
Rootkit issues? and other problems? Sorry not sure..


  • This topic is locked
50 replies to this topic

#1 Annie55

Annie55

  • Members
  • 32 posts
  • OFFLINE
  • Local time:02:18 PM

Posted 27 March 2016 - 09:33 AM

Hi, I am having problems with a very slow working comp. Not able to access my own settings etc. Computer refuses to start at some times, when scans run they are being stopped, Avast is not working consistently. Had a screen message after doing/running a health report on C: that said "Ghostprogram or virus?" then Avast ran a scan without my command and it didn't find anything. I have more problems, but stop here, due to the risk my comp will shut down and this will be lost. Would appreciate some help pls. /Annie


Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version:05-03-2016 01
Ran by Anki (administrator) on ANKI-DATOR (27-03-2016 16:00:30)
Running from C:\Users\Anki\Downloads
Loaded Profiles: Anki (Available Profiles: Anki)
Platform: Microsoft® Windows Vista™ Home Premium  Service Pack 2 (X86) Language: Svenska (Sverige)
Internet Explorer Version 9 (Default browser: FF)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(Microsoft Corporation) C:\Windows\System32\SLsvc.exe
(AVAST Software) C:\Program Files\AVAST Software\Avast\AvastSvc.exe
(Malwarebytes) C:\Program Files\Malwarebytes Anti-Malware\mbamscheduler.exe
(Malwarebytes) C:\Program Files\Malwarebytes Anti-Malware\mbamservice.exe
() C:\ProgramData\MobileBrServ\mbbService.exe
(Microsoft Corp.) C:\Program Files\Common Files\microsoft shared\Windows Live\WLIDSVC.EXE
(Microsoft Corp.) C:\Program Files\Common Files\microsoft shared\Windows Live\WLIDSVCM.EXE
(Malwarebytes) C:\Program Files\Malwarebytes Anti-Malware\mbam.exe
(Microsoft Corporation) C:\Program Files\Windows Defender\MSASCui.exe
(Realtek Semiconductor) C:\Windows\RtHDVCpl.exe
(Synaptics, Inc.) C:\Program Files\Synaptics\SynTP\SynTPStart.exe
(Intel Corporation) C:\Windows\System32\hkcmd.exe
(Intel Corporation) C:\Windows\System32\igfxpers.exe
(Intel Corporation) C:\Windows\System32\igfxsrvc.exe
(AVAST Software) C:\Program Files\AVAST Software\Avast\avastui.exe
(Microsoft Corporation) C:\Program Files\Windows Sidebar\sidebar.exe
(Microsoft Corporation) C:\Windows\ehome\ehtray.exe
(Microsoft Corporation) C:\Windows\ehome\ehmsas.exe
(Microsoft Corporation) C:\Program Files\Windows Sidebar\sidebar.exe
(Microsoft Corporation) C:\Windows\System32\wbem\unsecapp.exe
(Synaptics, Inc.) C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
(Microsoft Corporation) C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
(Mozilla Corporation) C:\Program Files\Mozilla Firefox\firefox.exe
(Microsoft Corporation) C:\Windows\System32\wuauclt.exe
(Microsoft Corporation) C:\Windows\System32\mmc.exe


==================== Registry (Whitelisted) ===========================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [Windows Defender] => C:\Program Files\Windows Defender\MSASCui.exe [1008184 2008-01-21] (Microsoft Corporation)
HKLM\...\Run: [RtHDVCpl] => C:\Windows\RtHDVCpl.exe [4669440 2007-07-06] (Realtek Semiconductor)
HKLM\...\Run: [SynTPStart] => C:\Program Files\Synaptics\SynTP\SynTPStart.exe [102400 2007-08-17] (Synaptics, Inc.)
HKLM\...\Run: [AvastUI.exe] => C:\Program Files\AVAST Software\Avast\AvastUI.exe [7139256 2016-03-24] (AVAST Software)
HKU\S-1-5-21-826142902-2630971588-3216476343-1000\...\Run: [ehTray.exe] => C:\Windows\ehome\ehTray.exe [125952 2008-01-21] (Microsoft Corporation)
HKU\S-1-5-21-826142902-2630971588-3216476343-1000\...\MountPoints2: F - F:\AutoRun.exe
HKU\S-1-5-21-826142902-2630971588-3216476343-1000\...\MountPoints2: {0331e905-2efc-11e4-929d-806e6f6e6963} - F:\AutoRun.exe
HKU\S-1-5-21-826142902-2630971588-3216476343-1000\...\MountPoints2: {10b3c8b9-a529-11e2-8aff-806e6f6e6963} - F:\AutoRun.exe
HKU\S-1-5-21-826142902-2630971588-3216476343-1000\...\MountPoints2: {26707a29-9374-11e4-9f7d-d06830659c88} - F:\AutoRun.exe
HKU\S-1-5-21-826142902-2630971588-3216476343-1000\...\MountPoints2: {5594d53d-a3c2-11e2-af50-000ae4cd0560} - F:\AutoRun.exe
HKU\S-1-5-21-826142902-2630971588-3216476343-1000\...\MountPoints2: {5594d5c5-a3c2-11e2-af50-000ae4cd0560} - F:\AutoRun.exe
HKU\S-1-5-21-826142902-2630971588-3216476343-1000\...\MountPoints2: {6693ab32-50d7-11e5-99c7-e85274ffa18b} - F:\AutoRun.exe
HKU\S-1-5-21-826142902-2630971588-3216476343-1000\...\MountPoints2: {72d48322-e080-11e3-9778-fa147064188b} - F:\AutoRun.exe
HKU\S-1-5-21-826142902-2630971588-3216476343-1000\...\MountPoints2: {7fcb1647-3b68-11e3-aca8-f5ab6bb7b087} - F:\AutoRun.exe
HKU\S-1-5-21-826142902-2630971588-3216476343-1000\...\MountPoints2: {a9e34a72-528c-11e5-b10c-a2b8f69270b1} - F:\AutoRun.exe
HKU\S-1-5-21-826142902-2630971588-3216476343-1000\...\MountPoints2: {b29af99c-a428-11e2-a096-000ae4cd0560} - F:\AutoRun.exe
HKU\S-1-5-21-826142902-2630971588-3216476343-1000\...\MountPoints2: {b7194fa0-91e6-11e4-8e3c-92848217748d} - F:\AutoRun.exe
HKU\S-1-5-21-826142902-2630971588-3216476343-1000\...\MountPoints2: {fa75f6e2-944e-11e4-9b1e-806e6f6e6963} - F:\AutoRun.exe
ShellIconOverlayIdentifiers: [00avast] -> {472083B0-C522-11CF-8763-00608CC02F24} => C:\Program Files\AVAST Software\Avast\ashShell.dll [2016-03-24] (AVAST Software)

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

Tcpip\Parameters: [DhcpNameServer] 192.168.8.1 192.168.8.1
Tcpip\..\Interfaces\{884DAE63-C386-4E68-A91A-89AF80653B46}: [DhcpNameServer] 192.168.8.1 192.168.8.1

Internet Explorer:
==================
SearchScopes: HKU\.DEFAULT -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-19 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-20 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-21-826142902-2630971588-3216476343-1000 -> {6A1806CD-94D4-4689-BA73-E35EA1EA9990} URL =
BHO: avast! Online Security -> {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} -> C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll [2016-03-24] (AVAST Software)
BHO: Windows Live ID Sign-in Helper -> {9030D464-4C02-4ABF-8ECC-5164760863C6} -> C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll [2011-03-28] (Microsoft Corp.)
BHO: Windows Live Messenger Companion Helper -> {9FDDE16B-836F-4806-AB1F-1455CBEFF289} -> C:\Program Files\Windows Live\Companion\companioncore.dll [2012-03-08] (Microsoft Corporation)
Toolbar: HKU\S-1-5-21-826142902-2630971588-3216476343-1000 -> No Name - {2318C2B1-4965-11D4-9B18-009027A5CD4F} -  No File
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} hxxp://download.eset.com/special/eos/OnlineScanner.cab

FireFox:
========
FF ProfilePath: C:\Users\Anki\AppData\Roaming\Mozilla\Firefox\Profiles\tphcomxb.default
FF DefaultSearchEngine: Bing
FF Plugin: @bankid.com/BankID säkerhetsprogram,version=5.1.3.2 -> C:\Program Files\BankID\npBispBrowser.dll [2014-04-09] (Finansiell ID-Teknik BID AB)
FF Plugin: @bankid.com/BankID säkerhetsprogram,version=5.1.4.3 -> C:\Program Files\BankID\npBispBrowser.dll [2014-04-09] (Finansiell ID-Teknik BID AB)
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files\Microsoft Silverlight\5.1.41212.0\npctrl.dll [2015-12-12] ( Microsoft Corporation)
FF Plugin: @microsoft.com/WLPG,version=15.4.3502.0922 -> C:\Program Files\Windows Live\Photo Gallery\NPWLPG.dll [2012-03-08] (Microsoft Corporation)
FF Plugin: @microsoft.com/WLPG,version=15.4.3555.0308 -> C:\Program Files\Windows Live\Photo Gallery\NPWLPG.dll [2012-03-08] (Microsoft Corporation)
FF Plugin: @microsoft.com/WPF,version=3.5 -> c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll [2008-07-29] (Microsoft Corporation)
FF Extension: Avast Online Security - C:\Users\Anki\AppData\Roaming\Mozilla\Firefox\Profiles\tphcomxb.default\Extensions\wrc@avast.com.xpi [2016-03-24]
FF Extension: Default - C:\Program Files\Mozilla Firefox\browser\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}.xpi [2016-03-19] [not signed]
FF HKLM\...\Firefox\Extensions: [{20a82645-c095-46ed-80e3-08825760534b}] - c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF Extension: Microsoft .NET Framework Assistant - c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension [2013-04-14] [not signed]
FF HKLM\...\Firefox\Extensions: [wrc@avast.com] - C:\Program Files\AVAST Software\Avast\WebRep\FF
FF Extension: Avast Online Security - C:\Program Files\AVAST Software\Avast\WebRep\FF [2016-03-24]

Chrome:
=======
CHR Profile: C:\Users\Anki\AppData\Local\Google\Chrome\User Data\Default
CHR Extension: (Google Dokument) - C:\Users\Anki\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake [2016-03-24]
CHR Extension: (Google Drive) - C:\Users\Anki\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2016-03-24]
CHR Extension: (YouTube) - C:\Users\Anki\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2016-03-24]
CHR Extension: (Google Dokument Offline) - C:\Users\Anki\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi [2016-03-24]
CHR Extension: (Avast Online Security) - C:\Users\Anki\AppData\Local\Google\Chrome\User Data\Default\Extensions\gomekmidlodglbbmalcneegieacbdmki [2016-03-24]
CHR Extension: (Betalning via Chrome Web Store) - C:\Users\Anki\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2016-03-24]
CHR Extension: (Gmail) - C:\Users\Anki\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2016-03-24]
CHR HKLM\...\Chrome\Extension: [gomekmidlodglbbmalcneegieacbdmki] - C:\Program Files\AVAST Software\Avast\WebRep\Chrome\aswWebRepChrome.crx [2016-03-24]

==================== Services (Whitelisted) ========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R2 avast! Antivirus; C:\Program Files\AVAST Software\Avast\AvastSvc.exe [237096 2016-03-24] (AVAST Software)
R2 MBAMScheduler; C:\Program Files\Malwarebytes Anti-Malware\mbamscheduler.exe [1514464 2016-03-10] (Malwarebytes)
R2 MBAMService; C:\Program Files\Malwarebytes Anti-Malware\mbamservice.exe [1136608 2016-03-10] (Malwarebytes)
R2 Mobile Broadband HL Service; C:\ProgramData\MobileBrServ\mbbservice.exe [242256 2014-08-20] ()
R2 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [272952 2008-01-21] (Microsoft Corporation)

===================== Drivers (Whitelisted) ==========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

S4 ahcix86s; C:\Windows\system32\drivers\ahcix86s.sys [170000 2007-12-19] (AMD Technologies Inc.)
R2 aswHwid; C:\Windows\system32\drivers\aswHwid.sys [32792 2016-03-24] (AVAST Software)
R1 aswKbd; C:\Windows\system32\drivers\aswKbd.sys [35096 2016-03-27] (AVAST Software)
R2 aswMonFlt; C:\Windows\system32\drivers\aswMonFlt.sys [91168 2016-03-24] (AVAST Software)
R1 aswRdr; C:\Windows\system32\drivers\aswRdr.sys [64272 2016-03-24] (AVAST Software)
R0 aswRvrt; C:\Windows\system32\Drivers\aswRvrt.sys [58776 2016-03-24] (AVAST Software)
R1 aswSnx; C:\Windows\system32\drivers\aswSnx.sys [816304 2016-03-24] (AVAST Software)
R1 aswSP; C:\Windows\system32\drivers\aswSP.sys [447848 2016-03-24] (AVAST Software)
R3 aswStmXP; C:\Windows\system32\drivers\aswStmXP.sys [171608 2016-03-24] (AVAST Software)
S3 aswTdi; C:\Windows\system32\drivers\aswTdi.sys [67088 2016-03-24] (AVAST Software)
R0 aswVmm; C:\Windows\system32\Drivers\aswVmm.sys [221240 2016-03-24] (AVAST Software)
S4 JRAID; C:\Windows\system32\drivers\jraid.sys [76688 2008-04-03] (JMicron Technology Corp.)
R3 MBAMProtector; C:\Windows\system32\drivers\mbam.sys [24448 2016-03-10] (Malwarebytes)
R3 MBAMSwissArmy; C:\Windows\system32\drivers\MBAMSwissArmy.sys [170200 2016-03-27] (Malwarebytes)
R3 MBAMWebAccessControl; C:\Windows\system32\drivers\mwac.sys [53120 2016-03-10] (Malwarebytes Corporation)
S3 hwdatacard; system32\DRIVERS\ewusbmdm.sys [X]
S3 hwusbdev; system32\DRIVERS\ewusbdev.sys [X]
S3 IpInIp; system32\DRIVERS\ipinip.sys [X]
S3 NwlnkFlt; system32\DRIVERS\nwlnkflt.sys [X]
S3 NwlnkFwd; system32\DRIVERS\nwlnkfwd.sys [X]
S3 rootrepeal; \??\C:\Windows\system32\drivers\rootrepeal.sys [X]

==================== NetSvcs (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)


==================== One Month Created files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2016-03-27 16:00 - 2016-03-27 16:02 - 00012527 _____ C:\Users\Anki\Downloads\FRST.txt
2016-03-27 15:59 - 2016-03-27 15:59 - 01725440 _____ (Farbar) C:\Users\Anki\Downloads\FRST.exe
2016-03-27 01:37 - 2016-03-27 01:37 - 00000902 _____ C:\Users\Public\Desktop\Avast SafeZone Browser.lnk
2016-03-27 01:37 - 2016-03-27 01:37 - 00000902 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Avast SafeZone Browser.lnk
2016-03-27 01:33 - 2016-03-27 01:31 - 00035096 _____ (AVAST Software) C:\Windows\system32\Drivers\aswKbd.sys
2016-03-26 20:35 - 2016-03-26 20:40 - 00002198 _____ C:\Users\Anki\Desktop\Rkill.txt
2016-03-26 13:21 - 2016-03-26 13:21 - 00000000 ____D C:\fsctmp
2016-03-26 13:19 - 2016-03-26 13:21 - 00000000 ____D C:\$fsctmp
2016-03-24 22:57 - 2016-03-26 22:22 - 00000000 ____D C:\Program Files\GUM9378.tmp
2016-03-24 21:38 - 2016-03-24 21:11 - 00334280 _____ (AVAST Software) C:\Windows\system32\aswBoot.exe
2016-03-24 21:16 - 2016-03-24 21:16 - 00000000 ____D C:\Users\Anki\AppData\Roaming\AVAST Software
2016-03-24 21:15 - 2016-03-24 21:15 - 05207096 _____ (AVAST Software) C:\Users\Public\Desktop\avast_free_antivirus_setup_online(2).exe
2016-03-24 21:15 - 2016-03-24 21:15 - 05207096 _____ (AVAST Software) C:\Users\Anki\Downloads\avast_free_antivirus_setup_online(2).exe
2016-03-24 21:13 - 2016-03-24 21:13 - 00001835 _____ C:\Users\Public\Desktop\Avast Free Antivirus.lnk
2016-03-24 21:13 - 2016-03-24 21:13 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\AVAST Software
2016-03-24 21:12 - 2016-03-24 21:12 - 00816304 _____ (AVAST Software) C:\Windows\system32\Drivers\aswSnx.sys
2016-03-24 21:12 - 2016-03-24 21:12 - 00447848 _____ (AVAST Software) C:\Windows\system32\Drivers\aswSP.sys
2016-03-24 21:12 - 2016-03-24 21:12 - 00221240 _____ (AVAST Software) C:\Windows\system32\Drivers\aswVmm.sys
2016-03-24 21:12 - 2016-03-24 21:12 - 00091168 _____ (AVAST Software) C:\Windows\system32\Drivers\aswMonFlt.sys
2016-03-24 21:12 - 2016-03-24 21:11 - 00171608 _____ (AVAST Software) C:\Windows\system32\Drivers\aswStmXP.sys
2016-03-24 21:12 - 2016-03-24 21:11 - 00067088 _____ (AVAST Software) C:\Windows\system32\Drivers\aswTdi.sys
2016-03-24 21:12 - 2016-03-24 21:11 - 00064272 _____ (AVAST Software) C:\Windows\system32\Drivers\aswRdr.sys
2016-03-24 21:12 - 2016-03-24 21:11 - 00058776 _____ (AVAST Software) C:\Windows\system32\Drivers\aswRvrt.sys
2016-03-24 21:12 - 2016-03-24 21:11 - 00032792 _____ (AVAST Software) C:\Windows\system32\Drivers\aswHwid.sys
2016-03-24 21:11 - 2016-03-24 21:11 - 00052184 _____ (AVAST Software) C:\Windows\avastSS.scr
2016-03-24 21:08 - 2016-03-27 01:26 - 00000000 ____D C:\Program Files\AVAST Software
2016-03-24 21:07 - 2016-03-24 21:07 - 05207096 _____ (AVAST Software) C:\Users\Anki\Downloads\avast_free_antivirus_setup_online(1).exe
2016-03-24 20:43 - 2016-03-24 20:43 - 00000364 _____ C:\Windows\Tasks\SafeZone scheduled Autoupdate 1458691937.job
2016-03-24 03:08 - 2016-03-24 03:08 - 00000000 _____ C:\Windows\system32\settings.dat
2016-03-24 00:23 - 2016-03-24 01:57 - 00000000 ____D C:\Program Files\Emsisoft Anti-Malware
2016-03-23 23:53 - 2016-03-23 23:53 - 02032072 _____ (Bleeping Computer, LLC) C:\Users\Anki\Downloads\rkill.exe
2016-03-23 23:33 - 2016-03-23 23:33 - 02032072 _____ (Bleeping Computer, LLC) C:\Users\Anki\Downloads\rkill.com
2016-03-23 23:24 - 2016-03-23 23:24 - 00000000 __RSH C:\MSDOS.SYS
2016-03-23 23:24 - 2016-03-23 23:24 - 00000000 __RSH C:\IO.SYS
2016-03-23 23:23 - 2016-03-23 23:24 - 00000347 _____ C:\Users\Anki\Downloads\EmsisoftAntiMalwareSetup_bc(1).exe
2016-03-23 23:01 - 2016-03-23 23:09 - 212514840 _____ (Emsisoft Ltd. ) C:\Users\Anki\Downloads\EmsisoftAntiMalwareSetup_bc.exe
2016-03-22 03:14 - 2016-03-22 03:14 - 00000000 __SHD C:\found.001
2016-03-21 04:11 - 2016-03-21 04:11 - 01529344 _____ C:\Users\Anki\Downloads\AdwCleaner(1).exe
2016-03-21 01:01 - 2016-03-21 01:02 - 00448512 _____ (OldTimer Tools) C:\Users\Anki\Downloads\TFC.exe
2016-03-19 00:32 - 2016-03-19 00:32 - 05207096 _____ (AVAST Software) C:\Users\Public\Desktop\avast_free_antivirus_setup_online.exe
2016-03-19 00:32 - 2016-03-19 00:32 - 05207096 _____ (AVAST Software) C:\Users\Anki\Downloads\avast_free_antivirus_setup_online.exe
2016-03-18 03:41 - 2016-03-18 03:41 - 164714926 _____ C:\Windows\MEMORY.DMP
2016-03-14 04:05 - 2016-03-14 04:05 - 00000000 ____D C:\7ef7e19dac6de15c4fd5241bda5350
2016-03-13 22:38 - 2016-02-09 02:17 - 01815552 _____ (Microsoft Corporation) C:\Windows\system32\jscript9.dll
2016-03-13 22:38 - 2016-02-09 02:15 - 12392960 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.dll
2016-03-13 22:38 - 2016-02-09 02:13 - 00367616 _____ (Microsoft Corporation) C:\Windows\system32\html.iec
2016-03-13 22:38 - 2016-02-09 02:12 - 09753600 _____ (Microsoft Corporation) C:\Windows\system32\ieframe.dll
2016-03-13 22:38 - 2016-02-09 02:12 - 01140224 _____ (Microsoft Corporation) C:\Windows\system32\urlmon.dll
2016-03-13 22:38 - 2016-02-09 02:11 - 01129472 _____ (Microsoft Corporation) C:\Windows\system32\wininet.dll
2016-03-13 22:38 - 2016-02-09 02:10 - 01804800 _____ (Microsoft Corporation) C:\Windows\system32\iertutil.dll
2016-03-13 22:38 - 2016-02-09 02:10 - 01427968 _____ (Microsoft Corporation) C:\Windows\system32\inetcpl.cpl
2016-03-13 22:38 - 2016-02-09 02:10 - 00718848 _____ (Microsoft Corporation) C:\Windows\system32\jscript.dll
2016-03-13 22:38 - 2016-02-09 02:10 - 00424960 _____ (Microsoft Corporation) C:\Windows\system32\vbscript.dll
2016-03-13 22:38 - 2016-02-09 02:10 - 00231936 _____ (Microsoft Corporation) C:\Windows\system32\url.dll
2016-03-13 22:38 - 2016-02-09 02:10 - 00142848 _____ (Microsoft Corporation) C:\Windows\system32\ieUnatt.exe
2016-03-13 22:38 - 2016-02-09 02:10 - 00065536 _____ (Microsoft Corporation) C:\Windows\system32\jsproxy.dll
2016-03-13 22:38 - 2016-02-09 02:09 - 02382848 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.tlb
2016-03-13 22:38 - 2016-02-09 02:09 - 00607744 _____ (Microsoft Corporation) C:\Windows\system32\msfeeds.dll
2016-03-13 22:38 - 2016-02-09 02:09 - 00353792 _____ (Microsoft Corporation) C:\Windows\system32\dxtmsft.dll
2016-03-13 22:38 - 2016-02-09 02:09 - 00223232 _____ (Microsoft Corporation) C:\Windows\system32\dxtrans.dll
2016-03-13 22:38 - 2016-02-09 02:09 - 00176640 _____ (Microsoft Corporation) C:\Windows\system32\ieui.dll
2016-03-13 22:38 - 2016-02-09 02:09 - 00073216 _____ (Microsoft Corporation) C:\Windows\system32\mshtmled.dll
2016-03-13 22:38 - 2016-02-09 02:09 - 00041472 _____ (Microsoft Corporation) C:\Windows\system32\msfeedsbs.dll
2016-03-13 22:38 - 2016-02-09 02:09 - 00011776 _____ (Microsoft Corporation) C:\Windows\system32\mshta.exe
2016-03-13 22:38 - 2016-02-09 02:09 - 00010752 _____ (Microsoft Corporation) C:\Windows\system32\msfeedssync.exe
2016-03-09 15:31 - 2016-03-20 15:21 - 00000000 ____D C:\Program Files\Mozilla Firefox

==================== One Month Modified files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2016-03-27 16:00 - 2015-03-24 20:58 - 00000000 ____D C:\FRST
2016-03-27 14:29 - 2008-04-10 10:20 - 01548536 _____ C:\Windows\system32\PerfStringBackup.INI
2016-03-27 14:29 - 2008-04-10 09:24 - 00649186 _____ C:\Windows\system32\perfh01D.dat
2016-03-27 14:29 - 2008-04-10 09:24 - 00142000 _____ C:\Windows\system32\perfc01D.dat
2016-03-27 14:29 - 2006-11-02 13:18 - 00000000 ____D C:\Windows\inf
2016-03-27 14:27 - 2014-04-17 14:38 - 00170200 _____ (Malwarebytes) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
2016-03-27 14:19 - 2014-03-19 10:18 - 00065536 _____ C:\Windows\system32\Ikeext.etl
2016-03-27 14:19 - 2006-11-02 15:01 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2016-03-27 14:19 - 2006-11-02 14:47 - 00003216 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
2016-03-27 14:19 - 2006-11-02 14:47 - 00003216 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
2016-03-27 01:22 - 2014-10-21 15:14 - 00000000 ____D C:\Program Files\Google
2016-03-26 22:22 - 2006-11-02 13:18 - 00000000 ____D C:\Windows\system32\spool
2016-03-26 22:22 - 2006-11-02 12:22 - 37748736 _____ C:\Windows\system32\config\system_previous
2016-03-26 22:22 - 2006-11-02 12:22 - 37486592 _____ C:\Windows\system32\config\software_previous
2016-03-26 22:13 - 2006-11-02 12:22 - 47448064 _____ C:\Windows\system32\config\components_previous
2016-03-26 22:13 - 2006-11-02 12:22 - 00057344 _____ C:\Windows\system32\config\sam_previous
2016-03-26 22:12 - 2006-11-02 12:22 - 00024576 _____ C:\Windows\system32\config\security_previous
2016-03-26 13:31 - 2013-04-13 00:44 - 00000000 ____D C:\Users\Anki
2016-03-26 04:34 - 2006-11-02 14:47 - 00009216 _____ C:\Windows\system32\umstartup.etl
2016-03-25 16:10 - 2006-11-02 14:47 - 00009216 _____ C:\Windows\system32\umstartup000.etl
2016-03-24 22:48 - 2014-10-21 15:14 - 00000000 ____D C:\Users\Anki\AppData\Local\Google
2016-03-24 22:24 - 2006-11-02 12:22 - 00212992 _____ C:\Windows\system32\config\default_previous
2016-03-24 21:16 - 2013-04-14 19:35 - 00001356 _____ C:\Users\Anki\AppData\Local\d3d9caps.dat
2016-03-24 21:08 - 2015-01-04 04:03 - 00000000 ____D C:\ProgramData\AVAST Software
2016-03-24 21:01 - 2013-04-14 19:34 - 08659392 _____ C:\Windows\ntbtlog.txt
2016-03-24 01:31 - 2015-01-02 00:42 - 00000905 _____ C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2016-03-24 01:31 - 2015-01-02 00:42 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes Anti-Malware
2016-03-24 01:31 - 2014-06-17 20:15 - 00000000 ____D C:\Program Files\Malwarebytes Anti-Malware
2016-03-23 09:38 - 2006-11-02 15:01 - 00032586 _____ C:\Windows\Tasks\SCHEDLGU.TXT
2016-03-21 05:07 - 2015-11-21 23:09 - 00000000 ____D C:\AdwCleaner
2016-03-20 15:21 - 2015-07-07 23:48 - 00000000 ____D C:\Program Files\Mozilla Maintenance Service
2016-03-18 05:38 - 2006-11-02 13:18 - 00000000 ____D C:\Windows\rescache
2016-03-18 00:38 - 2006-11-02 13:18 - 00000000 ____D C:\Program Files\Common Files\System
2016-03-18 00:38 - 2006-11-02 13:18 - 00000000 ____D C:\Program Files\Common Files\Services
2016-03-10 15:09 - 2015-01-02 00:42 - 00053120 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mwac.sys
2016-03-10 15:08 - 2015-01-02 00:42 - 00126336 _____ (Malwarebytes) C:\Windows\system32\Drivers\mbamchameleon.sys
2016-03-10 15:08 - 2015-01-02 00:42 - 00024448 _____ (Malwarebytes) C:\Windows\system32\Drivers\mbam.sys
2016-03-08 03:45 - 2013-04-13 00:44 - 00000000 ____D C:\Users\Anki\AppData\Local\Adobe

==================== Files in the root of some directories =======

2013-04-13 00:48 - 2015-09-04 00:51 - 0000160 _____ () C:\Users\Anki\AppData\Roaming\addDefaultValueForDevicePathKey.reg
2013-11-05 01:18 - 2013-11-05 01:18 - 0024206 _____ () C:\Users\Anki\AppData\Roaming\UserTile.png
2013-04-14 19:35 - 2016-03-24 21:16 - 0001356 _____ () C:\Users\Anki\AppData\Local\d3d9caps.dat
2013-05-22 16:53 - 2013-05-22 16:53 - 0003584 _____ () C:\Users\Anki\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini

Some files in TEMP:
====================
C:\Users\Anki\AppData\Local\Temp\sqlite3.dll


==================== Bamital & volsnap =================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\explorer.exe => File is digitally signed
C:\Windows\system32\winlogon.exe => File is digitally signed
C:\Windows\system32\wininit.exe => File is digitally signed
C:\Windows\system32\svchost.exe => File is digitally signed
C:\Windows\system32\services.exe => File is digitally signed
C:\Windows\system32\User32.dll => File is digitally signed
C:\Windows\system32\userinit.exe => File is digitally signed
C:\Windows\system32\rpcss.dll => File is digitally signed
C:\Windows\system32\dnsapi.dll => File is digitally signed
C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed


LastRegBack: 2016-03-27 15:18

==================== End of FRST.txt ============================

#2 mAL_rEm018

mAL_rEm018

  • Malware Response Team
  • 308 posts
  • ONLINE
  • Gender:Male
  • Local time:04:18 PM

Posted 30 March 2016 - 12:22 AM

Please note that all instructions given are customised for this computer only, the tools used may cause damage if used on a computer with different infections.

If you think you have similar problems, please post a log in the Malware Removal forum and wait for help.

Failure to post replies within 4 days will result in this thread being closed.

Hello Annie55,

My name is mAL_rEm018, but feel free to call me mAL. I will be helping you with your malware-related problems. :)

Please be aware that removing malware is a potentially hazardous undertaking. I will take care not to knowingly suggest courses of action that might damage your computer. However, it is impossible for me to foresee all interactions that may happen between the software on your computer and the tools we'll use to clear you of infection, and I cannot guarantee the safety of your system. It is possible that we might encounter situations where the only recourse is to re-format and re-install your operating system, or to necessitate taking your computer to a repair shop.

Because of this, I advise you to backup any personal files and folders before you start.

Cobian Backup
DriveImage XML

To make sure everything goes smoothly, I would like you to observe the following rules:

  • You must have Administrator rights/permissions for this computer.
  • Please reply to this thread. Do not start another topic.
  • Perform all actions in the order given.
  • If you don't know, stop and ask!
  • DO NOT run any other fix or removal tools unless instructed to do so!
  • Don't attempt to install any new software (other than those I ask you to) until your computer is clean.
  • DO NOT post for help at any other forum. Applying fixes from multiple help sites can cause problems.
  • I advise you to print the instructions if possible, since your internet connection might not be available during some of the fixes.
  • Absence of symptoms does not mean that everything is clear, therefore stick with this topic until I give you the "all clear".


While I review the log you provided, please do the following:

  • Please rerun FRST as you did before, making sure to check the Addition.txt box before clicking Scan. Once the scan is over, a window entitled "Addition.txt" will open. Please post the contents of Addition.txt in your next reply.

Teacher at the Malware Removal University.

Member of UNITE

Failure to post replies within 4 days will result in this thread being closed.


#3 Annie55

Annie55
  • Topic Starter

  • Members
  • 32 posts
  • OFFLINE
  • Local time:02:18 PM

Posted 30 March 2016 - 05:25 AM

Hi Mal-rem 018, Thanks for replying! I totally understand everything is at my own risk. Just a few things to ask: I did a backup CD via the recovery program on my laptop, is that of no good and better to do a "Cobian backup"? Secondly, about administrator, I have one, but am never asked to use it (when allowing downloads etc.) and I am the only one using this laptop, perhaps that's why? Will try to find that out. Lastly, so no misunderstandings, about the FRST scan, I attached an Addition.txt in the first post, thought I followed the manual correctly by doing so, pls see below. If you still want me to run another FRST scan let me know. So appreciate some help! /Annie


Additional scan result of Farbar Recovery Scan Tool (x86) Version:05-03-2016 01
Ran by Anki (2016-03-27 16:04:05)
Running from C:\Users\Anki\Downloads
Microsoft® Windows Vista™ Home Premium  Service Pack 2 (X86) (2013-04-13 07:26:19)
Boot Mode: Normal
==========================================================


==================== Accounts: =============================

Administratör (S-1-5-21-826142902-2630971588-3216476343-500 - Administrator - Disabled)
Anki (S-1-5-21-826142902-2630971588-3216476343-1000 - Administrator - Enabled) => C:\Users\Anki
Gäst (S-1-5-21-826142902-2630971588-3216476343-501 - Limited - Disabled)

==================== Security Center ========================

(If an entry is included in the fixlist, it will be removed.)

AV: avast! Antivirus (Enabled - Up to date) {17AD7D40-BA12-9C46-7131-94903A54AD8B}
AS: Windows Defender (Enabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
AS: avast! Antivirus (Enabled - Up to date) {ACCC9CA4-9C28-93C8-4B81-AFE241D3E736}

==================== Installed Programs ======================

(Only the adware programs with "Hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)

ActiveX-kontroll för fjärranslutningar för Windows Live Mesh (HKLM\...\{376D59B1-42D9-4FA2-B6CC-E346B6BE14F5}) (Version: 15.4.5722.2 - Microsoft Corporation)
Avast Free Antivirus (HKLM\...\Avast) (Version: 11.1.2253 - AVAST Software)
BankID säkerhetsprogram (HKLM\...\{2D6973ED-BBF2-434E-993C-37E05087B8C8}) (Version: 5.1.4.3 - Finansiell ID-Teknik BID AB)
D3DX10 (Version: 15.4.2368.0902 - Microsoft) Hidden
Google Update Helper (Version: 1.3.21.169 - Google Inc.) Hidden
Google Update Helper (Version: 1.3.29.5 - Google Inc.) Hidden
Intel® Graphics Media Accelerator Driver (HKLM\...\HDMI) (Version:  - )
Junk Mail filter update (Version: 15.4.3502.0922 - Microsoft Corporation) Hidden
Malwarebytes Anti-Malware version 2.2.1.1043 (HKLM\...\Malwarebytes Anti-Malware_is1) (Version: 2.2.1.1043 - Malwarebytes)
Mesh Runtime (Version: 15.4.5722.2 - Microsoft Corporation) Hidden
Messenger Companion (Version: 15.4.3502.0922 - Microsoft Corporation) Hidden
Microsoft .NET Framework 3.5 SP1 (HKLM\...\Microsoft .NET Framework 3.5 SP1) (Version:  - Microsoft Corporation)
Microsoft .NET Framework 4.5.2 (HKLM\...\{92FB6C44-E685-45AD-9B20-CADF4CABA132} - 1033) (Version: 4.5.51209 - Microsoft Corporation)
Microsoft .NET Framework 4.5.2 (svenska) (HKLM\...\{92FB6C44-E685-45AD-9B20-CADF4CABA132} - 1053) (Version: 4.5.51209 - Microsoft Corporation)
Microsoft Silverlight (HKLM\...\{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}) (Version: 5.1.41212.0 - Microsoft Corporation)
Microsoft SQL Server 2005 Compact Edition [ENU] (HKLM\...\{F0B430D1-B6AA-473D-9B06-AA3DD01FD0B8}) (Version: 3.1.0000 - Microsoft Corporation)
Mobile Broadband HL Service (HKLM\...\Mobile Broadband HL Service) (Version: 22.001.26.01.03 - Huawei Technologies Co.,Ltd)
Mozilla Firefox 45.0.1 (x86 sv-SE) (HKLM\...\Mozilla Firefox 45.0.1 (x86 sv-SE)) (Version: 45.0.1 - Mozilla)
Mozilla Maintenance Service (HKLM\...\MozillaMaintenanceService) (Version: 45.0.1.5918 - Mozilla)
MSXML 4.0 SP3 Parser (HKLM\...\{196467F1-C11F-4F76-858B-5812ADC83B94}) (Version: 4.30.2100.0 - Microsoft Corporation)
MSXML 4.0 SP3 Parser (KB2758694) (HKLM\...\{1D95BA90-F4F8-47EC-A882-441C99D30C1E}) (Version: 4.30.2117.0 - Microsoft Corporation)
MSXML 4.0 SP3 Parser (KB973685) (HKLM\...\{859DFA95-E4A6-48CD-B88E-A3E483E89B44}) (Version: 4.30.2107.0 - Microsoft Corporation)
Nero 8 Essentials (HKLM\...\{96AFCF8B-3C53-49A2-8456-E637021B1053}) (Version: 8.10.368 - Nero AG)
Realtek High Definition Audio Driver (HKLM\...\{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}) (Version:  - )
SafeZone Stable 1.48.2066.44 (Version: 1.48.2066.44 - Avast Software) Hidden
Segoe UI (Version: 15.4.2271.0615 - Microsoft Corp) Hidden
Språkpaket för Microsoft .NET Framework 3.5 SP 1 - sve (HKLM\...\Microsoft .NET Framework 3.5 Language Pack SP1 - sve) (Version:  - Microsoft Corporation)
Synaptics Pointing Device Driver (HKLM\...\SynTPDeinstKey) (Version: 10.0.12.0 - Synaptics)
VCRedistSetup (Version: 1.0.0 - Nero AG) Hidden
Windows Live Essentials (HKLM\...\WinLiveSuite) (Version: 15.4.3555.0308 - Microsoft Corporation)

==================== Custom CLSID (Whitelisted): ==========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)


==================== Scheduled Tasks (Whitelisted) =============

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

Task: {10C89C7C-05DB-4237-A33B-20DC6430377C} - System32\Tasks\SafeZone scheduled Autoupdate 1458691937 => C:\Program Files\AVAST Software\SZBrowser\launcher.exe [2016-02-01] (Avast Software)
Task: {11E8C0E0-E263-4600-8678-C75EA78A44E0} - System32\Tasks\avast! Emergency Update => C:\Program Files\AVAST Software\Avast\AvastEmUpdate.exe [2016-03-24] (AVAST Software)
Task: {2F179423-44A0-49C7-A495-11E47F21A952} - System32\Tasks\{80451F65-7A94-44D9-9924-D6EA0C46BCE6} => pcalua.exe -a C:\Users\Anki\AppData\Local\Tific\Download\HuaweiGenericDriver.exe -d "C:\Program Files\Tele2 Connect" -c /S
Task: {92F1B976-64EA-40D6-9FE7-C31E27851323} - System32\Tasks\SafeZone scheduled Autoupdate 1459035377 => C:\Program Files\AVAST Software\SZBrowser\launcher.exe [2016-02-01] (Avast Software)
Task: {A8237082-331B-4DB9-99FD-11F8216B1581} - System32\Tasks\{431B1150-44F6-438F-809A-30DE5B163680} => pcalua.exe -a C:\Users\Anki\Downloads\EmsisoftAntiMalwareSetup_bc(1).exe -d C:\Users\Anki\Downloads
Task: {B27A4A5F-AABE-482E-BA72-3EA17DAE6115} - System32\Tasks\Microsoft\Windows\RestartManager\{8F1DA40B-F87E-410c-9AD5-84137F3095CB} => C:\Windows\system32\rmclient.exe [2006-11-02] (Microsoft Corporation)
Task: {EA0FB279-F49A-4454-84B4-9E2CDC8F225A} - System32\Tasks\{A05C225B-2868-4476-B216-D09115D41EC9} => pcalua.exe -a "C:\Program Files\Tele2 Connect\WVPNCpl.cpl"

(If an entry is included in the fixlist, the task (.job) file will be moved. The file which is running by the task will not be moved.)

Task: C:\Windows\Tasks\SafeZone scheduled Autoupdate 1458691937.job => C:\Program Files\AVAST Software\SZBrowser\launcher.exe

==================== Shortcuts =============================

(The entries could be listed to be restored or removed.)

==================== Loaded Modules (Whitelisted) ==============

2016-03-24 21:11 - 2016-03-24 21:11 - 00113496 _____ () C:\Program Files\AVAST Software\Avast\log.dll
2016-03-24 21:11 - 2016-03-24 21:11 - 00133768 _____ () C:\Program Files\AVAST Software\Avast\JsonRpcServer.dll
2016-03-27 01:13 - 2016-03-27 01:13 - 02843136 _____ () C:\Program Files\AVAST Software\Avast\defs\16032600\algo.dll
2016-03-24 21:11 - 2016-03-24 21:11 - 00480760 _____ () C:\Program Files\AVAST Software\Avast\ffl2.dll
2016-03-27 14:22 - 2016-03-27 14:22 - 02846208 _____ () C:\Program Files\AVAST Software\Avast\defs\16032701\algo.dll
2015-09-08 17:00 - 2014-08-20 09:27 - 00242256 _____ () C:\ProgramData\MobileBrServ\mbbservice.exe
2016-03-24 21:11 - 2016-03-24 21:11 - 40539648 _____ () C:\Program Files\AVAST Software\Avast\libcef.dll

==================== Alternate Data Streams (Whitelisted) =========

(If an entry is included in the fixlist, only the ADS will be removed.)


==================== Safe Mode (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The "AlternateShell" value will be restored.)


==================== EXE Association (Whitelisted) ===============

(If an entry is included in the fixlist, the registry item will be restored to default or removed.)


==================== Internet Explorer trusted/restricted ===============

(If an entry is included in the fixlist, it will be removed from the registry.)


==================== Hosts content: ===============================

(If needed Hosts: directive could be included in the fixlist to reset Hosts.)

2006-11-02 12:23 - 2015-11-02 23:34 - 00000763 ____A C:\Windows\system32\Drivers\etc\hosts

127.0.0.1       localhost
::1             localhost

==================== Other Areas ============================

(Currently there is no automatic fix for this section.)

HKU\S-1-5-21-826142902-2630971588-3216476343-1000\Control Panel\Desktop\\Wallpaper -> C:\Users\Public\Pictures\Sample Pictures\Dock.jpg
DNS Servers: 192.168.8.1
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System => (ConsentPromptBehaviorAdmin: 2) (ConsentPromptBehaviorUser: 1) (EnableLUA: 1)
Windows Firewall is enabled.

==================== MSCONFIG/TASK MANAGER disabled items ==

(Currently there is no automatic fix for this section.)

MSCONFIG\startupreg: Ad-Aware Browsing Protection => "C:\ProgramData\Ad-Aware Browsing Protection\adawarebp.exe"
MSCONFIG\startupreg: CtrlVol => C:\Program Files\Launch Manager\CtrlVol.exe
MSCONFIG\startupreg: LaunchAp => C:\Program Files\Launch Manager\LaunchAp.exe
MSCONFIG\startupreg: NeroFilterCheck => C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
MSCONFIG\startupreg: Wbutton => C:\Program Files\Launch Manager\WButton.exe

==================== FirewallRules (Whitelisted) ===============

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

FirewallRules: [WinCollab-Out-UDP] => (Allow) %ProgramFiles%\Windows Collaboration\WinCollab.exe
FirewallRules: [WinCollab-In-UDP] => (Allow) %ProgramFiles%\Windows Collaboration\WinCollab.exe
FirewallRules: [WinCollab-Out-TCP] => (Allow) %ProgramFiles%\Windows Collaboration\WinCollab.exe
FirewallRules: [WinCollab-In-TCP] => (Allow) %ProgramFiles%\Windows Collaboration\WinCollab.exe
FirewallRules: [WinCollab-DFSR-Out-TCP] => (Allow) %SystemRoot%\system32\dfsr.exe
FirewallRules: [WinCollab-DFSR-In-TCP] => (Allow) %SystemRoot%\system32\dfsr.exe
FirewallRules: [{99723A63-16EC-4983-8AA7-018749A04148}] => (Allow) LPort=80
FirewallRules: [{3B75E4D1-3DAB-4C34-BAEA-57CC82A80970}] => (Allow) LPort=80
FirewallRules: [{CAE91FC6-C46C-4E70-B764-229FA2AF6C8B}] => (Allow) LPort=80
FirewallRules: [{BDB2E154-2CFC-483B-83A6-5B47C307C70F}] => (Allow) C:\Windows\Microsoft.NET\Framework\v4.0.30319\SMSvcHost.exe
FirewallRules: [{7640F546-0E0E-4CC3-9B4F-E002BEAF59C6}] => (Allow) C:\Program Files\Windows Live\Contacts\wlcomm.exe
FirewallRules: [{CDE60F2B-E044-4F35-9270-6B069BDC1998}] => (Allow) LPort=2869
FirewallRules: [{C8ED0DA2-6C35-4030-82CB-C8012B160E8B}] => (Allow) LPort=1900
FirewallRules: [{8972DD9E-FC78-4B58-93F7-BAE6D7FAB829}] => (Allow) C:\Program Files\Windows Live\Messenger\msnmsgr.exe
FirewallRules: [{BF08E7B6-6BBF-4C0F-934B-F2678ED6B641}] => (Allow) C:\Program Files\Windows Live\Mesh\MOE.exe
FirewallRules: [{D9250A5A-82EF-4BE4-8CA3-DAE3EFF5EDF8}] => (Allow) C:\Program Files\Mozilla Firefox\firefox.exe
FirewallRules: [{59D27BC2-814B-4742-B3CA-CCC9E529AE58}] => (Allow) C:\Program Files\Mozilla Firefox\firefox.exe
FirewallRules: [{AB1254DC-A2C8-4E55-A0DA-A2527D0B06B4}] => (Allow) C:\Program Files\Mozilla Firefox\firefox.exe
FirewallRules: [{3E02F0E5-DDA8-4A7C-88CF-E096B3976F8F}] => (Allow) C:\Program Files\Mozilla Firefox\firefox.exe
FirewallRules: [{AA7696AC-1A47-4DCE-A529-741BD2BF40A5}] => (Allow) C:\Program Files\Windows Live\Mesh\MOE.exe
FirewallRules: [{90CF5A02-DDD7-46A9-866B-18833E71F597}] => (Allow) C:\Program Files\Windows Live\Messenger\msnmsgr.exe

==================== Restore Points =========================

27-03-2016 01:11:27 Windows Update
27-03-2016 14:37:15 Windows Update

==================== Faulty Device Manager Devices =============

Name: 6TO4 Adapter
Description: Microsoft 6to4 Adapter
Class Guid: {4d36e972-e325-11ce-bfc1-08002be10318}
Manufacturer: Microsoft
Service: tunnel
Problem: : This device is not working properly because Windows cannot load the drivers required for this device. (Code 31)
Resolution: Update the driver

Name: Microsoft 6to4 Adapter #21
Description: Microsoft 6to4 Adapter
Class Guid: {4d36e972-e325-11ce-bfc1-08002be10318}
Manufacturer: Microsoft
Service: tunnel
Problem: : This device is not working properly because Windows cannot load the drivers required for this device. (Code 31)
Resolution: Update the driver

Name: Microsoft 6to4 Adapter #41
Description: Microsoft 6to4 Adapter
Class Guid: {4d36e972-e325-11ce-bfc1-08002be10318}
Manufacturer: Microsoft
Service: tunnel
Problem: : This device is not working properly because Windows cannot load the drivers required for this device. (Code 31)
Resolution: Update the driver

Name: Realtek PCIe FE Family Controller
Description: Realtek PCIe FE Family Controller
Class Guid: {4d36e972-e325-11ce-bfc1-08002be10318}
Manufacturer: Realtek
Service: RTL8169
Problem: : This device is disabled. (Code 22)
Resolution: In Device Manager, click "Action", and then click "Enable Device". This starts the Enable Device wizard. Follow the instructions.


==================== Event log errors: =========================

Application errors:
==================
Error: (03/27/2016 03:16:49 PM) (Source: ESENT) (EventID: 447) (User: )
Description: Catalog Database (1580) Catalog Database: Det finns en skadad sidlänk (fel -327) i ett B-träd (objekt-ID: 8, PgnoRoot: 35) i databasen C:\Windows\system32\CatRoot2\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\catdb (427 => 3033, Catalog Database0).

Error: (03/27/2016 03:16:49 PM) (Source: ESENT) (EventID: 447) (User: )
Description: Catalog Database (1580) Catalog Database: Det finns en skadad sidlänk (fel -327) i ett B-träd (objekt-ID: 8, PgnoRoot: 35) i databasen C:\Windows\system32\CatRoot2\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\catdb (427 => 3033, Catalog Database0).

Error: (03/27/2016 03:16:49 PM) (Source: ESENT) (EventID: 447) (User: )
Description: Catalog Database (1580) Catalog Database: Det finns en skadad sidlänk (fel -327) i ett B-träd (objekt-ID: 8, PgnoRoot: 35) i databasen C:\Windows\system32\CatRoot2\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\catdb (427 => 3033, Catalog Database0).

Error: (03/27/2016 03:16:49 PM) (Source: ESENT) (EventID: 447) (User: )
Description: Catalog Database (1580) Catalog Database: Det finns en skadad sidlänk (fel -327) i ett B-träd (objekt-ID: 8, PgnoRoot: 35) i databasen C:\Windows\system32\CatRoot2\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\catdb (427 => 3033, Catalog Database0).

Error: (03/27/2016 03:16:48 PM) (Source: ESENT) (EventID: 447) (User: )
Description: Catalog Database (1580) Catalog Database: Det finns en skadad sidlänk (fel -327) i ett B-träd (objekt-ID: 8, PgnoRoot: 35) i databasen C:\Windows\system32\CatRoot2\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\catdb (427 => 3033, Catalog Database0).

Error: (03/27/2016 03:16:48 PM) (Source: ESENT) (EventID: 447) (User: )
Description: Catalog Database (1580) Catalog Database: Det finns en skadad sidlänk (fel -327) i ett B-träd (objekt-ID: 8, PgnoRoot: 35) i databasen C:\Windows\system32\CatRoot2\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\catdb (427 => 3033, Catalog Database0).

Error: (03/27/2016 03:16:48 PM) (Source: ESENT) (EventID: 447) (User: )
Description: Catalog Database (1580) Catalog Database: Det finns en skadad sidlänk (fel -327) i ett B-träd (objekt-ID: 8, PgnoRoot: 35) i databasen C:\Windows\system32\CatRoot2\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\catdb (427 => 3033, Catalog Database0).

Error: (03/27/2016 03:16:47 PM) (Source: ESENT) (EventID: 447) (User: )
Description: Catalog Database (1580) Catalog Database: Det finns en skadad sidlänk (fel -327) i ett B-träd (objekt-ID: 8, PgnoRoot: 35) i databasen C:\Windows\system32\CatRoot2\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\catdb (427 => 3033, Catalog Database0).

Error: (03/27/2016 03:16:47 PM) (Source: ESENT) (EventID: 447) (User: )
Description: Catalog Database (1580) Catalog Database: Det finns en skadad sidlänk (fel -327) i ett B-träd (objekt-ID: 8, PgnoRoot: 35) i databasen C:\Windows\system32\CatRoot2\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\catdb (427 => 3033, Catalog Database0).

Error: (03/27/2016 03:15:22 PM) (Source: ESENT) (EventID: 447) (User: )
Description: Catalog Database (1580) Catalog Database: Det finns en skadad sidlänk (fel -327) i ett B-träd (objekt-ID: 8, PgnoRoot: 35) i databasen C:\Windows\system32\CatRoot2\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\catdb (427 => 3033, Catalog Database0).


System errors:
=============
Error: (03/27/2016 03:16:54 PM) (Source: Microsoft-Windows-Servicing) (EventID: 4375) (User: NT INSTANS)
Description: Windows Servicing kunde inte ange status för paketet KB3140410(Security Update) till Matchad(Resolved)

Error: (03/27/2016 03:16:54 PM) (Source: Microsoft-Windows-Servicing) (EventID: 4375) (User: NT INSTANS)
Description: Windows Servicing kunde inte ange status för paketet KB3140410(Security Update) till Matchad(Resolved)

Error: (03/27/2016 03:16:54 PM) (Source: Microsoft-Windows-Servicing) (EventID: 4375) (User: NT INSTANS)
Description: Windows Servicing kunde inte ange status för paketet KB3140410(Security Update) till Matchad(Resolved)

Error: (03/27/2016 03:16:54 PM) (Source: Microsoft-Windows-Servicing) (EventID: 4375) (User: NT INSTANS)
Description: Windows Servicing kunde inte ange status för paketet KB3140410(Security Update) till Matchad(Resolved)

Error: (03/27/2016 03:16:54 PM) (Source: Microsoft-Windows-Servicing) (EventID: 4375) (User: NT INSTANS)
Description: Windows Servicing kunde inte ange status för paketet KB3140410(Security Update) till Matchad(Resolved)

Error: (03/27/2016 03:16:54 PM) (Source: Microsoft-Windows-Servicing) (EventID: 4375) (User: NT INSTANS)
Description: Windows Servicing kunde inte ange status för paketet KB3140410(Security Update) till Matchad(Resolved)

Error: (03/27/2016 03:16:54 PM) (Source: Microsoft-Windows-Servicing) (EventID: 4375) (User: NT INSTANS)
Description: Windows Servicing kunde inte ange status för paketet KB3140410(Security Update) till Matchad(Resolved)

Error: (03/27/2016 03:16:54 PM) (Source: Microsoft-Windows-Servicing) (EventID: 4375) (User: NT INSTANS)
Description: Windows Servicing kunde inte ange status för paketet KB3140410(Security Update) till Matchad(Resolved)

Error: (03/27/2016 03:16:54 PM) (Source: Microsoft-Windows-Servicing) (EventID: 4375) (User: NT INSTANS)
Description: Windows Servicing kunde inte ange status för paketet KB3140410(Security Update) till Matchad(Resolved)

Error: (03/27/2016 03:15:26 PM) (Source: Microsoft-Windows-Servicing) (EventID: 4375) (User: NT INSTANS)
Description: Windows Servicing kunde inte ange status för paketet KB3118401(Update) till Matchad(Resolved)


CodeIntegrity:
===================================
  Date: 2016-03-27 16:03:38.496
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\drivers\mwac.sys because the set of per-page image hashes could not be found on the system.

  Date: 2016-03-27 16:03:34.362
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\drivers\mwac.sys because the set of per-page image hashes could not be found on the system.

  Date: 2016-03-27 16:03:31.725
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\drivers\mwac.sys because the set of per-page image hashes could not be found on the system.

  Date: 2016-03-27 16:03:29.136
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\drivers\mwac.sys because the set of per-page image hashes could not be found on the system.

  Date: 2016-03-27 16:03:25.641
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\drivers\mbamchameleon.sys because the set of per-page image hashes could not be found on the system.

  Date: 2016-03-27 16:03:23.286
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\drivers\mbamchameleon.sys because the set of per-page image hashes could not be found on the system.

  Date: 2016-03-27 16:03:20.649
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\drivers\mbamchameleon.sys because the set of per-page image hashes could not be found on the system.

  Date: 2016-03-27 16:03:17.951
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\drivers\mbamchameleon.sys because the set of per-page image hashes could not be found on the system.

  Date: 2016-03-27 16:01:32.072
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\drivers\mwac.sys because the set of per-page image hashes could not be found on the system.

  Date: 2016-03-27 16:01:29.623
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\drivers\mwac.sys because the set of per-page image hashes could not be found on the system.


==================== Memory info ===========================

Processor: Genuine Intel® CPU T1400 @ 1.73GHz
Percentage of memory in use: 58%
Total physical RAM: 2037.69 MB
Available physical RAM: 845.01 MB
Total Virtual: 4320.62 MB
Available Virtual: 2317.18 MB

==================== Drives ================================

Drive c: (System) (Fixed) (Total:92.7 GB) (Free:42.82 GB) NTFS ==>[drive with boot components (obtained from BCD)]
Drive d: (Data) (Fixed) (Total:47.56 GB) (Free:26.46 GB) NTFS

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (MBR Code: Windows 7 or Vista) (Size: 149.1 GB) (Disk ID: 7B2C9D29)
Partition 1: (Not Active) - (Size=8.8 GB) - (Type=27)
Partition 2: (Active) - (Size=92.7 GB) - (Type=07 NTFS)
Partition 3: (Not Active) - (Size=47.6 GB) - (Type=07 NTFS)

==================== End of Addition.txt ============================



#4 mAL_rEm018

mAL_rEm018

  • Malware Response Team
  • 308 posts
  • ONLINE
  • Gender:Male
  • Local time:04:18 PM

Posted 31 March 2016 - 01:53 AM

Hello Annie55,
 

Just a few things to ask, I did a backup cd via the recovery program at my laptop, is that of no good and better to do a "Cobian backup" ?

If you already have a backup of the data on your computer, then it is not necessary to perform another one.



Secondly, about administrator, I have one, but am never asked to use it (when allowing downloads etc) and I am the only one using this laptop, perhaps that's why? Will try to find that out.

You can keep performing the scans from the account you have been using so far, since it is an administrator account:


C:\Users\Anki


Lastly, so no misunderstandings, about the FRST scan, I attached an ADDITION.txt in the first post, thought I followed the manual correctly by doing so, pls see below. If you still want me to run another FRST scan let me know.

No need to run FRST again. The Addition.txt log you posted in your last reply is exactly what I was looking for.


Before we proceed any further, let's create a backup of your registry..


  • Please download TCRB to your Desktop.
  • Open Tweaking.com Registry Backup.
  • Click on the Backup Registry tab and ensure that all options are checked.
  • Press on Backup Now.
  • Wait until the backup is complete and exit the program.


It is clear from the logs that you've supplied that you have made several attempts at self-help prior to coming here to Bleeping Computer. It appears you've run a number of tools, and I need to see the logs that those tools created.

That does not mean I want you to run those tools again, it means I need to see the logs that were created when you ran them earlier.

Each will have created a report, and unless you have deleted them, or moved them, then they should be in the following locations ....


C:\Users\Anki\Desktop\Rkill.txt
C:\AdwCleaner\AdwCleaner[C*].txt  (* is the number of times the program ran)

.... if they are not in those locations, then please run a search for them to see if they are present somewhere else on your machine.

If you can't find them, then please let me know.



I also notice you recently ran Malwarebytes Anti-Malware.  I would also like to see the log that was created..


  • Please open Malwarebytes Anti-Malware.
  • Click History and then select Application Logs.
  • Double-click on the scan log by looking at the timestamp (it should be in the following order: Day/Month/Year Time)
  • Click Export and select Text file (*.txt).
  • In the File name: box, please write MBAM Log and save it to your desktop.
  • Once the process is over, a message will appear stating that the file has been successfully exported.  Click OK.
  • Please post the contents of MBAM Log.txt in your next reply.



-----------------------------------------
In your next reply, I would like to see..

  • Did you have trouble performing any of the steps?
  • Rkill.txt
  • AdwCleaner Report
  • MBAM Log.txt

 


Teacher at the Malware Removal University.

Member of UNITE

 

Failure to post replies within 4 days will result in this thread being closed


#5 Annie55

Annie55
  • Topic Starter

  • Members
  • 32 posts
  • OFFLINE
  • Local time:02:18 PM

Posted 31 March 2016 - 09:13 AM

Hi again Mal,

 

The backup registry was downloaded and saved with success. The Rkill was found at the correct place as txt, but there's no history docs, but today's date..

 

Rkill 2.8.3 by Lawrence Abrams (Grinler)
http://www.bleepingcomputer.com/
Copyright 2008-2016 BleepingComputer.com
More Information about Rkill can be found at this link:
 http://www.bleepingcomputer.com/forums/topic308364.html

Program started at: 03/31/2016 02:29:26 PM in x86 mode.
Windows Version: Windows Vista ™ Home Premium Service Pack 2

 

 

 

The Ad

Checking for Windows services to stop:

 * No malware services found to stop.

Checking for processes to terminate:

 * No malware processes found to kill.

Checking Registry for malware related settings:

 * No issues found in the Registry.

Resetting .EXE, .COM, & .BAT associations in the Windows Registry.

Performing miscellaneous checks:

 

---------------------------------------------

 

 

This is an earlier one (not found at my laptop although, but from one I posted at my first post in here at the wrong forum)

 

Rkill 2.8.3 by Lawrence Abrams (Grinler)
http://www.bleepingcomputer.com/
Copyright 2008-2016 BleepingComputer.com
More Information about Rkill can be found at this link:
 http://www.bleepingcomputer.com/forums/topic308364.html

Program started at: 03/26/2016 07:35:28 PM in x86 mode.
Windows Version: Windows Vista ™ Home Premium Service Pack 2

Checking for Windows services to stop:

 * No malware services found to stop.

Checking for processes to terminate:

 * No malware processes found to kill.

Checking Registry for malware related settings:

 * No issues found in the Registry.

Resetting .EXE, .COM, & .BAT associations in the Windows Registry.

Performing miscellaneous checks:

 * No issues found.

Checking Windows Service Integrity:

 * No issues found.

Searching for Missing Digital Signatures:

 * No issues found.

Checking HOSTS File:

 * HOSTS file entries found:

  127.0.0.1       localhost
  ::1             localhost

Program finished at: 03/26/2016 07:40:23 PM
Execution time: 0 hours(s), 4 minute(s), and 55 seconds(s)

 

 

 

Trying to find AdwCleaner logs at C:\AdwCleaner\AdwCleaner[C*].txt, but none found there, now searching in all and it takes forever and decided to post this anyway without a full reply, since we will get nowhere otherwise.. my computer shuts down every time I do this search. Don't know what else to do..

 

The MBAM: (tried to do as you wrote, as I understood it, not sure I did it correctly?, let me know..) Text is in Swedish, hope it makes sense anyway?

 

Malwarebytes Anti-Malware
www.malwarebytes.org

Skanningsdatum: 2016-03-27
Skanningstid: 02:11:39
Loggfil: MBAM Log.txt
Administratör: Ja

Version: 2.2.1.1043
Databas med skadliga program: v2016.03.26.06
Databas med rootkit: v2016.03.12.01
Licens: Utvärderingsversion
Skydd mot skadliga program: Aktiverat
Skydd mot skadliga webbplatser: Aktiverat
Självförsvar: Inaktiverat

OS: Windows Vista Service Pack 2
CPU: x86
Filsystem: NTFS
Användare: Anki

Skanningstyp: Hotskanning
Resultat: Slutförd
Skannade objekt: 312008
Förfluten tid: 2 t, 32 min, 49 sek

Minne: Aktiverat
Autostart: Aktiverat
Filsystem: Aktiverat
Arkivfiler: Aktiverat
Rootkits: Aktiverat
Heuristik: Aktiverat
PUP: Aktiverat
PUM: Aktiverat

Processer: 0
(Inga skadliga poster upptäckta)

Moduler: 0
(Inga skadliga poster upptäckta)

Registernycklar: 0
(Inga skadliga poster upptäckta)

Registervärden: 0
(Inga skadliga poster upptäckta)

Registerdata: 0
(Inga skadliga poster upptäckta)

Mappar: 0
(Inga skadliga poster upptäckta)

Filer: 0
(Inga skadliga poster upptäckta)

Fysiska sektorer: 0
(Inga skadliga poster upptäckta)


(end)

 

 

Conclusion: The Rkill was found, but no history in scans on desktop

Adwcleaner logs-not found (as for now-will try again)

MBAM: see copied log txt.

 

 

Lastly, thanks again so very much for trying to help in this mess. It's a problem my comp shuts down frequently, so pls have patience if it takes time getting things done. Best rgds Annie



#6 Annie55

Annie55
  • Topic Starter

  • Members
  • 32 posts
  • OFFLINE
  • Local time:02:18 PM

Posted 31 March 2016 - 09:35 AM

Add to my earlier reply: I finally found this when searching on Index placed files? (not sure if translated correctly) There is this log below, and also a txt doc. copy showing when searching, with no date, type or file description, which I can't reach, neither delete, perhaps normal?.

 

 

 

 

# AdwCleaner v5.103 - Logfile created 21/03/2016 at 04:07:55
# Updated 20/03/2016 by Xplode
# Database : 2016-03-20.7 [Server]
# Operating system : Windows Vista ™ Home Premium Service Pack 2 (x86)
# Username : Anki - ANKI-DATOR
# Running from : C:\Users\Anki\Downloads\AdwCleaner(1).exe
# Option : Clean
# Support : http://toolslib.net/forum

***** [ Services ] *****


***** [ Folders ] *****


***** [ Files ] *****


***** [ DLLs ] *****


***** [ Shortcuts ] *****


***** [ Scheduled tasks ] *****


***** [ Registry ] *****

[-] Key Deleted : HKLM\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\3679CA35668772304D30A5FB873B0FA77BB70D54
[-] Key Deleted : HKCU\Software\AppDataLow\Software\adawarebp
[-] Value Deleted : HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules [{AAEE74C4-A86F-4453-A7BA-9E203F234747}]
[-] Value Deleted : HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules [{89FFA2AD-4511-44E7-BC32-474E1DB05C2A}]

***** [ Web browsers ] *****


*************************

:: "Tracing" keys removed
:: Winsock settings cleared

*************************

C:\AdwCleaner\AdwCleaner[C1].txt - [1212 bytes] - [21/03/2016 04:07:55]
C:\AdwCleaner\AdwCleaner[S1].txt - [2153 bytes] - [21/11/2015 22:09:39]
C:\AdwCleaner\AdwCleaner[S2].txt - [728 bytes] - [21/11/2015 22:17:09]

########## EOF - C:\AdwCleaner\AdwCleaner[C1].txt - [1430 bytes] ##########
 



#7 mAL_rEm018

mAL_rEm018

  • Malware Response Team
  • 308 posts
  • ONLINE
  • Gender:Male
  • Local time:04:18 PM

Posted 01 April 2016 - 06:43 AM

Hi Annie,

 

Lastly, thanks again so very much for trying to help in this mess.

It's my pleasure. :)
 

It's a problem my comp shuts down frequently, so pls have patience if it takes time getting things done.

I understand, please take your time and if you run into any issue, feel free to let me know. I will say at this point that I don't think the problems you are experiencing with your computer are malware related. That being said, there are a few issues we need to address and we will of course run more scans to be thorough. If it turns out that your issues are not caused by malware, then I will probably refer you to another forum within Bleeping Computer. For now, please follow the steps below.


Please answer the following question:


  • Did you set your default search engine in Firefox to Bing?

    FF DefaultSearchEngine: Bing


Please run the following fix..



  • Click Start
  • Type notepad.exe in the search programs and files box and click Enter.
  • A blank Notepad page should open.
  • Copy/Paste the contents of the code box below into Notepad.
CreateRestorePoint:

HKU\S-1-5-21-826142902-2630971588-3216476343-1000\...\MountPoints2: F - F:\AutoRun.exe
HKU\S-1-5-21-826142902-2630971588-3216476343-1000\...\MountPoints2: {0331e905-2efc-11e4-929d-806e6f6e6963} - F:\AutoRun.exe
HKU\S-1-5-21-826142902-2630971588-3216476343-1000\...\MountPoints2: {10b3c8b9-a529-11e2-8aff-806e6f6e6963} - F:\AutoRun.exe
HKU\S-1-5-21-826142902-2630971588-3216476343-1000\...\MountPoints2: {26707a29-9374-11e4-9f7d-d06830659c88} - F:\AutoRun.exe
HKU\S-1-5-21-826142902-2630971588-3216476343-1000\...\MountPoints2: {5594d53d-a3c2-11e2-af50-000ae4cd0560} - F:\AutoRun.exe
HKU\S-1-5-21-826142902-2630971588-3216476343-1000\...\MountPoints2: {5594d5c5-a3c2-11e2-af50-000ae4cd0560} - F:\AutoRun.exe
HKU\S-1-5-21-826142902-2630971588-3216476343-1000\...\MountPoints2: {6693ab32-50d7-11e5-99c7-e85274ffa18b} - F:\AutoRun.exe
HKU\S-1-5-21-826142902-2630971588-3216476343-1000\...\MountPoints2: {72d48322-e080-11e3-9778-fa147064188b} - F:\AutoRun.exe
HKU\S-1-5-21-826142902-2630971588-3216476343-1000\...\MountPoints2: {7fcb1647-3b68-11e3-aca8-f5ab6bb7b087} - F:\AutoRun.exe
HKU\S-1-5-21-826142902-2630971588-3216476343-1000\...\MountPoints2: {a9e34a72-528c-11e5-b10c-a2b8f69270b1} - F:\AutoRun.exe
HKU\S-1-5-21-826142902-2630971588-3216476343-1000\...\MountPoints2: {b29af99c-a428-11e2-a096-000ae4cd0560} - F:\AutoRun.exe
HKU\S-1-5-21-826142902-2630971588-3216476343-1000\...\MountPoints2: {b7194fa0-91e6-11e4-8e3c-92848217748d} - F:\AutoRun.exe
HKU\S-1-5-21-826142902-2630971588-3216476343-1000\...\MountPoints2: {fa75f6e2-944e-11e4-9b1e-806e6f6e6963} - F:\AutoRun.exe
SearchScopes: HKU\.DEFAULT -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-19 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-20 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-21-826142902-2630971588-3216476343-1000 -> {6A1806CD-94D4-4689-BA73-E35EA1EA9990} URL =
Toolbar: HKU\S-1-5-21-826142902-2630971588-3216476343-1000 -> No Name - {2318C2B1-4965-11D4-9B18-009027A5CD4F} -  No File
FF Extension: Default - C:\Program Files\Mozilla Firefox\browser\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}.xpi [2016-03-19] [not signed]
S3 hwdatacard; system32\DRIVERS\ewusbmdm.sys [X]
S3 hwusbdev; system32\DRIVERS\ewusbdev.sys [X]
S3 IpInIp; system32\DRIVERS\ipinip.sys [X]
S3 NwlnkFlt; system32\DRIVERS\nwlnkflt.sys [X]
S3 NwlnkFwd; system32\DRIVERS\nwlnkfwd.sys [X]
S3 rootrepeal; \??\C:\Windows\system32\drivers\rootrepeal.sys [X]
2016-03-24 22:57 - 2016-03-26 22:22 - 00000000 ____D C:\Program Files\GUM9378.tmp
2013-04-13 00:48 - 2015-09-04 00:51 - 0000160 _____ () C:\Users\Anki\AppData\Roaming\addDefaultValueForDevicePathKey.reg
C:\Users\Anki\AppData\Local\Temp\sqlite3.dll

CMD: sc config WinDefend start= disabled
CMD: sc stop WinDefend
Hosts:
EmptyTemp:
  • Save it to the same folder/directory that FRST.exe is in, naming it as fixlist.txt

NOTICE: This script was written specifically for this user. Running it on another machine may cause damage to your operating system



  • Start FRST in a similar manner to when you ran a scan earlier, but this time when it opens ....
  • Press the Fix button once and wait.
  • FRST will process fixlist.txt
  • When finished, it will produce a log fixlog.txt in the same folder/directory as FRST64.exe
  • Please post me the log


Next..


I would like to run a search on your computer..


  • Double click Frst.exe to launch it.
  • FRST will start to run.
  • When the tool opens click Yes to the disclaimer.
  • Copy/Paste or Type the following line into the Search: box.

babylon;Bandoo;CleverSearch;conduit;datamngr;Fun4IM;iLivid;kelkoopartners;Luckysearches;QuickSurf;Searchnu;Searchqu;SharkManCoupon;sushileads;SweetIM;SweetPacks;TidyNetwork;trolltech;whitesmoke;Wordinator;WordSurfer

  • Press the Search Registry button.
  • When finished searching a log will open on your Desktop ... Search.txt
  • Please post it in your next reply.


Next..


I need you to run an online scan..

ESET online scanner

Note: You can use either Internet Explorer or Mozilla FireFox for this scan.

Note: If you are using Windows Vista or Windows 7, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.



  • First please Disable any Antivirus you have active, as shown in This topic.
  • Note: Don't forget to re-enable it after the scan.
  • Next hold down Control then click on the following link to open a new window to ESET online scanner

    Note: If using Mozilla Firefox you will need to download esetsmartinstaller_enu.exe when prompted then double click on it to install.
    All of the below instructions are compatible with either Internet Explorer or Mozilla FireFox.

  • When prompted allow the Add-On/Active X to install.
  • Click on Run ESET Online Scanner, then select the option YES, I accept the Terms of Use, then click Start.
  • Make sure that the option Remove found threats is NOT checked, and the option Scan archives is checked.
  • Now click on Advanced Settings and select the following:
    • Scan for potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth Technology
  • Now click on Start.
  • The virus signature database... will begin to download. Be patient; this may take some time depending on the speed of your Internet Connection.
  • When completed the Online Scan will begin automatically.
  • Do not touch either the Mouse or keyboard during the scan otherwise it may stall.
  • When completed select Uninstall application on close if you so wish, make sure you copy the logfile first!
  • Now click on Finish.
  • Use notepad to open the logfile located at C:\Program Files\ESET\EsetOnlineScanner\log.txt.
  • Copy and paste that log as a reply to this topic.


Could you give me an update on your computer performance?



-----------------------------------------
In your next reply, I would like to see..


  • Did you have trouble performing any of the steps?
  • fixlog.txt
  • Search.txt
  • ESET scan results
  • Update on your computer performance

 


Teacher at the Malware Removal University.

Member of UNITE

 

Failure to post replies within 4 days will result in this thread being closed


#8 Annie55

Annie55
  • Topic Starter

  • Members
  • 32 posts
  • OFFLINE
  • Local time:02:18 PM

Posted 02 April 2016 - 08:20 AM

Hi Mal, regarding "probably no malware, but we will check it thoroughly": I am so grateful; hopefully there isn't any. I got this screen message after running a health report for C: & D: (earlier on) since my laptop was acting strange (and all of a sudden there was a lot of stuff on D: that hadn't been there before; could the disc defragmentation be behind this?), so I decided to do this health report on both D & C. Then when starting up the morning after, there was this message on the black screen saying "Rootkit or virus?" that I had never experienced or seen before, and I didn't have the time to see/write down anything before Avast ran a scan, which was also different than before: I did not command it and the program icon did not show (still black screen). About:

 

 

"Did you set your default search engine in Firefox to Bing?"

 

The other day when trying to get onto the Internet, I was forced to answer a Google questionnaire before entering and couldn't get by it. I thought it was because Google Chrome was installed with a re-installed Avast, so I tried to re-install Chrome, succeeded, but had to do a reset of the system, and then the same thing happened again, so I then just put Bing there to get by the questionnaire, I think. In addition, I am often directed to different search engines, but that's normal?

 

 

To the "do & reply list":

 

 

I had no problem with the fixlist; however, about "Save it to the same folder/directory that FRST.exe is in, naming it as fixlist.txt": perhaps I am lacking very basic knowledge about folders/directories/files, but the FRST is a txt document, and so I created a new folder and saved the fixlist there and moved the FRST.txt to the same place. I do have problems accessing some personal settings for some reason; when entering (Start - Documents, or Start - my name), there are some folders marked with an arrow that I am denied access to entering. Why is that? (Ashamed, and forgive me for perhaps very stupid questions in this issue..)

 

 

FRST scan: FRST.exe (found in my recently "downloaded files library") I am not able to run again. So I will send you this for now so no mistakes are made; should I download it again or try something else?

 

Rest of reply will follow.



#9 Annie55

Annie55
  • Topic Starter

  • Members
  • 32 posts
  • OFFLINE
  • Local time:02:18 PM

Posted 02 April 2016 - 01:12 PM

Add. to earlier reply: I don't know what's going on, maybe it's just me... but yesterday (Thursday, my time), as said in my earlier reply, I downloaded the TCRB (Tweaking.com Registry Backup) and saved everything successfully and could see the icon on the desktop; today it's gone, and I can't find it anywhere, even searching for both names, in all places and with advanced search. Either I obviously did something wrong, or where is it to be found? (It's in the history for downloaded files on Thursday but not to be found anywhere.)



#10 mAL_rEm018

mAL_rEm018

  • Malware Response Team
  • 308 posts
  • ONLINE
  • Gender:Male
  • Local time:04:18 PM

Posted 03 April 2016 - 04:34 AM

Hi Annie,
 

(Ashamed, and forgive me for perhaps very stupid questions in this issue..)

Never apologize for asking a question.  I encourage you to ask me questions when you are unsure of anything, no matter how "ridiculous" you think it might be.  So if you run into any problems again, please do like you just did and ask. :thumbup2:



I had no problem with the fixlist; however, about "Save it to the same folder/directory that FRST.exe is in, naming it as fixlist.txt": perhaps I am lacking very basic knowledge about folders/directories/files, but the FRST is a txt document, and so I created a new folder and saved the fixlist there and moved the FRST.txt to the same place.

FRST.txt is the log you posted in your first reply.  What I would like you to do is to put the fixlist.txt in the same folder as FRST.exe.  Perhaps you might find it easier to download all tools onto your desktop and run the scans and fixes from there.
 

FRST scan: FRST.exe (found in my recently "downloaded files library") I am not able to run again. So I will send you this for now so no mistakes are made; should I download it again or try something else?

Do you get any error message when trying to open FRST.exe?



I do have problems accessing some personal settings for some reason; when entering (Start - Documents, or Start - my name), there are some folders marked with an arrow that I am denied access to entering. Why is that?

I think I know why you are unable to access those folders.  Please follow the steps below and let me know if you still see those folders with an arrow after.



  • Close all programs and open the Start menu.
  • Click Control Panel.
  • Select Appearance and Personalization
  • Open Folder Options.
    Note: if you do not see Appearance and Personalization, please double-click on Folder Options.
  • Click on the View tab.
  • In the Advanced Settings: box, please locate Hidden files and folders.
  • Please select Do not show hidden files and folders.
  • Click OK.


Add. to earlier reply: I don't know what's going on, maybe it's just me... but yesterday (Thursday, my time), as said in my earlier reply, I downloaded the TCRB (Tweaking.com Registry Backup) and saved everything successfully and could see the icon on the desktop; today it's gone, and I can't find it anywhere, even searching for both names, in all places and with advanced search. Either I obviously did something wrong, or where is it to be found? (It's in the history for downloaded files on Thursday but not to be found anywhere.)

We will check if the program is still present on your computer in my next set of instructions.  For now I would like you to:



  • Move FRST.exe and fixlist.txt to your desktop.
  • Answer my question concerning running FRST.exe
  • Follow the steps to disable Show hidden files and folders and check if the folders are still there.

 




#11 Annie55

Annie55
  • Topic Starter

  • Members
  • 32 posts
  • OFFLINE
  • Local time:02:18 PM

Posted 03 April 2016 - 09:42 AM

Hi Mal,

Sorry, I didn't make myself clear; the problem is there is no FRST.exe, only FRST.txt.
*When double-clicking on FRST.exe in the downloaded files history, nothing happens. I guess I have to download it again from the earlier step then? I thought I saved it last time..

*Followed the steps, disabled "show hidden files and folders", and it seems to work! Thank you!

Note, I haven't yet run/downloaded the ESET as advised in the earlier reply; I thought it might be better getting these issues worked out first, or should I continue doing so (ESET) before finding the Tweaking backup?

#12 mAL_rEm018

mAL_rEm018

  • Malware Response Team
  • 308 posts
  • ONLINE
  • Gender:Male
  • Local time:04:18 PM

Posted 04 April 2016 - 03:57 AM

Hi Annie,
 

*Followed the steps, disabled "show hidden files and folders", and it seems to work! Thank you!

Great!  We are making some progress. :)  Please leave "Show hidden files and folders" disabled for the future.  These hidden files and folders have a purpose and were hidden to prevent people from modifying and/or deleting them.



Note, I haven't yet run/downloaded the ESET as advised in the earlier reply; I thought it might be better getting these issues worked out first, or should I continue doing so (ESET) before finding the Tweaking backup?

Let's forget about ESET for now.  We will run it later.



Sorry, I didn't make myself clear; the problem is there is no FRST.exe, only FRST.txt.
*When double-clicking on FRST.exe in the downloaded files history, nothing happens. I guess I have to download it again from the earlier step then? I thought I saved it last time..

  • Please download a fresh copy of FRST to your Desktop.
  • Move the fixlist.txt to your desktop.

Next..



  • Start FRST in a similar manner to when you ran a scan earlier, but this time when it opens ....
  • Press the Fix button once and wait.
  • FRST will process fixlist.txt
  • When finished, it will produce a log fixlog.txt in the same folder/directory as FRST.exe
  • Please post me the log


Can you give me an update on your computer performance?


-----------------------------------------
In your next reply, I would like to see..


  • fixlog.txt
  • Update on your computer performance.

 




#13 Annie55

Annie55
  • Topic Starter

  • Members
  • 32 posts
  • OFFLINE
  • Local time:02:18 PM

Posted 04 April 2016 - 10:44 AM

Hi Mal, just a quick reply: I will try the FRST download again. As for now, an update on how my computer is working: it's the same, and I wasn't able to start it at all this morning. (I tried a recovery and reset to an earlier point; what else could I do? But it said there was no earlier point..) But now, all of a sudden, it did start again. Just so you know if my reply might be delayed.

#15 Annie55

Annie55
  • Topic Starter

  • Members
  • 32 posts
  • OFFLINE
  • Local time:02:18 PM

Posted 04 April 2016 - 03:36 PM

Finally made it.. :) After cleaning my disc (I do it very often, but obviously it made my comp start again). Now, after that and the fixlist, an update is: my laptop seems to be a bit more alert, at least for now.

 

 

Fix result of Farbar Recovery Scan Tool (x86) Version:05-03-2016 01
Ran by Anki (2016-04-04 21:20:47) Run:2
Running from C:\Users\Anki\Desktop
Loaded Profiles: Anki (Available Profiles: Anki)
Boot Mode: Normal

==============================================

fixlist content:
*****************
CreateRestorePoint:

HKU\S-1-5-21-826142902-2630971588-3216476343-1000\...\MountPoints2: F - F:\AutoRun.exe
HKU\S-1-5-21-826142902-2630971588-3216476343-1000\...\MountPoints2: {0331e905-2efc-11e4-929d-806e6f6e6963} - F:\AutoRun.exe
HKU\S-1-5-21-826142902-2630971588-3216476343-1000\...\MountPoints2: {10b3c8b9-a529-11e2-8aff-806e6f6e6963} - F:\AutoRun.exe
HKU\S-1-5-21-826142902-2630971588-3216476343-1000\...\MountPoints2: {26707a29-9374-11e4-9f7d-d06830659c88} - F:\AutoRun.exe
HKU\S-1-5-21-826142902-2630971588-3216476343-1000\...\MountPoints2: {5594d53d-a3c2-11e2-af50-000ae4cd0560} - F:\AutoRun.exe
HKU\S-1-5-21-826142902-2630971588-3216476343-1000\...\MountPoints2: {5594d5c5-a3c2-11e2-af50-000ae4cd0560} - F:\AutoRun.exe
HKU\S-1-5-21-826142902-2630971588-3216476343-1000\...\MountPoints2: {6693ab32-50d7-11e5-99c7-e85274ffa18b} - F:\AutoRun.exe
HKU\S-1-5-21-826142902-2630971588-3216476343-1000\...\MountPoints2: {72d48322-e080-11e3-9778-fa147064188b} - F:\AutoRun.exe
HKU\S-1-5-21-826142902-2630971588-3216476343-1000\...\MountPoints2: {7fcb1647-3b68-11e3-aca8-f5ab6bb7b087} - F:\AutoRun.exe
HKU\S-1-5-21-826142902-2630971588-3216476343-1000\...\MountPoints2: {a9e34a72-528c-11e5-b10c-a2b8f69270b1} - F:\AutoRun.exe
HKU\S-1-5-21-826142902-2630971588-3216476343-1000\...\MountPoints2: {b29af99c-a428-11e2-a096-000ae4cd0560} - F:\AutoRun.exe
HKU\S-1-5-21-826142902-2630971588-3216476343-1000\...\MountPoints2: {b7194fa0-91e6-11e4-8e3c-92848217748d} - F:\AutoRun.exe
HKU\S-1-5-21-826142902-2630971588-3216476343-1000\...\MountPoints2: {fa75f6e2-944e-11e4-9b1e-806e6f6e6963} - F:\AutoRun.exe
SearchScopes: HKU\.DEFAULT -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-19 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-20 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-21-826142902-2630971588-3216476343-1000 -> {6A1806CD-94D4-4689-BA73-E35EA1EA9990} URL =
Toolbar: HKU\S-1-5-21-826142902-2630971588-3216476343-1000 -> No Name - {2318C2B1-4965-11D4-9B18-009027A5CD4F} -  No File
FF Extension: Default - C:\Program Files\Mozilla Firefox\browser\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}.xpi [2016-03-19] [not signed]
S3 hwdatacard; system32\DRIVERS\ewusbmdm.sys [X]
S3 hwusbdev; system32\DRIVERS\ewusbdev.sys [X]
S3 IpInIp; system32\DRIVERS\ipinip.sys [X]
S3 NwlnkFlt; system32\DRIVERS\nwlnkflt.sys [X]
S3 NwlnkFwd; system32\DRIVERS\nwlnkfwd.sys [X]
S3 rootrepeal; \??\C:\Windows\system32\drivers\rootrepeal.sys [X]
2016-03-24 22:57 - 2016-03-26 22:22 - 00000000 ____D C:\Program Files\GUM9378.tmp
2013-04-13 00:48 - 2015-09-04 00:51 - 0000160 _____ () C:\Users\Anki\AppData\Roaming\addDefaultValueForDevicePathKey.reg
C:\Users\Anki\AppData\Local\Temp\sqlite3.dll

CMD: sc config WinDefend start= disabled
CMD: sc stop WinDefend
Hosts:
EmptyTemp:
*****************

Restore point was successfully created.
HKU\S-1-5-21-826142902-2630971588-3216476343-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\F => key not found.
HKU\S-1-5-21-826142902-2630971588-3216476343-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{0331e905-2efc-11e4-929d-806e6f6e6963} => key not found.
HKCR\CLSID\{0331e905-2efc-11e4-929d-806e6f6e6963} => key not found.
HKU\S-1-5-21-826142902-2630971588-3216476343-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{10b3c8b9-a529-11e2-8aff-806e6f6e6963} => key not found.
HKCR\CLSID\{10b3c8b9-a529-11e2-8aff-806e6f6e6963} => key not found.
HKU\S-1-5-21-826142902-2630971588-3216476343-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{26707a29-9374-11e4-9f7d-d06830659c88} => key not found.
HKCR\CLSID\{26707a29-9374-11e4-9f7d-d06830659c88} => key not found.
"HKU\S-1-5-21-826142902-2630971588-3216476343-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{5594d53d-a3c2-11e2-af50-000ae4cd0560}" => key removed successfully.
HKCR\CLSID\{5594d53d-a3c2-11e2-af50-000ae4cd0560} => key not found.
"HKU\S-1-5-21-826142902-2630971588-3216476343-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{5594d5c5-a3c2-11e2-af50-000ae4cd0560}" => key removed successfully.
HKCR\CLSID\{5594d5c5-a3c2-11e2-af50-000ae4cd0560} => key not found.
"HKU\S-1-5-21-826142902-2630971588-3216476343-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{6693ab32-50d7-11e5-99c7-e85274ffa18b}" => key removed successfully.
HKCR\CLSID\{6693ab32-50d7-11e5-99c7-e85274ffa18b} => key not found.
"HKU\S-1-5-21-826142902-2630971588-3216476343-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{72d48322-e080-11e3-9778-fa147064188b}" => key removed successfully.
HKCR\CLSID\{72d48322-e080-11e3-9778-fa147064188b} => key not found.
"HKU\S-1-5-21-826142902-2630971588-3216476343-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{7fcb1647-3b68-11e3-aca8-f5ab6bb7b087}" => key removed successfully.
HKCR\CLSID\{7fcb1647-3b68-11e3-aca8-f5ab6bb7b087} => key not found.
"HKU\S-1-5-21-826142902-2630971588-3216476343-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{a9e34a72-528c-11e5-b10c-a2b8f69270b1}" => key removed successfully.
HKCR\CLSID\{a9e34a72-528c-11e5-b10c-a2b8f69270b1} => key not found.
"HKU\S-1-5-21-826142902-2630971588-3216476343-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b29af99c-a428-11e2-a096-000ae4cd0560}" => key removed successfully.
HKCR\CLSID\{b29af99c-a428-11e2-a096-000ae4cd0560} => key not found.
"HKU\S-1-5-21-826142902-2630971588-3216476343-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b7194fa0-91e6-11e4-8e3c-92848217748d}" => key removed successfully.
HKCR\CLSID\{b7194fa0-91e6-11e4-8e3c-92848217748d} => key not found.
"HKU\S-1-5-21-826142902-2630971588-3216476343-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{fa75f6e2-944e-11e4-9b1e-806e6f6e6963}" => key removed successfully.
HKCR\CLSID\{fa75f6e2-944e-11e4-9b1e-806e6f6e6963} => key not found.
HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => value removed successfully.
HKU\S-1-5-19\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => value removed successfully.
HKU\S-1-5-20\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => value removed successfully.
"HKU\S-1-5-21-826142902-2630971588-3216476343-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}" => key removed successfully.
HKCR\CLSID\{6A1806CD-94D4-4689-BA73-E35EA1EA9990} => key not found.
HKU\S-1-5-21-826142902-2630971588-3216476343-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{2318C2B1-4965-11D4-9B18-009027A5CD4F} => value removed successfully.
HKCR\CLSID\{2318C2B1-4965-11D4-9B18-009027A5CD4F} => key not found.
C:\Program Files\Mozilla Firefox\browser\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}.xpi => not found.
hwdatacard => service removed successfully.
hwusbdev => service removed successfully.
IpInIp => service removed successfully.
NwlnkFlt => service removed successfully.
NwlnkFwd => service removed successfully.
rootrepeal => service removed successfully.
"C:\Program Files\GUM9378.tmp" => not found.
C:\Users\Anki\AppData\Roaming\addDefaultValueForDevicePathKey.reg => moved successfully
C:\Users\Anki\AppData\Local\Temp\sqlite3.dll => moved successfully

=========  sc config WinDefend start= disabled =========

[SC] ChangeServiceConfig LYCKADES

========= End of CMD: =========


=========  sc stop WinDefend =========


TJÄNSTNAMN:   WinDefend
        TYP                : 20  WIN32_SHARE_PROCESS  
        TILLSTÅND          : 3  STOP_PENDING
                                (NOT_STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)
        WIN32-SLUTKOD      : 0  (0x0)
        TJÄNSTSLUTKOD      : 0  (0x0)
        KONTROLLPUNKT      : 0x4
        VÄNTETIPS          : 0x7530

========= End of CMD: =========

C:\Windows\System32\Drivers\etc\hosts => moved successfully
Hosts restored successfully.
EmptyTemp: => 745.5 MB temporary data Removed.


The system needed a reboot.

==== End of Fixlog 22:00:08 ====
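Checking a Fixlog by eye means matching dozens of `=> result` lines back to the fixlist. The Python below is an added example (not part of this thread or of FRST) that parses those result lines into categories and lists the items FRST reported as already absent; the sample log is a constructed subset modelled on the Fixlog posted above, not the full log.

```python
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample modelled on the Fixlog.txt layout in this thread
# (a subset of its entries, including lines that carry no "=>" result).
SAMPLE_FIXLOG = r"""
Restore point was successfully created.
HKU\S-1-5-21-826142902-2630971588-3216476343-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\F => key not found.
"HKU\S-1-5-21-826142902-2630971588-3216476343-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{5594d53d-a3c2-11e2-af50-000ae4cd0560}" => key removed successfully.
HKCR\CLSID\{5594d53d-a3c2-11e2-af50-000ae4cd0560} => key not found.
HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => value removed successfully.
C:\Program Files\Mozilla Firefox\browser\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}.xpi => not found.
hwdatacard => service removed successfully.
"C:\Program Files\GUM9378.tmp" => not found.
C:\Users\Anki\AppData\Local\Temp\sqlite3.dll => moved successfully
=========  sc config WinDefend start= disabled =========
[SC] ChangeServiceConfig LYCKADES
========= End of CMD: =========
C:\Windows\System32\Drivers\etc\hosts => moved successfully
Hosts restored successfully.
EmptyTemp: => 745.5 MB temporary data Removed.
The system needed a reboot.
"""

# One result line: an optionally quoted target, " => ", and FRST's outcome text.
ENTRY_RE = re.compile(r'^"?(?P<target>.+?)"? => (?P<result>.+?)\.?\s*$')


@dataclass
class FixEntry:
    target: str
    result: str
    category: str


def classify(result: str) -> str:
    """Map FRST's free-text outcome to a coarse category."""
    r = result.lower()
    if "removed successfully" in r:
        return "removed"        # registry key/value or service deleted
    if "moved successfully" in r:
        return "moved"          # file moved out of its original location
    if "not found" in r:
        return "not_found"      # item was already absent when the fix ran
    if "temporary data removed" in r:
        return "temp_cleared"   # outcome of the EmptyTemp: directive
    return "other"


def parse_fixlog(text: str) -> list[FixEntry]:
    """Return one FixEntry per '=>' line; banners and CMD output are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append(FixEntry(m["target"], m["result"], classify(m["result"])))
    return entries


def summarize(entries: list[FixEntry]) -> dict[str, int]:
    return dict(Counter(e.category for e in entries))


def not_found_items(entries: list[FixEntry]) -> list[str]:
    """Targets FRST could not find: worth re-checking against the fixlist."""
    return [e.target for e in entries if e.category == "not_found"]


def needs_reboot(text: str) -> bool:
    return "The system needed a reboot." in text


if __name__ == "__main__":
    parsed = parse_fixlog(SAMPLE_FIXLOG)
    print(summarize(parsed))
    for target in not_found_items(parsed):
        print("not found:", target)
    print("reboot needed:", needs_reboot(SAMPLE_FIXLOG))
```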





