
Frozen - Suggested by buddy215


  • This topic is locked
7 replies to this topic

#1 matchead

matchead

  • Members
  • 52 posts
  • OFFLINE
  • Local time:09:23 PM

Posted 15 January 2016 - 12:33 PM

Had issues with screen freezing on different websites. Ran Eset and other programs per advice from buddy215. (See post titled "Frozen" in the "Am I infected" forum.) buddy215 advised posting here.

 

FRST log:

 

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version:10-01-2015 01
Ran by Michael (administrator) on MICHAEL-HP (15-01-2016 12:24:09)
Running from C:\Users\Michael\Desktop
Loaded Profiles: Michael (Available Profiles: Michael)
Platform: Windows 7 Home Premium Service Pack 1 (X64) Language: English (United States)
Internet Explorer Version 11 (Default browser: IE)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(NVIDIA Corporation) C:\Windows\System32\nvvsvc.exe
(NVIDIA Corporation) C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
(Creative Technology Ltd) C:\Program Files (x86)\Creative\Shared Files\CTAudSvc.exe
(Microsoft Corporation) C:\Windows\System32\wlanext.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe
(NVIDIA Corporation) C:\Windows\System32\nvvsvc.exe
(Andrea Electronics Corporation) C:\Program Files\IDT\WDM\AESTSr64.exe
(AMD) C:\Program Files (x86)\AMD\RAIDXpert\bin\RAIDXpertService.exe
(AMD) C:\Program Files (x86)\AMD\RAIDXpert\bin\RAIDXpert.exe
(Apple Inc.) C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
(Apple Inc.) C:\Program Files\Bonjour\mDNSResponder.exe
(Broadcom Corporation.) C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe
(Creative Technology Ltd) C:\Windows\SysWOW64\CtHdaSvc.exe
(Hewlett-Packard Company) C:\Program Files\Hewlett-Packard\HP Client Services\HPClientServices.exe
(Hewlett-Packard Company) C:\Program Files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe
(Microsoft Corporation) C:\Program Files\Microsoft LifeCam\MSCamS64.exe
(Symantec Corporation) C:\Program Files (x86)\Symantec\Norton Online Backup\NOBuAgent.exe
(NVIDIA Corporation) C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe
(PDF Complete Inc) C:\Program Files (x86)\PDF Complete\pdfsvc.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe
(Microsoft Corporation) C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe
(Microsoft Corp.) C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
(Hewlett-Packard) C:\Program Files (x86)\Hewlett-Packard\HP Odometer\hpsysdrv.exe
(Microsoft Corporation) C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe
(NVIDIA Corporation) C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe
(Broadcom Corporation.) C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
(Microsoft Corp.) C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVCM.EXE
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\Display\nvtray.exe
(Microsoft Corporation) C:\Program Files (x86)\Common Files\microsoft shared\Virtualization Handler\CVHSVC.EXE
(Microsoft Corporation) C:\Windows\SysWOW64\rundll32.exe
(Creative Technology Ltd) C:\Program Files (x86)\Creative\Sound Blaster Recon3D PCIe\Sound Blaster Recon3D PCIe Control Panel\SBRnPCIe.exe
(AMD) C:\Windows\SysWOW64\WinMsgBalloonServer.exe
(AMD) C:\Windows\SysWOW64\WinMsgBalloonClient.exe
(Hewlett-Packard) C:\Program Files (x86)\Hewlett-Packard\TouchSmart\Calendar\Service\GCalService.exe
(Hewlett-Packard) C:\Program Files (x86)\Hewlett-Packard\TouchSmart\Calendar\Service\HPTouchSmartSyncCalReminderApp.exe
(Hewlett-Packard Company) C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\HPSA_Service.exe
(Microsoft Corporation) C:\Windows\Microsoft.NET\Framework64\v3.0\WPF\PresentationFontCache.exe

==================== Registry (Whitelisted) ===========================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [hpsysdrv] => c:\program files (x86)\hewlett-packard\HP odometer\hpsysdrv.exe [62768 2008-11-20] (Hewlett-Packard)
HKLM\...\Run: [NvBackend] => C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe [2234144 2014-02-05] (NVIDIA Corporation)
HKLM-x32\...\Run: [Norton Online Backup] => C:\Program Files (x86)\Symantec\Norton Online Backup\NOBuClient.exe [1155928 2010-06-01] (Symantec Corporation)
HKLM-x32\...\Run: [Sound Blaster Recon3D PCIe Control Panel] => C:\Program Files (x86)\Creative\Sound Blaster Recon3D PCIe\Sound Blaster Recon3D PCIe Control Panel\SBRnPCIe.exe [880128 2011-11-14] (Creative Technology Ltd)
HKLM-x32\...\Run: [LifeCam] => C:\Program Files (x86)\Microsoft LifeCam\LifeExp.exe [135536 2010-12-13] (Microsoft Corporation)
HKU\S-1-5-21-3700214913-4012731398-408642833-1000\...\MountPoints2: {155050a6-888e-11e1-ae6d-74de2b79a656} - J:\unlock.exe autoplay=true
HKU\S-1-5-21-3700214913-4012731398-408642833-1000\...\MountPoints2: {8005e798-86f7-11e1-a309-74de2b79a656} - J:\LaunchU3.exe -a
HKU\S-1-5-18\...\RunOnce: [FlashPlayerUpdate] => C:\Windows\SysWOW64\Macromed\Flash\FlashUtil32_11_7_700_202_ActiveX.exe -update activex
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Bluetooth.lnk [2012-01-24]
ShortcutTarget: Bluetooth.lnk -> C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe (Broadcom Corporation.)

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

Tcpip\Parameters: [DhcpNameServer] 209.18.47.61 209.18.47.62
Tcpip\..\Interfaces\{DF142E93-FFB4-4B09-8121-D09AFE5B13D1}: [DhcpNameServer] 209.18.47.61 209.18.47.62

Internet Explorer:
==================
HKU\S-1-5-21-3700214913-4012731398-408642833-1000\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.msn.com/?PC=msnHomeST&OCID=msnHomepage
HKU\S-1-5-21-3700214913-4012731398-408642833-1000\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://g.msn.com/HPDSK/1
SearchScopes: HKLM -> {1EABE305-EE57-4491-B2A5-30393E9DA13D} URL = hxxp://www.amazon.com/s/ref=azs_osd_iea?ie=UTF-8&tag=hp-us1-vsb-20&link%5Fcode=qs&index=aps&field-keywords={searchTerms}
SearchScopes: HKLM -> {D944BB61-2E34-4DBF-A683-47E505C587DC} URL = hxxp://rover.ebay.com/rover/1/711-30572-11896-1/4?mpre=hxxp://www.ebay.com/sch/i.html?_nkw={searchTerms}
SearchScopes: HKLM-x32 -> {D944BB61-2E34-4DBF-A683-47E505C587DC} URL = hxxp://rover.ebay.com/rover/1/711-30572-11896-1/4?mpre=hxxp://www.ebay.com/sch/i.html?_nkw={searchTerms}
SearchScopes: HKU\S-1-5-21-3700214913-4012731398-408642833-1000 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = hxxp://www.bing.com/search?q={searchTerms}&form=HPDTDF&pc=HPDTDF&src=IE-SearchBox
SearchScopes: HKU\S-1-5-21-3700214913-4012731398-408642833-1000 -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = hxxp://www.bing.com/search?q={searchTerms}&form=HPDTDF&pc=HPDTDF&src=IE-SearchBox
SearchScopes: HKU\S-1-5-21-3700214913-4012731398-408642833-1000 -> {D944BB61-2E34-4DBF-A683-47E505C587DC} URL = hxxp://rover.ebay.com/rover/1/711-30572-11896-1/4?mpre=hxxp://www.ebay.com/sch/i.html?_nkw={searchTerms}
BHO: Lync Browser Helper -> {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} -> C:\Program Files\Microsoft Office\Office15\OCHelper.dll [2012-10-01] (Microsoft Corporation)
BHO: Windows Live ID Sign-in Helper -> {9030D464-4C02-4ABF-8ECC-5164760863C6} -> C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll [2011-03-29] (Microsoft Corp.)
BHO: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files\Microsoft Office\Office15\URLREDIR.DLL [2012-10-01] (Microsoft Corporation)
BHO: Microsoft SkyDrive Pro Browser Helper -> {D0498E0A-45B7-42AE-A9AA-ABA463DBD3BF} -> C:\Program Files\Microsoft Office\Office15\GROOVEEX.DLL [2012-10-01] (Microsoft Corporation)
BHO-x32: Lync Browser Helper -> {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} -> C:\Program Files (x86)\Microsoft Office\Office15\OCHelper.dll [2012-10-01] (Microsoft Corporation)
BHO-x32: Windows Live ID Sign-in Helper -> {9030D464-4C02-4ABF-8ECC-5164760863C6} -> C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll [2011-03-28] (Microsoft Corp.)
BHO-x32: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files (x86)\Microsoft Office\Office15\URLREDIR.DLL [2012-10-01] (Microsoft Corporation)
BHO-x32: Microsoft SkyDrive Pro Browser Helper -> {D0498E0A-45B7-42AE-A9AA-ABA463DBD3BF} -> C:\Program Files (x86)\Microsoft Office\Office15\GROOVEEX.DLL [2012-10-01] (Microsoft Corporation)
DPF: HKLM-x32 {7530BFB8-7293-4D34-9923-61A11451AFC5} hxxp://download.eset.com/special/eos/OnlineScanner.cab

FireFox:
========
FF ProfilePath: C:\Users\Michael\AppData\Roaming\Mozilla\Firefox\Profiles\3bvyeog0.default
FF Homepage: hxxp://www.msn.com/?pc=SL5E&ocid=SL5EDHP&osmkt=en-us
FF Plugin: @adobe.com/FlashPlayer -> C:\Windows\system32\Macromed\Flash\NPSWF64_20_0_0_285.dll [2016-01-13] ()
FF Plugin: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files\Microsoft Silverlight\5.1.41212.0\npctrl.dll [2015-12-11] ( Microsoft Corporation)
FF Plugin-x32: @adobe.com/FlashPlayer -> C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_20_0_0_285.dll [2016-01-13] ()
FF Plugin-x32: @Apple.com/iTunes,version=1.0 -> C:\Program Files (x86)\iTunes\Mozilla Plugins\npitunes.dll [2013-04-08] ()
FF Plugin-x32: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin-x32: @microsoft.com/Lync,version=15.0 -> C:\Program Files (x86)\Mozilla Firefox\plugins\npmeetingjoinpluginoc.dll [2012-10-01] (Microsoft Corporation)
FF Plugin-x32: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files (x86)\Microsoft Silverlight\5.1.41212.0\npctrl.dll [2015-12-11] ( Microsoft Corporation)
FF Plugin-x32: @microsoft.com/SharePoint,version=14.0 -> C:\PROGRA~2\MICROS~1\Office15\NPSPWRAP.DLL [2012-10-01] (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/WLPG,version=15.4.3502.0922 -> C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll [2011-05-13] (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/WLPG,version=15.4.3538.0513 -> C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll [2011-05-13] (Microsoft Corporation)
FF Plugin-x32: @nvidia.com/3DVision -> C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dv.dll [2014-03-04] (NVIDIA Corporation)
FF Plugin-x32: @nvidia.com/3DVisionStreaming -> C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dvstreaming.dll [2014-03-04] (NVIDIA Corporation)
FF Plugin-x32: @WildTangent.com/GamesAppPresenceDetector,Version=1.0 -> C:\Program Files (x86)\WildTangent Games\App\BrowserIntegration\Registered\0\NP_wtapp.dll [2010-12-07] ()
FF Plugin ProgramFiles/Appdata: C:\Program Files (x86)\mozilla firefox\plugins\npMeetingJoinPluginOC.dll [2012-10-01] (Microsoft Corporation)
FF Plugin ProgramFiles/Appdata: C:\Program Files (x86)\mozilla firefox\browser\plugins\npMozCouponPrinter.dll [2014-12-03] (Coupons, Inc.)
FF Extension: Skype Click to Call - C:\Program Files (x86)\Mozilla Firefox\browser\extensions\{82AF8DCA-6DE9-405D-BD5E-43525BDAD38A}.xpi [2015-10-08]

==================== Services (Whitelisted) ========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R2 CalendarSynchService; C:\Program Files (x86)\Hewlett-Packard\TouchSmart\Calendar\Service\GCalService.exe [16384 2011-08-16] (Hewlett-Packard) [File not signed]
S3 Creative ALchemy AL6 Licensing Service; C:\Program Files (x86)\Common Files\Creative Labs Shared\Service\AL6Licensing.exe [79360 2012-07-18] (Creative Labs) [File not signed]
S3 Creative Audio Engine Licensing Service; C:\Program Files (x86)\Common Files\Creative Labs Shared\Service\CTAELicensing.exe [79360 2012-07-18] (Creative Labs) [File not signed]
R2 CTAudSvcService; C:\Program Files (x86)\Creative\Shared Files\CTAudSvc.exe [423424 2011-10-19] (Creative Technology Ltd) [File not signed]
R2 CtHdaSvc; C:\Windows\sysWow64\CtHdaSvc.exe [104448 2011-11-28] (Creative Technology Ltd)
S2 MBAMService; C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe [1135416 2015-10-05] (Malwarebytes)
R2 NOBU; C:\Program Files (x86)\Symantec\Norton Online Backup\NOBuAgent.exe [2804568 2010-06-01] (Symantec Corporation)
U2 NvNetworkService; C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe [1593632 2014-02-05] (NVIDIA Corporation)
R2 NvStreamSvc; C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe [16941856 2014-02-05] (NVIDIA Corporation)
R2 pdfcDispatcher; C:\Program Files (x86)\PDF Complete\pdfsvc.exe [1128952 2011-08-12] (PDF Complete Inc)
R2 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [1011712 2013-05-27] (Microsoft Corporation)

===================== Drivers (Whitelisted) ==========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R3 bbcap; C:\Windows\System32\DRIVERS\bbcap.sys [4608 2013-04-04] (Windows ® Codename Longhorn DDK provider)
S3 cleanhlp; C:\EEK\Run\cleanhlp64.sys [57024 2014-07-29] (Emsisoft GmbH)
R3 cthda; C:\Windows\System32\drivers\cthda.sys [1266264 2011-11-28] (Creative Technology Ltd)
R3 CTHDB; C:\Windows\System32\DRIVERS\CtHDb.sys [23640 2011-11-28] ()
S3 ebdrv; C:\Windows\system32\drivers\evbda.sys [3286016 2009-06-10] (Broadcom Corporation)
R3 MBAMProtector; C:\Windows\system32\drivers\mbam.sys [25816 2015-10-05] (Malwarebytes)
S3 MBAMWebAccessControl; C:\Windows\system32\drivers\mwac.sys [63704 2015-10-05] (Malwarebytes Corporation)
R3 nvvad_WaveExtensible; C:\Windows\System32\drivers\nvvad64v.sys [39200 2013-12-27] (NVIDIA Corporation)

==================== NetSvcs (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

==================== One Month Created files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2016-01-15 12:24 - 2016-01-15 12:24 - 00014241 _____ C:\Users\Michael\Desktop\FRST.txt
2016-01-15 12:21 - 2016-01-15 12:21 - 02370560 _____ (Farbar) C:\Users\Michael\Desktop\FRST64.exe
2016-01-15 09:24 - 2016-01-15 09:25 - 00013209 _____ C:\Users\Michael\Desktop\MTB.txt
2016-01-15 09:23 - 2016-01-15 09:23 - 00891392 _____ (Farbar) C:\Users\Michael\Desktop\MiniToolBox.exe
2016-01-15 09:14 - 2016-01-15 09:14 - 00000720 _____ C:\Users\Michael\Desktop\Start Emsisoft Emergency Kit.lnk
2016-01-15 09:11 - 2016-01-15 09:12 - 174779960 _____ C:\Users\Michael\Desktop\EmsisoftEmergencyKit.exe
2016-01-13 09:59 - 2016-01-13 09:59 - 00000000 ____D C:\Windows\pss
2016-01-12 20:22 - 2016-01-12 20:22 - 00005508 _____ C:\Users\Michael\Desktop\startup3.txt
2016-01-12 20:21 - 2016-01-12 20:21 - 00014316 _____ C:\Users\Michael\Desktop\install.txt
2016-01-12 20:19 - 2016-01-12 20:19 - 00004058 _____ C:\Users\Michael\Desktop\startup.txt
2016-01-12 20:19 - 2016-01-12 20:19 - 00002850 _____ C:\Users\Michael\Desktop\startup2.txt
2016-01-12 20:17 - 2016-01-12 20:17 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\CCleaner
2016-01-12 20:09 - 2016-01-12 20:09 - 00001078 _____ C:\Users\Michael\Desktop\ESETScan.txt
2016-01-11 15:04 - 2016-01-11 15:04 - 02870984 _____ (ESET) C:\Users\Michael\Desktop\esetsmartinstaller_enu.exe
2016-01-11 15:00 - 2016-01-11 15:00 - 00004764 _____ C:\Users\Michael\Desktop\JRT.txt
2016-01-11 14:57 - 2016-01-11 14:57 - 01600184 _____ (Malwarebytes) C:\Users\Michael\Desktop\JRT.exe
2016-01-11 14:55 - 2016-01-11 14:55 - 00001274 _____ C:\Users\Michael\Desktop\AdwCleaner[C2].txt
2016-01-11 12:48 - 2016-01-11 12:48 - 01749504 _____ C:\Users\Michael\Desktop\AdwCleaner.exe
2016-01-11 11:45 - 2016-01-11 11:45 - 00001058 _____ C:\Users\Michael\Desktop\MBAMlog.txt
2016-01-11 10:51 - 2016-01-11 11:03 - 00192216 _____ (Malwarebytes) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
2016-01-11 10:50 - 2016-01-11 10:50 - 00001104 _____ C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2016-01-11 10:50 - 2016-01-11 10:50 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes Anti-Malware
2016-01-11 10:50 - 2016-01-11 10:50 - 00000000 ____D C:\ProgramData\Malwarebytes
2016-01-11 10:50 - 2016-01-11 10:50 - 00000000 ____D C:\Program Files (x86)\Malwarebytes Anti-Malware
2016-01-11 10:50 - 2015-10-05 09:50 - 00109272 _____ (Malwarebytes) C:\Windows\system32\Drivers\mbamchameleon.sys
2016-01-11 10:50 - 2015-10-05 09:50 - 00063704 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mwac.sys
2016-01-11 10:50 - 2015-10-05 09:50 - 00025816 _____ (Malwarebytes) C:\Windows\system32\Drivers\mbam.sys
2016-01-11 10:48 - 2016-01-11 10:48 - 22908888 _____ (Malwarebytes ) C:\Users\Michael\Desktop\mbam-setup-2.2.0.1024.exe
2016-01-11 10:36 - 2016-01-11 10:36 - 00002798 _____ C:\Windows\System32\Tasks\CCleanerSkipUAC
2016-01-11 10:36 - 2016-01-11 10:36 - 00000000 ____D C:\Program Files\CCleaner
2016-01-11 10:35 - 2016-01-11 10:35 - 06805440 _____ (Piriform Ltd) C:\Users\Michael\Desktop\ccsetup513.exe
2015-12-24 13:46 - 2015-12-24 13:46 - 00391376 _____ C:\Users\Michael\Documents\Book collection list1.pdf
2015-12-22 13:58 - 2015-12-24 20:24 - 00042344 _____ C:\Users\Michael\Documents\Book collection list1.xlsx
2015-12-22 13:58 - 2015-12-22 13:58 - 00000000 ____D C:\Users\Michael\Documents\Custom Office Templates
2015-12-21 11:19 - 2015-12-21 11:19 - 00000000 ____D C:\ProgramData\regid.1991-06.com.microsoft
2015-12-21 11:19 - 2015-12-21 11:19 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Office 2013
2015-12-21 11:18 - 2015-12-21 11:19 - 00000000 ____D C:\Program Files (x86)\Microsoft SQL Server
2015-12-21 11:17 - 2015-12-21 11:17 - 00000000 ____D C:\Program Files (x86)\Microsoft Analysis Services
2015-12-21 11:15 - 2015-12-21 11:15 - 00000000 __RHD C:\MSOCache

==================== One Month Modified files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2016-01-15 12:24 - 2014-07-26 19:37 - 00000000 ____D C:\FRST
2016-01-15 11:30 - 2014-08-06 19:12 - 00000830 _____ C:\Windows\Tasks\Adobe Flash Player Updater.job
2016-01-15 11:05 - 2009-07-13 23:45 - 00024608 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2016-01-15 11:05 - 2009-07-13 23:45 - 00024608 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2016-01-15 10:38 - 2013-03-15 23:46 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Silverlight
2016-01-15 10:38 - 2013-03-15 23:45 - 00000000 ____D C:\Program Files\Microsoft Silverlight
2016-01-15 10:38 - 2013-03-15 23:45 - 00000000 ____D C:\Program Files (x86)\Microsoft Silverlight
2016-01-15 09:14 - 2014-07-30 15:42 - 00000000 ____D C:\EEK
2016-01-15 08:38 - 2009-07-14 00:13 - 00783360 _____ C:\Windows\system32\PerfStringBackup.INI
2016-01-15 08:38 - 2009-07-13 22:20 - 00000000 ____D C:\Windows\inf
2016-01-15 08:36 - 2012-01-24 20:15 - 00000000 ____D C:\ProgramData\PDFC
2016-01-15 08:34 - 2013-04-05 06:36 - 00000031 _____ C:\Windows\system32\bbcap.err
2016-01-15 08:34 - 2012-01-24 19:53 - 00000000 ____D C:\ProgramData\NVIDIA
2016-01-15 08:34 - 2009-07-14 00:08 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2016-01-15 00:02 - 2012-04-14 14:35 - 00003942 _____ C:\Windows\System32\Tasks\User_Feed_Synchronization-{496A4010-DC1D-40AF-9279-FF008AE0FC18}
2016-01-14 00:04 - 2015-09-25 21:21 - 00006324 _____ C:\Users\Michael\Desktop\Pal Text.txt
2016-01-13 10:30 - 2014-08-06 19:12 - 00796864 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2016-01-13 10:30 - 2014-08-06 19:12 - 00142528 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
2016-01-13 10:30 - 2014-08-06 19:12 - 00003768 _____ C:\Windows\System32\Tasks\Adobe Flash Player Updater
2016-01-13 10:10 - 2013-10-16 06:54 - 00000000 ___RD C:\Program Files (x86)\Skype
2016-01-13 10:09 - 2013-11-23 09:31 - 00000000 ____D C:\Program Files (x86)\Mozilla Firefox
2016-01-13 10:07 - 2014-04-08 14:20 - 00000000 ____D C:\ProgramData\Adobe
2016-01-13 10:07 - 2012-01-24 20:12 - 00000000 ____D C:\Program Files (x86)\Adobe
2016-01-13 10:06 - 2014-08-08 08:07 - 00000000 ____D C:\Users\Michael\AppData\Local\Adobe
2016-01-13 10:03 - 2012-07-08 18:38 - 00003100 _____ C:\Windows\System32\Tasks\{7B6FCCA2-9C23-4954-B4DC-CC52110E1653}
2016-01-13 10:03 - 2012-07-08 08:29 - 00003100 _____ C:\Windows\System32\Tasks\{79BD6A89-68BA-44B4-A789-072061F6879E}
2016-01-13 10:03 - 2012-07-08 08:28 - 00003100 _____ C:\Windows\System32\Tasks\{CEF43000-9307-4123-8F41-1C6D13FE9796}
2016-01-13 10:02 - 2012-05-19 20:07 - 00003192 _____ C:\Windows\System32\Tasks\{5778B7CF-7D4A-4206-B06F-9A61D02F1C19}
2016-01-13 10:02 - 2012-04-20 08:17 - 00003304 _____ C:\Windows\System32\Tasks\{50616899-3BF9-45AD-8F81-DC01CCB4545F}
2016-01-13 10:01 - 2012-04-17 19:50 - 00003180 _____ C:\Windows\System32\Tasks\{22A0C4FE-E719-4A80-AD06-6CF11D3BDFD3}
2016-01-13 09:59 - 2009-07-13 22:20 - 00000000 ____D C:\Windows
2016-01-11 12:51 - 2014-07-29 07:41 - 00000000 ____D C:\AdwCleaner
2016-01-11 10:39 - 2015-10-28 19:27 - 00000000 ____D C:\Windows\Minidump
2016-01-11 10:39 - 2012-06-02 20:14 - 00000000 ____D C:\Users\Michael\AppData\Local\CrashDumps
2016-01-11 10:39 - 2011-02-11 12:00 - 00000000 ____D C:\Windows\Panther
2016-01-04 23:22 - 2012-04-14 19:28 - 00000000 ____D C:\Users\Michael\AppData\Roaming\Paltalk
2016-01-04 21:16 - 2013-08-29 18:51 - 00000000 ____D C:\Users\Michael\Documents\Carol
2015-12-29 14:20 - 2013-12-13 10:51 - 00017378 _____ C:\Users\Michael\Documents\Bill Pay Schedule.xlsx
2015-12-24 23:53 - 2012-04-16 20:04 - 00111728 _____ C:\Users\Michael\AppData\Local\GDIPFONTCACHEV1.DAT
2015-12-23 20:19 - 2009-07-14 00:08 - 00032580 _____ C:\Windows\Tasks\SCHEDLGU.TXT
2015-12-21 20:09 - 2009-07-13 23:45 - 00434432 _____ C:\Windows\system32\FNTCACHE.DAT
2015-12-21 11:20 - 2015-01-19 19:18 - 00000000 ____D C:\ProgramData\Microsoft Help
2015-12-21 11:19 - 2010-11-21 02:16 - 00000000 ____D C:\Windows\ShellNew
2015-12-21 11:18 - 2012-01-24 20:03 - 00000000 ____D C:\Program Files (x86)\Microsoft Office
2015-12-21 11:17 - 2009-07-13 21:34 - 00000478 _____ C:\Windows\win.ini
2015-12-21 11:16 - 2012-04-26 19:40 - 00000000 ____D C:\Program Files\Microsoft Office
2015-12-21 11:16 - 2009-07-13 22:20 - 00000000 ____D C:\Program Files\Common Files\Microsoft Shared
2015-12-18 11:26 - 2012-04-26 19:41 - 00000000 ____D C:\Users\Michael\AppData\Roaming\SoftGrid Client
2015-12-17 11:35 - 2014-03-27 09:23 - 00000000 ____D C:\Users\Michael\AppData\LocalLow\Sun

==================== Files in the root of some directories =======

2013-06-10 19:49 - 2013-06-10 19:49 - 0000017 _____ () C:\Users\Michael\AppData\Local\resmon.resmoncfg

Some files in TEMP:
====================
C:\Users\Michael\AppData\Local\Temp\sqlite3.dll

==================== Bamital & volsnap =================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\system32\winlogon.exe => File is digitally signed
C:\Windows\system32\wininit.exe => File is digitally signed
C:\Windows\SysWOW64\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\system32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\system32\services.exe => File is digitally signed
C:\Windows\system32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\system32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\system32\rpcss.dll => File is digitally signed
C:\Windows\system32\dnsapi.dll => File is digitally signed
C:\Windows\SysWOW64\dnsapi.dll => File is digitally signed
C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed

LastRegBack: 2016-01-09 09:41

==================== End of FRST.txt ============================

 

 

Addition log attached.

 

Thank you.
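A triage helper for the FRST log format posted above, added here as an example; it is not part of the thread and not FRST's own code. It splits FRST.txt into its banner-delimited sections, parses the Registry, Services and Drivers entries, and flags what a helper reads first: unsigned or vendor-less service and driver binaries, MountPoints2 autorun records for removable drives, and Run entries outside the Windows and Program Files trees. The sample input is a handful of lines copied from the log above, and the field layout is assumed from that log rather than from FRST documentation.

```python
"""Triage helper for FRST (Farbar Recovery Scan Tool) text logs.

Splits FRST.txt into its "==== Section ====" blocks, parses the Registry,
Services and Drivers entries, and flags what a helper reads first.
Field layout is assumed from the log posted in this thread.
"""
import re
from dataclasses import dataclass

# Section banner: "==================== Services (Whitelisted) ===================="
SECTION_RE = re.compile(r"^=+ (.+?) =+$")
# Service/driver entry: "R2 Name; C:\path\file.exe [size yyyy-mm-dd] (Vendor) [File not signed]"
SERVICE_RE = re.compile(
    r"^[RSU]\d (?P<name>[^;]+); (?P<path>.+?) "
    r"\[(?P<size>\d+) (?P<date>\d{4}-\d{2}-\d{2})\] \((?P<vendor>.*?)\)"
    r"(?: \[(?P<flag>[^\]]+)\])?$"
)
# Run/RunOnce entry: "HKLM\...\Run: [Name] => C:\path\file.exe [size date] (Vendor)"
# (size/date/vendor are absent on some RunOnce lines, so that tail is optional)
RUN_RE = re.compile(
    r"^(?P<key>HK\S+\\Run(?:Once)?): \[(?P<name>[^\]]+)\] => (?P<path>.+?)"
    r"(?: \[(?P<size>\d+) (?P<date>\d{4}-\d{2}-\d{2})\] \((?P<vendor>.*?)\))?$"
)
# MountPoints2 autorun record: "HKU\...\MountPoints2: {guid} - J:\unlock.exe autoplay=true"
MOUNT_RE = re.compile(r"^(?P<key>HK\S+\\MountPoints2): \{(?P<guid>[^}]+)\} - (?P<cmd>.+)$")

# Run entries whose binary lives outside these trees get a closer look.
SYSTEM_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")

# Constructed sample: a handful of lines copied from the FRST log in this thread.
SAMPLE = r"""
==================== Registry (Whitelisted) ===========================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [hpsysdrv] => c:\program files (x86)\hewlett-packard\HP odometer\hpsysdrv.exe [62768 2008-11-20] (Hewlett-Packard)
HKU\S-1-5-21-3700214913-4012731398-408642833-1000\...\MountPoints2: {155050a6-888e-11e1-ae6d-74de2b79a656} - J:\unlock.exe autoplay=true
HKU\S-1-5-21-3700214913-4012731398-408642833-1000\...\MountPoints2: {8005e798-86f7-11e1-a309-74de2b79a656} - J:\LaunchU3.exe -a
HKU\S-1-5-18\...\RunOnce: [FlashPlayerUpdate] => C:\Windows\SysWOW64\Macromed\Flash\FlashUtil32_11_7_700_202_ActiveX.exe -update activex

==================== Services (Whitelisted) ========================

R2 CalendarSynchService; C:\Program Files (x86)\Hewlett-Packard\TouchSmart\Calendar\Service\GCalService.exe [16384 2011-08-16] (Hewlett-Packard) [File not signed]
S2 MBAMService; C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe [1135416 2015-10-05] (Malwarebytes)

===================== Drivers (Whitelisted) ==========================

S3 cleanhlp; C:\EEK\Run\cleanhlp64.sys [57024 2014-07-29] (Emsisoft GmbH)
R3 CTHDB; C:\Windows\System32\DRIVERS\CtHDb.sys [23640 2011-11-28] ()
"""


@dataclass
class Finding:
    section: str
    name: str
    path: str
    reason: str


def parse_sections(text):
    """Return {section title: [non-blank lines]} in the order FRST wrote them."""
    sections, current = {}, None
    for line in text.splitlines():
        banner = SECTION_RE.match(line)
        if banner:
            current = banner.group(1).strip()
            sections[current] = []
        elif current is not None and line.strip():
            sections[current].append(line.rstrip())
    return sections


def triage(text):
    """Flag entries worth a human look; this is a review list, not a fixlist."""
    findings = []
    for section, lines in parse_sections(text).items():
        for line in lines:
            if section.startswith(("Services", "Drivers")):
                m = SERVICE_RE.match(line)
                if not m:
                    continue  # explanatory "(If an entry ...)" line or unknown layout
                if m["flag"] == "File not signed":
                    findings.append(Finding(section, m["name"], m["path"],
                                            "binary is not digitally signed"))
                elif not m["vendor"].strip():
                    findings.append(Finding(section, m["name"], m["path"],
                                            "no vendor in the file's version info"))
            elif section.startswith("Registry"):
                m = MOUNT_RE.match(line)
                if m:
                    exe = m["cmd"].split()[0]
                    findings.append(Finding(section, m["guid"], exe,
                                            "MountPoints2 autorun record for drive " + exe[:2]))
                    continue
                m = RUN_RE.match(line)
                if m and not m["path"].lower().startswith(SYSTEM_DIRS):
                    findings.append(Finding(section, m["name"], m["path"],
                                            "Run entry outside Windows / Program Files"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE):
        print(f"[{f.section}] {f.name}: {f.path} -> {f.reason}")
```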



#2 polskamachina

polskamachina

  • Malware Response Team
  • 3,928 posts
  • ONLINE
  • Gender:Male
  • Local time:07:23 PM

Posted 20 January 2016 - 12:32 AM

Hi matchead :)

 

My name is polskamachina and I would like to welcome you back to the Malware Removal Forum. I will be helping you with your malware issues.

What follows below are some ground rules for this forum.

I will reply as soon as possible (typically within 24-48 hours). In turn, I ask that you please respond within 72 hours. If you know you will be away longer than that, please let me know. I am in California at GMT-8 hours (Pacific Standard Time). If I do not respond to you within 48 hours, feel free to send me a private message.

Some points for you to keep in mind:

  • Do NOT run any tools unless instructed to do so.
  • We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.
  • Do not attach logs or use code boxes, just copy and paste the text.
  • I cannot see your computer. Periodically update me on the condition of your computer, and provide as much detail as you can in every post.
  • Once things seem to be working again, please do not abandon the thread. I will give an "all-clean" message at the very end.
  • NOTE: Backup any files that cannot be replaced. Removing malware can be unpredictable and this step can save a lot of heartaches if things don't go as planned. You can put them on a CD/DVD, external drive or a flash drive, anywhere except on the computer.
  • NOTE: It is good practice to copy and paste the instructions into notepad and print them in case it is necessary for you to go offline during the cleanup process. Please remember to copy the entire post so you do not miss any instructions.

Due to the fact that you have posted quite a bit of information in your previous topic in the Am I Infected forum, it might take me a bit longer to review all your information before I can respond with specific instructions. Please be patient.

 

polskamachina



#3 matchead

matchead
  • Topic Starter

  • Members
  • 52 posts
  • OFFLINE
  • Local time:09:23 PM

Posted 20 January 2016 - 10:51 AM

Understood

Awaiting instruction.

:thumbup2:



#4 polskamachina

polskamachina

  • Malware Response Team
  • 3,928 posts
  • ONLINE
  • Gender:Male
  • Local time:07:23 PM

Posted 22 January 2016 - 03:00 PM

Hi matchead :)
 
Let's begin with running Adwcleaner again.
 
Right-click Adwcleaner and select Run As Administrator

  • The tool will start to update the database, please wait a bit.
  • Click on the Scan button.
  • AdwCleaner will begin to scan your computer like it did before.
  • After the scan has finished...
  • This time click on the Cleaning button.
  • Press OK when asked to close all programs and follow the onscreen prompts.
  • Press OK again to allow AdwCleaner to restart the computer and complete the removal process.
  • After rebooting, a logfile report (AdwCleaner[C#].txt) will open automatically (where the largest value of # represents the most recent report).
  • Copy and paste the contents of that logfile in your next reply.
  • A copy of that logfile will also be saved in the C:\AdwCleaner folder.

Next:
 
I don't see an antivirus program running on your machine.

Please download and install an antivirus program, and make sure that you keep it updated.
New viruses come out every minute, so it is essential that you have the latest signatures for your antivirus program to provide you with the best possible protection from malicious software. Here are some suggestions for a good, free, antivirus program for non-commercial home use:

Note: You should only have one antivirus installed at a time. Having more than one antivirus program installed at once is likely to cause conflicts and may well decrease your overall protection as well as impairing the performance of your PC.
 
Finally, I see that you have Norton online backup installed. While I'm sure this is a fine program, I've seen it interfere with the smooth operation of some systems. If you have been using other backup options and don't need Norton, then I would suggest removing it. Directions are below:

Click the "Start" orb on the taskbar, and then click the "Control Panel" button.

  • If you use Category mode, click on Uninstall a Program.
  • If you use Icons mode, click on Program and Features.

A list of programs installed will be "populated" (this may take a bit of time).
If they exist, uninstall the following by clicking on the below entry and selecting "Remove":

  • Norton Online Backup

Additional instructions can be found here if needed.
 
In summary I will need from you:

  • Adwcleaner log
  • Confirmation that you installed an Anti-virus program
  • Let me know if you uninstalled Norton Online Backup
  • Most importantly, how is your computer performing now?

polskamachina



#5 matchead

matchead
  • Topic Starter

  • Members
  • 52 posts
  • OFFLINE
  • Local time:09:23 PM

Posted 23 January 2016 - 10:11 AM

Installed Avast!

Removed Norton Online Backup

PC seems to be performing ok now.

Here is Adwcleaner log:

 

# AdwCleaner v5.030 - Logfile created 23/01/2016 at 09:30:35
# Updated 17/01/2016 by Xplode
# Database : 2016-01-19.2 [Server]
# Operating system : Windows 7 Home Premium Service Pack 1 (x64)
# Username : Michael - MICHAEL-HP
# Running from : C:\Users\Michael\Desktop\adwcleaner_5.030.exe
# Option : Cleaning
# Support : http://toolslib.net/forum

***** [ Services ] *****

***** [ Folders ] *****

***** [ Files ] *****

***** [ DLLs ] *****

***** [ Shortcuts ] *****

***** [ Scheduled tasks ] *****

***** [ Registry ] *****

***** [ Web browsers ] *****

*************************

:: "Tracing" keys removed
:: Winsock settings cleared

########## EOF - C:\AdwCleaner\AdwCleaner[C3].txt - [686 bytes] ##########



#6 polskamachina

polskamachina

  • Malware Response Team
  • 3,928 posts
  • ONLINE
  • Gender:Male
  • Local time:07:23 PM

Posted 24 January 2016 - 04:29 PM

Hi matchead,

PC seems to be performing ok now.

That's very good news. :)
 
I did notice that you don't have a pdf reader installed. You can install Adobe Reader or if you would like an alternative free PDF reader, I would suggest PDF-XChange Viewer <--second choice from the top of the linked page.

  • Check the option for EXE installer (32/64 bit) | 17 MB and download it.
  • When the program begins to install, you can check the option for the Free version.

If you'd rather install Adobe Reader, the directions are below:

  • Download the latest version of Adobe Reader and save it to your desktop.
  • Uncheck the "Free McAfee Security plan Plus" option or any other Toolbar you are offered
  • Click the download button at the bottom.
  • If you use Internet Explorer and do not wish to install the ActiveX element, simply click on the click here to download link on the next page.
  • Then from your desktop right-click on Adobe Reader, then Run As Administrator.
  • When the "Adobe Setup - Welcome" window opens, click the Install > button.
  • If offered to install a Toolbar, just uncheck the box before continuing unless you want it.

If you have no other issues with your system, we can remove the tools we used to diagnose and clean it:
Download Delfix from here and save it to your desktop.

  • Ensure Remove disinfection tools is checked.
  • Also place a checkmark next to:
    • Create registry backup
    • Purge system restore
  • Click the Run button.

When the tool is finished, a log will open in notepad. Please copy and paste the log into your next reply to me. Let me know if you have any questions.
 
Finally:
 
Below are some security tips to read. Following these guidelines will help you avoid another visit to the Malware Removal Forum. :woot:

 

Here is some recommended reading material to help you protect your computer from infection in the future:

Be safe! :hello:
 
polskamachina



#7 matchead

matchead
  • Topic Starter

  • Members
  • 52 posts
  • OFFLINE
  • Local time:09:23 PM

Posted 24 January 2016 - 04:40 PM

Thanks for all your help!!

 

# DelFix v1.011 - Logfile created 24/01/2016 at 16:38:25
# Updated 18/08/2015 by Xplode
# Username : Michael - MICHAEL-HP
# Operating System : Windows 7 Home Premium Service Pack 1 (64 bits)

~ Removing disinfection tools ...

Deleted : C:\FRST
Deleted : C:\AdwCleaner
Deleted : C:\Users\Michael\Desktop\Addition.txt
Deleted : C:\Users\Michael\Desktop\AdwCleaner[C2].txt
Deleted : C:\Users\Michael\Desktop\AdwCleaner[C3].txt
Deleted : C:\Users\Michael\Desktop\adwcleaner_5.030.exe
Deleted : C:\Users\Michael\Desktop\esetsmartinstaller_enu.exe
Deleted : C:\Users\Michael\Desktop\FRST.txt
Deleted : C:\Users\Michael\Desktop\FRST64.exe
Deleted : C:\Users\Michael\Desktop\JRT.exe
Deleted : C:\Users\Michael\Desktop\JRT.txt
Deleted : C:\Users\Michael\Desktop\MiniToolBox.exe
Deleted : HKLM\SOFTWARE\OldTimer Tools
Deleted : HKLM\SOFTWARE\AdwCleaner

~ Creating registry backup ... OK

~ Cleaning system restore ...

Deleted : RP #266 [Scheduled Checkpoint | 01/20/2016 16:56:44]
Deleted : RP #267 [Removed Norton Online Backup | 01/23/2016 15:04:02]

New restore point created !

########## - EOF - ##########



#8 xXToffeeXx

xXToffeeXx

    Bleepin' Polar Bear


  • Malware Response Instructor
  • 6,054 posts
  • OFFLINE
  • Gender:Female
  • Location:The Arctic Circle
  • Local time:03:23 AM

Posted 30 January 2016 - 08:45 AM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.

~If I am helping you and you have not had a reply from me in two days, please send me a PM~

 





