BHO Mail.ru hijacks Chrome


This topic is locked.
17 replies to this topic

#1 Zuix

  • Members
  • 12 posts

Posted 01 February 2017 - 04:37 PM

I am using Windows 7, and Chrome, IE and Firefox, latest versions of each. A couple of months ago the Mail.ru malware plus some associated malware got on my computer, and I have tried literally everything I can think of or have researched to get rid of the malware. It seems to mainly affect Chrome. However, when I uninstall and then reinstall Chrome, it comes back, indicating that it never went away.
 
Here is a copy of my HijackThis log:
 
Logfile of Trend Micro HijackThis v2.0.5
Scan saved at 1:26:29 PM, on 2/1/2017
Platform: Windows 7 SP1 (WinNT 6.00.3505)
MSIE: Internet Explorer v11.0 (11.00.9600.18538)
 
FIREFOX: 20.0.1 (en-US)
Boot mode: Normal
 
Running processes:
C:\Program Files (x86)\Samsung\Remote PC\rvagtray.exe
C:\Program Files (x86)\UltimateOutsider\GWX Control Panel\GWX_control_panel.exe
C:\Program Files (x86)\Google\Drive\googledrivesync.exe
C:\Program Files (x86)\RocketDock\RocketDock.exe
C:\Program Files (x86)\Ruiware\WinPatrol\WinPatrol.exe
C:\Program Files (x86)\Intel\Intel® USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe
C:\Program Files\AVAST Software\Avast\avastui.exe
C:\Program Files (x86)\Google\Drive\googledrivesync.exe
C:\Users\Cathy\AppData\Roaming\BitTorrent\BitTorrent.exe
C:\Users\Cathy\AppData\Roaming\BitTorrent\updates\7.9.9_42974\bittorrentie.exe
C:\Users\Cathy\AppData\Roaming\BitTorrent\updates\7.9.9_42974\bittorrentie.exe
C:\Program Files (x86)\bfgclient\bfgclient.exe
C:\Program Files (x86)\bfgclient\bfgclient.exe
C:\Users\Cathy\Downloads\HijackThis.exe
 
R1 - HKCU\Software\Microsoft\Internet Explorer,(Default) = 23801038c19b11e69c3e902b34de2e59
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/p/?LinkId=255141
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = 
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = 
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = 
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = 
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: avast! Online Security - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [USB3MON] "C:\Program Files (x86)\Intel\Intel® USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe"
O4 - HKLM\..\Run: [AvastUI.exe] "C:\Program Files\AVAST Software\Avast\AvastUI.exe" /nogui
O4 - HKLM\..\Run: [RemoteView5 Tray] "C:\Program Files (x86)\Samsung\Remote PC\rvagtray.exe" /background
O4 - HKCU\..\Run: [GoogleDriveSync] "C:\Program Files (x86)\Google\Drive\googledrivesync.exe" /autostart
O4 - HKCU\..\Run: [RocketDock] "C:\Program Files (x86)\RocketDock\RocketDock.exe"
O4 - HKCU\..\Run: [CCleaner Monitoring] "C:\Program Files\CCleaner\CCleaner64.exe" /MONITOR
O4 - HKCU\..\Run: [WinPatrol] C:\Program Files (x86)\Ruiware\WinPatrol\WinPatrol.exe
O4 - HKCU\..\Run: [BitTorrent] "C:\Users\Cathy\AppData\Roaming\BitTorrent\BitTorrent.exe"  /MINIMIZED
O4 - HKCU\..\RunOnce: [FlashPlayerUpdate] C:\Windows\system32\Macromed\Flash\FlashUtil64_24_0_0_186_ActiveX.exe -update activex
O11 - Options group: [ACCELERATED_GRAPHICS] Accelerated graphics
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - https://fpdownload.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {A4110378-789B-455F-AE86-3A1BFC402853} (ZPA_SHVL Object) - http://zone.msn.com/bingame/zpagames/zpa_shvl.cab55579.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/ZPAFramework.cab102118.cab
O16 - DPF: {BD8667B7-38D8-4C77-B580-18C3E146372C} (Creative Toolbox Plug-in) - http://ak.imgag.com/imgag/cp/install/Crusher.cab
O16 - DPF: {FF3C5A9F-5A99-4930-80E8-4709194C2AD3} (MSN Games – Backgammon) - http://zone.msn.com/bingame/zpagames/ZPA_Backgammon.cab64162.cab
O23 - Service: ArcSoft Connect Daemon (ACDaemon) - ArcSoft Inc. - C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
O23 - Service: Adobe Acrobat Update Service (AdobeARMservice) - Adobe Systems Incorporated - C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\Windows\System32\alg.exe (file missing)
O23 - Service: AMD External Events Utility - Unknown owner - C:\Windows\system32\atiesrxx.exe (file missing)
O23 - Service: activeMARK Instant Service (AMInstantService) - GameHouse - C:\Program Files (x86)\GameHouse Games\aminstantservice.exe
O23 - Service: Apple Mobile Device Service - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: AppleChargerSrv - Unknown owner - C:\Windows\system32\AppleChargerSrv.exe (file missing)
O23 - Service: Avast Antivirus (avast! Antivirus) - AVAST Software - C:\Program Files\AVAST Software\Avast\AvastSvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: @%SystemRoot%\system32\efssvc.dll,-100 (EFS) - Unknown owner - C:\Windows\System32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\fxsresm.dll,-118 (Fax) - Unknown owner - C:\Windows\system32\fxssvc.exe (file missing)
O23 - Service: Futuremark SystemInfo Service - Futuremark Corporation - C:\Program Files (x86)\Common Files\Futuremark Shared\Futuremark SystemInfo\FMSISvc.exe
O23 - Service: @%SystemRoot%\system32\ieetwcollectorres.dll,-1000 (IEEtwCollectorService) - Unknown owner - C:\Windows\system32\IEEtwCollector.exe (file missing)
O23 - Service: Canon Inkjet Printer/Scanner/Fax Extended Survey Program (IJPLMSVC) - Unknown owner - C:\Program Files (x86)\Canon\IJPLM\IJPLMSVC.EXE
O23 - Service: Intel® Capability Licensing Service Interface - Intel® Corporation - C:\Program Files\Intel\iCLS Client\HeciServer.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Intel® Dynamic Application Loader Host Interface Service (jhi_service) - Intel Corporation - C:\Program Files (x86)\Intel\Intel® Management Engine Components\DAL\jhi_service.exe
O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: Intel® Management and Security Application Local Management Service (LMS) - Intel Corporation - C:\Program Files (x86)\Intel\Intel® Management Engine Components\LMS\LMS.exe
O23 - Service: MBAMService - Malwarebytes - C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe
O23 - Service: Mozilla Maintenance Service (MozillaMaintenance) - Mozilla Foundation - C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
O23 - Service: @comres.dll,-2797 (MSDTC) - Unknown owner - C:\Windows\System32\msdtc.exe (file missing)
O23 - Service: @%SystemRoot%\System32\netlogon.dll,-102 (Netlogon) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: Online Games Manager (ogmservice) - RealNetworks, Inc. - C:\Program Files (x86)\Online Games Manager\ogmservice.exe
O23 - Service: Origin Client Service - Electronic Arts - C:\Program Files (x86)\Origin\OriginClientService.exe
O23 - Service: Plays.tv Update Service (PlaysService) - Plays.tv, LLC - C:\Program Files (x86)\Raptr Inc\PlaysTV\plays_service.exe
O23 - Service: @%systemroot%\system32\psbase.dll,-300 (ProtectedStorage) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: Protexis Licensing V2 (PSI_SVC_2) - Protexis Inc. - C:\Program Files (x86)\Common Files\Protexis\License Service\PsiService_2.exe
O23 - Service: RemotePC Agent - Rsupport Co., Ltd. - C:\Program Files (x86)\Samsung\Remote PC\rvagent.exe
O23 - Service: @%systemroot%\system32\Locator.exe,-2 (RpcLocator) - Unknown owner - C:\Windows\system32\locator.exe (file missing)
O23 - Service: @%SystemRoot%\system32\samsrv.dll,-1 (SamSs) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%SystemRoot%\system32\snmptrap.exe,-3 (SNMPTRAP) - Unknown owner - C:\Windows\System32\snmptrap.exe (file missing)
O23 - Service: @%systemroot%\system32\spoolsv.exe,-1 (Spooler) - Unknown owner - C:\Windows\System32\spoolsv.exe (file missing)
O23 - Service: @%SystemRoot%\system32\sppsvc.exe,-101 (sppsvc) - Unknown owner - C:\Windows\system32\sppsvc.exe (file missing)
O23 - Service: Steam Client Service - Valve Corporation - C:\Program Files (x86)\Common Files\Steam\SteamService.exe
O23 - Service: @%SystemRoot%\system32\ui0detect.exe,-101 (UI0Detect) - Unknown owner - C:\Windows\system32\UI0Detect.exe (file missing)
O23 - Service: Intel® Management and Security Application User Notification Service (UNS) - Intel Corporation - C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe
O23 - Service: @%SystemRoot%\system32\vaultsvc.dll,-1003 (VaultSvc) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vds.exe,-100 (vds) - Unknown owner - C:\Windows\System32\vds.exe (file missing)
O23 - Service: @%systemroot%\system32\vssvc.exe,-102 (VSS) - Unknown owner - C:\Windows\system32\vssvc.exe (file missing)
O23 - Service: @%SystemRoot%\system32\Wat\WatUX.exe,-601 (WatAdminSvc) - Unknown owner - C:\Windows\system32\Wat\WatAdminSvc.exe (file missing)
O23 - Service: @%systemroot%\system32\wbengine.exe,-104 (wbengine) - Unknown owner - C:\Windows\system32\wbengine.exe (file missing)
O23 - Service: @%Systemroot%\system32\wbem\wmiapsrv.exe,-110 (wmiApSrv) - Unknown owner - C:\Windows\system32\wbem\WmiApSrv.exe (file missing)
O23 - Service: @%PROGRAMFILES%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - C:\Program Files (x86)\Windows Media Player\wmpnetwk.exe (file missing)
 
--
End of file - 10169 bytes
 
I have used several different malware removal tools, ComboFix, and several suggestions from help forums, none of which have eradicated the malware.
 
Thank you for any help provided!


I am very sorry - I just saw the "do not post hijack this" logs in this forum. Sorry!!
 
Mod Edit: Moved to Malware Removal Logs forum - Hamluis.

Edited by hamluis, 01 February 2017 - 05:00 PM.
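The reinstall behaviour described in the post above has a plain explanation: Chrome's uninstaller leaves the profile directory (User Data) in place unless "Also delete your browsing data" is ticked, and it never touches machine-wide policy under HKLM\SOFTWARE\Policies\Google\Chrome. Both locations survive a reinstall, and the FRST log later in this thread shows exactly those two things: a mail.ru entry in CHR StartupUrls and a "Restriction" flag on the Chrome policy key. The following script is an added example, not code from the thread or from the FRST tool: it parses a profile's Preferences JSON for startup pages and home page, optionally reads the HKLM Chrome policy key on Windows, and reports any URL whose host is outside an allowlist. The assumed details are the Preferences layout (session.startup_urls, homepage), the policy names RestoreOnStartupURLs and HomepageLocation, and the TRUSTED_HOSTS set; the sample data is constructed to mirror the log.

```python
"""Added example (not from the thread): look for a startup-page hijack in the
two places a Chrome reinstall does not clear.

Assumptions: the per-profile Preferences file keeps startup pages under
session.startup_urls and the home page under "homepage"; machine-wide policy
lives in HKLM\\SOFTWARE\\Policies\\Google\\Chrome with the policy names
RestoreOnStartupURLs (a subkey of numbered string values) and HomepageLocation.
TRUSTED_HOSTS and the sample data below are constructed for this example.
"""
import json
from urllib.parse import urlsplit

# Assumption: hosts the owner actually wants as start pages. Edit per machine.
TRUSTED_HOSTS = {"www.google.com", "google.com", "www.msn.com"}

CHROME_POLICY_KEY = r"SOFTWARE\Policies\Google\Chrome"


def host_of(url):
    """Lower-cased host part of a URL, or '' if it cannot be parsed."""
    try:
        return (urlsplit(url).hostname or "").lower()
    except ValueError:
        return ""


def suspicious_urls(urls, trusted=TRUSTED_HOSTS):
    """Return the URLs whose host is not in the trusted set (input order kept)."""
    return [u for u in urls if host_of(u) not in trusted]


def check_preferences(prefs):
    """Inspect a parsed Chrome Preferences dict. Returns {setting: [bad urls]}."""
    findings = {}
    startup = prefs.get("session", {}).get("startup_urls", [])
    bad = suspicious_urls(startup)
    if bad:
        findings["session.startup_urls"] = bad
    homepage = prefs.get("homepage")
    if homepage and suspicious_urls([homepage]):
        findings["homepage"] = [homepage]
    return findings


def check_policy_values(values):
    """Inspect a flat {policy_name: value} mapping from the Chrome policy key."""
    findings = {}
    bad = suspicious_urls(values.get("RestoreOnStartupURLs", []))
    if bad:
        findings["RestoreOnStartupURLs"] = bad
    homepage = values.get("HomepageLocation")
    if homepage and suspicious_urls([homepage]):
        findings["HomepageLocation"] = [homepage]
    return findings


def load_preferences(path):
    """Read a profile's Preferences file (plain JSON) into a dict."""
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)


def enum_values(key):
    """All {name: data} pairs directly under an open winreg key."""
    import winreg
    i, out = 0, {}
    while True:
        try:
            name, data, _ = winreg.EnumValue(key, i)
        except OSError:  # raised once the index runs past the last value
            return out
        out[name] = data
        i += 1


def read_policy_from_registry():
    """Windows only: flatten the HKLM Chrome policy key into {name: value}.
    Returns {} on other platforms or when the key does not exist."""
    try:
        import winreg
    except ImportError:
        return {}
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, CHROME_POLICY_KEY) as key:
            values = enum_values(key)
            try:
                # RestoreOnStartupURLs is a subkey holding values "1", "2", ...
                with winreg.OpenKey(key, "RestoreOnStartupURLs") as sub:
                    values["RestoreOnStartupURLs"] = list(enum_values(sub).values())
            except OSError:
                pass
            return values
    except OSError:
        return {}


# Constructed sample data shaped like what the FRST log in this thread reports.
SAMPLE_PREFS = {
    "homepage": "http://www.google.com/",
    "session": {"restore_on_startup": 4,  # 4 = open a fixed list of URLs
                "startup_urls": ["https://www.google.com/",
                                 "http://mail.ru/cnt/10445?gp=818409"]},
}
SAMPLE_POLICY = {"RestoreOnStartup": 4,
                 "RestoreOnStartupURLs": ["http://mail.ru/cnt/10445?gp=818409"]}

if __name__ == "__main__":
    print("Preferences:", check_preferences(SAMPLE_PREFS))
    print("Policy:", check_policy_values(SAMPLE_POLICY))
    live = read_policy_from_registry()  # empty dict when not on Windows
    if live:
        print("Live HKLM policy:", check_policy_values(live))
```

On a real machine, point load_preferences at C:\Users\<name>\AppData\Local\Google\Chrome\User Data\<profile>\Preferences for every profile directory (the log above lists Default, Guest Profile and Profile 1) and pass the result to check_preferences; a hit in the policy mapping is the more serious one, because Chrome will enforce a policy-set startup URL on every profile and re-apply it after the user edits their settings.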



#2 nasdaq

  • Malware Response Team
  • 39,538 posts
  • Location: Montreal, QC. Canada

Posted 02 February 2017 - 09:05 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can, please print this topic; it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

Download the version of this tool for your operating system.
Farbar Recovery Scan Tool (64 bit)
Farbar Recovery Scan Tool (32 bit)
and save it to a folder on your computer's Desktop.
Double-click to run it. When the tool opens click Yes to disclaimer.
Press Scan button.
It will make a log (FRST.txt) in the same directory the tool is run from. Please copy and paste it to your reply.
The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply.

How to attach a file to your reply:
In the Reply section at the bottom of the topic, click the "More Reply Options" button.

Attach the file.
Select "Choose a File" and navigate to the location of the file.
Click the file you wish to attach.

Click the Add reply button.
===


Please post the logs.

Wait for further instructions.

#3 Zuix (Topic Starter)

  • Members
  • 12 posts

Posted 04 February 2017 - 04:26 PM

Hello nasdaq, and thank you very much for responding! The FRST.txt file is pasted here, and the Addition.txt file is attached.

FRST.txt file:

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 29-01-2017
Ran by Cathy (administrator) on MOM-XPLORER2 (04-02-2017 13:12:50)
Running from C:\Users\Cathy\Desktop\FARBAR Recovery San Tool
Loaded Profiles: Cathy (Available Profiles: Cathy & Administrator)
Platform: Windows 7 Professional Service Pack 1 (X64) Language: English (United States)
Internet Explorer Version 11 (Default browser: IE)
Boot Mode: Normal
 
==================== Processes (Whitelisted) =================
 
(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)
 
(AVAST Software) C:\Program Files\AVAST Software\Avast\AvastSvc.exe
(ArcSoft Inc.) C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
(Apple Inc.) C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
(Apple Inc.) C:\Program Files\Bonjour\mDNSResponder.exe
() C:\Program Files (x86)\Canon\IJPLM\ijplmsvc.exe
(Intel® Corporation) C:\Program Files\Intel\iCLS Client\HeciServer.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\DAL\Jhi_service.exe
(Microsoft Corporation) C:\Program Files (x86)\Common Files\microsoft shared\VS7Debug\mdm.exe
(RealNetworks, Inc.) C:\Program Files (x86)\Online Games Manager\ogmservice.exe
(Plays.tv, LLC) C:\Program Files (x86)\Raptr Inc\PlaysTV\plays_service.exe
(Protexis Inc.) C:\Program Files (x86)\Common Files\Protexis\License Service\PsiService_2.exe
(Rsupport Co., Ltd.) C:\Program Files (x86)\Samsung\Remote PC\rvagent.exe
(Google Inc.) C:\Program Files (x86)\Google\Update\1.3.32.7\GoogleCrashHandler.exe
(Google Inc.) C:\Program Files (x86)\Google\Update\1.3.32.7\GoogleCrashHandler64.exe
(Rsupport Co., Ltd.) C:\Program Files (x86)\Samsung\Remote PC\rvagtray.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
(UltimateOutsider) C:\Program Files (x86)\UltimateOutsider\GWX Control Panel\GWX_control_panel.exe
(Google) C:\Program Files (x86)\Google\Drive\googledrivesync.exe
() C:\Program Files (x86)\RocketDock\RocketDock.exe
(Ruiware) C:\Program Files (x86)\Ruiware\WinPatrol\WinPatrol.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe
(AVAST Software) C:\Program Files\AVAST Software\Avast\avastui.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe
(Google) C:\Program Files (x86)\Google\Drive\googledrivesync.exe
(Piriform Ltd) C:\Program Files\CCleaner\CCleaner64.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\LMS\LMS.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe
(GameHouse) C:\Program Files (x86)\GameHouse Games\aminstantservice.exe
(BitTorrent Inc.) C:\Users\Cathy\AppData\Roaming\BitTorrent\BitTorrent.exe
(BitTorrent Inc.) C:\Users\Cathy\AppData\Roaming\BitTorrent\updates\7.9.9_43086\bittorrentie.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
 
==================== Registry (Whitelisted) ====================
 
(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)
 
HKLM\...\Run: [RtHDVCpl] => C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe [12503184 2012-06-10] (Realtek Semiconductor)
HKLM\...\Run: [GwxControlPanelMonitor] => C:\Program Files (x86)\UltimateOutsider\GWX Control Panel\GWX_control_panel.exe [4559944 2016-01-24] (UltimateOutsider)
HKLM-x32\...\Run: [USB3MON] => C:\Program Files (x86)\Intel\Intel® USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe [291648 2012-05-20] (Intel Corporation)
HKLM-x32\...\Run: [AvastUI.exe] => C:\Program Files\AVAST Software\Avast\AvastUI.exe [9080768 2016-11-15] (AVAST Software)
HKLM-x32\...\Run: [RemoteView5 Tray] => C:\Program Files (x86)\Samsung\Remote PC\rvagtray.exe [2615704 2014-05-08] (Rsupport Co., Ltd.)
HKU\S-1-5-21-2641974688-232558819-1225516046-1000\...\Run: [GoogleDriveSync] => C:\Program Files (x86)\Google\Drive\googledrivesync.exe [23818360 2016-11-30] (Google)
HKU\S-1-5-21-2641974688-232558819-1225516046-1000\...\Run: [RocketDock] => C:\Program Files (x86)\RocketDock\RocketDock.exe [495616 2007-09-02] ()
HKU\S-1-5-21-2641974688-232558819-1225516046-1000\...\Run: [CCleaner Monitoring] => C:\Program Files\CCleaner\CCleaner64.exe [8641240 2016-02-12] (Piriform Ltd)
HKU\S-1-5-21-2641974688-232558819-1225516046-1000\...\Run: [WinPatrol] => C:\Program Files (x86)\Ruiware\WinPatrol\WinPatrol.exe [1216648 2015-08-05] (Ruiware)
HKU\S-1-5-21-2641974688-232558819-1225516046-1000\...\Run: [BitTorrent] => C:\Users\Cathy\AppData\Roaming\BitTorrent\BitTorrent.exe [2143432 2017-02-01] (BitTorrent Inc.)
HKU\S-1-5-21-2641974688-232558819-1225516046-1000\...\RunOnce: [FlashPlayerUpdate] => C:\Windows\system32\Macromed\Flash\FlashUtil64_24_0_0_186_ActiveX.exe [951896 2016-12-31] (Adobe Systems Incorporated)
HKU\S-1-5-21-2641974688-232558819-1225516046-1000\...\Policies\Explorer: [CDRAutoRun] 0
HKU\S-1-5-21-2641974688-232558819-1225516046-1000\Control Panel\Desktop\\SCRNSAVE.EXE -> 
ShellIconOverlayIdentifiers: [  GoogleDriveBlacklisted] -> {81539FE6-33C7-4CE7-90C7-1C7B8F2F2D42} => C:\Program Files (x86)\Google\Drive\googledrivesync64.dll [2016-11-30] (Google)
ShellIconOverlayIdentifiers: [  GoogleDriveSynced] -> {81539FE6-33C7-4CE7-90C7-1C7B8F2F2D40} => C:\Program Files (x86)\Google\Drive\googledrivesync64.dll [2016-11-30] (Google)
ShellIconOverlayIdentifiers: [  GoogleDriveSyncing] -> {81539FE6-33C7-4CE7-90C7-1C7B8F2F2D41} => C:\Program Files (x86)\Google\Drive\googledrivesync64.dll [2016-11-30] (Google)
ShellIconOverlayIdentifiers: [00avast] -> {472083B0-C522-11CF-8763-00608CC02F24} => C:\Program Files\AVAST Software\Avast\ashShA64.dll [2016-09-06] (AVAST Software)
ShellIconOverlayIdentifiers: [0PerformanceMonitor] -> {3B5B973C-92A4-4855-9D3F-0F3D23332208} =>  -> No File
ShellIconOverlayIdentifiers: [GDriveSharedOverlay] -> {81539FE6-33C7-4CE7-90C7-1C7B8F2F2D44} =>  -> No File
GroupPolicy: Restriction <======= ATTENTION
GroupPolicy\User: Restriction <======= ATTENTION
CHR HKLM\SOFTWARE\Policies\Google: Restriction <======= ATTENTION
 
==================== Internet (Whitelisted) ====================
 
(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)
 
Tcpip\Parameters: [DhcpNameServer] 192.168.1.1 75.75.76.76
Tcpip\..\Interfaces\{C4F689B5-7C7D-4E9D-8215-322B452A0726}: [DhcpNameServer] 192.168.1.1 75.75.76.76
 
Internet Explorer:
==================
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
HKU\S-1-5-21-2641974688-232558819-1225516046-1000\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = 
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Start Page = 
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=msnhome
HKU\S-1-5-21-2641974688-232558819-1225516046-1000\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKU\S-1-5-21-2641974688-232558819-1225516046-1000\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.msn.com
HKU\S-1-5-21-2641974688-232558819-1225516046-1000\Software\Microsoft\Internet Explorer\Main,Old Start Page = hxxp://www.msn.com
SearchScopes: HKLM -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
SearchScopes: HKLM -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
SearchScopes: HKLM -> {21A51130-7285-49FE-B3F6-2385CC71CDEA} URL = hxxp://www.bing.com/search?q={searchTerms}&form=MNMTDF&pc=MANM&src=IE-SearchBox
SearchScopes: HKLM-x32 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
SearchScopes: HKLM-x32 -> {21A51130-7285-49FE-B3F6-2385CC71CDEA} URL = hxxp://www.bing.com/search?q={searchTerms}&form=MNMTDF&pc=MANM&src=IE-SearchBox
BHO: avast! Online Security -> {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} -> C:\Program Files\AVAST Software\Avast\aswWebRepIE64.dll [2016-10-24] (AVAST Software)
BHO: Google Toolbar Helper -> {AA58ED58-01DD-4d91-8333-CF10577473F7} -> C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll [2016-04-23] (Google Inc.)
BHO: Java™ Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files\Java\jre7\bin\jp2ssv.dll [2013-04-03] (Oracle Corporation)
BHO-x32: No Name -> {5C255C8A-E604-49b4-9D64-90988571CECB} -> No File
BHO-x32: avast! Online Security -> {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} -> C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll [2016-10-24] (AVAST Software)
BHO-x32: Google Toolbar Helper -> {AA58ED58-01DD-4d91-8333-CF10577473F7} -> C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll [2016-04-23] (Google Inc.)
Toolbar: HKLM - avast! WebRep - {318A227B-5E9F-45bd-8999-7F8F10CA4CF5} -  No File
Toolbar: HKLM - Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll [2016-04-23] (Google Inc.)
Toolbar: HKLM-x32 - Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll [2016-04-23] (Google Inc.)
Toolbar: HKU\S-1-5-21-2641974688-232558819-1225516046-1000 -> No Name - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} -  No File
Toolbar: HKU\S-1-5-21-2641974688-232558819-1225516046-1000 -> Google Toolbar - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll [2016-04-23] (Google Inc.)
Toolbar: HKU\S-1-5-21-2641974688-232558819-1225516046-1000 -> No Name - {4BAAC1B8-0800-42C9-8FA6-08B211F356B8} -  No File
DPF: HKLM-x32 {166B1BCA-3F9C-11CF-8075-444553540000} hxxps://fpdownload.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: HKLM-x32 {A4110378-789B-455F-AE86-3A1BFC402853} hxxp://zone.msn.com/bingame/zpagames/zpa_shvl.cab55579.cab
DPF: HKLM-x32 {B8BE5E93-A60C-4D26-A2DC-220313175592} hxxp://cdn2.zone.msn.com/binFramework/v10/ZPAFramework.cab102118.cab
DPF: HKLM-x32 {BD8667B7-38D8-4C77-B580-18C3E146372C} hxxp://ak.imgag.com/imgag/cp/install/Crusher.cab
DPF: HKLM-x32 {FF3C5A9F-5A99-4930-80E8-4709194C2AD3} hxxp://zone.msn.com/bingame/zpagames/ZPA_Backgammon.cab64162.cab
Handler-x32: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files (x86)\Windows Live\Messenger\msgrapp.14.0.8117.0416.dll [2010-04-16] (Microsoft Corporation)
Handler-x32: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files (x86)\Windows Live\Messenger\msgrapp.14.0.8117.0416.dll [2010-04-16] (Microsoft Corporation)
 
FireFox:
========
FF ProfilePath: C:\Users\Cathy\AppData\Roaming\Mozilla\Firefox\Profiles\61hbkyv2.default [2017-02-04]
FF SearchEngineOrder.1: Mozilla\Firefox\Profiles\61hbkyv2.default -> Google
FF Extension: (BeFrugal Coupons Add-On) - C:\Users\Cathy\AppData\Roaming\Mozilla\Firefox\Profiles\61hbkyv2.default\Extensions\shopcbtoolbar@befrugal.com [2017-01-05] [not signed]
FF SearchPlugin: C:\Users\Cathy\AppData\Roaming\Mozilla\Firefox\Profiles\61hbkyv2.default\searchplugins\google-avast.xml [2014-11-14]
FF HKLM\...\Firefox\Extensions: [wrc@avast.com] - C:\Program Files\AVAST Software\Avast\WebRep\FF
FF Extension: (Avast Online Security) - C:\Program Files\AVAST Software\Avast\WebRep\FF [2016-10-04]
FF HKLM\...\Firefox\Extensions: [sp@avast.com] - C:\Program Files\AVAST Software\Avast\SafePrice\FF
FF Extension: (Avast SafePrice) - C:\Program Files\AVAST Software\Avast\SafePrice\FF [2016-10-04]
FF HKLM-x32\...\Firefox\Extensions: [wrc@avast.com] - C:\Program Files\AVAST Software\Avast\WebRep\FF
FF HKLM-x32\...\Firefox\Extensions: [sp@avast.com] - C:\Program Files\AVAST Software\Avast\SafePrice\FF
FF Plugin: @java.com/DTPlugin,version=10.17.2 -> C:\Windows\system32\npDeployJava1.dll [2013-04-03] (Oracle Corporation)
FF Plugin: @java.com/JavaPlugin,version=10.17.2 -> C:\Program Files\Java\jre7\bin\plugin2\npjp2.dll [2013-04-03] (Oracle Corporation)
FF Plugin: @microsoft.com/GENUINE -> C:\Windows\system32\Wat\npWatWeb.dll [2011-03-01] (Microsoft Corporation)
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files\Microsoft Silverlight\5.1.41212.0\npctrl.dll [2015-12-11] ( Microsoft Corporation)
FF Plugin-x32: @adobe.com/ShockwavePlayer -> C:\Windows\SysWOW64\Adobe\Director\np32dsw_1225195.dll [2016-09-20] (Adobe Systems, Inc.)
FF Plugin-x32: @Apple.com/iTunes,version=1.0 -> C:\Program Files (x86)\iTunes\Mozilla Plugins\npitunes.dll [2015-10-14] ()
FF Plugin-x32: @intel-webapi.intel.com/Intel WebAPI ipt;version=2.1.42 -> C:\Program Files (x86)\Intel\Intel® Management Engine Components\IPT\npIntelWebAPIIPT.dll [2012-06-06] (Intel Corporation)
FF Plugin-x32: @intel-webapi.intel.com/Intel WebAPI updater -> C:\Program Files (x86)\Intel\Intel® Management Engine Components\IPT\npIntelWebAPIUpdater.dll [2012-06-06] (Intel Corporation)
FF Plugin-x32: @microsoft.com/GENUINE -> C:\Windows\system32\Wat\npWatWeb.dll [2011-03-01] (Microsoft Corporation)
FF Plugin-x32: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files (x86)\Microsoft Silverlight\5.1.41212.0\npctrl.dll [2015-12-11] ( Microsoft Corporation)
FF Plugin-x32: @microsoft.com/WLPG,version=14.0.8117.0416 -> C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll [2010-04-16] (Microsoft Corporation)
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.32.7\npGoogleUpdate3.dll [2016-12-16] (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.32.7\npGoogleUpdate3.dll [2016-12-16] (Google Inc.)
FF Plugin-x32: @videolan.org/vlc,version=2.0.8 -> C:\Program Files (x86)\VideoLAN\VLC\npvlc.dll [2016-06-01] (VideoLAN)
FF Plugin-x32: @videolan.org/vlc,version=2.1.2 -> C:\Program Files (x86)\VideoLAN\VLC\npvlc.dll [2016-06-01] (VideoLAN)
FF Plugin-x32: @videolan.org/vlc,version=2.1.3 -> C:\Program Files (x86)\VideoLAN\VLC\npvlc.dll [2016-06-01] (VideoLAN)
FF Plugin-x32: @videolan.org/vlc,version=2.1.5 -> C:\Program Files (x86)\VideoLAN\VLC\npvlc.dll [2016-06-01] (VideoLAN)
FF Plugin-x32: @videolan.org/vlc,version=2.2.1 -> C:\Program Files (x86)\VideoLAN\VLC\npvlc.dll [2016-06-01] (VideoLAN)
FF Plugin-x32: @videolan.org/vlc,version=2.2.4 -> C:\Program Files (x86)\VideoLAN\VLC\npvlc.dll [2016-06-01] (VideoLAN)
FF Plugin-x32: Adobe Reader -> C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AIR\nppdf32.dll [2016-12-23] (Adobe Systems Inc.)
FF Plugin HKU\S-1-5-21-2641974688-232558819-1225516046-1000: @unity3d.com/UnityPlayer,version=1.0 -> C:\Users\Cathy\AppData\LocalLow\Unity\WebPlayer\loader\npUnity3D32.dll [No File]
FF Plugin HKU\S-1-5-21-2641974688-232558819-1225516046-1000: thehappycloud.com/HappyCloudPlugin -> C:\ProgramData\HappyCloud\Application\npHappyCloudPlugin.dll [2013-05-26] (The Happy Cloud)
 
Chrome: 
=======
CHR DefaultProfile: Profile 1
CHR HomePage: Profile 1 -> hxxp://www.google.com/
CHR StartupUrls: Profile 1 -> "hxxps://www.google.com/","hxxp://mail.ru/cnt/10445?gp=818409"
CHR Profile: C:\Users\Cathy\AppData\Local\Google\Chrome\User Data\Default [2016-12-30]
CHR Extension: (Google Maps) - C:\Users\Cathy\AppData\Local\Google\Chrome\User Data\Default\Extensions\lneaknkopdijkpnocmklfnjbeapigfbh [2013-04-04]
CHR Extension: (Poppit!) - C:\Users\Cathy\AppData\Local\Google\Chrome\User Data\Default\Extensions\mcbkbpnkkkipelfledbfocopglifcfmi [2014-07-18]
CHR Extension: (Google Play Books) - C:\Users\Cathy\AppData\Local\Google\Chrome\User Data\Default\Extensions\mmimngoggfoobjdlefbcabngfnmieonb [2015-02-19]
CHR Extension: (Google Wallet) - C:\Users\Cathy\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2014-02-25]
CHR Extension: (Picky Wallpapers) - C:\Users\Cathy\AppData\Local\Google\Chrome\User Data\Default\Extensions\odklcfojpedohplkimfdpcamkjnhanaj [2013-04-04]
CHR Extension: (Bastion) - C:\Users\Cathy\AppData\Local\Google\Chrome\User Data\Default\Extensions\oohphhdkahjlioohbalmicpokoefkgid [2013-04-04]
CHR Extension: (Weather Underground) - C:\Users\Cathy\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjejbgheonogbpfkkjigbmahaljipoej [2013-04-04]
CHR Extension: (Gmail) - C:\Users\Cathy\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2013-04-03]
CHR Profile: C:\Users\Cathy\AppData\Local\Google\Chrome\User Data\Guest Profile [2016-11-01]
CHR Profile: C:\Users\Cathy\AppData\Local\Google\Chrome\User Data\Profile 1 [2017-02-04]
CHR Extension: (Google Translate) - C:\Users\Cathy\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\aapbdbdomjkkjkaonfhkkikfgjllcleb [2016-12-31]
CHR Extension: (Entanglement Web App) - C:\Users\Cathy\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\aciahcmjmecflokailenpkdchphgkefd [2016-12-31]
CHR Extension: (From Dust) - C:\Users\Cathy\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\anelkojiepicmcldgnmkplocifmegpfj [2016-12-31]
CHR Extension: (Google Drive) - C:\Users\Cathy\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\apdfllckaahabafndbhieahigkjlhalf [2016-12-31]
CHR Extension: (YouTube) - C:\Users\Cathy\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2016-12-31]
CHR Extension: (Adobe Acrobat) - C:\Users\Cathy\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\efaidnbmnnnibpcajpcglclefindmkaj [2017-01-30]
CHR Extension: (Block site) - C:\Users\Cathy\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\eiimnmioipafcokbfikbljfdeojpcgbh [2016-12-31]
CHR Extension: (Avast SafePrice) - C:\Users\Cathy\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\eofcbnmajmjmplflapaojjnihcjkigck [2016-12-31]
CHR Extension: (Google Calendar (by Google)) - C:\Users\Cathy\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\gmbgaklkmjakoegficnlkhebmhkjfich [2016-12-31]
CHR Extension: (Avast Online Security) - C:\Users\Cathy\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\gomekmidlodglbbmalcneegieacbdmki [2016-12-31]
CHR Extension: (Dictionary Instant) - C:\Users\Cathy\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\hngaklbjlbjhmoilkegninbmpfigheol [2016-12-31]
CHR Extension: (World of Solitaire) - C:\Users\Cathy\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\ifbnllnaaaohekjkcpfdllhhjijnidgn [2016-12-31]
CHR Extension: (iPiccy Photo Editor) - C:\Users\Cathy\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\imokeandodnlammaoenbgcnbhigjbpjh [2016-12-31]
CHR Extension: (StayFocusd) - C:\Users\Cathy\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\laankejkbhbdhmipfmgcngdelahlfoji [2016-12-31]
CHR Extension: (Google Maps) - C:\Users\Cathy\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\lneaknkopdijkpnocmklfnjbeapigfbh [2016-12-31]
CHR Extension: (Poppit!) - C:\Users\Cathy\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\mcbkbpnkkkipelfledbfocopglifcfmi [2016-12-31]
CHR Extension: (Google Play Books) - C:\Users\Cathy\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\mmimngoggfoobjdlefbcabngfnmieonb [2016-12-31]
CHR Extension: (Chrome Web Store Payments) - C:\Users\Cathy\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2017-01-17]
CHR Extension: (Weather Underground) - C:\Users\Cathy\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\pjejbgheonogbpfkkjigbmahaljipoej [2016-12-31]
CHR Extension: (Gmail) - C:\Users\Cathy\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2016-12-31]
CHR Extension: (Chrome Media Router) - C:\Users\Cathy\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm [2016-12-31]
CHR HKU\S-1-5-21-2641974688-232558819-1225516046-1000\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [apdfllckaahabafndbhieahigkjlhalf] - C:\Users\Cathy\AppData\Local\Google\Drive\user_default\apdfllckaahabafndbhieahigkjlhalf_live.crx [2013-04-24]
CHR HKU\S-1-5-21-2641974688-232558819-1225516046-1000\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [lmjegmlicamnimmfhcmpkclmigmmcbeh] - hxxps://clients2.google.com/service/update2/crx
CHR HKLM-x32\...\Chrome\Extension: [efaidnbmnnnibpcajpcglclefindmkaj] - hxxps://clients2.google.com/service/update2/crx
CHR HKLM-x32\...\Chrome\Extension: [eofcbnmajmjmplflapaojjnihcjkigck] - hxxps://clients2.google.com/service/update2/crx
CHR HKLM-x32\...\Chrome\Extension: [gomekmidlodglbbmalcneegieacbdmki] - C:\Program Files\AVAST Software\Avast\WebRep\Chrome\aswWebRepChrome.crx <not found>
 
==================== Services (Whitelisted) ====================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
R2 ACDaemon; C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACService.exe [113152 2010-03-18] (ArcSoft Inc.)
R2 AMInstantService; C:\Program Files (x86)\GameHouse Games\aminstantservice.exe [2041776 2016-10-26] (GameHouse)
R2 Apple Mobile Device Service; C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe [77104 2015-10-07] (Apple Inc.)
S3 AppleChargerSrv; C:\Windows\System32\AppleChargerSrv.exe [31272 2010-04-06] ()
R2 avast! Antivirus; C:\Program Files\AVAST Software\Avast\AvastSvc.exe [197128 2016-09-06] (AVAST Software)
S3 Futuremark SystemInfo Service; C:\Program Files (x86)\Common Files\Futuremark Shared\Futuremark SystemInfo\FMSISvc.exe [128928 2010-12-14] (Futuremark Corporation)
R2 IJPLMSVC; C:\Program Files (x86)\Canon\IJPLM\IJPLMSVC.EXE [116104 2009-09-08] ()
R2 jhi_service; C:\Program Files (x86)\Intel\Intel® Management Engine Components\DAL\jhi_service.exe [166720 2012-06-25] (Intel Corporation)
S2 MBAMService; C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe [1136608 2016-03-10] (Malwarebytes)
R2 ogmservice; C:\Program Files (x86)\Online Games Manager\ogmservice.exe [582544 2016-07-13] (RealNetworks, Inc.)
S3 Origin Client Service; C:\Program Files (x86)\Origin\OriginClientService.exe [1903472 2014-12-26] (Electronic Arts)
R2 PlaysService; C:\Program Files (x86)\Raptr Inc\PlaysTV\plays_service.exe [32528 2016-09-28] (Plays.tv, LLC)
R2 RemotePC Agent; C:\Program Files (x86)\Samsung\Remote PC\rvagent.exe [813448 2014-05-07] (Rsupport Co., Ltd.)
S3 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [1011712 2013-05-26] (Microsoft Corporation)
 
===================== Drivers (Whitelisted) ======================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
R1 AppleCharger; C:\Windows\System32\DRIVERS\AppleCharger.sys [22680 2012-10-25] ()
S3 aswHwid; C:\Windows\system32\drivers\aswHwid.sys [37656 2016-09-06] (AVAST Software)
R1 aswKbd; C:\Windows\system32\drivers\aswKbd.sys [37144 2016-09-06] (AVAST Software)
R2 aswMonFlt; C:\Windows\system32\drivers\aswMonFlt.sys [108816 2016-09-06] (AVAST Software)
R1 aswRdr; C:\Windows\system32\drivers\aswRdr2.sys [103064 2016-09-06] (AVAST Software)
R0 aswRvrt; C:\Windows\System32\Drivers\aswRvrt.sys [74544 2016-09-06] (AVAST Software)
R1 aswSnx; C:\Windows\system32\drivers\aswSnx.sys [969184 2016-09-13] (AVAST Software)
R1 aswSP; C:\Windows\system32\drivers\aswSP.sys [513632 2016-09-22] (AVAST Software)
R2 aswStm; C:\Windows\system32\drivers\aswStm.sys [163416 2016-09-06] (AVAST Software)
R0 aswVmm; C:\Windows\System32\Drivers\aswVmm.sys [293352 2016-10-13] (AVAST Software)
R0 iaStorF; C:\Windows\System32\drivers\iaStorF.sys [23832 2011-12-02] (Intel Corporation)
R3 MBAMProtector; C:\Windows\system32\drivers\mbam.sys [27008 2016-03-10] (Malwarebytes)
R0 MBAMSwissArmy; C:\Windows\System32\drivers\MBAMSwissArmy.sys [192216 2017-01-17] (Malwarebytes)
S3 MBAMWebAccessControl; C:\Windows\system32\drivers\mwac.sys [64896 2016-03-10] (Malwarebytes Corporation)
S3 rssasnt; C:\Program Files (x86)\Samsung\Remote PC\rssas64.sys [18184 2013-08-22] (Rsupport Co.,Ltd)
R3 vrvd5; C:\Windows\System32\DRIVERS\vrvd5.sys [13344 2014-05-12] (Rsupport Corporation)
S3 catchme; \??\C:\ComboFix\catchme.sys [X]
S3 cpuz134; \??\C:\Users\Cathy\AppData\Local\Temp\cpuz134\cpuz134_x64.sys [X]
S3 e1cexpress; system32\DRIVERS\e1c62x64.sys [X]
 
==================== NetSvcs (Whitelisted) ===================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
 
==================== One Month Created files and folders ========
 
(If an entry is included in the fixlist, the file/folder will be moved.)
 
2017-02-04 13:12 - 2017-02-04 13:12 - 00000000 ____D C:\FRST
2017-02-04 13:11 - 2017-02-04 13:11 - 01762816 _____ (Farbar) C:\Users\Cathy\Downloads\Unconfirmed 753105.crdownload
2017-02-04 13:10 - 2017-02-04 13:12 - 00000000 ____D C:\Users\Cathy\Desktop\FARBAR Recovery San Tool
2017-02-01 18:19 - 2017-02-02 04:32 - 00000000 ____D C:\Users\Cathy\AppData\LocalLow\BitTorrent
2017-02-01 13:21 - 2017-02-01 13:21 - 00388608 _____ (Trend Micro Inc.) C:\Users\Cathy\Downloads\HijackThis.exe
2017-01-18 16:08 - 2017-01-18 16:08 - 03969024 _____ C:\Windows\SysWOW64\Tropix.scr
2017-01-18 16:08 - 2017-01-18 16:08 - 00413696 _____ (Creative Labs) C:\Windows\SysWOW64\wrap_oal.dll
2017-01-18 16:08 - 2017-01-18 16:08 - 00258352 _____ (Microsoft Corporation) C:\Windows\SysWOW64\unicows.dll
2017-01-18 16:08 - 2017-01-18 16:08 - 00110592 _____ (Portions © Creative Labs Inc. and NVIDIA Corp.) C:\Windows\SysWOW64\OpenAL32.dll
2017-01-18 14:22 - 2017-01-18 14:22 - 00000000 ____D C:\Users\Cathy\AppData\Roaming\dingogames
2017-01-18 14:22 - 2017-01-18 14:22 - 00000000 ____D C:\ProgramData\com.gamehouse.aminstaller
2017-01-18 14:22 - 2017-01-18 14:22 - 00000000 ____D C:\ProgramData\activeMARK
2017-01-18 14:22 - 2017-01-18 14:22 - 00000000 ____D C:\Program Files (x86)\GameHouse Games
2017-01-18 10:12 - 2017-01-18 10:13 - 00000000 ____D C:\Program Files (x86)\Myths of the World - Bound by the Stone Collector's Edition
2017-01-18 10:12 - 2017-01-18 10:12 - 00000000 ____D C:\Users\Cathy\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Myths of the World - Bound by the Stone Collector's Edition
2017-01-18 10:12 - 2017-01-18 10:12 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Myths of the World - Bound by the Stone Collector's Edition
2017-01-17 23:10 - 2017-01-17 23:11 - 00053881 _____ C:\Users\Cathy\Downloads\The_blues_brothers_torrent__mtu99o.exe
2017-01-17 12:56 - 2017-01-17 12:56 - 00033927 _____ C:\ComboFix.txt
2017-01-14 19:33 - 2017-01-14 19:34 - 00000000 ____D C:\Users\Cathy\AppData\Local\LINE
2017-01-14 19:33 - 2017-01-14 19:33 - 35136456 _____ (LINE Corporation) C:\Users\Cathy\Downloads\LineInst.exe
2017-01-14 19:33 - 2017-01-14 19:33 - 00001136 _____ C:\Users\Cathy\AppData\Roaming\Microsoft\Windows\Start Menu\LINE.lnk
2017-01-14 19:33 - 2017-01-14 19:33 - 00000000 ____D C:\Users\Cathy\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\LINE
2017-01-13 15:11 - 2017-01-13 15:11 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Gold Miner Vegas
2017-01-13 15:11 - 2017-01-13 15:11 - 00000000 ____D C:\Program Files (x86)\Gold Miner Vegas
2017-01-11 14:59 - 2017-01-11 14:59 - 01065376 _____ (Google Inc.) C:\Users\Cathy\Downloads\googledrivesync (1).exe
2017-01-11 02:24 - 2017-01-11 02:26 - 00000000 ____D C:\Program Files (x86)\Myths of the World - Black Rose Collectors Edition
2017-01-11 02:24 - 2017-01-11 02:24 - 00000000 ____D C:\Users\Cathy\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Myths of the World - Black Rose Collectors Edition
2017-01-11 02:24 - 2017-01-11 02:24 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Myths of the World - Black Rose Collectors Edition
2017-01-08 18:32 - 2017-01-08 18:32 - 00000000 ____D C:\ProgramData\Playtonium Games
2017-01-08 18:13 - 2017-01-08 18:13 - 00000000 ____D C:\ProgramData\com.gamehouse.acid
2017-01-08 18:12 - 2017-01-18 16:08 - 00000000 ____D C:\Users\Cathy\AppData\Local\com.gamehouse.acid
2017-01-08 18:12 - 2017-01-17 21:34 - 00000000 ____D C:\ProgramData\Trymedia
2017-01-08 14:55 - 2017-01-08 14:56 - 00000000 ____D C:\Program Files (x86)\Myths of the World - Of Fiends and Fairies Collectors Edition
2017-01-08 14:55 - 2017-01-08 14:55 - 00000000 ____D C:\Users\Cathy\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Myths of the World - Of Fiends and Fairies Collectors Edition
2017-01-08 14:55 - 2017-01-08 14:55 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Myths of the World - Of Fiends and Fairies Collectors Edition
2017-01-07 14:02 - 2017-01-07 14:02 - 00002267 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome.lnk
2017-01-05 07:51 - 2017-01-05 07:51 - 00000482 _____ C:\Windows\Tasks\BeFrugal.com Toolbar.job
 
==================== One Month Modified files and folders ========
 
(If an entry is included in the fixlist, the file/folder will be moved.)
 
2017-02-04 03:50 - 2009-07-13 20:45 - 00035632 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2017-02-04 03:50 - 2009-07-13 20:45 - 00035632 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2017-02-03 13:41 - 2013-04-02 18:58 - 00000000 ____D C:\Users\Cathy\AppData\Local\VirtualStore
2017-02-03 02:45 - 2013-04-03 21:41 - 00000000 ____D C:\Users\Cathy\AppData\Roaming\vlc
2017-02-02 16:53 - 2013-04-03 09:47 - 00000000 ____D C:\ProgramData\TEMP
2017-02-02 04:32 - 2013-04-03 21:44 - 00000000 ____D C:\Users\Cathy\AppData\Roaming\BitTorrent
2017-02-01 16:37 - 2016-12-14 19:57 - 00000000 ____D C:\Program Files (x86)\Roller Rush
2017-02-01 15:50 - 2014-07-19 08:26 - 00000000 ____D C:\Users\Cathy\AppData\Roaming\BigFish All My Gods
2017-02-01 15:33 - 2013-04-13 23:22 - 00000000 ____D C:\ProgramData\Sandlot Games
2017-02-01 13:46 - 2013-04-06 09:48 - 00000000 ____D C:\Users\Cathy\AppData\Local\CrashDumps
2017-02-01 13:28 - 2016-12-13 22:48 - 00000000 ____D C:\Users\Cathy\Desktop\Malware scans etc
2017-01-30 19:37 - 2015-08-23 06:46 - 00000000 ____D C:\Users\Cathy\AppData\Roaming\dvdcss
2017-01-26 15:24 - 2015-11-30 13:58 - 00000000 ____D C:\Users\Cathy\Desktop\Sam Info
2017-01-21 22:01 - 2015-11-13 08:29 - 00002441 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Acrobat Reader DC.lnk
2017-01-19 20:31 - 2016-12-30 18:29 - 00028272 _____ C:\Windows\system32\Drivers\TrueSight.sys
2017-01-18 16:08 - 2013-04-03 21:09 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\GameHouse
2017-01-18 16:08 - 2013-04-03 21:09 - 00000000 ____D C:\GameHouse Games
2017-01-18 00:22 - 2013-04-03 21:09 - 00000000 ____D C:\Program Files (x86)\RealArcade
2017-01-17 23:19 - 2013-04-02 20:33 - 00000000 ___RD C:\Users\Cathy\Google Drive
2017-01-17 23:17 - 2009-07-13 21:08 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2017-01-17 12:56 - 2013-04-13 07:39 - 00000000 ____D C:\Qoobox
2017-01-17 12:51 - 2009-07-13 18:34 - 00000215 _____ C:\Windows\system.ini
2017-01-17 12:47 - 2016-10-04 18:03 - 00065536 _____ C:\Windows\system32\spu_storage.bin
2017-01-17 12:14 - 2014-05-18 17:54 - 00192216 _____ (Malwarebytes) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
2017-01-17 11:59 - 2013-04-06 09:27 - 00002255 _____ C:\Users\Administrator\Desktop\Google Chrome.lnk
2017-01-17 11:52 - 2013-04-18 14:54 - 00000000 ____D C:\Users\Cathy\AppData\Roaming\WinPatrol
2017-01-14 23:07 - 2016-06-15 14:04 - 00000000 ____D C:\Users\Cathy\AppData\Local\Freemake Music Box
2017-01-14 19:11 - 2013-07-21 08:43 - 00000000 ____D C:\BigFishCache
2017-01-14 00:58 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\system32\NDF
2017-01-13 15:11 - 2009-07-13 21:32 - 00000000 ___RD C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Games
2017-01-11 17:00 - 2014-12-26 05:47 - 00004476 _____ C:\Windows\System32\Tasks\Adobe Acrobat Update Task
2017-01-11 02:27 - 2015-01-28 16:06 - 00000000 ____D C:\Users\Cathy\AppData\Roaming\Eipix
2017-01-05 01:08 - 2015-11-03 17:22 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Freemake
2017-01-05 01:08 - 2015-11-03 17:22 - 00000000 ____D C:\ProgramData\Freemake
2017-01-05 01:08 - 2015-11-03 17:22 - 00000000 ____D C:\Program Files (x86)\Freemake
 
==================== Files in the root of some directories =======
 
2016-12-29 15:24 - 2016-12-29 15:24 - 0000000 _____ () C:\Users\Cathy\AppData\Roaming\cookies
2016-01-10 13:13 - 2016-01-19 00:13 - 0000137 _____ () C:\Users\Cathy\AppData\Roaming\WB.CFG
2013-04-06 13:33 - 2013-04-06 13:33 - 0003584 _____ () C:\Users\Cathy\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
 
Some files in TEMP:
====================
2017-01-19 20:30 - 2016-10-11 07:34 - 1732864 _____ (Microsoft Corporation) C:\Users\Cathy\AppData\Local\temp\dllnt_dump.dll
 
==================== Bamital & volsnap ======================
 
(There is no automatic fix for files that do not pass verification.)
 
C:\Windows\system32\winlogon.exe => File is digitally signed
C:\Windows\system32\wininit.exe => File is digitally signed
C:\Windows\SysWOW64\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\system32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\system32\services.exe => File is digitally signed
C:\Windows\system32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\system32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\system32\rpcss.dll => File is digitally signed
C:\Windows\system32\dnsapi.dll => File is digitally signed
C:\Windows\SysWOW64\dnsapi.dll => File is digitally signed
C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed
 
LastRegBack: 2016-01-29 08:35
 
==================== End of FRST.txt ============================




#4 nasdaq

nasdaq

  • Malware Response Team
  • 39,538 posts
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:10:15 AM

Posted 05 February 2017 - 09:49 AM

Remove these programs in bold via the Control Panel > Programs > Programs and Features.

Interenet Optimizer (HKLM-x32\...\{5F189DF5-2D05-472B-9091-84D9848AE48B}{c632643}) (Version: - BullPoint) <==== ATTENTION
Java 7 Update 17 (64-bit) (HKLM\...\{26A24AE4-039D-4CA4-87B4-2F86417017FF}) (Version: 7.0.170 - Oracle)
ScorpionSaver (HKLM-x32\...\{9B65F9A3-9D24-452A-B6EF-1457D65E4259}) (Version: 1.0.0.0 - Adpeak, Inc.) <==== ATTENTION
---

After this fix, you can install the latest version of JAVA if needed.

You can manually check your present version and update as recommended.
https://www.java.com/en/download/installed.jsp

Be careful not to install malware posing as a Java update!
Important: read this blog.
http://blog.trendmicro.com/trendlabs-security-intelligence/malware-poses-as-an-update-for-java-0-day-fix/

Quoted from the page.
"In light of the recent events surrounding Java, users must seriously consider their use of Java. Do they really need it? If yes, make sure that users follow the steps we recommended and get the security update directly from the official oracle website." at:
http://www.oracle.com/technetwork/java/javase/downloads/index.html

How to disable Java in your browsers
http://www.infoworld.com/t/web-browsers/how-disable-java-in-your-browsers-210882
===


Press the Windows key + R on your keyboard at the same time. This will open the RUN BOX.
Type Notepad and click the OK key.

Please copy the entire contents of the code box below to a new file.


Start

CreateRestorePoint:
EmptyTemp:
CloseProcesses:

ShellIconOverlayIdentifiers: [0PerformanceMonitor] -> {3B5B973C-92A4-4855-9D3F-0F3D23332208} =>  -> No File
ShellIconOverlayIdentifiers: [GDriveSharedOverlay] -> {81539FE6-33C7-4CE7-90C7-1C7B8F2F2D44} =>  -> No File
GroupPolicy: Restriction <======= ATTENTION
GroupPolicy\User: Restriction <======= ATTENTION
CHR HKLM\SOFTWARE\Policies\Google: Restriction <======= ATTENTION
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
HKU\S-1-5-21-2641974688-232558819-1225516046-1000\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
BHO-x32: No Name -> {5C255C8A-E604-49b4-9D64-90988571CECB} -> No File
Toolbar: HKLM - avast! WebRep - {318A227B-5E9F-45bd-8999-7F8F10CA4CF5} -  No File
Toolbar: HKU\S-1-5-21-2641974688-232558819-1225516046-1000 -> No Name - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} -  No File
Toolbar: HKU\S-1-5-21-2641974688-232558819-1225516046-1000 -> No Name - {4BAAC1B8-0800-42C9-8FA6-08B211F356B8} -  No File
FF Extension: (BeFrugal Coupons Add-On) - C:\Users\Cathy\AppData\Roaming\Mozilla\Firefox\Profiles\61hbkyv2.default\Extensions\shopcbtoolbar@befrugal.com [2017-01-05] [not signed]
FF SearchPlugin: C:\Users\Cathy\AppData\Roaming\Mozilla\Firefox\Profiles\61hbkyv2.default\searchplugins\google-avast.xml [2014-11-14]
FF Plugin HKU\S-1-5-21-2641974688-232558819-1225516046-1000: @unity3d.com/UnityPlayer,version=1.0 -> C:\Users\Cathy\AppData\LocalLow\Unity\WebPlayer\loader\npUnity3D32.dll [No File]
CHR StartupUrls: Profile 1 -> "hxxps://www.google.com/","hxxp://mail.ru/cnt/10445?gp=818409"
CHR Extension: (Poppit!) - C:\Users\Cathy\AppData\Local\Google\Chrome\User Data\Default\Extensions\mcbkbpnkkkipelfledbfocopglifcfmi [2014-07-18]
CHR Extension: (Google Wallet) - C:\Users\Cathy\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2014-02-25]
CHR Extension: (Avast SafePrice) - C:\Users\Cathy\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\eofcbnmajmjmplflapaojjnihcjkigck [2016-12-31]
CHR Extension: (Avast Online Security) - C:\Users\Cathy\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\gomekmidlodglbbmalcneegieacbdmki [2016-12-31]
CHR Extension: (Poppit!) - C:\Users\Cathy\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\mcbkbpnkkkipelfledbfocopglifcfmi [2016-12-31]
CHR Extension: (Chrome Web Store Payments) - C:\Users\Cathy\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2017-01-17]
CHR Extension: (Chrome Media Router) - C:\Users\Cathy\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm [2016-12-31]
CHR HKLM-x32\...\Chrome\Extension: [eofcbnmajmjmplflapaojjnihcjkigck] - hxxps://clients2.google.com/service/update2/crx
CHR HKLM-x32\...\Chrome\Extension: [gomekmidlodglbbmalcneegieacbdmki] - C:\Program Files\AVAST Software\Avast\WebRep\Chrome\aswWebRepChrome.crx <not found>
S3 catchme; \??\C:\ComboFix\catchme.sys [X]
S3 cpuz134; \??\C:\Users\Cathy\AppData\Local\Temp\cpuz134\cpuz134_x64.sys [X]
S3 e1cexpress; system32\DRIVERS\e1c62x64.sys 
Task: {0E38B32F-18BE-41E0-B0AA-335F3855D1F8} - \Microsoft\Windows\Setup\GWXTriggers\OutOfSleep-5d -> No File <==== ATTENTION
Task: {27537E99-8313-411B-84C2-8FCECBB4D076} - \Microsoft\Windows\Setup\GWXTriggers\refreshgwxconfig-B -> No File <==== ATTENTION
Task: {2F57269B-1E09-4E2D-AB1E-B0FDAC7D279C} - \Microsoft\Windows\WindowsBackup\ConfigNotification -> No File <==== ATTENTION
Task: {3690DB9B-BF80-4122-B7A6-6DA6CF55B50B} - \Microsoft\Windows\Windows Activation Technologies\ValidationTask -> No File <==== ATTENTION
Task: {3AF50398-9666-46BD-87C8-5CC4D1FECA8C} - \Microsoft\Windows\Setup\GWXTriggers\Logon-5d -> No File <==== ATTENTION
Task: {42650346-89EF-4390-8EFD-4A9CF5BBD54B} - \Microsoft\Windows\Setup\GWXTriggers\Time-5d -> No File <==== ATTENTION
Task: {7C1419A6-928F-4826-A78D-76198D1290EF} - \Microsoft\Windows\Setup\GWXTriggers\ScheduleUpgradeTime -> No File <==== ATTENTION
Task: {829F7983-8B60-489A-80E9-F4BEC3AD45C9} - \Microsoft\Windows\Setup\GWXTriggers\Logon-URT -> No File <==== ATTENTION
Task: {85F719B8-C8CA-43C2-849D-905BBA4D32B0} - \Microsoft\Windows\Windows Activation Technologies\ValidationTaskDeadline -> No File <==== ATTENTION
Task: {A260AA46-B850-4A80-9AA9-94A23BC58A6C} - \Microsoft\Windows\Setup\GWXTriggers\ScheduleUpgradeReminderTime -> No File <==== ATTENTION
Task: {AC4E5ACF-89F7-4220-BA21-81EE183975E2} - \Microsoft\Windows\Application Experience\AitAgent -> No File <==== ATTENTION
Task: {CD64A13F-AA10-40D3-A1CA-1D4B821DB289} - \Microsoft\Windows\Setup\GWXTriggers\MachineUnlock-5d -> No File <==== ATTENTION
Task: {CEE64558-E1A7-4D9D-80A7-2001912BE5B5} - \Microsoft\Windows\MemoryDiagnostic\CorruptionDetector -> No File <==== ATTENTION
Task: {EE3EEE33-32F1-4342-8CB1-C53688BC9EFC} - \Microsoft\Windows\Setup\GWXTriggers\OutOfIdle-5d -> No File <==== ATTENTION
Task: {FA2BC0A6-8D4B-458A-85C8-2B8C72487513} - \Microsoft\Windows\MemoryDiagnostic\DecompressionFailureDetector -> No File <==== ATTENTION
Task: C:\Windows\Tasks\BeFrugal.com Toolbar.job => C:\Users\Cathy\AppData\Local\Programs\BeFrugal.com\Add-On\2013.3.19.3\BFHP.exe   C:\Users\Cathy\AppData\Local\Programs\BeFrugal.com\Add-On\2013.3.19.3 BeFrugal.com
AlternateDataStreams: C:\ProgramData\TEMP:00811B66 [440]
AlternateDataStreams: C:\ProgramData\TEMP:038ACE45 [382]
AlternateDataStreams: C:\ProgramData\TEMP:04560D68 [404]
AlternateDataStreams: C:\ProgramData\TEMP:05F547A9 [450]
AlternateDataStreams: C:\ProgramData\TEMP:063969F8 [438]
AlternateDataStreams: C:\ProgramData\TEMP:073139EC [215]
AlternateDataStreams: C:\ProgramData\TEMP:07D9FF25 [428]
AlternateDataStreams: C:\ProgramData\TEMP:0968E571 [458]
AlternateDataStreams: C:\ProgramData\TEMP:097FF903 [209]
AlternateDataStreams: C:\ProgramData\TEMP:0AF6266B [298]
AlternateDataStreams: C:\ProgramData\TEMP:0E61938B [478]
AlternateDataStreams: C:\ProgramData\TEMP:0F6AC518 [121]
AlternateDataStreams: C:\ProgramData\TEMP:10E0E83D [446]
AlternateDataStreams: C:\ProgramData\TEMP:11EF326F [242]
AlternateDataStreams: C:\ProgramData\TEMP:12A012A1 [123]
AlternateDataStreams: C:\ProgramData\TEMP:12D9D48F [239]
AlternateDataStreams: C:\ProgramData\TEMP:149327FE [466]
AlternateDataStreams: C:\ProgramData\TEMP:1740DC47 [410]
AlternateDataStreams: C:\ProgramData\TEMP:18345E10 [144]
AlternateDataStreams: C:\ProgramData\TEMP:18E90846 [118]
AlternateDataStreams: C:\ProgramData\TEMP:1968990D [213]
AlternateDataStreams: C:\ProgramData\TEMP:19C541B5 [251]
AlternateDataStreams: C:\ProgramData\TEMP:1A14B3AF [232]
AlternateDataStreams: C:\ProgramData\TEMP:1A15E356 [243]
AlternateDataStreams: C:\ProgramData\TEMP:1A567D7B [170]
AlternateDataStreams: C:\ProgramData\TEMP:1B9E79B3 [418]
AlternateDataStreams: C:\ProgramData\TEMP:1D8551A3 [124]
AlternateDataStreams: C:\ProgramData\TEMP:1DD8718C [398]
AlternateDataStreams: C:\ProgramData\TEMP:217A2A36 [124]
AlternateDataStreams: C:\ProgramData\TEMP:2216A431 [212]
AlternateDataStreams: C:\ProgramData\TEMP:258D2F8B [255]
AlternateDataStreams: C:\ProgramData\TEMP:260575F1 [191]
AlternateDataStreams: C:\ProgramData\TEMP:27F44544 [440]
AlternateDataStreams: C:\ProgramData\TEMP:28819F45 [222]
AlternateDataStreams: C:\ProgramData\TEMP:2CB9631F [134]
AlternateDataStreams: C:\ProgramData\TEMP:2F5A06FD [232]
AlternateDataStreams: C:\ProgramData\TEMP:31106FCB [188]
AlternateDataStreams: C:\ProgramData\TEMP:3393A1CA [498]
AlternateDataStreams: C:\ProgramData\TEMP:3766E957 [209]
AlternateDataStreams: C:\ProgramData\TEMP:3790BACD [221]
AlternateDataStreams: C:\ProgramData\TEMP:38D2EA83 [428]
AlternateDataStreams: C:\ProgramData\TEMP:391535F9 [127]
AlternateDataStreams: C:\ProgramData\TEMP:395F6776 [500]
AlternateDataStreams: C:\ProgramData\TEMP:39CB2031 [384]
AlternateDataStreams: C:\ProgramData\TEMP:3AD6342E [228]
AlternateDataStreams: C:\ProgramData\TEMP:3B07E6F4 [220]
AlternateDataStreams: C:\ProgramData\TEMP:413E2927 [468]
AlternateDataStreams: C:\ProgramData\TEMP:4149A170 [274]
AlternateDataStreams: C:\ProgramData\TEMP:426D1496 [498]
AlternateDataStreams: C:\ProgramData\TEMP:432EC713 [134]
AlternateDataStreams: C:\ProgramData\TEMP:439E3411 [428]
AlternateDataStreams: C:\ProgramData\TEMP:453190EC [442]
AlternateDataStreams: C:\ProgramData\TEMP:45936E12 [236]
AlternateDataStreams: C:\ProgramData\TEMP:47A24D4B [214]
AlternateDataStreams: C:\ProgramData\TEMP:4B244549 [444]
AlternateDataStreams: C:\ProgramData\TEMP:52E5A75A [474]
AlternateDataStreams: C:\ProgramData\TEMP:538B96B5 [187]
AlternateDataStreams: C:\ProgramData\TEMP:554C6431 [188]
AlternateDataStreams: C:\ProgramData\TEMP:55F44B88 [121]
AlternateDataStreams: C:\ProgramData\TEMP:5AE33054 [428]
AlternateDataStreams: C:\ProgramData\TEMP:5C3ED5BB [452]
AlternateDataStreams: C:\ProgramData\TEMP:5C92988B [332]
AlternateDataStreams: C:\ProgramData\TEMP:5CD804FF [448]
AlternateDataStreams: C:\ProgramData\TEMP:5CE91C67 [216]
AlternateDataStreams: C:\ProgramData\TEMP:600F6768 [147]
AlternateDataStreams: C:\ProgramData\TEMP:60E755E6 [133]
AlternateDataStreams: C:\ProgramData\TEMP:60F5A2F7 [394]
AlternateDataStreams: C:\ProgramData\TEMP:61C6B926 [256]
AlternateDataStreams: C:\ProgramData\TEMP:663B62CA [438]
AlternateDataStreams: C:\ProgramData\TEMP:6BF0805F [200]
AlternateDataStreams: C:\ProgramData\TEMP:708BB0FA [406]
AlternateDataStreams: C:\ProgramData\TEMP:70E897B5 [462]
AlternateDataStreams: C:\ProgramData\TEMP:78E0DF72 [418]
AlternateDataStreams: C:\ProgramData\TEMP:7AF9CAEB [215]
AlternateDataStreams: C:\ProgramData\TEMP:7BFAAE70 [136]
AlternateDataStreams: C:\ProgramData\TEMP:7D288858 [238]
AlternateDataStreams: C:\ProgramData\TEMP:7EBCAF87 [117]
AlternateDataStreams: C:\ProgramData\TEMP:80B291A7 [426]
AlternateDataStreams: C:\ProgramData\TEMP:80E965A3 [218]
AlternateDataStreams: C:\ProgramData\TEMP:8247A199 [392]
AlternateDataStreams: C:\ProgramData\TEMP:831C6B2D [418]
AlternateDataStreams: C:\ProgramData\TEMP:84C07F6B [122]
AlternateDataStreams: C:\ProgramData\TEMP:85C0059D [95]
AlternateDataStreams: C:\ProgramData\TEMP:88E8CC2E [422]
AlternateDataStreams: C:\ProgramData\TEMP:8967C154 [127]
AlternateDataStreams: C:\ProgramData\TEMP:89C2A42C [442]
AlternateDataStreams: C:\ProgramData\TEMP:89FC8EEB [249]
AlternateDataStreams: C:\ProgramData\TEMP:8A0EFC75 [227]
AlternateDataStreams: C:\ProgramData\TEMP:8AED9359 [112]
AlternateDataStreams: C:\ProgramData\TEMP:8B3C3098 [242]
AlternateDataStreams: C:\ProgramData\TEMP:8DB1100D [131]
AlternateDataStreams: C:\ProgramData\TEMP:8FC1A8C4 [140]
AlternateDataStreams: C:\ProgramData\TEMP:8FDE078B [94]
AlternateDataStreams: C:\ProgramData\TEMP:9026FFAC [416]
AlternateDataStreams: C:\ProgramData\TEMP:953FDC1A [384]
AlternateDataStreams: C:\ProgramData\TEMP:957E9765 [394]
AlternateDataStreams: C:\ProgramData\TEMP:96646EC1 [224]
AlternateDataStreams: C:\ProgramData\TEMP:98DFF516 [195]
AlternateDataStreams: C:\ProgramData\TEMP:9A24FE7D [134]
AlternateDataStreams: C:\ProgramData\TEMP:9A4D81ED [238]
AlternateDataStreams: C:\ProgramData\TEMP:9C206FB0 [126]
AlternateDataStreams: C:\ProgramData\TEMP:9C435C94 [249]
AlternateDataStreams: C:\ProgramData\TEMP:9C5EEE30 [244]
AlternateDataStreams: C:\ProgramData\TEMP:9CD7CD43 [452]
AlternateDataStreams: C:\ProgramData\TEMP:9CF728A6 [462]
AlternateDataStreams: C:\ProgramData\TEMP:9D2DE4B4 [508]
AlternateDataStreams: C:\ProgramData\TEMP:9E3E060F [422]
AlternateDataStreams: C:\ProgramData\TEMP:9F50A55A [213]
AlternateDataStreams: C:\ProgramData\TEMP:A01F3A87 [0]
AlternateDataStreams: C:\ProgramData\TEMP:A02025CE [219]
AlternateDataStreams: C:\ProgramData\TEMP:A26AFC00 [231]
AlternateDataStreams: C:\ProgramData\TEMP:A2FF62A6 [454]
AlternateDataStreams: C:\ProgramData\TEMP:A3750BE5 [428]
AlternateDataStreams: C:\ProgramData\TEMP:A3B8F70C [452]
AlternateDataStreams: C:\ProgramData\TEMP:A688EF17 [376]
AlternateDataStreams: C:\ProgramData\TEMP:A81A3C86 [496]
AlternateDataStreams: C:\ProgramData\TEMP:A86D5AC1 [248]
AlternateDataStreams: C:\ProgramData\TEMP:A8BF0AE2 [296]
AlternateDataStreams: C:\ProgramData\TEMP:A9356284 [239]
AlternateDataStreams: C:\ProgramData\TEMP:AB82C54F [442]
AlternateDataStreams: C:\ProgramData\TEMP:ACCEFF0E [123]
AlternateDataStreams: C:\ProgramData\TEMP:ADE67221 [444]
AlternateDataStreams: C:\ProgramData\TEMP:ADFAD95A [422]
AlternateDataStreams: C:\ProgramData\TEMP:AE289451 [486]
AlternateDataStreams: C:\ProgramData\TEMP:AE2EA3C2 [472]
AlternateDataStreams: C:\ProgramData\TEMP:AE34D87E [486]
AlternateDataStreams: C:\ProgramData\TEMP:B0193F8E [140]
AlternateDataStreams: C:\ProgramData\TEMP:B1FBBD09 [404]
AlternateDataStreams: C:\ProgramData\TEMP:B722BCE5 [424]
AlternateDataStreams: C:\ProgramData\TEMP:B72454C6 [280]
AlternateDataStreams: C:\ProgramData\TEMP:B845F669 [198]
AlternateDataStreams: C:\ProgramData\TEMP:B86927F0 [143]
AlternateDataStreams: C:\ProgramData\TEMP:B8791731 [464]
AlternateDataStreams: C:\ProgramData\TEMP:BE6DC701 [406]
AlternateDataStreams: C:\ProgramData\TEMP:BFC41B39 [110]
AlternateDataStreams: C:\ProgramData\TEMP:C0913157 [119]
AlternateDataStreams: C:\ProgramData\TEMP:C0D23A2F [222]
AlternateDataStreams: C:\ProgramData\TEMP:C22674B6 [198]
AlternateDataStreams: C:\ProgramData\TEMP:C35B4B19 [422]
AlternateDataStreams: C:\ProgramData\TEMP:C36F1B98 [232]
AlternateDataStreams: C:\ProgramData\TEMP:C3702442 [270]
AlternateDataStreams: C:\ProgramData\TEMP:C74009E5 [195]
AlternateDataStreams: C:\ProgramData\TEMP:C8182692 [402]
AlternateDataStreams: C:\ProgramData\TEMP:C86B29EB [434]
AlternateDataStreams: C:\ProgramData\TEMP:C9BC8592 [412]
AlternateDataStreams: C:\ProgramData\TEMP:CAF8DAC8 [466]
AlternateDataStreams: C:\ProgramData\TEMP:CD59D2EB [466]
AlternateDataStreams: C:\ProgramData\TEMP:CEE4A457 [462]
AlternateDataStreams: C:\ProgramData\TEMP:CF61CE5A [207]
AlternateDataStreams: C:\ProgramData\TEMP:D0D17155 [378]
AlternateDataStreams: C:\ProgramData\TEMP:D0EC116C [249]
AlternateDataStreams: C:\ProgramData\TEMP:D1787194 [368]
AlternateDataStreams: C:\ProgramData\TEMP:D2A5A561 [450]
AlternateDataStreams: C:\ProgramData\TEMP:D31BE97C [414]
AlternateDataStreams: C:\ProgramData\TEMP:D667795F [212]
AlternateDataStreams: C:\ProgramData\TEMP:D8AE9DD1 [237]
AlternateDataStreams: C:\ProgramData\TEMP:D8F9D810 [448]
AlternateDataStreams: C:\ProgramData\TEMP:E0CAA39F [132]
AlternateDataStreams: C:\ProgramData\TEMP:E1D06077 [462]
AlternateDataStreams: C:\ProgramData\TEMP:E5BA9ADD [470]
AlternateDataStreams: C:\ProgramData\TEMP:E5DE9C8F [412]
AlternateDataStreams: C:\ProgramData\TEMP:E70FD81B [125]
AlternateDataStreams: C:\ProgramData\TEMP:E73B14E2 [104]
AlternateDataStreams: C:\ProgramData\TEMP:E9049821 [104]
AlternateDataStreams: C:\ProgramData\TEMP:E96A2658 [488]
AlternateDataStreams: C:\ProgramData\TEMP:EA701346 [412]
AlternateDataStreams: C:\ProgramData\TEMP:EA7D76BE [112]
AlternateDataStreams: C:\ProgramData\TEMP:EB5BDBB0 [486]
AlternateDataStreams: C:\ProgramData\TEMP:ED6B6C83 [143]
AlternateDataStreams: C:\ProgramData\TEMP:ED9B661E [416]
AlternateDataStreams: C:\ProgramData\TEMP:F123F8B9 [119]
AlternateDataStreams: C:\ProgramData\TEMP:F1F936DF [472]
AlternateDataStreams: C:\ProgramData\TEMP:F35AE645 [460]
AlternateDataStreams: C:\ProgramData\TEMP:F44D3C53 [430]
AlternateDataStreams: C:\ProgramData\TEMP:F6910DB1 [127]
AlternateDataStreams: C:\ProgramData\TEMP:F7F6E6CB [98]
AlternateDataStreams: C:\ProgramData\TEMP:FBA79096 [124]
AlternateDataStreams: C:\ProgramData\TEMP:FD786DCA [138]
AlternateDataStreams: C:\ProgramData\TEMP:FE058F1D [119]
AlternateDataStreams: C:\ProgramData\TEMP:FF9C44FE [454]
AlternateDataStreams: C:\ProgramData\TEMP:FFC3922F [252]
C:\Users\Cathy\AppData\Local\Programs\BeFrugal.com

Reboot:

End
Save the file as fixlist.txt in the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the Farbar log you have submitted.

Run FRST and click Fix only once and wait.

The tool will create a log (Fixlog.txt) please post it to your reply.
===

Please download AdwCleaner by Xplode onto your Desktop.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click the Scan button and wait for the process to complete.
  • Click the LogFile button and the report will open in Notepad.
IMPORTANT
  • If you click the Clean button all items listed in the report will be removed.
If you find some false positive items or programs that you wish to keep, Close the AdwCleaner windows.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click the Scan button and wait for the process to complete.
  • Check off the element(s) you wish to keep.
  • Click on the Clean button follow the prompts.
  • A log file will automatically open after the scan has finished.
  • Please post the content of that log file with your next answer.
  • You can find the log file at C:\AdwCleanerCx.txt (x is a number).
===

Please post the logs and let me know what problem persists with this computer.
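The "AlternateDataStreams:" lines in the fixlist above refer to NTFS alternate data streams attached to C:\ProgramData\TEMP, which FRST lists as path:stream [size]. The following PowerShell script is an added example, not part of this thread, of FRST, or of any tool mentioned here; it enumerates the same streams read-only so you can see what the fixlist is targeting before removing anything. The $Path default and the commented-out stream name are taken from the log above; change them for another file or folder. Requires PowerShell 3.0 or later (Windows Management Framework 3+ on Windows 7).

```powershell
# Added example (not from the thread or from FRST): list the alternate data
# streams on a file or folder in the same "path:stream [bytes]" shape that
# FRST uses for its AlternateDataStreams: lines. Read-only.
param(
    # Assumption: the folder from the fixlist above; change as needed.
    [string]$Path = 'C:\ProgramData\TEMP'
)

if (-not (Test-Path -LiteralPath $Path)) {
    Write-Warning "Path not found: $Path"
    return
}

# Get-Item -Stream * returns one object per NTFS stream. For a regular file
# this includes the unnamed ':$DATA' stream that holds the normal contents,
# so it is filtered out here; only the extra, named streams are of interest.
$streams = Get-Item -LiteralPath $Path -Stream * -ErrorAction SilentlyContinue |
    Where-Object { $_.Stream -ne ':$DATA' }

if (-not $streams) {
    Write-Output "No alternate data streams on $Path"
    return
}

foreach ($s in $streams) {
    # Same layout as the FRST log line: path:stream [size in bytes]
    Write-Output ("AlternateDataStreams: {0}:{1} [{2}]" -f $Path, $s.Stream, $s.Length)
}

# To inspect one stream's raw bytes before deciding whether it matters
# (Windows PowerShell 5.1 syntax; stream name taken from the log above):
#   Get-Content -LiteralPath $Path -Stream 'A3B8F70C' -Encoding Byte | Format-Hex
# FRST's fixlist removes each listed stream; the manual equivalent is:
#   Remove-Item -LiteralPath $Path -Stream 'A3B8F70C'
```

Streams on C:\ProgramData\TEMP with short hexadecimal names are a common leftover of installers and are usually harmless, which is why the fixlist simply deletes them; the value of listing them first is confirming that nothing unexpectedly large or recently modified is hiding there.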

#5 Zuix
  • Topic Starter
  • Members
  • 12 posts

Posted 08 February 2017 - 07:19 PM

Hello nasdaq. I ran into a snag with the instructions. Started with uninstalling the 3 programs listed at the beginning of your instructions. I could not uninstall Internet Optimizer. The following error message popped up:

There was a problem starting C:\PROGRA~3\INTERE~1\INTERE~1.DLL  The specified module could not be found.

I did uninstall the Java update successfully.

I was unable to uninstall Scorpion Saver. It did not appear in the Control Panel list of programs. It did not show up in a search of my hard drive.

I was uncertain as to whether to proceed with the rest of your instructions, so I am waiting to hear from you on this.

Thank you very much



#6 nasdaq
  • Malware Response Team
  • 39,538 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 09 February 2017 - 08:45 AM

There was a problem starting C:\PROGRA~3\INTERE~1\INTERE~1.DLL The specified module could not be found.
I was unable to uninstall Scorpion Saver. It did not appear in the Control Panel list of programs. It did not show up in a search of my hard drive.


The programs were removed by a security program but there are still remnant entries in the registry.
You can let it go or remove the items in the registry if you feel like it.

How To:
https://www.bleepingcomputer.com/tutorials/manually-remove-programs-from-add-remove-programs/

===

For now continue with the rest of the instructions I gave you.

#7 Zuix
  • Topic Starter
  • Members
  • 12 posts

Posted 10 February 2017 - 12:28 AM

Hello nasdaq. Ok, I have completed your instructions, and the two files are attached.

The problem continues, however. With no programs open, Chrome opens, and displays some kind of adware page. So, whatever is running in the background, or still on my computer, opens Chrome all by itself.

Thank you for all of your help with this issue.

Attached Files



#8 Zuix
  • Topic Starter
  • Members
  • 12 posts

Posted 10 February 2017 - 01:06 AM

In fact, the problem seems to have gotten worse, with the malware acting much more aggressively than before. Now, Chrome opens up on its own, with adware sites with loud sound, and the only way I can close these sites is through Task Manager.



#9 nasdaq
  • Malware Response Team
  • 39,538 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 10 February 2017 - 09:45 AM

Reset Chrome...
Open Google Chrome and click on the menu icon, which is located at the top right of Google Chrome.
Click "Settings" then "Show advanced settings" at the bottom of the screen.
Click the "Reset browser settings" button.
Restart Chrome.
===

Temporarily disable your AV program so it does not interfere.
Info on how to disable your security applications How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs - Security Mini-Guides.

Download Zoek tool from here

When the download appears, save to the Desktop.
On the Desktop, right-click the Zoek.exe file and select: Run as Administrator
(Give it a few seconds to appear.)

Next, copy/paste the entire script inside the code box below to the input field of Zoek:
createsrpoint;
autoclean;
emptyclsid;
emptyffcache;
FFdefaults;
emptyiecache;
iedefaults;
emptychrcache;
CHRdefaults;
emptyalltemp;
emptyfolderscheck;delete
ipconfig /flushdns;b
Now...
Close any open Browsers.
Click the Run script button, and wait. It takes a few minutes to run all the script.

When the tool finishes, the zoek-results.log is opened in Notepad.
The log is also found on the systemdrive, normally C:\
If a reboot is needed, the log is opened after the reboot.

Please attach the zoek-results.log in your reply.
===


--RogueKiller--
  • Download & SAVE to your Desktop Download RogueKiller
  • Quit all programs that you may have started.
  • Please disconnect any USB or external drives from the computer before you run this scan!
  • For Vista or above, right-click the program file and select "Run as Administrator"
  • Accept the user agreements.
  • Execute the scan and wait until it has finished.
  • If a window opens to explain what [PUM's] are, read about it.
  • Click the RogueKiller icon on your taskbar to return to the report.
  • Click open the Report
  • Click Export TXT button
  • Save the file as ReportRogue.txt
  • Click the Remove button to delete the items in RED
  • Click Finish and close the program.
  • Locate the ReportRogue.txt file on your Desktop and copy/paste the contents in your next reply.
=======

Please post the logs and provide an update on how the computer is behaving after running the above script.

#10 Zuix
  • Topic Starter
  • Members
  • 12 posts

Posted 10 February 2017 - 08:32 PM

Hello nasdaq. The rogue report is pasted here:

RogueKiller V12.9.7.0 (x64) [Feb  6 2017] (Free) by Adlice Software
 
Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User : Cathy [Administrator]
Started from : C:\Program Files\RogueKiller\RogueKiller64.exe
Mode : Scan -- Date : 02/10/2017 16:55:51 (Duration : 00:27:02)
 
¤¤¤ Processes : 0 ¤¤¤
 
¤¤¤ Registry : 0 ¤¤¤
 
¤¤¤ Tasks : 0 ¤¤¤
 
¤¤¤ Files : 1 ¤¤¤
[PUP.Filefinder][Folder] C:\Program Files (x86)\Pluto TV -> Found
 
¤¤¤ WMI : 0 ¤¤¤
 
¤¤¤ Hosts File : 0 ¤¤¤
 
¤¤¤ Antirootkit : 0 (Driver: Loaded) ¤¤¤
 
¤¤¤ Web browsers : 0 ¤¤¤
 
¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: WDC WD10EZEX-00RKKA0 ATA Device +++++
--- User ---
[MBR] 74c584bcb38f0f5571a17c260d2a845e
[BSP] 2ec59ba7a30324b51913183a72b9c137 : Windows Vista/7/8|VT.Unknown MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 2048 | Size: 100 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
1 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 206848 | Size: 953767 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
User = LL1 ... OK
User = LL2 ... OK
 
The zoek results are attached.

I'm sorry to say, but the problem persists. Chrome opens on its own, with adware sites where the only safe way to exit is using Task Manager to shut them down. A new Chrome page opens on its own about every 10 minutes.

Attached Files



#11 Zuix
  • Topic Starter
  • Members
  • 12 posts

Posted 10 February 2017 - 09:02 PM

Nasdaq, There is one difference however. Before the last fix with zoek and rogue killer, the automatic chrome window popups would minimize any other program running at the time. Now, the chrome automatic window openings/popups continue, but they don't automatically minimize other windows or programs.



#12 Zuix
  • Topic Starter
  • Members
  • 12 posts

Posted 10 February 2017 - 10:11 PM

I take that back. Chrome window popups are continuing, and still minimizing other running programs. Just not all the Chrome popup windows do that, but some do.



#13 nasdaq
  • Malware Response Team
  • 39,538 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 11 February 2017 - 09:17 AM

Possible ENTERPRISE POLICY issues.

Read the instructions on this page if applicable.
http://forums.anvisoft.com/viewtopic-51-8494-0.html

Remove any "Installed by enterprise policy" extension from Chrome.

If you find one and cannot remove it let me know the ID NUMBER that you have found.
<<<>>>

If this is not the cause then remove and reinstall Chrome.

Remove Chrome using the instructions on this page.
https://support.google.com/chrome/answer/95319?hl=en

Clear your Chrome cache and cookies
https://support.google.com/chromebook/answer/183083?hl=en

Before you do, export your Bookmarks.
Chrome will export your bookmarks as an HTML file, which you can then import into another browser.

Re-install Chrome and the Bookmarks.

If you want to save all your settings refer to this page.
Follow the instructions before removing Chrome.
http://juan2geek.com/how-to-backup-and-restore-entire-google-chrome-setting/
===

Keep me posted.
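On Windows, an extension that Chrome labels "Installed by enterprise policy" comes from a policy that Chrome reads from the registry, under HKLM\SOFTWARE\Policies\Google\Chrome or HKCU\SOFTWARE\Policies\Google\Chrome; the ExtensionInstallForcelist key there holds one value per forced extension in the form "<extension id>;<update URL>". Adware uses the same mechanism to make an extension the user cannot remove from the extensions page. The script below is an added example, not part of this thread or of any tool nasdaq mentions; it lists those policy entries read-only so the extension ID can be reported, and dumps any other Chrome policy values (homepage, search provider, startup pages) set under the same keys. Run it in an elevated Windows PowerShell prompt; no registry paths other than the two Chrome policy roots are assumed.

```powershell
# Added example (not from the thread): enumerate Chrome enterprise policies
# stored in the Windows registry. Read-only; nothing is modified.
$policyRoots = @(
    'HKLM:\SOFTWARE\Policies\Google\Chrome',   # machine-wide policies
    'HKCU:\SOFTWARE\Policies\Google\Chrome'    # per-user policies
)

function Get-ChromeForcedExtensions {
    # Returns one object per ExtensionInstallForcelist entry found under either root.
    foreach ($root in $policyRoots) {
        $key = Join-Path $root 'ExtensionInstallForcelist'
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            # Skip the PSPath/PSParentPath/... properties PowerShell adds.
            if ($p.Name -like 'PS*') { continue }
            # Forcelist values look like "<32-char extension id>;<update url>".
            $id, $url = [string]$p.Value -split ';', 2
            [pscustomobject]@{
                Hive        = $root
                ValueName   = $p.Name
                ExtensionId = $id
                UpdateUrl   = $url
            }
        }
    }
}

$forced = @(Get-ChromeForcedExtensions)
if ($forced.Count -eq 0) {
    Write-Output 'No ExtensionInstallForcelist entries found.'
} else {
    Write-Output 'Forced extensions (report the ExtensionId):'
    $forced | Format-Table -AutoSize
}

# Every other Chrome policy lives under the same roots; dump them so a
# hijacked homepage or search provider set by policy is visible too.
foreach ($root in $policyRoots) {
    if (-not (Test-Path $root)) { continue }
    Write-Output "--- $root ---"
    Get-ItemProperty -Path $root | Select-Object -Property * -ExcludeProperty PS*
    Get-ChildItem -Path $root -Recurse | ForEach-Object {
        Write-Output "[$($_.Name)]"
        Get-ItemProperty -Path $_.PSPath | Select-Object -Property * -ExcludeProperty PS*
    }
}
```

The same information is visible inside the browser at chrome://policy, which also shows policies that arrived by other routes. On a home PC that is not joined to a company domain, nothing should normally be under these keys at all, so any entry is worth reporting before it is removed; removing the value (Remove-ItemProperty on the key) and restarting Chrome is what clears the "enterprise policy" lock on the extension, but the program that wrote the value has to be found as well or it will be recreated.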

#14 Zuix
  • Topic Starter
  • Members
  • 12 posts

Posted 11 February 2017 - 11:16 AM

Ok. I could not find any installed by enterprise extensions. All of my chrome extensions are ones I expected. They are:

Adobe Acrobat (not enabled)
Application Launcher for Google Drive (not enabled)
Google Docs, Sheets and Slides (all enabled)

All have trash cans, so I am assuming they are not Installed by Enterprise extensions.

I followed all the rest of your instructions, saved bookmarks, cleared cache, uninstalled and reinstalled, and the problem persists.



#15 nasdaq
  • Malware Response Team
  • 39,538 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 12 February 2017 - 09:45 AM


Please download Malwarebytes Anti-Malware from here
  • Right-click on the MBAM icon and select Run as administrator to run the tool.
  • <- REMOVE ALL ITEMS THAT WILL BE FOUND.
  • Click Yes to accept any security warnings that may appear.
  • Once the MBAM dashboard opens, on the right detail pane click on the word "Current" under the Scan Status to update the tool database.
  • On the left menu pane click the Settings tab, and then select the Protection tab on the top.
  • Under the Scan Options, turn on the button Scan for rootkits.
  • Click the Scan tab on the right detail pane, select Threat Scan and click the Start Scan button
  • Note: The scan may take some time to finish, so please be patient.
  • If potential threats are detected, ensure to checkmark all the listed items, and click the Quarantine Selected button.
  • While still on the Scan tab, click the View Report button, and in the window that opens click the Export button, select Text file (*.txt), and save the log to your Desktop.
  • The log can also be viewed by clicking the log to select it, then clicking the View Report button.
Please post the log for my review.

Note: If asked to restart the computer, please do so immediately.
===

If the problem persists please run the Farbar tool and post a fresh FRST log for my review.

