
Extremely slow PC to open files, apps, website browsing



#1 azuleno
Posted 28 November 2017 - 05:23 PM

My PC is extremely slow for almost anything. Including 'closing' files (!?). As requested:

 

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 27-11-2017
Ran by angeles (administrator) on ANGELES-PC (28-11-2017 17:34:01)
Running from C:\Users\angeles\Desktop
Loaded Profiles: angeles (Available Profiles: angeles & Guest)
Platform: Windows 7 Home Premium Service Pack 1 (X64) Language: English (United States)
Internet Explorer Version 11 (Default browser: FF)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo...very-scan-tool/
 
==================== Processes (Whitelisted) =================
 
(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)
 
(Egis Technology Inc. ) C:\Program Files (x86)\EgisTec Port Locker\Egishlpsvc.exe
(Egis Technology Inc. ) C:\Program Files (x86)\Common Files\EgisTec\Services\EgisTicketService.exe
(Egis Technology Inc. ) C:\Program Files (x86)\EgisTec BioExcess\EgisService.exe
(AVAST Software) C:\Program Files\AVAST Software\Avast\AvastSvc.exe
(Microsoft Corporation) C:\Windows\System32\wlanext.exe
(Apple Inc.) C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
(Apple Inc.) C:\Program Files\Bonjour\mDNSResponder.exe
(Coupons.com Inc.) C:\Program Files (x86)\Coupons\CouponPrinterService.exe
(Acresso Software Inc.) C:\Program Files (x86)\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
(Motorola Mobility LLC) C:\Program Files (x86)\Motorola Mobility\Motorola Device Manager\MotoHelperService.exe
(Intel Corporation) C:\Windows\System32\igfxtray.exe
(Intel Corporation) C:\Windows\System32\hkcmd.exe
(Intel Corporation) C:\Windows\System32\igfxpers.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
(Motorola Mobility LLC) C:\Program Files (x86)\Motorola Mobility\Motorola Device Manager\MotoHelperAgent.exe
(Synaptics Incorporated) C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
(Lenovo (Beijing) Limited) C:\Program Files (x86)\Lenovo\Energy Management\Energy Management.exe
(Motorola) C:\Program Files (x86)\Motorola\MotForwardDaemon\ForwardDaemon.exe
(Rosetta Stone Ltd.) C:\Program Files (x86)\RosettaStoneLtdServices\RosettaStoneDaemon.exe
(Lenovo(beijing) Limited) C:\Program Files (x86)\Lenovo\Energy Management\utility.exe
(CANON INC.) C:\Program Files\Canon\Canon MF Network Scan Utility\CNMFSUT6.EXE
(Hewlett-Packard Co.) C:\Program Files\HP\HP Photosmart 6510 series\Bin\ScanToPCActivationApp.exe
(AVAST Software) C:\Program Files\AVAST Software\Avast\AvastUI.exe
(Akamai Technologies, Inc.) C:\Users\angeles\AppData\Local\Akamai\netsession_win.exe
(Akamai Technologies, Inc.) C:\Users\angeles\AppData\Local\Akamai\netsession_win.exe
(Malwarebytes) C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe
(Skype Technologies S.A.) C:\Program Files (x86)\Skype\Phone\Skype.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Vimicro) C:\Program Files (x86)\USB Camera\VM331_STI.EXE
(Microsoft Corporation) C:\Program Files (x86)\Microsoft Office\Office14\ONENOTEM.EXE
(Egis Technology Inc.) C:\Program Files (x86)\EgisTec IPS\PmmUpdate.exe
(Egis Technology Inc. ) C:\Program Files (x86)\EgisTec Port Locker\EgisPLTSR.exe
(Lenovo) C:\Program Files (x86)\Lenovo\VeriFace\PManage.exe
(CyberLink) C:\Program Files (x86)\Lenovo\YouCam\YCMMirage.exe
(Hewlett-Packard) C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe
(Apple Inc.) C:\Program Files (x86)\iTunes\iTunesHelper.exe
(Oracle Corporation) C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
(Egis Technology Inc. ) C:\Program Files (x86)\EgisTec BioExcess\EgisTSR.exe
(SEIKO EPSON CORPORATION) C:\Program Files (x86)\Epson Software\Event Manager\EEventManager.exe
(Egis Technology Inc.) C:\Program Files (x86)\EgisTec IPS\EgisUpdate.exe
(Apple Inc.) C:\Program Files (x86)\AirPort\APAgent.exe
(Synaptics Incorporated) C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
(Apple Inc.) C:\Program Files\iPod\bin\iPodService.exe
(AVAST Software s.r.o.) C:\Program Files\AVAST Software\Avast\x64\aswidsagenta.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\LMS\LMS.exe
(Malwarebytes) C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
 
==================== Registry (Whitelisted) ===========================
 
(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)
 
HKLM\...\Run: [RtHDVCpl] => C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe [11772520 2011-01-04] (Realtek Semiconductor)
HKLM\...\Run: [SynTPEnh] => C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [2538280 2010-12-22] (Synaptics Incorporated)
HKLM\...\Run: [Energy Management] => C:\Program Files (x86)\Lenovo\Energy Management\Energy Management.exe [9769888 2012-05-13] (Lenovo (Beijing) Limited)
HKLM\...\Run: [EnergyUtility] => C:\Program Files (x86)\Lenovo\Energy Management\Utility.exe [5908928 2012-05-13] (Lenovo(beijing) Limited)
HKLM\...\Run: [Lenovo EE Boot Optimizer] => C:\Program Files (x86)\Lenovo\Boot Optimizer\PopWnd.exe [114688 2012-05-13] (Lenovo)
HKLM\...\Run: [MFNetworkScanUtility] => C:\Program Files\Canon\Canon MF Network Scan Utility\CNMFSUT6.EXE [486552 2012-09-27] (CANON INC.)
HKLM\...\Run: [AvastUI.exe] => C:\Program Files\AVAST Software\Avast\AvLaunch.exe [213832 2017-08-27] (AVAST Software)
HKLM-x32\...\Run: [331BigDog] => C:\Program Files (x86)\USB Camera\VM331_STI.EXE [536576 2010-01-15] (Vimicro)
HKLM-x32\...\Run: [EgisTecPMMUpdate] => C:\Program Files (x86)\EgisTec IPS\PmmUpdate.exe [407920 2010-11-05] (Egis Technology Inc.)
HKLM-x32\...\Run: [EgisUpdate] => C:\Program Files (x86)\EgisTec IPS\EgisUpdate.exe [202096 2010-11-05] (Egis Technology Inc.)
HKLM-x32\...\Run: [VitaKeyTSR] => C:\Program Files (x86)\EgisTec BioExcess\EgisTSR.exe [383344 2010-12-13] (Egis Technology Inc. )
HKLM-x32\...\Run: [PLTSR] => C:\Program Files (x86)\EgisTec Port Locker\EgisPLTSR.exe [364400 2010-10-22] (Egis Technology Inc. )
HKLM-x32\...\Run: [VeriFaceManager] => C:\Program Files (x86)\Lenovo\VeriFace\PManage.exe [329056 2012-05-13] (Lenovo)
HKLM-x32\...\Run: [YouCam Mirage] => C:\Program Files (x86)\Lenovo\YouCam\YCMMirage.exe [136488 2010-12-24] (CyberLink)
HKLM-x32\...\Run: [YouCam Tray] => C:\Program Files (x86)\Lenovo\YouCam\YouCam.exe [224352 2010-12-24] (CyberLink Corp.)
HKLM-x32\...\Run: [UpdateP2GShortCut] => C:\Program Files (x86)\Lenovo\Power2Go\MUITransfer\MUIStartMenu.exe [222504 2010-07-26] (CyberLink Corp.)
HKLM-x32\...\Run: [UpdatePRCShortCut] => C:\Program Files\Lenovo\OneKey App\OneKey Recovery\MUITransfer\MUIStartMenu.exe [222504 2009-05-13] (CyberLink Corp.)
HKLM-x32\...\Run: [APSDaemon] => C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe [43848 2014-02-12] (Apple Inc.)
HKLM-x32\...\Run: [HP Software Update] => C:\Program Files (x86)\Hp\HP Software Update\HPWuSchd2.exe [49208 2011-10-28] (Hewlett-Packard)
HKLM-x32\...\Run: [] => [X]
HKLM-x32\...\Run: [iTunesHelper] => C:\Program Files (x86)\iTunes\iTunesHelper.exe [152392 2014-02-21] (Apple Inc.)
HKLM-x32\...\Run: [SunJavaUpdateSched] => C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe [507776 2014-10-07] (Oracle Corporation)
HKLM-x32\...\Run: [EEventManager] => C:\Program Files (x86)\Epson Software\Event Manager\EEventManager.exe [673616 2009-04-07] (SEIKO EPSON CORPORATION)
HKLM-x32\...\Run: [AirPort Base Station Agent] => C:\Program Files (x86)\AirPort\APAgent.exe [771360 2009-11-11] (Apple Inc.)
Winlogon\Notify\igfxcui: C:\Windows\System32\igfxdev.dll (Intel Corporation)
HKLM\SOFTWARE\Policies\Microsoft\Windows Defender: Restriction <==== ATTENTION
HKU\S-1-5-21-3876371430-4153257343-302851002-1000\...\Run: [HP Photosmart 6510 series (NET)] => C:\Program Files\HP\HP Photosmart 6510 series\Bin\ScanToPCActivationApp.exe [2676584 2011-09-16] (Hewlett-Packard Co.)
HKU\S-1-5-21-3876371430-4153257343-302851002-1000\...\Run: [HLBackupScheduler] => "C:\Program Files\Verizon Cloud\Verizon Cloud Service.exe"
HKU\S-1-5-21-3876371430-4153257343-302851002-1000\...\Run: [Akamai NetSession Interface] => C:\Users\angeles\AppData\Local\Akamai\netsession_win.exe [4490200 2017-09-08] (Akamai Technologies, Inc.)
HKU\S-1-5-21-3876371430-4153257343-302851002-1000\...\Run: [swg] => C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe [39408 2012-05-13] (Google Inc.)
HKU\S-1-5-21-3876371430-4153257343-302851002-1000\...\Run: [SynchronossPC] => C:\Program Files\Verizon\VerizonCloud\VerizonCloud.exe [2182584 2015-10-22] ()
HKU\S-1-5-21-3876371430-4153257343-302851002-1000\...\Run: [Skype] => C:\Program Files (x86)\Skype\Phone\Skype.exe [27832264 2017-10-06] (Skype Technologies S.A.)
HKU\S-1-5-21-3876371430-4153257343-302851002-1000\...\MountPoints2: {4ba2ed90-1d4e-11e6-82db-f0def1ef5697} - E:\VerizonWirelessUpgradeAssistantSetup.exe -a
HKU\S-1-5-21-3876371430-4153257343-302851002-1000\...\MountPoints2: {769b85bc-d38d-11e3-844e-f0def1ef5697} - E:\MotorolaDeviceManagerSetup.exe -a
HKU\S-1-5-21-3876371430-4153257343-302851002-1000\...\MountPoints2: {9d7dd305-ea87-11e3-918c-f0def1ef5697} - E:\MotorolaDeviceManagerSetup.exe -a
Lsa: [Notification Packages] scecli EgisPwdFilter EgisDSPwdFilter EgisPLPwdFilter
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\McAfee Security Scan Plus.lnk [2015-09-05]
Startup: C:\Users\angeles\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneNote 2010 Screen Clipper and Launcher.lnk [2015-09-25]
ShortcutTarget: OneNote 2010 Screen Clipper and Launcher.lnk -> C:\Program Files (x86)\Microsoft Office\Office14\ONENOTEM.EXE (Microsoft Corporation)
Startup: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Best Buy pc app.lnk [2012-05-13]
ShortcutTarget: Best Buy pc app.lnk -> C:\ProgramData\Best Buy pc app\ClickOnceSetup.exe (Microsoft)
Startup: C:\Users\Default User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Best Buy pc app.lnk [2012-05-13]
ShortcutTarget: Best Buy pc app.lnk -> C:\ProgramData\Best Buy pc app\ClickOnceSetup.exe (Microsoft)
 
==================== Internet (Whitelisted) ====================
 
(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)
 
Hosts: 0.0.0.1 mssplus.mcafee.com
Tcpip\Parameters: [DhcpNameServer] 10.0.1.1
Tcpip\..\Interfaces\{A3ADE3C5-E878-4AE2-87ED-79F75B8C1A53}: [DhcpNameServer] 10.0.1.1
Tcpip\..\Interfaces\{E02990FE-281F-45B5-8531-874E32735C34}: [DhcpNameServer] 10.128.128.128
 
Internet Explorer:
==================
HKU\S-1-5-21-3876371430-4153257343-302851002-1000\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.msn.com/?pc=UP22&ocid=UP22DHP
HKU\S-1-5-21-3876371430-4153257343-302851002-1000\Software\Microsoft\Internet Explorer\Main,Secondary Start Pages = hxxp://www.lenovo.com/
HKU\S-1-5-21-3876371430-4153257343-302851002-1000\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://www.google.com/ig/redirectdomain?brand=LENN&bmod=LENN
SearchScopes: HKLM -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = hxxp://www.bing.com/search?q={searchTerms}&form=LENDF8&pc=MALN&src=IE-SearchBox
SearchScopes: HKLM-x32 -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = hxxp://www.bing.com/search?q={searchTerms}&form=LENDF8&pc=MALN&src=IE-SearchBox
SearchScopes: HKU\S-1-5-21-3876371430-4153257343-302851002-1000 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = hxxp://www.bing.com/search?FORM=UP97DF&PC=UP97&q={searchTerms}&src=IE-SearchBox
SearchScopes: HKU\S-1-5-21-3876371430-4153257343-302851002-1000 -> 1F82560E7A284F3B9D81B2C56FB0F4D8 URL = hxxp://www.google.com/search?sourceid=ie7&q={searchTerms}&rls=com.microsoft:{language}:{referrer:source?}&ie={inputEncoding}&oe={outputEncoding}&rlz=1I7LENN_enUS498
SearchScopes: HKU\S-1-5-21-3876371430-4153257343-302851002-1000 -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = hxxp://www.bing.com/search?FORM=UP97DF&PC=UP97&q={searchTerms}&src=IE-SearchBox
SearchScopes: HKU\S-1-5-21-3876371430-4153257343-302851002-1000 -> {67A2568C-7A0A-4EED-AECC-B5405DE63B64} URL = hxxp://www.google.com/search?sourceid=ie7&q={searchTerms}&rls=com.microsoft:{language}:{referrer:source?}&ie={inputEncoding}&oe={outputEncoding}&rlz=1I7LENN_enUS498
BHO: EgisPBIE Class -> {7B51CCBE-4AF9-44A6-BDAB-D7F7E4C4E6F9} -> C:\Program Files (x86)\EgisTec BioExcess\x64\EgisPBIE.dll [2010-12-13] (Egis Technology Inc.)
BHO: avast! Online Security -> {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} -> C:\Program Files\AVAST Software\Avast\aswWebRepIE64.dll [2017-08-27] (AVAST Software)
BHO: Windows Live ID Sign-in Helper -> {9030D464-4C02-4ABF-8ECC-5164760863C6} -> C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll [2010-09-21] (Microsoft Corp.)
BHO: Google Toolbar Helper -> {AA58ED58-01DD-4d91-8333-CF10577473F7} -> C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll [2016-04-25] (Google Inc.)
BHO: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL [2013-03-06] (Microsoft Corporation)
BHO-x32: Java™ Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files (x86)\Java\jre1.8.0_25\bin\ssv.dll [2014-11-24] (Oracle Corporation)
BHO-x32: EgisPBIE Class -> {7B51CCBE-4AF9-44A6-BDAB-D7F7E4C4E6F9} -> C:\Program Files (x86)\EgisTec BioExcess\EgisPBIE.dll [2010-12-13] (Egis Technology Inc.)
BHO-x32: avast! Online Security -> {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} -> C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll [2017-08-27] (AVAST Software)
BHO-x32: Windows Live ID Sign-in Helper -> {9030D464-4C02-4ABF-8ECC-5164760863C6} -> C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll [2010-09-21] (Microsoft Corp.)
BHO-x32: Google Toolbar Helper -> {AA58ED58-01DD-4d91-8333-CF10577473F7} -> C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll [2016-04-25] (Google Inc.)
BHO-x32: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files (x86)\Microsoft Office\Office14\URLREDIR.DLL [2013-03-06] (Microsoft Corporation)
BHO-x32: Java™ Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files (x86)\Java\jre1.8.0_25\bin\jp2ssv.dll [2014-11-24] (Oracle Corporation)
Toolbar: HKLM - Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll [2016-04-25] (Google Inc.)
Toolbar: HKLM-x32 - Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll [2016-04-25] (Google Inc.)
Toolbar: HKU\S-1-5-21-3876371430-4153257343-302851002-1000 -> Google Toolbar - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll [2016-04-25] (Google Inc.)
Handler-x32: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files (x86)\Common Files\Skype\Skype4COM.dll [2017-07-18] (Skype Technologies)
 
FireFox:
========
FF ProfilePath: C:\Users\angeles\AppData\Roaming\Mozilla\Firefox\Profiles\tqhyv03k.default [2017-11-28]
FF Homepage: Mozilla\Firefox\Profiles\tqhyv03k.default -> google.com/
FF Extension: (Avast SafePrice) - C:\Users\angeles\AppData\Roaming\Mozilla\Firefox\Profiles\tqhyv03k.default\Extensions\sp@avast.com.xpi [2017-08-27]
FF Extension: (Avast Online Security) - C:\Users\angeles\AppData\Roaming\Mozilla\Firefox\Profiles\tqhyv03k.default\Extensions\wrc@avast.com.xpi [2017-08-27]
FF SearchPlugin: C:\Users\angeles\AppData\Roaming\Mozilla\Firefox\Profiles\tqhyv03k.default\searchplugins\bingp.xml [2014-12-06]
FF HKLM-x32\...\Firefox\Extensions: [{41ecbc0b-34d5-4cd4-935f-253a30e2cb7e}] - C:\Program Files (x86)\EgisTec BioExcess\FFExt
FF Extension: ( Online Accounts Extension ) - C:\Program Files (x86)\EgisTec BioExcess\FFExt [2012-05-13] [Lagacy] [not signed]
FF Plugin: @adobe.com/FlashPlayer -> C:\windows\system32\Macromed\Flash\NPSWF64_27_0_0_187.dll [2017-11-28] ()
FF Plugin: @bestbuy.com/npBestBuyPcAppDetector,version=1.0 -> C:\ProgramData\Best Buy pc app\npBestBuyPcAppDetector.dll [2011-02-25] (Best Buy)
FF Plugin: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> C:\Program Files\Microsoft Silverlight\5.1.50907.0\npctrl.dll [2017-05-03] ( Microsoft Corporation)
FF Plugin: @microsoft.com/OfficeAuthz,version=14.0 -> C:\PROGRA~1\MICROS~2\Office14\NPAUTHZ.DLL [2010-01-09] (Microsoft Corporation)
FF Plugin-x32: @adobe.com/FlashPlayer -> C:\windows\SysWOW64\Macromed\Flash\NPSWF32_27_0_0_187.dll [2017-11-28] ()
FF Plugin-x32: @Apple.com/iTunes,version=1.0 -> C:\Program Files (x86)\iTunes\Mozilla Plugins\npitunes.dll [2014-02-20] ()
FF Plugin-x32: @bestbuy.com/npBestBuyPcAppDetector,version=1.0 -> C:\ProgramData\Best Buy pc app\npBestBuyPcAppDetector.dll [2011-02-25] (Best Buy)
FF Plugin-x32: @java.com/DTPlugin,version=11.25.2 -> C:\Program Files (x86)\Java\jre1.8.0_25\bin\dtplugin\npDeployJava1.dll [2014-11-24] (Oracle Corporation)
FF Plugin-x32: @java.com/JavaPlugin,version=11.25.2 -> C:\Program Files (x86)\Java\jre1.8.0_25\bin\plugin2\npjp2.dll [2014-11-24] (Oracle Corporation)
FF Plugin-x32: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin-x32: @Microsoft.com/NpCtrl,version=1.0 -> C:\Program Files (x86)\Microsoft Silverlight\5.1.50907.0\npctrl.dll [2017-05-03] ( Microsoft Corporation)
FF Plugin-x32: @microsoft.com/OfficeAuthz,version=14.0 -> C:\PROGRA~2\MICROS~1\Office14\NPAUTHZ.DLL [2010-01-09] (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/SharePoint,version=14.0 -> C:\PROGRA~2\MICROS~1\Office14\NPSPWRAP.DLL [2010-03-24] (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/WLPG,version=15.4.3502.0922 -> C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll [2010-11-09] (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/WLPG,version=15.4.3508.1109 -> C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll [2010-11-09] (Microsoft Corporation)
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.33.7\npGoogleUpdate3.dll [2017-11-27] (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.33.7\npGoogleUpdate3.dll [2017-11-27] (Google Inc.)
FF Plugin-x32: Adobe Reader -> C:\Program Files (x86)\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll [2017-11-01] (Adobe Systems Inc.)
FF Plugin HKU\S-1-5-21-3876371430-4153257343-302851002-1000: @citrixonline.com/appdetectorplugin -> C:\Users\angeles\AppData\Local\Citrix\Plugins\104\npappdetector.dll [2013-09-25] (Citrix Online)
FF Plugin HKU\S-1-5-21-3876371430-4153257343-302851002-1000: SkypePlugin -> C:\Users\angeles\AppData\Local\SkypePlugin\7.7.0.219\npGatewayNpapi.dll [2015-09-23] (Skype Technologies S.A.)
FF Plugin HKU\S-1-5-21-3876371430-4153257343-302851002-1000: SkypePlugin64 -> C:\Users\angeles\AppData\Local\SkypePlugin\7.7.0.219\npGatewayNpapi-x64.dll [2015-09-23] (Skype Technologies S.A.)
FF Plugin ProgramFiles/Appdata: C:\Program Files (x86)\mozilla firefox\browser\plugins\npMozCouponPrinter.dll [2014-10-01] (Coupons, Inc.)
 
Chrome: 
=======
CHR DefaultProfile: Default
CHR HomePage: Default -> msn.com
CHR StartupUrls: Default -> "hxxp://www.google.com/"
CHR DefaultSearchURL: Default -> hxxp://www.bing.com/search?FORM=__PARAM__DF&PC=__PARAM__&q={searchTerms}
CHR DefaultSearchKeyword: Default -> bing.com
CHR DefaultSuggestURL: Default -> hxxp://www.bing.com/osjson.aspx?FORM=__PARAM__DF&PC=__PARAM__&query={searchTerms}
CHR Profile: C:\Users\angeles\AppData\Local\Google\Chrome\User Data\Default [2017-11-28]
CHR Extension: (Docs) - C:\Users\angeles\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake [2017-10-19]
CHR Extension: (Google Drive) - C:\Users\angeles\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2015-10-22]
CHR Extension: (Skype Calling) - C:\Users\angeles\AppData\Local\Google\Chrome\User Data\Default\Extensions\blakpkgjpemejpbmfiglncklihnhjkij [2015-11-15]
CHR Extension: (YouTube) - C:\Users\angeles\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2015-09-28]
CHR Extension: (Google Search) - C:\Users\angeles\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf [2015-11-15]
CHR Extension: (Savings Button: Deals + Cash Back) - C:\Users\angeles\AppData\Local\Google\Chrome\User Data\Default\Extensions\dlmebkoiahbppacaicbgncnjhbpdfkcc [2017-11-28]
CHR Extension: (Avast SafePrice) - C:\Users\angeles\AppData\Local\Google\Chrome\User Data\Default\Extensions\eofcbnmajmjmplflapaojjnihcjkigck [2017-11-28]
CHR Extension: (Bing) - C:\Users\angeles\AppData\Local\Google\Chrome\User Data\Default\Extensions\fcfenmboojpjinhpgggodefccipikbpd [2017-11-28]
CHR Extension: (Google Docs Offline) - C:\Users\angeles\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi [2016-03-16]
CHR Extension: (Avast Online Security) - C:\Users\angeles\AppData\Local\Google\Chrome\User Data\Default\Extensions\gomekmidlodglbbmalcneegieacbdmki [2017-10-19]
CHR Extension: (Chrome Web Store Payments) - C:\Users\angeles\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2017-09-16]
CHR Extension: (Gmail) - C:\Users\angeles\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2015-04-02]
CHR Extension: (Chrome Media Router) - C:\Users\angeles\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm [2017-11-28]
CHR HKU\S-1-5-21-3876371430-4153257343-302851002-1000\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [fcfenmboojpjinhpgggodefccipikbpd] - hxxps://clients2.google.com/service/update2/crx
CHR HKLM-x32\...\Chrome\Extension: [eofcbnmajmjmplflapaojjnihcjkigck] - hxxps://clients2.google.com/service/update2/crx
CHR HKLM-x32\...\Chrome\Extension: [gomekmidlodglbbmalcneegieacbdmki] - C:\Program Files\AVAST Software\Avast\WebRep\Chrome\aswWebRepChrome.crx <not found>
CHR HKLM-x32\...\Chrome\Extension: [lifbcibllhkdhoafpjfnlhfpfgnpldfl] - hxxps://clients2.google.com/service/update2/crx
 
==================== Services (Whitelisted) ====================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
S2 0094031378412970mcinstcleanup; C:\Users\angeles\AppData\Local\Temp\009403~1.EXE [833616 2013-01-30] (McAfee, Inc.) <==== ATTENTION
R3 aswbIDSAgent; C:\Program Files\AVAST Software\Avast\x64\aswidsagenta.exe [7430992 2017-08-27] (AVAST Software s.r.o.)
R2 avast! Antivirus; C:\Program Files\AVAST Software\Avast\AvastSvc.exe [263312 2017-08-27] (AVAST Software)
R2 CouponPrinterService; C:\Program Files (x86)\Coupons\CouponPrinterService.exe [179184 2014-10-15] (Coupons.com Inc.)
R2 EgisTec Service Help; C:\Program Files (x86)\EgisTec Port Locker\Egishlpsvc.exe [327024 2010-10-22] (Egis Technology Inc. )
R2 MBAMService; C:\Program Files\Malwarebytes\Anti-Malware\mbamservice.exe [6234056 2017-11-01] (Malwarebytes)
S3 McComponentHostService; C:\Program Files\McAfee Security Scan\3.11.163\McCHSvc.exe [289256 2015-07-31] (McAfee, Inc.)
R2 Motorola Device Manager; C:\Program Files (x86)\Motorola Mobility\Motorola Device Manager\MotoHelperService.exe [137528 2013-11-15] (Motorola Mobility LLC)
R2 PST Service; C:\Program Files (x86)\Motorola\MotForwardDaemon\ForwardDaemon.exe [65657 2011-09-02] (Motorola) [File not signed]
S3 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [1011712 2013-05-27] (Microsoft Corporation)
S3 rpcapd; "%ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini" [X]
 
===================== Drivers (Whitelisted) ======================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
R1 aswbidsdriver; C:\windows\system32\drivers\aswbidsdrivera.sys [320008 2017-08-27] (AVAST Software s.r.o.)
R0 aswbidsh; C:\windows\system32\drivers\aswbidsha.sys [198976 2017-08-27] (AVAST Software s.r.o.)
R0 aswblog; C:\windows\system32\drivers\aswbloga.sys [343288 2017-08-27] (AVAST Software s.r.o.)
R0 aswbuniv; C:\windows\system32\drivers\aswbuniva.sys [57728 2017-08-27] (AVAST Software s.r.o.)
S3 aswHwid; C:\windows\system32\drivers\aswHwid.sys [46984 2017-08-27] (AVAST Software)
R1 aswKbd; C:\windows\system32\drivers\aswKbd.sys [41800 2017-08-27] (AVAST Software)
R2 aswMonFlt; C:\windows\system32\drivers\aswMonFlt.sys [146704 2017-08-27] (AVAST Software)
R1 aswRdr; C:\windows\system32\drivers\aswRdr2.sys [110352 2017-08-27] (AVAST Software)
R0 aswRvrt; C:\windows\system32\drivers\aswRvrt.sys [84392 2017-08-27] (AVAST Software)
R1 aswSnx; C:\windows\system32\drivers\aswSnx.sys [1015880 2017-08-27] (AVAST Software)
R1 aswSP; C:\windows\system32\drivers\aswSP.sys [585608 2017-08-27] (AVAST Software)
R2 aswStm; C:\windows\system32\drivers\aswStm.sys [198768 2017-08-27] (AVAST Software)
R0 aswVmm; C:\windows\system32\drivers\aswVmm.sys [361336 2017-08-27] (AVAST Software)
R1 ESProtectionDriver; C:\windows\system32\drivers\mbae64.sys [77432 2017-11-01] ()
R2 MBAMChameleon; C:\windows\System32\Drivers\MbamChameleon.sys [193464 2017-11-28] (Malwarebytes)
R3 MBAMFarflt; C:\windows\System32\DRIVERS\farflt.sys [110016 2017-11-28] (Malwarebytes)
R3 MBAMProtection; C:\windows\System32\DRIVERS\mbam.sys [46008 2017-11-28] (Malwarebytes)
R0 MBAMSwissArmy; C:\windows\System32\Drivers\mbamswissarmy.sys [253880 2017-11-28] (Malwarebytes)
R3 MBAMWebProtection; C:\windows\System32\DRIVERS\mwac.sys [84256 2017-11-28] (Malwarebytes)
R2 NPF; C:\windows\System32\drivers\npf.sys [47632 2009-10-21] (CACE Technologies, Inc.)
R3 vm331avs; C:\windows\System32\Drivers\vm331avs.sys [228224 2010-10-21] (Vimicro Corporation)
R3 vmuvcflt; C:\windows\System32\Drivers\vmuvcflt.sys [8320 2010-08-16] (Vimicro Corporation)
U3 BcmSqlStartupSvc; no ImagePath
U2 CLKMSVC10_3A60B698; no ImagePath
U2 CLKMSVC10_C3B3B687; no ImagePath
U2 DriverService; no ImagePath
U2 IAStorDataMgrSvc; no ImagePath
U2 iATAgentService; no ImagePath
U2 idealife Update Service; no ImagePath
U3 IGRS; no ImagePath
U2 IviRegMgr; no ImagePath
U2 nvUpdatusService; no ImagePath
U2 Oasis2Service; no ImagePath
U2 PCCarerService; no ImagePath
U2 ReadyComm.DirectRouter; no ImagePath
U2 RichVideo; no ImagePath
U2 RtLedService; no ImagePath
U2 SeaPort; no ImagePath
U2 SoftwareService; no ImagePath
U3 SQLWriter; no ImagePath
U2 Stereo Service; no ImagePath
 
==================== NetSvcs (Whitelisted) ===================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
 
==================== One Month Created files and folders ========
 
(If an entry is included in the fixlist, the file/folder will be moved.)
 
2017-11-28 17:34 - 2017-11-28 17:55 - 000027675 _____ C:\Users\angeles\Desktop\FRST.txt
2017-11-28 17:31 - 2017-11-28 17:34 - 000000000 ____D C:\FRST
2017-11-28 12:40 - 2017-11-28 12:40 - 002391552 _____ (Farbar) C:\Users\angeles\Desktop\FRST64.exe
2017-11-28 12:37 - 2017-11-28 12:37 - 000000000 ____D C:\ProgramData\SWCUTemp
2017-11-28 12:34 - 2017-11-28 12:34 - 000110016 _____ (Malwarebytes) C:\windows\system32\Drivers\farflt.sys
2017-11-28 03:44 - 2017-11-28 12:50 - 000084256 _____ (Malwarebytes) C:\windows\system32\Drivers\mwac.sys
2017-11-28 03:25 - 2017-11-28 03:25 - 126925120 ____C (Microsoft Corporation) C:\windows\system32\MRT-KB890830.exe
2017-11-28 01:05 - 2017-11-28 01:05 - 000142460 _____ C:\Users\angeles\Desktop\Malwarebytes 2017-11-28.txt
2017-11-28 00:37 - 2017-10-17 21:34 - 000134376 _____ (Microsoft Corporation) C:\windows\system32\CompatTelRunner.exe
2017-11-28 00:37 - 2017-10-17 21:30 - 000605184 _____ (Microsoft Corporation) C:\windows\system32\aeinv.dll
2017-11-28 00:37 - 2017-10-15 17:04 - 000407392 _____ (Microsoft Corporation) C:\windows\system32\centel.dll
2017-11-28 00:37 - 2017-10-04 08:04 - 002023936 _____ (Microsoft Corporation) C:\windows\system32\aitstatic.exe
2017-11-28 00:37 - 2017-10-04 08:04 - 001570304 _____ (Microsoft Corporation) C:\windows\system32\appraiser.dll
2017-11-28 00:37 - 2017-10-04 08:04 - 000670208 _____ (Microsoft Corporation) C:\windows\system32\generaltel.dll
2017-11-28 00:37 - 2017-10-04 08:04 - 000603648 _____ (Microsoft Corporation) C:\windows\system32\devinv.dll
2017-11-28 00:37 - 2017-10-04 08:04 - 000370688 _____ (Microsoft Corporation) C:\windows\system32\invagent.dll
2017-11-28 00:37 - 2017-10-04 08:04 - 000241664 _____ (Microsoft Corporation) C:\windows\system32\aepic.dll
2017-11-28 00:37 - 2017-10-04 08:04 - 000181760 _____ (Microsoft Corporation) C:\windows\system32\acmigration.dll
2017-11-28 00:08 - 2017-11-28 00:08 - 000193464 _____ (Malwarebytes) C:\windows\system32\Drivers\MbamChameleon.sys
2017-11-28 00:07 - 2017-11-28 12:35 - 000046008 _____ (Malwarebytes) C:\windows\system32\Drivers\mbam.sys
2017-11-28 00:07 - 2017-11-28 00:07 - 000253880 _____ (Malwarebytes) C:\windows\system32\Drivers\mbamswissarmy.sys
2017-11-28 00:06 - 2017-11-28 00:06 - 000001867 _____ C:\Users\Public\Desktop\Malwarebytes.lnk
2017-11-28 00:06 - 2017-11-28 00:06 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes
2017-11-28 00:06 - 2017-11-28 00:06 - 000000000 ____D C:\ProgramData\Malwarebytes
2017-11-28 00:06 - 2017-11-28 00:06 - 000000000 ____D C:\Program Files\Malwarebytes
2017-11-28 00:06 - 2017-11-01 08:54 - 000077432 _____ C:\windows\system32\Drivers\mbae64.sys
 
==================== One Month Modified files and folders ========
 
(If an entry is included in the fixlist, the file/folder will be moved.)
 
2017-11-28 17:42 - 2012-11-11 14:53 - 000000000 ____D C:\Users\angeles\AppData\Roaming\Skype
2017-11-28 17:38 - 2016-04-13 16:57 - 000000642 _____ C:\windows\Tasks\G2MUploadTask-S-1-5-21-3876371430-4153257343-302851002-1000.job
2017-11-28 17:25 - 2014-12-07 15:12 - 000004312 _____ C:\windows\System32\Tasks\Adobe Flash Player Updater
2017-11-28 17:25 - 2014-12-07 15:07 - 000803328 _____ (Adobe Systems Incorporated) C:\windows\SysWOW64\FlashPlayerApp.exe
2017-11-28 17:25 - 2014-12-07 15:07 - 000144896 _____ (Adobe Systems Incorporated) C:\windows\SysWOW64\FlashPlayerCPLApp.cpl
2017-11-28 17:25 - 2014-12-07 15:07 - 000000000 ____D C:\windows\system32\Macromed
2017-11-28 17:25 - 2012-05-13 11:42 - 000000000 ____D C:\windows\SysWOW64\Macromed
2017-11-28 17:23 - 2016-04-13 16:57 - 000000546 _____ C:\windows\Tasks\G2MUpdateTask-S-1-5-21-3876371430-4153257343-302851002-1000.job
2017-11-28 17:06 - 2012-05-13 11:43 - 000000000 ____D C:\ProgramData\VeriFace
2017-11-28 12:55 - 2009-07-13 23:45 - 000028928 ____H C:\windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2017-11-28 12:55 - 2009-07-13 23:45 - 000028928 ____H C:\windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2017-11-28 12:44 - 2017-08-27 11:08 - 000004172 _____ C:\windows\System32\Tasks\Avast Emergency Update
2017-11-28 12:41 - 2009-07-14 00:13 - 000782510 _____ C:\windows\system32\PerfStringBackup.INI
2017-11-28 12:41 - 2009-07-13 22:20 - 000000000 ____D C:\windows\inf
2017-11-28 12:38 - 2015-12-07 16:57 - 000000000 ___RD C:\Users\angeles\Verizon Cloud Sync
2017-11-28 12:33 - 2014-05-28 11:48 - 000000000 ____D C:\Temp
2017-11-28 12:33 - 2012-05-13 11:57 - 002456225 _____ C:\windows\system32\fastboot.set
2017-11-28 12:32 - 2012-08-21 22:18 - 000000000 ____D C:\Users\angeles
2017-11-28 12:32 - 2009-07-14 00:08 - 000000006 ____H C:\windows\Tasks\SA.DAT
2017-11-28 10:34 - 2013-09-20 17:16 - 000002441 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Adobe Reader XI.lnk
2017-11-28 10:30 - 2015-01-30 20:11 - 000004476 _____ C:\windows\System32\Tasks\Adobe Acrobat Update Task
2017-11-28 09:08 - 2017-07-26 19:48 - 000000000 ____D C:\Users\angeles\AppData\Local\GoToMeeting
2017-11-28 07:47 - 2012-11-11 14:53 - 000000000 ____D C:\ProgramData\Skype
2017-11-28 07:24 - 2009-07-13 22:20 - 000000000 ____D C:\windows\system32\NDF
2017-11-28 03:34 - 2014-12-11 19:10 - 000000000 ____D C:\windows\system32\appraiser
2017-11-28 03:26 - 2013-08-08 09:08 - 000000000 ____D C:\windows\system32\MRT
2017-11-28 03:24 - 2012-08-24 13:53 - 126925120 ____C (Microsoft Corporation) C:\windows\system32\MRT.exe
2017-11-28 03:21 - 2014-02-26 07:49 - 000775124 _____ C:\windows\SysWOW64\PerfStringBackup.INI
2017-11-27 23:59 - 2012-05-13 11:53 - 000002195 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome.lnk
2017-11-27 23:55 - 2016-04-13 16:57 - 000003676 _____ C:\windows\System32\Tasks\G2MUploadTask-S-1-5-21-3876371430-4153257343-302851002-1000
2017-11-27 23:55 - 2016-04-13 16:57 - 000003580 _____ C:\windows\System32\Tasks\G2MUpdateTask-S-1-5-21-3876371430-4153257343-302851002-1000
2017-11-27 18:56 - 2012-05-13 11:53 - 000003330 _____ C:\windows\System32\Tasks\GoogleUpdateTaskMachineUA
2017-11-27 18:56 - 2012-05-13 11:53 - 000003202 _____ C:\windows\System32\Tasks\GoogleUpdateTaskMachineCore
 
Some files in TEMP:
====================
2013-09-05 15:29 - 2013-01-30 14:24 - 000833616 _____ (McAfee, Inc.) C:\Users\angeles\AppData\Local\Temp\0094031378412970mcinst.exe
2014-05-12 06:55 - 2014-05-12 06:55 - 000037096 _____ (Conexant Systems Inc.) C:\Users\angeles\AppData\Local\Temp\cxtvrate.dll
2009-12-01 16:44 - 2009-12-01 16:44 - 000081408 _____ (eMPIA Technology, Inc.) C:\Users\angeles\AppData\Local\Temp\emmon.exe
2015-02-15 18:17 - 2015-02-15 18:17 - 000762000 _____ (Installer Application                                       ) C:\Users\angeles\AppData\Local\Temp\ICReinstall_hdyoutubedownloader_setup.exe
2013-09-05 16:35 - 2013-09-05 16:35 - 000999768 _____ (Solid State Networks) C:\Users\angeles\AppData\Local\Temp\install_reader11_en_mssa_aih.exe
2016-07-20 11:13 - 2016-07-20 11:13 - 000741440 _____ (Oracle Corporation) C:\Users\angeles\AppData\Local\Temp\jre-8u101-windows-au.exe
2015-03-18 18:45 - 2015-03-18 18:46 - 000561576 _____ (Oracle Corporation) C:\Users\angeles\AppData\Local\Temp\jre-8u40-windows-au.exe
2015-04-19 17:18 - 2015-04-19 17:18 - 000562088 _____ (Oracle Corporation) C:\Users\angeles\AppData\Local\Temp\jre-8u45-windows-au.exe
2015-07-15 11:13 - 2015-07-15 11:13 - 000563808 _____ (Oracle Corporation) C:\Users\angeles\AppData\Local\Temp\jre-8u51-windows-au.exe
2015-08-27 22:13 - 2015-08-27 22:13 - 000585824 _____ (Oracle Corporation) C:\Users\angeles\AppData\Local\Temp\jre-8u60-windows-au.exe
2016-02-05 18:05 - 2016-02-05 18:05 - 000736352 _____ (Oracle Corporation) C:\Users\angeles\AppData\Local\Temp\jre-8u73-windows-au.exe
2016-03-25 11:13 - 2016-03-25 11:13 - 000736320 _____ (Oracle Corporation) C:\Users\angeles\AppData\Local\Temp\jre-8u77-windows-au.exe
2016-04-20 11:13 - 2016-06-25 22:13 - 000739904 _____ (Oracle Corporation) C:\Users\angeles\AppData\Local\Temp\jre-8u91-windows-au.exe
2014-05-27 14:18 - 2014-05-28 11:43 - 033586888 ____N (Motorola Mobility) C:\Users\angeles\AppData\Local\Temp\MotoCast_Installer_2.0405.exe
2014-12-07 22:08 - 2014-12-07 22:08 - 001015320 _____ (NCH Software) C:\Users\angeles\AppData\Local\Temp\mpsetup.exe
2011-03-14 07:31 - 2011-03-14 07:31 - 000149352 ____R (Microsoft Corporation) C:\Users\angeles\AppData\Local\Temp\ose00000.exe
2014-11-02 10:00 - 2017-03-05 09:29 - 056756184 _____ (Skype Technologies S.A.) C:\Users\angeles\AppData\Local\Temp\SkypeSetup.exe
2015-02-13 21:47 - 2015-02-13 21:47 - 000008704 _____ (Microsoft Corporation) C:\Users\angeles\AppData\Local\Temp\SpOrder.dll
2006-05-22 13:10 - 2006-05-22 13:10 - 000455600 ____R (Macrovision Corporation) C:\Users\angeles\AppData\Local\Temp\_is5F69.exe
2006-10-28 19:10 - 2006-10-28 19:10 - 000455600 ____R (Macrovision Corporation) C:\Users\angeles\AppData\Local\Temp\_isE7DA.exe
2016-10-20 04:07 - 2016-10-20 04:07 - 044295032 _____ (Google Inc.) C:\Users\angeles\AppData\Local\Temp\{069E215A-3C5A-4D32-A4CA-CD5286D384ED}-54.0.2840.71_chrome_installer.exe
2017-06-23 01:56 - 2017-06-23 01:56 - 016115816 _____ (Google Inc.) C:\Users\angeles\AppData\Local\Temp\{13F7BABC-D8D9-4801-BB0D-870AC03856D0}-59.0.3071.115_58.0.3029.110_chrome_updater.exe
2015-11-17 16:56 - 2015-11-17 16:56 - 009654157 _____ () C:\Users\angeles\AppData\Local\Temp\{6BA2B92A-7B81-49F2-B80D-AC2C2CECD6B3}-46.0.2490.86_chrome_installer.exe
2017-07-22 17:49 - 2017-07-22 17:50 - 000739904 _____ (Oracle Corporation) C:\Users\Guest\AppData\Local\Temp\jre-8u141-windows-au.exe
2015-07-15 11:13 - 2015-07-15 11:13 - 000562272 _____ (Oracle Corporation) C:\Users\Guest\AppData\Local\Temp\jre-8u45-windows-au.exe
2016-02-05 18:05 - 2016-02-05 18:05 - 000644704 _____ (Oracle Corporation) C:\Users\Guest\AppData\Local\Temp\jre-8u71-windows-au.exe
2015-08-02 00:52 - 2015-08-02 00:52 - 000122880 _____ () C:\Users\Guest\AppData\Local\Temp\mp3el.exe
 
==================== Bamital & volsnap ======================
 
(There is no automatic fix for files that do not pass verification.)
 
C:\windows\system32\winlogon.exe => File is digitally signed
C:\windows\system32\wininit.exe => File is digitally signed
C:\windows\SysWOW64\wininit.exe => File is digitally signed
C:\windows\explorer.exe => File is digitally signed
C:\windows\SysWOW64\explorer.exe => File is digitally signed
C:\windows\system32\svchost.exe => File is digitally signed
C:\windows\SysWOW64\svchost.exe => File is digitally signed
C:\windows\system32\services.exe => File is digitally signed
C:\windows\system32\User32.dll => File is digitally signed
C:\windows\SysWOW64\User32.dll => File is digitally signed
C:\windows\system32\userinit.exe => File is digitally signed
C:\windows\SysWOW64\userinit.exe => File is digitally signed
C:\windows\system32\rpcss.dll => File is digitally signed
C:\windows\system32\dnsapi.dll => File is digitally signed
C:\windows\SysWOW64\dnsapi.dll => File is digitally signed
C:\windows\system32\Drivers\volsnap.sys => File is digitally signed
 
LastRegBack: 2017-11-27 20:34
 
==================== End of FRST.txt ============================
 
 
Additional scan result of Farbar Recovery Scan Tool (x64) Version: 27-11-2017
Ran by angeles (28-11-2017 17:59:22)
Running from C:\Users\angeles\Desktop
Windows 7 Home Premium Service Pack 1 (X64) (2012-08-22 03:18:24)
Boot Mode: Normal
==========================================================
 
 
==================== Accounts: =============================
 
Administrator (S-1-5-21-3876371430-4153257343-302851002-500 - Administrator - Disabled)
angeles (S-1-5-21-3876371430-4153257343-302851002-1000 - Administrator - Enabled) => C:\Users\angeles
Guest (S-1-5-21-3876371430-4153257343-302851002-501 - Limited - Enabled) => C:\Users\Guest
HomeGroupUser$ (S-1-5-21-3876371430-4153257343-302851002-1002 - Limited - Enabled)
 
==================== Security Center ========================
 
(If an entry is included in the fixlist, it will be removed.)
 
AV: Avast Antivirus (Enabled - Up to date) {8EA8924E-BC81-DC44-8BB0-8BAE75D86EBF}
AV: Malwarebytes (Enabled - Up to date) {23007AD3-69FE-687C-2629-D584AFFAF72B}
AS: Malwarebytes (Enabled - Up to date) {98619B37-4FC4-67F2-1C99-EEF6D47DBD96}
AS: Windows Defender (Disabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
AS: Avast Antivirus (Enabled - Up to date) {35C973AA-9ABB-D3CA-B100-B0DC0E5F2402}
 
==================== Installed Programs ======================
 
(Only the adware programs with "Hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)
 
ABBYY FineReader 6.0 Sprint (HKLM-x32\...\{ACF60000-22B9-4CE9-98D6-2CCF359BAC07}) (Version: 6.00.1395.4512 - ABBYY Software House)
Adobe AIR (HKLM-x32\...\Adobe AIR) (Version: 3.0.0.4080 - Adobe Systems Incorporated)
Adobe Flash Player 27 ActiveX (HKLM-x32\...\Adobe Flash Player ActiveX) (Version: 27.0.0.187 - Adobe Systems Incorporated)
Adobe Flash Player 27 NPAPI (HKLM-x32\...\Adobe Flash Player NPAPI) (Version: 27.0.0.187 - Adobe Systems Incorporated)
Adobe Reader XI (11.0.23) (HKLM-x32\...\{AC76BA86-7AD7-1033-7B44-AB0000000001}) (Version: 11.0.23 - Adobe Systems Incorporated)
AirPort (HKLM-x32\...\{AA68AAAE-41F0-40B5-8896-5947F5FD6889}) (Version: 5.6.1.2 - Apple Inc.)
Akamai NetSession Interface (HKU\S-1-5-21-3876371430-4153257343-302851002-1000\...\Akamai) (Version:  - Akamai Technologies, Inc)
Apple Application Support (HKLM-x32\...\{AAC5D43E-816D-4C2D-8E51-55FFF35BE301}) (Version: 3.0.1 - Apple Inc.)
Apple Mobile Device Support (HKLM\...\{787136D2-F0F8-4625-AA3F-72D7795AC842}) (Version: 7.1.1.3 - Apple Inc.)
Apple Software Update (HKLM-x32\...\{789A5B64-9DD9-4BA5-915A-F0FC0A1B7BFE}) (Version: 2.1.3.127 - Apple Inc.)
Avast Free Antivirus (HKLM-x32\...\Avast Antivirus) (Version: 17.5.2303 - AVAST Software)
Best Buy pc app (HKLM\...\{FBBC4667-2521-4E78-B1BD-8706F774549B}) (Version: 3.2.0.0 - Best Buy) Hidden
Best Buy pc app (HKLM-x32\...\{FBBC4667-2521-4E78-B1BD-8706F774549B}) (Version: 3.2.0.0 - Best Buy) Hidden
BioExcess (HKLM\...\{A000F75A-A246-44A7-8079-9E9E7F9054B2}) (Version: 7.0.67.0 - Egis Technology Inc.) Hidden
BioExcess (HKLM-x32\...\{E6CB67CC-71D2-46b9-8D43-A4641A9EECB2}) (Version: 7.0.67.0 - Egis Technology Inc.) Hidden
BioExcess (HKLM-x32\...\InstallShield_{E6CB67CC-71D2-46b9-8D43-A4641A9EECB2}) (Version: 7.0.67.0 - Egis Technology Inc.)
Bonjour (HKLM\...\{6E3610B2-430D-4EB0-81E3-2B57E8B9DE8D}) (Version: 3.0.0.10 - Apple Inc.)
Canon Laser Printer/Scanner/Fax Extended Survey Program (HKLM\...\{8A16FF47-A5FC-49A8-96B5-31180D317059}) (Version: 1.1.4 - CANON INC.) Hidden
Canon Laser Printer/Scanner/Fax Extended Survey Program (HKLM\...\Canon Laser Printer/Scanner/Fax Extended Survey Program) (Version: 1.1.4.10001 - CANON INC.)
Canon MF Toolbox 4.9.1.1.mf14 (HKLM-x32\...\{6767DFEE-8909-453A-B553-C7693912B2EB}) (Version: 4.9.1.1.mf14 - CANON INC.)
Canon MF8200C Series (HKLM\...\{C2938963-3BB0-41cd-9769-E28814C59075}) (Version: 4.2.0.0 - CANON INC.)
Citrix Online Launcher (HKLM-x32\...\{09DA5EE2-7E46-4DC4-96F9-BFEE50D40659}) (Version: 1.0.408 - Citrix)
Coupon Printer for Windows (HKLM-x32\...\Coupon Printer for Windows5.0.1.3) (Version: 5.0.1.3 - Coupons.com Incorporated)
CyberLink YouCam (HKLM-x32\...\InstallShield_{01FB4998-33C4-4431-85ED-079E3EEFE75D}) (Version: 3.1.3623 - CyberLink Corp.)
D3DX10 (HKLM-x32\...\{E09C4DB7-630C-4F06-A631-8EA7239923AF}) (Version: 15.4.2368.0902 - Microsoft) Hidden
EgisTec ES603 WDM Driver (HKLM-x32\...\InstallShield_{AE4167B0-F589-4D2A-BF05-E181D543C49F}) (Version: 3.0.10.4 - Egis Technology Inc.)
Elgato Video Capture (HKLM-x32\...\{2E551F69-B2B5-4B59-82B3-45A91E47026F}) (Version: 1.13.6.116 - Elgato Systems GmbH)
Energy Management (HKLM-x32\...\{D0956C11-0F60-43FE-99AD-524E833471BB}) (Version: 6.0.2.1 - Lenovo) Hidden
Energy Management (HKLM-x32\...\InstallShield_{D0956C11-0F60-43FE-99AD-524E833471BB}) (Version: 6.0.2.1 - Lenovo)
Epson Copy Utility 3.5 (HKLM-x32\...\{AA72FB28-73B4-49E5-B6B4-E78F44BBD0AD}) (Version: 3.5.0.0 - )
Epson Event Manager (HKLM-x32\...\{48F22622-1CC2-4A83-9C1E-644DD96F832D}) (Version: 2.30.01 - SEIKO EPSON Corporation)
EPSON Perfection V600 Photo Scanner Driver Update (HKLM-x32\...\{EBBE3D90-9344-43A7-A548-91BA02B3B7CD}) (Version:  - )
EPSON Scan (HKLM-x32\...\EPSON Scanner) (Version:  - )
ES603 WDM Driver (HKLM-x32\...\{AE4167B0-F589-4D2A-BF05-E181D543C49F}) (Version: 3.0.10.4 - Egis Technology Inc.) Hidden
ffdshow [rev 2527] [2008-12-19] (HKLM-x32\...\ffdshow_is1) (Version: 1.0 - )
Free YouTube Downloader 4.0.312 (HKLM-x32\...\{A7E19604-93AF-4611-8C9F-CE509C2B286F}_is1) (Version:  - HOW Inc.)
Google Chrome (HKLM-x32\...\Google Chrome) (Version: 62.0.3202.94 - Google Inc.)
Google Toolbar for Internet Explorer (HKLM-x32\...\{18455581-E099-4BA8-BC6B-F34B2F06600C}) (Version: 1.0.0 - Google Inc.) Hidden
Google Toolbar for Internet Explorer (HKLM-x32\...\{2318C2B1-4965-11d4-9B18-009027A5CD4F}) (Version: 7.5.8231.2252 - Google Inc.)
Google Update Helper (HKLM-x32\...\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA}) (Version: 1.3.33.7 - Google Inc.) Hidden
Google Update Helper (HKLM-x32\...\{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}) (Version: 1.3.25.11 - Google Inc.) Hidden
GoToMeeting 8.17.0.7943 (HKU\S-1-5-21-3876371430-4153257343-302851002-1000\...\GoToMeeting) (Version: 8.17.0.7943 - LogMeIn, Inc.)
HP FWUpdateEDO2 (HKLM-x32\...\{415FA9AD-DA10-4ABE-97B6-5051D4795C90}) (Version: 1.2.0.0 - Hewlett-Packard)
HP Photosmart 6510 series Basic Device Software (HKLM\...\{B53F9744-F0FB-44A6-9739-335CDAB4488A}) (Version: 25.0.621.0 - Hewlett-Packard Co.)
HP Update (HKLM-x32\...\{97486FBE-A3FC-4783-8D55-EA37E9D171CC}) (Version: 5.005.000.002 - Hewlett-Packard)
HPDiagnosticAlert (HKLM-x32\...\{846B5DED-DC8C-4E1A-B5B4-9F5B39A0CACE}) (Version: 1.00.0000 - Microsoft) Hidden
Intel® Control Center (HKLM-x32\...\{F8A9085D-4C7A-41a9-8A77-C8998A96C421}) (Version: 1.2.1.1007 - Intel Corporation)
Intel® Management Engine Components (HKLM-x32\...\{65153EA5-8B6E-43B6-857B-C6E4FC25798A}) (Version: 7.0.0.1144 - Intel Corporation)
Intel® Processor Graphics (HKLM-x32\...\{F0E3AD40-2BBD-4360-9C76-B9AC9A5886EA}) (Version: 8.15.10.2342 - Intel Corporation)
Intel® Rapid Storage Technology (HKLM-x32\...\{3E29EE6C-963A-4aae-86C1-DC237C4A49FC}) (Version: 10.1.5.1001 - Intel Corporation)
iTunes (HKLM\...\{B8BA155B-1E75-405F-9CB4-8A99615D09DC}) (Version: 11.1.5.5 - Apple Inc.)
Java 8 Update 25 (HKLM-x32\...\{26A24AE4-039D-4CA4-87B4-2F83218025F0}) (Version: 8.0.250 - Oracle Corporation)
Junk Mail filter update (HKLM-x32\...\{1F6AB0E7-8CDD-4B93-8A23-AA9EB2FEFCE4}) (Version: 15.4.3502.0922 - Microsoft Corporation) Hidden
Lenovo EasyCamera (HKLM-x32\...\{ADE16A9D-FBDC-4ecc-B6BD-9C31E51D0332}) (Version: 13.10.1201.1 - Vimicro)
Lenovo EE Boot Optimizer (HKLM\...\Lenovo EE Boot Optimizer) (Version: 0.0.1.6 - Lenovo)
Lenovo OneKey Recovery (HKLM\...\{46F4D124-20E5-4D12-BE52-EC177A7A4B42}) (Version: 7.0.1628 - CyberLink Corp.) Hidden
Lenovo OneKey Recovery (HKLM-x32\...\InstallShield_{46F4D124-20E5-4D12-BE52-EC177A7A4B42}) (Version: 7.0.1628 - CyberLink Corp.)
Lenovo Security Suite (HKLM-x32\...\{0034859F-8E01-4C1D-BE77-F891C4786FBC}) (Version: 2.0.11.0 - Lenovo) Hidden
Lenovo Security Suite (HKLM-x32\...\InstallShield_{0034859F-8E01-4C1D-BE77-F891C4786FBC}) (Version: 2.0.11.0 - Lenovo)
Lenovo_Wireless_Driver (HKLM-x32\...\{28ABE740-47F3-441B-9437-852F6A64EFF8}) (Version: 1.02.01 - Lenovo)
Malwarebytes version 3.3.1.2183 (HKLM\...\{35065F43-4BB2-439A-BFF7-0F1014F2E0CD}_is1) (Version: 3.3.1.2183 - Malwarebytes)
McAfee Security Scan Plus (HKLM\...\McAfee Security Scan) (Version: 3.11.163.2 - McAfee, Inc.)
Mesh Runtime (HKLM-x32\...\{8C6D6116-B724-4810-8F2D-D047E6B7D68E}) (Version: 15.4.5722.2 - Microsoft Corporation) Hidden
Microsoft .NET Framework 4.7 (HKLM\...\{92FB6C44-E685-45AD-9B20-CADF4CABA132} - 1033) (Version: 4.7.02053 - Microsoft Corporation)
Microsoft Office Home and Student 2010 (HKLM-x32\...\Office14.SingleImage) (Version: 14.0.7015.1000 - Microsoft Corporation)
Microsoft Silverlight (HKLM\...\{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}) (Version: 5.1.50907.0 - Microsoft Corporation)
Microsoft SQL Server 2005 Compact Edition [ENU] (HKLM-x32\...\{F0B430D1-B6AA-473D-9B06-AA3DD01FD0B8}) (Version: 3.1.0000 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (HKLM-x32\...\{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}) (Version: 8.0.61001 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022 (HKLM-x32\...\{FF66E9F6-83E7-3A3E-AF14-8DE9A809A6A4}) (Version: 9.0.21022 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (HKLM-x32\...\{9BE518E6-ECC6-35A9-88E4-87755C07200F}) (Version: 9.0.30729.6161 - Microsoft Corporation)
Microsoft Visual C++ 2010  x64 Redistributable - 10.0.40219 (HKLM\...\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}) (Version: 10.0.40219 - Microsoft Corporation)
Microsoft Visual C++ 2010  x86 Redistributable - 10.0.40219 (HKLM-x32\...\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}) (Version: 10.0.40219 - Microsoft Corporation)
Microsoft Visual C++ 2015 Redistributable (x86) - 14.0.24215 (HKLM-x32\...\{e2803110-78b3-4664-a479-3611a381656a}) (Version: 14.0.24215.1 - Microsoft Corporation)
Microsoft Visual Studio 2010 Tools for Office Runtime (x64) (HKLM\...\Microsoft Visual Studio 2010 Tools for Office Runtime (x64)) (Version: 10.0.50903 - Microsoft Corporation)
MixPad Multitrack Recording Software (HKLM-x32\...\MixPad) (Version: 3.73 - NCH Software)
Motorola Device Manager (HKLM-x32\...\{28DB8373-C1BB-444F-A427-A55585A12ED7}) (Version: 2.4.5 - Motorola Mobility)
Motorola Device Software Update (HKLM-x32\...\{894AB83D-A9AF-4E54-BFF3-A7262A0A6C13}) (Version: 13.09.3001 - Motorola Mobility) Hidden
Motorola Mobile Drivers Installation 6.3.0 (HKLM\...\{759E6A2F-1F01-45EF-A0C4-22F1B56CB975}) (Version: 6.3.0 - Motorola Mobility LLC)
Mozilla Firefox 49.0.2 (x86 en-US) (HKLM-x32\...\Mozilla Firefox 49.0.2 (x86 en-US)) (Version: 49.0.2 - Mozilla)
Mozilla Maintenance Service (HKLM-x32\...\MozillaMaintenanceService) (Version: 49.0.2.6136 - Mozilla)
MSXML 4.0 SP3 Parser (HKLM-x32\...\{196467F1-C11F-4F76-858B-5812ADC83B94}) (Version: 4.30.2100.0 - Microsoft Corporation)
MSXML 4.0 SP3 Parser (KB2758694) (HKLM-x32\...\{1D95BA90-F4F8-47EC-A882-441C99D30C1E}) (Version: 4.30.2117.0 - Microsoft Corporation)
Port Locker (HKLM\...\{1F494B8A-D6E6-4540-9A74-F773B63164A6}) (Version: 1.0.5.24 - Egis Technology Inc.) Hidden
Port Locker (HKLM-x32\...\{A6FEE06D-C7E1-48CB-A9DF-1E317CF83CA4}) (Version: 1.0.5.24 - Egis Technology Inc.) Hidden
Port Locker (HKLM-x32\...\InstallShield_{A6FEE06D-C7E1-48CB-A9DF-1E317CF83CA4}) (Version: 1.0.5.24 - Egis Technology Inc.)
Power2Go (HKLM-x32\...\{40BF1E83-20EB-11D8-97C5-0009C5020658}) (Version: 5.6.0.7303 - CyberLink Corp.)
Realtek Ethernet Controller Driver For Windows 7 (HKLM-x32\...\{8833FFB6-5B0C-4764-81AA-06DFEED9A476}) (Version: 7.21.531.2010 - Realtek)
Realtek High Definition Audio Driver (HKLM-x32\...\{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}) (Version: 6.0.1.6282 - Realtek Semiconductor Corp.)
Realtek USB 2.0 Reader Driver (HKLM-x32\...\{62BBB2F0-E220-4821-A564-730807D2C34D}) (Version: 6.1.7600.10008 - Realtek Semiconductor Corp.)
Rosetta Stone Language Training (HKLM-x32\...\{00384623-4937-4D7D-BDD9-23513D1C50AB}) (Version: 5.0.37.0 - Rosetta Stone, Ltd)
Rosetta Stone Ltd Services (HKLM-x32\...\{3165E4A6-D5DE-46B0-8597-D55E2B826B84}) (Version: 3.2.21 - Rosetta Stone Ltd.)
SafeZone Stable 4.58.2552.909 (HKLM-x32\...\SafeZone 4.58.2552.909) (Version: 4.58.2552.909 - Avast Software) Hidden
Service Pack 2 for Microsoft Office 2010 (KB2687455) 32-Bit Edition (HKLM-x32\...\{90140000-003D-0000-0000-0000000FF1CE}_Office14.SingleImage_{DE28B448-32E8-4E8F-84F0-A52B21A49B5B}) (Version:  - Microsoft)
Shared C Run-time for x64 (HKLM\...\{EF79C448-6946-4D71-8134-03407888C054}) (Version: 10.0.0 - McAfee)
Skype Click to Call (HKLM-x32\...\{873F8E7C-10E6-449F-BD7E-5FBA7C8E1C9B}) (Version: 8.5.0.9167 - Microsoft Corporation)
Skype Web Plugin (HKLM-x32\...\{0F7D4832-16AE-4857-A6FA-2B141D75A59B}) (Version: 7.7.0.219 - Skype Technologies S.A.)
Skype™ 7.40 (HKLM-x32\...\{3B7E914A-93D5-4A29-92BB-AF8C3F66C431}) (Version: 7.40.151 - Skype Technologies S.A.)
Streaming Video Recorder V2.1.2 (HKLM\...\{2CD65167-671F-49A3-B6C7-3B919DF028E2}_is1) (Version: 2.1.2 - Apowersoft)
Synaptics Pointing Device Driver (HKLM\...\SynTPDeinstKey) (Version: 15.2.7.0 - Synaptics Incorporated)
TherapyEd's OT Exams 7th Edition (HKLM-x32\...\{D8E37409-0F2A-5104-267D-308638C67CEE}) (Version: 1.0 - Spearhead Global Inc.) Hidden
TherapyEd's OT Exams 7th Edition (HKLM-x32\...\TherapyEdsOTExams7e.32B9EDC2FDCC15847C4D6FB43F849BB889AADE68.1) (Version: 1.0 - Spearhead Global Inc.)
VeriFace (HKLM-x32\...\VeriFace) (Version: 4.0.0.1224 - Lenovo)
Verizon Cloud (HKLM\...\Verizon Cloud) (Version: 15.3.6.13 - Verizon)
Video Capture all v5.09.1202.00 (HKLM-x32\...\Software_Elgato_Video Capture all) (Version: 5.09.1202.00 - Elgato Systems)
Video Capture v5.09.1202.00 (HKLM-x32\...\Video Capture v5.09.1202.00) (Version: 5.09.1202.00 - Elgato Systems)
Watchtower Library 2014 - Italiano (HKLM-x32\...\{18AEA7C7-E30E-4786-BEB7-1FF0D818705A}) (Version: 16.0 - Watchtower Bible and Tract Society of Pennsylvania, Inc.)
WavePad Sound Editor (HKLM-x32\...\WavePad) (Version: 5.96 - NCH Software)
Windows Driver Package - Lenovo (ACPIVPC) System  (12/02/2010 6.1.0.1) (HKLM\...\EA12B1FB53CE4E387C31A85236C41EF559B5E392) (Version: 12/02/2010 6.1.0.1 - Lenovo)
Windows Live Essentials (HKLM-x32\...\WinLiveSuite) (Version: 15.4.3508.1109 - Microsoft Corporation)
Windows Live Mesh ActiveX Control for Remote Connections (HKLM-x32\...\{2902F983-B4C1-44BA-B85D-5C6D52E2C441}) (Version: 15.4.5722.2 - Microsoft Corporation)
 
==================== Custom CLSID (Whitelisted): ==========================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
CustomCLSID: HKU\S-1-5-21-3876371430-4153257343-302851002-1000_Classes\CLSID\{81CD4B70-A8AB-48FC-826C-8F76A1A06829}\InprocServer32 -> C:\Users\angeles\AppData\Local\SkypePlugin\7.7.0.219\GatewayActiveX-x64.dll (Skype Technologies S.A.)
CustomCLSID: HKU\S-1-5-21-3876371430-4153257343-302851002-1000_Classes\CLSID\{84B5A313-CD5D-4904-8BA2-AFDC81C1B309}\InprocServer32 -> C:\Users\angeles\AppData\Local\Citrix\GoToMeeting\5530\G2MOutlookAddin64.dll => No File
CustomCLSID: HKU\S-1-5-21-3876371430-4153257343-302851002-1000_Classes\CLSID\{CBF9CD8C-2714-4F36-B76A-43E6C7547BC2}\localserver32 -> C:\Users\angeles\AppData\Local\SkypePlugin\7.7.0.219\EdgeCalling.exe (Skype Technologies S.A.)
CustomCLSID: HKU\S-1-5-21-3876371430-4153257343-302851002-1000_Classes\CLSID\{D779CCB8-300C-4160-B101-D6A5FD73294E}\localserver32 -> C:\Users\angeles\AppData\Local\SkypePlugin\7.7.0.219\GatewayVersion-x64.exe (Skype Technologies S.A.)
ShellIconOverlayIdentifiers: [ SncrOverlays (InSync)] -> {5F4A6070-DB92-4C56-A487-F3850430608F} => C:\Program Files\Verizon\VerizonCloud\x64\Sncr.Overlays.dll [2015-10-22] (Synchronoss Technologies Inc.)
ShellIconOverlayIdentifiers: [ SncrOverlays (Pending)] -> {EE73A341-C788-4A6B-B1EF-DDBFC0F190B6} => C:\Program Files\Verizon\VerizonCloud\x64\Sncr.Overlays.dll [2015-10-22] (Synchronoss Technologies Inc.)
ShellIconOverlayIdentifiers: [ SncrOverlays (Syncing)] -> {28CDCD88-B179-49D6-8B21-1A9AF9C0AE13} => C:\Program Files\Verizon\VerizonCloud\x64\Sncr.Overlays.dll [2015-10-22] (Synchronoss Technologies Inc.)
ShellIconOverlayIdentifiers: [00asw] -> {472083B0-C522-11CF-8763-00608CC02F24} => C:\Program Files\AVAST Software\Avast\ashShA64.dll [2017-08-27] (AVAST Software)
ShellIconOverlayIdentifiers: [00avast] -> {472083B0-C522-11CF-8763-00608CC02F24} => C:\Program Files\AVAST Software\Avast\ashShA64.dll [2017-08-27] (AVAST Software)
ShellIconOverlayIdentifiers: [VeriFace Enc] -> {771C7324-DA80-49D3-8017-753B0AF60951} => C:\windows\system32\IcnOvrly.dll [2012-05-13] ()
ContextMenuHandlers1: [avast] -> {472083B0-C522-11CF-8763-00608CC02F24} => C:\Program Files\AVAST Software\Avast\ashShA64.dll [2017-08-27] (AVAST Software)
ContextMenuHandlers1: [VerizonCtxMenu] -> {8CA825D9-C7DB-4833-9901-E7400521CE04} => C:\Program Files\Verizon\VerizonCloud\x64\Sncr.ContextMenus.dll [2015-10-22] (Synchronoss Technologies Inc.)
ContextMenuHandlers3: [00asw] -> {472083B0-C522-11CF-8763-00608CC02F24} => C:\Program Files\AVAST Software\Avast\ashShA64.dll [2017-08-27] (AVAST Software)
ContextMenuHandlers3: [EgisShellExt] -> {4AC48C52-DA87-48AB-BE92-96E4F0070CEA} => C:\Program Files (x86)\EgisTec BioExcess\x64\EgisShellExt.dll [2010-12-13] (Egis Technology Inc. )
ContextMenuHandlers3: [IkeyShlExt] -> {F1E551D1-822B-40e6-B4D8-A9B4A48AA07A} => C:\windows\system32\SimpleExt.dll [2012-05-13] ()
ContextMenuHandlers3: [MBAMShlExt] -> {57CE581A-0CB6-4266-9CA0-19364C90A0B3} => C:\Program Files\Malwarebytes\Anti-Malware\mbshlext.dll [2017-11-01] (Malwarebytes)
ContextMenuHandlers4: [VerizonCtxMenu] -> {8CA825D9-C7DB-4833-9901-E7400521CE04} => C:\Program Files\Verizon\VerizonCloud\x64\Sncr.ContextMenus.dll [2015-10-22] (Synchronoss Technologies Inc.)
ContextMenuHandlers5: [igfxcui] -> {3AB1675A-CCFF-11D2-8B20-00A0C93CB1F4} => C:\windows\system32\igfxpph.dll [2011-03-25] (Intel Corporation)
ContextMenuHandlers5: [VerizonCtxMenu] -> {8CA825D9-C7DB-4833-9901-E7400521CE04} => C:\Program Files\Verizon\VerizonCloud\x64\Sncr.ContextMenus.dll [2015-10-22] (Synchronoss Technologies Inc.)
ContextMenuHandlers6: [avast] -> {472083B0-C522-11CF-8763-00608CC02F24} => C:\Program Files\AVAST Software\Avast\ashShA64.dll [2017-08-27] (AVAST Software)
ContextMenuHandlers6: [MBAMShlExt] -> {57CE581A-0CB6-4266-9CA0-19364C90A0B3} => C:\Program Files\Malwarebytes\Anti-Malware\mbshlext.dll [2017-11-01] (Malwarebytes)
ContextMenuHandlers6: [VerizonCtxMenu] -> {8CA825D9-C7DB-4833-9901-E7400521CE04} => C:\Program Files\Verizon\VerizonCloud\x64\Sncr.ContextMenus.dll [2015-10-22] (Synchronoss Technologies Inc.)
 
==================== Scheduled Tasks (Whitelisted) =============
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
Task: {1205D537-C32B-41AF-A3BA-64E69A8A215F} - System32\Tasks\{696DADA3-B522-4B59-B

#2 Android 8888

    SWI Malware Tracker

  • Trusted Advisor*
  • 1,038 posts

Posted 29 November 2017 - 06:44 AM

Hello azuleno.
Welcome to SpywareInfo Forum.
I'm Android 8888 and I'll be helping you. Please ask questions if anything is unclear.

I suggest printing out each set of instructions or copy them to a Notepad file and reading the entire post before proceeding. It will make following them easier.


Open Google Chrome;
Type chrome://extensions in the address bar and press Enter;
Click the trash can icon by the following extensions:

Avast SafePrice
Avast Online Security
Bing
Coupon Printer for Windows
Savings Button: Deals + Cash Back


When a confirmation dialog appears, click Remove.



NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system.

Press the Windows key + R on your keyboard at the same time. This will open the RUN BOX.
Type Notepad and click the OK button.
Please copy the entire contents of the code box below. To do this, highlight the contents of the box, right-click on it and select Copy.
Paste this into the open Notepad.
 

Start::

CreateRestorePoint:
CloseProcesses:
EmptyTemp:
(Coupons.com Inc.) C:\Program Files (x86)\Coupons\CouponPrinterService.exe
HKLM-x32\...\Run: [] => [X]
HKLM\SOFTWARE\Policies\Microsoft\Windows Defender: Restriction <==== ATTENTION
HKU\S-1-5-21-3876371430-4153257343-302851002-1000\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://www.google.com/ig/redirectdomain?brand=LENN&bmod=LENN
SearchScopes: HKLM -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = hxxp://www.bing.com/search?q={searchTerms}&form=LENDF8&pc=MALN&src=IE-SearchBox
SearchScopes: HKLM-x32 -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = hxxp://www.bing.com/search?q={searchTerms}&form=LENDF8&pc=MALN&src=IE-SearchBox
SearchScopes: HKU\S-1-5-21-3876371430-4153257343-302851002-1000 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = hxxp://www.bing.com/search?FORM=UP97DF&PC=UP97&q={searchTerms}&src=IE-SearchBox
SearchScopes: HKU\S-1-5-21-3876371430-4153257343-302851002-1000 -> 1F82560E7A284F3B9D81B2C56FB0F4D8 URL = hxxp://www.google.com/search?sourceid=ie7&q={searchTerms}&rls=com.microsoft:{language}:{referrer:source?}&ie={inputEncoding}&oe={outputEncoding}&rlz=1I7LENN_enUS498
SearchScopes: HKU\S-1-5-21-3876371430-4153257343-302851002-1000 -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = hxxp://www.bing.com/search?FORM=UP97DF&PC=UP97&q={searchTerms}&src=IE-SearchBox
SearchScopes: HKU\S-1-5-21-3876371430-4153257343-302851002-1000 -> {67A2568C-7A0A-4EED-AECC-B5405DE63B64} URL = hxxp://www.google.com/search?sourceid=ie7&q={searchTerms}&rls=com.microsoft:{language}:{referrer:source?}&ie={inputEncoding}&oe={outputEncoding}&rlz=1I7LENN_enUS498
FF SearchPlugin: C:\Users\angeles\AppData\Roaming\Mozilla\Firefox\Profiles\tqhyv03k.default\searchplugins\bingp.xml [2014-12-06]
FF Plugin: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin-x32: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin ProgramFiles/Appdata: C:\Program Files (x86)\mozilla firefox\browser\plugins\npMozCouponPrinter.dll [2014-10-01] (Coupons, Inc.)
CHR DefaultSearchURL: Default -> hxxp://www.bing.com/search?FORM=__PARAM__DF&PC=__PARAM__&q={searchTerms}
CHR DefaultSuggestURL: Default -> hxxp://www.bing.com/osjson.aspx?FORM=__PARAM__DF&PC=__PARAM__&query={searchTerms}
CHR HKU\S-1-5-21-3876371430-4153257343-302851002-1000\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [fcfenmboojpjinhpgggodefccipikbpd] - hxxps://clients2.google.com/service/update2/crx
CHR HKLM-x32\...\Chrome\Extension: [eofcbnmajmjmplflapaojjnihcjkigck] - hxxps://clients2.google.com/service/update2/crx
CHR HKLM-x32\...\Chrome\Extension: [gomekmidlodglbbmalcneegieacbdmki] - C:\Program Files\AVAST Software\Avast\WebRep\Chrome\aswWebRepChrome.crx <not found>
S2 0094031378412970mcinstcleanup; C:\Users\angeles\AppData\Local\Temp\009403~1.EXE [833616 2013-01-30] (McAfee, Inc.) <==== ATTENTION
R2 CouponPrinterService; C:\Program Files (x86)\Coupons\CouponPrinterService.exe [179184 2014-10-15] (Coupons.com Inc.)
S3 rpcapd; "%ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini" [X]
U3 BcmSqlStartupSvc; no ImagePath
U2 CLKMSVC10_3A60B698; no ImagePath
U2 CLKMSVC10_C3B3B687; no ImagePath
U2 DriverService; no ImagePath
U2 IAStorDataMgrSvc; no ImagePath
U2 iATAgentService; no ImagePath
U2 idealife Update Service; no ImagePath
U3 IGRS; no ImagePath
U2 IviRegMgr; no ImagePath
U2 nvUpdatusService; no ImagePath
U2 Oasis2Service; no ImagePath
U2 PCCarerService; no ImagePath
U2 ReadyComm.DirectRouter; no ImagePath
U2 RichVideo; no ImagePath
U2 RtLedService; no ImagePath
U2 SeaPort; no ImagePath
U2 SoftwareService; no ImagePath
U3 SQLWriter; no ImagePath
U2 Stereo Service; no ImagePath
2013-09-05 15:29 - 2013-01-30 14:24 - 000833616 _____ (McAfee, Inc.) C:\Users\angeles\AppData\Local\Temp\0094031378412970mcinst.exe
2014-05-12 06:55 - 2014-05-12 06:55 - 000037096 _____ (Conexant Systems Inc.) C:\Users\angeles\AppData\Local\Temp\cxtvrate.dll
2009-12-01 16:44 - 2009-12-01 16:44 - 000081408 _____ (eMPIA Technology, Inc.) C:\Users\angeles\AppData\Local\Temp\emmon.exe
2015-02-15 18:17 - 2015-02-15 18:17 - 000762000 _____ (Installer Application) C:\Users\angeles\AppData\Local\Temp\ICReinstall_hdyoutubedownloader_setup.exe
2013-09-05 16:35 - 2013-09-05 16:35 - 000999768 _____ (Solid State Networks) C:\Users\angeles\AppData\Local\Temp\install_reader11_en_mssa_aih.exe
2016-07-20 11:13 - 2016-07-20 11:13 - 000741440 _____ (Oracle Corporation) C:\Users\angeles\AppData\Local\Temp\jre-8u101-windows-au.exe
2015-03-18 18:45 - 2015-03-18 18:46 - 000561576 _____ (Oracle Corporation) C:\Users\angeles\AppData\Local\Temp\jre-8u40-windows-au.exe
2015-04-19 17:18 - 2015-04-19 17:18 - 000562088 _____ (Oracle Corporation) C:\Users\angeles\AppData\Local\Temp\jre-8u45-windows-au.exe
2015-07-15 11:13 - 2015-07-15 11:13 - 000563808 _____ (Oracle Corporation) C:\Users\angeles\AppData\Local\Temp\jre-8u51-windows-au.exe
2015-08-27 22:13 - 2015-08-27 22:13 - 000585824 _____ (Oracle Corporation) C:\Users\angeles\AppData\Local\Temp\jre-8u60-windows-au.exe
2016-02-05 18:05 - 2016-02-05 18:05 - 000736352 _____ (Oracle Corporation) C:\Users\angeles\AppData\Local\Temp\jre-8u73-windows-au.exe
2016-03-25 11:13 - 2016-03-25 11:13 - 000736320 _____ (Oracle Corporation) C:\Users\angeles\AppData\Local\Temp\jre-8u77-windows-au.exe
2016-04-20 11:13 - 2016-06-25 22:13 - 000739904 _____ (Oracle Corporation) C:\Users\angeles\AppData\Local\Temp\jre-8u91-windows-au.exe
2014-05-27 14:18 - 2014-05-28 11:43 - 033586888 ____N (Motorola Mobility) C:\Users\angeles\AppData\Local\Temp\MotoCast_Installer_2.0405.exe
2014-12-07 22:08 - 2014-12-07 22:08 - 001015320 _____ (NCH Software) C:\Users\angeles\AppData\Local\Temp\mpsetup.exe
2011-03-14 07:31 - 2011-03-14 07:31 - 000149352 ____R (Microsoft Corporation) C:\Users\angeles\AppData\Local\Temp\ose00000.exe
2014-11-02 10:00 - 2017-03-05 09:29 - 056756184 _____ (Skype Technologies S.A.) C:\Users\angeles\AppData\Local\Temp\SkypeSetup.exe
2015-02-13 21:47 - 2015-02-13 21:47 - 000008704 _____ (Microsoft Corporation) C:\Users\angeles\AppData\Local\Temp\SpOrder.dll
2006-05-22 13:10 - 2006-05-22 13:10 - 000455600 ____R (Macrovision Corporation) C:\Users\angeles\AppData\Local\Temp\_is5F69.exe
2006-10-28 19:10 - 2006-10-28 19:10 - 000455600 ____R (Macrovision Corporation) C:\Users\angeles\AppData\Local\Temp\_isE7DA.exe
2016-10-20 04:07 - 2016-10-20 04:07 - 044295032 _____ (Google Inc.) C:\Users\angeles\AppData\Local\Temp\{069E215A-3C5A-4D32-A4CA-CD5286D384ED}-54.0.2840.71_chrome_installer.exe
2017-06-23 01:56 - 2017-06-23 01:56 - 016115816 _____ (Google Inc.) C:\Users\angeles\AppData\Local\Temp\{13F7BABC-D8D9-4801-BB0D-870AC03856D0}-59.0.3071.115_58.0.3029.110_chrome_updater.exe
2015-11-17 16:56 - 2015-11-17 16:56 - 009654157 _____ () C:\Users\angeles\AppData\Local\Temp\{6BA2B92A-7B81-49F2-B80D-AC2C2CECD6B3}-46.0.2490.86_chrome_installer.exe
2017-07-22 17:49 - 2017-07-22 17:50 - 000739904 _____ (Oracle Corporation) C:\Users\Guest\AppData\Local\Temp\jre-8u141-windows-au.exe
2015-07-15 11:13 - 2015-07-15 11:13 - 000562272 _____ (Oracle Corporation) C:\Users\Guest\AppData\Local\Temp\jre-8u45-windows-au.exe
2016-02-05 18:05 - 2016-02-05 18:05 - 000644704 _____ (Oracle Corporation) C:\Users\Guest\AppData\Local\Temp\jre-8u71-windows-au.exe
2015-08-02 00:52 - 2015-08-02 00:52 - 000122880 _____ () C:\Users\Guest\AppData\Local\Temp\mp3el.exe
Best Buy pc app (HKLM\...\{FBBC4667-2521-4E78-B1BD-8706F774549B}) (Version: 3.2.0.0 - Best Buy) Hidden
Best Buy pc app (HKLM-x32\...\{FBBC4667-2521-4E78-B1BD-8706F774549B}) (Version: 3.2.0.0 - Best Buy) Hidden
CustomCLSID: HKU\S-1-5-21-3876371430-4153257343-302851002-1000_Classes\CLSID\{84B5A313-CD5D-4904-8BA2-AFDC81C1B309}\InprocServer32 -> C:\Users\angeles\AppData\Local\Citrix\GoToMeeting\5530\G2MOutlookAddin64.dll => No File
CMD: ipconfig /flushdns
EmptyTemp:
End::

Save the file as fixlist.txt in to the same location as FRST64.exe.
Right-click the FRST64.exe icon and select Run as administrator to run the tool.
Click the Fix button only once and wait.
When finished, FRST will generate a log (Fixlog.txt) in the same folder where FRST64.exe is located. Please post its content in your next reply.

NOTE. It's important that both files, FRST64.exe and fixlist.txt are in the same location or the fix will not work.

If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.


Next,

Open Google Chrome;
Type chrome://extensions in the address bar and press Enter;
Click the trash can icon by the following extensions:

Best Buy pc app

A confirmation dialog appears, click Remove.


Next,

  • Please download AdwCleaner and move it to your Desktop.
  • Right-click on AdwCleaner.exe and select Run as Administrator (for Windows Vista, 7, 8, 8.1 and 10 users).
  • Accept the EULA (I accept), then click on Scan.
  • Let the scan complete. Once it's done, make sure that every item listed in the different tabs is checked and click on the Clean button. This will kill all the active processes.
  • Once the cleaning process is complete, AdwCleaner will ask to restart your computer, do it.
  • After the restart, a log will open when logging in.
  • Please copy and paste the content of that log in your next reply.

Next,

  • Open Malwarebytes;
  • On the left pane select Settings;
  • Select the Protection tab;
  • Scroll down to Scan Options and ensure 'Scan for Rootkits' is on; leave all other settings at their defaults.
  • Go back to the Dashboard and select the blue Scan Now tab;
  • When the scan completes, if potential threats are detected, make sure all the listed items are checked and click the Quarantine Selected button.
  • While still on the Scan tab, click the View Report button, and in the window that opens click the Export button, select Text file (*.txt), give it a name and save it to your Desktop.
  • The log can also be viewed by clicking the log to select it, then clicking the View Report button.
  • Please copy and paste the entire contents of the log in your next reply.


In your next reply please post the contents of the following logs:
Fixlog.txt
AdwCleaner clean log.
Malwarebytes log.

Please let me know in detail how the computer is running at this point.

Android 8888

Website: http://android8888.comlu.com
Tavira - Here's where I live!

Please read the Instructions for posting requested logs and the article "So how did I get infected in the first place?"

Our help is free, but if you wish to help keep these forums running please consider a donation; Please see This Topic for details.

#3 azuleno

Posted 30 November 2017 - 11:06 PM

Hi Android 8888:

Couldn't find in chrome://extensions the following:

Coupon Printer for Windows
Savings Button: Deals + Cash Back

So I continued with the instructions after that. Below are the logs for Fixlog + Malwarebytes. As hard as I tried, AdwCleaner was downloading like nothing I've seen before. It would seemingly download fine, but when opening it and starting to scan, the exe file and all would vanish (!?) from the folder where it had been downloaded. I tried downloading to multiple folders, since I kept getting an 'Insufficient Permissions' error over and over and could not download it, thus no log was obtained. I also struggled with Malwarebytes, but eventually got it going, so I did get a log.

BTW, I had to resort to starting the PC in Safe Mode since it seems like it may be getting worse. Microsoft Windows gets stuck often; it's harder to open even Notepad. It's hard to reboot, so typically I have to force a shutdown by switching off the PC. Here are the logs:

Fix result of Farbar Recovery Scan Tool (x64) Version: 30-11-2017
Ran by angeles (30-11-2017 16:15:52) Run:1
Running from C:\Users\angeles\Desktop
Loaded Profiles: angeles (Available Profiles: angeles & Guest)
Boot Mode: Normal
==============================================
 
fixlist content:
*****************
CreateRestorePoint:
CloseProcesses:
EmptyTemp:
(Coupons.com Inc.) C:\Program Files (x86)\Coupons\CouponPrinterService.exe
HKLM-x32\...\Run: [] => [X]
HKLM\SOFTWARE\Policies\Microsoft\Windows Defender: Restriction <==== ATTENTION
HKU\S-1-5-21-3876371430-4153257343-302851002-1000\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://www.google.com/ig/redirectdomain?brand=LENN&bmod=LENN
SearchScopes: HKLM -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = hxxp://www.bing.com/search?q={searchTerms}&form=LENDF8&pc=MALN&src=IE-SearchBox
SearchScopes: HKLM-x32 -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = hxxp://www.bing.com/search?q={searchTerms}&form=LENDF8&pc=MALN&src=IE-SearchBox
SearchScopes: HKU\S-1-5-21-3876371430-4153257343-302851002-1000 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = hxxp://www.bing.com/search?FORM=UP97DF&PC=UP97&q={searchTerms}&src=IE-SearchBox
SearchScopes: HKU\S-1-5-21-3876371430-4153257343-302851002-1000 -> 1F82560E7A284F3B9D81B2C56FB0F4D8 URL = hxxp://www.google.com/search?sourceid=ie7&q={searchTerms}&rls=com.microsoft:{language}:{referrer:source?}&ie={inputEncoding}&oe={outputEncoding}&rlz=1I7LENN_enUS498
SearchScopes: HKU\S-1-5-21-3876371430-4153257343-302851002-1000 -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = hxxp://www.bing.com/search?FORM=UP97DF&PC=UP97&q={searchTerms}&src=IE-SearchBox
SearchScopes: HKU\S-1-5-21-3876371430-4153257343-302851002-1000 -> {67A2568C-7A0A-4EED-AECC-B5405DE63B64} URL = hxxp://www.google.com/search?sourceid=ie7&q={searchTerms}&rls=com.microsoft:{language}:{referrer:source?}&ie={inputEncoding}&oe={outputEncoding}&rlz=1I7LENN_enUS498
FF SearchPlugin: C:\Users\angeles\AppData\Roaming\Mozilla\Firefox\Profiles\tqhyv03k.default\searchplugins\bingp.xml [2014-12-06]
FF Plugin: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin-x32: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin ProgramFiles/Appdata: C:\Program Files (x86)\mozilla firefox\browser\plugins\npMozCouponPrinter.dll [2014-10-01] (Coupons, Inc.)
CHR DefaultSearchURL: Default -> hxxp://www.bing.com/search?FORM=__PARAM__DF&PC=__PARAM__&q={searchTerms}
CHR DefaultSuggestURL: Default -> hxxp://www.bing.com/osjson.aspx?FORM=__PARAM__DF&PC=__PARAM__&query={searchTerms}
CHR HKU\S-1-5-21-3876371430-4153257343-302851002-1000\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [fcfenmboojpjinhpgggodefccipikbpd] - hxxps://clients2.google.com/service/update2/crx
CHR HKLM-x32\...\Chrome\Extension: [eofcbnmajmjmplflapaojjnihcjkigck] - hxxps://clients2.google.com/service/update2/crx
CHR HKLM-x32\...\Chrome\Extension: [gomekmidlodglbbmalcneegieacbdmki] - C:\Program Files\AVAST Software\Avast\WebRep\Chrome\aswWebRepChrome.crx <not found>
S2 0094031378412970mcinstcleanup; C:\Users\angeles\AppData\Local\Temp\009403~1.EXE [833616 2013-01-30] (McAfee, Inc.) <==== ATTENTION
R2 CouponPrinterService; C:\Program Files (x86)\Coupons\CouponPrinterService.exe [179184 2014-10-15] (Coupons.com Inc.)
S3 rpcapd; "%ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini" [X]
U3 BcmSqlStartupSvc; no ImagePath
U2 CLKMSVC10_3A60B698; no ImagePath
U2 CLKMSVC10_C3B3B687; no ImagePath
U2 DriverService; no ImagePath
U2 IAStorDataMgrSvc; no ImagePath
U2 iATAgentService; no ImagePath
U2 idealife Update Service; no ImagePath
U3 IGRS; no ImagePath
U2 IviRegMgr; no ImagePath
U2 nvUpdatusService; no ImagePath
U2 Oasis2Service; no ImagePath
U2 PCCarerService; no ImagePath
U2 ReadyComm.DirectRouter; no ImagePath
U2 RichVideo; no ImagePath
U2 RtLedService; no ImagePath
U2 SeaPort; no ImagePath
U2 SoftwareService; no ImagePath
U3 SQLWriter; no ImagePath
U2 Stereo Service; no ImagePath
2013-09-05 15:29 - 2013-01-30 14:24 - 000833616 _____ (McAfee, Inc.) C:\Users\angeles\AppData\Local\Temp\0094031378412970mcinst.exe
2014-05-12 06:55 - 2014-05-12 06:55 - 000037096 _____ (Conexant Systems Inc.) C:\Users\angeles\AppData\Local\Temp\cxtvrate.dll
2009-12-01 16:44 - 2009-12-01 16:44 - 000081408 _____ (eMPIA Technology, Inc.) C:\Users\angeles\AppData\Local\Temp\emmon.exe
2015-02-15 18:17 - 2015-02-15 18:17 - 000762000 _____ (Installer Application) C:\Users\angeles\AppData\Local\Temp\ICReinstall_hdyoutubedownloader_setup.exe
2013-09-05 16:35 - 2013-09-05 16:35 - 000999768 _____ (Solid State Networks) C:\Users\angeles\AppData\Local\Temp\install_reader11_en_mssa_aih.exe
2016-07-20 11:13 - 2016-07-20 11:13 - 000741440 _____ (Oracle Corporation) C:\Users\angeles\AppData\Local\Temp\jre-8u101-windows-au.exe
2015-03-18 18:45 - 2015-03-18 18:46 - 000561576 _____ (Oracle Corporation) C:\Users\angeles\AppData\Local\Temp\jre-8u40-windows-au.exe
2015-04-19 17:18 - 2015-04-19 17:18 - 000562088 _____ (Oracle Corporation) C:\Users\angeles\AppData\Local\Temp\jre-8u45-windows-au.exe
2015-07-15 11:13 - 2015-07-15 11:13 - 000563808 _____ (Oracle Corporation) C:\Users\angeles\AppData\Local\Temp\jre-8u51-windows-au.exe
2015-08-27 22:13 - 2015-08-27 22:13 - 000585824 _____ (Oracle Corporation) C:\Users\angeles\AppData\Local\Temp\jre-8u60-windows-au.exe
2016-02-05 18:05 - 2016-02-05 18:05 - 000736352 _____ (Oracle Corporation) C:\Users\angeles\AppData\Local\Temp\jre-8u73-windows-au.exe
2016-03-25 11:13 - 2016-03-25 11:13 - 000736320 _____ (Oracle Corporation) C:\Users\angeles\AppData\Local\Temp\jre-8u77-windows-au.exe
2016-04-20 11:13 - 2016-06-25 22:13 - 000739904 _____ (Oracle Corporation) C:\Users\angeles\AppData\Local\Temp\jre-8u91-windows-au.exe
2014-05-27 14:18 - 2014-05-28 11:43 - 033586888 ____N (Motorola Mobility) C:\Users\angeles\AppData\Local\Temp\MotoCast_Installer_2.0405.exe
2014-12-07 22:08 - 2014-12-07 22:08 - 001015320 _____ (NCH Software) C:\Users\angeles\AppData\Local\Temp\mpsetup.exe
2011-03-14 07:31 - 2011-03-14 07:31 - 000149352 ____R (Microsoft Corporation) C:\Users\angeles\AppData\Local\Temp\ose00000.exe
2014-11-02 10:00 - 2017-03-05 09:29 - 056756184 _____ (Skype Technologies S.A.) C:\Users\angeles\AppData\Local\Temp\SkypeSetup.exe
2015-02-13 21:47 - 2015-02-13 21:47 - 000008704 _____ (Microsoft Corporation) C:\Users\angeles\AppData\Local\Temp\SpOrder.dll
2006-05-22 13:10 - 2006-05-22 13:10 - 000455600 ____R (Macrovision Corporation) C:\Users\angeles\AppData\Local\Temp\_is5F69.exe
2006-10-28 19:10 - 2006-10-28 19:10 - 000455600 ____R (Macrovision Corporation) C:\Users\angeles\AppData\Local\Temp\_isE7DA.exe
2016-10-20 04:07 - 2016-10-20 04:07 - 044295032 _____ (Google Inc.) C:\Users\angeles\AppData\Local\Temp\{069E215A-3C5A-4D32-A4CA-CD5286D384ED}-54.0.2840.71_chrome_installer.exe
2017-06-23 01:56 - 2017-06-23 01:56 - 016115816 _____ (Google Inc.) C:\Users\angeles\AppData\Local\Temp\{13F7BABC-D8D9-4801-BB0D-870AC03856D0}-59.0.3071.115_58.0.3029.110_chrome_updater.exe
2015-11-17 16:56 - 2015-11-17 16:56 - 009654157 _____ () C:\Users\angeles\AppData\Local\Temp\{6BA2B92A-7B81-49F2-B80D-AC2C2CECD6B3}-46.0.2490.86_chrome_installer.exe
2017-07-22 17:49 - 2017-07-22 17:50 - 000739904 _____ (Oracle Corporation) C:\Users\Guest\AppData\Local\Temp\jre-8u141-windows-au.exe
2015-07-15 11:13 - 2015-07-15 11:13 - 000562272 _____ (Oracle Corporation) C:\Users\Guest\AppData\Local\Temp\jre-8u45-windows-au.exe
2016-02-05 18:05 - 2016-02-05 18:05 - 000644704 _____ (Oracle Corporation) C:\Users\Guest\AppData\Local\Temp\jre-8u71-windows-au.exe
2015-08-02 00:52 - 2015-08-02 00:52 - 000122880 _____ () C:\Users\Guest\AppData\Local\Temp\mp3el.exe
Best Buy pc app (HKLM\...\{FBBC4667-2521-4E78-B1BD-8706F774549B}) (Version: 3.2.0.0 - Best Buy) Hidden
Best Buy pc app (HKLM-x32\...\{FBBC4667-2521-4E78-B1BD-8706F774549B}) (Version: 3.2.0.0 - Best Buy) Hidden
CustomCLSID: HKU\S-1-5-21-3876371430-4153257343-302851002-1000_Classes\CLSID\{84B5A313-CD5D-4904-8BA2-AFDC81C1B309}\InprocServer32 -> C:\Users\angeles\AppData\Local\Citrix\GoToMeeting\5530\G2MOutlookAddin64.dll => No File
CMD: ipconfig /flushdns
EmptyTemp:
 
*****************
 
Restore point was successfully created.
Processes closed successfully.
C:\Program Files (x86)\Coupons\CouponPrinterService.exe => No running process found
HKLM\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\\ => value removed successfully
HKLM\SOFTWARE\Policies\Microsoft\Windows Defender => key removed successfully
HKU\S-1-5-21-3876371430-4153257343-302851002-1000\Software\Microsoft\Internet Explorer\Main\\Default_Page_URL => value restored successfully
HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A} => key removed successfully
HKLM\Software\Classes\CLSID\{0633EE93-D776-472f-A0FF-E1416B8B2E3A} => key not found
HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A} => key removed successfully
HKLM\Software\Wow6432Node\Classes\CLSID\{0633EE93-D776-472f-A0FF-E1416B8B2E3A} => key not found
HKU\S-1-5-21-3876371430-4153257343-302851002-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => value removed successfully
HKU\S-1-5-21-3876371430-4153257343-302851002-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\1F82560E7A284F3B9D81B2C56FB0F4D8 => key removed successfully
HKLM\Software\Classes\CLSID\1F82560E7A284F3B9D81B2C56FB0F4D8 => key not found
HKU\S-1-5-21-3876371430-4153257343-302851002-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A} => key removed successfully
HKLM\Software\Classes\CLSID\{0633EE93-D776-472f-A0FF-E1416B8B2E3A} => key not found
HKU\S-1-5-21-3876371430-4153257343-302851002-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{67A2568C-7A0A-4EED-AECC-B5405DE63B64} => key removed successfully
HKLM\Software\Classes\CLSID\{67A2568C-7A0A-4EED-AECC-B5405DE63B64} => key not found
"C:\Users\angeles\AppData\Roaming\Mozilla\Firefox\Profiles\tqhyv03k.default\searchplugins\bingp.xml" => not found.
HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE => key removed successfully
HKLM\Software\Wow6432Node\MozillaPlugins\@microsoft.com/GENUINE => key removed successfully
C:\Program Files (x86)\mozilla firefox\browser\plugins\npMozCouponPrinter.dll => moved successfully
Chrome DefaultSearchURL => removed successfully
Chrome DefaultSuggestURL => removed successfully
HKU\S-1-5-21-3876371430-4153257343-302851002-1000\SOFTWARE\Google\Chrome\Extensions\fcfenmboojpjinhpgggodefccipikbpd => key removed successfully
HKLM\SOFTWARE\Wow6432Node\Google\Chrome\Extensions\eofcbnmajmjmplflapaojjnihcjkigck => key removed successfully
HKLM\SOFTWARE\Wow6432Node\Google\Chrome\Extensions\gomekmidlodglbbmalcneegieacbdmki => key removed successfully
HKLM\System\CurrentControlSet\Services\0094031378412970mcinstcleanup => key removed successfully
0094031378412970mcinstcleanup => service removed successfully
CouponPrinterService => Service stopped successfully.
HKLM\System\CurrentControlSet\Services\CouponPrinterService => key removed successfully
CouponPrinterService => service removed successfully
HKLM\System\CurrentControlSet\Services\rpcapd => key removed successfully
rpcapd => service removed successfully
HKLM\System\CurrentControlSet\Services\BcmSqlStartupSvc => key removed successfully
BcmSqlStartupSvc => service removed successfully
HKLM\System\CurrentControlSet\Services\CLKMSVC10_3A60B698 => key removed successfully
CLKMSVC10_3A60B698 => service removed successfully
HKLM\System\CurrentControlSet\Services\CLKMSVC10_C3B3B687 => key removed successfully
CLKMSVC10_C3B3B687 => service removed successfully
HKLM\System\CurrentControlSet\Services\DriverService => key removed successfully
DriverService => service removed successfully
HKLM\System\CurrentControlSet\Services\IAStorDataMgrSvc => key removed successfully
IAStorDataMgrSvc => service removed successfully
HKLM\System\CurrentControlSet\Services\iATAgentService => key removed successfully
iATAgentService => service removed successfully
HKLM\System\CurrentControlSet\Services\idealife Update Service => key removed successfully
idealife Update Service => service removed successfully
HKLM\System\CurrentControlSet\Services\IGRS => key removed successfully
IGRS => service removed successfully
HKLM\System\CurrentControlSet\Services\IviRegMgr => key removed successfully
IviRegMgr => service removed successfully
HKLM\System\CurrentControlSet\Services\nvUpdatusService => key removed successfully
nvUpdatusService => service removed successfully
HKLM\System\CurrentControlSet\Services\Oasis2Service => key removed successfully
Oasis2Service => service removed successfully
HKLM\System\CurrentControlSet\Services\PCCarerService => key removed successfully
PCCarerService => service removed successfully
HKLM\System\CurrentControlSet\Services\ReadyComm.DirectRouter => key removed successfully
ReadyComm.DirectRouter => service removed successfully
HKLM\System\CurrentControlSet\Services\RichVideo => key removed successfully
RichVideo => service removed successfully
HKLM\System\CurrentControlSet\Services\RtLedService => key removed successfully
RtLedService => service removed successfully
HKLM\System\CurrentControlSet\Services\SeaPort => key removed successfully
SeaPort => service removed successfully
HKLM\System\CurrentControlSet\Services\SoftwareService => key removed successfully
SoftwareService => service removed successfully
HKLM\System\CurrentControlSet\Services\SQLWriter => key removed successfully
SQLWriter => service removed successfully
HKLM\System\CurrentControlSet\Services\Stereo Service => key removed successfully
Stereo Service => service removed successfully
C:\Users\angeles\AppData\Local\Temp\0094031378412970mcinst.exe => moved successfully
C:\Users\angeles\AppData\Local\Temp\cxtvrate.dll => moved successfully
C:\Users\angeles\AppData\Local\Temp\emmon.exe => moved successfully
C:\Users\angeles\AppData\Local\Temp\ICReinstall_hdyoutubedownloader_setup.exe => moved successfully
C:\Users\angeles\AppData\Local\Temp\install_reader11_en_mssa_aih.exe => moved successfully
C:\Users\angeles\AppData\Local\Temp\jre-8u101-windows-au.exe => moved successfully
C:\Users\angeles\AppData\Local\Temp\jre-8u40-windows-au.exe => moved successfully
C:\Users\angeles\AppData\Local\Temp\jre-8u45-windows-au.exe => moved successfully
C:\Users\angeles\AppData\Local\Temp\jre-8u51-windows-au.exe => moved successfully
C:\Users\angeles\AppData\Local\Temp\jre-8u60-windows-au.exe => moved successfully
C:\Users\angeles\AppData\Local\Temp\jre-8u73-windows-au.exe => moved successfully
C:\Users\angeles\AppData\Local\Temp\jre-8u77-windows-au.exe => moved successfully
C:\Users\angeles\AppData\Local\Temp\jre-8u91-windows-au.exe => moved successfully
C:\Users\angeles\AppData\Local\Temp\MotoCast_Installer_2.0405.exe => moved successfully
C:\Users\angeles\AppData\Local\Temp\mpsetup.exe => moved successfully
C:\Users\angeles\AppData\Local\Temp\ose00000.exe => moved successfully
C:\Users\angeles\AppData\Local\Temp\SkypeSetup.exe => moved successfully
C:\Users\angeles\AppData\Local\Temp\SpOrder.dll => moved successfully
C:\Users\angeles\AppData\Local\Temp\_is5F69.exe => moved successfully
C:\Users\angeles\AppData\Local\Temp\_isE7DA.exe => moved successfully
C:\Users\angeles\AppData\Local\Temp\{069E215A-3C5A-4D32-A4CA-CD5286D384ED}-54.0.2840.71_chrome_installer.exe => moved successfully
C:\Users\angeles\AppData\Local\Temp\{13F7BABC-D8D9-4801-BB0D-870AC03856D0}-59.0.3071.115_58.0.3029.110_chrome_updater.exe => moved successfully
C:\Users\angeles\AppData\Local\Temp\{6BA2B92A-7B81-49F2-B80D-AC2C2CECD6B3}-46.0.2490.86_chrome_installer.exe => moved successfully
C:\Users\Guest\AppData\Local\Temp\jre-8u141-windows-au.exe => moved successfully
C:\Users\Guest\AppData\Local\Temp\jre-8u45-windows-au.exe => moved successfully
C:\Users\Guest\AppData\Local\Temp\jre-8u71-windows-au.exe => moved successfully
C:\Users\Guest\AppData\Local\Temp\mp3el.exe => moved successfully
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{FBBC4667-2521-4E78-B1BD-8706F774549B}\\SystemComponent => value removed successfully
HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{FBBC4667-2521-4E78-B1BD-8706F774549B}\\SystemComponent => value removed successfully
HKU\S-1-5-21-3876371430-4153257343-302851002-1000_Classes\CLSID\{84B5A313-CD5D-4904-8BA2-AFDC81C1B309} => key removed successfully
 
========= ipconfig /flushdns =========
 
 
Windows IP Configuration
 
Successfully flushed the DNS Resolver Cache.
 
========= End of CMD: =========
 
 
=========== EmptyTemp: ==========
 
BITS transfer queue => 8388608 B
DOMStore, IE Recovery, AppCache, Feeds Cache, Thumbcache, IconCache => 508859584 B
Java, Flash, Steam htmlcache => 46977 B
Windows/system/drivers => 35167767220 B
Edge => 0 B
Chrome => 890509763 B
Firefox => 3512339 B
Opera => 0 B
 
Temp, IE cache, history, cookies, recent:
Users => 0 B
Default => 0 B
Public => 0 B
ProgramData => 0 B
systemprofile => 127878 B
systemprofile32 => 66228 B
LocalService => 140076 B
NetworkService => 651154 B
angeles => 1294146477 B
Guest => 7617180 B
 
RecycleBin => 3427314 B
EmptyTemp: => 35.3 GB temporary data Removed.
 
================================
 
 
The system needed a reboot.
 
==== End of Fixlog 16:23:47 ====
 
Malwarebytes
www.malwarebytes.com
 
-Log Details-
Scan Date: 11/30/17
Scan Time: 7:24 PM
Log File: 10557ffa-d62e-11e7-bbba-f0def1ef5697.json
Administrator: Yes
 
-Software Information-
Version: 3.3.1.2183
Components Version: 1.0.236
Update Package Version: 1.0.3385
License: Trial
 
-System Information-
OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: angeles-PC\angeles
 
-Scan Summary-
Scan Type: Threat Scan
Result: Completed
Objects Scanned: 390248
Threats Detected: 2
Threats Quarantined: 2
Time Elapsed: 50 min, 56 sec
 
-Scan Options-
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Detect
PUM: Detect
 
-Scan Details-
Process: 0
(No malicious items detected)
 
Module: 0
(No malicious items detected)
 
Registry Key: 0
(No malicious items detected)
 
Registry Value: 0
(No malicious items detected)
 
Registry Data: 0
(No malicious items detected)
 
Data Stream: 0
(No malicious items detected)
 
Folder: 0
(No malicious items detected)
 
File: 2
PUP.Optional.Bundler, C:\USERS\ANGELES\DESKTOP\FOTOS\1989 9 SEPTIEMBRE 2DWNLOADS\DOWNLOADS\FREEYOUTUBEDOWNLOADERTR.EXE, Delete-on-Reboot, [146], [88469],1.0.3385
PUP.Optional.BundleInstaller.OI, C:\USERS\ANGELES\DESKTOP\FOTOS\1989 9 SEPTIEMBRE 2DWNLOADS\DOWNLOADS\MPLAYER_SETUP.EXE, Delete-on-Reboot, [7084], [85975],1.0.3385
 
Physical Sector: 0
(No malicious items detected)
 
 
(end)

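An added example, not code from the thread or from FRST's author: a small Python triage script that parses the two FRST line shapes that appear in this exchange, the fixlist/scan entries Android 8888 posted (services registered with "no ImagePath", entries FRST tags "<==== ATTENTION", binaries FRST marks "[X]" as missing) and the Fixlog verdicts azuleno pasted above. The sample lines are copied from those two logs; the regular expressions, the verdict names and the Service fields are this example's own reading of FRST's output format, not an official specification.

```python
import re
from collections import Counter
from dataclasses import dataclass

ATTENTION = "<==== ATTENTION"  # marker FRST appends to entries it wants a human to look at
MISSING = "[X]"                # FRST suffix meaning the referenced file does not exist

# Service/driver entry "S2 name; image [size date] (Vendor)": assumed layout, read off the thread.
SERVICE_RE = re.compile(r"^([RSU])(\d) ([^;]+); (.*)$")
RESULT_RE = re.compile(r"^(.*?) => (.*)$")  # Fixlog verdict "<target> => <outcome>"

@dataclass
class Service:
    name: str
    image: str
    orphaned: bool      # "no ImagePath": a registration with nothing to launch
    missing_file: bool  # image path set, but FRST reports the binary absent
    flagged: bool       # FRST itself marked the entry with <==== ATTENTION

def parse_services(lines):
    """Return every service/driver entry found in FRST scan or fixlist lines."""
    found = []
    for raw in lines:
        m = SERVICE_RE.match(raw.strip())
        if not m:
            continue
        _state, _start_type, name, rest = m.groups()
        detail = rest.replace(ATTENTION, "").strip()
        found.append(Service(
            name=name.strip(),
            image=detail,
            orphaned=detail.startswith("no ImagePath"),
            missing_file=detail.endswith(MISSING),
            flagged=ATTENTION in rest,
        ))
    return found

def attention_items(lines):
    """Every line FRST flagged, service or not (the Defender policy key is one)."""
    return [ln.replace(ATTENTION, "").strip() for ln in lines if ATTENTION in ln]

def summarize_fixlog(lines):
    """Bucket Fixlog '=>' verdicts; also return targets FRST could not act on (re-check next scan)."""
    counts = Counter()
    leftovers = []
    for raw in lines:
        m = RESULT_RE.match(raw.strip())
        if not m:
            continue
        target, outcome = m.groups()
        outcome = outcome.rstrip(".").lower()
        verdict = "other"
        if "no running process" in outcome:
            verdict = "not_running"            # nothing live to kill; not an error
        elif "not found" in outcome:
            verdict = "not_found"
            leftovers.append(target.strip('"'))
        elif outcome.endswith("stopped successfully"):
            verdict = "stopped"
        elif outcome.endswith("successfully"):
            verdict = "done"                   # removed / moved / restored
        counts[verdict] += 1
    return counts, leftovers

def triage(fixlist_text, fixlog_text):
    """One report from both logs: what a helper reads before writing the next fixlist."""
    services = parse_services(fixlist_text.splitlines())
    counts, leftovers = summarize_fixlog(fixlog_text.splitlines())
    return {
        "flagged": attention_items(fixlist_text.splitlines()),
        "orphaned_services": [s.name for s in services if s.orphaned],
        "missing_file_services": [s.name for s in services if s.missing_file],
        "fix_verdicts": dict(counts),
        "not_found": leftovers,
    }

# Sample input: lines copied from the fixlist and Fixlog posted in this thread.
FIXLIST_SAMPLE = r"""
HKLM\SOFTWARE\Policies\Microsoft\Windows Defender: Restriction <==== ATTENTION
S2 0094031378412970mcinstcleanup; C:\Users\angeles\AppData\Local\Temp\009403~1.EXE [833616 2013-01-30] (McAfee, Inc.) <==== ATTENTION
R2 CouponPrinterService; C:\Program Files (x86)\Coupons\CouponPrinterService.exe [179184 2014-10-15] (Coupons.com Inc.)
S3 rpcapd; "%ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini" [X]
U3 BcmSqlStartupSvc; no ImagePath
"""

FIXLOG_SAMPLE = r"""
C:\Program Files (x86)\Coupons\CouponPrinterService.exe => No running process found
HKLM\SOFTWARE\Policies\Microsoft\Windows Defender => key removed successfully
HKLM\Software\Classes\CLSID\{0633EE93-D776-472f-A0FF-E1416B8B2E3A} => key not found
"C:\Users\angeles\AppData\Roaming\Mozilla\Firefox\Profiles\tqhyv03k.default\searchplugins\bingp.xml" => not found.
CouponPrinterService => Service stopped successfully.
HKLM\System\CurrentControlSet\Services\rpcapd => key removed successfully
C:\Users\angeles\AppData\Local\Temp\emmon.exe => moved successfully
HKU\S-1-5-21-3876371430-4153257343-302851002-1000\Software\Microsoft\Internet Explorer\Main\\Default_Page_URL => value restored successfully
"""

if __name__ == "__main__":
    print(triage(FIXLIST_SAMPLE, FIXLOG_SAMPLE))
```

Run as a script it prints one dictionary. On the thread's own logs the "flagged" list surfaces the Windows Defender policy restriction FRST marked for attention, "missing_file_services" catches the rpcapd entry whose WinPcap binary is gone, and "not_found" lists the two targets FRST could not act on (the CLSID key and the Firefox search plugin, both already absent), which is what a helper re-checks in the next scan rather than treating as a failure.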

#4 azuleno

Posted 01 December 2017 - 07:54 AM

One more piece of important information. Since I was unable to do much with the 'sick' PC, I transferred the logs from the 'sick' PC (in Safe Mode, otherwise nothing was working), and sent them using another PC. 



#5 azuleno

Posted 01 December 2017 - 01:49 PM

In yet another twist of events, I found that even in Safe Mode, none of the MS Office applications (Word, Excel, PowerPoint) work. The file opens, then an MS Office license box pops up briefly and soon thereafter an error box saying "Microsoft Office cannot verify the license for this application. A repair attempt failed or was cancelled by the user. The application will now shut down."

I noticed that the preview feature does show the file (I assume it is only a 'viewer', so why not). I copied some of these files to a USB drive and they are readable and editable on a good PC.

**Latest!** I tried to open a Notepad file on the malfunctioning PC. I let it do its thing, spinning its wheels for who knows how long, like half an hour. I just saw that the Notepad file finally opened a few seconds ago. I will try the same with MS Office files. I will keep you updated. More of this unusually slow behaviour may be trickling your way in the next few hours.

Thanks!


#6 azuleno

Posted 01 December 2017 - 03:48 PM

Hi Android 8888, one more finding. I restarted in regular mode (not Safe Mode) and, as I mentioned above, Notepad opened after a looong time. So I decided to open an Excel file, to find, after another very long time, that I got a 'Microsoft Office Activation Wizard' window for 'Microsoft Office Home and Student 2010 - Activation Wizard'. The message 'Thank you for installing MS Office Home & Student 2010. Activation is required ...' bugs me. We purchased this software a long time ago. The options given are to activate the software over the internet (recommended, of course) or by telephone. As I mentioned above, I can no longer connect to the internet, so I am using a separate PC to communicate with you. So, that is the latest :-(    Have we done some irreversible damage to MS Office? I was able to open Excel and connect to the internet just a couple of days ago, when this whole fixing process was started. Your thoughts are appreciated.



#7 azuleno

Posted 01 December 2017 - 03:50 PM

Hmmmm, just for kicks I tried the activation via phone, only to get a message saying that Telephone Activation is no longer supported for the MS Office on this PC. I got the installation ID, so I will copy it for what it is worth.



#8 azuleno

Posted 01 December 2017 - 05:12 PM

Android 8888, well... things are looking better all of a sudden! Monkeying around, I tried to test the MS Office activation via the internet, and somehow it approved the authentication -- just like that, since I didn't have an internet connection at that moment. I kept trying to open documents (Notepad, Word, etc.). An hour ago things were still bleak and slow... and things are getting better, opening faster. Hopefully for good. I am going to restart and see if things hold.



#9 azuleno

Posted 02 December 2017 - 12:44 PM

Android 8888, bear with me. As of today, Sat Dec 2, 2017, 1:40pm ET, the PC is sort of the same as before, BUT I was able to download and scan with AdwCleaner. Maybe things got out of sequence, but I am attaching the logs I got from AdwCleaner. Please advise on the best steps based on the current status of the system. Just to give you a sense of how things are, saving files takes between 10 and 15 minutes to 'prepare' the system and give you the Save option. Never mind if you want to change to another folder to save the file; that will add another 5 to 10 minutes. With that said, I hope you have a good day :-) , and here are the logs:

# AdwCleaner 7.0.5.0 - Logfile created on Sat Dec 02 16:19:15 2017
# Updated on 2017/29/11 by Malwarebytes 
# Running on Windows 7 Home Premium (X64)
# Mode: clean
 
***** [ Services ] *****
 
No malicious services deleted.
 
***** [ Folders ] *****
 
Deleted: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Coupons
Deleted: C:\Program Files (x86)\Coupons
Deleted: C:\ProgramData\Partner
Deleted: C:\ProgramData\Application Data\Partner
Deleted: C:\Users\All Users\Partner
 
 
***** [ Files ] *****
 
Deleted: C:\Users\angeles\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Free YouTube Downloader.lnk
 
 
***** [ DLL ] *****
 
No malicious DLLs cleaned.
 
***** [ WMI ] *****
 
No malicious WMI cleaned.
 
***** [ Shortcuts ] *****
 
No malicious shortcuts cleaned.
 
***** [ Tasks ] *****
 
No malicious tasks deleted.
 
***** [ Registry ] *****
 
Deleted: [Key] - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Coupon Printer for Windows5.0.1.3
Deleted: [Key] - HKLM\SOFTWARE\Classes\Interface\{3AE76A17-C344-4A83-81CE-65EFEE41E42D}
Deleted: [Key] - HKLM\SOFTWARE\Classes\Interface\{4E9EB4D5-C929-4005-AC62-1856B1DA5A24}
Deleted: [Key] - HKLM\SOFTWARE\Classes\Interface\{8FAF962C-3EDE-405E-B1D0-62B8235C6044}
 
 
***** [ Firefox (and derivatives) ] *****
 
No malicious Firefox entries deleted.
 
***** [ Chromium (and derivatives) ] *****
 
No malicious Chromium entries deleted.
 
*************************
 
::Tracing keys deleted
::Winsock settings cleared
::Additional Actions: 0
 
 
 
*************************
 
C:/AdwCleaner/AdwCleaner[S0].txt - [1738 B] - [2017/12/2 16:18:14]
 
 
########## EOF - C:\AdwCleaner\AdwCleaner[C0].txt ##########
 
 
# AdwCleaner 7.0.5.0 - Logfile created on Sat Dec 02 16:18:14 2017
# Updated on 2017/29/11 by Malwarebytes 
# Database: 11-29-2017.1
# Running on Windows 7 Home Premium (X64)
# Mode: scan
 
***** [ Services ] *****
 
No malicious services found.
 
***** [ Folders ] *****
 
PUP.Optional.Spigot.Generic, C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Coupons
PUP.Optional.Spigot.Generic, C:\Program Files (x86)\Coupons
Adware.LoadMoney, C:\ProgramData\Partner
Adware.LoadMoney, C:\ProgramData\Application Data\Partner
Adware.LoadMoney, C:\Users\All Users\Partner
 
 
***** [ Files ] *****
 
PUP.Optional.BestYouTubeDownloader, C:\Users\angeles\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Free YouTube Downloader.lnk
 
 
***** [ DLL ] *****
 
No malicious DLLs found.
 
***** [ WMI ] *****
 
No malicious WMI found.
 
***** [ Shortcuts ] *****
 
No malicious shortcuts found.
 
***** [ Tasks ] *****
 
No malicious tasks found.
 
***** [ Registry ] *****
 
PUP.Optional.Legacy, [Key] - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Coupon Printer for Windows5.0.1.3
PUP.Optional.WebWatcher, [Key] - HKLM\SOFTWARE\Classes\Interface\{3AE76A17-C344-4A83-81CE-65EFEE41E42D}
PUP.Optional.WebWatcher, [Key] - HKLM\SOFTWARE\Classes\Interface\{4E9EB4D5-C929-4005-AC62-1856B1DA5A24}
PUP.Optional.WebWatcher, [Key] - HKLM\SOFTWARE\Classes\Interface\{8FAF962C-3EDE-405E-B1D0-62B8235C6044}
 
 
***** [ Firefox (and derivatives) ] *****
 
No malicious Firefox entries.
 
***** [ Chromium (and derivatives) ] *****
 
No malicious Chromium entries.
 
*************************
 
 
 
########## EOF - C:\AdwCleaner\AdwCleaner[S0].txt ##########


#10 Android 8888

    SWI Malware Tracker

  • Trusted Advisor*
  • 1,038 posts

Posted 03 December 2017 - 05:17 PM

Hello azuleno.
 

Couldn't find in chrome://extensions the following:
 

Coupon Printer for Windows
Savings Button: Deals + Cash Back


These are not Chrome Extensions but installed applications. Sorry, it was my mistake.
Please remove them (if present) through Start > Control Panel > Programs and Features

 

 

Please download RogueKiller_portable64.exe by Tigzy and save it to your computer Desktop.

  • Now close all programs and Internet browsers and disconnect any USB or external drives from the computer before you run this scan!
  • Right-click on the file RogueKiller_portable64.exe and select Run as administrator to start the tool.
  • Click Yes to accept the User Account Control security warning that may appear.
  • Once the tool is open, click the 'Scan' tab menu and then click the Start Scan button.
  • Wait until the scan has finished. Note: This scan may take some time to complete;
  • Warning: Do NOT remove any entry it found. They are not all bad and need to be carefully analyzed.
  • Once finished, the results will be displayed. Click on the Open Report button. It will open a new window.
  • Click Export TXT to export the report as a text file, give a name to the file such as RKlog.txt and save it to your computer Desktop.
  • Close RogueKiller.

Please copy and paste the contents of RKlog.txt to your next reply.

Android 8888


Android 8888
 
Website: http://android8888.comlu.com
 
Tavira - Here's where I live!
 
Please read the Instructions for posting requested logs and the article "So how did I get infected in the first place?"
 
Our help is free, but if you wish to help keep these forums running please consider a donation; Please see This Topic for details.

#11 azuleno

    Advanced Member

  • Full Member
  • 219 posts

Posted 04 December 2017 - 04:17 PM

Hi Android 8888,

 

The Coupon Printer for Windows and Savings Button: Deals + Cash Back were not there. 

 

Hard booting (as bad as it may be) seems to be right now the only way to get the PC going. If off, then turning on; or from hibernation, it hangs up and doesn't do much for a long time. Even hard booting took about 6-8 minutes before I was able to open Chrome. I guess it might be the old Windows 7 (?)

 

Here is the RKlog:

 

RogueKiller V12.11.27.0 (x64) [Dec  4 2017] (Free) by Adlice Software
 
Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User : angeles [Administrator]
Started from : C:\Users\angeles\Desktop\RogueKiller_portable64.exe
Mode : Scan -- Date : 12/04/2017 12:12:26 (Duration : 00:48:02)
 
¤¤¤ Processes : 0 ¤¤¤
 
¤¤¤ Registry : 12 ¤¤¤
[PUP.Coupons|PUP.Gen0|VT.Detected] (X64) HKEY_CLASSES_ROOT\CLSID\{1A53AD8B-D0B9-4E7F-88E4-50C07A65F2DC} (C:\windows\COUPON~2.OCX) -> Found
[PUP.Coupons|PUP.Gen0|VT.Detected] (X64) HKEY_CLASSES_ROOT\CLSID\{A85A5E6A-DE2C-4F4E-99DC-F469DF5A0EEC} (C:\windows\COUPON~2.OCX) -> Found
[PUP.BestBuy] (X64) HKEY_LOCAL_MACHINE\Software\Best Buy -> Found
[PUP.BestBuy] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\Best Buy pc app -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters | DhcpNameServer : 10.0.1.1 ([])  -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{A3ADE3C5-E878-4AE2-87ED-79F75B8C1A53} | DhcpNameServer : 10.0.1.1 ([])  -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{E02990FE-281F-45B5-8531-874E32735C34} | DhcpNameServer : 10.128.128.128 ([])  -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Tcpip\Parameters\Interfaces\{E02990FE-281F-45B5-8531-874E32735C34} | DhcpNameServer : 10.128.128.128 ([])  -> Found
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {3B49C880-4AAC-4AF8-84E3-8C569646D8C4} : v2.10|Action=Allow|Active=TRUE|Dir=Out|App=C:\Users\angeles\AppData\Local\Temp\nsr4A6D.tmp\CnetInstaller-75795949.exe|Name=proinstaller573048236| [x] -> Found
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {73B5BC33-5960-44E4-888A-620DC155E7D6} : v2.10|Action=Allow|Active=TRUE|Dir=In|App=C:\Users\angeles\AppData\Local\Temp\nsr4A6D.tmp\CnetInstaller-75795949.exe|Name=proinstaller573048236| [x] -> Found
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {3B49C880-4AAC-4AF8-84E3-8C569646D8C4} : v2.10|Action=Allow|Active=TRUE|Dir=Out|App=C:\Users\angeles\AppData\Local\Temp\nsr4A6D.tmp\CnetInstaller-75795949.exe|Name=proinstaller573048236| [x] -> Found
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {73B5BC33-5960-44E4-888A-620DC155E7D6} : v2.10|Action=Allow|Active=TRUE|Dir=In|App=C:\Users\angeles\AppData\Local\Temp\nsr4A6D.tmp\CnetInstaller-75795949.exe|Name=proinstaller573048236| [x] -> Found
 
¤¤¤ Tasks : 0 ¤¤¤
 
¤¤¤ Files : 6 ¤¤¤
[PUP.BestBuy|PUP.Gen0][Folder] C:\ProgramData\Best Buy pc app -> Found
[PUP.BestBuy|PUP.Gen0][Folder] C:\Users\angeles\AppData\Local\Best Buy pc app -> Found
[PUP.Gen1][Folder] C:\Users\angeles\AppData\Local\Free YouTube Downloader -> Found
[PUP.BestBuy|PUP.Gen0][Folder] C:\ProgramData\Best Buy pc app -> Found
[PUP.Gen1][Folder] C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Free YouTube Downloader -> Found
[PUP.Gen1][Folder] C:\Program Files (x86)\Free YouTube Downloader -> Found
 
¤¤¤ WMI : 0 ¤¤¤
 
¤¤¤ Hosts File : 0 ¤¤¤
 
¤¤¤ Antirootkit : 0 (Driver: Loaded) ¤¤¤
 
¤¤¤ Web browsers : 0 ¤¤¤
 
¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: ST320LT020-9YG142 +++++
--- User ---
[MBR] f0574b2dd9202124b648317c799f8dfe
[BSP] f95b97c3f18f2b593a4bf9c2f2f2d0e4 : Windows Vista/7/8 MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 2048 | Size: 200 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
1 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 411648 | Size: 260243 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
2 - [XXXXXX] EXTEN-LBA (0xf) [VISIBLE] Offset (sectors): 533389312 | Size: 29692 MB
3 - [XXXXXX] COMPAQ (0x12) [VISIBLE] Offset (sectors): 594198528 | Size: 15109 MB
User = LL1 ... OK
User = LL2 ... OK


#12 Android 8888

    SWI Malware Tracker

  • Trusted Advisor*
  • 1,038 posts

Posted 04 December 2017 - 07:12 PM

Hi azuleno.

We are not finished yet.

RogueKiller found several entries that need to be removed. Please remove them as follows:

  • Re-run RogueKiller and perform a new scan;
  • Once finished, the results will be displayed;
  • Check-mark ONLY the following entries, and click on the Remove Selected button:

    the following entries in Registry:
    [PUP.Coupons|PUP.Gen0|VT.Detected] (X64) HKEY_CLASSES_ROOT\CLSID\{1A53AD8B-D0B9-4E7F-88E4-50C07A65F2DC} (C:\windows\COUPON~2.OCX) -> Found
    [PUP.Coupons|PUP.Gen0|VT.Detected] (X64) HKEY_CLASSES_ROOT\CLSID\{A85A5E6A-DE2C-4F4E-99DC-F469DF5A0EEC} (C:\windows\COUPON~2.OCX) -> Found
    [PUP.BestBuy] (X64) HKEY_LOCAL_MACHINE\Software\Best Buy -> Found
    [PUP.BestBuy] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\Best Buy pc app -> Found
    [Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {3B49C880-4AAC-4AF8-84E3-8C569646D8C4} : v2.10|Action=Allow|Active=TRUE|Dir=Out|App=C:\Users\angeles\AppData\Local\Temp\nsr4A6D.tmp\CnetInstaller-75795949.exe|Name=proinstaller573048236| [x] -> Found
    [Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {73B5BC33-5960-44E4-888A-620DC155E7D6} : v2.10|Action=Allow|Active=TRUE|Dir=In|App=C:\Users\angeles\AppData\Local\Temp\nsr4A6D.tmp\CnetInstaller-75795949.exe|Name=proinstaller573048236| [x] -> Found
    [Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {3B49C880-4AAC-4AF8-84E3-8C569646D8C4} : v2.10|Action=Allow|Active=TRUE|Dir=Out|App=C:\Users\angeles\AppData\Local\Temp\nsr4A6D.tmp\CnetInstaller-75795949.exe|Name=proinstaller573048236| [x] -> Found
    [Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {73B5BC33-5960-44E4-888A-620DC155E7D6} : v2.10|Action=Allow|Active=TRUE|Dir=In|App=C:\Users\angeles\AppData\Local\Temp\nsr4A6D.tmp\CnetInstaller-75795949.exe|Name=proinstaller573048236| [x] -> Found

    the following entries in Files:
    [PUP.BestBuy|PUP.Gen0][Folder] C:\ProgramData\Best Buy pc app -> Found
    [PUP.BestBuy|PUP.Gen0][Folder] C:\Users\angeles\AppData\Local\Best Buy pc app -> Found
    [PUP.Gen1][Folder] C:\Users\angeles\AppData\Local\Free YouTube Downloader -> Found
    [PUP.BestBuy|PUP.Gen0][Folder] C:\ProgramData\Best Buy pc app -> Found
    [PUP.Gen1][Folder] C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Free YouTube Downloader -> Found
    [PUP.Gen1][Folder] C:\Program Files (x86)\Free YouTube Downloader -> Found
     
  • Click on the Open Report button; It will open a new window.
  • Click Export TXT to export the report as a text file, give a name to the file such as RKlog.txt and save it to your computer Desktop.

Close RogueKiller.

Please copy and paste the contents of RKlog.txt to your next reply.

 

Next,

Please download Zemana Antimalware and save it to your Desktop.
 

  • Right-click on the icon and select Run as administrator to install the program.
  • Click Yes to accept the UAC security warning that may appear.
  • Select the language and click the OK button.
  • Click the Next button, accept the EULA warning and follow the instructions to continue and install the program.
  • Once the installation is complete it will start automatically. Wait a few seconds until the update of signature database is complete.
  • Without changing any options, click Scan to begin.
  • After the short scan is finished, if threats are detected click Next to remove them.
    Note: If restart is required to finish the cleaning process, you should click Reboot. If reboot isn't required, please re-boot your computer manually.
  • Click on the Back button.
  • On the top right corner click on Reports icon (the one with three bars) and double click on the latest report.
  • Now click File > Save As, then choose your computer's Desktop and click the Save button.

Please copy and paste the contents of the saved report in your next reply.

To summarize please post the contents of the following logs for my review:
RKlog.txt
Zemana log.

Thank you.

Android 8888



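An added example (not part of this thread and not RogueKiller's own code): a small Python parser for the RogueKiller report format posted above that applies the same triage the reply makes, selecting PUP.* hits and the Suspicious.Path firewall rules for an installer under %TEMP%, while leaving PUM.Dns entries whose DhcpNameServer is a private address unselected. The sample lines are copied from the posted scan report; the private-address and %TEMP% rules are this example's assumptions about the reasoning, not RogueKiller's logic.

```python
"""Added example: triage a RogueKiller scan report the way the reply above does.

PUP.* hits and Suspicious.Path firewall rules for an installer under %TEMP%
are selected for removal; PUM.Dns entries whose DhcpNameServer is a private
(RFC 1918) address are left unselected, because a home router handing out
its own address over DHCP is expected, not a DNS hijack.  The rules here are
this example's assumptions, not RogueKiller's own logic.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample input: lines copied from the scan report posted in this thread.
SAMPLE_REPORT = r"""RogueKiller V12.11.27.0 (x64) [Dec  4 2017] (Free) by Adlice Software

¤¤¤ Registry : 12 ¤¤¤
[PUP.Coupons|PUP.Gen0|VT.Detected] (X64) HKEY_CLASSES_ROOT\CLSID\{1A53AD8B-D0B9-4E7F-88E4-50C07A65F2DC} (C:\windows\COUPON~2.OCX) -> Found
[PUP.BestBuy] (X64) HKEY_LOCAL_MACHINE\Software\Best Buy -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters | DhcpNameServer : 10.0.1.1 ([])  -> Found
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {3B49C880-4AAC-4AF8-84E3-8C569646D8C4} : v2.10|Action=Allow|Active=TRUE|Dir=Out|App=C:\Users\angeles\AppData\Local\Temp\nsr4A6D.tmp\CnetInstaller-75795949.exe|Name=proinstaller573048236| [x] -> Found

¤¤¤ Files : 6 ¤¤¤
[PUP.BestBuy|PUP.Gen0][Folder] C:\ProgramData\Best Buy pc app -> Found
[PUP.Gen1][Folder] C:\Program Files (x86)\Free YouTube Downloader -> Found
"""

SECTION_RE = re.compile(r"^¤¤¤ (?P<name>[^:]+?) :.*¤¤¤$")
ENTRY_RE = re.compile(
    r"^\[(?P<tags>[^\]]+)\]"            # [PUP.BestBuy|PUP.Gen0]
    r"(?:\[(?P<kind>File|Folder)\])?"   # [File] / [Folder] in the Files section
    r"(?: \((?P<arch>X64|X86)\))?"      # (X64) / (X86) on registry hits
    r" (?P<target>.+?) -> (?P<status>.+)$"
)
DNS_RE = re.compile(r"DhcpNameServer : (?P<ip>[0-9.]+)")
APP_RE = re.compile(r"\|App=(?P<app>[^|]+)\|")
TEMP_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)


@dataclass
class Entry:
    section: str
    tags: List[str]
    kind: Optional[str]        # "File"/"Folder" for Files-section hits
    arch: Optional[str]        # "X64"/"X86" for registry hits
    target: str
    status: str                # Found / Deleted / Not selected / ...
    verdict: str = "review"    # remove | keep | review
    reason: str = ""


def triage(entry: Entry) -> None:
    """Assign a verdict using the assumptions stated in the module docstring."""
    if "PUM.Dns" in entry.tags:
        m = DNS_RE.search(entry.target)
        if m and ipaddress.ip_address(m.group("ip")).is_private:
            entry.verdict = "keep"
            entry.reason = f"DHCP nameserver {m.group('ip')} is a private address"
        else:
            entry.reason = "public DHCP nameserver; confirm it belongs to the ISP"
    elif "Suspicious.Path" in entry.tags:
        m = APP_RE.search(entry.target)
        if m and TEMP_RE.search(m.group("app")):
            entry.verdict = "remove"
            entry.reason = "firewall allow rule for an installer run from %TEMP%"
        else:
            entry.reason = "firewall rule with unusual path; verify the program"
    elif any(t.startswith("PUP.") for t in entry.tags):
        entry.verdict = "remove"
        entry.reason = "potentially unwanted program"
    else:
        entry.reason = "no rule matched; needs a human look"


def parse_report(text: str) -> List[Entry]:
    """Parse hit lines from a RogueKiller report and triage each one."""
    entries: List[Entry] = []
    section = ""
    for raw in text.splitlines():
        line = raw.strip()
        sec = SECTION_RE.match(line)
        if sec:
            section = sec.group("name").strip()
            continue
        m = ENTRY_RE.match(line)
        if not m:
            continue  # banner, blank line, MBR block, etc.
        entry = Entry(
            section=section,
            tags=m.group("tags").split("|"),
            kind=m.group("kind"),
            arch=m.group("arch"),
            target=m.group("target").strip(),
            status=m.group("status").strip(),
        )
        triage(entry)
        entries.append(entry)
    return entries


def removal_selection(entries: List[Entry]) -> List[str]:
    """Targets to check-mark in RogueKiller's results; everything else stays unselected."""
    return [e.target for e in entries if e.verdict == "remove"]


if __name__ == "__main__":
    for e in parse_report(SAMPLE_REPORT):
        print(f"{e.verdict:6} [{e.section}] {'|'.join(e.tags)}: {e.reason}")
```

Paste a full report into `SAMPLE_REPORT` (or read it from the exported RKlog.txt) and the `review` verdicts mark the entries that still need a human decision.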
#13 azuleno

    Advanced Member

  • Full Member
  • 219 posts

Posted 05 December 2017 - 08:54 PM

Android 8888,

 

Here are the reports. I have to admit that I struggled immensely to get them to work, and BTW, I did the RogueKiller scan in Safe Mode because for what seemed to be dozens of attempts in Normal Mode, RK wasn't working. It also took me many attempts to install Zemana (it would only work in Normal Mode). I don't know if the instructions' last three (or four?) steps may be out of sync a bit, but because of the sequence of events, this is what I had to do:

 

After the Zemana scan, one malicious file was detected. You requested a reboot, but given all the problems I had experienced, I was concerned about not being able to get the report, so I clicked on the 'Back' button prior to rebooting. I clicked Reports; no 'latest reports' showed up, except the following information, which I had to type myself. The malicious file was quarantined.

 

First the RK report, followed by MY TRANSCRIPT of the Zemana findings. I did reboot the PC. It seems to be moving along much better. 

 
Now that things are running better, please let me know if I shall re-run any of the Malware Applications.
 

 

RogueKiller V12.11.27.0 (x64) [Dec  4 2017] (Free) by Adlice Software
 
Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Safe mode with network support
User : angeles [Administrator]
Started from : C:\Users\angeles\Desktop\RogueKiller_portable64.exe
Mode : Delete -- Date : 12/05/2017 19:12:56 (Duration : 00:30:21)
 
¤¤¤ Processes : 0 ¤¤¤
 
¤¤¤ Registry : 13 ¤¤¤
[PUP.Coupons|PUP.Gen0|VT.Detected] (X64) HKEY_CLASSES_ROOT\CLSID\{1A53AD8B-D0B9-4E7F-88E4-50C07A65F2DC} (C:\windows\COUPON~2.OCX) -> Deleted
[PUP.Coupons|PUP.Gen0|VT.Detected] (X64) HKEY_CLASSES_ROOT\CLSID\{A85A5E6A-DE2C-4F4E-99DC-F469DF5A0EEC} (C:\windows\COUPON~2.OCX) -> Deleted
[PUP.BestBuy] (X64) HKEY_LOCAL_MACHINE\Software\Best Buy -> Deleted
[PUP.BestBuy] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\Best Buy pc app -> Deleted
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters | DhcpNameServer : 10.0.1.1 ([])  -> Not selected
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{A3ADE3C5-E878-4AE2-87ED-79F75B8C1A53} | DhcpNameServer : 10.0.1.1 ([])  -> Not selected
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{E02990FE-281F-45B5-8531-874E32735C34} | DhcpNameServer : 10.128.128.128 ([])  -> Not selected
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Tcpip\Parameters\Interfaces\{A3ADE3C5-E878-4AE2-87ED-79F75B8C1A53} | DhcpNameServer : 10.0.1.1 ([])  -> Not selected
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Tcpip\Parameters\Interfaces\{E02990FE-281F-45B5-8531-874E32735C34} | DhcpNameServer : 10.128.128.128 ([])  -> Not selected
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {3B49C880-4AAC-4AF8-84E3-8C569646D8C4} : v2.10|Action=Allow|Active=TRUE|Dir=Out|App=C:\Users\angeles\AppData\Local\Temp\nsr4A6D.tmp\CnetInstaller-75795949.exe|Name=proinstaller573048236| [x] -> Deleted
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {73B5BC33-5960-44E4-888A-620DC155E7D6} : v2.10|Action=Allow|Active=TRUE|Dir=In|App=C:\Users\angeles\AppData\Local\Temp\nsr4A6D.tmp\CnetInstaller-75795949.exe|Name=proinstaller573048236| [x] -> Deleted
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {3B49C880-4AAC-4AF8-84E3-8C569646D8C4} : v2.10|Action=Allow|Active=TRUE|Dir=Out|App=C:\Users\angeles\AppData\Local\Temp\nsr4A6D.tmp\CnetInstaller-75795949.exe|Name=proinstaller573048236| [x] -> Deleted
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {73B5BC33-5960-44E4-888A-620DC155E7D6} : v2.10|Action=Allow|Active=TRUE|Dir=In|App=C:\Users\angeles\AppData\Local\Temp\nsr4A6D.tmp\CnetInstaller-75795949.exe|Name=proinstaller573048236| [x] -> Deleted
 
¤¤¤ Tasks : 0 ¤¤¤
 
¤¤¤ Files : 6 ¤¤¤
[PUP.BestBuy|PUP.Gen0][Folder] C:\ProgramData\Best Buy pc app -> Removed at reboot [91]
[PUP.BestBuy|PUP.Gen0][Folder] C:\ProgramData\Best Buy pc app\3.2.0420.05 -> ERROR [5]
[PUP.BestBuy|PUP.Gen0][File] C:\ProgramData\Best Buy pc app\Best Buy pc app Launcher.exe -> Deleted
[PUP.BestBuy|PUP.Gen0][File] C:\ProgramData\Best Buy pc app\Best Buy pc app.application -> Deleted
[PUP.BestBuy|PUP.Gen0][File] C:\ProgramData\Best Buy pc app\Best Buy pc app.lnk -> Deleted
[PUP.BestBuy|PUP.Gen0][File] C:\ProgramData\Best Buy pc app\BestBuyPcAppDetector.ocx -> Deleted
[PUP.BestBuy|PUP.Gen0][File] C:\ProgramData\Best Buy pc app\ClickOnceSetup.exe -> Deleted
[PUP.BestBuy|PUP.Gen0][File] C:\ProgramData\Best Buy pc app\ClickOnceUninstaller.exe -> Deleted
[PUP.BestBuy|PUP.Gen0][File] C:\ProgramData\Best Buy pc app\npBestBuyPcAppDetector.dll -> Deleted
[PUP.BestBuy|PUP.Gen0][Folder] C:\Users\angeles\AppData\Local\Best Buy pc app -> Deleted
[PUP.BestBuy|PUP.Gen0][File] C:\Users\angeles\AppData\Local\Best Buy pc app\Resources\PCImagePersistedData.xml -> Deleted
[PUP.BestBuy|PUP.Gen0][Folder] C:\Users\angeles\AppData\Local\Best Buy pc app\Resources -> Deleted
[PUP.Gen1][Folder] C:\Users\angeles\AppData\Local\Free YouTube Downloader -> Deleted
[PUP.Gen1][File] C:\Users\angeles\AppData\Local\Free YouTube Downloader\Downloads.data -> Deleted
[PUP.Gen1][File] C:\Users\angeles\AppData\Local\Free YouTube Downloader\Settings.data -> Deleted
[PUP.Gen1][Folder] C:\Users\angeles\AppData\Local\Free YouTube Downloader\Temp -> Deleted
[PUP.BestBuy|PUP.Gen0][Folder] C:\ProgramData\Best Buy pc app -> Removed at reboot [91]
[PUP.BestBuy|PUP.Gen0][File] C:\ProgramData\Best Buy pc app\3.2.0420.05\AppIcon.ico.deploy -> Deleted
[PUP.BestBuy|PUP.Gen0][File] C:\ProgramData\Best Buy pc app\3.2.0420.05\AppMeasurement_DotNET_Strong.dll.deploy -> Deleted
[PUP.BestBuy|PUP.Gen0][File] C:\ProgramData\Best Buy pc app\3.2.0420.05\Best Buy pc app.exe.config.deploy -> Deleted
[PUP.BestBuy|PUP.Gen0][File] C:\ProgramData\Best Buy pc app\3.2.0420.05\Best Buy pc app.exe.deploy -> Deleted
[PUP.BestBuy|PUP.Gen0][File] C:\ProgramData\Best Buy pc app\3.2.0420.05\Best Buy pc app.exe.manifest -> Deleted
[PUP.BestBuy|PUP.Gen0][File] C:\ProgramData\Best Buy pc app\3.2.0420.05\BestBuySoftwareInstaller.dll.deploy -> Deleted
[PUP.BestBuy|PUP.Gen0][File] C:\ProgramData\Best Buy pc app\3.2.0420.05\Common.dll.config.deploy -> Deleted
[PUP.BestBuy|PUP.Gen0][File] C:\ProgramData\Best Buy pc app\3.2.0420.05\Common.dll.deploy -> Deleted
[PUP.BestBuy|PUP.Gen0][File] C:\ProgramData\Best Buy pc app\3.2.0420.05\CommunicationNet.dll.deploy -> Deleted
[PUP.BestBuy|PUP.Gen0][File] C:\ProgramData\Best Buy pc app\3.2.0420.05\Controls.dll.deploy -> Deleted
[PUP.BestBuy|PUP.Gen0][File] C:\ProgramData\Best Buy pc app\3.2.0420.05\FluidKit.dll.deploy -> Deleted
[PUP.BestBuy|PUP.Gen0][File] C:\ProgramData\Best Buy pc app\3.2.0420.05\Interop.IWshRuntimeLibrary.dll.deploy -> Deleted
[PUP.BestBuy|PUP.Gen0][File] C:\ProgramData\Best Buy pc app\3.2.0420.05\Ionic.Zip.Reduced.dll.deploy -> Deleted
[PUP.BestBuy|PUP.Gen0][File] C:\ProgramData\Best Buy pc app\3.2.0420.05\Localization.dll.deploy -> Deleted
[PUP.BestBuy|PUP.Gen0][File] C:\ProgramData\Best Buy pc app\3.2.0420.05\Microsoft.Practices.Composite.dll.deploy -> Deleted
[PUP.BestBuy|PUP.Gen0][File] C:\ProgramData\Best Buy pc app\3.2.0420.05\Microsoft.Practices.Composite.Presentation.dll.deploy -> Deleted
[PUP.BestBuy|PUP.Gen0][File] C:\ProgramData\Best Buy pc app\3.2.0420.05\Microsoft.Practices.Composite.UnityExtensions.dll.deploy -> Deleted
[PUP.BestBuy|PUP.Gen0][File] C:\ProgramData\Best Buy pc app\3.2.0420.05\Microsoft.Practices.EnterpriseLibrary.Common.dll.deploy -> Deleted
[PUP.BestBuy|PUP.Gen0][File] C:\ProgramData\Best Buy pc app\3.2.0420.05\Microsoft.Practices.EnterpriseLibrary.Logging.dll.deploy -> Deleted
[PUP.BestBuy|PUP.Gen0][File] C:\ProgramData\Best Buy pc app\3.2.0420.05\Microsoft.Practices.ObjectBuilder2.dll.deploy -> Deleted
[PUP.BestBuy|PUP.Gen0][File] C:\ProgramData\Best Buy pc app\3.2.0420.05\Microsoft.Practices.ServiceLocation.dll.deploy -> Deleted
[PUP.BestBuy|PUP.Gen0][File] C:\ProgramData\Best Buy pc app\3.2.0420.05\Microsoft.Practices.Unity.dll.deploy -> Deleted
[PUP.BestBuy|PUP.Gen0][File] C:\ProgramData\Best Buy pc app\3.2.0420.05\Microsoft.Practices.Unity.Interception.dll.deploy -> Deleted
[PUP.BestBuy|PUP.Gen0][File] C:\ProgramData\Best Buy pc app\3.2.0420.05\pc app Installer.exe.config.deploy -> Deleted
[PUP.BestBuy|PUP.Gen0][File] C:\ProgramData\Best Buy pc app\3.2.0420.05\pc app Installer.exe.deploy -> Deleted
[PUP.BestBuy|PUP.Gen0][File] C:\ProgramData\Best Buy pc app\3.2.0420.05\PCImage.Modules.Default.dll.config.deploy -> Deleted
[PUP.BestBuy|PUP.Gen0][File] C:\ProgramData\Best Buy pc app\3.2.0420.05\PCImage.Modules.Default.dll.deploy -> Deleted
[PUP.BestBuy|PUP.Gen0][File] C:\ProgramData\Best Buy pc app\3.2.0420.05\PCImage.Modules.GeekSquad.Common.dll.config.deploy -> Deleted
[PUP.BestBuy|PUP.Gen0][File] C:\ProgramData\Best Buy pc app\3.2.0420.05\PCImage.Modules.GeekSquad.Common.dll.deploy -> Deleted
[PUP.BestBuy|PUP.Gen0][File] C:\ProgramData\Best Buy pc app\3.2.0420.05\PCImage.Modules.GeekSquad.Controller.dll.deploy -> Deleted
[PUP.BestBuy|PUP.Gen0][File] C:\ProgramData\Best Buy pc app\3.2.0420.05\PCImage.Modules.GeekSquad.ViewModels.dll.config.deploy -> Deleted
[PUP.BestBuy|PUP.Gen0][File] C:\ProgramData\Best Buy pc app\3.2.0420.05\PCImage.Modules.GeekSquad.ViewModels.dll.deploy -> Deleted
[PUP.BestBuy|PUP.Gen0][File] C:\ProgramData\Best Buy pc app\3.2.0420.05\PCImage.Modules.GeekSquad.Views.dll.config.deploy -> Deleted
[PUP.BestBuy|PUP.Gen0][File] C:\ProgramData\Best Buy pc app\3.2.0420.05\PCImage.Modules.GeekSquad.Views.dll.deploy -> Deleted
[PUP.BestBuy|PUP.Gen0][File] C:\ProgramData\Best Buy pc app\3.2.0420.05\PCImage.Modules.Home.dll.config.deploy -> Deleted
[PUP.BestBuy|PUP.Gen0][File] C:\ProgramData\Best Buy pc app\3.2.0420.05\PCImage.Modules.Home.dll.deploy -> Deleted
[PUP.BestBuy|PUP.Gen0][File] C:\ProgramData\Best Buy pc app\3.2.0420.05\PCImage.Modules.Omniture.dll.config.deploy -> Deleted
[PUP.BestBuy|PUP.Gen0][File] C:\ProgramData\Best Buy pc app\3.2.0420.05\PCImage.Modules.Omniture.dll.deploy -> Deleted
[PUP.BestBuy|PUP.Gen0][File] C:\ProgramData\Best Buy pc app\3.2.0420.05\PCImage.Modules.Update.dll.config.deploy -> Deleted
[PUP.BestBuy|PUP.Gen0][File] C:\ProgramData\Best Buy pc app\3.2.0420.05\PCImage.Modules.Update.dll.deploy -> Deleted
[PUP.BestBuy|PUP.Gen0][File] C:\ProgramData\Best Buy pc app\3.2.0420.05\PCImageInfrastructure.dll.config.deploy -> Deleted
[PUP.BestBuy|PUP.Gen0][File] C:\ProgramData\Best Buy pc app\3.2.0420.05\PCImageInfrastructure.dll.deploy -> Deleted
[PUP.BestBuy|PUP.Gen0][Folder] C:\ProgramData\Best Buy pc app\3.2.0420.05\Resources -> ERROR [5]
[PUP.BestBuy|PUP.Gen0][File] C:\ProgramData\Best Buy pc app\3.2.0420.05\Restarter.exe.deploy -> Deleted
[PUP.BestBuy|PUP.Gen0][File] C:\ProgramData\Best Buy pc app\3.2.0420.05\SecureDownloadAPI.dll.deploy -> Deleted
[PUP.BestBuy|PUP.Gen0][File] C:\ProgramData\Best Buy pc app\3.2.0420.05\SecureDownloadAPI64.dll.deploy -> Deleted
[PUP.BestBuy|PUP.Gen0][File] C:\ProgramData\Best Buy pc app\3.2.0420.05\SecureDownloadAPIHelper.exe.deploy -> Deleted
[PUP.BestBuy|PUP.Gen0][File] C:\ProgramData\Best Buy pc app\3.2.0420.05\SharpBITS.Base.dll.deploy -> Deleted
[PUP.BestBuy|PUP.Gen0][File] C:\ProgramData\Best Buy pc app\3.2.0420.05\ViewModels.dll.config.deploy -> Deleted
[PUP.BestBuy|PUP.Gen0][File] C:\ProgramData\Best Buy pc app\3.2.0420.05\ViewModels.dll.deploy -> Deleted
[PUP.BestBuy|PUP.Gen0][File] C:\ProgramData\Best Buy pc app\3.2.0420.05\WCFCompression.dll.deploy -> Deleted
[PUP.BestBuy|PUP.Gen0][Folder] C:\ProgramData\Best Buy pc app\3.2.0420.05 -> Removed at reboot [91]
[PUP.Gen1][Folder] C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Free YouTube Downloader -> Deleted
[PUP.Gen1][File] C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Free YouTube Downloader\Free YouTube Downloader.lnk -> Deleted
[PUP.Gen1][Folder] C:\Program Files (x86)\Free YouTube Downloader -> Deleted
[PUP.Gen1][File] C:\Program Files (x86)\Free YouTube Downloader\BouncyCastle.Crypto.dll -> Deleted
[PUP.Gen1][File] C:\Program Files (x86)\Free YouTube Downloader\es\FreeYouTubeDownloader.Localization.resources.dll -> Deleted
[PUP.Gen1][Folder] C:\Program Files (x86)\Free YouTube Downloader\es -> Deleted
[PUP.Gen1][File] C:\Program Files (x86)\Free YouTube Downloader\ffmpeg.exe -> Deleted
[PUP.Gen1][File] C:\Program Files (x86)\Free YouTube Downloader\ffprobe.exe -> Deleted
[PUP.Gen1][File] C:\Program Files (x86)\Free YouTube Downloader\FreeYouTubeDownloader.Analyzer.dll -> Deleted
[PUP.Gen1][File] C:\Program Files (x86)\Free YouTube Downloader\FreeYouTubeDownloader.Analyzer.pdb -> Deleted
[PUP.Gen1][File] C:\Program Files (x86)\Free YouTube Downloader\FreeYouTubeDownloader.Common.dll -> Deleted
[PUP.Gen1][File] C:\Program Files (x86)\Free YouTube Downloader\FreeYouTubeDownloader.Common.pdb -> Deleted
[PUP.Gen1][File] C:\Program Files (x86)\Free YouTube Downloader\FreeYouTubeDownloader.Converter.dll -> Deleted
[PUP.Gen1][File] C:\Program Files (x86)\Free YouTube Downloader\FreeYouTubeDownloader.Converter.pdb -> Deleted
[PUP.Gen1][File] C:\Program Files (x86)\Free YouTube Downloader\FreeYouTubeDownloader.Debug.dll -> Deleted
[PUP.Gen1][File] C:\Program Files (x86)\Free YouTube Downloader\FreeYouTubeDownloader.Debug.pdb -> Deleted
[PUP.Gen1][File] C:\Program Files (x86)\Free YouTube Downloader\FreeYouTubeDownloader.Downloader.dll -> Deleted
[PUP.Gen1][File] C:\Program Files (x86)\Free YouTube Downloader\FreeYouTubeDownloader.Downloader.pdb -> Deleted
[PUP.Gen1][File] C:\Program Files (x86)\Free YouTube Downloader\FreeYouTubeDownloader.exe -> Deleted
[PUP.Gen1][File] C:\Program Files (x86)\Free YouTube Downloader\FreeYouTubeDownloader.Localization.dll -> Deleted
[PUP.Gen1][File] C:\Program Files (x86)\Free YouTube Downloader\FreeYouTubeDownloader.Localization.pdb -> Deleted
[PUP.Gen1][File] C:\Program Files (x86)\Free YouTube Downloader\FreeYouTubeDownloader.pdb -> Deleted
[PUP.Gen1][File] C:\Program Files (x86)\Free YouTube Downloader\Ionic.Zip.dll -> Deleted
[PUP.Gen1][File] C:\Program Files (x86)\Free YouTube Downloader\Microsoft.WindowsAPICodePack.dll -> Deleted
[PUP.Gen1][File] C:\Program Files (x86)\Free YouTube Downloader\Microsoft.WindowsAPICodePack.Shell.dll -> Deleted
[PUP.Gen1][File] C:\Program Files (x86)\Free YouTube Downloader\Newtonsoft.Json.dll -> Deleted
[PUP.Gen1][File] C:\Program Files (x86)\Free YouTube Downloader\Newtonsoft.Json.pdb -> Deleted
[PUP.Gen1][File] C:\Program Files (x86)\Free YouTube Downloader\Newtonsoft.Json.xml -> Deleted
[PUP.Gen1][File] C:\Program Files (x86)\Free YouTube Downloader\ObjectListView.dll -> Deleted
[PUP.Gen1][File] C:\Program Files (x86)\Free YouTube Downloader\pt\FreeYouTubeDownloader.Localization.resources.dll -> Deleted
[PUP.Gen1][Folder] C:\Program Files (x86)\Free YouTube Downloader\pt -> Deleted
[PUP.Gen1][File] C:\Program Files (x86)\Free YouTube Downloader\Readme.txt -> Deleted
[PUP.Gen1][File] C:\Program Files (x86)\Free YouTube Downloader\ru\FreeYouTubeDownloader.Localization.resources.dll -> Deleted
[PUP.Gen1][Folder] C:\Program Files (x86)\Free YouTube Downloader\ru -> Deleted
[PUP.Gen1][File] C:\Program Files (x86)\Free YouTube Downloader\SplitButton.dll -> Deleted
[PUP.Gen1][File] C:\Program Files (x86)\Free YouTube Downloader\uk\FreeYouTubeDownloader.Localization.resources.dll -> Deleted
[PUP.Gen1][Folder] C:\Program Files (x86)\Free YouTube Downloader\uk -> Deleted
[PUP.Gen1][File] C:\Program Files (x86)\Free YouTube Downloader\unins000.dat -> Deleted
[PUP.Gen1][File] C:\Program Files (x86)\Free YouTube Downloader\unins000.exe -> Deleted
[PUP.Gen1][File] C:\Program Files (x86)\Free YouTube Downloader\Uninstall.txt -> Deleted
[PUP.Gen1][File] C:\Program Files (x86)\Free YouTube Downloader\YouTubeDownloader.exe -> Deleted
[PUP.Gen1][File] C:\Program Files (x86)\Free YouTube Downloader\YouTubeDownloader.exe.config -> Deleted
[PUP.Gen1][File] C:\Program Files (x86)\Free YouTube Downloader\YouTubeDownloader.ico -> Deleted
[PUP.Gen1][File] C:\Program Files (x86)\Free YouTube Downloader\YouTubeDownloader.pdb -> Deleted
[PUP.Gen1][File] C:\Program Files (x86)\Free YouTube Downloader\YouTubeDownloader.vshost.exe -> Deleted
[PUP.Gen1][File] C:\Program Files (x86)\Free YouTube Downloader\YouTubeDownloader.vshost.exe.config -> Deleted
[PUP.Gen1][File] C:\Program Files (x86)\Free YouTube Downloader\YouTubeDownloader.vshost.exe.manifest -> Deleted
 
¤¤¤ WMI : 0 ¤¤¤
 
¤¤¤ Hosts File : 0 ¤¤¤
 
¤¤¤ Antirootkit : 0 (Driver: Not loaded [0xc000035f]) ¤¤¤
 
¤¤¤ Web browsers : 0 ¤¤¤
 
¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: ST320LT020-9YG142 +++++
--- User ---
[MBR] f0574b2dd9202124b648317c799f8dfe
[BSP] f95b97c3f18f2b593a4bf9c2f2f2d0e4 : Windows Vista/7/8|VT.Unknown MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 2048 | Size: 200 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
1 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 411648 | Size: 260243 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
2 - [XXXXXX] EXTEN-LBA (0xf) [VISIBLE] Offset (sectors): 533389312 | Size: 29692 MB
3 - [XXXXXX] COMPAQ (0x12) [VISIBLE] Offset (sectors): 594198528 | Size: 15109 MB
User = LL1 ... OK
User = LL2 ... OK
 

 

Zemana
Quarantine
Path                                               Detection                                  Date and time
C:\Windows\CouponPrinter.ocx     Adware:Win32/Coupons!Ep      12/5/2017 - 9:28:07 PM


#14 Android 8888

    SWI Malware Tracker

  • Trusted Advisor*
  • 1,038 posts

Posted 06 December 2017 - 06:31 AM

Hello.

 

The tools were supposed to run in Normal Mode. Anyway, you did well in running them in Safe Mode.

 
The log shows that RogueKiller removed several infected entries. Thank you for reporting Zemana results.
 
Now please re-run Malwarebytes and perform another scan;

When the scan completes if potential threats are detected, ensure to checkmark all the listed items, and click the Quarantine Selected button.

While still on the Scan tab, click the View Report button, and in the window that opens click the Export button, select Text file (*.txt), give it a name and save it to your Desktop.

The log can also be viewed by clicking the log to select it, then clicking the View Report button.

 

Please copy and paste the entire contents of the log in your next reply.

Next,
 
Please scan your computer with ESET Online Scanner to search for leftovers. This is a very thorough scan but it's worth it. It may take several hours to finish so please be patient.

  • Click on this link to open ESET Online Scanner in a new window.
    • Click on the Scan Now button to download the esetonlinescanner_enu.exe file. Save it to your Desktop.
    • Close all your programs and browsers and disconnect any USB flash drives from the computer.
    • Please disable your antivirus program to avoid potential conflicts, improve the performance and speed up the scan.
    • Double click on esetonlinescanner_enu.exe to start ESET Online Scanner. It will open a window with the Terms of Use.
  • Check mark Download latest version of ESET Online Scanner and click the Accept button.
  • Click Yes to accept any security warnings that may appear.
  • Under Computer scan settings, check mark Enable detection of potentially unwanted applications.
  • Then click Advanced settings and check mark the following options:
    • Enable detection of potentially unsafe applications
    • Clean threats automatically
  • Click the Scan button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, click List Threats.
  • Click Export, and save the file to your Desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Click the Back button.
  • Click the Finish button.
  • Note: If nothing is found, it will not produce a log.
     

Please re-enable your antivirus program.
 
 
To summarize, in your next reply please post the new Malwarebytes log and the ESET log (if it produced one) and let me know in detail the state of the computer at this point.

 

Android 8888


Android 8888
 
Website: http://android8888.comlu.com
 
Tavira - Here's where I live!
 
Please read the Instructions for posting requested logs and the article "So how did I get infected in the first place?"
 
Our help is free, but if you wish to help keep these forums running please consider a donation; Please see This Topic for details.

#15 azuleno

azuleno

    Advanced Member

  • Full Member
  • PipPipPip
  • 219 posts

Posted 06 December 2017 - 09:56 PM

Hi Android 8888,

 

The computer seems to be a bit better every time we have done extra steps. Only thing I noticed today, prior to performing the Malwarebytes and ESETScan, I left the PC in hibernation mode and when I went to wake up the PC, it was not very responsive, so I rebooted. So far after that it is behaving well. Here are the logs. BTW, at the end of the ESETScan the instructions you gave me were a bit different from what I saw on the ESETScan box. There was no **Export** but there was a copy to .txt option, which I assume is the equivalent. I did not delete everything (I hesitated since the scan took 5 hours!!). The log seems to indicate that the found threats were deleted. No **Back** or **Finish** button, but I did get the log in text format, and it is below:

 

Malwarebytes
www.malwarebytes.com
 
-Log Details-
Scan Date: 12/6/17
Scan Time: 5:06 PM
Log File: bfccd60c-dad1-11e7-a047-f0def1ef5697.json
Administrator: Yes
 
-Software Information-
Version: 3.3.1.2183
Components Version: 1.0.236
Update Package Version: 1.0.3427
License: Trial
 
-System Information-
OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: angeles-PC\angeles
 
-Scan Summary-
Scan Type: Threat Scan
Result: Completed
Objects Scanned: 296226
Threats Detected: 0
(No malicious items detected)
Threats Quarantined: 0
(No malicious items detected)
Time Elapsed: 23 min, 12 sec
 
-Scan Options-
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Detect
PUM: Detect
 
-Scan Details-
Process: 0
(No malicious items detected)
 
Module: 0
(No malicious items detected)
 
Registry Key: 0
(No malicious items detected)
 
Registry Value: 0
(No malicious items detected)
 
Registry Data: 0
(No malicious items detected)
 
Data Stream: 0
(No malicious items detected)
 
Folder: 0
(No malicious items detected)
 
File: 0
(No malicious items detected)
 
Physical Sector: 0
(No malicious items detected)
 
 
(end)
 
 
C:\AdwCleaner\Quarantine\1xVPfvJcrg\uninstall.exe a variant of Win32/Adware.Coupons.AA application cleaned by deleting
C:\FRST\Quarantine\C\Program Files (x86)\mozilla firefox\browser\plugins\npMozCouponPrinter.dll.xBAD a variant of Win32/Adware.Coupons.AA application cleaned by deleting
C:\FRST\Quarantine\C\Users\angeles\AppData\Local\Temp\ICReinstall_hdyoutubedownloader_setup.exe.xBAD a variant of Win32/InstallCore.ACZ potentially unwanted application cleaned by deleting
C:\FRST\Quarantine\C\Users\angeles\AppData\Local\Temp\mpsetup.exe.xBAD a variant of Win32/Bundled.Toolbar.Google.C potentially unsafe application deleted
C:\Program Files (x86)\Google\Chrome\Application\plugins\npMozCouponPrinter.dll a variant of Win32/Adware.Coupons.AA application cleaned by deleting
C:\Program Files (x86)\NCH Software\MixPad\mixpad.exe a variant of Win32/Bundled.Toolbar.Google.C potentially unsafe application cleaned by deleting
C:\Program Files (x86)\NCH Software\MixPad\mixpadsetup_v3.73.exe a variant of Win32/Bundled.Toolbar.Google.C potentially unsafe application deleted
C:\Program Files (x86)\NCH Software\WavePad\wavepad.exe a variant of Win32/Bundled.Toolbar.Google.C potentially unsafe application cleaned by deleting
C:\Program Files (x86)\NCH Software\WavePad\wavepadsetup_v5.96.exe a variant of Win32/Bundled.Toolbar.Google.C potentially unsafe application deleted
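The ESET result lines above follow a fixed shape: full path, detection name, threat category, action taken. The following is an added example (not code from ESET, the forum or the original poster) that parses that shape into records and separates hits that were already sitting in another tool's quarantine (AdwCleaner and FRST folders; FRST also appends .xBAD) from hits at live locations, which are the ones that show what was still installed. The sample input is constructed from the nine lines quoted above plus one deliberately malformed line; the category and action vocabularies are assumed from those lines only, so anything else ends up in the "unparsed" list rather than being guessed.

```python
import re
from collections import Counter

# Constructed sample input: the nine ESET Online Scanner lines quoted in the
# post above, plus one malformed line to exercise the fallback path.
SAMPLE_ESET_LOG = r"""
C:\AdwCleaner\Quarantine\1xVPfvJcrg\uninstall.exe a variant of Win32/Adware.Coupons.AA application cleaned by deleting
C:\FRST\Quarantine\C\Program Files (x86)\mozilla firefox\browser\plugins\npMozCouponPrinter.dll.xBAD a variant of Win32/Adware.Coupons.AA application cleaned by deleting
C:\FRST\Quarantine\C\Users\angeles\AppData\Local\Temp\ICReinstall_hdyoutubedownloader_setup.exe.xBAD a variant of Win32/InstallCore.ACZ potentially unwanted application cleaned by deleting
C:\FRST\Quarantine\C\Users\angeles\AppData\Local\Temp\mpsetup.exe.xBAD a variant of Win32/Bundled.Toolbar.Google.C potentially unsafe application deleted
C:\Program Files (x86)\Google\Chrome\Application\plugins\npMozCouponPrinter.dll a variant of Win32/Adware.Coupons.AA application cleaned by deleting
C:\Program Files (x86)\NCH Software\MixPad\mixpad.exe a variant of Win32/Bundled.Toolbar.Google.C potentially unsafe application cleaned by deleting
C:\Program Files (x86)\NCH Software\MixPad\mixpadsetup_v3.73.exe a variant of Win32/Bundled.Toolbar.Google.C potentially unsafe application deleted
C:\Program Files (x86)\NCH Software\WavePad\wavepad.exe a variant of Win32/Bundled.Toolbar.Google.C potentially unsafe application cleaned by deleting
C:\Program Files (x86)\NCH Software\WavePad\wavepadsetup_v5.96.exe a variant of Win32/Bundled.Toolbar.Google.C potentially unsafe application deleted
this line is not in the expected format
"""

# Vocabularies taken from the quoted lines (assumption: other ESET versions may
# use more words; unknown ones are reported as unparsed instead of guessed).
CATEGORIES = ("potentially unwanted application",
              "potentially unsafe application", "application")
ACTIONS = ("cleaned by deleting", "deleted")

# Path is matched non-greedily so spaces inside "Program Files (x86)" survive;
# the anchored category/action tail disambiguates where the path ends.
LINE_RE = re.compile(
    r"^(?P<path>.+?) "
    r"(?P<detection>(?:a variant of )?\S+) "
    r"(?P<category>" + "|".join(map(re.escape, CATEGORIES)) + r") "
    r"(?P<action>" + "|".join(map(re.escape, ACTIONS)) + r")$"
)
VARIANT_PREFIX = "a variant of "


def family(detection: str) -> str:
    """Reduce 'a variant of Win32/Adware.Coupons.AA' to 'Adware.Coupons'."""
    name = detection[len(VARIANT_PREFIX):] if detection.startswith(VARIANT_PREFIX) else detection
    name = name.split("/", 1)[-1]                 # drop the platform prefix (Win32/)
    base, _, variant = name.rpartition(".")
    # ESET variant suffixes in the sample are short upper-case groups (AA, ACZ, C)
    return base if base and re.fullmatch(r"[A-Z]{1,3}", variant) else name


def is_quarantined(path: str) -> bool:
    """True when the file already sat in another tool's quarantine folder."""
    lower = path.lower()
    return "\\quarantine\\" in lower or lower.endswith(".xbad")


def parse_eset_log(text: str):
    """Return (parsed records, lines that did not match the expected shape)."""
    hits, unparsed = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if m is None:
            unparsed.append(line)
            continue
        rec = m.groupdict()
        rec["family"] = family(rec["detection"])
        rec["quarantined"] = is_quarantined(rec["path"])
        hits.append(rec)
    return hits, unparsed


def summarize(hits):
    """Aggregate what a reviewer wants at a glance: live hits, families, actions."""
    return {
        "total": len(hits),
        "live_paths": [h["path"] for h in hits if not h["quarantined"]],
        "already_quarantined": sum(1 for h in hits if h["quarantined"]),
        "families": Counter(h["family"] for h in hits),
        "actions": Counter(h["action"] for h in hits),
    }


if __name__ == "__main__":
    hits, unparsed = parse_eset_log(SAMPLE_ESET_LOG)
    s = summarize(hits)
    print(f"{s['total']} detections, {s['already_quarantined']} were already in another tool's quarantine")
    for fam, n in s["families"].most_common():
        print(f"  {fam}: {n}")
    print("Live locations ESET cleaned:")
    for p in s["live_paths"]:
        print("  " + p)
    if unparsed:
        print(f"{len(unparsed)} line(s) not understood")
```

On the quoted log this separates four remnants inside the AdwCleaner and FRST quarantine folders from five live files (the Chrome plugin copy of npMozCouponPrinter.dll and the NCH Software executables), which is the distinction the helper draws in the next post when calling them remnants.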
 


#16 Android 8888

Android 8888

    SWI Malware Tracker

  • Trusted Advisor*
  • PipPipPipPipPip
  • 1,038 posts

Posted 07 December 2017 - 03:49 PM

Hi azuleno.
 
Good news!
Malwarebytes found no threats and ESET cleaned all the remnants it found. At this stage your computer appears to be clean! :good:

Now it's time to search for updates. Outdated programs contain security vulnerabilities that are exploited by malware in order to infect the computer without the user's knowledge. Usually this is one of the ways that contributes most to the infection of your computer.

Please download Security Analysis by Rocket Grannie from here

  • Save it to your computer Desktop.
  • Close your security software to avoid potential conflicts.
  • Double click RGSA.exe
  • Click OK on the copyright-disclaimer.
  • When finished, a Notepad window will open with the results of the scan.
  • The log named SALog.txt can also be found on the Desktop or in the same folder from where the tool is run if installed elsewhere.
  • Please copy and paste the contents of that log in your next reply.
  • Note: If you get a Warning from Windows about running the program, click on More info and then click Run Anyway to run it even though Windows says it might put your PC at risk.

 

Android 8888



#17 azuleno

azuleno

    Advanced Member

  • Full Member
  • PipPipPip
  • 219 posts

Posted 07 December 2017 - 05:13 PM

Hi Android 8888,

 

One comment before I post the log. If I power up the PC either from the off position, or from hibernation, the system seems to hang and not do anything even after 12+ minutes. Some activity is happening as I see some icons populating the icon bar at the bottom of the monitor. If I click on the web browser (Explorer, Firefox or Chrome) the icon lightens up as if it was responding, only to go 'dormant' in around 5 seconds. I can try and try multiple times and still the same, not opening much of any program, sometimes not even Notepad documents . . . until I do a hard reboot (hit the power button off, then on again). After another 6 minutes or so (antiquated Windows 7) the PC will then work just fine. Just wondering if such lack of response may be due to anything in particular that you can think of. Here is the log:

 

Result of Security Analysis by Rocket Grannie (x86) Updated: 4th December, 2017
Running from:C:\Users\angeles\Desktop (18:02:43 - 12/07/2017)
***---------------------------------------------------------***
Microsoft Windows 7 Home Premium X64 Service Pack 1
UAC is Enabled
Internet Explorer 11
Default Browser: Firefox
***------------Antivirus - Antispyware - Firewall-----------***
Avast Antivirus (Disabled - up to Date)
Malwarebytes (Disabled - up to Date)
Malwarebytes (Disabled - up to Date)
Malwarebytes (Disabled - up to Date)
Windows Defender (Disabled - up to Date)
Avast Antivirus (Disabled - up to Date)
Malwarebytes (Disabled - up to Date)
Windows Firewall (Enabled)
No other Firewall Installed
***-------Security Programs - Browsers - Miscellaneous------***
Adobe Flash Player NPAPI (27.0.0.187)
Adobe Reader XI (11.0.23)
Google Chrome (62.0.3202.94)
Java (8.0.250)
Malwarebytes (3.3.1.2183)
Microsoft Silverlight (5.1.50907.0)
Mozilla Firefox (57.0)
Windows Live Essentials (15.4.3502.0922) ==> is out of Date ==> is no longer supported
 
***----------------Analysis Complete-------------------------***
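The Security Analysis log above is what the helper reads in the next post to spot that Avast is disabled (it had been switched off for the ESET scan) and that Windows Live Essentials is out of date and unsupported. The following is an added example, not code from Rocket Grannie's tool or from the forum, that automates that review: it splits the log on its ***---title---*** separators, parses the protection section into (product, Enabled/Disabled) pairs while collapsing the repeated Malwarebytes entries, and parses the program section into versions and "==>" flags. The sample input is constructed from the log quoted above; the two section titles and the line shapes are assumed from that one log.

```python
import re
from collections import OrderedDict

# Constructed sample input: the RGSA log quoted in the post above.
SAMPLE_RGSA_LOG = r"""
Result of Security Analysis by Rocket Grannie (x86) Updated: 4th December, 2017
Running from:C:\Users\angeles\Desktop (18:02:43 - 12/07/2017)
***---------------------------------------------------------***
Microsoft Windows 7 Home Premium X64 Service Pack 1
UAC is Enabled
Internet Explorer 11
Default Browser: Firefox
***------------Antivirus - Antispyware - Firewall-----------***
Avast Antivirus (Disabled - up to Date)
Malwarebytes (Disabled - up to Date)
Malwarebytes (Disabled - up to Date)
Malwarebytes (Disabled - up to Date)
Windows Defender (Disabled - up to Date)
Avast Antivirus (Disabled - up to Date)
Malwarebytes (Disabled - up to Date)
Windows Firewall (Enabled)
No other Firewall Installed
***-------Security Programs - Browsers - Miscellaneous------***
Adobe Flash Player NPAPI (27.0.0.187)
Adobe Reader XI (11.0.23)
Google Chrome (62.0.3202.94)
Java (8.0.250)
Malwarebytes (3.3.1.2183)
Microsoft Silverlight (5.1.50907.0)
Mozilla Firefox (57.0)
Windows Live Essentials (15.4.3502.0922) ==> is out of Date ==> is no longer supported

***----------------Analysis Complete-------------------------***
"""

# Section titles and line shapes are assumed from the quoted log only.
PROTECTION_SECTION = "Antivirus - Antispyware - Firewall"
PROGRAM_SECTION = "Security Programs - Browsers - Miscellaneous"

SECTION_RE = re.compile(r"^\*{3}-*(?P<title>.*?)-*\*{3}$")
PROTECTION_RE = re.compile(
    r"^(?P<name>.+?) \((?P<state>Enabled|Disabled)(?: - (?P<updates>[^)]*))?\)$")
PROGRAM_RE = re.compile(
    r"^(?P<name>.+?) \((?P<version>[\d.]+)\)(?P<flags>(?: ==> [^=]+)*)$")


def parse_rgsa_log(text: str) -> "OrderedDict[str, list]":
    """Group non-empty lines under the ***---title---*** separator that precedes them.

    Lines before any separator land in 'Header'; the first, untitled separator
    opens the 'System' block (OS, UAC, browser)."""
    sections = OrderedDict(Header=[])
    current = "Header"
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group("title").strip() or "System"
            sections.setdefault(current, [])
            continue
        sections[current].append(line)
    return sections


def review(sections) -> dict:
    """Flag disabled protection (deduplicated by product) and flagged programs."""
    findings = {"disabled": [], "enabled": [], "outdated": [], "notes": [], "programs": {}}
    seen = set()
    for line in sections.get(PROTECTION_SECTION, []):
        m = PROTECTION_RE.match(line)
        if not m:
            findings["notes"].append(line)   # e.g. "No other Firewall Installed"
            continue
        name = m.group("name")
        if name in seen:                     # the same product can be listed several times
            continue
        seen.add(name)
        findings["disabled" if m.group("state") == "Disabled" else "enabled"].append(name)
    for line in sections.get(PROGRAM_SECTION, []):
        m = PROGRAM_RE.match(line)
        if not m:
            findings["notes"].append(line)
            continue
        findings["programs"][m.group("name")] = m.group("version")
        flags = [f for f in m.group("flags").split(" ==> ") if f]
        if flags:                            # "==> is out of Date", "==> is no longer supported"
            findings["outdated"].append((m.group("name"), m.group("version"), flags))
    return findings


if __name__ == "__main__":
    f = review(parse_rgsa_log(SAMPLE_RGSA_LOG))
    print("Disabled protection:", ", ".join(f["disabled"]) or "none")
    print("Enabled protection: ", ", ".join(f["enabled"]) or "none")
    for name, version, flags in f["outdated"]:
        print(f"Needs attention: {name} {version}: {'; '.join(flags)}")
```

Run against the quoted log it reports Avast Antivirus, Malwarebytes and Windows Defender as disabled with only Windows Firewall enabled, and Windows Live Essentials as the one flagged program, which matches the two points the helper raises next.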


#18 Android 8888

Android 8888

    SWI Malware Tracker

  • Trusted Advisor*
  • PipPipPipPipPip
  • 1,038 posts

Posted 10 December 2017 - 12:13 PM

Hello azuleno.

 

Thanks for the log. I see the Avast Antivirus is disabled. Please re-enable it (if you have not already done it).
 

Just wondering if such lack of response may be due to anything in particular that you can think of.

The main cause is the disk I/O (Input/Output) reading and writing. Reading and writing to a physical disk is much slower than from RAM (Random Access Memory). When your computer resumes from disk (hibernation) it also has to power up the components which may cause some slowdown. This is highly dependent on the amount of RAM and the type of drive (HDD or SSD) installed on the computer.

 

You can read more about it here.
 

Besides that, are there any issues or concerns with the computer?

Android 8888



#19 azuleno

azuleno

    Advanced Member

  • Full Member
  • PipPipPip
  • 219 posts

Posted 10 December 2017 - 08:43 PM

Hi Android 8888,

 

The PC seems to be doing fine. Will have to deal with the I/O reading + writing and see how things feel in the next few days. But things are up and running. Awesome job! I have been using spywareinfoforum since 2004 . . . as needed. I deeply appreciate your work. As always, I will make a donation. You are awesome. Thanks! Have a good day and week. 



#20 Android 8888

Android 8888

    SWI Malware Tracker

  • Trusted Advisor*
  • PipPipPipPipPip
  • 1,038 posts

Posted 11 December 2017 - 05:41 AM

I'm glad to hear the computer is running well. Thank you for the donation.

You can now delete the tools we used by running DelFix. It's a little program that will remove all tools and then will delete itself on its own.

  • Download DelFix and move it to your computer Desktop;
  • Right-click on DelFix.exe and select Run as Administrator;
  • Check the following options :
    • Remove disinfection tools (this option will remove the tools used in the cleaning process).
    • Create registry backup (this option will create a backup from the Windows Registry).
    • Purge system restore (this option will remove all previous and possibly infected restore points, and will create a new and clean restore point of your system).
    • Reset system settings (this option will reset any system settings back to default that were changed either by us during cleansing or by malware infection).
  • Once the options mentioned above are checked, click on Run;
  • After DelFix is done running, a log will open. Close and delete it, I don't need to see it.

If all is well with the computer, below I have included a number of recommendations for how to protect your computer in order to prevent future malware infections. Please consider using these ideas to help secure your computer.

Keep your Windows Operating System up-to-date.

Keep your AntiVirus program up-to-date.

Please note: Many installers offer third-party downloads that are installed automatically when you do not uncheck certain checkboxes. While most of the time not malicious, you usually do not want these on your computer. Be careful during the installation process and you will avoid seeing tons of new unwanted toolbars in your favorite web browser.

Keep Malwarebytes Anti-Malware (MBAM) updated and perform a regular scan of your system, as it will make it harder for malware to reside on your computer.
A tutorial on using MBAM can be found here and a complete guide here.

Please Note: Only the paid-for version has real-time capabilities. Please go here and scroll down to find a comparison list of the two versions.

A free non-resident utility to prevent the installation of ActiveX-based malware is JavaCool's SpywareBlaster, available here

Please keep these programs up-to-date and run them whenever you suspect a problem to prevent malware problems. A number of programs have resident protection and it is a good idea to run the resident protection of one of each type of program to maintain protection. However, it is important to run only one resident program of each type since they can conflict and become less effective. That means only one antivirus, firewall and scanning anti-spyware program at a time. Passive protectors, like SpywareBlaster can be run with any of them.

Note that there are a lot of rogue programs out there that want to scare you into giving them your money and some malware actually claims to be security programs. If you get a popup for a security program that you did not install yourself, do NOT click on it and ask for help immediately. It is very important to run an antivirus and firewall, but you can't always rely on reviews and ads for information. Ask in a security forum that you trust if you are not sure.

A similar category of programs is now called "scareware." Scareware programs are active infections that will pop-up on your computer and tell you that you are infected. If you look closely, it will usually have a name that looks like it might be legitimate, but it is NOT one of the programs you installed. It tells you to click and install it right away. If you click on any part of it, including the 'X' to close it, you may actually help it infect your computer further. Keeping protection updated and running resident protection can help prevent these infections. If it happens anyway, get offline as quickly as you can. Pull the internet connection cable or shut down the computer if you have to. Contact someone to help by using another computer if possible. These programs are also sometimes called 'rogues', but they are different than the older version of rogues mentioned above.

One of the most feared threats at the moment is a Ransomware infection. Ransomware is a program that ransoms the data or functionality of your computer until you perform an action. This action is typically to pay a ransom in the form of Bitcoins or another payment method. I advise you to read more info on this terrible threat here and here.

Please keep your programs up to date. Vulnerabilities are often exploited in order to install malware on your PC.

Run a program like Personal Software Inspector (PSI) or FileHippo Update Checker to see what programs need to be updated.

Be careful with flash drives, as they can spread infections. See this post on USB/flash drive safety.

Stay away from P2P software; even with a clean P2P program, their networks are often riddled with malware.

Don't click on attachments or links in e-mail, and read your e-mail in text-only mode for the highest safety.

Don't click on links received in instant message programs.

A HOSTS file will prevent Internet Explorer from communicating with sites known to be associated with adware or spyware. A good, regularly updated HOSTS file is the MVPS HOSTS File, available here.

For much more useful and complete information, please read the following links to fully understand PC Security and Best Practices:
How did I get infected in the first place
Answers to common security questions - Best Practices

Hopefully these steps will help to keep your computer free of malware. If you run into more difficulty, we will certainly do what we can to help.

Happy surfing, stay safe and Merry Christmas! :thumbup:

Android 8888





