
I'm infected by www-mysearch.com, how to get rid of it?


  • This topic is locked
16 replies to this topic

#1 Joe Z

Joe Z

  • Members
  • 35 posts
  • OFFLINE
  •  
  • Local time:09:09 AM

Posted 06 February 2016 - 04:27 PM

Hello,

I got infected by this and I need help getting rid of it.

It seems to be lurking in my shortcuts in the task bar. If I have either IE or Firefox open and I go to open a new tab by right-clicking the icon that is already open, I get redirected to a fake Bing page that calls itself www-mysearch.com. It won't happen if I open a new browsing window.

 

I can see the infection in the Addition.txt log under ===Shortcuts===, but for some reason it isn't in the FRST64 log.

 

Here is my FRST64 Log:

 

 

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version:27-01-2016
Ran by Dad (administrator) on DAD-PC (06-02-2016 15:57:28)
Running from C:\Users\Dad\Desktop
Loaded Profiles: Dad (Available Profiles: Dad)
Platform: Windows 7 Professional Service Pack 1 (X64) Language: English (United States)
Internet Explorer Version 11 (Default browser: IE)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(Malwarebytes) C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe
(Malwarebytes) C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe
(Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe
(Adobe Systems Incorporated) C:\Windows\System32\Macromed\Flash\FlashUtil64_20_0_0_286_ActiveX.exe

==================== Registry (Whitelisted) ===========================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM-x32\...\Run: [SunJavaUpdateSched] => C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe [594992 2016-01-29] (Oracle Corporation)

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

Tcpip\Parameters: [DhcpNameServer] 68.105.28.11 68.105.29.11 68.105.28.12
Tcpip\..\Interfaces\{4B4BF0A0-C65A-410F-A0C3-C2F6131D75BD}: [DhcpNameServer] 68.105.28.11 68.105.29.11 68.105.28.12

Internet Explorer:
==================
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
HKU\S-1-5-21-3167222858-928045956-1320353739-1000\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=msnhome
HKU\S-1-5-21-3167222858-928045956-1320353739-1000\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKU\S-1-5-21-3167222858-928045956-1320353739-1000\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://reuters.com/
BHO: Java™ Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files\Java\jre1.8.0_73\bin\ssv.dll [2016-02-06] (Oracle Corporation)
BHO: Java™ Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files\Java\jre1.8.0_73\bin\jp2ssv.dll [2016-02-06] (Oracle Corporation)
DPF: HKLM-x32 {D27CDB6E-AE6D-11CF-96B8-444553540000} hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
Handler-x32: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - C:\Program Files (x86)\Belarc\BelarcAdvisor\System\BAVoilaX.dll [2015-11-13] (Belarc, Inc.)

FireFox:
========
FF ProfilePath: C:\Users\Dad\AppData\Roaming\Mozilla\Firefox\Profiles\kiwkuecq.default-1454472190981
FF Plugin: @adobe.com/FlashPlayer -> C:\Windows\system32\Macromed\Flash\NPSWF64_20_0_0_286.dll [2016-01-20] ()
FF Plugin: @java.com/DTPlugin,version=11.73.2 -> C:\Program Files\Java\jre1.8.0_73\bin\dtplugin\npDeployJava1.dll [2016-02-06] (Oracle Corporation)
FF Plugin: @java.com/JavaPlugin,version=11.73.2 -> C:\Program Files\Java\jre1.8.0_73\bin\plugin2\npjp2.dll [2016-02-06] (Oracle Corporation)
FF Plugin-x32: @adobe.com/FlashPlayer -> C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_20_0_0_286.dll [2016-01-20] ()
FF Plugin-x32: Adobe Reader -> C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AIR\nppdf32.dll [2015-12-18] (Adobe Systems Inc.)

==================== Services (Whitelisted) ========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R2 MBAMScheduler; C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe [1513784 2015-10-05] (Malwarebytes)
S2 MBAMService; C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe [1135416 2015-10-05] (Malwarebytes)
R2 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [1011712 2013-05-27] (Microsoft Corporation)

===================== Drivers (Whitelisted) ==========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

S3 ebdrv; C:\Windows\system32\drivers\evbda.sys [3286016 2009-06-10] (Broadcom Corporation)
R3 MBAMProtector; C:\Windows\system32\drivers\mbam.sys [25816 2015-10-05] (Malwarebytes)
R3 MBAMSwissArmy; C:\Windows\system32\drivers\MBAMSwissArmy.sys [192216 2016-02-06] (Malwarebytes)
S3 MBAMWebAccessControl; C:\Windows\system32\drivers\mwac.sys [63704 2015-10-05] (Malwarebytes Corporation)
S3 MOSUMAC; C:\Windows\System32\DRIVERS\USBMAC64.SYS [55296 2009-12-07] (--)
S3 A6100; system32\DRIVERS\A6100.sys [X]

==================== NetSvcs (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

==================== One Month Created files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2016-02-06 15:57 - 2016-02-06 15:57 - 00005420 _____ C:\Users\Dad\Desktop\FRST.txt
2016-02-06 15:56 - 2016-02-06 15:57 - 00000000 ____D C:\FRST
2016-02-06 15:56 - 2016-02-06 15:56 - 02370560 _____ (Farbar) C:\Users\Dad\Desktop\FRST64.exe
2016-02-06 06:37 - 2016-02-06 06:37 - 00000000 ____D C:\ProgramData\Sophos
2016-02-06 06:36 - 2016-02-06 06:36 - 00002759 _____ C:\Users\Public\Desktop\Sophos Virus Removal Tool.lnk
2016-02-06 06:36 - 2016-02-06 06:36 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Sophos
2016-02-06 06:36 - 2016-02-06 06:36 - 00000000 ____D C:\Program Files (x86)\Sophos
2016-02-06 06:33 - 2016-02-06 06:33 - 00000932 _____ C:\Users\Dad\Desktop\JRT.txt
2016-02-06 06:30 - 2016-02-06 06:30 - 01609032 _____ (Malwarebytes) C:\Users\Dad\Desktop\JRT.exe
2016-02-06 06:27 - 2016-02-06 06:27 - 00000841 _____ C:\Users\Dad\Desktop\AdwCleaner[C2].txt
2016-02-05 05:56 - 2016-02-06 09:03 - 00002038 _____ C:\Users\Dad\Desktop\Rkill.txt
2016-02-05 05:39 - 2016-02-05 05:53 - 00000000 ____D C:\Users\Dad\Desktop\mbar
2016-02-05 05:39 - 2016-02-05 05:53 - 00000000 ____D C:\ProgramData\Malwarebytes' Anti-Malware (portable)
2016-02-05 05:10 - 2016-02-05 05:10 - 00023412 _____ C:\Users\Dad\Desktop\MTB.txt
2016-02-05 05:06 - 2016-02-05 05:08 - 00002509 _____ C:\Users\Dad\Desktop\FSS.txt
2016-02-05 04:59 - 2016-02-05 04:59 - 00852720 _____ C:\Users\Dad\Desktop\SecurityCheck.exe
2016-02-03 18:44 - 2016-02-06 09:03 - 00000000 ____D C:\Users\Dad\Desktop\Cleaners
2016-02-03 18:04 - 2016-02-03 18:04 - 00001500 _____ C:\Users\Dad\Desktop\firefox - Shortcut.lnk
2016-02-02 23:06 - 2016-02-02 23:06 - 00659968 _____ C:\Users\Dad\Desktop\MicrosoftFixit50195.msi
2016-02-02 06:43 - 2016-02-06 06:21 - 00000000 ____D C:\AdwCleaner
2016-02-02 06:39 - 2016-02-02 06:39 - 00020860 _____ C:\ComboFix.txt
2016-02-02 06:30 - 2016-02-02 06:39 - 00000000 ____D C:\Qoobox
2016-02-02 06:30 - 2016-02-02 06:38 - 00000000 ____D C:\Windows\erdnt
2016-02-02 06:30 - 2011-06-26 01:45 - 00256000 _____ C:\Windows\PEV.exe
2016-02-02 06:30 - 2010-11-07 12:20 - 00208896 _____ C:\Windows\MBR.exe
2016-02-02 06:30 - 2009-04-19 23:56 - 00060416 _____ (NirSoft) C:\Windows\NIRCMD.exe
2016-02-02 06:30 - 2000-08-30 19:00 - 00518144 _____ (SteelWerX) C:\Windows\SWREG.exe
2016-02-02 06:30 - 2000-08-30 19:00 - 00406528 _____ (SteelWerX) C:\Windows\SWSC.exe
2016-02-02 06:30 - 2000-08-30 19:00 - 00098816 _____ C:\Windows\sed.exe
2016-02-02 06:30 - 2000-08-30 19:00 - 00080412 _____ C:\Windows\grep.exe
2016-02-02 06:30 - 2000-08-30 19:00 - 00068096 _____ C:\Windows\zip.exe
2016-02-02 06:29 - 2016-02-02 06:29 - 05656479 ____R (Swearware) C:\Users\Dad\Desktop\ComboFix.exe
2016-02-02 06:23 - 2016-02-02 06:27 - 00186518 _____ C:\TDSSKiller.3.1.0.9_02.02.2016_06.23.04_log.txt
2016-02-01 18:16 - 2016-02-01 18:16 - 00772430 _____ C:\Windows\SysWOW64\PerfStringBackup.INI
2016-02-01 07:34 - 2016-02-01 07:34 - 00874720 _____ C:\Windows\Minidump\020116-13150-01.dmp
2016-01-31 05:42 - 2016-01-31 05:42 - 00271576 _____ C:\Windows\Minidump\013116-14118-01.dmp
2016-01-29 19:07 - 2016-01-29 19:08 - 00879224 _____ C:\Windows\Minidump\012916-14383-01.dmp
2016-01-26 17:09 - 2016-01-26 17:09 - 00895240 _____ C:\Windows\Minidump\012616-20576-01.dmp
2016-01-19 11:09 - 2016-01-19 11:09 - 00136413 _____ C:\Users\Dad\Desktop\Candidate Profile_distributedA.pdf
2016-01-19 10:24 - 2016-01-19 10:24 - 00130319 _____ C:\Users\Dad\Desktop\Candidate Profile_distributed.pdf
2016-01-17 09:56 - 2016-02-02 23:09 - 00000000 ____D C:\Program Files (x86)\Mozilla Firefox
2016-01-10 12:37 - 2016-01-10 12:38 - 00000062 _____ C:\Users\Dad\Desktop\case number.txt
2016-01-10 08:21 - 2016-01-10 08:21 - 00878736 _____ C:\Windows\Minidump\011016-14492-01.dmp
2016-01-09 06:20 - 2016-01-09 06:20 - 00877408 _____ C:\Windows\Minidump\010916-13026-01.dmp

==================== One Month Modified files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2016-02-06 15:01 - 2015-12-12 14:26 - 00000830 _____ C:\Windows\Tasks\Adobe Flash Player Updater.job
2016-02-06 13:48 - 2015-12-12 16:59 - 00192216 _____ (Malwarebytes) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
2016-02-06 10:48 - 2009-07-14 00:13 - 00778150 _____ C:\Windows\system32\PerfStringBackup.INI
2016-02-06 10:48 - 2009-07-13 22:20 - 00000000 ____D C:\Windows\inf
2016-02-06 08:22 - 2009-07-13 23:45 - 00031904 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2016-02-06 08:22 - 2009-07-13 23:45 - 00031904 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2016-02-06 08:14 - 2009-07-14 00:08 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2016-02-06 07:54 - 2015-12-12 18:03 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Java
2016-02-06 07:54 - 2015-12-12 18:03 - 00000000 ____D C:\Program Files\Java
2016-02-06 07:53 - 2015-12-12 18:03 - 00110176 _____ (Oracle Corporation) C:\Windows\system32\WindowsAccessBridge-64.dll
2016-02-06 07:53 - 2015-12-12 18:03 - 00000000 ____D C:\Users\Dad\.oracle_jre_usage
2016-02-05 05:39 - 2015-12-12 16:59 - 00109272 _____ (Malwarebytes) C:\Windows\system32\Drivers\mbamchameleon.sys
2016-02-02 23:09 - 2015-12-12 16:10 - 00000000 ____D C:\Program Files (x86)\Mozilla Maintenance Service
2016-02-02 06:37 - 2009-07-13 21:34 - 00000215 _____ C:\Windows\system.ini
2016-02-01 18:25 - 2015-12-10 22:43 - 00001593 _____ C:\Users\Dad\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer.lnk
2016-02-01 18:22 - 2010-11-21 02:17 - 00000000 ____D C:\Windows\CSC
2016-02-01 18:21 - 2009-07-13 21:34 - 00000505 _____ C:\Windows\win.ini
2016-02-01 18:06 - 2015-12-12 16:10 - 00001335 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Mozilla Firefox.lnk
2016-02-01 07:34 - 2015-12-16 08:51 - 352064313 _____ C:\Windows\MEMORY.DMP
2016-02-01 07:34 - 2015-12-16 08:51 - 00000000 ____D C:\Windows\Minidump
2016-01-25 17:06 - 2015-12-12 18:03 - 00000000 ____D C:\ProgramData\Oracle
2016-01-20 22:01 - 2015-12-12 14:26 - 00796864 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2016-01-20 22:01 - 2015-12-12 14:26 - 00142528 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
2016-01-20 22:01 - 2015-12-12 14:26 - 00003768 _____ C:\Windows\System32\Tasks\Adobe Flash Player Updater
2016-01-17 10:34 - 2015-12-12 01:18 - 00000000 ____D C:\Users\Dad\AppData\Local\ElevatedDiagnostics
2016-01-14 17:14 - 2015-12-16 00:18 - 00003886 _____ C:\Windows\System32\Tasks\Adobe Acrobat Update Task
2016-01-14 17:14 - 2015-12-16 00:18 - 00002441 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Acrobat Reader DC.lnk
2016-01-10 14:56 - 2015-12-10 23:20 - 00000000 ____D C:\Users\Dad\Desktop\recover

==================== Bamital & volsnap =================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\system32\winlogon.exe => File is digitally signed
C:\Windows\system32\wininit.exe => File is digitally signed
C:\Windows\SysWOW64\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\system32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\system32\services.exe => File is digitally signed
C:\Windows\system32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\system32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\system32\rpcss.dll => File is digitally signed
C:\Windows\system32\dnsapi.dll => File is digitally signed
C:\Windows\SysWOW64\dnsapi.dll => File is digitally signed
C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed

LastRegBack: 2016-01-29 00:34

==================== End of FRST.txt ============================

 

 

Here is the link to my previous post under "Am I infected, what to do?"

http://www.bleepingcomputer.com/forums/t/604147/im-infected-by-www-mysearchcom-how-to-get-rid-of-it/

 

Thanks in advance for your help, you guys rock!!

 

 

 

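The taskbar redirect described in the post above is the usual shortcut hijack: the .lnk file still points at the real browser executable, but its command-line arguments have been set to the attacker's URL, so every launch through that shortcut opens www-mysearch.com. That is also why it shows up under ===Shortcuts=== in Addition.txt (which reads the shortcut files) rather than in the FRST.txt process/registry view. The following is an added example, not code from the post or from FRST: a small Python parser for the Shell Link (.lnk) binary format that extracts the StringData fields and flags browser shortcuts whose arguments contain a URL. The build_lnk fixture, the demo directory and the file names in demo_scan are constructed for this example.

```python
"""Parse Windows .lnk (Shell Link) files and flag browser shortcuts whose
command-line arguments carry a URL. Added example for this page; not FRST's
or BleepingComputer's code. Structure layout follows MS-SHLLINK."""
import os
import re
import struct
import tempfile
import uuid
from typing import Dict, List, Optional, Tuple

LNK_CLSID = uuid.UUID("00021401-0000-0000-C000-000000000046")  # CLSID_ShellLink
HEADER_SIZE = 0x4C
# LinkFlags bits (MS-SHLLINK 2.1.1); only the ones this parser needs.
HAS_ID_LIST, HAS_LINK_INFO, HAS_NAME, HAS_REL_PATH = 0x01, 0x02, 0x04, 0x08
HAS_WORK_DIR, HAS_ARGS, HAS_ICON, IS_UNICODE = 0x10, 0x20, 0x40, 0x80
# StringData sections appear in this fixed order when their flag is set.
STRING_FIELDS = (("name", HAS_NAME), ("relative_path", HAS_REL_PATH),
                 ("working_dir", HAS_WORK_DIR), ("arguments", HAS_ARGS),
                 ("icon_location", HAS_ICON))
BROWSERS = ("iexplore.exe", "firefox.exe", "chrome.exe", "msedge.exe", "opera.exe")
URL_RE = re.compile(r"(?i)(?:https?://|www[.-])\S+")


def parse_lnk(data: bytes) -> Dict[str, Optional[str]]:
    """Return the StringData fields of a Shell Link; None for absent ones."""
    size, clsid, flags = struct.unpack_from("<I16sI", data, 0)
    if size != HEADER_SIZE or uuid.UUID(bytes_le=clsid) != LNK_CLSID:
        raise ValueError("not a Shell Link file")
    pos = HEADER_SIZE
    if flags & HAS_ID_LIST:            # skip LinkTargetIDList: u16 size + items
        (id_list_size,) = struct.unpack_from("<H", data, pos)
        pos += 2 + id_list_size
    if flags & HAS_LINK_INFO:          # skip LinkInfo: its u32 total size comes first
        (link_info_size,) = struct.unpack_from("<I", data, pos)
        pos += link_info_size
    fields: Dict[str, Optional[str]] = {}
    for name, bit in STRING_FIELDS:
        if not flags & bit:
            fields[name] = None
            continue
        (count,) = struct.unpack_from("<H", data, pos)   # character count, no terminator
        pos += 2
        if flags & IS_UNICODE:
            fields[name] = data[pos:pos + 2 * count].decode("utf-16-le")
            pos += 2 * count
        else:
            fields[name] = data[pos:pos + count].decode("cp1252", errors="replace")
            pos += count
    return fields


def is_hijacked(fields: Dict[str, Optional[str]]) -> bool:
    """A browser shortcut should launch the browser with no URL argument."""
    target = (fields.get("relative_path") or "").lower()
    args = fields.get("arguments") or ""
    return target.endswith(BROWSERS) and URL_RE.search(args) is not None


def scan_shortcuts(root: str) -> List[Tuple[str, str]]:
    """Walk root and return (path, arguments) for every hijacked .lnk found."""
    hits: List[Tuple[str, str]] = []
    for dirpath, _, files in os.walk(root):
        for fname in files:
            if not fname.lower().endswith(".lnk"):
                continue
            path = os.path.join(dirpath, fname)
            with open(path, "rb") as fh:
                data = fh.read()
            try:
                fields = parse_lnk(data)
            except (ValueError, struct.error):
                continue                                # not a parseable shortcut
            if is_hijacked(fields):
                hits.append((path, fields["arguments"] or ""))
    return hits


def build_lnk(relative_target: str, arguments: str = "") -> bytes:
    """Constructed test fixture: a minimal Unicode .lnk carrying RelativePath and
    optional arguments (no IDList/LinkInfo, so Explorer would not resolve it)."""
    flags = HAS_REL_PATH | IS_UNICODE | (HAS_ARGS if arguments else 0)
    # Header: size, CLSID, flags, FileAttributes, 3 FILETIMEs, FileSize,
    # IconIndex, ShowCommand (SW_SHOWNORMAL), HotKey, Reserved1..3.
    header = struct.pack("<I16sIIQQQIIIHHII", HEADER_SIZE, LNK_CLSID.bytes_le,
                         flags, 0x20, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0)

    def string_data(s: str) -> bytes:
        return struct.pack("<H", len(s)) + s.encode("utf-16-le")

    body = string_data(relative_target)
    if arguments:
        body += string_data(arguments)
    return header + body


def demo_scan() -> List[Tuple[str, str]]:
    """Write one clean and one hijacked fixture to a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        with open(os.path.join(tmp, "Mozilla Firefox.lnk"), "wb") as fh:
            fh.write(build_lnk(r"..\..\Program Files (x86)\Mozilla Firefox\firefox.exe"))
        with open(os.path.join(tmp, "Internet Explorer.lnk"), "wb") as fh:
            fh.write(build_lnk(r"..\..\Program Files\Internet Explorer\iexplore.exe",
                               "http://www-mysearch.com/"))
        return [(os.path.basename(p), a) for p, a in scan_shortcuts(tmp)]


if __name__ == "__main__":
    for name, args in demo_scan():
        print(f"HIJACKED {name}: {args}")
```

On a live machine, point scan_shortcuts at the folders pinned and menu shortcuts live in: %APPDATA%\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar, the user's and the Public Desktop, and Start Menu\Programs under both %APPDATA% and %ProgramData%. The parser deliberately does not resolve the LinkTargetIDList, so a shortcut whose target binary was swapped needs a different check; in the pattern the post describes the target is left alone and only the arguments change, which is exactly what is_hijacked looks at. A clean result from this scan says nothing about other persistence, so it complements rather than replaces the FRST review.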

 


#2 mAL_rEm018

mAL_rEm018

  • Malware Response Team
  • 311 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:06:09 PM

Posted 06 February 2016 - 04:50 PM

Please note that all instructions given are customised for this computer only, the tools used may cause damage if used on a computer with different infections.

If you think you have similar problems, please post a log in the Malware Removal forum and wait for help.

Failure to post replies within 4 days will result in this thread being closed.


Hello Joe Z,

My name is mAL_rEm018, but feel free to call me mAL.  I will be helping you with your malware related problems. :)

Please be aware that removing malware is a potentially hazardous undertaking. I will take care not to knowingly suggest courses of action that might damage your computer. However, it is impossible for me to foresee all interactions that may happen between the software on your computer and the tools we'll use to clear you of infection, and I cannot guarantee the safety of your system. It is possible that we might encounter situations where the only recourse is to re-format and re-install your operating system, or where you need to take your computer to a repair shop.


Because of this, I advise you to backup any personal files and folders before you start.


Cobian Backup
DriveImage XML


To make sure everything goes smoothly, I would like you to observe the following rules:

  • You must have Administrator rights, permissions for this computer.
  • Please reply to this thread.  Do not start another topic.
  • Perform all actions in the order given.
  • If you don't know, stop and ask!
  • DO NOT run any other fix or removal tools unless instructed to do so!
  • Don't attempt to install any new software (other than those I ask you to) until your computer is clean.
  • DO NOT post for help at any other forum.  Applying fixes from multiple help sites can cause problems.
  • I advise you to print the instructions if possible, since your internet connection might not be available during some of the fixes.
  • Absence of symptoms does not mean that everything is clear, therefore stick with this topic until I give you the "all clear".

I am currently reviewing your logs and will return as soon as possible with additional instructions.


Teacher at the Malware Removal University.

Member of UNITE

 

Failure to post replies within 4 days will result in this thread being closed


#3 Joe Z

Joe Z
  • Topic Starter

  • Members
  • 35 posts
  • OFFLINE
  •  
  • Local time:09:09 AM

Posted 06 February 2016 - 05:07 PM

Hi mAL,

 

Thanks for your reply and thanks for your help.  I already backed up my files as I'm still pretty gun shy after a hard drive crash in December....

 

Cheers



#4 mAL_rEm018

mAL_rEm018

  • Malware Response Team
  • 311 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:06:09 PM

Posted 06 February 2016 - 07:15 PM

Hello Joe Z,
 

C:\Users\Dad\Desktop\ComboFix.exe

A word of caution: ComboFix is a very powerful tool that could cause substantial damage to your computer if used incorrectly. Please do not use it in the future unless you are asked to by a trained helper. That being said, please navigate to the following location and post the "ComboFix.txt" log in your next reply:


C:\ComboFix.txt


Now let's get to work :)


Backup your registry using TCRB


  • Please download TCRB to your Desktop.
  • Open Tweaking.com Registry Backup.
  • Click on the Backup Registry tab and ensure that all options are checked.
  • Press on Backup Now.
  • Wait until the backup is complete and exit the program.

 

No anti-virus

Looking over your log, it seems there is no evidence of any anti-virus software.

Anti-virus software is a program that detects, cleanses, and erases harmful virus files on a computer, web server, or network. Unchecked, virus files can unintentionally be forwarded to others, including trading partners, thereby spreading infection. Because new viruses regularly emerge, anti-virus software should be updated frequently. Anti-virus software can scan the computer memory and disk drives for malicious code. It can alert the user if a virus is present, and will clean, delete (or quarantine) infected files or directories. Please download free anti-virus software from one of these excellent vendors.




Note: You should run only one antivirus program at a time. Having more than one antivirus program active in memory uses additional resources and results in program conflicts and false virus alerts.


I need you to run a search using FRST...


  • Double click Frst64.exe to launch it.
  • FRST will start to run.
  • When the tool opens click Yes to the disclaimer.
  • Copy/Paste or Type the following line into the Search: box.

babylon;Bandoo;CleverSearch;conduit;datamngr;Fun4IM;iLivid;kelkoopartners;Luckysearches;QuickSurf;Searchnu;Searchqu;SharkManCoupon;sushileads;SweetIM;SweetPacks;TidyNetwork;trolltech;whitesmoke;Wordinator;WordSurfer;www-mysearch.com;mysearch

  • Press the Search Registry button.
  • When finished searching a log will open on your Desktop ... Search.txt
  • Please post it in your next reply.

 

-----------------------------------------
In your next reply, I would like to see:

  • Did you have trouble performing any of the steps?
  • ComboFix.txt
  • Search.txt

 




#5 Joe Z

Joe Z
  • Topic Starter

  • Members
  • 35 posts
  • OFFLINE
  •  
  • Local time:09:09 AM

Posted 06 February 2016 - 07:38 PM

Hi mAL,

 

Here are the logs requested:

 

ComboFix 16-01-31.01 - Dad 02/02/2016   6:32.1.8 - x64
Microsoft Windows 7 Professional   6.1.7601.1.1252.1.1033.18.4027.1900 [GMT -5:00]
Running from: c:\users\Dad\Desktop\ComboFix.exe
SP: Windows Defender *Enabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
(((((((((((((((((((((((((   Files Created from 2016-01-02 to 2016-02-02  )))))))))))))))))))))))))))))))
.
.
2016-02-02 11:37 . 2016-02-02 11:37 -------- d-----w- c:\users\Default\AppData\Local\temp
2016-02-01 23:10 . 2016-02-01 23:10 -------- d-----w- c:\program files (x86)\Microsoft.NET
2016-02-01 23:07 . 2016-02-01 23:20 -------- d-----w- c:\programdata\Service1291
2016-02-01 23:07 . 2016-02-01 23:07 -------- d-----w- c:\programdata\28341ff220e0446c9fff27c4493d622e
2016-02-01 23:06 . 2016-02-01 23:06 23208 ----a-w- c:\windows\system32\drivers\sdfhgdf.sys
2016-01-30 13:02 . 2016-01-30 13:02 75888 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{3A1407E9-2A5A-4DEF-B668-E652EB6E83FB}\offreg.2996.dll
2016-01-27 12:19 . 2016-01-27 12:19 75888 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{3A1407E9-2A5A-4DEF-B668-E652EB6E83FB}\offreg.748.dll
2016-01-25 22:06 . 2016-01-25 22:06 -------- d-----w- c:\program files (x86)\Common Files\Java
2016-01-18 14:42 . 2016-01-18 14:42 75888 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{3A1407E9-2A5A-4DEF-B668-E652EB6E83FB}\offreg.2924.dll
2016-01-11 10:15 . 2016-01-11 10:15 75888 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{3A1407E9-2A5A-4DEF-B668-E652EB6E83FB}\offreg.2400.dll
2016-01-10 07:33 . 2016-01-10 07:33 75888 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{3A1407E9-2A5A-4DEF-B668-E652EB6E83FB}\offreg.4064.dll
2016-01-06 12:16 . 2016-01-06 12:16 75888 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{3A1407E9-2A5A-4DEF-B668-E652EB6E83FB}\offreg.2636.dll
2016-01-04 11:40 . 2016-01-04 11:40 75888 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{3A1407E9-2A5A-4DEF-B668-E652EB6E83FB}\offreg.2136.dll
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2016-02-02 11:18 . 2015-12-12 21:59 192216 ----a-w- c:\windows\system32\drivers\MBAMSwissArmy.sys
2016-01-25 22:05 . 2015-12-12 23:03 110176 ----a-w- c:\windows\system32\WindowsAccessBridge-64.dll
2016-01-21 03:01 . 2015-12-12 19:26 796864 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe
2016-01-21 03:01 . 2015-12-12 19:26 142528 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2015-12-29 12:48 . 2015-12-29 12:48 75888 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{3A1407E9-2A5A-4DEF-B668-E652EB6E83FB}\offreg.2276.dll
2015-12-21 10:40 . 2015-12-21 10:40 75888 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{3A1407E9-2A5A-4DEF-B668-E652EB6E83FB}\offreg.576.dll
2015-12-15 13:42 . 2015-12-15 13:42 75888 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{3A1407E9-2A5A-4DEF-B668-E652EB6E83FB}\offreg.1340.dll
2015-12-12 23:18 . 2015-12-12 23:18 194048 ----a-w- c:\windows\SysWow64\elshyph.dll
2015-12-12 23:18 . 2015-12-12 23:18 71680 ----a-w- c:\windows\SysWow64\RegisterIEPKEYs.exe
2015-12-12 23:18 . 2015-12-12 23:18 645120 ----a-w- c:\windows\SysWow64\jsIntl.dll
2015-12-12 23:18 . 2015-12-12 23:18 235008 ----a-w- c:\windows\system32\elshyph.dll
2015-12-12 23:18 . 2015-12-12 23:18 182272 ----a-w- c:\windows\SysWow64\msls31.dll
2015-12-12 23:18 . 2015-12-12 23:18 62464 ----a-w- c:\windows\SysWow64\tdc.ocx
2015-12-12 23:18 . 2015-12-12 23:18 24576 ----a-w- c:\windows\SysWow64\licmgr10.dll
2015-12-12 23:18 . 2015-12-12 23:18 151552 ----a-w- c:\windows\SysWow64\iexpress.exe
2015-12-12 23:18 . 2015-12-12 23:18 139264 ----a-w- c:\windows\SysWow64\wextract.exe
2015-12-12 23:18 . 2015-12-12 23:18 942592 ----a-w- c:\windows\system32\jsIntl.dll
2015-12-12 23:18 . 2015-12-12 23:18 90112 ----a-w- c:\windows\system32\SetIEInstalledDate.exe
2015-12-12 23:18 . 2015-12-12 23:18 86016 ----a-w- c:\windows\SysWow64\iesysprep.dll
2015-12-12 23:18 . 2015-12-12 23:18 86016 ----a-w- c:\windows\system32\RegisterIEPKEYs.exe
2015-12-12 23:18 . 2015-12-12 23:18 74240 ----a-w- c:\windows\SysWow64\SetIEInstalledDate.exe
2015-12-12 23:18 . 2015-12-12 23:18 52224 ----a-w- c:\windows\system32\msfeedsbs.dll
2015-12-12 23:18 . 2015-12-12 23:18 48640 ----a-w- c:\windows\SysWow64\mshtmler.dll
2015-12-12 23:18 . 2015-12-12 23:18 36352 ----a-w- c:\windows\SysWow64\imgutil.dll
2015-12-12 23:18 . 2015-12-12 23:18 247808 ----a-w- c:\windows\system32\msls31.dll
2015-12-12 23:18 . 2015-12-12 23:18 13312 ----a-w- c:\windows\SysWow64\mshta.exe
2015-12-12 23:18 . 2015-12-12 23:18 13312 ----a-w- c:\windows\system32\msfeedssync.exe
2015-12-12 23:18 . 2015-12-12 23:18 131072 ----a-w- c:\windows\system32\IEAdvpack.dll
2015-12-12 23:18 . 2015-12-12 23:18 111616 ----a-w- c:\windows\SysWow64\IEAdvpack.dll
2015-12-12 23:18 . 2015-12-12 23:18 48640 ----a-w- c:\windows\system32\mshtmler.dll
2015-12-12 23:18 . 2015-12-12 23:18 81408 ----a-w- c:\windows\system32\icardie.dll
2015-12-12 23:18 . 2015-12-12 23:18 77312 ----a-w- c:\windows\system32\tdc.ocx
2015-12-12 23:18 . 2015-12-12 23:18 62464 ----a-w- c:\windows\system32\pngfilt.dll
2015-12-12 23:18 . 2015-12-12 23:18 616104 ----a-w- c:\windows\system32\ieapfltr.dat
2015-12-12 23:18 . 2015-12-12 23:18 48128 ----a-w- c:\windows\system32\imgutil.dll
2015-12-12 23:18 . 2015-12-12 23:18 30208 ----a-w- c:\windows\system32\licmgr10.dll
2015-12-12 23:18 . 2015-12-12 23:18 235520 ----a-w- c:\windows\system32\url.dll
2015-12-12 23:18 . 2015-12-12 23:18 167424 ----a-w- c:\windows\system32\iexpress.exe
2015-12-12 23:18 . 2015-12-12 23:18 143872 ----a-w- c:\windows\system32\wextract.exe
2015-12-12 23:18 . 2015-12-12 23:18 13824 ----a-w- c:\windows\system32\mshta.exe
2015-12-12 23:18 . 2015-12-12 23:18 135680 ----a-w- c:\windows\system32\iepeers.dll
2015-12-12 23:18 . 2015-12-12 23:18 105984 ----a-w- c:\windows\system32\iesysprep.dll
2015-12-12 23:18 . 2015-12-12 23:18 101376 ----a-w- c:\windows\system32\inseng.dll
2015-12-12 23:17 . 2015-12-12 23:17 878080 ----a-w- c:\windows\system32\advapi32.dll
2015-12-12 23:17 . 2015-12-12 23:17 859648 ----a-w- c:\windows\system32\tdh.dll
2015-12-12 23:17 . 2015-12-12 23:17 640512 ----a-w- c:\windows\SysWow64\advapi32.dll
2015-12-12 23:17 . 2015-12-12 23:17 619520 ----a-w- c:\windows\SysWow64\tdh.dll
2015-12-12 23:17 . 2015-12-12 23:17 327168 ----a-w- c:\windows\system32\mswsock.dll
2015-12-12 23:17 . 2015-12-12 23:17 231424 ----a-w- c:\windows\SysWow64\mswsock.dll
2015-12-12 23:16 . 2015-12-12 23:16 68608 ----a-w- c:\windows\system32\taskhost.exe
2015-12-12 23:15 . 2015-12-12 23:15 9728 ---ha-w- c:\windows\SysWow64\api-ms-win-downlevel-shlwapi-l1-1-0.dll
2015-12-12 23:15 . 2015-12-12 23:15 9728 ---ha-w- c:\windows\system32\api-ms-win-downlevel-shlwapi-l1-1-0.dll
2015-12-12 23:15 . 2015-12-12 23:15 648192 ----a-w- c:\windows\system32\d3d10level9.dll
2015-12-12 23:15 . 2015-12-12 23:15 604160 ----a-w- c:\windows\SysWow64\d3d10level9.dll
2015-12-12 23:15 . 2015-12-12 23:15 5632 ---ha-w- c:\windows\SysWow64\api-ms-win-downlevel-shlwapi-l2-1-0.dll
2015-12-12 23:15 . 2015-12-12 23:15 5632 ---ha-w- c:\windows\SysWow64\api-ms-win-downlevel-ole32-l1-1-0.dll
2015-12-12 23:15 . 2015-12-12 23:15 5632 ---ha-w- c:\windows\system32\api-ms-win-downlevel-shlwapi-l2-1-0.dll
2015-12-12 23:15 . 2015-12-12 23:15 5632 ---ha-w- c:\windows\system32\api-ms-win-downlevel-ole32-l1-1-0.dll
2015-12-12 23:15 . 2015-12-12 23:15 522752 ----a-w- c:\windows\system32\XpsGdiConverter.dll
2015-12-12 23:15 . 2015-12-12 23:15 4096 ---ha-w- c:\windows\SysWow64\api-ms-win-downlevel-user32-l1-1-0.dll
2015-12-12 23:15 . 2015-12-12 23:15 4096 ---ha-w- c:\windows\system32\api-ms-win-downlevel-user32-l1-1-0.dll
2015-12-12 23:15 . 2015-12-12 23:15 364544 ----a-w- c:\windows\SysWow64\XpsGdiConverter.dll
2015-12-12 23:15 . 2015-12-12 23:15 363008 ----a-w- c:\windows\system32\dxgi.dll
2015-12-12 23:15 . 2015-12-12 23:15 3584 ---ha-w- c:\windows\SysWow64\api-ms-win-downlevel-advapi32-l2-1-0.dll
2015-12-12 23:15 . 2015-12-12 23:15 3584 ---ha-w- c:\windows\system32\api-ms-win-downlevel-advapi32-l2-1-0.dll
2015-12-12 23:15 . 2015-12-12 23:15 333312 ----a-w- c:\windows\system32\d3d10_1core.dll
2015-12-12 23:15 . 2015-12-12 23:15 3072 ---ha-w- c:\windows\SysWow64\api-ms-win-downlevel-version-l1-1-0.dll
2015-12-12 23:15 . 2015-12-12 23:15 3072 ---ha-w- c:\windows\SysWow64\api-ms-win-downlevel-shell32-l1-1-0.dll
2015-12-12 23:15 . 2015-12-12 23:15 3072 ---ha-w- c:\windows\system32\api-ms-win-downlevel-version-l1-1-0.dll
2015-12-12 23:15 . 2015-12-12 23:15 3072 ---ha-w- c:\windows\system32\api-ms-win-downlevel-shell32-l1-1-0.dll
2015-12-12 23:15 . 2015-12-12 23:15 296960 ----a-w- c:\windows\system32\d3d10core.dll
2015-12-12 23:15 . 2015-12-12 23:15 293376 ----a-w- c:\windows\SysWow64\dxgi.dll
2015-12-12 23:15 . 2015-12-12 23:15 2776576 ----a-w- c:\windows\system32\msmpeg2vdec.dll
2015-12-12 23:15 . 2015-12-12 23:15 2560 ---ha-w- c:\windows\SysWow64\api-ms-win-downlevel-normaliz-l1-1-0.dll
2015-12-12 23:15 . 2015-12-12 23:15 2560 ---ha-w- c:\windows\system32\api-ms-win-downlevel-normaliz-l1-1-0.dll
2015-12-12 23:15 . 2015-12-12 23:15 249856 ----a-w- c:\windows\SysWow64\d3d10_1core.dll
2015-12-12 23:15 . 2015-12-12 23:15 245248 ----a-w- c:\windows\system32\WindowsCodecsExt.dll
2015-12-12 23:15 . 2015-12-12 23:15 2284544 ----a-w- c:\windows\SysWow64\msmpeg2vdec.dll
2015-12-12 23:15 . 2015-12-12 23:15 221184 ----a-w- c:\windows\system32\UIAnimation.dll
2015-12-12 23:15 . 2015-12-12 23:15 220160 ----a-w- c:\windows\SysWow64\d3d10core.dll
2015-12-12 23:15 . 2015-12-12 23:15 207872 ----a-w- c:\windows\SysWow64\WindowsCodecsExt.dll
2015-12-12 23:15 . 2015-12-12 23:15 194560 ----a-w- c:\windows\system32\d3d10_1.dll
2015-12-12 23:15 . 2015-12-12 23:15 187392 ----a-w- c:\windows\SysWow64\UIAnimation.dll
2015-12-12 23:15 . 2015-12-12 23:15 1682432 ----a-w- c:\windows\system32\XpsPrint.dll
2015-12-12 23:15 . 2015-12-12 23:15 161792 ----a-w- c:\windows\SysWow64\d3d10_1.dll
2015-12-12 23:15 . 2015-12-12 23:15 1238528 ----a-w- c:\windows\system32\d3d10.dll
2015-12-12 23:15 . 2015-12-12 23:15 1158144 ----a-w- c:\windows\SysWow64\XpsPrint.dll
2015-12-12 23:15 . 2015-12-12 23:15 1080832 ----a-w- c:\windows\SysWow64\d3d10.dll
2015-12-12 23:15 . 2015-12-12 23:15 10752 ---ha-w- c:\windows\SysWow64\api-ms-win-downlevel-advapi32-l1-1-0.dll
2015-12-12 23:15 . 2015-12-12 23:15 10752 ---ha-w- c:\windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll
2015-12-12 23:14 . 2015-12-12 23:14 1887232 ----a-w- c:\windows\system32\d3d11.dll
2015-12-12 23:14 . 2015-12-12 23:14 1505280 ----a-w- c:\windows\SysWow64\d3d11.dll
2015-12-02 21:18 . 2010-11-21 03:27 301728 ------w- c:\windows\system32\MpSigStub.exe
2015-11-24 03:10 . 2015-12-15 03:42 140158008 ----a-w- c:\windows\system32\MRT.exe
2015-11-20 18:54 . 2015-12-15 03:14 98816 ----a-w- c:\windows\system32\wudriver.dll
2015-11-20 18:54 . 2015-12-15 03:14 37888 ----a-w- c:\windows\system32\wups2.dll
2015-11-20 18:54 . 2015-12-15 03:14 36864 ----a-w- c:\windows\system32\wups.dll
2015-11-20 18:54 . 2015-12-15 03:14 3170304 ----a-w- c:\windows\system32\wucltux.dll
2015-11-20 18:54 . 2015-12-15 03:14 2609152 ----a-w- c:\windows\system32\wuaueng.dll
2015-11-20 18:54 . 2015-12-15 03:14 192512 ----a-w- c:\windows\system32\wuwebv.dll
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2015-12-23 596528]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
"EnableLinkedConnections"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\windows]
"LoadAppInit_DLLs"=1 (0x1)
.
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [x]
R2 MBAMService;MBAMService;c:\program files (x86)\Malwarebytes Anti-Malware\mbamservice.exe;c:\program files (x86)\Malwarebytes Anti-Malware\mbamservice.exe [x]
R3 A6100;NETGEAR A6100 WiFi Adapter;c:\windows\system32\DRIVERS\A6100.sys;c:\windows\SYSNATIVE\DRIVERS\A6100.sys [x]
R3 dmvsc;dmvsc;c:\windows\system32\drivers\dmvsc.sys;c:\windows\SYSNATIVE\drivers\dmvsc.sys [x]
R3 IEEtwCollectorService;Internet Explorer ETW Collector Service;c:\windows\system32\IEEtwCollector.exe;c:\windows\SYSNATIVE\IEEtwCollector.exe [x]
R3 JMCR;JMCR;c:\windows\system32\DRIVERS\jmcr.sys;c:\windows\SYSNATIVE\DRIVERS\jmcr.sys [x]
R3 MBAMWebAccessControl;MBAMWebAccessControl;c:\windows\system32\drivers\mwac.sys;c:\windows\SYSNATIVE\drivers\mwac.sys [x]
R3 MOSUMAC;USB-Ethernet Driver;c:\windows\system32\DRIVERS\USBMAC64.SYS;c:\windows\SYSNATIVE\DRIVERS\USBMAC64.SYS [x]
R3 netr7364;Conceptronic RT73 Wireles Driver for Vista;c:\windows\system32\DRIVERS\netr7364.sys;c:\windows\SYSNATIVE\DRIVERS\netr7364.sys [x]
R3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys;c:\windows\SYSNATIVE\DRIVERS\Rt64win7.sys [x]
R3 sdfhgdf;sdfhgdf;c:\windows\system32\DRIVERS\sdfhgdf.sys;c:\windows\SYSNATIVE\DRIVERS\sdfhgdf.sys [x]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys;c:\windows\SYSNATIVE\drivers\tsusbflt.sys [x]
R3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys;c:\windows\SYSNATIVE\drivers\TsUsbGD.sys [x]
S0 Thpevm;TOSHIBA HDD Protection - Shock Sensor Driver;c:\windows\system32\DRIVERS\Thpevm.SYS;c:\windows\SYSNATIVE\DRIVERS\Thpevm.SYS [x]
S2 MBAMScheduler;MBAMScheduler;c:\program files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe;c:\program files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe [x]
S3 HECIx64;Intel® Management Engine Interface;c:\windows\system32\DRIVERS\HECIx64.sys;c:\windows\SYSNATIVE\DRIVERS\HECIx64.sys [x]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys;c:\windows\SYSNATIVE\drivers\mbam.sys [x]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\MBAMSwissArmy.sys;c:\windows\SYSNATIVE\drivers\MBAMSwissArmy.sys [x]
S3 NETw5s64;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows 7 - 64 Bit;c:\windows\system32\DRIVERS\NETw5s64.sys;c:\windows\SYSNATIVE\DRIVERS\NETw5s64.sys [x]
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - 17862314
*NewlyCreated* - MBAMSWISSARMY
*Deregistered* - 17862314
.
Contents of the 'Scheduled Tasks' folder
.
2016-02-02 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2015-12-12 03:01]
.
.
--------- X64 Entries -----------
.
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = hxxp://www.reuters.com/
mLocal Page = c:\windows\SysWOW64\blank.htm
TCP: DhcpNameServer = 68.105.28.11 68.105.29.11 68.105.28.12
FF - ProfilePath - c:\users\Dad\AppData\Roaming\Mozilla\Firefox\Profiles\fnrc8xvk.default\
FF - prefs.js: browser.startup.homepage - hxxps://www.malwarebytes.org/restorebrowser/com/?site=shyosffdefault&prd=set_ff&s=G21zswatn1,b7af241f-aba3-44df-8b39-bfe029b23c18,
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_20_0_0_286_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\LocalServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_20_0_0_286_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}]
@Denied: (A 2) (Everyone)
@="IFlashBroker6"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_20_0_0_286_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_20_0_0_286_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_20_0_0_286.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.20"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_20_0_0_286.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_20_0_0_286.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_20_0_0_286.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}]
@Denied: (A 2) (Everyone)
@="IFlashBroker6"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2016-02-02  06:39:48
ComboFix-quarantined-files.txt  2016-02-02 11:39
.
Pre-Run: 281,178,112,000 bytes free
Post-Run: 280,880,824,320 bytes free
.
- - End Of File - - 89CE5B37D5C2FAA097FD5423D97C6DBB
A36C5E4F47E84449FF07ED3517B43A31
Farbar Recovery Scan Tool (x64) Version:27-01-2016
Ran by Dad (2016-02-06 19:33:00)
Running from C:\Users\Dad\Desktop
Boot Mode: Normal

================== Search Registry: "babylon;Bandoo;CleverSearch;conduit;datamngr;Fun4IM;iLivid;kelkoopartners;Luckysearches;QuickSurf;Searchnu;Searchqu;SharkManCoupon;sushileads;SweetIM;SweetPacks;TidyNetwork;trolltech;whitesmoke;Wordinator;WordSurfer;www-mysearch.com;mysearch" ===========

===================== Search result for "babylon" ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extension Compatibility\{2EECD738-5844-4A99-B4B6-146BF802613B}]
"DllName"="BabylonToolbar.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extension Compatibility\{98889811-442D-49DD-99D7-DC866BE87DBC}]
"DllName"="BabylonToolbarTlbr.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Extension Compatibility\{97F2FF5B-260C-4CCF-834A-2DDA4E29E39E}]
"DllName"="BabylonToolbar.dll"

===================== Search result for "Searchqu" ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{AB310581-AC80-11D1-8DF3-00C04FB6EF63}]
""="ISearchQueryHelper"

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\Interface\{AB310581-AC80-11D1-8DF3-00C04FB6EF63}]
""="ISearchQueryHelper"

===================== Search result for "trolltech" ==========

[HKEY_USERS\S-1-5-21-3167222858-928045956-1320353739-1000\Software\Trolltech]

====== End of Search ======

I'll address the anti-virus issue once all this is resolved.
Let me know what the next steps are.

 

Cheers



#6 mAL_rEm018 (Malware Response Team, 311 posts)

Posted 07 February 2016 - 04:04 PM

Hello Joe Z,

"I'll address the anti-virus issue once all this is resolved."

This is your choice, however I would feel more comfortable knowing that you have an Anti-virus running on your computer while we work together.  This is to prevent your computer from catching other infections.  As I already mentioned in my last post, your computer is at risk.  If you insist on not having an Anti-virus while we clean your computer, then I would advise you not to use the internet for anything else, other than to access this topic.


Please run the following fix..



  • Click Start
  • Type notepad.exe in the search programs and files box and click Enter.
  • A blank Notepad page should open.
  • Copy/Paste the contents of the code box below into Notepad.
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
HKU\S-1-5-21-3167222858-928045956-1320353739-1000\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
S3 A6100; system32\DRIVERS\A6100.sys [X]
Task: {874B9F28-33CD-445C-BEF1-DFC62ED62945} - \IBUpd -> No File <==== ATTENTION
Task: {8B1A7D79-C7CF-4917-9C9B-CE6BC06BBE38} - \MAXDriverUpdaterRunAtStartup -> No File <==== ATTENTION
Task: {DF9C4C45-E6C6-4A2A-8A71-97F1E8800D3F} - \RSPro -> No File <==== ATTENTION
ShortcutWithArgument: C:\Users\Dad\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer.lnk -> C:\Program Files\Internet Explorer\iexplore.exe (Microsoft Corporation) -> hxxp://www%2dmysearch.com/?prd=set_epc&s=G21zswatn1,b7af241f-aba3-44df-8b39-bfe029b23c18,
ShortcutWithArgument: C:\Users\Dad\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Internet Explorer (No Add-ons).lnk -> C:\Program Files\Internet Explorer\iexplore.exe (Microsoft Corporation) -> hxxp://www%2dmysearch.com/?prd=set_epc&s=G21zswatn1,b7af241f-aba3-44df-8b39-bfe029b23c18,
ShortcutWithArgument: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Mozilla Firefox.lnk -> C:\Program Files (x86)\Mozilla Firefox\firefox.exe (Mozilla Corporation) -> hxxp://www-mysearch.com/?prd=set_epc&s=G21zswatn1,b7af241f-aba3-44df-8b39-bfe029b23c18,
FirewallRules: [{8DBA7FE6-B1C3-4E13-8C37-22DEA0B17DAE}] => (Allow) C:\Users\Dad\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\Z8M15TY9\download[1].exe
FirewallRules: [{EB0B0195-95A7-471D-B21D-B539D7D65537}] => (Allow) C:\Users\Dad\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\Z8M15TY9\download[1].exe

[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{AB310581-AC80-11D1-8DF3-00C04FB6EF63}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extension Compatibility\{2EECD738-5844-4A99-B4B6-146BF802613B}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extension Compatibility\{98889811-442D-49DD-99D7-DC866BE87DBC}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\Interface\{AB310581-AC80-11D1-8DF3-00C04FB6EF63}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Extension Compatibility\{97F2FF5B-260C-4CCF-834A-2DDA4E29E39E}]
[-HKEY_USERS\S-1-5-21-3167222858-928045956-1320353739-1000\Software\Trolltech]


Hosts:
EmptyTemp:
CreateRestorePoint:
  • Save it to the same folder/directory that FRST.exe is in, naming it as fixlist.txt

NOTICE: This script was written specifically for this user. Running it on another machine may cause damage to your operating system



  • Start FRST in a similar manner to when you ran a scan earlier, but this time when it opens ....
  • Press the Fix button once and wait.
  • FRST will process fixlist.txt
  • When finished, it will produce a log fixlog.txt in the same folder/directory as FRST64.exe
  • Please post me the log


I need you to run an online scan..

ESET Online Scanner

Note: You can use either Internet Explorer or Mozilla FireFox for this scan.

Note: If you are using Windows Vista or Windows 7, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.



  • First please Disable any Antivirus you have active, as shown in This topic.
  • Note: Don't forget to re-enable it after the scan.
  • Next hold down Control then click on the following link to open a new window to ESET Online Scanner

    Note: If using Mozilla Firefox you will need to download esetsmartinstaller_enu.exe when prompted then double click on it to install.
    All of the below instructions are compatible with either Internet Explorer or Mozilla FireFox.

  • When prompted allow the Add-On/Active X to install.
  • Click on Run ESET Online Scanner, then select the option YES, I accept the Terms of Use, then click Start.
  • Make sure that the option Remove found threats is NOT checked, and the option Scan archives is  checked.
  • Now click on Advanced Settings and select the following:
    • Scan for potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth Technology
  • Now click on Start.
  • The virus signature database... will begin to download. Be patient, this may take some time depending on the speed of your Internet connection.
  • When completed the Online Scan will begin automatically.
  • Do not touch either the Mouse or keyboard during the scan otherwise it may stall.
  • When completed select Uninstall application on close if you so wish, make sure you copy the logfile first!
  • Now click on Finish.
  • Use notepad to open the logfile located at C:\Program Files\ESET\EsetOnlineScanner\log.txt.
  • Copy and paste that log as a reply to this topic.


Next..


I need to see a fresh FRST log..



  • Right-click on FRST64.exe and select Run as administrator.
  • Ensure that Addition.txt is checked.
  • Select Scan.
  • When the scan is over two windows will open, FRST.txt and Addition.txt.
  • Please post the contents of both logs in your next reply.

How is your computer behaving?


-----------------------------------------
In your next reply, I would like to see..


  • fixlog.txt
  • ESET scan results
  • FRST.txt
  • Addition.txt
  • Update on your computer performance.

Teacher at the Malware Removal University.

Member of UNITE

 

Failure to post replies within 4 days will result in this thread being closed
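Added example, not part of this thread and not code from FRST, ESET or Malwarebytes: a PowerShell audit for the two artefact classes the fixlist above removes. The first is the hijack the topic starter described, a browser shortcut whose target is the genuine iexplore.exe or firefox.exe but whose Arguments field carries a start URL (FRST reports these as "ShortcutWithArgument:"). Note that the two IE shortcuts were logged with the hyphen percent-encoded as "www%2dmysearch.com", so the check decodes the argument string before matching rather than searching for the literal domain. The second is a Windows Firewall allow-rule whose program sits in a user-writable browser cache directory, like the two "FirewallRules:" entries for download[1].exe under Temporary Internet Files. The search roots, the browser list and the "suspicious directory" pattern are assumptions to adjust for the machine being checked; the script only reports, and the remediation lines at the end are commented out.

```powershell
# Added example (not from the thread, FRST or ESET). Report-only audit of
# (1) browser shortcuts carrying a URL argument and (2) firewall allow-rules
# for executables in user-writable cache directories. Written for the
# PowerShell 2.0 that ships with Windows 7, hence New-Object PSObject.

function Find-HijackedBrowserShortcut {
    param(
        # Assumed locations; add any folder the user launches browsers from.
        [string[]] $Roots = @(
            "$env:APPDATA\Microsoft\Windows\Start Menu",
            "$env:ProgramData\Microsoft\Windows\Start Menu",
            "$env:APPDATA\Microsoft\Internet Explorer\Quick Launch",  # includes User Pinned\TaskBar
            "$env:USERPROFILE\Desktop",
            "$env:PUBLIC\Desktop"
        ),
        [string[]] $Browsers = @('iexplore.exe', 'firefox.exe', 'chrome.exe', 'opera.exe')
    )
    $shell = New-Object -ComObject WScript.Shell
    Get-ChildItem -Path $Roots -Filter *.lnk -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
        $sc = $shell.CreateShortcut($_.FullName)
        if (-not $sc.TargetPath) { return }            # skip shortcuts with no target
        $exe = Split-Path -Leaf $sc.TargetPath
        # Percent-decode first: the IE shortcuts in the log read "www%2dmysearch.com",
        # which a literal search for "www-mysearch" would miss.
        $argString = [uri]::UnescapeDataString($sc.Arguments)
        if ($Browsers -contains $exe -and $argString -match '(?i)https?://|www[.-]') {
            New-Object PSObject -Property @{
                Shortcut  = $_.FullName
                Target    = $sc.TargetPath
                Arguments = $argString
            }
        }
    }
}

function Find-SuspiciousFirewallRule {
    param(
        # Assumed pattern: programs living here should not hold a persistent allow-rule.
        [string] $SuspiciousPath = '(?i)\\AppData\\Local\\(Temp|Microsoft\\Windows\\(Temporary Internet Files|INetCache))\\'
    )
    $key   = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules'
    $rules = Get-ItemProperty -Path $key
    foreach ($prop in $rules.PSObject.Properties) {
        if ($prop.Name -notlike '{*}') { continue }    # skip the PSPath/PSDrive metadata properties
        # Each value is a pipe-delimited string of Key=Value fields, e.g.
        # "v2.10|Action=Allow|Active=TRUE|Dir=In|App=C:\...\download[1].exe|Name=...|"
        $fields = @{}
        foreach ($kv in ($prop.Value -split '\|')) {
            if ($kv -match '^([^=]+)=(.*)$') { $fields[$Matches[1]] = $Matches[2] }
        }
        if ($fields['Action'] -eq 'Allow' -and $fields['App'] -match $SuspiciousPath) {
            New-Object PSObject -Property @{
                RuleId = $prop.Name
                App    = $fields['App']
                Name   = $fields['Name']
                # A rule whose program no longer exists is leftover from a removed dropper.
                Exists = (Test-Path -LiteralPath $fields['App'])
            }
        }
    }
}

# Report only; review the hits before changing anything.
Find-HijackedBrowserShortcut | Format-List
Find-SuspiciousFirewallRule  | Format-Table -AutoSize

# Remediation for a reviewed hit, equivalent to what the FRST fix did above:
#   $sc = (New-Object -ComObject WScript.Shell).CreateShortcut($hit.Shortcut); $sc.Arguments = ''; $sc.Save()
#   Remove-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules' -Name $hit.RuleId
```

Run it from an elevated PowerShell so the HKLM firewall key and the all-users Start Menu under ProgramData are readable. Clearing a shortcut's Arguments removes the injected URL but not whatever dropped it, so the firewall-rule half matters: an allow-rule for an executable that once lived in the IE cache says a downloaded binary was run with enough privilege to write HKLM, and the rest of the FRST log should be read with that in mind.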


#7 Joe Z (Topic Starter, Members, 35 posts)

Posted 07 February 2016 - 04:47 PM

Hello mAL,

Before I get started, I understand your concerns about the anti-virus software and I will install.  Which of those do you recommend?  I realize it is your personal opinion and I am okay with that.  I have used Windows Defender previously but I felt it was "underpowered" but maybe there have been improvements.  I'm open to trying something new however.

Cheers



#8 Joe Z (Topic Starter, Members, 35 posts)

Posted 07 February 2016 - 06:18 PM

Hello mAL,
It looks like everything is running well =)   Thank you so much for your help!!  For anti-virus I decided to go with Avast, so far it seems easy to work with.
Here are the logs you've requested:
FixLog:
Fix result of Farbar Recovery Scan Tool (x64) Version:27-01-2016
Ran by Dad (2016-02-07 16:59:53) Run:1
Running from C:\Users\Dad\Desktop
Loaded Profiles: Dad (Available Profiles: Dad)
Boot Mode: Normal
==============================================

fixlist content:
*****************
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
HKU\S-1-5-21-3167222858-928045956-1320353739-1000\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
S3 A6100; system32\DRIVERS\A6100.sys [X]
Task: {874B9F28-33CD-445C-BEF1-DFC62ED62945} - \IBUpd -> No File <==== ATTENTION
Task: {8B1A7D79-C7CF-4917-9C9B-CE6BC06BBE38} - \MAXDriverUpdaterRunAtStartup -> No File <==== ATTENTION
Task: {DF9C4C45-E6C6-4A2A-8A71-97F1E8800D3F} - \RSPro -> No File <==== ATTENTION
ShortcutWithArgument: C:\Users\Dad\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer.lnk -> C:\Program Files\Internet Explorer\iexplore.exe (Microsoft Corporation) -> hxxp://www%2dmysearch.com/?prd=set_epc&s=G21zswatn1,b7af241f-aba3-44df-8b39-bfe029b23c18,
ShortcutWithArgument: C:\Users\Dad\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Internet Explorer (No Add-ons).lnk -> C:\Program Files\Internet Explorer\iexplore.exe (Microsoft Corporation) -> hxxp://www%2dmysearch.com/?prd=set_epc&s=G21zswatn1,b7af241f-aba3-44df-8b39-bfe029b23c18,
ShortcutWithArgument: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Mozilla Firefox.lnk -> C:\Program Files (x86)\Mozilla Firefox\firefox.exe (Mozilla Corporation) -> hxxp://www-mysearch.com/?prd=set_epc&s=G21zswatn1,b7af241f-aba3-44df-8b39-bfe029b23c18,
FirewallRules: [{8DBA7FE6-B1C3-4E13-8C37-22DEA0B17DAE}] => (Allow) C:\Users\Dad\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\Z8M15TY9\download[1].exe
FirewallRules: [{EB0B0195-95A7-471D-B21D-B539D7D65537}] => (Allow) C:\Users\Dad\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\Z8M15TY9\download[1].exe

[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{AB310581-AC80-11D1-8DF3-00C04FB6EF63}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extension Compatibility\{2EECD738-5844-4A99-B4B6-146BF802613B}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extension Compatibility\{98889811-442D-49DD-99D7-DC866BE87DBC}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\Interface\{AB310581-AC80-11D1-8DF3-00C04FB6EF63}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Extension Compatibility\{97F2FF5B-260C-4CCF-834A-2DDA4E29E39E}]
[-HKEY_USERS\S-1-5-21-3167222858-928045956-1320353739-1000\Software\Trolltech]

Hosts:
EmptyTemp:
CreateRestorePoint:
*****************

"HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer" => key removed successfully
"HKU\S-1-5-21-3167222858-928045956-1320353739-1000\SOFTWARE\Policies\Microsoft\Internet Explorer" => key removed successfully
A6100 => service removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{874B9F28-33CD-445C-BEF1-DFC62ED62945}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{874B9F28-33CD-445C-BEF1-DFC62ED62945}" => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\IBUpd => key not found.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon\{8B1A7D79-C7CF-4917-9C9B-CE6BC06BBE38}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{8B1A7D79-C7CF-4917-9C9B-CE6BC06BBE38}" => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\MAXDriverUpdaterRunAtStartup => key not found.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon\{DF9C4C45-E6C6-4A2A-8A71-97F1E8800D3F}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{DF9C4C45-E6C6-4A2A-8A71-97F1E8800D3F}" => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\RSPro => key not found.
C:\Users\Dad\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer.lnk => Shortcut argument removed successfully.
C:\Users\Dad\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Internet Explorer (No Add-ons).lnk => Shortcut argument restored successfully
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Mozilla Firefox.lnk => Shortcut argument removed successfully.
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{8DBA7FE6-B1C3-4E13-8C37-22DEA0B17DAE} => value removed successfully
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{EB0B0195-95A7-471D-B21D-B539D7D65537} => value removed successfully
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{AB310581-AC80-11D1-8DF3-00C04FB6EF63} => could not remove at first attempt (ErrorCode: C0000121), see next line.
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{AB310581-AC80-11D1-8DF3-00C04FB6EF63} => key removed successfully
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extension Compatibility\{2EECD738-5844-4A99-B4B6-146BF802613B} => key removed successfully
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extension Compatibility\{98889811-442D-49DD-99D7-DC866BE87DBC} => key removed successfully
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\Interface\{AB310581-AC80-11D1-8DF3-00C04FB6EF63} => could not remove at first attempt (ErrorCode: C0000121), see next line.
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\Interface\{AB310581-AC80-11D1-8DF3-00C04FB6EF63} => key removed successfully
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Extension Compatibility\{97F2FF5B-260C-4CCF-834A-2DDA4E29E39E} => key removed successfully
HKEY_USERS\S-1-5-21-3167222858-928045956-1320353739-1000\Software\Trolltech => could not remove at first attempt (ErrorCode: C0000121), see next line.
HKEY_USERS\S-1-5-21-3167222858-928045956-1320353739-1000\Software\Trolltech => key removed successfully
C:\Windows\System32\Drivers\etc\hosts => moved successfully
Hosts restored successfully.
Restore point was successfully created.
EmptyTemp: => 137.5 MB temporary data Removed.

The system needed a reboot.

==== End of Fixlog 17:00:23 ====
ESET Log (I think there should be more here, not sure why this is the only info it created?):
ESETSmartInstaller@High as CAB hook log:
OnlineScanner64.ocx - registred OK
OnlineScanner.ocx - registred OK
Update Init
Update Download
Update Finalize
Updated modules version: 28018
FRST log:
Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version:27-01-2016
Ran by Dad (administrator) on DAD-PC (07-02-2016 18:08:10)
Running from C:\Users\Dad\Desktop
Loaded Profiles: Dad (Available Profiles: Dad)
Platform: Windows 7 Professional Service Pack 1 (X64) Language: English (United States)
Internet Explorer Version 11 (Default browser: IE)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(AVAST Software) C:\Program Files\AVAST Software\Avast\AvastSvc.exe
(Malwarebytes) C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe
(Oracle Corporation) C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
(AVAST Software) C:\Program Files\AVAST Software\Avast\avastui.exe
(Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe
(Adobe Systems Incorporated) C:\Windows\System32\Macromed\Flash\FlashUtil64_20_0_0_286_ActiveX.exe
(Malwarebytes) C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe

==================== Registry (Whitelisted) ===========================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM-x32\...\Run: [SunJavaUpdateSched] => C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe [594992 2016-01-29] (Oracle Corporation)
HKLM-x32\...\Run: [AvastUI.exe] => C:\Program Files\AVAST Software\Avast\AvastUI.exe [7139768 2016-02-07] (AVAST Software)
ShellIconOverlayIdentifiers: [00avast] -> {472083B0-C522-11CF-8763-00608CC02F24} => C:\Program Files\AVAST Software\Avast\ashShA64.dll [2016-02-07] (AVAST Software)

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

Tcpip\Parameters: [DhcpNameServer] 68.105.28.11 68.105.29.11 68.105.28.12
Tcpip\..\Interfaces\{4B4BF0A0-C65A-410F-A0C3-C2F6131D75BD}: [DhcpNameServer] 68.105.28.11 68.105.29.11 68.105.28.12

Internet Explorer:
==================
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=msnhome
HKU\S-1-5-21-3167222858-928045956-1320353739-1000\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKU\S-1-5-21-3167222858-928045956-1320353739-1000\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://reuters.com/
BHO: Java™ Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files\Java\jre1.8.0_73\bin\ssv.dll [2016-02-06] (Oracle Corporation)
BHO: avast! Online Security -> {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} -> C:\Program Files\AVAST Software\Avast\aswWebRepIE64.dll [2016-02-07] (AVAST Software)
BHO: Java™ Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files\Java\jre1.8.0_73\bin\jp2ssv.dll [2016-02-06] (Oracle Corporation)
BHO-x32: avast! Online Security -> {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} -> C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll [2016-02-07] (AVAST Software)
DPF: HKLM-x32 {7530BFB8-7293-4D34-9923-61A11451AFC5} hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: HKLM-x32 {D27CDB6E-AE6D-11CF-96B8-444553540000} hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
Handler-x32: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - C:\Program Files (x86)\Belarc\BelarcAdvisor\System\BAVoilaX.dll [2015-11-13] (Belarc, Inc.)

FireFox:
========
FF ProfilePath: C:\Users\Dad\AppData\Roaming\Mozilla\Firefox\Profiles\kiwkuecq.default-1454472190981
FF Plugin: @adobe.com/FlashPlayer -> C:\Windows\system32\Macromed\Flash\NPSWF64_20_0_0_286.dll [2016-01-20] ()
FF Plugin: @java.com/DTPlugin,version=11.73.2 -> C:\Program Files\Java\jre1.8.0_73\bin\dtplugin\npDeployJava1.dll [2016-02-06] (Oracle Corporation)
FF Plugin: @java.com/JavaPlugin,version=11.73.2 -> C:\Program Files\Java\jre1.8.0_73\bin\plugin2\npjp2.dll [2016-02-06] (Oracle Corporation)
FF Plugin-x32: @adobe.com/FlashPlayer -> C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_20_0_0_286.dll [2016-01-20] ()
FF Plugin-x32: Adobe Reader -> C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AIR\nppdf32.dll [2015-12-18] (Adobe Systems Inc.)
FF HKLM\...\Firefox\Extensions: [wrc@avast.com] - C:\Program Files\AVAST Software\Avast\WebRep\FF
FF Extension: Avast Online Security - C:\Program Files\AVAST Software\Avast\WebRep\FF [2016-02-07]
FF HKLM-x32\...\Firefox\Extensions: [wrc@avast.com] - C:\Program Files\AVAST Software\Avast\WebRep\FF

Chrome:
=======
CHR HKLM-x32\...\Chrome\Extension: [gomekmidlodglbbmalcneegieacbdmki] - C:\Program Files\AVAST Software\Avast\WebRep\Chrome\aswWebRepChrome.crx [2016-02-07]

==================== Services (Whitelisted) ========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R2 avast! Antivirus; C:\Program Files\AVAST Software\Avast\AvastSvc.exe [237096 2016-02-07] (AVAST Software)
R2 MBAMScheduler; C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe [1513784 2015-10-05] (Malwarebytes)
S2 MBAMService; C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe [1135416 2015-10-05] (Malwarebytes)
R2 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [1011712 2013-05-27] (Microsoft Corporation)

===================== Drivers (Whitelisted) ==========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R2 aswHwid; C:\Windows\system32\drivers\aswHwid.sys [37656 2016-02-07] (AVAST Software)
R2 aswMonFlt; C:\Windows\system32\drivers\aswMonFlt.sys [107792 2016-02-07] (AVAST Software)
R1 aswRdr; C:\Windows\system32\drivers\aswRdr2.sys [103064 2016-02-07] (AVAST Software)
R0 aswRvrt; C:\Windows\System32\Drivers\aswRvrt.sys [74544 2016-02-07] (AVAST Software)
R1 aswSnx; C:\Windows\system32\drivers\aswSnx.sys [1065720 2016-02-07] (AVAST Software)
R1 aswSP; C:\Windows\system32\drivers\aswSP.sys [463744 2016-02-07] (AVAST Software)
R2 aswStm; C:\Windows\system32\drivers\aswStm.sys [165344 2016-02-07] (AVAST Software)
R0 aswVmm; C:\Windows\System32\Drivers\aswVmm.sys [286440 2016-02-07] (AVAST Software)
S3 ebdrv; C:\Windows\system32\drivers\evbda.sys [3286016 2009-06-10] (Broadcom Corporation)
R3 MBAMProtector; C:\Windows\system32\drivers\mbam.sys [25816 2015-10-05] (Malwarebytes)
R3 MBAMSwissArmy; C:\Windows\system32\drivers\MBAMSwissArmy.sys [192216 2016-02-07] (Malwarebytes)
S3 MBAMWebAccessControl; C:\Windows\system32\drivers\mwac.sys [63704 2015-10-05] (Malwarebytes Corporation)
S3 MOSUMAC; C:\Windows\System32\DRIVERS\USBMAC64.SYS [55296 2009-12-07] (--)

==================== NetSvcs (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

==================== One Month Created files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2016-02-07 17:07 - 2016-02-07 17:07 - 00000000 ____D C:\Program Files (x86)\ESET
2016-02-07 16:59 - 2016-02-07 17:00 - 00006474 _____ C:\Users\Dad\Desktop\Fixlog.txt
2016-02-07 16:52 - 2016-02-07 16:51 - 00398152 _____ (AVAST Software) C:\Windows\system32\aswBoot.exe
2016-02-07 16:51 - 2016-02-07 16:52 - 00003924 _____ C:\Windows\System32\Tasks\avast! Emergency Update
2016-02-07 16:51 - 2016-02-07 16:51 - 01065720 _____ (AVAST Software) C:\Windows\system32\Drivers\aswSnx.sys
2016-02-07 16:51 - 2016-02-07 16:51 - 00463744 _____ (AVAST Software) C:\Windows\system32\Drivers\aswSP.sys
2016-02-07 16:51 - 2016-02-07 16:51 - 00286440 _____ (AVAST Software) C:\Windows\system32\Drivers\aswVmm.sys
2016-02-07 16:51 - 2016-02-07 16:51 - 00165344 _____ (AVAST Software) C:\Windows\system32\Drivers\aswStm.sys
2016-02-07 16:51 - 2016-02-07 16:51 - 00107792 _____ (AVAST Software) C:\Windows\system32\Drivers\aswMonFlt.sys
2016-02-07 16:51 - 2016-02-07 16:51 - 00103064 _____ (AVAST Software) C:\Windows\system32\Drivers\aswRdr2.sys
2016-02-07 16:51 - 2016-02-07 16:51 - 00074544 _____ (AVAST Software) C:\Windows\system32\Drivers\aswRvrt.sys
2016-02-07 16:51 - 2016-02-07 16:51 - 00052184 _____ (AVAST Software) C:\Windows\avastSS.scr
2016-02-07 16:51 - 2016-02-07 16:51 - 00037656 _____ (AVAST Software) C:\Windows\system32\Drivers\aswHwid.sys
2016-02-07 16:51 - 2016-02-07 16:51 - 00001922 _____ C:\Users\Public\Desktop\Avast Free Antivirus.lnk
2016-02-07 16:51 - 2016-02-07 16:51 - 00000000 ____D C:\Windows\System32\Tasks\AVAST Software
2016-02-07 16:51 - 2016-02-07 16:51 - 00000000 ____D C:\Users\Dad\AppData\Roaming\AVAST Software
2016-02-07 16:51 - 2016-02-07 16:51 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\AVAST Software
2016-02-07 16:51 - 2016-02-07 16:51 - 00000000 ____D C:\Program Files\Common Files\AV
2016-02-07 16:50 - 2016-02-07 16:50 - 05066104 _____ (AVAST Software) C:\Users\Dad\Desktop\avast_free_antivirus_setup_online_cnet2.exe
2016-02-07 16:50 - 2016-02-07 16:50 - 00000000 ____D C:\ProgramData\AVAST Software
2016-02-07 16:50 - 2016-02-07 16:50 - 00000000 ____D C:\Program Files\AVAST Software
2016-02-06 20:16 - 2016-02-06 20:16 - 00020700 _____ C:\ComboFix.txt
2016-02-06 19:32 - 2016-02-06 19:33 - 00001475 _____ C:\Users\Dad\Desktop\Search.txt
2016-02-06 19:30 - 2016-02-06 19:30 - 00000207 _____ C:\Windows\tweaking.com-regbackup-DAD-PC-Windows-7-Professional-(64-bit).dat
2016-02-06 19:30 - 2016-02-06 19:30 - 00000000 ____D C:\RegBackup
2016-02-06 19:29 - 2016-02-06 19:29 - 00002235 _____ C:\Users\Dad\Desktop\Tweaking.com - Registry Backup.lnk
2016-02-06 19:29 - 2016-02-06 19:29 - 00000000 ____D C:\Users\Dad\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Tweaking.com
2016-02-06 19:29 - 2016-02-06 19:29 - 00000000 ____D C:\Program Files (x86)\Tweaking.com
2016-02-06 19:28 - 2016-02-06 19:29 - 00016481 _____ C:\Windows\Tweaking.com - Registry Backup Setup Log.txt
2016-02-06 19:28 - 2016-02-06 19:28 - 04777232 _____ (Tweaking.com) C:\Users\Dad\Desktop\tweaking.com_registry_backup_setup.exe
2016-02-06 15:57 - 2016-02-07 18:08 - 00007413 _____ C:\Users\Dad\Desktop\FRST.txt
2016-02-06 15:57 - 2016-02-06 15:58 - 00018372 _____ C:\Users\Dad\Desktop\Addition.txt
2016-02-06 15:56 - 2016-02-07 18:08 - 00000000 ____D C:\FRST
2016-02-06 15:56 - 2016-02-06 15:56 - 02370560 _____ (Farbar) C:\Users\Dad\Desktop\FRST64.exe
2016-02-06 06:37 - 2016-02-06 06:37 - 00000000 ____D C:\ProgramData\Sophos
2016-02-06 06:36 - 2016-02-06 06:36 - 00002759 _____ C:\Users\Public\Desktop\Sophos Virus Removal Tool.lnk
2016-02-06 06:36 - 2016-02-06 06:36 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Sophos
2016-02-06 06:36 - 2016-02-06 06:36 - 00000000 ____D C:\Program Files (x86)\Sophos
2016-02-06 06:33 - 2016-02-06 06:33 - 00000932 _____ C:\Users\Dad\Desktop\JRT.txt
2016-02-06 06:30 - 2016-02-06 06:30 - 01609032 _____ (Malwarebytes) C:\Users\Dad\Desktop\JRT.exe
2016-02-06 06:27 - 2016-02-06 06:27 - 00000841 _____ C:\Users\Dad\Desktop\AdwCleaner[C2].txt
2016-02-05 05:56 - 2016-02-06 09:03 - 00002038 _____ C:\Users\Dad\Desktop\Rkill.txt
2016-02-05 05:39 - 2016-02-05 05:53 - 00000000 ____D C:\Users\Dad\Desktop\mbar
2016-02-05 05:39 - 2016-02-05 05:53 - 00000000 ____D C:\ProgramData\Malwarebytes' Anti-Malware (portable)
2016-02-05 05:10 - 2016-02-05 05:10 - 00023412 _____ C:\Users\Dad\Desktop\MTB.txt
2016-02-05 05:06 - 2016-02-05 05:08 - 00002509 _____ C:\Users\Dad\Desktop\FSS.txt
2016-02-05 04:59 - 2016-02-05 04:59 - 00852720 _____ C:\Users\Dad\Desktop\SecurityCheck.exe
2016-02-03 18:44 - 2016-02-06 09:03 - 00000000 ____D C:\Users\Dad\Desktop\Cleaners
2016-02-03 18:04 - 2016-02-03 18:04 - 00001500 _____ C:\Users\Dad\Desktop\firefox - Shortcut.lnk
2016-02-02 23:06 - 2016-02-02 23:06 - 00659968 _____ C:\Users\Dad\Desktop\MicrosoftFixit50195.msi
2016-02-02 06:43 - 2016-02-06 06:21 - 00000000 ____D C:\AdwCleaner
2016-02-02 06:30 - 2016-02-06 20:16 - 00000000 ____D C:\Qoobox
2016-02-02 06:30 - 2016-02-02 06:38 - 00000000 ____D C:\Windows\erdnt
2016-02-02 06:30 - 2011-06-26 01:45 - 00256000 _____ C:\Windows\PEV.exe
2016-02-02 06:30 - 2010-11-07 12:20 - 00208896 _____ C:\Windows\MBR.exe
2016-02-02 06:30 - 2009-04-19 23:56 - 00060416 _____ (NirSoft) C:\Windows\NIRCMD.exe
2016-02-02 06:30 - 2000-08-30 19:00 - 00518144 _____ (SteelWerX) C:\Windows\SWREG.exe
2016-02-02 06:30 - 2000-08-30 19:00 - 00406528 _____ (SteelWerX) C:\Windows\SWSC.exe
2016-02-02 06:30 - 2000-08-30 19:00 - 00098816 _____ C:\Windows\sed.exe
2016-02-02 06:30 - 2000-08-30 19:00 - 00080412 _____ C:\Windows\grep.exe
2016-02-02 06:30 - 2000-08-30 19:00 - 00068096 _____ C:\Windows\zip.exe
2016-02-02 06:29 - 2016-02-02 06:29 - 05656479 ____R (Swearware) C:\Users\Dad\Desktop\ComboFix.exe
2016-02-02 06:23 - 2016-02-02 06:27 - 00186518 _____ C:\TDSSKiller.3.1.0.9_02.02.2016_06.23.04_log.txt
2016-02-01 18:16 - 2016-02-01 18:16 - 00772430 _____ C:\Windows\SysWOW64\PerfStringBackup.INI
2016-02-01 07:34 - 2016-02-01 07:34 - 00874720 _____ C:\Windows\Minidump\020116-13150-01.dmp
2016-01-31 05:42 - 2016-01-31 05:42 - 00271576 _____ C:\Windows\Minidump\013116-14118-01.dmp
2016-01-29 19:07 - 2016-01-29 19:08 - 00879224 _____ C:\Windows\Minidump\012916-14383-01.dmp
2016-01-26 17:09 - 2016-01-26 17:09 - 00895240 _____ C:\Windows\Minidump\012616-20576-01.dmp
2016-01-19 11:09 - 2016-01-19 11:09 - 00136413 _____ C:\Users\Dad\Desktop\Candidate Profile_distributedA.pdf
2016-01-19 10:24 - 2016-01-19 10:24 - 00130319 _____ C:\Users\Dad\Desktop\Candidate Profile_distributed.pdf
2016-01-17 09:56 - 2016-02-02 23:09 - 00000000 ____D C:\Program Files (x86)\Mozilla Firefox
2016-01-10 12:37 - 2016-01-10 12:38 - 00000062 _____ C:\Users\Dad\Desktop\case number.txt
2016-01-10 08:21 - 2016-01-10 08:21 - 00878736 _____ C:\Windows\Minidump\011016-14492-01.dmp
2016-01-09 06:20 - 2016-01-09 06:20 - 00877408 _____ C:\Windows\Minidump\010916-13026-01.dmp

==================== One Month Modified files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2016-02-07 18:01 - 2015-12-12 14:26 - 00000830 _____ C:\Windows\Tasks\Adobe Flash Player Updater.job
2016-02-07 17:43 - 2015-12-12 16:59 - 00192216 _____ (Malwarebytes) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
2016-02-07 17:10 - 2009-07-13 23:45 - 00031904 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2016-02-07 17:10 - 2009-07-13 23:45 - 00031904 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2016-02-07 17:07 - 2009-07-14 00:32 - 00000000 ____D C:\Windows\Downloaded Program Files
2016-02-07 17:06 - 2009-07-14 00:13 - 00778150 _____ C:\Windows\system32\PerfStringBackup.INI
2016-02-07 17:06 - 2009-07-13 22:20 - 00000000 ____D C:\Windows\inf
2016-02-07 17:01 - 2009-07-14 00:08 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2016-02-07 16:59 - 2015-12-12 16:10 - 00001061 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Mozilla Firefox.lnk
2016-02-07 16:59 - 2015-12-10 22:43 - 00001156 _____ C:\Users\Dad\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer.lnk
2016-02-07 16:38 - 2015-12-13 01:44 - 00883844 _____ C:\Windows\ntbtlog.txt
2016-02-06 20:15 - 2009-07-13 21:34 - 00000215 _____ C:\Windows\system.ini
2016-02-06 07:54 - 2015-12-12 18:03 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Java
2016-02-06 07:54 - 2015-12-12 18:03 - 00000000 ____D C:\Program Files\Java
2016-02-06 07:53 - 2015-12-12 18:03 - 00110176 _____ (Oracle Corporation) C:\Windows\system32\WindowsAccessBridge-64.dll
2016-02-06 07:53 - 2015-12-12 18:03 - 00000000 ____D C:\Users\Dad\.oracle_jre_usage
2016-02-05 05:39 - 2015-12-12 16:59 - 00109272 _____ (Malwarebytes) C:\Windows\system32\Drivers\mbamchameleon.sys
2016-02-02 23:09 - 2015-12-12 16:10 - 00000000 ____D C:\Program Files (x86)\Mozilla Maintenance Service
2016-02-01 18:22 - 2010-11-21 02:17 - 00000000 ____D C:\Windows\CSC
2016-02-01 18:21 - 2009-07-13 21:34 - 00000505 _____ C:\Windows\win.ini
2016-02-01 07:34 - 2015-12-16 08:51 - 352064313 _____ C:\Windows\MEMORY.DMP
2016-02-01 07:34 - 2015-12-16 08:51 - 00000000 ____D C:\Windows\Minidump
2016-01-25 17:06 - 2015-12-12 18:03 - 00000000 ____D C:\ProgramData\Oracle
2016-01-20 22:01 - 2015-12-12 14:26 - 00796864 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2016-01-20 22:01 - 2015-12-12 14:26 - 00142528 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
2016-01-20 22:01 - 2015-12-12 14:26 - 00003768 _____ C:\Windows\System32\Tasks\Adobe Flash Player Updater
2016-01-17 10:34 - 2015-12-12 01:18 - 00000000 ____D C:\Users\Dad\AppData\Local\ElevatedDiagnostics
2016-01-14 17:14 - 2015-12-16 00:18 - 00003886 _____ C:\Windows\System32\Tasks\Adobe Acrobat Update Task
2016-01-14 17:14 - 2015-12-16 00:18 - 00002441 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Acrobat Reader DC.lnk
2016-01-10 14:56 - 2015-12-10 23:20 - 00000000 ____D C:\Users\Dad\Desktop\recover

==================== Bamital & volsnap =================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\system32\winlogon.exe => File is digitally signed
C:\Windows\system32\wininit.exe => File is digitally signed
C:\Windows\SysWOW64\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\system32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\system32\services.exe => File is digitally signed
C:\Windows\system32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\system32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\system32\rpcss.dll => File is digitally signed
C:\Windows\system32\dnsapi.dll => File is digitally signed
C:\Windows\SysWOW64\dnsapi.dll => File is digitally signed
C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed

LastRegBack: 2016-01-29 00:34

==================== End of FRST.txt ============================

FRST Addition Log:

Additional scan result of Farbar Recovery Scan Tool (x64) Version:27-01-2016
Ran by Dad (2016-02-07 18:08:42)
Running from C:\Users\Dad\Desktop
Windows 7 Professional Service Pack 1 (X64) (2015-12-11 03:42:57)
Boot Mode: Normal
==========================================================

==================== Accounts: =============================

Administrator (S-1-5-21-3167222858-928045956-1320353739-500 - Administrator - Disabled)
Dad (S-1-5-21-3167222858-928045956-1320353739-1000 - Administrator - Enabled) => C:\Users\Dad
Guest (S-1-5-21-3167222858-928045956-1320353739-501 - Limited - Disabled)

==================== Security Center ========================

(If an entry is included in the fixlist, it will be removed.)

AV: avast! Antivirus (Enabled - Up to date) {17AD7D40-BA12-9C46-7131-94903A54AD8B}
AS: Windows Defender (Enabled - Out of date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
AS: avast! Antivirus (Enabled - Up to date) {ACCC9CA4-9C28-93C8-4B81-AFE241D3E736}

==================== Installed Programs ======================

(Only the adware programs with "Hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)

Adobe Acrobat Reader DC (HKLM-x32\...\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}) (Version: 15.010.20056 - Adobe Systems Incorporated)
Adobe Flash Player 20 ActiveX (HKLM-x32\...\Adobe Flash Player ActiveX) (Version: 20.0.0.286 - Adobe Systems Incorporated)
Adobe Flash Player 20 NPAPI (HKLM-x32\...\Adobe Flash Player NPAPI) (Version: 20.0.0.286 - Adobe Systems Incorporated)
Avast Free Antivirus (HKLM-x32\...\Avast) (Version: 11.1.2253 - AVAST Software)
Belarc Advisor 8.5b (HKLM-x32\...\Belarc Advisor) (Version: 8.5.2.0 - Belarc Inc.)
DownloadX ActiveX Download Control 1.6.8 (HKLM-x32\...\CA17A131-B7D9-41D6-868F-29A9BD9FCC8E_is1) (Version:  - DownloadXCtrl.com)
ESET Online Scanner v3 (HKLM-x32\...\ESET Online Scanner) (Version:  - )
Java 8 Update 73 (64-bit) (HKLM\...\{26A24AE4-039D-4CA4-87B4-2F86418073F0}) (Version: 8.0.730.2 - Oracle Corporation)
Magical Jelly Bean KeyFinder (HKLM-x32\...\KeyFinder_is1) (Version: 2.0.10.10 - Magical Jelly Bean)
Malwarebytes Anti-Malware version 2.2.0.1024 (HKLM-x32\...\Malwarebytes Anti-Malware_is1) (Version: 2.2.0.1024 - Malwarebytes)
Microsoft .NET Framework 4 Client Profile (HKLM\...\Microsoft .NET Framework 4 Client Profile) (Version: 4.0.30319 - Microsoft Corporation)
Microsoft .NET Framework 4 Extended (HKLM\...\Microsoft .NET Framework 4 Extended) (Version: 4.0.30319 - Microsoft Corporation)
Mozilla Firefox 43.0.4 (x86 en-US) (HKLM-x32\...\Mozilla Firefox 43.0.4 (x86 en-US)) (Version: 43.0.4 - Mozilla)
Mozilla Maintenance Service (HKLM-x32\...\MozillaMaintenanceService) (Version: 43.0.4.5848 - Mozilla)
Recover Keys (HKLM\...\Recover Keys_is1) (Version: 9.0.3.168 - Recover Keys)
Sophos Virus Removal Tool (HKLM-x32\...\{B829E117-D072-41EA-9606-9826A38D34C1}) (Version: 2.5.5 - Sophos Limited)
Tweaking.com - Registry Backup (HKLM-x32\...\Tweaking.com - Registry Backup) (Version: 3.3.1 - Tweaking.com)

==================== Custom CLSID (Whitelisted): ==========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

==================== Scheduled Tasks (Whitelisted) =============

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

Task: {5A40E926-9E86-4B89-9CFD-B12311724371} - System32\Tasks\Microsoft\Windows\UPnP\UPnPHostConfig => config upnphost start= auto
Task: {72DFCE0E-0BA4-44DB-95BB-9F68424D7F51} - System32\Tasks\Adobe Flash Player Updater => C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2016-01-20] (Adobe Systems Incorporated)
Task: {8C59FADD-4B36-47BD-B6C4-3ABBE35730E1} - System32\Tasks\avast! Emergency Update => C:\Program Files\AVAST Software\Avast\AvastEmUpdate.exe [2016-02-07] (AVAST Software)
Task: {9DFCE2DD-35E8-4B7B-A989-847DBFE31740} - System32\Tasks\Games\UpdateCheck_S-1-5-21-3167222858-928045956-1320353739-1000
Task: {B833DF8B-D18E-48DD-A51B-D66278FF5A29} - System32\Tasks\AVAST Software\Avast settings backup => C:\Program Files\Common Files\AV\avast! Antivirus\backup.exe [2016-02-07] (AVAST Software)
Task: {D77629A4-4073-4E01-B4BD-E5727BACDE33} - System32\Tasks\Adobe Acrobat Update Task => C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe [2015-12-13] (Adobe Systems Incorporated)
Task: {DD9F510C-95F4-499A-90C8-BAC5BC372FF4} - System32\Tasks\Microsoft\Windows\SoftwareProtectionPlatform\SvcRestartTask => start sppsvc

(If an entry is included in the fixlist, the task (.job) file will be moved. The file which is running by the task will not be moved.)

Task: C:\Windows\Tasks\Adobe Flash Player Updater.job => C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe

==================== Shortcuts =============================

(The entries could be listed to be restored or removed.)

==================== Loaded Modules (Whitelisted) ==============

2016-02-07 16:51 - 2016-02-07 16:51 - 00113496 _____ () C:\Program Files\AVAST Software\Avast\log.dll
2016-02-07 16:51 - 2016-02-07 16:51 - 00133768 _____ () C:\Program Files\AVAST Software\Avast\JsonRpcServer.dll
2016-02-07 16:52 - 2016-02-07 16:52 - 02819072 _____ () C:\Program Files\AVAST Software\Avast\defs\16020701\algo.dll
2016-02-07 16:51 - 2016-02-07 16:51 - 00480760 _____ () C:\Program Files\AVAST Software\Avast\ffl2.dll
2016-02-07 16:51 - 2016-02-07 16:51 - 40539648 _____ () C:\Program Files\AVAST Software\Avast\libcef.dll

==================== Alternate Data Streams (Whitelisted) =========

(If an entry is included in the fixlist, only the ADS will be removed.)

==================== Safe Mode (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.)

==================== EXE Association (Whitelisted) ===============

(If an entry is included in the fixlist, the registry item will be restored to default or removed.)

==================== Internet Explorer trusted/restricted ===============

(If an entry is included in the fixlist, it will be removed from the registry.)

==================== Hosts content: ===============================

(If needed Hosts: directive could be included in the fixlist to reset Hosts.)

2009-07-13 21:34 - 2016-02-07 16:59 - 00000035 ____A C:\Windows\system32\Drivers\etc\hosts

==================== Other Areas ============================

(Currently there is no automatic fix for this section.)

HKU\S-1-5-21-3167222858-928045956-1320353739-1000\Control Panel\Desktop\\Wallpaper ->
DNS Servers: 68.105.28.11 - 68.105.29.11
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System => (ConsentPromptBehaviorAdmin: 5) (ConsentPromptBehaviorUser: 3) (EnableLUA: 1)
Windows Firewall is enabled.

==================== MSCONFIG/TASK MANAGER disabled items ==

(Currently there is no automatic fix for this section.)

==================== FirewallRules (Whitelisted) ===============

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

FirewallRules: [SPPSVC-In-TCP] => (Allow) %SystemRoot%\system32\sppsvc.exe
FirewallRules: [SPPSVC-In-TCP-NoScope] => (Allow) %SystemRoot%\system32\sppsvc.exe
FirewallRules: [{ECB9315D-743C-4F86-A6BA-0F7BF9A8FE00}] => (Allow) C:\Program Files (x86)\Mozilla Firefox\firefox.exe
FirewallRules: [{2997A004-7591-40A2-A049-8FE3C1A2B714}] => (Allow) C:\Program Files (x86)\Mozilla Firefox\firefox.exe
FirewallRules: [{252CD788-D36F-4B91-AFB5-D3511B121DF1}] => (Allow) C:\Program Files (x86)\Mozilla Firefox\firefox.exe
FirewallRules: [{AC354553-B208-4DB0-8EA1-FEA84A0CB446}] => (Allow) C:\Program Files (x86)\Mozilla Firefox\firefox.exe

==================== Restore Points =========================

08-01-2016 20:14:09 Scheduled Checkpoint
16-01-2016 17:20:35 Scheduled Checkpoint
24-01-2016 19:04:39 Scheduled Checkpoint
01-02-2016 08:14:12 Scheduled Checkpoint
01-02-2016 18:09:05 Windows Update
02-02-2016 06:54:02 JRT Pre-Junkware Removal
02-02-2016 22:58:32 Installed Microsoft Fix it 50195
02-02-2016 23:07:21 Installed Microsoft Fix it 50195
06-02-2016 06:30:47 JRT Pre-Junkware Removal
06-02-2016 06:36:30 Installed Sophos Virus Removal Tool.
07-02-2016 16:59:59 Restore Point Created by FRST

==================== Faulty Device Manager Devices =============

Name: Teredo Tunneling Pseudo-Interface
Description: Microsoft Teredo Tunneling Adapter
Class Guid: {4d36e972-e325-11ce-bfc1-08002be10318}
Manufacturer: Microsoft
Service: tunnel
Problem: : This device cannot start. (Code10)
Resolution: Device failed to start. Click "Update Driver" to update the drivers for this device.
On the "General Properties" tab of the device, click "Troubleshoot" to start the troubleshooting wizard.

Name: Intel® Centrino® Advanced-N + WiMAX 6250
Description: Intel® Centrino® Advanced-N + WiMAX 6250
Class Guid:
Manufacturer:
Service:
Problem: : The drivers for this device are not installed. (Code 28)
Resolution: To install the drivers for this device, click "Update Driver", which starts the Hardware Update wizard.

Name: Realtek PCIe FE Family Controller
Description: Realtek PCIe FE Family Controller
Class Guid: {4d36e972-e325-11ce-bfc1-08002be10318}
Manufacturer: Realtek
Service: RTL8167
Problem: : This device cannot start. (Code10)
Resolution: Device failed to start. Click "Update Driver" to update the drivers for this device.
On the "General Properties" tab of the device, click "Troubleshoot" to start the troubleshooting wizard.

==================== Event log errors: =========================

Application errors:
==================
Error: (02/07/2016 06:04:20 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: IEXPLORE.EXE, version: 11.0.9600.18124, time stamp: 0x5641278d
Faulting module name: ONLINE~1.OCX_unloaded, version: 0.0.0.0, time stamp: 0x55546935
Exception code: 0xc0000005
Fault offset: 0x674508e0
Faulting process id: 0xfa4
Faulting application start time: 0xIEXPLORE.EXE0
Faulting application path: IEXPLORE.EXE1
Faulting module path: IEXPLORE.EXE2
Report Id: IEXPLORE.EXE3

Error: (02/07/2016 06:02:41 PM) (Source: SideBySide) (EventID: 80) (User: )
Description: Activation context generation failed for "C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18837_none_fa3b1e3d17594757.manifest1".Error in manifest or policy file "C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18837_none_fa3b1e3d17594757.manifest2" on line C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18837_none_fa3b1e3d17594757.manifest3.
A component version required by the application conflicts with another component version already active.
Conflicting components are:.
Component 1: C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18837_none_fa3b1e3d17594757.manifest.
Component 2: C:\Windows\WinSxS\manifests\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18837_none_41e855142bd5705d.manifest.

Error: (02/07/2016 05:02:12 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (02/07/2016 04:59:59 PM) (Source: VSS) (EventID: 8194) (User: )
Description: Volume Shadow Copy Service error: Unexpected error querying for the IVssWriterCallback interface.  hr = 0x80070005, Access is denied.
.
This is often caused by incorrect security settings in either the writer or requestor process.

Operation:
   Gathering Writer Data

Context:
   Writer Class Id: {e8132975-6f93-4464-a53e-1050253ae220}
   Writer Name: System Writer
   Writer Instance ID: {9a504317-09e2-44b8-91cb-d183124cff7b}

Error: (02/07/2016 04:40:47 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (02/07/2016 01:00:30 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (02/07/2016 12:30:25 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (02/06/2016 08:15:47 AM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (02/06/2016 07:48:44 AM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (02/06/2016 06:24:58 AM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

System errors:
=============
Error: (02/07/2016 05:12:56 PM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: The eapihdrv service failed to start due to the following error:
%%1275

Error: (02/07/2016 05:12:56 PM) (Source: Application Popup) (EventID: 1060) (User: )
Description: \??\C:\Users\Dad\AppData\Local\Temp\ehdrv.sys has been blocked from loading due to incompatibility with this system. Please contact your software vendor for a compatible version of the driver.

Error: (02/07/2016 05:12:55 PM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: The eapihdrv service failed to start due to the following error:
%%1275

Error: (02/07/2016 05:12:55 PM) (Source: Application Popup) (EventID: 1060) (User: )
Description: \??\C:\Users\Dad\AppData\Local\Temp\ehdrv.sys has been blocked from loading due to incompatibility with this system. Please contact your software vendor for a compatible version of the driver.

Error: (02/07/2016 05:12:54 PM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: The eapihdrv service failed to start due to the following error:
%%1275

Error: (02/07/2016 05:12:54 PM) (Source: Application Popup) (EventID: 1060) (User: )
Description: \??\C:\Users\Dad\AppData\Local\Temp\ehdrv.sys has been blocked from loading due to incompatibility with this system. Please contact your software vendor for a compatible version of the driver.

Error: (02/07/2016 05:10:28 PM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: The eapihdrv service failed to start due to the following error:
%%1275

Error: (02/07/2016 05:10:28 PM) (Source: Application Popup) (EventID: 1060) (User: )
Description: \??\C:\Users\Dad\AppData\Local\Temp\ehdrv.sys has been blocked from loading due to incompatibility with this system. Please contact your software vendor for a compatible version of the driver.

Error: (02/07/2016 05:10:27 PM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: The eapihdrv service failed to start due to the following error:
%%1275

Error: (02/07/2016 05:10:27 PM) (Source: Application Popup) (EventID: 1060) (User: )
Description: \??\C:\Users\Dad\AppData\Local\Temp\ehdrv.sys has been blocked from loading due to incompatibility with this system. Please contact your software vendor for a compatible version of the driver.

CodeIntegrity:
===================================
  Date: 2015-12-14 20:51:14.206
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Users\Dad\Desktop\recover\Windows\explorer.exe because the set of per-page image hashes could not be found on the system.

  Date: 2015-12-14 20:51:14.128
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Users\Dad\Desktop\recover\Windows\explorer.exe because the set of per-page image hashes could not be found on the system.

  Date: 2015-12-14 20:51:14.066
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Users\Dad\Desktop\recover\Windows\explorer.exe because the set of per-page image hashes could not be found on the system.

  Date: 2015-12-14 20:51:13.957
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Users\Dad\Desktop\recover\Windows\explorer.exe because the set of per-page image hashes could not be found on the system.

  Date: 2015-12-14 20:51:13.863
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Users\Dad\Desktop\recover\Windows\explorer.exe because the set of per-page image hashes could not be found on the system.

  Date: 2015-12-14 20:51:13.754
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Users\Dad\Desktop\recover\Windows\explorer.exe because the set of per-page image hashes could not be found on the system.

  Date: 2015-12-14 20:51:13.691
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Users\Dad\Desktop\recover\Windows\explorer.exe because the set of per-page image hashes could not be found on the system.

  Date: 2015-12-14 20:51:13.613
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Users\Dad\Desktop\recover\Windows\explorer.exe because the set of per-page image hashes could not be found on the system.

  Date: 2015-12-14 20:51:13.520
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Users\Dad\Desktop\recover\Windows\explorer.exe because the set of per-page image hashes could not be found on the system.

  Date: 2015-12-13 18:50:50.065
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Users\Dad\Desktop\recover\Windows\explorer.exe because the set of per-page image hashes could not be found on the system.

==================== Memory info ===========================

Processor: Intel® Core™ i7 CPU Q 740 @ 1.73GHz
Percentage of memory in use: 42%
Total physical RAM: 4026.67 MB
Available physical RAM: 2300.88 MB
Total Virtual: 8051.55 MB
Available Virtual: 6347.27 MB

==================== Drives ================================

Drive c: () (Fixed) (Total:465.66 GB) (Free:260.06 GB) NTFS

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (MBR Code: Windows 7 or 8) (Size: 465.8 GB) (Disk ID: 6ECF3554)
Partition 1: (Active) - (Size=100 MB) - (Type=07 NTFS)
Partition 2: (Not Active) - (Size=465.7 GB) - (Type=07 NTFS)

==================== End of Addition.txt ============================

Let me know if there are additional items that need to be corrected.  As of now everything seems to be working fine.  Thank you again for all your help!!

Cheers

#9 mAL_rEm018

  • Malware Response Team
  • 311 posts

Posted 07 February 2016 - 06:22 PM

Hello Joe Z,

> Before I get started, I understand your concerns about the anti-virus software and I will install.  Which of those do you recommend?  I realize it is your personal opinion and I am okay with that.  I have used Windows Defender previously but I felt it was "underpowered" but maybe there have been improvements.  I'm open to trying something new however.

This is a wise choice. :)  It's important to note that Windows Defender does not serve as an Anti-virus in Windows 7.  From my personal experience I can say that both avast! and Microsoft Security Essentials are very good.  I used Avast! for several years and only recently switched to MSE.  As both programs have their pros and cons, I would say it might be best to just pick one and if you are dissatisfied with it, then you can always switch to another one later.  Once the Anti-virus is installed, please follow the steps outlined in my last post: http://www.bleepingcomputer.com/forums/t/604687/im-infected-by-www-mysearchcom-how-to-get-rid-of-it/?p=3929257  If you run into any issues while doing so, please let me know.

Please note: I will be out for the rest of the night, therefore I won't be able to post a reply until tomorrow.

mAL   
 

 


Teacher at the Malware Removal University.

Member of UNITE

 

Failure to post replies within 4 days will result in this thread being closed


#10 mAL_rEm018

mAL_rEm018

  • Malware Response Team
  • 311 posts
  • Gender:Male

Posted 07 February 2016 - 06:26 PM

Hello Joe Z,

Please ignore my last post.  I didn't notice you had posted a reply.  I will provide you with additional instructions as soon as possible.

mAL


Edited by mAL_rEm018, 07 February 2016 - 06:26 PM.



#11 mAL_rEm018

mAL_rEm018

  • Malware Response Team
  • 311 posts
  • Gender:Male

Posted 08 February 2016 - 03:32 AM

Hello Joe Z,
 

It looks like everything is running well =)

That's good! :)  We still have a few things to do, so please stick with this topic until I give you the all clean.

Please run the following fix..



  • Click Start
  • Type notepad.exe in the search programs and files box and click Enter.
  • A blank Notepad page should open.
  • Copy/Paste the contents of the code box below into Notepad.
CMD: sc config WinDefend start= disabled
CMD: sc stop WinDefend
EmptyTemp:
  • Save it to the same folder/directory that FRST.exe is in, naming it as fixlist.txt

NOTICE: This script was written specifically for this user. Running it on another machine may cause damage to your operating system



  • Start FRST in a similar manner to when you ran a scan earlier, but this time when it opens ....
  • Press the Fix button once and wait.
  • FRST will process fixlist.txt
  • When finished, it will produce a log fixlog.txt in the same folder/directory as FRST64.exe
  • Please post me the log


ESET Log (I think there should be more here, not sure why this is the only info it created?):

The log should be in the following location:


C:\Program Files\ESET\EsetOnlineScanner\log.txt.


If the log is not present, please do the following instead:

As you have Malwarebytes' Anti-Malware installed on your computer. Could you please do a scan using these settings:



  • Launch Malwarebytes then click Update Now.
  • Press the Scan Settings icon on the top bar of the MBAM interface, make sure Threat Scan is checked.
  • Press the Scan Now >> button.
  • When the scan is finished:
  • If clean, a message will be displayed "The scan completed successfully! No malicious items were detected!"
  • If infections were found, click the Quarantine all button.
  • Press the View detailed log >> link to display the results log.
  • Press the Copy to Clipboard button.
  • Copy and paste the scan results in your next reply and exit MBAM.


-----------------------------------------
In your next reply, I would like to see..

  • fixlog.txt
  • ESET or MBAM log

 




#12 Joe Z

Joe Z
  • Topic Starter

  • Members
  • 35 posts

Posted 08 February 2016 - 07:02 AM

Hello mAL,

 

Here is the FIXLOG:

 

Loaded Profiles: Dad (Available Profiles: Dad)
Boot Mode: Normal
==============================================

fixlist content:
*****************
CMD: sc config WinDefend start= disabled
CMD: sc stop WinDefend
EmptyTemp:
*****************

=========  sc config WinDefend start= disabled =========

[SC] ChangeServiceConfig SUCCESS

========= End of CMD: =========

=========  sc stop WinDefend =========

SERVICE_NAME: WinDefend
        TYPE               : 20  WIN32_SHARE_PROCESS 
        STATE              : 4  RUNNING
                                (STOPPABLE, NOT_PAUSABLE, ACCEPTS_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0

========= End of CMD: =========

 

 

MALWAREBYTES:  Found no threats

 

ESET Log:

 

ESETSmartInstaller@High as CAB hook log:
OnlineScanner64.ocx - registred OK
OnlineScanner.ocx - registred OK
Update Init
Update Download
Update Finalize
Updated modules version: 28018

 

 

My only concern is that ESET did find two items yet they're not reported in the above log and the Quarantine folder is empty.  I will run it again at some point to verify the items were removed if you think it is necessary.

 

Thanks again for all your help, let me know if there are any further steps.

 

Cheers
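An added example (not from this thread and not FRST's own code): a small Python checker for a fixlog of the shape posted above. It splits the log into the CMD: sections FRST echoes and flags an `sc stop` whose reported STATE is still RUNNING, because `sc stop` prints the service status at the moment it sent the control request, so that line alone does not prove the service stopped; the sample log embedded below is constructed.

```python
import re
from typing import Dict, List, Optional

# Constructed sample in the layout FRST uses to echo each "CMD:" directive and its output
SAMPLE_FIXLOG = """\
=========  sc config WinDefend start= disabled =========
[SC] ChangeServiceConfig SUCCESS
========= End of CMD: =========
=========  sc stop WinDefend =========
SERVICE_NAME: WinDefend
        STATE              : 4  RUNNING
        WIN32_EXIT_CODE    : 0  (0x0)
========= End of CMD: =========
"""

CMD_HEADER = re.compile(r"^=+\s+(.+?)\s+=+$")          # "=========  <command> ========="
CMD_FOOTER = re.compile(r"^=+ End of CMD: =+$")
SC_STATE = re.compile(r"STATE\s*:\s*\d+\s+([A-Z_]+)")  # "STATE : 4  RUNNING"


def parse_cmd_sections(text: str) -> Dict[str, List[str]]:
    """Map each command FRST echoed to the non-blank output lines captured for it."""
    sections: Dict[str, List[str]] = {}
    current: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        header = CMD_HEADER.match(line)
        if CMD_FOOTER.match(line):
            current = None
        elif current is None and header:
            current = header.group(1)
            sections[current] = []
        elif current is not None and line:
            sections[current].append(line)
    return sections


def audit_fixlog(text: str) -> Dict[str, str]:
    """Verdict per command: 'ok', or what to re-check afterwards with 'sc query'."""
    verdicts: Dict[str, str] = {}
    for cmd, out in parse_cmd_sections(text).items():
        if cmd.startswith("sc config"):
            verdicts[cmd] = "ok" if any("SUCCESS" in l for l in out) else "check: no SUCCESS"
        elif cmd.startswith("sc stop"):
            # RUNNING here means the stop had not taken effect when FRST captured the output
            states = [m.group(1) for m in map(SC_STATE.search, out) if m]
            state = states[0] if states else "unknown"
            verdicts[cmd] = "ok" if state in ("STOPPED", "STOP_PENDING") else f"check: service {state}"
        else:
            verdicts[cmd] = "not audited"
    return verdicts
```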
 



#13 mAL_rEm018

mAL_rEm018

  • Malware Response Team
  • 311 posts
  • Gender:Male

Posted 08 February 2016 - 11:36 AM

Hello Joe Z,
 

My only concern is that ESET did find two items yet they're not reported in the above log and the Quarantine folder is empty.  I will run it again at some point to verify the items were removed if you think it is necessary.

There shouldn't be any items in the quarantine folder, since my instruction stated the following:


Make sure that the option Remove found threats is NOT checked

Can you run the scan again and this time copy/paste the scan results directly from your browser?

 

mAL




#14 Joe Z

Joe Z
  • Topic Starter

  • Members
  • 35 posts

Posted 08 February 2016 - 06:08 PM

Hi mAL,

 

I did run another scan before your last post, all is clear so apparently the threats found were removed at that time.  Everything seems to be working normally now.  Please let me know if there are any further steps.

 

Cheers



#15 mAL_rEm018

mAL_rEm018

  • Malware Response Team
  • 311 posts
  • Gender:Male

Posted 09 February 2016 - 01:47 AM

Hello Joe Z,
 

I did run another scan before your last post, all is clear so apparently the threats found were removed at that time.  Everything seems to be working normally now.

That's great!  Now for the good news..there are no more signs of malware on your computer :)  Please follow the steps below and then you'll be all set to go.

I noticed that your Firefox browser was outdated.  If you have not already done so, please follow the steps below to update it.

Update Firefox


  • Open Firefox.
  • Click on Help in the Menu Bar.
  • Select About Firefox.
  • When the update has finished downloading, click Restart Firefox to Update.
    Firefox should now be updated.  If you were unable to update FF, please let me know in your next post.

Let's remove the tools we have been using so far..

To remove Combofix..


  • Open the Start menu.
  • In the search box copy/paste or type the following:
    
    combofix /uninstall
    
    
  • Press Enter.

Next..



  • Please download Delfix to your desktop.
  • Right-click on delfix_1.011.exe and select Run as administrator.
  • Check the following boxes:
    • Remove disinfection tools
    • Purge system restore

  • You can now safely remove any tools and/or logs that may remain on your computer.

You should also read and get acquainted with the following topic: COMPUTER SECURITY - a short guide to staying safer online , which goes into depth on how to keep your computer secure.  I bookmarked it for easy reference and so should you.

If you have any questions please feel free to ask them, if not please let me know so that I can close this topic.

 






