View Full Version : computer under attack!
Red_Earth
2015-10-10, 03:39
Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version:08-10-2015
Ran by user (administrator) on USER-PC (09-10-2015 19:14:21)
Running from C:\Users\user\Downloads
Loaded Profiles: user (Available Profiles: user)
Platform: Microsoft Windows 7 Ultimate (X86) Language: English (United States)
Internet Explorer Version 8 (Default browser: FF)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/
==================== Processes (Whitelisted) =================
(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)
(Sandboxie Holdings, LLC) C:\Program Files\Sandboxie\SbieSvc.exe
(Safer-Networking Ltd.) C:\Program Files\Spybot - Search & Destroy 2\SDFSSvc.exe
(Safer-Networking Ltd.) C:\Program Files\Spybot - Search & Destroy 2\SDUpdSvc.exe
(Safer-Networking Ltd.) C:\Program Files\Spybot - Search & Destroy 2\SDWSCSvc.exe
(Safer-Networking Ltd.) C:\Program Files\Spybot - Search & Destroy 2\SDTray.exe
(Sandboxie Holdings, LLC) C:\Program Files\Sandboxie\SbieCtrl.exe
(Piriform Ltd) C:\Program Files\CCleaner\CCleaner.exe
() C:\Windows\Temp\~ECED.tmp.exe
(Microsoft Corporation) C:\Windows\System32\cmd.exe
() C:\ProgramData\taskhost.exe
(Google Inc.) C:\Program Files\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files\Google\Chrome\Application\chrome.exe
==================== Registry (Whitelisted) ===========================
(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)
HKLM\...\Run: [SDTray] => C:\Program Files\Spybot - Search & Destroy 2\SDTray.exe [4101576 2014-06-24] (Safer-Networking Ltd.)
HKLM\...\Run: [VjcYNwLhFDE6] => regsvr32.exe /s "C:\PROGRA~2\VjcYNwLhFDE6.dll"
HKLM\...\Run: [Chrome] => C:\ProgramData\taskhost.exe [5120 2015-10-06] ()
Winlogon\Notify\SDWinLogon: SDWinLogon.dll [X]
HKU\S-1-5-21-2083325841-3239248121-869660377-1000\...\Run: [SandboxieControl] => C:\Program Files\Sandboxie\SbieCtrl.exe [543432 2013-10-16] (Sandboxie Holdings, LLC)
HKU\S-1-5-21-2083325841-3239248121-869660377-1000\...\Run: [CCleaner Monitoring] => C:\Program Files\CCleaner\CCleaner.exe [6490904 2015-08-19] (Piriform Ltd)
HKU\S-1-5-21-2083325841-3239248121-869660377-1000\...\Run: [SpybotPostWindows10UpgradeReInstall] => C:\Program Files\Common Files\AV\Spybot - Search and Destroy\Test.exe [1011200 2015-07-28] (Safer-Networking Ltd.)
HKU\S-1-5-18\...\Run: [Chrome] => C:\ProgramData\taskhost.exe [5120 2015-10-06] ()
Startup: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\restore_files_mkkgj.html [2015-08-22] ()
Startup: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\restore_files_mkkgj.txt [2015-08-22] ()
Startup: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\restore_files_qnhwg.html [2015-08-22] ()
Startup: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\restore_files_qnhwg.txt [2015-08-22] ()
BootExecute: autocheck autochk * sdnclean.exe
==================== Internet (Whitelisted) ====================
(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)
Tcpip\Parameters: [DhcpNameServer] 75.75.75.75 75.75.76.76
Tcpip\..\Interfaces\{20396C80-FAE6-446D-A19D-054238E5CE4E}: [DhcpNameServer] 75.75.75.75 75.75.76.76
Tcpip\..\Interfaces\{6C1E3C77-1C84-43C7-8007-77C8B6A57208}: [DhcpNameServer] 75.75.75.75 75.75.76.76
Internet Explorer:
==================
HKU\S-1-5-21-2083325841-3239248121-869660377-1000\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = hxxp://www.msn.com/?ocid=iehp
BHO: Google Toolbar Helper -> {AA58ED58-01DD-4d91-8333-CF10577473F7} -> C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll [2015-09-23] (Google Inc.)
Toolbar: HKLM - Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll [2015-09-23] (Google Inc.)
Toolbar: HKU\S-1-5-21-2083325841-3239248121-869660377-1000 -> Google Toolbar - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll [2015-09-23] (Google Inc.)
FireFox:
========
FF ProfilePath: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\vk605143.default
FF DefaultSearchEngine: Ask Web Search
FF SelectedSearchEngine: Ask Web Search
FF Homepage: hxxp://home.tb.ask.com/index.jhtml?ptb=5511A651-82A3-4CC4-907D-C555A1F8DFCE&n=781b8b1b&p2=^ZX^foxyyy^YYA^us
FF Plugin: @adobe.com/FlashPlayer -> C:\Windows\system32\Macromed\Flash\NPSWF32_19_0_0_185.dll [2015-09-23] ()
FF Plugin: @tools.google.com/Google Update;version=3 -> C:\Program Files\Google\Update\1.3.28.15\npGoogleUpdate3.dll [2015-09-19] (Google Inc.)
FF Plugin: @tools.google.com/Google Update;version=9 -> C:\Program Files\Google\Update\1.3.28.15\npGoogleUpdate3.dll [2015-09-19] (Google Inc.)
FF Plugin: @videolan.org/vlc,version=2.2.1 -> C:\Program Files\VideoLAN\VLC\npvlc.dll [2015-04-13] (VideoLAN)
FF SearchPlugin: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\vk605143.default\searchplugins\ask-web-search.xml [2015-07-09]
FF SearchPlugin: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\vk605143.default\searchplugins\restore_files_mkkgj.html [2015-08-22]
FF SearchPlugin: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\vk605143.default\searchplugins\restore_files_mkkgj.txt [2015-08-22]
FF SearchPlugin: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\vk605143.default\searchplugins\restore_files_qnhwg.html [2015-08-22]
FF SearchPlugin: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\vk605143.default\searchplugins\restore_files_qnhwg.txt [2015-08-22]
FF Extension: Ghostery - C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\vk605143.default\Extensions\firefox@ghostery.com.xpi [2015-05-16]
Chrome:
=======
CHR HomePage: Default -> hxxp://www.google.com/
CHR StartupUrls: Default -> "hxxp://www.google.com/"
CHR Profile: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default
CHR Extension: (Google Slides) - C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek [2015-05-31]
CHR Extension: (Google Docs) - C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake [2015-05-31]
CHR Extension: (Google Drive) - C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2015-05-31]
CHR Extension: (YouTube) - C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2015-05-31]
CHR Extension: (Google Search) - C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf [2015-05-31]
CHR Extension: (Google Sheets) - C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap [2015-05-31]
CHR Extension: (Google Docs Offline) - C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi [2015-09-27]
CHR Extension: (Chrome Hotword Shared Module) - C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\lccekmodgklaepjeofjdjpbminllajkg [2015-05-31]
CHR Extension: (Chrome Web Store Payments) - C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2015-05-31]
CHR Extension: (Gmail) - C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2015-05-31]
==================== Services (Whitelisted) ========================
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
R2 SbieSvc; C:\Program Files\Sandboxie\SbieSvc.exe [130248 2013-10-16] (Sandboxie Holdings, LLC)
R2 SDScannerService; C:\Program Files\Spybot - Search & Destroy 2\SDFSSvc.exe [1738168 2014-06-24] (Safer-Networking Ltd.)
R2 SDUpdateService; C:\Program Files\Spybot - Search & Destroy 2\SDUpdSvc.exe [2088408 2014-06-27] (Safer-Networking Ltd.)
R2 SDWSCService; C:\Program Files\Spybot - Search & Destroy 2\SDWSCSvc.exe [171928 2014-04-25] (Safer-Networking Ltd.)
R2 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [680960 2009-07-13] (Microsoft Corporation)
===================== Drivers (Whitelisted) ==========================
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
R3 SbieDrv; C:\Program Files\Sandboxie\SbieDrv.sys [159840 2013-10-16] (Sandboxie Holdings, LLC)
==================== NetSvcs (Whitelisted) ===================
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
==================== One Month Created files and folders ========
(If an entry is included in the fixlist, the file/folder will be moved.)
2015-10-09 19:14 - 2015-10-09 19:14 - 00009112 _____ C:\Users\user\Downloads\FRST.txt
2015-10-09 19:14 - 2015-10-09 19:14 - 00000000 ____D C:\Users\user\Downloads\FRST-OlderVersion
2015-10-09 19:13 - 2015-10-09 19:14 - 01698304 _____ (Farbar) C:\Users\user\Downloads\FRST.exe
2015-10-09 19:13 - 2015-10-09 19:14 - 00000000 ____D C:\FRST
2015-10-09 19:13 - 2015-10-09 19:13 - 00000736 _____ C:\Windows\system32\DB3841779606
2015-10-09 14:59 - 2015-10-09 14:59 - 01822048 _____ (BitTorrent Inc.) C:\Users\user\Downloads\uTorrent (1).exe
2015-10-06 18:32 - 2015-10-06 18:32 - 00005120 _____ C:\ProgramData\taskhost.exe
2015-10-06 18:31 - 2015-10-06 18:31 - 00004096 _____ C:\ProgramData\VjcYNwLhFDE6.dll
2015-10-06 07:12 - 2015-10-06 07:12 - 00000056 _____ C:\Windows\setupact.log
2015-10-06 07:12 - 2015-10-06 07:12 - 00000000 _____ C:\Windows\setuperr.log
2015-10-02 12:33 - 2015-10-02 12:33 - 01821536 _____ (BitTorrent Inc.) C:\Users\user\Downloads\uTorrent(1).exe
2015-10-02 12:28 - 2015-10-09 15:07 - 00000000 ____D C:\Users\user\AppData\LocalLow\uTorrent
2015-10-02 12:26 - 2015-10-02 12:27 - 01821536 _____ (BitTorrent Inc.) C:\Users\user\Downloads\uTorrent.exe
2015-09-30 21:31 - 2015-10-02 06:56 - 00000000 ____D C:\Program Files\Mozilla Firefox
2015-09-20 14:54 - 2015-09-20 14:54 - 00000000 ____D C:\Program Files\Common Files\AV
2015-09-20 14:54 - 2015-07-28 17:52 - 00821920 _____ (Safer-Networking Ltd. ) C:\Users\Public\Desktop\Post Win10 Spybot-install.exe
2015-09-20 14:47 - 2015-09-20 14:47 - 00002131 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Spybot-S&D Start Center.lnk
2015-09-20 14:47 - 2015-09-20 14:47 - 00002119 _____ C:\Users\Public\Desktop\Spybot-S&D Start Center.lnk
2015-09-20 14:47 - 2015-09-20 14:47 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Spybot - Search & Destroy 2
2015-09-20 14:47 - 2013-09-20 10:49 - 00018968 _____ (Safer Networking Limited) C:\Windows\system32\sdnclean.exe
2015-09-20 14:34 - 2015-09-20 14:37 - 46525608 _____ (Safer-Networking Ltd. ) C:\Users\user\Downloads\spybot-2.4.exe
2015-09-20 14:03 - 2015-09-20 14:03 - 00000965 _____ C:\Users\Public\Desktop\CCleaner.lnk
2015-09-20 14:03 - 2015-09-20 14:03 - 00000000 ____D C:\Program Files\CCleaner
2015-09-20 14:02 - 2015-09-20 14:03 - 06667640 _____ (Piriform Ltd) C:\Users\user\Downloads\ccsetup509.exe
==================== One Month Modified files and folders ========
(If an entry is included in the fixlist, the file/folder will be moved.)
2015-10-09 19:09 - 2015-05-18 19:08 - 00000886 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2015-10-09 19:08 - 2015-05-18 19:08 - 00000882 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2015-10-09 19:08 - 2015-05-16 16:59 - 00000830 _____ C:\Windows\Tasks\Adobe Flash Player Updater.job
2015-10-09 19:08 - 2013-12-03 02:48 - 00384875 _____ C:\Windows\WindowsUpdate.log
2015-10-09 19:08 - 2009-07-13 23:34 - 00013776 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2015-10-09 19:08 - 2009-07-13 23:34 - 00013776 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2015-10-09 15:04 - 2015-05-31 20:38 - 00000000 ____D C:\Users\user\AppData\Roaming\vlc
2015-10-09 12:41 - 2015-08-25 06:42 - 03616964 _____ C:\Windows\system32\CFG3841779606
2015-10-06 07:12 - 2009-07-13 23:53 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2015-10-05 16:57 - 2015-07-22 07:03 - 00000000 ____D C:\Windows\Minidump
2015-10-05 14:45 - 2013-12-02 23:58 - 00713888 _____ C:\Windows\system32\PerfStringBackup.INI
2015-10-04 15:53 - 2015-08-31 19:45 - 00000000 ____D C:\Users\user\AppData\Roaming\tor
2015-10-02 06:56 - 2014-02-21 00:48 - 00000000 ____D C:\Program Files\Mozilla Maintenance Service
2015-10-01 06:38 - 2014-02-21 00:58 - 00001536 _____ C:\Windows\Sandboxie.ini
2015-09-27 14:35 - 2015-05-18 19:08 - 00002129 _____ C:\Users\Public\Desktop\Google Chrome.lnk
2015-09-23 06:48 - 2015-08-23 11:02 - 18819272 _____ (Adobe Systems Incorporated) C:\Windows\system32\FlashPlayerInstaller.exe
2015-09-23 06:48 - 2015-05-16 16:59 - 00780488 _____ (Adobe Systems Incorporated) C:\Windows\system32\FlashPlayerApp.exe
2015-09-23 06:48 - 2015-05-16 16:59 - 00142536 _____ (Adobe Systems Incorporated) C:\Windows\system32\FlashPlayerCPLApp.cpl
2015-09-20 14:54 - 2015-07-26 18:46 - 00000000 ____D C:\Program Files\Spybot - Search & Destroy 2
2015-09-20 14:47 - 2015-07-26 18:46 - 00000000 ____D C:\ProgramData\Spybot - Search & Destroy
2015-09-20 14:03 - 2015-07-26 18:42 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\CCleaner
2015-09-19 18:08 - 2009-07-13 21:37 - 00000000 ____D C:\Windows\system32\wfp
2015-09-19 18:08 - 2009-07-13 21:37 - 00000000 ____D C:\Windows\system32\NDF
2015-09-19 18:07 - 2015-05-18 19:08 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome
2015-09-19 18:07 - 2015-05-18 19:07 - 00000000 ____D C:\Users\user\AppData\Local\Google
2015-09-19 18:07 - 2009-07-13 21:37 - 00000000 ____D C:\Windows\registration
2015-09-19 18:07 - 2009-07-13 21:37 - 00000000 ____D C:\Windows\AppCompat
==================== Files in the root of some directories =======
2015-08-22 16:45 - 2015-08-22 16:45 - 0005081 _____ () C:\Users\user\AppData\Roaming\restore_files_mkkgj.html
2015-08-22 16:45 - 2015-08-22 16:45 - 0002253 _____ () C:\Users\user\AppData\Roaming\restore_files_mkkgj.txt
2015-08-22 07:05 - 2015-08-22 07:05 - 0003822 _____ () C:\Users\user\AppData\Roaming\restore_files_qnhwg.html
2015-08-22 07:05 - 2015-08-22 07:05 - 0002170 _____ () C:\Users\user\AppData\Roaming\restore_files_qnhwg.txt
2015-08-23 09:12 - 2015-08-23 09:12 - 0003822 _____ () C:\Users\user\AppData\Local\restore_files_bjvdg.html
2015-08-23 09:12 - 2015-08-23 09:12 - 0002170 _____ () C:\Users\user\AppData\Local\restore_files_bjvdg.txt
2015-08-23 08:41 - 2015-08-23 08:41 - 0003822 _____ () C:\Users\user\AppData\Local\restore_files_hvdux.html
2015-08-23 08:41 - 2015-08-23 08:41 - 0002170 _____ () C:\Users\user\AppData\Local\restore_files_hvdux.txt
2015-08-22 16:29 - 2015-08-22 16:43 - 0005081 _____ () C:\Users\user\AppData\Local\restore_files_mkkgj.html
2015-08-22 16:29 - 2015-08-22 16:43 - 0002253 _____ () C:\Users\user\AppData\Local\restore_files_mkkgj.txt
2015-08-22 06:48 - 2015-08-22 07:01 - 0003822 _____ () C:\Users\user\AppData\Local\restore_files_qnhwg.html
2015-08-22 06:48 - 2015-08-22 07:01 - 0002170 _____ () C:\Users\user\AppData\Local\restore_files_qnhwg.txt
2015-08-23 09:02 - 2015-08-23 09:03 - 0429427 _____ (Boxer Software) C:\ProgramData\716C5D6A.EX
2015-08-23 09:10 - 2015-08-23 09:12 - 0003822 _____ () C:\ProgramData\restore_files_bjvdg.html
2015-08-23 09:10 - 2015-08-23 09:12 - 0002170 _____ () C:\ProgramData\restore_files_bjvdg.txt
2015-08-23 10:02 - 2015-08-23 10:03 - 0003822 _____ () C:\ProgramData\restore_files_fmlub.html
2015-08-23 10:02 - 2015-08-23 10:03 - 0002170 _____ () C:\ProgramData\restore_files_fmlub.txt
2015-08-23 08:39 - 2015-08-23 08:41 - 0003822 _____ () C:\ProgramData\restore_files_hvdux.html
2015-08-23 08:39 - 2015-08-23 08:41 - 0002170 _____ () C:\ProgramData\restore_files_hvdux.txt
2015-08-22 16:29 - 2015-08-22 16:29 - 0005081 _____ () C:\ProgramData\restore_files_mkkgj.html
2015-08-22 16:29 - 2015-08-22 16:29 - 0002253 _____ () C:\ProgramData\restore_files_mkkgj.txt
2015-08-22 06:46 - 2015-08-22 06:48 - 0003822 _____ () C:\ProgramData\restore_files_qnhwg.html
2015-08-22 06:46 - 2015-08-22 06:48 - 0002170 _____ () C:\ProgramData\restore_files_qnhwg.txt
2015-08-23 10:01 - 2015-08-23 10:01 - 0003822 _____ () C:\ProgramData\restore_files_swkdn.html
2015-08-23 10:01 - 2015-08-23 10:01 - 0002170 _____ () C:\ProgramData\restore_files_swkdn.txt
2015-10-06 18:32 - 2015-10-06 18:32 - 0005120 _____ () C:\ProgramData\taskhost.exe
2015-10-06 18:31 - 2015-10-06 18:31 - 0004096 _____ () C:\ProgramData\VjcYNwLhFDE6.dll
==================== Bamital & volsnap =================
(There is no automatic fix for files that do not pass verification.)
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\system32\winlogon.exe => File is digitally signed
C:\Windows\system32\wininit.exe => File is digitally signed
C:\Windows\system32\svchost.exe => File is digitally signed
C:\Windows\system32\services.exe => File is digitally signed
C:\Windows\system32\User32.dll => File is digitally signed
C:\Windows\system32\userinit.exe => File is digitally signed
C:\Windows\system32\rpcss.dll => File is digitally signed
C:\Windows\system32\dnsapi.dll => File is digitally signed
C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed
LastRegBack: 2015-10-01 21:22
==================== End of FRST.txt ============================
Additional scan result of Farbar Recovery Scan Tool (x86) Version:08-10-2015
Ran by user (2015-10-09 19:15:05)
Running from C:\Users\user\Downloads
Microsoft Windows 7 Ultimate (X86) (2013-12-03 04:56:25)
Boot Mode: Normal
==========================================================
==================== Accounts: =============================
Administrator (S-1-5-21-2083325841-3239248121-869660377-500 - Administrator - Disabled)
Guest (S-1-5-21-2083325841-3239248121-869660377-501 - Limited - Disabled)
user (S-1-5-21-2083325841-3239248121-869660377-1000 - Administrator - Enabled) => C:\Users\user
==================== Security Center ========================
(If an entry is included in the fixlist, it will be removed.)
