
Cannot install any AV and browsing Internet too slow in any browser.


  • This topic is locked
12 replies to this topic

#1 nmcomp

  • Members
  • 9 posts
  • Gender: Male
  • Location: Argentina

Posted 11 March 2016 - 01:14 PM

Hi all! :)

 

I'm having trouble trying to install any antivirus: I run the setup and nothing happens. (Originally Avast 5 was installed but not running, and I couldn't update it either, so I uninstalled it.)

After several days I managed to install Avira but it's in offline state - can't connect to update definitions.

Internet browsing is too slow in any browser (I'm writing this from another computer right now because on the infected one it's impossible).

 

I must say that I cleaned several viruses and malware just before this happened: I was not able to execute any .exe file, and when browsing and trying to load any AV site the browser redirected me to ad pages. (This is now resolved.)

 

I already ran Malwarebytes and it removed a bunch of malware related stuff.

I also ran AdwCleaner, TDSSKiller and Hitman Pro. If needed I can attach the log files.

 

Here's my FRST log.
Thanks!!

 

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version:05-03-2016 01
Ran by user (administrator) on USER-PC (11-03-2016 01:00:54)
Running from C:\Nueva carpeta
Loaded Profiles: user (Available Profiles: user)
Platform: Microsoft Windows 7 Home Basic  Service Pack 1 (X86) Language: Español (España, internacional)
Internet Explorer Version 11 (Default browser: Opera)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(Qksee Pvt Ltd.) C:\Program Files\qksee\qkseeSvc.exe
(BlueStack Systems, Inc.) C:\Program Files\BlueStacks\HD-LogRotatorService.exe
(BlueStack Systems, Inc.) C:\Program Files\BlueStacks\HD-UpdaterService.exe
() C:\Program Files\SkypeUpdateEx\SkypeUpdateEx.exe
(Microsoft Corporation) C:\ProgramData\Windows Security\winsecurity.exe
(Microsoft Corporation) C:\Users\user\AppData\Roaming\XBox\XBLive.exe
(Avira Operations GmbH & Co. KG) C:\Program Files\Avira\Launcher\Avira.ServiceHost.exe
(Microsoft Corporation) C:\Windows\System32\UI0Detect.exe
(Avira Operations GmbH & Co. KG) C:\Program Files\Avira\Launcher\Avira.Systray.exe
(Microsoft Corporation) C:\Windows\System32\GWX\GWX.exe
(Microsoft Corporation) C:\Windows\System32\wisptis.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe


==================== Registry (Whitelisted) ===========================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [Avira SystrayStartTrigger] => C:\Program Files\Avira\Launcher\Avira.SystrayStartTrigger.exe [66328 2016-01-27] (Avira Operations GmbH & Co. KG)
HKU\S-1-5-21-4237170706-1981101310-1019621162-1000\...\Policies\Explorer: [NoSetActiveDesktop] 0
HKU\S-1-5-21-4237170706-1981101310-1019621162-1000\...\MountPoints2: E - E:\AutoRun.exe
HKU\S-1-5-21-4237170706-1981101310-1019621162-1000\...\MountPoints2: H - H:\AutoRun.exe
HKU\S-1-5-21-4237170706-1981101310-1019621162-1000\...\MountPoints2: {03efd8cc-80f0-11e5-890a-d027889f81f1} - H:\AutoRun.exe
HKU\S-1-5-21-4237170706-1981101310-1019621162-1000\...\MountPoints2: {0e3e315f-5844-11e3-b067-d027889f81f1} - E:\AutoRun.exe
HKU\S-1-5-21-4237170706-1981101310-1019621162-1000\...\MountPoints2: {2f33b5a5-c4b7-11e3-8dd1-d027889f81f1} - H:\AutoRun.exe
HKU\S-1-5-21-4237170706-1981101310-1019621162-1000\...\MountPoints2: {500a8064-8459-11e3-bc1f-d027889f81f1} - E:\AutoRun.exe
HKU\S-1-5-21-4237170706-1981101310-1019621162-1000\...\MountPoints2: {500a81bd-8459-11e3-bc1f-d027889f81f1} - E:\AutoRun.exe
HKU\S-1-5-21-4237170706-1981101310-1019621162-1000\...\MountPoints2: {500a81c6-8459-11e3-bc1f-d027889f81f1} - E:\AutoRun.exe
HKU\S-1-5-21-4237170706-1981101310-1019621162-1000\...\MountPoints2: {500a81da-8459-11e3-bc1f-d027889f81f1} - E:\AutoRun.exe
HKU\S-1-5-21-4237170706-1981101310-1019621162-1000\...\MountPoints2: {500a81e4-8459-11e3-bc1f-d027889f81f1} - E:\AutoRun.exe
HKU\S-1-5-21-4237170706-1981101310-1019621162-1000\...\MountPoints2: {68b71d70-26c3-11e3-b09e-d027889f81f1} - G:\AutoRun.exe
HKU\S-1-5-21-4237170706-1981101310-1019621162-1000\...\MountPoints2: {68b71d80-26c3-11e3-b09e-d027889f81f1} - E:\AutoRun.exe
HKU\S-1-5-21-4237170706-1981101310-1019621162-1000\...\MountPoints2: {6dd28601-521f-11e3-bb1b-806e6f6e6963} - E:\AutoRun.exe
HKU\S-1-5-21-4237170706-1981101310-1019621162-1000\...\MountPoints2: {7b3e6af0-1625-11e3-a4f9-806e6f6e6963} - D:\Install.exe
HKU\S-1-5-21-4237170706-1981101310-1019621162-1000\...\MountPoints2: {86d8d5dc-521f-11e3-b221-d027889f81f1} - E:\AutoRun.exe
HKU\S-1-5-21-4237170706-1981101310-1019621162-1000\...\MountPoints2: {86d8d610-521f-11e3-b221-d027889f81f1} - E:\AutoRun.exe
HKU\S-1-5-21-4237170706-1981101310-1019621162-1000\...\MountPoints2: {b81a2428-e52e-11e3-831b-d027889f81f1} - H:\AutoRun.exe
HKU\S-1-5-21-4237170706-1981101310-1019621162-1000\...\MountPoints2: {cab55911-722d-11e3-87d7-d027889f81f1} - E:\AutoRun.exe
HKU\S-1-5-21-4237170706-1981101310-1019621162-1000\...\MountPoints2: {cab5592a-722d-11e3-87d7-d027889f81f1} - E:\AutoRun.exe
HKU\S-1-5-21-4237170706-1981101310-1019621162-1000\...\MountPoints2: {cab55947-722d-11e3-87d7-d027889f81f1} - H:\AutoRun.exe
HKU\S-1-5-21-4237170706-1981101310-1019621162-1000\...\MountPoints2: {dc41c429-285a-11e3-b259-d027889f81f1} - E:\AutoRun.exe
HKU\S-1-5-21-4237170706-1981101310-1019621162-1000\...\MountPoints2: {fdfdd499-275d-11e5-a22f-d027889f81f1} - I:\Startme.exe
HKU\S-1-5-18\...\RunOnce: [SPReview] => C:\Windows\System32\SPReview\SPReview.exe [280576 2013-10-04] (Microsoft Corporation)
ShellIconOverlayIdentifiers: [###MegaShellExtPending] -> {056D528D-CE28-4194-9BA3-BA2E9197FF8C} => C:\Users\user\AppData\Local\MEGAsync\ShellExtX32.dll [2014-05-01] ()
ShellIconOverlayIdentifiers: [###MegaShellExtSynced] -> {05B38830-F4E9-4329-978B-1DD28605D202} => C:\Users\user\AppData\Local\MEGAsync\ShellExtX32.dll [2014-05-01] ()
ShellIconOverlayIdentifiers: [###MegaShellExtSyncing] -> {0596C850-7BDD-4C9D-AFDF-873BE6890637} => C:\Users\user\AppData\Local\MEGAsync\ShellExtX32.dll [2014-05-01] ()
ShellIconOverlayIdentifiers: [ExplorerEx] -> {E056AFDD-03E9-4D73-8D33-8FCCBCA73438} =>  No File
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\AutorunsDisabled [2016-03-08] ()
Startup: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AutorunsDisabled [2016-03-08] ()
GroupPolicy: Restriction - Chrome <======= ATTENTION
CHR HKLM\SOFTWARE\Policies\Google: Restriction <======= ATTENTION

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

ProxyServer: [S-1-5-21-4237170706-1981101310-1019621162-1000] => http=127.0.0.1:8080;https=127.0.0.1:8080
AutoConfigURL: [S-1-5-21-4237170706-1981101310-1019621162-1000] => http=127.0.0.1:8080;https=127.0.0.1:8080
Winsock: Catalog5 07 C:\ProgramData\System32\SafeGuard32.dll [1536952 2015-11-09] ()
Tcpip\Parameters: [DhcpNameServer] 192.168.1.1
Tcpip\..\Interfaces\{70206D9E-0BAB-4D05-B114-4238B0A81171}: [DhcpNameServer] 192.168.1.1
Tcpip\..\Interfaces\{88F484F1-5E29-423B-B5D3-2B589CBB44EC}: [DhcpNameServer] 192.168.42.129
Tcpip\..\Interfaces\{D2BB9A3D-0970-4E5A-B65F-882DD37A0AB5}: [DhcpNameServer] 192.168.42.129
Tcpip\..\Interfaces\{E816FE55-B252-491C-A64D-FA99CAE2134B}: [DhcpNameServer] 192.168.42.129
Tcpip\..\Interfaces\{FA81E09F-4556-4143-B5EF-8EB75E27A2E6}: [DhcpNameServer] 192.168.1.1
ManualProxies: 1http=127.0.0.1:8080;https=127.0.0.1:8080

Internet Explorer:
==================
HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.google.com
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = hxxp://www.google.com
BHO: Java™ Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files\Java\jre1.8.0_60\bin\ssv.dll [2015-10-19] (Oracle Corporation)
BHO: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL [2013-03-06] (Microsoft Corporation)
BHO: Java™ Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files\Java\jre1.8.0_60\bin\jp2ssv.dll [2015-10-19] (Oracle Corporation)
Toolbar: HKLM - No Name - {4F524A2D-5354-2D53-5045-7A786E7484D7} -  No File
Toolbar: HKLM - No Name - {41524553-2D56-3700-76A7-7A786E7484D7} -  No File

FireFox:
========
FF ProfilePath: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\gk7452zf.default
FF Homepage: hxxps://www.malwarebytes.org/restorebrowser//?type=hppp&ts=1434541889&from=xtab&uid=9EE2C88A88F74a2d8F299430B3C762F4
FF DefaultSearchEngine: Bing
FF SelectedSearchEngine: Bing
FF SearchEngineOrder.3: Bing
FF Keyword.URL: hxxp://www.bing.com/search?FORM=U313DF&PC=U313&q=
FF Plugin: @java.com/DTPlugin,version=10.13.2 -> C:\Windows\system32\npDeployJava1.dll [2015-01-28] (Oracle Corporation)
FF Plugin: @java.com/JavaPlugin,version=11.60.2 -> C:\Program Files\Java\jre1.8.0_60\bin\plugin2\npjp2.dll [2015-10-19] (Oracle Corporation)
FF Plugin: @microsoft.com/OfficeAuthz,version=14.0 -> C:\PROGRA~1\MICROS~2\Office14\NPAUTHZ.DLL [2010-01-09] (Microsoft Corporation)
FF Plugin: @microsoft.com/SharePoint,version=14.0 -> C:\PROGRA~1\MICROS~2\Office14\NPSPWRAP.DLL [2010-03-24] (Microsoft Corporation)
FF Plugin: @videolan.org/vlc,version=2.1.3 -> C:\Program Files\VideoLAN\VLC\npvlc.dll [2014-07-22] (VideoLAN)
FF Plugin: @videolan.org/vlc,version=2.1.5 -> C:\Program Files\VideoLAN\VLC\npvlc.dll [2014-07-22] (VideoLAN)
FF user.js: detected! => C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\gk7452zf.default\user.js [2016-03-07]
FF SearchPlugin: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\gk7452zf.default\searchplugins\bing-.xml [2016-03-08]
FF SearchPlugin: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\gk7452zf.default\searchplugins\improvedsearch.xml [2015-03-15]
FF SearchPlugin: C:\Program Files\mozilla firefox\browser\searchplugins\creativecommons.xml [2015-03-05]
FF SearchPlugin: C:\Program Files\mozilla firefox\browser\searchplugins\mercadolibre-ar.xml [2015-03-05]
FF Extension: Bitdefender QuickScan - C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\gk7452zf.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360} [2016-03-08]
FF Extension: Bing Search - C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\gk7452zf.default\Extensions\bingsearch.full@microsoft.com.xpi [2016-03-08]
FF Extension: Treasure Track - C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\gk7452zf.default\Extensions\{41f622d2-f0ee-4658-9f96-92d6bdce1b94}.xpi [2015-10-10] [not signed]

Chrome:
=======
CHR Profile: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default
CHR Extension: (Google Docs) - C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake [2015-05-03]
CHR Extension: (Google Drive) - C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2015-11-09]
CHR Extension: (YouTube) - C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2015-10-08]
CHR Extension: (Google Search) - C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf [2015-10-08]
CHR Extension: (Google Docs Offline) - C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi [2015-10-09]
CHR Extension: (Chrome Web Store Payments) - C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2015-07-31]
CHR Extension: (Gmail) - C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2015-10-08]

Opera:
=======
OPR StartupUrls: "hxxp://searchinterneat-a.akamaihd.net/h?eq=U0EeCFZVBB8SRggadghZAFsUQxhHIlxZTA1JEwEOeQsJWBQTFwQUIgoJAFhGFwMFIk0FA1oDB0VXfV5bFElXTwh3MlxZEkwDRGFRIVpT"
OPR Session Restore: -> is enabled.

==================== Services (Whitelisted) ========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R2 Avira.ServiceHost; C:\Program Files\Avira\Launcher\Avira.ServiceHost.exe [260456 2016-01-27] (Avira Operations GmbH & Co. KG)
S3 BstHdAndroidSvc; C:\Program Files\BlueStacks\HD-Service.exe [437880 2015-08-19] (BlueStack Systems, Inc.)
R2 BstHdLogRotatorSvc; C:\Program Files\BlueStacks\HD-LogRotatorService.exe [413304 2015-08-19] (BlueStack Systems, Inc.)
R2 BstHdUpdaterSvc; C:\Program Files\BlueStacks\HD-UpdaterService.exe [839288 2015-08-19] (BlueStack Systems, Inc.)
S4 DCService.exe; C:\ProgramData\DatacardService\DCService.exe [229376 2010-05-08] () [File not signed]
S3 Lenovo EasyPlus Hotspot; C:\Program Files\Common Files\LENOVO\easyplussdk\bin\EPHotspot.exe [509408 2015-07-22] (Lenovo)
S2 MBAMService; C:\Program Files\Malwarebytes Anti-Malware\mbamservice.exe [1135416 2015-10-05] (Malwarebytes)
R2 qkseeService; C:\Program Files\qksee\qkseeSvc.exe [695000 2016-02-14] (Qksee Pvt Ltd.)
R2 SkypeUpdateEx; C:\Program Files\SkypeUpdateEx\SkypeUpdateEx.exe [171952 2015-09-24] ()
R2 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [680960 2013-05-27] (Microsoft Corporation)
R2 WindowsSecurity; C:\ProgramData\Windows Security\winsecurity.exe [7244240 2016-03-07] (Microsoft Corporation)
R2 XBox; C:\Users\user\AppData\Roaming\XBox\XBLive.exe [5906904 2016-02-27] (Microsoft Corporation)
S3 avast! Mail Scanner; "C:\Program Files\Alwil Software\Avast5\AvastSvc.exe" [X]
S3 avast! Web Scanner; "C:\Program Files\Alwil Software\Avast5\AvastSvc.exe" [X]

===================== Drivers (Whitelisted) ==========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R2 BstHdDrv; C:\Program Files\BlueStacks\HD-Hypervisor-x86.sys [132216 2015-08-19] (BlueStack Systems)
S3 huawei_cdcacm; C:\Windows\System32\DRIVERS\ew_jucdcacm.sys [69504 2010-04-09] (Huawei Technologies Co., Ltd.)
S3 huawei_ext_ctrl; C:\Windows\System32\DRIVERS\ew_juextctrl.sys [25088 2010-04-09] (Huawei Technologies Co., Ltd.)
S3 jrdusbser; C:\Windows\System32\DRIVERS\jrdusbser.sys [106112 2011-06-20] (TCT International Mobile Ltd)
R3 MBAMProtector; C:\Windows\system32\drivers\mbam.sys [23256 2015-10-05] (Malwarebytes)
S3 MBAMWebAccessControl; C:\Windows\system32\drivers\mwac.sys [51928 2015-10-05] (Malwarebytes Corporation)
S3 netr28u; C:\Windows\System32\DRIVERS\netr28u.sys [657408 2009-07-13] (Ralink Technology Corp.)
S4 secdrv; C:\Windows\system32\Drivers\secdrv.sys [28400 2015-10-10] () [File not signed]
S1 ccesaixt; \??\C:\Windows\system32\drivers\ccesaixt.sys [X]
S3 cpuz134; \??\C:\Users\user\AppData\Local\Temp\cpuz134\cpuz134_x32.sys [X]
U5 ewusbnet; C:\Windows\System32\Drivers\ewusbnet.sys [204800 2010-04-07] (Huawei Technologies Co., Ltd.)
S3 huawei_wwanecm; system32\DRIVERS\ew_juwwanecm.sys [X]
S3 IntcAzAudAddService; system32\drivers\RTKVHDA.sys [X]
S1 ptwaalxy; \??\C:\Windows\system32\drivers\ptwaalxy.sys [X]

==================== NetSvcs (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)


==================== One Month Created files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2016-03-11 01:00 - 2016-03-11 01:00 - 00000000 ____D C:\FRST
2016-03-09 00:31 - 2016-03-09 00:31 - 00001132 _____ C:\Users\Public\Desktop\Avira Launcher.lnk
2016-03-09 00:31 - 2016-03-09 00:31 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Avira
2016-03-09 00:31 - 2016-03-09 00:31 - 00000000 ____D C:\ProgramData\Avira
2016-03-09 00:31 - 2016-03-09 00:31 - 00000000 ____D C:\Program Files\Avira
2016-03-09 00:30 - 2016-03-09 00:31 - 00000000 ____D C:\ProgramData\Package Cache
2016-03-09 00:28 - 2016-03-09 00:28 - 00000000 ____D C:\Program Files\ESET
2016-03-09 00:17 - 2016-03-09 00:17 - 00000000 ____D C:\ProgramData\Panda Security
2016-03-08 20:48 - 2016-03-10 23:29 - 00065536 _____ C:\Windows\system32\Ikeext.etl
2016-03-08 20:42 - 2016-03-08 20:42 - 00000000 ____D C:\ProgramData\Windows Security
2016-03-08 20:10 - 2016-03-08 20:10 - 00007616 _____ C:\Users\user\AppData\Local\Resmon.ResmonCfg
2016-03-08 19:44 - 2016-03-08 19:45 - 00190036 _____ C:\TDSSKiller.3.1.0.9_08.03.2016_19.44.39_log.txt
2016-03-08 00:51 - 2016-03-08 00:51 - 00000000 ____D C:\Users\user\AppData\Roaming\QuickScan
2016-03-08 00:45 - 2016-03-08 00:45 - 00000000 ____D C:\RegUnlocker Backups
2016-03-08 00:27 - 2016-03-08 00:39 - 00000000 ____D C:\ProgramData\HitmanPro
2016-03-08 00:26 - 2016-03-08 00:26 - 00295254 _____ C:\Users\user\Documents\cc_20160308_002603.reg
2016-03-08 00:26 - 2016-03-08 00:26 - 00005946 _____ C:\Users\user\Documents\cc_20160308_002612.reg
2016-03-08 00:26 - 2016-03-08 00:26 - 00003424 _____ C:\Users\user\Documents\cc_20160308_002620.reg
2016-03-08 00:21 - 2016-03-11 01:00 - 00000000 ____D C:\Nueva carpeta
2016-03-08 00:18 - 2016-03-09 00:20 - 00000000 ____D C:\ProgramData\AVAST Software
2016-03-08 00:16 - 2016-03-08 00:16 - 00001297 _____ C:\mbam-log.txt
2016-03-08 00:03 - 2016-03-08 00:03 - 00170200 _____ (Malwarebytes) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
2016-03-07 22:05 - 2016-03-08 20:32 - 00000000 ____D C:\Program Files\AdwCleaner
2016-03-07 22:04 - 2016-03-07 22:04 - 01524224 _____ C:\Users\user\Downloads\adwcleaner_5.101.exe
2016-03-07 21:57 - 2016-03-08 19:47 - 00000000 ____D C:\Users\user\AppData\LocalLow\uTorrent
2016-03-07 21:45 - 2016-03-10 23:29 - 00000000 ____D C:\Program Files\qksee
2016-03-07 21:45 - 2016-03-08 00:18 - 00001687 _____ C:\Users\Public\Desktop\qksee.lnk
2016-03-07 21:45 - 2016-03-07 21:45 - 00000000 ____D C:\Users\user\AppData\Roaming\qksee
2016-03-07 21:45 - 2016-03-07 21:45 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\qksee
2016-03-07 21:31 - 2016-03-07 21:31 - 00000000 ____D C:\Users\user\Downloads\RevoUninstallerPortable
2016-03-07 21:30 - 2016-03-07 21:31 - 02785665 _____ (PortableApps.com) C:\Users\user\Downloads\RevoUninstallerPortable_1.95_Rev_2.paf.exe
2016-03-07 21:26 - 2016-03-10 23:29 - 00000034 _____ C:\Users\Public\Documents\{DE764086-1C0A-4DD3-90BA-0B93BDD794BE}
2016-03-07 21:24 - 2016-03-08 00:18 - 00001018 _____ C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2016-03-07 21:24 - 2016-03-07 21:24 - 00000000 ____D C:\ProgramData\Malwarebytes
2016-03-07 21:24 - 2016-03-07 21:24 - 00000000 ____D C:\Program Files\Malwarebytes Anti-Malware
2016-03-07 21:24 - 2015-10-05 09:50 - 00094936 _____ (Malwarebytes) C:\Windows\system32\Drivers\mbamchameleon.sys
2016-03-07 21:24 - 2015-10-05 09:50 - 00051928 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mwac.sys
2016-03-07 21:24 - 2015-10-05 09:50 - 00023256 _____ (Malwarebytes) C:\Windows\system32\Drivers\mbam.sys
2016-03-07 21:20 - 2016-03-07 21:23 - 22908888 _____ (Malwarebytes ) C:\Users\user\Downloads\mbam-setup-org-2.2.0.1024.exe
2016-03-05 18:19 - 2016-03-05 18:19 - 00000000 ____D C:\$Anvi Rescue Disk$
2016-03-01 17:10 - 2016-03-01 17:12 - 00000000 ____D C:\Kaspersky Rescue Disk 10.0

==================== One Month Modified files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2016-03-11 01:00 - 2013-09-05 14:31 - 01676890 _____ C:\Windows\system32\PerfStringBackup.INI
2016-03-11 01:00 - 2009-07-14 05:48 - 00747396 _____ C:\Windows\system32\perfh00A.dat
2016-03-11 01:00 - 2009-07-14 05:48 - 00158868 _____ C:\Windows\system32\perfc00A.dat
2016-03-11 01:00 - 2009-07-13 23:37 - 00000000 ____D C:\Windows\inf
2016-03-11 00:24 - 2009-07-14 01:34 - 00014592 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2016-03-11 00:24 - 2009-07-14 01:34 - 00014592 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2016-03-10 23:29 - 2009-07-14 01:53 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2016-03-08 19:47 - 2015-08-28 03:38 - 00000000 ____D C:\Users\user\AppData\Roaming\uTorrent
2016-03-08 00:25 - 2015-01-27 06:41 - 00000000 ____D C:\Windows\Minidump
2016-03-08 00:18 - 2015-08-16 23:15 - 00002169 _____ C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Microsoft OneDrive.lnk
2016-03-08 00:18 - 2015-03-23 01:03 - 00000904 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Opera.lnk
2016-03-08 00:18 - 2014-06-17 18:42 - 00000000 ____D C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Games
2016-03-08 00:18 - 2013-12-31 12:38 - 00000985 _____ C:\Users\Public\Desktop\Movistar 3.5G.lnk
2016-03-08 00:18 - 2010-02-26 19:26 - 00002109 _____ C:\Users\Public\Desktop\Minecraft.lnk
2016-03-08 00:18 - 2010-02-26 19:26 - 00001022 _____ C:\Users\Public\Desktop\cosa de pro evolution soccer 2014 - Acceso directo.lnk
2016-03-08 00:18 - 2010-02-26 19:26 - 00001017 _____ C:\Users\Public\Desktop\Pro Evolution Soccer 2014 Repack - Acceso directo.lnk
2016-03-08 00:18 - 2010-02-26 19:26 - 00000985 _____ C:\Users\Public\Desktop\Movistar 3.5G (2).lnk
2016-03-08 00:18 - 2010-02-26 19:26 - 00000967 _____ C:\Users\Public\Desktop\MediaCreationTool - Acceso directo.lnk
2016-03-08 00:18 - 2010-02-26 19:26 - 00000926 _____ C:\Users\Public\Desktop\Mipony_Setup - Acceso directo.lnk
2016-03-08 00:18 - 2010-02-26 19:26 - 00000842 _____ C:\Users\Public\Desktop\Nueva carpeta - Acceso directo.lnk
2016-03-08 00:18 - 2010-02-26 19:26 - 00000806 _____ C:\Users\Public\Desktop\minecraft - Acceso directo.lnk
2016-03-08 00:18 - 2010-02-26 19:26 - 00000786 _____ C:\Users\Public\Desktop\asdasda - Acceso directo.lnk
2016-03-08 00:18 - 2010-02-26 19:26 - 00000781 _____ C:\Users\Public\Desktop\models - Acceso directo.lnk
2016-03-08 00:18 - 2010-02-26 19:26 - 00000781 _____ C:\Users\Public\Desktop\conter - Acceso directo.lnk
2016-03-08 00:18 - 2009-07-14 01:46 - 00001479 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows Media Player.lnk
2016-03-08 00:18 - 2009-07-14 01:42 - 00001340 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows Anytime Upgrade.lnk
2016-03-08 00:18 - 2009-07-14 01:42 - 00001292 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Sidebar.lnk
2016-03-08 00:18 - 2009-07-14 01:42 - 00001234 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\XPS Viewer.lnk
2016-03-08 00:18 - 2009-07-14 01:42 - 00001198 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows Fax and Scan.lnk
2016-03-08 00:18 - 2009-07-14 01:37 - 00001246 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Windows Update.lnk
2016-03-08 00:17 - 2015-10-19 01:10 - 00002081 _____ C:\Users\user\Desktop\Minecraft.lnk
2016-03-08 00:17 - 2015-10-11 03:12 - 00001065 _____ C:\Users\user\Desktop\Continuar con la instalación de Mipony.lnk
2016-03-08 00:17 - 2015-08-28 03:38 - 00000812 _____ C:\Users\user\Desktop\µTorrent.lnk
2016-03-08 00:17 - 2015-08-28 03:38 - 00000792 _____ C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\µTorrent.lnk
2016-03-08 00:17 - 2015-03-23 01:03 - 00001033 _____ C:\Users\user\Desktop\Opera.lnk
2016-03-08 00:17 - 2015-03-16 11:54 - 00000000 ____D C:\Users\user\AppData\Local\com
2016-03-07 22:32 - 2015-10-11 03:10 - 00000000 ____D C:\Program Files\Lenovo
2016-03-07 22:01 - 2010-02-02 23:50 - 00000000 ____D C:\Users\user\AppData\Roaming\XBox
2016-03-07 21:27 - 2009-07-13 23:37 - 00000000 ____D C:\Windows\tracing
2016-03-07 21:22 - 2009-07-13 23:04 - 00000505 _____ C:\Windows\win.ini
2016-03-07 21:20 - 2010-02-26 19:34 - 00000000 ____D C:\Windows\7
2016-03-07 21:19 - 2015-03-23 00:57 - 00000000 ____D C:\Program Files\Opera
2016-03-07 21:17 - 2009-07-13 23:37 - 00000000 ____D C:\Windows\system32\NDF
2016-03-06 23:56 - 2015-08-01 22:09 - 00000000 ____D C:\Users\user\AppData\Roaming\Update
2016-03-06 23:55 - 2015-03-15 20:07 - 00000000 ____D C:\Users\user\AppData\Roaming\A0FD9DEA-1426460826-E111-8283-D027889F81F1

==================== Files in the root of some directories =======

2015-03-16 00:18 - 2015-03-16 00:20 - 6103040 _____ () C:\Program Files\GUT43A3.tmp
2010-01-07 20:08 - 2010-01-07 21:02 - 6103040 _____ () C:\Program Files\GUTCA2C.tmp
2016-03-08 20:10 - 2016-03-08 20:10 - 0007616 _____ () C:\Users\user\AppData\Local\Resmon.ResmonCfg
2014-01-25 16:34 - 2014-01-25 16:34 - 0002792 _____ () C:\ProgramData\epstplog.bak

Some files in TEMP:
====================
C:\Users\user\AppData\Local\Temp\sqlite3.dll


==================== Bamital & volsnap =================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\explorer.exe => File is digitally signed
C:\Windows\system32\winlogon.exe => File is digitally signed
C:\Windows\system32\wininit.exe => File is digitally signed
C:\Windows\system32\svchost.exe => File is digitally signed
C:\Windows\system32\services.exe => File is digitally signed
C:\Windows\system32\User32.dll => File is digitally signed
C:\Windows\system32\userinit.exe => File is digitally signed
C:\Windows\system32\rpcss.dll => File is digitally signed
C:\Windows\system32\dnsapi.dll => File is digitally signed
C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed


LastRegBack: 2010-04-12 17:17

==================== End of FRST.txt ============================
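Editor's note on the log above, with an added example that is not part of the original post and not FRST's own logic. Several entries in this FRST output are the kind a responder reads first: a service and a process under ProgramData and AppData whose vendor string says "Microsoft Corporation" (winsecurity.exe, XBLive.exe); per-user ProxyServer, AutoConfigURL and ManualProxies settings forcing all HTTP and HTTPS traffic through 127.0.0.1:8080, which is what a traffic-interception component installs and which is a likely reason every browser crawls and Avira cannot reach its update servers; a Winsock LSP (SafeGuard32.dll) loaded from C:\ProgramData\System32 rather than C:\Windows\System32; drivers still registered but with their files missing ([X]); an unsigned Firefox extension; and a long list of MountPoints2 entries recording an AutoRun.exe command seen on removable drives. The script below encodes those observations as triage rules and runs them over a constructed sample of lines copied from the log; the rule names and the notion of "trusted roots" are the editor's, not FRST's. A vendor string is only what the file's version resource claims, so every hit still needs a signature check (for example with Sysinternals sigcheck) before it is treated as malware.

```python
"""Triage rules for Farbar Recovery Scan Tool (FRST) output.

Added example: these heuristics are the editor's, not FRST's own whitelist
logic. SAMPLE_LOG is a constructed set of lines copied from the log above.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample: one representative line per pattern, in FRST's format.
SAMPLE_LOG = r"""
(Microsoft Corporation) C:\ProgramData\Windows Security\winsecurity.exe
(Microsoft Corporation) C:\Users\user\AppData\Roaming\XBox\XBLive.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe
HKU\S-1-5-21-4237170706-1981101310-1019621162-1000\...\MountPoints2: E - E:\AutoRun.exe
ProxyServer: [S-1-5-21-4237170706-1981101310-1019621162-1000] => http=127.0.0.1:8080;https=127.0.0.1:8080
Winsock: Catalog5 07 C:\ProgramData\System32\SafeGuard32.dll [1536952 2015-11-09] ()
R2 Avira.ServiceHost; C:\Program Files\Avira\Launcher\Avira.ServiceHost.exe [260456 2016-01-27] (Avira Operations GmbH & Co. KG)
R2 WindowsSecurity; C:\ProgramData\Windows Security\winsecurity.exe [7244240 2016-03-07] (Microsoft Corporation)
S1 ccesaixt; \??\C:\Windows\system32\drivers\ccesaixt.sys [X]
FF Extension: Treasure Track - C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\gk7452zf.default\Extensions\{41f622d2-f0ee-4658-9f96-92d6bdce1b94}.xpi [2015-10-10] [not signed]
"""

# Where a genuine Windows or Microsoft-installed binary is expected to live
# (editor's assumption). PROGRA~1/PROGRA~2 are the 8.3 short names FRST
# prints for some entries.
TRUSTED_ROOTS = (
    "C:\\WINDOWS\\",
    "C:\\PROGRAM FILES\\",
    "C:\\PROGRAM FILES (X86)\\",
    "C:\\PROGRA~1\\",
    "C:\\PROGRA~2\\",
)

# First Windows path to a PE file on the line (FRST lines carry at most one).
PE_PATH_RE = re.compile(r"([A-Za-z]:\\[^\[\]()]*?\.(?:exe|dll|sys))", re.IGNORECASE)
LOOPBACK_PROXY_RE = re.compile(r"\b127\.0\.0\.1:\d+")
SERVICE_LINE_RE = re.compile(r"^[RSU]\d ")  # R2/S3/U5 service and driver entries
AUTORUN_MOUNT_RE = re.compile(r"- [A-Z]:\\[^\\]+\.exe$", re.IGNORECASE)


def pe_path(line: str) -> str:
    m = PE_PATH_RE.search(line)
    return m.group(1) if m else ""


def in_trusted_root(path: str) -> bool:
    return path.upper().startswith(TRUSTED_ROOTS)


def classify(line: str) -> List[str]:
    """Return the rule names a single FRST line trips (empty list if none)."""
    hits: List[str] = []
    path = pe_path(line)
    # 1. Vendor string says Microsoft, but the file sits in a user-writable tree.
    #    The string is whatever the version resource claims; verify the signature.
    if "(Microsoft Corporation)" in line and path and not in_trusted_root(path):
        hits.append("ms-vendor-outside-system-dirs")
    # 2. WinINet/browser proxy forced through a loopback port.
    if line.startswith(("ProxyServer:", "AutoConfigURL:", "ManualProxies:")) and LOOPBACK_PROXY_RE.search(line):
        hits.append("loopback-proxy")
    # 3. Winsock LSP loaded from somewhere other than the real System32.
    if line.startswith("Winsock:") and path and not path.upper().startswith("C:\\WINDOWS\\SYSTEM32\\"):
        hits.append("lsp-outside-system32")
    # 4. Service or driver still registered, binary gone ([X] is FRST's marker).
    if SERVICE_LINE_RE.match(line) and line.endswith("[X]"):
        hits.append("orphaned-service-or-driver")
    # 5. Firefox extension that is not signed.
    if line.startswith("FF Extension:") and "[not signed]" in line:
        hits.append("unsigned-extension")
    # 6. MountPoints2 remembers an autorun.inf command seen on a removable drive.
    if "MountPoints2:" in line and AUTORUN_MOUNT_RE.search(line):
        hits.append("autorun-mountpoint")
    return hits


def triage(log: str) -> List[Tuple[str, str]]:
    """(rule, line) pairs for every flagged line, in log order."""
    findings: List[Tuple[str, str]] = []
    for raw in log.splitlines():
        line = raw.strip()
        for rule in classify(line):
            findings.append((rule, line))
    return findings


def rule_counts(log: str) -> Dict[str, int]:
    counts: Dict[str, int] = {}
    for rule, _ in triage(log):
        counts[rule] = counts.get(rule, 0) + 1
    return counts


if __name__ == "__main__":
    for rule, line in triage(SAMPLE_LOG):
        print(f"{rule:32} {line}")
```

Run it against a full FRST.txt by reading the file and passing its text to `triage`; the output is a worklist, not a verdict. Rule 1 will also catch legitimate Microsoft software that installs under AppData (OneDrive is the usual case), which is exactly why the hit list has to be followed by a signature check rather than fed straight into a fixlist.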




#2 nasdaq

  • Malware Response Team
  • 39,940 posts
  • Gender: Male
  • Location: Montreal, QC, Canada

Posted 11 March 2016 - 03:00 PM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

Press the Windows key + R on your keyboard at the same time. This will open the Run box.
Type Notepad and click OK.

Please copy the entire contents of the code box below to a new file.
 
Start

CreateRestorePoint:
EmptyTemp:
CloseProcesses:

(Microsoft Corporation) C:\ProgramData\Windows Security\winsecurity.exe
ShellIconOverlayIdentifiers: [ExplorerEx] -> {E056AFDD-03E9-4D73-8D33-8FCCBCA73438} =>  No File
GroupPolicy: Restriction - Chrome <======= ATTENTION
CHR HKLM\SOFTWARE\Policies\Google: Restriction <======= ATTENTION
Toolbar: HKLM - No Name - {4F524A2D-5354-2D53-5045-7A786E7484D7} -  No File
Toolbar: HKLM - No Name - {41524553-2D56-3700-76A7-7A786E7484D7} -  No File
FF user.js: detected! => C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\gk7452zf.default\user.js [2016-03-07]
FF Extension: Treasure Track - C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\gk7452zf.default\Extensions\{41f622d2-f0ee-4658-9f96-92d6bdce1b94}.xpi [2015-10-10] [not signed]
OPR StartupUrls: "hxxp://searchinterneat-a.akamaihd.net/h?eq=U0EeCFZVBB8SRggadghZAFsUQxhHIlxZTA1JEwEOeQsJWBQTFwQUIgoJAFhGFwMFIk0FA1oDB0VXfV5bFElXTwh3MlxZEkwDRGFRIVpT"
R2 WindowsSecurity; C:\ProgramData\Windows Security\winsecurity.exe [7244240 2016-03-07] (Microsoft Corporation)
S3 avast! Mail Scanner; "C:\Program Files\Alwil Software\Avast5\AvastSvc.exe" [X]
S3 avast! Web Scanner; "C:\Program Files\Alwil Software\Avast5\AvastSvc.exe" [X]
S1 ccesaixt; \??\C:\Windows\system32\drivers\ccesaixt.sys [X]
S3 cpuz134; \??\C:\Users\user\AppData\Local\Temp\cpuz134\cpuz134_x32.sys [X]
S3 huawei_wwanecm; system32\DRIVERS\ew_juwwanecm.sys [X]
S3 IntcAzAudAddService; system32\drivers\RTKVHDA.sys [X]
S1 ptwaalxy; \??\C:\Windows\system32\drivers\ptwaalxy.sys [X]
C:\ProgramData\Windows Security\winsecurity.exe

End
Save the file as fixlist.txt in the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the Farbar log you have submitted.

Run FRST and click Fix only once and wait.

Restart the computer normally to reset the registry.

The tool will create a log (Fixlog.txt) please post it to your reply.
===

Please download AdwCleaner by Xplode onto your Desktop.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click the Scan button and wait for the process to complete.
  • Click the LogFile button and the report will open in Notepad.
IMPORTANT
  • If you click the Clean button all items listed in the report will be removed.
If you find some false positive items or programs that you wish to keep, close the AdwCleaner window.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click the Scan button and wait for the process to complete.
  • Check off the element(s) you wish to keep.
  • Click on the Clean button follow the prompts.
  • A log file will automatically open after the scan has finished.
  • Please post the content of that log file with your next answer.
  • You can find the log file at C:\AdwCleanerCx.txt (x is a number).
===

If still unable to install or update antivirus programs remove Avast completely.
Download and run their uninstaller. Instructions here.
https://www.avast.com/en-ca/faq.php?article=AVKB10

===

Please let me know what problem persists with this computer.

#3 nmcomp

  • Topic Starter
  • Members
  • 9 posts
  • Gender: Male
  • Location: Argentina

Posted 11 March 2016 - 05:33 PM

Hi nasdaq! Thanks for your quick reply! :D

 

Here are the logs you've requested:

 

Fixlog:

 

Fix result of Farbar Recovery Scan Tool (x86) Version:05-03-2016 01
Ran by user (2016-03-11 19:17:50) Run:1
Running from C:\Nueva carpeta
Loaded Profiles: user (Available Profiles: user)
Boot Mode: Normal

==============================================

fixlist content:
*****************
Start

CreateRestorePoint:
EmptyTemp:
CloseProcesses:

(Microsoft Corporation) C:\ProgramData\Windows Security\winsecurity.exe
ShellIconOverlayIdentifiers: [ExplorerEx] -> {E056AFDD-03E9-4D73-8D33-8FCCBCA73438} =>  No File
GroupPolicy: Restriction - Chrome <======= ATTENTION
CHR HKLM\SOFTWARE\Policies\Google: Restriction <======= ATTENTION
Toolbar: HKLM - No Name - {4F524A2D-5354-2D53-5045-7A786E7484D7} -  No File
Toolbar: HKLM - No Name - {41524553-2D56-3700-76A7-7A786E7484D7} -  No File
FF user.js: detected! => C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\gk7452zf.default\user.js [2016-03-07]
FF Extension: Treasure Track - C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\gk7452zf.default\Extensions\{41f622d2-f0ee-4658-9f96-92d6bdce1b94}.xpi [2015-10-10] [not signed]
OPR StartupUrls: "hxxp://searchinterneat-a.akamaihd.net/h?eq=U0EeCFZVBB8SRggadghZAFsUQxhHIlxZTA1JEwEOeQsJWBQTFwQUIgoJAFhGFwMFIk0FA1oDB0VXfV5bFElXTwh3MlxZEkwDRGFRIVpT"
R2 WindowsSecurity; C:\ProgramData\Windows Security\winsecurity.exe [7244240 2016-03-07] (Microsoft Corporation)
S3 avast! Mail Scanner; "C:\Program Files\Alwil Software\Avast5\AvastSvc.exe" [X]
S3 avast! Web Scanner; "C:\Program Files\Alwil Software\Avast5\AvastSvc.exe" [X]
S1 ccesaixt; \??\C:\Windows\system32\drivers\ccesaixt.sys [X]
S3 cpuz134; \??\C:\Users\user\AppData\Local\Temp\cpuz134\cpuz134_x32.sys [X]
S3 huawei_wwanecm; system32\DRIVERS\ew_juwwanecm.sys [X]
S3 IntcAzAudAddService; system32\drivers\RTKVHDA.sys [X]
S1 ptwaalxy; \??\C:\Windows\system32\drivers\ptwaalxy.sys [X]
C:\ProgramData\Windows Security\winsecurity.exe

End
*****************

Restore point was successfully created.
Processes closed successfully.
C:\ProgramData\Windows Security\winsecurity.exe
C:\ProgramData\Windows Security\winsecurity.exe => No running process found
"HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\ExplorerEx" => key removed successfully.
HKCR\CLSID\{E056AFDD-03E9-4D73-8D33-8FCCBCA73438} => key not found.
C:\Windows\system32\GroupPolicy\Machine => moved successfully
C:\Windows\system32\GroupPolicy\GPT.ini => moved successfully
"HKLM\SOFTWARE\Policies\Google" => key removed successfully.
HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar\\{4F524A2D-5354-2D53-5045-7A786E7484D7} => value removed successfully.
HKCR\CLSID\{4F524A2D-5354-2D53-5045-7A786E7484D7} => key not found.
HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar\\{41524553-2D56-3700-76A7-7A786E7484D7} => value removed successfully.
HKCR\CLSID\{41524553-2D56-3700-76A7-7A786E7484D7} => key not found.
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\gk7452zf.default\user.js => moved successfully
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\gk7452zf.default\Extensions\{41f622d2-f0ee-4658-9f96-92d6bdce1b94}.xpi => moved successfully
OPR StartupUrls: "hxxp://searchinterneat-a.akamaihd.net/h?eq=U0EeCFZVBB8SRggadghZAFsUQxhHIlxZTA1JEwEOeQsJWBQTFwQUIgoJAFhGFwMFIk0FA1oDB0VXfV5bFElXTwh3MlxZEkwDRGFRIVpT" => removed successfully.
WindowsSecurity => service removed successfully.
avast! Mail Scanner => service removed successfully.
avast! Web Scanner => service removed successfully.
ccesaixt => service removed successfully.
cpuz134 => service removed successfully.
huawei_wwanecm => service removed successfully.
IntcAzAudAddService => service removed successfully.
ptwaalxy => service removed successfully.
C:\ProgramData\Windows Security\winsecurity.exe => moved successfully
EmptyTemp: => 513.9 MB temporary data Removed.


The system needed a reboot.

==== End of Fixlog 19:19:13 ====

 

ADW:

 

# AdwCleaner v5.101 - Registro generado 11/03/2016 en 19:26:11
# Actualizado 07/03/2016 por Xplode
# Base de datos : 2016-03-08.1 [Local]
# Sistema operativo : Windows 7 Home Basic Service Pack 1 (x86)
# Nombre de usuario : user - USER-PC
# Ejecutado desde : C:\Nueva carpeta\AdwCleaner.exe
# Opción : Limpiar
# Apoyo : http://toolslib.net/forum

***** [ Servicios ] *****


***** [ Carpetas ] *****


***** [ Archivos ] *****


***** [ DLLs ] *****


***** [ Accesos directos ] *****


***** [ Tareas programadas ] *****


***** [ Registro ] *****

[-] Llave Eliminar : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{41524553-2D56-3700-76A7-7A786E7484D7}
[-] Llave Eliminar : HKLM\SOFTWARE\hdcode
[-] Llave Eliminar : HKCU\Software\Microsoft\Internet Explorer\DOMStorage\bestpriceninja.com
[-] Llave Eliminar : HKCU\Software\Microsoft\Internet Explorer\DOMStorage\pstatic.bestpriceninja.com

***** [ Navegadores Web ] *****


*************************

:: Llaves "Tracing" removidas
:: Winsock Configuración borrada

*************************

C:\Program Files\AdwCleaner\AdwCleaner[C1].txt - [59594 bytes] - [07/03/2016 22:22:10]
C:\Program Files\AdwCleaner\AdwCleaner[C2].txt - [5672 bytes] - [08/03/2016 20:32:02]
C:\Program Files\AdwCleaner\AdwCleaner[C3].txt - [1280 bytes] - [11/03/2016 19:26:11]
C:\Program Files\AdwCleaner\AdwCleaner[S1].txt - [59915 bytes] - [07/03/2016 22:05:49]
C:\Program Files\AdwCleaner\AdwCleaner[S2].txt - [5431 bytes] - [08/03/2016 20:31:05]
C:\Program Files\AdwCleaner\AdwCleaner[S3].txt - [1530 bytes] - [11/03/2016 19:23:32]

########## EOF - C:\Program Files\AdwCleaner\AdwCleaner[C3].txt - [1629 bytes] ##########
 

PS: Forgot to mention, Internet browsing is still slow, and when I open IE it closes itself :(

PPS: The Avira icon is no longer shown on startup, and I can run but not update Eset Online (it just does nothing but wait to download definitions).

Thanks!!


Edited by nmcomp, 11 March 2016 - 05:55 PM.


#4 nasdaq (Malware Response Team)

Posted 12 March 2016 - 09:06 AM

Please post the Addition.txt file that was created by the Farbar tool.

 

I need to have a look at it.



#5 nmcomp (Topic Starter)

Posted 12 March 2016 - 01:46 PM

Hi nasdaq! I think I've already posted it but here it goes! :D

Attached file: Addition.txt (35.45 KB)



#6 nasdaq (Malware Response Team)

Posted 12 March 2016 - 02:41 PM

 
 
Your first try to attach the file must have failed.
 
===
 
Windows Firewall is disabled.
Turn System Restore ON - Windows Help
===
 
Press the Windows key + R on your keyboard at the same time. This will open the Run box.
Type Notepad and click the OK button.
 
Please copy the entire contents of the code box below to a new file.
 
 
Start
 
CreateRestorePoint:
EmptyTemp:
CloseProcesses:
 
Java 8 Update 45 (HKLM\...\{26A24AE4-039D-4CA4-87B4-2F83218045F0}) (Version: 8.0.450 - Oracle Corporation)
Java 8 Update 51 (HKLM\...\{26A24AE4-039D-4CA4-87B4-2F83218051F0}) (Version: 8.0.510 - Oracle Corporation)
Java 8 Update 60 (HKLM\...\{26A24AE4-039D-4CA4-87B4-2F83218060F0}) (Version: 8.0.600.27 - Oracle Corporation)
Snap.Do (HKLM\...\{627CDE42-2760-465A-8CF2-AA653EE4DEB2}) (Version: 10.157.1.12889 - ReSoft Ltd.) <==== ATTENTION
Task: {28B4BF73-D005-4A1C-AFA2-9CE892454120} - \UNELEVATE_16514 -> No File <==== ATTENTION
Task: {2D166B61-F0D3-4AFD-9468-967FBD29E8BF} - \UNELEVATE_13272 -> No File <==== ATTENTION
Task: {525DCB8A-FEC5-4E4D-A464-14932BF227EA} - \UNELEVATE_1082 -> No File <==== ATTENTION
Task: {713ED37C-AEAA-4F2A-9AD6-DF1E90410D6C} - \UNELEVATE_11144 -> No File <==== ATTENTION
Task: {7F654D32-20B3-471E-AE05-809E2778EA5B} - \UNELEVATE_1715 -> No File <==== ATTENTION
Task: {A0ABDBEF-B47C-45FB-94AE-A4089522BEE8} - \UNELEVATE_17576 -> No File <==== ATTENTION
Task: {B55A414F-FCAB-4AB3-8420-1EB43BF5F1B2} - \UNELEVATE_18747 -> No File <==== ATTENTION
Task: {EB95A1FD-9064-4147-80EF-149F1AEFC230} - \UNELEVATE_20417 -> No File <==== ATTENTION
Task: {F86415BE-E30D-4343-B192-D0D6CC60571C} - \UNELEVATE_27547 -> No File <==== ATTENTION
Task: {F9B7D8B6-63C9-4347-B0F3-D4831C48D79F} - \UNELEVATE_30206 -> No File <==== ATTENTION
AlternateDataStreams: C:\ProgramData\TEMP:56E2E879 [120]
DNS Servers: Media is not connected to internet.
 
End
Save the file as fixlist.txt in the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the Farbar log you have submitted.
 
Run FRST and click Fix only once and wait.
 
Restart the computer normally to reset the registry.
 
The tool will create a log (Fixlog.txt); please post it in your reply.
==
 

If you are still unable to install or update antivirus programs, remove Avast completely.
Download and run their uninstaller. Instructions here.
Did you execute this? If not, please do it.
 
Let me know what problem persists.


#7 nmcomp (Topic Starter)

Posted 12 March 2016 - 11:06 PM

So, I uninstalled Avast.

Now I can see the Avira Launcher icon, but it's still offline.

 

Luckily, IE no longer closes itself! :-)

Unfortunately, Internet browsing is still slow.

 

Here's my log, thanks!!:

 

Fix result of Farbar Recovery Scan Tool (x86) Version:05-03-2016 01
Ran by user (2016-03-13 00:38:46) Run:2
Running from C:\Nueva carpeta
Loaded Profiles: user (Available Profiles: user)
Boot Mode: Normal

==============================================

fixlist content:
*****************
Start
 
CreateRestorePoint:
EmptyTemp:
CloseProcesses:
 
Java 8 Update 45 (HKLM\...\{26A24AE4-039D-4CA4-87B4-2F83218045F0}) (Version: 8.0.450 - Oracle Corporation)
Java 8 Update 51 (HKLM\...\{26A24AE4-039D-4CA4-87B4-2F83218051F0}) (Version: 8.0.510 - Oracle Corporation)
Java 8 Update 60 (HKLM\...\{26A24AE4-039D-4CA4-87B4-2F83218060F0}) (Version: 8.0.600.27 - Oracle Corporation)
Snap.Do (HKLM\...\{627CDE42-2760-465A-8CF2-AA653EE4DEB2}) (Version: 10.157.1.12889 - ReSoft Ltd.) <==== ATTENTION
Task: {28B4BF73-D005-4A1C-AFA2-9CE892454120} - \UNELEVATE_16514 -> No File <==== ATTENTION
Task: {2D166B61-F0D3-4AFD-9468-967FBD29E8BF} - \UNELEVATE_13272 -> No File <==== ATTENTION
Task: {525DCB8A-FEC5-4E4D-A464-14932BF227EA} - \UNELEVATE_1082 -> No File <==== ATTENTION
Task: {713ED37C-AEAA-4F2A-9AD6-DF1E90410D6C} - \UNELEVATE_11144 -> No File <==== ATTENTION
Task: {7F654D32-20B3-471E-AE05-809E2778EA5B} - \UNELEVATE_1715 -> No File <==== ATTENTION
Task: {A0ABDBEF-B47C-45FB-94AE-A4089522BEE8} - \UNELEVATE_17576 -> No File <==== ATTENTION
Task: {B55A414F-FCAB-4AB3-8420-1EB43BF5F1B2} - \UNELEVATE_18747 -> No File <==== ATTENTION
Task: {EB95A1FD-9064-4147-80EF-149F1AEFC230} - \UNELEVATE_20417 -> No File <==== ATTENTION
Task: {F86415BE-E30D-4343-B192-D0D6CC60571C} - \UNELEVATE_27547 -> No File <==== ATTENTION
Task: {F9B7D8B6-63C9-4347-B0F3-D4831C48D79F} - \UNELEVATE_30206 -> No File <==== ATTENTION
AlternateDataStreams: C:\ProgramData\TEMP:56E2E879 [120]
DNS Servers: Media is not connected to internet.
 
End
*****************

Restore point was successfully created.
Processes closed successfully.
Java 8 Update 45 (HKLM\...\{26A24AE4-039D-4CA4-87B4-2F83218045F0}) (Version: 8.0.450 - Oracle Corporation) => Error: No automatic fix found for this entry.
Java 8 Update 51 (HKLM\...\{26A24AE4-039D-4CA4-87B4-2F83218051F0}) (Version: 8.0.510 - Oracle Corporation) => Error: No automatic fix found for this entry.
Java 8 Update 60 (HKLM\...\{26A24AE4-039D-4CA4-87B4-2F83218060F0}) (Version: 8.0.600.27 - Oracle Corporation) => Error: No automatic fix found for this entry.
Snap.Do (HKLM\...\{627CDE42-2760-465A-8CF2-AA653EE4DEB2}) (Version: 10.157.1.12889 - ReSoft Ltd.) <==== ATTENTION => Error: No automatic fix found for this entry.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{28B4BF73-D005-4A1C-AFA2-9CE892454120}" => key removed successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{28B4BF73-D005-4A1C-AFA2-9CE892454120}" => key removed successfully.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\UNELEVATE_16514 => key not found.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{2D166B61-F0D3-4AFD-9468-967FBD29E8BF}" => key removed successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{2D166B61-F0D3-4AFD-9468-967FBD29E8BF}" => key removed successfully.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\UNELEVATE_13272 => key not found.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{525DCB8A-FEC5-4E4D-A464-14932BF227EA}" => key removed successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{525DCB8A-FEC5-4E4D-A464-14932BF227EA}" => key removed successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\UNELEVATE_1082" => key removed successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{713ED37C-AEAA-4F2A-9AD6-DF1E90410D6C}" => key removed successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{713ED37C-AEAA-4F2A-9AD6-DF1E90410D6C}" => key removed successfully.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\UNELEVATE_11144 => key not found.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{7F654D32-20B3-471E-AE05-809E2778EA5B}" => key removed successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{7F654D32-20B3-471E-AE05-809E2778EA5B}" => key removed successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\UNELEVATE_1715" => key removed successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{A0ABDBEF-B47C-45FB-94AE-A4089522BEE8}" => key removed successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{A0ABDBEF-B47C-45FB-94AE-A4089522BEE8}" => key removed successfully.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\UNELEVATE_17576 => key not found.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{B55A414F-FCAB-4AB3-8420-1EB43BF5F1B2}" => key removed successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{B55A414F-FCAB-4AB3-8420-1EB43BF5F1B2}" => key removed successfully.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\UNELEVATE_18747 => key not found.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{EB95A1FD-9064-4147-80EF-149F1AEFC230}" => key removed successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{EB95A1FD-9064-4147-80EF-149F1AEFC230}" => key removed successfully.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\UNELEVATE_20417 => key not found.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{F86415BE-E30D-4343-B192-D0D6CC60571C}" => key removed successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{F86415BE-E30D-4343-B192-D0D6CC60571C}" => key removed successfully.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\UNELEVATE_27547 => key not found.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{F9B7D8B6-63C9-4347-B0F3-D4831C48D79F}" => key removed successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{F9B7D8B6-63C9-4347-B0F3-D4831C48D79F}" => key removed successfully.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\UNELEVATE_30206 => key not found.
C:\ProgramData\TEMP => ":56E2E879" ADS removed successfully..
DNS Servers: Media is not connected to internet. => Error: No automatic fix found for this entry.
EmptyTemp: => 29.3 MB temporary data Removed.


The system needed a reboot.

==== End of Fixlog 00:39:03 ====



#8 nasdaq (Malware Response Team)

Posted 13 March 2016 - 08:42 AM

 
If present, remove this program via the Control Panel > Programs and Features applet.
Snap.Do (HKLM\...\{627CDE42-2760-465A-8CF2-AA653EE4DEB2}) (Version: 10.157.1.12889 - ReSoft Ltd.) <==== ATTENTION => Error: No automatic fix found for this entry
 
RESTART the computer when done.
===
 

Now I can see the Avira Launcher icon, but it's still offline.

Reinstall Avira. 
 
---
 
Reset Internet Explorer:
Menu > Tools > Internet Options > Advanced Tab.
Click the Reset button on the bottom of the pane.
Click the Apply button.
Close IE.
 
 
Clean the Internet Explorer Cache.
===
 
Your version of Java is outdated and needs to be updated to take advantage of fixes that have eliminated security vulnerabilities.
 
You can manually check your present version and update as recommended.
 
Be careful not to install malware posing as a Java update!
Important: read this blog.
 
Quoted from the page.
"In light of the recent events surrounding Java, users must seriously consider their use of Java. Do they really need it? If yes, make sure that users follow the steps we recommended and get the security update directly from the official oracle website." at:
 
How to disable Java in your browsers
 
 
If present, remove the old version(s) of Java via the Control Panel > Programs and Features applet.
Java 8 Update 45 (HKLM\...\{26A24AE4-039D-4CA4-87B4-2F83218045F0}) (Version: 8.0.450 - Oracle Corporation) => Error: No automatic fix found for this entry.
Java 8 Update 51 (HKLM\...\{26A24AE4-039D-4CA4-87B4-2F83218051F0}) (Version: 8.0.510 - Oracle Corporation) => Error: No automatic fix found for this entry.
Java 8 Update 60 (HKLM\...\{26A24AE4-039D-4CA4-87B4-2F83218060F0}) (Version: 8.0.600.27 - Oracle Corporation) => Error: No automatic fix found for this entry.
 
Keep me posted on the issues.
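An added example, not code from this thread, from FRST or from its author: a small Python parser for the Fixlog format posted above. It splits each `target => result` line into fixed / absent / manual outcomes and lists the entries FRST reports as "No automatic fix found", which are the same entries this reply asks the user to remove by hand. The sample lines are constructed from the log in this thread.

```python
import re
from typing import Dict, List, NamedTuple

# Constructed sample in the shape of the FRST Fixlog posted in this thread.
SAMPLE_FIXLOG = r"""
Restore point was successfully created.
Processes closed successfully.
Java 8 Update 45 (HKLM\...\{26A24AE4-039D-4CA4-87B4-2F83218045F0}) (Version: 8.0.450 - Oracle Corporation) => Error: No automatic fix found for this entry.
Snap.Do (HKLM\...\{627CDE42-2760-465A-8CF2-AA653EE4DEB2}) (Version: 10.157.1.12889 - ReSoft Ltd.) <==== ATTENTION => Error: No automatic fix found for this entry.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{28B4BF73-D005-4A1C-AFA2-9CE892454120}" => key removed successfully.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\UNELEVATE_16514 => key not found.
C:\ProgramData\Windows Security\winsecurity.exe => moved successfully
WindowsSecurity => service removed successfully.
C:\ProgramData\TEMP => ":56E2E879" ADS removed successfully..
DNS Servers: Media is not connected to internet. => Error: No automatic fix found for this entry.
EmptyTemp: => 29.3 MB temporary data Removed.
"""


class Outcome(NamedTuple):
    target: str   # the fixlist entry FRST acted on
    status: str   # 'fixed', 'absent', 'manual' or 'info'
    detail: str   # FRST's own result text, trailing dots removed


# Fixlog result lines have the form "<target> => <result>"; the target may
# itself contain " - " and dots, so split on the first " => " only.
RESULT_RE = re.compile(r"^(?P<target>.*?) => (?P<result>.+?)\.*$")


def classify(result: str) -> str:
    """Map FRST's result wording to a coarse outcome class."""
    r = result.lower()
    if r.startswith("error: no automatic fix"):
        return "manual"          # FRST left it; the helper handles it by hand
    if "not found" in r or "no running process" in r:
        return "absent"          # already gone, or never existed on disk
    if "removed successfully" in r or "moved successfully" in r:
        return "fixed"
    return "info"                # e.g. EmptyTemp byte counts


def parse_fixlog(text: str) -> List[Outcome]:
    """Parse every '<target> => <result>' line of a Fixlog into Outcomes."""
    outcomes = []
    for line in text.splitlines():
        m = RESULT_RE.match(line.strip())
        if not m:
            continue             # headers, blank lines, 'Processes closed' etc.
        target = m.group("target").strip().strip('"')
        result = m.group("result").rstrip(".")
        outcomes.append(Outcome(target, classify(result), result))
    return outcomes


def manual_actions(text: str) -> List[str]:
    """Entries FRST could not fix, with the '<==== ATTENTION' flag stripped."""
    return [o.target.replace(" <==== ATTENTION", "")
            for o in parse_fixlog(text) if o.status == "manual"]


def summary(text: str) -> Dict[str, int]:
    """Count outcomes per class, so a helper can see at a glance what is left."""
    counts = {"fixed": 0, "absent": 0, "manual": 0, "info": 0}
    for o in parse_fixlog(text):
        counts[o.status] += 1
    return counts


if __name__ == "__main__":
    print(summary(SAMPLE_FIXLOG))
    for entry in manual_actions(SAMPLE_FIXLOG):
        print("needs manual follow-up:", entry)
```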
 


#9 nmcomp (Topic Starter)

Posted 13 March 2016 - 05:00 PM

Hi Nasdaq!

I cleaned IE cache. Now IE is OK.

Cannot uninstall Snap.Do because the installer package no longer exists.

Updated Java and removed old versions.

 

Removed Avira and installed Avast again.

Avast doesn't show the UI when I double-click the tray icon (when I right-click, the context menu doesn't show either), and when I try to update it with ashupd.exe, it doesn't download anything: it shows 0%.

 

Thanks!!

 

PS: Also tried to scan with Eset Online and the same happens: can't download virus definitions!! :-S


Edited by nmcomp, 13 March 2016 - 06:55 PM.


#10 nasdaq (Malware Response Team)

Posted 14 March 2016 - 07:37 AM

Download Farbar's Service Scanner utility and save it to your Desktop.
If using Windows 7 or Vista, Right-Click on fss.exe and select Run As Administrator.
If using XP, double-click to start.
Answer Yes to ok when prompted.
If your firewall then puts out a prompt, again, allow it to run.
Once FSS is on-screen, be sure the following items are checkmarked:
Internet Services
Windows Firewall
System Restore
Security Center/Action Center
Windows Update
Windows Defender
  
Click on "Scan".
It will create a log (FSS.txt) in the same directory the tool is run.
Copy & Paste contents of FSS.txt into your reply.
===
 

Cannot uninstall Snap.Do because the installer package no longer exists.

 
 
Please download SystemLook from one of the links below and save it to your Desktop.
 
If your operating system is 64 bit, download this tool:
  • Double-click SystemLook.exe to run it.
  • Copy and paste the content of the following bold text into the main textfield:
:regfind 
627CDE42-2760-465A-8CF2-AA653EE4DEB2
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
  • Note: The log can also be found on your Desktop entitled SystemLook.txt.
 
===


#11 nmcomp (Topic Starter)

Posted 14 March 2016 - 09:59 PM

Hi Nasdaq!
Here are my logs:

 

Farbar Service Scanner Version: 27-01-2016
Ran by user (administrator) on 14-03-2016 at 23:56:11
Running from "C:\Users\user\Desktop"
Microsoft Windows 7 Home Basic  Service Pack 1 (X86)
Boot Mode: Normal
****************************************************************

Internet Services:
============

Connection Status:
==============
Localhost is accessible.
LAN connected.
Attempt to access Google IP returned error. Google IP is unreachable
Google.com is accessible.
Yahoo.com is accessible.

Windows Firewall:
=============

Firewall Disabled Policy:
==================

System Restore:
============

System Restore Policy:
========================

Action Center:
============

wscsvc Service is not running. Checking service configuration:
The start type of wscsvc service is set to Disabled. The default start type is Auto.
The ImagePath of wscsvc service is OK.
The ServiceDll of wscsvc service is OK.

Windows Update:
============

Windows Autoupdate Disabled Policy:
============================

Windows Defender:
==============

Other Services:
==============

File Check:
========
C:\Windows\system32\nsisvc.dll => File is digitally signed
C:\Windows\system32\Drivers\nsiproxy.sys => File is digitally signed
C:\Windows\system32\dhcpcore.dll => File is digitally signed
C:\Windows\system32\Drivers\afd.sys => File is digitally signed
C:\Windows\system32\Drivers\tdx.sys => File is digitally signed
C:\Windows\system32\Drivers\tcpip.sys => File is digitally signed
C:\Windows\system32\dnsrslvr.dll => File is digitally signed
C:\Windows\system32\dnsapi.dll => File is digitally signed
C:\Windows\system32\mpssvc.dll => File is digitally signed
C:\Windows\system32\bfe.dll => File is digitally signed
C:\Windows\system32\Drivers\mpsdrv.sys => File is digitally signed
C:\Windows\system32\SDRSVC.dll => File is digitally signed
C:\Windows\system32\vssvc.exe => File is digitally signed
C:\Windows\system32\wscsvc.dll => File is digitally signed
C:\Windows\system32\wbem\WMIsvc.dll => File is digitally signed
C:\Windows\system32\wuaueng.dll => File is digitally signed
C:\Windows\system32\qmgr.dll => File is digitally signed
C:\Windows\system32\es.dll => File is digitally signed
C:\Windows\system32\cryptsvc.dll => File is digitally signed
C:\Program Files\Windows Defender\MpSvc.dll => File is digitally signed
C:\Windows\system32\svchost.exe => File is digitally signed
C:\Windows\system32\rpcss.dll => File is digitally signed

**** End of log ****

 

 

SystemLook 30.07.11 by jpshortstuff
Log created at 23:57 on 14/03/2016 by user
Administrator - Elevation successful

========== regfind ==========

Searching for "627CDE42-2760-465A-8CF2-AA653EE4DEB2"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders]
"C:\Users\user\AppData\Roaming\Microsoft\Installer\{627CDE42-2760-465A-8CF2-AA653EE4DEB2}\"=""

-= EOF =-

 

Thanks!!



#12 nasdaq (Malware Response Team)

Posted 15 March 2016 - 08:06 AM

Copy the text IN THE QUOTE BOX below to Notepad. Save it as fixme.reg to your desktop.
Be sure the "Save as" type is set to "all files". Once you have saved it, right-click the .reg file and allow it to merge with the registry.

Windows Registry Editor Version 5.00


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders]
"C:\Users\user\AppData\Roaming\Microsoft\Installer\{627CDE42-2760-465A-8CF2-AA653EE4DEB2}\"=-


Restart the computer when completed.

You can delete the fixme.reg file when done.
===


Download the Avast updates from this page.
https://www.avast.com/download-update

If all goes well, check in a day or two whether automatic updates are set.

#13 nmcomp (Topic Starter)

Posted 20 March 2016 - 06:08 PM

Hi nasdaq! Sorry for the delay.

 

Cannot install Avast definitions.

 

I give up, I'm gonna do a fresh install of Windows.

 

Thank you so much for your help, I really appreciated it! :)





