computer under attack!

Red_Earth · Oct 10, 2015

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version:08-10-2015
Ran by user (administrator) on USER-PC (09-10-2015 19:14:21)
Running from C:\Users\user\Downloads
Loaded Profiles: user (Available Profiles: user)
Platform: Microsoft Windows 7 Ultimate (X86) Language: English (United States)
Internet Explorer Version 8 (Default browser: FF)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(Sandboxie Holdings, LLC) C:\Program Files\Sandboxie\SbieSvc.exe
(Safer-Networking Ltd.) C:\Program Files\Spybot - Search & Destroy 2\SDFSSvc.exe
(Safer-Networking Ltd.) C:\Program Files\Spybot - Search & Destroy 2\SDUpdSvc.exe
(Safer-Networking Ltd.) C:\Program Files\Spybot - Search & Destroy 2\SDWSCSvc.exe
(Safer-Networking Ltd.) C:\Program Files\Spybot - Search & Destroy 2\SDTray.exe
(Sandboxie Holdings, LLC) C:\Program Files\Sandboxie\SbieCtrl.exe
(Piriform Ltd) C:\Program Files\CCleaner\CCleaner.exe
() C:\Windows\Temp\~ECED.tmp.exe
(Microsoft Corporation) C:\Windows\System32\cmd.exe
() C:\ProgramData\taskhost.exe
(Google Inc.) C:\Program Files\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files\Google\Chrome\Application\chrome.exe

==================== Registry (Whitelisted) ===========================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [SDTray] => C:\Program Files\Spybot - Search & Destroy 2\SDTray.exe [4101576 2014-06-24] (Safer-Networking Ltd.)
HKLM\...\Run: [VjcYNwLhFDE6] => regsvr32.exe /s "C:\PROGRA~2\VjcYNwLhFDE6.dll"
HKLM\...\Run: [Chrome] => C:\ProgramData\taskhost.exe [5120 2015-10-06] ()
Winlogon\Notify\SDWinLogon: SDWinLogon.dll [X]
HKU\S-1-5-21-2083325841-3239248121-869660377-1000\...\Run: [SandboxieControl] => C:\Program Files\Sandboxie\SbieCtrl.exe [543432 2013-10-16] (Sandboxie Holdings, LLC)
HKU\S-1-5-21-2083325841-3239248121-869660377-1000\...\Run: [CCleaner Monitoring] => C:\Program Files\CCleaner\CCleaner.exe [6490904 2015-08-19] (Piriform Ltd)
HKU\S-1-5-21-2083325841-3239248121-869660377-1000\...\Run: [SpybotPostWindows10UpgradeReInstall] => C:\Program Files\Common Files\AV\Spybot - Search and Destroy\Test.exe [1011200 2015-07-28] (Safer-Networking Ltd.)
HKU\S-1-5-18\...\Run: [Chrome] => C:\ProgramData\taskhost.exe [5120 2015-10-06] ()
Startup: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\restore_files_mkkgj.html [2015-08-22] ()
Startup: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\restore_files_mkkgj.txt [2015-08-22] ()
Startup: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\restore_files_qnhwg.html [2015-08-22] ()
Startup: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\restore_files_qnhwg.txt [2015-08-22] ()
BootExecute: autocheck autochk * sdnclean.exe

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

Tcpip\Parameters: [DhcpNameServer] 75.75.75.75 75.75.76.76
Tcpip\..\Interfaces\{20396C80-FAE6-446D-A19D-054238E5CE4E}: [DhcpNameServer] 75.75.75.75 75.75.76.76
Tcpip\..\Interfaces\{6C1E3C77-1C84-43C7-8007-77C8B6A57208}: [DhcpNameServer] 75.75.75.75 75.75.76.76

Internet Explorer:
==================
HKU\S-1-5-21-2083325841-3239248121-869660377-1000\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = hxxp://www.msn.com/?ocid=iehp
BHO: Google Toolbar Helper -> {AA58ED58-01DD-4d91-8333-CF10577473F7} -> C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll [2015-09-23] (Google Inc.)
Toolbar: HKLM - Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll [2015-09-23] (Google Inc.)
Toolbar: HKU\S-1-5-21-2083325841-3239248121-869660377-1000 -> Google Toolbar - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll [2015-09-23] (Google Inc.)

FireFox:
========
FF ProfilePath: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\vk605143.default
FF DefaultSearchEngine: Ask Web Search
FF SelectedSearchEngine: Ask Web Search
FF Homepage: hxxp://home.tb.ask.com/index.jhtml?ptb=5511A651-82A3-4CC4-907D-C555A1F8DFCE&n=781b8b1b&p2=^ZX^foxyyy^YYA^us
FF Plugin: @adobe.com/FlashPlayer -> C:\Windows\system32\Macromed\Flash\NPSWF32_19_0_0_185.dll [2015-09-23] ()
FF Plugin: @tools.google.com/Google Update;version=3 -> C:\Program Files\Google\Update\1.3.28.15\npGoogleUpdate3.dll [2015-09-19] (Google Inc.)
FF Plugin: @tools.google.com/Google Update;version=9 -> C:\Program Files\Google\Update\1.3.28.15\npGoogleUpdate3.dll [2015-09-19] (Google Inc.)
FF Plugin: @videolan.org/vlc,version=2.2.1 -> C:\Program Files\VideoLAN\VLC\npvlc.dll [2015-04-13] (VideoLAN)
FF SearchPlugin: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\vk605143.default\searchplugins\ask-web-search.xml [2015-07-09]
FF SearchPlugin: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\vk605143.default\searchplugins\restore_files_mkkgj.html [2015-08-22]
FF SearchPlugin: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\vk605143.default\searchplugins\restore_files_mkkgj.txt [2015-08-22]
FF SearchPlugin: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\vk605143.default\searchplugins\restore_files_qnhwg.html [2015-08-22]
FF SearchPlugin: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\vk605143.default\searchplugins\restore_files_qnhwg.txt [2015-08-22]
FF Extension: Ghostery - C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\vk605143.default\Extensions\firefox@ghostery.com.xpi [2015-05-16]

Chrome:
=======
CHR HomePage: Default -> hxxp://www.google.com/
CHR StartupUrls: Default -> "hxxp://www.google.com/"
CHR Profile: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default
CHR Extension: (Google Slides) - C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek [2015-05-31]
CHR Extension: (Google Docs) - C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake [2015-05-31]
CHR Extension: (Google Drive) - C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2015-05-31]
CHR Extension: (YouTube) - C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2015-05-31]
CHR Extension: (Google Search) - C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf [2015-05-31]
CHR Extension: (Google Sheets) - C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap [2015-05-31]
CHR Extension: (Google Docs Offline) - C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi [2015-09-27]
CHR Extension: (Chrome Hotword Shared Module) - C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\lccekmodgklaepjeofjdjpbminllajkg [2015-05-31]
CHR Extension: (Chrome Web Store Payments) - C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2015-05-31]
CHR Extension: (Gmail) - C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2015-05-31]

==================== Services (Whitelisted) ========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R2 SbieSvc; C:\Program Files\Sandboxie\SbieSvc.exe [130248 2013-10-16] (Sandboxie Holdings, LLC)
R2 SDScannerService; C:\Program Files\Spybot - Search & Destroy 2\SDFSSvc.exe [1738168 2014-06-24] (Safer-Networking Ltd.)
R2 SDUpdateService; C:\Program Files\Spybot - Search & Destroy 2\SDUpdSvc.exe [2088408 2014-06-27] (Safer-Networking Ltd.)
R2 SDWSCService; C:\Program Files\Spybot - Search & Destroy 2\SDWSCSvc.exe [171928 2014-04-25] (Safer-Networking Ltd.)
R2 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [680960 2009-07-13] (Microsoft Corporation)

===================== Drivers (Whitelisted) ==========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R3 SbieDrv; C:\Program Files\Sandboxie\SbieDrv.sys [159840 2013-10-16] (Sandboxie Holdings, LLC)

==================== NetSvcs (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

==================== One Month Created files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2015-10-09 19:14 - 2015-10-09 19:14 - 00009112 _____ C:\Users\user\Downloads\FRST.txt
2015-10-09 19:14 - 2015-10-09 19:14 - 00000000 ____D C:\Users\user\Downloads\FRST-OlderVersion
2015-10-09 19:13 - 2015-10-09 19:14 - 01698304 _____ (Farbar) C:\Users\user\Downloads\FRST.exe
2015-10-09 19:13 - 2015-10-09 19:14 - 00000000 ____D C:\FRST
2015-10-09 19:13 - 2015-10-09 19:13 - 00000736 _____ C:\Windows\system32\DB3841779606
2015-10-09 14:59 - 2015-10-09 14:59 - 01822048 _____ (BitTorrent Inc.) C:\Users\user\Downloads\uTorrent (1).exe
2015-10-06 18:32 - 2015-10-06 18:32 - 00005120 _____ C:\ProgramData\taskhost.exe
2015-10-06 18:31 - 2015-10-06 18:31 - 00004096 _____ C:\ProgramData\VjcYNwLhFDE6.dll
2015-10-06 07:12 - 2015-10-06 07:12 - 00000056 _____ C:\Windows\setupact.log
2015-10-06 07:12 - 2015-10-06 07:12 - 00000000 _____ C:\Windows\setuperr.log
2015-10-02 12:33 - 2015-10-02 12:33 - 01821536 _____ (BitTorrent Inc.) C:\Users\user\Downloads\uTorrent(1).exe
2015-10-02 12:28 - 2015-10-09 15:07 - 00000000 ____D C:\Users\user\AppData\LocalLow\uTorrent
2015-10-02 12:26 - 2015-10-02 12:27 - 01821536 _____ (BitTorrent Inc.) C:\Users\user\Downloads\uTorrent.exe
2015-09-30 21:31 - 2015-10-02 06:56 - 00000000 ____D C:\Program Files\Mozilla Firefox
2015-09-20 14:54 - 2015-09-20 14:54 - 00000000 ____D C:\Program Files\Common Files\AV
2015-09-20 14:54 - 2015-07-28 17:52 - 00821920 _____ (Safer-Networking Ltd. ) C:\Users\Public\Desktop\Post Win10 Spybot-install.exe
2015-09-20 14:47 - 2015-09-20 14:47 - 00002131 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Spybot-S&D Start Center.lnk
2015-09-20 14:47 - 2015-09-20 14:47 - 00002119 _____ C:\Users\Public\Desktop\Spybot-S&D Start Center.lnk
2015-09-20 14:47 - 2015-09-20 14:47 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Spybot - Search & Destroy 2
2015-09-20 14:47 - 2013-09-20 10:49 - 00018968 _____ (Safer Networking Limited) C:\Windows\system32\sdnclean.exe
2015-09-20 14:34 - 2015-09-20 14:37 - 46525608 _____ (Safer-Networking Ltd. ) C:\Users\user\Downloads\spybot-2.4.exe
2015-09-20 14:03 - 2015-09-20 14:03 - 00000965 _____ C:\Users\Public\Desktop\CCleaner.lnk
2015-09-20 14:03 - 2015-09-20 14:03 - 00000000 ____D C:\Program Files\CCleaner
2015-09-20 14:02 - 2015-09-20 14:03 - 06667640 _____ (Piriform Ltd) C:\Users\user\Downloads\ccsetup509.exe