AS: Windows Defender (Enabled - Out of date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
AS: Spybot - Search and Destroy (Enabled - Out of date) {9BC38DF1-3CCA-732D-A930-C1CA5F20A4B0}
==================== Installed Programs ======================
(Only the adware programs with "Hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)
Adobe Flash Player 19 ActiveX (HKLM\...\Adobe Flash Player ActiveX) (Version: 19.0.0.185 - Adobe Systems Incorporated)
Adobe Flash Player 19 NPAPI (HKLM\...\Adobe Flash Player NPAPI) (Version: 19.0.0.185 - Adobe Systems Incorporated)
Audacity 2.1.0 (HKLM\...\Audacity_is1) (Version: 2.1.0 - Audacity Team)
CCleaner (HKLM\...\CCleaner) (Version: 5.09 - Piriform)
FlashCut CNC 3 (HKLM\...\{3D977399-5981-462B-A47E-7EA6DF472C84}) (Version: 3.0.7991 - )
Google Chrome (HKLM\...\Google Chrome) (Version: 45.0.2454.101 - Google Inc.)
Google Toolbar for Internet Explorer (HKLM\...\{2318C2B1-4965-11d4-9B18-009027A5CD4F}) (Version: 7.5.6904.2028 - Google Inc.)
Google Toolbar for Internet Explorer (Version: 1.0.0 - Google Inc.) Hidden
Google Update Helper (Version: 1.3.24.7 - Google Inc.) Hidden
Google Update Helper (Version: 1.3.28.15 - Google Inc.) Hidden
Mozilla Firefox 41.0.1 (x86 en-US) (HKLM\...\Mozilla Firefox 41.0.1 (x86 en-US)) (Version: 41.0.1 - Mozilla)
Mozilla Maintenance Service (HKLM\...\MozillaMaintenanceService) (Version: 41.0.1.5750 - Mozilla)
Sandboxie 4.06 (32-bit) (HKLM\...\Sandboxie) (Version: 4.06 - Sandboxie Holdings, LLC)
Spybot - Search & Destroy (HKLM\...\{B4092C6D-E886-4CB2-BA68-FE5A99D31DE7}_is1) (Version: 2.4.40 - Safer-Networking Ltd.)
VLC media player (HKLM\...\VLC media player) (Version: 2.2.1 - VideoLAN)
==================== Custom CLSID (Whitelisted): ==========================
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
==================== Restore Points =========================
02-09-2015 18:02:33 Scheduled Checkpoint
09-09-2015 21:02:49 Scheduled Checkpoint
17-09-2015 17:20:18 Scheduled Checkpoint
24-09-2015 21:06:02 Scheduled Checkpoint
01-10-2015 21:29:18 Scheduled Checkpoint
==================== Hosts content: ==========================
(If needed Hosts: directive could be included in the fixlist to reset Hosts.)
2009-07-13 21:04 - 2009-06-10 16:39 - 00000824 ____A C:\Windows\system32\Drivers\etc\hosts
==================== Scheduled Tasks (Whitelisted) =============
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
Task: {08AD9823-5BE4-451E-8A3B-2453186050AE} - System32\Tasks\GoogleUpdateTaskMachineUA => C:\Program Files\Google\Update\GoogleUpdate.exe [2015-08-27] (Google Inc.)
Task: {51E7EA72-7F13-451C-A4F0-8EB787A98834} - System32\Tasks\Safer-Networking\Spybot - Search and Destroy\Scan the system => C:\Program Files\Spybot - Search & Destroy 2\SDScan.exe [2014-06-24] (Safer-Networking Ltd.)
Task: {5FFD2335-5EC0-4AB4-8CD3-86A936DFACED} - System32\Tasks\Safer-Networking\Spybot - Search and Destroy\Refresh immunization => C:\Program Files\Spybot - Search & Destroy 2\SDImmunize.exe [2014-06-24] (Safer-Networking Ltd.)
Task: {B8C34CBC-35DC-4DE4-9414-9C4AAC684B11} - System32\Tasks\CCleanerSkipUAC => C:\Program Files\CCleaner\CCleaner.exe [2015-08-19] (Piriform Ltd)
Task: {BC510C08-B5B7-45C6-8E10-4369C7ADEF4E} - System32\Tasks\GoogleUpdateTaskMachineCore => C:\Program Files\Google\Update\GoogleUpdate.exe [2015-08-27] (Google Inc.)
Task: {C244040A-CD9D-4FFB-AADB-A56088BBF45D} - System32\Tasks\Adobe Flash Player Updater => C:\Windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2015-09-23] (Adobe Systems Incorporated)
Task: {D6B9AECD-45A8-4C6A-9953-063848528046} - System32\Tasks\Safer-Networking\Spybot - Search and Destroy\Check for updates => C:\Program Files\Spybot - Search & Destroy 2\SDUpdate.exe [2014-06-27] (Safer-Networking Ltd.)
(If an entry is included in the fixlist, the task (.job) file will be moved. The file which is running by the task will not be moved.)
Task: C:\Windows\Tasks\Adobe Flash Player Updater.job => C:\Windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe
Task: C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job => C:\Program Files\Google\Update\GoogleUpdate.exe
Task: C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job => C:\Program Files\Google\Update\GoogleUpdate.exe
==================== Loaded Modules (Whitelisted) ==============
2015-07-26 18:46 - 2014-05-13 12:04 - 00109400 _____ () C:\Program Files\Spybot - Search & Destroy 2\snlThirdParty150.bpl
2015-07-26 18:46 - 2014-05-13 12:04 - 00416600 _____ () C:\Program Files\Spybot - Search & Destroy 2\DEC150.bpl
2015-07-26 18:46 - 2014-05-13 12:04 - 00167768 _____ () C:\Program Files\Spybot - Search & Destroy 2\snlFileFormats150.bpl
2015-09-20 14:47 - 2012-08-23 10:38 - 00574840 _____ () C:\Program Files\Spybot - Search & Destroy 2\sqlite3.dll
2015-09-20 14:47 - 2012-04-03 17:06 - 00565640 _____ () C:\Program Files\Spybot - Search & Destroy 2\av\BDSmartDB.dll
2015-10-06 18:30 - 2015-10-06 18:30 - 00004096 _____ () C:\Windows\TEMP\~ECED.tmp.exe
2015-10-06 18:32 - 2015-10-06 18:32 - 00005120 _____ () C:\ProgramData\taskhost.exe
==================== Alternate Data Streams (Whitelisted) =========
(If an entry is included in the fixlist, only the ADS will be removed.)
AlternateDataStreams: C:\Users\user\Desktop\USDF Region 6 3rd Level Freestyle Champs Prescription and LIz.avi.aaa:TOC.WMV
==================== Safe Mode (Whitelisted) ===================
(If an entry is included in the fixlist, it will be removed from the registry. The "AlternateShell" value will be restored.)
==================== EXE Association (Whitelisted) ===============
(If an entry is included in the fixlist, the registry item will be restored to default or removed.)
==================== Internet Explorer trusted/restricted ===============
(If an entry is included in the fixlist, it will be removed from the registry.)
==================== Other Areas ============================
(Currently there is no automatic fix for this section.)
HKU\S-1-5-21-2083325841-3239248121-869660377-1000\Control Panel\Desktop\\Wallpaper ->
DNS Servers: 75.75.75.75 - 75.75.76.76
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System => (ConsentPromptBehaviorAdmin: 5) (ConsentPromptBehaviorUser: 3) (EnableLUA: 1)
Windows Firewall is enabled.
==================== MSCONFIG/TASK MANAGER disabled items ==
(Currently there is no automatic fix for this section.)
==================== FirewallRules (Whitelisted) ===============
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
FirewallRules: [{146EED79-38FC-46E9-B0E7-475D0F4B35B9}] => (Allow) C:\Program Files\Mozilla Firefox\firefox.exe
FirewallRules: [{7ECE3F12-8821-4161-86EE-D3595DB6DD95}] => (Allow) C:\Program Files\Mozilla Firefox\firefox.exe
FirewallRules: [{270D27C4-A42F-4EB8-BBB1-2DD1C4700592}] => (Allow) C:\Program Files\Google\Chrome\Application\chrome.exe
FirewallRules: [{13536BCF-935B-40C1-B136-CECE63D9B4A1}] => (Allow) C:\Users\user\AppData\Roaming\uTorrent\uTorrent.exe
FirewallRules: [{C2CA02A6-95B7-46B8-9CA4-942B56A8F0C7}] => (Allow) C:\Users\user\AppData\Roaming\uTorrent\uTorrent.exe
FirewallRules: [{BCF2EBC8-E806-4EC9-9FD5-2008A67E3687}] => (Allow) C:\Users\user\AppData\Roaming\uTorrent\uTorrent.exe
FirewallRules: [{260DD4DF-6237-4E59-8078-DE165E8B3040}] => (Allow) C:\Users\user\AppData\Roaming\uTorrent\uTorrent.exe
FirewallRules: [{D01181C8-43D3-409E-9535-F16252C1BE64}] => (Allow) C:\Users\user\AppData\Roaming\uTorrent\uTorrent.exe
FirewallRules: [{2AAEC011-3B36-4309-8C5A-B98483A6B455}] => (Allow) C:\Users\user\AppData\Roaming\uTorrent\uTorrent.exe
StandardProfile\AuthorizedApplications: [C:\Program Files\Spybot - Search & Destroy 2\SDTray.exe] => Enabled:Spybot - Search & Destroy tray access
StandardProfile\AuthorizedApplications: [C:\Program Files\Spybot - Search & Destroy 2\SDFSSvc.exe] => Enabled:Spybot-S&D 2 Scanner Service
StandardProfile\AuthorizedApplications: [C:\Program Files\Spybot - Search & Destroy 2\SDUpdate.exe] => Enabled:Spybot-S&D 2 Updater
StandardProfile\AuthorizedApplications: [C:\Program Files\Spybot - Search & Destroy 2\SDUpdSvc.exe] => Enabled:Spybot-S&D 2 Background update service
==================== Faulty Device Manager Devices =============
==================== Event log errors: =========================
Application errors:
==================
Error: (10/09/2015 03:04:08 PM) (Source: Application Hang) (EventID: 1002) (User: )
Description: The program uTorrent.exe version 3.4.5.41162 stopped interacting with Windows and was closed. To see if more information about the problem is available, check the problem history in the Action Center control panel.
Process ID: bec
Start Time: 01d102cd4b208838
Termination Time: 16
Application Path: C:\Users\user\AppData\Roaming\uTorrent\uTorrent.exe
Report Id: e3dacfcb-6ec0-11e5-8ff0-0016418fd44e
Error: (10/09/2015 11:19:15 AM) (Source: System Restore) (EventID: 8211) (User: )
Description: The scheduled restore point could not be created. Additional information: (0x81000101).
Error: (10/09/2015 11:19:15 AM) (Source: System Restore) (EventID: 8193) (User: )
Description: Failed to create restore point (Process = C:\Windows\system32\rundll32.exe /d srrstr.dll,ExecuteScheduledSPPCreation; Description = Scheduled Checkpoint; Error = 0x81000101).
Error: (10/02/2015 08:26:11 PM) (Source: Windows Search Service) (EventID: 7042) (User: )
Description: The Windows Search Service is being stopped because there is a problem with the indexer: The catalog is corrupt.
Details:
The content index catalog is corrupt. 0xc0041801 (0xc0041801)
Error: (10/02/2015 08:26:11 PM) (Source: Windows Search Service) (EventID: 7040) (User: )
Description: The search service has detected corrupted data files in the index {id=2350}. The service will attempt to automatically correct this problem by rebuilding the index.
Details:
The content index catalog is corrupt. 0xc0041801 (0xc0041801)
Error: (10/02/2015 12:53:50 PM) (Source: Application Hang) (EventID: 1002) (User: )
Description: The program uTorrent.exe version 3.4.5.41162 stopped interacting with Windows and was closed. To see if more information about the problem is available, check the problem history in the Action Center control panel.
Process ID: a04
Start Time: 01d0fd3a3ba624b5
Termination Time: 29
Application Path: C:\Users\user\AppData\Roaming\uTorrent\uTorrent.exe
Report Id: 86ed4303-692e-11e5-80c1-0016418fd44e
Error: (10/02/2015 12:36:22 PM) (Source: Application Hang) (EventID: 1002) (User: )
Description: The program uTorrent.exe version 3.4.5.41162 stopped interacting with Windows and was closed. To see if more information about the problem is available, check the problem history in the Action Center control panel.
Process ID: e38
Start Time: 01d0fd388b4eef10
Termination Time: 16
Application Path: C:\Users\user\AppData\Roaming\uTorrent\uTorrent.exe
Report Id: 0c491d4d-692c-11e5-80c1-0016418fd44e
Error: (10/01/2015 07:54:26 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: plugin-container.exe, version: 41.0.1.5750, time stamp: 0x560b37be
Faulting module name: mozglue.dll, version: 41.0.1.5750, time stamp: 0x560b229d
Exception code: 0x80000003
Fault offset: 0x0000ec7f
Faulting process id: 0xcd0
Faulting application start time: 0xplugin-container.exe0
Faulting application path: plugin-container.exe1
Faulting module path: plugin-container.exe2
Report Id: plugin-container.exe3
Error: (10/01/2015 07:28:28 PM) (Source: Application Hang) (EventID: 1002) (User: )
Description: The program firefox.exe version 41.0.1.5750 stopped interacting with Windows and was closed. To see if more information about the problem is available, check the problem history in the Action Center control panel.
Process ID: ec8
Start Time: 01d0fca7c91dba3b
Termination Time: 11
Application Path: C:\Program Files\Mozilla Firefox\firefox.exe
Report Id:
Error: (09/28/2015 11:53:43 AM) (Source: Application Hang) (EventID: 1002) (User: )
Description: The program firefox.exe version 41.0.0.5738 stopped interacting with Windows and was closed. To see if more information about the problem is available, check the problem history in the Action Center control panel.
Process ID: 630
Start Time: 01d0f97f6c5a0d22
Termination Time: 34
Application Path: C:\Program Files\Mozilla Firefox\firefox.exe
Report Id: 77bd087d-6601-11e5-bc43-0016418fd44e
System errors:
=============
Error: (10/09/2015 07:12:52 PM) (Source: NetBT) (EventID: 4321) (User: )
Description: The name "USER-PC :0" could not be registered on the interface with IP address 192.168.0.3.
The computer with the IP address 192.168.0.2 did not allow the name to be claimed by
this computer.
Error: (10/09/2015 07:08:42 PM) (Source: NetBT) (EventID: 4321) (User: )
Description: The name "USER-PC :0" could not be registered on the interface with IP address 192.168.0.3.
The computer with the IP address 192.168.0.2 did not allow the name to be claimed by
this computer.
Error: (10/09/2015 07:08:42 PM) (Source: NetBT) (EventID: 4321) (User: )
Description: The name "USER-PC :20" could not be registered on the interface with IP address 192.168.0.3.
The computer with the IP address 192.168.0.2 did not allow the name to be claimed by
this computer.
Error: (10/09/2015 07:08:42 PM) (Source: Server) (EventID: 2505) (User: )
Description: The server could not bind to the transport \Device\NetBT_Tcpip_{6C1E3C77-1C84-43C7-8007-77C8B6A57208} because another computer on the network has the same name. The server could not start.
Error: (10/08/2015 04:29:28 PM) (Source: NetBT) (EventID: 4321) (User: )
Description: The name "USER-PC :0" could not be registered on the interface with IP address 192.168.0.3.
The computer with the IP address 192.168.0.2 did not allow the name to be claimed by
this computer.
Error: (10/08/2015 04:29:27 PM) (Source: NetBT) (EventID: 4321) (User: )
Description: The name "USER-PC :20" could not be registered on the interface with IP address 192.168.0.3.
The computer with the IP address 192.168.0.2 did not allow the name to be claimed by
this computer.
Error: (10/08/2015 04:29:27 PM) (Source: Server) (EventID: 2505) (User: )
Description: The server could not bind to the transport \Device\NetBT_Tcpip_{6C1E3C77-1C84-43C7-8007-77C8B6A57208} because another computer on the network has the same name. The server could not start.
Error: (10/07/2015 03:44:48 PM) (Source: NetBT) (EventID: 4321) (User: )
Description: The name "USER-PC :20" could not be registered on the interface with IP address 192.168.0.3.
The computer with the IP address 192.168.0.2 did not allow the name to be claimed by
this computer.
Error: (10/07/2015 03:44:48 PM) (Source: Server) (EventID: 2505) (User: )
Description: The server could not bind to the transport \Device\NetBT_Tcpip_{6C1E3C77-1C84-43C7-8007-77C8B6A57208} because another computer on the network has the same name. The server could not start.
Error: (10/06/2015 09:34:47 PM) (Source: NetBT) (EventID: 4321) (User: )
Description: The name "USER-PC :0" could not be registered on the interface with IP address 192.168.0.3.
The computer with the IP address 192.168.0.2 did not allow the name to be claimed by
this computer.
==================== Memory info ===========================
Processor: Intel(R) Core(TM)2 Duo CPU T7300 @ 2.00GHz
Percentage of memory in use: 73%
Total physical RAM: 2037.97 MB
Available physical RAM: 544.35 MB
Total Virtual: 4075.95 MB
Available Virtual: 2649.18 MB
==================== Drives ================================
Drive c: () (Fixed) (Total:298.09 GB) (Free:254.68 GB) NTFS ==>[drive with boot components (obtained from BCD)]
==================== MBR & Partition Table ==================
========================================================
Disk: 0 (MBR Code: Windows XP) (Size: 298.1 GB) (Disk ID: B848D491)
Partition 1: (Active) - (Size=298.1 GB) - (Type=07 NTFS)
==================== End of Addition.txt ============================
My computer is running very slow and is not opening programs that it used to. It will not let me run spybot and it wont let me run ASWMBR. exe
Please help.
http://i.imgur.com/goGMWSt.gifP2P Warning
------------------------------
I see you have peer-to-peer (P2P) file sharing software installed on your computer (uTorrent). I advise you avoid P2P file sharing programmes; they are a security risk which can make your computer susceptible to malware. File sharing networks are thoroughly infected and infested with malware - worms (http://en.wikipedia.org/wiki/Computer_worm), backdoor Trojans (http://www.symantec.com/security_response/writeup.jsp?docid=2001-062614-1754-99), IRCBots (http://en.wikipedia.org/wiki/IRC_bot), and rootkits (http://en.wikipedia.org/wiki/Rootkit) propagate via P2P file sharing networks, gaming, and underground sites. Users visiting such pages may see innocuous-looking banner ads containing code which can trigger pop-up ads and malicious Flash ads that install viruses, Trojans, and spyware. The best way to reduce the risk of infection is to avoid these types of web sites and not use P2P applications. Please read the following articles for more information.
Risks of File-Sharing Technology (http://www.us-cert.gov/cas/tips/ST05-007.html)
P2P Software User Advisories (http://aresgalaxy.sourceforge.net/p2prisks.htm)
More malware is traveling on P2P networks these days (http://www.computerworld.com/s/article/9240067/More_malware_is_traveling_on_P2P_networks_these_days)
Your P2P software can be removed by following the instructions below.
