Laptop unable to upgrade to Win 10 and unable to uninstall some items


  • This topic is locked
15 replies to this topic

#1 TheSentinel

  • Members
  • 42 posts

Posted 17 February 2016 - 03:08 PM

FRST logs... Let me know what to remove.

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version:17-02-2016
Ran by raul (administrator) on RGWORK (17-02-2016 11:42:04)
Running from C:\MalwareCleanup
Loaded Profiles: raul (Available Profiles: raul)
Platform: Windows 8.1 (X64) Language: English (United States)
Internet Explorer Version 11 (Default browser: Chrome)
Boot Mode: Normal
 
==================== Processes (Whitelisted) =================
 
(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)
 
(Softex Inc.) C:\Program Files\Hewlett-Packard\SimplePass\OmniServ.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RtkAudioService64.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe
(Microsoft Corporation) C:\Windows\System32\wlanext.exe
(Hewlett-Packard Development Company, L.P.) C:\Program Files (x86)\Hewlett-Packard\HP System Event\HPWMISVC.exe
(Microsoft Corporation) C:\Program Files\Windows Defender\MsMpEng.exe
(Microsoft Corporation) C:\Program Files\Windows Defender\NisSrv.exe
() C:\Program Files\Hewlett-Packard\SimplePass\opvapp.exe
(Intel Corporation) C:\Windows\System32\igfxsrvc.exe
(Intel Corporation) C:\Windows\System32\hkcmd.exe
(Intel Corporation) C:\Windows\System32\igfxpers.exe
(Microsoft Corporation) C:\Windows\System32\GWX\GWX.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe
(Hewlett-Packard) C:\Program Files\Hewlett-Packard\SimplePass\ClientCore.exe
(Hewlett-Packard) C:\Program Files\Hewlett-Packard\SimplePass\OPBHOBroker.exe
(Hewlett-Packard) C:\Program Files\Hewlett-Packard\SimplePass\OPBHOBrokerDsktop.exe
(CyberLink) C:\Program Files (x86)\CyberLink\Power2Go8\CLMLSvc_P2G8.exe
(CyberLink Corp.) C:\Program Files (x86)\CyberLink\YouCam\YouCamService.exe
(Hewlett-Packard Company) C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\HPSA_Service.exe
(Intel Corporation) C:\Program Files\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Microsoft Corporation) C:\Program Files\Windows Defender\MpCmdRun.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Hewlett-Packard Company) C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\HPSF.exe
(Microsoft Corporation) C:\Windows\Microsoft.NET\Framework64\v3.0\WPF\PresentationFontCache.exe
 
 
==================== Registry (Whitelisted) ===========================
 
(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)
 
HKLM\...\Run: [RTHDVCPL] => C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe [7510896 2014-01-13] (Realtek Semiconductor)
HKLM\...\Run: [SimplePass] => C:\Program Files\Hewlett-Packard\SimplePass\ClientCore.exe [3962936 2014-03-28] (Hewlett-Packard)
HKLM\...\Run: [OPBHOBroker] => C:\Program Files\Hewlett-Packard\SimplePass\OPBHOBroker.exe [415288 2014-03-28] (Hewlett-Packard)
HKLM\...\Run: [OPBHOBrokerDesktop] => C:\Program Files\Hewlett-Packard\SimplePass\OPBHOBrokerDsktop.exe [415288 2014-03-28] (Hewlett-Packard)
HKLM-x32\...\Run: [HPMessageService] => C:\Program Files (x86)\Hewlett-Packard\HP System Event\HPMSGSVC.exe [1045304 2013-10-08] (Hewlett-Packard Development Company, L.P.)
Winlogon\Notify\igfxcui: C:\Windows\system32\igfxdev.dll (Intel Corporation)
HKU\S-1-5-21-2824485615-429292516-596377084-1001\...\Run: [UpdateAdmin] => C:\Users\raul\AppData\Local\UpdateAdmin\UpdateAdmin.exe [225552 2014-10-16] (DownloadAdmin)
HKU\S-1-5-21-2824485615-429292516-596377084-1001\...\Run: [GoogleChromeAutoLaunch_46E8A4EF16A1739452B8EA76F8B63B05] => C:\Program Files (x86)\Google\Chrome\Application\chrome.exe [748872 2016-02-09] (Google Inc.)
HKU\S-1-5-21-2824485615-429292516-596377084-1001\...\MountPoints2: {6d01570b-8291-11e4-825c-3464a9c301ba} - "F:\VerizonWirelessUpgradeAssistantSetup.exe" -a
HKU\S-1-5-21-2824485615-429292516-596377084-1001\...\MountPoints2: {b8552450-9bef-11e5-827d-3464a9c301ba} - "G:\VerizonWirelessUpgradeAssistantSetup.exe" -a
AppInit_DLLs: C:\PROGRA~2\SearchProtect\SearchProtect\bin\VC64Loader.dll => C:\Program Files (x86)\SearchProtect\SearchProtect\bin\VC64Loader.dll [246080 2014-11-27] ()
AppInit_DLLs-x32: c:\progra~2\searchprotect\searchprotect\bin\vc32loader.dll => c:\Program Files (x86)\searchprotect\searchprotect\bin\vc32loader.dll [216896 2014-11-27] ()
IFEO\bbqleads.exe: [Debugger] TaskList.exe
IFEO\bbqleadsapplication.exe: [Debugger] TaskList.exe
IFEO\bbqleadsservice.exe: [Debugger] TaskList.exe
IFEO\bbqquotes.exe: [Debugger] TaskList.exe
IFEO\ContentExplorer.exe: [Debugger] TaskList.exe
IFEO\donutleads.exe: [Debugger] TaskList.exe
IFEO\donutquotes.exe: [Debugger] TaskList.exe
IFEO\internetenhancer.exe: [Debugger] TaskList.exe
IFEO\internetenhancerservice.exe: [Debugger] TaskList.exe
IFEO\pastaleads.exe: [Debugger] TaskList.exe
IFEO\pastaquotes.exe: [Debugger] TaskList.exe
IFEO\spyhunter.exe: [Debugger] TaskList.exe
IFEO\theanswerfinder.exe: [Debugger] TaskList.exe
IFEO\wajam.exe: [Debugger] TaskList.exe
IFEO\wajaminternetenhancer.exe: [Debugger] TaskList.exe
IFEO\WajamInternetEnhancerApp.exe: [Debugger] TaskList.exe
IFEO\WajamInternetEnhancerAppservice.exe: [Debugger] TaskList.exe
IFEO\wajaminternetenhancerservice.exe: [Debugger] TaskList.exe
 
==================== Internet (Whitelisted) ====================
 
(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)
 
ProxyEnable: [S-1-5-19] => Proxy is enabled.
ProxyServer: [S-1-5-19] => 127.0.0.1:5050
ProxyEnable: [S-1-5-20] => Proxy is enabled.
ProxyServer: [S-1-5-20] => 127.0.0.1:5050
ProxyServer: [S-1-5-21-2824485615-429292516-596377084-1001] => 127.0.0.1:5050
Tcpip\Parameters: [DhcpNameServer] 209.18.47.61 209.18.47.62
Tcpip\..\Interfaces\{32FCF7FD-F9E0-4620-8B80-422CE1C0A01B}: [DhcpNameServer] 209.18.47.61 209.18.47.62
Tcpip\..\Interfaces\{9253C592-D4CC-4765-8378-20E649167B55}: [DhcpNameServer] 209.18.47.61 209.18.47.62
 
Internet Explorer:
==================
HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Start Page = about:blank
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://g.msn.com/HPNOT14/1
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://g.msn.com/HPNOT14/1
HKU\S-1-5-21-2824485615-429292516-596377084-1001\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
HKU\S-1-5-21-2824485615-429292516-596377084-1001\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://g.msn.com/HPNOT14/1
SearchScopes: HKLM -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = hxxp://groovorio.com/results.php?f=4&q={searchTerms}&a=grv_tight3_14_33&cd=2XzuyEtN2Y1L1QzutAzz0BtC0D0BtD0CyDyEtBtDyC0CyCtDtN0D0Tzu0StCtDyByCtN1L2XzutAtFyCtFtCtDtFtCtN1L1Czu2Z1L1N1M2Z1VtCyE1VtCzztN1L1G1B1V1N2Y1L1Qzu2StAtAyB0C0A0EtA0AtGtB0AtA0BtGtA0FyCtBtGzztAtDtBtGyC0FtC0EyB0AyDzz0F0A0E0B2QtN1M1F1B2Z1V1N2Y1L1Qzu2SyCzyyDtCyB0C0AzztG0DtByE0EtGyEtByEtCtGzy0B0A0BtG0CyB0B0C0D0AyEtC0FyDyDyE2Q&cr=1837525749&ir=
SearchScopes: HKLM -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = hxxp://groovorio.com/results.php?f=4&q={searchTerms}&a=grv_tight3_14_33&cd=2XzuyEtN2Y1L1QzutAzz0BtC0D0BtD0CyDyEtBtDyC0CyCtDtN0D0Tzu0StCtDyByCtN1L2XzutAtFyCtFtCtDtFtCtN1L1Czu2Z1L1N1M2Z1VtCyE1VtCzztN1L1G1B1V1N2Y1L1Qzu2StAtAyB0C0A0EtA0AtGtB0AtA0BtGtA0FyCtBtGzztAtDtBtGyC0FtC0EyB0AyDzz0F0A0E0B2QtN1M1F1B2Z1V1N2Y1L1Qzu2SyCzyyDtCyB0C0AzztG0DtByE0EtGyEtByEtCtGzy0B0A0BtG0CyB0B0C0D0AyEtC0FyDyDyE2Q&cr=1837525749&ir=
SearchScopes: HKLM -> {2E00D31D-D171-423D-836D-1A4D7EA7F1A9} URL = 
SearchScopes: HKLM -> {7774025B-A05C-4A80-B026-A30BAB92BC83} URL = hxxp://www.amazon.com/s/ref=azs_osd_iea?ie=UTF-8&tag=hp-us2-vsb-20&link%5Fcode=qs&index=aps&field-keywords={searchTerms}
SearchScopes: HKLM -> {DC91FAFB-6CEA-49E5-BB74-9CEE75D09B77} URL = 
SearchScopes: HKLM-x32 -> {7774025B-A05C-4A80-B026-A30BAB92BC83} URL = hxxp://www.amazon.com/s/ref=azs_osd_iea?ie=UTF-8&tag=hp-us2-vsb-20&link%5Fcode=qs&index=aps&field-keywords={searchTerms}
SearchScopes: HKU\S-1-5-21-2824485615-429292516-596377084-1001 -> DefaultScope {014DB5FA-EAFB-4592-A95B-F44D3EE87FA9} URL = hxxp://astromenda.com/results.php?f=4&q={searchTerms}&a=irast&cd=2XzuyEtN2Y1L1QzutAzz0BtC0D0BtD0CyDyEtBtDyC0CyCtDtN0D0Tzu0StCtCzytCtN1L2XzutAtFyCtFtBtFtDtN1L1Czu0C0I0S0V0E0R1V1QtN1L1G1B1V1N2Y1L1Qzu2StC0BtCtCtC0CtCtDtGyB0C0AtAtGtBtAtB0AtGzy0EtDyCtGyD0AzytCzyzzzyyD0AtDyBtB2QtN1M1F1B2Z1V1N2Y1L1Qzu2SyCzyyDtCyB0C0AzztG0DtByE0EtGyEtByEtCtGzy0B0A0BtG0CyB0B0C0D0AyEtC0FyDyDyE2Q&cr=53455050&ir=
SearchScopes: HKU\S-1-5-21-2824485615-429292516-596377084-1001 -> {014DB5FA-EAFB-4592-A95B-F44D3EE87FA9} URL = hxxp://astromenda.com/results.php?f=4&q={searchTerms}&a=irast&cd=2XzuyEtN2Y1L1QzutAzz0BtC0D0BtD0CyDyEtBtDyC0CyCtDtN0D0Tzu0StCtCzytCtN1L2XzutAtFyCtFtBtFtDtN1L1Czu0C0I0S0V0E0R1V1QtN1L1G1B1V1N2Y1L1Qzu2StC0BtCtCtC0CtCtDtGyB0C0AtAtGtBtAtB0AtGzy0EtDyCtGyD0AzytCzyzzzyyD0AtDyBtB2QtN1M1F1B2Z1V1N2Y1L1Qzu2SyCzyyDtCyB0C0AzztG0DtByE0EtGyEtByEtCtGzy0B0A0BtG0CyB0B0C0D0AyEtC0FyDyDyE2Q&cr=53455050&ir=
SearchScopes: HKU\S-1-5-21-2824485615-429292516-596377084-1001 -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = hxxp://groovorio.com/results.php?f=4&q={searchTerms}&a=grv_tight3_14_33&cd=2XzuyEtN2Y1L1QzutAzz0BtC0D0BtD0CyDyEtBtDyC0CyCtDtN0D0Tzu0StCtDyByCtN1L2XzutAtFyCtFtCtDtFtCtN1L1Czu2Z1L1N1M2Z1VtCyE1VtCzztN1L1G1B1V1N2Y1L1Qzu2StAtAyB0C0A0EtA0AtGtB0AtA0BtGtA0FyCtBtGzztAtDtBtGyC0FtC0EyB0AyDzz0F0A0E0B2QtN1M1F1B2Z1V1N2Y1L1Qzu2SyCzyyDtCyB0C0AzztG0DtByE0EtGyEtByEtCtGzy0B0A0BtG0CyB0B0C0D0AyEtC0FyDyDyE2Q&cr=1837525749&ir=
SearchScopes: HKU\S-1-5-21-2824485615-429292516-596377084-1001 -> {2E00D31D-D171-423D-836D-1A4D7EA7F1A9} URL = hxxp://Vosteran.com/results.php?f=4&q={searchTerms}&a=vst_ggbg_nan_nan_ch&cd=2XzuyEtN2Y1L1QzutAzz0BtC0D0BtD0CyDyEtBtDyC0CyCtDtN0D0Tzu0StCtDyBzztN1L2XzutAtFyCtFtCtDtFtCtDtN1L1CzutCyEtBzytDyD1V1StN1L1G1B1V1N2Y1L1Qzu2SyE0EyEtCzyzz0CtAtGzzzzyCtBtG0C0F0AtCtGyEyD0AtBtGyD0D0FzzyE0CtDzytBtB0CyD2QtN1M1F1B2Z1V1N2Y1L1Qzu2SyCzyyDtCyB0C0AzztG0DtByE0EtGyEtByEtCtGzy0B0A0BtG0CyB0B0C0D0AyEtC0FyDyDyE2Q&cr=1963451034&ir=
SearchScopes: HKU\S-1-5-21-2824485615-429292516-596377084-1001 -> {7774025B-A05C-4A80-B026-A30BAB92BC83} URL = hxxp://www.amazon.com/s/ref=azs_osd_iea?ie=UTF-8&tag=hp-us2-vsb-20&link%5Fcode=qs&index=aps&field-keywords={searchTerms}
SearchScopes: HKU\S-1-5-21-2824485615-429292516-596377084-1001 -> {DC91FAFB-6CEA-49E5-BB74-9CEE75D09B77} URL = hxxp://www.trovi.com/Results.aspx?gd=&ctid=CT3333245&octid=EB_ORIGINAL_CTID&ISID=ME739EB96-F84B-4804-83D1-0D78A6A0684B&SearchSource=58&CUI=&UM=6&UP=SP92CC5790-4EE2-4E7A-A03F-BACFFB76C282&q={searchTerms}&SSPV=&SSPV=
BHO: HP Network Check Helper -> {E76FD755-C1BA-4DCB-9F13-99BD91223ADE} -> C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\Resources\HPNetworkCheck\HPNetworkCheckPluginx64.dll [2013-08-28] (Hewlett-Packard)
BHO-x32: HP Network Check Helper -> {E76FD755-C1BA-4DCB-9F13-99BD91223ADE} -> C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\Resources\HPNetworkCheck\HPNetworkCheckPlugin.dll [2013-08-28] (Hewlett-Packard)
StartMenuInternet: IEXPLORE.EXE - iexplore.exe
 
FireFox:
========
FF Plugin-x32: @adobe.com/ShockwavePlayer -> C:\windows\SysWOW64\Adobe\Director\np32dsw_1204144.dll [2013-09-05] (Adobe Systems, Inc.)
FF Plugin-x32: @microsoft.com/WLPG,version=16.4.3508.0205 -> C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll [2013-02-05] (Microsoft Corporation)
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.29.5\npGoogleUpdate3.dll [2016-02-12] (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.29.5\npGoogleUpdate3.dll [2016-02-12] (Google Inc.)
 
Chrome: 
=======
CHR HomePage: Default -> hxxp://www.trovi.com/?gd=&ctid=CT3333245&octid=EB_ORIGINAL_CTID&ISID=ME739EB96-F84B-4804-83D1-0D78A6A0684B&SearchSource=55&CUI=&UM=6&UP=SP92CC5790-4EE2-4E7A-A03F-BACFFB76C282&SSPV=&SSPV=
CHR StartupUrls: Default -> "hxxps://www.google.com/?gws_rd=ssl"
CHR Profile: C:\Users\raul\AppData\Local\Google\Chrome\User Data\Default
CHR Extension: (Google Slides) - C:\Users\raul\AppData\Local\Google\Chrome\User Data\Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek [2015-08-20]
CHR Extension: (Google Docs) - C:\Users\raul\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake [2015-08-20]
CHR Extension: (Google Drive) - C:\Users\raul\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2015-12-05]
CHR Extension: (YouTube) - C:\Users\raul\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2015-09-24]
CHR Extension: (Google Search) - C:\Users\raul\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf [2015-12-05]
CHR Extension: (Google Sheets) - C:\Users\raul\AppData\Local\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap [2015-08-20]
CHR Extension: (Google Docs Offline) - C:\Users\raul\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi [2015-12-05]
CHR Extension: (Google Play) - C:\Users\raul\AppData\Local\Google\Chrome\User Data\Default\Extensions\komhbcfkdcgmcdoenjcjheifdiabikfi [2015-08-10]
CHR Extension: (Chrome Web Store Payments) - C:\Users\raul\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2015-08-20]
CHR Extension: (Gmail) - C:\Users\raul\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2015-08-10]
CHR HKLM\...\Chrome\Extension: [blmchfpimpbbdmgpcieclabeafkljbhm] - hxxps://clients2.google.com/service/update2/crx
CHR HKLM\...\Chrome\Extension: [oilkkkefbalmbfppgjmgjoefbclebkce] - hxxps://clients2.google.com/service/update2/crx
CHR HKLM\...\Chrome\Extension: [pfkfdlcdbajamklbneflfbcmfgddmpae] - hxxps://clients2.google.com/service/update2/crx
CHR HKU\S-1-5-21-2824485615-429292516-596377084-1001\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [blmchfpimpbbdmgpcieclabeafkljbhm] - hxxps://clients2.google.com/service/update2/crx
CHR HKU\S-1-5-21-2824485615-429292516-596377084-1001\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [oilkkkefbalmbfppgjmgjoefbclebkce] - hxxps://clients2.google.com/service/update2/crx
CHR HKU\S-1-5-21-2824485615-429292516-596377084-1001\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [pfkfdlcdbajamklbneflfbcmfgddmpae] - hxxps://clients2.google.com/service/update2/crx
CHR HKLM-x32\...\Chrome\Extension: [blmchfpimpbbdmgpcieclabeafkljbhm] - hxxps://clients2.google.com/service/update2/crx
CHR HKLM-x32\...\Chrome\Extension: [dmidaiabaeipgkcooijbikmdcofhpakp] - hxxps://clients2.google.com/service/update2/crx
CHR HKLM-x32\...\Chrome\Extension: [oilkkkefbalmbfppgjmgjoefbclebkce] - hxxps://clients2.google.com/service/update2/crx
CHR HKLM-x32\...\Chrome\Extension: [pfkfdlcdbajamklbneflfbcmfgddmpae] - hxxps://clients2.google.com/service/update2/crx
 
==================== Services (Whitelisted) ========================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
S4 CltMngSvc; C:\Program Files (x86)\SearchProtect\Main\bin\CltMngSvc.exe [3312960 2014-11-27] () [File not signed]
S4 Diagnostics; C:\Program Files (x86)\Common Files\Diagnostics\node\service.exe [154624 2014-12-12] () [File not signed] <==== ATTENTION
R2 HPWMISVC; C:\Program Files (x86)\Hewlett-Packard\HP System Event\HPWMISVC.exe [1039160 2013-10-08] (Hewlett-Packard Development Company, L.P.)
R2 IAStorDataMgrSvc; C:\Program Files\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe [15720 2013-11-08] (Intel Corporation)
R2 omniserv; C:\Program Files\Hewlett-Packard\SimplePass\OmniServ.exe [88064 2014-03-28] (Softex Inc.) [File not signed]
S4 Proxy; C:\Program Files (x86)\Common Files\Diagnostics\node\service.exe [154624 2014-12-12] () [File not signed] <==== ATTENTION
R2 RtkAudioService; C:\Program Files\Realtek\Audio\HDA\RtkAudioService64.exe [290520 2014-01-08] (Realtek Semiconductor)
R3 WdNisSvc; C:\Program Files\Windows Defender\NisSrv.exe [366552 2015-07-07] (Microsoft Corporation)
R2 WinDefend; C:\Program Files\Windows Defender\MsMpEng.exe [23824 2015-07-07] (Microsoft Corporation)
 
===================== Drivers (Whitelisted) ==========================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
R1 CLVirtualDrive; C:\Windows\system32\DRIVERS\CLVirtualDrive.sys [91712 2013-03-05] (CyberLink)
S0 ebdrv; C:\Windows\System32\drivers\evbda.sys [3357024 2013-08-22] (Broadcom Corporation)
R3 MEIx64; C:\Windows\system32\DRIVERS\TeeDriverx64.sys [100312 2013-12-09] (Intel Corporation)
S3 RSP2STOR; C:\Windows\system32\DRIVERS\RtsP2Stor.sys [291544 2014-01-03] (Realtek Semiconductor Corp.)
R3 RTWlanE; C:\Windows\system32\DRIVERS\rtwlane.sys [3379416 2014-03-21] (Realtek Semiconductor Corporation                           )
S0 WdBoot; C:\Windows\System32\drivers\WdBoot.sys [44560 2015-07-07] (Microsoft Corporation)
R0 WdFilter; C:\Windows\System32\drivers\WdFilter.sys [270168 2015-07-07] (Microsoft Corporation)
R2 WdNisDrv; C:\Windows\System32\Drivers\WdNisDrv.sys [114520 2015-07-07] (Microsoft Corporation)
R3 WirelessButtonDriver; C:\Windows\System32\drivers\WirelessButtonDriver64.sys [20800 2013-07-22] (Hewlett-Packard Development Company, L.P.)
S3 SmbDrv; \SystemRoot\System32\drivers\Smb_driver_AMDASF.sys [X]
S3 SmbDrvI; \SystemRoot\system32\DRIVERS\Smb_driver_Intel.sys [X]
S1 wpnfd_1_10_0_2; system32\drivers\wpnfd_1_10_0_2.sys [X]
 
==================== NetSvcs (Whitelisted) ===================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
 
==================== One Month Created files and folders ========
 
(If an entry is included in the fixlist, the file/folder will be moved.)
 
2016-02-17 11:41 - 2016-02-17 11:42 - 00000000 ____D C:\FRST
2016-02-17 11:40 - 2016-02-17 11:42 - 00000000 ____D C:\MalwareCleanup
2016-02-12 17:09 - 2016-02-12 17:09 - 00000000 ____D C:\Windows\pss
2016-02-03 00:36 - 2016-02-03 00:36 - 07635472 _____ (Microsoft Corporation) C:\Users\raul\Downloads\GetWindows10-sds_____________.exe
2016-02-03 00:11 - 2016-02-03 00:11 - 00008925 _____ C:\Users\raul\.recently-used.xbel
2016-02-02 23:07 - 2016-02-03 00:12 - 00000000 ____D C:\Users\raul\Desktop\Aztec
2016-02-02 23:00 - 2016-02-02 23:00 - 00000377 _____ C:\Users\raul\Desktop\aztecs.txt
2016-02-02 22:59 - 2016-02-02 22:59 - 00000000 ____D C:\Users\raul\AppData\LocalLow\Oracle
2016-02-02 22:58 - 2016-02-02 22:58 - 00643168 _____ (Oracle Corporation) C:\Users\raul\Downloads\chromeinstall-8u71.exe
2016-02-02 22:10 - 2016-02-02 22:24 - 00006832 _____ C:\Users\raul\Desktop\Nopales.txt
2016-01-25 21:54 - 2016-01-25 21:54 - 00002249 _____ C:\Users\raul\Downloads\Construction Projects  (1).txt
2016-01-25 19:00 - 2016-01-25 19:00 - 00002249 _____ C:\Users\raul\Downloads\Construction Projects .txt
2016-01-25 18:49 - 2016-01-25 18:49 - 00002249 _____ C:\Users\raul\Desktop\Construction Projects .txt
 
==================== One Month Modified files and folders ========
 
(If an entry is included in the fixlist, the file/folder will be moved.)
 
2016-02-17 11:40 - 2014-12-12 18:09 - 00003914 _____ C:\Windows\System32\Tasks\User_Feed_Synchronization-{07866822-6593-4D7D-A63E-F04FF1F3FBB1}
2016-02-12 19:11 - 2014-12-12 22:41 - 00003596 _____ C:\Windows\System32\Tasks\Optimize Start Menu Cache Files-S-1-5-21-2824485615-429292516-596377084-1001
2016-02-12 18:53 - 2014-12-12 22:38 - 00000000 ____D C:\Users\raul\Documents\Youcam
2016-02-12 18:51 - 2015-08-20 22:54 - 00000916 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2016-02-12 18:51 - 2014-09-24 19:21 - 00000000 ____D C:\ProgramData\McAfee
2016-02-12 18:51 - 2014-09-24 19:21 - 00000000 ____D C:\Program Files\Common Files\mcafee
2016-02-12 18:51 - 2014-09-24 19:21 - 00000000 ____D C:\Program Files (x86)\McAfee
2016-02-12 18:50 - 2013-08-22 06:45 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2016-02-12 18:48 - 2014-04-24 18:16 - 00000000 ___RD C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Security and Protection
2016-02-12 18:48 - 2013-08-22 07:36 - 00000000 ___HD C:\Windows\ELAMBKUP
2016-02-12 18:45 - 2015-04-06 10:44 - 00000302 _____ C:\Windows\Tasks\WSE_Astromenda.job
2016-02-12 18:40 - 2015-08-20 22:56 - 00002192 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome.lnk
2016-02-12 18:40 - 2015-08-20 22:56 - 00002163 _____ C:\Users\Public\Desktop\Google Chrome.lnk
2016-02-12 18:40 - 2015-08-20 22:54 - 00000920 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2016-02-12 18:34 - 2013-08-22 07:36 - 00000000 ____D C:\Windows\system32\NDF
2016-02-12 18:32 - 2013-08-22 05:36 - 00000000 ____D C:\Windows\Inf
2016-02-12 18:27 - 2015-08-20 22:54 - 00003892 _____ C:\Windows\System32\Tasks\GoogleUpdateTaskMachineUA
2016-02-12 18:27 - 2015-08-20 22:54 - 00003656 _____ C:\Windows\System32\Tasks\GoogleUpdateTaskMachineCore
2016-02-12 17:09 - 2013-08-22 05:25 - 00262144 ___SH C:\Windows\system32\config\BBI
2016-02-12 17:02 - 2013-08-22 05:25 - 00262144 ___SH C:\Windows\system32\config\ELAM
2016-02-12 16:57 - 2015-08-05 19:57 - 00000000 ____D C:\Users\raul\AppData\Local\pinger.com
2016-02-12 16:57 - 2014-04-24 18:18 - 00000000 ___RD C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Communication and Chat
2016-02-03 00:12 - 2015-01-09 04:06 - 00000000 ____D C:\Users\raul\.gimp-2.6
2016-02-03 00:11 - 2015-01-09 04:26 - 00000000 ____D C:\Users\raul\AppData\Roaming\gtk-2.0
2016-02-03 00:11 - 2014-12-12 22:36 - 00000000 ____D C:\Users\raul
2016-02-02 21:05 - 2015-04-24 00:30 - 00116224 ___SH C:\Users\raul\Desktop\Thumbs.db
2016-02-02 21:05 - 2013-08-22 07:36 - 00000000 ____D C:\Windows\AppReadiness
2016-02-02 21:04 - 2013-08-22 07:36 - 00000000 ___HD C:\Program Files\WindowsApps
2016-01-25 22:31 - 2015-09-10 16:50 - 00000000 ____D C:\Users\raul\Desktop\Faceb
2016-01-25 18:50 - 2015-10-05 16:46 - 00096256 ___SH C:\Users\raul\Downloads\Thumbs.db
2016-01-25 18:31 - 2015-08-16 13:43 - 00000000 ____D C:\Users\raul\Desktop\anahuc
2016-01-25 18:30 - 2015-09-10 16:48 - 00000000 ____D C:\Users\raul\Desktop\Camera 1
 
==================== Files in the root of some directories =======
 
2015-04-23 15:44 - 2015-08-31 17:44 - 0000202 _____ () C:\Users\raul\AppData\Roaming\WB.CFG
2014-12-12 21:05 - 2014-12-12 21:05 - 0000064 _____ () C:\Users\raul\AppData\Local\9cc4c62492ded345cb7c97c269516d87
2015-05-10 15:44 - 2015-05-10 15:44 - 0000010 _____ () C:\Users\raul\AppData\Local\DSI.DAT
2015-08-05 19:09 - 2015-08-05 19:09 - 0613255 _____ (CMI Limited) C:\Users\raul\AppData\Local\nsi7775.tmp
2015-08-05 19:35 - 2015-08-05 19:34 - 0613255 _____ (CMI Limited) C:\Users\raul\AppData\Local\nsoFC7.tmp
2015-08-05 23:57 - 2015-08-05 23:56 - 0613255 _____ (CMI Limited) C:\Users\raul\AppData\Local\nsp9310.tmp
 
Some files in TEMP:
====================
C:\Users\raul\AppData\Local\Temp\0264121455331554mcinst.exe
C:\Users\raul\AppData\Local\Temp\ASTStubSetup.exe
C:\Users\raul\AppData\Local\Temp\ConsumerInputSetup.exe
C:\Users\raul\AppData\Local\Temp\Extract.exe
C:\Users\raul\AppData\Local\Temp\ICReinstall_DownloadManagerSetup.exe
C:\Users\raul\AppData\Local\Temp\install_temp.exe
C:\Users\raul\AppData\Local\Temp\nslCC.exe
C:\Users\raul\AppData\Local\Temp\optprosetup.exe
 
 
==================== Bamital & volsnap =================
 
(There is no automatic fix for files that do not pass verification.)
 
C:\Windows\system32\winlogon.exe => File is digitally signed
C:\Windows\system32\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\system32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\system32\services.exe => File is digitally signed
C:\Windows\system32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\system32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\system32\rpcss.dll => File is digitally signed
C:\Windows\system32\dnsapi.dll => File is digitally signed
C:\Windows\SysWOW64\dnsapi.dll => File is digitally signed
C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed
 
 
LastRegBack: 2016-02-12 17:26
 
==================== End of FRST.txt ============================
 
 
Additional scan result of Farbar Recovery Scan Tool (x64) Version:17-02-2016
Ran by raul (2016-02-17 11:44:47)
Running from C:\MalwareCleanup
Windows 8.1 (X64) (2014-12-13 06:35:55)
Boot Mode: Normal
==========================================================
 
 
==================== Accounts: =============================
 
Administrator (S-1-5-21-2824485615-429292516-596377084-500 - Administrator - Disabled)
Guest (S-1-5-21-2824485615-429292516-596377084-501 - Limited - Disabled)
HomeGroupUser$ (S-1-5-21-2824485615-429292516-596377084-1003 - Limited - Enabled)
raul (S-1-5-21-2824485615-429292516-596377084-1001 - Administrator - Enabled) => C:\Users\raul
 
==================== Security Center ========================
 
(If an entry is included in the fixlist, it will be removed.)
 
AV: Windows Defender (Enabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
AS: Windows Defender (Enabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
 
==================== Installed Programs ======================
 
(Only the adware programs with "Hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)
 
7-Zip 9.20 (x64 edition) (HKLM\...\{23170F69-40C1-2702-0920-000001000000}) (Version: 9.20.00.0 - Igor Pavlov)
Adobe Shockwave Player 12.0 (HKLM-x32\...\Adobe Shockwave Player) (Version: 12.0.4.144 - Adobe Systems, Inc.)
Apple Software Update (HKLM-x32\...\{789A5B64-9DD9-4BA5-915A-F0FC0A1B7BFE}) (Version: 2.1.3.127 - Apple Inc.)
Cache utility (HKU\.DEFAULT\...\Cache utility) (Version: 1 - Cache utility)
Canon MX420 series MP Drivers (HKLM\...\{1199FAD5-9546-44f3-81CF-FFDB8040B7BF}_Canon_MX420_series) (Version:  - )
Cisco EAP-FAST Module (HKLM-x32\...\{64BF0187-F3D2-498B-99EA-163AF9AE6EC9}) (Version: 2.2.14 - Cisco Systems, Inc.)
Cisco LEAP Module (HKLM-x32\...\{AF312B06-5C5C-468E-89B3-BE6DE2645722}) (Version: 1.0.19 - Cisco Systems, Inc.)
Cisco PEAP Module (HKLM-x32\...\{0A4EF0E6-A912-4CDE-A7F3-6E56E7C13A2F}) (Version: 1.1.6 - Cisco Systems, Inc.)
CyberLink LabelPrint (HKLM-x32\...\InstallShield_{C59C179C-668D-49A9-B6EA-0121CCFC1243}) (Version: 2.5.5.6902 - CyberLink Corp.)
CyberLink Media Suite 10 (HKLM-x32\...\InstallShield_{1FBF6C24-C1fD-4101-A42B-0C564F9E8E79}) (Version: 10.0.5.3303 - CyberLink Corp.)
CyberLink Power2Go 8 (HKLM-x32\...\InstallShield_{2A87D48D-3FDF-41fd-97CD-A1E370EFFFE2}) (Version: 8.0.5.3416 - CyberLink Corp.)
CyberLink PowerDVD 12 (HKLM-x32\...\InstallShield_{B46BEA36-0B71-4A4E-AE41-87241643FA0A}) (Version: 12.0.3.3709 - CyberLink Corp.)
CyberLink YouCam (HKLM-x32\...\InstallShield_{01FB4998-33C4-4431-85ED-079E3EEFE75D}) (Version: 5.0.3.3907 - CyberLink Corp.)
D3DX10 (x32 Version: 15.4.2368.0902 - Microsoft) Hidden
DealAlly (HKU\.DEFAULT\...\DealAlly) (Version: 1 - Jet Applications)
DisableMSDefender (Version: 1.0.0 - Hewlett-Packard Company) Hidden
Display settings (HKU\.DEFAULT\...\Display settings) (Version: 1 - Display settings)
Energy Star (HKLM\...\{465CA2B6-98AF-4E77-BE22-A908C34BB9EC}) (Version: 1.0.9 - Hewlett-Packard Company)
GIMP 2.6.10 (HKLM-x32\...\WinGimp-2.0_is1) (Version: 2.6.10 - The GIMP Team)
Google Chrome (HKLM-x32\...\Google Chrome) (Version: 48.0.2564.109 - Google Inc.)
Google Chrome Packages (HKU\S-1-5-21-2824485615-429292516-596377084-1001\...\Google Chrome Packages) (Version:  - ) <==== ATTENTION
Google Update Helper (x32 Version: 1.3.29.5 - Google Inc.) Hidden
Hewlett-Packard ACLM.NET v1.2.2.3 (x32 Version: 1.00.0000 - Hewlett-Packard Company) Hidden
Hoist Search (HKU\.DEFAULT\...\Hoist Search) (Version: 1 - Hoist Search)
HP Documentation (HKLM-x32\...\{F29E3AA8-CF19-4452-92B7-F1FE31CD11C5}) (Version: 1.1.0.0 - Hewlett-Packard)
HP Registration Service (HKLM\...\{D1E8F2D7-7794-4245-B286-87ED86C1893C}) (Version: 1.2.7372.4698 - Hewlett-Packard)
HP SimplePass (HKLM-x32\...\InstallShield_{314FAD12-F785-4471-BCE8-AB506642B9A1}) (Version: 8.01.11 - Hewlett-Packard)
HP Support Assistant (HKLM-x32\...\{8C696B4B-6AB1-44BC-9416-96EAC474CABE}) (Version: 7.5.2.12 - Hewlett-Packard Company)
HP System Event Utility (HKLM-x32\...\{C78E8F51-3EAD-4F0C-83F0-EF371075E0B4}) (Version: 1.0.10 - Hewlett-Packard Company)
HP Utility Center (HKLM\...\{891A1782-8B20-4403-8383-458962525926}) (Version: 2.3.4 - Hewlett-Packard Company)
HP Wireless Button Driver (HKLM-x32\...\{30B2D1D8-0A07-4B71-9553-0710C5D31E35}) (Version: 1.1.2.1 - Hewlett-Packard Company)
Inst5675 (Version: 8.01.11 - Softex Inc.) Hidden
Inst5676 (Version: 8.01.11 - Softex Inc.) Hidden
Intel® Management Engine Components (HKLM-x32\...\{65153EA5-8B6E-43B6-857B-C6E4FC25798A}) (Version: 9.5.24.1790 - Intel Corporation)
Intel® Processor Graphics (HKLM-x32\...\{F0E3AD40-2BBD-4360-9C76-B9AC9A5886EA}) (Version: 10.18.10.3368 - Intel Corporation)
Intel® Rapid Storage Technology (HKLM\...\{409CB30E-E457-4008-9B1A-ED1B9EA21140}) (Version: 12.8.9.1000 - Intel Corporation)
Microsoft Office (HKLM-x32\...\{90150000-0138-0409-0000-0000000FF1CE}) (Version: 15.0.4569.1506 - Microsoft Corporation)
Microsoft SQL Server 2005 Compact Edition [ENU] (HKLM-x32\...\{F0B430D1-B6AA-473D-9B06-AA3DD01FD0B8}) (Version: 3.1.0000 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (HKLM-x32\...\{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}) (Version: 8.0.61001 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (HKLM-x32\...\{837b34e3-7c30-493c-8f6a-2b0f04e2912c}) (Version: 8.0.59193 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17 (HKLM-x32\...\{9A25302D-30C0-39D9-BD6F-21E6EC160475}) (Version: 9.0.30729 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148 (HKLM-x32\...\{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}) (Version: 9.0.30729.4148 - Microsoft Corporation)
Microsoft Visual C++ 2010  x64 Redistributable - 10.0.40219 (HKLM\...\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}) (Version: 10.0.40219 - Microsoft Corporation)
Microsoft Visual C++ 2010  x86 Redistributable - 10.0.40219 (HKLM-x32\...\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}) (Version: 10.0.40219 - Microsoft Corporation)
Movie Maker (x32 Version: 16.4.3508.0205 - Microsoft Corporation) Hidden
Realtek Card Reader (HKLM-x32\...\{5BC2B5AB-80DE-4E83-B8CF-426902051D0A}) (Version: 6.3.9600.29075 - Realtek Semiconductor Corp.)
Realtek Ethernet Controller All-In-One Windows Driver (HKLM-x32\...\{F7E7F0CB-AA41-4D5A-B6F2-8E6738EB063F}) (Version: 8.24.1218.2013 - Realtek)
Realtek High Definition Audio Driver (HKLM-x32\...\{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}) (Version: 6.0.1.7156 - Realtek Semiconductor Corp.)
REALTEK Wireless LAN Driver (HKLM-x32\...\{A5107464-AA9B-4177-8129-5FF2F42DD322}) (Version: 1.00.13.1216 - REALTEK Semiconductor Corp.)
Search Protect (HKLM-x32\...\SearchProtect) (Version: 2.19.0.260 - Client Connect LTD) <==== ATTENTION
swMSM (x32 Version: 12.0.0.1 - Adobe Systems, Inc) Hidden
UpdateAdmin (HKLM-x32\...\{07B4B423-E4DA-47D1-8327-B589EB4BEB58}) (Version: 2.0.1885 - DownloadAdmin) <==== ATTENTION
Windows Live Essentials (HKLM-x32\...\WinLiveSuite) (Version: 16.4.3508.0205 - Microsoft Corporation)
 
==================== Custom CLSID (Whitelisted): ==========================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
 
==================== Scheduled Tasks (Whitelisted) =============
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
Task: {064BB8B3-B144-4139-BCE8-9C7538F8A171} - System32\Tasks\UpdateAdmin => C:\Users\raul\AppData\Local\UpdateAdmin\UpdateAdmin.exe [2014-10-16] (DownloadAdmin) <==== ATTENTION
Task: {1060EF70-5679-428C-A092-E0E94DA11315} - System32\Tasks\Apple\AppleSoftwareUpdate => C:\Program Files (x86)\Apple Software Update\SoftwareUpdate.exe [2011-06-01] (Apple Inc.)
Task: {31B56FE9-7370-4373-B52D-7B250413B39B} - System32\Tasks\GoogleUpdateTaskMachineUA => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2015-08-20] (Google Inc.)
Task: {35853887-E74E-429C-8E41-D7740F22603D} - System32\Tasks\Hewlett-Packard\HP Support Assistant\Update Check => C:\ProgramData\Hewlett-Packard\HP Support Framework\Resources\Updater7\HPSFUpdater.exe [2015-11-30] (Hewlett-Packard)
Task: {517EB82D-1AF1-4F98-B0C7-7627C442FC36} - System32\Tasks\Hewlett-Packard\HP Support Assistant\HP Support Assistant Quick Start => C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\HPSF.exe [2014-01-13] (Hewlett-Packard Company)
Task: {5DC1681F-C6C7-4C1D-99FF-E6E32DF7D4D1} - System32\Tasks\Hewlett-Packard\HP Support Assistant\WarrantyChecker_DeviceScan => C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\Resources\HPWarrantyCheck\HPWarrantyChecker.exe [2016-01-06] (HP Inc.)
Task: {5EA2128C-943A-418C-9BC8-E91DF9D05D09} - System32\Tasks\TidyNetwork Update => C:\Users\raul\AppData\Local\TidyNetwork\petnupdate.exe
Task: {5EF217F5-CDC3-4446-B0EC-5A4D9B432192} - System32\Tasks\CLVDLauncher => C:\Program Files (x86)\CyberLink\Power2Go8\CLVDLauncher.exe [2013-03-12] (CyberLink Corp.)
Task: {61F6EF9E-1144-4168-A8DE-6BB27A8B8335} - System32\Tasks\WSE_Astromenda => C:\Users\raul\AppData\Roaming\WSE_Astromenda\UpdateProc\UpdateTask.exe [2015-04-06] () <==== ATTENTION
Task: {736AA325-795D-425D-9A5D-89C431D9D40C} - System32\Tasks\Synaptics TouchPad Enhancements => C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
Task: {7807D034-533B-4098-AA29-0CB03E58C259} - System32\Tasks\GoogleUpdateTaskMachineCore => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2015-08-20] (Google Inc.)
Task: {8174CF1F-2283-4FD8-AF8D-93312BBFE7F3} - System32\Tasks\Hewlett-Packard\HP Support Assistant\PC Health Analysis => C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\HPSF.exe [2014-01-13] (Hewlett-Packard Company)
Task: {888506AF-57D7-41AB-93C0-84B698BFC36A} - System32\Tasks\YCMServiceAgent => C:\Program Files (x86)\CyberLink\YouCam\YouCamService.exe [2014-03-07] (CyberLink Corp.)
Task: {A86CFD37-D17B-4086-B79B-F6813F760AA9} - System32\Tasks\Hewlett-Packard\HP Support Assistant\WarrantyChecker_backup => C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\Resources\HPWarrantyCheck\HPWarrantyChecker.exe [2016-01-06] (HP Inc.)
Task: {C224FEEE-707B-4F1C-8284-4A307959F0B1} - System32\Tasks\CLMLSvc_P2G8 => C:\Program Files (x86)\CyberLink\Power2Go8\CLMLSvc_P2G8.exe [2013-08-04] (CyberLink)
Task: {D0536895-D9BC-46F2-9956-0A085C80FE78} - System32\Tasks\RunTool => C:\Users\raul\AppData\Local\Temp\install_temp.exe [2015-03-09] () <==== ATTENTION
Task: {D342B024-9569-4719-AD91-6EDBE5B16910} - System32\Tasks\Hewlett-Packard\HP Support Assistant\Critical Actions Pending => C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\HPSF.exe [2014-01-13] (Hewlett-Packard Company)
 
(If an entry is included in the fixlist, the task (.job) file will be moved. The file which is running by the task will not be moved.)
 
Task: C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
Task: C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
Task: C:\Windows\Tasks\WSE_Astromenda.job => C:\Users\raul\AppData\Roaming\WSE_AS~1\UPDATE~1\UPDATE~1.EXE <==== ATTENTION
 
==================== Shortcuts =============================
 
(The entries could be listed to be restored or removed.)
 
==================== Loaded Modules (Whitelisted) ==============
 
2014-03-28 12:31 - 2014-03-28 12:31 - 02110464 _____ () C:\Program Files\Hewlett-Packard\SimplePass\autheng.dll
2014-03-28 12:27 - 2014-03-28 12:27 - 00021504 _____ () C:\Program Files\Hewlett-Packard\SimplePass\cryptodll.dll
2014-03-28 12:27 - 2014-03-28 12:27 - 00035328 _____ () C:\Program Files\Hewlett-Packard\SimplePass\ssplogon.dll
2014-03-28 12:27 - 2014-03-28 12:27 - 00055296 _____ () C:\Program Files\Hewlett-Packard\SimplePass\RandomPass.dll
2014-03-28 12:48 - 2014-03-28 12:48 - 00367504 _____ () C:\Program Files\Hewlett-Packard\SimplePass\mstrpwd.dll
2014-03-28 12:48 - 2014-03-28 12:48 - 00712080 _____ () C:\Program Files\Hewlett-Packard\SimplePass\GraphicalPwd.dll
2014-03-28 12:36 - 2014-03-28 12:36 - 00065024 _____ () C:\Program Files\Hewlett-Packard\SimplePass\opvapp.exe
2014-09-24 19:29 - 2013-08-04 23:49 - 00627672 _____ () C:\Program Files (x86)\CyberLink\Power2Go8\CLMediaLibrary.dll
2013-08-05 14:48 - 2013-08-05 14:48 - 00016856 _____ () C:\Program Files (x86)\CyberLink\Power2Go8\CLMLSvcPS.dll
2016-02-12 18:40 - 2016-02-09 03:58 - 01632584 _____ () C:\Program Files (x86)\Google\Chrome\Application\48.0.2564.109\libglesv2.dll
2016-02-12 18:40 - 2016-02-09 03:58 - 00087880 _____ () C:\Program Files (x86)\Google\Chrome\Application\48.0.2564.109\libegl.dll
 
==================== Alternate Data Streams (Whitelisted) =========
 
(If an entry is included in the fixlist, only the ADS will be removed.)
 
 
==================== Safe Mode (Whitelisted) ===================
 
(If an entry is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.)
 
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcpltsvc => ""=""
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\mcpltsvc => ""=""
 
==================== EXE Association (Whitelisted) ===============
 
(If an entry is included in the fixlist, the registry item will be restored to default or removed.)
 
 
==================== Internet Explorer trusted/restricted ===============
 
(If an entry is included in the fixlist, it will be removed from the registry.)
 
 
==================== Hosts content: ===============================
 
(If needed Hosts: directive could be included in the fixlist to reset Hosts.)
 
2013-08-22 05:25 - 2013-08-22 05:25 - 00000824 ____A C:\Windows\system32\Drivers\etc\hosts
 
 
==================== Other Areas ============================
 
(Currently there is no automatic fix for this section.)
 
HKU\S-1-5-21-2824485615-429292516-596377084-1001\Control Panel\Desktop\\Wallpaper -> C:\Windows\Web\Wallpaper\Hewlett-Packard Backgrounds\Birth_Of_An_Idea.jpg
DNS Servers: 209.18.47.61 - 209.18.47.62
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System => (ConsentPromptBehaviorAdmin: 5) (ConsentPromptBehaviorUser: 3) (EnableLUA: 1)
Windows Firewall is enabled.
 
==================== MSCONFIG/TASK MANAGER disabled items ==
 
(Currently there is no automatic fix for this section.)
 
MSCONFIG\Services: AERTFilters => 2
MSCONFIG\Services: Diagnostics => 2
MSCONFIG\Services: PremierOpinion => 2
MSCONFIG\Services: Proxy => 2
HKU\S-1-5-21-2824485615-429292516-596377084-1001\...\StartupApproved\Run: => "UpdateAdmin"
 
==================== FirewallRules (Whitelisted) ===============
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
FirewallRules: [vm-monitoring-nb-session] => (Allow) LPort=139
FirewallRules: [{48E95D83-9B8B-414B-A9A7-2AFD0BA50208}] => (Allow) C:\Program Files (x86)\Windows Live\Contacts\wlcomm.exe
FirewallRules: [{F82BB814-FD51-4987-A33F-250BD832B780}] => (Allow) LPort=2869
FirewallRules: [{819306FA-D122-44F5-A748-CC1307C44A50}] => (Allow) LPort=1900
FirewallRules: [{39A1ADEB-E689-48B8-B6C5-CEE805A1C261}] => (Allow) C:\Program Files\Bonjour\mDNSResponder.exe
FirewallRules: [{13E2E41F-3891-49A4-B45F-D1E54B45DDF6}] => (Allow) C:\Program Files\Bonjour\mDNSResponder.exe
FirewallRules: [{A72B3E1E-61C0-44D5-9700-791E88703C1A}] => (Allow) C:\Program Files (x86)\Bonjour\mDNSResponder.exe
FirewallRules: [{C53AEBE0-C524-40B5-96DF-99B331F079B4}] => (Allow) C:\Program Files (x86)\Bonjour\mDNSResponder.exe
FirewallRules: [{C91EC5A9-D4B6-494C-84F8-6D30DE7E8895}] => (Allow) C:\Program Files\Common Files\mcafee\platform\McSvcHost\McSvHost.exe
FirewallRules: [{B7A6B4B3-8689-463E-9AD5-D20086D5C264}] => (Allow) C:\Program Files\Common Files\mcafee\platform\McSvcHost\McSvHost.exe
FirewallRules: [{C55804AF-2907-4D60-BC13-DFA5004374E7}] => (Allow) C:\Program Files (x86)\CyberLink\PowerDVD12\PowerDVD12.exe
FirewallRules: [{53FD61A7-B884-4116-BD3A-D1D4942A42F1}] => (Allow) C:\Program Files (x86)\CyberLink\PowerDVD12\Kernel\DMR\PowerDVD12DMREngine.exe
FirewallRules: [{0F1F9BE9-10FB-4D76-B43A-C94B57326911}] => (Allow) C:\Program Files (x86)\CyberLink\PowerDVD12\Kernel\DMS\CLMSServerPDVD12.exe
FirewallRules: [{DB47607F-759B-4991-AED5-55271A09481B}] => (Allow) C:\Program Files (x86)\CyberLink\PowerDVD12\PowerDVD12Agent.exe
FirewallRules: [{D306B521-29A4-4CBE-8D38-CAC9A5B90BA2}] => (Allow) C:\Program Files (x86)\CyberLink\PowerDVD12\PowerDVD12ML.exe
FirewallRules: [{3D8E8FA8-E851-401D-80ED-37195285E03E}] => (Allow) C:\Program Files (x86)\CyberLink\PowerDVD12\Movie\PowerDVD.exe
FirewallRules: [{3ED03F11-3BFA-4CAE-BB4C-FC463EDEFCA7}] => (Allow) C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\Resources\HPWarrantyCheck\HPDeviceDetection3.exe
FirewallRules: [{13F87A1E-5CA4-45A5-8BD7-DCFEDC0D5385}] => (Allow) C:\Program Files (x86)\PremierOpinion\pmropn.exe
FirewallRules: [{4F1FB276-0EA5-4326-9A2A-B903F587FED0}] => (Allow) C:\Program Files (x86)\PremierOpinion\pmropn.exe
FirewallRules: [{B318E56D-4BEC-464E-85CE-5BB07B38E9C9}] => (Allow) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
 
==================== Restore Points =========================
 
08-09-2015 20:30:36 Scheduled Checkpoint
25-01-2016 19:19:33 Scheduled Checkpoint
12-02-2016 16:55:41 Removed Pinger
 
==================== Faulty Device Manager Devices =============
 
 
==================== Event log errors: =========================
 
Application errors:
==================
Error: (02/12/2016 05:09:18 PM) (Source: Microsoft-Windows-LocationProvider) (EventID: 2006) (User: NT AUTHORITY)
Description: There was an error with the Windows Location Provider database
 
Error: (02/12/2016 04:54:43 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: pmropn.exe, version: 1.3.337.354, time stamp: 0x55ae6e77
Faulting module name: pmropn.exe, version: 1.3.337.354, time stamp: 0x55ae6e77
Exception code: 0xc0000005
Fault offset: 0x0009bf0a
Faulting process id: 0x1494
Faulting application start time: 0xpmropn.exe0
Faulting application path: pmropn.exe1
Faulting module path: pmropn.exe2
Report Id: pmropn.exe3
Faulting package full name: pmropn.exe4
Faulting package-relative application ID: pmropn.exe5
 
Error: (02/02/2016 09:10:09 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: McSvHost.exe, version: 3.8.703.0, time stamp: 0x51f7deae
Faulting module name: ntdll.dll, version: 6.3.9600.17936, time stamp: 0x55a68e0c
Exception code: 0xc0000005
Fault offset: 0x000000000003d86e
Faulting process id: 0x898
Faulting application start time: 0xMcSvHost.exe0
Faulting application path: McSvHost.exe1
Faulting module path: McSvHost.exe2
Report Id: McSvHost.exe3
Faulting package full name: McSvHost.exe4
Faulting package-relative application ID: McSvHost.exe5
 
Error: (02/02/2016 09:06:00 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: pmropn.exe, version: 1.3.337.354, time stamp: 0x55ae6e77
Faulting module name: pmropn.exe, version: 1.3.337.354, time stamp: 0x55ae6e77
Exception code: 0xc0000005
Fault offset: 0x0009bf0a
Faulting process id: 0x272c
Faulting application start time: 0xpmropn.exe0
Faulting application path: pmropn.exe1
Faulting module path: pmropn.exe2
Report Id: pmropn.exe3
Faulting package full name: pmropn.exe4
Faulting package-relative application ID: pmropn.exe5
 
Error: (01/25/2016 06:21:16 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: TabTip.exe, version: 6.3.9600.17415, time stamp: 0x54503e22
Faulting module name: pmls64.dll_unloaded, version: 4.0.20.46, time stamp: 0x54f793bd
Exception code: 0xc0000005
Fault offset: 0x000000000007986d
Faulting process id: 0x17a0
Faulting application start time: 0xTabTip.exe0
Faulting application path: TabTip.exe1
Faulting module path: TabTip.exe2
Report Id: TabTip.exe3
Faulting package full name: TabTip.exe4
Faulting package-relative application ID: TabTip.exe5
 
Error: (12/19/2015 12:18:41 PM) (Source: Application Hang) (EventID: 1002) (User: )
Description: The program Explorer.EXE version 6.3.9600.17667 stopped interacting with Windows and was closed. To see if more information about the problem is available, check the problem history in the Action Center control panel.
 
Process ID: 1244
 
Start Time: 01d13a974b193e50
 
Termination Time: 0
 
Application Path: C:\Windows\Explorer.EXE
 
Report Id: 82b342e0-a68c-11e5-827d-3464a9c301ba
 
Faulting package full name: 
 
Faulting package-relative application ID:
 
Error: (10/05/2015 03:21:47 PM) (Source: Microsoft-Windows-Immersive-Shell) (EventID: 5973) (User: RGwork)
Description: Activation of app Microsoft.BingFinance_8wekyb3d8bbwe!AppexFinance failed with error: -2144927142 See the Microsoft-Windows-TWinUI/Operational log for additional information.
 
Error: (10/05/2015 03:21:47 PM) (Source: Application Hang) (EventID: 1002) (User: )
Description: The program wwahost.exe version 6.3.9600.17415 stopped interacting with Windows and was closed. To see if more information about the problem is available, check the problem history in the Action Center control panel.
 
Process ID: ec0
 
Start Time: 01d0ffc48fc776a6
 
Termination Time: 4294967295
 
Application Path: C:\Windows\system32\wwahost.exe
 
Report Id: d6cd131e-6bb7-11e5-827d-3464a9c301ba
 
Faulting package full name: Microsoft.BingFinance_3.0.4.336_x64__8wekyb3d8bbwe
 
Faulting package-relative application ID: AppexFinance
 
Error: (10/05/2015 03:21:43 PM) (Source: Microsoft-Windows-Immersive-Shell) (EventID: 2486) (User: RGwork)
Description: App Microsoft.BingFinance_3.0.4.336_x64__8wekyb3d8bbwe+AppexFinance did not launch within its allotted time.
 
Error: (09/25/2015 02:18:33 PM) (Source: Winlogon) (EventID: 4005) (User: )
Description: The Windows logon process has unexpectedly terminated.
 
 
System errors:
=============
Error: (02/12/2016 07:12:57 PM) (Source: DCOM) (EventID: 10010) (User: RGwork)
Description: {1B1F472E-3221-4826-97DB-2C2324D389AE}
 
Error: (02/12/2016 07:12:27 PM) (Source: DCOM) (EventID: 10010) (User: RGwork)
Description: {BF6C1E47-86EC-4194-9CE5-13C15DCB2001}
 
Error: (02/12/2016 06:47:57 PM) (Source: DCOM) (EventID: 10010) (User: RGwork)
Description: {209500FC-6B45-4693-8871-6296C4843751}
 
Error: (02/12/2016 06:47:27 PM) (Source: DCOM) (EventID: 10010) (User: RGwork)
Description: {209500FC-6B45-4693-8871-6296C4843751}
 
Error: (02/12/2016 06:46:57 PM) (Source: DCOM) (EventID: 10010) (User: RGwork)
Description: {209500FC-6B45-4693-8871-6296C4843751}
 
Error: (02/12/2016 06:27:34 PM) (Source: Tcpip) (EventID: 4199) (User: )
Description: The system detected an address conflict for IP address 2605:e000:8aa0:d500::2 with the system
having network hardware address D8-CB-8A-5D-44-E9. Network operations on this system may
be disrupted as a result.
 
Error: (02/12/2016 05:14:28 PM) (Source: DCOM) (EventID: 10005) (User: RGwork)
Description: 1084ShellHWDetectionUnavailable{DD522ACC-F821-461A-A407-50B198B896DC}
 
Error: (02/12/2016 05:14:02 PM) (Source: DCOM) (EventID: 10005) (User: RGwork)
Description: 1084dpsUnavailable{DDCFD26B-FEED-44CD-B71D-79487D2E5E5A}
 
Error: (02/12/2016 05:13:32 PM) (Source: DCOM) (EventID: 10005) (User: NT AUTHORITY)
Description: 1084WSearchUnavailable{9E175B68-F52A-11D8-B9A5-505054503030}
 
Error: (02/12/2016 05:13:19 PM) (Source: DCOM) (EventID: 10005) (User: RGwork)
Description: 1084ShellHWDetectionUnavailable{DD522ACC-F821-461A-A407-50B198B896DC}
 
 
==================== Memory info =========================== 
 
Processor: Intel® Core™ i3-4010U CPU @ 1.70GHz
Percentage of memory in use: 27%
Total physical RAM: 6075.84 MB
Available physical RAM: 4435.26 MB
Total Virtual: 9787.84 MB
Available Virtual: 7999.97 MB
 
==================== Drives ================================
 
Drive c: () (Fixed) (Total:675.36 GB) (Free:568.85 GB) NTFS
Drive d: (RECOVERY) (Fixed) (Total:22.26 GB) (Free:2.18 GB) NTFS ==>[system with boot components (obtained from drive)]
 
==================== MBR & Partition Table ==================
 
========================================================
Disk: 0 (Size: 698.6 GB) (Disk ID: 57DF2823)
 
Partition: GPT.
 
==================== End of Addition.txt ============================
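The "Scheduled Tasks" section above is where most of the ATTENTION markers sit, and the pattern behind them is easy to check by hand: a task whose target lives under the user's profile or Temp, or whose file carries no company name, is rarely vendor software. The script below is an added example for this thread (not FRST's code and not part of any post); it parses FRST's "Task:" line format and applies those two rules of thumb plus FRST's own ATTENTION flag. The sample lines are copied from the Addition.txt above; the heuristic names ("runs-from-temp" and so on) are the example's own. The output is a review list, not a fixlist: the "line" field keeps the original text so a reviewer can paste the entries they agree with.

```python
"""Triage the 'Scheduled Tasks' section of an FRST Addition.txt.

Added example for this thread; not part of FRST or of any post above. The sample
lines are copied from the log in the first post; the heuristics (user-profile or
Temp paths, missing company name) are the example's own rules of thumb, not
FRST's whitelist logic.
"""
ATTENTION = "<==== ATTENTION"
TASKS_PREFIX = "System32\\Tasks\\"


def parse_task_line(line):
    """Return a dict for one 'Task:' line, or None for any other line.

    FRST prints registry tasks as
        Task: {GUID} - System32\\Tasks\\Name => C:\\dir\\file.exe [yyyy-mm-dd] (Company) <==== ATTENTION
    and legacy .job files as
        Task: C:\\Windows\\Tasks\\Name.job => C:\\dir\\file.exe
    The [date] and (Company) parts are absent when FRST printed no file details.
    """
    if not line.startswith("Task: "):
        return None
    body = line[len("Task: "):].rstrip()
    attention = body.endswith(ATTENTION)
    if attention:
        body = body[: -len(ATTENTION)].rstrip()
    left, sep, target = body.partition(" => ")
    if not sep:
        return None
    name = left.split(" - ", 1)[1] if left.startswith("{") and " - " in left else left
    if name.startswith(TASKS_PREFIX):
        name = name[len(TASKS_PREFIX):]
    else:
        name = name.rsplit("\\", 1)[-1]        # .job path -> file name
    company = date = None
    if target.endswith(")"):                     # "(Company)" is always last, after the date
        target, _, company = target[:-1].rpartition(" (")
    if target.endswith("]"):                     # "[yyyy-mm-dd]" is the file date
        target, _, date = target[:-1].rpartition(" [")
    return {"name": name, "path": target, "date": date, "company": company,
            "attention": attention, "line": line.rstrip()}


def reasons_for(task):
    """Heuristics that earn a task a second look; an empty list means nothing stood out."""
    reasons = []
    if task["attention"]:
        reasons.append("frst-attention")          # FRST's own non-whitelisted marker
    low = task["path"].lower()
    if "\\temp\\" in low:
        reasons.append("runs-from-temp")          # installers clean Temp up; persistence does not
    elif "\\users\\" in low or "\\appdata\\" in low:
        reasons.append("runs-from-user-profile")  # writable without admin rights
    if task["company"] is None:
        reasons.append("no-file-details")         # no date/company printed: target is usually missing
    elif task["company"] == "":
        reasons.append("no-company-name")         # "()": version info carries no company name
    return reasons


def triage(lines):
    """Return the tasks that triggered at least one heuristic, in log order."""
    findings = []
    for line in lines:
        task = parse_task_line(line)
        if task is None:
            continue
        reasons = reasons_for(task)
        if reasons:
            task["reasons"] = reasons
            findings.append(task)
    return findings


# A representative subset of the Task lines from the Addition.txt posted above.
SAMPLE_LOG = r"""
Task: {064BB8B3-B144-4139-BCE8-9C7538F8A171} - System32\Tasks\UpdateAdmin => C:\Users\raul\AppData\Local\UpdateAdmin\UpdateAdmin.exe [2014-10-16] (DownloadAdmin) <==== ATTENTION
Task: {31B56FE9-7370-4373-B52D-7B250413B39B} - System32\Tasks\GoogleUpdateTaskMachineUA => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2015-08-20] (Google Inc.)
Task: {5EA2128C-943A-418C-9BC8-E91DF9D05D09} - System32\Tasks\TidyNetwork Update => C:\Users\raul\AppData\Local\TidyNetwork\petnupdate.exe
Task: {61F6EF9E-1144-4168-A8DE-6BB27A8B8335} - System32\Tasks\WSE_Astromenda => C:\Users\raul\AppData\Roaming\WSE_Astromenda\UpdateProc\UpdateTask.exe [2015-04-06] () <==== ATTENTION
Task: {736AA325-795D-425D-9A5D-89C431D9D40C} - System32\Tasks\Synaptics TouchPad Enhancements => C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
Task: {D0536895-D9BC-46F2-9956-0A085C80FE78} - System32\Tasks\RunTool => C:\Users\raul\AppData\Local\Temp\install_temp.exe [2015-03-09] () <==== ATTENTION
Task: C:\Windows\Tasks\WSE_Astromenda.job => C:\Users\raul\AppData\Roaming\WSE_AS~1\UPDATE~1\UPDATE~1.EXE <==== ATTENTION
Task: {35853887-E74E-429C-8E41-D7740F22603D} - System32\Tasks\Hewlett-Packard\HP Support Assistant\Update Check => C:\ProgramData\Hewlett-Packard\HP Support Framework\Resources\Updater7\HPSFUpdater.exe [2015-11-30] (Hewlett-Packard)
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG.splitlines()):
        print("%-32s %-50s %s" % (f["name"], ",".join(f["reasons"]), f["path"]))
```

Run against the sample, the Google and HP updaters drop out and the six remaining entries are exactly the ones the fixlist later in this thread removes, plus the Synaptics task, which is listed only because FRST printed no file details for its target; that is the kind of entry a reviewer checks by hand rather than deletes.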

 




 


#2 olgun52

olgun52

  • Malware Response Team
  • 3,807 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:08:54 AM

Posted 17 February 2016 - 05:26 PM

Hi TheSentinel,

Please do the following,
Uninstall some programs:
We need to uninstall some unwanted/unneeded programs.

  • Press the Windows key + R on your keyboard at the same time. Type appwiz.cpl and click OK.
  • Search there for each entry mentioned below, right-click the entry and click Uninstall one at a time

The list of programs to uninstall:
WSE_Astromenda
Google Chrome Packages
Search Protect
UpdateAdmin
groovorio.com
astromenda.com
trovi.com
Vosteran.com

After completing uninstalls, please manually reboot your machine!
Note: If you get a message like "An error occurred while trying to uninstall", just press Yes.
Note: If you are unable to uninstall all programs, please inform me, but continue with the other steps.
  
Scan with Zemana AntiMalware Free:

  • Turn off the real time scanner of any existing antivirus and firewall programs while performing scan
  • Please download and install Zemana AntiMalware Free
  • Double-click software shortcut on the desktop and follow the prompts to install the program .
  • If an update is available, click the Update now button.
  • At the end, click Settings > Advanced > ''I have read the warning and wish to proceed anyway'' > Click
  • Auto Launch > Untick the box next
  • Scan type > Smart scan (Default)
  • Close all open files, folders and browsers
  • Click scan now ''Run as Administrator'' and a threat Scan will begin.
  • When the scan is complete, Press report and send me report.

Best regards
 

 


 


#3 TheSentinel

TheSentinel
  • Topic Starter

  • Members
  • 42 posts
  • OFFLINE
  •  
  • Local time:09:54 PM

Posted 17 February 2016 - 09:37 PM

WSE_Astromenda not listed
Search Protect alerted to not enough admin rights
UpdateAdmin: network resource unavailable (UpdaterSetup4.msi)
 
The following are not listed either:
Vosteran.com
 
 
Zemana AntiMalware 2.19.179.852 (Installed)
 
-------------------------------------------------------
Scan Result            : Completed
Scan Date              : 2016/2/17
Operating System       : Windows 8.1 64-bit
Processor              : 4X Intel® Core™ i3-4010U CPU @ 1.70GHz
BIOS Mode              : UEFI
CUID                   : 004A0D10DC0D8D4D5F3A1B
Scan Type              : Smart Scan
Duration               : 5m 58s
Scanned Objects        : 16401
Detected Objects       : 15
Excluded Objects       : 0
Read Level             : SCSI
Auto Upload            : Yes
Include All Extensions : No
Scan Documents         : No
Domain Info            : WORKGROUP,0,2
 
Detected Objects
-------------------------------------------------------
 
Internet Widgits
Status             : Scanned
Object             : HKLM\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\D69661FC4B9727381A001E70870DA4DE39383A97\Blob
MD5                : -
Publisher          : -
Size               : -
Version            : -
Detection          : Suspicious Root CA
Cleaning Action    : Delete
Traces             :
                Registry Entry - HKLM\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\D69661FC4B9727381A001E70870DA4DE39383A97\Blob
 
DO_NOT_TRUST_FiddlerRoot
Status             : Scanned
Object             : HKLM\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\B0163672008FEF2E593EFB6BC876AFB3E63AEB48\Blob
MD5                : -
Publisher          : -
Size               : -
Version            : -
Detection          : Suspicious Root CA
Cleaning Action    : Delete
Traces             :
                Registry Entry - HKLM\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\B0163672008FEF2E593EFB6BC876AFB3E63AEB48\Blob = 5C00000001000000040000000004000019000000010000001000000094A299C0B0310107513677BAAEF4236D0F00000001000000200000006FEA1CC02DCC4056596536512FEF503BECBE0899863450347C3072875578720F030000000100000014000000B0163672008FEF2E593EFB6BC876AFB3E63AEB48140000000100000014000000D5315A711BD3F15A88315AF3A27D759BEDAB4C5604000000010000001000000044E165FFDFC2B48E7D1D690DEC80D1CC2000000001000000910300003082038D308202F6A0030201020210DD7EA919667B5196446315F829BAC969300D06092A864886F70D01010B050030818B312B3029060355040B13224372656174656420627920687474703A2F2F7777772E666964646C6572322E636F6D3121301F060355040A1E180044004F005F004E004F0054005F005400520055005300543139303706035504031E300044004F005F004E004F0054005F00540052005500530054005F0046006900640064006C006500720052006F006F0074301E170D3134313230353038303030305A170D3235313230353037353935395A30818B312B3029060355040B13224372656174656420627920687474703A2F2F7777772E666964646C6572322E636F6D3121301F060355040A1E180044004F005F004E004F0054005F005400520055005300543139303706035504031E300044004F005F004E004F0054005F00540052005500530054005F0046006900640064006C006500720052006F006F007430819F300D06092A864886F70D010101050003818D0030818902818100A2806176A865E740CAB03DC2D2F0908DA75FA05D36F792D3973E23A2DF8EA1B883480ED53FAD5359D75DC63C52E98F4639CFF6C4E70594E0CCF080E63BA549CA7707505DA85CAF913ECA98845729376FCC8D8C82F278BD4BA34DCCE75727DBA1C67864E9F9D1BFEEDE2D3050E4A89B6FF227CECE223CBD69040E40A8697567250203010001A381EF3081EC30120603551D130101FF040830060101FF02010130130603551D25040C300A06082B060105050703013081C00603551D010481B83081B58010B1B57C8C8DD816FC9188042FFBCE5039A1818E30818B312B3029060355040B13224372656174656420627920687474703A2F2F7777772E666964646C6572322E636F6D3121301F060355040A1E180044004F005F004E004F0054005F005400520055005300543139303706035504031E300044004F005F004E004F0054005F00540052005500530054005F0046006900640064006C00
6500720052006F006F00748210DD7EA919667B5196446315F829BAC969300D06092A864886F70D01010B05000381810086F07FB8B8C38E3DB3D1AD3F4FAEBC770DC3722C8994E177D0E379C879EEEDEC9374BB84920407AE69F351DF0B45964859B7441B08F752A9138ED9A873497C11487839BC9808F2949FD61A5A231599B81575A2205B64743D9D1535D51A56BD65EE9F384A87885C2F0E09B0832C9E6C995A69B73C6E347A9ECFC7336AA7803FCF
 
Proxy Server (User)
Status             : Scanned
Object             : HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyServer
MD5                : -
Publisher          : -
Size               : -
Version            : -
Detection          : Suspicious Setting
Cleaning Action    : Delete
Traces             :
                Registry Entry - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyServer = 127.0.0.1:5050
 
Internet Explorer Search
Status             : Scanned
Object             : Groovorio - http://groovorio.com
MD5                : -
Publisher          : -
Size               : -
Version            : -
Detection          : Suspicious Browser Setting
Cleaning Action    : Repair
Traces             :
                Browser Setting - Internet Explorer Search
 
Internet Explorer Search
Status             : Scanned
Object             : Trovi search - http://trovi.com
MD5                : -
Publisher          : -
Size               : -
Version            : -
Detection          : Suspicious Browser Setting
Cleaning Action    : Repair
Traces             :
                Browser Setting - Internet Explorer Search
 
Internet Explorer Search
Status             : Scanned
Object             : Vosteran - http://Vosteran.com
MD5                : -
Publisher          : -
Size               : -
Version            : -
Detection          : Suspicious Browser Setting
Cleaning Action    : Repair
Traces             :
                Browser Setting - Internet Explorer Search
 
Internet Explorer Search
Status             : Scanned
Object             : Groovorio - http://groovorio.com
MD5                : -
Publisher          : -
Size               : -
Version            : -
Detection          : Suspicious Browser Setting
Cleaning Action    : Repair
Traces             :
                Browser Setting - Internet Explorer Search
 
Internet Explorer Search
Status             : Scanned
Object             : Astromenda - http://astromenda.com
MD5                : -
Publisher          : -
Size               : -
Version            : -
Detection          : Suspicious Browser Setting
Cleaning Action    : Repair
Traces             :
                Browser Setting - Internet Explorer Search
 
Chrome Homepage
Status             : Scanned
MD5                : -
Publisher          : -
Size               : -
Version            : -
Detection          : Suspicious Browser Setting
Cleaning Action    : Repair
Traces             :
                Browser Setting - Chrome Homepage
 
service.exe
Status             : Scanned
Object             : %commonprogramfiles%\diagnostics\node\service.exe
MD5                : 7BAF9EC53921DA313AD014BF98D8B911
Publisher          : -
Size               : 154624
Version            : 1.0.0.1
Detection          : Malware:Win32/Cognito.A!Acka
Cleaning Action    : Quarantine
Traces             :
                File - %commonprogramfiles%\diagnostics\node\service.exe
                Registry Entry - HKLM\System\CurrentControlSet\Services\Proxy\ImagePath = "C:\Program Files (x86)\Common Files\Diagnostics\node\service.exe" -s "C:\Program Files (x86)\Common Files\Diagnostics\node\proxy_master.js"
                Registry Entry - HKLM\System\CurrentControlSet\Services\Diagnostics\ImagePath = "C:\Program Files (x86)\Common Files\Diagnostics\node\service.exe" -s "C:\Program Files (x86)\Common Files\Diagnostics\node\diagnostics.js"
 
CltMngSvc.exe
Status             : Scanned
Object             : %programfiles%\searchprotect\main\bin\cltmngsvc.exe
MD5                : 94303D3C7EC71655D9A1D91633BF0FEA
Publisher          : ClientConnect LTD
Size               : 3312960
Version            : -
Detection          : Adware:Win32/ClientConnect!Ep
Cleaning Action    : Quarantine
Traces             :
                File - %programfiles%\searchprotect\main\bin\cltmngsvc.exe
                Registry Entry - HKLM\System\CurrentControlSet\Services\CltMngSvc\ImagePath = C:\Program Files (x86)\SearchProtect\Main\bin\CltMngSvc.exe
 
UpdateAdmin.exe
Status             : Scanned
Object             : %localappdata%\updateadmin\updateadmin.exe
MD5                : BE8E0779649D22951A4124B0DC68CA78
Publisher          : Download Admin
Size               : 225552
Version            : 1.0.0.1885
Detection          : Win32/Adware.Downloader!Ep
Cleaning Action    : Quarantine
Traces             :
                File - %localappdata%\updateadmin\updateadmin.exe
                Registry Entry - HKCU\Software\Microsoft\Windows\CurrentVersion\Run\UpdateAdmin = C:\Users\raul\AppData\Local\UpdateAdmin\UpdateAdmin.exe /RUN
                Scheduled Task - C:\Windows\System32\Tasks\UpdateAdmin
 
vc32loader.dll
Status             : Scanned
Object             : %programfiles%\searchprotect\searchprotect\bin\vc32loader.dll
MD5                : 0F9ED214B398B527BD7C2AA4C2B02C72
Publisher          : ClientConnect LTD
Size               : 216896
Version            : -
Detection          : Adware:Win32/ClientConnect!Ep
Cleaning Action    : Quarantine
Traces             :
                File - %programfiles%\searchprotect\searchprotect\bin\vc32loader.dll
                Registry Entry - HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows\Appinit_Dlls = c:\progra~2\searchprotect\searchprotect\bin\vc32loader.dll
 
VC64Loader.dll
Status             : Scanned
Object             : %programfiles%\searchprotect\searchprotect\bin\vc64loader.dll
MD5                : 43ECFA8BCDF565FBB3CE494C4ED472E1
Publisher          : ClientConnect LTD
Size               : 246080
Version            : -
Detection          : Adware:Win32/ClientConnect!Ep
Cleaning Action    : Quarantine
Traces             :
                File - %programfiles%\searchprotect\searchprotect\bin\vc64loader.dll
                Registry Entry - HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Appinit_Dlls = C:\PROGRA~2\SearchProtect\SearchProtect\bin\VC64Loader.dll  
 
install_temp.exe
Status             : Scanned
Object             : %temp%\install_temp.exe
MD5                : C387A73359542AAB558445AED3D951FB
Publisher          : -
Size               : 701952
Version            : -
Detection          : Malware:Win32/Blackoat.A!Racm
Cleaning Action    : Quarantine
Traces             :
                File - %temp%\install_temp.exe
                Scheduled Task - C:\Windows\System32\Tasks\RunTool
 
 
Cleaning Result
-------------------------------------------------------
Cleaned               : 15
Reported as safe      : 0
Failed                : 0
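Two of the Zemana findings above belong together: a root CA named DO_NOT_TRUST_FiddlerRoot in the machine's ROOT store and an Internet Explorer proxy pointing at 127.0.0.1:5050. A trusted root plus a local proxy is the shape of a TLS-intercepting proxy, and the report also shows the "Proxy" service that ran service.exe with proxy_master.js. When a scanner deletes such a key it is worth knowing what the Blob value actually held, for example from a `reg export` of the key or a parsed SOFTWARE hive. The parser below is an added example, not Zemana's, FRST's or any poster's code: it walks the record format of a `...\Certificates\<SHA-1>\Blob` value (property ID, a reserved dword of 1, a length, the data), names the property IDs from wincrypt.h, and cross-checks the stored SHA-1 against the key name. FIDDLER_PROPS_HEX is the first six property records of the Fiddler blob exactly as printed in the report above (the long certificate record is omitted); DUMMY_DER is a constructed placeholder, not a real certificate, used only to exercise the certificate-record path.

```python
"""Parse and sanity-check a Windows certificate-store 'Blob' registry value.

Added example for this thread, not from Zemana, FRST or any post above. Property
ID names come from wincrypt.h. FIDDLER_PROPS_HEX is the leading six property
records of the DO_NOT_TRUST_FiddlerRoot blob as printed in the Zemana report
(the certificate record, property 32, is left out); DUMMY_DER is a constructed
placeholder, not a real certificate.
"""
import hashlib
import struct

CERT_SHA1_HASH_PROP_ID = 3
CERT_CERT_PROP_ID = 32
CERT_SUBJECT_PUB_KEY_BIT_LENGTH_PROP_ID = 92
PROP_NAMES = {
    3: "CERT_SHA1_HASH_PROP_ID",
    4: "CERT_MD5_HASH_PROP_ID",
    15: "CERT_SIGNATURE_HASH_PROP_ID",
    20: "CERT_KEY_IDENTIFIER_PROP_ID",
    25: "CERT_SUBJECT_PUBLIC_KEY_MD5_HASH_PROP_ID",
    32: "CERT_CERT_PROP_ID",
    92: "CERT_SUBJECT_PUB_KEY_BIT_LENGTH_PROP_ID",
}


def parse_blob(blob):
    """Walk the records of a Blob value: <propid:u32><reserved:u32 == 1><length:u32><data>."""
    props = {}
    off = 0
    while off < len(blob):
        if off + 12 > len(blob):
            raise ValueError("truncated record header at offset %d" % off)
        propid, reserved, cb = struct.unpack_from("<III", blob, off)
        if reserved != 1:
            raise ValueError("not a serialized store element (reserved=%d at offset %d)" % (reserved, off))
        off += 12
        if off + cb > len(blob):
            raise ValueError("property %d runs %d bytes past the end" % (propid, off + cb - len(blob)))
        props[propid] = blob[off:off + cb]
        off += cb
    return props


def check_blob(key_name, blob):
    """Cross-check a Blob against its key name; Windows names the key after the SHA-1 thumbprint."""
    props = parse_blob(blob)
    want = key_name.upper()
    result = {
        "props": {pid: PROP_NAMES.get(pid, "unknown") for pid in props},
        "sha1_matches_key": props.get(CERT_SHA1_HASH_PROP_ID, b"").hex().upper() == want,
        "has_certificate": CERT_CERT_PROP_ID in props,
        "cert_sha1_matches": None,   # only meaningful when the DER itself is present
        "key_bits": None,
    }
    if CERT_SUBJECT_PUB_KEY_BIT_LENGTH_PROP_ID in props:
        result["key_bits"] = struct.unpack("<I", props[CERT_SUBJECT_PUB_KEY_BIT_LENGTH_PROP_ID])[0]
    if result["has_certificate"]:
        der = props[CERT_CERT_PROP_ID]                 # the DER certificate, hashable as-is
        result["cert_sha1_matches"] = hashlib.sha1(der).hexdigest().upper() == want
    return result


def build_element(der):
    """Serialize a minimal element (SHA-1 property, then the certificate) in the same record format."""
    def record(propid, data):
        return struct.pack("<III", propid, 1, len(data)) + data
    return record(CERT_SHA1_HASH_PROP_ID, hashlib.sha1(der).digest()) + record(CERT_CERT_PROP_ID, der)


def is_truncated(blob):
    """True when the blob does not parse as a complete sequence of records."""
    try:
        parse_blob(blob)
        return False
    except ValueError:
        return True


# First six property records of the Fiddler root's Blob, copied from the Zemana report above.
FIDDLER_KEY = "B0163672008FEF2E593EFB6BC876AFB3E63AEB48"
FIDDLER_PROPS_HEX = (
    "5C000000" "01000000" "04000000" "00040000"
    "19000000" "01000000" "10000000" "94A299C0B0310107513677BAAEF4236D"
    "0F000000" "01000000" "20000000" "6FEA1CC02DCC4056596536512FEF503BECBE0899863450347C3072875578720F"
    "03000000" "01000000" "14000000" "B0163672008FEF2E593EFB6BC876AFB3E63AEB48"
    "14000000" "01000000" "14000000" "D5315A711BD3F15A88315AF3A27D759BEDAB4C56"
    "04000000" "01000000" "10000000" "44E165FFDFC2B48E7D1D690DEC80D1CC"
)
FIDDLER_BLOB = bytes.fromhex(FIDDLER_PROPS_HEX)

# Constructed placeholder bytes standing in for a DER certificate (not a real certificate).
DUMMY_DER = b"\x30\x03\x02\x01\x01"
DUMMY_KEY = hashlib.sha1(DUMMY_DER).hexdigest().upper()

if __name__ == "__main__":
    print(check_blob(FIDDLER_KEY, FIDDLER_BLOB))
    print(check_blob(DUMMY_KEY, build_element(DUMMY_DER)))
```

On the Fiddler records the SHA-1 property matches the key name and property 92 decodes to a 1024-bit subject key, which is consistent with the 129-byte RSA modulus visible in the hex dump above; with the full Blob the same function would also hash the embedded DER and confirm it against the thumbprint, which is the check to run before trusting a scanner's one-line verdict or when reconstructing what a machine trusted at the time of an incident.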


#4 olgun52

olgun52

  • Malware Response Team
  • 3,807 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:08:54 AM

Posted 18 February 2016 - 02:43 PM

Very good.

 

Step1:

Copy the below code to Notepad; Save As fixlist.txt to your Desktop.

start
Task: {064BB8B3-B144-4139-BCE8-9C7538F8A171} - System32\Tasks\UpdateAdmin => C:\Users\raul\AppData\Local\UpdateAdmin\UpdateAdmin.exe [2014-10-16] (DownloadAdmin) <==== ATTENTION
Task: {5EA2128C-943A-418C-9BC8-E91DF9D05D09} - System32\Tasks\TidyNetwork Update => C:\Users\raul\AppData\Local\TidyNetwork\petnupdate.exe
Task: {61F6EF9E-1144-4168-A8DE-6BB27A8B8335} - System32\Tasks\WSE_Astromenda => C:\Users\raul\AppData\Roaming\WSE_Astromenda\UpdateProc\UpdateTask.exe [2015-04-06] () <==== ATTENTION
Task: {D0536895-D9BC-46F2-9956-0A085C80FE78} - System32\Tasks\RunTool => C:\Users\raul\AppData\Local\Temp\install_temp.exe [2015-03-09] () <==== ATTENTION
Task: C:\Windows\Tasks\WSE_Astromenda.job => C:\Users\raul\AppData\Roaming\WSE_AS~1\UPDATE~1\UPDATE~1.EXE <==== ATTENTION
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcpltsvc => ""=""
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\mcpltsvc => ""=""
FirewallRules: [{C91EC5A9-D4B6-494C-84F8-6D30DE7E8895}] => (Allow) C:\Program Files\Common Files\mcafee\platform\McSvcHost\McSvHost.exe
FirewallRules: [{B7A6B4B3-8689-463E-9AD5-D20086D5C264}] => (Allow) C:\Program Files\Common Files\mcafee\platform\McSvcHost\McSvHost.exe
FirewallRules: [{13F87A1E-5CA4-45A5-8BD7-DCFEDC0D5385}] => (Allow) C:\Program Files (x86)\PremierOpinion\pmropn.exe
FirewallRules: [{4F1FB276-0EA5-4326-9A2A-B903F587FED0}] => (Allow) C:\Program Files (x86)\PremierOpinion\pmropn.exe
HKU\S-1-5-21-2824485615-429292516-596377084-1001\...\Run: [UpdateAdmin] => C:\Users\raul\AppData\Local\UpdateAdmin\UpdateAdmin.exe [225552 2014-10-16] (DownloadAdmin)
HKU\S-1-5-21-2824485615-429292516-596377084-1001\...\MountPoints2: {6d01570b-8291-11e4-825c-3464a9c301ba} - "F:\VerizonWirelessUpgradeAssistantSetup.exe" -a
HKU\S-1-5-21-2824485615-429292516-596377084-1001\...\MountPoints2: {b8552450-9bef-11e5-827d-3464a9c301ba} - "G:\VerizonWirelessUpgradeAssistantSetup.exe" -a
AppInit_DLLs: C:\PROGRA~2\SearchProtect\SearchProtect\bin\VC64Loader.dll => C:\Program Files (x86)\SearchProtect\SearchProtect\bin\VC64Loader.dll [246080 2014-11-27] ()
AppInit_DLLs-x32: c:\progra~2\searchprotect\searchprotect\bin\vc32loader.dll => c:\Program Files (x86)\searchprotect\searchprotect\bin\vc32loader.dll [216896 2014-11-27] ()
IFEO\bbqleads.exe: [Debugger] TaskList.exe
IFEO\bbqleadsapplication.exe: [Debugger] TaskList.exe
IFEO\bbqleadsservice.exe: [Debugger] TaskList.exe
IFEO\bbqquotes.exe: [Debugger] TaskList.exe
IFEO\ContentExplorer.exe: [Debugger] TaskList.exe
IFEO\donutleads.exe: [Debugger] TaskList.exe
IFEO\donutquotes.exe: [Debugger] TaskList.exe
IFEO\internetenhancer.exe: [Debugger] TaskList.exe
IFEO\internetenhancerservice.exe: [Debugger] TaskList.exe
IFEO\pastaleads.exe: [Debugger] TaskList.exe
IFEO\pastaquotes.exe: [Debugger] TaskList.exe
IFEO\spyhunter.exe: [Debugger] TaskList.exe
IFEO\theanswerfinder.exe: [Debugger] TaskList.exe
IFEO\wajam.exe: [Debugger] TaskList.exe
IFEO\wajaminternetenhancer.exe: [Debugger] TaskList.exe
IFEO\WajamInternetEnhancerApp.exe: [Debugger] TaskList.exe
IFEO\WajamInternetEnhancerAppservice.exe: [Debugger] TaskList.exe
IFEO\wajaminternetenhancerservice.exe: [Debugger] TaskList.exe
ProxyEnable: [S-1-5-19] => Proxy is enabled.
ProxyServer: [S-1-5-19] => 127.0.0.1:5050
ProxyEnable: [S-1-5-20] => Proxy is enabled.
ProxyServer: [S-1-5-20] => 127.0.0.1:5050
ProxyServer: [S-1-5-21-2824485615-429292516-596377084-1001] => 127.0.0.1:5050
HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Start Page = about:blank
HKU\S-1-5-21-2824485615-429292516-596377084-1001\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
SearchScopes: HKLM -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = hxxp://groovorio.com/results.php?f=4&q={searchTerms}&a=grv_tight3_14_33&cd=2XzuyEtN2Y1L1QzutAzz0BtC0D0BtD0CyDyEtBtDyC0CyCtDtN0D0Tzu0StCtDyByCtN1L2XzutAtFyCtFtCtDtFtCtN1L1Czu2Z1L1N1M2Z1VtCyE1VtCzztN1L1G1B1V1N2Y1L1Qzu2StAtAyB0C0A0EtA0AtGtB0AtA0BtGtA0FyCtBtGzztAtDtBtGyC0FtC0EyB0AyDzz0F0A0E0B2QtN1M1F1B2Z1V1N2Y1L1Qzu2SyCzyyDtCyB0C0AzztG0DtByE0EtGyEtByEtCtGzy0B0A0BtG0CyB0B0C0D0AyEtC0FyDyDyE2Q&cr=1837525749&ir=
SearchScopes: HKLM -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = hxxp://groovorio.com/results.php?f=4&q={searchTerms}&a=grv_tight3_14_33&cd=2XzuyEtN2Y1L1QzutAzz0BtC0D0BtD0CyDyEtBtDyC0CyCtDtN0D0Tzu0StCtDyByCtN1L2XzutAtFyCtFtCtDtFtCtN1L1Czu2Z1L1N1M2Z1VtCyE1VtCzztN1L1G1B1V1N2Y1L1Qzu2StAtAyB0C0A0EtA0AtGtB0AtA0BtGtA0FyCtBtGzztAtDtBtGyC0FtC0EyB0AyDzz0F0A0E0B2QtN1M1F1B2Z1V1N2Y1L1Qzu2SyCzyyDtCyB0C0AzztG0DtByE0EtGyEtByEtCtGzy0B0A0BtG0CyB0B0C0D0AyEtC0FyDyDyE2Q&cr=1837525749&ir=
SearchScopes: HKLM -> {2E00D31D-D171-423D-836D-1A4D7EA7F1A9} URL = 
SearchScopes: HKLM -> {7774025B-A05C-4A80-B026-A30BAB92BC83} URL = hxxp://www.amazon.com/s/ref=azs_osd_iea?ie=UTF-8&tag=hp-us2-vsb-20&link%5Fcode=qs&index=aps&field-keywords={searchTerms}
SearchScopes: HKLM -> {DC91FAFB-6CEA-49E5-BB74-9CEE75D09B77} URL = 
SearchScopes: HKLM-x32 -> {7774025B-A05C-4A80-B026-A30BAB92BC83} URL = hxxp://www.amazon.com/s/ref=azs_osd_iea?ie=UTF-8&tag=hp-us2-vsb-20&link%5Fcode=qs&index=aps&field-keywords={searchTerms}
SearchScopes: HKU\S-1-5-21-2824485615-429292516-596377084-1001 -> DefaultScope {014DB5FA-EAFB-4592-A95B-F44D3EE87FA9} URL = hxxp://astromenda.com/results.php?f=4&q={searchTerms}&a=irast&cd=2XzuyEtN2Y1L1QzutAzz0BtC0D0BtD0CyDyEtBtDyC0CyCtDtN0D0Tzu0StCtCzytCtN1L2XzutAtFyCtFtBtFtDtN1L1Czu0C0I0S0V0E0R1V1QtN1L1G1B1V1N2Y1L1Qzu2StC0BtCtCtC0CtCtDtGyB0C0AtAtGtBtAtB0AtGzy0EtDyCtGyD0AzytCzyzzzyyD0AtDyBtB2QtN1M1F1B2Z1V1N2Y1L1Qzu2SyCzyyDtCyB0C0AzztG0DtByE0EtGyEtByEtCtGzy0B0A0BtG0CyB0B0C0D0AyEtC0FyDyDyE2Q&cr=53455050&ir=
SearchScopes: HKU\S-1-5-21-2824485615-429292516-596377084-1001 -> {014DB5FA-EAFB-4592-A95B-F44D3EE87FA9} URL = hxxp://astromenda.com/results.php?f=4&q={searchTerms}&a=irast&cd=2XzuyEtN2Y1L1QzutAzz0BtC0D0BtD0CyDyEtBtDyC0CyCtDtN0D0Tzu0StCtCzytCtN1L2XzutAtFyCtFtBtFtDtN1L1Czu0C0I0S0V0E0R1V1QtN1L1G1B1V1N2Y1L1Qzu2StC0BtCtCtC0CtCtDtGyB0C0AtAtGtBtAtB0AtGzy0EtDyCtGyD0AzytCzyzzzyyD0AtDyBtB2QtN1M1F1B2Z1V1N2Y1L1Qzu2SyCzyyDtCyB0C0AzztG0DtByE0EtGyEtByEtCtGzy0B0A0BtG0CyB0B0C0D0AyEtC0FyDyDyE2Q&cr=53455050&ir=
SearchScopes: HKU\S-1-5-21-2824485615-429292516-596377084-1001 -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = hxxp://groovorio.com/results.php?f=4&q={searchTerms}&a=grv_tight3_14_33&cd=2XzuyEtN2Y1L1QzutAzz0BtC0D0BtD0CyDyEtBtDyC0CyCtDtN0D0Tzu0StCtDyByCtN1L2XzutAtFyCtFtCtDtFtCtN1L1Czu2Z1L1N1M2Z1VtCyE1VtCzztN1L1G1B1V1N2Y1L1Qzu2StAtAyB0C0A0EtA0AtGtB0AtA0BtGtA0FyCtBtGzztAtDtBtGyC0FtC0EyB0AyDzz0F0A0E0B2QtN1M1F1B2Z1V1N2Y1L1Qzu2SyCzyyDtCyB0C0AzztG0DtByE0EtGyEtByEtCtGzy0B0A0BtG0CyB0B0C0D0AyEtC0FyDyDyE2Q&cr=1837525749&ir=
SearchScopes: HKU\S-1-5-21-2824485615-429292516-596377084-1001 -> {2E00D31D-D171-423D-836D-1A4D7EA7F1A9} URL = hxxp://Vosteran.com/results.php?f=4&q={searchTerms}&a=vst_ggbg_nan_nan_ch&cd=2XzuyEtN2Y1L1QzutAzz0BtC0D0BtD0CyDyEtBtDyC0CyCtDtN0D0Tzu0StCtDyBzztN1L2XzutAtFyCtFtCtDtFtCtDtN1L1CzutCyEtBzytDyD1V1StN1L1G1B1V1N2Y1L1Qzu2SyE0EyEtCzyzz0CtAtGzzzzyCtBtG0C0F0AtCtGyEyD0AtBtGyD0D0FzzyE0CtDzytBtB0CyD2QtN1M1F1B2Z1V1N2Y1L1Qzu2SyCzyyDtCyB0C0AzztG0DtByE0EtGyEtByEtCtGzy0B0A0BtG0CyB0B0C0D0AyEtC0FyDyDyE2Q&cr=1963451034&ir=
SearchScopes: HKU\S-1-5-21-2824485615-429292516-596377084-1001 -> {7774025B-A05C-4A80-B026-A30BAB92BC83} URL = hxxp://www.amazon.com/s/ref=azs_osd_iea?ie=UTF-8&tag=hp-us2-vsb-20&link%5Fcode=qs&index=aps&field-keywords={searchTerms}
SearchScopes: HKU\S-1-5-21-2824485615-429292516-596377084-1001 -> {DC91FAFB-6CEA-49E5-BB74-9CEE75D09B77} URL = hxxp://www.trovi.com/Results.aspx?gd=&ctid=CT3333245&octid=EB_ORIGINAL_CTID&ISID=ME739EB96-F84B-4804-83D1-0D78A6A0684B&SearchSource=58&CUI=&UM=6&UP=SP92CC5790-4EE2-4E7A-A03F-BACFFB76C282&q={searchTerms}&SSPV=&SSPV=
StartMenuInternet: IEXPLORE.EXE - iexplore.exe
CHR HomePage: Default -> hxxp://www.trovi.com/?gd=&ctid=CT3333245&octid=EB_ORIGINAL_CTID&ISID=ME739EB96-F84B-4804-83D1-0D78A6A0684B&SearchSource=55&CUI=&UM=6&UP=SP92CC5790-4EE2-4E7A-A03F-BACFFB76C282&SSPV=&SSPV=
CHR HKLM\...\Chrome\Extension: [blmchfpimpbbdmgpcieclabeafkljbhm] - hxxps://clients2.google.com/service/update2/crx
CHR HKLM\...\Chrome\Extension: [oilkkkefbalmbfppgjmgjoefbclebkce] - hxxps://clients2.google.com/service/update2/crx
CHR HKLM\...\Chrome\Extension: [pfkfdlcdbajamklbneflfbcmfgddmpae] - hxxps://clients2.google.com/service/update2/crx
CHR HKU\S-1-5-21-2824485615-429292516-596377084-1001\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [blmchfpimpbbdmgpcieclabeafkljbhm] - hxxps://clients2.google.com/service/update2/crx
CHR HKU\S-1-5-21-2824485615-429292516-596377084-1001\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [oilkkkefbalmbfppgjmgjoefbclebkce] - hxxps://clients2.google.com/service/update2/crx
CHR HKU\S-1-5-21-2824485615-429292516-596377084-1001\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [pfkfdlcdbajamklbneflfbcmfgddmpae] - hxxps://clients2.google.com/service/update2/crx
CHR HKLM-x32\...\Chrome\Extension: [blmchfpimpbbdmgpcieclabeafkljbhm] - hxxps://clients2.google.com/service/update2/crx
CHR HKLM-x32\...\Chrome\Extension: [dmidaiabaeipgkcooijbikmdcofhpakp] - hxxps://clients2.google.com/service/update2/crx
CHR HKLM-x32\...\Chrome\Extension: [oilkkkefbalmbfppgjmgjoefbclebkce] - hxxps://clients2.google.com/service/update2/crx
CHR HKLM-x32\...\Chrome\Extension: [pfkfdlcdbajamklbneflfbcmfgddmpae] - hxxps://clients2.google.com/service/update2/crx
S4 CltMngSvc; C:\Program Files (x86)\SearchProtect\Main\bin\CltMngSvc.exe [3312960 2014-11-27] () [File not signed]
S4 Diagnostics; C:\Program Files (x86)\Common Files\Diagnostics\node\service.exe [154624 2014-12-12] () [File not signed] <==== ATTENTION
S4 Proxy; C:\Program Files (x86)\Common Files\Diagnostics\node\service.exe [154624 2014-12-12] () [File not signed] <==== ATTENTION
S1 wpnfd_1_10_0_2; system32\drivers\wpnfd_1_10_0_2.sys [X]
2016-02-12 18:51 - 2014-09-24 19:21 - 00000000 ____D C:\ProgramData\McAfee
2016-02-12 18:51 - 2014-09-24 19:21 - 00000000 ____D C:\Program Files\Common Files\mcafee
2016-02-12 18:51 - 2014-09-24 19:21 - 00000000 ____D C:\Program Files (x86)\McAfee
C:\Windows\Tasks\WSE_Astromenda.job
C:\Users\raul\AppData\Local\pinger.com
 C:\Users\raul\AppData\Roaming\gtk-2.0
C:\Users\raul\Desktop\Thumbs.db
C:\Users\raul\Downloads\Thumbs.db
2015-04-23 15:44 - 2015-08-31 17:44 - 0000202 _____ () C:\Users\raul\AppData\Roaming\WB.CFG
2014-12-12 21:05 - 2014-12-12 21:05 - 0000064 _____ () C:\Users\raul\AppData\Local\9cc4c62492ded345cb7c97c269516d87
2015-05-10 15:44 - 2015-05-10 15:44 - 0000010 _____ () C:\Users\raul\AppData\Local\DSI.DAT
2015-08-05 19:09 - 2015-08-05 19:09 - 0613255 _____ (CMI Limited) C:\Users\raul\AppData\Local\nsi7775.tmp
2015-08-05 19:35 - 2015-08-05 19:34 - 0613255 _____ (CMI Limited) C:\Users\raul\AppData\Local\nsoFC7.tmp
2015-08-05 23:57 - 2015-08-05 23:56 - 0613255 _____ (CMI Limited) C:\Users\raul\AppData\Local\nsp9310.tmp
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\services\Proxy
HKU\S-1-5-21-2824485615-429292516-596377084-1001\...\StartupApproved\Run: => "UpdateAdmin"
HKU\S-1-5-21-2824485615-429292516-596377084-1001\...\StartupApproved\Run\UpdateAdmin
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\services\PremierOpinion
RemoveProxy:
EmptyTemp:
End 

Close Notepad.

NOTE: It's important that both files, FRST64 and fixlist.txt, are in the same location, or the fix will not work.

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.

Run FRST64 and press the Fix button just once and wait.

If the tool needs a restart, please make sure you let the system restart normally and let the tool complete its run after the restart.

The tool will make a log on the Desktop (Fixlog.txt). Attach it to your reply.

Note: If the tool warns you about an outdated version please download and run the updated version.

Step2:
Scan with Malwarebytes Antimalware:

Please download Malwarebytes Anti-Malware to your desktop.

  • Double-click the downloaded setup file and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to the following:
  • Launch Malwarebytes Anti-Malware
  • A 14 day trial of the Premium features is pre-selected. You may deselect this if you wish, and it will not diminish the scanning and removal capabilities of the program.
  • Click Finish.

If the program is already installed:

  • Run Malwarebytes Antimalware
  • On the Dashboard, click the 'Update Now >>' link
  • After the update completes, click the 'Scan Now >>' button.
  • Or, on the Dashboard, click the Scan Now >> button.
  • If an update is available, click the Update Now button.
  • A Threat Scan will begin.
  • When the scan is complete, if there have been detections, click Apply Actions to allow MBAM to clean what was detected.
  • In most cases, a restart will be required.
  • Wait for the prompt to restart the computer to appear, then click on Yes.
  • After the restart once you are back at your desktop, open MBAM once more.
  • Click on the History tab > Application Logs.
  • Double click on the scan log which shows the Date and time of the scan just performed.
  • Click 'Copy to Clipboard'
  • Paste the contents of the clipboard into your reply

Step3:
Please download RogueKiller 32/64 bit to your desktop and run it.

Quit all running programs.

For Windows XP, double-click to start.
For Vista or Windows 7-8, right-click the program, select Run as Administrator to start it, and when prompted, allow it to run.

Click Scan to scan the system.
When the scan completes > Close out the program > Don't Fix anything!

Don't run any other options; they're not all bad!

Post back the report which should be located on your desktop.
(please don't put logs in code or quotes)


Best regards
If you wish to show appreciation and support me personally fighting against malware, then you can consider a donation. Thank you. :thumbup2:
Malware fix forum
If I don't reply within 24 hours please PM me!
#5 TheSentinel

  • Topic Starter
  • Members
  • 42 posts

Posted 18 February 2016 - 08:34 PM

Fix result of Farbar Recovery Scan Tool (x64) Version:17-02-2016
Ran by raul (2016-02-18 14:22:25) Run:1
Running from C:\Users\raul\Desktop
Loaded Profiles: raul (Available Profiles: raul)
Boot Mode: Normal
==============================================
 
fixlist content:
*****************
start
Task: {064BB8B3-B144-4139-BCE8-9C7538F8A171} - System32\Tasks\UpdateAdmin => C:\Users\raul\AppData\Local\UpdateAdmin\UpdateAdmin.exe [2014-10-16] (DownloadAdmin) <==== ATTENTION
Task: {5EA2128C-943A-418C-9BC8-E91DF9D05D09} - System32\Tasks\TidyNetwork Update => C:\Users\raul\AppData\Local\TidyNetwork\petnupdate.exe
Task: {61F6EF9E-1144-4168-A8DE-6BB27A8B8335} - System32\Tasks\WSE_Astromenda => C:\Users\raul\AppData\Roaming\WSE_Astromenda\UpdateProc\UpdateTask.exe [2015-04-06] () <==== ATTENTION
Task: {D0536895-D9BC-46F2-9956-0A085C80FE78} - System32\Tasks\RunTool => C:\Users\raul\AppData\Local\Temp\install_temp.exe [2015-03-09] () <==== ATTENTION
Task: C:\Windows\Tasks\WSE_Astromenda.job => C:\Users\raul\AppData\Roaming\WSE_AS~1\UPDATE~1\UPDATE~1.EXE <==== ATTENTION
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcpltsvc => ""=""
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\mcpltsvc => ""=""
FirewallRules: [{C91EC5A9-D4B6-494C-84F8-6D30DE7E8895}] => (Allow) C:\Program Files\Common Files\mcafee\platform\McSvcHost\McSvHost.exe
FirewallRules: [{B7A6B4B3-8689-463E-9AD5-D20086D5C264}] => (Allow) C:\Program Files\Common Files\mcafee\platform\McSvcHost\McSvHost.exe
FirewallRules: [{13F87A1E-5CA4-45A5-8BD7-DCFEDC0D5385}] => (Allow) C:\Program Files (x86)\PremierOpinion\pmropn.exe
FirewallRules: [{4F1FB276-0EA5-4326-9A2A-B903F587FED0}] => (Allow) C:\Program Files (x86)\PremierOpinion\pmropn.exe
HKU\S-1-5-21-2824485615-429292516-596377084-1001\...\Run: [UpdateAdmin] => C:\Users\raul\AppData\Local\UpdateAdmin\UpdateAdmin.exe [225552 2014-10-16] (DownloadAdmin)
HKU\S-1-5-21-2824485615-429292516-596377084-1001\...\MountPoints2: {6d01570b-8291-11e4-825c-3464a9c301ba} - "F:\VerizonWirelessUpgradeAssistantSetup.exe" -a
HKU\S-1-5-21-2824485615-429292516-596377084-1001\...\MountPoints2: {b8552450-9bef-11e5-827d-3464a9c301ba} - "G:\VerizonWirelessUpgradeAssistantSetup.exe" -a
AppInit_DLLs: C:\PROGRA~2\SearchProtect\SearchProtect\bin\VC64Loader.dll => C:\Program Files (x86)\SearchProtect\SearchProtect\bin\VC64Loader.dll [246080 2014-11-27] ()
AppInit_DLLs-x32: c:\progra~2\searchprotect\searchprotect\bin\vc32loader.dll => c:\Program Files (x86)\searchprotect\searchprotect\bin\vc32loader.dll [216896 2014-11-27] ()
IFEO\bbqleads.exe: [Debugger] TaskList.exe
IFEO\bbqleadsapplication.exe: [Debugger] TaskList.exe
IFEO\bbqleadsservice.exe: [Debugger] TaskList.exe
IFEO\bbqquotes.exe: [Debugger] TaskList.exe
IFEO\ContentExplorer.exe: [Debugger] TaskList.exe
IFEO\donutleads.exe: [Debugger] TaskList.exe
IFEO\donutquotes.exe: [Debugger] TaskList.exe
IFEO\internetenhancer.exe: [Debugger] TaskList.exe
IFEO\internetenhancerservice.exe: [Debugger] TaskList.exe
IFEO\pastaleads.exe: [Debugger] TaskList.exe
IFEO\pastaquotes.exe: [Debugger] TaskList.exe
IFEO\spyhunter.exe: [Debugger] TaskList.exe
IFEO\theanswerfinder.exe: [Debugger] TaskList.exe
IFEO\wajam.exe: [Debugger] TaskList.exe
IFEO\wajaminternetenhancer.exe: [Debugger] TaskList.exe
IFEO\WajamInternetEnhancerApp.exe: [Debugger] TaskList.exe
IFEO\WajamInternetEnhancerAppservice.exe: [Debugger] TaskList.exe
IFEO\wajaminternetenhancerservice.exe: [Debugger] TaskList.exe
ProxyEnable: [S-1-5-19] => Proxy is enabled.
ProxyServer: [S-1-5-19] => 127.0.0.1:5050
ProxyEnable: [S-1-5-20] => Proxy is enabled.
ProxyServer: [S-1-5-20] => 127.0.0.1:5050
ProxyServer: [S-1-5-21-2824485615-429292516-596377084-1001] => 127.0.0.1:5050
HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Start Page = about:blank
HKU\S-1-5-21-2824485615-429292516-596377084-1001\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
SearchScopes: HKLM -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = hxxp://groovorio.com/results.php?f=4&q={searchTerms}&a=grv_tight3_14_33&cd=2XzuyEtN2Y1L1QzutAzz0BtC0D0BtD0CyDyEtBtDyC0CyCtDtN0D0Tzu0StCtDyByCtN1L2XzutAtFyCtFtCtDtFtCtN1L1Czu2Z1L1N1M2Z1VtCyE1VtCzztN1L1G1B1V1N2Y1L1Qzu2StAtAyB0C0A0EtA0AtGtB0AtA0BtGtA0FyCtBtGzztAtDtBtGyC0FtC0EyB0AyDzz0F0A0E0B2QtN1M1F1B2Z1V1N2Y1L1Qzu2SyCzyyDtCyB0C0AzztG0DtByE0EtGyEtByEtCtGzy0B0A0BtG0CyB0B0C0D0AyEtC0FyDyDyE2Q&cr=1837525749&ir=
SearchScopes: HKLM -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = hxxp://groovorio.com/results.php?f=4&q={searchTerms}&a=grv_tight3_14_33&cd=2XzuyEtN2Y1L1QzutAzz0BtC0D0BtD0CyDyEtBtDyC0CyCtDtN0D0Tzu0StCtDyByCtN1L2XzutAtFyCtFtCtDtFtCtN1L1Czu2Z1L1N1M2Z1VtCyE1VtCzztN1L1G1B1V1N2Y1L1Qzu2StAtAyB0C0A0EtA0AtGtB0AtA0BtGtA0FyCtBtGzztAtDtBtGyC0FtC0EyB0AyDzz0F0A0E0B2QtN1M1F1B2Z1V1N2Y1L1Qzu2SyCzyyDtCyB0C0AzztG0DtByE0EtGyEtByEtCtGzy0B0A0BtG0CyB0B0C0D0AyEtC0FyDyDyE2Q&cr=1837525749&ir=
SearchScopes: HKLM -> {2E00D31D-D171-423D-836D-1A4D7EA7F1A9} URL = 
SearchScopes: HKLM -> {7774025B-A05C-4A80-B026-A30BAB92BC83} URL = hxxp://www.amazon.com/s/ref=azs_osd_iea?ie=UTF-8&tag=hp-us2-vsb-20&link%5Fcode=qs&index=aps&field-keywords={searchTerms}
SearchScopes: HKLM -> {DC91FAFB-6CEA-49E5-BB74-9CEE75D09B77} URL = 
SearchScopes: HKLM-x32 -> {7774025B-A05C-4A80-B026-A30BAB92BC83} URL = hxxp://www.amazon.com/s/ref=azs_osd_iea?ie=UTF-8&tag=hp-us2-vsb-20&link%5Fcode=qs&index=aps&field-keywords={searchTerms}
SearchScopes: HKU\S-1-5-21-2824485615-429292516-596377084-1001 -> DefaultScope {014DB5FA-EAFB-4592-A95B-F44D3EE87FA9} URL = hxxp://astromenda.com/results.php?f=4&q={searchTerms}&a=irast&cd=2XzuyEtN2Y1L1QzutAzz0BtC0D0BtD0CyDyEtBtDyC0CyCtDtN0D0Tzu0StCtCzytCtN1L2XzutAtFyCtFtBtFtDtN1L1Czu0C0I0S0V0E0R1V1QtN1L1G1B1V1N2Y1L1Qzu2StC0BtCtCtC0CtCtDtGyB0C0AtAtGtBtAtB0AtGzy0EtDyCtGyD0AzytCzyzzzyyD0AtDyBtB2QtN1M1F1B2Z1V1N2Y1L1Qzu2SyCzyyDtCyB0C0AzztG0DtByE0EtGyEtByEtCtGzy0B0A0BtG0CyB0B0C0D0AyEtC0FyDyDyE2Q&cr=53455050&ir=
SearchScopes: HKU\S-1-5-21-2824485615-429292516-596377084-1001 -> {014DB5FA-EAFB-4592-A95B-F44D3EE87FA9} URL = hxxp://astromenda.com/results.php?f=4&q={searchTerms}&a=irast&cd=2XzuyEtN2Y1L1QzutAzz0BtC0D0BtD0CyDyEtBtDyC0CyCtDtN0D0Tzu0StCtCzytCtN1L2XzutAtFyCtFtBtFtDtN1L1Czu0C0I0S0V0E0R1V1QtN1L1G1B1V1N2Y1L1Qzu2StC0BtCtCtC0CtCtDtGyB0C0AtAtGtBtAtB0AtGzy0EtDyCtGyD0AzytCzyzzzyyD0AtDyBtB2QtN1M1F1B2Z1V1N2Y1L1Qzu2SyCzyyDtCyB0C0AzztG0DtByE0EtGyEtByEtCtGzy0B0A0BtG0CyB0B0C0D0AyEtC0FyDyDyE2Q&cr=53455050&ir=
SearchScopes: HKU\S-1-5-21-2824485615-429292516-596377084-1001 -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = hxxp://groovorio.com/results.php?f=4&q={searchTerms}&a=grv_tight3_14_33&cd=2XzuyEtN2Y1L1QzutAzz0BtC0D0BtD0CyDyEtBtDyC0CyCtDtN0D0Tzu0StCtDyByCtN1L2XzutAtFyCtFtCtDtFtCtN1L1Czu2Z1L1N1M2Z1VtCyE1VtCzztN1L1G1B1V1N2Y1L1Qzu2StAtAyB0C0A0EtA0AtGtB0AtA0BtGtA0FyCtBtGzztAtDtBtGyC0FtC0EyB0AyDzz0F0A0E0B2QtN1M1F1B2Z1V1N2Y1L1Qzu2SyCzyyDtCyB0C0AzztG0DtByE0EtGyEtByEtCtGzy0B0A0BtG0CyB0B0C0D0AyEtC0FyDyDyE2Q&cr=1837525749&ir=
SearchScopes: HKU\S-1-5-21-2824485615-429292516-596377084-1001 -> {2E00D31D-D171-423D-836D-1A4D7EA7F1A9} URL = hxxp://Vosteran.com/results.php?f=4&q={searchTerms}&a=vst_ggbg_nan_nan_ch&cd=2XzuyEtN2Y1L1QzutAzz0BtC0D0BtD0CyDyEtBtDyC0CyCtDtN0D0Tzu0StCtDyBzztN1L2XzutAtFyCtFtCtDtFtCtDtN1L1CzutCyEtBzytDyD1V1StN1L1G1B1V1N2Y1L1Qzu2SyE0EyEtCzyzz0CtAtGzzzzyCtBtG0C0F0AtCtGyEyD0AtBtGyD0D0FzzyE0CtDzytBtB0CyD2QtN1M1F1B2Z1V1N2Y1L1Qzu2SyCzyyDtCyB0C0AzztG0DtByE0EtGyEtByEtCtGzy0B0A0BtG0CyB0B0C0D0AyEtC0FyDyDyE2Q&cr=1963451034&ir=
SearchScopes: HKU\S-1-5-21-2824485615-429292516-596377084-1001 -> {7774025B-A05C-4A80-B026-A30BAB92BC83} URL = hxxp://www.amazon.com/s/ref=azs_osd_iea?ie=UTF-8&tag=hp-us2-vsb-20&link%5Fcode=qs&index=aps&field-keywords={searchTerms}
SearchScopes: HKU\S-1-5-21-2824485615-429292516-596377084-1001 -> {DC91FAFB-6CEA-49E5-BB74-9CEE75D09B77} URL = hxxp://www.trovi.com/Results.aspx?gd=&ctid=CT3333245&octid=EB_ORIGINAL_CTID&ISID=ME739EB96-F84B-4804-83D1-0D78A6A0684B&SearchSource=58&CUI=&UM=6&UP=SP92CC5790-4EE2-4E7A-A03F-BACFFB76C282&q={searchTerms}&SSPV=&SSPV=
StartMenuInternet: IEXPLORE.EXE - iexplore.exe
CHR HomePage: Default -> hxxp://www.trovi.com/?gd=&ctid=CT3333245&octid=EB_ORIGINAL_CTID&ISID=ME739EB96-F84B-4804-83D1-0D78A6A0684B&SearchSource=55&CUI=&UM=6&UP=SP92CC5790-4EE2-4E7A-A03F-BACFFB76C282&SSPV=&SSPV=
CHR HKLM\...\Chrome\Extension: [blmchfpimpbbdmgpcieclabeafkljbhm] - hxxps://clients2.google.com/service/update2/crx
CHR HKLM\...\Chrome\Extension: [oilkkkefbalmbfppgjmgjoefbclebkce] - hxxps://clients2.google.com/service/update2/crx
CHR HKLM\...\Chrome\Extension: [pfkfdlcdbajamklbneflfbcmfgddmpae] - hxxps://clients2.google.com/service/update2/crx
CHR HKU\S-1-5-21-2824485615-429292516-596377084-1001\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [blmchfpimpbbdmgpcieclabeafkljbhm] - hxxps://clients2.google.com/service/update2/crx
CHR HKU\S-1-5-21-2824485615-429292516-596377084-1001\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [oilkkkefbalmbfppgjmgjoefbclebkce] - hxxps://clients2.google.com/service/update2/crx
CHR HKU\S-1-5-21-2824485615-429292516-596377084-1001\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [pfkfdlcdbajamklbneflfbcmfgddmpae] - hxxps://clients2.google.com/service/update2/crx
CHR HKLM-x32\...\Chrome\Extension: [blmchfpimpbbdmgpcieclabeafkljbhm] - hxxps://clients2.google.com/service/update2/crx
CHR HKLM-x32\...\Chrome\Extension: [dmidaiabaeipgkcooijbikmdcofhpakp] - hxxps://clients2.google.com/service/update2/crx
CHR HKLM-x32\...\Chrome\Extension: [oilkkkefbalmbfppgjmgjoefbclebkce] - hxxps://clients2.google.com/service/update2/crx
CHR HKLM-x32\...\Chrome\Extension: [pfkfdlcdbajamklbneflfbcmfgddmpae] - hxxps://clients2.google.com/service/update2/crx
S4 CltMngSvc; C:\Program Files (x86)\SearchProtect\Main\bin\CltMngSvc.exe [3312960 2014-11-27] () [File not signed]
S4 Diagnostics; C:\Program Files (x86)\Common Files\Diagnostics\node\service.exe [154624 2014-12-12] () [File not signed] <==== ATTENTION
S4 Proxy; C:\Program Files (x86)\Common Files\Diagnostics\node\service.exe [154624 2014-12-12] () [File not signed] <==== ATTENTION
S1 wpnfd_1_10_0_2; system32\drivers\wpnfd_1_10_0_2.sys [X]
2016-02-12 18:51 - 2014-09-24 19:21 - 00000000 ____D C:\ProgramData\McAfee
2016-02-12 18:51 - 2014-09-24 19:21 - 00000000 ____D C:\Program Files\Common Files\mcafee
2016-02-12 18:51 - 2014-09-24 19:21 - 00000000 ____D C:\Program Files (x86)\McAfee
C:\Windows\Tasks\WSE_Astromenda.job
C:\Users\raul\AppData\Local\pinger.com
 C:\Users\raul\AppData\Roaming\gtk-2.0
C:\Users\raul\Desktop\Thumbs.db
C:\Users\raul\Downloads\Thumbs.db
2015-04-23 15:44 - 2015-08-31 17:44 - 0000202 _____ () C:\Users\raul\AppData\Roaming\WB.CFG
2014-12-12 21:05 - 2014-12-12 21:05 - 0000064 _____ () C:\Users\raul\AppData\Local\9cc4c62492ded345cb7c97c269516d87
2015-05-10 15:44 - 2015-05-10 15:44 - 0000010 _____ () C:\Users\raul\AppData\Local\DSI.DAT
2015-08-05 19:09 - 2015-08-05 19:09 - 0613255 _____ (CMI Limited) C:\Users\raul\AppData\Local\nsi7775.tmp
2015-08-05 19:35 - 2015-08-05 19:34 - 0613255 _____ (CMI Limited) C:\Users\raul\AppData\Local\nsoFC7.tmp
2015-08-05 23:57 - 2015-08-05 23:56 - 0613255 _____ (CMI Limited) C:\Users\raul\AppData\Local\nsp9310.tmp
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\services\Proxy
HKU\S-1-5-21-2824485615-429292516-596377084-1001\...\StartupApproved\Run: => "UpdateAdmin"
HKU\S-1-5-21-2824485615-429292516-596377084-1001\...\StartupApproved\Run\UpdateAdmin
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\services\PremierOpinion
RemoveProxy:
EmptyTemp:
End 
*****************
 
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{064BB8B3-B144-4139-BCE8-9C7538F8A171}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{064BB8B3-B144-4139-BCE8-9C7538F8A171}" => key removed successfully
C:\Windows\System32\Tasks\UpdateAdmin => not found.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\UpdateAdmin" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{5EA2128C-943A-418C-9BC8-E91DF9D05D09}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{5EA2128C-943A-418C-9BC8-E91DF9D05D09}" => key removed successfully
C:\Windows\System32\Tasks\TidyNetwork Update => moved successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\TidyNetwork Update" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{61F6EF9E-1144-4168-A8DE-6BB27A8B8335}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{61F6EF9E-1144-4168-A8DE-6BB27A8B8335}" => key removed successfully
C:\Windows\System32\Tasks\WSE_Astromenda => moved successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\WSE_Astromenda" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon\{D0536895-D9BC-46F2-9956-0A085C80FE78}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{D0536895-D9BC-46F2-9956-0A085C80FE78}" => key removed successfully
C:\Windows\System32\Tasks\RunTool => not found.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\RunTool" => key removed successfully
C:\Windows\Tasks\WSE_Astromenda.job => moved successfully
"HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\mcpltsvc" => key removed successfully
"HKLM\System\CurrentControlSet\Control\SafeBoot\Network\mcpltsvc" => key removed successfully
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{C91EC5A9-D4B6-494C-84F8-6D30DE7E8895} => value removed successfully
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{B7A6B4B3-8689-463E-9AD5-D20086D5C264} => value removed successfully
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{13F87A1E-5CA4-45A5-8BD7-DCFEDC0D5385} => value removed successfully
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{4F1FB276-0EA5-4326-9A2A-B903F587FED0} => value removed successfully
HKU\S-1-5-21-2824485615-429292516-596377084-1001\Software\Microsoft\Windows\CurrentVersion\Run\\UpdateAdmin => value not found.
"HKU\S-1-5-21-2824485615-429292516-596377084-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{6d01570b-8291-11e4-825c-3464a9c301ba}" => key removed successfully
HKCR\CLSID\{6d01570b-8291-11e4-825c-3464a9c301ba} => key not found. 
"HKU\S-1-5-21-2824485615-429292516-596377084-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b8552450-9bef-11e5-827d-3464a9c301ba}" => key removed successfully
HKCR\CLSID\{b8552450-9bef-11e5-827d-3464a9c301ba} => key not found. 
"C:\PROGRA~2\SearchProtect\SearchProtect\bin\VC64Loader.dll" => Value data not found.
"c:\progra~2\searchprotect\searchprotect\bin\vc32loader.dll" => Value data not found.
"HKLM\Software\microsoft\windows nt\currentversion\Image File Execution Options\bbqleads.exe" => key removed successfully
"HKLM\Software\microsoft\windows nt\currentversion\Image File Execution Options\bbqleadsapplication.exe" => key removed successfully
"HKLM\Software\microsoft\windows nt\currentversion\Image File Execution Options\bbqleadsservice.exe" => key removed successfully
"HKLM\Software\microsoft\windows nt\currentversion\Image File Execution Options\bbqquotes.exe" => key removed successfully
"HKLM\Software\microsoft\windows nt\currentversion\Image File Execution Options\ContentExplorer.exe" => key removed successfully
"HKLM\Software\microsoft\windows nt\currentversion\Image File Execution Options\donutleads.exe" => key removed successfully
"HKLM\Software\microsoft\windows nt\currentversion\Image File Execution Options\donutquotes.exe" => key removed successfully
"HKLM\Software\microsoft\windows nt\currentversion\Image File Execution Options\internetenhancer.exe" => key removed successfully
"HKLM\Software\microsoft\windows nt\currentversion\Image File Execution Options\internetenhancerservice.exe" => key removed successfully
"HKLM\Software\microsoft\windows nt\currentversion\Image File Execution Options\pastaleads.exe" => key removed successfully
"HKLM\Software\microsoft\windows nt\currentversion\Image File Execution Options\pastaquotes.exe" => key removed successfully
"HKLM\Software\microsoft\windows nt\currentversion\Image File Execution Options\spyhunter.exe" => key removed successfully
"HKLM\Software\microsoft\windows nt\currentversion\Image File Execution Options\theanswerfinder.exe" => key removed successfully
"HKLM\Software\microsoft\windows nt\currentversion\Image File Execution Options\wajam.exe" => key removed successfully
"HKLM\Software\microsoft\windows nt\currentversion\Image File Execution Options\wajaminternetenhancer.exe" => key removed successfully
"HKLM\Software\microsoft\windows nt\currentversion\Image File Execution Options\WajamInternetEnhancerApp.exe" => key removed successfully
"HKLM\Software\microsoft\windows nt\currentversion\Image File Execution Options\WajamInternetEnhancerAppservice.exe" => key removed successfully
"HKLM\Software\microsoft\windows nt\currentversion\Image File Execution Options\wajaminternetenhancerservice.exe" => key removed successfully
HKU\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxyEnable => value removed successfully
HKU\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxyServer => value removed successfully
HKU\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxyEnable => value removed successfully
HKU\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxyServer => value removed successfully
HKU\S-1-5-21-2824485615-429292516-596377084-1001\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxyServer => value not found.
HKLM\Software\\Microsoft\Internet Explorer\Main\\Start Page => value restored successfully
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main\\Start Page => value restored successfully
HKU\S-1-5-21-2824485615-429292516-596377084-1001\Software\Microsoft\Internet Explorer\Main\\Start Page => value restored successfully
HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => value restored successfully
"HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}" => key removed successfully
HKCR\CLSID\{0633EE93-D776-472f-A0FF-E1416B8B2E3A} => key not found. 
"HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{2E00D31D-D171-423D-836D-1A4D7EA7F1A9}" => key removed successfully
HKCR\CLSID\{2E00D31D-D171-423D-836D-1A4D7EA7F1A9} => key not found. 
"HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{7774025B-A05C-4A80-B026-A30BAB92BC83}" => key removed successfully
HKCR\CLSID\{7774025B-A05C-4A80-B026-A30BAB92BC83} => key not found. 
"HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{DC91FAFB-6CEA-49E5-BB74-9CEE75D09B77}" => key removed successfully
HKCR\CLSID\{DC91FAFB-6CEA-49E5-BB74-9CEE75D09B77} => key not found. 
"HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\{7774025B-A05C-4A80-B026-A30BAB92BC83}" => key removed successfully
HKCR\Wow6432Node\CLSID\{7774025B-A05C-4A80-B026-A30BAB92BC83} => key not found. 
HKU\S-1-5-21-2824485615-429292516-596377084-1001\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => value removed successfully
"HKU\S-1-5-21-2824485615-429292516-596377084-1001\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{014DB5FA-EAFB-4592-A95B-F44D3EE87FA9}" => key removed successfully
HKCR\CLSID\{014DB5FA-EAFB-4592-A95B-F44D3EE87FA9} => key not found. 
"HKU\S-1-5-21-2824485615-429292516-596377084-1001\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}" => key removed successfully
HKCR\CLSID\{0633EE93-D776-472f-A0FF-E1416B8B2E3A} => key not found. 
"HKU\S-1-5-21-2824485615-429292516-596377084-1001\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{2E00D31D-D171-423D-836D-1A4D7EA7F1A9}" => key removed successfully
HKCR\CLSID\{2E00D31D-D171-423D-836D-1A4D7EA7F1A9} => key not found. 
"HKU\S-1-5-21-2824485615-429292516-596377084-1001\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{7774025B-A05C-4A80-B026-A30BAB92BC83}" => key removed successfully
HKCR\CLSID\{7774025B-A05C-4A80-B026-A30BAB92BC83} => key not found. 
"HKU\S-1-5-21-2824485615-429292516-596377084-1001\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{DC91FAFB-6CEA-49E5-BB74-9CEE75D09B77}" => key removed successfully
HKCR\CLSID\{DC91FAFB-6CEA-49E5-BB74-9CEE75D09B77} => key not found. 
HKLM\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command\\Default => value restored successfully
Chrome HomePage => not found.
"HKLM\SOFTWARE\Google\Chrome\Extensions\blmchfpimpbbdmgpcieclabeafkljbhm" => key removed successfully
"HKLM\SOFTWARE\Google\Chrome\Extensions\oilkkkefbalmbfppgjmgjoefbclebkce" => key removed successfully
"HKLM\SOFTWARE\Google\Chrome\Extensions\pfkfdlcdbajamklbneflfbcmfgddmpae" => key removed successfully
"HKU\S-1-5-21-2824485615-429292516-596377084-1001\SOFTWARE\Google\Chrome\Extensions\blmchfpimpbbdmgpcieclabeafkljbhm" => key removed successfully
"HKU\S-1-5-21-2824485615-429292516-596377084-1001\SOFTWARE\Google\Chrome\Extensions\oilkkkefbalmbfppgjmgjoefbclebkce" => key removed successfully
"HKU\S-1-5-21-2824485615-429292516-596377084-1001\SOFTWARE\Google\Chrome\Extensions\pfkfdlcdbajamklbneflfbcmfgddmpae" => key removed successfully
"HKLM\SOFTWARE\Wow6432Node\Google\Chrome\Extensions\blmchfpimpbbdmgpcieclabeafkljbhm" => key removed successfully
"HKLM\SOFTWARE\Wow6432Node\Google\Chrome\Extensions\dmidaiabaeipgkcooijbikmdcofhpakp" => key removed successfully
"HKLM\SOFTWARE\Wow6432Node\Google\Chrome\Extensions\oilkkkefbalmbfppgjmgjoefbclebkce" => key removed successfully
"HKLM\SOFTWARE\Wow6432Node\Google\Chrome\Extensions\pfkfdlcdbajamklbneflfbcmfgddmpae" => key removed successfully
CltMngSvc => service not found.
Diagnostics => service not found.
Proxy => service not found.
wpnfd_1_10_0_2 => service removed successfully
C:\ProgramData\McAfee => moved successfully
C:\Program Files\Common Files\mcafee => moved successfully
C:\Program Files (x86)\McAfee => moved successfully
"C:\Windows\Tasks\WSE_Astromenda.job" => not found.
C:\Users\raul\AppData\Local\pinger.com => moved successfully
C:\Users\raul\AppData\Roaming\gtk-2.0 => moved successfully
C:\Users\raul\Desktop\Thumbs.db => moved successfully
C:\Users\raul\Downloads\Thumbs.db => moved successfully
C:\Users\raul\AppData\Roaming\WB.CFG => moved successfully
C:\Users\raul\AppData\Local\9cc4c62492ded345cb7c97c269516d87 => moved successfully
C:\Users\raul\AppData\Local\DSI.DAT => moved successfully
C:\Users\raul\AppData\Local\nsi7775.tmp => moved successfully
C:\Users\raul\AppData\Local\nsoFC7.tmp => moved successfully
C:\Users\raul\AppData\Local\nsp9310.tmp => moved successfully
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\services\Proxy => Error: No automatic fix found for this entry.
HKU\S-1-5-21-2824485615-429292516-596377084-1001\Software\Microsoft\Windows\CurrentVersion\Run\\HKU\S-1-5-21-2824485615-429292516-596377084-1001\...\StartupApproved\Run: => "UpdateAdmin" => value not found.
HKU\S-1-5-21-2824485615-429292516-596377084-1001\...\StartupApproved\Run\UpdateAdmin => Error: No automatic fix found for this entry.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\services\PremierOpinion => Error: No automatic fix found for this entry.
 
========= RemoveProxy: =========
 
HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\\DefaultConnectionSettings => value removed successfully
HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\\SavedLegacySettings => value removed successfully
HKU\S-1-5-21-2824485615-429292516-596377084-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\\DefaultConnectionSettings => value removed successfully
HKU\S-1-5-21-2824485615-429292516-596377084-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\\SavedLegacySettings => value removed successfully
 
 
========= End of RemoveProxy: =========
 
EmptyTemp: => 1015 MB temporary data Removed.
 
 
The system needed a reboot.
 
==== End of Fixlog 14:23:14 ====


#6 TheSentinel
  • Topic Starter
  • Members
  • 42 posts

Posted 18 February 2016 - 08:42 PM

Malwarebytes Anti-Malware is over 4000 lines long and is too long to post
 
 
RogueKiller V11.0.12.0 [Feb 15 2016] (Free) by Adlice Software
 
Operating System : Windows 8.1 (6.3.9600) 64 bits version
Started in : Normal mode
User : raul [Administrator]
Started from : C:\Users\raul\Desktop\RogueKiller.exe
Mode : Scan -- Date : 02/18/2016 16:38:49
 
¤¤¤ Processes : 0 ¤¤¤
 
¤¤¤ Registry : 4 ¤¤¤
[PUP] (X86) HKEY_LOCAL_MACHINE\Software\ORBTR -> Found
[PUP] (X86) HKEY_LOCAL_MACHINE\Software\SpeedBrowser -> Found
[PUM.StartMenu] (X64) HKEY_USERS\S-1-5-21-2824485615-429292516-596377084-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_TrackProgs : 0  -> Found
[PUM.StartMenu] (X86) HKEY_USERS\S-1-5-21-2824485615-429292516-596377084-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_TrackProgs : 0  -> Found
 
¤¤¤ Tasks : 0 ¤¤¤
 
¤¤¤ Files : 7 ¤¤¤
[PUP][File] C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\speed browser.lnk [LNK@] C:\Program Files (x86)\speed browser\Application\browser.exe -> Found
[PUP][File] C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\speed browser.lnk [LNK@] C:\Program Files (x86)\speed browser\Application\browser.exe -> Found
[PUP][Folder] C:\ProgramData\Service1291 -> Found
[PUP][Folder] C:\ProgramData\{C19CA186-4F06-4E22-A1E6-6BAB4723A0DE} -> Found
[PUP][Folder] C:\Program Files (x86)\adlevel -> Found
[PUP][Folder] C:\Program Files (x86)\FriendlyError -> Found
[PUP][Folder] C:\Program Files (x86)\predm -> Found
 
¤¤¤ Hosts File : 0 ¤¤¤
 
¤¤¤ Antirootkit : 0 (Driver: Not loaded [0xc000036b]) ¤¤¤
 
¤¤¤ Web browsers : 3 ¤¤¤
[PUM.Proxy][FIREFX:Config] 0aaysr0z.default : user_pref("network.proxy.http","127.0.0.1"); -> Found
[PUM.Proxy][FIREFX:Config] 0aaysr0z.default : user_pref("network.proxy.http_port",5050); -> Found
[PUM.Proxy][FIREFX:Config] 0aaysr0z.default : user_pref("network.proxy.type",1); -> Found
 
¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: ST750LM022 HN-M750MBB +++++
--- User ---
[MBR] 5166926760d9a8cc55738f0c1fc4df70
[BSP] 283c0d4fa2674c83d7add96d11a5a528 : Empty MBR Code
Partition table:
0 - [SYSTEM][MAN-MOUNT] Basic data partition | Offset (sectors): 2048 | Size: 650 MB
1 - [MAN-MOUNT] EFI system partition | Offset (sectors): 1333248 | Size: 260 MB
2 - [MAN-MOUNT] Microsoft reserved partition | Offset (sectors): 1865728 | Size: 128 MB
3 - Basic data partition | Offset (sectors): 2127872 | Size: 691570 MB
4 - [SYSTEM] Basic data partition | Offset (sectors): 1418463232 | Size: 22790 MB
User = LL1 ... OK
User = LL2 ... OK
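The Firefox entries RogueKiller flagged in this log (network.proxy.type set to 1 with network.proxy.http pointing at 127.0.0.1:5050, a local interception proxy of the kind ad-injecting adware installs) can be checked for in any profile's prefs.js. The Python below is an added example, not part of the post or of RogueKiller: it parses a constructed prefs.js modelled on those findings (the sample text and the regex are assumptions) and reports a manual proxy, tagging loopback hosts, and also reports a PAC script configured via network.proxy.type 2.

```python
import re
from typing import Dict, List, Union

PrefValue = Union[str, int, bool]

# Constructed sample prefs.js, modelled on the RogueKiller findings for
# profile 0aaysr0z.default in the log above; it is not the user's real file.
SAMPLE_PREFS_JS = """\
// Mozilla User Preferences
user_pref("browser.startup.homepage", "https://example.org/");
user_pref("network.proxy.http", "127.0.0.1");
user_pref("network.proxy.http_port", 5050);
user_pref("network.proxy.type", 1);
user_pref("network.proxy.no_proxies_on", "localhost, 127.0.0.1");
"""

# One user_pref("name", value); line. The value is a quoted string,
# an integer, or true/false.
PREF_RE = re.compile(r'^\s*user_pref\("([^"]+)",\s*(.+?)\);\s*$')

LOOPBACK_HOSTS = {"127.0.0.1", "localhost", "::1"}


def parse_prefs(text: str) -> Dict[str, PrefValue]:
    """Parse prefs.js / user.js text into a dict of typed values."""
    prefs: Dict[str, PrefValue] = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if not m:
            continue  # comments, blank lines, anything that is not a pref
        key, raw = m.group(1), m.group(2).strip()
        if len(raw) >= 2 and raw[0] == raw[-1] == '"':
            prefs[key] = raw[1:-1]
        elif raw in ("true", "false"):
            prefs[key] = raw == "true"
        else:
            try:
                prefs[key] = int(raw)
            except ValueError:
                prefs[key] = raw  # leave unexpected shapes as text
    return prefs


def find_proxy_hijack(prefs: Dict[str, PrefValue]) -> List[str]:
    """Return findings for a manual proxy (type 1) or a PAC script (type 2).

    Type 0 (no proxy), 4 (auto-detect) and 5 (system settings) produce no
    finding. A loopback host is tagged separately because adware commonly
    runs its interception proxy on the local machine, as in the log above.
    """
    findings: List[str] = []
    ptype = prefs.get("network.proxy.type")
    if ptype == 2:
        url = prefs.get("network.proxy.autoconfig_url", "<unset>")
        findings.append(f"pac -> {url}")
        return findings
    if ptype != 1:
        return findings
    for scheme in ("http", "ssl", "socks"):
        host = prefs.get(f"network.proxy.{scheme}")
        if not isinstance(host, str) or not host:
            continue
        port = prefs.get(f"network.proxy.{scheme}_port", 0)
        tag = "loopback" if host.lower() in LOOPBACK_HOSTS else "remote"
        findings.append(f"{scheme} -> {host}:{port} ({tag})")
    return findings


if __name__ == "__main__":
    for finding in find_proxy_hijack(parse_prefs(SAMPLE_PREFS_JS)):
        print("proxy setting found:", finding)
```

Run it against the prefs.js of each profile under the Firefox profiles directory; a clean profile with default settings returns no findings.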


#7 olgun52
  • Malware Response Team
  • 3,807 posts

Posted 19 February 2016 - 01:37 PM

"Malwarebytes Anti-Malware is over 4000 lines long and is too long to post"

 

After zipping or RAR-ing it, you can send it as an attachment, or you can send it in pieces, or you can upload it with wikisend.


Edited by olgun52, 19 February 2016 - 01:38 PM.

Best regards
 
paypal.gif
If you wish to show appreciation and support me personally fighting against malware, then you can consider a donation. Thank you. :thumbup2:
Malware fix forum
If I don't reply within 24 hours please PM me!

 


 


#8 TheSentinel
  • Topic Starter
  • Members
  • 42 posts

Posted 19 February 2016 - 02:45 PM

There we go, it was just too many lines to load but not over the max attachment size.

Attached Files



#9 olgun52
  • Malware Response Team
  • 3,807 posts

Posted 19 February 2016 - 03:08 PM

Thank you for the Logs. :thumbup2:
Copy the below code to Notepad; Save As fixlist.txt to your Desktop.

start
HKEY_LOCAL_MACHINE\Software\ORBTR
HKEY_LOCAL_MACHINE\Software\SpeedBrowser
C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\speed browser.lnk [LNK@] C:\Program Files (x86)\speed browser\Application\browser.exe
C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\speed browser.lnk [LNK@] C:\Program Files (x86)\speed browser\Application\browser.exe
C:\ProgramData\Service1291
C:\ProgramData\{C19CA186-4F06-4E22-A1E6-6BAB4723A0DE}
C:\Program Files (x86)\adlevel
C:\Program Files (x86)\FriendlyError
C:\Program Files (x86)\predm
end

Close Notepad.

NOTE: It's important that both files, FRST64 and fixlist.txt, are in the same location or the fix will not work.

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.

Run FRST64 and press the Fix button just once and wait.

If the tool needs a restart, please make sure you let the system restart normally and let the tool complete its run after the restart.

The tool will make a log on the Desktop (Fixlog.txt). Attach it to your reply.

Note: If the tool warns you about an outdated version please download and run the updated version.

==========================================================================================
 

Please scan your machine with ESET OnlineScan

  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the ESET OnlineScan button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on esetsmartinstaller_enu.exe to download the ESET Smart Installer.
      Save it to your Desktop.
    • Double click on the esetsmartinstaller_enu.exe icon on your Desktop.
  • Check "YES, I accept the Terms of Use."
  • Click the Start button.
  • Accept any security warnings from your browser.
  • Under Scan Settings, check "Scan Archives" and "Remove found threats"
  • Click Advanced settings and select the following:
    • Scan potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth technology
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, click List Threats
  • Click Export, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Click the Back button.
  • Click the Finish button.
  • A log file is created at C:\Program Files\ESET\EsetOnlineScanner\log.txt.

=========================================================================

How is the machine running now, and are there any issues? Please let me know.

 



 


 


#10 TheSentinel
  • Topic Starter
  • Members
  • 42 posts

Posted 20 February 2016 - 10:29 AM

Fix result of Farbar Recovery Scan Tool (x64) Version:17-02-2016
Ran by raul (2016-02-19 12:19:03) Run:2
Running from C:\Users\raul\Desktop
Loaded Profiles: raul (Available Profiles: raul)
Boot Mode: Normal
==============================================

fixlist content:
*****************
start
HKEY_LOCAL_MACHINE\Software\ORBTR
HKEY_LOCAL_MACHINE\Software\SpeedBrowser
C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\speed browser.lnk [LNK@] C:\Program Files (x86)\speed browser\Application\browser.exe
C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\speed browser.lnk [LNK@] C:\Program Files (x86)\speed browser\Application\browser.exe
C:\ProgramData\Service1291
C:\ProgramData\{C19CA186-4F06-4E22-A1E6-6BAB4723A0DE}
C:\Program Files (x86)\adlevel
C:\Program Files (x86)\FriendlyError
C:\Program Files (x86)\predm
end
*****************

HKEY_LOCAL_MACHINE\Software\ORBTR => Error: No automatic fix found for this entry.
HKEY_LOCAL_MACHINE\Software\SpeedBrowser => Error: No automatic fix found for this entry.
"C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\speed browser.lnk [LNK@] C:\Program Files (x86)\speed browser\Application\browser.exe" => not found.
"C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\speed browser.lnk [LNK@] C:\Program Files (x86)\speed browser\Application\browser.exe" => not found.
C:\ProgramData\Service1291 => moved successfully
C:\ProgramData\{C19CA186-4F06-4E22-A1E6-6BAB4723A0DE} => moved successfully
C:\Program Files (x86)\adlevel => moved successfully
C:\Program Files (x86)\FriendlyError => moved successfully
C:\Program Files (x86)\predm => moved successfully

==== End of Fixlog 12:19:04 ====

 

C:\cars\gimp-setup.exe a variant of Win32/DownloadAdmin.J potentially unwanted application cleaned by deleting
C:\cars\Open_office_Setup.exe a variant of Win32/InstallCore.ADX.gen potentially unwanted application cleaned by deleting
C:\FRST\Quarantine\C\Users\raul\AppData\Local\nsi7775.tmp.xBAD Win32/AnyProtect.G potentially unwanted application deleted
C:\FRST\Quarantine\C\Users\raul\AppData\Local\nsoFC7.tmp.xBAD Win32/AnyProtect.G potentially unwanted application deleted
C:\FRST\Quarantine\C\Users\raul\AppData\Local\nsp9310.tmp.xBAD Win32/AnyProtect.G potentially unwanted application deleted
C:\Program Files (x86)\Common Files\Cache utility\node\conf.js Win32/UnlimitedDownloads.D potentially unwanted application cleaned by deleting
C:\Program Files (x86)\Common Files\Cache utility\node\service.exe a variant of Win32/UnlimitedDownloads.F potentially unwanted application cleaned by deleting
C:\Program Files (x86)\Common Files\Cache utility\node\sys.node a variant of Win32/UnlimitedDownloads.I potentially unwanted application cleaned by deleting
C:\Program Files (x86)\Common Files\Common dictionary\node\conf.js Win32/UnlimitedDownloads.D potentially unwanted application cleaned by deleting
C:\Program Files (x86)\Common Files\Common dictionary\node\service.exe a variant of Win32/UnlimitedDownloads.F potentially unwanted application cleaned by deleting
C:\Program Files (x86)\Common Files\Common dictionary\node\sys.node a variant of Win32/UnlimitedDownloads.I potentially unwanted application cleaned by deleting
C:\Program Files (x86)\Common Files\Display settings\node\conf.js Win32/UnlimitedDownloads.D potentially unwanted application cleaned by deleting
C:\Program Files (x86)\Common Files\Display settings\node\service.exe a variant of Win32/UnlimitedDownloads.F potentially unwanted application cleaned by deleting
C:\Program Files (x86)\Common Files\Display settings\node\sys.node a variant of Win32/UnlimitedDownloads.I potentially unwanted application cleaned by deleting

 

 

The laptop seems to run better. Do you think I should try updating to Win 10?
 



#11 olgun52
  • Malware Response Team
  • 3,807 posts

Posted 20 February 2016 - 12:58 PM

Your system was very bad and we did a lot of deletion. My suggestion: let's do the repair mentioned before. What do you say?

If you say yes, please do the following:

 

Download Windows Repair (All in One) from this site
Install the program then run it.

NOTE 1. In Windows Vista, 7 and 8 right click on the program, click "Run As Administrator".
NOTE 2. Disable your antivirus program before running Windows Repair.

 

Go to Step 2 by clicking on the Open Pre-scan button.

Now, go to Step 3 and click on the Check button next to 1. See If Check Disk Is Needed.
If the tool indicates that the Check Disk is needed, click on the Do It button next to 2. Check Disk, then restart your computer.

Once the above is done, go to Step 4 and allow it to run System File Check by clicking on the Do It button.

Go to Step 5 and under "System Restore" click on the Create button.

Go to the Start Repairs tab and click the Start button.

Leave the check marks as they are.
NOTE for Windows 8 users: Reset Registry Permissions is NOT checked by design.
Click on the Start Repairs button.

After the repair is finished, you may be prompted to restart the computer. Please allow it to do so.

Please post the Windows Repair log which is located in the following folder:
64-bit systems - C:\Program Files (x86)\Tweaking.com\Windows Repair (All in One)\Logs
32-bit systems - C:\Program Files\Tweaking.com\Windows Repair (All in One)\Logs

 



 


 


#12 TheSentinel
  • Topic Starter
  • Members
  • 42 posts

Posted 20 February 2016 - 05:51 PM

Tweaking.com - Windows Repair v3.8.3
--------------------------------------------------------------------------------

System Variables
--------------------------------------------------------------------------------
OS: Windows 8.1
OS Architecture: 64-bit
OS Version: 6.3.9600
OS Service Pack:
Computer Name: RGWORK
Windows Drive: C:\
Windows Path: C:\Windows
Program Files: C:\Program Files
Program Files (x86): C:\Program Files (x86)
Current Profile: C:\Users\raul
Current Profile SID: S-1-5-21-2824485615-429292516-596377084-1001
Current Profile Classes: S-1-5-21-2824485615-429292516-596377084-1001_Classes
Profiles Location: C:\Users
Profiles Location 2: C:\Windows\ServiceProfiles
Local Settings AppData: C:\Users\raul\AppData\Local
--------------------------------------------------------------------------------

System Information
--------------------------------------------------------------------------------
System Up Time: 0 Days 01:12:07

Process Count: 63
Commit Total: 1.73 GB
Commit Limit: 9.56 GB
Commit Peak: 1.92 GB
Handle Count: 19809
Kernel Total: 511.37 MB
Kernel Paged: 340.79 MB
Kernel Non Paged: 170.58 MB
System Cache: 4.31 GB
Thread Count: 709
--------------------------------------------------------------------------------

Memory Before Cleaning with CleanMem
--------------------------------------------------------------------------------
Memory Total: 5.93 GB
Memory Used: 1.70 GB(28.6226%)
Memory Avail.: 4.24 GB
--------------------------------------------------------------------------------

Cleaning Memory Before Starting Repairs...

Memory After Cleaning with CleanMem
--------------------------------------------------------------------------------
Memory Total: 5.93 GB
Memory Used: 1.35 GB(22.7237%)
Memory Avail.: 4.59 GB
--------------------------------------------------------------------------------

Starting Repairs...
   Started at (2/20/2016 12:44:26 PM)

Setting Any Missing 'InstallDate' From Uninstall Sections Before Running Repair...
Total Missing 'InstallDate' Fixed: 45
 
01 - Reset Registry Permissions
   Restore Windows 7/8/10 Default Registry Permissions
   Start (2/20/2016 12:44:32 PM)

Decompressing & Updating Windows Permission File C:\Program Files (x86)\Tweaking.com\Windows Repair (All in One)\files\permissions\8\hku.7z
Done,  1.77 seconds.

Decompressing & Updating Windows Permission File C:\Program Files (x86)\Tweaking.com\Windows Repair (All in One)\files\permissions\8\hklm.7z
Done,  6.86 seconds.

   Running Repair Under System Account
   Done (2/20/2016 12:50:24 PM)

Reset File Permissions: C:
   C: & Sub Folders
   Start (2/20/2016 12:50:24 PM)

   Running Repair Under Current User Account
   Done (2/20/2016 1:10:57 PM)

Reset File Permissions
   Restore Windows 7/8/10 Default File Permissions
   Start (2/20/2016 1:10:57 PM)

Decompressing & Updating Windows Permission File C:\Program Files (x86)\Tweaking.com\Windows Repair (All in One)\files\permissions\8\default.7z
Done,  0.22 seconds.

Decompressing & Updating Windows Permission File C:\Program Files (x86)\Tweaking.com\Windows Repair (All in One)\files\permissions\8\profile.7z
Done,  0.39 seconds.

Decompressing & Updating Windows Permission File C:\Program Files (x86)\Tweaking.com\Windows Repair (All in One)\files\permissions\8\program_files.7z
Done,  0.81 seconds.

Decompressing & Updating Windows Permission File C:\Program Files (x86)\Tweaking.com\Windows Repair (All in One)\files\permissions\8\program_files_x86.7z
Done,  0.31 seconds.

Decompressing & Updating Windows Permission File C:\Program Files (x86)\Tweaking.com\Windows Repair (All in One)\files\permissions\8\programdata.7z
Done,  0.25 seconds.

Decompressing & Updating Windows Permission File C:\Program Files (x86)\Tweaking.com\Windows Repair (All in One)\files\permissions\8\windows.7z
Done,  5.02 seconds.

   Running Repair Under Current User Account
   Done (2/20/2016 1:21:01 PM)

Reset File Permissions: Cleanup
   Repairing Restricted Folders Permissions To Avoid Infinite Loops
   Start (2/20/2016 1:21:02 PM)

   Running Repair Under Current User Account
   Running Repair Under System Account
   Done (2/20/2016 1:21:06 PM)

03 - Reset Service Permissions
   Start (2/20/2016 1:21:06 PM)

   Running Repair Under Current User Account
   Running Repair Under System Account
   Done (2/20/2016 1:21:53 PM)

04 - Register System Files
   Start (2/20/2016 1:21:53 PM)
   Running Repair Under Current User Account
   Running Repair Under System Account
   Done (2/20/2016 1:23:29 PM)

05 - Repair WMI
   Start (2/20/2016 1:23:29 PM)

   Starting Security Center So We Can Export The Security Info.

   Exporting Antivirus Info...
   Windows Defender Exported.

   Exporting AntiSpyware Info...
   Windows Defender Exported.

   Exporting 3rd Party Firewall Info...
   No Firewall Products Reported.

   Running Repair Under Current User Account
   Done (2/20/2016 1:30:23 PM)

06 - Repair Windows Firewall
   Start (2/20/2016 1:30:23 PM)

Decompressing & Updating Windows Permission File C:\Program Files (x86)\Tweaking.com\Windows Repair (All in One)\files\permissions\8\services.7z
Done,  0.31 seconds.

   Running Repair Under Current User Account
   Running Repair Under System Account
   Done (2/20/2016 1:30:48 PM)

07 - Repair Internet Explorer
   Start (2/20/2016 1:30:48 PM)
   Running Repair Under Current User Account
   Running Repair Under System Account
   Done (2/20/2016 1:32:17 PM)

08 - Repair MDAC/MS Jet
   Start (2/20/2016 1:32:17 PM)
   Running Repair Under Current User Account
   Running Repair Under System Account
   Done (2/20/2016 1:32:33 PM)

09 - Repair Hosts File
   Start (2/20/2016 1:32:33 PM)
   Running Repair Under System Account
   Done (2/20/2016 1:32:34 PM)

10 - Remove Policies Set By Infections
   Start (2/20/2016 1:32:34 PM)
   Running Repair Under Current User Account
   Running Repair Under System Account
   Done (2/20/2016 1:32:39 PM)

11 - Repair Start Menu Icons Removed By Infections
   Start (2/20/2016 1:32:39 PM)
   Running Repair Under System Account
   Done (2/20/2016 1:32:40 PM)

12 - Repair Icons
   Start (2/20/2016 1:32:40 PM)
   Running Repair Under Current User Account
   Done (2/20/2016 1:32:42 PM)

13 - Repair Network
   Start (2/20/2016 1:32:42 PM)

Decompressing & Updating Windows Permission File C:\Program Files (x86)\Tweaking.com\Windows Repair (All in One)\files\permissions\8\services.7z
Done,  0.42 seconds.

   Running Repair Under Current User Account
   Running Repair Under System Account
   Done (2/20/2016 1:33:08 PM)

14 - Remove Temp Files
   Start (2/20/2016 1:33:08 PM)
   Running Repair Under System Account
   Done (2/20/2016 1:33:09 PM)

15 - Repair Proxy Settings
   Start (2/20/2016 1:33:09 PM)
   Running Repair Under Current User Account
   Running Repair Under System Account
   Done (2/20/2016 1:33:11 PM)

17 - Repair Windows Updates
   Start (2/20/2016 1:33:11 PM)

Decompressing & Updating Windows Permission File C:\Program Files (x86)\Tweaking.com\Windows Repair (All in One)\files\permissions\8\services.7z
Done,  0.36 seconds.

   Running Repair Under Current User Account
   Running Repair Under System Account
   Setting Windows Updates Files That Are In Use To Be Removed At Next Boot.
   Done (2/20/2016 1:33:53 PM)

18 - Repair CD/DVD Missing/Not Working
   Start (2/20/2016 1:33:53 PM)
   iTunes or GEARAspiWDM.sys not found, not applying UpperFilters iTunes Reg Key
   Done (2/20/2016 1:33:53 PM)

19 - Repair Volume Shadow Copy Service
   Start (2/20/2016 1:33:53 PM)

Decompressing & Updating Windows Permission File C:\Program Files (x86)\Tweaking.com\Windows Repair (All in One)\files\permissions\8\services.7z
Done,  0.3 seconds.

   Running Repair Under Current User Account
   Running Repair Under System Account
   Done (2/20/2016 1:34:23 PM)

20 - Repair Windows Sidebar/Gadgets
   Start (2/20/2016 1:34:23 PM)
   Running Repair Under Current User Account
   Running Repair Under System Account
   Done (2/20/2016 1:34:26 PM)

21 - Repair MSI (Windows Installer)
   Start (2/20/2016 1:34:26 PM)

Decompressing & Updating Windows Permission File C:\Program Files (x86)\Tweaking.com\Windows Repair (All in One)\files\permissions\8\services.7z
Done,  0.3 seconds.

   Running Repair Under Current User Account
   Running Repair Under System Account
   Done (2/20/2016 1:34:42 PM)

22 - Repair Windows Snipping Tool
   Start (2/20/2016 1:34:42 PM)
   Running Repair Under Current User Account
   Running Repair Under System Account
   Done (2/20/2016 1:34:45 PM)

23.01 - Repair bat Association
   Start (2/20/2016 1:34:45 PM)
   Running Repair Under Current User Account
   Running Repair Under System Account
   Done (2/20/2016 1:34:47 PM)

23.02 - Repair cmd Association
   Start (2/20/2016 1:34:47 PM)
   Running Repair Under Current User Account
   Running Repair Under System Account
   Done (2/20/2016 1:34:49 PM)

23.03 - Repair com Association
   Start (2/20/2016 1:34:50 PM)
   Running Repair Under Current User Account
   Running Repair Under System Account
   Done (2/20/2016 1:34:52 PM)

23.04 - Repair Directory Association
   Start (2/20/2016 1:34:52 PM)
   Running Repair Under Current User Account
   Running Repair Under System Account
   Done (2/20/2016 1:34:54 PM)

23.05 - Repair Drive Association
   Start (2/20/2016 1:34:54 PM)
   Running Repair Under Current User Account
   Running Repair Under System Account
   Done (2/20/2016 1:34:57 PM)

23.06 - Repair exe Association
   Start (2/20/2016 1:34:57 PM)
   Running Repair Under Current User Account
   Running Repair Under System Account
   Done (2/20/2016 1:34:59 PM)

23.07 - Repair Folder Association
   Start (2/20/2016 1:34:59 PM)
   Running Repair Under Current User Account
   Running Repair Under System Account
   Done (2/20/2016 1:35:02 PM)

23.08 - Repair inf Association
   Start (2/20/2016 1:35:02 PM)
   Running Repair Under Current User Account
   Running Repair Under System Account
   Done (2/20/2016 1:35:04 PM)

23.09 - Repair lnk (Shortcuts) Association
   Start (2/20/2016 1:35:04 PM)
   Running Repair Under Current User Account
   Running Repair Under System Account
   Done (2/20/2016 1:35:06 PM)

23.10 - Repair msc Association
   Start (2/20/2016 1:35:06 PM)
   Running Repair Under Current User Account
   Running Repair Under System Account
   Done (2/20/2016 1:35:09 PM)

23.11 - Repair reg Association
   Start (2/20/2016 1:35:09 PM)
   Running Repair Under Current User Account
   Running Repair Under System Account
   Done (2/20/2016 1:35:11 PM)

23.12 - Repair scr Association
   Start (2/20/2016 1:35:11 PM)
   Running Repair Under Current User Account
   Running Repair Under System Account
   Done (2/20/2016 1:35:14 PM)

24 - Repair Windows Safe Mode
   Start (2/20/2016 1:35:14 PM)
   Running Repair Under Current User Account
   Running Repair Under System Account
   Done (2/20/2016 1:35:16 PM)

25 - Repair Print Spooler
   Start (2/20/2016 1:35:16 PM)

Decompressing & Updating Windows Permission File C:\Program Files (x86)\Tweaking.com\Windows Repair (All in One)\files\permissions\8\services.7z
Done,  0.29 seconds.

   Running Repair Under Current User Account
   Running Repair Under System Account
   Done (2/20/2016 1:35:35 PM)

26 - Restore Important Windows Services
   Start (2/20/2016 1:35:35 PM)

Decompressing & Updating Windows Permission File C:\Program Files (x86)\Tweaking.com\Windows Repair (All in One)\files\permissions\8\services.7z
Done,  0.33 seconds.

   Running Repair Under Current User Account
   Running Repair Under System Account
   Done (2/20/2016 1:35:53 PM)

27 - Set Windows Services To Default Startup
   Start (2/20/2016 1:35:53 PM)
   Running Repair Under Current User Account
   Running Repair Under System Account
   Done (2/20/2016 1:36:02 PM)

28.01 - Repair Windows 8/10 App Store
   Start (2/20/2016 1:36:02 PM)

Decompressing & Updating Windows Permission File C:\Program Files (x86)\Tweaking.com\Windows Repair (All in One)\files\permissions\8\hku.7z
Done,  0.7 seconds.

   Running Repair Under Current User Account
   Done (2/20/2016 1:42:59 PM)

29 - Repair Windows 8/10 Component Store
   Start (2/20/2016 1:42:59 PM)
   Running Repair Under Current User Account
   Done (2/20/2016 2:22:55 PM)

30 - Restore Windows 8/10 COM+ Unmarshalers
   Start (2/20/2016 2:22:55 PM)
   Running Repair Under System Account
[X] -----Job Complete-----      Items Done: 1     
   Done (2/20/2016 2:22:59 PM)

31 - Repair Windows 'New' Submenu
   Start (2/20/2016 2:22:59 PM)
   Running Repair Under Current User Account
   Running Repair Under System Account
   Done (2/20/2016 2:23:01 PM)

32 - Restore UAC (User Account Control) Settings
   Start (2/20/2016 2:23:01 PM)
   Running Repair Under Current User Account
   Running Repair Under System Account
   Done (2/20/2016 2:23:04 PM)

33 - Repair Performance Counters
   Start (2/20/2016 2:23:04 PM)
   Running Repair Under Current User Account
   Done (2/20/2016 2:23:24 PM)

Cleaning up empty logs...

All Selected Repairs Done.
   Done at (2/20/2016 2:23:25 PM)
   Total Repair Time: 01:39:03

...YOU MUST RESTART YOUR SYSTEM...
How do we look?



#13 olgun52

olgun52

  • Malware Response Team
  • 3,807 posts
  • OFFLINE
  • Gender:Male
  • Local time:08:54 AM

Posted 21 February 2016 - 04:59 PM

How do we look?

The report looks good. I do not see a problem. You can upgrade now. I can now close the topic.

Thank you for your patience.  Please do the following:

In any case please download delfix to your desktop.

  • Close all other programs and start delfix.
  • Please check all the boxes and run the tool.
  • delfix will now delete all found traces of our removal process.

You can do the following:

The easiest and safest way to do this is:

  • Go to Start > Programs > Accessories > System Tools and click "System Restore".
  • Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the R.P. a name, then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.

To remove all but the most recently created Restore Point:

  • Go to Start > Run and type: Cleanmgr
  • Click "Ok". Disk Cleanup will scan your files for several minutes, then open.
  • Click the "More Options" tab, then click the "Clean up" button under System Restore.
  • Click Ok. You will be prompted with "Are you sure you want to delete all but the most recent restore point?"
  • Click Yes, then click Ok.
  • Click Yes again when prompted with "Are you sure you want to perform these actions?"
  • Disk Cleanup will remove the files and close automatically. Vista and Windows 7 users can refer to these links: Create a New Restore Point in Vista or Windows 7 and Disk Cleanup in Vista.

ERUNT (Emergency Recovery Utility NT) allows you to keep a complete backup of your registry and restore it when needed. The standard registry backup options that come with Windows back up most of the registry but not all of it. ERUNT however creates a complete backup set, including the Security hive and user related sections. ERUNT is easy to use and since it creates a full backup, there are no options or choices other than to select the location of the backup files. The backup set includes a small executable that will launch the registry restore if needed.

Please take the time to carefully review the info contained below. It's invaluable.
Answers to common security questions - Best Practices

How Malware Spreads - How your system gets infected

Best Practices for Safe Computing - Prevention of Malware Infection


Some safety suggestions!

Best regards.


Edited by olgun52, 21 February 2016 - 05:03 PM.

Best regards
If you wish to show appreciation and support me personally fighting against malware, then you can consider a donation. Thank you. :thumbup2:
Malware fix forum
If I don't reply within 24 hours please PM me!

#14 TheSentinel

TheSentinel
  • Topic Starter

  • Members
  • 42 posts
  • OFFLINE
  • Local time:09:54 PM

Posted 21 February 2016 - 05:13 PM

Yup, I'll give it a shot and let you know if it doesn't work, thanks for your help.

#15 olgun52

olgun52

  • Malware Response Team
  • 3,807 posts
  • OFFLINE
  • Gender:Male
  • Local time:08:54 AM

Posted 21 February 2016 - 05:17 PM

Glad to have helped. :thumbup2:

Good Luck


Best regards