computer under attack!

Status
Not open for further replies.
I know I've given you a lot to do; after running those 2 tools, try to update and then run MBAM (Malwarebytes' Anti-Malware) again.

It's late here and I have a 6 year old ready to go to bed. I'll have to check back in the morning.

It's my hope the computer is starting to run better?
 
CF log

ComboFix 15-10-15.01 - user 10/16/2015 22:04:37.2.2 - x86
Microsoft Windows 7 Ultimate 6.1.7600.0.1252.1.1033.18.2038.1271 [GMT -5:00]
Running from: c:\users\user\Desktop\ComboFix.exe
Command switches used :: c:\users\user\Desktop\CFScript.txt
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((( Files Created from 2015-09-17 to 2015-10-17 )))))))))))))))))))))))))))))))
.
.
2015-10-17 03:10 . 2015-10-17 03:10 -------- d-----w- c:\users\Default\AppData\Local\temp
2015-10-17 01:41 . 2015-09-16 10:43 8884144 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{DC19DD17-70D4-4535-888D-90465C567C67}\mpengine.dll
2015-10-17 01:04 . 2015-09-16 10:43 8884144 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{10CC0889-972C-46E6-9D93-866837795410}\mpengine.dll
2015-10-17 00:31 . 2015-10-17 03:10 -------- d-----w- c:\users\user\AppData\Local\temp
2015-10-12 18:59 . 2015-10-12 22:25 -------- d-----w- C:\AdwCleaner
2015-10-10 01:10 . 2015-10-10 01:10 -------- d-----w- C:\RegBackup
2015-10-10 00:26 . 2015-10-17 00:40 -------- d-----w- c:\program files\Tweaking.com
2015-10-10 00:13 . 2015-10-13 17:51 -------- d-----w- C:\FRST
2015-09-20 19:54 . 2015-09-20 19:54 -------- d-----w- c:\program files\Common Files\AV
2015-09-20 19:03 . 2015-09-20 19:03 -------- d-----w- c:\program files\CCleaner
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2015-10-17 00:02 . 2015-05-16 21:59 780488 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2015-10-17 00:02 . 2015-05-16 21:59 142536 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2015-10-17 00:02 . 2015-08-23 16:02 3996360 ----a-w- c:\windows\system32\FlashPlayerInstaller.exe
2015-08-20 09:18 . 2015-09-02 11:32 9234960 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{04CF7845-9F16-42DA-8744-864BC1B9294F}\mpengine.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SandboxieControl"="c:\program files\Sandboxie\SbieCtrl.exe" [2013-10-16 543432]
"CCleaner Monitoring"="c:\program files\CCleaner\CCleaner.exe" [2015-08-19 6490904]
"SpybotPostWindows10UpgradeReInstall"="c:\program files\Common Files\AV\Spybot - Search and Destroy\Test.exe" [2015-07-28 1011200]
.
c:\users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
restore_files_mkkgj.html [2015-8-22 5081]
restore_files_mkkgj.txt [2015-8-22 2253]
restore_files_qnhwg.html [2015-8-22 3822]
restore_files_qnhwg.txt [2015-8-22 2170]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\BFE]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\BITS]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MpsSvc]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\msiserver]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SharedAccess]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vss]
@="Service"
.
R3 netw5v32;Intel(R) Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\system32\DRIVERS\netw5v32.sys [2009-07-13 4231168]
S3 SrvHsfHDA;SrvHsfHDA;c:\windows\system32\DRIVERS\VSTAZL3.SYS [2009-07-13 207360]
S3 SrvHsfV92;SrvHsfV92;c:\windows\system32\DRIVERS\VSTDPV3.SYS [2009-07-13 980992]
S3 SrvHsfWinac;SrvHsfWinac;c:\windows\system32\DRIVERS\VSTCNXT3.SYS [2009-07-13 661504]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]
2015-10-16 09:05 997704 ----a-w- c:\program files\Google\Chrome\Application\46.0.2490.71\Installer\chrmstp.exe
.
Contents of the 'Scheduled Tasks' folder
.
2015-10-17 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2015-05-16 00:02]
.
2015-10-17 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2015-05-19 16:47]
.
2015-10-17 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2015-05-19 16:47]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyServer = localhost:8080
TCP: DhcpNameServer = 75.75.75.75 75.75.76.76
FF - ProfilePath - c:\users\user\AppData\Roaming\Mozilla\Firefox\Profiles\vk605143.default\
FF - prefs.js: browser.startup.homepage - hxxps://www.google.com/?gws_rd=ssl
.
- - - - ORPHANS REMOVED - - - -
.
SafeBoot-AppXSvc
SafeBoot-ClipSvc
SafeBoot-WSService
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil32_19_0_0_226_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\LocalServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil32_19_0_0_226_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}]
@Denied: (A 2) (Everyone)
@="IFlashBroker6"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\system\ControlSet002\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet002\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet002\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2015-10-16 22:13:34
ComboFix-quarantined-files.txt 2015-10-17 03:13
ComboFix2.txt 2015-10-17 00:35
.
Pre-Run: 275,599,224,832 bytes free
Post-Run: 275,549,126,656 bytes free
.
- - End Of File - - 74FB0251404458ADE88AF808BE27C782
8F558EB6672622401DA993E1E865C861
 
Please open Notepad (*Do not use WordPad* or any other text editor than Notepad, or the script will fail): Start -> Run -> type notepad in the Open field -> OK. Then copy and paste the text present inside the quote box below.
To do this, highlight the contents of the box, right-click on it and select Copy.
Paste this into the open Notepad window and save it to the Desktop as fixlist.txt.
NOTE: It's important that both files, FRST/FRST64 and fixlist.txt, are in the same location or the fix will not work.
It needs to be saved next to the "Farbar Recovery Scan Tool" (if asked to overwrite the existing one, please allow).

start
CreateRestorePoint:
CloseProcesses:
Startup: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\restore_files_mkkgj.html [2015-08-22] ()
Startup: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\restore_files_mkkgj.txt [2015-08-22] ()
Startup: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\restore_files_qnhwg.html [2015-08-22] ()
Startup: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\restore_files_qnhwg.txt [2015-08-22] ()
EmptyTemp:
Hosts:
End

Open FRST/FRST64 and press the > Fix < button just once and wait.
If for some reason the tool needs a restart, please make sure you let the system restart normally. After that, let the tool complete its run.
When finished, FRST will generate a log on the Desktop (Fixlog.txt). Please post it in your reply.

Post this log when finished.

Tell me what the computer is doing now, is it running any better?
 
farbar log

Fix result of Farbar Recovery Scan Tool (x86) Version:17-10-2015
Ran by user (2015-10-17 15:12:35) Run:2
Running from C:\Users\user\Desktop
Loaded Profiles: user (Available Profiles: user)
Boot Mode: Normal

==============================================

fixlist content:
*****************
start
CreateRestorePoint:
CloseProcesses:
Startup: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\restore_files_mkkgj.html [2015-08-22] ()
Startup: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\restore_files_mkkgj.txt [2015-08-22] ()
Startup: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\restore_files_qnhwg.html [2015-08-22] ()
Startup: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\restore_files_qnhwg.txt [2015-08-22] ()
EmptyTemp:
Hosts:
End
*****************

Restore point was successfully created.
Processes closed successfully.
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\restore_files_mkkgj.html => moved successfully
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\restore_files_mkkgj.txt => moved successfully
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\restore_files_qnhwg.html => moved successfully
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\restore_files_qnhwg.txt => moved successfully
C:\Windows\System32\Drivers\etc\hosts => moved successfully
Hosts restored successfully.
EmptyTemp: => 718.1 MB temporary data Removed.


The system needed a reboot.

==== End of Fixlog 15:13:00 ====
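As an added check (not part of this thread and not code from FRST itself): a small Python parser for the Fixlog layout above. It reads the echoed fixlist, maps each Startup: directive to its "=> moved successfully" result line, and pulls out the restore point, Hosts and EmptyTemp results, so a helper can confirm every item in the fix was actually handled. The sample Fixlog is constructed in the same layout, with one Startup entry deliberately left without a result so the check flags it.

```python
import re

# Constructed sample in the FRST Fixlog layout seen in this thread. The second
# Startup: item has no "moved successfully" line, so it should be reported.
SAMPLE_FIXLOG = r"""fixlist content:
*****************
start
CreateRestorePoint:
CloseProcesses:
Startup: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\restore_files_mkkgj.html [2015-08-22] ()
Startup: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\restore_files_qnhwg.txt [2015-08-22] ()
EmptyTemp:
Hosts:
End
*****************

Restore point was successfully created.
Processes closed successfully.
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\restore_files_mkkgj.html => moved successfully
C:\Windows\System32\Drivers\etc\hosts => moved successfully
Hosts restored successfully.
EmptyTemp: => 718.1 MB temporary data Removed.

The system needed a reboot.

==== End of Fixlog 15:13:00 ====
"""

STARTUP_RE = re.compile(r"^Startup:\s*(?P<path>.+?)\s*\[\d{4}-\d{2}-\d{2}\]")
MOVED_RE = re.compile(r"^(?P<path>.+?)\s*=>\s*moved successfully\s*$")


def split_fixlog(text):
    """Split a Fixlog into the echoed fixlist lines and the result lines after it."""
    m = re.search(r"fixlist content:\s*\n\*+\n(.*?)\n\*+\n(.*)", text, re.S)
    if not m:
        raise ValueError("no 'fixlist content' block found")
    return m.group(1).splitlines(), m.group(2).splitlines()


def startup_paths(fixlist_lines):
    """Paths named by Startup: directives in the fixlist."""
    return [m.group("path") for ln in fixlist_lines if (m := STARTUP_RE.match(ln.strip()))]


def moved_paths(result_lines):
    """Paths FRST reported as moved (lower-cased, since NTFS paths are case-insensitive)."""
    return {m.group("path").lower() for ln in result_lines if (m := MOVED_RE.match(ln.strip()))}


def verify_fixlog(text):
    """Per-path outcome for every Startup: item plus the global results of the fix."""
    fixlist, results = split_fixlog(text)
    moved = moved_paths(results)
    joined = "\n".join(results)
    temp = re.search(r"EmptyTemp: => ([\d.]+) MB", joined)
    return {
        "startup": {p: p.lower() in moved for p in startup_paths(fixlist)},
        "restore_point": "Restore point was successfully created." in joined,
        "hosts_restored": "Hosts restored successfully." in joined,
        "temp_removed_mb": float(temp.group(1)) if temp else 0.0,
        "reboot_needed": "The system needed a reboot." in joined,
    }


def unresolved(text):
    """Startup: items the fix never reported as moved; these need a manual look."""
    return sorted(p for p, ok in verify_fixlog(text)["startup"].items() if not ok)


if __name__ == "__main__":
    for path in unresolved(SAMPLE_FIXLOG):
        print("NOT REMOVED:", path)
```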
 
current state

The computer rebooted after this last Farbar run. Upon reboot, for the first time in a long time, Windows opened without the extra popup windows. Should I try to run the programs that it wouldn't run before, e.g. Spybot, Malwarebytes?
 

yahoo, yabba dabba do
we're getting there.

I might have posted these instructions before; no big deal, let's run them again. Could be there are things it couldn't find before that it can now.
If one won't run, go to the next.


Open MBAM
  • On the Dashboard click on Update Now
  • Go to the Settings tab
  • Under Settings go to Detection and Protection
  • Under PUP and PUM make sure both are set to show Treat Detections as Malware
  • Go to Advanced setting and make sure Automatically Quarantine Detected Items is checked
  • Then on the Dashboard click on Scan
  • Make sure to select THREAT SCAN
  • Then click on Scan
  • When the scan is finished and the log pops up...select Copy to Clipboard
  • Please paste the log back into this thread for review
  • Exit Malwarebytes

~~~~~~~~~~~~~~~~~~~~~~

1. Open up Malwarebytes and you will be on the Dashboard
2. Click on the History Tab
3. Then click on Application Logs
4. Double click on the SCAN LOG (Not Protection Log ) you just ran
5. When it opens it will look like this

6. Then click on Export
7. On the drop down list click on Copy to Clipboard
8. Then paste the log back into this thread

On completion of the scan (or after the reboot), start MBAM,

Click History, then Application Logs, then check the Select box by the first Scan Log in the list and then click on the log to highlight it.

Click Export, select text file and save to the desktop as MBAM.txt and post in your next reply.


~~~~~~~~~~~~~~~~~~~~~~~~~~~




AdwCleaner
  • Please download AdwCleaner and save the file to your Desktop.
  • Right-click AdwCleaner.exe and select Run as administrator to run the programme.
  • Follow the prompts.
  • Click Scan.
  • Upon completion, click Report. A log (AdwCleaner[SX].txt) will open. Briefly check the log for anything you know to be legitimate.
  • Ensure anything you know to be legitimate does not have a checkmark, and click Clean.
  • Follow the prompts and allow your computer to reboot.
  • After rebooting, a log (AdwCleaner[SX].txt) will open. Copy the contents of the log and paste in your next reply.
-- File and registry key backups are made for anything removed using this tool. Should a legitimate entry be removed (otherwise known as a 'false-positive'), simple steps can be taken to restore the entry. Please do not overly concern yourself with the contents of AdwCleaner[R0].txt.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Please download Junkware Removal Tool (or from here: http://downloads.malwarebytes.org/file/jrt) to your desktop.
  • Shut down your protection software now to avoid potential conflicts.
  • Run the tool by double-clicking it. If you are using Windows Vista, 7, or 8; instead of double-clicking, right-mouse click JRT.exe and select "Run as Administrator".
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete depending on your system's specifications.
  • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
  • Post the contents of JRT.txt into your next message.

Please post:
MBAM.txt
AdwCleaner[CX].txt
JRT.txt
 
woohoo

It finally let me run mbam.exe.
Malwarebytes ran and it found no threats.

Here's the log you asked for:
Malwarebytes Anti-Malware
www.malwarebytes.org

Scan Date: 10/18/2015
Scan Time: 2:31 PM
Logfile:
Administrator: Yes

Version: 2.2.0.1024
Malware Database: v2015.10.18.04
Rootkit Database: v2015.10.16.01
License: Free
Malware Protection: Disabled
Malicious Website Protection: Disabled
Self-protection: Disabled

OS: Windows 7
CPU: x86
File System: NTFS
User: user

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 285075
Time Elapsed: 6 min, 6 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled

Processes: 0
(No malicious items detected)

Modules: 0
(No malicious items detected)

Registry Keys: 0
(No malicious items detected)

Registry Values: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Folders: 0
(No malicious items detected)

Files: 0
(No malicious items detected)

Physical Sectors: 0
(No malicious items detected)


(end)
 
jrt log

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Malwarebytes
Version: 7.6.4 (09.28.2015:1)
OS: Windows 7 Ultimate x86
Ran by user on Sun 10/18/2015 at 14:59:22.03
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~




~~~ Services



~~~ Tasks



~~~ Registry Values



~~~ Registry Keys

Successfully deleted: [Registry Key] HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer



~~~ Files



~~~ Folders



~~~ FireFox

Emptied folder: C:\Users\user\AppData\Roaming\mozilla\firefox\profiles\vk605143.default\minidumps [24 files]



~~~ Chrome


[C:\Users\user\Appdata\Local\Google\Chrome\User Data\Default\Preferences] - default search provider reset

[C:\Users\user\Appdata\Local\Google\Chrome\User Data\Default\Preferences] - Extensions Deleted:

[C:\Users\user\Appdata\Local\Google\Chrome\User Data\Default\Secure Preferences] - default search provider reset

[C:\Users\user\Appdata\Local\Google\Chrome\User Data\Default\Secure Preferences] - Extensions Deleted:
[]





~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on Sun 10/18/2015 at 15:01:35.56
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
Now for the pièce de résistance.

What we can do now is run an online scan with ESET; for the time being it is our most trusted scanner.
Most reliable and thorough.
The settings I suggest will show us items located in quarantine folders, so don't be alarmed by this; also, in case of a false positive, I ask that you not allow it to delete what it does find.
This scanner can take quite a bit of time to run, depending of course on how full your computer is.


ESET Online Scan
Note: This scan may take a long time to complete. Please do not browse the Internet whilst your Anti-Virus is disabled.
  • Please download ESET Online Scan and save the file to your Desktop.
  • Temporarily disable your anti-virus software. For instructions, please refer to the following link.
  • Double-click esetsmartinstaller_enu.exe to run the programme.
  • Agree to the EULA by placing a checkmark next to Yes, I accept the Terms of Use. Then click Start.
  • Agree to the Terms of Use once more and click Start. Allow components to download.
  • Place a checkmark next to Enable detection of potentially unwanted applications.
  • Click Advanced settings. Place a checkmark next to:
    • Scan archives
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth technology
  • Ensure Remove found threats is unchecked.
  • Click Start.
  • Wait for the scan to finish. Please be patient as this can take some time.
  • Upon completion, click the button to list found threats (shown as an image in the original post). If no threats were found, skip the next two bullet points.
  • Click Export (shown as an image in the original post) and save the file to your Desktop, naming it something such as "MyEsetScan".
  • Push the Back button.
  • Place a checkmark next to the option shown in the original post's screenshot and click the button shown beside it (images not reproduced here).
  • Re-enable your anti-virus software.
  • Copy the contents of the log and paste in your next reply.
 
Glad we could help. :)


Since this issue appears resolved ... this Topic is closed.
 