Press the Windows Key http://i.imgur.com/pdKOQKY.png + r on your keyboard at the same time. Type appwiz.cpl and click OK.
Search for the aforementioned programme(s), right-click and click Uninstall.
If you choose not to, please refrain from using the programme(s) during this process.
~~~~~~~~~~~~`
If you can download these next tools to desktop, and then have problems ttrying to get them to run, please boot into safe mode and try again.
Download Malwarebytes' Anti-Malware (http://www.malwarebytes.org/mbam-download.php) TO YOUR DESKTOP
Windows XP : Double click on the icon to run it.
Windows Vista, Windows 7 & 8 : Right click and select "Run as Administrator"
http://i24.photobucket.com/albums/c30/ken545/0841859c-1a35-4dbd-b41a-e720629e3e22_zpst0yckuua.png
On the Dashboard click on Update Now
Go to the Setting Tab
Under Setting go to Detection and Protection
Under PUP and PUM make sure both are set to show Treat Detections as Malware
Go to Advanced setting and make sure Automatically Quarantine Detected Items is checked
Then on the Dashboard click on Scan
Make sure to select THREAT SCAN
Then click on Scan
When the scan is finished and the log pops up...select Copy to Clipboard
Please paste the log back into this thread for review
Exit Malwarebytes
1. Open up Malwarebytes and you will be on the Dashboard
2. Click on the History Tab
3. Then click on Application Logs
4. Double click on the SCAN LOG (Not Protection Log ) you just ran
5. When it opens it will look like this
http://i24.photobucket.com/albums/c30/ken545/MBAM%20Export_zpsjbtttjun.jpg
~~~~~~~~~~
http://i.imgur.com/BY4dvz9.png AdwCleaner
Please download AdwCleaner (http://www.bleepingcomputer.com/download/adwcleaner/) and save the file to your Desktop.
Right-Click AdwCleaner.exe and select http://i.imgur.com/AVOiBNU.jpg Run as administrator to run the programme.
Follow the prompts.
Click Scan.
Upon completion, click Report. A log (AdwCleaner[SX].txt) will open. Briefly check the log for anything you know to be legitimate.
Ensure anything you know to be legitimate does not have a checkmark, and click Clean.
Follow the prompts and allow your computer to reboot.
After rebooting, a log (AdwCleaner[SX].txt) will open. Copy the contents of the log and paste in your next reply.
-- File and registry key backups are made for anything removed using this tool. Should a legitimate entry be removed (otherwise known as a 'false-positive'), simple steps can be taken to restore the entry. Please do not overly concern yourself with the contents of AdwCleaner[R0].txt.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
http://imageshack.us/a/img841/7292/thisisujrt.gif
Please download Junkware Removal Tool (http://www.bleepingcomputer.com/download/junkware-removal-tool/)
or from here http://downloads.malwarebytes.org/file/jrt
to your desktop.
Shut down your protection software now to avoid potential conflicts.
Run the tool by double-clicking it. If you are using Windows Vista, 7, or 8; instead of double-clicking, right-mouse click JRT.exe and select "Run as Administrator".
The tool will open and start scanning your system.
Please be patient as this can take a while to complete depending on your system's specifications.
On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
Post the contents of JRT.txt into your next message.
please post
MalwareBytes log
AdwCleaner[CX].txt
JRT.txt
Red_Earth
2015-10-12, 22:30
Utorrent had already been uninstalled by the time I had started this thread, but to be sure, I followed the instructions for removing Utorrent, and it did not appear as an option for uninstall. I have the .exe for malwarebytes, and one of the problems is I cannot get it to run. I also cannot get spybot to run scan. I have run the adwCleaner, and the results follow. (although I did not see a report button, this is the log it gave me.)
# AdwCleaner v5.013 - Logfile created 12/10/2015 at 14:03:00
# Updated 09/10/2015 by Xplode
# Database : 2015-10-09.3 [Server]
# Operating system : Windows 7 Ultimate (x86)
# Username : user - USER-PC
# Running from : C:\Users\user\Downloads\AdwCleaner.exe
# Option : Cleaning
# Support : http://toolslib.net/forum
***** [ Services ] *****
***** [ Folders ] *****
***** [ Files ] *****
[-] File Deleted : C:\ProgramData\VjcYNwLhFDE6.dll
[-] File Deleted : C:\users\user\AppData\Roaming\Mozilla\Firefox\Profiles\vk605143.default\searchplugins\ask-web-search.xml
***** [ DLLs ] *****
***** [ Shortcuts ] *****
***** [ Scheduled tasks ] *****
***** [ Registry ] *****
[-] Key Deleted : HKLM\SOFTWARE\Classes\protector_dll.protectorbho
[-] Key Deleted : HKLM\SOFTWARE\Classes\protector_dll.protectorbho.1
***** [ Web browsers ] *****
[-] [C:\users\user\AppData\Roaming\Mozilla\Firefox\Profiles\vk605143.default\prefs.js] [Preference] Deleted : user_pref("browser.search.defaultenginename", "Ask Web Search");
[-] [C:\users\user\AppData\Roaming\Mozilla\Firefox\Profiles\vk605143.default\prefs.js] [Preference] Deleted : user_pref("browser.search.selectedEngine", "Ask Web Search");
[-] [C:\users\user\AppData\Roaming\Mozilla\Firefox\Profiles\vk605143.default\prefs.js] [Preference] Deleted : user_pref("browser.startup.homepage", "hxxp://home.tb.ask.com/index.jhtml?ptb=5511A651-82A3-4CC4-907D-C555A1F8DFCE&n=781b8b1b&p2=^ZX^foxyyy^YYA^us");
[-] [C:\users\user\AppData\Roaming\Mozilla\Firefox\Profiles\vk605143.default\prefs.js] [Preference] Deleted : user_pref("extensions.toolbar.mindspark.hp.enabled", false);
[-] [C:\users\user\AppData\Roaming\Mozilla\Firefox\Profiles\vk605143.default\prefs.js] [Preference] Deleted : user_pref("extensions.toolbar.mindspark.hp.enabled.guid", "");
[-] [C:\users\user\AppData\Roaming\Mozilla\Firefox\Profiles\vk605143.default\prefs.js] [Preference] Deleted : user_pref("extensions.toolbar.mindspark.lastInstalled", "radiorage@mindspark.com");
[-] [C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data] [Search Provider] Deleted : aol.com
[-] [C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data] [Search Provider] Deleted : ask.com
*************************
:: Winsock settings cleared
########## EOF - C:\AdwCleaner\AdwCleaner[C1].txt - [2318 bytes] ##########
junkware reprt will follow
Red_Earth
2015-10-12, 22:39
I could not run the JRT file, even as administrator. It says nothing; it just doesn'topen or run.
By chance did you try safe mode?
Could be your computers onboard protection is interring.
Turn Windows Defender on or off
http://windows.microsoft.com/en-us/windows/turn-windows-defender-on-off#turn-windows-defender-on-off=windows-7
~~~~~~~~~~~~
I want you to find FRST.txt and Addition.txt (from previous run) and send or drag them to the recycle bin.
~~~~~~~~~~~~`
Right-Click FRST.exe / FRST64.exe and select http://i.imgur.com/AVOiBNU.jpg Run as administrator to run the programme.
Click Yes to the disclaimer.
Ensure the Addition.txt box is checked.
Click the Scan button and let the programme run.
Upon completion, click OK, then OK on the Addition.txt pop up screen.
Two logs (FRST.txt & Addition.txt) will now be open on your Desktop. Copy the contents of both logs and paste in your next reply.
Red_Earth
2015-10-13, 01:38
I open in safe mode and malwarebytes and JRT wont run and spybot wont do a scan. also windows defender will not allow me to select tools. it wont highlight as an option. It also wont update. Here is my new FRST logs though.
Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version:12-10-2015
Ran by user (administrator) on USER-PC (12-10-2015 17:30:22)
Running from C:\Users\user\Desktop
Loaded Profiles: user (Available Profiles: user)
Platform: Microsoft Windows 7 Ultimate (X86) Language: English (United States)
Internet Explorer Version 8 (Default browser: FF)
Boot Mode: Safe Mode (with Networking)
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/
==================== Processes (Whitelisted) =================
(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)
(Mozilla Corporation) C:\Program Files\Mozilla Firefox\firefox.exe
==================== Registry (Whitelisted) ===========================
(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)
HKLM\...\Run: [SDTray] => C:\Program Files\Spybot - Search & Destroy 2\SDTray.exe [4101576 2014-06-24] (Safer-Networking Ltd.)
HKLM\...\Run: [VjcYNwLhFDE6] => regsvr32.exe /s "C:\PROGRA~2\VjcYNwLhFDE6.dll"
HKLM\...\Run: [Chrome] => C:\ProgramData\taskhost.exe [5120 2015-10-06] ()
Winlogon\Notify\SDWinLogon: SDWinLogon.dll [X]
HKU\S-1-5-21-2083325841-3239248121-869660377-1000\...\Run: [SandboxieControl] => C:\Program Files\Sandboxie\SbieCtrl.exe [543432 2013-10-16] (Sandboxie Holdings, LLC)
HKU\S-1-5-21-2083325841-3239248121-869660377-1000\...\Run: [CCleaner Monitoring] => C:\Program Files\CCleaner\CCleaner.exe [6490904 2015-08-19] (Piriform Ltd)
HKU\S-1-5-21-2083325841-3239248121-869660377-1000\...\Run: [SpybotPostWindows10UpgradeReInstall] => C:\Program Files\Common Files\AV\Spybot - Search and Destroy\Test.exe [1011200 2015-07-28] (Safer-Networking Ltd.)
HKU\S-1-5-21-2083325841-3239248121-869660377-1000\...\Run: [Chrome] => C:\ProgramData\taskhost.exe [5120 2015-10-06] ()
HKU\S-1-5-18\...\Run: [Chrome] => C:\ProgramData\taskhost.exe [5120 2015-10-06] ()
Startup: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\restore_files_mkkgj.html [2015-08-22] ()
Startup: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\restore_files_mkkgj.txt [2015-08-22] ()
Startup: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\restore_files_qnhwg.html [2015-08-22] ()
Startup: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\restore_files_qnhwg.txt [2015-08-22] ()
BootExecute: autocheck autochk * sdnclean.exe
==================== Internet (Whitelisted) ====================
(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)
Tcpip\Parameters: [DhcpNameServer] 75.75.75.75 75.75.76.76
Tcpip\..\Interfaces\{20396C80-FAE6-446D-A19D-054238E5CE4E}: [DhcpNameServer] 75.75.75.75 75.75.76.76
Tcpip\..\Interfaces\{6C1E3C77-1C84-43C7-8007-77C8B6A57208}: [DhcpNameServer] 75.75.75.75 75.75.76.76
Internet Explorer:
==================
HKU\S-1-5-21-2083325841-3239248121-869660377-1000\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = hxxp://www.msn.com/?ocid=iehp
BHO: Google Toolbar Helper -> {AA58ED58-01DD-4d91-8333-CF10577473F7} -> C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll [2015-09-23] (Google Inc.)
Toolbar: HKLM - Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll [2015-09-23] (Google Inc.)
Toolbar: HKU\S-1-5-21-2083325841-3239248121-869660377-1000 -> Google Toolbar - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll [2015-09-23] (Google Inc.)
FireFox:
========
FF ProfilePath: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\vk605143.default
FF Homepage: hxxps://www.google.com/?gws_rd=ssl
FF Plugin: @adobe.com/FlashPlayer -> C:\Windows\system32\Macromed\Flash\NPSWF32_19_0_0_185.dll [2015-09-23] ()
FF Plugin: @tools.google.com/Google Update;version=3 -> C:\Program Files\Google\Update\1.3.28.15\npGoogleUpdate3.dll [2015-09-19] (Google Inc.)
FF Plugin: @tools.google.com/Google Update;version=9 -> C:\Program Files\Google\Update\1.3.28.15\npGoogleUpdate3.dll [2015-09-19] (Google Inc.)
FF Plugin: @videolan.org/vlc,version=2.2.1 -> C:\Program Files\VideoLAN\VLC\npvlc.dll [2015-04-13] (VideoLAN)
FF SearchPlugin: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\vk605143.default\searchplugins\restore_files_mkkgj.html [2015-08-22]
FF SearchPlugin: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\vk605143.default\searchplugins\restore_files_mkkgj.txt [2015-08-22]
FF SearchPlugin: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\vk605143.default\searchplugins\restore_files_qnhwg.html [2015-08-22]
FF SearchPlugin: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\vk605143.default\searchplugins\restore_files_qnhwg.txt [2015-08-22]
FF Extension: Ghostery - C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\vk605143.default\Extensions\firefox@ghostery.com.xpi [2015-05-16]
Chrome:
=======
CHR HomePage: Default -> hxxp://www.google.com/
CHR StartupUrls: Default -> "hxxp://www.google.com/"
CHR Profile: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default
CHR Extension: (Google Slides) - C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek [2015-05-31]
CHR Extension: (Google Docs) - C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake [2015-05-31]
CHR Extension: (Google Drive) - C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2015-05-31]
CHR Extension: (YouTube) - C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2015-05-31]
CHR Extension: (Google Search) - C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf [2015-05-31]
CHR Extension: (Google Sheets) - C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap [2015-05-31]
CHR Extension: (Google Docs Offline) - C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi [2015-09-27]
CHR Extension: (Chrome Hotword Shared Module) - C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\lccekmodgklaepjeofjdjpbminllajkg [2015-05-31]
CHR Extension: (Chrome Web Store Payments) - C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2015-05-31]
CHR Extension: (Gmail) - C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2015-05-31]
==================== Services (Whitelisted) ========================
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
S2 SbieSvc; C:\Program Files\Sandboxie\SbieSvc.exe [130248 2013-10-16] (Sandboxie Holdings, LLC)
S2 SDScannerService; C:\Program Files\Spybot - Search & Destroy 2\SDFSSvc.exe [1738168 2014-06-24] (Safer-Networking Ltd.)
S2 SDUpdateService; C:\Program Files\Spybot - Search & Destroy 2\SDUpdSvc.exe [2088408 2014-06-27] (Safer-Networking Ltd.)
S2 SDWSCService; C:\Program Files\Spybot - Search & Destroy 2\SDWSCSvc.exe [171928 2014-04-25] (Safer-Networking Ltd.)
R2 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [680960 2009-07-13] (Microsoft Corporation)
===================== Drivers (Whitelisted) ==========================
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
S3 SbieDrv; C:\Program Files\Sandboxie\SbieDrv.sys [159840 2013-10-16] (Sandboxie Holdings, LLC)
==================== NetSvcs (Whitelisted) ===================
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
==================== One Month Created files and folders ========
(If an entry is included in the fixlist, the file/folder will be moved.)
2015-10-12 17:30 - 2015-10-12 17:30 - 00008187 _____ C:\Users\user\Desktop\FRST.txt
2015-10-12 17:29 - 2015-10-12 17:29 - 01699840 _____ (Farbar) C:\Users\user\Desktop\FRST.exe
2015-10-12 17:29 - 2015-10-12 17:29 - 00000000 ____D C:\Users\user\Desktop\FRST-OlderVersion
2015-10-12 17:27 - 2015-10-12 17:28 - 00003355 _____ C:\Windows\system32\DB3841779606
2015-10-12 17:26 - 2015-10-12 17:26 - 00000640 _____ C:\Users\user\Desktop\AdwCleaner[S3].txt
2015-10-12 14:31 - 2015-10-12 14:31 - 01801288 _____ (Malwarebytes) C:\Users\user\Desktop\JRT.exe
2015-10-12 13:59 - 2015-10-12 17:25 - 00000000 ____D C:\AdwCleaner
2015-10-12 13:59 - 2015-10-12 13:59 - 01682432 _____ C:\Users\user\Desktop\AdwCleaner.exe
2015-10-10 18:34 - 2015-10-12 14:04 - 00000168 _____ C:\Windows\setupact.log
2015-10-10 18:34 - 2015-10-10 18:34 - 00000000 _____ C:\Windows\setuperr.log
2015-10-10 15:20 - 2015-10-10 15:20 - 00000000 ____D C:\Users\user\Documents\ProcAlyzer Dumps
2015-10-10 13:10 - 2015-10-12 17:20 - 00017595 _____ C:\Windows\WindowsUpdate.log
2015-10-09 20:42 - 2015-10-09 20:42 - 00000355 _____ C:\Users\user\Desktop\Computer - Shortcut.lnk
2015-10-09 20:41 - 2015-10-09 20:53 - 00000000 ____D C:\Users\user\Desktop\flac
2015-10-09 20:10 - 2015-10-09 20:10 - 00000207 _____ C:\Windows\tweaking.com-regbackup-USER-PC-Windows-7-Ultimate-(32-bit).dat
2015-10-09 20:10 - 2015-10-09 20:10 - 00000000 ____D C:\RegBackup
2015-10-09 19:38 - 2015-10-09 19:38 - 05200384 _____ (AVAST Software) C:\Users\user\Downloads\aswmbr (2).exe
2015-10-09 19:27 - 2015-10-09 19:27 - 00002181 _____ C:\Users\Public\Desktop\Tweaking.com - Registry Backup.lnk
2015-10-09 19:27 - 2015-10-09 19:27 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Tweaking.com
2015-10-09 19:26 - 2015-10-09 19:26 - 04687448 _____ (Tweaking.com) C:\Users\user\Downloads\tweaking.com_registry_backup_setup.exe
2015-10-09 19:26 - 2015-10-09 19:26 - 00000000 ____D C:\Program Files\Tweaking.com
2015-10-09 19:20 - 2015-10-09 19:20 - 05200384 _____ (AVAST Software) C:\Users\user\Downloads\aswmbr (1).exe
2015-10-09 19:17 - 2015-10-09 19:18 - 05200384 _____ (AVAST Software) C:\Users\user\Downloads\aswmbr.exe
2015-10-09 19:15 - 2015-10-09 19:15 - 00017372 _____ C:\Users\user\Downloads\Addition.txt
2015-10-09 19:14 - 2015-10-09 19:15 - 00018107 _____ C:\Users\user\Downloads\FRST.txt
2015-10-09 19:14 - 2015-10-09 19:14 - 00000000 ____D C:\Users\user\Downloads\FRST-OlderVersion
2015-10-09 19:13 - 2015-10-12 17:30 - 00000000 ____D C:\FRST
2015-10-09 19:13 - 2015-10-09 19:14 - 01698304 _____ (Farbar) C:\Users\user\Downloads\FRST.exe
2015-10-09 14:59 - 2015-10-09 14:59 - 01822048 _____ (BitTorrent Inc.) C:\Users\user\Downloads\uTorrent (1).exe
2015-10-06 18:32 - 2015-10-06 18:32 - 00005120 _____ C:\ProgramData\taskhost.exe
2015-10-02 12:33 - 2015-10-02 12:33 - 01821536 _____ (BitTorrent Inc.) C:\Users\user\Downloads\uTorrent(1).exe
2015-10-02 12:28 - 2015-10-09 15:07 - 00000000 ____D C:\Users\user\AppData\LocalLow\uTorrent
2015-10-02 12:26 - 2015-10-02 12:27 - 01821536 _____ (BitTorrent Inc.) C:\Users\user\Downloads\uTorrent.exe
2015-09-30 21:31 - 2015-10-02 06:56 - 00000000 ____D C:\Program Files\Mozilla Firefox
2015-09-20 14:54 - 2015-09-20 14:54 - 00000000 ____D C:\Program Files\Common Files\AV
2015-09-20 14:54 - 2015-07-28 17:52 - 00821920 _____ (Safer-Networking Ltd. ) C:\Users\Public\Desktop\Post Win10 Spybot-install.exe
2015-09-20 14:47 - 2015-10-10 15:27 - 00002119 _____ C:\Users\Public\Desktop\Spybot-S&D Start Center.lnk
2015-09-20 14:47 - 2015-09-20 14:47 - 00002131 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Spybot-S&D Start Center.lnk
2015-09-20 14:47 - 2015-09-20 14:47 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Spybot - Search & Destroy 2
2015-09-20 14:47 - 2013-09-20 10:49 - 00018968 _____ (Safer Networking Limited) C:\Windows\system32\sdnclean.exe
2015-09-20 14:34 - 2015-09-20 14:37 - 46525608 _____ (Safer-Networking Ltd. ) C:\Users\user\Downloads\spybot-2.4.exe
2015-09-20 14:03 - 2015-09-20 14:03 - 00000965 _____ C:\Users\Public\Desktop\CCleaner.lnk
2015-09-20 14:03 - 2015-09-20 14:03 - 00000000 ____D C:\Program Files\CCleaner
2015-09-20 14:02 - 2015-09-20 14:03 - 06667640 _____ (Piriform Ltd) C:\Users\user\Downloads\ccsetup509.exe
==================== One Month Modified files and folders ========
(If an entry is included in the fixlist, the file/folder will be moved.)
