
please help - malware taking over netbook


  • This topic is locked
32 replies to this topic

#1 tentoze

Posted 08 May 2016 - 07:43 PM

Hope I will be able to complete this post. Every time I press the shift key, it boots me out of posting. My netbook has become unusable, basically, from runws.exe, switchusb.exe, and other processes eating up all memory and CPU. Drop-down menus scroll uncontrollably. Please help.


#2 tentoze
  • Topic Starter

Posted 08 May 2016 - 07:46 PM

...


Edited by tentoze, 08 May 2016 - 07:52 PM.


#3 tentoze
  • Topic Starter

Posted 08 May 2016 - 07:50 PM

See attached files. Thank you.

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version:07-05-2016
Ran by et (administrator) on GARBAGE (08-05-2016 20:21:01)
Running from C:\Users\et\Desktop
Loaded Profiles: et (Available Profiles: et)
Platform: Microsoft Windows 7 Starter (X86) Language: English (United States)
Internet Explorer Version 8 (Default browser: IE)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(AVG Technologies CZ, s.r.o.) C:\Program Files\AVG\Av\avgrsx.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files\AVG\Av\avgcsrvx.exe
(Microsoft Corporation) C:\Windows\System32\wlanext.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe
(Intel Corporation) C:\Windows\System32\igfxtray.exe
(Intel Corporation) C:\Windows\System32\hkcmd.exe
(Intel Corporation) C:\Windows\System32\igfxpers.exe
(Dritek System Inc.) C:\Program Files\Launch Manager\LManager.exe
(Synaptics Incorporated) C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
(Intel Corporation) C:\Windows\System32\igfxsrvc.exe
(Acer Incorporated) C:\Program Files\Acer\Acer ePower Management\ePowerTray.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files\AVG\Av\avgui.exe
(Acer Incorporated) C:\Program Files\Acer\Acer VCM\AcerVCM.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files\AVG\Framework\Common\avguix.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files\AVG\Av\avgidsagent.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files\AVG\Framework\Common\avgsvcx.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files\AVG\Av\avgwdsvcx.exe
(Dritek System Inc.) C:\Program Files\Launch Manager\dsiwmis.exe
(Acer Incorporated) C:\Program Files\Acer\Acer ePower Management\ePowerSvc.exe
(Acer Incorporated) C:\Program Files\Acer\Registration\GREGsvc.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files\AVG\Av\avgnsx.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files\AVG\Av\avgemcx.exe
(Acer Incorporated) C:\Program Files\Acer\Acer VCM\RS_Service.exe
(Acer Group) C:\Program Files\Acer\Acer Updater\UpdaterService.exe
(Microsoft Corporation) C:\Windows\System32\wbem\unsecapp.exe
(Intel Corporation) C:\Windows\System32\igfxext.exe
(Synaptics Incorporated) C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
(Dritek System Inc.) C:\Program Files\Launch Manager\LMworker.exe
(Acer Incorporated) C:\Program Files\Acer\Acer ePower Management\ePowerEvent.exe
(Microsoft Corporation) C:\Windows\System32\wuauclt.exe
(Mozilla Corporation) C:\Program Files\Mozilla Firefox\firefox.exe


==================== Registry (Whitelisted) ===========================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [Adobe Reader Speed Launcher] => C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe [35696 2009-02-27] (Adobe Systems Incorporated)
HKLM\...\Run: [RtHDVCpl] => C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe [9874024 2010-11-19] (Realtek Semiconductor)
HKLM\...\Run: [OOTag] => C:\Program Files\Acer\OOBEOffer\OOTag.exe [13856 2010-02-23] (Microsoft)
HKLM\...\Run: [LManager] => C:\Program Files\Launch Manager\LManager.exe [975952 2010-08-10] (Dritek System Inc.)
HKLM\...\Run: [SynTPEnh] => C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [1692968 2010-02-05] (Synaptics Incorporated)
HKLM\...\Run: [Acer ePower Management] => C:\Program Files\Acer\Acer ePower Management\ePowerTray.exe [714120 2011-01-05] (Acer Incorporated)
HKLM\...\Run: [AvgUi] => C:\Program Files\AVG\Framework\Common\avguirnx.exe [186640 2016-04-14] (AVG Technologies CZ, s.r.o.)
HKLM\...\Run: [AVG_UI] => C:\Program Files\AVG\Av\avgui.exe [3930896 2016-04-20] (AVG Technologies CZ, s.r.o.)
HKU\S-1-5-21-1923537549-404146695-4209632777-1000\Control Panel\Desktop\\SCRNSAVE.EXE -> C:\Windows\System32\Acer.scr [456224 2010-07-29] ()
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Acer VCM.lnk [2011-01-11]
ShortcutTarget: Acer VCM.lnk -> C:\Program Files\Acer\Acer VCM\AcerVCM.exe (Acer Incorporated)

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

Tcpip\Parameters: [DhcpNameServer] 75.75.75.75 75.75.76.76
Tcpip\..\Interfaces\{97827D71-D530-44CC-9623-C840D395C730}: [DhcpNameServer] 75.75.75.75 75.75.76.76
Tcpip\..\Interfaces\{F433C961-DA20-4C9D-A7EB-CBC403AE569F}: [DhcpNameServer] 192.168.1.250

Internet Explorer:
==================
BHO: Adobe PDF Link Helper -> {18DF081C-E8AD-4283-A596-FA578C2EBDC3} -> C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll [2009-02-27] (Adobe Systems Incorporated)
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Acer\Acer VCM\Skype4COM.dll [2008-07-02] (Skype Technologies)

FireFox:
========
FF ProfilePath: C:\Users\et\AppData\Roaming\Mozilla\Firefox\Profiles\xzy8wwke.default
FF Homepage: hxxps://mail.google.com/mail/ca/u/0/?shva=1#inbox
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files\Microsoft Silverlight\4.0.50401.0\npctrl.dll [2010-04-01] ( Microsoft Corporation)
FF Extension: Thumbnail Zoom Plus - C:\Users\et\AppData\Roaming\Mozilla\Firefox\Profiles\xzy8wwke.default\extensions\thumbnailZoom@dadler.github.com.xpi [2016-05-07]
FF Extension: Amazon Assistant for Firefox - C:\Users\et\AppData\Roaming\Mozilla\Firefox\Profiles\xzy8wwke.default\Extensions\abb@amazon.com.xpi [2016-05-07]
FF Extension: F.B. Purity - Cleans Up Facebook - C:\Users\et\AppData\Roaming\Mozilla\Firefox\Profiles\xzy8wwke.default\Extensions\fbp@fbpurity.com.xpi [2016-05-07]
FF Extension: Ghostery - C:\Users\et\AppData\Roaming\Mozilla\Firefox\Profiles\xzy8wwke.default\Extensions\firefox@ghostery.com.xpi [2016-05-07]
FF Extension: uBlock Origin - C:\Users\et\AppData\Roaming\Mozilla\Firefox\Profiles\xzy8wwke.default\Extensions\uBlock0@raymondhill.net.xpi [2016-05-07]

==================== Services (Whitelisted) ========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

