
ESET smart installer is being blocked

This is a discussion on ESET smart installer is being blocked within the Resolved HJT Threads forums, part of the Tech Support Forum category. SYSTEM OS Version: Microsoft® Windows Vista™ Home Premium, Service Pack 2, 64 bit Processor: Intel(R) Pentium(R) Dual CPU T3400 @


Old 06-17-2016, 08:27 AM   #1
TSF Enthusiast
 
Join Date: Jul 2009
Posts: 687
OS: vista home premium, Windows 10



SYSTEM
OS Version: Microsoft® Windows Vista™ Home Premium, Service Pack 2, 64 bit
Processor: Intel(R) Pentium(R) Dual CPU T3400 @ 2.16GHz, Intel64 Family 6 Model 15 Stepping 13
Processor Count: 2
RAM: 1915 Mb
Graphics Card: Mobile Intel(R) 4 Series Express Chipset Family, 830 Mb
Hard Drives: C: Total - 110427 MB, Free - 43484 MB;
Motherboard: TOSHIBA, Portable PC
Antivirus: Microsoft Security Essentials, Updated and Enabled

PROBLEM
On startup I opened FF to start surfing. It acted funny. It's been real slow for weeks, but today it had that ghost of a smaller popup come over the screen, and when I went to close the main window of FF down, a second window opened and did the same thing. I unplugged from the net and I closed both FF v47.0 windows. I had to click the close button multiple times before it responded.
I tried to do an ESET online scan from the ESET smart installer on my desktop and it won’t download the updates to get started. The message says “Cannot get update. Is proxy configured?” I have my connection setting to “No Proxy”.
I went to options, advanced, network, and there is 253KB (changing to 254KB and back again occasionally) of stored data, and when I clicked on clear now it did not go away. It is there on start even if I am not connected to the internet.

I Binged ESET website and chose online scan from the results. I saved the file that came up after clicking online scan. When I opened the folder it was in, there were two files, both with the same name “esetonlinescanner_enu”.
I clicked on the one that said application and it did not work; then I noticed it had 0 bytes in the size column. I tried the second and it gave me the ‘can’t open this file’ warning and offered to let me choose a program. That is not the exact message; it was the standard MS warning window.
When I deleted these two files, the second one would not delete. I closed the ESET web page and unplugged from the internet, then it deleted. When I looked in the trash there is only one file in it, so I have not deleted it. The second file had 35 in the size column and I don’t know what to put after, KB or Mb or ?. The file in the trash bin has 0 bytes.

I disconnected from the internet again. I decided to log in here and report. I have also updated and am now running a MWBT scan. I have also updated MSE and will start that scan once MWB is done.
The MWBT scan is complete and found nothing. Starting MSE full scan.
I recently purchased a couple items on eBay as a guest and from Rock Auto.

What is my next step please?


DDS (Ver_2012-11-20.01) - NTFS_AMD64
Internet Explorer: 9.0.8112.16789 BrowserJavaVersion: 11.91.2
Run by Me at 8:12:13 on 2016-06-17
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.1915.514 [GMT -7:00]
.
AV: Microsoft Security Essentials *Enabled/Updated* {768124D7-F5F7-6D2F-DDC2-94DFA4017C95}
SP: Microsoft Security Essentials *Enabled/Updated* {CDE0C533-D3CD-62A1-E772-AFADDF863628}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe
C:\Windows\system32\svchost.exe -k rpcss
c:\Program Files\Microsoft Security Client\MsMpEng.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
C:\Windows\SysWOW64\svchost.exe -k hpdevmgmt
C:\Program Files (x86)\Hp\Common\HPSupportSolutionsFrameworkService.exe
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
c:\Program Files\Microsoft Security Client\NisSrv.exe
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Windows\RAVCpl64.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\Windows\system32\igfxsrvc.exe
C:\Windows\System32\hkcmd.exe
C:\Program Files\TOSHIBA\TOSCDSPD\TOSCDSPD.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files (x86)\Hp\Digital Imaging\bin\hpqtra08.exe
C:\Program Files (x86)\Toshiba\ConfigFree\NDSTray.exe
C:\Program Files (x86)\Hp\HP Software Update\hpwuSchd2.exe
C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
C:\Program Files (x86)\Toshiba\ConfigFree\CFSwMgr.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files (x86)\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Program Files (x86)\Microsoft Office\Office\WINWORD.EXE
C:\Windows\splwow64.exe
C:\Windows\system32\taskeng.exe
C:\Program Files (x86)\Mozilla Firefox\firefox.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\System32\cscript.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = about:blank
uDefault_Page_URL = hxxp://www.toshibadirect.com/dpdstart
mDefault_Page_URL = hxxp://www.toshibadirect.com/dpdstart
mWinlogon: Userinit = userinit.exe
BHO: Ghostery Plugin: {6BF739DD-3323-4C6A-975B-C7E00A50B154} - C:\Program Files (x86)\Ghostery\bin\ghostery.dll
BHO: Java(tm) Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre1.8.0_91\bin\ssv.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre1.8.0_91\bin\jp2ssv.dll
uRun: [TOSCDSPD] TOSCDSPD.EXE
uRun: [ehTray.exe] C:\Windows\ehome\ehTray.exe
mRun: [NDSTray.exe] NDSTray.exe
mRun: [jswtrayutil] "C:\Program Files (x86)\Jumpstart\jswtrayutil.exe"
mRun: [cfFncEnabler.exe] cfFncEnabler.exe
mRun: [HP Software Update] C:\Program Files (x86)\HP\HP Software Update\HPWuSchd2.exe
mRun: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\HPDIGI~1.LNK - C:\Program Files (x86)\Hp\Digital Imaging\bin\hpqtra08.exe
StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\MICROS~1.LNK - C:\Program Files (x86)\Microsoft Office\Office\OSA9.EXE
mPolicies-Explorer: NoActiveDesktop = dword:1
mPolicies-Explorer: NoActiveDesktopChanges = dword:1
mPolicies-Explorer: BindDirectlyToPropertySetStorage = dword:0
mPolicies-System: EnableUIADesktopToggle = dword:0
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.8.0/jinstall-1_8_0_45-windows-i586.cab
DPF: {CAFEEFAC-0018-0000-0045-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.8.0/jinstall-1_8_0_45-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.8.0/jinstall-1_8_0_45-windows-i586.cab
TCP: NameServer = 75.75.75.75 75.75.76.76
TCP: Interfaces\{C12D3495-9B83-4917-A534-5FCF1ED20B86} : DHCPNameServer = 75.75.75.75 75.75.76.76
LSA: Security Packages = kerberos msv1_0 schannel wdigest tspkg
x64-mDefault_Page_URL = hxxp://www.toshibadirect.com/dpdstart
x64-BHO: Ghostery Plugin: {6BF739DD-3323-4C6A-975B-C7E00A50B154} -
x64-Run: [Windows Defender] C:\Program Files (x86)\Windows Defender\MSASCui.exe -hide
x64-Run: [TPwrMain] C:\Program Files (x86)\TOSHIBA\Power Saver\TPwrMain.EXE
x64-Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
x64-Run: [SmoothView] C:\Program Files (x86)\Toshiba\SmoothView\SmoothView.exe
x64-Run: [Skytel] Skytel.exe
x64-Run: [RtHDVCpl] RAVCpl64.exe
x64-Run: [Persistence] C:\Windows\System32\igfxpers.exe
x64-Run: [MSC] "c:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey
x64-Run: [IgfxTray] C:\Windows\System32\igfxtray.exe
x64-Run: [IAAnotif] "C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\iaanotif.exe"
x64-Run: [HSON] C:\Program Files (x86)\TOSHIBA\TBS\HSON.exe
x64-Run: [HotKeysCmds] C:\Windows\System32\hkcmd.exe
x64-Run: [00TCrdMain] C:\Program Files (x86)\TOSHIBA\FlashCards\TCrdMain.exe
x64-mPolicies-Explorer: NoActiveDesktop = dword:1
x64-mPolicies-Explorer: NoActiveDesktopChanges = dword:1
x64-mPolicies-Explorer: BindDirectlyToPropertySetStorage = dword:0
x64-mPolicies-System: EnableUIADesktopToggle = dword:0
x64-Notify: igfxcui - igfxdev.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - C:\Users\Me\AppData\Roaming\Mozilla\Firefox\Profiles\9izno1f1.default-1437064698897\
FF - prefs.js: browser.startup.homepage - about:home
FF - prefs.js: network.proxy.type - 0
FF - plugin: C:\Program Files (x86)\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll
FF - plugin: C:\Program Files (x86)\Java\jre1.8.0_91\bin\dtplugin\npdeployJava1.dll
FF - plugin: C:\Program Files (x86)\Java\jre1.8.0_91\bin\plugin2\npjp2.dll
FF - plugin: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_21_0_0_242.dll
.
============= SERVICES / DRIVERS ===============
.
R0 MpFilter;Microsoft Malware Protection Driver;C:\Windows\System32\drivers\MpFilter.sys [2015-11-13 289120]
R0 tos_sps64;TOSHIBA tos_sps64 Service;C:\Windows\System32\drivers\tos_sps64.sys [2015-5-9 504912]
R1 JSWPSLWF;JumpStart Wireless Filter Driver;C:\Windows\System32\drivers\jswpslwfx.sys [2015-5-9 26624]
R2 FontCache;Windows Font Cache Service;C:\Windows\System32\svchost.exe -k LocalServiceAndNoImpersonation [2008-1-20 27648]
R2 HPSupportSolutionsFrameworkService;HP Support Solutions Framework Service;C:\Program Files (x86)\Hp\Common\HPSupportSolutionsFrameworkService.exe [2015-3-28 89840]
R3 FwLnk;FwLnk Driver;C:\Windows\System32\drivers\FwLnk.sys [2008-8-18 8704]
R3 NisDrv;Microsoft Network Inspection System;C:\Windows\System32\drivers\NisDrvWFP.sys [2014-11-15 133816]
R3 NisSrv;Microsoft Network Inspection;C:\Program Files\Microsoft Security Client\NisSrv.exe [2016-1-29 374344]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2014-4-11 103608]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2014-4-11 124088]
S3 PerfHost;Performance Counter DLL Host;C:\Windows\SysWOW64\perfhost.exe [2008-1-20 19968]
S3 PSMounterEx;Macrium Reflect Image Explorer Driver;C:\Windows\System32\drivers\psmounterex.sys [2015-4-2 169992]
S3 PSVolAcc;PSVolAcc;C:\Windows\System32\drivers\PSVolAcc.sys [2014-7-21 12760]
S3 WIMMount;WIMMount;C:\Program Files\Macrium\Reflect\wimmount.sys [2015-5-14 22096]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\WPF\WPFFontCache_v0400.exe [2014-4-11 1009864]
S4 clr_optimization_v2.0.50727_64;Microsoft .NET Framework NGEN v2.0.50727_X64;C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe [2015-5-10 90776]
S4 ConfigFree Gadget Service;ConfigFree Gadget Service;C:\Program Files (x86)\Toshiba\ConfigFree\CFProcSRVC.exe [2008-4-3 36864]
S4 ConfigFree Service;ConfigFree Service;C:\Program Files (x86)\Toshiba\ConfigFree\CFSvcs.exe [2008-4-17 40960]
S4 jswpsapi;Jumpstart Wifi Protected Setup;C:\Program Files (x86)\Jumpstart\jswpsapi.exe [2015-5-9 954368]
S4 KR10I64;KR10I64;C:\Windows\System32\drivers\KR10I64.sys [2008-8-18 248320]
S4 KR10N64;KR10N64;C:\Windows\System32\drivers\KR10N64.sys [2008-8-18 237568]
S4 ReflectService.exe;Macrium Reflect Image Mounting Service;C:\Program Files\Macrium\Reflect\ReflectService.exe [2014-7-21 3272656]
S4 SmartFaceVWatchSrv;SmartFaceVWatchSrv;C:\Program Files\TOSHIBA\SmartFaceV\SmartFaceVWatchSrv.exe [2008-4-24 84992]
S4 TMachInfo;TMachInfo;C:\Program Files (x86)\Toshiba\TOSHIBA Service Station\TMachInfo.exe [2008-8-18 46392]
S4 TOSHIBA SMART Log Service;TOSHIBA SMART Log Service;C:\Program Files\TOSHIBA\SMARTLogService\TosIPCSrv.exe [2007-12-3 175104]
.
=============== File Associations ===============
.
FileExt: .js: JSFile=C:\Windows\SysWOW64\WScript.exe "%1" %*
FileExt: .jse: JSEFile=C:\Windows\SysWOW64\WScript.exe "%1" %*
.
=============== Created Last 30 ================
.
.
==================== Find3M ====================
.
2016-06-17 14:37:39 192216 ----a-w- C:\Windows\System32\drivers\MBAMSwissArmy.sys
2016-06-15 23:01:56 142482544 ----a-w- C:\Windows\System32\mrt.exe
2016-06-15 20:40:57 484008 ------w- C:\Windows\System32\MpSigStub.exe
2016-05-18 15:55:46 391168 ----a-w- C:\Windows\System32\gdi32.dll
2016-05-18 15:34:13 305152 ----a-w- C:\Windows\SysWow64\gdi32.dll
2016-05-16 14:04:39 797376 ----a-w- C:\Windows\SysWow64\FlashPlayerApp.exe
2016-05-16 14:04:39 142528 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
2016-05-14 15:58:42 383208 ----a-w- C:\Windows\System32\atmfd.dll
2016-05-14 15:54:16 205824 ----a-w- C:\Windows\System32\wdigest.dll
2016-05-14 15:53:52 17920 ----a-w- C:\Windows\System32\netevent.dll
2016-05-14 15:53:15 48128 ----a-w- C:\Windows\System32\atmlib.dll
2016-05-14 15:47:02 306408 ----a-w- C:\Windows\SysWow64\atmfd.dll
2016-05-14 15:42:00 77312 ----a-w- C:\Windows\SysWow64\secur32.dll
2016-05-14 15:41:58 175616 ----a-w- C:\Windows\SysWow64\wdigest.dll
2016-05-14 15:41:48 17920 ----a-w- C:\Windows\SysWow64\netevent.dll
2016-05-14 15:41:31 34304 ----a-w- C:\Windows\SysWow64\atmlib.dll
2016-05-14 14:38:34 450560 ----a-w- C:\Windows\System32\drivers\srv.sys
2016-05-14 14:38:12 176128 ----a-w- C:\Windows\System32\drivers\srv2.sys
2016-05-14 14:38:11 147456 ----a-w- C:\Windows\System32\drivers\srvnet.sys
2016-05-12 19:52:23 18804224 ----a-w- C:\Windows\System32\mshtml.dll
2016-05-12 19:49:39 2351616 ----a-w- C:\Windows\System32\jscript9.dll
2016-05-12 19:46:18 448512 ----a-w- C:\Windows\System32\html.iec
2016-05-12 19:45:03 10940416 ----a-w- C:\Windows\System32\ieframe.dll
2016-05-12 19:44:01 1389056 ----a-w- C:\Windows\System32\urlmon.dll
2016-05-12 19:43:45 1392640 ----a-w- C:\Windows\System32\wininet.dll
2016-05-12 19:41:58 2382848 ----a-w- C:\Windows\System32\mshtml.tlb
2016-05-12 19:11:29 1815552 ----a-w- C:\Windows\SysWow64\jscript9.dll
2016-05-12 19:10:11 12840960 ----a-w- C:\Windows\SysWow64\mshtml.dll
2016-05-12 19:08:08 367616 ----a-w- C:\Windows\SysWow64\html.iec
2016-05-12 1941 9755136 ----a-w- C:\Windows\SysWow64\ieframe.dll
2016-05-12 1924 1140224 ----a-w- C:\Windows\SysWow64\urlmon.dll
2016-05-12 19:05:55 1129984 ----a-w- C:\Windows\SysWow64\wininet.dll
2016-05-12 19:04:56 425472 ----a-w- C:\Windows\SysWow64\vbscript.dll
2016-05-12 19:04:56 1427968 ----a-w- C:\Windows\SysWow64\inetcpl.cpl
2016-05-12 19:04:34 1804800 ----a-w- C:\Windows\SysWow64\iertutil.dll
2016-05-12 19:04:28 231936 ----a-w- C:\Windows\SysWow64\url.dll
2016-05-12 19:04:28 142848 ----a-w- C:\Windows\SysWow64\ieUnatt.exe
2016-05-12 19:04:26 65536 ----a-w- C:\Windows\SysWow64\jsproxy.dll
2016-05-12 19:04:21 719360 ----a-w- C:\Windows\SysWow64\jscript.dll
2016-05-12 19:04:10 607744 ----a-w- C:\Windows\SysWow64\msfeeds.dll
2016-05-12 19:04:03 41472 ----a-w- C:\Windows\SysWow64\msfeedsbs.dll
2016-05-12 19:03:57 11776 ----a-w- C:\Windows\SysWow64\mshta.exe
2016-05-12 19:03:55 354304 ----a-w- C:\Windows\SysWow64\dxtmsft.dll
2016-05-12 19:03:53 223744 ----a-w- C:\Windows\SysWow64\dxtrans.dll
2016-05-12 19:03:50 72704 ----a-w- C:\Windows\SysWow64\mshtmled.dll
2016-05-12 19:03:47 176640 ----a-w- C:\Windows\SysWow64\ieui.dll
2016-05-12 19:03:47 10752 ----a-w- C:\Windows\SysWow64\msfeedssync.exe
2016-05-12 19:03:44 2382848 ----a-w- C:\Windows\SysWow64\mshtml.tlb
2016-05-12 15:56:53 100864 ----a-w- C:\Windows\System32\winipsec.dll
2016-05-12 15:56:35 381952 ----a-w- C:\Windows\System32\polstore.dll
2016-05-12 15:56:10 534528 ----a-w- C:\Windows\System32\IPSECSVC.DLL
2016-05-12 15:56:06 726016 ----a-w- C:\Windows\System32\gpsvc.dll
2016-05-12 15:56:05 84480 ----a-w- C:\Windows\System32\gpapi.dll
2016-05-12 15:56:05 50176 ----a-w- C:\Windows\System32\FwRemoteSvr.dll
2016-05-12 15:34:38 61440 ----a-w- C:\Windows\SysWow64\winipsec.dll
2016-05-12 15:34:24 273920 ----a-w- C:\Windows\SysWow64\polstore.dll
2016-05-12 15:33:59 75264 ----a-w- C:\Windows\SysWow64\gpapi.dll
2016-05-12 15:33:59 28672 ----a-w- C:\Windows\SysWow64\FwRemoteSvr.dll
2016-05-12 14:45:18 2801664 ----a-w- C:\Windows\System32\win32k.sys
2016-05-12 14:39:36 2048 ----a-w- C:\Windows\System32\tzres.dll
2016-05-12 14:17:53 2048 ----a-w- C:\Windows\SysWow64\tzres.dll
2016-05-11 13:10:11 516328 ----a-w- C:\Windows\System32\drivers\ksecdd.sys
2016-05-10 15:55:03 264704 ----a-w- C:\Windows\System32\ws2_32.dll
2016-05-10 15:54:59 442880 ----a-w- C:\Windows\System32\winhttp.dll
2016-05-10 15:54:29 304128 ----a-w- C:\Windows\System32\mswsock.dll
2016-05-10 15:31:47 179200 ----a-w- C:\Windows\SysWow64\ws2_32.dll
2016-05-10 15:31:42 377344 ----a-w- C:\Windows\SysWow64\winhttp.dll
2016-05-10 15:31:17 223232 ----a-w- C:\Windows\SysWow64\mswsock.dll
2016-05-10 14:55:20 248320 ----a-w- C:\Windows\System32\drivers\netbt.sys
2016-05-10 14:55:05 24064 ----a-w- C:\Windows\System32\netbtugc.exe
2016-05-10 14:28:21 21504 ----a-w- C:\Windows\SysWow64\netbtugc.exe
2016-04-24 23:19:00 97856 ----a-w- C:\Windows\SysWow64\WindowsAccessBridge-32.dll
2016-04-09 21:39:08 4692200 ----a-w- C:\Windows\System32\ntoskrnl.exe
2016-04-09 21:17:51 975360 ----a-w- C:\Windows\SysWow64\WindowsCodecs.dll
2016-04-09 20:53:24 901352 ----a-w- C:\Windows\System32\drivers\dxgkrnl.sys
2016-04-09 20:48:28 1209856 ----a-w- C:\Windows\System32\WindowsCodecs.dll
2016-04-09 20:46:31 47104 ----a-w- C:\Windows\System32\cdd.dll
2016-04-09 20:01:21 566272 ----a-w- C:\Windows\System32\d3d10level9.dll
2016-04-09 19:07:56 486912 ----a-w- C:\Windows\SysWow64\d3d10level9.dll
2016-03-21 23:00:51 1589168 ----a-w- C:\Windows\System32\ntdll.dll
2016-03-21 23:00:51 1171488 ----a-w- C:\Windows\SysWow64\ntdll.dll
.
============= FINISH: 8:12:54.99 ===============
Attached Files
File Type: txt attach.txt (19.3 KB, 111 views)
win98forever is offline  
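As an added example (not part of this thread, and not DDS's own code), a small Python triage script that parses autostart lines in the shape of the Pseudo HJT Report above and flags the things a log reader checks first: Run values that are only a bare file name, BHO CLSIDs registered with no file behind them, and executables outside the usual program directories. The expected directory roots and the flag names are this example's own choices, and the sample log is constructed from the report's line shapes plus one made-up AppData entry.

```python
"""Triage the autostart lines of a DDS 'Pseudo HJT Report' (added example).

Parses the uRun/mRun/x64-Run and BHO lines in the shape DDS prints them and
flags the entries a log reader checks first:
  bare-name            the Run value is just a file name, so it is resolved via
                       the search path and the log alone does not say which
                       file actually runs;
  no-file-path         a BHO CLSID is registered but points at no file;
  outside-program-dirs the executable lives outside the usual program roots.
The expected roots and the flag names are this example's own choices.
"""
import re
from typing import Optional

# Assumption: directories where installed autostart programs normally live.
EXPECTED_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")

# "uRun:" = current-user hive, "mRun:" = machine hive, "x64-Run:" = 64-bit view.
RUN_RE = re.compile(r"^(?P<scope>u|m|x64-)?Run:\s*\[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")
BHO_RE = re.compile(
    r"^(?P<scope>x64-)?BHO:\s*(?P<name>.*?):\s*\{(?P<clsid>[0-9A-Fa-f-]+)\}\s*-\s*(?P<path>.*)$"
)


def executable_from_command(cmd: str) -> str:
    """Return the program part of a Run value, dropping any arguments.

    DDS prints the registry value as stored: either a quoted path followed by
    arguments, or an unquoted path that may itself contain spaces.
    """
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = re.match(r"(.*?\.(?:exe|dll|cpl|scr|com|bat|cmd))(?:\s|$)", cmd, re.IGNORECASE)
    return m.group(1) if m else cmd


def flags_for(path: str) -> list:
    """Flags for one autostart target; an empty list means nothing stood out."""
    p = path.strip()
    if not p:
        return ["no-file-path"]
    if "\\" not in p and "/" not in p:
        return ["bare-name"]
    if not any(p.lower().startswith(root) for root in EXPECTED_ROOTS):
        return ["outside-program-dirs"]
    return []


def parse_autostart_line(line: str) -> Optional[dict]:
    """Parse one Run or BHO line; other DDS lines return None."""
    m = RUN_RE.match(line)
    if m:
        path = executable_from_command(m.group("cmd"))
        return {"kind": "Run", "scope": m.group("scope") or "", "name": m.group("name"),
                "path": path, "flags": flags_for(path)}
    m = BHO_RE.match(line)
    if m:
        path = m.group("path").strip()
        return {"kind": "BHO", "scope": m.group("scope") or "", "name": m.group("name"),
                "clsid": m.group("clsid"), "path": path, "flags": flags_for(path)}
    return None


def triage(log_text: str) -> list:
    """Return the parsed autostart entries that carry at least one flag."""
    findings = []
    for line in log_text.splitlines():
        entry = parse_autostart_line(line.strip())
        if entry and entry["flags"]:
            findings.append(entry)
    return findings


# Constructed sample in the shape of the report above; the final [Updater]
# line is made up to exercise the directory check and is not from the log.
SAMPLE_LOG = """\
uRun: [TOSCDSPD] TOSCDSPD.EXE
mRun: [jswtrayutil] "C:\\Program Files (x86)\\Jumpstart\\jswtrayutil.exe"
mRun: [cfFncEnabler.exe] cfFncEnabler.exe
x64-Run: [Windows Defender] C:\\Program Files (x86)\\Windows Defender\\MSASCui.exe -hide
x64-Run: [MSC] "c:\\Program Files\\Microsoft Security Client\\msseces.exe" -hide -runkey
BHO: Ghostery Plugin: {6BF739DD-3323-4C6A-975B-C7E00A50B154} - C:\\Program Files (x86)\\Ghostery\\bin\\ghostery.dll
x64-BHO: Ghostery Plugin: {6BF739DD-3323-4C6A-975B-C7E00A50B154} -
uRun: [Updater] C:\\Users\\Me\\AppData\\Local\\Temp\\updater.exe
"""

if __name__ == "__main__":
    for e in triage(SAMPLE_LOG):
        print(f"{e['scope']}{e['kind']:<4} {e['name']:<18} {e['path']:<55} {', '.join(e['flags'])}")
```

A flag is a prompt to look closer (which file a bare name actually resolves to, whether the orphaned BHO entry should be cleaned up), not a verdict; every entry in the real report above except the empty x64 Ghostery BHO and the bare-name Run values comes back clean.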
Old 06-17-2016, 10:54 AM   #2
Security Team
Moderator, Analyst
Rangemaster, TSF Academy

Microsoft Most Valuable Professional
 
Join Date: Oct 2007
Location: Georgia
Posts: 29,790
OS: XP/Win7/Win10



Hello and Welcome to TSF.

If you haven't already, please Subscribe to this Thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant notification by email, then click Add Subscription.

Please note that the forum is very busy and if I don't hear from you within three days this thread will be closed.

------------------------------------------------------

ESET Online Scanner has changed versions recently. I noticed you have the older version installed, ESET Online Scanner v3.

The newer version does not install like ESET Online Scanner v3 does. It only creates a data folder.

I would uninstall ESET Online Scanner v3 from Programs and Features via your Control Panel, then restart your machine.

Your title also mentions ESET smart installer as having problems. The older version used esetsmartinstaller_enu.exe to install ESET Online Scanner.

The new version uses esetonlinescanner_enu.exe to run the online scan, and esetonlinescanner_enu.exe to install the actual ESET Smart Security 9 antivirus/firewall package.

I believe you meant to say esetonlinescanner_enu.exe instead of esetsmartinstaller_enu.exe in your title, correct?

After uninstalling ESET Online Scanner v3, delete any and all ESET installers from your desktop.

If that second file still resists deletion, try renaming then see if it will delete. If still no joy, you might try deleting it in Safe Mode.

------------------------------------------------------

Follow these instructions for running ESET Online Scanner:

Go here and click 'SCAN NOW' under 'ESET Online Scanner' to check for remnants.
  • You will be prompted to download and install esetonlinescanner_enu.exe. Click on the link and save the file to a convenient location.
  • Double-click on esetonlinescanner_enu.exe to install and a new window will open. Follow the prompts.
  • Turn off the real-time scanner of any existing antivirus program before performing the online scan. Here's how
  • At the bottom of the Terms of use window, tick the option Download latest version of ESET Online Scanner then click Accept
  • When/if prompted by UAC, 'Do you want to allow this app to make changes to your PC?', please choose Yes
  • Tick the option Enable detection of potentially unwanted applications
  • Click on Advanced settings
  • Make sure that the option Clean threats automatically is unticked.
  • Ensure these options are ticked:
    • Enable detection of potentially unsafe applications
    • Enable detection of suspicious applications
    • Scan archives
    • Enable Anti-Stealth technology
  • Click Scan
  • Wait for the scan to finish.
  • When the scan is done, if it shows a screen that says Threats found, click Save to text file... then name it and save it to your desktop.
  • Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
  • Please copy/paste the contents of the log in your next reply.
  • To close ESET Online Scanner, select Do not clean then Finish
------------------------------------------------------

If you still have trouble running ESET Online Scanner, follow the rest of these instructions.

Please download AdwCleaner from here and save it to your desktop.
  • Run AdwCleaner and select Scan
  • Once the Scan is done, select Clean
  • Once done it will ask to reboot, please allow the reboot.
  • On reboot, a log will be produced. It can also be found at C:\AdwCleaner\AdwCleaner[C#].txt
  • Please copy/paste the contents of the log in your next reply.
------------------------------------------------------

Please download Farbar Recovery Scan Tool and save it to your desktop.
  • Double-click FRST64 to run it. When the tool opens click Yes to the disclaimer.
  • Make sure the Addition.txt button is ticked.
  • Press Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
  • The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply.
------------------------------------------------------
__________________
Our services are free, but you may contribute to the author of ComboFix via PayPal

Proud member of UNITE

Microsoft MVP - Consumer Security 2014, 2015
chemist is offline  
Old 06-17-2016, 02:36 PM   #3
TSF Enthusiast
 
Join Date: Jul 2009
Posts: 687
OS: vista home premium, Windows 10



I've deleted the ESETv3 from programs and deleted the desktop icon. The properties of that icon did say it was the ESET Smart Installer. It is the icon I have been using to do ESET scans for over a year now.
I will comply with the rest once I log out.
win98forever is offline  
Old 06-17-2016, 03:59 PM   #4
TSF Enthusiast
 
Join Date: Jul 2009
Posts: 687
OS: vista home premium, Windows 10



MSE found nothing. ESET scan found nothing.

FARBAR results

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version:16-06-2016 01
Ran by Me (administrator) on ME-PC (17-06-2016 15:52:51)
Running from C:\Users\Me\Desktop
Loaded Profiles: Me (Available Profiles: Me)
Platform: Windows Vista (TM) Home Premium Service Pack 2 (X64) Language: English (United States)
Internet Explorer Version 9 (Default browser: FF)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: FRST Tutorial - How to use Farbar Recovery Scan Tool - Malware Removal Guides and Tutorials

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(Microsoft Corporation) C:\Windows\Microsoft.NET\Framework64\v3.0\WPF\PresentationFontCache.exe
(Microsoft Corporation) C:\Program Files\Microsoft Security Client\MsMpEng.exe
(Microsoft Corporation) C:\Windows\System32\SLsvc.exe
(Microsoft Corporation) C:\Windows\SysWOW64\svchost.exe
(Hewlett-Packard Company) C:\Program Files (x86)\Hp\Common\HPSupportSolutionsFrameworkService.exe
(Microsoft Corporation) C:\Program Files\Microsoft Security Client\NisSrv.exe
(Synaptics, Inc.) C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
(Realtek Semiconductor) C:\Windows\RAVCpl64.exe
(Intel Corporation) C:\Windows\System32\igfxpers.exe
(Microsoft Corporation) C:\Program Files\Microsoft Security Client\msseces.exe
(Intel Corporation) C:\Windows\System32\igfxsrvc.exe
(Intel Corporation) C:\Windows\System32\hkcmd.exe
(TOSHIBA) C:\Program Files\TOSHIBA\TOSCDSPD\TOSCDSPD.exe
(Microsoft Corporation) C:\Windows\ehome\ehtray.exe
(Hewlett-Packard Co.) C:\Program Files (x86)\Hp\Digital Imaging\bin\hpqtra08.exe
(TOSHIBA CORPORATION) C:\Program Files (x86)\Toshiba\ConfigFree\NDSTray.exe
(Hewlett-Packard Co.) C:\Program Files (x86)\Hp\HP Software Update\hpwuSchd2.exe
(Oracle Corporation) C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
(TOSHIBA CORPORATION) C:\Program Files (x86)\Toshiba\ConfigFree\CFSwMgr.exe
(Microsoft Corporation) C:\Windows\ehome\ehmsas.exe
(Hewlett-Packard Co.) C:\Program Files (x86)\Hp\Digital Imaging\bin\hpqste08.exe
(Synaptics, Inc.) C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
(Microsoft Corporation) C:\Windows\splwow64.exe
(Mozilla Corporation) C:\Program Files (x86)\Mozilla Firefox\firefox.exe


==================== Registry (Whitelisted) ===========================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [Windows Defender] => C:\Program Files\Windows Defender\MSASCui.exe [1584184 2008-01-20] (Microsoft Corporation)
HKLM\...\Run: [TPwrMain] => C:\Program Files\TOSHIBA\Power Saver\TPwrMain.EXE [431968 2008-02-06] (TOSHIBA Corporation)
HKLM\...\Run: [SynTPEnh] => C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [1573160 2008-08-14] (Synaptics, Inc.)
HKLM\...\Run: [SmoothView] => C:\Program Files\Toshiba\SmoothView\SmoothView.exe [518008 2008-06-02] (TOSHIBA Corporation)
HKLM\...\Run: [Skytel] => C:\Windows\Skytel.exe [1826816 2007-11-20] (Realtek Semiconductor Corp.)
HKLM\...\Run: [RtHDVCpl] => C:\Windows\RAVCpl64.exe [6156288 2008-04-08] (Realtek Semiconductor)
HKLM\...\Run: [MSC] => c:\Program Files\Microsoft Security Client\msseces.exe [1340192 2016-01-29] (Microsoft Corporation)
HKLM\...\Run: [IAAnotif] => C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\iaanotif.exe [178712 2008-04-15] (Intel Corporation)
HKLM\...\Run: [HSON] => C:\Program Files\TOSHIBA\TBS\HSON.exe [52560 2007-12-06] (TOSHIBA Corporation)
HKLM\...\Run: [00TCrdMain] => C:\Program Files\TOSHIBA\FlashCards\TCrdMain.exe [865280 2008-05-09] (TOSHIBA Corporation)
HKLM-x32\...\Run: [NDSTray.exe] => NDSTray.exe
HKLM-x32\...\Run: [jswtrayutil] => "C:\Program Files (x86)\Jumpstart\jswtrayutil.exe"
HKLM-x32\...\Run: [cfFncEnabler.exe] => cfFncEnabler.exe
HKLM-x32\...\Run: [HP Software Update] => C:\Program Files (x86)\HP\HP Software Update\HPWuSchd2.exe [49152 2006-12-10] (Hewlett-Packard Co.)
HKLM-x32\...\Run: [SunJavaUpdateSched] => C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe [596504 2016-04-01] (Oracle Corporation)
Winlogon\Notify\igfxcui: C:\Windows\system32\igfxdev.dll (Intel Corporation)
HKU\S-1-5-21-1782139309-2775357304-4162436881-1000\...\Run: [TOSCDSPD] => TOSCDSPD.EXE
HKU\S-1-5-21-1782139309-2775357304-4162436881-1000\...\Run: [ehTray.exe] => C:\Windows\ehome\ehTray.exe [138240 2008-01-20] (Microsoft Corporation)
HKU\S-1-5-21-1782139309-2775357304-4162436881-1000\...\RunOnce: [FlashPlayerUpdate] => C:\Windows\SysWOW64\Macromed\Flash\FlashUtil32_21_0_0_242_Plugin.exe [1173184 2016-05-16] (Adobe Systems Incorporated)
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk [2016-04-05]
ShortcutTarget: HP Digital Imaging Monitor.lnk -> C:\Program Files (x86)\Hp\Digital Imaging\bin\hpqtra08.exe (Hewlett-Packard Co.)
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Office.lnk [2015-05-10]
ShortcutTarget: Microsoft Office.lnk -> C:\Program Files (x86)\Microsoft Office\Office\OSA9.EXE (Microsoft Corporation)

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

Tcpip\Parameters: [DhcpNameServer] 75.75.75.75 75.75.76.76
Tcpip\..\Interfaces\{C12D3495-9B83-4917-A534-5FCF1ED20B86}: [DhcpNameServer] 75.75.75.75 75.75.76.76

Internet Explorer:
==================
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://www.toshibadirect.com/dpdstart
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://www.toshibadirect.com/dpdstart
HKU\S-1-5-21-1782139309-2775357304-4162436881-1000\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
HKU\S-1-5-21-1782139309-2775357304-4162436881-1000\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://www.toshibadirect.com/dpdstart
SearchScopes: HKLM -> {433BB3A7-874E-436B-BD51-239C6921FE98} URL = hxxp://www.google.com/search?q={searchTerms}&rls=com.microsoft:{language}&ie={inputEncoding}&oe={outputEncoding}&startIndex={startIndex?}&startPage={startPage};
SearchScopes: HKLM-x32 -> {7CC94BCA-8E5E-4FAD-ACE5-798C208642BC} URL = hxxp://www.google.com/search?q={searchTerms}&rls=com.microsoft:{language}&ie={inputEncoding}&oe={outputEncoding}&startIndex={startIndex?}&startPage={startPage}
SearchScopes: HKU\.DEFAULT -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\.DEFAULT -> {6A1806CD-94D4-4689-BA73-E35EA1EA9990} URL =
SearchScopes: HKU\S-1-5-19 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-20 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-21-1782139309-2775357304-4162436881-1000 -> {56B663A7-8091-4EF3-A706-11C321B76ABB} URL = hxxps://search.yahoo.com/search?p={searchTerms}&fr=yset_ie_syc_oracle&type=orcl_default
SearchScopes: HKU\S-1-5-21-1782139309-2775357304-4162436881-1000 -> {7CC94BCA-8E5E-4FAD-ACE5-798C208642BC} URL = hxxp://www.google.com/search?q={searchTerms}&rls=com.microsoft:{language}&ie={inputEncoding}&oe={outputEncoding}&startIndex={startIndex?}&startPage={startPage}
BHO: Ghostery Plugin -> {6BF739DD-3323-4C6A-975B-C7E00A50B154} -> C:\Program Files (x86)\Ghostery\bin\ghostery64.dll => No File
BHO-x32: Ghostery Plugin -> {6BF739DD-3323-4C6A-975B-C7E00A50B154} -> C:\Program Files (x86)\Ghostery\bin\ghostery.dll [2015-10-30] (Ghostery, Inc.)
BHO-x32: Java(tm) Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files (x86)\Java\jre1.8.0_91\bin\ssv.dll [2016-04-24] (Oracle Corporation)
BHO-x32: Java(tm) Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files (x86)\Java\jre1.8.0_91\bin\jp2ssv.dll [2016-04-24] (Oracle Corporation)
Handler-x32: http - {E1D2BF42-A96B-11D1-9C6B-0000F875AC61} - C:\PROGRA~2\COMMON~1\System\OLEDB~1\MSDAIPP.DLL [1999-12-02] (Microsoft Corporation)
Handler-x32: http - {E1D2BF40-A96B-11D1-9C6B-0000F875AC61} - C:\PROGRA~2\COMMON~1\System\OLEDB~1\MSDAIPP.DLL [1999-12-02] (Microsoft Corporation)
Handler-x32: https - {E1D2BF42-A96B-11D1-9C6B-0000F875AC61} - C:\PROGRA~2\COMMON~1\System\OLEDB~1\MSDAIPP.DLL [1999-12-02] (Microsoft Corporation)
Handler-x32: https - {E1D2BF40-A96B-11D1-9C6B-0000F875AC61} - C:\PROGRA~2\COMMON~1\System\OLEDB~1\MSDAIPP.DLL [1999-12-02] (Microsoft Corporation)
Handler-x32: ipp - {E1D2BF42-A96B-11D1-9C6B-0000F875AC61} - C:\PROGRA~2\COMMON~1\System\OLEDB~1\MSDAIPP.DLL [1999-12-02] (Microsoft Corporation)
Handler-x32: msdaipp - {E1D2BF42-A96B-11D1-9C6B-0000F875AC61} - C:\PROGRA~2\COMMON~1\System\OLEDB~1\MSDAIPP.DLL [1999-12-02] (Microsoft Corporation)
Handler-x32: msdaipp - {E1D2BF40-A96B-11D1-9C6B-0000F875AC61} - C:\PROGRA~2\COMMON~1\System\OLEDB~1\MSDAIPP.DLL [1999-12-02] (Microsoft Corporation)

FireFox:
========
FF ProfilePath: C:\Users\Me\AppData\Roaming\Mozilla\Firefox\Profiles\9izno1f1.default-1437064698897
FF DefaultSearchEngine.US: Bing
FF Homepage: about:home
FF NetworkProxy: "type", 0
FF Plugin: @adobe.com/FlashPlayer -> C:\Windows\system32\Macromed\Flash\NPSWF64_21_0_0_242.dll [2016-05-16] ()
FF Plugin-x32: @adobe.com/FlashPlayer -> C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_21_0_0_242.dll [2016-05-16] ()
FF Plugin-x32: @java.com/DTPlugin,version=11.91.2 -> C:\Program Files (x86)\Java\jre1.8.0_91\bin\dtplugin\npDeployJava1.dll [2016-04-24] (Oracle Corporation)
FF Plugin-x32: @java.com/JavaPlugin,version=11.91.2 -> C:\Program Files (x86)\Java\jre1.8.0_91\bin\plugin2\npjp2.dll [2016-04-24] (Oracle Corporation)
FF Plugin-x32: @microsoft.com/WPF,version=3.5 -> c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll [2008-07-29] (Microsoft Corporation)
FF Plugin-x32: Adobe Reader -> C:\Program Files (x86)\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll [2015-09-24] (Adobe Systems Inc.)
FF SearchPlugin: C:\Users\Me\AppData\Roaming\Mozilla\Firefox\Profiles\9izno1f1.default-1437064698897\searchplugins\yahoo-ysp.xml [2015-11-23]
FF Extension: NoScript - C:\Users\Me\AppData\Roaming\Mozilla\Firefox\Profiles\9izno1f1.default-1437064698897\extensions\{73a6fe31-595d-460b-a920-fcc0f8843232}.xpi [2016-04-06]
FF Extension: Adblock Plus Pop-up Addon - C:\Users\Me\AppData\Roaming\Mozilla\Firefox\Profiles\9izno1f1.default-1437064698897\extensions\[email protected] [2016-04-27]
FF Extension: BetterPrivacy - C:\Users\Me\AppData\Roaming\Mozilla\Firefox\Profiles\9izno1f1.default-1437064698897\extensions\{d40f5e7b-d2cf-4856-b441-cc613eeffbe3}.xpi [2016-05-04]
FF Extension: Ghostery - C:\Users\Me\AppData\Roaming\Mozilla\Firefox\Profiles\9izno1f1.default-1437064698897\Extensions\[email protected] [2016-05-03]
FF Extension: Facebook™ Disconnect - C:\Users\Me\AppData\Roaming\Mozilla\Firefox\Profiles\9izno1f1.default-1437064698897\Extensions\[email protected] [2016-05-06]
FF Extension: Flagfox - C:\Users\Me\AppData\Roaming\Mozilla\Firefox\Profiles\9izno1f1.default-1437064698897\Extensions\{1018e4d6-728f-4b20-ad56-37578a4de76b}.xpi [2016-05-20]
FF Extension: Adblock Plus - C:\Users\Me\AppData\Roaming\Mozilla\Firefox\Profiles\9izno1f1.default-1437064698897\Extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}.xpi [2016-04-28]
FF HKLM-x32\...\Firefox\Extensions: [{20a82645-c095-46ed-80e3-08825760534b}] - c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF Extension: Microsoft .NET Framework Assistant - c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension [2015-05-10] [not signed]

==================== Services (Whitelisted) ========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

S4 ConfigFree Gadget Service; C:\Program Files (x86)\TOSHIBA\ConfigFree\CFProcSRVC.exe [36864 2008-04-03] (TOSHIBA Corporation.) [File not signed]
S4 ConfigFree Service; C:\Program Files (x86)\TOSHIBA\ConfigFree\CFSvcs.exe [40960 2008-04-17] (TOSHIBA CORPORATION) [File not signed]
R3 hpqcxs08; C:\Program Files (x86)\HP\Digital Imaging\bin\hpqcxs08.dll [225280 2007-03-13] (Hewlett-Packard Co.) [File not signed]
R2 hpqddsvc; C:\Program Files (x86)\HP\Digital Imaging\bin\hpqddsvc.dll [131072 2007-03-13] (Hewlett-Packard Co.) [File not signed]
R2 HPSupportSolutionsFrameworkService; C:\Program Files (x86)\Hp\Common\HPSupportSolutionsFrameworkService.exe [89840 2015-03-28] (Hewlett-Packard Company)
S4 IDriverT; C:\Program Files (x86)\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe [69632 2005-11-14] (Macrovision Corporation) [File not signed]
S4 jswpsapi; C:\Program Files (x86)\Jumpstart\jswpsapi.exe [954368 2008-04-16] (Atheros Communications, Inc.) [File not signed]
R2 MsMpSvc; c:\Program Files\Microsoft Security Client\MsMpEng.exe [23808 2016-01-29] (Microsoft Corporation)
R2 Net Driver HPZ12; C:\Windows\system32\HPZinw12.dll [71680 2010-08-06] (Hewlett-Packard) [File not signed]
R3 NisSrv; c:\Program Files\Microsoft Security Client\NisSrv.exe [374344 2016-01-29] (Microsoft Corporation)
R2 Pml Driver HPZ12; C:\Windows\system32\HPZipm12.dll [89600 2010-08-06] (Hewlett-Packard) [File not signed]
S4 ReflectService.exe; C:\Program Files\Macrium\Reflect\ReflectService.exe [3272656 2014-07-21] (Paramount Software UK Ltd)
S4 SmartFaceVWatchSrv; C:\Program Files\TOSHIBA\SmartFaceV\SmartFaceVWatchSrv.exe [84992 2008-04-24] (Toshiba) [File not signed]
S4 TNaviSrv; C:\Program Files (x86)\Toshiba\TOSHIBA DVD PLAYER\TNaviSrv.exe [83312 2008-07-18] (TOSHIBA Corporation)
S4 TODDSrv; C:\Windows\system32\TODDSrv.exe [135168 2007-11-21] (TOSHIBA Corporation) [File not signed]
S4 TOSHIBA SMART Log Service; C:\Program Files\TOSHIBA\SMARTLogService\TosIPCSrv.exe [175104 2007-12-03] (TOSHIBA Corporation) [File not signed]
S4 UleadBurningHelper; C:\Program Files (x86)\Common Files\Ulead Systems\DVD\ULCDRSvr.exe [49152 2006-08-23] (Ulead Systems, Inc.) [File not signed]
S4 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [383544 2008-01-20] (Microsoft Corporation)

===================== Drivers (Whitelisted) ==========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R0 MpFilter; C:\Windows\System32\DRIVERS\MpFilter.sys [289120 2015-11-13] (Microsoft Corporation)
R3 NisDrv; C:\Windows\System32\DRIVERS\NisDrvWFP.sys [133816 2015-11-13] (Microsoft Corporation)
S3 PSMounterEx; C:\Windows\system32\drivers\psmounterex.sys [169992 2015-04-02] (Windows (R) Win 7 DDK provider)
S3 PSVolAcc; C:\Windows\System32\Drivers\PSVolAcc.sys [12760 2014-07-21] (Paramount Software UK Ltd)
S3 WIMMount; C:\Program Files\Macrium\Reflect\wimmount.sys [22096 2015-05-14] (Microsoft Corporation)
S3 IpInIp; system32\DRIVERS\ipinip.sys [X]
S3 NwlnkFlt; system32\DRIVERS\nwlnkflt.sys [X]
S3 NwlnkFwd; system32\DRIVERS\nwlnkfwd.sys [X]

==================== NetSvcs (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)


==================== One Month Created files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2016-06-17 15:52 - 2016-06-17 15:53 - 00015426 _____ C:\Users\Me\Desktop\FRST.txt
2016-06-17 15:32 - 2016-06-17 15:32 - 02386944 _____ (Farbar) C:\Users\Me\Desktop\FRST64.exe
2016-06-17 14:38 - 2016-06-17 14:38 - 00000000 ____D C:\Users\Me\AppData\Local\ESET
2016-06-17 14:37 - 2016-06-17 14:38 - 06858912 _____ (ESET spol. s r.o.) C:\Users\Me\Desktop\esetonlinescanner_enu.exe
2016-06-17 08:13 - 2016-06-17 08:13 - 00019789 _____ C:\Users\Me\Desktop\attach.txt
2016-06-17 08:13 - 2016-06-17 08:12 - 00015888 _____ C:\Users\Me\Desktop\dds.txt
2016-06-17 08:11 - 2016-06-17 08:11 - 00688992 ____R (Swearware) C:\Users\Me\Desktop\dds.scr
2016-06-15 16:08 - 2016-05-14 08:53 - 00017920 _____ (Microsoft Corporation) C:\Windows\system32\netevent.dll
2016-06-15 16:08 - 2016-05-14 08:41 - 00017920 _____ (Microsoft Corporation) C:\Windows\SysWOW64\netevent.dll
2016-06-15 16:07 - 2016-05-18 08:55 - 00391168 _____ (Microsoft Corporation) C:\Windows\system32\gdi32.dll
2016-06-15 16:07 - 2016-05-18 08:34 - 00305152 _____ (Microsoft Corporation) C:\Windows\SysWOW64\gdi32.dll
2016-06-15 16:07 - 2016-05-14 08:54 - 00205824 _____ (Microsoft Corporation) C:\Windows\system32\wdigest.dll
2016-06-15 16:07 - 2016-05-14 08:42 - 00077312 _____ (Microsoft Corporation) C:\Windows\SysWOW64\secur32.dll
2016-06-15 16:07 - 2016-05-14 08:41 - 00175616 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wdigest.dll
2016-06-15 16:07 - 2016-05-14 07:38 - 00450560 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\srv.sys
2016-06-15 16:07 - 2016-05-14 07:38 - 00176128 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\srv2.sys
2016-06-15 16:07 - 2016-05-14 07:38 - 00147456 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\srvnet.sys
2016-06-15 16:07 - 2016-05-11 06:10 - 00516328 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\ksecdd.sys
2016-06-15 16:01 - 2016-05-14 08:58 - 00383208 _____ (Adobe Systems Incorporated) C:\Windows\system32\atmfd.dll
2016-06-15 16:01 - 2016-05-14 08:53 - 00048128 _____ (Adobe Systems) C:\Windows\system32\atmlib.dll
2016-06-15 16:01 - 2016-05-14 08:47 - 00306408 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\atmfd.dll
2016-06-15 16:01 - 2016-05-14 08:41 - 00034304 _____ (Adobe Systems) C:\Windows\SysWOW64\atmlib.dll
2016-06-15 16:01 - 2016-05-12 07:39 - 00002048 _____ (Microsoft Corporation) C:\Windows\system32\tzres.dll
2016-06-15 16:01 - 2016-05-12 07:17 - 00002048 _____ (Microsoft Corporation) C:\Windows\SysWOW64\tzres.dll
2016-06-15 16:00 - 2016-05-12 08:56 - 00726016 _____ (Microsoft Corporation) C:\Windows\system32\gpsvc.dll
2016-06-15 16:00 - 2016-05-12 08:56 - 00534528 _____ (Microsoft Corporation) C:\Windows\system32\IPSECSVC.DLL
2016-06-15 16:00 - 2016-05-12 08:56 - 00381952 _____ (Microsoft Corporation) C:\Windows\system32\polstore.dll
2016-06-15 16:00 - 2016-05-12 08:56 - 00100864 _____ (Microsoft Corporation) C:\Windows\system32\winipsec.dll
2016-06-15 16:00 - 2016-05-12 08:56 - 00084480 _____ (Microsoft Corporation) C:\Windows\system32\gpapi.dll
2016-06-15 16:00 - 2016-05-12 08:56 - 00050176 _____ (Microsoft Corporation) C:\Windows\system32\FwRemoteSvr.dll
2016-06-15 16:00 - 2016-05-12 08:34 - 00273920 _____ (Microsoft Corporation) C:\Windows\SysWOW64\polstore.dll
2016-06-15 16:00 - 2016-05-12 08:34 - 00061440 _____ (Microsoft Corporation) C:\Windows\SysWOW64\winipsec.dll
2016-06-15 16:00 - 2016-05-12 08:33 - 00075264 _____ (Microsoft Corporation) C:\Windows\SysWOW64\gpapi.dll
2016-06-15 16:00 - 2016-05-12 08:33 - 00028672 _____ (Microsoft Corporation) C:\Windows\SysWOW64\FwRemoteSvr.dll
2016-06-15 16:00 - 2016-05-12 07:45 - 02801664 _____ (Microsoft Corporation) C:\Windows\system32\win32k.sys
2016-06-15 16:00 - 2016-05-10 08:55 - 00264704 _____ (Microsoft Corporation) C:\Windows\system32\ws2_32.dll
2016-06-15 16:00 - 2016-05-10 08:54 - 00442880 _____ (Microsoft Corporation) C:\Windows\system32\winhttp.dll
2016-06-15 16:00 - 2016-05-10 08:54 - 00304128 _____ (Microsoft Corporation) C:\Windows\system32\mswsock.dll
2016-06-15 16:00 - 2016-05-10 08:31 - 00377344 _____ (Microsoft Corporation) C:\Windows\SysWOW64\winhttp.dll
2016-06-15 16:00 - 2016-05-10 08:31 - 00223232 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mswsock.dll
2016-06-15 16:00 - 2016-05-10 08:31 - 00179200 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ws2_32.dll
2016-06-15 16:00 - 2016-05-10 07:55 - 00248320 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\netbt.sys
2016-06-15 16:00 - 2016-05-10 07:55 - 00024064 _____ (Microsoft Corporation) C:\Windows\system32\netbtugc.exe
2016-06-15 16:00 - 2016-05-10 07:28 - 00021504 _____ (Microsoft Corporation) C:\Windows\SysWOW64\netbtugc.exe
2016-06-15 15:57 - 2016-05-12 12:52 - 18804224 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.dll
2016-06-15 15:57 - 2016-05-12 12:49 - 02351616 _____ (Microsoft Corporation) C:\Windows\system32\jscript9.dll
2016-06-15 15:57 - 2016-05-12 12:46 - 00448512 _____ (Microsoft Corporation) C:\Windows\system32\html.iec
2016-06-15 15:57 - 2016-05-12 12:44 - 01389056 _____ (Microsoft Corporation) C:\Windows\system32\urlmon.dll
2016-06-15 15:57 - 2016-05-12 12:43 - 01392640 _____ (Microsoft Corporation) C:\Windows\system32\wininet.dll
2016-06-15 15:57 - 2016-05-12 12:42 - 01494528 _____ (Microsoft Corporation) C:\Windows\system32\inetcpl.cpl
2016-06-15 15:57 - 2016-05-12 12:42 - 00816640 _____ (Microsoft Corporation) C:\Windows\system32\jscript.dll
2016-06-15 15:57 - 2016-05-12 12:42 - 00579584 _____ (Microsoft Corporation) C:\Windows\system32\vbscript.dll
2016-06-15 15:57 - 2016-05-12 12:42 - 00452608 _____ (Microsoft Corporation) C:\Windows\system32\dxtmsft.dll
2016-06-15 15:57 - 2016-05-12 12:42 - 00281600 _____ (Microsoft Corporation) C:\Windows\system32\dxtrans.dll
2016-06-15 15:57 - 2016-05-12 12:42 - 00248320 _____ (Microsoft Corporation) C:\Windows\system32\ieui.dll
2016-06-15 15:57 - 2016-05-12 12:42 - 00237056 _____ (Microsoft Corporation) C:\Windows\system32\url.dll
2016-06-15 15:57 - 2016-05-12 12:42 - 00173568 _____ (Microsoft Corporation) C:\Windows\system32\ieUnatt.exe
2016-06-15 15:57 - 2016-05-12 12:42 - 00096256 _____ (Microsoft Corporation) C:\Windows\system32\mshtmled.dll
2016-06-15 15:57 - 2016-05-12 12:42 - 00086016 _____ (Microsoft Corporation) C:\Windows\system32\jsproxy.dll
2016-06-15 15:57 - 2016-05-12 12:42 - 00055296 _____ (Microsoft Corporation) C:\Windows\system32\msfeedsbs.dll
2016-06-15 15:57 - 2016-05-12 12:42 - 00012800 _____ (Microsoft Corporation) C:\Windows\system32\mshta.exe
2016-06-15 15:57 - 2016-05-12 12:41 - 02382848 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.tlb
2016-06-15 15:57 - 2016-05-12 12:11 - 01815552 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll
2016-06-15 15:57 - 2016-05-12 12:10 - 12840960 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll
2016-06-15 15:57 - 2016-05-12 12:08 - 00367616 _____ (Microsoft Corporation) C:\Windows\SysWOW64\html.iec
2016-06-15 15:57 - 2016-05-12 12:06 - 01140224 _____ (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll
2016-06-15 15:57 - 2016-05-12 12:05 - 01129984 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll
2016-06-15 15:57 - 2016-05-12 12:04 - 01427968 _____ (Microsoft Corporation) C:\Windows\SysWOW64\inetcpl.cpl
2016-06-15 15:57 - 2016-05-12 12:04 - 00719360 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jscript.dll
2016-06-15 15:57 - 2016-05-12 12:04 - 00425472 _____ (Microsoft Corporation) C:\Windows\SysWOW64\vbscript.dll
2016-06-15 15:57 - 2016-05-12 12:04 - 00231936 _____ (Microsoft Corporation) C:\Windows\SysWOW64\url.dll
2016-06-15 15:57 - 2016-05-12 12:04 - 00041472 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msfeedsbs.dll
2016-06-15 15:57 - 2016-05-12 12:03 - 02382848 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb
2016-06-15 15:57 - 2016-05-12 12:03 - 00223744 _____ (Microsoft Corporation) C:\Windows\SysWOW64\dxtrans.dll
2016-06-15 15:57 - 2016-05-12 12:03 - 00176640 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll
2016-06-15 15:57 - 2016-05-12 12:03 - 00072704 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtmled.dll
2016-06-15 15:57 - 2016-05-12 12:03 - 00011776 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshta.exe
2016-06-15 15:56 - 2016-05-12 12:45 - 10940416 _____ (Microsoft Corporation) C:\Windows\system32\ieframe.dll
2016-06-15 15:56 - 2016-05-12 12:42 - 02159104 _____ (Microsoft Corporation) C:\Windows\system32\iertutil.dll
2016-06-15 15:56 - 2016-05-12 12:42 - 00729088 _____ (Microsoft Corporation) C:\Windows\system32\msfeeds.dll
2016-06-15 15:56 - 2016-05-12 12:42 - 00011264 _____ (Microsoft Corporation) C:\Windows\system32\msfeedssync.exe
2016-06-15 15:56 - 2016-05-12 12:06 - 09755136 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll
2016-06-15 15:56 - 2016-05-12 12:04 - 01804800 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll
2016-06-15 15:56 - 2016-05-12 12:04 - 00607744 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msfeeds.dll
2016-06-15 15:56 - 2016-05-12 12:04 - 00142848 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieUnatt.exe
2016-06-15 15:56 - 2016-05-12 12:04 - 00065536 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll
2016-06-15 15:56 - 2016-05-12 12:03 - 00354304 _____ (Microsoft Corporation) C:\Windows\SysWOW64\dxtmsft.dll
2016-06-15 15:56 - 2016-05-12 12:03 - 00010752 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msfeedssync.exe

==================== One Month Modified files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2016-06-17 15:52 - 2015-07-06 06:46 - 00000000 ____D C:\FRST
2016-06-17 15:11 - 2006-11-02 08:22 - 00003616 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
2016-06-17 15:11 - 2006-11-02 08:22 - 00003616 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
2016-06-17 15:04 - 2016-05-06 13:01 - 00000830 _____ C:\Windows\Tasks\Adobe Flash Player Updater.job
2016-06-17 14:23 - 2006-11-02 06:33 - 00000000 ____D C:\Windows\inf
2016-06-17 07:37 - 2015-07-09 07:57 - 00192216 _____ (Malwarebytes) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
2016-06-17 07:15 - 2006-11-02 05:46 - 00758370 _____ C:\Windows\system32\PerfStringBackup.INI
2016-06-17 07:10 - 2006-11-02 08:42 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2016-06-16 21:06 - 2006-11-02 08:42 - 00032576 _____ C:\Windows\Tasks\SCHEDLGU.TXT
2016-06-15 16:56 - 2006-11-02 06:33 - 00000000 ____D C:\Windows\rescache
2016-06-15 16:41 - 2006-11-02 08:21 - 00409496 _____ C:\Windows\system32\FNTCACHE.DAT
2016-06-15 16:07 - 2015-05-10 07:50 - 00000000 ____D C:\Windows\system32\MRT
2016-06-15 16:01 - 2006-11-02 05:35 - 142482544 _____ (Microsoft Corporation) C:\Windows\system32\mrt.exe
2016-06-15 13:40 - 2015-05-10 09:11 - 00484008 ____N (Microsoft Corporation) C:\Windows\system32\MpSigStub.exe
2016-06-15 11:33 - 2015-07-16 11:33 - 00000272 _____ C:\Windows\Tasks\DriverDoc_UPDATES.job
2016-06-09 08:44 - 2015-05-10 08:22 - 00000000 ____D C:\Program Files (x86)\Mozilla Maintenance Service
2016-06-08 18:43 - 2015-05-14 15:58 - 00000000 ____D C:\Program Files (x86)\Mozilla Firefox

==================== Files in the root of some directories =======

2015-05-10 08:00 - 2012-03-25 09:43 - 0000680 _____ () C:\Users\Me\AppData\Local\d3d9caps.dat
2015-05-10 08:00 - 2015-04-24 19:51 - 0001460 _____ () C:\Users\Me\AppData\Local\d3d9caps64.dat
2015-05-10 08:00 - 2016-03-31 08:42 - 0010240 _____ () C:\Users\Me\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
2015-05-10 08:00 - 2013-03-18 17:21 - 0386444 _____ () C:\Users\Me\AppData\Local\dd_vcredistMSI25C2.txt
2015-05-10 08:00 - 2013-03-18 17:21 - 0011374 _____ () C:\Users\Me\AppData\Local\dd_vcredistUI25C2.txt
2015-06-09 08:44 - 2016-04-12 11:15 - 0007088 _____ () C:\ProgramData\hpzinstall.log
2015-05-10 06:55 - 2015-05-10 06:55 - 0005115 _____ () C:\ProgramData\N360BUOptions.ini

Some files in TEMP:
====================
C:\Users\Me\AppData\Local\Temp\jre-8u77-windows-au.exe


==================== Bamital & volsnap =================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\system32\winlogon.exe => File is digitally signed
C:\Windows\system32\wininit.exe => File is digitally signed
C:\Windows\SysWOW64\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\system32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\system32\services.exe => File is digitally signed
C:\Windows\system32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\system32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\system32\rpcss.dll => File is digitally signed
C:\Windows\system32\dnsapi.dll => File is digitally signed
C:\Windows\SysWOW64\dnsapi.dll => File is digitally signed
C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed


LastRegBack: 2016-06-17 07:19

==================== End of FRST.txt ============================
Attached Files
File Type: txt attach.txt (19.3 KB, 9 views)
win98forever is offline  
Old 06-18-2016, 12:34 AM   #5
Security Team
Moderator, Analyst
Rangemaster, TSF Academy
 

Microsoft Most Valuable Professional
 
Join Date: Oct 2007
Location: Georgia
Posts: 29,790
OS: XP/Win7/Win10



Hello win98forever. It appears you attached the second DDS log, Attach.txt, instead of the second FRST log, Addition.txt, to your last reply.

I need to see the Addition.txt log.

------------------------------------------------------
__________________
Our services are free, but you may contribute to the author of ComboFix via PayPal

Proud member of UNITE

Microsoft MVP - Consumer Security 2014, 2015
chemist is offline  
Old 06-18-2016, 06:35 AM   #6
TSF Enthusiast
 
Join Date: Jul 2009
Posts: 687
OS: vista home premium, Windows 10



:) oops.
Attached Files
File Type: txt Addition.txt (34.1 KB, 9 views)
win98forever is offline  
Old 06-19-2016, 01:35 PM   #7
Security Team
Moderator, Analyst
Rangemaster, TSF Academy
 

Microsoft Most Valuable Professional
 
Join Date: Oct 2007
Location: Georgia
Posts: 29,790
OS: XP/Win7/Win10



Hello again, win98forever. Any remaining problems?

Quote:
It is the icon I have been using to do ESET scans for over a year now
As previously explained, ESET Online Scanner recently changed, and the new version uses esetonlinescanner_enu.exe to run the online scan instead.

------------------------------------------------------
  • Open Notepad (Start > All Programs > Accessories > Notepad).
  • Please copy all the text in the codebox below. (To do this highlight the contents of the box, right-click on it and select Copy. Right-click in the open Notepad and select Paste).
  • Save it as fixlist.txt next to FRST64.exe

    NOTE: Both FRST64.exe and the fixlist.txt must be in the same location or the fix will not work.


    Code:
    start
    createrestorepoint:
    CustomCLSID: HKU\S-1-5-21-1782139309-2775357304-4162436881-1000_Classes\CLSID\{693566bc-21f8-401e-8d42-e2c5ce50dacc}\localserver32 -> C:\Users\Me\AppData\Local\Temp\{d5641912-e47a-429c-879e-cfe13eac7a13}\IDriver.NonElevated.exe => No  (the data entry has 4 more characters).
    HKLM\...\cmdfile\DefaultIcon: %SystemRoot%\System32\shell32.dll,-153 <===== ATTENTION
    FirewallRules: [{931F098C-F39D-4D7D-A074-342D4263DBFD}] => (Allow) C:\Users\Me\AppData\Local\Temp\7zS3198\HPDiagnosticCoreUI.exe
    FirewallRules: [{680013DB-880E-4898-941B-C21675E9A089}] => (Allow) C:\Users\Me\AppData\Local\Temp\7zS3198\HPDiagnosticCoreUI.exe
    FirewallRules: [{0FD3CBE9-B20A-4AEE-AC03-E49FDFFEF5E2}] => (Allow) C:\Users\Me\AppData\Local\Temp\7zS5E8E\HPDiagnosticCoreUI.exe
    FirewallRules: [{03FE9F1F-A2B5-488C-B531-38BCB29E9E08}] => (Allow) C:\Users\Me\AppData\Local\Temp\7zS5E8E\HPDiagnosticCoreUI.exe
    SearchScopes: HKU\.DEFAULT -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
    SearchScopes: HKU\.DEFAULT -> {6A1806CD-94D4-4689-BA73-E35EA1EA9990} URL =
    SearchScopes: HKU\S-1-5-19 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
    SearchScopes: HKU\S-1-5-20 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
    BHO: Ghostery Plugin -> {6BF739DD-3323-4C6A-975B-C7E00A50B154} -> C:\Program Files (x86)\Ghostery\bin\ghostery64.dll => No File
    EmptyTemp:
    end
  • Double-click FRST64 to run the tool. If the tool warns you the version is outdated, please download and run the updated version.
  • Click the Fix button just once, and wait.
  • If you receive a message that a reboot is required, please make sure you allow it to restart normally.
  • The tool will complete its run after the restart.
  • When finished, the tool will make a log (Fixlog.txt) in the same location from where it was run. Please post the Fixlog.txt log in your reply.

NOTE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system

------------------------------------------------------
chemist is offline  
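As an added example (not code from the thread, from FRST, or from its author), a small Python triage script that reads FRST log lines of the shapes seen above and picks out the kinds of entries chemist put into the fixlist: search scopes with an empty URL, BHOs whose DLL is missing, firewall allow rules for executables under a Temp folder, and lines FRST marked ATTENTION, then wraps them in the same start/createrestorepoint/EmptyTemp/end frame. The sample lines are constructed from this thread; the firefox.exe rule and its all-zero GUID are made-up placeholders.

```python
import re

# Constructed sample input: lines shaped like the FRST.txt / fixlist entries in
# this thread. The firefox.exe firewall rule and its GUID are made-up placeholders
# included only to show a rule that is NOT flagged.
SAMPLE_LOG = "\n".join([
    r"SearchScopes: HKU\.DEFAULT -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =",
    r"SearchScopes: HKU\S-1-5-21-1782139309-2775357304-4162436881-1000 -> {7CC94BCA-8E5E-4FAD-ACE5-798C208642BC} URL = hxxp://www.google.com/search?q={searchTerms}",
    r"BHO: Ghostery Plugin -> {6BF739DD-3323-4C6A-975B-C7E00A50B154} -> C:\Program Files (x86)\Ghostery\bin\ghostery64.dll => No File",
    r"BHO-x32: Ghostery Plugin -> {6BF739DD-3323-4C6A-975B-C7E00A50B154} -> C:\Program Files (x86)\Ghostery\bin\ghostery.dll [2015-10-30] (Ghostery, Inc.)",
    r"FirewallRules: [{931F098C-F39D-4D7D-A074-342D4263DBFD}] => (Allow) C:\Users\Me\AppData\Local\Temp\7zS3198\HPDiagnosticCoreUI.exe",
    r"FirewallRules: [{00000000-0000-0000-0000-000000000000}] => (Allow) C:\Program Files (x86)\Mozilla Firefox\firefox.exe",
    r"HKLM\...\cmdfile\DefaultIcon: %SystemRoot%\System32\shell32.dll,-153 <===== ATTENTION",
])

# Executables allowed through the firewall from a per-user Temp directory are
# usually leftovers of an installer stub (as with the HP diagnostic rules here).
TEMP_PATH_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)


def triage_line(line):
    """Return a short reason if this FRST line deserves review, else None."""
    line = line.rstrip()
    if line.startswith("SearchScopes:") and line.endswith("URL ="):
        return "search scope with no URL (orphaned entry)"
    if line.startswith(("BHO:", "BHO-x32:")) and line.endswith("=> No File"):
        return "BHO registered for a DLL that no longer exists"
    if line.startswith("FirewallRules:") and "(Allow)" in line and TEMP_PATH_RE.search(line):
        return "firewall allow rule for an executable under a Temp folder"
    if line.endswith("<===== ATTENTION"):
        return "entry flagged by FRST itself"
    return None


def triage(log_text):
    """Return (line, reason) pairs for every flagged line, in log order."""
    flagged = []
    for line in log_text.splitlines():
        reason = triage_line(line)
        if reason:
            flagged.append((line.rstrip(), reason))
    return flagged


def build_fixlist(log_text):
    """Wrap the flagged lines in the frame FRST expects in fixlist.txt
    (the same start/createrestorepoint/.../EmptyTemp/end frame used above)."""
    body = [line for line, _ in triage(log_text)]
    return "\n".join(["start", "createrestorepoint:", *body, "EmptyTemp:", "end"]) + "\n"


if __name__ == "__main__":
    for line, reason in triage(SAMPLE_LOG):
        print(f"{reason}:\n    {line}")
    print("\n--- fixlist.txt ---")
    print(build_fixlist(SAMPLE_LOG), end="")
```

To use it on a real report, read a saved FRST.txt into a string and pass it to triage() or build_fixlist(); review the output by hand before saving anything as fixlist.txt.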
Old 06-19-2016, 01:46 PM   #8
TSF Enthusiast
 
Join Date: Jul 2009
Posts: 687
OS: vista home premium, Windows 10



I created a folder on the desktop and dragged FRST64 and the fixlist into it. I clicked it, and when it updated I chose Fix.
I got this message: "No fixlist.txt found. The fixlist.txt should be in the same folder/directory the tool is located."
I have tried it with them both on the desktop, with the same result. ????
win98forever is offline  
Old 06-19-2016, 02:05 PM   #9
Security Team
Moderator, Analyst
Rangemaster, TSF Academy
 

Microsoft Most Valuable Professional
 
Join Date: Oct 2007
Location: Georgia
Posts: 29,790
OS: XP/Win7/Win10



Hello again, win98forever.

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2
  • Double-click SystemLook_x64.exe to run it. (Vista/Win7/Win8/Win10 users, right-click > Run as administrator)
  • Copy/paste the contents of the following codebox into the main textfield:
    Code:
    :filefind
    fixlist.txt
    frst64.exe
  • Click the Look button to start the scan.
  • Please be patient, as it may take a while.
  • When finished, a Notepad file will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt

------------------------------------------------------
chemist is offline  
Old 06-19-2016, 02:24 PM   #10
TSF Enthusiast
 
Join Date: Jul 2009
Posts: 687
OS: vista home premium, Windows 10



OK, I made a mistake. I saw this log:
SystemLook 30.07.11 by jpshortstuff
Log created at 14:13 on 19/06/2016 by Me
Administrator - Elevation successful

========== filefind ==========

Searching for "fixlist.txt"
No files found.

Searching for "frst64.exe"
C:\Users\Me\Desktop\FRST64.exe --a---- 2387456 bytes [22:32 17/06/2016] [20:42 19/06/2016] 12BE66DE0ABE9BFB60046C537349D25C

-= EOF =-
And I realized I had misspelled it as fixlixt.txt once I looked at it. I corrected it, and it has run and restarted. Here is the fix log:

Fix result of Farbar Recovery Scan Tool (x64) Version: 19-06-2016 01
Ran by Me (2016-06-19 14:14:43) Run:1
Running from C:\Users\Me\Desktop
Loaded Profiles: Me (Available Profiles: Me)
Boot Mode: Normal
==============================================

fixlist content:
*****************
start
createrestorepoint:
CustomCLSID: HKU\S-1-5-21-1782139309-2775357304-4162436881-1000_Classes\CLSID\{693566bc-21f8-401e-8d42-e2c5ce50dacc}\localserver32 -> C:\Users\Me\AppData\Local\Temp\{d5641912-e47a-429c-879e-cfe13eac7a13}\IDriver.NonElevated.exe => No (the data entry has 4 more characters).
HKLM\...\cmdfile\DefaultIcon: %SystemRoot%\System32\shell32.dll,-153 <===== ATTENTION
FirewallRules: [{931F098C-F39D-4D7D-A074-342D4263DBFD}] => (Allow) C:\Users\Me\AppData\Local\Temp\7zS3198\HPDiagnosticCoreUI.exe
FirewallRules: [{680013DB-880E-4898-941B-C21675E9A089}] => (Allow) C:\Users\Me\AppData\Local\Temp\7zS3198\HPDiagnosticCoreUI.exe
FirewallRules: [{0FD3CBE9-B20A-4AEE-AC03-E49FDFFEF5E2}] => (Allow) C:\Users\Me\AppData\Local\Temp\7zS5E8E\HPDiagnosticCoreUI.exe
FirewallRules: [{03FE9F1F-A2B5-488C-B531-38BCB29E9E08}] => (Allow) C:\Users\Me\AppData\Local\Temp\7zS5E8E\HPDiagnosticCoreUI.exe
SearchScopes: HKU\.DEFAULT -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\.DEFAULT -> {6A1806CD-94D4-4689-BA73-E35EA1EA9990} URL =
SearchScopes: HKU\S-1-5-19 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-20 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
BHO: Ghostery Plugin -> {6BF739DD-3323-4C6A-975B-C7E00A50B154} -> C:\Program Files (x86)\Ghostery\bin\ghostery64.dll => No File
EmptyTemp:
end
*****************

Restore point was successfully created.
"HKU\S-1-5-21-1782139309-2775357304-4162436881-1000_Classes\CLSID\{693566bc-21f8-401e-8d42-e2c5ce50dacc}" => key removed successfully
HKLM\Software\Classes\cmdfile\DefaultIcon\\Default => value restored successfully
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{931F098C-F39D-4D7D-A074-342D4263DBFD} => value removed successfully
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{680013DB-880E-4898-941B-C21675E9A089} => value removed successfully
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{0FD3CBE9-B20A-4AEE-AC03-E49FDFFEF5E2} => value removed successfully
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{03FE9F1F-A2B5-488C-B531-38BCB29E9E08} => value removed successfully
HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => value removed successfully
"HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}" => key removed successfully
HKCR\CLSID\{6A1806CD-94D4-4689-BA73-E35EA1EA9990} => key not found.
HKU\S-1-5-19\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => value removed successfully
HKU\S-1-5-20\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => value removed successfully
"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6BF739DD-3323-4C6A-975B-C7E00A50B154}" => key removed successfully
"HKCR\CLSID\{6BF739DD-3323-4C6A-975B-C7E00A50B154}" => key removed successfully

=========== EmptyTemp: ==========

BITS transfer queue => 8388608 B
DOMStore, IE Recovery, AppCache, Feeds Cache, Thumbcache, IconCache => 31680123 B
Java, Flash, Steam htmlcache => 506 B
Windows/system/drivers => 8014031 B
Edge => 0 B
Chrome => 0 B
Firefox => 14222493 B
Opera => 0 B

Temp, IE cache, history, cookies, recent:
Default => 33058 B
Public => 0 B
ProgramData => 0 B
systemprofile => 66228 B
systemprofile32 => 82994 B
LocalService => 66228 B
LocalService => 0 B
NetworkService => 1402770 B
NetworkService => 0 B
Me => 554412512 B

RecycleBin => 0 B
EmptyTemp: => 589.7 MB temporary data Removed.

================================


The system needed a reboot.

==== End of Fixlog 14:15:10 ====
win98forever is offline  
Old 06-19-2016, 02:58 PM   #11
Security Team
Moderator, Analyst
Rangemaster, TSF Academy
 

Microsoft Most Valuable Professional
 
Join Date: Oct 2007
Location: Georgia
Posts: 29,790
OS: XP/Win7/Win10



Any remaining problems? Let me know and I will give you some final instructions.
chemist is offline  
Old 06-19-2016, 03:04 PM   #12
TSF Enthusiast
 
Join Date: Jul 2009
Posts: 687
OS: vista home premium, Windows 10



Everything seems alright, except FF is still slow as heck. I assume it's the addons.
win98forever is offline  
Old 06-19-2016, 08:53 PM   #13
Security Team
Moderator, Analyst
Rangemaster, TSF Academy
 

Microsoft Most Valuable Professional
 
Join Date: Oct 2007
Location: Georgia
Posts: 29,790
OS: XP/Win7/Win10



Press the Windows "logo" key and "R" key then copy/paste the following into the Run box but don't click OK yet:

firefox -safe-mode

Close Firefox, or it won't work. Then click 'OK'.

Check 'Disable all add-ons' then click 'Make Changes and Restart'.

This disables all Add-ons(Extensions, Themes, and Plugins). See if the problem persists. If not, one of your Add-ons is at fault.

Go Tools > Add-ons(Extensions, Themes, and Plugins) and re-enable each Add-on one at a time until you find the offending Add-on.

Let me know what you found.

------------------------------------------------------
__________________
Our services are free, but you may contribute to the author of ComboFix via PayPal

Proud member of UNITE

Microsoft MVP - Consumer Security 2014, 2015
chemist is offline  
Old 06-20-2016, 07:44 AM   #14
win98forever (TSF Enthusiast)

I don't see where I could check "disable all addons"; FF safe mode is with all addons disabled. I also do not see where "make changes" is. I could turn off all addons, then restart and try turning on one at a time, restarting each time.
I know it worked fine with NoScript, Adblock Plus, the Adblock popup addon, flax fox, Better Privacy and Ghostery; the problems with it taking 30+ seconds to open and be ready to use, and fairly often not shutting down fully after I close a window, are since I added Facebook Disconnect. I'll turn one off at a time starting with FBD.
Old 06-20-2016, 08:13 AM   #15
win98forever (TSF Enthusiast)

I shut them off one at a time and Facebook Disconnect seems to be the biggest slowdown. It didn't improve much after that, in that it took 10-12 seconds for the tabs to be responsive when started, until they were all off; then it was 3-4 seconds to being responsive after the start click. Thing is, it was that fast with all the addons sans FBD until about a month ago.
Something else I noticed is that it takes a while to shut down. Watching Task Manager processes, it takes 10-17 seconds to shut down after the window closes with all addons, and with FBD disabled it's about 10-13 seconds to shut down. ???? That's sort of alarming and makes me wonder if the addons meant to protect my privacy aren't actually data mining themselves.
Old 06-21-2016, 11:58 AM   #16
chemist (Security Team, Moderator, Analyst)

Hello again, win98forever. It appears any remaining problems are beyond malware.

I suggest you seek expert advice in our Mozilla/Firefox Browsers Forum.

Let them know you were here first and were cleared of malware.

------------------------------------------------------

You can first try reinstalling FF. Use the instructions here under 'Clean reinstall':

Standard diagnostic - Firefox - MozillaZine Knowledge Base

Let me know and I will give you some final instructions.

------------------------------------------------------
Old 06-21-2016, 01:05 PM   #17
win98forever (TSF Enthusiast)

I am not sure if we are finished, but I have an update.
I read some of the linked info. I opened the FF profile page. I searched each folder and I found something that had been saved to FF by Facebook early in 2015. I deleted it without thinking much about it. I decided to deal with this later as I didn't feel like reading a lot right now. I was surfing several pages and I noticed that things were moving quite a bit faster, almost normal. When it hit me and I came here to post, I then realized I should have saved the name of that file. Sorry about that. Anyway, things seem quite a bit faster so far. Now I really wish I knew what that file was so I could figure out how FB got it onto my machine.
Old 06-21-2016, 02:57 PM   #18
win98forever (TSF Enthusiast)

DUH! Palm to forehead.
The file is in the trash bin. I put the spaces between the dot and the rest of it:
https+++www . facebook

I have logged into FB since and it is back, this time in the Storage/Temporary folder.
Old 06-21-2016, 03:28 PM   #19
chemist (Security Team, Moderator, Analyst)

I have the same file, and no problems with FF. And, I hardly ever use FB.
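The "https+++www . facebook" entry the poster found (spaces inserted by the poster; the real name is the full origin, for example https+++www.facebook.com) is how Firefox names a site's storage directory under the profile's storage/default, storage/temporary or storage/permanent folder: the origin with every ':' and '/' replaced by '+'. Its presence only means that site stored data (localStorage, IndexedDB, Cache API) when it was visited, which is why the moderator has the same directory; it is not something the site placed on the machine. As an added example that is not part of this thread, here is a Python helper that maps such directory names back to origins and vice versa and lists which hosts have stored data. The sample listing is constructed, and the handling of the origin-attribute suffix after '^' (userContextId, partitionKey) reflects my understanding of Firefox's naming, not anything shown on this page.

```python
import re
from urllib.parse import urlsplit, quote, unquote

# Constructed listing of <profile>/storage/default/ directory names (not from the poster's machine).
SAMPLE_LISTING = [
    "https+++www.facebook.com",
    "https+++www.facebook.com^userContextId=2",        # same site inside a container tab (assumed suffix form)
    "http+++localhost+8080",                           # ':' before the port also becomes '+'
    "https+++example.org^partitionKey=%28https%2Cfacebook.com%29",  # third-party partition (assumed form)
    "moz-extension+++1b2c3d4e-0000-4000-8000-abcdefabcdef",         # an extension's own storage
]

# scheme+++host[+port][^attr=value&attr=value]
DIR_RE = re.compile(
    r'^(?P<scheme>[a-z][a-z0-9.-]*)\+\+\+(?P<host>[^+^]+)(?:\+(?P<port>\d+))?(?:\^(?P<attrs>.*))?$')


def dir_to_origin(name):
    """Storage directory name -> (origin string, dict of origin attributes)."""
    m = DIR_RE.match(name)
    if not m:
        raise ValueError(f"not a Firefox storage directory name: {name!r}")
    origin = f"{m['scheme']}://{m['host']}"
    if m['port']:
        origin += f":{m['port']}"
    attrs = {}
    if m['attrs']:
        for pair in m['attrs'].split('&'):
            key, _, value = pair.partition('=')
            attrs[key] = unquote(value)
    return origin, attrs


def origin_to_dir(origin, attrs=None):
    """Inverse mapping: sanitize the origin the way the directory names show (':' and '/' -> '+')."""
    parts = urlsplit(origin)
    if not parts.scheme or not parts.netloc:
        raise ValueError(f"origin must be scheme://host[:port], got {origin!r}")
    name = f"{parts.scheme}://{parts.netloc}".replace(':', '+').replace('/', '+')
    if attrs:
        name += '^' + '&'.join(f"{k}={quote(v, safe='')}" for k, v in sorted(attrs.items()))
    return name


def hosts_with_storage(listing):
    """Sorted, de-duplicated web hosts that have a storage directory (http/https origins only)."""
    hosts = set()
    for name in listing:
        try:
            origin, _ = dir_to_origin(name)
        except ValueError:
            continue
        parts = urlsplit(origin)
        if parts.scheme in ('http', 'https'):
            hosts.add(parts.hostname)
    return sorted(hosts)


if __name__ == '__main__':
    for name in SAMPLE_LISTING:
        print(name, '->', dir_to_origin(name))
    print('hosts with stored data:', hosts_with_storage(SAMPLE_LISTING))
```

Deleting such a directory only discards that site's stored data; the site recreates it on the next visit, as the poster saw after logging in again. The sensible check when one of these looks suspicious is the origin it decodes to, not the directory's existence.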
Old 06-21-2016, 04:28 PM   #20
win98forever (TSF Enthusiast)

Thanks.
Can't get Thread Tools to mark this solved.
 