2015-10-12 17:20 - 2009-07-13 23:34 - 00013776 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2015-10-12 17:20 - 2009-07-13 23:34 - 00013776 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2015-10-12 17:02 - 2015-05-18 19:08 - 00000886 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2015-10-12 17:02 - 2015-05-18 19:08 - 00000882 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2015-10-12 17:02 - 2015-05-16 16:59 - 00000830 _____ C:\Windows\Tasks\Adobe Flash Player Updater.job
2015-10-12 14:04 - 2009-07-13 23:53 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2015-10-11 11:41 - 2015-08-25 06:42 - 03620460 _____ C:\Windows\system32\CFG3841779606
2015-10-11 08:29 - 2014-02-21 00:58 - 00001536 _____ C:\Windows\Sandboxie.ini
2015-10-10 15:26 - 2015-07-26 18:46 - 00000000 ____D C:\ProgramData\Spybot - Search & Destroy
2015-10-09 15:04 - 2015-05-31 20:38 - 00000000 ____D C:\Users\user\AppData\Roaming\vlc
2015-10-05 16:57 - 2015-07-22 07:03 - 00000000 ____D C:\Windows\Minidump
2015-10-05 14:45 - 2013-12-02 23:58 - 00713888 _____ C:\Windows\system32\PerfStringBackup.INI
2015-10-04 15:53 - 2015-08-31 19:45 - 00000000 ____D C:\Users\user\AppData\Roaming\tor
2015-10-02 06:56 - 2014-02-21 00:48 - 00000000 ____D C:\Program Files\Mozilla Maintenance Service
2015-09-27 14:35 - 2015-05-18 19:08 - 00002129 _____ C:\Users\Public\Desktop\Google Chrome.lnk
2015-09-23 06:48 - 2015-08-23 11:02 - 18819272 _____ (Adobe Systems Incorporated) C:\Windows\system32\FlashPlayerInstaller.exe
2015-09-23 06:48 - 2015-05-16 16:59 - 00780488 _____ (Adobe Systems Incorporated) C:\Windows\system32\FlashPlayerApp.exe
2015-09-23 06:48 - 2015-05-16 16:59 - 00142536 _____ (Adobe Systems Incorporated) C:\Windows\system32\FlashPlayerCPLApp.cpl
2015-09-20 14:54 - 2015-07-26 18:46 - 00000000 ____D C:\Program Files\Spybot - Search & Destroy 2
2015-09-20 14:03 - 2015-07-26 18:42 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\CCleaner
2015-09-19 18:08 - 2009-07-13 21:37 - 00000000 ____D C:\Windows\system32\wfp
2015-09-19 18:08 - 2009-07-13 21:37 - 00000000 ____D C:\Windows\system32\NDF
2015-09-19 18:07 - 2015-05-18 19:08 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome
2015-09-19 18:07 - 2015-05-18 19:07 - 00000000 ____D C:\Users\user\AppData\Local\Google
2015-09-19 18:07 - 2009-07-13 21:37 - 00000000 ____D C:\Windows\registration
2015-09-19 18:07 - 2009-07-13 21:37 - 00000000 ____D C:\Windows\AppCompat
==================== Files in the root of some directories =======
2015-08-22 16:45 - 2015-08-22 16:45 - 0005081 _____ () C:\Users\user\AppData\Roaming\restore_files_mkkgj.html
2015-08-22 16:45 - 2015-08-22 16:45 - 0002253 _____ () C:\Users\user\AppData\Roaming\restore_files_mkkgj.txt
2015-08-22 07:05 - 2015-08-22 07:05 - 0003822 _____ () C:\Users\user\AppData\Roaming\restore_files_qnhwg.html
2015-08-22 07:05 - 2015-08-22 07:05 - 0002170 _____ () C:\Users\user\AppData\Roaming\restore_files_qnhwg.txt
2015-08-23 09:12 - 2015-08-23 09:12 - 0003822 _____ () C:\Users\user\AppData\Local\restore_files_bjvdg.html
2015-08-23 09:12 - 2015-08-23 09:12 - 0002170 _____ () C:\Users\user\AppData\Local\restore_files_bjvdg.txt
2015-08-23 08:41 - 2015-08-23 08:41 - 0003822 _____ () C:\Users\user\AppData\Local\restore_files_hvdux.html
2015-08-23 08:41 - 2015-08-23 08:41 - 0002170 _____ () C:\Users\user\AppData\Local\restore_files_hvdux.txt
2015-08-22 16:29 - 2015-08-22 16:43 - 0005081 _____ () C:\Users\user\AppData\Local\restore_files_mkkgj.html
2015-08-22 16:29 - 2015-08-22 16:43 - 0002253 _____ () C:\Users\user\AppData\Local\restore_files_mkkgj.txt
2015-08-22 06:48 - 2015-08-22 07:01 - 0003822 _____ () C:\Users\user\AppData\Local\restore_files_qnhwg.html
2015-08-22 06:48 - 2015-08-22 07:01 - 0002170 _____ () C:\Users\user\AppData\Local\restore_files_qnhwg.txt
2015-08-23 09:02 - 2015-08-23 09:03 - 0429427 _____ (Boxer Software) C:\ProgramData\716C5D6A.EX
2015-08-23 09:10 - 2015-08-23 09:12 - 0003822 _____ () C:\ProgramData\restore_files_bjvdg.html
2015-08-23 09:10 - 2015-08-23 09:12 - 0002170 _____ () C:\ProgramData\restore_files_bjvdg.txt
2015-08-23 10:02 - 2015-08-23 10:03 - 0003822 _____ () C:\ProgramData\restore_files_fmlub.html
2015-08-23 10:02 - 2015-08-23 10:03 - 0002170 _____ () C:\ProgramData\restore_files_fmlub.txt
2015-08-23 08:39 - 2015-08-23 08:41 - 0003822 _____ () C:\ProgramData\restore_files_hvdux.html
2015-08-23 08:39 - 2015-08-23 08:41 - 0002170 _____ () C:\ProgramData\restore_files_hvdux.txt
2015-08-22 16:29 - 2015-08-22 16:29 - 0005081 _____ () C:\ProgramData\restore_files_mkkgj.html
2015-08-22 16:29 - 2015-08-22 16:29 - 0002253 _____ () C:\ProgramData\restore_files_mkkgj.txt
2015-08-22 06:46 - 2015-08-22 06:48 - 0003822 _____ () C:\ProgramData\restore_files_qnhwg.html
2015-08-22 06:46 - 2015-08-22 06:48 - 0002170 _____ () C:\ProgramData\restore_files_qnhwg.txt
2015-08-23 10:01 - 2015-08-23 10:01 - 0003822 _____ () C:\ProgramData\restore_files_swkdn.html
2015-08-23 10:01 - 2015-08-23 10:01 - 0002170 _____ () C:\ProgramData\restore_files_swkdn.txt
2015-10-06 18:32 - 2015-10-06 18:32 - 0005120 _____ () C:\ProgramData\taskhost.exe
Files to move or delete:
====================
C:\ProgramData\taskhost.exe
==================== Bamital & volsnap =================
(There is no automatic fix for files that do not pass verification.)
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\system32\winlogon.exe => File is digitally signed
C:\Windows\system32\wininit.exe => File is digitally signed
C:\Windows\system32\svchost.exe => File is digitally signed
C:\Windows\system32\services.exe => File is digitally signed
C:\Windows\system32\User32.dll => File is digitally signed
C:\Windows\system32\userinit.exe => File is digitally signed
C:\Windows\system32\rpcss.dll => File is digitally signed
C:\Windows\system32\dnsapi.dll => File is digitally signed
C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed
LastRegBack: 2015-10-12 13:47
==================== End of FRST.txt ============================
Additional scan result of Farbar Recovery Scan Tool (x86) Version:12-10-2015
Ran by user (2015-10-12 17:30:59)
Running from C:\Users\user\Desktop
Microsoft Windows 7 Ultimate (X86) (2013-12-03 04:56:25)
Boot Mode: Safe Mode (with Networking)
==========================================================
==================== Accounts: =============================
Administrator (S-1-5-21-2083325841-3239248121-869660377-500 - Administrator - Disabled)
Guest (S-1-5-21-2083325841-3239248121-869660377-501 - Limited - Disabled)
user (S-1-5-21-2083325841-3239248121-869660377-1000 - Administrator - Enabled) => C:\Users\user
==================== Security Center ========================
(If an entry is included in the fixlist, it will be removed.)
AS: Windows Defender (Enabled - Out of date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
AS: Spybot - Search and Destroy (Enabled - Up to date) {9BC38DF1-3CCA-732D-A930-C1CA5F20A4B0}
==================== Installed Programs ======================
(Only the adware programs with "Hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)
Adobe Flash Player 19 ActiveX (HKLM\...\Adobe Flash Player ActiveX) (Version: 19.0.0.185 - Adobe Systems Incorporated)
Adobe Flash Player 19 NPAPI (HKLM\...\Adobe Flash Player NPAPI) (Version: 19.0.0.185 - Adobe Systems Incorporated)
Audacity 2.1.0 (HKLM\...\Audacity_is1) (Version: 2.1.0 - Audacity Team)
CCleaner (HKLM\...\CCleaner) (Version: 5.09 - Piriform)
FlashCut CNC 3 (HKLM\...\{3D977399-5981-462B-A47E-7EA6DF472C84}) (Version: 3.0.7991 - )
Google Chrome (HKLM\...\Google Chrome) (Version: 45.0.2454.101 - Google Inc.)
Google Toolbar for Internet Explorer (HKLM\...\{2318C2B1-4965-11d4-9B18-009027A5CD4F}) (Version: 7.5.6904.2028 - Google Inc.)
Google Toolbar for Internet Explorer (Version: 1.0.0 - Google Inc.) Hidden
Google Update Helper (Version: 1.3.24.7 - Google Inc.) Hidden
Google Update Helper (Version: 1.3.28.15 - Google Inc.) Hidden
Mozilla Firefox 41.0.1 (x86 en-US) (HKLM\...\Mozilla Firefox 41.0.1 (x86 en-US)) (Version: 41.0.1 - Mozilla)
Mozilla Maintenance Service (HKLM\...\MozillaMaintenanceService) (Version: 41.0.1.5750 - Mozilla)
Sandboxie 4.06 (32-bit) (HKLM\...\Sandboxie) (Version: 4.06 - Sandboxie Holdings, LLC)
Spybot - Search & Destroy (HKLM\...\{B4092C6D-E886-4CB2-BA68-FE5A99D31DE7}_is1) (Version: 2.4.40 - Safer-Networking Ltd.)
Tweaking.com - Registry Backup (HKLM\...\Tweaking.com - Registry Backup) (Version: 3.2.2 - Tweaking.com)
VLC media player (HKLM\...\VLC media player) (Version: 2.2.1 - VideoLAN)
==================== Custom CLSID (Whitelisted): ==========================
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
==================== Restore Points =========================
17-09-2015 17:20:18 Scheduled Checkpoint
24-09-2015 21:06:02 Scheduled Checkpoint
01-10-2015 21:29:18 Scheduled Checkpoint
10-10-2015 03:26:41 Scheduled Checkpoint
==================== Hosts content: ===============================
(If needed Hosts: directive could be included in the fixlist to reset Hosts.)
2009-07-13 21:04 - 2009-06-10 16:39 - 00000824 ____A C:\Windows\system32\Drivers\etc\hosts
==================== Scheduled Tasks (Whitelisted) =============
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
Task: {08AD9823-5BE4-451E-8A3B-2453186050AE} - System32\Tasks\GoogleUpdateTaskMachineUA => C:\Program Files\Google\Update\GoogleUpdate.exe [2015-08-27] (Google Inc.)
Task: {51E7EA72-7F13-451C-A4F0-8EB787A98834} - System32\Tasks\Safer-Networking\Spybot - Search and Destroy\Scan the system => C:\Program Files\Spybot - Search & Destroy 2\SDScan.exe [2014-06-24] (Safer-Networking Ltd.)
Task: {5FFD2335-5EC0-4AB4-8CD3-86A936DFACED} - System32\Tasks\Safer-Networking\Spybot - Search and Destroy\Refresh immunization => C:\Program Files\Spybot - Search & Destroy 2\SDImmunize.exe [2014-06-24] (Safer-Networking Ltd.)
Task: {B8C34CBC-35DC-4DE4-9414-9C4AAC684B11} - System32\Tasks\CCleanerSkipUAC => C:\Program Files\CCleaner\CCleaner.exe [2015-08-19] (Piriform Ltd)
Task: {BC510C08-B5B7-45C6-8E10-4369C7ADEF4E} - System32\Tasks\GoogleUpdateTaskMachineCore => C:\Program Files\Google\Update\GoogleUpdate.exe [2015-08-27] (Google Inc.)
Task: {C244040A-CD9D-4FFB-AADB-A56088BBF45D} - System32\Tasks\Adobe Flash Player Updater => C:\Windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2015-09-23] (Adobe Systems Incorporated)
Task: {D6B9AECD-45A8-4C6A-9953-063848528046} - System32\Tasks\Safer-Networking\Spybot - Search and Destroy\Check for updates => C:\Program Files\Spybot - Search & Destroy 2\SDUpdate.exe [2014-06-27] (Safer-Networking Ltd.)
(If an entry is included in the fixlist, the task (.job) file will be moved. The file which is running by the task will not be moved.)
Task: C:\Windows\Tasks\Adobe Flash Player Updater.job => C:\Windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe
Task: C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job => C:\Program Files\Google\Update\GoogleUpdate.exe
Task: C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job => C:\Program Files\Google\Update\GoogleUpdate.exe
==================== Loaded Modules (Whitelisted) ==============
2015-07-26 18:46 - 2014-05-13 12:04 - 00109400 _____ () C:\Program Files\Spybot - Search & Destroy 2\snlThirdParty150.bpl
2015-07-26 18:46 - 2014-05-13 12:04 - 00416600 _____ () C:\Program Files\Spybot - Search & Destroy 2\DEC150.bpl
==================== Alternate Data Streams (Whitelisted) =========
(If an entry is included in the fixlist, only the ADS will be removed.)
AlternateDataStreams: C:\Users\user\Desktop\USDF Region 6 3rd Level Freestyle Champs Prescription and LIz.avi.aaa:TOC.WMV
==================== Safe Mode (Whitelisted) ===================
(If an entry is included in the fixlist, it will be removed from the registry. The "AlternateShell" value will be restored.)
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Option => "OptionValue"="2"
==================== EXE Association (Whitelisted) ===============
(If an entry is included in the fixlist, the registry item will be restored to default or removed.)
==================== Internet Explorer trusted/restricted ===============
(If an entry is included in the fixlist, it will be removed from the registry.)
==================== Other Areas ============================
(Currently there is no automatic fix for this section.)
HKU\S-1-5-21-2083325841-3239248121-869660377-1000\Control Panel\Desktop\\Wallpaper ->
DNS Servers: 75.75.75.75 - 75.75.76.76
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System => (ConsentPromptBehaviorAdmin: 5) (ConsentPromptBehaviorUser: 3) (EnableLUA: 1)
Windows Firewall is enabled.
==================== MSCONFIG/TASK MANAGER disabled items ==
(Currently there is no automatic fix for this section.)
==================== FirewallRules (Whitelisted) ===============
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
FirewallRules: [{146EED79-38FC-46E9-B0E7-475D0F4B35B9}] => (Allow) C:\Program Files\Mozilla Firefox\firefox.exe
FirewallRules: [{7ECE3F12-8821-4161-86EE-D3595DB6DD95}] => (Allow) C:\Program Files\Mozilla Firefox\firefox.exe
FirewallRules: [{270D27C4-A42F-4EB8-BBB1-2DD1C4700592}] => (Allow) C:\Program Files\Google\Chrome\Application\chrome.exe
FirewallRules: [{13536BCF-935B-40C1-B136-CECE63D9B4A1}] => (Allow) C:\Users\user\AppData\Roaming\uTorrent\uTorrent.exe
FirewallRules: [{C2CA02A6-95B7-46B8-9CA4-942B56A8F0C7}] => (Allow) C:\Users\user\AppData\Roaming\uTorrent\uTorrent.exe
FirewallRules: [{BCF2EBC8-E806-4EC9-9FD5-2008A67E3687}] => (Allow) C:\Users\user\AppData\Roaming\uTorrent\uTorrent.exe
FirewallRules: [{260DD4DF-6237-4E59-8078-DE165E8B3040}] => (Allow) C:\Users\user\AppData\Roaming\uTorrent\uTorrent.exe
FirewallRules: [{D01181C8-43D3-409E-9535-F16252C1BE64}] => (Allow) C:\Users\user\AppData\Roaming\uTorrent\uTorrent.exe
FirewallRules: [{2AAEC011-3B36-4309-8C5A-B98483A6B455}] => (Allow) C:\Users\user\AppData\Roaming\uTorrent\uTorrent.exe
StandardProfile\AuthorizedApplications: [C:\Program Files\Spybot - Search & Destroy 2\SDTray.exe] => Enabled:Spybot - Search & Destroy tray access
StandardProfile\AuthorizedApplications: [C:\Program Files\Spybot - Search & Destroy 2\SDFSSvc.exe] => Enabled:Spybot-S&D 2 Scanner Service
StandardProfile\AuthorizedApplications: [C:\Program Files\Spybot - Search & Destroy 2\SDUpdate.exe] => Enabled:Spybot-S&D 2 Updater
StandardProfile\AuthorizedApplications: [C:\Program Files\Spybot - Search & Destroy 2\SDUpdSvc.exe] => Enabled:Spybot-S&D 2 Background update service
==================== Faulty Device Manager Devices =============
Name: Security Processor Loader Driver
Description: Security Processor Loader Driver
Class Guid: {8ECC055D-047F-11D1-A537-0000F8753ED1}
Manufacturer:
Service: spldr
Problem: : This device is not present, is not working properly, or does not have all its drivers installed. (Code 24)
Resolution: The device is installed incorrectly. The problem could be a hardware failure, or a new driver might be needed.
Devices stay in this state if they have been prepared for removal.
After you remove the device, this error disappears.Remove the device, and this error should be resolved.