==================== One Month Modified files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2015-10-09 19:09 - 2015-05-18 19:08 - 00000886 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2015-10-09 19:08 - 2015-05-18 19:08 - 00000882 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2015-10-09 19:08 - 2015-05-16 16:59 - 00000830 _____ C:\Windows\Tasks\Adobe Flash Player Updater.job
2015-10-09 19:08 - 2013-12-03 02:48 - 00384875 _____ C:\Windows\WindowsUpdate.log
2015-10-09 19:08 - 2009-07-13 23:34 - 00013776 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2015-10-09 19:08 - 2009-07-13 23:34 - 00013776 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2015-10-09 15:04 - 2015-05-31 20:38 - 00000000 ____D C:\Users\user\AppData\Roaming\vlc
2015-10-09 12:41 - 2015-08-25 06:42 - 03616964 _____ C:\Windows\system32\CFG3841779606
2015-10-06 07:12 - 2009-07-13 23:53 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2015-10-05 16:57 - 2015-07-22 07:03 - 00000000 ____D C:\Windows\Minidump
2015-10-05 14:45 - 2013-12-02 23:58 - 00713888 _____ C:\Windows\system32\PerfStringBackup.INI
2015-10-04 15:53 - 2015-08-31 19:45 - 00000000 ____D C:\Users\user\AppData\Roaming\tor
2015-10-02 06:56 - 2014-02-21 00:48 - 00000000 ____D C:\Program Files\Mozilla Maintenance Service
2015-10-01 06:38 - 2014-02-21 00:58 - 00001536 _____ C:\Windows\Sandboxie.ini
2015-09-27 14:35 - 2015-05-18 19:08 - 00002129 _____ C:\Users\Public\Desktop\Google Chrome.lnk
2015-09-23 06:48 - 2015-08-23 11:02 - 18819272 _____ (Adobe Systems Incorporated) C:\Windows\system32\FlashPlayerInstaller.exe
2015-09-23 06:48 - 2015-05-16 16:59 - 00780488 _____ (Adobe Systems Incorporated) C:\Windows\system32\FlashPlayerApp.exe
2015-09-23 06:48 - 2015-05-16 16:59 - 00142536 _____ (Adobe Systems Incorporated) C:\Windows\system32\FlashPlayerCPLApp.cpl
2015-09-20 14:54 - 2015-07-26 18:46 - 00000000 ____D C:\Program Files\Spybot - Search & Destroy 2
2015-09-20 14:47 - 2015-07-26 18:46 - 00000000 ____D C:\ProgramData\Spybot - Search & Destroy
2015-09-20 14:03 - 2015-07-26 18:42 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\CCleaner
2015-09-19 18:08 - 2009-07-13 21:37 - 00000000 ____D C:\Windows\system32\wfp
2015-09-19 18:08 - 2009-07-13 21:37 - 00000000 ____D C:\Windows\system32\NDF
2015-09-19 18:07 - 2015-05-18 19:08 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome
2015-09-19 18:07 - 2015-05-18 19:07 - 00000000 ____D C:\Users\user\AppData\Local\Google
2015-09-19 18:07 - 2009-07-13 21:37 - 00000000 ____D C:\Windows\registration
2015-09-19 18:07 - 2009-07-13 21:37 - 00000000 ____D C:\Windows\AppCompat

==================== Files in the root of some directories =======

2015-08-22 16:45 - 2015-08-22 16:45 - 0005081 _____ () C:\Users\user\AppData\Roaming\restore_files_mkkgj.html
2015-08-22 16:45 - 2015-08-22 16:45 - 0002253 _____ () C:\Users\user\AppData\Roaming\restore_files_mkkgj.txt
2015-08-22 07:05 - 2015-08-22 07:05 - 0003822 _____ () C:\Users\user\AppData\Roaming\restore_files_qnhwg.html
2015-08-22 07:05 - 2015-08-22 07:05 - 0002170 _____ () C:\Users\user\AppData\Roaming\restore_files_qnhwg.txt
2015-08-23 09:12 - 2015-08-23 09:12 - 0003822 _____ () C:\Users\user\AppData\Local\restore_files_bjvdg.html
2015-08-23 09:12 - 2015-08-23 09:12 - 0002170 _____ () C:\Users\user\AppData\Local\restore_files_bjvdg.txt
2015-08-23 08:41 - 2015-08-23 08:41 - 0003822 _____ () C:\Users\user\AppData\Local\restore_files_hvdux.html
2015-08-23 08:41 - 2015-08-23 08:41 - 0002170 _____ () C:\Users\user\AppData\Local\restore_files_hvdux.txt
2015-08-22 16:29 - 2015-08-22 16:43 - 0005081 _____ () C:\Users\user\AppData\Local\restore_files_mkkgj.html
2015-08-22 16:29 - 2015-08-22 16:43 - 0002253 _____ () C:\Users\user\AppData\Local\restore_files_mkkgj.txt
2015-08-22 06:48 - 2015-08-22 07:01 - 0003822 _____ () C:\Users\user\AppData\Local\restore_files_qnhwg.html
2015-08-22 06:48 - 2015-08-22 07:01 - 0002170 _____ () C:\Users\user\AppData\Local\restore_files_qnhwg.txt
2015-08-23 09:02 - 2015-08-23 09:03 - 0429427 _____ (Boxer Software) C:\ProgramData\716C5D6A.EX
2015-08-23 09:10 - 2015-08-23 09:12 - 0003822 _____ () C:\ProgramData\restore_files_bjvdg.html
2015-08-23 09:10 - 2015-08-23 09:12 - 0002170 _____ () C:\ProgramData\restore_files_bjvdg.txt
2015-08-23 10:02 - 2015-08-23 10:03 - 0003822 _____ () C:\ProgramData\restore_files_fmlub.html
2015-08-23 10:02 - 2015-08-23 10:03 - 0002170 _____ () C:\ProgramData\restore_files_fmlub.txt
2015-08-23 08:39 - 2015-08-23 08:41 - 0003822 _____ () C:\ProgramData\restore_files_hvdux.html
2015-08-23 08:39 - 2015-08-23 08:41 - 0002170 _____ () C:\ProgramData\restore_files_hvdux.txt
2015-08-22 16:29 - 2015-08-22 16:29 - 0005081 _____ () C:\ProgramData\restore_files_mkkgj.html
2015-08-22 16:29 - 2015-08-22 16:29 - 0002253 _____ () C:\ProgramData\restore_files_mkkgj.txt
2015-08-22 06:46 - 2015-08-22 06:48 - 0003822 _____ () C:\ProgramData\restore_files_qnhwg.html
2015-08-22 06:46 - 2015-08-22 06:48 - 0002170 _____ () C:\ProgramData\restore_files_qnhwg.txt
2015-08-23 10:01 - 2015-08-23 10:01 - 0003822 _____ () C:\ProgramData\restore_files_swkdn.html
2015-08-23 10:01 - 2015-08-23 10:01 - 0002170 _____ () C:\ProgramData\restore_files_swkdn.txt
2015-10-06 18:32 - 2015-10-06 18:32 - 0005120 _____ () C:\ProgramData\taskhost.exe
2015-10-06 18:31 - 2015-10-06 18:31 - 0004096 _____ () C:\ProgramData\VjcYNwLhFDE6.dll

==================== Bamital & volsnap =================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\explorer.exe => File is digitally signed
C:\Windows\system32\winlogon.exe => File is digitally signed
C:\Windows\system32\wininit.exe => File is digitally signed
C:\Windows\system32\svchost.exe => File is digitally signed
C:\Windows\system32\services.exe => File is digitally signed
C:\Windows\system32\User32.dll => File is digitally signed
C:\Windows\system32\userinit.exe => File is digitally signed
C:\Windows\system32\rpcss.dll => File is digitally signed
C:\Windows\system32\dnsapi.dll => File is digitally signed
C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed

LastRegBack: 2015-10-01 21:22

==================== End of FRST.txt ============================

Additional scan result of Farbar Recovery Scan Tool (x86) Version:08-10-2015
Ran by user (2015-10-09 19:15:05)
Running from C:\Users\user\Downloads
Microsoft Windows 7 Ultimate (X86) (2013-12-03 04:56:25)
Boot Mode: Normal
==========================================================

==================== Accounts: =============================

Administrator (S-1-5-21-2083325841-3239248121-869660377-500 - Administrator - Disabled)
Guest (S-1-5-21-2083325841-3239248121-869660377-501 - Limited - Disabled)
user (S-1-5-21-2083325841-3239248121-869660377-1000 - Administrator - Enabled) => C:\Users\user

==================== Security Center ========================

(If an entry is included in the fixlist, it will be removed.)

AS: Windows Defender (Enabled - Out of date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
AS: Spybot - Search and Destroy (Enabled - Out of date) {9BC38DF1-3CCA-732D-A930-C1CA5F20A4B0}

==================== Installed Programs ======================

(Only the adware programs with "Hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)

Adobe Flash Player 19 ActiveX (HKLM\...\Adobe Flash Player ActiveX) (Version: 19.0.0.185 - Adobe Systems Incorporated)
Adobe Flash Player 19 NPAPI (HKLM\...\Adobe Flash Player NPAPI) (Version: 19.0.0.185 - Adobe Systems Incorporated)
Audacity 2.1.0 (HKLM\...\Audacity_is1) (Version: 2.1.0 - Audacity Team)
CCleaner (HKLM\...\CCleaner) (Version: 5.09 - Piriform)
FlashCut CNC 3 (HKLM\...\{3D977399-5981-462B-A47E-7EA6DF472C84}) (Version: 3.0.7991 - )
Google Chrome (HKLM\...\Google Chrome) (Version: 45.0.2454.101 - Google Inc.)
Google Toolbar for Internet Explorer (HKLM\...\{2318C2B1-4965-11d4-9B18-009027A5CD4F}) (Version: 7.5.6904.2028 - Google Inc.)
Google Toolbar for Internet Explorer (Version: 1.0.0 - Google Inc.) Hidden
Google Update Helper (Version: 1.3.24.7 - Google Inc.) Hidden
Google Update Helper (Version: 1.3.28.15 - Google Inc.) Hidden
Mozilla Firefox 41.0.1 (x86 en-US) (HKLM\...\Mozilla Firefox 41.0.1 (x86 en-US)) (Version: 41.0.1 - Mozilla)
Mozilla Maintenance Service (HKLM\...\MozillaMaintenanceService) (Version: 41.0.1.5750 - Mozilla)
Sandboxie 4.06 (32-bit) (HKLM\...\Sandboxie) (Version: 4.06 - Sandboxie Holdings, LLC)
Spybot - Search & Destroy (HKLM\...\{B4092C6D-E886-4CB2-BA68-FE5A99D31DE7}_is1) (Version: 2.4.40 - Safer-Networking Ltd.)
VLC media player (HKLM\...\VLC media player) (Version: 2.2.1 - VideoLAN)

==================== Custom CLSID (Whitelisted): ==========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

==================== Restore Points =========================

02-09-2015 18:02:33 Scheduled Checkpoint
09-09-2015 21:02:49 Scheduled Checkpoint
17-09-2015 17:20:18 Scheduled Checkpoint
24-09-2015 21:06:02 Scheduled Checkpoint
01-10-2015 21:29:18 Scheduled Checkpoint

==================== Hosts content: ==========================

(If needed Hosts: directive could be included in the fixlist to reset Hosts.)

2009-07-13 21:04 - 2009-06-10 16:39 - 00000824 ____A C:\Windows\system32\Drivers\etc\hosts

==================== Scheduled Tasks (Whitelisted) =============

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

Task: {08AD9823-5BE4-451E-8A3B-2453186050AE} - System32\Tasks\GoogleUpdateTaskMachineUA => C:\Program Files\Google\Update\GoogleUpdate.exe [2015-08-27] (Google Inc.)
Task: {51E7EA72-7F13-451C-A4F0-8EB787A98834} - System32\Tasks\Safer-Networking\Spybot - Search and Destroy\Scan the system => C:\Program Files\Spybot - Search & Destroy 2\SDScan.exe [2014-06-24] (Safer-Networking Ltd.)
Task: {5FFD2335-5EC0-4AB4-8CD3-86A936DFACED} - System32\Tasks\Safer-Networking\Spybot - Search and Destroy\Refresh immunization => C:\Program Files\Spybot - Search & Destroy 2\SDImmunize.exe [2014-06-24] (Safer-Networking Ltd.)
Task: {B8C34CBC-35DC-4DE4-9414-9C4AAC684B11} - System32\Tasks\CCleanerSkipUAC => C:\Program Files\CCleaner\CCleaner.exe [2015-08-19] (Piriform Ltd)
Task: {BC510C08-B5B7-45C6-8E10-4369C7ADEF4E} - System32\Tasks\GoogleUpdateTaskMachineCore => C:\Program Files\Google\Update\GoogleUpdate.exe [2015-08-27] (Google Inc.)
Task: {C244040A-CD9D-4FFB-AADB-A56088BBF45D} - System32\Tasks\Adobe Flash Player Updater => C:\Windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2015-09-23] (Adobe Systems Incorporated)
Task: {D6B9AECD-45A8-4C6A-9953-063848528046} - System32\Tasks\Safer-Networking\Spybot - Search and Destroy\Check for updates => C:\Program Files\Spybot - Search & Destroy 2\SDUpdate.exe [2014-06-27] (Safer-Networking Ltd.)

(If an entry is included in the fixlist, the task (.job) file will be moved. The file which is running by the task will not be moved.)

