
Secure Pages Changed, Some Malware Programs Blocked, Passwords Not Working


14 replies to this topic

#1 BCGronk

Posted 01 March 2017 - 01:05 PM

On startup on Win 10 machine, two small white pages flash by.  When MalwareHunter starts, a small black page comes up and goes away.  Using Firefox browser, some pages that were HTTPS secure are now no longer secure.  Norton Eraser blocked; on startup after agreement page, it says unable to continue because not on internet, however internet is fine and operational.  On some programs, they will not accept my passwords.  I have run rKill, HitmanPro, and Malwarehunter, nothing ever found.

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 27-02-2017

Ran by Judi (administrator) on JUDI-PC (27-02-2017 09:15:19)
Running from C:\Users\Judi\Desktop
Loaded Profiles: Judi (Available Profiles: Judi)
Platform: Windows 10 Home Version 1607 (X64) Language: English (United States)
Internet Explorer Version 11 (Default browser: Chrome)
Boot Mode: Normal
 
==================== Processes (Whitelisted) =================
 
(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)
 
(Intel Corporation) C:\Windows\System32\igfxCUIService.exe
(Intel® Corporation) C:\Program Files\Intel\iCLS Client\HeciServer.exe
(Hewlett-Packard Company) C:\Program Files (x86)\Hp\Common\HPSupportSolutionsFrameworkService.exe
(ASUSTeK Computer Inc.) C:\Program Files (x86)\ASUS\AAHM\1.00.22\aaHMSvc.exe
() C:\Program Files (x86)\ASUS\WebStorage\2.0.1.213\AsusWSWinService.exe
(Microsoft Corporation) C:\Windows\SysWOW64\svchost.exe
() C:\Program Files (x86)\ASUS\AXSP\1.01.02\atkexComSvc.exe
(Microsoft Corporation) C:\Program Files\Windows Defender\MsMpEng.exe
(Microsoft Corporation) C:\Windows\Microsoft.NET\Framework64\v3.0\WPF\PresentationFontCache.exe
(Microsoft Corporation) C:\Program Files\Windows Defender\NisSrv.exe
(Google Inc.) C:\Program Files (x86)\Google\Update\1.3.32.7\GoogleCrashHandler.exe
(Google Inc.) C:\Program Files (x86)\Google\Update\1.3.32.7\GoogleCrashHandler64.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\DAL\jhi_service.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\LMS\LMS.exe
() C:\Program Files\ASUS\ASUS Secure Delete\ADDEL.exe
(Intel Corporation) C:\Windows\System32\igfxEM.exe
(Intel Corporation) C:\Windows\System32\igfxHK.exe
(Intel Corporation) C:\Windows\System32\igfxTray.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe
(Microsoft Corporation) C:\Program Files\Windows Defender\MSASCuiL.exe
() C:\Users\Judi\AppData\Local\Amazon Music\Amazon Music Helper.exe
(Amazon.com Inc.) C:\Users\Judi\AppData\Local\Amazon Drive\AmazonDrive.exe
(Glarysoft Ltd) C:\Program Files (x86)\Glarysoft\Malware Hunter\mhtray.exe
(Glarysoft Ltd) C:\Program Files (x86)\Glarysoft\Malware Hunter\MalwareHunter.exe
(Glarysoft Ltd) C:\Program Files (x86)\Glarysoft\Malware Hunter\Cloudscan\MHCloudSvc.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Microsoft Corporation) C:\Windows\System32\SettingSyncHost.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Microsoft Corporation) C:\Program Files\Windows Defender\MpCmdRun.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Microsoft Corporation) C:\Windows\System32\smartscreen.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe
 
==================== Registry (Whitelisted) ====================
 
(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)
 
HKLM\...\Run: [RTHDVCPL] => C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe [7200984 2013-10-04] (Realtek Semiconductor)
HKLM\...\Run: [RtHDVBg] => C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe [1353432 2013-09-25] (Realtek Semiconductor)
HKLM\...\Run: [WindowsDefender] => C:\Program Files\Windows Defender\MSASCuiL.exe [631808 2016-09-16] (Microsoft Corporation)
HKLM-x32\...\Run: [WebStorage] => C:\Program Files (x86)\ASUS\WebStorage\2.0.1.213\ASUSWSLoader.exe [56640 2013-06-26] ()
HKLM-x32\...\Run: [HP Software Update] => C:\Program Files (x86)\HP\HP Software Update\HPWuSchd2.exe [96056 2013-05-30] (Hewlett-Packard)
HKLM-x32\...\Run: [] => [X]
HKLM-x32\...\Run: [MalTray] => C:\Program Files (x86)\Glarysoft\Malware Hunter\mhtray.exe [926200 2017-02-12] (Glarysoft Ltd)
HKLM\...\Winlogon: [Shell]  [0 ] () <=== ATTENTION
HKU\S-1-5-21-1314836614-3806821797-2933460574-1001\...\Run: [Amazon Music] => C:\Users\Judi\AppData\Local\Amazon Music\Amazon Music Helper.exe [5890368 2015-11-16] ()
HKU\S-1-5-21-1314836614-3806821797-2933460574-1001\...\Run: [Amazon Drive] => C:\Users\Judi\AppData\Local\Amazon Drive\AmazonDrive.exe [4775088 2017-01-29] (Amazon.com Inc.)
HKU\S-1-5-21-1314836614-3806821797-2933460574-1001\Control Panel\Desktop\\SCRNSAVE.EXE -> C:\WINDOWS\system32\Mystify.scr [152064 2016-07-16] (Microsoft Corporation)
ShellIconOverlayIdentifiers: [!AsusWSShellExt_B] -> {6D4133E5-0742-4ADC-8A8C-9303440F7191} => C:\Program Files (x86)\Common Files\AWS\2.0.1.213\ASUSWSShellExt64.dll [2013-06-25] (ASUS Cloud Corporation.)
ShellIconOverlayIdentifiers: [!AsusWSShellExt_O] -> {64174815-8D98-4CE6-8646-4C039977D809} => C:\Program Files (x86)\Common Files\AWS\2.0.1.213\ASUSWSShellExt64.dll [2013-06-25] (ASUS Cloud Corporation.)
ShellIconOverlayIdentifiers: [!AsusWSShellExt_U] -> {1C5AB7B1-0B38-4EC4-9093-7FD277E2AF4E} => C:\Program Files (x86)\Common Files\AWS\2.0.1.213\ASUSWSShellExt64.dll [2013-06-25] (ASUS Cloud Corporation.)
ShellIconOverlayIdentifiers: [00avast] -> {472083B0-C522-11CF-8763-00608CC02F24} =>  -> No File
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk [2015-02-15]
ShortcutTarget: HP Digital Imaging Monitor.lnk -> C:\Program Files (x86)\Hp\Digital Imaging\bin\hpqtra08.exe (Hewlett-Packard Co.)
 
==================== Internet (Whitelisted) ====================
 
(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)
 
Tcpip\Parameters: [DhcpNameServer] 192.168.1.1
Tcpip\..\Interfaces\{05537e2e-3860-4110-9e67-6df7b927e2dc}: [DhcpNameServer] 192.168.1.1
Tcpip\..\Interfaces\{c2304e7e-5e77-4a47-8704-160d4eb98b90}: [DhcpNameServer] 192.168.1.1
Tcpip\..\Interfaces\{cc4b15fb-bd19-4c02-b6db-e0f2708ebfde}: [DhcpNameServer] 192.168.1.1
 
Internet Explorer:
==================
HKU\S-1-5-21-1314836614-3806821797-2933460574-1001\Software\Microsoft\Internet Explorer\Main,Start Page = hxxps://att.yahoo.com/
HKU\S-1-5-21-1314836614-3806821797-2933460574-1001\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://asus13.msn.com/?pc=ASJB
SearchScopes: HKU\S-1-5-21-1314836614-3806821797-2933460574-1001 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = hxxp://www.bing.com/search?PC=WCUG&FORM=WCUGDF&q={searchTerms}
SearchScopes: HKU\S-1-5-21-1314836614-3806821797-2933460574-1001 -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = hxxp://www.bing.com/search?PC=WCUG&FORM=WCUGDF&q={searchTerms}
SearchScopes: HKU\S-1-5-21-1314836614-3806821797-2933460574-1001 -> {CD71A0F8-3CB9-479E-8014-64EEFB6F810E} URL = hxxps://search.yahoo.com/search?fr=chr-greentree_ie&ei=utf-8&ilc=12&type=523482&p={searchTerms}
BHO: No Name -> {34A0D84B-CDDC-4EC4-AFDD-4F1DDE1D14E5} -> No File
BHO-x32: No Name -> {34A0D84B-CDDC-4EC4-AFDD-4F1DDE1D14E5} -> No File
BHO-x32: Java™ Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files (x86)\Java\jre1.8.0_31\bin\ssv.dll [2015-01-31] (Oracle Corporation)
BHO-x32: MSN Toolbar Helper -> {d2ce3e00-f94a-4740-988e-03dc2f38c34f} -> C:\Program Files (x86)\MSN\Toolbar\3.0.1203.0\msneshellx.dll [2009-03-13] (Microsoft Corp.)
BHO-x32: Java™ Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files (x86)\Java\jre1.8.0_31\bin\jp2ssv.dll [2015-01-31] (Oracle Corporation)
Toolbar: HKLM-x32 - MSN Toolbar - {1E61ED7C-7CB8-49d6-B9E9-AB4C880C8414} - C:\Program Files (x86)\MSN\Toolbar\3.0.1203.0\msneshellx.dll [2009-03-13] (Microsoft Corp.)
 
FireFox:
========
FF DefaultProfile: nrugslh6.default
FF ProfilePath: C:\Users\Judi\AppData\Roaming\Mozilla\Firefox\Profiles\nrugslh6.default [2017-02-17]
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> C:\Program Files\Microsoft Silverlight\5.1.50901.0\npctrl.dll [2016-08-31] ( Microsoft Corporation)
FF Plugin-x32: @intel-webapi.intel.com/Intel WebAPI ipt;version=4.0.5 -> C:\Program Files (x86)\Intel\Intel® Management Engine Components\IPT\npIntelWebAPIIPT.dll [2013-09-03] (Intel Corporation)
FF Plugin-x32: @intel-webapi.intel.com/Intel WebAPI updater -> C:\Program Files (x86)\Intel\Intel® Management Engine Components\IPT\npIntelWebAPIUpdater.dll [2013-09-03] (Intel Corporation)
FF Plugin-x32: @java.com/DTPlugin,version=10.21.2 -> C:\Windows\SysWOW64\npDeployJava1.dll [2014-04-21] (Oracle Corporation)
FF Plugin-x32: @java.com/JavaPlugin,version=11.31.2 -> C:\Program Files (x86)\Java\jre1.8.0_31\bin\plugin2\npjp2.dll [2015-01-31] (Oracle Corporation)
FF Plugin-x32: @Microsoft.com/NpCtrl,version=1.0 -> C:\Program Files (x86)\Microsoft Silverlight\5.1.50901.0\npctrl.dll [2016-08-31] ( Microsoft Corporation)
FF Plugin-x32: @microsoft.com/WLPG,version=16.4.3528.0331 -> C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll [2014-03-31] (Microsoft Corporation)
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.32.7\npGoogleUpdate3.dll [2016-12-19] (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.32.7\npGoogleUpdate3.dll [2016-12-19] (Google Inc.)
FF Plugin-x32: Adobe Reader -> C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AIR\nppdf32.dll [2016-12-23] (Adobe Systems Inc.)
 
Chrome: 
=======
CHR DefaultProfile: Default
CHR StartupUrls: Default -> "hxxps://att.yahoo.com/"
CHR Plugin: (Widevine Content Decryption Module) - C:\Users\Judi\AppData\Local\Google\Chrome\User Data\WidevineCDM\1.4.8.823\_platform_specific\win_x86\widevinecdmadapter.dll => No File
CHR Plugin: (Shockwave Flash) - C:\Program Files (x86)\Google\Chrome\Application\56.0.2924.87\PepperFlash\pepflashplayer.dll => No File
CHR Profile: C:\Users\Judi\AppData\Local\Google\Chrome\User Data\Default [2017-02-27]
CHR Extension: (Google Slides) - C:\Users\Judi\AppData\Local\Google\Chrome\User Data\Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek [2015-02-15]
CHR Extension: (Google Docs) - C:\Users\Judi\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake [2015-02-15]
CHR Extension: (Google Drive) - C:\Users\Judi\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2015-10-21]
CHR Extension: (YouTube) - C:\Users\Judi\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2015-09-26]
CHR Extension: (Google Search) - C:\Users\Judi\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf [2015-10-28]
CHR Extension: (Google Sheets) - C:\Users\Judi\AppData\Local\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap [2015-02-15]
CHR Extension: (HTTPS Everywhere) - C:\Users\Judi\AppData\Local\Google\Chrome\User Data\Default\Extensions\gcbommkclmclpchllfjekcdonpmejbdp [2017-02-16]
CHR Extension: (Google Docs Offline) - C:\Users\Judi\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi [2016-03-15]
CHR Extension: (AdBlock) - C:\Users\Judi\AppData\Local\Google\Chrome\User Data\Default\Extensions\gighmmpiobklfepjocnamgkkbiglidom [2017-02-26]
CHR Extension: (Chrome Web Store Payments) - C:\Users\Judi\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2017-01-18]
CHR Extension: (Gmail) - C:\Users\Judi\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2015-03-28]
CHR Extension: (Chrome Media Router) - C:\Users\Judi\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm [2017-01-28]
CHR HKLM-x32\...\Chrome\Extension: [efaidnbmnnnibpcajpcglclefindmkaj] - hxxps://clients2.google.com/service/update2/crx
 
==================== Services (Whitelisted) ====================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
R2 asComSvc; C:\Program Files (x86)\ASUS\AXSP\1.01.02\atkexComSvc.exe [936728 2013-06-04] ()
R2 asHmComSvc; C:\Program Files (x86)\ASUS\AAHM\1.00.22\aaHMSvc.exe [954648 2013-07-31] (ASUSTeK Computer Inc.)
R2 Asus WebStorage Windows Service; C:\Program Files (x86)\ASUS\WebStorage\2.0.1.213\AsusWSWinService.exe [71680 2013-06-25] () [File not signed]
S2 HitmanProScheduler; C:\Program Files\HitmanPro\hmpsched.exe [135496 2017-02-07] (SurfRight B.V.)
R2 HPSupportSolutionsFrameworkService; C:\Program Files (x86)\Hp\Common\HPSupportSolutionsFrameworkService.exe [89864 2014-12-11] (Hewlett-Packard Company)
R2 igfxCUIService1.0.0.0; C:\WINDOWS\system32\igfxCUIService.exe [337888 2016-05-03] (Intel Corporation)
R2 Intel® Capability Licensing Service Interface; C:\Program Files\Intel\iCLS Client\HeciServer.exe [733696 2013-05-11] (Intel® Corporation) [File not signed]
S3 Intel® Capability Licensing Service TCP IP Interface; C:\Program Files\Intel\iCLS Client\SocketHeciServer.exe [822232 2013-05-11] (Intel® Corporation)
R2 jhi_service; C:\Program Files (x86)\Intel\Intel® Management Engine Components\DAL\jhi_service.exe [169432 2013-09-03] (Intel Corporation)
S2 Net Driver HPZ12; C:\Windows\System32\HPZinw12.dll [71680 2010-08-06] (Hewlett-Packard) [File not signed]
S2 Pml Driver HPZ12; C:\Windows\System32\HPZipm12.dll [89600 2010-08-06] (Hewlett-Packard) [File not signed]
R3 WdNisSvc; C:\Program Files\Windows Defender\NisSrv.exe [347328 2016-07-16] (Microsoft Corporation)
R2 WinDefend; C:\Program Files\Windows Defender\MsMpEng.exe [103720 2016-07-16] (Microsoft Corporation)
 
===================== Drivers (Whitelisted) ======================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
R1 AsIO; C:\Windows\SysWow64\drivers\AsIO.sys [15232 2013-06-04] ()
R0 assd; C:\Windows\System32\Drivers\assd.sys [31104 2012-08-21] (ASUS Corporation)
R1 AsUpIO; C:\Windows\SysWow64\drivers\AsUpIO.sys [14464 2014-02-24] ()
S3 dot4; C:\WINDOWS\system32\DRIVERS\Dot4.sys [151968 2012-10-19] (Windows ® Win 7 DDK provider)
S3 Dot4Print; C:\WINDOWS\System32\drivers\Dot4Prt.sys [27040 2012-10-19] (Windows ® Win 7 DDK provider)
S3 GUMHFilters; C:\Program Files (x86)\Glarysoft\Malware Hunter\Native\winxp_x64\GUMHFilter.sys [37688 2016-11-03] (GlarySoft Ltd)
R1 GUSBootStartup; C:\WINDOWS\System32\drivers\GUSBootStartup.sys [20160 2016-06-18] (Glarysoft Ltd)
R3 MEIx64; C:\WINDOWS\system32\DRIVERS\TeeDriverx64.sys [99288 2013-09-03] (Intel Corporation)
S3 NetAdapterCx; C:\WINDOWS\System32\drivers\NetAdapterCx.sys [90624 2016-07-16] ()
S3 RtkAvrcp; C:\WINDOWS\System32\drivers\RtkAvrcp.sys [57560 2013-08-13] (Realtek Semiconductor Corporation)
S3 RtkAvrcpCtrlr; C:\WINDOWS\System32\drivers\RtkAvrcpCtrlr.sys [69848 2013-06-20] (Realtek Semiconductor Corporation)
R3 RtkBtFilter; C:\WINDOWS\system32\DRIVERS\RtkBtfilter.sys [615728 2015-06-04] (Realtek Semiconductor Corporation)
S3 RTWlanE; C:\WINDOWS\System32\drivers\rtwlane.sys [5144064 2016-07-16] (Realtek Semiconductor Corporation                           )
R0 SMR311; C:\WINDOWS\System32\drivers\SMR311.SYS [95392 2017-02-17] (Symantec Corporation)
S0 WdBoot; C:\WINDOWS\System32\drivers\WdBoot.sys [44056 2016-07-16] (Microsoft Corporation)
R0 WdFilter; C:\WINDOWS\System32\drivers\WdFilter.sys [290144 2016-07-16] (Microsoft Corporation)
R3 WdNisDrv; C:\WINDOWS\System32\Drivers\WdNisDrv.sys [123232 2016-07-16] (Microsoft Corporation)
 
==================== NetSvcs (Whitelisted) ===================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
 
==================== One Month Created files and folders ========
 
(If an entry is included in the fixlist, the file/folder will be moved.)
 
2017-02-27 09:15 - 2017-02-27 09:16 - 00016402 _____ C:\Users\Judi\Desktop\FRST.txt
2017-02-27 09:15 - 2017-02-27 09:15 - 00000000 ____D C:\FRST
2017-02-27 09:12 - 2017-02-27 09:14 - 02423296 _____ (Farbar) C:\Users\Judi\Desktop\FRST64.exe
2017-02-27 09:08 - 2017-02-27 09:08 - 00000000 ___HD C:\OneDriveTemp
2017-02-17 10:59 - 2017-02-27 09:08 - 00060038 _____ C:\WINDOWS\ntbtlog.txt
2017-02-17 10:55 - 2017-02-17 10:55 - 02957840 _____ (Symantec Corporation) C:\Users\Judi\Desktop\NPE.exe
2017-02-17 09:50 - 2017-02-17 09:50 - 00095392 _____ (Symantec Corporation) C:\WINDOWS\system32\Drivers\SMR311.SYS
2017-02-14 10:52 - 2017-02-23 12:45 - 00002457 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Acrobat Reader DC.lnk
2017-02-14 10:52 - 2017-02-14 10:52 - 00002131 _____ C:\Users\Public\Desktop\Acrobat Reader DC.lnk
2017-02-14 10:52 - 2017-02-14 10:52 - 00000000 ____D C:\Program Files (x86)\Adobe
2017-02-13 11:41 - 2017-02-15 08:22 - 00000000 ____D C:\Users\Judi\AppData\Roaming\eM Client
2017-02-10 14:32 - 2017-02-10 14:32 - 00002228 _____ C:\Users\Public\Desktop\Google Earth.lnk
2017-02-10 14:32 - 2017-02-10 14:32 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Earth
2017-01-31 12:41 - 2017-01-31 12:41 - 00001222 _____ C:\Users\Judi\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Amazon Drive.lnk
2017-01-31 12:41 - 2017-01-31 12:41 - 00001210 _____ C:\Users\Judi\Desktop\Amazon Drive.lnk
2017-01-31 12:41 - 2017-01-31 12:41 - 00000000 ____D C:\Users\Judi\AppData\Local\Amazon Drive
2017-01-30 09:41 - 2016-12-20 23:08 - 00142848 _____ (Microsoft Corporation) C:\WINDOWS\system32\poqexec.exe
2017-01-30 09:41 - 2016-12-20 20:44 - 00120320 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\poqexec.exe
2017-01-29 15:03 - 2017-01-29 15:03 - 01311269 _____ C:\Users\Judi\Desktop\Getting started with OneDrive.pdf
 
==================== One Month Modified files and folders ========
 
(If an entry is included in the fixlist, the file/folder will be moved.)
 
2017-02-27 09:08 - 2015-11-15 12:23 - 00000000 ___RD C:\Users\Judi\OneDrive
2017-02-27 09:07 - 2016-09-16 13:07 - 00000000 ____D C:\Users\Judi
2017-02-27 09:07 - 2015-11-15 12:20 - 00000000 __SHD C:\Users\Judi\IntelGraphicsProfiles
2017-02-26 20:19 - 2016-09-16 13:01 - 00000000 ____D C:\WINDOWS\system32\SleepStudy
2017-02-26 12:59 - 2016-07-16 03:47 - 00000000 ___HD C:\Program Files\WindowsApps
2017-02-26 12:59 - 2016-07-16 03:47 - 00000000 ____D C:\WINDOWS\AppReadiness
2017-02-24 16:58 - 2015-01-31 12:11 - 00000000 ____D C:\WINDOWS\system32\MRT
2017-02-24 16:56 - 2015-01-31 12:11 - 138020592 ____C (Microsoft Corporation) C:\WINDOWS\system32\MRT.exe
2017-02-23 14:48 - 2015-02-15 16:01 - 00000000 ____D C:\Users\Judi\AppData\Local\CrashDumps
2017-02-21 18:13 - 2016-07-16 03:36 - 00000000 ____D C:\WINDOWS\CbsTemp
2017-02-21 14:50 - 2015-06-01 07:17 - 00000000 ____D C:\Users\Judi\AppData\Local\NPE
2017-02-21 14:33 - 2016-09-16 13:21 - 00000006 ____H C:\WINDOWS\Tasks\SA.DAT
2017-02-18 11:03 - 2016-06-18 13:15 - 00000000 ____D C:\ProgramData\Glarysoft
2017-02-18 11:01 - 2016-06-18 13:15 - 00000000 ____D C:\Users\Judi\AppData\Roaming\GlarySoft
2017-02-17 11:05 - 2016-09-16 13:21 - 00003044 _____ C:\WINDOWS\System32\Tasks\GMHSkipUAC
2017-02-17 11:05 - 2016-06-18 13:15 - 00001302 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malware Hunter.lnk
2017-02-17 11:05 - 2016-06-18 13:15 - 00001290 _____ C:\Users\Public\Desktop\Malware Hunter.lnk
2017-02-17 11:00 - 2016-11-02 07:58 - 00000892 _____ C:\WINDOWS\Tasks\Adobe Flash Player PPAPI Notifier.job
2017-02-17 11:00 - 2016-11-02 07:58 - 00000830 _____ C:\WINDOWS\Tasks\Adobe Flash Player Updater.job
2017-02-17 10:59 - 2016-07-15 22:04 - 00786432 _____ C:\WINDOWS\system32\config\BBI
2017-02-16 16:26 - 2016-11-02 07:58 - 00003964 _____ C:\WINDOWS\System32\Tasks\Adobe Flash Player PPAPI Notifier
2017-02-16 16:26 - 2016-07-16 03:47 - 00000000 ____D C:\WINDOWS\SysWOW64\Macromed
2017-02-16 16:26 - 2016-07-16 03:47 - 00000000 ____D C:\WINDOWS\system32\Macromed
2017-02-15 15:40 - 2016-12-12 16:38 - 00003272 _____ C:\WINDOWS\System32\Tasks\OneDrive Standalone Update Task v2
2017-02-15 15:40 - 2015-11-15 12:23 - 00002371 _____ C:\Users\Judi\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\OneDrive.lnk
2017-02-14 11:04 - 2015-02-15 19:17 - 00000000 ____D C:\Users\Judi\AppData\Local\Adobe
2017-02-14 10:53 - 2016-09-16 13:21 - 00004562 _____ C:\WINDOWS\System32\Tasks\Adobe Acrobat Update Task
2017-02-14 10:52 - 2014-04-21 07:14 - 00000000 ____D C:\ProgramData\Adobe
2017-02-10 14:32 - 2015-01-31 14:20 - 00000000 ____D C:\Program Files (x86)\Google
2017-02-06 11:48 - 2016-07-16 03:49 - 00835576 _____ (Adobe Systems Incorporated) C:\WINDOWS\SysWOW64\FlashPlayerApp.exe
2017-02-06 11:48 - 2016-07-16 03:49 - 00177656 _____ (Adobe Systems Incorporated) C:\WINDOWS\SysWOW64\FlashPlayerCPLApp.cpl
2017-02-02 09:43 - 2015-02-15 20:02 - 00002279 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome.lnk
 
==================== Files in the root of some directories =======
 
2015-01-31 10:21 - 2015-11-15 11:24 - 1101585 _____ () C:\Users\Judi\AppData\Local\BTServer.log
2015-07-14 14:12 - 2015-07-14 14:12 - 0000000 _____ () C:\Users\Judi\AppData\Local\{264F4ED6-56A3-48E9-B5F4-C44929B437C9}
2015-10-29 08:13 - 2015-10-29 08:13 - 0272802 _____ () C:\ProgramData\1446134927.bdinstall.bin
2016-09-16 13:03 - 2016-09-16 13:03 - 0000000 ____H () C:\ProgramData\DP45977C.lfl
2015-02-15 16:56 - 2015-02-15 17:01 - 0000822 _____ () C:\ProgramData\hpzinstall.log
 
==================== Bamital & volsnap ======================
 
(There is no automatic fix for files that do not pass verification.)
 
C:\WINDOWS\system32\winlogon.exe => File is digitally signed
C:\WINDOWS\system32\wininit.exe => File is digitally signed
C:\WINDOWS\explorer.exe => File is digitally signed
C:\WINDOWS\SysWOW64\explorer.exe => File is digitally signed
C:\WINDOWS\system32\svchost.exe => File is digitally signed
C:\WINDOWS\SysWOW64\svchost.exe => File is digitally signed
C:\WINDOWS\system32\services.exe => File is digitally signed
C:\WINDOWS\system32\User32.dll => File is digitally signed
C:\WINDOWS\SysWOW64\User32.dll => File is digitally signed
C:\WINDOWS\system32\userinit.exe => File is digitally signed
C:\WINDOWS\SysWOW64\userinit.exe => File is digitally signed
C:\WINDOWS\system32\rpcss.dll => File is digitally signed
C:\WINDOWS\system32\dnsapi.dll => File is digitally signed
C:\WINDOWS\SysWOW64\dnsapi.dll => File is digitally signed
C:\WINDOWS\system32\Drivers\volsnap.sys => File is digitally signed
 
LastRegBack: 2017-02-12 14:36
 

==================== End of FRST.txt ============================

 



#2 garioch7 (Malware Response Instructor)

Posted 02 March 2017 - 10:30 AM

BCGronk:

 
:welcome: to the Bleeping Computer Virus, Trojans, Spyware, and Malware Removal Logs Forum.  My name is Phil and I would like to address you by your first name, if that is alright with you since we will be working together.
 
I will be assisting you with your computer issues.  I will endeavor to respond within a reasonable time, normally 48 hours after your last post.
 
I will need some time to review your FRST logs.  That could take a day or two.
 
PLEASE DO NOT RUN ANY ADDITIONAL SCANS OR ANTI-MALWARE REMOVAL TOOLS UNTIL YOU HAVE RECEIVED A RESPONSE FROM ME.
Doing so would complicate the situation and it would cause further delays in resolving your issues.  It could also potentially result in harm to your computer because my "fix" will be based on the FRST scan logs you have already submitted.
 
Thank you and have a great day.
 
Regards,
-Phil

Member of the Unified Network of Instructors and Trusted Eliminators


#3 garioch7 (Malware Response Instructor)

Posted 02 March 2017 - 12:40 PM

BCGronk:

Thank you for your patience while I analyzed your FRST logs.

In future, I would respectfully ask that you copy and paste all requested scan and fix logs into your replies, rather than attaching them. It makes it faster for me to analyze the logs and it also benefits people who are monitoring your topic because they might have similar issues. Thank you for your cooperation.

Before we start dealing with the problems you are experiencing, I would ask you to take note of the following points:

  • I am a Bleeping Computer volunteer, so I ask you to be patient. I know it is frustrating when your computer is not working properly, but malware removal takes time.
  • Please also remember that I only dedicate a limited number of hours a day to helping people. We may live in different time zones, which may cause delays in responding.
  • If I have not responded to you within 48 hours, please send me a personal message. Likewise, I expect you to respond within 48 hours, and sooner is better because we can fix your computer faster.
  • If I have not heard from you in three days, I will "bump" your post. After five days of no response, I will consider that you no longer need my assistance and this thread will be closed.
  • Logs can take a while to research, so please be patient.
  • Some issues just cannot be solved so you must be prepared for this.
  • Please read and follow the instructions in the exact sequence that they are posted to avoid making a bad situation worse.
  • Please print or copy and save the instructions.
  • Back up all your data and important files on another (external) drive before starting to run malware removal tools.
  • You should try to limit your browsing with this computer until you are given the "All Clear." Some malware applications steal passwords.
  • Please do not install or uninstall any applications, unless directed. Don't run any scripts or tools on your own because unsupervised usage may cause more harm than good.
  • Please use only the tools you have been instructed to use.
  • If you are using CD/DVD emulation software, this should be uninstalled or disabled as it can interfere with the removal of some malware. It can be turned off with Defogger and then turned back on when you get the "All Clear."
  • Please copy and paste the requested log files inside your post, unless otherwise instructed.
  • There are no silly questions. Ask for clarification, if you have any questions or concerns.
  • Bleeping Computer does not support any piracy. Evidence of illegal OS, software, cracks/keygens, etc., will be revealed by scan logs, and if found, further assistance may be suspended. Uninstall such software before proceeding!
  • Any P2P software such as uTorrent, BitTorrent, Kazaa, etc. must be uninstalled or completely disabled. P2P software is a major security risk to your computer and may have been the route the malware used to infect your computer.
  • Failure to follow these guidelines may result in assistance being withdrawn and your thread being closed.
  • I am volunteering my time to help you, and I will need you to help me. Together, we can, hopefully, disinfect your computer and get it functioning properly again. That is my only aim.


OK, let's get started ...


:step1: I see that you have Search Protection by Spigot installed on your computer. You should uninstall this program, via the Control Panel, Programs, Uninstall a Program. See this link for more information on why this is an undesirable program.


:step2: Please run a FRST "Fix" for me.

Copy and paste the text in the code box below into Notepad and save the file as fixlist.txt to the Desktop.

NOTE: It is important that both files, FRST64.exe and fixlist.txt are both in the same folder or the fix will not work.

NOTICE: This script was written specifically for this user, for use on this individual computer. Running this on another computer may cause damage to your operating system.
 

CreateRestorePoint:
CloseProcesses:

HKLM\...\Winlogon: [Shell]  [0 ] () <=== ATTENTION
ShellIconOverlayIdentifiers: [00avast] -> {472083B0-C522-11CF-8763-00608CC02F24} =>  -> No File
SearchScopes: HKU\S-1-5-21-1314836614-3806821797-2933460574-1001 -> {CD71A0F8-3CB9-479E-8014-64EEFB6F810E} URL = hxxps://search.yahoo.com/search?fr=chr-greentree_ie&ei=utf-8&ilc=12&type=523482&p={searchTerms}
BHO: No Name -> {34A0D84B-CDDC-4EC4-AFDD-4F1DDE1D14E5} -> No File
BHO-x32: No Name -> {34A0D84B-CDDC-4EC4-AFDD-4F1DDE1D14E5} -> No File
CHR Plugin: (Widevine Content Decryption Module) - C:\Users\Judi\AppData\Local\Google\Chrome\User Data\WidevineCDM\1.4.8.823\_platform_specific\win_x86\widevinecdmadapter.dll => No File
CHR Plugin: (Shockwave Flash) - C:\Program Files (x86)\Google\Chrome\Application\56.0.2924.87\PepperFlash\pepflashplayer.dll => No File
Task: {03CFCA28-19E5-427A-B2AA-9F9C6605B848} - \Microsoft\Windows\Setup\gwx\launchtrayprocess -> No File <==== ATTENTION
Task: {2BF9D1C5-7C16-4239-930C-B2212274B5CA} - \Microsoft\Windows\Setup\gwx\refreshgwxconfig -> No File <==== ATTENTION
Task: {3735ADCA-762C-4AD3-854A-43E608725093} - \WPD\SqmUpload_S-1-5-21-1314836614-3806821797-2933460574-1001 -> No File <==== ATTENTION
Task: {58BEBDF9-E1A7-483D-BA0A-29FC3154FC8D} - \Microsoft\Windows\Setup\GWXTriggers\Time-5d -> No File <==== ATTENTION
Task: {5DB3125C-A135-477F-94CD-E61AD59EB69C} - \Microsoft\Windows\Setup\gwx\refreshgwxcontent -> No File <==== ATTENTION
Task: {6EB1394D-4F61-4EF1-AC38-3414D8FEF972} - \Microsoft\Windows\Setup\GWXTriggers\OutOfIdle-5d -> No File <==== ATTENTION
Task: {82EA1D1D-96AF-44B8-A4FF-8EAFFA57E1E2} - \Microsoft\Windows\Setup\gwx\refreshgwxconfigandcontent -> No File <==== ATTENTION
Task: {84F23C88-F067-4A69-A5DB-BFD5DE710E3E} - \Microsoft\Windows\Setup\GWXTriggers\Logon-5d -> No File <==== ATTENTION
Task: {8D9C4EC3-DE57-4481-AF68-1FDC0CB5F463} - System32\Tasks\Bitdefender Update Product Data_A17FD818A96743FAB28AC221BEB4B2C8 => C:\Program Files\Bitdefender\Bitdefender 2015\bdproductdata.exe
C:\Program Files\Bitdefender
Task: {A72916C0-11B6-4516-9616-B94AFF702A09} - \Microsoft\Windows\Setup\GWXTriggers\OutOfSleep-5d -> No File <==== ATTENTION
Task: {A91913C4-9D26-41EF-B2EE-376DF86E4635} - \Microsoft\Windows\Setup\GWXTriggers\Telemetry-4xd -> No File <==== ATTENTION
Task: {DB2417E1-8344-475E-947A-ED2328479FDA} - \Microsoft\Windows\Setup\GWXTriggers\MachineUnlock-5d -> No File <==== ATTENTION
Task: {E786D3D0-0317-4F0E-934F-C60C8FFD3B57} - \Microsoft\Windows\Setup\GWXTriggers\refreshgwxconfig-B -> No File <==== ATTENTION
  • Right click FRST64.exe, and select "Run as Administrator".
  • Then press the Fix button just once and wait.
  • If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.
  • When finished FRST will generate a log on the Desktop (Fixlog.txt). Please copy and paste the contents into your reply.

.

 

Thank you and have a great day.

Regards,
-Phil


Member of the Unified Network of Instructors and Trusted Eliminators


#4 BCGronk (Topic Starter)

Posted 02 March 2017 - 02:32 PM

Thanks Phil for the help, here is the fixlist log:

 

Fix result of Farbar Recovery Scan Tool (x64) Version: 27-02-2017
Ran by Judi (02-03-2017 11:12:03) Run:1
Running from C:\Users\Judi\Desktop\FRST64
Loaded Profiles: Judi (Available Profiles: Judi)
Boot Mode: Normal
==============================================
 
fixlist content:
*****************
HKLM\...\Winlogon: [Shell]  [0 ] () <=== ATTENTION
ShellIconOverlayIdentifiers: [00avast] -> {472083B0-C522-11CF-8763-00608CC02F24} =>  -> No File
SearchScopes: HKU\S-1-5-21-1314836614-3806821797-2933460574-1001 -> {CD71A0F8-3CB9-479E-8014-64EEFB6F810E} URL =
hxxps://search.yahoo.com/search?fr=chr-greentree_ie&ei=utf-8&ilc=12&type=523482&p={searchTerms}
BHO: No Name -> {34A0D84B-CDDC-4EC4-AFDD-4F1DDE1D14E5} -> No File
BHO-x32: No Name -> {34A0D84B-CDDC-4EC4-AFDD-4F1DDE1D14E5} -> No File
CHR Plugin: (Widevine Content Decryption Module) - C:\Users\Judi\AppData\Local\Google\Chrome\User Data\WidevineCDM\1.4.8.823\_platform_specific\win_x86\widevinecdmadapter.dll => No File
CHR Plugin: (Shockwave Flash) - C:\Program Files (x86)\Google\Chrome\Application\56.0.2924.87\PepperFlash\pepflashplayer.dll => No File
Task: {03CFCA28-19E5-427A-B2AA-9F9C6605B848} - \Microsoft\Windows\Setup\gwx\launchtrayprocess -> No File <==== ATTENTION
Task: {2BF9D1C5-7C16-4239-930C-B2212274B5CA} - \Microsoft\Windows\Setup\gwx\refreshgwxconfig -> No File <==== ATTENTION
Task: {3735ADCA-762C-4AD3-854A-43E608725093} - \WPD\SqmUpload_S-1-5-21-1314836614-3806821797-2933460574-1001 -> No File <==== ATTENTION
Task:
{58BEBDF9-E1A7-483D-BA0A-29FC3154FC8D} - \Microsoft\Windows\Setup\GWXTriggers\Time-5d -> No File <==== ATTENTION
Task: {5DB3125C-A135-477F-94CD-E61AD59EB69C} - \Microsoft\Windows\Setup\gwx\refreshgwxcontent -> No File <==== ATTENTION
Task: {6EB1394D-4F61-4EF1-AC38-3414D8FEF972} - \Microsoft\Windows\Setup\GWXTriggers\OutOfIdle-5d -> No File <==== ATTENTION
Task: {82EA1D1D-96AF-44B8-A4FF-8EAFFA57E1E2} - \Microsoft\Windows\Setup\gwx\refreshgwxconfigandcontent -> No File <==== ATTENTION
Task: {84F23C88-F067-4A69-A5DB-BFD5DE710E3E} - \Microsoft\Windows\Setup\GWXTriggers\Logon-5d -> No File <==== ATTENTION
Task: {8D9C4EC3-DE57-4481-AF68-1FDC0CB5F463} - System32\Tasks\Bitdefender Update Product Data_A17FD818A96743FAB28AC221BEB4B2C8 => C:\Program Files\Bitdefender\Bitdefender 2015\bdproductdata.exe
C:\Program Files\Bitdefender
Task: {A72916C0-11B6-4516-9616-B94AFF702A09} - \Microsoft\Windows\Setup\GWXTriggers\OutOfSleep-5d -> No File <====
ATTENTION
Task: {A91913C4-9D26-41EF-B2EE-376DF86E4635} - \Microsoft\Windows\Setup\GWXTriggers\Telemetry-4xd -> No File <==== ATTENTION
Task: {DB2417E1-8344-475E-947A-ED2328479FDA} - \Microsoft\Windows\Setup\GWXTriggers\MachineUnlock-5d -> No File <==== ATTENTION
Task: {E786D3D0-0317-4F0E-934F-C60C8FFD3B57} - \Microsoft\Windows\Setup\GWXTriggers\refreshgwxconfig-B -> No File <==== ATTENTION
 
*****************
 
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell => value restored successfully
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\00avast => key removed successfully
HKCR\CLSID\{472083B0-C522-11CF-8763-00608CC02F24} => key not found. 
HKU\S-1-5-21-1314836614-3806821797-2933460574-1001\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{CD71A0F8-3CB9-479E-8014-64EEFB6F810E} => key removed successfully
HKCR\CLSID\{CD71A0F8-3CB9-479E-8014-64EEFB6F810E} => key not found. 
hxxps://search.yahoo.com/search?fr=chr-greentree_ie&ei=utf-8&ilc=12&type=523482&p={searchTerms} => Error: No automatic fix found for this entry.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{34A0D84B-CDDC-4EC4-AFDD-4F1DDE1D14E5} => key removed successfully
HKCR\CLSID\{34A0D84B-CDDC-4EC4-AFDD-4F1DDE1D14E5} => key not found. 
HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{34A0D84B-CDDC-4EC4-AFDD-4F1DDE1D14E5} => key removed successfully
HKCR\Wow6432Node\CLSID\{34A0D84B-CDDC-4EC4-AFDD-4F1DDE1D14E5} => key not found. 
C:\Users\Judi\AppData\Local\Google\Chrome\User Data\WidevineCDM\1.4.8.823\_platform_specific\win_x86\widevinecdmadapter.dll => not found.
C:\Program Files (x86)\Google\Chrome\Application\56.0.2924.87\PepperFlash\pepflashplayer.dll => not found.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon\{03CFCA28-19E5-427A-B2AA-9F9C6605B848} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{03CFCA28-19E5-427A-B2AA-9F9C6605B848} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Setup\gwx\launchtrayprocess => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{2BF9D1C5-7C16-4239-930C-B2212274B5CA} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{2BF9D1C5-7C16-4239-930C-B2212274B5CA} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Setup\gwx\refreshgwxconfig => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{3735ADCA-762C-4AD3-854A-43E608725093} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{3735ADCA-762C-4AD3-854A-43E608725093} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\WPD\SqmUpload_S-1-5-21-1314836614-3806821797-2933460574-1001 => key removed successfully
Task: => Error: No automatic fix found for this entry.
{58BEBDF9-E1A7-483D-BA0A-29FC3154FC8D} - \Microsoft\Windows\Setup\GWXTriggers\Time-5d -> No File <==== ATTENTION => Error: No automatic fix found for this entry.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{5DB3125C-A135-477F-94CD-E61AD59EB69C} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{5DB3125C-A135-477F-94CD-E61AD59EB69C} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Setup\gwx\refreshgwxcontent => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{6EB1394D-4F61-4EF1-AC38-3414D8FEF972} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{6EB1394D-4F61-4EF1-AC38-3414D8FEF972} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Setup\GWXTriggers\OutOfIdle-5d => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{82EA1D1D-96AF-44B8-A4FF-8EAFFA57E1E2} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{82EA1D1D-96AF-44B8-A4FF-8EAFFA57E1E2} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Setup\gwx\refreshgwxconfigandcontent => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon\{84F23C88-F067-4A69-A5DB-BFD5DE710E3E} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{84F23C88-F067-4A69-A5DB-BFD5DE710E3E} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Setup\GWXTriggers\Logon-5d => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Boot\{8D9C4EC3-DE57-4481-AF68-1FDC0CB5F463} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{8D9C4EC3-DE57-4481-AF68-1FDC0CB5F463} => key removed successfully
C:\WINDOWS\System32\Tasks\Bitdefender Update Product Data_A17FD818A96743FAB28AC221BEB4B2C8 => moved successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Bitdefender Update Product Data_A17FD818A96743FAB28AC221BEB4B2C8 => key removed successfully
C:\Program Files\Bitdefender => moved successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{A72916C0-11B6-4516-9616-B94AFF702A09} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{A72916C0-11B6-4516-9616-B94AFF702A09} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Setup\GWXTriggers\OutOfSleep-5d => key removed successfully
ATTENTION => Error: No automatic fix found for this entry.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{A91913C4-9D26-41EF-B2EE-376DF86E4635} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{A91913C4-9D26-41EF-B2EE-376DF86E4635} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Setup\GWXTriggers\Telemetry-4xd => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{DB2417E1-8344-475E-947A-ED2328479FDA} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{DB2417E1-8344-475E-947A-ED2328479FDA} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Setup\GWXTriggers\MachineUnlock-5d => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{E786D3D0-0317-4F0E-934F-C60C8FFD3B57} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{E786D3D0-0317-4F0E-934F-C60C8FFD3B57} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Setup\GWXTriggers\refreshgwxconfig-B => key removed successfully
 
==== End of Fixlog 11:12:06 ====
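The fixlog above removes three kinds of entry: Task Scheduler cache entries whose task is gone ("No File"), Browser Helper Objects whose CLSID has no DLL on disk, and a Winlogon Shell value that had been blanked. The following is an added example, not part of this thread and not FRST's own code: a read-only PowerShell audit that finds the same three conditions so you can see what "No File" means in the registry before deciding what to remove. The registry paths are the standard Windows ones; the output field names and the one-line problem descriptions are my own. Run it from an elevated PowerShell prompt on Windows 8 or later; it changes nothing.

```powershell
# Added example, not from the thread or FRST. Read-only audit of persistence
# entries of the kinds the fixlist removed. Run elevated; nothing is changed.

$TaskCache = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks'
$TaskRoot  = Join-Path $env:SystemRoot 'System32\Tasks'

# Turn a task <Command> (possibly quoted, possibly using %VARS%) into a path.
function Resolve-TaskCommand([string]$Command) {
    if (-not $Command) { return $null }
    $expanded = [Environment]::ExpandEnvironmentVariables($Command.Trim().Trim('"'))
    if ([IO.Path]::IsPathRooted($expanded)) { return $expanded }
    # Bare names such as "cmd.exe" are resolved through PATH, as the scheduler does.
    $found = Get-Command $expanded -ErrorAction SilentlyContinue
    if ($found) { return $found.Source } else { return $expanded }
}

# 1) TaskCache\Tasks entries whose XML under System32\Tasks is gone, or whose
#    action points at a file that no longer exists. FRST prints the first case
#    as "Task: {GUID} - \Path -> No File" (the gwx entries in the log above).
function Get-OrphanedScheduledTasks {
    Get-ChildItem -Path $TaskCache -ErrorAction SilentlyContinue | ForEach-Object {
        $guid    = $_.PSChildName
        $relPath = (Get-ItemProperty -Path $_.PSPath).Path
        if (-not $relPath) { return }
        $xmlFile = Join-Path $TaskRoot $relPath.TrimStart('\')
        if (-not (Test-Path -LiteralPath $xmlFile)) {
            [pscustomobject]@{ Id = $guid; Task = $relPath; Target = $null; Problem = 'task file missing' }
            return
        }
        [xml]$xml = Get-Content -LiteralPath $xmlFile -Raw
        foreach ($exec in @($xml.Task.Actions.Exec)) {
            $target = Resolve-TaskCommand $exec.Command
            if ($target -and -not (Test-Path -LiteralPath $target)) {
                [pscustomobject]@{ Id = $guid; Task = $relPath; Target = $target; Problem = 'target missing' }
            }
        }
    }
}

# 2) Browser Helper Objects (IE) whose CLSID has no InprocServer32 DLL on disk.
#    FRST prints these as "BHO: No Name -> {CLSID} -> No File".
function Get-OrphanedBHOs {
    $bhoKeys = @{
        'x64' = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
        'x32' = 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
    }
    foreach ($scope in $bhoKeys.Keys) {
        Get-ChildItem -Path $bhoKeys[$scope] -ErrorAction SilentlyContinue | ForEach-Object {
            $clsid = $_.PSChildName
            # HKCR merges HKLM and HKCU class registrations, so look the CLSID up there.
            $server = $(if ($scope -eq 'x32') { "Registry::HKEY_CLASSES_ROOT\Wow6432Node\CLSID\$clsid\InprocServer32" }
                        else                  { "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\InprocServer32" })
            $dll = (Get-ItemProperty -Path $server -ErrorAction SilentlyContinue).'(default)'
            if ($dll) { $dll = [Environment]::ExpandEnvironmentVariables($dll.Trim('"')) }
            if (-not $dll -or -not (Test-Path -LiteralPath $dll)) {
                [pscustomobject]@{ Scope = $scope; CLSID = $clsid; Dll = $dll; Problem = 'No File' }
            }
        }
    }
}

# 3) Winlogon Shell: must be "explorer.exe". FRST flagged an empty value
#    ("[Shell] [0 ] ()") and restored it; anything else here runs at every logon.
function Test-WinlogonShell {
    $key   = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $shell = (Get-ItemProperty -Path $key -Name Shell -ErrorAction SilentlyContinue).Shell
    [pscustomobject]@{
        Shell   = $shell
        Problem = $(if ($shell -eq 'explorer.exe') { $null }
                    elseif (-not $shell)           { 'empty or missing' }
                    else                           { 'non-default shell; check every entry' })
    }
}

Get-OrphanedScheduledTasks | Format-Table -AutoSize
Get-OrphanedBHOs           | Format-Table -AutoSize
Test-WinlogonShell         | Format-List
```

On the machine in this thread, the first function would have listed the eleven gwx and WPD GUIDs from the fixlist as "task file missing" and the second the Spigot CLSID {34A0D84B-CDDC-4EC4-AFDD-4F1DDE1D14E5} in both scopes. Orphaned gwx tasks are leftovers of the Windows 10 upgrade nagware and harmless; the value of the audit is that the same "No File" pattern also appears when malware has been deleted by an AV but its autostart entry has not, and that an entry pointing at an existing but unexpected binary is the one worth reading closely.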


#5 garioch7 (Malware Response Instructor)

Posted 02 March 2017 - 03:02 PM

BCGronk:

 

Thank you for the fixlog.txt.  Did you uninstall Search Protector as recommended?

 

How is your computer working now?

 

Have a great day.

 

Regards,

-Phil




#6 BCGronk (Topic Starter)

Posted 02 March 2017 - 05:34 PM

Phil:

 

When I attempted to remove Search Protector, it stated it was just removing the name from the list, as the program had previously been removed.  I did a search for it in the computer and it never came up.

 

I have not been using the computer, until just now.  I thought I would await your reply before trying anything.

 

Were there any nasties found?  Or just a lot of junk. 

 

Dave



#7 garioch7 (Malware Response Instructor)

Posted 03 March 2017 - 03:03 PM

Dave:
 
Thank you for your post.  No, no real "nasties" found.  I just did a clean up of your computer.
 
:step1: There is one serious security vulnerability.

Java 8 Update 31 (HKLM-x32\...\{26A24AE4-039D-4CA4-87B4-2F83218031F0}) (Version: 8.0.310 - Oracle Corporation)

The current version of Java is Version 8, Update 121, available for download at this link.  Your version is WAY out of date.  Some folks do keep an old version of Java around because, for example, a special old game won't play on newer versions of Java.  That leaves a big security hole though, that malware can exploit.
 
Personally, during my malware removal training here at Bleeping Computer, when I learned how much of an unnecessary risk having Java was, I uninstalled it from both of my computers, well over a year ago, and I have never missed it.  I would recommend that you do likewise unless you really need it.
 
.
 
:step2: I would like to run some routine anti-malware scans.  FRST does not catch everything - no one tool can.

ESET Online Scanner using Internet Explorer:

Note 1: These instructions are for Internet Explorer only! If you're using Chrome or Firefox, you will need to download and install the ESET Smart Installer tool before it can scan. See instructions here.
Note 2: You will need to disable your currently installed Anti-Virus, how to do so can be found here.

  • Download esetsmartinstaller_enu.exe and save it to your Desktop.
  • Double click the icon.
  • Check YES, I accept the Terms of Use.
  • Click the Start button.
  • Accept any security warnings from your browser.
  • Click Advanced settings.
  • Check the following items.

Enable detection of potentially unwanted applications
Remove found threats
Scan archives
Scan for potentially unsafe applications
Enable Anti-Stealth technology

  • Click Change next to Current scan targets:
  • Place a check mark in any additional drive you wish to scan then click OK.
  • Click Start.
  • ESET will then download updates and begin scanning your computer.
  • If no threats are found simply click Uninstall application on close and hit Finish.
  • If threats are found click List of found threats.
  • Click Export to text file.
  • Save the file on your Desktop as ESET.txt.
  • Click Back.
  • Check Uninstall application on close and Delete quarantined files.
  • Click Finish.
  • Close the ESET Online Scanner window.
  • Copy and paste the contents of ESET.txt into your reply, if any threats were detected.

Don't forget to re-enable your antivirus when finished!

.

:step3: Please run a Malwarebytes Anti-Malware scan for me.

  • Please download Malwarebytes to your Desktop.
  • Double-click mb3-setup-1878.1878-3.5.1.2522.exe and follow the prompts to install the program.
  • Then click Finish.
  • Next, please go to "Settings", "Protection", and turn on "Scan for rootkits", if it is not "On."
  • Once the program has fully updated, select Scan Now on the Dashboard. Or select the Threat Scan from the Scan menu.
  • If an update of the definitions is available, it will be downloaded and installed before the scan commences.
  • When the scan is complete, make sure that all Threats are selected, and click Remove Selected.
  • Restart your computer when prompted to do so.

The Scan log is available through History ->Application logs. Please copy and paste the contents of the log into your next reply.

 

.

Thank you and have a great day.

Regards,
-Phil



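Phil's Java finding above comes from the Uninstall registry keys, which is also where FRST builds its installed-programs list: the entry shows "Java 8 Update 31" with DisplayVersion 8.0.310 under the MSI product code {26A24AE4-039D-4CA4-87B4-2F83218031F0}. The following is an added example, not part of this thread: a PowerShell script that lists installed software from those keys and flags anything below a minimum version you maintain. The only minimum in the table is the one the thread states (Java 8 Update 121); the assumption that Oracle writes that DisplayVersion as 8.0.1210 follows the "8.0.310" convention visible in the log for Update 31. The wildcard table and output field names are my own.

```powershell
# Added example, not from the thread. Lists installed software from the three
# Uninstall hives FRST also reads, and flags anything below a minimum version.
# The Java minimum is Phil's "Version 8, Update 121"; the assumption that its
# DisplayVersion is written 8.0.1210 follows the "8.0.310" shown for Update 31.

$UninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

# DisplayName wildcard -> oldest acceptable version. Keep this list current
# yourself; the value here is what the thread states as of March 2017.
$MinimumVersions = @{
    'Java 8 Update*' = [version]'8.0.1210'   # Java 8 Update 121
}

# DisplayVersion is free text ("8.0.310", "56.0.2924.87", "1.2 beta"); keep the
# leading dotted number (2-4 parts, which is what [version] accepts) or give up.
function ConvertTo-VersionOrNull([string]$Text) {
    if ($Text -match '^\s*(\d+(\.\d+){1,3})') { return [version]$Matches[1] }
    return $null
}

function Get-InstalledSoftware {
    Get-ItemProperty -Path $UninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -and -not $_.SystemComponent } |
        ForEach-Object {
            [pscustomobject]@{
                Name      = $_.DisplayName
                Version   = $_.DisplayVersion
                Publisher = $_.Publisher
                Scope     = $(if ($_.PSPath -like '*HKEY_CURRENT_USER*') { 'user' }
                              elseif ($_.PSPath -like '*Wow6432Node*')   { 'x32' }
                              else                                       { 'x64' })
                KeyName   = $_.PSChildName     # the MSI product code for MSI installs
            }
        }
}

function Get-OutdatedSoftware {
    foreach ($app in Get-InstalledSoftware) {
        foreach ($pattern in $MinimumVersions.Keys) {
            if ($app.Name -notlike $pattern) { continue }
            $have = ConvertTo-VersionOrNull $app.Version
            $need = $MinimumVersions[$pattern]
            # An unparseable version is reported too; silence is the wrong default.
            if (-not $have -or $have -lt $need) {
                [pscustomobject]@{
                    Name      = $app.Name
                    Installed = $app.Version
                    Minimum   = $need
                    Scope     = $app.Scope
                    KeyName   = $app.KeyName
                }
            }
        }
    }
}

Get-InstalledSoftware | Sort-Object Name | Format-Table Name, Version, Publisher, Scope -AutoSize
Get-OutdatedSoftware  | Format-Table -AutoSize
```

Against the log in this thread the second table would contain one row, "Java 8 Update 31" / 8.0.310 / 8.0.1210 / x32, because [version]'8.0.310' sorts below [version]'8.0.1210' (the third component is compared numerically, not as text). The per-user Uninstall hive is included deliberately: bundled toolbars of the kind ESET later found often register there rather than under HKLM.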

#8 BCGronk (Topic Starter)

Posted 03 March 2017 - 10:50 PM

Hello Phil: I removed Java and did not reinstall a later version. I ran ESET and it found 8 unsafe items which were removed. See attached.

C:\Users\Judi\AppData\Local\Downloaded Installations\{7D9DD5A4-A592-4F6C-A5DA-3FC9B92D69B5}\default.msi	a variant of Win32/Bundled.Toolbar.Ask potentially unsafe application
C:\Users\Judi\AppData\Local\Downloaded Installations\{C2A47817-36F0-45ED-A131-45F221745E65}\PCmover Professional.msi	a variant of Win32/Bundled.Toolbar.Ask.G potentially unsafe application,a variant of Win32/Bundled.Toolbar.Ask potentially unsafe application
C:\Users\Judi\Documents\Win7 Restore Files\C\Users\JUDI\AppData\Local\Downloaded Installations\{02F343E4-9116-4509-AC26-E78CE9E11A6B}\Laplink PCmover Professional.msi	a variant of Win32/Bundled.Toolbar.Ask.G potentially unsafe application,a variant of Win32/Bundled.Toolbar.Ask potentially unsafe application
C:\Users\Judi\Documents\Win7 Restore Files\C\Users\JUDI\AppData\Local\Downloaded Installations\{AC08ECED-D6F8-404E-93A0-F037F0623C92}\The Weather Channel App.msi	a variant of Win32/Bundled.Toolbar.Ask.D potentially unsafe application
C:\Users\Judi\Documents\Win7 Restore Files\C\Users\JUDI\AppData\Local\Downloaded Installations\{C2A47817-36F0-45ED-A131-45F221745E65}\PCmover Professional.msi	a variant of Win32/Bundled.Toolbar.Ask.G potentially unsafe application,a variant of Win32/Bundled.Toolbar.Ask potentially unsafe application
C:\Users\Judi\OneDrive\Pictures\Animals\CATS\felix.exe	a variant of Win32/Joke.ScreenMate.AA potentially unsafe application
C:\Users\Judi\Pictures\Animals\CATS\felix.exe	a variant of Win32/Joke.ScreenMate.AA potentially unsafe application
C:\Windows\Installer\178fd7.msi	a variant of Win32/Systweak.L potentially unwanted application,a variant of Win32/Systweak.N potentially unwanted application

When I ran Malwarebytes it found 4 items:

Malwarebytes
www.malwarebytes.com

-Log Details-
Scan Date: 3/3/17
Scan Time: 4:37 PM
Logfile: Malw.txt
Administrator: Yes

-Software Information-
Version: 3.0.6.1469
Components Version: 1.0.75
Update Package Version: 1.0.1421
License: Trial

-System Information-
OS: Windows 10
CPU: x64
File System: NTFS
User: Judi-PC\Judi

-Scan Summary-
Scan Type: Threat Scan
Result: Completed
Objects Scanned: 386401
Time Elapsed: 3 min, 22 sec

-Scan Options-
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled

-Scan Details-
Process: 0
(No malicious items detected)

Module: 0
(No malicious items detected)

Registry Key: 2
PUP.Optional.Spigot, HKU\S-1-5-21-1314836614-3806821797-2933460574-1001\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXT\STATS\{34A0D84B-CDDC-4EC4-AFDD-4F1DDE1D14E5}, Quarantined, [812], [161091],1.0.1421
PUP.Optional.MyEmoticons, HKU\S-1-5-21-1314836614-3806821797-2933460574-1001\SOFTWARE\APPDATALOW\SOFTWARE\Search Protection, Quarantined, [9060], [241021],1.0.1421

Registry Value: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Data Stream: 0
(No malicious items detected)

Folder: 0
(No malicious items detected)

File: 2
PUP.Optional.MindSpark, C:\USERS\JUDI\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\LOCAL STORAGE\http_mapsgalaxy.dl.tb.ask.com_0.localstorage, Quarantined, [341], [240306],1.0.1421
PUP.Optional.MindSpark, C:\USERS\JUDI\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\LOCAL STORAGE\http_mapsgalaxy.dl.tb.ask.com_0.localstorage-journal, Quarantined, [341], [240306],1.0.1421

Physical Sector: 0
(No malicious items detected)

(end)

Thanks again Phil for all of your help! Hopefully this will keep the wife's machine happy and running well.

Dave

#9 garioch7 (Malware Response Instructor)

Posted 04 March 2017 - 01:19 PM

Dave:
 
Thank you for your post and your logs. Since both the ESET and Malwarebytes scans found some Potentially Unwanted Programs (PUPs), I would recommend that we run an additional two scans, just to make sure that nothing is lurking still in your computer.  No single anti-malware scanning tool can detect everything.  They are all targeting different malware variants.
 
.
 
:step1: Please download AdwCleaner by Malwarebytes and save the file to your Desktop.

  • Double click on AdwCleaner.exe to run the tool.
    Vista/Windows 7/8/10 users right-click and select Run As Administrator
  • The tool will start to update the database, please wait for it to complete the update.
  • Click on I Agree button.
  • Click on the Scan button.
  • AdwCleaner will begin...be patient as the scan may take some time to complete.
  • After the scan has finished, click on the Logfile button...a logfile (AdwCleaner[R#].txt) will open in Notepad for review (where the largest value of # represents the most recent report).
  • The contents of the log file may be confusing. Unless you see a program name that you know should not be removed, don't worry about it. If you see an entry you want to keep, let me know about it.
  • Copy and paste the contents of that logfile in your next reply.
  • A copy of all logfiles are saved in the C:\AdwCleaner folder which was created when running the tool.

.

:step2: Please download Junkware Removal Tool to your desktop.

  • Shut down your protection software now to avoid potential conflicts.
  • Run the tool by double-clicking it. If you are using Windows Vista, 7, or 8; instead of double-clicking, right-mouse click JRT.exe and select "Run as Administrator".
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete depending on your system's specifications.
  • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
  • Please copy and paste the contents of JRT.txt into your next message.

.

Thank you and have a great day.

Regards,
-Phil




#10 BCGronk (Topic Starter)

Posted 05 March 2017 - 02:03 PM

Phil:

 

# AdwCleaner v6.044 - Logfile created 05/03/2017 at 09:21:43
# Updated on 28/02/2017 by Malwarebytes
# Database : 2017-03-02.1 [Local]
# Operating System : Windows 10 Home  (X64)
# Username : Judi - JUDI-PC
# Running from : C:\Users\Judi\Desktop\adwcleaner_6.044.exe
# Mode: Scan
 
 
 
***** [ Services ] *****
 
No malicious services found.
 
 
***** [ Folders ] *****
 
No malicious folders found.
 
 
***** [ Files ] *****
 
No malicious files found.
 
 
***** [ DLL ] *****
 
No malicious DLLs found.
 
 
***** [ WMI ] *****
 
No malicious keys found.
 
 
***** [ Shortcuts ] *****
 
No infected shortcut found.
 
 
***** [ Scheduled Tasks ] *****
 
No malicious task found.
 
 
***** [ Registry ] *****
 
Value Found:  HKU\S-1-5-21-1314836614-3806821797-2933460574-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run [Browser Extensions]
 
 
***** [ Web browsers ] *****
 
No malicious Firefox based browser items found.
Chrome pref Found:  [C:\Users\Judi\AppData\Local\Google\Chrome\User Data\Default\Web data] - aol.com
 
*************************
 
C:\AdwCleaner\AdwCleaner[S0].txt - [1158 Bytes] - [05/03/2017 09:21:43]
 
########## EOF - C:\AdwCleaner\AdwCleaner[S0].txt - [1231 Bytes] ##########
 
 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Malwarebytes
Version: 8.1.1 (02.11.2017)
Operating System: Windows 10 Home x64 
Ran by Judi (Administrator) on Sun 03/05/2017 at  9:34:48.53
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
 
 
 
File System: 1 
 
Successfully deleted: C:\ProgramData\1446134927.bdinstall.bin (File) 
 
 
 
Registry: 0 
 
 
 
 
 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on Sun 03/05/2017 at  9:39:59.35
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
 
Dave


#11 garioch7 (Malware Response Instructor)

Posted 05 March 2017 - 02:58 PM

Dave:

 

Please re-run AdwCleaner in "Clean" mode unless you want to keep one or both of its detections.  Simply go to the tab and un-check any item(s) you want to keep.  If you want to keep both, do not run AdwCleaner in "Clean" mode, since there would be no point.  If you do run AdwCleaner in "Clean" mode, please copy and paste the contents of the log file into your next reply.

 

MOST IMPORTANTLY: Please give me an update on how your computer is working now?  If there are still issues, please describe them in as much detail as possible.  If not, then I will clean up the anti-malware tools that I used in my next post to you.

 

Thank you and have a great day.

 

Regards,

-Phil




#12 BCGronk (Topic Starter)

Posted 05 March 2017 - 05:36 PM

Phil:

 

Computer seems to be working just fine.  Have not noticed any issues at all.  No unknown flashes or anything else that looks out of the ordinary.

 

ADW Clean Mode:

 

# AdwCleaner v6.044 - Logfile created 05/03/2017 at 14:10:36
# Updated on 28/02/2017 by Malwarebytes
# Database : 2017-03-02.1 [Local]
# Operating System : Windows 10 Home  (X64)
# Username : Judi - JUDI-PC
# Running from : C:\Users\Judi\Desktop\adwcleaner_6.044.exe
# Mode: Clean
 
 
 
***** [ Services ] *****
 
 
 
***** [ Folders ] *****
 
 
 
***** [ Files ] *****
 
 
 
***** [ DLL ] *****
 
 
 
***** [ WMI ] *****
 
 
 
***** [ Shortcuts ] *****
 
 
 
***** [ Scheduled Tasks ] *****
 
 
 
***** [ Registry ] *****
 
 
 
***** [ Web browsers ] *****
 
 
 
*************************
 
:: "Tracing" keys deleted
:: Winsock settings cleared
 
*************************
 
C:\AdwCleaner\AdwCleaner[C0].txt - [1245 Bytes] - [05/03/2017 09:28:26]
C:\AdwCleaner\AdwCleaner[C2].txt - [819 Bytes] - [05/03/2017 14:10:36]
C:\AdwCleaner\AdwCleaner[S0].txt - [1310 Bytes] - [05/03/2017 09:21:43]
C:\AdwCleaner\AdwCleaner[S1].txt - [1284 Bytes] - [05/03/2017 14:10:21]
 
########## EOF - C:\AdwCleaner\AdwCleaner[C2].txt - [1037 Bytes] ##########
 
Dave


#13 garioch7 (Malware Response Instructor)

Posted 06 March 2017 - 01:45 PM

Dave:

Thank you for your post and your AdwCleaner log. Looks good. I would say that you are good to go! :thumbsup:

:step1: We will now remove the tools we used during this fix using Delfix.

Download Delfix from here and save it to your desktop.

  • Ensure Remove disinfection tools is checked.
  • Also place a checkmark next to:
    • Create registry backup
    • Purge system restore
  • Click the Run button.

When the tool is finished, a log will open in notepad. Please copy and paste the log in your next reply.

.

:step2: . . . Some Final Advice . . .

The most common cause of an infected machine is the Trojan Horse, or programs which appear to be legitimate but which contain malicious payloads, or which are simply malicious in and of themselves. No antivirus, firewall, host-based intrusion prevention system (HIPS), or other security software can fully protect you against this kind of attack. The best way to protect yourself is not to run email attachments from untrusted sources, and avoid software downloaded from the internet wherever possible. Remember, when you run an application, you are giving that application permission to do to your machine anything you can do to the machine, including create, modify, or destroy files or other data. In the Windows (and most other systems', such as Unix) security model, applications don't have privileges, users do.

The second most common cause of infection is out of date software. Leaving your system unpatched leaves holes through which attackers can execute code on your behalf without your consent. This goes for far more than common targets such as Windows and Internet Explorer. Most recent threats target other third party software, such as Adobe's Adobe Reader, Shockwave Player, or Flash Player, or Oracle's Java browser plugins. You can check your system for out of date software manually, or by using automated tools such as Secunia's Personal Software Inspector. This goes doubly for security applications such as antivirus and other antimalware products based on definition lists, where out-of-date lists mean no detection of newer malware.

Finally, occasionally you will be forced to run some potentially infected binary, or attackers will use a hole which is unpatched by software vendors, so a last line of defense is needed. That means turning on a firewall (Windows Firewall included with Windows Vista or later is fine) and leaving it on, and using and keeping up-to-date an antivirus solution such as Bitdefender. Antiviral solutions don't even have to cost money; for instance Microsoft Security Essentials provides perfectly acceptable protection for free. If for some reason you don't like MSE, there are other free products available as well:

  • Avira (shows nag screen to purchase full product when updating, home use only)
  • Bitdefender Free (home use only)

That should be fine for the majority of users. However, if you absolutely want additional protection, consider one or more of the following products:

If you want more information on methods malware uses to infect your computer, consider browsing our How did I get infected? topic.

.

It has been a pleasure assisting you and I hope that you will avoid any further infections in the future. Your most important protection step is to ALWAYS HAVE MORE THAN ONE RECENT BACKUP OF YOUR ENTIRE SYSTEM on an external drive that is only connected to your computer long enough to backup or restore. I do system images weekly. With the free backup software out there (Easeus ToDo Backup Home, Macrium Reflect, etc.), and the very reasonable prices for external USB hard drives, there is no reason to not have a backup.

Please copy and paste the contents of the Delfix log into your reply. If that looks good, then we can conclude your topic.

On behalf of the Bleeping Computer Community, thank you for choosing BC to assist you with your computer issues, stay safe out there in cyberspace, and have a great day.

Regards,
-Phil
 



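The "last line of defense" advice above (a firewall that stays on, an antivirus that is on and has current definitions) is the kind of thing that quietly drifts after a clean-up: a third-party product gets uninstalled, Defender never takes over, or signatures stop updating. The following is an added example, not part of this thread: a read-only PowerShell check of those items on Windows 10, using the built-in NetSecurity and Defender modules plus the Windows Security Center registrations. The 7-day signature-age threshold is my assumption, not a vendor figure, and the productState bit decoding is the commonly used one rather than anything Microsoft documents.

```powershell
# Added example, not from the thread. Read-only check of the "last line of
# defence" items above on Windows 10: firewall on for every profile, real-time
# antivirus on, definitions recent. Requires the built-in NetSecurity and
# Defender modules. The 7-day signature threshold is my assumption.

$MaxSignatureAgeDays = 7

function Get-FirewallProfileStatus {
    Get-NetFirewallProfile | ForEach-Object {
        $enabled = "$($_.Enabled)" -eq 'True'
        $inbound = "$($_.DefaultInboundAction)"   # Block, or NotConfigured which means Block
        [pscustomobject]@{
            Profile        = $_.Name
            Enabled        = $enabled
            DefaultInbound = $inbound
            Problem        = $(if (-not $enabled)          { 'firewall disabled' }
                               elseif ($inbound -eq 'Allow') { 'inbound allowed by default' }
                               else                          { $null })
        }
    }
}

function Get-DefenderStatus {
    $mp = Get-MpComputerStatus -ErrorAction SilentlyContinue
    if (-not $mp) {
        return [pscustomobject]@{ Problem = 'Defender status unavailable (module missing or third-party AV in control)' }
    }
    $lastUpdate = $mp.AntivirusSignatureLastUpdated
    $sigAgeDays = $(if ($lastUpdate) { [int]((Get-Date) - $lastUpdate).TotalDays } else { [int]::MaxValue })
    [pscustomobject]@{
        RealTimeProtection = $mp.RealTimeProtectionEnabled
        SignatureVersion   = $mp.AntivirusSignatureVersion
        SignatureAgeDays   = $sigAgeDays
        LastQuickScan      = $mp.QuickScanEndTime
        Problem            = $(if (-not $mp.RealTimeProtectionEnabled)      { 'real-time protection off' }
                               elseif ($sigAgeDays -gt $MaxSignatureAgeDays) { "signatures older than $MaxSignatureAgeDays days" }
                               else                                          { $null })
    }
}

# What Windows Security Center thinks is protecting the machine. With a third
# party product installed (Bitdefender, Norton, Avast) this is the view that
# matters, since Defender may be passive. productState is not officially
# documented; the bit positions below are the commonly used decoding.
function Get-RegisteredSecurityProducts {
    foreach ($class in 'AntiVirusProduct', 'FirewallProduct') {
        Get-CimInstance -Namespace 'root\SecurityCenter2' -ClassName $class -ErrorAction SilentlyContinue |
            ForEach-Object {
                [pscustomobject]@{
                    Type     = $class
                    Name     = $_.displayName
                    Enabled  = (($_.productState -band 0x1000) -ne 0)
                    UpToDate = (($_.productState -band 0x10)   -eq 0)
                }
            }
    }
}

Get-FirewallProfileStatus      | Format-Table -AutoSize
Get-DefenderStatus             | Format-List
Get-RegisteredSecurityProducts | Format-Table -AutoSize
```

Read the three outputs together: a disabled Domain or Public profile is a problem even when Private is on, and a Defender row saying "real-time protection off" is expected, not alarming, if the Security Center table shows another antivirus enabled and up to date. If nothing is enabled in that table, the machine has no resident protection regardless of what is installed.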

#14 BCGronk (Topic Starter)

Posted 07 March 2017 - 01:47 PM

Phil:

 

The Delfix results:

 

# DelFix v1.010 - Logfile created 07/03/2017 at 10:19:55
# Updated 26/04/2015 by Xplode
# Username : Judi - JUDI-PC
# Operating System : Windows 10 Home  (64 bits)
 
~ Removing disinfection tools ...
 
 
~ Creating registry backup ... OK
 
~ Cleaning system restore ...
 
Deleted : RP #28 [End of disinfection | 03/07/2017 18:11:38]
 
New restore point created !
 
########## - EOF - ##########
 
 
OK Phil, I wanted to thank you for all the work that you have done for me, I really appreciate it!   And thanks for the suggestions on how to keep your computer clean.
I will use some of those programs.
 
Dave


#15 garioch7 (Malware Response Instructor)

Posted 08 March 2017 - 07:49 AM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.