S3 AvgAMPS; C:\Program Files\AVG\Av\avgamps.exe [638968 2016-04-20] (AVG Technologies CZ, s.r.o.)
R2 AVGIDSAgent; C:\Program Files\AVG\Av\avgidsagent.exe [4016608 2016-04-20] (AVG Technologies CZ, s.r.o.)
R2 avgsvc; C:\Program Files\AVG\Framework\Common\avgsvcx.exe [886032 2016-04-14] (AVG Technologies CZ, s.r.o.)
R2 avgwd; C:\Program Files\AVG\Av\avgwdsvcx.exe [594904 2016-04-20] (AVG Technologies CZ, s.r.o.)
R2 ePowerSvc; C:\Program Files\Acer\Acer ePower Management\ePowerSvc.exe [734592 2011-01-05] (Acer Incorporated)
S3 GameConsoleService; C:\Program Files\Acer Games\Acer Game Console\GameConsoleService.exe [246520 2010-04-03] (WildTangent, Inc.)
R2 GREGService; C:\Program Files\Acer\Registration\GREGsvc.exe [23584 2010-01-08] (Acer Incorporated)
R2 RS_Service; C:\Program Files\Acer\Acer VCM\RS_Service.exe [260640 2010-01-29] (Acer Incorporated)
R2 Updater Service; C:\Program Files\Acer\Acer Updater\UpdaterService.exe [243232 2010-01-28] (Acer Group)
S3 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [680960 2009-07-13] (Microsoft Corporation)

===================== Drivers (Whitelisted) ==========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R1 Avgdiskx; C:\Windows\System32\DRIVERS\avgdiskx.sys [134944 2016-02-16] (AVG Technologies CZ, s.r.o.)
R1 AVGIDSDriver; C:\Windows\System32\DRIVERS\avgidsdriverx.sys [253184 2016-04-20] (AVG Technologies CZ, s.r.o.)
R0 AVGIDSHX; C:\Windows\System32\DRIVERS\avgidshx.sys [207792 2016-01-26] (AVG Technologies CZ, s.r.o.)
R1 AVGIDSShim; C:\Windows\System32\DRIVERS\avgidsshimx.sys [31664 2015-11-20] (AVG Technologies CZ, s.r.o.)
R1 Avgldx86; C:\Windows\System32\DRIVERS\avgldx86.sys [229296 2015-10-21] (AVG Technologies CZ, s.r.o.)
R0 Avglogx; C:\Windows\System32\DRIVERS\avglogx.sys [287008 2016-02-16] (AVG Technologies CZ, s.r.o.)
R0 Avgmfx86; C:\Windows\System32\DRIVERS\avgmfx86.sys [191232 2016-03-29] (AVG Technologies CZ, s.r.o.)
R0 Avgrkx86; C:\Windows\System32\DRIVERS\avgrkx86.sys [46848 2016-04-14] (AVG Technologies CZ, s.r.o.)
R1 Avgtdix; C:\Windows\System32\DRIVERS\avgtdix.sys [231856 2015-10-08] (AVG Technologies CZ, s.r.o.)
R0 avgunivx; C:\Windows\System32\DRIVERS\avgunivx.sys [61696 2016-04-18] (AVG Technologies CZ, s.r.o.)
S3 EUCR; C:\Windows\system32\DRIVERS\EUCR6SK.SYS [82768 2010-06-17] (ENE Technology Inc.)

==================== NetSvcs (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)