Task: C:\Windows\Tasks\Adobe Flash Player Updater.job => C:\Windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe
Task: C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job => C:\Program Files\Google\Update\GoogleUpdate.exe
Task: C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job => C:\Program Files\Google\Update\GoogleUpdate.exe

==================== Loaded Modules (Whitelisted) ==============

2015-07-26 18:46 - 2014-05-13 12:04 - 00109400 _____ () C:\Program Files\Spybot - Search & Destroy 2\snlThirdParty150.bpl
2015-07-26 18:46 - 2014-05-13 12:04 - 00416600 _____ () C:\Program Files\Spybot - Search & Destroy 2\DEC150.bpl
2015-07-26 18:46 - 2014-05-13 12:04 - 00167768 _____ () C:\Program Files\Spybot - Search & Destroy 2\snlFileFormats150.bpl
2015-09-20 14:47 - 2012-08-23 10:38 - 00574840 _____ () C:\Program Files\Spybot - Search & Destroy 2\sqlite3.dll
2015-09-20 14:47 - 2012-04-03 17:06 - 00565640 _____ () C:\Program Files\Spybot - Search & Destroy 2\av\BDSmartDB.dll
2015-10-06 18:30 - 2015-10-06 18:30 - 00004096 _____ () C:\Windows\TEMP\~ECED.tmp.exe
2015-10-06 18:32 - 2015-10-06 18:32 - 00005120 _____ () C:\ProgramData\taskhost.exe

==================== Alternate Data Streams (Whitelisted) =========

(If an entry is included in the fixlist, only the ADS will be removed.)

AlternateDataStreams: C:\Users\user\Desktop\USDF Region 6 3rd Level Freestyle Champs Prescription and LIz.avi.aaa:TOC.WMV

==================== Safe Mode (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The "AlternateShell" value will be restored.)

==================== EXE Association (Whitelisted) ===============

(If an entry is included in the fixlist, the registry item will be restored to default or removed.)

==================== Internet Explorer trusted/restricted ===============

(If an entry is included in the fixlist, it will be removed from the registry.)

==================== Other Areas ============================

(Currently there is no automatic fix for this section.)

HKU\S-1-5-21-2083325841-3239248121-869660377-1000\Control Panel\Desktop\\Wallpaper ->
DNS Servers: 75.75.75.75 - 75.75.76.76
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System => (ConsentPromptBehaviorAdmin: 5) (ConsentPromptBehaviorUser: 3) (EnableLUA: 1)
Windows Firewall is enabled.

==================== MSCONFIG/TASK MANAGER disabled items ==

(Currently there is no automatic fix for this section.)

==================== FirewallRules (Whitelisted) ===============

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

FirewallRules: [{146EED79-38FC-46E9-B0E7-475D0F4B35B9}] => (Allow) C:\Program Files\Mozilla Firefox\firefox.exe
FirewallRules: [{7ECE3F12-8821-4161-86EE-D3595DB6DD95}] => (Allow) C:\Program Files\Mozilla Firefox\firefox.exe
FirewallRules: [{270D27C4-A42F-4EB8-BBB1-2DD1C4700592}] => (Allow) C:\Program Files\Google\Chrome\Application\chrome.exe
FirewallRules: [{13536BCF-935B-40C1-B136-CECE63D9B4A1}] => (Allow) C:\Users\user\AppData\Roaming\uTorrent\uTorrent.exe
FirewallRules: [{C2CA02A6-95B7-46B8-9CA4-942B56A8F0C7}] => (Allow) C:\Users\user\AppData\Roaming\uTorrent\uTorrent.exe
FirewallRules: [{BCF2EBC8-E806-4EC9-9FD5-2008A67E3687}] => (Allow) C:\Users\user\AppData\Roaming\uTorrent\uTorrent.exe
FirewallRules: [{260DD4DF-6237-4E59-8078-DE165E8B3040}] => (Allow) C:\Users\user\AppData\Roaming\uTorrent\uTorrent.exe
FirewallRules: [{D01181C8-43D3-409E-9535-F16252C1BE64}] => (Allow) C:\Users\user\AppData\Roaming\uTorrent\uTorrent.exe
FirewallRules: [{2AAEC011-3B36-4309-8C5A-B98483A6B455}] => (Allow) C:\Users\user\AppData\Roaming\uTorrent\uTorrent.exe
StandardProfile\AuthorizedApplications: [C:\Program Files\Spybot - Search & Destroy 2\SDTray.exe] => Enabled:Spybot - Search & Destroy tray access
StandardProfile\AuthorizedApplications: [C:\Program Files\Spybot - Search & Destroy 2\SDFSSvc.exe] => Enabled:Spybot-S&D 2 Scanner Service
StandardProfile\AuthorizedApplications: [C:\Program Files\Spybot - Search & Destroy 2\SDUpdate.exe] => Enabled:Spybot-S&D 2 Updater
StandardProfile\AuthorizedApplications: [C:\Program Files\Spybot - Search & Destroy 2\SDUpdSvc.exe] => Enabled:Spybot-S&D 2 Background update service

==================== Faulty Device Manager Devices =============

==================== Event log errors: =========================

Application errors:
==================
Error: (10/09/2015 03:04:08 PM) (Source: Application Hang) (EventID: 1002) (User: )
Description: The program uTorrent.exe version 3.4.5.41162 stopped interacting with Windows and was closed. To see if more information about the problem is available, check the problem history in the Action Center control panel.

Process ID: bec

Start Time: 01d102cd4b208838

Termination Time: 16

Application Path: C:\Users\user\AppData\Roaming\uTorrent\uTorrent.exe

Report Id: e3dacfcb-6ec0-11e5-8ff0-0016418fd44e

Error: (10/09/2015 11:19:15 AM) (Source: System Restore) (EventID: 8211) (User: )
Description: The scheduled restore point could not be created. Additional information: (0x81000101).

Error: (10/09/2015 11:19:15 AM) (Source: System Restore) (EventID: 8193) (User: )
Description: Failed to create restore point (Process = C:\Windows\system32\rundll32.exe /d srrstr.dll,ExecuteScheduledSPPCreation; Description = Scheduled Checkpoint; Error = 0x81000101).

Error: (10/02/2015 08:26:11 PM) (Source: Windows Search Service) (EventID: 7042) (User: )
Description: The Windows Search Service is being stopped because there is a problem with the indexer: The catalog is corrupt.

Details:
The content index catalog is corrupt. 0xc0041801 (0xc0041801)

Error: (10/02/2015 08:26:11 PM) (Source: Windows Search Service) (EventID: 7040) (User: )
Description: The search service has detected corrupted data files in the index {id=2350}. The service will attempt to automatically correct this problem by rebuilding the index.

Details:
The content index catalog is corrupt. 0xc0041801 (0xc0041801)

Error: (10/02/2015 12:53:50 PM) (Source: Application Hang) (EventID: 1002) (User: )
Description: The program uTorrent.exe version 3.4.5.41162 stopped interacting with Windows and was closed. To see if more information about the problem is available, check the problem history in the Action Center control panel.

Process ID: a04

Start Time: 01d0fd3a3ba624b5

Termination Time: 29

Application Path: C:\Users\user\AppData\Roaming\uTorrent\uTorrent.exe

Report Id: 86ed4303-692e-11e5-80c1-0016418fd44e

Error: (10/02/2015 12:36:22 PM) (Source: Application Hang) (EventID: 1002) (User: )
Description: The program uTorrent.exe version 3.4.5.41162 stopped interacting with Windows and was closed. To see if more information about the problem is available, check the problem history in the Action Center control panel.

Process ID: e38

Start Time: 01d0fd388b4eef10

Termination Time: 16

Application Path: C:\Users\user\AppData\Roaming\uTorrent\uTorrent.exe

Report Id: 0c491d4d-692c-11e5-80c1-0016418fd44e

Error: (10/01/2015 07:54:26 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: plugin-container.exe, version: 41.0.1.5750, time stamp: 0x560b37be
Faulting module name: mozglue.dll, version: 41.0.1.5750, time stamp: 0x560b229d
Exception code: 0x80000003
Fault offset: 0x0000ec7f
Faulting process id: 0xcd0
Faulting application start time: 0xplugin-container.exe0
Faulting application path: plugin-container.exe1
Faulting module path: plugin-container.exe2
Report Id: plugin-container.exe3

Error: (10/01/2015 07:28:28 PM) (Source: Application Hang) (EventID: 1002) (User: )
Description: The program firefox.exe version 41.0.1.5750 stopped interacting with Windows and was closed. To see if more information about the problem is available, check the problem history in the Action Center control panel.

Process ID: ec8

Start Time: 01d0fca7c91dba3b

Termination Time: 11

Application Path: C:\Program Files\Mozilla Firefox\firefox.exe

Report Id:

Error: (09/28/2015 11:53:43 AM) (Source: Application Hang) (EventID: 1002) (User: )
Description: The program firefox.exe version 41.0.0.5738 stopped interacting with Windows and was closed. To see if more information about the problem is available, check the problem history in the Action Center control panel.

Process ID: 630

Start Time: 01d0f97f6c5a0d22

Termination Time: 34

Application Path: C:\Program Files\Mozilla Firefox\firefox.exe

Report Id: 77bd087d-6601-11e5-bc43-0016418fd44e

System errors:
=============
Error: (10/09/2015 07:12:52 PM) (Source: NetBT) (EventID: 4321) (User: )
Description: The name "USER-PC :0" could not be registered on the interface with IP address 192.168.0.3.
The computer with the IP address 192.168.0.2 did not allow the name to be claimed by
this computer.

Error: (10/09/2015 07:08:42 PM) (Source: NetBT) (EventID: 4321) (User: )
Description: The name "USER-PC :0" could not be registered on the interface with IP address 192.168.0.3.
The computer with the IP address 192.168.0.2 did not allow the name to be claimed by
this computer.

Error: (10/09/2015 07:08:42 PM) (Source: NetBT) (EventID: 4321) (User: )
Description: The name "USER-PC :20" could not be registered on the interface with IP address 192.168.0.3.
The computer with the IP address 192.168.0.2 did not allow the name to be claimed by
this computer.

Error: (10/09/2015 07:08:42 PM) (Source: Server) (EventID: 2505) (User: )
Description: The server could not bind to the transport \Device\NetBT_Tcpip_{6C1E3C77-1C84-43C7-8007-77C8B6A57208} because another computer on the network has the same name. The server could not start.

Error: (10/08/2015 04:29:28 PM) (Source: NetBT) (EventID: 4321) (User: )
Description: The name "USER-PC :0" could not be registered on the interface with IP address 192.168.0.3.
The computer with the IP address 192.168.0.2 did not allow the name to be claimed by
this computer.

Error: (10/08/2015 04:29:27 PM) (Source: NetBT) (EventID: 4321) (User: )
Description: The name "USER-PC :20" could not be registered on the interface with IP address 192.168.0.3.
The computer with the IP address 192.168.0.2 did not allow the name to be claimed by
this computer.

Error: (10/08/2015 04:29:27 PM) (Source: Server) (EventID: 2505) (User: )
Description: The server could not bind to the transport \Device\NetBT_Tcpip_{6C1E3C77-1C84-43C7-8007-77C8B6A57208} because another computer on the network has the same name. The server could not start.

Error: (10/07/2015 03:44:48 PM) (Source: NetBT) (EventID: 4321) (User: )
Description: The name "USER-PC :20" could not be registered on the interface with IP address 192.168.0.3.
The computer with the IP address 192.168.0.2 did not allow the name to be claimed by
this computer.

Error: (10/07/2015 03:44:48 PM) (Source: Server) (EventID: 2505) (User: )
Description: The server could not bind to the transport \Device\NetBT_Tcpip_{6C1E3C77-1C84-43C7-8007-77C8B6A57208} because another computer on the network has the same name. The server could not start.

Error: (10/06/2015 09:34:47 PM) (Source: NetBT) (EventID: 4321) (User: )
Description: The name "USER-PC :0" could not be registered on the interface with IP address 192.168.0.3.
The computer with the IP address 192.168.0.2 did not allow the name to be claimed by
this computer.

==================== Memory info ===========================

Processor: Intel(R) Core(TM)2 Duo CPU T7300 @ 2.00GHz
Percentage of memory in use: 73%
Total physical RAM: 2037.97 MB
Available physical RAM: 544.35 MB
Total Virtual: 4075.95 MB
Available Virtual: 2649.18 MB

==================== Drives ================================

Drive c: () (Fixed) (Total:298.09 GB) (Free:254.68 GB) NTFS ==>[drive with boot components (obtained from BCD)]

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (MBR Code: Windows XP) (Size: 298.1 GB) (Disk ID: B848D491)
Partition 1: (Active) - (Size=298.1 GB) - (Type=07 NTFS)

==================== End of Addition.txt ============================

My computer is running very slow and is not opening programs that it used to. It will not let me run spybot and it wont let me run ASWMBR. exe
Please help.

