Browser redirects



Blackhawk2
2018-12-21, 03:05
A little background. This was my son's computer and he was having troubles with it for a while. He has since joined the Navy, so I naturally took his laptop and tried to clean it as best I could. I was forever getting different redirects in IE, most of them to fake Adobe Flash Player update sites. After getting sick of seeing this about every 5 minutes, I completely wiped it out and re-installed Windows 7. Even after a fresh install, I am still getting browser redirects, some to the fake Adobe site and others suggesting that my computer is infected. Here are my scans; looks like I may have an issue...:

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 20.12.2018
Ran by Eric (administrator) on ERIC-PC (20-12-2018 18:34:10)
Running from C:\Users\Eric\Desktop
Loaded Profiles: Eric (Available Profiles: Eric)
Platform: Microsoft Windows 7 Professional Service Pack 1 (X86) Language: English (United States)
Internet Explorer Version 11 (Default browser: IE)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(Microsoft Corporation) C:\Program Files\Microsoft Security Client\MsMpEng.exe
(Dell Inc.) C:\Program Files\Dell\DW WLAN Card\WLTRYSVC.EXE
(Microsoft Corporation) C:\Windows\System32\wlanext.exe
(Dell Inc.) C:\Program Files\Dell\DW WLAN Card\BCMWLTRY.EXE
(Broadcom Corporation) C:\Program Files\Broadcom Corporation\Broadcom USH Host Components\CV\bin\HostControlService.exe
(Broadcom Corporation) C:\Program Files\Broadcom Corporation\Broadcom USH Host Components\CV\bin\HostStorageService.exe
(Apple Inc.) C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
(Apple Inc.) C:\Program Files\Bonjour\mDNSResponder.exe
(Safer-Networking Ltd.) C:\Program Files\Spybot - Search & Destroy 2\SDFSSvc.exe
(Dell Inc.) C:\Program Files\Dell\DW WLAN Card\WLTRAY.EXE
(Alps Electric Co., Ltd.) C:\Program Files\DellTPad\Apoint.exe
(Intel Corporation) C:\Windows\System32\igfxtray.exe
(Intel Corporation) C:\Windows\System32\hkcmd.exe
(Intel Corporation) C:\Windows\System32\igfxpers.exe
(Microsoft Corporation) C:\Program Files\Microsoft Security Client\msseces.exe
(Safer-Networking Ltd.) C:\Program Files\Spybot - Search & Destroy 2\SDTray.exe
(Apple Inc.) C:\Program Files\iTunes\iTunesHelper.exe
(Safer-Networking Ltd.) C:\Program Files\Spybot - Search & Destroy 2\SDUpdSvc.exe
(Malwarebytes) C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe
(Safer-Networking Ltd.) C:\Program Files\Spybot - Search & Destroy 2\SDWSCSvc.exe
(Apple Inc.) C:\Program Files\iPod\bin\iPodService.exe
(Alps Electric Co., Ltd.) C:\Program Files\DellTPad\ApMsgFwd.exe
(Alps Electric Co., Ltd.) C:\Program Files\DellTPad\hidfind.exe
(Alps Electric Co., Ltd.) C:\Program Files\DellTPad\ApntEx.exe
(Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe
(Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe
(Malwarebytes) C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe
(Microsoft Corporation) C:\Program Files\Microsoft Security Client\NisSrv.exe
(Dell Inc.) C:\Program Files\Dell\DellDataVault\DDVRulesProcessor.exe
(PC-Doctor, Inc.) C:\Program Files\Dell\SupportAssistAgent\PCDr\SupportAssist\6.0.6992.1382\DSAPI.exe
(Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe
(PC-Doctor, Inc.) C:\Program Files\Dell\SupportAssistAgent\PCDr\SupportAssist\6.0.6992.1382\pcdrwi.exe
(Dell Inc.) C:\Program Files\Dell\SupportAssistAgent\bin\SupportAssistAgent.exe
(Dell Inc.) C:\Program Files\Dell\DellDataVault\DDVDataCollector.exe
(Dell Inc.) C:\Program Files\Dell\DellDataVault\DDVCollectorSvcApi.exe

==================== Registry (Whitelisted) ===========================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [Broadcom Wireless Manager UI] => C:\Program Files\Dell\DW WLAN Card\WLTRAY.exe [5249024 2010-02-02] (Dell Inc.)
HKLM\...\Run: [Apoint] => C:\Program Files\DellTPad\Apoint.exe [555352 2013-02-21] (Alps Electric Co., Ltd.)
HKLM\...\Run: [MSC] => c:\Program Files\Microsoft Security Client\msseces.exe [1002984 2016-11-14] (Microsoft Corporation)
HKLM\...\Run: [SDTray] => C:\Program Files\Spybot - Search & Destroy 2\SDTray.exe [6788032 2018-04-20] (Safer-Networking Ltd.)
HKLM\...\Run: [iTunesHelper] => C:\Program Files\iTunes\iTunesHelper.exe [266552 2018-11-15] (Apple Inc.)
Winlogon\Notify\SDWinLogon: SDWinLogon.dll [X]
HKU\S-1-5-18\...\RunOnce: [SPReview] => "C:\Windows\System32\SPReview\SPReview.exe" /sp:1 /errorfwlink:"hxxp://go.microsoft.com/fwlink/?LinkID=122915" /build:7601
BootExecute: autocheck autochk * sdnclean.exe

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

Winsock: Catalog5 07 C:\Program Files\Bonjour\mdnsNSP.dll [122128 2015-08-12] (Apple Inc.)
Hosts: There are more than one entry in Hosts. See Hosts section of Addition.txt
Tcpip\Parameters: [DhcpNameServer] 75.75.75.75 75.75.76.76
Tcpip\..\Interfaces\{9D84EDBD-2C82-4809-A6AD-CA2B80FF9AF8}: [DhcpNameServer] 75.75.75.75 75.75.76.76
Tcpip\..\Interfaces\{C69D3F31-BF57-4F73-976B-79F7F692F8C5}: [DhcpNameServer] 75.75.75.75 75.75.76.76

Internet Explorer:
==================
HKU\S-1-5-21-176189476-422782663-3432535527-1000\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.yahoo.com/

FireFox:
========
FF Plugin: @adobe.com/FlashPlayer -> C:\Windows\system32\Macromed\Flash\NPSWF32_32_0_0_101.dll [2018-12-09] ()
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files\Microsoft Silverlight\5.1.50907.0\npctrl.dll [2017-05-03] ( Microsoft Corporation)

==================== Services (Whitelisted) ====================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R2 Credential Vault Host Control Service; C:\Program Files\Broadcom Corporation\Broadcom USH Host Components\CV\bin\HostControlService.exe [826272 2012-04-25] (Broadcom Corporation)
R2 Credential Vault Host Storage; C:\Program Files\Broadcom Corporation\Broadcom USH Host Components\CV\bin\HostStorageService.exe [31648 2012-04-25] (Broadcom Corporation)
R2 DDVCollectorSvcApi; C:\Program Files\Dell\DellDataVault\DDVCollectorSvcApi.exe [172528 2018-10-22] (Dell Inc.)
R2 DDVDataCollector; C:\Program Files\Dell\DellDataVault\DDVDataCollector.exe [2404336 2018-10-22] (Dell Inc.)
R2 DDVRulesProcessor; C:\Program Files\Dell\DellDataVault\DDVRulesProcessor.exe [189424 2018-10-22] (Dell Inc.)
R2 Dell Hardware Support; C:\Program Files\Dell\SupportAssistAgent\PCDr\SupportAssist\6.0.6992.1382\DSAPI.exe [1002816 2018-10-31] (PC-Doctor, Inc.)
R2 MBAMService; C:\Program Files\Malwarebytes\Anti-Malware\mbamservice.exe [5073376 2018-09-19] (Malwarebytes)
R2 MsMpSvc; c:\Program Files\Microsoft Security Client\MsMpEng.exe [103696 2016-11-14] (Microsoft Corporation)
R3 NisSrv; c:\Program Files\Microsoft Security Client\NisSrv.exe [280864 2016-11-14] (Microsoft Corporation)
R2 SDScannerService; C:\Program Files\Spybot - Search & Destroy 2\SDFSSvc.exe [3892256 2018-04-20] (Safer-Networking Ltd.)
R2 SDUpdateService; C:\Program Files\Spybot - Search & Destroy 2\SDUpdSvc.exe [3943664 2018-04-20] (Safer-Networking Ltd.)
R2 SDWSCService; C:\Program Files\Spybot - Search & Destroy 2\SDWSCSvc.exe [233712 2018-02-06] (Safer-Networking Ltd.)
R2 SupportAssistAgent; C:\Program Files\Dell\SupportAssistAgent\bin\SupportAssistAgent.exe [38872 2018-10-25] (Dell Inc.)
S3 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [680960 2013-05-26] (Microsoft Corporation)
R2 wltrysvc; C:\Program Files\Dell\DW WLAN Card\bcmwltry.exe [4539392 2010-02-02] (Dell Inc.) [File not signed]

===================== Drivers (Whitelisted) ======================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R3 BCM42RLY; C:\Windows\System32\drivers\BCM42RLY.sys [18424 2010-02-02] (Broadcom Corporation)
R3 cvusbdrv; C:\Windows\System32\Drivers\cvusbdrv.sys [40296 2012-04-25] (Broadcom Corporation)
R3 DDDriver; C:\Windows\System32\drivers\DDDriver32Dcsa.sys [30912 2018-05-08] (Dell Inc.)
R3 DellProf; C:\Windows\System32\drivers\DellProf.sys [30520 2018-05-08] (Dell Computer Corporation)
S3 MBAMProtection; C:\Windows\System32\DRIVERS\mbam.sys [56552 2018-10-28] (Malwarebytes)
R3 MBAMSwissArmy; C:\Windows\System32\Drivers\mbamswissarmy.sys [229568 2018-12-20] (Malwarebytes)
R0 MpFilter; C:\Windows\System32\DRIVERS\MpFilter.sys [252808 2016-08-25] (Microsoft Corporation)
S3 netr28u; C:\Windows\System32\DRIVERS\netr28u.sys [1321568 2012-08-17] (Ralink Technology Corp.)
R0 stdcfltn; C:\Windows\System32\DRIVERS\stdcfltn.sys [18992 2015-01-09] (ST Microelectronics)
R3 ST_ACCEL; C:\Windows\System32\DRIVERS\ST_Accel.sys [87728 2015-05-21] (STMicroelectronics)

==================== NetSvcs (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)


==================== One Month Created files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2018-12-20 18:34 - 2018-12-20 18:34 - 000008913 _____ C:\Users\Eric\Desktop\FRST.txt
2018-12-20 18:33 - 2018-12-20 18:34 - 000000000 ____D C:\FRST
2018-12-20 18:32 - 2018-12-20 18:32 - 000229568 _____ (Malwarebytes) C:\Windows\system32\Drivers\mbamswissarmy.sys
2018-12-20 18:31 - 2018-12-20 18:31 - 000000207 _____ C:\Windows\tweaking.com-regbackup-ERIC-PC-Windows-7-Professional-(32-bit).dat
2018-12-20 18:31 - 2018-12-20 18:31 - 000000000 ____D C:\RegBackup
2018-12-20 18:30 - 2018-12-20 18:30 - 000017367 _____ C:\Windows\Tweaking.com - Registry Backup Setup Log.txt
2018-12-20 18:30 - 2018-12-20 18:30 - 000002201 _____ C:\Users\Public\Desktop\Tweaking.com - Registry Backup.lnk
2018-12-20 18:30 - 2018-12-20 18:30 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Tweaking.com
2018-12-20 18:30 - 2018-12-20 18:30 - 000000000 ____D C:\Program Files\Tweaking.com
2018-12-20 18:29 - 2018-12-20 18:29 - 005198336 _____ (AVAST Software) C:\Users\Eric\Desktop\aswMBR.exe
2018-12-20 18:28 - 2018-12-20 18:28 - 005766144 _____ (Tweaking.com) C:\Users\Eric\Desktop\tweaking.com_registry_backup_setup.exe
2018-12-20 18:28 - 2018-12-20 18:28 - 001778176 _____ (Farbar) C:\Users\Eric\Desktop\FRST.exe
2018-12-19 22:46 - 2012-04-25 22:05 - 000308624 _____ C:\Windows\system32\brcmbsp.dll
2018-12-19 22:46 - 2012-04-25 22:05 - 000208264 _____ C:\Windows\system32\bipbsp.dll
2018-12-19 22:45 - 2018-12-19 22:45 - 000000000 ____H C:\Windows\system32\Drivers\Msft_Kernel_cvusbdrv_01009.Wdf
2018-12-19 22:45 - 2018-12-19 22:45 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Broadcom
2018-12-19 22:45 - 2018-12-19 22:45 - 000000000 ____D C:\ProgramData\Broadcom
2018-12-19 22:45 - 2018-12-19 22:45 - 000000000 ____D C:\Program Files\Broadcom Corporation
2018-12-19 22:15 - 2018-12-19 22:51 - 000000000 ____D C:\Program Files\ST Microelectronics
2018-12-19 22:15 - 2018-12-19 22:15 - 000000000 ____H C:\Windows\system32\Drivers\Msft_Kernel_ST_Accel_01009.Wdf
2018-12-19 22:15 - 2018-12-19 22:15 - 000000000 ____D C:\Program Files\STMicroelectronics
2018-12-19 22:15 - 2018-12-19 22:15 - 000000000 ____D C:\Program Files\DIFX
2018-12-19 22:15 - 2015-05-21 15:04 - 000087728 _____ (STMicroelectronics) C:\Windows\system32\Drivers\ST_Accel.sys
2018-12-19 22:15 - 2015-05-21 15:04 - 000069808 _____ (ST Microelectronics) C:\Windows\system32\stdcfltnco08.dll
2018-12-19 22:15 - 2015-01-09 10:25 - 000018992 _____ (ST Microelectronics) C:\Windows\system32\Drivers\stdcfltn.sys
2018-12-19 21:58 - 2018-12-14 17:14 - 000348760 _____ (Microsoft Corporation) C:\Windows\system32\iedkcs32.dll
2018-12-19 21:58 - 2018-12-14 00:58 - 020280832 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.dll
2018-12-19 21:58 - 2018-12-14 00:51 - 002724864 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.tlb
2018-12-19 21:58 - 2018-12-14 00:51 - 000004096 _____ (Microsoft Corporation) C:\Windows\system32\ieetwcollectorres.dll
2018-12-19 21:58 - 2018-12-14 00:41 - 000498176 _____ (Microsoft Corporation) C:\Windows\system32\vbscript.dll
2018-12-19 21:58 - 2018-12-14 00:41 - 000062464 _____ (Microsoft Corporation) C:\Windows\system32\iesetup.dll
2018-12-19 21:58 - 2018-12-14 00:40 - 000341504 _____ (Microsoft Corporation) C:\Windows\system32\html.iec
2018-12-19 21:58 - 2018-12-14 00:40 - 000047616 _____ (Microsoft Corporation) C:\Windows\system32\ieetwproxystub.dll
2018-12-19 21:58 - 2018-12-14 00:39 - 000064000 _____ (Microsoft Corporation) C:\Windows\system32\MshtmlDac.dll
2018-12-19 21:58 - 2018-12-14 00:38 - 002295808 _____ (Microsoft Corporation) C:\Windows\system32\iertutil.dll
2018-12-19 21:58 - 2018-12-14 00:35 - 000047104 _____ (Microsoft Corporation) C:\Windows\system32\jsproxy.dll
2018-12-19 21:58 - 2018-12-14 00:35 - 000030720 _____ (Microsoft Corporation) C:\Windows\system32\iernonce.dll
2018-12-19 21:58 - 2018-12-14 00:34 - 000476160 _____ (Microsoft Corporation) C:\Windows\system32\ieui.dll
2018-12-19 21:58 - 2018-12-14 00:33 - 000663040 _____ (Microsoft Corporation) C:\Windows\system32\jscript.dll
2018-12-19 21:58 - 2018-12-14 00:33 - 000115712 _____ (Microsoft Corporation) C:\Windows\system32\ieUnatt.exe
2018-12-19 21:58 - 2018-12-14 00:33 - 000104960 _____ (Microsoft Corporation) C:\Windows\system32\ieetwcollector.exe
2018-12-19 21:58 - 2018-12-14 00:32 - 000620032 _____ (Microsoft Corporation) C:\Windows\system32\jscript9diag.dll
2018-12-19 21:58 - 2018-12-14 00:29 - 000668160 _____ (Microsoft Corporation) C:\Windows\system32\MsSpellCheckingFacility.exe
2018-12-19 21:58 - 2018-12-14 00:26 - 000416256 _____ (Microsoft Corporation) C:\Windows\system32\dxtmsft.dll
2018-12-19 21:58 - 2018-12-14 00:23 - 000060416 _____ (Microsoft Corporation) C:\Windows\system32\JavaScriptCollectionAgent.dll
2018-12-19 21:58 - 2018-12-14 00:22 - 000091136 _____ (Microsoft Corporation) C:\Windows\system32\inseng.dll
2018-12-19 21:58 - 2018-12-14 00:22 - 000073216 _____ (Microsoft Corporation) C:\Windows\system32\tdc.ocx
2018-12-19 21:58 - 2018-12-14 00:20 - 000168960 _____ (Microsoft Corporation) C:\Windows\system32\msrating.dll
2018-12-19 21:58 - 2018-12-14 00:19 - 000279040 _____ (Microsoft Corporation) C:\Windows\system32\dxtrans.dll
2018-12-19 21:58 - 2018-12-14 00:19 - 000076288 _____ (Microsoft Corporation) C:\Windows\system32\mshtmled.dll
2018-12-19 21:58 - 2018-12-14 00:18 - 004494848 _____ (Microsoft Corporation) C:\Windows\system32\jscript9.dll
2018-12-19 21:58 - 2018-12-14 00:18 - 000130048 _____ (Microsoft Corporation) C:\Windows\system32\occache.dll
2018-12-19 21:58 - 2018-12-14 00:14 - 013681152 _____ (Microsoft Corporation) C:\Windows\system32\ieframe.dll
2018-12-19 21:58 - 2018-12-14 00:13 - 000230400 _____ (Microsoft Corporation) C:\Windows\system32\webcheck.dll
2018-12-19 21:58 - 2018-12-14 00:11 - 002059776 _____ (Microsoft Corporation) C:\Windows\system32\inetcpl.cpl
2018-12-19 21:58 - 2018-12-14 00:11 - 000696320 _____ (Microsoft Corporation) C:\Windows\system32\msfeeds.dll
2018-12-19 21:58 - 2018-12-14 00:11 - 000692224 _____ (Microsoft Corporation) C:\Windows\system32\ie4uinit.exe
2018-12-19 21:58 - 2018-12-14 00:10 - 001155072 _____ (Microsoft Corporation) C:\Windows\system32\mshtmlmedia.dll
2018-12-19 21:58 - 2018-12-13 23:58 - 004386816 _____ (Microsoft Corporation) C:\Windows\system32\wininet.dll
2018-12-19 21:58 - 2018-12-13 23:54 - 001330176 _____ (Microsoft Corporation) C:\Windows\system32\urlmon.dll
2018-12-19 21:58 - 2018-12-13 23:52 - 000710144 _____ (Microsoft Corporation) C:\Windows\system32\ieapfltr.dll
2018-12-14 16:26 - 2018-12-14 16:26 - 000001747 _____ C:\Users\Public\Desktop\iTunes.lnk
2018-12-14 16:26 - 2018-12-14 16:26 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\iTunes
2018-12-14 16:26 - 2018-12-14 16:26 - 000000000 ____D C:\Program Files\iPod
2018-12-14 16:25 - 2018-12-14 16:26 - 000000000 ____D C:\Program Files\iTunes
2018-12-12 00:25 - 2018-12-05 20:35 - 002405376 _____ (Microsoft Corporation) C:\Windows\system32\win32k.sys
2018-12-12 00:25 - 2018-11-28 15:50 - 012574208 _____ (Microsoft Corporation) C:\Windows\system32\wmploc.DLL
2018-12-12 00:25 - 2018-11-28 15:50 - 011411968 _____ (Microsoft Corporation) C:\Windows\system32\wmp.dll
2018-12-12 00:25 - 2018-11-28 15:38 - 000008192 _____ (Microsoft Corporation) C:\Windows\system32\spwmp.dll
2018-12-12 00:25 - 2018-11-28 15:38 - 000004608 _____ (Microsoft Corporation) C:\Windows\system32\msdxm.ocx
2018-12-12 00:25 - 2018-11-28 15:38 - 000004608 _____ (Microsoft Corporation) C:\Windows\system32\dxmasf.dll
2018-12-12 00:25 - 2018-11-11 10:50 - 000189672 _____ (Microsoft Corporation) C:\Windows\system32\halmacpi.dll
2018-12-12 00:25 - 2018-11-11 10:50 - 000189672 _____ (Microsoft Corporation) C:\Windows\system32\hal.dll
2018-12-12 00:25 - 2018-11-11 10:49 - 004054760 _____ (Microsoft Corporation) C:\Windows\system32\ntkrnlpa.exe
2018-12-12 00:25 - 2018-11-11 10:49 - 003960040 _____ (Microsoft Corporation) C:\Windows\system32\ntoskrnl.exe
2018-12-12 00:25 - 2018-11-11 10:49 - 000162536 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\msrpc.sys
2018-12-12 00:25 - 2018-11-11 10:49 - 000137960 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\ksecpkg.sys
2018-12-12 00:25 - 2018-11-11 10:49 - 000136424 _____ (Microsoft Corporation) C:\Windows\system32\halacpi.dll
2018-12-12 00:25 - 2018-11-11 10:49 - 000067304 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\ksecdd.sys
2018-12-12 00:25 - 2018-11-11 10:47 - 001310528 _____ (Microsoft Corporation) C:\Windows\system32\ntdll.dll
2018-12-12 00:25 - 2018-11-11 10:45 - 001063424 _____ (Microsoft Corporation) C:\Windows\system32\lsasrv.dll
2018-12-12 00:25 - 2018-11-11 10:45 - 000655360 _____ (Microsoft Corporation) C:\Windows\system32\rpcrt4.dll
2018-12-12 00:25 - 2018-11-11 10:45 - 000554496 _____ (Microsoft Corporation) C:\Windows\system32\kerberos.dll
2018-12-12 00:25 - 2018-11-11 10:45 - 000400896 _____ (Microsoft Corporation) C:\Windows\system32\srcore.dll
2018-12-12 00:25 - 2018-11-11 10:45 - 000261120 _____ (Microsoft Corporation) C:\Windows\system32\msv1_0.dll
2018-12-12 00:25 - 2018-11-11 10:45 - 000254464 _____ (Microsoft Corporation) C:\Windows\system32\schannel.dll
2018-12-12 00:25 - 2018-11-11 10:45 - 000223232 _____ (Microsoft Corporation) C:\Windows\system32\ncrypt.dll
2018-12-12 00:25 - 2018-11-11 10:45 - 000172032 _____ (Microsoft Corporation) C:\Windows\system32\wdigest.dll
2018-12-12 00:25 - 2018-11-11 10:45 - 000146432 _____ (Microsoft Corporation) C:\Windows\system32\msaudite.dll
2018-12-12 00:25 - 2018-11-11 10:45 - 000141312 _____ (Microsoft Corporation) C:\Windows\system32\rpchttp.dll
2018-12-12 00:25 - 2018-11-11 10:45 - 000099840 _____ (Microsoft Corporation) C:\Windows\system32\sspicli.dll
2018-12-12 00:25 - 2018-11-11 10:45 - 000070144 _____ (Microsoft Corporation) C:\Windows\system32\TSpkg.dll
2018-12-12 00:25 - 2018-11-11 10:45 - 000060416 _____ (Microsoft Corporation) C:\Windows\system32\msobjs.dll
2018-12-12 00:25 - 2018-11-11 10:45 - 000050176 _____ (Microsoft Corporation) C:\Windows\system32\setbcdlocale.dll
2018-12-12 00:25 - 2018-11-11 10:45 - 000043008 _____ (Microsoft Corporation) C:\Windows\system32\srclient.dll
2018-12-12 00:25 - 2018-11-11 10:45 - 000022016 _____ (Microsoft Corporation) C:\Windows\system32\secur32.dll
2018-12-12 00:25 - 2018-11-11 10:44 - 000690688 _____ (Microsoft Corporation) C:\Windows\system32\adtschema.dll
2018-12-12 00:25 - 2018-11-11 10:44 - 000644096 _____ (Microsoft Corporation) C:\Windows\system32\advapi32.dll
2018-12-12 00:25 - 2018-11-11 10:44 - 000307200 _____ (Microsoft Corporation) C:\Windows\system32\gdi32.dll
2018-12-12 00:25 - 2018-11-11 10:44 - 000082432 _____ (Microsoft Corporation) C:\Windows\system32\bcrypt.dll
2018-12-12 00:25 - 2018-11-11 10:44 - 000050688 _____ (Microsoft Corporation) C:\Windows\system32\appidapi.dll
2018-12-12 00:25 - 2018-11-11 10:44 - 000038912 _____ (Microsoft Corporation) C:\Windows\system32\csrsrv.dll
2018-12-12 00:25 - 2018-11-11 10:44 - 000017408 _____ (Microsoft Corporation) C:\Windows\system32\credssp.dll
2018-12-12 00:25 - 2018-11-11 10:44 - 000006656 _____ (Microsoft Corporation) C:\Windows\system32\apisetschema.dll
2018-12-12 00:25 - 2018-11-11 10:20 - 000097792 _____ (Microsoft Corporation) C:\Windows\system32\appidpolicyconverter.exe
2018-12-12 00:25 - 2018-11-11 10:20 - 000050688 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\appid.sys
2018-12-12 00:25 - 2018-11-11 10:20 - 000029696 _____ (Microsoft Corporation) C:\Windows\system32\appidsvc.dll
2018-12-12 00:25 - 2018-11-11 10:20 - 000016896 _____ (Microsoft Corporation) C:\Windows\system32\appidcertstorecheck.exe
2018-12-12 00:25 - 2018-11-11 10:19 - 000050176 _____ (Microsoft Corporation) C:\Windows\system32\auditpol.exe
2018-12-12 00:25 - 2018-11-11 10:17 - 000262656 _____ (Microsoft Corporation) C:\Windows\system32\rstrui.exe
2018-12-12 00:25 - 2018-11-11 10:17 - 000107008 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\videoprt.sys
2018-12-12 00:25 - 2018-11-11 10:15 - 000226304 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\mrxsmb10.sys
2018-12-12 00:25 - 2018-11-11 10:14 - 000125952 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\mrxsmb.sys
2018-12-12 00:25 - 2018-11-11 10:14 - 000098816 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\mrxsmb20.sys
2018-12-12 00:25 - 2018-11-11 10:14 - 000069632 _____ (Microsoft Corporation) C:\Windows\system32\smss.exe
2018-12-12 00:25 - 2018-11-11 10:14 - 000036352 _____ (Microsoft Corporation) C:\Windows\system32\cryptbase.dll
2018-12-12 00:25 - 2018-11-11 10:14 - 000022016 _____ (Microsoft Corporation) C:\Windows\system32\lsass.exe
2018-12-12 00:25 - 2018-11-11 10:14 - 000015872 _____ (Microsoft Corporation) C:\Windows\system32\sspisrv.dll
2018-12-12 00:25 - 2018-11-11 10:13 - 000055296 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\amdk8.sys
2018-12-12 00:25 - 2018-11-11 10:13 - 000053760 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\intelppm.sys
2018-12-12 00:25 - 2018-11-11 10:13 - 000053248 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\viac7.sys
2018-12-12 00:25 - 2018-11-11 10:13 - 000052736 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\amdppm.sys
2018-12-12 00:25 - 2018-11-11 10:13 - 000052224 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\processr.sys
2018-12-12 00:25 - 2018-11-08 10:43 - 001391104 _____ (Microsoft Corporation) C:\Windows\system32\msxml6.dll
2018-12-12 00:25 - 2018-11-08 10:43 - 001241088 _____ (Microsoft Corporation) C:\Windows\system32\msxml3.dll
2018-12-12 00:25 - 2018-11-08 10:43 - 000002048 _____ (Microsoft Corporation) C:\Windows\system32\msxml6r.dll
2018-12-12 00:25 - 2018-11-08 10:43 - 000002048 _____ (Microsoft Corporation) C:\Windows\system32\msxml3r.dll
2018-12-12 00:25 - 2018-11-05 22:20 - 000002048 _____ (Microsoft Corporation) C:\Windows\system32\tzres.dll
2018-12-12 00:25 - 2018-10-06 09:50 - 000309480 _____ (Adobe Systems Incorporated) C:\Windows\system32\atmfd.dll
2018-12-12 00:25 - 2018-10-06 09:44 - 000111616 _____ (Microsoft Corporation) C:\Windows\system32\t2embed.dll
2018-12-12 00:25 - 2018-10-06 09:43 - 000071680 _____ (Microsoft Corporation) C:\Windows\system32\fontsub.dll
2018-12-12 00:25 - 2018-10-06 09:43 - 000026112 _____ (Microsoft Corporation) C:\Windows\system32\lpk.dll
2018-12-12 00:25 - 2018-10-06 09:43 - 000010240 _____ (Microsoft Corporation) C:\Windows\system32\dciman32.dll
2018-12-12 00:25 - 2018-10-06 09:16 - 000034304 _____ (Adobe Systems) C:\Windows\system32\atmlib.dll
2018-12-09 13:05 - 2018-12-09 13:15 - 000842240 _____ (Adobe Systems Incorporated) C:\Windows\system32\FlashPlayerApp.exe
2018-12-09 13:05 - 2018-12-09 13:15 - 000175104 _____ (Adobe Systems Incorporated) C:\Windows\system32\FlashPlayerCPLApp.cpl
2018-12-09 13:05 - 2018-12-09 13:15 - 000000000 ____D C:\Windows\system32\Macromed
2018-12-09 13:05 - 2018-12-09 13:05 - 000000000 ____D C:\Users\Eric\AppData\Roaming\Macromedia
2018-12-09 13:04 - 2018-12-09 13:15 - 000000000 ____D C:\Users\Eric\AppData\Local\Adobe
2018-12-05 05:40 - 2018-12-12 03:28 - 000269440 _____ C:\Windows\system32\FNTCACHE.DAT

==================== One Month Modified files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2018-12-20 17:55 - 2009-07-13 22:34 - 000014032 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2018-12-20 17:55 - 2009-07-13 22:34 - 000014032 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2018-12-20 17:46 - 2018-10-27 07:41 - 000000000 ____D C:\Program Files\Spybot - Search & Destroy 2
2018-12-20 17:46 - 2009-07-13 22:53 - 000000006 ____H C:\Windows\Tasks\SA.DAT
2018-12-20 17:44 - 2018-10-28 14:23 - 000861668 _____ C:\Windows\ntbtlog.txt
2018-12-20 04:07 - 2009-07-13 20:37 - 000000000 ____D C:\Windows\rescache
2018-12-19 22:46 - 2009-07-13 20:37 - 000000000 ____D C:\Windows\inf
2018-12-19 22:15 - 2018-10-25 20:37 - 000000000 ___HD C:\Program Files\InstallShield Installation Information
2018-12-19 21:59 - 2009-07-13 20:37 - 000000000 ____D C:\PerfLogs
2018-12-19 21:37 - 2018-10-27 07:41 - 000000000 ____D C:\ProgramData\Spybot - Search & Destroy
2018-12-12 03:34 - 2018-10-25 19:09 - 000781298 _____ C:\Windows\system32\PerfStringBackup.INI
2018-12-12 03:08 - 2018-10-25 18:29 - 000000000 ____D C:\Windows\system32\MRT
2018-12-12 03:05 - 2018-10-25 18:29 - 134209608 ____C (Microsoft Corporation) C:\Windows\system32\MRT.exe
2018-12-10 16:04 - 2018-10-25 18:24 - 000499424 ____N (Microsoft Corporation) C:\Windows\system32\MpSigStub.exe
2018-12-09 17:47 - 2009-07-13 20:04 - 000454774 ____R C:\Windows\system32\Drivers\etc\hosts.20181219-213350.backup
2018-11-26 01:36 - 2018-10-26 17:20 - 000000000 _____ C:\Windows\system32\SpyWareFolderstoFilter.txt

==================== Bamital & volsnap ======================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\explorer.exe => File is digitally signed
C:\Windows\system32\winlogon.exe => File is digitally signed
C:\Windows\system32\wininit.exe => File is digitally signed
C:\Windows\system32\svchost.exe => File is digitally signed
C:\Windows\system32\services.exe => File is digitally signed
C:\Windows\system32\User32.dll => File is digitally signed
C:\Windows\system32\userinit.exe => File is digitally signed
C:\Windows\system32\rpcss.dll => File is digitally signed
C:\Windows\system32\dnsapi.dll => File is digitally signed
C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed

LastRegBack: 2018-12-14 00:16

==================== End of FRST.txt ============================

Additional scan result of Farbar Recovery Scan Tool (x86) Version: 20.12.2018
Ran by Eric (20-12-2018 18:34:58)
Running from C:\Users\Eric\Desktop
Microsoft Windows 7 Professional Service Pack 1 (X86) (2018-10-25 23:35:18)
Boot Mode: Normal
==========================================================


==================== Accounts: =============================

Administrator (S-1-5-21-176189476-422782663-3432535527-500 - Administrator - Disabled)
Eric (S-1-5-21-176189476-422782663-3432535527-1000 - Administrator - Enabled) => C:\Users\Eric
Guest (S-1-5-21-176189476-422782663-3432535527-501 - Limited - Disabled)
HomeGroupUser$ (S-1-5-21-176189476-422782663-3432535527-1002 - Limited - Enabled)

==================== Security Center ========================

(If an entry is included in the fixlist, it will be removed.)

AV: Microsoft Security Essentials (Enabled - Up to date) {71A27EC9-3DA6-45FC-60A7-004F623C6189}
AS: Spybot - Search and Destroy (Disabled - Out of date) {4C1D9672-63FE-5C90-371E-8FDA591C5B75}
AS: Microsoft Security Essentials (Enabled - Up to date) {CAC39F2D-1B9C-4A72-5A17-3B3D19BB2B34}
AS: Windows Defender (Disabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

==================== Installed Programs ======================

(Only the adware programs with "Hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)

Adobe Flash Player 32 NPAPI (HKLM\...\Adobe Flash Player NPAPI) (Version: 32.0.0.101 - Adobe Systems Incorporated)
Apple Application Support (32-bit) (HKLM\...\{80B42CAA-28C0-4FBD-A46E-D61F45E2F9FC}) (Version: 7.2 - Apple Inc.)
Apple Mobile Device Support (HKLM\...\{ABDE67C4-5876-4CDB-82A9-0CBACECC1C4A}) (Version: 12.1.0.25 - Apple Inc.)
Apple Software Update (HKLM\...\{A30EA700-5515-48F0-88B0-9E99DC356B88}) (Version: 2.6.0.1 - Apple Inc.)
Bonjour (HKLM\...\{D168AAD0-6686-47C1-B599-CDD4888B9D1A}) (Version: 3.1.0.1 - Apple Inc.)
Cisco EAP-FAST Module (HKLM\...\{64BF0187-F3D2-498B-99EA-163AF9AE6EC9}) (Version: 2.2.14 - Cisco Systems, Inc.)
Cisco LEAP Module (HKLM\...\{51C7AD07-C3F6-4635-8E8A-231306D810FE}) (Version: 1.0.19 - Cisco Systems, Inc.)
Cisco PEAP Module (HKLM\...\{ED5776D5-59B4-46B7-AF81-5F2D94D7C640}) (Version: 1.1.6 - Cisco Systems, Inc.)
Dell ControlVault Host Components Installer (HKLM\...\{718A9DB6-1B7D-4E40-AD74-E19FDAA8AFD5}) (Version: 2.2.509.141 - Broadcom Corporation)
Dell SupportAssist (HKLM\...\{5A18ABE3-52D1-4CA5-9169-25EC7E789582}) (Version: 3.0.2.48 - Dell Inc.)
Dell Touchpad (HKLM\...\{9F72EF8B-AEC9-4CA5-B483-143980AFD6FD}) (Version: 8.1200.101.127 - ALPS ELECTRIC CO., LTD.)
DW WLAN Card Utility (HKLM\...\DW WLAN Card Utility) (Version: 5.60.48.35 - Dell Inc.)
Intel(R) Network Connections Drivers (HKLM\...\PROSet) (Version: 14.8 - Intel)
Intel(R) Processor Graphics (HKLM\...\{F0E3AD40-2BBD-4360-9C76-B9AC9A5886EA}) (Version: 8.15.10.2993 - Intel Corporation)
iTunes (HKLM\...\{E9B408B4-59AE-4757-9054-8DD4A5768E5D}) (Version: 12.9.2.6 - Apple Inc.)
Malwarebytes version 3.6.1.2711 (HKLM\...\{35065F43-4BB2-439A-BFF7-0F1014F2E0CD}_is1) (Version: 3.6.1.2711 - Malwarebytes)
Microsoft .NET Framework 4.7.2 (HKLM\...\{92FB6C44-E685-45AD-9B20-CADF4CABA132} - 1033) (Version: 4.7.03062 - Microsoft Corporation)
Microsoft Security Essentials (HKLM\...\Microsoft Security Client) (Version: 4.10.209.0 - Microsoft Corporation)
Microsoft Silverlight (HKLM\...\{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}) (Version: 5.1.50907.0 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17 (HKLM\...\{9A25302D-30C0-39D9-BD6F-21E6EC160475}) (Version: 9.0.30729 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (HKLM\...\{9BE518E6-ECC6-35A9-88E4-87755C07200F}) (Version: 9.0.30729.6161 - Microsoft Corporation)
Ralink RT2870 Wireless LAN Card (HKLM\...\{28DA7D8B-F9A4-4F18-8AA0-551B1E084D0D}) (Version: 1.5.24.0 - Ralink)
Spybot - Search & Destroy (HKLM\...\{B4092C6D-E886-4CB2-BA68-FE5A99D31DE7}_is1) (Version: 2.7.64.0 - Safer-Networking Ltd.)
ST Microelectronics 3 Axis Digital Accelerometer Solution (HKLM\...\{9C24F411-9CA7-4A8A-91F3-F08A4A38EB31}) (Version: 4.11.0067 - ST Microelectronics)
Tweaking.com - Registry Backup (HKLM\...\Tweaking.com - Registry Backup) (Version: 3.5.3 - Tweaking.com)

==================== Custom CLSID (Whitelisted): ==========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

ContextMenuHandlers1: [EPP] -> {09A47860-11B0-4DA5-AFA5-26D86198A780} => c:\Program Files\Microsoft Security Client\shellext.dll [2016-11-14] (Microsoft Corporation)
ContextMenuHandlers1: [SDECon32] -> {44176360-2BBF-4EC1-93CE-384B8681A0BC} => C:\Program Files\Spybot - Search & Destroy 2\SDECon32.dll [2018-02-06] (Safer-Networking Ltd.)
ContextMenuHandlers2: [EPP] -> {09A47860-11B0-4DA5-AFA5-26D86198A780} => c:\Program Files\Microsoft Security Client\shellext.dll [2016-11-14] (Microsoft Corporation)
ContextMenuHandlers3: [MBAMShlExt] -> {57CE581A-0CB6-4266-9CA0-19364C90A0B3} => C:\Program Files\Malwarebytes\Anti-Malware\mbshlext.dll [2018-09-19] (Malwarebytes)
ContextMenuHandlers4: [EPP] -> {09A47860-11B0-4DA5-AFA5-26D86198A780} => c:\Program Files\Microsoft Security Client\shellext.dll [2016-11-14] (Microsoft Corporation)
ContextMenuHandlers5: [igfxcui] -> {3AB1675A-CCFF-11D2-8B20-00A0C93CB1F4} => C:\Windows\system32\igfxpph.dll [2013-02-01] (Intel Corporation)
ContextMenuHandlers6: [MBAMShlExt] -> {57CE581A-0CB6-4266-9CA0-19364C90A0B3} => C:\Program Files\Malwarebytes\Anti-Malware\mbshlext.dll [2018-09-19] (Malwarebytes)
ContextMenuHandlers6: [SDECon32] -> {44176360-2BBF-4EC1-93CE-384B8681A0BC} => C:\Program Files\Spybot - Search & Destroy 2\SDECon32.dll [2018-02-06] (Safer-Networking Ltd.)

==================== Scheduled Tasks (Whitelisted) =============

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

Task: {036B5D03-2569-4677-B4D2-B77EA1F60156} - System32\Tasks\Safer-Networking\Spybot - Search and Destroy\Refresh immunization => C:\Program Files\Spybot - Search & Destroy 2\SDImmunize.exe [2018-04-20] (Safer-Networking Ltd.)
Task: {27996A72-3141-418F-9692-26E7DA846D94} - System32\Tasks\{6611DC6A-69C3-4005-A145-DB734DA6494A} => C:\Windows\system32\pcalua.exe -a "C:\Program Files\Dell\SupportAssistAgent\bin\SupportAssistInstaller.exe" -c launchui
Task: {349E65C3-7AAD-42CF-B63C-F85ADF906B78} - System32\Tasks\Adobe Flash Player NPAPI Notifier => C:\Windows\system32\Macromed\Flash\FlashUtil32_32_0_0_101_Plugin.exe [2018-12-09] (Adobe Systems Incorporated)
Task: {5338BC77-FEC1-4CAE-A26C-33B2E35D0BD9} - System32\Tasks\Microsoft\Microsoft Antimalware\Microsoft Antimalware Scheduled Scan => c:\Program Files\Microsoft Security Client\\MpCmdRun.exe [2016-11-14] (Microsoft Corporation)
Task: {80350217-0A1D-4DD0-9B48-FC722D839B12} - System32\Tasks\Safer-Networking\Spybot - Search and Destroy\Check for updates => C:\Program Files\Spybot - Search & Destroy 2\SDUpdate.exe [2018-04-20] (Safer-Networking Ltd.)
Task: {B4178062-61C8-4562-A3F9-73C5B2E369F0} - System32\Tasks\Safer-Networking\Spybot - Search and Destroy\Scan the system => C:\Program Files\Spybot - Search & Destroy 2\SDScan.exe [2018-04-20] (Safer-Networking Ltd.)
Task: {E8345A4C-00BD-4AF4-A49F-91E2DC146AC5} - System32\Tasks\Apple\AppleSoftwareUpdate => C:\Program Files\Apple Software Update\SoftwareUpdate.exe [2018-01-08] (Apple Inc.)
Task: {EAA6EA38-CD1E-41AB-B22D-42C8362A2593} - System32\Tasks\Dell SupportAssistAgent AutoUpdate => C:\Program Files\Dell\SupportAssistAgent\bin\SupportAssistInstaller.exe [2018-10-25] (Dell Inc.)
Task: {F858A576-13D3-4B70-9BF6-91BA8335FE00} - System32\Tasks\Microsoft\Windows\Setup\EOSNotify => C:\Windows\system32\EOSNotify.exe [2016-06-25] (Microsoft Corporation)

(If an entry is included in the fixlist, the task (.job) file will be moved. The file which is running by the task will not be moved.)


==================== Shortcuts & WMI ========================

(The entries could be listed to be restored or removed.)


==================== Loaded Modules (Whitelisted) ==============

2018-11-01 05:28 - 2018-11-01 05:28 - 001042744 _____ () C:\Program Files\Common Files\Apple\Apple Application Support\libxml2.dll
2018-10-21 01:17 - 2018-10-21 01:17 - 000076088 _____ () C:\Program Files\Common Files\Apple\Apple Application Support\zlib1.dll
2012-01-10 20:12 - 2012-01-10 20:12 - 000094208 _____ () C:\Windows\System32\IccLibDll.dll
2018-11-29 13:42 - 2018-11-29 13:42 - 001042744 _____ () C:\Program Files\iTunes\libxml2.dll
2018-11-29 13:42 - 2018-11-29 13:42 - 000076088 _____ () C:\Program Files\iTunes\zlib1.dll
2018-10-27 07:48 - 2018-10-28 13:13 - 002225368 _____ () C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\SelfProtectionSdk.dll
2018-10-31 10:36 - 2018-10-31 10:36 - 002014024 _____ () C:\Program Files\Dell\SupportAssistAgent\PCDr\SupportAssist\6.0.6992.1382\libprotobuf.dll

==================== Alternate Data Streams (Whitelisted) =========

(If an entry is included in the fixlist, only the ADS will be removed.)


==================== Safe Mode (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The "AlternateShell" value will be restored.)

HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MBAMService => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\MBAMService => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\Wdf01000.sys => ""="Driver"

==================== Association (Whitelisted) ===============

(If an entry is included in the fixlist, the registry item will be restored to default or removed.)


==================== Internet Explorer trusted/restricted ===============

(If an entry is included in the fixlist, it will be removed from the registry.)

IE trusted site: HKU\.DEFAULT\...\dell.com -> dell.com
IE restricted site: HKU\.DEFAULT\...\007guard.com -> install.007guard.com
IE restricted site: HKU\.DEFAULT\...\008i.com -> 008i.com
IE restricted site: HKU\.DEFAULT\...\008k.com -> www.008k.com
IE restricted site: HKU\.DEFAULT\...\00hq.com -> www.00hq.com
IE restricted site: HKU\.DEFAULT\...\010402.com -> 010402.com
IE restricted site: HKU\.DEFAULT\...\032439.com -> 80gw6ry3i3x3qbrkwhxhw.032439.com
IE restricted site: HKU\.DEFAULT\...\0scan.com -> www.0scan.com
IE restricted site: HKU\.DEFAULT\...\1-2005-search.com -> www.1-2005-search.com
IE restricted site: HKU\.DEFAULT\...\1-domains-registrations.com -> www.1-domains-registrations.com
IE restricted site: HKU\.DEFAULT\...\1000gratisproben.com -> www.1000gratisproben.com
IE restricted site: HKU\.DEFAULT\...\1001namen.com -> www.1001namen.com
IE restricted site: HKU\.DEFAULT\...\100888290cs.com -> mir.100888290cs.com
IE restricted site: HKU\.DEFAULT\...\100sexlinks.com -> www.100sexlinks.com
IE restricted site: HKU\.DEFAULT\...\10sek.com -> www.10sek.com
IE restricted site: HKU\.DEFAULT\...\12-26.net -> user1.12-26.net
IE restricted site: HKU\.DEFAULT\...\12-27.net -> user1.12-27.net
IE restricted site: HKU\.DEFAULT\...\123fporn.info -> www.123fporn.info
IE restricted site: HKU\.DEFAULT\...\123haustiereundmehr.com -> www.123haustiereundmehr.com
IE restricted site: HKU\.DEFAULT\...\123moviedownload.com -> www.123moviedownload.com
IE restricted site: HKU\.DEFAULT\...\123simsen.com -> www.123simsen.com

There are 7943 more sites.

IE restricted site: HKU\S-1-5-21-176189476-422782663-3432535527-1000\...\007guard.com -> install.007guard.com
IE restricted site: HKU\S-1-5-21-176189476-422782663-3432535527-1000\...\008i.com -> 008i.com
IE restricted site: HKU\S-1-5-21-176189476-422782663-3432535527-1000\...\008k.com -> www.008k.com
IE restricted site: HKU\S-1-5-21-176189476-422782663-3432535527-1000\...\00hq.com -> www.00hq.com
IE restricted site: HKU\S-1-5-21-176189476-422782663-3432535527-1000\...\010402.com -> 010402.com
IE restricted site: HKU\S-1-5-21-176189476-422782663-3432535527-1000\...\032439.com -> 80gw6ry3i3x3qbrkwhxhw.032439.com
IE restricted site: HKU\S-1-5-21-176189476-422782663-3432535527-1000\...\0scan.com -> www.0scan.com
IE restricted site: HKU\S-1-5-21-176189476-422782663-3432535527-1000\...\1-2005-search.com -> www.1-2005-search.com
IE restricted site: HKU\S-1-5-21-176189476-422782663-3432535527-1000\...\1-domains-registrations.com -> www.1-domains-registrations.com
IE restricted site: HKU\S-1-5-21-176189476-422782663-3432535527-1000\...\1000gratisproben.com -> www.1000gratisproben.com
IE restricted site: HKU\S-1-5-21-176189476-422782663-3432535527-1000\...\1001namen.com -> www.1001namen.com
IE restricted site: HKU\S-1-5-21-176189476-422782663-3432535527-1000\...\100888290cs.com -> mir.100888290cs.com
IE restricted site: HKU\S-1-5-21-176189476-422782663-3432535527-1000\...\100sexlinks.com -> www.100sexlinks.com
IE restricted site: HKU\S-1-5-21-176189476-422782663-3432535527-1000\...\10sek.com -> www.10sek.com
IE restricted site: HKU\S-1-5-21-176189476-422782663-3432535527-1000\...\12-26.net -> user1.12-26.net
IE restricted site: HKU\S-1-5-21-176189476-422782663-3432535527-1000\...\12-27.net -> user1.12-27.net
IE restricted site: HKU\S-1-5-21-176189476-422782663-3432535527-1000\...\123fporn.info -> www.123fporn.info
IE restricted site: HKU\S-1-5-21-176189476-422782663-3432535527-1000\...\123haustiereundmehr.com -> www.123haustiereundmehr.com
IE restricted site: HKU\S-1-5-21-176189476-422782663-3432535527-1000\...\123moviedownload.com -> www.123moviedownload.com
IE restricted site: HKU\S-1-5-21-176189476-422782663-3432535527-1000\...\123simsen.com -> www.123simsen.com

There are 7943 more sites.


==================== Hosts content: ==========================

(If needed Hosts: directive could be included in the fixlist to reset Hosts.)

2009-07-13 20:04 - 2018-12-19 21:33 - 000454774 ____R C:\Windows\system32\Drivers\etc\hosts

127.0.0.1 www.007guard.com
127.0.0.1 007guard.com
127.0.0.1 008i.com
127.0.0.1 www.008k.com
127.0.0.1 008k.com
127.0.0.1 www.00hq.com
127.0.0.1 00hq.com
127.0.0.1 010402.com
127.0.0.1 www.032439.com
127.0.0.1 032439.com
127.0.0.1 www.0scan.com
127.0.0.1 0scan.com
127.0.0.1 1000gratisproben.com
127.0.0.1 www.1000gratisproben.com
127.0.0.1 1001namen.com
127.0.0.1 www.1001namen.com
127.0.0.1 100888290cs.com
127.0.0.1 www.100888290cs.com
127.0.0.1 www.100sexlinks.com
127.0.0.1 100sexlinks.com
127.0.0.1 10sek.com
127.0.0.1 www.10sek.com
127.0.0.1 www.1-2005-search.com
127.0.0.1 1-2005-search.com
127.0.0.1 123fporn.info
127.0.0.1 www.123fporn.info
127.0.0.1 www.123haustiereundmehr.com
127.0.0.1 123haustiereundmehr.com
127.0.0.1 123moviedownload.com
127.0.0.1 www.123moviedownload.com

There are 15610 more lines.


==================== Other Areas ============================

(Currently there is no automatic fix for this section.)

HKU\S-1-5-21-176189476-422782663-3432535527-1000\Control Panel\Desktop\\Wallpaper -> C:\Users\Eric\AppData\Roaming\Microsoft\Windows\Themes\TranscodedWallpaper.jpg
DNS Servers: 75.75.75.75 - 75.75.76.76
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System => (ConsentPromptBehaviorAdmin: 5) (ConsentPromptBehaviorUser: 3) (EnableLUA: 1)
Windows Firewall is enabled.

==================== MSCONFIG/TASK MANAGER disabled items ==

If an entry is included in the fixlist, it will be removed.


==================== FirewallRules (Whitelisted) ===============

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

FirewallRules: [SPPSVC-In-TCP] => (Allow) %SystemRoot%\system32\sppsvc.exe
FirewallRules: [SPPSVC-In-TCP-NoScope] => (Allow) %SystemRoot%\system32\sppsvc.exe
FirewallRules: [{C4248880-2FBE-4C65-BED6-5871FAB21BB6}] => (Allow) C:\Windows\Microsoft.NET\Framework\v4.0.30319\SMSvcHost.exe
FirewallRules: [{CE77FDC7-76BF-42A4-AAE9-53AABBF7822A}] => (Allow) C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe
FirewallRules: [{5822ED7D-134C-4890-B9BB-68A7B9A7B099}] => (Allow) C:\Program Files\Bonjour\mDNSResponder.exe
FirewallRules: [{4FEAF54D-904A-4EFA-B5C7-F06E5A7DF2EF}] => (Allow) C:\Program Files\Bonjour\mDNSResponder.exe
FirewallRules: [{CF355582-AA6A-4476-A5A8-A33E212A11DC}] => (Allow) C:\Program Files\iTunes\iTunes.exe
StandardProfile\AuthorizedApplications: [C:\Program Files\Spybot - Search & Destroy 2\SDTray.exe] => Enabled:Spybot - Search & Destroy tray access
StandardProfile\AuthorizedApplications: [C:\Program Files\Spybot - Search & Destroy 2\SDFSSvc.exe] => Enabled:Spybot-S&D 2 Scanner Service
StandardProfile\AuthorizedApplications: [C:\Program Files\Spybot - Search & Destroy 2\SDUpdate.exe] => Enabled:Spybot-S&D 2 Updater
StandardProfile\AuthorizedApplications: [C:\Program Files\Spybot - Search & Destroy 2\SDUpdSvc.exe] => Enabled:Spybot-S&D 2 Background update service

==================== Restore Points =========================

11-12-2018 05:58:46 Windows Update
12-12-2018 03:00:13 Windows Update
15-12-2018 07:36:23 Windows Update
18-12-2018 22:04:01 Windows Update
19-12-2018 22:15:05 Installed ST Microelectronics 3 Axis Digital Accelerometer Solution
19-12-2018 22:45:01 Installed Dell ControlVault Host Components Installer.
20-12-2018 03:00:25 Windows Update

==================== Faulty Device Manager Devices =============


==================== Event log errors: =========================

Application errors:
==================
Error: (12/20/2018 05:11:08 PM) (Source: Application Hang) (EventID: 1002) (User: )
Description: The program iexplore.exe version 11.0.9600.19230 stopped interacting with Windows and was closed. To see if more information about the problem is available, check the problem history in the Action Center control panel.

Process ID: e94

Start Time: 01d4988400a6df19

Termination Time: 0

Application Path: C:\Program Files\Internet Explorer\iexplore.exe

Report Id:

Error: (12/19/2018 10:43:22 PM) (Source: Dell System Detect) (EventID: 0) (User: )
Description: <Exception><Message>FileDialog returned path: C:\Users\Eric\Desktop</Message><SysInfo STag="8PLCRM1" SMBIOSMajVer="2" SMBIOSMinVer="6" SMBIOSBIOSVer="A17" SMBIOSPresent="True" Rel_Date="20170512000000.000000+000" DSDVersion="" Vendor="Dell Inc." PName="Latitude E6410" Ident_Num="ERIC-PC" TimeZone="(UTC-06:00) Central Time (US & Canada)" OSName="Microsoft Windows 7 Professional"/><HostIP>10.0.0.169</HostIP></Exception>

Error: (12/19/2018 10:43:13 PM) (Source: Dell System Detect) (EventID: 0) (User: )
Description: <Exception><Message>FileDialog Started</Message><SysInfo STag="8PLCRM1" SMBIOSMajVer="2" SMBIOSMinVer="6" SMBIOSBIOSVer="A17" SMBIOSPresent="True" Rel_Date="20170512000000.000000+000" DSDVersion="" Vendor="Dell Inc." PName="Latitude E6410" Ident_Num="ERIC-PC" TimeZone="(UTC-06:00) Central Time (US & Canada)" OSName="Microsoft Windows 7 Professional"/><HostIP>10.0.0.169</HostIP></Exception>

Error: (12/19/2018 08:53:55 PM) (Source: SupportAssistAgent) (EventID: 0) (User: )
Description: An exception occurred in session change of service start: System.Reflection.TargetInvocationException: Exception has been thrown by the target of an invocation. ---> System.TypeLoadException: Could not find Windows Runtime type 'Windows.UI.Notifications.ToastNotificationManager'. ---> System.PlatformNotSupportedException: Operation is not supported on this platform.
--- End of inner exception stack trace ---
at Dell.Services.SupportAssist.Notification.Command.NotificationCommand.<DeleteNotificationWhileUninstall>d__23.MoveNext()
at System.Runtime.CompilerServices.AsyncTaskMethodBuilder.Start[TStateMachine](TStateMachine& stateMachine)
at Dell.Services.SupportAssist.Notification.Command.NotificationCommand.DeleteNotificationWhileUninstall()
at Dell.Services.SupportAssist.Notification.Command.NotificationCommand.ShowNotificationsOnSessionUnlock(SessionChangeDescription changeDescription)
at Dell.Services.SupportAssist.Notification.NotificationManager.ShowNotificationsOnSessionUnlock(SessionChangeDescription changeDescription)
at Dell.Services.SupportAssist.SupportAssistAgentCore.SupportAssistProcessor.ShowNotificationsOnSessionUnlock(SessionChangeDescription changeDescription)
at Dell.Services.SupportAssist.Bootstrapper.BootStrapper.SessionChangeAction(SessionChangeDescription changeDescription)
--- End of inner exception stack trace ---
at System.RuntimeMethodHandle.InvokeMethod(Object target, Object[] arguments, Signature sig, Boolean constructor)
at System.Reflection.RuntimeMethodInfo.UnsafeInvokeInternal(Object obj, Object[] parameters, Object[] arguments)
at System.Reflection.RuntimeMethodInfo.Invoke(Object obj, BindingFlags invokeAttr, Binder binder, Object[] parameters, CultureInfo culture)
at Dell.Services.SupportAssist.SupportAssistAgent.BootStrapperMinimized.SessionChangeAction(SessionChangeDescription changeDescription)
at Dell.Services.SupportAssist.SupportAssistAgent.SupportAssistAgent.OnSessionChange(SessionChangeDescription changeDescription)

Error: (12/19/2018 08:27:36 PM) (Source: Windows Search Service) (EventID: 3084) (User: )
Description: Failed to load protocol handler File. Error description: (HRESULT : 0x80041501).

Error: (12/19/2018 08:26:54 PM) (Source: Desktop Window Manager) (EventID: 9020) (User: )
Description: The Desktop Window Manager has encountered a fatal error (0x8007000e)

Error: (12/19/2018 01:28:20 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: SDUpdate.exe, version: 2.7.64.98, time stamp: 0x5ad9aa54
Faulting module name: KERNELBASE.dll, version: 6.1.7601.24291, time stamp: 0x5be78231
Exception code: 0x0eedfade
Fault offset: 0x0000845d
Faulting process id: 0x38c
Faulting application start time: 0x01d497d0f472e1fa
Faulting application path: C:\Program Files\Spybot - Search & Destroy 2\SDUpdate.exe
Faulting module path: C:\Windows\system32\KERNELBASE.dll
Report Id: 3d6fafff-03c4-11e9-b92f-0026b9ded3d5

Error: (12/15/2018 08:59:16 AM) (Source: ESENT) (EventID: 482) (User: )
Description: taskhost (2796) WebCacheLocal: An attempt to write to the file "C:\Users\Eric\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.dat" at offset 4521984 (0x0000000000450000) for 32768 (0x00008000) bytes failed after 0 seconds with system error 8 (0x00000008): "Not enough storage is available to process this command. ". The write operation will fail with error -1011 (0xfffffc0d). If this error persists then the file may be damaged and may need to be restored from a previous backup.


System errors:
=============
Error: (12/20/2018 06:33:03 PM) (Source: Disk) (EventID: 7) (User: )
Description: The device, \Device\Harddisk0\DR0, has a bad block.

Error: (12/20/2018 06:33:00 PM) (Source: Disk) (EventID: 7) (User: )
Description: The device, \Device\Harddisk0\DR0, has a bad block.

Error: (12/20/2018 06:32:58 PM) (Source: Disk) (EventID: 7) (User: )
Description: The device, \Device\Harddisk0\DR0, has a bad block.

Error: (12/20/2018 06:32:55 PM) (Source: Disk) (EventID: 7) (User: )
Description: The device, \Device\Harddisk0\DR0, has a bad block.

Error: (12/20/2018 06:32:53 PM) (Source: Disk) (EventID: 7) (User: )
Description: The device, \Device\Harddisk0\DR0, has a bad block.

Error: (12/20/2018 06:32:50 PM) (Source: Disk) (EventID: 7) (User: )
Description: The device, \Device\Harddisk0\DR0, has a bad block.

Error: (12/20/2018 06:32:48 PM) (Source: Disk) (EventID: 7) (User: )
Description: The device, \Device\Harddisk0\DR0, has a bad block.

Error: (12/20/2018 06:32:45 PM) (Source: Disk) (EventID: 7) (User: )
Description: The device, \Device\Harddisk0\DR0, has a bad block.


==================== Memory info ===========================

Processor: Intel(R) Core(TM) i5 CPU M 520 @ 2.40GHz
Percentage of memory in use: 43%
Total physical RAM: 3509.86 MB
Available physical RAM: 1981.59 MB
Total Virtual: 7018.09 MB
Available Virtual: 4710.43 MB

==================== Drives ================================

Drive c: () (Fixed) (Total:149.01 GB) (Free:109.05 GB) NTFS ==>[drive with boot components (obtained from BCD)]


==================== MBR & Partition Table ==================

========================================================
Disk: 0 (MBR Code: Windows 7/8/10) (Size: 149.1 GB) (Disk ID: 8958630B)
Partition 1: (Not Active) - (Size=39 MB) - (Type=DE)
Partition 2: (Active) - (Size=149 GB) - (Type=07 NTFS)

==================== End of Addition.txt ============================

aswMBR version 1.0.1.2252 Copyright(c) 2014 AVAST Software
Run date: 2018-12-20 18:40:07
-----------------------------
18:40:07.426 OS Version: Windows 6.1.7601 Service Pack 1
18:40:07.426 Number of processors: 4 586 0x2502
18:40:07.426 ComputerName: ERIC-PC UserName: Eric
18:40:40.373 Initialize success
18:40:40.451 VM: initialized successfully
18:40:40.467 VM: Intel CPU supported
18:40:46.843 VM: disk I/O atapi.sys
18:43:20.856 AVAST engine defs: 17030301
18:43:32.964 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0
18:43:32.979 Disk 0 Vendor: ST9160314AS D005DEM1 Size: 152627MB BusType: 3
18:43:33.151 Disk 0 MBR read successfully
18:43:33.167 Disk 0 MBR scan
18:43:33.229 Disk 0 Windows 7 default MBR code
18:43:33.229 Disk 0 Partition 1 00 DE Dell Utility Dell 8.0 39 MB offset 63
18:43:33.354 Disk 0 Partition 2 80 (A) 07 HPFS/NTFS NTFS 152586 MB offset 80325
18:43:33.354 Disk 0 default boot code
18:43:33.401 Disk 0 scanning sectors +312576705
18:43:33.775 Disk 0 scanning C:\Windows\system32\drivers
18:43:58.298 Service scanning
18:44:41.354 Modules scanning
18:44:41.354 Disk 0 trace - called modules:
18:44:41.385 ntkrnlpa.exe CLASSPNP.SYS disk.sys stdcfltn.sys ataport.SYS halmacpi.dll pciide.sys PCIIDEX.SYS atapi.sys
18:44:41.401 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x865e0440]
18:44:41.401 3 CLASSPNP.SYS[8c00459e] -> nt!IofCallDriver -> [0x865e0a28]
18:44:41.417 5 stdcfltn.sys[8c5f18a4] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-0[0x856ec908]
18:44:42.181 AVAST engine scan C:\Windows
18:44:44.911 AVAST engine scan C:\Windows\system32
18:45:15.752 File: C:\Windows\system32\csrsrv.dll **INFECTED** Win32:Aluroot-B [Rtk]
18:51:07.308 AVAST engine scan C:\Windows\system32\drivers
18:51:30.474 AVAST engine scan C:\Users\Eric
18:53:02.065 AVAST engine scan C:\ProgramData
18:55:21.123 Disk 0 statistics 2366704/0/0 @ 3.74 MB/s
18:55:21.139 Scan finished successfully
18:55:36.240 Disk 0 MBR has been saved successfully to "C:\Users\Eric\Desktop\MBR.dat"
18:55:36.287 The log file has been saved successfully to "C:\Users\Eric\Desktop\aswMBR.txt"
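
Two things in the log above bear on the redirect symptom: a 454 KB hosts file and the 127.0.0.1 lines shown from it. Thousands of loopback entries are what Spybot's immunization writes, and they block rather than redirect; the entry that actually sends a browser somewhere else maps a hostname to a real address. As an added example (not part of the thread, and not Spybot's or FRST's code), the Python below parses a hosts file, separates sinkhole lines from redirect lines, and also flags sinkhole lines aimed at update or security vendors, a trick malware uses to cut off cleanup tools. The sample input reuses the first Spybot lines from the log and adds constructed entries (an RFC 5737 address and a .test domain); the watched-vendor list is an assumption of the example.

```python
"""Triage a Windows hosts file: blocklist entries vs. entries that redirect."""
import ipaddress
import sys
from collections import Counter

# Addresses that sinkhole a name (the request goes nowhere). Spybot's
# immunization writes thousands of 127.0.0.1 lines; that is what the
# 454 KB hosts file in the FRST log consists of.
SINKHOLE_ADDRESSES = {"127.0.0.1", "0.0.0.0", "::1"}

# Names Windows maps to loopback by default; not worth reporting.
SYSTEM_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}

# Vendors whose domains malware likes to sinkhole so updates and cleanup
# tools stop working. Illustrative list, an assumption of this example.
WATCHED_DOMAINS = (
    "microsoft.com", "windowsupdate.com", "malwarebytes.com",
    "adobe.com", "safer-networking.org", "emsisoft.com",
)


def parse_hosts(text):
    """Yield (line_number, ip, hostname) for every mapping in hosts-file text.

    Comments (# ...) and blank lines are skipped; a line with several names
    yields one tuple per name. Lines whose first field is not an IP address
    are ignored rather than guessed at.
    """
    for lineno, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 2:
            continue
        try:
            ip = str(ipaddress.ip_address(fields[0]))
        except ValueError:
            continue
        for name in fields[1:]:
            yield lineno, ip, name.lower()


def classify(ip, name):
    """Return the category of one hosts mapping."""
    if ip in SINKHOLE_ADDRESSES:
        if name in SYSTEM_NAMES:
            return "system"
        if any(name == d or name.endswith("." + d) for d in WATCHED_DOMAINS):
            return "blocked_watched"   # a security/update vendor is being blackholed
        return "sinkhole"              # ordinary blocklist entry
    return "redirect"                  # name is sent to a real address: the hijack pattern


def triage_hosts(text):
    """Count every category and list the entries a human should look at."""
    counts = Counter()
    findings = []
    for lineno, ip, name in parse_hosts(text):
        category = classify(ip, name)
        counts[category] += 1
        if category in ("redirect", "blocked_watched"):
            findings.append({"line": lineno, "category": category,
                             "ip": ip, "hostname": name})
    return {"counts": counts, "findings": findings}


# Constructed sample: the first Spybot lines from the log above, plus two
# invented redirect entries (RFC 5737 address, .test TLD) and one invented
# line that blackholes a vendor domain.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
# Start of entries inserted by Spybot - Search & Destroy
127.0.0.1 www.007guard.com
127.0.0.1 007guard.com
127.0.0.1 008i.com
0.0.0.0 www.008k.com
# constructed entries for this example
203.0.113.10 www.example-bank.test
203.0.113.10 example-bank.test   # inline comment
127.0.0.1 www.malwarebytes.com
"""

if __name__ == "__main__":
    # Pass a hosts file path to check a real system; default is the sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    else:
        text = SAMPLE_HOSTS
    result = triage_hosts(text)
    print("counts:", dict(result["counts"]))
    for f in result["findings"]:
        print(f"line {f['line']}: {f['category']}: {f['ip']} -> {f['hostname']}")
```

Run it with the path to C:\Windows\System32\drivers\etc\hosts to check a live system. Entries that point at private LAN addresses are reported as redirects too; whether those are intentional is a decision for the person reading the output, not the script.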
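
The scheduled-task lines in the FRST log above are the kind of thing a helper reads by hand. As an added example (not part of the thread and not FRST's own code), the Python below parses FRST "Task:" lines and lists the reasons a task deserves a second look: an action that goes through a proxy launcher such as pcalua.exe, a task named only by a GUID, a target FRST could not attribute to a vendor, or a target in a user-writable directory. The sample input reuses three lines from the log and adds one constructed line; the heuristics and the launcher list are this example's assumptions, not a verdict on any task in the log (the pcalua.exe task there points at Dell's own installer).

```python
"""Triage the 'Scheduled Tasks' lines of an FRST Addition.txt."""
import re
import sys

# Windows binaries that run something else on a task's behalf; a task whose
# action is one of these hides the real target in the arguments.
PROXY_LAUNCHERS = {
    "pcalua.exe", "rundll32.exe", "mshta.exe", "wscript.exe", "cscript.exe",
    "powershell.exe", "cmd.exe", "regsvr32.exe", "forfiles.exe",
}

# Directories an ordinary user can write to; installers rarely put task
# targets there, droppers often do. (Assumption of this example.)
USER_WRITABLE = ("\\users\\", "\\appdata\\", "\\temp\\", "\\programdata\\")

TASK_LINE = re.compile(r"^Task: \{(?P<id>[0-9A-Fa-f-]+)\} - (?P<name>.+?) => (?P<action>.+)$")
EXE_PREFIX = re.compile(r'^"?(?P<exe>.+?\.exe)"?(?P<args>.*)$', re.IGNORECASE)
TRAILER = re.compile(r"\s*\[(?P<date>\d{4}-\d{2}-\d{2})\]\s*\((?P<vendor>[^()]+)\)\s*$")
GUID_NAME = re.compile(r"^System32\\Tasks\\\{[0-9A-Fa-f-]+\}$")


def parse_task(line):
    """Split one FRST 'Task:' line into its parts, or return None."""
    m = TASK_LINE.match(line.strip())
    if not m:
        return None
    action = m.group("action")
    date = vendor = None
    t = TRAILER.search(action)          # FRST appends "[date] (Vendor)" when it can read them
    if t:
        date, vendor = t.group("date"), t.group("vendor")
        action = action[: t.start()]
    e = EXE_PREFIX.match(action)        # first .exe is the launcher; the rest are arguments
    exe = e.group("exe") if e else action
    args = e.group("args").strip() if e else ""
    return {"id": m.group("id"), "name": m.group("name"), "exe": exe,
            "args": args, "date": date, "vendor": vendor}


def reasons_to_review(task):
    """Return the reasons a task deserves a closer look (empty list = looks routine)."""
    reasons = []
    basename = task["exe"].replace("/", "\\").rsplit("\\", 1)[-1].lower()
    if basename in PROXY_LAUNCHERS:
        reasons.append(f"proxy launcher {basename}; real target is in the arguments")
    if any(d in task["exe"].lower() for d in USER_WRITABLE):
        reasons.append("target lives in a user-writable directory")
    if task["vendor"] is None:
        reasons.append("FRST shows no vendor/date for the target")
    if GUID_NAME.match(task["name"]):
        reasons.append("task is named only by a GUID")
    return reasons


def triage_tasks(text):
    """Return {task name: reasons} for every task line that raised a reason."""
    flagged = {}
    for line in text.splitlines():
        task = parse_task(line)
        if task is None:
            continue
        why = reasons_to_review(task)
        if why:
            flagged[task["name"]] = why
    return flagged


# Constructed sample: three lines copied from the FRST log above plus one
# invented task (zero GUID, AppData path) to exercise the location check.
SAMPLE_TASKS = r"""Task: {036B5D03-2569-4677-B4D2-B77EA1F60156} - System32\Tasks\Safer-Networking\Spybot - Search and Destroy\Refresh immunization => C:\Program Files\Spybot - Search & Destroy 2\SDImmunize.exe [2018-04-20] (Safer-Networking Ltd.)
Task: {27996A72-3141-418F-9692-26E7DA846D94} - System32\Tasks\{6611DC6A-69C3-4005-A145-DB734DA6494A} => C:\Windows\system32\pcalua.exe -a "C:\Program Files\Dell\SupportAssistAgent\bin\SupportAssistInstaller.exe" -c launchui
Task: {E8345A4C-00BD-4AF4-A49F-91E2DC146AC5} - System32\Tasks\Apple\AppleSoftwareUpdate => C:\Program Files\Apple Software Update\SoftwareUpdate.exe [2018-01-08] (Apple Inc.)
Task: {00000000-0000-0000-0000-000000000000} - System32\Tasks\ExampleUpdater => C:\Users\Eric\AppData\Roaming\ExampleUpdater\updater.exe
"""

if __name__ == "__main__":
    # Pass an Addition.txt path to triage a real log; default is the sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    else:
        text = SAMPLE_TASKS
    for name, why in triage_tasks(text).items():
        print(name)
        for r in why:
            print("   -", r)
```

A flagged task is a prompt to read the arguments and check the target binary, nothing more; the pcalua.exe entry in this log resolves to SupportAssistInstaller.exe under Program Files\Dell, which matches the Dell SupportAssist task listed right after it.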

Juliet
2018-12-21, 19:41
Mostly what I think I saw, might be a false positive.


~~~~~~~~~~~~~~~~~~
AdwCleaner - Fix Mode

Download AdwCleaner (http://www.bleepingcomputer.com/download/adwcleaner/dl/125/) and move it to your Desktop
Right-click on AdwCleaner.exe and select Run as Administrator (for Windows Vista, 7, 8, 8.1 and 10 users)
Accept the EULA (I accept), then click on Scan
Let the scan complete. Once it's done, make sure that every item listed in the different tabs is checked and click on the Clean & Repair button. This will kill all the active processes
Once the cleaning process is complete, AdwCleaner will ask to restart your computer, do it
After the restart, a log will open when logging in. Please copy/paste the content of that log in your next reply


~~~~~~~~~~~~~~~~~~

RogueKiller

Download the right version of RogueKiller (http://www.adlice.com/download/roguekiller/#download) for your Windows version (32 or 64-bit)
Once done, move the executable file to your Desktop, right-click on it and select Run as Administrator (for Windows Vista, 7, 8, 8.1 and 10 users)
Click on the Start Scan button in the right panel, which will bring you to another tab, and click on it again (this time it'll be in the bottom right corner)
Wait for the scan to complete
On completion, the results will be displayed
Check every single entry (threat found), and click on the Remove Selected button
On completion, the results will be displayed. Click on the Open Report button in the bottom left corner, followed by the Open TXT button (also in the bottom left corner)
This will open the report in Notepad. Copy/paste its content in your next reply

created by Aura

Please post these 2 logs when finished.

Blackhawk2
2018-12-22, 00:40
Thanks for the reply Juliet! Here are the results of both scans:

# -------------------------------
# Malwarebytes AdwCleaner 7.2.6.0
# -------------------------------
# Build: 12-18-2018
# Database: 2018-12-21.2 (Cloud)
# Support: https://www.malwarebytes.com/support
#
# -------------------------------
# Mode: Clean
# -------------------------------
# Start: 12-21-2018
# Duration: 00:00:01
# OS: Windows 7 Professional
# Cleaned: 1
# Failed: 0


***** [ Services ] *****

No malicious services cleaned.

***** [ Folders ] *****

No malicious folders cleaned.

***** [ Files ] *****

No malicious files cleaned.

***** [ DLL ] *****

No malicious DLLs cleaned.

***** [ WMI ] *****

No malicious WMI cleaned.

***** [ Shortcuts ] *****

No malicious shortcuts cleaned.

***** [ Tasks ] *****

No malicious tasks cleaned.

***** [ Registry ] *****

Deleted HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\driversupport.com

***** [ Chromium (and derivatives) ] *****

No malicious Chromium entries cleaned.

***** [ Chromium URLs ] *****

No malicious Chromium URLs cleaned.

***** [ Firefox (and derivatives) ] *****

No malicious Firefox entries cleaned.

***** [ Firefox URLs ] *****

No malicious Firefox URLs cleaned.


*************************

[+] Delete Tracing Keys
[+] Reset Winsock

*************************

AdwCleaner[S00].txt - [1335 octets] - [21/12/2018 16:11:59]

########## EOF - C:\AdwCleaner\Logs\AdwCleaner[C00].txt ##########

RogueKiller Anti-Malware V13.0.17.0 [Dec 17 2018] (Free) by Adlice Software
mail : https://adlice.com/contact/
Website : https://adlice.com/download/roguekiller/
Operating System : Windows 7 (6.1.7601 Service Pack 1) 32 bits
Started in : Normal mode
User : Eric [Administrator]
Started from : C:\Program Files\RogueKiller\RogueKiller.exe
Mode : Standard Scan, Delete -- Date : 2018/12/21 16:37:17 (Duration : 00:17:04)

¤¤¤¤¤¤¤¤¤¤¤¤ Delete ¤¤¤¤¤¤¤¤¤¤¤¤
[PUM.StartMenu (Potentially Malicious)] HKEY_USERS\S-1-5-21-176189476-422782663-3432535527-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced|Start_ShowMyGames -- -> Replaced (1)
[PUP.Gen0|PUP.Gen1 (Potentially Malicious)] Uninstall BitGuard.lnk -- %SystemDrive%\$Recycle.Bin\S-1-5-21-176189476-422782663-3432535527-1000\$R921XZV\Quarantine\rQF69AzBla\Uninstall BitGuard.lnk (lnk => C:\ProgramData\BitGuard\2.6.1694.246\{c16c1ccb-7046-4e5c-a2f3-533ad2fec8e8}\uninstall.exe []) -> Deleted

Juliet
2018-12-22, 01:16
Let's check for remnants


Open Malwarebytes Anti-Malware

click the Settings tab, then at the top choose Protection and tick Scan for rootkits.
Click the Dashboard tab, choose Scan, Threat Scan is checked and click Start Scan.
If threats are detected, click the Apply Actions button. You will now be prompted to reboot. Click Yes.
Upon completion of the scan (or after the reboot), click the Reports tab.
Double-click the Scan Log.
At the bottom click Export and choose Text file.

Save the file to your desktop and include its content in your next reply.

You can access the logs by going in the "Reports" tab, clicking on the latest "Scan" entry (the one with detections), then clicking on the "Export" button in the bottom-left corner and select "Copy to clipboard". After that, all you have to do is paste it here

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Emsisoft Emergency Kit - Fix Mode
Follow the instructions below to run a scan using the Emsisoft Emergency Kit.

Download the Emsisoft Emergency Kit (https://www.emsisoft.com/en/software/eek/download/) and execute it. From there, click on the Install button to extract the program in the EEK folder;
Once the extraction is complete, the EEK folder will open. Right-click on start emergency kit scanner.exe and select Run as Administrator (for Windows Vista, 7, 8, 8.1 and 10 users);
EEK will suggest that you run an online update before using the program. Click on Yes to launch it.
After the update, click on Malware Scan under 2. Scan and accept to let EEK detect PUPs (click on Yes).
Once the scan is complete, make sure that every item in the list is checked, and click on the Quarantine selected button;
If it asks you for a reboot to delete some items, click on Ok to reboot automatically;
After the restart, open EEK again (in the C:\EEK folder);
This time, click on Logs;
From there, go under the Quarantine Log tab, and click on the Export button;
Save the log on your desktop, then open it, and copy/paste its content in your next reply;

Please post these 2 logs when finished.

Also, tell me how the computer is now.

Blackhawk2
2018-12-22, 02:18
Sorry that took a while. First time I ran EEK, got a BSOD. Never had that before. Second time worked though. Here are the results:

Malwarebytes
www.malwarebytes.com

-Log Details-
Scan Date: 12/21/18
Scan Time: 5:25 PM
Log File: c15cb574-0577-11e9-b5c7-0026b9ded3d5.json

-Software Information-
Version: 3.6.1.2711
Components Version: 1.0.482
Update Package Version: 1.0.8433
License: Free

-System Information-
OS: Windows 7 Service Pack 1
CPU: x86
File System: NTFS
User: Eric-PC\Eric

-Scan Summary-
Scan Type: Threat Scan
Scan Initiated By: Manual
Result: Completed
Objects Scanned: 161330
Threats Detected: 0
Threats Quarantined: 0
Time Elapsed: 7 min, 4 sec

-Scan Options-
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Detect
PUM: Detect

-Scan Details-
Process: 0
(No malicious items detected)

Module: 0
(No malicious items detected)

Registry Key: 0
(No malicious items detected)

Registry Value: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Data Stream: 0
(No malicious items detected)

Folder: 0
(No malicious items detected)

File: 0
(No malicious items detected)

Physical Sector: 0
(No malicious items detected)

WMI: 0
(No malicious items detected)


(end)

Emsisoft Emergency Kit 2018.6.0.8742 stable [en-us]
OS: Windows 7 Service Pack 1 (Version 6.1, Build 7601, 32-bit Edition)

Forensics log

Date Component Action Details
12/21/2018 6:13:41 PM Scanner Scan finished Scanned 70075 objects and found nothing.
12/21/2018 6:07:28 PM User ERIC-PC\Eric Scan started Malware Scan
12/21/2018 5:57:25 PM Scanner Scanning Is in progress.
12/21/2018 5:56:32 PM User ERIC-PC\Eric Setting modified "Detect PUPs" has been changed to "Enabled".
12/21/2018 5:56:32 PM User ERIC-PC\Eric Scan started Malware Scan
12/21/2018 5:55:49 PM User Update Downloaded and installed 74 files (25327 kb) (1 min. 13 sec.).
12/21/2018 5:54:36 PM Core Notification "Recommended Reading:5 Privacy tools to keep your data safe and secure during the holidays".
12/21/2018 5:54:31 PM User Update Failed with error "Server returned error" (0 sec.).

Blackhawk2
2018-12-22, 02:20
forgot to mention, MBAM has not detected anything in the last few scans I have done, even before getting on here for assistance.

Juliet
2018-12-22, 13:20
Tell me how the computer is now.

Blackhawk2
2018-12-22, 16:24
It seems to be OK. Haven't had any redirects in the last day. The only thing was that BSOD when I ran EEK.

Juliet
2018-12-22, 17:49
Should be in a good shape.
Let's do
SFC /SCANNOW Command - System File Checker
https://www.sevenforums.com/tutorials/1538-sfc-scannow-command-system-file-checker.html

Blackhawk2
2018-12-22, 20:35
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.

C:\Windows\system32>sfc /scannow

Beginning system scan. This process will take some time.

Beginning verification phase of system scan.
Verification 100% complete.

Windows Resource Protection did not find any integrity violations.

C:\Windows\system32>

Juliet
2018-12-23, 13:45
I think we can close this out now.


Please download DelFix (https://www.bleepingcomputer.com/download/delfix/) or from Here (http://www.bleepingcomputer.com/download/delfix/) and save the file to your Desktop.
Double-click DelFix.exe to run the programme.
Place a checkmark next to the following items:
Activate UAC
Remove disinfection tools
Click the Run button.
-- This will remove the specialized tools we used to disinfect your system.
Any leftover logs, files, folders or tools remaining on your Desktop which were not removed can be deleted manually (right-click the file + delete).

************


Answers to common security questions - Best Practices (http://www.bleepingcomputer.com/forums/t/407147/answers-to-common-security-questions-best-practices/) by quietman7, MVP
How Malware Spreads - How did I get infected? (http://www.bleepingcomputer.com/forums/t/287710/how-malware-spreads-how-did-i-get-infected/) by quietman7, MVP
Simple and easy ways to keep your computer safe and secure on the Internet (http://www.bleepingcomputer.com/tutorials/keep-your-computer-safe-online/) by Lawrence Abrams, MVP
How to Prevent Malware (http://users.telenet.be/bluepatchy/miekiemoes/prevention.html) by miekiemoes, MVP
How to backup and restore your data using Cobian Backup (http://www.bleepingcomputer.com/tutorials/backup-and-restore-data-with-cobian-backup/) by YourHighness
Slow Computer/browser? It May Not Be Malware (http://www.bleepingcomputer.com/forums/t/87058/slow-computerbrowser-check-here-first;-it-may-not-be-malware/) by quietman7, MVP


AdBlock (https://adblockplus.org/en/firefox) is a browser add-on that blocks annoying banners, pop-ups and video ads.
CryptoPrevent (https://www.foolishit.com/) places policy restrictions on loading points for ransomware (eg. CryptoWall), helping prevent the execution of malware.
Malwarebytes Anti-Exploit (https://www.malwarebytes.org/antiexploit/) (MBAE) is designed to prevent zero-day malware from exploiting vulnerable software.
Malwarebytes Anti-Malware Premium (https://www.malwarebytes.org/) (MBAM) works in real-time alongside your Anti-Virus to prevent malware execution.
NoScript (http://noscript.net/) is a Firefox add-on that blocks the actions of malicious scripts by using whitelisting and other technology.
Sandboxie (http://www.sandboxie.com/) isolates programmes of your choice, preventing files from being written to your HDD unless approved by you.
Secunia PSI (http://secunia.com/vulnerability_scanning/personal/) will scan your computer for vulnerable software that is outdated, and automatically find the latest update for you.

Unchecky (http://unchecky.com/) automatically removes checkmarks for bundled software in programme installers, helping you avoid adware and PUPs.

Blackhawk2
2018-12-23, 18:28
Well, just got another browser redirect to a "Norton" site. It said my computer was infected....

Blackhawk2
2018-12-23, 18:35
Now, just got another one from website uaf6hnatulan.com wanting me to install player 154582681.hta. This one is the fake Flash Player one that I keep getting.... That's 2 redirects within 5 minutes. I was just on yahoo.com, the main page, when it happened. Not really doing anything.

Juliet
2018-12-23, 22:50
Follow the instructions in the thread below. Make sure to download the MBAR version linked in it.
Pay no attention to the title of the topic.

https://forums.malwarebytes.com/topic/198907-requested-resource-is-in-use-error-unable-to-start-malwarebytes/

Run the scan, delete everything it finds, and then copy/paste the content of the mbar-log-DATE-(TIME).txt log that is located in the MBAR folder here after.

Also
**************************
Please click HERE (http://devbuilds.kaspersky-labs.com/devbuilds/AVPTool/) to download Kaspersky Virus Removal Tool.

Double click on the file you just downloaded and let it install.
It will install to your desktop (be patient; it may take a while).
Accept license agreement and click "Start" button.
Click on Settings button

In Scan scope leave the pre-checked items as they are and also checkmark My Computer.
In Actions checkmark Select action: (disinfect; delete if disinfection fails) instead of preselected Prompt on detection


Click on Automatic Scan tab and then click on Start scanning button.
Before it is done it may prompt for action regardless of the setting so choose delete if prompted.
When the scan is done NO log will be produced.
Click on the Report button, then on the Automatic Scan report tab.
Right click anywhere within the right pane, click Select All, then right click again and click Copy.
This will copy the items that it found to the clipboard. You can then open Notepad (go to Start, then Run, then type in notepad) and choose Paste to paste the contents into Notepad.
You can save this on the desktop.
Post the contents of the document in your next reply.

Please post these 2 logs when finished.

Also, tell me how the computer is now.

Juliet
2018-12-23, 23:40
I was just on yahoo.com

"Scareware" is designed to generate alerts and scare you to the point where you will contact and pay for the removal of infections that do not exist.
There was an active JavaScript on that page.

Hardening your web browser means installing extensions that will help it protect itself (and your system at the same time) against exploit kits, MitM attacks, etc., but also protect you. Here are a few extensions that I recommend you install.

uBlock Origin: Efficient multi-purpose blocker that is lightweight on RAM and CPU usage (Google Chrome, Mozilla Firefox, Microsoft Edge, Opera and most Chromium and Firefox-based browsers)
Read over the link below
https://www.bleepingcomputer.com/forums/t/673424/can-ublock-origin-block-tracking-analytics/


NoScript: NoScript is a script blocker (Java, Flash, JavaScript, etc.) for Mozilla Firefox and Firefox-based web browsers.

https://noscript.net/
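
The blocking decision Juliet relies on above, as an added example that is not part of the thread and not code from Adblock Plus or uBlock Origin: a minimal Python model of how a static filter of the form `||host^` (with the `$script` and `$third-party` options and `@@` exceptions) is matched against the requests a page makes. The filter syntax is the real one; `uaf6hnatulan.com` and the `.hta` file name are the ones reported in the thread, while `ads.example` and `cdn.ads.example` are placeholder hosts, and the first-party / third-party test assumes a two-label public-suffix approximation that real blockers replace with the public suffix list.

```python
"""Minimal model of an Adblock Plus / uBlock Origin static-filter decision.
Added example for this thread, not code from either extension.  Only the
rule form  [@@]||host^[$script,third-party]  is modelled."""
from dataclasses import dataclass
from urllib.parse import urlsplit

SUPPORTED_TYPES = {"script", "image", "subdocument", "xmlhttprequest"}


@dataclass(frozen=True)
class Rule:
    host: str               # anchor host from ``||host^``
    types: frozenset        # resource types the rule applies to; empty = all
    third_party_only: bool  # ``$third-party`` option present
    exception: bool         # ``@@`` prefix: an allow rule that overrides blocks


def parse_rule(line: str) -> Rule:
    """Parse one ``[@@]||host^[$opt,...]`` filter line."""
    exception = line.startswith("@@")
    if exception:
        line = line[2:]
    if not line.startswith("||"):
        raise ValueError(f"only ||host^ rules are modelled: {line!r}")
    body, _, opts = line[2:].partition("$")
    types, third_party = set(), False
    for opt in (opts.split(",") if opts else []):
        if opt == "third-party":
            third_party = True
        elif opt in SUPPORTED_TYPES:
            types.add(opt)
        else:
            raise ValueError(f"unsupported option {opt!r}")
    return Rule(body.rstrip("^").lower(), frozenset(types), third_party, exception)


def registrable_part(host: str) -> str:
    """Assumed eTLD+1 (last two labels).  Real blockers use the public suffix
    list; this shortcut is wrong for hosts such as example.co.uk."""
    return ".".join(host.lower().split(".")[-2:])


def host_matches(anchor: str, host: str) -> bool:
    """``||anchor^`` matches the anchor itself or any subdomain of it, never a
    host that merely ends in the same characters (notexample.com)."""
    host = host.lower()
    return host == anchor or host.endswith("." + anchor)


def decide(rules, request_url: str, page_url: str, resource_type: str) -> str:
    """Return 'block' or 'allow' for one request made by page_url.  A matching
    exception (@@) rule wins over any matching block rule, as in ABP and uBO."""
    req_host = urlsplit(request_url).hostname or ""
    page_host = urlsplit(page_url).hostname or ""
    third_party = registrable_part(req_host) != registrable_part(page_host)
    verdict = "allow"
    for rule in rules:
        if not host_matches(rule.host, req_host):
            continue
        if rule.types and resource_type not in rule.types:
            continue
        if rule.third_party_only and not third_party:
            continue
        if rule.exception:
            return "allow"
        verdict = "block"
    return verdict


def triage(rules, page_url: str, requests) -> dict:
    """Evaluate every (url, resource_type) pair a page load makes."""
    return {url: decide(rules, url, page_url, rtype) for url, rtype in requests}


# Constructed filter list.  uaf6hnatulan.com is the redirect host reported in
# the thread; ads.example / cdn.ads.example are placeholders, not real ad
# networks, and the @@ rule exists only to show exception precedence.
FILTER_LIST = [
    "||uaf6hnatulan.com^",
    "||ads.example^$script,third-party",
    "@@||cdn.ads.example^$script",
]
RULES = [parse_rule(line) for line in FILTER_LIST]

# Constructed page load: the portal's own script, two third-party ad scripts,
# and the fake "player" .hta named in the thread, loaded as a subdocument.
SAMPLE_PAGE = "https://www.yahoo.com/"
SAMPLE_REQUESTS = [
    ("https://www.yahoo.com/static/app.js", "script"),
    ("https://tracker.ads.example/loader.js", "script"),
    ("https://cdn.ads.example/ok.js", "script"),
    ("https://uaf6hnatulan.com/player/154582681.hta", "subdocument"),
]

if __name__ == "__main__":
    for url, verdict in triage(RULES, SAMPLE_PAGE, SAMPLE_REQUESTS).items():
        print(f"{verdict:5s} {url}")
```

The point to take from it is that the blocker never lets the third-party ad script execute in the first place, so the location change that script would trigger, and the download of the .hta it points to, never happen; a first-party script from the same ad host is deliberately left alone by the `$third-party` rule, and the `@@` rule shows why a single allow entry can reopen a hole a block rule closed.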

Blackhawk2
2018-12-24, 00:06
The link for Kaspersky comes up 404 when I click your link. But here is the MBAR scan result.

Malwarebytes Anti-Rootkit BETA 1.10.3.1001
www.malwarebytes.org

Database version:
main: v2018.12.23.04
rootkit: v2018.12.23.04

Windows 7 Service Pack 1 x86 NTFS
Internet Explorer 11.0.9600.19230
Eric :: ERIC-PC [administrator]

12/23/2018 3:40:04 PM
mbar-log-2018-12-23 (15-40-04).txt

Scan type: Quick scan
Scan options enabled: Anti-Rootkit | Drivers | MBR | Physical Sectors | Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken
Scan options disabled:
Objects scanned: 149839
Time elapsed: 19 minute(s), 35 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

Physical Sectors Detected: 0
(No malicious items detected)

(end)


I also saw your links to some blockers. I only have IE installed on this computer. Do you recommend a different browser?

Juliet
2018-12-24, 00:31
Try this link for Kaspersky
https://usa.kaspersky.com/downloads/thank-you/free-virus-removal-tool

Myself I use Firefox
https://www.mozilla.org/en-US/firefox/new/

Try it and see if you like it.
Many addons can be applied.

Blackhawk2
2018-12-24, 02:48
I cannot do anything with the report, but it says no threats found...

It seems to be ok again, just weird that it randomly redirected twice after being good for a day or so.

I guess I will try a different browser and see if that helps.

Juliet
2018-12-24, 13:29
No threats found is good news.


I guess I will try a different browser and see if that helps.
Also try the script blocker, it can stop a ton of pop ups.

Blackhawk2
2018-12-24, 19:21
Downloaded Firefox and added the Adblock Plus add-on. Seems much better, by that I mean no redirects and it seems to be much faster. Fingers crossed!!!

Juliet
2018-12-24, 19:36
Yeah, it's an early Christmas present.

Juliet
2019-01-01, 14:23
How's it going?

Juliet
2019-01-08, 00:31
still with me?

Juliet
2019-01-08, 20:20
Glad we could help.
Since this issue appears resolved ... this Topic is closed.