
Adware, Hijacks, Errors


This topic is locked
6 replies to this topic

#1 Brock0304 (Members, 4 posts)

Posted 18 December 2016 - 10:33 AM

Where to start. Working on my dad's computer. I was able to uninstall the various toolbars, but there is a lot of adware and other junk on this computer. Getting errors trying to run an update to the latest version of malwarebytes (Unable To Execute Files In The Temporary Directory. Setup Aborted. Error 5: Access Is Denied) but was able to update the definitions. Having trouble connecting to the Internet through IE or Firefox, but am able to connect via Teamviewer in order to transfer various files (FRST, etc.).

Attached Files


#2 nasdaq (Malware Response Team, 40,227 posts, Montreal, QC. Canada)

Posted 19 December 2016 - 11:42 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

Remove these programs in bold via the Control Panel > Programs > Programs and Features.

DirectionsAce Internet Explorer Toolbar (HKLM-x32\...\DirectionsAce_fvbar Uninstall Internet Explorer) (Version: - Mindspark Interactive Network) <==== ATTENTION
FilmFanatic Internet Explorer Toolbar (HKLM-x32\...\FilmFanaticbar Uninstall Internet Explorer) (Version: - Mindspark Interactive Network) <==== ATTENTION
Free Ride Games Player (HKLM-x32\...\{2B7BDADB-EC8C-4C54-B5DD-CE45A016D3A7}) (Version: - Exent Technologies Ltd) <==== ATTENTION
FromDocToPDF Internet Explorer Toolbar (HKLM-x32\...\FromDocToPDF_65bar Uninstall Internet Explorer) (Version: - Mindspark Interactive Network) <==== ATTENTION
iWin Games (HKLM-x32\...\iWinArcade) (Version: 2.92 - )
Mah Jong Quest III (HKLM-x32\...\Mah Jong Quest III) (Version: - iWin.com)
MapsGalaxy Internet Explorer Toolbar (HKLM-x32\...\MapsGalaxy_39bar Uninstall Internet Explorer) (Version: - Mindspark Interactive Network) <==== ATTENTION

Press the Windows key + R on your keyboard at the same time. This will open the RUN BOX.
Type Notepad and click the OK key.

Please copy the entire contents of the code box below to a new file.
 
Start

CreateRestorePoint:
EmptyTemp:
CloseProcesses:
Hosts:

(iWin Inc.) C:\Program Files (x86)\iWin Games\iWinTrusted.exe
(Exent Technologies Ltd.) C:\Program Files (x86)\Free Ride Games\GPlayer.exe
Winlogon\Notify\igfxcui: igfxdev.dll [X]
HKU\S-1-5-19\...\Run: [Exetender] => C:\Program Files (x86)\Free Ride Games\GPlayer.exe [4924296 2015-02-18] (Exent Technologies Ltd.)
HKU\S-1-5-20\...\Run: [Exetender] => C:\Program Files (x86)\Free Ride Games\GPlayer.exe [4924296 2015-02-18] (Exent Technologies Ltd.)
HKU\S-1-5-21-2587330248-2859728699-3543048470-1001\...\Run: [Exetender] => C:\Program Files (x86)\Free Ride Games\GPlayer.exe [4924296 2015-02-18] (Exent Technologies Ltd.)
HKU\S-1-5-18\...\Run: [Exetender] => C:\Program Files (x86)\Free Ride Games\GPlayer.exe [4924296 2015-02-18] (Exent Technologies Ltd.)
ShellIconOverlayIdentifiers: [ SkyDrive1] -> {F241C880-6982-4CE5-8CF7-7085BA96DA5A} =>  No File
ShellIconOverlayIdentifiers: [ SkyDrive2] -> {A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E} =>  No File
ShellIconOverlayIdentifiers: [ SkyDrive3] -> {BBACC218-34EA-4666-9D7A-C78F2274A524} =>  No File
ShellIconOverlayIdentifiers-x32: [ SkyDrive1] -> {F241C880-6982-4CE5-8CF7-7085BA96DA5A} =>  No File
ShellIconOverlayIdentifiers-x32: [ SkyDrive2] -> {A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E} =>  No File
ShellIconOverlayIdentifiers-x32: [ SkyDrive3] -> {BBACC218-34EA-4666-9D7A-C78F2274A524} =>  No File
URLSearchHook: HKU\S-1-5-21-2587330248-2859728699-3543048470-1001 - (No Name) - {f4c28532-b9d0-4950-a2df-e83f9929242b} - C:\Program Files (x86)\MyFunCards_5m\bar\1.bin\5mSrcAs.dll No File
SearchScopes: HKLM -> {0b4d26f6-61a8-4463-99dd-5f2fe0400fa6} URL =
SearchScopes: HKU\S-1-5-21-2587330248-2859728699-3543048470-1001 -> {0b4d26f6-61a8-4463-99dd-5f2fe0400fa6} URL =
BHO-x32: Search Assistant BHO -> {c4b22c87-45ef-4f43-89f2-40db2078864e} -> C:\Program Files (x86)\MyFunCards_5m\bar\1.bin\5mSrcAs.dll => No File
BHO-x32: Toolbar BHO -> {da71fd14-5f7b-46ae-b8b1-44074a38f331} -> C:\PROGRA~2\MYFUNC~1\bar\1.bin\5mbar.dll => No File
Toolbar: HKLM-x32 - FromDocToPDF - {c66a678d-5e6c-4af9-8f57-c6192f42cf74} - C:\Program Files (x86)\FromDocToPDF_65\bar\1.bin\65bar.dll No File
Toolbar: HKLM-x32 - MyFunCards - {210f1b36-3b7f-41a4-b5da-3eb87f5a56c2} - C:\Program Files (x86)\MyFunCards_5m\bar\1.bin\5mbar.dll No File
Toolbar: HKU\S-1-5-21-2587330248-2859728699-3543048470-1001 -> MyFunCards - {210F1B36-3B7F-41A4-B5DA-3EB87F5A56C2} - C:\Program Files (x86)\MyFunCards_5m\bar\1.bin\5mbar.dll No File
Toolbar: HKU\S-1-5-21-2587330248-2859728699-3543048470-1001 -> FromDocToPDF - {C66A678D-5E6C-4AF9-8F57-C6192F42CF74} - C:\Program Files (x86)\FromDocToPDF_65\bar\1.bin\65bar.dll No File
FF Plugin-x32: @exent.com/npExentCtl,version=7.0.0.0 -> C:\Program Files (x86)\Free Ride Games\npExentCtl.dll [2009-12-27] (Exent Technologies Ltd.)
FF Plugin-x32: www.exent.com/GameTreatWidget -> C:\Program Files (x86)\Free Ride Games\NPGameTreatPlugin.dll [No File]
FF Plugin HKU\S-1-5-21-2587330248-2859728699-3543048470-1001: www.exent.com/GameTreatWidget -> C:\Program Files (x86)\Free Ride Games\npGameTreatWidget.dll [2016-06-17] (Exent Technologies Ltd.)
CHR Extension: (Chrome Web Store Payments) - C:\Users\David\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2016-05-31]
CHR HKLM\...\Chrome\Extension: [kofkpgiaknijknhajbhnghkodiccblkg] - hxxps://clients2.google.com/service/update2/crx
CHR HKU\S-1-5-21-2587330248-2859728699-3543048470-1001\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [kofkpgiaknijknhajbhnghkodiccblkg] - hxxps://clients2.google.com/service/update2/crx
CHR HKLM-x32\...\Chrome\Extension: [kofkpgiaknijknhajbhnghkodiccblkg] - hxxps://clients2.google.com/service/update2/crx
R2 X5XSEx_Pr143; C:\Program Files (x86)\Free Ride Games\X5XSEx_Pr143.Sys [56584 2013-07-18] (Exent Technologies Ltd.)
CustomCLSID: HKU\S-1-5-21-2587330248-2859728699-3543048470-1001_Classes\CLSID\{1423F872-3F7F-4E57-B621-8B1A9D49B448}\InprocServer32 -> C:\Users\David\AppData\Local\Google\Update\1.3.27.5\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-2587330248-2859728699-3543048470-1001_Classes\CLSID\{590C4387-5EBD-4D46-8A84-CD0BA2EF2856}\InprocServer32 -> C:\Users\David\AppData\Local\Google\Update\1.3.30.3\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-2587330248-2859728699-3543048470-1001_Classes\CLSID\{5C8C2A98-6133-4EBA-BBCC-34D9EA01FC2E}\InprocServer32 -> C:\Users\David\AppData\Local\Google\Update\1.3.28.1\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-2587330248-2859728699-3543048470-1001_Classes\CLSID\{78550997-5DEF-4A8A-BAF9-D5774E87AC98}\InprocServer32 -> C:\Users\David\AppData\Local\Google\Update\1.3.28.13\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-2587330248-2859728699-3543048470-1001_Classes\CLSID\{793EE463-1304-471C-ADF1-68C2FFB01247}\InprocServer32 -> C:\Users\David\AppData\Local\Google\Update\1.3.29.5\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-2587330248-2859728699-3543048470-1001_Classes\CLSID\{C3BC25C0-FCD3-4F01-AFDD-41373F017C9A}\InprocServer32 -> C:\Users\David\AppData\Local\Google\Update\1.3.26.9\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-2587330248-2859728699-3543048470-1001_Classes\CLSID\{CC182BE1-84CE-4A57-B85C-FD4BBDF78CB2}\InprocServer32 -> C:\Users\David\AppData\Local\Google\Update\1.3.29.1\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-2587330248-2859728699-3543048470-1001_Classes\CLSID\{D1EDC4F5-7F4D-4B12-906A-614ECF66DDAF}\InprocServer32 -> C:\Users\David\AppData\Local\Google\Update\1.3.28.15\psuser_64.dll => No File
Task: {36A2AF12-A849-4ADC-8E0C-468060BE385D} - System32\Tasks\{834FF6C1-DD28-477E-923A-F0E2BB2E7567} => pcalua.exe -a "C:\Program Files (x86)\PCAcceleratePro\uninstall.exe"
Task: {4E223C2C-3C48-4463-91F5-407B50573684} - \{7A7E7D47-7A7F-0808-7D11-7A78787F117F} -> No File <==== ATTENTION
Task: {6BE94133-153F-4E8E-91F4-BF30EDBEC3D9} - System32\Tasks\Trezaa Scheduler => C:\Program Files (x86)\Trezaa\\Trezaa.Scheduler.exe
Task: {CA8DCEAF-B11F-44CF-9849-0089162B3D37} - System32\Tasks\RunAsStdUser Task => C:\Program Files (x86)\iWin Games\iWinGames.exe [2013-10-23] (iWin Inc.)
Task: C:\WINDOWS\Tasks\{3487BB40-CA77-1E59-A675-6EB425FE6A28}.job => C:\Users\David\AppData\Roaming\{71124~1\Sync.exe <==== ATTENTION
AlternateDataStreams: C:\ProgramData\Temp:2CB9631F [270]
AlternateDataStreams: C:\ProgramData\Temp:330E66BD [111]
AlternateDataStreams: C:\ProgramData\Temp:6F1F66C0 [106]
AlternateDataStreams: C:\ProgramData\Temp:D3E445EE [258]
DeleteKey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\MyFunCards EPM Support
DeleteKey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\FilmFanatic EPM Support
DeleteKey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\DirectionsAce EPM Support
DeleteKey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\FromDocToPDF EPM Support
DeleteKey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\MapsGalaxy EPM Support
DeleteKey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\PCAcceleratePro
FirewallRules: [{F8004345-08E0-4AEE-A3FF-D479A9198B56}] => C:\Program Files (x86)\iWin Games\iWinGames.exe
FirewallRules: [{6D202B9D-43A5-459E-9171-5E461628BCE9}] => C:\Program Files (x86)\iWin Games\iWinGames.exe
FirewallRules: [{9F9DABF1-0F96-4BE2-A022-69368C5CC460}] => C:\Program Files (x86)\iWin Games\WebUpdater.exe
FirewallRules: [{6D36DFBB-19EE-46B0-BD1D-ED880C24A07B}] => C:\Program Files (x86)\iWin Games\WebUpdater.exe
FirewallRules: [{D37623FB-E523-4EAB-AC90-95477FDBD8BB}] => C:\Program Files (x86)\Itibiti Soft Phone\Itibiti.exe
FirewallRules: [{5F94383D-F833-404B-934A-26A48868A99E}] => C:\Program Files (x86)\Itibiti Soft Phone\Itibiti.exe
FirewallRules: [{98DAA2FC-28CD-45FB-B7AF-10CC1EF61F08}] => C:\Program Files (x86)\Trezaa\Trezaa.Service.exe
C:\Program Files (x86)\Trezaa
C:\Program Files (x86)\iWin Games
C:\Users\David\AppData\Roaming\{71124~1

Reboot:

End
Save the file as fixlist.txt in the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the Farbar log you have submitted.

Run FRST and click Fix only once and wait.

The tool will create a log (Fixlog.txt) please post it to your reply.

Please let me know what problem persists with this computer.

#3 Brock0304 (Topic Starter)

Posted 20 December 2016 - 11:08 AM

Computer seems to be doing well. I am unable to uninstall any of the toolbars from Control Panel. I get the error "There was a problem starting C:\Program Files (x86)\etc. etc. The specified module could not be found." Perhaps Malwarebytes removed them?

 

Fix result of Farbar Recovery Scan Tool (x64) Version: 17-12-2016
Ran by David (20-12-2016 10:28:10) Run:1
Running from C:\Users\David\Desktop
Loaded Profiles: David (Available Profiles: David)
Boot Mode: Normal
==============================================

fixlist content:
*****************
Start

CreateRestorePoint:
EmptyTemp:
CloseProcesses:
Hosts:

(iWin Inc.) C:\Program Files (x86)\iWin Games\iWinTrusted.exe
(Exent Technologies Ltd.) C:\Program Files (x86)\Free Ride Games\GPlayer.exe
Winlogon\Notify\igfxcui: igfxdev.dll [X]
HKU\S-1-5-19\...\Run: [Exetender] => C:\Program Files (x86)\Free Ride Games\GPlayer.exe [4924296 2015-02-18] (Exent Technologies Ltd.)
HKU\S-1-5-20\...\Run: [Exetender] => C:\Program Files (x86)\Free Ride Games\GPlayer.exe [4924296 2015-02-18] (Exent Technologies Ltd.)
HKU\S-1-5-21-2587330248-2859728699-3543048470-1001\...\Run: [Exetender] => C:\Program Files (x86)\Free Ride Games\GPlayer.exe [4924296 2015-02-18] (Exent Technologies Ltd.)
HKU\S-1-5-18\...\Run: [Exetender] => C:\Program Files (x86)\Free Ride Games\GPlayer.exe [4924296 2015-02-18] (Exent Technologies Ltd.)
ShellIconOverlayIdentifiers: [ SkyDrive1] -> {F241C880-6982-4CE5-8CF7-7085BA96DA5A} =>  No File
ShellIconOverlayIdentifiers: [ SkyDrive2] -> {A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E} =>  No File
ShellIconOverlayIdentifiers: [ SkyDrive3] -> {BBACC218-34EA-4666-9D7A-C78F2274A524} =>  No File
ShellIconOverlayIdentifiers-x32: [ SkyDrive1] -> {F241C880-6982-4CE5-8CF7-7085BA96DA5A} =>  No File
ShellIconOverlayIdentifiers-x32: [ SkyDrive2] -> {A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E} =>  No File
ShellIconOverlayIdentifiers-x32: [ SkyDrive3] -> {BBACC218-34EA-4666-9D7A-C78F2274A524} =>  No File
URLSearchHook: HKU\S-1-5-21-2587330248-2859728699-3543048470-1001 - (No Name) - {f4c28532-b9d0-4950-a2df-e83f9929242b} - C:\Program Files (x86)\MyFunCards_5m\bar\1.bin\5mSrcAs.dll No File
SearchScopes: HKLM -> {0b4d26f6-61a8-4463-99dd-5f2fe0400fa6} URL =
SearchScopes: HKU\S-1-5-21-2587330248-2859728699-3543048470-1001 -> {0b4d26f6-61a8-4463-99dd-5f2fe0400fa6} URL =
BHO-x32: Search Assistant BHO -> {c4b22c87-45ef-4f43-89f2-40db2078864e} -> C:\Program Files (x86)\MyFunCards_5m\bar\1.bin\5mSrcAs.dll => No File
BHO-x32: Toolbar BHO -> {da71fd14-5f7b-46ae-b8b1-44074a38f331} -> C:\PROGRA~2\MYFUNC~1\bar\1.bin\5mbar.dll => No File
Toolbar: HKLM-x32 - FromDocToPDF - {c66a678d-5e6c-4af9-8f57-c6192f42cf74} - C:\Program Files (x86)\FromDocToPDF_65\bar\1.bin\65bar.dll No File
Toolbar: HKLM-x32 - MyFunCards - {210f1b36-3b7f-41a4-b5da-3eb87f5a56c2} - C:\Program Files (x86)\MyFunCards_5m\bar\1.bin\5mbar.dll No File
Toolbar: HKU\S-1-5-21-2587330248-2859728699-3543048470-1001 -> MyFunCards - {210F1B36-3B7F-41A4-B5DA-3EB87F5A56C2} - C:\Program Files (x86)\MyFunCards_5m\bar\1.bin\5mbar.dll No File
Toolbar: HKU\S-1-5-21-2587330248-2859728699-3543048470-1001 -> FromDocToPDF - {C66A678D-5E6C-4AF9-8F57-C6192F42CF74} - C:\Program Files (x86)\FromDocToPDF_65\bar\1.bin\65bar.dll No File
FF Plugin-x32: @exent.com/npExentCtl,version=7.0.0.0 -> C:\Program Files (x86)\Free Ride Games\npExentCtl.dll [2009-12-27] (Exent Technologies Ltd.)
FF Plugin-x32: www.exent.com/GameTreatWidget -> C:\Program Files (x86)\Free Ride Games\NPGameTreatPlugin.dll [No File]
FF Plugin HKU\S-1-5-21-2587330248-2859728699-3543048470-1001: www.exent.com/GameTreatWidget -> C:\Program Files (x86)\Free Ride Games\npGameTreatWidget.dll [2016-06-17] (Exent Technologies Ltd.)
CHR Extension: (Chrome Web Store Payments) - C:\Users\David\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2016-05-31]
CHR HKLM\...\Chrome\Extension: [kofkpgiaknijknhajbhnghkodiccblkg] - hxxps://clients2.google.com/service/update2/crx
CHR HKU\S-1-5-21-2587330248-2859728699-3543048470-1001\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [kofkpgiaknijknhajbhnghkodiccblkg] - hxxps://clients2.google.com/service/update2/crx
CHR HKLM-x32\...\Chrome\Extension: [kofkpgiaknijknhajbhnghkodiccblkg] - hxxps://clients2.google.com/service/update2/crx
R2 X5XSEx_Pr143; C:\Program Files (x86)\Free Ride Games\X5XSEx_Pr143.Sys [56584 2013-07-18] (Exent Technologies Ltd.)
CustomCLSID: HKU\S-1-5-21-2587330248-2859728699-3543048470-1001_Classes\CLSID\{1423F872-3F7F-4E57-B621-8B1A9D49B448}\InprocServer32 -> C:\Users\David\AppData\Local\Google\Update\1.3.27.5\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-2587330248-2859728699-3543048470-1001_Classes\CLSID\{590C4387-5EBD-4D46-8A84-CD0BA2EF2856}\InprocServer32 -> C:\Users\David\AppData\Local\Google\Update\1.3.30.3\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-2587330248-2859728699-3543048470-1001_Classes\CLSID\{5C8C2A98-6133-4EBA-BBCC-34D9EA01FC2E}\InprocServer32 -> C:\Users\David\AppData\Local\Google\Update\1.3.28.1\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-2587330248-2859728699-3543048470-1001_Classes\CLSID\{78550997-5DEF-4A8A-BAF9-D5774E87AC98}\InprocServer32 -> C:\Users\David\AppData\Local\Google\Update\1.3.28.13\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-2587330248-2859728699-3543048470-1001_Classes\CLSID\{793EE463-1304-471C-ADF1-68C2FFB01247}\InprocServer32 -> C:\Users\David\AppData\Local\Google\Update\1.3.29.5\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-2587330248-2859728699-3543048470-1001_Classes\CLSID\{C3BC25C0-FCD3-4F01-AFDD-41373F017C9A}\InprocServer32 -> C:\Users\David\AppData\Local\Google\Update\1.3.26.9\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-2587330248-2859728699-3543048470-1001_Classes\CLSID\{CC182BE1-84CE-4A57-B85C-FD4BBDF78CB2}\InprocServer32 -> C:\Users\David\AppData\Local\Google\Update\1.3.29.1\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-2587330248-2859728699-3543048470-1001_Classes\CLSID\{D1EDC4F5-7F4D-4B12-906A-614ECF66DDAF}\InprocServer32 -> C:\Users\David\AppData\Local\Google\Update\1.3.28.15\psuser_64.dll => No File
Task: {36A2AF12-A849-4ADC-8E0C-468060BE385D} - System32\Tasks\{834FF6C1-DD28-477E-923A-F0E2BB2E7567} => pcalua.exe -a "C:\Program Files (x86)\PCAcceleratePro\uninstall.exe"
Task: {4E223C2C-3C48-4463-91F5-407B50573684} - \{7A7E7D47-7A7F-0808-7D11-7A78787F117F} -> No File <==== ATTENTION
Task: {6BE94133-153F-4E8E-91F4-BF30EDBEC3D9} - System32\Tasks\Trezaa Scheduler => C:\Program Files (x86)\Trezaa\\Trezaa.Scheduler.exe
Task: {CA8DCEAF-B11F-44CF-9849-0089162B3D37} - System32\Tasks\RunAsStdUser Task => C:\Program Files (x86)\iWin Games\iWinGames.exe [2013-10-23] (iWin Inc.)
Task: C:\WINDOWS\Tasks\{3487BB40-CA77-1E59-A675-6EB425FE6A28}.job => C:\Users\David\AppData\Roaming\{71124~1\Sync.exe <==== ATTENTION
AlternateDataStreams: C:\ProgramData\Temp:2CB9631F [270]
AlternateDataStreams: C:\ProgramData\Temp:330E66BD [111]
AlternateDataStreams: C:\ProgramData\Temp:6F1F66C0 [106]
AlternateDataStreams: C:\ProgramData\Temp:D3E445EE [258]
DeleteKey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\MyFunCards EPM Support
DeleteKey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\FilmFanatic EPM Support
DeleteKey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\DirectionsAce EPM Support
DeleteKey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\FromDocToPDF EPM Support
DeleteKey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\MapsGalaxy EPM Support
DeleteKey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\PCAcceleratePro
FirewallRules: [{F8004345-08E0-4AEE-A3FF-D479A9198B56}] => C:\Program Files (x86)\iWin Games\iWinGames.exe
FirewallRules: [{6D202B9D-43A5-459E-9171-5E461628BCE9}] => C:\Program Files (x86)\iWin Games\iWinGames.exe
FirewallRules: [{9F9DABF1-0F96-4BE2-A022-69368C5CC460}] => C:\Program Files (x86)\iWin Games\WebUpdater.exe
FirewallRules: [{6D36DFBB-19EE-46B0-BD1D-ED880C24A07B}] => C:\Program Files (x86)\iWin Games\WebUpdater.exe
FirewallRules: [{D37623FB-E523-4EAB-AC90-95477FDBD8BB}] => C:\Program Files (x86)\Itibiti Soft Phone\Itibiti.exe
FirewallRules: [{5F94383D-F833-404B-934A-26A48868A99E}] => C:\Program Files (x86)\Itibiti Soft Phone\Itibiti.exe
FirewallRules: [{98DAA2FC-28CD-45FB-B7AF-10CC1EF61F08}] => C:\Program Files (x86)\Trezaa\Trezaa.Service.exe
C:\Program Files (x86)\Trezaa
C:\Program Files (x86)\iWin Games
C:\Users\David\AppData\Roaming\{71124~1

Reboot:

End
*****************

Restore point was successfully created.
Processes closed successfully.
C:\Windows\System32\Drivers\etc\hosts => moved successfully
Hosts restored successfully.
C:\Program Files (x86)\iWin Games\iWinTrusted.exe => No running process found
C:\Program Files (x86)\Free Ride Games\GPlayer.exe => No running process found
"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui" => key removed successfully
HKU\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Run\\Exetender => value not found.
HKU\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Run\\Exetender => value not found.
HKU\S-1-5-21-2587330248-2859728699-3543048470-1001\Software\Microsoft\Windows\CurrentVersion\Run\\Exetender => value not found.
HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Run\\Exetender => value not found.
"HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\ SkyDrive1" => key removed successfully
HKCR\CLSID\{F241C880-6982-4CE5-8CF7-7085BA96DA5A} => key not found.
"HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\ SkyDrive2" => key removed successfully
HKCR\CLSID\{A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E} => key not found.
"HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\ SkyDrive3" => key removed successfully
HKCR\CLSID\{BBACC218-34EA-4666-9D7A-C78F2274A524} => key not found.
"HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\ SkyDrive1" => key removed successfully
HKCR\Wow6432Node\CLSID\{F241C880-6982-4CE5-8CF7-7085BA96DA5A} => key not found.
"HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\ SkyDrive2" => key removed successfully
HKCR\Wow6432Node\CLSID\{A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E} => key not found.
"HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\ SkyDrive3" => key removed successfully
HKCR\Wow6432Node\CLSID\{BBACC218-34EA-4666-9D7A-C78F2274A524} => key not found.
HKU\S-1-5-21-2587330248-2859728699-3543048470-1001\Software\Microsoft\Internet Explorer\URLSearchHooks\\{f4c28532-b9d0-4950-a2df-e83f9929242b} => value not found.
"HKCR\Wow6432Node\CLSID\{f4c28532-b9d0-4950-a2df-e83f9929242b}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0b4d26f6-61a8-4463-99dd-5f2fe0400fa6}" => key removed successfully
HKCR\CLSID\{0b4d26f6-61a8-4463-99dd-5f2fe0400fa6} => key not found.
"HKU\S-1-5-21-2587330248-2859728699-3543048470-1001\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0b4d26f6-61a8-4463-99dd-5f2fe0400fa6}" => key removed successfully
HKCR\CLSID\{0b4d26f6-61a8-4463-99dd-5f2fe0400fa6} => key not found.
"HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{c4b22c87-45ef-4f43-89f2-40db2078864e}" => key removed successfully
"HKCR\Wow6432Node\CLSID\{c4b22c87-45ef-4f43-89f2-40db2078864e}" => key removed successfully
"HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{da71fd14-5f7b-46ae-b8b1-44074a38f331}" => key removed successfully
"HKCR\Wow6432Node\CLSID\{da71fd14-5f7b-46ae-b8b1-44074a38f331}" => key removed successfully
HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar\\{c66a678d-5e6c-4af9-8f57-c6192f42cf74} => value removed successfully
"HKCR\Wow6432Node\CLSID\{c66a678d-5e6c-4af9-8f57-c6192f42cf74}" => key removed successfully
HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar\\{210f1b36-3b7f-41a4-b5da-3eb87f5a56c2} => value removed successfully
"HKCR\Wow6432Node\CLSID\{210f1b36-3b7f-41a4-b5da-3eb87f5a56c2}" => key removed successfully
HKU\S-1-5-21-2587330248-2859728699-3543048470-1001\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{210F1B36-3B7F-41A4-B5DA-3EB87F5A56C2} => value removed successfully
"HKCR\CLSID\{210F1B36-3B7F-41A4-B5DA-3EB87F5A56C2}" => key removed successfully
HKU\S-1-5-21-2587330248-2859728699-3543048470-1001\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{C66A678D-5E6C-4AF9-8F57-C6192F42CF74} => value removed successfully
"HKCR\CLSID\{C66A678D-5E6C-4AF9-8F57-C6192F42CF74}" => key removed successfully
HKLM\Software\Wow6432Node\MozillaPlugins\@exent.com/npExentCtl,version=7.0.0.0 => key not found.
C:\Program Files (x86)\Free Ride Games\npExentCtl.dll => not found.
HKLM\Software\Wow6432Node\MozillaPlugins\www.exent.com/GameTreatWidget => key not found.
"HKU\S-1-5-21-2587330248-2859728699-3543048470-1001\Software\MozillaPlugins\www.exent.com/GameTreatWidget" => key removed successfully
C:\Program Files (x86)\Free Ride Games\npGameTreatWidget.dll => not found.
C:\Users\David\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda => moved successfully
"HKLM\SOFTWARE\Google\Chrome\Extensions\kofkpgiaknijknhajbhnghkodiccblkg" => key removed successfully
"HKU\S-1-5-21-2587330248-2859728699-3543048470-1001\SOFTWARE\Google\Chrome\Extensions\kofkpgiaknijknhajbhnghkodiccblkg" => key removed successfully
"HKLM\SOFTWARE\Wow6432Node\Google\Chrome\Extensions\kofkpgiaknijknhajbhnghkodiccblkg" => key removed successfully
X5XSEx_Pr143 => service not found.
"HKU\S-1-5-21-2587330248-2859728699-3543048470-1001_Classes\CLSID\{1423F872-3F7F-4E57-B621-8B1A9D49B448}" => key removed successfully
"HKU\S-1-5-21-2587330248-2859728699-3543048470-1001_Classes\CLSID\{590C4387-5EBD-4D46-8A84-CD0BA2EF2856}" => key removed successfully
"HKU\S-1-5-21-2587330248-2859728699-3543048470-1001_Classes\CLSID\{5C8C2A98-6133-4EBA-BBCC-34D9EA01FC2E}" => key removed successfully
"HKU\S-1-5-21-2587330248-2859728699-3543048470-1001_Classes\CLSID\{78550997-5DEF-4A8A-BAF9-D5774E87AC98}" => key removed successfully
"HKU\S-1-5-21-2587330248-2859728699-3543048470-1001_Classes\CLSID\{793EE463-1304-471C-ADF1-68C2FFB01247}" => key removed successfully
"HKU\S-1-5-21-2587330248-2859728699-3543048470-1001_Classes\CLSID\{C3BC25C0-FCD3-4F01-AFDD-41373F017C9A}" => key removed successfully
"HKU\S-1-5-21-2587330248-2859728699-3543048470-1001_Classes\CLSID\{CC182BE1-84CE-4A57-B85C-FD4BBDF78CB2}" => key removed successfully
"HKU\S-1-5-21-2587330248-2859728699-3543048470-1001_Classes\CLSID\{D1EDC4F5-7F4D-4B12-906A-614ECF66DDAF}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{36A2AF12-A849-4ADC-8E0C-468060BE385D}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{36A2AF12-A849-4ADC-8E0C-468060BE385D}" => key removed successfully
C:\WINDOWS\System32\Tasks\{834FF6C1-DD28-477E-923A-F0E2BB2E7567} => moved successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\{834FF6C1-DD28-477E-923A-F0E2BB2E7567}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{4E223C2C-3C48-4463-91F5-407B50573684}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{4E223C2C-3C48-4463-91F5-407B50573684}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\{7A7E7D47-7A7F-0808-7D11-7A78787F117F}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon\{6BE94133-153F-4E8E-91F4-BF30EDBEC3D9}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{6BE94133-153F-4E8E-91F4-BF30EDBEC3D9}" => key removed successfully
C:\WINDOWS\System32\Tasks\Trezaa Scheduler => moved successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Trezaa Scheduler" => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{CA8DCEAF-B11F-44CF-9849-0089162B3D37} => key not found.
C:\WINDOWS\System32\Tasks\RunAsStdUser Task => moved successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\RunAsStdUser Task" => key removed successfully
C:\WINDOWS\Tasks\{3487BB40-CA77-1E59-A675-6EB425FE6A28}.job => moved successfully
C:\ProgramData\Temp => ":2CB9631F" ADS removed successfully.
C:\ProgramData\Temp => ":330E66BD" ADS removed successfully.
C:\ProgramData\Temp => ":6F1F66C0" ADS removed successfully.
C:\ProgramData\Temp => ":D3E445EE" ADS removed successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\MyFunCards EPM Support => could not remove key.: incorrect path.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\FilmFanatic EPM Support => could not remove key.: incorrect path.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\DirectionsAce EPM Support => could not remove key. ErrorCode: 0xC000000D
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\FromDocToPDF EPM Support => could not remove key. ErrorCode: 0xC000000D
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\MapsGalaxy EPM Support => could not remove key.: incorrect path.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\PCAcceleratePro => could not remove key.: incorrect path.
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{F8004345-08E0-4AEE-A3FF-D479A9198B56} => value not found.
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{6D202B9D-43A5-459E-9171-5E461628BCE9} => value not found.
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{9F9DABF1-0F96-4BE2-A022-69368C5CC460} => value not found.
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{6D36DFBB-19EE-46B0-BD1D-ED880C24A07B} => value not found.
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{D37623FB-E523-4EAB-AC90-95477FDBD8BB} => value removed successfully
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{5F94383D-F833-404B-934A-26A48868A99E} => value removed successfully
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{98DAA2FC-28CD-45FB-B7AF-10CC1EF61F08} => value removed successfully
"C:\Program Files (x86)\Trezaa" => not found.
"C:\Program Files (x86)\iWin Games" => not found.
C:\Users\David\AppData\Roaming\{71124~1 => moved successfully

=========== EmptyTemp: ==========

BITS transfer queue => 8388608 B
DOMStore, IE Recovery, AppCache, Feeds Cache, Thumbcache, IconCache => 78244822 B
Java, Flash, Steam htmlcache => 1129 B
Windows/system/drivers => 863529250 B
Edge => 0 B
Chrome => 15729325 B
Firefox => 54716471 B
Opera => 0 B

Temp, IE cache, history, cookies, recent:
Default => 0 B
Users => 0 B
ProgramData => 0 B
Public => 0 B
systemprofile => 128 B
systemprofile32 => 128 B
LocalService => 5297594 B
NetworkService => 0 B
David => 1394059149 B

RecycleBin => 1128849 B
EmptyTemp: => 2.3 GB temporary data Removed.

================================


The system needed a reboot.

==== End of Fixlog 10:58:54 ====
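An added example, not code from the thread or from FRST itself: a small Python parser for Fixlog result lines of the kind in the log above. It classifies each `target => result` line as removed, absent (already gone, consistent with the guess that Malwarebytes had cleaned the toolbars earlier), failed (the MSConfig\startupreg DeleteKey lines that report "could not remove key", with any ErrorCode pulled out) or a byte count from the EmptyTemp section, so the entries that need manual follow-up stand out. The embedded log is a constructed excerpt of the one above.

```python
from __future__ import annotations

import re
from collections import Counter

# Constructed excerpt in the shape of the FRST Fixlog posted above (not the full log).
SAMPLE_FIXLOG = r"""
Restore point was successfully created.
C:\Windows\System32\Drivers\etc\hosts => moved successfully
Hosts restored successfully.
"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui" => key removed successfully
HKU\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Run\\Exetender => value not found.
C:\Program Files (x86)\iWin Games\iWinTrusted.exe => No running process found
X5XSEx_Pr143 => service not found.
C:\ProgramData\Temp => ":2CB9631F" ADS removed successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\MyFunCards EPM Support => could not remove key.: incorrect path.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\DirectionsAce EPM Support => could not remove key. ErrorCode: 0xC000000D
C:\Users\David\AppData\Roaming\{71124~1 => moved successfully
BITS transfer queue => 8388608 B
EmptyTemp: => 2.3 GB temporary data Removed.
"""

# Every action line in a Fixlog has the shape "<target> => <result>".
RESULT_RE = re.compile(r"^(?P<target>.+?)\s*=>\s*(?P<result>.+?)\s*$")
ERROR_CODE_RE = re.compile(r"ErrorCode:\s*(0x[0-9A-Fa-f]+)")
SIZE_RE = re.compile(r"^[\d.]+\s*[KMG]?B\b")


def classify(result: str) -> str:
    """Map a Fixlog result phrase to one of: failed, bytes, removed, absent, other."""
    r = result.lower()
    if "could not" in r or "errorcode" in r:
        return "failed"          # FRST tried and failed; needs manual follow-up
    if SIZE_RE.match(result):
        return "bytes"           # the EmptyTemp: section reports sizes, not actions
    if any(k in r for k in ("removed successfully", "moved successfully", "restored successfully")):
        return "removed"
    if "not found" in r or "no running process" in r:
        return "absent"          # already gone, e.g. cleaned earlier by another tool
    return "other"


def parse_fixlog(text: str) -> list[dict]:
    """Return one dict per '<target> => <result>' line; banner and summary lines are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        m = RESULT_RE.match(line) if line else None
        if not m:
            continue
        result = m.group("result")
        code = ERROR_CODE_RE.search(result)
        entries.append({
            "target": m.group("target").strip('"'),
            "result": result,
            "status": classify(result),
            "error_code": code.group(1) if code else None,
        })
    return entries


def summarize(entries: list[dict]) -> dict:
    """Count outcomes per status and collect the failed entries."""
    counts = Counter(e["status"] for e in entries)
    failed = [e for e in entries if e["status"] == "failed"]
    return {"counts": counts, "failed": failed}


def needs_follow_up(entries: list[dict]) -> list[str]:
    """Targets FRST could not remove: the items to verify by hand after the reboot."""
    return [e["target"] for e in entries if e["status"] == "failed"]


if __name__ == "__main__":
    parsed = parse_fixlog(SAMPLE_FIXLOG)
    report = summarize(parsed)
    print(dict(report["counts"]))
    for e in report["failed"]:
        print("FOLLOW UP:", e["target"], e["error_code"] or "(no error code)")
```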



#4 nasdaq (Malware Response Team)

Posted 20 December 2016 - 02:04 PM

Yes it could well be that MBAM removed them.

If all is well.

To learn more about how to protect yourself while on the internet, read this little guide on best security practices to keep safe.
http://www.bleepingcomputer.com/forums/t/407147/answers-to-common-security-questions-best-practices/

#5 Brock0304 (Topic Starter)

Posted 20 December 2016 - 02:07 PM

How do I remove the entries from Control Panel?



#6 nasdaq (Malware Response Team)

Posted 20 December 2016 - 02:15 PM

Follow the instructions on this page.

https://www.bleepingcomputer.com/tutorials/manually-remove-programs-from-add-remove-programs/

Make sure to export the registry key before deleting anything.

Make sure you save the registry.

Read the instructions before proceeding.

#7 Brock0304 (Topic Starter)

Posted 21 December 2016 - 12:00 PM

I was able to find and delete the entries here:

 

HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall

 

All appears to be well. Thank you for your help.
