Windows Update No Longer Works


  • This topic is locked
11 replies to this topic

#1 k-j-m

  • Members
  • 22 posts

Posted 12 June 2018 - 08:04 PM

I have an Acer Aspire One "laptop" that has not been used for quite a while.

I am running Windows 7 Pro.

I wanted to apply all of the MS updates, but when attempting to do so, Windows Update seems to connect, but does not successfully obtain the updates.

What does appear to be happening is a LOT of disk activity, but nothing else. No progress bars. No estimated times, nothing useful.

I do suspect that there may have been some Malware on the machine at one point in time, but I thought it was removed long ago. Perhaps there are some remnants remaining?

Thanks!

FRST.txt

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 06.06.2018 01
Ran by Olga Monz (administrator) on OLGAMONZ-PC (12-06-2018 20:49:01)
Running from C:\Users\Olga Monz\Desktop
Loaded Profiles: Olga Monz (Available Profiles: Olga Monz & Administrator)
Platform: Microsoft Windows 7 Professional  Service Pack 1 (X86) Language: English (United States)
Internet Explorer Version 9 (Default browser: IE)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(Sophos Limited) C:\Program Files\Sophos\Sophos Anti-Virus\SavService.exe
(Intel Corporation) C:\Windows\System32\igfxtray.exe
(Intel Corporation) C:\Windows\System32\hkcmd.exe
(Intel Corporation) C:\Windows\System32\igfxpers.exe
(Sophos Limited) C:\Program Files\Sophos\AutoUpdate\ALMon.exe
(Intel Corporation) C:\Windows\System32\igfxsrvc.exe
(Sophos Limited) C:\Program Files\Sophos\Sophos Anti-Virus\SAVAdminService.exe
(Sophos Limited) C:\Program Files\Sophos\AutoUpdate\ALsvc.exe
(Sophos Limited) C:\Program Files\Sophos\Sophos Anti-Virus\Web Intelligence\swi_service.exe

==================== Registry (Whitelisted) ===========================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [BCSSync] => C:\Program Files\Microsoft Office\Office14\BCSSync.exe [91520 2010-03-13] (Microsoft Corporation)
HKLM\...\Run: [Sophos AutoUpdate Monitor] => C:\Program Files\Sophos\AutoUpdate\almon.exe [929272 2013-01-11] (Sophos Limited)
HKU\S-1-5-18\...\RunOnce: [SPReview] => "C:\Windows\System32\SPReview\SPReview.exe" /sp:1 /errorfwlink:"hxxp://go.microsoft.com/fwlink/?LinkID=122915" /build:7601
AppInit_DLLs: c:\progra~1\sophos\sophos~1\sophos~1.dll => c:\Program Files\Sophos\Sophos Anti-Virus\sophos_detoured.dll [221840 2012-09-21] (Sophos Limited)
HKLM\...\AppCertDlls: [x64] -> c:\program files\settings manager\smdmf\x64\sysapcrt.dll
GroupPolicy: Restriction - Chrome <==== ATTENTION
CHR HKLM\SOFTWARE\Policies\Google: Restriction <==== ATTENTION

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

Winsock: Catalog9 01 C:\ProgramData\Sophos\Web Intelligence\swi_ifslsp.dll [88128 2012-11-12] (Sophos Limited)
Winsock: Catalog9 02 C:\ProgramData\Sophos\Web Intelligence\swi_ifslsp.dll [88128 2012-11-12] (Sophos Limited)
Winsock: Catalog9 03 C:\ProgramData\Sophos\Web Intelligence\swi_ifslsp.dll [88128 2012-11-12] (Sophos Limited)
Winsock: Catalog9 04 C:\ProgramData\Sophos\Web Intelligence\swi_ifslsp.dll [88128 2012-11-12] (Sophos Limited)
Winsock: Catalog9 05 C:\ProgramData\Sophos\Web Intelligence\swi_ifslsp.dll [88128 2012-11-12] (Sophos Limited)
Winsock: Catalog9 06 C:\ProgramData\Sophos\Web Intelligence\swi_ifslsp.dll [88128 2012-11-12] (Sophos Limited)
Winsock: Catalog9 07 C:\ProgramData\Sophos\Web Intelligence\swi_ifslsp.dll [88128 2012-11-12] (Sophos Limited)
Winsock: Catalog9 08 C:\ProgramData\Sophos\Web Intelligence\swi_ifslsp.dll [88128 2012-11-12] (Sophos Limited)
Winsock: Catalog9 19 C:\ProgramData\Sophos\Web Intelligence\swi_ifslsp.dll [88128 2012-11-12] (Sophos Limited)
Tcpip\Parameters: [DhcpNameServer] 192.168.1.254
Tcpip\..\Interfaces\{00D28703-21F1-4DA6-B4BA-A3C9AB64FA7A}: [DhcpNameServer] 192.168.1.254
Tcpip\..\Interfaces\{C501E438-4D9C-4D5C-B94E-FAE49B0740DD}: [DhcpNameServer] 192.168.1.254

Internet Explorer:
==================
HKU\S-1-5-21-808537165-590170511-107395098-1000\Software\Microsoft\Internet Explorer\Main,Start Page = hxxps://www.google.com/
HKU\S-1-5-21-808537165-590170511-107395098-1000\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = hxxp://www.msn.com/?ocid=iehp
SearchScopes: HKLM -> {9BB47C17-9C68-4BB3-B188-DD9AF0FD2492} URL = hxxp://www.default-search.net/search?sid=492&aid=227&itype=a&ver=15005&tm=495&src=ds&p={searchTerms}
SearchScopes: HKU\S-1-5-21-808537165-590170511-107395098-1000 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = hxxps://us.search.yahoo.com/yhs/search?hspart=iry&hsimp=yhs-fullyhosted_003&type=wncy_dnldwz_15_45_ssg01&param1=1&param2=f%3D4%26b%3DIE%26cc%3Dus%26pa%3DWincy%26cd%3D2XzuyEtN2Y1L1QzutDtDtByDyDyCyE0DyEyC0B0AyDyEtCyCtN0D0Tzu0StCyEtDtCtN1L2XzutAtFtCyDtFtDtFtDtN1L1Czu1TtN1L1G1B1V1N2Y1L1Qzu2StA0D0EtAtC0FyEyEtGtDyD0A0FtGzz0AtB0FtGtAtB0C0CtGtD0DyB0ByB0C0C0B0FtCyCzy2QtN1M1F1B2Z1V1N2Y1L1Qzu2SyE0C0B0B0D0D0CyDtG0C0AtA0AtGyEyDzz0BtG0A0A0C0BtGzy0Dzy0CtA0BtCtDyCzz0D0F2QtN0A0LzuyE%26cr%3D1862193694%26a%3Dwncy_dnldwz_15_45_ssg01%26os%3DWindows%2B7%2BProfessional&p={searchTerms}
SearchScopes: HKU\S-1-5-21-808537165-590170511-107395098-1000 -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = hxxps://us.search.yahoo.com/yhs/search?hspart=iry&hsimp=yhs-fullyhosted_003&type=wncy_dnldwz_15_45_ssg01&param1=1&param2=f%3D4%26b%3DIE%26cc%3Dus%26pa%3DWincy%26cd%3D2XzuyEtN2Y1L1QzutDtDtByDyDyCyE0DyEyC0B0AyDyEtCyCtN0D0Tzu0StCyEtDtCtN1L2XzutAtFtCyDtFtDtFtDtN1L1Czu1TtN1L1G1B1V1N2Y1L1Qzu2StA0D0EtAtC0FyEyEtGtDyD0A0FtGzz0AtB0FtGtAtB0C0CtGtD0DyB0ByB0C0C0B0FtCyCzy2QtN1M1F1B2Z1V1N2Y1L1Qzu2SyE0C0B0B0D0D0CyDtG0C0AtA0AtGyEyDzz0BtG0A0A0C0BtGzy0Dzy0CtA0BtCtDyCzz0D0F2QtN0A0LzuyE%26cr%3D1862193694%26a%3Dwncy_dnldwz_15_45_ssg01%26os%3DWindows%2B7%2BProfessional&p={searchTerms}
SearchScopes: HKU\S-1-5-21-808537165-590170511-107395098-1000 -> {9BB47C17-9C68-4BB3-B188-DD9AF0FD2492} URL =
BHO: Groove GFS Browser Helper -> {72853161-30C5-4D22-B7F9-0BBC1D38A37E} -> C:\Program Files\Microsoft Office\Office14\GROOVEEX.DLL [2011-06-12] (Microsoft Corporation)
BHO: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL [2010-02-28] (Microsoft Corporation)

FireFox:
========
FF ProfilePath: C:\Users\Olga Monz\AppData\Roaming\Mozilla\Firefox\Profiles\2dbqiwii.default [2018-06-12]
FF user.js: detected! => C:\Users\Olga Monz\AppData\Roaming\Mozilla\Firefox\Profiles\2dbqiwii.default\user.js [2018-06-11]
FF Homepage: Mozilla\Firefox\Profiles\2dbqiwii.default -> google.com
FF Extension: (No Name) - C:\Users\Olga Monz\AppData\Roaming\Mozilla\Firefox\Profiles\2dbqiwii.default\extensions\extension@linkeyproject.com [not found]
FF Extension: (No Name) - C:\Users\Olga Monz\AppData\Roaming\Mozilla\Firefox\Profiles\2dbqiwii.default\extensions\{e9bebce7-deb3-4ab9-896c-549739f208c5}.xpi [not found]
FF Extension: (No Name) - C:\Users\Olga Monz\AppData\Roaming\Mozilla\Firefox\Profiles\2dbqiwii.default\extensions\{7012eec1-4f37-42d4-a2cd-26727494d248}.xpi [not found]
FF SearchPlugin: C:\Users\Olga Monz\AppData\Roaming\Mozilla\Firefox\Profiles\2dbqiwii.default\searchplugins\default-search.xml [2014-12-30]
FF SearchPlugin: C:\Users\Olga Monz\AppData\Roaming\Mozilla\Firefox\Profiles\2dbqiwii.default\searchplugins\Search Provided by Yahoo.xml [2015-11-02]
FF Plugin: @adobe.com/ShockwavePlayer -> C:\Windows\system32\Adobe\Director\np32dsw_1211151.dll [2014-04-15] (Adobe Systems, Inc.)
FF Plugin: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> C:\Program Files\Microsoft Silverlight\5.1.30514.0\npctrl.dll [2014-05-13] ( Microsoft Corporation)
FF Plugin: @microsoft.com/OfficeAuthz,version=14.0 -> C:\PROGRA~1\MICROS~1\Office14\NPAUTHZ.DLL [2010-01-09] (Microsoft Corporation)
FF Plugin: @microsoft.com/SharePoint,version=14.0 -> C:\PROGRA~1\MICROS~1\Office14\NPSPWRAP.DLL [2010-03-24] (Microsoft Corporation)
FF Plugin: Adobe Reader -> C:\Program Files\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll [2017-03-28] (Adobe Systems Inc.)

==================== Services (Whitelisted) ====================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R2 SAVAdminService; C:\Program Files\Sophos\Sophos Anti-Virus\SAVAdminService.exe [217592 2013-01-11] (Sophos Limited)
R2 SAVService; C:\Program Files\Sophos\Sophos Anti-Virus\SavService.exe [159296 2012-09-21] (Sophos Limited)
R2 Sophos AutoUpdate Service; C:\Program Files\Sophos\AutoUpdate\ALsvc.exe [237048 2013-01-11] (Sophos Limited)
R2 swi_service; C:\Program Files\Sophos\Sophos Anti-Virus\Web Intelligence\swi_service.exe [2890232 2013-02-04] (Sophos Limited)
S2 swi_update; C:\ProgramData\Sophos\Web Intelligence\swi_update.exe [1468920 2013-02-04] (Sophos Limited)
R2 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [680960 2009-07-13] (Microsoft Corporation)
S2 Update Framed Display; "C:\Program Files\Framed Display\updateFramedDisplay.exe" [X]

===================== Drivers (Whitelisted) ======================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R1 SAVOnAccess; C:\Windows\System32\DRIVERS\savonaccess.sys [132424 2012-09-21] (Sophos Limited)
R1 SKMScan; C:\Windows\System32\DRIVERS\skmscan.sys [33096 2012-10-23] (Sophos Limited)
S4 SophosBootDriver; C:\Windows\System32\DRIVERS\SophosBootDriver.sys [22536 2011-08-25] (Sophos Plc)
R1 {7012eec1-4f37-42d4-a2cd-26727494d248}Gw; C:\Windows\System32\drivers\{7012eec1-4f37-42d4-a2cd-26727494d248}Gw.sys [43160 2014-10-15] (StdLib)
R1 {cd63c300-b231-4a93-a479-5a1e96976d74}w; C:\Windows\System32\drivers\{cd63c300-b231-4a93-a479-5a1e96976d74}w.sys [43152 2014-12-30] (StdLib)
R1 {e9bebce7-deb3-4ab9-896c-549739f208c5}Gw; C:\Windows\System32\drivers\{e9bebce7-deb3-4ab9-896c-549739f208c5}Gw.sys [43160 2014-10-09] (StdLib)

==================== NetSvcs (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)


==================== One Month Created files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2018-06-12 20:49 - 2018-06-12 20:49 - 000010014 _____ C:\Users\Olga Monz\Desktop\FRST.txt
2018-06-12 20:48 - 2018-06-12 20:49 - 000000000 ____D C:\FRST
2018-06-12 20:47 - 2018-06-12 20:33 - 001773568 _____ (Farbar) C:\Users\Olga Monz\Desktop\FRST.exe
2018-06-11 13:21 - 2018-06-11 13:21 - 000000000 ____D C:\Users\Olga Monz\AppData\Local\ElevatedDiagnostics
2018-06-11 10:11 - 2018-06-11 10:11 - 000000000 ____D C:\Users\Olga Monz\AppData\Local\Sophos
2018-06-11 09:57 - 2014-08-08 14:35 - 000001409 _____ C:\Users\Olga Monz\Desktop\Internet Explorer.lnk
2018-06-11 09:10 - 2018-06-11 09:10 - 000000000 ____D C:\ProgramData\2308189059
2018-06-11 08:59 - 2018-06-12 13:13 - 000000000 ____D C:\Users\Olga Monz\AppData\LocalLow\Mozilla
2018-06-10 21:02 - 2018-06-11 15:27 - 000000000 ___RD C:\Users\Olga Monz\Documents\Scanned Documents
2018-06-10 21:02 - 2018-06-11 15:27 - 000000000 ____D C:\Users\Olga Monz\Documents\Fax
2018-06-10 20:51 - 2018-06-11 15:48 - 000000000 ____D C:\Users\Olga Monz\AppData\Local\Microsoft Games
2018-06-09 14:31 - 2018-06-09 14:31 - 000001113 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Firefox.lnk
2018-06-09 14:31 - 2018-06-09 14:31 - 000001101 _____ C:\Users\Public\Desktop\Firefox.lnk
2018-06-09 14:31 - 2018-06-09 14:31 - 000000000 ____D C:\Program Files\Mozilla Maintenance Service
2018-06-09 14:04 - 2018-06-11 15:44 - 000000000 ____D C:\Program Files\Microsoft Games
2018-06-07 19:27 - 2014-08-07 10:12 - 000002951 _____ C:\Users\Olga Monz\Desktop\Microsoft Excel 2010.lnk
2018-06-07 19:26 - 2014-08-07 10:12 - 000003021 _____ C:\Users\Olga Monz\Desktop\Microsoft Word 2010.lnk
2018-06-05 19:24 - 2018-06-05 19:24 - 000000000 ____D C:\Windows\pss
2018-06-05 18:49 - 2018-06-05 18:49 - 000000000 ____D C:\Users\Olga Monz\AppData\LocalLow\Adobe
2018-06-05 18:49 - 2018-06-05 18:49 - 000000000 ____D C:\Users\Olga Monz\AppData\Local\Adobe

==================== One Month Modified files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2018-06-12 20:46 - 2009-07-13 23:53 - 000000006 ____H C:\Windows\Tasks\SA.DAT
2018-06-12 13:45 - 2009-07-13 23:34 - 000021440 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2018-06-12 13:45 - 2009-07-13 23:34 - 000021440 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2018-06-12 13:42 - 2014-08-07 10:02 - 000726316 _____ C:\Windows\system32\PerfStringBackup.INI
2018-06-12 13:42 - 2009-07-13 21:37 - 000000000 ____D C:\Windows\inf
2018-06-12 13:36 - 2015-11-02 15:35 - 000000318 _____ C:\Windows\Tasks\UpdateTask.job
2018-06-12 12:47 - 2009-07-13 21:37 - 000000000 __RHD C:\Users\Public\Libraries
2018-06-12 12:30 - 2009-07-13 21:37 - 000000000 ____D C:\Windows\system32\NDF
2018-06-12 07:59 - 2014-09-01 12:13 - 000007605 _____ C:\Users\Olga Monz\AppData\Local\Resmon.ResmonCfg
2018-06-12 07:19 - 2014-10-09 13:03 - 000000484 _____ C:\Windows\Tasks\UpdaterEX.job
2018-06-11 17:10 - 2009-07-13 21:37 - 000000000 ____D C:\Windows\rescache
2018-06-11 15:44 - 2009-07-13 23:52 - 000000000 ___RD C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Games
2018-06-11 15:24 - 2009-07-13 21:37 - 000000000 ____D C:\Windows\Registration
2018-06-11 12:55 - 2014-10-09 13:03 - 000000000 ____D C:\Users\Olga Monz\AppData\Roaming\INOP_UpdaterEX
2018-06-11 09:52 - 2014-08-11 07:55 - 000000000 ____D C:\Windows\system32\appmgmt
2018-06-11 08:59 - 2014-08-08 14:40 - 000000000 ____D C:\Users\Olga Monz\AppData\Roaming\Mozilla
2018-06-11 08:37 - 2014-10-09 14:07 - 000000000 ____D C:\Users\Olga Monz\AppData\LocalLow\DataMngr
2018-06-10 21:31 - 2014-08-07 10:06 - 000000000 ____D C:\Users\Olga Monz\AppData\Local\Microsoft Help
2018-06-10 21:09 - 2014-08-14 09:19 - 000000000 ____D C:\Users\Olga Monz\AppData\Roaming\Adobe
2018-06-09 14:35 - 2015-11-02 15:34 - 000000000 ____D C:\Users\Olga Monz\AppData\Local\{E0C2D69E-C46A-BA26-A9F2-9FCE8D9A6356}
2018-06-09 14:31 - 2014-08-08 07:21 - 000000000 ____D C:\Program Files\Mozilla Firefox
2018-06-09 14:03 - 2014-10-15 11:44 - 000000217 _____ C:\Users\Olga Monz\AppData\Roaming\WB.CFG
2018-06-09 13:24 - 2014-08-07 10:37 - 000002441 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Adobe Reader XI.lnk
2018-06-09 13:23 - 2014-08-07 10:36 - 000000000 ____D C:\Program Files\Common Files\Adobe
2018-06-07 19:46 - 2014-08-07 10:12 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Office
2018-06-05 19:21 - 2009-07-13 21:37 - 000000000 ___HD C:\Windows\system32\GroupPolicy
2018-06-05 18:49 - 2014-08-07 10:30 - 000000000 ____D C:\ProgramData\Adobe

==================== Files in the root of some directories =======

2014-10-15 11:44 - 2018-06-09 14:03 - 000000217 _____ () C:\Users\Olga Monz\AppData\Roaming\WB.CFG
2014-09-01 12:13 - 2018-06-12 07:59 - 000007605 _____ () C:\Users\Olga Monz\AppData\Local\Resmon.ResmonCfg

Some files in TEMP:
====================
2014-10-09 13:03 - 2014-10-09 13:03 - 000108032 _____ () C:\Users\Olga Monz\AppData\Local\Temp\925.4847622057514_Update.exe
2014-10-09 12:57 - 2014-10-09 12:57 - 005601864 _____ () C:\Users\Olga Monz\AppData\Local\Temp\CloudBackup8235.exe
2015-11-02 15:33 - 2015-11-02 15:33 - 000964259 _____ (Software Installer                                          ) C:\Users\Olga Monz\AppData\Local\Temp\ICSW1.14_0D1F2W1G1I1F1T1Q0W1L2T1T1C1Q1.14.exe
2014-10-09 14:07 - 2014-10-09 14:07 - 000000000 _____ () C:\Users\Olga Monz\AppData\Local\Temp\im08mnqy.dll
2018-06-12 13:11 - 2018-06-12 13:11 - 001868288 _____ (Opera Software) C:\Users\Olga Monz\AppData\Local\Temp\Opera_installer_1806121810086183476.dll
2014-10-09 12:57 - 2014-10-09 12:57 - 005777584 _____ (                                                            ) C:\Users\Olga Monz\AppData\Local\Temp\optprosetup.exe
2014-10-09 13:04 - 2014-10-09 14:06 - 000006144 _____ () C:\Users\Olga Monz\AppData\Local\Temp\uyjy9wqs.dll
2014-10-09 12:57 - 2014-10-09 12:58 - 004216840 _____ (Microsoft Corporation) C:\Users\Olga Monz\AppData\Local\Temp\vcredist_x86.exe

==================== Bamital & volsnap ======================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\explorer.exe => File is digitally signed
C:\Windows\system32\winlogon.exe => File is digitally signed
C:\Windows\system32\wininit.exe => File is digitally signed
C:\Windows\system32\svchost.exe => File is digitally signed
C:\Windows\system32\services.exe => File is digitally signed
C:\Windows\system32\User32.dll => File is digitally signed
C:\Windows\system32\userinit.exe => File is digitally signed
C:\Windows\system32\rpcss.dll => File is digitally signed
C:\Windows\system32\dnsapi.dll => File is digitally signed
C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed

LastRegBack: 2018-06-11 17:02

==================== End of FRST.txt ============================

Addition.txt

Additional scan result of Farbar Recovery Scan Tool (x86) Version: 06.06.2018 01
Ran by Olga Monz (12-06-2018 20:50:38)
Running from C:\Users\Olga Monz\Desktop
Microsoft Windows 7 Professional  Service Pack 1 (X86) (2014-08-07 14:57:06)
Boot Mode: Normal
==========================================================


==================== Accounts: =============================

Administrator (S-1-5-21-808537165-590170511-107395098-500 - Administrator - Enabled) => C:\Users\Administrator
Guest (S-1-5-21-808537165-590170511-107395098-501 - Limited - Disabled)
HomeGroupUser$ (S-1-5-21-808537165-590170511-107395098-1007 - Limited - Enabled)
Olga Monz (S-1-5-21-808537165-590170511-107395098-1000 - Administrator - Enabled) => C:\Users\Olga Monz
SophosSAUOLGAMONZ-P0 (S-1-5-21-808537165-590170511-107395098-1005 - Limited - Enabled)

==================== Security Center ========================

(If an entry is included in the fixlist, it will be removed.)

AV: Sophos Anti-Virus (Enabled - Out of date) {65FBD860-96D8-75EF-C7ED-7BE27E6C498A}
AS: Windows Defender (Disabled - Out of date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
AS: Sophos Anti-Virus (Enabled - Out of date) {DE9A3984-B0E2-7A61-FD5D-409005EB0337}

==================== Installed Programs ======================

(Only the adware programs with "Hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)

Adobe AIR (HKLM\...\Adobe AIR) (Version: 3.8.0.1430 - Adobe Systems Incorporated)
Adobe Flash Player 13 ActiveX (HKLM\...\Adobe Flash Player ActiveX) (Version: 13.0.0.214 - Adobe Systems Incorporated)
Adobe Reader XI (11.0.20) (HKLM\...\{AC76BA86-7AD7-1033-7B44-AB0000000001}) (Version: 11.0.20 - Adobe Systems Incorporated)
Adobe Shockwave Player 12.1 (HKLM\...\Adobe Shockwave Player) (Version: 12.1.1.151 - Adobe Systems, Inc.)
Chromium (HKU\S-1-5-21-808537165-590170511-107395098-1000\...\Chromium) (Version: 46.0.2480.0 - Chromium)
Intel® Graphics Media Accelerator Driver (HKLM\...\HDMI) (Version: 8.15.10.1930 - Intel Corporation)
Microsoft .NET Framework 4 Client Profile (HKLM\...\Microsoft .NET Framework 4 Client Profile) (Version: 4.0.30319 - Microsoft Corporation)
Microsoft Office Professional Plus 2010 (HKLM\...\Office14.PROPLUS) (Version: 14.0.4763.1000 - Microsoft Corporation)
Microsoft Silverlight (HKLM\...\{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}) (Version: 5.1.30514.0 - Microsoft Corporation)
Mozilla Firefox 60.0.2 (x86 en-US) (HKLM\...\Mozilla Firefox 60.0.2 (x86 en-US)) (Version: 60.0.2 - Mozilla)
Mozilla Maintenance Service (HKLM\...\MozillaMaintenanceService) (Version: 60.0.2 - Mozilla)
Opera Stable 53.0.2907.68 (HKU\S-1-5-21-808537165-590170511-107395098-1000\...\Opera 53.0.2907.68) (Version: 53.0.2907.68 - Opera Software)
Sophos Anti-Virus (HKLM\...\{9ACB414D-9347-40B6-A453-5EFB2DB59DFA}) (Version: 10.2.7 - Sophos Limited)
Sophos AutoUpdate (HKLM\...\{15C418EB-7675-42be-B2B3-281952DA014D}) (Version: 2.9.0.344 - Sophos Limited)
swMSM (HKLM\...\{612C34C7-5E90-47D8-9B5C-0F717DD82726}) (Version: 12.0.0.1 - Adobe Systems, Inc) Hidden

==================== Custom CLSID (Whitelisted): ==========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

CustomCLSID: HKU\S-1-5-21-808537165-590170511-107395098-1000_Classes\CLSID\{A2DF06F9-A21A-44A8-8A99-8B9C84F29160}\localserver32 -> C:\Users\Olga Monz\AppData\Local\Chromium\Application\46.0.2480.0\delegate_execute.exe (The Chromium Authors) <==== ATTENTION
ContextMenuHandlers1: [SavShellExt] -> {A3A1D8A1-006D-4B93-BA27-6F6B4C9C4F1D} => C:\Program Files\Sophos\Sophos Anti-Virus\SavShellExt.dll [2012-12-13] (Sophos Limited)
ContextMenuHandlers2: [SavShellExt] -> {A3A1D8A1-006D-4B93-BA27-6F6B4C9C4F1D} => C:\Program Files\Sophos\Sophos Anti-Virus\SavShellExt.dll [2012-12-13] (Sophos Limited)
ContextMenuHandlers4: [SavShellExt] -> {A3A1D8A1-006D-4B93-BA27-6F6B4C9C4F1D} => C:\Program Files\Sophos\Sophos Anti-Virus\SavShellExt.dll [2012-12-13] (Sophos Limited)
ContextMenuHandlers5: [igfxcui] -> {3AB1675A-CCFF-11D2-8B20-00A0C93CB1F4} => C:\Windows\system32\igfxpph.dll [2009-09-23] (Intel Corporation)
ContextMenuHandlers6: [SavShellExt] -> {A3A1D8A1-006D-4B93-BA27-6F6B4C9C4F1D} => C:\Program Files\Sophos\Sophos Anti-Virus\SavShellExt.dll [2012-12-13] (Sophos Limited)

==================== Scheduled Tasks (Whitelisted) =============

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

Task: {4A146351-0081-418C-9611-00E4BAE9EEB3} - System32\Tasks\UpdateTask => C:\Users\Olga Monz\AppData\Local\{E0C2D69E-C46A-BA26-A9F2-9FCE8D9A6356}\uninstall.exe [2015-11-02] () <==== ATTENTION
Task: {4B793474-2DC4-4BDB-8480-4C363A109F9F} - System32\Tasks\UpdaterEX => C:\Users\OLGAMO~1\AppData\Roaming\UPDATE~1\UPDATE~1\UPDATE~1.EXE <==== ATTENTION
Task: {8C7A86FD-A32A-4ADF-B56F-BDC79497D16C} - System32\Tasks\Adobe Acrobat Update Task => C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe [2018-02-09] (Adobe Systems Incorporated)
Task: {EF2809A8-CC34-490B-A5A2-806F4FBE9C78} - System32\Tasks\Opera scheduled Autoupdate 1446496636 => C:\Users\Olga Monz\AppData\Local\Programs\Opera\launcher.exe [2018-05-23] (Opera Software)

(If an entry is included in the fixlist, the task (.job) file will be moved. The file which is running by the task will not be moved.)

Task: C:\Windows\Tasks\UpdaterEX.job => C:\Users\OLGAMO~1\AppData\Roaming\UPDATE~1\UPDATE~1\UPDATE~1.EXE <==== ATTENTION
Task: C:\Windows\Tasks\UpdateTask.job => C:\Users\OLGAMO~1\AppData\Local\{E0C2D~1\UNINST~1.EXE

==================== Shortcuts & WMI ========================

(The entries could be listed to be restored or removed.)


==================== Loaded Modules (Whitelisted) ==============

2010-01-30 02:41 - 2010-01-30 02:41 - 004254560 _____ () C:\Program Files\Common Files\microsoft shared\OFFICE14\Cultures\OFFICE.ODF
2010-03-24 21:17 - 2010-03-24 21:17 - 008794464 _____ () C:\Program Files\Microsoft Office\Office14\1033\GrooveIntlResource.dll

==================== Alternate Data Streams (Whitelisted) =========

==================== Safe Mode (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The "AlternateShell" value will be restored.)

HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SAVService => ""="service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\SAVService => ""="service"

==================== Association (Whitelisted) ===============

(If an entry is included in the fixlist, the registry item will be restored to default or removed.)


==================== Internet Explorer trusted/restricted ===============

(If an entry is included in the fixlist, it will be removed from the registry.)


==================== Hosts content: ===============================

(If needed Hosts: directive could be included in the fixlist to reset Hosts.)

2009-07-13 21:04 - 2009-06-10 16:39 - 000000824 _____ C:\Windows\system32\Drivers\etc\hosts


==================== Other Areas ============================

(Currently there is no automatic fix for this section.)

HKU\S-1-5-21-808537165-590170511-107395098-1000\Control Panel\Desktop\\Wallpaper -> C:\Users\Olga Monz\AppData\Roaming\Microsoft\Windows\Themes\TranscodedWallpaper.jpg
DNS Servers: Media is not connected to internet.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System => (ConsentPromptBehaviorAdmin: 5) (ConsentPromptBehaviorUser: 3) (EnableLUA: 1)
Windows Firewall is enabled.

==================== MSCONFIG/TASK MANAGER disabled items ==

MSCONFIG\startupfolder: C:^Users^Olga Monz^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^MyPC Backup.lnk => C:\Windows\pss\MyPC Backup.lnk.Startup
MSCONFIG\startupreg: Driver Support => C:\Program Files\Driver Support\Driver Support\DriverSupport.exe /applicationMode:systemTray /showWelcome:false
MSCONFIG\startupreg: GoogleChromeAutoLaunch_9B56C802069DB60609951592156D243E => "C:\Users\Olga Monz\AppData\Local\Chromium\Application\chrome.exe" --auto-launch-at-startup --profile-directory="Default" --restore-last-session
MSCONFIG\startupreg: Optimizer Pro => C:\Program Files\Optimizer Pro\OptProLauncher.exe

==================== FirewallRules (Whitelisted) ===============

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

FirewallRules: [SPPSVC-In-TCP] => (Allow) %SystemRoot%\system32\sppsvc.exe
FirewallRules: [SPPSVC-In-TCP-NoScope] => (Allow) %SystemRoot%\system32\sppsvc.exe
FirewallRules: [{789A7AF5-0712-40E9-AF6D-15E8B30D2702}] => (Allow) C:\Program Files\Mozilla Firefox\firefox.exe
FirewallRules: [{8DAAB1E7-0353-4357-89A9-44F72A9E557F}] => (Allow) C:\Program Files\Mozilla Firefox\firefox.exe
FirewallRules: [TCP Query User{BFD1B435-9759-404B-80B3-22A75B3878BE}C:\windows\system32\mmc.exe] => (Block) C:\windows\system32\mmc.exe
FirewallRules: [UDP Query User{86A34D53-93D9-49C6-9BC7-32281D934ACF}C:\windows\system32\mmc.exe] => (Block) C:\windows\system32\mmc.exe

==================== Restore Points =========================

09-10-2014 12:54:45 Windows 7 Service Pack 1
09-10-2014 14:16:18 Windows Update
17-12-2014 18:27:10 Scheduled Checkpoint
17-12-2014 23:24:12 Windows Update
30-12-2014 12:18:33 Windows Update
09-06-2018 14:02:47 Windows Modules Installer
11-06-2018 15:42:54 Windows Modules Installer

==================== Faulty Device Manager Devices =============

Name: Teredo Tunneling Pseudo-Interface
Description: Microsoft Teredo Tunneling Adapter
Class Guid: {4d36e972-e325-11ce-bfc1-08002be10318}
Manufacturer: Microsoft
Service: tunnel
Problem: : This device cannot start. (Code10)
Resolution: Device failed to start. Click "Update Driver" to update the drivers for this device.
On the "General Properties" tab of the device, click "Troubleshoot" to start the troubleshooting wizard.

Name: Atheros AR5007EG Wireless Network Adapter
Description: Atheros AR5007EG Wireless Network Adapter
Class Guid: {4d36e972-e325-11ce-bfc1-08002be10318}
Manufacturer: Atheros Communications Inc.
Service: athr
Problem: : This device is disabled. (Code 22)
Resolution: In Device Manager, click "Action", and then click "Enable Device". This starts the Enable Device wizard. Follow the instructions.


==================== Event log errors: =========================

Application errors:
==================
Error: (06/11/2018 05:02:55 PM) (Source: Microsoft-Windows-Defrag) (EventID: 257) (User: )
Description: The volume MCUSB (D:) was not defragmented because an error was encountered: The parameter is incorrect. (0x80070057)

Error: (06/11/2018 03:33:38 PM) (Source: CardSpace 3.0.0.0) (EventID: 269) (User: NT AUTHORITY)
Description: The Windows CardSpace service is too busy to process this request.
User has too many outstanding requests.



Additional Information:
   at System.Environment.GetStackTrace(Exception e, Boolean needFileInfo)
   at System.Environment.get_StackTrace()
   at Microsoft.InfoCards.Diagnostics.InfoCardTrace.BuildMessage(InfoCardBaseException ie)
   at Microsoft.InfoCards.Diagnostics.InfoCardTrace.TraceAndLogException(Exception e)
   at Microsoft.InfoCards.Diagnostics.InfoCardTrace.ThrowHelperError(Exception e)
   at Microsoft.InfoCards.UIAgentMonitor.AddNewClient(UIAgentMonitorHandle handle)
   at Microsoft.InfoCards.UIAgentMonitorHandle.CreateAgent(Int32 callerPid, WindowsIdentity callerIdentity, Int32 tsSessionId)
   at Microsoft.InfoCards.RequestFactory.CreateClientRequestInstance(UIAgentMonitorHandle monitorHandle, String reqName, IntPtr rpcHandle, Stream inStream, Stream outStream)
   at Microsoft.InfoCards.RequestFactory.ProcessNewRequest(Int32 parentRequestHandle, IntPtr rpcHandle, IntPtr inArgs, IntPtr& outArgs)

Error: (06/11/2018 03:33:38 PM) (Source: CardSpace 3.0.0.0) (EventID: 269) (User: NT AUTHORITY)
Description: The Windows CardSpace service is too busy to process this request.
User has too many outstanding requests.



Additional Information:
   at System.Environment.GetStackTrace(Exception e, Boolean needFileInfo)
   at System.Environment.get_StackTrace()
   at Microsoft.InfoCards.Diagnostics.InfoCardTrace.BuildMessage(InfoCardBaseException ie)
   at Microsoft.InfoCards.Diagnostics.InfoCardTrace.TraceAndLogException(Exception e)
   at Microsoft.InfoCards.Diagnostics.InfoCardTrace.ThrowHelperError(Exception e)
   at Microsoft.InfoCards.UIAgentMonitor.AddNewClient(UIAgentMonitorHandle handle)
   at Microsoft.InfoCards.UIAgentMonitorHandle.CreateAgent(Int32 callerPid, WindowsIdentity callerIdentity, Int32 tsSessionId)
   at Microsoft.InfoCards.RequestFactory.CreateClientRequestInstance(UIAgentMonitorHandle monitorHandle, String reqName, IntPtr rpcHandle, Stream inStream, Stream outStream)
   at Microsoft.InfoCards.RequestFactory.ProcessNewRequest(Int32 parentRequestHandle, IntPtr rpcHandle, IntPtr inArgs, IntPtr& outArgs)

Error: (06/11/2018 03:33:38 PM) (Source: CardSpace 3.0.0.0) (EventID: 269) (User: NT AUTHORITY)
Description: The Windows CardSpace service is too busy to process this request.
User has too many outstanding requests.



Additional Information:
   at System.Environment.GetStackTrace(Exception e, Boolean needFileInfo)
   at System.Environment.get_StackTrace()
   at Microsoft.InfoCards.Diagnostics.InfoCardTrace.BuildMessage(InfoCardBaseException ie)
   at Microsoft.InfoCards.Diagnostics.InfoCardTrace.TraceAndLogException(Exception e)
   at Microsoft.InfoCards.Diagnostics.InfoCardTrace.ThrowHelperError(Exception e)
   at Microsoft.InfoCards.UIAgentMonitor.AddNewClient(UIAgentMonitorHandle handle)
   at Microsoft.InfoCards.UIAgentMonitorHandle.CreateAgent(Int32 callerPid, WindowsIdentity callerIdentity, Int32 tsSessionId)
   at Microsoft.InfoCards.RequestFactory.CreateClientRequestInstance(UIAgentMonitorHandle monitorHandle, String reqName, IntPtr rpcHandle, Stream inStream, Stream outStream)
   at Microsoft.InfoCards.RequestFactory.ProcessNewRequest(Int32 parentRequestHandle, IntPtr rpcHandle, IntPtr inArgs, IntPtr& outArgs)

Error: (06/11/2018 03:33:37 PM) (Source: CardSpace 3.0.0.0) (EventID: 269) (User: NT AUTHORITY)
Description: The Windows CardSpace service is too busy to process this request.
User has too many outstanding requests.



Additional Information:
   at System.Environment.GetStackTrace(Exception e, Boolean needFileInfo)
   at System.Environment.get_StackTrace()
   at Microsoft.InfoCards.Diagnostics.InfoCardTrace.BuildMessage(InfoCardBaseException ie)
   at Microsoft.InfoCards.Diagnostics.InfoCardTrace.TraceAndLogException(Exception e)
   at Microsoft.InfoCards.Diagnostics.InfoCardTrace.ThrowHelperError(Exception e)
   at Microsoft.InfoCards.UIAgentMonitor.AddNewClient(UIAgentMonitorHandle handle)
   at Microsoft.InfoCards.UIAgentMonitorHandle.CreateAgent(Int32 callerPid, WindowsIdentity callerIdentity, Int32 tsSessionId)
   at Microsoft.InfoCards.RequestFactory.CreateClientRequestInstance(UIAgentMonitorHandle monitorHandle, String reqName, IntPtr rpcHandle, Stream inStream, Stream outStream)
   at Microsoft.InfoCards.RequestFactory.ProcessNewRequest(Int32 parentRequestHandle, IntPtr rpcHandle, IntPtr inArgs, IntPtr& outArgs)

Error: (06/11/2018 02:43:34 PM) (Source: Application Hang) (EventID: 1002) (User: )
Description: The program mmc.exe version 6.1.7600.16385 stopped interacting with Windows and was closed. To see if more information about the problem is available, check the problem history in the Action Center control panel.

Process ID: c34

Start Time: 01d401ba0188ba39

Termination Time: 78

Application Path: C:\Windows\system32\mmc.exe

Report Id:

Error: (06/11/2018 01:51:59 PM) (Source: Application Hang) (EventID: 1002) (User: )
Description: The program mmc.exe version 6.1.7600.16385 stopped interacting with Windows and was closed. To see if more information about the problem is available, check the problem history in the Action Center control panel.

Process ID: b08

Start Time: 01d401a33ab727ee

Termination Time: 281

Application Path: C:\Windows\system32\mmc.exe

Report Id: 5ac1b7fa-6da8-11e8-8c21-00235ae5f49d

Error: (06/10/2018 10:08:22 PM) (Source: SideBySide) (EventID: 33) (User: )
Description: Activation context generation failed for "C:\Users\Olga Monz\Downloads\iTunes6464Setup [1].exe".
Dependent Assembly Microsoft.Windows.Common-Controls,language="&#x2a;",processorArchitecture="amd64",publicKeyToken="6595b64144ccf1df",type="win32",version="6.0.0.0" could not be found.
Please use sxstrace.exe for detailed diagnosis.


System errors:
=============
Error: (06/12/2018 08:46:32 PM) (Source: Service Control Manager) (EventID: 7026) (User: )
Description: The following boot-start or system-start driver(s) failed to load:
cdrom

Error: (06/12/2018 08:46:30 PM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: The Update Framed Display service failed to start due to the following error:
The system cannot find the file specified.

Error: (06/12/2018 01:37:59 PM) (Source: Service Control Manager) (EventID: 7026) (User: )
Description: The following boot-start or system-start driver(s) failed to load:
cdrom

Error: (06/12/2018 01:37:58 PM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: The Update Framed Display service failed to start due to the following error:
The system cannot find the file specified.

Error: (06/12/2018 01:33:20 PM) (Source: Service Control Manager) (EventID: 7026) (User: )
Description: The following boot-start or system-start driver(s) failed to load:
cdrom

Error: (06/12/2018 01:33:20 PM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: The Update Framed Display service failed to start due to the following error:
The system cannot find the file specified.

Error: (06/12/2018 01:27:42 PM) (Source: DCOM) (EventID: 10010) (User: )
Description: The server {AB8902B4-09CA-4BB6-B78D-A8F59079A8D5} did not register with DCOM within the required timeout.

Error: (06/12/2018 12:45:22 PM) (Source: Tcpip) (EventID: 4199) (User: )
Description: The system detected an address conflict for IP address 2602:304:44d3:9530::49 with the system
having network hardware address 14-FE-B5-E4-F1-A1. Network operations on this system may
be disrupted as a result.


==================== Memory info ===========================

Processor: Intel® Atom™ CPU N270 @ 1.60GHz
Percentage of memory in use: 61%
Total physical RAM: 1013.95 MB
Available physical RAM: 392.43 MB
Total Virtual: 2037.95 MB
Available Virtual: 1235.63 MB

==================== Drives ================================

Drive c: () (Fixed) (Total:148.95 GB) (Free:111.74 GB) NTFS
Drive d: (MCUSB) (Removable) (Total:29.82 GB) (Free:6.76 GB) FAT32

\\?\Volume{6ceec840-1e4e-11e4-b07b-806e6f6e6963}\ (System Reserved) (Fixed) (Total:0.1 GB) (Free:0.07 GB) NTFS

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (MBR Code: Windows 7/8/10) (Size: 149.1 GB) (Disk ID: 9A0D38EA)
Partition 1: (Active) - (Size=100 MB) - (Type=07 NTFS)
Partition 2: (Not Active) - (Size=149 GB) - (Type=07 NTFS)

========================================================
Disk: 1 (MBR Code: Windows XP) (Size: 29.8 GB) (Disk ID: C3072E18)
Partition 1: (Not Active) - (Size=29.8 GB) - (Type=0C)

==================== End of Addition.txt ============================


Edited by k-j-m, 12 June 2018 - 10:23 PM.



#2 nasdaq

nasdaq

  • Malware Response Team
  • 38,955 posts
  • ONLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:09:06 AM

Posted 13 June 2018 - 07:53 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can, please print this topic; it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

Please download Malwarebytes Anti-Malware from here
  • Right-click on the MBAM icon and select Run as administrator to run the tool.
  • Click Yes to accept any security warnings that may appear.
  • Once the MBAM dashboard opens, on the right detail pane click on the word "Current" under the Scan Status to update the tool database.
  • On the left menu pane click the Settings tab, and then select the Protection tab on the top.
  • Under the Scan Options, turn on the button Scan for rootkits and Scan within archives.
  • Click the Scan tab on the right detail pane, select Threat Scan and click the Start Scan button.
  • Note: The scan may take some time to finish, so please be patient.
  • If potential threats are detected, ensure to checkmark all the listed items, and click the Quarantine Selected button.
  • While still on the Scan tab, click the View Report button, and in the window that opens click the Export button, select Text file (*.txt), and save the log to your Desktop.
  • The log can also be viewed by clicking the log to select it, then clicking the View Report button.
Please post the log for my review.

Note: If asked to restart the computer, please do so immediately.
===

Let's start the cleaning with these programs.

Please download AdwCleaner by Xplode onto your Desktop.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click the Scan button and wait for the process to complete.
  • Click the LogFile button and the report will open in Notepad.
IMPORTANT
  • If you click the Clean button all items listed in the report will be removed.
If you find some false positive items or programs that you wish to keep, close the AdwCleaner windows.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click the Scan button and wait for the process to complete.
  • Check off the element(s) you wish to keep.
  • Click on the Clean button and follow the prompts.
  • A log file will automatically open after the scan has finished.
  • Please post the content of that log file with your next answer.
  • You can find the log file at C:\AdwCleanerCx.txt (x is a number).
===

Run the Farbar program and scan the computer again.
Post a fresh FRST.txt log for my review.

#3 k-j-m

k-j-m
  • Topic Starter

  • Members
  • 22 posts
  • OFFLINE
  • Local time:08:06 AM

Posted 13 June 2018 - 09:12 AM

I have downloaded and installed Malwarebytes as you requested.  The installation process and navigation were a little different from the exact steps that you suggested, but it seems to have installed correctly.

Because of the high level of I/O and enormous Internet activity when the subject computer is connected to the Internet, I did not update Malwarebytes before performing the scan.  Hopefully the version that I downloaded from your link was reasonably current.

There were 96 items found by Malwarebytes and I did ask to quarantine all of them.  During the quarantine process Sophos detected "suspicious behavior" and displayed a pop-up or two. Malwarebytes then reported that 93 of the 96 threats were marked as quarantined and asked for a restart, which I allowed it to do. However, the report indicates that 93 threats were detected and 91 of them were quarantined.  I hope that the discrepancy in the counts is OK.

One other item that I'd like to ask about is the removal of all of the tools that we use to identify and correct the problems on this machine.  Will we be able to remove all of the tools at the end of the process, so that I can eliminate some of the "clutter"?

In an abundance of caution, I am going to pause here and delay running AdwCleaner until I hear back from you.

Here is the Malwarebytes log:

Malwarebytes
www.malwarebytes.com

-Log Details-
Scan Date: 6/13/18
Scan Time: 8:25 AM
Log File: 306665c0-6f0d-11e8-a851-00235ae5f49d.json
Administrator: Yes

-Software Information-
Version: 3.5.1.2522
Components Version: 1.0.374
Update Package Version: 1.0.5448
License: Free

-System Information-
OS: Windows 7 Service Pack 1
CPU: x86
File System: NTFS
User: OlgaMonz-PC\Olga Monz

-Scan Summary-
Scan Type: Threat Scan
Scan Initiated By: Manual
Result: Completed
Objects Scanned: 192424
Threats Detected: 93
Threats Quarantined: 91
Time Elapsed: 19 min, 13 sec

-Scan Options-
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Detect
PUM: Detect

-Scan Details-
Process: 0
(No malicious items detected)

Module: 0
(No malicious items detected)

Registry Key: 31
PUP.Optional.Amonetize, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TREE\UPDATEREX, Quarantined, [429], [183674],1.0.5448
PUP.Optional.Amonetize, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TASKS\{4B793474-2DC4-4BDB-8480-4C363A109F9F}, Quarantined, [429], [183674],1.0.5448
PUP.Optional.Amonetize, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\PLAIN\{4B793474-2DC4-4BDB-8480-4C363A109F9F}, Quarantined, [429], [183674],1.0.5448
PUP.Optional.WinYahoo.TskLnk, HKU\S-1-5-21-808537165-590170511-107395098-1000\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\Chromium, Quarantined, [3734], [484244],1.0.5448
PUP.Optional.WinYahoo.TskLnk, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TREE\UpdateTask, Quarantined, [3734], [484244],1.0.5448
PUP.Optional.WinYahoo.TskLnk, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TASKS\{4A146351-0081-418C-9611-00E4BAE9EEB3}, Quarantined, [3734], [484244],1.0.5448
PUP.Optional.WinYahoo.TskLnk, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\PLAIN\{4A146351-0081-418C-9611-00E4BAE9EEB3}, Quarantined, [3734], [484244],1.0.5448
PUP.Optional.WinYahoo.TskLnk, HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\UpdateTask, Quarantined, [3734], [-1],0.0.0
PUP.Optional.WinYahoo.TskLnk, HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{4A146351-0081-418C-9611-00E4BAE9EEB3}, Quarantined, [3734], [-1],0.0.0
PUP.Optional.WinYahoo.TskLnk, HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{4A146351-0081-418C-9611-00E4BAE9EEB3}, Quarantined, [3734], [-1],0.0.0
PUP.Optional.InstallCore, HKU\S-1-5-21-808537165-590170511-107395098-1000\SOFTWARE\ICSW1.14, Quarantined, [392], [239562],1.0.5448
PUP.Optional.InstallCore, HKU\S-1-5-21-808537165-590170511-107395098-1000\SOFTWARE\InstallCore, Quarantined, [392], [239563],1.0.5448
PUP.Optional.Amonetize, HKU\S-1-5-21-808537165-590170511-107395098-1000\SOFTWARE\UpdaterEX, Quarantined, [429], [348112],1.0.5448
PUP.Optional.WinYahoo, HKLM\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES\{0633EE93-D776-472F-A0FF-E1416B8B2E3A}, Quarantined, [245], [254682],1.0.5448
PUP.Optional.WinYahoo, HKU\S-1-5-21-808537165-590170511-107395098-1000\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}, Quarantined, [245], [254682],1.0.5448
PUP.Optional.FramedDisplay, HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\Update Framed Display, Quarantined, [489], [238477],1.0.5448
PUP.Optional.Sanbreel, HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\{7012eec1-4f37-42d4-a2cd-26727494d248}Gw, Quarantined, [5111], [242519],1.0.5448
PUP.Optional.SuperOptimizer, HKU\S-1-5-18\SOFTWARE\APPDATALOW\{1146AC44-2F03-4431-B4FD-889BC837521F}, Quarantined, [1465], [243667],1.0.5448
PUP.Optional.Sanbreel, HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\{cd63c300-b231-4a93-a479-5a1e96976d74}w, Quarantined, [5111], [242523],1.0.5448
PUP.Optional.Sanbreel, HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\{e9bebce7-deb3-4ab9-896c-549739f208c5}Gw, Quarantined, [5111], [242519],1.0.5448
PUP.Optional.OptimizerPro, HKU\S-1-5-21-808537165-590170511-107395098-1000\SOFTWARE\OPTIMIZER PRO, Quarantined, [744], [241445],1.0.5448
PUP.Optional.DefaultSearch.ShrtCln, HKU\S-1-5-21-808537165-590170511-107395098-1000\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES\{9BB47C17-9C68-4BB3-B188-DD9AF0FD2492}, Quarantined, [268], [237681],1.0.5448
PUP.Optional.DefaultSearch.ShrtCln, HKLM\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES\{9BB47C17-9C68-4BB3-B188-DD9AF0FD2492}, Quarantined, [268], [237681],1.0.5448
PUP.Optional.SuperOptimizer, HKU\S-1-5-21-808537165-590170511-107395098-1000\SOFTWARE\APPDATALOW\{1146AC44-2F03-4431-B4FD-889BC837521F}, Quarantined, [1465], [243667],1.0.5448
PUP.Optional.InstallCore, HKU\S-1-5-21-808537165-590170511-107395098-1000\SOFTWARE\PRODUCTSETUP, Quarantined, [392], [481004],1.0.5448
PUP.Optional.SettingsManager, HKLM\SOFTWARE\SmdmF, Quarantined, [1492], [242950],1.0.5448
PUP.Optional.SuperOptimizer, HKLM\SOFTWARE\{1146AC44-2F03-4431-B4FD-889BC837521F}, Quarantined, [1465], [243671],1.0.5448
PUP.Optional.SuperOptimizer, HKLM\SOFTWARE\{6791A2F3-FC80-475C-A002-C014AF797E9C}, Quarantined, [1465], [243672],1.0.5448
PUP.Optional.Yontoo, HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\EVENTLOG\APPLICATION\Update Framed Display, Quarantined, [35], [253986],1.0.5448
PUP.Optional.Yontoo, HKLM\SOFTWARE\POLICIES\GOOGLE\CHROME, Quarantined, [35], [-1],0.0.0
PUM.Optional.DisableChromeUpdates, HKLM\SOFTWARE\POLICIES\GOOGLE\UPDATE, Quarantined, [7321], [252393],1.0.5448

Registry Value: 13
PUP.Optional.WinYahoo, HKU\S-1-5-21-808537165-590170511-107395098-1000\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}|URL, Quarantined, [245], [254682],1.0.5448
PUP.Optional.WinYahoo, HKU\S-1-5-21-808537165-590170511-107395098-1000\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}|TOPRESULTURLFALLBACK, Quarantined, [245], [254682],1.0.5448
PUP.Optional.WebBar, HKU\S-1-5-21-808537165-590170511-107395098-1000\SOFTWARE\MICROSOFT\INTERNET EXPLORER\MAIN\FEATURECONTROL\FEATURE_BROWSER_EMULATION|WB.EXE, Quarantined, [5076], [254734],1.0.5448
PUP.Optional.OptimizerPro, HKU\S-1-5-21-808537165-590170511-107395098-1000\SOFTWARE\OPTIMIZER PRO|ADSBUYNOWURL, Quarantined, [744], [241445],1.0.5448
PUP.Optional.DefaultSearch.ShrtCln, HKLM\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES\{9BB47C17-9C68-4BB3-B188-DD9AF0FD2492}|DISPLAYNAME, Quarantined, [268], [237681],1.0.5448
PUP.Optional.DefaultSearch.ShrtCln, HKLM\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES\{9BB47C17-9C68-4BB3-B188-DD9AF0FD2492}|URL, Quarantined, [268], [237681],1.0.5448
PUP.Optional.DefaultSearch.ShrtCln, HKLM\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES\{9BB47C17-9C68-4BB3-B188-DD9AF0FD2492}|SUGGESTIONSURL_JSON, Quarantined, [268], [237681],1.0.5448
PUP.Optional.Bandoo.AppFlsh, HKLM\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES\{9BB47C17-9C68-4BB3-B188-DD9AF0FD2492}|FAVICONPATH, Quarantined, [3], [253597],1.0.5448
PUP.Optional.Bandoo.AppFlsh, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINDOWS|APPINIT_DLLS, Quarantined, [3], [-1],0.0.0
PUP.Optional.Amonetize, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TASKS\{4B793474-2DC4-4BDB-8480-4C363A109F9F}|PATH, Quarantined, [429], [183676],1.0.5448
PUP.Optional.SettingsManager, HKLM\SYSTEM\CURRENTCONTROLSET\CONTROL\SESSION MANAGER\APPCERTDLLS|X64, Quarantined, [1492], [190389],1.0.5448
PUP.Optional.InstallCore, HKU\S-1-5-21-808537165-590170511-107395098-1000\SOFTWARE\PRODUCTSETUP|TB, Quarantined, [392], [481004],1.0.5448
PUM.Optional.DisableChromeUpdates, HKLM\SOFTWARE\POLICIES\GOOGLE\UPDATE|DISABLEAUTOUPDATECHECKSCHECKBOXVALUE, Quarantined, [7321], [252393],1.0.5448

Registry Data: 0
(No malicious items detected)

Data Stream: 0
(No malicious items detected)

Folder: 5
PUP.Optional.WinYahoo.TskLnk, C:\USERS\OLGA MONZ\APPDATA\LOCAL\{E0C2D69E-C46A-BA26-A9F2-9FCE8D9A6356}, Quarantined, [3734], [484244],1.0.5448
Adware.OtherSearch, C:\USERS\OLGA MONZ\APPDATA\LOCAL\TEMP\nsqFA78.tmp, Quarantined, [6185], [469834],1.0.5448
PUP.Optional.Bandoo.AppFlsh, C:\Users\Olga Monz\AppData\Roaming\FirefoxToolbar\Settings Manager, Quarantined, [3], [181411],1.0.5448
PUP.Optional.Bandoo.AppFlsh, C:\USERS\OLGA MONZ\APPDATA\ROAMING\FIREFOXTOOLBAR, Quarantined, [3], [181411],1.0.5448
PUP.Optional.DataMngr.AppFlsh, C:\USERS\OLGA MONZ\APPDATA\LOCALLOW\DATAMNGR, Quarantined, [63], [181454],1.0.5448

File: 44
PUP.Optional.BrowseFox, C:\Windows\System32\drivers\{7012eec1-4f37-42d4-a2cd-26727494d248}Gw.sys, Quarantined, [561], [299543],0.0.0
PUP.Optional.BrowseFox, C:\Windows\System32\drivers\{cd63c300-b231-4a93-a479-5a1e96976d74}w.sys, Quarantined, [561], [299543],0.0.0
PUP.Optional.BrowseFox, C:\Windows\System32\drivers\{e9bebce7-deb3-4ab9-896c-549739f208c5}Gw.sys, Quarantined, [561], [299543],0.0.0
PUP.Optional.Amonetize, C:\WINDOWS\TASKS\UPDATEREX.JOB, Quarantined, [429], [183675],1.0.5448
PUP.Optional.Amonetize, C:\WINDOWS\SYSTEM32\TASKS\UPDATEREX, Quarantined, [429], [183674],1.0.5448
PUP.Optional.Linkey, C:\WINDOWS\SYSTEM32\CONFIG\SYSTEMPROFILE\APPDATA\ROAMING\MICROSOFT\INTERNET EXPLORER\QUICK LAUNCH\USER PINNED\TASKBAR\BROWSE AND SEARCH THE INTERNET.LNK, Quarantined, [4086], [190090],1.0.5448
PUP.Optional.DefaultSearch.ShrtCln, C:\USERS\OLGA MONZ\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\2DBQIWII.DEFAULT\SEARCHPLUGINS\DEFAULT-SEARCH.XML, Quarantined, [268], [237674],1.0.5448
PUP.Optional.DefaultSearch.ShrtCln, C:\PROGRAM FILES\MOZILLA FIREFOX\BROWSER\SEARCHPLUGINS\DEFAULT-SEARCH.XML, Quarantined, [268], [237677],1.0.5448
PUP.Optional.WinYahoo, C:\USERS\OLGA MONZ\APPDATA\ROAMING\MICROSOFT\WINDOWS\START MENU\PROGRAMS\HOWTOREMOVE.HTML.LNK, Quarantined, [245], [254335],1.0.5448
PUP.Optional.WinYahoo.TskLnk, C:\USERS\OLGA MONZ\APPDATA\LOCAL\{E0C2D69E-C46A-BA26-A9F2-9FCE8D9A6356}\fano, Quarantined, [3734], [484244],1.0.5448
PUP.Optional.WinYahoo.TskLnk, C:\Users\Olga Monz\AppData\Local\{E0C2D69E-C46A-BA26-A9F2-9FCE8D9A6356}\config.dat, Quarantined, [3734], [484244],1.0.5448
PUP.Optional.WinYahoo.TskLnk, C:\Users\Olga Monz\AppData\Local\{E0C2D69E-C46A-BA26-A9F2-9FCE8D9A6356}\HowToRemove.html, Quarantined, [3734], [484244],1.0.5448
PUP.Optional.WinYahoo.TskLnk, C:\Users\Olga Monz\AppData\Local\{E0C2D69E-C46A-BA26-A9F2-9FCE8D9A6356}\info.dat, Quarantined, [3734], [484244],1.0.5448
PUP.Optional.WinYahoo.TskLnk, C:\Users\Olga Monz\AppData\Local\{E0C2D69E-C46A-BA26-A9F2-9FCE8D9A6356}\install.log, Quarantined, [3734], [484244],1.0.5448
PUP.Optional.WinYahoo.TskLnk, C:\Users\Olga Monz\AppData\Local\{E0C2D69E-C46A-BA26-A9F2-9FCE8D9A6356}\Sqlite3.dll, Quarantined, [3734], [484244],1.0.5448
PUP.Optional.WinYahoo.TskLnk, C:\Users\Olga Monz\AppData\Local\{E0C2D69E-C46A-BA26-A9F2-9FCE8D9A6356}\STTL.DAT, Quarantined, [3734], [484244],1.0.5448
PUP.Optional.WinYahoo.TskLnk, C:\Users\Olga Monz\AppData\Local\{E0C2D69E-C46A-BA26-A9F2-9FCE8D9A6356}\TTL.DAT, Quarantined, [3734], [484244],1.0.5448
PUP.Optional.WinYahoo.TskLnk, C:\Users\Olga Monz\AppData\Local\{E0C2D69E-C46A-BA26-A9F2-9FCE8D9A6356}\uninst.dat, Quarantined, [3734], [484244],1.0.5448
PUP.Optional.WinYahoo.TskLnk, C:\Users\Olga Monz\AppData\Local\{E0C2D69E-C46A-BA26-A9F2-9FCE8D9A6356}\uninstall.exe, Quarantined, [3734], [484244],1.0.5448
PUP.Optional.WinYahoo.TskLnk, C:\WINDOWS\SYSTEM32\TASKS\UpdateTask, Quarantined, [3734], [484244],1.0.5448
PUP.Optional.WinYahoo.TskLnk, C:\WINDOWS\SYSTEM32\TASKS\UpdateTask, Quarantined, [3734], [-1],0.0.0
PUP.Optional.Sanbreel, C:\WINDOWS\SYSTEM32\DRIVERS\{7012EEC1-4F37-42D4-A2CD-26727494D248}GW.SYS, Quarantined, [5111], [242519],1.0.5448
PUP.Optional.Sanbreel, C:\WINDOWS\SYSTEM32\DRIVERS\{CD63C300-B231-4A93-A479-5A1E96976D74}W.SYS, Quarantined, [5111], [242523],1.0.5448
PUP.Optional.Sanbreel, C:\WINDOWS\SYSTEM32\DRIVERS\{E9BEBCE7-DEB3-4AB9-896C-549739F208C5}GW.SYS, Quarantined, [5111], [242519],1.0.5448
Adware.OtherSearch, C:\USERS\OLGA MONZ\APPDATA\LOCAL\TEMP\nsqFA78.tmp\Starter.exe, Quarantined, [6185], [469834],1.0.5448
Adware.OtherSearch, C:\Users\Olga Monz\AppData\Local\Temp\nsqFA78.tmp\Helper.dll, Quarantined, [6185], [469834],1.0.5448
PUP.Optional.DataMngr.AppFlsh, C:\Users\Olga Monz\AppData\LocalLow\DataMngr\{99BB1406-1CFB-488C-90D1-2D978E04F707}, Quarantined, [63], [181454],1.0.5448
PUP.Optional.Yontoo, C:\DOCUMENTS AND SETTINGS\ALL USERS\NTUSER.POL, Removal Failed, [35], [-1],0.0.0
PUP.Optional.Yontoo, C:\PROGRAMDATA\NTUSER.POL, Removal Failed, [35], [-1],0.0.0
PUP.Optional.Yontoo, C:\WINDOWS\SYSTEM32\GROUPPOLICY\MACHINE\REGISTRY.POL, Quarantined, [35], [-1],0.0.0
PUP.Optional.DefaultSearch.ShrtCln, C:\USERS\OLGA MONZ\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\2DBQIWII.DEFAULT\PREFS.JS, Replaced, [268], [301430],1.0.5448
PUP.Optional.WinYahoo, C:\USERS\OLGA MONZ\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\2DBQIWII.DEFAULT\SEARCHPLUGINS\SEARCH PROVIDED BY YAHOO.XML, Quarantined, [245], [302287],1.0.5448
PUP.Optional.WinYahoo, C:\USERS\OLGA MONZ\APPDATA\LOCAL\CHROMIUM\USER DATA\DEFAULT\SECURE PREFERENCES, Replaced, [245], [303044],1.0.5448
PUP.Optional.SpeedingUpMyPC, C:\USERS\OLGA MONZ\APPDATA\LOCAL\TEMP\IS366025459\11D7299A_STP\OPTIMIZERPRO3108.EXE, Quarantined, [1256], [334223],1.0.5448
PUP.Optional.FramedDisplay, C:\USERS\OLGA MONZ\APPDATA\LOCAL\TEMP\IS366025459\1DE257BB_STP.EXE, Quarantined, [489], [301049],1.0.5448
PUP.Optional.DealPly, C:\USERS\OLGA MONZ\APPDATA\LOCAL\TEMP\925.4847622057514_UPDATE.EXE, Quarantined, [67], [65491],1.0.5448
PUP.Optional.SpeedingUpMyPC, C:\USERS\OLGA MONZ\APPDATA\LOCAL\TEMP\_IU14D2N.TMP, Quarantined, [1256], [334223],1.0.5448
PUP.Optional.InstallCore, C:\USERS\OLGA MONZ\APPDATA\LOCAL\TEMP\ICSW1.14_0D1F2W1G1I1F1T1Q0W1L2T1T1C1Q1.14.EXE, Quarantined, [392], [444671],1.0.5448
PUP.Optional.AztecMedia, C:\WINDOWS\TEMP\784A79D4\PATCH_FF.EXE, Quarantined, [425], [300977],1.0.5448
PUP.Optional.AztecMedia, C:\USERS\OLGA MONZ\APPDATA\LOCAL\TEMP\NSN143C.TMP\HELPER.DLL, Quarantined, [425], [300977],1.0.5448
PUP.Optional.AztecMedia, C:\WINDOWS\TEMP\A239791B\SETTINGSMANAGERSETUP.EXE, Quarantined, [425], [300977],1.0.5448
PUP.Optional.AztecMedia, C:\USERS\OLGA MONZ\APPDATA\LOCAL\TEMP\IS366025459\0FFC43C5_STP\SETTINGSMANAGERSETUP.EXE, Quarantined, [425], [300977],1.0.5448
PUP.Optional.MyPCBackup, C:\USERS\OLGA MONZ\APPDATA\LOCAL\TEMP\IS366025459\1BABD450_STP\AFF_SETUP.EXE, Quarantined, [514], [301130],1.0.5448
PUP.Optional.MyPCBackup, C:\USERS\OLGA MONZ\APPDATA\LOCAL\TEMP\CLOUDBACKUP8235.EXE, Quarantined, [514], [15289],1.0.5448

Physical Sector: 0
(No malicious items detected)

WMI: 0
(No malicious items detected)


(end)
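
As an added example for this thread (not code from the poster, from BleepingComputer or from Malwarebytes), the Python script below parses the per-item detection lines of a Malwarebytes 3.x text log like the one posted above and reconciles the "Threats Detected" and "Threats Quarantined" totals against the per-entry actions. The line layout it assumes (detection name, target, action, two bracketed numeric ids, database version) is inferred from the posted log, not from any Malwarebytes documentation, and the meaning of the two ids is not stated on the page. The embedded log excerpt is constructed from six of the entries posted above, including both "Removal Failed" lines. Applied to the full log above, the same arithmetic gives 31 + 13 + 5 + 44 = 93 listed entries, of which two (the NTUSER.POL files) failed removal, which matches the 93 detected / 91 quarantined summary the poster asks about.

```python
"""Parse a Malwarebytes 3.x text log and reconcile its summary counts.

Added example for this thread; it is not Malwarebytes' code. The per-entry
line format is inferred from the log posted above:
    <detection name>, <registry key or path>, <action>, [<id>], [<id>],<db version>
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional

# Constructed excerpt in the posted log's format: six entries taken from the
# sections above, including both "Removal Failed" lines, so the script runs
# offline. The summary counts follow the same convention as the full log.
SAMPLE_LOG = r"""
-Scan Summary-
Scan Type: Threat Scan
Threats Detected: 6
Threats Quarantined: 4

-Scan Details-
Process: 0
(No malicious items detected)

Registry Key: 2
PUP.Optional.FramedDisplay, HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\Update Framed Display, Quarantined, [489], [238477],1.0.5448
PUP.Optional.Yontoo, HKLM\SOFTWARE\POLICIES\GOOGLE\CHROME, Quarantined, [35], [-1],0.0.0

File: 4
PUP.Optional.Yontoo, C:\DOCUMENTS AND SETTINGS\ALL USERS\NTUSER.POL, Removal Failed, [35], [-1],0.0.0
PUP.Optional.Yontoo, C:\PROGRAMDATA\NTUSER.POL, Removal Failed, [35], [-1],0.0.0
PUP.Optional.Yontoo, C:\WINDOWS\SYSTEM32\GROUPPOLICY\MACHINE\REGISTRY.POL, Quarantined, [35], [-1],0.0.0
PUP.Optional.DefaultSearch.ShrtCln, C:\USERS\OLGA MONZ\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\2DBQIWII.DEFAULT\PREFS.JS, Replaced, [268], [301430],1.0.5448

(end)
"""

# One detection line. The action field carries no commas or brackets, so the
# greedy target group cannot swallow it even if a path contains commas.
ENTRY_RE = re.compile(
    r"^(?P<family>[^,]+), (?P<target>.+), (?P<action>[^,\[\]]+), "
    r"\[(?P<id_a>-?\d+)\], \[(?P<id_b>-?\d+)\],(?P<db>[\d.]+)$"
)


@dataclass(frozen=True)
class Detection:
    family: str       # e.g. PUP.Optional.Yontoo
    target: str       # registry key, folder or file
    action: str       # Quarantined, Replaced, Removal Failed, ...
    id_a: int         # first bracketed id (meaning not documented on the page)
    id_b: int         # second bracketed id; -1 on the 0.0.0 entries above
    db_version: str   # database version that produced the entry


def parse_entries(text: str) -> List[Detection]:
    """Return every per-item detection line in the log, in order."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append(Detection(
                m["family"], m["target"], m["action"],
                int(m["id_a"]), int(m["id_b"]), m["db"],
            ))
    return entries


def summary_value(text: str, label: str) -> Optional[int]:
    """Read an integer from a 'Label: N' summary line, or None if absent."""
    m = re.search(rf"^{re.escape(label)}: (\d+)$", text, re.MULTILINE)
    return int(m.group(1)) if m else None


def reconcile(text: str) -> dict:
    """Check the summary totals against the listed entries.

    Convention observed in the posted log: every listed entry counts as
    detected, and every entry except "Removal Failed" counts as quarantined,
    so Detected minus Quarantined equals the number of failed removals.
    """
    entries = parse_entries(text)
    detected = summary_value(text, "Threats Detected")
    quarantined = summary_value(text, "Threats Quarantined")
    by_action = Counter(e.action for e in entries)
    failed = by_action.get("Removal Failed", 0)
    return {
        "detected": detected,
        "quarantined": quarantined,
        "entries": len(entries),
        "failed": failed,
        "by_action": by_action,
        "consistent": (detected == len(entries)
                       and quarantined == len(entries) - failed),
    }


def failed_targets(text: str) -> List[str]:
    """Targets the scanner could not remove; these need manual follow-up."""
    return [e.target for e in parse_entries(text) if e.action == "Removal Failed"]


if __name__ == "__main__":
    report = reconcile(SAMPLE_LOG)
    print(f"entries={report['entries']} detected={report['detected']} "
          f"quarantined={report['quarantined']} consistent={report['consistent']}")
    for action, n in sorted(report["by_action"].items()):
        print(f"  {action}: {n}")
    for target in failed_targets(SAMPLE_LOG):
        print("  still present:", target)
```

The entries that fail removal are the ones worth carrying forward to the next step: here both are NTUSER.POL policy files flagged under the same Yontoo detection as the Chrome policy key, which is why a follow-up FRST log and its policy-restriction lines are the natural thing to check next.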



#4 nasdaq

nasdaq

  • Malware Response Team
  • 38,955 posts
  • ONLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:09:06 AM

Posted 13 June 2018 - 12:38 PM

Hi,

You are doing well.

Please run the AdwCleaner and remove everything.

Run the Farbar program and post a fresh FRST.txt log.

p.s.
You will be able to remove the tools and the files created by them.

Edited by nasdaq, 13 June 2018 - 12:39 PM.


#5 k-j-m

k-j-m
  • Topic Starter

  • Members
  • 22 posts
  • OFFLINE
  • Local time:08:06 AM

Posted 13 June 2018 - 03:40 PM

It is good to hear that we are making progress!

When I ran AdwCleaner there were a number of findings, as you will see.  I could not really tell what some of them were but, since they were PUPs, I allowed AdwCleaner to eliminate them.  AdwCleaner did create two log files, so I have included both of them for your review.

I also have included both of the FRST logs.

AdwCleaner[C00]

# -------------------------------
# Malwarebytes AdwCleaner 7.2.0.0
# -------------------------------
# Build:    06-05-2018
# Database: 2018-04-24.1
# Support:  https://www.malwarebytes.com/support
#
# -------------------------------
# Mode: Clean
# -------------------------------
# Start:    06-13-2018
# Duration: 00:00:04
# OS:       Windows 7 Professional
# Cleaned:  18
# Failed:   0


***** [ Services ] *****

No malicious services cleaned.

***** [ Folders ] *****

No malicious folders cleaned.

***** [ Files ] *****

Deleted       C:\Users\Olga Monz\Desktop\Facebook.lnk

***** [ DLL ] *****

No malicious DLLs cleaned.

***** [ WMI ] *****

No malicious WMI cleaned.

***** [ Shortcuts ] *****

No malicious shortcuts cleaned.

***** [ Tasks ] *****

Deleted       C:\Windows\Tasks\updateTask.job

***** [ Registry ] *****

Deleted       HKLM\Software\Classes\Interface\{FC073BDA-C115-4A1D-9DF9-9B5C461482E5}
Deleted       HKLM\Software\Classes\Interface\{4E6354DE-9115-4AEE-BD21-C46C3E8A49DB}
Deleted       HKLM\Software\Classes\TypeLib\{A2D733A7-73B0-4C6B-B0C7-06A432950B66}
Deleted       HKLM\Software\Classes\CLSID\{5A4E3A41-FA55-4BDA-AED7-CEBE6E7BCB52}
Deleted       HKCU\Software\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER\S-1-5-21-808537165-590170511-107395098-1000\Software\Framed Display
Deleted       HKLM\Software\Classes\CLSID\{1AA60054-57D9-4F99-9A55-D0FBFBE7ECD3}
Deleted       HKCU\Software\yahooprovidedsearch
Deleted       HKLM\Software\{3A7D3E19-1B79-4E4E-BD96-5467DA2C4EF0}
Deleted       HKCU\Software\WebBar
Deleted       HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{54739D49-AC03-4C57-9264-C5195596B3A1}
Deleted       HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\superfish.com
Deleted       HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\default-search.net
Deleted       HKCU\Software\Microsoft\Internet Explorer\DOMStorage\default-search.net
Deleted       HKCU\Software\Microsoft\Internet Explorer\DOMStorage\cmptch.com
Deleted       HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\frameddisplay.com
Deleted       HKCU\Software\Linkey

***** [ Chromium (and derivatives) ] *****

No malicious Chromium entries cleaned.

***** [ Chromium URLs ] *****

No malicious Chromium URLs cleaned.

***** [ Firefox (and derivatives) ] *****

No malicious Firefox entries cleaned.

***** [ Firefox URLs ] *****

No malicious Firefox URLs cleaned.


*************************

[+] Delete Tracing Keys
[+] Reset Winsock

*************************

AdwCleaner[S00].txt - [2920 octets] - [13/06/2018 15:09:03]

########## EOF - C:\AdwCleaner\Logs\AdwCleaner[C00].txt ##########


AdwCleaner[S00]

# -------------------------------
# Malwarebytes AdwCleaner 7.2.0.0
# -------------------------------
# Build:    06-05-2018
# Database: 2018-04-24.1
# Support:  https://www.malwarebytes.com/support
#
# -------------------------------
# Mode: Scan
# -------------------------------
# Start:    06-13-2018
# Duration: 00:00:38
# OS:       Windows 7 Professional
# Scanned:  40920
# Detected: 18


***** [ Services ] *****

No malicious services found.

***** [ Folders ] *****

No malicious folders found.

***** [ Files ] *****

PUP.Optional.Legacy             C:\Users\Olga Monz\Desktop\Facebook.lnk

***** [ DLL ] *****

No malicious DLLs found.

***** [ WMI ] *****

No malicious WMI found.

***** [ Shortcuts ] *****

No malicious shortcuts found.

***** [ Tasks ] *****

PUP.Optional.Legacy             C:\Windows\Tasks\updateTask.job

***** [ Registry ] *****

PUP.Optional.AppEnable.A        HKLM\Software\Classes\Interface\{FC073BDA-C115-4A1D-9DF9-9B5C461482E5}
PUP.Optional.AppEnable.A        HKLM\Software\Classes\Interface\{4E6354DE-9115-4AEE-BD21-C46C3E8A49DB}
PUP.Optional.AppEnable.A        HKLM\Software\Classes\TypeLib\{A2D733A7-73B0-4C6B-B0C7-06A432950B66}
PUP.Optional.AppEnable.A        HKLM\Software\Classes\CLSID\{5A4E3A41-FA55-4BDA-AED7-CEBE6E7BCB52}
PUP.Optional.BrowseFox          HKCU\Software\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER\S-1-5-21-808537165-590170511-107395098-1000\Software\Framed Display
PUP.Optional.BrowseFox.A        HKLM\Software\Classes\CLSID\{1AA60054-57D9-4F99-9A55-D0FBFBE7ECD3}
PUP.Optional.Legacy             HKCU\Software\yahooprovidedsearch
PUP.Optional.Legacy             HKLM\Software\{3A7D3E19-1B79-4E4E-BD96-5467DA2C4EF0}
PUP.Optional.Legacy             HKCU\Software\WebBar
PUP.Optional.Legacy             HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{54739D49-AC03-4C57-9264-C5195596B3A1}
PUP.Optional.Legacy             HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\superfish.com
PUP.Optional.Legacy             HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\default-search.net
PUP.Optional.Legacy             HKCU\Software\Microsoft\Internet Explorer\DOMStorage\default-search.net
PUP.Optional.Legacy             HKCU\Software\Microsoft\Internet Explorer\DOMStorage\cmptch.com
PUP.Optional.Legacy             HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\frameddisplay.com
PUP.Optional.Linkey.AppFlsh     HKCU\Software\Linkey

***** [ Chromium (and derivatives) ] *****

No malicious Chromium entries found.

***** [ Chromium URLs ] *****

No malicious Chromium URLs found.

***** [ Firefox (and derivatives) ] *****

No malicious Firefox entries found.

***** [ Firefox URLs ] *****

No malicious Firefox URLs found.



########## EOF - C:\AdwCleaner\Logs\AdwCleaner[S00].txt ##########

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 06.06.2018 01
Ran by Olga Monz (administrator) on OLGAMONZ-PC (13-06-2018 15:20:03)
Running from C:\Users\Olga Monz\Desktop
Loaded Profiles: Olga Monz (Available Profiles: Olga Monz & Administrator)
Platform: Microsoft Windows 7 Professional  Service Pack 1 (X86) Language: English (United States)
Internet Explorer Version 9 (Default browser: IE)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(Sophos Limited) C:\Program Files\Sophos\Sophos Anti-Virus\SavService.exe
(Intel Corporation) C:\Windows\System32\igfxtray.exe
(Intel Corporation) C:\Windows\System32\hkcmd.exe
(Intel Corporation) C:\Windows\System32\igfxsrvc.exe
(Intel Corporation) C:\Windows\System32\igfxpers.exe
(Sophos Limited) C:\Program Files\Sophos\AutoUpdate\ALMon.exe
(Sophos Limited) C:\Program Files\Sophos\Sophos Anti-Virus\SAVAdminService.exe
(Sophos Limited) C:\Program Files\Sophos\AutoUpdate\ALsvc.exe
(Sophos Limited) C:\Program Files\Sophos\Sophos Anti-Virus\Web Intelligence\swi_service.exe
(Malwarebytes) C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe
(Malwarebytes) C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe

==================== Registry (Whitelisted) ===========================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [BCSSync] => C:\Program Files\Microsoft Office\Office14\BCSSync.exe [91520 2010-03-13] (Microsoft Corporation)
HKLM\...\Run: [Sophos AutoUpdate Monitor] => C:\Program Files\Sophos\AutoUpdate\almon.exe [929272 2013-01-11] (Sophos Limited)
HKU\S-1-5-18\...\RunOnce: [SPReview] => "C:\Windows\System32\SPReview\SPReview.exe" /sp:1 /errorfwlink:"hxxp://go.microsoft.com/fwlink/?LinkID=122915" /build:7601
CHR HKLM\SOFTWARE\Policies\Google: Restriction <==== ATTENTION

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

Winsock: Catalog9 01 C:\ProgramData\Sophos\Web Intelligence\swi_ifslsp.dll [88128 2012-11-12] (Sophos Limited)
Winsock: Catalog9 02 C:\ProgramData\Sophos\Web Intelligence\swi_ifslsp.dll [88128 2012-11-12] (Sophos Limited)
Winsock: Catalog9 03 C:\ProgramData\Sophos\Web Intelligence\swi_ifslsp.dll [88128 2012-11-12] (Sophos Limited)
Winsock: Catalog9 04 C:\ProgramData\Sophos\Web Intelligence\swi_ifslsp.dll [88128 2012-11-12] (Sophos Limited)
Winsock: Catalog9 05 C:\ProgramData\Sophos\Web Intelligence\swi_ifslsp.dll [88128 2012-11-12] (Sophos Limited)
Winsock: Catalog9 06 C:\ProgramData\Sophos\Web Intelligence\swi_ifslsp.dll [88128 2012-11-12] (Sophos Limited)
Winsock: Catalog9 07 C:\ProgramData\Sophos\Web Intelligence\swi_ifslsp.dll [88128 2012-11-12] (Sophos Limited)
Winsock: Catalog9 08 C:\ProgramData\Sophos\Web Intelligence\swi_ifslsp.dll [88128 2012-11-12] (Sophos Limited)
Winsock: Catalog9 29 C:\ProgramData\Sophos\Web Intelligence\swi_ifslsp.dll [88128 2012-11-12] (Sophos Limited)
Tcpip\Parameters: [DhcpNameServer] 192.168.1.254
Tcpip\..\Interfaces\{00D28703-21F1-4DA6-B4BA-A3C9AB64FA7A}: [DhcpNameServer] 192.168.1.254
Tcpip\..\Interfaces\{C501E438-4D9C-4D5C-B94E-FAE49B0740DD}: [DhcpNameServer] 192.168.1.254

Internet Explorer:
==================
HKU\S-1-5-21-808537165-590170511-107395098-1000\Software\Microsoft\Internet Explorer\Main,Start Page = hxxps://www.google.com/
HKU\S-1-5-21-808537165-590170511-107395098-1000\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = hxxp://www.msn.com/?ocid=iehp
SearchScopes: HKLM -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-21-808537165-590170511-107395098-1000 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
BHO: Groove GFS Browser Helper -> {72853161-30C5-4D22-B7F9-0BBC1D38A37E} -> C:\Program Files\Microsoft Office\Office14\GROOVEEX.DLL [2011-06-12] (Microsoft Corporation)
BHO: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL [2010-02-28] (Microsoft Corporation)

FireFox:
========
FF ProfilePath: C:\Users\Olga Monz\AppData\Roaming\Mozilla\Firefox\Profiles\2dbqiwii.default [2018-06-12]
FF user.js: detected! => C:\Users\Olga Monz\AppData\Roaming\Mozilla\Firefox\Profiles\2dbqiwii.default\user.js [2018-06-11]
FF Homepage: Mozilla\Firefox\Profiles\2dbqiwii.default -> google.com
FF Extension: (No Name) - C:\Users\Olga Monz\AppData\Roaming\Mozilla\Firefox\Profiles\2dbqiwii.default\extensions\extension@linkeyproject.com [not found]
FF Extension: (No Name) - C:\Users\Olga Monz\AppData\Roaming\Mozilla\Firefox\Profiles\2dbqiwii.default\extensions\{e9bebce7-deb3-4ab9-896c-549739f208c5}.xpi [not found]
FF Extension: (No Name) - C:\Users\Olga Monz\AppData\Roaming\Mozilla\Firefox\Profiles\2dbqiwii.default\extensions\{7012eec1-4f37-42d4-a2cd-26727494d248}.xpi [not found]
FF Plugin: @adobe.com/ShockwavePlayer -> C:\Windows\system32\Adobe\Director\np32dsw_1211151.dll [2014-04-15] (Adobe Systems, Inc.)
FF Plugin: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> C:\Program Files\Microsoft Silverlight\5.1.30514.0\npctrl.dll [2014-05-13] ( Microsoft Corporation)
FF Plugin: @microsoft.com/OfficeAuthz,version=14.0 -> C:\PROGRA~1\MICROS~1\Office14\NPAUTHZ.DLL [2010-01-09] (Microsoft Corporation)
FF Plugin: @microsoft.com/SharePoint,version=14.0 -> C:\PROGRA~1\MICROS~1\Office14\NPSPWRAP.DLL [2010-03-24] (Microsoft Corporation)
FF Plugin: Adobe Reader -> C:\Program Files\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll [2017-03-28] (Adobe Systems Inc.)

==================== Services (Whitelisted) ====================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R2 MBAMService; C:\Program Files\Malwarebytes\Anti-Malware\mbamservice.exe [4753104 2018-05-09] (Malwarebytes)
R2 SAVAdminService; C:\Program Files\Sophos\Sophos Anti-Virus\SAVAdminService.exe [217592 2013-01-11] (Sophos Limited)
R2 SAVService; C:\Program Files\Sophos\Sophos Anti-Virus\SavService.exe [159296 2012-09-21] (Sophos Limited)
R2 Sophos AutoUpdate Service; C:\Program Files\Sophos\AutoUpdate\ALsvc.exe [237048 2013-01-11] (Sophos Limited)
R2 swi_service; C:\Program Files\Sophos\Sophos Anti-Virus\Web Intelligence\swi_service.exe [2890232 2013-02-04] (Sophos Limited)
S2 swi_update; C:\ProgramData\Sophos\Web Intelligence\swi_update.exe [1468920 2013-02-04] (Sophos Limited)
R2 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [680960 2009-07-13] (Microsoft Corporation)

===================== Drivers (Whitelisted) ======================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R0 MBAMSwissArmy; C:\Windows\System32\Drivers\mbamswissarmy.sys [220896 2018-06-13] (Malwarebytes)
R1 SAVOnAccess; C:\Windows\System32\DRIVERS\savonaccess.sys [132424 2012-09-21] (Sophos Limited)
R1 SKMScan; C:\Windows\System32\DRIVERS\skmscan.sys [33096 2012-10-23] (Sophos Limited)
S4 SophosBootDriver; C:\Windows\System32\DRIVERS\SophosBootDriver.sys [22536 2011-08-25] (Sophos Plc)

==================== NetSvcs (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)


==================== One Month Created files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2018-06-13 15:12 - 2018-06-13 15:12 - 000002776 _____ C:\Users\Olga Monz\Desktop\AdwCleaner[C00].txt
2018-06-13 15:09 - 2018-06-13 15:09 - 000002920 _____ C:\Users\Olga Monz\Desktop\AdwCleaner[S00].txt
2018-06-13 15:07 - 2018-06-13 15:11 - 000000000 ____D C:\AdwCleaner
2018-06-13 09:01 - 2018-06-13 09:01 - 000014796 _____ C:\Users\Olga Monz\Desktop\Malwarebytes_Scan_1.txt
2018-06-13 08:48 - 2018-06-13 08:58 - 000000258 __RSH C:\ProgramData\ntuser.pol
2018-06-13 08:18 - 2018-06-13 08:18 - 000220896 _____ (Malwarebytes) C:\Windows\system32\Drivers\mbamswissarmy.sys
2018-06-13 08:17 - 2018-06-13 08:17 - 000002016 _____ C:\Users\Public\Desktop\Malwarebytes.lnk
2018-06-13 08:17 - 2018-06-13 08:17 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes
2018-06-13 08:17 - 2018-05-24 06:55 - 000128736 _____ (Malwarebytes) C:\Windows\system32\Drivers\mbae.sys
2018-06-13 08:16 - 2018-06-13 08:16 - 000000000 ____D C:\ProgramData\Malwarebytes
2018-06-13 08:16 - 2018-06-13 08:16 - 000000000 ____D C:\Program Files\Malwarebytes
2018-06-13 08:15 - 2018-06-13 08:11 - 077609632 _____ (Malwarebytes ) C:\Users\Olga Monz\Desktop\mb3-setup-consumer-3.5.1.2522-1.0.374-1.0.5448.exe
2018-06-13 08:15 - 2018-06-13 08:11 - 007372496 _____ (Malwarebytes) C:\Users\Olga Monz\Desktop\adwcleaner_7.2.0.exe
2018-06-12 20:50 - 2018-06-12 20:51 - 000019809 _____ C:\Users\Olga Monz\Desktop\Addition.txt
2018-06-12 20:49 - 2018-06-13 15:21 - 000007808 _____ C:\Users\Olga Monz\Desktop\FRST.txt
2018-06-12 20:48 - 2018-06-13 15:20 - 000000000 ____D C:\FRST
2018-06-12 20:47 - 2018-06-12 20:33 - 001773568 _____ (Farbar) C:\Users\Olga Monz\Desktop\FRST.exe
2018-06-11 13:21 - 2018-06-11 13:21 - 000000000 ____D C:\Users\Olga Monz\AppData\Local\ElevatedDiagnostics
2018-06-11 10:11 - 2018-06-11 10:11 - 000000000 ____D C:\Users\Olga Monz\AppData\Local\Sophos
2018-06-11 09:57 - 2014-08-08 14:35 - 000001409 _____ C:\Users\Olga Monz\Desktop\Internet Explorer.lnk
2018-06-11 09:10 - 2018-06-11 09:10 - 000000000 ____D C:\ProgramData\2308189059
2018-06-11 08:59 - 2018-06-12 13:13 - 000000000 ____D C:\Users\Olga Monz\AppData\LocalLow\Mozilla
2018-06-10 21:02 - 2018-06-11 15:27 - 000000000 ___RD C:\Users\Olga Monz\Documents\Scanned Documents
2018-06-10 21:02 - 2018-06-11 15:27 - 000000000 ____D C:\Users\Olga Monz\Documents\Fax
2018-06-10 20:51 - 2018-06-11 15:48 - 000000000 ____D C:\Users\Olga Monz\AppData\Local\Microsoft Games
2018-06-09 14:31 - 2018-06-09 14:31 - 000001113 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Firefox.lnk
2018-06-09 14:31 - 2018-06-09 14:31 - 000001101 _____ C:\Users\Public\Desktop\Firefox.lnk
2018-06-09 14:31 - 2018-06-09 14:31 - 000000000 ____D C:\Program Files\Mozilla Maintenance Service
2018-06-09 14:04 - 2018-06-11 15:44 - 000000000 ____D C:\Program Files\Microsoft Games
2018-06-07 19:27 - 2014-08-07 10:12 - 000002951 _____ C:\Users\Olga Monz\Desktop\Microsoft Excel 2010.lnk
2018-06-07 19:26 - 2014-08-07 10:12 - 000003021 _____ C:\Users\Olga Monz\Desktop\Microsoft Word 2010.lnk
2018-06-05 19:24 - 2018-06-05 19:24 - 000000000 ____D C:\Windows\pss
2018-06-05 18:49 - 2018-06-05 18:49 - 000000000 ____D C:\Users\Olga Monz\AppData\LocalLow\Adobe
2018-06-05 18:49 - 2018-06-05 18:49 - 000000000 ____D C:\Users\Olga Monz\AppData\Local\Adobe

==================== One Month Modified files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2018-06-13 15:20 - 2009-07-13 23:34 - 000021440 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2018-06-13 15:20 - 2009-07-13 23:34 - 000021440 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2018-06-13 15:19 - 2014-08-07 10:02 - 000726316 _____ C:\Windows\system32\PerfStringBackup.INI
2018-06-13 15:19 - 2009-07-13 21:37 - 000000000 ____D C:\Windows\inf
2018-06-13 15:13 - 2009-07-13 23:53 - 000000006 ____H C:\Windows\Tasks\SA.DAT
2018-06-13 10:57 - 2014-09-01 12:13 - 000007605 _____ C:\Users\Olga Monz\AppData\Local\Resmon.ResmonCfg
2018-06-12 12:47 - 2009-07-13 21:37 - 000000000 __RHD C:\Users\Public\Libraries
2018-06-12 12:30 - 2009-07-13 21:37 - 000000000 ____D C:\Windows\system32\NDF
2018-06-11 17:10 - 2009-07-13 21:37 - 000000000 ____D C:\Windows\rescache
2018-06-11 15:44 - 2009-07-13 23:52 - 000000000 ___RD C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Games
2018-06-11 15:24 - 2009-07-13 21:37 - 000000000 ____D C:\Windows\Registration
2018-06-11 12:55 - 2014-10-09 13:03 - 000000000 ____D C:\Users\Olga Monz\AppData\Roaming\INOP_UpdaterEX
2018-06-11 09:52 - 2014-08-11 07:55 - 000000000 ____D C:\Windows\system32\appmgmt
2018-06-11 08:59 - 2014-08-08 14:40 - 000000000 ____D C:\Users\Olga Monz\AppData\Roaming\Mozilla
2018-06-10 21:31 - 2014-08-07 10:06 - 000000000 ____D C:\Users\Olga Monz\AppData\Local\Microsoft Help
2018-06-10 21:09 - 2014-08-14 09:19 - 000000000 ____D C:\Users\Olga Monz\AppData\Roaming\Adobe
2018-06-09 14:31 - 2014-08-08 07:21 - 000000000 ____D C:\Program Files\Mozilla Firefox
2018-06-09 14:03 - 2014-10-15 11:44 - 000000217 _____ C:\Users\Olga Monz\AppData\Roaming\WB.CFG
2018-06-09 13:24 - 2014-08-07 10:37 - 000002441 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Adobe Reader XI.lnk
2018-06-09 13:23 - 2014-08-07 10:36 - 000000000 ____D C:\Program Files\Common Files\Adobe
2018-06-07 19:46 - 2014-08-07 10:12 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Office
2018-06-05 19:21 - 2009-07-13 21:37 - 000000000 ___HD C:\Windows\system32\GroupPolicy
2018-06-05 18:49 - 2014-08-07 10:30 - 000000000 ____D C:\ProgramData\Adobe

==================== Files in the root of some directories =======

2014-10-15 11:44 - 2018-06-09 14:03 - 000000217 _____ () C:\Users\Olga Monz\AppData\Roaming\WB.CFG
2014-09-01 12:13 - 2018-06-13 10:57 - 000007605 _____ () C:\Users\Olga Monz\AppData\Local\Resmon.ResmonCfg

Some files in TEMP:
====================
2014-10-09 14:07 - 2014-10-09 14:07 - 000000000 _____ () C:\Users\Olga Monz\AppData\Local\Temp\im08mnqy.dll
2018-06-12 13:11 - 2018-06-12 13:11 - 001868288 _____ (Opera Software) C:\Users\Olga Monz\AppData\Local\Temp\Opera_installer_1806121810086183476.dll
2014-10-09 12:57 - 2014-10-09 12:57 - 005777584 _____ (                                                            ) C:\Users\Olga Monz\AppData\Local\Temp\optprosetup.exe
2014-10-09 13:04 - 2014-10-09 14:06 - 000006144 _____ () C:\Users\Olga Monz\AppData\Local\Temp\uyjy9wqs.dll
2014-10-09 12:57 - 2014-10-09 12:58 - 004216840 _____ (Microsoft Corporation) C:\Users\Olga Monz\AppData\Local\Temp\vcredist_x86.exe

==================== Bamital & volsnap ======================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\explorer.exe => File is digitally signed
C:\Windows\system32\winlogon.exe => File is digitally signed
C:\Windows\system32\wininit.exe => File is digitally signed
C:\Windows\system32\svchost.exe => File is digitally signed
C:\Windows\system32\services.exe => File is digitally signed
C:\Windows\system32\User32.dll => File is digitally signed
C:\Windows\system32\userinit.exe => File is digitally signed
C:\Windows\system32\rpcss.dll => File is digitally signed
C:\Windows\system32\dnsapi.dll => File is digitally signed
C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed

LastRegBack: 2018-06-11 17:02

==================== End of FRST.txt ============================

Additional scan result of Farbar Recovery Scan Tool (x86) Version: 06.06.2018 01
Ran by Olga Monz (13-06-2018 15:21:58)
Running from C:\Users\Olga Monz\Desktop
Microsoft Windows 7 Professional  Service Pack 1 (X86) (2014-08-07 14:57:06)
Boot Mode: Normal
==========================================================


==================== Accounts: =============================

Administrator (S-1-5-21-808537165-590170511-107395098-500 - Administrator - Enabled) => C:\Users\Administrator
Guest (S-1-5-21-808537165-590170511-107395098-501 - Limited - Disabled)
HomeGroupUser$ (S-1-5-21-808537165-590170511-107395098-1007 - Limited - Enabled)
Olga Monz (S-1-5-21-808537165-590170511-107395098-1000 - Administrator - Enabled) => C:\Users\Olga Monz
SophosSAUOLGAMONZ-P0 (S-1-5-21-808537165-590170511-107395098-1005 - Limited - Enabled)

==================== Security Center ========================

(If an entry is included in the fixlist, it will be removed.)

AV: Sophos Anti-Virus (Enabled - Out of date) {65FBD860-96D8-75EF-C7ED-7BE27E6C498A}
AS: Windows Defender (Disabled - Out of date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
AS: Sophos Anti-Virus (Enabled - Out of date) {DE9A3984-B0E2-7A61-FD5D-409005EB0337}

==================== Installed Programs ======================

(Only the adware programs with "Hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)

Adobe AIR (HKLM\...\Adobe AIR) (Version: 3.8.0.1430 - Adobe Systems Incorporated)
Adobe Flash Player 13 ActiveX (HKLM\...\Adobe Flash Player ActiveX) (Version: 13.0.0.214 - Adobe Systems Incorporated)
Adobe Reader XI (11.0.20) (HKLM\...\{AC76BA86-7AD7-1033-7B44-AB0000000001}) (Version: 11.0.20 - Adobe Systems Incorporated)
Adobe Shockwave Player 12.1 (HKLM\...\Adobe Shockwave Player) (Version: 12.1.1.151 - Adobe Systems, Inc.)
Intel® Graphics Media Accelerator Driver (HKLM\...\HDMI) (Version: 8.15.10.1930 - Intel Corporation)
Malwarebytes version 3.5.1.2522 (HKLM\...\{35065F43-4BB2-439A-BFF7-0F1014F2E0CD}_is1) (Version: 3.5.1.2522 - Malwarebytes)
Microsoft .NET Framework 4 Client Profile (HKLM\...\Microsoft .NET Framework 4 Client Profile) (Version: 4.0.30319 - Microsoft Corporation)
Microsoft Office Professional Plus 2010 (HKLM\...\Office14.PROPLUS) (Version: 14.0.4763.1000 - Microsoft Corporation)
Microsoft Silverlight (HKLM\...\{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}) (Version: 5.1.30514.0 - Microsoft Corporation)
Mozilla Firefox 60.0.2 (x86 en-US) (HKLM\...\Mozilla Firefox 60.0.2 (x86 en-US)) (Version: 60.0.2 - Mozilla)
Mozilla Maintenance Service (HKLM\...\MozillaMaintenanceService) (Version: 60.0.2 - Mozilla)
Opera Stable 53.0.2907.68 (HKU\S-1-5-21-808537165-590170511-107395098-1000\...\Opera 53.0.2907.68) (Version: 53.0.2907.68 - Opera Software)
Sophos Anti-Virus (HKLM\...\{9ACB414D-9347-40B6-A453-5EFB2DB59DFA}) (Version: 10.2.7 - Sophos Limited)
Sophos AutoUpdate (HKLM\...\{15C418EB-7675-42be-B2B3-281952DA014D}) (Version: 2.9.0.344 - Sophos Limited)
swMSM (HKLM\...\{612C34C7-5E90-47D8-9B5C-0F717DD82726}) (Version: 12.0.0.1 - Adobe Systems, Inc) Hidden

==================== Custom CLSID (Whitelisted): ==========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

CustomCLSID: HKU\S-1-5-21-808537165-590170511-107395098-1000_Classes\CLSID\{A2DF06F9-A21A-44A8-8A99-8B9C84F29160}\localserver32 -> C:\Users\Olga Monz\AppData\Local\Chromium\Application\46.0.2480.0\delegate_execute.exe (The Chromium Authors) <==== ATTENTION
ContextMenuHandlers1: [SavShellExt] -> {A3A1D8A1-006D-4B93-BA27-6F6B4C9C4F1D} => C:\Program Files\Sophos\Sophos Anti-Virus\SavShellExt.dll [2012-12-13] (Sophos Limited)
ContextMenuHandlers2: [SavShellExt] -> {A3A1D8A1-006D-4B93-BA27-6F6B4C9C4F1D} => C:\Program Files\Sophos\Sophos Anti-Virus\SavShellExt.dll [2012-12-13] (Sophos Limited)
ContextMenuHandlers3: [MBAMShlExt] -> {57CE581A-0CB6-4266-9CA0-19364C90A0B3} => C:\Program Files\Malwarebytes\Anti-Malware\mbshlext.dll [2018-05-09] (Malwarebytes)
ContextMenuHandlers4: [SavShellExt] -> {A3A1D8A1-006D-4B93-BA27-6F6B4C9C4F1D} => C:\Program Files\Sophos\Sophos Anti-Virus\SavShellExt.dll [2012-12-13] (Sophos Limited)
ContextMenuHandlers5: [igfxcui] -> {3AB1675A-CCFF-11D2-8B20-00A0C93CB1F4} => C:\Windows\system32\igfxpph.dll [2009-09-23] (Intel Corporation)
ContextMenuHandlers6: [MBAMShlExt] -> {57CE581A-0CB6-4266-9CA0-19364C90A0B3} => C:\Program Files\Malwarebytes\Anti-Malware\mbshlext.dll [2018-05-09] (Malwarebytes)
ContextMenuHandlers6: [SavShellExt] -> {A3A1D8A1-006D-4B93-BA27-6F6B4C9C4F1D} => C:\Program Files\Sophos\Sophos Anti-Virus\SavShellExt.dll [2012-12-13] (Sophos Limited)

==================== Scheduled Tasks (Whitelisted) =============

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

Task: {8C7A86FD-A32A-4ADF-B56F-BDC79497D16C} - System32\Tasks\Adobe Acrobat Update Task => C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe [2018-02-09] (Adobe Systems Incorporated)
Task: {EF2809A8-CC34-490B-A5A2-806F4FBE9C78} - System32\Tasks\Opera scheduled Autoupdate 1446496636 => C:\Users\Olga Monz\AppData\Local\Programs\Opera\launcher.exe [2018-05-23] (Opera Software)

(If an entry is included in the fixlist, the task (.job) file will be moved. The file which is running by the task will not be moved.)


==================== Shortcuts & WMI ========================

(The entries could be listed to be restored or removed.)


==================== Loaded Modules (Whitelisted) ==============

2010-01-30 02:41 - 2010-01-30 02:41 - 004254560 _____ () C:\Program Files\Common Files\microsoft shared\OFFICE14\Cultures\OFFICE.ODF
2010-03-24 21:17 - 2010-03-24 21:17 - 008794464 _____ () C:\Program Files\Microsoft Office\Office14\1033\GrooveIntlResource.dll
2018-06-13 08:17 - 2018-04-25 13:16 - 001930960 _____ () C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\SelfProtectionSdk.dll

==================== Alternate Data Streams (Whitelisted) =========

==================== Safe Mode (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The "AlternateShell" value will be restored.)

HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MBAMService => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SAVService => ""="service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\MBAMService => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\SAVService => ""="service"

==================== Association (Whitelisted) ===============

(If an entry is included in the fixlist, the registry item will be restored to default or removed.)


==================== Internet Explorer trusted/restricted ===============

(If an entry is included in the fixlist, it will be removed from the registry.)


==================== Hosts content: ===============================

(If needed Hosts: directive could be included in the fixlist to reset Hosts.)

2009-07-13 21:04 - 2009-06-10 16:39 - 000000824 _____ C:\Windows\system32\Drivers\etc\hosts


==================== Other Areas ============================

(Currently there is no automatic fix for this section.)

HKU\S-1-5-21-808537165-590170511-107395098-1000\Control Panel\Desktop\\Wallpaper -> C:\Users\Olga Monz\AppData\Roaming\Microsoft\Windows\Themes\TranscodedWallpaper.jpg
DNS Servers: Media is not connected to internet.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System => (ConsentPromptBehaviorAdmin: 5) (ConsentPromptBehaviorUser: 3) (EnableLUA: 1)
Windows Firewall is enabled.

==================== MSCONFIG/TASK MANAGER disabled items ==

MSCONFIG\startupfolder: C:^Users^Olga Monz^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^MyPC Backup.lnk => C:\Windows\pss\MyPC Backup.lnk.Startup
MSCONFIG\startupreg: Driver Support => C:\Program Files\Driver Support\Driver Support\DriverSupport.exe /applicationMode:systemTray /showWelcome:false
MSCONFIG\startupreg: GoogleChromeAutoLaunch_9B56C802069DB60609951592156D243E => "C:\Users\Olga Monz\AppData\Local\Chromium\Application\chrome.exe" --auto-launch-at-startup --profile-directory="Default" --restore-last-session
MSCONFIG\startupreg: Optimizer Pro => C:\Program Files\Optimizer Pro\OptProLauncher.exe

==================== FirewallRules (Whitelisted) ===============

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

FirewallRules: [SPPSVC-In-TCP] => (Allow) %SystemRoot%\system32\sppsvc.exe
FirewallRules: [SPPSVC-In-TCP-NoScope] => (Allow) %SystemRoot%\system32\sppsvc.exe
FirewallRules: [{789A7AF5-0712-40E9-AF6D-15E8B30D2702}] => (Allow) C:\Program Files\Mozilla Firefox\firefox.exe
FirewallRules: [{8DAAB1E7-0353-4357-89A9-44F72A9E557F}] => (Allow) C:\Program Files\Mozilla Firefox\firefox.exe
FirewallRules: [TCP Query User{BFD1B435-9759-404B-80B3-22A75B3878BE}C:\windows\system32\mmc.exe] => (Block) C:\windows\system32\mmc.exe
FirewallRules: [UDP Query User{86A34D53-93D9-49C6-9BC7-32281D934ACF}C:\windows\system32\mmc.exe] => (Block) C:\windows\system32\mmc.exe

==================== Restore Points =========================

09-10-2014 12:54:45 Windows 7 Service Pack 1
09-10-2014 14:16:18 Windows Update
17-12-2014 18:27:10 Scheduled Checkpoint
17-12-2014 23:24:12 Windows Update
30-12-2014 12:18:33 Windows Update
09-06-2018 14:02:47 Windows Modules Installer
11-06-2018 15:42:54 Windows Modules Installer

==================== Faulty Device Manager Devices =============

Name: Teredo Tunneling Pseudo-Interface
Description: Microsoft Teredo Tunneling Adapter
Class Guid: {4d36e972-e325-11ce-bfc1-08002be10318}
Manufacturer: Microsoft
Service: tunnel
Problem: : This device cannot start. (Code10)
Resolution: Device failed to start. Click "Update Driver" to update the drivers for this device.
On the "General Properties" tab of the device, click "Troubleshoot" to start the troubleshooting wizard.

Name: Atheros AR5007EG Wireless Network Adapter
Description: Atheros AR5007EG Wireless Network Adapter
Class Guid: {4d36e972-e325-11ce-bfc1-08002be10318}
Manufacturer: Atheros Communications Inc.
Service: athr
Problem: : This device is disabled. (Code 22)
Resolution: In Device Manager, click "Action", and then click "Enable Device". This starts the Enable Device wizard. Follow the instructions.


==================== Event log errors: =========================

Application errors:
==================
Error: (06/13/2018 10:57:45 AM) (Source: SideBySide) (EventID: 33) (User: )
Description: Activation context generation failed for "C:\Users\Olga Monz\Downloads\iTunes6464Setup [1].exe".
Dependent Assembly Microsoft.Windows.Common-Controls,language="*",processorArchitecture="amd64",publicKeyToken="6595b64144ccf1df",type="win32",version="6.0.0.0" could not be found.
Please use sxstrace.exe for detailed diagnosis.

Error: (06/12/2018 10:43:40 PM) (Source: Application Hang) (EventID: 1002) (User: )
Description: The program NOTEPAD.EXE version 6.1.7600.16385 stopped interacting with Windows and was closed. To see if more information about the problem is available, check the problem history in the Action Center control panel.

Process ID: 458

Start Time: 01d402c89d51ddda

Termination Time: 0

Application Path: C:\Windows\system32\NOTEPAD.EXE

Report Id: f23af788-6ebb-11e8-87cf-00235ae5f49d

Error: (06/11/2018 05:02:55 PM) (Source: Microsoft-Windows-Defrag) (EventID: 257) (User: )
Description: The volume MCUSB (D:) was not defragmented because an error was encountered: The parameter is incorrect. (0x80070057)

Error: (06/11/2018 03:33:38 PM) (Source: CardSpace 3.0.0.0) (EventID: 269) (User: NT AUTHORITY)
Description: The Windows CardSpace service is too busy to process this request.
User has too many outstanding requests.



Additional Information:
   at System.Environment.GetStackTrace(Exception e, Boolean needFileInfo)
   at System.Environment.get_StackTrace()
   at Microsoft.InfoCards.Diagnostics.InfoCardTrace.BuildMessage(InfoCardBaseException ie)
   at Microsoft.InfoCards.Diagnostics.InfoCardTrace.TraceAndLogException(Exception e)
   at Microsoft.InfoCards.Diagnostics.InfoCardTrace.ThrowHelperError(Exception e)
   at Microsoft.InfoCards.UIAgentMonitor.AddNewClient(UIAgentMonitorHandle handle)
   at Microsoft.InfoCards.UIAgentMonitorHandle.CreateAgent(Int32 callerPid, WindowsIdentity callerIdentity, Int32 tsSessionId)
   at Microsoft.InfoCards.RequestFactory.CreateClientRequestInstance(UIAgentMonitorHandle monitorHandle, String reqName, IntPtr rpcHandle, Stream inStream, Stream outStream)
   at Microsoft.InfoCards.RequestFactory.ProcessNewRequest(Int32 parentRequestHandle, IntPtr rpcHandle, IntPtr inArgs, IntPtr& outArgs)

Error: (06/11/2018 03:33:38 PM) (Source: CardSpace 3.0.0.0) (EventID: 269) (User: NT AUTHORITY)
Description: The Windows CardSpace service is too busy to process this request.
User has too many outstanding requests.



Additional Information:
   at System.Environment.GetStackTrace(Exception e, Boolean needFileInfo)
   at System.Environment.get_StackTrace()
   at Microsoft.InfoCards.Diagnostics.InfoCardTrace.BuildMessage(InfoCardBaseException ie)
   at Microsoft.InfoCards.Diagnostics.InfoCardTrace.TraceAndLogException(Exception e)
   at Microsoft.InfoCards.Diagnostics.InfoCardTrace.ThrowHelperError(Exception e)
   at Microsoft.InfoCards.UIAgentMonitor.AddNewClient(UIAgentMonitorHandle handle)
   at Microsoft.InfoCards.UIAgentMonitorHandle.CreateAgent(Int32 callerPid, WindowsIdentity callerIdentity, Int32 tsSessionId)
   at Microsoft.InfoCards.RequestFactory.CreateClientRequestInstance(UIAgentMonitorHandle monitorHandle, String reqName, IntPtr rpcHandle, Stream inStream, Stream outStream)
   at Microsoft.InfoCards.RequestFactory.ProcessNewRequest(Int32 parentRequestHandle, IntPtr rpcHandle, IntPtr inArgs, IntPtr& outArgs)

Error: (06/11/2018 03:33:38 PM) (Source: CardSpace 3.0.0.0) (EventID: 269) (User: NT AUTHORITY)
Description: The Windows CardSpace service is too busy to process this request.
User has too many outstanding requests.



Additional Information:
   at System.Environment.GetStackTrace(Exception e, Boolean needFileInfo)
   at System.Environment.get_StackTrace()
   at Microsoft.InfoCards.Diagnostics.InfoCardTrace.BuildMessage(InfoCardBaseException ie)
   at Microsoft.InfoCards.Diagnostics.InfoCardTrace.TraceAndLogException(Exception e)
   at Microsoft.InfoCards.Diagnostics.InfoCardTrace.ThrowHelperError(Exception e)
   at Microsoft.InfoCards.UIAgentMonitor.AddNewClient(UIAgentMonitorHandle handle)
   at Microsoft.InfoCards.UIAgentMonitorHandle.CreateAgent(Int32 callerPid, WindowsIdentity callerIdentity, Int32 tsSessionId)
   at Microsoft.InfoCards.RequestFactory.CreateClientRequestInstance(UIAgentMonitorHandle monitorHandle, String reqName, IntPtr rpcHandle, Stream inStream, Stream outStream)
   at Microsoft.InfoCards.RequestFactory.ProcessNewRequest(Int32 parentRequestHandle, IntPtr rpcHandle, IntPtr inArgs, IntPtr& outArgs)

Error: (06/11/2018 03:33:37 PM) (Source: CardSpace 3.0.0.0) (EventID: 269) (User: NT AUTHORITY)
Description: The Windows CardSpace service is too busy to process this request.
User has too many outstanding requests.



Additional Information:
   at System.Environment.GetStackTrace(Exception e, Boolean needFileInfo)
   at System.Environment.get_StackTrace()
   at Microsoft.InfoCards.Diagnostics.InfoCardTrace.BuildMessage(InfoCardBaseException ie)
   at Microsoft.InfoCards.Diagnostics.InfoCardTrace.TraceAndLogException(Exception e)
   at Microsoft.InfoCards.Diagnostics.InfoCardTrace.ThrowHelperError(Exception e)
   at Microsoft.InfoCards.UIAgentMonitor.AddNewClient(UIAgentMonitorHandle handle)
   at Microsoft.InfoCards.UIAgentMonitorHandle.CreateAgent(Int32 callerPid, WindowsIdentity callerIdentity, Int32 tsSessionId)
   at Microsoft.InfoCards.RequestFactory.CreateClientRequestInstance(UIAgentMonitorHandle monitorHandle, String reqName, IntPtr rpcHandle, Stream inStream, Stream outStream)
   at Microsoft.InfoCards.RequestFactory.ProcessNewRequest(Int32 parentRequestHandle, IntPtr rpcHandle, IntPtr inArgs, IntPtr& outArgs)

Error: (06/11/2018 02:43:34 PM) (Source: Application Hang) (EventID: 1002) (User: )
Description: The program mmc.exe version 6.1.7600.16385 stopped interacting with Windows and was closed. To see if more information about the problem is available, check the problem history in the Action Center control panel.

Process ID: c34

Start Time: 01d401ba0188ba39

Termination Time: 78

Application Path: C:\Windows\system32\mmc.exe

Report Id:


System errors:
=============
Error: (06/13/2018 03:18:36 PM) (Source: Disk) (EventID: 11) (User: )
Description: The driver detected a controller error on \Device\Harddisk1\DR1.

Error: (06/13/2018 03:13:44 PM) (Source: Service Control Manager) (EventID: 7026) (User: )
Description: The following boot-start or system-start driver(s) failed to load:
cdrom

Error: (06/13/2018 03:11:59 PM) (Source: Service Control Manager) (EventID: 7034) (User: )
Description: The Sophos Anti-Virus service terminated unexpectedly.  It has done this 1 time(s).

Error: (06/13/2018 03:11:59 PM) (Source: Service Control Manager) (EventID: 7031) (User: )
Description: The Software Protection service terminated unexpectedly.  It has done this 1 time(s).  The following corrective action will be taken in 120000 milliseconds: Restart the service.

Error: (06/13/2018 03:11:59 PM) (Source: Service Control Manager) (EventID: 7031) (User: )
Description: The Windows Media Player Network Sharing Service service terminated unexpectedly.  It has done this 1 time(s).  The following corrective action will be taken in 30000 milliseconds: Restart the service.

Error: (06/13/2018 03:11:59 PM) (Source: Service Control Manager) (EventID: 7034) (User: )
Description: The Sophos AutoUpdate Service service terminated unexpectedly.  It has done this 1 time(s).

Error: (06/13/2018 03:11:59 PM) (Source: Service Control Manager) (EventID: 7034) (User: )
Description: The Sophos Anti-Virus status reporter service terminated unexpectedly.  It has done this 1 time(s).

Error: (06/13/2018 03:11:59 PM) (Source: Service Control Manager) (EventID: 7034) (User: )
Description: The Adobe Acrobat Update Service service terminated unexpectedly.  It has done this 1 time(s).


==================== Memory info ===========================

Processor: Intel® Atom™ CPU N270 @ 1.60GHz
Percentage of memory in use: 58%
Total physical RAM: 1013.95 MB
Available physical RAM: 419.37 MB
Total Virtual: 2037.95 MB
Available Virtual: 1240.19 MB

==================== Drives ================================

Drive c: () (Fixed) (Total:148.95 GB) (Free:111.39 GB) NTFS
Drive d: (MCUSB) (Removable) (Total:29.82 GB) (Free:6.68 GB) FAT32

\\?\Volume{6ceec840-1e4e-11e4-b07b-806e6f6e6963}\ (System Reserved) (Fixed) (Total:0.1 GB) (Free:0.07 GB) NTFS

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (MBR Code: Windows 7/8/10) (Size: 149.1 GB) (Disk ID: 9A0D38EA)
Partition 1: (Active) - (Size=100 MB) - (Type=07 NTFS)
Partition 2: (Not Active) - (Size=149 GB) - (Type=07 NTFS)

========================================================
Disk: 1 (MBR Code: Windows XP) (Size: 29.8 GB) (Disk ID: C3072E18)
Partition 1: (Not Active) - (Size=29.8 GB) - (Type=0C)

==================== End of Addition.txt ============================

#6 nasdaq

  • Malware Response Team
  • 38,955 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 15 June 2018 - 10:16 AM

Hi,

Sorry about this.
I remember seeing your reply and I had prepared this fix.
What happened after I do not know.
Maybe I had a senior moment.

===

Press the Windows key + r on your keyboard at the same time. This will open the RUN BOX.
Type Notepad and click the OK key.

Please copy the entire contents of the code box below to a new file.

Start

CreateRestorePoint:
EmptyTemp:
CloseProcesses:

CHR HKLM\SOFTWARE\Policies\Google: Restriction <==== ATTENTION
CustomCLSID: HKU\S-1-5-21-808537165-590170511-107395098-1000_Classes\CLSID\{A2DF06F9-A21A-44A8-8A99-8B9C84F29160}\localserver32 -> C:\Users\Olga Monz\AppData\Local\Chromium\Application\46.0.2480.0\delegate_execute.exe (The Chromium Authors) <==== ATTENTION

End
Save the file as fixlist.txt in the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the Farbar log you have submitted.

Run FRST and click Fix only once and wait.

The tool will create a log (Fixlog.txt) please post it to your reply.

Please let me know what problem persists with this computer.
--
p.s.
Both of your security programs, Sophos and Windows Defender, are disabled and out of date.
Take care of this.

Edited by nasdaq, 15 June 2018 - 10:17 AM.


#7 k-j-m

  • Topic Starter
  • Members
  • 22 posts

Posted 15 June 2018 - 11:18 AM

Thanks for your help!

I do understand "senior moments" as I have them myself!

Once we are confident that everything has been completely removed, it is my intention to apply all of the Windows updates, the Defender updates, and the Sophos updates.  I have not done that yet because I didn't want to allow the computer back on the internet until everything was back to normal.

Are there any other updates that you noticed I should apply?  Possibly the browsers?

Here's the FRST fix log:

Fix result of Farbar Recovery Scan Tool (x86) Version: 06.06.2018 01
Ran by Olga Monz (15-06-2018 11:05:32) Run:1
Running from C:\Users\Olga Monz\Desktop
Loaded Profiles: Olga Monz (Available Profiles: Olga Monz & Administrator)
Boot Mode: Normal

==============================================

fixlist content:
*****************
Start

CreateRestorePoint:
EmptyTemp:
CloseProcesses:

CHR HKLM\SOFTWARE\Policies\Google: Restriction <==== ATTENTION
CustomCLSID: HKU\S-1-5-21-808537165-590170511-107395098-1000_Classes\CLSID\{A2DF06F9-A21A-44A8-8A99-8B9C84F29160}\localserver32 -> C:\Users\Olga Monz\AppData\Local\Chromium\Application\46.0.2480.0\delegate_execute.exe (The Chromium Authors) <==== ATTENTION

End
*****************

Restore point was successfully created.
Processes closed successfully.
"HKLM\SOFTWARE\Policies\Google" => removed successfully.
"HKU\S-1-5-21-808537165-590170511-107395098-1000_Classes\CLSID\{A2DF06F9-A21A-44A8-8A99-8B9C84F29160}" => removed successfully.

=========== EmptyTemp: ==========

BITS transfer queue => 8388608 B
DOMStoree, IE Recovery, AppCache, Feeds Cache, Thumbcache, IconCache => 36461137 B
Java, Flash, Steam htmlcache => 1695 B
Windows/system/drivers => 70254398 B
Edge => 0 B
Chrome => 0 B
Firefox => 23244695 B
Opera => 3657326 B

Temp, IE cache, history, cookies, recent:
Users => 0 B
Default => 33125 B
Public => 0 B
ProgramData => 0 B
systemprofile => 34659 B
LocalService => 0 B
NetworkService => 51241 B
Olga Monz => 135931197 B
Administrator => 111279576 B

RecycleBin => 5626819918 B
EmptyTemp: => 5.6 GB temporary data Removed.

================================


The system needed a reboot.

==== End of Fixlog 11:07:05 ====



#8 nasdaq

  • Malware Response Team
  • 38,955 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 15 June 2018 - 12:55 PM

Hi,

Go for the Security Updates.

Restart the computer after all of the updates.

As for the Windows updates, there could be many.
Do not do it all at once; take your time.

#9 k-j-m

  • Topic Starter
  • Members
  • 22 posts

Posted 15 June 2018 - 03:12 PM

Thanks!

So based on the logs I have posted, do you think we are done?

I have noticed that there are several disabled tasks in the Start-Up.

Do we have to do anything with these?

See the attached .jpg's.


#10 nasdaq

  • Malware Response Team
  • 38,955 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 16 June 2018 - 06:51 AM

These were disabled using the MsConfig tool and they are no longer active.
The programs were removed, but the registry entries are still around and dead.
Nothing to worry about.

Listed in your Addition.txt log.

==================== MSCONFIG/TASK MANAGER disabled items ==
MSCONFIG\startupfolder: C:^Users^Olga Monz^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^MyPC Backup.lnk => C:\Windows\pss\MyPC Backup.lnk.Startup
MSCONFIG\startupreg: Driver Support => C:\Program Files\Driver Support\Driver Support\DriverSupport.exe /applicationMode:systemTray /showWelcome:false
MSCONFIG\startupreg: GoogleChromeAutoLaunch_9B56C802069DB60609951592156D243E => "C:\Users\Olga Monz\AppData\Local\Chromium\Application\chrome.exe" --auto-launch-at-startup --profile-directory="Default" --restore-last-session
MSCONFIG\startupreg: Optimizer Pro => C:\Program Files\Optimizer Pro\OptProLauncher.exe


===

If all is well:

To learn more about how to protect yourself while on the internet, read this little guide on best security practices to keep safe.
http://www.bleepingcomputer.com/forums/t/407147/answers-to-common-security-questions-best-practices/

https://www.bleepingcomputer.com/tutorials/keep-your-computer-safe-online/
Simple and easy ways to keep your computer safe and secure on the Internet.
===
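As an added example (not code from this thread, from FRST, or from the helper above), the following Python parses the MSCONFIG lines that FRST prints in Addition.txt and reports which entries point at a program that is no longer on disk, which is what makes them the dead leftovers described in the reply. The four sample lines are copied from the log quoted above; the line parser, the `executable_from_command` helper and the `stale_entries` check are this example's own assumptions about the log format, not FRST behaviour, and the reading of `^` as a stand-in for backslashes in the startupfolder key is likewise an assumption of the example.

```python
"""Added example: parse FRST "MSCONFIG/TASK MANAGER disabled items" lines and
flag entries whose target program no longer exists (dead startup leftovers)."""
import os
import re
from typing import Callable, Iterable, List, NamedTuple, Optional


class StartupEntry(NamedTuple):
    kind: str     # "startupreg" or "startupfolder"
    name: str     # registry value name, or the original .lnk path
    target: str   # executable path, or where the .lnk was moved to


# Sample lines constructed from the FRST log quoted in the thread.
SAMPLE_LINES = [
    r"MSCONFIG\startupfolder: C:^Users^Olga Monz^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^MyPC Backup.lnk => C:\Windows\pss\MyPC Backup.lnk.Startup",
    r"MSCONFIG\startupreg: Driver Support => C:\Program Files\Driver Support\Driver Support\DriverSupport.exe /applicationMode:systemTray /showWelcome:false",
    r'MSCONFIG\startupreg: GoogleChromeAutoLaunch_9B56C802069DB60609951592156D243E => "C:\Users\Olga Monz\AppData\Local\Chromium\Application\chrome.exe" --auto-launch-at-startup --profile-directory="Default" --restore-last-session',
    r"MSCONFIG\startupreg: Optimizer Pro => C:\Program Files\Optimizer Pro\OptProLauncher.exe",
]

# Assumed line shape: MSCONFIG\<kind>: <name> => <target or command line>
_LINE_RE = re.compile(r"^MSCONFIG\\(startupreg|startupfolder): (.+?) => (.+)$")


def executable_from_command(command: str) -> str:
    """Extract the program path from a startup command line.

    Quoted form:   "C:\...\chrome.exe" --flags   -> text inside the first quotes.
    Unquoted form: the path may contain spaces, so cut after the first ".exe"
                   instead of at the first space.
    """
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end != -1 else command[1:]
    m = re.search(r"\.exe\b", command, re.IGNORECASE)
    return command[:m.end()] if m else command


def parse_line(line: str) -> Optional[StartupEntry]:
    """Parse one MSCONFIG line; return None for lines of any other shape."""
    m = _LINE_RE.match(line.strip())
    if not m:
        return None
    kind, name, target = m.groups()
    if kind == "startupfolder":
        # Assumption: '^' stands for the backslashes of the original .lnk path.
        return StartupEntry(kind, name.replace("^", "\\"), target)
    return StartupEntry(kind, name, executable_from_command(target))


def parse_log(lines: Iterable[str]) -> List[StartupEntry]:
    return [e for e in (parse_line(l) for l in lines) if e is not None]


def stale_entries(entries: Iterable[StartupEntry],
                  exists: Callable[[str], bool] = os.path.exists) -> List[StartupEntry]:
    """Entries whose target is gone from disk: registry leftovers of removed
    programs.  `exists` is injectable so the check can run against a log
    taken from another machine, with a known file list standing in for disk."""
    return [e for e in entries if not exists(e.target)]


if __name__ == "__main__":
    entries = parse_log(SAMPLE_LINES)
    for e in entries:
        print(f"{e.kind:14} {e.name!r:60} -> {e.target}")
    # On the analyst's machine these paths do not exist, so all are reported.
    for e in stale_entries(entries):
        print("stale:", e.name)
```

Run on the analyst's own machine the script reports every entry as stale, since none of the paths exist there; on the affected computer, or with a file list from it passed as `exists`, only the entries whose program is actually gone are listed, and anything still present deserves a second look before being dismissed as dead.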

#11 k-j-m

  • Topic Starter
  • Members
  • 22 posts

Posted 16 June 2018 - 08:44 AM

Thanks, again.

Everything seems to be working normally, and I will connect the machine to the Internet and verify that functionality within the next several days.

I guess that the disabled registry entries won't matter; I was just looking to avoid problems in the future should these entries be re-enabled inadvertently.

Once I'm comfortable that we are 100% good, do I just uninstall the tools that we used via the Control Panel?


#12 nasdaq

  • Malware Response Team
  • 38,955 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 16 June 2018 - 10:53 AM

Hi,

Unless you are limited in space I would keep the programs we used.
You can delete the Files/logs that were created.

Both AdwCleaner and Malwarebytes have saved the bad items in a Quarantined folder. You can clean these folders.