
Computer crashing with BSOD Kernel Data Inpage Error


This topic is locked
24 replies to this topic

#1 helpmyhawk


Posted 13 February 2017 - 02:52 PM

So my Windows 7 x64 Professional machine keeps crashing with Kernel Data Inpage Error.

And various programs have been crashing with some memory exceptions.

I have run JRT and AdwCleaner and also ESET Online Scanner

(see previous thread

https://www.bleepingcomputer.com/forums/t/639734/computer-keeps-crashing-corrupted/)

 

The ESET security scan came back with 30 or so threats, including OpenCandy trojans.

After running the scan in safe mode and cleaning the quarantined items, my computer crashed with the same Kernel Data inpage error.

I ran the chkdsk command to check my drive, but it did not find any bad sectors or anything.

Attached are the Addition.txt and FRST.txt from my run of FRST. Thank you.

 



#2 olgun52 (Malware Response Team)

Posted 14 February 2017 - 06:30 AM

Hello helpmyhawk and welcome to BleepingComputer.

My name is Yılmaz and I'll help you with the cleanup of malware from your computer.

Before we move on, please read the following points carefully.

  • Please complete all steps in the specified order.
  • Even if tools don't find malware, I want you to post the logfiles anyway.
  • Please copy and paste the logfiles directly into your posts. Please do not attach them unless you are instructed to do so.
  • Read the instructions carefully. If you have problems, stop what you were doing and describe the problems you encountered as precisely as you can.
  • Don't install or uninstall software during the cleanup unless you are told to do so.
  • Ensure your external and/or USB drives are always inserted during the scan.
  • If you can't answer for the next few days, please let me know. If you haven't answered within 5 days, I am assuming that you don't need help anymore and your topic will be closed.
  • If you have illegal/cracked software, cracks, keygens, etc. on the system, please remove or uninstall them now!
  • I can not guarantee that we will find and be able to remove all malware. The cleaning process is not instant. Please continue to review my answers until I tell you that your computer is clean.
  • Please reply to this thread. Do not start a new topic.
  • As my first language is not English, please do not use slang or idioms. It could be hard for me to understand.
  • Please open the computer as administrator. How do I open the computer as administrator?
  • Disable your AntiVirus and AntiSpyware applications, as they will interfere with our tools and the removal. If you are unsure how to do this, please refer to get help here

Thanks
 
I am currently reviewing your log. I will be back with a fix for your problem as soon as possible. Please be patient with me during this time.

Sincerely

Best regards

If you wish to show appreciation and support me personally fighting against malware, then you can consider a donation. Thank you.
Malware fix forum
If I don't reply within 24 hours please PM me!

 


 


#3 olgun52 (Malware Response Team)

Posted 14 February 2017 - 08:38 AM

Hi helpmyhawk,

Please post MalwareBytes scan report.

=======================================

ATTENTION: System Restore is disabled

Please do enable system restore.
How to Enable and Disable System Restore
https://support.microsoft.com/tr-tr/help/264887/how-to-enable-and-disable-system-restore?wa=wsignin1.0%3Fwa%3Dwsignin1.0
=============================================

ProxyServer: [S-1-5-21-3446860588-382003032-31899574-1000] => localhost:8080

Are you aware of this?

================================

C:\Users\TEMP.steven-LAPTOP.001
C:\Users\TEMP.steven-LAPTOP.002
C:\Users\TEMP.steven-LAPTOP.000

Are you aware of these?

==================================

C:\{160920ED-8C7A-4DBF-A8A0-1CBF73396CA2}.CBM
C:\maven
C:\Hadoop
C:\Anaconda2

Are these familiar to you?

========================================================================================
Uninstall some programs

NOTE: Because of the cleanup process, some of the programs I have listed may not be in Add/Remove anymore. This is fine; just move to the next item on the list.

You can remove these programs using Add/Remove, or you can use the free uninstaller from Revo (Revo does a lot better job).

Programs to remove
IObit
Spybot S&D
COMODO Programs Manager
Google Update Helper
Java 8 Update 121
Java SE Development Kit 7 Update 51
SlimCleaner
Wondershare

  • Please download and install Revo Uninstaller Free
  • Double click Revo Uninstaller to run it.
  • From the list of programs double click on The Program to remove
  • When prompted if you want to uninstall click Yes.
  • Be sure the Moderate option is selected then click Next.
  • The program will run, If prompted again click Yes
  • when the built-in uninstaller is finished click on Next.
  • Once the program has searched for leftovers click Next.
  • Check/tick the bolded items only on the list then click Delete
  • when prompted click on Yes and then on next.
  • put a check on any folders that are found and select delete
  • when prompted select yes then on next
  • Once done click Finish
  • Restart the PC now.

=================================================================================

Step 1:
Please download AdwCleaner by Xplode onto your desktop.

  • Double click on AdwCleaner.exe to run the tool.
  • Click on Search, then Clean.
  • A logfile will automatically open after the scan has finished.
  • Please post the contents of that logfile with your next reply.
  • You can find the logfile at C:\AdwCleaner[S1].txt as well.

Step 2:
Please download Junkware Removal Tool to your desktop.

  • Shut down your protection software now to avoid potential conflicts.
  • Run the tool by double-clicking it. If you are using Windows Vista / 7 / 8; instead of double-clicking, right-mouse click JRT.exe and select "Run as Administrator".
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete depending on your system's specifications.
  • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
  • Post the contents of JRT.txt into your next message.

 


Best regards
 

 


 


#4 helpmyhawk (Topic Starter)

Posted 14 February 2017 - 11:29 AM

I have uninstalled the programs. IObit seems to be a leftover from when I uninstalled it months ago.

How do I turn off or disable MBAM and Microsoft Security Essentials?



#5 olgun52 (Malware Response Team)

Posted 14 February 2017 - 12:08 PM

How do i turn off or disable MBAM and microsoft security essentials?

You can right click on the Malwarebytes Icon in the system tray and click on Exit.

 

Also you can open Malwarebytes then click on Settings => Advanced Settings => and in that window Uncheck the top 3 items.

 

Start Malwarebytes Anti-Malware with Windows

Enable Malware Protection when Malwarebytes Anti-Malware starts

Enable Malicious Website Protection when Malwarebytes Anti-Malware starts

=======================================================================

Open Microsoft Security Essentials -> click "Settings" tab -> select "Real time protection" -> uncheck the box "Turn on real-time protection" (recommended).
 

OK?


Best regards
 

 


 


#6 helpmyhawk (Topic Starter)

Posted 15 February 2017 - 06:45 AM

Malwarebytes
www.malwarebytes.com
 
-Log Details-
Scan Date: 2/12/17
Scan Time: 8:02 AM
Logfile: MBAM.txt
Administrator: Yes
 
-Software Information-
Version: 3.0.6.1469
Components Version: 1.0.50
Update Package Version: 1.0.1241
License: Premium
 
-System Information-
OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: steven-LAPTOP\steven-admin
 
-Scan Summary-
Scan Type: Threat Scan
Result: Completed
Objects Scanned: 564251
Time Elapsed: 10 min, 54 sec
 
-Scan Options-
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled
 
-Scan Details-
Process: 0
(No malicious items detected)
 
Module: 0
(No malicious items detected)
 
Registry Key: 0
(No malicious items detected)
 
Registry Value: 0
(No malicious items detected)
 
Registry Data: 0
(No malicious items detected)
 
Data Stream: 0
(No malicious items detected)
 
Folder: 0
(No malicious items detected)
 
File: 0
(No malicious items detected)
 
Physical Sector: 0
(No malicious items detected)
 
 
(end)

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Malwarebytes
Version: 8.1.0 (12.05.2016)
Operating System: Windows 7 Professional x64 
Ran by steven-admin (Limited) on Wed 02/15/2017 at  6:28:51.21
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
 
 
 
File System: 9 
 
Successfully deleted: C:\Windows\wininit.ini (File) 
Successfully deleted: C:\Users\steven-admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\5OXEOTFD (Temporary Internet Files Folder) 
Successfully deleted: C:\Users\steven-admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\9MQS976A (Temporary Internet Files Folder) 
Successfully deleted: C:\Users\steven-admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\BQI2Z1OH (Temporary Internet Files Folder) 
Successfully deleted: C:\Users\steven-admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\QFTJOKGN (Temporary Internet Files Folder) 
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\5OXEOTFD (Temporary Internet Files Folder) 
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\9MQS976A (Temporary Internet Files Folder) 
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\BQI2Z1OH (Temporary Internet Files Folder) 
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\QFTJOKGN (Temporary Internet Files Folder) 
 
 
 
Registry: 1 
 
Successfully deleted: HKCU\Software\Microsoft\Windows\CurrentVersion\Run\\GoogleChromeAutoLaunch_4CBEBCD78B3D1778C2CBD84AC16DAE73 (Registry Value) 
 
 
 
 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on Wed 02/15/2017 at  6:30:34.15
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


#7 helpmyhawk (Topic Starter)

Posted 15 February 2017 - 07:16 AM

# AdwCleaner v6.043 - Logfile created 14/02/2017 at 11:40:59
# Updated on 27/01/2017 by Malwarebytes
# Database : 2017-02-13.1 [Server]
# Operating System : Windows 7 Professional Service Pack 1 (X64)
# Username : steven-admin - STEVEN-LAPTOP
# Running from : D:\Users\steven-admin\Desktop\AdwCleaner.exe
# Mode: Scan
 
 
 
***** [ Services ] *****
 
No malicious services found.
 
 
***** [ Folders ] *****
 
No malicious folders found.
 
 
***** [ Files ] *****
 
No malicious files found.
 
 
***** [ DLL ] *****
 
No malicious DLLs found.
 
 
***** [ WMI ] *****
 
No malicious keys found.
 
 
***** [ Shortcuts ] *****
 
No infected shortcut found.
 
 
***** [ Scheduled Tasks ] *****
 
No malicious task found.
 
 
***** [ Registry ] *****
 
No malicious registry entries found.
 
 
***** [ Web browsers ] *****
 
No malicious Firefox based browser items found.
No malicious Chromium based browser items found.
 
*************************
 
C:\AdwCleaner\AdwCleaner[C2].txt - [2299 Bytes] - [12/02/2017 10:36:52]
C:\AdwCleaner\AdwCleaner[C3].txt - [2546 Bytes] - [19/10/2015 18:58:40]
C:\AdwCleaner\AdwCleaner[R0].txt - [2113 Bytes] - [07/02/2015 22:52:56]
C:\AdwCleaner\AdwCleaner[R1].txt - [2110 Bytes] - [08/02/2015 04:55:31]
C:\AdwCleaner\AdwCleaner[R2].txt - [1132 Bytes] - [14/02/2015 11:22:52]
C:\AdwCleaner\AdwCleaner[S0].txt - [2196 Bytes] - [08/02/2015 08:33:44]
C:\AdwCleaner\AdwCleaner[S1].txt - [1201 Bytes] - [14/02/2015 11:50:04]
C:\AdwCleaner\AdwCleaner[S3].txt - [2302 Bytes] - [12/02/2017 10:35:54]
C:\AdwCleaner\AdwCleaner[S4].txt - [2364 Bytes] - [19/10/2015 18:57:06]
C:\AdwCleaner\AdwCleaner[S5].txt - [1681 Bytes] - [14/02/2017 11:40:59]
 
########## EOF - C:\AdwCleaner\AdwCleaner[S5].txt - [1754 Bytes] ##########


#8 olgun52 (Malware Response Team)

Posted 15 February 2017 - 07:41 AM

I am waiting for your answers to my questions.


Best regards
 

 


 


#9 helpmyhawk (Topic Starter)

Posted 15 February 2017 - 02:18 PM

Yes, I am aware of Hadoop, Anaconda and Maven. I am using those programs in my project.

I am not sure what these are - C:\Users\TEMP.steven-LAPTOP.001

C:\Users\TEMP.steven-LAPTOP.002
C:\Users\TEMP.steven-LAPTOP.000



#10 olgun52 (Malware Response Team)

Posted 15 February 2017 - 03:36 PM

Hi helpmyhawk,

 

Step 1:
Run FRST fixlist
 
Please open notepad (Start > All Programs > Accessories > Notepad)
Copy the entire contents of the code box below (Do not copy the word 'code') to Notepad.
Save it to the Desktop, and name it: fixlist.txt

CreateRestorePoint:
CloseProcesses:
C:\Windows\wininit.ini
C:\Users\TEMP.steven-LAPTOP.002\AppData\Local\PackageAware
C:\Program Files\COMODO\COMODO Programs Manager\CPMservice.exe
C:\Program Files (x86)\Google\Chrome Remote Desktop\56.0.2924.51\remoting_host.exe
HKU\S-1-5-21-3446860588-382003032-31899574-1000\...\Run: [BingSvc] => C:\Users\steven-admin\AppData\Local\Microsoft\BingSvc\BingSvc.exe [144008 2015-11-12] (© 2015 Microsoft Corporation)
HKU\S-1-5-21-3446860588-382003032-31899574-1000\...\Run: [SpybotPostWindows10UpgradeReInstall] => C:\Program Files\Common Files\AV\Spybot - Search and Destroy\Test.exe [1011200 2015-07-28] (Safer-Networking Ltd.)
GroupPolicyScripts: Restriction <======= ATTENTION
FF Plugin-x32: @java.com/DTPlugin,version=11.121.2 -> C:\Program Files (x86)\Java\jre1.8.0_121\bin\dtplugin\npDeployJava1.dll [2017-01-19] (Oracle Corporation)
FF Plugin-x32: @java.com/JavaPlugin,version=11.121.2 -> C:\Program Files (x86)\Java\jre1.8.0_121\bin\plugin2\npjp2.dll [2017-01-19] (Oracle Corporation)
FF Plugin-x32: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin HKU\S-1-5-21-3446860588-382003032-31899574-1000: @symantec.com/nptblive-4-x86 -> C:\Users\steven-admin\AppData\Local\PKI Client\4\32\nptblive-4-x86.dll [2014-11-19] (Symantec Corporation)
Task: {3612839D-A776-4D6A-A48D-FEBBF7E69B58} - System32\Tasks\Safer-Networking\Spybot - Search and Destroy\Check for updates => C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdate.exe
Task: {3C6748ED-0758-4BAC-A0F6-F9EE8E691034} - System32\Tasks\Safer-Networking\Spybot - Search and Destroy\Scan the system => C:\Program Files (x86)\Spybot - Search & Destroy 2\SDScan.exe
Task: {8EEC3888-A2F9-47EB-8A04-755AC80F095B} - System32\Tasks\{86BA53AD-6D5A-46B4-8CB1-BF69E7A64C87} => pcalua.exe -a C:\Users\STEVEN~1\AppData\Local\Temp\jre-8u111-windows-au.exe -d C:\Windows\SysWOW64 -c /installmethod=jau FAMILYUPGRADE=1 <==== ATTENTION
Task: {A8FD0083-868E-4B2F-BE3F-91C42BCC8C26} - System32\Tasks\Safer-Networking\Spybot - Search and Destroy\Refresh immunization => C:\Program Files (x86)\Spybot - Search & Destroy 2\SDImmunize.exe
2011-09-05 10:11 - 2011-09-05 10:11 - 00116032 _____ () C:\Program Files\COMODO\COMODO Programs Manager\CPMService.exe
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\PEVSystemStart => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\78252234.sys => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\78252234.sys => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\PEVSystemStart => ""="Service"
FirewallRules: [TCP Query User{CDFD734E-35B5-46DA-801D-D1E31AEDC927}C:\java\jdk1.7.0_09\bin\javaw.exe] => C:\java\jdk1.7.0_09\bin\javaw.exe
FirewallRules: [UDP Query User{EC29F0C1-48F9-4BB7-8AA8-796CD4FE136D}C:\java\jdk1.7.0_09\bin\javaw.exe] => C:\java\jdk1.7.0_09\bin\javaw.exe
FirewallRules: [TCP Query User{87A983A6-CF66-4FE1-B632-3D2B6E9F4922}C:\java\jdk1.7.0_09\bin\java.exe] => C:\java\jdk1.7.0_09\bin\java.exe
FirewallRules: [UDP Query User{0F8084FE-CC0D-4E1D-B0A0-35377E32A90D}C:\java\jdk1.7.0_09\bin\java.exe] => C:\java\jdk1.7.0_09\bin\java.exe
FirewallRules: [TCP Query User{7C3F09C6-1926-4EF9-A3E8-480F805D8F7D}C:\java\jdk1.6.0_39_32\jre\bin\javaw.exe] => C:\java\jdk1.6.0_39_32\jre\bin\javaw.exe
FirewallRules: [UDP Query User{F5D41403-61CF-48F6-8239-BB2F56991F46}C:\java\jdk1.6.0_39_32\jre\bin\javaw.exe] => C:\java\jdk1.6.0_39_32\jre\bin\javaw.exe
FirewallRules: [TCP Query User{BE05E7CC-3132-464F-9733-20EE685B1BFF}C:\java\jdk1.7.0_51\bin\java.exe] => C:\java\jdk1.7.0_51\bin\java.exe
FirewallRules: [UDP Query User{6AF1BB5D-9791-4254-AE50-70D8C4E9BD7C}C:\java\jdk1.7.0_51\bin\java.exe] => C:\java\jdk1.7.0_51\bin\java.exe
StandardProfile\AuthorizedApplications: [C:\Windows\TEMP\8bklh.exe] => Enabled:Policy
StandardProfile\AuthorizedApplications: [C:\Windows\TEMP\g1sk7ae.exe] => Enabled:Policy
StandardProfile\AuthorizedApplications: [C:\Windows\TEMP\wywror.exe] => Enabled:Policy
StandardProfile\AuthorizedApplications: [C:\Windows\TEMP\ifqdbe5.exe] => Enabled:Policy
StandardProfile\AuthorizedApplications: [C:\Windows\TEMP\0zwq8im.exe] => Enabled:Policy
StandardProfile\AuthorizedApplications: [C:\Windows\TEMP\5k038iw.exe] => Enabled:Policy
StandardProfile\AuthorizedApplications: [C:\Windows\TEMP\y1uf30uoi.exe] => Enabled:Policy
StandardProfile\AuthorizedApplications: [C:\Windows\TEMP\u527chjrc.exe] => Enabled:Policy
StandardProfile\AuthorizedApplications: [C:\Windows\TEMP\48f4bkkjq.exe] => Enabled:Policy
StandardProfile\AuthorizedApplications: [C:\Windows\TEMP\km8w5oqfe.exe] => Enabled:Policy
StandardProfile\AuthorizedApplications: [C:\Windows\TEMP\6q7zue426.exe] => Enabled:Policy
StandardProfile\AuthorizedApplications: [C:\Windows\TEMP\cfgc08if.exe] => Enabled:Policy
StandardProfile\AuthorizedApplications: [C:\Windows\TEMP\76tz21.exe] => Enabled:Policy
StandardProfile\AuthorizedApplications: [C:\Windows\TEMP\jvow1n0.exe] => Enabled:Policy
StandardProfile\AuthorizedApplications: [C:\Windows\TEMP\327acq3.exe] => Enabled:Policy
StandardProfile\AuthorizedApplications: [C:\Windows\TEMP\5aroi87.exe] => Enabled:Policy
StandardProfile\AuthorizedApplications: [C:\Windows\TEMP\b03fjhv8.exe] => Enabled:Policy
StandardProfile\AuthorizedApplications: [C:\Windows\TEMP\2mvi3.exe] => Enabled:Policy
StandardProfile\AuthorizedApplications: [C:\Windows\TEMP\z6kubld14.exe] => Enabled:Policy
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
HKU\S-1-5-21-3446860588-382003032-31899574-1000\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=msnhome
HKU\S-1-5-21-3446860588-382003032-31899574-1000\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
SearchScopes: HKU\S-1-5-19 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-20 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-21-3446860588-382003032-31899574-1000 -> {012E1000-F331-11DB-8314-0800200C9A66} URL = hxxp://www.google.com/search?q={searchTerms}
BHO: Java(tm) Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files\Java\jre1.8.0_121\bin\ssv.dll [2017-01-19] (Oracle Corporation)
BHO: Java(tm) Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files\Java\jre1.8.0_121\bin\jp2ssv.dll [2017-01-19] (Oracle Corporation)
BHO-x32: Java(tm) Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files (x86)\Java\jre1.8.0_121\bin\ssv.dll [2017-01-19] (Oracle Corporation)
BHO-x32: Java(tm) Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files (x86)\Java\jre1.8.0_121\bin\jp2ssv.dll [2017-01-19] (Oracle Corporation)
FF Plugin: @java.com/DTPlugin,version=11.121.2 -> C:\Program Files\Java\jre1.8.0_121\bin\dtplugin\npDeployJava1.dll [2017-01-19] (Oracle Corporation)
FF Plugin: @java.com/JavaPlugin,version=11.121.2 -> C:\Program Files\Java\jre1.8.0_121\bin\plugin2\npjp2.dll [2017-01-19] (Oracle Corporation)
FF Plugin: @microsoft.com/GENUINE -> disabled [No File]
CHR HKU\S-1-5-21-3446860588-382003032-31899574-1000\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [ahgdclgdhfeingghldkedleghekbfhef] - hxxps://clients2.google.com/service/update2/crx
CHR HKU\S-1-5-21-3446860588-382003032-31899574-1000\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [lmjegmlicamnimmfhcmpkclmigmmcbeh] - hxxps://clients2.google.com/service/update2/crx
CHR HKLM-x32\...\Chrome\Extension: [efaidnbmnnnibpcajpcglclefindmkaj] - hxxps://clients2.google.com/service/update2/crx
CHR HKLM-x32\...\Chrome\Extension: [lifbcibllhkdhoafpjfnlhfpfgnpldfl] - hxxps://clients2.google.com/service/update2/crx
R2 CPMService; C:\Program Files\COMODO\COMODO Programs Manager\CPMService.exe [116032 2011-09-05] ()
C:\Users\TEMP.steven-LAPTOP.002\AppData\Roaming\IObit
C:\Users\Administrator\AppData\Roaming\IObit
C:\Program Files (x86)\Spybot - Search & Destroy 2
C:\ProgramData\Spybot - Search & Destroy
C:\ProgramData\Microsoft.SqlServer.Compact.400.32.bc
CMD: bitsadmin /reset /allusers
CMD: netsh winsock reset all
CMD: ipconfig /flushdns
Hosts:
EmptyTemp:
Reboot:
End

NOTICE: This script is written specifically for this computer!!!
Running this on another computer may cause damage to the Operating System.

Now, please run FRST, and press the Fix button, just once, and wait.
When done, the tool creates a report on the Desktop called: Fixlog.txt
>> Please post the Fixlog.txt in your reply.

 

Step 2:

Scan with Zemana AntiMalware Free:

  • Turn off the real time scanner of any existing antivirus and firewall programs while performing scan
  • Please download and install Zemana AntiMalware Free
  • Double-click the software shortcut on the desktop and follow the prompts to install the program.
  • If an update is available, click the Update now button.
  • At the end, click Settings > Advanced > ''I have read the warning and wish to proceed anyway''.
  • Auto Launch > untick the box next to it.
  • Scan type > Smart scan (Default).
  • Close all open files, folders and browsers.
  • Click Scan now (''Run as Administrator'') and a threat scan will begin.
  • When the scan is complete, press Report and send me the report.
  • Please restart the PC now.

===========================================================

How is your PC running now?

 

Have a nice day.

 

 


Best regards
 
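The fixlist above removes, among other things, Windows Firewall allow rules for randomly named executables sitting in C:\Windows\TEMP, a scheduled task that launches an installer out of a user's Temp folder, and (from the earlier question) a per-user proxy pointing at localhost:8080. The Python below is an added example, not part of FRST, the thread or the helper's script: it reads FRST-style lines and flags those same patterns so a reader can see why these entries stood out. The sample lines are copied from the FRST output quoted in this thread, except the last, which is a constructed benign rule.

```python
"""Triage FRST (Farbar Recovery Scan Tool) log lines for the patterns the
fixlist in this thread removes.

Added example for this thread; it is not part of FRST or of the helper's fix
script. These are heuristics, not verdicts: a legitimate installer can also run
from a temp directory, so every finding is something to look at, not to delete.
"""
import re
from typing import Dict, List, Tuple

# Sample input. Lines 1-7 are copied from the FRST output quoted in this thread;
# line 8 is a constructed benign firewall rule so the filter has a clean case.
SAMPLE_LINES = [
    r"ProxyServer: [S-1-5-21-3446860588-382003032-31899574-1000] => localhost:8080",
    r"StandardProfile\AuthorizedApplications: [C:\Windows\TEMP\8bklh.exe] => Enabled:Policy",
    r"StandardProfile\AuthorizedApplications: [C:\Windows\TEMP\g1sk7ae.exe] => Enabled:Policy",
    r"FirewallRules: [TCP Query User{CDFD734E-35B5-46DA-801D-D1E31AEDC927}C:\java\jdk1.7.0_09\bin\javaw.exe] => C:\java\jdk1.7.0_09\bin\javaw.exe",
    r"GroupPolicyScripts: Restriction <======= ATTENTION",
    r"Task: {8EEC3888-A2F9-47EB-8A04-755AC80F095B} - System32\Tasks\{86BA53AD-6D5A-46B4-8CB1-BF69E7A64C87} => pcalua.exe -a C:\Users\STEVEN~1\AppData\Local\Temp\jre-8u111-windows-au.exe -d C:\Windows\SysWOW64 -c /installmethod=jau FAMILYUPGRADE=1 <==== ATTENTION",
    r"R2 CPMService; C:\Program Files\COMODO\COMODO Programs Manager\CPMService.exe [116032 2011-09-05] ()",
    r"FirewallRules: [Example-Rule] => C:\Program Files\Example\example.exe",  # constructed
]

# A Windows path ending in .exe; non-greedy so each .exe on a line is its own match.
EXE_PATH = re.compile(r"[A-Za-z]:\\.*?\.exe", re.IGNORECASE)
# Any path component named TEMP or TMP (C:\Windows\TEMP\, ...\AppData\Local\Temp\).
TEMP_DIR = re.compile(r"\\(?:temp|tmp)\\", re.IGNORECASE)
# FRST's ProxyServer line: "ProxyServer: [SID] => host:port".
PROXY = re.compile(r"^ProxyServer:.*=>\s*(?P<proxy>\S+)")
# FRST line kinds that record a Windows Firewall allow rule.
FIREWALL_PREFIXES = (r"StandardProfile\AuthorizedApplications:", "FirewallRules:")
LOOPBACK_HOSTS = {"localhost", "127.0.0.1"}

Finding = Tuple[int, str, str]  # (1-based line number, severity, reason)


def triage_line(line: str) -> List[Tuple[str, str]]:
    """Return (severity, reason) pairs for one FRST line; empty if nothing notable."""
    findings: List[Tuple[str, str]] = []
    if "ATTENTION" in line:
        findings.append(("high", "entry flagged ATTENTION by FRST itself"))
    temp_paths = [p for p in EXE_PATH.findall(line) if TEMP_DIR.search(p)]
    if temp_paths and line.startswith(FIREWALL_PREFIXES):
        findings.append(("high", f"firewall allow rule for an executable in a temp directory: {temp_paths[0]}"))
    elif temp_paths:
        findings.append(("medium", f"executable run from a temp directory: {temp_paths[0]}"))
    m = PROXY.match(line)
    if m:
        proxy = m.group("proxy")
        host = proxy.rsplit(":", 1)[0].lower()
        # A proxy on the loopback interface usually means local software is
        # intercepting browser traffic; a remote host is worth a question too.
        severity = "medium" if host in LOOPBACK_HOSTS else "low"
        findings.append((severity, f"per-user proxy configured: {proxy}"))
    return findings


def triage(lines: List[str]) -> List[Finding]:
    """Run triage_line over a whole log, keeping line numbers for the report."""
    report: List[Finding] = []
    for number, line in enumerate(lines, start=1):
        for severity, reason in triage_line(line.rstrip()):
            report.append((number, severity, reason))
    return report


def summarize(report: List[Finding]) -> Dict[str, int]:
    """Count findings per severity."""
    counts: Dict[str, int] = {}
    for _, severity, _ in report:
        counts[severity] = counts.get(severity, 0) + 1
    return counts


if __name__ == "__main__":
    result = triage(SAMPLE_LINES)
    for number, severity, reason in result:
        print(f"line {number:>2} [{severity}] {reason}")
    print(summarize(result))
```

On the sample input the two TEMP firewall exceptions, the two ATTENTION entries and the loopback proxy are reported, while the Java firewall rules and the COMODO service pass untouched; the pcalua.exe task is reported twice because FRST's own marker and the temp-directory path are independent signals.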

 


 


#11 helpmyhawk (Topic Starter)

Posted 15 February 2017 - 08:38 PM

Fix result of Farbar Recovery Scan Tool (x64) Version: 15-02-2017 02
Ran by steven-admin (15-02-2017 17:40:16) Run:1
Running from D:\Users\steven-admin\Desktop
Loaded Profiles: steven-admin (Available Profiles: steven-admin & UpdatusUser & Administrator)
Boot Mode: Safe Mode (with Networking)
==============================================
 
fixlist content:
*****************
CreateRestorePoint:
CloseProcesses:
C:\Windows\wininit.ini
C:\Users\TEMP.steven-LAPTOP.002\AppData\Local\PackageAware
C:\Program Files\COMODO\COMODO Programs Manager\CPMservice.exe
C:\Program Files (x86)\Google\Chrome Remote Desktop\56.0.2924.51\remoting_host.exe
HKU\S-1-5-21-3446860588-382003032-31899574-1000\...\Run: [BingSvc] => C:\Users\steven-admin\AppData\Local\Microsoft\BingSvc\BingSvc.exe [144008 2015-11-12] (© 2015 Microsoft Corporation)
HKU\S-1-5-21-3446860588-382003032-31899574-1000\...\Run: [SpybotPostWindows10UpgradeReInstall] => C:\Program Files\Common Files\AV\Spybot - Search and Destroy\Test.exe [1011200 2015-07-28] (Safer-Networking Ltd.)
GroupPolicyScripts: Restriction <======= ATTENTION
FF Plugin-x32: @java.com/DTPlugin,version=11.121.2 -> C:\Program Files (x86)\Java\jre1.8.0_121\bin\dtplugin\npDeployJava1.dll [2017-01-19] (Oracle Corporation)
FF Plugin-x32: @java.com/JavaPlugin,version=11.121.2 -> C:\Program Files (x86)\Java\jre1.8.0_121\bin\plugin2\npjp2.dll [2017-01-19] (Oracle Corporation)
FF Plugin-x32: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin HKU\S-1-5-21-3446860588-382003032-31899574-1000: @symantec.com/nptblive-4-x86 -> C:\Users\steven-admin\AppData\Local\PKI Client\4\32\nptblive-4-x86.dll [2014-11-19] (Symantec Corporation)
Task: {3612839D-A776-4D6A-A48D-FEBBF7E69B58} - System32\Tasks\Safer-Networking\Spybot - Search and Destroy\Check for updates => C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdate.exe
Task: {3C6748ED-0758-4BAC-A0F6-F9EE8E691034} - System32\Tasks\Safer-Networking\Spybot - Search and Destroy\Scan the system => C:\Program Files (x86)\Spybot - Search & Destroy 2\SDScan.exe
Task: {8EEC3888-A2F9-47EB-8A04-755AC80F095B} - System32\Tasks\{86BA53AD-6D5A-46B4-8CB1-BF69E7A64C87} => pcalua.exe -a C:\Users\STEVEN~1\AppData\Local\Temp\jre-8u111-windows-au.exe -d C:\Windows\SysWOW64 -c /installmethod=jau FAMILYUPGRADE=1 <==== ATTENTION
Task: {A8FD0083-868E-4B2F-BE3F-91C42BCC8C26} - System32\Tasks\Safer-Networking\Spybot - Search and Destroy\Refresh immunization => C:\Program Files (x86)\Spybot - Search & Destroy 2\SDImmunize.exe
2011-09-05 10:11 - 2011-09-05 10:11 - 00116032 _____ () C:\Program Files\COMODO\COMODO Programs Manager\CPMService.exe
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\PEVSystemStart => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\78252234.sys => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\78252234.sys => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\PEVSystemStart => ""="Service"
FirewallRules: [TCP Query User{CDFD734E-35B5-46DA-801D-D1E31AEDC927}C:\java\jdk1.7.0_09\bin\javaw.exe] => C:\java\jdk1.7.0_09\bin\javaw.exe
FirewallRules: [UDP Query User{EC29F0C1-48F9-4BB7-8AA8-796CD4FE136D}C:\java\jdk1.7.0_09\bin\javaw.exe] => C:\java\jdk1.7.0_09\bin\javaw.exe
FirewallRules: [TCP Query User{87A983A6-CF66-4FE1-B632-3D2B6E9F4922}C:\java\jdk1.7.0_09\bin\java.exe] => C:\java\jdk1.7.0_09\bin\java.exe
FirewallRules: [UDP Query User{0F8084FE-CC0D-4E1D-B0A0-35377E32A90D}C:\java\jdk1.7.0_09\bin\java.exe] => C:\java\jdk1.7.0_09\bin\java.exe
FirewallRules: [TCP Query User{7C3F09C6-1926-4EF9-A3E8-480F805D8F7D}C:\java\jdk1.6.0_39_32\jre\bin\javaw.exe] => C:\java\jdk1.6.0_39_32\jre\bin\javaw.exe
FirewallRules: [UDP Query User{F5D41403-61CF-48F6-8239-BB2F56991F46}C:\java\jdk1.6.0_39_32\jre\bin\javaw.exe] => C:\java\jdk1.6.0_39_32\jre\bin\javaw.exe
FirewallRules: [TCP Query User{BE05E7CC-3132-464F-9733-20EE685B1BFF}C:\java\jdk1.7.0_51\bin\java.exe] => C:\java\jdk1.7.0_51\bin\java.exe
FirewallRules: [UDP Query User{6AF1BB5D-9791-4254-AE50-70D8C4E9BD7C}C:\java\jdk1.7.0_51\bin\java.exe] => C:\java\jdk1.7.0_51\bin\java.exe
StandardProfile\AuthorizedApplications: [C:\Windows\TEMP\8bklh.exe] => Enabled:Policy
StandardProfile\AuthorizedApplications: [C:\Windows\TEMP\g1sk7ae.exe] => Enabled:Policy
StandardProfile\AuthorizedApplications: [C:\Windows\TEMP\wywror.exe] => Enabled:Policy
StandardProfile\AuthorizedApplications: [C:\Windows\TEMP\ifqdbe5.exe] => Enabled:Policy
StandardProfile\AuthorizedApplications: [C:\Windows\TEMP\0zwq8im.exe] => Enabled:Policy
StandardProfile\AuthorizedApplications: [C:\Windows\TEMP\5k038iw.exe] => Enabled:Policy
StandardProfile\AuthorizedApplications: [C:\Windows\TEMP\y1uf30uoi.exe] => Enabled:Policy
StandardProfile\AuthorizedApplications: [C:\Windows\TEMP\u527chjrc.exe] => Enabled:Policy
StandardProfile\AuthorizedApplications: [C:\Windows\TEMP\48f4bkkjq.exe] => Enabled:Policy
StandardProfile\AuthorizedApplications: [C:\Windows\TEMP\km8w5oqfe.exe] => Enabled:Policy
StandardProfile\AuthorizedApplications: [C:\Windows\TEMP\6q7zue426.exe] => Enabled:Policy
StandardProfile\AuthorizedApplications: [C:\Windows\TEMP\cfgc08if.exe] => Enabled:Policy
StandardProfile\AuthorizedApplications: [C:\Windows\TEMP\76tz21.exe] => Enabled:Policy
StandardProfile\AuthorizedApplications: [C:\Windows\TEMP\jvow1n0.exe] => Enabled:Policy
StandardProfile\AuthorizedApplications: [C:\Windows\TEMP\327acq3.exe] => Enabled:Policy
StandardProfile\AuthorizedApplications: [C:\Windows\TEMP\5aroi87.exe] => Enabled:Policy
StandardProfile\AuthorizedApplications: [C:\Windows\TEMP\b03fjhv8.exe] => Enabled:Policy
StandardProfile\AuthorizedApplications: [C:\Windows\TEMP\2mvi3.exe] => Enabled:Policy
StandardProfile\AuthorizedApplications: [C:\Windows\TEMP\z6kubld14.exe] => Enabled:Policy
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
HKU\S-1-5-21-3446860588-382003032-31899574-1000\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=msnhome
HKU\S-1-5-21-3446860588-382003032-31899574-1000\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
SearchScopes: HKU\S-1-5-19 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-20 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-21-3446860588-382003032-31899574-1000 -> {012E1000-F331-11DB-8314-0800200C9A66} URL = hxxp://www.google.com/search?q={searchTerms}
BHO: Java™ Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files\Java\jre1.8.0_121\bin\ssv.dll [2017-01-19] (Oracle Corporation)
BHO: Java™ Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files\Java\jre1.8.0_121\bin\jp2ssv.dll [2017-01-19] (Oracle Corporation)
BHO-x32: Java™ Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files (x86)\Java\jre1.8.0_121\bin\ssv.dll [2017-01-19] (Oracle Corporation)
BHO-x32: Java™ Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files (x86)\Java\jre1.8.0_121\bin\jp2ssv.dll [2017-01-19] (Oracle Corporation)
FF Plugin: @java.com/DTPlugin,version=11.121.2 -> C:\Program Files\Java\jre1.8.0_121\bin\dtplugin\npDeployJava1.dll [2017-01-19] (Oracle Corporation)
FF Plugin: @java.com/JavaPlugin,version=11.121.2 -> C:\Program Files\Java\jre1.8.0_121\bin\plugin2\npjp2.dll [2017-01-19] (Oracle Corporation)
FF Plugin: @microsoft.com/GENUINE -> disabled [No File]
CHR HKU\S-1-5-21-3446860588-382003032-31899574-1000\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [ahgdclgdhfeingghldkedleghekbfhef] - hxxps://clients2.google.com/service/update2/crx
CHR HKU\S-1-5-21-3446860588-382003032-31899574-1000\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [lmjegmlicamnimmfhcmpkclmigmmcbeh] - hxxps://clients2.google.com/service/update2/crx
CHR HKLM-x32\...\Chrome\Extension: [efaidnbmnnnibpcajpcglclefindmkaj] - hxxps://clients2.google.com/service/update2/crx
CHR HKLM-x32\...\Chrome\Extension: [lifbcibllhkdhoafpjfnlhfpfgnpldfl] - hxxps://clients2.google.com/service/update2/crx
R2 CPMService; C:\Program Files\COMODO\COMODO Programs Manager\CPMService.exe [116032 2011-09-05] ()
C:\Users\TEMP.steven-LAPTOP.002\AppData\Roaming\IObit
C:\Users\Administrator\AppData\Roaming\IObit
C:\Program Files (x86)\Spybot - Search & Destroy 2
C:\ProgramData\Spybot - Search & Destroy
C:\ProgramData\Microsoft.SqlServer.Compact.400.32.bc
CMD: bitsadmin /reset /allusers
CMD: netsh winsock reset all
CMD: ipconfig /flushdns
Hosts:
EmptyTemp:
Reboot:
End
*****************
 
Error: Restore point can only be created in normal mode.
Processes closed successfully.
"C:\Windows\wininit.ini" => not found.
C:\Users\TEMP.steven-LAPTOP.002\AppData\Local\PackageAware => moved successfully
"C:\Program Files\COMODO\COMODO Programs Manager\CPMservice.exe" => not found.
C:\Program Files (x86)\Google\Chrome Remote Desktop\56.0.2924.51\remoting_host.exe => moved successfully
HKU\S-1-5-21-3446860588-382003032-31899574-1000\Software\Microsoft\Windows\CurrentVersion\Run\\BingSvc => value removed successfully
HKU\S-1-5-21-3446860588-382003032-31899574-1000\Software\Microsoft\Windows\CurrentVersion\Run\\SpybotPostWindows10UpgradeReInstall => value removed successfully
C:\Windows\system32\GroupPolicy\Machine => moved successfully
C:\Windows\system32\GroupPolicy\GPT.ini => moved successfully
HKLM\Software\Wow6432Node\MozillaPlugins\@java.com/DTPlugin,version=11.121.2 => key not found. 
C:\Program Files (x86)\Java\jre1.8.0_121\bin\dtplugin\npDeployJava1.dll => not found.
HKLM\Software\Wow6432Node\MozillaPlugins\@java.com/JavaPlugin,version=11.121.2 => key not found. 
C:\Program Files (x86)\Java\jre1.8.0_121\bin\plugin2\npjp2.dll => not found.
HKLM\Software\Wow6432Node\MozillaPlugins\@microsoft.com/GENUINE => key removed successfully
HKU\S-1-5-21-3446860588-382003032-31899574-1000\Software\MozillaPlugins\@symantec.com/nptblive-4-x86 => key removed successfully
C:\Users\steven-admin\AppData\Local\PKI Client\4\32\nptblive-4-x86.dll => moved successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon\{3612839D-A776-4D6A-A48D-FEBBF7E69B58} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{3612839D-A776-4D6A-A48D-FEBBF7E69B58} => key removed successfully
C:\Windows\System32\Tasks\Safer-Networking\Spybot - Search and Destroy\Check for updates => moved successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Safer-Networking\Spybot - Search and Destroy\Check for updates => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{3C6748ED-0758-4BAC-A0F6-F9EE8E691034} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{3C6748ED-0758-4BAC-A0F6-F9EE8E691034} => key removed successfully
C:\Windows\System32\Tasks\Safer-Networking\Spybot - Search and Destroy\Scan the system => moved successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Safer-Networking\Spybot - Search and Destroy\Scan the system => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{8EEC3888-A2F9-47EB-8A04-755AC80F095B} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{8EEC3888-A2F9-47EB-8A04-755AC80F095B} => key removed successfully
C:\Windows\System32\Tasks\{86BA53AD-6D5A-46B4-8CB1-BF69E7A64C87} => moved successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\{86BA53AD-6D5A-46B4-8CB1-BF69E7A64C87} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{A8FD0083-868E-4B2F-BE3F-91C42BCC8C26} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{A8FD0083-868E-4B2F-BE3F-91C42BCC8C26} => key removed successfully
C:\Windows\System32\Tasks\Safer-Networking\Spybot - Search and Destroy\Refresh immunization => moved successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Safer-Networking\Spybot - Search and Destroy\Refresh immunization => key removed successfully
"C:\Program Files\COMODO\COMODO Programs Manager\CPMService.exe" => not found.
HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\PEVSystemStart => key removed successfully
HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\78252234.sys => key removed successfully
HKLM\System\CurrentControlSet\Control\SafeBoot\Network\78252234.sys => key removed successfully
HKLM\System\CurrentControlSet\Control\SafeBoot\Network\PEVSystemStart => key removed successfully
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\TCP Query User{CDFD734E-35B5-46DA-801D-D1E31AEDC927}C:\java\jdk1.7.0_09\bin\javaw.exe => value removed successfully
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\UDP Query User{EC29F0C1-48F9-4BB7-8AA8-796CD4FE136D}C:\java\jdk1.7.0_09\bin\javaw.exe => value removed successfully
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\TCP Query User{87A983A6-CF66-4FE1-B632-3D2B6E9F4922}C:\java\jdk1.7.0_09\bin\java.exe => value removed successfully
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\UDP Query User{0F8084FE-CC0D-4E1D-B0A0-35377E32A90D}C:\java\jdk1.7.0_09\bin\java.exe => value removed successfully
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\TCP Query User{7C3F09C6-1926-4EF9-A3E8-480F805D8F7D}C:\java\jdk1.6.0_39_32\jre\bin\javaw.exe => value removed successfully
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\UDP Query User{F5D41403-61CF-48F6-8239-BB2F56991F46}C:\java\jdk1.6.0_39_32\jre\bin\javaw.exe => value removed successfully
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\TCP Query User{BE05E7CC-3132-464F-9733-20EE685B1BFF}C:\java\jdk1.7.0_51\bin\java.exe => value removed successfully
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\UDP Query User{6AF1BB5D-9791-4254-AE50-70D8C4E9BD7C}C:\java\jdk1.7.0_51\bin\java.exe => value removed successfully
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\Windows\TEMP\8bklh.exe => value removed successfully
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\Windows\TEMP\g1sk7ae.exe => value removed successfully
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\Windows\TEMP\wywror.exe => value removed successfully
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\Windows\TEMP\ifqdbe5.exe => value removed successfully
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\Windows\TEMP\0zwq8im.exe => value removed successfully
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\Windows\TEMP\5k038iw.exe => value removed successfully
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\Windows\TEMP\y1uf30uoi.exe => value removed successfully
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\Windows\TEMP\u527chjrc.exe => value removed successfully
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\Windows\TEMP\48f4bkkjq.exe => value removed successfully
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\Windows\TEMP\km8w5oqfe.exe => value removed successfully
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\Windows\TEMP\6q7zue426.exe => value removed successfully
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\Windows\TEMP\cfgc08if.exe => value removed successfully
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\Windows\TEMP\76tz21.exe => value removed successfully
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\Windows\TEMP\jvow1n0.exe => value removed successfully
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\Windows\TEMP\327acq3.exe => value removed successfully
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\Windows\TEMP\5aroi87.exe => value removed successfully
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\Windows\TEMP\b03fjhv8.exe => value removed successfully
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\Windows\TEMP\2mvi3.exe => value removed successfully
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\Windows\TEMP\z6kubld14.exe => value removed successfully
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer => key removed successfully
HKU\S-1-5-21-3446860588-382003032-31899574-1000\SOFTWARE\Policies\Microsoft\Internet Explorer => key removed successfully
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main\\Search Page => value removed successfully
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main\\Start Page => value removed successfully
HKU\S-1-5-21-3446860588-382003032-31899574-1000\Software\Microsoft\Internet Explorer\Main\\Search Page => value restored successfully
HKU\S-1-5-19\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => value removed successfully
HKU\S-1-5-20\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => value removed successfully
HKU\S-1-5-21-3446860588-382003032-31899574-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{012E1000-F331-11DB-8314-0800200C9A66} => key removed successfully
HKCR\CLSID\{012E1000-F331-11DB-8314-0800200C9A66} => key not found. 
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43} => key removed successfully
HKCR\CLSID\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43} => key not found. 
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9} => key removed successfully
HKCR\CLSID\{DBC80044-A445-435b-BC74-9C25C1C588A9} => key not found. 
HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43} => key not found. 
HKCR\Wow6432Node\CLSID\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43} => key not found. 
HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9} => key not found. 
HKCR\Wow6432Node\CLSID\{DBC80044-A445-435b-BC74-9C25C1C588A9} => key not found. 
HKLM\Software\MozillaPlugins\@java.com/DTPlugin,version=11.121.2 => key removed successfully
C:\Program Files\Java\jre1.8.0_121\bin\dtplugin\npDeployJava1.dll => moved successfully
HKLM\Software\MozillaPlugins\@java.com/JavaPlugin,version=11.121.2 => key removed successfully
C:\Program Files\Java\jre1.8.0_121\bin\plugin2\npjp2.dll => moved successfully
HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE => key removed successfully
HKU\S-1-5-21-3446860588-382003032-31899574-1000\SOFTWARE\Google\Chrome\Extensions\ahgdclgdhfeingghldkedleghekbfhef => key removed successfully
HKU\S-1-5-21-3446860588-382003032-31899574-1000\SOFTWARE\Google\Chrome\Extensions\lmjegmlicamnimmfhcmpkclmigmmcbeh => key removed successfully
HKLM\SOFTWARE\Wow6432Node\Google\Chrome\Extensions\efaidnbmnnnibpcajpcglclefindmkaj => key removed successfully
HKLM\SOFTWARE\Wow6432Node\Google\Chrome\Extensions\lifbcibllhkdhoafpjfnlhfpfgnpldfl => key removed successfully
CPMService => service not found.
C:\Users\TEMP.steven-LAPTOP.002\AppData\Roaming\IObit => moved successfully
C:\Users\Administrator\AppData\Roaming\IObit => moved successfully
C:\Program Files (x86)\Spybot - Search & Destroy 2 => moved successfully
C:\ProgramData\Spybot - Search & Destroy => moved successfully
C:\ProgramData\Microsoft.SqlServer.Compact.400.32.bc => moved successfully
 
========= bitsadmin /reset /allusers =========
 
 
BITSADMIN version 3.0 [ 7.5.7601 ]
BITS administration utility.
© Copyright 2000-2006 Microsoft Corp.
 
BITSAdmin is deprecated and is not guaranteed to be available in future versions of Windows.
Administrative tools for the BITS service are now provided by BITS PowerShell cmdlets.
 
Unable to connect to BITS - 0x8007042c
The dependency service or group failed to start.
 
 
 
========= End of CMD: =========
 
 
========= netsh winsock reset all =========
 
 
Sucessfully reset the Winsock Catalog.
You must restart the computer in order to complete the reset.
 
 
========= End of CMD: =========
 
 
========= ipconfig /flushdns =========
 
 
Windows IP Configuration
 
Successfully flushed the DNS Resolver Cache.
 
========= End of CMD: =========
 
C:\Windows\System32\Drivers\etc\hosts => moved successfully
Hosts restored successfully.
 
=========== EmptyTemp: ==========
 
BITS transfer queue => 0 B
DOMStore, IE Recovery, AppCache, Feeds Cache, Thumbcache, IconCache => 14696064 B
Java, Flash, Steam htmlcache => 88826346 B
Windows/system/drivers => 11119 B
Edge => 0 B
Chrome => 45301831 B
Firefox => 434360786 B
Opera => 0 B
 
Temp, IE cache, history, cookies, recent:
Users => 0 B
Default => 0 B
Public => 0 B
ProgramData => 0 B
systemprofile => 128 B
systemprofile32 => 128 B
LocalService => 0 B
NetworkService => 1388 B
steven-admin => 57422306 B
TEMP.steven-LAPTOP.002 => 0 B
UpdatusUser => 0 B
Administrator => 17755 B
 
RecycleBin => 7093 B
EmptyTemp: => 611 MB temporary data Removed.
 
================================
 
 
The system needed a reboot.
 
==== End of Fixlog 17:41:25 ====


#12 olgun52

olgun52

  • Malware Response Team
  • 3,790 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:02:09 PM

Posted 16 February 2017 - 02:36 AM

I am also waiting for the Zemana AntiMalware logfile.


Best regards
 
If you wish to show appreciation and support me personally fighting against malware, then you can consider a donation. Thank you. :thumbup2:
Malware fix forum
If I don't reply within 24 hours please PM me!

 


 


#13 helpmyhawk

helpmyhawk
  • Topic Starter

  • Members
  • 22 posts
  • OFFLINE
  •  
  • Local time:06:09 AM

Posted 16 February 2017 - 05:59 AM

Zemana AntiMalware 2.72.179.101 (Installed)
 
-------------------------------------------------------
Scan Result            : Completed
Scan Date              : 2017/2/15
Operating System       : Windows 7 64-bit
Processor              : 4X Intel® Core™ i5-3210M CPU @ 2.50GHz
BIOS Mode              : Legacy
CUID                   : 12172B9FE9F96BAB01881B
Scan Type              : System Scan
Duration               : 101m 43s
Scanned Objects        : 827882
Detected Objects       : 2
Excluded Objects       : 0
Read Level             : SCSI
Auto Upload            : Enabled
Detect All Extensions  : Disabled
Scan Documents         : Disabled
Domain Info            : WORKGROUP,0,2
 
Detected Objects
-------------------------------------------------------
 
Internet Explorer Shortcut
Status             : Scanned
Object             : "C:\PROGRA~2\FIRMAP~1\STANDA~1\CCOURSE\CCSTAAICCDLG_INTEGRATEDHOMEPAGE.HTM"
MD5                : -
Publisher          : -
Size               : -
Version            : -
Detection          : Suspicious Browser Setting
Cleaning Action    : Repair
Related Objects    :
                Browser Setting - Internet Explorer Shortcut
 
Proxy Server (User)
Status             : Scanned
Object             : HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyServer
MD5                : -
Publisher          : -
Size               : -
Version            : -
Detection          : Potentially Unwanted Modification
Cleaning Action    : Delete
Related Objects    :
                Registry Entry - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyServer = localhost:8080
 
 
Cleaning Result
-------------------------------------------------------
Cleaned               : 2
Reported as safe      : 0
Failed                : 0


#14 helpmyhawk

helpmyhawk
  • Topic Starter

  • Members
  • 22 posts
  • OFFLINE
  •  
  • Local time:06:09 AM

Posted 16 February 2017 - 06:01 AM

The computer has not crashed and seems to be running smoothly



#15 olgun52

olgun52

  • Malware Response Team
  • 3,790 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:02:09 PM

Posted 16 February 2017 - 06:44 AM

The computer has not crashed and seems to be running smoothly

Glad to hear that. Is everything running well?

==========================================

 

Please download and run RogueKiller 32/64 bit to your desktop.

Quit all running programs.

For Windows XP, double-click to start.
For Vista or Windows 7-8, do a right-click on the program, select Run as Administrator to start, & when prompted Allow to run.

Click Scan to scan the system.
When the scan completes > Close out the program > Don't Fix anything!

Don't run any other options, they're not all bad!

Post back the report which should be located on your desktop.
(please don't put logs in code or quotes)


Best regards
 