Windows XP computer going downhill, SafeMode only now; Wombat??


  • This topic is locked
67 replies to this topic

#1 ceratops

ceratops

  • Members
  • 60 posts

Posted 23 June 2016 - 09:17 PM

Running XP Pro 32-bit.

Bootable partition is on SSD drive; probably too full for good operation -- 92 GB used, only 5.5 GB free at the moment.

Avast antivirus program running.

The system has been slowish for quite some time, but perhaps just because of the SSD drive being fairly full (we didn't realize until a few days ago that these drives apparently need a higher proportion of free space for efficient operation).

********

The current problem appeared to start when my husband allowed Avast to do an update, about a week and a half ago. The update never completed, and Avast hung up. After reboot the computer was still very sluggish. Task manager showed Avast often using 50% and higher of CPU cycles. We also noted something called MRT.exe once or twice, using lots of CPU cycles. I was using Firefox browser a few days later (husband had not yet told me about the weird consequence of failed Avast update) and noticed that the system was very sluggish (CPU usage often up near 100% in task manager), and also noticed after a while that the system clock time was stuck - very unusual.

I took a closer look at the system on 6/19. I was able to get to the mode selection screen (with F8 key), and noted that it started OK in Safe Mode with Networking. Tried to install some scan software that we had put on a USB flash drive from another computer... but the ailing machine could not see the flash drive from Safe Mode. I then tried the option of starting in last known good configuration -- that looked pretty good for a while -- Windows appeared to start normally, I was able to use the browser, and CPU usage looked normal in task manager. I started Malwarebytes (already installed on the computer, but not recently updated) -- it went out to the Internet to get its updates, and started running, apparently normally, so I was very optimistic. Came back some time later to find Malwarebytes stuck, on file 36000+ (so it had scanned quite a few objects at that point). It stayed stuck there, which didn't seem a good sign, so I eventually restarted the computer in Safe Mode.

I then ran Malwarebytes in Safe Mode, it ran to completion, and found ~200 threats, pretty much all PUPs. None were reported as major threats. I told the program to go ahead and get rid of all of them. Also ran SuperAntiSpyware in Safe Mode (previously installed on the machine, and recently updated) -- it ran apparently successfully, and reported 18 tracking cookies, which I told it to get rid of. I then downloaded SpyBot Search and Destroy (a program recommended by a family member). I believe I briefly brought the system back up in normal Windows mode to do this download, as I was not able to use the browser from Safe Mode. Back in Safe Mode, I told the SpyBot program to install, and that installation appeared to proceed normally. However, when I then tried to run it, the option to do a system scan was grayed out, so I was unable to run that scan. It did allow me to run a quick rootkit scan, and found nothing.

At this point, having found no really dangerous-looking malware, I thought something might have been corrupted during the failed Avast update, and that it might be worth looking at Restore. I opened the Restore utility, and restored to a mid-May restore point -- well before the date of the observed problems. The restore process appeared to complete successfully. However, when I then allowed the machine to boot to regular Windows, it was flakier than before. I then went back to Restore to reverse the process (as it had assured me I could do), but there was no option shown for reversion. I then told it to restore to a June 12 restore point (shortly before the Avast update mishap) -- again, the process seemed to complete successfully, but with no good result. After that second restore, I briefly rebooted into full Windows. At this point, it refused to start the task manager when requested -- an error message came up that that file was corrupted. Also, when I tried to start Firefox as an experiment, the Windows error chime/bleat sounded and the browser did not start. Trying to run Malwarebytes led to the same failure -- although that made some sense if that program had been set back to its earlier not-updated state by the restore... ?

As things were obviously going downhill, we decided to back up personal data as best we could. Although the computer had been unable to see a USB flash drive from Safe Mode, it was able (fortunately) to see an external USB hard drive that we had available. From Safe Mode, I told it to copy over everything in My Documents, as well as in Application Data (the latter mainly to preserve our email history -- I think that history is in the Thunderbird Profile directory).

After this partial backup, I turned the computer off until today.

Today, I intended to back up the same data again onto a second (newly purchased) external HDD. My thinking was that an external HDD might be our only way to install new scanning and anti-malware software on the ailing machine, and that I would rather not use our valuable backup HDD to repeatedly connect to a possibly malware-infected computer. Unfortunately, the computer would not access this second external drive in Safe Mode (it was invisible from My Computer, just as the USB flash drives I've tried are invisible).

Since the computer still showed its CD-ROM drive (from the My Computer display in Safe Mode), I then decided to burn a number of scan utilities on CD (from a healthy computer), and try to introduce them in that way. This approach seems workable, although the results haven't been encouraging so far. I was able to run the Malwarebytes cleanup tool (to get rid of the earlier remnants of that software), and then ran Malwarebytes setup. After installation, Malwarebytes then ran successfully -- went out to get updates (apparently) and then ran its scan. It found 58 objects. Those all were in the PUP category. I told the program to get rid of them, and then allowed it to reboot the computer. I let it come up in full Windows on reboot. There was further deterioration in this environment -- the desktop icons still appeared as usual, but nothing appeared at the bottom of the screen this time (no Start menu, nor the usual icons for anti-virus, networking, etc.). Starting task manager led to the same error message about a corrupted file. Task manager then did actually start a moment later, but was unable to kill any processes or reboot the computer.

Back in Safe Mode, I tried to run FRST (Farbar), which also was on the CD. It appeared to install fine, and looked OK (normal welcome screen) on running; however, it got stuck on trying to get updates, and never came back. Task manager appeared to start fine in Safe Mode; it showed the FRST process as not responding, but was unable to kill it. After another forced reboot (power button is getting a lot of use during this process!!!) I tried installing and running AdwCleaner (also carried over on the CD). When I went to run this program, it started and immediately ended. I tried renaming the AdwCleaner program and running it again, but no luck with that either.

At this point I decided to look more closely at the files saved a few days ago on the external USB HDD. I attached the HDD to a healthy computer, and ran an Avast scan on the contents of the HDD. Avast found 4 threats. Three of these were related to PUPs, and were not described as very dangerous by Avast. The fourth was reported as 'high' severity by Avast. It was a file called WombatUpdater.exe, and was found in a My Documents\Downloads subdirectory. Avast reported it as:

Threat: Win32: Wombat-A[Adw]

I did allow the malfunctioning machine to boot into the full Windows environment once more after this, and this time the only thing that came up was the graphic background (the green hillside and clouds of the standard XP display) -- no icons of any kind.

**************

Since the Farbar scan tool was unable to run, I can't attach its report files here...

I've noticed that task manager, even in Safe Mode, seems compromised -- it lets me look at processes, but doesn't allow me to end anything, even seemingly trivial processes.

I would be grateful if you can suggest what to try next.

We are open to reformatting if really necessary (were planning to upgrade to Windows 7 soon anyway). However, I would prefer to fix things if possible, and would also like to know if the machine is indeed infected with malware.

Should I try to clear more space on the partition before proceeding?

#2 ceratops

ceratops
  • Topic Starter
  • Members
  • 60 posts

Posted 26 June 2016 - 06:25 PM

Read up a bit on FRST, trying to figure out why it wasn't completing its updates, and therefore unable to proceed to scan... I eventually found mention that the tool automatically goes out for updates IF the computer is connected to the Internet. Thus, I tried bringing the computer up in plain vanilla Safe Mode (I had been using Safe Mode with Networking on all previous attempts) -- lo and behold, FRST ran this time.

FRST.txt --

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 20-06-2016 01
Ran by Philip and Katrin (administrator) on DOOLEY-2CPU (26-06-2016 19:03:11)
Running from E:\Documents and Settings\Philip and Katrin\Desktop
Loaded Profiles: Philip and Katrin (Available Profiles: Philip and Katrin)
Platform: Microsoft Windows XP Professional Service Pack 3 (X86) Language: English (United States)
Internet Explorer Version 8 (Default browser: FF)
Boot Mode: Safe Mode (minimal)
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(SUPERAntiSpyware.com) E:\Program Files\SUPERAntiSpyware\SASCORE.EXE
(Microsoft Corporation) E:\WINDOWS\pchealth\helpctr\binaries\helpsvc.exe


==================== Registry (Whitelisted) ===========================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [SoundMAXPnP] => E:\Program Files\Analog Devices\Core\smax4pnp.exe [1044480 2009-08-03] (Analog Devices, Inc.)
HKLM\...\Run: [TkBellExe] => E:\program files\real\realplayer\update\realsched.exe [295512 2014-01-08] (RealNetworks, Inc.)
HKLM\...\Run: [AvastUI.exe] => E:\Program Files\AVAST Software\Avast\AvastUI.exe [6133520 2015-11-09] (AVAST Software)
HKLM\...\Run: [QuickTime Task] => E:\Program Files\QuickTime Alternative\QTTask.exe [421888 2014-01-17] (Apple Inc.)
HKLM\...\Run: [IJNetworkScanUtility] => E:\Program Files\Canon\Canon IJ Network Scan Utility\CNMNSUT.exe [206240 2010-08-23] (CANON INC.)
HKLM\...\Run: [Adobe ARM] => E:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe [959904 2014-05-08] (Adobe Systems Incorporated)
HKLM\...\Run: [ZoneAlarm] => E:\Program Files\CheckPoint\ZoneAlarm\zatray.exe [134792 2015-11-07] (Check Point Software Technologies Ltd.)
HKLM\...\Run: [SunJavaUpdateSched] => E:\Program Files\Common Files\Java\Java Update\jusched.exe [595992 2016-05-20] (Oracle Corporation)
HKU\S-1-5-21-1614895754-1284227242-725345543-1003\...\Run: [DellSupport] => E:\Program Files\Dell Support\DSAgnt.exe [395776 2006-08-28] (Gteko Ltd.)
HKU\S-1-5-21-1614895754-1284227242-725345543-1003\...\Run: [Akamai NetSession Interface] => E:\Documents and Settings\Philip and Katrin\Local Settings\Application Data\Akamai\netsession_win.exe [4691384 2015-09-10] (Akamai Technologies, Inc.)
HKU\S-1-5-21-1614895754-1284227242-725345543-1003\...\Run: [SUPERAntiSpyware] => E:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe [6825888 2016-06-07] (SUPERAntiSpyware)
HKU\S-1-5-21-1614895754-1284227242-725345543-1003\...\Run: [Dropbox Update] => E:\Documents and Settings\Philip and Katrin\Local Settings\Application Data\Dropbox\Update\DropboxUpdate.exe [134512 2015-06-28] (Dropbox, Inc.)
HKU\S-1-5-21-1614895754-1284227242-725345543-1003\...\Run: [f.lux] => E:\Documents and Settings\Philip and Katrin\Local Settings\Application Data\FluxSoftware\Flux\flux.exe [1017224 2013-10-23] (Flux Software LLC)
HKU\S-1-5-21-1614895754-1284227242-725345543-1003\...\Run: [Adobe Reader Synchronizer] => E:\Program Files\Adobe\Reader 11.0\Reader\AdobeCollabSync.exe [746376 2014-05-08] (Adobe Systems Incorporated)
HKU\S-1-5-21-1614895754-1284227242-725345543-1003\Control Panel\Desktop\\SCRNSAVE.EXE -> E:\WINDOWS\system32\scrnsave.scr [9216 2008-04-14] (Microsoft Corporation)
HKU\S-1-5-18\...\RunOnce: [RunNarrator] => E:\WINDOWS\system32\Narrator.exe [53760 2008-04-14] (Microsoft Corporation)
ShellExecuteHooks: Windows Desktop Search Namespace Manager - {56F9679E-7826-4C84-81F3-532071A8BCC5} - E:\Program Files\Windows Desktop Search\MSNLNamespaceMgr.dll [304128 2009-05-24] (Microsoft Corporation)
ShellExecuteHooks: SABShellExecuteHook Class - {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - E:\Program Files\SUPERAntiSpyware\SASSEH.DLL [115440 2013-05-07] (SuperAdBlocker.com)
ShellIconOverlayIdentifiers: [ DropboxExt1] -> {FB314ED9-A251-47B7-93E1-CDD82E34AF8B} => E:\Documents and Settings\Philip and Katrin\Application Data\Dropbox\bin\DropboxExt.34.dll [2016-05-31] (Dropbox, Inc.)
ShellIconOverlayIdentifiers: [ DropboxExt2] -> {FB314EDA-A251-47B7-93E1-CDD82E34AF8B} => E:\Documents and Settings\Philip and Katrin\Application Data\Dropbox\bin\DropboxExt.34.dll [2016-05-31] (Dropbox, Inc.)
ShellIconOverlayIdentifiers: [ DropboxExt3] -> {FB314EDD-A251-47B7-93E1-CDD82E34AF8B} => E:\Documents and Settings\Philip and Katrin\Application Data\Dropbox\bin\DropboxExt.34.dll [2016-05-31] (Dropbox, Inc.)
ShellIconOverlayIdentifiers: [ DropboxExt4] -> {FB314EDE-A251-47B7-93E1-CDD82E34AF8B} => E:\Documents and Settings\Philip and Katrin\Application Data\Dropbox\bin\DropboxExt.34.dll [2016-05-31] (Dropbox, Inc.)
ShellIconOverlayIdentifiers: [ DropboxExt5] -> {FB314EDB-A251-47B7-93E1-CDD82E34AF8B} => E:\Documents and Settings\Philip and Katrin\Application Data\Dropbox\bin\DropboxExt.34.dll [2016-05-31] (Dropbox, Inc.)
ShellIconOverlayIdentifiers: [ DropboxExt6] -> {FB314EDF-A251-47B7-93E1-CDD82E34AF8B} => E:\Documents and Settings\Philip and Katrin\Application Data\Dropbox\bin\DropboxExt.34.dll [2016-05-31] (Dropbox, Inc.)
ShellIconOverlayIdentifiers: [ DropboxExt7] -> {FB314EDC-A251-47B7-93E1-CDD82E34AF8B} => E:\Documents and Settings\Philip and Katrin\Application Data\Dropbox\bin\DropboxExt.34.dll [2016-05-31] (Dropbox, Inc.)
ShellIconOverlayIdentifiers: [ DropboxExt8] -> {FB314EE0-A251-47B7-93E1-CDD82E34AF8B} => E:\Documents and Settings\Philip and Katrin\Application Data\Dropbox\bin\DropboxExt.34.dll [2016-05-31] (Dropbox, Inc.)
ShellIconOverlayIdentifiers: [00avast] -> {472083B0-C522-11CF-8763-00608CC02F24} => E:\Program Files\AVAST Software\Avast\ashShell.dll [2015-09-24] (AVAST Software)
Startup: E:\Documents and Settings\All Users\Start Menu\Programs\Startup\McAfee Security Scan Plus.lnk [2016-04-04]
ShortcutTarget: McAfee Security Scan Plus.lnk -> E:\Program Files\McAfee Security Scan\3.11.309\SSScheduler.exe (McAfee, Inc.)
Startup: E:\Documents and Settings\Philip and Katrin\Start Menu\Programs\Startup\Dropbox.lnk [2016-06-03]
ShortcutTarget: Dropbox.lnk -> E:\Documents and Settings\Philip and Katrin\Application Data\Dropbox\bin\Dropbox.exe (Dropbox, Inc.)
BootExecute: "autocheck autochk * "s)㐐ͱ포ጵ῔ጔ샘ӄ臰Ҫཤܹ읬ጵ잀ጵ쟼ጵ틈ጵ遑òӤT㩅䑜捯浵湥獴愠摮匠瑥楴杮屳桐汩灩愠摮䬠瑡楲屮灁汰捩瑡潩慄慴䑜潲扰硯扜湩䑜潲扰硯攮數ᦐòҰ* Toolbox for HP Printing System for Windows㼑òҰ)坜义佄南䅜灰楬慣楴湯䐠瑡屡潍楺汬屡牐景汩獥灜楨楬⹰潤汯祥穜硬潪桲⹲汳屴慃档履െ}\#

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

Hosts: There are more than one entry in Hosts. See Hosts section of Addition.txt
Tcpip\Parameters: [DhcpNameServer] 192.168.1.254
Tcpip\..\Interfaces\{B5F4AE87-A636-4F26-8D0E-41966EBE2768}: [DhcpNameServer] 192.168.1.254

Internet Explorer:
==================
HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = hxxps://www.yahoo.com?fr=hp-avast&type=avastbcl
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =
HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
HKU\S-1-5-21-1614895754-1284227242-725345543-1003\Software\Microsoft\Internet Explorer\Main,Start Page = hxxps://www.yahoo.com?fr=hp-avast&type=avastbcl
HKU\S-1-5-21-1614895754-1284227242-725345543-1003\Software\Microsoft\Internet Explorer\Main,Search Page = hxxps://search.yahoo.com/yhs/search?type=avastbcl&hspart=avast&hsimp=yhs-001&p={searchTerms}
HKU\S-1-5-21-1614895754-1284227242-725345543-1003\Software\Microsoft\Internet Explorer\Main,Search Bar = hxxps://www.yahoo.com?fr=hp-avast&type=avastbcl
SearchScopes: HKLM -> DefaultScope {9CB96984-43C3-4D44-90EF-01466EFCF7BB} URL = hxxps://search.yahoo.com/yhs/search?type=avastbcl&hspart=avast&hsimp=yhs-001&p={searchTerms}
SearchScopes: HKLM -> {9CB96984-43C3-4D44-90EF-01466EFCF7BB} URL = hxxps://search.yahoo.com/yhs/search?type=avastbcl&hspart=avast&hsimp=yhs-001&p={searchTerms}
SearchScopes: HKU\S-1-5-21-1614895754-1284227242-725345543-1003 -> DefaultScope {03A30767-4BCC-46EC-9C62-869FC66B4EC6} URL = hxxp://search.zonealarm.com/search?src=sp&tbid=goughGA&Lan=en&q={searchTerms}&gu=84401430c7fb48fd972653d8a2a9f46f&tu=10GXy00B72C01g0&sku=&tstsId=&ver=&&r=46
SearchScopes: HKU\S-1-5-21-1614895754-1284227242-725345543-1003 -> {03A30767-4BCC-46EC-9C62-869FC66B4EC6} URL = hxxp://search.zonealarm.com/search?src=sp&tbid=goughGA&Lan=en&q={searchTerms}&gu=84401430c7fb48fd972653d8a2a9f46f&tu=10GXy00B72C01g0&sku=&tstsId=&ver=&&r=46
SearchScopes: HKU\S-1-5-21-1614895754-1284227242-725345543-1003 -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-21-1614895754-1284227242-725345543-1003 -> {9CB96984-43C3-4D44-90EF-01466EFCF7BB} URL = hxxps://search.yahoo.com/yhs/search?type=avastbcl&hspart=avast&hsimp=yhs-001&p={searchTerms}
BHO: RealNetworks Download and Record Plugin for Internet Explorer -> {3049C3E9-B461-4BC5-8870-4C09146192CA} -> E:\Documents and Settings\All Users\Application Data\RealNetworks\RealDownloader\BrowserPlugins\IE\rndlbrowserrecordplugin.dll [2013-08-14] (RealDownloader)
BHO: No Name -> {5C255C8A-E604-49b4-9D64-90988571CECB} -> No File
BHO: ZoneAlarm Do Not Track Me -> {6E45F3E8-2683-4824-A6BE-08108022FB36} -> E:\Program Files\Check Point Software Technologies LTD\zonealarm\AbineSDK\IE\DNTPAddon.dll => No File
BHO: Java™ Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> E:\Program Files\Java\jre1.8.0_91\bin\ssv.dll [2016-05-30] (Oracle Corporation)
BHO: avast! Online Security -> {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} -> E:\Program Files\AVAST Software\Avast\aswWebRepIE.dll [2015-08-02] (AVAST Software)
BHO: Skype Browser Helper -> {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} -> E:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll [2013-10-09] (Skype Technologies S.A.)
BHO: Java™ Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> E:\Program Files\Java\jre1.8.0_91\bin\jp2ssv.dll [2016-05-30] (Oracle Corporation)
Toolbar: HKU\S-1-5-21-1614895754-1284227242-725345543-1003 -> No Name - {EE2AC4E5-B0B0-4EC6-88A9-BCA1A32AB107} -  No File
DPF: {C1F8FC10-E5DB-4112-9DBF-6C3FF728D4E3} hxxp://support.dell.com/systemprofiler/DellSystemLite.CAB
Handler: livecall - {828030A1-22C1-4009-854F-8E305202313F} - E:\Program Files\Windows Live\Messenger\msgrapp.14.0.8117.0416.dll [2010-04-16] (Microsoft Corporation)
Handler: ms-itss - {0A9007C0-4076-11D3-8789-0000F8105754} - E:\Program Files\Common Files\Microsoft Shared\Information Retrieval\MSITSS.DLL [2000-04-19] (Microsoft Corporation)
Handler: msnim - {828030A1-22C1-4009-854F-8E305202313F} - E:\Program Files\Windows Live\Messenger\msgrapp.14.0.8117.0416.dll [2010-04-16] (Microsoft Corporation)
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - E:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll [2013-10-09] (Skype Technologies S.A.)
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - E:\Program Files\Common Files\Skype\Skype4COM.dll [2013-02-26] (Skype Technologies)

FireFox:
========
FF ProfilePath: E:\Documents and Settings\Philip and Katrin\Application Data\Mozilla\Firefox\Profiles\6ix6t5u6.default
FF DefaultSearchEngine: Google
FF DefaultSearchEngine.US: Ecosia
FF DefaultSearchUrl: hxxps://search.yahoo.com/yhs/search
FF SearchEngineOrder.1: Yahoo! (Avast)
FF Homepage: hxxps://www.yahoo.com?fr=hp-avast&type=avastbcl
FF Session Restore: -> is enabled.
FF Plugin: @adobe.com/FlashPlayer -> E:\WINDOWS\system32\Macromed\Flash\NPSWF32_21_0_0_213.dll [2016-04-17] ()
FF Plugin: @Google.com/GoogleEarthPlugin -> E:\Program Files\Google\Google Earth\plugin\npgeplugin.dll [2015-05-21] (Google)
FF Plugin: @java.com/DTPlugin,version=11.91.2 -> E:\Program Files\Java\jre1.8.0_91\bin\dtplugin\npDeployJava1.dll [2016-05-30] (Oracle Corporation)
FF Plugin: @java.com/JavaPlugin,version=11.91.2 -> E:\Program Files\Java\jre1.8.0_91\bin\plugin2\npjp2.dll [2016-05-30] (Oracle Corporation)
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> E:\Program Files\Microsoft Silverlight\5.1.30514.0\npctrl.dll [2014-05-13] ( Microsoft Corporation)
FF Plugin: @microsoft.com/WPF,version=3.5 -> E:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll [2008-07-30] (Microsoft Corporation)
FF Plugin: @real.com/nppl3260;version=16.0.3.51 -> e:\program files\real\realplayer\Netscape6\nppl3260.dll [2014-01-08] (RealNetworks, Inc.)
FF Plugin: @real.com/nprndlchromebrowserrecordext;version=1.3.3 -> E:\Documents and Settings\All Users\Application Data\RealNetworks\RealDownloader\BrowserPlugins\MozillaPlugins\nprndlchromebrowserrecordext.dll [2013-08-14] (RealNetworks, Inc.)
FF Plugin: @real.com/nprndlhtml5videoshim;version=1.3.3 -> E:\Documents and Settings\All Users\Application Data\RealNetworks\RealDownloader\BrowserPlugins\MozillaPlugins\nprndlhtml5videoshim.dll [2013-08-14] (RealNetworks, Inc.)
FF Plugin: @real.com/nprndlpepperflashvideoshim;version=1.3.3 -> E:\Documents and Settings\All Users\Application Data\RealNetworks\RealDownloader\BrowserPlugins\MozillaPlugins\nprndlpepperflashvideoshim.dll [2013-08-14] (RealNetworks, Inc.)
FF Plugin: @real.com/nprpplugin;version=16.0.3.51 -> e:\program files\real\realplayer\Netscape6\nprpplugin.dll [2014-01-08] (RealPlayer)
FF Plugin: @realnetworks.com/npdlplugin;version=1 -> E:\Documents and Settings\All Users\Application Data\RealNetworks\RealDownloader\BrowserPlugins\npdlplugin.dll [2013-08-14] (RealDownloader)
FF Plugin: @tools.google.com/Google Update;version=3 -> E:\Program Files\Google\Update\1.3.30.3\npGoogleUpdate3.dll [2016-05-11] (Google Inc.)
FF Plugin: @tools.google.com/Google Update;version=9 -> E:\Program Files\Google\Update\1.3.30.3\npGoogleUpdate3.dll [2016-05-11] (Google Inc.)
FF Plugin: @videolan.org/vlc,version=2.0.6 -> E:\Program Files\VideoLAN\VLC\npvlc.dll [2015-04-13] (VideoLAN)
FF Plugin: @videolan.org/vlc,version=2.1.3 -> E:\Program Files\VideoLAN\VLC\npvlc.dll [2015-04-13] (VideoLAN)
FF Plugin: @videolan.org/vlc,version=2.1.5 -> E:\Program Files\VideoLAN\VLC\npvlc.dll [2015-04-13] (VideoLAN)
FF Plugin: @videolan.org/vlc,version=2.2.1 -> E:\Program Files\VideoLAN\VLC\npvlc.dll [2015-04-13] (VideoLAN)
FF Plugin: Adobe Reader -> E:\Program Files\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll [2014-08-05] (Adobe Systems Inc.)
FF Plugin HKU\S-1-5-21-1614895754-1284227242-725345543-1003: @citrixonline.com/appdetectorplugin -> E:\Documents and Settings\Philip and Katrin\Local Settings\Application Data\Citrix\Plugins\104\npappdetector.dll [2015-09-22] (Citrix Online)
FF Plugin ProgramFiles/Appdata: E:\Program Files\mozilla firefox\browser\plugins\npatgpc.dll [2014-12-11] (Cisco WebEx LLC)
FF Plugin ProgramFiles/Appdata: E:\Documents and Settings\Philip and Katrin\Application Data\mozilla\plugins\npatgpc.dll [2014-12-11] (Cisco WebEx LLC)
FF SearchPlugin: E:\Documents and Settings\Philip and Katrin\Application Data\Mozilla\Firefox\Profiles\6ix6t5u6.default\searchplugins\ecosia.xml [2016-02-19]
FF SearchPlugin: E:\Documents and Settings\Philip and Katrin\Application Data\Mozilla\Firefox\Profiles\6ix6t5u6.default\searchplugins\yahoo-avast.xml [2014-06-19]
FF SearchPlugin: E:\Documents and Settings\Philip and Katrin\Application Data\Mozilla\Firefox\Profiles\6ix6t5u6.default\searchplugins\zonealarm.xml [2013-11-20]
FF Extension: Xmarks - E:\Documents and Settings\Philip and Katrin\Application Data\Mozilla\Firefox\Profiles\6ix6t5u6.default\Extensions\foxmarks@kei.com [2016-06-19]
FF Extension: Microsoft .NET Framework Assistant - E:\Documents and Settings\Philip and Katrin\Application Data\Mozilla\Firefox\Profiles\6ix6t5u6.default\Extensions\{20a82645-c095-46ed-80e3-08825760534b} [2011-06-21] [not signed]
FF Extension: Ecosia — The search engine that plants trees! - E:\Documents and Settings\Philip and Katrin\Application Data\Mozilla\Firefox\Profiles\6ix6t5u6.default\Extensions\{d04b0b40-3dab-4f0b-97a6-04ec3eddbfb0}.xpi [2016-02-19]
FF Extension: Adblock Plus - E:\Documents and Settings\Philip and Katrin\Application Data\Mozilla\Firefox\Profiles\6ix6t5u6.default\Extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}.xpi [2016-04-29]
FF Extension: Disable Anti-Adblock - E:\Documents and Settings\Philip and Katrin\Application Data\Mozilla\Firefox\Profiles\6ix6t5u6.default\Extensions\{d49a148e-817e-4025-bee3-5d541376de3b}.xpi [2016-04-28]
FF Extension: Skype Click to Call - E:\Program Files\Mozilla Firefox\extensions\{82AF8DCA-6DE9-405D-BD5E-43525BDAD38A} [2016-06-19] [not signed]
FF Extension: Skype Click to Call - E:\Program Files\Mozilla Firefox\browser\extensions\{82AF8DCA-6DE9-405D-BD5E-43525BDAD38A} [2016-06-19] [not signed]
FF HKLM\...\Firefox\Extensions: [{20a82645-c095-46ed-80e3-08825760534b}] - E:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF Extension: Microsoft .NET Framework Assistant - E:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension [2012-02-23] [not signed]
FF HKLM\...\Firefox\Extensions: [{ABDE892B-13A8-4d1b-88E6-365A6E755758}] - E:\Documents and Settings\All Users\Application Data\RealNetworks\RealDownloader\BrowserPlugins\Firefox\Ext
FF Extension: RealDownloader - E:\Documents and Settings\All Users\Application Data\RealNetworks\RealDownloader\BrowserPlugins\Firefox\Ext [2014-01-08] [not signed]
FF HKLM\...\Firefox\Extensions: [{DF153AFF-6948-45d7-AC98-4FC4AF8A08E2}] - E:\Documents and Settings\All Users\Application Data\RealNetworks\RealDownloader\BrowserPlugins\Firefox\Ext
FF HKLM\...\Firefox\Extensions: [wrc@avast.com] - E:\Program Files\AVAST Software\Avast\WebRep\FF => not found
FF HKLM\...\Firefox\Extensions: [sp@avast.com] - E:\Program Files\AVAST Software\Avast\SafePrice\FF
FF Extension: No Name - E:\Program Files\AVAST Software\Avast\SafePrice\FF [2016-06-19] [not signed]

Chrome:
=======
CHR HomePage: Default -> hxxps://www.yahoo.com?fr=hp-avast&type=avastbcl
CHR StartupUrls: Default -> "hxxps://www.yahoo.com?fr=hp-avast&type=avastbcl"
CHR Session Restore: Default -> is enabled.
CHR Plugin: (Native Client) - E:\Program Files\Google\Chrome\Application\49.0.2623.112\ppGoogleNaClPluginChrome.dll => No File
CHR Plugin: (Chrome PDF Viewer) - E:\Program Files\Google\Chrome\Application\49.0.2623.112\pdf.dll => No File
CHR Plugin: (Shockwave Flash) - E:\Program Files\Google\Chrome\Application\49.0.2623.112\gcswf32.dll => No File
CHR Plugin: (Shockwave Flash) - E:\WINDOWS\system32\Macromed\Flash\NPSWF32_11_2_202_235.dll => No File
CHR Plugin: (Adobe Acrobat) - E:\Program Files\Adobe\Reader 10.0\Reader\Browser\nppdf32.dll => No File
CHR Plugin: (Microsoft DRM) - E:\Program Files\Windows Media Player\npdrmv2.dll (Microsoft Corporation)
CHR Plugin: (Microsoft DRM) - E:\Program Files\Windows Media Player\npwmsdrm.dll (Microsoft Corporation)
CHR Plugin: (Windows Media Player Plug-in Dynamic Link Library) - E:\Program Files\Windows Media Player\npdsplay.dll (Microsoft Corporation (written by Digital Renaissance Inc.))
CHR Plugin: (RealNetworks™ Chrome Background Extension Plug-In (32-bit) ) - E:\Documents and Settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprpchromebrowserrecordext.dll => No File
CHR Plugin: (RealPlayer™ HTML5VideoShim Plug-In (32-bit) ) - E:\Documents and Settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprphtml5videoshim.dll => No File
CHR Plugin: (RealPlayer™ G2 LiveConnect-Enabled Plug-In (32-bit) ) - E:\Program Files\Real\RealPlayer\Netscape6\nppl3260.dll (RealNetworks, Inc.)
CHR Plugin: (RealPlayer Version Plugin) - E:\Program Files\Real\RealPlayer\Netscape6\nprpjplug.dll => No File
CHR Plugin: (npFFApi) - E:\Program Files\CheckPoint\ZAForceField\TrustChecker\bin\npFFApi.dll => No File
CHR Plugin: (Google Earth Plugin) - E:\Program Files\Google\Google Earth\plugin\npgeplugin.dll (Google)
CHR Plugin: (Google Update) - E:\Program Files\Google\Update\1.3.21.111\npGoogleUpdate3.dll => No File
CHR Plugin: (Java™ Platform SE 6 U31) - E:\Program Files\Java\jre6\bin\plugin2\npjp2.dll => No File
CHR Plugin: (RealJukebox NS Plugin) - E:\Program Files\Real\RealPlayer\Netscape6\nprjplug.dll => No File
CHR Plugin: (Silverlight Plug-In) - e:\Program Files\Microsoft Silverlight\4.1.10111.0\npctrl.dll => No File
CHR Plugin: (Windows Presentation Foundation) - e:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
CHR Profile: E:\Documents and Settings\Philip and Katrin\Local Settings\Application Data\Google\Chrome\User Data\Default
CHR Extension: (Avast Online Security) - E:\Documents and Settings\Philip and Katrin\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\gomekmidlodglbbmalcneegieacbdmki [2015-05-20]
CHR Extension: (RealDownloader) - E:\Documents and Settings\Philip and Katrin\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\idhngdhcfkoamngbedgpaokgjbnpdiji [2014-03-02]
CHR Extension: (Skype Click to Call) - E:\Documents and Settings\Philip and Katrin\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\lifbcibllhkdhoafpjfnlhfpfgnpldfl [2015-05-20]
CHR Extension: (Google Wallet) - E:\Documents and Settings\Philip and Katrin\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2015-05-20]
CHR HKLM\...\Chrome\Extension: [eofcbnmajmjmplflapaojjnihcjkigck] - E:\Program Files\AVAST Software\Avast\WebRep\Chrome\aswWebRepChromeSp.crx [2015-04-03]
CHR HKLM\...\Chrome\Extension: [gomekmidlodglbbmalcneegieacbdmki] - E:\Program Files\AVAST Software\Avast\WebRep\Chrome\aswWebRepChrome.crx [2015-04-03]
CHR HKLM\...\Chrome\Extension: [idhngdhcfkoamngbedgpaokgjbnpdiji] - E:\Documents and Settings\All Users\Application Data\RealNetworks\RealDownloader\BrowserPlugins\Chrome\Ext\realdownloader.crx [2013-08-14]
CHR HKLM\...\Chrome\Extension: [lifbcibllhkdhoafpjfnlhfpfgnpldfl] - E:\Program Files\Skype\Toolbars\Skype for Chromium\skype_chrome_extension.crx [2013-10-09]

==================== Services (Whitelisted) ========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R2 !SASCORE; E:\Program Files\SUPERAntiSpyware\SASCORE.EXE [142648 2014-08-26] (SUPERAntiSpyware.com)
S2 ASFIPmon; E:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe [65536 2006-03-17] (Broadcom Corporation) [File not signed]
S2 avast! Antivirus; E:\Program Files\AVAST Software\Avast\AvastSvc.exe [146600 2015-09-24] (AVAST Software)
S2 CCALib8; E:\Program Files\Canon\CAL\CALMAIN.exe [86606 2005-06-02] (Canon Inc.) [File not signed]
S3 McComponentHostService; E:\Program Files\McAfee Security Scan\3.11.309\McCHSvc.exe [239880 2016-03-11] (McAfee, Inc.)
S2 RealNetworks Downloader Resolver Service; E:\Program Files\RealNetworks\RealDownloader\rndlresolversvc.exe [39056 2013-08-14] ()
S2 Skype C2C Service; E:\Documents and Settings\All Users\Application Data\Skype\Toolbars\Skype C2C Service\c2c_service.exe [3275136 2013-10-09] (Skype Technologies S.A.)
S2 vsmon; E:\Program Files\CheckPoint\ZoneAlarm\vsmon.exe [3722912 2015-11-07] (Check Point Software Technologies Ltd.)
S2 ZAPrivacyService; E:\Program Files\CheckPoint\ZoneAlarm\ZaPrivacyService.exe [96272 2015-10-19] (Check Point Software Technologies, Ltd.)

===================== Drivers (Whitelisted) ==========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

S3 anvsnddrv; E:\WINDOWS\System32\drivers\anvsnddrv.sys [32896 2012-05-17] (AnvSoft Inc.) [File not signed]
S2 aswHwid; E:\WINDOWS\system32\drivers\aswHwid.sys [24016 2015-09-24] (AVAST Software)
S2 aswMonFlt; E:\WINDOWS\system32\drivers\aswMonFlt.sys [76000 2015-09-24] (AVAST Software)
S1 aswRdr; E:\WINDOWS\system32\drivers\aswRdr.sys [55200 2015-09-24] (AVAST Software)
S0 aswRvrt; E:\WINDOWS\system32\Drivers\aswRvrt.sys [49776 2015-09-24] (AVAST Software)
S1 aswSnx; E:\WINDOWS\system32\drivers\aswSnx.sys [794952 2015-11-09] (AVAST Software)
S1 aswSP; E:\WINDOWS\system32\drivers\aswSP.sys [435464 2015-11-09] (AVAST Software)
S3 aswStmXP; E:\WINDOWS\system32\drivers\aswStmXP.sys [157888 2015-09-24] (AVAST Software)
S3 aswTdi; E:\WINDOWS\system32\drivers\aswTdi.sys [57888 2015-09-24] (AVAST Software)
S0 aswVmm; E:\WINDOWS\system32\Drivers\aswVmm.sys [208664 2015-09-24] (AVAST Software)
S2 BASFND; E:\Program Files\Broadcom\ASFIPMon\BASFND.sys [6025 2003-04-24] (Broadcom Corporation) [File not signed]
S3 brfilt; E:\WINDOWS\System32\Drivers\Brfilt.sys [2944 2001-08-17] (Brother Industries Ltd.)
S2 BrPar; E:\WINDOWS\System32\drivers\BrPar.sys [19537 2000-07-24] (Brother Industries Ltd.) [File not signed]
S3 BrUsbScn; E:\WINDOWS\System32\Drivers\BrUsbScn.sys [10368 2001-08-17] (Brother Industries Ltd.)
S3 Dot4Scan; E:\WINDOWS\System32\DRIVERS\Dot4Scan.sys [8704 2001-08-17] (Microsoft Corporation)
S3 DSproct; E:\Program Files\Dell Support\GTAction\triggers\DSproct.sys [4864 2006-01-10] (GTek Technologies Ltd.) [File not signed]
S3 libusb0; E:\WINDOWS\System32\drivers\libusb0.sys [21504 2010-06-24] (hxxp://libusb-win32.sourceforge.net) [File not signed]
S3 mf; E:\WINDOWS\System32\DRIVERS\mf.sys [63744 2008-04-14] (Microsoft Corporation)
S3 plcmusb; E:\WINDOWS\System32\Drivers\plcmusb.sys [57370 2003-02-20] (Polycom Inc)
S3 pwdrvio; E:\WINDOWS\system32\pwdrvio.sys [15688 2013-09-30] ()
S3 pwdspio; E:\WINDOWS\system32\pwdspio.sys [10320 2013-09-30] ()
S1 SASDIFSV; E:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS [12880 2011-07-22] (SUPERAdBlocker.com and SUPERAntiSpyware.com)
S1 SASKUTIL; E:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS [67664 2011-07-12] (SUPERAdBlocker.com and SUPERAntiSpyware.com)
S3 SDDMI2; E:\WINDOWS\system32\DDMI2.sys [6977 2004-06-09] (Gteko Ltd.) [File not signed]
S2 StarOpen; E:\WINDOWS\system32\Drivers\StarOpen.sys [13120 2013-08-25] ()
S1 Vsdatant; E:\WINDOWS\System32\vsdatant.sys [540424 2015-11-07] (Check Point Software Technologies Ltd.)
S4 IntelIde; no ImagePath
U5 ScsiPort; E:\WINDOWS\system32\drivers\scsiport.sys [96384 2008-04-14] (Microsoft Corporation)
U5 Tcpip6; E:\Windows\System32\Drivers\Tcpip6.sys [226880 2010-02-11] (Microsoft Corporation)
U1 WS2IFSL; no ImagePath

==================== NetSvcs (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)


==================== One Month Created files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2016-06-26 19:03 - 2016-06-26 19:03 - 00027150 _____ E:\Documents and Settings\Philip and Katrin\Desktop\FRST.txt
2016-06-23 14:20 - 2016-06-23 10:21 - 03703360 _____ E:\Documents and Settings\Philip and Katrin\Desktop\AdwCleaner.exe
2016-06-23 14:19 - 2016-06-23 10:25 - 01610816 _____ (Malwarebytes) E:\Documents and Settings\Philip and Katrin\Desktop\JunkRT.exe
2016-06-23 14:11 - 2016-06-23 14:11 - 00000000 ____D E:\AdwCleaner
2016-06-23 14:10 - 2016-06-23 14:10 - 00000000 ____D E:\Documents and Settings\Philip and Katrin\Desktop\mbar
2016-06-23 14:09 - 2016-06-23 10:12 - 16563352 _____ (Malwarebytes Corp.) E:\Documents and Settings\Philip and Katrin\Desktop\mbar-1.09.3.1001.exe
2016-06-23 13:25 - 2016-06-23 13:25 - 00011242 _____ E:\Documents and Settings\Philip and Katrin\Desktop\mwbytes_safe_0623.txt
2016-06-23 13:14 - 2016-06-23 13:39 - 00170200 _____ (Malwarebytes) E:\WINDOWS\system32\Drivers\MBAMSwissArmy.sys
2016-06-23 13:13 - 2016-06-23 14:10 - 00121560 _____ (Malwarebytes) E:\WINDOWS\system32\Drivers\mbamchameleon.sys
2016-06-23 13:13 - 2016-06-23 13:13 - 00000777 _____ E:\Documents and Settings\All Users\Desktop\Malwarebytes Anti-Malware.lnk
2016-06-23 13:13 - 2016-06-23 13:13 - 00000000 ____D E:\Program Files\Malwarebytes Anti-Malware
2016-06-23 13:13 - 2016-06-23 13:13 - 00000000 ____D E:\Documents and Settings\All Users\Start Menu\Programs\Malwarebytes Anti-Malware
2016-06-23 13:13 - 2016-06-23 13:13 - 00000000 ____D E:\Documents and Settings\All Users\Application Data\Malwarebytes
2016-06-23 13:13 - 2016-03-10 14:08 - 00024448 _____ (Malwarebytes) E:\WINDOWS\system32\Drivers\mbam.sys
2016-06-23 13:10 - 2016-06-23 10:06 - 22851472 _____ (Malwarebytes ) E:\Documents and Settings\Philip and Katrin\Desktop\mbam-setup-bc.1878-2.2.1.1043.exe
2016-06-23 13:05 - 2016-06-23 10:10 - 00334792 _____ (Malwarebytes Corporation) E:\Documents and Settings\Philip and Katrin\Desktop\mbam-clean-2.2.2.7.exe
2016-06-23 12:51 - 2016-06-26 19:03 - 00000000 ____D E:\FRST
2016-06-23 12:50 - 2016-06-23 10:46 - 01738240 _____ (Farbar) E:\Documents and Settings\Philip and Katrin\Desktop\FRST.exe
2016-06-19 14:56 - 2015-09-24 00:10 - 00313472 _____ (AVAST Software) E:\WINDOWS\system32\aswBoot.exe
2016-06-19 14:53 - 2016-06-19 14:53 - 00000000 ____D E:\Program Files\Common Files\Java
2016-06-19 12:16 - 2016-06-19 12:16 - 00044507 _____ E:\Documents and Settings\Philip and Katrin\Desktop\malwarebytes_safemode_run1.txt
2016-06-19 11:58 - 2016-06-19 13:03 - 00065536 _____ E:\WINDOWS\system32\config\SpybotSD.evt
2016-06-19 11:50 - 2016-06-19 11:50 - 00065536 _____ E:\WINDOWS\system32\config\Spybot -.evt
2016-06-19 11:49 - 2016-06-19 14:54 - 00000000 ____D E:\Program Files\Spybot - Search & Destroy 2
2016-06-19 11:49 - 2016-06-19 11:50 - 00000000 ____D E:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2016-06-10 01:31 - 2016-06-19 14:55 - 00000000 ____D E:\Program Files\Mozilla Firefox
2016-06-04 02:11 - 2016-06-19 14:53 - 00000000 ____D E:\Program Files\Mozilla Thunderbird
2016-06-03 16:18 - 2016-06-19 14:18 - 00000000 ____D E:\Documents and Settings\Philip and Katrin\Start Menu\Programs\Dropbox
2016-06-03 01:26 - 2016-06-03 01:26 - 00000000 ____D E:\Documents and Settings\Philip and Katrin\My Documents\Investments
2016-05-30 02:52 - 2016-05-30 02:52 - 00000744 _____ E:\Documents and Settings\Philip and Katrin\Desktop\javatmp.lnk

==================== One Month Modified files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2016-06-26 19:03 - 2011-06-16 04:12 - 00000000 ____D E:\Documents and Settings\Philip and Katrin\Local Settings\Temp
2016-06-26 19:02 - 2014-11-29 12:25 - 01805408 _____ E:\WINDOWS\ntbtlog.txt
2016-06-26 19:02 - 2001-08-23 08:00 - 00002206 _____ E:\WINDOWS\system32\wpa.dbl
2016-06-23 23:09 - 2011-06-16 04:12 - 00000278 ___SH E:\Documents and Settings\Philip and Katrin\ntuser.ini
2016-06-23 15:00 - 2015-05-18 17:51 - 00000000 __SHD E:\WINDOWS\CSC
2016-06-23 13:30 - 2011-06-22 21:13 - 00002682 _____ E:\WINDOWS\BRMFBIDI.INI
2016-06-23 13:26 - 2014-11-29 12:31 - 00000364 ____H E:\WINDOWS\Tasks\avast! Emergency Update.job
2016-06-23 13:26 - 2013-01-29 03:09 - 00000310 _____ E:\WINDOWS\Tasks\RealPlayerRealUpgradeScheduledTaskS-1-5-21-1614895754-1284227242-725345543-1003.job
2016-06-23 13:26 - 2013-01-29 03:09 - 00000302 _____ E:\WINDOWS\Tasks\RealPlayerRealUpgradeLogonTaskS-1-5-21-1614895754-1284227242-725345543-1003.job
2016-06-23 13:26 - 2012-03-12 04:10 - 00000302 _____ E:\WINDOWS\Tasks\RealUpgradeLogonTaskS-1-5-21-1614895754-1284227242-725345543-1003.job
2016-06-23 13:26 - 2011-06-22 16:43 - 00000882 _____ E:\WINDOWS\Tasks\GoogleUpdateTaskMachineCore.job
2016-06-23 13:26 - 2011-06-16 04:11 - 00000006 ____H E:\WINDOWS\Tasks\SA.DAT
2016-06-23 13:25 - 2011-06-22 17:37 - 00000000 ____D E:\Program Files\Conduit
2016-06-19 15:44 - 2013-12-18 03:48 - 00000000 ___RD E:\Documents and Settings\Philip and Katrin\My Documents\Dropbox
2016-06-19 15:43 - 2011-06-22 16:43 - 00000886 _____ E:\WINDOWS\Tasks\GoogleUpdateTaskMachineUA.job
2016-06-19 14:58 - 2014-11-29 12:31 - 00001689 _____ E:\Documents and Settings\All Users\Desktop\Avast Free Antivirus.lnk
2016-06-19 14:58 - 2011-06-15 23:51 - 00000000 ___HD E:\WINDOWS\inf
2016-06-19 14:55 - 2012-07-02 01:47 - 00000000 ____D E:\Program Files\Mozilla Maintenance Service
2016-06-19 14:54 - 2013-11-12 04:22 - 00000000 ____D E:\WINDOWS\system32\MRT
2016-06-19 14:54 - 2011-06-16 04:11 - 00000000 __SHD E:\Documents and Settings\NetworkService
2016-06-19 14:54 - 2011-06-16 04:11 - 00000000 __SHD E:\Documents and Settings\LocalService
2016-06-19 14:54 - 2011-06-16 04:05 - 00000000 ____D E:\WINDOWS\Registration
2016-06-19 14:18 - 2016-01-20 02:17 - 00000000 ____D E:\Documents and Settings\All Users\Application Data\Oracle
2016-06-19 14:10 - 2011-06-16 04:11 - 00000000 ____D E:\Documents and Settings\LocalService\Local Settings\Temp
2016-06-19 13:03 - 2012-06-04 03:28 - 00000000 __HDC E:\WINDOWS\$NtUninstallKB2718704$
2016-06-19 11:40 - 2015-06-28 01:22 - 00001036 _____ E:\WINDOWS\Tasks\DropboxUpdateTaskUserS-1-5-21-1614895754-1284227242-725345543-1003UA.job
2016-06-19 07:54 - 2001-08-23 08:00 - 00000983 _____ E:\WINDOWS\win.ini
2016-06-19 07:54 - 2001-08-23 08:00 - 00000327 _____ E:\WINDOWS\system.ini
2016-06-19 07:46 - 2011-06-16 04:11 - 00032480 _____ E:\WINDOWS\SchedLgU.Txt
2016-06-19 07:37 - 2011-06-16 04:12 - 00000000 ____D E:\Documents and Settings\Philip and Katrin
2016-06-15 00:10 - 2014-04-27 09:22 - 00000000 ____D E:\Program Files\SUPERAntiSpyware
2016-06-12 21:33 - 2015-06-28 01:22 - 00000984 _____ E:\WINDOWS\Tasks\DropboxUpdateTaskUserS-1-5-21-1614895754-1284227242-725345543-1003Core.job
2016-06-12 21:09 - 2013-05-09 21:09 - 00000350 _____ E:\WINDOWS\Tasks\RealDownloaderDownloaderScheduledTaskS-1-5-21-1614895754-1284227242-725345543-1003.job
2016-06-12 13:46 - 2011-06-22 21:15 - 00000466 _____ E:\WINDOWS\brwmark.ini
2016-06-10 10:00 - 2011-06-16 04:12 - 00000000 ___RD E:\Documents and Settings\Philip and Katrin\My Documents
2016-06-10 09:48 - 2011-07-03 14:33 - 00002489 _____ E:\Documents and Settings\All Users\Start Menu\Programs\Microsoft Word.lnk
2016-06-09 01:15 - 2012-03-12 04:10 - 00000310 _____ E:\WINDOWS\Tasks\RealUpgradeScheduledTaskS-1-5-21-1614895754-1284227242-725345543-1003.job
2016-06-09 00:57 - 2013-01-25 03:15 - 00000000 ____D E:\Documents and Settings\Philip and Katrin\My Documents\SEAC
2016-06-03 16:18 - 2013-12-18 03:42 - 00000000 ____D E:\Documents and Settings\Philip and Katrin\Application Data\Dropbox
2016-06-03 02:00 - 2011-06-20 03:28 - 00000000 ____D E:\Documents and Settings\Philip and Katrin\My Documents\Climate Change
2016-06-02 00:28 - 2011-06-20 03:28 - 00000000 ____D E:\Documents and Settings\Philip and Katrin\My Documents\Dynage
2016-05-30 02:51 - 2015-08-02 01:19 - 00000000 ____D E:\Documents and Settings\All Users\Start Menu\Programs\Java
2016-05-30 02:51 - 2013-07-17 20:34 - 00000000 ____D E:\Program Files\Java
2016-05-30 02:50 - 2016-01-20 02:18 - 00000000 ____D E:\Documents and Settings\Philip and Katrin\.oracle_jre_usage
2016-05-30 02:49 - 2016-01-20 02:20 - 00095808 _____ (Oracle Corporation) E:\WINDOWS\system32\WindowsAccessBridge.dll
2016-05-30 02:49 - 2015-08-02 01:19 - 00153088 _____ (Oracle Corporation) E:\WINDOWS\system32\javacpl.cpl
2016-05-29 01:00 - 2012-04-18 01:36 - 00002393 _____ E:\Documents and Settings\All Users\Start Menu\Programs\Serif PagePlus X6.lnk

==================== Files in the root of some directories =======

2012-10-25 01:59 - 2012-10-25 01:59 - 0000288 _____ () E:\Documents and Settings\Philip and Katrin\Application Data\.backup.dm
2011-09-08 10:23 - 2014-08-30 02:57 - 0017408 _____ () E:\Documents and Settings\Philip and Katrin\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
2011-06-20 00:46 - 2014-07-09 23:51 - 0000090 _____ () E:\Documents and Settings\Philip and Katrin\Local Settings\Application Data\FASTWiz.log
2011-06-23 15:25 - 2011-12-13 03:15 - 0001940 _____ () E:\Documents and Settings\All Users\Application Data\hpzinstall.log

Some files in TEMP:
====================
E:\Documents and Settings\Philip\Local Settings\Temp\brmfwia1.dll
E:\Documents and Settings\Philip\Local Settings\Temp\jre-6u23-windows-i586-iftw-rv.exe
E:\Documents and Settings\Philip\Local Settings\Temp\jre-6u24-windows-i586-iftw-rv.exe
E:\Documents and Settings\Philip\Local Settings\Temp\sp_setpoint.exe
E:\Documents and Settings\Philip\Local Settings\Temp\SSUPDATE.EXE
E:\Documents and Settings\Philip and Katrin\Local Settings\Temp\libeay32.dll
E:\Documents and Settings\Philip and Katrin\Local Settings\Temp\msvcr120.dll
E:\Documents and Settings\Philip and Katrin\Local Settings\Temp\sqlite3.dll
E:\Documents and Settings\Philip and Katrin\Local Settings\Temp\{10A034C9-394B-4E32-BB82-BDED9ED563F5}-DropboxClient_4.4.29.exe


==================== Bamital & volsnap =================

(There is no automatic fix for files that do not pass verification.)

E:\WINDOWS\explorer.exe => File is digitally signed
E:\WINDOWS\system32\winlogon.exe => File is digitally signed
E:\WINDOWS\system32\svchost.exe => File is digitally signed
E:\WINDOWS\system32\services.exe => File is digitally signed
E:\WINDOWS\system32\User32.dll => File is digitally signed
E:\WINDOWS\system32\userinit.exe => File is digitally signed
E:\WINDOWS\system32\rpcss.dll => File is digitally signed
E:\WINDOWS\system32\dnsapi.dll => File is digitally signed
E:\WINDOWS\system32\Drivers\volsnap.sys => File is digitally signed

==================== End of FRST.txt ============================

I also noticed that I could access a USB flash drive in plain Safe Mode (was unable to do that in Safe Mode with Networking a few days ago) -- thus I was able to carry the FRST.txt file over to this other (healthy) computer.

I will attach the addition.txt file also (plus the 2 Malwarebytes log files that were created previously) in a few minutes -- have to go and read up on how to attach a file to a post.



#3 ceratops

ceratops
  • Topic Starter
  • Members
  • 60 posts

Posted 26 June 2016 - 06:35 PM

Attached -- addition.txt from Farbar, from today;

also 2 runs of Malwarebytes (both done in Safe Mode with Networking) -- the first on 6/19, the second on 6/23.

As best I can remember, I didn't let the computer reboot immediately after the first Malwarebytes run, which may be why 50+ threats were detected on 6/23.

Attached Files



#4 Jo*

Jo*
  • Malware Response Team
  • 3,445 posts
  • Gender:Male
  • Location:Germany

Posted 27 June 2016 - 06:24 AM

Welcome to BleepingComputer.

Hi there,

my name is Jo and I will help you with your computer problems.


Please follow these guidelines:
  • Read and follow the instructions in the sequence they are posted.
  • Print or copy & save the instructions.
  • Back up all your private data / music / important files on another (external) drive before using our tools.
  • Do not install / uninstall any applications, unless otherwise instructed.
  • Use only the tools you have been instructed to use.
  • Copy and paste the log files inside your post, unless otherwise instructed.
  • Ask for clarification if you have any questions.
  • Stay with this topic until you get the "all clean" post.
  • My first language is not English, so please do not use slang or idioms; it could be hard for me to read. Thanks for your understanding.

***


Step 1: Download Security Check by screen317 from here or here.
  • Save it to your Desktop.
  • Double-click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
    Vista / Windows 7/8 users right-click and select Run As Administrator.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

***


Step 2: Please download Malwarebytes Anti-Rootkit and save it to your desktop.
  • Be sure to print out and follow the instructions provided on that same page.
  • Caution: This is a beta version, so please be sure to read the disclaimer and back up all your data before using it.
  • Double-click on the downloaded file. OK the self-extracting prompt.
  • MBAR will start. Click "Next" in the introduction screen to continue.
  • Click "Update" in the following screen to obtain the latest malware definitions.
  • Once the update is complete, select "Next" and click "Scan".
With some infections, you may see two message boxes.
  • 'Could not load protection driver'. Click 'OK'.
  • 'Could not load DDA driver'. Click 'Yes' to this message to allow the driver to load after a restart. Allow the computer to restart. Continue with the rest of these instructions.
  • If malware is found, do not press the Clean up button; please go to the MBAR folder and then copy/paste the contents of the MBAR-log-***.txt file into your next reply.
  • If no malware is found, please let me know as well.

***


Step 3: Please download AdwCleaner by Xplode and save it to your Desktop.
Double-click AdwCleaner.exe
Vista / Windows 7/8 users right-click and select Run As Administrator.
  • Click on the Scan button.
  • AdwCleaner will begin... be patient, as the scan may take some time to complete.
    The current line should say "Pending. Please uncheck elements you do not want to remove" => scan is complete.
  • After the scan has finished, click on the Logfile button... a logfile (AdwCleaner[R0].txt) will open in Notepad for review.
  • The contents of the log file may be confusing. Unless you see a program name that you know should not be removed, don't worry about it.
    If you see an entry you want to keep, let me know about it.
  • Copy and paste the contents of that logfile in your next reply.
  • Copies of all logfiles are saved in the C:\AdwCleaner folder, which was created when running the tool.

***


Graduate of the WTT Classroom
Cheers,
Jo
If I have been helping you, and I have not replied to your latest post in 36 hours please send me a PM.


#5 ceratops

ceratops
  • Topic Starter
  • Members
  • 60 posts

Posted 27 June 2016 - 10:01 AM

Thanks for your response Jo!

Here is the information collected by the Security Check program. It looks somewhat incomplete (?), or is that a normal result? Note that we are running older Java and Flash Player because working updates no longer seem to be available for XP. Actually, I'm not sure we have any need for Java; I do know we've tried Flash Player updates and that didn't work with the version of OS we are still running.

_________________________________________________________

 Results of screen317's Security Check version 1.014 --- 12/23/15  
 Windows XP Service Pack 3 x86   
 Internet Explorer 8  
``````````````Antivirus/Firewall Check:``````````````
avast! Antivirus   
 Antivirus up to date!  
`````````Anti-malware/Other Utilities Check:`````````
 SUPERAntiSpyware     
 HostsMan 4.0.95    
 Java 8 Update 91  
 Java version 32-bit out of Date!
 Adobe Flash Player 10 Flash Player out of Date!
 Adobe Flash Player     21.0.0.213  
 Adobe Reader XI  
 Mozilla Firefox (47.0)
 Mozilla Thunderbird (45.1.1)
 Google Chrome (49.0.2623.110)
 Google Chrome (49.0.2623.112)
 Google Chrome (plugins...)
````````Process Check: objlist.exe by Laurent````````  
`````````````````System Health check`````````````````
 Total Fragmentation on Drive E::  
````````````````````End of Log``````````````````````

________________________________________________

I am doing some further backup before running the MBAR and AdwCleaner tools.

Since your MBAR instructions include telling the program to do updates, I assume I should try to run that program in Safe Mode with Networking.

Keep in mind (first post in this thread) that I already tried running AdwCleaner a few days ago, and it wouldn't run (stopped immediately after starting). I will try again, per your instructions.


Edited by ceratops, 27 June 2016 - 11:18 AM.


#6 Jo*

Jo*
  • Malware Response Team
  • 3,445 posts
  • Gender:Male
  • Location:Germany

Posted 27 June 2016 - 11:36 AM

Security Check log is complete.

And yes, please run MBAR in Safe Mode with Networking.

Cheers,
Jo


#7 ceratops

ceratops
  • Topic Starter
  • Members
  • 60 posts

Posted 27 June 2016 - 06:06 PM

OK, returning with further reports.

MBAR ran uneventfully, got its updates, and scanned. It found no malware. Logfile follows:

++++++++++++++++++++++++++++++++++++++++++++++++++++++

Malwarebytes Anti-Rootkit BETA 1.9.3.1001
www.malwarebytes.org

Database version:
  main:    v2016.06.27.07
  rootkit: v2016.05.27.01

Windows XP Service Pack 3 x86 NTFS (Safe Mode/Networking)
Internet Explorer 8.0.6001.18702
Philip and Katrin :: DOOLEY-2CPU [administrator]

6/27/2016 6:04:53 PM
mbar-log-2016-06-27 (18-04-53).txt

Scan type: Quick scan
Scan options enabled: Anti-Rootkit | Drivers | MBR | Physical Sectors | Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken
Scan options disabled:
Objects scanned: 311956
Time elapsed: 11 minute(s), 1 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

Physical Sectors Detected: 0
(No malicious items detected)

(end)

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Running AdwCleaner was a stranger experience. As mentioned earlier, I had already put this executable on the desktop back on 6/23 and tried running it then -- at that time, it simply started and then appeared to stop again a moment later. I tried running that same executable file again today, with the same result (hourglass icon briefly appears and then promptly disappears). I then thought I would reboot the computer in Safe Mode (rather than Safe Mode with Networking), just in case that made a difference. From the Start menu, I told the computer to Restart. It came up with a message that a process -- identified as "AutoIt v3" and shown with the bug icon of the AdwCleaner tool -- was still running. I told it to end that process, but it was unable to do so. I tried Restart a couple of times, with the same result. Finally I forced a reboot with the power button.

This time I let the computer boot in plain Safe Mode. I then deleted the AdwCleaner application on the desktop. I dragged a fresh copy of AdwCleaner from a CD onto the desktop. Then, BEFORE running the program, I renamed it as "happybug.exe".

When I ran happybug.exe, AdwCleaner started normally, and I was able to tell it to do a scan. The scan took a relatively short time (quicker than the 11 minutes of the MBAR scan). The logfile follows. I'm not sure how to interpret the logfile -- are all the identified items viewed as threats? Or did AdwCleaner not find anything definite (it didn't report any finds on its main user interface screen after completing the scan)? edited later --- never mind, I see now how the main interface screen is organized into categories -- so, yes, these are all being flagged as undesirable...

Some of the items in the list certainly sound like downloads that might bring malware with them... I recognize some as tools my husband was using, and will have to ask him about the history.

Certainly the fact that AdwCleaner would not run until it was renamed seems suspicious!

AdwCleaner logfile:

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

# AdwCleaner v5.200 - Logfile created 27/06/2016 at 18:26:28
# Updated 14/06/2016 by ToolsLib
# Database : 2016-06-14.1 [Local]
# Operating system : Microsoft Windows XP Service Pack 3 (X86)
# Username : Philip and Katrin - DOOLEY-2CPU
# Running from : E:\Documents and Settings\Philip and Katrin\Desktop\happybug.exe
# Option : Scan
# Support : https://toolslib.net/forum

***** [ Services ] *****


***** [ Folders ] *****

Folder Found : E:\Documents and Settings\All Users\Start Menu\Programs\Burn4Free
Folder Found : E:\Documents and Settings\All Users\Start Menu\Programs\Free Youtube Downloader
Folder Found : E:\Program Files\Burn4Free
Folder Found : E:\Program Files\Conduit
Folder Found : E:\Program Files\Free Youtube Downloader
Folder Found : E:\DOCUME~1\PHILIP~1\LOCALS~1\Temp\mt_ffx

***** [ Files ] *****

File Found : E:\Documents and Settings\All Users\Desktop\Free Youtube Downloader.lnk
File Found : E:\user.js

***** [ DLL ] *****


***** [ WMI ] *****


***** [ Shortcuts ] *****


***** [ Scheduled tasks ] *****


***** [ Registry ] *****

Key Found : HKLM\SOFTWARE\Classes\AppID\escortApp.DLL
Key Found : HKLM\SOFTWARE\Classes\AppID\escorTlbr.DLL
Key Found : HKLM\SOFTWARE\MozillaPlugins\@checkpoint.com/FFApi
Key Found : HKLM\SOFTWARE\Classes\pc-mechanic
Key Found : HKLM\SOFTWARE\Classes\ScriptHost.Tool
Key Found : HKLM\SOFTWARE\Classes\ScriptHost.Tool.1
Key Found : HKLM\SOFTWARE\Classes\CLSID\{19D2F415-D58B-46BC-9390-C03DCBC21EB2}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{1AA60054-57D9-4F99-9A55-D0FBFBE7ECD3}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{3C471948-F874-49F5-B338-4F214A2EE0B1}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{6E45F3E8-2683-4824-A6BE-08108022FB36}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{744E0E81-BC79-4719-A58B-C98F7E78EE5D}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{9F0F16DD-4E76-4049-A9B1-7A91E48F0323}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{F4288797-CB12-49CE-9DF8-7CDFA1143BEA}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{3CCC052E-BDEE-408A-BEA7-90914EF2964B}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{61F47056-E400-43D3-AF1E-AB7DFFD4C4AD}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{E2B98EEA-EE55-4E9B-A8C1-6E5288DF785A}
Key Found : HKLM\SOFTWARE\Classes\Interface\{22B0769F-794B-4422-AC84-47B123C8986D}
Key Found : HKLM\SOFTWARE\Classes\Interface\{255E0B2A-D747-4EEF-B7CE-159D73A3656D}
Key Found : HKLM\SOFTWARE\Classes\Interface\{28ED590D-F5ED-4E05-A87F-1D759F1C6169}
Key Found : HKLM\SOFTWARE\Classes\Interface\{45D5B93F-E2ED-4AF2-915E-DCDDBDA8C33C}
Key Found : HKLM\SOFTWARE\Classes\Interface\{744E0E81-BC79-4719-A58B-C98F7E78EE5D}
Key Found : HKLM\SOFTWARE\Classes\Interface\{771B99AB-636F-4A11-9039-8DFEB927B061}
Key Found : HKLM\SOFTWARE\Classes\Interface\{A8321AA2-2227-40C7-8525-6C2F4E1B0EBE}
Key Found : HKLM\SOFTWARE\Classes\Interface\{AA41A731-6814-4A70-A6F1-C0A20FBBFBD5}
Key Found : HKLM\SOFTWARE\Classes\Interface\{ABBB8A9E-D8AF-40D1-94BE-5175077465FC}
Key Found : HKLM\SOFTWARE\Classes\Interface\{BF737694-56F6-46FA-9FDC-FA99A5B25FAD}
Key Found : HKLM\SOFTWARE\Classes\Interface\{CFCD164E-8AC9-478E-9ECC-B616A932016C}
Key Found : HKLM\SOFTWARE\Classes\Interface\{D5961CC0-B442-4567-8030-67E241EF4CC2}
Key Found : HKLM\SOFTWARE\Classes\Interface\{E450067F-1C93-41A7-928E-07E5C2EEC680}
Key Found : HKLM\SOFTWARE\Classes\Interface\{F977D9F2-4BDC-44A6-B508-7C0284C61EED}
Key Found : HKLM\SOFTWARE\Classes\TypeLib\{212C2C4F-C845-4FBC-9561-C833A13D8DCE}
Key Found : HKLM\SOFTWARE\Classes\TypeLib\{3C5D1D57-16C8-473C-A552-37B8D88596FE}
Key Found : HKLM\SOFTWARE\Classes\TypeLib\{48C9C8B0-A546-46C1-A81F-47A31E623E9D}
Key Found : HKLM\SOFTWARE\Classes\TypeLib\{4A115D8A-6A7B-4C72-92B1-2E2D01F36979}
Key Found : HKLM\SOFTWARE\Classes\TypeLib\{99DF8440-814E-497F-BDDD-FB93E9E9DF96}
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6E45F3E8-2683-4824-A6BE-08108022FB36}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2A841F7A-A014-4DA5-B6D9-8B913DFB7A8C}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{438FAE3E-BDEF-44D3-AB8B-0C7C8350DF59}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{6E45F3E8-2683-4824-A6BE-08108022FB36}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{2A841F7A-A014-4DA5-B6D9-8B913DFB7A8C}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{438FAE3E-BDEF-44D3-AB8B-0C7C8350DF59}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{6E45F3E8-2683-4824-A6BE-08108022FB36}
Key Found : HKCU\Software\APN PIP
Key Found : HKCU\Software\Burn4Free
Key Found : HKCU\Software\Check Point Software Technologies LTD
Key Found : HKCU\Software\Conduit
Key Found : HKCU\Software\Toolbar
Key Found : HKLM\SOFTWARE\Check Point Software Technologies LTD
Key Found : HKLM\SOFTWARE\CheckPoint\ISW
Key Found : HKLM\SOFTWARE\Conduit
Key Found : HKLM\SOFTWARE\PIP
Key Found : HKLM\SOFTWARE\Uniblue
Key Found : HKU\S-1-5-21-1614895754-1284227242-725345543-1003\Software\APN PIP
Key Found : HKU\S-1-5-21-1614895754-1284227242-725345543-1003\Software\Burn4Free
Key Found : HKU\S-1-5-21-1614895754-1284227242-725345543-1003\Software\Check Point Software Technologies LTD
Key Found : HKU\S-1-5-21-1614895754-1284227242-725345543-1003\Software\Conduit
Key Found : HKU\S-1-5-21-1614895754-1284227242-725345543-1003\Software\Toolbar
Data Found : HKCU\Software\Microsoft\Internet Explorer\Main [Search Page] - hxxps://search.yahoo.com/yhs/search?type=avastbcl&hspart=avast&hsimp=yhs-001&p={searchTerms}
Data Found : HKU\S-1-5-21-1614895754-1284227242-725345543-1003\Software\Microsoft\Internet Explorer\Main [Search Page] - hxxps://search.yahoo.com/yhs/search?type=avastbcl&hspart=avast&hsimp=yhs-001&p={searchTerms}
Key Found : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{03A30767-4BCC-46EC-9C62-869FC66B4EC6}
Data Found : HKCU\Software\Microsoft\Internet Explorer\SearchScopes [DefaultScope] - {03A30767-4BCC-46EC-9C62-869FC66B4EC6}
Key Found : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{9CB96984-43C3-4D44-90EF-01466EFCF7BB}
Key Found : HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{9CB96984-43C3-4D44-90EF-01466EFCF7BB}
Data Found : HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes [DefaultScope] - {9CB96984-43C3-4D44-90EF-01466EFCF7BB}
Key Found : HKU\S-1-5-21-1614895754-1284227242-725345543-1003\Software\Microsoft\Internet Explorer\SearchScopes\{03A30767-4BCC-46EC-9C62-869FC66B4EC6}
Data Found : HKU\S-1-5-21-1614895754-1284227242-725345543-1003\Software\Microsoft\Internet Explorer\SearchScopes [DefaultScope] - {03A30767-4BCC-46EC-9C62-869FC66B4EC6}
Key Found : HKU\S-1-5-21-1614895754-1284227242-725345543-1003\Software\Microsoft\Internet Explorer\SearchScopes\{9CB96984-43C3-4D44-90EF-01466EFCF7BB}

***** [ Web browsers ] *****


*************************

E:\AdwCleaner\AdwCleaner[S1].txt - [6950 bytes] - [27/06/2016 18:26:28]

########## EOF - E:\AdwCleaner\AdwCleaner[S1].txt - [7023 bytes] ##########

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Final question -- regarding earlier FRST scan, what the heck is this key doing? That can't be right...??

 

BootExecute: "autocheck autochk * "s)㐐ͱ포ጵ῔ጔ샘ӄ臰Ҫཤܹ읬ጵ잀ጵ쟼ጵ틈ጵ遑òӤT㩅䑜捯浵湥獴愠摮匠瑥楴杮屳桐汩灩愠摮䬠瑡楲屮灁汰捩瑡潩慄慴䑜潲扰硯扜湩䑜潲扰硯攮數 ᦐòҰ* Toolbox for HP Printing System for Windows㼑òҰ)坜义佄南䅜灰楬慣楴湯䐠瑡屡潍楺汬屡牐景汩獥灜楨楬⹰潤汯祥穜硬潪桲⹲汳屴慃档履െ}\#

 

 

 

Oh, one other oddity -- today the computer was able to access a USB flash drive from Safe Mode with Networking; a couple of days ago that same flash drive was not visible (not on the list of devices under My Computer).

Edited by ceratops, 27 June 2016 - 06:22 PM.


#8 Jo*

  • Malware Response Team
  • 3,445 posts
  • Gender:Male
  • Location:Germany

Posted 28 June 2016 - 02:55 AM

Hello,

***

Log on to all your user accounts now - without restarting !

Open notepad. Please copy the contents of the code box below. To do this highlight the contents of the box and right click on it. Paste this into the open notepad.
Save it in the same location as FRST / FRST64 (usually your desktop) as fixlist.txt

Start
CreateRestorePoint:
CloseProcesses:
BootExecute: "autocheck autochk * "s)㐐ͱ포ጵ῔ጔ샘ӄ臰Ҫཤܹ읬ጵ잀ጵ쟼ጵ틈ጵ遑òӤT㩅䑜捯浵湥獴愠摮匠瑥楴杮屳桐汩灩愠摮䬠瑡楲屮灁汰捩瑡潩慄慴䑜潲扰硯扜湩䑜潲扰硯攮數ᦐòҰ* Toolbox for HP Printing System for Windows㼑òҰ)坜义佄南䅜灰楬慣楴湯䐠瑡屡潍楺汬屡牐景汩獥灜楨楬⹰潤汯祥穜硬潪桲⹲汳屴慃档履െ}\#
HKU\S-1-5-21-1614895754-1284227242-725345543-1003\Software\Microsoft\Internet Explorer\Main,Search Page = hxxps://search.yahoo.com/yhs/search?type=avastbcl&hspart=avast&hsimp=yhs-001&p={searchTerms}
SearchScopes: HKLM -> DefaultScope {9CB96984-43C3-4D44-90EF-01466EFCF7BB} URL = hxxps://search.yahoo.com/yhs/search?type=avastbcl&hspart=avast&hsimp=yhs-001&p={searchTerms}
SearchScopes: HKLM -> {9CB96984-43C3-4D44-90EF-01466EFCF7BB} URL = hxxps://search.yahoo.com/yhs/search?type=avastbcl&hspart=avast&hsimp=yhs-001&p={searchTerms}
SearchScopes: HKU\S-1-5-21-1614895754-1284227242-725345543-1003 -> DefaultScope {03A30767-4BCC-46EC-9C62-869FC66B4EC6} URL = hxxp://search.zonealarm.com/search?src=sp&tbid=goughGA&Lan=en&q={searchTerms}&gu=84401430c7fb48fd972653d8a2a9f46f&tu=10GXy00B72C01g0&sku=&tstsId=&ver=&&r=46
SearchScopes: HKU\S-1-5-21-1614895754-1284227242-725345543-1003 -> {03A30767-4BCC-46EC-9C62-869FC66B4EC6} URL = hxxp://search.zonealarm.com/search?src=sp&tbid=goughGA&Lan=en&q={searchTerms}&gu=84401430c7fb48fd972653d8a2a9f46f&tu=10GXy00B72C01g0&sku=&tstsId=&ver=&&r=46
SearchScopes: HKU\S-1-5-21-1614895754-1284227242-725345543-1003 -> {9CB96984-43C3-4D44-90EF-01466EFCF7BB} URL = hxxps://search.yahoo.com/yhs/search?type=avastbcl&hspart=avast&hsimp=yhs-001&p={searchTerms}
BHO: ZoneAlarm Do Not Track Me -> {6E45F3E8-2683-4824-A6BE-08108022FB36} -> E:\Program Files\Check Point Software Technologies LTD\zonealarm\AbineSDK\IE\DNTPAddon.dll => No File
CHR Plugin: (Native Client) - E:\Program Files\Google\Chrome\Application\49.0.2623.112\ppGoogleNaClPluginChrome.dll => No File
CHR Plugin: (Chrome PDF Viewer) - E:\Program Files\Google\Chrome\Application\49.0.2623.112\pdf.dll => No File
CHR Plugin: (Shockwave Flash) - E:\Program Files\Google\Chrome\Application\49.0.2623.112\gcswf32.dll => No File
CHR Plugin: (Shockwave Flash) - E:\WINDOWS\system32\Macromed\Flash\NPSWF32_11_2_202_235.dll => No File
CHR Plugin: (Adobe Acrobat) - E:\Program Files\Adobe\Reader 11.0\Reader\Browser\nppdf32.dll => No File
CHR Plugin: (RealNetworks Chrome Background Extension Plug-In (32-bit) ) - E:\Documents and Settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprpchromebrowserrecordext.dll => No File
CHR Plugin: (RealPlayer HTML5VideoShim Plug-In (32-bit) ) - E:\Documents and Settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprphtml5videoshim.dll => No File
CHR Plugin: (RealPlayer Version Plugin) - E:\Program Files\Real\RealPlayer\Netscape6\nprpjplug.dll => No File
CHR Plugin: (npFFApi) - E:\Program Files\CheckPoint\ZAForceField\TrustChecker\bin\npFFApi.dll => No File
CHR Plugin: (Google Update) - E:\Program Files\Google\Update\1.3.21.111\npGoogleUpdate3.dll => No File
CHR Plugin: (Java Platform SE 6 U31) - E:\Program Files\Java\jre6\bin\plugin2\npjp2.dll => No File
CHR Plugin: (RealJukebox NS Plugin) - E:\Program Files\Real\RealPlayer\Netscape6\nprjplug.dll => No File
CHR Plugin: (Silverlight Plug-In) - e:\Program Files\Microsoft Silverlight\4.1.10111.0\npctrl.dll => No File
S4 IntelIde; no ImagePath
U1 WS2IFSL; no ImagePath
EmptyTemp:
End

NOTICE: This script was written specifically for this user, for use on that particular machine.
Running this on another machine may cause damage to your operating system.


Run FRST / FRST64 again as Administrator like we did before, but this time press the Fix button just once and wait.
The tool will make a log (Fixlog.txt); please post it in your reply.

Graduate of the WTT Classroom
Cheers,
Jo
If I have been helping you, and I have not replied to your latest post in 36 hours please send me a PM.
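As an added example (not from the thread, FRST or AdwCleaner) for the BootExecute question in #7 and the `BootExecute:` line in the fix above: on XP this REG_MULTI_SZ value under HKLM\System\CurrentControlSet\Control\Session Manager normally holds the single entry `autocheck autochk *`, and the CJK-looking run behind it is plain 8-bit text that has been read two bytes at a time as UTF-16LE (the code unit U+3A45, 㩅, is the bytes 45 3A, i.e. "E:", so 㩅䑜捯浵湥獴 reads "E:\Documents", matching paths seen elsewhere in these logs). The script audits the live value on Windows via the standard-library winreg module and recovers such text; its function names, the reason strings and the constructed sample value are mine.

```python
"""Audit the XP BootExecute value and read the 'garbage' found in it.

Added example for this thread; not part of FRST, AdwCleaner or the posts.
Function names, constant names and the sample value are mine.
read_boot_execute() needs Windows (standard-library winreg); the other
functions are pure and run anywhere.
"""
import re
import sys

# Registry location and the only entry a stock Windows XP install carries
# there (autochk is the boot-time chkdsk runner).  Other software may
# legitimately add entries, so a finding is a review item, not a verdict.
SESSION_MANAGER = r"System\CurrentControlSet\Control\Session Manager"
EXPECTED_DEFAULT = "autocheck autochk *"

# Constructed sample modelled on the value quoted in the thread: the default
# entry followed by 8-bit text that was read as UTF-16LE code units.  The six
# code units below are the bytes 45 3A 5C 44 6F 63 75 6D 65 6E 74 73.
SAMPLE_GARBLED = EXPECTED_DEFAULT + " " + "\u3a45\u445c\u636f\u6d75\u6e65\u7374"


def reinterpret_as_8bit(text: str, min_run: int = 4) -> list:
    """Return the printable-ASCII runs hidden in `text`.

    Each UTF-16LE code unit is split back into its two bytes (U+3A45 -> 45 3A
    -> 'E:').  Genuine UTF-16 text such as 'autocheck' turns into letters
    separated by NUL bytes and is dropped by the minimum-run filter.
    """
    as_8bit = text.encode("utf-16-le", "surrogatepass").decode("latin-1")
    return re.findall(r"[ -~]{%d,}" % min_run, as_8bit)


def audit_boot_execute(entries: list) -> list:
    """Return (entry, reason) pairs for everything other than the plain default."""
    findings = []
    for entry in entries:
        if entry.rstrip() == EXPECTED_DEFAULT:
            continue
        if any(not 0x20 <= ord(ch) <= 0x7E for ch in entry):
            findings.append((entry, "non-ASCII or non-printable data"))
        elif entry.startswith(EXPECTED_DEFAULT):
            findings.append((entry, "default entry followed by extra text"))
        else:
            findings.append((entry, "additional boot-time program; confirm who installed it"))
    return findings


def read_boot_execute() -> list:
    """Read the live value (Windows only) as a list of entries.

    A value that is not REG_MULTI_SZ is returned as a single entry so that
    the audit still sees, and flags, it.
    """
    import winreg  # standard library, present only on Windows
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, SESSION_MANAGER) as key:
        value, kind = winreg.QueryValueEx(key, "BootExecute")
    if kind == winreg.REG_MULTI_SZ:
        return list(value)
    if isinstance(value, bytes):
        return [value.decode("latin-1")]
    return [str(value)]


def report(entries: list) -> list:
    """Audit the entries and recover 8-bit text; returns one line per finding."""
    lines = []
    for entry, reason in audit_boot_execute(entries):
        lines.append(f"{reason}: {entry!r}")
        for run in reinterpret_as_8bit(entry):
            lines.append(f"    8-bit text inside the value: {run}")
    return lines or ["BootExecute holds only the default entry"]


if __name__ == "__main__":
    live = sys.platform == "win32"
    print("\n".join(report(read_boot_execute() if live else [SAMPLE_GARBLED])))
```

On a non-Windows machine the script runs against the constructed sample only; on the affected XP box it would print the live value with the recovered text beneath it.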


#9 ceratops

  • Topic Starter
  • Members
  • 60 posts

Posted 28 June 2016 - 08:41 AM

Log on to all your user accounts now - without restarting !

OK, I can do that -- as it happens, I had left the computer on after running AdwCleaner. I just wanted to point out that the AdwCleaner tool is still open at the moment; I have not yet told it to clean up any of the items that it flagged.

I do have one question before running your FRST script -- I was reading a bit of the geekstogo tutorial on FRST, to try to have some understanding of what's happening in the script, and noticed that the CreateRestorePoint command is described as "for use only in Normal Mode" -- since I am only able to run in Safe Mode at the moment, will it simply ignore that command, and continue on?



#10 Jo*

  • Malware Response Team
  • 3,445 posts
  • Gender:Male
  • Location:Germany

Posted 28 June 2016 - 09:03 AM

Save your open files and close all open programs, even AdwCleaner.

The FRST script should work even if no restore point is possible.

Graduate of the WTT Classroom
Cheers,
Jo
If I have been helping you, and I have not replied to your latest post in 36 hours please send me a PM.


#11 ceratops

  • Topic Starter
  • Members
  • 60 posts

Posted 28 June 2016 - 10:05 AM

A quick note -- saving the script .txt file in default ANSI format didn't work, because of the special characters (Chinese?). Fortunately, the system advised me to save it in a Unicode format instead.

I ran FRST with the script you provided. When it finished, it said it needed to reboot. Since I have only been able to run in Safe Mode lately, I automatically intervened to tell the system to come up in Safe Mode on reboot (perhaps I shouldn't have done this). In any case, the system was unable to come up in Safe Mode. Neither would it come up in Safe Mode with Networking. As a last resort I tried to have it restart in Last Known Good Configuration -- the full Windows XP desktop came up (looked much more normal than the last few times I let the machine come up in normal mode). From there, I was able to copy the fixlog file to a USB flash drive.

However, I'm concerned that the fixes done by FRST may not have been entirely successful, since I didn't let it reboot immediately into normal Windows mode. Should I let FRST run the script and reboot a second time?

Also, having Safe Mode now apparently inaccessible appears to be a new problem...

Thanks, and please advise what to do next.

FRST fixlog:

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Fix result of Farbar Recovery Scan Tool (x86) Version: 20-06-2016 01
Ran by Philip and Katrin (2016-06-28 10:29:59) Run:1
Running from E:\Documents and Settings\Philip and Katrin\Desktop
Loaded Profiles: Philip and Katrin (Available Profiles: Philip and Katrin)
Boot Mode: Safe Mode (minimal)

==============================================

fixlist content:
*****************
Start
CreateRestorePoint:
CloseProcesses:
BootExecute: "autocheck autochk * "s)㐐ͱ포ጵ῔ጔ샘ӄ臰Ҫཤܹ읬ጵ잀ጵ쟼ጵ틈ጵ遑òӤT㩅䑜捯浵湥獴愠摮匠瑥楴杮屳桐汩灩愠摮䬠瑡楲屮灁汰捩瑡潩慄慴䑜潲扰硯扜湩䑜潲扰硯攮數ᦐòҰ* Toolbox for HP Printing System for Windows㼑òҰ)坜义佄南䅜灰楬慣楴湯䐠瑡屡潍楺汬屡牐景汩獥灜楨楬⹰潤汯祥穜硬潪桲⹲汳屴慃档履െ}\#
HKU\S-1-5-21-1614895754-1284227242-725345543-1003\Software\Microsoft\Internet Explorer\Main,Search Page = hxxps://search.yahoo.com/yhs/search?type=avastbcl&hspart=avast&hsimp=yhs-001&p={searchTerms}
SearchScopes: HKLM -> DefaultScope {9CB96984-43C3-4D44-90EF-01466EFCF7BB} URL = hxxps://search.yahoo.com/yhs/search?type=avastbcl&hspart=avast&hsimp=yhs-001&p={searchTerms}
SearchScopes: HKLM -> {9CB96984-43C3-4D44-90EF-01466EFCF7BB} URL = hxxps://search.yahoo.com/yhs/search?type=avastbcl&hspart=avast&hsimp=yhs-001&p={searchTerms}
SearchScopes: HKU\S-1-5-21-1614895754-1284227242-725345543-1003 -> DefaultScope {03A30767-4BCC-46EC-9C62-869FC66B4EC6} URL = hxxp://search.zonealarm.com/search?src=sp&tbid=goughGA&Lan=en&q={searchTerms}&gu=84401430c7fb48fd972653d8a2a9f46f&tu=10GXy00B72C01g0&sku=&tstsId=&ver=&&r=46
SearchScopes: HKU\S-1-5-21-1614895754-1284227242-725345543-1003 -> {03A30767-4BCC-46EC-9C62-869FC66B4EC6} URL = hxxp://search.zonealarm.com/search?src=sp&tbid=goughGA&Lan=en&q={searchTerms}&gu=84401430c7fb48fd972653d8a2a9f46f&tu=10GXy00B72C01g0&sku=&tstsId=&ver=&&r=46
SearchScopes: HKU\S-1-5-21-1614895754-1284227242-725345543-1003 -> {9CB96984-43C3-4D44-90EF-01466EFCF7BB} URL = hxxps://search.yahoo.com/yhs/search?type=avastbcl&hspart=avast&hsimp=yhs-001&p={searchTerms}
BHO: ZoneAlarm Do Not Track Me -> {6E45F3E8-2683-4824-A6BE-08108022FB36} -> E:\Program Files\Check Point Software Technologies LTD\zonealarm\AbineSDK\IE\DNTPAddon.dll => No File
CHR Plugin: (Native Client) - E:\Program Files\Google\Chrome\Application\49.0.2623.112\ppGoogleNaClPluginChrome.dll => No File
CHR Plugin: (Chrome PDF Viewer) - E:\Program Files\Google\Chrome\Application\49.0.2623.112\pdf.dll => No File
CHR Plugin: (Shockwave Flash) - E:\Program Files\Google\Chrome\Application\49.0.2623.112\gcswf32.dll => No File
CHR Plugin: (Shockwave Flash) - E:\WINDOWS\system32\Macromed\Flash\NPSWF32_11_2_202_235.dll => No File
CHR Plugin: (Adobe Acrobat) - E:\Program Files\Adobe\Reader 11.0\Reader\Browser\nppdf32.dll => No File
CHR Plugin: (RealNetworks Chrome Background Extension Plug-In (32-bit) ) - E:\Documents and Settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprpchromebrowserrecordext.dll => No File
CHR Plugin: (RealPlayer HTML5VideoShim Plug-In (32-bit) ) - E:\Documents and Settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprphtml5videoshim.dll => No File
CHR Plugin: (RealPlayer Version Plugin) - E:\Program Files\Real\RealPlayer\Netscape6\nprpjplug.dll => No File
CHR Plugin: (npFFApi) - E:\Program Files\CheckPoint\ZAForceField\TrustChecker\bin\npFFApi.dll => No File
CHR Plugin: (Google Update) - E:\Program Files\Google\Update\1.3.21.111\npGoogleUpdate3.dll => No File
CHR Plugin: (Java Platform SE 6 U31) - E:\Program Files\Java\jre6\bin\plugin2\npjp2.dll => No File
CHR Plugin: (RealJukebox NS Plugin) - E:\Program Files\Real\RealPlayer\Netscape6\nprjplug.dll => No File
CHR Plugin: (Silverlight Plug-In) - e:\Program Files\Microsoft Silverlight\4.1.10111.0\npctrl.dll => No File
S4 IntelIde; no ImagePath
U1 WS2IFSL; no ImagePath
EmptyTemp:
End
*****************

Error: Restore point can only be created in normal mode.
Processes closed successfully.
hklm\System\CurrentControlSet\Control\Session Manager\\BootExecute => value restored successfully
HKU\S-1-5-21-1614895754-1284227242-725345543-1003\Software\Microsoft\Internet Explorer\Main\\Search Page => value restored successfully
HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => value restored successfully
"HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{9CB96984-43C3-4D44-90EF-01466EFCF7BB}" => key removed successfully.
HKCR\CLSID\{9CB96984-43C3-4D44-90EF-01466EFCF7BB} => key not found.
HKU\S-1-5-21-1614895754-1284227242-725345543-1003\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => value removed successfully.
"HKU\S-1-5-21-1614895754-1284227242-725345543-1003\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{03A30767-4BCC-46EC-9C62-869FC66B4EC6}" => key removed successfully.
HKCR\CLSID\{03A30767-4BCC-46EC-9C62-869FC66B4EC6} => key not found.
"HKU\S-1-5-21-1614895754-1284227242-725345543-1003\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{9CB96984-43C3-4D44-90EF-01466EFCF7BB}" => key removed successfully.
HKCR\CLSID\{9CB96984-43C3-4D44-90EF-01466EFCF7BB} => key not found.
"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6E45F3E8-2683-4824-A6BE-08108022FB36}" => key removed successfully.
"HKCR\CLSID\{6E45F3E8-2683-4824-A6BE-08108022FB36}" => key removed successfully.
E:\Program Files\Google\Chrome\Application\49.0.2623.112\ppGoogleNaClPluginChrome.dll => not found.
E:\Program Files\Google\Chrome\Application\49.0.2623.112\pdf.dll => not found.
E:\Program Files\Google\Chrome\Application\49.0.2623.112\gcswf32.dll => not found.
E:\WINDOWS\system32\Macromed\Flash\NPSWF32_11_2_202_235.dll => not found.
E:\Program Files\Adobe\Reader 11.0\Reader\Browser\nppdf32.dll => moved successfully
E:\Documents and Settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprpchromebrowserrecordext.dll => not found.
E:\Documents and Settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprphtml5videoshim.dll => not found.
E:\Program Files\Real\RealPlayer\Netscape6\nprpjplug.dll => not found.
E:\Program Files\CheckPoint\ZAForceField\TrustChecker\bin\npFFApi.dll => not found.
E:\Program Files\Google\Update\1.3.21.111\npGoogleUpdate3.dll => not found.
E:\Program Files\Java\jre6\bin\plugin2\npjp2.dll => not found.
E:\Program Files\Real\RealPlayer\Netscape6\nprjplug.dll => not found.
e:\Program Files\Microsoft Silverlight\4.1.10111.0\npctrl.dll => not found.
IntelIde => service removed successfully.
WS2IFSL => service removed successfully.

=========== EmptyTemp: ==========

BITS transfer queue => 0 B
DOMStoree, IE Recovery, AppCache, Feeds Cache, Thumbcache => 276287 B
Java, Flash, Steam htmlcache => 738446 B
Windows/system/dllcache/drivers => 40637663 B
Edge => 0 B
Chrome => 84325018 B
Firefox => 314381803 B
Opera => 0 B

Temp, IE cache, history, cookies, recent:
Default User => 32994 B
All Users => 0 B
systemprofile => 196699515 B
LocalService => 131979 B
NetworkService => 66164 B
Philip and Katrin => 2418862127 B

RecycleBin => 1203674768 B
EmptyTemp: => 4 GB temporary data Removed.

================================


The system needed a reboot.

==== End of Fixlog 10:38:27 ====



#12 Jo*

  • Malware Response Team
  • 3,445 posts
  • Gender:Male
  • Location:Germany

Posted 28 June 2016 - 10:13 AM

Hello,

:step1: Run Malwarebytes Anti-Rootkit again: Right-click mbar.exe and select Run As Administrator
  • Scan your system for malware
  • If malware is found, click on the Cleanup button to remove any threats and reboot if prompted to do so.
  • Wait while the system shuts down and the cleanup process is performed.
  • Then please go to the MBAR folder and copy/paste the contents of the MBAR-log-***.txt file to your next reply.
  • If there is no malware found, please let me know as well.

***


:step2: Double click on AdwCleaner.exe to run the tool again.
Vista / Windows 7/8 users right-click and select Run As Administrator.
  • Click on the Scan button.
  • AdwCleaner will begin to scan your computer like it did before.
  • When the scan has finished, the actual line should say "Pending. Please uncheck elements you do not want to remove". Look through the scan results and uncheck any entries that you do not wish to remove.
  • This time, click on the Cleaning button.
  • Press OK when asked to close all programs and follow the onscreen prompts.
  • Press OK again to allow AdwCleaner to restart the computer and complete the removal process.
  • After rebooting, a logfile report (AdwCleaner[C#].txt) will open automatically (where the largest value of # represents the most recent report).
  • Copy and paste the contents of that logfile in your next reply.
  • A copy of that logfile will also be saved in the C:\AdwCleaner folder.

***


:step3: Please download Junkware Removal Tool from HERE and save it to your desktop.
Shutdown your antivirus to avoid any potential conflicts.
Double click JRT.exe to run the tool.
Vista / Windows 7/8 users right-click and select Run As Administrator.
  • JRT will begin to backup your registry and start scanning your system.
  • Please be patient as this can take a while to complete depending on your system's specifications.
  • On completion, the log JRT.txt is saved on your desktop and will automatically open.
Enable your antivirus!
Post the contents of JRT.txt into your next reply.


***


:step4: FRST / FRST64: run it again.
  • Right-click FRST / FRST64 then click "Run as administrator" (XP users: click Run after receipt of Windows Security Warning - Open File).
  • When the tool opens, click Yes to disclaimer.
  • Put a check into the box next to Addition.txt and press the Scan button.
  • When finished, it will produce logs called FRST.txt and Addition.txt in the same directory the tool was run from.
  • Please copy and paste both logs in your next reply.

***


Graduate of the WTT Classroom
Cheers,
Jo
If I have been helping you, and I have not replied to your latest post in 36 hours please send me a PM.


#13 ceratops

  • Topic Starter
  • Members
  • 60 posts

Posted 28 June 2016 - 10:16 AM

Just wanted to confirm... since I am now in normal Windows mode, I should run all of the above from there?

Also, I have the network cable unplugged at the moment -- I assume I should plug that back in to allow the various tools to try to get their updates?



#14 Jo*

  • Malware Response Team
  • 3,445 posts
  • Gender:Male
  • Location:Germany

Posted 28 June 2016 - 10:18 AM

The answer for both questions is yes.

Graduate of the WTT Classroom
Cheers,
Jo
If I have been helping you, and I have not replied to your latest post in 36 hours please send me a PM.


#15 ceratops

  • Topic Starter
  • Members
  • 60 posts

Posted 28 June 2016 - 11:40 AM

Interim report...

I ran MBAR in the normal Windows XP environment. It got its updates and started running. It then got stuck for >15 minutes on a file in WINDOWS\SYSTEM32\drivers. I realized I had not followed your instructions about right-clicking on MBAR and running it as administrator, and decided to start over, especially since the tool was apparently stuck anyway. The MBAR application didn't respond to its CANCEL button, nor was it possible to end the application from the Windows environment -- I had to push the power button again to reboot.

I let the system boot up again in normal Windows mode, and then started MBAR again, logging in as administrator as requested. It ran for a while, and then got stuck again, this time on a .JPG file in DOCUMENTS AND SETTINGS\PHILIP\LOCAL SETTINGS\TEMP. This is not even a current user account; probably just some archived stuff from several years ago, so it's hard to imagine an actual problem with that specific file.

Again, it proved impossible to end the MBAR application in the normal ways, and I had to push the power button again to reboot.

This is very much like the sort of unreliable behavior we were having in the normal Windows environment at the start of this thread.

I decided to try rebooting into Safe Mode with Networking again, and it worked this time. I then ran MBAR from Safe Mode (running it as administrator was not possible -- got a message that this was not possible in Safe Mode) and it ran to completion. As before, it reported no malware found.

So, at this point, since the normal Windows environment still seems pretty unreliable, do you want me to do the other 3 steps (AdwCleaner, JRT, FRST) in your previous instructions from Safe Mode?

Or should I do something else first?





