Thrown a lot at google.ru and it will not just jog on


This topic is locked
43 replies to this topic

#1 originaloli
  • Members
  • 28 posts

Posted 12 May 2016 - 10:41 AM

Hi,

I have read BleepingComputer a few times, never posted. But this time it's different. A redirect virus under the guise of /google.ru refuses to go away. So far I have tried:

  • Farbar FRST and MiniToolBox
  • RogueKiller (finds HKEY PUMs, changes them, they reappear)
  • Kaspersky TDSSKiller
  • RKill
  • Emsisoft
  • Avast
  • MBAM
  • HitmanPro
  • JRT
  • AdwCleaner
  • McAfee (preinstalled three years ago!)

I have also reset Windows 10, then reset again deleting files, and finally gone back to factory settings (Windows 8). That's where I am now.

I can't not use my computer, but I am minimising time on it, especially with the connection open. RKill this morning found that Windows Defender has been disabled, and McAfee seems to have gone away too.

Any ideas before I format the disk and install Windows 10 from scratch?

Oli

FRST log:

 

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version:09-05-2016
Ran by Oli (administrator) on Trevor (12-05-2016 10:04:55)
Running from D:\Programs
Loaded Profiles: Oli (Available Profiles: Oli)
Platform: Windows 8 (X64) Language: English (United Kingdom)
Internet Explorer Version 10 (Default browser: IE)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(Microsoft Corporation) C:\Windows\System32\wlanext.exe
(AMD) C:\Windows\System32\SET8C94.tmp
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RTKAUDIOSERVICE64.EXE
() C:\Program Files (x86)\TOSHIBA\Password Utility\GFNEXSrv.exe
(TOSHIBA Corporation) C:\Windows\System32\TODDSrv.exe
(TOSHIBA Corporation) C:\Program Files\TOSHIBA\Teco\TecoService.exe
(Nero AG) C:\Program Files (x86)\Nero\Update\NASvc.exe
(TOSHIBA Corporation) C:\Program Files\TOSHIBA\TOSHIBA Service Station\TMachInfo.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe
(TOSHIBA Corporation) C:\Program Files\TOSHIBA\TPHM\TPCHSrv.exe
(McAfee, Inc.) C:\Program Files\mcafee\msc\McAWFwk.exe
(McAfee, Inc.) C:\Program Files\Common Files\mcafee\mcsvchost\McSvHost.exe
(McAfee, Inc.) C:\Program Files\mcafee\msc\mcu22C.tmp
(McAfee, Inc.) C:\Windows\System32\mfevtps.exe
(McAfee, Inc.) C:\Program Files\Common Files\mcafee\systemcore\mfefire.exe
(McAfee, Inc.) C:\Program Files\Common Files\mcafee\AMCore\mcshield.exe
(McAfee, Inc.) C:\Program Files\Common Files\mcafee\Platform\McSvcHost\McSvHost.exe
(McAfee, Inc.) C:\Program Files\mcafee\msc\McAPExe.exe
(McAfee, Inc.) C:\Program Files\mcafee\msc\mcmigrator.exe
(AMD) C:\Windows\System32\atieclxx.exe
(Synaptics Incorporated) C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe
(Synaptics Incorporated) C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
(SRS Labs, Inc.) C:\Program Files\SRS Labs\SRS Control Panel\SRSPanel_64.exe
(TOSHIBA Corporation) C:\Program Files\TOSHIBA\Teco\TecoResident.exe
(Advanced Micro Devices Inc.) C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
(ATI Technologies Inc.) C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
(McAfee, Inc.) C:\Program Files\mcafee\msm\McSmtFwk.exe
(Microsoft Corporation) C:\Windows\System32\WWAHost.exe

==================== Registry (Whitelisted) ===========================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [] => [X]
HKLM\...\Run: [RtHDVCpl] => C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe [13196432 2012-09-25] (Realtek Semiconductor)
HKLM\...\Run: [SRS Premium Sound HD] => C:\Program Files\SRS Labs\SRS Control Panel\SRSPanel_64.exe [2170784 2012-08-19] (SRS Labs, Inc.)
HKLM\...\Run: [TCrdMain] => C:\Program Files\TOSHIBA\Hotkey\TCrdMain_Win8.exe [2611112 2012-09-04] ()
HKLM\...\Run: [TecoResident] => C:\Program Files\TOSHIBA\Teco\TecoResident.exe [169896 2012-08-13] (TOSHIBA Corporation)
HKLM\...\Run: [TosWaitSrv] => C:\Program Files\TOSHIBA\TPHM\TosWaitSrv.exe [356776 2012-07-11] (TOSHIBA Corporation)
HKLM\...\Run: [TODDMain] => C:\Program Files (x86)\TOSHIBA\System Setting\TODDMain.exe [213136 2012-08-04] ()
HKLM-x32\...\Run: [Intel AppUp(SM) center] => C:\Program Files (x86)\Intel\IntelAppStore\bin\ismagent.exe [155488 2012-08-01] (Intel Corporation)
HKLM-x32\...\Run: [mcui_exe] => C:\Program Files\McAfee.com\Agent\mcagent.exe [1527896 2012-06-21] (McAfee, Inc.)
HKLM-x32\...\Run: [StartCCC] => C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe [642216 2012-09-17] (Advanced Micro Devices, Inc.)
HKLM-x32\...\Run: [TPUReg] => C:\Program Files (x86)\TOSHIBA\Password Utility\TosPU.exe [7148032 2012-10-30] (Pegatron Corporation)
HKLM-x32\...\Run: [TPUReg(x86)] => "C:\Program Files\TOSHIBA\Password Utility\TosPU.exe" /Retimes
HKLM-x32\...\Run: [mcpltui_exe] => C:\Program Files\McAfee.com\Agent\mcagent.exe [1527896 2012-06-21] (McAfee, Inc.)

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

Tcpip\Parameters: [DhcpNameServer] 190.112.223.106 8.8.8.8
Tcpip\..\Interfaces\{B8630EF6-933F-431B-92CE-A2563B0E0EB8}: [DhcpNameServer] 190.112.223.106 8.8.8.8

Internet Explorer:
==================
HKU\S-1-5-21-2969227266-9193306-3110235960-1001\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
SearchScopes: HKU\S-1-5-21-2969227266-9193306-3110235960-1001 -> DefaultScope {6AC3D6F2-A56D-4527-A32C-3DBCC617EC8B} URL =
Filter: application/x-mfe-ipt - {3EF5086B-5478-4598-A054-786C45D75692} - c:\Program Files\mcafee\msc\McSnIePl64.dll [2014-04-25] (McAfee, Inc.)
Filter-x32: application/x-mfe-ipt - {3EF5086B-5478-4598-A054-786C45D75692} - c:\Program Files (x86)\McAfee\msc\McSnIePl.dll [2014-04-25] (McAfee, Inc.)

FireFox:
========
FF Plugin: @mcafee.com/MSC,version=10 -> c:\PROGRA~1\mcafee\msc\NPMCSN~1.DLL [2014-04-25] ()
FF Plugin-x32: @mcafee.com/MSC,version=10 -> c:\PROGRA~2\mcafee\msc\NPMCSN~1.DLL [2014-04-25] ()
FF Plugin-x32: @Nero.com/KM -> C:\PROGRA~2\COMMON~1\Nero\BROWSE~1\NPBROW~1.DLL [2012-08-31] (Nero AG)
FF Plugin-x32: @WildTangent.com/GamesAppPresenceDetector,Version=1.0 -> C:\Program Files (x86)\WildTangent Games\App\BrowserIntegration\Registered\0\NP_wtapp.dll [2012-05-11] ()
FF HKLM-x32\...\Thunderbird\Extensions: [msktbird@mcafee.com] - C:\Program Files\McAfee\MSK
FF Extension: McAfee Anti-Spam Thunderbird Extension - C:\Program Files\McAfee\MSK [2016-05-11] [not signed]

==================== Services (Whitelisted) ========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

S2 0302531463009016mcinstcleanup; C:\WINDOWS\TEMP\030253~1.EXE [836168 2014-03-13] (McAfee, Inc.)
R2 GFNEXSrv; C:\Program Files (x86)\TOSHIBA\Password Utility\GFNEXSrv.exe [156672 2011-10-13] () [File not signed]
S2 HomeNetSvc; C:\Program Files\Common Files\McAfee\Platform\McSvcHost\McSvHost.exe [328928 2013-07-30] (McAfee, Inc.)
R2 McAPExe; C:\Program Files\McAfee\MSC\McAPExe.exe [178528 2014-04-25] (McAfee, Inc.)
R3 McAWFwk; c:\Program Files\mcafee\msc\McAWFwk.exe [332080 2012-01-26] (McAfee, Inc.)
S2 McMPFSvc; C:\Program Files\Common Files\McAfee\Platform\McSvcHost\McSvHost.exe [328928 2013-07-30] (McAfee, Inc.)
R2 McNaiAnn; C:\Program Files\Common Files\mcafee\Platform\McSvcHost\McSvHost.exe [328928 2013-07-30] (McAfee, Inc.)
S3 McODS; C:\Program Files\mcafee\VirusScan\mcods.exe [603424 2014-10-08] (McAfee, Inc.)
S4 McOobeSv; C:\Program Files\Common Files\mcafee\McSvcHost\McSvHost.exe [200728 2012-05-11] (McAfee, Inc.)
R2 mcpltsvc; C:\Program Files\Common Files\mcafee\Platform\McSvcHost\McSvHost.exe [328928 2013-07-30] (McAfee, Inc.)
S2 McProxy; C:\Program Files\Common Files\mcafee\Platform\McSvcHost\McSvHost.exe [328928 2013-07-30] (McAfee, Inc.)
R2 mfecore; C:\Program Files\Common Files\McAfee\AMCore\mcshield.exe [1041192 2014-08-20] (McAfee, Inc.)
R2 mfefire; C:\Program Files\Common Files\McAfee\SystemCore\\mfefire.exe [219752 2014-06-20] (McAfee, Inc.)
R2 mfevtp; C:\Windows\system32\mfevtps.exe [189912 2014-06-20] (McAfee, Inc.)
R2 MSK80Service; C:\Program Files\Common Files\McAfee\Platform\McSvcHost\McSvHost.exe [328928 2013-07-30] (McAfee, Inc.)
R2 RtkAudioService; C:\Program Files\Realtek\Audio\HDA\RtkAudioService64.exe [201360 2012-08-31] (Realtek Semiconductor)
S3 TemproMonitoringService; C:\Program Files (x86)\Toshiba TEMPRO\TemproSvc.exe [114656 2012-09-25] (Toshiba Europe GmbH)
S2 WinDefend; C:\Program Files\Windows Defender\MsMpEng.exe [15440 2012-07-25] (Microsoft Corporation)
S4 McShield; "C:\Program Files\Common Files\McAfee\SystemCore\\mcshield.exe" [X]

===================== Drivers (Whitelisted) ==========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R3 AtiHDAudioService; C:\Windows\system32\drivers\AtihdW86.sys [98472 2012-07-17] (Advanced Micro Devices)
S3 cfwids; C:\Windows\System32\drivers\cfwids.sys [72128 2014-06-20] (McAfee, Inc.)
S0 ebdrv; C:\Windows\System32\drivers\evbda.sys [3265256 2012-09-20] (Broadcom Corporation)
S3 HipShieldK; C:\Windows\System32\drivers\HipShieldK.sys [197704 2013-09-23] (McAfee, Inc.)
R3 mfeapfk; C:\Windows\System32\drivers\mfeapfk.sys [181704 2014-06-20] (McAfee, Inc.)
R3 mfeavfk; C:\Windows\System32\drivers\mfeavfk.sys [313544 2014-06-20] (McAfee, Inc.)
U3 mfeavfk01; no ImagePath
U3 mfeavfk02; no ImagePath
S0 mfeelamk; C:\Windows\System32\drivers\mfeelamk.sys [70600 2014-06-20] (McAfee, Inc.)
R3 mfefirek; C:\Windows\System32\drivers\mfefirek.sys [523792 2014-06-20] (McAfee, Inc.)
R0 mfehidk; C:\Windows\System32\drivers\mfehidk.sys [786296 2014-06-20] (McAfee, Inc.)
U3 mfehidk01; no ImagePath
R3 mfencbdc; C:\Windows\system32\DRIVERS\mfencbdc.sys [445512 2014-08-20] (McAfee, Inc.)
S3 mfencrk; C:\Windows\system32\DRIVERS\mfencrk.sys [96592 2014-08-20] (McAfee, Inc.)
R0 mfewfpk; C:\Windows\System32\drivers\mfewfpk.sys [348552 2014-06-20] (McAfee, Inc.)
R2 PEGAGFN; C:\Program Files (x86)\TOSHIBA\Password Utility\PEGAGFN.sys [14344 2009-09-11] (PEGATRON)
S3 RTL8192Ce; C:\Windows\system32\DRIVERS\rtwlane.sys [1498256 2012-08-29] (Realtek Semiconductor Corporation)
R3 RTWlanE; C:\Windows\system32\DRIVERS\rtwlane.sys [1498256 2012-08-29] (Realtek Semiconductor Corporation)
R3 Thotkey; C:\Windows\System32\drivers\Thotkey.sys [28632 2012-07-31] (Windows ® Win 7 DDK provider)
U3 TrueSight; C:\Windows\System32\Drivers\TrueSight.sys [24688 2016-05-11] ()
S3 WdBoot; C:\Windows\system32\drivers\WdBoot.sys [34216 2012-07-25] (Microsoft Corporation)
S3 WdFilter; C:\Windows\system32\drivers\WdFilter.sys [258288 2012-07-25] (Microsoft Corporation)
S0 mferkdet; system32\drivers\mferkdet.sys [X]

==================== NetSvcs (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

==================== One Month Created files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2016-05-12 10:04 - 2016-05-12 10:04 - 00000000 ____D C:\FRST
2016-05-12 10:02 - 2016-05-12 10:04 - 00215076 _____ C:\TDSSKiller.3.1.0.9_12.05.2016_10.02.03_log.txt
2016-05-12 07:21 - 2016-05-12 07:23 - 00002186 _____ C:\Users\Oli\Desktop\Rkill.txt
2016-05-12 00:54 - 2016-05-12 08:10 - 00003348 _____ C:\WINDOWS\System32\Tasks\McAfee Remediation (Prepare)
2016-05-12 00:54 - 2016-05-12 00:54 - 00000000 ____D C:\Program Files\Common Files\AV
2016-05-11 23:54 - 2013-09-23 07:49 - 00197704 _____ (McAfee, Inc.) C:\WINDOWS\system32\Drivers\HipShieldK.sys
2016-05-11 23:35 - 2016-05-12 00:25 - 00052224 ___SH C:\Users\Oli\Downloads\Thumbs.db
2016-05-11 22:29 - 2016-05-11 22:29 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\McAfee
2016-05-11 21:51 - 2016-05-11 22:56 - 00000000 ____D C:\Program Files (x86)\Google
2016-05-11 21:50 - 2016-05-11 21:50 - 00000000 ____D C:\Users\Oli\AppData\Local\Google
2016-05-11 20:37 - 2014-05-14 20:02 - 00059424 _____ (Microsoft Corporation) C:\WINDOWS\system32\wuauclt.exe
2016-05-11 20:37 - 2014-05-14 17:43 - 03286528 _____ (Microsoft Corporation) C:\WINDOWS\system32\wuaueng.dll
2016-05-11 20:37 - 2014-05-14 17:43 - 01623040 _____ (Microsoft Corporation) C:\WINDOWS\system32\wucltux.dll
2016-05-11 20:37 - 2014-05-14 17:43 - 00253440 _____ (Microsoft Corporation) C:\WINDOWS\system32\WUSettingsProvider.dll
2016-05-11 20:37 - 2014-05-14 17:42 - 00176640 _____ (Microsoft Corporation) C:\WINDOWS\system32\storewuauth.dll
2016-05-11 20:35 - 2013-08-16 00:21 - 00049152 _____ (Microsoft Corporation) C:\WINDOWS\system32\wups2.dll
2016-05-11 20:35 - 2012-11-05 23:00 - 00099328 _____ (Microsoft Corporation) C:\WINDOWS\system32\wushareduxresources.dll
2016-05-11 20:34 - 2012-11-05 23:20 - 00017408 _____ (Microsoft Corporation) C:\WINDOWS\system32\wuaext.dll
2016-05-11 20:22 - 2016-05-11 20:22 - 00000000 ____D C:\Users\Oli\AppData\Local\CrashDumps
2016-05-11 20:08 - 2016-05-11 20:18 - 00000000 ____D C:\ProgramData\HitmanPro
2016-05-11 18:55 - 2016-05-11 18:55 - 00000000 ____D C:\Users\Oli\AppData\Local\TOSHIBA
2016-05-11 18:52 - 2016-05-11 18:52 - 00000000 ____D C:\Users\Oli\AppData\Local\ElevatedDiagnostics
2016-05-11 18:44 - 2016-05-11 18:44 - 00000000 ____D C:\Users\Oli\AppData\Roaming\Macromedia
2016-05-11 18:34 - 2016-05-12 08:05 - 00003594 _____ C:\WINDOWS\System32\Tasks\Optimize Start Menu Cache Files-S-1-5-21-2969227266-9193306-3110235960-1001
2016-05-11 18:33 - 2016-05-11 18:49 - 00000000 ____D C:\ProgramData\RogueKiller
2016-05-11 18:33 - 2016-05-11 18:33 - 00024688 _____ C:\WINDOWS\system32\Drivers\TrueSight.sys
2016-05-11 18:33 - 2016-05-11 18:33 - 00000000 ____D C:\Users\Oli\AppData\Roaming\ATI
2016-05-11 18:33 - 2016-05-11 18:33 - 00000000 ____D C:\Users\Oli\AppData\Local\ATI
2016-05-11 18:28 - 2016-05-11 18:28 - 00000000 ____D C:\WINDOWS\System32\Tasks\WPD
2016-05-11 18:28 - 2016-05-11 18:28 - 00000000 ____D C:\Users\Oli\AppData\Local\SRS Labs
2016-05-11 18:27 - 2016-05-11 18:27 - 00001437 _____ C:\Users\Oli\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer.lnk
2016-05-11 18:27 - 2016-05-11 18:27 - 00000000 ____D C:\Users\Oli\AppData\Roaming\Adobe
2016-05-11 18:23 - 2016-05-11 18:27 - 00000000 ____D C:\Users\Oli\AppData\Local\Packages
2016-05-11 18:23 - 2016-05-11 18:23 - 00000000 ____D C:\Users\Oli\AppData\Local\VirtualStore
2016-05-11 18:22 - 2016-05-11 18:27 - 00000000 ____D C:\Users\Oli
2016-05-11 18:22 - 2016-05-11 18:22 - 00000020 ___SH C:\Users\Oli\ntuser.ini
2016-05-11 06:23 - 2016-05-11 06:23 - 00000000 __RHD C:\Users\Public\AccountPictures
2016-05-11 06:22 - 2016-05-11 06:22 - 00000000 _____ C:\Recovery.txt

==================== One Month Modified files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2016-05-12 08:10 - 2012-11-22 14:52 - 00000000 ____D C:\ProgramData\McAfee
2016-05-12 07:30 - 2012-07-26 00:37 - 00000000 ____D C:\WINDOWS\Inf
2016-05-12 07:18 - 2012-07-26 02:59 - 00000000 ____D C:\WINDOWS\CbsTemp
2016-05-12 00:54 - 2012-11-22 14:52 - 00000000 ____D C:\Program Files\Common Files\mcafee
2016-05-11 23:52 - 2012-07-26 03:12 - 00000000 ___HD C:\WINDOWS\ELAMBKUP
2016-05-11 22:29 - 2012-11-22 14:55 - 00001839 _____ C:\Users\Public\Desktop\McAfee Internet Security.lnk
2016-05-11 20:40 - 2012-07-26 03:12 - 00000000 ____D C:\WINDOWS\system32\en-GB
2016-05-11 20:25 - 2012-08-01 19:02 - 00725978 _____ C:\WINDOWS\system32\perfh01D.dat
2016-05-11 20:25 - 2012-08-01 19:02 - 00153132 _____ C:\WINDOWS\system32\perfc01D.dat
2016-05-11 20:25 - 2012-08-01 18:55 - 00454218 _____ C:\WINDOWS\system32\perfh014.dat
2016-05-11 20:25 - 2012-08-01 18:55 - 00081138 _____ C:\WINDOWS\system32\perfc014.dat
2016-05-11 20:25 - 2012-08-01 18:48 - 00439770 _____ C:\WINDOWS\system32\perfh00B.dat
2016-05-11 20:25 - 2012-08-01 18:48 - 00085674 _____ C:\WINDOWS\system32\perfc00B.dat
2016-05-11 20:25 - 2012-08-01 18:41 - 00469132 _____ C:\WINDOWS\system32\perfh006.dat
2016-05-11 20:25 - 2012-08-01 18:41 - 00083646 _____ C:\WINDOWS\system32\perfc006.dat
2016-05-11 20:25 - 2012-07-26 02:28 - 03259898 _____ C:\WINDOWS\system32\PerfStringBackup.INI
2016-05-11 18:29 - 2012-07-26 00:26 - 00262144 ___SH C:\WINDOWS\system32\config\ELAM
2016-05-11 18:27 - 2012-11-22 13:41 - 00000000 ____D C:\ProgramData\Toshiba
2016-05-11 18:23 - 2012-11-22 14:52 - 00000000 ____D C:\Program Files (x86)\McAfee
2016-05-11 18:23 - 2012-07-26 03:12 - 00000000 ___RD C:\WINDOWS\ImmersiveControlPanel
2016-05-11 18:23 - 2012-07-26 03:12 - 00000000 ____D C:\WINDOWS\WinStore
2016-05-11 18:19 - 2012-07-26 03:12 - 00000000 ____D C:\WINDOWS\rescache
2016-05-11 06:23 - 2012-07-26 02:22 - 00000006 ____H C:\WINDOWS\Tasks\SA.DAT
2016-05-11 06:21 - 2012-07-26 03:13 - 00262144 _____ C:\WINDOWS\system32\config\BCD-Template

Some files in TEMP:
====================
C:\Users\Oli\AppData\Local\Temp\dllnt_dump.dll

==================== Bamital & volsnap =================

(There is no automatic fix for files that do not pass verification.)

C:\WINDOWS\system32\winlogon.exe => File is digitally signed
C:\WINDOWS\system32\wininit.exe => File is digitally signed
C:\WINDOWS\explorer.exe => File is digitally signed
C:\WINDOWS\SysWOW64\explorer.exe => File is digitally signed
C:\WINDOWS\system32\svchost.exe => File is digitally signed
C:\WINDOWS\SysWOW64\svchost.exe => File is digitally signed
C:\WINDOWS\system32\services.exe => File is digitally signed
C:\WINDOWS\system32\User32.dll => File is digitally signed
C:\WINDOWS\SysWOW64\User32.dll => File is digitally signed
C:\WINDOWS\system32\userinit.exe => File is digitally signed
C:\WINDOWS\SysWOW64\userinit.exe => File is digitally signed
C:\WINDOWS\system32\rpcss.dll => File is digitally signed
C:\WINDOWS\system32\dnsapi.dll => File is digitally signed
C:\WINDOWS\SysWOW64\dnsapi.dll => File is digitally signed
C:\WINDOWS\system32\Drivers\volsnap.sys => File is digitally signed

LastRegBack: 2012-11-22 14:28

==================== End of FRST.txt ============================

 

and Addition.txt:

 

Additional scan result of Farbar Recovery Scan Tool (x64) Version:09-05-2016
Ran by Oli (2016-05-12 10:06:21)
Running from D:\Programs
Windows 8 (X64) (2016-05-11 23:23:11)
Boot Mode: Normal
==========================================================

==================== Accounts: =============================

Administrator (S-1-5-21-2969227266-9193306-3110235960-500 - Administrator - Disabled)
Guest (S-1-5-21-2969227266-9193306-3110235960-501 - Limited - Disabled)
HomeGroupUser$ (S-1-5-21-2969227266-9193306-3110235960-1003 - Limited - Enabled)
Oli (S-1-5-21-2969227266-9193306-3110235960-1001 - Administrator - Enabled) => C:\Users\Oli

==================== Security Center ========================

(If an entry is included in the fixlist, it will be removed.)

AV: McAfee Anti-Virus and Anti-Spyware (Enabled - Up to date) {ADA629C7-7F48-5689-624A-3B76997E0892}
AV: Windows Defender (Disabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
AS: McAfee Anti-Virus and Anti-Spyware (Enabled - Up to date) {16C7C823-5972-5907-58FA-0004E2F9422F}
AS: Windows Defender (Disabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
FW: McAfee Firewall (Enabled) {959DA8E2-3527-57D1-4915-924367AD4FE9}

==================== Installed Programs ======================

(Only the adware programs with "Hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)

Aloha TriPeaks (x32 Version: 2.2.0.98 - WildTangent) Hidden
AMD Catalyst Install Manager (HKLM\...\{79AE0BD1-A930-B07C-C96D-E11FA9BB586F}) (Version: 8.0.881.0 - Advanced Micro Devices, Inc.)
Bejeweled 3 (x32 Version: 2.2.0.98 - WildTangent) Hidden
Chuzzle Deluxe (x32 Version: 2.2.0.95 - WildTangent) Hidden
Empress of the Deep - The Darkest Secret (x32 Version: 2.2.0.98 - WildTangent) Hidden
Intel AppUp(SM) center (HKLM-x32\...\Intel AppUp(SM) center 33268) (Version: 3.6.1.33268.15 - Intel)
Island Tribe (x32 Version: 2.2.0.98 - WildTangent) Hidden
Jewel Quest Solitaire 2 (x32 Version: 2.2.0.98 - WildTangent) Hidden
Magic Academy (x32 Version: 2.2.0.98 - WildTangent) Hidden
McAfee Internet Security (HKLM-x32\...\MSC) (Version: 12.8.992 - McAfee, Inc.)
Microsoft Office (HKLM-x32\...\{95140000-0070-0000-0000-0000000FF1CE}) (Version: 14.0.6120.5004 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.17 (HKLM\...\{8220EEFE-38CD-377E-8595-13398D740ACE}) (Version: 9.0.30729 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17 (HKLM-x32\...\{9A25302D-30C0-39D9-BD6F-21E6EC160475}) (Version: 9.0.30729 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (HKLM-x32\...\{9BE518E6-ECC6-35A9-88E4-87755C07200F}) (Version: 9.0.30729.6161 - Microsoft Corporation)
Microsoft Visual C++ 2010  x64 Redistributable - 10.0.40219 (HKLM\...\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}) (Version: 10.0.40219 - Microsoft Corporation)
Microsoft Visual C++ 2010  x86 Redistributable - 10.0.40219 (HKLM-x32\...\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}) (Version: 10.0.40219 - Microsoft Corporation)
Nero 12 Essentials Toshiba (HKLM-x32\...\{2EF76291-8647-46F0-89D8-0AA8B72A5420}) (Version: 12.0.00600 - Nero AG)
Peggle Nights (x32 Version: 2.2.0.98 - WildTangent) Hidden
Plants vs. Zombies - Game of the Year (x32 Version: 2.2.0.98 - WildTangent) Hidden
Polar Bowler (x32 Version: 2.2.0.97 - WildTangent) Hidden
Premium Sound HD (HKLM\...\{94F03B8E-CB73-4653-AFE9-79112C01FED2}) (Version: 1.12.5000 - SRS Labs, Inc.)
Prerequisite installer (x32 Version: 12.0.0002 - Nero AG) Hidden
Realtek Ethernet Controller Driver (HKLM-x32\...\{8833FFB6-5B0C-4764-81AA-06DFEED9A476}) (Version: 8.3.730.2012 - Realtek)
Realtek High Definition Audio Driver (HKLM-x32\...\{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}) (Version: 6.0.1.6738 - Realtek Semiconductor Corp.)
Realtek USB 2.0 Card Reader (HKLM-x32\...\{96AE7E41-E34E-47D0-AC07-1091A8127911}) (Version: 6.1.8400.30136 - Realtek Semiconductor Corp.)
Realtek WLAN Driver (HKLM-x32\...\{9D3D8C60-A55F-4fed-B2B9-173001290E16}) (Version: 2.00.0020 - REALTEK Semiconductor Corp.)
Shared C Run-time for x64 (HKLM\...\{EF79C448-6946-4D71-8134-03407888C054}) (Version: 10.0.0 - McAfee)
Synaptics Pointing Device Driver (HKLM\...\SynTPDeinstKey) (Version: 16.2.10.5 - Synaptics Incorporated)
TOSHIBA Desktop Assist (HKLM\...\{95CCACF0-010D-45F0-82BF-858643D8BC02}) (Version: 1.00.08.6402 - Toshiba Corporation)
TOSHIBA eco Utility (HKLM\...\{5944B9D4-3C2A-48DE-931E-26B31714A2F7}) (Version: 2.0.0.6415 - Toshiba Corporation)
TOSHIBA Function Key (HKLM\...\{16562A90-71BC-41A0-B890-D91B0C267120}) (Version: 1.00.6626.6406 - Toshiba Corporation)
TOSHIBA Manuals (HKLM-x32\...\{90FF4432-21B7-4AF6-BA6E-FB8C1FED9173}) (Version: 10.10 - TOSHIBA)
Toshiba Password Utility (HKLM-x32\...\InstallShield_{78931270-BC9E-441A-A52B-73ECD4ACFAB5}) (Version: 2.00.972 - Toshiba Corporation)
TOSHIBA PC Health Monitor (HKLM\...\{9DECD0F9-D3E8-48B0-A390-1CF09F54E3A4}) (Version: 1.8.17.640104 - Toshiba Corporation)
TOSHIBA Recovery Media Creator (HKLM-x32\...\{B65BBB06-1F8E-48F5-8A54-B024A9E15FDF}) (Version: 2.2.1.54043006 - Toshiba Corporation)
TOSHIBA Service Station (HKLM\...\{B8C8422F-01F1-4791-B084-047AAFF9BFCC}) (Version: 2.4.4 - TOSHIBA)
TOSHIBA System Driver (HKLM-x32\...\{1E6A96A1-2BAB-43EF-8087-30437593C66C}) (Version: 1.00.0015 - Toshiba Corporation)
TOSHIBA System Settings (HKLM-x32\...\{05A55927-DB9B-4E26-BA44-828EBFF829F0}) (Version: 1.00.0002.32002 - Toshiba Corporation)
Toshiba TEMPRO (HKLM-x32\...\{F76F5214-83A8-4030-80C9-1EF57391D72A}) (Version: 4.2.2 - Toshiba Europe GmbH)
TOSHIBA VIDEO PLAYER (HKLM\...\{FF07604E-C860-40E9-A230-E37FA41F103A}) (Version: 5.1.0.12-A - Toshiba Corporation)
Update Installer for WildTangent Games App (x32 Version:  - WildTangent) Hidden
Virtual Villagers 4 - The Tree of Life (x32 Version: 2.2.0.98 - WildTangent) Hidden
Welcome App (Start-up experience) (x32 Version: 12.0.14000 - Nero AG) Hidden
WildTangent Games (HKLM-x32\...\WildTangent wildgames Master Uninstall) (Version: 1.0.3.0 - WildTangent)
WildTangent Games App (Toshiba Games) (x32 Version: 4.0.9.7 - WildTangent) Hidden

==================== Custom CLSID (Whitelisted): ==========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

==================== Scheduled Tasks (Whitelisted) =============

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

Task: {2823A146-26AB-4DAC-AEBE-1DCE8E973AA5} - System32\Tasks\Toshiba\CommonNotifier => C:\Program Files (x86)\Toshiba TEMPRO\Toshiba.Tempro.UI.CommonNotifier.exe [2012-09-25] (Toshiba Europe GmbH)
Task: {30106DB7-72CE-46E6-9D88-E39C75C0147E} - System32\Tasks\Toshiba\BlobDelivery => C:\Program Files (x86)\Toshiba TEMPRO\Toshiba.BlobDelivery.exe [2012-09-25] (Microsoft)
Task: {48633718-01D0-460A-B8AE-582051D2623A} - System32\Tasks\TOSHIBA\Service Station => C:\Program Files\TOSHIBA\Toshiba Service Station\ToshibaServiceStation.exe [2012-07-27] (TOSHIBA Corporation)
Task: {9C75E96D-E28F-4654-A990-0B9EB61931E2} - System32\Tasks\McAfee Remediation (Prepare) => C:\Program Files\Common Files\AV\McAfee Anti-Virus And Anti-Spyware\upgrade.exe [2016-03-01] (McAfee, Inc.)
Task: {D1FEF9EA-F122-47FB-84DD-4158BE6A5A40} - System32\Tasks\Synaptics TouchPad Enhancements => Program Files\Synaptics\SynTP\SynTPEnh.exe

(If an entry is included in the fixlist, the task (.job) file will be moved. The file which is running by the task will not be moved.)

==================== Shortcuts =============================

(The entries could be listed to be restored or removed.)

==================== Loaded Modules (Whitelisted) ==============

2011-10-13 09:38 - 2011-10-13 09:38 - 00156672 _____ () C:\Program Files (x86)\TOSHIBA\Password Utility\GFNEXSrv.exe
2012-08-13 14:13 - 2012-08-13 14:13 - 00018344 _____ () C:\Program Files\TOSHIBA\Teco\TecoMUI.dll
2012-12-20 00:22 - 2012-11-22 15:06 - 00337920 _____ () C:\Program Files\WindowsApps\McAfeeInc.04.McAfeeSecurityAdvisorforToshiba_1.0.0.3_x64__m0mgz90br52t0\McMetroShim.dll

==================== Alternate Data Streams (Whitelisted) =========

(If an entry is included in the fixlist, only the ADS will be removed.)

==================== Safe Mode (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.)

HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS => ""=""
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcpltsvc => ""=""
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\McMPFSvc => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\MCODS => ""=""
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\mcpltsvc => ""=""
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\mfefire => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\mfefirek => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\mfefirek.sys => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\mfehidk => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\mfehidk.sys => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\mfevtp => ""="Driver"

==================== Association (Whitelisted) ===============

(If an entry is included in the fixlist, the registry item will be restored to default or removed.)

==================== Internet Explorer trusted/restricted ===============

(If an entry is included in the fixlist, it will be removed from the registry.)

==================== Hosts content: ===============================

(If needed Hosts: directive could be included in the fixlist to reset Hosts.)

2012-07-26 00:26 - 2012-07-26 00:26 - 00000824 ____A C:\WINDOWS\system32\Drivers\etc\hosts

==================== Other Areas ============================

(Currently there is no automatic fix for this section.)

HKU\S-1-5-21-2969227266-9193306-3110235960-1001\Control Panel\Desktop\\Wallpaper -> C:\WINDOWS\web\wallpaper\Toshiba\standard.jpg
DNS Servers: 190.112.223.106 - 8.8.8.8
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System => (ConsentPromptBehaviorAdmin: 5) (ConsentPromptBehaviorUser: 3) (EnableLUA: 1)
Windows Firewall is enabled.

==================== MSCONFIG/TASK MANAGER disabled items ==

(Currently there is no automatic fix for this section.)

HKLM\...\StartupApproved\Run: => "TCrdMain"
HKLM\...\StartupApproved\Run: => "TODDMain"
HKLM\...\StartupApproved\Run: => "TosWaitSrv"
HKLM\...\StartupApproved\Run32: => "TPUReg"
HKLM\...\StartupApproved\Run32: => "TPUReg(x86)"

==================== FirewallRules (Whitelisted) ===============

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

FirewallRules: [vm-monitoring-nb-session] => (Allow) LPort=139
FirewallRules: [{3E055C0A-EED1-488D-AA3A-270E3C06F0F4}] => (Allow) C:\Program Files (x86)\Nero\Nero 12\Nero BackItUp\BackItUp.exe
FirewallRules: [{674B03AB-E73E-4A85-A315-3532175BDF82}] => (Allow) C:\Program Files (x86)\Nero\Nero 12\Nero BackItUp\BackItUp.exe
FirewallRules: [{642830C7-386C-4BA4-B47C-97FE8BB36BCC}] => (Allow) C:\Program Files (x86)\Nero\KM\KwikMedia.exe
FirewallRules: [{DB89BCFB-729E-4C0C-90DA-C4D9F753534F}] => (Allow) C:\Program Files (x86)\Nero\KM\KwikMedia.exe
FirewallRules: [{756DF21C-B302-4BBB-96C5-36A16E353894}] => (Allow) C:\Program Files\Common Files\mcafee\mcsvchost\McSvHost.exe
FirewallRules: [{AC3C1B98-3947-489F-85E6-D19EE144AA33}] => (Allow) C:\Program Files\Common Files\mcafee\mcsvchost\McSvHost.exe
FirewallRules: [{73198A11-A614-414E-8F8C-A82AC15ACF7B}] => (Allow) C:\Program Files\Common Files\mcafee\Platform\McSvcHost\McSvHost.exe
FirewallRules: [{090847C4-62EB-4EB3-9724-1C29B6C2EF52}] => (Allow) C:\Program Files\Common Files\mcafee\Platform\McSvcHost\McSvHost.exe

==================== Restore Points =========================

11-05-2016 20:32:58 Windows Update

==================== Faulty Device Manager Devices =============

==================== Event log errors: =========================

Application errors:
==================
Error: (05/12/2016 10:06:51 AM) (Source: ATIeRecord) (EventID: 16388) (User: )
Description: ATI EEU Client event error

Error: (05/12/2016 10:06:36 AM) (Source: ATIeRecord) (EventID: 16388) (User: )
Description: ATI EEU Client event error

Error: (05/12/2016 10:06:21 AM) (Source: ATIeRecord) (EventID: 16388) (User: )
Description: ATI EEU Client event error

Error: (05/12/2016 10:06:06 AM) (Source: ATIeRecord) (EventID: 16388) (User: )
Description: ATI EEU Client event error

Error: (05/12/2016 10:05:51 AM) (Source: ATIeRecord) (EventID: 16388) (User: )
Description: ATI EEU Client event error

Error: (05/12/2016 10:05:36 AM) (Source: ATIeRecord) (EventID: 16388) (User: )
Description: ATI EEU Client event error

Error: (05/12/2016 10:05:21 AM) (Source: ATIeRecord) (EventID: 16388) (User: )
Description: ATI EEU Client event error

Error: (05/12/2016 10:05:06 AM) (Source: ATIeRecord) (EventID: 16388) (User: )
Description: ATI EEU Client event error

Error: (05/12/2016 10:04:51 AM) (Source: ATIeRecord) (EventID: 16388) (User: )
Description: ATI EEU Client event error

Error: (05/12/2016 10:04:36 AM) (Source: ATIeRecord) (EventID: 16388) (User: )
Description: ATI EEU Client event error

System errors:
=============
Error: (05/12/2016 09:48:46 AM) (Source: Schannel) (EventID: 4119) (User: NT AUTHORITY)
Description: A fatal alert was received from the remote endpoint. The TLS protocol defined fatal alert code is 40.

Error: (05/12/2016 09:48:46 AM) (Source: Schannel) (EventID: 4119) (User: NT AUTHORITY)
Description: A fatal alert was received from the remote endpoint. The TLS protocol defined fatal alert code is 40.

Error: (05/12/2016 09:48:46 AM) (Source: Schannel) (EventID: 4119) (User: NT AUTHORITY)
Description: A fatal alert was received from the remote endpoint. The TLS protocol defined fatal alert code is 40.

Error: (05/12/2016 09:24:27 AM) (Source: Schannel) (EventID: 4119) (User: NT AUTHORITY)
Description: A fatal alert was received from the remote endpoint. The TLS protocol defined fatal alert code is 40.

Error: (05/12/2016 09:24:14 AM) (Source: Schannel) (EventID: 4119) (User: NT AUTHORITY)
Description: A fatal alert was received from the remote endpoint. The TLS protocol defined fatal alert code is 40.

Error: (05/12/2016 09:24:14 AM) (Source: Schannel) (EventID: 4119) (User: NT AUTHORITY)
Description: A fatal alert was received from the remote endpoint. The TLS protocol defined fatal alert code is 40.

Error: (05/12/2016 09:24:14 AM) (Source: Schannel) (EventID: 4119) (User: NT AUTHORITY)
Description: A fatal alert was received from the remote endpoint. The TLS protocol defined fatal alert code is 40.

Error: (05/12/2016 07:21:49 AM) (Source: DCOM) (EventID: 10010) (User: NT AUTHORITY)
Description: {6DFC2D17-579D-4C1C-93B7-B05B7DCCD766}

Error: (05/12/2016 07:21:18 AM) (Source: DCOM) (EventID: 10010) (User: NT AUTHORITY)
Description: {6DFC2D17-579D-4C1C-93B7-B05B7DCCD766}

Error: (05/12/2016 07:20:46 AM) (Source: DCOM) (EventID: 10010) (User: NT AUTHORITY)
Description: {6DFC2D17-579D-4C1C-93B7-B05B7DCCD766}

==================== Memory info ===========================

Processor: AMD E1-1200 APU with Radeon™ HD Graphics
Percentage of memory in use: 31%
Total physical RAM: 5731.26 MB
Available physical RAM: 3932.56 MB
Total Virtual: 9827.26 MB
Available Virtual: 8264.48 MB

==================== Drives ================================

Drive c: (TI31013600A) (Fixed) (Total:286.67 GB) (Free:258.28 GB) NTFS
Drive d: (HD-CEU2) (Fixed) (Total:931.28 GB) (Free:111.89 GB) FAT32

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (Size: 298.1 GB) (Disk ID: 00000000)

Partition: GPT.

========================================================
Disk: 1 (Size: 931.5 GB) (Disk ID: 7F445D15)
Partition 1: (Not Active) - (Size=931.5 GB) - (Type=0C)

==================== End of Addition.txt ============================

and RogueKiller picks up

Suspicious Path

PUM HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\030253143009016mcinctcleanup
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\030253143009016mcinctcleanup
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Tcpip\parameters\dhcpNameServer
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Tcpip\parameters\dhcpNameServer
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Tcpip\parameters\interfaces{B8630EF6-933F-431B-92CE-A2563B0E0EB8
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Tcpip\parameters\interfaces{B8630EF6-933F-431B-92CE-A2563B0E0EB8




 


#2 Oh My!

    Adware and Spyware and Malware.....

  • Malware Response Instructor
  • 36,792 posts
  • Gender:Male
  • Location:California

Posted 12 May 2016 - 08:44 PM

Greetings Oli and :welcome: to BleepingComputer's Virus/Trojan/Spyware/Malware Removal forum.

My name is Oh My! and I am here to help you! Now that we are "friends" please call me Gary.

===================================================

Ground Rules:
  • First, I would like to inform you that most of us here at Bleeping Computer offer our expert assistance out of the goodness of our hearts. Please try to match our commitment to you with your patience toward us. If this was easy we would never have met.
  • Please do not run any tools or take any steps other than those I will provide for you while we work on your computer together. I need to be certain about the state of your computer in order to provide appropriate and effective steps for you to take. Most often "well intentioned" (and usually panic driven!) independent efforts can make things much worse for both of us. If at any point you would prefer to take your own steps please let me know, I will not be offended. I would be happy to focus on the many others who are waiting in line for assistance.
  • Please perform all steps in the order they are listed in each set of instructions. Some steps may be a bit complicated. If things are not clear, be sure to stop and let me know. We need to work on this together with confidence.
  • Please copy and paste all logs into your post unless directed otherwise. Please do not re-run any programs I suggest. If you encounter problems simply stop and tell me.
  • When you post your reply, use the Replytopic.jpg button instead.
  • In the upper right hand corner of the topic you will see the Followtopic.jpg button. Click on this then choose Immediate E-Mail notification and then Proceed and you will be sent an email once I have posted a response.
  • If you do not reply to your topic after 5 days we assume it has been abandoned and I will close it.
  • When your computer is clean I will alert you of such. I will also provide for you detailed information about how you can combat future infections.
  • I would like to remind you to make no further changes to your computer unless I direct you to do so.
===================================================

Now that I am assisting you, you can expect that I will be very responsive to your situation. If you are able, I would request you check this thread at least once per day so that we can try to resolve your issues effectively and efficiently. If you are going to be delayed please be considerate and post that information so that I know you are still with me. Unfortunately, there are many people waiting to be assisted and not enough of us at BleepingComputer to go around. I appreciate your understanding and diligence.

Thank you for your patience thus far.

Please do this.

===================================================

Farbar's Recovery Scan Tool - Run Fix in Normal or Safe Mode

--------------------
  • Press the Windows key Windows_Logo_key.gif + r on your keyboard at the same time. Type in notepad and press Enter
  • Click Format and check Word Wrap
  • Please copy and paste the contents of the below code box into the open notepad and save it to your Desktop as fixlist.txt. If FRST.exe is not on your Desktop please move it to that location. (<<<Important)
CreateRestorePoint:
CloseProcesses:
Tcpip\Parameters: [DhcpNameServer] 190.112.223.106 8.8.8.8
Tcpip\..\Interfaces\{B8630EF6-933F-431B-92CE-A2563B0E0EB8}: [DhcpNameServer] 190.112.223.106 8.8.8.8
SearchScopes: HKU\S-1-5-21-2969227266-9193306-3110235960-1001 -> DefaultScope {6AC3D6F2-A56D-4527-A32C-3DBCC617EC8B} URL =
S4 McShield; "C:\Program Files\Common Files\McAfee\SystemCore\\mcshield.exe" [X]
U3 mfeavfk01; no ImagePath
U3 mfeavfk02; no ImagePath
U3 mfehidk01; no ImagePath
S0 mferkdet; system32\drivers\mferkdet.sys [X]
  • Launch FRST and press the Fix button just once and wait, the program will automatically launch fixlist.txt.
  • The tool will create a log on the desktop called Fixlog.txt. Please copy and paste the contents of the file in your reply.
===================================================

Rerun RogueKiller and post the log.

===================================================

System Summary Information

--------------------
  • Press the windows key Windows_Logo_key.gif + r on your keyboard at the same time
  • Type msinfo32 and press Enter
  • Left click on System Summary
  • Click File, Save, and name the file Summary
  • Zip and attach the file to your reply
===================================================

Things I would like to see in your next reply. Please be sure to copy and paste any requested log information unless you are asked to attach it. :thumbsup2:
  • Fixlog
  • RogueKiller log
  • System Summary Information
  • Update on computer behavior

Gary

If I do not reply within 24 hours please send me a Personal Message.

"Lord, to whom would we go? You have the words that give eternal life. We believe, and we know you are the Holy One of God."
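Added example for this thread (it is not from the thread, FRST or RogueKiller): a PowerShell check that reads the same Tcpip\Parameters DNS values RogueKiller reports as PUM.Dns above and flags any resolver that is not on an allow-list. The allow-list is constructed for the example (the router at 192.168.0.1 plus Google public DNS); replace it with the resolvers your own DHCP server is supposed to hand out.

```powershell
# Added example, not part of the thread or of any tool used in it.
# Constructed allow-list: the router seen in the ipconfig output plus Google DNS.
$AllowedResolvers = @('192.168.0.1', '8.8.8.8', '8.8.4.4')

function Get-TcpipDnsEntry {
    # Returns one object per resolver address found in NameServer (static) or
    # DhcpNameServer (lease-assigned), for the global key and every interface key.
    $base = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
    $keys = @(Get-Item -Path $base) + @(Get-ChildItem -Path "$base\Interfaces")
    foreach ($key in $keys) {
        foreach ($valueName in 'NameServer', 'DhcpNameServer') {
            $raw = (Get-ItemProperty -Path $key.PSPath -Name $valueName -ErrorAction SilentlyContinue).$valueName
            if ([string]::IsNullOrWhiteSpace($raw)) { continue }
            # Windows stores these as space- or comma-separated IPv4 lists,
            # e.g. "190.112.223.106 8.8.8.8" in the logs above.
            foreach ($ip in ($raw -split '[ ,]+' | Where-Object { $_ })) {
                [pscustomobject]@{
                    Key       = $key.PSChildName
                    ValueName = $valueName
                    Resolver  = $ip
                    Allowed   = ($AllowedResolvers -contains $ip)
                }
            }
        }
    }
}

function Invoke-DnsResolverAudit {
    $entries = @(Get-TcpipDnsEntry)
    $entries | Format-Table -Property Key, ValueName, Resolver, Allowed -AutoSize | Out-Host
    $unexpected = @($entries | Where-Object { -not $_.Allowed })
    if ($unexpected.Count -eq 0) {
        Write-Host 'All configured resolvers are on the allow-list.'
        return
    }
    foreach ($entry in $unexpected) {
        if ($entry.ValueName -eq 'DhcpNameServer') {
            # DhcpNameServer is rewritten on every lease renewal, so a value that
            # returns after a registry fix was handed out by the DHCP server
            # (here the router at 192.168.0.1) and has to be corrected there.
            Write-Warning ("Interface {0}: resolver {1} was assigned by DHCP" -f $entry.Key, $entry.Resolver)
        } else {
            Write-Warning ("Interface {0}: static resolver {1} is not on the allow-list" -f $entry.Key, $entry.Resolver)
        }
    }
}

Invoke-DnsResolverAudit
```

Run it from an elevated PowerShell prompt; a flagged DhcpNameServer entry that keeps reappearing after a fix means the DHCP server shown in ipconfig is the place to look, not the registry.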

#3 originaloli
  • Topic Starter
  • Members
  • 28 posts

Posted 12 May 2016 - 10:05 PM

Dear Gary.  Jolly nice to be making your acquaintance, albeit under trying circumstances.  I have done that which you requested and everything should be included below.  As regards behaviour, I have hardly used the computer since posting the original message.  Fewer sites seem to be redirecting, although that may well be a result of having recently reset.  I should make clear at this juncture that I literally just reset the computer to factory settings and have left well alone.  I have installed nothing, deleted nothing, and changed no settings.  All important files remain on hard drives etc.

I shall retire to my quarters in around an hour, although I shall rise at 10:30 GMT (05:30 local in Colombia) and perform any outstanding steps.  My warmest thanks for your time and indeed effort.  While this may be somewhat easier for you than me, it is nonetheless a great boon to have your assistance.

Yours,

Oli

Farbar:

Fix result of Farbar Recovery Scan Tool (x64) Version:09-05-2016
Ran by Oli (2016-05-12 21:12:15) Run:1
Running from C:\Users\Oli\Desktop
Loaded Profiles: Oli (Available Profiles: Oli)
Boot Mode: Normal
==============================================

fixlist content:
*****************
<HTML><META HTTP-EQUIV="content-type" CONTENT="text/html;charset=utf-8">
<SPAN class="typ">CreateRestorePoint</SPAN><SPAN class="pun">:</SPAN><SPAN class="pln">
</SPAN><SPAN class="typ">CloseProcesses</SPAN><SPAN class="pun">:</SPAN><SPAN class="pln">
</SPAN><SPAN class="typ">Tcpip</SPAN><SPAN class="pln">\Parameters</SPAN><SPAN class="pun">:</SPAN><SPAN class="pln"> </SPAN><SPAN class="pun">[</SPAN><SPAN class="typ">DhcpNameServer</SPAN><SPAN class="pun">]</SPAN><SPAN class="pln"> </SPAN><SPAN class="lit">190.112</SPAN><SPAN class="pun">.</SPAN><SPAN class="lit">223.106</SPAN><SPAN class="pln"> </SPAN><SPAN class="lit">8.8</SPAN><SPAN class="pun">.</SPAN><SPAN class="lit">8.8</SPAN><SPAN class="pln">
</SPAN><SPAN class="typ">Tcpip</SPAN><SPAN class="pln">\.</SPAN><SPAN class="pun">.</SPAN><SPAN class="pln">\Interfaces\{B8630EF6</SPAN><SPAN class="pun">-</SPAN><SPAN class="lit">933F</SPAN><SPAN class="pun">-</SPAN><SPAN class="lit">431B</SPAN><SPAN class="pun">-</SPAN><SPAN class="lit">92CE</SPAN><SPAN class="pun">-</SPAN><SPAN class="pln">A2563B0E0EB8</SPAN><SPAN class="pun">}:</SPAN><SPAN class="pln"> </SPAN><SPAN class="pun">[</SPAN><SPAN class="typ">DhcpNameServer</SPAN><SPAN class="pun">]</SPAN><SPAN class="pln"> </SPAN><SPAN class="lit">190.112</SPAN><SPAN class="pun">.</SPAN><SPAN class="lit">223.106</SPAN><SPAN class="pln"> </SPAN><SPAN class="lit">8.8</SPAN><SPAN class="pun">.</SPAN><SPAN class="lit">8.8</SPAN><SPAN class="pln">
</SPAN><SPAN class="typ">SearchScopes</SPAN><SPAN class="pun">:</SPAN><SPAN class="pln"> HKU\S</SPAN><SPAN class="pun">-</SPAN><SPAN class="lit">1</SPAN><SPAN class="pun">-</SPAN><SPAN class="lit">5</SPAN><SPAN class="pun">-</SPAN><SPAN class="lit">21</SPAN><SPAN class="pun">-</SPAN><SPAN class="lit">2969227266</SPAN><SPAN class="pun">-</SPAN><SPAN class="lit">9193306</SPAN><SPAN class="pun">-</SPAN><SPAN class="lit">3110235960</SPAN><SPAN class="pun">-</SPAN><SPAN class="lit">1001</SPAN><SPAN class="pln"> </SPAN><SPAN class="pun">-&gt;</SPAN><SPAN class="pln"> </SPAN><SPAN class="typ">DefaultScope</SPAN><SPAN class="pln"> </SPAN><SPAN class="pun">{</SPAN><SPAN class="lit">6AC3D6F2</SPAN><SPAN class="pun">-</SPAN><SPAN class="pln">A56D</SPAN><SPAN class="pun">-</SPAN><SPAN class="lit">4527</SPAN><SPAN class="pun">-</SPAN><SPAN class="pln">A32C</SPAN><SPAN class="pun">-</SPAN><SPAN class="lit">3DBCC617EC8B</SPAN><SPAN class="pun">}</SPAN><SPAN class="pln"> URL </SPAN><SPAN class="pun">=</SPAN><SPAN class="pln">
S4 </SPAN><SPAN class="typ">McShield</SPAN><SPAN class="pun">;</SPAN><SPAN class="pln"> </SPAN><SPAN class="str">"C:\Program Files\Common Files\McAfee\SystemCore\\mcshield.exe"</SPAN><SPAN class="pln"> </SPAN><SPAN class="pun">[</SPAN><SPAN class="pln">X</SPAN><SPAN class="pun">]</SPAN><SPAN class="pln">
U3 mfeavfk01</SPAN><SPAN class="pun">;</SPAN><SPAN class="pln"> </SPAN><SPAN class="kwd">no</SPAN><SPAN class="pln"> </SPAN><SPAN class="typ">ImagePath</SPAN><SPAN class="pln">
U3 mfeavfk02</SPAN><SPAN class="pun">;</SPAN><SPAN class="pln"> </SPAN><SPAN class="kwd">no</SPAN><SPAN class="pln"> </SPAN><SPAN class="typ">ImagePath</SPAN><SPAN class="pln">
U3 mfehidk01</SPAN><SPAN class="pun">;</SPAN><SPAN class="pln"> </SPAN><SPAN class="kwd">no</SPAN><SPAN class="pln"> </SPAN><SPAN class="typ">ImagePath</SPAN><SPAN class="pln">
S0 mferkdet</SPAN><SPAN class="pun">;</SPAN><SPAN class="pln"> system32\drivers\mferkdet</SPAN><SPAN class="pun">.</SPAN><SPAN class="pln">sys </SPAN><SPAN class="pun">[</SPAN><SPAN class="pln">X</SPAN><SPAN class="pun">]</SPAN>
*****************

<HTML><META HTTP-EQUIV="content-type" CONTENT="text/html;charset=utf-8"> => Error: No automatic fix found for this entry.
<SPAN class="typ">CreateRestorePoint</SPAN><SPAN class="pun">:</SPAN><SPAN class="pln"> => Error: No automatic fix found for this entry.
</SPAN><SPAN class="typ">CloseProcesses</SPAN><SPAN class="pun">:</SPAN><SPAN class="pln"> => Error: No automatic fix found for this entry.
</SPAN><SPAN class="typ">Tcpip</SPAN><SPAN class="pln">\Parameters</SPAN><SPAN class="pun">:</SPAN><SPAN class="pln"> </SPAN><SPAN class="pun">[</SPAN><SPAN class="typ">DhcpNameServer</SPAN><SPAN class="pun">]</SPAN><SPAN class="pln"> </SPAN><SPAN class="lit">190.112</SPAN><SPAN class="pun">.</SPAN><SPAN class="lit">223.106</SPAN><SPAN class="pln"> </SPAN><SPAN class="lit">8.8</SPAN><SPAN class="pun">.</SPAN><SPAN class="lit">8.8</SPAN><SPAN class="pln"> => Error: No automatic fix found for this entry.
</SPAN><SPAN class="typ">Tcpip</SPAN><SPAN class="pln">\.</SPAN><SPAN class="pun">.</SPAN><SPAN class="pln">\Interfaces\{B8630EF6</SPAN><SPAN class="pun">-</SPAN><SPAN class="lit">933F</SPAN><SPAN class="pun">-</SPAN><SPAN class="lit">431B</SPAN><SPAN class="pun">-</SPAN><SPAN class="lit">92CE</SPAN><SPAN class="pun">-</SPAN><SPAN class="pln">A2563B0E0EB8</SPAN><SPAN class="pun">}:</SPAN><SPAN class="pln"> </SPAN><SPAN class="pun">[</SPAN><SPAN class="typ">DhcpNameServer</SPAN><SPAN class="pun">]</SPAN><SPAN class="pln"> </SPAN><SPAN class="lit">190.112</SPAN><SPAN class="pun">.</SPAN><SPAN class="lit">223.106</SPAN><SPAN class="pln"> </SPAN><SPAN class="lit">8.8</SPAN><SPAN class="pun">.</SPAN><SPAN class="lit">8.8</SPAN><SPAN class="pln"> => Error: No automatic fix found for this entry.
</SPAN><SPAN class="typ">SearchScopes</SPAN><SPAN class="pun">:</SPAN><SPAN class="pln"> HKU\S</SPAN><SPAN class="pun">-</SPAN><SPAN class="lit">1</SPAN><SPAN class="pun">-</SPAN><SPAN class="lit">5</SPAN><SPAN class="pun">-</SPAN><SPAN class="lit">21</SPAN><SPAN class="pun">-</SPAN><SPAN class="lit">2969227266</SPAN><SPAN class="pun">-</SPAN><SPAN class="lit">9193306</SPAN><SPAN class="pun">-</SPAN><SPAN class="lit">3110235960</SPAN><SPAN class="pun">-</SPAN><SPAN class="lit">1001</SPAN><SPAN class="pln"> </SPAN><SPAN class="pun">-&gt;</SPAN><SPAN class="pln"> </SPAN><SPAN class="typ">DefaultScope</SPAN><SPAN class="pln"> </SPAN><SPAN class="pun">{</SPAN><SPAN class="lit">6AC3D6F2</SPAN><SPAN class="pun">-</SPAN><SPAN class="pln">A56D</SPAN><SPAN class="pun">-</SPAN><SPAN class="lit">4527</SPAN><SPAN class="pun">-</SPAN><SPAN class="pln">A32C</SPAN><SPAN class="pun">-</SPAN><SPAN class="lit">3DBCC617EC8B</SPAN><SPAN class="pun">}</SPAN><SPAN class="pln"> URL </SPAN><SPAN class="pun">=</SPAN><SPAN class="pln"> => Error: No automatic fix found for this entry.
</SPAN><SPAN class="typ">McShield</SPAN><SPAN class="pun"> => service not found.
mfeavfk01</SPAN><SPAN class="pun"> => service not found.
mfeavfk02</SPAN><SPAN class="pun"> => service not found.
mfehidk01</SPAN><SPAN class="pun"> => service not found.
mferkdet</SPAN><SPAN class="pun"> => service not found.

==== End of Fixlog 21:12:15 ====

RogueKiller

RogueKiller V12.1.6.0 [May  9 2016] (Free) by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : http://forum.adlice.com
Website : http://www.adlice.com/software/roguekiller/
Blog : http://www.adlice.com

Operating System : Windows 8 (6.2.9200) 64 bits version
Started in : Normal mode
User : Oli [Administrator]
Started from : C:\Users\Oli\Desktop\RogueKiller.exe
Mode : Scan -- Date : 05/12/2016 21:44:10

¤¤¤ Processes : 0 ¤¤¤

¤¤¤ Registry : 6 ¤¤¤
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\0294361463068972mcinstcleanup (C:\WINDOWS\TEMP\029436~1.EXE -cleanup -nolog) -> Found
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\0294361463068972mcinstcleanup (C:\WINDOWS\TEMP\029436~1.EXE -cleanup -nolog) -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters | DhcpNameServer : 190.112.223.106 8.8.8.8 ([X][-])  -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters | DhcpNameServer : 190.112.223.106 8.8.8.8 ([X][-])  -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{B8630EF6-933F-431B-92CE-A2563B0E0EB8} | DhcpNameServer : 190.112.223.106 8.8.8.8 ([X][-])  -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{B8630EF6-933F-431B-92CE-A2563B0E0EB8} | DhcpNameServer : 190.112.223.106 8.8.8.8 ([X][-])  -> Found

¤¤¤ Tasks : 0 ¤¤¤

¤¤¤ Files : 0 ¤¤¤

¤¤¤ Hosts File : 0 ¤¤¤

¤¤¤ Antirootkit : 0 (Driver: Not loaded [0xc000036b]) ¤¤¤

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: Seagate ST320LT020-9YG142 +++++
--- User ---
[MBR] a84dd93b5b19931ceaddbccc47850486
[BSP] df4f83c1f72e36823a12b0dfc7617313 : Empty MBR Code
Partition table:
0 - [SYSTEM] Basic data partition | Offset (sectors): 2048 | Size: 450 MB
1 - Basic data partition | Offset (sectors): 923648 | Size: 260 MB
2 - Basic data partition | Offset (sectors): 1456128 | Size: 128 MB
3 - Basic data partition | Offset (sectors): 1718272 | Size: 293551 MB
4 - [SYSTEM][MAN-MOUNT]  | Offset (sectors): 602912768 | Size: 823 MB
5 - [SYSTEM][MAN-MOUNT] Basic data partition | Offset (sectors): 604598272 | Size: 10031 MB
User = LL1 ... OK
User = LL2 ... OK

#4 originaloli
  • Topic Starter
  • Members
  • 28 posts

Posted 12 May 2016 - 10:10 PM

Terribly sorry, been a right doughnut.  Somehow pasted the wrong thing into Farbar.  New fixlog is:

Fix result of Farbar Recovery Scan Tool (x64) Version:09-05-2016
Ran by Oli (2016-05-12 22:07:39) Run:2
Running from C:\Users\Oli\Desktop
Loaded Profiles: Oli (Available Profiles: Oli)
Boot Mode: Normal
==============================================

fixlist content:
*****************
CreateRestorePoint: CloseProcesses: Tcpip\Parameters: [DhcpNameServer] 190.112.223.106 8.8.8.8 Tcpip\..\Interfaces\{B8630EF6-933F-431B-92CE-A2563B0E0EB8}: [DhcpNameServer] 190.112.223.106 8.8.8.8 SearchScopes: HKU\S-1-5-21-2969227266-9193306-3110235960-1001 -> DefaultScope {6AC3D6F2-A56D-4527-A32C-3DBCC617EC8B} URL = S4 McShield; "C:\Program Files\Common Files\McAfee\SystemCore\\mcshield.exe" [X] U3 mfeavfk01; no ImagePath U3 mfeavfk02; no ImagePath U3 mfehidk01; no ImagePath S0 mferkdet; system32\drivers\mferkdet.sys [X]

*****************

HKU\S-1-5-21-2969227266-9193306-3110235960-1001\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => value removed successfully

==== End of Fixlog 22:07:39 ====

I will now run RogueKiller again



#5 Oh My!

    Adware and Spyware and Malware.....

  • Malware Response Instructor
  • 36,792 posts
  • Gender:Male
  • Location:California

Posted 12 May 2016 - 10:12 PM

Greetings and thank you for the information. Could you please attach the Fixlog file to your reply.

So you took the computer all the way back to the factory condition and you are still getting redirects?
Gary

#6 Oh My!

    Adware and Spyware and Malware.....

  • Malware Response Instructor
  • 36,792 posts
  • Gender:Male
  • Location:California

Posted 12 May 2016 - 10:34 PM

I am ending for the evening but will check the topic in the morning.
Gary

#7 originaloli
  • Topic Starter
  • Members
  • 28 posts

Posted 12 May 2016 - 11:01 PM

Dear Gary,

Yes, that's quite correct.  All the way back to factory settings so it's the wonders of Windows 8 once more.  The fixlog above still stands, and the RogueKiller log has now lost the Suspicious Path reports:

RogueKiller V12.1.6.0 [May  9 2016] (Free) by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : http://forum.adlice.com
Website : http://www.adlice.com/software/roguekiller/
Blog : http://www.adlice.com

Operating System : Windows 8 (6.2.9200) 64 bits version
Started in : Normal mode
User : Oli [Administrator]
Started from : C:\Users\Oli\Desktop\RogueKiller.exe
Mode : Scan -- Date : 05/12/2016 22:54:53

¤¤¤ Processes : 0 ¤¤¤

¤¤¤ Registry : 4 ¤¤¤
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters | DhcpNameServer : 190.112.223.106 8.8.8.8 ([Costa Rica][-])  -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters | DhcpNameServer : 190.112.223.106 8.8.8.8 ([Costa Rica][-])  -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{B8630EF6-933F-431B-92CE-A2563B0E0EB8} | DhcpNameServer : 190.112.223.106 8.8.8.8 ([Costa Rica][-])  -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{B8630EF6-933F-431B-92CE-A2563B0E0EB8} | DhcpNameServer : 190.112.223.106 8.8.8.8 ([Costa Rica][-])  -> Found

¤¤¤ Tasks : 0 ¤¤¤

¤¤¤ Files : 0 ¤¤¤

¤¤¤ Hosts File : 0 ¤¤¤

¤¤¤ Antirootkit : 0 (Driver: Not loaded [0x20]) ¤¤¤

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: Seagate ST320LT020-9YG142 +++++
--- User ---
[MBR] a84dd93b5b19931ceaddbccc47850486
[BSP] df4f83c1f72e36823a12b0dfc7617313 : Empty MBR Code
Partition table:
0 - [SYSTEM] Basic data partition | Offset (sectors): 2048 | Size: 450 MB
1 - Basic data partition | Offset (sectors): 923648 | Size: 260 MB
2 - Basic data partition | Offset (sectors): 1456128 | Size: 128 MB
3 - Basic data partition | Offset (sectors): 1718272 | Size: 293551 MB
4 - [SYSTEM][MAN-MOUNT]  | Offset (sectors): 602912768 | Size: 823 MB
5 - [SYSTEM][MAN-MOUNT] Basic data partition | Offset (sectors): 604598272 | Size: 10031 MB
User = LL1 ... OK
User = LL2 ... OK

__________________________________________________________________________________________________

I too shall turn in for the day.  Tomorrow I shall be mostly absent from the house, however I can download programs etc to a USB.



#8 originaloli
  • Topic Starter
  • Members
  • 28 posts

Posted 13 May 2016 - 06:01 AM

Two comments on performance from this morning - Windows will update in two days, it says; Internet Explorer is running slow (of course, it is three years out of date and pretty shoddy in the first place).



#9 Oh My!

    Adware and Spyware and Malware.....

  • Malware Response Instructor
  • 36,792 posts
  • Gender:Male
  • Location:California

Posted 13 May 2016 - 09:08 AM

Greetings,

Thank you for the information.

Where are you located?

Do you recognize this?

Costa Rica San Jose Data Miners S.a.

Which browser(s) is affected?

Please do this.

===================================================

Farbar's MiniToolBox

--------------------
  • Please download MiniToolBox, save it to your desktop
  • Please close any Firefox browsers you may have open
  • Double click the icon to launch the program
  • Make sure only the following options are checked:

Flush DNS
Report IE Proxy Settings
Reset IE Proxy Settings
Report FF Proxy Settings
Reset FF Proxy Settings
List content of Hosts
List IP configuration
List Winsock Entries

  • Click Go and once the scan is completed a MTB.txt Notepad document will open on your desktop
  • Please copy and paste the contents in your reply
===================================================

Things I would like to see in your next reply. Please be sure to copy and paste any requested log information unless you are asked to attach it. :thumbsup2:
  • Reply to questions
  • MTB.txt

Gary

#10 originaloli
  • Topic Starter
  • Members
  • 28 posts

Posted 13 May 2016 - 01:01 PM

I won't be able to run MTB until I return home, but I will do it and send the log overnight.  I'm based in Bogotá, Colombia and cannot think of any possible connection to Costa Rica.  I normally run Firefox and Chrome, but after the reset I have avoided installing or running either of them.  I'm running an old IE, version 5 I think.



#11 originaloli
  • Topic Starter
  • Members
  • 28 posts

Posted 14 May 2016 - 11:25 AM

Dear Gary.  Apologies for the delay, but here is the MTB report:

MiniToolBox by Farbar  Version: 07-02-2016 01
Ran by Oli (administrator) on 14-05-2016 at 11:22:21
Running from "C:\Users\Oli\Desktop"
Microsoft Windows 8  (X64)
Model: SATELLITE C850D-11Q Manufacturer: TOSHIBA
Boot Mode: Normal
***************************************************************************

========================= Flush DNS: ===================================

Windows IP Configuration

Successfully flushed the DNS Resolver Cache.

========================= IE Proxy Settings: ==============================

Proxy is not enabled.
No Proxy Server is set.

"Reset IE Proxy Settings": IE Proxy Settings were reset.
========================= Hosts content: =================================
========================= IP Configuration: ================================

Realtek RTL8188CE Wireless LAN 802.11n PCI-E NIC = WiFi (Connected)
Realtek PCIe FE Family Controller = Ethernet (Media disconnected)

# ----------------------------------
# IPv4 Configuration
# ----------------------------------
pushd interface ipv4

reset
set global icmpredirects=enabled
set interface interface="Local Area Connection* 9" forwarding=enabled advertise=enabled nud=enabled ignoredefaultroutes=disabled
set interface interface="WiFi" forwarding=enabled advertise=enabled nud=enabled ignoredefaultroutes=disabled
set interface interface="Ethernet" forwarding=enabled advertise=enabled nud=enabled ignoredefaultroutes=disabled
set interface interface="Local Area Connection* 11" forwarding=enabled advertise=enabled nud=enabled ignoredefaultroutes=disabled

popd
# End of IPv4 configuration

Windows IP Configuration

   Host Name . . . . . . . . . . . . : Trevor
   Primary Dns Suffix  . . . . . . . :
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No

Wireless LAN adapter Local Area Connection* 11:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Microsoft Wi-Fi Direct Virtual Adapter
   Physical Address. . . . . . . . . : 20-16-D8-84-45-ED
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes

Ethernet adapter Ethernet:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Realtek PCIe FE Family Controller
   Physical Address. . . . . . . . . : 70-54-D2-7A-AE-7F
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes

Wireless LAN adapter WiFi:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Realtek RTL8188CE Wireless LAN 802.11n PCI-E NIC
   Physical Address. . . . . . . . . : 20-16-D8-84-45-ED
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
   Link-local IPv6 Address . . . . . : fe80::8830:16d2:3be4:528f%12(Preferred)
   IPv4 Address. . . . . . . . . . . : 192.168.0.32(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Lease Obtained. . . . . . . . . . : 14 May 2016 00:19:56
   Lease Expires . . . . . . . . . . : 15 May 2016 05:07:41
   Default Gateway . . . . . . . . . : 192.168.0.1
   DHCP Server . . . . . . . . . . . : 192.168.0.1
   DHCPv6 IAID . . . . . . . . . . . : 253761240
   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-18-64-51-DC-20-16-D8-84-45-ED
   DNS Servers . . . . . . . . . . . : 190.112.223.106
                                       8.8.8.8
   NetBIOS over Tcpip. . . . . . . . : Enabled

Tunnel adapter isatap.{B8630EF6-933F-431B-92CE-A2563B0E0EB8}:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Microsoft ISATAP Adapter
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes

Tunnel adapter Local Area Connection* 12:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Microsoft 6to4 Adapter
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
Server:  UnKnown
Address:  190.112.223.106

Name:    google.com
Addresses:  2607:f8b0:4008:804::200e
   216.58.192.110

Pinging google.com [216.58.192.110] with 32 bytes of data:
Reply from 216.58.192.110: bytes=32 time=1988ms TTL=54
Reply from 216.58.192.110: bytes=32 time=70ms TTL=54

Ping statistics for 216.58.192.110:
    Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 70ms, Maximum = 1988ms, Average = 1029ms
Server:  UnKnown
Address:  190.112.223.106

Name:    yahoo.com
Addresses:  2001:4998:58:c02::a9
   2001:4998:44:204::a7
   2001:4998:c:a06::2:4008
   98.138.253.109
   98.139.183.24
   206.190.36.45

Pinging yahoo.com [206.190.36.45] with 32 bytes of data:
Reply from 206.190.36.45: bytes=32 time=262ms TTL=51
Reply from 206.190.36.45: bytes=32 time=137ms TTL=51

Ping statistics for 206.190.36.45:
    Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 137ms, Maximum = 262ms, Average = 199ms

Pinging 127.0.0.1 with 32 bytes of data:
Reply from 127.0.0.1: bytes=32 time<1ms TTL=128
Reply from 127.0.0.1: bytes=32 time<1ms TTL=128

Ping statistics for 127.0.0.1:
    Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 0ms, Average = 0ms
===========================================================================
Interface List
 14...20 16 d8 84 45 ed ......Microsoft Wi-Fi Direct Virtual Adapter
 13...70 54 d2 7a ae 7f ......Realtek PCIe FE Family Controller
 12...20 16 d8 84 45 ed ......Realtek RTL8188CE Wireless LAN 802.11n PCI-E NIC
  1...........................Software Loopback Interface 1
 15...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter
 16...00 00 00 00 00 00 00 e0 Microsoft 6to4 Adapter
===========================================================================

IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.0.1     192.168.0.32     30
        127.0.0.0        255.0.0.0         On-link         127.0.0.1    306
        127.0.0.1  255.255.255.255         On-link         127.0.0.1    306
  127.255.255.255  255.255.255.255         On-link         127.0.0.1    306
      192.168.0.0    255.255.255.0         On-link      192.168.0.32    286
     192.168.0.32  255.255.255.255         On-link      192.168.0.32    286
    192.168.0.255  255.255.255.255         On-link      192.168.0.32    286
        224.0.0.0        240.0.0.0         On-link         127.0.0.1    306
        224.0.0.0        240.0.0.0         On-link      192.168.0.32    286
  255.255.255.255  255.255.255.255         On-link         127.0.0.1    306
  255.255.255.255  255.255.255.255         On-link      192.168.0.32    286
===========================================================================
Persistent Routes:
  None

IPv6 Route Table
===========================================================================
Active Routes:
 If Metric Network Destination      Gateway
  1    306 ::1/128                  On-link
 12    286 fe80::/64                On-link
 12    286 fe80::8830:16d2:3be4:528f/128
                                    On-link
  1    306 ff00::/8                 On-link
 12    286 ff00::/8                 On-link
===========================================================================
Persistent Routes:
  None
========================= Winsock entries =====================================

Catalog5 01 C:\WINDOWS\SysWOW64\napinsp.dll [52224] (Microsoft Corporation)
Catalog5 02 C:\WINDOWS\SysWOW64\pnrpnsp.dll [67584] (Microsoft Corporation)
Catalog5 03 C:\WINDOWS\SysWOW64\pnrpnsp.dll [67584] (Microsoft Corporation)
Catalog5 04 C:\WINDOWS\SysWOW64\NLAapi.dll [55296] (Microsoft Corporation)
Catalog5 05 C:\WINDOWS\SysWOW64\mswsock.dll [289280] (Microsoft Corporation)
Catalog5 06 C:\WINDOWS\SysWOW64\winrnr.dll [21504] (Microsoft Corporation)
Catalog9 01 C:\WINDOWS\SysWOW64\mswsock.dll [289280] (Microsoft Corporation)
Catalog9 02 C:\WINDOWS\SysWOW64\mswsock.dll [289280] (Microsoft Corporation)
Catalog9 03 C:\WINDOWS\SysWOW64\mswsock.dll [289280] (Microsoft Corporation)
Catalog9 04 C:\WINDOWS\SysWOW64\mswsock.dll [289280] (Microsoft Corporation)
Catalog9 05 C:\WINDOWS\SysWOW64\mswsock.dll [289280] (Microsoft Corporation)
Catalog9 06 C:\WINDOWS\SysWOW64\mswsock.dll [289280] (Microsoft Corporation)
Catalog9 07 C:\WINDOWS\SysWOW64\mswsock.dll [289280] (Microsoft Corporation)
Catalog9 08 C:\WINDOWS\SysWOW64\mswsock.dll [289280] (Microsoft Corporation)
Catalog9 09 C:\WINDOWS\SysWOW64\mswsock.dll [289280] (Microsoft Corporation)
Catalog9 10 C:\WINDOWS\SysWOW64\mswsock.dll [289280] (Microsoft Corporation)
x64-Catalog5 01 C:\Windows\System32\napinsp.dll [66560] (Microsoft Corporation)
x64-Catalog5 02 C:\Windows\System32\pnrpnsp.dll [85504] (Microsoft Corporation)
x64-Catalog5 03 C:\Windows\System32\pnrpnsp.dll [85504] (Microsoft Corporation)
x64-Catalog5 04 C:\Windows\System32\NLAapi.dll [72192] (Microsoft Corporation)
x64-Catalog5 05 C:\Windows\System32\mswsock.dll [355328] (Microsoft Corporation)
x64-Catalog5 06 C:\Windows\System32\winrnr.dll [53760] (Microsoft Corporation)
x64-Catalog9 01 C:\Windows\System32\mswsock.dll [355328] (Microsoft Corporation)
x64-Catalog9 02 C:\Windows\System32\mswsock.dll [355328] (Microsoft Corporation)
x64-Catalog9 03 C:\Windows\System32\mswsock.dll [355328] (Microsoft Corporation)
x64-Catalog9 04 C:\Windows\System32\mswsock.dll [355328] (Microsoft Corporation)
x64-Catalog9 05 C:\Windows\System32\mswsock.dll [355328] (Microsoft Corporation)
x64-Catalog9 06 C:\Windows\System32\mswsock.dll [355328] (Microsoft Corporation)
x64-Catalog9 07 C:\Windows\System32\mswsock.dll [355328] (Microsoft Corporation)
x64-Catalog9 08 C:\Windows\System32\mswsock.dll [355328] (Microsoft Corporation)
x64-Catalog9 09 C:\Windows\System32\mswsock.dll [355328] (Microsoft Corporation)
x64-Catalog9 10 C:\Windows\System32\mswsock.dll [355328] (Microsoft Corporation)

**** End of log ****



#12 Oh My!

  • Malware Response Instructor
  • Location:California

Posted 14 May 2016 - 03:09 PM

Greetings Oli.

Thank you for the information and the report. Run the below and see if things are better.

===================================================

Farbar's Recovery Scan Tool - Run Fix in Normal or Safe Mode

--------------------
  • Press the Windows key + r on your keyboard at the same time. Type in notepad and press Enter
  • Please copy and paste the contents of the below code box into the open notepad and save it as fixlist.txt in the same location/folder as FRST.exe (<<<Important)
Tcpip\Parameters: [DhcpNameServer] 190.112.223.106 8.8.8.8
Tcpip\..\Interfaces\{B8630EF6-933F-431B-92CE-A2563B0E0EB8}: [DhcpNameServer] 190.112.223.106 8.8.8.8
emptytemp:
  • Right click on FRST.exe, select Run as administrator then press the Fix button
  • When completed the tool will create a log on the desktop called Fixlog.txt. Please copy and paste the contents of the file in your reply.
===================================================

Things I would like to see in your next reply. Please be sure to copy and paste any requested log information unless you are asked to attach it.
  • Fixlog
  • How are your browsers behaving?

Gary
 
If I do not reply within 24 hours please send me a Personal Message.

"Lord, to whom would we go? You have the words that give eternal life. We believe, and we know you are the Holy One of God."
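As an added example (not code from this thread, from FRST or from its author), the following PowerShell check reads the same Tcpip registry values the fixlist above targets and flags any DNS server that is not on an allow-list. The allow-list, the 192.168.0.1 gateway and 8.8.8.8 seen in the ipconfig output, is an assumption for this machine; adjust it to your own network.

```powershell
# Added example: enumerate the DNS servers Windows keeps under the Tcpip
# registry keys (the global Parameters key plus one key per interface) and
# mark any server that is not on the caller's allow-list as UNEXPECTED.
# Run from an elevated PowerShell prompt on the machine being examined.
function Get-TcpipDnsServers {
    param(
        # Assumption: the DNS servers you expect on this network
        [string[]]$AllowedDns = @('192.168.0.1', '8.8.8.8')
    )

    $base = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
    # The global key first, then every per-interface GUID key beneath Interfaces
    $keys = @(Get-Item $base) + @(Get-ChildItem "$base\Interfaces")

    foreach ($key in $keys) {
        # NameServer holds statically configured servers; DhcpNameServer holds
        # the servers handed out by DHCP (the value FRST removed in this thread)
        foreach ($valueName in 'NameServer', 'DhcpNameServer') {
            $raw = (Get-ItemProperty -Path $key.PSPath -Name $valueName `
                        -ErrorAction SilentlyContinue).$valueName
            if ([string]::IsNullOrWhiteSpace($raw)) { continue }

            # Both values are a space- or comma-separated list of addresses
            $servers = $raw -split '[ ,]+' | Where-Object { $_ }
            foreach ($dns in $servers) {
                $status = if ($AllowedDns -contains $dns) { 'expected' } else { 'UNEXPECTED' }
                [pscustomobject]@{
                    Key    = $key.PSChildName
                    Value  = $valueName
                    Server = $dns
                    Status = $status
                }
            }
        }
    }
}

# On the machine in this thread this would list 190.112.223.106 as UNEXPECTED
# next to 8.8.8.8 as expected, for both the Parameters key and the WiFi GUID key.
Get-TcpipDnsServers | Format-Table -AutoSize
```

Because DhcpNameServer is rewritten from the DHCP offer on every lease renewal, an entry that comes back after being removed is being handed out by the DHCP server (here 192.168.0.1), so the router's own DNS settings are the next thing to inspect.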

#13 originaloli

  • Topic Starter
  • Members

Posted 14 May 2016 - 06:12 PM

Dear Gary,

Apologies for the delay - FRST needed to reboot after the fix and 29 Windows updates took effect with the restart.  When I tried to log into my bleepingcomputer account it immediately redirected to google.ru as before.  The internet connection keeps going down, but that happens at times here in Colombia...so may well be a coincidence.

Fixlog:

Fix result of Farbar Recovery Scan Tool (x64) Version:09-05-2016
Ran by Oli (2016-05-14 15:34:55) Run:3
Running from C:\Users\Oli\Desktop
Loaded Profiles: Oli (Available Profiles: Oli)
Boot Mode: Normal
==============================================

fixlist content:
*****************

Tcpip\Parameters: [DhcpNameServer] 190.112.223.106 8.8.8.8
Tcpip\..\Interfaces\{B8630EF6-933F-431B-92CE-A2563B0E0EB8}: [DhcpNameServer] 190.112.223.106 8.8.8.8
emptytemp:
*****************

HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\\DhcpNameServer => value removed successfully
HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{B8630EF6-933F-431B-92CE-A2563B0E0EB8}\\DhcpNameServer => value removed successfully
EmptyTemp: => 411.3 MB temporary data Removed.

The system needed a reboot.

==== End of Fixlog 15:36:20 ====



#14 Oh My!

  • Malware Response Instructor
  • Location:California

Posted 14 May 2016 - 07:10 PM

Are there any other issues besides google.ru?
Gary

#15 originaloli

  • Topic Starter
  • Members

Posted 14 May 2016 - 07:36 PM

Nope, nothing else going on as far as I can see...