Son handed me his laptop, can't login to his profile and slow and unusable


This topic is locked
9 replies to this topic

#1 micklee34 (Members, 19 posts)

Posted 01 May 2017 - 05:28 AM

So my son handed me his laptop, which he could no longer log in to. When logging into Windows it sometimes shows his desktop but often gets a temporary profile. Have now logged in.

 

I've run standard Avast scans, including a boot scan, which showed tons of adware. I've run Malwarebytes. Neither Avast nor Malwarebytes is showing any detections now. Ran TDSSKiller and ZbotKiller from Kaspersky. However, things are still not right.

 

Here is my FRST log.

 

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 30-04-2017
Ran by user (administrator) on HP (01-05-2017 11:18:10)
Running from C:\Users\TEMP.hp.001\Downloads
Loaded Profiles: user &  (Available Profiles: user)
Platform: Windows 8.1 (Update) (X64) Language: English (United Kingdom)
Internet Explorer Version 11 (Default browser: Chrome)
Boot Mode: Normal
 
==================== Processes (Whitelisted) =================
 
(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)
 
() C:\Program Files\Hewlett-Packard\SimplePass\cachesrvr.exe
(Softex Inc.) C:\Program Files\Hewlett-Packard\SimplePass\OmniServ.exe
(AMD) C:\Windows\System32\atiesrxx.exe
(AMD) C:\Windows\System32\atieclxx.exe
(Hewlett-Packard Company) C:\Windows\System32\hpservice.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RTKAUDIOSERVICE64.EXE
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe
(AVAST Software) C:\Program Files\AVAST Software\Avast\AvastSvc.exe
() C:\Program Files\ATI Technologies\ATI.ACE\a4\AdaptiveSleepService.exe
(Advanced Micro Devices, Inc.) C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe
(Apple Inc.) C:\Program Files\Bonjour\mDNSResponder.exe
(Nuance Communications, Inc.) C:\Program Files (x86)\Nuance\Dragon Notes\Core\DACore.exe
(Hewlett-Packard Development Company, L.P.) C:\Program Files (x86)\Hewlett-Packard\HP System Event\HPWMISVC.exe
(Malwarebytes) C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe
(AVAST Software s.r.o.) C:\Program Files\AVAST Software\Avast\x64\aswidsagenta.exe
(Synaptics Incorporated) C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
(CyberLink) C:\Program Files (x86)\CyberLink\Power2Go8\CLMLSvc_P2G8.exe
(Synaptics Incorporated) C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
() C:\Program Files\Hewlett-Packard\SimplePass\opvapp.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe
(Hewlett-Packard) C:\Program Files\Hewlett-Packard\SimplePass\HPSmplPass.exe
(Hewlett-Packard) C:\Program Files\Hewlett-Packard\SimplePass\OPBHOBroker.exe
(Hewlett-Packard) C:\Program Files\Hewlett-Packard\SimplePass\OPBHOBrokerDsktop.exe
(Malwarebytes) C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe
(AVAST Software) C:\Program Files\AVAST Software\Avast\AvastUI.exe
(CyberLink Corp.) C:\Program Files (x86)\CyberLink\YouCam\YouCamService.exe
(Hewlett-Packard Company) C:\Program Files (x86)\Hewlett-Packard\HP 3D DriveGuard\AccelerometerSt.exe
(Hewlett-Packard Development Company, L.P.) C:\Program Files (x86)\Hewlett-Packard\HP System Event\HPMSGSVC.exe
(Hewlett-Packard Company) C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\HPSA_Service.exe
(Hewlett-Packard Company) C:\Program Files (x86)\Hewlett-Packard\Shared\hpqwmiex.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(AVAST Software) C:\Program Files\AVAST Software\Avast\AvastUI.exe
 
==================== Registry (Whitelisted) ====================
 
(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)
 
HKLM\...\Run: [RTHDVCPL] => C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe [7202520 2013-08-20] (Realtek Semiconductor)
HKLM\...\Run: [SimplePass] => C:\Program Files\Hewlett-Packard\SimplePass\HPSmplPass.exe [2758200 2013-10-14] (Hewlett-Packard)
HKLM\...\Run: [OPBHOBroker] => C:\Program Files\Hewlett-Packard\SimplePass\OPBHOBroker.exe [155704 2013-10-14] (Hewlett-Packard)
HKLM\...\Run: [OPBHOBrokerDesktop] => C:\Program Files\Hewlett-Packard\SimplePass\OPBHOBrokerDsktop.exe [155704 2013-10-14] (Hewlett-Packard)
HKLM\...\Run: [SynTPEnh] => C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [2771184 2013-07-26] (Synaptics Incorporated)
HKLM\...\Run: [Malwarebytes TrayApp] => C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\mbamtray.exe [2780112 2017-01-20] (Malwarebytes)
HKLM\...\Run: [AvastUI.exe] => C:\Program Files\AVAST Software\Avast\AvLaunch.exe [213824 2017-05-01] (AVAST Software)
HKLM-x32\...\Run: [StartCCC] => C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\amd64\CLIStart.exe [766208 2013-09-25] (Advanced Micro Devices, Inc.)
HKLM-x32\...\Run: [YouCam Service] => C:\Program Files (x86)\CyberLink\YouCam\YouCamService.exe [267224 2013-09-02] (CyberLink Corp.)
HKLM-x32\...\Run: [AccelerometerSysTrayApplet] => C:\Program Files (x86)\Hewlett-Packard\HP 3D DriveGuard\AccelerometerST.exe [126240 2014-02-13] (Hewlett-Packard Company)
HKLM-x32\...\Run: [HPMessageService] => C:\Program Files (x86)\Hewlett-Packard\HP System Event\HPMSGSVC.exe [475448 2014-03-26] (Hewlett-Packard Development Company, L.P.)
ShellIconOverlayIdentifiers: [00asw] -> {472083B0-C522-11CF-8763-00608CC02F24} => C:\Program Files\AVAST Software\Avast\ashShA64.dll [2017-05-01] (AVAST Software)
ShellIconOverlayIdentifiers: [00avast] -> {472083B0-C522-11CF-8763-00608CC02F24} => C:\Program Files\AVAST Software\Avast\ashShA64.dll [2017-05-01] (AVAST Software)
CHR HKLM\SOFTWARE\Policies\Google: Restriction <======= ATTENTION
 
==================== Internet (Whitelisted) ====================
 
(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)
 
Tcpip\Parameters: [DhcpNameServer] 192.168.0.1
Tcpip\..\Interfaces\{65560BC5-8E7E-494C-8494-CDA0B4F31B92}: [DhcpNameServer] 40.22.1.201 40.22.1.203
Tcpip\..\Interfaces\{A4334A66-76FD-41B6-B963-6C23D89F53B1}: [DhcpNameServer] 192.168.0.1
 
Internet Explorer:
==================
HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Start Page = about:blank
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Search Page = hxxps://uk.search.yahoo.com/yhs/search?type=avastbcl&hspart=avast&hsimp=yhs-001&p={searchTerms}
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://g.uk.msn.com/HPNOT14/2
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Page_URL = 
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Search_URL = 
HKU\S-1-5-21-3681891341-1149350563-342323943-1002\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://g.uk.msn.com/HPNOT14/2
HKU\S-1-5-21-3681891341-1149350563-342323943-1002\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://g.uk.msn.com/HPNOT14/2
HKU\S-1-5-21-3681891341-1149350563-342323943-1002.bak-{637FE20B-9A5B-4F51-B1BE-D10045625B40}-05012017110312308\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
HKU\S-1-5-21-3681891341-1149350563-342323943-1002.bak-{637FE20B-9A5B-4F51-B1BE-D10045625B40}-05012017110312308\Software\Microsoft\Internet Explorer\Main,Search Page = hxxps://uk.search.yahoo.com/yhs/search?type=avastbcl&hspart=avast&hsimp=yhs-001&p={searchTerms}
SearchScopes: HKLM -> {2E00D31D-D171-423D-836D-1A4D7EA7F1A9} URL = 
SearchScopes: HKLM -> {D944BB61-2E34-4DBF-A683-47E505C587DC} URL = hxxp://rover.ebay.com/rover/1/710-29550-11896-25/4 ?mpre=http%3A%2F%2Fwww.ebay.com%2Fsch%2F%3F_nkw%3D{searchTerms}&keyword={searchTerms}
SearchScopes: HKLM -> {FDDCB575-7293-4848-8477-A979CFB7A874} URL = hxxp://www.amazon.co.uk/s/ref=azs_osd_ieauk?ie=UTF-8&tag=hp-uk3-vsb-21&link%5Fcode=qs&index=aps&field-keywords={searchTerms}
SearchScopes: HKLM-x32 -> DefaultScope {9CB96984-43C3-4D44-90EF-01466EFCF7BB} URL = hxxps://uk.search.yahoo.com/yhs/search?type=avastbcl&hspart=avast&hsimp=yhs-001&p={searchTerms}
SearchScopes: HKLM-x32 -> {9CB96984-43C3-4D44-90EF-01466EFCF7BB} URL = hxxps://uk.search.yahoo.com/yhs/search?type=avastbcl&hspart=avast&hsimp=yhs-001&p={searchTerms}
SearchScopes: HKLM-x32 -> {D944BB61-2E34-4DBF-A683-47E505C587DC} URL = hxxp://rover.ebay.com/rover/1/710-29550-11896-25/4 ?mpre=http%3A%2F%2Fwww.ebay.com%2Fsch%2F%3F_nkw%3D{searchTerms}&keyword={searchTerms}
SearchScopes: HKLM-x32 -> {FDDCB575-7293-4848-8477-A979CFB7A874} URL = hxxp://www.amazon.co.uk/s/ref=azs_osd_ieauk?ie=UTF-8&tag=hp-uk3-vsb-21&link%5Fcode=qs&index=aps&field-keywords={searchTerms}
SearchScopes: HKU\S-1-5-21-3681891341-1149350563-342323943-1002 -> {D944BB61-2E34-4DBF-A683-47E505C587DC} URL = hxxp://rover.ebay.com/rover/1/710-29550-11896-25/4 ?mpre=http%3A%2F%2Fwww.ebay.com%2Fsch%2F%3F_nkw%3D{searchTerms}&keyword={searchTerms}
SearchScopes: HKU\S-1-5-21-3681891341-1149350563-342323943-1002 -> {FDDCB575-7293-4848-8477-A979CFB7A874} URL = hxxp://www.amazon.co.uk/s/ref=azs_osd_ieauk?ie=UTF-8&tag=hp-uk3-vsb-21&link%5Fcode=qs&index=aps&field-keywords={searchTerms}
SearchScopes: HKU\S-1-5-21-3681891341-1149350563-342323943-1002.bak-{637FE20B-9A5B-4F51-B1BE-D10045625B40}-05012017110312308 -> DefaultScope {5BDD5D8A-DC22-45DF-96AE-ABC7372C256C} URL = hxxps://uk.search.yahoo.com/search?fr=mcafee&type=B011GB0D20141006&p={searchTerms}
SearchScopes: HKU\S-1-5-21-3681891341-1149350563-342323943-1002.bak-{637FE20B-9A5B-4F51-B1BE-D10045625B40}-05012017110312308 -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
SearchScopes: HKU\S-1-5-21-3681891341-1149350563-342323943-1002.bak-{637FE20B-9A5B-4F51-B1BE-D10045625B40}-05012017110312308 -> {5BDD5D8A-DC22-45DF-96AE-ABC7372C256C} URL = hxxps://uk.search.yahoo.com/search?fr=mcafee&type=B011GB0D20141006&p={searchTerms}
SearchScopes: HKU\S-1-5-21-3681891341-1149350563-342323943-1002.bak-{637FE20B-9A5B-4F51-B1BE-D10045625B40}-05012017110312308 -> {D944BB61-2E34-4DBF-A683-47E505C587DC} URL = 
BHO: avast! Online Security -> {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} -> C:\Program Files\AVAST Software\Avast\aswWebRepIE64.dll [2017-05-01] (AVAST Software)
BHO: MyAdGuardian Plugin -> {D9D6CFA3-2880-47D4-A001-FA4E6308C350} -> C:\Program Files (x86)\DotAds International\MyAdGuardian\Bin\MyAdGuardian64.dll [2014-10-28] (DotAds International)
BHO: HP Network Check Helper -> {E76FD755-C1BA-4DCB-9F13-99BD91223ADE} -> C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\Resources\HPNetworkCheck\HPNetworkCheckPluginx64.dll [2013-08-28] (Hewlett-Packard)
BHO-x32: avast! Online Security -> {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} -> C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll [2017-05-01] (AVAST Software)
BHO-x32: MyAdGuardian Plugin -> {D9D6CFA3-2880-47D4-A001-FA4E6308C350} -> C:\Program Files (x86)\DotAds International\MyAdGuardian\Bin\MyAdGuardian32.dll [2014-10-28] (DotAds International)
BHO-x32: HP Network Check Helper -> {E76FD755-C1BA-4DCB-9F13-99BD91223ADE} -> C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\Resources\HPNetworkCheck\HPNetworkCheckPlugin.dll [2013-08-28] (Hewlett-Packard)
StartMenuInternet: IEXPLORE.EXE - iexplore.exe
 
FireFox:
========
FF HKLM-x32\...\Firefox\Extensions: [{b9bfaf1c-a63f-47cd-0829-29526ced3667}] - C:\Program Files (x86)\Mozilla Firefox\extension\\getvideosoft.xpi
FF Extension: (YouTube Downloader and Converter) - C:\Program Files (x86)\Mozilla Firefox\extension\\getvideosoft.xpi [2014-09-08] [not signed]
FF HKLM-x32\...\Mozilla Firefox 30.0\Extensions: [{b9bfaf1c-a63f-47cd-0829-29526ced3667}] - C:\Program Files (x86)\Mozilla Firefox\extension\\getvideosoft.xpi
FF Plugin-x32: @adobe.com/ShockwavePlayer -> C:\Windows\SysWOW64\Adobe\Director\np32dsw_1228198.dll [2017-02-27] (Adobe Systems, Inc.)
FF Plugin-x32: @microsoft.com/WLPG,version=16.4.3508.0205 -> C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll [2013-02-05] (Microsoft Corporation)
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.32.7\npGoogleUpdate3.dll [2017-03-14] (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.32.7\npGoogleUpdate3.dll [2017-03-14] (Google Inc.)
FF Plugin-x32: @videolan.org/vlc,version=2.1.5 -> C:\Program Files (x86)\VideoLAN\VLC\npvlc.dll [2016-06-01] (VideoLAN)
FF Plugin-x32: @videolan.org/vlc,version=2.2.4 -> C:\Program Files (x86)\VideoLAN\VLC\npvlc.dll [2016-06-01] (VideoLAN)
 
Chrome: 
=======
CHR Profile: C:\Users\TEMP.hp.001\AppData\Local\Google\Chrome\User Data\Default [2017-05-01]
CHR Extension: (Google Slides) - C:\Users\TEMP.hp.001\AppData\Local\Google\Chrome\User Data\Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek [2017-05-01]
CHR Extension: (Google Docs) - C:\Users\TEMP.hp.001\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake [2017-05-01]
CHR Extension: (Google Drive) - C:\Users\TEMP.hp.001\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2017-05-01]
CHR Extension: (YouTube) - C:\Users\TEMP.hp.001\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2017-05-01]
CHR Extension: (Google Sheets) - C:\Users\TEMP.hp.001\AppData\Local\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap [2017-05-01]
CHR Extension: (Google Docs Offline) - C:\Users\TEMP.hp.001\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi [2017-05-01]
CHR Extension: (Avast Online Security) - C:\Users\TEMP.hp.001\AppData\Local\Google\Chrome\User Data\Default\Extensions\gomekmidlodglbbmalcneegieacbdmki [2017-05-01]
CHR Extension: (Chrome Web Store Payments) - C:\Users\TEMP.hp.001\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2017-05-01]
CHR Extension: (Gmail) - C:\Users\TEMP.hp.001\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2017-05-01]
CHR Extension: (Chrome Media Router) - C:\Users\TEMP.hp.001\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm [2017-05-01]
CHR HKLM-x32\...\Chrome\Extension: [gomekmidlodglbbmalcneegieacbdmki] - hxxps://clients2.google.com/service/update2/crx
 
==================== Services (Whitelisted) ====================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
R2 AdaptiveSleepService; C:\Program Files\ATI Technologies\ATI.ACE\A4\AdaptiveSleepService.exe [99328 2013-09-25] () [File not signed]
R2 AMD FUEL Service; C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe [344064 2013-09-25] (Advanced Micro Devices, Inc.) [File not signed]
R3 aswbIDSAgent; C:\Program Files\AVAST Software\Avast\x64\aswidsagenta.exe [7398336 2017-05-01] (AVAST Software s.r.o.)
R2 avast! Antivirus; C:\Program Files\AVAST Software\Avast\AvastSvc.exe [261712 2017-05-01] (AVAST Software)
R2 Cachedrv server; C:\Program Files\Hewlett-Packard\SimplePass\cachesrvr.exe [109568 2013-10-14] () [File not signed]
R2 DACoreService; C:\Program Files (x86)\Nuance\Dragon Notes\Core\DACore.exe [411024 2013-02-01] (Nuance Communications, Inc.)
R2 HPWMISVC; c:\Program Files (x86)\Hewlett-Packard\HP System Event\HPWMISVC.exe [469304 2014-03-26] (Hewlett-Packard Development Company, L.P.)
R2 MBAMService; C:\Program Files\Malwarebytes\Anti-Malware\mbamservice.exe [4355024 2017-01-20] (Malwarebytes)
R2 omniserv; C:\Program Files\Hewlett-Packard\SimplePass\OmniServ.exe [87552 2013-10-14] (Softex Inc.) [File not signed]
R2 RtkAudioService; C:\Program Files\Realtek\Audio\HDA\RtkAudioService64.exe [246488 2013-06-19] (Realtek Semiconductor)
S3 WdNisSvc; C:\Program Files\Windows Defender\NisSrv.exe [368632 2014-09-22] (Microsoft Corporation)
S2 WinDefend; C:\Program Files\Windows Defender\MsMpEng.exe [23792 2014-09-22] (Microsoft Corporation)
 
===================== Drivers (Whitelisted) ======================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
R3 AmdAS4; C:\Windows\System32\drivers\AmdAS4.sys [17504 2013-02-07] (Advanced Micro Devices, INC.)
R1 aswbidsdriver; C:\Windows\system32\drivers\aswbidsdrivera.sys [307736 2017-05-01] (AVAST Software s.r.o.)
R0 aswbidsh; C:\Windows\system32\drivers\aswbidsha.sys [189768 2017-05-01] (AVAST Software s.r.o.)
R0 aswblog; C:\Windows\system32\drivers\aswbloga.sys [334088 2017-05-01] (AVAST Software s.r.o.)
R0 aswbuniv; C:\Windows\system32\drivers\aswbuniva.sys [48528 2017-05-01] (AVAST Software s.r.o.)
S3 aswHwid; C:\Windows\system32\drivers\aswHwid.sys [38296 2017-05-01] (AVAST Software)
R1 aswKbd; C:\Windows\system32\drivers\aswKbd.sys [32600 2017-05-01] (AVAST Software)
R2 aswMonFlt; C:\Windows\system32\drivers\aswMonFlt.sys [128648 2017-05-01] (AVAST Software)
R1 aswRdr; C:\Windows\system32\drivers\aswRdr2.sys [101152 2017-05-01] (AVAST Software)
R0 aswRvrt; C:\Windows\system32\drivers\aswRvrt.sys [75704 2017-05-01] (AVAST Software)
R1 aswSnx; C:\Windows\system32\drivers\aswSnx.sys [1005048 2017-05-01] (AVAST Software)
R1 aswSP; C:\Windows\system32\drivers\aswSP.sys [556784 2017-05-01] (AVAST Software)
R2 aswStm; C:\Windows\system32\drivers\aswStm.sys [164064 2017-05-01] (AVAST Software)
R0 aswVmm; C:\Windows\system32\drivers\aswVmm.sys [339696 2017-05-01] (AVAST Software)
R3 AtiHDAudioService; C:\Windows\system32\drivers\AtihdWB6.sys [138240 2013-06-23] (Advanced Micro Devices)
R1 CLVirtualDrive; C:\Windows\system32\DRIVERS\CLVirtualDrive.sys [91712 2013-03-05] (CyberLink)
R3 MBAMSwissArmy; C:\Windows\system32\drivers\MBAMSwissArmy.sys [251840 2017-05-01] (Malwarebytes)
R3 RSP2STOR; C:\Windows\system32\DRIVERS\RtsP2Stor.sys [290008 2013-07-05] (Realtek Semiconductor Corp.)
R3 RTWlanE; C:\Windows\system32\DRIVERS\rtwlane.sys [2945240 2013-09-12] (Realtek Semiconductor Corporation                           )
R3 RTWlanE; C:\Windows\SysWOW64\DRIVERS\rtwlane.sys [2945240 2013-09-12] (Realtek Semiconductor Corporation                           )
S3 SmbDrv; C:\Windows\System32\drivers\Smb_driver_AMDASF.sys [30448 2013-07-26] (Synaptics Incorporated)
S3 SmbDrvI; C:\Windows\System32\drivers\Smb_driver_Intel.sys [34544 2013-07-26] (Synaptics Incorporated)
S3 WdBoot; C:\Windows\system32\drivers\WdBoot.sys [35320 2014-09-22] (Microsoft Corporation)
S3 WdFilter; C:\Windows\system32\drivers\WdFilter.sys [258368 2014-09-22] (Microsoft Corporation)
S3 WdNisDrv; C:\Windows\System32\Drivers\WdNisDrv.sys [114496 2014-09-22] (Microsoft Corporation)
R3 WirelessButtonDriver; C:\Windows\System32\drivers\WirelessButtonDriver64.sys [30384 2015-06-23] (HP Inc.)
 
==================== NetSvcs (Whitelisted) ===================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
 
==================== One Month Created files and folders ========
 
(If an entry is included in the fixlist, the file/folder will be moved.)
 
2017-05-01 11:18 - 2017-05-01 11:18 - 00018976 _____ C:\Users\TEMP.hp.001\Downloads\FRST.txt
2017-05-01 11:17 - 2017-05-01 11:18 - 00000000 ____D C:\FRST
2017-05-01 11:16 - 2017-05-01 11:16 - 02428928 _____ (Farbar) C:\Users\TEMP.hp.001\Downloads\FRST64.exe
2017-05-01 11:09 - 2017-05-01 11:09 - 00000000 ____D C:\Users\TEMP.hp.001\AppData\Roaming\Hewlett-Packard
2017-05-01 11:09 - 2017-05-01 11:09 - 00000000 ____D C:\Users\TEMP.hp.001\AppData\Roaming\AVAST Software
2017-05-01 11:09 - 2017-05-01 11:09 - 00000000 ____D C:\Users\TEMP.hp.001\AppData\Local\CEF
2017-05-01 11:06 - 2017-05-01 11:07 - 00220734 _____ C:\TDSSKiller.3.1.0.15_01.05.2017_11.06.01_log.txt
2017-05-01 11:05 - 2017-05-01 11:05 - 00008038 _____ C:\TDSSKiller.3.1.0.15_01.05.2017_11.05.27_log.txt
2017-05-01 11:05 - 2017-05-01 11:05 - 00000000 ____D C:\Users\TEMP.hp.001\Documents\Youcam
2017-05-01 11:05 - 2017-05-01 11:05 - 00000000 ____D C:\Users\TEMP.hp.001\AppData\Local\Hewlett-Packard
2017-05-01 11:05 - 2017-05-01 11:05 - 00000000 ____D C:\Users\TEMP.hp.001\AppData\Local\CyberLink
2017-05-01 11:04 - 2017-05-01 11:04 - 00000000 ____D C:\Users\TEMP.hp.001\AppData\Local\Power2Go8
2017-05-01 11:03 - 2017-05-01 11:13 - 00000000 ____D C:\Users\TEMP.hp.001\AppData\Local\Google
2017-05-01 11:03 - 2017-05-01 11:07 - 00002242 _____ C:\Users\TEMP.hp.001\Desktop\Google Chrome.lnk
2017-05-01 11:03 - 2017-05-01 11:03 - 00003898 _____ C:\Windows\System32\Tasks\User_Feed_Synchronization-{5CC9E8B6-ACB5-4C9C-98F2-705A74EC06D1}
2017-05-01 11:03 - 2017-05-01 11:03 - 00001449 _____ C:\Users\TEMP.hp.001\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer.lnk
2017-05-01 11:03 - 2017-05-01 11:03 - 00000020 ___SH C:\Users\TEMP.hp.001\ntuser.ini
2017-05-01 11:03 - 2017-05-01 11:03 - 00000000 ____D C:\Users\TEMP.hp.001\AppData\Roaming\Synaptics
2017-05-01 11:03 - 2017-05-01 11:03 - 00000000 ____D C:\Users\TEMP.hp.001\AppData\Roaming\Adobe
2017-05-01 11:03 - 2017-05-01 11:03 - 00000000 ____D C:\Users\TEMP.hp.001\AppData\Local\VirtualStore
2017-05-01 11:03 - 2017-05-01 11:03 - 00000000 ____D C:\Users\TEMP.hp.001\AppData\Local\Packages
2017-05-01 11:03 - 2017-05-01 11:03 - 00000000 ____D C:\Users\TEMP.hp.001
2017-05-01 11:03 - 2014-02-22 05:37 - 00000369 _____ C:\Users\TEMP.hp.001\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Pictures.lnk
2017-05-01 11:03 - 2014-02-22 05:37 - 00000369 _____ C:\Users\TEMP.hp.001\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Documents.lnk
2017-05-01 11:03 - 2013-10-17 20:30 - 00000000 ___HD C:\Users\TEMP.hp.001\Documents\hp.system.package.metadata
2017-05-01 11:03 - 2013-10-17 20:30 - 00000000 ___HD C:\Users\TEMP.hp.001\Documents\hp.applications.package.appdata
2017-05-01 08:50 - 2017-05-01 08:50 - 00003898 _____ C:\Windows\System32\Tasks\User_Feed_Synchronization-{8CC93745-EE91-4A30-BBAE-B51C49EF5D49}
2017-05-01 08:45 - 2017-05-01 08:45 - 00003898 _____ C:\Windows\System32\Tasks\User_Feed_Synchronization-{2CF630E2-BAF8-4B78-918D-8FD7BB5A8ADD}
2017-05-01 08:11 - 2017-05-01 08:14 - 00003898 _____ C:\Windows\System32\Tasks\User_Feed_Synchronization-{9C475F79-64C0-4FFE-9051-EDEC0F9BF50B}
2017-05-01 08:10 - 2017-05-01 08:42 - 00000000 ____D C:\Users\TEMP.hp.000
2017-05-01 08:10 - 2017-05-01 08:15 - 00876192 _____ C:\TDSSKiller.3.1.0.15_01.05.2017_08.10.55_log.txt
2017-05-01 08:07 - 2017-05-01 08:08 - 00221546 _____ C:\TDSSKiller.3.1.0.15_01.05.2017_08.07.25_log.txt
2017-05-01 08:07 - 2017-05-01 08:07 - 00245648 _____ (Kaspersky Lab ZAO) C:\Users\user\Downloads\zbotkiller.exe
2017-05-01 08:06 - 2017-05-01 08:06 - 04922400 _____ (AO Kaspersky Lab) C:\Users\user\Downloads\tdsskiller.exe
2017-05-01 08:04 - 2017-05-01 08:03 - 00399944 _____ (AVAST Software) C:\Windows\system32\aswBoot.exe
 
==================== One Month Modified files and folders ========
 
(If an entry is included in the fixlist, the file/folder will be moved.)
 
2017-05-01 11:15 - 2013-08-22 16:36 - 00000000 ____D C:\Windows\AppReadiness
2017-05-01 11:12 - 2013-08-22 16:36 - 00000000 ___HD C:\Program Files\WindowsApps
2017-05-01 11:09 - 2013-08-26 07:09 - 00956476 _____ C:\Windows\system32\PerfStringBackup.INI
2017-05-01 11:09 - 2013-08-22 14:36 - 00000000 ____D C:\Windows\Inf
2017-05-01 11:03 - 2017-03-14 11:34 - 00251840 _____ (Malwarebytes) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
2017-05-01 11:03 - 2014-10-06 16:15 - 00001376 _____ C:\Windows\Tasks\4206c1b9-7f67-4d25-b153-ccfd0f3858ef.job
2017-05-01 11:03 - 2014-10-05 08:58 - 00000578 _____ C:\Windows\Tasks\82f54e25-a34c-4d43-98b1-6d7cdead9c44.job
2017-05-01 11:01 - 2013-08-22 15:45 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2017-05-01 09:41 - 2014-10-06 16:14 - 00000000 ____D C:\ProgramData\Browser
2017-05-01 09:17 - 2014-10-06 16:29 - 00000000 ____D C:\Program Files (x86)\YouTube Downloader Services
2017-05-01 09:16 - 2015-01-10 19:25 - 00000000 ____D C:\Program Files (x86)\Software Update Services
2017-05-01 08:43 - 2013-08-22 14:25 - 00262144 ___SH C:\Windows\system32\config\BBI
2017-05-01 08:40 - 2014-07-26 11:48 - 00003596 _____ C:\Windows\System32\Tasks\Optimize Start Menu Cache Files-S-1-5-21-3681891341-1149350563-342323943-1002
2017-05-01 08:35 - 2014-07-29 16:32 - 00000000 ____D C:\Program Files (x86)\Java
2017-05-01 08:35 - 2013-09-01 04:49 - 00000000 ____D C:\SWSetup
2017-05-01 08:30 - 2013-10-17 20:30 - 00000000 ____D C:\Program Files (x86)\Hewlett-Packard
2017-05-01 08:10 - 2017-03-14 12:48 - 00003880 _____ C:\Windows\System32\Tasks\SafeZone scheduled Autoupdate 1489492068
2017-05-01 08:10 - 2017-03-14 12:47 - 00001066 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Avast SafeZone Browser.lnk
2017-05-01 08:07 - 2014-08-17 10:58 - 00002182 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome.lnk
2017-05-01 08:05 - 2014-07-26 11:44 - 00000000 ____D C:\Users\user\Documents\Youcam
2017-05-01 08:04 - 2017-03-14 12:46 - 00003914 _____ C:\Windows\System32\Tasks\Avast Emergency Update
2017-05-01 08:04 - 2017-03-14 12:45 - 00556784 _____ (AVAST Software) C:\Windows\system32\Drivers\aswsp.sys
2017-05-01 08:04 - 2017-03-14 12:45 - 00128648 _____ (AVAST Software) C:\Windows\system32\Drivers\aswmonflt.sys
2017-05-01 08:03 - 2017-03-14 12:45 - 01005048 _____ (AVAST Software) C:\Windows\system32\Drivers\aswSnx.sys
2017-05-01 08:03 - 2017-03-14 12:45 - 00556784 _____ (AVAST Software) C:\Windows\system32\Drivers\aswsp.sys.149362228320307
2017-05-01 08:03 - 2017-03-14 12:45 - 00339696 _____ (AVAST Software) C:\Windows\system32\Drivers\aswVmm.sys
2017-05-01 08:03 - 2017-03-14 12:45 - 00334088 _____ (AVAST Software s.r.o.) C:\Windows\system32\Drivers\aswbloga.sys
2017-05-01 08:03 - 2017-03-14 12:45 - 00307736 _____ (AVAST Software s.r.o.) C:\Windows\system32\Drivers\aswbidsdrivera.sys
2017-05-01 08:03 - 2017-03-14 12:45 - 00189768 _____ (AVAST Software s.r.o.) C:\Windows\system32\Drivers\aswbidsha.sys
2017-05-01 08:03 - 2017-03-14 12:45 - 00164064 _____ (AVAST Software) C:\Windows\system32\Drivers\aswStm.sys
2017-05-01 08:03 - 2017-03-14 12:45 - 00127112 _____ (AVAST Software) C:\Windows\system32\Drivers\aswmonflt.sys.149362228320307
2017-05-01 08:03 - 2017-03-14 12:45 - 00101152 _____ (AVAST Software) C:\Windows\system32\Drivers\aswRdr2.sys
2017-05-01 08:03 - 2017-03-14 12:45 - 00075704 _____ (AVAST Software) C:\Windows\system32\Drivers\aswRvrt.sys
2017-05-01 08:03 - 2017-03-14 12:45 - 00048528 _____ (AVAST Software s.r.o.) C:\Windows\system32\Drivers\aswbuniva.sys
2017-05-01 08:03 - 2017-03-14 12:45 - 00038296 _____ (AVAST Software) C:\Windows\system32\Drivers\aswHwid.sys
2017-05-01 08:03 - 2017-03-14 12:45 - 00032600 _____ (AVAST Software) C:\Windows\system32\Drivers\aswKbd.sys
 
Some files in TEMP:
====================
2015-01-10 19:23 - 2013-06-04 10:30 - 0050432 ____R () C:\Users\user\AppData\Local\Temp\Extract.exe
2014-10-06 17:08 - 2014-10-06 17:08 - 0088576 _____ () C:\Users\user\AppData\Local\Temp\hDtq4.dll
2014-10-06 17:08 - 2014-10-06 17:08 - 0100864 _____ () C:\Users\user\AppData\Local\Temp\hDtq4.exe
2014-08-07 19:06 - 2014-08-07 19:06 - 6468632 _____ (AVG Technologies) C:\Users\user\AppData\Local\Temp\oi_{19D23881-DECB-4E99-984A-6BDB362910FE}.exe
2014-08-07 19:06 - 2014-08-07 19:06 - 2940496 _____ () C:\Users\user\AppData\Local\Temp\safeguard.exe
2015-01-08 02:43 - 2015-01-08 02:43 - 95055600 _____ (Hewlett-Packard                                             ) C:\Users\user\AppData\Local\Temp\SP64339.exe
2015-01-10 16:33 - 2015-01-10 16:33 - 50965928 _____ (Hewlett-Packard                                             ) C:\Users\user\AppData\Local\Temp\SP65793.exe
2015-01-09 08:49 - 2015-01-09 08:49 - 19080008 _____ (Hewlett-Packard Company                                     ) C:\Users\user\AppData\Local\Temp\SP66078.exe
2015-01-10 00:15 - 2015-01-10 00:15 - 2829368 _____ (Hewlett-Packard Company                                     ) C:\Users\user\AppData\Local\Temp\SP66604.exe
2014-12-24 16:34 - 2014-12-24 16:34 - 9517056 _____ (InstallShield Software Corporation                          ) C:\Users\user\AppData\Local\Temp\SP66866.exe
2015-01-10 14:42 - 2015-01-10 14:42 - 159513152 _____ (Hewlett Packard                                             ) C:\Users\user\AppData\Local\Temp\SP67263.exe
2014-08-17 10:42 - 2014-08-07 19:06 - 2084888 _____ (AVG Technologies) C:\Users\user\AppData\Local\Temp\UNINSTALL.EXE
2014-10-02 18:46 - 2014-10-02 18:46 - 4961800 _____ (Microsoft Corporation) C:\Users\user\AppData\Local\Temp\vcredist_x64.exe
 
==================== Bamital & volsnap ======================
 
(There is no automatic fix for files that do not pass verification.)
 
C:\Windows\system32\winlogon.exe => File is digitally signed
C:\Windows\system32\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\system32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\system32\services.exe => File is digitally signed
C:\Windows\system32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\system32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\system32\rpcss.dll => File is digitally signed
C:\Windows\system32\dnsapi.dll => File is digitally signed
C:\Windows\SysWOW64\dnsapi.dll => File is digitally signed
C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed
 
LastRegBack: 2017-03-14 13:15
 
==================== End of FRST.txt ============================

Edited by micklee34, 01 May 2017 - 05:32 AM.
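
The FRST log above is what a log reviewer works through by hand: FRST's own ATTENTION markers, auto-starts that are unsigned or carry no vendor name, scheduled tasks and Run entries that launch from user-writable folders, and the TEMP.hp.001 profile path plus the .bak SID hive that go with the "temporary profile" symptom. As an added example, not code from the original post and not FRST's own, here is a small offline triage pass over an FRST.txt that applies those checks in one walk. The watch-list of names, the path heuristics, the reading of TEMP./.bak as a temporary-profile sign, and the sample log lines are this example's assumptions, modelled on entries in the posted log.

```python
"""Offline triage of an FRST.txt log for persistence and profile-health hints.

Added example for this thread: not part of the original post and not FRST's
own code. The heuristics are the author's assumptions about what a reviewer
checks first; SAMPLE_LOG is constructed from lines of the kind in the post.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Names singled out in this thread's reply plus the ad-related vendor strings
# in the log; treating them as unwanted is an assumption of this example.
WATCHLIST = ("MyAdGuardian", "Browsers+_App+_Pro+", "HD-Quality", "getvideosoft",
             "Astromenda", "MySafeProxy", "Super Optimizer")

# Lines FRST itself marks, e.g. "<==== ATTENTION" or "<======= ATTENTION".
ATTENTION = re.compile(r"<=+\s*ATTENTION")
# FRST's signature notes on services/drivers and Firefox extensions.
UNSIGNED = re.compile(r"\[(?:File )?not signed\]", re.I)
# "()" as the vendor field: the binary carries no company name at all.
EMPTY_VENDOR = re.compile(r"\(\)\s*(?:\[File not signed\])?\s*$")
# Locations an auto-start normally should not run from (assumption).
USER_WRITABLE = re.compile(r"\\(?:Users|ProgramData|Temp|AppData)\\", re.I)
# Entry kinds that start or load something: tasks, Run keys, BHOs,
# Firefox extensions, and R*/S* service or driver lines.
AUTOSTART = re.compile(
    r"^(?:Task:|HKLM(?:-x32)?\\\.\.\.\\Run:|HKU\\[^\\]+\\\.\.\.\\Run:"
    r"|BHO(?:-x32)?:|FF Extension:|[RS][0-4] )"
)
# A Windows path ending in a loadable or executable extension.
WINPATH = r"[A-Za-z]:\\[^\[<]+?\.(?:exe|dll|sys|xpi|bat|cmd|vbs|js)\b"
TARGET_AFTER_ARROW = re.compile(r"=>\s*(" + WINPATH + r")", re.I)
ANY_PATH = re.compile(WINPATH, re.I)
# How FRST shows the "temporary profile" symptom: the tool runs from a
# TEMP.<host>.NNN profile and the real SID hive appears with a .bak suffix
# (assumption drawn from the posted log).
TEMP_PROFILE = re.compile(r"\\Users\\TEMP\b|\bS-1-5-21-[\d-]+\.bak-\{", re.I)


@dataclass(frozen=True)
class Finding:
    line: str
    reasons: Tuple[str, ...]


def target_path(line: str) -> Optional[str]:
    """Return the file an entry launches or loads, preferring the part after '=>'."""
    m = TARGET_AFTER_ARROW.search(line)
    if m:
        return m.group(1)
    m = ANY_PATH.search(line)
    return m.group(0) if m else None


def triage(log_text: str) -> Dict[str, object]:
    """Walk the log once; return flagged entries and temporary-profile hints."""
    findings: List[Finding] = []
    profile_hints: List[str] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if TEMP_PROFILE.search(line):
            profile_hints.append(line)
        reasons: List[str] = []
        if ATTENTION.search(line):
            reasons.append("frst_attention")
        if any(term.lower() in line.lower() for term in WATCHLIST):
            reasons.append("watchlist")
        if AUTOSTART.match(line):
            if UNSIGNED.search(line):
                reasons.append("unsigned")
            if EMPTY_VENDOR.search(line):
                reasons.append("no_vendor")
            path = target_path(line)
            if path and USER_WRITABLE.search(path):
                reasons.append("user_writable_path")
        if reasons:
            findings.append(Finding(line, tuple(reasons)))
    return {"findings": findings, "temp_profile": bool(profile_hints),
            "profile_hints": profile_hints}


def summarize(result: Dict[str, object]) -> List[str]:
    """One line per finding, in a form that can be pasted back into a reply."""
    out = ["temporary profile in use: " + ("yes" if result["temp_profile"] else "no")]
    for f in result["findings"]:
        out.append("[" + ", ".join(f.reasons) + "] " + f.line[:90])
    return out


# Constructed sample, modelled on lines in the posted FRST.txt.
SAMPLE_LOG = r"""
Running from C:\Users\TEMP.hp.001\Downloads
HKLM\...\Run: [RTHDVCPL] => C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe [7202520 2013-08-20] (Realtek Semiconductor)
CHR HKLM\SOFTWARE\Policies\Google: Restriction <======= ATTENTION
HKU\S-1-5-21-3681891341-1149350563-342323943-1002.bak-{637FE20B-9A5B-4F51-B1BE-D10045625B40}-05012017110312308\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
BHO: MyAdGuardian Plugin -> {D9D6CFA3-2880-47D4-A001-FA4E6308C350} -> C:\Program Files (x86)\DotAds International\MyAdGuardian\Bin\MyAdGuardian64.dll [2014-10-28] (DotAds International)
FF Extension: (YouTube Downloader and Converter) - C:\Program Files (x86)\Mozilla Firefox\extension\\getvideosoft.xpi [2014-09-08] [not signed]
R2 Cachedrv server; C:\Program Files\Hewlett-Packard\SimplePass\cachesrvr.exe [109568 2013-10-14] () [File not signed]
R2 avast! Antivirus; C:\Program Files\AVAST Software\Avast\AvastSvc.exe [261712 2017-05-01] (AVAST Software)
Task: C:\Windows\Tasks\BDMTGMH.job => C:\Users\user\AppData\Roaming\BDMTGMH.exe <==== ATTENTION
Task: C:\Windows\Tasks\4206c1b9-7f67-4d25-b153-ccfd0f3858ef.job => C:\Program Files (x86)\Browsers+_App+_Pro+\4206c1b9-7f67-4d25-b153-ccfd0f3858ef.exe <==== ATTENTION
"""

if __name__ == "__main__":
    for row in summarize(triage(SAMPLE_LOG)):
        print(row)
```

Two things the output makes visible that a plain read can miss: an unsigned, vendor-less service (the HP SimplePass cache server here) is flagged for review but is not by itself evidence of infection, so each "unsigned"/"no_vendor" hit still needs a hash or path check before it goes into a fixlist; and the two TEMP./.bak hits explain why the scan ran from C:\Users\TEMP.hp.001 rather than the son's own profile, which is worth fixing separately from the adware removal.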


#2 nasdaq (Malware Response Team, 38,592 posts, Montreal, QC. Canada)

Posted 01 May 2017 - 08:41 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can, please print this topic; it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

Remove these programs in bold via the Control Panel > Programs > Programs and Features.
MySafeProxy for Internet Explorer (HKLM-x32\...\{2535ED3F-5ADD-4A65-B07F-82F04C7358E7}) (Version: 1.0.6 - XTRM Group Ltd.) <==== ATTENTION
WSE_Astromenda (HKLM-x32\...\WSE_Astromenda) (Version: - WSE_Astromenda) <==== ATTENTION

Press the Windows key + R on your keyboard at the same time. This will open the RUN BOX.
Type Notepad and click the OK key.

Please copy the entire contents of the code box below to a new file.
 
Start

CreateRestorePoint:
EmptyTemp:
CloseProcesses:


Task: {98C9DC0B-2028-4061-A8B3-E15CFC2FFE98} - \Super Optimizer Schedule -> No File <==== ATTENTION
Task: {F732CE60-FA5B-491E-B138-EBE247504199} - System32\Tasks\82f54e25-a34c-4d43-98b1-6d7cdead9c44 => C:\Program Files (x86)\Browsers+_App+_Pro+\82f54e25-a34c-4d43-98b1-6d7cdead9c44.exe  <==== ATTENTION
Task: C:\Windows\Tasks\3b201a1f-0963-435d-87a1-284df6fe6258.job => C:\Program Files (x86)\HD-Quality-v3V06.10\3b201a1f-0963-435d-87a1-284df6fe6258.exe ?/agentregpath='HD-Quality-v3V06.10' /appid=61762 /srcid='002027' /subid='0' /zdata='0' /bic=C0B68A90A8B24D948860C7864E2F3E4FIE /verifier=283c06c7a07ea5030038025285ef1b37 /installerversion=1_35_09_29 /installationtime=1412612264 /statsdomain=hxxp:/stats.newdatastatsserv.com /errorsdomain=hxxp:/errors.newdatastatsserv.com /exten... (long line)
Task: C:\Windows\Tasks\4206c1b9-7f67-4d25-b153-ccfd0f3858ef.job => C:\Program Files (x86)\Browsers+_App+_Pro+\4206c1b9-7f67-4d25-b153-ccfd0f3858ef.exe ?/agentregpath='Browsers+_App+_Pro+' /appid=65055 /srcid='002142' /subid='0' /zdata='0' /bic=221E93E67911432A9A1BB5447B3CEC34IE /verifier=81a7db28a0fe093751143a2e477fb7c5 /installerversion=1_35_09_29 /installationtime=1412272114 /statsdomain=hxxp:/stats.newdatastatsserv.com /errorsdomain=hxxp:/errors.newdatastatsserv.com /exten... (long line)
Task: C:\Windows\Tasks\7a89805e-b086-4de1-ba8d-802260e021cb.job => C:\Program Files (x86)\HD-Quality-v3V06.10\7a89805e-b086-4de1-ba8d-802260e021cb.exe <==== ATTENTION
Task: C:\Windows\Tasks\82f54e25-a34c-4d43-98b1-6d7cdead9c44.job => C:\Program Files (x86)\Browsers+_App+_Pro+\82f54e25-a34c-4d43-98b1-6d7cdead9c44.exe <==== ATTENTION
Task: C:\Windows\Tasks\BDMTGMH.job => C:\Users\user\AppData\Roaming\BDMTGMH.exe <==== ATTENTION
Task: C:\Windows\Tasks\KEXMK.job => C:\Users\user\AppData\Roaming\KEXMK.exe <==== ATTENTION
AlternateDataStreams: C:\ProgramData\Temp:373E1720 [118]
FirewallRules: [{6AC17092-8983-4CA2-8EE1-9E8E532A3FC9}] => (Allow) C:\Program Files (x86)\Movies App\Datamngr\SRTOOL~1\IE\dtuser.exe
FirewallRules: [{505196F5-0DAA-40C2-B881-E984B8750632}] => (Allow) C:\Program Files (x86)\Movies App\Datamngr\SRTOOL~1\IE\dtuser.exe
FirewallRules: [{3388621C-0316-4D37-95D5-0D571E56910E}] => (Allow) C:\Program Files (x86)\mystarttb\dtuser.exe
FirewallRules: [{2A970DC4-DC2F-434C-BDBA-BE67D3338711}] => (Allow) C:\Program Files (x86)\mystarttb\dtuser.exe
FirewallRules: [{D47A1606-F054-43A2-AB31-3336CD4E8DE3}] => (Allow) C:\Program Files (x86)\mystarttb\ToolbarCleaner.exe
FirewallRules: [{F0B60C86-7341-46C7-AE53-F4ABEBE433BE}] => (Allow) C:\Program Files (x86)\mystarttb\ToolbarCleaner.exe
FirewallRules: [{06988048-5074-41AA-8B23-A4C771A005A3}] => (Allow) C:\Program Files (x86)\YouTube Downloader Services\P4\youtubeserv.exe
FirewallRules: [{F7B64DB2-BCDD-4399-A998-33700B0FB637}] => (Allow) C:\Program Files (x86)\YouTube Downloader Services\P4\powermgr.exe
C:\Program Files (x86)\Movies App\Datamngr
C:\Program Files (x86)\mystarttb
C:\Program Files (x86)\YouTube Downloader Services
C:\Users\user\AppData\Roaming\BDMTGMH.exe
C:\Users\user\AppData\Roaming\KEXMK.exe
C:\Windows\Tasks\4206c1b9-7f67-4d25-b153-ccfd0f3858ef.job
C:\Windows\Tasks\82f54e25-a34c-4d43-98b1-6d7cdead9c44.job
RemoveProxy:

End
Save the file as fixlist.txt in the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the Farbar log you have submitted.

Run FRST and click Fix only once and wait.

The tool will create a log (Fixlog.txt) please post it to your reply.
===

Reset Chrome...
Open Google Chrome, click on the menu icon which is located at the top right side of Google Chrome.
 
Click "Settings" then "Show advanced settings" at the bottom of the screen.
 
Click "Reset browser settings" button.
 
Restart Chrome.

Please let me know what problem persists with this computer.

#3 micklee34

micklee34
  • Topic Starter

  • Members
  • 19 posts
  • OFFLINE
  •  
  • Local time:08:35 PM

Posted 02 May 2017 - 01:18 PM

Hi Nasdaq,

 

Thank you so much for the fast response to my post.

 

I've removed the programs and run the fixlist from FRST, it asked me to restart and now I can't find the Download location the FRST.exe was sitting in, which means I can't retrieve the log to post here. Sorry, I forgot it had logged me into a temp profile.

 

That said, the fix enabled me to log in to my son's actual profile showing his desktop and files. The only thing that is still an issue is that it won't carry out a Windows update.

 

Thanks for your help.

 

Regards

 

Mick



#4 nasdaq

nasdaq

  • Malware Response Team
  • 38,592 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:04:35 PM

Posted 03 May 2017 - 06:47 AM

 
 
 
Download the version of this tool for your operating system on the Desktop of the good profile, and save it to a folder on your computer's Desktop.
Double-click to run it. When the tool opens click Yes to disclaimer.
Press Scan button.
It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
The first time the tool is run, it makes also another log (Addition.txt). Please attach it to your reply.
 
How to attach a file to your reply:
In the Reply section at the bottom of the topic, click the "More Reply Options" button.
 
Attach the file.
Select "Choose a File" and navigate to the location of the file.
Click the file you wish to Attach.
Click Attach this file.
Click the Add reply button.
===
 
 
Please post the logs for my review.
 
Will take it from there.


#5 micklee34

micklee34
  • Topic Starter

  • Members
  • 19 posts
  • OFFLINE
  •  
  • Local time:08:35 PM

Posted 03 May 2017 - 02:05 PM

Thanks again Nasdaq.

 

Here is the log and file attached.

 

Kind regards

 

Mick

 

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 03-05-2017 01
Ran by user (administrator) on HP (03-05-2017 20:01:09)
Running from C:\Users\user\Downloads
Loaded Profiles: user (Available Profiles: user)
Platform: Windows 8.1 (Update) (X64) Language: English (United Kingdom)
Internet Explorer Version 11 (Default browser: Chrome)
Boot Mode: Normal
 
==================== Processes (Whitelisted) =================
 
(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)
 
() C:\Program Files\Hewlett-Packard\SimplePass\cachesrvr.exe
(Softex Inc.) C:\Program Files\Hewlett-Packard\SimplePass\OmniServ.exe
(AMD) C:\Windows\System32\atiesrxx.exe
(AMD) C:\Windows\System32\atieclxx.exe
(Hewlett-Packard Company) C:\Windows\System32\hpservice.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RTKAUDIOSERVICE64.EXE
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe
(AVAST Software) C:\Program Files\AVAST Software\Avast\AvastSvc.exe
() C:\Program Files\ATI Technologies\ATI.ACE\a4\AdaptiveSleepService.exe
(Advanced Micro Devices, Inc.) C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe
(Apple Inc.) C:\Program Files\Bonjour\mDNSResponder.exe
(Nuance Communications, Inc.) C:\Program Files (x86)\Nuance\Dragon Notes\Core\DACore.exe
(Hewlett-Packard Development Company, L.P.) C:\Program Files (x86)\Hewlett-Packard\HP System Event\HPWMISVC.exe
(Malwarebytes) C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe
(AVAST Software s.r.o.) C:\Program Files\AVAST Software\Avast\x64\aswidsagenta.exe
(Hewlett-Packard Company) C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\HPSA_Service.exe
(Synaptics Incorporated) C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
(Synaptics Incorporated) C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
() C:\Program Files\Hewlett-Packard\SimplePass\opvapp.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe
(Hewlett-Packard) C:\Program Files\Hewlett-Packard\SimplePass\HPSmplPass.exe
(Hewlett-Packard) C:\Program Files\Hewlett-Packard\SimplePass\OPBHOBroker.exe
(Hewlett-Packard) C:\Program Files\Hewlett-Packard\SimplePass\OPBHOBrokerDsktop.exe
(Malwarebytes) C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe
(AVAST Software) C:\Program Files\AVAST Software\Avast\AvastUI.exe
(CyberLink Corp.) C:\Program Files (x86)\CyberLink\YouCam\YouCamService.exe
(Hewlett-Packard Company) C:\Program Files (x86)\Hewlett-Packard\HP 3D DriveGuard\AccelerometerSt.exe
(Hewlett-Packard Development Company, L.P.) C:\Program Files (x86)\Hewlett-Packard\HP System Event\HPMSGSVC.exe
(CyberLink) C:\Program Files (x86)\CyberLink\Power2Go8\CLMLSvc_P2G8.exe
(Hewlett-Packard Development Company, L.P.) C:\Program Files (x86)\Hewlett-Packard\HP CoolSense\CoolSense.exe
(Hewlett-Packard Company) C:\Program Files (x86)\Hewlett-Packard\Shared\hpqwmiex.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Microsoft Corporation) C:\Windows\WinStore\WSHost.exe
(Microsoft Corporation) C:\Windows\System32\consent.exe
 
==================== Registry (Whitelisted) ====================
 
(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)
 
HKLM\...\Run: [RTHDVCPL] => C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe [7202520 2013-08-20] (Realtek Semiconductor)
HKLM\...\Run: [SimplePass] => C:\Program Files\Hewlett-Packard\SimplePass\HPSmplPass.exe [2758200 2013-10-14] (Hewlett-Packard)
HKLM\...\Run: [OPBHOBroker] => C:\Program Files\Hewlett-Packard\SimplePass\OPBHOBroker.exe [155704 2013-10-14] (Hewlett-Packard)
HKLM\...\Run: [OPBHOBrokerDesktop] => C:\Program Files\Hewlett-Packard\SimplePass\OPBHOBrokerDsktop.exe [155704 2013-10-14] (Hewlett-Packard)
HKLM\...\Run: [SynTPEnh] => C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [2771184 2013-07-26] (Synaptics Incorporated)
HKLM\...\Run: [Malwarebytes TrayApp] => C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\mbamtray.exe [2780112 2017-01-20] (Malwarebytes)
HKLM\...\Run: [AvastUI.exe] => C:\Program Files\AVAST Software\Avast\AvLaunch.exe [213824 2017-05-01] (AVAST Software)
HKLM-x32\...\Run: [StartCCC] => C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\amd64\CLIStart.exe [766208 2013-09-25] (Advanced Micro Devices, Inc.)
HKLM-x32\...\Run: [YouCam Service] => C:\Program Files (x86)\CyberLink\YouCam\YouCamService.exe [267224 2013-09-02] (CyberLink Corp.)
HKLM-x32\...\Run: [AccelerometerSysTrayApplet] => C:\Program Files (x86)\Hewlett-Packard\HP 3D DriveGuard\AccelerometerST.exe [126240 2014-02-13] (Hewlett-Packard Company)
HKLM-x32\...\Run: [HPMessageService] => C:\Program Files (x86)\Hewlett-Packard\HP System Event\HPMSGSVC.exe [475448 2014-03-26] (Hewlett-Packard Development Company, L.P.)
ShellIconOverlayIdentifiers: [00asw] -> {472083B0-C522-11CF-8763-00608CC02F24} => C:\Program Files\AVAST Software\Avast\ashShA64.dll [2017-05-01] (AVAST Software)
ShellIconOverlayIdentifiers: [00avast] -> {472083B0-C522-11CF-8763-00608CC02F24} => C:\Program Files\AVAST Software\Avast\ashShA64.dll [2017-05-01] (AVAST Software)
CHR HKLM\SOFTWARE\Policies\Google: Restriction <======= ATTENTION
 
==================== Internet (Whitelisted) ====================
 
(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)
 
Tcpip\Parameters: [DhcpNameServer] 192.168.0.1
Tcpip\..\Interfaces\{65560BC5-8E7E-494C-8494-CDA0B4F31B92}: [DhcpNameServer] 40.22.1.201 40.22.1.203
Tcpip\..\Interfaces\{A4334A66-76FD-41B6-B963-6C23D89F53B1}: [DhcpNameServer] 192.168.0.1
 
Internet Explorer:
==================
HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Start Page = about:blank
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Search Page = hxxps://uk.search.yahoo.com/yhs/search?type=avastbcl&hspart=avast&hsimp=yhs-001&p={searchTerms}
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://g.uk.msn.com/HPNOT14/2
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Page_URL = 
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Search_URL = 
HKU\S-1-5-21-3681891341-1149350563-342323943-1002\Software\Microsoft\Internet Explorer\Main,Search Page = hxxps://uk.search.yahoo.com/yhs/search?type=avastbcl&hspart=avast&hsimp=yhs-001&p={searchTerms}
SearchScopes: HKLM -> {2E00D31D-D171-423D-836D-1A4D7EA7F1A9} URL = 
SearchScopes: HKLM -> {D944BB61-2E34-4DBF-A683-47E505C587DC} URL = hxxp://rover.ebay.com/rover/1/710-29550-11896-25/4 ?mpre=http%3A%2F%2Fwww.ebay.com%2Fsch%2F%3F_nkw%3D{searchTerms}&keyword={searchTerms}
SearchScopes: HKLM -> {FDDCB575-7293-4848-8477-A979CFB7A874} URL = hxxp://www.amazon.co.uk/s/ref=azs_osd_ieauk?ie=UTF-8&tag=hp-uk3-vsb-21&link%5Fcode=qs&index=aps&field-keywords={searchTerms}
SearchScopes: HKLM-x32 -> DefaultScope {9CB96984-43C3-4D44-90EF-01466EFCF7BB} URL = hxxps://uk.search.yahoo.com/yhs/search?type=avastbcl&hspart=avast&hsimp=yhs-001&p={searchTerms}
SearchScopes: HKLM-x32 -> {9CB96984-43C3-4D44-90EF-01466EFCF7BB} URL = hxxps://uk.search.yahoo.com/yhs/search?type=avastbcl&hspart=avast&hsimp=yhs-001&p={searchTerms}
SearchScopes: HKLM-x32 -> {D944BB61-2E34-4DBF-A683-47E505C587DC} URL = hxxp://rover.ebay.com/rover/1/710-29550-11896-25/4 ?mpre=http%3A%2F%2Fwww.ebay.com%2Fsch%2F%3F_nkw%3D{searchTerms}&keyword={searchTerms}
SearchScopes: HKLM-x32 -> {FDDCB575-7293-4848-8477-A979CFB7A874} URL = hxxp://www.amazon.co.uk/s/ref=azs_osd_ieauk?ie=UTF-8&tag=hp-uk3-vsb-21&link%5Fcode=qs&index=aps&field-keywords={searchTerms}
BHO: avast! Online Security -> {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} -> C:\Program Files\AVAST Software\Avast\aswWebRepIE64.dll [2017-05-01] (AVAST Software)
BHO: MyAdGuardian Plugin -> {D9D6CFA3-2880-47D4-A001-FA4E6308C350} -> C:\Program Files (x86)\DotAds International\MyAdGuardian\Bin\MyAdGuardian64.dll [2014-10-28] (DotAds International)
BHO: HP Network Check Helper -> {E76FD755-C1BA-4DCB-9F13-99BD91223ADE} -> C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\Resources\HPNetworkCheck\HPNetworkCheckPluginx64.dll [2013-08-28] (Hewlett-Packard)
BHO-x32: avast! Online Security -> {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} -> C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll [2017-05-01] (AVAST Software)
BHO-x32: MyAdGuardian Plugin -> {D9D6CFA3-2880-47D4-A001-FA4E6308C350} -> C:\Program Files (x86)\DotAds International\MyAdGuardian\Bin\MyAdGuardian32.dll [2014-10-28] (DotAds International)
BHO-x32: HP Network Check Helper -> {E76FD755-C1BA-4DCB-9F13-99BD91223ADE} -> C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\Resources\HPNetworkCheck\HPNetworkCheckPlugin.dll [2013-08-28] (Hewlett-Packard)
StartMenuInternet: IEXPLORE.EXE - iexplore.exe
 
FireFox:
========
FF HKLM-x32\...\Firefox\Extensions: [{b9bfaf1c-a63f-47cd-0829-29526ced3667}] - C:\Program Files (x86)\Mozilla Firefox\extension\\getvideosoft.xpi
FF Extension: (YouTube Downloader and Converter) - C:\Program Files (x86)\Mozilla Firefox\extension\\getvideosoft.xpi [2014-09-08] [not signed]
FF HKLM-x32\...\Mozilla Firefox 30.0\Extensions: [{b9bfaf1c-a63f-47cd-0829-29526ced3667}] - C:\Program Files (x86)\Mozilla Firefox\extension\\getvideosoft.xpi
FF Plugin-x32: @adobe.com/ShockwavePlayer -> C:\Windows\SysWOW64\Adobe\Director\np32dsw_1228198.dll [2017-02-27] (Adobe Systems, Inc.)
FF Plugin-x32: @microsoft.com/WLPG,version=16.4.3508.0205 -> C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll [2013-02-05] (Microsoft Corporation)
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.33.5\npGoogleUpdate3.dll [2017-05-01] (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.33.5\npGoogleUpdate3.dll [2017-05-01] (Google Inc.)
FF Plugin-x32: @videolan.org/vlc,version=2.1.5 -> C:\Program Files (x86)\VideoLAN\VLC\npvlc.dll [2016-06-01] (VideoLAN)
FF Plugin-x32: @videolan.org/vlc,version=2.2.4 -> C:\Program Files (x86)\VideoLAN\VLC\npvlc.dll [2016-06-01] (VideoLAN)
 
Chrome: 
=======
CHR DefaultProfile: Default
CHR Profile: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default [2017-05-03]
CHR Extension: (Avast Online Security) - C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\gomekmidlodglbbmalcneegieacbdmki [2017-05-01]
CHR Extension: (Chrome Web Store Payments) - C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2017-05-01]
CHR Extension: (Chrome Media Router) - C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm [2017-05-02]
CHR HKLM-x32\...\Chrome\Extension: [gomekmidlodglbbmalcneegieacbdmki] - hxxps://clients2.google.com/service/update2/crx
 
==================== Services (Whitelisted) ====================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
R2 AdaptiveSleepService; C:\Program Files\ATI Technologies\ATI.ACE\A4\AdaptiveSleepService.exe [99328 2013-09-25] () [File not signed]
R2 AMD FUEL Service; C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe [344064 2013-09-25] (Advanced Micro Devices, Inc.) [File not signed]
R3 aswbIDSAgent; C:\Program Files\AVAST Software\Avast\x64\aswidsagenta.exe [7398336 2017-05-01] (AVAST Software s.r.o.)
R2 avast! Antivirus; C:\Program Files\AVAST Software\Avast\AvastSvc.exe [261712 2017-05-01] (AVAST Software)
R2 Cachedrv server; C:\Program Files\Hewlett-Packard\SimplePass\cachesrvr.exe [109568 2013-10-14] () [File not signed]
R2 DACoreService; C:\Program Files (x86)\Nuance\Dragon Notes\Core\DACore.exe [411024 2013-02-01] (Nuance Communications, Inc.)
R2 HPWMISVC; c:\Program Files (x86)\Hewlett-Packard\HP System Event\HPWMISVC.exe [469304 2014-03-26] (Hewlett-Packard Development Company, L.P.)
R2 MBAMService; C:\Program Files\Malwarebytes\Anti-Malware\mbamservice.exe [4355024 2017-01-20] (Malwarebytes)
R2 omniserv; C:\Program Files\Hewlett-Packard\SimplePass\OmniServ.exe [87552 2013-10-14] (Softex Inc.) [File not signed]
R2 RtkAudioService; C:\Program Files\Realtek\Audio\HDA\RtkAudioService64.exe [246488 2013-06-19] (Realtek Semiconductor)
S3 WdNisSvc; C:\Program Files\Windows Defender\NisSrv.exe [368632 2014-09-22] (Microsoft Corporation)
S2 WinDefend; C:\Program Files\Windows Defender\MsMpEng.exe [23792 2014-09-22] (Microsoft Corporation)
 
===================== Drivers (Whitelisted) ======================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
R3 AmdAS4; C:\Windows\System32\drivers\AmdAS4.sys [17504 2013-02-07] (Advanced Micro Devices, INC.)
R1 aswbidsdriver; C:\Windows\system32\drivers\aswbidsdrivera.sys [307736 2017-05-01] (AVAST Software s.r.o.)
R0 aswbidsh; C:\Windows\system32\drivers\aswbidsha.sys [189768 2017-05-01] (AVAST Software s.r.o.)
R0 aswblog; C:\Windows\system32\drivers\aswbloga.sys [334088 2017-05-01] (AVAST Software s.r.o.)
R0 aswbuniv; C:\Windows\system32\drivers\aswbuniva.sys [48528 2017-05-01] (AVAST Software s.r.o.)
S3 aswHwid; C:\Windows\system32\drivers\aswHwid.sys [38296 2017-05-01] (AVAST Software)
R1 aswKbd; C:\Windows\system32\drivers\aswKbd.sys [32600 2017-05-01] (AVAST Software)
R2 aswMonFlt; C:\Windows\system32\drivers\aswMonFlt.sys [128648 2017-05-01] (AVAST Software)
R1 aswRdr; C:\Windows\system32\drivers\aswRdr2.sys [101152 2017-05-01] (AVAST Software)
R0 aswRvrt; C:\Windows\system32\drivers\aswRvrt.sys [75704 2017-05-01] (AVAST Software)
R1 aswSnx; C:\Windows\system32\drivers\aswSnx.sys [1005048 2017-05-01] (AVAST Software)
R1 aswSP; C:\Windows\system32\drivers\aswSP.sys [556784 2017-05-01] (AVAST Software)
R2 aswStm; C:\Windows\system32\drivers\aswStm.sys [164064 2017-05-01] (AVAST Software)
R0 aswVmm; C:\Windows\system32\drivers\aswVmm.sys [339696 2017-05-01] (AVAST Software)
R3 AtiHDAudioService; C:\Windows\system32\drivers\AtihdWB6.sys [138240 2013-06-23] (Advanced Micro Devices)
R1 CLVirtualDrive; C:\Windows\system32\DRIVERS\CLVirtualDrive.sys [91712 2013-03-05] (CyberLink)
R3 MBAMSwissArmy; C:\Windows\system32\drivers\MBAMSwissArmy.sys [251832 2017-05-02] (Malwarebytes)
R3 RSP2STOR; C:\Windows\system32\DRIVERS\RtsP2Stor.sys [290008 2013-07-05] (Realtek Semiconductor Corp.)
R3 RTWlanE; C:\Windows\system32\DRIVERS\rtwlane.sys [2945240 2013-09-12] (Realtek Semiconductor Corporation                           )
R3 RTWlanE; C:\Windows\SysWOW64\DRIVERS\rtwlane.sys [2945240 2013-09-12] (Realtek Semiconductor Corporation                           )
S3 SmbDrv; C:\Windows\System32\drivers\Smb_driver_AMDASF.sys [30448 2013-07-26] (Synaptics Incorporated)
S3 SmbDrvI; C:\Windows\System32\drivers\Smb_driver_Intel.sys [34544 2013-07-26] (Synaptics Incorporated)
S3 WdBoot; C:\Windows\system32\drivers\WdBoot.sys [35320 2014-09-22] (Microsoft Corporation)
S3 WdFilter; C:\Windows\system32\drivers\WdFilter.sys [258368 2014-09-22] (Microsoft Corporation)
S3 WdNisDrv; C:\Windows\System32\Drivers\WdNisDrv.sys [114496 2014-09-22] (Microsoft Corporation)
R3 WirelessButtonDriver; C:\Windows\System32\drivers\WirelessButtonDriver64.sys [30384 2015-06-23] (HP Inc.)
 
==================== NetSvcs (Whitelisted) ===================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
 
==================== One Month Created files and folders ========
 
(If an entry is included in the fixlist, the file/folder will be moved.)
 
2017-05-03 20:01 - 2017-05-03 20:01 - 00016148 _____ C:\Users\user\Downloads\FRST.txt
2017-05-03 19:58 - 2017-05-03 19:58 - 02428928 _____ (Farbar) C:\Users\user\Downloads\FRST64.exe
2017-05-02 19:25 - 2017-05-02 19:25 - 00000000 __SHD C:\Users\user\AppData\LocalLow\EmieBrowserModeList
2017-05-02 19:25 - 2017-05-02 19:25 - 00000000 __SHD C:\Users\user\AppData\Local\EmieBrowserModeList
2017-05-01 11:17 - 2017-05-03 20:01 - 00000000 ____D C:\FRST
2017-05-01 11:06 - 2017-05-01 11:07 - 00220734 _____ C:\TDSSKiller.3.1.0.15_01.05.2017_11.06.01_log.txt
2017-05-01 11:05 - 2017-05-01 11:05 - 00008038 _____ C:\TDSSKiller.3.1.0.15_01.05.2017_11.05.27_log.txt
2017-05-01 11:03 - 2017-05-02 18:59 - 00000000 ____D C:\Users\TEMP.hp.001
2017-05-01 11:03 - 2017-05-02 18:57 - 00003898 _____ C:\Windows\System32\Tasks\User_Feed_Synchronization-{5CC9E8B6-ACB5-4C9C-98F2-705A74EC06D1}
2017-05-01 08:50 - 2017-05-01 08:50 - 00003898 _____ C:\Windows\System32\Tasks\User_Feed_Synchronization-{8CC93745-EE91-4A30-BBAE-B51C49EF5D49}
2017-05-01 08:45 - 2017-05-01 08:45 - 00003898 _____ C:\Windows\System32\Tasks\User_Feed_Synchronization-{2CF630E2-BAF8-4B78-918D-8FD7BB5A8ADD}
2017-05-01 08:11 - 2017-05-01 08:14 - 00003898 _____ C:\Windows\System32\Tasks\User_Feed_Synchronization-{9C475F79-64C0-4FFE-9051-EDEC0F9BF50B}
2017-05-01 08:10 - 2017-05-01 08:42 - 00000000 ____D C:\Users\TEMP.hp.000
2017-05-01 08:10 - 2017-05-01 08:15 - 00876192 _____ C:\TDSSKiller.3.1.0.15_01.05.2017_08.10.55_log.txt
2017-05-01 08:07 - 2017-05-01 08:08 - 00221546 _____ C:\TDSSKiller.3.1.0.15_01.05.2017_08.07.25_log.txt
2017-05-01 08:04 - 2017-05-01 08:03 - 00399944 _____ (AVAST Software) C:\Windows\system32\aswBoot.exe
 
==================== One Month Modified files and folders ========
 
(If an entry is included in the fixlist, the file/folder will be moved.)
 
2017-05-03 20:00 - 2014-07-26 11:43 - 00003898 _____ C:\Windows\System32\Tasks\User_Feed_Synchronization-{D10F2B34-112C-4EDA-875F-A1C57E077C76}
2017-05-02 19:48 - 2014-07-26 11:48 - 00003596 _____ C:\Windows\System32\Tasks\Optimize Start Menu Cache Files-S-1-5-21-3681891341-1149350563-342323943-1002
2017-05-02 19:47 - 2013-08-22 16:36 - 00000000 ___HD C:\Program Files\WindowsApps
2017-05-02 19:47 - 2013-08-22 16:36 - 00000000 ____D C:\Windows\AppReadiness
2017-05-02 19:33 - 2014-07-26 11:44 - 00000000 ____D C:\Users\user\Documents\Youcam
2017-05-02 19:31 - 2013-08-26 07:09 - 00956476 _____ C:\Windows\system32\PerfStringBackup.INI
2017-05-02 19:31 - 2013-08-22 14:36 - 00000000 ____D C:\Windows\Inf
2017-05-02 19:27 - 2017-03-14 11:34 - 00251832 _____ (Malwarebytes) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
2017-05-02 19:27 - 2013-08-22 15:45 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2017-05-02 19:09 - 2014-08-17 10:57 - 00000000 ____D C:\Users\user\AppData\Local\Google
2017-05-01 13:50 - 2014-08-17 10:57 - 00003330 _____ C:\Windows\System32\Tasks\GoogleUpdateTaskMachineUA
2017-05-01 13:50 - 2014-08-17 10:57 - 00003202 _____ C:\Windows\System32\Tasks\GoogleUpdateTaskMachineCore
2017-05-01 12:04 - 2017-03-14 11:34 - 00077440 _____ C:\Windows\system32\Drivers\mbae64.sys
2017-05-01 11:33 - 2014-08-17 10:54 - 00000000 ____D C:\ProgramData\AVAST Software
2017-05-01 09:41 - 2014-10-06 16:14 - 00000000 ____D C:\ProgramData\Browser
2017-05-01 09:16 - 2015-01-10 19:25 - 00000000 ____D C:\Program Files (x86)\Software Update Services
2017-05-01 08:43 - 2013-08-22 14:25 - 00262144 ___SH C:\Windows\system32\config\BBI
2017-05-01 08:35 - 2014-07-29 16:32 - 00000000 ____D C:\Program Files (x86)\Java
2017-05-01 08:35 - 2013-09-01 04:49 - 00000000 ____D C:\SWSetup
2017-05-01 08:30 - 2013-10-17 20:30 - 00000000 ____D C:\Program Files (x86)\Hewlett-Packard
2017-05-01 08:10 - 2017-03-14 12:48 - 00003880 _____ C:\Windows\System32\Tasks\SafeZone scheduled Autoupdate 1489492068
2017-05-01 08:10 - 2017-03-14 12:47 - 00001066 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Avast SafeZone Browser.lnk
2017-05-01 08:07 - 2014-08-17 10:58 - 00002182 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome.lnk
2017-05-01 08:04 - 2017-03-14 12:46 - 00003914 _____ C:\Windows\System32\Tasks\Avast Emergency Update
2017-05-01 08:04 - 2017-03-14 12:45 - 00556784 _____ (AVAST Software) C:\Windows\system32\Drivers\aswsp.sys
2017-05-01 08:04 - 2017-03-14 12:45 - 00128648 _____ (AVAST Software) C:\Windows\system32\Drivers\aswmonflt.sys
2017-05-01 08:03 - 2017-03-14 12:45 - 01005048 _____ (AVAST Software) C:\Windows\system32\Drivers\aswSnx.sys
2017-05-01 08:03 - 2017-03-14 12:45 - 00556784 _____ (AVAST Software) C:\Windows\system32\Drivers\aswsp.sys.149362228320307
2017-05-01 08:03 - 2017-03-14 12:45 - 00339696 _____ (AVAST Software) C:\Windows\system32\Drivers\aswVmm.sys
2017-05-01 08:03 - 2017-03-14 12:45 - 00334088 _____ (AVAST Software s.r.o.) C:\Windows\system32\Drivers\aswbloga.sys
2017-05-01 08:03 - 2017-03-14 12:45 - 00307736 _____ (AVAST Software s.r.o.) C:\Windows\system32\Drivers\aswbidsdrivera.sys
2017-05-01 08:03 - 2017-03-14 12:45 - 00189768 _____ (AVAST Software s.r.o.) C:\Windows\system32\Drivers\aswbidsha.sys
2017-05-01 08:03 - 2017-03-14 12:45 - 00164064 _____ (AVAST Software) C:\Windows\system32\Drivers\aswStm.sys
2017-05-01 08:03 - 2017-03-14 12:45 - 00127112 _____ (AVAST Software) C:\Windows\system32\Drivers\aswmonflt.sys.149362228320307
2017-05-01 08:03 - 2017-03-14 12:45 - 00101152 _____ (AVAST Software) C:\Windows\system32\Drivers\aswRdr2.sys
2017-05-01 08:03 - 2017-03-14 12:45 - 00075704 _____ (AVAST Software) C:\Windows\system32\Drivers\aswRvrt.sys
2017-05-01 08:03 - 2017-03-14 12:45 - 00048528 _____ (AVAST Software s.r.o.) C:\Windows\system32\Drivers\aswbuniva.sys
2017-05-01 08:03 - 2017-03-14 12:45 - 00038296 _____ (AVAST Software) C:\Windows\system32\Drivers\aswHwid.sys
2017-05-01 08:03 - 2017-03-14 12:45 - 00032600 _____ (AVAST Software) C:\Windows\system32\Drivers\aswKbd.sys
 
==================== Files in the root of some directories =======
 
2014-09-01 09:18 - 2014-09-01 09:18 - 0002086 _____ () C:\Users\user\AppData\Roaming\BDMTGMH
2014-09-01 09:18 - 2014-09-01 09:18 - 0001248 _____ () C:\Users\user\AppData\Roaming\KEXMK
2014-09-01 09:18 - 2014-09-01 09:18 - 0002086 _____ () C:\Users\user\AppData\Roaming\RADCPJ
2014-09-01 09:18 - 2014-09-01 09:18 - 0001248 _____ () C:\Users\user\AppData\Roaming\VLKXYSBS
2014-09-29 18:58 - 2014-10-18 15:08 - 0000107 _____ () C:\Users\user\AppData\Roaming\WB.CFG
 
==================== Bamital & volsnap ======================
 
(There is no automatic fix for files that do not pass verification.)
 
C:\Windows\system32\winlogon.exe => File is digitally signed
C:\Windows\system32\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\system32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\system32\services.exe => File is digitally signed
C:\Windows\system32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\system32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\system32\rpcss.dll => File is digitally signed
C:\Windows\system32\dnsapi.dll => File is digitally signed
C:\Windows\SysWOW64\dnsapi.dll => File is digitally signed
C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed
 
LastRegBack: 2017-03-14 13:15
 
==================== End of FRST.txt ============================


#6 nasdaq

nasdaq

  • Malware Response Team
  • 38,592 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:04:35 PM

Posted 04 May 2017 - 07:20 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

Remove these programs in bold via the Control Panel > Programs > Programs and Features.

MySafeProxy for Internet Explorer (HKLM-x32\...\{2535ED3F-5ADD-4A65-B07F-82F04C7358E7}) (Version: 1.0.6 - XTRM Group Ltd.) <==== ATTENTION
PDF Creator (HKLM\...\PDF Creator) (Version: - )
Pdf Creator Packages (HKU\S-1-5-21-3681891341-1149350563-342323943-1002\...\Pdf Creator Packages) (Version: - ) <==== ATTENTION
PepperZip 1.0 (HKLM-x32\...\PepperZip) (Version: 1.0 - PepperWare Co.) <==== ATTENTION
===

Press the Windows key + R on your keyboard at the same time. This will open the RUN BOX.
Type Notepad and click the OK key.
Please copy the entire contents of the code box below to a new file.
 
start

CreateRestorePoint:
EmptyTemp:
CloseProcesses:

CHR HKLM\SOFTWARE\Policies\Google: Restriction <======= ATTENTION
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Search Page = hxxps://uk.search.yahoo.com/yhs/search?type=avastbcl&hspart=avast&hsimp=yhs-001&p={searchTerms}
HKU\S-1-5-21-3681891341-1149350563-342323943-1002\Software\Microsoft\Internet Explorer\Main,Search Page = hxxps://uk.search.yahoo.com/yhs/search?type=avastbcl&hspart=avast&hsimp=yhs-001&p={searchTerms}
SearchScopes: HKLM -> {2E00D31D-D171-423D-836D-1A4D7EA7F1A9} URL =
SearchScopes: HKLM-x32 -> DefaultScope {9CB96984-43C3-4D44-90EF-01466EFCF7BB} URL = hxxps://uk.search.yahoo.com/yhs/search?type=avastbcl&hspart=avast&hsimp=yhs-001&p={searchTerms}
SearchScopes: HKLM-x32 -> {9CB96984-43C3-4D44-90EF-01466EFCF7BB} URL = hxxps://uk.search.yahoo.com/yhs/search?type=avastbcl&hspart=avast&hsimp=yhs-001&p={searchTerms}
CHR Extension: (Avast Online Security) - C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\gomekmidlodglbbmalcneegieacbdmki [2017-05-01]
CHR Extension: (Chrome Web Store Payments) - C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2017-05-01]
CHR Extension: (Chrome Media Router) - C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm [2017-05-02]
CHR HKLM-x32\...\Chrome\Extension: [gomekmidlodglbbmalcneegieacbdmki] - hxxps://clients2.google.com/service/update2/crx
Task: {1738E979-E26E-4462-AE46-F4C3289DCC57} - System32\Tasks\4206c1b9-7f67-4d25-b153-ccfd0f3858ef => C:\Program Files (x86)\Browsers+_App+_Pro+\4206c1b9-7f67-4d25-b153-ccfd0f3858ef.exe  <==== ATTENTION
C:\Program Files (x86)\Browsers+_App+_Pro+
C:\Users\user\AppData\Roaming\BDMTGMH
C:\Users\user\AppData\Roaming\KEXMK
C:\Users\user\AppData\Roaming\RADCPJ
C:\Users\user\AppData\Roaming\VLKXYSBS
C:\Users\user\AppData\Roaming\WB.CFG

End
Save the file as fixlist.txt in the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the Farbar log you have submitted.

Run FRST and click Fix only once and wait.

The tool will create a log (Fixlog.txt) please post it to your reply.
===

Please post the Fixlog.txt and let me know what problem persists.

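The fixlist above is assembled by hand from the entries FRST flagged in the scan log. As an added example, not code from this thread or from the FRST tool, the following Python script produces that first draft automatically: it collects log lines carrying FRST's ATTENTION marker plus any Internet Explorer search-page entry pointing at a "yhs" redirect, separates out installed-program entries (which the helper had the user remove through Programs and Features rather than through the fixlist), and wraps the rest in start/End with the same housekeeping directives. The sample log lines are constructed from entries in this thread; the search-URL heuristic and the INSTALLED_PROGRAM pattern are assumptions for the example, and the output is a draft for an analyst to review before it goes anywhere near FRST.

```python
"""Draft an FRST fixlist from flagged scan-log lines (added example, not FRST's own code)."""
import re

# Housekeeping directives the helper placed at the top of the fixlist in the thread.
PREAMBLE = ["CreateRestorePoint:", "EmptyTemp:", "CloseProcesses:"]

# FRST marks suspicious entries with a trailing '<==== ATTENTION' (arrow length varies).
ATTENTION = re.compile(r"\s*<=+\s*ATTENTION\s*$")

# Search-page hijacks are not always flagged by FRST; the Yahoo 'yhs' partner redirect seen
# in the thread is matched explicitly. This URL heuristic is an assumption for the example.
HIJACKED_SEARCH = re.compile(r"Search Page = hxxps?://\S*/yhs/search", re.IGNORECASE)

# Installed-program lines are not removed by a fixlist; the thread had the user uninstall
# them via Programs and Features, so they are reported separately. Pattern is an assumption.
INSTALLED_PROGRAM = re.compile(r"\(HKLM[^)]*\) \(Version:")


def flagged_lines(log_text):
    """Return log lines that warrant a fix: FRST-flagged or matching the hijack heuristic."""
    return [line.rstrip() for line in log_text.splitlines()
            if ATTENTION.search(line) or HIJACKED_SEARCH.search(line)]


def draft_fixlist(log_text, extra_entries=()):
    """Build (fixlist_text, manual_uninstalls).

    fixlist_text is the content for fixlist.txt: 'start', the preamble, the flagged
    registry/task entries exactly as they appear in the log (FRST accepts the ATTENTION
    marker, as the thread's fixlist shows), any extra paths the analyst adds, then 'End'.
    manual_uninstalls lists flagged installed programs with the marker stripped.
    """
    fix_entries, manual = [], []
    for line in flagged_lines(log_text):
        if INSTALLED_PROGRAM.search(line):
            manual.append(ATTENTION.sub("", line))
        else:
            fix_entries.append(line)
    body = ["start", ""] + PREAMBLE + [""] + fix_entries + list(extra_entries) + ["", "End"]
    return "\n".join(body) + "\n", manual


# Constructed sample: a handful of lines taken from the thread's FRST log.
SAMPLE_LOG = r"""Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 30-04-2017
Running from C:\Users\TEMP.hp.001\Downloads
CHR HKLM\SOFTWARE\Policies\Google: Restriction <======= ATTENTION
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Search Page = hxxps://uk.search.yahoo.com/yhs/search?type=avastbcl&hspart=avast&hsimp=yhs-001&p={searchTerms}
CHR Extension: (Chrome Media Router) - C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm [2017-05-02]
Task: {1738E979-E26E-4462-AE46-F4C3289DCC57} - System32\Tasks\4206c1b9-7f67-4d25-b153-ccfd0f3858ef => C:\Program Files (x86)\Browsers+_App+_Pro+\4206c1b9-7f67-4d25-b153-ccfd0f3858ef.exe  <==== ATTENTION
PepperZip 1.0 (HKLM-x32\...\PepperZip) (Version: 1.0 - PepperWare Co.) <==== ATTENTION
"""

if __name__ == "__main__":
    fixlist, manual = draft_fixlist(SAMPLE_LOG, extra_entries=[r"C:\Users\user\AppData\Roaming\WB.CFG"])
    print(fixlist)
    print("Uninstall via Programs and Features:", manual)
```

The Chrome Media Router line is deliberately left out of the draft because nothing marks it: the point of the script is to surface what FRST and the URL heuristic flagged, and leave the judgement calls (the thread's helper also listed unflagged SearchScopes and extension folders) to the person reviewing the log.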
#7 micklee34

micklee34
  • Topic Starter

  • Members
  • 19 posts
  • OFFLINE
  • Local time:08:35 PM

Posted 04 May 2017 - 01:18 PM

Hi Nasdaq,

PepperZip 1.0 removed
PDF Creator removed
PDF Creator Packages removed

I can't seem to remove MySafeProxy for Internet Explorer. I get the following message:

The feature you are trying to use is on a network resource that is unavailable.

Click OK to try again, or enter an alternate path to a folder containing the installation package 'msp-latest.msi' in the box below.

I thought this had uninstalled the first time, sorry.

Thank you so much for your help.

Kind regards

Mick



#8 nasdaq

nasdaq

  • Malware Response Team
  • 38,592 posts
  • OFFLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:04:35 PM

Posted 04 May 2017 - 01:20 PM

If all is well.

To learn more about how to protect yourself while on the internet, read this little guide on best security practices to keep safe.
http://www.bleepingcomputer.com/forums/t/407147/answers-to-common-security-questions-best-practices/


https://www.bleepingcomputer.com/tutorials/keep-your-computer-safe-online/
Simple and easy ways to keep your computer safe and secure on the Internet.
===

#9 micklee34

micklee34
  • Topic Starter

  • Members
  • 19 posts
  • OFFLINE
  • Local time:08:35 PM

Posted 04 May 2017 - 01:48 PM

Hi Nasdaq,

Still can't remove MySafeProxy, but here's my Fixlog as requested. Thanks Mick.

Fix result of Farbar Recovery Scan Tool (x64) Version: 03-05-2017 01
Ran by user (04-05-2017 19:27:12) Run:2
Running from C:\Users\user\Downloads
Loaded Profiles: user (Available Profiles: user)
Boot Mode: Normal
==============================================
 
fixlist content:
*****************
start
 
CreateRestorePoint:
EmptyTemp:
CloseProcesses:
 
CHR HKLM\SOFTWARE\Policies\Google: Restriction <======= ATTENTION
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Search Page = hxxps://uk.search.yahoo.com/yhs/search?type=avastbcl&hspart=avast&hsimp=yhs-001&p={searchTerms}
HKU\S-1-5-21-3681891341-1149350563-342323943-1002\Software\Microsoft\Internet Explorer\Main,Search Page = hxxps://uk.search.yahoo.com/yhs/search?type=avastbcl&hspart=avast&hsimp=yhs-001&p={searchTerms}
SearchScopes: HKLM -> {2E00D31D-D171-423D-836D-1A4D7EA7F1A9} URL =
SearchScopes: HKLM-x32 -> DefaultScope {9CB96984-43C3-4D44-90EF-01466EFCF7BB} URL = hxxps://uk.search.yahoo.com/yhs/search?type=avastbcl&hspart=avast&hsimp=yhs-001&p={searchTerms}
SearchScopes: HKLM-x32 -> {9CB96984-43C3-4D44-90EF-01466EFCF7BB} URL = hxxps://uk.search.yahoo.com/yhs/search?type=avastbcl&hspart=avast&hsimp=yhs-001&p={searchTerms}
CHR Extension: (Avast Online Security) - C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\gomekmidlodglbbmalcneegieacbdmki [2017-05-01]
CHR Extension: (Chrome Web Store Payments) - C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2017-05-01]
CHR Extension: (Chrome Media Router) - C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm [2017-05-02]
CHR HKLM-x32\...\Chrome\Extension: [gomekmidlodglbbmalcneegieacbdmki] - hxxps://clients2.google.com/service/update2/crx
Task: {1738E979-E26E-4462-AE46-F4C3289DCC57} - System32\Tasks\4206c1b9-7f67-4d25-b153-ccfd0f3858ef => C:\Program Files (x86)\Browsers+_App+_Pro+\4206c1b9-7f67-4d25-b153-ccfd0f3858ef.exe  <==== ATTENTION
C:\Program Files (x86)\Browsers+_App+_Pro+
C:\Users\user\AppData\Roaming\BDMTGMH
C:\Users\user\AppData\Roaming\KEXMK
C:\Users\user\AppData\Roaming\RADCPJ
C:\Users\user\AppData\Roaming\VLKXYSBS
C:\Users\user\AppData\Roaming\WB.CFG
 
End
*****************
 
Restore point was successfully created.
Processes closed successfully.
HKLM\SOFTWARE\Policies\Google => key removed successfully
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main\\Search Page => value restored successfully
HKU\S-1-5-21-3681891341-1149350563-342323943-1002\Software\Microsoft\Internet Explorer\Main\\Search Page => value restored successfully
HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{2E00D31D-D171-423D-836D-1A4D7EA7F1A9} => key removed successfully
HKCR\CLSID\{2E00D31D-D171-423D-836D-1A4D7EA7F1A9} => key not found. 
HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => value restored successfully
HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\{9CB96984-43C3-4D44-90EF-01466EFCF7BB} => key removed successfully
HKCR\Wow6432Node\CLSID\{9CB96984-43C3-4D44-90EF-01466EFCF7BB} => key not found. 
C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\gomekmidlodglbbmalcneegieacbdmki => moved successfully
C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda => moved successfully
C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm => moved successfully
HKLM\SOFTWARE\Wow6432Node\Google\Chrome\Extensions\gomekmidlodglbbmalcneegieacbdmki => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon\{1738E979-E26E-4462-AE46-F4C3289DCC57} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{1738E979-E26E-4462-AE46-F4C3289DCC57} => key removed successfully
C:\Windows\System32\Tasks\4206c1b9-7f67-4d25-b153-ccfd0f3858ef => moved successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\4206c1b9-7f67-4d25-b153-ccfd0f3858ef => key removed successfully
"C:\Program Files (x86)\Browsers+_App+_Pro+" => not found.
C:\Users\user\AppData\Roaming\BDMTGMH => moved successfully
C:\Users\user\AppData\Roaming\KEXMK => moved successfully
C:\Users\user\AppData\Roaming\RADCPJ => moved successfully
C:\Users\user\AppData\Roaming\VLKXYSBS => moved successfully
C:\Users\user\AppData\Roaming\WB.CFG => moved successfully
 
=========== EmptyTemp: ==========
 
BITS transfer queue => 8388608 B
DOMStore, IE Recovery, AppCache, Feeds Cache, Thumbcache, IconCache => 12714353 B
Java, Flash, Steam htmlcache => 506 B
Windows/system/drivers => 1521154 B
Edge => 0 B
Chrome => 29381669 B
Firefox => 0 B
Opera => 0 B
 
Temp, IE cache, history, cookies, recent:
Default => 0 B
Users => 0 B
ProgramData => 0 B
Public => 0 B
systemprofile => 128 B
systemprofile32 => 0 B
LocalService => 1582 B
NetworkService => 0 B
user => 7485151 B
 
RecycleBin => 8964 B
EmptyTemp: => 56.7 MB temporary data Removed.
 
================================
 
 
The system needed a reboot.
 
==== End of Fixlog 19:28:07 ====


#10 nasdaq

nasdaq

  • Malware Response Team
  • 38,592 posts
  • OFFLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:04:35 PM

Posted 05 May 2017 - 07:56 AM

Still can't remove MySafeProxy, but here's my Fixlog as requested. Thanks Mick.
It was removed. The entry is still in the Program List. It's dead. Nothing can come of it.

----

If all is well.

To learn more about how to protect yourself while on the internet, read this little guide on best security practices to keep safe.
http://www.bleepingcomputer.com/forums/t/407147/answers-to-common-security-questions-best-practices/


https://www.bleepingcomputer.com/tutorials/keep-your-computer-safe-online/
Simple and easy ways to keep your computer safe and secure on the Internet.
===
