
Due diligence on brother's PC

This is a discussion on Due diligence on brother's PC within the Resolved HJT Threads forums, part of the Tech Support Forum category.

Old 01-04-2016, 05:29 AM   #1
Registered Member
 
Join Date: Jan 2016
Posts: 10
OS: windows 7 service pack 1
Cleaning up my brother's PC ahead of upgrading to Win 10. Updated virus definitions, uninstalled some toolbars and freeware, etc. Malwarebytes and Avira each found several files to quarantine/delete. Still seems to be running slow, particularly at startup and when opening new program windows.

He said he thinks he can find the Windows 7 recovery disc if he looks.

Thanks for your help!

DDS (Ver_2012-11-20.01) - NTFS_AMD64
Internet Explorer: 11.0.9600.18124 BrowserJavaVersion: 10.9.2
Run by Justin at 22:02:08 on 2016-01-03
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.6143.4692 [GMT -5:00]
.
AV: Avira Antivirus *Enabled/Updated* {4D041356-F94D-285F-8768-AAE50FA36859}
AV: Microsoft Security Essentials *Enabled/Updated* {B7ECF8CD-0188-6703-DBA4-AA65C6ACFB0A}
SP: Microsoft Security Essentials *Enabled/Updated* {0C8D1929-27B2-688D-E114-9117BD2BB1B7}
SP: Avira Antivirus *Enabled/Updated* {F665F2B2-DF77-27D1-BDD8-9197742422E4}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
c:\Program Files\Microsoft Security Client\MsMpEng.exe
C:\Windows\system32\atiesrxx.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\atieclxx.exe
C:\Program Files\Dell\DellDock\DockLogin.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Program Files (x86)\Avira\AntiVir Desktop\sched.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files (x86)\AMD\RAIDXpert\bin\RAIDXpertService.exe
C:\Program Files (x86)\AMD\RAIDXpert\bin\RAIDXpert.exe
C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe
C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Windows\System32\svchost.exe -k utcsvc
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files (x86)\Windows Live\Family Safety\fsssvc.exe
C:\Program Files (x86)\Sony\PMB\PMBDeviceInfoProvider.exe
C:\Program Files (x86)\Dell DataSafe Local Backup\sftservice.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files (x86)\Avira\Launcher\Avira.ServiceHost.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe
C:\Program Files (x86)\Avira\AntiVir Desktop\avshadow.exe
C:\Program Files (x86)\Avira\AntiVir Desktop\avwebg7.exe
C:\Windows\SysWOW64\WinMsgBalloonServer.exe
C:\Windows\SysWOW64\WinMsgBalloonClient.exe
C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe
c:\Program Files\Microsoft Security Client\NisSrv.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\System32\WUDFHost.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files (x86)\Dell Support Center\bin\sprtsvc.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files (x86)\Dell DataSafe Local Backup\Components\DSUpdate\DSUpd.exe
C:\Program Files (x86)\Dell DataSafe Local Backup\TOASTER.EXE
C:\Program Files (x86)\Dell DataSafe Local Backup\COMPONENTS\SCHEDULER\STSERVICE.EXE
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\Program Files\AMD\CNext\CNext\cnext.exe
C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files (x86)\NETGEAR\WG111v3\WG111v3.exe
C:\Windows\system32\GWX\GWX.exe
C:\Program Files (x86)\Multimedia Card Reader(9106)\ShwiconXP9106.exe
C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe
C:\Program Files\Dell\DellDock\DellDock.exe
C:\Program Files (x86)\Dell Support Center\bin\sprtcmd.exe
C:\Program Files (x86)\Dell DataSafe Online\DataSafeOnline.exe
C:\Program Files (x86)\Avira\Launcher\Avira.Systray.exe
C:\Program Files (x86)\Mozilla Firefox\firefox.exe
C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\sppsvc.exe
C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe
C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_20_0_0_267.exe
C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_20_0_0_267.exe
C:\Windows\SysWOW64\wscript.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\System32\cscript.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxps://search.avira.net/#web/result?source=art&q=
uDefault_Page_URL = hxxps://search.avira.net/#web/result?source=art&q=
uDefault_Search_URL = hxxps://search.avira.net/#web/result?source=art&q=
mStart Page = hxxps://search.avira.net/#web/result?source=art&q=
mSearch Page = hxxps://search.avira.net/#web/result?source=art&q=
mDefault_Page_URL = hxxps://search.avira.net/#web/result?source=art&q=
mDefault_Search_URL = hxxps://search.avira.net/#web/result?source=art&q=
uURLSearchHooks: UrlSearchHook Class: {00000000-6E41-4FD3-8538-502F5495E5FC} - C:\Program Files (x86)\Ask.com\GenericAskToolbar.dll
BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO: McAfee Phishing Filter: {27B4851A-3207-45A2-B947-BE8AFE6163AB} -
BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files (x86)\Microsoft Office\Office14\URLREDIR.DLL
BHO: Avira SearchFree Toolbar plus Web Protection: {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files (x86)\Ask.com\GenericAskToolbar.dll
TB: Avira SearchFree Toolbar plus Web Protection: {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files (x86)\Ask.com\GenericAskToolbar.dll
TB: Avira SearchFree Toolbar plus Web Protection: {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files (x86)\Ask.com\GenericAskToolbar.dll
mRun: [avgnt] "C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe" /min
mRun: [UpdReg] C:\Windows\UpdReg.EXE
mRun: [THX Audio Control Panel] "C:\Program Files (x86)\Creative\THX TruStudio PC\THXAudioCP\THXAudio.exe" /r
mRun: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
mRun: [ShwiconXP9106] C:\Program Files (x86)\Multimedia Card Reader(9106)\ShwiconXP9106.exe
mRun: [HP Software Update] C:\Program Files (x86)\Hp\HP Software Update\HPWuSchd2.exe
mRun: [DellSupportCenter] "C:\Program Files (x86)\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
mRun: [Dell DataSafe Online] "C:\Program Files (x86)\Dell DataSafe Online\DataSafeOnline.exe" /m
mRun: [Avira SystrayStartTrigger] C:\Program Files (x86)\Avira\Launcher\Avira.SystrayStartTrigger.exe
mRun: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe"
mRun: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
mRunOnce: ["C:\Program Files (x86)\Dell DataSafe Local Backup\Components\DSUpdate\DSUpdate.exe"] "C:\Program Files (x86)\Dell DataSafe Local Backup\Components\DSUpdate\DSUpdate.exe"
StartupFolder: C:\Users\Justin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\DELLDO~1.LNK - C:\Program Files\Dell\DellDock\DellDock.exe
StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\NETGEA~1.LNK - C:\Program Files (x86)\NETGEAR\WG111v3\WG111v3.exe
uPolicies-Explorer: NoDriveTypeAutoRun = dword:145
mPolicies-Explorer: NoActiveDesktop = dword:1
mPolicies-Explorer: NoActiveDesktopChanges = dword:1
mPolicies-System: ConsentPromptBehaviorAdmin = dword:5
mPolicies-System: ConsentPromptBehaviorUser = dword:3
mPolicies-System: EnableUIADesktopToggle = dword:0
mPolicies-System: PromptOnSecureDesktop = dword:0
IE: E&xport to Microsoft Excel - C:\PROGRA~2\MIF5BA~1\Office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - C:\PROGRA~2\MIF5BA~1\Office14\ONBttnIE.dll/105
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIE.dll
IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_09-windows-i586.cab
DPF: {CAFEEFAC-0017-0000-0009-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_09-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_09-windows-i586.cab
DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} - hxxp://driveragent.com/files/driveragent.cab
TCP: NameServer = 75.75.75.75 75.75.76.76
TCP: Interfaces\{A0685346-E7F7-4412-BC33-22C58325D317} : DHCPNameServer = 75.75.75.75 75.75.76.76
Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL
Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files (x86)\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll
Handler: x-owacid - {0215258f-f0a8-49de-bf1b-0ff02eda8807} - C:\Program Files (x86)\Microsoft\Outlook Web Access SMIME Client\mimectl.dll
SSODL: WebCheck - <orphaned>
mASetup: {8A69D345-D564-463c-AFF1-A69D9E530F96} - "C:\Program Files (x86)\Google\Chrome\Application\47.0.2526.106\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --multi-install --chrome
x64-mStart Page = hxxps://search.avira.net/#web/result?source=art&q=
x64-mSearch Page = hxxps://search.avira.net/#web/result?source=art&q=
x64-mDefault_Page_URL = hxxps://search.avira.net/#web/result?source=art&q=
x64-mDefault_Search_URL = hxxps://search.avira.net/#web/result?source=art&q=
x64-BHO: {27B4851A-3207-45A2-B947-BE8AFE6163AB} - <orphaned>
x64-BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
x64-BHO: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL
x64-BHO: Java(tm) Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} -
x64-Run: [RunDLLEntry_THXCfg] C:\Windows\System32\RunDLL32.exe C:\Windows\System32\THXCfg64.dll,RunDLLEntry THXCfg64
x64-Run: [RunDLLEntry_EptMon] C:\Windows\System32\RunDLL32.exe C:\Windows\System32\EptMon64.dll,RunDLLEntry EptMon64
x64-Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe -s
x64-Run: [MSC] "c:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey
x64-Run: [StartCN] "C:\Program Files\AMD\CNext\CNext\cnext.exe" atlogon
x64-IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\Program Files\Microsoft Office\Office14\ONBttnIE.dll
x64-IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - C:\Program Files\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
x64-Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL
x64-Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - <orphaned>
x64-Handler: x-owacid - {0215258f-f0a8-49de-bf1b-0ff02eda8807} - <orphaned>
x64-SSODL: WebCheck - <orphaned>
.
================= FIREFOX ===================
.
FF - ProfilePath - C:\Users\Justin\AppData\Roaming\Mozilla\Firefox\Profiles\ws6sgnhz.default\
FF - prefs.js: browser.search.selectedEngine - Yahoo!
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - prefs.js: network.proxy.type - 4
FF - plugin: C:\PROGRA~2\MIF5BA~1\Office14\NPAUTHZ.DLL
FF - plugin: C:\PROGRA~2\MIF5BA~1\Office14\NPSPWRAP.DLL
FF - plugin: C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\nppdf32.dll
FF - plugin: C:\Program Files (x86)\Google\Update\1.3.29.1\npGoogleUpdate3.dll
FF - plugin: C:\Program Files (x86)\Java\jre7\bin\plugin2\npjp2.dll
FF - plugin: c:\Program Files (x86)\Microsoft Silverlight\5.1.41105.0\npctrlui.dll
FF - plugin: C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll
FF - plugin: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_20_0_0_267.dll
FF - plugin: C:\Windows\SysWOW64\npDeployJava1.dll
FF - plugin: C:\Windows\SysWOW64\npmproxy.dll
.
============= SERVICES / DRIVERS ===============
.
R0 MpFilter;Microsoft Malware Protection Driver;C:\Windows\System32\drivers\MpFilter.sys [2015-3-4 280376]
R0 PxHlpa64;PxHlpa64;C:\Windows\System32\drivers\PxHlpa64.sys [2010-8-3 55856]
R1 avkmgr;avkmgr;C:\Windows\System32\drivers\avkmgr.sys [2013-3-27 28600]
R2 AMD External Events Utility;AMD External Events Utility;C:\Windows\System32\atiesrxx.exe [2015-12-4 246272]
R2 AMD_RAIDXpert;AMD RAIDXpert;C:\Program Files (x86)\AMD\RAIDXpert\bin\RAIDXpertService.exe [2009-3-16 122880]
R2 AntiVirSchedulerService;Avira Scheduler;C:\Program Files (x86)\Avira\AntiVir Desktop\sched.exe [2012-10-31 466408]
R2 AntiVirService;Avira Real-Time Protection;C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe [2012-10-31 466408]
R2 AntiVirWebService;Avira Web Protection;C:\Program Files (x86)\Avira\AntiVir Desktop\avwebg7.exe [2013-5-7 1418560]
R2 avgntflt;avgntflt;C:\Windows\System32\drivers\avgntflt.sys [2013-3-27 162072]
R2 Avira.ServiceHost;Avira Service Host;C:\Program Files (x86)\Avira\Launcher\Avira.ServiceHost.exe [2015-11-23 249624]
R2 avnetflt;avnetflt;C:\Windows\System32\drivers\avnetflt.sys [2013-5-7 75472]
R2 DiagTrack;Diagnostics Tracking Service;C:\Windows\System32\svchost.exe -k utcsvc [2009-7-13 27136]
R2 DockLoginService;Dock Login Service;C:\Program Files\Dell\DellDock\DockLogin.exe [2009-6-9 155648]
R2 fssfltr;fssfltr;C:\Windows\System32\drivers\fssfltr.sys [2012-7-7 48488]
R2 fsssvc;Windows Live Family Safety Service;C:\Program Files (x86)\Windows Live\Family Safety\fsssvc.exe [2012-3-8 1492840]
R2 NisDrv;Microsoft Network Inspection System;C:\Windows\System32\drivers\NisDrvWFP.sys [2012-8-30 124568]
R2 PMBDeviceInfoProvider;PMBDeviceInfoProvider;C:\Program Files (x86)\Sony\PMB\PMBDeviceInfoProvider.exe [2010-11-26 398176]
R2 sftlist;Application Virtualization Client;C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe [2014-10-8 534184]
R2 SftService;SoftThinks Agent Service;C:\Program Files (x86)\Dell DataSafe Local Backup\SftService.exe [2010-8-3 1692480]
R3 amdiox64;AMD IO Driver;C:\Windows\System32\drivers\amdiox64.sys [2012-8-22 46136]
R3 AmdLLD64;AMD Low Level Device Driver;C:\Windows\System32\drivers\AmdLLD64.sys [2010-8-3 47672]
R3 AtiHDAudioService;AMD Function Driver for HD Audio Service;C:\Windows\System32\drivers\AtihdW76.sys [2015-9-17 96256]
R3 k57nd60a;Broadcom NetLink (TM) Gigabit Ethernet - NDIS 6.0;C:\Windows\System32\drivers\k57nd60a.sys [2010-8-3 321064]
R3 MBAMProtector;MBAMProtector;C:\Windows\System32\drivers\mbam.sys [2016-1-1 25816]
R3 NisSrv;Microsoft Network Inspection;C:\Program Files\Microsoft Security Client\NisSrv.exe [2015-4-30 366544]
R3 Sftfs;Sftfs;C:\Windows\System32\drivers\Sftfslh.sys [2014-10-8 766632]
R3 Sftplay;Sftplay;C:\Windows\System32\drivers\Sftplaylh.sys [2014-10-8 273576]
R3 Sftredir;Sftredir;C:\Windows\System32\drivers\Sftredirlh.sys [2014-10-8 29352]
R3 Sftvol;Sftvol;C:\Windows\System32\drivers\Sftvollh.sys [2014-10-8 23208]
R3 sftvsa;Application Virtualization Service Agent;C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe [2014-10-8 211104]
S2 AntiVirMailService;Avira Mail Protection;C:\Program Files (x86)\Avira\AntiVir Desktop\avmailc7.exe [2015-4-7 948392]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2014-4-11 103608]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2014-4-11 124088]
S2 cvhsvc;Client Virtualization Handler;C:\Program Files (x86)\Common Files\microsoft shared\Virtualization Handler\CVHSVC.EXE [2015-3-18 822496]
S2 MBAMService;MBAMService;C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe [2016-1-1 1135416]
S2 SessionLauncher;SessionLauncher;c:\Users\ADMINI~1\AppData\Local\Temp\DX9\SessionLauncher.exe --> c:\Users\ADMINI~1\AppData\Local\Temp\DX9\SessionLauncher.exe [?]
S3 ahcix64s;ahcix64s;C:\Windows\System32\drivers\ahcix64s.sys [2010-8-3 226616]
S3 IEEtwCollectorService;Internet Explorer ETW Collector Service;C:\Windows\System32\ieetwcollector.exe [2015-12-9 114688]
S3 MBAMWebAccessControl;MBAMWebAccessControl;C:\Windows\System32\drivers\mwac.sys [2016-1-1 63704]
S3 RoxMediaDB10;RoxMediaDB10;C:\Program Files (x86)\Common Files\Roxio Shared\10.0\SharedCom\RoxMediaDB10.exe [2009-6-26 1124848]
S3 RTL8187B;NETGEAR WG111v3 Wireless-G USB Adapter Win7 Driver;C:\Windows\System32\drivers\wg111v3.sys [2011-6-17 446976]
S3 TsUsbFlt;TsUsbFlt;C:\Windows\System32\drivers\TsUsbFlt.sys [2011-7-7 59392]
S3 USBAAPL64;Apple Mobile USB Driver;C:\Windows\System32\drivers\usbaapl64.sys [2012-12-13 54784]
S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\System32\Wat\WatAdminSvc.exe [2010-8-14 1255736]
.
=============== Created Last 30 ================
.
2016-01-03 07:05:06 75888 ----a-w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{0CE05A6A-0E66-4289-AC2B-D6A07C8E7DBB}\offreg.892.dll
2016-01-03 07:03:24 11154520 ----a-w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{0CE05A6A-0E66-4289-AC2B-D6A07C8E7DBB}\mpengine.dll
2016-01-02 16:00:27 11154520 ----a-w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2016-01-01 22:02:41 -------- d-----w- C:\Users\Justin\AppData\Local\ATI
2016-01-01 21:56:12 0 ----a-w- C:\Windows\ativpsrm.bin
2016-01-01 21:52:57 -------- d-----w- C:\Program Files (x86)\Common Files\ATI Technologies
2016-01-01 21:52:48 -------- d-----w- C:\Users\Justin\AppData\Local\AMD
2016-01-01 21:48:33 -------- d-----w- C:\Program Files\Common Files\ATI Technologies
2016-01-01 21:46:23 -------- d-----w- C:\Program Files\AMD
2016-01-01 21:42:40 -------- d-----w- C:\AMD
2016-01-01 21:10:08 -------- d-----w- C:\Users\Justin\AppData\Local\CEF
2016-01-01 21:10:06 -------- d-----w- C:\Users\Justin\AppData\Local\Steam
2016-01-01 20:53:18 -------- d-----w- C:\Program Files (x86)\VS Revo Group
2016-01-01 15:14:36 192216 ----a-w- C:\Windows\System32\drivers\MBAMSwissArmy.sys
2016-01-01 15:14:13 63704 ----a-w- C:\Windows\System32\drivers\mwac.sys
2016-01-01 15:14:13 25816 ----a-w- C:\Windows\System32\drivers\mbam.sys
2016-01-01 15:14:13 109272 ----a-w- C:\Windows\System32\drivers\mbamchameleon.sys
2016-01-01 15:14:13 -------- d-----w- C:\ProgramData\Malwarebytes
2016-01-01 15:14:13 -------- d-----w- C:\Program Files (x86)\Malwarebytes Anti-Malware
2016-01-01 15:11:15 -------- d-----w- C:\Users\Justin\AppData\Local\Programs
2016-01-01 14:57:17 -------- d-----w- C:\Users\Justin\AppData\Local\{3EE2DE48-F6AB-485D-9AA5-3302B156B328}
2015-12-30 14:41:27 -------- d-----w- C:\Users\Justin\AppData\Local\{5E673665-D98C-422B-8356-76E7F725422B}
2015-12-29 02:35:04 -------- d-----w- C:\Users\Justin\AppData\Local\{63322F69-12AA-435F-8603-3411A5BA3A16}
2015-12-24 14:00:55 -------- d-----w- C:\Users\Justin\AppData\Local\{0C13BB0E-3267-4A78-B032-D8AE347E00AD}
2015-12-17 10:44:30 -------- d-----w- C:\Users\Justin\AppData\Local\{5DD16C4E-9357-4982-AE05-12A485448986}
2015-12-11 13:15:25 -------- d-----w- C:\Users\Justin\AppData\Local\{BB5C2D43-02C4-4A1B-BE0F-FA9D9634F461}
2015-12-11 01:14:45 -------- d-----w- C:\Users\Justin\AppData\Local\{67CDB0FA-A62B-48F0-9017-9579FBC62BEC}
2015-12-10 08:26:51 1190000 ----a-w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{1A5A8D69-EF35-48B0-A836-CA8EF07F5F94}\gapaengine.dll
2015-12-09 10:48:57 3211264 ----a-w- C:\Windows\System32\win32k.sys
2015-12-09 10:48:57 1648128 ----a-w- C:\Windows\System32\DWrite.dll
2015-12-09 10:48:55 1251328 ----a-w- C:\Windows\SysWow64\DWrite.dll
2015-12-09 10:48:55 1180160 ----a-w- C:\Windows\System32\FntCache.dll
2015-12-09 10:48:55 1008640 ----a-w- C:\Windows\System32\user32.dll
2015-12-09 10:48:53 833024 ----a-w- C:\Windows\SysWow64\user32.dll
2015-12-09 10:48:51 17408 ----a-w- C:\Windows\System32\wshrm.dll
2015-12-09 10:48:51 14848 ----a-w- C:\Windows\SysWow64\wshrm.dll
2015-12-09 10:48:51 146944 ----a-w- C:\Windows\System32\drivers\rmcast.sys
2015-12-09 10:48:49 525312 ----a-w- C:\Windows\System32\catsrvut.dll
2015-12-09 10:48:49 1735680 ----a-w- C:\Windows\System32\comsvcs.dll
2015-12-09 10:48:48 487936 ----a-w- C:\Windows\SysWow64\catsrvut.dll
2015-12-09 10:48:48 1242624 ----a-w- C:\Windows\SysWow64\comsvcs.dll
2015-12-05 11:01:02 -------- d-----w- C:\Users\Justin\AppData\Local\{8C12EFED-40B8-4E70-A13F-69BCE9CC5A8D}
.
==================== Find3M ====================
.
2016-01-02 01:28:32 796864 ----a-w- C:\Windows\SysWow64\FlashPlayerApp.exe
2016-01-02 01:28:32 142528 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
2015-12-09 03:39:31 301728 ------w- C:\Windows\System32\MpSigStub.exe
2015-12-04 17:44:56 10907328 ----a-w- C:\Windows\SysWow64\atidxx32.dll
2015-12-04 17:44:48 8089248 ----a-w- C:\Windows\SysWow64\atiumdva.dll
2015-12-04 17:44:40 9070320 ----a-w- C:\Windows\SysWow64\atiumdag.dll
2015-12-04 17:44:32 9017808 ----a-w- C:\Windows\System32\atiumd6a.dll
2015-12-04 17:44:26 10815664 ----a-w- C:\Windows\System32\atiumd64.dll
2015-12-04 17:41:48 296648 ----a-w- C:\Windows\System32\drivers\amdacpksd.sys
2015-12-04 17:38:22 23961088 ----a-w- C:\Windows\System32\drivers\atikmdag.sys
2015-12-04 17:33:06 235008 ----a-w- C:\Windows\System32\clinfo.exe
2015-12-04 17:33:02 49984000 ----a-w- C:\Windows\System32\amdocl64.dll
2015-12-04 17:31:48 41510400 ----a-w- C:\Windows\SysWow64\amdocl.dll
2015-12-04 17:30:42 65024 ----a-w- C:\Windows\System32\OpenCL.dll
2015-12-04 17:30:40 59392 ----a-w- C:\Windows\SysWow64\OpenCL.dll
2015-12-04 17:29:14 27596288 ----a-w- C:\Windows\System32\amdocl12cl64.dll
2015-12-04 17:29:08 22348288 ----a-w- C:\Windows\SysWow64\amdocl12cl.dll
2015-12-04 17:08:28 677888 ----a-w- C:\Windows\System32\amdlvr64.dll
2015-12-04 17:08:14 562688 ----a-w- C:\Windows\SysWow64\amdlvr32.dll
2015-12-04 17:08:00 127488 ----a-w- C:\Windows\System32\mantle64.dll
2015-12-04 17:07:56 113664 ----a-w- C:\Windows\SysWow64\mantle32.dll
2015-12-04 17:07:50 6643200 ----a-w- C:\Windows\System32\amdmantle64.dll
2015-12-04 17:03:02 5223936 ----a-w- C:\Windows\SysWow64\amdmantle32.dll
2015-12-04 16:59:28 31376896 ----a-w- C:\Windows\System32\atio6axx.dll
2015-12-04 16:59:10 96256 ----a-w- C:\Windows\System32\mantleaxl64.dll
2015-12-04 16:59:06 89088 ----a-w- C:\Windows\SysWow64\mantleaxl32.dll
2015-12-04 16:57:06 865280 ----a-w- C:\Windows\System32\coinst_15.30.dll
2015-12-04 16:53:42 50688 ----a-w- C:\Windows\System32\amdmmcl6.dll
2015-12-04 16:53:38 39424 ----a-w- C:\Windows\SysWow64\amdmmcl.dll
2015-12-04 16:53:36 25840128 ----a-w- C:\Windows\SysWow64\atioglxx.dll
2015-12-04 16:51:46 367104 ----a-w- C:\Windows\System32\atiapfxx.exe
2015-12-04 16:51:44 62464 ----a-w- C:\Windows\System32\aticalrt64.dll
2015-12-04 16:51:42 52224 ----a-w- C:\Windows\SysWow64\aticalrt.dll
2015-12-04 16:51:40 55808 ----a-w- C:\Windows\System32\aticalcl64.dll
2015-12-04 16:51:40 49152 ----a-w- C:\Windows\SysWow64\aticalcl.dll
2015-12-04 16:51:34 15711744 ----a-w- C:\Windows\System32\aticaldd64.dll
2015-12-04 16:50:44 14302208 ----a-w- C:\Windows\SysWow64\aticaldd.dll
2015-12-04 16:47:26 442368 ----a-w- C:\Windows\System32\atidemgy.dll
2015-12-04 16:47:24 223744 ----a-w- C:\Windows\System32\dgtrayicon.exe
2015-12-04 16:47:20 162304 ----a-w- C:\Windows\System32\atieah64.exe
2015-12-04 16:47:20 145408 ----a-w- C:\Windows\SysWow64\atieah32.exe
2015-12-04 16:47:18 204800 ----a-w- C:\Windows\System32\amdgfxinfo64.dll
2015-12-04 16:47:18 189952 ----a-w- C:\Windows\SysWow64\amdgfxinfo32.dll
2015-12-04 16:47:16 31744 ----a-w- C:\Windows\System32\atimuixx.dll
2015-12-04 16:47:14 552448 ----a-w- C:\Windows\System32\atieclxx.exe
2015-12-04 16:47:06 246272 ----a-w- C:\Windows\System32\atiesrxx.exe
2015-12-04 16:46:54 190976 ----a-w- C:\Windows\System32\atitmm64.dll
2015-12-04 16:43:32 89088 ----a-w- C:\Windows\System32\atisamu64.dll
2015-12-04 16:43:30 80896 ----a-w- C:\Windows\SysWow64\atisamu32.dll
2015-12-04 16:43:12 1272832 ----a-w- C:\Windows\System32\atiadlxx.dll
2015-12-04 16:43:10 941568 ----a-w- C:\Windows\SysWow64\atiadlxy.dll
2015-12-04 16:43:10 941568 ----a-w- C:\Windows\SysWow64\atiadlxx.dll
2015-12-04 16:43:06 75776 ----a-w- C:\Windows\System32\atig6pxx.dll
2015-12-04 16:43:04 70144 ----a-w- C:\Windows\SysWow64\atiglpxx.dll
2015-12-04 16:43:04 70144 ----a-w- C:\Windows\System32\atiglpxx.dll
2015-12-04 16:43:04 157696 ----a-w- C:\Windows\System32\atig6txx.dll
2015-12-04 16:43:00 142336 ----a-w- C:\Windows\SysWow64\atigktxx.dll
2015-12-04 16:42:56 671232 ----a-w- C:\Windows\System32\drivers\atikmpag.sys
2015-12-04 16:42:32 43520 ----a-w- C:\Windows\System32\drivers\ati2erec.dll
2015-12-04 16:41:56 195072 ----a-w- C:\Windows\System32\hsa-thunk64.dll
2015-12-04 16:41:54 174592 ----a-w- C:\Windows\SysWow64\hsa-thunk.dll
2015-12-01 10:30:28 75472 ----a-w- C:\Windows\System32\drivers\avnetflt.sys
2015-12-01 10:30:28 162072 ----a-w- C:\Windows\System32\drivers\avgntflt.sys
2015-11-20 18:54:59 98816 ----a-w- C:\Windows\System32\wudriver.dll
2015-11-20 18:54:59 3170304 ----a-w- C:\Windows\System32\wucltux.dll
2015-11-20 18:54:59 192512 ----a-w- C:\Windows\System32\wuwebv.dll
2015-11-20 18:54:28 91136 ----a-w- C:\Windows\System32\WinSetupUI.dll
2015-11-20 18:54:18 12288 ----a-w- C:\Windows\System32\wu.upgrade.ps.dll
2015-11-20 18:54:15 37888 ----a-w- C:\Windows\System32\wuapp.exe
2015-11-20 18:34:36 93696 ----a-w- C:\Windows\SysWow64\wudriver.dll
2015-11-20 18:34:36 174080 ----a-w- C:\Windows\SysWow64\wuwebv.dll
2015-11-20 18:33:56 35328 ----a-w- C:\Windows\SysWow64\wuapp.exe
2015-11-10 00:24:59 2724864 ----a-w- C:\Windows\SysWow64\mshtml.tlb
2015-11-10 00:13:04 496640 ----a-w- C:\Windows\SysWow64\vbscript.dll
2015-11-10 00:13:03 62464 ----a-w- C:\Windows\SysWow64\iesetup.dll
2015-11-10 00:12:29 47616 ----a-w- C:\Windows\SysWow64\ieetwproxystub.dll
2015-11-10 00:12:19 341504 ----a-w- C:\Windows\SysWow64\html.iec
2015-11-10 00:11:38 64000 ----a-w- C:\Windows\SysWow64\MshtmlDac.dll
2015-11-10 00:03:01 115712 ----a-w- C:\Windows\SysWow64\ieUnatt.exe
2015-11-10 00:02:42 620032 ----a-w- C:\Windows\SysWow64\jscript9diag.dll
2015-11-09 23:50:28 60416 ----a-w- C:\Windows\SysWow64\JavaScriptCollectionAgent.dll
2015-11-09 23:46:18 4514816 ----a-w- C:\Windows\SysWow64\jscript9.dll
2015-11-09 23:36:09 2050560 ----a-w- C:\Windows\SysWow64\inetcpl.cpl
2015-11-09 23:35:17 1155072 ----a-w- C:\Windows\SysWow64\mshtmlmedia.dll
2015-11-09 23:17:36 2011136 ----a-w- C:\Windows\SysWow64\wininet.dll
2015-11-08 22:33:00 2724864 ----a-w- C:\Windows\System32\mshtml.tlb
2015-11-08 22:32:46 4096 ----a-w- C:\Windows\System32\ieetwcollectorres.dll
2015-11-08 22:16:29 66560 ----a-w- C:\Windows\System32\iesetup.dll
2015-11-08 22:15:39 48640 ----a-w- C:\Windows\System32\ieetwproxystub.dll
2015-11-08 22:15:31 417792 ----a-w- C:\Windows\System32\html.iec
2015-11-08 22:15:22 571392 ----a-w- C:\Windows\System32\vbscript.dll
2015-11-08 22:14:50 88064 ----a-w- C:\Windows\System32\MshtmlDac.dll
2015-11-08 22:04:46 5923840 ----a-w- C:\Windows\System32\jscript9.dll
2015-11-08 22:01:25 114688 ----a-w- C:\Windows\System32\ieetwcollector.exe
2015-11-08 22:01:24 144384 ----a-w- C:\Windows\System32\ieUnatt.exe
2015-11-08 22:01:01 814080 ----a-w- C:\Windows\System32\jscript9diag.dll
2015-11-08 21:52:10 968704 ----a-w- C:\Windows\System32\MsSpellCheckingFacility.exe
2015-11-08 21:40:10 77824 ----a-w- C:\Windows\System32\JavaScriptCollectionAgent.dll
2015-11-08 21:14:19 1359360 ----a-w- C:\Windows\System32\mshtmlmedia.dll
2015-11-08 21:13:40 2123264 ----a-w- C:\Windows\System32\inetcpl.cpl
.
============= FINISH: 22:03:38.62 ===============
Attached Files
File Type: txt attach.txt (21.1 KB, 18 views)
nathanpose is offline  
Old 01-10-2016, 06:01 AM   #2
Registered Member
 
Join Date: Jan 2016
Posts: 10
OS: windows 7 service pack 1
BUMP, please.
nathanpose is offline  
Old 01-10-2016, 11:39 PM   #3
Security Team
Analyst
Join Date: Oct 2010
Location: Turkiye
Posts: 1,859
OS: Windows 7 (32 Bit)
Hello and welcome to TSF nathanpose,

My name is Tolga and I will assist you with your malware related problems.

Before we move on, please read the following points carefully.

If you haven't already, please Subscribe to this Thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant notification by email, then click Add Subscription.
First, read my instructions completely. If there is anything that you do not understand kindly ask before proceeding.
Please download and run all requested tools from your Desktop.
Perform everything in the correct order. Sometimes one step requires the previous one.
If you have any problems while following my instructions, stop there and tell me the exact nature of your problem.
Do not run any other scans without instruction or add/remove software unless I tell you to do so. This would change the output of our tools and could be confusing for me.
Post all logfiles as a reply rather than as an attachment unless I specifically ask you. If you cannot post all logfiles in one reply, feel free to use more posts.
If I don't hear from you within 3 days from this initial or any subsequent post, then this thread will be closed.
Stay with me. I will give you some advice about prevention after the cleanup process. Absence of symptoms does not always mean the computer is clean.
My native language is not English, so please do not use slang or idioms. It could be hard for me to read. Thanks for your understanding.

**Please do not upgrade your OS to Windows 10 until I say so.

Now, let's get started, shall we? Please do the below steps.

STEP 1

Please download AdwCleaner from here and save it to your desktop.

Click the green 'Download now @bleepingcomputer' button.
Run AdwCleaner and select Scan
Once the Scan is done, select Cleaning
Once done it will ask to reboot, please allow the reboot.
On reboot, a log will be produced. It can also be found at C:\AdwCleaner\AdwCleaner[C#].txt
Please copy/paste the contents of the log in your next reply.

STEP 2

Please download Farbar Recovery Scan Tool and save it to your desktop.

Double-click FRST64 to run it. When the tool opens, click Yes to the disclaimer.
Make sure the Addition.txt box is ticked.
Press the Scan button.
It will make a log (FRST.txt) in the same directory the tool is run. Please attach it to your reply.
The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply.
tekir06 is offline  
 
Old 01-11-2016, 03:21 AM   #4
Registered Member
 
Join Date: Jan 2016
Posts: 10
OS: windows 7 service pack 1



# AdwCleaner v5.028 - Logfile created 11/01/2016 at 06:01:03
# Updated 04/01/2016 by Xplode
# Database : 2016-01-04.2 [Server]
# Operating system : Windows 7 Home Premium Service Pack 1 (x64)
# Username : Justin - JUSTIN-PC
# Running from : C:\Users\Justin\Desktop\AdwCleaner.exe
# Option : Cleaning
# Support : Forum - ToolsLib

***** [ Services ] *****


***** [ Folders ] *****

[-] Folder Deleted : C:\Program Files (x86)\Ask.com
[-] Folder Deleted : C:\ProgramData\Ask
[-] Folder Deleted : C:\Users\Jennifer\AppData\Local\AskToolbar
[-] Folder Deleted : C:\Users\Jennifer\AppData\LocalLow\AskToolbar
[-] Folder Deleted : C:\Users\Justin\AppData\Local\apn
[-] Folder Deleted : C:\Users\Justin\AppData\LocalLow\AskToolbar
[-] Folder Deleted : C:\Windows\installer\{86d4b82a-abed-442a-be86-96357b70f4fe}

***** [ Files ] *****

[-] File Deleted : C:\Users\Justin\AppData\Roaming\Mozilla\Firefox\Profiles\ws6sgnhz.default\invalidprefs.js

***** [ DLLs ] *****


***** [ Shortcuts ] *****


***** [ Scheduled tasks ] *****

[-] Task Deleted : Scheduled Update for Ask Toolbar

***** [ Registry ] *****

[-] Key Deleted : HKLM\SOFTWARE\Classes\AppID\GenericAskToolbar.DLL
[-] Key Deleted : HKLM\SOFTWARE\Classes\GenericAskToolbar.ToolbarWnd
[-] Key Deleted : HKLM\SOFTWARE\Classes\GenericAskToolbar.ToolbarWnd.1
[-] Key Deleted : HKLM\SOFTWARE\Classes\ScriptHost.Tool
[-] Key Deleted : HKLM\SOFTWARE\Classes\ScriptHost.Tool.1
[-] Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Activities\Search\ask.com
[-] Key Deleted : HKLM\SOFTWARE\Classes\AppID\{9B0CB95C-933A-4B8C-B6D4-EDCD19A43874}
[-] Key Deleted : HKLM\SOFTWARE\Classes\AppID\{C17DC5CF-54FF-4E63-8AC7-94335D6DA231}
[-] Key Deleted : HKLM\SOFTWARE\Classes\AppID\{D14D0EE2-2DD1-4230-BE70-3F3AD6172C40}
[-] Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{00000000-6E41-4FD3-8538-502F5495E5FC}
[-] Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{05366194-3126-4601-AC1A-DDE573E093DC}
[-] Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{061F450C-37B9-4330-9235-0F25D9F75B33}
[-] Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{19D2F415-D58B-46BC-9390-C03DCBC21EB2}
[-] Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{22FEB0F5-0BA0-4D4B-8A66-55A21667BC31}
[-] Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{26249267-15F4-4DA3-8247-C5A78E4FA918}
[-] Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{39B217B4-8C69-4E45-A8DC-8CC4DAD3CF0A}
[-] Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{3CB4CE45-8849-4638-9226-D6B615A15827}
[-] Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{43AB7B5D-4C40-4103-A549-7002A116A7D5}
[-] Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{6E45F3E8-2683-4824-A6BE-08108022FB36}
[-] Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{744E0E81-BC79-4719-A58B-C98F7E78EE5D}
[-] Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{996ED20F-A740-47A2-A7EF-9620D422BB4E}
[-] Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{9F0F16DD-4E76-4049-A9B1-7A91E48F0323}
[-] Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{D2B79F7D-2D7D-4420-B2A9-ECE52C7C83A0}
[-] Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{D4027C7F-154A-4066-A1AD-4243D8127440}
[-] Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{F4288797-CB12-49CE-9DF8-7CDFA1143BEA}
[-] Key Deleted : HKLM\SOFTWARE\Classes\Interface\{061F450C-37B9-4330-9235-0F25D9F75B33}
[-] Key Deleted : HKLM\SOFTWARE\Classes\Interface\{22FEB0F5-0BA0-4D4B-8A66-55A21667BC31}
[-] Key Deleted : HKLM\SOFTWARE\Classes\Interface\{6C434537-053E-486D-B62A-160059D9D456}
[-] Key Deleted : HKLM\SOFTWARE\Classes\Interface\{744E0E81-BC79-4719-A58B-C98F7E78EE5D}
[-] Key Deleted : HKLM\SOFTWARE\Classes\Interface\{91CF619A-4686-4CA4-9232-3B2E6B63AA92}
[-] Key Deleted : HKLM\SOFTWARE\Classes\Interface\{AC71B60E-94C9-4EDE-BA46-E146747BB67E}
[-] Key Deleted : HKLM\SOFTWARE\Classes\Interface\{D2B79F7D-2D7D-4420-B2A9-ECE52C7C83A0}
[-] Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{1D55DAA5-04AC-4036-B0BE-DA81EE9676CD}
[-] Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{212C2C4F-C845-4FBC-9561-C833A13D8DCE}
[-] Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}
[-] Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{3C5D1D57-16C8-473C-A552-37B8D88596FE}
[-] Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{4A115D8A-6A7B-4C72-92B1-2E2D01F36979}
[-] Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{58CBF821-A0C7-4AE8-9430-77DD1AF38E99}
[-] Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{72BCBFF7-2837-4CA0-B3B5-3DAED7F54601}
[-] Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{824125FD-7732-4DA2-9277-3A7D0A0A0813}
[-] Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{99DF8440-814E-497F-BDDD-FB93E9E9DF96}
[-] Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}
[-] Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{00000000-6E41-4FD3-8538-502F5495E5FC}
[-] Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{D4027C7F-154A-4066-A1AD-4243D8127440}
[-] Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{D4027C7F-154A-4066-A1AD-4243D8127440}
[-] Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{83CAD530-387D-40FD-82EA-B9E863D92A9B}
[-] Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{A5AA24EA-11B8-4113-95AE-9ED71DEAF12A}
[-] Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C17DC5CF-54FF-4E63-8AC7-94335D6DA231}
[-] Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{D14D0EE2-2DD1-4230-BE70-3F3AD6172C40}
[-] Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{F994E0D9-8335-48F1-99C2-A712C21F8D5F}
[-] Value Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar [{D4027C7F-154A-4066-A1AD-4243D8127440}]
[-] Value Deleted : HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser [{D4027C7F-154A-4066-A1AD-4243D8127440}]
[-] Value Deleted : HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser [{21FA44EF-376D-4D53-9B0F-8A89D3229068}]
[-] Value Deleted : HKCU\Software\Microsoft\Internet Explorer\URLSearchHooks [{00000000-6E41-4FD3-8538-502F5495E5FC}]
[-] Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{6C434537-053E-486D-B62A-160059D9D456}
[-] Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{91CF619A-4686-4CA4-9232-3B2E6B63AA92}
[-] Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{AC71B60E-94C9-4EDE-BA46-E146747BB67E}
[-] Key Deleted : HKCU\Software\APN
[-] Key Deleted : HKCU\Software\Ask.com
[-] Key Deleted : HKCU\Software\YahooPartnerToolbar
[-] Key Deleted : HKCU\Software\AppDataLow\Software\AskToolbar
[-] Key Deleted : HKLM\SOFTWARE\APN
[-] Key Deleted : HKLM\SOFTWARE\AskToolbar
[-] Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\{79A765E1-C399-405B-85AF-466F52E918B0}
[-] Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{86D4B82A-ABED-442A-BE86-96357B70F4FE}
[-] Key Deleted : HKU\S-1-5-21-3255038389-4209058758-2932593556-1003\Software\APN
[-] Key Deleted : HKU\S-1-5-21-3255038389-4209058758-2932593556-1003\Software\AskToolbar
[-] Key Deleted : HKU\S-1-5-21-3255038389-4209058758-2932593556-1003\Software\AppDataLow\Software\AskToolbar
[-] Key Deleted : HKU\S-1-5-21-3255038389-4209058758-2932593556-1003\Software\Microsoft\Windows\CurrentVersion\Uninstall\{79A765E1-C399-405B-85AF-466F52E918B0}
[-] Key Deleted : HKLM\SOFTWARE\Classes\Installer\Features\A28B4D68DEBAA244EB686953B7074FEF
[-] Key Deleted : HKLM\SOFTWARE\Classes\Installer\Products\A28B4D68DEBAA244EB686953B7074FEF
[-] Key Deleted : HKLM\SOFTWARE\Classes\Installer\UpgradeCodes\F928123A039649549966D4C29D35B1C9
[-] Key Deleted : [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\0CFE535C35F99574E8340BFA75BF92C2
[-] Key Deleted : [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\0E12F736682067FDE4D1158D5940A82E
[-] Key Deleted : [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\1A24B5BB8521B03E0C8D908F5ABC0AE6
[-] Key Deleted : [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\261F213D1F55267499B1F87D0CC3BCF7
[-] Key Deleted : [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\2B0D56C4F4C46D844A57FFED6F0D2852
[-] Key Deleted : [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\49D4375FE41653242AEA4C969E4E65E0
[-] Key Deleted : [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\6AA0923513360135B272E8289C5F13FA
[-] Key Deleted : [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\6F7467AF8F29C134CBBAB394ECCFDE96
[-] Key Deleted : [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\741B4ADF27276464790022C965AB6DA8
[-] Key Deleted : [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\7DE196B10195F5647A2B21B761F3DE01
[-] Key Deleted : [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\922525DCC5199162F8935747CA3D8E59
[-] Key Deleted : [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\9D4F5849367142E4685ED8C25E44C5ED
[-] Key Deleted : [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\A5875B04372C19545BEB90D4D606C472
[-] Key Deleted : [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\A876D9E80B896EC44A8620248CC79296
[-] Key Deleted : [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\B66FFAB725B92594C986DE826A867888
[-] Key Deleted : [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\BCDA179D619B91648538E3394CAC94CC
[-] Key Deleted : [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\D677B1A9671D4D4004F6F2A4469E86EA
[-] Key Deleted : [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\DD1402A9DD4215A43ABDE169A41AFA0E
[-] Key Deleted : [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\E36E114A0EAD2AD46B381D23AD69CDDF
[-] Key Deleted : [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\EF8E618DB3AEDFBB384561B5C548F65E
[-] Key Deleted : [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\120DFADEB50841F408F04D2A278F9509
[-] Key Deleted : [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\A28B4D68DEBAA244EB686953B7074FEF
[-] Key Deleted : [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UpgradeCodes\F928123A039649549966D4C29D35B1C9
[-] Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{27E3AFBC-7A21-44DF-8095-05560DDBDBD2}
[-] Key Deleted : HKU\S-1-5-21-3255038389-4209058758-2932593556-1003\Software\Microsoft\Internet Explorer\SearchScopes\{01AA636D-C22B-4433-AC29-B8C85928E74E}

***** [ Web browsers ] *****

[-] [C:\Users\Justin\AppData\Roaming\Mozilla\Firefox\Profiles\ws6sgnhz.default\prefs.js] [Preference] Deleted : user_pref("browser.search.defaultengine", "Ask.com");
[-] [C:\Users\Justin\AppData\Roaming\Mozilla\Firefox\Profiles\ws6sgnhz.default\prefs.js] [Preference] Deleted : user_pref("browser.search.order.1", "Ask.com");
[-] [C:\Users\Justin\AppData\Roaming\Mozilla\Firefox\Profiles\ws6sgnhz.default\prefs.js] [Preference] Deleted : user_pref("startpage.ntsearch_url", "hxxps://search.yahoo.com/search?fr=spigot-nt-ff&ei=utf-8&ilc=12&type=523482&p={searchTerms}");
[-] [C:\Users\Jennifer\AppData\Roaming\Mozilla\Firefox\Profiles\256f2m5j.default\prefs.js] [Preference] Deleted : user_pref("browser.search.defaultengine", "Ask.com");
[-] [C:\Users\Jennifer\AppData\Roaming\Mozilla\Firefox\Profiles\256f2m5j.default\prefs.js] [Preference] Deleted : user_pref("browser.search.order.1", "Ask.com");
[-] [C:\Users\Jennifer\AppData\Roaming\Mozilla\Firefox\Profiles\256f2m5j.default\prefs.js] [Preference] Deleted : user_pref("extensions.asktb.ff-original-keyword-url", "");
[-] [C:\Users\Jennifer\AppData\Roaming\Mozilla\Firefox\Profiles\256f2m5j.default\prefs.js] [Preference] Deleted : user_pref("extensions.toolbar.mindspark._b7Members_.toolbarCollapsed", true);
[-] [C:\Users\Jennifer\AppData\Roaming\Mozilla\Firefox\Profiles\256f2m5j.default\prefs.js] [Preference] Deleted : user_pref("extensions.toolbar.mindspark.hp.enabled", false);
[-] [C:\Users\Jennifer\AppData\Roaming\Mozilla\Firefox\Profiles\256f2m5j.default\prefs.js] [Preference] Deleted : user_pref("extensions.toolbar.mindspark.hp.enabled.guid", "");
[-] [C:\Users\Jennifer\AppData\Roaming\Mozilla\Firefox\Profiles\256f2m5j.default\prefs.js] [Preference] Deleted : user_pref("extensions.toolbar.mindspark.lastInstalled", "[email protected]");
[-] [C:\Users\Justin\AppData\Local\Google\Chrome\User Data\Default\Web Data] [Search Provider] Deleted : websearch.ask.com
[-] [C:\Users\Justin\AppData\Local\Google\Chrome\User Data\Default\Web Data] [Search Provider] Deleted : aol.com
[-] [C:\Users\Justin\AppData\Local\Google\Chrome\User Data\Default\Web Data] [Search Provider] Deleted : ask.com
[-] [C:\Users\Justin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences] [Extension] Deleted : aaaaabfjnbeinlpljodiajipidiompfl
[-] [C:\Users\Jennifer\AppData\Local\Google\Chrome\User Data\Default\Web Data] [Search Provider] Deleted : aol.com
[-] [C:\Users\Jennifer\AppData\Local\Google\Chrome\User Data\Default\Web Data] [Search Provider] Deleted : ask.com

*************************

:: "Tracing" keys removed
:: Winsock settings cleared

########## EOF - C:\AdwCleaner\AdwCleaner[C1].txt - [13901 bytes] ##########
Attached Files
File Type: txt Addition.txt (37.3 KB, 11 views)
File Type: txt FRST.txt (36.6 KB, 11 views)
nathanpose is offline  
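The AdwCleaner log above is worth reading for what it reveals about scope: the Ask/Mindspark search hijack had to be cleaned out of two accounts (the logged-on user's HKCU and the HKU\S-1-5-21-...-1003 hive), two browsers (IE SearchScopes and Firefox prefs.js) and Chrome's Web Data. A quick way to confirm nothing was missed is to enumerate those settings for every account instead of only the current one. The PowerShell script below is an added example for that check; it is not part of this thread and not AdwCleaner's code. It assumes an elevated PowerShell prompt on Windows 7 (PowerShell 2.0 syntax), that the other user's registry hive is visible under HKEY_USERS (it only is while that user is logged on or after the hive has been loaded with reg load), and that the vendor patterns it flags (ask.com, conduit, mindspark, spigot) are those named in the log, not a complete list. Chrome's Web Data is an SQLite file and is left for a dedicated tool.

```powershell
# Added example, not part of this thread and not AdwCleaner's own code: list
# the IE search scopes and Firefox search preferences of every user account,
# so a hijacked second profile (the log above had to clean the SID ...-1003
# hive as well as the logged-on user's) is not missed. Assumptions: elevated
# PowerShell 2.0 on Windows 7; a user's HKEY_USERS hive is only visible while
# that user is logged on or the hive has been loaded with "reg load"; the
# engine patterns are the vendors named in the log, not a complete list.

function Get-IESearchScopes {
    foreach ($hive in Get-ChildItem -Path Registry::HKEY_USERS) {
        $sid = $hive.PSChildName
        # real user SIDs only; skips S-1-5-18/19/20 and the *_Classes hives
        if ($sid -notmatch '^S-1-5-21-\d+-\d+-\d+-\d+$') { continue }
        $scopes = "Registry::HKEY_USERS\$sid\Software\Microsoft\Internet Explorer\SearchScopes"
        if (-not (Test-Path -LiteralPath $scopes)) { continue }
        $default = (Get-ItemProperty -LiteralPath $scopes).DefaultScope
        foreach ($s in Get-ChildItem -LiteralPath $scopes) {
            $url = [string](Get-ItemProperty -LiteralPath $s.PSPath).URL
            New-Object PSObject -Property @{
                Sid       = $sid
                Scope     = $s.PSChildName
                IsDefault = ($s.PSChildName -eq $default)
                Url       = $url
                # an empty URL is the "URL =" residue a tool like FRST reports
                Suspect   = (($url -eq '') -or ($url -match 'ask\.com|conduit|mindspark|spigot'))
            }
        }
    }
}

function Get-FirefoxSearchPrefs {
    # prefs.js lines look like:
    #   user_pref("browser.search.defaultengine", "Ask.com");
    $glob = Join-Path $env:SystemDrive 'Users\*\AppData\Roaming\Mozilla\Firefox\Profiles\*\prefs.js'
    foreach ($prefs in Get-ChildItem -Path $glob -ErrorAction SilentlyContinue) {
        foreach ($line in Get-Content -LiteralPath $prefs.FullName) {
            if ($line -match '^user_pref\("((?:browser\.search|startpage|keyword)\.[^"]+)",\s*"?([^"]*)"?\);') {
                New-Object PSObject -Property @{
                    Profile = $prefs.FullName
                    Pref    = $Matches[1]
                    Value   = $Matches[2]
                    Suspect = ($Matches[2] -match 'ask\.com|conduit|mindspark|spigot')
                }
            }
        }
    }
}

Get-IESearchScopes     | Format-Table Sid, Scope, IsDefault, Suspect, Url -AutoSize
Get-FirefoxSearchPrefs | Format-Table Profile, Pref, Suspect, Value -AutoSize
```

Run it once before and once after the cleanup: the "before" output is the baseline, and any Suspect entry still present afterwards belongs to an account or profile the cleaner did not touch.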
Old 01-11-2016, 05:19 AM   #5
Security Team
Analyst
 
 
Join Date: Oct 2010
Location: Turkiye
Posts: 1,859
OS: Windows 7 (32 Bit)



Hello nathanpose,

Thanks for the logs. Please do the below instructions.

Open Notepad (Start > All Programs > Accessories > Notepad).
Please copy all the text in the codebox below. (To do this highlight the contents of the box, right-click on it and select Copy. Right-click in the open Notepad and select Paste).
Save it as fixlist.txt next to FRST64.exe

NOTE: Both FRST64.exe and the fixlist.txt must be in the same location or the fix will not work.

Code:
CreateRestorePoint:
HKLM-x32\...\Run: [] => [X]
GroupPolicyUsers\S-1-5-21-3255038389-4209058758-2932593556-1003\User: Restriction <======= ATTENTION
SearchScopes: HKU\S-1-5-21-3255038389-4209058758-2932593556-1001 -> DefaultScope {FE35C2DA-7786-475F-9E92-8F3732BD8A55} URL = 
SearchScopes: HKU\S-1-5-21-3255038389-4209058758-2932593556-1001 -> {003AFE5E-85B2-49D5-835D-ABC048A11587} URL = 
SearchScopes: HKU\S-1-5-21-3255038389-4209058758-2932593556-1001 -> {FE35C2DA-7786-475F-9E92-8F3732BD8A55} URL =
BHO: No Name -> {27B4851A-3207-45A2-B947-BE8AFE6163AB} -> No File
FF Plugin: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin-x32: @microsoft.com/GENUINE -> disabled [No File]
FF HKLM-x32\...\Thunderbird\Extensions: [[email protected]] - C:\Program Files\McAfee\MSK => not found
Task: {4C088C68-2832-485E-A155-98C7599A1767} - \ProPCCleaner_Start -> No File <==== ATTENTION
Task: {D8006525-BA20-4463-9785-41DFF2581786} - \ProPCCleaner_Popup -> No File <==== ATTENTION
FirewallRules: [{B16B6475-0C08-492E-83B1-7DE87608E567}] => (Allow) C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe
FirewallRules: [{8CF23E5E-9A92-4DFF-89CF-BE882390BAFC}] => (Allow) C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe
FirewallRules: [{B6921B1B-B335-42F1-A37C-88A31C172763}] => (Allow) C:\Users\Justin\AppData\Local\Temp\nstB80B.tmp\CnetInstaller-75758783.exe
FirewallRules: [{9813A32A-726F-433C-8EE4-BA0A5A0CA5CA}] => (Allow) C:\Users\Justin\AppData\Local\Temp\nstB80B.tmp\CnetInstaller-75758783.exe
Reg: reg delete "HKLM\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\ApnUpdater" /f 
EmptyTemp:
Double-click FRST64 to run the tool. If the tool warns you the version is outdated, please download and run the updated version.
Click the Fix button just once, and wait.
If you receive a message that a reboot is required, please make sure you allow it to restart normally.
The tool will complete its run after the restart.
When finished, the tool will make a log (Fixlog.txt) in the same location from where it was run. Please post the Fixlog.txt log in your reply.

NOTE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system
tekir06 is offline  
Old 01-11-2016, 03:08 PM   #6
Registered Member
 
Join Date: Jan 2016
Posts: 10
OS: windows 7 service pack 1



Fix result of Farbar Recovery Scan Tool (x64) Version:10-01-2015 01
Ran by Justin (2016-01-11 17:55:07) Run:1
Running from C:\Users\Justin\Desktop
Loaded Profiles: Justin (Available Profiles: Justin & Jennifer)
Boot Mode: Normal
==============================================

fixlist content:
*****************
CreateRestorePoint:
HKLM-x32\...\Run: [] => [X]
GroupPolicyUsers\S-1-5-21-3255038389-4209058758-2932593556-1003\User: Restriction <======= ATTENTION
SearchScopes: HKU\S-1-5-21-3255038389-4209058758-2932593556-1001 -> DefaultScope {FE35C2DA-7786-475F-9E92-8F3732BD8A55} URL =
SearchScopes: HKU\S-1-5-21-3255038389-4209058758-2932593556-1001 -> {003AFE5E-85B2-49D5-835D-ABC048A11587} URL =
SearchScopes: HKU\S-1-5-21-3255038389-4209058758-2932593556-1001 -> {FE35C2DA-7786-475F-9E92-8F3732BD8A55} URL =
BHO: No Name -> {27B4851A-3207-45A2-B947-BE8AFE6163AB} -> No File
FF Plugin: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin-x32: @microsoft.com/GENUINE -> disabled [No File]
FF HKLM-x32\...\Thunderbird\Extensions: [[email protected]] - C:\Program Files\McAfee\MSK => not found
Task: {4C088C68-2832-485E-A155-98C7599A1767} - \ProPCCleaner_Start -> No File <==== ATTENTION
Task: {D8006525-BA20-4463-9785-41DFF2581786} - \ProPCCleaner_Popup -> No File <==== ATTENTION
FirewallRules: [{B16B6475-0C08-492E-83B1-7DE87608E567}] => (Allow) C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe
FirewallRules: [{8CF23E5E-9A92-4DFF-89CF-BE882390BAFC}] => (Allow) C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe
FirewallRules: [{B6921B1B-B335-42F1-A37C-88A31C172763}] => (Allow) C:\Users\Justin\AppData\Local\Temp\nstB80B.tmp\CnetInstaller-75758783.exe
FirewallRules: [{9813A32A-726F-433C-8EE4-BA0A5A0CA5CA}] => (Allow) C:\Users\Justin\AppData\Local\Temp\nstB80B.tmp\CnetInstaller-75758783.exe
Reg: reg delete "HKLM\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\ApnUpdater" /f
EmptyTemp:
*****************

Restore point was successfully created.
HKLM\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\\ => value removed successfully
C:\Windows\system32\GroupPolicyUsers\S-1-5-21-3255038389-4209058758-2932593556-1003\User => moved successfully
C:\Windows\system32\GroupPolicy\GPT.ini => moved successfully
HKU\S-1-5-21-3255038389-4209058758-2932593556-1001\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => value removed successfully
"HKU\S-1-5-21-3255038389-4209058758-2932593556-1001\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{003AFE5E-85B2-49D5-835D-ABC048A11587}" => key removed successfully
HKCR\CLSID\{003AFE5E-85B2-49D5-835D-ABC048A11587} => key not found.
"HKU\S-1-5-21-3255038389-4209058758-2932593556-1001\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{FE35C2DA-7786-475F-9E92-8F3732BD8A55}" => key removed successfully
HKCR\CLSID\{FE35C2DA-7786-475F-9E92-8F3732BD8A55} => key not found.
"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{27B4851A-3207-45A2-B947-BE8AFE6163AB}" => key removed successfully
HKCR\CLSID\{27B4851A-3207-45A2-B947-BE8AFE6163AB} => key not found.
"HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE" => key removed successfully
"HKLM\Software\Wow6432Node\MozillaPlugins\@microsoft.com/GENUINE" => key removed successfully
HKLM\Software\Wow6432Node\Mozilla\Thunderbird\Extensions\\[email protected] => value removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon\{4C088C68-2832-485E-A155-98C7599A1767}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{4C088C68-2832-485E-A155-98C7599A1767}" => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\ProPCCleaner_Start => key not found.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{D8006525-BA20-4463-9785-41DFF2581786}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{D8006525-BA20-4463-9785-41DFF2581786}" => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\ProPCCleaner_Popup => key not found.
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{B16B6475-0C08-492E-83B1-7DE87608E567} => value removed successfully
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{8CF23E5E-9A92-4DFF-89CF-BE882390BAFC} => value removed successfully
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{B6921B1B-B335-42F1-A37C-88A31C172763} => value removed successfully
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{9813A32A-726F-433C-8EE4-BA0A5A0CA5CA} => value removed successfully

========= reg delete "HKLM\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\ApnUpdater" /f =========

The operation completed successfully.



========= End of Reg: =========

EmptyTemp: => 1.4 GB temporary data Removed.


The system needed a reboot.

==== End of Fixlog 17:58:15 ====
nathanpose is offline  
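The Fixlog above is a good map of where leftover persistence hides after a sloppy uninstall: scheduled-task cache entries whose task no longer exists (ProPCCleaner_Start, ProPCCleaner_Popup), a BHO whose CLSID no longer resolves to a DLL, and Windows Firewall Allow rules created for an installer that ran from the user's Temp folder (CnetInstaller-75758783.exe). The PowerShell script below is an added example that re-audits those three locations on a live machine; it is not part of this thread and not FRST's code. It assumes an elevated PowerShell prompt on Windows 7 x64 (PowerShell 2.0 syntax; the TaskCache key and System32\Tasks are not readable by a standard user) and uses the registry paths exactly as they appear in the Fixlog.

```powershell
# Added example, not part of this thread and not FRST's own code: re-check the
# three persistence locations the Fixlog above touched, on a live Windows 7
# x64 machine. Assumptions: elevated PowerShell (TaskCache and System32\Tasks
# are not readable by a standard user); PowerShell 2.0 syntax so it runs on a
# stock Windows 7 install without updates.

function Get-SuspiciousFirewallRules {
    # Each value under FirewallRules is a '|'-delimited string, e.g.
    # v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=6|App=C:\x\y.exe|Name=y|
    $key  = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules'
    $meta = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'
    foreach ($p in (Get-ItemProperty -LiteralPath $key).PSObject.Properties) {
        if ($meta -contains $p.Name) { continue }
        $f = @{}
        foreach ($tok in ([string]$p.Value).Split('|')) {
            $i = $tok.IndexOf('=')
            if ($i -gt 0) { $f[$tok.Substring(0, $i)] = $tok.Substring($i + 1) }
        }
        if ($f['Action'] -ne 'Allow' -or -not $f['App']) { continue }
        $app     = [Environment]::ExpandEnvironmentVariables($f['App'])
        $inTemp  = $app -match '\\AppData\\Local\\Temp\\'
        $missing = -not (Test-Path -LiteralPath $app)
        if ($inTemp -or $missing) {
            $why = if ($inTemp) { 'Allow rule for a binary under %TEMP%' } else { 'target no longer exists' }
            New-Object PSObject -Property @{ Rule = $p.Name; App = $app; Reason = $why }
        }
    }
}

function Get-OrphanedTasks {
    # TaskCache\Tasks\{GUID}\Path names the task; its XML body lives under
    # System32\Tasks\<Path>. Report entries with no XML on disk, and entries
    # whose <Exec><Command> points at a file that is gone (FRST's "No File").
    $tasks = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks'
    $root  = Join-Path $env:SystemRoot 'System32\Tasks'
    foreach ($k in Get-ChildItem -LiteralPath $tasks) {
        $path = (Get-ItemProperty -LiteralPath $k.PSPath).Path
        if (-not $path) { continue }
        $file = Join-Path $root $path.TrimStart('\')
        if (-not (Test-Path -LiteralPath $file)) {
            New-Object PSObject -Property @{ Task = $path; Id = $k.PSChildName; Reason = 'no task XML on disk' }
            continue
        }
        $xml = [xml](Get-Content -LiteralPath $file)
        foreach ($exec in @($xml.Task.Actions.Exec)) {
            if (-not $exec) { continue }
            $cmd = [Environment]::ExpandEnvironmentVariables(([string]$exec.Command).Trim('"'))
            # bare names such as rundll32.exe resolve via PATH; only check full paths
            if ($cmd -match '\\' -and -not (Test-Path -LiteralPath $cmd)) {
                New-Object PSObject -Property @{ Task = $path; Id = $k.PSChildName; Reason = "command missing: $cmd" }
            }
        }
    }
}

function Get-DanglingBhos {
    # A Browser Helper Object loads into every IE process. An entry whose CLSID
    # has no InprocServer32 DLL on disk is residue from an incomplete uninstall
    # (the Fixlog's "BHO: No Name -> {...} -> No File").
    $bhoKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
               'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
    $clsidRoots = 'HKLM:\SOFTWARE\Classes\CLSID', 'HKLM:\SOFTWARE\Classes\Wow6432Node\CLSID'
    foreach ($bk in $bhoKeys) {
        if (-not (Test-Path -LiteralPath $bk)) { continue }
        foreach ($k in Get-ChildItem -LiteralPath $bk) {
            $clsid = $k.PSChildName
            $dll = $null
            foreach ($root in $clsidRoots) {
                $srv = Join-Path $root "$clsid\InprocServer32"
                if (-not (Test-Path -LiteralPath $srv)) { continue }
                $raw = (Get-ItemProperty -LiteralPath $srv).'(default)'
                if ($raw) { $dll = [Environment]::ExpandEnvironmentVariables(([string]$raw).Trim('"')) }
                break
            }
            if (-not $dll -or -not (Test-Path -LiteralPath $dll)) {
                New-Object PSObject -Property @{ CLSID = $clsid; Dll = $dll; Reason = 'no DLL on disk' }
            }
        }
    }
}

Get-SuspiciousFirewallRules | Format-Table Rule, App, Reason -AutoSize
Get-OrphanedTasks           | Format-Table Task, Id, Reason -AutoSize
Get-DanglingBhos            | Format-Table CLSID, Dll, Reason -AutoSize
```

A clean run prints three empty tables. Any Allow rule whose program lives under a Temp directory deserves a second look even when the file still exists: a legitimate installer has no reason to keep an inbound firewall exception after it has finished.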
Old 01-12-2016, 01:01 AM   #7
Security Team
Analyst
 
 
Join Date: Oct 2010
Location: Turkiye
Posts: 1,859
OS: Windows 7 (32 Bit)



Hello nathanpose,

Thanks for the log. Let's continue. Please do the below steps. Then tell me how the machine is behaving now. What problems do you still have?

STEP 1

Launch Malwarebytes Anti-Malware

On the Dashboard, click the Scan Now button.
A check for database updates will be performed.
After the update check completes, a Threat Scan will begin.
When the scan is complete, if there have been detections, click Remove Selected to allow MBAM to clean what was detected.
In most cases, a restart will be required and a prompt will be shown.
Wait for the prompt to restart the computer to appear, then click on Yes.

Posting the Malwarebytes log:

After the restart once you are back at your desktop, open MBAM once more.
Click on the History tab > Application Logs.
Double click on the scan log which shows the Date and time of the scan just performed.
Click Export.
Click Text file (*.txt)
In the Save File dialog box which appears, click on Desktop.
In the File name: box type a name for your scan log.
A message box named File Saved should appear stating "Your file has been successfully exported".
Click Ok
Attach that saved log to your next reply.

STEP 2

Your Java is old. Let's update.

Please go to Start > Control Panel > Programs and Features and remove the above Java program(s) installed.


Next, download the latest Java, version 8 Update 66 from the following link

Download Free Java Software

STEP 3

Go here to run an online scanner from ESET. Windows Vista/Windows 7/Windows 8 users will need to right click on their Internet Explorer shortcut, and select Run as Administrator

Note: For browsers other than Internet Explorer, you will be prompted to download and install esetsmartinstaller_enu.exe. Click on the link and save the file to a convenient location. Double click on it to install and a new window will open. Follow the prompts.
Turn off the real time scanner of any existing antivirus program while performing the online scan. Here's how.
Click the blue Run ESET Online Scanner button
Tick the box next to YES, I accept the Terms of Use.
Click Start
When asked, allow the program to install the "OnlineScanner.cab" activex control by clicking the Install button
Once the activex control is installed, on the next screen click on Enable detection of potentially unwanted applications
Click on Advanced Settings
Make sure that the option Remove found threats is unticked.
Ensure these options are ticked
  • Scan archives
  • Scan for potentially unsafe applications
  • Enable Anti-Stealth technology
Click Start
Wait for the scan to finish
When the scan is done, if it shows a screen that says "Threats found!", then click "List of found threats", and then click "Export to text file..."
Save that text file on your desktop. Copy and paste the contents of that log as a reply to this topic.
Close the ESET online scan, and let me know how things are now.

=========================================================

I need to see in your next post:
  • Malwarebyte's log
  • ESET Online Scanner log
tekir06 is offline  
Old 01-12-2016, 07:00 PM   #8
Registered Member
 
Join Date: Jan 2016
Posts: 10
OS: windows 7 service pack 1



I updated the Java to the most current version and deleted the old one.
After I post this I will restart the PC and try using it a while to see how responsive it is.

ESET Scanner Result:

C:\AdwCleaner\Quarantine\C\Program Files (x86)\Ask.com\AviraBrowserSecurity.exe.vir a variant of Win32/Bundled.Toolbar.Ask.G potentially unsafe application
C:\AdwCleaner\Quarantine\C\Program Files (x86)\Ask.com\AviraCallingIDhelper.dll.vir a variant of Win32/Bundled.Toolbar.Ask.G potentially unsafe application
C:\AdwCleaner\Quarantine\C\Program Files (x86)\Ask.com\GenericAskToolbar.dll.vir a variant of Win32/Bundled.Toolbar.Ask.G potentially unsafe application
C:\AdwCleaner\Quarantine\C\Program Files (x86)\Ask.com\precache.exe.vir a variant of Win32/Bundled.Toolbar.Ask.G potentially unsafe application
C:\AdwCleaner\Quarantine\C\Program Files (x86)\Ask.com\SaUpdate.exe.vir a variant of Win32/Bundled.Toolbar.Ask.G potentially unsafe application
C:\AdwCleaner\Quarantine\C\Program Files (x86)\Ask.com\UpdateTask.exe.vir a variant of Win32/Bundled.Toolbar.Ask.G potentially unsafe application
C:\AdwCleaner\Quarantine\C\Program Files (x86)\Ask.com\Updater\Updater.exe.vir a variant of Win32/Bundled.Toolbar.Ask.G potentially unsafe application
C:\AdwCleaner\Quarantine\C\Users\Jennifer\AppData\Local\AskToolbar\Downloaded Program Files\AviraSafetyPrivacy.dll.vir a variant of Win32/Bundled.Toolbar.Ask.G potentially unsafe application
C:\AdwCleaner\Quarantine\C\Users\Jennifer\AppData\LocalLow\AskToolbar\avr-4.cab.vir a variant of Win32/Bundled.Toolbar.Ask.G potentially unsafe application
C:\Program Files (x86)\Avira\AntiVir Desktop\apnic.dll a variant of Win32/Bundled.Toolbar.Ask potentially unsafe application
C:\Program Files (x86)\Avira\AntiVir Desktop\apnstub.exe a variant of Win32/Bundled.Toolbar.Ask.G potentially unsafe application
C:\Program Files (x86)\Avira\AntiVir Desktop\apntoolbarinstaller.exe a variant of Win32/Bundled.Toolbar.Ask potentially unsafe application
C:\Program Files (x86)\Dell DataSafe Local Backup\hstart.exe a variant of Win32/HiddenStart.A potentially unsafe application
C:\Program Files (x86)\Dell DataSafe Local Backup\Components\DSUpdate\hstart.exe a variant of Win32/HiddenStart.A potentially unsafe application
C:\Program Files (x86)\NCH Software\Switch\switch.exe a variant of Win32/Toolbar.Conduit.H potentially unwanted application
C:\Program Files (x86)\NCH Software\Switch\switchsetup_v4.22.exe a variant of Win32/Toolbar.Conduit.H potentially unwanted application
C:\Program Files (x86)\NCH Software\Switch\uninst.exe a variant of Win32/Toolbar.Conduit.H potentially unwanted application
C:\Users\Justin\Downloads\avira_free_antivirus_en.exe a variant of Win32/Bundled.Toolbar.Ask.G potentially unsafe application
C:\Users\Justin\Downloads\ccsetup322.exe Win32/Bundled.Toolbar.Google.E potentially unsafe application
C:\Users\Justin\Downloads\ccsetup513.exe Win32/Bundled.Toolbar.Google.D potentially unsafe application
C:\Users\Justin\Downloads\FreeYouTubeDownload (1).exe Win32/OpenCandy potentially unsafe application
C:\Users\Justin\Downloads\FreeYouTubeDownload (2).exe Win32/OpenCandy potentially unsafe application
C:\Users\Justin\Downloads\FreeYouTubeDownload.exe Win32/OpenCandy potentially unsafe application
C:\Users\Justin\Downloads\pf-setup-en.exe a variant of Win32/Bundled.Toolbar.Ask potentially unsafe application
C:\Users\Justin\Downloads\switchsetup.exe a variant of Win32/Toolbar.Conduit.H potentially unwanted application
C:\Windows\Installer\66067.msi a variant of Win32/Bundled.Toolbar.Ask.G potentially unsafe application
Attached Files
File Type: txt malwarebytes result 01122016.txt (1.1 KB, 10 views)
nathanpose is offline  
Old 01-12-2016, 07:48 PM   #9
Registered Member
 
Join Date: Jan 2016
Posts: 10
OS: windows 7 service pack 1



This PC feels about the same. It takes about 50 seconds to boot to the Windows login screen. But after logging into Windows it takes 2 or 3 minutes before it is done loading the desktop and all the processes in the Task Manager. Any movement of the mouse shows the blue spinning icon next to it.

A year ago this machine was not this slow.
nathanpose is offline  
Old 01-13-2016, 01:52 AM   #10
Security Team
Analyst
 
 
Join Date: Oct 2010
Location: Turkiye
Posts: 1,859
OS: Windows 7 (32 Bit)



Hello nathanpose,

The AV you have downloaded, Avira, comes bundled with some junkware, specifically a toolbar called the Ask toolbar. As an AV, it works fine, but you may want to consider if there are other "cleaner" options available to you. If you want, you can use any other AV.
Quote:
C:\Program Files (x86)\Avira\AntiVir Desktop\apnic.dll a variant of Win32/Bundled.Toolbar.Ask potentially unsafe application
C:\Program Files (x86)\Avira\AntiVir Desktop\apnstub.exe a variant of Win32/Bundled.Toolbar.Ask.G potentially unsafe application
C:\Program Files (x86)\Avira\AntiVir Desktop\apntoolbarinstaller.exe
C:\Users\Justin\Downloads\avira_free_antivirus_en.exe
========================================================
Quote:
C:\Program Files (x86)\NCH Software\Switch\switch.exe a variant of Win32/Toolbar.Conduit.H potentially unwanted application
C:\Program Files (x86)\NCH Software\Switch\switchsetup_v4.22.exe a variant of Win32/Toolbar.Conduit.H potentially unwanted application
C:\Program Files (x86)\NCH Software\Switch\uninst.exe a variant of Win32/Toolbar.Conduit.H potentially unwanted application
C:\Users\Justin\Downloads\avira_free_antivirus_en.exe a variant of Win32/Bundled.Toolbar.Ask.G potentially unsafe application
C:\Users\Justin\Downloads\ccsetup322.exe Win32/Bundled.Toolbar.Google.E potentially unsafe application
C:\Users\Justin\Downloads\ccsetup513.exe Win32/Bundled.Toolbar.Google.D potentially unsafe application
C:\Users\Justin\Downloads\FreeYouTubeDownload (1).exe Win32/OpenCandy potentially unsafe application
C:\Users\Justin\Downloads\FreeYouTubeDownload (2).exe Win32/OpenCandy potentially unsafe application
C:\Users\Justin\Downloads\FreeYouTubeDownload.exe Win32/OpenCandy potentially unsafe application
C:\Users\Justin\Downloads\pf-setup-en.exe a variant of Win32/Bundled.Toolbar.Ask potentially unsafe application
C:\Users\Justin\Downloads\switchsetup.exe a variant of Win32/Toolbar.Conduit.H potentially unwanted application
These files aren't malware but contain security risks. I'd delete them.

========================================================

Open Notepad (Start > All Programs > Accessories > Notepad).
Please copy all the text in the codebox below. (To do this highlight the contents of the box, right-click on it and select Copy. Right-click in the open Notepad and select Paste).
Save it as fixlist.txt next to FRST64.exe

NOTE: Both FRST64.exe and the fixlist.txt must be in the same location or the fix will not work.
Code:
CreateRestorePoint:
C:\Program Files (x86)\Avira\AntiVir Desktop\apnic.dll
C:\Program Files (x86)\Avira\AntiVir Desktop\apnstub.exe
C:\Program Files (x86)\Avira\AntiVir Desktop\apntoolbarinstaller.exe
C:\Users\Justin\Downloads\avira_free_antivirus_en.exe
C:\Program Files (x86)\NCH Software\Switch\switch.exe
C:\Program Files (x86)\NCH Software\Switch\switchsetup_v4.22.exe
C:\Program Files (x86)\NCH Software\Switch\uninst.exe
C:\Users\Justin\Downloads\ccsetup322.exe
C:\Users\Justin\Downloads\ccsetup513.exe
C:\Users\Justin\Downloads\FreeYouTubeDownload (1).exe
C:\Users\Justin\Downloads\FreeYouTubeDownload (2).exe
C:\Users\Justin\Downloads\FreeYouTubeDownload.exe
C:\Users\Justin\Downloads\pf-setup-en.exe
C:\Users\Justin\Downloads\switchsetup.exe
EmptyTemp:
Double-click FRST64 to run the tool. If the tool warns you the version is outdated, please download and run the updated version.
Click the Fix button just once, and wait.
If you receive a message that a reboot is required, please make sure you allow it to restart normally.
The tool will complete its run after the restart.
When finished, the tool will make a log (Fixlog.txt) in the same location from where it was run. Please post the Fixlog.txt log in your reply.

NOTE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.
__________________
tekir06 is offline  
Old 01-13-2016, 02:42 PM   #11
Registered Member
 
Join Date: Jan 2016
Posts: 10
OS: windows 7 service pack 1



Fix result of Farbar Recovery Scan Tool (x64) Version:10-01-2015 01
Ran by Justin (2016-01-13 06:08:52) Run:2
Running from C:\Users\Justin\Desktop
Loaded Profiles: Justin (Available Profiles: Justin & Jennifer)
Boot Mode: Normal
==============================================

fixlist content:
*****************
CreateRestorePoint:
C:\Program Files (x86)\Avira\AntiVir Desktop\apnic.dll
C:\Program Files (x86)\Avira\AntiVir Desktop\apnstub.exe
C:\Program Files (x86)\Avira\AntiVir Desktop\apntoolbarinstaller.exe
C:\Users\Justin\Downloads\avira_free_antivirus_en.exe
C:\Program Files (x86)\NCH Software\Switch\switch.exe
C:\Program Files (x86)\NCH Software\Switch\switchsetup_v4.22.exe
C:\Program Files (x86)\NCH Software\Switch\uninst.exe
C:\Users\Justin\Downloads\ccsetup322.exe
C:\Users\Justin\Downloads\ccsetup513.exe
C:\Users\Justin\Downloads\FreeYouTubeDownload (1).exe
C:\Users\Justin\Downloads\FreeYouTubeDownload (2).exe
C:\Users\Justin\Downloads\FreeYouTubeDownload.exe
C:\Users\Justin\Downloads\pf-setup-en.exe
C:\Users\Justin\Downloads\switchsetup.exe
EmptyTemp:
*****************

Restore point was successfully created.
Could not move "C:\Program Files (x86)\Avira\AntiVir Desktop\apnic.dll" => Scheduled to move on reboot.
Could not move "C:\Program Files (x86)\Avira\AntiVir Desktop\apnstub.exe" => Scheduled to move on reboot.
Could not move "C:\Program Files (x86)\Avira\AntiVir Desktop\apntoolbarinstaller.exe" => Scheduled to move on reboot.
C:\Users\Justin\Downloads\avira_free_antivirus_en.exe => moved successfully
C:\Program Files (x86)\NCH Software\Switch\switch.exe => moved successfully
C:\Program Files (x86)\NCH Software\Switch\switchsetup_v4.22.exe => moved successfully
C:\Program Files (x86)\NCH Software\Switch\uninst.exe => moved successfully
C:\Users\Justin\Downloads\ccsetup322.exe => moved successfully
C:\Users\Justin\Downloads\ccsetup513.exe => moved successfully
C:\Users\Justin\Downloads\FreeYouTubeDownload (1).exe => moved successfully
C:\Users\Justin\Downloads\FreeYouTubeDownload (2).exe => moved successfully
C:\Users\Justin\Downloads\FreeYouTubeDownload.exe => moved successfully
C:\Users\Justin\Downloads\pf-setup-en.exe => moved successfully
C:\Users\Justin\Downloads\switchsetup.exe => moved successfully
EmptyTemp: => 40 MB temporary data Removed.

Result of scheduled files to move (Boot Mode: Normal) (Date&Time: 2016-01-13 06:14:01)

"C:\Program Files (x86)\Avira\AntiVir Desktop\apnic.dll" => Could not move
"C:\Program Files (x86)\Avira\AntiVir Desktop\apnstub.exe" => Could not move
"C:\Program Files (x86)\Avira\AntiVir Desktop\apntoolbarinstaller.exe" => Could not move

==== End of Fixlog 06:14:02 ====
nathanpose is offline  
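An added example (not from any post in this thread, and not part of FRST): a small Python script that reads a Fixlog in the format shown above and reports which listed paths were moved, which were deferred to the reboot pass and still could not be moved, and which were scheduled but never reported on. The log text inside it is a constructed sample built from the line formats in the Fixlog posted above; the function names are chosen here, not FRST's own.

```python
"""Triage a Farbar Recovery Scan Tool (FRST) Fixlog.

Added example: not from any post in this thread and not part of FRST.
SAMPLE_FIXLOG is a constructed sample built from the line formats in the
Fixlog posted above; summarise() and needs_follow_up() are names chosen
here, not FRST functions.
"""
import re

# Line shapes FRST writes for each path in a fixlist, as seen in the log above.
MOVED_RE = re.compile(r'^"?(?P<path>[^"]+?)"? => moved successfully$')
DEFERRED_RE = re.compile(r'^Could not move "(?P<path>.+?)" => Scheduled to move on reboot\.$')
FAILED_RE = re.compile(r'^"(?P<path>.+?)" => Could not move$')
RESULT_HDR_RE = re.compile(r'^Result of scheduled files to move')

# Constructed sample log in the format of the Fixlog above.
SAMPLE_FIXLOG = r"""
Restore point was successfully created.
Could not move "C:\Program Files (x86)\Avira\AntiVir Desktop\apnic.dll" => Scheduled to move on reboot.
Could not move "C:\Program Files (x86)\Avira\AntiVir Desktop\apnstub.exe" => Scheduled to move on reboot.
C:\Users\Justin\Downloads\avira_free_antivirus_en.exe => moved successfully
C:\Program Files (x86)\NCH Software\Switch\switch.exe => moved successfully
EmptyTemp: => 40 MB temporary data Removed.

Result of scheduled files to move (Boot Mode: Normal) (Date&Time: 2016-01-13 06:14:01)

"C:\Program Files (x86)\Avira\AntiVir Desktop\apnic.dll" => Could not move
"C:\Program Files (x86)\Avira\AntiVir Desktop\apnstub.exe" => moved successfully

==== End of Fixlog 06:14:02 ====
"""


def summarise(log_text):
    """Classify every path mentioned in a Fixlog.

    Returns a dict with three lists:
      moved      - removed, either immediately or by the post-reboot pass
      failed     - still in place after the post-reboot pass
      unresolved - scheduled for reboot but never reported on (log cut short?)
    """
    moved, deferred, failed = [], [], []
    in_result = False
    for raw in log_text.splitlines():
        line = raw.strip()
        if RESULT_HDR_RE.match(line):
            in_result = True          # everything after this is the reboot pass
            continue
        m = MOVED_RE.match(line)
        if m:
            path = m.group('path')
            moved.append(path)
            if path in deferred:      # deferred earlier, moved on reboot
                deferred.remove(path)
            continue
        m = DEFERRED_RE.match(line)
        if m:
            deferred.append(m.group('path'))
            continue
        m = FAILED_RE.match(line)
        if m and in_result:
            path = m.group('path')
            failed.append(path)
            if path in deferred:
                deferred.remove(path)
    return {'moved': moved, 'failed': failed, 'unresolved': deferred}


def needs_follow_up(log_text):
    """Paths the helper still has to deal with, sorted for a stable report."""
    s = summarise(log_text)
    return sorted(s['failed'] + s['unresolved'])


if __name__ == '__main__':
    for bucket, paths in summarise(SAMPLE_FIXLOG).items():
        print(bucket)
        for p in paths:
            print('   ', p)
```

On the log above, the three paths that end up in the failed list all sit under Avira's own install directory, which is the pattern to expect when an antivirus self-protection driver is holding its files; the thing to check is whether anything outside the AV's directory lands in that list, because that would point to a different process holding the file.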
Old 01-13-2016, 11:15 PM   #12
Security Team
Analyst
 
tekir06's Avatar
 
Join Date: Oct 2010
Location: Turkiye
Posts: 1,859
OS: Windows 7 (32 Bit)



Hello again,

Avira protects its own files. This is normal. As I said, if you want you can change the AV software. How is the machine behaving now? What problems do you still have?
__________________
tekir06 is offline  
Old 01-14-2016, 03:42 PM   #13
Registered Member
 
Join Date: Jan 2016
Posts: 10
OS: windows 7 service pack 1



The PC still runs slow at startup and when opening new program windows. It is an old machine. It may need new hardware to run faster.

Do you have any more malware tools to run? Can I upgrade to Windows 10 with confidence?
nathanpose is offline  
Old 01-14-2016, 03:43 PM   #14
Registered Member
 
Join Date: Jan 2016
Posts: 10
OS: windows 7 service pack 1



Also, I think I will switch antivirus when I do the upgrade to one of the other free AV, like Panda.
nathanpose is offline  
Old 01-15-2016, 12:03 AM   #15
Security Team
Analyst
 
tekir06's Avatar
 
Join Date: Oct 2010
Location: Turkiye
Posts: 1,859
OS: Windows 7 (32 Bit)



Hello nathanpose,
Quote:
Do you have any more malware tools to run?
No other tool.
Quote:
Can I upgrade to Windows 10 with confidence?
Yes, you can upgrade. But I think you'd better get new hardware before the upgrade.
Quote:
Also, I think I will switch antivirus when I do the upgrade to one of the other free AV, like Panda.


Your reports are clear. Let's remove all the tools and logs that we used.

CLEAN UP

Please download delfix to your desktop.
  • Close all other programs and start delfix.
  • Right-click on delfix.exe and select "Run as administrator" to run it.
  • Ensure Remove disinfection tools is ticked. Also tick: Create registry backup, Purge system restore
  • Click Run
  • delfix will now delete all found traces of our removal process.
Note: The program will run for a few moments and then notepad will open with a log. No need to post this log.

=========================================================

MICROSOFT UPDATES

It is very important that you get all of the critical updates for your operating system. Another essential is to keep your computer updated with the latest operating system patches and security fixes. Windows Updates are constantly being revised to combat the newest hacks and threats; Microsoft releases security updates that help keep your computer from becoming vulnerable. It is best if you have these set to download automatically.

Turn ON Automatic Updates in Windows 7

------------------------------------------------------

Make sure you backup your system, so possible reformatting in the future isn't necessary:

Backup and Restore - Microsoft Windows

------------------------------------------------------

PREVENTION

Please read the article below which will give you a few suggestions for how to minimise your chances of getting another infection.

  • WOT, Web of Trust, warns you about risky websites that try to scam visitors, deliver malware, or send spam. Protect your computer against online threats by using WOT as your front-line layer of protection when browsing or searching in unfamiliar territory. WOT's color-coded icons show you ratings for 21 million websites, helping you avoid the dangerous sites:
    • Green to go
    • Yellow for caution
    • Red to stop

    WOT has an add-on available for IE, Firefox, and Chrome.
  • MVPS HOSTS FILE replaces your current HOSTS file with one that will restrict known ad sites from serving you unsolicited advertisements. It basically prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is the IP of your local computer. See the guide here and for Windows 7 here.
Keep your antivirus program and antispyware programs updated and scan with them on a regular basis.

Please respond to this thread one more time so we can mark this thread as resolved.
__________________
tekir06 is offline  
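An added example, not from any post in this thread and not the MVPS tooling itself: a Python script that parses a blocking HOSTS file of the kind described in the post above and reports which names it blackholes. It shows the mechanism the post describes (a name mapped to 127.0.0.1 never leaves the machine) and handles the details a real file has: comments, several names per line, IPv6 loopback, 0.0.0.0 entries, and the localhost lines that are not blocks. The HOSTS text inside it is a constructed sample in the same style; the function names are chosen here.

```python
"""Parse a blocking HOSTS file and report what it blackholes.

Added example: not from any post in this thread and not the MVPS tooling.
SAMPLE_HOSTS is a constructed sample in the same style; parse_hosts(),
is_blocked() and blocked_names() are names chosen here.
"""
import ipaddress

# Addresses a blocking HOSTS file points unwanted names at. 127.0.0.1 is the
# classic choice; 0.0.0.0 is used by some lists because nothing listens there,
# so connection attempts fail at once instead of probing a local service.
BLACKHOLE_ADDRS = {'127.0.0.1', '0.0.0.0', '::1', '::'}

# Loopback names that legitimately map to 127.0.0.1 and are not blocks.
LOOPBACK_NAMES = {'localhost', 'localhost.localdomain'}

# Constructed sample: address first, then one or more names, '#' comments.
SAMPLE_HOSTS = """\
# Constructed sample in the style of a blocking HOSTS file
127.0.0.1 localhost
::1       localhost
0.0.0.0   ads.example               # ad server (hypothetical name)
127.0.0.1 tracker.example www.tracker.example
192.0.2.10 intranet.example         # a real mapping, not a block
this is not a valid line
"""


def parse_hosts(text):
    """Map each lower-cased hostname to the address it resolves to.

    The first entry for a name wins (how resolvers generally treat duplicate
    names); comments after '#' and blank or malformed lines are ignored.
    """
    mapping = {}
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()
        if not line:
            continue
        addr, *names = line.split()
        try:
            addr = str(ipaddress.ip_address(addr))   # validates and normalises
        except ValueError:
            continue                                  # first token not an address
        for name in names:
            mapping.setdefault(name.lower(), addr)
    return mapping


def is_blocked(mapping, hostname):
    """True if the HOSTS file sends hostname to a blackhole address."""
    name = hostname.lower()
    return name not in LOOPBACK_NAMES and mapping.get(name) in BLACKHOLE_ADDRS


def blocked_names(mapping):
    """Every name the file blackholes, for auditing what a list really covers."""
    return sorted(n for n in mapping if is_blocked(mapping, n))


if __name__ == '__main__':
    hosts = parse_hosts(SAMPLE_HOSTS)
    for name in ('ads.example', 'WWW.tracker.example', 'intranet.example', 'localhost'):
        print(f'{name:22} blocked={is_blocked(hosts, name)}')
```

After replacing the HOSTS file, running parse_hosts over the installed copy (C:\Windows\System32\drivers\etc\hosts on Windows) and checking a few names the machine must still reach, such as an intranet host in the file, is a quick way to confirm the new file blocks what it should and nothing it should not.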
Old 01-15-2016, 03:06 AM   #16
Registered Member
 
Join Date: Jan 2016
Posts: 10
OS: windows 7 service pack 1



Thank you for all the help.
nathanpose is offline  
Old 01-15-2016, 05:32 AM   #17
Security Team
Analyst
 
tekir06's Avatar
 
Join Date: Oct 2010
Location: Turkiye
Posts: 1,859
OS: Windows 7 (32 Bit)



Hello nathanpose,

You're welcome! Thank you for your patience and cooperation.
__________________
tekir06 is offline  
 

Copyright 2001 - 2018, Tech Support Forum
