AdwCleaner not able to remove MCP

8 replies to this topic

#1 rionel

Posted 04 May 2016 - 03:26 PM

I've used AdwCleaner to try and remove MCP. I ran it three times and it cleaned out most everything, but popups are still showing up and my browser is hijacked by MCP. The Avast Online Security reports that 33 trackers are in use. How can I be rid of this? I followed Aura's advice on this topic to the letter, to no avail.

 

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version:04-05-2016

Ran by Administrator (administrator) on WIA (04-05-2016 15:14:05)
Running from C:\Users\Administrator\Desktop
Loaded Profiles: Administrator (Available Profiles: Wear-It-Again & Administrator & DefaultAppPool)
Platform: Windows 7 Home Premium Service Pack 1 (X64) Language: English (United States)
Internet Explorer Version 11 (Default browser: Chrome)
Boot Mode: Normal
 
==================== Processes (Whitelisted) =================
 
(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)
 
(Lenovo.) C:\Windows\System32\ibmpmsvc.exe
(Microsoft Corporation) C:\Windows\System32\wlanext.exe
(AVAST Software) C:\Program Files\AVAST Software\Avast\AvastSvc.exe
(AVAST Software) C:\Program Files\AVAST Software\Avast\afwServ.exe
(Broadcom Corporation.) C:\Program Files\Lenovo\Bluetooth Software\btwdins.exe
(Microsoft Corporation) C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
(SEIKO EPSON CORPORATION) C:\Program Files\EPSON\EpsonCustomerParticipation\EPCP.exe
(Lenovo) C:\Program Files (x86)\Lenovo\RapidBoot HDD Accelerator\FBService.exe
(Intel® Corporation) C:\Program Files\Intel\iCLS Client\HeciServer.exe
() C:\Program Files (x86)\Intel\Intel® Management Engine Components\FWService\IntelMeFWService.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\DAL\Jhi_service.exe
(Lenovo Group Limited) C:\Program Files\Lenovo\Communications Utility\CamMute.exe
(Lenovo Group Limited) C:\Program Files\Lenovo\Communications Utility\TPKNRSVC.exe
(Lenovo Group Limited) C:\Program Files\Lenovo\Communications Utility\vcamsvc.exe
(Lenovo Group Limited) C:\Program Files\Lenovo\VIRTSCRL\lvvsst.exe
(Microsoft Corporation) C:\Windows\Microsoft.NET\Framework64\v3.0\Windows Communication Foundation\SMSvcHost.exe
(Nitro PDF Software) C:\Program Files\Nitro\Pro 10\NitroPDFDriverService10x64.exe
() C:\Program Files\Nitro\Pro 10\Nitro_UpdateService.exe
(Nalpeiron Ltd.) C:\Windows\SysWOW64\NLSSRV32.EXE
(Apple Inc.) C:\Program Files (x86)\Common Files\Research In Motion\Tunnel Manager\mDNSResponder.exe
(Lenovo Group Limited) C:\Program Files\Lenovo\HOTKEY\TPHKSVC.exe
(Seiko Epson Corporation) C:\Windows\System32\escsvc64.exe
(Lenovo Group Limited) C:\Program Files\Lenovo\HOTKEY\tpnumlk.exe
(Microsoft Corporation) C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe
(Lenovo Group Limited) C:\Program Files\Lenovo\HOTKEY\tphkload.exe
(Lenovo Group Limited) C:\Program Files\Lenovo\VIRTSCRL\virtscrl.exe
(Microsoft Corporation) C:\Windows\System32\rundll32.exe
(Lenovo Group Limited) C:\Program Files\Lenovo\HOTKEY\TPONSCR.exe
(Google Inc.) C:\Program Files (x86)\Google\Update\1.3.29.5\GoogleCrashHandler.exe
(Lenovo Group Limited) C:\Program Files\Lenovo\HOTKEY\shtctky.exe
(Google Inc.) C:\Program Files (x86)\Google\Update\1.3.29.5\GoogleCrashHandler64.exe
(Lenovo Group Limited) C:\Program Files\Lenovo\HOTKEY\tpnumlkd.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
(Intel Corporation) C:\Windows\System32\igfxpers.exe
(Intel Corporation) C:\Windows\System32\igfxtray.exe
(Intel Corporation) C:\Windows\System32\hkcmd.exe
(Synaptics Incorporated) C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
(Microsoft Corporation) C:\Windows\System32\StikyNot.exe
(Broadcom Corporation.) C:\Program Files\Lenovo\Bluetooth Software\BTTray.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe
(Synaptics Incorporated) C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
(AVAST Software) C:\Program Files\AVAST Software\Avast\AvastUI.exe
(SEIKO EPSON CORPORATION) C:\Program Files (x86)\EPSON Software\Event Manager\EEventManager.exe
(SEIKO EPSON CORPORATION) C:\Program Files (x86)\EPSON Software\FAX Utility\FUFAXRCV.exe
(SEIKO EPSON CORPORATION) C:\Program Files (x86)\EPSON Software\FAX Utility\FUFAXSTM.exe
(Oracle Corporation) C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
(Microsoft Corporation) C:\Windows\SysWOW64\rundll32.exe
(Microsoft Corporation) C:\Windows\System32\GWX\GWX.exe
(Broadcom Corporation.) C:\Program Files\Lenovo\Bluetooth Software\BTStackServer.exe
(Tific AB) C:\Program Files (x86)\Common Files\Tific\Tific Client G1\Tific System Service.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\LMS\LMS.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe
(Lenovo) C:\Program Files\Lenovo\Lenovo Solution Center\LSCNotify.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Oracle Corporation) C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Microsoft Corporation) C:\Windows\System32\rundll32.exe
(Adobe Systems Incorporated) C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Avast Software) C:\Program Files\AVAST Software\SZBrowser\1.48.2066.101\SZBrowser.exe
(Avast Software) C:\Program Files\AVAST Software\SZBrowser\1.48.2066.101\SZBrowser_crashreporter.exe
(Avast Software) C:\Program Files\AVAST Software\SZBrowser\1.48.2066.101\SZBrowser.exe
(Avast Software) C:\Program Files\AVAST Software\SZBrowser\1.48.2066.101\SZBrowser.exe
(Avast Software) C:\Program Files\AVAST Software\SZBrowser\1.48.2066.101\SZBrowser.exe
(Avast Software) C:\Program Files\AVAST Software\SZBrowser\1.48.2066.101\SZBrowser.exe
(Avast Software) C:\Program Files\AVAST Software\SZBrowser\1.48.2066.101\SZBrowser.exe
(Avast Software) C:\Program Files\AVAST Software\SZBrowser\1.48.2066.101\SZBrowser.exe
(Avast Software) C:\Program Files\AVAST Software\SZBrowser\1.48.2066.101\SZBrowser.exe
(Avast Software) C:\Program Files\AVAST Software\SZBrowser\1.48.2066.101\SZBrowser.exe
(Avast Software) C:\Program Files\AVAST Software\SZBrowser\1.48.2066.101\SZBrowser.exe
(Avast Software) C:\Program Files\AVAST Software\SZBrowser\1.48.2066.101\SZBrowser.exe
(Avast Software) C:\Program Files\AVAST Software\SZBrowser\1.48.2066.101\SZBrowser.exe
(Microsoft Corporation) C:\Windows\SysWOW64\cmd.exe
() C:\Program Files\AVAST Software\Avast\AvastNM.exe
(Avast Software) C:\Program Files\AVAST Software\SZBrowser\1.48.2066.101\SZBrowser.exe
(Avast Software) C:\Program Files\AVAST Software\SZBrowser\1.48.2066.101\SZBrowser.exe
(Avast Software) C:\Program Files\AVAST Software\SZBrowser\1.48.2066.101\SZBrowser.exe
(Avast Software) C:\Program Files\AVAST Software\SZBrowser\1.48.2066.101\SZBrowser.exe
(Avast Software) C:\Program Files\AVAST Software\SZBrowser\1.48.2066.101\SZBrowser.exe
(Avast Software) C:\Program Files\AVAST Software\SZBrowser\1.48.2066.101\SZBrowser.exe
(Avast Software) C:\Program Files\AVAST Software\SZBrowser\1.48.2066.101\SZBrowser.exe
(Avast Software) C:\Program Files\AVAST Software\SZBrowser\1.48.2066.101\SZBrowser.exe
(Avast Software) C:\Program Files\AVAST Software\SZBrowser\1.48.2066.101\SZBrowser.exe
(Microsoft Corporation) C:\Windows\SysWOW64\cmd.exe
() C:\Program Files\AVAST Software\Avast\AvastNM.exe
(Avast Software) C:\Program Files\AVAST Software\SZBrowser\1.48.2066.101\SZBrowser.exe
(The OpenVPN Project) C:\Program Files\AVAST Software\Avast\OpenVPN\openvpn.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
 
 
==================== Registry (Whitelisted) ===========================
 
(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)
 
HKLM\...\Run: [RTHDVCPL] => C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe [13196432 2012-09-25] (Realtek Semiconductor)
HKLM\...\Run: [SynTPEnh] => C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [2908984 2012-07-12] (Synaptics Incorporated)
HKLM-x32\...\Run: [Fastboot] => C:\Program Files (x86)\Lenovo\RapidBoot HDD Accelerator\FBConsole.exe [733936 2013-07-02] (Lenovo)
HKLM-x32\...\Run: [LTCM Client] => C:\Program Files (x86)\LTCM Client\ltcmClient.exe [1596096 2009-08-05] (Leader Technologies Inc.)
HKLM-x32\...\Run: [USB3MON] => C:\Program Files (x86)\Intel\Intel® USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe [291608 2012-03-26] (Intel Corporation)
HKLM-x32\...\Run: [AvastUI.exe] => C:\Program Files\AVAST Software\Avast\AvastUI.exe [7391632 2016-05-03] (AVAST Software)
HKLM-x32\...\Run: [RIMBBLaunchAgent.exe] => C:\Program Files (x86)\Common Files\Research In Motion\USB Drivers\RIMBBLaunchAgent.exe
HKLM-x32\...\Run: [RIM PeerManager] => "C:\Program Files (x86)\Common Files\Research In Motion\Tunnel Manager\PeerManager.exe"
HKLM-x32\...\Run: [EEventManager] => C:\Program Files (x86)\Epson Software\Event Manager\EEventManager.exe [1058400 2012-01-26] (SEIKO EPSON CORPORATION)
HKLM-x32\...\Run: [FUFAXRCV] => C:\Program Files (x86)\Epson Software\FAX Utility\FUFAXRCV.exe [642664 2013-12-24] (SEIKO EPSON CORPORATION)
HKLM-x32\...\Run: [FUFAXSTM] => C:\Program Files (x86)\Epson Software\FAX Utility\FUFAXSTM.exe [863848 2013-12-24] (SEIKO EPSON CORPORATION)
HKLM-x32\...\Run: [SunJavaUpdateSched] => C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe [596528 2015-11-09] (Oracle Corporation)
Winlogon\Notify\igfxcui: C:\Windows\system32\igfxdev.dll (Intel Corporation)
HKU\S-1-5-21-3591202183-1233023162-4214933117-500\...\Run: [RESTART_STICKY_NOTES] => C:\Windows\System32\StikyNot.exe [427520 2009-07-13] (Microsoft Corporation)
HKU\S-1-5-21-3591202183-1233023162-4214933117-500\...\RunOnce: [Uninstall C:\Users\Administrator\AppData\Local\Microsoft\OneDrive\17.3.5951.0827] => C:\Windows\system32\cmd.exe /q /c rmdir /s /q "C:\Users\Administrator\AppData\Local\Microsoft\OneDrive\17.3.5951.0827"
HKU\S-1-5-21-3591202183-1233023162-4214933117-500\...\MountPoints2: {a7466ec6-7abf-11e3-baab-806e6f6e6963} - Q:\LenovoQDrive.exe
Lsa: [Notification Packages] scecli C:\Program Files\Lenovo\Bluetooth Software\BtwProximityCP.dll
ShellIconOverlayIdentifiers: [00avast] -> {472083B0-C522-11CF-8763-00608CC02F24} => C:\Program Files\AVAST Software\Avast\ashShA64.dll [2016-05-03] (AVAST Software)
ShellIconOverlayIdentifiers: [SugarSyncBackedUp] -> {0C4A258A-3F3B-4FFF-80A7-9B3BEC139472} => C:\Program Files (x86)\SugarSync\SugarSyncShellExt_x64.dll [2012-09-19] (SugarSync, Inc.)
ShellIconOverlayIdentifiers: [SugarSyncPending] -> {62CCD8E3-9C21-41E1-B55E-1E26DFC68511} => C:\Program Files (x86)\SugarSync\SugarSyncShellExt_x64.dll [2012-09-19] (SugarSync, Inc.)
ShellIconOverlayIdentifiers: [SugarSyncRoot] -> {A759AFF6-5851-457D-A540-F4ECED148351} => C:\Program Files (x86)\SugarSync\SugarSyncShellExt_x64.dll [2012-09-19] (SugarSync, Inc.)
ShellIconOverlayIdentifiers: [SugarSyncShared] -> {1574C9EF-7D58-488F-B358-8B78C1538F51} => C:\Program Files (x86)\SugarSync\SugarSyncShellExt_x64.dll [2012-09-19] (SugarSync, Inc.)
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Bluetooth.lnk [2014-01-11]
ShortcutTarget: Bluetooth.lnk -> C:\Program Files\Lenovo\Bluetooth Software\BTTray.exe (Broadcom Corporation.)
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Quick Connect.lnk [2015-01-27]
ShortcutTarget: Quick Connect.lnk -> C:\Program Files (x86)\Tific\Tific Client G1\Tific.exe (Tific)
BootExecute: autocheck autochk * aswBoot.exe /M:11cac8a9 /wow /dir:"C:\Program Files\AVAST Software\Avast"
 
==================== Internet (Whitelisted) ====================
 
(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)
 
AutoConfigURL: [S-1-5-21-3591202183-1233023162-4214933117-500] => hxxp://unstops.net/wpad.dat?323431b7d4638134f39f784b4e86a2059679470
Hosts: There are more than one entry in Hosts. See Hosts section of Addition.txt
Tcpip\Parameters: [DhcpNameServer] 192.168.1.254
Tcpip\..\Interfaces\{3A86E81B-8243-4C2E-A101-938E46261D70}: [DhcpNameServer] 172.168.111.2
Tcpip\..\Interfaces\{473EED9E-EF61-4A63-BA5D-2387F6CAE776}: [NameServer] 77.234.40.79
Tcpip\..\Interfaces\{E18656E3-AC6A-4C41-8CE1-FBD693257F40}: [DhcpNameServer] 192.168.1.254
ManualProxies: 0hxxp://unstops.net/wpad.dat?323431b7d4638134f39f784b4e86a2059679470
 
Internet Explorer:
==================
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Local Page = 
SearchScopes: HKLM-x32 -> {EFE522B3-7ABD-49CB-A5C3-A2AFBBA83B9D} URL = hxxps://www.google.com/search?q={searchTerms}
SearchScopes: HKU\.DEFAULT -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
SearchScopes: HKU\S-1-5-19 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
SearchScopes: HKU\S-1-5-20 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
SearchScopes: HKU\S-1-5-21-3591202183-1233023162-4214933117-500 -> DefaultScope {D18F19F8-F63E-4146-BBA1-A2542D98651A} URL = hxxps://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:{language}:{referrer:source}&ie={inputEncoding?}&oe={outputEncoding?}
SearchScopes: HKU\S-1-5-21-3591202183-1233023162-4214933117-500 -> {4C918B4F-6F5D-4F9A-9D47-AFD350B57DD6} URL = hxxps://search.yahoo.com/search?p={searchTerms}&b={startPage?}&fr=ie8
SearchScopes: HKU\S-1-5-21-3591202183-1233023162-4214933117-500 -> {AAE500E4-9565-43EB-A46F-B956D6B121E0} URL = 
SearchScopes: HKU\S-1-5-21-3591202183-1233023162-4214933117-500 -> {D18F19F8-F63E-4146-BBA1-A2542D98651A} URL = hxxps://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:{language}:{referrer:source}&ie={inputEncoding?}&oe={outputEncoding?}
BHO: Lync Browser Helper -> {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} -> C:\Program Files (x86)\Microsoft Office\root\VFS\ProgramFilesX64\Microsoft Office\Office16\OCHelper.dll [2015-12-04] (Microsoft Corporation)
BHO: avast! Online Security -> {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} -> C:\Program Files\AVAST Software\Avast\aswWebRepIE64.dll [2016-05-03] (AVAST Software)
BHO: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files (x86)\Microsoft Office\root\VFS\ProgramFilesX64\Microsoft Office\Office16\URLREDIR.DLL [2015-12-04] (Microsoft Corporation)
BHO: Microsoft OneDrive for Business Browser Helper -> {D0498E0A-45B7-42AE-A9AA-ABA463DBD3BF} -> C:\Program Files (x86)\Microsoft Office\root\VFS\ProgramFilesX64\Microsoft Office\Office16\GROOVEEX.DLL [2015-12-04] (Microsoft Corporation)
BHO-x32: E-Web Print -> {201CF130-E29C-4E5C-A73F-CD197DEFA6AE} -> C:\Program Files (x86)\Epson Software\E-Web Print\ewps_tb.dll [2014-11-27] (SEIKO EPSON CORPORATION)
BHO-x32: Java™ Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files (x86)\Java\jre1.8.0_66\bin\ssv.dll [2015-11-19] (Oracle Corporation)
BHO-x32: avast! Online Security -> {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} -> C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll [2016-05-03] (AVAST Software)
BHO-x32: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files (x86)\Microsoft Office\root\Office16\URLREDIR.DLL [2015-12-04] (Microsoft Corporation)
BHO-x32: Java™ Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files (x86)\Java\jre1.8.0_66\bin\jp2ssv.dll [2015-11-19] (Oracle Corporation)
Toolbar: HKLM-x32 - E-Web Print - {201CF130-E29C-4E5C-A73F-CD197DEFA6AE} - C:\Program Files (x86)\Epson Software\E-Web Print\ewps_tb.dll [2014-11-27] (SEIKO EPSON CORPORATION)
Handler-x32: mso-minsb-roaming.16 - {83C25742-A9F7-49FB-9138-434302C88D07} - C:\Program Files (x86)\Microsoft Office\root\Office16\MSOSB.DLL [2015-12-04] (Microsoft Corporation)
Handler-x32: mso-minsb.16 - {42089D2D-912D-4018-9087-2B87803E93FB} - C:\Program Files (x86)\Microsoft Office\root\Office16\MSOSB.DLL [2015-12-04] (Microsoft Corporation)
Handler-x32: osf-roaming.16 - {42089D2D-912D-4018-9087-2B87803E93FB} - C:\Program Files (x86)\Microsoft Office\root\Office16\MSOSB.DLL [2015-12-04] (Microsoft Corporation)
Handler-x32: osf.16 - {5504BE45-A83B-4808-900A-3A5C36E7F77A} - C:\Program Files (x86)\Microsoft Office\root\Office16\MSOSB.DLL [2015-12-04] (Microsoft Corporation)
 
FireFox:
========
FF Plugin: @adobe.com/FlashPlayer -> C:\Windows\system32\Macromed\Flash\NPSWF64_21_0_0_213.dll [2016-04-27] ()
FF Plugin: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files\Microsoft Silverlight\5.1.40728.0\npctrl.dll [2015-07-28] ( Microsoft Corporation)
FF Plugin-x32: @adobe.com/FlashPlayer -> C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_21_0_0_213.dll [2016-04-27] ()
FF Plugin-x32: @intel-webapi.intel.com/Intel WebAPI ipt;version=2.0.59 -> C:\Program Files (x86)\Intel\Intel® Management Engine Components\IPT\npIntelWebAPIIPT.dll [2012-01-05] (Intel Corporation)
FF Plugin-x32: @intel-webapi.intel.com/Intel WebAPI updater -> C:\Program Files (x86)\Intel\Intel® Management Engine Components\IPT\npIntelWebAPIUpdater.dll [2012-01-05] (Intel Corporation)
FF Plugin-x32: @java.com/DTPlugin,version=11.66.2 -> C:\Program Files (x86)\Java\jre1.8.0_66\bin\dtplugin\npDeployJava1.dll [2015-11-19] (Oracle Corporation)
FF Plugin-x32: @java.com/JavaPlugin,version=11.66.2 -> C:\Program Files (x86)\Java\jre1.8.0_66\bin\plugin2\npjp2.dll [2015-11-19] (Oracle Corporation)
FF Plugin-x32: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin-x32: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files (x86)\Microsoft Silverlight\5.1.40728.0\npctrl.dll [2015-07-28] ( Microsoft Corporation)
FF Plugin-x32: @microsoft.com/SharePoint,version=14.0 -> C:\Program Files (x86)\Microsoft Office\root\Office16\NPSPWRAP.DLL [2015-12-04] (Microsoft Corporation)
FF Plugin-x32: @RIM.com/WebSLLauncher,version=1.0 -> C:\Program Files (x86)\Common Files\Research In Motion\BBWebSLLauncher\NPWebSLLauncher.dll [2014-06-24] ()
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.29.5\npGoogleUpdate3.dll [2016-02-03] (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.29.5\npGoogleUpdate3.dll [2016-02-03] (Google Inc.)
FF Plugin-x32: Adobe Reader -> C:\Program Files (x86)\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll [2015-04-29] (Adobe Systems Inc.)
FF HKLM\...\Firefox\Extensions: [wrc@avast.com] - C:\Program Files\AVAST Software\Avast\WebRep\FF
FF Extension: Avast Online Security - C:\Program Files\AVAST Software\Avast\WebRep\FF [2016-05-03]
FF HKLM-x32\...\Firefox\Extensions: [wrc@avast.com] - C:\Program Files\AVAST Software\Avast\WebRep\FF
FF HKLM-x32\...\Firefox\Extensions: [e-webprint@epson.com] - C:\Program Files (x86)\Epson Software\E-Web Print\Firefox Add-on
FF Extension: E-Web Print - C:\Program Files (x86)\Epson Software\E-Web Print\Firefox Add-on [2015-08-17] [not signed]
FF HKLM-x32\...\Firefox\Extensions: [sp@avast.com] - C:\Program Files\AVAST Software\Avast\SafePrice\FF
FF Extension: Avast SafePrice - C:\Program Files\AVAST Software\Avast\SafePrice\FF [2016-05-03]
 
Chrome: 
=======
CHR StartupUrls: Default -> "about:blank"
CHR Plugin: (Widevine Content Decryption Module) - C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\WidevineCDM\1.4.8.885\_platform_specific\win_x86\widevinecdmadapter.dll (Google Inc.)
CHR Plugin: (Shockwave Flash) - C:\Program Files (x86)\Google\Chrome\Application\50.0.2661.94\PepperFlash\pepflashplayer.dll ()
CHR Profile: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default
CHR Extension: (Google Slides) - C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek [2015-02-11]
CHR Extension: (Google Docs) - C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake [2015-02-11]
CHR Extension: (Google Drive) - C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2015-10-21]
CHR Extension: (YouTube) - C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2015-09-24]
CHR Extension: (Google Search) - C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf [2015-10-27]
CHR Extension: (Google Sheets) - C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap [2015-02-11]
CHR Extension: (Google Docs Offline) - C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi [2016-03-14]
CHR Extension: (Avast Online Security) - C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\gomekmidlodglbbmalcneegieacbdmki [2016-05-03]
CHR Extension: (Video Ad Blocker Plus) - C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\hegneaniplmfjcmohoclabblbahcbjoe [2016-04-27]
CHR Extension: (Chrome Web Store Payments) - C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2016-04-02]
CHR Extension: (Gmail) - C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2015-03-28]
CHR Extension: (Sci-Hub) - C:\Users\Administrator\Desktop\sci-hub\Sci-Hub [2016-04-03] [UpdateUrl: hxxps://extension.sci-hub.io/update] <==== ATTENTION
CHR HKU\S-1-5-21-3591202183-1233023162-4214933117-500\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [hegneaniplmfjcmohoclabblbahcbjoe] - hxxp://clients2.google.com/service/update2/crx
CHR HKLM-x32\...\Chrome\Extension: [emhginjpijfggbofeediiojmdlmlkoik] - C:\Program Files\AVAST Software\Avast\pam\Chrome\pam.crx [2016-05-03]
CHR HKLM-x32\...\Chrome\Extension: [gomekmidlodglbbmalcneegieacbdmki] - C:\Program Files\AVAST Software\Avast\WebRep\Chrome\aswWebRepChrome.crx [2016-05-03]
CHR HKLM-x32\...\Chrome\Extension: [hegneaniplmfjcmohoclabblbahcbjoe] - hxxp://clients2.google.com/service/update2/crx
 
==================== Services (Whitelisted) ========================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
R2 avast! Antivirus; C:\Program Files\AVAST Software\Avast\AvastSvc.exe [243296 2016-05-03] (AVAST Software)
R2 avast! Firewall; C:\Program Files\AVAST Software\Avast\afwServ.exe [370656 2016-05-03] (AVAST Software)
R2 btwdins; C:\Program Files\Lenovo\Bluetooth Software\btwdins.exe [945440 2012-02-01] (Broadcom Corporation.)
R2 ClickToRunSvc; C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe [2748600 2015-12-04] (Microsoft Corporation)
R2 EpsonScanSvc; C:\Windows\system32\EscSvc64.exe [135824 2011-12-12] (Seiko Epson Corporation)
R2 FastbootService; C:\Program Files (x86)\Lenovo\RapidBoot HDD Accelerator\FBService.exe [140016 2013-07-02] (Lenovo)
R2 Intel® ME Service; C:\Program Files (x86)\Intel\Intel® Management Engine Components\FWService\IntelMeFWService.exe [128280 2012-03-06] ()
R2 jhi_service; C:\Program Files (x86)\Intel\Intel® Management Engine Components\DAL\jhi_service.exe [163608 2012-03-06] (Intel Corporation)
R2 LENOVO.TVTVCAM; C:\Program Files\Lenovo\Communications Utility\vcamsvc.exe [187688 2013-05-29] (Lenovo Group Limited)
R2 Lenovo.VIRTSCRLSVC; C:\Program Files\LENOVO\VIRTSCRL\lvvsst.exe [136288 2012-08-10] (Lenovo Group Limited)
S3 LSCWinService; C:\Program Files\Lenovo\Lenovo Solution Center\App\LSCWinService.exe [272776 2014-09-03] ()
R2 NitroDriverReadSpool10; C:\Program Files\Nitro\Pro 10\NitroPDFDriverService10x64.exe [324760 2015-05-26] (Nitro PDF Software)
R2 NitroUpdateService; C:\Program Files\Nitro\Pro 10\Nitro_UpdateService.exe [418968 2015-05-26] ()
R2 RIM MDNS; C:\Program Files (x86)\Common Files\Research In Motion\Tunnel Manager\mDNSResponder.exe [389632 2014-06-23] (Apple Inc.) [File not signed]
S3 SUService; C:\Program Files (x86)\Lenovo\System Update\SUService.exe [24560 2014-06-18] ()
R3 Tific System Service; C:\Program Files (x86)\Common Files\Tific\Tific Client G1\Tific System Service.exe [1701160 2014-12-18] (Tific AB)
R2 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [1011712 2014-01-11] (Microsoft Corporation)
S4 AvastVBoxSvc; C:\Program Files\AVAST Software\Avast\ng\vbox\AvastVBoxSVC.exe [X]
S3 BlackBerry Device Manager; "C:\Program Files (x86)\Common Files\Research In Motion\USB Drivers\BbDevMgr.exe" [X]
S2 McAPExe; "C:\Program Files\McAfee\MSC\McAPExe.exe" [X]
S4 McMPFSvc; "C:\Program Files\Common Files\McAfee\Platform\McSvcHost\McSvHost.exe" /McCoreSvc [X]
S2 RIM Tunnel Service; "C:\Program Files (x86)\Common Files\Research In Motion\Tunnel Manager\tunmgr.exe" service [X]
 
===================== Drivers (Whitelisted) ==========================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
R2 aswHwid; C:\Windows\system32\drivers\aswHwid.sys [37656 2016-05-03] (AVAST Software)
R1 aswKbd; C:\Windows\system32\drivers\aswKbd.sys [37144 2016-05-03] (AVAST Software)
R2 aswMonFlt; C:\Windows\system32\drivers\aswMonFlt.sys [107792 2016-05-03] (AVAST Software)
R3 aswNetNd6; C:\Windows\System32\DRIVERS\aswNetNd6.sys [28312 2016-05-03] (AVAST Software)
R1 aswNetSec; C:\Windows\system32\drivers\aswNetSec.sys [536312 2016-05-03] (AVAST Software)
R1 aswRdr; C:\Windows\system32\drivers\aswRdr2.sys [103064 2016-05-03] (AVAST Software)
R0 aswRvrt; C:\Windows\System32\Drivers\aswRvrt.sys [74544 2016-05-03] (AVAST Software)
R1 aswSnx; C:\Windows\system32\drivers\aswSnx.sys [1070904 2016-05-03] (AVAST Software)
R1 aswSP; C:\Windows\system32\drivers\aswSP.sys [465792 2016-05-03] (AVAST Software)
R2 aswStm; C:\Windows\system32\drivers\aswStm.sys [166432 2016-05-03] (AVAST Software)
R3 aswTap; C:\Windows\System32\DRIVERS\aswTap.sys [44640 2015-01-27] (The OpenVPN Project)
R0 aswVmm; C:\Windows\System32\Drivers\aswVmm.sys [287528 2016-05-03] (AVAST Software)
R3 bcbtums; C:\Windows\System32\drivers\bcbtums.sys [134696 2012-02-01] (Broadcom Corporation.)
S3 ebdrv; C:\Windows\system32\drivers\evbda.sys [3286016 2009-06-10] (Broadcom Corporation)
S3 Fastboot; C:\Windows\System32\DRIVERS\fastboot.sys [56048 2013-07-02] (Windows ® Win 7 DDK provider)
S3 RimUsb; C:\Windows\System32\Drivers\RimUsb_AMD64.sys [79872 2013-12-02] (BlackBerry Limited)
R3 rimvndis; C:\Windows\System32\Drivers\rimvndis6_AMD64.sys [17920 2014-06-23] (Research in Motion Limited)
R3 SmbDrvI; C:\Windows\System32\DRIVERS\Smb_driver_Intel.sys [27960 2012-07-12] (Synaptics Incorporated)
R3 TVTI2C; C:\Windows\System32\DRIVERS\Tvti2c.sys [40248 2011-05-29] (Lenovo Information Product(ShenZhen China) Inc.)
R3 tvtvcamd; C:\Windows\System32\DRIVERS\tvtvcamd.sys [27432 2011-12-08] (ThinkVantage Communications Utility)
S3 usbohci; C:\Windows\system32\drivers\usbohci.sys [25600 2014-01-11] (Microsoft Corporation) [File not signed]
S3 usbrndis6; C:\Windows\System32\DRIVERS\usb80236.sys [19968 2014-01-11] (Microsoft Corporation)
S3 usbuhci; C:\Windows\system32\drivers\usbuhci.sys [30720 2014-01-11] (Microsoft Corporation) [File not signed]
R3 vm331avs; C:\Windows\System32\Drivers\vm331avs.sys [1045248 2013-03-01] (Vimicro Corporation)
 
==================== NetSvcs (Whitelisted) ===================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
 
==================== One Month Created files and folders ========
 
(If an entry is included in the fixlist, the file/folder will be moved.)
 
2016-05-04 15:14 - 2016-05-04 15:15 - 00028909 _____ C:\Users\Administrator\Desktop\FRST.txt
2016-05-04 15:13 - 2016-05-04 15:14 - 00000000 ____D C:\FRST
2016-05-04 15:11 - 2016-05-04 15:11 - 02377216 _____ (Farbar) C:\Users\Administrator\Desktop\FRST64.exe
2016-05-04 11:27 - 2016-05-04 11:27 - 00002138 _____ C:\Users\Administrator\Desktop\AdwCleaner[C5].txt
2016-05-04 11:27 - 2016-05-04 11:27 - 00001227 _____ C:\Users\Administrator\Desktop\AdwCleaner - Shortcut.lnk
2016-05-03 14:51 - 2016-05-04 10:57 - 00000545 _____ C:\Users\Administrator\Desktop\MTB.txt
2016-05-03 14:48 - 2016-05-03 14:48 - 00891392 _____ (Farbar) C:\Users\Administrator\Desktop\MiniToolBox.exe
2016-05-03 14:29 - 2016-05-03 14:29 - 03615296 _____ C:\Users\Administrator\Downloads\AdwCleaner.exe
2016-05-03 14:26 - 2016-05-03 14:26 - 00000000 ____D C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Bluetooth Devices
2016-05-03 14:12 - 2016-05-03 14:12 - 00006519 _____ C:\Users\Administrator\Documents\AdwCleaner[C1].txt
2016-05-03 14:01 - 2016-05-03 14:01 - 03615296 _____ C:\Users\Administrator\Downloads\adwcleaner_5.115.exe
2016-05-03 13:40 - 2016-05-03 13:40 - 00000000 ____D C:\Users\Administrator\AppData\Roaming\MCorp
2016-05-03 05:39 - 2016-05-03 05:39 - 00398152 _____ (AVAST Software) C:\Windows\system32\aswBoot.exe
2016-05-03 05:38 - 2016-05-03 05:38 - 00052184 _____ (AVAST Software) C:\Windows\avastSS.scr
2016-05-03 05:38 - 2016-05-03 05:38 - 00028312 _____ (AVAST Software) C:\Windows\system32\Drivers\aswNetNd6.sys
2016-05-03 05:31 - 2016-05-03 05:32 - 03615296 _____ C:\Users\Administrator\Downloads\EDFC.tmp
2016-05-02 21:07 - 2016-05-02 21:07 - 00000000 _____ C:\Windows\SysWOW64\Number of results
2016-05-02 20:35 - 2016-05-04 11:24 - 00000000 ____D C:\Program Files (x86)\-1462239346---
2016-05-01 16:09 - 2016-05-01 16:09 - 00014745 _____ C:\Users\Administrator\Desktop\fyea.jpg-large
2016-04-27 23:08 - 2016-04-27 23:08 - 07021280 _____ (Microsoft Corporation) C:\Users\Administrator\Downloads\Silverlight.exe
2016-04-27 10:36 - 2016-04-27 10:36 - 00000000 ____D C:\Users\Administrator\AppData\Local\Macromedia
2016-04-27 05:38 - 2016-05-03 14:07 - 00000860 _____ C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Start Tor Browser.lnk
2016-04-27 05:38 - 2016-05-03 14:07 - 00000812 _____ C:\Users\Administrator\Desktop\Start Tor Browser.lnk
2016-04-27 05:37 - 2016-05-03 14:07 - 00000000 ____D C:\Users\Administrator\Desktop\Tor Browser
2016-04-27 03:29 - 2016-04-27 03:32 - 43833160 _____ C:\Users\Administrator\Downloads\torbrowser-install-5.5.5_en-US.exe
2016-04-14 16:57 - 2016-04-14 16:57 - 00003590 _____ C:\Windows\System32\Tasks\klcp_update
2016-04-14 16:57 - 2016-04-14 16:57 - 00000000 ____D C:\Users\Administrator\AppData\Roaming\Mozilla
2016-04-14 16:56 - 2016-04-14 16:56 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\K-Lite Codec Pack
2016-04-14 16:56 - 2016-04-14 16:56 - 00000000 ____D C:\Program Files (x86)\K-Lite Codec Pack
2016-04-14 16:47 - 2016-04-14 19:18 - 00000000 ____D C:\Users\Administrator\Desktop\New folder
2016-04-05 12:45 - 2016-04-05 12:45 - 00000000 ____D C:\Users\Administrator\AppData\LocalLow\Temp
2016-04-04 05:57 - 2016-04-04 05:57 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\7-Zip
2016-04-04 05:57 - 2016-04-04 05:57 - 00000000 ____D C:\Program Files\7-Zip
2016-04-04 04:18 - 2016-04-04 04:32 - 00000000 ____D C:\Users\Administrator\Desktop\Kindle
 
==================== One Month Modified files and folders ========
 
(If an entry is included in the fixlist, the file/folder will be moved.)
 
2016-05-04 14:45 - 2014-05-28 12:53 - 00000898 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2016-05-04 14:42 - 2016-01-16 13:47 - 00000000 ____D C:\Users\Administrator\Desktop\1111
2016-05-04 11:36 - 2015-01-27 09:31 - 00000000 ____D C:\AdwCleaner
2016-05-04 11:33 - 2009-07-13 23:45 - 00031472 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2016-05-04 11:33 - 2009-07-13 23:45 - 00031472 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2016-05-04 11:31 - 2015-02-11 02:06 - 00914482 _____ C:\IFRToolLog.txt
2016-05-04 11:31 - 2009-07-14 00:13 - 00906536 _____ C:\Windows\system32\PerfStringBackup.INI
2016-05-04 11:31 - 2009-07-13 22:20 - 00000000 ____D C:\Windows\inf
2016-05-04 11:26 - 2015-02-11 02:06 - 00000000 ____D C:\Users\Administrator\AppData\Roaming\Tific
2016-05-04 11:26 - 2014-05-28 12:53 - 00000894 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2016-05-04 11:26 - 2014-01-11 08:17 - 00000828 _____ C:\Windows\Tasks\ISM-UpdateService-4e00205a-2ab1-4423-8f77-cc25b82cde1d-Logon.job
2016-05-04 11:23 - 2009-07-14 00:08 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2016-05-03 17:15 - 2014-01-11 08:04 - 00000000 ____D C:\Program Files (x86)\Lenovo
2016-05-03 14:07 - 2016-01-22 12:09 - 00000963 _____ C:\Users\Public\Desktop\Avast SafeZone Browser.lnk
2016-05-03 14:07 - 2016-01-22 09:56 - 00000975 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Avast SafeZone Browser.lnk
2016-05-03 14:07 - 2015-02-11 02:05 - 00000976 _____ C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer.lnk
2016-05-03 14:07 - 2014-12-02 07:57 - 00000858 _____ C:\Users\Administrator\Desktop\iexplore - Shortcut.lnk
2016-05-03 14:07 - 2014-05-28 12:57 - 00001309 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome.lnk
2016-05-03 13:35 - 2014-05-24 11:27 - 00004182 _____ C:\Windows\System32\Tasks\avast! Emergency Update
2016-05-03 13:34 - 2016-01-22 12:09 - 00003880 _____ C:\Windows\System32\Tasks\SafeZone scheduled Autoupdate 1453482586
2016-05-03 05:39 - 2015-01-27 10:18 - 00465792 _____ (AVAST Software) C:\Windows\system32\Drivers\aswSP.sys
2016-05-03 05:39 - 2015-01-27 10:18 - 00287528 _____ (AVAST Software) C:\Windows\system32\Drivers\aswVmm.sys
2016-05-03 05:39 - 2015-01-27 10:18 - 00166432 _____ (AVAST Software) C:\Windows\system32\Drivers\aswStm.sys
2016-05-03 05:39 - 2015-01-27 10:18 - 00107792 _____ (AVAST Software) C:\Windows\system32\Drivers\aswMonFlt.sys
2016-05-03 05:39 - 2015-01-27 10:18 - 00103064 _____ (AVAST Software) C:\Windows\system32\Drivers\aswRdr2.sys
2016-05-03 05:39 - 2015-01-27 10:18 - 00074544 _____ (AVAST Software) C:\Windows\system32\Drivers\aswRvrt.sys
2016-05-03 05:39 - 2015-01-27 10:18 - 00037656 _____ (AVAST Software) C:\Windows\system32\Drivers\aswHwid.sys
2016-05-03 05:38 - 2016-02-12 16:39 - 00536312 _____ (AVAST Software) C:\Windows\system32\Drivers\aswNetSec.sys
2016-05-03 05:38 - 2016-01-22 12:09 - 00037144 _____ (AVAST Software) C:\Windows\system32\Drivers\aswKbd.sys
2016-05-03 05:38 - 2015-01-27 10:18 - 01070904 _____ (AVAST Software) C:\Windows\system32\Drivers\aswSnx.sys
2016-05-02 21:04 - 2014-05-28 12:57 - 00002194 _____ C:\Users\Public\Desktop\Google Chrome.lnk
2016-05-01 07:31 - 2015-01-04 13:03 - 00000000 ____D C:\Users\DefaultAppPool
2016-04-29 14:46 - 2014-05-28 13:22 - 00001068 _____ C:\Users\Administrator\Desktop\Wear-It-Again - Shortcut.lnk
2016-04-27 11:09 - 2015-07-11 00:39 - 00000000 ____D C:\Users\Administrator\Desktop\WIA-Main
2016-04-27 10:33 - 2015-03-04 15:27 - 00000000 ____D C:\Users\Administrator\AppData\Local\Adobe
2016-04-27 10:32 - 2014-05-24 12:08 - 00797376 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2016-04-27 10:32 - 2014-05-24 12:08 - 00142528 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
2016-04-22 14:40 - 2015-03-04 15:27 - 00000000 ____D C:\Users\Administrator\AppData\Roaming\Nitro
2016-04-22 14:40 - 2009-07-14 00:32 - 00000000 ____D C:\Windows\system32\FxsTmp
2016-04-21 15:05 - 2010-11-20 22:27 - 00453288 ____N (Microsoft Corporation) C:\Windows\system32\MpSigStub.exe
2016-04-09 14:52 - 2014-12-16 11:32 - 00000000 ____D C:\Windows\Minidump
 
==================== Files in the root of some directories =======
 
2015-10-02 15:18 - 2015-10-02 15:18 - 31083273 _____ () C:\Program Files (x86)\Common Files\Research In Motion.zip
2015-02-11 02:12 - 2016-01-22 11:24 - 0000600 _____ () C:\Users\Administrator\AppData\Roaming\winscp.rnd
2015-10-13 04:17 - 2015-10-13 04:17 - 0007602 _____ () C:\Users\Administrator\AppData\Local\Resmon.ResmonCfg
2016-01-27 07:13 - 2016-01-27 08:02 - 0000138 _____ () C:\Users\Administrator\AppData\Local\Support.ini
2015-03-04 14:23 - 2015-03-04 14:23 - 0002784 _____ () C:\ProgramData\epstplog.bak
 
Some files in TEMP:
====================
C:\Users\Administrator\AppData\Local\Temp\jre-8u91-windows-au.exe
C:\Users\Administrator\AppData\Local\Temp\lBYlDUn4rE.exe
C:\Users\Administrator\AppData\Local\Temp\nsh3F5F.tmp.exe
C:\Users\Administrator\AppData\Local\Temp\OgGasJ10PT.exe
C:\Users\Administrator\AppData\Local\Temp\pplxmLqBgV.exe
C:\Users\Administrator\AppData\Local\Temp\ThIks9Izzm.exe
C:\Users\Wear-It-Again\AppData\Local\Temp\Quarantine.exe
C:\Users\Wear-It-Again\AppData\Local\Temp\sqlite3.dll
 
 
==================== Bamital & volsnap =================
 
(There is no automatic fix for files that do not pass verification.)
 
C:\Windows\system32\winlogon.exe => File is digitally signed
C:\Windows\system32\wininit.exe => File is digitally signed
C:\Windows\SysWOW64\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\system32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\system32\services.exe => File is digitally signed
C:\Windows\system32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\system32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\system32\rpcss.dll => File is digitally signed
C:\Windows\system32\dnsapi.dll => File is digitally signed
C:\Windows\SysWOW64\dnsapi.dll => File is digitally signed
C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed
 
 
LastRegBack: 2016-04-28 04:13
 
==================== End of FRST.txt ============================

Attached File: Addition.txt



#2 olgun52

  • Malware Response Team
  • 3,792 posts
  • Gender:Male

Posted 04 May 2016 - 04:57 PM

Hello rionel and welcome to BleepingComputer.
 
My name is Yılmaz and I'll help you with the cleanup of malware from your computer.

Before we move on, please read the following points carefully.

  • Please complete all steps in the specified order.
  • Even if tools don't find malware, I want you to post the logfiles anyway.
  • Please copy and paste the logfiles directly into your posts. Please do not attach them unless you are instructed to do so.
  • Read the instructions carefully. If you have problems, stop what you were doing and describe the problems you encountered as precisely as you can.
  • Don't install or uninstall software during the cleanup unless you are told to do so.
  • Ensure your external and/or USB drives are always inserted during the scan.
  • If you can't answer for the next few days, please let me know. If you haven't answered within 5 days, I will assume that you don't need help anymore and your topic will be closed.
  • If you have illegal/cracked software, cracks, keygens, etc. on the system, please remove or uninstall them now!
  • I cannot guarantee that we will find and be able to remove all malware. The cleaning process is not instant. Please continue to review my answers until I tell you that your computer is clean.
  • Please reply to this thread. Do not start a new topic.
  • As my first language is not English, please do not use slang or idioms. It could be hard for me to understand.
  • Please log on to the computer as an administrator. How do I log on to the computer as an administrator?
  • Disable your AntiVirus and AntiSpyware applications, as they will interfere with our tools and the removal. If you are unsure how to do this, please get help here.

Thanks
 
Please do the following.

 

Scan with Zemana AntiMalware Free:

  • Turn off the real-time scanner of any existing antivirus and firewall programs while performing the scan.
  • Please download and install Zemana AntiMalware Free.
  • Double-click the software shortcut on the desktop and follow the prompts to install the program.
  • If an update is available, click the Update now button.
  • At the end, click Settings > Advanced > ''I have read the warning and wish to proceed anyway''.
  • Auto Launch > untick the box next to it.
  • Scan type > Smart scan (Default).
  • Close all open files, folders and browsers.
  • Click Scan now (''Run as Administrator'') and a threat scan will begin.
  • When the scan is complete, press Report and send me the report.
  • Please restart the PC now.

How is the PC? Is there still MCP?

And please post a fresh FRST Logs.

====================================
Please download Farbar Recovery Scan Tool and save it to your desktop.

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system, download both of them and try to run them. Only one of them will run on your system; that will be the right version.

  • Double-click to run it. When the tool opens click Yes to disclaimer.
  • Make sure the following option is checked: Addition.txt
  • Press Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
  • The first time the tool is run, it makes also another log (Addition.txt). Please attach it to your reply.

Sincerely.

 


Edited by olgun52, 04 May 2016 - 05:01 PM.

Best regards
 
If you wish to show appreciation and support me personally fighting against malware, then you can consider a donation. Thank you.
Malware fix forum
If I don't reply within 24 hours please PM me!

 


 


#3 rionel

  • Topic Starter
  • Members
  • 8 posts

Posted 06 May 2016 - 06:20 PM

Hello, I just saw this and am out the door in just a few minutes. I'll have those logs first thing. Thanks



#4 rionel

  • Topic Starter
  • Members
  • 8 posts

Posted 09 May 2016 - 05:41 PM

Hello Yılmaz,
 
Here is the scan report. The program removed the virus, which is not what you wanted. I also left Chrome open so, if needed, I can re-run the program.
Thanks
 
Zemana AntiMalware 2.20.2.613 (Installed)
 
-------------------------------------------------------
Scan Result            : Completed
Scan Date              : 2016/5/9
Operating System       : Windows 7 64-bit
Processor              : 2X Intel® Pentium® CPU 2020M @ 2.40GHz
BIOS Mode              : Legacy
CUID                   : 004DB7FCEB0C3B486A71EC
Scan Type              : Smart Scan
Duration               : 4m 54s
Scanned Objects        : 16506
Detected Objects       : 1
Excluded Objects       : 0
Read Level             : SCSI
Auto Upload            : ON
Detect All Extensions  : OFF
Scan Documents         : OFF
Domain Info            : WORKGROUP,0,2
 
Detected Objects
-------------------------------------------------------
 
unstops.net
Status             : Scanned
Object             : HKLM\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\C91118139C08E54C0DB5F7FFC6252BF51F42D854\Blob
MD5                : -
Publisher          : -
Size               : -
Version            : -
Detection          : Suspicious Root CA
Cleaning Action    : Delete
Related Objects    :
                Registry Entry - HKLM\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\C91118139C08E54C0DB5F7FFC6252BF51F42D854\Blob
 
 
Cleaning Result
-------------------------------------------------------
Cleaned               : 1
Reported as safe      : 0


#5 olgun52

  • Malware Response Team
  • 3,792 posts
  • Gender:Male

Posted 10 May 2016 - 11:46 AM

I've used AdwCleaner to try and remove MCP. I ran it three times and it cleaned out most everything, popups are still showing up and my browser is hijacked by MCP.

Is the MCP issue still there?




#6 rionel

  • Topic Starter
  • Members
  • 8 posts

Posted 10 May 2016 - 12:20 PM

Yes.



#7 olgun52

  • Malware Response Team
  • 3,792 posts
  • Gender:Male

Posted 10 May 2016 - 04:03 PM

Did you make a manual proxy setting on the PC?




#8 rionel

  • Topic Starter
  • Members
  • 8 posts

Posted 10 May 2016 - 09:16 PM

No, I wouldn't know how to without instruction.

#9 olgun52

  • Malware Response Team
  • 3,792 posts
  • Gender:Male

Posted 11 May 2016 - 07:23 AM

Okay.

Please do the following,

=================================================================

FRST Fixlist run:

Copy the below code to Notepad; Save As fixlist.txt to your Desktop.

CreateRestorePoint:
CloseProcesses:
AutoConfigURL: [S-1-5-21-3591202183-1233023162-4214933117-500] => hxxp://unstops.net/wpad.dat?323431b7d4638134f39f784b4e86a2059679470
ManualProxies: 0hxxp://unstops.net/wpad.dat?323431b7d4638134f39f784b4e86a2059679470
Task: {A5B9690F-FEDA-4B4E-A4A6-D2FDDE26FAD7} - System32\Tasks\{F4820928-5FFE-426B-9882-10498D955148} => pcalua.exe -a "C:\Program Files (x86)\Research In Motion\BlackBerry Link\InstallerUtils\InstallerUtils.exe" -c /UninstallDesktop
Task: {C2996F73-B9A6-496A-BC67-4F4DEF5B3E80} - System32\Tasks\{874B5F50-5393-41D6-9832-9B69F0678239} => pcalua.exe -a "C:\Program Files (x86)\Research In Motion\BlackBerry Link\InstallerUtils\InstallerUtils.exe" -c /UninstallDesktop
AlternateDataStreams: C:\Windows:nlsPreferences [514]
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcpltsvc => ""=""
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\McMPFSvc => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\mcpltsvc => ""=""
Reg: Reg Delete "HKLM\SOFTWARE\Microsoft\Shared Tools\MSConfig\services" /F
Reg: Reg Add "HKLM\SOFTWARE\Microsoft\Shared Tools\MSConfig\services" /F
Reg: Reg Delete "HKLM\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg" /F
Reg: Reg Add "HKLM\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg" /F
FirewallRules: [{D16FACD4-9689-4A6B-8C4B-1515C546B14D}] => (Allow) C:\Users\Administrator\AppData\Local\Temp\WZSE0.TMP\Common\EpsonNet Setup\ENEasyApp.exe
FirewallRules: [{F559C7E8-2A62-43A0-80FD-A676BBB61368}] => (Allow) C:\Users\Administrator\AppData\Local\Temp\WZSE0.TMP\Common\EpsonNet Setup\ENEasyApp.exe
HKU\S-1-5-21-3591202183-1233023162-4214933117-500\...\MountPoints2: {a7466ec6-7abf-11e3-baab-806e6f6e6963} - Q:\LenovoQDrive.exe
BootExecute: autocheck autochk * aswBoot.exe /M:11cac8a9 /wow /dir:"C:\Program Files\AVAST Software\Avast"
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Local Page =
SearchScopes: HKU\.DEFAULT -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-19 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-20 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-21-3591202183-1233023162-4214933117-500 -> DefaultScope {D18F19F8-F63E-4146-BBA1-A2542D98651A} URL = hxxps://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:{language}:{referrer:source}&ie={inputEncoding?}&oe={outputEncoding?}
SearchScopes: HKU\S-1-5-21-3591202183-1233023162-4214933117-500 -> {4C918B4F-6F5D-4F9A-9D47-AFD350B57DD6} URL = hxxps://search.yahoo.com/search?p={searchTerms}&b={startPage?}&fr=ie8
SearchScopes: HKU\S-1-5-21-3591202183-1233023162-4214933117-500 -> {AAE500E4-9565-43EB-A46F-B956D6B121E0} URL =
SearchScopes: HKU\S-1-5-21-3591202183-1233023162-4214933117-500 -> {D18F19F8-F63E-4146-BBA1-A2542D98651A} URL = hxxps://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:{language}:{referrer:source}&ie={inputEncoding?}&oe={outputEncoding?}
FF Plugin: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin-x32: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin-x32: Adobe Reader -> C:\Program Files (x86)\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll [2015-04-29] (Adobe Systems Inc.)
CHR StartupUrls: Default -> "about:blank"
CHR Extension: (Sci-Hub) - C:\Users\Administrator\Desktop\sci-hub\Sci-Hub [2016-04-03] [UpdateUrl: hxxps://extension.sci-hub.io/update] <==== ATTENTION
CHR HKU\S-1-5-21-3591202183-1233023162-4214933117-500\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [hegneaniplmfjcmohoclabblbahcbjoe] - hxxp://clients2.google.com/service/update2/crx
CHR HKLM-x32\...\Chrome\Extension: [hegneaniplmfjcmohoclabblbahcbjoe] - hxxp://clients2.google.com/service/update2/crx
S2 McAPExe; "C:\Program Files\McAfee\MSC\McAPExe.exe" [X]
S4 McMPFSvc; "C:\Program Files\Common Files\McAfee\Platform\McSvcHost\McSvHost.exe" /McCoreSvc [X]
C:\Users\Administrator\AppData\Roaming\MCorp
C:\Users\Administrator\Downloads\EDFC.tmp
C:\Program Files (x86)\-1462239346---
2016-05-04 11:26 - 2014-01-11 08:17 - 00000828 _____ C:\Windows\Tasks\ISM-UpdateService-4e00205a-2ab1-4423-8f77-cc25b82cde1d-Logon.job
2015-02-11 02:12 - 2016-01-22 11:24 - 0000600 _____ () C:\Users\Administrator\AppData\Roaming\winscp.rnd
2015-10-13 04:17 - 2015-10-13 04:17 - 0007602 _____ () C:\Users\Administrator\AppData\Local\Resmon.ResmonCfg
2016-01-27 07:13 - 2016-01-27 08:02 - 0000138 _____ () C:\Users\Administrator\AppData\Local\Support.ini
2015-03-04 14:23 - 2015-03-04 14:23 - 0002784 _____ () C:\ProgramData\epstplog.bak
C:\Users\Administrator\AppData\Local\Temp\jre-8u91-windows-au.exe
C:\Users\Administrator\AppData\Local\Temp\lBYlDUn4rE.exe
C:\Users\Administrator\AppData\Local\Temp\nsh3F5F.tmp.exe
C:\Users\Administrator\AppData\Local\Temp\OgGasJ10PT.exe
C:\Users\Administrator\AppData\Local\Temp\pplxmLqBgV.exe
C:\Users\Administrator\AppData\Local\Temp\ThIks9Izzm.exe
C:\Users\Wear-It-Again\AppData\Local\Temp\Quarantine.exe
C:\Users\Wear-It-Again\AppData\Local\Temp\sqlite3.dll
CMD: netsh advfirewall reset
CMD: netsh advfirewall set allprofiles state ON
CMD: ipconfig /flushdns
CMD: netsh winsock reset catalog
CMD: netsh int ip reset c:\resetlog.txt
CMD: ipconfig /release
CMD: ipconfig /renew
CMD: netsh int ipv4 reset
CMD: netsh int ipv6 reset
CMD: sc config WinDefend start= disabled
CMD: sc stop WinDefend
RemoveProxy:
CMD: bitsadmin /reset /allusers
EmptyTemp:
Reboot:

Close Notepad.

NOTE: It's important that both files, FRST64 and fixlist.txt are in the same location or the fix will not work.

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.

Run FRST64 and press the Fix button just once and wait.

If the tool needs a restart, please make sure you let the system restart normally and let the tool complete its run after the restart.

The tool will make a log on the Desktop (Fixlog.txt). Attach it to your reply.

Note: If the tool warns you about an outdated version please download and run the updated version.
=============================================================================================

Please download AdwCleaner by Xplode onto your desktop.

  • Double click on AdwCleaner.exe to run the tool.
  • Click on Delete or Clean.
  • A logfile will automatically open after the scan has finished.
  • Please post the contents of that logfile with your next reply.
  • You can find the logfile at C:\AdwCleaner[S1].txt as well.

=============================================================================================

 

Please download ZHPcleaner to your desktop.

  • Double click on ZHPCleaner to run the tool.
  • If you are using Windows Vista, 7, or 8; instead of double-clicking, right-mouse click ZHPCleaner and select "Run as Administrator".
  • Please click the button shown in the screenshot (image missing).
  • Then press ''Repair'' button.
  • Browsers will automatically shut down.
  • A logfile will automatically open after the scan has finished.
  • Please post the contents of that logfile with your next reply.

=============================================================================================

Chrome:
Delete your cache, history, and other browser data
https://support.google.com/chrome/answer/95582?hl=en
Next >>
Reset Chrome browser settings

https://support.google.com/chrome/answer/3296214?hl=en

 



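As an added example (not code from this thread, from FRST or from Zemana), the following PowerShell audit re-checks the three persistence points the fixlist above removes and the Zemana report earlier in the thread flagged: the per-user AutoConfigURL/manual proxy, the machine and user Root CA stores, and orphaned SafeBoot service entries. It assumes an elevated PowerShell prompt; the only thumbprint it treats as known-bad is the one from the Zemana report, and the 90-day "recently issued root" rule is a heuristic of this example, not a Zemana or FRST rule.

```powershell
# Added audit script, not code from this thread, FRST or Zemana. Re-checks the
# persistence points the fixlist above removes so the result can be verified.
# Assumes an elevated PowerShell prompt; PowerShell 2.0 syntax so it runs on Windows 7.

$findings = New-Object System.Collections.ArrayList

function Add-Finding($kind, $where, $value) {
    [void]$findings.Add((New-Object PSObject -Property @{ Kind = $kind; Where = $where; Value = $value }))
}

# 1. WinINET proxy settings in every loaded user hive: the same values FRST lists
#    as "AutoConfigURL:" and "ManualProxies:" in the fixlist above.
foreach ($hive in Get-ChildItem 'Registry::HKEY_USERS') {
    $key = "Registry::HKEY_USERS\$($hive.PSChildName)\Software\Microsoft\Windows\CurrentVersion\Internet Settings"
    if (-not (Test-Path $key)) { continue }
    $p = Get-ItemProperty -Path $key
    if ($p.AutoConfigURL) { Add-Finding 'AutoConfigURL (PAC)' $hive.PSChildName $p.AutoConfigURL }
    if ($p.ProxyEnable -eq 1 -and $p.ProxyServer) { Add-Finding 'ManualProxy' $hive.PSChildName $p.ProxyServer }
}

# 2. Root CA stores. The thumbprint is the one Zemana reported as "Suspicious Root CA"
#    earlier in this thread. Flagging roots issued in the last 90 days is a heuristic
#    of this example: a rogue root dropped by adware is new, shipped roots almost never are.
$knownBad = @('C91118139C08E54C0DB5F7FFC6252BF51F42D854')
foreach ($store in 'Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root') {
    foreach ($cert in Get-ChildItem $store) {
        if ($knownBad -contains $cert.Thumbprint) {
            Add-Finding 'RootCA known-bad' $store "$($cert.Thumbprint) $($cert.Subject)"
        } elseif ($cert.NotBefore -gt (Get-Date).AddDays(-90)) {
            Add-Finding 'RootCA recently issued' $store "$($cert.Thumbprint) $($cert.Subject)"
        }
    }
}

# 3. SafeBoot service entries whose service key no longer exists (the fixlist
#    removes SafeBoot\Minimal\mcpltsvc and SafeBoot\Network\mcpltsvc for that reason).
foreach ($mode in 'Minimal', 'Network') {
    foreach ($entry in Get-ChildItem "HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot\$mode") {
        $type = $entry.GetValue('')
        if ($type -and $type -ne 'Service') { continue }   # 'Driver' / 'Driver Group' entries are not services
        if (-not (Test-Path "HKLM:\SYSTEM\CurrentControlSet\Services\$($entry.PSChildName)")) {
            Add-Finding 'SafeBoot orphan' $mode $entry.PSChildName
        }
    }
}

if ($findings.Count -eq 0) { Write-Host 'No proxy, root-CA or SafeBoot findings.' }
else { $findings | Sort-Object Kind | Format-Table Kind, Where, Value -AutoSize }
```

A clean run after the fix should report nothing; any AutoConfigURL that reappears after a reboot points at a persistence mechanism the fixlist did not cover.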