==================== One Month Created files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2016-05-08 20:21 - 2016-05-08 20:21 - 00009056 _____ C:\Users\et\Desktop\FRST.txt
2016-05-08 20:16 - 2016-05-08 20:21 - 00000000 ____D C:\FRST
2016-05-08 20:16 - 2016-05-08 20:16 - 01730048 _____ (Farbar) C:\Users\et\Desktop\FRST.exe
2016-05-07 23:41 - 2016-05-08 19:08 - 00000000 ____D C:\NPE
2016-05-07 23:37 - 2016-05-08 19:11 - 00000000 ____D C:\Users\et\AppData\Local\NPE
2016-05-07 23:37 - 2016-05-07 23:38 - 00000000 ____D C:\ProgramData\Norton
2016-05-07 23:35 - 2016-05-08 19:05 - 00000559 _____ C:\Users\et\Desktop\MTB.txt
2016-05-07 23:32 - 2016-05-07 23:34 - 00002388 _____ C:\Users\et\Desktop\Rkill.txt
2016-05-07 23:32 - 2016-05-05 21:26 - 03088296 _____ (Symantec Corporation) C:\Users\et\Desktop\NPE.exe
2016-05-07 23:32 - 2016-05-05 20:49 - 02030536 _____ (Bleeping Computer, LLC) C:\Users\et\Desktop\rkill.exe
2016-05-07 23:32 - 2016-05-05 20:33 - 00448512 _____ (OldTimer Tools) C:\Users\et\Desktop\TFC.exe
2016-05-07 23:32 - 2016-05-05 20:29 - 00891392 _____ (Farbar) C:\Users\et\Desktop\MiniToolBox.exe
2016-05-07 23:31 - 2016-05-07 23:31 - 00000000 ____H C:\Windows\system32\Drivers\Msft_User_WpdFs_01_09_00.Wdf
2016-05-07 23:03 - 2016-05-07 23:03 - 00000000 ____D C:\Windows\NAPP_Dism_Log
2016-05-07 23:00 - 2016-05-07 23:00 - 00000000 ____D C:\Users\et\AppData\Roaming\AVG
2016-05-07 23:00 - 2016-05-07 23:00 - 00000000 ____D C:\Program Files\Common Files\AV
2016-05-07 22:59 - 2016-05-07 22:59 - 00000000 ____D C:\Users\et\AppData\Roaming\TuneUp Software
2016-05-07 22:59 - 2016-05-07 22:59 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\AVG
2016-05-07 22:58 - 2016-05-07 22:58 - 00000000 ___HD C:\$AVG
2016-05-07 22:56 - 2016-05-08 18:58 - 00000000 ____D C:\ProgramData\MFAData
2016-05-07 22:56 - 2016-05-07 22:56 - 00000000 ____D C:\Users\et\AppData\Local\MFAData
2016-05-07 22:52 - 2016-05-07 22:52 - 00000832 _____ C:\Users\Public\Desktop\AVG.lnk
2016-05-07 22:52 - 2016-05-07 22:52 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\AVG Zen
2016-05-07 22:51 - 2016-05-07 22:58 - 00000000 ____D C:\ProgramData\Avg
2016-05-07 22:51 - 2016-05-07 22:57 - 00000000 ____D C:\Program Files\AVG
2016-05-07 22:50 - 2016-05-07 23:00 - 00000000 ____D C:\Users\et\AppData\Local\Avg
2016-05-07 22:50 - 2016-05-07 22:52 - 00000000 ____D C:\Users\et\AppData\Local\AvgSetupLog
2016-05-07 22:49 - 2016-05-07 22:49 - 03078056 _____ (AVG Technologies CZ, s.r.o.) C:\Users\et\Desktop\AVG_Protection_Free_698.exe
2016-05-07 22:45 - 2016-05-07 22:52 - 00000000 ____D C:\Users\et\AppData\Local\Mozilla
2016-05-07 22:45 - 2016-05-07 22:45 - 00001121 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Mozilla Firefox.lnk
2016-05-07 22:45 - 2016-05-07 22:45 - 00001109 _____ C:\Users\Public\Desktop\Mozilla Firefox.lnk
2016-05-07 22:45 - 2016-05-07 22:45 - 00000000 ____D C:\Program Files\Mozilla Maintenance Service
2016-05-07 22:45 - 2016-05-07 22:45 - 00000000 ____D C:\Program Files\Mozilla Firefox
2016-05-07 22:44 - 2016-04-21 15:05 - 00374944 ____N (Microsoft Corporation) C:\Windows\system32\MpSigStub.exe
2016-05-07 22:36 - 2016-05-07 22:36 - 00000000 ____D C:\Users\et\AppData\Roaming\Adobe
2016-05-07 22:31 - 2016-05-07 22:31 - 00000020 _____ C:\Windows\œø 
2016-05-07 22:21 - 2012-06-02 18:19 - 01933848 _____ (Microsoft Corporation) C:\Windows\system32\wuaueng.dll
2016-05-07 22:21 - 2012-06-02 18:19 - 00577048 _____ (Microsoft Corporation) C:\Windows\system32\wuapi.dll
2016-05-07 22:21 - 2012-06-02 18:19 - 00053784 _____ (Microsoft Corporation) C:\Windows\system32\wuauclt.exe
2016-05-07 22:21 - 2012-06-02 18:19 - 00045080 _____ (Microsoft Corporation) C:\Windows\system32\wups2.dll
2016-05-07 22:21 - 2012-06-02 18:19 - 00035864 _____ (Microsoft Corporation) C:\Windows\system32\wups.dll
2016-05-07 22:21 - 2012-06-02 18:12 - 02422272 _____ (Microsoft Corporation) C:\Windows\system32\wucltux.dll
2016-05-07 22:21 - 2012-06-02 18:12 - 00088576 _____ (Microsoft Corporation) C:\Windows\system32\wudriver.dll
2016-05-07 22:21 - 2012-06-02 15:19 - 00171904 _____ (Microsoft Corporation) C:\Windows\system32\wuwebv.dll
2016-05-07 22:21 - 2012-06-02 15:12 - 00033792 _____ (Microsoft Corporation) C:\Windows\system32\wuapp.exe
2016-05-07 22:14 - 2016-05-07 22:14 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\AcerSystem
2016-05-07 22:14 - 2016-05-07 22:14 - 00000000 ____D C:\book
2016-05-07 22:13 - 2016-05-07 22:13 - 00013854 _____ C:\Windows\system32\results.xml
2016-05-07 22:13 - 2016-05-07 22:13 - 00000000 ____D C:\ProgramData\boost_interprocess
2016-05-07 22:11 - 2016-05-07 22:11 - 00000003 _____ C:\Windows\system32\PLD_Framework.cmd
2016-05-07 22:10 - 2016-05-07 22:10 - 00000000 ____D C:\Windows\system32\Lang
2016-05-07 22:10 - 2010-06-16 10:32 - 01006104 _____ (Intel Corporation) C:\Windows\system32\igxpun.exe
2016-05-07 19:59 - 2006-11-29 13:06 - 03426072 _____ (Microsoft Corporation) C:\Windows\system32\d3dx9_32.dll
2016-05-07 19:55 - 2016-05-07 19:55 - 00000000 ____D C:\Program Files\Common Files\Windows Live
2016-05-07 19:50 - 2016-05-07 22:46 - 00000000 ____D C:\Users\et\AppData\Roaming\Mozilla
2016-05-07 19:49 - 2016-05-07 19:49 - 00057560 _____ C:\Users\et\AppData\Local\GDIPFONTCACHEV1.DAT
2016-05-07 19:43 - 2016-05-07 19:43 - 00014978 _____ C:\Windows\devices.txt
2016-05-07 19:40 - 2016-05-07 19:40 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Acer Crystal Eye webcam
2016-05-07 19:40 - 2016-05-07 19:40 - 00000000 ____D C:\Program Files\Acer Crystal Eye webcam
2016-05-07 19:39 - 2016-05-07 19:39 - 00000000 ____H C:\Windows\system32\Drivers\Msft_Kernel_SynTP_01009.Wdf
2016-05-07 19:38 - 2016-05-07 19:38 - 00000000 ____D C:\Program Files\Synaptics
2016-05-07 19:28 - 2016-05-07 19:28 - 00000172 _____ C:\Windows\LMv4.UNI
2016-05-07 19:28 - 2016-05-07 19:28 - 00000000 ____D C:\Program Files\Launch Manager
2016-05-07 19:28 - 2016-05-07 19:28 - 00000000 _____ C:\Windows\Setup.INI
2016-05-07 19:23 - 2010-11-02 00:46 - 00728448 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\dxgkrnl.sys
2016-05-07 19:23 - 2010-11-02 00:41 - 00442880 _____ (Microsoft Corporation) C:\Windows\system32\XpsPrint.dll
2016-05-07 19:23 - 2010-11-02 00:41 - 00283648 _____ (Microsoft Corporation) C:\Windows\system32\XpsGdiConverter.dll
2016-05-07 19:23 - 2010-11-02 00:41 - 00135168 _____ (Microsoft Corporation) C:\Windows\system32\XpsRasterService.dll
2016-05-07 19:23 - 2010-11-02 00:36 - 00801792 _____ (Microsoft Corporation) C:\Windows\system32\FntCache.dll
2016-05-07 19:23 - 2010-11-02 00:35 - 01170944 _____ (Microsoft Corporation) C:\Windows\system32\d3d10warp.dll
2016-05-07 19:23 - 2010-11-02 00:35 - 01074176 _____ (Microsoft Corporation) C:\Windows\system32\DWrite.dll
2016-05-07 19:23 - 2010-11-02 00:35 - 00739840 _____ (Microsoft Corporation) C:\Windows\system32\d2d1.dll
2016-05-07 19:23 - 2010-11-02 00:35 - 00218624 _____ (Microsoft Corporation) C:\Windows\system32\d3d10_1core.dll
2016-05-07 19:23 - 2010-11-02 00:35 - 00161792 _____ (Microsoft Corporation) C:\Windows\system32\d3d10_1.dll
2016-05-07 19:23 - 2010-11-02 00:23 - 00107520 _____ (Microsoft Corporation) C:\Windows\system32\cdd.dll
2016-05-07 19:23 - 2010-11-01 22:37 - 00211968 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\dxgmms1.sys
2016-05-07 19:23 - 2010-06-26 01:14 - 01495040 _____ (Microsoft Corporation) C:\Windows\system32\ExplorerFrame.dll
2016-05-07 19:23 - 2010-05-23 06:15 - 01619456 _____ (Microsoft Corporation) C:\Windows\system32\WMVDECOD.DLL
2016-05-07 19:23 - 2010-05-23 06:11 - 03181568 _____ (Microsoft Corporation) C:\Windows\system32\mf.dll
2016-05-07 19:23 - 2010-05-23 06:11 - 00196608 _____ (Microsoft Corporation) C:\Windows\system32\mfreadwrite.dll
2016-05-07 19:22 - 2016-05-07 19:22 - 00000000 ____D C:\Users\et\AppData\Roaming\Macromedia
2016-05-07 19:21 - 2016-05-07 19:21 - 00001417 _____ C:\Users\et\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer.lnk
2016-05-07 19:21 - 2016-05-07 19:21 - 00000000 ____D C:\Users\et\AppData\Local\EgisTec IPS
2016-05-07 19:19 - 2016-05-07 19:20 - 00000000 ____D C:\Users\et
2016-05-07 19:19 - 2016-05-07 19:19 - 00000020 ___SH C:\Users\et\ntuser.ini
2016-05-07 19:19 - 2016-05-07 19:19 - 00000000 _SHDL C:\Users\et\My Documents
2016-05-07 19:19 - 2016-05-07 19:19 - 00000000 _SHDL C:\Users\et\Documents\My Videos
2016-05-07 19:19 - 2016-05-07 19:19 - 00000000 _SHDL C:\Users\et\Documents\My Pictures
2016-05-07 19:19 - 2016-05-07 19:19 - 00000000 _SHDL C:\Users\et\Documents\My Music
2016-05-07 19:19 - 2016-05-07 19:19 - 00000000 ____D C:\Users\et\AppData\Local\VirtualStore
2016-04-20 14:17 - 2016-04-20 14:17 - 00253184 _____ (AVG Technologies CZ, s.r.o.) C:\Windows\system32\Drivers\avgidsdriverx.sys
2016-04-18 09:10 - 2016-04-18 09:10 - 00061696 _____ (AVG Technologies CZ, s.r.o.) C:\Windows\system32\Drivers\avgunivx.sys
2016-04-14 10:54 - 2016-04-14 10:54 - 00046848 _____ (AVG Technologies CZ, s.r.o.) C:\Windows\system32\Drivers\avgrkx86.sys

