Computer keeps crashing and runs slowly


95 replies to this topic

#1 winston66

    Advanced Member

  • 205 posts

Posted 30 March 2017 - 11:46 AM

Hi,

My computer keeps crashing and running slowly with slow scrolling and lots of whirring noises in the background. 

I've scanned with Malwarebytes and it hasn't found anything. I enclose the latest log, plus the others that you requested.

Windows Defender automatically deleted some infections.

I also ran RogueKiller and it kept crashing after about 12 minutes, having found 6 infections.

I tried it in safe mode and it completed, and I deleted the malware, but the problem persists, so I would be grateful for some help.

I enclose the logs:

 

Malwarebytes Anti-Malware
www.malwarebytes.org
 
Scan Date: 3/30/2017
Scan Time: 5:08 PM
Logfile: malwarebytes log.txt
Administrator: Yes
 
Version: 2.2.1.1043
Malware Database: v2017.03.30.05
Rootkit Database: v2017.03.11.01
License: Free
Malware Protection: Disabled
Malicious Website Protection: Disabled
Self-protection: Disabled
 
OS: Windows 10
CPU: x64
File System: NTFS
User: eddie
 
Scan Type: Threat Scan
Result: Completed
Objects Scanned: 459280
Time Elapsed: 40 min, 18 sec
 
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Warn
PUM: Enabled
 
Processes: 0
(No malicious items detected)
 
Modules: 0
(No malicious items detected)
 
Registry Keys: 0
(No malicious items detected)
 
Registry Values: 0
(No malicious items detected)
 
Registry Data: 0
(No malicious items detected)
 
Folders: 0
(No malicious items detected)
 
Files: 0
(No malicious items detected)
 
Physical Sectors: 0
(No malicious items detected)
 
 
(end)
 
Result of Security Analysis by Rocket Grannie (x86) Updated: 21st March, 2017
Running from:C:\Users\eddie\Downloads (18:06:26 - 03/30/2017)
***---------------------------------------------------------***
Microsoft Windows 10 Home X64
UAC is Enabled!
Internet Explorer 11
Default Browser: Microsoft Edge
***------------Antivirus - Antispyware - Firewall-----------***
Windows Firewall (Enabled)
*No other Firewall Installed*
***-------Security Programs - Browsers - Miscellaneous------***
Adobe Flash Player 24 NPAPI (version 24.0.0.221) is *out of Date*
Firefox (version 52)
Google Chrome (version 55)
Java (version 8.0.1210.13)
Microsoft Silverlight (version 5.1)
Opera (version 40)
 
Malwarebytes Anti-Malware version (version 2.2.1.1043) is *out of Date*
Windows Live Essentials (version 15.4.3502.0922) is *out of Date*
Windows Live Essentials (version 15.4.3502.0922) is *out of Date*
 
***----------------Analysis Complete-------------------------***
 
Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 15-03-2017
Ran by eddie (administrator) on EH (30-03-2017 17:00:41)
Running from C:\Users\eddie\Downloads
Loaded Profiles: eddie (Available Profiles: eddie & DefaultAppPool)
Platform: Windows 10 Home Version 1607 (X64) Language: English (United States)
Internet Explorer Version 11 (Default browser: Edge)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo...very-scan-tool/
 
==================== Processes (Whitelisted) =================
 
(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)
 
(Adobe Systems Incorporated) C:\Program Files (x86)\Common Files\Adobe\Adobe Desktop Common\ElevationManager\AdobeUpdateService.exe
(Adobe Systems, Incorporated) C:\Program Files (x86)\Common Files\Adobe\AdobeGCClient\AGSService.exe
(SEIKO EPSON CORPORATION) C:\ProgramData\EPSON\EPW!3 SSRP\E_S40RPB.EXE
(Microsoft Corporation) C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe
(SEIKO EPSON CORPORATION) C:\ProgramData\EPSON\EPW!3 SSRP\E_S40STB.EXE
(Dritek System Inc.) C:\Program Files (x86)\Launch Manager\dsiwmis.exe
(Microsoft Corporation) C:\Windows\System32\mqsvc.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\LMS\LMS.exe
(Microsoft Corporation) C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe
(NewTech Infosystems, Inc.) C:\Program Files (x86)\NewTech Infosystems\Acer Backup Manager\IScheduleSvc.exe
(Acer Incorporated) C:\Program Files\Acer\Acer Updater\UpdaterService.exe
(TeamViewer GmbH) C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe
(McAfee, Inc.) C:\Program Files\TrueKey\McTkSchedulerService.exe
(Microsoft Corporation) C:\Program Files\Windows Defender\MsMpEng.exe
(McAfee, Inc.) C:\Program Files\TrueKey\McAfee.TrueKey.Service.exe
(Microsoft Corporation) C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe
(Microsoft Corporation) C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe
(Microsoft Corporation) C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE
(Microsoft Corporation) C:\Program Files\Windows Defender\NisSrv.exe
(Intel Corporation) C:\Windows\System32\igfxtray.exe
(Intel Corporation) C:\Windows\System32\hkcmd.exe
(Intel Corporation) C:\Windows\System32\igfxpers.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
(Acer Incorporated) C:\Program Files\Acer\Acer ePower Management\ePowerTray.exe
(Microsoft Corporation) C:\Program Files\Windows Defender\MSASCuiL.exe
(Egis Technology Inc.) C:\Program Files (x86)\EgisTec IPS\PmmUpdate.exe
(Dritek System Inc.) C:\Program Files (x86)\Launch Manager\LManager.exe
(Oracle Corporation) C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
(Dritek System Inc.) C:\Program Files (x86)\Launch Manager\MMDx64Fx.exe
(Dritek System Inc.) C:\Program Files (x86)\Launch Manager\LMworker.exe
(Egis Technology Inc.) C:\Program Files (x86)\EgisTec IPS\EgisUpdate.exe
(Intel Corporation) C:\Windows\System32\igfxext.exe
(Intel Corporation) C:\Windows\System32\igfxsrvc.exe
(Google Inc.) C:\Program Files (x86)\Google\Update\1.3.32.7\GoogleCrashHandler.exe
(Google Inc.) C:\Program Files (x86)\Google\Update\1.3.32.7\GoogleCrashHandler64.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe
(Microsoft Corporation) C:\Program Files\Windows Defender\MpCmdRun.exe
() C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.12.112.0_x64__kzf8qxf38zg5c\SkypeHost.exe
(Microsoft Corporation) C:\Windows\System32\InstallAgent.exe
(Microsoft Corporation) C:\Windows\System32\InstallAgentUserBroker.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Microsoft Corporation) C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.1051_none_7f2bf7ea21d201b2\TiWorker.exe
(Microsoft Corporation) C:\Windows\System32\smartscreen.exe
(Microsoft Corporation) C:\Windows\SoftwareDistribution\Download\Install\AM_Delta_Patch_1.239.431.0.exe
(Microsoft Corporation) C:\Windows\System32\MpSigStub.exe
(Farbar) C:\Users\eddie\Downloads\FRST64 (1).exe
 
==================== Registry (Whitelisted) ====================
 
(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)
 
HKLM\...\Run: [RtHDVCpl] => C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe [10920552 2010-06-22] (Realtek Semiconductor)
HKLM\...\Run: [mwlDaemon] => C:\Program Files (x86)\EgisTec MyWinLocker\x86\mwlDaemon.exe [349552 2010-05-27] (Egis Technology Inc.)
HKLM\...\Run: [Acer ePower Management] => C:\Program Files\Acer\Acer ePower Management\ePowerTray.exe [860040 2011-01-05] (Acer Incorporated)
HKLM\...\Run: [WindowsDefender] => C:\Program Files\Windows Defender\MSASCuiL.exe [631808 2016-10-12] (Microsoft Corporation)
HKLM-x32\...\Run: [EgisUpdate] => C:\Program Files (x86)\EgisTec IPS\EgisUpdate.exe [201584 2010-03-11] (Egis Technology Inc.)
HKLM-x32\...\Run: [EgisTecPMMUpdate] => C:\Program Files (x86)\EgisTec IPS\PmmUpdate.exe [407920 2010-03-11] (Egis Technology Inc.)
HKLM-x32\...\Run: [LManager] => C:\Program Files (x86)\Launch Manager\LManager.exe [975952 2010-08-10] (Dritek System Inc.)
HKLM-x32\...\Run: [Adobe Creative Cloud] => C:\Program Files (x86)\Adobe\Adobe Creative Cloud\ACC\Creative Cloud.exe [2313408 2016-04-07] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [SunJavaUpdateSched] => C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe [587288 2016-12-12] (Oracle Corporation)
Winlogon\Notify\igfxcui: C:\WINDOWS\system32\igfxdev.dll (Intel Corporation)
HKLM\...\Policies\Explorer: [NoDevMgrUpdate] 0
HKLM\...\Policies\Explorer: [NoSetTaskbar] 0
HKLM\...\Policies\Explorer: [NoDeletePrinter] 0
HKLM\...\Policies\Explorer: [NoDFSTab] 0
HKLM\...\Policies\Explorer: [NoChangeStartMenu] 0
HKLM\...\Policies\Explorer: [NoEncryptOnMove] 0
HKLM\...\Policies\Explorer: [NoRunasInstallPrompt] 0
HKLM\...\Policies\Explorer: [NoResolveSearch] 0
HKLM\...\Policies\Explorer: [NoHardwareTab] 0
HKLM\...\Policies\Explorer: [NoStartMenuSubFolders] 0
HKU\S-1-5-21-430072569-3085444723-2816121149-1000\...\Run: [SpybotPostWindows10UpgradeReInstall] => C:\Program Files\Common Files\AV\Spybot - Search and Destroy\Test.exe [1011200 2015-07-28] (Safer-Networking Ltd.)
HKU\S-1-5-21-430072569-3085444723-2816121149-1000\...\Policies\Explorer: [NoDevMgrUpdate] 0
HKU\S-1-5-21-430072569-3085444723-2816121149-1000\...\Policies\Explorer: [NoSetTaskbar] 0
HKU\S-1-5-21-430072569-3085444723-2816121149-1000\...\Policies\Explorer: [NoDeletePrinter] 0
HKU\S-1-5-21-430072569-3085444723-2816121149-1000\...\Policies\Explorer: [NoDFSTab] 0
HKU\S-1-5-21-430072569-3085444723-2816121149-1000\...\Policies\Explorer: [NoChangeStartMenu] 0
HKU\S-1-5-21-430072569-3085444723-2816121149-1000\...\Policies\Explorer: [NoEncryptOnMove] 0
HKU\S-1-5-21-430072569-3085444723-2816121149-1000\...\Policies\Explorer: [NoRunasInstallPrompt] 0
HKU\S-1-5-21-430072569-3085444723-2816121149-1000\...\Policies\Explorer: [NoResolveSearch] 0
HKU\S-1-5-21-430072569-3085444723-2816121149-1000\...\Policies\Explorer: [NoHardwareTab] 0
HKU\S-1-5-21-430072569-3085444723-2816121149-1000\...\Policies\Explorer: [NoStartMenuSubFolders] 0
HKU\S-1-5-21-430072569-3085444723-2816121149-1000\...\Policies\Explorer: [NoInternetOpenWith] 1
HKU\S-1-5-21-430072569-3085444723-2816121149-1000\Control Panel\Desktop\\SCRNSAVE.EXE -> C:\Windows\System32\Acer.scr [453152 2009-12-24] ()
Lsa: [Notification Packages] scecli C:\Program Files\TrueKey\McAfeeTrueKeyPasswordFilter
ShellIconOverlayIdentifiers: [ AccExtIco1] -> {AB9CF9F8-8A96-4F9D-BF21-CE85714C3A47} => C:\Program Files (x86)\Adobe\Adobe Creative Cloud\CoreSyncExtension\CoreSync_x64.dll [2016-04-01] ()
ShellIconOverlayIdentifiers: [ AccExtIco2] -> {853B7E05-C47D-4985-909A-D0DC5C6D7303} => C:\Program Files (x86)\Adobe\Adobe Creative Cloud\CoreSyncExtension\CoreSync_x64.dll [2016-04-01] ()
ShellIconOverlayIdentifiers: [ AccExtIco3] -> {42D38F2E-98E9-4382-B546-E24E4D6D04BB} => C:\Program Files (x86)\Adobe\Adobe Creative Cloud\CoreSyncExtension\CoreSync_x64.dll [2016-04-01] ()
ShellIconOverlayIdentifiers: [egisPSDP] -> {30A0A3F6-38AC-4C53-BB8B-0D95238E25BA} => C:\Program Files (x86)\EgisTec MyWinLocker\x64\psdprotect.dll [2010-05-27] (Egis Technology Inc.)
ShellIconOverlayIdentifiers-x32: [egisPSDP] -> {30A0A3F6-38AC-4C53-BB8B-0D95238E25BA} => C:\Program Files (x86)\EgisTec MyWinLocker\x86\psdprotect.dll [2010-05-27] (Egis Technology Inc.)
 
==================== Internet (Whitelisted) ====================
 
(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)
 
Tcpip\Parameters: [DhcpNameServer] 192.168.1.1 192.168.1.1
Tcpip\..\Interfaces\{604d8546-b3f4-4103-98c2-eb0147a643e1}: [DhcpNameServer] 192.168.1.1 192.168.1.1
Tcpip\..\Interfaces\{c7df49a0-6ed0-4cbe-a411-31ab0cafdee1}: [DhcpNameServer] 192.168.1.1
 
Internet Explorer:
==================
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
HKU\.DEFAULT\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
HKU\S-1-5-21-430072569-3085444723-2816121149-1000\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=msnhome
HKU\S-1-5-21-430072569-3085444723-2816121149-1000\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKU\S-1-5-21-430072569-3085444723-2816121149-1000\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://go.microsoft.com/fwlink/?LinkID=617910&ResetID=131351051986745399&GUID=1CF400F0-D723-4B12-9630-2C62121F22A3
SearchScopes: HKU\S-1-5-21-430072569-3085444723-2816121149-1000 -> {012E1000-F331-11DB-8314-0800200C9A66} URL = hxxp://www.google.com/search?q={searchTerms}
SearchScopes: HKU\S-1-5-21-430072569-3085444723-2816121149-1000 -> {3411790C-FE37-4FB4-AE93-875EC539C513} URL = hxxps://fr.search.yahoo.com/search?p={searchTerms}&intl=fr&fr=yset_ie_syc_oracle&type=orcl_default&partnerexternal-oracle=external-oracle
BHO-x32: True Key Helper -> {0F4B8786-5502-4803-8EBC-F652A1153BB6} -> C:\Program Files\Intel Security\True Key\MSIE\truekey_ie.dll [2017-02-08] (Intel Security)
BHO-x32: Java™ Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files (x86)\Java\jre1.8.0_121\bin\ssv.dll [2017-01-27] (Oracle Corporation)
BHO-x32: Java™ Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files (x86)\Java\jre1.8.0_121\bin\jp2ssv.dll [2017-01-27] (Oracle Corporation)
Toolbar: HKLM-x32 - True Key - {4BAAC1B8-0800-42C9-8FA6-08B211F356B8} - C:\Program Files\Intel Security\True Key\MSIE\truekey_ie.dll [2017-02-08] (Intel Security)
DPF: HKLM-x32 {E2883E8F-472F-4FB0-9522-AC9BF37916A7} hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
 
FireFox:
========
FF DefaultProfile: vxxzpzjj.Default User
FF ProfilePath: C:\Users\eddie\AppData\Roaming\Mozilla\Firefox\Profiles\wrbmdaum.default-1401536782745 [2017-03-30]
FF NewTab: Mozilla\Firefox\Profiles\wrbmdaum.default-1401536782745 -> about:newtab
FF ProfilePath: C:\Users\eddie\AppData\Roaming\Mozilla\Firefox\Profiles\mqpc19y9.default-1419782358567 [2016-11-16]
FF NewTab: Mozilla\Firefox\Profiles\mqpc19y9.default-1419782358567 -> about:newtab
FF Extension: (Flash Protected-Mode Testing) - C:\Users\eddie\AppData\Roaming\Mozilla\Firefox\Profiles\mqpc19y9.default-1419782358567\Extensions\flash-protectedmode-beta35@experiments.mozilla.org.xpi [2014-12-28] [not signed]
FF ProfilePath: C:\Users\eddie\AppData\Roaming\Mozilla\Firefox\Profiles\hrycc2jf.default-1426499126421 [2016-11-16]
FF NewTab: Mozilla\Firefox\Profiles\hrycc2jf.default-1426499126421 -> about:newtab
FF ProfilePath: C:\Users\eddie\AppData\Roaming\Mozilla\Firefox\Profiles\iivakdjh.default-1432626449904 [2016-11-16]
FF NewTab: Mozilla\Firefox\Profiles\iivakdjh.default-1432626449904 -> about:newtab
FF ProfilePath: C:\Users\eddie\AppData\Roaming\Mozilla\Firefox\Profiles\mjwkykkj.default-1434305276277 [2016-11-16]
FF ProfilePath: C:\Users\eddie\AppData\Roaming\Mozilla\Firefox\Profiles\vxxzpzjj.Default User [2017-03-30]
FF Extension: (Bitdefender QuickScan) - C:\Users\eddie\AppData\Roaming\Mozilla\Firefox\Profiles\vxxzpzjj.Default User\Extensions\{e001c731-5e37-4538-a5cb-8168736a2360} [2016-11-11]
FF Extension: (Site Deployment Checker) - C:\Users\eddie\AppData\Roaming\Mozilla\Firefox\Profiles\vxxzpzjj.Default User\features\{07d78b7f-274d-4696-80a5-b61049bd3835}\deployment-checker@mozilla.org.xpi [2017-03-30]
FF Extension: (Java Console) - C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0033-ABCDEFFEDCBA} [2017-03-08] [not signed]
FF Extension: (Java Console) - C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0035-ABCDEFFEDCBA} [2017-03-08] [not signed]
FF Extension: (Site Deployment Checker) - C:\Program Files (x86)\Mozilla Firefox\browser\features\deployment-checker@mozilla.org.xpi [2017-03-30] [not signed]
FF Plugin: @adobe.com/FlashPlayer -> C:\WINDOWS\system32\Macromed\Flash\NPSWF64_24_0_0_221.dll [2017-03-08] ()
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files\Microsoft Silverlight\5.1.50905.0\npctrl.dll [2017-02-10] ( Microsoft Corporation)
FF Plugin: adobe.com/AdobeAAMDetect -> C:\Program Files (x86)\Adobe\Adobe Creative Cloud\Utils\npAdobeAAMDetect64.dll [2016-04-07] (Adobe Systems)
FF Plugin-x32: @adobe.com/FlashPlayer -> C:\WINDOWS\SysWoW64\Macromed\Flash\NPSWF32_24_0_0_221.dll [2017-03-08] ()
FF Plugin-x32: @java.com/DTPlugin,version=11.121.2 -> C:\Program Files (x86)\Java\jre1.8.0_121\bin\dtplugin\npDeployJava1.dll [2017-01-27] (Oracle Corporation)
FF Plugin-x32: @java.com/JavaPlugin,version=11.121.2 -> C:\Program Files (x86)\Java\jre1.8.0_121\bin\plugin2\npjp2.dll [2017-01-27] (Oracle Corporation)
FF Plugin-x32: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files (x86)\Microsoft Silverlight\5.1.50905.0\npctrl.dll [2017-02-10] ( Microsoft Corporation)
FF Plugin-x32: @microsoft.com/WLPG,version=15.4.3502.0922 -> C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll [2010-11-10] (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/WLPG,version=15.4.3508.1109 -> C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll [2010-11-10] (Microsoft Corporation)
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.32.7\npGoogleUpdate3.dll [2017-03-30] (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.32.7\npGoogleUpdate3.dll [2017-03-30] (Google Inc.)
FF Plugin-x32: Adobe Reader -> C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AIR\nppdf32.dll [2016-12-23] (Adobe Systems Inc.)
FF Plugin-x32: adobe.com/AdobeAAMDetect -> C:\Program Files (x86)\Adobe\Adobe Creative Cloud\Utils\npAdobeAAMDetect32.dll [2016-04-07] (Adobe Systems)
 
Chrome: 
=======
CHR DefaultSearchURL: Default -> hxxps://search.yahoo.com/search?p={searchTerms}&fr=yset_chr_syc_oracle&type=default
CHR DefaultSearchKeyword: Default -> Yahoo
CHR DefaultSuggestURL: Default -> hxxps://search.yahoo.com/sugg/ie?output=fxjson&command={searchTerms}&nResults=10
CHR Profile: C:\Users\eddie\AppData\Local\Google\Chrome\User Data\Default [2017-03-30]
CHR Extension: (Google Docs) - C:\Users\eddie\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake [2017-03-28]
CHR Extension: (Google Drive) - C:\Users\eddie\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2017-03-28]
CHR Extension: (YouTube) - C:\Users\eddie\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2017-03-28]
CHR Extension: (Yahoo Partner) - C:\Users\eddie\AppData\Local\Google\Chrome\User Data\Default\Extensions\fdbpcigaolookbahgdofnimidinicfid [2017-03-28]
CHR Extension: (Google Docs Offline) - C:\Users\eddie\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi [2017-03-28]
CHR Extension: (Chrome Web Store Payments) - C:\Users\eddie\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2017-03-28]
CHR Extension: (Gmail) - C:\Users\eddie\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2017-03-28]
CHR Extension: (Chrome Media Router) - C:\Users\eddie\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm [2017-03-28]
CHR HKLM-x32\...\Chrome\Extension: [efaidnbmnnnibpcajpcglclefindmkaj] - hxxps://clients2.google.com/service/update2/crx
CHR HKLM-x32\...\Chrome\Extension: [fdbpcigaolookbahgdofnimidinicfid] - hxxps://clients2.google.com/service/update2/crx
 
==================== Services (Whitelisted) ====================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
R2 AdobeUpdateService; C:\Program Files (x86)\Common Files\Adobe\Adobe Desktop Common\ElevationManager\AdobeUpdateService.exe [694464 2016-04-07] (Adobe Systems Incorporated)
R2 AGSService; C:\Program Files (x86)\Common Files\Adobe\AdobeGCClient\AGSService.exe [2227312 2017-02-27] (Adobe Systems, Incorporated)
S3 MWLService; C:\Program Files (x86)\EgisTec MyWinLocker\x86\MWLService.exe [305520 2010-05-27] (Egis Technology Inc.)
R2 TeamViewer; C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe [7183632 2016-07-18] (TeamViewer GmbH)
R2 TrueKey; C:\Program Files\TrueKey\McAfee.TrueKey.Service.exe [996824 2017-02-06] (McAfee, Inc.)
R2 TrueKeyScheduler; C:\Program Files\TrueKey\McTkSchedulerService.exe [16248 2017-02-06] (McAfee, Inc.)
S3 TrueKeyServiceHelper; C:\Program Files\TrueKey\McAfee.TrueKey.ServiceHelper.exe [86864 2017-02-06] (McAfee, Inc.)
R3 WdNisSvc; C:\Program Files\Windows Defender\NisSrv.exe [347328 2016-07-16] (Microsoft Corporation)
R2 WinDefend; C:\Program Files\Windows Defender\MsMpEng.exe [103712 2017-03-04] (Microsoft Corporation)
S2 InstallerService; C:\Program Files\TrueKey\Mcafee.TrueKey.InstallerService.exe -originalversion 4.4.127.0 [X]
 
===================== Drivers (Whitelisted) ======================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
R1 epp; C:\PROGRAM FILES\EMSISOFT ANTI-MALWARE\epp.sys [115832 2016-07-21] (Emsisoft Ltd)
S3 MEMOQDRV; C:\WINDOWS\System32\drivers\memoqdrv.sys [30584 2010-01-20] (BCPC)
R1 MpKsl67a4976d; C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{61559E1F-80DA-44F7-AD03-5712E8CE0B30}\MpKsl67a4976d.sys [44928 2017-03-30] (Microsoft Corporation)
S3 NetAdapterCx; C:\WINDOWS\System32\drivers\NetAdapterCx.sys [90624 2016-07-16] ()
S3 PSKMAD; C:\WINDOWS\System32\DRIVERS\PSKMAD.sys [47632 2013-04-29] (Panda Security, S.L.)
U3 TrueSight; C:\Windows\System32\drivers\TrueSight.sys [28272 2017-03-30] ()
S0 WdBoot; C:\WINDOWS\System32\drivers\WdBoot.sys [44056 2016-07-16] (Microsoft Corporation)
R0 WdFilter; C:\WINDOWS\System32\drivers\WdFilter.sys [290144 2016-07-16] (Microsoft Corporation)
R3 WdNisDrv; C:\WINDOWS\System32\Drivers\WdNisDrv.sys [123232 2016-07-16] (Microsoft Corporation)
R1 ZAM_Guard; C:\WINDOWS\System32\drivers\zamguard64.sys [203680 2017-03-30] (Zemana Ltd.)
U3 idsvc; no ImagePath
S1 ZAM; \??\C:\WINDOWS\System32\drivers\zam64.sys [X]
 
==================== NetSvcs (Whitelisted) ===================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
 
==================== One Month Created files and folders ========
 
(If an entry is included in the fixlist, the file/folder will be moved.)
 
2017-03-30 17:00 - 2017-03-30 17:00 - 02424832 _____ (Farbar) C:\Users\eddie\Downloads\FRST64 (1).exe
2017-03-30 16:59 - 2017-03-30 16:59 - 01766912 _____ (Farbar) C:\Users\eddie\Downloads\FRST.exe
2017-03-30 16:43 - 2017-03-30 16:44 - 00524248 _____ (F-Secure Corporation) C:\Users\eddie\Downloads\6E39.tmp
2017-03-30 16:43 - 2017-03-30 16:43 - 00524248 _____ (F-Secure Corporation) C:\Users\eddie\Downloads\D4B3.tmp
2017-03-30 15:30 - 2017-03-30 15:31 - 05766464 _____ (Zemana Ltd. ) C:\Users\eddie\Downloads\Zemana.AntiMalware.Setup (1).exe
2017-03-30 15:27 - 2017-03-30 15:27 - 00203680 _____ (Zemana Ltd.) C:\WINDOWS\system32\Drivers\zamguard64.sys
2017-03-30 15:26 - 2017-03-30 15:26 - 05766464 _____ (Zemana Ltd. ) C:\Users\eddie\Downloads\Zemana.AntiMalware.Setup.exe
2017-03-30 12:27 - 2017-03-30 12:28 - 32824320 _____ (Tweaking.com) C:\Users\eddie\Downloads\tweaking.com_windows_repair_aio_setup (1).exe
2017-03-30 09:46 - 2017-03-30 09:46 - 35099168 _____ (Adlice Software ) C:\Users\eddie\Downloads\setup (3).exe
2017-03-30 09:43 - 2017-03-30 10:02 - 00001295 _____ C:\Users\eddie\Desktop\Google Chrome.lnk
2017-03-30 09:25 - 2017-03-30 09:47 - 00000903 _____ C:\Users\Public\Desktop\RogueKiller.lnk
2017-03-30 09:24 - 2017-03-30 09:25 - 35099168 _____ (Adlice Software ) C:\Users\eddie\Downloads\setup (2).exe
2017-03-30 09:14 - 2017-03-30 09:16 - 35099168 _____ (Adlice Software ) C:\Users\eddie\Downloads\setup.exe
2017-03-30 08:40 - 2017-03-30 08:40 - 00002348 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome.lnk
2017-03-30 08:40 - 2017-03-30 08:40 - 00002336 _____ C:\Users\Public\Desktop\Google Chrome.lnk
2017-03-30 08:39 - 2017-03-30 08:39 - 00003416 _____ C:\WINDOWS\System32\Tasks\GoogleUpdateTaskMachineUA
2017-03-30 08:39 - 2017-03-30 08:39 - 00003292 _____ C:\WINDOWS\System32\Tasks\GoogleUpdateTaskMachineCore
2017-03-29 22:03 - 2017-03-29 22:04 - 04089296 _____ C:\Users\eddie\Downloads\4AC9.tmp
2017-03-29 22:03 - 2017-03-29 22:03 - 04089296 _____ C:\Users\eddie\Downloads\4A3B.tmp
2017-03-29 17:10 - 2017-03-29 17:10 - 04089296 _____ C:\Users\eddie\Downloads\AdwCleaner (10).exe
2017-03-29 15:55 - 2017-03-29 15:55 - 00134301 _____ C:\Users\eddie\Downloads\blank_tshirt_v2_red.pdf
2017-03-29 15:52 - 2017-03-29 15:52 - 00161723 _____ C:\Users\eddie\Downloads\T-Shirt (6).pdf
2017-03-28 18:58 - 2017-03-28 18:58 - 04031440 _____ C:\Users\eddie\Downloads\AdwCleaner (9).exe
2017-03-27 17:44 - 2017-03-30 09:47 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\RogueKiller
2017-03-27 17:44 - 2017-03-30 09:47 - 00000000 ____D C:\Program Files\RogueKiller
2017-03-27 17:42 - 2017-03-27 17:43 - 35099168 _____ (Adlice Software ) C:\Users\eddie\Downloads\setup (1).exe
2017-03-27 17:24 - 2017-03-27 17:25 - 04031440 _____ C:\Users\eddie\Downloads\AdwCleaner (8).exe
2017-03-26 18:46 - 2017-03-26 18:46 - 01535288 _____ C:\Users\eddie\Downloads\eage_2015_-_a_geophysical_workflow_for_effective_prospect_assessment_-_case_study_-_henke_-hassan.pdf
2017-03-26 15:07 - 2017-03-26 15:07 - 00000207 _____ C:\WINDOWS\tweaking.com-regbackup-EH-Windows-10-Home-(64-bit).dat
2017-03-26 15:07 - 2017-03-26 15:07 - 00000000 ____D C:\RegBackup
2017-03-26 14:08 - 2017-03-30 12:32 - 00000214 _____ C:\WINDOWS\Tasks\CreateExplorerShellUnelevatedTask.job
2017-03-26 14:04 - 2017-03-30 12:29 - 00381154 _____ C:\WINDOWS\Tweaking.com - Windows Repair Setup Log.txt
2017-03-26 14:04 - 2017-03-26 14:04 - 00000000 ____D C:\Program Files (x86)\Tweaking.com
2017-03-26 14:03 - 2017-03-26 14:04 - 32824320 _____ (Tweaking.com) C:\Users\eddie\Downloads\tweaking.com_windows_repair_aio_setup.exe
2017-03-26 13:24 - 2017-03-26 13:24 - 04031440 _____ C:\Users\eddie\Downloads\AdwCleaner (7).exe
2017-03-26 09:33 - 2017-03-26 09:33 - 00536520 _____ (Hola Networks Ltd.) C:\Users\eddie\Downloads\Hola-Setup (1).exe
2017-03-25 18:56 - 2017-03-25 18:56 - 04031440 _____ C:\Users\eddie\Downloads\AdwCleaner (6).exe
2017-03-25 18:51 - 2017-03-25 18:52 - 04031440 _____ C:\Users\eddie\Downloads\AdwCleaner (5).exe
2017-03-24 21:02 - 2017-03-24 21:02 - 04031440 _____ C:\Users\eddie\Downloads\AdwCleaner (4).exe
2017-03-24 20:21 - 2017-03-24 20:21 - 11141180 _____ C:\Users\eddie\Desktop\R0003.wav
2017-03-24 16:44 - 2017-03-24 16:44 - 00041689 _____ C:\Users\eddie\Downloads\wetransfer-d5c195.zip
2017-03-24 16:43 - 2017-03-24 16:43 - 00021366 _____ C:\Users\eddie\Downloads\Win7_64bit.zip
2017-03-21 15:56 - 2017-03-21 15:57 - 04031440 _____ C:\Users\eddie\Downloads\AdwCleaner (3).exe
2017-03-20 20:42 - 2017-03-20 20:42 - 04031440 _____ C:\Users\eddie\Downloads\AdwCleaner (2).exe
2017-03-19 17:54 - 2017-03-19 17:55 - 04031440 _____ C:\Users\eddie\Downloads\AdwCleaner (1).exe
2017-03-19 17:48 - 2017-03-19 17:48 - 04031440 _____ C:\Users\eddie\Downloads\AdwCleaner.exe
2017-03-19 10:45 - 2017-03-19 10:45 - 00536520 _____ (Hola Networks Ltd.) C:\Users\eddie\Downloads\Hola-Setup.exe
2017-03-19 10:43 - 2017-03-19 10:44 - 01281696 _____ (UCWeb Inc.) C:\Users\eddie\Downloads\UCBrowser_V6.1.2015.1007_windows_pf101_(Build17022118).exe
2017-03-15 21:32 - 2017-03-04 09:40 - 00965472 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\ReAgent.dll
2017-03-15 21:32 - 2017-03-04 09:09 - 01969912 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\hevcdecoder.dll
2017-03-15 21:32 - 2017-03-04 09:04 - 01362512 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\wmpmde.dll
2017-03-15 21:32 - 2017-03-04 09:02 - 00184416 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\IPHLPAPI.DLL
2017-03-15 21:32 - 2017-03-04 08:56 - 00263472 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\Windows.Storage.ApplicationData.dll
2017-03-15 21:32 - 2017-03-04 08:53 - 02256080 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\iertutil.dll
2017-03-15 21:32 - 2017-03-04 08:53 - 01431232 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\Windows.ApplicationModel.Store.dll
2017-03-15 21:32 - 2017-03-04 08:53 - 00975744 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\twinapi.appcore.dll
2017-03-15 21:32 - 2017-03-04 08:53 - 00861024 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\LicenseManager.dll
2017-03-15 21:32 - 2017-03-04 08:53 - 00781152 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\WWAHost.exe
2017-03-15 21:32 - 2017-03-04 08:53 - 00493912 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\SettingSyncHost.exe
2017-03-15 21:32 - 2017-03-04 08:52 - 00549088 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\SHCore.dll
2017-03-15 21:32 - 2017-03-04 08:52 - 00272720 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\wintrust.dll
2017-03-15 21:32 - 2017-03-04 08:47 - 20969928 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\shell32.dll
2017-03-15 21:32 - 2017-03-04 08:47 - 06667528 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\Windows.Media.Protection.PlayReady.dll
2017-03-15 21:32 - 2017-03-04 08:47 - 01557808 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\winmde.dll


#2 Android 8888

    SWI Malware Tracker

  • Helper
  • 976 posts

Posted 30 March 2017 - 04:51 PM

Hello winston66 and welcome to SpywareInfo Forum.
I'm Android 8888 and I'll be helping you. Please ask questions if anything is unclear.

I see you have TeamViewer installed. This is a remote access program, and is a potential risk if unneeded or unused. If not needed, I would recommend uninstalling it. If you decide to keep it, be sure you have a strong password of at least 8 characters (more is better), including at least one lower case letter, one upper case letter, at least one number, and at least one special character (upper case on the number keys).


Please remove the following extensions from Google Chrome:
Chrome Web Store Payments
Chrome Media Router
 
Click on the Chrome menu (the icon with three vertical dots) on the browser toolbar.
Click Tools and select Extensions.
Click the trash can icon in Chrome Web Store Payments and Chrome Media Router.
A confirmation dialog appears, click Remove.

 

Next,

 

Please perform the following fix with FRST.

NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system.

Press the Windows key + r on your keyboard at the same time. This will open the RUN BOX.
Type Notepad and click the OK button.
Please copy the entire contents of the code box below. To do this highlight the contents of the box and right click on it and select Copy.
Paste this into the open Notepad.
 

Start
CloseProcesses:
CreateRestorePoint:
EmptyTemp:
HKLM\...\Policies\Explorer: [NoDevMgrUpdate] 0
HKLM\...\Policies\Explorer: [NoSetTaskbar] 0
HKLM\...\Policies\Explorer: [NoDeletePrinter] 0
HKLM\...\Policies\Explorer: [NoDFSTab] 0
HKLM\...\Policies\Explorer: [NoChangeStartMenu] 0
HKLM\...\Policies\Explorer: [NoEncryptOnMove] 0
HKLM\...\Policies\Explorer: [NoRunasInstallPrompt] 0
HKLM\...\Policies\Explorer: [NoResolveSearch] 0
HKLM\...\Policies\Explorer: [NoHardwareTab] 0
HKLM\...\Policies\Explorer: [NoStartMenuSubFolders] 0
HKU\S-1-5-21-430072569-3085444723-2816121149-1000\...\Policies\Explorer: [NoDevMgrUpdate] 0
HKU\S-1-5-21-430072569-3085444723-2816121149-1000\...\Policies\Explorer: [NoSetTaskbar] 0
HKU\S-1-5-21-430072569-3085444723-2816121149-1000\...\Policies\Explorer: [NoDeletePrinter] 0
HKU\S-1-5-21-430072569-3085444723-2816121149-1000\...\Policies\Explorer: [NoDFSTab] 0
HKU\S-1-5-21-430072569-3085444723-2816121149-1000\...\Policies\Explorer: [NoChangeStartMenu] 0
HKU\S-1-5-21-430072569-3085444723-2816121149-1000\...\Policies\Explorer: [NoEncryptOnMove] 0
HKU\S-1-5-21-430072569-3085444723-2816121149-1000\...\Policies\Explorer: [NoRunasInstallPrompt] 0
HKU\S-1-5-21-430072569-3085444723-2816121149-1000\...\Policies\Explorer: [NoResolveSearch] 0
HKU\S-1-5-21-430072569-3085444723-2816121149-1000\...\Policies\Explorer: [NoHardwareTab] 0
HKU\S-1-5-21-430072569-3085444723-2816121149-1000\...\Policies\Explorer: [NoStartMenuSubFolders] 0
HKU\S-1-5-21-430072569-3085444723-2816121149-1000\...\Policies\Explorer: [NoInternetOpenWith] 1
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
HKU\.DEFAULT\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
HKU\S-1-5-21-430072569-3085444723-2816121149-1000\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=msnhome
HKU\S-1-5-21-430072569-3085444723-2816121149-1000\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKU\S-1-5-21-430072569-3085444723-2816121149-1000\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://go.microsoft.com/fwlink/?LinkID=617910&ResetID=131351051986745399&GUID=1CF400F0-D723-4B12-9630-2C62121F22A3
SearchScopes: HKU\S-1-5-21-430072569-3085444723-2816121149-1000 -> {3411790C-FE37-4FB4-AE93-875EC539C513} URL = hxxps://fr.search.yahoo.com/search?p={searchTerms}&intl=fr&fr=yset_ie_syc_oracle&type=orcl_default&partnerexternal-oracle=external-oracle
FF NewTab: Mozilla\Firefox\Profiles\wrbmdaum.default-1401536782745 -> about:newtab
FF NewTab: Mozilla\Firefox\Profiles\mqpc19y9.default-1419782358567 -> about:newtab
FF NewTab: Mozilla\Firefox\Profiles\hrycc2jf.default-1426499126421 -> about:newtab
FF NewTab: Mozilla\Firefox\Profiles\iivakdjh.default-1432626449904 -> about:newtab
FF Extension: (Java Console) - C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0035-ABCDEFFEDCBA} [2017-03-08] [not signed]
CHR DefaultSearchURL: Default -> hxxps://search.yahoo.com/search?p={searchTerms}&fr=yset_chr_syc_oracle&type=default
CHR DefaultSearchKeyword: Default -> Yahoo
CHR DefaultSuggestURL: Default -> hxxps://search.yahoo.com/sugg/ie?output=fxjson&command={searchTerms}&nResults=10
CHR Extension: (Chrome Web Store Payments) - C:\Users\eddie\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2017-03-28]
CHR Extension: (Chrome Media Router) - C:\Users\eddie\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm [2017-03-28]
S2 InstallerService; C:\Program Files\TrueKey\Mcafee.TrueKey.InstallerService.exe -originalversion 4.4.127.0 [X]
U3 idsvc; no ImagePath
S1 ZAM; \??\C:\WINDOWS\System32\drivers\zam64.sys [X]
Task: {155FD0C4-E86E-408A-B17F-3A9E3069C662} - \Microsoft\Windows\Setup\GWXTriggers\OutOfIdle-5d -> No File <==== ATTENTION
Task: {18DB92AF-9F76-43C9-A8A9-B6F2E32A7BBC} - \Microsoft\Windows\Setup\GWXTriggers\Time-Weekend -> No File <==== ATTENTION
Task: {198CC7EB-AB2F-4A07-B3A2-6E3539906430} - \OfficeSoftwareProtectionPlatform\SvcRestartTask -> No File <==== ATTENTION
Task: {21DC01BF-78F9-4BE5-9E0D-A064CD9884C7} - \Microsoft\Windows\Setup\GWXTriggers\ScheduleUpgradeTime -> No File <==== ATTENTION
Task: {27FFD92F-3382-47E9-B6B6-B33D557980CB} - \Microsoft\Windows\Setup\GWXTriggers\OnIdle-5d -> No File <==== ATTENTION
Task: {2C140CCA-F1F4-453B-A078-2CA84D04C9FA} - \Microsoft\Windows\Setup\gwx\refreshgwxconfigandcontent -> No File <==== ATTENTION
Task: {32DB4263-CCE9-48EB-A403-E06C2250BBBD} - \Microsoft\Windows\Setup\GWXTriggers\OutOfSleep-5d -> No File <==== ATTENTION
Task: {3EB1BA3B-FD23-4B59-ACD4-F48BD54C71D7} - \Microsoft\Windows\Setup\gwx\refreshgwxcontent -> No File <==== ATTENTION
Task: {658A9CE7-38CF-4DF7-835A-E575BD554FD6} - \Microsoft\Windows\Setup\gwx\launchtrayprocess -> No File <==== ATTENTION
Task: {67508C3D-C2B5-42D0-B8AC-2B074AEA569B} - \Microsoft\Windows\Setup\GWXTriggers\Time-5d -> No File <==== ATTENTION
Task: {9DB0208C-AD66-4E78-8607-7367AB17356A} - \Microsoft\Windows\Setup\gwx\refreshgwxconfig -> No File <==== ATTENTION
Task: {AEB18A8B-A9FC-464D-8802-602CC2863E10} - \Microsoft\Windows\Setup\GWXTriggers\MachineUnlock-5d -> No File <==== ATTENTION
Task: {D4B0B0D2-B2F1-4863-B666-7F0FC4DF1A25} - \Microsoft\Windows\Setup\GWXTriggers\refreshgwxconfig-B -> No File <==== ATTENTION
Task: {D653D269-49D1-464C-93E6-1A0383D6F4D9} - \Microsoft\Windows\Setup\GWXTriggers\Logon-5d -> No File <==== ATTENTION
Task: {D65E8FFC-CA1A-4D2B-82B4-83372694C92E} - \Microsoft\Windows\Setup\GWXTriggers\ScheduleUpgradeReminderTime -> No File <==== ATTENTION
Task: {FAFAD28F-810B-47E3-B1BA-41F12F737192} - \Microsoft\Windows\Setup\gwx\rundetector -> No File <==== ATTENTION
ShortcutWithArgument: C:\Users\Public\Desktop\Acer Accessory Store.lnk -> C:\Program Files\Acer Accessory Store\StartURL.exe () -> hxxp://store.acer-euro.com/gb?utm_source=Icon&utm_medium=Icon&utm_campaign=Acer%2BInternal
AlternateDataStreams: C:\Users\eddie\Downloads\cispremium_only_installer (1).exe:$CmdTcID [64]
AlternateDataStreams: C:\Users\eddie\Downloads\cispremium_only_installer (1).exe:$CmdZnID [26]
127.0.0.1 localhost
FirewallRules: [{1879679C-0274-47E4-B133-743AD754987D}] => (Allow) C:\Program Files (x86)\AVG\AVG2012\avgmfapx.exe
FirewallRules: [{54E87D07-11A7-4CCC-8109-A54FC5166667}] => (Allow) C:\Program Files (x86)\AVG\AVG2012\avgmfapx.exe
FirewallRules: [{3D3EDE53-75E3-42B9-9624-302767880E13}] => (Allow) C:\Program Files (x86)\AVG\AVG2013\avgmfapx.exe
FirewallRules: [{EE77EDF0-E3B2-4F83-AFF1-E682B0549268}] => (Allow) C:\Program Files (x86)\AVG\AVG2013\avgmfapx.exe
C:\Program Files (x86)\AVG\AVG2012\avgmfapx.exe
C:\Program Files (x86)\AVG\AVG2012
C:\Program Files (x86)\AVG\AVG2013\avgmfapx.exe
C:\Program Files (x86)\AVG\AVG2013
C:\Program Files (x86)\AVG
End

Save the file as fixlist.txt in to the same folder as FRST64.
Right-click the FRST64 icon and select Run as administrator to run the tool.
Click the Fix button only once and wait.
When finished FRST will generate a log on the Desktop (fixlog.txt). Please post it in your next reply.

NOTE. It's important that both files, FRST64 and fixlist.txt are in the same location or the fix will not work.

If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.
 

 

Please download Malwarebytes Anti-Rootkit BETA and save it to your Desktop.

  • Right-click on the icon and select Run as administrator to start the extraction of the program;
  • Click Yes to accept the security warning that may appear;
  • Click OK to extract it to your Desktop (MBAR will be launched shortly after the extraction);
  • Click on Next, and then on the Update button to let it update its database. Once the database has been successfully updated, click on Next;
  • Make sure all the checkboxes are checked, then click on the Scan button, and let it complete its scan (this can take a while);
  • Once the scan is done, if threats are found, make sure that every item is checked, and click on the Cleanup button (a reboot might be required);
  • After that (and the reboot, if one was required), go back to the mbar folder and look for a text file called mbar-log-TODAY'S-DATE.txt;
  • Please copy and paste the entire contents of that log in your next reply;

 

To summarize, please post the entire contents of:
fixlog.txt;
mbar-log.

Let me also know how your computer is running. Is it still slow, with noises and crashing?

Thank you.

 

Android 8888

 


Android 8888
 

Website: http://android8888.comlu.com

 

Tavira - Here's where I live!

 

Please read the Instructions for posting requested logs and the article "So how did I get infected in the first place?"
 
Our help is free, but if you wish to help keep these forums running please consider a donation; Please see This Topic for details.
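The fix script above does several different things at once: the Task lines it keeps are scheduled tasks whose action file no longer exists (FRST's "No File"), the S2/U3/S1 lines are services and drivers whose binary is missing ([X]) or unset (no ImagePath), the FirewallRules lines are allow rules for AVG executables that were never uninstalled cleanly, and the bare paths at the end delete those leftovers. As an added example, not part of the original post and not FRST's own code, the Python script below reads report lines of those kinds and sorts them into entries a helper would paste into fixlist.txt versus entries to look at by hand (the alternate data streams). The sample lines are copied from the report above; the "present on disk" set and the Firefox control rule are constructed so the script runs offline.

```python
"""Triage FRST report lines into fixlist.txt entries.

Added example for this thread; it is not part of FRST and not the helper's
own script.  It keeps the entries that are objectively dead: scheduled tasks
whose action points at "No File", services/drivers whose binary is missing
(FRST marks these [X] or "no ImagePath"), and firewall rules for executables
that no longer exist, plus the leftover file and folder behind each such
rule.  Alternate data streams are only listed for review.  The "exists"
check is injected so the example runs offline; on the real machine leave it
at the default os.path.exists.
"""
import ntpath
import os
import re
from typing import Callable, Dict, Iterable, List

TASK_NO_FILE = re.compile(r"^Task: \{[0-9A-Fa-f-]+\} - .+ -> No File")
SERVICE_MISSING = re.compile(r"^[SRU]\d \S+; .+ \[X\]$")
SERVICE_NO_IMAGE = re.compile(r"^[SRU]\d \S+; no ImagePath$")
FIREWALL_RULE = re.compile(r"^FirewallRules: \[\{[0-9A-Fa-f-]+\}\] => \((?:Allow|Block)\) (.+)$")
ALT_DATA_STREAM = re.compile(r"^AlternateDataStreams: .+:\$\w+ \[\d+\]$")


def triage(lines: Iterable[str],
           exists: Callable[[str], bool] = os.path.exists) -> Dict[str, List[str]]:
    """Split report lines into entries to fix and entries to review by hand."""
    fix: List[str] = []
    review: List[str] = []
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        if TASK_NO_FILE.match(line) or SERVICE_MISSING.match(line) or SERVICE_NO_IMAGE.match(line):
            fix.append(line)            # FRST accepts the report line verbatim
            continue
        fw = FIREWALL_RULE.match(line)
        if fw:
            target = fw.group(1).strip()
            if not exists(target):
                fix.append(line)
                # A bare path in a fixlist deletes it: remove the dead binary and its folder too.
                for path in (target, ntpath.dirname(target)):
                    if path not in fix:
                        fix.append(path)
            continue
        if ALT_DATA_STREAM.match(line):
            review.append(line)         # a stream on a download is not proof of anything
    return {"fix": fix, "review": review}


def build_fixlist(triaged: Dict[str, List[str]]) -> str:
    """Wrap the fix entries in the Start/End frame used in this thread."""
    body = ["Start", "CloseProcesses:", "CreateRestorePoint:", "EmptyTemp:"]
    body.extend(triaged["fix"])
    body.append("End")
    return "\n".join(body) + "\n"


# Constructed stand-in for the disk: only the (invented) Firefox control rule
# below points at a file that "exists"; the AVG paths do not.
PRESENT = {r"C:\Program Files\Mozilla Firefox\firefox.exe"}

# Sample lines copied from the FRST report in this thread, plus one constructed
# FirewallRules control line (all-zero GUID) for an executable that is present.
SAMPLE_REPORT = r"""
Task: {155FD0C4-E86E-408A-B17F-3A9E3069C662} - \Microsoft\Windows\Setup\GWXTriggers\OutOfIdle-5d -> No File <==== ATTENTION
Task: {198CC7EB-AB2F-4A07-B3A2-6E3539906430} - \OfficeSoftwareProtectionPlatform\SvcRestartTask -> No File <==== ATTENTION
Task: {FAFAD28F-810B-47E3-B1BA-41F12F737192} - \Microsoft\Windows\Setup\gwx\rundetector -> No File <==== ATTENTION
S2 InstallerService; C:\Program Files\TrueKey\Mcafee.TrueKey.InstallerService.exe -originalversion 4.4.127.0 [X]
U3 idsvc; no ImagePath
S1 ZAM; \??\C:\WINDOWS\System32\drivers\zam64.sys [X]
FirewallRules: [{1879679C-0274-47E4-B133-743AD754987D}] => (Allow) C:\Program Files (x86)\AVG\AVG2012\avgmfapx.exe
FirewallRules: [{54E87D07-11A7-4CCC-8109-A54FC5166667}] => (Allow) C:\Program Files (x86)\AVG\AVG2012\avgmfapx.exe
FirewallRules: [{3D3EDE53-75E3-42B9-9624-302767880E13}] => (Allow) C:\Program Files (x86)\AVG\AVG2013\avgmfapx.exe
FirewallRules: [{EE77EDF0-E3B2-4F83-AFF1-E682B0549268}] => (Allow) C:\Program Files (x86)\AVG\AVG2013\avgmfapx.exe
FirewallRules: [{00000000-0000-0000-0000-000000000000}] => (Allow) C:\Program Files\Mozilla Firefox\firefox.exe
AlternateDataStreams: C:\Users\eddie\Downloads\cispremium_only_installer (1).exe:$CmdTcID [64]
AlternateDataStreams: C:\Users\eddie\Downloads\cispremium_only_installer (1).exe:$CmdZnID [26]
""".strip().splitlines()

if __name__ == "__main__":
    result = triage(SAMPLE_REPORT, exists=lambda p: p in PRESENT)
    print(build_fixlist(result))
    print("review by hand:", *result["review"], sep="\n  ")
```

The entries come out in the same frame the helper used (Start, CloseProcesses:, CreateRestorePoint:, EmptyTemp:, ..., End); on the real machine drop the exists argument so os.path.exists decides which firewall rules are dead. Policy and browser-setting lines are deliberately not automated here: whether a search scope or an Explorer policy is unwanted is a judgement about the user's intent, not a file check.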


#3 winston66

Posted 31 March 2017 - 02:02 AM

Hi Android 8888.

Thank you very much for the assistance.

Firstly, late last night I lost Chrome (blank screen) so switched to Firefox.

I left the computer on overnight and Chrome was back again?

I have not found any trace of Chrome Web Store or Chrome Media Router in extensions.

The only enabled ones there are google docs and google docs office.

 

I'm sorry but I've tried and tried to put the tool you posted into the FRST folder but don't know how to do it.

The only place I can find FRST is in Downloads, and the one with the 30/03/2017 date is FRST (1).

Can you please give ABC instructions.

 

I enclose below the Mbar log. The scan was trouble free.

 

Malwarebytes Anti-Rootkit BETA 1.9.3.1001
www.malwarebytes.org
 
Database version:
  main:    v2017.03.31.02
  rootkit: v2017.03.11.01
 
Windows 10 x64 NTFS
Internet Explorer 11.953.14393.0
eddie :: EH [administrator]
 
3/31/2017 8:03:20 AM
mbar-log-2017-03-31 (08-03-20).txt
 
Scan type: Quick scan
Scan options enabled: Anti-Rootkit | Drivers | MBR | Physical Sectors | Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken
Scan options disabled: 
Objects scanned: 459605
Time elapsed: 39 minute(s), 55 second(s)
 
Memory Processes Detected: 0
(No malicious items detected)
 
Memory Modules Detected: 0
(No malicious items detected)
 
Registry Keys Detected: 0
(No malicious items detected)
 
Registry Values Detected: 0
(No malicious items detected)
 
Registry Data Items Detected: 0
(No malicious items detected)
 
Folders Detected: 0
(No malicious items detected)
 
Files Detected: 0
(No malicious items detected)
 
Physical Sectors Detected: 0
(No malicious items detected)
 
(end)
The computer is very quiet now and appears to be running okay.
 
Kind regards
 
Winston66


#4 winston66

Posted 31 March 2017 - 02:55 AM

Hi Android 8888

 

I've just come across something odd.

I have just tried logging into a site called Money am, which is potentially a share dealing site, although I just use it for information, and my password will not work.

I have requested a new one from the link on the site, which by now should be in my in box.



#5 winston66

Posted 31 March 2017 - 03:22 AM

Hi Android 8888

 

I've just had a screen freeze again, which lasted about a minute with lots of whirring sound.

I had trouble typing this the first time in the Chrome browser. Letters displayed about 20 seconds after they were typed, then the screen froze completely and Chrome blacked out once again.

I'm now back in Firefox.

Regards,

 

Winston66


Edited by winston66, 31 March 2017 - 04:46 AM.


#6 winston66

Posted 31 March 2017 - 03:33 AM

Hi again.

 

Latest update. Firefox crashed, so I rebooted and tried Chrome again, which now works.

 

 

 

Regards,

 

Winston66



#7 winston66

Posted 31 March 2017 - 04:28 AM

Hi again Android 8888

 

I went onto a football website, Arsenal News Now, and this appeared.

I don't know if it is genuine or not:

 

Your Windows (Windows 10) is infected with (3) viruses. The pre-scan found traces of (2) malware programs and (1) phishing / spyware. System damage: 28.1% - Immediate removal is required!

Removal of the (3) viruses is required immediately to avoid further damage to the system and the loss of applications, photos or other files.

Traces of (1) phishing/spyware were found on your Windows (Windows 10). Personal and banking information is at risk.

 

I don't know if you understand French, but basically I've got 3 viruses, 2 software infections and a phishing spyware. 28.1% of the system has been damaged.

 

Kind regards,

 

Winston66


Edited by winston66, 31 March 2017 - 04:46 AM.


#8 Android 8888

Posted 31 March 2017 - 05:52 AM

Hello winston66.
 

I enclose below the Mbar log. The scan was trouble free.

Good work. This is a good sign.

Okay, I'll give instructions step by step on how to proceed to run the fix script with the Farbar Recovery Scan Tool (FRST).

FRST can work from any folder, but it was designed to be most reliable when run from the Desktop, as most malware removal tools are.

So please move your FRST64 executable file from the Downloads folder to your computer's Desktop. There is no problem in doing this, because after the cleaning process we will remove all the tools that were used, including the Farbar tool.

Now press the Windows key + R on your keyboard at the same time. This will open the Run box.
Type Notepad and click the OK button.
Please copy the entire contents of the code box below. To do this highlight the contents of the box and right click on it and select Copy. NOTE: Do not include the word "Quote".
Paste this into the open Notepad file.
 

Start
CloseProcesses:
CreateRestorePoint:
EmptyTemp:
HKLM\...\Policies\Explorer: [NoDevMgrUpdate] 0
HKLM\...\Policies\Explorer: [NoSetTaskbar] 0
HKLM\...\Policies\Explorer: [NoDeletePrinter] 0
HKLM\...\Policies\Explorer: [NoDFSTab] 0
HKLM\...\Policies\Explorer: [NoChangeStartMenu] 0
HKLM\...\Policies\Explorer: [NoEncryptOnMove] 0
HKLM\...\Policies\Explorer: [NoRunasInstallPrompt] 0
HKLM\...\Policies\Explorer: [NoResolveSearch] 0
HKLM\...\Policies\Explorer: [NoHardwareTab] 0
HKLM\...\Policies\Explorer: [NoStartMenuSubFolders] 0
HKU\S-1-5-21-430072569-3085444723-2816121149-1000\...\Policies\Explorer: [NoDevMgrUpdate] 0
HKU\S-1-5-21-430072569-3085444723-2816121149-1000\...\Policies\Explorer: [NoSetTaskbar] 0
HKU\S-1-5-21-430072569-3085444723-2816121149-1000\...\Policies\Explorer: [NoDeletePrinter] 0
HKU\S-1-5-21-430072569-3085444723-2816121149-1000\...\Policies\Explorer: [NoDFSTab] 0
HKU\S-1-5-21-430072569-3085444723-2816121149-1000\...\Policies\Explorer: [NoChangeStartMenu] 0
HKU\S-1-5-21-430072569-3085444723-2816121149-1000\...\Policies\Explorer: [NoEncryptOnMove] 0
HKU\S-1-5-21-430072569-3085444723-2816121149-1000\...\Policies\Explorer: [NoRunasInstallPrompt] 0
HKU\S-1-5-21-430072569-3085444723-2816121149-1000\...\Policies\Explorer: [NoResolveSearch] 0
HKU\S-1-5-21-430072569-3085444723-2816121149-1000\...\Policies\Explorer: [NoHardwareTab] 0
HKU\S-1-5-21-430072569-3085444723-2816121149-1000\...\Policies\Explorer: [NoStartMenuSubFolders] 0
HKU\S-1-5-21-430072569-3085444723-2816121149-1000\...\Policies\Explorer: [NoInternetOpenWith] 1
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
HKU\.DEFAULT\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
HKU\S-1-5-21-430072569-3085444723-2816121149-1000\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=msnhome
HKU\S-1-5-21-430072569-3085444723-2816121149-1000\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKU\S-1-5-21-430072569-3085444723-2816121149-1000\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://go.microsoft.com/fwlink/?LinkID=617910&ResetID=131351051986745399&GUID=1CF400F0-D723-4B12-9630-2C62121F22A3
SearchScopes: HKU\S-1-5-21-430072569-3085444723-2816121149-1000 -> {3411790C-FE37-4FB4-AE93-875EC539C513} URL = hxxps://fr.search.yahoo.com/search?p={searchTerms}&intl=fr&fr=yset_ie_syc_oracle&type=orcl_default&partnerexternal-oracle=external-oracle
FF NewTab: Mozilla\Firefox\Profiles\wrbmdaum.default-1401536782745 -> about:newtab
FF NewTab: Mozilla\Firefox\Profiles\mqpc19y9.default-1419782358567 -> about:newtab
FF NewTab: Mozilla\Firefox\Profiles\hrycc2jf.default-1426499126421 -> about:newtab
FF NewTab: Mozilla\Firefox\Profiles\iivakdjh.default-1432626449904 -> about:newtab
FF Extension: (Java Console) - C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0035-ABCDEFFEDCBA} [2017-03-08] [not signed]
CHR DefaultSearchURL: Default -> hxxps://search.yahoo.com/search?p={searchTerms}&fr=yset_chr_syc_oracle&type=default
CHR DefaultSearchKeyword: Default -> Yahoo
CHR DefaultSuggestURL: Default -> hxxps://search.yahoo.com/sugg/ie?output=fxjson&command={searchTerms}&nResults=10
CHR Extension: (Chrome Web Store Payments) - C:\Users\eddie\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2017-03-28]    
CHR Extension: (Chrome Media Router) - C:\Users\eddie\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm [2017-03-28]
S2 InstallerService; C:\Program Files\TrueKey\Mcafee.TrueKey.InstallerService.exe -originalversion 4.4.127.0 [X]
U3 idsvc; no ImagePath
S1 ZAM; \??\C:\WINDOWS\System32\drivers\zam64.sys [X]
Task: {155FD0C4-E86E-408A-B17F-3A9E3069C662} - \Microsoft\Windows\Setup\GWXTriggers\OutOfIdle-5d -> No File <==== ATTENTION
Task: {18DB92AF-9F76-43C9-A8A9-B6F2E32A7BBC} - \Microsoft\Windows\Setup\GWXTriggers\Time-Weekend -> No File <==== ATTENTION
Task: {198CC7EB-AB2F-4A07-B3A2-6E3539906430} - \OfficeSoftwareProtectionPlatform\SvcRestartTask -> No File <==== ATTENTION
Task: {21DC01BF-78F9-4BE5-9E0D-A064CD9884C7} - \Microsoft\Windows\Setup\GWXTriggers\ScheduleUpgradeTime -> No File <==== ATTENTION
Task: {27FFD92F-3382-47E9-B6B6-B33D557980CB} - \Microsoft\Windows\Setup\GWXTriggers\OnIdle-5d -> No File <==== ATTENTION
Task: {2C140CCA-F1F4-453B-A078-2CA84D04C9FA} - \Microsoft\Windows\Setup\gwx\refreshgwxconfigandcontent -> No File <==== ATTENTION
Task: {32DB4263-CCE9-48EB-A403-E06C2250BBBD} - \Microsoft\Windows\Setup\GWXTriggers\OutOfSleep-5d -> No File <==== ATTENTION
Task: {3EB1BA3B-FD23-4B59-ACD4-F48BD54C71D7} - \Microsoft\Windows\Setup\gwx\refreshgwxcontent -> No File <==== ATTENTION
Task: {658A9CE7-38CF-4DF7-835A-E575BD554FD6} - \Microsoft\Windows\Setup\gwx\launchtrayprocess -> No File <==== ATTENTION
Task: {67508C3D-C2B5-42D0-B8AC-2B074AEA569B} - \Microsoft\Windows\Setup\GWXTriggers\Time-5d -> No File <==== ATTENTION
Task: {9DB0208C-AD66-4E78-8607-7367AB17356A} - \Microsoft\Windows\Setup\gwx\refreshgwxconfig -> No File <==== ATTENTION
Task: {AEB18A8B-A9FC-464D-8802-602CC2863E10} - \Microsoft\Windows\Setup\GWXTriggers\MachineUnlock-5d -> No File <==== ATTENTION
Task: {D4B0B0D2-B2F1-4863-B666-7F0FC4DF1A25} - \Microsoft\Windows\Setup\GWXTriggers\refreshgwxconfig-B -> No File <==== ATTENTION
Task: {D653D269-49D1-464C-93E6-1A0383D6F4D9} - \Microsoft\Windows\Setup\GWXTriggers\Logon-5d -> No File <==== ATTENTION
Task: {D65E8FFC-CA1A-4D2B-82B4-83372694C92E} - \Microsoft\Windows\Setup\GWXTriggers\ScheduleUpgradeReminderTime -> No File <==== ATTENTION
Task: {FAFAD28F-810B-47E3-B1BA-41F12F737192} - \Microsoft\Windows\Setup\gwx\rundetector -> No File <==== ATTENTION
ShortcutWithArgument: C:\Users\Public\Desktop\Acer Accessory Store.lnk -> C:\Program Files\Acer Accessory Store\StartURL.exe () -> hxxp://store.acer-euro.com/gb?utm_source=Icon&utm_medium=Icon&utm_campaign=Acer%2BInternal
AlternateDataStreams: C:\Users\eddie\Downloads\cispremium_only_installer (1).exe:$CmdTcID [64]
AlternateDataStreams: C:\Users\eddie\Downloads\cispremium_only_installer (1).exe:$CmdZnID [26]
127.0.0.1 localhost
FirewallRules: [{1879679C-0274-47E4-B133-743AD754987D}] => (Allow) C:\Program Files (x86)\AVG\AVG2012\avgmfapx.exe
FirewallRules: [{54E87D07-11A7-4CCC-8109-A54FC5166667}] => (Allow) C:\Program Files (x86)\AVG\AVG2012\avgmfapx.exe
FirewallRules: [{3D3EDE53-75E3-42B9-9624-302767880E13}] => (Allow) C:\Program Files (x86)\AVG\AVG2013\avgmfapx.exe
FirewallRules: [{EE77EDF0-E3B2-4F83-AFF1-E682B0549268}] => (Allow) C:\Program Files (x86)\AVG\AVG2013\avgmfapx.exe
C:\Program Files (x86)\AVG\AVG2012\avgmfapx.exe
C:\Program Files (x86)\AVG\AVG2012
C:\Program Files (x86)\AVG\AVG2013\avgmfapx.exe
C:\Program Files (x86)\AVG\AVG2013
C:\Program Files (x86)\AVG
End

 

Now save the Notepad file with the name fixlist.txt in the same folder as FRST64, which in this case will be your computer's Desktop.
Right-click the FRST64 icon and select Run as administrator to start the tool.
Click the Fix button only once and wait.

When finished FRST64 will generate a log on the Desktop (fixlog.txt).
Please post the entire contents of the fixlog.txt log in your reply.

If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.


Next,

Please download Junkware Removal Tool and save it to your Desktop.

  • Please close your security software to avoid potential conflicts.
  • Right-click on the icon and select Run as administrator.
  • The tool will open and check for updates. You will see the Disclaimer.
  • Press any key to continue and start scanning your system.
  • Please be patient as this can take a while to complete, depending on your system's specifications.
  • On completion, a log (JRT.txt) is saved to your Desktop and will automatically open.
  • Please post the contents of JRT.txt into your next reply.


Next,

Please download AdwCleaner by Xplode and save it to your Desktop.

  • Close all open programs and internet browsers.
  • Right-click on the icon and choose Run as administrator to run the tool.
  • Click Yes to accept any security warnings that may appear.
  • Click I Agree on the disclaimer to accept the Terms of Use.
  • Click the Scan button to start the scan and wait for the process to complete.
  • Click the Logfile button and the report will open in Notepad.
  • NOTE: If you get an error message, it means that nothing was found. Exit from AdwCleaner.
  • Click on the Clean button and follow the prompts.
  • A log file will automatically open after the scan has finished and the PC has rebooted.
  • Please post the content of that log file in your next reply.
  • You can find the log file at C:\AdwCleaner[Cn].txt (n is a number).

 

Please try to run RogueKiller again in Normal mode and provide the Scan log. Please DO NOT remove anything it finds.

  • Close all programs and browsers.
  • Please disconnect any USB or external drives from the computer before you run this scan!
  • Right-click on the RogueKiller icon and select Run as administrator.
  • Click Yes to accept any security warnings that may appear.
  • Click the Scan tab and then click the Start Scan button.
  • Wait until the scan has finished. This may take some time.
  • Once finished click on Open Report. It will open a new window.
  • Click Export TXT to export the report as a text file, give a name to the file such as RKlog.txt and save it to your Desktop.
  • Close RogueKiller.
  • Please copy and paste the contents of RKlog.txt to your next reply.

Please post the contents of:
The fixlog.txt;
The JRT log.
The AdwCleaner clean log;
The RKlog.txt

Can you tell me where that sound seems to come from? Does it appear to come from the fan or from the hard disk drive? Are you able to check that?

 

Thank you.

 

Android 8888




#9 winston66

Posted 31 March 2017 - 06:23 AM

Hi Android 8888.

I'm sorry I'm still having problems with the fixlist txt.

Perhaps you can tell me what I'm doing wrong.

In the Notepad window with the fix copied, I click File at the top of the page and then Save As.

In the window that opens I highlight Desktop in the left-hand column; in File name it says fixlist, and below that Save as file type says text docs txt.

I have tried both with fixlist and by adding .txt onto it.

Do I need to save the Save as file type to All files ?

I then right click the FRST64 icon on the desktop and get to the opening window.

The search window is empty. I have typed both fixlist and fixlist.txt separately into the box, and it tells me that no fixlist.txt was found and that it should be in the same directory/folder as the tool.

Where am I going wrong, please, and would you want me to run the scan from scratch or work with the previous one?

Sorry for the confusion.

Regards,

Winston66



#10 winston66

Posted 31 March 2017 - 06:43 AM

Hi Android 8888

 

Here's the latest log

 

Junkware Removal Tool (JRT) by Malwarebytes
Version: 8.1.2 (03.10.2017)
Operating System: Windows 10 Home x64 
Ran by eddie (Administrator) on Fri 03/31/2017 at 13:35:07.83
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
 
 
 
File System: 0 
 
 
 
 
Registry: 0 
 
 
 
 
 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on Fri 03/31/2017 at 13:37:50.92
End of JRT log
 
Regards Winston66


#11 winston66

Posted 31 March 2017 - 06:50 AM

Hi once again.

Here's the adware log file.

I'm showing 1 infection my end.

# AdwCleaner v6.045 - Logfile created 31/03/2017 at 13:47:06
# Updated on 28/03/2017 by Malwarebytes
# Database : 2017-03-30.1 [Local]
# Operating System : Windows 10 Home  (X64)
# Username : eddie - EH
# Running from : C:\Users\eddie\Desktop\adwcleaner_6.045.exe
# Mode: Scan
 
 
 
***** [ Services ] *****
 
No malicious services found.
 
 
***** [ Folders ] *****
 
No malicious folders found.
 
 
***** [ Files ] *****
 
No malicious files found.
 
 
***** [ DLL ] *****
 
No malicious DLLs found.
 
 
***** [ WMI ] *****
 
No malicious keys found.
 
 
***** [ Shortcuts ] *****
 
No infected shortcut found.
 
 
***** [ Scheduled Tasks ] *****
 
No malicious task found.
 
 
***** [ Registry ] *****
 
No malicious registry entries found.
 
 
***** [ Web browsers ] *****
 
No malicious Firefox based browser items found.
Chrome pref Found:  [C:\Users\eddie\AppData\Local\Google\Chrome\User Data\Default\Web data] - uk.ask.com
 
*************************
 
C:\AdwCleaner\AdwCleaner[C10].txt - [753 Bytes] - [05/11/2015 16:21:49]
C:\AdwCleaner\AdwCleaner[C11].txt - [1025 Bytes] - [09/11/2015 09:51:04]
C:\AdwCleaner\AdwCleaner[C12].txt - [753 Bytes] - [30/11/2015 09:17:15]
C:\AdwCleaner\AdwCleaner[C13].txt - [753 Bytes] - [12/12/2015 18:26:57]
C:\AdwCleaner\AdwCleaner[C14].txt - [3110 Bytes] - [15/08/2016 14:45:56]
C:\AdwCleaner\AdwCleaner[C15].txt - [3708 Bytes] - [09/03/2017 19:24:39]
C:\AdwCleaner\AdwCleaner[C16].txt - [3603 Bytes] - [12/03/2017 15:36:14]
C:\AdwCleaner\AdwCleaner[C17].txt - [3754 Bytes] - [13/03/2017 18:52:35]
C:\AdwCleaner\AdwCleaner[C18].txt - [4184 Bytes] - [17/03/2017 20:03:40]
C:\AdwCleaner\AdwCleaner[C19].txt - [4639 Bytes] - [19/03/2017 17:58:46]
C:\AdwCleaner\AdwCleaner[C1].txt - [3977 Bytes] - [02/08/2016 16:18:16]
C:\AdwCleaner\AdwCleaner[C20].txt - [5400 Bytes] - [26/03/2017 13:29:25]
C:\AdwCleaner\AdwCleaner[C21].txt - [5219 Bytes] - [29/03/2017 22:11:06]
C:\AdwCleaner\AdwCleaner[C8].txt - [2432 Bytes] - [21/10/2015 10:53:56]
C:\AdwCleaner\AdwCleaner[C9].txt - [13688 Bytes] - [03/11/2015 17:13:24]
C:\AdwCleaner\AdwCleaner[R10].txt - [2645 Bytes] - [27/07/2015 10:21:48]
C:\AdwCleaner\AdwCleaner[R11].txt - [2705 Bytes] - [27/07/2015 10:26:04]
C:\AdwCleaner\AdwCleaner[R8].txt - [3434 Bytes] - [06/07/2015 16:49:32]
C:\AdwCleaner\AdwCleaner[R9].txt - [3493 Bytes] - [06/07/2015 16:51:18]
C:\AdwCleaner\AdwCleaner[S12].txt - [3136 Bytes] - [15/08/2016 14:44:19]
C:\AdwCleaner\AdwCleaner[S13].txt - [2917 Bytes] - [21/10/2015 10:52:38]
C:\AdwCleaner\AdwCleaner[S14].txt - [13607 Bytes] - [03/11/2015 17:11:14]
C:\AdwCleaner\AdwCleaner[S15].txt - [1308 Bytes] - [05/11/2015 16:17:08]
C:\AdwCleaner\AdwCleaner[S16].txt - [1556 Bytes] - [09/11/2015 09:48:57]
C:\AdwCleaner\AdwCleaner[S17].txt - [1556 Bytes] - [09/11/2015 09:50:12]
C:\AdwCleaner\AdwCleaner[S18].txt - [661 Bytes] - [30/11/2015 09:16:15]
C:\AdwCleaner\AdwCleaner[S19].txt - [661 Bytes] - [02/12/2015 20:20:57]
C:\AdwCleaner\AdwCleaner[S1].txt - [3798 Bytes] - [02/08/2016 16:15:41]
C:\AdwCleaner\AdwCleaner[S20].txt - [661 Bytes] - [12/12/2015 18:23:51]
C:\AdwCleaner\AdwCleaner[S21].txt - [655 Bytes] - [09/01/2016 20:43:21]
C:\AdwCleaner\AdwCleaner[S22].txt - [2987 Bytes] - [15/08/2016 14:53:29]
C:\AdwCleaner\AdwCleaner[S23].txt - [3646 Bytes] - [09/03/2017 19:23:50]
C:\AdwCleaner\AdwCleaner[S24].txt - [3197 Bytes] - [09/03/2017 20:32:08]
C:\AdwCleaner\AdwCleaner[S25].txt - [3271 Bytes] - [10/03/2017 20:50:14]
C:\AdwCleaner\AdwCleaner[S26].txt - [3824 Bytes] - [12/03/2017 15:22:52]
C:\AdwCleaner\AdwCleaner[S27].txt - [3662 Bytes] - [12/03/2017 15:32:41]
C:\AdwCleaner\AdwCleaner[S28].txt - [3566 Bytes] - [12/03/2017 15:44:07]
C:\AdwCleaner\AdwCleaner[S29].txt - [3640 Bytes] - [12/03/2017 18:48:41]
C:\AdwCleaner\AdwCleaner[S30].txt - [3876 Bytes] - [13/03/2017 18:52:02]
C:\AdwCleaner\AdwCleaner[S31].txt - [3863 Bytes] - [13/03/2017 21:15:30]
C:\AdwCleaner\AdwCleaner[S32].txt - [3937 Bytes] - [14/03/2017 01:01:27]
C:\AdwCleaner\AdwCleaner[S33].txt - [4012 Bytes] - [14/03/2017 20:07:09]
C:\AdwCleaner\AdwCleaner[S34].txt - [4086 Bytes] - [15/03/2017 17:14:01]
C:\AdwCleaner\AdwCleaner[S35].txt - [4292 Bytes] - [17/03/2017 20:03:17]
C:\AdwCleaner\AdwCleaner[S36].txt - [4308 Bytes] - [18/03/2017 13:46:34]
C:\AdwCleaner\AdwCleaner[S37].txt - [4856 Bytes] - [19/03/2017 17:51:05]
C:\AdwCleaner\AdwCleaner[S38].txt - [4698 Bytes] - [19/03/2017 17:57:37]
C:\AdwCleaner\AdwCleaner[S39].txt - [4603 Bytes] - [20/03/2017 20:45:28]
C:\AdwCleaner\AdwCleaner[S40].txt - [4676 Bytes] - [21/03/2017 15:59:49]
C:\AdwCleaner\AdwCleaner[S41].txt - [4751 Bytes] - [24/03/2017 21:05:24]
C:\AdwCleaner\AdwCleaner[S42].txt - [4824 Bytes] - [25/03/2017 18:59:47]
C:\AdwCleaner\AdwCleaner[S43].txt - [5377 Bytes] - [26/03/2017 13:27:36]
C:\AdwCleaner\AdwCleaner[S44].txt - [5047 Bytes] - [27/03/2017 17:32:18]
C:\AdwCleaner\AdwCleaner[S45].txt - [5121 Bytes] - [28/03/2017 19:03:51]
C:\AdwCleaner\AdwCleaner[S46].txt - [5195 Bytes] - [29/03/2017 17:13:17]
C:\AdwCleaner\AdwCleaner[S47].txt - [5326 Bytes] - [29/03/2017 22:10:53]
C:\AdwCleaner\AdwCleaner[S48].txt - [5417 Bytes] - [30/03/2017 08:24:55]
C:\AdwCleaner\AdwCleaner[S49].txt - [5493 Bytes] - [31/03/2017 13:27:07]
C:\AdwCleaner\AdwCleaner[S50].txt - [5320 Bytes] - [31/03/2017 13:47:06]
C:\AdwCleaner\AdwCleaner[S5].txt - [3569 Bytes] - [06/07/2015 16:52:18]
C:\AdwCleaner\AdwCleaner[S6].txt - [2778 Bytes] - [27/07/2015 10:27:40]
 
########## EOF - C:\AdwCleaner\AdwCleaner[S50].txt - [5540 Bytes] ##########
 
regards,
 
Winston66
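AdwCleaner's single hit above, "Chrome pref Found: [...\Default\Web data] - uk.ask.com", is a row in the Web Data SQLite database of the Chrome profile; its keywords table holds the search engines Chrome offers, which is also where the Yahoo entries FRST listed as CHR DefaultSearchURL come from. As an added example, not AdwCleaner's code and not part of the thread, the Python script below lists every engine in that table whose host is off an allowlist. The schema is a reduced copy of the real table (those columns exist; the real one has many more), the rows are constructed to mirror the Yahoo and Ask hits in this thread, and the allowlist is an assumption to adjust to what the user actually chose.

```python
"""List search engines in Chrome's "Web Data" file that are off an allowlist.

Added example for this thread; it is not AdwCleaner's code.  Chrome stores
its search engines in the keywords table of the Web Data SQLite database in
the profile folder.  The schema below is a reduced copy of that table (these
columns exist; the real table has many more), the rows are constructed, and
ALLOWED_SUFFIXES is an assumption to adjust per user.
"""
import shutil
import sqlite3
import tempfile
from pathlib import Path
from typing import List, Tuple
from urllib.parse import urlsplit

# Domains (and their subdomains) accepted as legitimate engines -- an assumption.
ALLOWED_SUFFIXES = ("google.com", "bing.com", "yahoo.com", "duckduckgo.com")

SCHEMA = """
CREATE TABLE keywords (
    id INTEGER PRIMARY KEY,
    short_name VARCHAR NOT NULL,
    keyword VARCHAR NOT NULL,
    url VARCHAR NOT NULL,
    suggest_url VARCHAR
);
"""

# Constructed rows: Yahoo URLs as FRST reported them for Chrome in this thread,
# an Ask entry mirroring AdwCleaner's uk.ask.com hit, Google and Bing as controls.
SAMPLE_ROWS = [
    (1, "Google", "google.com", "https://www.google.com/search?q={searchTerms}", None),
    (2, "Bing", "bing.com", "https://www.bing.com/search?q={searchTerms}", None),
    (3, "Yahoo", "yahoo.com",
     "https://search.yahoo.com/search?p={searchTerms}&fr=yset_chr_syc_oracle&type=default",
     "https://search.yahoo.com/sugg/ie?output=fxjson&command={searchTerms}&nResults=10"),
    (4, "Ask", "uk.ask.com", "https://uk.ask.com/web?q={searchTerms}", None),
]


def host_allowed(host: str) -> bool:
    """True for an allowlisted domain or any subdomain of it (fr.search.yahoo.com -> yahoo.com)."""
    host = (host or "").lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in ALLOWED_SUFFIXES)


def suspicious_engines(conn: sqlite3.Connection) -> List[Tuple[str, str, str, str]]:
    """Return (short_name, keyword, host, url) for every engine whose host is off the allowlist."""
    flagged = []
    for short_name, keyword, url in conn.execute(
            "SELECT short_name, keyword, url FROM keywords ORDER BY id"):
        host = urlsplit(url).hostname or ""      # {searchTerms} placeholders do not disturb urlsplit
        if not host_allowed(host):
            flagged.append((short_name, keyword, host, url))
    return flagged


def sample_db() -> sqlite3.Connection:
    """In-memory database with the constructed rows, so the check runs offline."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO keywords VALUES (?, ?, ?, ?, ?)", SAMPLE_ROWS)
    return conn


def open_web_data(profile_dir: str) -> sqlite3.Connection:
    """Open a live profile's Web Data read-only through a copy (Chrome keeps the original locked)."""
    copy = Path(tempfile.mkdtemp()) / "Web Data"
    shutil.copy2(Path(profile_dir) / "Web Data", copy)
    return sqlite3.connect(copy.resolve().as_uri() + "?mode=ro", uri=True)


if __name__ == "__main__":
    # Live use: open_web_data(r"C:\Users\<user>\AppData\Local\Google\Chrome\User Data\Default")
    for name, keyword, host, url in suspicious_engines(sample_db()):
        print(f"{name:8} {keyword:12} {host:16} {url}")
```

Against a live profile, call open_web_data() on the Default folder from the FRST paths above; it copies the file first because Chrome holds it open. Whether an allowlisted engine was the user's own choice is a separate question: the partner tags in the Yahoo URL (fr=yset_chr_syc_oracle, type=default) are the kind of detail to compare with what the user remembers installing.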


#12 Android 8888

Posted 31 March 2017 - 06:52 AM

Okay, no problem with that.

 

Please follow my steps.

 

I suppose you have already moved FRST64 to the computer's Desktop.

 

Open Notepad.

Copy and paste the entire content of the Quote box in my previous post to the notepad file.

Then on the top menu click on File and select Save as. It will open a new window.

Search for the Desktop and select it (this is where you will save the file to).

Now in the File name box, just type fixlist, leave all the rest as it is and click the Save button. Check to see that the fixlist.txt file is placed on the Desktop.

 

Now, right-click on FRST64 and select Run as administrator to start the tool.

Click the Fix button and wait until the fix is complete.

After the scan has finished, it will open a Notepad file named fixlog.txt.

Copy and paste the entire content of that file in your reply.

 

Is it clear for you now?

 

p.s. I'll be out for a while. Be back in one hour.

 

Thank you.


Android 8888
 



#13 winston66

Posted 31 March 2017 - 08:04 AM

Hi Android 8888,

The first scan of RK crashed at around the same time as a Windows Defender window told me it had detected and was dealing with malware.

So I turned it off and rescanned. Here is the log:

 

Started from : C:\Program Files\RogueKiller\RogueKiller64.exe
Mode : Scan -- Date : 03/31/2017 14:12:41 (Duration : 00:32:00)
 
¤¤¤ Processes : 0 ¤¤¤
 
¤¤¤ Registry : 0 ¤¤¤
 
¤¤¤ Tasks : 0 ¤¤¤
 
¤¤¤ Files : 0 ¤¤¤
 
¤¤¤ WMI : 0 ¤¤¤
 
¤¤¤ Hosts File : 0 ¤¤¤
 
¤¤¤ Antirootkit : 0 (Driver: Loaded) ¤¤¤
 
¤¤¤ Web browsers : 0 ¤¤¤
 
¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: Hitachi HTS545050B9A300 +++++
--- User ---
[MBR] fbcb1350eb7aecd74d1611ca27a8e87b
[BSP] 05dceed3571d7c16494d87e0a658715a : Windows Vista/7/8|VT.Unknown MBR Code
Partition table:
0 - [XXXXXX] ACER (0x27) [VISIBLE] Offset (sectors): 2048 | Size: 15360 MB
1 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 31459328 | Size: 100 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
2 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 31664128 | Size: 461478 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
User = LL1 ... OK
User = LL2 ... OK
 
My AdwCleaner window has frozen on the scan results page, so I will have to reboot to clear it. The infection is still showing on it as I took no action.
Windows Defender quarantined the following; should I delete it?
 
Behavior:Win32 Powerserve.D
 
Error code 0x80070057
The parameter is incorrect
Category - Suspicious behavior
Description - Program is dangerous and executes commands from an attacker.
Items - behavior:pid 4592: 50247080127395
process : pid: 4592 : Process stat 131354348325115913          
 
 
Regards
winston66 
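The "MBR Check" section of the RogueKiller log above is a decode of the first sector of PhysicalDrive0: a hash of the sector's boot code and the four 16-byte partition entries that start at byte 446, which is where the offsets, sizes, [ACTIVE] flag and type bytes (0x27, 0x7) come from. As an added example, not RogueKiller's code and not part of the thread, the Python script below builds a 512-byte MBR whose partition table mirrors the one in the log, parses it back and runs the sanity checks a bootkit inspection needs (boot signature, exactly one active partition, no overlapping ranges, GPT protective entry). The boot code is left as zeros, so its digest will not match the [MBR] value in the log; the type-ID names are the conventional ones for those bytes.

```python
"""Decode a classic MBR the way an anti-rootkit "MBR Check" does.

Added example for this thread, not RogueKiller's code.  The partition table
in the log above is decoded from four 16-byte entries at byte 446 of the
first sector.  This builds a 512-byte MBR mirroring that layout (boot code
left as zeros, so the digest will not equal the log's [MBR] value), parses
it back, and runs the checks a bootkit inspection needs.
"""
import hashlib
import struct
from dataclasses import dataclass
from typing import List, Sequence, Tuple

SECTOR = 512
TABLE_OFFSET = 446     # four 16-byte partition entries start here
ENTRY = "<B3xB3xII"    # status, CHS start (skipped), type, CHS end (skipped), LBA start, sector count
BOOT_SIG = 0xAA55      # bytes 55 AA at offset 510, read little-endian
TYPE_NAMES = {0x07: "NTFS/exFAT", 0x27: "Hidden NTFS (Windows RE / OEM recovery)", 0xEE: "GPT protective"}


@dataclass
class Partition:
    index: int
    active: bool
    type_id: int
    lba_start: int
    sectors: int

    @property
    def size_mb(self) -> int:   # the log's "Size" column: 2048 sectors per MB
        return self.sectors * SECTOR // (1024 * 1024)

    @property
    def lba_end(self) -> int:   # first sector after the partition
        return self.lba_start + self.sectors

    def describe(self) -> str:
        flag = "ACTIVE" if self.active else "XXXXXX"
        return (f"{self.index} - [{flag}] {TYPE_NAMES.get(self.type_id, 'unknown')} (0x{self.type_id:X}) "
                f"Offset (sectors): {self.lba_start} | Size: {self.size_mb} MB")


def parse_mbr(sector: bytes) -> List[Partition]:
    """Return the populated partition entries; raise on a malformed sector."""
    if len(sector) != SECTOR:
        raise ValueError("an MBR is exactly one 512-byte sector")
    (sig,) = struct.unpack_from("<H", sector, 510)
    if sig != BOOT_SIG:
        raise ValueError(f"bad boot signature 0x{sig:04X}")
    parts = []
    for i in range(4):
        status, type_id, start, count = struct.unpack_from(ENTRY, sector, TABLE_OFFSET + 16 * i)
        if type_id == 0 and count == 0:
            continue   # empty slot
        parts.append(Partition(i, status == 0x80, type_id, start, count))
    return parts


def check_table(parts: Sequence[Partition]) -> List[str]:
    """Findings worth a second look; an empty list means the table is internally consistent."""
    findings = []
    active = [p for p in parts if p.active]
    if len(active) != 1:
        findings.append(f"{len(active)} active partitions (expected exactly one)")
    if any(p.type_id == 0xEE for p in parts):
        findings.append("protective MBR: the disk is GPT, read the GPT instead")
    for p in parts:
        if p.lba_start == 0 or p.sectors == 0:
            findings.append(f"partition {p.index} has a zero start or length")
    ordered = sorted(parts, key=lambda p: p.lba_start)
    for a, b in zip(ordered, ordered[1:]):
        if a.lba_end > b.lba_start:
            findings.append(f"partitions {a.index} and {b.index} overlap")
    return findings


def boot_code_digest(sector: bytes) -> str:
    """MD5 of the 440-byte bootstrap code, the part a bootkit rewrites; compare with a known-good baseline."""
    return hashlib.md5(sector[:440]).hexdigest()


def build_mbr(layout: Sequence[Tuple[bool, int, int, int]], boot_code: bytes = b"") -> bytes:
    """Assemble a sector from (active, type_id, lba_start, sectors) tuples; test data only."""
    sector = bytearray(SECTOR)
    code = boot_code[:440]
    sector[:len(code)] = code
    for i, (active, type_id, start, count) in enumerate(layout):
        struct.pack_into(ENTRY, sector, TABLE_OFFSET + 16 * i, 0x80 if active else 0, type_id, start, count)
    struct.pack_into("<H", sector, 510, BOOT_SIG)
    return bytes(sector)


# Constructed from the log in this thread: same offsets, MB sizes converted at 2048 sectors/MB.
SAMPLE_LAYOUT = [
    (False, 0x27, 2048, 15360 * 2048),        # ACER recovery
    (True, 0x07, 31459328, 100 * 2048),       # System Reserved (bootable)
    (False, 0x07, 31664128, 461478 * 2048),   # Windows
]
SAMPLE_MBR = build_mbr(SAMPLE_LAYOUT)

if __name__ == "__main__":
    table = parse_mbr(SAMPLE_MBR)
    print("[MBR boot code md5]", boot_code_digest(SAMPLE_MBR))
    for p in table:
        print(p.describe())
    print("findings:", check_table(table) or "none")
```

On a live Windows system the sector is the first 512 bytes of \\.\PhysicalDrive0, read as administrator; the useful comparison is the boot-code digest against one taken when the machine was known clean, since an MBR bootkit has to change those bytes. The three partitions in the log are contiguous (each one ends exactly where the next begins), which the overlap check confirms.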


#14 winston66

Posted 31 March 2017 - 08:31 AM

Hi Android 8888

 

Thanks for that. It wasn't saving to the Desktop, but I've worked out how to default the setting now. I also believe that although it was showing Desktop in the file save window, I had to click it again for it to send it to the Desktop.

Sorry for the inconvenience, and here's the log.

 

Fix result of Farbar Recovery Scan Tool (x64) Version: 15-03-2017
Ran by eddie (31-03-2017 15:09:40) Run:8
Running from C:\Users\eddie\Desktop
Loaded Profiles: eddie (Available Profiles: eddie & DefaultAppPool)
Boot Mode: Normal
==============================================
 
fixlist content:
*****************
Start
CloseProcesses:
CreateRestorePoint:
EmptyTemp:
HKLM\...\Policies\Explorer: [NoDevMgrUpdate] 0
HKLM\...\Policies\Explorer: [NoSetTaskbar] 0
HKLM\...\Policies\Explorer: [NoDeletePrinter] 0
HKLM\...\Policies\Explorer: [NoDFSTab] 0
HKLM\...\Policies\Explorer: [NoChangeStartMenu] 0
HKLM\...\Policies\Explorer: [NoEncryptOnMove] 0
HKLM\...\Policies\Explorer: [NoRunasInstallPrompt] 0
HKLM\...\Policies\Explorer: [NoResolveSearch] 0
HKLM\...\Policies\Explorer: [NoHardwareTab] 0
HKLM\...\Policies\Explorer: [NoStartMenuSubFolders] 0
HKU\S-1-5-21-430072569-3085444723-2816121149-1000\...\Policies\Explorer: [NoDevMgrUpdate] 0
HKU\S-1-5-21-430072569-3085444723-2816121149-1000\...\Policies\Explorer: [NoSetTaskbar] 0
HKU\S-1-5-21-430072569-3085444723-2816121149-1000\...\Policies\Explorer: [NoDeletePrinter] 0
HKU\S-1-5-21-430072569-3085444723-2816121149-1000\...\Policies\Explorer: [NoDFSTab] 0
HKU\S-1-5-21-430072569-3085444723-2816121149-1000\...\Policies\Explorer: [NoChangeStartMenu] 0
HKU\S-1-5-21-430072569-3085444723-2816121149-1000\...\Policies\Explorer: [NoEncryptOnMove] 0
HKU\S-1-5-21-430072569-3085444723-2816121149-1000\...\Policies\Explorer: [NoRunasInstallPrompt] 0
HKU\S-1-5-21-430072569-3085444723-2816121149-1000\...\Policies\Explorer: [NoResolveSearch] 0
HKU\S-1-5-21-430072569-3085444723-2816121149-1000\...\Policies\Explorer: [NoHardwareTab] 0
HKU\S-1-5-21-430072569-3085444723-2816121149-1000\...\Policies\Explorer: [NoStartMenuSubFolders] 0
HKU\S-1-5-21-430072569-3085444723-2816121149-1000\...\Policies\Explorer: [NoInternetOpenWith] 1
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
HKU\.DEFAULT\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
HKU\S-1-5-21-430072569-3085444723-2816121149-1000\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=msnhome
HKU\S-1-5-21-430072569-3085444723-2816121149-1000\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKU\S-1-5-21-430072569-3085444723-2816121149-1000\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://go.microsoft.com/fwlink/?LinkID=617910&ResetID=131351051986745399&GUID=1CF400F0-D723-4B12-9630-2C62121F22A3
SearchScopes: HKU\S-1-5-21-430072569-3085444723-2816121149-1000 -> {3411790C-FE37-4FB4-AE93-875EC539C513} URL = hxxps://fr.search.yahoo.com/search?p={searchTerms}&intl=fr&fr=yset_ie_syc_oracle&type=orcl_default&partnerexternal-oracle=external-oracle
FF NewTab: Mozilla\Firefox\Profiles\wrbmdaum.default-1401536782745 -> about:newtab
FF NewTab: Mozilla\Firefox\Profiles\mqpc19y9.default-1419782358567 -> about:newtab
FF NewTab: Mozilla\Firefox\Profiles\hrycc2jf.default-1426499126421 -> about:newtab
FF NewTab: Mozilla\Firefox\Profiles\iivakdjh.default-1432626449904 -> about:newtab
FF Extension: (Java Console) - C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0035-ABCDEFFEDCBA} [2017-03-08] [not signed]
CHR DefaultSearchURL: Default -> hxxps://search.yahoo.com/search?p={searchTerms}&fr=yset_chr_syc_oracle&type=default
CHR DefaultSearchKeyword: Default -> Yahoo
CHR DefaultSuggestURL: Default -> hxxps://search.yahoo.com/sugg/ie?output=fxjson&command={searchTerms}&nResults=10
CHR Extension: (Chrome Web Store Payments) - C:\Users\eddie\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2017-03-28]    
CHR Extension: (Chrome Media Router) - C:\Users\eddie\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm [2017-03-28]
S2 InstallerService; C:\Program Files\TrueKey\Mcafee.TrueKey.InstallerService.exe -originalversion 4.4.127.0 [X]
U3 idsvc; no ImagePath
S1 ZAM; \??\C:\WINDOWS\System32\drivers\zam64.sys [X]
Task: {155FD0C4-E86E-408A-B17F-3A9E3069C662} - \Microsoft\Windows\Setup\GWXTriggers\OutOfIdle-5d -> No File <==== ATTENTION
Task: {18DB92AF-9F76-43C9-A8A9-B6F2E32A7BBC} - \Microsoft\Windows\Setup\GWXTriggers\Time-Weekend -> No File <==== ATTENTION
Task: {198CC7EB-AB2F-4A07-B3A2-6E3539906430} - \OfficeSoftwareProtectionPlatform\SvcRestartTask -> No File <==== ATTENTION
Task: {21DC01BF-78F9-4BE5-9E0D-A064CD9884C7} - \Microsoft\Windows\Setup\GWXTriggers\ScheduleUpgradeTime -> No File <==== ATTENTION
Task: {27FFD92F-3382-47E9-B6B6-B33D557980CB} - \Microsoft\Windows\Setup\GWXTriggers\OnIdle-5d -> No File <==== ATTENTION
Task: {2C140CCA-F1F4-453B-A078-2CA84D04C9FA} - \Microsoft\Windows\Setup\gwx\refreshgwxconfigandcontent -> No File <==== ATTENTION
Task: {32DB4263-CCE9-48EB-A403-E06C2250BBBD} - \Microsoft\Windows\Setup\GWXTriggers\OutOfSleep-5d -> No File <==== ATTENTION
Task: {3EB1BA3B-FD23-4B59-ACD4-F48BD54C71D7} - \Microsoft\Windows\Setup\gwx\refreshgwxcontent -> No File <==== ATTENTION
Task: {658A9CE7-38CF-4DF7-835A-E575BD554FD6} - \Microsoft\Windows\Setup\gwx\launchtrayprocess -> No File <==== ATTENTION
Task: {67508C3D-C2B5-42D0-B8AC-2B074AEA569B} - \Microsoft\Windows\Setup\GWXTriggers\Time-5d -> No File <==== ATTENTION
Task: {9DB0208C-AD66-4E78-8607-7367AB17356A} - \Microsoft\Windows\Setup\gwx\refreshgwxconfig -> No File <==== ATTENTION
Task: {AEB18A8B-A9FC-464D-8802-602CC2863E10} - \Microsoft\Windows\Setup\GWXTriggers\MachineUnlock-5d -> No File <==== ATTENTION
Task: {D4B0B0D2-B2F1-4863-B666-7F0FC4DF1A25} - \Microsoft\Windows\Setup\GWXTriggers\refreshgwxconfig-B -> No File <==== ATTENTION
Task: {D653D269-49D1-464C-93E6-1A0383D6F4D9} - \Microsoft\Windows\Setup\GWXTriggers\Logon-5d -> No File <==== ATTENTION
Task: {D65E8FFC-CA1A-4D2B-82B4-83372694C92E} - \Microsoft\Windows\Setup\GWXTriggers\ScheduleUpgradeReminderTime -> No File <==== ATTENTION
Task: {FAFAD28F-810B-47E3-B1BA-41F12F737192} - \Microsoft\Windows\Setup\gwx\rundetector -> No File <==== ATTENTION
ShortcutWithArgument: C:\Users\Public\Desktop\Acer Accessory Store.lnk -> C:\Program Files\Acer Accessory Store\StartURL.exe () -> hxxp://store.acer-euro.com/gb?utm_source=Icon&utm_medium=Icon&utm_campaign=Acer%2BInternal
AlternateDataStreams: C:\Users\eddie\Downloads\cispremium_only_installer (1).exe:$CmdTcID [64]
AlternateDataStreams: C:\Users\eddie\Downloads\cispremium_only_installer (1).exe:$CmdZnID [26]
127.0.0.1 localhost
FirewallRules: [{1879679C-0274-47E4-B133-743AD754987D}] => (Allow) C:\Program Files (x86)\AVG\AVG2012\avgmfapx.exe
FirewallRules: [{54E87D07-11A7-4CCC-8109-A54FC5166667}] => (Allow) C:\Program Files (x86)\AVG\AVG2012\avgmfapx.exe
FirewallRules: [{3D3EDE53-75E3-42B9-9624-302767880E13}] => (Allow) C:\Program Files (x86)\AVG\AVG2013\avgmfapx.exe
FirewallRules: [{EE77EDF0-E3B2-4F83-AFF1-E682B0549268}] => (Allow) C:\Program Files (x86)\AVG\AVG2013\avgmfapx.exe
C:\Program Files (x86)\AVG\AVG2012\avgmfapx.exe
C:\Program Files (x86)\AVG\AVG2012
C:\Program Files (x86)\AVG\AVG2013\avgmfapx.exe
C:\Program Files (x86)\AVG\AVG2013
C:\Program Files (x86)\AVG
End
*****************
 
Processes closed successfully.
Restore point was successfully created.
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\\NoDevMgrUpdate => value removed successfully
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\\NoSetTaskbar => value removed successfully
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\\NoDeletePrinter => value removed successfully
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\\NoDFSTab => value removed successfully
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\\NoChangeStartMenu => value removed successfully
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\\NoEncryptOnMove => value removed successfully
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\\NoRunasInstallPrompt => value removed successfully
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\\NoResolveSearch => value removed successfully
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\\NoHardwareTab => value removed successfully
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\\NoStartMenuSubFolders => value removed successfully
HKU\S-1-5-21-430072569-3085444723-2816121149-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\\NoDevMgrUpdate => value removed successfully
HKU\S-1-5-21-430072569-3085444723-2816121149-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\\NoSetTaskbar => value removed successfully
HKU\S-1-5-21-430072569-3085444723-2816121149-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\\NoDeletePrinter => value removed successfully
HKU\S-1-5-21-430072569-3085444723-2816121149-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\\NoDFSTab => value removed successfully
HKU\S-1-5-21-430072569-3085444723-2816121149-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\\NoChangeStartMenu => value removed successfully
HKU\S-1-5-21-430072569-3085444723-2816121149-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\\NoEncryptOnMove => value removed successfully
HKU\S-1-5-21-430072569-3085444723-2816121149-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\\NoRunasInstallPrompt => value removed successfully
HKU\S-1-5-21-430072569-3085444723-2816121149-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\\NoResolveSearch => value removed successfully
HKU\S-1-5-21-430072569-3085444723-2816121149-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\\NoHardwareTab => value removed successfully
HKU\S-1-5-21-430072569-3085444723-2816121149-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\\NoStartMenuSubFolders => value removed successfully
HKU\S-1-5-21-430072569-3085444723-2816121149-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\\NoInternetOpenWith => value removed successfully
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer => key removed successfully
HKU\.DEFAULT\SOFTWARE\Policies\Microsoft\Internet Explorer => key removed successfully
HKU\S-1-5-21-430072569-3085444723-2816121149-1000\SOFTWARE\Policies\Microsoft\Internet Explorer => key removed successfully
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main\\Search Page => value removed successfully
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main\\Start Page => value removed successfully
HKU\S-1-5-21-430072569-3085444723-2816121149-1000\Software\Microsoft\Internet Explorer\Main\\Search Page => value restored successfully
HKU\S-1-5-21-430072569-3085444723-2816121149-1000\Software\Microsoft\Internet Explorer\Main\\Start Page => value restored successfully
HKU\S-1-5-21-430072569-3085444723-2816121149-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{3411790C-FE37-4FB4-AE93-875EC539C513} => key removed successfully
HKCR\CLSID\{3411790C-FE37-4FB4-AE93-875EC539C513} => key not found. 
Firefox "newtab" removed successfully
Firefox "newtab" removed successfully
Firefox "newtab" removed successfully
Firefox "newtab" removed successfully
C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0035-ABCDEFFEDCBA} => moved successfully
Chrome DefaultSearchURL => removed successfully
Chrome DefaultSearchKeyword => removed successfully
Chrome DefaultSuggestURL => removed successfully
C:\Users\eddie\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda => moved successfully
C:\Users\eddie\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm => moved successfully
HKLM\System\CurrentControlSet\Services\InstallerService => key removed successfully
InstallerService => service removed successfully
HKLM\System\CurrentControlSet\Services\idsvc => key removed successfully
idsvc => service removed successfully
HKLM\System\CurrentControlSet\Services\ZAM => key removed successfully
ZAM => service removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{155FD0C4-E86E-408A-B17F-3A9E3069C662} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{155FD0C4-E86E-408A-B17F-3A9E3069C662} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Setup\GWXTriggers\OutOfIdle-5d => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{18DB92AF-9F76-43C9-A8A9-B6F2E32A7BBC} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{18DB92AF-9F76-43C9-A8A9-B6F2E32A7BBC} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Setup\GWXTriggers\Time-Weekend => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{198CC7EB-AB2F-4A07-B3A2-6E3539906430} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{198CC7EB-AB2F-4A07-B3A2-6E3539906430} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\OfficeSoftwareProtectionPlatform\SvcRestartTask => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{21DC01BF-78F9-4BE5-9E0D-A064CD9884C7} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{21DC01BF-78F9-4BE5-9E0D-A064CD9884C7} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Setup\GWXTriggers\ScheduleUpgradeTime => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{27FFD92F-3382-47E9-B6B6-B33D557980CB} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{27FFD92F-3382-47E9-B6B6-B33D557980CB} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Setup\GWXTriggers\OnIdle-5d => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{2C140CCA-F1F4-453B-A078-2CA84D04C9FA} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{2C140CCA-F1F4-453B-A078-2CA84D04C9FA} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Setup\gwx\refreshgwxconfigandcontent => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{32DB4263-CCE9-48EB-A403-E06C2250BBBD} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{32DB4263-CCE9-48EB-A403-E06C2250BBBD} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Setup\GWXTriggers\OutOfSleep-5d => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{3EB1BA3B-FD23-4B59-ACD4-F48BD54C71D7} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{3EB1BA3B-FD23-4B59-ACD4-F48BD54C71D7} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Setup\gwx\refreshgwxcontent => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon\{658A9CE7-38CF-4DF7-835A-E575BD554FD6} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{658A9CE7-38CF-4DF7-835A-E575BD554FD6} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Setup\gwx\launchtrayprocess => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{67508C3D-C2B5-42D0-B8AC-2B074AEA569B} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{67508C3D-C2B5-42D0-B8AC-2B074AEA569B} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Setup\GWXTriggers\Time-5d => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{9DB0208C-AD66-4E78-8607-7367AB17356A} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{9DB0208C-AD66-4E78-8607-7367AB17356A} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Setup\gwx\refreshgwxconfig => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{AEB18A8B-A9FC-464D-8802-602CC2863E10} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{AEB18A8B-A9FC-464D-8802-602CC2863E10} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Setup\GWXTriggers\MachineUnlock-5d => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{D4B0B0D2-B2F1-4863-B666-7F0FC4DF1A25} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{D4B0B0D2-B2F1-4863-B666-7F0FC4DF1A25} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Setup\GWXTriggers\refreshgwxconfig-B => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon\{D653D269-49D1-464C-93E6-1A0383D6F4D9} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{D653D269-49D1-464C-93E6-1A0383D6F4D9} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Setup\GWXTriggers\Logon-5d => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{D65E8FFC-CA1A-4D2B-82B4-83372694C92E} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{D65E8FFC-CA1A-4D2B-82B4-83372694C92E} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Setup\GWXTriggers\ScheduleUpgradeReminderTime => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{FAFAD28F-810B-47E3-B1BA-41F12F737192} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{FAFAD28F-810B-47E3-B1BA-41F12F737192} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Setup\gwx\rundetector => key removed successfully
C:\Users\Public\Desktop\Acer Accessory Store.lnk => Shortcut argument removed successfully.
C:\Users\eddie\Downloads\cispremium_only_installer (1).exe => ":$CmdTcID" ADS removed successfully.
C:\Users\eddie\Downloads\cispremium_only_installer (1).exe => ":$CmdZnID" ADS removed successfully.
127.0.0.1 localhost => Error: No automatic fix found for this entry.
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{1879679C-0274-47E4-B133-743AD754987D} => value removed successfully
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{54E87D07-11A7-4CCC-8109-A54FC5166667} => value removed successfully
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{3D3EDE53-75E3-42B9-9624-302767880E13} => value removed successfully
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{EE77EDF0-E3B2-4F83-AFF1-E682B0549268} => value removed successfully
"C:\Program Files (x86)\AVG\AVG2012\avgmfapx.exe" => not found.
"C:\Program Files (x86)\AVG\AVG2012" => not found.
"C:\Program Files (x86)\AVG\AVG2013\avgmfapx.exe" => not found.
C:\Program Files (x86)\AVG\AVG2013 => moved successfully
C:\Program Files (x86)\AVG => moved successfully
 
=========== EmptyTemp: ==========
 
BITS transfer queue => 0 B
DOMStore, IE Recovery, AppCache, Feeds Cache, Thumbcache, IconCache => 41251007 B
Java, Flash, Steam htmlcache => 725 B
Windows/system/drivers => 831423 B
Edge => 14540542 B
Chrome => 354131005 B
Firefox => 446599702 B
Opera => 12907968 B
 
Temp, IE cache, history, cookies, recent:
Default => 0 B
Users => 0 B
ProgramData => 0 B
Public => 0 B
systemprofile => 128 B
systemprofile32 => 128 B
LocalService => 17682 B
NetworkService => 31570306 B
eddie => 103472097 B
DefaultAppPool => 0 B
 
RecycleBin => 116907131 B
EmptyTemp: => 1 GB temporary data Removed.
 
================================
 
 
The system needed a reboot.
 
==== End of Fixlog 15:15:57 ====
 
I see you are in Tavira. We had a great time on the Algarve in 1988 (showing my age) and liked Tavira a lot. I remember having a very simple but delicious grilled sardine salad on one of the beaches and when we returned to the car in the evening everyone had a transistor radio to listen to the football.
 
Kind regards.
 
Winston66


#15 Android 8888

    SWI Malware Tracker

  • Helper
  • 976 posts

Posted 31 March 2017 - 08:41 AM

Hi winston66, I'm back!

 

The RogueKiller log is clean. Good!


My adware cleaner window has frozen on the scan results page, so I will have to reboot to clear it. The infection is still showing on it as I took no action.
Windows Defender quarantined the following; should I delete it?

Perform another scan with AdwCleaner and clean up the entry in Web browsers.

Don't worry about Windows Defender quarantine. If it quarantined the item, then it is not active anymore and can't cause any damage.

 

Did you read my last instructions? Please perform the fix with FRST64 and post the fixlog.txt

 

Thank you.

 


Android 8888
 

Website: http://android8888.comlu.com

 

Tavira - Here's where I live!

 

Please read the Instructions for posting requested logs and the article "So how did I get infected in the first place?"
 
Our help is free, but if you wish to help keep these forums running please consider a donation; Please see This Topic for details.


#16 Android 8888

    SWI Malware Tracker

  • Helper
  • 976 posts

Posted 31 March 2017 - 08:53 AM

Ooops... I didn't see your reply. Sorry.

 

Wait while I examine your fixlog.txt and then I'll give you further instructions.

 

p.s. I was born here, and yes, I remember that time in the 80s. Also great years for me. However, the city has grown a lot, but everything else is the same... good beach, good Mediterranean food... I hope you can come back one day.


Edited by Android 8888, 31 March 2017 - 08:55 AM.



#17 winston66

    Advanced Member

  • Full Member
  • 205 posts

Posted 31 March 2017 - 08:55 AM

Hi Android 8888
 
I posted the fix just before your last post.
I also tried posting this but had to give up because the typing kept freezing and finally wouldn't type at all.
I tried to post that I have noticed that this site appears to give me problems. I don't know if it's the sole cause, but when I go onto it the cursor arrow flickers and the slowness, whirring noises and freezing start.
hxxs://www.google.co.uk/#q=sdx+share+price&*
and more specifically a visit to this appears to trigger things:
hxxp://www.lse.co.uk/SharePrice.asp?shareprice=SDX
 
Any thoughts?
I will re-run the adware cleaner.
Kind regards,
 
Winston66

Edited by Rocket Grannie, 13 April 2017 - 05:58 PM.
Disabled live links


#18 winston66

    Advanced Member

  • Full Member
  • 205 posts

Posted 31 March 2017 - 09:06 AM

Hi Android 8888,

 

Here's the latest adwcleaner log:

 

# AdwCleaner v6.045 - Logfile created 31/03/2017 at 16:01:35
# Updated on 28/03/2017 by Malwarebytes
# Database : 2017-03-30.1 [Local]
# Operating System : Windows 10 Home  (X64)
# Username : eddie - EH
# Running from : C:\Users\eddie\Desktop\adwcleaner_6.045 (4).exe
# Mode: Clean
 
 
 
***** [ Services ] *****
 
 
 
***** [ Folders ] *****
 
 
 
***** [ Files ] *****
 
 
 
***** [ DLL ] *****
 
 
 
***** [ WMI ] *****
 
 
 
***** [ Shortcuts ] *****
 
 
 
***** [ Scheduled Tasks ] *****
 
 
 
***** [ Registry ] *****
 
 
 
***** [ Web browsers ] *****
 
[-] [C:\Users\eddie\AppData\Local\Google\Chrome\User Data\Default\Web data] [Search Provider] Deleted: uk.ask.com
 
 
*************************
 
:: "Tracing" keys deleted
:: Winsock settings cleared
 
*************************
 
 
########## EOF - C:\AdwCleaner\AdwCleaner[C22].txt - [5511 Bytes] ##########
 
regards,
 
winston66


#19 winston66

    Advanced Member

  • Full Member
  • 205 posts

Posted 31 March 2017 - 09:21 AM

Sorry, I believe this is the one with a bit more detail:

 

# AdwCleaner v6.045 - Logfile created 31/03/2017 at 16:01:14
# Updated on 28/03/2017 by Malwarebytes
# Database : 2017-03-30.1 [Local]
# Operating System : Windows 10 Home  (X64)
# Username : eddie - EH
# Running from : C:\Users\eddie\Desktop\adwcleaner_6.045 (4).exe
# Mode: Scan
 
 
 
***** [ Services ] *****
 
No malicious services found.
 
 
***** [ Folders ] *****
 
No malicious folders found.
 
 
***** [ Files ] *****
 
No malicious files found.
 
 
***** [ DLL ] *****
 
No malicious DLLs found.
 
 
***** [ WMI ] *****
 
No malicious keys found.
 
 
***** [ Shortcuts ] *****
 
No infected shortcut found.
 
 
***** [ Scheduled Tasks ] *****
 
No malicious task found.
 
 
***** [ Registry ] *****
 
No malicious registry entries found.
 
 
***** [ Web browsers ] *****
 
No malicious Firefox based browser items found.
Chrome pref Found:  [C:\Users\eddie\AppData\Local\Google\Chrome\User Data\Default\Web data] - uk.ask.com
 
*************************
 
 
########## EOF - C:\AdwCleaner\AdwCleaner[S51].txt - [5618 Bytes] ##########
 
regards,
 
winston66


#20 Android 8888

Android 8888

    SWI Malware Tracker

  • Helper
  • 976 posts

Posted 31 March 2017 - 10:50 AM

The FRST fix went successfully and the AdwCleaner cleaned up the infected item.

 

At this point I will ask you to read the instructions in the following links to clean the cache and history and reset your Firefox and Chrome browsers.

 

Mozilla Firefox:

How to clear browser history

How to reset Mozilla Firefox browser

 

Google Chrome:

How to delete browser history

How to reset Google Chrome

 

 

Now, perform a scan with Sophos Virus Removal Tool to search for remnants of infection. This is a thorough scan and can take some time to complete.

 

Please download Sophos Virus Removal Tool and save it to your computer's Desktop.

  • Right-click the icon and select Run as administrator.
  • Click Yes to accept any security warnings that may appear.
  • Click the Next button.
  • Select 'I accept the terms in the license agreement', then click Next twice.
  • Click the Install button and wait until the installation is complete.
  • Click the Finish button. The tool created a shortcut icon on the Desktop of your computer.
  • Now, double-click the Sophos Virus Removal Tool shortcut icon to run the tool.
  • Click Yes to accept any security warnings that may appear.
  • After it updates and a "Start Scanning" button appears in the lower right:
    • Disconnect from the Internet or physically unplug your Internet cable connection.
    • Close all open programs, scheduling/updating tasks and background processes that might activate during the scan, including the screensaver.
    • Temporarily disable your anti-virus and real-time anti-spyware protection.
    • Click the "Start Scanning" button in the lower right to start the scan.
    • After starting the scan, do not use the computer until the scan has completed.
    • When finished, if it detected anything there will be a "Start Clean-up" button; click it and allow it to finish.
    • When finished, re-enable your anti-virus/anti-malware (or reboot) and then you can reconnect to the Internet.
  • If any threats are found click Details, then View Log file (bottom left-hand corner).
  • Copy and paste its contents in your next reply and note any errors encountered.
  • Close the Notepad document, close the Threat Details screen, then click Start cleanup.
  • Click Exit to close the program.
  • If no threats were found, please confirm that result.

Note: Whenever necessary, the log will be in the following location:

C:\ProgramData\Sophos\Sophos Virus Removal Tool\Logs\SophosVirusRemovalTool.log
 
Please post the contents of the log in your next reply and note any errors encountered.

 

Thank you.
 


Android 8888
 

Website: http://android8888.comlu.com

 

Tavira - Here's where I live!

 

Please read the Instructions for posting requested logs and the article "So how did I get infected in the first place?"
 
Our help is free, but if you wish to help keep these forums running please consider a donation; Please see This Topic for details.


#21 winston66

winston66

    Advanced Member

  • Full Member
  • 205 posts

Posted 31 March 2017 - 03:05 PM

Hi Android 8888

 

I've tried quite a few times but the install wizard keeps showing the message:

"Error 1606. Could not access network location data."

I keep retrying but the same message reappears.

 

Kind regards

 

Winston66


Edited by winston66, 31 March 2017 - 03:06 PM.


#22 Android 8888

Android 8888

    SWI Malware Tracker

  • Helper
  • 976 posts

Posted 31 March 2017 - 05:26 PM

Hello winston66.

Did you clear the cache and history and reset your Internet browsers? If not please do it now before the next step.


NOTE: Before following the steps below, please disable your antivirus software or any other real-time security software that you have enabled.

 

  • Download the portable version of Windows Repair All-In-One, save it to your computer's Desktop and double-click the file to extract it there;
  • Now reboot the computer in Safe Mode with Networking;
  • Go into the tweaking.com_windows_repair_aio folder, then the Tweaking.com - Windows Repair folder, right-click on Repair_Windows.exe and select Run as Administrator;
  • Click Yes to accept the User Account Control security warning;
  • On the top bar go to the Step 3: Optional tab and click the Open Check Disk At Next Boot;
  • It will open a window named "Check Disk (chkdsk) At Next Boot";
  • Click the Add To Next Boot button;
  • Close that window and click on Reboot to Safe Mode button;
  • When the Check Disk is complete, and once in Safe Mode open Windows Repair All-In-One;
  • Go to the Step 4: Optional tab and select the Do It button to run System File Checker (SFC) on your system;
  • When the SFC is complete go to the +Repairs tab and click the Open Repairs button.
  • Let the Registry back up complete, and move on to the check-list window;
  • Leave all the items checked by default;
  • Click on the Start Repairs button and let the scan execute;
  • If you are being prompted with a Security Warning, allow it to go through;
  • Once the repair is complete, it'll ask you to restart your computer; please do so.

 

After performing the fixes above, please describe in detail how the computer is running and what issues remain on it at this point.

Thank you.

Android 8888




#23 winston66

winston66

    Advanced Member

  • Full Member
  • 205 posts

Posted 01 April 2017 - 01:08 AM

Hi Android 8888,

 

I've double-checked the resets and the clearing of cache and cookies. I've even deleted browsing history etc.

I also had Opera installed, which I've never used, but have uninstalled it.

I'm now going to uninstall Firefox (I can always reinstall it later).

I still get the error code message?

Do you want me to run the Windows Repair All-In-One before we sort out the Sophos problem, or wait?

 

Kind regards,

 

Winston



#24 Android 8888

Android 8888

    SWI Malware Tracker

  • Helper
  • 976 posts

Posted 01 April 2017 - 04:29 AM

Hello winston66.

 

Do not run Windows Repair AIO yet.

 

Please wait for further instructions.

 

Thank you.

 

Android 8888




#25 winston66

winston66

    Advanced Member

  • Full Member
  • 205 posts

Posted 01 April 2017 - 04:47 AM

Hello Android 8888

 

Will do.

Regards,

 

winston


Edited by winston66, 01 April 2017 - 09:14 AM.


#26 Android 8888

Android 8888

    SWI Malware Tracker

  • Helper
  • 976 posts

Posted 01 April 2017 - 11:53 AM

Hello winston66.

 

Sorry for the late reply.

 

Please proceed as follows:

Backup the Windows Registry:

  • Please download ERUNT from here
  • ERUNT (Emergency Recovery Utility NT) is a free program that allows you to keep a complete backup of your registry and restore it when needed.
  • Double click on erunt-setup.exe to Install ERUNT by following the prompts.
  • Use the default install settings but say NO to the portion that asks you to add ERUNT to the Start-Up folder. You can enable this option later if you wish.
  • Start ERUNT either by double clicking on the desktop icon or choosing to start the program at the end of the setup process.
  • Choose a location for the backup.
    • Note: the default location is C:\Windows\ERDNT which is acceptable.
  • Make sure that at least the first two check boxes are selected.
  • Click on OK.
  • Then click on YES to create the folder.
  • Note: if it is necessary to restore the registry, open the backup folder and start ERDNT.exe

Next,

Press the Windows key + R on your keyboard at the same time. This will open the RUN BOX.
Type Notepad and click the OK button.
Please copy the entire contents of the code box below. To do this, highlight the contents of the box, right-click on it and select Copy.
Paste this into the open Notepad.
 

Start
ExportKey: [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders]
ExportKey: [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders]
End

 

Save the file as fixlist.txt into the same location as FRST64 (your computer's Desktop).
Right-click the FRST64 icon and select Run as administrator to run the tool.
Click the Fix button only once and wait.
When finished FRST will generate a log on the Desktop (fixlog.txt). Please post its entire content in your next reply.

NOTE: It's important that both files, FRST64 and fixlist.txt, are in the same location or the fix will not work.

Please post the entire content of fixlog.txt and note any errors encountered.

 

Let me review the log and wait for further instructions.

Thank you.

 


Android 8888
 



#27 winston66

winston66

    Advanced Member

  • Full Member
  • 205 posts

Posted 01 April 2017 - 12:16 PM

Hi Android 8888,

 

No problem with the delay.

I've been reading the weekend press and doing a bit of research on the internet today without any noticeable problems.

But I went onto that site that I pointed out to you yesterday (LSE) and all the problems restarted, finalising in a complete screen freeze, so I had to manually switch the computer off and reboot. No noticeable problems since. Any ideas as to what might be going on?

 

I enclose the latest log below:

 

 Fix result of Farbar Recovery Scan Tool (x64) Version: 15-03-2017

Ran by eddie (01-04-2017 19:10:44) Run:9
Running from C:\Users\eddie\Desktop
Loaded Profiles: eddie (Available Profiles: eddie & DefaultAppPool)
Boot Mode: Normal
==============================================
 
fixlist content:
*****************
Start
ExportKey: [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders]
ExportKey: [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders]
End
*****************
 
================== ExportKey: ===================
 
[HKUS-1-5-21-430072569-3085444723-2816121149-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders]
"AppData"="%USERPROFILE%\AppData\Roaming"
"Desktop"="%USERPROFILE%\Desktop"
"Favorites"="%USERPROFILE%\Favorites"
"History"="%USERPROFILE%\AppData\Local\Microsoft\Windows\History"
"Local AppData"="%USERPROFILE%\AppData\Local"
"My Music"="%USERPROFILE%\Music"
"My Pictures"="%USERPROFILE%\Pictures"
"My Video"="%USERPROFILE%\Videos"
"NetHood"="%USERPROFILE%\AppData\Roaming\Microsoft\Windows\Network Shortcuts"
"Personal"="%USERPROFILE%\Documents"
"PrintHood"="%USERPROFILE%\AppData\Roaming\Microsoft\Windows\Printer Shortcuts"
"Programs"="%USERPROFILE%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs"
"Recent"="%USERPROFILE%\AppData\Roaming\Microsoft\Windows\Recent"
"SendTo"="%USERPROFILE%\AppData\Roaming\Microsoft\Windows\SendTo"
"Start Menu"="%USERPROFILE%\AppData\Roaming\Microsoft\Windows\Start Menu"
"Startup"="%USERPROFILE%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"
"Templates"="%USERPROFILE%\AppData\Roaming\Microsoft\Windows\Templates"
"{374DE290-123F-4565-9164-39C4925E467B}"="%USERPROFILE%\Downloads"
"Cache"="C:\Users\eddie\AppData\Local\Microsoft\Windows\INetCache"
"Cookies"="C:\Users\eddie\AppData\Local\Microsoft\Windows\INetCookies"
 
=== End of ExportKey ===
================== ExportKey: ===================
 
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders]
"Common AppData"="%ProgramData%"
"Common Desktop"="%PUBLIC%\Desktop"
"Common Documents"="%PUBLIC%\Documents"
"Common Programs"="%ProgramData%\Microsoft\Windows\Start Menu\Programs"
"Common Start Menu"="%ProgramData%\Microsoft\Windows\Start Menu"
"Common Startup"="%ProgramData%\Microsoft\Windows\Start Menu\Programs\Startup"
"Common Templates"="%ProgramData%\Microsoft\Windows\Templates"
"CommonMusic"="%PUBLIC%\Music"
"CommonPictures"="%PUBLIC%\Pictures"
"CommonVideo"="%PUBLIC%\Videos"
"{3D644C9B-1FB8-4f30-9B45-F670235F79C0}"="%PUBLIC%\Downloads"
 
=== End of ExportKey ===
 
==== End of Fixlog 19:10:45 ====
 
I'll be going out at around 8.30pm French time. It is currently 7.15pm.
 
Kind regards,
 
winston66
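The User Shell Folders export above is the kind of log a helper reads looking for a value that points somewhere the installer cannot reach (Windows Installer reports that as error 1606, "Could not access network location"). As an added example that is not part of this thread, of FRST or of any tool it mentions, here is a small Python checker for the Fixlog's ExportKey format; the sample log is constructed from the format shown above, with a placeholder SID, a UNC path and a relative path inserted to show what a bad entry looks like.

```python
"""Flag User Shell Folders values that Windows Installer is likely unable to reach.

Added example for this thread; not part of FRST, Malwarebytes or the forum's tooling.
It parses the ExportKey section of an FRST Fixlog (format as shown in the thread) and
reports any shell-folder value that is a UNC path, expands through an unexpected
environment variable, or is not an absolute local path.
"""
import re
from dataclasses import dataclass

# Constructed sample in the Fixlog ExportKey format (SID is a placeholder).
# "Favorites" and "Common Templates" are deliberately bad; the rest are Windows defaults.
SAMPLE_FIXLOG = r"""
================== ExportKey: ===================

[HKU\S-1-5-21-EXAMPLE-SID-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders]
"AppData"="%USERPROFILE%\AppData\Roaming"
"Desktop"="%USERPROFILE%\Desktop"
"Favorites"="\\fileserver\share\Favorites"
"Cache"="C:\Users\eddie\AppData\Local\Microsoft\Windows\INetCache"

=== End of ExportKey ===
================== ExportKey: ===================

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders]
"Common AppData"="%ProgramData%"
"Common Desktop"="%PUBLIC%\Desktop"
"Common Templates"="Templates"

=== End of ExportKey ===
"""

KEY_RE = re.compile(r"^\[(HK[^\]]*)\]$")          # [HKEY_...\...] header line
VALUE_RE = re.compile(r'^"([^"]+)"="([^"]*)"$')    # "Name"="Value" line
LOCAL_DRIVE_RE = re.compile(r"^[A-Za-z]:\\")       # C:\... absolute local path
# Variables the default User Shell Folders values expand through.
ALLOWED_VARS = {"USERPROFILE", "PROGRAMDATA", "PUBLIC", "SYSTEMDRIVE", "SYSTEMROOT"}


@dataclass
class Finding:
    key: str
    name: str
    value: str
    reason: str


def parse_exportkey(text: str) -> dict:
    """Return {registry_key: {value_name: value}} from every ExportKey section."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys[current] = {}
            continue
        if line.startswith("=== End of ExportKey"):
            current = None
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            keys[current][m.group(1)] = m.group(2)
    return keys


def classify(value: str):
    """Return a reason string if the value looks unreachable, otherwise None."""
    if value.startswith("\\\\"):
        return "UNC path: the folder is on a network location"
    if value.startswith("%"):
        parts = value.split("%")
        var = parts[1] if len(parts) > 2 else ""
        if var.upper() not in ALLOWED_VARS:
            return f"unexpected environment variable %{var}%"
        return None
    if LOCAL_DRIVE_RE.match(value):
        return None
    return "not an absolute local path"


def audit_fixlog(text: str) -> list:
    """Parse the log and return one Finding per suspicious User Shell Folders value."""
    findings = []
    for key, values in parse_exportkey(text).items():
        if not key.endswith("User Shell Folders"):
            continue
        for name, value in values.items():
            reason = classify(value)
            if reason:
                findings.append(Finding(key, name, value, reason))
    return findings


if __name__ == "__main__":
    for f in audit_fixlog(SAMPLE_FIXLOG):
        print(f"{f.key}\n  {f.name} = {f.value}\n  -> {f.reason}")
```

Run it against a real Fixlog by reading the file into `audit_fixlog`; an empty result means every shell folder resolves to a local path, which is what the export in this thread shows.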


#28 Android 8888

Android 8888

    SWI Malware Tracker

  • Helper
  • 976 posts

Posted 01 April 2017 - 03:23 PM

Hello again.

I will ask you to download and run the following fix tool from Microsoft to see if we can solve the problem with the installation of Sophos Virus Removal Tool.

  • Please download this Microsoft fix application from here and save it to your computer's Desktop.
  • Double-click on the file MicrosoftProgram_Install_and_Uninstall.meta.diagcab to start the program. It will open a new window.
  • Click on the Next button. The tool will start detecting if there are any problems.
  • Click "Install" and wait for the result.
  • When the list of installed programs populates, select anything in the list related to the product you are trying to install (Sophos), then click Next and "Yes, try uninstall". (Note that you can only select one item at a time, so if there are multiple entries for the product you are trying to install, such as the main program and the language pack, you will need to re-run the tool to uninstall each item.)
  • Close the application.
  • Once everything related to the Sophos product has been removed using the tool, attempt the install again.

If you did not see any entry related to Sophos, just let me know.

Please tell me if you were able to install and run Sophos Virus Removal Tool using this method.

Thank you.


Android 8888
 



#29 winston66

winston66

    Advanced Member

  • Full Member
  • 205 posts

Posted 02 April 2017 - 02:49 AM

Hi Android 8888,

 

The fix worked and Sophos installed okay and came up clean.

I disabled the screen saver and hope there was nothing else running which may have interfered?

I will now run the Windows Repair programme and report back.

 

Regards,

 

winston66



#30 winston66

winston66

    Advanced Member

  • Full Member
  • 205 posts

Posted 02 April 2017 - 03:46 AM

Hi Android 8888

It will probably not surprise you that I'm having problems with the Windows Repair tool :)

Do I have to put the computer in Safe Mode from the outset or does the tool do it automatically?

Please advise.

 

Regards,

 

winston66



#31 winston66

winston66

    Advanced Member

  • Full Member
  • 205 posts

Posted 02 April 2017 - 04:19 AM

Hi Android 8888

 

I've removed the programme and reinstalled it.

I noticed I went into Safe Mode the first time without enabling networking.

So I am about to go into Safe Mode with Networking and then run the tool again.

Previously, I got to the Run as administrator bit okay but cannot locate the Step 3: Optional tab. It doesn't appear to be there, so obviously there's something I'm not doing correctly.

Regards,

 

winston66



#32 winston66

winston66

    Advanced Member

  • Full Member
  • 205 posts

Posted 02 April 2017 - 06:24 AM

Hi Android 8888

 

I managed to get the program to run.

It appears that after clicking Run as administrator it just wouldn't run.

I was looking for the Step 3: Optional tab in the original window and not the one that should have appeared after I clicked RAA.

I noticed that the internet was disconnected, so I reconnected it and it then started to run.

On the subsequent reboot it was disconnected again, so I left it like that.

In all there were 43 repairs and the final report showed that 42/43 had been repaired.

Initial reactions suggest that everything is running fine, good speeds and smooth scrolling.

I'm keeping well away from the LSE site though:)

 

Kind regards,

 

winston66



#33 Android 8888

Android 8888

    SWI Malware Tracker

  • Helper
  • 976 posts

Posted 02 April 2017 - 06:25 AM

Hi winston66.

 

I'm glad you were able to solve the problem with Sophos. If its log came up clean, that is a good sign and your computer appears to be clean and free of malware.

 

I checked and tried to go through those sites from the links you posted in post #17, and there is no problem with them.

 

If you are still having freezes and crashes on the computer you can run Windows Repair.

 

"Step 3: Optional" is there on the top menu after Windows Repair AIO starts.

If you follow the instructions in my post #22 step by step you will have no problems running those fixes.

 

If you still have problems or if anything is unclear, please let me know in detail.

 

At this point, what issues or concerns do you still have on the computer?

 

Thank you.

 

Android 8888

 




#34 Android 8888

Android 8888

    SWI Malware Tracker

  • Helper
  • 976 posts

Posted 02 April 2017 - 06:28 AM

p.s.: I'll be out for some hours and will be back later.

 

Regards.

 

Android 8888




#35 winston66

winston66

    Advanced Member

  • Full Member
  • 205 posts

Posted 02 April 2017 - 07:17 AM

Hi Android 8888

 

I think my post crossed with yours again (6.24am and 6.25am, posts 32 & 33).

 

Regards,

 

winston66


Edited by winston66, 02 April 2017 - 08:33 AM.


#36 Android 8888

Android 8888

    SWI Malware Tracker

  • Helper
  • 976 posts

Posted 02 April 2017 - 11:25 AM

Hello.
 

I think my post crossed with yours again 6.24am and 6.25am. 32 & 33.

Yes, it seems so. It sometimes happens.


You have some programs which need to be updated. Outdated applications contain vulnerabilities that can be exploited by malware and are often one of the main reasons for getting infected without the user's consent. I suggest that you perform the following updates.

Adobe Flash Player 24 NPAPI (version 24.0.0.221).
The latest version is 25.0.0.127 and you can download it from here

Your Malwarebytes version is out of date. The latest version is 3.
Please uninstall version 2 of Malwarebytes (MBAM) through the Programs and Features applet.
Then download Malwarebytes version 3 from here and install it on your computer.

 

Note: It's your choice if you want to enable the free trial of Malwarebytes Premium or not. Enabling it will give you real-time protection from the program, as well as access to all the Premium features.

Keep it installed and up-to-date and perform a regular scan on your system.


You can now delete the tools that were used and any logs they created.

Follow the instructions below to download and execute DelFix.

  • Download DelFix and move the executable to your Desktop;
  • Right-click on DelFix.exe and select Run as Administrator;
  • Check the following options:
    • Remove disinfection tools (this option will remove the tools used in the cleaning process).
    • Create registry backup (this option will create a backup from the Windows Registry).
    • Purge system restore (this option will remove all previous and possibly infected restore points, and will create a new and clean restore point of your system).
    • Reset system settings (this option will reset any system settings back to default that were changed either by us during cleansing or by malware infection).
  • Once the options mentioned above are checked, click on Run;
  • After DelFix is done running, a log will open. Please copy and paste the entire content of the output log in your next reply;

 

Is everything running well? Are there any issues or concerns with your computer?


Android 8888
 



#37 winston66

winston66

    Advanced Member

  • Full Member
  • 205 posts

Posted 02 April 2017 - 12:01 PM

Hi Android 8888,

 

I've got the latest Adobe Flash installed, and deleted and reinstalled the latest Malwarebytes.

The trial appeared to start anyway and it has already blocked "cdn anti toolbar.com" - I don't know where that came from - and it also detected and quarantined:

6.41pm    PUP Optional.Reimage           C/program Files

6.42pm    ditto

 

Again, I haven't a clue how they have arrived. I had your tab open plus two Google tabs?

 

Other than that, I've used the computer most of the late afternoon and evening and it's really smooth and fast.

 

I normally keep 7-8 tabs operating during the day - is this good practice?

 

I enclose the log.

 

regards,

 

winston66

 

# DelFix v1.013 - Logfile created 02/04/2017 at 18:48:13
# Updated 17/04/2016 by Xplode
# Username : eddie - EH
# Operating System : Windows 10 Home  (64 bits)
 
~ Removing disinfection tools ...
 
Deleted : C:\FRST
Deleted : C:\zoek_backup
Deleted : C:\AdwCleaner
Deleted : C:\RegBackup
Deleted : C:\Users\eddie\Downloads\FRST-OlderVersion
Deleted : C:\Users\eddie\Desktop\mbar
Deleted : C:\ComboFix.txt
Deleted : C:\TDSSKiller.3.0.0.44_18.05.2015_17.30.06_log.txt
Deleted : C:\TDSSKiller.3.0.0.44_18.05.2015_17.32.43_log.txt
Deleted : C:\TDSSKiller.3.0.0.44_18.05.2015_17.33.37_log.txt
Deleted : C:\TDSSKiller.3.0.0.44_25.05.2015_19.48.42_log.txt
Deleted : C:\TDSSKiller.3.0.0.44_25.05.2015_19.49.24_log.txt
Deleted : C:\TDSSKiller.3.0.0.44_25.05.2015_19.55.04_log.txt
Deleted : C:\TDSSKiller.3.0.0.44_27.03.2015_07.42.00_log.txt
Deleted : C:\zoek-results.log
Deleted : C:\Users\eddie\Desktop\adwcleaner_6.045 (1).exe
Deleted : C:\Users\eddie\Desktop\adwcleaner_6.045 (2).exe
Deleted : C:\Users\eddie\Desktop\adwcleaner_6.045 (3).exe
Deleted : C:\Users\eddie\Desktop\adwcleaner_6.045 (4).exe
Deleted : C:\Users\eddie\Desktop\adwcleaner_6.045.exe
Deleted : C:\Users\eddie\Desktop\Fixlog.txt
Deleted : C:\Users\eddie\Desktop\FRST64 (1) - Shortcut.lnk
Deleted : C:\Users\eddie\Desktop\FRST64.exe
Deleted : C:\Users\eddie\Desktop\JRT (1).exe
Deleted : C:\Users\eddie\Desktop\JRT.exe
Deleted : C:\Users\eddie\Desktop\JRT.txt
Deleted : C:\Users\eddie\Desktop\rkill.exe
Deleted : C:\Users\eddie\Desktop\Rkill.txt
Deleted : C:\Users\eddie\Desktop\rkill64.exe
Deleted : C:\Users\Public\Desktop\RogueKiller.lnk
Deleted : C:\Users\eddie\Downloads\Addition.txt
Deleted : C:\Users\eddie\Downloads\dds.scr
Deleted : C:\Users\eddie\Downloads\esetsmartinstaller_enu.exe
Deleted : C:\Users\eddie\Downloads\FRST.exe
Deleted : C:\Users\eddie\Downloads\FRST.txt
Deleted : C:\Users\eddie\Downloads\FRST64 (1).exe
Deleted : C:\Users\eddie\Downloads\FRST64 (1).txt
Deleted : C:\Users\eddie\Downloads\FRST64.exe
Deleted : C:\Users\eddie\Downloads\JRT (1).exe
Deleted : C:\Users\eddie\Downloads\JRT.exe
Deleted : C:\Users\eddie\Downloads\MiniToolBox.exe
Deleted : C:\Users\eddie\Downloads\RGSA (1).exe
Deleted : C:\Users\eddie\Downloads\RGSA.exe
Deleted : C:\Users\eddie\Downloads\SALog.txt
Deleted : C:\Users\eddie\Downloads\SecurityCheck.exe
Deleted : HKLM\SOFTWARE\AdwCleaner
Deleted : HKLM\SOFTWARE\Swearware
 
~ Creating registry backup ... OK
 
~ Cleaning system restore ...
 
Deleted : RP #34 [Scheduled Checkpoint | 03/24/2017 08:12:12]
Deleted : RP #35 [JRT Pre-Junkware Removal | 03/31/2017 11:35:11]
Deleted : RP #38 [Installed Sophos Virus Removal Tool. | 03/31/2017 19:38:05]
Deleted : RP #39 [Installed Sophos Virus Removal Tool. | 03/31/2017 19:48:39]
Deleted : RP #41 [Installed Sophos Virus Removal Tool. | 04/02/2017 05:48:47]
 
New restore point created !
 
~ Resetting system settings ... OK
 
########## - EOF - ##########


#38 winston66

winston66

    Advanced Member

  • Full Member
  • 205 posts

Posted 02 April 2017 - 12:47 PM

Hi Android 8888

 

The same PUP has appeared (Reimage) and I have a red Malwarebytes window telling me that I have to reboot to complete the quarantine process.

 

Regards,

 

winston66



#39 Android 8888

Android 8888

    SWI Malware Tracker

  • Helper
  • 976 posts

Posted 02 April 2017 - 12:57 PM

Hi.
 

 

The same PUP has appeared (reimage) and I have a red malwarebytes window telling me that I have to reboot to complete the quarantine process.

Please accept that and restart the computer.

 

 

Again, I haven't a clue how they have arrived. I had your tab open plus two google tabs ?????

That depends. It can be triggered simply by visiting a particular site with a dubious reputation. Sometimes you don't even have to click anything for these programs to install themselves. That's why they're called PUPs.

 

But if Malwarebytes detected it and quarantined it, you don't need to worry about that as it is not active anymore. Also, you can delete the quarantined items if you wish.
 

 

Other than that, I've used the computer most of the late afternoon and evening and it's really smooth and fast.

That is good! It appears to be running well then.
 

 

I normally keep 7-8 tabs operating during the day - is this good practice ?

As long as you are not on dubious sites (piracy, peer-to-peer, etc.) I do not see any problem in doing that. However, keep in mind that having many browsers or tabs open can take a considerable amount of RAM, which may become necessary to run other applications. Other than these considerations I don't see any problem with that practice.


Okay, the Delfix log indicates it ran well, cleaned up the tools, purged System Restore and created a new and clean Restore Point. You can also manually delete the logs that may not have been removed by Delfix.


If all is running well and if you do not have more issues with your computer, below I have included a number of recommendations for how to protect your computer in order to prevent future malware infections. Please consider using these ideas to help secure your computer.

Keep your AntiVirus program up-to-date.

Please note: Many installers offer third-party downloads that are installed automatically when you do not uncheck certain checkboxes. While most of the time not malicious, you usually do not want these on your computer. Be careful during the installation process and you will avoid seeing tons of new unwanted toolbars in your favorite web browser.

Please consider installing and running some of the following programs; they are either free or have free versions of commercial programs:
Keep Malwarebytes Anti-Malware (MBAM) updated and perform regular scans of your system, as this will make it harder for malware to reside on your computer.
A tutorial on using MBAM can be found here and a complete guide here

Please Note: Only the paid-for version has real-time capabilities.
A free non-resident utility to prevent the installation of ActiveX-based malware is JavaCool's SpywareBlaster, available here

Please keep these programs up-to-date and run them whenever you suspect a problem, to prevent malware problems. A number of programs have resident protection and it is a good idea to run the resident protection of one program of each type to maintain protection. However, it is important to run only one resident program of each type, since they can conflict and become less effective. That means only one antivirus, one firewall and one scanning anti-spyware program at a time. Passive protectors, like SpywareBlaster, can be run with any of them.

Note that there are a lot of rogue programs out there that want to scare you into giving them your money and some malware actually claims to be security programs. If you get a popup for a security program that you did not install yourself, do NOT click on it and ask for help immediately. It is very important to run an antivirus and firewall, but you can't always rely on reviews and ads for information. Ask in a security forum that you trust if you are not sure.

A similar category of programs is now called "scareware". Scareware programs are active infections that will pop up on your computer and tell you that you are infected. If you look closely, it will usually have a name that looks like it might be legitimate, but it is NOT one of the programs you installed. It tells you to click and install it right away. If you click on any part of it, including the 'X' to close it, you may actually help it infect your computer further. Keeping protection updated and running resident protection can help prevent these infections. If it happens anyway, get offline as quickly as you can. Pull the internet connection cable or shut down the computer if you have to. Contact someone to help by using another computer if possible. These programs are also sometimes called 'rogues', but they are different from the older version of rogues mentioned above.

Another of the most feared threats at the moment is a ransomware infection. Ransomware is a program that ransoms the data or functionality of your computer until you perform an action. This action is typically paying a ransom in Bitcoin or via another payment method. I advise you to read more about this terrible threat here and here.

Please keep your programs up to date. This applies to your security programs, Adobe Flash Player, Adobe Reader, Java and all your Internet Browsers in particular. Vulnerabilities in these programs are often exploited in order to install malware on your PC.

Run a program like Personal Software Inspector (PSI) or FileHippo Update Checker to see what programs need to be updated.

Be careful with flash drives, as they can spread infections. See this post on USB/flash drive safety.

Stay away from P2P software; even with a clean P2P program, their networks are often riddled with malware.

Don't click on attachments or links in e-mail, and read your e-mail in text-only mode for the highest safety.

Don't click on links received in instant message programs.

A HOSTS file will prevent Internet Explorer from communicating with sites known to be associated with adware or spyware. A good, regularly updated HOSTS file is the MVPS HOSTS File, available here.

For much more useful and complete information, please read the following links to fully understand PC Security and Best Practices:
How did I get infected in the first place
Answers to common security questions - Best Practices

Hopefully these steps will help to keep you error and malware free. If you run into more difficulty, we will certainly do what we can to help.

Happy surfing!

Android8888


Android 8888
 

Website: http://android8888.comlu.com

 

Tavira - Here's where I live!

 

Please read the Instructions for posting requested logs and the article "So how did I get infected in the first place?"
 
Our help is free, but if you wish to help keep these forums running please consider a donation; Please see This Topic for details.


#40 winston66 (Advanced Member; Full Member, 205 posts)

Posted 02 April 2017 - 01:13 PM

Hi Android 8888,

One final oddity that I've noticed is that when I reboot, the internet disconnects each time.

This is no big deal as it's easy to reconnect, but why is this happening now, please?

 

Kind regards,

 

Winston66



#41 Android 8888 (SWI Malware Tracker; Helper, 976 posts)

Posted 02 April 2017 - 01:33 PM

Can you explain in detail what is disconnecting from the Internet? Do you mean the computer or the router/modem device? Besides, are you using a modem or a router for Internet connection?


Android 8888
 



#42 winston66 (Advanced Member; Full Member, 205 posts)

Posted 02 April 2017 - 01:45 PM

Hi Android 8888

 

On the bottom toolbar there is the internet connection logo, which looks like radio waves (((( but at an angle.

When I reboot there is an asterisk next to it and when I click on the icon the internet access window opens with available connections. My secure connection is my Livebox router 8f16 and it has either "connected, secured" displayed or "unconnected". If I click on it a window opens giving me the option to disconnect or connect depending on its situation.

In typing this I believe I've noticed the problem, there is a box which is empty saying connect automatically. I've now ticked this, so would imagine it will be ok now.

So, I would like to thank you very much for your kind assistance and for completing the work so quickly.

Sorry I was a little slow on some things.

All the very best.

Kind regards,

 

winston66



#43 Android 8888 (SWI Malware Tracker; Helper, 976 posts)

Posted 02 April 2017 - 01:58 PM

Hello winston66.

 

 

In typing this I believe I've noticed the problem, there is a box which is empty saying connect automatically. I've now ticked this, so would imagine it will be ok now.

I was just about to suggest this. I'm glad you have solved it. :good:

 

 

 

So, I would like to thank you very much for you kind assistance and for completing the work so quickly.

You are very welcome! :hi:

 

Regards,

 

Android 8888




#44 winston66 (Advanced Member; Full Member, 205 posts)

Posted 08 April 2017 - 10:34 AM

Hi Android 8888

 

Sorry to bother you again, but I just ran a scan with MWB, the premium version of which I've had on trial and running since you kindly cleaned up the computer, and to my surprise it has found 112 PUPs.

I don't know where they have come from, or how they got through the protections undetected?

Could you please advise what I should do?

 

Kind regards,

 

winston66

 

 

ps I enclose the log of the MWB scan:

 

Malwarebytes
www.malwarebytes.com
 
-Log Details-
Scan Date: 4/8/17
Scan Time: 2:19 PM
Logfile: mwb080417.txt
Administrator: Yes
 
-Software Information-
Version: 3.0.6.1469
Components Version: 1.0.96
Update Package Version: 1.0.1686
License: Trial
 
-System Information-
OS: Windows 10
CPU: x64
File System: NTFS
User: EH\eddie
 
-Scan Summary-
Scan Type: Threat Scan
Result: Completed
Objects Scanned: 482258
Time Elapsed: 14 min, 59 sec
 
-Scan Options-
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled
 
-Scan Details-
Process: 0
(No malicious items detected)
 
Module: 0
(No malicious items detected)
 
Registry Key: 35
PUP.Optional.Reimage, HKLM\SOFTWARE\CLASSES\CLSID\{10ECCE17-29B5-4880-A8F5-EAD298611484}, No Action By User, [965], [327205],1.0.1686
PUP.Optional.Reimage, HKLM\SOFTWARE\CLASSES\CLSID\{10ECCE17-29B5-4880-A8F5-EAD298611484}\InprocServer32, No Action By User, [965], [327205],1.0.1686
PUP.Optional.Reimage, HKLM\SOFTWARE\CLASSES\REI_AxControl.ReiEngine, No Action By User, [965], [327205],1.0.1686
PUP.Optional.Reimage, HKLM\SOFTWARE\CLASSES\REI_AxControl.ReiEngine.1, No Action By User, [965], [327205],1.0.1686
PUP.Optional.Reimage, HKLM\SOFTWARE\CLASSES\TYPELIB\{FA6468D2-FAA4-4951-A53B-2A5CF9CC0A36}, No Action By User, [965], [327205],1.0.1686
PUP.Optional.Reimage, HKLM\SOFTWARE\CLASSES\INTERFACE\{9BB31AD8-5DB2-459E-A901-DEA536F23BA4}, No Action By User, [965], [327205],1.0.1686
PUP.Optional.Reimage, HKLM\SOFTWARE\CLASSES\INTERFACE\{BD51A48E-EB5F-4454-8774-EF962DF64546}, No Action By User, [965], [327205],1.0.1686
PUP.Optional.Reimage, HKLM\SOFTWARE\CLASSES\WOW6432NODE\INTERFACE\{9BB31AD8-5DB2-459E-A901-DEA536F23BA4}, No Action By User, [965], [327205],1.0.1686
PUP.Optional.Reimage, HKLM\SOFTWARE\CLASSES\WOW6432NODE\INTERFACE\{BD51A48E-EB5F-4454-8774-EF962DF64546}, No Action By User, [965], [327205],1.0.1686
PUP.Optional.Reimage, HKLM\SOFTWARE\WOW6432NODE\CLASSES\INTERFACE\{9BB31AD8-5DB2-459E-A901-DEA536F23BA4}, No Action By User, [965], [327205],1.0.1686
PUP.Optional.Reimage, HKLM\SOFTWARE\WOW6432NODE\CLASSES\INTERFACE\{BD51A48E-EB5F-4454-8774-EF962DF64546}, No Action By User, [965], [327205],1.0.1686
PUP.Optional.Reimage, HKLM\SOFTWARE\WOW6432NODE\CLASSES\TYPELIB\{FA6468D2-FAA4-4951-A53B-2A5CF9CC0A36}, No Action By User, [965], [327205],1.0.1686
PUP.Optional.Reimage, HKLM\SOFTWARE\CLASSES\WOW6432NODE\TYPELIB\{FA6468D2-FAA4-4951-A53B-2A5CF9CC0A36}, No Action By User, [965], [327205],1.0.1686
PUP.Optional.Reimage, HKLM\SOFTWARE\CLASSES\CLSID\{801B440B-1EE3-49B0-B05D-2AB076D4E8CB}, No Action By User, [965], [327205],1.0.1686
PUP.Optional.Reimage, HKLM\SOFTWARE\CLASSES\CLSID\{801B440B-1EE3-49B0-B05D-2AB076D4E8CB}\InprocServer32, No Action By User, [965], [327205],1.0.1686
PUP.Optional.Reimage, HKU\S-1-5-21-430072569-3085444723-2816121149-1000\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXT\SETTINGS\{10ECCE17-29B5-4880-A8F5-EAD298611484}, No Action By User, [965], [327205],1.0.1686
PUP.Optional.Reimage, HKLM\SOFTWARE\WOW6432NODE\CLASSES\APPID\{28FF42B8-A0DA-4BE5-9B81-E26DD59B350A}, No Action By User, [965], [332494],1.0.1686
PUP.Optional.Reimage, HKLM\SOFTWARE\CLASSES\WOW6432NODE\APPID\{28FF42B8-A0DA-4BE5-9B81-E26DD59B350A}, No Action By User, [965], [332494],1.0.1686
PUP.Optional.Reimage, HKLM\SOFTWARE\CLASSES\APPID\{28FF42B8-A0DA-4BE5-9B81-E26DD59B350A}, No Action By User, [965], [332494],1.0.1686
PUP.Optional.Reimage, HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\Reimage Repair, No Action By User, [965], [327201],1.0.1686
PUP.Optional.Reimage, HKLM\SOFTWARE\CLASSES\APPID\REI_AxControl.DLL, No Action By User, [965], [327193],1.0.1686
PUP.Optional.Reimage, HKLM\SOFTWARE\CLASSES\WOW6432NODE\APPID\REI_AxControl.DLL, No Action By User, [965], [327193],1.0.1686
PUP.Optional.Reimage, HKLM\SOFTWARE\REIMAGE\Reimage Repair, No Action By User, [965], [336077],1.0.1686
PUP.Optional.Reimage, HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\APP PATHS\REIMAGE.EXE, No Action By User, [965], [327200],1.0.1686
PUP.Optional.Reimage, HKU\S-1-5-21-430072569-3085444723-2816121149-1000\SOFTWARE\REIMAGE\PC REPAIR, No Action By User, [965], [327204],1.0.1686
PUP.Optional.Reimage, HKLM\SOFTWARE\REIMAGE\REIMAGE PROTECTOR, No Action By User, [965], [332504],1.0.1686
PUP.Optional.Reimage, HKLM\SOFTWARE\WOW6432NODE\CLASSES\APPID\REI_AxControl.DLL, No Action By User, [965], [327193],1.0.1686
PUP.Optional.Reimage, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\APP PATHS\REIMAGE.EXE, No Action By User, [965], [327200],1.0.1686
PUP.Optional.Reimage, HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\ReimageRealTimeProtector, No Action By User, [965], [327202],1.0.1686
PUP.Optional.Reimage, HKU\S-1-5-21-430072569-3085444723-2816121149-1000\SOFTWARE\LOCAL APPWIZARD-GENERATED APPLICATIONS\Reimage - Windows Problem Relief., No Action By User, [965], [327203],1.0.1686
PUP.Optional.Reimage, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TASKS\{49D0F05B-9E27-4F3B-8A42-D479D17D016D}, No Action By User, [965], [332365],1.0.1686
PUP.Optional.Reimage, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TASKS\{55487ED1-D0EE-4F14-A8C3-7EB08D4C9CC3}, No Action By User, [965], [332363],1.0.1686
PUP.Optional.Reimage, HKU\S-1-5-21-430072569-3085444723-2816121149-1000\SOFTWARE\Reimage, No Action By User, [965], [357494],1.0.1686
PUP.Optional.Reimage, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TREE\Reimage Reminder, No Action By User, [965], [332362],1.0.1686
PUP.Optional.Reimage, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TREE\ReimageUpdater, No Action By User, [965], [332364],1.0.1686
 
Registry Value: 6
PUP.Optional.Reimage, HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\APP PATHS\REIMAGE.EXE|, No Action By User, [965], [327200],1.0.1686
PUP.Optional.Reimage, HKU\S-1-5-21-430072569-3085444723-2816121149-1000\SOFTWARE\REIMAGE\PC REPAIR|QUITMESSAGE, No Action By User, [965], [327204],1.0.1686
PUP.Optional.Reimage, HKLM\SOFTWARE\REIMAGE\REIMAGE PROTECTOR|CFLPATH, No Action By User, [965], [332504],1.0.1686
PUP.Optional.Reimage, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\APP PATHS\REIMAGE.EXE|, No Action By User, [965], [327200],1.0.1686
PUP.Optional.Reimage, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TASKS\{49D0F05B-9E27-4F3B-8A42-D479D17D016D}|PATH, No Action By User, [965], [332365],1.0.1686
PUP.Optional.Reimage, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TASKS\{55487ED1-D0EE-4F14-A8C3-7EB08D4C9CC3}|PATH, No Action By User, [965], [332363],1.0.1686
 
Registry Data: 0
(No malicious items detected)
 
Data Stream: 0
(No malicious items detected)
 
Folder: 16
PUP.Optional.Reimage, C:\ProgramData\Reimage Protector\Results, No Action By User, [965], [327186],1.0.1686
PUP.Optional.Reimage, C:\PROGRAMDATA\REIMAGE PROTECTOR, No Action By User, [965], [327186],1.0.1686
PUP.Optional.Reimage, C:\Program Files\Reimage\Reimage Repair\Microsoft.VC90.CRT, No Action By User, [965], [327184],1.0.1686
PUP.Optional.Reimage, C:\Program Files\Reimage\Reimage Protector, No Action By User, [965], [327184],1.0.1686
PUP.Optional.Reimage, C:\Program Files\Reimage\Reimage Repair, No Action By User, [965], [327184],1.0.1686
PUP.Optional.Reimage, C:\PROGRAM FILES\REIMAGE, No Action By User, [965], [327184],1.0.1686
PUP.Optional.Reimage, C:\rei\Results\EXE1.8.4.9\RUN20170402_0959, No Action By User, [965], [327187],1.0.1686
PUP.Optional.Reimage, C:\rei\Temp\20170402_0959\DownloaderTemp, No Action By User, [965], [327187],1.0.1686
PUP.Optional.Reimage, C:\rei\AV\Microsoft.VC90.CRT, No Action By User, [965], [327187],1.0.1686
PUP.Optional.Reimage, C:\rei\Results\EXE1.8.4.9, No Action By User, [965], [327187],1.0.1686
PUP.Optional.Reimage, C:\rei\Temp\20170402_0959, No Action By User, [965], [327187],1.0.1686
PUP.Optional.Reimage, C:\rei\Results, No Action By User, [965], [327187],1.0.1686
PUP.Optional.Reimage, C:\rei\Temp, No Action By User, [965], [327187],1.0.1686
PUP.Optional.Reimage, C:\rei\AV, No Action By User, [965], [327187],1.0.1686
PUP.Optional.Reimage, C:\REI, No Action By User, [965], [327187],1.0.1686
PUP.Optional.Reimage, C:\PROGRAMDATA\MICROSOFT\WINDOWS\START MENU\PROGRAMS\REIMAGE REPAIR, No Action By User, [965], [327185],1.0.1686
 
File: 55
PUP.Optional.Reimage, C:\PROGRAM FILES\REIMAGE\REIMAGE REPAIR\REI_AXCONTROL.DLL, No Action By User, [965], [327205],1.0.1686
PUP.Optional.Reimage, C:\PROGRAMDATA\REIMAGE PROTECTOR\CFL.REI, No Action By User, [965], [327186],1.0.1686
PUP.Optional.Reimage, C:\ProgramData\Reimage Protector\Results\active_protection.txt, No Action By User, [965], [327186],1.0.1686
PUP.Optional.Reimage, C:\ProgramData\Reimage Protector\Results\ProtectorPackage.log, No Action By User, [965], [327186],1.0.1686
PUP.Optional.Reimage, C:\ProgramData\Reimage Protector\Results\ProtectorUpdater.log, No Action By User, [965], [327186],1.0.1686
PUP.Optional.Reimage, C:\ProgramData\Reimage Protector\Results\url_setting_definitions.txt, No Action By User, [965], [327186],1.0.1686
PUP.Optional.Reimage, C:\WINDOWS\TEMP\REIMAGE.LOG, No Action By User, [965], [334717],1.0.1686
PUP.Optional.SpeedItUp, C:\WINDOWS\REIMAGE.INI, No Action By User, [1053], [329423],1.0.1686
PUP.Optional.Reimage, C:\WINDOWS\SYSTEM32\TASKS\REIMAGEUPDATER, No Action By User, [965], [327190],1.0.1686
PUP.Optional.Reimage, C:\WINDOWS\SYSTEM32\TASKS\REIMAGE REMINDER, No Action By User, [965], [327188],1.0.1686
PUP.Optional.Reimage, C:\PROGRAM FILES\REIMAGE\REIMAGE REPAIR\REIMAGEICON.ICO, No Action By User, [965], [327184],1.0.1686
PUP.Optional.Reimage, C:\Program Files\Reimage\Reimage Protector\ProtectorUpdater.exe, No Action By User, [965], [327184],1.0.1686
PUP.Optional.Reimage, C:\Program Files\Reimage\Reimage Protector\ReiProtectorM.exe, No Action By User, [965], [327184],1.0.1686
PUP.Optional.Reimage, C:\Program Files\Reimage\Reimage Protector\ReiScanner.exe, No Action By User, [965], [327184],1.0.1686
PUP.Optional.Reimage, C:\Program Files\Reimage\Reimage Repair\Microsoft.VC90.CRT\Microsoft.VC90.CRT.manifest, No Action By User, [965], [327184],1.0.1686
PUP.Optional.Reimage, C:\Program Files\Reimage\Reimage Repair\Microsoft.VC90.CRT\msvcr90.dll, No Action By User, [965], [327184],1.0.1686
PUP.Optional.Reimage, C:\Program Files\Reimage\Reimage Repair\LZMA.EXE, No Action By User, [965], [327184],1.0.1686
PUP.Optional.Reimage, C:\Program Files\Reimage\Reimage Repair\Reimage Repair.url, No Action By User, [965], [327184],1.0.1686
PUP.Optional.Reimage, C:\Program Files\Reimage\Reimage Repair\Reimage.exe, No Action By User, [965], [327184],1.0.1686
PUP.Optional.Reimage, C:\Program Files\Reimage\Reimage Repair\ReimageRepair.exe, No Action By User, [965], [327184],1.0.1686
PUP.Optional.Reimage, C:\Program Files\Reimage\Reimage Repair\ReimageSafeMode.exe, No Action By User, [965], [327184],1.0.1686
PUP.Optional.Reimage, C:\Program Files\Reimage\Reimage Repair\Reimage_SafeMode.ico, No Action By User, [965], [327184],1.0.1686
PUP.Optional.Reimage, C:\Program Files\Reimage\Reimage Repair\Reimage_uninstall.ico, No Action By User, [965], [327184],1.0.1686
PUP.Optional.Reimage, C:\Program Files\Reimage\Reimage Repair\Reimage_website.ico, No Action By User, [965], [327184],1.0.1686
PUP.Optional.Reimage, C:\Program Files\Reimage\Reimage Repair\REI_AVIRA.exe, No Action By User, [965], [327184],1.0.1686
PUP.Optional.Reimage, C:\Program Files\Reimage\Reimage Repair\REI_AxControl.inf, No Action By User, [965], [327184],1.0.1686
PUP.Optional.Reimage, C:\Program Files\Reimage\Reimage Repair\REI_Axcontrol.lza, No Action By User, [965], [327184],1.0.1686
PUP.Optional.Reimage, C:\Program Files\Reimage\Reimage Repair\REI_Engine.dll, No Action By User, [965], [327184],1.0.1686
PUP.Optional.Reimage, C:\Program Files\Reimage\Reimage Repair\REI_Engine.lza, No Action By User, [965], [327184],1.0.1686
PUP.Optional.Reimage, C:\Program Files\Reimage\Reimage Repair\savapi3.dll, No Action By User, [965], [327184],1.0.1686
PUP.Optional.Reimage, C:\Program Files\Reimage\Reimage Repair\uninst.exe, No Action By User, [965], [327184],1.0.1686
PUP.Optional.Reimage, C:\Program Files\Reimage\Reimage Repair\version.rei, No Action By User, [965], [327184],1.0.1686
PUP.Optional.Reimage, C:\REI\AV\HBEDV.KEY, No Action By User, [965], [327187],1.0.1686
PUP.Optional.Reimage, C:\rei\AV\Microsoft.VC90.CRT\Microsoft.VC90.CRT.manifest, No Action By User, [965], [327187],1.0.1686
PUP.Optional.Reimage, C:\rei\AV\Microsoft.VC90.CRT\msvcr90.dll, No Action By User, [965], [327187],1.0.1686
PUP.Optional.Reimage, C:\rei\AV\avupdate.conf, No Action By User, [965], [327187],1.0.1686
PUP.Optional.Reimage, C:\rei\AV\avupdate.exe, No Action By User, [965], [327187],1.0.1686
PUP.Optional.Reimage, C:\rei\AV\avupdate_msg.avr, No Action By User, [965], [327187],1.0.1686
PUP.Optional.Reimage, C:\rei\AV\savapi3_restart.exe, No Action By User, [965], [327187],1.0.1686
PUP.Optional.Reimage, C:\rei\AV\savapi3_start.exe, No Action By User, [965], [327187],1.0.1686
PUP.Optional.Reimage, C:\rei\AV\savapi3_stop.exe, No Action By User, [965], [327187],1.0.1686
PUP.Optional.Reimage, C:\rei\Results\EXE1.8.4.9\RUN20170402_0959\debug-repair-2.log, No Action By User, [965], [327187],1.0.1686
PUP.Optional.Reimage, C:\rei\Results\EXE1.8.4.9\RUN20170402_0959\debug-repair.log, No Action By User, [965], [327187],1.0.1686
PUP.Optional.Reimage, C:\rei\Results\EXE1.8.4.9\RUN20170402_0959\Info_EnvironmentVars.res, No Action By User, [965], [327187],1.0.1686
PUP.Optional.Reimage, C:\rei\Results\EXE1.8.4.9\RUN20170402_0959\Info_Installed.rec, No Action By User, [965], [327187],1.0.1686
PUP.Optional.Reimage, C:\rei\Results\EXE1.8.4.9\RUN20170402_0959\out.log, No Action By User, [965], [327187],1.0.1686
PUP.Optional.Reimage, C:\rei\Temp\20170402_0959\ApplicationList.ini, No Action By User, [965], [327187],1.0.1686
PUP.Optional.Reimage, C:\rei\About.txt, No Action By User, [965], [327187],1.0.1686
PUP.Optional.Reimage, C:\rei\cfl.rei, No Action By User, [965], [327187],1.0.1686
PUP.Optional.Reimage, C:\rei\rei1849nvt.ini, No Action By User, [965], [327187],1.0.1686
PUP.Optional.Reimage, C:\rei\reimage.qsr, No Action By User, [965], [327187],1.0.1686
PUP.Optional.Reimage, C:\rei\SupportInfoTool.ini, No Action By User, [965], [327187],1.0.1686
PUP.Optional.Reimage, C:\PROGRAMDATA\MICROSOFT\WINDOWS\START MENU\PROGRAMS\REIMAGE REPAIR\REIMAGE REPAIR.LNK, No Action By User, [965], [327185],1.0.1686
PUP.Optional.Reimage, C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Reimage Repair\Help & Support.lnk, No Action By User, [965], [327185],1.0.1686
PUP.Optional.Reimage, C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Reimage Repair\Run in safe mode.lnk, No Action By User, [965], [327185],1.0.1686
 
Physical Sector: 0
(No malicious items detected)
 
 
(end)

Edited by winston66, 08 April 2017 - 10:47 AM.


#45 Android 8888 (SWI Malware Tracker; Helper, 976 posts)

Posted 08 April 2017 - 08:13 PM

Hello winston66 and welcome back!

The items that Malwarebytes flagged are related to the program Reimage PC Repair.

 

This software application is known as a system optimizer, which claims to produce "miracles" for your computer's performance and to solve problems that do not exist, such as increasing the speed of the system, cleaning up the Registry, repairing system files, etc.

 

Sometimes they use intentional false positives to convince users that their systems have lots of problems, but in reality they do not contribute any improvement to your computer's performance.

You can read further information about it in the following links:
https://blog.malware...tional-reimage/
https://forums.malwa...reimage-repair/

If you wish to keep it, I strongly advise you not to use the Registry cleaner option, whether from this or any other similar program. I personally don't trust these types of programs. If you follow the preventive measures that I mentioned in my last post in this topic, most likely you will not need these types of programs.

I can see from the Malwarebytes log that it did not remove the items it found (No Action By User).

To remove them all, please proceed as follows:

  • Open Malwarebytes;
  • On the left pane select Settings;
  • Select the Protection tab;
  • Scroll down to Scan Options and ensure Scan for Rootkits is on and leave all other settings to default.
  • Go back to DashBoard and select the blue Scan Now tab; Note: The scan may take some time to finish, so please be patient.
  • When the scan completes, if potential threats are detected, ensure you checkmark all the listed items and click the Quarantine Selected button.
  • While still on the Scan tab, click the View Report button, and in the window that opens click the Export button, select Text file (*.txt), give it a name and save it to your Desktop.
  • The log can also be viewed by clicking the log to select it, then clicking the View Report button.
  • Please copy and paste the log in your next reply.

 

Do you have any further questions about it?

Thank you.

Android 8888


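As an added example, not part of this thread and not anything Malwarebytes ships, here is a PowerShell script that reads the Malwarebytes 3.x log format shown in the post above, tallies detections by family and by action, and flags the entries that are autostart points (the ReimageRealTimeProtector service, the TaskCache and System32\Tasks entries, the App Paths key), since those are the items that bring a PUP back if only its files are deleted. The embedded text is an excerpt of the posted log (the declared section counts still add up to 112, so the script also reports how much of the log the excerpt covers); the keyword table used to classify persistence locations, the function names and the live check against the host at the end are my own assumptions, not anything the post describes.

```powershell
# Added example (not part of the thread): parse a Malwarebytes 3.x scan log,
# tally the detections, and flag the entries that are autostart points.
# The embedded text is an excerpt of the log posted above; the keyword
# table used to classify persistence locations is an assumption of mine.

$LogExcerpt = @'
-Scan Details-
Process: 0
(No malicious items detected)

Registry Key: 35
PUP.Optional.Reimage, HKLM\SOFTWARE\CLASSES\CLSID\{10ECCE17-29B5-4880-A8F5-EAD298611484}, No Action By User, [965], [327205],1.0.1686
PUP.Optional.Reimage, HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\Reimage Repair, No Action By User, [965], [327201],1.0.1686
PUP.Optional.Reimage, HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\APP PATHS\REIMAGE.EXE, No Action By User, [965], [327200],1.0.1686
PUP.Optional.Reimage, HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\ReimageRealTimeProtector, No Action By User, [965], [327202],1.0.1686
PUP.Optional.Reimage, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TASKS\{49D0F05B-9E27-4F3B-8A42-D479D17D016D}, No Action By User, [965], [332365],1.0.1686
PUP.Optional.Reimage, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TREE\Reimage Reminder, No Action By User, [965], [332362],1.0.1686

Registry Value: 6
PUP.Optional.Reimage, HKLM\SOFTWARE\REIMAGE\REIMAGE PROTECTOR|CFLPATH, No Action By User, [965], [332504],1.0.1686

Folder: 16
PUP.Optional.Reimage, C:\PROGRAM FILES\REIMAGE, No Action By User, [965], [327184],1.0.1686

File: 55
PUP.Optional.Reimage, C:\Program Files\Reimage\Reimage Protector\ReiProtectorM.exe, No Action By User, [965], [327184],1.0.1686
PUP.Optional.SpeedItUp, C:\WINDOWS\REIMAGE.INI, No Action By User, [1053], [329423],1.0.1686
PUP.Optional.Reimage, C:\WINDOWS\SYSTEM32\TASKS\REIMAGEUPDATER, No Action By User, [965], [327190],1.0.1686
PUP.Optional.Reimage, C:\WINDOWS\SYSTEM32\TASKS\REIMAGE REMINDER, No Action By User, [965], [327188],1.0.1686
'@

# Locations that make code run again after a reboot or logon (assumed list,
# matched case-insensitively against the detected object path).
$PersistenceKinds = [ordered]@{
    'Service'        = '\\SERVICES\\'
    'Scheduled task' = 'TASKCACHE\\|\\SYSTEM32\\TASKS\\'
    'Run key'        = '\\CURRENTVERSION\\RUN(ONCE)?\\'
    'App Paths'      = '\\APP PATHS\\'
    'IE extension'   = '\\EXT\\SETTINGS\\'
}

function ConvertFrom-MbamLog {
    param([string]$Text)
    $category = $null
    $declared = [ordered]@{}          # section name -> count the log claims
    $items = foreach ($line in $Text -split "`r?`n") {
        if ($line -match '^(?<cat>[A-Za-z ]+): (?<n>\d+)$') {
            $category = $Matches.cat
            $declared[$category] = [int]$Matches.n
            continue
        }
        # family, object, action, [x], [y],version  (the object never contains ", ")
        if ($line -match '^(?<family>[\w.]+), (?<object>.+), (?<action>[^,\[]+), \[\d+\], \[\d+\],[\d.]+$') {
            [pscustomobject]@{
                Category = $category
                Family   = $Matches.family
                Object   = $Matches.object
                Action   = $Matches.action
            }
        }
    }
    [pscustomobject]@{ Declared = $declared; Items = @($items) }
}

function Get-PersistenceKind {
    param([string]$Object)
    $upper = $Object.ToUpperInvariant()
    foreach ($kind in $PersistenceKinds.Keys) {
        if ($upper -match $PersistenceKinds[$kind]) { return $kind }
    }
    return $null
}

$parsed = ConvertFrom-MbamLog -Text $LogExcerpt

"Declared in log: $(($parsed.Declared.Values | Measure-Object -Sum).Sum) items; excerpt carries $($parsed.Items.Count)"
$parsed.Items | Group-Object Family | Select-Object Name, Count
$parsed.Items | Group-Object Action | Select-Object Name, Count   # all 'No Action By User' = nothing was removed

"Autostart points that must be gone after quarantine:"
$parsed.Items |
    ForEach-Object { $k = Get-PersistenceKind $_.Object; if ($k) { [pscustomobject]@{ Kind = $k; Object = $_.Object } } } |
    Format-Table -AutoSize

# Live check on the host (Windows only; reads need no elevation): after the
# rescan, the service and the Reimage scheduled tasks should no longer exist.
if ($IsWindows -or $env:OS -eq 'Windows_NT') {
    $svc   = Get-Service -Name 'ReimageRealTimeProtector' -ErrorAction SilentlyContinue
    $tasks = Get-ScheduledTask -TaskName 'Reimage*' -ErrorAction SilentlyContinue
    "Service still present: $($null -ne $svc); Reimage tasks still present: $(@($tasks).Count)"
}
```

Run it on the affected machine after a quarantine-and-reboot: the last line should report that the service and the Reimage scheduled tasks no longer exist. If either is still present, the quarantine did not reach the autostart point, and that is where to look before trusting a clean rescan.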


#46 winston66 (Advanced Member; Full Member, 205 posts)

Posted 09 April 2017 - 01:44 AM

Hi Android 8888,

 

Thanks for the continued assistance.

I actioned the rootkit tool in MWB and the scan appears to be clean. I enclose the log.

The big mystery and concern for me is where these PUPs are coming from.

I haven't knowingly downloaded the Reimage program. 

I use investment forums mainly for oil companies and sometimes posters publish a link to a company presentation or one of the sector analysts doing an interview with a Company director.

Could these be unsafe?

I post below one such example, which I haven't opened.

I copied and pasted it but the post wouldn't send, so I have removed it. Does this suggest that it was dodgy, or does your site automatically block links?

Kind regards,
winston66

Malwarebytes
www.malwarebytes.com
 
-Log Details-
 
 
Scan Date: 4/9/17
Scan Time: 8:02 AM
Logfile: MWB090417.txt
Administrator: Yes
 
-Software Information-
Version: 3.0.6.1469
Components Version: 1.0.96
Update Package Version: 1.0.1690
License: Trial
 
-System Information-
OS: Windows 10
CPU: x64
File System: NTFS
User: EH\eddie
 
-Scan Summary-
Scan Type: Threat Scan
Result: Completed
Objects Scanned: 483365
Time Elapsed: 19 min, 18 sec
 
-Scan Options-
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled
 
-Scan Details-
Process: 0
(No malicious items detected)
 
Module: 0
(No malicious items detected)
 
Registry Key: 0
(No malicious items detected)
 
Registry Value: 0
(No malicious items detected)
 
Registry Data: 0
(No malicious items detected)
 
Data Stream: 0
(No malicious items detected)
 
Folder: 0
(No malicious items detected)
 
File: 0
(No malicious items detected)
 
Physical Sector: 0
(No malicious items detected)
 
 
(end)
 
ps I also recall that I went onto a site on Saturday morning and it told me I needed to install the latest version of Adobe Flash to play a video. Could this have been the problem?
 
regards,
 
winston66

Edited by winston66, 09 April 2017 - 04:27 AM.


#47 winston66 (Advanced Member; Full Member, 205 posts)

Posted 09 April 2017 - 02:08 AM

duplicated


Edited by winston66, 09 April 2017 - 03:03 AM.


#48 Android 8888 (SWI Malware Tracker; Helper, 976 posts)

Posted 09 April 2017 - 04:36 PM

Hello winston66.

Thank you for posting the Malwarebytes log and for keeping me informed.

 

I post below one such example, which I haven't opened.
I copy and pasted it but the post wouldn't send so I have removed it. Does this suggest that it was dodgy or does your site automatically block links ?

If the site is not reliable, or is potentially malicious or has illegal content, then a Moderator or Administrator will deactivate or remove it so that other users do not get their systems infected by clicking the link(s). But this is not done automatically by the SpywareInfo Forum site itself. So I don't know what could have happened in your case.
 

 

ps I also recall, I went onto a site on Saturday morning and it told me I needed to install the latest version of Adobe flash to play a video. Could this have been the problem ?

Well, I can't tell you that for sure, but it may have been what happened.

 

If you do not know how reliable a website or file is, you can always submit it to VirusTotal. And avoid immediately clicking on those appealing warnings to download any program.

 

Here is a good article to read on How to avoid Potentially Unwanted Programs:
https://blog.malware...anted-programs/
 

 

You can configure Malwarebytes to treat PUP detections as malware:

  • Start Malwarebytes;
  • On the left pane select "Settings";
  • Click on the Protection tab;
  • Scroll down a bit until Potential Threat Protection;
  • Under "Potentially Unwanted Programs (PUPs)" select 'Treat PUPs as malware (recommended)';
  • Close Malwarebytes.


You can also block PUPs with your Windows Defender Antivirus:
http://www.thewindow...wanted-programs


Or block an application from accessing the Internet without your consent through Windows Firewall:
https://www.howtogee...ndows-firewall/
 

 

Always be aware that despite all protection programs and security settings you can use, the best protection is prevention.

 

 

Is your computer running well at this point?

 

 

Android 8888




#49 winston66 (Advanced Member; Full Member, 205 posts)

Posted 10 April 2017 - 12:30 AM

Hi Android 8888,

 

Thanks for your reply and the advice.

The computer appears to be running fine now.

I ran MWB 3 or 4 times yesterday, just to try and see if I could determine where the PUPs came from by a process of elimination. They were all clean. However, the program crashed a couple of times and I believe this was because it was clashing with Windows Defender. I disabled WD and MWB ran okay.

 

Thanks very much once again.

 

Kind regards,

 

winston66



#50 Android 8888 (SWI Malware Tracker; Helper, 976 posts)

Posted 10 April 2017 - 10:24 AM

Thanks for your reply and the advice.

You're welcome!
 

 

The computer appears to be running fine now.

I'm glad to hear that.
 

 

However, the program crashed a couple of times and I believe this was because it was clashing with Windows Defender. I disabled WD and MWB ran okay.

Be aware that, unlike the Premium version or the Windows Defender built into Windows 10, the Malwarebytes 3.0 Free version that you are using has no real-time protection. I suggest you enable Windows Defender so your system gets real-time protection.

You can try to solve that issue by adding exclusions for the Malwarebytes folder to Windows Defender Antivirus and then adding exclusions for the Windows Defender folders in Malwarebytes. When you add exclusions (files, folders or websites) to a security program, it means that those files, folders or websites will never be scanned while they are in the exclusions list.


Please read the information in the link below to see how to exclude folders in Malwarebytes. Then add exclusions in Malwarebytes for the Windows Defender folders:

https://www.howtogee...ther-antivirus/


The Windows Defender folders to add to "Exclusions" under Settings in MBAM are:
C:\Program Files\Windows Defender
C:\Program Files (x86)\Windows Defender


Read the instructions in the link below, scroll down a bit and read "5. To Exclude a Folder" to learn how to add the folder C:\Program Files\Malwarebytes\Anti-Malware to "Exclusions" in Windows Defender:
Add or Remove Windows Defender Exclusions in Windows 10


After performing the steps above, restart your computer and you should be able to run Malwarebytes along with Windows Defender enabled without problems.


Android 8888
 

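The three GUI procedures recommended in posts #48 and #50 (treating PUPs as detections in Windows Defender, blocking a program's outbound traffic in Windows Firewall, and excluding the Malwarebytes folder from Defender) each have a PowerShell equivalent. The script below is an added example, not part of the thread or of the linked articles. It assumes Windows 10 with Windows Defender Antivirus active (if a third-party antivirus has taken over, Set-MpPreference fails) and an elevated session; the Reimage.exe path is taken from the posted log and the firewall rule name is my own choice.

```powershell
# Added example (not part of the thread): PowerShell equivalents of the three
# GUI procedures recommended above. Run from an elevated prompt on Windows 10
# with Windows Defender Antivirus active. The Reimage.exe path comes from the
# posted log; the rule name is my own choice.

$MbamFolder = 'C:\Program Files\Malwarebytes\Anti-Malware'             # from the post
$BlockedExe = 'C:\Program Files\Reimage\Reimage Repair\Reimage.exe'    # from the log
$RuleName   = 'Block Reimage outbound (manual)'

$principal = [Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this from an elevated (Administrator) PowerShell session.'
}

# 1. Windows Defender: treat potentially unwanted applications as detections.
#    Enabled = block, AuditMode = log only. Older Windows 10 builds exposed the
#    same switch only as the policy value ...\Windows Defender\MpEngine\MpEnablePus = 1.
Set-MpPreference -PUAProtection Enabled
"PUA protection: $((Get-MpPreference).PUAProtection)"   # 1 = Enabled

# 2. Mutual exclusion so the two scanners stop fighting over each other's files.
#    Keep exclusions narrow: nothing placed in an excluded folder is ever scanned.
Add-MpPreference -ExclusionPath $MbamFolder
"Defender exclusions:"
(Get-MpPreference).ExclusionPath
# The Malwarebytes side (excluding C:\Program Files\Windows Defender and
# C:\Program Files (x86)\Windows Defender) has no public cmdlet; use its Settings UI.

# 3. Windows Firewall: stop one specific program from talking out.
#    A per-program outbound Block rule wins over the default "allow outbound" policy.
if (-not (Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $RuleName -Direction Outbound -Action Block `
        -Program $BlockedExe -Profile Any -Enabled True | Out-Null
}
Get-NetFirewallRule -DisplayName $RuleName |
    Get-NetFirewallApplicationFilter |
    Select-Object @{ n = 'Rule'; e = { $RuleName } }, Program
```

Two caveats a practitioner keeps in mind here: a folder exclusion means Defender never scans anything placed in that folder, so keep the list to the one path above and review it from time to time with Get-MpPreference; and a per-program outbound block only applies while that binary exists at that exact path, so it is a containment measure for something still under investigation, not a substitute for removing it.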