==================== Event log errors: =========================
Application errors:
==================
Error: (10/09/2015 03:04:08 PM) (Source: Application Hang) (EventID: 1002) (User: )
Description: The program uTorrent.exe version 3.4.5.41162 stopped interacting with Windows and was closed. To see if more information about the problem is available, check the problem history in the Action Center control panel.
Process ID: bec
Start Time: 01d102cd4b208838
Termination Time: 16
Application Path: C:\Users\user\AppData\Roaming\uTorrent\uTorrent.exe
Report Id: e3dacfcb-6ec0-11e5-8ff0-0016418fd44e
Error: (10/09/2015 11:19:15 AM) (Source: System Restore) (EventID: 8211) (User: )
Description: The scheduled restore point could not be created. Additional information: (0x81000101).
Error: (10/09/2015 11:19:15 AM) (Source: System Restore) (EventID: 8193) (User: )
Description: Failed to create restore point (Process = C:\Windows\system32\rundll32.exe /d srrstr.dll,ExecuteScheduledSPPCreation; Description = Scheduled Checkpoint; Error = 0x81000101).
Error: (10/02/2015 08:26:11 PM) (Source: Windows Search Service) (EventID: 7042) (User: )
Description: The Windows Search Service is being stopped because there is a problem with the indexer: The catalog is corrupt.
Details:
The content index catalog is corrupt. 0xc0041801 (0xc0041801)
Error: (10/02/2015 08:26:11 PM) (Source: Windows Search Service) (EventID: 7040) (User: )
Description: The search service has detected corrupted data files in the index {id=2350}. The service will attempt to automatically correct this problem by rebuilding the index.
Details:
The content index catalog is corrupt. 0xc0041801 (0xc0041801)
Error: (10/02/2015 12:53:50 PM) (Source: Application Hang) (EventID: 1002) (User: )
Description: The program uTorrent.exe version 3.4.5.41162 stopped interacting with Windows and was closed. To see if more information about the problem is available, check the problem history in the Action Center control panel.
Process ID: a04
Start Time: 01d0fd3a3ba624b5
Termination Time: 29
Application Path: C:\Users\user\AppData\Roaming\uTorrent\uTorrent.exe
Report Id: 86ed4303-692e-11e5-80c1-0016418fd44e
Error: (10/02/2015 12:36:22 PM) (Source: Application Hang) (EventID: 1002) (User: )
Description: The program uTorrent.exe version 3.4.5.41162 stopped interacting with Windows and was closed. To see if more information about the problem is available, check the problem history in the Action Center control panel.
Process ID: e38
Start Time: 01d0fd388b4eef10
Termination Time: 16
Application Path: C:\Users\user\AppData\Roaming\uTorrent\uTorrent.exe
Report Id: 0c491d4d-692c-11e5-80c1-0016418fd44e
Error: (10/01/2015 07:54:26 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: plugin-container.exe, version: 41.0.1.5750, time stamp: 0x560b37be
Faulting module name: mozglue.dll, version: 41.0.1.5750, time stamp: 0x560b229d
Exception code: 0x80000003
Fault offset: 0x0000ec7f
Faulting process id: 0xcd0
Faulting application start time: 0xplugin-container.exe0
Faulting application path: plugin-container.exe1
Faulting module path: plugin-container.exe2
Report Id: plugin-container.exe3
Error: (10/01/2015 07:28:28 PM) (Source: Application Hang) (EventID: 1002) (User: )
Description: The program firefox.exe version 41.0.1.5750 stopped interacting with Windows and was closed. To see if more information about the problem is available, check the problem history in the Action Center control panel.
Process ID: ec8
Start Time: 01d0fca7c91dba3b
Termination Time: 11
Application Path: C:\Program Files\Mozilla Firefox\firefox.exe
Report Id:
Error: (09/28/2015 11:53:43 AM) (Source: Application Hang) (EventID: 1002) (User: )
Description: The program firefox.exe version 41.0.0.5738 stopped interacting with Windows and was closed. To see if more information about the problem is available, check the problem history in the Action Center control panel.
Process ID: 630
Start Time: 01d0f97f6c5a0d22
Termination Time: 34
Application Path: C:\Program Files\Mozilla Firefox\firefox.exe
Report Id: 77bd087d-6601-11e5-bc43-0016418fd44e
System errors:
=============
Error: (10/12/2015 05:21:20 PM) (Source: Service Control Manager) (EventID: 7001) (User: )
Description: The Computer Browser service depends on the Server service which failed to start because of the following error:
%%1068
Error: (10/12/2015 05:21:20 PM) (Source: Service Control Manager) (EventID: 7001) (User: )
Description: The Computer Browser service depends on the Server service which failed to start because of the following error:
%%1068
Error: (10/12/2015 05:21:18 PM) (Source: Service Control Manager) (EventID: 7001) (User: )
Description: The Computer Browser service depends on the Server service which failed to start because of the following error:
%%1068
Error: (10/12/2015 05:21:18 PM) (Source: Service Control Manager) (EventID: 7001) (User: )
Description: The Computer Browser service depends on the Server service which failed to start because of the following error:
%%1068
Error: (10/12/2015 05:21:17 PM) (Source: Service Control Manager) (EventID: 7001) (User: )
Description: The HomeGroup Provider service depends on the Function Discovery Provider Host service which failed to start because of the following error:
%%1068
Error: (10/12/2015 05:21:16 PM) (Source: DCOM) (EventID: 10005) (User: )
Description: 1084WSearch{7D096C5F-AC08-4F1F-BEB7-5C22C517CE39}
Error: (10/12/2015 05:21:16 PM) (Source: DCOM) (EventID: 10005) (User: )
Description: 1084WSearch{9E175B6D-F52A-11D8-B9A5-505054503030}
Error: (10/12/2015 05:21:15 PM) (Source: DCOM) (EventID: 10005) (User: )
Description: 1084EventSystem{1BE1F766-5536-11D1-B726-00C04FB926AF}
Error: (10/12/2015 05:21:09 PM) (Source: DCOM) (EventID: 10005) (User: )
Description: 1084ShellHWDetection{DD522ACC-F821-461A-A407-50B198B896DC}
Error: (10/12/2015 05:21:04 PM) (Source: Service Control Manager) (EventID: 7026) (User: )
Description: The following boot-start or system-start driver(s) failed to load:
discache
spldr
Wanarpv6
==================== Memory info ===========================
Processor: Intel(R) Core(TM)2 Duo CPU T7300 @ 2.00GHz
Percentage of memory in use: 32%
Total physical RAM: 2037.97 MB
Available physical RAM: 1368.57 MB
Total Virtual: 4075.95 MB
Available Virtual: 3476.58 MB
==================== Drives ================================
Drive c: () (Fixed) (Total:298.09 GB) (Free:249.88 GB) NTFS ==>[drive with boot components (obtained from BCD)]
==================== MBR & Partition Table ==================
========================================================
Disk: 0 (MBR Code: Windows XP) (Size: 298.1 GB) (Disk ID: B848D491)
Partition 1: (Active) - (Size=298.1 GB) - (Type=07 NTFS)
==================== End of Addition.txt ============================
Let's see if this helps.
Please open Notepad *Do Not Use Wordpad!* or use any other text editor than Notepad or the script will fail. (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the quote box below:
To do this highlight the contents of the box and right click on it and select copy.
Paste this into the open notepad. save it to the Desktop as fixlist.txt
NOTE. It's important that both files, FRST/FRST64 and fixlist.txt are in the same location or the fix will not work.
It needs to be saved Next to the "Farbar Recovery Scan Tool" (If asked to overwrite existing one please allow)
https://dl.dropboxusercontent.com/u/73555776/FRSTfix.JPG
start
CreateRestorePoint:
CloseProcesses:
HKLM\...\Run: [VjcYNwLhFDE6] => regsvr32.exe /s "C:\PROGRA~2\VjcYNwLhFDE6.dll"
2015-10-09 14:59 - 2015-10-09 14:59 - 01822048 _____ (BitTorrent Inc.) C:\Users\user\Downloads\uTorrent (1).exe
2015-10-02 12:33 - 2015-10-02 12:33 - 01821536 _____ (BitTorrent Inc.) C:\Users\user\Downloads\uTorrent(1).exe
2015-10-02 12:28 - 2015-10-09 15:07 - 00000000 ____D C:\Users\user\AppData\LocalLow\uTorrent
2015-10-02 12:26 - 2015-10-02 12:27 - 01821536 _____ (BitTorrent Inc.) C:\Users\user\Downloads\uTorrent.exe
C:\ProgramData\taskhost.exe
AlternateDataStreams: C:\Users\user\Desktop\USDF Region 6 3rd Level Freestyle Champs Prescription and LIz.avi.aaa:TOC.WMV
FirewallRules: [{13536BCF-935B-40C1-B136-CECE63D9B4A1}] => (Allow) C:\Users\user\AppData\Roaming\uTorrent\uTorrent.exe
FirewallRules: [{C2CA02A6-95B7-46B8-9CA4-942B56A8F0C7}] => (Allow) C:\Users\user\AppData\Roaming\uTorrent\uTorrent.exe
FirewallRules: [{BCF2EBC8-E806-4EC9-9FD5-2008A67E3687}] => (Allow) C:\Users\user\AppData\Roaming\uTorrent\uTorrent.exe
FirewallRules: [{260DD4DF-6237-4E59-8078-DE165E8B3040}] => (Allow) C:\Users\user\AppData\Roaming\uTorrent\uTorrent.exe
FirewallRules: [{D01181C8-43D3-409E-9535-F16252C1BE64}] => (Allow) C:\Users\user\AppData\Roaming\uTorrent\uTorrent.exe
FirewallRules: [{2AAEC011-3B36-4309-8C5A-B98483A6B455}] => (Allow) C:\Users\user\AppData\Roaming\uTorrent\uTorrent.exe
EmptyTemp:
Hosts:
End
Open FRST/FRST64 and press the > Fix < button just once and wait.
If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.
When finished FRST will generate a log on the Desktop (Fixlog.txt). Please post it to your reply.
~~~~~~~~~~~~~~~``
http://i1269.photobucket.com/albums/jj590/OCD-WTT/bullseye_zpse9eaf36e.gif Malwarebytes Anti-Rootkit
Download Malwarebytes Anti-Rootkit (http://downloads.malwarebytes.org/file/mbar)
Once the file has been downloaded, right click on the downloaded file and select the Extract all menu option.
Follow the instructions to extract the ZIP file to a folder called mbar-versionnumber on your desktop.
Once the ZIP file has been extracted, open the folder and when that folder opens, double-click on the mbar folder.
Double-click on the mbar.exe file to launch Malwarebytes Anti-Rootkit.
After you double-click on the mbar.exe file, you may receive a User Account Control (UAC) message if you are sure you wish to allow the program to run. Please allow to start Malwarebytes Anti-Rootkit correctly.
Malwarebytes Anti-Rootkit will now install necessary drivers that are required for the program to operate correctly.
If you receive a DDA driver message like could not load DDA driver, click on the Yes button and Malwarebytes Anti-Rootkit will now restart your computer and will start automatically.
http://i1269.photobucket.com/albums/jj590/OCD-WTT/MBAMAnti-Rootkit1_zps4613be8c.png
Please click by the introduction screen on the Next button to continue.
http://i1269.photobucket.com/albums/jj590/OCD-WTT/MBAMAnti-Rootkit2update_zpsf85fca28.png
Next you will see the Update Database screen.
Click on the Update button so Malwarebytes Anti-Rootkit can download the latest definition updates.
http://i1269.photobucket.com/albums/jj590/OCD-WTT/MBAMAnti-Rootkitupdatecomplete_zpscf9f4cdb.png
When the update has finished, click on the Next button.
http://i1269.photobucket.com/albums/jj590/OCD-WTT/MBAMAnti-Rootkitscan_zps9b346fe7.png
Next you can select some basic scanning options. Make sure the Drivers, Sectors, and System scan targets are selected before you click on the Scan button.
Malwarebytes Anti-Rootkit will now start scanning your computer for rootkits. This scan can take some time, so please be patient.
http://i1269.photobucket.com/albums/jj590/OCD-WTT/MBAMAnti-Rootkitscan-results_zps9f0fdf8e.png
When the scan with Malwarebytes Anti-Rootkit is finished, the program will display a screen with the results from the scan.
Make sure everything is selected and that the option to create a restore point is checked.
Next click on the Cleanup button. Malwarebytes Anti-Rootkit will then prompt you to reboot your computer.
Click on Yes button to restart your computer.
~~~~~~~~~~~~~~
Please post these 2 logs when done.
We're having severe storms with lightning, possibility of losing power.
Might not make it back here till morning.
Red_Earth
2015-10-13, 20:56
Fix result of Farbar Recovery Scan Tool (x86) Version:12-10-2015
Ran by user (2015-10-13 12:50:24) Run:1
Running from C:\Users\user\Desktop
Loaded Profiles: user (Available Profiles: user)
Boot Mode: Safe Mode (with Networking)
==============================================
fixlist content:
*****************
start
CreateRestorePoint:
CloseProcesses:
HKLM\...\Run: [VjcYNwLhFDE6] => regsvr32.exe /s "C:\PROGRA~2\VjcYNwLhFDE6.dll"
2015-10-09 14:59 - 2015-10-09 14:59 - 01822048 _____ (BitTorrent Inc.) C:\Users\user\Downloads\uTorrent (1).exe
2015-10-02 12:33 - 2015-10-02 12:33 - 01821536 _____ (BitTorrent Inc.) C:\Users\user\Downloads\uTorrent(1).exe
2015-10-02 12:28 - 2015-10-09 15:07 - 00000000 ____D C:\Users\user\AppData\LocalLow\uTorrent
2015-10-02 12:26 - 2015-10-02 12:27 - 01821536 _____ (BitTorrent Inc.) C:\Users\user\Downloads\uTorrent.exe
C:\ProgramData\taskhost.exe
AlternateDataStreams: C:\Users\user\Desktop\USDF Region 6 3rd Level Freestyle Champs Prescription and LIz.avi.aaa:TOC.WMV
FirewallRules: [{13536BCF-935B-40C1-B136-CECE63D9B4A1}] => (Allow) C:\Users\user\AppData\Roaming\uTorrent\uTorrent.exe
FirewallRules: [{C2CA02A6-95B7-46B8-9CA4-942B56A8F0C7}] => (Allow) C:\Users\user\AppData\Roaming\uTorrent\uTorrent.exe
FirewallRules: [{BCF2EBC8-E806-4EC9-9FD5-2008A67E3687}] => (Allow) C:\Users\user\AppData\Roaming\uTorrent\uTorrent.exe
FirewallRules: [{260DD4DF-6237-4E59-8078-DE165E8B3040}] => (Allow) C:\Users\user\AppData\Roaming\uTorrent\uTorrent.exe
FirewallRules: [{D01181C8-43D3-409E-9535-F16252C1BE64}] => (Allow) C:\Users\user\AppData\Roaming\uTorrent\uTorrent.exe
FirewallRules: [{2AAEC011-3B36-4309-8C5A-B98483A6B455}] => (Allow) C:\Users\user\AppData\Roaming\uTorrent\uTorrent.exe
EmptyTemp:
Hosts:
End
*****************
Error: Restore point can only be created in normal mode.
Processes closed successfully.
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\\VjcYNwLhFDE6 => value removed successfully.
C:\Users\user\Downloads\uTorrent (1).exe => moved successfully
C:\Users\user\Downloads\uTorrent(1).exe => moved successfully
C:\Users\user\AppData\LocalLow\uTorrent => moved successfully
C:\Users\user\Downloads\uTorrent.exe => moved successfully
C:\ProgramData\taskhost.exe => moved successfully
C:\Users\user\Desktop\USDF Region 6 3rd Level Freestyle Champs Prescription and LIz.avi.aaa => ":TOC.WMV" ADS removed successfully..
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{13536BCF-935B-40C1-B136-CECE63D9B4A1} => value removed successfully.
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{C2CA02A6-95B7-46B8-9CA4-942B56A8F0C7} => value removed successfully.
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{BCF2EBC8-E806-4EC9-9FD5-2008A67E3687} => value removed successfully.
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{260DD4DF-6237-4E59-8078-DE165E8B3040} => value removed successfully.
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{D01181C8-43D3-409E-9535-F16252C1BE64} => value removed successfully.
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{2AAEC011-3B36-4309-8C5A-B98483A6B455} => value removed successfully.
C:\Windows\System32\Drivers\etc\hosts => moved successfully
Hosts restored successfully.
EmptyTemp: => 66.2 MB temporary data Removed.
The system needed a reboot.
==== End of Fixlog 12:50:34 ====
Red_Earth
2015-10-13, 21:04
I downloaded MBAR from the hyperlink, and again, when prompted it does not open or run.
Red_Earth
2015-10-13, 21:06
the instructions were for a zip file but the hyperlink lead me to an exe download. I ran the exe and was given the popup that says will i allow program to make changes and i say allow and it does nothing.
See if you can search and find
mbar-log-(the date ran).txt
The below scanner can run and work in safe mode and or normal mode.
Download and Install Combofix
Download ComboFix from one of the following locations:
Link 1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link 2 (http://www.forospyware.com/sUBs/ComboFix.exe)
VERY IMPORTANT !!! Save ComboFix.exe to your Desktop
IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here (http://forums.whatthetech.com/How_Disable_your_Security_Programs_t96260.html&pid=494216#entry494216)
Double click on ComboFix.exe & follow the prompts.
Accept the disclaimer and allow to update if it asks
http://img.photobucket.com/albums/v706/ried7/NSIS_extraction.png
When finished, it shall produce a log for you.
Please include the C:\ComboFix.txt in your next reply.
Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.
3. If after the reboot you get errors about programmes being marked for deletion then reboot, that will cure it.
Please make sure you include the combo fix log in your next reply as well as describe how your computer is running now
I have a question
I see these files but cannot find much info on what they might be related to. Is it for some type of restore tool?
C:\ProgramData\restore_files_bjvdg.html
C:\ProgramData\restore_files_bjvdg.txt
C:\ProgramData\restore_files_fmlub.html
C:\ProgramData\restore_files_fmlub.txt
C:\ProgramData\restore_files_hvdux.html
C:\ProgramData\restore_files_hvdux.txt
C:\ProgramData\restore_files_mkkgj.html
C:\ProgramData\restore_files_mkkgj.txt
C:\ProgramData\restore_files_qnhwg.html
C:\ProgramData\restore_files_qnhwg.txt
C:\ProgramData\restore_files_swkdn.html
C:\ProgramData\restore_files_swkdn.txt
~~
Also
Also please download Windows Repair (all in one) from here (http://www.tweaking.com/content/page/windows_repair_all_in_one.html)
http://www.bleepstatic.com/download/screenshots/w/windows-repair-all-in-one-portable/step-4-tab.jpg
Install the program then go to step 4 and create a new system restore point and new registry backup.
Go to Step 2 and allow it to run CheckDisk by clicking on Do It button:
http://i1.ifrm.com/228/109/upload/p22001645.gif
NEXT
On the the Start Repairs tab => Click the Start
http://www.bleepstatic.com/download/screenshots/w/windows-repair-all-in-one-portable/start-repairs-tab.jpg
Please ensure that ONLY items seen in the image below are ticked as indicated (they're all checked by default):
http://i1.ifrm.com/228/109/upload/p22001647.gif
Click on box next to the Restart System when Finished. Then click on Start.
I know I've posted several things for you to do but I wanted to post this while it was on my mind.
http://i.imgur.com/3yRzEme.png Event Log Viewer
Please download VEW (http://images.malwareremoval.com/vino/VEW.exe) and save the file to your Desktop.