==================== One Month Modified files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2016-05-08 19:15 - 2009-07-14 00:34 - 00009696 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2016-05-08 19:15 - 2009-07-14 00:34 - 00009696 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2016-05-08 19:12 - 2011-01-11 19:29 - 00713888 _____ C:\Windows\system32\PerfStringBackup.INI
2016-05-08 19:12 - 2009-07-13 22:37 - 00000000 ____D C:\Windows\inf
2016-05-08 19:07 - 2009-07-14 00:53 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2016-05-07 23:00 - 2009-07-14 00:52 - 00028672 _____ C:\Windows\system32\config\BCD-Template
2016-05-07 22:37 - 2011-01-11 20:35 - 00000000 ____D C:\Program Files\Adobe
2016-05-07 22:35 - 2009-07-13 22:37 - 00000000 ____D C:\Program Files\Common Files\microsoft shared
2016-05-07 22:34 - 2011-01-11 19:57 - 00000000 ___HD C:\Program Files\InstallShield Installation Information
2016-05-07 22:28 - 2011-01-11 20:28 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Acer
2016-05-07 22:28 - 2011-01-11 20:28 - 00000000 ____D C:\Program Files\Acer
2016-05-07 22:25 - 2011-01-11 20:25 - 00000000 ____D C:\ProgramData\McAfee
2016-05-07 22:17 - 2009-07-13 22:37 - 00000000 ____D C:\Windows\rescache
2016-05-07 22:14 - 2009-10-05 16:31 - 00000000 ____D C:\Windows\DeployWinRE2
2016-05-07 22:14 - 2009-07-13 22:37 - 00000000 ____D C:\Windows\system32\sysprep
2016-05-07 22:14 - 2007-07-11 21:49 - 00000000 ____D C:\Windows\Panther
2016-05-07 22:09 - 2011-01-11 20:07 - 00000000 ____D C:\Windows\system32\RTCOM
2016-05-07 20:03 - 2009-07-13 22:37 - 00000000 ____D C:\Windows\Help
2016-05-07 19:52 - 2011-01-11 20:34 - 00000000 ____D C:\ProgramData\oem
2016-05-07 19:50 - 2011-01-11 19:12 - 00000000 ___HD C:\OEM

Some files in TEMP:
====================
C:\Users\et\AppData\Local\Temp\MSN84F9.exe


==================== Bamital & volsnap =================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\explorer.exe => File is digitally signed
C:\Windows\system32\winlogon.exe => File is digitally signed
C:\Windows\system32\wininit.exe => File is digitally signed
C:\Windows\system32\svchost.exe => File is digitally signed
C:\Windows\system32\services.exe => File is digitally signed
C:\Windows\system32\User32.dll => File is digitally signed
C:\Windows\system32\userinit.exe => File is digitally signed
C:\Windows\system32\rpcss.dll => File is digitally signed
C:\Windows\system32\dnsapi.dll => File is digitally signed
C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed


LastRegBack: 2016-05-08 19:54

==================== End of FRST.txt ============================
Additional scan result of Farbar Recovery Scan Tool (x86) Version:07-05-2016
Ran by et (2016-05-08 20:22:21)
Running from C:\Users\et\Desktop
Microsoft Windows 7 Starter (X86) (2016-05-07 23:19:49)
Boot Mode: Normal
==========================================================


==================== Accounts: =============================

Administrator (S-1-5-21-1923537549-404146695-4209632777-500 - Administrator - Disabled)
et (S-1-5-21-1923537549-404146695-4209632777-1000 - Administrator - Enabled) => C:\Users\et
Guest (S-1-5-21-1923537549-404146695-4209632777-501 - Limited - Disabled)

==================== Security Center ========================

(If an entry is included in the fixlist, it will be removed.)

AV: AVG AntiVirus Free Edition (Enabled - Up to date) {4D41356F-32AD-7C42-C820-63775EE4F413}
AS: Windows Defender (Disabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
AS: AVG AntiVirus Free Edition (Enabled - Up to date) {F620D48B-1497-73CC-F290-58052563BEAE}

==================== Installed Programs ======================

(Only the adware programs with "Hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)

Acer Crystal Eye webcam (HKLM\...\{51F026FA-5146-4232-A8BA-1364740BD053}) (Version: 1.0.5.2 - Liteon)
Acer ePower Management (HKLM\...\{3DB0448D-AD82-4923-B305-D001E521A964}) (Version: 5.00.3009 - Acer Incorporated)
Acer eRecovery Management (HKLM\...\{7F811A54-5A09-4579-90E1-C93498E230D9}) (Version: 4.05.3013 - Acer Incorporated)
Acer Game Console (Version: - WildTangent) Hidden
Acer Games (HKLM\...\WildTangent acer Master Uninstall) (Version: 1.0.1.3 - WildTangent)
Acer Registration (HKLM\...\Acer Registration) (Version: 1.03.3003 - Acer Incorporated)
Acer ScreenSaver (HKLM\...\Acer Screensaver) (Version: 1.1.1122.2010 - Acer Incorporated)
Acer Updater (HKLM\...\{EE171732-BEB4-4576-887D-CB62727F01CA}) (Version: 1.02.3001 - Acer Incorporated)
Acer VCM (HKLM\...\{047F790A-7A2A-4B6A-AD02-38092BA63DAC}) (Version: 4.05.3004 - Acer Incorporated)
Adobe Flash Player 10 ActiveX (HKLM\...\Adobe Flash Player ActiveX) (Version: 10.1.102.64 - Adobe Systems Incorporated)
Adobe Reader 9.1 MUI (HKLM\...\{AC76BA86-7AD7-FFFF-7B44-A91000000001}) (Version: 9.1.0 - Adobe Systems Incorporated)
Atheros Communications Inc.® AR81Family Gigabit/Fast Ethernet Driver (HKLM\...\{3108C217-BE83-42E4-AE9E-A56A2A92E549}) (Version: 1.0.0.35 - Atheros Communications Inc.)
AVG (HKLM\...\AvgZen) (Version: 1.51.2.3593 - AVG Technologies)
AVG (Version: 16.71.7596 - AVG Technologies) Hidden
AVG 2016 (Version: 16.0.4565 - AVG Technologies) Hidden
AVG Protection (HKLM\...\AVG) (Version: 2016.71.7596 - AVG Technologies)
AVG Zen (Version: 1.51.58 - AVG Technologies) Hidden
Bejeweled 2 Deluxe (Version: 2.2.0.95 - WildTangent) Hidden
Blackhawk Striker 2 (Version: 2.2.0.95 - WildTangent) Hidden
Chuzzle Deluxe (Version: 2.2.0.95 - WildTangent) Hidden
Diner Dash 2 Restaurant Rescue (Version: 2.2.0.95 - WildTangent) Hidden
Dora's Carnival Adventure (Version: 2.2.0.95 - WildTangent) Hidden
ENE USB Card Reader Driver (HKLM\...\3B29FD3CCF1F5B855DA0C521597413EBABE97DFB) (Version: 5.89.0.70 - ENE)
eSobi v2 (HKLM\...\InstallShield_{15D967B5-A4BE-42AE-9E84-64CD062B25AA}) (Version: 2.0.4.000274 - esobi Inc.)
eSobi v2 (Version: 2.0.4.000274 - esobi Inc.) Hidden
Farm Frenzy (Version: 2.2.0.95 - WildTangent) Hidden
FATE (Version: 2.2.0.95 - WildTangent) Hidden
Final Drive Nitro (Version: 2.2.0.95 - WildTangent) Hidden
FMW 1 (Version: 1.73.2 - AVG Technologies) Hidden
Identity Card (HKLM\...\Identity Card) (Version: 1.00.3003 - Acer Incorporated)
Insaniquarium Deluxe (Version: 2.2.0.95 - WildTangent) Hidden
Intel® Graphics Media Accelerator Driver (HKLM\...\HDMI) (Version: 8.14.10.2117 - Intel Corporation)
Intel® Rapid Storage Technology (HKLM\...\{3E29EE6C-963A-4aae-86C1-DC237C4A49FC}) (Version: 9.6.4.1002 - Intel Corporation)
Jewel Quest - Heritage (Version: 2.2.0.95 - WildTangent) Hidden
Jewel Quest (Version: 2.2.0.95 - WildTangent) Hidden
Jewel Quest Solitaire 2 (Version: 2.2.0.95 - WildTangent) Hidden
Launch Manager (HKLM\...\LManager) (Version: 4.0.14 - Acer Inc.)
Microsoft Silverlight (HKLM\...\{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}) (Version: 4.0.50401.0 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17 (HKLM\...\{9A25302D-30C0-39D9-BD6F-21E6EC160475}) (Version: 9.0.30729 - Microsoft Corporation)
Mozilla Firefox 46.0.1 (x86 en-US) (HKLM\...\Mozilla Firefox 46.0.1 (x86 en-US)) (Version: 46.0.1 - Mozilla)
Mozilla Maintenance Service (HKLM\...\MozillaMaintenanceService) (Version: 46.0.1 - Mozilla)
Penguins! (Version: 2.2.0.95 - WildTangent) Hidden
Plants vs. Zombies (Version: 2.2.0.95 - WildTangent) Hidden
Polar Bowler (Version: 2.2.0.95 - WildTangent) Hidden
Realtek High Definition Audio Driver (HKLM\...\{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}) (Version: 6.0.1.6246 - Realtek Semiconductor Corp.)
Synaptics Pointing Device Driver (HKLM\...\SynTPDeinstKey) (Version: 15.0.7.0 - Synaptics Incorporated)
Virtual Villagers 4 - The Tree of Life (Version: 2.2.0.95 - WildTangent) Hidden
Visual Studio 2012 x86 Redistributables (HKLM\...\{98EFF19A-30AB-4E4B-B943-F06B1C63EBF8}) (Version: 14.0.0.1 - AVG Technologies CZ, s.r.o.)
Zuma Deluxe (Version: 2.2.0.95 - WildTangent) Hidden
Zuma's Revenge (Version: 2.2.0.95 - WildTangent) Hidden