Juliet · Oct 11, 2015

P2P Warning

------------------------------
I see you have peer-to-peer (P2P) file sharing software installed on your computer (uTorrent). I advise you avoid P2P file sharing programmes; they are a security risk which can make your computer susceptible to malware. File sharing networks are thoroughly infected and infested with malware - worms, backdoor Trojans, IRCBots, and rootkits propagate via P2P file sharing networks, gaming, and underground sites. Users visiting such pages may see innocuous-looking banner ads containing code which can trigger pop-up ads and malicious Flash ads that install viruses, Trojans, and spyware. The best way to reduce the risk of infection is to avoid these types of web sites and not use P2P applications. Please read the following articles for more information.

Your P2P software can be removed by following the instructions below.

Press the Windows Key

+ r on your keyboard at the same time. Type appwiz.cpl and click OK.
Search for the aforementioned programme(s), right-click and click Uninstall.

If you choose not to, please refrain from using the programme(s) during this process.

~~~~~~~~~~~~`

If you can download these next tools to desktop, and then have problems ttrying to get them to run, please boot into safe mode and try again.

Download Malwarebytes' Anti-Malware TO YOUR DESKTOP

Windows XP : Double click on the icon to run it.
Windows Vista, Windows 7 & 8 : Right click and select "Run as Administrator"
On the Dashboard click on Update Now
Go to the Setting Tab
Under Setting go to Detection and Protection
Under PUP and PUM make sure both are set to show Treat Detections as Malware
Go to Advanced setting and make sure Automatically Quarantine Detected Items is checked
Then on the Dashboard click on Scan
Make sure to select THREAT SCAN
Then click on Scan
When the scan is finished and the log pops up...select Copy to Clipboard
Please paste the log back into this thread for review
Exit Malwarebytes

1. Open up Malwarebytes and you will be on the Dashboard
2. Click on the History Tab
3. Then click on Application Logs
4. Double click on the SCAN LOG (Not Protection Log ) you just ran
5. When it opens it will look like this

~~~~~~~~~~

AdwCleaner

Please download AdwCleaner and save the file to your Desktop.
Right-Click AdwCleaner.exe and select
Run as administrator to run the programme.
Follow the prompts.
Click Scan.
Upon completion, click Report. A log (AdwCleaner[SX].txt) will open. Briefly check the log for anything you know to be legitimate.
Ensure anything you know to be legitimate does not have a checkmark, and click Clean.
Follow the prompts and allow your computer to reboot.
After rebooting, a log (AdwCleaner[SX].txt) will open. Copy the contents of the log and paste in your next reply.

-- File and registry key backups are made for anything removed using this tool. Should a legitimate entry be removed (otherwise known as a 'false-positive'), simple steps can be taken to restore the entry. Please do not overly concern yourself with the contents of AdwCleaner[R0].txt.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Please download Junkware Removal Tool
or from here http://downloads.malwarebytes.org/file/jrt
to your desktop.

Shut down your protection software now to avoid potential conflicts.
Run the tool by double-clicking it. If you are using Windows Vista, 7, or 8; instead of double-clicking, right-mouse click JRT.exe and select "Run as Administrator".
The tool will open and start scanning your system.
Please be patient as this can take a while to complete depending on your system's specifications.
On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
Post the contents of JRT.txt into your next message.

please post
MalwareBytes log
AdwCleaner[CX].txt
JRT.txt

Red_Earth · Oct 12, 2015

okay, understood.

Utorrent had already been uninstalled by the time I had started this thread, but to be sure, I followed the instructions for removing Utorrent, and it did not appear as an option for uninstall. I have the .exe for malwarebytes, and one of the problems is I cannot get it to run. I also cannot get spybot to run scan. I have run the adwCleaner, and the results follow. (although I did not see a report button, this is the log it gave me.)

# AdwCleaner v5.013 - Logfile created 12/10/2015 at 14:03:00
# Updated 09/10/2015 by Xplode
# Database : 2015-10-09.3 [Server]
# Operating system : Windows 7 Ultimate (x86)
# Username : user - USER-PC
# Running from : C:\Users\user\Downloads\AdwCleaner.exe
# Option : Cleaning
# Support : http://toolslib.net/forum

***** [ Services ] *****

***** [ Folders ] *****

***** [ Files ] *****

[-] File Deleted : C:\ProgramData\VjcYNwLhFDE6.dll
[-] File Deleted : C:\users\user\AppData\Roaming\Mozilla\Firefox\Profiles\vk605143.default\searchplugins\ask-web-search.xml

***** [ DLLs ] *****

***** [ Shortcuts ] *****

***** [ Scheduled tasks ] *****

***** [ Registry ] *****

[-] Key Deleted : HKLM\SOFTWARE\Classes\protector_dll.protectorbho
[-] Key Deleted : HKLM\SOFTWARE\Classes\protector_dll.protectorbho.1

***** [ Web browsers ] *****

[-] [C:\users\user\AppData\Roaming\Mozilla\Firefox\Profiles\vk605143.default\prefs.js] [Preference] Deleted : user_pref("browser.search.defaultenginename", "Ask Web Search");
[-] [C:\users\user\AppData\Roaming\Mozilla\Firefox\Profiles\vk605143.default\prefs.js] [Preference] Deleted : user_pref("browser.search.selectedEngine", "Ask Web Search");
[-] [C:\users\user\AppData\Roaming\Mozilla\Firefox\Profiles\vk605143.default\prefs.js] [Preference] Deleted : user_pref("browser.startup.homepage", "hxxp://home.tb.ask.com/index.jhtml?ptb=5511A651-82A3-4CC4-907D-C555A1F8DFCE&n=781b8b1b&p2=^ZX^foxyyy^YYA^us");
[-] [C:\users\user\AppData\Roaming\Mozilla\Firefox\Profiles\vk605143.default\prefs.js] [Preference] Deleted : user_pref("extensions.toolbar.mindspark.hp.enabled", false);
[-] [C:\users\user\AppData\Roaming\Mozilla\Firefox\Profiles\vk605143.default\prefs.js] [Preference] Deleted : user_pref("extensions.toolbar.mindspark.hp.enabled.guid", "");
[-] [C:\users\user\AppData\Roaming\Mozilla\Firefox\Profiles\vk605143.default\prefs.js] [Preference] Deleted : user_pref("extensions.toolbar.mindspark.lastInstalled", "radiorage@mindspark.com");
[-] [C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data] [Search Provider] Deleted : aol.com
[-] [C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data] [Search Provider] Deleted : ask.com

*************************

:: Winsock settings cleared

########## EOF - C:\AdwCleaner\AdwCleaner[C1].txt - [2318 bytes] ##########

junkware reprt will follow

Red_Earth · Oct 12, 2015

failed

I could not run the JRT file, even as administrator. It says nothing; it just doesn'topen or run.

Juliet · Oct 12, 2015

By chance did you try safe mode?

Could be your computers onboard protection is interring.

Turn Windows Defender on or off
http://windows.microsoft.com/en-us/...on-off#turn-windows-defender-on-off=windows-7
~~~~~~~~~~~~

I want you to find FRST.txt and Addition.txt (from previous run) and send or drag them to the recycle bin.

~~~~~~~~~~~~`

Right-Click FRST.exe / FRST64.exe and select

Run as administrator to run the programme.
Click Yes to the disclaimer.
Ensure the Addition.txt box is checked.
Click the Scan button and let the programme run.
Upon completion, click OK, then OK on the Addition.txt pop up screen.
Two logs (FRST.txt & Addition.txt) will now be open on your Desktop. Copy the contents of both logs and paste in your next reply.

Red_Earth · Oct 12, 2015

safe mode isnt allowing me either

I open in safe mode and malwarebytes and JRT wont run and spybot wont do a scan. also windows defender will not allow me to select tools. it wont highlight as an option. It also wont update. Here is my new FRST logs though.

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version:12-10-2015
Ran by user (administrator) on USER-PC (12-10-2015 17:30:22)
Running from C:\Users\user\Desktop
Loaded Profiles: user (Available Profiles: user)
Platform: Microsoft Windows 7 Ultimate (X86) Language: English (United States)
Internet Explorer Version 8 (Default browser: FF)
Boot Mode: Safe Mode (with Networking)
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(Mozilla Corporation) C:\Program Files\Mozilla Firefox\firefox.exe

==================== Registry (Whitelisted) ===========================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [SDTray] => C:\Program Files\Spybot - Search & Destroy 2\SDTray.exe [4101576 2014-06-24] (Safer-Networking Ltd.)
HKLM\...\Run: [VjcYNwLhFDE6] => regsvr32.exe /s "C:\PROGRA~2\VjcYNwLhFDE6.dll"
HKLM\...\Run: [Chrome] => C:\ProgramData\taskhost.exe [5120 2015-10-06] ()
Winlogon\Notify\SDWinLogon: SDWinLogon.dll [X]
HKU\S-1-5-21-2083325841-3239248121-869660377-1000\...\Run: [SandboxieControl] => C:\Program Files\Sandboxie\SbieCtrl.exe [543432 2013-10-16] (Sandboxie Holdings, LLC)
HKU\S-1-5-21-2083325841-3239248121-869660377-1000\...\Run: [CCleaner Monitoring] => C:\Program Files\CCleaner\CCleaner.exe [6490904 2015-08-19] (Piriform Ltd)
HKU\S-1-5-21-2083325841-3239248121-869660377-1000\...\Run: [SpybotPostWindows10UpgradeReInstall] => C:\Program Files\Common Files\AV\Spybot - Search and Destroy\Test.exe [1011200 2015-07-28] (Safer-Networking Ltd.)
HKU\S-1-5-21-2083325841-3239248121-869660377-1000\...\Run: [Chrome] => C:\ProgramData\taskhost.exe [5120 2015-10-06] ()
HKU\S-1-5-18\...\Run: [Chrome] => C:\ProgramData\taskhost.exe [5120 2015-10-06] ()
Startup: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\restore_files_mkkgj.html [2015-08-22] ()
Startup: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\restore_files_mkkgj.txt [2015-08-22] ()
Startup: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\restore_files_qnhwg.html [2015-08-22] ()
Startup: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\restore_files_qnhwg.txt [2015-08-22] ()
BootExecute: autocheck autochk * sdnclean.exe

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

Tcpip\Parameters: [DhcpNameServer] 75.75.75.75 75.75.76.76
Tcpip\..\Interfaces\{20396C80-FAE6-446D-A19D-054238E5CE4E}: [DhcpNameServer] 75.75.75.75 75.75.76.76
Tcpip\..\Interfaces\{6C1E3C77-1C84-43C7-8007-77C8B6A57208}: [DhcpNameServer] 75.75.75.75 75.75.76.76

Internet Explorer:
==================
HKU\S-1-5-21-2083325841-3239248121-869660377-1000\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = hxxp://www.msn.com/?ocid=iehp
BHO: Google Toolbar Helper -> {AA58ED58-01DD-4d91-8333-CF10577473F7} -> C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll [2015-09-23] (Google Inc.)
Toolbar: HKLM - Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll [2015-09-23] (Google Inc.)
Toolbar: HKU\S-1-5-21-2083325841-3239248121-869660377-1000 -> Google Toolbar - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll [2015-09-23] (Google Inc.)

