TONS of popups even with adblocker plus with extremely slow streaming


8 replies to this topic

#1 anielica

anielica

  • Members
  • 14 posts

Posted 02 June 2016 - 10:59 PM

Hello,

 

For the last few weeks, the internet is running extremely slow, I lose my internet connection (and regain it) at random times, and when I try to stream videos, they take forever to load.  We use a lot of couchtuner and watchseries and those videos used to load immediately, now I just get tons of popups and the load time is unbearable.  I'm wondering if there is some kind of spyware on my computer.  Would it be possible for you to do your magic? :)  Any help and/or answers on what is wrong with my computer would be greatly appreciated!

 

On a side note, when I do lose internet and troubleshoot, it says "Windows sockets registry entries required for network connectivity are missing"

 

Thank you!

Cindy


Edited by anielica, 02 June 2016 - 11:07 PM.




#2 garioch7

garioch7

    RCMP Veteran


  • Malware Response Instructor
  • 3,895 posts
  • Gender:Male
  • Location:Port Hood, Nova Scotia, Canada

Posted 03 June 2016 - 06:34 AM

anielica:

Welcome to the Bleeping Computer Am I Infected? - What Do I Do? Forum. My name is Phil. I would like to address you by your first name if that is alright with you, since we will be working together.

It sounds like something might be going on that could be related to malware. I think that we should run a few preliminary security scans on your computer and see what turns up.

 


Step 1: ESET Online Scanner using Internet Explorer:

Note 1: These instructions are for Internet Explorer only! If you're using Chrome or Firefox, you will need to download and install the ESET Smart Installer tool before it can scan. See instructions here.
Note 2: You will need to disable your currently installed Anti-Virus; how to do so can be found here.

  • Click this link to open ESET OnlineScan.
  • Place a checkmark next to "Yes, I accept the Terms of Use", then click the green Start button.
  • When prompted, allow the Add-On/ActiveX to install.
  • In the new window that opens, tick the radio button next to Enable detection of potentially unwanted applications.
  • Then click "Advanced settings", and make sure there is a checkmark next to only the following items (uncheck everything else):
    • Remove found threats
    • Scan archives
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth technology
  • Then click the Start button and ESET will download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, click List Found Threats (only if anything is found).
  • Then click Export, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Click Back, then click Finish to exit ESET Online Scanner.

Don't forget to re-enable your antivirus when finished!



Step 2: Download and install Malwarebytes Anti-Malware:

Please download Malwarebytes Anti-Malware to your desktop.

  • Double-click mbam-setup-2.2.*.****.exe and follow the prompts to install the program ( * = program version numbers may vary - always get the latest version).
  • At the end, be sure a checkmark is placed next to the following:
    • Launch Malwarebytes Anti-Malware
    • A 14 day trial of the Premium features is pre-selected. You may deselect this if you wish, and it will not diminish the scanning and removal capabilities of the program.
  • On the Dashboard, select Settings.
  • Click on Detection and Protection.
  • Ensure that Scan for rootkits is checked. If not, check it.
  • Click Finish.
  • On the Dashboard, click the 'Update Now >>' link
  • After the update completes, click the 'Scan Now >>' button.
  • Or, on the Dashboard, click the Scan Now >> button.
  • If an update is available, click the Update Now button.
  • A Threat Scan will begin.
  • When the scan is complete, if there have been detections, click Apply Actions to allow MBAM to clean what was detected.
  • In most cases, a restart will be required.
  • Wait for the prompt to restart the computer to appear, then click on Yes.
  • After the restart once you are back at your desktop, open MBAM once more.
  • Click on the History tab > Application Logs.
  • Double click on the scan log which shows the Date and time of the scan just performed.
  • Click 'Copy to Clipboard'.
  • Paste the contents of the clipboard into your next reply.

 

 

Step 3: Please download MiniToolBox, save it to your desktop and run it.
Checkmark the following checkboxes:

  • Flush DNS
  • Report IE Proxy Settings
  • Reset IE Proxy Settings
  • Report FF Proxy Settings
  • Reset FF Proxy Settings
  • List content of Hosts
  • List IP configuration
  • List Winsock Entries
  • List last 10 Event Viewer log
  • List Installed Programs

Click Go and post the result (Result.txt). A copy of Result.txt will be saved in the same directory the tool is run.

Note: When using the "Reset FF Proxy Settings" option, Firefox should be closed.

 

 

The MiniToolBox scan will allow me to examine your "winsock" entries to determine if they are corrupted. If so, we will fix that in the next post for you.

I would like you to paste the logs from all three scans into your next reply. I will examine those and determine what our next step should be. If there is evidence of serious infection, you might have to open a new thread in the Virus, Trojan, Spyware and Malware Removal Logs Forum, but let's not get ahead of ourselves yet. Many less serious issues can be solved right here, in this Forum.

If I haven't responded to your reply in 48 hours, please send me a personal message.

Have a great day.

Regards,
-Phil


Graduate of the Bleeping Computer Malware Removal Study Hall
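Phil's point about reading the Winsock catalog, as an added example that is not part of this thread or of MiniToolBox: a Python script that parses the "Winsock entries" section of a MiniToolBox report and flags any provider that is not a Microsoft DLL under the Windows system directories, which is the check a malware responder applies by eye. The sample report, the third-party DLL name and its vendor are constructed placeholders, not indicators from this thread.

```python
"""Triage the "Winsock entries" section of a MiniToolBox report.

Added example, not part of the BleepingComputer thread or of MiniToolBox.
Every Layered Service Provider (Catalog9) and namespace provider (Catalog5)
on a healthy machine is a Microsoft DLL living in System32 or SysWOW64. A
third-party or user-profile DLL is not proof of infection, but it is the
entry that deserves a closer look before running a Winsock reset.
"""
import re

# Matches report lines such as:
#   Catalog5 01 C:\WINDOWS\SysWOW64\napinsp.dll [55808] (Microsoft Corporation)
#   x64-Catalog9 12 C:\Windows\System32\mswsock.dll [357216] (Microsoft Corporation)
ENTRY_RE = re.compile(
    r"^(?P<catalog>(?:x64-)?Catalog[59])\s+(?P<index>\d+)\s+"
    r"(?P<path>.+?\.(?:dll|DLL))\s+\[(?P<size>\d+)\]\s+\((?P<vendor>[^)]*)\)\s*$"
)

TRUSTED_VENDORS = {"microsoft corporation"}
# Windows paths are case-insensitive, so everything is compared in lower case.
TRUSTED_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")


def parse_winsock_section(report):
    """Return the entries of the 'Winsock entries' section as dicts, in order."""
    entries = []
    in_section = False
    for line in report.splitlines():
        if "Winsock entries" in line:
            in_section = True          # section header found
            continue
        if in_section and line.startswith("====="):
            break                      # next MiniToolBox section header
        m = ENTRY_RE.match(line.strip())
        if in_section and m:
            entry = m.groupdict()
            entry["index"] = int(entry["index"])
            entry["size"] = int(entry["size"])
            entries.append(entry)
    return entries


def flag_entry(entry):
    """Return the reasons an entry deserves review; an empty list means it looks normal."""
    reasons = []
    path = entry["path"].lower()
    if entry["vendor"].strip().lower() not in TRUSTED_VENDORS:
        reasons.append("non-Microsoft vendor: %r" % entry["vendor"])
    if not path.startswith(TRUSTED_DIRS):
        reasons.append("DLL outside the Windows system directories")
    if "\\temp\\" in path or "\\appdata\\" in path:
        reasons.append("DLL in a temp/user-profile location")
    return reasons


def triage(report):
    """Map (catalog, index, path) -> reasons, for entries that need review only."""
    findings = {}
    for entry in parse_winsock_section(report):
        reasons = flag_entry(entry)
        if reasons:
            findings[(entry["catalog"], entry["index"], entry["path"])] = reasons
    return findings


# Constructed sample in the MiniToolBox layout: Microsoft lines as they appear
# in a normal report plus one made-up third-party provider. The DLL name,
# path and vendor of that line are placeholders, not a real indicator.
SAMPLE_REPORT = r"""
========================= Winsock entries =====================================

Catalog5 01 C:\WINDOWS\SysWOW64\napinsp.dll [55808] (Microsoft Corporation)
Catalog5 05 C:\WINDOWS\SysWOW64\mswsock.dll [312160] (Microsoft Corporation)
Catalog9 01 C:\WINDOWS\SysWOW64\mswsock.dll [312160] (Microsoft Corporation)
Catalog9 13 C:\Users\example\AppData\Local\Temp\example_lsp.dll [40960] (Example Vendor)
x64-Catalog5 01 C:\Windows\System32\napinsp.dll [68096] (Microsoft Corporation)
x64-Catalog9 01 C:\Windows\System32\mswsock.dll [357216] (Microsoft Corporation)

========================= Event log errors: ===============================

Error: (06/03/2016 05:46:19 PM) (Source: Perflib) (User: )
"""

if __name__ == "__main__":
    for (catalog, index, path), reasons in triage(SAMPLE_REPORT).items():
        print("%s %02d %s" % (catalog, index, path))
        for reason in reasons:
            print("    - " + reason)
```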


#3 anielica

anielica
  • Topic Starter

  • Members
  • 14 posts

Posted 03 June 2016 - 11:08 PM

Hi Phil,

 

Thank you so much for taking the time to help me.  To start off, I didn't have an internet connection all day.  For giggles, I unplugged my modem from my wireless router and plugged the modem into the ethernet on the back of my PC.  I instantly got an internet connection.  My wireless router is ancient (I think it's well over 10 years old) so it might be kaput and if you think it wise, I have no problems junking it and buying a new one.  With that said and now that I have an internet connection, my streaming is still slow and I have tons of popups so I would like to continue receiving as much help as you would be willing to give!  Here are the results you requested:

 

ESET scanner:  I had some issues with this.  The first time I ran it, it found one threat and before the scan had finished, black boxes appeared and covered up some of the texts then a blank screen came up and I had to force quit.  On the second scan, it found zero threats, but the one apparent threat was saved in quarantine.  There was no option to "List found threats" nor was there an export button anywhere.  I was, however, able to view the quarantined items and found what I think was the first threat from the first scan.  It was a potentially unsafe application.  Location: C:\$Recycle.Bin/S-1-5-21-2599921310-193900623-4191748441-1001\$R4NS47S\HP ENVY 4500 e-All-in-One Printer series Full Feature Software ad Drivers - EN4500_198.exe with a Threat Name of Win32/Bundled.Toolbar.Google.D (I'm not sure if I should remove that or not).

 

Malwarebytes Anti-Malware
www.malwarebytes.org

Scan Date: 6/3/2016
Scan Time: 9:08 PM
Logfile:
Administrator: Yes

Version: 2.2.1.1043
Malware Database: v2016.06.04.01
Rootkit Database: v2016.05.27.01
License: Free
Malware Protection: Disabled
Malicious Website Protection: Disabled
Self-protection: Disabled

OS: Windows 10
CPU: x64
File System: NTFS
User: Smith

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 338910
Time Elapsed: 30 min, 13 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled

Processes: 0
(No malicious items detected)

Modules: 0
(No malicious items detected)

Registry Keys: 0
(No malicious items detected)

Registry Values: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Folders: 0
(No malicious items detected)

Files: 0
(No malicious items detected)

Physical Sectors: 0
(No malicious items detected)


(end)

 

MiniToolBox by Farbar  Version: 07-02-2016 01
Ran by Smith (administrator) on 03-06-2016 at 22:07:57
Running from "C:\Users\Smith\Downloads"
Microsoft Windows 10 Home  (X64)
Model: Inspiron 3647 Manufacturer: Dell Inc.
Boot Mode: Normal
***************************************************************************

========================= Flush DNS: ===================================

Windows IP Configuration

Successfully flushed the DNS Resolver Cache.

========================= IE Proxy Settings: ==============================

Proxy is not enabled.
No Proxy Server is set.

"Reset IE Proxy Settings": IE Proxy Settings were reset.

========================= FF Proxy Settings: ==============================


"Reset FF Proxy Settings": Firefox Proxy settings were reset.

========================= Hosts content: =================================
========================= IP Configuration: ================================

Realtek PCIe GBE Family Controller = Ethernet (Connected)
Dell Wireless 1705 802.11b/g/n (2.4GHZ) = Wi-Fi (Connected)
Bluetooth Device (Personal Area Network) = Bluetooth Network Connection (Media disconnected)


# ----------------------------------
# IPv4 Configuration
# ----------------------------------
pushd interface ipv4

reset
set global icmpredirects=enabled
set interface interface="Ethernet" forwarding=enabled advertise=enabled nud=enabled ignoredefaultroutes=disabled
set interface interface="Local Area Connection* 1" forwarding=enabled advertise=enabled nud=enabled ignoredefaultroutes=disabled
set interface interface="Local Area Connection* 3" forwarding=enabled advertise=enabled nud=enabled ignoredefaultroutes=disabled
set interface interface="Wi-Fi" forwarding=enabled advertise=enabled nud=enabled ignoredefaultroutes=disabled
set interface interface="Bluetooth Network Connection" forwarding=enabled advertise=enabled nud=enabled ignoredefaultroutes=disabled


popd
# End of IPv4 configuration



Windows IP Configuration

   Host Name . . . . . . . . . . . . : SmithFamily
   Primary Dns Suffix  . . . . . . . :
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No
   DNS Suffix Search List. . . . . . : Home

Wireless LAN adapter Local Area Connection* 3:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Microsoft Wi-Fi Direct Virtual Adapter
   Physical Address. . . . . . . . . : 1A-5A-B6-23-20-F5
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes

Ethernet adapter Ethernet:

   Connection-specific DNS Suffix  . : Home
   Description . . . . . . . . . . . : Realtek PCIe GBE Family Controller
   Physical Address. . . . . . . . . : C8-1F-66-1E-51-E9
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
   Link-local IPv6 Address . . . . . : fe80::9848:aaf5:86e7:afe8%4(Preferred)
   IPv4 Address. . . . . . . . . . . : 192.168.0.2(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Lease Obtained. . . . . . . . . . : Friday, June 3, 2016 5:38:40 PM
   Lease Expires . . . . . . . . . . : Saturday, June 4, 2016 5:38:38 PM
   Default Gateway . . . . . . . . . : 192.168.0.1
   DHCP Server . . . . . . . . . . . : 192.168.0.1
   DHCPv6 IAID . . . . . . . . . . . : 164110182
   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-1A-59-41-C2-C8-1F-66-1E-51-E9
   DNS Servers . . . . . . . . . . . : 192.168.0.1
                                       205.171.2.25
   NetBIOS over Tcpip. . . . . . . . : Enabled

Tunnel adapter isatap.Home:

   Connection-specific DNS Suffix  . : Home
   Description . . . . . . . . . . . : Microsoft ISATAP Adapter #2
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   Link-local IPv6 Address . . . . . : fe80::5efe:192.168.0.2%18(Preferred)
   Link-local IPv6 Address . . . . . : fe80::5efe:192.168.0.3%18(Preferred)
   Default Gateway . . . . . . . . . :
   DHCPv6 IAID . . . . . . . . . . . : 301989888
   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-1A-59-41-C2-C8-1F-66-1E-51-E9
   DNS Servers . . . . . . . . . . . : 192.168.0.1
                                       205.171.2.25
   NetBIOS over Tcpip. . . . . . . . : Disabled

Wireless LAN adapter Wi-Fi:

   Connection-specific DNS Suffix  . : Home
   Description . . . . . . . . . . . : Dell Wireless 1705 802.11b/g/n (2.4GHZ)
   Physical Address. . . . . . . . . : 48-5A-B6-23-20-F5
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
   Link-local IPv6 Address . . . . . : fe80::d9e4:6d96:c034:b15e%3(Preferred)
   IPv4 Address. . . . . . . . . . . : 192.168.0.3(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Lease Obtained. . . . . . . . . . : Friday, June 3, 2016 5:38:48 PM
   Lease Expires . . . . . . . . . . : Saturday, June 4, 2016 5:38:49 PM
   Default Gateway . . . . . . . . . : 192.168.0.1
   DHCP Server . . . . . . . . . . . : 192.168.0.1
   DHCPv6 IAID . . . . . . . . . . . : 55073462
   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-1A-59-41-C2-C8-1F-66-1E-51-E9
   DNS Servers . . . . . . . . . . . : 192.168.0.1
                                       205.171.2.25
   NetBIOS over Tcpip. . . . . . . . : Enabled

Ethernet adapter Bluetooth Network Connection:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Bluetooth Device (Personal Area Network)
   Physical Address. . . . . . . . . : 48-5A-B6-23-20-F6
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes

Tunnel adapter Teredo Tunneling Pseudo-Interface:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   IPv6 Address. . . . . . . . . . . : 2001:0:9d38:6ab8:3c03:13e4:2fd2:b085(Preferred)
   Link-local IPv6 Address . . . . . : fe80::3c03:13e4:2fd2:b085%17(Preferred)
   Default Gateway . . . . . . . . . : ::
   DHCPv6 IAID . . . . . . . . . . . : 335544320
   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-1A-59-41-C2-C8-1F-66-1E-51-E9
   NetBIOS over Tcpip. . . . . . . . : Disabled
Server:  modem.Home
Address:  192.168.0.1

Name:    google.com
Addresses:  2607:f8b0:400f:802::200e
      216.58.217.14


Pinging google.com [216.58.217.14] with 32 bytes of data:
Reply from 216.58.217.14: bytes=32 time=43ms TTL=57
Reply from 216.58.217.14: bytes=32 time=39ms TTL=57

Ping statistics for 216.58.217.14:
    Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 39ms, Maximum = 43ms, Average = 41ms
Server:  modem.Home
Address:  192.168.0.1

Name:    yahoo.com
Addresses:  2001:4998:58:c02::a9
      2001:4998:44:204::a7
      2001:4998:c:a06::2:4008
      206.190.36.45
      98.138.253.109
      98.139.183.24


Pinging yahoo.com [98.138.253.109] with 32 bytes of data:
Reply from 98.138.253.109: bytes=32 time=113ms TTL=53
Reply from 98.138.253.109: bytes=32 time=112ms TTL=53

Ping statistics for 98.138.253.109:
    Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 112ms, Maximum = 113ms, Average = 112ms

Pinging 127.0.0.1 with 32 bytes of data:
Reply from 127.0.0.1: bytes=32 time<1ms TTL=128
Reply from 127.0.0.1: bytes=32 time<1ms TTL=128

Ping statistics for 127.0.0.1:
    Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 0ms, Average = 0ms
===========================================================================
Interface List
 15...1a 5a b6 23 20 f5 ......Microsoft Wi-Fi Direct Virtual Adapter
  4...c8 1f 66 1e 51 e9 ......Realtek PCIe GBE Family Controller
 18...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #2
  3...48 5a b6 23 20 f5 ......Dell Wireless 1705 802.11b/g/n (2.4GHZ)
  7...48 5a b6 23 20 f6 ......Bluetooth Device (Personal Area Network)
  1...........................Software Loopback Interface 1
 17...00 00 00 00 00 00 00 e0 Teredo Tunneling Pseudo-Interface
===========================================================================

IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.0.1      192.168.0.2     10
          0.0.0.0          0.0.0.0      192.168.0.1      192.168.0.3     25
        127.0.0.0        255.0.0.0         On-link         127.0.0.1    306
        127.0.0.1  255.255.255.255         On-link         127.0.0.1    306
  127.255.255.255  255.255.255.255         On-link         127.0.0.1    306
      192.168.0.0    255.255.255.0         On-link       192.168.0.2    266
      192.168.0.0    255.255.255.0         On-link       192.168.0.3    281
      192.168.0.2  255.255.255.255         On-link       192.168.0.2    266
      192.168.0.3  255.255.255.255         On-link       192.168.0.3    281
    192.168.0.255  255.255.255.255         On-link       192.168.0.2    266
    192.168.0.255  255.255.255.255         On-link       192.168.0.3    281
        224.0.0.0        240.0.0.0         On-link         127.0.0.1    306
        224.0.0.0        240.0.0.0         On-link       192.168.0.3    281
        224.0.0.0        240.0.0.0         On-link       192.168.0.2    266
  255.255.255.255  255.255.255.255         On-link         127.0.0.1    306
  255.255.255.255  255.255.255.255         On-link       192.168.0.3    281
  255.255.255.255  255.255.255.255         On-link       192.168.0.2    266
===========================================================================
Persistent Routes:
  None

IPv6 Route Table
===========================================================================
Active Routes:
 If Metric Network Destination      Gateway
 17    306 ::/0                     On-link
  1    306 ::1/128                  On-link
 17    306 2001::/32                On-link
 17    306 2001:0:9d38:6ab8:3c03:13e4:2fd2:b085/128
                                    On-link
  3    281 fe80::/64                On-link
  4    266 fe80::/64                On-link
 17    306 fe80::/64                On-link
 18    266 fe80::5efe:192.168.0.2/128
                                    On-link
 18    266 fe80::5efe:192.168.0.3/128
                                    On-link
 17    306 fe80::3c03:13e4:2fd2:b085/128
                                    On-link
  4    266 fe80::9848:aaf5:86e7:afe8/128
                                    On-link
  3    281 fe80::d9e4:6d96:c034:b15e/128
                                    On-link
  1    306 ff00::/8                 On-link
  3    281 ff00::/8                 On-link
 17    306 ff00::/8                 On-link
  4    266 ff00::/8                 On-link
===========================================================================
Persistent Routes:
  None
========================= Winsock entries =====================================

Catalog5 01 C:\WINDOWS\SysWOW64\napinsp.dll [55808] (Microsoft Corporation)
Catalog5 02 C:\WINDOWS\SysWOW64\pnrpnsp.dll [70656] (Microsoft Corporation)
Catalog5 03 C:\WINDOWS\SysWOW64\pnrpnsp.dll [70656] (Microsoft Corporation)
Catalog5 04 C:\WINDOWS\SysWOW64\NLAapi.dll [65024] (Microsoft Corporation)
Catalog5 05 C:\WINDOWS\SysWOW64\mswsock.dll [312160] (Microsoft Corporation)
Catalog5 06 C:\WINDOWS\SysWOW64\winrnr.dll [23552] (Microsoft Corporation)
Catalog5 07 C:\WINDOWS\SysWOW64\wshbth.dll [51712] (Microsoft Corporation)
Catalog9 01 C:\WINDOWS\SysWOW64\mswsock.dll [312160] (Microsoft Corporation)
Catalog9 02 C:\WINDOWS\SysWOW64\mswsock.dll [312160] (Microsoft Corporation)
Catalog9 03 C:\WINDOWS\SysWOW64\mswsock.dll [312160] (Microsoft Corporation)
Catalog9 04 C:\WINDOWS\SysWOW64\mswsock.dll [312160] (Microsoft Corporation)
Catalog9 05 C:\WINDOWS\SysWOW64\mswsock.dll [312160] (Microsoft Corporation)
Catalog9 06 C:\WINDOWS\SysWOW64\mswsock.dll [312160] (Microsoft Corporation)
Catalog9 07 C:\WINDOWS\SysWOW64\mswsock.dll [312160] (Microsoft Corporation)
Catalog9 08 C:\WINDOWS\SysWOW64\mswsock.dll [312160] (Microsoft Corporation)
Catalog9 09 C:\WINDOWS\SysWOW64\mswsock.dll [312160] (Microsoft Corporation)
Catalog9 10 C:\WINDOWS\SysWOW64\mswsock.dll [312160] (Microsoft Corporation)
Catalog9 11 C:\WINDOWS\SysWOW64\mswsock.dll [312160] (Microsoft Corporation)
Catalog9 12 C:\WINDOWS\SysWOW64\mswsock.dll [312160] (Microsoft Corporation)
x64-Catalog5 01 C:\Windows\System32\napinsp.dll [68096] (Microsoft Corporation)
x64-Catalog5 02 C:\Windows\System32\pnrpnsp.dll [87040] (Microsoft Corporation)
x64-Catalog5 03 C:\Windows\System32\pnrpnsp.dll [87040] (Microsoft Corporation)
x64-Catalog5 04 C:\Windows\System32\NLAapi.dll [80896] (Microsoft Corporation)
x64-Catalog5 05 C:\Windows\System32\mswsock.dll [357216] (Microsoft Corporation)
x64-Catalog5 06 C:\Windows\System32\winrnr.dll [31744] (Microsoft Corporation)
x64-Catalog5 07 C:\Windows\System32\wshbth.dll [63488] (Microsoft Corporation)
x64-Catalog9 01 C:\Windows\System32\mswsock.dll [357216] (Microsoft Corporation)
x64-Catalog9 02 C:\Windows\System32\mswsock.dll [357216] (Microsoft Corporation)
x64-Catalog9 03 C:\Windows\System32\mswsock.dll [357216] (Microsoft Corporation)
x64-Catalog9 04 C:\Windows\System32\mswsock.dll [357216] (Microsoft Corporation)
x64-Catalog9 05 C:\Windows\System32\mswsock.dll [357216] (Microsoft Corporation)
x64-Catalog9 06 C:\Windows\System32\mswsock.dll [357216] (Microsoft Corporation)
x64-Catalog9 07 C:\Windows\System32\mswsock.dll [357216] (Microsoft Corporation)
x64-Catalog9 08 C:\Windows\System32\mswsock.dll [357216] (Microsoft Corporation)
x64-Catalog9 09 C:\Windows\System32\mswsock.dll [357216] (Microsoft Corporation)
x64-Catalog9 10 C:\Windows\System32\mswsock.dll [357216] (Microsoft Corporation)
x64-Catalog9 11 C:\Windows\System32\mswsock.dll [357216] (Microsoft Corporation)
x64-Catalog9 12 C:\Windows\System32\mswsock.dll [357216] (Microsoft Corporation)

========================= Event log errors: ===============================

Application errors:
==================
Error: (06/03/2016 05:46:19 PM) (Source: Perflib) (User: )
Description: BITSC:\Windows\System32\bitsperf.dll8

Error: (06/03/2016 01:47:41 PM) (Source: Microsoft-Windows-CAPI2) (User: )
Description: Cryptographic Services failed while processing the OnIdentity() call in the System Writer Object.


Details:
AddLegacyDriverFiles: Unable to back up image of binary Microsoft Link-Layer Discovery Protocol.

System Error:
Access is denied.
.

Error: (06/02/2016 08:12:58 PM) (Source: Microsoft-Windows-Immersive-Shell) (User: SMITHFAMILY)
Description: Package Microsoft.Windows.ShellExperienceHost_10.0.10586.0_neutral_neutral_cw5n1h2txyewy+App was terminated because it took too long to suspend.

Error: (06/02/2016 11:30:43 AM) (Source: Microsoft-Windows-CAPI2) (User: )
Description: Cryptographic Services failed while processing the OnIdentity() call in the System Writer Object.


Details:
AddLegacyDriverFiles: Unable to back up image of binary Microsoft Link-Layer Discovery Protocol.

System Error:
Access is denied.
.

Error: (06/02/2016 10:43:32 AM) (Source: Perflib) (User: )
Description: BITSC:\Windows\System32\bitsperf.dll8

Error: (06/01/2016 09:42:29 AM) (Source: Microsoft-Windows-CAPI2) (User: )
Description: Cryptographic Services failed while processing the OnIdentity() call in the System Writer Object.


Details:
AddLegacyDriverFiles: Unable to back up image of binary Microsoft Link-Layer Discovery Protocol.

System Error:
Access is denied.
.

Error: (06/01/2016 09:01:02 AM) (Source: Perflib) (User: )
Description: BITSC:\Windows\System32\bitsperf.dll8

Error: (05/31/2016 07:12:58 AM) (Source: Perflib) (User: )
Description: BITSC:\Windows\System32\bitsperf.dll8

Error: (05/31/2016 06:35:29 AM) (Source: Microsoft-Windows-CAPI2) (User: )
Description: Cryptographic Services failed while processing the OnIdentity() call in the System Writer Object.


Details:
AddLegacyDriverFiles: Unable to back up image of binary Microsoft Link-Layer Discovery Protocol.

System Error:
Access is denied.
.

Error: (05/30/2016 08:07:29 PM) (Source: ESENT) (User: )
Description: svchost (1280) SRUJet: Error -1811 (0xfffff8ed) occurred while opening logfile C:\WINDOWS\system32\SRU\SRU008E1.log.


System errors:
=============
Error: (06/03/2016 07:41:27 PM) (Source: Service Control Manager) (User: )
Description: The eapihdrv service failed to start due to the following error:
%%1275

Error: (06/03/2016 07:41:27 PM) (Source: Application Popup) (User: )
Description: \??\C:\Users\Smith\AppData\Local\Temp\ehdrv.sys

Error: (06/03/2016 07:41:26 PM) (Source: Service Control Manager) (User: )
Description: The eapihdrv service failed to start due to the following error:
%%1275

Error: (06/03/2016 07:41:26 PM) (Source: Application Popup) (User: )
Description: \??\C:\Users\Smith\AppData\Local\Temp\ehdrv.sys

Error: (06/03/2016 07:41:26 PM) (Source: Service Control Manager) (User: )
Description: The eapihdrv service failed to start due to the following error:
%%1275

Error: (06/03/2016 07:41:26 PM) (Source: Application Popup) (User: )
Description: \??\C:\Users\Smith\AppData\Local\Temp\ehdrv.sys

Error: (06/03/2016 07:41:26 PM) (Source: Service Control Manager) (User: )
Description: The eapihdrv service failed to start due to the following error:
%%1275

Error: (06/03/2016 07:41:26 PM) (Source: Application Popup) (User: )
Description: \??\C:\Users\Smith\AppData\Local\Temp\ehdrv.sys

Error: (06/03/2016 07:41:25 PM) (Source: Service Control Manager) (User: )
Description: The eapihdrv service failed to start due to the following error:
%%1275

Error: (06/03/2016 07:41:25 PM) (Source: Application Popup) (User: )
Description: \??\C:\Users\Smith\AppData\Local\Temp\ehdrv.sys


Microsoft Office Sessions:
=========================
Error: (06/03/2016 05:46:19 PM) (Source: Perflib)(User: )
Description: BITSC:\Windows\System32\bitsperf.dll8

Error: (06/03/2016 01:47:41 PM) (Source: Microsoft-Windows-CAPI2)(User: )
Description:
Details:
AddLegacyDriverFiles: Unable to back up image of binary Microsoft Link-Layer Discovery Protocol.

System Error:
Access is denied.

Error: (06/02/2016 08:12:58 PM) (Source: Microsoft-Windows-Immersive-Shell)(User: SMITHFAMILY)
Description: Microsoft.Windows.ShellExperienceHost_10.0.10586.0_neutral_neutral_cw5n1h2txyewy+App

Error: (06/02/2016 11:30:43 AM) (Source: Microsoft-Windows-CAPI2)(User: )
Description:
Details:
AddLegacyDriverFiles: Unable to back up image of binary Microsoft Link-Layer Discovery Protocol.

System Error:
Access is denied.

Error: (06/02/2016 10:43:32 AM) (Source: Perflib)(User: )
Description: BITSC:\Windows\System32\bitsperf.dll8

Error: (06/01/2016 09:42:29 AM) (Source: Microsoft-Windows-CAPI2)(User: )
Description:
Details:
AddLegacyDriverFiles: Unable to back up image of binary Microsoft Link-Layer Discovery Protocol.

System Error:
Access is denied.

Error: (06/01/2016 09:01:02 AM) (Source: Perflib)(User: )
Description: BITSC:\Windows\System32\bitsperf.dll8

Error: (05/31/2016 07:12:58 AM) (Source: Perflib)(User: )
Description: BITSC:\Windows\System32\bitsperf.dll8

Error: (05/31/2016 06:35:29 AM) (Source: Microsoft-Windows-CAPI2)(User: )
Description:
Details:
AddLegacyDriverFiles: Unable to back up image of binary Microsoft Link-Layer Discovery Protocol.

System Error:
Access is denied.

Error: (05/30/2016 08:07:29 PM) (Source: ESENT)(User: )
Description: svchost1280SRUJet: C:\WINDOWS\system32\SRU\SRU008E1.log-1811 (0xfffff8ed)


CodeIntegrity Errors:
===================================
  Date: 2016-05-15 16:04:21.538
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume5\Windows\System32\efswrt.dll because the set of per-page image hashes could not be found on the system.

  Date: 2016-05-14 12:38:58.617
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume5\Windows\System32\efswrt.dll because the set of per-page image hashes could not be found on the system.

  Date: 2016-05-12 09:36:37.463
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume5\Windows\System32\efswrt.dll because the set of per-page image hashes could not be found on the system.

  Date: 2016-05-12 07:37:28.580
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume5\Windows\System32\efswrt.dll because the set of per-page image hashes could not be found on the system.

  Date: 2016-05-11 21:06:25.760
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume5\Windows\System32\efswrt.dll because the set of per-page image hashes could not be found on the system.

  Date: 2016-04-14 19:58:15.154
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume5\Windows\System32\efswrt.dll because the set of per-page image hashes could not be found on the system.

  Date: 2016-04-14 03:35:46.105
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume5\Windows\System32\efswrt.dll because the set of per-page image hashes could not be found on the system.

  Date: 2016-04-12 21:27:44.488
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume5\Windows\System32\efswrt.dll because the set of per-page image hashes could not be found on the system.

  Date: 2016-03-23 08:32:35.700
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume5\Windows\System32\efswrt.dll because the set of per-page image hashes could not be found on the system.

  Date: 2016-03-11 09:39:08.938
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume5\Windows\System32\efswrt.dll because the set of per-page image hashes could not be found on the system.


=========================== Installed Programs ============================

7-Zip 9.20 (HKLM-x32\...\7-Zip 9.20) (Version:  - )
Adblock Plus for IE (32-bit and 64-bit) (HKLM\...\{0F347A49-E36C-4639-8D2E-003AD408B8B2}) (Version: 1.5 - Eyeo GmbH)
Adobe Acrobat Reader DC (HKLM-x32\...\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}) (Version: 15.016.20045 - Adobe Systems Incorporated)
Adobe Flash Player 21 NPAPI (HKLM-x32\...\Adobe Flash Player NPAPI) (Version: 21.0.0.213 - Adobe Systems Incorporated)
AllShare Framework DMS (HKLM\...\{83232C27-8C3F-44A5-9EB2-BB7161228ADD}) (Version: 1.3.23 - Samsung)
Amazon 1Button App (HKLM-x32\...\{0A7D6F3C-F2AB-48ED-BE23-99791BFF87D6}) (Version: 1.0.0.4 - Amazon)
CyberLink Media Suite Essentials (HKLM-x32\...\InstallShield_{8F14AA37-5193-4A14-BD5B-BDF9B361AEF7}) (Version: 10.0 - CyberLink Corp.)
D3DX10 (HKLM-x32\...\{E09C4DB7-630C-4F06-A631-8EA7239923AF}) (Version: 15.4.2368.0902 - Microsoft) Hidden
Dell Backup and Recovery (HKLM-x32\...\{0ED7EE95-6A97-47AA-AD73-152C08A15B04}) (Version: 1.8.1.70 - Dell Inc.)
Dell Data Vault (HKLM\...\{2E55EEFD-2162-4A7D-9158-EDB0305603A6}) (Version: 4.3.8.0 - Dell Inc.) Hidden
Dell SupportAssist (HKLM\...\PC-Doctor for Windows) (Version: 1.2.6793.01 - Dell)
Dell SupportAssistAgent (HKLM-x32\...\{3ED468C2-2235-4747-90AD-A7A34F0FE70A}) (Version: 1.2.2.8 - Dell)
Dell WLAN and Bluetooth Client Installation (HKLM-x32\...\{28006915-2739-4EBE-B5E8-49B25D32EB33}) (Version: 10.0 - Dell Inc.)
Escape From Horrorland (HKLM-x32\...\DreamWorks Interactive: HorrorLand) (Version:  - )
ffdshow [rev 2527] [2008-12-19] (HKLM-x32\...\ffdshow_is1) (Version: 1.0 - )
HP ENVY 4500 series Basic Device Software (HKLM\...\{6915424E-704F-4F5D-9057-9C7B406B36DB}) (Version: 32.3.198.49673 - Hewlett-Packard Co.)
HP ENVY 4500 series Help (HKLM-x32\...\{95BECC50-22B4-4FCA-8A2E-BF77713E6D3A}) (Version: 30.0.0 - Hewlett Packard)
HP FWUpdateEDO2 (HKLM-x32\...\{415FA9AD-DA10-4ABE-97B6-5051D4795C90}) (Version: 1.2.0.0 - Hewlett-Packard)
HP Photo Creations (HKLM-x32\...\HP Photo Creations) (Version: 1.0.0.7702 - HP)
HP Support Solutions Framework (HKLM-x32\...\{FC3C2B77-6800-48C6-A15D-9D1031130C16}) (Version: 11.51.0049 - Hewlett-Packard Company)
HP Update (HKLM-x32\...\{912D30CF-F39E-4B31-AD9A-123C6B794EE2}) (Version: 5.005.002.002 - Hewlett-Packard)
HPDiagnosticAlert (HKLM-x32\...\{B6465A32-8BE9-4B38-ADC5-4B4BDDC10B0D}) (Version: 1.00.0001 - Microsoft) Hidden
Image Resizer for Windows (64 bit) (HKLM\...\{617CA6E9-D5FB-4017-8130-82E68C56C34D}) (Version: 3.0.4802.35565 - Brice Lambson) Hidden
Image Resizer for Windows (HKLM-x32\...\{69d72156-6582-4556-8637-06f40aa7f85b}) (Version: 3.0.4802.35565 - Brice Lambson)
Intel® Management Engine Components (HKLM-x32\...\{65153EA5-8B6E-43B6-857B-C6E4FC25798A}) (Version: 9.5.14.1724 - Intel Corporation)
Intel® Processor Graphics (HKLM-x32\...\{F0E3AD40-2BBD-4360-9C76-B9AC9A5886EA}) (Version: 20.19.15.4331 - Intel Corporation)
Intel® Rapid Storage Technology (HKLM\...\{409CB30E-E457-4008-9B1A-ED1B9EA21140}) (Version: 12.8.0.1016 - Intel Corporation)
InterActual Player (HKLM-x32\...\InterActual Player) (Version:  - )
Java 8 Update 45 (HKLM-x32\...\{26A24AE4-039D-4CA4-87B4-2F83218045F0}) (Version: 8.0.450 - Oracle Corporation)
LeapFrog Connect (HKLM-x32\...\{5B0F473D-7E18-477F-99DC-3745D5A711E9}) (Version: 7.0.6.19846 - LeapFrog) Hidden
LeapFrog Connect (HKLM-x32\...\UPCShell) (Version: 7.0.6.19846 - LeapFrog)
LeapFrog LeapPad Explorer Plugin (HKLM-x32\...\{50B93E1B-EBA1-46AE-909F-10F6F97E1505}) (Version: 7.0.6.19846 - LeapFrog) Hidden
Magellan Communicator (HKLM-x32\...\{0FD5FD0B-4BA6-47A1-99C3-F8A964C3CCA5}) (Version: 1.15.020 - Magellan Navigation, Inc.) Hidden
Magellan Communicator (HKLM-x32\...\InstallShield_{0FD5FD0B-4BA6-47A1-99C3-F8A964C3CCA5}) (Version: 1.15.020 - Magellan Navigation, Inc.)
Malwarebytes Anti-Malware version 2.2.1.1043 (HKLM-x32\...\Malwarebytes Anti-Malware_is1) (Version: 2.2.1.1043 - Malwarebytes)
Manager (HKLM-x32\...\{0C130275-1788-48EC-9FD4-9B766B3C3798}) (Version: 15.2.20 - NGSoftware Pty Ltd)
McAfee Security Scan Plus (HKLM\...\McAfee Security Scan) (Version: 3.8.130.10 - McAfee, Inc.)
Microsoft Office Home and Student 2013 - en-us (HKLM\...\HomeStudentRetail - en-us) (Version: 15.0.4823.1004 - Microsoft Corporation)
Microsoft SQL Server 2005 Compact Edition [ENU] (HKLM-x32\...\{F0B430D1-B6AA-473D-9B06-AA3DD01FD0B8}) (Version: 3.1.0000 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (HKLM-x32\...\{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}) (Version: 8.0.61001 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022 (HKLM-x32\...\{FF66E9F6-83E7-3A3E-AF14-8DE9A809A6A4}) (Version: 9.0.21022 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17 (HKLM-x32\...\{9A25302D-30C0-39D9-BD6F-21E6EC160475}) (Version: 9.0.30729 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148 (HKLM-x32\...\{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}) (Version: 9.0.30729.4148 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (HKLM-x32\...\{9BE518E6-ECC6-35A9-88E4-87755C07200F}) (Version: 9.0.30729.6161 - Microsoft Corporation)
Microsoft Visual C++ 2010  x64 Redistributable - 10.0.40219 (HKLM\...\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}) (Version: 10.0.40219 - Microsoft Corporation)
Microsoft Visual C++ 2010  x86 Redistributable - 10.0.40219 (HKLM-x32\...\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}) (Version: 10.0.40219 - Microsoft Corporation)
Microsoft Visual C++ 2012 Redistributable (x64) - 11.0.61030 (HKLM-x32\...\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}) (Version: 11.0.61030.0 - Microsoft Corporation)
Microsoft Visual Studio 2010 Tools for Office Runtime (x64) (HKLM\...\Microsoft Visual Studio 2010 Tools for Office Runtime (x64)) (Version: 10.0.50903 - Microsoft Corporation)
Movie Maker (HKLM-x32\...\{5BABDA39-61CF-41EE-992D-4054B6649A9B}) (Version: 16.4.3505.0912 - Microsoft Corporation) Hidden
Movie Maker (HKLM-x32\...\{ED6C77F9-4D7E-447C-9EC0-9A212D075535}) (Version: 16.4.3505.0912 - Microsoft Corporation) Hidden
Mozilla Firefox 46.0.1 (x86 en-US) (HKLM-x32\...\Mozilla Firefox 46.0.1 (x86 en-US)) (Version: 46.0.1 - Mozilla)
Mozilla Maintenance Service (HKLM-x32\...\MozillaMaintenanceService) (Version: 46.0.1.5966 - Mozilla)
Office 15 Click-to-Run Extensibility Component (HKLM-x32\...\{90150000-008C-0000-0000-0000000FF1CE}) (Version: 15.0.4823.1004 - Microsoft Corporation) Hidden
Office 15 Click-to-Run Licensing Component (HKLM\...\{90150000-008F-0000-1000-0000000FF1CE}) (Version: 15.0.4823.1004 - Microsoft Corporation) Hidden
Office 15 Click-to-Run Localization Component (HKLM-x32\...\{90150000-008C-0409-0000-0000000FF1CE}) (Version: 15.0.4823.1004 - Microsoft Corporation) Hidden
Plants vs. Zombies™ (HKLM-x32\...\Plants vs. Zombies™) (Version: 32.0.0.0 - Shockwave.com)
PocketCloud (HKLM-x32\...\{D9752C7D-A595-4687-A0D5-362E9C311C55}) (Version: 2.7.14 - Wyse Technology)
PowerTeacher Gradebook Launcher (HKCU\...\PTg) (Version: 1.0 - Pearson)
Qualcomm Atheros Bluetooth Suite (64) (HKLM\...\{A84A4FB1-D703-48DB-89E0-68B6499D2801}) (Version: 8.0.1.304 - Qualcomm Atheros Communications)
Realtek Card Reader (HKLM-x32\...\{5BC2B5AB-80DE-4E83-B8CF-426902051D0A}) (Version: 6.2.9200.30164 - Realtek Semiconductor Corp.)
Realtek High Definition Audio Driver (HKLM-x32\...\{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}) (Version: 6.0.1.7544 - Realtek Semiconductor Corp.)
Samsung Link 2.0.0.1503181422 (HKLM\...\8474-7877-9059-0204) (Version: 2.0.0.1503181422 - Copyright 2013 SAMSUNG)
Use the entry named LeapFrog Connect to uninstall (LeapFrog LeapPad Explorer Plugin) (HKLM-x32\...\LeapPadExplorerPlugin) (Version:  - LeapFrog)
VideoPad Video Editor (HKLM-x32\...\VideoPad) (Version: 4.33 - NCH Software)
Windows Driver Package - Leapfrog (Leapfrog-USBLAN) Net  (09/10/2009 02.03.05.012) (HKLM\...\8F14F2ECEDE68D26EA515B48DC25B39103C4FE8D) (Version: 09/10/2009 02.03.05.012 - Leapfrog)
Windows Live Essentials (HKLM-x32\...\WinLiveSuite) (Version: 16.4.3505.0912 - Microsoft Corporation)

**** End of log ****
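The Code Integrity entries near the top of the log above repeat the same message for one file, \Device\HarddiskVolume5\Windows\System32\efswrt.dll, over several months. As an added example (not part of this thread and not output of any of the tools used in it), the Python below parses such Date/Description pairs, groups them by file path with first/last timestamps and a count, and flags any image whose path lies under a user-writable location, which is the case worth a second look rather than a repeated failure on a System32 DLL. The efswrt.dll events in the sample are copied from the log above; the Temp-folder event is a constructed placeholder so the review rule has something to flag.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in the "Date:" / "Description:" layout of the log excerpt above.
# The efswrt.dll entries are copied from that excerpt; the Temp-folder entry is a
# made-up placeholder path so that the review rule below has something to flag.
SAMPLE_EVENTS = r"""
  Date: 2016-05-11 21:06:25.760
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume5\Windows\System32\efswrt.dll because the set of per-page image hashes could not be found on the system.

  Date: 2016-04-14 19:58:15.154
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume5\Windows\System32\efswrt.dll because the set of per-page image hashes could not be found on the system.

  Date: 2016-03-11 09:39:08.938
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume5\Windows\System32\efswrt.dll because the set of per-page image hashes could not be found on the system.

  Date: 2016-06-01 12:00:00.000
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume5\Users\Example\AppData\Local\Temp\placeholder.dll because the set of per-page image hashes could not be found on the system.
"""

# One event = a Date line followed by a Description line; the path has no spaces.
EVENT_RE = re.compile(
    r"Date:\s*(?P<date>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d+)\s+Description:\s*"
    r"Code Integrity is unable to verify the image integrity of the file "
    r"(?P<path>\\\S+) because (?P<reason>.+?)\.\s*$",
    re.MULTILINE,
)

# Locations a non-admin process can write to and later load an image from.
# A Code Integrity failure for an image here deserves a closer look than the
# same failure for a file in \Windows\System32.
USER_WRITABLE_MARKERS = ("\\users\\", "\\temp\\")


def parse_events(text):
    """Return a list of {'when', 'path', 'reason'} dicts, one per event."""
    events = []
    for m in EVENT_RE.finditer(text):
        events.append({
            "when": datetime.strptime(m.group("date"), "%Y-%m-%d %H:%M:%S.%f"),
            "path": m.group("path"),
            "reason": m.group("reason"),
        })
    return events


def needs_review(path):
    """True when the image lives under a user-writable location."""
    lowered = path.lower()
    return any(marker in lowered for marker in USER_WRITABLE_MARKERS)


def summarize_by_file(events):
    """Group events by image path: count, first/last seen, distinct reasons, review flag."""
    groups = defaultdict(list)
    for ev in events:
        groups[ev["path"]].append(ev)
    summary = {}
    for path, evs in groups.items():
        times = sorted(e["when"] for e in evs)
        summary[path] = {
            "count": len(evs),
            "first": times[0],
            "last": times[-1],
            "reasons": sorted({e["reason"] for e in evs}),
            "review": needs_review(path),
        }
    return summary


if __name__ == "__main__":
    for path, info in summarize_by_file(parse_events(SAMPLE_EVENTS)).items():
        flag = "REVIEW" if info["review"] else "ok"
        print(f"{flag:6} {info['count']:3}x {info['first']:%Y-%m-%d} .. "
              f"{info['last']:%Y-%m-%d} {path}")
```

Run against a full log, the same failure recurring on one system DLL collapses to a single line with a date range, while a new path under a user profile stands out on its own line.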
 



#4 garioch7

garioch7

    RCMP Veteran


  • Malware Response Instructor
  • 3,895 posts
  • Gender:Male
  • Location:Port Hood, Nova Scotia, Canada
  • Local time:11:49 AM

Posted 04 June 2016 - 07:13 AM

anielica:
 
Thank you for your logs.  Your winsock catalogue appears good now.  As for your modem/router, it probably doesn't owe you anything.  I am not seeing anything obviously wrong with it.
 
Your logs show ESET errors.  It appears that something might be interfering with it.  The one "threat" that it did find is in the Recycle Bin.  For now, I'd leave it be.  It is probably a false positive.  It looks like a printer installer program.


:step1: Please download Rkill by Grinler and save it to your desktop.

  • Link 1
    • Double-click on the Rkill desktop icon to run the tool.
    • If using Vista/Windows7, right-click on it and Run As Administrator.
    • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
    • If not, delete the file, then download and try using one of the alternate download links/file names at the bottom of the download page.
    • If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
    • If the tool does not run from any of the links provided, please let me know.
  • Do not reboot the computer. If you do reboot, you will need to run the application again because the malware will start up again after the reboot.

 

 

:step2: Do not reboot. Please re-run the ESET scan and attach the scan log.



:step3: If ESET prompts to reboot, do so, and then re-run RKill.



:step4: Please download AdwCleaner by Xplode and save the file to your Desktop.

  • Double click on AdwCleaner.exe to run the tool.
    Vista/Windows 7/8 users right-click and select Run As Administrator
  • The tool will start to update the database, please wait for it to complete the update.
  • Click on I Agree button.
  • Click on the Scan button.
  • AdwCleaner will begin...be patient as the scan may take some time to complete.
  • After the scan has finished, click on the Logfile button...a logfile (AdwCleaner[R#].txt) will open in Notepad for review (where the largest value of # represents the most recent report).
  • The contents of the log file may be confusing. Unless you see a program name that you know should not be removed, don't worry about it. If you see an entry you want to keep, let me know about it. If you don't want any of the files, press "Clean". If you have questions, then ask me and we will run the "Clean" in the next post if anything is found.
  • Copy and paste the contents of that logfile in your next reply.
  • A copy of all logfiles is saved in the C:\AdwCleaner folder, which was created when running the tool.

 

 

:step5: Please download Junkware Removal Tool to your desktop.

  • Shut down your protection software now to avoid potential conflicts.
  • Run the tool by double-clicking it. If you are using Windows Vista, 7, or 8; instead of double-clicking, right-mouse click JRT.exe and select "Run as Administrator".
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete depending on your system's specifications.
  • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
  • Post the contents of JRT.txt into your next message.

 

 

Now that you have done all of that, please copy and paste the RKill, ESET, AdwCleaner, and JRT logs into your next reply.

I am busy the rest of today, but I will be back tomorrow to check if there has been a response from you. Have a great weekend, and good luck with the scans! :)

Regards,
-Phil


Graduate of the Bleeping Computer Malware Removal Study Hall


#5 anielica

anielica
  • Topic Starter

  • Members
  • 14 posts
  • Local time:08:49 AM

Posted 04 June 2016 - 09:14 AM

ESET Scanner did not give me a log again, but found no threats.  Here are the other logs requested, thank you again!

 

Rkill 2.8.4 by Lawrence Abrams (Grinler)
http://www.bleepingcomputer.com/
Copyright 2008-2016 BleepingComputer.com
More Information about Rkill can be found at this link:
 http://www.bleepingcomputer.com/forums/topic308364.html

Program started at: 06/04/2016 07:57:07 AM in x64 mode.
Windows Version: Windows 10 Home

Checking for Windows services to stop:

 * No malware services found to stop.

Checking for processes to terminate:

 * No malware processes found to kill.

Checking Registry for malware related settings:

 * No issues found in the Registry.

Resetting .EXE, .COM, & .BAT associations in the Windows Registry.

Performing miscellaneous checks:

 * No issues found.

Checking Windows Service Integrity:

 * No issues found.

Searching for Missing Digital Signatures:

 * No issues found.

Checking HOSTS File:

 * No issues found.

Program finished at: 06/04/2016 07:58:00 AM
Execution time: 0 hours(s), 0 minute(s), and 53 seconds(s)
 

# AdwCleaner v5.119 - Logfile created 04/06/2016 at 08:05:55
# Updated 30/05/2016 by Xplode
# Database : 2016-06-03.1 [Server]
# Operating system : Windows 10 Home  (X64)
# Username : Smith - SMITHFAMILY
# Running from : C:\Users\Smith\Desktop\AdwCleaner.exe
# Option : Clean
# Support : http://toolslib.net/forum

***** [ Services ] *****


***** [ Folders ] *****


***** [ Files ] *****


***** [ DLLs ] *****


***** [ WMI ] *****


***** [ Shortcuts ] *****


***** [ Scheduled tasks ] *****


***** [ Registry ] *****

[-] Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{26B19FA4-E8A1-4A1B-A163-1A1E46F830DD}
[-] Key Deleted : HKCU\Software\APN PIP
[-] Key Deleted : HKLM\SOFTWARE\PIP
[-] Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{0A7D6F3C-F2AB-48ED-BE23-99791BFF87D6}
[-] Key Deleted : HKLM\SOFTWARE\Classes\Installer\Features\C3F6D7A0BA2FDE84EB329997B1FF786D
[-] Key Deleted : HKLM\SOFTWARE\Classes\Installer\Products\C3F6D7A0BA2FDE84EB329997B1FF786D
[-] Key Deleted : [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\C3F6D7A0BA2FDE84EB329997B1FF786D
[-] Key Deleted : HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\st.chatango.com
[-] Key Deleted : HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\driverupdate.net
[-] Key Deleted : HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\driverupdate.net

***** [ Web browsers ] *****

[-] [C:\Users\Smith\AppData\Local\Google\Chrome\User Data\Default\Web Data] [Search Provider] Deleted : aol.com
[-] [C:\Users\Smith\AppData\Local\Google\Chrome\User Data\Default\Web Data] [Search Provider] Deleted : ask.com

*************************

:: "Tracing" keys deleted
:: Winsock settings cleared

*************************

C:\AdwCleaner\AdwCleaner[C1].txt - [2073 bytes] - [04/06/2016 08:05:55]
C:\AdwCleaner\AdwCleaner[S1].txt - [2241 bytes] - [04/06/2016 08:00:25]
C:\AdwCleaner\AdwCleaner[S2].txt - [2314 bytes] - [04/06/2016 08:03:27]

########## EOF - C:\AdwCleaner\AdwCleaner[C1].txt - [2292 bytes] ##########
 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Malwarebytes
Version: 8.0.6 (04.25.2016)
Operating System: Windows 10 Home x64
Ran by Smith (Administrator) on Sat 06/04/2016 at  8:11:16.60
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~




File System: 2

Successfully deleted: C:\WINDOWS\system32\Tasks\PCDEventLauncherTask (Task)
Successfully deleted: C:\WINDOWS\system32\Tasks\PCDoctorBackgroundMonitorTask (Task)



Registry: 1

Successfully deleted: HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{7E6A5206-53A5-4206-9B23-8FDF4C7C1AC5} (Registry Key)




~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on Sat 06/04/2016 at  8:13:25.04
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 



#6 garioch7

garioch7

    RCMP Veteran


  • Malware Response Instructor
  • 3,895 posts
  • Gender:Male
  • Location:Port Hood, Nova Scotia, Canada
  • Local time:11:49 AM

Posted 05 June 2016 - 11:18 AM

anielica:
 
Thank you for running the scans.  All looks pretty good.
 
So we are left with two options:

  • The websites you are visiting are generating the pop-ups, not your computer or some adware; or,
  • Your computer has an infection that was not detected by the scan tools that we ran.

For option 1, you could send me a Personal message with a list of some of the websites that you are visiting where you are experiencing the pop-ups and I could check them out.  I know that my computer is clean.  For instance, if you go to http://www.google.com, do you see any pop-ups?  If you do, then we do need to investigate further.
 
If it is not the websites themselves, then we have to consider searching your computer more thoroughly.  We are not permitted to use the more powerful malware diagnostic software tools in this Forum.
 
 
For option 2, you could open a new topic in the Virus, Trojan, Spyware, and Malware Removal Logs Forum.
 
Please follow the instructions in ==>This Guide<== starting at Step 6. If you cannot complete a step, skip it and continue.
 
Once the proper logs are created, then make a NEW TOPIC and post it ==>HERE<==. Please include a description of your computer issues, what you have done to resolve them, and a link to this topic, so that the Malware Removal Team member who picks up your topic knows what we have already done.
 
If you can produce at least some of the logs, then please create the new topic and explain what happens when you try to create the log(s) that you couldn't get. If you cannot produce any of the logs, then still post the topic and explain that you followed the Prep. Guide, were unable to create the logs, and describe what happens when you try to create the logs.
 
It would be helpful if you post a note here once you have completed the steps in the guide and have started your topic in malware removal. Good luck and be patient.
 
If HelpBot replies to your topic, PLEASE follow Step One so it will report your topic to the team members.
 
 

Let's go with Option 1 for now. Let me know where you are surfing, via PM, and whether you are seeing pop-ups on the Google site.

 

Thank you and have a great day.

 

Regards,

-Phil


Graduate of the Bleeping Computer Malware Removal Study Hall


#7 garioch7

garioch7

    RCMP Veteran


  • Malware Response Instructor
  • 3,895 posts
  • Gender:Male
  • Location:Port Hood, Nova Scotia, Canada
  • Local time:11:49 AM

Posted 06 June 2016 - 11:14 AM

Cindy:
 
Thank you for your PM.  I am quoting it here, in full, because the normal policy at Bleeping Computer is that all topics are discussed "in the open" so that others can benefit.  I had only asked you to send me a PM because I was looking for a list of websites that might have been causing your pop-ups.  Some of them might have posed a risk to the users here, and human nature being what it is, some folks just have to click links, so I wanted to protect them from themselves.

 

It is not an issue at all, so don't be concerned.  We will carry on in the open forum here since you didn't send me any links.  I think you have figured out that the pop-ups are coming from the sites that you are visiting and not being generated by malware on your computer.
 

Hi Phil,
 
I'm guessing it's probably option 1.  We use our computer mostly for streaming TV online.  We are big users of both couchtuner and watchseries.  I'm guessing that's it although I was hoping for Ad Blocker Plus to do more for me on those sites.  No pop ups on Google. 
 
However, when running the programs you asked me to run, I am getting considerably fewer pop-ups now on those sites.
 
I don't know what's normal for Windows 10, but as far as speed of my computer I'm running about 40 background processes and 30 windows processes, many of which seem to be duplicated.  Is that a lot?  If so, is there a forum on here that I can send those processes and have someone take a look?
 
Thanks for all you do!
 
Cindy

 

Yes, if you are visiting streaming sites, then you can expect pop-ups since that is how they generate revenue. I have seen no indication that your computer is compromised with malware, so far.  The fact that you are getting no pop-ups from known good sites, like google.com, leads me to believe that it is the websites, themselves, that you are visiting, which are generating the pop-ups.

 

The number of processes is well within normal range.  You can download Process Explorer from here, and review the processes that are running on your computer.  You can also save a listing of the processes, under the "File" menu, and then copy and paste the listing into your next response if you want me to review what you have running.

 

It is normal for some Windows processes, like svchost.exe, and other processes, like chrome.exe, to have multiple instances running.  That is no cause for concern.

 

My computer lists 120+ processes running, but I do have a lot of background stuff that I like to have running, but which is not necessary.  My computer has the horsepower to handle it.  It was custom built for high definition video editing, so it is pretty high-end.

 

You are more than welcome for my assistance.  It is my pleasure to be able to help you resolve any issues or concerns that you might have.  That is why Bleeping Computer exists: to help users and share knowledge.  There are many, many volunteers here who devote countless hours to helping others, not just me.

 

So, if you want me to look at your process list, then please copy and paste into your next reply.  I will be happy to review it for you.

 

Have a great day.

 

Regards,

-Phil


Graduate of the Bleeping Computer Malware Removal Study Hall


#8 anielica

anielica
  • Topic Starter

  • Members
  • 14 posts
  • Local time:08:49 AM

Posted 07 June 2016 - 07:07 PM

You all are fantastic, I recommend you to family and friends all the time!  Just to shore things up, here is a list of my processes:

 

Process    CPU    Private Bytes    Working Set    PID    Description    Company Name
System Idle Process    81.71    0 K    4 K    0        
System    0.90    560 K    76,672 K    4        
 Interrupts    1.29    0 K    0 K    n/a    Hardware Interrupts and DPCs    
 smss.exe        372 K    192 K    332        
csrss.exe    < 0.01    1,508 K    2,052 K    528        
wininit.exe        1,084 K    844 K    620        
 services.exe        3,580 K    5,064 K    748        
  svchost.exe    0.01    8,692 K    13,108 K    832    Host Process for Windows Services    Microsoft Corporation
   WmiPrvSE.exe    0.56    9,664 K    13,268 K    3712        
   WmiPrvSE.exe        24,404 K    32,116 K    5652        
   WmiPrvSE.exe        5,148 K    6,744 K    4632        
   RuntimeBroker.exe    < 0.01    22,024 K    36,952 K    6544    Runtime Broker    Microsoft Corporation
   RemindersServer.exe    Suspended    8,652 K    5,180 K    3516    Reminders WinRT OOP Server    Microsoft Corporation
   ShellExperienceHost.exe    Suspended    25,024 K    17,492 K    4196    Windows Shell Experience Host    Microsoft Corporation
   SearchUI.exe    Suspended    42,184 K    33,392 K    3468    Search and Cortana application    Microsoft Corporation
   SettingSyncHost.exe        12,828 K    18,972 K    5884    Host Process for Setting Synchronization    Microsoft Corporation
   SkypeHost.exe    Suspended    16,952 K    6,576 K    8924    Microsoft Skype    Microsoft Corporation
   WmiPrvSE.exe        3,660 K    3,960 K    7232        
   ApplicationFrameHost.exe        8,860 K    9,964 K    2208    Application Frame Host    Microsoft Corporation
   SystemSettings.exe    Suspended    16,036 K    3,652 K    5472    Settings    Microsoft Corporation
   Calculator.exe    Suspended    16,576 K    2,840 K    8688        
  svchost.exe        5,956 K    8,224 K    888    Host Process for Windows Services    Microsoft Corporation
  svchost.exe    0.19    39,424 K    48,476 K    316    Host Process for Windows Services    Microsoft Corporation
   taskhostw.exe        5,392 K    6,416 K    5008    Host Process for Windows Tasks    Microsoft Corporation
   sihost.exe        5,708 K    12,796 K    3732    Shell Infrastructure Host    Microsoft Corporation
   CLMLSvc_P2G8.exe    0.01    2,304 K    1,680 K    8736    CyberLink MediaLibray Service    CyberLink
   uaclauncher.exe    0.02    1,644 K    7,572 K    5336        
  svchost.exe    1.21    80,196 K    76,904 K    556    Host Process for Windows Services    Microsoft Corporation
   dasHost.exe        5,668 K    11,756 K    1244        
  svchost.exe    0.01    18,776 K    17,192 K    1080    Host Process for Windows Services    Microsoft Corporation
  svchost.exe    < 0.01    3,268 K    6,068 K    1084    Host Process for Windows Services    Microsoft Corporation
  svchost.exe        10,672 K    12,536 K    1100    Host Process for Windows Services    Microsoft Corporation
  svchost.exe        13,596 K    17,316 K    1268    Host Process for Windows Services    Microsoft Corporation
  igfxCUIService.exe        1,732 K    2,212 K    1292    igfxCUIService Module    Intel Corporation
  RtkAudioService64.exe        1,588 K    1,768 K    1508    Realtek Audio Service    Realtek Semiconductor
   RAVBg64.exe        5,708 K    4,752 K    4952        
   RAVBg64.exe        5,424 K    4,560 K    6568        
  svchost.exe        10,328 K    13,324 K    1616    Host Process for Windows Services    Microsoft Corporation
  spoolsv.exe    < 0.01    9,312 K    8,256 K    1740    Spooler SubSystem App    Microsoft Corporation
  svchost.exe        7,372 K    17,760 K    1996    Host Process for Windows Services    Microsoft Corporation
  armsvc.exe        1,240 K    1,440 K    1132    Adobe Acrobat Update Service    Adobe Systems Incorporated
  UACProxy.exe        1,080 K    1,108 K    1448    Clickfree Backup    Storage Appliance Corp.
  AllShareFrameworkManagerDMS.exe        1,460 K    768 K    1392    AllShareFrameworkManagerDMS Monitoring DMS Service    Samsung
   AllShareFrameworkDMS.exe    0.18    20,992 K    6,568 K    2852        
    conhost.exe    < 0.01    1,412 K    1,380 K    2864        
  HeciServer.exe        1,336 K    1,544 K    1576    Intel® Capability Licensing Service Interface    Intel® Corporation
  officeclicktorun.exe    < 0.01    11,944 K    5,956 K    2056    Microsoft Office Click-to-Run    Microsoft Corporation
  svchost.exe        2,696 K    5,052 K    2080    Host Process for Windows Services    Microsoft Corporation
  svchost.exe        5,916 K    14,400 K    2096    Host Process for Windows Services    Microsoft Corporation
  MsMpEng.exe    0.13    138,968 K    75,704 K    2128    Antimalware Service Executable    Microsoft Corporation
  HPSupportSolutionsFrameworkService.exe        12,860 K    1,832 K    2244    SolutionsFrameworkService    Hewlett-Packard Company
  PocketCloudService.exe    < 0.01    37,844 K    6,936 K    2252    PocketCloudService    
  WyseRemoteAccess.exe    0.05    2,180 K    1,480 K    2260    Wyse RemoteAccess Server    DELL Inc.
  CommandService.exe        1,552 K    1,376 K    2268    CommandService Application    LeapFrog Enterprises, Inc.
  Samsung Link.exe        976 K    660 K    2276    Samsung Link Service    Copyright 2013 SAMSUNG
   Samsung Link.exe    0.08    140,440 K    40,856 K    2464        
  svchost.exe        1,488 K    3,432 K    2896    Host Process for Windows Services    Microsoft Corporation
  NisSrv.exe        17,928 K    11,312 K    3288    Microsoft Network Realtime Inspection Service    Microsoft Corporation
  PresentationFontCache.exe        27,144 K    1,660 K    2320    PresentationFontCache.exe    Microsoft Corporation
  SearchIndexer.exe        37,684 K    27,940 K    5608    Microsoft Windows Search Indexer    Microsoft Corporation
   SearchProtocolHost.exe        1,400 K    6,540 K    5292    Microsoft Windows Search Protocol Host    Microsoft Corporation
   SearchProtocolHost.exe    < 0.01    2,508 K    11,576 K    552        
   SearchFilterHost.exe        1,616 K    6,680 K    4324        
  DellDataVaultWiz.exe        4,120 K    2,720 K    6940    Dell Data Vault Wizard    Dell Inc.
  IAStorDataMgrSvc.exe        31,872 K    10,932 K    2952    IAStorDataSvc    Intel Corporation
  jhi_service.exe        1,108 K    988 K    5132    Intel® Dynamic Application Loader Host Interface    Intel Corporation
  LMS.exe        2,988 K    3,224 K    4412    Intel® Local Management Service    Intel Corporation
  RichVideo.exe        1,440 K    1,752 K    5060    RichVideo Module    CyberLink
  SftService.exe        14,324 K    8,312 K    5184    SoftThinks Agent Service    SoftThinks SAS
   DBRUpd.exe        16,908 K    2,236 K    7784        
   Toaster.exe    0.03    59,240 K    23,292 K    7412        
    DBRSync.exe    0.02    20,820 K    5,380 K    8560        
     conhost.exe        1,400 K    1,364 K    9092        
  SupportAssistAgent.exe        40,796 K    8,384 K    5452    Service    Dell Inc.
  DellDataVault.exe    0.05    9,724 K    10,432 K    7092    Dell Data Vault Service    Dell Inc.
  svchost.exe        14,492 K    30,680 K    4884    Host Process for Windows Services    Microsoft Corporation
  WmiApSrv.exe    0.02    1,348 K    7,068 K    1560    WMI Performance Reverse Adapter    Microsoft Corporation
 lsass.exe    0.01    5,712 K    8,992 K    764    Local Security Authority Process    Microsoft Corporation
csrss.exe    0.90    1,828 K    3,380 K    5064        
winlogon.exe        1,984 K    10,492 K    5444        
 dwm.exe    3.15    53,332 K    34,856 K    5720        
explorer.exe    0.14    90,840 K    87,612 K    720    Windows Explorer    Microsoft Corporation
 RtkNGUI64.exe        4,508 K    4,532 K    1528    Realtek HD Audio Manager    Realtek Semiconductor
 RAVBg64.exe    < 0.01    5,632 K    5,288 K    6496    HD Audio Background Process    Realtek Semiconductor
 firefox.exe    2.28    192,696 K    222,380 K    4116    Firefox    Mozilla Corporation
 procexp.exe        2,580 K    9,872 K    4540    Sysinternals Process Explorer    Sysinternals - www.sysinternals.com
  procexp64.exe    7.02    19,108 K    54,836 K    4152    Sysinternals Process Explorer    Sysinternals - www.sysinternals.com
igfxEM.exe        3,660 K    5,616 K    4844    igfxEM Module    Intel Corporation
igfxHK.exe        2,072 K    2,804 K    6312    igfxHK Module    Intel Corporation
igfxTray.exe        3,440 K    4,848 K    4528        
hpwuschd2.exe        1,536 K    2,328 K    688    hpwuSchd Application    Hewlett-Packard
IAStorIcon.exe        21,400 K    4,232 K    9016    IAStorIcon    Intel Corporation
MpCmdRun.exe        3,084 K    7,796 K    7936        
 

Thank you again!
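Phil's point in post #7 that multiple svchost.exe or chrome.exe instances are normal, and Cindy's question about whether some 70 processes with duplicates is a lot, can both be checked mechanically from a Process Explorer listing like the one just posted. The Python below is an added example, not code from this thread or from Sysinternals: it parses a listing in the tab-separated form that Process Explorer's File > Save is assumed to write (leading spaces in the Process column give the tree depth, as in the listing above), rebuilds parent/child links from that indentation, and then answers the routine triage questions: which images run more than once, which have no company name recorded, whether every svchost.exe has services.exe as its parent, and which processes hold the most memory. The embedded sample rows are copied from Cindy's listing; the tab separation and the header row are constructed.

```python
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample: rows copied from the listing posted above, laid out in the
# tab-separated form that Process Explorer's File > Save is assumed to write.
# Leading spaces in the Process column encode the tree (one space per level).
SAMPLE_LISTING = (
    "Process\tCPU\tPrivate Bytes\tWorking Set\tPID\tDescription\tCompany Name\n"
    "System Idle Process\t81.71\t0 K\t4 K\t0\t\t\n"
    "System\t0.90\t560 K\t76,672 K\t4\t\t\n"
    " Interrupts\t1.29\t0 K\t0 K\tn/a\tHardware Interrupts and DPCs\t\n"
    " smss.exe\t\t372 K\t192 K\t332\t\t\n"
    "wininit.exe\t\t1,084 K\t844 K\t620\t\t\n"
    " services.exe\t\t3,580 K\t5,064 K\t748\t\t\n"
    "  svchost.exe\t0.01\t8,692 K\t13,108 K\t832\tHost Process for Windows Services\tMicrosoft Corporation\n"
    "   WmiPrvSE.exe\t0.56\t9,664 K\t13,268 K\t3712\t\t\n"
    "   RuntimeBroker.exe\t< 0.01\t22,024 K\t36,952 K\t6544\tRuntime Broker\tMicrosoft Corporation\n"
    "   SkypeHost.exe\tSuspended\t16,952 K\t6,576 K\t8924\tMicrosoft Skype\tMicrosoft Corporation\n"
    "  svchost.exe\t\t5,956 K\t8,224 K\t888\tHost Process for Windows Services\tMicrosoft Corporation\n"
    "  svchost.exe\t0.19\t39,424 K\t48,476 K\t316\tHost Process for Windows Services\tMicrosoft Corporation\n"
    "   CLMLSvc_P2G8.exe\t0.01\t2,304 K\t1,680 K\t8736\tCyberLink MediaLibray Service\tCyberLink\n"
    "   uaclauncher.exe\t0.02\t1,644 K\t7,572 K\t5336\t\t\n"
    "  UACProxy.exe\t\t1,080 K\t1,108 K\t1448\tClickfree Backup\tStorage Appliance Corp.\n"
    " lsass.exe\t0.01\t5,712 K\t8,992 K\t764\tLocal Security Authority Process\tMicrosoft Corporation\n"
    "explorer.exe\t0.14\t90,840 K\t87,612 K\t720\tWindows Explorer\tMicrosoft Corporation\n"
    " firefox.exe\t2.28\t192,696 K\t222,380 K\t4116\tFirefox\tMozilla Corporation\n"
)


@dataclass
class Proc:
    name: str
    depth: int
    cpu: str                       # "", a percentage, "< 0.01" or "Suspended", kept as text
    private_kb: int
    working_kb: int
    pid: Optional[int]             # None for pseudo-rows such as Interrupts (PID "n/a")
    description: str
    company: str
    parent: Optional["Proc"] = None
    children: List["Proc"] = field(default_factory=list)


def parse_kb(text: str) -> int:
    """'76,672 K' -> 76672; an empty cell -> 0."""
    digits = text.replace(",", "").replace("K", "").strip()
    return int(digits) if digits else 0


def parse_listing(text: str) -> List[Proc]:
    """Parse the tab-separated listing and link each row to its parent by indentation."""
    lines = text.splitlines()
    if not lines or lines[0].split("\t")[0] != "Process":
        raise ValueError("not a Process Explorer listing")
    procs: List[Proc] = []
    stack: List[Proc] = []                  # ancestors of the row being read
    for line in lines[1:]:
        if not line.strip():
            continue
        cols = line.split("\t")
        cols += [""] * (7 - len(cols))      # tolerate rows with trailing cells cut off
        raw_name = cols[0]
        depth = len(raw_name) - len(raw_name.lstrip(" "))
        pid_text = cols[4].strip()
        proc = Proc(raw_name.strip(), depth, cols[1].strip(), parse_kb(cols[2]),
                    parse_kb(cols[3]), int(pid_text) if pid_text.isdigit() else None,
                    cols[5].strip(), cols[6].strip())
        while stack and stack[-1].depth >= depth:   # climb back to a shallower row
            stack.pop()
        if stack:
            proc.parent = stack[-1]
            stack[-1].children.append(proc)
        stack.append(proc)
        procs.append(proc)
    return procs


def duplicate_images(procs: List[Proc]) -> Dict[str, List[Optional[int]]]:
    """Image names that run more than once, with their PIDs (expected for svchost.exe)."""
    by_name: Dict[str, List[Optional[int]]] = defaultdict(list)
    for p in procs:
        by_name[p.name].append(p.pid)
    return {name: pids for name, pids in by_name.items() if len(pids) > 1}


def unattributed(procs: List[Proc]) -> List[str]:
    """Real processes with no Company Name recorded: Process Explorer could not read
    the image's version info (usual for system processes when not run elevated) or
    the image has none. These are the rows to identify first."""
    return [p.name for p in procs if p.pid is not None and not p.company]


def svchost_parent_check(procs: List[Proc]) -> List[Optional[int]]:
    """PIDs of svchost.exe instances whose parent is not services.exe."""
    return [p.pid for p in procs
            if p.name.lower() == "svchost.exe"
            and (p.parent is None or p.parent.name.lower() != "services.exe")]


def top_memory(procs: List[Proc], n: int = 3) -> List[Tuple[str, int]]:
    """The n processes with the largest working set, in KB."""
    return [(p.name, p.working_kb)
            for p in sorted(procs, key=lambda p: p.working_kb, reverse=True)[:n]]


if __name__ == "__main__":
    procs = parse_listing(SAMPLE_LISTING)
    print(len(procs), "processes")
    print("duplicates:", duplicate_images(procs))
    print("no company name:", unattributed(procs))
    print("svchost.exe not under services.exe:", svchost_parent_check(procs))
    print("largest working sets:", top_memory(procs))
```

Feeding the full listing through this turns "many of which seem to be duplicated" into a concrete answer: the duplicates are service hosts with the expected parent, and the rows without a company name are the ones to look up rather than the count itself.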



#9 garioch7

garioch7

    RCMP Veteran


  • Malware Response Instructor
  • 3,895 posts
  • Gender:Male
  • Location:Port Hood, Nova Scotia, Canada
  • Local time:11:49 AM

Posted 08 June 2016 - 06:39 AM

Cindy:

 

Thank you for the listing of your processes.  I see nothing amiss.  I think that your computer is in good shape and there is nothing that I see that is causing me any concern.

 

From what you have said, your only major concern was slow streaming and pop-ups on certain web sites, and I think we have attributed that to the sites themselves and to the bandwidth consumed by the pop-ups.

 

Your anti-malware scans are clean now, so I think that you are good to go.

 

You are most welcome for my assistance.  Thank you and have a great day.  It has been a pleasure to work with you.

 

Regards,

-Phil


Graduate of the Bleeping Computer Malware Removal Study Hall




