Multiple Problems: SafeGuard.A, Search Protect, Mysearch


  • This topic is locked
10 replies to this topic

#1 efhunter

  • Members
  • 11 posts

Posted 02 April 2016 - 10:36 AM

I have had an ongoing problem with this computer. I have used several scanners and tried to remove anything found, but different problems with different names keep infecting the computer. I listed the names of the ones I remember in the title. At this point my browsers are still hijacked. I have to remove a proxy server every time I open Firefox or Chrome. The browsers are opening to different websites. Some programs will not open at all. (Malwarebytes and a couple of others ask if I want to let them make changes, and then nothing happens.) Some programs are showing multiple entries running at the same time. I have deleted some of the same files listed as infected and they come back again. The computer is running slow and I suspect it is causing network lag for the rest as well.

My original post is at http://www.bleepingcomputer.com/forums/t/609293/computer-infected-with-multiple-problems/

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version:05-03-2016 01
Ran by Beth (administrator) on MEDIABOX (02-04-2016 10:55:07)
Running from C:\Users\Beth\Desktop\Malware Tools
Loaded Profiles: Beth (Available Profiles: Beth)
Platform: Microsoft Windows 7 Home Premium  (X86) Language: English (United States)
Internet Explorer Version 9 (Default browser: FF)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(AMD) C:\Windows\System32\atiesrxx.exe
(AMD) C:\Windows\System32\atieclxx.exe
(Microsoft Corporation) C:\Program Files\Skype\Toolbars\AutoUpdate\SkypeC2CAutoUpdateSvc.exe
(Microsoft Corporation) C:\Program Files\Skype\Toolbars\PNRSvc\SkypeC2CPNRSvc.exe
(sonarr.tv) C:\ProgramData\NzbDrone\bin\NzbDrone.Console.exe
(Seagate) C:\Program Files\Seagate\DiscWizard\DiscWizardMonitor.exe
(Seagate) C:\Program Files\Common Files\Seagate\Schedule2\schedhlp.exe
(Acronis) C:\Program Files\Common Files\Acronis\TibMounter\TibMounterMonitor.exe
(Advanced Micro Devices Inc.) C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
() C:\Program Files\SteelSeries\World of Warcraft® MMO Gaming Mouse Legendary Edition\WoWMHID4.exe
(Plex, Inc.) C:\Program Files\Plex\Plex Media Server\Plex Media Server.exe
(Microsoft Corporation) C:\Windows\System32\rundll32.exe
(ATI Technologies Inc.) C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
() C:\Program Files\SABnzbd\SABnzbd.exe
() C:\Program Files\SteelSeries\World of Warcraft® MMO Gaming Mouse Legendary Edition\WoWMTray4.exe
() C:\Windows\System32\PnkBstrA.exe
(Seagate) C:\Program Files\Common Files\Seagate\Schedule2\schedul2.exe
(skype.cog.cc) C:\Program Files\SkypeUpdateEx\SkypeUpdateEx.exe
(Microsoft Corp.) C:\Program Files\Common Files\microsoft shared\Windows Live\WLIDSVC.EXE
(Microsoft Corporation) C:\Users\Beth\AppData\Roaming\XBox\XBLive.exe
(Microsoft Corp.) C:\Program Files\Common Files\microsoft shared\Windows Live\WLIDSVCM.EXE
(Symantec Corporation) C:\Program Files\Norton Security\Engine\22.5.0.124\NS.exe
(Python Software Foundation) C:\Program Files\Plex\Plex Media Server\PlexScriptHost.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe
(Symantec Corporation) C:\Program Files\Norton Security\Engine\22.5.0.124\NS.exe
(Blizzard Entertainment) C:\ProgramData\Battle.net\Agent\Agent.4869\Agent.exe
(Blizzard Entertainment) C:\Program Files\Battle.net\Battle.net.7020\Battle.net.exe
(Blizzard Entertainment) C:\ProgramData\Battle.net\Agent\Agent.4869\Agent.exe
(Blizzard Entertainment) C:\ProgramData\Battle.net\Agent\Agent.4869\Agent.exe
(Blizzard Entertainment) C:\ProgramData\Battle.net\Agent\Agent.4869\Agent.exe
(Blizzard Entertainment) C:\ProgramData\Battle.net\Agent\Agent.4869\Agent.exe
(Blizzard Entertainment) C:\ProgramData\Battle.net\Agent\Agent.4869\Agent.exe
(Blizzard Entertainment) C:\ProgramData\Battle.net\Agent\Agent.4869\Agent.exe
(Blizzard Entertainment) C:\ProgramData\Battle.net\Agent\Agent.4869\Agent.exe
(Blizzard Entertainment) C:\ProgramData\Battle.net\Agent\Agent.4869\Agent.exe
(Blizzard Entertainment) C:\ProgramData\Battle.net\Agent\Agent.4869\Agent.exe
(Blizzard Entertainment) C:\ProgramData\Battle.net\Agent\Agent.4869\Agent.exe
(Blizzard Entertainment) C:\ProgramData\Battle.net\Agent\Agent.4869\Agent.exe
(Blizzard Entertainment) C:\ProgramData\Battle.net\Agent\Agent.4869\Agent.exe
(Blizzard Entertainment) C:\ProgramData\Battle.net\Agent\Agent.4869\Agent.exe
(Blizzard Entertainment) C:\ProgramData\Battle.net\Agent\Agent.4869\Agent.exe
(Blizzard Entertainment) C:\ProgramData\Battle.net\Agent\Agent.4869\Agent.exe
(Blizzard Entertainment) C:\ProgramData\Battle.net\Agent\Agent.4869\Agent.exe


==================== Registry (Whitelisted) ===========================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [StartCCC] => C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\x86\CLIStart.exe [747264 2013-12-06] (Advanced Micro Devices, Inc.)
HKLM\...\Run: [DiscWizardMonitor.exe] => C:\Program Files\Seagate\DiscWizard\DiscWizardMonitor.exe [6382504 2013-10-30] (Seagate)
HKLM\...\Run: [Seagate Scheduler2 Service] => C:\Program Files\Common Files\Seagate\Schedule2\schedhlp.exe [400376 2013-10-30] (Seagate)
HKLM\...\Run: [AcronisTibMounterMonitor] => C:\Program Files\Common Files\Acronis\TibMounter\TibMounterMonitor.exe [1103424 2013-01-10] (Acronis)
HKLM\...\Run: [Adobe ARM] => C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe [1085656 2015-12-14] (Adobe Systems Incorporated)
HKLM\...\Run: [win_en_77] => "C:\Program Files\win_en_77\win_en_77.exe"
HKLM\...\Run: [sun3] => [X]
HKLM\...\Run: [gmsd_us_005010247] => "C:\Program Files\gmsd_us_005010247\gmsd_us_005010247.exe"
HKLM\...\Run: [SteelSeries World of Warcraft® MMO Gaming Mouse Legendary Edition] => C:\Program Files\SteelSeries\World of Warcraft® MMO Gaming Mouse Legendary Edition\WoWMHID4.exe [1945600 2011-10-03] ()
HKLM\...\Run: [sun13] => [X]
HKLM\...\Run: [rec_en_225] => "C:\Program Files\rec_en_225\rec_en_225.exe"
HKU\S-1-5-21-3314193060-3455151175-2916073930-1000\...\Run: [Plex Media Server] => C:\Program Files\Plex\Plex Media Server\Plex Media Server.exe [6294664 2015-09-24] (Plex, Inc.)
HKU\S-1-5-21-3314193060-3455151175-2916073930-1000\...\Run: [Clownfish] => 0
HKU\S-1-5-21-3314193060-3455151175-2916073930-1000\...\Run: [exdbmt] => rundll32.exe "C:\Users\Beth\AppData\Local\exdbmt.dll",exdbmt <===== ATTENTION
HKU\S-1-5-21-3314193060-3455151175-2916073930-1000\...\MountPoints2: {73a39da5-f52d-11e5-bb85-00e04dc4cbf7} - E:\DVDSetup.exe
ShellIconOverlayIdentifiers: [  OverlayExcluded] -> {4433A54A-1AC8-432F-90FC-85F045CF383C} => C:\Program Files\Norton Security\Engine\22.5.0.124\buShell.dll [2015-06-06] (Symantec Corporation)
ShellIconOverlayIdentifiers: [  OverlayPending] -> {F17C0B1E-EF8E-4AD4-8E1B-7D7E8CB23225} => C:\Program Files\Norton Security\Engine\22.5.0.124\buShell.dll [2015-06-06] (Symantec Corporation)
ShellIconOverlayIdentifiers: [  OverlayProtected] -> {476D0EA3-80F9-48B5-B70B-05E677C9C148} => C:\Program Files\Norton Security\Engine\22.5.0.124\buShell.dll [2015-06-06] (Symantec Corporation)
ShellIconOverlayIdentifiers: [ExplorerEx] -> {E056AFDD-03E9-4D73-8D33-8FCCBCA73438} =>  No File
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\NETGEAR WN111v2 Smart Wizard.lnk [2015-08-22]
ShortcutTarget: NETGEAR WN111v2 Smart Wizard.lnk -> C:\Program Files\NETGEAR\WN111v2\WN111v2.exe (NETGEAR)
Startup: C:\Users\Beth\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SABnzbd.lnk [2016-03-28]
ShortcutTarget: SABnzbd.lnk -> C:\Program Files\SABnzbd\SABnzbd.exe ()

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

ProxyEnable: [S-1-5-21-3314193060-3455151175-2916073930-1000] => Proxy is enabled.
ProxyServer: [S-1-5-21-3314193060-3455151175-2916073930-1000] => http=127.0.0.1:8080;https=127.0.0.1:8080
AutoConfigURL: [S-1-5-21-3314193060-3455151175-2916073930-1000] => http=127.0.0.1:8080;https=127.0.0.1:8080
Winsock: Catalog5 10 C:\ProgramData\System32\SafeGuard32.dll [2771896 2016-04-01] ()
Tcpip\Parameters: [DhcpNameServer] 192.168.1.1
Tcpip\..\Interfaces\{0CC5664F-9D69-4EB3-9E7E-A49888BFC086}: [DhcpNameServer] 192.168.1.1
ManualProxies: 1http=127.0.0.1:8080;https=127.0.0.1:8080

Internet Explorer:
==================
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
HKU\S-1-5-21-3314193060-3455151175-2916073930-1000\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://nav.brotstation.com?uid={fb2976bcbf184d76bf8359e6f3e6b134}&r=eg
HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.google.com
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://nav.brotstation.com?uid={fb2976bcbf184d76bf8359e6f3e6b134}&r=eg
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = hxxp://www.google.com
HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
HKU\S-1-5-21-3314193060-3455151175-2916073930-1000\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://nav.brotstation.com?uid={fb2976bcbf184d76bf8359e6f3e6b134}&r=eg
HKU\S-1-5-21-3314193060-3455151175-2916073930-1000\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://nav.brotstation.com?uid={fb2976bcbf184d76bf8359e6f3e6b134}&r=eg
SearchScopes: HKLM -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-21-3314193060-3455151175-2916073930-1000 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
BHO: Norton Identity Protection -> {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} -> C:\Program Files\Norton Security\Engine\22.5.0.124\coIEPlg.dll [2015-06-05] (Symantec Corporation)
BHO: Java™ Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files\Java\jre7\bin\ssv.dll [2014-02-24] (Oracle Corporation)
BHO: Windows Live ID Sign-in Helper -> {9030D464-4C02-4ABF-8ECC-5164760863C6} -> C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll [2012-07-17] (Microsoft Corp.)
BHO: Skype Click to Call for Internet Explorer -> {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} -> C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll [2016-01-08] (Microsoft Corporation)
BHO: Java™ Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files\Java\jre7\bin\jp2ssv.dll [2014-02-24] (Oracle Corporation)
Toolbar: HKLM - Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Norton Security\Engine\22.5.0.124\coIEPlg.dll [2015-06-05] (Symantec Corporation)
Handler: AutorunsDisabled\skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll [2014-05-02] (Skype Technologies)
Handler: skypec2c - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll [2016-01-08] (Microsoft Corporation)

FireFox:
========
FF ProfilePath: C:\Users\Beth\AppData\Roaming\Mozilla\Firefox\Profiles\m0eqdjdz.default-1459215388002OLD
FF DefaultSearchEngine.US: Google
FF NetworkProxy: "type", 0
FF Plugin: @adobe.com/FlashPlayer -> C:\Windows\system32\Macromed\Flash\NPSWF32_19_0_0_226.dll [2015-10-16] ()
FF Plugin: @java.com/DTPlugin,version=10.51.2 -> C:\Program Files\Java\jre7\bin\dtplugin\npDeployJava1.dll [2014-02-24] (Oracle Corporation)
FF Plugin: @java.com/JavaPlugin,version=10.51.2 -> C:\Program Files\Java\jre7\bin\plugin2\npjp2.dll [2014-02-24] (Oracle Corporation)
FF Plugin: @microsoft.com/WLPG,version=16.4.3528.0331 -> C:\Program Files\Windows Live\Photo Gallery\NPWLPG.dll [2014-03-31] (Microsoft Corporation)
FF Plugin: @pandonetworks.com/PandoWebPlugin -> C:\Program Files\Pando Networks\Media Booster\npPandoWebPlugin.dll [2014-07-18] (Pando Networks)
FF Plugin: @tools.google.com/Google Update;version=3 -> C:\Program Files\Google\Update\1.3.29.5\npGoogleUpdate3.dll [2016-02-01] (Google Inc.)
FF Plugin: @tools.google.com/Google Update;version=9 -> C:\Program Files\Google\Update\1.3.29.5\npGoogleUpdate3.dll [2016-02-01] (Google Inc.)
FF Plugin: @videolan.org/vlc,version=2.0.7 -> C:\Program Files\VideoLAN\VLC\npvlc.dll [2013-06-07] (VideoLAN)
FF Plugin: Adobe Reader -> C:\Program Files\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll [2016-02-27] (Adobe Systems Inc.)
FF Plugin HKU\S-1-5-21-3314193060-3455151175-2916073930-1000: pandonetworks.com/PandoWebPlugin -> C:\Program Files\Pando Networks\Media Booster\npPandoWebPlugin.dll [2014-07-18] (Pando Networks)
FF Extension: Adblock Plus - C:\Users\Beth\AppData\Roaming\Mozilla\Firefox\Profiles\uc4ef473.Beth\Extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}.xpi [2016-03-28]
FF Extension: Skype - C:\Program Files\Mozilla Firefox\browser\extensions\{82AF8DCA-6DE9-405D-BD5E-43525BDAD38A}.xpi [2016-01-06]
FF Extension: Default - C:\Program Files\Mozilla Firefox\browser\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}.xpi [2016-03-15] [not signed]
FF HKLM\...\Firefox\Extensions: [{2D3F3651-74B9-4795-BDEC-6DA2F431CB62}] - C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NS_22.5.0.124\coFFPlgn
FF Extension: Norton Toolbar - C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NS_22.5.0.124\coFFPlgn [2016-04-01] [not signed]

Chrome:
=======
CHR HomePage: Default -> hxxp://www.google.com/
CHR StartupUrls: Default -> "hxxp://google.com/"
CHR Profile: C:\Users\Beth\AppData\Local\Google\Chrome\User Data\Default
CHR Extension: (Google Slides) - C:\Users\Beth\AppData\Local\Google\Chrome\User Data\Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek [2015-11-04]
CHR Extension: (Google Docs) - C:\Users\Beth\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake [2015-11-04]
CHR Extension: (Google Drive) - C:\Users\Beth\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2015-11-04]
CHR Extension: (Facebook Auto Poster and Scheduler) - C:\Users\Beth\AppData\Local\Google\Chrome\User Data\Default\Extensions\bgbkbddnmplgngbbipkophmcangiahja [2016-02-24]
CHR Extension: (YouTube) - C:\Users\Beth\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2015-11-04]
CHR Extension: (Norton Security Toolbar) - C:\Users\Beth\AppData\Local\Google\Chrome\User Data\Default\Extensions\cjabmdjcfcfdmffimndhafhblfmpjdpe [2016-03-28]
CHR Extension: (Google Search) - C:\Users\Beth\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf [2015-11-04]
CHR Extension: (Google Docs Offline) - C:\Users\Beth\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi [2016-03-21]
CHR Extension: (Norton Identity Safe) - C:\Users\Beth\AppData\Local\Google\Chrome\User Data\Default\Extensions\iikflkcanblccfahdhdonehdalibjnif [2016-03-28]
CHR Extension: (Chrome Web Store Payments) - C:\Users\Beth\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2015-11-04]
CHR Extension: (Gmail) - C:\Users\Beth\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2015-11-04]
CHR HKLM\...\Chrome\Extension: [cjabmdjcfcfdmffimndhafhblfmpjdpe] - C:\Program Files\Norton Security\Engine\22.5.0.124\Exts\Chrome.crx [2015-06-05]
CHR HKLM\...\Chrome\Extension: [iikflkcanblccfahdhdonehdalibjnif] - hxxps://clients2.google.com/service/update2/crx
CHR HKLM\...\Chrome\Extension: [lifbcibllhkdhoafpjfnlhfpfgnpldfl] - C:\Program Files\Skype\Toolbars\ChromeExtension\skype_chrome_extension.crx [2016-01-08]

==================== Services (Whitelisted) ========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

S4 AMD FUEL Service; C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe [276992 2013-12-06] (Advanced Micro Devices, Inc.) [File not signed]
R2 c2cautoupdatesvc; C:\Program Files\Skype\Toolbars\AutoUpdate\SkypeC2CAutoUpdateSvc.exe [1433216 2016-01-08] (Microsoft Corporation)
R2 c2cpnrsvc; C:\Program Files\Skype\Toolbars\PNRSvc\SkypeC2CPNRSvc.exe [1773696 2016-01-08] (Microsoft Corporation)
S3 jswpsapi; C:\Program Files\NETGEAR\WN111v2\jswpsapi.exe [942080 2008-02-29] (Atheros Communications, Inc.) [File not signed]
R2 NS; C:\Program Files\Norton Security\Engine\22.5.0.124\NS.exe [282016 2015-06-17] (Symantec Corporation)
R2 NzbDrone; C:\ProgramData\NzbDrone\bin\NzbDrone.Console.exe [24064 2016-03-12] (sonarr.tv) [File not signed]
R2 PnkBstrA; C:\Windows\system32\PnkBstrA.exe [76152 2015-11-18] ()
R2 SgtSch2Svc; C:\Program Files\Common Files\Seagate\Schedule2\schedul2.exe [801888 2013-10-30] (Seagate)
R2 SkypeUpdateEx; C:\Program Files\SkypeUpdateEx\SkypeUpdateEx.exe [167352 2016-03-21] (skype.cog.cc)
S3 SophosVirusRemovalTool; C:\Program Files\Sophos\Sophos Virus Removal Tool\SVRTservice.exe [153352 2015-10-20] (Sophos Limited)
S4 ViscosityVPPVPNetworksLLCService; C:\Program Files\TorGuard.Viscosity\ViscosityVPPVPNetworksLLCService.exe [56096 2014-01-22] (SparkLabs)
S3 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [680960 2009-07-13] (Microsoft Corporation)
R2 XBox; C:\Users\Beth\AppData\Roaming\XBox\XBLive.exe [5906904 2016-02-27] (Microsoft Corporation)
S2 WindowsSecurity; C:\ProgramData\Windows Security\winsecurity.exe [X]
S2 ZombieNews; "C:\ProgramData\ZombieNews\ZombieNewsService.exe" [X]

===================== Drivers (Whitelisted) ==========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R2 AODDriver4.2.0; C:\Program Files\ATI Technologies\ATI.ACE\Fuel\i386\AODDriver2.sys [50432 2013-09-20] (Advanced Micro Devices)
R3 BHDrvx86; C:\Program Files\Norton Security\NortonData\22.5.0.124\Definitions\BASHDefs\20150521.001\BHDrvx86.sys [1172696 2015-06-04] (Symantec Corporation)
R3 ccSet_NS; C:\Windows\system32\drivers\NS\1605000.07C\ccSetx86.sys [128728 2015-06-04] (Symantec Corporation)
S3 DNIMp50; C:\Windows\System32\Drivers\DNIMp50.sys [21504 2006-11-16] (Printing Communications Assoc., Inc. (PCAUSA)) [File not signed]
S3 DNISp50; C:\Windows\System32\Drivers\DNISp50.sys [20480 2006-11-16] (Printing Communications Assoc., Inc. (PCAUSA)) [File not signed]
R3 eeCtrl; C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys [380720 2015-05-15] (Symantec Corporation)
R3 EraserUtilRebootDrv; C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [113456 2015-05-15] (Symantec Corporation)
R3 IDSVix86; C:\Program Files\Norton Security\NortonData\22.5.0.124\Definitions\IPSDefs\20150519.100\IDSVix86.sys [514776 2015-06-04] (Symantec Corporation)
S3 LVUSBSta; C:\Windows\System32\drivers\LVUSBSta.sys [41752 2008-07-26] (Logitech Inc.)
R3 MBAMSwissArmy; C:\Windows\system32\drivers\MBAMSwissArmy.sys [170200 2016-04-01] (Malwarebytes)
R3 NAVENG; C:\Program Files\Norton Security\NortonData\22.5.0.124\Definitions\VirusDefs\20150603.019\NAVENG.SYS [95704 2014-11-15] (Symantec Corporation)
R3 NAVEX15; C:\Program Files\Norton Security\NortonData\22.5.0.124\Definitions\VirusDefs\20150603.019\NAVEX15.SYS [1636696 2014-11-15] (Symantec Corporation)
S3 PID_PEPI; C:\Windows\System32\DRIVERS\LV302V32.SYS [2570520 2008-07-26] (Logitech Inc.)
R3 SRTSP; C:\Windows\system32\drivers\NS\1605000.07C\SRTSP.SYS [702680 2015-06-04] (Symantec Corporation)
R3 SRTSPX; C:\Windows\system32\drivers\NS\1605000.07C\SRTSPX.SYS [36056 2015-06-04] (Symantec Corporation)
R3 SSMO4Filter; C:\Windows\System32\drivers\MO4Driver.sys [16896 2011-07-26] (Sagatek Co. Ltd.)
R3 SymEFASI; C:\Windows\system32\drivers\NS\1605000.07C\SYMEFASI.SYS [1278168 2015-06-04] (Symantec Corporation)
R3 SymEvent; C:\Windows\system32\Drivers\SYMEVENT.SYS [94424 2016-03-28] (Symantec Corporation)
R3 SymIRON; C:\Windows\system32\drivers\NS\1605000.07C\Ironx86.SYS [226008 2015-06-04] (Symantec Corporation)
R3 SymNetS; C:\Windows\system32\drivers\NS\1605000.07C\SYMNETS.SYS [421080 2015-06-04] (Symantec Corporation)
S3 tap0901; C:\Windows\System32\DRIVERS\tap0901.sys [35288 2014-02-01] (The OpenVPN Project)
S3 tdrpman; C:\Windows\System32\DRIVERS\tdrpman.sys [888640 2014-04-22] (Acronis International GmbH)
R0 tib; C:\Windows\System32\DRIVERS\tib.sys [736192 2014-04-22] (Acronis International GmbH)
R0 tib_mounter; C:\Windows\System32\DRIVERS\tib_mounter.sys [130488 2014-04-22] (Acronis)
S1 VBoxNetAdp; C:\Windows\System32\DRIVERS\VBoxNetAdp6.sys [98704 2015-12-18] (Oracle Corporation)
R1 VBoxNetLwf; C:\Windows\System32\DRIVERS\VBoxNetLwf.sys [163576 2015-12-18] (Oracle Corporation)
R0 vididr; C:\Windows\System32\DRIVERS\vididr.sys [116000 2014-04-22] (Acronis International GmbH)
R0 vidsflt; C:\Windows\System32\DRIVERS\vidsflt.sys [85280 2014-04-22] (Acronis International GmbH)
S3 visctap0901; C:\Windows\System32\DRIVERS\visctap0901.sys [33160 2014-06-06] (The OpenVPN Project)
R3 WmBEnum; C:\Windows\System32\drivers\WmBEnum.sys [22856 2010-04-27] (Logitech Inc.)
S3 WmFilter; C:\Windows\System32\drivers\WmFilter.sys [37704 2010-04-27] (Logitech Inc.)
S3 WmVirHid; C:\Windows\System32\drivers\WmVirHid.sys [15048 2010-04-27] (Logitech Inc.)
R3 WmXlCore; C:\Windows\System32\drivers\WmXlCore.sys [66632 2010-04-27] (Logitech Inc.)
R3 WN111v2; C:\Windows\System32\DRIVERS\WN111v2w7.sys [624128 2010-04-27] (Atheros Communications, Inc.)
S3 cpuz136; \??\C:\Users\Beth\AppData\Local\Temp\cpuz136\cpuz136_x32.sys [X]
S3 MSICDSetup; \??\E:\CDriver.sys [X]
S3 NTIOLib_1_0_C; \??\E:\NTIOLib.sys [X]

==================== NetSvcs (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)


==================== One Month Created files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2016-04-02 10:42 - 2016-04-02 10:42 - 00000000 ____D C:\Users\Beth\Desktop\UToRrent Downloads
2016-04-02 10:40 - 2016-04-02 10:40 - 00000000 ____D C:\Users\Beth\AppData\LocalLow\uTorrent
2016-04-02 10:34 - 2016-04-02 10:34 - 10457272 _____ (SurfRight B.V.) C:\Users\Beth\Downloads\hitmanpro.exe
2016-04-01 20:23 - 2016-04-02 10:33 - 00000000 ____D C:\ProgramData\System32
2016-04-01 20:16 - 2016-04-01 20:23 - 00000034 _____ C:\Users\Public\Documents\{DE764086-1C0A-4DD3-90BA-0B93BDD794BE}
2016-03-31 16:56 - 2016-03-31 18:05 - 00000000 ____D C:\ProgramData\Malwarebytes' Anti-Malware (portable)
2016-03-31 16:13 - 2016-03-31 16:13 - 00000000 ____D C:\Users\Beth\Desktop\rkill
2016-03-31 16:12 - 2016-03-31 16:15 - 00003874 _____ C:\Users\Beth\Desktop\Rkill.txt
2016-03-30 21:59 - 2016-03-30 21:59 - 00094936 _____ (Malwarebytes) C:\Windows\system32\Drivers\0D001BC2.sys
2016-03-30 21:27 - 2016-04-01 20:23 - 00170200 _____ (Malwarebytes) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
2016-03-30 21:18 - 2016-03-31 16:18 - 00000000 ____D C:\Users\Beth\Desktop\Computer Cleanup
2016-03-29 09:39 - 2016-03-29 09:39 - 00000000 ____D C:\Windows\19
2016-03-28 23:47 - 2016-03-28 23:47 - 00000913 _____ C:\Users\Beth\Desktop\SABnzbd.lnk
2016-03-28 23:47 - 2016-03-28 23:47 - 00000000 ____D C:\Users\Beth\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\SABnzbd
2016-03-28 23:47 - 2016-03-28 23:47 - 00000000 ____D C:\Program Files\SABnzbd
2016-03-28 22:37 - 2016-03-28 22:37 - 00001069 _____ C:\Users\Public\Desktop\Mozilla Firefox.lnk
2016-03-28 21:36 - 2016-03-28 21:36 - 00000000 ____D C:\Users\Beth\Desktop\Old Firefox Data
2016-03-28 21:32 - 2016-03-28 21:32 - 00023854 _____ C:\Users\Beth\Desktop\SearchProtect Norton Removal.txt
2016-03-28 17:58 - 2016-03-28 18:22 - 00000000 ____D C:\Program Files\Common Files\Symantec Shared
2016-03-28 17:58 - 2016-03-28 17:58 - 00094424 _____ (Symantec Corporation) C:\Windows\system32\Drivers\SYMEVENT.SYS
2016-03-28 17:58 - 2016-03-28 17:58 - 00008138 _____ C:\Windows\system32\Drivers\SYMEVENT.CAT
2016-03-28 17:57 - 2016-03-28 17:58 - 00000000 ____D C:\ProgramData\Norton
2016-03-28 17:57 - 2016-03-28 17:57 - 00002273 _____ C:\Users\Public\Desktop\Norton Security.LNK
2016-03-28 17:57 - 2016-03-28 17:57 - 00000000 ___RD C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Norton Security
2016-03-28 17:57 - 2016-03-28 17:57 - 00000000 ____D C:\Windows\system32\Drivers\NS
2016-03-28 17:57 - 2016-03-28 17:57 - 00000000 ____D C:\Program Files\Norton Security
2016-03-28 17:56 - 2016-03-28 17:56 - 00000000 ____D C:\ProgramData\NortonInstaller
2016-03-28 17:56 - 2016-03-28 17:56 - 00000000 ____D C:\Program Files\NortonInstaller
2016-03-20 01:28 - 2016-03-28 22:37 - 00000000 ____D C:\Program Files\Mozilla Firefox
2016-03-18 06:58 - 2016-03-18 06:58 - 00000000 ____D C:\Windows\3
2016-03-15 21:03 - 2016-04-02 10:55 - 00000000 ____D C:\FRST
2016-03-15 21:00 - 2016-03-15 21:01 - 00000000 ____D C:\ProgramData\Sophos
2016-03-15 21:00 - 2016-03-15 21:00 - 00002747 _____ C:\Users\Public\Desktop\Sophos Virus Removal Tool.lnk
2016-03-15 21:00 - 2016-03-15 21:00 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Sophos
2016-03-15 21:00 - 2016-03-15 21:00 - 00000000 ____D C:\Program Files\Sophos
2016-03-15 20:59 - 2016-03-31 18:05 - 00000000 ____D C:\Users\Beth\Desktop\mbar
2016-03-15 20:45 - 2016-03-28 22:01 - 00000000 ____D C:\Program Files\AdwCleaner
2016-03-15 20:44 - 2016-03-16 12:53 - 00000000 ____D C:\Users\Beth\Desktop\Malware Tools
2016-03-15 19:53 - 2016-04-01 20:45 - 00000000 ____D C:\Program Files\Malwarebytes Anti-Malware
2016-03-15 19:53 - 2016-03-31 18:50 - 00001024 _____ C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2016-03-15 19:53 - 2016-03-31 18:50 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes Anti-Malware
2016-03-15 19:53 - 2016-03-15 19:53 - 00000000 ____D C:\ProgramData\Malwarebytes
2016-03-15 19:53 - 2016-03-10 14:09 - 00053120 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mwac.sys
2016-03-15 19:53 - 2016-03-10 14:08 - 00126336 _____ (Malwarebytes) C:\Windows\system32\Drivers\mbamchameleon.sys
2016-03-15 19:53 - 2016-03-10 14:08 - 00024448 _____ (Malwarebytes) C:\Windows\system32\Drivers\mbam.sys
2016-03-15 05:07 - 2016-04-01 20:45 - 00000000 ____D C:\Program Files\SkypeUpdateEx
2016-03-15 05:05 - 2016-03-15 05:05 - 00000000 ____D C:\Users\Beth\AppData\Roaming\FrivLauncher
2016-03-15 05:04 - 2016-03-15 05:05 - 00000000 ____D C:\Users\Beth\AppData\Local\app
2016-03-15 05:04 - 2016-03-15 05:04 - 00000000 ____D C:\Users\Beth\AppData\Local\Downloaded Installations
2016-03-15 05:04 - 2016-03-15 05:04 - 00000000 ____D C:\Users\Beth\AppData\Local\brsrv
2016-03-15 05:01 - 2016-03-15 05:01 - 00015360 _____ C:\Users\Beth\AppData\Local\exdbmt.dll
2016-03-15 05:01 - 2016-03-15 05:01 - 00002560 _____ C:\Users\Beth\AppData\Local\uninstall.exe
2016-03-15 05:01 - 2016-03-15 05:01 - 00000000 ____D C:\Users\Beth\AppData\Roaming\XBox
2016-03-08 15:20 - 2016-03-08 15:20 - 00000000 ____H C:\Windows\system32\Drivers\Msft_Kernel_MO4Driver_01009.Wdf
2016-03-08 15:20 - 2016-03-08 15:20 - 00000000 ____D C:\Users\Beth\AppData\Roaming\SteelSeries
2016-03-08 15:20 - 2016-03-08 15:20 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\SteelSeries
2016-03-08 15:19 - 2016-03-08 15:19 - 00000000 ____D C:\Program Files\SteelSeries
2016-03-08 15:19 - 2011-07-26 22:18 - 00016896 _____ (Sagatek Co. Ltd.) C:\Windows\system32\Drivers\MO4Driver.sys
2016-03-08 15:19 - 2010-12-17 16:25 - 01461992 _____ (Microsoft Corporation) C:\Windows\system32\WdfCoInstaller01009.dll
2016-03-06 18:58 - 2016-03-15 05:33 - 00000000 ____D C:\Users\Beth\AppData\Local\TSVNCache
2016-03-06 18:13 - 2016-03-06 18:13 - 00000000 ____D C:\Users\Beth\AppData\Roaming\TortoiseSVN
2016-03-06 18:11 - 2016-03-06 18:11 - 00000000 ____D C:\Users\Beth\AppData\Roaming\Subversion
2016-03-06 17:04 - 2016-03-06 18:01 - 00000000 ____D C:\CSS
2016-03-06 14:58 - 2016-03-06 15:12 - 00000000 ____D C:\Users\Beth\Documents\steamCMD
2016-03-06 14:57 - 2016-03-06 14:58 - 00000000 ____D C:\Program Files\steamCMDg
2016-03-04 16:05 - 2016-04-01 20:12 - 00575574 _____ C:\Windows\ntbtlog.txt
2016-03-03 01:19 - 2016-03-04 16:59 - 00000000 ____D C:\Users\Beth\AppData\Roaming\Audacity

==================== One Month Modified files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2016-04-02 10:53 - 2014-02-23 13:10 - 00000000 ____D C:\ProgramData\NzbDrone
2016-04-02 10:49 - 2016-01-07 11:20 - 00000000 ____D C:\Users\Beth\AppData\Roaming\uTorrent
2016-04-02 10:47 - 2014-10-03 22:22 - 00000000 ____D C:\Users\Beth\AppData\Local\Battle.net
2016-04-02 10:30 - 2015-09-01 20:03 - 00000886 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2016-04-02 09:23 - 2014-10-03 22:23 - 00000000 ____D C:\Program Files\World of Warcraft
2016-04-02 04:50 - 2014-10-03 22:22 - 00000000 ____D C:\Program Files\Battle.net
2016-04-01 20:25 - 2009-07-14 00:34 - 00015904 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2016-04-01 20:25 - 2009-07-14 00:34 - 00015904 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2016-04-01 20:14 - 2015-09-01 20:03 - 00000882 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2016-04-01 20:14 - 2009-07-14 00:53 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2016-03-30 21:20 - 2014-02-23 12:59 - 00781298 _____ C:\Windows\system32\PerfStringBackup.INI
2016-03-30 21:20 - 2009-07-13 22:37 - 00000000 ____D C:\Windows\inf
2016-03-29 00:34 - 2016-01-09 23:11 - 00000000 ____D C:\Users\Beth\AppData\Roaming\vlc
2016-03-28 23:52 - 2014-02-23 13:05 - 00000000 ____D C:\Program Files\Mozilla Maintenance Service
2016-03-28 22:37 - 2014-02-23 13:05 - 00001081 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Mozilla Firefox.lnk
2016-03-25 11:01 - 2016-02-26 19:14 - 00001519 _____ C:\Users\Beth\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer.lnk
2016-03-25 11:01 - 2015-09-01 20:05 - 00002243 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome.lnk
2016-03-25 09:02 - 2009-07-14 00:53 - 00032614 _____ C:\Windows\Tasks\SCHEDLGU.TXT
2016-03-22 20:18 - 2014-02-23 23:29 - 00000000 ____D C:\Users\Beth\AppData\Local\ElevatedDiagnostics
2016-03-20 11:35 - 2014-11-08 01:14 - 00000000 ____D C:\Users\Beth\AppData\Local\Deployment
2016-03-15 18:47 - 2014-02-23 12:35 - 00000000 ____D C:\Windows\Panther
2016-03-15 18:44 - 2014-07-18 01:59 - 00000000 __SHD C:\Windows\system32\AI_RecycleBin
2016-03-15 18:41 - 2015-11-04 21:16 - 00000000 ____D C:\Program Files\HitmanPro
2016-03-15 13:23 - 2016-01-14 17:16 - 00000000 ____D C:\Users\Beth\AppData\Roaming\Firestorm
2016-03-15 13:10 - 2016-01-22 00:48 - 00000000 ____D C:\Users\Beth\AppData\Roaming\Samsung
2016-03-15 13:10 - 2016-01-21 21:10 - 00000000 ____D C:\Program Files\SAMSUNG
2016-03-15 13:10 - 2015-08-15 14:07 - 00000000 ___HD C:\Program Files\InstallShield Installation Information
2016-03-15 13:08 - 2016-01-06 14:09 - 00000000 ____D C:\Users\Beth\AppData\Roaming\NCH Software
2016-03-15 05:41 - 2014-02-23 14:06 - 00064752 _____ C:\Users\Beth\AppData\Local\GDIPFONTCACHEV1.DAT
2016-03-15 05:40 - 2009-07-14 00:33 - 00295816 _____ C:\Windows\system32\FNTCACHE.DAT
2016-03-15 05:32 - 2016-01-06 06:15 - 00000000 ____D C:\Users\Beth\AppData\Roaming\TeamViewer
2016-03-15 05:32 - 2015-12-08 00:04 - 00000000 ____D C:\Program Files\TeamViewer
2016-03-15 05:06 - 2014-02-23 23:44 - 00000000 ____D C:\ProgramData\AMD
2016-03-14 14:51 - 2014-10-12 21:02 - 00000000 ____D C:\Program Files\Hearthstone
2016-03-10 04:22 - 2009-07-13 22:37 - 00000000 ____D C:\Windows\system32\NDF
2016-03-08 15:20 - 2016-01-21 21:40 - 00000000 ____D C:\Program Files\DIFX
2016-03-07 14:21 - 2015-10-13 18:41 - 00000000 ____D C:\Program Files\Common Files\Steam
2016-03-05 11:40 - 2015-12-21 03:34 - 00000600 _____ C:\Users\Beth\AppData\Local\PUTTY.RND

==================== Files in the root of some directories =======

2016-02-24 01:45 - 2016-02-24 01:32 - 0109570 ___SH () C:\Users\Beth\AppData\Local\CSIDL_
2016-02-24 01:45 - 2016-02-24 01:32 - 0109570 ___SH () C:\Users\Beth\AppData\Local\CSIDL_X
2016-03-15 05:01 - 2016-03-15 05:01 - 0015360 _____ () C:\Users\Beth\AppData\Local\exdbmt.dll
2015-12-21 03:34 - 2016-03-05 11:40 - 0000600 _____ () C:\Users\Beth\AppData\Local\PUTTY.RND
2014-10-12 20:36 - 2014-10-12 20:36 - 0000218 _____ () C:\Users\Beth\AppData\Local\recently-used.xbel
2014-05-14 23:33 - 2015-11-20 22:35 - 0007651 _____ () C:\Users\Beth\AppData\Local\Resmon.ResmonCfg
2016-02-16 14:47 - 2016-02-16 14:47 - 0006656 _____ () C:\Users\Beth\AppData\Local\tinstall.exe
2016-02-16 14:46 - 2016-02-16 14:46 - 0007168 _____ () C:\Users\Beth\AppData\Local\tinstall4.exe
2016-03-15 05:01 - 2016-03-15 05:01 - 0002560 _____ () C:\Users\Beth\AppData\Local\uninstall.exe
2015-11-18 04:19 - 2015-11-18 04:19 - 0004912 _____ () C:\ProgramData\lbogtyso.zat
2015-08-15 14:10 - 2015-08-15 14:10 - 0004099 _____ () C:\ProgramData\mtbjfghn.xbe

Some files in TEMP:
====================
C:\Users\Beth\AppData\Local\Temp\devcon.exe
C:\Users\Beth\AppData\Local\Temp\DVDChangeDisc.exe
C:\Users\Beth\AppData\Local\Temp\sqlite3.dll


==================== Bamital & volsnap =================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\explorer.exe => File is digitally signed
C:\Windows\system32\winlogon.exe => File is digitally signed
C:\Windows\system32\wininit.exe => File is digitally signed
C:\Windows\system32\svchost.exe => File is digitally signed
C:\Windows\system32\services.exe => File is digitally signed
C:\Windows\system32\User32.dll => File is digitally signed
C:\Windows\system32\userinit.exe => File is digitally signed
C:\Windows\system32\rpcss.dll => File is digitally signed
C:\Windows\system32\dnsapi.dll => File is digitally signed
C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed


LastRegBack: 2016-03-29 08:20

==================== End of FRST.txt ============================



#2 Jo*
  • Malware Response Team
  • 3,429 posts
  • Gender:Male
  • Location:Germany

Posted 02 April 2016 - 11:07 AM

Welcome to BleepingComputer.

Hi there,

My name is Jo and I will help you with your computer problems.


Please follow these guidelines:
  • Read and follow the instructions in the sequence they are posted.
  • Print or copy and save the instructions.
  • Back up all your private data / music / important files on another (external) drive before using our tools.
  • Do not install / uninstall any applications, unless otherwise instructed.
  • Use only the tools you have been instructed to use.
  • Copy and paste the log files inside your post, unless otherwise instructed.
  • Ask for clarification, if you have any questions.
  • Stay with this topic until you get the all-clean post.
  • My first language is not English, so please do not use slang or idioms. It could be hard for me to read. Thanks for your understanding.

***


Step 1: We will now run ComboFix.exe. Please visit this webpage for download links and instructions for running the tool:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Ensure you have disabled all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.

Please include the C:\ComboFix.txt in your next reply for further review.

Then enable your antivirus program(s) again.


***


Step 2: Please download Malwarebytes Anti-Rootkit and save it to your desktop.
  • Be sure to print out and follow the instructions provided on that same page.
  • Caution: This is a beta version so please be sure to read the disclaimer and back up all your data before using.
  • Double click on downloaded file. OK self extracting prompt.
  • MBAR will start. Click in the introduction screen "next" to continue.
  • Click in the following screen "Update" to obtain the latest malware definitions.
  • Once the update is complete select "Next" and click "Scan".
With some infections, you may see two message boxes.
  • 'Could not load protection driver'. Click 'OK'.
  • 'Could not load DDA driver'. Click 'Yes' to this message, to allow the driver to load after a restart. Allow the computer to restart. Continue with the rest of these instructions.
  • If malware is found - do not press the Clean up button, please go to the MBAR folder and then copy/paste the contents of the MBAR-log-***.txt file to your next reply.
  • If there is no malware found, please let me know as well.

***


Step 3: Please download AdwCleaner by Xplode and save it to your Desktop.
Double-click AdwCleaner.exe
Vista / Windows 7/8 users right-click and select Run As Administrator.
  • Click on the Scan button.
  • AdwCleaner will begin...be patient as the scan may take some time to complete.
    The actual line should say "Pending. Please uncheck elements you do not want to remove" => scan is complete.
  • After the scan has finished, click on the Logfile button...a logfile (AdwCleaner[R0].txt) will open in Notepad for review.
  • The contents of the log file may be confusing. Unless you see a program name that you know should not be removed, don't worry about it.
    If you see an entry you want to keep, let me know about it.
  • Copy and paste the contents of that logfile in your next reply.
  • Copies of all logfiles are saved in the C:\AdwCleaner folder, which was created when running the tool.

Graduate of the WTT Classroom
Cheers,
Jo
If I have been helping you, and I have not replied to your latest post in 36 hours please send me a PM.


#3 efhunter
  • Topic Starter
  • Members
  • 11 posts

Posted 02 April 2016 - 05:48 PM

My son came in while I was out and got Hitman Pro and Malwarebytes AM to run and cleaned up most of the problems, I think. The browser hijacking has stopped at least, and it supposedly got rid of the Safeguard.A. Here are the logfiles:


# AdwCleaner v5.108 - Logfile created 02/04/2016 at 18:41:58
# Updated 30/03/2016 by Xplode
# Database : 2016-03-30.1 [Server]
# Operating system : Windows 7 Home Premium  (x86)
# Username : Beth - MEDIABOX
# Running from : C:\Users\Beth\Desktop\AdwCleaner.exe
# Option : Scan
# Support : http://toolslib.net/forum

***** [ Services ] *****


ComboFix 16-04-01.01 - Beth 04/02/2016  17:25:36.1.2 - x86
Microsoft Windows 7 Home Premium   6.1.7600.0.1252.1.1033.18.3327.1776 [GMT -4:00]
Running from: c:\users\Beth\Desktop\ComboFix.exe
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\users\Beth\AppData\Local\tinstall.exe
c:\users\Beth\AppData\Local\tinstall4.exe
c:\users\Beth\AppData\Local\uninstall.exe
c:\users\Beth\AppData\Roaming\Microsoft\Windows\Recent\progress.html.url
c:\users\Beth\AppData\Roaming\mIRC\logs\status.log
c:\windows\19
c:\windows\19\503BBB50300FEDE3D74117BBC0CB97FC.tmp
c:\windows\3
c:\windows\3\302529eeeff1d817f55ade80cc167462.tmp
.
.
(((((((((((((((((((((((((   Files Created from 2016-03-02 to 2016-04-02  )))))))))))))))))))))))))))))))
.
.
2016-04-02 21:53 . 2016-04-02 21:53    --------    d-----w-    c:\users\Beth\AppData\Local\temp
2016-04-02 21:53 . 2016-04-02 21:53    --------    d-----w-    c:\users\Default\AppData\Local\temp
2016-04-02 17:01 . 2016-04-02 17:25    --------    d-----w-    c:\users\Beth\AppData\Roaming\CouchPotato
2016-04-02 16:43 . 2016-04-02 16:43    32384    ----a-w-    c:\windows\system32\drivers\hitmanpro37.sys
2016-03-31 20:56 . 2016-03-31 22:05    --------    d-----w-    c:\programdata\Malwarebytes' Anti-Malware (portable)
2016-03-31 01:59 . 2016-03-31 01:59    94936    ----a-w-    c:\windows\system32\drivers\0D001BC2.sys
2016-03-31 01:27 . 2016-04-02 16:49    170200    ----a-w-    c:\windows\system32\drivers\MBAMSwissArmy.sys
2016-03-29 03:47 . 2016-03-29 03:47    --------    d-----w-    c:\program files\SABnzbd
2016-03-28 21:58 . 2016-04-02 18:52    103152    ----a-w-    c:\windows\system32\drivers\SYMEVENT.SYS
2016-03-28 21:58 . 2016-03-28 22:22    --------    d-----w-    c:\program files\Common Files\Symantec Shared
2016-03-28 21:57 . 2016-04-02 17:49    --------    d-----w-    c:\windows\system32\drivers\NS
2016-03-28 21:57 . 2016-03-28 21:58    --------    d-----w-    c:\programdata\Norton
2016-03-28 21:57 . 2016-03-28 21:57    --------    d-----w-    c:\program files\Norton Security
2016-03-28 21:56 . 2016-03-28 21:56    --------    d-----w-    c:\program files\NortonInstaller
2016-03-17 21:16 . 2016-03-17 21:16    62576    ----a-w-    c:\programdata\Microsoft\Windows Defender\Definition Updates\{C08EBBC6-027A-4C3B-A306-6D438AA259E3}\offreg.2896.dll
2016-03-16 10:28 . 2016-03-16 10:28    62576    ----a-w-    c:\programdata\Microsoft\Windows Defender\Definition Updates\{C08EBBC6-027A-4C3B-A306-6D438AA259E3}\offreg.5436.dll
2016-03-16 01:03 . 2016-04-02 15:09    --------    d-----w-    C:\FRST
2016-03-16 01:00 . 2016-03-16 01:01    --------    d-----w-    c:\programdata\Sophos
2016-03-16 01:00 . 2016-03-16 01:00    --------    d-----w-    c:\program files\Sophos
2016-03-16 00:45 . 2016-04-02 16:01    --------    d-----w-    c:\program files\AdwCleaner
2016-03-15 23:56 . 2016-03-02 20:59    9067696    ----a-w-    c:\programdata\Microsoft\Windows Defender\Definition Updates\{C08EBBC6-027A-4C3B-A306-6D438AA259E3}\mpengine.dll
2016-03-15 23:53 . 2016-04-02 00:45    --------    d-----w-    c:\program files\Malwarebytes Anti-Malware
2016-03-15 23:53 . 2016-03-15 23:53    --------    d-----w-    c:\programdata\Malwarebytes
2016-03-15 23:53 . 2016-03-10 18:09    53120    ----a-w-    c:\windows\system32\drivers\mwac.sys
2016-03-15 23:53 . 2016-03-10 18:08    126336    ----a-w-    c:\windows\system32\drivers\mbamchameleon.sys
2016-03-15 23:53 . 2016-03-10 18:08    24448    ----a-w-    c:\windows\system32\drivers\mbam.sys
2016-03-15 09:05 . 2016-03-15 09:05    --------    d-----w-    c:\users\Beth\AppData\Roaming\FrivLauncher
2016-03-15 09:04 . 2016-03-15 09:05    --------    d-----w-    c:\users\Beth\AppData\Local\app
2016-03-15 09:04 . 2016-03-15 09:04    --------    d-----w-    c:\users\Beth\AppData\Local\Downloaded Installations
2016-03-08 19:20 . 2016-03-08 19:20    --------    d-----w-    c:\users\Beth\AppData\Roaming\SteelSeries
2016-03-08 19:19 . 2011-07-27 02:18    16896    ----a-w-    c:\windows\system32\drivers\MO4Driver.sys
2016-03-08 19:19 . 2010-12-17 20:25    1461992    ----a-w-    c:\windows\system32\WdfCoInstaller01009.dll
2016-03-08 19:19 . 2016-03-08 19:19    --------    d-----w-    c:\program files\SteelSeries
2016-03-06 22:58 . 2016-03-15 09:33    --------    d-----w-    c:\users\Beth\AppData\Local\TSVNCache
2016-03-06 22:13 . 2016-03-06 22:13    --------    d-----w-    c:\users\Beth\AppData\Roaming\TortoiseSVN
2016-03-06 22:11 . 2016-03-06 22:11    --------    d-----w-    c:\users\Beth\AppData\Roaming\Subversion
2016-03-06 21:04 . 2016-03-06 22:01    --------    d-----w-    C:\CSS
2016-03-06 18:57 . 2016-03-06 18:58    --------    d-----w-    c:\program files\steamCMDg
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Plex Media Server"="c:\program files\Plex\Plex Media Server\Plex Media Server.exe" [2015-09-24 6294664]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\x86\CLIStart.exe" [2013-12-06 747264]
"DiscWizardMonitor.exe"="c:\program files\Seagate\DiscWizard\DiscWizardMonitor.exe" [2013-10-30 6382504]
"Seagate Scheduler2 Service"="c:\program files\Common Files\Seagate\Schedule2\schedhlp.exe" [2013-10-30 400376]
"AcronisTibMounterMonitor"="c:\program files\Common Files\Acronis\TibMounter\TibMounterMonitor.exe" [2013-01-10 1103424]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2015-12-14 1085656]
"SteelSeries World of Warcraft® MMO Gaming Mouse Legendary Edition"="c:\program files\SteelSeries\World of Warcraft® MMO Gaming Mouse Legendary Edition\WoWMHID4.exe" [2011-10-04 1945600]
.
c:\users\Beth\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
SABnzbd.lnk - c:\program files\SABnzbd\SABnzbd.exe -b0 [2016-3-28 108032]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
NETGEAR WN111v2 Smart Wizard.lnk - c:\program files\NETGEAR\WN111v2\WN111v2.exe [2009-10-10 1728512]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
"EnableLinkedConnections"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux9"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro37]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro37.sys]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\HitmanPro37Crusader]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\HitmanPro37CrusaderBoot]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SophosVirusRemovalTool]
@="Service"
.
R1 VBoxNetAdp;VirtualBox NDIS 6.0 Miniport Service;c:\windows\system32\DRIVERS\VBoxNetAdp6.sys [2015-12-18 98704]
R2 NzbDrone;NzbDrone;c:\programdata\NzbDrone\bin\NzbDrone.Console.exe [2016-03-12 24064]
R2 SkypeUpdate;Skype Updater;c:\program files\Skype\Updater\Updater.exe [2015-07-09 327296]
R3 cpuz136;cpuz136;c:\users\Beth\AppData\Local\Temp\cpuz136\cpuz136_x32.sys [x]
R3 DNIMp50;DNIMp50 NDIS Protocol Driver;c:\windows\system32\Drivers\DNIMp50.sys [2006-11-16 21504]
R3 DNISp50;DNISp50 NDIS Protocol Driver;c:\windows\system32\Drivers\DNISp50.sys [2006-11-16 20480]
R3 hitmanpro37;HitmanPro 3.7 Support Driver;c:\windows\system32\drivers\hitmanpro37.sys [2016-04-02 32384]
R3 jswpsapi;Jumpstart Wifi Protected Setup;c:\program files\NETGEAR\WN111v2\jswpsapi.exe [2008-02-29 942080]
R3 MSICDSetup;MSICDSetup;E:\CDriver.sys [x]
R3 NTIOLib_1_0_C;NTIOLib_1_0_C;E:\NTIOLib.sys [x]
R3 SophosVirusRemovalTool;Sophos Virus Removal Tool;c:\program files\Sophos\Sophos Virus Removal Tool\SVRTservice.exe [2015-10-20 153352]
R3 visctap0901;Viscosity Virtual Adapter V9.1;c:\windows\system32\DRIVERS\visctap0901.sys [2014-06-06 33160]
R4 AMD FUEL Service;AMD FUEL Service;c:\program files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe [2013-12-06 276992]
R4 ViscosityVPPVPNetworksLLCService;ViscosityVPP VPNetworks LLC Service;c:\program files\TorGuard.Viscosity\ViscosityVPPVPNetworksLLCService.exe [2014-01-23 56096]
S0 fltsrv;Acronis Storage Filter Management;c:\windows\system32\DRIVERS\fltsrv.sys [2014-04-22 81184]
S0 SymEFASI;Symantec Extended File Attributes (SI);c:\windows\system32\drivers\NS\1605020.00F\SYMEFASI.SYS [2015-07-11 1286896]
S0 tib;Acronis TIB Manager;c:\windows\system32\DRIVERS\tib.sys [2014-04-22 736192]
S0 tib_mounter;Acronis TIB Mounter;c:\windows\system32\DRIVERS\tib_mounter.sys [2014-04-22 130488]
S0 vididr;Acronis Virtual Disk;c:\windows\system32\DRIVERS\vididr.sys [2014-04-22 116000]
S0 vidsflt;Acronis Disk Storage Filter;c:\windows\system32\DRIVERS\vidsflt.sys [2014-04-22 85280]
S1 ccSet_NS;NS Settings Manager;c:\windows\system32\drivers\NS\1605020.00F\ccSetx86.sys [2015-07-11 137456]
S1 jswpslwf;JumpStart Wireless Filter Driver;c:\windows\system32\DRIVERS\jswpslwf.sys [2008-05-15 20384]
S1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\NS\1605020.00F\Ironx86.SYS [2015-07-11 234744]
S1 VBoxDrv;VirtualBox Service;c:\windows\system32\DRIVERS\VBoxDrv.sys [2015-12-18 784696]
S1 VBoxNetLwf;VirtualBox NDIS6 Bridged Networking Service;c:\windows\system32\DRIVERS\VBoxNetLwf.sys [2015-12-18 163576]
S1 VBoxUSBMon;VirtualBox USB Monitor Driver;c:\windows\system32\DRIVERS\VBoxUSBMon.sys [2015-12-18 112112]
S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2013-12-06 209408]
S2 AODDriver4.2.0;AODDriver4.2.0;c:\program files\ATI Technologies\ATI.ACE\Fuel\i386\AODDriver2.sys [2013-09-20 50432]
S2 NS;Norton Security;c:\program files\Norton Security\Engine\22.5.2.15\NS.exe [2015-07-16 282016]
S2 SgtSch2Svc;Seagate Scheduler2 Service;c:\program files\Common Files\Seagate\Schedule2\schedul2.exe [2013-10-30 801888]
S3 AtiHDAudioService;AMD Function Driver for HD Audio Service;c:\windows\system32\drivers\AtihdW73.sys [2013-09-24 77312]
S3 BHDrvx86;BHDrvx86;c:\program files\Norton Security\NortonData\22.5.0.124\Definitions\BASHDefs\20160401.001\BHDrvx86.sys [2016-03-31 1269488]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2015-05-15 113456]
S3 IDSVix86;IDSVix86;c:\program files\Norton Security\NortonData\22.5.0.124\Definitions\IPSDefs\20160401.001\IDSvix86.sys [2016-04-01 580344]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt86win7.sys [2009-07-13 139776]
S3 SSMO4Filter;MMO-4 Mouse;c:\windows\system32\drivers\MO4Driver.sys [2011-07-27 16896]
S3 SymNetS;Symantec Network Security WFP Driver;c:\windows\system32\drivers\NS\1605000.07C\SYMNETS.SYS [2015-06-04 421080]
S3 WN111v2;NETGEAR WN111v2 USB2.0 Wireless Card Service;c:\windows\system32\DRIVERS\WN111v2w7.sys [2010-04-28 624128]
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - ERASERUTILDRV11520
*Deregistered* - EraserUtilDrv11520
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]
2016-03-15 00:31    1106072    ----a-w-    c:\program files\Google\Chrome\Application\49.0.2623.87\Installer\chrmstp.exe
.
Contents of the 'Scheduled Tasks' folder
.
2015-10-17 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2014-02-23 03:39]
.
2016-04-02 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2015-09-02 00:03]
.
2016-04-02 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2015-09-02 00:03]
.
.
------- Supplementary Scan -------
.
uStart Page = www.google.com
uDefault_Search_URL = hxxp://www.google.com
mStart Page = www.google.com
TCP: DhcpNameServer = 192.168.1.1
FF - ProfilePath - c:\users\Beth\AppData\Roaming\Mozilla\Firefox\Profiles\m0eqdjdz.default-1459215388002OLD\
FF - prefs.js: browser.startup.homepage - www.google.com
FF - prefs.js: network.proxy.type - 0
.
- - - - ORPHANS REMOVED - - - -
.
ShellIconOverlayIdentifiers-{E056AFDD-03E9-4D73-8D33-8FCCBCA73438} - (no file)
HKLM-Run-win_en_77 - c:\program files\win_en_77\win_en_77.exe
AddRemove-uTorrent - c:\users\Beth\AppData\Roaming\uTorrent\uTorrent.exe
.
.
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\NS]
"ImagePath"="\"c:\program files\Norton Security\Engine\22.5.2.15\NS.exe\" /s \"NS\" /m \"c:\program files\Norton Security\Engine\22.5.2.15\diMaster.dll\" /prefetch:1"
"ImagePath"="\SystemRoot\system32\drivers\NS\1605000.07C\SYMNETS.SYS"
"TrustedImagePaths"="c:\program files\Norton Security\Engine\22.5.0.124"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-3314193060-3455151175-2916073930-1000\Software\SecuROM\License information*]
"datasecu"=hex:b5,7e,72,7f,9e,94,7a,2b,ec,96,35,40,0a,b7,ab,85,27,81,3d,df,e9,
   42,3d,33,c6,2b,98,c6,5e,4f,37,12,d6,e7,b6,e4,b4,0a,27,b7,4e,ac,d7,e0,5a,29,\
"rkeysecu"=hex:2f,0f,d5,3e,02,2b,06,63,b1,0b,dd,b6,71,e2,54,98
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2016-04-02  17:55:19
ComboFix-quarantined-files.txt  2016-04-02 21:55
.
Pre-Run: 228,735,963,136 bytes free
Post-Run: 228,702,089,216 bytes free
.
- - End Of File - - E6A47AE84EAE84D601A5BA397978491D
A36C5E4F47E84449FF07ED3517B43A31

Malwarebytes Anti-Rootkit BETA 1.9.3.1001
www.malwarebytes.org

Database version:
  main:    v2016.04.02.06
  rootkit: v2016.03.30.01

Windows 7 x86 NTFS
Internet Explorer 9.0.8112.16421
Beth :: MEDIABOX [administrator]

4/2/2016 6:03:21 PM
mbar-log-2016-04-02 (18-03-21).txt

Scan type: Quick scan
Scan options enabled: Anti-Rootkit | Drivers | MBR | Physical Sectors | Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken
Scan options disabled:
Objects scanned: 327683
Time elapsed: 25 minute(s), 48 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

Physical Sectors Detected: 0
(No malicious items detected)

(end)





***** [ Folders ] *****


***** [ Files ] *****


***** [ DLL ] *****


***** [ Shortcuts ] *****


***** [ Scheduled tasks ] *****


***** [ Registry ] *****


***** [ Web browsers ] *****


*************************

C:\AdwCleaner\AdwCleaner[S1].txt - [747 bytes] - [02/04/2016 18:37:55]
C:\AdwCleaner\AdwCleaner[S2].txt - [669 bytes] - [02/04/2016 18:41:58]

########## EOF - C:\AdwCleaner\AdwCleaner[S2].txt - [741 bytes] ##########



#4 Jo*
  • Malware Response Team
  • 3,429 posts
  • Gender:Male
  • Location:Germany

Posted 02 April 2016 - 06:07 PM

Please run only the tools I have instructed you to use!

---

Please download Junkware Removal Tool from HERE and save it to your desktop.
Shut down your antivirus to avoid any potential conflicts.
Double click JRT.exe to run the tool.
Vista / Windows 7/8 users right-click and select Run As Administrator.
  • JRT will begin to backup your registry and start scanning your system.
  • Please be patient as this can take a while to complete depending on your system's specifications.
  • On completion, the log JRT.txt is saved on your desktop and will automatically open.
Enable your antivirus!
Post the contents of JRT.txt into your next reply.


***



Copy FRST / FRST64 to your desktop!

Open Notepad. Please copy the contents of the code box below. To do this, highlight the contents of the box and right-click on it. Paste this into the open Notepad.
Save it in the same location as FRST / FRST64 (usually your desktop) as fixlist.txt


start
CreateRestorePoint:
CloseProcesses:
EmptyTemp:
HKLM\...\Run: [win_en_77] => "C:\Program Files\win_en_77\win_en_77.exe"
HKLM\...\Run: [sun3] => [X]
HKLM\...\Run: [gmsd_us_005010247] => "C:\Program Files\gmsd_us_005010247\gmsd_us_005010247.exe"
HKLM\...\Run: [sun13] => [X]
HKLM\...\Run: [rec_en_225] => "C:\Program Files\rec_en_225\rec_en_225.exe"
HKU\S-1-5-21-3314193060-3455151175-2916073930-1000\...\Run: [Clownfish] => 0
HKU\S-1-5-21-3314193060-3455151175-2916073930-1000\...\Run: [exdbmt] => rundll32.exe "C:\Users\Beth\AppData\Local\exdbmt.dll",exdbmt <===== ATTENTION
ShellIconOverlayIdentifiers: [ExplorerEx] -> {E056AFDD-03E9-4D73-8D33-8FCCBCA73438} => No File
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
HKU\S-1-5-21-3314193060-3455151175-2916073930-1000\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
S3 cpuz136; \??\C:\Users\Beth\AppData\Local\Temp\cpuz136\cpuz136_x32.sys [X]
S3 MSICDSetup; \??\E:\CDriver.sys [X]
S3 NTIOLib_1_0_C; \??\E:\NTIOLib.sys [X]
S2 WindowsSecurity; C:\ProgramData\Windows Security\winsecurity.exe [X]
S2 ZombieNews; "C:\ProgramData\ZombieNews\ZombieNewsService.exe" [X]
ManualProxies: 1http=127.0.0.1:8080;https=127.0.0.1:8080
ProxyEnable: [S-1-5-21-3314193060-3455151175-2916073930-1000] => Proxy is enabled.
ProxyServer: [S-1-5-21-3314193060-3455151175-2916073930-1000] => http=127.0.0.1:8080;https=127.0.0.1:8080
AutoConfigURL: [S-1-5-21-3314193060-3455151175-2916073930-1000] => http=127.0.0.1:8080;https=127.0.0.1:8080
Winsock: Catalog5 10 C:\ProgramData\System32\SafeGuard32.dll [2771896 2016-04-01] ()
Task: {07B1F593-4F15-4F5C-BC6D-9A009228AECF} - \GoogleUpdateTaskMachineCore -> No File <==== ATTENTION
Task: {1182BB86-DAD9-4681-8EEF-5FCF4A2B28DF} - \{A5C85FC2-D24E-4262-B27E-2862631B89EC} -> No File <==== ATTENTION
Task: {12BF1365-69E2-44B6-A0BC-BBB76F971A32} - \{3FFD2A2C-D224-462B-B1F2-FF5B02339E5E} -> No File <==== ATTENTION
Task: {1E0FA602-7915-40C1-8138-53EA7C1F2771} - \GoogleUpdateTaskMachineUA -> No File <==== ATTENTION
Task: {369D34D3-B5D2-4F90-948D-76D6B889E32C} - \{1BDFE0AE-3CA9-4756-8FCE-BE75DFA02BDE} -> No File <==== ATTENTION
Task: {410A3412-1400-4ECB-BB65-378033ADD0F8} - \{D605BAFA-1505-40DB-8951-88C35DDBF6EE} -> No File <==== ATTENTION
Task: {6B24C7AB-83D0-4C07-8EDD-1A7239783989} - \WebBarUpdateTask -> No File <==== ATTENTION
Task: {7CC444C6-8BED-495B-8F40-BE1838000F12} - \{492BF66E-3948-40D0-8F68-352C85C031C1} -> No File <==== ATTENTION
Task: {87391F9E-DECB-480D-9FE6-1986945B582E} - \{EF3AC125-E989-42BD-84E6-D49CD94A76D2} -> No File <==== ATTENTION
Task: {8CEFC702-7933-4670-BDF7-09F48FA8ECA1} - \Adobe Flash Player Updater -> No File <==== ATTENTION
Task: {9D4047A5-1AE4-48D2-8A43-1E146533EBD9} - \Adobe Acrobat Update Task -> No File <==== ATTENTION
Task: {C5A32C5A-A1A5-4BC1-BA4B-3555F168D16A} - \{1DE938C7-2843-41EA-8D7D-488ECBED3A2C} -> No File <==== ATTENTION
Task: {C6A987D1-FEB9-4BC9-AE80-DC7E8806C44F} - \{8F5EA732-8BC5-4037-B349-7830D0BB043C} -> No File <==== ATTENTION
RemoveProxy:
end


NOTICE: This script was written specifically for this user, for use on that particular machine.
Running this on another machine may cause damage to your operating system.


Run FRST / FRST64 again as before, but this time press the Fix button just once and wait.
The tool will make a log (Fixlog.txt); please post it in your reply.

---

How is the computer running now?

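As an added illustration of what the fixlist above is targeting (this is not code from FRST, from the thread, or from any tool named here): a small Python triage script that reads FRST-style lines and flags the same classes of indicator the fix removes: autoruns and services whose binaries are gone, a rundll32 entry loading a DLL from the user profile, browser proxies pointed at loopback, a Winsock provider outside the Windows directory, and scheduled tasks with no file. The line shapes are inferred from the pasted fixlist, the sample input is constructed from lines quoted in this thread plus one benign control entry, and the rule set is my own assumption for illustration, not FRST's detection logic.

```python
"""Triage of FRST-style fixlist lines (added example, not part of FRST)."""
import re
from typing import List, Tuple

# Constructed sample: lines quoted from the fixlist in this thread, plus a
# benign Run entry (Plex, from the ComboFix log) as a control that must not fire.
SAMPLE_LOG = r"""
HKLM\...\Run: [win_en_77] => "C:\Program Files\win_en_77\win_en_77.exe"
HKLM\...\Run: [sun3] => [X]
HKU\S-1-5-21-3314193060-3455151175-2916073930-1000\...\Run: [Clownfish] => 0
HKU\S-1-5-21-3314193060-3455151175-2916073930-1000\...\Run: [exdbmt] => rundll32.exe "C:\Users\Beth\AppData\Local\exdbmt.dll",exdbmt <===== ATTENTION
S2 WindowsSecurity; C:\ProgramData\Windows Security\winsecurity.exe [X]
ProxyServer: [S-1-5-21-3314193060-3455151175-2916073930-1000] => http=127.0.0.1:8080;https=127.0.0.1:8080
Winsock: Catalog5 10 C:\ProgramData\System32\SafeGuard32.dll [2771896 2016-04-01] ()
Task: {6B24C7AB-83D0-4C07-8EDD-1A7239783989} - \WebBarUpdateTask -> No File <==== ATTENTION
HKU\...\Run: [Plex Media Server] => "C:\Program Files\Plex\Plex Media Server\Plex Media Server.exe"
"""

# Line shapes as they appear in the pasted fixlist (assumed, not an official grammar).
RUN_RE = re.compile(r'\\Run: \[(?P<name>[^\]]+)\] => (?P<cmd>.*)$')
SERVICE_RE = re.compile(r'^[SR]\d+ (?P<name>[^;]+); (?P<path>.*)$')
PROXY_RE = re.compile(r'^(?:ProxyServer|ManualProxies|AutoConfigURL): .*?(?P<val>https?=\S+)')
WINSOCK_RE = re.compile(r'^Winsock: Catalog\d+ \d+ (?P<path>.+?) \[')
TASK_RE = re.compile(r'^Task: \{[0-9A-Fa-f-]+\} - (?P<name>.+?) -> (?P<target>.*)$')

WINDOWS_DIR = 'c:\\windows\\'  # real system binaries live below here


def _target_missing(text: str) -> bool:
    # FRST marks a missing binary with "[X]" and a missing task target with "No File".
    return '[X]' in text or 'No File' in text


def classify(line: str) -> List[str]:
    """Return the reasons a single FRST line deserves a second look (empty if none)."""
    reasons: List[str] = []
    if (m := RUN_RE.search(line)):
        cmd = m.group('cmd')
        if _target_missing(cmd):
            reasons.append('autorun entry whose target no longer exists')
        # rundll32 is a signed Windows binary; a DLL under AppData is the payload.
        if 'rundll32' in cmd.lower() and '\\appdata\\' in cmd.lower():
            reasons.append('rundll32 loading a DLL from the user profile')
    elif (m := SERVICE_RE.match(line)):
        path = m.group('path')
        if _target_missing(path):
            reasons.append('service whose binary no longer exists')
        if '\\programdata\\' in path.lower():
            reasons.append('service binary installed under ProgramData')
    elif (m := PROXY_RE.match(line)):
        val = m.group('val').lower()
        # A proxy on 127.0.0.1 means a local process sits in the browser's traffic path.
        if '127.0.0.1' in val or 'localhost' in val:
            reasons.append('browser proxy routed through loopback')
    elif (m := WINSOCK_RE.match(line)):
        # "C:\ProgramData\System32" imitates the real system directory but is not it.
        if not m.group('path').lower().startswith(WINDOWS_DIR):
            reasons.append('Winsock provider outside the Windows directory')
    elif (m := TASK_RE.match(line)):
        if _target_missing(m.group('target')):
            reasons.append('scheduled task pointing at a missing file')
    return reasons


def triage(log_text: str) -> List[Tuple[str, str]]:
    """Run classify() over every non-empty line; returns (reason, line) pairs."""
    findings: List[Tuple[str, str]] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        for reason in classify(line):
            findings.append((reason, line))
    return findings


if __name__ == '__main__':
    for reason, line in triage(SAMPLE_LOG):
        print(f'[{reason}]\n    {line}')
```

The control entries (win_en_77 under Program Files, Clownfish, Plex) produce no finding, which is the point of the rule set: it reacts to where a binary lives and whether it still exists, not to a name. In practice this kind of triage only narrows what a human reviews; the thread's helper still decides what goes in the fixlist.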


#5 efhunter
  • Topic Starter
  • Members
  • 11 posts

Posted 04 April 2016 - 12:48 PM

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Malwarebytes
Version: 8.0.4 (03.14.2016)
Operating System: Windows 7 Home Premium x86
Ran by Beth (Administrator) on Mon 04/04/2016 at 12:26:47.00
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~




File System: 20

Successfully deleted: C:\Users\Beth\AppData\Local\crashrpt (Folder)
Successfully deleted: C:\Users\Beth\AppData\Roaming\couchpotato (Folder)
Successfully deleted: C:\Users\Beth\AppData\Roaming\new version available (Folder)
Successfully deleted: C:\Windows\System32\ai_recyclebin (Folder)
Successfully deleted: C:\Users\Beth\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\16ZO5PEP (Temporary Internet Files Folder)
Successfully deleted: C:\Users\Beth\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\2PQ0KF2U (Temporary Internet Files Folder)
Successfully deleted: C:\Users\Beth\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\EUSKL7YA (Temporary Internet Files Folder)
Successfully deleted: C:\Users\Beth\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\GZ2QO69T (Temporary Internet Files Folder)
Successfully deleted: C:\Users\Beth\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\KZ7QI6T5 (Temporary Internet Files Folder)
Successfully deleted: C:\Users\Beth\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\MGRPPI66 (Temporary Internet Files Folder)
Successfully deleted: C:\Users\Beth\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\VDGFLSZT (Temporary Internet Files Folder)
Successfully deleted: C:\Users\Beth\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\VIPMJWM6 (Temporary Internet Files Folder)
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\16ZO5PEP (Temporary Internet Files Folder)
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\2PQ0KF2U (Temporary Internet Files Folder)
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\EUSKL7YA (Temporary Internet Files Folder)
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\GZ2QO69T (Temporary Internet Files Folder)
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\KZ7QI6T5 (Temporary Internet Files Folder)
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\MGRPPI66 (Temporary Internet Files Folder)
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\VDGFLSZT (Temporary Internet Files Folder)
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\VIPMJWM6 (Temporary Internet Files Folder)



Registry: 1

Successfully deleted: HKLM\Software\Microsoft\Internet Explorer\Search\\SearchAssistant (Registry Value)




~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on Mon 04/04/2016 at 12:32:20.36
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Norton seems to have come alive and killed FRST, and now when I redownload it, I get an error message upon clicking that says Windows cannot find the specified file or I may not have permission. I need to know how to actually shut Norton down completely without uninstalling it, because I tried to turn it off and it is still catching things regardless of turning on silent mode and killing the firewall. The "turn off auto protect" option is greyed out. Is there a service I can kill to actually turn it all the way off? I'm on the way out for a couple of days, so it will be a bit before I can come back and deal with this.



#6 Jo*
  • Malware Response Team
  • 3,429 posts
  • Gender:Male
  • Location:Germany

Posted 04 April 2016 - 01:03 PM

Try a reboot and see what happens.


Look inside the Norton user interface / Settings to see whether you can deactivate it there.

Edited by Jo*, 04 April 2016 - 01:04 PM.

Graduate of the WTT Classroom
Cheers,
Jo
If I have been helping you, and I have not replied to your latest post in 36 hours please send me a PM.


#7 Jo* (Malware Response Team)

Posted 12 April 2016 - 04:04 AM

Hi,

it has been several days since I sent my last set of instructions to help with your computer problem.

Please let me know if you are having problems and still need help.

Note: Thread will be closed if no response after 3 days.



#8 efhunter (Topic Starter)

Posted 13 April 2016 - 04:10 PM

I finally got FRST to run. As far as I can tell, nothing obvious is going on with the computer now. It looks like everything is running as it should.

Fix result of Farbar Recovery Scan Tool (x86) Version:13-04-2016
Ran by Beth (2016-04-13 15:43:24) Run:1
Running from C:\Users\Beth\Desktop
Loaded Profiles: Beth (Available Profiles: Beth)
Boot Mode: Normal

==============================================

fixlist content:
*****************
start
CreateRestorePoint:
CloseProcesses:
EmptyTemp:
HKLM\...\Run: [win_en_77] => "C:\Program Files\win_en_77\win_en_77.exe"
HKLM\...\Run: [sun3] => [X]
HKLM\...\Run: [gmsd_us_005010247] => "C:\Program Files\gmsd_us_005010247\gmsd_us_005010247.exe"
HKLM\...\Run: [sun13] => [X]
HKLM\...\Run: [rec_en_225] => "C:\Program Files\rec_en_225\rec_en_225.exe"
HKU\S-1-5-21-3314193060-3455151175-2916073930-1000\...\Run: [Clownfish] => 0
HKU\S-1-5-21-3314193060-3455151175-2916073930-1000\...\Run: [exdbmt] => rundll32.exe "C:\Users\Beth\AppData\Local\exdbmt.dll",exdbmt <===== ATTENTION
ShellIconOverlayIdentifiers: [ExplorerEx] -> {E056AFDD-03E9-4D73-8D33-8FCCBCA73438} => No File
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
HKU\S-1-5-21-3314193060-3455151175-2916073930-1000\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
S3 cpuz136; \??\C:\Users\Beth\AppData\Local\Temp\cpuz136\cpuz136_x32.sys [X]
S3 MSICDSetup; \??\E:\CDriver.sys [X]
S3 NTIOLib_1_0_C; \??\E:\NTIOLib.sys [X]
S2 WindowsSecurity; C:\ProgramData\Windows Security\winsecurity.exe [X]
S2 ZombieNews; "C:\ProgramData\ZombieNews\ZombieNewsService.exe" [X]
ManualProxies: 1http=127.0.0.1:8080;https=127.0.0.1:8080
ProxyEnable: [S-1-5-21-3314193060-3455151175-2916073930-1000] => Proxy is enabled.
ProxyServer: [S-1-5-21-3314193060-3455151175-2916073930-1000] => http=127.0.0.1:8080;https=127.0.0.1:8080
AutoConfigURL: [S-1-5-21-3314193060-3455151175-2916073930-1000] => http=127.0.0.1:8080;https=127.0.0.1:8080
Winsock: Catalog5 10 C:\ProgramData\System32\SafeGuard32.dll [2771896 2016-04-01] ()
Task: {07B1F593-4F15-4F5C-BC6D-9A009228AECF} - \GoogleUpdateTaskMachineCore -> No File <==== ATTENTION
Task: {1182BB86-DAD9-4681-8EEF-5FCF4A2B28DF} - \{A5C85FC2-D24E-4262-B27E-2862631B89EC} -> No File <==== ATTENTION
Task: {12BF1365-69E2-44B6-A0BC-BBB76F971A32} - \{3FFD2A2C-D224-462B-B1F2-FF5B02339E5E} -> No File <==== ATTENTION
Task: {1E0FA602-7915-40C1-8138-53EA7C1F2771} - \GoogleUpdateTaskMachineUA -> No File <==== ATTENTION
Task: {369D34D3-B5D2-4F90-948D-76D6B889E32C} - \{1BDFE0AE-3CA9-4756-8FCE-BE75DFA02BDE} -> No File <==== ATTENTION
Task: {410A3412-1400-4ECB-BB65-378033ADD0F8} - \{D605BAFA-1505-40DB-8951-88C35DDBF6EE} -> No File <==== ATTENTION
Task: {6B24C7AB-83D0-4C07-8EDD-1A7239783989} - \WebBarUpdateTask -> No File <==== ATTENTION
Task: {7CC444C6-8BED-495B-8F40-BE1838000F12} - \{492BF66E-3948-40D0-8F68-352C85C031C1} -> No File <==== ATTENTION
Task: {87391F9E-DECB-480D-9FE6-1986945B582E} - \{EF3AC125-E989-42BD-84E6-D49CD94A76D2} -> No File <==== ATTENTION
Task: {8CEFC702-7933-4670-BDF7-09F48FA8ECA1} - \Adobe Flash Player Updater -> No File <==== ATTENTION
Task: {9D4047A5-1AE4-48D2-8A43-1E146533EBD9} - \Adobe Acrobat Update Task -> No File <==== ATTENTION
Task: {C5A32C5A-A1A5-4BC1-BA4B-3555F168D16A} - \{1DE938C7-2843-41EA-8D7D-488ECBED3A2C} -> No File <==== ATTENTION
Task: {C6A987D1-FEB9-4BC9-AE80-DC7E8806C44F} - \{8F5EA732-8BC5-4037-B349-7830D0BB043C} -> No File <==== ATTENTION
RemoveProxy:
end

*****************

Restore point was successfully created.
Processes closed successfully.
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\\win_en_77 => value not found.
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\\sun3 => value not found.
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\\gmsd_us_005010247 => value not found.
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\\sun13 => value not found.
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\\rec_en_225 => value not found.
HKU\S-1-5-21-3314193060-3455151175-2916073930-1000\Software\Microsoft\Windows\CurrentVersion\Run\\Clownfish => value not found.
HKU\S-1-5-21-3314193060-3455151175-2916073930-1000\Software\Microsoft\Windows\CurrentVersion\Run\\exdbmt => value not found.
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\ExplorerEx => key not found.
HKCR\CLSID\{E056AFDD-03E9-4D73-8D33-8FCCBCA73438} => key not found.
"HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer" => key removed successfully.
"HKU\S-1-5-21-3314193060-3455151175-2916073930-1000\SOFTWARE\Policies\Microsoft\Internet Explorer" => key removed successfully.
cpuz136 => service removed successfully.
MSICDSetup => service removed successfully.
NTIOLib_1_0_C => service removed successfully.
WindowsSecurity => service not found.
ZombieNews => service not found.
HKLM\SYSTEM\CurrentControlSet\services\NlaSvc\Parameters\Internet\ManualProxies\\ => value removed successfully.
HKU\S-1-5-21-3314193060-3455151175-2916073930-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxyEnable => value removed successfully.
HKU\S-1-5-21-3314193060-3455151175-2916073930-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxyServer => value not found.
HKU\S-1-5-21-3314193060-3455151175-2916073930-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\AutoConfigURL => value not found.
"HKLM\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000010" => key removed successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon\{07B1F593-4F15-4F5C-BC6D-9A009228AECF}" => key removed successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{07B1F593-4F15-4F5C-BC6D-9A009228AECF}" => key removed successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\GoogleUpdateTaskMachineCore" => key removed successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{1182BB86-DAD9-4681-8EEF-5FCF4A2B28DF}" => key removed successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{1182BB86-DAD9-4681-8EEF-5FCF4A2B28DF}" => key removed successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\{A5C85FC2-D24E-4262-B27E-2862631B89EC}" => key removed successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{12BF1365-69E2-44B6-A0BC-BBB76F971A32}" => key removed successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{12BF1365-69E2-44B6-A0BC-BBB76F971A32}" => key removed successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\{3FFD2A2C-D224-462B-B1F2-FF5B02339E5E}" => key removed successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{1E0FA602-7915-40C1-8138-53EA7C1F2771}" => key removed successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{1E0FA602-7915-40C1-8138-53EA7C1F2771}" => key removed successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\GoogleUpdateTaskMachineUA" => key removed successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{369D34D3-B5D2-4F90-948D-76D6B889E32C}" => key removed successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{369D34D3-B5D2-4F90-948D-76D6B889E32C}" => key removed successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\{1BDFE0AE-3CA9-4756-8FCE-BE75DFA02BDE}" => key removed successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{410A3412-1400-4ECB-BB65-378033ADD0F8}" => key removed successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{410A3412-1400-4ECB-BB65-378033ADD0F8}" => key removed successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\{D605BAFA-1505-40DB-8951-88C35DDBF6EE}" => key removed successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{6B24C7AB-83D0-4C07-8EDD-1A7239783989}" => key removed successfully.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{6B24C7AB-83D0-4C07-8EDD-1A7239783989} => key not found.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\WebBarUpdateTask => key not found.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{7CC444C6-8BED-495B-8F40-BE1838000F12}" => key removed successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{7CC444C6-8BED-495B-8F40-BE1838000F12}" => key removed successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\{492BF66E-3948-40D0-8F68-352C85C031C1}" => key removed successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{87391F9E-DECB-480D-9FE6-1986945B582E}" => key removed successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{87391F9E-DECB-480D-9FE6-1986945B582E}" => key removed successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\{EF3AC125-E989-42BD-84E6-D49CD94A76D2}" => key removed successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{8CEFC702-7933-4670-BDF7-09F48FA8ECA1}" => key removed successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{8CEFC702-7933-4670-BDF7-09F48FA8ECA1}" => key removed successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Adobe Flash Player Updater" => key removed successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon\{9D4047A5-1AE4-48D2-8A43-1E146533EBD9}" => key removed successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{9D4047A5-1AE4-48D2-8A43-1E146533EBD9}" => key removed successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Adobe Acrobat Update Task" => key removed successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{C5A32C5A-A1A5-4BC1-BA4B-3555F168D16A}" => key removed successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{C5A32C5A-A1A5-4BC1-BA4B-3555F168D16A}" => key removed successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\{1DE938C7-2843-41EA-8D7D-488ECBED3A2C}" => key removed successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{C6A987D1-FEB9-4BC9-AE80-DC7E8806C44F}" => key removed successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{C6A987D1-FEB9-4BC9-AE80-DC7E8806C44F}" => key removed successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\{8F5EA732-8BC5-4037-B349-7830D0BB043C}" => key removed successfully.

========= RemoveProxy: =========

HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\\DefaultConnectionSettings => value removed successfully.
HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\\SavedLegacySettings => value removed successfully.
HKU\S-1-5-21-3314193060-3455151175-2916073930-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\\DefaultConnectionSettings => value removed successfully.
HKU\S-1-5-21-3314193060-3455151175-2916073930-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\\SavedLegacySettings => value removed successfully.


========= End of RemoveProxy: =========

EmptyTemp: => 710.8 MB temporary data Removed.


The system needed a reboot.

==== End of Fixlog 16:13:29 ====
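
The fix result above removed a per-user proxy pointing at 127.0.0.1:8080, IE policy restrictions in both hives, a rundll32 Run entry loading a DLL from AppData, a Winsock namespace provider (SafeGuard32.dll) registered from C:\ProgramData, and a set of scheduled tasks whose programs no longer exist. The thread itself reports that the browsers stopped misbehaving, which is a weak test; the script below is an added example, not FRST's logic and not part of the thread, that re-reads exactly those locations and reports anything that has come back. The patterns for "user-writable path" and "non-system provider" are this script's assumptions, labelled in the comments.

```powershell
# Added example, not part of the thread: re-check the locations the FRST fix
# above touched, so a return of the hijack shows up as a concrete finding.
# Run in an elevated PowerShell prompt, logged in as the user whose profile
# was hijacked. Patterns and paths marked "assumption" are illustrative
# choices for this script, not FRST's own detection logic.

function Get-HijackFindings {
    $findings = New-Object System.Collections.Generic.List[string]

    # 1. Per-user proxy. The fixlog removed ProxyEnable and a ProxyServer of
    #    http=127.0.0.1:8080;https=127.0.0.1:8080; anything set here is a finding.
    $inet = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
    $p = Get-ItemProperty -Path $inet -ErrorAction SilentlyContinue
    if ($p.ProxyEnable -eq 1 -or $p.ProxyServer -or $p.AutoConfigURL) {
        $findings.Add("Proxy still set: Enable=$($p.ProxyEnable) Server=$($p.ProxyServer) PAC=$($p.AutoConfigURL)")
    }

    # 2. Machine-wide WinHTTP proxy, used by services and updaters rather than
    #    by the browsers. netsh prints "Direct access (no proxy server)." when clean.
    $winhttp = (& netsh.exe winhttp show proxy) -join ' '
    if ($winhttp -notmatch 'Direct access') { $findings.Add("WinHTTP proxy: $($winhttp.Trim())") }

    # 3. IE policy keys. FRST flagged a Restriction subkey under both hives;
    #    on a home PC with no Group Policy these keys normally do not exist.
    foreach ($pol in 'HKLM:\SOFTWARE\Policies\Microsoft\Internet Explorer',
                     'HKCU:\SOFTWARE\Policies\Microsoft\Internet Explorer') {
        if (Test-Path -Path $pol) { $findings.Add("IE policy key present: $pol") }
    }

    # 4. Run keys. The exdbmt entry launched a DLL from AppData through
    #    rundll32, so flag rundll32 and targets under user-writable paths
    #    (assumption: legitimate autostarts live under Program Files/Windows).
    $meta = 'PSPath','PSParentPath','PSChildName','PSDrive','PSProvider'
    foreach ($run in 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
                     'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run') {
        $vals = Get-ItemProperty -Path $run -ErrorAction SilentlyContinue
        if (-not $vals) { continue }
        foreach ($prop in $vals.PSObject.Properties) {
            if ($meta -contains $prop.Name) { continue }
            $cmd = [string]$prop.Value
            if ($cmd -match '(?i)rundll32|\\AppData\\|\\ProgramData\\|\\Temp\\') {
                $findings.Add("Run entry [$($prop.Name)] => $cmd")
            }
        }
    }

    # 5. Winsock namespace providers. SafeGuard32.dll was registered as
    #    NameSpace_Catalog5 entry 10 with a path under C:\ProgramData; a
    #    provider DLL outside %SystemRoot% deserves a look (legitimate
    #    third-party providers exist, so this is informational, not a verdict).
    $cat = 'HKLM:\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries'
    foreach ($e in (Get-ChildItem -Path $cat -ErrorAction SilentlyContinue)) {
        $lib = (Get-ItemProperty -Path $e.PSPath).LibraryPath
        if (-not $lib) { continue }
        $lib = [Environment]::ExpandEnvironmentVariables($lib)
        if ($lib -notlike "$env:SystemRoot\*") {
            $findings.Add("Non-system Winsock namespace provider $($e.PSChildName): $lib")
        }
    }

    # 6. Scheduled tasks whose program is gone ("-> No File" in the fixlog).
    #    schtasks is used instead of Get-ScheduledTask so this also runs on
    #    Windows 7; it repeats its CSV header per folder, which the regex skips.
    $tasks = & schtasks.exe /query /fo csv /v | ConvertFrom-Csv
    foreach ($t in $tasks) {
        $cmd = [string]$t.'Task To Run'
        if ($cmd -notmatch '(?i)^"?(.+?\.(?:exe|dll|bat|cmd|vbs|js|ps1))"?') { continue }
        $exe = [Environment]::ExpandEnvironmentVariables($Matches[1])
        if ($exe -notmatch '\\') {            # bare name such as rundll32.exe: resolve via PATH
            $app = Get-Command -Name $exe -ErrorAction SilentlyContinue | Select-Object -First 1
            if ($app) { $exe = $app.Path }
        }
        if (-not (Test-Path -LiteralPath $exe)) {
            $findings.Add("Task '$($t.TaskName)' points at a missing file: $exe")
        }
    }

    return $findings
}

$result = Get-HijackFindings
if ($result.Count -eq 0) { 'No findings.' } else { $result }
```

Two practitioner notes that the thread does not state: a loopback proxy like 127.0.0.1:8080 only works while something on the machine listens on that port, so `netstat -ano | findstr :8080` run while the hijack is active names the process behind it; and after a Winsock catalog entry has been deleted by hand, `netsh winsock reset` followed by a reboot rebuilds the catalog from the protected defaults, which is the cleaner end state than an edited catalog.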



#9 Jo* (Malware Response Team)

Posted 14 April 2016 - 03:03 AM


Hello again,

:step1: We need to download Temp File Cleaner (TFC) by OldTimer:
  • Please download TFC.exe by Oldtimer at one of the two links: Link 1 Link 2
  • Save and close all running applications
  • Double-click on TFC.exe to run the program
  • Click on Start to begin the cleaning process. Note: this program may close running applications, make your screen disappear temporarily, or require a reboot of your PC; this is normal and part of the cleanup.
  • When the scan is complete, if you were not asked to reboot the computer, please do so now
More Information can be found about the tool here:
http://www.geekstogo.com/forum/files/file/187-tfc-temp-file-cleaner-by-oldtimer/


***


:step2: Important Note: Your version of Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system.
- Kaspersky Lab report: Evaluating the threat level of software vulnerabilities
- Microsoft: Unprecedented Wave of Java Exploitation
- Ghosts of Java Haunt Users

Please follow these steps to remove older version Java components and update:
  • Download the latest version of Java Runtime Environment (JRE) Version 8 and save it to your desktop.
  • Under "Java Platform, Standard Edition"...click the "Download JRE" button to the right.
  • Read the License Agreement, and then check the box that says: "Accept License Agreement".
  • From the list, select (click on) the download link for your operating system (Windows x86 Offline: jre-8u66-windows-i586.exe or Windows x64: jre-8u66-windows-x64.exe) and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel, double-click on Add/Remove Programs or Programs and Features in Vista/Windows 7/8 and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button and follow the onscreen instructions for the Java uninstaller.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-8u66-windows-i586.exe (or jre-8u66-windows-x64.exe for 64-bit) to install the newest version.
  • If using Windows 7/8 or Vista and the installer refuses to launch due to insufficient user permissions, then Run As Administrator.
  • When the Java Setup - Welcome window opens, click the Install > button.
  • If offered any unwanted software or toolbars during installation, just uncheck the box before continuing unless you want it. The McAfee Security Scan Plus may be installed unless you uncheck the McAfee installation box when updating Java.
-- Java is updated frequently. If you want to be automatically notified of future updates, just turn on the Java Automatic Update feature and you will not have to remember to update when Java releases a new version. However, be aware that the Java updater prompts you to make Yahoo Search your browser's default search engine and home page...the option is pre-checked.

***


:step3: ESET Online Scanner
  • Click here to download the installer for ESET Online Scanner and save it to your Desktop.
  • Disable all your antivirus and antimalware software - see how to do that here.
  • Right click on esetsmartinstaller_enu.exe and select Run as Administrator.
  • Place a checkmark in YES, I accept the Terms of Use, then click Start. Wait for ESET Online Scanner to load its components.
  • Select Enable detection of potentially unwanted applications.
  • Click Advanced Settings, then place a checkmark in the following:
    • Remove found threats
    • Scan archives
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth technology
  • Click Start to begin scanning.
  • ESET Online Scanner will start downloading signatures and scan. Please be patient, as this scan can take quite some time.
  • When the scan is done, click List threats (only available if ESET Online Scanner found something).
  • Click Export, then save the file to your desktop.
  • Click Back, then Finish to exit ESET Online Scanner.
Open the scan log and copy and paste the content to your next reply.

***


:step4: How is the computer running now?

***


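
Step 2 of the post above says to remove every older Java version before installing the new one, but leaves the check to the reader. The following is an added example, not part of the thread and not Oracle's or BleepingComputer's material: it enumerates every Java entry the Windows Installer has registered, in both the native and the 32-bit (WOW6432Node) Uninstall hives, and marks each as older or current against the 8u66 build the post names. The assumption that Oracle's DisplayVersion for JRE 8 is laid out as 8.0.<update*10>.<build> is labelled in the code.

```powershell
# Added example, not part of the thread: inventory every Java runtime the
# Windows Installer knows about, so "remove all older versions" can be
# verified instead of assumed. New-Object PSObject keeps it runnable on the
# PowerShell 2.0 that ships with Windows 7.

function Get-InstalledJava {
    $roots = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall'   # absent on 32-bit Windows
    )
    foreach ($root in $roots) {
        Get-ChildItem -Path $root -ErrorAction SilentlyContinue | ForEach-Object {
            $p = Get-ItemProperty -Path $_.PSPath
            if ($p.DisplayName -match '^(Java|J2SE)') {      # JRE, JDK and legacy J2SE entries
                New-Object PSObject -Property @{
                    DisplayName    = $p.DisplayName
                    DisplayVersion = [string]$p.DisplayVersion
                    Publisher      = $p.Publisher
                    Key            = $_.PSChildName
                }
            }
        }
    }
}

# Reference build named in the post: JRE 8 Update 66. Assumption: Oracle's
# DisplayVersion for JRE 8 is major.minor.(update*10).build, so 8u66 is 8.0.660.x.
$reference = [version]'8.0.660'
$installed = @(Get-InstalledJava)
foreach ($j in $installed) {
    $clean = $j.DisplayVersion -replace '[^\d.].*$'             # drop any trailing non-numeric text
    $v = $null
    if ($clean -match '^\d+(\.\d+){1,3}$') { $v = [version]$clean }
    $status = if (-not $v) { 'version unreadable' }
              elseif ($v -lt $reference) { 'OLDER - remove' }
              else { 'current' }
    '{0,-45} {1,-14} {2}' -f $j.DisplayName, $j.DisplayVersion, $status
}
if ($installed.Count -eq 0) { 'No Java runtime registered in the Uninstall hives.' }
```

Run it before and after the uninstall round; a clean result is either a single "current" line or no Java at all. It does not see Java copies that were unpacked by hand rather than installed, which is one reason the post's instructions say to remove the registered versions through Programs and Features rather than by deleting folders.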


#10 Jo* (Malware Response Team)

Posted 17 April 2016 - 04:38 AM

Hi,

it has been several days since I sent my last set of instructions to help with your computer problem.

Please let me know if you are having problems and still need help.

Note: Thread will be closed if no response after 3 days.



#11 Jo* (Malware Response Team)

Posted 20 April 2016 - 12:36 AM

Due to the lack of feedback, this topic is now closed.

In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days.

Please include a link to your topic in the Private Message. Thank you.