Right-click VEW.exe and select http://i.imgur.com/AVOiBNU.jpg Run as administrator to run the programme.
Under Select log to query, place a checkmark next to:
Application
System
Under Select type to list, place a checkmark next to:
Critical
Error
Information
Under Number or date events, place a checkmark next to:
Number of Events and set to 20.
Click Run.
Upon completion, a log (VEW.txt) will open. Copy the contents of the log and paste in your next reply.
Red_Earth
2015-10-16, 18:22
it has been three days... did I lose you?
Red_Earth
2015-10-16, 18:23
oops sorry. i didnt realize you had in fact replied
yes, I kinda rambled off a few things to do :)
Red_Earth
2015-10-17, 02:37
ComboFix 15-10-15.01 - user 10/16/2015 19:26:03.1.2 - x86
Microsoft Windows 7 Ultimate 6.1.7600.0.1252.1.1033.18.2038.1323 [GMT -5:00]
Running from: c:\users\user\Desktop\ComboFix.exe
SP: Windows Defender *Enabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\programdata\716C5D6A.EX
c:\users\Public\Favorites\restore_files_bjvdg.html
c:\users\Public\Favorites\restore_files_fmlub.html
c:\users\Public\Favorites\restore_files_hvdux.html
c:\users\Public\Favorites\restore_files_mkkgj.html
c:\users\Public\Favorites\restore_files_qnhwg.html
c:\users\Public\Favorites\restore_files_swkdn.html
c:\windows\wininit.ini
.
.
\\.\PhysicalDrive0 - Bootkit Cidox was found and disinfected
.
((((((((((((((((((((((((( Files Created from 2015-09-17 to 2015-10-17 )))))))))))))))))))))))))))))))
.
.
2015-10-17 00:31 . 2015-10-17 00:33 -------- d-----w- c:\users\user\AppData\Local\temp
2015-10-12 18:59 . 2015-10-12 22:25 -------- d-----w- C:\AdwCleaner
2015-10-10 01:10 . 2015-10-10 01:10 -------- d-----w- C:\RegBackup
2015-10-10 00:26 . 2015-10-10 00:26 -------- d-----w- c:\program files\Tweaking.com
2015-10-10 00:13 . 2015-10-13 17:51 -------- d-----w- C:\FRST
2015-09-20 19:54 . 2015-09-20 19:54 -------- d-----w- c:\program files\Common Files\AV
2015-09-20 19:03 . 2015-09-20 19:03 -------- d-----w- c:\program files\CCleaner
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2015-10-17 00:02 . 2015-05-16 21:59 780488 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2015-10-17 00:02 . 2015-05-16 21:59 142536 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2015-10-17 00:02 . 2015-08-23 16:02 3996360 ----a-w- c:\windows\system32\FlashPlayerInstaller.exe
2015-08-20 09:18 . 2015-09-02 11:32 9234960 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{04CF7845-9F16-42DA-8744-864BC1B9294F}\mpengine.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SandboxieControl"="c:\program files\Sandboxie\SbieCtrl.exe" [2013-10-16 543432]
"CCleaner Monitoring"="c:\program files\CCleaner\CCleaner.exe" [2015-08-19 6490904]
"SpybotPostWindows10UpgradeReInstall"="c:\program files\Common Files\AV\Spybot - Search and Destroy\Test.exe" [2015-07-28 1011200]
.
c:\users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
restore_files_mkkgj.html [2015-8-22 5081]
restore_files_mkkgj.txt [2015-8-22 2253]
restore_files_qnhwg.html [2015-8-22 3822]
restore_files_qnhwg.txt [2015-8-22 2170]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0\0sdnclean.exe
.
R3 netw5v32;Intel(R) Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\system32\DRIVERS\netw5v32.sys [2009-07-13 4231168]
S3 SrvHsfHDA;SrvHsfHDA;c:\windows\system32\DRIVERS\VSTAZL3.SYS [2009-07-13 207360]
S3 SrvHsfV92;SrvHsfV92;c:\windows\system32\DRIVERS\VSTDPV3.SYS [2009-07-13 980992]
S3 SrvHsfWinac;SrvHsfWinac;c:\windows\system32\DRIVERS\VSTCNXT3.SYS [2009-07-13 661504]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]
2015-10-16 09:05 997704 ----a-w- c:\program files\Google\Chrome\Application\46.0.2490.71\Installer\chrmstp.exe
.
Contents of the 'Scheduled Tasks' folder
.
2015-10-17 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2015-05-16 00:02]
.
2015-10-17 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2015-05-19 16:47]
.
2015-10-16 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2015-05-19 16:47]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyServer = localhost:8080
TCP: DhcpNameServer = 75.75.75.75 75.75.76.76
FF - ProfilePath - c:\users\user\AppData\Roaming\Mozilla\Firefox\Profiles\vk605143.default\
FF - prefs.js: browser.startup.homepage - hxxps://www.google.com/?gws_rd=ssl
.
- - - - ORPHANS REMOVED - - - -
.
HKCU-Run-Chrome - c:\progra~2\taskhost.exe
HKLM-Run-Chrome - c:\progra~2\taskhost.exe
HKU-Default-Run-Chrome - c:\progra~2\taskhost.exe
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil32_19_0_0_226_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\LocalServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil32_19_0_0_226_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}]
@Denied: (A 2) (Everyone)
@="IFlashBroker6"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\system\ControlSet002\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet002\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet002\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Sandboxie\SbieSvc.exe
c:\windows\system32\WUDFHost.exe
c:\windows\system32\taskhost.exe
c:\windows\system32\sppsvc.exe
c:\windows\system32\conhost.exe
c:\program files\Windows Media Player\wmpnetwk.exe
.
**************************************************************************
.
Completion time: 2015-10-16 19:35:09 - machine was rebooted
ComboFix-quarantined-files.txt 2015-10-17 00:35
.
Pre-Run: 266,880,491,520 bytes free
Post-Run: 266,791,280,640 bytes free
.
- - End Of File - - 9984B18A4A04C30C686DE2BE9297A25C
8F558EB6672622401DA993E1E865C861
Red_Earth
2015-10-17, 03:35
I believe the restore files you mentioned are malicious. Every time I reboot screens popup mentioning them. Windows repair did not find any issues. The log for VEW follows:
Vino's Event Viewer v01c run on Windows 2008 in English
Report run at 16/10/2015 8:30:41 PM
Note: All dates below are in the format dd/mm/yyyy
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
'Application' Log - Critical Type
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
'Application' Log - Error Type
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Log: 'Application' Date/Time: 17/10/2015 1:04:52 AM
Type: Error Category: 100
Event: 1000 Source: Application Error
Faulting application name: svchost.exe_WinDefend, version: 6.1.7600.16385, time stamp: 0x4a5bc100 Faulting module name: msvcrt.dll, version: 7.0.7600.16385, time stamp: 0x4a5bda6f Exception code: 0xc0000005 Fault offset: 0x0000ab84 Faulting process id: 0x670 Faulting application start time: 0x01d108756c21b920 Faulting application path: C:\Windows\System32\svchost.exe Faulting module path: C:\Windows\system32\msvcrt.dll Report Id: 11dc1418-746b-11e5-95cc-0016418fd44e
Log: 'Application' Date/Time: 16/10/2015 7:51:01 PM
Type: Error Category: 100
Event: 1000 Source: Application Error
Faulting application name: vlc.exe, version: 2.2.1.0, time stamp: 0x00000004 Faulting module name: libqt4_plugin.dll, version: 2.2.1.0, time stamp: 0x00020002 Exception code: 0x40000015 Fault offset: 0x007ca10a Faulting process id: 0x1268 Faulting application start time: 0x01d1084bf6e4b795 Faulting application path: C:\Program Files\VideoLAN\VLC\vlc.exe Faulting module path: C:\Program Files\VideoLAN\VLC\plugins\gui\libqt4_plugin.dll Report Id: 39a05618-743f-11e5-9e30-0016418fd44e
Log: 'Application' Date/Time: 09/10/2015 8:04:08 PM
Type: Error Category: 101
Event: 1002 Source: Application Hang
The program uTorrent.exe version 3.4.5.41162 stopped interacting with Windows and was closed. To see if more information about the problem is available, check the problem history in the Action Center control panel. Process ID: bec Start Time: 01d102cd4b208838 Termination Time: 16 Application Path: C:\Users\user\AppData\Roaming\uTorrent\uTorrent.exe Report Id: e3dacfcb-6ec0-11e5-8ff0-0016418fd44e
Log: 'Application' Date/Time: 09/10/2015 4:19:15 PM
Type: Error Category: 0
Event: 8211 Source: System Restore
The scheduled restore point could not be created. Additional information: (0x81000101).
Log: 'Application' Date/Time: 09/10/2015 4:19:15 PM
Type: Error Category: 0
Event: 8193 Source: System Restore
Failed to create restore point (Process = C:\Windows\system32\rundll32.exe /d srrstr.dll,ExecuteScheduledSPPCreation; Description = Scheduled Checkpoint; Error = 0x81000101).
Log: 'Application' Date/Time: 03/10/2015 1:26:11 AM
Type: Error Category: 1
Event: 7042 Source: Microsoft-Windows-Search
The Windows Search Service is being stopped because there is a problem with the indexer: The catalog is corrupt.
Details:
The content index catalog is corrupt. 0xc0041801 (0xc0041801)
Log: 'Application' Date/Time: 03/10/2015 1:26:11 AM
Type: Error Category: 1
Event: 7040 Source: Microsoft-Windows-Search
The search service has detected corrupted data files in the index {id=2350}. The service will attempt to automatically correct this problem by rebuilding the index.
Details:
The content index catalog is corrupt. 0xc0041801 (0xc0041801)
Log: 'Application' Date/Time: 02/10/2015 5:53:50 PM
Type: Error Category: 101
Event: 1002 Source: Application Hang
The program uTorrent.exe version 3.4.5.41162 stopped interacting with Windows and was closed. To see if more information about the problem is available, check the problem history in the Action Center control panel. Process ID: a04 Start Time: 01d0fd3a3ba624b5 Termination Time: 29 Application Path: C:\Users\user\AppData\Roaming\uTorrent\uTorrent.exe Report Id: 86ed4303-692e-11e5-80c1-0016418fd44e
Log: 'Application' Date/Time: 02/10/2015 5:36:22 PM
Type: Error Category: 101
Event: 1002 Source: Application Hang
The program uTorrent.exe version 3.4.5.41162 stopped interacting with Windows and was closed. To see if more information about the problem is available, check the problem history in the Action Center control panel. Process ID: e38 Start Time: 01d0fd388b4eef10 Termination Time: 16 Application Path: C:\Users\user\AppData\Roaming\uTorrent\uTorrent.exe Report Id: 0c491d4d-692c-11e5-80c1-0016418fd44e
Log: 'Application' Date/Time: 02/10/2015 12:54:26 AM
Type: Error Category: 100
Event: 1000 Source: Application Error
Faulting application name: plugin-container.exe, version: 41.0.1.5750, time stamp: 0x560b37be Faulting module name: mozglue.dll, version: 41.0.1.5750, time stamp: 0x560b229d Exception code: 0x80000003 Fault offset: 0x0000ec7f Faulting process id: 0xcd0 Faulting application start time: 0x01d0fcacb708f42c Faulting application path: C:\Program Files\Mozilla Firefox\plugin-container.exe Faulting module path: C:\Program Files\Mozilla Firefox\mozglue.dll Report Id: 2066e7b4-68a0-11e5-a3c5-0016418fd44e
Log: 'Application' Date/Time: 02/10/2015 12:28:28 AM
Type: Error Category: 101
Event: 1002 Source: Application Hang
The program firefox.exe version 41.0.1.5750 stopped interacting with Windows and was closed. To see if more information about the problem is available, check the problem history in the Action Center control panel. Process ID: ec8 Start Time: 01d0fca7c91dba3b Termination Time: 11 Application Path: C:\Program Files\Mozilla Firefox\firefox.exe Report Id:
Log: 'Application' Date/Time: 28/09/2015 4:53:43 PM
Type: Error Category: 101
Event: 1002 Source: Application Hang
The program firefox.exe version 41.0.0.5738 stopped interacting with Windows and was closed. To see if more information about the problem is available, check the problem history in the Action Center control panel. Process ID: 630 Start Time: 01d0f97f6c5a0d22 Termination Time: 34 Application Path: C:\Program Files\Mozilla Firefox\firefox.exe Report Id: 77bd087d-6601-11e5-bc43-0016418fd44e
Log: 'Application' Date/Time: 28/09/2015 4:53:43 PM
Type: Error Category: 100
Event: 1000 Source: Application Error
Faulting application name: plugin-container.exe, version: 41.0.0.5738, time stamp: 0x55fb7072 Faulting module name: mozglue.dll, version: 41.0.0.5738, time stamp: 0x55fb5afb Exception code: 0x80000003 Fault offset: 0x0000ec7e Faulting process id: 0xe1c Faulting application start time: 0x01d0fa0e25b42fd1 Faulting application path: C:\Program Files\Mozilla Firefox\plugin-container.exe Faulting module path: C:\Program Files\Mozilla Firefox\mozglue.dll Report Id: 79b9551d-6601-11e5-bc43-0016418fd44e
Log: 'Application' Date/Time: 27/09/2015 3:13:00 AM
Type: Error Category: 100
Event: 1000 Source: Application Error
Faulting application name: svchost.exe_SysMain, version: 6.1.7600.16385, time stamp: 0x4a5bc100 Faulting module name: sysmain.dll, version: 6.1.7600.16385, time stamp: 0x4a5bdb23 Exception code: 0xc0000005 Fault offset: 0x00042bfa Faulting process id: 0x358 Faulting application start time: 0x01d0f8beb5205dc5 Faulting application path: C:\Windows\System32\svchost.exe Faulting module path: c:\windows\system32\sysmain.dll Report Id: a7ec7fdb-64c5-11e5-a781-0016418fd44e
Log: 'Application' Date/Time: 27/09/2015 12:32:00 AM
Type: Error Category: 100
Event: 1000 Source: Application Error
Faulting application name: plugin-container.exe, version: 41.0.0.5738, time stamp: 0x55fb7072 Faulting module name: mozglue.dll, version: 41.0.0.5738, time stamp: 0x55fb5afb Exception code: 0x80000003 Fault offset: 0x0000ec7e Faulting process id: 0xaac Faulting application start time: 0x01d0f8a6b02fbaec Faulting application path: C:\Program Files\Mozilla Firefox\plugin-container.exe Faulting module path: C:\Program Files\Mozilla Firefox\mozglue.dll Report Id: 2a4de6e0-64af-11e5-bbc2-0016418fd44e
Log: 'Application' Date/Time: 27/09/2015 12:32:00 AM
Type: Error Category: 101
Event: 1002 Source: Application Hang
The program firefox.exe version 41.0.0.5738 stopped interacting with Windows and was closed. To see if more information about the problem is available, check the problem history in the Action Center control panel. Process ID: 9a0 Start Time: 01d0f8a525319699 Termination Time: 127 Application Path: C:\Program Files\Mozilla Firefox\firefox.exe Report Id: 27b7c8ff-64af-11e5-bbc2-0016418fd44e
Log: 'Application' Date/Time: 25/09/2015 5:05:13 AM
Type: Error Category: 100
Event: 1000 Source: Application Error
Faulting application name: plugin-container.exe, version: 41.0.0.5738, time stamp: 0x55fb7072 Faulting module name: mozglue.dll, version: 41.0.0.5738, time stamp: 0x55fb5afb Exception code: 0x80000003 Fault offset: 0x0000ec7e Faulting process id: 0xb90 Faulting application start time: 0x01d0f74da50acce0 Faulting application path: C:\Program Files\Mozilla Firefox\plugin-container.exe Faulting module path: C:\Program Files\Mozilla Firefox\mozglue.dll Report Id: 0072674c-6343-11e5-a381-0016418fd44e
Log: 'Application' Date/Time: 25/09/2015 2:36:23 AM
Type: Error Category: 100
Event: 1000 Source: Application Error
Faulting application name: plugin-container.exe, version: 41.0.0.5738, time stamp: 0x55fb7072 Faulting module name: mozglue.dll, version: 41.0.0.5738, time stamp: 0x55fb5afb Exception code: 0x80000003 Fault offset: 0x0000ec7e Faulting process id: 0xa48 Faulting application start time: 0x01d0f73ad74e3638 Faulting application path: C:\Program Files\Mozilla Firefox\plugin-container.exe Faulting module path: C:\Program Files\Mozilla Firefox\mozglue.dll Report Id: 359da133-632e-11e5-a381-0016418fd44e
Log: 'Application' Date/Time: 24/09/2015 7:35:02 PM
Type: Error Category: 100
Event: 1000 Source: Application Error
Faulting application name: plugin-container.exe, version: 41.0.0.5738, time stamp: 0x55fb7072 Faulting module name: mozglue.dll, version: 41.0.0.5738, time stamp: 0x55fb5afb Exception code: 0x80000003 Fault offset: 0x0000ec7e Faulting process id: 0x714 Faulting application start time: 0x01d0f6ff1b141ef9 Faulting application path: C:\Program Files\Mozilla Firefox\plugin-container.exe Faulting module path: C:\Program Files\Mozilla Firefox\mozglue.dll Report Id: 58d106d8-62f3-11e5-a381-0016418fd44e
Log: 'Application' Date/Time: 24/09/2015 6:58:55 PM
Type: Error Category: 100
Event: 1000 Source: Application Error
Faulting application name: plugin-container.exe, version: 41.0.0.5738, time stamp: 0x55fb7072 Faulting module name: mozglue.dll, version: 41.0.0.5738, time stamp: 0x55fb5afb Exception code: 0x80000003 Fault offset: 0x0000ec7e Faulting process id: 0xbf0 Faulting application start time: 0x01d0f6fa5bf281ea Faulting application path: C:\Program Files\Mozilla Firefox\plugin-container.exe Faulting module path: C:\Program Files\Mozilla Firefox\mozglue.dll Report Id: 4d3fe876-62ee-11e5-a381-0016418fd44e
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
'Application' Log - Information Type
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Log: 'Application' Date/Time: 17/10/2015 1:26:20 AM
Type: Information Category: 0
Event: 1 Source: SecurityCenter
The Windows Security Center Service has started.
Log: 'Application' Date/Time: 17/10/2015 1:26:19 AM
Type: Information Category: 1
Event: 1003 Source: Microsoft-Windows-Search
The Windows Search Service started.
Log: 'Application' Date/Time: 17/10/2015 1:26:15 AM
Type: Information Category: 0
Event: 0 Source: gupdate
The event description cannot be found.
Log: 'Application' Date/Time: 17/10/2015 1:26:13 AM
Type: Information Category: 3
Event: 302 Source: ESENT
Windows (3388) Windows: The database engine has successfully completed recovery steps.
Log: 'Application' Date/Time: 17/10/2015 1:26:13 AM
Type: Information Category: 3
Event: 301 Source: ESENT
Windows (3388) Windows: The database engine has begun replaying logfile C:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSS.log.
Log: 'Application' Date/Time: 17/10/2015 1:26:12 AM
Type: Information Category: 3
Event: 300 Source: ESENT
Windows (3388) Windows: The database engine is initiating recovery steps.
Log: 'Application' Date/Time: 17/10/2015 1:26:12 AM
Type: Information Category: 1
Event: 102 Source: ESENT
Windows (3388) Windows: The database engine (6.01.7600.0000) started a new instance (0).
Log: 'Application' Date/Time: 17/10/2015 1:26:01 AM
Type: Information Category: 0
Event: 6000 Source: Microsoft-Windows-Winlogon
The winlogon notification subscriber <SessionEnv> was unavailable to handle a notification event.