==================== Custom CLSID (Whitelisted): ==========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)


==================== Scheduled Tasks (Whitelisted) =============

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)


(If an entry is included in the fixlist, the task (.job) file will be moved. The file which is running by the task will not be moved.)


==================== Shortcuts =============================

(The entries could be listed to be restored or removed.)

==================== Loaded Modules (Whitelisted) ==============

2011-01-11 19:14 - 2009-05-20 02:02 - 00072200 _____ () C:\Program Files\Launch Manager\CdDirIo.dll
2016-05-07 22:51 - 2016-05-07 22:50 - 40500224 _____ () C:\Program Files\AVG\UiDll\2171\libcef.dll

==================== Alternate Data Streams (Whitelisted) =========

(If an entry is included in the fixlist, only the ADS will be removed.)


==================== Safe Mode (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The "AlternateShell" value will be restored.)

HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\McMPFSvc => ""="Service"

==================== Association (Whitelisted) ===============

(If an entry is included in the fixlist, the registry item will be restored to default or removed.)


==================== Internet Explorer trusted/restricted ===============

(If an entry is included in the fixlist, it will be removed from the registry.)


==================== Hosts content: ===============================

(If needed Hosts: directive could be included in the fixlist to reset Hosts.)

2009-07-13 22:04 - 2009-06-10 17:39 - 00000824 ____A C:\Windows\system32\Drivers\etc\hosts


==================== Other Areas ============================

(Currently there is no automatic fix for this section.)

HKU\S-1-5-21-1923537549-404146695-4209632777-1000\Control Panel\Desktop\\Wallpaper -> %windir%\web\wallpaper\windows\img0.jpg
DNS Servers: 75.75.75.75 - 75.75.76.76
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System => (ConsentPromptBehaviorAdmin: 5) (ConsentPromptBehaviorUser: 3) (EnableLUA: 1)
Windows Firewall is enabled.

==================== MSCONFIG/TASK MANAGER disabled items ==

(Currently there is no automatic fix for this section.)


==================== FirewallRules (Whitelisted) ===============

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

FirewallRules: [{8524F189-0CD9-41C9-86FD-ACC6F06DBB58}] => (Allow) C:\Program Files\Common Files\mcafee\mcsvchost\McSvHost.exe
FirewallRules: [{FB507CA1-EEB7-4F85-AF33-5FA8724CF4CA}] => (Allow) C:\Program Files\Common Files\mcafee\mcsvchost\McSvHost.exe
FirewallRules: [{45A71F74-013D-46DD-971A-27D6550BDE91}] => (Allow) C:\Program Files\Acer\Acer VCM\VC.exe
FirewallRules: [{8D5069FD-CBF0-4ED0-BDEF-74CC9B20DA61}] => (Allow) C:\Program Files\Acer\Acer VCM\RS_Service.exe
FirewallRules: [{3D5A7244-C964-494C-8113-AC9526D9C6D5}] => (Allow) C:\Program Files\Mozilla Firefox\firefox.exe
FirewallRules: [{4DAC874C-F745-4635-A2D4-61B4A659C8DF}] => (Allow) C:\Program Files\Mozilla Firefox\firefox.exe
FirewallRules: [{32F3EDA4-6729-4063-8023-EF16634AEC1A}] => (Allow) C:\Program Files\AVG\Av\avgnsx.exe
FirewallRules: [{5A7D4648-3990-4C14-9332-361E154CB7EB}] => (Allow) C:\Program Files\AVG\Av\avgnsx.exe
FirewallRules: [{6918D6CA-05A7-47B8-A9E1-7166710F2173}] => (Allow) C:\Program Files\AVG\Av\avgdiagex.exe
FirewallRules: [{99A21A7C-79BB-46CA-863C-A830B97C1E53}] => (Allow) C:\Program Files\AVG\Av\avgdiagex.exe
FirewallRules: [{6896C2E6-F650-4BE2-A88E-57429E13C880}] => (Allow) C:\Program Files\AVG\Av\avgmfapx.exe
FirewallRules: [{74E1EE46-BA60-49A6-A443-7B15D09006F1}] => (Allow) C:\Program Files\AVG\Av\avgmfapx.exe
FirewallRules: [{AF6EEE3E-5C43-414A-8ABC-CF8CEBF64178}] => (Allow) C:\Program Files\AVG\Av\avgemcx.exe
FirewallRules: [{D6636B13-76A0-42F8-BA62-79C61554D796}] => (Allow) C:\Program Files\AVG\Av\avgemcx.exe

