
Summer cleaning


  • This topic is locked
12 replies to this topic

#1 MadalinVlad (Members, 5 posts)

Posted 06 May 2016 - 05:58 AM

So the last virus problem I had was a year ago. Since then I've been even more careful about what I download. However, on my last Windows I had the system on a normal HDD, and since then I've made an in-place update to Windows 10 from Windows 7 and moved the partition to an SSD. No major problems, but I want to make sure the performance is top notch. Also, a few "fixes" carried over from Windows 7. The most noticeable is the two explorer instances: I have two explorer processes in the task manager. Also related to explorer.exe is the fact that when I wake the PC up from sleep, if I had any windows open they freeze together with the whole explorer process and I have to restart the process manually. Also, most times I open a File Explorer window it refreshes; this is an excruciating problem when using "open file location" to select a file, only to have the folder refresh so that I have to find the file again.

 

If possible, I'd like to refrain from clean installing Windows. Also, I'd like to clean the users from the registry, to only have "William" and any system-dependent account.

 

Logs:

FRST - Attached File  FRST.txt   105.18KB   5 downloads

FRST Addition - Attached File  Addition.txt   74.82KB   5 downloads

 

EDIT: I forgot to add, I use Nvidia DSR and checked all the resolutions; however, if I go with it over a certain resolution the keyboard lags like hell (input is received after a minute). I tried a clean reinstall of the Nvidia drivers 3 or 4 times on different occasions but no luck.


Edited by MadalinVlad, 06 May 2016 - 06:06 AM.



#2 nasdaq (Malware Response Team, 40,464 posts, Montreal, QC, Canada)

Posted 06 May 2016 - 08:04 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

Remove these programs in bold via the Control Panel > Programs > Programs and Applet.
Driver Booster 3.2 (HKLM-x32\...\Driver Booster_is1) (Version: 3.2 - IObit)
KMSpico (HKLM\...\{8B29D47F-92E2-4C20-9EE0-F710991F5D7C}_is1) (Version: - )
Lightshot-5.3.0.0 (HKLM-x32\...\{30A5B3C9-2084-4063-A32A-628A98DE512B}_is1) (Version: 5.3.0.0 - Skillbrains)
Popcorn Time (HKLM-x32\...\Popcorn Time_is1) (Version: 5.4.7.0 - Popcorn Time)
Java 8 Update 91 (64-bit) (HKLM\...\{26A24AE4-039D-4CA4-87B4-2F86418091F0}) (Version: 8.0.910.14 - Oracle Corporation)
Java SE Development Kit 8 Update 45 (64-bit) (HKLM\...\{64A3A4F4-B792-11D6-A78A-00B0D0180450}) (Version: 8.0.450.15 - Oracle Corporation)
Java SE Development Kit 8 Update 66 (64-bit) (HKLM\...\{64A3A4F4-B792-11D6-A78A-00B0D0180660}) (Version: 8.0.660.18 - Oracle Corporation)
===


Press the Windows key + R on your keyboard at the same time. This will open the Run box.
Type Notepad and click OK.
Please copy the entire contents of the code box below to a new file.
 
start


CreateRestorePoint:
EmptyTemp:
CloseProcesses:

(Popcorn Time) C:\Program Files (x86)\Popcorn Time\Updater.exe
(Skillbrains) C:\Program Files (x86)\Skillbrains\lightshot\5.3.0.0\Lightshot.exe
HKLM-x32\...\Run: [Lightshot] => C:\Program Files (x86)\Skillbrains\lightshot\Lightshot.exe [226560 2014-11-18] ()
HKLM\Software\Policies\Microsoft\Windows NT\SystemRestore: [DisableSR/DisableConfig]  <===== ATTENTION
ShellExecuteHooks-x32:  - {B5A7F190-DDA6-4420-B3BA-52453494E6CD} -  No File [ ]
ShellIconOverlayIdentifiers-x32: ["DropboxExt1"] -> {FB314ED9-A251-47B7-93E1-CDD82E34AF8B} =>  No File
ShellIconOverlayIdentifiers-x32: ["DropboxExt2"] -> {FB314EDA-A251-47B7-93E1-CDD82E34AF8B} =>  No File
ShellIconOverlayIdentifiers-x32: ["DropboxExt3"] -> {FB314EDD-A251-47B7-93E1-CDD82E34AF8B} =>  No File
ShellIconOverlayIdentifiers-x32: ["DropboxExt4"] -> {FB314EDE-A251-47B7-93E1-CDD82E34AF8B} =>  No File
ShellIconOverlayIdentifiers-x32: ["DropboxExt5"] -> {FB314EDB-A251-47B7-93E1-CDD82E34AF8B} =>  No File
ShellIconOverlayIdentifiers-x32: ["DropboxExt6"] -> {FB314EDF-A251-47B7-93E1-CDD82E34AF8B} =>  No File
ShellIconOverlayIdentifiers-x32: ["DropboxExt7"] -> {FB314EDC-A251-47B7-93E1-CDD82E34AF8B} =>  No File
ShellIconOverlayIdentifiers-x32: ["DropboxExt8"] -> {FB314EE0-A251-47B7-93E1-CDD82E34AF8B} =>  No File
ShellIconOverlayIdentifiers-x32: [Groove Explorer Icon Overlay 1 (GFS Unread Stub)] -> {99FD978C-D287-4F50-827F-B2C658EDA8E7} =>  No File
ShellIconOverlayIdentifiers-x32: [Groove Explorer Icon Overlay 2 (GFS Stub)] -> {AB5C5600-7E6E-4B06-9197-9ECEF74D31CC} =>  No File
ShellIconOverlayIdentifiers-x32: [Groove Explorer Icon Overlay 2.5 (GFS Unread Folder)] -> {920E6DB1-9907-4370-B3A0-BAFC03D81399} =>  No File
ShellIconOverlayIdentifiers-x32: [Groove Explorer Icon Overlay 3 (GFS Folder)] -> {16F3DD56-1AF5-4347-846D-7C10C4192619} =>  No File
ShellIconOverlayIdentifiers-x32: [Groove Explorer Icon Overlay 4 (GFS Unread Mark)] -> {2916C86E-86A6-43FE-8112-43ABE6BF8DCC} =>  No File
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Deluge.lnk [2015-08-13]
ShortcutTarget: Deluge.lnk -> F:\Program Files (x86)\Deluge\deluge.exe (No File)
HKU\S-1-5-21-2374710267-329911287-271095899-1000\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
BHO-x32: No Name -> {72853161-30C5-4D22-B7F9-0BBC1D38A37E} -> No File
FF NewTab: chrome://fvd.speeddial/content/fvd_about_blank.html
FF Homepage: chrome://fvd.speeddial/content/fvd_about_blank.html
FF Extension: Speed Dial [FVD] - New Tab Page, Sync... - C:\Users\William\AppData\Roaming\Mozilla\Firefox\Profiles\lk1eqcmv.default\extensions\pavel.sherbakov@gmail.com [2016-03-03]
FF Extension: EverSync - Sync bookmarks, backup your favorites. - C:\Users\William\AppData\Roaming\Mozilla\Firefox\Profiles\lk1eqcmv.default\extensions\fvdmedia@gmail.com [2016-03-03]
FF Extension: YouRepeat - C:\Users\William\AppData\Roaming\Mozilla\Firefox\Profiles\lk1eqcmv.default\Extensions\{3E5EE13F-9517-4DDF-BABF-83303B9AB98F}.xpi [2015-07-18]
CHR Plugin: (Widevine Content Decryption Module) - C:\Users\William\AppData\Local\Google\Chrome\User Data\WidevineCDM\1.4.8.866\_platform_specific\win_x86\widevinecdmadapter.dll => No File
CHR Extension: (EverSync - Sync bookmarks, backup favorites) - C:\Users\William\AppData\Local\Google\Chrome\User Data\Default\Extensions\iohcojnlgnfbmjfjfkbhahhmppcggdog [2016-04-29]
CHR Extension: (Speed Dial [FVD] - New Tab Page, 3D, Sync...) - C:\Users\William\AppData\Local\Google\Chrome\User Data\Default\Extensions\llaficoajjainaijghjlofdfmbjpebpa [2016-04-29]
CHR Extension: (Awesome New Tab Page) - C:\Users\William\AppData\Local\Google\Chrome\User Data\Default\Extensions\mgmiemnjjchgkmgbeljfocdjjnpjnmcg [2016-01-12]
CHR Extension: (Plăți prin Magazinul web Chrome) - C:\Users\William\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2016-04-01]
CHR Extension: (Hover Zoom) - C:\Users\William\AppData\Local\Google\Chrome\User Data\Default\Extensions\nonjdcjchghhkdoolnlbekcfllmednbl [2016-04-04]
R2 Update service; C:\Program Files (x86)\Popcorn Time\Updater.exe [339968 2015-10-19] (Popcorn Time) [File not signed]
S3 cpuz137; \??\C:\WINDOWS\TEMP\cpuz137\cpuz137_x64.sys [X]
S3 cpuz138; \??\F:\TEMPOR~1\cpuz138\cpuz138_x64.sys [X]
S3 GPUZ; \??\C:\WINDOWS\TEMP\GPUZ.sys [X]
U3 idsvc; no ImagePath
S3 wfpcapture; \SystemRoot\System32\drivers\wfpcapture.sys [X]
U3 wpcsvc; no ImagePath
C:\Program Files (x86)\Skillbrains\
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Deluge.lnk
C:\Users\William\AppData\Roaming\Mozilla\Firefox\Profiles\lk1eqcmv.default\extensions\pavel.sherbakov@gmail.com
C:\Users\William\AppData\Roaming\Mozilla\Firefox\Profiles\lk1eqcmv.default\extensions\fvdmedia@gmail.com
C:\Users\William\AppData\Roaming\Mozilla\Firefox\Profiles\lk1eqcmv.default\Extensions\{3E5EE13F-9517-4DDF-BABF-83303B9AB98F}.xpi
C:\Users\William\AppData\Local\Google\Chrome\User Data\Default\Extensions\iohcojnlgnfbmjfjfkbhahhmppcggdog
C:\Users\William\AppData\Local\Google\Chrome\User Data\Default\Extensions\llaficoajjainaijghjlofdfmbjpebpa
C:\Users\William\AppData\Local\Google\Chrome\User Data\Default\Extensions\mgmiemnjjchgkmgbeljfocdjjnpjnmcg
C:\Users\William\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda
C:\Users\William\AppData\Local\Google\Chrome\User Data\Default\Extensions\nonjdcjchghhkdoolnlbekcfllmednbl
Task: {05635E11-0FAA-4812-9691-5E9363E63929} - \Microsoft\Windows\Setup\gwx\refreshgwxconfigandcontent -> No File <==== ATTENTION
Task: {232D7357-E683-4584-821B-31472E7A7310} - \Microsoft\Windows\Setup\gwx\refreshgwxconfig -> No File <==== ATTENTION
Task: {2ED1320B-C329-45EF-B5B7-CD7C6E93C668} - \Microsoft\Windows\Setup\gwx\launchtrayprocess -> No File <==== ATTENTION
Task: {3B5BC0AA-7E32-4255-A638-CC2D89B49DEB} - \Microsoft\Windows\Setup\GWXTriggers\Logon-5d -> No File <==== ATTENTION
Task: {3DD0FCA9-7728-43DE-8B20-120D927E0AC1} - \Microsoft\Windows\Setup\GWXTriggers\OutOfIdle-5d -> No File <==== ATTENTION
Task: {46018319-93F3-4DF4-BFDC-745BFFDB1C9D} - \Microsoft\Windows\Setup\gwx\refreshgwxcontent -> No File <==== ATTENTION
Task: {6731D58E-C374-4913-AC2E-F2D99714DF1A} - System32\Tasks\AutoPico Daily Restart => F:\Program Files\KMSpico\AutoPico.exe
Task: {7646A1F5-2E07-4434-8DD1-4BFAE7171664} - \Microsoft\Windows\Setup\GWXTriggers\refreshgwxconfig-B -> No File <==== ATTENTION
Task: {805B8D6A-3ADF-4ECC-A179-72B681A751C1} - \Microsoft\Windows\Setup\GWXTriggers\MachineUnlock-5d -> No File <==== ATTENTION
Task: {9641B00F-BBB9-4E34-90F3-77BCE0AA9BF2} - \Microsoft\Windows\Setup\GWXTriggers\Time-5d -> No File <==== ATTENTION
Task: {CDADB4FA-2A4C-4DC8-9176-3D9FF9B047CD} - \Microsoft\Windows\File Classification Infrastructure\Property Definition Sync -> No File <==== ATTENTION
Task: {E48A98CF-1210-467F-8AD6-48AE93252737} - \Microsoft\Windows\Setup\GWXTriggers\Telemetry-4xd -> No File <==== ATTENTION
Task: {FB0DDB25-3665-44E0-BDA1-24B95AF2E805} - \Microsoft\Windows\Setup\GWXTriggers\OutOfSleep-5d -> No File <==== ATTENTION
AlternateDataStreams: C:\ProgramData\Nalpeiron:user.ns1 [5]
AlternateDataStreams: C:\ProgramData\Nalpeiron:user.ns2 [5]
AlternateDataStreams: C:\ProgramData\Nalpeiron:user.ns3 [5]
AlternateDataStreams: C:\ProgramData\Nalpeiron:user.ns4 [5]

End
Save the file as fixlist.txt in the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the Farbar log you have submitted.

Run FRST and click Fix only once and wait.

Restart the computer normally to reset the registry.

The tool will create a log (Fixlog.txt) please post it to your reply.
===
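After the fix has run, the check a practitioner would want is an independent confirmation that the persistence locations named in the fixlist are actually clean. The PowerShell script below is an added example; it is not part of the thread and not FRST's own code. It walks the same classes of location the fixlist touches (Run keys in both registry views, Startup-folder shortcuts, scheduled tasks, services and kernel drivers, the SystemRestore policy, and alternate data streams) and reports every entry that still points at a file which no longer exists, which is what FRST prints as "No File", "[X]" or "no ImagePath". The same task check also covers the AutoPico task from the KMSpico entry. The Nalpeiron path and the registry locations are the ones in the fixlist; the helper functions Get-ExePath and Test-Target are my own. It assumes an elevated Windows PowerShell 5.1 or later prompt (Get-ScheduledTask and Get-CimInstance need PowerShell 3 / Windows 8 or newer).

```powershell
# Added example (not from the thread): re-verify the persistence locations the FRST fixlist above touches.
# Run elevated. Reports entries that still exist but point at a missing binary, plus the two policy values.
$findings = New-Object System.Collections.Generic.List[string]

# Pull the executable out of a command line such as  "C:\x\y.exe" /arg,  C:\x\y.exe /arg  or  \??\C:\x\y.sys
function Get-ExePath([string]$cmd) {
    if ([string]::IsNullOrWhiteSpace($cmd)) { return $null }
    $cmd = $cmd.Trim() -replace '^\\\?\?\\', ''            # drop the \??\ NT object-manager prefix drivers use
    if ($cmd.StartsWith('"')) { return $cmd.Split('"')[1] }
    $m = [regex]::Match($cmd, '^(.+?\.(exe|sys|dll|cmd|bat))', 'IgnoreCase')
    if ($m.Success) { return $m.Groups[1].Value } else { return $cmd.Split(' ')[0] }
}

# True when the referenced file exists; \SystemRoot and bare system32\... paths are resolved like the loader does
function Test-Target([string]$path) {
    if (-not $path) { return $false }
    $path = $path -replace '^\\SystemRoot', $env:SystemRoot
    if ($path -notmatch '^[A-Za-z]:\\') { $path = Join-Path $env:SystemRoot $path }
    return Test-Path -LiteralPath $path
}

# 1. Run keys (native and WOW6432Node views): the Lightshot entry lived in HKLM-x32\...\Run
$runKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
foreach ($k in $runKeys) {
    if (-not (Test-Path $k)) { continue }
    $p = Get-ItemProperty -Path $k
    foreach ($name in ($p.PSObject.Properties.Name | Where-Object { $_ -notlike 'PS*' })) {
        $exe = Get-ExePath $p.$name
        if (-not (Test-Target $exe)) { $findings.Add("Run: $k\$name -> '$exe' (file missing)") }
    }
}

# 2. Startup-folder shortcuts whose target is gone (the Deluge.lnk case, target on a drive that no longer exists)
$wsh = New-Object -ComObject WScript.Shell
$startup = "$env:ProgramData\Microsoft\Windows\Start Menu\Programs\Startup",
           "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup"
Get-ChildItem -Path $startup -Filter *.lnk -ErrorAction SilentlyContinue | ForEach-Object {
    $target = $wsh.CreateShortcut($_.FullName).TargetPath
    if (-not (Test-Target $target)) { $findings.Add("Startup: $($_.FullName) -> '$target' (file missing)") }
}

# 3. Scheduled tasks whose action binary no longer exists (the GWX tasks and AutoPico Daily Restart)
Get-ScheduledTask | ForEach-Object {
    $task = $_
    foreach ($a in $task.Actions) {
        if (-not $a.Execute) { continue }                    # COM-handler actions have no executable to check
        $exe = Get-ExePath ([Environment]::ExpandEnvironmentVariables($a.Execute))
        if (-not (Test-Target $exe)) { $findings.Add("Task: $($task.TaskPath)$($task.TaskName) -> '$exe' (file missing)") }
    }
}

# 4. Services and kernel drivers with no image path or a missing binary (cpuz137, GPUZ, idsvc, wpcsvc above)
foreach ($cls in 'Win32_Service', 'Win32_SystemDriver') {
    Get-CimInstance -ClassName $cls | ForEach-Object {
        $exe = Get-ExePath ([Environment]::ExpandEnvironmentVariables([string]$_.PathName))
        if (-not (Test-Target $exe)) { $findings.Add("$($cls): $($_.Name) -> '$exe' (no ImagePath or file missing)") }
    }
}

# 5. The System Restore policy the fixlist flagged with ATTENTION (DisableSR / DisableConfig)
$srPol = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore'
if (Test-Path $srPol) {
    $sr = Get-ItemProperty -Path $srPol
    foreach ($v in 'DisableSR', 'DisableConfig') {
        if ($sr.$v -eq 1) { $findings.Add("Policy: $srPol\$v = 1 (System Restore still disabled by policy)") }
    }
}

# 6. Alternate data streams on the path named in the fixlist. Windows PowerShell 5.1 may refuse -Stream on a
#    directory; in that case  cmd /c dir /r "C:\ProgramData"  shows the same streams.
$adsPath = 'C:\ProgramData\Nalpeiron'
if (Test-Path -LiteralPath $adsPath) {
    Get-Item -LiteralPath $adsPath -Stream * -ErrorAction SilentlyContinue |
        Where-Object { $_.Stream -ne ':$DATA' } |
        ForEach-Object { $findings.Add("ADS: $($adsPath):$($_.Stream) ($($_.Length) bytes)") }
}

if ($findings.Count -eq 0) { 'No leftover persistence entries found.' } else { $findings }
```

Expect some noise on a healthy machine: a few Microsoft tasks and drivers legitimately reference files that are only present on certain SKUs, so treat the output as a worklist to compare against the FRST log rather than as a verdict. Entries that name a drive letter that no longer exists (the F: paths above) or a %TEMP% location are the ones worth acting on.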

#3 MadalinVlad (Topic Starter, Members, 5 posts)

Posted 06 May 2016 - 09:35 AM

Could you tell me why I should remove Lightshot and Driver Booster? I use them frequently and use Driver Booster to keep my drivers up to date (also Lightshot for better screenshot making)



#4 nasdaq (Malware Response Team, 40,464 posts, Montreal, QC, Canada)

Posted 06 May 2016 - 09:55 AM

Both are potentially unwanted programs.

It's your call if you want to keep them.

#5 MadalinVlad (Topic Starter, Members, 5 posts)

Posted 06 May 2016 - 10:55 AM

Edited by MadalinVlad, 06 May 2016 - 10:56 AM.


#6 nasdaq (Malware Response Team, 40,464 posts, Montreal, QC, Canada)

Posted 07 May 2016 - 07:20 AM

Looking good.

If all is well.

To learn more about how to protect yourself while on the internet, read this little guide on best security practices to keep safe.
http://www.bleepingcomputer.com/forums/t/407147/answers-to-common-security-questions-best-practices/

#7 MadalinVlad (Topic Starter, Members, 5 posts)

Posted 08 May 2016 - 05:02 AM

There is some hanging here and there where the keyboard input freezes for a second (mouse interaction works normally) and then what I typed appeared again.

Here is another batch of FRST logs.

Attached Files



#8 nasdaq (Malware Response Team, 40,464 posts, Montreal, QC, Canada)

Posted 08 May 2016 - 07:59 AM

I strongly suggest you remove this program.
KMSpico (HKLM\...\{8B29D47F-92E2-4C20-9EE0-F710991F5D7C}_is1) (Version: - )

Source.
https://www.herdprotect.com/kmspico-v9.2.3-final-tested-activated-windows-8.1-and-7-dwindows-os-free-download.exe-164ea219c52d51f4bda83a419290172a660298e0.aspx

Let me know if the problem persists.

#9 nasdaq (Malware Response Team, 40,464 posts, Montreal, QC, Canada)

Posted 14 May 2016 - 06:57 AM

Are you still with me?

#10 MadalinVlad (Topic Starter, Members, 5 posts)

Posted 14 May 2016 - 07:36 AM

Yes I am, I removed KMSPico. Now there's some occasional freezing and thunderbird freezes after sending a mail (although that might be program-related not OS-related)

#11 nasdaq (Malware Response Team, 40,464 posts, Montreal, QC, Canada)

Posted 14 May 2016 - 12:58 PM


thunderbird freezes after sending a mail


Some people have success with this fix.
http://www.ghacks.net/2009/05/19/fix-slow-or-hanging-thunderbird-email-client/

Think also of deleting the very old messages.

Or, create a new folder and move them to the new folder.
===

If Chrome is slow reset it.
Open Google Chrome and click on the menu icon, which is located at the top right of the Chrome window.
 
Click "Settings" then "Show advanced settings" at the bottom of the screen.
 
Click "Reset browser settings" button.
 
Clear your cache and cookies
https://support.google.com/chromebook/answer/183083?hl=en

Restart Chrome.

Hope that helps.

#12 nasdaq (Malware Response Team, 40,464 posts, Montreal, QC, Canada)

Posted 20 May 2016 - 10:10 AM

If all is well.

To learn more about how to protect yourself while on the internet, read this little guide on best security practices to keep safe.
http://www.bleepingcomputer.com/forums/t/407147/answers-to-common-security-questions-best-practices/

#13 nasdaq (Malware Response Team, 40,464 posts, Montreal, QC, Canada)

Posted 26 May 2016 - 07:41 AM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.