FireFox:
========
FF ProfilePath: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\vk605143.default
FF Homepage: hxxps://www.google.com/?gws_rd=ssl
FF Plugin: @adobe.com/FlashPlayer -> C:\Windows\system32\Macromed\Flash\NPSWF32_19_0_0_185.dll [2015-09-23] ()
FF Plugin: @tools.google.com/Google Update;version=3 -> C:\Program Files\Google\Update\1.3.28.15\npGoogleUpdate3.dll [2015-09-19] (Google Inc.)
FF Plugin: @tools.google.com/Google Update;version=9 -> C:\Program Files\Google\Update\1.3.28.15\npGoogleUpdate3.dll [2015-09-19] (Google Inc.)
FF Plugin: @videolan.org/vlc,version=2.2.1 -> C:\Program Files\VideoLAN\VLC\npvlc.dll [2015-04-13] (VideoLAN)
FF SearchPlugin: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\vk605143.default\searchplugins\restore_files_mkkgj.html [2015-08-22]
FF SearchPlugin: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\vk605143.default\searchplugins\restore_files_mkkgj.txt [2015-08-22]
FF SearchPlugin: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\vk605143.default\searchplugins\restore_files_qnhwg.html [2015-08-22]
FF SearchPlugin: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\vk605143.default\searchplugins\restore_files_qnhwg.txt [2015-08-22]
FF Extension: Ghostery - C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\vk605143.default\Extensions\firefox@ghostery.com.xpi [2015-05-16]

Chrome:
=======
CHR HomePage: Default -> hxxp://www.google.com/
CHR StartupUrls: Default -> "hxxp://www.google.com/"
CHR Profile: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default
CHR Extension: (Google Slides) - C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek [2015-05-31]
CHR Extension: (Google Docs) - C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake [2015-05-31]
CHR Extension: (Google Drive) - C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2015-05-31]
CHR Extension: (YouTube) - C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2015-05-31]
CHR Extension: (Google Search) - C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf [2015-05-31]
CHR Extension: (Google Sheets) - C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap [2015-05-31]
CHR Extension: (Google Docs Offline) - C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi [2015-09-27]
CHR Extension: (Chrome Hotword Shared Module) - C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\lccekmodgklaepjeofjdjpbminllajkg [2015-05-31]
CHR Extension: (Chrome Web Store Payments) - C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2015-05-31]
CHR Extension: (Gmail) - C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2015-05-31]

==================== Services (Whitelisted) ========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

S2 SbieSvc; C:\Program Files\Sandboxie\SbieSvc.exe [130248 2013-10-16] (Sandboxie Holdings, LLC)
S2 SDScannerService; C:\Program Files\Spybot - Search & Destroy 2\SDFSSvc.exe [1738168 2014-06-24] (Safer-Networking Ltd.)
S2 SDUpdateService; C:\Program Files\Spybot - Search & Destroy 2\SDUpdSvc.exe [2088408 2014-06-27] (Safer-Networking Ltd.)
S2 SDWSCService; C:\Program Files\Spybot - Search & Destroy 2\SDWSCSvc.exe [171928 2014-04-25] (Safer-Networking Ltd.)
R2 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [680960 2009-07-13] (Microsoft Corporation)

===================== Drivers (Whitelisted) ==========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

S3 SbieDrv; C:\Program Files\Sandboxie\SbieDrv.sys [159840 2013-10-16] (Sandboxie Holdings, LLC)

==================== NetSvcs (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

==================== One Month Created files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2015-10-12 17:30 - 2015-10-12 17:30 - 00008187 _____ C:\Users\user\Desktop\FRST.txt
2015-10-12 17:29 - 2015-10-12 17:29 - 01699840 _____ (Farbar) C:\Users\user\Desktop\FRST.exe
2015-10-12 17:29 - 2015-10-12 17:29 - 00000000 ____D C:\Users\user\Desktop\FRST-OlderVersion
2015-10-12 17:27 - 2015-10-12 17:28 - 00003355 _____ C:\Windows\system32\DB3841779606
2015-10-12 17:26 - 2015-10-12 17:26 - 00000640 _____ C:\Users\user\Desktop\AdwCleaner[S3].txt
2015-10-12 14:31 - 2015-10-12 14:31 - 01801288 _____ (Malwarebytes) C:\Users\user\Desktop\JRT.exe
2015-10-12 13:59 - 2015-10-12 17:25 - 00000000 ____D C:\AdwCleaner
2015-10-12 13:59 - 2015-10-12 13:59 - 01682432 _____ C:\Users\user\Desktop\AdwCleaner.exe
2015-10-10 18:34 - 2015-10-12 14:04 - 00000168 _____ C:\Windows\setupact.log
2015-10-10 18:34 - 2015-10-10 18:34 - 00000000 _____ C:\Windows\setuperr.log
2015-10-10 15:20 - 2015-10-10 15:20 - 00000000 ____D C:\Users\user\Documents\ProcAlyzer Dumps
2015-10-10 13:10 - 2015-10-12 17:20 - 00017595 _____ C:\Windows\WindowsUpdate.log
2015-10-09 20:42 - 2015-10-09 20:42 - 00000355 _____ C:\Users\user\Desktop\Computer - Shortcut.lnk
2015-10-09 20:41 - 2015-10-09 20:53 - 00000000 ____D C:\Users\user\Desktop\flac
2015-10-09 20:10 - 2015-10-09 20:10 - 00000207 _____ C:\Windows\tweaking.com-regbackup-USER-PC-Windows-7-Ultimate-(32-bit).dat
2015-10-09 20:10 - 2015-10-09 20:10 - 00000000 ____D C:\RegBackup
2015-10-09 19:38 - 2015-10-09 19:38 - 05200384 _____ (AVAST Software) C:\Users\user\Downloads\aswmbr (2).exe
2015-10-09 19:27 - 2015-10-09 19:27 - 00002181 _____ C:\Users\Public\Desktop\Tweaking.com - Registry Backup.lnk
2015-10-09 19:27 - 2015-10-09 19:27 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Tweaking.com
2015-10-09 19:26 - 2015-10-09 19:26 - 04687448 _____ (Tweaking.com) C:\Users\user\Downloads\tweaking.com_registry_backup_setup.exe
2015-10-09 19:26 - 2015-10-09 19:26 - 00000000 ____D C:\Program Files\Tweaking.com
2015-10-09 19:20 - 2015-10-09 19:20 - 05200384 _____ (AVAST Software) C:\Users\user\Downloads\aswmbr (1).exe
2015-10-09 19:17 - 2015-10-09 19:18 - 05200384 _____ (AVAST Software) C:\Users\user\Downloads\aswmbr.exe
2015-10-09 19:15 - 2015-10-09 19:15 - 00017372 _____ C:\Users\user\Downloads\Addition.txt
2015-10-09 19:14 - 2015-10-09 19:15 - 00018107 _____ C:\Users\user\Downloads\FRST.txt
2015-10-09 19:14 - 2015-10-09 19:14 - 00000000 ____D C:\Users\user\Downloads\FRST-OlderVersion
2015-10-09 19:13 - 2015-10-12 17:30 - 00000000 ____D C:\FRST
2015-10-09 19:13 - 2015-10-09 19:14 - 01698304 _____ (Farbar) C:\Users\user\Downloads\FRST.exe
2015-10-09 14:59 - 2015-10-09 14:59 - 01822048 _____ (BitTorrent Inc.) C:\Users\user\Downloads\uTorrent (1).exe
2015-10-06 18:32 - 2015-10-06 18:32 - 00005120 _____ C:\ProgramData\taskhost.exe
2015-10-02 12:33 - 2015-10-02 12:33 - 01821536 _____ (BitTorrent Inc.) C:\Users\user\Downloads\uTorrent(1).exe
2015-10-02 12:28 - 2015-10-09 15:07 - 00000000 ____D C:\Users\user\AppData\LocalLow\uTorrent
2015-10-02 12:26 - 2015-10-02 12:27 - 01821536 _____ (BitTorrent Inc.) C:\Users\user\Downloads\uTorrent.exe
2015-09-30 21:31 - 2015-10-02 06:56 - 00000000 ____D C:\Program Files\Mozilla Firefox
2015-09-20 14:54 - 2015-09-20 14:54 - 00000000 ____D C:\Program Files\Common Files\AV
2015-09-20 14:54 - 2015-07-28 17:52 - 00821920 _____ (Safer-Networking Ltd. ) C:\Users\Public\Desktop\Post Win10 Spybot-install.exe
2015-09-20 14:47 - 2015-10-10 15:27 - 00002119 _____ C:\Users\Public\Desktop\Spybot-S&D Start Center.lnk
2015-09-20 14:47 - 2015-09-20 14:47 - 00002131 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Spybot-S&D Start Center.lnk
2015-09-20 14:47 - 2015-09-20 14:47 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Spybot - Search & Destroy 2
2015-09-20 14:47 - 2013-09-20 10:49 - 00018968 _____ (Safer Networking Limited) C:\Windows\system32\sdnclean.exe
2015-09-20 14:34 - 2015-09-20 14:37 - 46525608 _____ (Safer-Networking Ltd. ) C:\Users\user\Downloads\spybot-2.4.exe
2015-09-20 14:03 - 2015-09-20 14:03 - 00000965 _____ C:\Users\Public\Desktop\CCleaner.lnk
2015-09-20 14:03 - 2015-09-20 14:03 - 00000000 ____D C:\Program Files\CCleaner
2015-09-20 14:02 - 2015-09-20 14:03 - 06667640 _____ (Piriform Ltd) C:\Users\user\Downloads\ccsetup509.exe

==================== One Month Modified files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2015-10-12 17:20 - 2009-07-13 23:34 - 00013776 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2015-10-12 17:20 - 2009-07-13 23:34 - 00013776 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2015-10-12 17:02 - 2015-05-18 19:08 - 00000886 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2015-10-12 17:02 - 2015-05-18 19:08 - 00000882 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2015-10-12 17:02 - 2015-05-16 16:59 - 00000830 _____ C:\Windows\Tasks\Adobe Flash Player Updater.job
2015-10-12 14:04 - 2009-07-13 23:53 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2015-10-11 11:41 - 2015-08-25 06:42 - 03620460 _____ C:\Windows\system32\CFG3841779606
2015-10-11 08:29 - 2014-02-21 00:58 - 00001536 _____ C:\Windows\Sandboxie.ini
2015-10-10 15:26 - 2015-07-26 18:46 - 00000000 ____D C:\ProgramData\Spybot - Search & Destroy
2015-10-09 15:04 - 2015-05-31 20:38 - 00000000 ____D C:\Users\user\AppData\Roaming\vlc
2015-10-05 16:57 - 2015-07-22 07:03 - 00000000 ____D C:\Windows\Minidump
2015-10-05 14:45 - 2013-12-02 23:58 - 00713888 _____ C:\Windows\system32\PerfStringBackup.INI
2015-10-04 15:53 - 2015-08-31 19:45 - 00000000 ____D C:\Users\user\AppData\Roaming\tor
2015-10-02 06:56 - 2014-02-21 00:48 - 00000000 ____D C:\Program Files\Mozilla Maintenance Service
2015-09-27 14:35 - 2015-05-18 19:08 - 00002129 _____ C:\Users\Public\Desktop\Google Chrome.lnk
2015-09-23 06:48 - 2015-08-23 11:02 - 18819272 _____ (Adobe Systems Incorporated) C:\Windows\system32\FlashPlayerInstaller.exe
2015-09-23 06:48 - 2015-05-16 16:59 - 00780488 _____ (Adobe Systems Incorporated) C:\Windows\system32\FlashPlayerApp.exe
2015-09-23 06:48 - 2015-05-16 16:59 - 00142536 _____ (Adobe Systems Incorporated) C:\Windows\system32\FlashPlayerCPLApp.cpl
2015-09-20 14:54 - 2015-07-26 18:46 - 00000000 ____D C:\Program Files\Spybot - Search & Destroy 2
2015-09-20 14:03 - 2015-07-26 18:42 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\CCleaner
2015-09-19 18:08 - 2009-07-13 21:37 - 00000000 ____D C:\Windows\system32\wfp
2015-09-19 18:08 - 2009-07-13 21:37 - 00000000 ____D C:\Windows\system32\NDF
2015-09-19 18:07 - 2015-05-18 19:08 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome
2015-09-19 18:07 - 2015-05-18 19:07 - 00000000 ____D C:\Users\user\AppData\Local\Google
2015-09-19 18:07 - 2009-07-13 21:37 - 00000000 ____D C:\Windows\registration
2015-09-19 18:07 - 2009-07-13 21:37 - 00000000 ____D C:\Windows\AppCompat