==================== Restore Points =========================

07-05-2016 19:22:53 Windows Update
07-05-2016 19:24:27 Windows Update
07-05-2016 19:51:22 Installed Acer ePower Management
07-05-2016 19:54:17 Installed Microsoft Office 2010
07-05-2016 19:59:02 Installed DirectX
07-05-2016 22:19:58 Windows Update
07-05-2016 22:26:30 Removed Microsoft Office 2010
07-05-2016 22:27:14 Removed Norton Online Backup
07-05-2016 22:32:41 Removed MyWinLocker Suite
07-05-2016 22:35:18 Removed Windows Live Sign-in Assistant
07-05-2016 22:35:52 Removed Windows Live Sync
07-05-2016 22:36:22 Removed Windows Live Upload Tool
07-05-2016 22:37:07 Removed Acrobat.com
07-05-2016 22:43:12 Windows Update
07-05-2016 22:56:56 Installed AVG 2016
07-05-2016 22:57:44 Installed AVG
07-05-2016 23:46:06 Norton_Power_Eraser_20160507234603484

==================== Faulty Device Manager Devices =============


==================== Event log errors: =========================

Application errors:
==================
Error: (05/07/2016 10:57:46 PM) (Source: Microsoft-Windows-CAPI2) (EventID: 513) (User: )
Description: Cryptographic Services failed while processing the OnIdentity() call in the System Writer Object.

Details:
AddLegacyDriverFiles: Unable to back up image of binary mwlPSDVDisk.

System Error:
The system cannot find the file specified.
.

Error: (05/07/2016 10:57:46 PM) (Source: Microsoft-Windows-CAPI2) (EventID: 513) (User: )
Description: Cryptographic Services failed while processing the OnIdentity() call in the System Writer Object.

Details:
AddLegacyDriverFiles: Unable to back up image of binary mwlPSDNServ.

System Error:
The system cannot find the file specified.
.

Error: (05/07/2016 10:57:46 PM) (Source: Microsoft-Windows-CAPI2) (EventID: 513) (User: )
Description: Cryptographic Services failed while processing the OnIdentity() call in the System Writer Object.

Details:
AddLegacyDriverFiles: Unable to back up image of binary mwlPSDFilter.

System Error:
The system cannot find the file specified.
.

Error: (05/07/2016 10:56:57 PM) (Source: Microsoft-Windows-CAPI2) (EventID: 513) (User: )
Description: Cryptographic Services failed while processing the OnIdentity() call in the System Writer Object.

Details:
AddLegacyDriverFiles: Unable to back up image of binary mwlPSDVDisk.

System Error:
The system cannot find the file specified.
.

Error: (05/07/2016 10:56:57 PM) (Source: Microsoft-Windows-CAPI2) (EventID: 513) (User: )
Description: Cryptographic Services failed while processing the OnIdentity() call in the System Writer Object.

Details:
AddLegacyDriverFiles: Unable to back up image of binary mwlPSDNServ.

System Error:
The system cannot find the file specified.
.

Error: (05/07/2016 10:56:57 PM) (Source: Microsoft-Windows-CAPI2) (EventID: 513) (User: )
Description: Cryptographic Services failed while processing the OnIdentity() call in the System Writer Object.

Details:
AddLegacyDriverFiles: Unable to back up image of binary mwlPSDFilter.

System Error:
The system cannot find the file specified.
.

Error: (05/07/2016 10:43:14 PM) (Source: Microsoft-Windows-CAPI2) (EventID: 513) (User: )
Description: Cryptographic Services failed while processing the OnIdentity() call in the System Writer Object.

Details:
AddLegacyDriverFiles: Unable to back up image of binary mwlPSDVDisk.

System Error:
The system cannot find the file specified.
.

Error: (05/07/2016 10:43:14 PM) (Source: Microsoft-Windows-CAPI2) (EventID: 513) (User: )
Description: Cryptographic Services failed while processing the OnIdentity() call in the System Writer Object.

Details:
AddLegacyDriverFiles: Unable to back up image of binary mwlPSDNServ.

System Error:
The system cannot find the file specified.
.

Error: (05/07/2016 10:43:14 PM) (Source: Microsoft-Windows-CAPI2) (EventID: 513) (User: )
Description: Cryptographic Services failed while processing the OnIdentity() call in the System Writer Object.

Details:
AddLegacyDriverFiles: Unable to back up image of binary mwlPSDFilter.

System Error:
The system cannot find the file specified.
.

Error: (05/07/2016 10:37:08 PM) (Source: Microsoft-Windows-CAPI2) (EventID: 513) (User: )
Description: Cryptographic Services failed while processing the OnIdentity() call in the System Writer Object.

Details:
AddLegacyDriverFiles: Unable to back up image of binary mwlPSDVDisk.

System Error:
The system cannot find the file specified.
.


System errors:
=============
Error: (05/08/2016 07:06:05 PM) (Source: Service Control Manager) (EventID: 7030) (User: )
Description: The NPEService service is marked as an interactive service. However, the system is configured to not allow interactive services. This service may not function properly.

Error: (05/07/2016 11:38:46 PM) (Source: Service Control Manager) (EventID: 7030) (User: )
Description: The NPEService service is marked as an interactive service. However, the system is configured to not allow interactive services. This service may not function properly.

Error: (05/07/2016 08:01:51 PM) (Source: DCOM) (EventID: 10010) (User: )
Description: {AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}

Error: (05/07/2016 07:26:51 PM) (Source: Service Control Manager) (EventID: 7023) (User: )
Description: The Windows Modules Installer service terminated with the following error:
%%16405

Error: (05/07/2016 07:21:36 PM) (Source: Service Control Manager) (EventID: 7022) (User: )
Description: The Windows Search service hung on starting.


==================== Memory info ===========================

Processor: Intel® Atom™ CPU N455 @ 1.66GHz
Percentage of memory in use: 63%
Total physical RAM: 2037.09 MB
Available physical RAM: 749.02 MB
Total Virtual: 4074.19 MB
Available Virtual: 2653.95 MB

==================== Drives ================================

Drive c: (Acer) (Fixed) (Total:135.95 GB) (Free:114.44 GB) NTFS

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (MBR Code: Windows 7 or 8) (Size: 149.1 GB) (Disk ID: C8028B63)
Partition 1: (Not Active) - (Size=13 GB) - (Type=27)
Partition 2: (Active) - (Size=100 MB) - (Type=07 NTFS)
Partition 3: (Not Active) - (Size=136 GB) - (Type=07 NTFS)

==================== End of Addition.txt ============================

Edited by Oh My!, 09 May 2016 - 07:47 PM.


#4 Oh My!

  • Malware Response Instructor

Posted 09 May 2016 - 07:53 PM

Greetings tentoze and welcome to BleepingComputer's Virus/Trojan/Spyware/Malware Removal forum.

My name is Oh My! and I am here to help you! Now that we are "friends" please call me Gary.

If you would allow me to call you by your first name I would prefer to do that.

===================================================

Ground Rules:
  • First, I would like to inform you that most of us here at Bleeping Computer offer our expert assistance out of the goodness of our hearts. Please try to match our commitment to you with your patience toward us. If this was easy we would never have met.
  • Please do not run any tools or take any steps other than those I will provide for you while we work on your computer together. I need to be certain about the state of your computer in order to provide appropriate and effective steps for you to take. Most often "well intentioned" (and usually panic driven!) independent efforts can make things much worse for both of us. If at any point you would prefer to take your own steps please let me know, I will not be offended. I would be happy to focus on the many others who are waiting in line for assistance.
  • Please perform all steps in the order they are listed in each set of instructions. Some steps may be a bit complicated. If things are not clear, be sure to stop and let me know. We need to work on this together with confidence.
  • Please copy and paste all logs into your post unless directed otherwise. Please do not re-run any programs I suggest. If you encounter problems simply stop and tell me.
  • When you post your reply, use the Reply to Topic button instead.
  • In the upper right hand corner of the topic you will see the Follow Topic button. Click on this then choose Immediate E-Mail notification and then Proceed and you will be sent an email once I have posted a response.
  • If you do not reply to your topic after 5 days we assume it has been abandoned and I will close it.
  • When your computer is clean I will alert you of such. I will also provide for you detailed information about how you can combat future infections.
  • I would like to remind you to make no further changes to your computer unless I direct you to do so.
===================================================

Now that I am assisting you, you can expect that I will be very responsive to your situation. If you are able, I would request you check this thread at least once per day so that we can try to resolve your issues effectively and efficiently. If you are going to be delayed please be considerate and post that information so that I know you are still with me. Unfortunately, there are many people waiting to be assisted and not enough of us at BleepingComputer to go around. I appreciate your understanding and diligence.

