Help removing bloatware/adware

This is a discussion on Help removing bloatware/adware within the Resolved HJT Threads forums, part of the Tech Support Forum category.
Old 08-22-2016, 04:18 PM   #1
Registered Member
 
Join Date: Jul 2010
Posts: 184
OS: Windows 7



Hi,

Having a few issues with bloatware after restoring my Windows 7 back to the state it was in when it was first bought.

The first thing I noticed was a startup item named offers.exe. I don't remember having this item before restoring my OS and would ideally like to get rid of it if it is bloatware. Only about a week or so ago I received a pop-up in the corner advertising something; I don't quite remember what, I think it was possibly Norton AV, and I'm assuming offers.exe was behind the pop-up.

I've also noticed a fair few shortcuts in various places that seem to be bloatware too; please see attachments. I deleted various shortcuts on the desktop that were there straight after the recovery and also deleted some others in another folder, but as you can see from the attachment there are more hidden away and I'd like to get rid of them all in a more comprehensive manner if that's possible. There seems to be a fair bit of bloatware in a folder named 'Dockbar' too, but I'm not sure it's all bloatware in that folder, so I'm unsure of what to delete and what to leave. Dockbar is a startup item too, but I've disabled it.

Also, I installed WinZip, which in turn installed 'Bing Powered Search' and changed my homepage to Bing. I've since uninstalled WinZip and changed my homepage back to what it was, but 'Bing Powered Search' is still one of the search options in the search bar in Mozilla, and I'm pretty sure it was not before. I've checked in Add/Remove Programs and no traces of Bing are there.

I've run Malwarebytes, MSE and Adaware, none of which have detected the bloatware or Bing.

All help would be much appreciated.

Thank you.


------------------------------


DDS (Ver_2012-11-20.01) - NTFS_AMD64
Internet Explorer: 11.0.9600.18427 BrowserJavaVersion: 11.101.2
Run by Steve at 0:08:27 on 2016-08-23
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.44.1033.18.8174.5593 [GMT 1:00]
.
AV: Microsoft Security Essentials *Enabled/Updated* {768124D7-F5F7-6D2F-DDC2-94DFA4017C95}
SP: Microsoft Security Essentials *Enabled/Updated* {CDE0C533-D3CD-62A1-E772-AFADDF863628}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
FW: ZoneAlarm Free Firewall Firewall *Enabled* {1B8D532F-88B1-B2AD-ED22-AED92687A1D2}
.
============== Running Processes ===============
.
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
c:\Program Files\Microsoft Security Client\MsMpEng.exe
C:\Windows\system32\atiesrxx.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\atieclxx.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files (x86)\CheckPoint\ZoneAlarm\vsmon.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\taskhost.exe
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
C:\Windows\System32\svchost.exe -k utcsvc
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe
C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe
C:\Windows\System32\StikyNot.exe
C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe
C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files (x86)\Led Indicator Keyboard Driver\KeyboardIndicator.exe
C:\Program Files (x86)\CheckPoint\ZoneAlarm\zatray.exe
C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
C:\Program Files (x86)\AMD\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files (x86)\CheckPoint\ZoneAlarm\ZaPrivacyService.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe
C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE
C:\Program Files (x86)\AMD\ATI.ACE\Core-Static\CCC.exe
C:\Windows\system32\SearchIndexer.exe
c:\Program Files\Microsoft Security Client\NisSrv.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\System32\WUDFHost.exe
C:\Windows\System32\svchost.exe -k LocalServicePeerNet
C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe
C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe
C:\Windows\SysWOW64\NOTEPAD.EXE
C:\Windows\SysWOW64\NOTEPAD.EXE
C:\Program Files (x86)\Mozilla Firefox\firefox.exe
C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\System32\cscript.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.bing.com/search?FORM=INCOH1&PC=IC05&PTAG=ICO-2b0cdb98
mStart Page = hxxp://www.bing.com/search?FORM=INCOH1&PC=IC05&PTAG=ICO-2b0cdb98
mWinlogon: Userinit = userinit.exe
BHO: Java(tm) Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre1.8.0_101\bin\ssv.dll
BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO: Windows Live Messenger Companion Helper: {9FDDE16B-836F-4806-AB1F-1455CBEFF289} - C:\Program Files (x86)\Windows Live\Companion\companioncore.dll
BHO: Google Toolbar Helper: {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre1.8.0_101\bin\jp2ssv.dll
TB: Google Toolbar: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
TB: Google Toolbar: {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
uRun: [Reminder] C:\Program Files (x86)\TTG\Reminder\Reminder.exe
uRun: [Offers] C:\Program Files (x86)\TTG\Offers\Offers.exe
uRun: [RESTART_STICKY_NOTES] C:\Windows\System32\StikyNot.exe
uRun: [Recovery Backup Wizard] C:\Program Files (x86)\TTG\Reminder\Reminder.exe
mRun: [LedIndicatorKeyboardDriver] "C:\Program Files (x86)\Led Indicator Keyboard Driver\KeyboardIndicator.exe" showhide
mRun: [ZoneAlarm] "C:\Program Files (x86)\CheckPoint\ZoneAlarm\zatray.exe"
mRun: [StartCCC] "C:\Program Files (x86)\AMD\ATI.ACE\Core-Static\amd64\CLIStart.exe" MSRun
mRun: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
mPolicies-Explorer: NoActiveDesktop = dword:1
mPolicies-Explorer: NoActiveDesktopChanges = dword:1
mPolicies-System: ConsentPromptBehaviorAdmin = dword:5
mPolicies-System: ConsentPromptBehaviorUser = dword:3
mPolicies-System: EnableUIADesktopToggle = dword:0
IE: Add to Google Photos Screensa&ver - C:\Windows\System32\GPhotos.scr/200
IE: {0000036B-C524-4050-81A0-243669A86B9F} - {B63DBA5F-523F-4B9C-A43D-65DF1977EAD3} - C:\Program Files (x86)\Windows Live\Companion\companioncore.dll
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
TCP: NameServer = 192.168.1.254
TCP: Interfaces\{04B4B090-9975-4758-BF22-6D97A4372D34} : DHCPNameServer = 192.168.1.254
Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files (x86)\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll
SSODL: WebCheck - <orphaned>
mASetup: {8A69D345-D564-463c-AFF1-A69D9E530F96} - "C:\Program Files (x86)\Google\Chrome\Application\52.0.2743.116\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --multi-install --chrome
x64-mStart Page = hxxp://www.bing.com/search?FORM=INCOH1&PC=IC05&PTAG=ICO-2b0cdb98
x64-BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
x64-BHO: Google Toolbar Helper: {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll
x64-TB: Google Toolbar: {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll
x64-Run: [RTHDVCPL] C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe -s
x64-Run: [MSC] "c:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey
x64-Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - <orphaned>
x64-SSODL: WebCheck - <orphaned>
.
================= FIREFOX ===================
.
FF - ProfilePath - C:\Users\Steve\AppData\Roaming\Mozilla\Firefox\Profiles\pns92rxq.new\
FF - prefs.js: browser.search.selectedEngine - Bing Powered Search
FF - prefs.js: browser.startup.homepage - hxxps://www.google.co.uk/
FF - prefs.js: keyword.URL - true
FF - plugin: C:\PROGRA~2\MICROS~2\Office14\NPSPWRAP.DLL
FF - plugin: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AIR\nppdf32.dll
FF - plugin: C:\Program Files (x86)\Google\Picasa3\npPicasa3.dll
FF - plugin: C:\Program Files (x86)\Google\Update\1.3.31.5\npGoogleUpdate3.dll
FF - plugin: C:\Program Files (x86)\Java\jre1.8.0_101\bin\plugin2\npjp2.dll
FF - plugin: c:\Program Files (x86)\Microsoft Silverlight\5.1.50428.0\npctrlui.dll
FF - plugin: C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll
.
============= SERVICES / DRIVERS ===============
.
R0 MpFilter;Microsoft Malware Protection Driver;C:\Windows\System32\drivers\MpFilter.sys [2015-11-13 289120]
R2 AMD External Events Utility;AMD External Events Utility;C:\Windows\System32\atiesrxx.exe [2015-8-4 246784]
R2 cvhsvc;Client Virtualization Handler;C:\Program Files (x86)\Common Files\microsoft shared\Virtualization Handler\CVHSVC.EXE [2015-3-18 822496]
R2 DiagTrack;Diagnostics Tracking Service;C:\Windows\System32\svchost.exe -k utcsvc [2009-7-14 27136]
R2 MBAMScheduler;MBAMScheduler;C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe [2016-8-4 1514464]
R2 MBAMService;MBAMService;C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe [2016-8-4 1136608]
R2 sftlist;Application Virtualization Client;C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe [2014-10-8 534184]
R2 UNS;Intel(R) Management and Security Application User Notification Service;C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe [2011-8-31 2656536]
R2 ZAPrivacyService;ZoneAlarm Privacy Service;C:\Program Files (x86)\CheckPoint\ZoneAlarm\ZAPrivacyService.exe [2016-6-30 114424]
R3 AtiHDAudioService;AMD Function Driver for HD Audio Service;C:\Windows\System32\drivers\AtihdW76.sys [2016-3-1 104976]
R3 L1C;NDIS Miniport Driver for Atheros AR813x/AR815x PCI-E Ethernet Controller;C:\Windows\System32\drivers\L1C62x64.sys [2011-8-31 169584]
R3 MBAMProtector;MBAMProtector;C:\Windows\System32\drivers\mbam.sys [2016-8-4 27008]
R3 MBAMSwissArmy;MBAMSwissArmy;C:\Windows\System32\drivers\MBAMSwissArmy.sys [2016-8-4 192216]
R3 MBAMWebAccessControl;MBAMWebAccessControl;C:\Windows\System32\drivers\mwac.sys [2016-8-4 64896]
R3 NisDrv;Microsoft Network Inspection System;C:\Windows\System32\drivers\NisDrvWFP.sys [2015-11-13 133816]
R3 NisSrv;Microsoft Network Inspection;C:\Program Files\Microsoft Security Client\NisSrv.exe [2016-1-29 374344]
R3 Sftfs;Sftfs;C:\Windows\System32\drivers\Sftfslh.sys [2014-10-8 766632]
R3 Sftplay;Sftplay;C:\Windows\System32\drivers\Sftplaylh.sys [2014-10-8 273576]
R3 Sftredir;Sftredir;C:\Windows\System32\drivers\Sftredirlh.sys [2014-10-8 29352]
R3 Sftvol;Sftvol;C:\Windows\System32\drivers\Sftvollh.sys [2014-10-8 23208]
R3 sftvsa;Application Virtualization Service Agent;C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe [2014-10-8 211104]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2015-11-5 105144]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2015-11-5 125112]
S3 fssfltr;fssfltr;C:\Windows\System32\drivers\fssfltr.sys [2011-8-31 48488]
S3 fsssvc;Windows Live Family Safety Service;C:\Program Files (x86)\Windows Live\Family Safety\fsssvc.exe [2010-9-23 1493352]
S3 IEEtwCollectorService;Internet Explorer ETW Collector Service;C:\Windows\System32\ieetwcollector.exe [2016-8-9 114688]
S3 pmxdrv;pmxdrv;C:\Windows\System32\drivers\pmxdrv.sys [2016-8-20 38536]
S3 semav6msr64;semav6msr64;C:\Windows\System32\drivers\semav6msr64.sys [2016-8-4 21984]
S3 TsUsbFlt;TsUsbFlt;C:\Windows\System32\drivers\TsUsbFlt.sys [2010-11-21 59392]
S3 TsUsbGD;Remote Desktop Generic USB Device;C:\Windows\System32\drivers\TsUsbGD.sys [2010-11-21 31232]
S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\System32\Wat\WatAdminSvc.exe [2016-8-4 1255736]
S4 wlcrasvc;Windows Live Mesh remote connections service;C:\Program Files\Windows Live\Mesh\wlcrasvc.exe [2010-9-22 57184]
.
=============== Created Last 30 ================
.
==================== Find3M ====================
.
============= FINISH: 0:08:37.06 ===============
Attached Thumbnails: Shortcuts 1.jpg
Attached Files: attach.txt (8.7 KB)

Old 08-22-2016, 08:08 PM   #2
chemist
Security Team
Moderator, Analyst
Rangemaster, TSF Academy
Microsoft Most Valuable Professional
Join Date: Oct 2007
Location: Georgia
Posts: 29,790
OS: XP/Win7/Win10

Hello and Welcome to TSF.

If you haven't already, please Subscribe to this Thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant notification by email, then click Add Subscription.

Please note that the forum is very busy and if I don't hear from you within three days this thread will be closed.

------------------------------------------------------

**Note - Please do NOT upgrade your OS to Windows 10 until your machine is clean, and we have uninstalled all our removal tools. Thanks.

------------------------------------------------------

Please download AdwCleaner from here and save it to your desktop.
  • Run AdwCleaner and select Scan
  • Once the Scan is done, select Clean
  • Once done it will ask to reboot, please allow the reboot.
  • On reboot, a log will be produced. It can also be found at C:\AdwCleaner\AdwCleaner[C#].txt
  • Please copy/paste the contents of the log in your next reply.
------------------------------------------------------

Please download Farbar Recovery Scan Tool and save it to your desktop.
  • Double-click FRST64 to run it. When the tool opens click Yes to the disclaimer.
  • Make sure the Addition.txt button is ticked.
  • Press Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
  • The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply.
------------------------------------------------------
__________________
Our services are free, but you may contribute to the author of ComboFix via PayPal

Proud member of UNITE

Microsoft MVP - Consumer Security 2014, 2015
Old 08-23-2016, 04:26 AM   #3
jamestt, Registered Member

Hi Chemist, thank you for the reply.

Regarding AdwCleaner, I have run that previously and I have cleaned what it found; the files are currently in quarantine, please see attachment. I have hesitated in cleaning out the quarantine as it picked up registry keys and I'm currently having an issue with 'notification area icons' and I'm unsure if that is related to the keys AdwCleaner detected. The issue I have is that programs that I have uninstalled still remain on the list, see attachment; this also happened with Norton that came preinstalled. I used the Norton removal tool but the icon was still there, although now the icon has disappeared. I have attached an image of some icons that I have since uninstalled but they still remain on the icon list for some reason. Is this issue related to the registry keys AdwCleaner picked up? I doubt it but thought I'd make sure before deleting them from quarantine. Should I go ahead and remove them?

I have also done a new scan with AdwCleaner and it has found no infections.

Thanks again.
Attached Thumbnails: Notification Area Icons.jpg
Attached Files: Addition.txt (23.8 KB), AdwCleaner[C0].txt (1.6 KB), FRST.txt (143.6 KB)

Old 08-23-2016, 01:36 PM   #4
chemist, Security Team

Hello jamestt. You're welcome. Yes, you can empty AdwCleaner's quarantine. They are not related to those icons that remain.

Click the magnifying glass in the upper-right Google search bar > Change Search Settings > highlight Bing > Remove

------------------------------------------------------

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2
  • Double-click SystemLook_x64.exe to run it. (Vista/Win7/Win8/Win10 users, right-click > Run as administrator)
  • Copy/paste the contents of the following codebox into the main textfield:
    Code:
    :regfind
    hitmanpro
    liveupdate
  • Click the Look button to start the scan.
  • Please be patient, as it may take a while.
  • When finished, a Notepad file will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt

------------------------------------------------------

Old 08-23-2016, 02:01 PM   #5
jamestt, Registered Member

Hi, SystemLook scan done, log attached.
Attached Files: SystemLook.txt (3.5 KB)

Old 08-24-2016, 04:35 AM   #6
chemist, Security Team

Hello again, jamestt.

------------------------------------------------------

Please note that these fixes are not instantaneous. Most infections require more than one round to properly eradicate.

Please stay with me until given the 'all clear' even if symptoms seemingly abate.

Kindly follow my instructions and please do no fixing on your own or running of scanners unless requested by a helper.

------------------------------------------------------

If there are any personal files, pics, etc. on your computer you cannot live without, back them up now just as a precaution.

https://windows.microsoft.com/en-us/w...#1TC=windows-7

Also, if you haven't done so already, create a system repair disc. It's really easy and quick.

How To Create a Windows 7 System Repair Disc [Easy]

------------------------------------------------------
  • Open Notepad (Start > All Programs > Accessories > Notepad).
  • Please copy all the text in the codebox below. (To do this highlight the contents of the box, right-click on it and select Copy. Right-click in the open Notepad and select Paste).
  • Save it as fixlist.txt next to FRST64.exe
  • If asked to change 'Encoding:' to 'Unicode:', please agree and save it.

    NOTE: Both FRST64.exe and the fixlist.txt must be in the same location or the fix will not work.


    Code:
    start
    createrestorepoint:
    Task: {EDC6F06C-EBC6-46F1-A134-B00D0C98996B} - System32\Tasks\{E5C23C54-CDE7-4415-BCE5-3574513F7345} => pcalua.exe -a C:\Applications\Tools\DockBar\uninstallapp.exe -d C:\Applications\Tools\DockBar
    C:\Applications\Tools\DockBar
    ShortcutWithArgument: C:\Users\Steve\AppData\Roaming\Microsoft\Windows\Start Menu\DockBar\Shortcuts\Support\GET THE KNOWHOW™.lnk -> C:\Applications\Tools\LinkLauncher\LinkLauncher.exe (Microsoft) -> "hxxp://comms.dsgioemcomputing.com/?model=Q411ADVDBKHW"
    ShortcutWithArgument: C:\Users\Steve\AppData\Roaming\Microsoft\Windows\Start Menu\DockBar\Shortcuts\Support\LiveDrive.lnk -> C:\Applications\Tools\LinkLauncher\LinkLauncher.exe (Microsoft) -> "hxxp://comms.dsgioemcomputing.com/?model=Q411ADVDBLIVEDRIVE"
    ShortcutWithArgument: C:\Users\Steve\AppData\Roaming\Microsoft\Windows\Start Menu\DockBar\Shortcuts\Shopping\Currys.lnk -> C:\Applications\Tools\LinkLauncher\LinkLauncher.exe (Microsoft) -> "hxxp://comms.dsgioemcomputing.com/?model=Q411ADVDBCRY"
    ShortcutWithArgument: C:\Users\Steve\AppData\Roaming\Microsoft\Windows\Start Menu\DockBar\Shortcuts\Shopping\Dixons.co.uk.lnk -> C:\Applications\Tools\LinkLauncher\LinkLauncher.exe (Microsoft) -> "hxxp://comms.dsgioemcomputing.com/?model=Q411ADVDBDIX"
    ShortcutWithArgument: C:\Users\Steve\AppData\Roaming\Microsoft\Windows\Start Menu\DockBar\Shortcuts\Shopping\PC World.lnk -> C:\Applications\Tools\LinkLauncher\LinkLauncher.exe (Microsoft) -> "hxxp://comms.dsgioemcomputing.com/?model=Q411ADVDBPCW"
    ShortcutWithArgument: C:\Users\Steve\AppData\Roaming\Microsoft\Windows\Start Menu\DockBar\Shortcuts\Shopping\Pixmania.lnk -> C:\Applications\Tools\LinkLauncher\LinkLauncher.exe (Microsoft) -> "hxxp://comms.dsgioemcomputing.com/?model=Q411ADVDBPIX"
    ShortcutWithArgument: C:\Users\Steve\AppData\Roaming\Microsoft\Windows\Start Menu\DockBar\Shortcuts\Internet\Power up your PC with the UK’s fastest broadband.lnk -> C:\Applications\Tools\LinkLauncher\LinkLauncher.exe (Microsoft) -> "hxxp://comms.dsgioemcomputing.com/?model=Q411ADVDBVIRGIN"
    ShortcutWithArgument: C:\Users\Steve\AppData\Roaming\Microsoft\Windows\Start Menu\DockBar\Shortcuts\Entertainment\eMusic.lnk -> C:\Applications\Tools\LinkLauncher\LinkLauncher.exe (Microsoft) -> "hxxp://comms.dsgioemcomputing.com/?model=Q411ADVDBEMU"
    ShortcutWithArgument: C:\Users\Steve\AppData\Roaming\Microsoft\Windows\Start Menu\DockBar\Shortcuts\Entertainment\The Times & Sunday Times digital subscription.lnk -> C:\Applications\Tools\LinkLauncher\LinkLauncher.exe (Microsoft) -> "hxxp://comms.dsgioemcomputing.com/?model=Q411ADVDBTIMESONLINE"
    ShortcutWithArgument: C:\Users\Steve\AppData\Roaming\Microsoft\Windows\Start Menu\DockBar\Shortcuts\Entertainment\WE KNOWHOW™ TO BRING YOU GREAT MOVIES AND TV!.lnk -> C:\Applications\Tools\LinkLauncher\LinkLauncher.exe (Microsoft) -> "hxxp://comms.dsgioemcomputing.com/?model=Q411ADVDBKHM"
    ShortcutWithArgument: C:\Users\Steve\AppData\Roaming\Microsoft\Windows\Start Menu\DockBar\Shortcuts\Entertainment\WHSmith eBooks.lnk -> C:\Applications\Tools\LinkLauncher\LinkLauncher.exe (Microsoft) -> "hxxp://comms.dsgioemcomputing.com/?model=Q411ADVDBWHS"
    ShortcutWithArgument: C:\Users\Steve\AppData\Roaming\Microsoft\Windows\Start Menu\DockBar\Shortcuts\Entertainment\YouTube.lnk -> C:\Applications\Tools\LinkLauncher\LinkLauncher.exe (Microsoft) -> "hxxp://comms.dsgioemcomputing.com/?model=Q411ADVDBYT"
    C:\Users\Steve\AppData\Roaming\Microsoft\Windows\Start Menu\DockBar
    HKU\S-1-5-21-3300330202-2625169188-2110648829-1000\...\Run: [Reminder] => C:\Program Files (x86)\TTG\Reminder\Reminder.exe [1638496 2010-11-25] (DSG Retail Ltd)
    HKU\S-1-5-21-3300330202-2625169188-2110648829-1000\...\Run: [Offers] => C:\Program Files (x86)\TTG\Offers\Offers.exe [1210880 2011-08-10] (DSG Retail Ltd)
    HKU\S-1-5-21-3300330202-2625169188-2110648829-1000\...\Run: [Recovery Backup Wizard] => C:\Program Files (x86)\TTG\Reminder\Reminder.exe [1638496 2010-11-25] (DSG Retail Ltd)
    HKU\S-1-5-21-3300330202-2625169188-2110648829-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\...\Run: [Reminder] => C:\Program Files (x86)\TTG\Reminder\Reminder.exe [1638496 2010-11-25] (DSG Retail Ltd)
    HKU\S-1-5-21-3300330202-2625169188-2110648829-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\...\Run: [Offers] => C:\Program Files (x86)\TTG\Offers\Offers.exe [1210880 2011-08-10] (DSG Retail Ltd)
    HKU\S-1-5-21-3300330202-2625169188-2110648829-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\...\Run: [Recovery Backup Wizard] => C:\Program Files (x86)\TTG\Reminder\Reminder.exe [1638496 2010-11-25] (DSG Retail Ltd)
    C:\Program Files (x86)\TTG
    HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.bing.com/search?FORM=INCOH1&PC=IC05&PTAG=ICO-2b0cdb98
    HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.bing.com/search?FORM=INCOH1&PC=IC05&PTAG=ICO-2b0cdb98
    HKU\S-1-5-21-3300330202-2625169188-2110648829-1000\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.bing.com/search?FORM=INCOH1&PC=IC05&PTAG=ICO-2b0cdb98
    HKU\S-1-5-21-3300330202-2625169188-2110648829-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.bing.com/search?FORM=INCOH1&PC=IC05&PTAG=ICO-2b0cdb98
    SearchScopes: HKLM -> DefaultScope {6A1806CD-94D4-4689-BA73-E35EA1EA9990} URL = hxxp://www.bing.com/search?FORM=INCOH2&PC=IC05&PTAG=ICO-2b0cdb98&q={searchTerms}
    SearchScopes: HKLM -> {6A1806CD-94D4-4689-BA73-E35EA1EA9990} URL = hxxp://www.bing.com/search?FORM=INCOH2&PC=IC05&PTAG=ICO-2b0cdb98&q={searchTerms}
    SearchScopes: HKLM-x32 -> DefaultScope {6A1806CD-94D4-4689-BA73-E35EA1EA9990} URL = hxxp://www.bing.com/search?FORM=INCOH2&PC=IC05&PTAG=ICO-2b0cdb98&q={searchTerms}
    SearchScopes: HKLM-x32 -> {6A1806CD-94D4-4689-BA73-E35EA1EA9990} URL = hxxp://www.bing.com/search?FORM=INCOH2&PC=IC05&PTAG=ICO-2b0cdb98&q={searchTerms}
    SearchScopes: HKU\S-1-5-21-3300330202-2625169188-2110648829-1000 -> DefaultScope {6A1806CD-94D4-4689-BA73-E35EA1EA9990} URL = hxxp://www.bing.com/search?FORM=INCOH2&PC=IC05&PTAG=ICO-2b0cdb98&q={searchTerms}
    SearchScopes: HKU\S-1-5-21-3300330202-2625169188-2110648829-1000 -> {6A1806CD-94D4-4689-BA73-E35EA1EA9990} URL = hxxp://www.bing.com/search?FORM=INCOH2&PC=IC05&PTAG=ICO-2b0cdb98&q={searchTerms}
    SearchScopes: HKU\S-1-5-21-3300330202-2625169188-2110648829-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0 -> DefaultScope {6A1806CD-94D4-4689-BA73-E35EA1EA9990} URL = hxxp://www.bing.com/search?FORM=INCOH2&PC=IC05&PTAG=ICO-2b0cdb98&q={searchTerms}
    SearchScopes: HKU\S-1-5-21-3300330202-2625169188-2110648829-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0 -> {6A1806CD-94D4-4689-BA73-E35EA1EA9990} URL = hxxp://www.bing.com/search?FORM=INCOH2&PC=IC05&PTAG=ICO-2b0cdb98&q={searchTerms}
    FF DefaultSearchEngine: Bing Powered Search
    FF SelectedSearchEngine: Bing Powered Search
    FF Plugin: @microsoft.com/GENUINE -> disabled [No File]
    FF Plugin-x32: @java.com/DTPlugin,version=11.101.2 -> C:\Program Files (x86)\Java\jre1.8.0_101\bin\dtplugin\npDeployJava1.dll [No File]
    FF Plugin-x32: @microsoft.com/GENUINE -> disabled [No File]
    FF Plugin-x32: @videolan.org/vlc,version=2.2.4 -> C:\Program Files (x86)\VideoLAN\VLC\npvlc.dll [No File]
    FF SearchPlugin: C:\Users\Steve\AppData\Roaming\Mozilla\Firefox\Profiles\pns92rxq.new\searchplugins\bing powered search.xml [2016-08-17]
    S3 FoxAwdWINFLASH64; \??\C:\Program Files (x86)\Foxconn\FOX LiveUpdate\FoxAwdWINFLASH64.SYS [X]
    S3 FXDrv32; \??\C:\Program Files (x86)\Foxconn\FOX LiveUpdate\FXDrv64.sys [X]
    C:\Program Files (x86)\Foxconn
    C:\ProgramData\HitmanPro
    C:\ProgramData\KNOWHOW
    C:\Program Files (x86)\KNOWHOW
    [-HKEY_LOCAL_MACHINE\SOFTWARE\HitmanPro]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Foxconn\FOX LiveUpdate]
    [-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\FoxAwdWINFLASH64]
    [-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\FXDrv32]
    [-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\services\FoxAwdWINFLASH64]
    [-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\services\FXDrv32]
    [-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\FoxAwdWINFLASH64]
    [-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\FXDrv32]
    Reg: reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\DockBar" /f
    EmptyTemp:
    end
  • Double-click FRST64 to run the tool. If the tool warns you the version is outdated, please download and run the updated version.
  • Click the Fix button just once, and wait.
  • If you receive a message that a reboot is required, please make sure you allow it to restart normally.
  • The tool will complete its run after the restart.
  • When finished, the tool will make a log (Fixlog.txt) in the same location from where it was run. Please post the Fixlog.txt log in your reply.

NOTE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.

------------------------------------------------------

Old 08-24-2016, 06:23 AM   #7
jamestt, Registered Member

All adware etc. seems to have been removed, Offers and DockBar from startup too, thanks.

Just to note, after the fix I decided to do a system restore as I noticed the recovery backup wizard was removed; backup wizard is the utility I used to restore my comp back to factory settings. The system restore was unsuccessful though, stating error 0x80070005. That said, it's not a real problem as I did successfully copy the backup to disc and USB when I restored my comp back to factory settings, so never mind. Just out of curiosity, will the removal of backup wizard have removed the ability to use the backup tools on my hard drive? See here on step 2. Again, I have it on disc so it's necessarily a problem but just asking for the sake of knowledge.

Thanks again for all the help, very much appreciated.

Fix log attached.
Attached Files: Fixlog.txt (16.4 KB)

Old 08-24-2016, 06:43 AM   #8
jamestt, Registered Member

Quote:
Originally Posted by jamestt
so it's necessarily a problem but just asking for the sake of knowledge.
*not necessarily a problem.

Old 08-24-2016, 01:51 PM   #9
chemist, Security Team

Hello again, jamestt. You're welcome. Your backup tools should still work.
  • Double-click SystemLook_x64.exe to run it. (Vista/Win7/Win8/Win10 users, right-click > Run as administrator)
  • Copy/paste the contents of the following codebox into the main textfield:
    Code:
    :filefind
    reminder.exe
  • Click the Look button to start the scan.
  • Please be patient, as it may take a while.
  • When finished, a Notepad file will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt

------------------------------------------------------

Old 08-24-2016, 04:18 PM   #10
jamestt, Registered Member

Hi chemist, scan log attached.
Attached Files: SystemLook.txt (716 Bytes)

Old 08-24-2016, 09:07 PM   #11
chemist, Security Team

Hello again, jamestt. Do you still see the music icons you attached in your first post? I forgot about those.

After doing the following, you should have recovery backup wizard back. Let me know.

------------------------------------------------------

Open Notepad and copy/paste the entire contents of the quotebox below into Notepad:

Quote:
@echo off
md "C:\Program Files (x86)\TTG\Reminder"
copy "C:\FRST\Quarantine\C\Program Files (x86)\TTG\Reminder\Reminder.exe" "C:\Program Files (x86)\TTG\Reminder"
del %0
Save this Notepad file as copy.bat and choose to Save as type: - All Files to your desktop then close the Notepad file.
It should look like this:

Right-click on copy.bat and choose 'Run as administrator' to allow it to run. A DOS window will open and close again, this is normal.

------------------------------------------------------

Open Notepad and copy/paste the entire contents of the codebox below into Notepad (don't forget to copy and paste REGEDIT4). Note that in a .reg file every backslash inside a quoted value must be written as a double backslash, otherwise the path is imported incorrectly:

Code:
REGEDIT4

[HKEY_USERS\S-1-5-21-3300330202-2625169188-2110648829-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Reminder"="C:\\Program Files (x86)\\TTG\\Reminder\\Reminder.exe"
"Recovery Backup Wizard"="C:\\Program Files (x86)\\TTG\\Reminder\\Reminder.exe"

[HKEY_USERS\S-1-5-21-3300330202-2625169188-2110648829-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Reminder"="C:\\Program Files (x86)\\TTG\\Reminder\\Reminder.exe"
"Recovery Backup Wizard"="C:\\Program Files (x86)\\TTG\\Reminder\\Reminder.exe"
Save the file as fix.reg and choose to Save as type: - All Files then close the Notepad file.
It should look like this:

Double-click on fix.reg and choose Yes to merge/add it to the registry. Please delete the file afterwards.

------------------------------------------------------

Old 08-25-2016, 03:56 AM   #12
jamestt, Registered Member

Ok, I've done the above but Recovery Backup Wizard still does not load. When I click on Backup Wizard now I get the message in attachment 1. This message was not appearing before; what I was getting before was basically the Windows "looking for a missing file" message. The message gives me the option to continue or quit; I tried continuing but the box just closes and nothing happens.

The above happens when I click on Recovery Backup Wizard under Advent in the Start menu. See attachment 2.

Just to note, I could try a system restore from safe mode; no idea if it will work or not, but apparently it's worked for some when they have received the error code I received when I tried to restore. Let me know what you think.

Regarding the music icons, yep, all gone!
Attached Thumbnails: Picture 1.jpg

Old 08-25-2016, 04:35 AM   #13
jamestt, Registered Member

Hi Chemist, some strange things happened so I decided to try the restore from safe mode to before the FRST fix and it worked. What happened was that I received a random BSOD that I had never had before, and I also received a critical update from Windows Update that later disappeared, which I found very strange. So I kind of panicked and thought I'd try the restore from safe mode, and thankfully it worked from there.

The good news is Recovery Backup Wizard is back working, but the bad news is that all the adware is of course back.

Old 08-25-2016, 05:25 AM   #14
jamestt, Registered Member

Just going over some of the folders in DockBar, I think some are worth keeping. I think only Family, Entertainment and Shopping are worth deleting. Should I delete all those files manually? I have found where they are located. If I delete all the shortcuts and link launchers would that be OK, or should I do a scan of some sort to delete them all?

Also, Offers and DockBar are obviously back on startup.

I've attached the pictures of the folders I'm referring to above.
Attached Files: Pics.rar (95.7 KB)

Old 08-26-2016, 04:10 AM   #15
chemist, Security Team

Hello again, jamestt.

Quote:
Just to note, after the fix I decided to do a system restore as I noticed the recovery backup wizard was removed; backup wizard is the utility I used to restore my comp back to factory settings.
Quote:
some strange things happened so I decided to try the restore from safe mode to before the FRST fix and it worked
Please let me know what's happening before doing a system restore or factory settings restore.

Every time you do that, we have to start all over. I can fix things without doing restores.

Please download AdwCleaner from here and save it to your desktop.
  • Run AdwCleaner and select Scan
  • Once the Scan is done, select Clean
  • Once done it will ask to reboot, please allow the reboot.
  • On reboot, a log will be produced. It can also be found at C:\AdwCleaner\AdwCleaner[C#].txt
  • Please copy/paste the contents of the log in your next reply.
------------------------------------------------------

Please download Farbar Recovery Scan Tool and save it to your desktop.
  • Double-click FRST64 to run it. When the tool opens click Yes to the disclaimer.
  • Make sure the Addition.txt button is ticked.
  • Press Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
  • The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply.
------------------------------------------------------

Old 08-26-2016, 05:00 AM   #16
jamestt, Registered Member

Yeah, I understand, sorry. I just thought it might be easier to start fresh, away from trying to recover the backup wizard and the BSOD. But yeah, I understand; I'll wait for your say-so next time.

Scans attached.
Attached Files: Addition.txt (23.9 KB), FRST.txt (140.9 KB)

Old 08-26-2016, 06:52 AM   #17
jamestt, Registered Member

Adaware found no infections.

Old 08-26-2016, 08:10 AM   #18
jamestt, Registered Member

Quote:
Originally Posted by jamestt
Adaware found no infections.
*AdwCleaner

Old 08-27-2016, 11:36 AM   #19
chemist, Security Team

Hello again, jamestt. You're very welcome.
  • Open Notepad (Start > All Programs > Accessories > Notepad).
  • Please copy all the text in the codebox below. (To do this highlight the contents of the box, right-click on it and select Copy. Right-click in the open Notepad and select Paste).
  • Save it as fixlist.txt next to FRST64.exe
  • If asked to change 'Encoding:' to 'Unicode:', please agree and save it.

    NOTE: Both FRST64.exe and the fixlist.txt must be in the same location or the fix will not work.


    Code:
    start
    createrestorepoint:
    Task: {EDC6F06C-EBC6-46F1-A134-B00D0C98996B} - System32\Tasks\{E5C23C54-CDE7-4415-BCE5-3574513F7345} => pcalua.exe -a C:\Applications\Tools\DockBar\uninstallapp.exe -d C:\Applications\Tools\DockBar
    C:\Applications\Tools\DockBar
    ShortcutWithArgument: C:\Users\Steve\AppData\Roaming\Microsoft\Windows\Start Menu\DockBar\Shortcuts\Support\GET THE KNOWHOW™.lnk -> C:\Applications\Tools\LinkLauncher\LinkLauncher.exe (Microsoft) -> "hxxp://comms.dsgioemcomputing.com/?model=Q411ADVDBKHW"
    ShortcutWithArgument: C:\Users\Steve\AppData\Roaming\Microsoft\Windows\Start Menu\DockBar\Shortcuts\Support\LiveDrive.lnk -> C:\Applications\Tools\LinkLauncher\LinkLauncher.exe (Microsoft) -> "hxxp://comms.dsgioemcomputing.com/?model=Q411ADVDBLIVEDRIVE"
    ShortcutWithArgument: C:\Users\Steve\AppData\Roaming\Microsoft\Windows\Start Menu\DockBar\Shortcuts\Shopping\Currys.lnk -> C:\Applications\Tools\LinkLauncher\LinkLauncher.exe (Microsoft) -> "hxxp://comms.dsgioemcomputing.com/?model=Q411ADVDBCRY"
    ShortcutWithArgument: C:\Users\Steve\AppData\Roaming\Microsoft\Windows\Start Menu\DockBar\Shortcuts\Shopping\Dixons.co.uk.lnk -> C:\Applications\Tools\LinkLauncher\LinkLauncher.exe (Microsoft) -> "hxxp://comms.dsgioemcomputing.com/?model=Q411ADVDBDIX"
    ShortcutWithArgument: C:\Users\Steve\AppData\Roaming\Microsoft\Windows\Start Menu\DockBar\Shortcuts\Shopping\PC World.lnk -> C:\Applications\Tools\LinkLauncher\LinkLauncher.exe (Microsoft) -> "hxxp://comms.dsgioemcomputing.com/?model=Q411ADVDBPCW"
    ShortcutWithArgument: C:\Users\Steve\AppData\Roaming\Microsoft\Windows\Start Menu\DockBar\Shortcuts\Shopping\Pixmania.lnk -> C:\Applications\Tools\LinkLauncher\LinkLauncher.exe (Microsoft) -> "hxxp://comms.dsgioemcomputing.com/?model=Q411ADVDBPIX"
    ShortcutWithArgument: C:\Users\Steve\AppData\Roaming\Microsoft\Windows\Start Menu\DockBar\Shortcuts\Internet\Power up your PC with the UK’s fastest broadband.lnk -> C:\Applications\Tools\LinkLauncher\LinkLauncher.exe (Microsoft) -> "hxxp://comms.dsgioemcomputing.com/?model=Q411ADVDBVIRGIN"
    ShortcutWithArgument: C:\Users\Steve\AppData\Roaming\Microsoft\Windows\Start Menu\DockBar\Shortcuts\Entertainment\eMusic.lnk -> C:\Applications\Tools\LinkLauncher\LinkLauncher.exe (Microsoft) -> "hxxp://comms.dsgioemcomputing.com/?model=Q411ADVDBEMU"
    ShortcutWithArgument: C:\Users\Steve\AppData\Roaming\Microsoft\Windows\Start Menu\DockBar\Shortcuts\Entertainment\The Times & Sunday Times digital subscription.lnk -> C:\Applications\Tools\LinkLauncher\LinkLauncher.exe (Microsoft) -> "hxxp://comms.dsgioemcomputing.com/?model=Q411ADVDBTIMESONLINE"
    ShortcutWithArgument: C:\Users\Steve\AppData\Roaming\Microsoft\Windows\Start Menu\DockBar\Shortcuts\Entertainment\WE KNOWHOW™ TO BRING YOU GREAT MOVIES AND TV!.lnk -> C:\Applications\Tools\LinkLauncher\LinkLauncher.exe (Microsoft) -> "hxxp://comms.dsgioemcomputing.com/?model=Q411ADVDBKHM"
    ShortcutWithArgument: C:\Users\Steve\AppData\Roaming\Microsoft\Windows\Start Menu\DockBar\Shortcuts\Entertainment\WHSmith eBooks.lnk -> C:\Applications\Tools\LinkLauncher\LinkLauncher.exe (Microsoft) -> "hxxp://comms.dsgioemcomputing.com/?model=Q411ADVDBWHS"
    ShortcutWithArgument: C:\Users\Steve\AppData\Roaming\Microsoft\Windows\Start Menu\DockBar\Shortcuts\Entertainment\YouTube.lnk -> C:\Applications\Tools\LinkLauncher\LinkLauncher.exe (Microsoft) -> "hxxp://comms.dsgioemcomputing.com/?model=Q411ADVDBYT"
    C:\Users\Steve\AppData\Roaming\Microsoft\Windows\Start Menu\DockBar
    FirewallRules: [{862E6E92-F967-4F2A-8CAA-C21C5EC26B63}] => (Allow) C:\Users\Steve\AppData\Local\Temp\7zSD6DD.tmp\SymNRT.exe
    FirewallRules: [{F10E5E14-57C9-424D-BE8D-4F933FB6D950}] => (Allow) C:\Users\Steve\AppData\Local\Temp\7zSD6DD.tmp\SymNRT.exe
    HKU\S-1-5-21-3300330202-2625169188-2110648829-1000\...\Run: [Offers] => C:\Program Files (x86)\TTG\Offers\Offers.exe [1210880 2011-08-10] (DSG Retail Ltd)
    C:\Program Files (x86)\TTG\Offers
    HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.bing.com/search?FORM=INCOH1&PC=IC05&PTAG=ICO-2b0cdb98
    HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.bing.com/search?FORM=INCOH1&PC=IC05&PTAG=ICO-2b0cdb98
    HKU\S-1-5-21-3300330202-2625169188-2110648829-1000\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.bing.com/search?FORM=INCOH1&PC=IC05&PTAG=ICO-2b0cdb98
    SearchScopes: HKLM -> DefaultScope {6A1806CD-94D4-4689-BA73-E35EA1EA9990} URL = hxxp://www.bing.com/search?FORM=INCOH2&PC=IC05&PTAG=ICO-2b0cdb98&q={searchTerms}
    SearchScopes: HKLM -> {6A1806CD-94D4-4689-BA73-E35EA1EA9990} URL = hxxp://www.bing.com/search?FORM=INCOH2&PC=IC05&PTAG=ICO-2b0cdb98&q={searchTerms}
    SearchScopes: HKLM-x32 -> DefaultScope {6A1806CD-94D4-4689-BA73-E35EA1EA9990} URL = hxxp://www.bing.com/search?FORM=INCOH2&PC=IC05&PTAG=ICO-2b0cdb98&q={searchTerms}
    SearchScopes: HKLM-x32 -> {6A1806CD-94D4-4689-BA73-E35EA1EA9990} URL = hxxp://www.bing.com/search?FORM=INCOH2&PC=IC05&PTAG=ICO-2b0cdb98&q={searchTerms}
    SearchScopes: HKU\S-1-5-21-3300330202-2625169188-2110648829-1000 -> DefaultScope {6A1806CD-94D4-4689-BA73-E35EA1EA9990} URL = hxxp://www.bing.com/search?FORM=INCOH2&PC=IC05&PTAG=ICO-2b0cdb98&q={searchTerms}
    SearchScopes: HKU\S-1-5-21-3300330202-2625169188-2110648829-1000 -> {6A1806CD-94D4-4689-BA73-E35EA1EA9990} URL = hxxp://www.bing.com/search?FORM=INCOH2&PC=IC05&PTAG=ICO-2b0cdb98&q={searchTerms}
    FF DefaultSearchEngine: Bing Powered Search
    FF SelectedSearchEngine: Bing Powered Searc
    FF Plugin: @microsoft.com/GENUINE -> disabled [No File]
    FF Plugin-x32: @java.com/DTPlugin,version=11.101.2 -> C:\Program Files (x86)\Java\jre1.8.0_101\bin\dtplugin\npDeployJava1.dll [No File]
    FF Plugin-x32: @microsoft.com/GENUINE -> disabled [No File]
    FF Plugin-x32: @videolan.org/vlc,version=2.2.4 -> C:\Program Files (x86)\VideoLAN\VLC\npvlc.dll [No File]
    S3 FoxAwdWINFLASH64; \??\C:\Program Files (x86)\Foxconn\FOX LiveUpdate\FoxAwdWINFLASH64.SYS [X]
    S3 FXDrv32; \??\C:\Program Files (x86)\Foxconn\FOX LiveUpdate\FXDrv64.sys [X]
    C:\Program Files (x86)\Foxconn
    C:\ProgramData\HitmanPro
    C:\ProgramData\KNOWHOW
    C:\Program Files (x86)\KNOWHOW
    [-HKEY_LOCAL_MACHINE\SOFTWARE\HitmanPro]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Foxconn\FOX LiveUpdate]
    [-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\FoxAwdWINFLASH64]
    [-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\FXDrv32]
    Reg: reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\DockBar" /f
    EmptyTemp:
    end
  • Double-click FRST64 to run the tool. If the tool warns you the version is outdated, please download and run the updated version.
  • Click the Fix button just once, and wait.
  • If you receive a message that a reboot is required, please make sure you allow it to restart normally.
  • The tool will complete its run after the restart.
  • When finished, the tool will make a log (Fixlog.txt) in the same location from where it was run. Please post the Fixlog.txt log in your reply.

NOTE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.

------------------------------------------------------
__________________
Our services are free, but you may contribute to the author of ComboFix via PayPal

Proud member of UNITE

Microsoft MVP - Consumer Security 2014, 2015
chemist is offline  
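Added example, not from the thread and not part of FRST: a read-only PowerShell audit of the same Run, MSConfig, Internet Explorer, firewall and service locations the fixlist above targets, so the user can confirm nothing survived the fix. It assumes an elevated PowerShell session on the same Windows account (so HKCU maps to the HKU\S-1-5-21-...-1000 hive in the fixlist); the registry paths are standard Windows locations.

```powershell
# Added example, not from the thread or from FRST: a read-only audit of the
# locations the fixlist above removes. Run in an elevated PowerShell as the
# same Windows account (so HKCU is that user's hive). Reports only; deletes nothing.
$findings = @()

# Run entry "Offers" and the MSConfig-disabled "DockBar" startup item
$run = Get-ItemProperty 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run' -ErrorAction SilentlyContinue
if ($run -and $run.Offers) { $findings += "Run entry still present: Offers = $($run.Offers)" }
Get-ChildItem 'HKLM:\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg' -ErrorAction SilentlyContinue |
    Where-Object { $_.PSChildName -eq 'DockBar' } |
    ForEach-Object { $findings += "MSConfig startupreg entry still present: $($_.PSChildName)" }

# IE start page and search scopes carrying the OEM affiliate tags seen in the fixlist
$tagPattern = 'PTAG=ICO-|FORM=INCOH'
$ieRoots = @('HKCU:\Software\Microsoft\Internet Explorer',
             'HKLM:\SOFTWARE\Microsoft\Internet Explorer',
             'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer')
foreach ($root in $ieRoots) {
    $sp = (Get-ItemProperty "$root\Main" -ErrorAction SilentlyContinue).'Start Page'
    if ($sp -match $tagPattern) { $findings += "Start Page still tagged: $root\Main = $sp" }
    Get-ChildItem "$root\SearchScopes" -ErrorAction SilentlyContinue | ForEach-Object {
        $url = (Get-ItemProperty $_.PSPath).URL
        if ($url -match $tagPattern) { $findings += "SearchScope still tagged: $($_.PSChildName) = $url" }
    }
}

# Firewall rules that allow a program living under a Temp folder (the SymNRT.exe rules).
# Windows 7 has no Get-NetFirewallRule, so read the policy store that FRST reads.
$fwKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules'
$fw = Get-ItemProperty $fwKey -ErrorAction SilentlyContinue
if ($fw) {
    $fw.PSObject.Properties | Where-Object { "$($_.Value)" -match 'App=[^|]*\\AppData\\Local\\Temp\\' } |
        ForEach-Object { $findings += "Firewall rule allows a Temp executable: $($_.Name)" }
}

# Service keys whose driver file is gone (FRST marks these [X])
foreach ($svc in 'FoxAwdWINFLASH64', 'FXDrv32') {
    $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$svc"
    if (Test-Path $key) {
        $img = (Get-ItemProperty $key).ImagePath -replace '^\\\?\?\\', ''
        $state = if ($img -and (Test-Path -LiteralPath $img)) { 'file present' } else { 'file missing' }
        $findings += "Service key still present: $svc ($state) -> $img"
    }
}

if ($findings.Count -eq 0) { 'No leftovers from the fixlist found.' } else { $findings }
```

Any line it prints is something the fix did not clear and is worth mentioning in the next reply with the Fixlog.txt.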
Old 08-27-2016, 12:13 PM   #20
Registered Member
 
Join Date: Jul 2010
Posts: 184
OS: Windows 7



Hi, fix complete and all seems to be running fine. Log attached.
Attached Files
File Type: txt Fixlog.txt (13.1 KB, 20 views)
jamestt is offline  
 
