Need Help getting rid of: Kovter


  • This topic is locked
34 replies to this topic

#1 Groffeaston

Posted 03 May 2016 - 07:51 PM

Hello everyone,

I had a previous topic here:

http://www.bleepingcomputer.com/forums/t/612211/is-there-anything-infecting-my-computer/#entry3992110
 

and was asked to start a new topic in this forum for more "sophisticated" help. We have tried:

1) MBAM

2) Symantec Kovter Removal Tool 32-Bit version - which did not produce a log report because it did not find anything. I do not know why it did not produce a report.

3) ESET Online Scanner

4) RKill

Microsoft Security Essentials is my main anti-virus program, which keeps picking up Kovter even after it deletes it. When I check the "history" it does not show up in the "Quarantined Items" list; it only shows up in the "All Detected items" list.

Also, I have noticed that when I start up my computer, two window/page/program indicators pop up in the lower task-bar. They are:
1) f2215

2) e4187


I did not take notice if they popped up when I turned on my computer tonight. 

Tonight Microsoft Security Essentials picked up a NEW program right after I turned my computer on and as Windows loaded up: Trojan:JS/Kovter.A

When I looked in the "History" tab and scanned down through the notes I saw this: "The following error occurred: Error code 0x80508023. The program could not find the malware and other potentially unwanted software on this computer." So I do not know if that is a new one or if that was originally on my computer and was finally detected.

I know the Kovter Trojan malware can be Very Very Very Difficult to get rid of. At least that is what I had read on other websites before I unfortunately experienced it!

I hope with your help we can get rid of it!

Please note: I had back surgery on April 26, 2016 and might not be able to respond immediately. I will get back to you as soon as I can, probably in a day or two if I do not respond within a few hours.

Attached Files





#2 Struppigel

    Karsten Hahn, G DATA Malware Analyst
  • Malware Response Team

Posted 04 May 2016 - 04:41 AM

Hello Groffeaston

I am Marie Curie and will gladly help you with any malware-related problems.

Please familiarize yourself with the following ground rules before you start.
 

  • Read my instructions thoroughly, carry out each step in the given order.
  • Do not make any changes to your system, or run any tools other than those I provided. Do not delete, fix, uninstall, or install anything unless I tell you to.
  • If you are unsure about anything or if you encounter any problems, please stop and inform me about it.
  • Stick with me until I tell you that your computer is clean. Absence of symptoms does not mean that your computer is free of malware.
  • Back up important files before we start.

--------------------------------------------------------------

STEP 1
SystemLook

  • Please download SystemLook (x32) and save the file to your Desktop.
  • Right-click SystemLook.exe and select Run as administrator to run the programme.
  • Copy the entire contents of the codebox below and paste into the textfield.
    :dir
    C:\Users\Matthew\AppData\Local\4edd0 /s
    C:\Users\Matthew\AppData\Roaming\a1d55 /s
    C:\e2cf70d6bb7998aee077c5 /s
    C:\Users\Matthew\AppData\Local\{69932216-2271-4A67-A10F-24F2C5E27DF6} /s
    
    :regfind
    mshta
    javascript
    mtbjfghn
    69932216-2271-4A67-A10F-24F2C5E27DF6
  • Click the Look button to start the scan.
  • Upon completion, a log (SystemLook.txt) will open. Attach the log to your next reply.

Edited by Curie, 04 May 2016 - 04:43 AM.


#3 Groffeaston

  • Topic Starter

Posted 04 May 2016 - 02:46 PM

Hello,

After the scan was complete I got an error message when it tried to bring up the results log in Notepad. I got an error message box that said: "Access Denied". Does that mean nothing was found, or is something blocking it from accessing Notepad?



#4 Struppigel


Posted 04 May 2016 - 03:37 PM

If nothing was found, the log would still open in Notepad. So it is either a bug or an access problem. Please check if you find SystemLook.txt on your desktop or in the folder where SystemLook.exe is. If it is there, attach it to your next post.

 

If there is no such log, please try the following instead.

STEP 1
Farbar Recovery Scan Tool (FRST) Search

  • Double click Frst.exe to launch it.
  • FRST will start to run.
  • When the tool opens click Yes to the disclaimer.
  • Copy/Paste the following line into the Search: box.
    mshta;javascript;mtbjfghn;69932216-2271-4A67-A10F-24F2C5E27DF6
  • Press the Search Registry button.
  • When finished searching a log will open on your Desktop ... Search.txt
  • Please attach it to your next reply.

Edited by Curie, 04 May 2016 - 03:49 PM.


#5 Groffeaston

  • Topic Starter

Posted 04 May 2016 - 07:55 PM

Hello

I could NOT find the SystemLook.txt log file, nor could I find the SystemLook.exe file anywhere on my computer! So I ran the FRST scan and will attach the log report below.

 

Microsoft Security Essentials keeps picking up variants of Kovter.

Attached Files



#6 Struppigel


Posted 04 May 2016 - 09:05 PM

The malware was attacking SystemLook.exe.

Your system has a serious infection with Bedep and Kovter. Please read the warning below before you proceed.
 

Backdoor Warning
 
------------------------------
 
One or more of the identified malware is known to use a backdoor, that allows attackers to remotely control your computer, download/execute files and steal system, financial & personal information.
 
If your computer has been used for online banking, has credit card information or other sensitive data, using a non-compromised computer/device you should immediately change all account information (including those used for Email, eBay, Paypal, online forums, etc).
 
Banking and credit card institutions should be notified of the possible security breach. Please read the following article for more information: How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?
 
Whilst the identified malware can be removed, there is no way to guarantee the trustworthiness of your computer unless you reformat your hard drive and reinstall your Operating System. This is due to the nature of the malware, which allows a remote attacker to make any kind of modification. Many experts in the security community believe that once compromised with this type of malware, the best course of action is to reformat/reinstall. Please read the following articles for more information.

You now have the choice between cleaning the malware present or reformatting your computer. Ultimately, the decision is yours, and what you're most comfortable with. Once you've read the articles linked above, let me know if you have any questions, and how you wish to proceed.

 


If you want to continue malware removal, please follow the steps below.

STEP 1
Farbar Recovery Scan Tool (FRST) Script

  • Press the Windows Key + R on your keyboard at the same time. Type Notepad and click OK.
  • Copy the entire contents of the codebox below and paste into the Notepad document.
    start
    CreateRestorePoint:
    CloseProcesses:
    
    CMD: netsh advfirewall reset
    
    Folder: C:\e2cf70d6bb7998aee077c5
    Folder: C:\Users\Matthew\AppData\Roaming\a1d55
    Folder: C:\Users\Matthew\AppData\Local\4edd0
    
    [-HKEY_USERS\S-1-5-21-1921292706-2233922792-2079689605-1000\Software\Classes\0f290\shell\open\command]
    [-HKCU\software\88b96d2f71]
    
    2016-04-25 14:35 - 2016-04-25 14:35 - 00000000 ____D C:\Users\Matthew\AppData\Roaming\a1d55
    2016-04-25 14:35 - 2016-04-25 14:35 - 00000000 ____D C:\Users\Matthew\AppData\Local\4edd0
    FF HKLM\...\Firefox\Extensions: [auto-update@mozilla.org] - C:\Users\Matthew\AppData\Roaming\Mozilla\Firefox\Extensions\MozillaUpdate
    
    2011-08-31 13:45 - 2011-08-31 13:45 - 0000000 _____ () C:\Users\Matthew\AppData\Local\{69932216-2271-4A67-A10F-24F2C5E27DF6}
    2009-07-15 00:34 - 2009-07-15 00:34 - 0005016 _____ () C:\ProgramData\mtbjfghn.xbe
    
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\Driver Updater]
    C:\Program Files\Carambis\Driver Updater
    
    AlternateDataStreams: C:\ProgramData\TEMP:54301EF8 [134]
    AlternateDataStreams: C:\ProgramData\TEMP:5C321E34 [134]
    AlternateDataStreams: C:\ProgramData\TEMP:94458101 [772]
    AlternateDataStreams: C:\ProgramData\TEMP:A696643D [137]
    AlternateDataStreams: C:\ProgramData\TEMP:D1B5B4F1 [210]
    C:\Users\Matthew\a2HiJackFreeSetup.exe
    C:\Users\Matthew\AutoFix.exe
    C:\Users\Matthew\launcher-setup.exe
    GroupPolicy: Restriction - Chrome <======= ATTENTION
    CHR HKLM\SOFTWARE\Policies\Google: Restriction <======= ATTENTION
    GroupPolicy: Restriction - Chrome <======= ATTENTION
    CHR HKLM\SOFTWARE\Policies\Google: Restriction <======= ATTENTION
    Toolbar: HKU\S-1-5-21-1921292706-2233922792-2079689605-1000 -> No Name - {71576546-354D-41C9-AAE8-31F2EC22BF0D} - No File
    Toolbar: HKU\S-1-5-21-1921292706-2233922792-2079689605-1000 -> No Name - {F0F8ECBE-D460-4B34-B007-56A92E8F84A7} - No File
    Toolbar: HKU\S-1-5-21-1921292706-2233922792-2079689605-1000 -> No Name - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No File
    Toolbar: HKU\S-1-5-21-1921292706-2233922792-2079689605-1000 -> No Name - {B99F805C-F0B1-48EA-8C8B-753BFCBED913} - No File
    FF HKLM\...\Firefox\Extensions: [{ABDE892B-13A8-4d1b-88E6-365A6E755758}] - C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext => not found
    CHR Plugin: (Native Client) - C:\Program Files\Google\Chrome\Application\49.0.2623.112\ppGoogleNaClPluginChrome.dll => No File
    CHR Plugin: (Chrome PDF Viewer) - C:\Program Files\Google\Chrome\Application\49.0.2623.112\pdf.dll => No File
    CHR Plugin: (Adobe Acrobat) - C:\Program Files\Adobe\Reader 10.0\Reader\Browser\nppdf32.dll => No File
    CHR Plugin: (QuickTime Plug-in 7.7.3) - C:\Program Files\Mozilla Firefox\plugins\npqtplugin.dll => No File
    CHR Plugin: (QuickTime Plug-in 7.7.3) - C:\Program Files\Mozilla Firefox\plugins\npqtplugin2.dll => No File
    CHR Plugin: (QuickTime Plug-in 7.7.3) - C:\Program Files\Mozilla Firefox\plugins\npqtplugin3.dll => No File
    CHR Plugin: (QuickTime Plug-in 7.7.3) - C:\Program Files\Mozilla Firefox\plugins\npqtplugin4.dll => No File
    CHR Plugin: (QuickTime Plug-in 7.7.3) - C:\Program Files\Mozilla Firefox\plugins\npqtplugin5.dll => No File
    CHR Plugin: (QuickTime Plug-in 7.7.3) - C:\Program Files\Mozilla Firefox\plugins\npqtplugin6.dll => No File
    CHR Plugin: (QuickTime Plug-in 7.7.3) - C:\Program Files\Mozilla Firefox\plugins\npqtplugin7.dll => No File
    CHR Plugin: (AmazonMP3DownloaderPlugin) - C:\Program Files\Amazon\MP3 Downloader\npAmazonMP3DownloaderPlugin101752.dll => No File
    CHR Plugin: (Google Update) - C:\Program Files\Google\Update\1.3.21.145\npGoogleUpdate3.dll => No File
    CHR Plugin: (Java(TM) Platform SE 7 U21) - C:\Program Files\Java\jre7\bin\plugin2\npjp2.dll => No File
    CHR Plugin: (tossc) - C:\Program Files\thinkorswim\tossc32.dll => No File
    CHR Plugin: (Unity Player) - C:\Users\Matthew\AppData\LocalLow\Unity\WebPlayer\loader\npUnity3D32.dll => No File
    CHR Plugin: (BrowserPlus (from Yahoo!) v2.9.8) - C:\Users\Matthew\AppData\Local\Yahoo!\BrowserPlus\2.9.8\Plugins\npybrowserplus_2.9.8.dll => No File
    CHR Plugin: (Shockwave for Director) - C:\Windows\system32\Adobe\Director\np32dsw_1202122.dll => No File
    CHR Plugin: (Shockwave Flash) - C:\Windows\system32\Macromed\Flash\NPSWF32_11_7_700_169.dll => No File
    CHR Plugin: (Silverlight Plug-In) - c:\Program Files\Microsoft Silverlight\5.1.20125.0\npctrl.dll => No File
    CHR HKLM\...\Chrome\Extension: [jfmjfhklogoienhpfnppmbcbjfjnkonk] - <no Path\update_url>
    Task: {0ADFA33B-38F6-4730-8FA9-5B3AF2B9056F} - System32\Tasks\{7291E0BB-CB95-4854-B6B8-8AE263F408CA} => pcalua.exe -a C:\Users\Matthew\Downloads\vmp_full_installer_.exe -d "C:\Program Files\Mozilla Firefox"
    Task: {36C87685-6D8F-4517-A870-153660DDFAD3} - System32\Tasks\{9C8226C0-C1B4-45C9-8FBD-C0C607C8BA7F} => pcalua.exe -a "C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgrInstaller.exe"
    Task: {7BEB3D9F-6C43-4187-8935-D65D635F0C22} - System32\Tasks\{A01AC6B0-510E-4865-B172-CD84D4717103} => pcalua.exe -a C:\Users\Matthew\Downloads\weathersp3_StubInstaller.exe -d C:\Windows\system32
    Task: {871CDE61-9DD2-471E-B119-04CA2C2CE0EA} - System32\Tasks\{C91A21D6-0968-43E4-8359-60CBBB959A3C} => pcalua.exe -a "C:\Users\Matthew\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\2ZCKI234\nforce_winvista32_15.01_international[1].exe" -d C:\Users\Matthew\Desktop
    Task: {FD1B1869-F7B9-42E4-82C3-511193681A97} - \PCDEventLauncherTask -> No File <==== ATTENTION
    
    CMD: ipconfig /flushdns
    EmptyTemp:
    Hosts:
    end
  • Click File, Save As and type fixlist.txt as the File Name.
  • Important: The file must be saved in the same location as FRST64.exe.

NOTICE: This script is intended for use on this particular machine. Do not use this script on any other machine; doing so may cause damage to your Operating System.

  • Right-click FRST64.exe and select Run as administrator to run the programme.
  • Click Fix.
  • A log (Fixlog.txt) will open on your desktop. Attach the log to your next reply.

Please restart your computer twice now, before you proceed with Step 2.
 

STEP 2
Farbar Recovery Scan Tool (FRST) Search

  • Double click Frst.exe to launch it.
  • FRST will start to run.
  • When the tool opens click Yes to the disclaimer.
  • Copy/Paste the following line into the Search: box.
    mshta;javascript;mtbjfghn;69932216-2271-4A67-A10F-24F2C5E27DF6
  • Press the Search Registry button.
  • When finished searching a log will open on your Desktop ... Search.txt
  • Please attach it to your next reply.

 

======================================================
 
STEP 3
Logs
In your next reply please include the following logs.

  • Fixlog.txt
  • Search.txt

Edited by Curie, 04 May 2016 - 09:06 PM.
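The registry search requested above returns every key whose name or data contains one of the search terms, and, as the Search.txt posted later in this thread shows, a search for "mshta" is dominated by HKLM\COMPONENTS\DerivedData entries: those are just the Windows component store's file manifests for mshta.exe, with the filename stored as a hex-encoded UTF-16LE blob, and they are noise for this investigation. The real signal would be a hit in an autostart location, such as the Classes\<random>\shell\open\command handler or a Run value pointing at a .lnk/.bat stub in a random-named AppData folder, which is the layout the fix script above removes and the layout Kovter's fileless variants are documented to use (Run key -> .lnk -> .bat -> file with a random extension -> Classes handler -> mshta javascript: reading the payload from a random HKCU\Software key). The following Python script is an added example, not part of this thread or of FRST: it parses the block format FRST writes to Search.txt, decodes the hex blobs so the analyst can see what actually matched, and separates component-store noise from hits worth acting on. The two COMPONENTS blocks in the sample are copied from the log posted in this thread; the shell\open\command value and the Run entry are constructed for illustration and were not posted here.

```python
"""Triage FRST "Search Registry" output for Kovter-style fileless persistence.

Added example (not from this thread or from FRST). Parses the Search.txt block
layout ([key] lines followed by "name"="data" lines), decodes the 0x-prefixed
UTF-16LE blobs FRST prints for binary data, and separates component-store
noise from hits in real autostart locations.
"""
import re
from dataclasses import dataclass

# Constructed sample in FRST's Search.txt layout. The two COMPONENTS blocks are
# copied from the Search.txt posted in this thread; the shell\open\command and
# Run blocks are hypothetical, written to show how a Kovter launcher would look.
SAMPLE_SEARCH_TXT = r"""
===================== Search result for "mshta" ==========

[HKEY_LOCAL_MACHINE\COMPONENTS\DerivedData\Components\x86_microsoft-windows-ie-htmlapplication_31bf3856ad364e35_9.1.8112.16421_none_194d2a314741d4f2]
"f!mshta.exe"="0x6D0073006800740061002E00650078006500"

[HKEY_LOCAL_MACHINE\COMPONENTS\DerivedData\Components\x86_microsoft-windows-i..plication.resources_31bf3856ad364e35_6.0.6000.16386_en-us_5326aabe12a1c009]
"f!mshta.exe.mui"="0x6D0073006800740061002E006500780065002E006D0075006900"

[HKEY_USERS\S-1-5-21-1921292706-2233922792-2079689605-1000\Software\Classes\0f290\shell\open\command]
@="mshta javascript:eval(new ActiveXObject('WScript.Shell').RegRead('HKCU\\software\\88b96d2f71\\payload'))"

[HKEY_USERS\S-1-5-21-1921292706-2233922792-2079689605-1000\Software\Microsoft\Windows\CurrentVersion\Run]
"4edd0"="C:\Users\Matthew\AppData\Local\4edd0\f22f5.lnk"
"""

KEY_RE = re.compile(r"^\[(HKEY_[^\]]+)\]$")
VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')

# Windows component store: file manifests whose names happen to contain the term.
COMPONENT_STORE = "HKEY_LOCAL_MACHINE\\COMPONENTS\\DerivedData\\Components\\"
# Autostart locations Kovter abuses: a handler for a random file extension, or Run.
PERSISTENCE_RE = re.compile(
    r"\\(shell\\open\\command|Software\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?)$", re.I)
SCRIPT_HOST_RE = re.compile(r"\b(mshta|wscript|cscript|regsvr32|rundll32|powershell)\b", re.I)
SCRIPT_URI_RE = re.compile(r"\b(javascript|vbscript):", re.I)
# A .lnk/.bat stub inside a random hex-named AppData folder (e.g. \Local\4edd0\).
STUB_RE = re.compile(r"\\AppData\\(Local|Roaming)\\[0-9a-f]{4,12}\\[^\\]+\.(lnk|bat|cmd)$", re.I)


@dataclass(frozen=True)
class Hit:
    key: str
    name: str
    data: str


def decode_data(raw: str) -> str:
    """Turn FRST's printed data into text: 0x<hex> blobs are usually UTF-16LE."""
    raw = raw.strip()
    if len(raw) >= 2 and raw[0] == raw[-1] == '"':
        raw = raw[1:-1]
    if raw.startswith("0x"):
        try:
            blob = bytes.fromhex(raw[2:])
            if len(blob) % 2 == 0:
                return blob.decode("utf-16-le").rstrip("\x00")
        except (ValueError, UnicodeDecodeError):
            pass  # not a clean UTF-16LE string; keep the raw hex for the analyst
    return raw


def parse_search_txt(text: str) -> list[Hit]:
    hits, key = [], None
    for line in text.splitlines():
        line = line.strip()
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            continue
        m = VALUE_RE.match(line)
        if m and key:
            name = "(Default)" if m.group(1) == "@" else m.group(1).strip('"')
            hits.append(Hit(key, name, decode_data(m.group(2))))
    return hits


def classify(hit: Hit) -> str:
    if hit.key.startswith(COMPONENT_STORE):
        return f"benign: component-store manifest (matched filename {hit.data})"
    in_autostart = PERSISTENCE_RE.search(hit.key) is not None
    if in_autostart and SCRIPT_HOST_RE.search(hit.data) and SCRIPT_URI_RE.search(hit.data):
        return "malicious: script host with inline script in an autostart location"
    if in_autostart and STUB_RE.search(hit.data):
        return "suspicious: launcher stub in a random-named AppData folder"
    return "review: term matched outside known-benign and known-bad patterns"


def triage(text: str) -> list[tuple[Hit, str]]:
    return [(h, classify(h)) for h in parse_search_txt(text)]


def actionable(text: str) -> list[Hit]:
    """Hits that need analyst action, i.e. everything not classed as benign."""
    return [h for h, verdict in triage(text) if not verdict.startswith("benign")]


if __name__ == "__main__":
    for hit, verdict in triage(SAMPLE_SEARCH_TXT):
        print(f"{verdict}\n    [{hit.key}]\n    {hit.name} = {hit.data}\n")
```

Run it against a real Search.txt by reading the file and passing its contents to `triage`. Anything classed as review still needs eyes on it; the point of the script is only to keep the component-store manifests, which will match any search for a Windows binary name, from burying the one or two autostart entries that matter.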


#7 Groffeaston

  • Topic Starter

Posted 05 May 2016 - 07:45 PM

Here are the logs:

Fix result of Farbar Recovery Scan Tool (x86) Version:06-05-2016 02
Ran by Matthew (2016-05-05 20:17:48) Run:1
Running from C:\Users\Matthew\Downloads
Loaded Profiles: Matthew (Available Profiles: Matthew)
Boot Mode: Normal

==============================================

fixlist content:
*****************
start
CreateRestorePoint:
CloseProcesses:

CMD: netsh advfirewall reset

Folder: C:\e2cf70d6bb7998aee077c5
Folder: C:\Users\Matthew\AppData\Roaming\a1d55
Folder: C:\Users\Matthew\AppData\Local\4edd0

[-HKEY_USERS\S-1-5-21-1921292706-2233922792-2079689605-1000\Software\Classes\0f290\shell\open\command]
[-HKCU\software\88b96d2f71]

2016-04-25 14:35 - 2016-04-25 14:35 - 00000000 ____D C:\Users\Matthew\AppData\Roaming\a1d55
2016-04-25 14:35 - 2016-04-25 14:35 - 00000000 ____D C:\Users\Matthew\AppData\Local\4edd0
FF HKLM\...\Firefox\Extensions: [auto-update@mozilla.org] - C:\Users\Matthew\AppData\Roaming\Mozilla\Firefox\Extensions\MozillaUpdate

2011-08-31 13:45 - 2011-08-31 13:45 - 0000000 _____ () C:\Users\Matthew\AppData\Local\{69932216-2271-4A67-A10F-24F2C5E27DF6}
2009-07-15 00:34 - 2009-07-15 00:34 - 0005016 _____ () C:\ProgramData\mtbjfghn.xbe

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\Driver Updater]
C:\Program Files\Carambis\Driver Updater

AlternateDataStreams: C:\ProgramData\TEMP:54301EF8 [134]
AlternateDataStreams: C:\ProgramData\TEMP:5C321E34 [134]
AlternateDataStreams: C:\ProgramData\TEMP:94458101 [772]
AlternateDataStreams: C:\ProgramData\TEMP:A696643D [137]
AlternateDataStreams: C:\ProgramData\TEMP:D1B5B4F1 [210]
C:\Users\Matthew\a2HiJackFreeSetup.exe
C:\Users\Matthew\AutoFix.exe
C:\Users\Matthew\launcher-setup.exe
GroupPolicy: Restriction - Chrome <======= ATTENTION
CHR HKLM\SOFTWARE\Policies\Google: Restriction <======= ATTENTION
GroupPolicy: Restriction - Chrome <======= ATTENTION
CHR HKLM\SOFTWARE\Policies\Google: Restriction <======= ATTENTION
Toolbar: HKU\S-1-5-21-1921292706-2233922792-2079689605-1000 -> No Name - {71576546-354D-41C9-AAE8-31F2EC22BF0D} - No File
Toolbar: HKU\S-1-5-21-1921292706-2233922792-2079689605-1000 -> No Name - {F0F8ECBE-D460-4B34-B007-56A92E8F84A7} - No File
Toolbar: HKU\S-1-5-21-1921292706-2233922792-2079689605-1000 -> No Name - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No File
Toolbar: HKU\S-1-5-21-1921292706-2233922792-2079689605-1000 -> No Name - {B99F805C-F0B1-48EA-8C8B-753BFCBED913} - No File
FF HKLM\...\Firefox\Extensions: [{ABDE892B-13A8-4d1b-88E6-365A6E755758}] - C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext => not found
CHR Plugin: (Native Client) - C:\Program Files\Google\Chrome\Application\49.0.2623.112\ppGoogleNaClPluginChrome.dll => No File
CHR Plugin: (Chrome PDF Viewer) - C:\Program Files\Google\Chrome\Application\49.0.2623.112\pdf.dll => No File
CHR Plugin: (Adobe Acrobat) - C:\Program Files\Adobe\Reader 10.0\Reader\Browser\nppdf32.dll => No File
CHR Plugin: (QuickTime Plug-in 7.7.3) - C:\Program Files\Mozilla Firefox\plugins\npqtplugin.dll => No File
CHR Plugin: (QuickTime Plug-in 7.7.3) - C:\Program Files\Mozilla Firefox\plugins\npqtplugin2.dll => No File
CHR Plugin: (QuickTime Plug-in 7.7.3) - C:\Program Files\Mozilla Firefox\plugins\npqtplugin3.dll => No File
CHR Plugin: (QuickTime Plug-in 7.7.3) - C:\Program Files\Mozilla Firefox\plugins\npqtplugin4.dll => No File
CHR Plugin: (QuickTime Plug-in 7.7.3) - C:\Program Files\Mozilla Firefox\plugins\npqtplugin5.dll => No File
CHR Plugin: (QuickTime Plug-in 7.7.3) - C:\Program Files\Mozilla Firefox\plugins\npqtplugin6.dll => No File
CHR Plugin: (QuickTime Plug-in 7.7.3) - C:\Program Files\Mozilla Firefox\plugins\npqtplugin7.dll => No File
CHR Plugin: (AmazonMP3DownloaderPlugin) - C:\Program Files\Amazon\MP3 Downloader\npAmazonMP3DownloaderPlugin101752.dll => No File
CHR Plugin: (Google Update) - C:\Program Files\Google\Update\1.3.21.145\npGoogleUpdate3.dll => No File
CHR Plugin: (Java™ Platform SE 7 U21) - C:\Program Files\Java\jre7\bin\plugin2\npjp2.dll => No File
CHR Plugin: (tossc) - C:\Program Files\thinkorswim\tossc32.dll => No File
CHR Plugin: (Unity Player) - C:\Users\Matthew\AppData\LocalLow\Unity\WebPlayer\loader\npUnity3D32.dll => No File
CHR Plugin: (BrowserPlus (from Yahoo!) v2.9.8) - C:\Users\Matthew\AppData\Local\Yahoo!\BrowserPlus\2.9.8\Plugins\npybrowserplus_2.9.8.dll => No File
CHR Plugin: (Shockwave for Director) - C:\Windows\system32\Adobe\Director\np32dsw_1202122.dll => No File
CHR Plugin: (Shockwave Flash) - C:\Windows\system32\Macromed\Flash\NPSWF32_11_7_700_169.dll => No File
CHR Plugin: (Silverlight Plug-In) - c:\Program Files\Microsoft Silverlight\5.1.20125.0\npctrl.dll => No File
CHR HKLM\...\Chrome\Extension: [jfmjfhklogoienhpfnppmbcbjfjnkonk] - <no Path\update_url>
Task: {0ADFA33B-38F6-4730-8FA9-5B3AF2B9056F} - System32\Tasks\{7291E0BB-CB95-4854-B6B8-8AE263F408CA} => pcalua.exe -a C:\Users\Matthew\Downloads\vmp_full_installer_.exe -d "C:\Program Files\Mozilla Firefox"
Task: {36C87685-6D8F-4517-A870-153660DDFAD3} - System32\Tasks\{9C8226C0-C1B4-45C9-8FBD-C0C607C8BA7F} => pcalua.exe -a "C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgrInstaller.exe"
Task: {7BEB3D9F-6C43-4187-8935-D65D635F0C22} - System32\Tasks\{A01AC6B0-510E-4865-B172-CD84D4717103} => pcalua.exe -a C:\Users\Matthew\Downloads\weathersp3_StubInstaller.exe -d C:\Windows\system32
Task: {871CDE61-9DD2-471E-B119-04CA2C2CE0EA} - System32\Tasks\{C91A21D6-0968-43E4-8359-60CBBB959A3C} => pcalua.exe -a "C:\Users\Matthew\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\2ZCKI234\nforce_winvista32_15.01_international[1].exe" -d C:\Users\Matthew\Desktop
Task: {FD1B1869-F7B9-42E4-82C3-511193681A97} - \PCDEventLauncherTask -> No File <==== ATTENTION

CMD: ipconfig /flushdns
EmptyTemp:
Hosts:
end
*****************

Restore point was successfully created.
Processes closed successfully.

=========  netsh advfirewall reset =========

Ok.


========= End of CMD: =========


========================= Folder: C:\e2cf70d6bb7998aee077c5 ========================

2015-12-02 14:25 - 2015-12-02 14:25 - 0247976 _____ () C:\e2cf70d6bb7998aee077c5\MPSigStub.exe

====== End of Folder: ======


========================= Folder: C:\Users\Matthew\AppData\Roaming\a1d55 ========================

2016-04-25 14:35 - 2016-04-25 14:35 - 0009750 _____ () C:\Users\Matthew\AppData\Roaming\a1d55\efb4e.bb3ee2

====== End of Folder: ======


========================= Folder: C:\Users\Matthew\AppData\Local\4edd0 ========================

2016-04-25 14:35 - 2016-04-25 14:35 - 0000060 _____ () C:\Users\Matthew\AppData\Local\4edd0\6a59b.bat
2016-04-25 14:35 - 2016-04-25 14:35 - 0049754 _____ () C:\Users\Matthew\AppData\Local\4edd0\d7d91.bb3ee2
2016-04-25 14:35 - 2016-04-25 14:35 - 0000739 _____ () C:\Users\Matthew\AppData\Local\4edd0\f22f5.lnk

====== End of Folder: ======

HKEY_USERS\S-1-5-21-1921292706-2233922792-2079689605-1000\Software\Classes\0f290\shell\open\command => key removed successfully.
HKCU\software\88b96d2f71 => key removed successfully.
C:\Users\Matthew\AppData\Roaming\a1d55 => moved successfully
C:\Users\Matthew\AppData\Local\4edd0 => moved successfully
HKLM\Software\Mozilla\Firefox\Extensions\\auto-update@mozilla.org => value removed successfully.
C:\Users\Matthew\AppData\Local\{69932216-2271-4A67-A10F-24F2C5E27DF6} => moved successfully
C:\ProgramData\mtbjfghn.xbe => moved successfully
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\Driver Updater => key removed successfully.
C:\Program Files\Carambis\Driver Updater => moved successfully
C:\ProgramData\TEMP => ":54301EF8" ADS removed successfully..
C:\ProgramData\TEMP => ":5C321E34" ADS removed successfully..
C:\ProgramData\TEMP => ":94458101" ADS removed successfully..
C:\ProgramData\TEMP => ":A696643D" ADS removed successfully..
C:\ProgramData\TEMP => ":D1B5B4F1" ADS removed successfully..
C:\Users\Matthew\a2HiJackFreeSetup.exe => moved successfully
C:\Users\Matthew\AutoFix.exe => moved successfully
C:\Users\Matthew\launcher-setup.exe => moved successfully
C:\Windows\system32\GroupPolicy\Machine => moved successfully
C:\Windows\system32\GroupPolicy\GPT.ini => moved successfully
"HKLM\SOFTWARE\Policies\Google" => key removed successfully.
"C:\Windows\system32\GroupPolicy\Machine" => not found.
HKLM\SOFTWARE\Policies\Google => key not found.
HKU\S-1-5-21-1921292706-2233922792-2079689605-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{71576546-354D-41C9-AAE8-31F2EC22BF0D} => value removed successfully.
HKCR\CLSID\{71576546-354D-41C9-AAE8-31F2EC22BF0D} => key not found.
HKU\S-1-5-21-1921292706-2233922792-2079689605-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{F0F8ECBE-D460-4B34-B007-56A92E8F84A7} => value removed successfully.
HKCR\CLSID\{F0F8ECBE-D460-4B34-B007-56A92E8F84A7} => key not found.
HKU\S-1-5-21-1921292706-2233922792-2079689605-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{21FA44EF-376D-4D53-9B0F-8A89D3229068} => value removed successfully.
HKCR\CLSID\{21FA44EF-376D-4D53-9B0F-8A89D3229068} => key not found.
HKU\S-1-5-21-1921292706-2233922792-2079689605-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{B99F805C-F0B1-48EA-8C8B-753BFCBED913} => value removed successfully.
HKCR\CLSID\{B99F805C-F0B1-48EA-8C8B-753BFCBED913} => key not found.
HKLM\Software\Mozilla\Firefox\Extensions\\{ABDE892B-13A8-4d1b-88E6-365A6E755758} => value removed successfully.
C:\Program Files\Google\Chrome\Application\49.0.2623.112\ppGoogleNaClPluginChrome.dll => not found.
C:\Program Files\Google\Chrome\Application\49.0.2623.112\pdf.dll => not found.
C:\Program Files\Adobe\Reader 10.0\Reader\Browser\nppdf32.dll => not found.
C:\Program Files\Mozilla Firefox\plugins\npqtplugin.dll => not found.
C:\Program Files\Mozilla Firefox\plugins\npqtplugin2.dll => not found.
C:\Program Files\Mozilla Firefox\plugins\npqtplugin3.dll => not found.
C:\Program Files\Mozilla Firefox\plugins\npqtplugin4.dll => not found.
C:\Program Files\Mozilla Firefox\plugins\npqtplugin5.dll => not found.
C:\Program Files\Mozilla Firefox\plugins\npqtplugin6.dll => not found.
C:\Program Files\Mozilla Firefox\plugins\npqtplugin7.dll => not found.
C:\Program Files\Amazon\MP3 Downloader\npAmazonMP3DownloaderPlugin101752.dll => not found.
C:\Program Files\Google\Update\1.3.21.145\npGoogleUpdate3.dll => not found.
C:\Program Files\Java\jre7\bin\plugin2\npjp2.dll => not found.
C:\Program Files\thinkorswim\tossc32.dll => not found.
C:\Users\Matthew\AppData\LocalLow\Unity\WebPlayer\loader\npUnity3D32.dll => not found.
C:\Users\Matthew\AppData\Local\Yahoo!\BrowserPlus\2.9.8\Plugins\npybrowserplus_2.9.8.dll => not found.
C:\Windows\system32\Adobe\Director\np32dsw_1202122.dll => not found.
C:\Windows\system32\Macromed\Flash\NPSWF32_11_7_700_169.dll => not found.
c:\Program Files\Microsoft Silverlight\5.1.20125.0\npctrl.dll => not found.
"HKLM\SOFTWARE\Google\Chrome\Extensions\jfmjfhklogoienhpfnppmbcbjfjnkonk" => key removed successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{0ADFA33B-38F6-4730-8FA9-5B3AF2B9056F}" => key removed successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{0ADFA33B-38F6-4730-8FA9-5B3AF2B9056F}" => key removed successfully.
C:\Windows\System32\Tasks\{7291E0BB-CB95-4854-B6B8-8AE263F408CA} => moved successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\{7291E0BB-CB95-4854-B6B8-8AE263F408CA}" => key removed successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{36C87685-6D8F-4517-A870-153660DDFAD3}" => key removed successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{36C87685-6D8F-4517-A870-153660DDFAD3}" => key removed successfully.
C:\Windows\System32\Tasks\{9C8226C0-C1B4-45C9-8FBD-C0C607C8BA7F} => moved successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\{9C8226C0-C1B4-45C9-8FBD-C0C607C8BA7F}" => key removed successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{7BEB3D9F-6C43-4187-8935-D65D635F0C22}" => key removed successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{7BEB3D9F-6C43-4187-8935-D65D635F0C22}" => key removed successfully.
C:\Windows\System32\Tasks\{A01AC6B0-510E-4865-B172-CD84D4717103} => moved successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\{A01AC6B0-510E-4865-B172-CD84D4717103}" => key removed successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{871CDE61-9DD2-471E-B119-04CA2C2CE0EA}" => key removed successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{871CDE61-9DD2-471E-B119-04CA2C2CE0EA}" => key removed successfully.
C:\Windows\System32\Tasks\{C91A21D6-0968-43E4-8359-60CBBB959A3C} => moved successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\{C91A21D6-0968-43E4-8359-60CBBB959A3C}" => key removed successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{FD1B1869-F7B9-42E4-82C3-511193681A97}" => key removed successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{FD1B1869-F7B9-42E4-82C3-511193681A97}" => key removed successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\PCDEventLauncherTask" => key removed successfully.

=========  ipconfig /flushdns =========


Windows IP Configuration

Successfully flushed the DNS Resolver Cache.

========= End of CMD: =========

C:\Windows\System32\Drivers\etc\hosts => moved successfully
Hosts restored successfully.
EmptyTemp: => 581.6 MB temporary data Removed.


The system needed a reboot.

==== End of Fixlog 20:22:00 ====

Farbar Recovery Scan Tool (x86) Version:06-05-2016 02
Ran by Matthew (2016-05-05 20:40:54)
Running from C:\Users\Matthew\Downloads
Boot Mode: Normal

================== Search Registry: "mshta;javascript;mtbjfghn;69932216-2271-4A67-A10F-24F2C5E27DF6" ===========


===================== Search result for "mshta" ==========

[HKEY_LOCAL_MACHINE\COMPONENTS\DerivedData\Components\x86_microsoft-windows-i..plication.resources_31bf3856ad364e35_6.0.6000.16386_en-us_5326aabe12a1c009]
"f!mshta.exe.mui"="0x6D0073006800740061002E006500780065002E006D0075006900"

[HKEY_LOCAL_MACHINE\COMPONENTS\DerivedData\Components\x86_microsoft-windows-i..plication.resources_31bf3856ad364e35_9.1.8112.16421_en-us_1550a7aa4d7116ef]
"f!mshta.exe.mui"="0x6D0073006800740061002E006500780065002E006D0075006900"

[HKEY_LOCAL_MACHINE\COMPONENTS\DerivedData\Components\x86_microsoft-windows-ie-htmlapplication_31bf3856ad364e35_6.0.6001.18000_none_5959ef41095d8ee0]
"f!mshta.exe"="0x6D0073006800740061002E00650078006500"

[HKEY_LOCAL_MACHINE\COMPONENTS\DerivedData\Components\x86_microsoft-windows-ie-htmlapplication_31bf3856ad364e35_9.1.8112.16421_none_194d2a314741d4f2]
"f!mshta.exe"="0x6D0073006800740061002E00650078006500"

[HKEY_LOCAL_MACHINE\COMPONENTS\DerivedData\Components\x86_microsoft-windows-ie-htmlapplication_31bf3856ad364e35_9.1.8112.16561_none_1921ec67476241dd]
"f!mshta.exe"="0x6D0073006800740061002E00650078006500"

[HKEY_LOCAL_MACHINE\COMPONENTS\DerivedData\Components\x86_microsoft-windows-ie-htmlapplication_31bf3856ad364e35_9.1.8112.16575_none_191b1da34766c32a]
"f!mshta.exe"="0x6D0073006800740061002E00650078006500"

[HKEY_LOCAL_MACHINE\COMPONENTS\DerivedData\Components\x86_microsoft-windows-ie-htmlapplication_31bf3856ad364e35_9.1.8112.16592_none_19027ced4779af07]
"f!mshta.exe"="0x6D0073006800740061002E00650078006500"

[HKEY_LOCAL_MACHINE\COMPONENTS\DerivedData\Components\x86_microsoft-windows-ie-htmlapplication_31bf3856ad364e35_9.1.8112.16609_none_196ad025472a6216]
"f!mshta.exe"="0x6D0073006800740061002E00650078006500"

[HKEY_LOCAL_MACHINE\COMPONENTS\DerivedData\Components\x86_microsoft-windows-ie-htmlapplication_31bf3856ad364e35_9.1.8112.16636_none_19475f83474569e4]
"f!mshta.exe"="0x6D0073006800740061002E00650078006500"

[HKEY_LOCAL_MACHINE\COMPONENTS\DerivedData\Components\x86_microsoft-windows-ie-htmlapplication_31bf3856ad364e35_9.1.8112.16659_none_1934c0894752edcb]
"f!mshta.exe"="0x6D0073006800740061002E00650078006500"

[HKEY_LOCAL_MACHINE\COMPONENTS\DerivedData\Components\x86_microsoft-windows-ie-htmlapplication_31bf3856ad364e35_9.1.8112.16684_none_190f4f53476fc2eb]
"f!mshta.exe"="0x6D0073006800740061002E00650078006500"

[HKEY_LOCAL_MACHINE\COMPONENTS\DerivedData\Components\x86_microsoft-windows-ie-htmlapplication_31bf3856ad364e35_9.1.8112.16708_none_1969d1c1472b45e6]
"f!mshta.exe"="0x6D0073006800740061002E00650078006500"

[HKEY_LOCAL_MACHINE\COMPONENTS\DerivedData\Components\x86_microsoft-windows-ie-htmlapplication_31bf3856ad364e35_9.1.8112.16723_none_194f3077473fff15]
"f!mshta.exe"="0x6D0073006800740061002E00650078006500"

[HKEY_LOCAL_MACHINE\COMPONENTS\DerivedData\Components\x86_microsoft-windows-ie-htmlapplication_31bf3856ad364e35_9.1.8112.16748_none_193e9211474bb5aa]
"f!mshta.exe"="0x6D0073006800740061002E00650078006500"

[HKEY_LOCAL_MACHINE\COMPONENTS\DerivedData\Components\x86_microsoft-windows-ie-htmlapplication_31bf3856ad364e35_9.1.8112.16770_none_19161ffd476b3ec5]
"f!mshta.exe"="0x6D0073006800740061002E00650078006500"

[HKEY_LOCAL_MACHINE\COMPONENTS\DerivedData\Components\x86_microsoft-windows-ie-htmlapplication_31bf3856ad364e35_9.1.8112.20672_none_19a1b990608716ef]
"f!mshta.exe"="0x6D0073006800740061002E00650078006500"

[HKEY_LOCAL_MACHINE\COMPONENTS\DerivedData\Components\x86_microsoft-windows-ie-htmlapplication_31bf3856ad364e35_9.1.8112.20691_none_198b196e6098357a]
"f!mshta.exe"="0x6D0073006800740061002E00650078006500"

[HKEY_LOCAL_MACHINE\COMPONENTS\DerivedData\Components\x86_microsoft-windows-ie-htmlapplication_31bf3856ad364e35_9.1.8112.20708_none_19f36ca66048e889]
"f!mshta.exe"="0x6D0073006800740061002E00650078006500"

[HKEY_LOCAL_MACHINE\COMPONENTS\DerivedData\Components\x86_microsoft-windows-ie-htmlapplication_31bf3856ad364e35_9.1.8112.20725_none_19dacbf0605bd466]
"f!mshta.exe"="0x6D0073006800740061002E00650078006500"

[HKEY_LOCAL_MACHINE\COMPONENTS\DerivedData\Components\x86_microsoft-windows-ie-htmlapplication_31bf3856ad364e35_9.1.8112.20750_none_19b55aba6078a986]
"f!mshta.exe"="0x6D0073006800740061002E00650078006500"

[HKEY_LOCAL_MACHINE\COMPONENTS\DerivedData\Components\x86_microsoft-windows-ie-htmlapplication_31bf3856ad364e35_9.1.8112.20774_none_19a3bc0a608546c4]
"f!mshta.exe"="0x6D0073006800740061002E00650078006500"

[HKEY_LOCAL_MACHINE\COMPONENTS\DerivedData\Components\x86_microsoft-windows-ie-htmlapplication_31bf3856ad364e35_9.1.8112.20799_none_19931da46090fd59]
"f!mshta.exe"="0x6D0073006800740061002E00650078006500"

[HKEY_LOCAL_MACHINE\COMPONENTS\DerivedData\Components\x86_microsoft-windows-ie-htmlapplication_31bf3856ad364e35_9.1.8112.20823_none_19d8cd42605d9edf]
"f!mshta.exe"="0x6D0073006800740061002E00650078006500"

[HKEY_LOCAL_MACHINE\COMPONENTS\DerivedData\Components\x86_microsoft-windows-ie-htmlapplication_31bf3856ad364e35_9.1.8112.20838_none_19d2fec860613983]
"f!mshta.exe"="0x6D0073006800740061002E00650078006500"

[HKEY_LOCAL_MACHINE\COMPONENTS\DerivedData\Components\x86_microsoft-windows-ie-htmlapplication_31bf3856ad364e35_9.1.8112.20863_none_19ad8d92607e0ea3]
"f!mshta.exe"="0x6D0073006800740061002E00650078006500"

[HKEY_LOCAL_MACHINE\COMPONENTS\DerivedData\Components\x86_microsoft-windows-ie-htmlapplication_31bf3856ad364e35_9.1.8112.20885_none_1999ee4e608c7933]
"f!mshta.exe"="0x6D0073006800740061002E00650078006500"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Applications\mshta.exe]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{3050f4d8-98B5-11CF-BB82-00AA00BDCE0B}\DefaultIcon]
""="C:\Windows\system32\mshta.exe,1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\htafile]
"FriendlyTypeName"="@C:\Windows\system32\mshta.exe,-6412"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_MSHTML_AUTOLOAD_IEFRAME]
"mshta.exe"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SideBySide\DerivedData\Components\x86_microsoft-windows-i..plication.resources_31bf3856ad364e35_6.0.6000.16386_en-us_5326aabe12a1c009]
"f!mshta.exe.mui"="0x6D0073006800740061002E006500780065002E006D0075006900"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SideBySide\DerivedData\Components\x86_microsoft-windows-i..plication.resources_31bf3856ad364e35_9.1.8112.16421_en-us_1550a7aa4d7116ef]
"f!mshta.exe.mui"="0x6D0073006800740061002E006500780065002E006D0075006900"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SideBySide\DerivedData\Components\x86_microsoft-windows-ie-htmlapplication_31bf3856ad364e35_6.0.6001.18000_none_5959ef41095d8ee0]
"f!mshta.exe"="0x6D0073006800740061002E00650078006500"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SideBySide\DerivedData\Components\x86_microsoft-windows-ie-htmlapplication_31bf3856ad364e35_9.1.8112.16421_none_194d2a314741d4f2]
"f!mshta.exe"="0x6D0073006800740061002E00650078006500"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SideBySide\DerivedData\Components\x86_microsoft-windows-ie-htmlapplication_31bf3856ad364e35_9.1.8112.16561_none_1921ec67476241dd]
"f!mshta.exe"="0x6D0073006800740061002E00650078006500"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SideBySide\DerivedData\Components\x86_microsoft-windows-ie-htmlapplication_31bf3856ad364e35_9.1.8112.16575_none_191b1da34766c32a]
"f!mshta.exe"="0x6D0073006800740061002E00650078006500"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SideBySide\DerivedData\Components\x86_microsoft-windows-ie-htmlapplication_31bf3856ad364e35_9.1.8112.16592_none_19027ced4779af07]
"f!mshta.exe"="0x6D0073006800740061002E00650078006500"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SideBySide\DerivedData\Components\x86_microsoft-windows-ie-htmlapplication_31bf3856ad364e35_9.1.8112.16609_none_196ad025472a6216]
"f!mshta.exe"="0x6D0073006800740061002E00650078006500"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SideBySide\DerivedData\Components\x86_microsoft-windows-ie-htmlapplication_31bf3856ad364e35_9.1.8112.16636_none_19475f83474569e4]
"f!mshta.exe"="0x6D0073006800740061002E00650078006500"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SideBySide\DerivedData\Components\x86_microsoft-windows-ie-htmlapplication_31bf3856ad364e35_9.1.8112.16659_none_1934c0894752edcb]
"f!mshta.exe"="0x6D0073006800740061002E00650078006500"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SideBySide\DerivedData\Components\x86_microsoft-windows-ie-htmlapplication_31bf3856ad364e35_9.1.8112.16684_none_190f4f53476fc2eb]
"f!mshta.exe"="0x6D0073006800740061002E00650078006500"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SideBySide\DerivedData\Components\x86_microsoft-windows-ie-htmlapplication_31bf3856ad364e35_9.1.8112.16708_none_1969d1c1472b45e6]
"f!mshta.exe"="0x6D0073006800740061002E00650078006500"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SideBySide\DerivedData\Components\x86_microsoft-windows-ie-htmlapplication_31bf3856ad364e35_9.1.8112.16723_none_194f3077473fff15]
"f!mshta.exe"="0x6D0073006800740061002E00650078006500"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SideBySide\DerivedData\Components\x86_microsoft-windows-ie-htmlapplication_31bf3856ad364e35_9.1.8112.16748_none_193e9211474bb5aa]
"f!mshta.exe"="0x6D0073006800740061002E00650078006500"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SideBySide\DerivedData\Components\x86_microsoft-windows-ie-htmlapplication_31bf3856ad364e35_9.1.8112.16770_none_19161ffd476b3ec5]
"f!mshta.exe"="0x6D0073006800740061002E00650078006500"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SideBySide\DerivedData\Components\x86_microsoft-windows-ie-htmlapplication_31bf3856ad364e35_9.1.8112.20672_none_19a1b990608716ef]
"f!mshta.exe"="0x6D0073006800740061002E00650078006500"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SideBySide\DerivedData\Components\x86_microsoft-windows-ie-htmlapplication_31bf3856ad364e35_9.1.8112.20691_none_198b196e6098357a]
"f!mshta.exe"="0x6D0073006800740061002E00650078006500"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SideBySide\DerivedData\Components\x86_microsoft-windows-ie-htmlapplication_31bf3856ad364e35_9.1.8112.20708_none_19f36ca66048e889]
"f!mshta.exe"="0x6D0073006800740061002E00650078006500"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SideBySide\DerivedData\Components\x86_microsoft-windows-ie-htmlapplication_31bf3856ad364e35_9.1.8112.20725_none_19dacbf0605bd466]
"f!mshta.exe"="0x6D0073006800740061002E00650078006500"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SideBySide\DerivedData\Components\x86_microsoft-windows-ie-htmlapplication_31bf3856ad364e35_9.1.8112.20750_none_19b55aba6078a986]
"f!mshta.exe"="0x6D0073006800740061002E00650078006500"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SideBySide\DerivedData\Components\x86_microsoft-windows-ie-htmlapplication_31bf3856ad364e35_9.1.8112.20774_none_19a3bc0a608546c4]
"f!mshta.exe"="0x6D0073006800740061002E00650078006500"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SideBySide\DerivedData\Components\x86_microsoft-windows-ie-htmlapplication_31bf3856ad364e35_9.1.8112.20799_none_19931da46090fd59]
"f!mshta.exe"="0x6D0073006800740061002E00650078006500"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SideBySide\DerivedData\Components\x86_microsoft-windows-ie-htmlapplication_31bf3856ad364e35_9.1.8112.20823_none_19d8cd42605d9edf]
"f!mshta.exe"="0x6D0073006800740061002E00650078006500"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SideBySide\DerivedData\Components\x86_microsoft-windows-ie-htmlapplication_31bf3856ad364e35_9.1.8112.20838_none_19d2fec860613983]
"f!mshta.exe"="0x6D0073006800740061002E00650078006500"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SideBySide\DerivedData\Components\x86_microsoft-windows-ie-htmlapplication_31bf3856ad364e35_9.1.8112.20863_none_19ad8d92607e0ea3]
"f!mshta.exe"="0x6D0073006800740061002E00650078006500"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SideBySide\DerivedData\Components\x86_microsoft-windows-ie-htmlapplication_31bf3856ad364e35_9.1.8112.20885_none_1999ee4e608c7933]
"f!mshta.exe"="0x6D0073006800740061002E00650078006500"

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\Shell\MuiCache]
"@C:\Windows\system32\mshta.exe,-6412"="HTML Application"

[HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\Shell\MuiCache]
"@C:\Windows\system32\mshta.exe,-6412"="HTML Application"

===================== Search result for "javascript" ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{3050F3B2-98B5-11CF-BB82-00AA00BDCE0B}]
""="Microsoft HTML Javascript Pluggable Protocol"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\JavaScript]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\JavaScript1.1]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\JavaScript1.2]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\JavaScript1.2 AuthorJavaScript1.3 Author]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\JavaScript1.3 Author]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders]
"C:\Program Files\Common Files\Apple\Apple Application Support\JavaScriptCore.resources\"=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\1508B1D599F5544488D93C0B55C7D592]
"A3511AFA745FB9048B73A3D0C6A5F3CE"="C:\Program Files\Common Files\Apple\Apple Application Support\JavaScriptCore.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\4210D39FE9C0D214DA66C66F9C686753]
"68AB67CA7DA73301B744BA0000000010"="C:\Program Files\Adobe\Reader 11.0\Reader\Javascripts\JSByteCodeWin.bin"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\AllowedDragProtocols\1]
"javascript"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\AllowedDragProtocols\4]
"javascript"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Adobe\Acrobat Reader\11.0\FeatureLockDown\cDefaultLaunchURLPerms]
"tSchemePerms"="version:2|shell:3|hcp:3|ms-help:3|ms-its:3|ms-itss:3|its:3|mk:3|mhtml:3|help:3|disk:3|afp:3|disks:3|telnet:3|ssh:3|acrobat:2|mailto:2|file:1|rlogin:3|javascript:4|data:3|jar:3|vbscript:3"

[HKEY_USERS\S-1-5-21-1921292706-2233922792-2079689605-1000\Software\Classes\Interface\{15EE6BF6-9AB2-5E0F-830B-65E9D1520B39}]
""="IFBComJavascriptObject"

[HKEY_USERS\S-1-5-21-1921292706-2233922792-2079689605-1000_Classes\Interface\{15EE6BF6-9AB2-5E0F-830B-65E9D1520B39}]
""="IFBComJavascriptObject"

====== End of Search ======



#8 Struppigel

Struppigel

    Karsten Hahn, G DATA Malware Analyst


  • Malware Response Team
  • 231 posts
  • OFFLINE
  • Gender:Male
  • Local time:11:14 PM

Posted 06 May 2016 - 04:45 AM

It looks like Kovter is gone now. Did Microsoft Security Essentials detect anything since the last fix?


STEP 1
Junkware Removal Tool (JRT)

  • Please download Junkware Removal Tool and save the file to your Desktop.
  • Temporarily disable your anti-virus software. For instructions, please refer to the following link.
  • Right-click JRT.exe and select Run as administrator to run the programme.
  • Follow the prompts and allow the scan to run uninterrupted.
  • Upon completion, a log (JRT.txt) will open on your desktop.
  • Re-enable your anti-virus software.
  • Attach JRT.txt to your next reply.

STEP 2

AdwCleaner

  • Please download AdwCleaner and save the file to your Desktop.
  • Right-click AdwCleaner.exe and select Run as administrator to run the programme.
  • Follow the prompts.
  • Click Scan.
  • Upon completion, click Report. A log (AdwCleaner[R0].txt) will open. Briefly check the log for anything you know to be legitimate.
  • Ensure anything you know to be legitimate does not have a checkmark, and click Clean.
  • Follow the prompts and allow your computer to reboot.
  • After rebooting, a log (AdwCleaner[S0].txt) will open. Attach the log in your next reply.

-- File and folder backups are made for items removed using this tool. Should a legitimate file or folder be removed (otherwise known as a 'false-positive'), simple steps can be taken to restore the item. Please do not overly concern yourself with the contents of AdwCleaner[R0].txt.


STEP 3
Potentially Unwanted Programmes

I found a few potentially unwanted programs on your system. These programs are not malicious, but they might be on your computer without your consent. Some of them are known to deliver ads, bundle additional software, or have questionable privacy policies.
Please tell me for each of the following programs if you want to keep them:

  • Wildtangent Games
  • Yahoo! Toolbar
  • Yahoo! Search Protection
  • Yahoo! Install Manager
  • Yahoo! Messenger
  • Yahoo! Software Update
  • Real Player

======================================================

STEP 4
Logs
In your next reply please include the following logs.

  • JRT.txt
  • AdwCleaner[S0].txt
  • Which programmes in Step 3 do you want to keep?



Edited by Curie, 06 May 2016 - 04:46 AM.


#9 Groffeaston

Groffeaston
  • Topic Starter

  • Members
  • 518 posts
  • OFFLINE
  • Gender:Male
  • Location:Easton,PA
  • Local time:05:14 PM

Posted 06 May 2016 - 07:26 PM

Here are the logs:
Step 1):

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Malwarebytes
Version: 8.0.6 (04.25.2016)
Operating System: Windows Vista ™ Home Premium x86
Ran by Matthew (Administrator) on Fri 05/06/2016 at 19:24:49.27
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~




File System: 26

Successfully deleted: C:\Program Files\mozilla firefox\defaults\pref\itms.js (File)
Successfully deleted: C:\Users\Matthew\AppData\Local\{572552A3-6B95-494F-8241-E9F153A228AB} (Empty Folder)
Successfully deleted: C:\Users\Matthew\AppData\Local\{5DFF854F-779F-418E-B199-A8227A072845} (Empty Folder)
Successfully deleted: C:\Users\Matthew\AppData\Local\{C1584C9F-4698-472F-9F98-C7C0FF7A9714} (Empty Folder)
Successfully deleted: C:\Users\Matthew\AppData\Local\{F2C821B4-82AA-4F2D-9CFC-670AA067E08B} (Empty Folder)
Successfully deleted: C:\Users\Matthew\AppData\Local\slimware utilities inc (Folder)
Successfully deleted: C:\Users\Matthew\AppData\Roaming\compuclever (Folder)
Successfully deleted: C:\Users\Matthew\AppData\Roaming\systweak (Folder)
Successfully deleted: C:\users\Public\Documents\downloaded installers (Folder)
Successfully deleted: C:\Program Files\compuclever (Folder)
Successfully deleted: C:\Users\Matthew\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\9OKBMC3L (Temporary Internet Files Folder)
Successfully deleted: C:\Users\Matthew\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\BGYKZGYC (Temporary Internet Files Folder)
Successfully deleted: C:\Users\Matthew\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\M5VC81F6 (Temporary Internet Files Folder)
Successfully deleted: C:\Users\Matthew\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\MX6BR96S (Temporary Internet Files Folder)
Successfully deleted: C:\Users\Matthew\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PX7GS49H (Temporary Internet Files Folder)
Successfully deleted: C:\Users\Matthew\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PZLKN7GL (Temporary Internet Files Folder)
Successfully deleted: C:\Users\Matthew\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XMI2XGG9 (Temporary Internet Files Folder)
Successfully deleted: C:\Users\Matthew\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\YNIYPP4R (Temporary Internet Files Folder)
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\9OKBMC3L (Temporary Internet Files Folder)
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\BGYKZGYC (Temporary Internet Files Folder)
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\M5VC81F6 (Temporary Internet Files Folder)
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\MX6BR96S (Temporary Internet Files Folder)
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PX7GS49H (Temporary Internet Files Folder)
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PZLKN7GL (Temporary Internet Files Folder)
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XMI2XGG9 (Temporary Internet Files Folder)
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\YNIYPP4R (Temporary Internet Files Folder)



Registry: 2

Successfully deleted: HKLM\SYSTEM\CurrentControlSet\services\YahooAUService (Registry Key)
Successfully deleted: HKLM\Software\Microsoft\Internet Explorer\Search\\SearchAssistant (Registry Value)




~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on Fri 05/06/2016 at 19:27:38.48
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

At Step 2 I was not sure what was and what was not legitimate, so I "cleaned" them all. Here is the log:

# AdwCleaner v5.115 - Logfile created 06/05/2016 at 19:40:35
# Updated 01/05/2016 by Xplode
# Database : 2016-05-04.2 [Server]
# Operating system : Windows Vista ™ Home Premium Service Pack 2 (X86)
# Username : Matthew - MATTHEW-PC
# Running from : C:\Users\Matthew\Desktop\AdwCleaner(1).exe
# Option : Clean
# Support : http://toolslib.net/forum

***** [ Services ] *****

[-] Service Deleted : YahooAUService

***** [ Folders ] *****

[-] Folder Deleted : C:\ProgramData\Yahoo! Companion
[-] Folder Deleted : C:\ProgramData\Avg_Update_0814tb
[#] Folder Deleted : C:\ProgramData\Application Data\Yahoo! Companion
[#] Folder Deleted : C:\ProgramData\Application Data\Avg_Update_0814tb
[-] Folder Deleted : C:\Program Files\Ascentive
[-] Folder Deleted : C:\Program Files\Yahoo!\Companion
[-] Folder Deleted : C:\Program Files\Common Files\Winferno
[-] Folder Deleted : C:\Windows\system32\config\systemprofile\AppData\Local\FileTypeAssistant
[-] Folder Deleted : C:\Users\Matthew\AppData\LocalLow\Yahoo! Companion
[-] Folder Deleted : C:\Users\Matthew\AppData\LocalLow\Yahoo!\Companion
[-] Folder Deleted : C:\Users\Matthew\AppData\Roaming\Yahoo!\Companion

***** [ Files ] *****

[-] File Deleted : C:\Program Files\Yahoo!\Common\unyt.exe

***** [ DLLs ] *****


***** [ WMI ] *****


***** [ Shortcuts ] *****


***** [ Scheduled tasks ] *****

[-] Task Deleted : AVG-Secure-Search-Update_0414c_rel
[-] Task Deleted : AVG-Secure-Search-Update_0414c_rmv

***** [ Registry ] *****

[-] Key Deleted : HKLM\SOFTWARE\Classes\AppID\YMERemote.DLL
[-] Key Deleted : HKLM\SOFTWARE\Classes\AppID\YCAPlugin.DLL
[-] Key Deleted : HKLM\SOFTWARE\Classes\AppID\YPUBC.DLL
[-] Key Deleted : HKLM\SOFTWARE\Classes\AppID\yt.DLL
[-] Key Deleted : HKLM\SOFTWARE\Classes\AppID\YTabBar.DLL
[-] Key Deleted : HKLM\SOFTWARE\Classes\AppID\ytbbroker.EXE
[-] Key Deleted : HKLM\SOFTWARE\Classes\AppID\YTBM.DLL
[-] Key Deleted : HKLM\SOFTWARE\Classes\AppID\YTMsgr.DLL
[-] Key Deleted : HKLM\SOFTWARE\Classes\AppID\YTNavAssist.DLL
[-] Key Deleted : HKLM\SOFTWARE\Classes\AppID\YTSingleInstance.DLL
[-] Key Deleted : HKCU\Software\Classes\Applications\updater.exe
[-] Key Deleted : HKCU\Software\Microsoft\Internet Explorer\DOMStorage\citysearch.com
[-] Key Deleted : HKCU\Software\Microsoft\Internet Explorer\DOMStorage\myway.com
[-] Key Deleted : HKLM\SOFTWARE\Classes\iMesh.LauncherEventHandler
[-] Key Deleted : HKLM\SOFTWARE\Classes\iMesh.LauncherEventHandler.1
[-] Key Deleted : HKLM\SOFTWARE\Classes\IMWeb.IMWebControl.1
[-] Key Deleted : HKLM\SOFTWARE\Classes\protector_dll.Protector
[-] Key Deleted : HKLM\SOFTWARE\Classes\protector_dll.Protector.1
[-] Key Deleted : HKLM\SOFTWARE\Classes\WMHelperiMesh.WMHelper
[-] Key Deleted : HKLM\SOFTWARE\Classes\WMHelperiMesh.WMHelper.1
[-] Key Deleted : HKLM\SOFTWARE\Classes\Yahoo.AntiSpyPlugin
[-] Key Deleted : HKLM\SOFTWARE\Classes\Yahoo.AntiSpyPlugin.6
[-] Key Deleted : HKLM\SOFTWARE\Classes\Yahoo.PopupBlockerPlugin
[-] Key Deleted : HKLM\SOFTWARE\Classes\Yahoo.PopupBlockerPlugin.4
[-] Key Deleted : HKLM\SOFTWARE\Classes\YBrowserToolbar.YBrowserToolbar
[-] Key Deleted : HKLM\SOFTWARE\Classes\YBrowserToolbar.YBrowserToolbar.1
[-] Key Deleted : HKLM\SOFTWARE\Classes\YCAPlugin.CAYASPlugin
[-] Key Deleted : HKLM\SOFTWARE\Classes\YCAPlugin.CAYASPlugin.1
[-] Key Deleted : HKLM\SOFTWARE\Classes\YPUBC.BlockerCtrl
[-] Key Deleted : HKLM\SOFTWARE\Classes\YPUBC.BlockerCtrl.1
[-] Key Deleted : HKLM\SOFTWARE\Classes\YPUBC.DataStore
[-] Key Deleted : HKLM\SOFTWARE\Classes\YPUBC.DataStore.1
[-] Key Deleted : HKLM\SOFTWARE\Classes\YPUBC.PUBHTMLEventHandler
[-] Key Deleted : HKLM\SOFTWARE\Classes\YPUBC.PUBHTMLEventHandler.1
[-] Key Deleted : HKLM\SOFTWARE\Classes\YPUBC.StringList
[-] Key Deleted : HKLM\SOFTWARE\Classes\YPUBC.StringList.1
[-] Key Deleted : HKLM\SOFTWARE\Classes\yt.CacheLoader
[-] Key Deleted : HKLM\SOFTWARE\Classes\yt.CacheLoader.1
[-] Key Deleted : HKLM\SOFTWARE\Classes\yt.Clickstream
[-] Key Deleted : HKLM\SOFTWARE\Classes\yt.Clickstream.1
[-] Key Deleted : HKLM\SOFTWARE\Classes\yt.YTHelper
[-] Key Deleted : HKLM\SOFTWARE\Classes\yt.YTHelper.2
[-] Key Deleted : HKLM\SOFTWARE\Classes\yt.YToolbarBand
[-] Key Deleted : HKLM\SOFTWARE\Classes\yt.YToolbarBand.1
[-] Key Deleted : HKLM\SOFTWARE\Classes\ytbbroker.YCAAssistant
[-] Key Deleted : HKLM\SOFTWARE\Classes\ytbbroker.YCAAssistant.1
[-] Key Deleted : HKLM\SOFTWARE\Classes\ytbbroker.YTBAutoUpdaterAssistant
[-] Key Deleted : HKLM\SOFTWARE\Classes\ytbbroker.YTBAutoUpdaterAssistant.1
[-] Key Deleted : HKLM\SOFTWARE\Classes\ytbbroker.YTBCustomizerAssistant
[-] Key Deleted : HKLM\SOFTWARE\Classes\ytbbroker.YTBCustomizerAssistant.1
[-] Key Deleted : HKLM\SOFTWARE\Classes\ytbbroker.YTBGeneralAssistant
[-] Key Deleted : HKLM\SOFTWARE\Classes\ytbbroker.YTBGeneralAssistant.1
[-] Key Deleted : HKLM\SOFTWARE\Classes\ytbbroker.YTBMessengerAssistant
[-] Key Deleted : HKLM\SOFTWARE\Classes\ytbbroker.YTBMessengerAssistant.1
[-] Key Deleted : HKLM\SOFTWARE\Classes\ytbbroker.YTBSingleInstanceAssistant
[-] Key Deleted : HKLM\SOFTWARE\Classes\ytbbroker.YTBSingleInstanceAssistant.1
[-] Key Deleted : HKLM\SOFTWARE\Classes\YTNavAssist.NameSpaceCF
[-] Key Deleted : HKLM\SOFTWARE\Classes\YTNavAssist.NameSpaceCF.1
[-] Key Deleted : HKLM\SOFTWARE\Classes\YTNavAssist.NameSpacePP
[-] Key Deleted : HKLM\SOFTWARE\Classes\YTNavAssist.NameSpacePP.1
[-] Key Deleted : HKLM\SOFTWARE\Classes\YTNavAssist.YTNavAssistPlugin
[-] Key Deleted : HKLM\SOFTWARE\Classes\YTNavAssist.YTNavAssistPlugin.1
[-] Key Deleted : HKLM\SOFTWARE\Classes\YTSingleInstance.SingleInstance
[-] Key Deleted : HKLM\SOFTWARE\Classes\YTSingleInstance.SingleInstance.1
[-] Key Deleted : HKLM\SOFTWARE\Classes\AppID\{07CDAAD9-1226-4C6D-B774-C00E7B323484}
[-] Key Deleted : HKLM\SOFTWARE\Classes\AppID\{1CAE874F-F5C7-4BCC-BA46-9AD26DF35B93}
[-] Key Deleted : HKLM\SOFTWARE\Classes\AppID\{35860EFB-1589-4F32-A618-99E847A502B2}
[-] Key Deleted : HKLM\SOFTWARE\Classes\AppID\{39DCCEAF-C749-4390-9953-527CF916935C}
[-] Key Deleted : HKLM\SOFTWARE\Classes\AppID\{41D7CEE0-D91F-498C-BC88-4A6BEE46C2BC}
[-] Key Deleted : HKLM\SOFTWARE\Classes\AppID\{7D831388-D405-4272-9511-A07440AD2927}
[-] Key Deleted : HKLM\SOFTWARE\Classes\AppID\{9EDCCD11-960D-49AE-B523-C6B5AB7E1345}
[-] Key Deleted : HKLM\SOFTWARE\Classes\AppID\{EB2BA65E-41F6-4F64-92A6-216CDFFDF577}
[-] Key Deleted : HKLM\SOFTWARE\Classes\AppID\{EFC0651C-B6D7-49CD-A6E0-B1CE9AB5FE46}
[-] Key Deleted : HKLM\SOFTWARE\Classes\AppID\{FFFFE1D1-E40D-49a1-9622-BC59BD1879C3}
[-] Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{81017EA9-9AA8-4A6A-9734-7AF40E7D593F}
[-] Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{FDAD4DA1-61A2-4FD8-9C17-86F7AC245081}
[-] Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{1147DC83-6208-4dca-8E88-DD45BAAB3043}
[-] Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{11CB4723-D5A1-4a55-8D1D-5C2679D54CF5}
[-] Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{1E57256D-9F39-4267-AB39-D7813D644C5A}
[-] Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{31371420-098D-4C0E-A11E-EBEC2305DD01}
[-] Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{37B8167C-B9A4-4316-94B2-67B64BB2BA7C}
[-] Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{3A06AA27-D94B-48C2-BB55-9FD0FF2120E3}
[-] Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{46140CE4-76FE-440E-AE88-4C2272BC05C7}
[-] Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{6E40017D-FB6A-4804-BDE4-3BB09F1719C1}
[-] Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{9F9C4C5C-2BA8-4E00-A697-9F710BB1026B}
[-] Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{B7A0E898-93E5-43f4-B99A-6C70B303699C}
[-] Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{D40A62D1-8FC0-4F03-90C4-0DE03BE73A41}
[-] Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{E1A2D448-6334-45ec-8800-6D7F71DC87FC}
[-] Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{F9A10D86-182A-4946-869B-70C3D109D14D}
[-] Key Deleted : HKLM\SOFTWARE\Classes\Interface\{596BB86E-F1E5-A1DE-3363-41AB634E77EF}
[-] Key Deleted : HKLM\SOFTWARE\Classes\Interface\{A3492A3A-6715-9371-F8DB-1C48CC4DAAA1}
[-] Key Deleted : HKLM\SOFTWARE\Classes\Interface\{8233093C-178B-484B-979E-3C6B5B147DBC}
[-] Key Deleted : HKLM\SOFTWARE\Classes\Interface\{A63B48E9-1EC7-413E-9C48-3404BBF87BF3}
[-] Key Deleted : HKLM\SOFTWARE\Classes\Interface\{F56ACA29-1C99-40F1-AC64-2E44C4F6BC71}
[-] Key Deleted : HKLM\SOFTWARE\Classes\Interface\{11D5E9EA-3117-4389-8E58-742F0975C980}
[-] Key Deleted : HKLM\SOFTWARE\Classes\Interface\{22389F39-2CF4-47C4-B8B2-273BB16BF70C}
[-] Key Deleted : HKLM\SOFTWARE\Classes\Interface\{23E3CEB3-D63A-433E-A5D0-4DB1C501B915}
[-] Key Deleted : HKLM\SOFTWARE\Classes\Interface\{26A3152F-CF87-4C5B-8093-4D4B9EC084EB}
[-] Key Deleted : HKLM\SOFTWARE\Classes\Interface\{2723E96B-905F-4C64-8999-D868A08E6370}
[-] Key Deleted : HKLM\SOFTWARE\Classes\Interface\{29E3319C-4B3C-479F-8692-BDD2CA30BEDD}
[-] Key Deleted : HKLM\SOFTWARE\Classes\Interface\{2FCB4E7E-E5C7-4D07-BB2C-78DF2DA867AD}
[-] Key Deleted : HKLM\SOFTWARE\Classes\Interface\{367BD1CD-74A3-451F-B1A4-6A2DE4129A2D}
[-] Key Deleted : HKLM\SOFTWARE\Classes\Interface\{38552F25-8DED-4206-BB21-041EF53328F9}
[-] Key Deleted : HKLM\SOFTWARE\Classes\Interface\{49F018EE-F362-4B5B-8EC8-BCF9246ABF21}
[-] Key Deleted : HKLM\SOFTWARE\Classes\Interface\{63B73044-FC1A-4FE1-991B-FDBD4CDAA868}
[-] Key Deleted : HKLM\SOFTWARE\Classes\Interface\{67E5E37C-E6B8-4782-877D-E9437C4CD982}
[-] Key Deleted : HKLM\SOFTWARE\Classes\Interface\{686D40BC-FA43-4317-8474-E634E6B487F2}
[-] Key Deleted : HKLM\SOFTWARE\Classes\Interface\{863FCF5D-DC39-4DA9-AF32-CB0025990EEE}
[-] Key Deleted : HKLM\SOFTWARE\Classes\Interface\{A310B105-FB7D-4497-A7E8-E046462B012F}
[-] Key Deleted : HKLM\SOFTWARE\Classes\Interface\{B09E015A-4D4E-4F8D-A436-95E19140947D}
[-] Key Deleted : HKLM\SOFTWARE\Classes\Interface\{B1E712C4-03AA-495F-B0F5-0F057E126E2A}
[-] Key Deleted : HKLM\SOFTWARE\Classes\Interface\{DF522774-8CA0-4B15-A93A-5F61AB95DA1C}
[-] Key Deleted : HKLM\SOFTWARE\Classes\Interface\{F9A10D86-182A-4946-869B-70C3D109D14D}
[-] Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{81CA8FCD-1420-4A07-B47D-B30F3DDA79E1}
[-] Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{ADEA3C4E-2184-40A2-9556-488456427E80}
[-] Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{AD34BE7D-2603-43DD-8D1F-E4431D42C44E}
[-] Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{D2EA97F6-6235-4B2D-B5AA-A4472B9CE557}
[-] Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{003028C2-EA1C-4676-A316-B5CB50917002}
[-] Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{0548C79F-7B8C-455D-B228-97D35371BB62}
[-] Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{4A1E52AC-64F2-49E9-BFD7-0806D9494DBB}
[-] Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{61A2027D-B837-4080-A925-6E30E10DEF32}
[-] Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{8A1AB044-787D-4309-8410-709768E484AB}
[-] Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{A31F34A1-EBD2-45A2-BF6D-231C1B987CC8}
[-] Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{FDAD4DA1-61A2-4FD8-9C17-86F7AC245081}
[-] Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{B2BC04DF-EFBD-409A-95CA-36874E5AB92A}
[-] Value Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID [{EEE6C35B-6118-11DC-9C72-001320C79847}]
[-] Value Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID [{EEE6C35C-6118-11DC-9C72-001320C79847}]
[-] Key Deleted : HKCU\Software\DriverTuner
[-] Key Deleted : HKCU\Software\DriverTuner_Init
[-] Key Deleted : HKCU\Software\SlimWare Utilities Inc
[-] Key Deleted : HKCU\Software\Winferno
[-] Key Deleted : HKCU\Software\Yahoo\Companion
[-] Key Deleted : HKCU\Software\Yahoo\YFriendsBar
[-] Key Deleted : HKCU\Software\Ascentive
[-] Key Deleted : HKCU\Software\systweak
[-] Key Deleted : HKU\.DEFAULT\Software\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER\S-1-5-18\Software\StartNow Toolbar
[-] Key Deleted : HKU\.DEFAULT\Software\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER\S-1-5-18\Software\Updater By Sweetpacks
[-] Key Deleted : HKCU\Software\AppDataLow\Software\Yahoo\Companion
[-] Key Deleted : HKLM\SOFTWARE\SlimWare Utilities Inc
[-] Key Deleted : HKLM\SOFTWARE\Winferno
[-] Key Deleted : HKLM\SOFTWARE\Yahoo\Companion
[-] Key Deleted : HKLM\SOFTWARE\systweak
[-] Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Yahoo! Companion
[-] Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Yahoo! Toolbar
[-] Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache\Safe Saver
[-] Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache\Yahoo! Companion
[-] Key Deleted : HKU\.DEFAULT\Software\IM
[-] Key Deleted : HKU\.DEFAULT\Software\ImInstaller
[-] Key Deleted : HKU\.DEFAULT\Software\Viewpoint
[-] Key Deleted : HKU\.DEFAULT\Software\AppDataLow\Software\Yahoo\Companion
[-] Key Deleted : HKCU\Software\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER\S-1-5-21-1921292706-2233922792-2079689605-1000\Software\SweetIM
[-] Key Deleted : HKLM\SOFTWARE\Classes\Installer\UpgradeCodes\A97CEC23332751B47BA4B95BAA50C9D0
[-] Key Deleted : HKCU\Software\Microsoft\Internet Explorer\DOMStorage\ask.com

***** [ Web browsers ] *****

[-] [C:\Users\Matthew\AppData\Local\Google\Chrome\User Data\Default\Web Data] [Search Provider] Deleted : aol.com
[-] [C:\Users\Matthew\AppData\Local\Google\Chrome\User Data\Default\Web Data] [Search Provider] Deleted : ask.com
[-] [C:\Users\Matthew\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences] [Extension] Deleted : epojlgbehpaeekopencdagbdamnkppci
[-] [C:\Users\Matthew\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences] [Extension] Deleted : ogccgbmabaphcakpiclgcnmcnimhokcj

*************************

:: "Tracing" keys deleted
:: Winsock settings cleared

*************************

C:\AdwCleaner\AdwCleaner[C1].txt - [13957 bytes] - [06/05/2016 19:40:35]
C:\AdwCleaner\AdwCleaner[R0].txt - [3686 bytes] - [15/09/2013 21:01:36]
C:\AdwCleaner\AdwCleaner[R1].txt - [9892 bytes] - [28/10/2013 21:06:34]
C:\AdwCleaner\AdwCleaner[R2].txt - [9919 bytes] - [15/10/2014 22:17:23]
C:\AdwCleaner\AdwCleaner[R3].txt - [1339 bytes] - [01/11/2014 20:24:09]
C:\AdwCleaner\AdwCleaner[R4].txt - [1459 bytes] - [02/11/2014 07:52:20]
C:\AdwCleaner\AdwCleaner[R5].txt - [2382 bytes] - [15/11/2014 18:51:26]
C:\AdwCleaner\AdwCleaner[R6].txt - [1768 bytes] - [20/11/2014 19:04:00]
C:\AdwCleaner\AdwCleaner[S0].txt - [4016 bytes] - [15/09/2013 21:05:51]
C:\AdwCleaner\AdwCleaner[S1].txt - [25368 bytes] - [15/10/2014 22:21:40]
C:\AdwCleaner\AdwCleaner[S2].txt - [1414 bytes] - [01/11/2014 20:31:21]
C:\AdwCleaner\AdwCleaner[S3].txt - [1534 bytes] - [02/11/2014 07:54:57]
C:\AdwCleaner\AdwCleaner[S4].txt - [2465 bytes] - [15/11/2014 19:21:34]
C:\AdwCleaner\AdwCleaner[S5].txt - [1679 bytes] - [20/11/2014 19:08:37]

########## EOF - C:\AdwCleaner\AdwCleaner[C1].txt - [14981 bytes] ##########


For Step 3: I have "Yahoo" as one of my main email accounts, but I do not use "Messenger" any more. As for "Real Player", I thought I had "uninstalled" it. And as for "Wildtangent Games", I believe that is under "Dell Games", and I have NOT played those games in many years!! I just checked it, and it asked me to update the game console because it is "out of date". I clicked "maybe later". The main reason I have NOT played those games is that they say they are "free", but they only allow you so much time to play them, and then when that time is up you have to pay to get the game or pay to add more time!! BULL CRAP!!! So I do not play those games!!

Here is a side note that I thought you might be interested in. Yes, it is related to this "Issue": when my computer starts up and then Windows loads, that one malware program, "e4187", tries to load, but I get an error message stating that it cannot find it. I took a screenshot of the error message and I am attaching it (attached file: e4187 load up error.jpg).

 



#10 Struppigel (Karsten Hahn, G DATA Malware Analyst, Malware Response Team)

Posted 07 May 2016 - 12:30 AM

The Real Player components are just leftovers then. I will remove them later. Let's see what is wrong with this pop-up.

 

STEP 1
Uninstall Software

  • Press the Windows Key + r on your keyboard at the same time. Type appwiz.cpl and click OK.
  • Search for the following programmes, right-click and click Uninstall.
    • Wildtangent Games or Dell Games
    • Yahoo! Toolbar
    • Yahoo! Search Protection
    • Yahoo! Install Manager
    • Yahoo! Messenger
    • Yahoo! Software Update
  • Follow the prompts.
  • Note: If you are offered the choice to install additional software, ensure you decline.
  • Reboot if necessary.

STEP 2
Farbar Recovery Scan Tool (FRST) Registry Search

  • Double click FRST.exe to launch it.
  • FRST will start to run.
  • When the tool opens click Yes to the disclaimer.
  • Copy/Paste the following line into the Search: box.
    mshta;a1d55;f2215;e4187;4edd0
  • Press the Search Registry button.
  • When finished searching a log will open on your Desktop ... Search.txt
  • Please rename the file to RegSearch.txt
  • Please attach it to your next reply.

STEP 3
Farbar Recovery Scan Tool (FRST) File Search

  • Double-Click FRST.exe to run the programme.
  • Copy/Paste the following line into the Search: textbox:
    a1d55;f2215;e4187;4edd0
  • Click on the Search File(s) button.
  • Upon completion, a log (Search.txt) will open.
  • Please attach it to your next reply.

STEP 4
RogueKiller

  • Download RogueKiller and save the file to your Desktop.
  • Close any running programs.
  • Right-Click RogueKiller.exe and select Run as administrator to run the program.
  • Allow the Prescan to complete. Upon completion, a window will open. Click Accept.
  • A browser window may open. Close the browser window.
  • Click Scan. Upon completion, click Report.
  • Close the program. Do not fix anything!
  • A log (RKreport.txt) will be open. Attach the log to your next reply.

 

======================================================
 
STEP 5
Logs
In your next reply please include the following logs.

  • Did you successfully uninstall the programmes in Step 1 ?
  • RegSearch.txt
  • Search.txt
  • RKreport.txt
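
The FRST "Search Registry" and "Search File(s)" steps above look for the indicator strings in registry key names, value names, value data and file names. The following PowerShell script is an added example that reproduces that search; it is not code from this thread and not part of FRST. The indicator list is the one from Step 2; the hive roots and the folders searched are my own choices. It only reads, it deletes nothing, and it should be run from an elevated prompt so that the other users' hives under HKEY_USERS are readable.

```powershell
# Added example (not from the thread, not part of FRST): a read-only PowerShell
# equivalent of FRST's "Search Registry" and "Search File(s)" for the indicators
# the helper asked to search for in Steps 2 and 3. Run from an elevated prompt.
$Indicators = @('mshta', 'a1d55', 'f2215', 'e4187', '4edd0')

# Hives to walk (my choice). HKEY_USERS covers every loaded user hive, including
# S-1-5-18 and .DEFAULT, which the AdwCleaner log above shows were also touched.
$RegistryRoots = @('Registry::HKEY_LOCAL_MACHINE\SOFTWARE', 'Registry::HKEY_USERS')

# Folders to walk for the file search (my choice): the per-user AppData trees and ProgramData.
$FileRoots = @($env:LOCALAPPDATA, $env:APPDATA, 'C:\ProgramData')

function Search-RegistryIndicators {
    param([string[]]$Roots, [string[]]$Needles)
    foreach ($root in $Roots) {
        Get-ChildItem -Path $root -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
            $key = $_
            # The key name itself (random-named keys such as HKCU\Software\<hex> count as hits)
            foreach ($n in $Needles) {
                if ($key.PSChildName -like "*$n*") {
                    [pscustomobject]@{ Hit = $n; Key = $key.Name; ValueName = '(key name)'; Data = '' }
                }
            }
            # Value names and data. REG_BINARY data is decoded as ASCII so that an
            # embedded script or path stays searchable; expansion of %VARS% is disabled
            # so the stored text, not the expanded text, is what gets matched.
            foreach ($name in $key.GetValueNames()) {
                $raw = $key.GetValue($name, $null, [Microsoft.Win32.RegistryValueOptions]::DoNotExpandEnvironmentNames)
                $data = if ($raw -is [byte[]]) { [Text.Encoding]::ASCII.GetString($raw) } else { [string]$raw }
                foreach ($n in $Needles) {
                    if ($name -like "*$n*" -or $data -like "*$n*") {
                        [pscustomobject]@{ Hit = $n; Key = $key.Name; ValueName = $name; Data = $data }
                    }
                }
            }
        }
    }
}

function Search-FileIndicators {
    param([string[]]$Roots, [string[]]$Needles)
    foreach ($root in $Roots) {
        # -Force includes hidden and system files, which is where droppers like to sit
        Get-ChildItem -Path $root -Recurse -Force -ErrorAction SilentlyContinue | Where-Object {
            $item = $_
            ($Needles | Where-Object { $item.Name -like "*$_*" }).Count -gt 0
        } | Select-Object FullName, Length, LastWriteTime
    }
}

Search-RegistryIndicators -Roots $RegistryRoots -Needles $Indicators | Format-Table -AutoSize -Wrap
Search-FileIndicators -Roots $FileRoots -Needles $Indicators | Format-Table -AutoSize
```

Two things to keep in mind when reading the output. "mshta" will also match legitimate entries, for example the .hta file association under Classes, so a hit on that string only matters when it appears in a Run/RunOnce value or as the target of a shortcut, which is how a registry-resident Kovter script gets launched. And value names that contain non-printable characters, which regedit cannot display, are still ordinary strings to PowerShell, so the `-like` test matches them too.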

 



#11 Groffeaston (Topic Starter)

Posted 07 May 2016 - 09:19 PM

Step 1: I successfully uninstalled those programs as far as I know of. It did not ask for a restart.

 

Step 2 Log: will include as an attachment.

Step 3 Log:

Farbar Recovery Scan Tool (x86) Version:07-05-2016
Ran by Matthew (2016-05-07 20:18:47)
Running from C:\Users\Matthew\Downloads
Boot Mode: Normal

================== Search Files: "a1d55;f2215;e4187;4edd0" =============

====== End of Search ======

Step 4 Log: I saved it and now I cannot read it!! And I cannot change the File type!! It was supposed to be a .txt file type, but it got named a JSON file which my computer cannot read!!! Now what the heck am I supposed to do?

Also, I am running out of room on my "desktop". Should I delete some of the old logs from previous scans that I used last week in the previous help topic and earlier in this post/topic?




#12 Struppigel (Karsten Hahn, G DATA Malware Analyst, Malware Response Team)

Posted 07 May 2016 - 11:57 PM

    Step 4 Log: I saved it and now I cannot read it!! And I cannot change the File type!! It was supposed to be a .txt file type, but it got named a JSON file which my computer cannot read!!! Now what the heck am I supposed to do?

Attach the file or submit it to my channel.

    Also I am running out of room on my "desktop" should I delete some of the old logs from previous scans that i used from last week in the previous help topic and earlier in this post/topic?

Yes, delete all of the old logs and reports. You won't need them.



#13 Groffeaston (Topic Starter)

Posted 08 May 2016 - 08:40 PM

Okay I posted the file like you asked me to do and I cleaned up the old log files on my "desktop" as well.



#14 Struppigel (Karsten Hahn, G DATA Malware Analyst, Malware Response Team)

Posted 10 May 2016 - 01:20 AM

The malware on your system is taking up a fight and because of that it takes longer than usual to clean. You have been very patient by now. It may take more steps to get rid of the malware, though.

 

STEP 1
RogueKiller Fix

  • Close any running programmes.
  • Right-Click RogueKiller.exe and select Run as administrator to run the programme.
  • Allow the Prescan to complete.
  • A browser window may open. Close the browser window.
  • Click Scan.
  • Upon completion, do the following:
  • Click the Registry tab and place a checkmark next to the following items. Ensure any other items are unchecked.
    • [Suspicious.Path] HKEY_USERS\S-1-5-21-1921292706-2233922792-2079689605-1000\Software\Microsoft\Windows\CurrentVersion\Run | 3ffde836 : "C:\Users\Matthew\AppData\Local\4edd0\f22f5.lnk"
    • [Hj.RegVal] HKEY_LOCAL_MACHINE\RK_Software_ON_D_45C3\Microsoft\Windows NT\CurrentVersion\Winlogon | Shell : cmd.exe /k start cmd.exe
  • Click Delete.
  • Click Report.
  • Copy the contents of the log and paste in your next reply.

STEP 2
Farbar Recovery Scan Tool (FRST) Script

  • Press the Windows Key + r on your keyboard at the same time. Type Notepad and click OK.
  • Copy the entire contents of the codebox below and paste into the Notepad document.
    start
    C:\Users\Matthew\AppData\Local\4edd0
    end
  • Click File, Save As and type fixlist.txt as the File Name.
  • Important: The file must be saved in the same location as FRST.exe.

NOTICE: This script is intended for use on this particular machine. Do not use this script on any other machine; doing so may cause damage to your Operating System.


  • Right-click FRST.exe and select Run as administrator to run the programme.
  • Click Fix.
  • A log (Fixlog.txt) will open on your desktop. Attach the log to your next reply.

 

Please reboot your computer twice now. Then proceed with the following step.

 

STEP 3
Re-Scan with RogueKiller

  • Close any running programs.
  • Right-Click RogueKiller.exe and select Run as administrator to run the program.
  • Allow the Prescan to complete. Upon completion, a window will open. Click Accept.
  • A browser window may open. Close the browser window.
  • Click Scan. Upon completion, click Report.
  • Close the program. Do not fix anything!
  • A log (RKreport.txt) will be open. Attach the log to your next reply

 

======================================================
 
STEP 4
Logs
In your next reply please include the following logs.

  • Roguekiller report (step 1, if attaching does not work, submit the file to my channel)
  • Fixlog.txt (step 2)
  • RKreport.txt (step 3, if attaching does not work, submit the file to my channel)
  • Do you have a blank USB drive?
  • Is the message pop-up at startup still there?

Edited by Curie, 10 May 2016 - 01:26 AM.
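
The two RogueKiller items in Step 1 are the classic pair for this infection: a per-user Run value that starts a .lnk out of a random-named folder under AppData\Local (the shortcut in turn launches a script host, mshta in this case), and a Winlogon "Shell" value that is not explorer.exe. The script below is an added example, not the thread's code and not RogueKiller's or FRST's: it enumerates Run/RunOnce for the machine and for every loaded user hive, flags values that match those patterns, resolves any .lnk it finds so the real target is visible, and reports whether the shortcut still exists. What counts as a "random-named folder" and the expected Winlogon values are my assumptions. It is read-only.

```powershell
# Added example (not from the thread, not RogueKiller's or FRST's code): read-only
# PowerShell triage of the two persistence points RogueKiller flagged in Step 1.
# Assumptions: a "random-named folder" is 4-6 hex characters directly under
# AppData\Local (as in C:\Users\Matthew\AppData\Local\4edd0\f22f5.lnk), and the
# expected Winlogon Shell is exactly explorer.exe.

# Run/RunOnce keys for the machine and for every loaded user hive.
function Get-RunEntries {
    $roots = @('Registry::HKEY_LOCAL_MACHINE\SOFTWARE')
    $roots += Get-ChildItem -Path 'Registry::HKEY_USERS' -ErrorAction SilentlyContinue |
              ForEach-Object { "$($_.PSPath)\Software" }
    foreach ($root in $roots) {
        foreach ($sub in 'Microsoft\Windows\CurrentVersion\Run', 'Microsoft\Windows\CurrentVersion\RunOnce') {
            $key = Get-Item -Path "$root\$sub" -ErrorAction SilentlyContinue
            if (-not $key) { continue }
            foreach ($name in $key.GetValueNames()) {
                [pscustomobject]@{ Key = $key.Name; Name = $name; Command = [string]$key.GetValue($name) }
            }
        }
    }
}

# Read an existing .lnk. CreateShortcut() on a path that already exists opens it
# rather than creating a new one, so this stays read-only as long as Save() is never called.
function Resolve-Shortcut([string]$Path) {
    $shell = New-Object -ComObject WScript.Shell
    $lnk = $shell.CreateShortcut($Path)
    [pscustomobject]@{ Target = $lnk.TargetPath; Arguments = $lnk.Arguments }
}

function Test-RunEntry($Entry) {
    $reasons = @()
    $cmd = $Entry.Command
    if ($cmd -match '\\AppData\\Local\\[0-9a-f]{4,6}\\') { $reasons += 'random-named folder under AppData\Local' }
    if ($cmd -match 'mshta|javascript:|-enc(odedcommand)?\s') { $reasons += 'script host launched from Run key' }
    $path = $cmd.Trim('"')
    if ($path -match '\.lnk$') {
        $reasons += 'Run value is a shortcut, not an executable'
        if (Test-Path -LiteralPath $path) {
            $t = Resolve-Shortcut $path
            $reasons += "shortcut target: $($t.Target) $($t.Arguments)"
            if ("$($t.Target) $($t.Arguments)" -match 'mshta|javascript:') { $reasons += 'shortcut launches mshta' }
        } else {
            # The situation in this thread: the Run value survived but its .lnk is gone,
            # which is what produces the "cannot find" pop-up at logon.
            $reasons += 'shortcut file is missing (orphaned Run value)'
        }
    }
    if ($reasons.Count -gt 0) {
        [pscustomobject]@{ Key = $Entry.Key; Name = $Entry.Name; Command = $cmd; Reasons = ($reasons -join '; ') }
    }
}

# Winlogon: Shell should be exactly explorer.exe. Windows also honours a per-user
# Shell under HKCU, which is normally absent, so both locations are checked.
function Test-Winlogon {
    foreach ($key in 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon',
                     'HKCU:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon') {
        $p = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        if (-not $p) { continue }
        $ok = ($p.Shell -eq 'explorer.exe') -or ($key -like 'HKCU:*' -and $null -eq $p.Shell)
        [pscustomobject]@{ Key = $key; Shell = $p.Shell; ShellOk = $ok; Userinit = $p.Userinit }
    }
}

Get-RunEntries | ForEach-Object { Test-RunEntry $_ } | Format-List
Test-Winlogon | Format-List
```

One caveat on the Winlogon check: the value RogueKiller flagged sits under a key named RK_Software_ON_D_45C3, which is how RogueKiller names a SOFTWARE hive it has loaded from another drive (here D:), not the running system's hive. The script above only inspects the live HKLM and HKCU hives; an offline hive on a second Windows installation has to be mounted (reg load) or examined with a tool that does so before it can be checked the same way.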


#15 Groffeaston (Topic Starter)

Posted 10 May 2016 - 11:51 PM

Hello,

 

Step 1 and 3: Again I tried saving the RogueKiller Logs on my desktop, this time as a ".txt" file, but this time it somehow got changed to a .tmp file. WTF?!!!! I even SPECIFICALLY selected ".txt" as the File type to save them as, but then when I went to open them to copy and paste or to attach them, it said my computer could not read it because it is not a file type that is recognized by Windows. So it looks like I am going to have to submit both of them to your channel. I will post on here as soon as I submit them.

Step 2: here is the Fixlog.txt:

Fix result of Farbar Recovery Scan Tool (x86) Version:09-05-2016
Ran by Matthew (2016-05-10 22:59:37) Run:2
Running from c:\Users\Matthew\Downloads
Loaded Profiles: Matthew (Available Profiles: Matthew)
Boot Mode: Normal

==============================================

fixlist content:
*****************
start
C:\Users\Matthew\AppData\Local\4edd0
end
*****************

"C:\Users\Matthew\AppData\Local\4edd0" => not found.

==== End of Fixlog 22:59:37 ====

I do not have a completely Blank USB drive. I have one that I have saved a few things on, but I can get another one if it is needed.

Yes, that pop-up message keeps appearing on Windows start-up. I have a screenshot of it that I can include if you need it.

I will now submit those 2 RogueKiller log files to your channel.





