Windows 7-Appears infected, most sites not available, invalid certificate errors


23 replies to this topic

#1 whatisavailable

  • Members
  • 212 posts
  • Gender:Male
  • Location:Texas

Posted 21 August 2016 - 09:39 PM

Hi

Per request, I am creating a new post.

Windows 7 desktop. Several attempts to clean it have failed.

cnn.com is available, but nearly every other site fails, including bleepingcomputer.com, so we will be using a USB drive until it has access to the internet.

I submit the following and the attached.

Appreciate your help!

 

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 21-08-2016 01

Ran by Bill (administrator) on BILL-PC (21-08-2016 20:23:58)

Running from C:\Users\Bill\Desktop

Loaded Profiles: Bill (Available Profiles: Bill & Rosemary & UpdatusUser)

Platform: Windows 7 Home Premium Service Pack 1 (X64) Language: English (United States)

Internet Explorer Version 11 (Default browser: IE)

Boot Mode: Normal

Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/



==================== Processes (Whitelisted) =================



(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)



(NVIDIA Corporation) C:\Windows\System32\nvvsvc.exe

(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe

(NVIDIA Corporation) C:\Windows\System32\nvvsvc.exe

(AVAST Software) C:\Program Files\AVAST Software\Avast\AvastSvc.exe

(AVAST Software) C:\Program Files\AVAST Software\Avast\afwServ.exe

(ArcSoft Inc.) C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACService.exe

(Microsoft Corporation) C:\Program Files (x86)\Skype\Toolbars\AutoUpdate\SkypeC2CAutoUpdateSvc.exe

(Microsoft Corporation) C:\Program Files (x86)\Skype\Toolbars\PNRSvc\SkypeC2CPNRSvc.exe

(Acer Incorporated) C:\Program Files (x86)\eMachines\Registration\GregHSRW.exe

(AO Kaspersky Lab) C:\Program Files (x86)\Kaspersky Lab\Kaspersky Security Scan\kss.exe

(Logitech Inc.) C:\Program Files\Common Files\logishrd\LVMVFM\LVPrcSrv.exe

(Logitech Inc.) C:\Program Files (x86)\Common Files\LogiShrd\LVMVFM\LVPrS64H.exe

(Malwarebytes) C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe

(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe

(Malwarebytes) C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe

(AO Kaspersky Lab) C:\Program Files (x86)\Kaspersky Lab\Kaspersky Security Scan\kss.exe

(AO Kaspersky Lab) C:\Program Files (x86)\Kaspersky Lab\Kaspersky Security Scan\kss.exe

(Skype Technologies S.A.) C:\Program Files (x86)\Skype\Phone\Skype.exe

(Skype Technologies) C:\Program Files (x86)\Skype\Updater\Updater.exe

(AO Kaspersky Lab) C:\Program Files (x86)\Kaspersky Lab\Kaspersky Software Updater Beta\ksu.exe

(Malwarebytes) C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe

(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\Display\nvtray.exe

(ArcSoft Inc.) C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe

(RealNetworks, Inc.) C:\Program Files (x86)\Real\RealPlayer\RPDS\Bin\rpsystray.exe

(Acer) C:\Program Files\eMachines\eMachines Updater\UpdaterService.exe

() C:\Program Files\Logitech\Logitech WebCam Software\LWS.exe

(AVAST Software) C:\Program Files\AVAST Software\Avast\AvastUI.exe

() C:\Program Files (x86)\RealNetworks\RealDownloader\downloader2.exe

() C:\Program Files (x86)\Common Files\LogiShrd\LQCVFX\COCIManager.exe

(Adobe Systems Incorporated) C:\Program Files (x86)\Adobe\Reader 9.0\Reader\reader_sl.exe

(RealNetworks, Inc.) C:\Program Files (x86)\Real\RealPlayer\RPDS\Bin\rpdsvc.exe

(AO Kaspersky Lab) C:\Program Files (x86)\Kaspersky Lab\Kaspersky Security Scan\kss.exe

(Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe

(Tweaking.com) C:\Program Files (x86)\Tweaking.com\Windows Repair (All in One)\WR_Tray_Icon.exe

(Logitech, Inc.) C:\Program Files\Logitech\Logitech WebCam Software\LU\LULnchr.exe

(Logitech, Inc.) C:\Program Files\Logitech\Logitech WebCam Software\LU\LogitechUpdate.exe

(Microsoft Corporation) C:\Windows\System32\dllhost.exe





==================== Registry (Whitelisted) ===========================



(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)



HKLM\...\Run: [RtHDVCpl] => C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe [7981088 2009-07-20] (Realtek Semiconductor)

HKLM-x32\...\Run: [ArcSoft Connection Service] => C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe [207424 2010-10-27] (ArcSoft Inc.)

HKLM-x32\...\Run: [LogitechQuickCamRibbon] => C:\Program Files\Logitech\Logitech WebCam Software\LWS.exe [2793304 2009-10-14] ()

HKLM-x32\...\Run: [Adobe ARM] => C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe [958576 2013-04-04] (Adobe Systems Incorporated)

HKLM-x32\...\Run: [AvastUI.exe] => C:\Program Files\AVAST Software\Avast\AvastUI.exe [9103976 2016-08-18] (AVAST Software)

HKLM-x32\...\Run: [SunJavaUpdateSched] => C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe [598552 2016-06-22] (Oracle Corporation)

HKLM-x32\...\Run: [TkBellExe] => C:\Program Files (x86)\Real\RealPlayer\Update\realsched.exe [293768 2016-08-19] (RealNetworks, Inc.)

HKLM-x32\...\Run: [RealDownloader] => C:\Program Files (x86)\RealNetworks\RealDownloader\downloader2.exe [714992 2016-05-13] ()

HKU\S-1-5-21-720449975-2614750782-2466370000-1001\...\Run: [KSS] => C:\Program Files (x86)\Kaspersky Lab\Kaspersky Security Scan\kss.exe [1556448 2015-12-15] (AO Kaspersky Lab)

HKU\S-1-5-21-720449975-2614750782-2466370000-1001\...\Run: [Skype] => C:\Program Files (x86)\Skype\Phone\Skype.exe [29494400 2016-07-13] (Skype Technologies S.A.)

HKU\S-1-5-18\...\Run: [KSS] => C:\Program Files (x86)\Kaspersky Lab\Kaspersky Security Scan\kss.exe [1556448 2015-12-15] (AO Kaspersky Lab)

ShellIconOverlayIdentifiers: [00avast] -> {472083B0-C522-11CF-8763-00608CC02F24} => C:\Program Files\AVAST Software\Avast\ashShA64.dll [2016-08-18] (AVAST Software)

Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Kaspersky Software Updater Beta.lnk [2016-08-16]

ShortcutTarget: Kaspersky Software Updater Beta.lnk -> C:\Program Files (x86)\Kaspersky Lab\Kaspersky Software Updater Beta\ksu.exe (AO Kaspersky Lab)

Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\RealTimes.lnk [2016-08-19]

ShortcutTarget: RealTimes.lnk -> C:\Program Files (x86)\Real\RealPlayer\RPDS\Bin\rpsystray.exe (RealNetworks, Inc.)



==================== Internet (Whitelisted) ====================



(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)



Winsock: Catalog5 08 C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WLIDNSP.DLL No File

Winsock: Catalog5 09 C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WLIDNSP.DLL No File

Winsock: Catalog5-x64 08 C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDNSP.DLL No File

Winsock: Catalog5-x64 09 C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDNSP.DLL No File

Tcpip\Parameters: [DhcpNameServer] 192.168.1.254

Tcpip\..\Interfaces\{6014EB82-7467-411F-99AD-057385EF415B}: [DhcpNameServer] 192.168.1.254



Internet Explorer:

==================

HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION

HKU\S-1-5-21-720449975-2614750782-2466370000-1001\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION

HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch

HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=msnhome

HKU\S-1-5-21-720449975-2614750782-2466370000-1001\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.msn.com/?pc=UP97&ocid=UP97DHP

HKU\S-1-5-21-720449975-2614750782-2466370000-1001\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch

SearchScopes: HKLM-x32 -> DefaultScope {67A2568C-7A0A-4EED-AECC-B5405DE63B64} URL = hxxp://www.google.com/search?sourceid=ie7&q={searchTerms}&rls=com.microsoft:{language}:{referrer:source?}&ie={inputEncoding}&oe={outputEncoding}&rlz=1I7ACEW

SearchScopes: HKLM-x32 -> {67A2568C-7A0A-4EED-AECC-B5405DE63B64} URL = hxxp://www.google.com/search?sourceid=ie7&q={searchTerms}&rls=com.microsoft:{language}:{referrer:source?}&ie={inputEncoding}&oe={outputEncoding}&rlz=1I7ACEW

SearchScopes: HKU\S-1-5-21-720449975-2614750782-2466370000-1001 -> {67A2568C-7A0A-4EED-AECC-B5405DE63B64} URL = hxxp://www.google.com/search?sourceid=ie7&q={searchTerms}&rls=com.microsoft:{language}:{referrer:source?}&ie={inputEncoding}&oe={outputEncoding}&rlz=1I7ACEW_enUS363US363

BHO: RealNetworks Download and Record Plugin for Internet Explorer -> {3049C3E9-B461-4BC5-8870-4C09146192CA} -> C:\Program Files (x86)\RealNetworks\RealDownloader\BrowserPlugins\IE\rndlbrowserrecordplugin64.dll [2016-05-13] (RealDownloader)

BHO: avast! Online Security -> {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} -> C:\Program Files\AVAST Software\Avast\aswWebRepIE64.dll [2016-08-18] (AVAST Software)

BHO: Skype Click to Call for Internet Explorer -> {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} -> C:\Program Files (x86)\Skype\Toolbars\Internet Explorer x64\skypeieplugin.dll [2016-05-25] (Microsoft Corporation)

BHO-x32: Adobe PDF Link Helper -> {18DF081C-E8AD-4283-A596-FA578C2EBDC3} -> C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll [2013-05-08] (Adobe Systems Incorporated)

BHO-x32: RealNetworks Download and Record Plugin for Internet Explorer -> {3049C3E9-B461-4BC5-8870-4C09146192CA} -> C:\Program Files (x86)\RealNetworks\RealDownloader\BrowserPlugins\IE\rndlbrowserrecordplugin.dll [2016-05-13] (RealDownloader)

BHO-x32: No Name -> {5C255C8A-E604-49b4-9D64-90988571CECB} -> No File

BHO-x32: Java™ Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files (x86)\Java\jre1.8.0_101\bin\ssv.dll [2016-08-19] (Oracle Corporation)

BHO-x32: avast! Online Security -> {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} -> C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll [2016-08-18] (AVAST Software)

BHO-x32: Windows Live Sign-in Helper -> {9030D464-4C02-4ABF-8ECC-5164760863C6} -> C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll [2009-01-22] (Microsoft Corporation)

BHO-x32: Skype Click to Call for Internet Explorer -> {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} -> C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll [2016-05-25] (Microsoft Corporation)

BHO-x32: Java™ Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files (x86)\Java\jre1.8.0_101\bin\jp2ssv.dll [2016-08-19] (Oracle Corporation)

Toolbar: HKU\S-1-5-21-720449975-2614750782-2466370000-1001 -> No Name - {2318C2B1-4965-11D4-9B18-009027A5CD4F} -  No File

DPF: HKLM-x32 {C345E174-3E87-4F41-A01C-B066A90A49B4} hxxp://trial.trymicrosoftoffice.com/trialoaa/buymsoffice_assets/framework/microsoft/wrc32.ocx

DPF: HKLM-x32 {E2883E8F-472F-4FB0-9522-AC9BF37916A7} hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

Handler: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~2\WIC4A1~1\MESSEN~1\MSGRAP~1.DLL No File

Handler: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~2\WIC4A1~1\MESSEN~1\MSGRAP~1.DLL No File

Handler-x32: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files (x86)\Common Files\Skype\Skype4COM.dll [2016-02-01] (Skype Technologies)

Handler: skypec2c - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer x64\skypeieplugin.dll [2016-05-25] (Microsoft Corporation)

Handler-x32: skypec2c - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll [2016-05-25] (Microsoft Corporation)



FireFox:

========

FF Plugin: @microsoft.com/GENUINE -> disabled [No File]

FF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files\Microsoft Silverlight\5.1.41212.0\npctrl.dll [2015-12-12] ( Microsoft Corporation)

FF Plugin-x32: @java.com/DTPlugin,version=11.101.2 -> C:\Program Files (x86)\Java\jre1.8.0_101\bin\dtplugin\npDeployJava1.dll [2016-08-19] (Oracle Corporation)

FF Plugin-x32: @java.com/JavaPlugin,version=11.101.2 -> C:\Program Files (x86)\Java\jre1.8.0_101\bin\plugin2\npjp2.dll [2016-08-19] (Oracle Corporation)

FF Plugin-x32: @microsoft.com/GENUINE -> disabled [No File]

FF Plugin-x32: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files (x86)\Microsoft Silverlight\5.1.41212.0\npctrl.dll [2015-12-12] ( Microsoft Corporation)

FF Plugin-x32: @microsoft.com/WLPG,version=14.0.8117.0416 -> C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll [2010-04-16] (Microsoft Corporation)

FF Plugin-x32: @real.com/nppl3260;version=18.1.4.135 -> C:\Program Files (x86)\Real\RealPlayer\Netscape6\nppl3260.dll [2016-08-19] (RealNetworks, Inc.)

FF Plugin-x32: @real.com/nprpchromebrowserrecordext;version=15.0.6.14 -> C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprpchromebrowserrecordext.dll [2012-12-02] (RealNetworks, Inc.)

FF Plugin-x32: @real.com/nprphtml5videoshim;version=15.0.6.14 -> C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprphtml5videoshim.dll [2012-12-02] (RealNetworks, Inc.)

FF Plugin-x32: @real.com/nprpplugin;version=18.1.4.135 -> C:\Program Files (x86)\Real\RealPlayer\Netscape6\nprpplugin.dll [2016-08-19] (RealPlayer)

FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.31.5\npGoogleUpdate3.dll [2016-08-04] (Google Inc.)

FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.31.5\npGoogleUpdate3.dll [2016-08-04] (Google Inc.)

FF Plugin-x32: Adobe Reader -> C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\nppdf32.dll [2013-05-08] (Adobe Systems Inc.)

FF Plugin HKU\S-1-5-21-720449975-2614750782-2466370000-1001: @yahoo.com/BrowserPlus,version=2.9.8 -> C:\Users\Bill\AppData\Local\Yahoo!\BrowserPlus\2.9.8\Plugins\npybrowserplus_2.9.8.dll [2010-08-04] (Yahoo! Inc.)

FF HKLM\...\Firefox\Extensions: [sp@avast.com] - C:\Program Files\AVAST Software\Avast\SafePrice\FF

FF Extension: Avast SafePrice - C:\Program Files\AVAST Software\Avast\SafePrice\FF [2016-08-18]

FF HKLM\...\Firefox\Extensions: [wrc@avast.com] - C:\Program Files\AVAST Software\Avast\WebRep\FF

FF Extension: Avast Online Security - C:\Program Files\AVAST Software\Avast\WebRep\FF [2016-08-18]

FF HKLM-x32\...\Firefox\Extensions: [{ABDE892B-13A8-4d1b-88E6-365A6E755758}] - C:\ProgramData\RealNetworks\RealDownloader\BrowserPlugins\Firefox\Ext => not found

FF HKLM-x32\...\Firefox\Extensions: [sp@avast.com] - C:\Program Files\AVAST Software\Avast\SafePrice\FF

FF HKLM-x32\...\Firefox\Extensions: [wrc@avast.com] - C:\Program Files\AVAST Software\Avast\WebRep\FF

FF HKLM-x32\...\Firefox\Extensions: [{0153E448-190B-4987-BDE1-F256CADA672F}] - C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext

FF Extension: RealPlayer Browser Record Plugin - C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext [2016-08-04] [not signed]



Chrome:

=======

CHR Profile: C:\Users\Bill\AppData\Local\Google\Chrome\User Data\Default

CHR Extension: (RealPlayer Downloader) - C:\Users\Bill\AppData\Local\Google\Chrome\User Data\Default\Extensions\idhngdhcfkoamngbedgpaokgjbnpdiji [2016-08-18]

CHR HKLM\...\Chrome\Extension: [iikflkcanblccfahdhdonehdalibjnif] - hxxps://clients2.google.com/service/update2/crx

CHR HKLM-x32\...\Chrome\Extension: [eofcbnmajmjmplflapaojjnihcjkigck] - hxxps://clients2.google.com/service/update2/crx

CHR HKLM-x32\...\Chrome\Extension: [gomekmidlodglbbmalcneegieacbdmki] - hxxps://clients2.google.com/service/update2/crx

CHR HKLM-x32\...\Chrome\Extension: [iikflkcanblccfahdhdonehdalibjnif] - hxxps://clients2.google.com/service/update2/crx

CHR HKLM-x32\...\Chrome\Extension: [jfmjfhklogoienhpfnppmbcbjfjnkonk] - C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\Chrome\Ext\rphtml5video.crx [2012-12-02]

CHR HKLM-x32\...\Chrome\Extension: [lifbcibllhkdhoafpjfnlhfpfgnpldfl] - C:\Program Files (x86)\Skype\Toolbars\ChromeExtension\skype_chrome_extension.crx [2016-05-25]



==================== Services (Whitelisted) ========================



(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)



R2 ACDaemon; C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACService.exe [113152 2010-03-18] (ArcSoft Inc.)

R2 avast! Antivirus; C:\Program Files\AVAST Software\Avast\AvastSvc.exe [197128 2016-08-18] (AVAST Software)

R2 avast! Firewall; C:\Program Files\AVAST Software\Avast\afwServ.exe [223600 2016-08-18] (AVAST Software)

R2 c2cautoupdatesvc; C:\Program Files (x86)\Skype\Toolbars\AutoUpdate\SkypeC2CAutoUpdateSvc.exe [1364096 2016-05-25] (Microsoft Corporation)

R2 c2cpnrsvc; C:\Program Files (x86)\Skype\Toolbars\PNRSvc\SkypeC2CPNRSvc.exe [1687680 2016-05-25] (Microsoft Corporation)

S3 GameConsoleService; C:\Program Files (x86)\eMachines Games\eMachines Game Console\GameConsoleService.exe [250616 2009-05-22] (WildTangent, Inc.)

R2 Greg_Service; C:\Program Files (x86)\eMachines\Registration\GregHSRW.exe [1150496 2009-08-28] (Acer Incorporated)

R2 kss; C:\Program Files (x86)\Kaspersky Lab\Kaspersky Security Scan\kss.exe [1556448 2015-12-15] (AO Kaspersky Lab)

R2 MBAMScheduler; C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe [1514464 2016-03-10] (Malwarebytes)

R2 MBAMService; C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe [1136608 2016-03-10] (Malwarebytes)

R2 RealTimes Desktop Service; C:\Program Files (x86)\Real\RealPlayer\RPDS\Bin\rpdsvc.exe [1095440 2016-08-19] (RealNetworks, Inc.)

R2 Updater Service; C:\Program Files\eMachines\eMachines Updater\UpdaterService.exe [240160 2009-07-03] (Acer)

S3 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [1011712 2013-05-27] (Microsoft Corporation)



===================== Drivers (Whitelisted) ==========================



(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)



U5 AppMgmt; C:\Windows\system32\svchost.exe [27136 2009-07-13] (Microsoft Corporation)

S3 aswHwid; C:\Windows\system32\drivers\aswHwid.sys [37656 2016-08-18] (AVAST Software)

R1 aswKbd; C:\Windows\system32\drivers\aswKbd.sys [37144 2016-08-18] (AVAST Software)

R2 aswMonFlt; C:\Windows\system32\drivers\aswMonFlt.sys [108816 2016-08-18] (AVAST Software)

R3 aswNetNd6; C:\Windows\System32\DRIVERS\aswNetNd6.sys [28312 2016-08-18] (AVAST Software)

R1 aswNetSec; C:\Windows\system32\drivers\aswNetSec.sys [453192 2016-08-18] (AVAST Software)

R1 aswRdr; C:\Windows\system32\drivers\aswRdr2.sys [103064 2016-08-18] (AVAST Software)

R0 aswRvrt; C:\Windows\System32\Drivers\aswRvrt.sys [74544 2016-08-18] (AVAST Software)

R1 aswSnx; C:\Windows\system32\drivers\aswSnx.sys [969560 2016-08-18] (AVAST Software)

R1 aswSP; C:\Windows\system32\drivers\aswSP.sys [513496 2016-08-18] (AVAST Software)

R2 aswStm; C:\Windows\system32\drivers\aswStm.sys [163416 2016-08-18] (AVAST Software)

R0 aswVmm; C:\Windows\System32\Drivers\aswVmm.sys [292704 2016-08-18] (AVAST Software)

S3 ebdrv; C:\Windows\system32\DRIVERS\evbda.sys [3286016 2009-06-10] (Broadcom Corporation)

R3 LVPr2M64; C:\Windows\System32\DRIVERS\LVPr2M64.sys [30232 2009-10-07] ()

S3 LVPr2Mon; C:\Windows\System32\DRIVERS\LVPr2M64.sys [30232 2009-10-07] ()

R1 mbamchameleon; C:\Windows\system32\drivers\mbamchameleon.sys [140672 2016-03-10] (Malwarebytes)

R3 MBAMProtector; C:\Windows\system32\drivers\mbam.sys [27008 2016-03-10] (Malwarebytes)

R3 MBAMSwissArmy; C:\Windows\system32\drivers\MBAMSwissArmy.sys [192216 2016-08-21] (Malwarebytes)

R3 MBAMWebAccessControl; C:\Windows\system32\drivers\mwac.sys [64896 2016-03-10] (Malwarebytes Corporation)

S3 catchme; \??\C:\ComboFix-3\catchme.sys [X]

S3 MFE_RR; \??\C:\Users\Bill\AppData\Local\Temp\mfe_rr.sys [X]



==================== NetSvcs (Whitelisted) ===================



(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)





==================== One Month Created files and folders ========



(If an entry is included in the fixlist, the file/folder will be moved.)



2016-08-21 20:23 - 2016-08-21 20:26 - 00020023 _____ C:\Users\Bill\Desktop\FRST.txt

2016-08-21 20:23 - 2016-08-21 20:23 - 00000000 ____D C:\FRST

2016-08-21 20:23 - 2016-08-21 20:00 - 02396672 _____ (Farbar) C:\Users\Bill\Desktop\FRST64.exe

2016-08-19 22:16 - 2016-08-19 22:16 - 00013739 _____ C:\ComboFix.txt

2016-08-19 22:01 - 2016-08-19 22:01 - 00002697 _____ C:\Users\Public\Desktop\Skype.lnk

2016-08-19 22:01 - 2016-08-19 22:01 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Skype

2016-08-19 21:59 - 2016-08-19 21:59 - 00001213 _____ C:\Users\Public\Desktop\RealPlayer (RealTimes).lnk

2016-08-19 21:59 - 2016-08-19 21:59 - 00000318 _____ C:\Windows\Tasks\RealDownloaderRealUpgradeScheduledTaskS-1-5-21-720449975-2614750782-2466370000-1001.job

2016-08-19 21:59 - 2016-08-19 21:59 - 00000000 ____D C:\Users\Bill\AppData\Roaming\RealNetworks

2016-08-19 21:59 - 2016-08-19 21:59 - 00000000 ____D C:\ProgramData\RealNetworks

2016-08-19 21:59 - 2016-08-19 21:59 - 00000000 ____D C:\ProgramData\Package Cache

2016-08-19 21:59 - 2016-08-19 21:59 - 00000000 ____D C:\Program Files (x86)\RealNetworks

2016-08-19 21:58 - 2016-08-19 21:58 - 00512392 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msvcp71.dll

2016-08-19 21:58 - 2016-08-19 21:58 - 00360840 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msvcr71.dll

2016-08-19 21:58 - 2016-08-19 21:58 - 00285576 _____ (Progressive Networks) C:\Windows\SysWOW64\pncrt.dll

2016-08-19 21:58 - 2016-08-19 21:58 - 00207752 _____ (RealNetworks, Inc.) C:\Windows\SysWOW64\rmoc3260.dll

2016-08-19 21:56 - 2016-08-19 21:56 - 00000000 ____D C:\Users\Bill\AppData\Roaming\Sun

2016-08-19 21:56 - 2016-08-19 21:56 - 00000000 ____D C:\Users\Bill\.oracle_jre_usage

2016-08-19 21:55 - 2016-08-19 21:55 - 00097856 _____ (Oracle Corporation) C:\Windows\SysWOW64\WindowsAccessBridge-32.dll

2016-08-19 21:55 - 2016-08-19 21:55 - 00000000 ____D C:\ProgramData\Oracle

2016-08-19 21:55 - 2016-08-19 21:55 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Java

2016-08-19 21:55 - 2016-08-19 21:55 - 00000000 ____D C:\Program Files (x86)\Java

2016-08-19 21:46 - 2016-08-19 19:55 - 177912864 _____ (Kaspersky Lab) C:\Users\Bill\Desktop\kis17.0.0.611en_10743.exe

2016-08-19 20:12 - 2016-08-19 20:12 - 00000000 ____D C:\Users\Bill\AppData\Local\ESET

2016-08-19 02:41 - 2016-08-19 21:48 - 00288465 _____ C:\Windows\SysWOW64\rsslogs.20160819024141

2016-08-18 20:43 - 2016-08-19 02:41 - 00101526 _____ C:\Windows\SysWOW64\rsslogs.20160818204204

2016-08-18 20:38 - 2016-08-18 20:38 - 00391496 _____ (AVAST Software) C:\Windows\system32\aswBoot.exe

2016-08-18 20:38 - 2016-08-18 20:38 - 00053208 _____ (AVAST Software) C:\Windows\avastSS.scr

2016-08-18 20:34 - 2016-08-18 20:34 - 00008454 _____ C:\Windows\SysWOW64\rsslogs.20160818203311

2016-08-18 20:32 - 2016-08-18 20:32 - 00000000 ____D C:\Users\Bill\AppData\Roaming\AVAST Software

2016-08-18 20:31 - 2016-08-18 20:44 - 00003888 _____ C:\Windows\System32\Tasks\SafeZone scheduled Autoupdate 1471570286

2016-08-18 20:31 - 2016-08-18 20:31 - 00001931 _____ C:\Users\Public\Desktop\Avast Internet Security.lnk

2016-08-18 20:31 - 2016-08-18 20:31 - 00001052 _____ C:\Users\Public\Desktop\Avast SafeZone Browser.lnk

2016-08-18 20:31 - 2016-08-18 20:31 - 00001052 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Avast SafeZone Browser.lnk

2016-08-18 20:31 - 2016-08-18 20:31 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\AVAST Software

2016-08-18 20:28 - 2016-08-18 20:51 - 00004180 _____ C:\Windows\System32\Tasks\avast! Emergency Update

2016-08-18 20:28 - 2016-08-18 20:28 - 00000000 ____D C:\Windows\System32\Tasks\AVAST Software

2016-08-18 20:27 - 2016-08-18 20:38 - 00969560 _____ (AVAST Software) C:\Windows\system32\Drivers\aswSnx.sys

2016-08-18 20:27 - 2016-08-18 20:38 - 00513496 _____ (AVAST Software) C:\Windows\system32\Drivers\aswSP.sys

2016-08-18 20:27 - 2016-08-18 20:38 - 00292704 _____ (AVAST Software) C:\Windows\system32\Drivers\aswVmm.sys

2016-08-18 20:27 - 2016-08-18 20:38 - 00163416 _____ (AVAST Software) C:\Windows\system32\Drivers\aswStm.sys

2016-08-18 20:27 - 2016-08-18 20:38 - 00108816 _____ (AVAST Software) C:\Windows\system32\Drivers\aswMonFlt.sys

2016-08-18 20:27 - 2016-08-18 20:38 - 00103064 _____ (AVAST Software) C:\Windows\system32\Drivers\aswRdr2.sys

2016-08-18 20:27 - 2016-08-18 20:38 - 00074544 _____ (AVAST Software) C:\Windows\system32\Drivers\aswRvrt.sys

2016-08-18 20:27 - 2016-08-18 20:38 - 00037656 _____ (AVAST Software) C:\Windows\system32\Drivers\aswHwid.sys

2016-08-18 20:27 - 2016-08-18 20:38 - 00037144 _____ (AVAST Software) C:\Windows\system32\Drivers\aswKbd.sys

2016-08-18 20:27 - 2016-08-18 20:37 - 00453192 _____ (AVAST Software) C:\Windows\system32\Drivers\aswNetSec.sys

2016-08-18 20:26 - 2016-08-18 20:26 - 00992960 _____ (Microsoft Corporation) C:\Windows\system32\ucrtbase.dll

2016-08-18 20:26 - 2016-08-18 20:26 - 00921280 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ucrtbase.dll

2016-08-18 20:26 - 2016-08-18 20:26 - 00028312 _____ (AVAST Software) C:\Windows\system32\Drivers\aswNetNd6.sys

2016-08-18 20:26 - 2016-08-18 20:26 - 00000000 ____D C:\Program Files\AVAST Software

2016-08-18 20:25 - 2016-08-18 20:26 - 00000000 ____D C:\ProgramData\AVAST Software

2016-08-18 20:21 - 2016-08-18 20:33 - 00017105 _____ C:\Windows\SysWOW64\rsslogs.20160818202047

2016-08-18 19:18 - 2016-08-18 19:20 - 00192146 _____ C:\TDSSKiller.3.1.0.11_18.08.2016_19.18.12_log.txt

2016-08-18 19:16 - 2016-08-18 19:16 - 00072580 _____ C:\Windows\SysWOW64\rsslogs.20160818191546

2016-08-17 03:01 - 2016-08-17 03:01 - 00133372 _____ C:\Windows\SysWOW64\rsslogs.20160817030015

2016-08-16 21:02 - 2016-08-17 03:01 - 00095608 _____ C:\Windows\SysWOW64\rsslogs.20160816210111

2016-08-16 17:46 - 2016-08-16 17:46 - 00000207 _____ C:\Windows\tweaking.com-regbackup-BILL-PC-Windows-7-Home-Premium-(64-bit).dat

2016-08-16 17:46 - 2016-08-16 17:46 - 00000000 ____D C:\RegBackup

2016-08-16 17:28 - 2016-08-16 17:28 - 00020519 _____ C:\Windows\SysWOW64\rsslogs.20160816172703

2016-08-16 17:02 - 2016-08-16 17:02 - 00002168 _____ C:\Users\Bill\Desktop\Tweaking.com - Windows Repair.lnk

2016-08-16 17:01 - 2016-08-16 17:02 - 00188913 _____ C:\Windows\Tweaking.com - Windows Repair Setup Log.txt

2016-08-16 17:01 - 2016-08-16 17:01 - 00003650 _____ C:\Windows\System32\Tasks\Tweaking.com - Windows Repair Tray Icon

2016-08-16 17:01 - 2016-08-16 17:01 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Tweaking.com

2016-08-16 17:01 - 2016-08-16 17:01 - 00000000 ____D C:\Program Files (x86)\Tweaking.com

2016-08-16 16:55 - 2016-08-18 20:14 - 00001868 _____ C:\Users\Bill\Desktop\sc-cleaner.txt

2016-08-16 16:35 - 2016-08-19 22:06 - 00001954 _____ C:\Users\Bill\Desktop\Rkill.txt

2016-08-16 16:33 - 2016-08-16 17:27 - 00003358 _____ C:\Windows\System32\Tasks\RealDownloaderRealUpgradeScheduledTaskS-1-5-21-720449975-2614750782-2466370000-1001

2016-08-16 16:32 - 2016-08-16 16:32 - 00038628 _____ C:\Windows\SysWOW64\rsslogs.20160816163127

2016-08-16 14:35 - 2016-08-16 14:35 - 00001104 _____ C:\Users\Public\Desktop\Kaspersky Software Updater Beta.lnk

2016-08-16 14:35 - 2016-08-16 14:35 - 00000000 ____D C:\Users\Bill\AppData\Local\CEF

2016-08-16 14:35 - 2016-08-16 14:35 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Kaspersky Software Updater Beta

2016-08-16 14:34 - 2016-08-16 14:35 - 00000000 ____D C:\ProgramData\Kaspersky Lab

2016-08-16 14:34 - 2016-08-16 14:35 - 00000000 ____D C:\Program Files (x86)\Kaspersky Lab

2016-08-16 14:34 - 2016-08-16 14:34 - 00001064 _____ C:\Users\Public\Desktop\Kaspersky Security Scan.lnk

2016-08-16 14:34 - 2016-08-16 14:34 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Kaspersky Security Scan

2016-08-16 14:31 - 2016-08-16 16:33 - 00000000 ____D C:\ProgramData\Kaspersky Lab Setup Files

2016-08-16 14:30 - 2016-08-16 14:30 - 00017379 _____ C:\Users\Bill\Desktop\JRT.txt

2016-08-16 14:21 - 2016-08-16 14:21 - 00070119 _____ C:\Windows\SysWOW64\rsslogs.20160816142010

2016-08-16 14:14 - 2016-08-16 14:18 - 00000000 ____D C:\AdwCleaner

2016-08-16 13:53 - 2016-08-14 21:50 - 05658927 ____R (Swearware) C:\Users\Bill\Desktop\ComboFix-3.exe

2016-08-16 13:29 - 2016-08-16 14:17 - 00059156 _____ C:\Windows\SysWOW64\rsslogs.20160816132801

2016-08-16 12:13 - 2016-08-21 20:22 - 00192216 _____ (Malwarebytes) C:\Windows\system32\Drivers\MBAMSwissArmy.sys

2016-08-16 12:13 - 2016-08-16 12:13 - 00001111 _____ C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk

2016-08-16 12:13 - 2016-08-16 12:13 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes Anti-Malware

2016-08-16 12:13 - 2016-08-16 12:13 - 00000000 ____D C:\ProgramData\Malwarebytes

2016-08-16 12:13 - 2016-08-16 12:13 - 00000000 ____D C:\Program Files (x86)\Malwarebytes Anti-Malware

2016-08-16 12:13 - 2016-03-10 14:09 - 00064896 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mwac.sys

2016-08-16 12:13 - 2016-03-10 14:08 - 00140672 _____ (Malwarebytes) C:\Windows\system32\Drivers\mbamchameleon.sys

2016-08-16 12:13 - 2016-03-10 14:08 - 00027008 _____ (Malwarebytes) C:\Windows\system32\Drivers\mbam.sys

2016-08-16 10:34 - 2011-06-26 01:45 - 00256000 _____ C:\Windows\PEV.exe

2016-08-16 10:34 - 2010-11-07 12:20 - 00208896 _____ C:\Windows\MBR.exe

2016-08-16 10:34 - 2009-04-19 23:56 - 00060416 _____ (NirSoft) C:\Windows\NIRCMD.exe

2016-08-16 10:34 - 2000-08-30 19:00 - 00518144 _____ (SteelWerX) C:\Windows\SWREG.exe

2016-08-16 10:34 - 2000-08-30 19:00 - 00406528 _____ (SteelWerX) C:\Windows\SWSC.exe

2016-08-16 10:34 - 2000-08-30 19:00 - 00098816 _____ C:\Windows\sed.exe

2016-08-16 10:34 - 2000-08-30 19:00 - 00080412 _____ C:\Windows\grep.exe

2016-08-16 10:34 - 2000-08-30 19:00 - 00068096 _____ C:\Windows\zip.exe

2016-08-16 10:30 - 2016-08-19 22:16 - 00000000 ____D C:\Qoobox

2016-08-16 10:30 - 2016-08-16 10:48 - 00000000 ____D C:\Windows\erdnt

2016-08-16 10:23 - 2016-07-07 19:55 - 01610560 _____ (Malwarebytes) C:\Users\Rosemary\Desktop\JRT.exe

2016-08-16 10:22 - 2016-08-14 21:50 - 05658927 ____R (Swearware) C:\Users\Rosemary\Desktop\ComboFix-3.exe

2016-08-16 10:22 - 2016-08-12 17:16 - 03784256 _____ C:\Users\Rosemary\Desktop\AdwCleaner-4.exe

2016-08-16 10:22 - 2016-07-28 03:53 - 237945104 _____ (AVAST Software) C:\Users\Rosemary\Desktop\avast_internet_security_setup_offline.exe

2016-08-16 10:22 - 2016-05-13 06:45 - 03017376 _____ (ESET) C:\Users\Rosemary\Desktop\eset_smart_security_live_installer.exe

2016-08-16 10:22 - 2016-03-30 09:59 - 22851472 _____ (Malwarebytes ) C:\Users\Rosemary\Desktop\mbam-setup-bc.1878-2.2.1.1043.exe

2016-08-16 10:22 - 2016-02-24 10:01 - 02622304 _____ (Kaspersky Lab) C:\Users\Rosemary\Desktop\kss16.0.0.1344en_9702-2.exe

2016-08-16 10:22 - 2013-04-05 12:00 - 09096848 _____ (SurfRight B.V.) C:\Users\Rosemary\Desktop\HitmanPro.exe

2016-08-12 11:41 - 2016-08-11 18:27 - 06757915 _____ C:\Users\Rosemary\Desktop\combofix.exe.exe

2016-08-11 17:31 - 2016-08-21 16:37 - 00169654 _____ C:\Windows\ntbtlog.txt

2016-08-11 16:54 - 2016-08-11 16:54 - 00043465 _____ C:\Windows\SysWOW64\rsslogs.20160811165350

2016-08-11 16:45 - 2016-08-11 16:45 - 00008457 _____ C:\Windows\SysWOW64\rsslogs.20160811164442

2016-08-10 14:48 - 2016-08-11 16:45 - 00033804 _____ C:\Windows\SysWOW64\rsslogs.20160810144732

2016-08-04 13:30 - 2016-08-10 14:48 - 00047082 _____ C:\Windows\SysWOW64\rsslogs.20160804132935



==================== One Month Modified files and folders ========



(If an entry is included in the fixlist, the file/folder will be moved.)



2016-08-21 20:25 - 2009-07-14 00:13 - 00772352 _____ C:\Windows\system32\PerfStringBackup.INI

2016-08-21 20:25 - 2009-07-13 22:20 - 00000000 ____D C:\Windows\inf

2016-08-21 20:22 - 2010-06-01 19:57 - 00000000 ____D C:\Users\Bill\AppData\Roaming\Skype

2016-08-21 20:20 - 2010-02-06 13:39 - 00000894 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job

2016-08-21 20:19 - 2010-05-02 11:50 - 00000000 _____ C:\Windows\system32\Drivers\lvuvc.hs

2016-08-21 20:19 - 2009-07-14 00:08 - 00000006 ____H C:\Windows\Tasks\SA.DAT

2016-08-21 17:01 - 2009-07-13 23:45 - 00009920 _____ C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0

2016-08-21 17:01 - 2009-07-13 23:45 - 00009920 _____ C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0

2016-08-21 16:57 - 2009-07-13 22:20 - 00000000 ____D C:\Windows\system32\NDF

2016-08-19 22:13 - 2009-07-13 21:34 - 00000215 _____ C:\Windows\system.ini

2016-08-19 22:01 - 2010-05-02 17:11 - 00000000 ___RD C:\Program Files (x86)\Skype

2016-08-19 22:01 - 2010-05-02 17:11 - 00000000 ____D C:\ProgramData\Skype

2016-08-19 22:00 - 2011-10-05 17:19 - 00000000 ____D C:\Users\Bill\AppData\Roaming\Real

2016-08-19 21:59 - 2013-11-26 16:58 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\RealNetworks

2016-08-19 21:59 - 2011-10-05 17:19 - 00000000 ____D C:\Program Files (x86)\Real

2016-08-19 21:57 - 2011-10-05 17:19 - 00000000 ____D C:\ProgramData\Real

2016-08-19 21:56 - 2010-01-19 11:10 - 00000000 ____D C:\Users\Bill

2016-08-19 21:39 - 2010-02-06 13:39 - 00000898 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job

2016-08-18 20:28 - 2015-07-16 10:11 - 00000000 ____D C:\Program Files\Common Files\AV

2016-08-18 20:28 - 2009-10-29 07:37 - 00000000 ____D C:\Program Files (x86)\Google

2016-08-18 19:20 - 2010-10-23 11:55 - 00079608 _____ C:\Users\Bill\AppData\Local\GDIPFONTCACHEV1.DAT

2016-08-17 02:30 - 2009-07-13 22:20 - 00000000 ____D C:\Windows\rescache

2016-08-16 21:15 - 2010-08-26 15:16 - 00000000 ____D C:\Users\Bill\AppData\Local\CrashDumps

2016-08-16 20:59 - 2009-07-13 23:45 - 00335312 _____ C:\Windows\system32\FNTCACHE.DAT

2016-08-16 18:13 - 2009-07-13 21:34 - 00000439 _____ C:\Windows\win.ini

2016-08-16 18:10 - 2013-05-13 10:52 - 00782510 _____ C:\Windows\SysWOW64\PerfStringBackup.INI

2016-08-16 17:27 - 2015-03-11 17:01 - 00003222 _____ C:\Windows\System32\Tasks\RealDownloaderRealUpgradeLogonTaskS-1-5-21-720449975-2614750782-2466370000-1001

2016-08-16 16:54 - 2011-10-05 17:19 - 00000000 ____D C:\Users\Bill\AppData\Local\The Weather Channel

2016-08-16 16:27 - 2010-02-20 13:08 - 00000000 ____D C:\Program Files\Common Files\Symantec Shared

2016-08-16 16:27 - 2009-10-29 07:47 - 00000000 ____D C:\ProgramData\Norton

2016-08-16 16:25 - 2009-10-29 07:50 - 00000000 ____D C:\ProgramData\Symantec

2016-08-16 14:35 - 2015-01-19 15:52 - 00000000 __SHD C:\Users\Bill\AppData\LocalLow\EmieBrowserModeList

2016-08-16 14:35 - 2014-04-20 11:57 - 00000000 __SHD C:\Users\Bill\AppData\LocalLow\EmieUserList

2016-08-16 14:35 - 2014-04-20 11:22 - 00000000 __SHD C:\Users\Bill\AppData\LocalLow\EmieSiteList

2016-08-16 14:29 - 2015-08-06 09:43 - 00000000 ____D C:\Windows\System32\Tasks\Remediation

2016-08-16 14:22 - 2013-04-16 03:03 - 00000000 ____D C:\Users\UpdatusUser

2016-08-16 13:51 - 2015-01-19 15:52 - 00000000 __SHD C:\Users\Bill\AppData\Local\EmieBrowserModeList

2016-08-16 13:51 - 2014-04-20 11:57 - 00000000 __SHD C:\Users\Bill\AppData\Local\EmieUserList

2016-08-16 13:51 - 2014-04-20 11:57 - 00000000 __SHD C:\Users\Bill\AppData\Local\EmieSiteList

2016-08-16 13:29 - 2015-01-19 15:53 - 00003200 _____ C:\Windows\System32\Tasks\RealPlayerRealUpgradeLogonTaskS-1-5-21-720449975-2614750782-2466370000-1001

2016-08-16 13:28 - 2015-01-19 15:52 - 00003336 _____ C:\Windows\System32\Tasks\RealPlayerRealUpgradeScheduledTaskS-1-5-21-720449975-2614750782-2466370000-1001

2016-08-16 10:46 - 2009-07-13 21:34 - 00000027 _____ C:\Windows\system32\Drivers\etc\hosts_bak_726

2016-08-16 10:43 - 2009-07-13 21:34 - 94371840 _____ C:\Windows\system32\config\software.bak

2016-08-16 10:43 - 2009-07-13 21:34 - 16252928 _____ C:\Windows\system32\config\system.bak

2016-08-16 10:43 - 2009-07-13 21:34 - 00262144 _____ C:\Windows\system32\config\security.bak

2016-08-16 10:43 - 2009-07-13 21:34 - 00262144 _____ C:\Windows\system32\config\sam.bak

2016-08-16 10:43 - 2009-07-13 21:34 - 00262144 _____ C:\Windows\system32\config\default.bak

2016-08-16 10:42 - 2009-07-14 00:32 - 00000000 ____D C:\Windows\Downloaded Program Files

2016-08-11 17:24 - 2010-05-02 17:11 - 00000000 ____D C:\Users\Rosemary\AppData\Roaming\Skype

2016-08-11 16:54 - 2016-06-23 11:02 - 00003344 _____ C:\Windows\System32\Tasks\RealPlayerRealUpgradeScheduledTaskS-1-5-21-720449975-2614750782-2466370000-1003

2016-08-11 16:54 - 2016-06-23 11:02 - 00003216 _____ C:\Windows\System32\Tasks\RealPlayerRealUpgradeLogonTaskS-1-5-21-720449975-2614750782-2466370000-1003

2016-08-10 14:50 - 2010-05-02 17:11 - 00002204 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome.lnk

2016-08-04 13:34 - 2010-02-06 13:39 - 00003894 _____ C:\Windows\System32\Tasks\GoogleUpdateTaskMachineUA

2016-08-04 13:34 - 2010-02-06 13:39 - 00003642 _____ C:\Windows\System32\Tasks\GoogleUpdateTaskMachineCore

2016-08-04 13:32 - 2010-01-19 11:27 - 00000000 ____D C:\Users\Rosemary

2016-08-04 13:27 - 2013-03-14 03:03 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Silverlight

2016-08-04 13:27 - 2013-03-14 03:02 - 00000000 ____D C:\Program Files\Microsoft Silverlight

2016-08-04 13:27 - 2013-03-14 03:02 - 00000000 ____D C:\Program Files (x86)\Microsoft Silverlight

2016-08-04 13:27 - 2010-01-21 11:50 - 00000000 ____D C:\Users\Rosemary\AppData\Roaming\ArcSoft

2016-08-04 13:27 - 2010-01-19 15:26 - 00000000 ____D C:\ProgramData\ArcSoft

2016-08-04 13:27 - 2009-10-29 07:25 - 00000000 ____D C:\Program Files (x86)\Microsoft Office

2016-08-04 13:27 - 2009-07-13 22:20 - 00000000 ____D C:\Windows\servicing

2016-08-04 13:27 - 2009-07-13 22:20 - 00000000 ____D C:\Program Files\Common Files\Microsoft Shared

2016-08-04 13:26 - 2009-07-13 22:20 - 00000000 ____D C:\Windows\registration



==================== Files in the root of some directories =======



2014-05-22 15:19 - 2014-05-22 16:07 - 0000142 _____ () C:\Users\Bill\AppData\Roaming\wklnhst.dat

2010-05-02 17:17 - 2010-05-02 17:17 - 0000048 _____ () C:\ProgramData\ezsidmv.dat



==================== Bamital & volsnap =================



(There is no automatic fix for files that do not pass verification.)



C:\Windows\system32\winlogon.exe => File is digitally signed

C:\Windows\system32\wininit.exe => File is digitally signed

C:\Windows\SysWOW64\wininit.exe => File is digitally signed

C:\Windows\explorer.exe => File is digitally signed

C:\Windows\SysWOW64\explorer.exe => File is digitally signed

C:\Windows\system32\svchost.exe => File is digitally signed

C:\Windows\SysWOW64\svchost.exe => File is digitally signed

C:\Windows\system32\services.exe => File is digitally signed

C:\Windows\system32\User32.dll => File is digitally signed

C:\Windows\SysWOW64\User32.dll => File is digitally signed

C:\Windows\system32\userinit.exe => File is digitally signed

C:\Windows\SysWOW64\userinit.exe => File is digitally signed

C:\Windows\system32\rpcss.dll => File is digitally signed

C:\Windows\system32\dnsapi.dll => File is digitally signed

C:\Windows\SysWOW64\dnsapi.dll => File is digitally signed

C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed





LastRegBack: 2016-08-17 01:02



==================== End of FRST.txt ============================


#2 nasdaq

nasdaq

  • Malware Response Team
  • 39,179 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:05:59 PM

Posted 23 August 2016 - 09:55 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

Your Windows Winsock is broken. This fix should restore it.

Remove this Updater via the Control Panel > Programs > Programs and Features.
Updater (HKLM-x32\...\{D54E3D9F-FEB8-4D2D-A138-B69A5C80080B}) (Version: 2.6.53 - Creative Island Media, LLC) <==== ATTENTION
===

Press the Windows key + R on your keyboard at the same time. This will open the RUN BOX.
Type Notepad and click the OK key.
Please copy the entire contents of the code box below to a new file.
 
start

CreateRestorePoint:
EmptyTemp:
CloseProcesses:

Winsock: Catalog5 08 C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WLIDNSP.DLL No File
Winsock: Catalog5 09 C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WLIDNSP.DLL No File
Winsock: Catalog5-x64 08 C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDNSP.DLL No File
Winsock: Catalog5-x64 09 C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDNSP.DLL No File
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
HKU\S-1-5-21-720449975-2614750782-2466370000-1001\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
BHO-x32: No Name -> {5C255C8A-E604-49b4-9D64-90988571CECB} -> No File
Toolbar: HKU\S-1-5-21-720449975-2614750782-2466370000-1001 -> No Name - {2318C2B1-4965-11D4-9B18-009027A5CD4F} -  No File
Handler: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~2\WIC4A1~1\MESSEN~1\MSGRAP~1.DLL No File
Handler: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~2\WIC4A1~1\MESSEN~1\MSGRAP~1.DLL No File
FF Plugin: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin-x32: @microsoft.com/GENUINE -> disabled [No File]
FF HKLM-x32\...\Firefox\Extensions: [{ABDE892B-13A8-4d1b-88E6-365A6E755758}] - C:\ProgramData\RealNetworks\RealDownloader\BrowserPlugins\Firefox\Ext => not found
CHR HKLM\...\Chrome\Extension: [iikflkcanblccfahdhdonehdalibjnif] - hxxps://clients2.google.com/service/update2/crx
CHR HKLM-x32\...\Chrome\Extension: [eofcbnmajmjmplflapaojjnihcjkigck] - hxxps://clients2.google.com/service/update2/crx
CHR HKLM-x32\...\Chrome\Extension: [gomekmidlodglbbmalcneegieacbdmki] - hxxps://clients2.google.com/service/update2/crx
AlternateDataStreams: C:\Users\Bill\AppData\Roaming\Microsoft\Windows\Start Menu\MSN.com.website:TASKICON_0favicon1129903636 [30174]
AlternateDataStreams: C:\Users\Bill\AppData\Roaming\Microsoft\Windows\Start Menu\MSN.com.website:TASKICON_1favicon-298702541 [8574]
AlternateDataStreams: C:\Users\Bill\AppData\Roaming\Microsoft\Windows\Start Menu\MSN.com.website:TASKICON_2favicon-1464078272 [1790]
AlternateDataStreams: C:\Users\Bill\AppData\Roaming\Microsoft\Windows\Start Menu\MSN.com.website:TASKICON_3favicon-860043155 [8574]
AlternateDataStreams: C:\Users\Bill\AppData\Roaming\Microsoft\Windows\Start Menu\MSN.com.website:TASKICON_4favicon640180837 
S3 catchme; \??\C:\ComboFix-3\catchme.sys [X]
S3 MFE_RR; \??\C:\Users\Bill\AppData\Local\Temp\mfe_rr.sys [X][/B]
cmd: netsh winsock reset catalog

End
Save the file as fixlist.txt in the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the Farbar log you have submitted.

Run FRST and click Fix only once and wait.

Restart the computer normally to reset the registry.

The tool will create a log (Fixlog.txt) please post it to your reply.
===

How is the computer running now?
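The fixlist above removes the Winsock namespace catalog entries whose provider DLL (WLIDNSP.DLL) is no longer on disk, then runs `netsh winsock reset catalog`. The following PowerShell script is an added example, not nasdaq's instructions and not part of FRST or any tool in this thread: it reads the same `NameSpace_Catalog5` keys the Fixlog names and reports every entry whose `LibraryPath` does not exist on disk, which is the "No File" condition FRST flagged. It only reports; it removes nothing. It assumes Windows PowerShell on Windows 7 or later (64-bit, so both the 32-bit and 64-bit catalog views exist); the function names are my own.

```powershell
# Added example (not from the thread): audit Winsock namespace providers for
# entries whose provider DLL is missing on disk. Read-only: nothing is changed.
# Assumes Windows PowerShell 5.1+ on Windows 7 or later; function names are hypothetical.

$catalogRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5'

function Get-WinsockNamespaceEntry {
    param([string]$Root = $catalogRoot)
    # Catalog_Entries is the 32-bit view, Catalog_Entries64 the 64-bit view (x64 only).
    foreach ($view in 'Catalog_Entries', 'Catalog_Entries64') {
        $viewPath = Join-Path $Root $view
        if (-not (Test-Path -LiteralPath $viewPath)) { continue }
        Get-ChildItem -Path $viewPath | ForEach-Object {
            $props = Get-ItemProperty -Path $_.PSPath
            # LibraryPath is REG_EXPAND_SZ; Get-ItemProperty already expands it,
            # expanding again is harmless and covers values stored as plain REG_SZ.
            $library = [System.Environment]::ExpandEnvironmentVariables([string]$props.LibraryPath)
            [pscustomobject]@{
                View        = $view
                Entry       = $_.PSChildName          # e.g. 000000000008, as in the Fixlog
                Provider    = [string]$props.DisplayString
                LibraryPath = $library
                Exists      = ($library -ne '' -and (Test-Path -LiteralPath $library))
            }
        }
    }
}

function Find-DanglingWinsockEntry {
    # A namespace provider whose DLL is gone breaks name resolution for every
    # socket application, which matches the "most sites fail" symptom above.
    Get-WinsockNamespaceEntry | Where-Object { -not $_.Exists }
}

$dangling = @(Find-DanglingWinsockEntry)
if ($dangling.Count -gt 0) {
    "Winsock namespace entries whose provider DLL is missing:"
    $dangling | Format-Table View, Entry, Provider, LibraryPath -AutoSize
} else {
    "All Winsock namespace providers point at files that exist."
}
```

Run it from an ordinary PowerShell prompt; the keys are readable without elevation. Entries it lists are typically leftovers of uninstalled software (here the Windows Live ID provider). Deleting them, which is what the FRST fixlist did, followed by `netsh winsock reset catalog` and a reboot, is the repair; this script is only the check you would run before and after to confirm the catalog is clean.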

#3 whatisavailable

whatisavailable
  • Topic Starter

  • Members
  • 212 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Texas
  • Local time:04:59 PM

Posted 23 August 2016 - 01:09 PM

Hi and THANK YOU for the help!

We accidentally forgot to uninstall the Updater before we ran the FRST64 fix, so we uninstalled it and re-ran FRST64 with the fixlog.txt again.

While we are getting pop ups that people are logged into Skype and drivers (Logitech) need to be updated, we still cannot access most sites.  cnn.com works but google.com does not.

 

Below is the 2nd log that we got after uninstalling the Update via the control panel.

 

I had asked my sister to send both fix logs but she only sent one. 

Let me know if you have to have the other one and I can get it as well.

I wanted to post the results we had asap.

 

Thank you!

 

 

Fix result of Farbar Recovery Scan Tool (x64) Version: 21-08-2016 01

Ran by Bill (23-08-2016 11:22:34) Run:2

Running from C:\Users\Bill\Desktop

Loaded Profiles: Bill (Available Profiles: Bill & Rosemary & UpdatusUser)

Boot Mode: Normal

==============================================



fixlist content:

*****************

start



CreateRestorePoint:

EmptyTemp:

CloseProcesses:



Winsock: Catalog5 08 C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WLIDNSP.DLL No File

Winsock: Catalog5 09 C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WLIDNSP.DLL No File

Winsock: Catalog5-x64 08 C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDNSP.DLL No File

Winsock: Catalog5-x64 09 C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDNSP.DLL No File

HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION

HKU\S-1-5-21-720449975-2614750782-2466370000-1001\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION

BHO-x32: No Name -> {5C255C8A-E604-49b4-9D64-90988571CECB} -> No File

Toolbar: HKU\S-1-5-21-720449975-2614750782-2466370000-1001 -> No Name - {2318C2B1-4965-11D4-9B18-009027A5CD4F} -  No File

Handler: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~2\WIC4A1~1\MESSEN~1\MSGRAP~1.DLL No File

Handler: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~2\WIC4A1~1\MESSEN~1\MSGRAP~1.DLL No File

FF Plugin: @microsoft.com/GENUINE -> disabled [No File]

FF Plugin-x32: @microsoft.com/GENUINE -> disabled [No File]

FF HKLM-x32\...\Firefox\Extensions: [{ABDE892B-13A8-4d1b-88E6-365A6E755758}] - C:\ProgramData\RealNetworks\RealDownloader\BrowserPlugins\Firefox\Ext => not found

CHR HKLM\...\Chrome\Extension: [iikflkcanblccfahdhdonehdalibjnif] - hxxps://clients2.google.com/service/update2/crx

CHR HKLM-x32\...\Chrome\Extension: [eofcbnmajmjmplflapaojjnihcjkigck] - hxxps://clients2.google.com/service/update2/crx

CHR HKLM-x32\...\Chrome\Extension: [gomekmidlodglbbmalcneegieacbdmki] - hxxps://clients2.google.com/service/update2/crx

AlternateDataStreams: C:\Users\Bill\AppData\Roaming\Microsoft\Windows\Start Menu\MSN.com.website:TASKICON_0favicon1129903636 [30174]

AlternateDataStreams: C:\Users\Bill\AppData\Roaming\Microsoft\Windows\Start Menu\MSN.com.website:TASKICON_1favicon-298702541 [8574]

AlternateDataStreams: C:\Users\Bill\AppData\Roaming\Microsoft\Windows\Start Menu\MSN.com.website:TASKICON_2favicon-1464078272 [1790]

AlternateDataStreams: C:\Users\Bill\AppData\Roaming\Microsoft\Windows\Start Menu\MSN.com.website:TASKICON_3favicon-860043155 [8574]

AlternateDataStreams: C:\Users\Bill\AppData\Roaming\Microsoft\Windows\Start Menu\MSN.com.website:TASKICON_4favicon640180837

S3 catchme; \??\C:\ComboFix-3\catchme.sys [X]

S3 MFE_RR; \??\C:\Users\Bill\AppData\Local\Temp\mfe_rr.sys [X][/B]

cmd: netsh winsock reset catalog



End

*****************



Restore point was successfully created.

Processes closed successfully.

HKLM\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000008 => key not found.

HKLM\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000009 => key not found.

HKLM\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries64\000000000008 => key not found.

HKLM\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries64\000000000009 => key not found.

HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer => key not found.

HKU\S-1-5-21-720449975-2614750782-2466370000-1001\SOFTWARE\Policies\Microsoft\Internet Explorer => key not found.

HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5C255C8A-E604-49b4-9D64-90988571CECB} => key not found.

HKCR\Wow6432Node\CLSID\{5C255C8A-E604-49b4-9D64-90988571CECB} => key not found.

HKU\S-1-5-21-720449975-2614750782-2466370000-1001\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{2318C2B1-4965-11D4-9B18-009027A5CD4F} => value not found.

HKCR\CLSID\{2318C2B1-4965-11D4-9B18-009027A5CD4F} => key not found.

HKCR\PROTOCOLS\Handler\livecall => key not found.

HKCR\CLSID\{828030A1-22C1-4009-854F-8E305202313F} => key not found.

HKCR\PROTOCOLS\Handler\msnim => key not found.

HKCR\CLSID\{828030A1-22C1-4009-854F-8E305202313F} => key not found.

HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE => key not found.

HKLM\Software\Wow6432Node\MozillaPlugins\@microsoft.com/GENUINE => key not found.

HKLM\Software\Wow6432Node\Mozilla\Firefox\Extensions\\{ABDE892B-13A8-4d1b-88E6-365A6E755758} => value not found.

HKLM\SOFTWARE\Google\Chrome\Extensions\iikflkcanblccfahdhdonehdalibjnif => key not found.

HKLM\SOFTWARE\Wow6432Node\Google\Chrome\Extensions\eofcbnmajmjmplflapaojjnihcjkigck => key not found.

HKLM\SOFTWARE\Wow6432Node\Google\Chrome\Extensions\gomekmidlodglbbmalcneegieacbdmki => key not found.

"C:\Users\Bill\AppData\Roaming\Microsoft\Windows\Start Menu\MSN.com.website" => ":TASKICON_0favicon1129903636" ADS not found.

"C:\Users\Bill\AppData\Roaming\Microsoft\Windows\Start Menu\MSN.com.website" => ":TASKICON_1favicon-298702541" ADS not found.

"C:\Users\Bill\AppData\Roaming\Microsoft\Windows\Start Menu\MSN.com.website" => ":TASKICON_2favicon-1464078272" ADS not found.

"C:\Users\Bill\AppData\Roaming\Microsoft\Windows\Start Menu\MSN.com.website" => ":TASKICON_3favicon-860043155" ADS not found.

"C:\Users\Bill\AppData\Roaming\Microsoft\Windows\Start Menu\MSN.com.website" => "AlternateDataStreams: C:\Users\Bill\AppData\Roaming\Microsoft\Windows\Start Menu\MSN.com.website:TASKICON_4favicon640180837" ADS not found.

catchme => service not found.

MFE_RR => service not found.



========= netsh winsock reset catalog =========





Sucessfully reset the Winsock Catalog.

You must restart the computer in order to complete the reset.





========= End of CMD: =========





=========== EmptyTemp: ==========



BITS transfer queue => 8388608 B

DOMStore, IE Recovery, AppCache, Feeds Cache, Thumbcache, IconCache => 4083040 B

Java, Flash, Steam htmlcache => 0 B

Windows/system/drivers => 240688 B

Edge => 0 B

Chrome => 0 B

Firefox => 0 B

Opera => 0 B



Temp, IE cache, history, cookies, recent:

Default => 0 B

Public => 0 B

ProgramData => 0 B

systemprofile => 0 B

systemprofile32 => 0 B

LocalService => 0 B

NetworkService => 0 B

Bill => 10943977 B

Rosemary => 0 B

UpdatusUser => 0 B



RecycleBin => 0 B

EmptyTemp: => 22.6 MB temporary data Removed.



================================





The system needed a reboot.



==== End of Fixlog 11:23:41 ====



#4 whatisavailable

whatisavailable
  • Topic Starter

  • Members
  • 212 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Texas
  • Local time:04:59 PM

Posted 23 August 2016 - 01:20 PM

Got the first fixlog.txt as well:

 

Fix result of Farbar Recovery Scan Tool (x64) Version: 21-08-2016 01

Ran by Bill (23-08-2016 11:11:07) Run:1

Running from C:\Users\Bill\Desktop

Loaded Profiles: Bill (Available Profiles: Bill & Rosemary & UpdatusUser)

Boot Mode: Normal

==============================================



fixlist content:

*****************

start



CreateRestorePoint:

EmptyTemp:

CloseProcesses:



Winsock: Catalog5 08 C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WLIDNSP.DLL No File

Winsock: Catalog5 09 C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WLIDNSP.DLL No File

Winsock: Catalog5-x64 08 C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDNSP.DLL No File

Winsock: Catalog5-x64 09 C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDNSP.DLL No File

HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION

HKU\S-1-5-21-720449975-2614750782-2466370000-1001\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION

BHO-x32: No Name -> {5C255C8A-E604-49b4-9D64-90988571CECB} -> No File

Toolbar: HKU\S-1-5-21-720449975-2614750782-2466370000-1001 -> No Name - {2318C2B1-4965-11D4-9B18-009027A5CD4F} -  No File

Handler: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~2\WIC4A1~1\MESSEN~1\MSGRAP~1.DLL No File

Handler: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~2\WIC4A1~1\MESSEN~1\MSGRAP~1.DLL No File

FF Plugin: @microsoft.com/GENUINE -> disabled [No File]

FF Plugin-x32: @microsoft.com/GENUINE -> disabled [No File]

FF HKLM-x32\...\Firefox\Extensions: [{ABDE892B-13A8-4d1b-88E6-365A6E755758}] - C:\ProgramData\RealNetworks\RealDownloader\BrowserPlugins\Firefox\Ext => not found

CHR HKLM\...\Chrome\Extension: [iikflkcanblccfahdhdonehdalibjnif] - hxxps://clients2.google.com/service/update2/crx

CHR HKLM-x32\...\Chrome\Extension: [eofcbnmajmjmplflapaojjnihcjkigck] - hxxps://clients2.google.com/service/update2/crx

CHR HKLM-x32\...\Chrome\Extension: [gomekmidlodglbbmalcneegieacbdmki] - hxxps://clients2.google.com/service/update2/crx

AlternateDataStreams: C:\Users\Bill\AppData\Roaming\Microsoft\Windows\Start Menu\MSN.com.website:TASKICON_0favicon1129903636 [30174]

AlternateDataStreams: C:\Users\Bill\AppData\Roaming\Microsoft\Windows\Start Menu\MSN.com.website:TASKICON_1favicon-298702541 [8574]

AlternateDataStreams: C:\Users\Bill\AppData\Roaming\Microsoft\Windows\Start Menu\MSN.com.website:TASKICON_2favicon-1464078272 [1790]

AlternateDataStreams: C:\Users\Bill\AppData\Roaming\Microsoft\Windows\Start Menu\MSN.com.website:TASKICON_3favicon-860043155 [8574]

AlternateDataStreams: C:\Users\Bill\AppData\Roaming\Microsoft\Windows\Start Menu\MSN.com.website:TASKICON_4favicon640180837

S3 catchme; \??\C:\ComboFix-3\catchme.sys [X]

S3 MFE_RR; \??\C:\Users\Bill\AppData\Local\Temp\mfe_rr.sys [X][/B]

cmd: netsh winsock reset catalog



End

*****************



Restore point was successfully created.

Processes closed successfully.

"HKLM\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000008" => key removed successfully

"HKLM\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000009" => key removed successfully

"HKLM\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries64\000000000008" => key removed successfully

"HKLM\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries64\000000000009" => key removed successfully

"HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer" => key removed successfully

"HKU\S-1-5-21-720449975-2614750782-2466370000-1001\SOFTWARE\Policies\Microsoft\Internet Explorer" => key removed successfully

"HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5C255C8A-E604-49b4-9D64-90988571CECB}" => key removed successfully

HKCR\Wow6432Node\CLSID\{5C255C8A-E604-49b4-9D64-90988571CECB} => key not found.

HKU\S-1-5-21-720449975-2614750782-2466370000-1001\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{2318C2B1-4965-11D4-9B18-009027A5CD4F} => value removed successfully

HKCR\CLSID\{2318C2B1-4965-11D4-9B18-009027A5CD4F} => key not found.

"HKCR\PROTOCOLS\Handler\livecall" => key removed successfully

HKCR\CLSID\{828030A1-22C1-4009-854F-8E305202313F} => key not found.

"HKCR\PROTOCOLS\Handler\msnim" => key removed successfully

HKCR\CLSID\{828030A1-22C1-4009-854F-8E305202313F} => key not found.

"HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE" => key removed successfully

"HKLM\Software\Wow6432Node\MozillaPlugins\@microsoft.com/GENUINE" => key removed successfully

HKLM\Software\Wow6432Node\Mozilla\Firefox\Extensions\\{ABDE892B-13A8-4d1b-88E6-365A6E755758} => value removed successfully

"HKLM\SOFTWARE\Google\Chrome\Extensions\iikflkcanblccfahdhdonehdalibjnif" => key removed successfully

"HKLM\SOFTWARE\Wow6432Node\Google\Chrome\Extensions\eofcbnmajmjmplflapaojjnihcjkigck" => key removed successfully

"HKLM\SOFTWARE\Wow6432Node\Google\Chrome\Extensions\gomekmidlodglbbmalcneegieacbdmki" => key removed successfully

C:\Users\Bill\AppData\Roaming\Microsoft\Windows\Start Menu\MSN.com.website => ":TASKICON_0favicon1129903636" ADS removed successfully.

C:\Users\Bill\AppData\Roaming\Microsoft\Windows\Start Menu\MSN.com.website => ":TASKICON_1favicon-298702541" ADS removed successfully.

C:\Users\Bill\AppData\Roaming\Microsoft\Windows\Start Menu\MSN.com.website => ":TASKICON_2favicon-1464078272" ADS removed successfully.

C:\Users\Bill\AppData\Roaming\Microsoft\Windows\Start Menu\MSN.com.website => ":TASKICON_3favicon-860043155" ADS removed successfully.

"C:\Users\Bill\AppData\Roaming\Microsoft\Windows\Start Menu\MSN.com.website" => "AlternateDataStreams: C:\Users\Bill\AppData\Roaming\Microsoft\Windows\Start Menu\MSN.com.website:TASKICON_4favicon640180837" ADS not found.

catchme => service removed successfully

MFE_RR => service removed successfully



========= netsh winsock reset catalog =========



Initialization Function InitHelperDll in NSHHTTP.DLL failed to start with error code 11003



Sucessfully reset the Winsock Catalog.

You must restart the computer in order to complete the reset.





========= End of CMD: =========





=========== EmptyTemp: ==========



BITS transfer queue => 8388608 B

DOMStore, IE Recovery, AppCache, Feeds Cache, Thumbcache, IconCache => 5433641 B

Java, Flash, Steam htmlcache => 20182 B

Windows/system/drivers => 247664 B

Edge => 0 B

Chrome => 9128368 B

Firefox => 0 B

Opera => 0 B



Temp, IE cache, history, cookies, recent:

Default => 33125 B

Public => 0 B

ProgramData => 0 B

systemprofile => 42343269 B

systemprofile32 => 110197 B

LocalService => 132244 B

NetworkService => 66228 B

Bill => 256504328 B

Rosemary => 248171546 B

UpdatusUser => 33125 B



RecycleBin => 0 B

EmptyTemp: => 544.2 MB temporary data Removed.



================================





The system needed a reboot.



==== End of Fixlog 11:13:21 ====



#5 nasdaq

nasdaq

  • Malware Response Team
  • 39,179 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:05:59 PM

Posted 24 August 2016 - 08:20 AM

Reset Internet Explorer:
Menu > Tools > Internet Options > Advanced Tab.
Click the Reset button on the bottom of the pane.
Click the Apply button.
Close IE.


Clean the Internet Explorer Cache.
https://kb.wisc.edu/page.php?id=15141
===

Run this cleaning tool.

Temporarily disable your AV program so it does not interfere.
Info on how to disable your security applications: How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs - Security Mini-Guides.

Download the Zoek tool from here

When the download appears, save to the Desktop.
On the Desktop, right-click the Zoek.exe file and select: Run as Administrator
(Give it a few seconds to appear.)

Next, copy/paste the entire script inside the code box below to the input field of Zoek:
createsrpoint;
autoclean;
emptyclsid;
emptyffcache;
FFdefaults;
emptyiecache;
iedefaults;
emptychrcache;
CHRdefaults;
emptyalltemp;
emptyfolderscheck;delete
ipconfig /flushdns;b
Now...
Close any open Browsers.
Click the Run script button, and wait. It takes a few minutes to run all the script.

When the tool finishes, the zoek-results.log is opened in Notepad.
The log is also found on the systemdrive, normally C:\
If a reboot is needed, the log is opened after the reboot.

Please attach the zoek-results.log in your reply.
===

Also, please provide an update on how the computer is behaving after running the above script.

#6 whatisavailable

whatisavailable
  • Topic Starter

  • Members
  • 212 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Texas
  • Local time:04:59 PM

Posted 24 August 2016 - 09:35 AM

Thank you.  We will follow these instructions later this morning and report back.



#7 whatisavailable

whatisavailable
  • Topic Starter

  • Members
  • 212 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Texas
  • Local time:04:59 PM

Posted 24 August 2016 - 02:41 PM

Hi

Zoek results are listed below.

While Avast was able to update itself and other "networky" things look like they are running, alas, going to google.com gets an error.

We ran the FRST again to give you a summary of what is there - thought it might be useful so it is included (guess I can't attach so it is just in the text after the zoek results)

Also, Avast shows the following in a pop-up: "Avast Web Shield has blocked access to this page because the following certificate is invalid: https://(clippedonimage)eonline.microsoft.com" (sorry, I took a screenshot and the first part of that URL might be missing).

 

Thank you for your help!

 


Zoek.exe v5.0.0.1 Updated 27-09-2015

Tool run by Bill on Wed 08/24/2016 at 11:21:18.32.

Microsoft Windows 7 Home Premium  6.1.7601 Service Pack 1 x64

Running in: Normal Mode No Internet Access Detected

Launched: C:\Users\Bill\Desktop\zoek.exe [Scan all users] [Script inserted]



==== System Restore Info ======================



8/24/2016 11:23:17 AM Zoek.exe System Restore Point Created Successfully.



==== Empty Folders Check ======================



C:\PROGRA~2\MSXML 4.0 deleted successfully

C:\PROGRA~2\The Weather Channel FW deleted successfully

C:\Program Files\Google deleted successfully

C:\Program Files\Preload deleted successfully

C:\Program Files\Symantec deleted successfully

C:\Program Files\Common Files\Symantec Shared deleted successfully

C:\PROGRA~3\PCSettings deleted successfully

C:\Users\Bill\AppData\Roaming\Skinux deleted successfully

C:\Users\Rosemary\AppData\Roaming\Skinux deleted successfully

C:\Users\Bill\AppData\Local\EmieBrowserModeList deleted successfully

C:\Users\Bill\AppData\Local\EmieSiteList deleted successfully

C:\Users\Bill\AppData\Local\EmieUserList deleted successfully

C:\Users\Bill\AppData\Local\KodakGallery deleted successfully

C:\Users\Bill\AppData\Local\Skype deleted successfully

C:\Users\Rosemary\AppData\Local\EmieBrowserModeList deleted successfully

C:\Users\Rosemary\AppData\Local\EmieSiteList deleted successfully

C:\Users\Rosemary\AppData\Local\EmieUserList deleted successfully

C:\Users\Rosemary\AppData\Local\KodakGallery deleted successfully



==== Deleting CLSID Registry Keys ======================





==== Deleting CLSID Registry Values ======================





==== Deleting Services ======================





==== Batch Command(s) Run By Tool======================





==== Deleting Files \ Folders ======================



C:\PROGRA~2\The Weather Channel FW not found

C:\PROGRA~2\Windows Live SkyDrive deleted

C:\PROGRA~3\Package Cache deleted

C:\Users\Bill\AppData\LocalLow\Yahoo! deleted

C:\Windows\SysNative\config\systemprofile\Searches deleted



==== Firefox Extensions Registry ======================



[HKEY_LOCAL_MACHINE\Software\Mozilla\Firefox\Extensions]

"wrc@avast.com"="C:\Program Files\AVAST Software\Avast\WebRep\FF" [08/18/2016 08:38 PM]

[HKEY_LOCAL_MACHINE\Software\Wow6432Node\Mozilla\Firefox\Extensions]

"{0153E448-190B-4987-BDE1-F256CADA672F}"="C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext" [08/04/2016 01:27 PM]



==== Chromium Look ======================



Google Chrome Version: 46.0.2490.86



HKEY_LOCAL_MACHINE\SOFTWARE\Google\Chrome\Extensions

iikflkcanblccfahdhdonehdalibjnif - No path found[]

jfmjfhklogoienhpfnppmbcbjfjnkonk - C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\Chrome\Ext\rphtml5video.crx[12/02/2012 05:09 PM]

lifbcibllhkdhoafpjfnlhfpfgnpldfl - C:\Program Files (x86)\Skype\Toolbars\ChromeExtension\skype_chrome_extension.crx[05/25/2016 10:31 AM]



RealPlayer Downloader - Bill\AppData\Local\Google\Chrome\User Data\Default\Extensions\idhngdhcfkoamngbedgpaokgjbnpdiji

RealPlayer Downloader - Rosemary\AppData\Local\Google\Chrome\User Data\Default\Extensions\idhngdhcfkoamngbedgpaokgjbnpdiji

Skype Click to Call - Rosemary\AppData\Local\Google\Chrome\User Data\Default\Extensions\lifbcibllhkdhoafpjfnlhfpfgnpldfl

Norton Security Toolbar - Rosemary\AppData\Local\Google\Chrome\User Data\Default\Extensions\mkfokfffehpeedafpekjeddnmnjhmcmk



==== Set IE to Default ======================



Old Values:

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]

"Start Page"="http://go.microsoft.com/fwlink/p/?LinkId=619797&pc=UE09&ocid=UE09DHP"



New Values:

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]

"Start Page"="http://go.microsoft.com/fwlink/p/?LinkId=619797&pc=UE09&ocid=UE09DHP"



==== All HKCU SearchScopes ======================



HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes

"DefaultScope"="{0633EE93-D776-472f-A0FF-E1416B8B2E3A}"

{012E1000-F331-11DB-8314-0800200C9A66} Google  Url="http://www.google.com/search?q={searchTerms}"

{0633EE93-D776-472f-A0FF-E1416B8B2E3A} Bing  Url="http://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IESR02&pc=UE10"

{6A1806CD-94D4-4689-BA73-E35EA1EA9990} Unknown  Url="Not_Found"



==== Reset Google Chrome ======================



C:\Users\Bill\AppData\Local\Google\Chrome\User Data\Default\Preferences was reset successfully

C:\Users\Bill\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences was reset successfully

C:\Users\Rosemary\AppData\Local\Google\Chrome\User Data\Default\Preferences was reset successfully

C:\Users\Rosemary\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences was reset successfully

C:\Users\Bill\AppData\Local\Google\Chrome\User Data\Default\Web Data was reset successfully

C:\Users\Rosemary\AppData\Local\Google\Chrome\User Data\Default\Web Data was reset successfully

C:\Users\Rosemary\AppData\Local\Google\Chrome\User Data\Default\Web Data-journal was reset successfully



==== Deleting CLSID Registry Keys ======================



HKEY_USERS\S-1-5-21-720449975-2614750782-2466370000-1001\Software\Microsoft\Internet Explorer\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990} deleted successfully

HKEY_USERS\S-1-5-21-720449975-2614750782-2466370000-1001\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{6CE4B8A6-4DB5-4F63-8013-1197503692EF} deleted successfully

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990} deleted successfully

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990} deleted successfully

HKEY_CLASSES_ROOT\Wow6432Node\CLSID\{6CE4B8A6-4DB5-4F63-8013-1197503692EF} deleted successfully



==== Deleting CLSID Registry Values ======================





==== Empty IE Cache ======================



C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5 emptied successfully

C:\Users\Bill\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5 emptied successfully

C:\Users\Bill\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5 emptied successfully

C:\Windows\SysNative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5 emptied successfully



==== Empty FireFox Cache ======================



No FireFox Profiles found



==== Empty Chrome Cache ======================



C:\Users\Bill\AppData\Local\Google\Chrome\User Data\Default\Cache emptied successfully

C:\Users\Rosemary\AppData\Local\Google\Chrome\User Data\Default\Cache emptied successfully



==== Empty All Flash Cache ======================



Flash Cache Emptied Successfully



==== Empty All Java Cache ======================



Java Cache cleared successfully



==== C:\zoek_backup content ======================



C:\zoek_backup (files=8 folders=6 7895483 bytes)



==== Empty Temp Folders ======================



C:\Users\Bill\AppData\Local\temp will be emptied at reboot

C:\Users\Default\AppData\Local\temp emptied successfully

C:\Users\Default User\AppData\Local\temp emptied successfully

C:\Users\Public\AppData\Local\temp emptied successfully

C:\Users\Rosemary\AppData\Local\temp emptied successfully

C:\Users\UpdatusUser\AppData\Local\temp emptied successfully

C:\Windows\sysWoW64\config\systemprofile\AppData\Local\Temp emptied successfully

C:\Windows\serviceprofiles\networkservice\AppData\Local\Temp will be emptied at reboot

C:\Windows\serviceprofiles\Localservice\AppData\Local\Temp emptied successfully

C:\Windows\Temp will be emptied at reboot



==== After Reboot ======================



==== Empty Temp Folders ======================



C:\Windows\Temp successfully emptied

C:\Users\Bill\AppData\Local\Temp successfully emptied



==== Empty Recycle Bin ======================



C:\$RECYCLE.BIN successfully emptied



==== Deleting Files / Folders ======================



"C:\Windows\serviceprofiles\networkservice\AppData\Local\Temp\Low" not deleted



==== EOF on Wed 08/24/2016 at 12:38:07.18 ======================
 

 

=================== FRST3.txt ================================

 

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 21-08-2016 01

Ran by Bill (administrator) on BILL-PC (24-08-2016 13:00:00)

Running from C:\Users\Bill\Desktop

Loaded Profiles: Bill (Available Profiles: Bill & Rosemary & UpdatusUser)

Platform: Windows 7 Home Premium Service Pack 1 (X64) Language: English (United States)

Internet Explorer Version 11 (Default browser: IE)

Boot Mode: Normal

Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/



==================== Processes (Whitelisted) =================



(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)



(NVIDIA Corporation) C:\Windows\System32\nvvsvc.exe

(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe

(NVIDIA Corporation) C:\Windows\System32\nvvsvc.exe

(AVAST Software) C:\Program Files\AVAST Software\Avast\AvastSvc.exe

(AVAST Software) C:\Program Files\AVAST Software\Avast\afwServ.exe

(ArcSoft Inc.) C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACService.exe

(Microsoft Corporation) C:\Program Files (x86)\Skype\Toolbars\AutoUpdate\SkypeC2CAutoUpdateSvc.exe

(Microsoft Corporation) C:\Program Files (x86)\Skype\Toolbars\PNRSvc\SkypeC2CPNRSvc.exe

(Acer Incorporated) C:\Program Files (x86)\eMachines\Registration\GregHSRW.exe

(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe

(AO Kaspersky Lab) C:\Program Files (x86)\Kaspersky Lab\Kaspersky Security Scan\kss.exe

(Skype Technologies S.A.) C:\Program Files (x86)\Skype\Phone\Skype.exe

(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\Display\nvtray.exe

(AO Kaspersky Lab) C:\Program Files (x86)\Kaspersky Lab\Kaspersky Software Updater Beta\ksu.exe

(ArcSoft Inc.) C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe

(RealNetworks, Inc.) C:\Program Files (x86)\Real\RealPlayer\RPDS\Bin\rpsystray.exe

() C:\Program Files\Logitech\Logitech WebCam Software\LWS.exe

(AVAST Software) C:\Program Files\AVAST Software\Avast\AvastUI.exe

(Adobe Systems Incorporated) C:\Program Files (x86)\Adobe\Reader 9.0\Reader\reader_sl.exe

() C:\Program Files (x86)\RealNetworks\RealDownloader\downloader2.exe

() C:\Program Files (x86)\Common Files\LogiShrd\LQCVFX\COCIManager.exe

(Logitech Inc.) C:\Program Files\Common Files\logishrd\LVMVFM\LVPrcSrv.exe

(Malwarebytes) C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe

(Logitech Inc.) C:\Program Files (x86)\Common Files\LogiShrd\LVMVFM\LVPrS64H.exe

(AO Kaspersky Lab) C:\Program Files (x86)\Kaspersky Lab\Kaspersky Security Scan\kss.exe

(Malwarebytes) C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe

(Skype Technologies) C:\Program Files (x86)\Skype\Updater\Updater.exe

(Malwarebytes) C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe

(Acer) C:\Program Files\eMachines\eMachines Updater\UpdaterService.exe

(AO Kaspersky Lab) C:\Program Files (x86)\Kaspersky Lab\Kaspersky Security Scan\kss.exe

(RealNetworks, Inc.) C:\Program Files (x86)\Real\RealPlayer\RPDS\Bin\rpdsvc.exe

(AO Kaspersky Lab) C:\Program Files (x86)\Kaspersky Lab\Kaspersky Security Scan\kss.exe

(Microsoft Corporation) C:\Windows\System32\dllhost.exe

(Tweaking.com) C:\Program Files (x86)\Tweaking.com\Windows Repair (All in One)\WR_Tray_Icon.exe

(Logitech, Inc.) C:\Program Files\Logitech\Logitech WebCam Software\LU\LULnchr.exe

(Logitech, Inc.) C:\Program Files\Logitech\Logitech WebCam Software\LU\LogitechUpdate.exe





==================== Registry (Whitelisted) ===========================



(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)



HKLM\...\Run: [RtHDVCpl] => C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe [7981088 2009-07-20] (Realtek Semiconductor)

HKLM-x32\...\Run: [ArcSoft Connection Service] => C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe [207424 2010-10-27] (ArcSoft Inc.)

HKLM-x32\...\Run: [LogitechQuickCamRibbon] => C:\Program Files\Logitech\Logitech WebCam Software\LWS.exe [2793304 2009-10-14] ()

HKLM-x32\...\Run: [Adobe ARM] => C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe [958576 2013-04-04] (Adobe Systems Incorporated)

HKLM-x32\...\Run: [AvastUI.exe] => C:\Program Files\AVAST Software\Avast\AvastUI.exe [9103976 2016-08-24] (AVAST Software)

HKLM-x32\...\Run: [SunJavaUpdateSched] => C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe [598552 2016-06-22] (Oracle Corporation)

HKLM-x32\...\Run: [TkBellExe] => C:\Program Files (x86)\Real\RealPlayer\Update\realsched.exe [293768 2016-08-19] (RealNetworks, Inc.)

HKLM-x32\...\Run: [RealDownloader] => C:\Program Files (x86)\RealNetworks\RealDownloader\downloader2.exe [714992 2016-05-13] ()

HKU\S-1-5-21-720449975-2614750782-2466370000-1001\...\Run: [KSS] => C:\Program Files (x86)\Kaspersky Lab\Kaspersky Security Scan\kss.exe [1556448 2015-12-15] (AO Kaspersky Lab)

HKU\S-1-5-21-720449975-2614750782-2466370000-1001\...\Run: [Skype] => C:\Program Files (x86)\Skype\Phone\Skype.exe [29494400 2016-07-13] (Skype Technologies S.A.)

HKU\S-1-5-18\...\Run: [KSS] => C:\Program Files (x86)\Kaspersky Lab\Kaspersky Security Scan\kss.exe [1556448 2015-12-15] (AO Kaspersky Lab)

ShellIconOverlayIdentifiers: [00avast] -> {472083B0-C522-11CF-8763-00608CC02F24} => C:\Program Files\AVAST Software\Avast\ashShA64.dll [2016-08-24] (AVAST Software)

Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Kaspersky Software Updater Beta.lnk [2016-08-16]

ShortcutTarget: Kaspersky Software Updater Beta.lnk -> C:\Program Files (x86)\Kaspersky Lab\Kaspersky Software Updater Beta\ksu.exe (AO Kaspersky Lab)

Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\RealTimes.lnk [2016-08-19]

ShortcutTarget: RealTimes.lnk -> C:\Program Files (x86)\Real\RealPlayer\RPDS\Bin\rpsystray.exe (RealNetworks, Inc.)



==================== Internet (Whitelisted) ====================



(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)



Tcpip\Parameters: [DhcpNameServer] 192.168.1.254

Tcpip\..\Interfaces\{6014EB82-7467-411F-99AD-057385EF415B}: [DhcpNameServer] 192.168.1.254



Internet Explorer:

==================

HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch

HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=msnhome

HKU\S-1-5-21-720449975-2614750782-2466370000-1001\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch

HKU\S-1-5-21-720449975-2614750782-2466370000-1001\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://go.microsoft.com/fwlink/p/?LinkId=619797&pc=UE09&ocid=UE09DHP

HKU\S-1-5-21-720449975-2614750782-2466370000-1001\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = hxxp://www.msn.com/?pc=UE09&ocid=UE09DHP

SearchScopes: HKLM -> DefaultScope {6A1806CD-94D4-4689-BA73-E35EA1EA9990} URL =

SearchScopes: HKLM-x32 -> DefaultScope {67A2568C-7A0A-4EED-AECC-B5405DE63B64} URL = hxxp://www.google.com/search?sourceid=ie7&q={searchTerms}&rls=com.microsoft:{language}:{referrer:source?}&ie={inputEncoding}&oe={outputEncoding}&rlz=1I7ACEW

SearchScopes: HKLM-x32 -> {67A2568C-7A0A-4EED-AECC-B5405DE63B64} URL = hxxp://www.google.com/search?sourceid=ie7&q={searchTerms}&rls=com.microsoft:{language}:{referrer:source?}&ie={inputEncoding}&oe={outputEncoding}&rlz=1I7ACEW

SearchScopes: HKU\S-1-5-21-720449975-2614750782-2466370000-1001 -> {012E1000-F331-11DB-8314-0800200C9A66} URL = hxxp://www.google.com/search?q={searchTerms}

BHO: RealNetworks Download and Record Plugin for Internet Explorer -> {3049C3E9-B461-4BC5-8870-4C09146192CA} -> C:\Program Files (x86)\RealNetworks\RealDownloader\BrowserPlugins\IE\rndlbrowserrecordplugin64.dll [2016-05-13] (RealDownloader)

BHO: avast! Online Security -> {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} -> C:\Program Files\AVAST Software\Avast\aswWebRepIE64.dll [2016-08-18] (AVAST Software)

BHO: Skype Click to Call for Internet Explorer -> {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} -> C:\Program Files (x86)\Skype\Toolbars\Internet Explorer x64\skypeieplugin.dll [2016-05-25] (Microsoft Corporation)

BHO-x32: Adobe PDF Link Helper -> {18DF081C-E8AD-4283-A596-FA578C2EBDC3} -> C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll [2013-05-08] (Adobe Systems Incorporated)

BHO-x32: RealNetworks Download and Record Plugin for Internet Explorer -> {3049C3E9-B461-4BC5-8870-4C09146192CA} -> C:\Program Files (x86)\RealNetworks\RealDownloader\BrowserPlugins\IE\rndlbrowserrecordplugin.dll [2016-05-13] (RealDownloader)

BHO-x32: Java™ Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files (x86)\Java\jre1.8.0_101\bin\ssv.dll [2016-08-19] (Oracle Corporation)

BHO-x32: avast! Online Security -> {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} -> C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll [2016-08-18] (AVAST Software)

BHO-x32: Windows Live Sign-in Helper -> {9030D464-4C02-4ABF-8ECC-5164760863C6} -> C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll [2009-01-22] (Microsoft Corporation)

BHO-x32: Skype Click to Call for Internet Explorer -> {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} -> C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll [2016-05-25] (Microsoft Corporation)

BHO-x32: Java™ Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files (x86)\Java\jre1.8.0_101\bin\jp2ssv.dll [2016-08-19] (Oracle Corporation)

DPF: HKLM-x32 {C345E174-3E87-4F41-A01C-B066A90A49B4} hxxp://trial.trymicrosoftoffice.com/trialoaa/buymsoffice_assets/framework/microsoft/wrc32.ocx

DPF: HKLM-x32 {E2883E8F-472F-4FB0-9522-AC9BF37916A7} hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

Handler-x32: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files (x86)\Common Files\Skype\Skype4COM.dll [2016-02-01] (Skype Technologies)

Handler: skypec2c - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer x64\skypeieplugin.dll [2016-05-25] (Microsoft Corporation)

Handler-x32: skypec2c - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll [2016-05-25] (Microsoft Corporation)



FireFox:

========

FF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files\Microsoft Silverlight\5.1.41212.0\npctrl.dll [2015-12-12] ( Microsoft Corporation)

FF Plugin-x32: @java.com/DTPlugin,version=11.101.2 -> C:\Program Files (x86)\Java\jre1.8.0_101\bin\dtplugin\npDeployJava1.dll [2016-08-19] (Oracle Corporation)

FF Plugin-x32: @java.com/JavaPlugin,version=11.101.2 -> C:\Program Files (x86)\Java\jre1.8.0_101\bin\plugin2\npjp2.dll [2016-08-19] (Oracle Corporation)

FF Plugin-x32: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files (x86)\Microsoft Silverlight\5.1.41212.0\npctrl.dll [2015-12-12] ( Microsoft Corporation)

FF Plugin-x32: @microsoft.com/WLPG,version=14.0.8117.0416 -> C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll [2010-04-16] (Microsoft Corporation)

FF Plugin-x32: @real.com/nppl3260;version=18.1.4.135 -> C:\Program Files (x86)\Real\RealPlayer\Netscape6\nppl3260.dll [2016-08-19] (RealNetworks, Inc.)

FF Plugin-x32: @real.com/nprpchromebrowserrecordext;version=15.0.6.14 -> C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprpchromebrowserrecordext.dll [2012-12-02] (RealNetworks, Inc.)

FF Plugin-x32: @real.com/nprphtml5videoshim;version=15.0.6.14 -> C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprphtml5videoshim.dll [2012-12-02] (RealNetworks, Inc.)

FF Plugin-x32: @real.com/nprpplugin;version=18.1.4.135 -> C:\Program Files (x86)\Real\RealPlayer\Netscape6\nprpplugin.dll [2016-08-19] (RealPlayer)

FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.31.5\npGoogleUpdate3.dll [2016-08-04] (Google Inc.)

FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.31.5\npGoogleUpdate3.dll [2016-08-04] (Google Inc.)

FF Plugin-x32: Adobe Reader -> C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\nppdf32.dll [2013-05-08] (Adobe Systems Inc.)

FF Plugin HKU\S-1-5-21-720449975-2614750782-2466370000-1001: @yahoo.com/BrowserPlus,version=2.9.8 -> C:\Users\Bill\AppData\Local\Yahoo!\BrowserPlus\2.9.8\Plugins\npybrowserplus_2.9.8.dll [2010-08-04] (Yahoo! Inc.)

FF HKLM\...\Firefox\Extensions: [sp@avast.com] - C:\Program Files\AVAST Software\Avast\SafePrice\FF

FF Extension: Avast SafePrice - C:\Program Files\AVAST Software\Avast\SafePrice\FF [2016-08-24]

FF HKLM\...\Firefox\Extensions: [wrc@avast.com] - C:\Program Files\AVAST Software\Avast\WebRep\FF

FF Extension: Avast Online Security - C:\Program Files\AVAST Software\Avast\WebRep\FF [2016-08-24]

FF HKLM-x32\...\Firefox\Extensions: [sp@avast.com] - C:\Program Files\AVAST Software\Avast\SafePrice\FF

FF HKLM-x32\...\Firefox\Extensions: [wrc@avast.com] - C:\Program Files\AVAST Software\Avast\WebRep\FF

FF HKLM-x32\...\Firefox\Extensions: [{0153E448-190B-4987-BDE1-F256CADA672F}] - C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext

FF Extension: RealPlayer Browser Record Plugin - C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext [2016-08-04] [not signed]



Chrome:

=======

CHR Profile: C:\Users\Bill\AppData\Local\Google\Chrome\User Data\Default

CHR Extension: (RealPlayer Downloader) - C:\Users\Bill\AppData\Local\Google\Chrome\User Data\Default\Extensions\idhngdhcfkoamngbedgpaokgjbnpdiji [2016-08-18]

CHR HKLM-x32\...\Chrome\Extension: [eofcbnmajmjmplflapaojjnihcjkigck] - hxxps://clients2.google.com/service/update2/crx

CHR HKLM-x32\...\Chrome\Extension: [gomekmidlodglbbmalcneegieacbdmki] - hxxps://clients2.google.com/service/update2/crx

CHR HKLM-x32\...\Chrome\Extension: [iikflkcanblccfahdhdonehdalibjnif] - hxxps://clients2.google.com/service/update2/crx

CHR HKLM-x32\...\Chrome\Extension: [jfmjfhklogoienhpfnppmbcbjfjnkonk] - C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\Chrome\Ext\rphtml5video.crx [2012-12-02]

CHR HKLM-x32\...\Chrome\Extension: [lifbcibllhkdhoafpjfnlhfpfgnpldfl] - C:\Program Files (x86)\Skype\Toolbars\ChromeExtension\skype_chrome_extension.crx [2016-05-25]



==================== Services (Whitelisted) ========================



(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)



R2 ACDaemon; C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACService.exe [113152 2010-03-18] (ArcSoft Inc.)

R2 avast! Antivirus; C:\Program Files\AVAST Software\Avast\AvastSvc.exe [197128 2016-08-24] (AVAST Software)

R2 avast! Firewall; C:\Program Files\AVAST Software\Avast\afwServ.exe [223600 2016-08-24] (AVAST Software)

R2 c2cautoupdatesvc; C:\Program Files (x86)\Skype\Toolbars\AutoUpdate\SkypeC2CAutoUpdateSvc.exe [1364096 2016-05-25] (Microsoft Corporation)

R2 c2cpnrsvc; C:\Program Files (x86)\Skype\Toolbars\PNRSvc\SkypeC2CPNRSvc.exe [1687680 2016-05-25] (Microsoft Corporation)

S3 GameConsoleService; C:\Program Files (x86)\eMachines Games\eMachines Game Console\GameConsoleService.exe [250616 2009-05-22] (WildTangent, Inc.)

R2 Greg_Service; C:\Program Files (x86)\eMachines\Registration\GregHSRW.exe [1150496 2009-08-28] (Acer Incorporated)

R2 kss; C:\Program Files (x86)\Kaspersky Lab\Kaspersky Security Scan\kss.exe [1556448 2015-12-15] (AO Kaspersky Lab)

R2 MBAMScheduler; C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe [1514464 2016-03-10] (Malwarebytes)

R2 MBAMService; C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe [1136608 2016-03-10] (Malwarebytes)

R2 RealTimes Desktop Service; C:\Program Files (x86)\Real\RealPlayer\RPDS\Bin\rpdsvc.exe [1095440 2016-08-19] (RealNetworks, Inc.)

R2 Updater Service; C:\Program Files\eMachines\eMachines Updater\UpdaterService.exe [240160 2009-07-03] (Acer)

S3 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [1011712 2013-05-27] (Microsoft Corporation)



===================== Drivers (Whitelisted) ==========================



(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)



U5 AppMgmt; C:\Windows\system32\svchost.exe [27136 2009-07-13] (Microsoft Corporation)

S3 aswHwid; C:\Windows\system32\drivers\aswHwid.sys [37656 2016-08-24] (AVAST Software)

R1 aswKbd; C:\Windows\system32\drivers\aswKbd.sys [37144 2016-08-24] (AVAST Software)

R2 aswMonFlt; C:\Windows\system32\drivers\aswMonFlt.sys [108816 2016-08-24] (AVAST Software)

R3 aswNetNd6; C:\Windows\System32\DRIVERS\aswNetNd6.sys [28312 2016-08-18] (AVAST Software)

R1 aswNetSec; C:\Windows\system32\drivers\aswNetSec.sys [453192 2016-08-24] (AVAST Software)

R1 aswRdr; C:\Windows\system32\drivers\aswRdr2.sys [103064 2016-08-24] (AVAST Software)

R0 aswRvrt; C:\Windows\System32\Drivers\aswRvrt.sys [74544 2016-08-24] (AVAST Software)

R1 aswSnx; C:\Windows\system32\drivers\aswSnx.sys [969560 2016-08-24] (AVAST Software)

R1 aswSP; C:\Windows\system32\drivers\aswSP.sys [513496 2016-08-24] (AVAST Software)

S2 aswStm; C:\Windows\system32\drivers\aswStm.sys [163416 2016-08-24] (AVAST Software)

R0 aswVmm; C:\Windows\System32\Drivers\aswVmm.sys [292704 2016-08-24] (AVAST Software)

S3 ebdrv; C:\Windows\system32\DRIVERS\evbda.sys [3286016 2009-06-10] (Broadcom Corporation)

R3 LVPr2M64; C:\Windows\System32\DRIVERS\LVPr2M64.sys [30232 2009-10-07] ()

S3 LVPr2Mon; C:\Windows\System32\DRIVERS\LVPr2M64.sys [30232 2009-10-07] ()

R1 mbamchameleon; C:\Windows\system32\drivers\mbamchameleon.sys [140672 2016-03-10] (Malwarebytes)

R3 MBAMProtector; C:\Windows\system32\drivers\mbam.sys [27008 2016-03-10] (Malwarebytes)

R3 MBAMSwissArmy; C:\Windows\system32\drivers\MBAMSwissArmy.sys [192216 2016-08-24] (Malwarebytes)

R3 MBAMWebAccessControl; C:\Windows\system32\drivers\mwac.sys [64896 2016-03-10] (Malwarebytes Corporation)



==================== NetSvcs (Whitelisted) ===================



(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)





==================== One Month Created files and folders ========



(If an entry is included in the fixlist, the file/folder will be moved.)



2016-08-24 12:47 - 2016-08-24 12:47 - 00391496 _____ (AVAST Software) C:\Windows\system32\aswBoot.exe

2016-08-24 12:46 - 2016-08-24 12:46 - 00053208 _____ (AVAST Software) C:\Windows\avastSS.scr

2016-08-24 11:56 - 2016-08-24 11:20 - 00024064 _____ C:\Windows\zoek-delete.exe

2016-08-24 11:20 - 2016-08-24 12:36 - 00000000 ____D C:\zoek_backup

2016-08-24 11:08 - 2016-08-24 09:00 - 00002310 _____ C:\Users\Bill\Desktop\latest-post.txt

2016-08-24 11:08 - 2016-08-24 08:58 - 00000188 _____ C:\Users\Bill\Desktop\zoek-input.txt

2016-08-24 11:08 - 2016-08-24 08:55 - 01309184 _____ C:\Users\Bill\Desktop\zoek.exe

2016-08-23 11:11 - 2016-08-23 11:23 - 00006668 _____ C:\Users\Bill\Desktop\Fixlog2.txt

2016-08-21 20:26 - 2016-08-21 20:27 - 00038465 _____ C:\Users\Bill\Desktop\Addition.txt

2016-08-21 20:23 - 2016-08-24 13:00 - 00018526 _____ C:\Users\Bill\Desktop\FRST.txt

2016-08-21 20:23 - 2016-08-24 13:00 - 00000000 ____D C:\FRST

2016-08-21 20:23 - 2016-08-21 20:00 - 02396672 _____ (Farbar) C:\Users\Bill\Desktop\FRST64.exe

2016-08-19 22:16 - 2016-08-19 22:16 - 00013739 _____ C:\ComboFix.txt

2016-08-19 22:01 - 2016-08-19 22:01 - 00002697 _____ C:\Users\Public\Desktop\Skype.lnk

2016-08-19 22:01 - 2016-08-19 22:01 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Skype

2016-08-19 21:59 - 2016-08-19 21:59 - 00001213 _____ C:\Users\Public\Desktop\RealPlayer (RealTimes).lnk

2016-08-19 21:59 - 2016-08-19 21:59 - 00000318 _____ C:\Windows\Tasks\RealDownloaderRealUpgradeScheduledTaskS-1-5-21-720449975-2614750782-2466370000-1001.job

2016-08-19 21:59 - 2016-08-19 21:59 - 00000000 ____D C:\Users\Bill\AppData\Roaming\RealNetworks

2016-08-19 21:59 - 2016-08-19 21:59 - 00000000 ____D C:\ProgramData\RealNetworks

2016-08-19 21:59 - 2016-08-19 21:59 - 00000000 ____D C:\Program Files (x86)\RealNetworks

2016-08-19 21:58 - 2016-08-19 21:58 - 00512392 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msvcp71.dll

2016-08-19 21:58 - 2016-08-19 21:58 - 00360840 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msvcr71.dll

2016-08-19 21:58 - 2016-08-19 21:58 - 00285576 _____ (Progressive Networks) C:\Windows\SysWOW64\pncrt.dll

2016-08-19 21:58 - 2016-08-19 21:58 - 00207752 _____ (RealNetworks, Inc.) C:\Windows\SysWOW64\rmoc3260.dll

2016-08-19 21:56 - 2016-08-19 21:56 - 00000000 ____D C:\Users\Bill\AppData\Roaming\Sun

2016-08-19 21:56 - 2016-08-19 21:56 - 00000000 ____D C:\Users\Bill\.oracle_jre_usage

2016-08-19 21:55 - 2016-08-19 21:55 - 00097856 _____ (Oracle Corporation) C:\Windows\SysWOW64\WindowsAccessBridge-32.dll

2016-08-19 21:55 - 2016-08-19 21:55 - 00000000 ____D C:\ProgramData\Oracle

2016-08-19 21:55 - 2016-08-19 21:55 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Java

2016-08-19 21:55 - 2016-08-19 21:55 - 00000000 ____D C:\Program Files (x86)\Java

2016-08-19 21:46 - 2016-08-19 19:55 - 177912864 _____ (Kaspersky Lab) C:\Users\Bill\Desktop\kis17.0.0.611en_10743.exe

2016-08-19 20:12 - 2016-08-19 20:12 - 00000000 ____D C:\Users\Bill\AppData\Local\ESET

2016-08-19 02:41 - 2016-08-19 21:48 - 00288465 _____ C:\Windows\SysWOW64\rsslogs.20160819024141

2016-08-18 20:43 - 2016-08-19 02:41 - 00101526 _____ C:\Windows\SysWOW64\rsslogs.20160818204204

2016-08-18 20:34 - 2016-08-18 20:34 - 00008454 _____ C:\Windows\SysWOW64\rsslogs.20160818203311

2016-08-18 20:32 - 2016-08-18 20:32 - 00000000 ____D C:\Users\Bill\AppData\Roaming\AVAST Software

2016-08-18 20:31 - 2016-08-24 12:49 - 00003888 _____ C:\Windows\System32\Tasks\SafeZone scheduled Autoupdate 1471570286

2016-08-18 20:31 - 2016-08-18 20:31 - 00001931 _____ C:\Users\Public\Desktop\Avast Internet Security.lnk

2016-08-18 20:31 - 2016-08-18 20:31 - 00001052 _____ C:\Users\Public\Desktop\Avast SafeZone Browser.lnk

2016-08-18 20:31 - 2016-08-18 20:31 - 00001052 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Avast SafeZone Browser.lnk

2016-08-18 20:31 - 2016-08-18 20:31 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\AVAST Software

2016-08-18 20:28 - 2016-08-24 12:47 - 00003922 _____ C:\Windows\System32\Tasks\avast! Emergency Update

2016-08-18 20:28 - 2016-08-18 20:28 - 00000000 ____D C:\Windows\System32\Tasks\AVAST Software

2016-08-18 20:27 - 2016-08-24 12:47 - 00513496 _____ (AVAST Software) C:\Windows\system32\Drivers\aswSP.sys

2016-08-18 20:27 - 2016-08-24 12:47 - 00292704 _____ (AVAST Software) C:\Windows\system32\Drivers\aswVmm.sys

2016-08-18 20:27 - 2016-08-24 12:47 - 00163416 _____ (AVAST Software) C:\Windows\system32\Drivers\aswStm.sys

2016-08-18 20:27 - 2016-08-24 12:47 - 00108816 _____ (AVAST Software) C:\Windows\system32\Drivers\aswMonFlt.sys

2016-08-18 20:27 - 2016-08-24 12:47 - 00103064 _____ (AVAST Software) C:\Windows\system32\Drivers\aswRdr2.sys

2016-08-18 20:27 - 2016-08-24 12:47 - 00074544 _____ (AVAST Software) C:\Windows\system32\Drivers\aswRvrt.sys

2016-08-18 20:27 - 2016-08-24 12:47 - 00037656 _____ (AVAST Software) C:\Windows\system32\Drivers\aswHwid.sys

2016-08-18 20:27 - 2016-08-24 12:46 - 00969560 _____ (AVAST Software) C:\Windows\system32\Drivers\aswSnx.sys

2016-08-18 20:27 - 2016-08-24 12:46 - 00453192 _____ (AVAST Software) C:\Windows\system32\Drivers\aswNetSec.sys

2016-08-18 20:27 - 2016-08-24 12:46 - 00037144 _____ (AVAST Software) C:\Windows\system32\Drivers\aswKbd.sys

2016-08-18 20:26 - 2016-08-18 20:26 - 00992960 _____ (Microsoft Corporation) C:\Windows\system32\ucrtbase.dll

2016-08-18 20:26 - 2016-08-18 20:26 - 00921280 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ucrtbase.dll

2016-08-18 20:26 - 2016-08-18 20:26 - 00028312 _____ (AVAST Software) C:\Windows\system32\Drivers\aswNetNd6.sys

2016-08-18 20:26 - 2016-08-18 20:26 - 00000000 ____D C:\Program Files\AVAST Software

2016-08-18 20:25 - 2016-08-18 20:26 - 00000000 ____D C:\ProgramData\AVAST Software

2016-08-18 20:21 - 2016-08-18 20:33 - 00017105 _____ C:\Windows\SysWOW64\rsslogs.20160818202047

2016-08-18 19:18 - 2016-08-18 19:20 - 00192146 _____ C:\TDSSKiller.3.1.0.11_18.08.2016_19.18.12_log.txt

2016-08-18 19:16 - 2016-08-18 19:16 - 00072580 _____ C:\Windows\SysWOW64\rsslogs.20160818191546

2016-08-17 03:01 - 2016-08-17 03:01 - 00133372 _____ C:\Windows\SysWOW64\rsslogs.20160817030015

2016-08-16 21:02 - 2016-08-17 03:01 - 00095608 _____ C:\Windows\SysWOW64\rsslogs.20160816210111

2016-08-16 17:46 - 2016-08-16 17:46 - 00000207 _____ C:\Windows\tweaking.com-regbackup-BILL-PC-Windows-7-Home-Premium-(64-bit).dat

2016-08-16 17:46 - 2016-08-16 17:46 - 00000000 ____D C:\RegBackup

2016-08-16 17:28 - 2016-08-16 17:28 - 00020519 _____ C:\Windows\SysWOW64\rsslogs.20160816172703

2016-08-16 17:02 - 2016-08-16 17:02 - 00002168 _____ C:\Users\Bill\Desktop\Tweaking.com - Windows Repair.lnk

2016-08-16 17:01 - 2016-08-16 17:02 - 00188913 _____ C:\Windows\Tweaking.com - Windows Repair Setup Log.txt

2016-08-16 17:01 - 2016-08-16 17:01 - 00003650 _____ C:\Windows\System32\Tasks\Tweaking.com - Windows Repair Tray Icon

2016-08-16 17:01 - 2016-08-16 17:01 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Tweaking.com

2016-08-16 17:01 - 2016-08-16 17:01 - 00000000 ____D C:\Program Files (x86)\Tweaking.com

2016-08-16 16:55 - 2016-08-18 20:14 - 00001868 _____ C:\Users\Bill\Desktop\sc-cleaner.txt

2016-08-16 16:35 - 2016-08-19 22:06 - 00001954 _____ C:\Users\Bill\Desktop\Rkill.txt

2016-08-16 16:33 - 2016-08-16 17:27 - 00003358 _____ C:\Windows\System32\Tasks\RealDownloaderRealUpgradeScheduledTaskS-1-5-21-720449975-2614750782-2466370000-1001

2016-08-16 16:32 - 2016-08-16 16:32 - 00038628 _____ C:\Windows\SysWOW64\rsslogs.20160816163127

2016-08-16 14:35 - 2016-08-16 14:35 - 00001104 _____ C:\Users\Public\Desktop\Kaspersky Software Updater Beta.lnk

2016-08-16 14:35 - 2016-08-16 14:35 - 00000000 ____D C:\Users\Bill\AppData\Local\CEF

2016-08-16 14:35 - 2016-08-16 14:35 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Kaspersky Software Updater Beta

2016-08-16 14:34 - 2016-08-16 14:35 - 00000000 ____D C:\ProgramData\Kaspersky Lab

2016-08-16 14:34 - 2016-08-16 14:35 - 00000000 ____D C:\Program Files (x86)\Kaspersky Lab

2016-08-16 14:34 - 2016-08-16 14:34 - 00001064 _____ C:\Users\Public\Desktop\Kaspersky Security Scan.lnk

2016-08-16 14:34 - 2016-08-16 14:34 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Kaspersky Security Scan

2016-08-16 14:31 - 2016-08-16 16:33 - 00000000 ____D C:\ProgramData\Kaspersky Lab Setup Files

2016-08-16 14:30 - 2016-08-16 14:30 - 00017379 _____ C:\Users\Bill\Desktop\JRT.txt

2016-08-16 14:21 - 2016-08-16 14:21 - 00070119 _____ C:\Windows\SysWOW64\rsslogs.20160816142010

2016-08-16 14:14 - 2016-08-16 14:18 - 00000000 ____D C:\AdwCleaner

2016-08-16 13:53 - 2016-08-14 21:50 - 05658927 ____R (Swearware) C:\Users\Bill\Desktop\ComboFix-3.exe

2016-08-16 13:29 - 2016-08-16 14:17 - 00059156 _____ C:\Windows\SysWOW64\rsslogs.20160816132801

2016-08-16 12:13 - 2016-08-24 12:57 - 00192216 _____ (Malwarebytes) C:\Windows\system32\Drivers\MBAMSwissArmy.sys

2016-08-16 12:13 - 2016-08-16 12:13 - 00001111 _____ C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk

2016-08-16 12:13 - 2016-08-16 12:13 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes Anti-Malware

2016-08-16 12:13 - 2016-08-16 12:13 - 00000000 ____D C:\ProgramData\Malwarebytes

2016-08-16 12:13 - 2016-08-16 12:13 - 00000000 ____D C:\Program Files (x86)\Malwarebytes Anti-Malware

2016-08-16 12:13 - 2016-03-10 14:09 - 00064896 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mwac.sys

2016-08-16 12:13 - 2016-03-10 14:08 - 00140672 _____ (Malwarebytes) C:\Windows\system32\Drivers\mbamchameleon.sys

2016-08-16 12:13 - 2016-03-10 14:08 - 00027008 _____ (Malwarebytes) C:\Windows\system32\Drivers\mbam.sys

2016-08-16 10:34 - 2011-06-26 01:45 - 00256000 _____ C:\Windows\PEV.exe

2016-08-16 10:34 - 2010-11-07 12:20 - 00208896 _____ C:\Windows\MBR.exe

2016-08-16 10:34 - 2009-04-19 23:56 - 00060416 _____ (NirSoft) C:\Windows\NIRCMD.exe

2016-08-16 10:34 - 2000-08-30 19:00 - 00518144 _____ (SteelWerX) C:\Windows\SWREG.exe

2016-08-16 10:34 - 2000-08-30 19:00 - 00406528 _____ (SteelWerX) C:\Windows\SWSC.exe

2016-08-16 10:34 - 2000-08-30 19:00 - 00098816 _____ C:\Windows\sed.exe

2016-08-16 10:34 - 2000-08-30 19:00 - 00080412 _____ C:\Windows\grep.exe

2016-08-16 10:34 - 2000-08-30 19:00 - 00068096 _____ C:\Windows\zip.exe

2016-08-16 10:30 - 2016-08-19 22:16 - 00000000 ____D C:\Qoobox

2016-08-16 10:30 - 2016-08-16 10:48 - 00000000 ____D C:\Windows\erdnt

2016-08-16 10:23 - 2016-07-07 19:55 - 01610560 _____ (Malwarebytes) C:\Users\Rosemary\Desktop\JRT.exe

2016-08-16 10:22 - 2016-08-14 21:50 - 05658927 ____R (Swearware) C:\Users\Rosemary\Desktop\ComboFix-3.exe

2016-08-16 10:22 - 2016-08-12 17:16 - 03784256 _____ C:\Users\Rosemary\Desktop\AdwCleaner-4.exe

2016-08-16 10:22 - 2016-07-28 03:53 - 237945104 _____ (AVAST Software) C:\Users\Rosemary\Desktop\avast_internet_security_setup_offline.exe

2016-08-16 10:22 - 2016-05-13 06:45 - 03017376 _____ (ESET) C:\Users\Rosemary\Desktop\eset_smart_security_live_installer.exe

2016-08-16 10:22 - 2016-03-30 09:59 - 22851472 _____ (Malwarebytes ) C:\Users\Rosemary\Desktop\mbam-setup-bc.1878-2.2.1.1043.exe

2016-08-16 10:22 - 2016-02-24 10:01 - 02622304 _____ (Kaspersky Lab) C:\Users\Rosemary\Desktop\kss16.0.0.1344en_9702-2.exe

2016-08-16 10:22 - 2013-04-05 12:00 - 09096848 _____ (SurfRight B.V.) C:\Users\Rosemary\Desktop\HitmanPro.exe

2016-08-12 11:41 - 2016-08-11 18:27 - 06757915 _____ C:\Users\Rosemary\Desktop\combofix.exe.exe

2016-08-11 17:31 - 2016-08-21 16:37 - 00169654 _____ C:\Windows\ntbtlog.txt

2016-08-11 16:54 - 2016-08-11 16:54 - 00043465 _____ C:\Windows\SysWOW64\rsslogs.20160811165350

2016-08-11 16:45 - 2016-08-11 16:45 - 00008457 _____ C:\Windows\SysWOW64\rsslogs.20160811164442

2016-08-10 14:48 - 2016-08-11 16:45 - 00033804 _____ C:\Windows\SysWOW64\rsslogs.20160810144732

2016-08-04 13:30 - 2016-08-10 14:48 - 00047082 _____ C:\Windows\SysWOW64\rsslogs.20160804132935



==================== One Month Modified files and folders ========



(If an entry is included in the fixlist, the file/folder will be moved.)



2016-08-24 12:57 - 2010-06-01 19:57 - 00000000 ____D C:\Users\Bill\AppData\Roaming\Skype

2016-08-24 12:57 - 2009-07-13 22:20 - 00000000 ____D C:\Windows\inf

2016-08-24 12:56 - 2010-02-06 13:39 - 00000894 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job

2016-08-24 12:55 - 2010-05-02 11:50 - 00000000 _____ C:\Windows\system32\Drivers\lvuvc.hs

2016-08-24 12:55 - 2009-07-14 00:08 - 00000006 ____H C:\Windows\Tasks\SA.DAT

2016-08-24 12:44 - 2009-07-13 23:45 - 00009920 _____ C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0

2016-08-24 12:44 - 2009-07-13 23:45 - 00009920 _____ C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0

2016-08-24 12:40 - 2009-07-14 00:13 - 00772352 _____ C:\Windows\system32\PerfStringBackup.INI

2016-08-24 12:39 - 2010-02-06 13:39 - 00000898 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job

2016-08-21 16:57 - 2009-07-13 22:20 - 00000000 ____D C:\Windows\system32\NDF

2016-08-19 22:13 - 2009-07-13 21:34 - 00000215 _____ C:\Windows\system.ini

2016-08-19 22:01 - 2010-05-02 17:11 - 00000000 ___RD C:\Program Files (x86)\Skype

2016-08-19 22:01 - 2010-05-02 17:11 - 00000000 ____D C:\ProgramData\Skype

2016-08-19 22:00 - 2011-10-05 17:19 - 00000000 ____D C:\Users\Bill\AppData\Roaming\Real

2016-08-19 21:59 - 2013-11-26 16:58 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\RealNetworks

2016-08-19 21:59 - 2011-10-05 17:19 - 00000000 ____D C:\Program Files (x86)\Real

2016-08-19 21:57 - 2011-10-05 17:19 - 00000000 ____D C:\ProgramData\Real

2016-08-19 21:56 - 2010-01-19 11:10 - 00000000 ____D C:\Users\Bill

2016-08-18 20:28 - 2015-07-16 10:11 - 00000000 ____D C:\Program Files\Common Files\AV

2016-08-18 20:28 - 2009-10-29 07:37 - 00000000 ____D C:\Program Files (x86)\Google

2016-08-18 19:20 - 2010-10-23 11:55 - 00079608 _____ C:\Users\Bill\AppData\Local\GDIPFONTCACHEV1.DAT

2016-08-17 02:30 - 2009-07-13 22:20 - 00000000 ____D C:\Windows\rescache

2016-08-16 21:15 - 2010-08-26 15:16 - 00000000 ____D C:\Users\Bill\AppData\Local\CrashDumps

2016-08-16 20:59 - 2009-07-13 23:45 - 00335312 _____ C:\Windows\system32\FNTCACHE.DAT

2016-08-16 18:13 - 2009-07-13 21:34 - 00000439 _____ C:\Windows\win.ini

2016-08-16 18:10 - 2013-05-13 10:52 - 00782510 _____ C:\Windows\SysWOW64\PerfStringBackup.INI

2016-08-16 17:27 - 2015-03-11 17:01 - 00003222 _____ C:\Windows\System32\Tasks\RealDownloaderRealUpgradeLogonTaskS-1-5-21-720449975-2614750782-2466370000-1001

2016-08-16 16:54 - 2011-10-05 17:19 - 00000000 ____D C:\Users\Bill\AppData\Local\The Weather Channel

2016-08-16 16:27 - 2009-10-29 07:47 - 00000000 ____D C:\ProgramData\Norton

2016-08-16 16:25 - 2009-10-29 07:50 - 00000000 ____D C:\ProgramData\Symantec

2016-08-16 14:35 - 2015-01-19 15:52 - 00000000 __SHD C:\Users\Bill\AppData\LocalLow\EmieBrowserModeList

2016-08-16 14:35 - 2014-04-20 11:57 - 00000000 __SHD C:\Users\Bill\AppData\LocalLow\EmieUserList

2016-08-16 14:35 - 2014-04-20 11:22 - 00000000 __SHD C:\Users\Bill\AppData\LocalLow\EmieSiteList

2016-08-16 14:29 - 2015-08-06 09:43 - 00000000 ____D C:\Windows\System32\Tasks\Remediation

2016-08-16 14:22 - 2013-04-16 03:03 - 00000000 ____D C:\Users\UpdatusUser

2016-08-16 13:29 - 2015-01-19 15:53 - 00003200 _____ C:\Windows\System32\Tasks\RealPlayerRealUpgradeLogonTaskS-1-5-21-720449975-2614750782-2466370000-1001

2016-08-16 13:28 - 2015-01-19 15:52 - 00003336 _____ C:\Windows\System32\Tasks\RealPlayerRealUpgradeScheduledTaskS-1-5-21-720449975-2614750782-2466370000-1001

2016-08-16 10:46 - 2009-07-13 21:34 - 00000027 _____ C:\Windows\system32\Drivers\etc\hosts_bak_726

2016-08-16 10:43 - 2009-07-13 21:34 - 94371840 _____ C:\Windows\system32\config\software.bak

2016-08-16 10:43 - 2009-07-13 21:34 - 16252928 _____ C:\Windows\system32\config\system.bak

2016-08-16 10:43 - 2009-07-13 21:34 - 00262144 _____ C:\Windows\system32\config\security.bak

2016-08-16 10:43 - 2009-07-13 21:34 - 00262144 _____ C:\Windows\system32\config\sam.bak

2016-08-16 10:43 - 2009-07-13 21:34 - 00262144 _____ C:\Windows\system32\config\default.bak

2016-08-16 10:42 - 2009-07-14 00:32 - 00000000 ____D C:\Windows\Downloaded Program Files

2016-08-11 17:24 - 2010-05-02 17:11 - 00000000 ____D C:\Users\Rosemary\AppData\Roaming\Skype

2016-08-11 16:54 - 2016-06-23 11:02 - 00003344 _____ C:\Windows\System32\Tasks\RealPlayerRealUpgradeScheduledTaskS-1-5-21-720449975-2614750782-2466370000-1003

2016-08-11 16:54 - 2016-06-23 11:02 - 00003216 _____ C:\Windows\System32\Tasks\RealPlayerRealUpgradeLogonTaskS-1-5-21-720449975-2614750782-2466370000-1003

2016-08-10 14:50 - 2010-05-02 17:11 - 00002204 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome.lnk

2016-08-04 13:34 - 2010-02-06 13:39 - 00003894 _____ C:\Windows\System32\Tasks\GoogleUpdateTaskMachineUA

2016-08-04 13:34 - 2010-02-06 13:39 - 00003642 _____ C:\Windows\System32\Tasks\GoogleUpdateTaskMachineCore

2016-08-04 13:32 - 2010-01-19 11:27 - 00000000 ____D C:\Users\Rosemary

2016-08-04 13:27 - 2013-03-14 03:03 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Silverlight

2016-08-04 13:27 - 2013-03-14 03:02 - 00000000 ____D C:\Program Files\Microsoft Silverlight

2016-08-04 13:27 - 2013-03-14 03:02 - 00000000 ____D C:\Program Files (x86)\Microsoft Silverlight

2016-08-04 13:27 - 2010-01-21 11:50 - 00000000 ____D C:\Users\Rosemary\AppData\Roaming\ArcSoft

2016-08-04 13:27 - 2010-01-19 15:26 - 00000000 ____D C:\ProgramData\ArcSoft

2016-08-04 13:27 - 2009-10-29 07:25 - 00000000 ____D C:\Program Files (x86)\Microsoft Office

2016-08-04 13:27 - 2009-07-13 22:20 - 00000000 ____D C:\Windows\servicing

2016-08-04 13:27 - 2009-07-13 22:20 - 00000000 ____D C:\Program Files\Common Files\Microsoft Shared

2016-08-04 13:26 - 2009-07-13 22:20 - 00000000 ____D C:\Windows\registration



==================== Files in the root of some directories =======



2014-05-22 15:19 - 2014-05-22 16:07 - 0000142 _____ () C:\Users\Bill\AppData\Roaming\wklnhst.dat

2010-05-02 17:17 - 2010-05-02 17:17 - 0000048 _____ () C:\ProgramData\ezsidmv.dat



==================== Bamital & volsnap =================



(There is no automatic fix for files that do not pass verification.)



C:\Windows\system32\winlogon.exe => File is digitally signed

C:\Windows\system32\wininit.exe => File is digitally signed

C:\Windows\SysWOW64\wininit.exe => File is digitally signed

C:\Windows\explorer.exe => File is digitally signed

C:\Windows\SysWOW64\explorer.exe => File is digitally signed

C:\Windows\system32\svchost.exe => File is digitally signed

C:\Windows\SysWOW64\svchost.exe => File is digitally signed

C:\Windows\system32\services.exe => File is digitally signed

C:\Windows\system32\User32.dll => File is digitally signed

C:\Windows\SysWOW64\User32.dll => File is digitally signed

C:\Windows\system32\userinit.exe => File is digitally signed

C:\Windows\SysWOW64\userinit.exe => File is digitally signed

C:\Windows\system32\rpcss.dll => File is digitally signed

C:\Windows\system32\dnsapi.dll => File is digitally signed

C:\Windows\SysWOW64\dnsapi.dll => File is digitally signed

C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed





LastRegBack: 2016-08-17 01:02



==================== End of FRST.txt ============================



#8 nasdaq

nasdaq

  • Malware Response Team
  • 39,179 posts
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:05:59 PM

Posted 25 August 2016 - 08:39 AM



Avast shows the following in a pop-up: "Avast Web Shield has blocked access to this page because the following certificate is invalid: https://(clippedonimage)eonline.microsoft.com"

No such link https:\\... Was there an image?
It could have been a bad link. At least Avast worked.

Reset Internet Explorer:
Menu > Tools > Internet Options > Advanced Tab.
Click the Reset button on the bottom of the pane.
Click the Apply button.
Close IE.


Clean the Internet Explorer Cache.
https://kb.wisc.edu/page.php?id=15141
===

Let me know what problem persists.

#9 whatisavailable

whatisavailable
  • Topic Starter

  • Members
  • 212 posts
  • Gender:Male
  • Location:Texas
  • Local time:04:59 PM

Posted 25 August 2016 - 11:34 AM

Hi

Thanks. We did that a couple of times before.

Went ahead and completed the steps per your request.

 

Avast is still complaining about an invalid certificate and prevents the page from being displayed.  Turns out the URL was actually https://eonline.microsoft.com (though there was something before the e but there was not).

When IE comes up, it brings up the msn.com webpage normally.  Then it immediately opens a new window and that new window, with the same msn.com URL, shows up with an error "This page can't be displayed" with an offer to "fix connection problems".

 

IE also asks to choose add-ons.  The add-ons that are listed are Discuss and Research.

 

An attempt to go to bleepingcomputer.com from the infected computer worked for the first time.  Avast comes up with a lot of certificate errors once she brought up bleepingcomputer.com.  It appears that "expedia.XXX" is listed as an invalid certificate and Avast has blocked access to it. Suspect this is from the other window that is open.

 

When "google.com" is entered into the URL window in IE, it comes up with the page can't be displayed and the URL resolves to "https://www.google.com/?gws_rd=ssl"

 

I noticed that when she puts in a URL within the IE window, the system will not just go to that address but somehow does a search that ends up going to www.bing.com.  Entering "cnn.com" will not go to cnn.com but brings up www.bing.com with "cnn.com" in the bing search window.  Clicking on the CNN Official site has the site show up eventually, but Avast is yet again complaining about the certificate for the site z.moatads.com.

 

No real change.

 

Thanks!

 

PS - We let the computer try to run Windows Update overnight but it never actually was able to update itself.


Edited by whatisavailable, 25 August 2016 - 11:35 AM.


#10 whatisavailable

whatisavailable
  • Topic Starter

  • Members
  • 212 posts
  • Gender:Male
  • Location:Texas
  • Local time:04:59 PM

Posted 25 August 2016 - 12:32 PM

FYI, I looked up the avast certificate issue and found this:

 

http://support.postbox-inc.com/hc/en-us/articles/204602300-Invalid-Security-Certificate-Error-when-using-AVAST

 

But I haven't followed the instructions yet until we hear back from you.

Thanks



#11 nasdaq

nasdaq

  • Malware Response Team
  • 39,179 posts
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:05:59 PM

Posted 26 August 2016 - 08:30 AM

Run this tool and fix everything that will be identified.
When required the default settings will be used.

--RogueKiller--
  • Download & SAVE to your Desktop: Download RogueKiller
  • Quit all programs that you may have started.
  • Please disconnect any USB or external drives from the computer before you run this scan!
  • For Vista or above, right-click the program file and select "Run as Administrator"
  • Accept the user agreements.
  • Execute the scan and wait until it has finished.
  • If a window opens to explain what [PUM's] are, read about it.
  • Click the RogueKiller icon on your taskbar to return to the report.
  • Click open the Report
  • Click Export TXT button
  • Save the file as ReportRogue.txt
  • Click the Remove button to delete the items in RED
  • Click Finish and close the program.
  • Locate the ReportRogue.txt file on your Desktop and copy/paste the contents in your next reply.
=======

If the problem persists, yes, execute the Avast fix.
This should be temporary and should be re-enabled when the Windows updates are completed.

http://support.postbox-inc.com/hc/en-us/articles/204602300-Invalid-Security-Certificate-Error-when-using-AVAST

===

Check the Windows Updates status.
http://pcsupport.about.com/od/system-security/f/windows-update-settings.htm

Set it to
Check for updates but let me choose whether to download and install them: With this option, Windows Update will check for and notify you of available updates but you'll need to manually approve the download and installation of them.

Download only the important updates manually.

If the updates freeze, make a note of the KB update number.

Post it for my review.

#12 whatisavailable

whatisavailable
  • Topic Starter

  • Members
  • 212 posts
  • Gender:Male
  • Location:Texas
  • Local time:04:59 PM

Posted 26 August 2016 - 01:53 PM

Hi

Sadly, the computer is still acting up in a similar way.  cnn.com comes up but going to google or nearly anything else comes up with the site can't be found error.

 

Confirmed the Update settings but it never updates. 

 

RogueKiller report is listed below. 

Thanks!

 

 

=============

RogueKiller V12.5.1.0 (x64) [Aug 22 2016] (Free) by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : http://forum.adlice.com
Website : http://www.adlice.com/download/roguekiller/
Blog : http://www.adlice.com

Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User : Bill [Administrator]
Started from : C:\Program Files\RogueKiller\RogueKiller64.exe
Mode : Scan -- Date : 08/26/2016 11:31:26 (Duration : 00:21:17)

¤¤¤ Processes : 0 ¤¤¤

¤¤¤ Registry : 2 ¤¤¤
[PUM.SearchPage] (X64) HKEY_USERS\S-1-5-21-720449975-2614750782-2466370000-1001\Software\Microsoft\Internet Explorer\Main | Search Bar : Preserve  -> Found
[PUM.SearchPage] (X86) HKEY_USERS\S-1-5-21-720449975-2614750782-2466370000-1001\Software\Microsoft\Internet Explorer\Main | Search Bar : Preserve  -> Found

¤¤¤ Tasks : 0 ¤¤¤

¤¤¤ Files : 0 ¤¤¤

¤¤¤ Hosts File : 0 ¤¤¤

¤¤¤ Antirootkit : 0 (Driver: Loaded) ¤¤¤

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: ST375052 8AS SCSI Disk Device +++++
--- User ---
[MBR] 48484be0bd9a4956bddcc135a3c98483
[BSP] b5dc6bfb0216a422413a7c5bdc7ea68a : Acer MBR Code
Partition table:
0 - [XXXXXX] ACER (0x27) [VISIBLE] Offset (sectors): 2048 | Size: 13312 MB
1 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 27265024 | Size: 100 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
2 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 27469824 | Size: 701990 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
User = LL1 ... OK
Error reading LL2 MBR! ([1] Incorrect function. )

+++++ PhysicalDrive1: Generic Compact Flash USB Device +++++
Error reading User MBR! ([15] The device is not ready. )
Error reading LL1 MBR! NOT VALID!
Error reading LL2 MBR! ([32] The request is not supported. )

+++++ PhysicalDrive2: Generic SD/MMC USB Device +++++
Error reading User MBR! ([15] The device is not ready. )
Error reading LL1 MBR! NOT VALID!
Error reading LL2 MBR! ([32] The request is not supported. )

+++++ PhysicalDrive3: Generic microSD USB Device +++++
Error reading User MBR! ([15] The device is not ready. )
Error reading LL1 MBR! NOT VALID!
Error reading LL2 MBR! ([32] The request is not supported. )

+++++ PhysicalDrive4: Generic MS/MS-PRO USB Device +++++
Error reading User MBR! ([15] The device is not ready. )
Error reading LL1 MBR! NOT VALID!
Error reading LL2 MBR! ([32] The request is not supported. )

+++++ PhysicalDrive5: Generic SM/xD-Picture USB Device +++++
Error reading User MBR! ([15] The device is not ready. )
Error reading LL1 MBR! NOT VALID!
Error reading LL2 MBR! ([32] The request is not supported. )
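The two PUM.SearchPage entries in the report above refer to values under the Internet Explorer Main key of the user's registry hive, and the symptoms described earlier in the thread (most sites failing, typed URLs turning into Bing searches, certificate warnings from Avast) are the kind a practitioner would also check against the proxy/PAC settings and the hosts file. The following PowerShell is an added example, not part of this thread and not RogueKiller's or FRST's code: a read-only audit that dumps those IE start/search values, the proxy and AutoConfigURL settings, and any hosts entries beyond the stock localhost lines. The function name and output layout are my own; the registry paths and cmdlets are standard Windows ones.

```powershell
# Added example, not from this thread or from RogueKiller/FRST: a read-only audit
# of the settings behind a PUM.SearchPage finding and of the proxy configuration
# that commonly explains "page can't be displayed" on most sites. It changes nothing.
# Function name and output layout are my own choices (assumptions, not tool output).

function Get-IeRedirectAudit {
    $ieMain = 'HKCU:\Software\Microsoft\Internet Explorer\Main'
    $inet   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
    $hosts  = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'

    # 1. Start/search pages. RogueKiller's PUM.SearchPage refers to values here
    #    ("Search Bar" in the report above); any URL you did not set yourself is suspect.
    $pages = @{}
    foreach ($name in 'Start Page', 'Search Page', 'Search Bar', 'Default_Page_URL', 'Default_Search_URL') {
        $v = (Get-ItemProperty -Path $ieMain -Name $name -ErrorAction SilentlyContinue).$name
        if ($null -ne $v) { $pages[$name] = $v }
    }

    # 2. Proxy and PAC settings. A proxy or AutoConfigURL pointing at an unreachable
    #    host makes most sites fail; an interception proxy produces certificate
    #    warnings for sites that are otherwise fine.
    $inetProps = Get-ItemProperty -Path $inet
    $proxy = [pscustomobject]@{
        ProxyEnable   = $inetProps.ProxyEnable
        ProxyServer   = $inetProps.ProxyServer
        AutoConfigURL = $inetProps.AutoConfigURL
    }

    # 3. Hosts file lines other than comments and the stock localhost entries.
    $hostsExtra = @(Get-Content -Path $hosts -ErrorAction SilentlyContinue |
        Where-Object { $_ -match '\S' -and $_ -notmatch '^\s*#' } |
        Where-Object { $_ -notmatch '^\s*(127\.0\.0\.1|::1)\s+localhost\s*$' })

    [pscustomobject]@{
        IePages         = $pages
        Proxy           = $proxy
        HostsNonDefault = $hostsExtra
    }
}

$audit = Get-IeRedirectAudit
'--- Internet Explorer start/search pages (HKCU) ---'
$audit.IePages.GetEnumerator() | ForEach-Object { '{0,-20} = {1}' -f $_.Key, $_.Value }
'--- Proxy / PAC (HKCU) ---'
$audit.Proxy | Format-List
'--- Non-default hosts entries ---'
$audit.HostsNonDefault
```

Run it while logged on as the affected user, since everything under HKCU is per-user (the RogueKiller finding above is under the SID ending in -1001, which FRST identifies as Bill); reading these keys and the hosts file needs no elevation. Empty output for the proxy fields and no hosts lines is the expected clean state; a populated AutoConfigURL or ProxyServer you did not configure is the first thing to show the helper.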
 



#13 whatisavailable

whatisavailable
  • Topic Starter

  • Members
  • 212 posts
  • Gender:Male
  • Location:Texas
  • Local time:04:59 PM

Posted 26 August 2016 - 04:44 PM

FYI, now that I know better, there were no RED highlighted items on the RogueKiller list. 

Just in case that is significant.


And it looks like we exported the log then cleaned the two items.  But they were successfully removed.



#14 nasdaq

nasdaq

  • Malware Response Team
  • 39,179 posts
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:05:59 PM

Posted 27 August 2016 - 09:54 AM

Please download and run the Kaspersky removal tool for the version you previously used.

http://support.kaspersky.com/common/service.aspx?el=1464

Restart the computer when completed.
===

Let me know what problems persist.

p.s.
Are the search problems with IE or another browser?

#15 whatisavailable

whatisavailable
  • Topic Starter

  • Members
  • 212 posts
  • Gender:Male
  • Location:Texas
  • Local time:04:59 PM

Posted 28 August 2016 - 05:33 PM

Hi

We should be able to do this tonight or tomorrow.

Will post the results asap.

Thanks