Thank you for your patience thus far.

Please do this.

===================================================

Farbar's Recovery Scan Tool - Run Fix in Normal or Safe Mode

--------------------
  • Press the Windows key + r on your keyboard at the same time. Type in notepad and press Enter
  • Click Format and check Word Wrap
  • Please copy and paste the contents of the below code box into the open notepad and save it to your Desktop as fixlist.txt. If FRST.exe is not on your Desktop please move it to that location. (<<<Important)
CreateRestorePoint:
CloseProcesses:
C:\Users\et\AppData\Local\Temp\MSN84F9.exe
2016-05-07 22:59 - 2016-05-07 22:59 - 00000000 ____D C:\Users\et\AppData\Roaming\TuneUp Software
cmd: dir C:\Windows\ø /s
  • Launch FRST and press the Fix button just once and wait, the program will automatically launch fixlist.txt.
  • The tool will create a log on the desktop called Fixlog.txt. Please copy and paste the contents of the file in your reply.
===================================================

AdwCleaner by Xplode - Delete Adware

-------------------
  • Please download AdwCleaner by Xplode onto your desktop.
  • Close all open programs and internet browser
  • Double click on AdwCleaner.exe, click Run, then select I agree if it appears
  • Click Scan
  • Once the scan has completed you will see Pending. Please check elements you don't want to remove above the progress bar
  • Click on Clean
  • Confirm the cleaning and rebooting of your computer by clicking OK
  • Your computer will be rebooted automatically. A text file will open after the restart
  • Copy and paste the contents in your reply
  • You can also find the logfile at C:\AdwCleaner\AdwCleaner.txt
===================================================

System Summary Information

--------------------
  • Press the Windows key + r on your keyboard at the same time
  • Type msinfo32 and press Enter
  • Left click on System Summary
  • Click File, Save, and name the file Summary
  • Zip and attach the file to your reply
===================================================

Things I would like to see in your next reply. Please be sure to copy and paste any requested log information unless you are asked to attach it.
  • Fixlog
  • AdwCleaner log
  • System Summary Information
  • Update on computer behavior

Gary
 
If I do not reply within 24 hours please send me a Personal Message.

"May you be richly rewarded by the Lord, the God of Israel, under whose wings you have come to take refuge."

#5 tentoze

  • Topic Starter

Posted 10 May 2016 - 08:10 AM

Hi Gary,

Please call me eric. Thank you for your prompt response! I have followed the steps in your message.

fixlog.txt:

Fix result of Farbar Recovery Scan Tool (x86) Version:09-05-2016
Ran by et (2016-05-10 08:29:30) Run:1
Running from C:\Users\et\Desktop
Loaded Profiles: et (Available Profiles: et)
Boot Mode: Normal

==============================================

fixlist content:
*****************
CreateRestorePoint:
CloseProcesses:
C:\Users\et\AppData\Local\Temp\MSN84F9.exe
2016-05-07 22:59 - 2016-05-07 22:59 - 00000000 ____D C:\Users\et\AppData\Roaming\TuneUp Software
cmd: dir C:\Windows\ø /s
*****************

Restore point was successfully created.
Processes closed successfully.
C:\Users\et\AppData\Local\Temp\MSN84F9.exe => moved successfully
C:\Users\et\AppData\Roaming\TuneUp Software => moved successfully

=========  dir C:\Windows\ø /s =========

 Volume in drive C is Acer
 Volume Serial Number is 1E0E-4624
File Not Found

========= End of CMD: =========



The system needed a reboot.

==== End of Fixlog 08:31:48 ====

adwCleaner.txt:

# AdwCleaner v5.116 - Logfile created 10/05/2016 at 08:43:25
# Updated 09/05/2016 by Xplode
# Database : 2016-05-09.1 [Server]
# Operating system : Windows 7 Starter  (X86)
# Username : et - GARBAGE
# Running from : C:\Users\et\Desktop\AdwCleaner.exe
# Option : Clean
# Support : http://toolslib.net/forum

***** [ Services ] *****


***** [ Folders ] *****


***** [ Files ] *****

[-] File Deleted : C:\Users\et\AppData\Roaming\Mozilla\Firefox\Profiles\xzy8wwke.default\extensions\abb@amazon.com.xpi

***** [ DLLs ] *****


***** [ WMI ] *****


***** [ Shortcuts ] *****


***** [ Scheduled tasks ] *****


***** [ Registry ] *****

[-] Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{EE171732-BEB4-4576-887D-CB62727F01CA}

***** [ Web browsers ] *****


*************************

:: "Tracing" keys deleted
:: Winsock settings cleared

*************************

C:\AdwCleaner\AdwCleaner[C1].txt - [936 bytes] - [10/05/2016 08:43:25]
C:\AdwCleaner\AdwCleaner[S1].txt - [985 bytes] - [10/05/2016 08:40:58]

########## EOF - C:\AdwCleaner\AdwCleaner[C1].txt - [1080 bytes] ##########

I am attaching the Summary zip file.

As for current behavior of the computer, I cannot tell a substantial difference so far, but it has only been a few minutes since I ran the above programs. CPU usage seems not to be maxing out, about 1/2 of the 2 gb of RAM seems available, and I don't see the runws.exe or SWUSB.exe files under task manager now.

Regards,

eric


#6 Oh My!

  • Malware Response Instructor

Posted 10 May 2016 - 10:00 AM

Greetings Eric, nice to meet you.

Please do this.

===================================================

Farbar's Recovery Scan Tool - Run Fix in Normal or Safe Mode

--------------------
  • Press the Windows key + r on your keyboard at the same time. Type in notepad and press Enter
  • Please copy and paste the contents of the below code box into the open notepad and save it as fixlist.txt in the same location/folder as FRST.exe (<<<Important)
emptytemp:
  • Right click on FRST.exe, select Run as administrator then press the Fix button
  • When completed the tool will create a log on the desktop called Fixlog.txt. Please copy and paste the contents of the file in your reply.
===================================================

ESET Online Scanner

--------------------

I'd like us to scan your machine with ESET Online Scanner. This process may take several hours, that is normal.
  • Download esetsmartinstaller_enu.exe and save it to your Desktop
  • Double click the icon
  • Check YES, I accept the Terms of Use
  • Click the Start button
  • Accept any security warnings from your browser
  • Click Advanced settings
  • Check the following items

Enable detection of potentially unwanted applications
Remove found threats
Scan archives
Scan for potentially unsafe applications
Enable Anti-Stealth technology

  • Click Start
  • ESET will then download updates and begin scanning your computer
  • If no threats are found simply click Uninstall application on close and hit Finish
  • If threats are found click List of found threats
  • Click Export to text file
  • Save the file on your Desktop as ESET.txt
  • Click Back
  • Check Uninstall application on close
  • Click Finish
  • Close the ESET Online Scanner window
  • Copy and paste the contents of ESET.txt in your reply
===================================================

screen317's Security Check

--------------------
  • Please download screen317's Security Check to your desktop
  • Double-click icon to launch the program
  • Click OK
  • Select Run Note: If you receive an error message saying UNSUPPORTED OPERATING SYSTEM! ABORTED! reboot your computer and attempt to run it again
  • Allow the program to run
  • A Notepad document will open on your desktop. Please copy and paste the contents in your reply
===================================================

Things I would like to see in your next reply. Please be sure to copy and paste any requested log information unless you are asked to attach it.
  • Fixlog
  • ESET log
  • Security Check log
  • How is your computer running?