==================== Files in the root of some directories =======

2015-08-22 16:45 - 2015-08-22 16:45 - 0005081 _____ () C:\Users\user\AppData\Roaming\restore_files_mkkgj.html
2015-08-22 16:45 - 2015-08-22 16:45 - 0002253 _____ () C:\Users\user\AppData\Roaming\restore_files_mkkgj.txt
2015-08-22 07:05 - 2015-08-22 07:05 - 0003822 _____ () C:\Users\user\AppData\Roaming\restore_files_qnhwg.html
2015-08-22 07:05 - 2015-08-22 07:05 - 0002170 _____ () C:\Users\user\AppData\Roaming\restore_files_qnhwg.txt
2015-08-23 09:12 - 2015-08-23 09:12 - 0003822 _____ () C:\Users\user\AppData\Local\restore_files_bjvdg.html
2015-08-23 09:12 - 2015-08-23 09:12 - 0002170 _____ () C:\Users\user\AppData\Local\restore_files_bjvdg.txt
2015-08-23 08:41 - 2015-08-23 08:41 - 0003822 _____ () C:\Users\user\AppData\Local\restore_files_hvdux.html
2015-08-23 08:41 - 2015-08-23 08:41 - 0002170 _____ () C:\Users\user\AppData\Local\restore_files_hvdux.txt
2015-08-22 16:29 - 2015-08-22 16:43 - 0005081 _____ () C:\Users\user\AppData\Local\restore_files_mkkgj.html
2015-08-22 16:29 - 2015-08-22 16:43 - 0002253 _____ () C:\Users\user\AppData\Local\restore_files_mkkgj.txt
2015-08-22 06:48 - 2015-08-22 07:01 - 0003822 _____ () C:\Users\user\AppData\Local\restore_files_qnhwg.html
2015-08-22 06:48 - 2015-08-22 07:01 - 0002170 _____ () C:\Users\user\AppData\Local\restore_files_qnhwg.txt
2015-08-23 09:02 - 2015-08-23 09:03 - 0429427 _____ (Boxer Software) C:\ProgramData\716C5D6A.EX
2015-08-23 09:10 - 2015-08-23 09:12 - 0003822 _____ () C:\ProgramData\restore_files_bjvdg.html
2015-08-23 09:10 - 2015-08-23 09:12 - 0002170 _____ () C:\ProgramData\restore_files_bjvdg.txt
2015-08-23 10:02 - 2015-08-23 10:03 - 0003822 _____ () C:\ProgramData\restore_files_fmlub.html
2015-08-23 10:02 - 2015-08-23 10:03 - 0002170 _____ () C:\ProgramData\restore_files_fmlub.txt
2015-08-23 08:39 - 2015-08-23 08:41 - 0003822 _____ () C:\ProgramData\restore_files_hvdux.html
2015-08-23 08:39 - 2015-08-23 08:41 - 0002170 _____ () C:\ProgramData\restore_files_hvdux.txt
2015-08-22 16:29 - 2015-08-22 16:29 - 0005081 _____ () C:\ProgramData\restore_files_mkkgj.html
2015-08-22 16:29 - 2015-08-22 16:29 - 0002253 _____ () C:\ProgramData\restore_files_mkkgj.txt
2015-08-22 06:46 - 2015-08-22 06:48 - 0003822 _____ () C:\ProgramData\restore_files_qnhwg.html
2015-08-22 06:46 - 2015-08-22 06:48 - 0002170 _____ () C:\ProgramData\restore_files_qnhwg.txt
2015-08-23 10:01 - 2015-08-23 10:01 - 0003822 _____ () C:\ProgramData\restore_files_swkdn.html
2015-08-23 10:01 - 2015-08-23 10:01 - 0002170 _____ () C:\ProgramData\restore_files_swkdn.txt
2015-10-06 18:32 - 2015-10-06 18:32 - 0005120 _____ () C:\ProgramData\taskhost.exe

Files to move or delete:
====================
C:\ProgramData\taskhost.exe

==================== Bamital & volsnap =================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\explorer.exe => File is digitally signed
C:\Windows\system32\winlogon.exe => File is digitally signed
C:\Windows\system32\wininit.exe => File is digitally signed
C:\Windows\system32\svchost.exe => File is digitally signed
C:\Windows\system32\services.exe => File is digitally signed
C:\Windows\system32\User32.dll => File is digitally signed
C:\Windows\system32\userinit.exe => File is digitally signed
C:\Windows\system32\rpcss.dll => File is digitally signed
C:\Windows\system32\dnsapi.dll => File is digitally signed
C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed

LastRegBack: 2015-10-12 13:47

==================== End of FRST.txt ============================

Additional scan result of Farbar Recovery Scan Tool (x86) Version:12-10-2015
Ran by user (2015-10-12 17:30:59)
Running from C:\Users\user\Desktop
Microsoft Windows 7 Ultimate (X86) (2013-12-03 04:56:25)
Boot Mode: Safe Mode (with Networking)
==========================================================

==================== Accounts: =============================

Administrator (S-1-5-21-2083325841-3239248121-869660377-500 - Administrator - Disabled)
Guest (S-1-5-21-2083325841-3239248121-869660377-501 - Limited - Disabled)
user (S-1-5-21-2083325841-3239248121-869660377-1000 - Administrator - Enabled) => C:\Users\user

==================== Security Center ========================

(If an entry is included in the fixlist, it will be removed.)

AS: Windows Defender (Enabled - Out of date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
AS: Spybot - Search and Destroy (Enabled - Up to date) {9BC38DF1-3CCA-732D-A930-C1CA5F20A4B0}

==================== Installed Programs ======================

(Only the adware programs with "Hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)

Adobe Flash Player 19 ActiveX (HKLM\...\Adobe Flash Player ActiveX) (Version: 19.0.0.185 - Adobe Systems Incorporated)
Adobe Flash Player 19 NPAPI (HKLM\...\Adobe Flash Player NPAPI) (Version: 19.0.0.185 - Adobe Systems Incorporated)
Audacity 2.1.0 (HKLM\...\Audacity_is1) (Version: 2.1.0 - Audacity Team)
CCleaner (HKLM\...\CCleaner) (Version: 5.09 - Piriform)
FlashCut CNC 3 (HKLM\...\{3D977399-5981-462B-A47E-7EA6DF472C84}) (Version: 3.0.7991 - )
Google Chrome (HKLM\...\Google Chrome) (Version: 45.0.2454.101 - Google Inc.)
Google Toolbar for Internet Explorer (HKLM\...\{2318C2B1-4965-11d4-9B18-009027A5CD4F}) (Version: 7.5.6904.2028 - Google Inc.)
Google Toolbar for Internet Explorer (Version: 1.0.0 - Google Inc.) Hidden
Google Update Helper (Version: 1.3.24.7 - Google Inc.) Hidden
Google Update Helper (Version: 1.3.28.15 - Google Inc.) Hidden
Mozilla Firefox 41.0.1 (x86 en-US) (HKLM\...\Mozilla Firefox 41.0.1 (x86 en-US)) (Version: 41.0.1 - Mozilla)
Mozilla Maintenance Service (HKLM\...\MozillaMaintenanceService) (Version: 41.0.1.5750 - Mozilla)
Sandboxie 4.06 (32-bit) (HKLM\...\Sandboxie) (Version: 4.06 - Sandboxie Holdings, LLC)
Spybot - Search & Destroy (HKLM\...\{B4092C6D-E886-4CB2-BA68-FE5A99D31DE7}_is1) (Version: 2.4.40 - Safer-Networking Ltd.)
Tweaking.com - Registry Backup (HKLM\...\Tweaking.com - Registry Backup) (Version: 3.2.2 - Tweaking.com)
VLC media player (HKLM\...\VLC media player) (Version: 2.2.1 - VideoLAN)

==================== Custom CLSID (Whitelisted): ==========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

==================== Restore Points =========================

17-09-2015 17:20:18 Scheduled Checkpoint
24-09-2015 21:06:02 Scheduled Checkpoint
01-10-2015 21:29:18 Scheduled Checkpoint
10-10-2015 03:26:41 Scheduled Checkpoint

==================== Hosts content: ===============================

(If needed Hosts: directive could be included in the fixlist to reset Hosts.)

2009-07-13 21:04 - 2009-06-10 16:39 - 00000824 ____A C:\Windows\system32\Drivers\etc\hosts

==================== Scheduled Tasks (Whitelisted) =============

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

Task: {08AD9823-5BE4-451E-8A3B-2453186050AE} - System32\Tasks\GoogleUpdateTaskMachineUA => C:\Program Files\Google\Update\GoogleUpdate.exe [2015-08-27] (Google Inc.)
Task: {51E7EA72-7F13-451C-A4F0-8EB787A98834} - System32\Tasks\Safer-Networking\Spybot - Search and Destroy\Scan the system => C:\Program Files\Spybot - Search & Destroy 2\SDScan.exe [2014-06-24] (Safer-Networking Ltd.)
Task: {5FFD2335-5EC0-4AB4-8CD3-86A936DFACED} - System32\Tasks\Safer-Networking\Spybot - Search and Destroy\Refresh immunization => C:\Program Files\Spybot - Search & Destroy 2\SDImmunize.exe [2014-06-24] (Safer-Networking Ltd.)
Task: {B8C34CBC-35DC-4DE4-9414-9C4AAC684B11} - System32\Tasks\CCleanerSkipUAC => C:\Program Files\CCleaner\CCleaner.exe [2015-08-19] (Piriform Ltd)
Task: {BC510C08-B5B7-45C6-8E10-4369C7ADEF4E} - System32\Tasks\GoogleUpdateTaskMachineCore => C:\Program Files\Google\Update\GoogleUpdate.exe [2015-08-27] (Google Inc.)
Task: {C244040A-CD9D-4FFB-AADB-A56088BBF45D} - System32\Tasks\Adobe Flash Player Updater => C:\Windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2015-09-23] (Adobe Systems Incorporated)
Task: {D6B9AECD-45A8-4C6A-9953-063848528046} - System32\Tasks\Safer-Networking\Spybot - Search and Destroy\Check for updates => C:\Program Files\Spybot - Search & Destroy 2\SDUpdate.exe [2014-06-27] (Safer-Networking Ltd.)

(If an entry is included in the fixlist, the task (.job) file will be moved. The file which is running by the task will not be moved.)

Task: C:\Windows\Tasks\Adobe Flash Player Updater.job => C:\Windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe
Task: C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job => C:\Program Files\Google\Update\GoogleUpdate.exe
Task: C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job => C:\Program Files\Google\Update\GoogleUpdate.exe

==================== Loaded Modules (Whitelisted) ==============

2015-07-26 18:46 - 2014-05-13 12:04 - 00109400 _____ () C:\Program Files\Spybot - Search & Destroy 2\snlThirdParty150.bpl
2015-07-26 18:46 - 2014-05-13 12:04 - 00416600 _____ () C:\Program Files\Spybot - Search & Destroy 2\DEC150.bpl

==================== Alternate Data Streams (Whitelisted) =========

(If an entry is included in the fixlist, only the ADS will be removed.)

AlternateDataStreams: C:\Users\user\Desktop\USDF Region 6 3rd Level Freestyle Champs Prescription and LIz.avi.aaa:TOC.WMV

==================== Safe Mode (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The "AlternateShell" value will be restored.)

HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Option => "OptionValue"="2"

==================== EXE Association (Whitelisted) ===============

(If an entry is included in the fixlist, the registry item will be restored to default or removed.)

==================== Internet Explorer trusted/restricted ===============

(If an entry is included in the fixlist, it will be removed from the registry.)

==================== Other Areas ============================

(Currently there is no automatic fix for this section.)

HKU\S-1-5-21-2083325841-3239248121-869660377-1000\Control Panel\Desktop\\Wallpaper ->
DNS Servers: 75.75.75.75 - 75.75.76.76
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System => (ConsentPromptBehaviorAdmin: 5) (ConsentPromptBehaviorUser: 3) (EnableLUA: 1)
Windows Firewall is enabled.

==================== MSCONFIG/TASK MANAGER disabled items ==

(Currently there is no automatic fix for this section.)

