
Virus/Malware assistance

This is a discussion on Virus/Malware assistance within the Resolved HJT Threads forums, part of the Tech Support Forum category.


03-11-2016, 06:46 PM   #1
Registered Member
Join Date: Apr 2013
Posts: 81
OS: Win7 SP1 64 bit

A friend asked me to help her rid her Windows 8.1 Laptop of whatever it has. I had her run MalwareBytes on it before she gave it to me and it cleaned somewhere around 2000 issues, but the browsers are still being hijacked and she is getting popups telling her to call for help.

I was unable to run DDR.SCR on it, so at the suggestion of another thread here I ran FRST and the log is below, and the file addition.txt is attached. Thank you in advance!

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version:05-03-2016 01
Ran by Barbara (administrator) on BARBARA (11-03-2016 20:38:42)
Running from C:\Users\Barbara\Desktop
Loaded Profiles: Barbara (Available Profiles: Barbara)
Platform: Windows 8.1 (X64) Language: English (United States)
Internet Explorer Version 11 (Default browser: FF)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: FRST Tutorial - How to use Farbar Recovery Scan Tool - Malware Removal Guides and Tutorials

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(Intel Corporation) C:\Windows\System32\igfxCUIService.exe
(IDT, Inc.) C:\Program Files\IDT\WDM\stacsv64.exe
(Microsoft Corporation) C:\Program Files (x86)\Skype\Toolbars\AutoUpdate\SkypeC2CAutoUpdateSvc.exe
(Microsoft Corporation) C:\Program Files (x86)\Skype\Toolbars\PNRSvc\SkypeC2CPNRSvc.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Bluetooth\ibtrksrv.exe
(McAfee, Inc.) C:\Program Files (x86)\McAfee\SiteAdvisor\mcsacore.exe
(McAfee, Inc.) C:\Program Files\McAfee\AppStats\MfeASUM.exe
(McAfee, Inc.) C:\Program Files\Common Files\mcafee\systemcore\mfemms.exe
(McAfee, Inc.) C:\Windows\System32\mfevtps.exe
(McAfee, Inc.) C:\Windows\System32\mfevtps.exe
(McAfee, Inc.) C:\Program Files\Common Files\mcafee\AMCore\mcshield.exe
() C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe
(SoftThinks SAS) C:\Program Files (x86)\Dell Backup and Recovery\SftService.exe
(McAfee, Inc.) C:\Program Files\Common Files\mcafee\systemcore\mfefire.exe
(McAfee, Inc.) C:\Program Files\McAfee\MSC\McAPExe.exe
(McAfee, Inc.) C:\Program Files\Common Files\mcafee\systemcore\mfefire.exe
(McAfee, Inc.) C:\Program Files\Common Files\mcafee\Platform\McSvcHost\McSvHost.exe
(Motorola Solutions, Inc.) C:\Program Files (x86)\Intel\Bluetooth\devmonsrv.exe
(Motorola Solutions, Inc.) C:\Program Files (x86)\Intel\Bluetooth\obexsrv.exe
(Dell Inc.) C:\Program Files\Dell\DellDataVault\DellDataVaultWiz.exe
(Dell Inc.) C:\Program Files (x86)\Dell Update\DellUpService.exe
(McAfee, Inc.) C:\Program Files\Common Files\mcafee\CSP\1.8.267.0\McCSPServiceHost.exe
(Dell Inc.) C:\Program Files (x86)\Dell\SupportAssistAgent\bin\SupportAssistAgent.exe
(Dell Inc.) C:\Program Files\Dell\DellDataVault\DellDataVault.exe
(Microsoft Corporation) C:\Windows\Microsoft.NET\Framework64\v3.0\WPF\PresentationFontCache.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe
(McAfee, Inc.) C:\Program Files\Common Files\mcafee\Platform\McAMTaskAgent.exe
(McAfee, Inc.) C:\Program Files\McAfee\VUL\McVulCtr.exe
(Intel Corporation) C:\Windows\System32\igfxEM.exe
(Intel Corporation) C:\Windows\System32\igfxHK.exe
(Intel Corporation) C:\Windows\System32\igfxTray.exe
(IvoSoft) C:\Program Files\Classic Shell\ClassicStartMenu.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe
(Uniblue Systems Ltd) C:\Program Files (x86)\Uniblue\DriverScanner\dsmonitor.exe
(SoftThinks - Dell) C:\Program Files (x86)\Dell Backup and Recovery\Toaster.exe
(© 2015 Microsoft Corporation) C:\Users\Barbara\AppData\Local\Microsoft\BingSvc\BingSvc.exe
(Synaptics Incorporated) C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
(Synaptics Incorporated) C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
(Microsoft Corporation) C:\Windows\System32\GWX\GWX.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe
(Dell Inc.) C:\Program Files (x86)\Dell Update\DellUpTray.exe
(McAfee, Inc.) C:\Program Files\Common Files\mcafee\Platform\McUICnt.exe
(McAfee, Inc.) C:\Program Files\Common Files\mcafee\Platform\Core\mchost.exe
(McAfee, Inc.) C:\Program Files\McAfee\VirusScan\McVsShld.exe
(McAfee, Inc.) C:\Program Files\Common Files\mcafee\Platform\Core\mchost.exe


==================== Registry (Whitelisted) ===========================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [SysTrayApp] => C:\Program Files\IDT\WDM\sttray64.exe [1664000 2012-09-06] (IDT, Inc.)
HKLM\...\Run: [DellWPF] => C:\Program Files\Synaptics\SynTP\DellTouchpad.exe [4875576 2012-09-07] ()
HKLM\...\Run: [QuickSet] => C:\Program Files\Dell\QuickSet\QuickSet.exe [3759504 2012-07-20] (Dell Inc.)
HKLM\...\Run: [Classic Start Menu] => C:\Program Files\Classic Shell\ClassicStartMenu.exe [161984 2014-04-20] (IvoSoft)
HKLM\...\Run: [SynTPEnh] => C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [2917688 2012-09-07] (Synaptics Incorporated)
HKLM\...\Run: [BTMTrayAgent] => rundll32.exe "C:\Program Files (x86)\Intel\Bluetooth\btmshellex.dll",TrayApp
HKLM-x32\...\Run: [CLMLServer_For_P2G8] => C:\Program Files (x86)\CyberLink\Power2Go8\CLMLSvc_P2G8.exe [111120 2012-06-07] (CyberLink)
HKLM-x32\...\Run: [CLVirtualDrive] => C:\Program Files (x86)\CyberLink\Power2Go8\VirtualDrive.exe [491120 2012-07-04] (CyberLink Corp.)
HKLM-x32\...\Run: [RemoteControl10] => C:\Program Files (x86)\CyberLink\PowerDVD10\PDVD10Serv.exe [143888 2012-06-01] (CyberLink Corp.)
HKLM-x32\...\Run: [BDRegion] => C:\Program Files (x86)\Cyberlink\Shared files\brs.exe [76912 2012-07-13] (cyberlink)
HKLM-x32\...\Run: [IAStorIcon] => C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe [285240 2012-10-24] (Intel Corporation)
Winlogon\Notify\GoToAssist: C:\Program Files (x86)\Citrix\GoToAssist Corporate\1121\G2AWinLogon_x64.dll (Citrix Online, a division of Citrix Systems, Inc.)
Winlogon\Notify\igfxcui: igfxdev.dll [X]
HKU\S-1-5-21-3522491794-3342697391-1839454013-1002\...\Run: [Skype] => C:\Program Files (x86)\Skype\Phone\Skype.exe [50599552 2016-02-10] (Skype Technologies S.A.)
HKU\S-1-5-21-3522491794-3342697391-1839454013-1002\...\Run: [BingSvc] => C:\Users\Barbara\AppData\Local\Microsoft\BingSvc\BingSvc.exe [144008 2016-01-27] (© 2015 Microsoft Corporation)
HKU\S-1-5-21-3522491794-3342697391-1839454013-1002\...\Run: [Chromium] => "c:\users\barbara\appdata\local\chromium\application\chrome.exe" --auto-launch-at-startup --profile-directory="Default" --restore-last-session
ShellIconOverlayIdentifiers: [ShareOverlay] -> {594D4122-1F87-41E2-96C7-825FB4796516} => C:\Program Files\Classic Shell\ClassicExplorer64.dll [2014-04-20] (IvoSoft)
ShellIconOverlayIdentifiers-x32: [ShareOverlay] -> {594D4122-1F87-41E2-96C7-825FB4796516} => C:\Program Files\Classic Shell\ClassicExplorer32.dll [2014-04-20] (IvoSoft)
CHR HKLM\SOFTWARE\Policies\Google: Restriction <======= ATTENTION

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

ProxyEnable: [S-1-5-21-3522491794-3342697391-1839454013-1002] => Proxy is enabled.
Tcpip\Parameters: [DhcpNameServer] 209.18.47.62 209.18.47.61
Tcpip\Parameters: [NameServer] 8.8.8.8,8.8.8.4
Tcpip\..\Interfaces\{1F413C47-963F-473B-92AF-299A70A9E292}: [NameServer] 8.8.8.8,8.8.4.4
Tcpip\..\Interfaces\{1F413C47-963F-473B-92AF-299A70A9E292}: [DhcpNameServer] 209.18.47.62 209.18.47.61
Tcpip\..\Interfaces\{ABADC05F-C4B2-445E-930B-B276D1C31BC5}: [NameServer] 8.8.8.8,8.8.4.4
Tcpip\..\Interfaces\{ABADC05F-C4B2-445E-930B-B276D1C31BC5}: [DhcpNameServer] 192.168.1.1
Tcpip\..\Interfaces\{AE8B0E0E-2995-4DDD-850B-F371386426C2}: [DhcpNameServer] 82.163.142.7
Tcpip\..\Interfaces\{D549937F-1833-4D98-8649-E285DBECF57F}: [DhcpNameServer] 82.163.142.7

Internet Explorer:
==================
HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Start Page = about:blank
HKU\S-1-5-21-3522491794-3342697391-1839454013-1002\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.palikan.com/?f=1&a=plk_coinisrs_16_10&cd=2XzuyEtN2Y1L1QzuyBzzyEyD0CyE0B0EyE0A0F0F0B0EyEyEtN0D0Tzu0StCyDtAtCtN1L2XzutAtFtCzztFtCtFyDtN1L1Czu1TtN1L1G1B1V1N2Y1L1Qzu2StA0AzzyDyBtDyEtBtGyD0DyEyCtGtAtB0BtAtGyBtBtDtAtG0Fzy0E0CyB0EyD0AtCyD0AtD2QtN1M1F1B2Z1V1N2Y1L1Qzu2StByEyEtD0E0F0FyCtG0CtBtD0BtGyE0B0CzztG0AtDzz0EtGyE0CtB0FyEyEyB0C0CyEyBtA2QtN0A0LzutB&cr=1262681242&ir=
SearchScopes: HKLM -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKLM -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-21-3522491794-3342697391-1839454013-1002 -> DefaultScope {6586d803-df30-46d3-a89a-4136c8571d45} URL = hxxp://www.palikan.com/results.php?f=4&a=plk_coinisrs_16_10&cd=2XzuyEtN2Y1L1QzuyBzzyEyD0CyE0B0EyE0A0F0F0B0EyEyEtN0D0Tzu0StCyDtAtCtN1L2XzutAtFtCzztFtCtFyDtN1L1Czu1TtN1L1G1B1V1N2Y1L1Qzu2StA0AzzyDyBtDyEtBtGyD0DyEyCtGtAtB0BtAtGyBtBtDtAtG0Fzy0E0CyB0EyD0AtCyD0AtD2QtN1M1F1B2Z1V1N2Y1L1Qzu2StByEyEtD0E0F0FyCtG0CtBtD0BtGyE0B0CzztG0AtDzz0EtGyE0CtB0FyEyEyB0C0CyEyBtA2QtN0A0LzutB&cr=1262681242&ir=&q={searchTerms}
SearchScopes: HKU\S-1-5-21-3522491794-3342697391-1839454013-1002 -> {6586d803-df30-46d3-a89a-4136c8571d45} URL = hxxp://www.palikan.com/results.php?f=4&a=plk_coinisrs_16_10&cd=2XzuyEtN2Y1L1QzuyBzzyEyD0CyE0B0EyE0A0F0F0B0EyEyEtN0D0Tzu0StCyDtAtCtN1L2XzutAtFtCzztFtCtFyDtN1L1Czu1TtN1L1G1B1V1N2Y1L1Qzu2StA0AzzyDyBtDyEtBtGyD0DyEyCtGtAtB0BtAtGyBtBtDtAtG0Fzy0E0CyB0EyD0AtCyD0AtD2QtN1M1F1B2Z1V1N2Y1L1Qzu2StByEyEtD0E0F0FyCtG0CtBtD0BtGyE0B0CzztG0AtDzz0EtGyE0CtB0FyEyEyB0C0CyEyBtA2QtN0A0LzutB&cr=1262681242&ir=&q={searchTerms}
SearchScopes: HKU\S-1-5-21-3522491794-3342697391-1839454013-1002 -> {77A7C2CD-792F-48A6-8853-E48252606C2C} URL = hxxps://search.yahoo.com/search?fr=mcafee&type=C011US105D20130806&p={searchTerms}
BHO: ExplorerBHO Class -> {449D0D6E-2412-4E61-B68F-1CB625CD9E52} -> C:\Program Files\Classic Shell\ClassicExplorer64.dll [2014-04-20] (IvoSoft)
BHO: Skype Click to Call for Internet Explorer -> {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} -> C:\Program Files (x86)\Skype\Toolbars\Internet Explorer x64\skypeieplugin.dll [2016-01-08] (Microsoft Corporation)
BHO: ClassicIEBHO Class -> {EA801577-E6AD-4BD5-8F71-4BE0154331A4} -> C:\Program Files\Classic Shell\ClassicIEDLL_64.dll [2014-04-20] (IvoSoft)
BHO-x32: ExplorerBHO Class -> {449D0D6E-2412-4E61-B68F-1CB625CD9E52} -> C:\Program Files\Classic Shell\ClassicExplorer32.dll [2014-04-20] (IvoSoft)
BHO-x32: Skype Click to Call for Internet Explorer -> {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} -> C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll [2016-01-08] (Microsoft Corporation)
BHO-x32: ClassicIEBHO Class -> {EA801577-E6AD-4BD5-8F71-4BE0154331A4} -> C:\Program Files\Classic Shell\ClassicIEDLL_32.dll [2014-04-20] (IvoSoft)
Toolbar: HKLM - Classic Explorer Bar - {553891B7-A0D5-4526-BE18-D3CE461D6310} - C:\Program Files\Classic Shell\ClassicExplorer64.dll [2014-04-20] (IvoSoft)
Toolbar: HKLM-x32 - Classic Explorer Bar - {553891B7-A0D5-4526-BE18-D3CE461D6310} - C:\Program Files\Classic Shell\ClassicExplorer32.dll [2014-04-20] (IvoSoft)
Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\Program Files (x86)\McAfee\SiteAdvisor\x64\McIEPlg.dll [2016-02-11] (McAfee, Inc.)
Handler-x32: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\Program Files (x86)\McAfee\SiteAdvisor\McIEPlg.dll [2016-02-11] (McAfee, Inc.)
Handler: inbox - {37540F19-DD4C-478B-B2DF-C19281BCAF27} - No File
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\Program Files (x86)\McAfee\SiteAdvisor\x64\McIEPlg.dll [2016-02-11] (McAfee, Inc.)
Handler-x32: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\Program Files (x86)\McAfee\SiteAdvisor\McIEPlg.dll [2016-02-11] (McAfee, Inc.)
Handler: skypec2c - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer x64\skypeieplugin.dll [2016-01-08] (Microsoft Corporation)
Handler-x32: skypec2c - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll [2016-01-08] (Microsoft Corporation)
Filter: application/x-mfe-ipt - {3EF5086B-5478-4598-A054-786C45D75692} - c:\Program Files\McAfee\MSC\McSnIePl64.dll [2015-11-10] (McAfee, Inc.)
Filter-x32: application/x-mfe-ipt - {3EF5086B-5478-4598-A054-786C45D75692} - c:\Program Files (x86)\McAfee\MSC\McSnIePl.dll [2015-11-10] (McAfee, Inc.)

FireFox:
========
FF ProfilePath: C:\Users\Barbara\AppData\Roaming\Mozilla\Firefox\Profiles\viwepmb2.default
FF NewTab: about:newtab
FF DefaultSearchEngine: Palikan
FF DefaultSearchEngine.US: Bing
FF SearchEngineOrder.1: Secure Search
FF SearchEngineOrder.3: Bing
FF SelectedSearchEngine: Palikan
FF Homepage: hxxp://www.palikan.com/?f=1&a=plk_coinisrs_16_10&cd=2XzuyEtN2Y1L1QzuyBzzyEyD0CyE0B0EyE0A0F0F0B0EyEyEtN0D0Tzu0StCyDtAtCtN1L2XzutAtFtCzztFtCtFyDtN1L1Czu1TtN1L1G1B1V1N2Y1L1Qzu2StA0AzzyDyBtDyEtBtGyD0DyEyCtGtAtB0BtAtGyBtBtDtAtG0Fzy0E0CyB0EyD0AtCyD0AtD2QtN1M1F1B2Z1V1N2Y1L1Qzu2StByEyEtD0E0F0FyCtG0CtBtD0BtGyE0B0CzztG0AtDzz0EtGyE0CtB0FyEyEyB0C0CyEyBtA2QtN0A0LzutB&cr=1262681242&ir=
FF Keyword.URL: hxxp://www.bing.com/search?FORM=SL5ADF&PC=SL5A&q=
FF Plugin: @adobe.com/FlashPlayer -> C:\WINDOWS\system32\Macromed\Flash\NPSWF64_21_0_0_182.dll [2016-03-10] ()
FF Plugin: @mcafee.com/MSC,version=10 -> c:\PROGRA~1\mcafee\msc\NPMCSN~1.DLL [2015-11-10] ()
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files\Microsoft Silverlight\5.1.41212.0\npctrl.dll [2015-12-11] ( Microsoft Corporation)
FF Plugin-x32: @adobe.com/FlashPlayer -> C:\WINDOWS\SysWOW64\Macromed\Flash\NPSWF32_21_0_0_182.dll [2016-03-10] ()
FF Plugin-x32: @mcafee.com/MSC,version=10 -> c:\PROGRA~2\mcafee\msc\NPMCSN~1.DLL [2015-11-10] ()
FF Plugin-x32: @mcafee.com/MVT -> C:\Program Files (x86)\McAfee\Supportability\MVT\NPMVTPlugin.dll [2015-08-18] (McAfee, Inc.)
FF Plugin-x32: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files (x86)\Microsoft Silverlight\5.1.41212.0\npctrl.dll [2015-12-11] ( Microsoft Corporation)
FF Plugin-x32: @microsoft.com/WLPG,version=16.4.3505.0912 -> C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll [2012-09-12] (Microsoft Corporation)
FF Plugin-x32: Adobe Reader -> C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AIR\nppdf32.dll [2015-12-18] (Adobe Systems Inc.)
FF Plugin HKU\S-1-5-21-3522491794-3342697391-1839454013-1002: @citrixonline.com/appdetectorplugin -> C:\Users\Barbara\AppData\Local\Citrix\Plugins\104\npappdetector.dll [2015-09-02] (Citrix Online)
FF SearchPlugin: C:\Users\Barbara\AppData\Roaming\Mozilla\Firefox\Profiles\viwepmb2.default\searchplugins\bing-.xml [2016-01-27]
FF SearchPlugin: C:\Users\Barbara\AppData\Roaming\Mozilla\Firefox\Profiles\viwepmb2.default\searchplugins\McSiteAdvisor.xml [2015-05-29]
FF SearchPlugin: C:\Users\Barbara\AppData\Roaming\Mozilla\Firefox\Profiles\viwepmb2.default\searchplugins\Palikan.xml [2016-03-11]
FF SearchPlugin: C:\Program Files (x86)\mozilla firefox\browser\searchplugins\McSiteAdvisor.xml [2015-05-29]
FF Extension: McAfee WebAdvisor - C:\Program Files (x86)\McAfee\SiteAdvisor\saffplg.xpi [2015-12-29]
FF Extension: Bing Search - C:\Users\Barbara\AppData\Roaming\Mozilla\Firefox\Profiles\viwepmb2.default\Extensions\[email protected] [2015-06-23] [not signed]
FF Extension: Bing Search - C:\Users\Barbara\AppData\Roaming\Mozilla\Firefox\Profiles\viwepmb2.default\Extensions\[email protected] [2016-01-27]
FF Extension: Web United - C:\Users\Barbara\AppData\Roaming\Mozilla\Firefox\Profiles\viwepmb2.default\Extensions\{855c4a9e-6004-4c31-87d1-5d858863e4a1}.xpi [2015-03-03] [not signed]
FF Extension: Skype - C:\Program Files (x86)\Mozilla Firefox\browser\extensions\{82AF8DCA-6DE9-405D-BD5E-43525BDAD38A}.xpi [2016-01-06]
FF Extension: Default - C:\Program Files (x86)\Mozilla Firefox\browser\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}.xpi [2016-03-03] [not signed]
FF HKLM\...\Firefox\Extensions: [{4ED1F68A-5463-4931-9384-8FFF5ED91D92}] - C:\Program Files (x86)\McAfee\SiteAdvisor\saffplg.xpi
FF HKLM-x32\...\Firefox\Extensions: [{4ED1F68A-5463-4931-9384-8FFF5ED91D92}] - C:\Program Files (x86)\McAfee\SiteAdvisor\saffplg.xpi
FF HKLM-x32\...\Thunderbird\Extensions: [[email protected]] - C:\Program Files\McAfee\MSK
FF Extension: McAfee Anti-Spam Thunderbird Extension - C:\Program Files\McAfee\MSK [2016-02-05] [not signed]

Chrome:
=======
CHR Profile: C:\Users\Barbara\AppData\Local\Google\Chrome\User Data\Default
CHR Extension: (Google Docs) - C:\Users\Barbara\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake [2014-01-07]
CHR Extension: (Google Drive) - C:\Users\Barbara\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2014-01-07]
CHR Extension: (YouTube) - C:\Users\Barbara\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2014-01-07]
CHR Extension: (Google Search) - C:\Users\Barbara\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf [2014-01-07]
CHR Extension: (SiteAdvisor) - C:\Users\Barbara\AppData\Local\Google\Chrome\User Data\Default\Extensions\fheoggkfdfchfphceeifdbepaooicaho [2014-01-07]
CHR Extension: (Google Wallet) - C:\Users\Barbara\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2014-01-07]
CHR Extension: (Gmail) - C:\Users\Barbara\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2014-01-07]
CHR HKLM\...\Chrome\Extension: [fheoggkfdfchfphceeifdbepaooicaho] - C:\Program Files (x86)\McAfee\SiteAdvisor\McChPlg.crx [2016-02-21]
CHR HKU\S-1-5-21-3522491794-3342697391-1839454013-1002\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [fkkcgfbgohboipdhliafmacjnhjbhmim] - hxxps://clients2.google.com/service/update2/crx
CHR HKLM-x32\...\Chrome\Extension: [fheoggkfdfchfphceeifdbepaooicaho] - C:\Program Files (x86)\McAfee\SiteAdvisor\McChPlg.crx [2016-02-21]
CHR HKLM-x32\...\Chrome\Extension: [lifbcibllhkdhoafpjfnlhfpfgnpldfl] - C:\Program Files (x86)\Skype\Toolbars\ChromeExtension\skype_chrome_extension.crx [2014-07-14]

==================== Services (Whitelisted) ========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

S2 0274331457710010mcinstcleanup; C:\WINDOWS\TEMP\027433~1.EXE [883024 2015-05-04] (McAfee, Inc.)
R2 c2cautoupdatesvc; C:\Program Files (x86)\Skype\Toolbars\AutoUpdate\SkypeC2CAutoUpdateSvc.exe [1433216 2016-01-08] (Microsoft Corporation)
R2 c2cpnrsvc; C:\Program Files (x86)\Skype\Toolbars\PNRSvc\SkypeC2CPNRSvc.exe [1773696 2016-01-08] (Microsoft Corporation)
S2 CLKMSVC10_38F51D56; C:\Program Files (x86)\CyberLink\PowerDVD10\NavFilter\kmsvc.exe [236144 2012-07-13] (CyberLink)
R2 DellDataVault; C:\Program Files\Dell\DellDataVault\DellDataVault.exe [2571352 2016-01-05] (Dell Inc.)
R2 DellDataVaultWiz; C:\Program Files\Dell\DellDataVault\DellDataVaultWiz.exe [201816 2016-01-05] (Dell Inc.)
R2 DellUpdate; C:\Program Files (x86)\Dell Update\DellUpService.exe [237272 2015-08-27] (Dell Inc.)
S3 GoToAssist; C:\Program Files (x86)\Citrix\GoToAssist Corporate\1121\G2AC_Service.exe [310080 2015-09-02] (Citrix Online, a division of Citrix Systems, Inc.)
R2 HomeNetSvc; C:\Program Files\Common Files\McAfee\Platform\McSvcHost\McSvHost.exe [451960 2015-11-02] (McAfee, Inc.)
R2 igfxCUIService1.0.0.0; C:\Windows\system32\igfxCUIService.exe [330136 2015-08-27] (Intel Corporation)
R2 Intel(R) Wireless Bluetooth(R) 4.0 Radio Management; C:\Program Files (x86)\Intel\Bluetooth\ibtrksrv.exe [157128 2013-09-18] (Intel Corporation)
S2 MBAMService; C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe [1135416 2015-10-05] (Malwarebytes)
R2 McAfee SiteAdvisor Service; C:\Program Files (x86)\McAfee\SiteAdvisor\McSACore.exe [158952 2016-02-11] (McAfee, Inc.)
R2 McAPExe; C:\Program Files\McAfee\MSC\McAPExe.exe [863448 2015-11-10] (McAfee, Inc.)
R2 mccspsvc; C:\Program Files\Common Files\McAfee\CSP\1.8.267.0\McCSPServiceHost.exe [1696712 2016-02-23] (McAfee, Inc.)
R2 McMPFSvc; C:\Program Files\Common Files\McAfee\Platform\McSvcHost\McSvHost.exe [451960 2015-11-02] (McAfee, Inc.)
R2 McNaiAnn; C:\Program Files\Common Files\mcafee\Platform\McSvcHost\McSvHost.exe [451960 2015-11-02] (McAfee, Inc.)
S3 McODS; C:\Program Files\McAfee\VirusScan\mcods.exe [679120 2015-10-20] (McAfee, Inc.)
R2 mcpltsvc; C:\Program Files\Common Files\mcafee\Platform\McSvcHost\McSvHost.exe [451960 2015-11-02] (McAfee, Inc.)
R2 McProxy; C:\Program Files\Common Files\mcafee\Platform\McSvcHost\McSvHost.exe [451960 2015-11-02] (McAfee, Inc.)
R2 MfeASUM; C:\Program Files\McAfee\AppStats\MfeASUM.exe [335216 2013-08-08] (McAfee, Inc.)
R3 mfefire; C:\Program Files\Common Files\McAfee\SystemCore\\mfefire.exe [233680 2015-09-21] (McAfee, Inc.)
R2 mfemms; C:\Program Files\Common Files\McAfee\SystemCore\\mfemms.exe [378848 2015-10-21] (McAfee, Inc.)
R2 mfevtp; C:\windows\system32\mfevtps.exe [256840 2015-09-21] (McAfee, Inc.)
R2 MSK80Service; C:\Program Files\Common Files\McAfee\Platform\McSvcHost\McSvHost.exe [451960 2015-11-02] (McAfee, Inc.)
R2 RichVideo; C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe [254512 2012-04-24] ()
R2 SftService; C:\Program Files (x86)\Dell Backup and Recovery\SftService.exe [1919336 2012-08-06] (SoftThinks SAS)
R2 SupportAssistAgent; C:\Program Files (x86)\Dell\SupportAssistAgent\bin\SupportAssistAgent.exe [31928 2016-01-12] (Dell Inc.)
S3 WdNisSvc; C:\Program Files\Windows Defender\NisSrv.exe [366552 2015-07-07] (Microsoft Corporation)
S3 WinDefend; C:\Program Files\Windows Defender\MsMpEng.exe [23824 2015-07-07] (Microsoft Corporation)

===================== Drivers (Whitelisted) ==========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R3 btmaux; C:\Windows\system32\DRIVERS\btmaux.sys [140600 2013-07-22] (Motorola Solutions, Inc.)
R3 btmhsf; C:\Windows\system32\DRIVERS\btmhsf.sys [1390904 2013-09-05] (Motorola Solutions, Inc.)
R3 cfwids; C:\Windows\System32\drivers\cfwids.sys [80760 2015-09-23] (McAfee, Inc.)
R1 CLVirtualDrive; C:\Windows\system32\DRIVERS\CLVirtualDrive.sys [92536 2012-06-25] (CyberLink)
R3 DDDriver; C:\Windows\system32\drivers\DDDriver64Dcsa.sys [23760 2015-01-30] (Dell Computer Corporation)
R3 DellProf; C:\Windows\system32\drivers\DellProf.sys [24240 2015-05-22] (Dell Computer Corporation)
S0 ebdrv; C:\Windows\System32\drivers\evbda.sys [3357024 2013-08-22] (Broadcom Corporation)
S3 HipShieldK; C:\Windows\System32\drivers\HipShieldK.sys [207208 2015-05-19] (McAfee, Inc.)
S3 ISCT; C:\Windows\System32\drivers\ISCTD64.sys [46016 2012-07-25] ()
S3 lehidmini; C:\Windows\System32\drivers\leath_hid.sys [39704 2012-08-08] (Atheros)
R3 MBAMProtector; C:\WINDOWS\system32\drivers\mbam.sys [25816 2015-10-05] (Malwarebytes)
S3 MBAMWebAccessControl; C:\WINDOWS\system32\drivers\mwac.sys [64216 2015-10-05] (Malwarebytes Corporation)
R3 mfeaack; C:\Windows\System32\drivers\mfeaack.sys [415976 2015-09-23] (McAfee, Inc.)
R1 MfeASKM; C:\Program Files\McAfee\AppStats\MfeASKM.sys [31408 2013-08-08] (McAfee, Inc.)
R3 mfeavfk; C:\Windows\System32\drivers\mfeavfk.sys [351120 2015-09-23] (McAfee, Inc.)
S0 mfeelamk; C:\Windows\System32\drivers\mfeelamk.sys [82072 2015-09-23] (McAfee, Inc.)
R3 mfefirek; C:\Windows\System32\drivers\mfefirek.sys [497888 2015-09-23] (McAfee, Inc.)
R0 mfehidk; C:\Windows\System32\drivers\mfehidk.sys [841944 2015-09-23] (McAfee, Inc.)
R3 mfencbdc; C:\Windows\System32\DRIVERS\mfencbdc.sys [537192 2015-10-06] (McAfee, Inc.)
S3 mfencrk; C:\Windows\System32\DRIVERS\mfencrk.sys [109480 2015-10-06] (McAfee, Inc.)
R3 mfesapsn; C:\Program Files (x86)\McAfee\SiteAdvisor\x64\mfesapsn.sys [36968 2016-01-19] (McAfee, Inc.)
R0 mfewfpk; C:\Windows\System32\drivers\mfewfpk.sys [244544 2015-09-23] (McAfee, Inc.)
R3 NETwNe64; C:\Windows\system32\DRIVERS\NETwew00.sys [3345376 2013-08-31] (Intel Corporation)
S3 qca_shb; C:\Windows\System32\drivers\qca_shb.sys [99328 2012-08-08] (Qualcomm Atheros Communications Inc.) [File not signed]
R0 rtcrfilt64; C:\Windows\System32\DRIVERS\rtcrfilt64.sys [19600 2012-09-04] (Realtek Semiconductor Corp.)
S3 SmbDrv; C:\Windows\System32\drivers\Smb_driver_AMDASF.sys [41272 2012-09-07] (Synaptics Incorporated)
R3 SmbDrvI; C:\Windows\system32\DRIVERS\Smb_driver_Intel.sys [43832 2012-09-07] (Synaptics Incorporated)
S3 SWDUMon; C:\Windows\system32\DRIVERS\SWDUMon.sys [13920 2015-12-02] ()
S3 WdBoot; C:\Windows\system32\drivers\WdBoot.sys [44560 2015-07-07] (Microsoft Corporation)
R0 WdFilter; C:\Windows\System32\drivers\WdFilter.sys [270168 2015-07-07] (Microsoft Corporation)
S3 WdNisDrv; C:\Windows\System32\Drivers\WdNisDrv.sys [114520 2015-07-07] (Microsoft Corporation)
S3 PCDSRVC{3B54B31B-D06B6431-06020200}_0; \??\c:\program files\dell\supportassist\pcdsrvc_x64.pkms [X]

==================== NetSvcs (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)


==================== One Month Created files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2016-03-11 20:38 - 2016-03-11 20:39 - 00025146 _____ C:\Users\Barbara\Desktop\FRST.txt
2016-03-11 20:38 - 2016-03-11 20:38 - 00000000 ____D C:\FRST
2016-03-11 20:37 - 2016-03-11 20:36 - 02374144 _____ (Farbar) C:\Users\Barbara\Desktop\FRST64.exe
2016-03-11 20:29 - 2016-03-11 20:25 - 00688992 _____ (Swearware) C:\Users\Barbara\Desktop\dds.scr
2016-03-11 09:39 - 2016-03-11 20:39 - 00000316 _____ C:\WINDOWS\Tasks\PriceFountainUpdateVer.job
2016-03-11 09:39 - 2016-03-11 09:39 - 00002650 _____ C:\WINDOWS\System32\Tasks\PriceFountainUpdateVer
2016-03-11 09:39 - 2016-03-11 09:39 - 00002007 _____ C:\Users\Barbara\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Booking .lnk
2016-03-11 09:39 - 2016-03-11 09:39 - 00002001 _____ C:\Users\Barbara\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\amazon .lnk
2016-03-11 09:39 - 2016-03-11 09:39 - 00000292 _____ C:\Users\Barbara\Desktop\Booking.URL
2016-03-11 09:39 - 2016-03-11 09:39 - 00000289 _____ C:\Users\Barbara\Desktop\amazon.URL
2016-03-11 09:39 - 2016-03-11 09:39 - 00000000 ____D C:\Users\Barbara\AppData\Roaming\PriceFountainUpdateVer
2016-03-11 09:39 - 2016-03-11 09:39 - 00000000 ____D C:\Users\Barbara\AppData\Local\BlockhouseIcebreaker
2016-03-10 21:41 - 2016-03-10 21:41 - 00001165 _____ C:\Users\Public\Desktop\Mozilla Firefox.lnk
2016-03-10 15:11 - 2016-03-10 15:11 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Silverlight
2016-03-10 15:10 - 2016-03-10 15:10 - 00000000 ____D C:\Program Files\Microsoft Silverlight
2016-03-10 15:10 - 2016-03-10 15:10 - 00000000 ____D C:\Program Files (x86)\Microsoft Silverlight
2016-03-10 15:09 - 2015-01-05 21:01 - 00072192 _____ (Microsoft Corporation) C:\WINDOWS\system32\Drivers\ndproxy.sys
2016-03-10 15:09 - 2015-01-05 20:59 - 00080896 _____ (Microsoft Corporation) C:\WINDOWS\system32\Drivers\wanarp.sys
2016-03-10 15:09 - 2015-01-05 19:12 - 00185856 _____ (Microsoft Corporation) C:\WINDOWS\system32\rascfg.dll
2016-03-10 15:09 - 2015-01-05 19:02 - 00164864 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\rascfg.dll
2016-03-10 15:08 - 2016-02-20 09:45 - 01373184 _____ (Microsoft Corporation) C:\WINDOWS\system32\appraiser.dll
2016-03-10 15:08 - 2016-02-20 09:45 - 01168896 _____ (Microsoft Corporation) C:\WINDOWS\system32\aeinv.dll
2016-03-10 15:08 - 2016-02-20 09:45 - 00696832 _____ (Microsoft Corporation) C:\WINDOWS\system32\invagent.dll
2016-03-10 15:08 - 2016-02-20 09:45 - 00689152 _____ (Microsoft Corporation) C:\WINDOWS\system32\generaltel.dll
2016-03-10 15:08 - 2016-02-20 09:45 - 00499200 _____ (Microsoft Corporation) C:\WINDOWS\system32\devinv.dll
2016-03-10 15:08 - 2016-02-20 09:45 - 00076800 _____ (Microsoft Corporation) C:\WINDOWS\system32\acmigration.dll
2016-03-10 15:08 - 2016-02-05 13:06 - 00046768 _____ (Microsoft Corporation) C:\WINDOWS\system32\CompatTelRunner.exe
2016-03-10 15:08 - 2016-01-06 12:25 - 00416768 _____ (Microsoft Corporation) C:\WINDOWS\system32\Drivers\srv.sys
2016-03-10 15:08 - 2015-12-30 15:53 - 02017624 _____ (Microsoft Corporation) C:\WINDOWS\system32\Drivers\ntfs.sys
2016-03-10 15:07 - 2016-02-08 15:05 - 20352512 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\mshtml.dll
2016-03-10 15:07 - 2016-02-08 14:39 - 00496640 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\vbscript.dll
2016-03-10 15:07 - 2016-02-08 14:34 - 02280448 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\iertutil.dll
2016-03-10 15:07 - 2016-02-08 14:29 - 00099328 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\hlink.dll
2016-03-10 15:07 - 2016-02-08 14:28 - 00663552 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\jscript.dll
2016-03-10 15:07 - 2016-02-08 14:10 - 04611072 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\jscript9.dll
2016-03-10 15:07 - 2016-02-08 14:07 - 00880128 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\inetcomm.dll
2016-03-10 15:07 - 2016-02-08 14:05 - 25816576 _____ (Microsoft Corporation) C:\WINDOWS\system32\mshtml.dll
2016-03-10 15:07 - 2016-02-08 14:03 - 00230400 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\webcheck.dll
2016-03-10 15:07 - 2016-02-08 14:02 - 13012480 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\ieframe.dll
2016-03-10 15:07 - 2016-02-08 14:02 - 00687104 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\msfeeds.dll
2016-03-10 15:07 - 2016-02-08 14:01 - 02050560 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\inetcpl.cpl
2016-03-10 15:07 - 2016-02-08 13:43 - 02121216 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\wininet.dll
2016-03-10 15:07 - 2016-02-08 13:39 - 01311744 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\urlmon.dll
2016-03-10 15:07 - 2016-02-08 13:38 - 00710144 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\ieapfltr.dll
2016-03-10 15:07 - 2016-02-08 12:27 - 02887680 _____ (Microsoft Corporation) C:\WINDOWS\system32\iertutil.dll
2016-03-10 15:07 - 2016-02-08 12:26 - 00571904 _____ (Microsoft Corporation) C:\WINDOWS\system32\vbscript.dll
2016-03-10 15:07 - 2016-02-08 12:16 - 06052352 _____ (Microsoft Corporation) C:\WINDOWS\system32\jscript9.dll
2016-03-10 15:07 - 2016-02-08 12:14 - 00108544 _____ (Microsoft Corporation) C:\WINDOWS\system32\hlink.dll
2016-03-10 15:07 - 2016-02-08 12:13 - 00817664 _____ (Microsoft Corporation) C:\WINDOWS\system32\jscript.dll
2016-03-10 15:07 - 2016-02-08 11:51 - 00092160 _____ (Microsoft Corporation) C:\WINDOWS\system32\mshtmled.dll
2016-03-10 15:07 - 2016-02-08 11:42 - 01032704 _____ (Microsoft Corporation) C:\WINDOWS\system32\inetcomm.dll
2016-03-10 15:07 - 2016-02-08 11:37 - 00262144 _____ (Microsoft Corporation) C:\WINDOWS\system32\webcheck.dll
2016-03-10 15:07 - 2016-02-08 11:34 - 00798720 _____ (Microsoft Corporation) C:\WINDOWS\system32\msfeeds.dll
2016-03-10 15:07 - 2016-02-08 11:33 - 14613504 _____ (Microsoft Corporation) C:\WINDOWS\system32\ieframe.dll
2016-03-10 15:07 - 2016-02-08 11:33 - 02123264 _____ (Microsoft Corporation) C:\WINDOWS\system32\inetcpl.cpl
2016-03-10 15:07 - 2016-02-08 11:19 - 02597376 _____ (Microsoft Corporation) C:\WINDOWS\system32\wininet.dll
2016-03-10 15:07 - 2016-02-08 11:15 - 02880000 _____ (Microsoft Corporation) C:\WINDOWS\system32\actxprxy.dll
2016-03-10 15:07 - 2016-02-08 11:07 - 01546752 _____ (Microsoft Corporation) C:\WINDOWS\system32\urlmon.dll
2016-03-10 15:07 - 2016-02-08 10:55 - 00800768 _____ (Microsoft Corporation) C:\WINDOWS\system32\ieapfltr.dll
2016-03-10 15:07 - 2016-02-05 08:59 - 07784960 _____ (Microsoft Corporation) C:\WINDOWS\system32\Windows.Data.Pdf.dll
2016-03-10 15:07 - 2016-02-05 08:55 - 05264384 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\Windows.Data.Pdf.dll
2016-03-10 15:07 - 2016-02-05 08:48 - 07075840 _____ (Microsoft Corporation) C:\WINDOWS\system32\glcndFilter.dll
2016-03-10 15:07 - 2016-02-05 08:47 - 05268480 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\glcndFilter.dll
2016-03-10 15:07 - 2016-01-24 12:19 - 00419160 ____C (Microsoft Corporation) C:\WINDOWS\system32\Drivers\spaceport.sys
2016-03-10 15:07 - 2016-01-24 12:19 - 00378712 _____ (Microsoft Corporation) C:\WINDOWS\system32\Drivers\storport.sys
2016-03-10 15:07 - 2016-01-24 12:19 - 00331608 _____ (Microsoft Corporation) C:\WINDOWS\system32\Drivers\Classpnp.sys
2016-03-10 15:07 - 2016-01-24 05:57 - 01335296 _____ (Microsoft Corporation) C:\WINDOWS\system32\mispace.dll
2016-03-10 15:07 - 2016-01-24 05:45 - 01063424 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\mispace.dll
2016-03-10 15:07 - 2016-01-08 19:38 - 00091992 ____C (Microsoft Corporation) C:\WINDOWS\system32\Drivers\usbehci.sys
2016-03-10 15:07 - 2015-12-16 11:11 - 01200128 _____ (Microsoft Corporation) C:\WINDOWS\system32\Windows.Globalization.dll
2016-03-10 15:07 - 2015-12-16 10:51 - 00868864 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\Windows.Globalization.dll
2016-03-10 15:05 - 2016-02-11 08:21 - 00869576 _____ (Microsoft Corporation) C:\WINDOWS\system32\msvcr120_clr0400.dll
2016-03-10 15:05 - 2016-02-11 08:21 - 00678600 _____ (Microsoft Corporation) C:\WINDOWS\system32\msvcp120_clr0400.dll
2016-03-10 15:05 - 2016-02-11 08:20 - 00875720 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\msvcr120_clr0400.dll
2016-03-10 15:05 - 2016-02-11 08:20 - 00536776 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\msvcp120_clr0400.dll
2016-03-10 15:05 - 2016-02-06 10:58 - 00987648 _____ (Microsoft Corporation) C:\WINDOWS\system32\kerberos.dll
2016-03-10 15:05 - 2016-02-06 10:32 - 00801792 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\kerberos.dll
2016-03-10 15:05 - 2016-01-08 19:49 - 00218448 _____ (Microsoft Corporation) C:\WINDOWS\system32\rsaenh.dll
2016-03-10 15:05 - 2016-01-08 19:49 - 00192120 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\rsaenh.dll
2016-03-10 15:05 - 2016-01-06 17:46 - 00148752 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\wscapi.dll
2016-03-10 15:05 - 2016-01-06 17:45 - 00177712 _____ (Microsoft Corporation) C:\WINDOWS\system32\wscapi.dll
2016-03-10 15:05 - 2016-01-06 10:47 - 00146944 _____ (Microsoft Corporation) C:\WINDOWS\system32\wscsvc.dll
2016-03-10 15:04 - 2016-02-12 13:14 - 00136904 _____ (Microsoft Corporation) C:\WINDOWS\system32\wuauclt.exe
2016-03-10 15:04 - 2016-02-12 09:14 - 03708416 _____ (Microsoft Corporation) C:\WINDOWS\system32\wuaueng.dll
2016-03-10 15:04 - 2016-02-12 08:55 - 00409088 _____ (Microsoft Corporation) C:\WINDOWS\system32\WUSettingsProvider.dll
2016-03-10 15:04 - 2016-02-12 08:54 - 00140288 _____ (Microsoft Corporation) C:\WINDOWS\system32\wuwebv.dll
2016-03-10 15:04 - 2016-02-12 08:54 - 00095744 _____ (Microsoft Corporation) C:\WINDOWS\system32\wudriver.dll
2016-03-10 15:04 - 2016-02-12 08:54 - 00035840 _____ (Microsoft Corporation) C:\WINDOWS\system32\wuapp.exe
2016-03-10 15:04 - 2016-02-12 08:51 - 00124928 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\wuwebv.dll
2016-03-10 15:04 - 2016-02-12 08:51 - 00081920 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\wudriver.dll
2016-03-10 15:04 - 2016-02-12 08:51 - 00029696 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\wuapp.exe
2016-03-10 15:04 - 2016-02-12 08:48 - 02244096 _____ (Microsoft Corporation) C:\WINDOWS\system32\wucltux.dll
2016-03-10 15:04 - 2016-02-12 08:47 - 00897024 _____ (Microsoft Corporation) C:\WINDOWS\system32\wuapi.dll
2016-03-10 15:04 - 2016-02-12 08:46 - 00726528 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\wuapi.dll
2016-03-10 15:04 - 2016-02-06 12:08 - 00031744 _____ (Microsoft Corporation) C:\WINDOWS\system32\seclogon.dll
2016-03-10 15:04 - 2016-02-05 13:07 - 00292696 _____ (Microsoft Corporation) C:\WINDOWS\system32\WMASF.DLL
2016-03-10 15:04 - 2016-02-05 13:07 - 00243032 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\WMASF.DLL
2016-03-10 15:04 - 2016-02-05 09:03 - 15432704 _____ (Microsoft Corporation) C:\WINDOWS\system32\wmp.dll
2016-03-10 15:04 - 2016-02-05 09:00 - 13318144 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\wmp.dll
2016-03-10 15:04 - 2016-02-03 14:37 - 01661576 _____ (Microsoft Corporation) C:\WINDOWS\system32\ole32.dll
2016-03-10 15:04 - 2016-02-03 14:36 - 01212248 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\ole32.dll
2016-03-10 15:04 - 2016-02-03 09:09 - 00086016 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\olepro32.dll
2016-03-10 15:04 - 2016-02-03 09:00 - 00091136 _____ (Microsoft Corporation) C:\WINDOWS\system32\asycfilt.dll
2016-03-10 15:04 - 2016-02-03 09:00 - 00077824 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\asycfilt.dll
2016-03-10 15:04 - 2016-01-10 10:41 - 01707008 _____ (Microsoft Corporation) C:\WINDOWS\system32\comsvcs.dll
2016-03-10 15:04 - 2016-01-10 10:31 - 01344512 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\comsvcs.dll
2016-03-10 15:04 - 2015-12-30 14:49 - 00470360 _____ (Microsoft Corporation) C:\WINDOWS\system32\Drivers\netio.sys
2016-03-10 15:04 - 2015-11-19 08:33 - 00994760 _____ (Microsoft Corporation) C:\WINDOWS\system32\ucrtbase.dll
2016-03-10 15:04 - 2015-11-19 08:26 - 00922432 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\ucrtbase.dll
2016-03-10 15:03 - 2016-02-04 12:18 - 04174336 _____ (Microsoft Corporation) C:\WINDOWS\system32\win32k.sys
2016-03-10 15:03 - 2016-02-04 12:18 - 00358912 _____ (Adobe Systems Incorporated) C:\WINDOWS\system32\atmfd.dll
2016-03-10 15:03 - 2016-02-04 12:12 - 00044032 _____ (Adobe Systems) C:\WINDOWS\system32\atmlib.dll
2016-03-10 15:03 - 2016-02-04 11:44 - 00301568 _____ (Adobe Systems Incorporated) C:\WINDOWS\SysWOW64\atmfd.dll
2016-03-10 15:03 - 2016-02-04 11:39 - 00035840 _____ (Adobe Systems) C:\WINDOWS\SysWOW64\atmlib.dll
2016-03-10 15:03 - 2016-02-04 11:24 - 00603648 _____ (Microsoft Corporation) C:\WINDOWS\system32\mfds.dll
2016-03-10 15:03 - 2016-02-04 11:02 - 00483328 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\mfds.dll
2016-03-10 15:03 - 2016-01-31 13:16 - 00148832 ____C (Microsoft Corporation) C:\WINDOWS\system32\Drivers\USBSTOR.SYS
2016-03-10 15:03 - 2015-12-20 08:57 - 00839168 _____ (Microsoft Corporation) C:\WINDOWS\system32\netlogon.dll
2016-03-10 15:03 - 2015-12-20 08:56 - 00616960 _____ (Microsoft Corporation) C:\WINDOWS\system32\msra.exe
2016-03-10 15:03 - 2015-12-20 08:43 - 00696320 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\netlogon.dll
2016-03-10 15:03 - 2015-04-30 19:13 - 06521800 _____ (Microsoft Corporation) C:\WINDOWS\system32\sppsvc.exe
2016-03-10 15:03 - 2015-04-30 19:13 - 01488000 _____ (Microsoft Corporation) C:\WINDOWS\system32\sppobjs.dll
2016-03-10 15:03 - 2015-04-30 19:13 - 00261376 _____ (Microsoft Corporation) C:\WINDOWS\system32\sppwinob.dll
2016-03-10 15:02 - 2016-01-15 10:56 - 02487296 _____ (Microsoft Corporation) C:\WINDOWS\system32\storagewmi.dll
2016-03-10 15:02 - 2016-01-15 10:45 - 01482240 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\storagewmi.dll
2016-03-10 15:02 - 2016-01-05 09:00 - 00570880 _____ (Microsoft Corporation) C:\WINDOWS\system32\winlogon.exe
2016-03-10 15:02 - 2015-06-09 16:39 - 00081920 ____C (Microsoft Corporation) C:\WINDOWS\system32\Drivers\BTHUSB.SYS
2016-03-10 15:02 - 2015-06-09 16:39 - 00053248 ____C (Microsoft Corporation) C:\WINDOWS\system32\Drivers\bthenum.sys
2016-03-10 15:02 - 2015-06-09 16:38 - 01201664 ____C (Microsoft Corporation) C:\WINDOWS\system32\Drivers\bthport.sys
2016-03-10 14:58 - 2016-03-10 14:58 - 00004020 _____ C:\WINDOWS\System32\Tasks\Intel Security DAT Reputation (AMCore) Post DAT update endpoint safety pulse
2016-03-10 13:28 - 2016-03-10 14:28 - 00192216 _____ (Malwarebytes) C:\WINDOWS\system32\Drivers\MBAMSwissArmy.sys
2016-03-10 13:28 - 2016-03-10 13:28 - 00001120 _____ C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2016-03-10 13:28 - 2016-03-10 13:28 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes Anti-Malware
2016-03-10 13:27 - 2016-03-10 13:28 - 00000000 ____D C:\Program Files (x86)\Malwarebytes Anti-Malware
2016-03-10 13:27 - 2016-03-10 13:27 - 00000000 ____D C:\ProgramData\Malwarebytes
2016-03-10 13:27 - 2015-10-05 09:50 - 00109272 _____ (Malwarebytes) C:\WINDOWS\system32\Drivers\mbamchameleon.sys
2016-03-10 13:27 - 2015-10-05 09:50 - 00064216 _____ (Malwarebytes Corporation) C:\WINDOWS\system32\Drivers\mwac.sys
2016-03-10 13:27 - 2015-10-05 09:50 - 00025816 _____ (Malwarebytes) C:\WINDOWS\system32\Drivers\mbam.sys
2016-03-10 10:35 - 2016-03-11 09:22 - 00003846 _____ C:\WINDOWS\System32\Tasks\Intel Security DAT Reputation (AMCore) periodic endpoint safety pulse
2016-03-08 12:16 - 2016-03-08 12:16 - 00010572 _____ C:\Users\Barbara\Documents\Soldiers Tale 03 19 16.xlsx
2016-03-07 15:46 - 2016-03-07 15:47 - 04728048 _____ () C:\Users\Barbara\Downloads\adblockplusie-1.0.exe
2016-03-07 14:58 - 2016-03-07 14:58 - 00000728 _____ C:\Users\Barbara\Documents\McAfee.txt
2016-03-07 14:40 - 2016-03-07 20:21 - 00000000 ____D C:\Program Files (x86)\LogMeIn Rescue RC - c1dc7e2b-d1f7-4b4e-9354-6f88a52d7511
2016-03-07 14:40 - 2016-03-07 14:40 - 00000248 _____ C:\rescue.info
2016-03-07 14:38 - 2016-03-07 14:59 - 00000000 ____D C:\Users\Barbara\AppData\Local\LogMeIn Rescue Applet
2016-03-07 14:37 - 2016-03-07 14:37 - 01616424 _____ (LogMeIn, Inc.) C:\Users\Barbara\Downloads\Support-LogMeInRescue(1).exe
2016-03-07 14:14 - 2016-03-07 14:14 - 01616424 _____ (LogMeIn, Inc.) C:\Users\Barbara\Downloads\Support-LogMeInRescue.exe
2016-03-06 17:29 - 2016-03-06 17:29 - 02372464 _____ (McAfee, Inc.) C:\Users\Barbara\Downloads\ProductDetection.exe
2016-03-05 09:17 - 2016-03-05 09:17 - 00020111 _____ C:\Users\Barbara\Downloads\Share a Song 2016.odt
2016-03-03 21:11 - 2016-03-07 20:21 - 00000000 ____D C:\Program Files\Reimage
2016-03-03 21:09 - 2016-03-03 21:09 - 00772016 _____ (Reimage®) C:\Users\Barbara\Downloads\ReimageRepair.exe
2016-03-03 21:09 - 2016-03-03 21:09 - 00772016 _____ (Reimage®) C:\Users\Barbara\Downloads\ReimageRepair (1).exe
2016-03-03 12:29 - 2016-03-07 20:21 - 00000000 ____D C:\ProgramData\86addbf5
2016-02-13 16:10 - 2016-03-10 21:40 - 00000000 ____D C:\Program Files (x86)\Mozilla Firefox
2016-02-10 22:17 - 2016-01-22 02:01 - 22365992 _____ (Microsoft Corporation) C:\WINDOWS\system32\shell32.dll
2016-02-10 22:17 - 2016-01-22 01:11 - 19794896 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\shell32.dll
2016-02-10 22:17 - 2016-01-21 23:25 - 14467072 _____ (Microsoft Corporation) C:\WINDOWS\system32\twinui.dll
2016-02-10 22:17 - 2016-01-21 23:14 - 12879360 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\twinui.dll
2016-02-10 22:17 - 2016-01-21 23:07 - 02778624 _____ (Microsoft Corporation) C:\WINDOWS\system32\authui.dll
2016-02-10 22:17 - 2016-01-21 22:58 - 02464256 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\authui.dll
2016-02-10 22:17 - 2016-01-10 11:50 - 00062464 _____ (Microsoft Corporation) C:\WINDOWS\system32\cfgbkend.dll
2016-02-10 22:17 - 2016-01-10 11:31 - 00162304 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\msorcl32.dll
2016-02-10 22:17 - 2016-01-10 11:16 - 00898048 _____ (Microsoft Corporation) C:\WINDOWS\system32\CPFilters.dll
2016-02-10 22:17 - 2016-01-10 11:14 - 00048640 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\cfgbkend.dll
2016-02-10 22:17 - 2016-01-10 11:12 - 00532480 _____ (Microsoft Corporation) C:\WINDOWS\system32\EncDec.dll
2016-02-10 22:17 - 2016-01-10 10:58 - 00166400 _____ (Microsoft Corporation) C:\WINDOWS\system32\mtxoci.dll
2016-02-10 22:17 - 2016-01-10 10:51 - 00702976 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\CPFilters.dll
2016-02-10 22:17 - 2016-01-10 10:49 - 00443392 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\EncDec.dll
2016-02-10 22:17 - 2016-01-10 10:40 - 00116736 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\mtxoci.dll
2016-02-10 22:16 - 2016-01-10 13:37 - 00442720 _____ (Microsoft Corporation) C:\WINDOWS\system32\msv1_0.dll
2016-02-10 22:16 - 2016-01-10 12:39 - 00332640 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\msv1_0.dll
2016-02-10 22:16 - 2016-01-10 12:15 - 00401920 _____ (Microsoft Corporation) C:\WINDOWS\system32\Drivers\mrxsmb.sys
2016-02-10 22:16 - 2016-01-10 12:15 - 00202240 _____ (Microsoft Corporation) C:\WINDOWS\system32\Drivers\mrxsmb20.sys
2016-02-10 22:16 - 2016-01-10 11:43 - 00445440 _____ (Microsoft Corporation) C:\WINDOWS\system32\certcli.dll
2016-02-10 22:16 - 2016-01-10 11:09 - 01442304 _____ (Microsoft Corporation) C:\WINDOWS\system32\lsasrv.dll
2016-02-10 22:16 - 2016-01-10 11:09 - 00324096 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\certcli.dll
2016-02-10 22:16 - 2016-01-10 10:56 - 00186880 _____ (Microsoft Corporation) C:\WINDOWS\system32\dpapisrv.dll
2016-02-10 22:15 - 2016-01-19 13:14 - 07453024 _____ (Microsoft Corporation) C:\WINDOWS\system32\ntoskrnl.exe
2016-02-10 22:15 - 2016-01-19 13:13 - 02175008 _____ (Microsoft Corporation) C:\WINDOWS\system32\combase.dll
2016-02-10 22:15 - 2016-01-19 13:13 - 01063464 _____ (Microsoft Corporation) C:\WINDOWS\system32\WinTypes.dll
2016-02-10 22:15 - 2016-01-19 13:12 - 01737088 _____ (Microsoft Corporation) C:\WINDOWS\system32\ntdll.dll
2016-02-10 22:15 - 2016-01-19 13:12 - 01133744 _____ (Microsoft Corporation) C:\WINDOWS\system32\KernelBase.dll
2016-02-10 22:15 - 2016-01-19 12:23 - 01564496 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\combase.dll
2016-02-10 22:15 - 2016-01-19 12:23 - 01501496 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\ntdll.dll
2016-02-10 22:15 - 2016-01-19 12:23 - 00548024 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\WinTypes.dll
2016-02-10 22:15 - 2016-01-19 12:15 - 00246784 _____ (Microsoft Corporation) C:\WINDOWS\system32\microsoft-windows-system-events.dll
2016-02-10 22:15 - 2016-01-19 11:30 - 00862720 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\KernelBase.dll
2016-02-10 22:15 - 2016-01-19 10:37 - 00267776 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\wincorlib.dll
2016-02-10 22:15 - 2016-01-06 12:25 - 00140800 _____ (Microsoft Corporation) C:\WINDOWS\system32\Drivers\mrxdav.sys
2016-02-10 22:15 - 2015-12-28 15:42 - 00713216 _____ (Microsoft Corporation) C:\WINDOWS\system32\WinSync.dll
2016-02-10 22:15 - 2015-12-28 14:31 - 00578048 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\WinSync.dll
2016-02-10 22:14 - 2015-12-17 12:29 - 00131584 _____ (Microsoft Corporation) C:\WINDOWS\system32\rdpudd.dll
2016-02-10 22:14 - 2015-12-17 10:17 - 03547648 _____ (Microsoft Corporation) C:\WINDOWS\system32\rdpcorets.dll

==================== One Month Modified files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2016-03-11 20:35 - 2014-04-20 19:00 - 00000000 ____D C:\Users\Barbara\AppData\Roaming\ClassicShell
2016-03-11 20:34 - 2015-09-02 12:30 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\McAfee
2016-03-11 20:32 - 2014-03-18 04:03 - 00865408 _____ C:\WINDOWS\system32\PerfStringBackup.INI
2016-03-11 20:32 - 2013-08-22 07:36 - 00000000 ____D C:\WINDOWS\Inf
2016-03-11 20:32 - 2013-08-06 08:20 - 00003598 _____ C:\WINDOWS\System32\Tasks\Optimize Start Menu Cache Files-S-1-5-21-3522491794-3342697391-1839454013-1002
2016-03-11 20:28 - 2015-03-03 15:18 - 00000292 _____ C:\WINDOWS\Tasks\dsmonitor.job
2016-03-11 20:28 - 2013-07-02 04:48 - 00000000 ____D C:\Program Files (x86)\Dell Backup and Recovery
2016-03-11 20:27 - 2014-06-20 14:36 - 00000000 __SHD C:\Users\Barbara\IntelGraphicsProfiles
2016-03-11 11:25 - 2014-05-02 06:02 - 00000830 _____ C:\WINDOWS\Tasks\Adobe Flash Player Updater.job
2016-03-11 09:26 - 2014-06-20 14:39 - 00003930 _____ C:\WINDOWS\System32\Tasks\User_Feed_Synchronization-{AB9A98D0-A7B1-4E4F-8D6A-FA41091254E0}
2016-03-11 09:26 - 2013-08-06 09:26 - 00000000 ____D C:\Program Files (x86)\McAfee
2016-03-10 21:41 - 2014-04-29 13:45 - 00001177 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Mozilla Firefox.lnk
2016-03-10 21:40 - 2014-04-29 13:45 - 00000000 ____D C:\Program Files (x86)\Mozilla Maintenance Service
2016-03-10 18:27 - 2012-07-26 01:59 - 00000000 ____D C:\WINDOWS\CbsTemp
2016-03-10 16:38 - 2013-08-22 09:36 - 00000000 ____D C:\WINDOWS\rescache
2016-03-10 16:03 - 2013-08-22 08:45 - 00000006 ____H C:\WINDOWS\Tasks\SA.DAT
2016-03-10 16:02 - 2013-08-22 08:44 - 00515384 _____ C:\WINDOWS\system32\FNTCACHE.DAT
2016-03-10 15:58 - 2014-12-10 14:44 - 00000000 ____D C:\WINDOWS\system32\appraiser
2016-03-10 15:16 - 2013-08-16 13:32 - 00000000 ____D C:\WINDOWS\system32\MRT
2016-03-10 15:16 - 2013-08-07 09:27 - 143659408 _____ (Microsoft Corporation) C:\WINDOWS\system32\MRT.exe
2016-03-10 15:06 - 2015-12-09 19:28 - 00718336 _____ (Microsoft Corporation) C:\WINDOWS\system32\ie4uinit.exe
2016-03-10 15:06 - 2015-12-09 19:28 - 00372224 _____ (Microsoft Corporation) C:\WINDOWS\system32\iedkcs32.dll
2016-03-10 15:06 - 2015-12-09 19:28 - 00325632 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\iedkcs32.dll
2016-03-10 14:25 - 2014-05-02 06:02 - 00003718 _____ C:\WINDOWS\System32\Tasks\Adobe Flash Player Updater
2016-03-10 14:18 - 2014-03-11 11:37 - 00000000 ____D C:\Users\Barbara\AppData\Local\ElevatedDiagnostics
2016-03-10 14:06 - 2013-08-22 07:25 - 00524288 ___SH C:\WINDOWS\system32\config\BBI
2016-03-10 14:04 - 2015-03-05 12:38 - 00000258 __RSH C:\ProgramData\ntuser.pol
2016-03-10 14:00 - 2015-03-03 15:04 - 00000000 ____D C:\Users\Barbara\AppData\Local\SmartWeb
2016-03-10 14:00 - 2012-07-26 02:12 - 00000000 ____D C:\WINDOWS\SchCache
2016-03-10 13:57 - 2015-03-04 16:23 - 00000000 ____D C:\ProgramData\Browser
2016-03-10 13:39 - 2015-10-31 11:26 - 00002457 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Acrobat Reader DC.lnk
2016-03-09 14:14 - 2016-01-27 11:19 - 00000000 ___RD C:\Users\Barbara\Documents\Scanned Documents
2016-03-09 14:02 - 2013-08-22 09:36 - 00000000 ___HD C:\Program Files\WindowsApps
2016-03-09 14:02 - 2013-08-22 09:36 - 00000000 ____D C:\WINDOWS\AppReadiness
2016-03-08 16:49 - 2015-06-28 13:07 - 00003064 _____ C:\WINDOWS\System32\Tasks\McAfeeLogon
2016-03-08 16:49 - 2015-06-28 13:07 - 00000000 ____D C:\WINDOWS\System32\Tasks\McAfee
2016-03-08 12:19 - 2013-08-22 07:25 - 00262144 ___SH C:\WINDOWS\system32\config\ELAM
2016-03-08 01:00 - 2015-03-10 15:28 - 00829944 _____ (Adobe Systems Incorporated) C:\WINDOWS\SysWOW64\FlashPlayerApp.exe
2016-03-08 01:00 - 2015-03-10 15:28 - 00176632 _____ (Adobe Systems Incorporated) C:\WINDOWS\SysWOW64\FlashPlayerCPLApp.cpl
2016-03-07 20:20 - 2015-04-15 20:48 - 00000000 ___SD C:\WINDOWS\SysWOW64\GWX
2016-03-07 20:20 - 2015-04-15 20:48 - 00000000 ___SD C:\WINDOWS\system32\GWX
2016-03-07 20:20 - 2015-02-16 20:17 - 00000000 ____D C:\Users\Barbara\AppData\LocalLow\Inbox Toolbar
2016-03-07 20:20 - 2013-08-22 07:36 - 00000000 ____D C:\WINDOWS\system32\Sysprep
2016-03-07 20:08 - 2013-08-22 09:36 - 00000000 ____D C:\WINDOWS\registration
2016-03-07 15:01 - 2013-07-02 04:52 - 00000000 ____D C:\ProgramData\PCDr
2016-03-07 14:45 - 2016-02-05 20:10 - 00000150 _____ C:\WINDOWS\Reimage.ini
2016-03-06 14:15 - 2013-08-22 09:36 - 00000000 ____D C:\WINDOWS\system32\NDF
2016-03-02 14:26 - 2013-07-02 04:53 - 00000000 ____D C:\ProgramData\McAfee
2016-02-19 09:38 - 2013-12-14 11:52 - 00000000 ____D C:\Users\Barbara\AppData\Roaming\Skype
2016-02-19 09:38 - 2013-12-14 11:52 - 00000000 ____D C:\ProgramData\Skype
2016-02-17 12:52 - 2015-07-21 09:51 - 00003348 _____ C:\WINDOWS\System32\Tasks\McAfee Remediation (Prepare)
2016-02-10 22:33 - 2014-03-18 03:45 - 00000000 ____D C:\Program Files\Windows Journal
2016-02-10 22:33 - 2013-08-22 09:36 - 00000000 ___RD C:\WINDOWS\ToastData

==================== Files in the root of some directories =======

2015-03-07 11:03 - 2015-03-07 11:03 - 0000017 _____ () C:\Users\Barbara\AppData\Local\resmon.resmoncfg
2013-07-02 04:42 - 2013-07-02 04:43 - 0000119 _____ () C:\ProgramData\{1FBF6C24-C1fD-4101-A42B-0C564F9E8E79}.log
2013-07-02 04:38 - 2013-07-02 04:39 - 0000106 _____ () C:\ProgramData\{2A87D48D-3FDF-41fd-97CD-A1E370EFFFE2}.log
2013-07-02 04:39 - 2013-07-02 04:40 - 0000111 _____ () C:\ProgramData\{B0B4F6D2-F2AE-451A-9496-6F2F6A897B32}.log
2013-07-02 04:37 - 2013-07-02 04:38 - 0000107 _____ () C:\ProgramData\{C59C179C-668D-49A9-B6EA-0121CCFC1243}.log
2013-07-02 04:40 - 2013-07-02 04:42 - 0000108 _____ () C:\ProgramData\{DEC235ED-58A4-4517-A278-C41E8DAEAB3B}.log

Some files in TEMP:
====================
C:\Users\Barbara\AppData\Local\Temp\BallastExistent.dll
C:\Users\Barbara\AppData\Local\Temp\BingSvc.exe
C:\Users\Barbara\AppData\Local\Temp\BSvcProcessor.exe
C:\Users\Barbara\AppData\Local\Temp\BSvcUpdater.exe
C:\Users\Barbara\AppData\Local\Temp\DefaultPack.EXE
C:\Users\Barbara\AppData\Local\Temp\ReimageExpressSetup.exe
C:\Users\Barbara\AppData\Local\Temp\ReimagePackage.exe
C:\Users\Barbara\AppData\Local\Temp\sqlite3.exe


==================== Bamital & volsnap =================

(There is no automatic fix for files that do not pass verification.)

C:\WINDOWS\system32\winlogon.exe => File is digitally signed
C:\WINDOWS\system32\wininit.exe => File is digitally signed
C:\WINDOWS\explorer.exe => File is digitally signed
C:\WINDOWS\SysWOW64\explorer.exe => File is digitally signed
C:\WINDOWS\system32\svchost.exe => File is digitally signed
C:\WINDOWS\SysWOW64\svchost.exe => File is digitally signed
C:\WINDOWS\system32\services.exe => File is digitally signed
C:\WINDOWS\system32\User32.dll => File is digitally signed
C:\WINDOWS\SysWOW64\User32.dll => File is digitally signed
C:\WINDOWS\system32\userinit.exe => File is digitally signed
C:\WINDOWS\SysWOW64\userinit.exe => File is digitally signed
C:\WINDOWS\system32\rpcss.dll => File is digitally signed
C:\WINDOWS\system32\dnsapi.dll => File is digitally signed
C:\WINDOWS\SysWOW64\dnsapi.dll => File is digitally signed
C:\WINDOWS\system32\Drivers\volsnap.sys => File is digitally signed


LastRegBack: 2016-03-10 16:14

==================== End of FRST.txt ============================
Attached Files
File Type: txt Addition.txt (31.9 KB, 285 views)
atrdriver is offline  
Old 03-14-2016, 12:18 PM   #2
Security Team
Moderator, Analyst
Rangemaster, TSF Academy

Microsoft Most Valuable Professional
 
Join Date: Oct 2007
Location: Georgia
Posts: 29,790
OS: XP/Win7/Win10



Hello and Welcome to TSF.

If you haven't already, please Subscribe to this Thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant notification by email, then click Add Subscription.

Please note that the forum is very busy and if I don't hear from you within three days this thread will be closed.

------------------------------------------------------

**Note - Please do NOT upgrade your OS to Windows 10 until your machine is clean, and we have uninstalled all our removal tools. Thanks.

------------------------------------------------------

Please note that these fixes are not instantaneous. Most infections require more than one round to properly eradicate.

Please stay with me until given the 'all clear' even if symptoms seemingly abate.

Kindly follow my instructions and please do no fixing on your own or running of scanners unless requested by a helper.

------------------------------------------------------

If there are any personal files, pics, etc. on your computer you cannot live without, back them up now just as a precaution.

What happened to Backup and Restore? - Windows Help

------------------------------------------------------

Please download AdwCleaner from here and save it to your desktop.
  • Run AdwCleaner and select Scan
  • Once the Scan is done, select Cleaning
  • Once done it will ask to reboot, please allow the reboot.
  • On reboot, a log will be produced. It can also be found at C:\AdwCleaner\AdwCleaner[C#].txt
  • Please copy/paste the contents of the log in your next reply.
------------------------------------------------------
__________________
Our services are free, but you may contribute to the author of ComboFix via PayPal

Proud member of UNITE

Microsoft MVP - Consumer Security 2014, 2015
chemist is offline  
Old 03-14-2016, 01:08 PM   #3
Registered Member
 
Join Date: Apr 2013
Posts: 81
OS: Win7 SP1 64 bit



The log file was actually under C:\Program Files (x86)\AdwCleaner, but here it is...

BTW, I couldn't edit my original post and didn't want to add a reply to it, but I do not have a Windows 8 disk for this machine, although there is a recovery partition on it.



# AdwCleaner v5.102 - Logfile created 14/03/2016 at 14:59:56
# Updated 13/03/2016 by Xplode
# Database : 2016-03-13.2 [Local]
# Operating system : Windows 8.1 (x64)
# Username : Barbara - BARBARA
# Running from : C:\Users\Barbara\Desktop\AdwCleaner.exe
# Option : Clean
# Support : ToolsLib - Forum: Ask for help or share your experience.

***** [ Services ] *****

[-] Service Deleted : swdumon

***** [ Folders ] *****

[-] Folder Deleted : C:\Program Files\Reimage
[-] Folder Deleted : C:\Program Files (x86)\Smart Driver Updater
[-] Folder Deleted : C:\Program Files (x86)\Uniblue
[-] Folder Deleted : C:\ProgramData\Browser
[-] Folder Deleted : C:\ProgramData\NetEngine
[-] Folder Deleted : C:\ProgramData\86addbf5
[-] Folder Deleted : C:\Users\Barbara\AppData\Local\iac
[-] Folder Deleted : C:\Users\Barbara\AppData\Local\SmartWeb
[-] Folder Deleted : C:\Users\Barbara\AppData\LocalLow\iac
[-] Folder Deleted : C:\Users\Barbara\AppData\LocalLow\Inbox Toolbar
[-] Folder Deleted : C:\Users\Barbara\AppData\Roaming\Uniblue

***** [ Files ] *****

[-] File Deleted : C:\Users\Barbara\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\driverscanner.lnk
[-] File Deleted : C:\Users\Barbara\AppData\Roaming\Mozilla\Firefox\Profiles\viwepmb2.default\searchplugins\palikan.xml
[-] File Deleted : C:\WINDOWS\Reimage.ini
[-] File Deleted : C:\WINDOWS\SysNative\drivers\swdumon.sys

***** [ DLLs ] *****


***** [ Shortcuts ] *****


***** [ Scheduled tasks ] *****

[-] Task Deleted : dsmonitor

***** [ Registry ] *****

[-] Key Deleted : HKLM\SOFTWARE\Classes\AppID\REI_AxControl.DLL
[-] Key Deleted : HKLM\SOFTWARE\Classes\PROTOCOLS\handler\inbox
[-] Key Deleted : HKLM\SOFTWARE\Classes\AppID\{28FF42B8-A0DA-4BE5-9B81-E26DD59B350A}
[-] Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{6E993643-8FBC-44FE-BC85-D318495C4D96}
[-] Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{A2970C7C-8392-4E6F-8B51-B763CF38E13C}
[-] Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{B33BD6CF-BF4C-4CF0-AC84-B2974BC14ABD}
[-] Key Deleted : HKLM\SOFTWARE\Classes\Interface\{B8445FED-900C-4137-AD15-DDD2F6306B62}
[-] Key Deleted : HKLM\SOFTWARE\Classes\Interface\{9BB31AD8-5DB2-459E-A901-DEA536F23BA4}
[-] Key Deleted : HKLM\SOFTWARE\Classes\Interface\{BD51A48E-EB5F-4454-8774-EF962DF64546}
[-] Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{FA6468D2-FAA4-4951-A53B-2A5CF9CC0A36}
[-] Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{9522B3FB-7A2B-4646-8AF6-36E7F593073C}
[-] Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{10ECCE17-29B5-4880-A8F5-EAD298611484}
[-] Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{9522B3FB-7A2B-4646-8AF6-36E7F593073C}
[-] Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{2F4D7835-42B0-4BA7-9587-1B01393F78EE}
[-] Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{6C1B9042-3D32-49A1-916B-0AA3A9CDDFD6}
[-] Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{2FF49ED5-A3EF-410B-918E-97DECEB5996D}
[-] Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{9522B3FB-7A2B-4646-8AF6-36E7F593073C}
[-] Key Deleted : [x64] HKLM\SOFTWARE\Classes\CLSID\{10ECCE17-29B5-4880-A8F5-EAD298611484}
[-] Key Deleted : [x64] HKLM\SOFTWARE\Classes\CLSID\{801B440B-1EE3-49B0-B05D-2AB076D4E8CB}
[-] Key Deleted : [x64] HKLM\SOFTWARE\Classes\CLSID\{A2970C7C-8392-4E6F-8B51-B763CF38E13C}
[-] Key Deleted : [x64] HKLM\SOFTWARE\Classes\CLSID\{B33BD6CF-BF4C-4CF0-AC84-B2974BC14ABD}
[-] Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{0FCE4F01-64EC-42F1-83E1-1E08D38605D2}
[-] Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{1A2A195A-A0F9-4006-AF02-3F05EEFDE792}
[-] Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{23119123-0854-469D-807A-171568457991}
[-] Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{30CBDB40-5B21-481B-A09B-F87CEF73F020}
[-] Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{3AE76A17-C344-4A83-81CE-65EFEE41E42D}
[-] Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{4C0A69B0-CE97-42B7-86FC-08280C99C74D}
[-] Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{4E9EB4D5-C929-4005-AC62-1856B1DA5A24}
[-] Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{8FAF962C-3EDE-405E-B1D0-62B8235C6044}
[-] Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{952EEDFD-A98B-4670-9BDD-3634C8846FC1}
[-] Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{C1F5E799-B218-4C32-B189-3C389BA140BB}
[-] Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{F60C9408-3110-4C98-A139-ABE1EE1111DD}
[-] Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{B8445FED-900C-4137-AD15-DDD2F6306B62}
[-] Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{9BB31AD8-5DB2-459E-A901-DEA536F23BA4}
[-] Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{BD51A48E-EB5F-4454-8774-EF962DF64546}
[-] Key Deleted : HKCU\Software\Browser
[-] Key Deleted : HKCU\Software\PRODUCTSETUP
[-] Key Deleted : HKCU\Software\Reimage
[-] Key Deleted : HKCU\Software\Winferno
[-] Key Deleted : HKCU\Software\Local AppWizard-Generated Applications\Reimage - Windows Problem Relief.
[-] Key Deleted : HKLM\SOFTWARE\SLIMWARE UTILITIES, INC.
[-] Key Deleted : HKLM\SOFTWARE\SlimWare Utilities Inc
[-] Key Deleted : HKLM\SOFTWARE\SpeedBrowser
[-] Key Deleted : HKLM\SOFTWARE\Uniblue
[-] Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\PriceFountain
[-] Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{C2F8CA82-2BD9-4513-B2D1-08A47914C1DA}_is1
[-] Key Deleted : [x64] HKLM\SOFTWARE\Reimage
[-] Key Deleted : HKU\.DEFAULT\Software\Browser
[-] Key Deleted : HKU\S-1-5-19\Software\Browser
[-] Key Deleted : HKU\S-1-5-20\Software\Browser
[-] Data Restored : HKCU\Software\Microsoft\Internet Explorer\Main [Start Page]
[-] Data Restored : HKU\S-1-5-21-3522491794-3342697391-1839454013-1002\Software\Microsoft\Internet Explorer\Main [Start Page]
[-] Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{6586d803-df30-46d3-a89a-4136c8571d45}
[-] Data Restored : HKCU\Software\Microsoft\Internet Explorer\SearchScopes [DefaultScope]
[-] Data Restored : HKU\S-1-5-21-3522491794-3342697391-1839454013-1002\Software\Microsoft\Internet Explorer\SearchScopes [DefaultScope]
[-] Key Deleted : HKCU\Software\Microsoft\Internet Explorer\DOMStorage\palikan.com
[-] Key Deleted : HKCU\Software\Microsoft\Internet Explorer\DOMStorage\reimageplus.com
[-] Key Deleted : HKCU\Software\Microsoft\Internet Explorer\DOMStorage\Online Computer Repair | Reimage PC Repair | Windows Repair | Reimageplus.com
[-] Key Deleted : HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\akamaihd.net
[-] Key Deleted : HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\ask.com
[-] Key Deleted : HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\bestpriceninja.com
[-] Key Deleted : HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\biggamecountdown.dl.tb.ask.com
[-] Key Deleted : HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\bringmesports.dl.tb.ask.com
[-] Key Deleted : HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\dotomi.com
[-] Key Deleted : HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\eshopcomp.com
[-] Key Deleted : HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\home.tb.ask.com
[-] Key Deleted : HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\mp.weixin.qq.com
[-] Key Deleted : HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\nps.pastaleads.com
[-] Key Deleted : HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\palikan.com
[-] Key Deleted : HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\pastaleads.com
[-] Key Deleted : HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\pricepeep.net
[-] Key Deleted : HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\pstatic.bestpriceninja.com
[-] Key Deleted : HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\pstatic.eshopcomp.com
[-] Key Deleted : HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\qq.com
[-] Key Deleted : HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\re-markable.net
[-] Key Deleted : HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\re-markit.co
[-] Key Deleted : HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\shopathome.com
[-] Key Deleted : HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\static.pricepeep00.pricepeep.net
[-] Key Deleted : HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\static.re-markable00.re-markable.net
[-] Key Deleted : HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\static.re-markit00.re-markit.co
[-] Key Deleted : HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\superfish.com
[-] Key Deleted : HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\televisionfanatic.dl.tb.ask.com
[-] Key Deleted : HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\webunited-a.akamaihd.net
[-] Key Deleted : HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\Ask.com - What's Your Question?
[-] Value Deleted : HKU\S-1-5-21-3522491794-3342697391-1839454013-1002\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run [CFO]

***** [ Web browsers ] *****

[-] [C:\Users\Barbara\AppData\Roaming\Mozilla\Firefox\Profiles\viwepmb2.default\prefs.js] [Preference] Deleted : user_pref("browser.search.defaultenginename", "Palikan");
[-] [C:\Users\Barbara\AppData\Roaming\Mozilla\Firefox\Profiles\viwepmb2.default\prefs.js] [Preference] Deleted : user_pref("browser.search.selectedEngine", "Palikan");
[-] [C:\Users\Barbara\AppData\Roaming\Mozilla\Firefox\Profiles\viwepmb2.default\prefs.js] [Preference] Deleted : user_pref("browser.startup.homepage", "hxxp://www.palikan.com/?f=1&a=plk_coinisrs_16_10&cd=2XzuyEtN2Y1L1QzuyBzzyEyD0CyE0B0EyE0A0F0F0B0EyEyEtN0D0Tzu0StCyDtAtCtN1L2XzutAtFtCzztFtCtFyDtN1L1Czu1TtN1L1G1B1[...]

*************************

:: "Tracing" keys removed
:: Winsock settings cleared

*************************

C:\Program Files (x86)\AdwCleaner\AdwCleaner[C1].txt - [10186 bytes] - [14/03/2016 14:59:56]
C:\Program Files (x86)\AdwCleaner\AdwCleaner[S1].txt - [11420 bytes] - [14/03/2016 14:57:28]

########## EOF - C:\Program Files (x86)\AdwCleaner\AdwCleaner[C1].txt - [10374 bytes] ##########
atrdriver is offline

Old 03-14-2016, 04:17 PM   #4
chemist
Security Team, Moderator, Analyst, Rangemaster, TSF Academy
Microsoft Most Valuable Professional
Join Date: Oct 2007
Location: Georgia
Posts: 29,790
OS: XP/Win7/Win10

Hello again, atrdriver.
  • Open Notepad (Start > All Programs > Accessories > Notepad).
  • Please copy all the text in the codebox below. (To do this highlight the contents of the box, right-click on it and select Copy. Right-click in the open Notepad and select Paste).
  • Save it as fixlist.txt next to FRST64.exe

    NOTE: Both FRST64.exe and the fixlist.txt must be in the same location or the fix will not work.


    Code:
    start
    createrestorepoint:
    Task: {6112F16F-A300-4361-A26B-7E2B63B8791E} - \SmartWeb Upgrade Trigger Task -> No File <==== ATTENTION
    Task: {ADF8B54C-C52A-460D-8602-920EF3F57811} - System32\Tasks\SLOW-PCfighter64-Barbara-Notification => C:\Program Files\Fighters10119\SLOW-PCfighter 10119\Sync.exe
    Task: C:\WINDOWS\Tasks\PriceFountainUpdateVer.job => C:\Users\Barbara\AppData\Roaming\PRICEF~1\UPDATE~1\UPDATE~1.EXE <==== ATTENTION
    Winlogon\Notify\igfxcui: igfxdev.dll [X]
    CHR HKLM\SOFTWARE\Policies\Google: Restriction <======= ATTENTION
    ProxyEnable: [S-1-5-21-3522491794-3342697391-1839454013-1002] => Proxy is enabled.
    HKU\S-1-5-21-3522491794-3342697391-1839454013-1002\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.palikan.com/?f=1&a=plk_coinisrs_16_10&cd=2XzuyEtN2Y1L1QzuyBzzyEyD0CyE0B0EyE0A0F0F0B0EyEyEtN0D0Tzu0StCyDtAtCtN1L2XzutAtFtCzztFtCtFyDtN1L1Czu1TtN1L1G1B1V1N2Y1L1Qzu2StA0AzzyDyBtDyEtBtGyD0DyEyCtGtAtB0BtAtGyBtBtDtAtG0Fzy0E0CyB0EyD0AtCyD0AtD2QtN1M1F1B2Z1V1N2Y1L1Qzu2StByEyEtD0E0F0FyCtG0CtBtD0BtGyE0B0CzztG0AtDzz0EtGyE0CtB0FyEyEyB0C0CyEyBtA2QtN0A0LzutB&cr=1262681242&ir=
    SearchScopes: HKLM -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
    SearchScopes: HKLM -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
    SearchScopes: HKU\S-1-5-21-3522491794-3342697391-1839454013-1002 -> DefaultScope {6586d803-df30-46d3-a89a-4136c8571d45} URL = hxxp://www.palikan.com/results.php?f=4&a=plk_coinisrs_16_10&cd=2XzuyEtN2Y1L1QzuyBzzyEyD0CyE0B0EyE0A0F0F0B0EyEyEtN0D0Tzu0StCyDtAtCtN1L2XzutAtFtCzztFtCtFyDtN1L1Czu1TtN1L1G1B1V1N2Y1L1Qzu2StA0AzzyDyBtDyEtBtGyD0DyEyCtGtAtB0BtAtGyBtBtDtAtG0Fzy0E0CyB0EyD0AtCyD0AtD2QtN1M1F1B2Z1V1N2Y1L1Qzu2StByEyEtD0E0F0FyCtG0CtBtD0BtGyE0B0CzztG0AtDzz0EtGyE0CtB0FyEyEyB0C0CyEyBtA2QtN0A0LzutB&cr=1262681242&ir=&q={searchTerms}
    SearchScopes: HKU\S-1-5-21-3522491794-3342697391-1839454013-1002 -> {6586d803-df30-46d3-a89a-4136c8571d45} URL = hxxp://www.palikan.com/results.php?f=4&a=plk_coinisrs_16_10&cd=2XzuyEtN2Y1L1QzuyBzzyEyD0CyE0B0EyE0A0F0F0B0EyEyEtN0D0Tzu0StCyDtAtCtN1L2XzutAtFtCzztFtCtFyDtN1L1Czu1TtN1L1G1B1V1N2Y1L1Qzu2StA0AzzyDyBtDyEtBtGyD0DyEyCtGtAtB0BtAtGyBtBtDtAtG0Fzy0E0CyB0EyD0AtCyD0AtD2QtN1M1F1B2Z1V1N2Y1L1Qzu2StByEyEtD0E0F0FyCtG0CtBtD0BtGyE0B0CzztG0AtDzz0EtGyE0CtB0FyEyEyB0C0CyEyBtA2QtN0A0LzutB&cr=1262681242&ir=&q={searchTerms}
    Handler: inbox - {37540F19-DD4C-478B-B2DF-C19281BCAF27} - No File
    FF DefaultSearchEngine: Palikan
    FF SearchEngineOrder.1: Secure Search
    FF SelectedSearchEngine: Palikan
    FF Homepage: hxxp://www.palikan.com/?f=1&a=plk_coinisrs_16_10&cd=2XzuyEtN2Y1L1QzuyBzzyEyD0CyE0B0EyE0A0F0F0B0EyEyEtN0D0Tzu0StCyDtAtCtN1L2XzutAtFtCzztFtCtFyDtN1L1Czu1TtN1L1G1B1V1N2Y1L1Qzu2StA0AzzyDyBtDyEtBtGyD0DyEyCtGtAtB0BtAtGyBtBtDtAtG0Fzy0E0CyB0EyD0AtCyD0AtD2QtN1M1F1B2Z1V1N2Y1L1Qzu2StByEyEtD0E0F0FyCtG0CtBtD0BtGyE0B0CzztG0AtDzz0EtGyE0CtB0FyEyEyB0C0CyEyBtA2QtN0A0LzutB&cr=1262681242&ir=
    FF SearchPlugin: C:\Users\Barbara\AppData\Roaming\Mozilla\Firefox\Profiles\viwepmb2.default\searchplugins\Palikan.xml [2016-03-11]
    CHR HKU\S-1-5-21-3522491794-3342697391-1839454013-1002\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [fkkcgfbgohboipdhliafmacjnhjbhmim] - hxxps://clients2.google.com/service/update2/crx
    S2 0274331457710010mcinstcleanup; C:\WINDOWS\TEMP\027433~1.EXE [883024 2015-05-04] (McAfee, Inc.)
    2016-03-11 09:39 - 2016-03-11 20:39 - 00000316 _____ C:\WINDOWS\Tasks\PriceFountainUpdateVer.job
    2016-03-11 09:39 - 2016-03-11 09:39 - 00002650 _____ C:\WINDOWS\System32\Tasks\PriceFountainUpdateVer
    2016-03-11 09:39 - 2016-03-11 09:39 - 00000000 ____D C:\Users\Barbara\AppData\Roaming\PriceFountainUpdateVer
    2016-03-11 09:39 - 2016-03-11 09:39 - 00000000 ____D C:\Users\Barbara\AppData\Local\BlockhouseIcebreaker
    Reg: reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run32 /v "CommonToolkitTray_Fighters10119" /f
    EmptyTemp:
    end
  • Double-click FRST64 to run the tool. If the tool warns you the version is outdated, please download and run the updated version.
  • Click the Fix button just once, and wait.
  • If you receive a message that a reboot is required, please make sure you allow it to restart normally.
  • The tool will complete its run after the restart.
  • When finished, the tool will make a log (Fixlog.txt) in the same location from where it was run. Please post the Fixlog.txt log in your reply.

NOTE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system

------------------------------------------------------
__________________
Our services are free, but you may contribute to the author of ComboFix via PayPal

Proud member of UNITE

Microsoft MVP - Consumer Security 2014, 2015
chemist is offline  
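The fixlist above targets a fixed set of persistence and browser-hijack locations: scheduled tasks whose targets are gone or live in a user profile, a Winlogon\Notify entry, a Chrome policy key, a per-user proxy setting, the IE start page and SearchScopes, Firefox search and homepage prefs plus a dropped searchplugin, and a Chrome extension registered through the registry. The PowerShell script below is an added example, not part of the original post and not FRST code: a read-only audit that enumerates those same locations on a Windows 8.1 machine so the findings can be compared against a FRST log before a fix is written. It assumes an elevated prompt and PowerShell 3 or later (for Get-ScheduledTask); the Firefox check covers only the profile folder of the account running it; the registry and file paths are the standard Windows and browser locations, not values taken from this log.

```powershell
# Added example, not part of the thread and not FRST's own code: a read-only
# audit of the hijack and persistence locations the fixlist removes. It changes
# nothing and prints one line per finding. Assumes PowerShell 3+ and an
# elevated prompt; Firefox is checked only for the current user's profiles.

$findings = New-Object 'System.Collections.Generic.List[string]'
function Add-Finding([string]$Area, [string]$Detail) { $findings.Add("[$Area] $Detail") }

# 1. Scheduled tasks: targets that no longer exist (dead entries such as the
#    "SmartWeb Upgrade Trigger Task") or that run from a user profile.
Get-ScheduledTask -ErrorAction SilentlyContinue | ForEach-Object {
    $task = $_
    foreach ($a in $task.Actions) {
        if (-not $a.Execute) { continue }                 # COM-handler action, no exe
        $exe = [Environment]::ExpandEnvironmentVariables($a.Execute.Trim('"'))
        $onDisk = (Test-Path -LiteralPath $exe) -or [bool](Get-Command $exe -ErrorAction SilentlyContinue)
        if (-not $onDisk) {
            Add-Finding 'Task' "$($task.TaskPath)$($task.TaskName) -> missing target $exe"
        } elseif ($exe -match '\\Users\\[^\\]+\\AppData\\') {
            Add-Finding 'Task' "$($task.TaskPath)$($task.TaskName) -> runs from a profile: $exe"
        }
    }
}

# 2. Winlogon\Notify: each subkey names a DLL loaded at logon. A DllName that
#    is not on disk (igfxdev.dll [X] above) is a dead or planted entry.
$notify = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify'
Get-ChildItem -Path $notify -ErrorAction SilentlyContinue | ForEach-Object {
    $dll = (Get-ItemProperty -Path $_.PSPath).DllName
    if (-not $dll) { Add-Finding 'WinlogonNotify' "$($_.PSChildName): no DllName"; return }
    $paths = @($dll, "$env:SystemRoot\System32\$dll") | Where-Object { Test-Path -LiteralPath $_ }
    if (-not $paths) { Add-Finding 'WinlogonNotify' "$($_.PSChildName): DllName='$dll' not found" }
}

# 3. Chrome policy in HKLM: absent on an unmanaged home PC. Adware uses it to
#    pin the homepage/search provider (what FRST reports as "Restriction").
$pol = 'HKLM:\SOFTWARE\Policies\Google'
if (Test-Path $pol) {
    Add-Finding 'ChromePolicy' "$pol exists"
    @(Get-Item -Path $pol) + @(Get-ChildItem -Path $pol -Recurse -ErrorAction SilentlyContinue) | ForEach-Object {
        foreach ($v in $_.GetValueNames()) { Add-Finding 'ChromePolicy' "$($_.Name)\$v = $($_.GetValue($v))" }
    }
}

# 4. Per-user hives: proxy forced on, IE start page, IE default search scope.
Get-ChildItem Registry::HKEY_USERS | Where-Object { $_.PSChildName -match '^S-1-5-21-\d+-\d+-\d+-\d+$' } | ForEach-Object {
    $sid  = $_.PSChildName
    $base = "Registry::HKEY_USERS\$sid\Software\Microsoft"
    $inet = Get-ItemProperty -Path "$base\Windows\CurrentVersion\Internet Settings" -ErrorAction SilentlyContinue
    if ($inet.ProxyEnable -eq 1) {
        Add-Finding 'Proxy' "$sid ProxyEnable=1 ProxyServer='$($inet.ProxyServer)' AutoConfigURL='$($inet.AutoConfigURL)'"
    }
    $main = Get-ItemProperty -Path "$base\Internet Explorer\Main" -ErrorAction SilentlyContinue
    if ($main.'Start Page') { Add-Finding 'IEStartPage' "$sid $($main.'Start Page')" }
    $scopes = "$base\Internet Explorer\SearchScopes"
    $def = (Get-ItemProperty -Path $scopes -ErrorAction SilentlyContinue).DefaultScope
    if ($def) {
        $url = (Get-ItemProperty -Path "$scopes\$def" -ErrorAction SilentlyContinue).URL
        Add-Finding 'IESearchScope' "$sid DefaultScope $def -> $url"
    }
}

# 5. Firefox: search/homepage prefs and any dropped searchplugins (Palikan.xml above).
Get-ChildItem "$env:APPDATA\Mozilla\Firefox\Profiles" -Directory -ErrorAction SilentlyContinue | ForEach-Object {
    $prefs = Join-Path $_.FullName 'prefs.js'
    if (Test-Path $prefs) {
        Select-String -Path $prefs -Pattern 'browser\.search\.(defaultenginename|selectedEngine)|browser\.startup\.homepage' |
            ForEach-Object { Add-Finding 'FirefoxPref' $_.Line.Trim() }
    }
    Get-ChildItem (Join-Path $_.FullName 'searchplugins') -Filter *.xml -ErrorAction SilentlyContinue |
        ForEach-Object { Add-Finding 'FirefoxSearchPlugin' $_.FullName }
}

# 6. Chrome extensions registered through the registry (silent installs that
#    show only an update URL; look the 32-character ID up by hand).
foreach ($root in 'HKLM:\SOFTWARE\Google\Chrome\Extensions',
                  'HKLM:\SOFTWARE\Wow6432Node\Google\Chrome\Extensions',
                  'HKCU:\SOFTWARE\Google\Chrome\Extensions') {
    Get-ChildItem -Path $root -ErrorAction SilentlyContinue |
        ForEach-Object { Add-Finding 'ChromeExtension' "$($_.PSChildName) via $root" }
}

if ($findings.Count) { $findings | Sort-Object } else { 'No findings.' }
```

Every line this prints is a candidate, not a verdict: a legitimate IE start page, a vendor Winlogon entry whose DLL is present, or a Chrome extension the user installed will all appear. The value is that the same six places the fixlist touched can be re-checked after the fix, and again a week later, without rerunning a full FRST scan.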
Old 03-14-2016, 05:32 PM   #5
atrdriver
Registered Member
Join Date: Apr 2013
Posts: 81
OS: Win7 SP1 64 bit

OK, ran that and the log is posted below. Just for information, when I start FRST64.exe it gives me a pop-up Application Error that states "Exception EAccessViolation in module ERUNT.exe at 0003A3E. Access violation at address 00403A3E in module 'ERUNT.exe'. Write of address 0076005D." I click OK and it allows me to continue, however. Also, while the fix was running the inside of the FRST64.exe window kept changing sizes. Probably not relevant, but I thought I'd mention it.


Fix result of Farbar Recovery Scan Tool (x64) Version:05-03-2016 01
Ran by Barbara (2016-03-14 19:14:35) Run:1
Running from C:\Users\Barbara\Desktop
Loaded Profiles: Barbara (Available Profiles: Barbara)
Boot Mode: Normal
==============================================

fixlist content:
*****************
start
createrestorepoint:
Task: {6112F16F-A300-4361-A26B-7E2B63B8791E} - \SmartWeb Upgrade Trigger Task -> No File <==== ATTENTION
Task: {ADF8B54C-C52A-460D-8602-920EF3F57811} - System32\Tasks\SLOW-PCfighter64-Barbara-Notification => C:\Program Files\Fighters10119\SLOW-PCfighter 10119\Sync.exe
Task: C:\WINDOWS\Tasks\PriceFountainUpdateVer.job => C:\Users\Barbara\AppData\Roaming\PRICEF~1\UPDATE~1\UPDATE~1.EXE <==== ATTENTION
Winlogon\Notify\igfxcui: igfxdev.dll [X]
CHR HKLM\SOFTWARE\Policies\Google: Restriction <======= ATTENTION
ProxyEnable: [S-1-5-21-3522491794-3342697391-1839454013-1002] => Proxy is enabled.
HKU\S-1-5-21-3522491794-3342697391-1839454013-1002\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.palikan.com/?f=1&a=plk_coinisrs_16_10&cd=2XzuyEtN2Y1L1QzuyBzzyEyD0CyE0B0EyE0A0F0F0B0EyEyEtN0D0Tzu0StCyDtAtCtN1L2XzutAtFtCzztFtCtFyDtN1L1Czu1TtN1L1G1B1V1N2Y1L1Qzu2StA0AzzyDyBtDyEtBtGyD0DyEyCtGtAtB0BtAtGyBtBtDtAtG0Fzy0E0CyB0EyD0AtCyD0AtD2QtN1M1F1B2Z1V1N2Y1L1Qzu2StByEyEtD0E0F0FyCtG0CtBtD0BtGyE0B0CzztG0AtDzz0EtGyE0CtB0FyEyEyB0C0CyEyBtA2QtN0A0LzutB&cr=1262681242&ir=
SearchScopes: HKLM -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKLM -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-21-3522491794-3342697391-1839454013-1002 -> DefaultScope {6586d803-df30-46d3-a89a-4136c8571d45} URL = hxxp://www.palikan.com/results.php?f=4&a=plk_coinisrs_16_10&cd=2XzuyEtN2Y1L1QzuyBzzyEyD0CyE0B0EyE0A0F0F0B0EyEyEtN0D0Tzu0StCyDtAtCtN1L2XzutAtFtCzztFtCtFyDtN1L1Czu1TtN1L1G1B1V1N2Y1L1Qzu2StA0AzzyDyBtDyEtBtGyD0DyEyCtGtAtB0BtAtGyBtBtDtAtG0Fzy0E0CyB0EyD0AtCyD0AtD2QtN1M1F1B2Z1V1N2Y1L1Qzu2StByEyEtD0E0F0FyCtG0CtBtD0BtGyE0B0CzztG0AtDzz0EtGyE0CtB0FyEyEyB0C0CyEyBtA2QtN0A0LzutB&cr=1262681242&ir=&q={searchTerms}
SearchScopes: HKU\S-1-5-21-3522491794-3342697391-1839454013-1002 -> {6586d803-df30-46d3-a89a-4136c8571d45} URL = hxxp://www.palikan.com/results.php?f=4&a=plk_coinisrs_16_10&cd=2XzuyEtN2Y1L1QzuyBzzyEyD0CyE0B0EyE0A0F0F0B0EyEyEtN0D0Tzu0StCyDtAtCtN1L2XzutAtFtCzztFtCtFyDtN1L1Czu1TtN1L1G1B1V1N2Y1L1Qzu2StA0AzzyDyBtDyEtBtGyD0DyEyCtGtAtB0BtAtGyBtBtDtAtG0Fzy0E0CyB0EyD0AtCyD0AtD2QtN1M1F1B2Z1V1N2Y1L1Qzu2StByEyEtD0E0F0FyCtG0CtBtD0BtGyE0B0CzztG0AtDzz0EtGyE0CtB0FyEyEyB0C0CyEyBtA2QtN0A0LzutB&cr=1262681242&ir=&q={searchTerms}
Handler: inbox - {37540F19-DD4C-478B-B2DF-C19281BCAF27} - No File
FF DefaultSearchEngine: Palikan
FF SearchEngineOrder.1: Secure Search
FF SelectedSearchEngine: Palikan
FF Homepage: hxxp://www.palikan.com/?f=1&a=plk_coinisrs_16_10&cd=2XzuyEtN2Y1L1QzuyBzzyEyD0CyE0B0EyE0A0F0F0B0EyEyEtN0D0Tzu0StCyDtAtCtN1L2XzutAtFtCzztFtCtFyDtN1L1Czu1TtN1L1G1B1V1N2Y1L1Qzu2StA0AzzyDyBtDyEtBtGyD0DyEyCtGtAtB0BtAtGyBtBtDtAtG0Fzy0E0CyB0EyD0AtCyD0AtD2QtN1M1F1B2Z1V1N2Y1L1Qzu2StByEyEtD0E0F0FyCtG0CtBtD0BtGyE0B0CzztG0AtDzz0EtGyE0CtB0FyEyEyB0C0CyEyBtA2QtN0A0LzutB&cr=1262681242&ir=
FF SearchPlugin: C:\Users\Barbara\AppData\Roaming\Mozilla\Firefox\Profiles\viwepmb2.default\searchplugins\Palikan.xml [2016-03-11]
CHR HKU\S-1-5-21-3522491794-3342697391-1839454013-1002\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [fkkcgfbgohboipdhliafmacjnhjbhmim] - hxxps://clients2.google.com/service/update2/crx
S2 0274331457710010mcinstcleanup; C:\WINDOWS\TEMP\027433~1.EXE [883024 2015-05-04] (McAfee, Inc.)
2016-03-11 09:39 - 2016-03-11 20:39 - 00000316 _____ C:\WINDOWS\Tasks\PriceFountainUpdateVer.job
2016-03-11 09:39 - 2016-03-11 09:39 - 00002650 _____ C:\WINDOWS\System32\Tasks\PriceFountainUpdateVer
2016-03-11 09:39 - 2016-03-11 09:39 - 00000000 ____D C:\Users\Barbara\AppData\Roaming\PriceFountainUpdateVer
2016-03-11 09:39 - 2016-03-11 09:39 - 00000000 ____D C:\Users\Barbara\AppData\Local\BlockhouseIcebreaker
Reg: reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run32 /v "CommonToolkitTray_Fighters10119" /f
EmptyTemp:
end
*****************

Restore point was successfully created.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{6112F16F-A300-4361-A26B-7E2B63B8791E}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{6112F16F-A300-4361-A26B-7E2B63B8791E}" => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\SmartWeb Upgrade Trigger Task => key not found.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon\{ADF8B54C-C52A-460D-8602-920EF3F57811}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{ADF8B54C-C52A-460D-8602-920EF3F57811}" => key removed successfully
C:\WINDOWS\System32\Tasks\SLOW-PCfighter64-Barbara-Notification => moved successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\SLOW-PCfighter64-Barbara-Notification" => key removed successfully
C:\WINDOWS\Tasks\PriceFountainUpdateVer.job => moved successfully
"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui" => key removed successfully
"HKLM\SOFTWARE\Policies\Google" => key removed successfully
HKU\S-1-5-21-3522491794-3342697391-1839454013-1002\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxyEnable => value removed successfully
HKU\S-1-5-21-3522491794-3342697391-1839454013-1002\Software\Microsoft\Internet Explorer\Main\\Start Page => value restored successfully
HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => value restored successfully
"HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}" => key removed successfully
HKCR\CLSID\{0633EE93-D776-472f-A0FF-E1416B8B2E3A} => key not found.
HKU\S-1-5-21-3522491794-3342697391-1839454013-1002\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => value removed successfully
HKU\S-1-5-21-3522491794-3342697391-1839454013-1002\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{6586d803-df30-46d3-a89a-4136c8571d45} => key not found.
HKCR\CLSID\{6586d803-df30-46d3-a89a-4136c8571d45} => key not found.
HKCR\PROTOCOLS\Handler\inbox => key not found.
HKCR\CLSID\{37540F19-DD4C-478B-B2DF-C19281BCAF27} => key not found.
Firefox DefaultSearchEngine removed successfully
Firefox SearchEngineOrder.1 removed successfully
FF SelectedSearchEngine: Palikan => not found
Firefox "homepage" removed successfully
"C:\Users\Barbara\AppData\Roaming\Mozilla\Firefox\Profiles\viwepmb2.default\searchplugins\Palikan.xml" => not found.
"HKU\S-1-5-21-3522491794-3342697391-1839454013-1002\SOFTWARE\Google\Chrome\Extensions\fkkcgfbgohboipdhliafmacjnhjbhmim" => key removed successfully
0274331457710010mcinstcleanup => service not found.
"C:\WINDOWS\Tasks\PriceFountainUpdateVer.job" => not found.
C:\WINDOWS\System32\Tasks\PriceFountainUpdateVer => moved successfully
C:\Users\Barbara\AppData\Roaming\PriceFountainUpdateVer => moved successfully
C:\Users\Barbara\AppData\Local\BlockhouseIcebreaker => moved successfully

========= reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run32 /v "CommonToolkitTray_Fighters10119" /f =========

The operation completed successfully.



========= End of Reg: =========

EmptyTemp: => 2.6 GB temporary data Removed.


The system needed a reboot.

==== End of Fixlog 19:27:40 ====
atrdriver is offline

Old 03-15-2016, 11:43 AM   #6
chemist
Security Team, Moderator, Analyst, Rangemaster, TSF Academy
Microsoft Most Valuable Professional
Join Date: Oct 2007
Location: Georgia
Posts: 29,790
OS: XP/Win7/Win10

Hello again, atrdriver. Thanks for letting us know. How is the machine behaving now?

------------------------------------------------------
  • Launch Malwarebytes' Anti-Malware
  • On the Dashboard, click the Scan Now button.
  • A check for database updates will be performed.
  • After the update check completes, a Threat Scan will begin.
  • When the scan is complete, if there have been detections, click Remove Selected to allow MBAM to clean what was detected.
  • In most cases, a restart will be required and a prompt will be shown.
  • Wait for the prompt to restart the computer to appear, then click on Yes
  • After the restart once you are back at your desktop, open MBAM once more.
  • Click on the History tab > Application Logs
  • Double-click on the Scan Log which shows the Date and Time of the scan just performed.
  • Click Export
  • Click Text file (*.txt)
  • In the Save File dialog box which appears, click on Desktop.
  • In the File name: box type a name for your scan log.
  • A message box named File Saved should appear stating "Your file has been successfully exported".
  • Click Ok
  • Post that saved log in your next reply.
------------------------------------------------------

Please run this online scan to help look for remnants. Ensure your external and/or USB drives are inserted during the scan.

Go here and click 'Run ESET Online Scanner'.
  • If you are not using Internet Explorer, double-click esetsmartinstaller_enu.exe to install it, then click 'Run'.
  • Turn off the real-time scanner of any existing antivirus program while performing the online scan. Here's how
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • If using Internet Explorer, allow the ActiveX control to install when asked.
  • Once the components have downloaded, tick the option Enable detection of potentially unwanted applications
  • Click on Advanced Settings
  • Make sure that the option Remove found threats is unticked.
  • Ensure these options are ticked:
    • Scan Archives
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth technology
  • Next to 'Current scan targets: Operating memory, Local drives', click the Change... button.
  • Tick all the boxes that correspond to your external/inserted drives.
  • Click Start
  • Wait for the scan to finish.
  • When the scan is done, if it shows a screen that says "Threats found!", click "List of found threats", and then click "Export to text file..."
  • Save that text file to your desktop, and then copy/paste the contents in your next reply.
------------------------------------------------------

Please post the following in your next reply:

MBAM log
ESET report
report on system behavior
__________________
Our services are free, but you may contribute to the author of ComboFix via PayPal

Proud member of UNITE

Microsoft MVP - Consumer Security 2014, 2015
chemist is offline  
Old 03-15-2016, 05:07 PM   #7
atrdriver
Registered Member
Join Date: Apr 2013
Posts: 81
OS: Win7 SP1 64 bit

Sorry it took me so long to get back to you. The logs are pasted below. I did not close the eset scanner window, awaiting instructions on that.

The machine still seems a little slow, but as far as I can tell the popups seem to be gone; at least they haven't shown up while I have been working on it. I have not used it for anything except following the instructions to clean it.

Malwarebytes Anti-Malware
www.malwarebytes.org

Scan Date: 3/15/2016
Scan Time: 3:57 PM
Logfile: MWBytesLog.txt
Administrator: Yes

Version: 2.2.0.1024
Malware Database: v2016.03.10.05
Rootkit Database: v2016.02.27.01
License: Free
Malware Protection: Disabled
Malicious Website Protection: Disabled
Self-protection: Disabled

OS: Windows 8.1
CPU: x64
File System: NTFS
User: Barbara

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 336401
Time Elapsed: 15 min, 47 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled

Processes: 0
(No malicious items detected)

Modules: 0
(No malicious items detected)

Registry Keys: 3
PUP.Optional.PriceFountain, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TASKS\{698F6107-7BFB-4B81-BD5F-97D13B259E4D}, Quarantined, [41dc11755544a98dc52c19f76f94b64a],
PUP.Optional.PriceFountain, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TREE\PriceFountainUpdateVer, Quarantined, [5ac33353534602348c66838dfd06ca36],
PUP.Optional.InstallCore, HKU\S-1-5-21-3522491794-3342697391-1839454013-1002\SOFTWARE\ICSW1.18, Quarantined, [ff1e25618c0da78f753a7695887caa56],

Registry Values: 1
PUP.Optional.PriceFountain, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TASKS\{698F6107-7BFB-4B81-BD5F-97D13B259E4D}|Path, \PriceFountainUpdateVer, Quarantined, [41dc11755544a98dc52c19f76f94b64a]

Registry Data: 0
(No malicious items detected)

Folders: 0
(No malicious items detected)

Files: 1
PUP.Optional.Palikan, C:\Users\Barbara\AppData\LocalLow\Microsoft\Internet Explorer\Services\Palikan.ico, Quarantined, [8e8fc7bfc7d2c4727b543342c3417888],

Physical Sectors: 0
(No malicious items detected)


(end)


C:\FRST\Quarantine\C\Users\Barbara\AppData\Local\BlockhouseIcebreaker\BallastExistent.dll a variant of Win32/DealPly.CI potentially unwanted application
C:\FRST\Quarantine\C\Users\Barbara\AppData\Local\BlockhouseIcebreaker\DirerTumbleweed.dat Win32/DealPly.CI potentially unwanted application
C:\FRST\Quarantine\C\Users\Barbara\AppData\Roaming\PriceFountainUpdateVer\UpdateProc\bkup.dat VBS/Kryptik.DY trojan
C:\Program Files (x86)\AdwCleaner\FileQuarantine\C\Program Files (x86)\Smart Driver Updater\SDUTray.exe.vir a variant of Win32/Adware.SpeedingUpMyPC.AL application
C:\Program Files (x86)\AdwCleaner\FileQuarantine\C\ProgramData\86addbf5\f9d4441c.dll.vir a variant of Win32/Adware.Adposhel.B application
C:\Program Files (x86)\Dell Backup and Recovery\Components\DBRUpdate\hstart.exe a variant of Win32/HiddenStart.A potentially unsafe application
C:\Users\Barbara\AppData\Local\Microsoft\Windows\FileHistory\Data\4202\C\Users\Barbara\Downloads\IE11-Windows6.1.exe a variant of Win32/InstallCore.ACZ potentially unwanted application
C:\Users\Barbara\AppData\Local\Microsoft\Windows\FileHistory\Data\5699\C\Users\Barbara\Downloads\adobe_flash_player.exe a variant of Win32/InstallCore.AFF.gen potentially unwanted application
C:\Users\Barbara\AppData\Local\Microsoft\Windows\FileHistory\Data\5700\C\Users\Barbara\Downloads\adobe_flash_player(1).exe a variant of Win32/InstallCore.AFF.gen potentially unwanted application
C:\Users\Barbara\AppData\LocalLow\TelevisionFanaticEI\Installr\Cache\2A208547.exe a variant of Win32/Toolbar.MyWebSearch.R potentially unwanted application
C:\Users\Barbara\AppData\Roaming\Fighters10119\Tray\AutoInstall\DM.exe a variant of Win32/SlowPCfighter.A potentially unwanted application
C:\Users\Barbara\AppData\Roaming\Mozilla\Firefox\Profiles\viwepmb2.default\extensions\{855c4a9e-6004-4c31-87d1-5d858863e4a1}.xpi JS/BrowseFox.A potentially unwanted application
C:\Windows\Installer\{D1A4762A-11DF-4E7D-ADE7-C6D149BD8B37}\faq_8A71AEBB623B46A0B934103F1A762800.exe a variant of Win32/SlowPCfighter.A potentially unwanted application
C:\Windows\Installer\{D1A4762A-11DF-4E7D-ADE7-C6D149BD8B37}\LicenseShortcut_303A72A482D54D67B5D168C047EE3E11.exe a variant of Win32/SlowPCfighter.A potentially unwanted application
C:\Windows\Installer\{D1A4762A-11DF-4E7D-ADE7-C6D149BD8B37}\LogFilesCollectorS_95204E1E4B3B4767821B1FAD987C2D2D.exe a variant of Win32/SlowPCfighter.A potentially unwanted application
C:\Windows\Installer\{D1A4762A-11DF-4E7D-ADE7-C6D149BD8B37}\MainExe64Shortcut_B53671B5D9A445549437680533116875.exe a variant of Win32/SlowPCfighter.A potentially unwanted application
C:\Windows\Installer\{D1A4762A-11DF-4E7D-ADE7-C6D149BD8B37}\NewShortcut10_87735DA8B8974C24BDFBDDE8F2D2DF1A.exe a variant of Win32/SlowPCfighter.A potentially unwanted application
C:\Windows\Installer\{D1A4762A-11DF-4E7D-ADE7-C6D149BD8B37}\UninstallIcon.exe a variant of Win32/SlowPCfighter.A potentially unwanted application
atrdriver is offline

Old 03-15-2016, 08:07 PM   #8
chemist
Security Team, Moderator, Analyst, Rangemaster, TSF Academy
Microsoft Most Valuable Professional
Join Date: Oct 2007
Location: Georgia
Posts: 29,790
OS: XP/Win7/Win10

Hello again, atrdriver. Some users complain of slowness after a cleaning. Use the machine for the next day or so and see if it improves.

You can keep the ESET malware definitions on your machine, if you want to use it later. If not, you can just uninstall it.

The Dell DataSafe find is a false positive from ESET.

Some of the ESET finds have already been quarantined by AdwCleaner or FRST. Those will get deleted when we uninstall those tools.

Open Notepad and copy/paste the entire contents of the codebox below into Notepad:

Code:
@echo off
rem Remove any log left over from a previous run
if exist "%temp%\log.txt" del "%temp%\log.txt"

rem Files flagged by ESET that were not already quarantined by FRST or AdwCleaner
for %%g in (

"C:\Users\Barbara\AppData\Local\Microsoft\Windows\FileHistory\Data\4202\C\Users\Barbara\Downloads\IE11-Windows6.1.exe"
"C:\Users\Barbara\AppData\Local\Microsoft\Windows\FileHistory\Data\5699\C\Users\Barbara\Downloads\adobe_flash_player.exe"
"C:\Users\Barbara\AppData\Local\Microsoft\Windows\FileHistory\Data\5700\C\Users\Barbara\Downloads\adobe_flash_player(1).exe"
"C:\Users\Barbara\AppData\LocalLow\TelevisionFanaticEI\Installr\Cache\2A208547.exe"
"C:\Users\Barbara\AppData\Roaming\Fighters10119\Tray\AutoInstall\DM.exe"
"C:\Users\Barbara\AppData\Roaming\Mozilla\Firefox\Profiles\viwepmb2.default\extensions\{855c4a9e-6004-4c31-87d1-5d858863e4a1}.xpi"
"C:\Windows\Installer\{D1A4762A-11DF-4E7D-ADE7-C6D149BD8B37}\faq_8A71AEBB623B46A0B934103F1A762800.exe"
"C:\Windows\Installer\{D1A4762A-11DF-4E7D-ADE7-C6D149BD8B37}\LicenseShortcut_303A72A482D54D67B5D168C047EE3E11.exe"
"C:\Windows\Installer\{D1A4762A-11DF-4E7D-ADE7-C6D149BD8B37}\LogFilesCollectorS_95204E1E4B3B4767821B1FAD987C2D2D.exe"
"C:\Windows\Installer\{D1A4762A-11DF-4E7D-ADE7-C6D149BD8B37}\MainExe64Shortcut_B53671B5D9A445549437680533116875.exe"
"C:\Windows\Installer\{D1A4762A-11DF-4E7D-ADE7-C6D149BD8B37}\NewShortcut10_87735DA8B8974C24BDFBDDE8F2D2DF1A.exe"
"C:\Windows\Installer\{D1A4762A-11DF-4E7D-ADE7-C6D149BD8B37}\UninstallIcon.exe"

) do (
del /a/f/q %%g >nul 2>&1
if exist %%g echo.%%~g>>"%temp%\log.txt"
)

rem /a/f/q above force-deletes regardless of attributes; any path still present
rem afterwards was written to the log, which is opened so it can be reported
if exist "%temp%\log.txt" ( start notepad "%temp%\log.txt"
) else echo.Deleted Successfully !!

pause
rem The batch file removes itself once it has run
del %0
Save this Notepad file as fix.bat, choose Save as type: All Files, then close the Notepad file.
It should look like this:

Right-click on fix.bat and choose 'Run as administrator' to allow it to run.

Tell me what it says in your next reply. Press any key to continue.

------------------------------------------------------
__________________
Our services are free, but you may contribute to the author of ComboFix via PayPal

Proud member of UNITE

Microsoft MVP - Consumer Security 2014, 2015
chemist is offline  
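The step chemist performed by hand above, before writing fix.bat, was to sort the ESET report into three groups: finds already sitting in a cleanup tool's quarantine (gone once that tool is uninstalled), a vendor file that only matches a "potentially unsafe application" signature and needs a human decision, and live files that still have to be deleted. The PowerShell below is an added example, not part of the thread, that does that triage automatically and emits the for-loop body for a fix.bat. The sample report is a subset of the ESET lines posted above; the quarantine prefixes are FRST's C:\FRST\Quarantine and AdwCleaner's FileQuarantine folder; the "Review" rule (potentially unsafe application under Program Files) is a heuristic of this example, not an ESET classification.

```powershell
# Added example, not from the thread: triage ESET "List of found threats"
# lines into Quarantined / Review / Delete and emit the live paths in the
# form fix.bat expects. Sample lines are copied from the report posted above.

$esetReport = @'
C:\FRST\Quarantine\C\Users\Barbara\AppData\Local\BlockhouseIcebreaker\BallastExistent.dll a variant of Win32/DealPly.CI potentially unwanted application
C:\FRST\Quarantine\C\Users\Barbara\AppData\Roaming\PriceFountainUpdateVer\UpdateProc\bkup.dat VBS/Kryptik.DY trojan
C:\Program Files (x86)\AdwCleaner\FileQuarantine\C\ProgramData\86addbf5\f9d4441c.dll.vir a variant of Win32/Adware.Adposhel.B application
C:\Program Files (x86)\Dell Backup and Recovery\Components\DBRUpdate\hstart.exe a variant of Win32/HiddenStart.A potentially unsafe application
C:\Users\Barbara\AppData\Roaming\Fighters10119\Tray\AutoInstall\DM.exe a variant of Win32/SlowPCfighter.A potentially unwanted application
C:\Windows\Installer\{D1A4762A-11DF-4E7D-ADE7-C6D149BD8B37}\UninstallIcon.exe a variant of Win32/SlowPCfighter.A potentially unwanted application
'@

# A Windows path segment never contains "/", so the detection name is the
# first "Family/Name" token (optionally preceded by "a variant of"); everything
# before it is the path, even when the path contains spaces. The separator
# may be a tab (real ESET export) or spaces (forum paste): \s+ covers both.
$linePattern = '^(?<path>.+?)\s+(?<threat>(?:a variant of )?[A-Za-z0-9]+/\S+.*)$'

# Documented quarantine folders of the two cleanup tools used in this thread.
$quarantinePrefixes = @(
    'C:\FRST\Quarantine\',
    'C:\Program Files (x86)\AdwCleaner\FileQuarantine\'
)

function Get-EsetTriage([string]$Report) {
    foreach ($line in $Report -split "`r?`n") {
        if ($line -notmatch $linePattern) { continue }
        $path   = $Matches['path']
        $threat = $Matches['threat']
        $bucket =
            if ($quarantinePrefixes | Where-Object { $path.StartsWith($_, 'OrdinalIgnoreCase') }) {
                'Quarantined'      # already neutralised; removed when the tool is uninstalled
            } elseif ($threat -match 'potentially unsafe application' -and
                      $path -match '^C:\\Program Files( \(x86\))?\\') {
                'Review'           # dual-use tool shipped by an installed product; confirm first
            } else {
                'Delete'           # live file still on disk
            }
        [pscustomobject]@{ Bucket = $bucket; Path = $path; Threat = $threat }
    }
}

$triage = Get-EsetTriage $esetReport
$triage | Sort-Object Bucket, Path | Format-Table -AutoSize -Wrap

# Body of the "for %%g in (...)" loop for a fix.bat like the one above,
# containing only the live files.
$toDelete = $triage | Where-Object Bucket -eq 'Delete' | ForEach-Object { "`"$($_.Path)`"" }
"for %%g in (`n$($toDelete -join "`n")`n) do ("
```

For the six sample lines this yields two Quarantined entries, one Review entry (the Dell hstart.exe launcher, which chemist judged a false positive) and two Delete entries. Paste the real exported report into $esetReport in place of the sample and the same three groups fall out; the Review group is the one to read before anything is deleted.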
Old 03-16-2016, 12:27 AM   #9
atrdriver
Registered Member
Join Date: Apr 2013
Posts: 81
OS: Win7 SP1 64 bit

In the resulting CMD window it said

"Deleted Successfully !!
Press any key to continue . . ."
atrdriver is offline

Old 03-16-2016, 05:44 AM   #10
chemist
Security Team, Moderator, Analyst, Rangemaster, TSF Academy
Microsoft Most Valuable Professional
Join Date: Oct 2007
Location: Georgia
Posts: 29,790
OS: XP/Win7/Win10

Hello again, atrdriver. Use the machine as normal for the next day or so and see if the speed improves.
__________________
Our services are free, but you may contribute to the author of ComboFix via PayPal

Proud member of UNITE

Microsoft MVP - Consumer Security 2014, 2015
chemist is offline  
Old 03-16-2016, 05:59 AM   #11
atrdriver
Registered Member
Join Date: Apr 2013
Posts: 81
OS: Win7 SP1 64 bit

Like I said, this is a friend's computer, so besides looking at websites there isn't much else I can do with it. It does appear that the browsers are opening faster now, though, and I don't see any page hijacking going on anymore. If it looks clean to you, I guess we can finish up and I will give it back to her.
atrdriver is offline

Old 03-16-2016, 08:37 AM   #12
chemist
Security Team, Moderator, Analyst, Rangemaster, TSF Academy
Microsoft Most Valuable Professional
Join Date: Oct 2007
Location: Georgia
Posts: 29,790
OS: XP/Win7/Win10

Congratulations. Well done! Your logs appear clean. You should be good to go.

------------------------------------------------------
  • Press the Windows "logo" key and "R" key then type cleanmgr into the Run box and click OK.
  • If prompted, select your hard drive (usually C:\) then click 'OK'.
  • You should see the scanning screenshot for a few seconds.
  • Click 'Clean up system files'
  • If prompted by UAC, then click 'Yes'.
  • If prompted, select your hard drive (usually C:\) then click 'OK'.
  • You should see the scanning screenshot again, for a few seconds up to a few minutes.
  • Click on the 'More Options' tab, and click on the 'Clean up' button under the 'System Restore and Shadow Copies' section.
  • Click/tap on the 'Delete' button in the confirm deletion window, then press 'OK'.
  • Click/tap on the 'Delete files' button in the confirm deletion window.
This will remove all but the most recent System Restore Point.

------------------------------------------------------

Please read this and, if possible, contribute as much as you can:

Help BleepingComputer Defend Freedom of Speech

------------------------------------------------------

Please re-enable your antivirus program and any other antispyware programs disabled earlier if you haven't already.
  • Run AdwCleaner and select Uninstall
  • Confirm by clicking Yes
------------------------------------------------------

Press the Windows "logo" key and "R" key then copy/paste the following single-line command into the Run box and click OK:

cmd /c rd /s /q "C:\FRST"

A DOS window will open and close again, this is normal.

------------------------------------------------------

You can safely delete any tools downloaded or any logs, files, and any shortcuts on your desktop that were created during this fix.

Keep MBAM, update and run a Scan ('Threat Scan' by default, or 'Scan Now' under the Dashboard tab) weekly.

Empty your Recycle Bin if it does not do so automatically.

------------------------------------------------------

MICROSOFT UPDATES
It is very important that you get all of the critical updates for your Operating System and Internet Explorer. Keeping your OS and browser up to date will help make you less susceptible to attacks by Trojans and viruses. Please go to Microsoft and download all the critical updates to help prevent possible re-infection.

------------------------------------------------------

Make sure you backup your system, so possible reformatting in the future isn't necessary:

What happened to Backup and Restore? - Windows Help

https://blogs.technet.com/b/keithmaye...poftheday.aspx

------------------------------------------------------

SPYWARE PREVENTION
In light of your recent problem, I'm sure you'd like to avoid any future infections. Please read this well-written article: To help protect your computer in the future I recommend that you get the following free programs if you do not already have them:
  • WOT, Web of Trust, warns you about risky websites that try to scam visitors, deliver malware, or send spam. Protect your computer against online threats by using WOT as your front-line layer of protection when browsing or searching in unfamiliar territory. WOT's color-coded icons show you ratings for 21 million websites, helping you avoid the dangerous sites:
    • Green to go
    • Yellow for caution
    • Red to stop
    WOT has an add-on available for IE, Firefox, and Chrome.
  • MVPS HOSTS FILE replaces your current HOSTS file with one that will restrict known ad sites from serving you unsolicited advertisements. It basically prevents your computer from connecting to those sites by redirecting them to 0.0.0.0, which is the IP of your local computer. See guide for Windows 8/Windows 10 here
Keep your antivirus program and antispyware programs updated and scan with them on a regular basis.

Please respond to this thread one more time so we can mark this thread as resolved.
__________________
Our services are free, but you may contribute to the author of ComboFix via PayPal

Proud member of UNITE

Microsoft MVP - Consumer Security 2014, 2015
chemist is offline  
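The HOSTS-file mechanism described in the post above, as an added example that is not part of chemist's post or of the MVPS project: a small Python audit that reads a HOSTS file the way the Windows resolver does, confirms that MVPS-style entries really do sinkhole a name, and flags the opposite case, an entry that sends a name to a routable address, which is exactly how a browser hijacker redirects search engines or antivirus update servers. The SAMPLE_HOSTS text and the .example hostnames are constructed for illustration; the path constant is the real default location of the Windows HOSTS file. For accuracy when reading the output: 0.0.0.0 is the unspecified address, so a connection to it fails immediately rather than reaching any host, while 127.0.0.1 is the loopback address of the local machine; both are safe sinkholes, anything else is not.

```python
"""Audit a Windows HOSTS file: separate MVPS-style sinkhole entries from hijack entries.

Added example, not part of the original thread or the MVPS project. SAMPLE_HOSTS is
constructed for illustration; WINDOWS_HOSTS_PATH is the real default location.
"""
import ipaddress
import re
import sys
from typing import Dict, List, Tuple

# Real default location on Windows; every malware cleanup should inspect this file.
WINDOWS_HOSTS_PATH = r"C:\Windows\System32\drivers\etc\hosts"

# Addresses that only sinkhole a name. 0.0.0.0 is the unspecified address, so a
# connection attempt fails at once; 127.0.0.1 and ::1 are loopback. Any other
# address actually delivers the traffic somewhere.
SINKHOLE_ADDRESSES = {"0.0.0.0", "127.0.0.1", "::1"}

# Constructed sample: the default Microsoft loopback lines, MVPS-style block
# entries, and two entries of the kind a browser hijacker plants.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
# [Start of MVPS-style entries]
0.0.0.0 ad.doubleclick.net
0.0.0.0 adservice.example   # constructed ad host
0.0.0.0\tpixel.example\tbeacon.example
# [hijack-style entries, constructed: a search site and an AV update host]
203.0.113.7 www.search.example
203.0.113.7 av-update.example
"""

HostsEntry = Tuple[int, str, str]  # (line number, address, hostname)


def parse_hosts(text: str) -> List[HostsEntry]:
    """Parse HOSTS text into (line_no, address, hostname) tuples.

    Handles full-line and trailing '#' comments, tabs or runs of spaces, and
    several hostnames on one line. Lines whose first field is not a valid IP
    address are skipped rather than trusted.
    """
    entries: List[HostsEntry] = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = re.split(r"\s+", line)
        addr, names = fields[0], fields[1:]
        try:
            ipaddress.ip_address(addr)
        except ValueError:
            continue
        for name in names:
            entries.append((line_no, addr, name.lower()))
    return entries


def build_map(entries: List[HostsEntry]) -> Dict[str, str]:
    """Map hostname -> address; the first matching line wins, as the resolver does."""
    mapping: Dict[str, str] = {}
    for _, addr, name in entries:
        mapping.setdefault(name, addr)
    return mapping


def is_sinkholed(mapping: Dict[str, str], hostname: str) -> bool:
    """True when HOSTS sends this name to an unreachable or loopback address."""
    return mapping.get(hostname.lower()) in SINKHOLE_ADDRESSES


def find_hijacks(entries: List[HostsEntry]) -> List[HostsEntry]:
    """Entries that point a name at a routable address.

    An ad blocker never needs one of these; a hijacker uses them to redirect
    search engines or AV update servers to a host it controls.
    """
    return [e for e in entries if e[1] not in SINKHOLE_ADDRESSES]


def audit(text: str) -> Dict[str, int]:
    """Summarise a HOSTS file: how many names are sinkholed vs. redirected."""
    entries = parse_hosts(text)
    hijacks = find_hijacks(entries)
    return {"entries": len(entries), "sinkholed": len(entries) - len(hijacks),
            "hijacked": len(hijacks)}


if __name__ == "__main__":
    # Pass a path (e.g. WINDOWS_HOSTS_PATH) to audit a real file; with no
    # argument the constructed sample is used.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    else:
        text = SAMPLE_HOSTS
    print(audit(text))
    for line_no, addr, name in find_hijacks(parse_hosts(text)):
        print(f"line {line_no}: {name} -> {addr}  (not a sinkhole address: investigate)")
```

Run it with no arguments to see the constructed sample audited, or with the path of the machine's HOSTS file after a cleanup: the ad entries from an MVPS install all show up as sinkholed, and any line that maps a name to a routable address is printed for investigation. Clearing such lines (Windows also rebuilds a default HOSTS if the file is deleted) is the fix if a hijacked search or update server turns out to be a HOSTS redirect rather than a browser extension.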
Old 03-16-2016, 09:01 AM   #13
Registered Member
Join Date: Apr 2013
Posts: 81
OS: Win7 SP1 64 bit

Thank you so much for your assistance!!
atrdriver is offline  
Old 03-16-2016, 09:18 AM   #14
Security Team
Moderator, Analyst
Rangemaster, TSF Academy
Microsoft Most Valuable Professional
Join Date: Oct 2007
Location: Georgia
Posts: 29,790
OS: XP/Win7/Win10

You're very welcome, atrdriver! Glad to have helped.
chemist is offline  
Copyright 2001 - 2018, Tech Support Forum