Gary
 
If I do not reply within 24 hours please send me a Personal Message.

"May you be richly rewarded by the Lord, the God of Israel, under whose wings you have come to take refuge."

#7 tentoze

  • Topic Starter

Posted 10 May 2016 - 12:18 PM

Hi Gary,

fixlog.txt:

Fix result of Farbar Recovery Scan Tool (x86) Version:09-05-2016
Ran by et (2016-05-10 11:20:03) Run:2
Running from C:\Users\et\Desktop\frst
Loaded Profiles: et (Available Profiles: et)
Boot Mode: Normal

==============================================

fixlist content:
*****************
emptytemp:
*****************

EmptyTemp: => 390.4 MB temporary data Removed.


The system needed a reboot.

==== End of Fixlog 11:20:43 ====

eset.txt:

C:\OEM\Preload\Autorun\DRV\Intel Wireless LAN INT1000H\ashampoo_burning_studio_6_free_6.77_4280.exe    a variant of Win32/Toolbar.Conduit.B potentially unwanted application    deleted
C:\OEM\Preload\Autorun\DRV\Intel Wireless LAN INT6205H\ashampoo_burning_studio_6_free_6.77_4280.exe    a variant of Win32/Toolbar.Conduit.B potentially unwanted application    deleted

security checkup:

 Results of screen317's Security Check version 1.014 --- 12/23/15  
 Windows 7  x86 (UAC is enabled)  
 Out of date service pack!!
``````````````Antivirus/Firewall Check:``````````````
 Windows Firewall Enabled!  
AVG AntiVirus Free Edition   
 Antivirus up to date!   
`````````Anti-malware/Other Utilities Check:`````````
 Adobe Flash Player 10 Flash Player out of Date!
 Adobe Reader 9 Adobe Reader out of Date!
 Mozilla Firefox (46.0.1)
````````Process Check: objlist.exe by Laurent````````  
 AVG avgrsx.exe
 AVG avgnsx.exe
 AVG avgemc.exe
`````````````````System Health check`````````````````
 Total Fragmentation on Drive C: 4%
````````````````````End of Log``````````````````````

As for how computer is running, perhaps a bit better, but difficult to be definitive yet. Web pages still a bit slow, as is scrolling on web pages.

When I rebooted after running FRST, my antivirus (AVG) deleted FRST.exe, saying it contained a threat of IDP.Alexa.

Regards,

eric


#8 tentoze

  • Topic Starter

Posted 10 May 2016 - 01:07 PM

After a few minutes, I'd say internet browsing with Firefox is as slow and jerky as it was before, which is what led me here.



#9 Oh My!

  • Malware Response Instructor

Posted 10 May 2016 - 01:18 PM

Thanks Eric,

Thanks for the information.

Please do these things.

Hit the Windows Key + R at the same time. Type winsrv and hit Enter. Please tell me if that screen indicates you have Service Pack 1 installed.

===================================================

Update Adobe Flash Player

--------------------
  • Download Adobe Flash Player here and save it to your desktop. Uncheck "Yes, install McAfee Security Scan Plus - optional"
  • Close any open browsers
  • Click on Install Now
  • Click Save File and save the file to your Desktop
  • Double click the Desktop icon
  • Select either Allow Adobe to install updates (recommended) or Notify me to install updates then click Next
  • When completed click Finish
===================================================

Update Adobe Reader

--------------------

Your Adobe Reader is out of date and a security concern. Here is some excellent information and a video which explains the importance of minimizing the risk of infection through compromised PDF files.
  • Please visit Adobe Reader
  • Uncheck the McAfee optional offer
  • Click Install now
  • Save the file to your desktop
  • Double click the installation icon
  • Select Run
  • When completed click Finish
  • Press the Windows key + R at the same time
  • Type appwiz.cpl, press Enter, and allow the Programs list to populate
  • Uninstall every Adobe Reader program except the one just downloaded and installed
===================================================

Things I would like to see in your next reply. Please be sure to copy and paste any requested log information unless you are asked to attach it.
  • Service Pack 1?
  • Did the programs update properly?

Gary
 
If I do not reply within 24 hours please send me a Personal Message.

"May you be richly rewarded by the Lord, the God of Israel, under whose wings you have come to take refuge."

#10 tentoze

  • Topic Starter

Posted 10 May 2016 - 02:38 PM

Hi Gary,

When I tried to run winsrv, I got an error message, Windows cannot find "winsrv". However, I did check in Control Panel and it is running Service Pack 1, which was installed when I rebooted after the previous set of instructions.

Adobe Flash Player and Acrobat Reader appear to have updated/installed properly, and there were no previous versions of Acrobat installed. I had reinstalled the OS a few days ago trying to make things better, so that is why I assume there were no older versions of Adobe programs found.

Regards,

eric


Edited by tentoze, 10 May 2016 - 02:39 PM.


#11 Oh My!

  • Malware Response Instructor

Posted 10 May 2016 - 02:57 PM

Excellent, thank you.

A couple things please. Can you tell me if Internet Explorer is working properly? And please do this.

===================================================

Running Firefox in Browser Safe Mode

--------------------
  • Press the Windows key + r on your keyboard at the same time
  • Copy and paste the following into the run box and press Enter

firefox --safe-mode

  • Select Start in Safe Mode
  • Please report how Firefox is running
===================================================

Things I would like to see in your next reply. Please be sure to copy and paste any requested log information unless you are asked to attach it.
  • Internet Explorer?
  • Firefox?

Gary
 
If I do not reply within 24 hours please send me a Personal Message.

"May you be richly rewarded by the Lord, the God of Israel, under whose wings you have come to take refuge."

#12 tentoze

  • Topic Starter

Posted 10 May 2016 - 03:34 PM

Hi Gary,

Internet Explorer- loaded facebook page, got dialog box- "Stop running this script? A script on this page is..." Navigated to tumblr- page would not completely create log-in input box in order to log in.

Firefox- started in safe mode. tumblr page loads are sluggish. Facebook page loads are sluggish. Sluggish, as in about the same as things were before we started this.

The script message in IE is similar to messages I got routinely in Firefox and Chrome before we started this.

Regards,

eric

 



#13 Oh My!

  • Malware Response Instructor

Posted 10 May 2016 - 04:24 PM

Are you having any issues besides slow browsers?

Gary
 
If I do not reply within 24 hours please send me a Personal Message.

"May you be richly rewarded by the Lord, the God of Israel, under whose wings you have come to take refuge."

#14 tentoze

  • Topic Starter

Posted 10 May 2016 - 07:15 PM

Other than some odd cpu usage spikes with basically nothing running but task manager, I'm not seeing anything untoward.



#15 tentoze

  • Topic Starter

Posted 11 May 2016 - 12:28 PM

As an update, things have gone from sluggish to Firefox locking up with "Unresponsive Script" dialog boxes for anywhere from 5 minutes to indefinitely, requiring me to shut it down through task manager (which is also unresponsive).