==================== FirewallRules (Whitelisted) ===============

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

FirewallRules: [{146EED79-38FC-46E9-B0E7-475D0F4B35B9}] => (Allow) C:\Program Files\Mozilla Firefox\firefox.exe
FirewallRules: [{7ECE3F12-8821-4161-86EE-D3595DB6DD95}] => (Allow) C:\Program Files\Mozilla Firefox\firefox.exe
FirewallRules: [{270D27C4-A42F-4EB8-BBB1-2DD1C4700592}] => (Allow) C:\Program Files\Google\Chrome\Application\chrome.exe
FirewallRules: [{13536BCF-935B-40C1-B136-CECE63D9B4A1}] => (Allow) C:\Users\user\AppData\Roaming\uTorrent\uTorrent.exe
FirewallRules: [{C2CA02A6-95B7-46B8-9CA4-942B56A8F0C7}] => (Allow) C:\Users\user\AppData\Roaming\uTorrent\uTorrent.exe
FirewallRules: [{BCF2EBC8-E806-4EC9-9FD5-2008A67E3687}] => (Allow) C:\Users\user\AppData\Roaming\uTorrent\uTorrent.exe
FirewallRules: [{260DD4DF-6237-4E59-8078-DE165E8B3040}] => (Allow) C:\Users\user\AppData\Roaming\uTorrent\uTorrent.exe
FirewallRules: [{D01181C8-43D3-409E-9535-F16252C1BE64}] => (Allow) C:\Users\user\AppData\Roaming\uTorrent\uTorrent.exe
FirewallRules: [{2AAEC011-3B36-4309-8C5A-B98483A6B455}] => (Allow) C:\Users\user\AppData\Roaming\uTorrent\uTorrent.exe
StandardProfile\AuthorizedApplications: [C:\Program Files\Spybot - Search & Destroy 2\SDTray.exe] => Enabled:Spybot - Search & Destroy tray access
StandardProfile\AuthorizedApplications: [C:\Program Files\Spybot - Search & Destroy 2\SDFSSvc.exe] => Enabled:Spybot-S&D 2 Scanner Service
StandardProfile\AuthorizedApplications: [C:\Program Files\Spybot - Search & Destroy 2\SDUpdate.exe] => Enabled:Spybot-S&D 2 Updater
StandardProfile\AuthorizedApplications: [C:\Program Files\Spybot - Search & Destroy 2\SDUpdSvc.exe] => Enabled:Spybot-S&D 2 Background update service

==================== Faulty Device Manager Devices =============

Name: Security Processor Loader Driver
Description: Security Processor Loader Driver
Class Guid: {8ECC055D-047F-11D1-A537-0000F8753ED1}
Manufacturer:
Service: spldr
Problem: : This device is not present, is not working properly, or does not have all its drivers installed. (Code 24)
Resolution: The device is installed incorrectly. The problem could be a hardware failure, or a new driver might be needed.
Devices stay in this state if they have been prepared for removal.
After you remove the device, this error disappears.Remove the device, and this error should be resolved.

==================== Event log errors: =========================

Application errors:
==================
Error: (10/09/2015 03:04:08 PM) (Source: Application Hang) (EventID: 1002) (User: )
Description: The program uTorrent.exe version 3.4.5.41162 stopped interacting with Windows and was closed. To see if more information about the problem is available, check the problem history in the Action Center control panel.

Process ID: bec

Start Time: 01d102cd4b208838

Termination Time: 16

Application Path: C:\Users\user\AppData\Roaming\uTorrent\uTorrent.exe

Report Id: e3dacfcb-6ec0-11e5-8ff0-0016418fd44e

Error: (10/09/2015 11:19:15 AM) (Source: System Restore) (EventID: 8211) (User: )
Description: The scheduled restore point could not be created. Additional information: (0x81000101).

Error: (10/09/2015 11:19:15 AM) (Source: System Restore) (EventID: 8193) (User: )
Description: Failed to create restore point (Process = C:\Windows\system32\rundll32.exe /d srrstr.dll,ExecuteScheduledSPPCreation; Description = Scheduled Checkpoint; Error = 0x81000101).

Error: (10/02/2015 08:26:11 PM) (Source: Windows Search Service) (EventID: 7042) (User: )
Description: The Windows Search Service is being stopped because there is a problem with the indexer: The catalog is corrupt.

Details:
The content index catalog is corrupt. 0xc0041801 (0xc0041801)

Error: (10/02/2015 08:26:11 PM) (Source: Windows Search Service) (EventID: 7040) (User: )
Description: The search service has detected corrupted data files in the index {id=2350}. The service will attempt to automatically correct this problem by rebuilding the index.

Details:
The content index catalog is corrupt. 0xc0041801 (0xc0041801)

Error: (10/02/2015 12:53:50 PM) (Source: Application Hang) (EventID: 1002) (User: )
Description: The program uTorrent.exe version 3.4.5.41162 stopped interacting with Windows and was closed. To see if more information about the problem is available, check the problem history in the Action Center control panel.

Process ID: a04

Start Time: 01d0fd3a3ba624b5

Termination Time: 29

Application Path: C:\Users\user\AppData\Roaming\uTorrent\uTorrent.exe

Report Id: 86ed4303-692e-11e5-80c1-0016418fd44e

Error: (10/02/2015 12:36:22 PM) (Source: Application Hang) (EventID: 1002) (User: )
Description: The program uTorrent.exe version 3.4.5.41162 stopped interacting with Windows and was closed. To see if more information about the problem is available, check the problem history in the Action Center control panel.

Process ID: e38

Start Time: 01d0fd388b4eef10

Termination Time: 16

Application Path: C:\Users\user\AppData\Roaming\uTorrent\uTorrent.exe

Report Id: 0c491d4d-692c-11e5-80c1-0016418fd44e

Error: (10/01/2015 07:54:26 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: plugin-container.exe, version: 41.0.1.5750, time stamp: 0x560b37be
Faulting module name: mozglue.dll, version: 41.0.1.5750, time stamp: 0x560b229d
Exception code: 0x80000003
Fault offset: 0x0000ec7f
Faulting process id: 0xcd0
Faulting application start time: 0xplugin-container.exe0
Faulting application path: plugin-container.exe1
Faulting module path: plugin-container.exe2
Report Id: plugin-container.exe3

Error: (10/01/2015 07:28:28 PM) (Source: Application Hang) (EventID: 1002) (User: )
Description: The program firefox.exe version 41.0.1.5750 stopped interacting with Windows and was closed. To see if more information about the problem is available, check the problem history in the Action Center control panel.

Process ID: ec8

Start Time: 01d0fca7c91dba3b

Termination Time: 11

Application Path: C:\Program Files\Mozilla Firefox\firefox.exe

Report Id:

Error: (09/28/2015 11:53:43 AM) (Source: Application Hang) (EventID: 1002) (User: )
Description: The program firefox.exe version 41.0.0.5738 stopped interacting with Windows and was closed. To see if more information about the problem is available, check the problem history in the Action Center control panel.

Process ID: 630

Start Time: 01d0f97f6c5a0d22

Termination Time: 34

Application Path: C:\Program Files\Mozilla Firefox\firefox.exe

Report Id: 77bd087d-6601-11e5-bc43-0016418fd44e

System errors:
=============
Error: (10/12/2015 05:21:20 PM) (Source: Service Control Manager) (EventID: 7001) (User: )
Description: The Computer Browser service depends on the Server service which failed to start because of the following error:
%%1068

Error: (10/12/2015 05:21:20 PM) (Source: Service Control Manager) (EventID: 7001) (User: )
Description: The Computer Browser service depends on the Server service which failed to start because of the following error:
%%1068

Error: (10/12/2015 05:21:18 PM) (Source: Service Control Manager) (EventID: 7001) (User: )
Description: The Computer Browser service depends on the Server service which failed to start because of the following error:
%%1068

Error: (10/12/2015 05:21:18 PM) (Source: Service Control Manager) (EventID: 7001) (User: )
Description: The Computer Browser service depends on the Server service which failed to start because of the following error:
%%1068

Error: (10/12/2015 05:21:17 PM) (Source: Service Control Manager) (EventID: 7001) (User: )
Description: The HomeGroup Provider service depends on the Function Discovery Provider Host service which failed to start because of the following error:
%%1068

Error: (10/12/2015 05:21:16 PM) (Source: DCOM) (EventID: 10005) (User: )
Description: 1084WSearch{7D096C5F-AC08-4F1F-BEB7-5C22C517CE39}

Error: (10/12/2015 05:21:16 PM) (Source: DCOM) (EventID: 10005) (User: )
Description: 1084WSearch{9E175B6D-F52A-11D8-B9A5-505054503030}

Error: (10/12/2015 05:21:15 PM) (Source: DCOM) (EventID: 10005) (User: )
Description: 1084EventSystem{1BE1F766-5536-11D1-B726-00C04FB926AF}

Error: (10/12/2015 05:21:09 PM) (Source: DCOM) (EventID: 10005) (User: )
Description: 1084ShellHWDetection{DD522ACC-F821-461A-A407-50B198B896DC}

Error: (10/12/2015 05:21:04 PM) (Source: Service Control Manager) (EventID: 7026) (User: )
Description: The following boot-start or system-start driver(s) failed to load:
discache
spldr
Wanarpv6

==================== Memory info ===========================

Processor: Intel(R) Core(TM)2 Duo CPU T7300 @ 2.00GHz
Percentage of memory in use: 32%
Total physical RAM: 2037.97 MB
Available physical RAM: 1368.57 MB
Total Virtual: 4075.95 MB
Available Virtual: 3476.58 MB

==================== Drives ================================

Drive c: () (Fixed) (Total:298.09 GB) (Free:249.88 GB) NTFS ==>[drive with boot components (obtained from BCD)]

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (MBR Code: Windows XP) (Size: 298.1 GB) (Disk ID: B848D491)
Partition 1: (Active) - (Size=298.1 GB) - (Type=07 NTFS)

==================== End of Addition.txt ============================

Juliet · Oct 13, 2015

Let's see if this helps.

Please open Notepad *Do Not Use Wordpad!* or use any other text editor than Notepad or the script will fail. (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the quote box below:
To do this highlight the contents of the box and right click on it and select copy.
Paste this into the open notepad. save it to the Desktop as fixlist.txt
NOTE. It's important that both files, FRST/FRST64 and fixlist.txt are in the same location or the fix will not work.
It needs to be saved Next to the "Farbar Recovery Scan Tool" (If asked to overwrite existing one please allow)

start
CreateRestorePoint:
CloseProcesses:
HKLM\...\Run: [VjcYNwLhFDE6] => regsvr32.exe /s "C:\PROGRA~2\VjcYNwLhFDE6.dll"
2015-10-09 14:59 - 2015-10-09 14:59 - 01822048 _____ (BitTorrent Inc.) C:\Users\user\Downloads\uTorrent (1).exe
2015-10-02 12:33 - 2015-10-02 12:33 - 01821536 _____ (BitTorrent Inc.) C:\Users\user\Downloads\uTorrent(1).exe
2015-10-02 12:28 - 2015-10-09 15:07 - 00000000 ____D C:\Users\user\AppData\LocalLow\uTorrent
2015-10-02 12:26 - 2015-10-02 12:27 - 01821536 _____ (BitTorrent Inc.) C:\Users\user\Downloads\uTorrent.exe
C:\ProgramData\taskhost.exe
AlternateDataStreams: C:\Users\user\Desktop\USDF Region 6 3rd Level Freestyle Champs Prescription and LIz.avi.aaa:TOC.WMV
FirewallRules: [{13536BCF-935B-40C1-B136-CECE63D9B4A1}] => (Allow) C:\Users\user\AppData\Roaming\uTorrent\uTorrent.exe
FirewallRules: [{C2CA02A6-95B7-46B8-9CA4-942B56A8F0C7}] => (Allow) C:\Users\user\AppData\Roaming\uTorrent\uTorrent.exe
FirewallRules: [{BCF2EBC8-E806-4EC9-9FD5-2008A67E3687}] => (Allow) C:\Users\user\AppData\Roaming\uTorrent\uTorrent.exe
FirewallRules: [{260DD4DF-6237-4E59-8078-DE165E8B3040}] => (Allow) C:\Users\user\AppData\Roaming\uTorrent\uTorrent.exe
FirewallRules: [{D01181C8-43D3-409E-9535-F16252C1BE64}] => (Allow) C:\Users\user\AppData\Roaming\uTorrent\uTorrent.exe
FirewallRules: [{2AAEC011-3B36-4309-8C5A-B98483A6B455}] => (Allow) C:\Users\user\AppData\Roaming\uTorrent\uTorrent.exe
EmptyTemp:
Hosts:
End

Open FRST/FRST64 and press the > Fix < button just once and wait.
If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.
When finished FRST will generate a log on the Desktop (Fixlog.txt). Please post it to your reply.

~~~~~~~~~~~~~~~``

Malwarebytes Anti-Rootkit

Download Malwarebytes Anti-Rootkit
Once the file has been downloaded, right click on the downloaded file and select the Extract all menu option.
Follow the instructions to extract the ZIP file to a folder called mbar-versionnumber on your desktop.
Once the ZIP file has been extracted, open the folder and when that folder opens, double-click on the mbar folder.
Double-click on the mbar.exe file to launch Malwarebytes Anti-Rootkit.
After you double-click on the mbar.exe file, you may receive a User Account Control (UAC) message if you are sure you wish to allow the program to run. Please allow to start Malwarebytes Anti-Rootkit correctly.
Malwarebytes Anti-Rootkit will now install necessary drivers that are required for the program to operate correctly.
If you receive a DDA driver message like could not load DDA driver, click on the Yes button and Malwarebytes Anti-Rootkit will now restart your computer and will start automatically.

Please click by the introduction screen on the Next button to continue.

Next you will see the Update Database screen.
Click on the Update button so Malwarebytes Anti-Rootkit can download the latest definition updates.

When the update has finished, click on the Next button.

Next you can select some basic scanning options. Make sure the Drivers, Sectors, and System scan targets are selected before you click on the Scan button.
Malwarebytes Anti-Rootkit will now start scanning your computer for rootkits. This scan can take some time, so please be patient.

When the scan with Malwarebytes Anti-Rootkit is finished, the program will display a screen with the results from the scan.
Make sure everything is selected and that the option to create a restore point is checked.
Next click on the Cleanup button. Malwarebytes Anti-Rootkit will then prompt you to reboot your computer.
Click on Yes button to restart your computer.