Log: 'Application' Date/Time: 17/10/2015 1:26:01 AM
Type: Information Category: 0
Event: 4104 Source: Microsoft-Windows-Winlogon
Accessing Windows in Notification period.
Log: 'Application' Date/Time: 17/10/2015 1:24:15 AM
Type: Information Category: 0
Event: 902 Source: Microsoft-Windows-Security-SPP
The Software Protection service has started. 6.1.7600.16385
Log: 'Application' Date/Time: 17/10/2015 1:24:15 AM
Type: Information Category: 0
Event: 1003 Source: Microsoft-Windows-Security-SPP
The Software Protection service has completed licensing status check. Application Id=55c92734-d682-4d71-983e-d6ec3f16059f Licensing Status=
1: 022a1afb-b893-4190-92c3-8f69a49839fb, 1, 0 [(0 [0xC004F014, 0, 0], [(?)(?)(?)(?)(?)(?)])(1 )(2 )]
2: 7cfd4696-69a9-4af7-af36-ff3d12b6b6c8, 1, 0 [(0 [0xC004F014, 0, 0], [(?)(?)(?)(?)(?)(?)])(1 )(2 )]
3: a0cde89c-3304-4157-b61c-c8ad785d1fad, 1, 1 [(0 )(1 )(2 [0x00000000, 0, 0], [( 5 0xC004F009 30 0)( 5 0xC004F009 30 0)( 1 0x00000000 0 0 msft:rm/algorithm/flags/1.0 0x00000000 0)(?)(?)( 9 0x00000000 0xC004F009)])]
4: ac96e1a8-6cc4-4310-a4ff-332ce77fb5b8, 1, 0 [(0 [0xC004F014, 0, 0], [(?)(?)(?)(?)(?)(?)])(1 )(2 )]
5: cfb3e52c-d707-4861-af51-11b27ee6169c, 1, 0 [(0 [0xC004F014, 0, 0], [(?)(?)(?)(?)(?)(?)])(1 )(2 )]
6: 4a8149bb-7d61-49f4-8822-82c7bf88d64b, 1, 0 [(0 [0xC004F014, 0, 0], [(?)(?)(?)(?)(?)(?)])(1 )(2 )]
7: afd5f68f-b70f-4000-a21d-28dbc8be8b07, 1, 0 [(0 [0xC004F014, 0, 0], [(?)(?)(?)(?)(?)(?)])(1 )(2 )]
Log: 'Application' Date/Time: 17/10/2015 1:24:15 AM
Type: Information Category: 0
Event: 1066 Source: Microsoft-Windows-Security-SPP
Initialization status for service objects. C:\Windows\system32\sppwinob.dll, msft:spp/windowsfunctionality/agent/7.0, 0x00000000, 0x00000000
C:\Windows\system32\sppobjs.dll, msft:rm/algorithm/phone/1.0, 0x00000000, 0x00000000
C:\Windows\system32\sppobjs.dll, msft:rm/algorithm/pkey/2005, 0x00000000, 0x00000000
C:\Windows\system32\sppobjs.dll, msft:spp/TaskScheduler/1.0, 0x00000000, 0x00000000
C:\Windows\system32\sppobjs.dll, msft:spp/volume/services/kms/1.0, 0x00000000, 0x00000000
C:\Windows\system32\sppobjs.dll, msft:spp/volume/services/kms/licenserenewal/1.0, 0x00000000, 0x00000000
Log: 'Application' Date/Time: 17/10/2015 1:24:14 AM
Type: Information Category: 0
Event: 900 Source: Microsoft-Windows-Security-SPP
The Software Protection service is starting.
Log: 'Application' Date/Time: 17/10/2015 1:24:14 AM
Type: Information Category: 0
Event: 5617 Source: Microsoft-Windows-WMI
Windows Management Instrumentation Service subsystems initialized successfully
Log: 'Application' Date/Time: 17/10/2015 1:24:06 AM
Type: Information Category: 0
Event: 1531 Source: Microsoft-Windows-User Profiles Service
The User Profile Service has started successfully.
Log: 'Application' Date/Time: 17/10/2015 1:24:10 AM
Type: Information Category: 0
Event: 5615 Source: Microsoft-Windows-WMI
Windows Management Instrumentation Service started sucessfully
Log: 'Application' Date/Time: 17/10/2015 1:24:06 AM
Type: Information Category: 0
Event: 4625 Source: Microsoft-Windows-EventSystem
The EventSystem sub system is suppressing duplicate event log entries for a duration of 86400 seconds. The suppression timeout can be controlled by a REG_DWORD value named SuppressDuplicateDuration under the following registry key: HKLM\Software\Microsoft\EventSystem\EventLog.
Log: 'Application' Date/Time: 17/10/2015 1:23:32 AM
Type: Information Category: 0
Event: 1532 Source: Microsoft-Windows-User Profiles Service
The User Profile Service has stopped.
Log: 'Application' Date/Time: 17/10/2015 1:23:31 AM
Type: Information Category: 0
Event: 6000 Source: Microsoft-Windows-Winlogon
The winlogon notification subscriber <SessionEnv> was unavailable to handle a notification event.
Log: 'Application' Date/Time: 17/10/2015 1:23:31 AM
Type: Information Category: 0
Event: 6000 Source: Microsoft-Windows-Winlogon
The winlogon notification subscriber <Sens> was unavailable to handle a notification event.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
'System' Log - Critical Type
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Log: 'System' Date/Time: 17/10/2015 1:11:26 AM
Type: Critical Category: 63
Event: 41 Source: Microsoft-Windows-Kernel-Power
The system has rebooted without cleanly shutting down first. This error could be caused if the system stopped responding, crashed, or lost power unexpectedly.
Log: 'System' Date/Time: 17/10/2015 12:19:23 AM
Type: Critical Category: 63
Event: 41 Source: Microsoft-Windows-Kernel-Power
The system has rebooted without cleanly shutting down first. This error could be caused if the system stopped responding, crashed, or lost power unexpectedly.
Log: 'System' Date/Time: 14/10/2015 3:47:21 PM
Type: Critical Category: 63
Event: 41 Source: Microsoft-Windows-Kernel-Power
The system has rebooted without cleanly shutting down first. This error could be caused if the system stopped responding, crashed, or lost power unexpectedly.
Log: 'System' Date/Time: 14/10/2015 3:31:37 PM
Type: Critical Category: 63
Event: 41 Source: Microsoft-Windows-Kernel-Power
The system has rebooted without cleanly shutting down first. This error could be caused if the system stopped responding, crashed, or lost power unexpectedly.
Log: 'System' Date/Time: 14/10/2015 12:59:05 AM
Type: Critical Category: 63
Event: 41 Source: Microsoft-Windows-Kernel-Power
The system has rebooted without cleanly shutting down first. This error could be caused if the system stopped responding, crashed, or lost power unexpectedly.
Log: 'System' Date/Time: 12/10/2015 7:02:57 PM
Type: Critical Category: 64
Event: 10111 Source: Microsoft-Windows-DriverFrameworks-UserMode
The device Microsoft Usbccid Smartcard Reader (O2 Micro OZ776/777) (location Port_#0002.Hub_#0008) is offline due to a user-mode driver crash. Windows will attempt to restart the device 5 more times. Please contact the device manufacturer for more information about this problem.
Log: 'System' Date/Time: 12/10/2015 7:02:57 PM
Type: Critical Category: 64
Event: 10110 Source: Microsoft-Windows-DriverFrameworks-UserMode
A problem has occurred with one or more user-mode drivers and the hosting process has been terminated. This may temporarily interrupt your ability to access the devices.
Log: 'System' Date/Time: 11/10/2015 1:25:31 PM
Type: Critical Category: 63
Event: 41 Source: Microsoft-Windows-Kernel-Power
The system has rebooted without cleanly shutting down first. This error could be caused if the system stopped responding, crashed, or lost power unexpectedly.
Log: 'System' Date/Time: 10/10/2015 6:08:03 PM
Type: Critical Category: 63
Event: 41 Source: Microsoft-Windows-Kernel-Power
The system has rebooted without cleanly shutting down first. This error could be caused if the system stopped responding, crashed, or lost power unexpectedly.
Log: 'System' Date/Time: 06/10/2015 12:12:49 PM
Type: Critical Category: 63
Event: 41 Source: Microsoft-Windows-Kernel-Power
The system has rebooted without cleanly shutting down first. This error could be caused if the system stopped responding, crashed, or lost power unexpectedly.
Log: 'System' Date/Time: 04/10/2015 10:31:17 PM
Type: Critical Category: 63
Event: 41 Source: Microsoft-Windows-Kernel-Power
The system has rebooted without cleanly shutting down first. This error could be caused if the system stopped responding, crashed, or lost power unexpectedly.
Log: 'System' Date/Time: 03/10/2015 12:02:04 PM
Type: Critical Category: 63
Event: 41 Source: Microsoft-Windows-Kernel-Power
The system has rebooted without cleanly shutting down first. This error could be caused if the system stopped responding, crashed, or lost power unexpectedly.
Log: 'System' Date/Time: 03/10/2015 4:40:37 AM
Type: Critical Category: 63
Event: 41 Source: Microsoft-Windows-Kernel-Power
The system has rebooted without cleanly shutting down first. This error could be caused if the system stopped responding, crashed, or lost power unexpectedly.
Log: 'System' Date/Time: 03/10/2015 4:38:35 AM
Type: Critical Category: 63
Event: 41 Source: Microsoft-Windows-Kernel-Power
The system has rebooted without cleanly shutting down first. This error could be caused if the system stopped responding, crashed, or lost power unexpectedly.
Log: 'System' Date/Time: 03/10/2015 12:43:12 AM
Type: Critical Category: 63
Event: 41 Source: Microsoft-Windows-Kernel-Power
The system has rebooted without cleanly shutting down first. This error could be caused if the system stopped responding, crashed, or lost power unexpectedly.
Log: 'System' Date/Time: 02/10/2015 11:56:19 AM
Type: Critical Category: 63
Event: 41 Source: Microsoft-Windows-Kernel-Power
The system has rebooted without cleanly shutting down first. This error could be caused if the system stopped responding, crashed, or lost power unexpectedly.
Log: 'System' Date/Time: 27/09/2015 7:58:10 AM
Type: Critical Category: 63
Event: 41 Source: Microsoft-Windows-Kernel-Power
The system has rebooted without cleanly shutting down first. This error could be caused if the system stopped responding, crashed, or lost power unexpectedly.
Log: 'System' Date/Time: 27/09/2015 12:51:46 AM
Type: Critical Category: 63
Event: 41 Source: Microsoft-Windows-Kernel-Power
The system has rebooted without cleanly shutting down first. This error could be caused if the system stopped responding, crashed, or lost power unexpectedly.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
'System' Log - Error Type
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Log: 'System' Date/Time: 17/10/2015 1:13:17 AM
Type: Error Category: 0
Event: 7001 Source: Service Control Manager
The Computer Browser service depends on the Server service which failed to start because of the following error: The dependency service or group failed to start.
Log: 'System' Date/Time: 17/10/2015 1:13:17 AM
Type: Error Category: 0
Event: 7001 Source: Service Control Manager
The Computer Browser service depends on the Server service which failed to start because of the following error: The dependency service or group failed to start.
Log: 'System' Date/Time: 17/10/2015 1:13:16 AM
Type: Error Category: 0
Event: 7001 Source: Service Control Manager
The HomeGroup Provider service depends on the Function Discovery Provider Host service which failed to start because of the following error: The dependency service or group failed to start.
Log: 'System' Date/Time: 17/10/2015 1:13:15 AM
Type: Error Category: 0
Event: 10005 Source: Microsoft-Windows-DistributedCOM
DCOM got error "1084" attempting to start the service WSearch with arguments "" in order to run the server: {9E175B6D-F52A-11D8-B9A5-505054503030}
Log: 'System' Date/Time: 17/10/2015 1:13:15 AM
Type: Error Category: 0
Event: 10005 Source: Microsoft-Windows-DistributedCOM
DCOM got error "1084" attempting to start the service WSearch with arguments "" in order to run the server: {7D096C5F-AC08-4F1F-BEB7-5C22C517CE39}
Log: 'System' Date/Time: 17/10/2015 1:13:14 AM
Type: Error Category: 0
Event: 10005 Source: Microsoft-Windows-DistributedCOM
DCOM got error "1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
Log: 'System' Date/Time: 17/10/2015 1:13:08 AM
Type: Error Category: 0
Event: 10005 Source: Microsoft-Windows-DistributedCOM
DCOM got error "1084" attempting to start the service ShellHWDetection with arguments "" in order to run the server: {DD522ACC-F821-461A-A407-50B198B896DC}
Log: 'System' Date/Time: 17/10/2015 1:13:03 AM
Type: Error Category: 0
Event: 7026 Source: Service Control Manager
The following boot-start or system-start driver(s) failed to load: discache spldr Wanarpv6
Log: 'System' Date/Time: 17/10/2015 1:11:31 AM
Type: Error Category: 0
Event: 6008 Source: EventLog
The previous system shutdown at 8:09:13 PM on ?10/?16/?2015 was unexpected.
Log: 'System' Date/Time: 17/10/2015 1:05:14 AM
Type: Error Category: 0
Event: 7031 Source: Service Control Manager
The Windows Defender service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
Log: 'System' Date/Time: 17/10/2015 12:32:13 AM
Type: Error Category: 0
Event: 29 Source: volsnap
The shadow copies of volume C: were aborted during detection.
Log: 'System' Date/Time: 17/10/2015 12:32:20 AM
Type: Error Category: 0
Event: 6008 Source: EventLog
The previous system shutdown at 7:30:51 PM on ?10/?16/?2015 was unexpected.
Log: 'System' Date/Time: 17/10/2015 12:31:31 AM
Type: Error Category: 0
Event: 7030 Source: Service Control Manager
The PEVSystemStart service is marked as an interactive service. However, the system is configured to not allow interactive services. This service may not function properly.
Log: 'System' Date/Time: 17/10/2015 12:29:20 AM
Type: Error Category: 0
Event: 7030 Source: Service Control Manager
The PEVSystemStart service is marked as an interactive service. However, the system is configured to not allow interactive services. This service may not function properly.
Log: 'System' Date/Time: 17/10/2015 12:25:56 AM
Type: Error Category: 0
Event: 7030 Source: Service Control Manager
The PEVSystemStart service is marked as an interactive service. However, the system is configured to not allow interactive services. This service may not function properly.
Log: 'System' Date/Time: 17/10/2015 12:24:01 AM
Type: Error Category: 0
Event: 7030 Source: Service Control Manager
The PEVSystemStart service is marked as an interactive service. However, the system is configured to not allow interactive services. This service may not function properly.
Log: 'System' Date/Time: 17/10/2015 12:19:53 AM
Type: Error Category: 0
Event: 7001 Source: Service Control Manager
The HomeGroup Provider service depends on the Function Discovery Provider Host service which failed to start because of the following error: The dependency service or group failed to start.
Log: 'System' Date/Time: 17/10/2015 12:19:53 AM
Type: Error Category: 0
Event: 10005 Source: Microsoft-Windows-DistributedCOM
DCOM got error "1084" attempting to start the service WSearch with arguments "" in order to run the server: {9E175B6D-F52A-11D8-B9A5-505054503030}
Log: 'System' Date/Time: 17/10/2015 12:19:51 AM
Type: Error Category: 0
Event: 10005 Source: Microsoft-Windows-DistributedCOM
DCOM got error "1084" attempting to start the service WSearch with arguments "" in order to run the server: {7D096C5F-AC08-4F1F-BEB7-5C22C517CE39}
Log: 'System' Date/Time: 17/10/2015 12:19:50 AM
Type: Error Category: 0
Event: 7001 Source: Service Control Manager
The Computer Browser service depends on the Server service which failed to start because of the following error: The dependency service or group failed to start.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
'System' Log - Information Type
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Log: 'System' Date/Time: 17/10/2015 1:29:04 AM
Type: Information Category: 0
Event: 7036 Source: Service Control Manager
The Application Experience service entered the running state.
Log: 'System' Date/Time: 17/10/2015 1:26:33 AM
Type: Information Category: 0
Event: 206 Source: Microsoft-Windows-Application-Experience
The Program Compatibility Assistant service successfully performed phase two initialization.
Log: 'System' Date/Time: 17/10/2015 1:26:23 AM
Type: Information Category: 0
Event: 7036 Source: Service Control Manager
The Windows Update service entered the running state.
Log: 'System' Date/Time: 17/10/2015 1:26:19 AM
Type: Information Category: 0
Event: 7036 Source: Service Control Manager
The HomeGroup Provider service entered the running state.
Log: 'System' Date/Time: 17/10/2015 1:26:19 AM
Type: Information Category: 0
Event: 7036 Source: Service Control Manager
The Security Center service entered the running state.
Log: 'System' Date/Time: 17/10/2015 1:26:19 AM
Type: Information Category: 0
Event: 7036 Source: Service Control Manager
The Function Discovery Resource Publication service entered the running state.
Log: 'System' Date/Time: 17/10/2015 1:26:19 AM
Type: Information Category: 0
Event: 7036 Source: Service Control Manager
The Function Discovery Provider Host service entered the running state.
Log: 'System' Date/Time: 17/10/2015 1:26:16 AM
Type: Information Category: 0
Event: 7036 Source: Service Control Manager
The Windows Search service entered the running state.
Log: 'System' Date/Time: 17/10/2015 1:26:15 AM
Type: Information Category: 0
Event: 7036 Source: Service Control Manager
The SSDP Discovery service entered the running state.
Log: 'System' Date/Time: 17/10/2015 1:26:15 AM
Type: Information Category: 0
Event: 7036 Source: Service Control Manager
The Google Update Service (gupdate) service entered the stopped state.
Log: 'System' Date/Time: 17/10/2015 1:26:14 AM
Type: Information Category: 0
Event: 7036 Source: Service Control Manager
The Google Update Service (gupdate) service entered the running state.
Log: 'System' Date/Time: 17/10/2015 1:26:14 AM
Type: Information Category: 0
Event: 7036 Source: Service Control Manager
The Portable Device Enumerator Service service entered the stopped state.
Log: 'System' Date/Time: 17/10/2015 1:26:14 AM
Type: Information Category: 0
Event: 7036 Source: Service Control Manager
The Windows Media Player Network Sharing Service service entered the running state.
Log: 'System' Date/Time: 17/10/2015 1:26:14 AM
Type: Information Category: 0
Event: 14204 Source: Microsoft-Windows-WMPNSS-Service
Service 'WMPNetworkSvc' started.
Log: 'System' Date/Time: 17/10/2015 1:26:11 AM
Type: Information Category: 0
Event: 7036 Source: Service Control Manager
The Windows Font Cache Service service entered the running state.
Log: 'System' Date/Time: 17/10/2015 1:24:24 AM
Type: Information Category: 0
Event: 7036 Source: Service Control Manager
The Computer Browser service entered the stopped state.
Log: 'System' Date/Time: 17/10/2015 1:24:21 AM
Type: Information Category: 0
Event: 7036 Source: Service Control Manager
The WinHTTP Web Proxy Auto-Discovery Service service entered the running state.
Log: 'System' Date/Time: 17/10/2015 1:24:19 AM
Type: Information Category: 7005
Event: 20003 Source: Microsoft-Windows-UserPnp
Driver Management has concluded the process to add Service tunnel for Device Instance ID ROOT\*ISATAP\0002 with the following status: 0.
Log: 'System' Date/Time: 17/10/2015 1:24:18 AM
Type: Information Category: 0
Event: 7036 Source: Service Control Manager
The Computer Browser service entered the running state.
