:\ProgramData\Downloaded Installations
2015-12-26 11:47 - 2015-07-10 07:20 - 00214512 _____ C:\WINDOWS\system32\FNTCACHE.DAT
2015-12-25 22:12 - 2015-07-10 06:04 - 00000000 ____D C:\WINDOWS\system32\oobe
2015-12-17 18:47 - 2015-08-19 01:26 - 00000000 ___DC C:\WINDOWS\Panther
2015-12-17 16:07 - 2015-10-30 04:42 - 00000000 ___HD C:\$WINDOWS.~BT
2015-12-13 20:18 - 2015-09-14 13:00 - 00000000 ____D C:\Users\L0gan\AppData\Roaming\.minecraft
2015-12-13 19:16 - 2015-07-10 06:04 - 00000000 ____D C:\WINDOWS\SysWOW64\GroupPolicy
2015-12-13 19:16 - 2013-08-22 10:36 - 00000000 ___HD C:\WINDOWS\system32\GroupPolicy
2015-12-13 18:29 - 2015-07-10 05:55 - 00000000 ____D C:\WINDOWS\CbsTemp
2015-12-13 18:27 - 2015-08-18 09:58 - 00000000 ____D C:\WINDOWS\system32\MRT
2015-12-13 18:21 - 2015-08-18 09:57 - 140158008 _____ (Microsoft Corporation) C:\WINDOWS\system32\MRT.exe
2015-12-11 20:01 - 2015-08-17 11:49 - 00000000 ____D C:\Users\L0gan\AppData\Local\Packages
2015-12-08 22:39 - 2015-08-19 09:31 - 00301728 ____N (Microsoft Corporation) C:\WINDOWS\system32\MpSigStub.exe
2015-12-08 22:33 - 2015-08-19 07:16 - 00002414 _____ C:\Users\L0gan\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\OneDrive.lnk
2015-12-08 22:33 - 2015-08-19 07:16 - 00000000 ___RD C:\Users\L0gan\OneDrive
2015-12-03 21:07 - 2015-08-17 12:01 - 00003976 _____ C:\WINDOWS\System32\Tasks\GoogleUpdateTaskMachineUA
2015-12-03 21:07 - 2015-08-17 12:01 - 00003744 _____ C:\WINDOWS\System32\Tasks\GoogleUpdateTaskMachineCore
2015-11-30 19:32 - 2015-07-10 06:06 - 00826872 _____ (Adobe Systems Incorporated) C:\WINDOWS\SysWOW64\FlashPlayerApp.exe
2015-11-30 19:32 - 2015-07-10 06:06 - 00176632 _____ (Adobe Systems Incorporated) C:\WINDOWS\SysWOW64\FlashPlayerCPLApp.cpl
 
==================== Files in the root of some directories =======
 
2015-08-18 21:30 - 2015-08-18 21:30 - 0000000 ____H () C:\ProgramData\DP45977C.lfl
 
Some files in TEMP:
====================
C:\Users\aimee\AppData\Local\Temp\sqlite3.dll
C:\Users\L0gan\AppData\Local\Temp\sqlite3.dll
 
 
==================== Bamital & volsnap =================
 
(There is no automatic fix for files that do not pass verification.)
 
C:\WINDOWS\system32\winlogon.exe => File is digitally signed
C:\WINDOWS\system32\wininit.exe => File is digitally signed
C:\WINDOWS\explorer.exe => File is digitally signed
C:\WINDOWS\SysWOW64\explorer.exe => File is digitally signed
C:\WINDOWS\system32\svchost.exe => File is digitally signed
C:\WINDOWS\SysWOW64\svchost.exe => File is digitally signed
C:\WINDOWS\system32\services.exe => File is digitally signed
C:\WINDOWS\system32\User32.dll => File is digitally signed
C:\WINDOWS\SysWOW64\User32.dll => File is digitally signed
C:\WINDOWS\system32\userinit.exe => File is digitally signed
C:\WINDOWS\SysWOW64\userinit.exe => File is digitally signed
C:\WINDOWS\system32\rpcss.dll => File is digitally signed
C:\WINDOWS\system32\dnsapi.dll => File is digitally signed
C:\WINDOWS\SysWOW64\dnsapi.dll => File is digitally signed
C:\WINDOWS\system32\Drivers\volsnap.sys => File is digitally signed
 
 
LastRegBack: 2015-12-26 12:33
 

==================== End of FRST.txt ============================

Edited by nae13, 26 December 2015 - 08:34 PM.



 


#2 RPMcMurphy

RPMcMurphy

    Bleeping *^#@%~


  • Malware Response Team
  • 3,970 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:04:52 AM

Posted 26 December 2015 - 11:44 PM

Hello.  Please do this:

Open notepad. Please copy the contents of the code box below. To do this highlight the contents of the box and right click on it. Paste this into the open notepad. Save it in the same location as FRST (usually your desktop) as fixlist.txt

ProxyEnable: [.DEFAULT] => Proxy is enabled.
ProxyServer: [.DEFAULT] => http=127.0.0.1:47574
ProxyServer: [S-1-5-21-4012163830-1424664905-2834743002-1004] => http=127.0.0.1:47574
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
Task: {183A5617-EEB4-4BD1-89C4-61B5BE905FB3} - \Microsoft\Windows\Setup\gwx\launchtrayprocess -> No File <==== ATTENTION
Task: {21DF3B98-7E9B-44BF-B6FC-E30B6CEFA111} - \Microsoft\Windows\Setup\gwx\refreshgwxcontent -> No File <==== ATTENTION
Task: {2D489373-F463-4424-AD03-3DFEC57E118D} - \Microsoft\Windows\Setup\GWXTriggers\OutOfSleep-5d -> No File <==== ATTENTION
Task: {44F416DE-0D0C-4569-A0EA-09135CB50FB8} - \Microsoft\Windows\Setup\GWXTriggers\MachineUnlock-5d -> No File <==== ATTENTION
Task: {5ECC45E2-9C36-4AFF-B39B-33A15DD61714} - \Microsoft\Windows\Setup\gwx\refreshgwxconfigandcontent -> No File <==== ATTENTION
Task: {70BB000A-F14E-475C-AE5D-9926BC67F554} - \Microsoft\Windows\Setup\gwx\refreshgwxconfig -> No File <==== ATTENTION
Task: {8C7966C0-27BD-4E56-AFD7-B7F2398831D6} - \Microsoft\Windows\Setup\GWXTriggers\Telemetry-4xd -> No File <==== ATTENTION
Task: {C0A0D77D-EEBA-43DE-928B-859B68EDD5C8} - \Microsoft\Windows\Setup\GWXTriggers\Time-5d -> No File <==== ATTENTION
Task: {C5DD63DB-F438-4D83-AC75-A3D9AC76BDC4} - \Microsoft\Windows\Setup\GWXTriggers\OutOfIdle-5d -> No File <==== ATTENTION
Task: {D3A37BB0-1ACA-4D93-9D8A-AFA2121B6D7F} - \Microsoft\Windows\Setup\GWXTriggers\Logon-5d -> No File <==== ATTENTION
Task: {E524E944-DB75-4311-B9F5-8471990D36F0} - \Cassiopesa sate -> No File <==== ATTENTION
Task: {FCE85FBE-3928-4EE2-B14B-390573B1A9F5} - \Microsoft\Windows\Setup\GWXTriggers\refreshgwxconfig-B -> No File <==== ATTENTION
EmptyTemp:

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system

Now run FRST again.


  • When the tool opens click Yes to disclaimer.
  • Press the Fix button just once and wait.
  • The tool will make a log (Fixlog.txt) please post it to your reply.

 


Threads are closed after 5 days of inactivity.

ASAP & UNITE Member


The help you receive here is free. If you wish to show your appreciation, then you may donate.


#3 nae13

nae13
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  

Posted 27 December 2015 - 12:09 AM

Hello - thank you for the reply!  Below is the log after completing the steps above.

 

Fix result of Farbar Recovery Scan Tool (x64) Version:25-12-2015
Ran by aimee (2015-12-26 23:58:00) Run:1
Running from C:\Users\aimee\Desktop
Loaded Profiles: aimee (Available Profiles: L0gan & aimee)
Boot Mode: Normal
==============================================
 
fixlist content:
*****************
ProxyEnable: [.DEFAULT] => Proxy is enabled.
ProxyServer: [.DEFAULT] => http=127.0.0.1:47574
ProxyServer: [S-1-5-21-4012163830-1424664905-2834743002-1004] => http=127.0.0.1:47574
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
Task: {183A5617-EEB4-4BD1-89C4-61B5BE905FB3} - \Microsoft\Windows\Setup\gwx\launchtrayprocess -> No File <==== ATTENTION
Task: {21DF3B98-7E9B-44BF-B6FC-E30B6CEFA111} - \Microsoft\Windows\Setup\gwx\refreshgwxcontent -> No File <==== ATTENTION
Task: {2D489373-F463-4424-AD03-3DFEC57E118D} - \Microsoft\Windows\Setup\GWXTriggers\OutOfSleep-5d -> No File <==== ATTENTION
Task: {44F416DE-0D0C-4569-A0EA-09135CB50FB8} - \Microsoft\Windows\Setup\GWXTriggers\MachineUnlock-5d -> No File <==== ATTENTION
Task: {5ECC45E2-9C36-4AFF-B39B-33A15DD61714} - \Microsoft\Windows\Setup\gwx\refreshgwxconfigandcontent -> No File <==== ATTENTION
Task: {70BB000A-F14E-475C-AE5D-9926BC67F554} - \Microsoft\Windows\Setup\gwx\refreshgwxconfig -> No File <==== ATTENTION
Task: {8C7966C0-27BD-4E56-AFD7-B7F2398831D6} - \Microsoft\Windows\Setup\GWXTriggers\Telemetry-4xd -> No File <==== ATTENTION
Task: {C0A0D77D-EEBA-43DE-928B-859B68EDD5C8} - \Microsoft\Windows\Setup\GWXTriggers\Time-5d -> No File <==== ATTENTION
Task: {C5DD63DB-F438-4D83-AC75-A3D9AC76BDC4} - \Microsoft\Windows\Setup\GWXTriggers\OutOfIdle-5d -> No File <==== ATTENTION
Task: {D3A37BB0-1ACA-4D93-9D8A-AFA2121B6D7F} - \Microsoft\Windows\Setup\GWXTriggers\Logon-5d -> No File <==== ATTENTION
Task: {E524E944-DB75-4311-B9F5-8471990D36F0} - \Cassiopesa sate -> No File <==== ATTENTION
Task: {FCE85FBE-3928-4EE2-B14B-390573B1A9F5} - \Microsoft\Windows\Setup\GWXTriggers\refreshgwxconfig-B -> No File <==== ATTENTION
EmptyTemp:
*****************
 
HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxyEnable => value removed successfully
HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxyServer => value not found.
HKU\S-1-5-21-4012163830-1424664905-2834743002-1004\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxyServer => value removed successfully
"HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon\{183A5617-EEB4-4BD1-89C4-61B5BE905FB3}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{183A5617-EEB4-4BD1-89C4-61B5BE905FB3}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Setup\gwx\launchtrayprocess" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{21DF3B98-7E9B-44BF-B6FC-E30B6CEFA111}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{21DF3B98-7E9B-44BF-B6FC-E30B6CEFA111}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Setup\gwx\refreshgwxcontent" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{2D489373-F463-4424-AD03-3DFEC57E118D}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{2D489373-F463-4424-AD03-3DFEC57E118D}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Setup\GWXTriggers\OutOfSleep-5d" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{44F416DE-0D0C-4569-A0EA-09135CB50FB8}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{44F416DE-0D0C-4569-A0EA-09135CB50FB8}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Setup\GWXTriggers\MachineUnlock-5d" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{5ECC45E2-9C36-4AFF-B39B-33A15DD61714}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{5ECC45E2-9C36-4AFF-B39B-33A15DD61714}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Setup\gwx\refreshgwxconfigandcontent" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{70BB000A-F14E-475C-AE5D-9926BC67F554}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{70BB000A-F14E-475C-AE5D-9926BC67F554}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Setup\gwx\refreshgwxconfig" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{8C7966C0-27BD-4E56-AFD7-B7F2398831D6}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{8C7966C0-27BD-4E56-AFD7-B7F2398831D6}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Setup\GWXTriggers\Telemetry-4xd" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{C0A0D77D-EEBA-43DE-928B-859B68EDD5C8}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{C0A0D77D-EEBA-43DE-928B-859B68EDD5C8}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Setup\GWXTriggers\Time-5d" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{C5DD63DB-F438-4D83-AC75-A3D9AC76BDC4}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{C5DD63DB-F438-4D83-AC75-A3D9AC76BDC4}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Setup\GWXTriggers\OutOfIdle-5d" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon\{D3A37BB0-1ACA-4D93-9D8A-AFA2121B6D7F}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{D3A37BB0-1ACA-4D93-9D8A-AFA2121B6D7F}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Setup\GWXTriggers\Logon-5d" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{E524E944-DB75-4311-B9F5-8471990D36F0}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{E524E944-DB75-4311-B9F5-8471990D36F0}" => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Cassiopesa sate => key not found. 
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{FCE85FBE-3928-4EE2-B14B-390573B1A9F5}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{FCE85FBE-3928-4EE2-B14B-390573B1A9F5}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Setup\GWXTriggers\refreshgwxconfig-B" => key removed successfully
EmptyTemp: => 134.6 MB temporary data Removed.
 
 
The system needed a reboot.
 
==== End of Fixlog 23:58:11 ====
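The fixlist in post #2 and the Fixlog above touch three persistence spots at once: a per-user WinINet proxy pointed at a loopback port, an Internet Explorer policy key, and Task Scheduler registrations whose task file no longer exists. The audit script below is an added example (not FRST's code and not part of RPMcMurphy's fix) that reports those same indicators without changing anything; it assumes an elevated PowerShell on the affected machine, and like FRST it only sees user hives that are loaded at run time. The Start Page allowlist is an assumption to adjust for your own environment.

```powershell
#Requires -RunAsAdministrator
# Added audit script for the persistence spots the fixlist/fixlog in this thread dealt with.
# Not part of FRST and not the helper's fix: it only reports, it changes nothing.
#   1. per-user WinINet proxy (ProxyEnable / ProxyServer), including the .DEFAULT hive
#   2. the HKLM IE policy key FRST flagged as "Restriction"
#   3. each user's IE Start Page (the value MBAM later flagged as PUP.Optional.Cassiopesa)
#   4. Task Scheduler cache entries whose task file is gone (FRST's "-> No File")

if (-not (Get-PSDrive -Name HKU -ErrorAction SilentlyContinue)) {
    New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
}

# Loaded user hives, skipping the *_Classes hives, which hold no Internet Settings.
function Get-LoadedUserHives {
    Get-ChildItem -Path 'HKU:\' | Where-Object { $_.PSChildName -notmatch '_Classes$' } |
        ForEach-Object { $_.PSChildName }
}

function Get-UserProxyFindings {
    foreach ($sid in Get-LoadedUserHives) {
        $key = "HKU:\$sid\Software\Microsoft\Windows\CurrentVersion\Internet Settings"
        $p = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        if ($null -eq $p) { continue }
        if ($p.ProxyEnable -eq 1 -or -not [string]::IsNullOrEmpty($p.ProxyServer)) {
            [pscustomobject]@{
                Check    = 'UserProxy'
                Hive     = $sid
                Enabled  = ($p.ProxyEnable -eq 1)
                Server   = $p.ProxyServer
                # A loopback proxy (http=127.0.0.1:47574 in this thread) means a local
                # process is sitting between the browser and the network.
                Loopback = ($p.ProxyServer -match '127\.0\.0\.1|localhost')
            }
        }
    }
}

function Get-IEPolicyFindings {
    # A home machine normally has no IE policy key; hijackers create one to lock settings.
    $pol = 'HKLM:\SOFTWARE\Policies\Microsoft\Internet Explorer'
    if (Test-Path -Path $pol) {
        $names = Get-ChildItem -Path $pol -Recurse -ErrorAction SilentlyContinue |
            ForEach-Object { $_.Name }
        [pscustomobject]@{ Check = 'IEPolicyKey'; Key = $pol; Subkeys = (@($names) -join '; ') }
    }
}

function Get-StartPageFindings {
    # Assumed allowlist of ordinary default start pages; adjust for your environment.
    $expected = '^https?://(www\.)?(google|bing|msn|microsoft)\.com'
    foreach ($sid in Get-LoadedUserHives) {
        $main = "HKU:\$sid\Software\Microsoft\Internet Explorer\Main"
        $sp = (Get-ItemProperty -Path $main -ErrorAction SilentlyContinue).'Start Page'
        if ($sp -and $sp -notmatch $expected) {
            [pscustomobject]@{ Check = 'StartPage'; Hive = $sid; Url = $sp }
        }
    }
}

function Get-OrphanedTaskFindings {
    # Each registered task has a key under TaskCache\Tasks whose Path value names its XML
    # definition under %windir%\System32\Tasks. A key with no matching file is the
    # condition FRST prints as "-> No File"; the "\Cassiopesa sate" task above was one.
    $cache = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks'
    foreach ($k in Get-ChildItem -Path $cache -ErrorAction SilentlyContinue) {
        $taskPath = (Get-ItemProperty -Path $k.PSPath -ErrorAction SilentlyContinue).Path
        if ([string]::IsNullOrEmpty($taskPath)) { continue }
        $file = Join-Path -Path "$env:windir\System32\Tasks" -ChildPath $taskPath.TrimStart('\')
        if (-not (Test-Path -LiteralPath $file)) {
            [pscustomobject]@{
                Check       = 'OrphanedTask'
                Id          = $k.PSChildName
                TaskPath    = $taskPath
                MissingFile = $file
            }
        }
    }
}

function Invoke-HijackAudit {
    @(Get-UserProxyFindings) + @(Get-IEPolicyFindings) +
        @(Get-StartPageFindings) + @(Get-OrphanedTaskFindings)
}

$findings = Invoke-HijackAudit
if ($findings.Count -eq 0) {
    'No proxy, IE policy, start page or orphaned task findings in the loaded hives.'
} else {
    $findings | Format-List
}
```

Review each finding before acting on it: leftover GWX task registrations, like the ones in the fixlist above, show up as orphaned tasks too, and they are clutter rather than a hijack.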


#4 RPMcMurphy

RPMcMurphy

    Bleeping *^#@%~


  • Malware Response Team
  • 3,970 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:04:52 AM

Posted 27 December 2015 - 12:20 AM

How is it running now?  Please do this:

Open Malwarebytes AntiMalware (MBAM)

  • On the Dashboard, click the 'Update Now >>' link
  • After the update completes, click the 'Scan Now >>' button.
  • Or, on the Dashboard, click the Scan Now >> button.
  • If an update is available, click the Update Now button.
  • A Threat Scan will begin.
  • When the scan is complete, if there have been detections, click Apply Actions to allow MBAM to clean what was detected.
  • In most cases, a restart will be required.
  • Wait for the prompt to restart the computer to appear, then click on Yes.
  • After the restart once you are back at your desktop, open MBAM once more.
  • Click on the History tab > Application Logs.
  • Double click on the scan log which shows the Date and time of the scan just performed.
  • Click 'Copy to Clipboard'
  • Paste the contents of the clipboard into your reply.

Go here to run an online scanner from ESET. Windows Vista/Windows 7 users will need to right click on their Internet Explorer shortcut, and select Run as Administrator


  • Note: For browsers other than Internet Explorer, you will be prompted to download and install esetsmartinstaller_enu.exe. Click on the link and save the file to a convenient location. Double click on it to install and a new window will open. Follow the prompts.
  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the activex control to install
  • Click Start
  • Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked.
  • Click on Advanced Settings, ensure the options Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
  • Click Scan
  • Wait for the scan to finish
  • When the scan is done, if it shows a screen that says "Threats found!", then click "List of found threats", and then click "Export to text file..."
  • Save that text file on your desktop. Copy and paste the contents of that log as a reply to this topic.

Please include the following in your next post:

  • How is the computer running now?
  • MBAM log
  • ESET log

 




#5 nae13

nae13
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  

Posted 27 December 2015 - 11:58 AM

Good morning,

 

I still get the redirect when searching for adwcleaner on her user account. The MBAM log did not require a restart. Unfortunately I was a bit confused last night.  The screens didn't match up to your instructions below on ESET and I thought the advanced options would appear on the next screen.  Ultimately it ran overnight with the default settings, including the automatic removal. That log is below.  I re-ran this morning paying closer attention and making sure the additional scan options were chosen plus the tick mark removed from removing them. It came back with no threats identified but there is a list in the quarantine which I couldn't copy/paste or export.  I apologize if this creates any additional challenges for you. 

 

MBAM log:

Malwarebytes Anti-Malware
www.malwarebytes.org
 
Scan Date: 12/27/2015
Scan Time: 12:35 AM
Logfile: 
Administrator: Yes
 
Version: 2.2.0.1024
Malware Database: v2015.12.27.01
Rootkit Database: v2015.12.26.01
License: Free
Malware Protection: Disabled
Malicious Website Protection: Disabled
Self-protection: Disabled
 
OS: Windows 10
CPU: x64
File System: NTFS
User: aimee
 
Scan Type: Threat Scan
Result: Completed
Objects Scanned: 376966
Time Elapsed: 35 min, 53 sec
 
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled
 
Processes: 0
(No malicious items detected)
 
Modules: 0
(No malicious items detected)
 
Registry Keys: 0
(No malicious items detected)
 
Registry Values: 0
(No malicious items detected)
 
Registry Data: 1
PUP.Optional.Cassiopesa, HKU\S-1-5-21-4012163830-1424664905-2834743002-1001\SOFTWARE\MICROSOFT\INTERNET EXPLORER\MAIN|Start Page, http://www.cassiopessa.com/?f=1&a=csp_installertech_15_50&cd=2XzuyEtN2Y1L1Qzu0EyC0Fzzzy0CtAtAyDtD0CtBzz0E0FtCtN0D0Tzu0StCyEyEtBtN1L2XzutAtFtCtBtFyDtFtDtN1L1Czu1R1B1E1V1L1G1B2Z1T1I1I1P1C2Z1P1R1MtN1L1G1B1V1N2Y1L1Qzu2StAzytB0EyBzzzyyCtGyB0A0CyDtGyD0AtC0AtGyCyEyE0EtG0DtA0E0BtC0EtAyEtCyDzy0E2QtN1M1F1B2Z1V1N2Y1L1Qzu2SyD0A0ByByBzz0EzztG0ByD0B0CtGyE0F0C0AtGzzyD0E0FtGzz0CtDtB0DtD0F0EyEtCtC0F2QtN0A0LzuyE&cr=1004075132&ir=, Good: (www.google.com), Bad: (http://www.cassiopessa.com/?f=1&a=csp_installertech_15_50&cd=2XzuyEtN2Y1L1Qzu0EyC0Fzzzy0CtAtAyDtD0CtBzz0E0FtCtN0D0Tzu0StCyEyEtBtN1L2XzutAtFtCtBtFyDtFtDtN1L1Czu1R1B1E1V1L1G1B2Z1T1I1I1P1C2Z1P1R1MtN1L1G1B1V1N2Y1L1Qzu2StAzytB0EyBzzzyyCtGyB0A0CyDtGyD0AtC0AtGyCyEyE0EtG0DtA0E0BtC0EtAyEtCyDzy0E2QtN1M1F1B2Z1V1N2Y1L1Qzu2SyD0A0ByByBzz0EzztG0ByD0B0CtGyE0F0C0AtGzzyD0E0FtGzz0CtDtB0DtD0F0EyEtCtC0F2QtN0A0LzuyE&cr=1004075132&ir=),Replaced,[fa13fcaee4a769cd97f2484b758f738d]
 
Folders: 0
(No malicious items detected)
 
Files: 0
(No malicious items detected)
 
Physical Sectors: 0
(No malicious items detected)
 
 
(end)
 
First ESET scan log:
 
C:\AdwCleaner\Quarantine\C\Program Files\WNEn\4c30ef421a1964c3d05d743caa0469c6.exe.vir a variant of Win32/Wajam.AA potentially unwanted application cleaned by deleting - quarantined
C:\AdwCleaner\Quarantine\C\Program Files\WNEn\WNEnlibs\idghsy.dll.vir a variant of Win32/Wajam.AA potentially unwanted application cleaned by deleting - quarantined
C:\AdwCleaner\Quarantine\C\Program Files (x86)\Consumer Input\CIuninstall.exe.vir a variant of Win32/Compete.C potentially unwanted application deleted - quarantined
C:\AdwCleaner\Quarantine\C\Program Files (x86)\Consumer Input\Firefox\uninstall.exe.vir a variant of Win32/Compete.C potentially unwanted application deleted - quarantined
C:\AdwCleaner\Quarantine\C\Program Files (x86)\Consumer Input\InternetExplorer\cpturlpassthru.dll.vir a variant of Win32/Compete.D potentially unwanted application cleaned by deleting - quarantined
C:\AdwCleaner\Quarantine\C\Program Files (x86)\Consumer Input\InternetExplorer\dca-bho.dll.vir a variant of Win32/Compete.D potentially unwanted application cleaned by deleting - quarantined
C:\AdwCleaner\Quarantine\C\Program Files (x86)\Consumer Input\InternetExplorer\uninstall.exe.vir a variant of Win32/Compete.C potentially unwanted application deleted - quarantined
C:\AdwCleaner\Quarantine\C\Program Files (x86)\Consumer Input\Monitoring\cinm-host.exe.vir a variant of Win32/Compete.D potentially unwanted application cleaned by deleting - quarantined
C:\AdwCleaner\Quarantine\C\Program Files (x86)\Consumer Input\Monitoring\dca-monitoring.exe.vir a variant of Win32/Compete.C potentially unwanted application cleaned by deleting - quarantined
C:\AdwCleaner\Quarantine\C\Program Files (x86)\Consumer Input\Monitoring\uninstall.exe.vir a variant of Win32/Compete.C potentially unwanted application deleted - quarantined
C:\AdwCleaner\Quarantine\C\Program Files (x86)\Consumer Input\Update\1.3.25.309\goopdate.dll.vir a variant of Win32/Compete.A potentially unwanted application cleaned by deleting - quarantined
C:\AdwCleaner\Quarantine\C\Program Files (x86)\Consumer Input\Update\1.3.25.309\psmachine.dll.vir a variant of Win32/Compete.A potentially unwanted application cleaned by deleting - quarantined
C:\AdwCleaner\Quarantine\C\Program Files (x86)\Consumer Input\Update\1.3.25.309\psuser.dll.vir a variant of Win32/Compete.A potentially unwanted application cleaned by deleting - quarantined
C:\AdwCleaner\Quarantine\C\Program Files (x86)\Consumer Input\Update\Download\{1138A907-2253-45D6-99C1-843A0AC58730}\0.0.0.0\ciie-3.2.0-12456.exe.vir a variant of Win32/Compete.C potentially unwanted application deleted - quarantined
C:\AdwCleaner\Quarantine\C\Program Files (x86)\Consumer Input\Update\Download\{B3F80DB8-951F-4A2A-BE2F-ED6F4FF63B98}\0.0.0.0\cimt-3.2.1-1130.exe.vir a variant of Win32/Compete.C potentially unwanted application deleted - quarantined
C:\AdwCleaner\Quarantine\C\Program Files (x86)\Consumer Input\Update\Download\{B3F80DB8-951F-4A2A-BE2F-ED6F4FF63B98}\0.0.0.0\cimt-3.2.1-1131.exe.vir a variant of Win32/Compete.C potentially unwanted application deleted - quarantined
C:\AdwCleaner\Quarantine\C\Program Files (x86)\Consumer Input\Update\Download\{C7B061F6-380E-4545-86E3-400E3156FD28}\0.0.0.0\ciff-3.2.0-12229.exe.vir a variant of Win32/Compete.C potentially unwanted application deleted - quarantined
C:\AdwCleaner\Quarantine\C\Program Files (x86)\Consumer Input\Update\Download\{C7B061F6-380E-4545-86E3-400E3156FD28}\0.0.0.0\ciff-3.2.0-12244.exe.vir a variant of Win32/Compete.C potentially unwanted application deleted - quarantined
C:\Users\L0gan\Downloads\SetupNow (1).exe multiple threats cleaned by deleting - quarantined
C:\Users\L0gan\Downloads\SetupNow (2).exe multiple threats cleaned by deleting - quarantined
C:\Users\L0gan\Downloads\SetupNow (3).exe multiple threats cleaned by deleting - quarantined
C:\Users\L0gan\Downloads\SetupNow (4).exe multiple threats cleaned by deleting - quarantined
C:\Users\L0gan\Downloads\SetupNow.exe multiple threats cleaned by deleting - quarantined
C:\Windows.old\Users\L0gan\AppData\Local\Microsoft\Windows\INetCache\IE\H3F15KD1\optin[1].php a variant of Win32/DealPly.CH potentially unwanted application cleaned by deleting - quarantined
C:\Windows.old\Users\L0gan\AppData\Local\Microsoft\Windows\INetCache\IE\H3F15KD1\optin[2].php a variant of Win32/Wajam.AA potentially unwanted application deleted - quarantined
C:\Windows.old\Users\L0gan\AppData\Local\Microsoft\Windows\INetCache\IE\L48LATK6\optin[1].php a variant of Win32/Compete.C potentially unwanted application deleted - quarantined
C:\Windows.old\Users\L0gan\AppData\Local\Microsoft\Windows\INetCache\IE\L48LATK6\optin[2].php Win32/Adware.MarketScore.A application cleaned by deleting - quarantined
C:\Windows.old\Users\L0gan\AppData\Local\Microsoft\Windows\INetCache\IE\MOXCLNV3\optin[1].php a variant of Win32/RiskWare.VMDetector.A application cleaned by deleting - quarantined
C:\Windows.old\Users\L0gan\AppData\Local\Microsoft\Windows\INetCache\IE\WJFZWKRG\google_chrome_setup[1].exe a variant of Win32/DownloadAssistant.C potentially unwanted application cleaned by deleting - quarantined
 


#6 nae13

nae13
  • Topic Starter

  • Members
  • 6 posts

Posted 27 December 2015 - 12:08 PM

Hello, after posting the above I rebooted the computer and tried searching for Adwcleaner and it worked!  No redirect or sign of cassiopesa.com.  

 

I will wait to hear from you with hopefully the all clear before allowing my daughter to use the computer again.  Thank you so much. 



#7 RPMcMurphy

RPMcMurphy

    Bleeping *^#@%~


  • Malware Response Team
  • 3,970 posts
  • Gender:Male

Posted 27 December 2015 - 01:00 PM

That all looks good.  All I have left for you is some housekeeping:

Download OTC to your desktop and run it

  • Click Yes to begin the cleanup process and remove these components, including this application.
  • You will be asked to reboot the machine to finish the cleanup process. If you are asked to reboot the machine choose Yes.
  • Manually delete any remaining logs or tools from our fixes

Double click on AdwCleaner.exe to run the tool again.


  • Click on the Uninstall button.
  • Click Yes when asked are you sure you want to uninstall.
  • Both AdwCleaner.exe, its folder and all logs will be removed.

Finally, I'd like to make a couple of suggestions to help you stay clean in the future:


  • Restart any anti-malware programs that we disabled while we were cleaning your machine.
  • Keep your antivirus application and MBAM current and updated.  Scan with them at least weekly.

Please post once more so I know you are all set and I can mark this thread resolved. Good luck and stay safe!

 


Threads are closed after 5 days of inactivity.

ASAP & UNITE Member


The help you receive here is free. If you wish to show your appreciation, then you may donate.


#8 nae13

nae13
  • Topic Starter

  • Members
  • 6 posts

Posted 27 December 2015 - 04:11 PM

The Adwcleaner found cassiopesa.com in the logs. I stopped there in your instructions and am posting that log below.  Should I continue to uninstall Adwcleaner?

 

# AdwCleaner v5.026 - Logfile created 27/12/2015 at 16:04:22
# Updated 21/12/2015 by Xplode
# Database : 2015-12-23.1 [Server]
# Operating system : Windows 10 Home  (x64)
# Username : aimee - LOGAN
# Running from : C:\Users\aimee\Downloads\adwcleaner_5.026 (1).exe
# Option : Cleaning
 
***** [ Services ] *****
 
 
***** [ Folders ] *****
 
 
***** [ Files ] *****
 
 
***** [ DLLs ] *****
 
 
***** [ Shortcuts ] *****
 
 
***** [ Scheduled tasks ] *****
 
 
***** [ Registry ] *****
 
[-] Data Restored : HKCU\Software\Microsoft\Internet Explorer\Main [Default_Secondary_Page_URL]
 
***** [ Web browsers ] *****
 
[-] [C:\Users\L0gan\AppData\Local\Google\Chrome\User Data\Default\Web Data] [Search Provider] Deleted : cassiopesa.com
[-] [C:\Users\L0gan\AppData\Local\Google\Chrome\User Data\Default\Web Data] [Search Provider] Deleted : aol.com
[-] [C:\Users\L0gan\AppData\Local\Google\Chrome\User Data\Default\Web Data] [Search Provider] Deleted : ask.com
[-] [C:\Users\L0gan\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences] [Startup_URLs] Deleted : hxxp://www.cassiopessa.com/?f=7&a=csp_installertech_15_50&cd=2XzuyEtN2Y1L1Qzu0EyC0Fzzzy0CtAtAyDtD0CtBzz0E0FtCtN0D0Tzu0StCyEyEtBtN1L2XzutAtFtCtBtFyDtFtDtN1L1Czu1R1B1E1V1L1G1B2Z1T1I1I1P1C2Z1P1R1MtN1L1G1B1V1N2Y1L1Qzu2StAzytB0EyBzzzyyCtGyB0A0CyDtGyD0AtC0AtGyCyEyE0EtG0DtA0E0BtC0EtAyEtCyDzy0E2QtN1M1F1B2Z1V1N2Y1L1Qzu2SyD0A0ByByBzz0EzztG0ByD0B0CtGyE0F0C0AtGzzyD0E0FtGzz0CtDtB0DtD0F0EyEtCtC0F2QtN0A0LzuyE&cr=1004075132&ir=
[-] [C:\Users\L0gan\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences] [Homepage] Deleted : hxxp://www.cassiopessa.com/?f=1&a=csp_installertech_15_50&cd=2XzuyEtN2Y1L1Qzu0EyC0Fzzzy0CtAtAyDtD0CtBzz0E0FtCtN0D0Tzu0StCyEyEtBtN1L2XzutAtFtCtBtFyDtFtDtN1L1Czu1R1B1E1V1L1G1B2Z1T1I1I1P1C2Z1P1R1MtN1L1G1B1V1N2Y1L1Qzu2StAzytB0EyBzzzyyCtGyB0A0CyDtGyD0AtC0AtGyCyEyE0EtG0DtA0E0BtC0EtAyEtCyDzy0E2QtN1M1F1B2Z1V1N2Y1L1Qzu2SyD0A0ByByBzz0EzztG0ByD0B0CtGyE0F0C0AtGzzyD0E0FtGzz0CtDtB0DtD0F0EyEtCtC0F2QtN0A0LzuyE&cr=1004075132&ir=
 
*************************
 
:: "Tracing" keys removed
:: Winsock settings cleared
 
########## EOF - C:\AdwCleaner\AdwCleaner[C4].txt - [2157 bytes] ##########
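
A defender's check for the two places the AdwCleaner log above shows the hijacker living in Chrome's per-user profile: the Web Data search-provider table and the Secure Preferences homepage and startup URLs. This is an added example, not code from the thread or from AdwCleaner; it assumes Chrome's JSON keys `homepage` and `session.startup_urls` and the `keywords` table in Web Data, and scans a constructed sample profile rather than a live one.

```python
import json
import os
import sqlite3
import tempfile

SUSPECT_DOMAINS = ("cassiopesa.com", "cassiopessa.com")  # both spellings seen in the log

def find_hijack_indicators(secure_prefs_path, web_data_path, suspect=SUSPECT_DOMAINS):
    """Return (location, value) pairs in a Chrome profile that reference a suspect domain."""
    hits = []
    with open(secure_prefs_path, encoding="utf-8") as fh:
        prefs = json.load(fh)  # Secure Preferences is a JSON document
    homepage = prefs.get("homepage", "")
    if any(d in homepage for d in suspect):
        hits.append(("Secure Preferences [Homepage]", homepage))
    for url in prefs.get("session", {}).get("startup_urls", []):
        if any(d in url for d in suspect):
            hits.append(("Secure Preferences [Startup_URLs]", url))
    conn = sqlite3.connect(web_data_path)  # Web Data is SQLite; providers sit in "keywords"
    try:
        for keyword, url in conn.execute("SELECT keyword, url FROM keywords"):
            if any(d in (keyword or "") or d in (url or "") for d in suspect):
                hits.append(("Web Data [Search Provider]", keyword))
    finally:
        conn.close()
    return hits

def build_sample_profile(directory):
    """Write a constructed (not real) profile modelled on the log entries above."""
    prefs = {"homepage": "http://www.cassiopessa.com/?f=1",
             "session": {"startup_urls": ["http://www.cassiopessa.com/?f=7", "https://www.google.com/"]}}
    prefs_path = os.path.join(directory, "Secure Preferences")
    with open(prefs_path, "w", encoding="utf-8") as fh:
        json.dump(prefs, fh)
    db_path = os.path.join(directory, "Web Data")
    conn = sqlite3.connect(db_path)
    conn.execute("CREATE TABLE keywords (id INTEGER PRIMARY KEY, keyword TEXT, url TEXT)")
    conn.executemany("INSERT INTO keywords (keyword, url) VALUES (?, ?)",
                     [("google.com", "{google:baseURL}search?q={searchTerms}"),
                      ("cassiopesa.com", "http://www.cassiopesa.com/web?q={searchTerms}")])
    conn.commit()
    conn.close()
    return prefs_path, db_path

def demo():
    """Build the constructed profile in a temp dir, scan it and return the hits."""
    with tempfile.TemporaryDirectory() as tmp:
        return find_hijack_indicators(*build_sample_profile(tmp))
```

To check a real profile, pass the two paths shown in the log under the affected user's Chrome `User Data\Default` folder with Chrome closed (it keeps Web Data locked while running), or point the function at copies of the files.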


#9 RPMcMurphy

RPMcMurphy

    Bleeping *^#@%~


  • Malware Response Team
  • 3,970 posts
  • Gender:Male

Posted 27 December 2015 - 05:32 PM

Those entries are all showing as deleted, so you may continue.




#10 nae13

nae13
  • Topic Starter

  • Members
  • 6 posts

Posted 27 December 2015 - 07:33 PM

I went back into her account and it's redirecting back to Cassiopesa.com.  Would it make sense to just delete her user account and start over since it doesn't occur on my account?



#11 RPMcMurphy

RPMcMurphy

    Bleeping *^#@%~


  • Malware Response Team
  • 3,970 posts
  • Gender:Male

Posted 27 December 2015 - 11:47 PM

That shouldn't be necessary, let me have another look.  Please re-download and run FRST for me and post the two logs.




#12 RPMcMurphy

RPMcMurphy

    Bleeping *^#@%~


  • Malware Response Team
  • 3,970 posts
  • Gender:Male

Posted 02 January 2016 - 04:34 PM

Due to the lack of feedback, this topic is now closed.

In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days.

Please include a link to your topic in the Private Message. Thank you.