Log: 'System' Date/Time: 17/10/2015 1:24:14 AM
Type: Information Category: 0
Event: 7036 Source: Service Control Manager
The Bluetooth Support Service service entered the running state.
Evidence of a pretty bad infection here.
I see a few items located in the startup folder that needs to be removed.
c:\users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
restore_files_mkkgj.html [2015-8-22 5081]
restore_files_mkkgj.txt [2015-8-22 2253]
restore_files_qnhwg.html [2015-8-22 3822]
restore_files_qnhwg.txt [2015-8-22 2170]
I'm going to try and have this script remove it, if it doesn't might need to go through MSCONFIG and look through your startups list.
Next: Disconnect from the internet. If you are on Cable or DSL unplug your computer from the modem.
Next: Please disable all onboard security programs (all running with back ground protection) as it may hinder the scanner from working.
This includes Antivirus, Firewall, and any Spyware scanners that run in the background.
Click on this link Here (http://www.bleepingcomputer.com/forums/topic114351.html) to see a list of programs that should be disabled.
The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
Please open Notepad *Do Not Use Wordpad!* or use any other text editor than Notepad or the script will fail. (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the quote box below:
Save this as "CFScript.txt" including quotes and change the "Save as type" to "All Files" and place it on your desktop.
Registry::
c:\users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
"restore_files_mkkgj.html"=-
"restore_files_mkkgj.txt"=-
"restore_files_qnhwg.html"=-
"restore_files_qnhwg.txt"=-
Save this as "CFScript.txt" including quotes and change the "Save as type" to "All Files" and place it on your desktop.
http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif
Referring to the screenshot above, drag CFScript.txt into ComboFix.exe. ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
When finished, it shall produce a log for you, C:\ComboFix.txt. Post that log in your next reply.
CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.
CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
If there are internet issues afterward:
*In IE: Tools Menu -> Internet Options -> Connections Tab ->Lan Settings > uncheck "use a proxy server" or reconfigure the Proxy server again in case you have set it previously.
In Firefox in Tools Menu -> Options... -> Advanced Tab -> Network Tab -> "Settings" under Connection and uncheck the proxyserver, set it to No Proxy.
Chrome:
Select -> Tools menu -> then "Options", then go to "Change Proxy Settings", then "LAN Settings" , then take out the check mark for "Use a proxy server for your LAN" if set, unless you set this up yourself.
~~~~~~~~~~~~~~~`
Download the latest version of TDSSKiller from here (http://media.kaspersky.com/utilities/VirusUtilities/EN/tdsskiller.exe) and save it to your Desktop.
http://media.kaspersky.com/utilities/VirusUtilities/EN/tdsskiller.exe
http://www.bleepingcomputer.com/download/tdsskiller/dl/4/
Doubleclick on TDSSKiller.exe to run the application
https://dl.dropbox.com/u/73555776/tdss%20start.JPG
Then click on Change parameters.
https://dl.dropbox.com/u/73555776/tdss%20Change%20param.JPG
Check the boxes beside Verify Driver Digital Signature, Detect TDLFS file system and Use KSN to scan objects , then click OK.
Click the Start Scan button.
If a suspicious object is detected, the default action will be Skip, click on Continue.
https://dl.dropbox.com/u/73555776/tdss%20threat.JPG
If malicious objects are found, they will show in the Scan results and offer three (3) options.
Ensure Cure is selected, then click Continue => Reboot now to finish the cleaning process.
Get the report by selecting Reports
https://dl.dropbox.com/u/73555776/tdss%20report.JPG
Note: If Cure is not available, please choose Skip instead, do not choose Delete unless instructed.
Please copy and paste its contents on your next reply.
A report will be created in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.
~~
Please post these 2 logs when finished.
Red_Earth
2015-10-17, 04:52
thank you im working on it now
I know I've given you alot to do, after running those 2 tools, try to update and then run MBAM (Malwarebytes' Anti-Malware) again.
It's late here and I have a 6 year old ready to go to bed. I'll have to check back in the morning.
It's my hope the computer is starting to run better?
Red_Earth
2015-10-17, 05:17
ComboFix 15-10-15.01 - user 10/16/2015 22:04:37.2.2 - x86
Microsoft Windows 7 Ultimate 6.1.7600.0.1252.1.1033.18.2038.1271 [GMT -5:00]
Running from: c:\users\user\Desktop\ComboFix.exe
Command switches used :: c:\users\user\Desktop\CFScript.txt
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((( Files Created from 2015-09-17 to 2015-10-17 )))))))))))))))))))))))))))))))
.
.
2015-10-17 03:10 . 2015-10-17 03:10 -------- d-----w- c:\users\Default\AppData\Local\temp
2015-10-17 01:41 . 2015-09-16 10:43 8884144 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{DC19DD17-70D4-4535-888D-90465C567C67}\mpengine.dll
2015-10-17 01:04 . 2015-09-16 10:43 8884144 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{10CC0889-972C-46E6-9D93-866837795410}\mpengine.dll
2015-10-17 00:31 . 2015-10-17 03:10 -------- d-----w- c:\users\user\AppData\Local\temp
2015-10-12 18:59 . 2015-10-12 22:25 -------- d-----w- C:\AdwCleaner
2015-10-10 01:10 . 2015-10-10 01:10 -------- d-----w- C:\RegBackup
2015-10-10 00:26 . 2015-10-17 00:40 -------- d-----w- c:\program files\Tweaking.com
2015-10-10 00:13 . 2015-10-13 17:51 -------- d-----w- C:\FRST
2015-09-20 19:54 . 2015-09-20 19:54 -------- d-----w- c:\program files\Common Files\AV
2015-09-20 19:03 . 2015-09-20 19:03 -------- d-----w- c:\program files\CCleaner
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2015-10-17 00:02 . 2015-05-16 21:59 780488 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2015-10-17 00:02 . 2015-05-16 21:59 142536 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2015-10-17 00:02 . 2015-08-23 16:02 3996360 ----a-w- c:\windows\system32\FlashPlayerInstaller.exe
2015-08-20 09:18 . 2015-09-02 11:32 9234960 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{04CF7845-9F16-42DA-8744-864BC1B9294F}\mpengine.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SandboxieControl"="c:\program files\Sandboxie\SbieCtrl.exe" [2013-10-16 543432]
"CCleaner Monitoring"="c:\program files\CCleaner\CCleaner.exe" [2015-08-19 6490904]
"SpybotPostWindows10UpgradeReInstall"="c:\program files\Common Files\AV\Spybot - Search and Destroy\Test.exe" [2015-07-28 1011200]
.
c:\users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
restore_files_mkkgj.html [2015-8-22 5081]
restore_files_mkkgj.txt [2015-8-22 2253]
restore_files_qnhwg.html [2015-8-22 3822]
restore_files_qnhwg.txt [2015-8-22 2170]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\BFE]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\BITS]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MpsSvc]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\msiserver]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SharedAccess]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vss]
@="Service"
.
R3 netw5v32;Intel(R) Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\system32\DRIVERS\netw5v32.sys [2009-07-13 4231168]
S3 SrvHsfHDA;SrvHsfHDA;c:\windows\system32\DRIVERS\VSTAZL3.SYS [2009-07-13 207360]
S3 SrvHsfV92;SrvHsfV92;c:\windows\system32\DRIVERS\VSTDPV3.SYS [2009-07-13 980992]
S3 SrvHsfWinac;SrvHsfWinac;c:\windows\system32\DRIVERS\VSTCNXT3.SYS [2009-07-13 661504]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]
2015-10-16 09:05 997704 ----a-w- c:\program files\Google\Chrome\Application\46.0.2490.71\Installer\chrmstp.exe
.
Contents of the 'Scheduled Tasks' folder
.
2015-10-17 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2015-05-16 00:02]
.
2015-10-17 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2015-05-19 16:47]
.
2015-10-17 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2015-05-19 16:47]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyServer = localhost:8080
TCP: DhcpNameServer = 75.75.75.75 75.75.76.76
FF - ProfilePath - c:\users\user\AppData\Roaming\Mozilla\Firefox\Profiles\vk605143.default\
FF - prefs.js: browser.startup.homepage - hxxps://www.google.com/?gws_rd=ssl
.
- - - - ORPHANS REMOVED - - - -
.
SafeBoot-AppXSvc
SafeBoot-ClipSvc
SafeBoot-WSService
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil32_19_0_0_226_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\LocalServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil32_19_0_0_226_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}]
@Denied: (A 2) (Everyone)
@="IFlashBroker6"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\system\ControlSet002\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet002\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet002\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2015-10-16 22:13:34
ComboFix-quarantined-files.txt 2015-10-17 03:13
ComboFix2.txt 2015-10-17 00:35
.
Pre-Run: 275,599,224,832 bytes free
Post-Run: 275,549,126,656 bytes free
.
- - End Of File - - 74FB0251404458ADE88AF808BE27C782
8F558EB6672622401DA993E1E865C861
Red_Earth
2015-10-17, 05:27
No threats found
Please open Notepad *Do Not Use Wordpad!* or use any other text editor than Notepad or the script will fail. (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the quote box below:
To do this highlight the contents of the box and right click on it and select copy.
Paste this into the open notepad. save it to the Desktop as fixlist.txt
NOTE. It's important that both files, FRST/FRST64 and fixlist.txt are in the same location or the fix will not work.
It needs to be saved Next to the "Farbar Recovery Scan Tool" (If asked to overwrite existing one please allow)
start
CreateRestorePoint:
CloseProcesses:
Startup: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\restore_files_mkkgj.html [2015-08-22] ()
Startup: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\restore_files_mkkgj.txt [2015-08-22] ()
Startup: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\restore_files_qnhwg.html [2015-08-22] ()
Startup: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\restore_files_qnhwg.txt [2015-08-22] ()
EmptyTemp:
Hosts:
End
Open FRST/FRST64 and press the > Fix < button just once and wait.
If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.
When finished FRST will generate a log on the Desktop (Fixlog.txt). Please post it to your reply.
Post this log when finished.
Tell me what the computer is doing now, is it running any better?
Red_Earth
2015-10-17, 22:16
Fix result of Farbar Recovery Scan Tool (x86) Version:17-10-2015
Ran by user (2015-10-17 15:12:35) Run:2
Running from C:\Users\user\Desktop
Loaded Profiles: user (Available Profiles: user)
Boot Mode: Normal
==============================================
fixlist content:
*****************
start
CreateRestorePoint:
CloseProcesses:
Startup: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\restore_files_mkkgj.html [2015-08-22] ()
Startup: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\restore_files_mkkgj.txt [2015-08-22] ()
Startup: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\restore_files_qnhwg.html [2015-08-22] ()
Startup: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\restore_files_qnhwg.txt [2015-08-22] ()
EmptyTemp:
Hosts:
End
*****************
Restore point was successfully created.
Processes closed successfully.
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\restore_files_mkkgj.html => moved successfully
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\restore_files_mkkgj.txt => moved successfully
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\restore_files_qnhwg.html => moved successfully
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\restore_files_qnhwg.txt => moved successfully
C:\Windows\System32\Drivers\etc\hosts => moved successfully
Hosts restored successfully.
EmptyTemp: => 718.1 MB temporary data Removed.
The system needed a reboot.
==== End of Fixlog 15:13:00 ====
Red_Earth
2015-10-17, 22:18
The computer rebooted after this last farbar run. Upon reboot, for the first time in a long time, windows opened without the extra popup windows. Should I try to run the programs that it wouldnt run before eg; spybot, malwarebytes?
The computer rebooted after this last farbar run. Upon reboot, for the first time in a long time, windows opened without the extra popup windows. Should I try to run the programs that it wouldnt run before eg; spybot, malwarebytes?
yahoo, yabba dabba do
we're getting there.
I might have posted these instructions before, no big deal, let's run them again. Could be things it couldn't find before it can now.
If one wont run go to the next.
Open MBAM
On the Dashboard click on Update Now
Go to the Setting Tab
Under Setting go to Detection and Protection
Under PUP and PUM make sure both are set to show Treat Detections as Malware
Go to Advanced setting and make sure Automatically Quarantine Detected Items is checked
Then on the Dashboard click on Scan
Make sure to select THREAT SCAN
Then click on Scan
When the scan is finished and the log pops up...select Copy to Clipboard
Please paste the log back into this thread for review
Exit Malwarebytes
~~~~~~~~~~~~~~~~~~~~~~``
http://i24.photobucket.com/albums/c30/ken545/MBAM%20Application_zps7zm0ftdm.png (http://s24.photobucket.com/user/ken545/media/MBAM%20Application_zps7zm0ftdm.png.html)
1. Open up Malwarebytes and you will be on the Dashboard
2. Click on the History Tab
3. Then click on Application Logs
4. Double click on the SCAN LOG (Not Protection Log ) you just ran
5. When it opens it will look like this
http://i24.photobucket.com/albums/c30/ken545/MBAM%20Export_zpsjbtttjun.jpg (http://s24.photobucket.com/user/ken545/media/MBAM%20Export_zpsjbtttjun.jpg.html)
6. Then click on Export
7. On the drop down list click on Copy to Clipboard
8. Then paste the log back into this thread
On completion of the scan (or after the reboot), start MBAM,
Click History, then Application Logs, then check the Select box by the first Scan Log in the list and then click on the log to highlight it.
Click Export, select text file and save to the desktop as MBAM.txt and post in your next reply.
~~~~~~~~~~~~~~~~~~~~~~~~~~~
http://i.imgur.com/BY4dvz9.png AdwCleaner
Please download AdwCleaner (http://www.bleepingcomputer.com/download/adwcleaner/) and save the file to your Desktop.
Right-Click AdwCleaner.exe and select http://i.imgur.com/AVOiBNU.jpg Run as administrator to run the programme.
Follow the prompts.
Click Scan.
Upon completion, click Report. A log (AdwCleaner[SX].txt) will open. Briefly check the log for anything you know to be legitimate.
Ensure anything you know to be legitimate does not have a checkmark, and click Clean.
Follow the prompts and allow your computer to reboot.
After rebooting, a log (AdwCleaner[SX].txt) will open. Copy the contents of the log and paste in your next reply.
-- File and registry key backups are made for anything removed using this tool. Should a legitimate entry be removed (otherwise known as a 'false-positive'), simple steps can be taken to restore the entry. Please do not overly concern yourself with the contents of AdwCleaner[R0].txt.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
http://imageshack.us/a/img841/7292/thisisujrt.gif
Please download Junkware Removal Tool (http://www.bleepingcomputer.com/download/junkware-removal-tool/)
or from here http://downloads.malwarebytes.org/file/jrt
to your desktop.
Shut down your protection software now to avoid potential conflicts.
Run the tool by double-clicking it. If you are using Windows Vista, 7, or 8; instead of double-clicking, right-mouse click JRT.exe and select "Run as Administrator".
The tool will open and start scanning your system.
Please be patient as this can take a while to complete depending on your system's specifications.
On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
Post the contents of JRT.txt into your next message.
please post
MBAM.txt
AdwCleaner[CX].txt
JRT.txt
Red_Earth
2015-10-18, 22:46
it finally let me run the mbam.exe
Malwarebytes ran and it found no threats.
heres the log you asked for:Malwarebytes Anti-Malware
www.malwarebytes.org
Scan Date: 10/18/2015
Scan Time: 2:31 PM
Logfile:
Administrator: Yes
Version: 2.2.0.1024
Malware Database: v2015.10.18.04
Rootkit Database: v2015.10.16.01
License: Free
Malware Protection: Disabled
Malicious Website Protection: Disabled
Self-protection: Disabled
OS: Windows 7
CPU: x86
File System: NTFS
User: user
Scan Type: Threat Scan
Result: Completed
Objects Scanned: 285075
Time Elapsed: 6 min, 6 sec
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled
Processes: 0
(No malicious items detected)
Modules: 0
(No malicious items detected)
Registry Keys: 0
(No malicious items detected)
Registry Values: 0
(No malicious items detected)
Registry Data: 0
(No malicious items detected)
Folders: 0
(No malicious items detected)
Files: 0
(No malicious items detected)
Physical Sectors: 0
(No malicious items detected)
(end)
Red_Earth
2015-10-18, 22:56
no threats!
Red_Earth
2015-10-18, 23:02
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Malwarebytes
Version: 7.6.4 (09.28.2015:1)
OS: Windows 7 Ultimate x86
Ran by user on Sun 10/18/2015 at 14:59:22.03
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~~ Services
~~~ Tasks
~~~ Registry Values
~~~ Registry Keys
Successfully deleted: [Registry Key] HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer
~~~ Files
~~~ Folders
~~~ FireFox
Emptied folder: C:\Users\user\AppData\Roaming\mozilla\firefox\profiles\vk605143.default\minidumps [24 files]
~~~ Chrome
[C:\Users\user\Appdata\Local\Google\Chrome\User Data\Default\Preferences] - default search provider reset
[C:\Users\user\Appdata\Local\Google\Chrome\User Data\Default\Preferences] - Extensions Deleted:
[C:\Users\user\Appdata\Local\Google\Chrome\User Data\Default\Secure Preferences] - default search provider reset
[C:\Users\user\Appdata\Local\Google\Chrome\User Data\Default\Secure Preferences] - Extensions Deleted:
[]
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on Sun 10/18/2015 at 15:01:35.56
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Now for the Piece-de-resistance
What we can do now is run an online scan with Eset, for the time being it is our most trusted scanner.
Most reliable and thorough.
The settings I suggest will show us items located in quarantine folders so don't be alarmed with this, also, in case of a false positive I ask that you not allow it to delete what it does find.
This scanner can take quite a bit of time to run, depending of course how full your computer is.
Note: This scan may take a long time to complete. Please do not browse the Internet whilst your Anti-Virus is disabled.
http://i.imgur.com/GzlsbnV.png ESET Online Scan
Note: This scan may take a long time to complete. Please do not browse the Internet whilst your Anti-Virus is disabled.
Please download ESET Online Scan (http://download.eset.com/special/eos/esetsmartinstaller_enu.exe) and save the file to your Desktop.
Temporarily disable your anti-virus software. For instructions, please refer to the following link (http://www.bleepingcomputer.com/forums/t/114351/how-to-temporarily-disable-your-anti-virus-firewall-and-anti-malware-programs/).
Double-click esetsmartinstaller_enu.exe to run the programme.
Agree to the EULA by placing a checkmark next to Yes, I accept the Terms of Use. Then click Start.
Agree to the Terms of Use once more and click Start. Allow components to download.
Place a checkmark next to Enable detection of potentially unwanted applications.
Click Advanced settings. Place a checkmark next to:
Scan archives
Scan for potentially unsafe applications
Enable Anti-Stealth technology
Ensure Remove found threats is unchecked.
Click Start.
Wait for the scan to finish. Please be patient as this can take some time.
Upon completion, click http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetListThreats.png. If no threats were found, skip the next two bullet points.
Click http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetExport.png and save the file to your Desktop, naming it something such as "MyEsetScan".
Push the Back button.
Place a checkmark next to http://3-ps.googleusercontent.com/x/forums.whatthetech.com/i.imgur.com/xKN1w2nv.png.pagespeed.ic.JWqIaEgZi7.png and click http://1-ps.googleusercontent.com/x/forums.whatthetech.com/i.imgur.com/SzOC1p0.png.pagespeed.ce.OWDP45O6oG.png.
Re-enable your anti-virus software.
Copy the contents of the log and paste in your next reply.
Glad we could help. :)http://i204.photobucket.com/albums/bb106/Juliet702/sparkle.gif
Since this issue appears resolved ... this Topic is closed.