~~~~~~~~~~~~~~

Please post these 2 logs when done.

Juliet · Oct 13, 2015

We're having severe storms with lightning, possibility of losing power.

Might not make it back here till morning.

Red_Earth · Oct 13, 2015

frst fixlog

Fix result of Farbar Recovery Scan Tool (x86) Version:12-10-2015
Ran by user (2015-10-13 12:50:24) Run:1
Running from C:\Users\user\Desktop
Loaded Profiles: user (Available Profiles: user)
Boot Mode: Safe Mode (with Networking)

==============================================

fixlist content:
*****************
start
CreateRestorePoint:
CloseProcesses:
HKLM\...\Run: [VjcYNwLhFDE6] => regsvr32.exe /s "C:\PROGRA~2\VjcYNwLhFDE6.dll"
2015-10-09 14:59 - 2015-10-09 14:59 - 01822048 _____ (BitTorrent Inc.) C:\Users\user\Downloads\uTorrent (1).exe
2015-10-02 12:33 - 2015-10-02 12:33 - 01821536 _____ (BitTorrent Inc.) C:\Users\user\Downloads\uTorrent(1).exe
2015-10-02 12:28 - 2015-10-09 15:07 - 00000000 ____D C:\Users\user\AppData\LocalLow\uTorrent
2015-10-02 12:26 - 2015-10-02 12:27 - 01821536 _____ (BitTorrent Inc.) C:\Users\user\Downloads\uTorrent.exe
C:\ProgramData\taskhost.exe
AlternateDataStreams: C:\Users\user\Desktop\USDF Region 6 3rd Level Freestyle Champs Prescription and LIz.avi.aaa:TOC.WMV
FirewallRules: [{13536BCF-935B-40C1-B136-CECE63D9B4A1}] => (Allow) C:\Users\user\AppData\Roaming\uTorrent\uTorrent.exe
FirewallRules: [{C2CA02A6-95B7-46B8-9CA4-942B56A8F0C7}] => (Allow) C:\Users\user\AppData\Roaming\uTorrent\uTorrent.exe
FirewallRules: [{BCF2EBC8-E806-4EC9-9FD5-2008A67E3687}] => (Allow) C:\Users\user\AppData\Roaming\uTorrent\uTorrent.exe
FirewallRules: [{260DD4DF-6237-4E59-8078-DE165E8B3040}] => (Allow) C:\Users\user\AppData\Roaming\uTorrent\uTorrent.exe
FirewallRules: [{D01181C8-43D3-409E-9535-F16252C1BE64}] => (Allow) C:\Users\user\AppData\Roaming\uTorrent\uTorrent.exe
FirewallRules: [{2AAEC011-3B36-4309-8C5A-B98483A6B455}] => (Allow) C:\Users\user\AppData\Roaming\uTorrent\uTorrent.exe
EmptyTemp:
Hosts:
End
*****************

Error: Restore point can only be created in normal mode.
Processes closed successfully.
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\\VjcYNwLhFDE6 => value removed successfully.
C:\Users\user\Downloads\uTorrent (1).exe => moved successfully
C:\Users\user\Downloads\uTorrent(1).exe => moved successfully
C:\Users\user\AppData\LocalLow\uTorrent => moved successfully
C:\Users\user\Downloads\uTorrent.exe => moved successfully
C:\ProgramData\taskhost.exe => moved successfully
C:\Users\user\Desktop\USDF Region 6 3rd Level Freestyle Champs Prescription and LIz.avi.aaa => ":TOC.WMV" ADS removed successfully..
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{13536BCF-935B-40C1-B136-CECE63D9B4A1} => value removed successfully.
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{C2CA02A6-95B7-46B8-9CA4-942B56A8F0C7} => value removed successfully.
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{BCF2EBC8-E806-4EC9-9FD5-2008A67E3687} => value removed successfully.
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{260DD4DF-6237-4E59-8078-DE165E8B3040} => value removed successfully.
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{D01181C8-43D3-409E-9535-F16252C1BE64} => value removed successfully.
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{2AAEC011-3B36-4309-8C5A-B98483A6B455} => value removed successfully.
C:\Windows\System32\Drivers\etc\hosts => moved successfully
Hosts restored successfully.
EmptyTemp: => 66.2 MB temporary data Removed.

The system needed a reboot.

==== End of Fixlog 12:50:34 ====

Red_Earth · Oct 13, 2015

Mbar

I downloaded MBAR from the hyperlink, and again, when prompted it does not open or run.

Red_Earth · Oct 13, 2015

zip

the instructions were for a zip file but the hyperlink lead me to an exe download. I ran the exe and was given the popup that says will i allow program to make changes and i say allow and it does nothing.

Juliet · Oct 13, 2015

See if you can search and find
mbar-log-(the date ran).txt

The below scanner can run and work in safe mode and or normal mode.

Download and Install Combofix

Download ComboFix from one of the following locations:
Link 1
Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here
Double click on ComboFix.exe & follow the prompts.
Accept the disclaimer and allow to update if it asks

When finished, it shall produce a log for you.
Please include the C:\ComboFix.txt in your next reply.
Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.
3. If after the reboot you get errors about programmes being marked for deletion then reboot, that will cure it.

Please make sure you include the combo fix log in your next reply as well as describe how your computer is running now

Juliet · Oct 13, 2015

I have a question
I see these files but cannot find much info on what they might be related to. Is it for some type of restore tool?

C:\ProgramData\restore_files_bjvdg.html
C:\ProgramData\restore_files_bjvdg.txt
C:\ProgramData\restore_files_fmlub.html
C:\ProgramData\restore_files_fmlub.txt
C:\ProgramData\restore_files_hvdux.html
C:\ProgramData\restore_files_hvdux.txt
C:\ProgramData\restore_files_mkkgj.html
C:\ProgramData\restore_files_mkkgj.txt
C:\ProgramData\restore_files_qnhwg.html
C:\ProgramData\restore_files_qnhwg.txt
C:\ProgramData\restore_files_swkdn.html
C:\ProgramData\restore_files_swkdn.txt

~~

Also

Also please download Windows Repair (all in one) from here

Install the program then go to step 4 and create a new system restore point and new registry backup.

Go to Step 2 and allow it to run CheckDisk by clicking on Do It button:

NEXT
On the the Start Repairs tab => Click the Start

Please ensure that ONLY items seen in the image below are ticked as indicated (they're all checked by default):

Click on box next to the Restart System when Finished. Then click on Start.

Juliet · Oct 14, 2015

I know I've posted several things for you to do but I wanted to post this while it was on my mind.

Event Log Viewer

Please download VEW and save the file to your Desktop.
Right-click VEW.exe and select
Run as administrator to run the programme.
Under Select log to query, place a checkmark next to:
Application
System

Under Select type to list, place a checkmark next to:

Critical
Error
Information
Under Number or date events, place a checkmark next to:
Number of Events and set to 20.
Click Run.
Upon completion, a log (VEW.txt) will open. Copy the contents of the log and paste in your next reply.

Red_Earth · Oct 16, 2015

3 days

it has been three days... did I lose you?

Red_Earth · Oct 16, 2015

oops

oops sorry. i didnt realize you had in fact replied

Juliet · Oct 16, 2015

yes, I kinda rambled off a few things to do

Red_Earth · Oct 17, 2015

combo fix log

ComboFix 15-10-15.01 - user 10/16/2015 19:26:03.1.2 - x86
Microsoft Windows 7 Ultimate 6.1.7600.0.1252.1.1033.18.2038.1323 [GMT -5:00]
Running from: c:\users\user\Desktop\ComboFix.exe
SP: Windows Defender *Enabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\programdata\716C5D6A.EX
c:\users\Public\Favorites\restore_files_bjvdg.html
c:\users\Public\Favorites\restore_files_fmlub.html
c:\users\Public\Favorites\restore_files_hvdux.html
c:\users\Public\Favorites\restore_files_mkkgj.html
c:\users\Public\Favorites\restore_files_qnhwg.html
c:\users\Public\Favorites\restore_files_swkdn.html
c:\windows\wininit.ini
.
.
\\.\PhysicalDrive0 - Bootkit Cidox was found and disinfected
.
((((((((((((((((((((((((( Files Created from 2015-09-17 to 2015-10-17 )))))))))))))))))))))))))))))))
.
.
2015-10-17 00:31 . 2015-10-17 00:33 -------- d-----w- c:\users\user\AppData\Local\temp
2015-10-12 18:59 . 2015-10-12 22:25 -------- d-----w- C:\AdwCleaner
2015-10-10 01:10 . 2015-10-10 01:10 -------- d-----w- C:\RegBackup
2015-10-10 00:26 . 2015-10-10 00:26 -------- d-----w- c:\program files\Tweaking.com
2015-10-10 00:13 . 2015-10-13 17:51 -------- d-----w- C:\FRST
2015-09-20 19:54 . 2015-09-20 19:54 -------- d-----w- c:\program files\Common Files\AV
2015-09-20 19:03 . 2015-09-20 19:03 -------- d-----w- c:\program files\CCleaner
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2015-10-17 00:02 . 2015-05-16 21:59 780488 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2015-10-17 00:02 . 2015-05-16 21:59 142536 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2015-10-17 00:02 . 2015-08-23 16:02 3996360 ----a-w- c:\windows\system32\FlashPlayerInstaller.exe
2015-08-20 09:18 . 2015-09-02 11:32 9234960 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{04CF7845-9F16-42DA-8744-864BC1B9294F}\mpengine.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SandboxieControl"="c:\program files\Sandboxie\SbieCtrl.exe" [2013-10-16 543432]
"CCleaner Monitoring"="c:\program files\CCleaner\CCleaner.exe" [2015-08-19 6490904]
"SpybotPostWindows10UpgradeReInstall"="c:\program files\Common Files\AV\Spybot - Search and Destroy\Test.exe" [2015-07-28 1011200]
.
c:\users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
restore_files_mkkgj.html [2015-8-22 5081]
restore_files_mkkgj.txt [2015-8-22 2253]
restore_files_qnhwg.html [2015-8-22 3822]
restore_files_qnhwg.txt [2015-8-22 2170]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0\0sdnclean.exe
.
R3 netw5v32;Intel(R) Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\system32\DRIVERS\netw5v32.sys [2009-07-13 4231168]
S3 SrvHsfHDA;SrvHsfHDA;c:\windows\system32\DRIVERS\VSTAZL3.SYS [2009-07-13 207360]
S3 SrvHsfV92;SrvHsfV92;c:\windows\system32\DRIVERS\VSTDPV3.SYS [2009-07-13 980992]
S3 SrvHsfWinac;SrvHsfWinac;c:\windows\system32\DRIVERS\VSTCNXT3.SYS [2009-07-13 661504]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]
2015-10-16 09:05 997704 ----a-w- c:\program files\Google\Chrome\Application\46.0.2490.71\Installer\chrmstp.exe
.
Contents of the 'Scheduled Tasks' folder
.
2015-10-17 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2015-05-16 00:02]
.
2015-10-17 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2015-05-19 16:47]
.
2015-10-16 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2015-05-19 16:47]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyServer = localhost:8080
TCP: DhcpNameServer = 75.75.75.75 75.75.76.76
FF - ProfilePath - c:\users\user\AppData\Roaming\Mozilla\Firefox\Profiles\vk605143.default\
FF - prefs.js: browser.startup.homepage - hxxps://www.google.com/?gws_rd=ssl
.
- - - - ORPHANS REMOVED - - - -
.
HKCU-Run-Chrome - c:\progra~2\taskhost.exe
HKLM-Run-Chrome - c:\progra~2\taskhost.exe
HKU-Default-Run-Chrome - c:\progra~2\taskhost.exe
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil32_19_0_0_226_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\LocalServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil32_19_0_0_226_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}]
@Denied: (A 2) (Everyone)
@="IFlashBroker6"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\system\ControlSet002\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet002\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet002\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Sandboxie\SbieSvc.exe
c:\windows\system32\WUDFHost.exe
c:\windows\system32\taskhost.exe
c:\windows\system32\sppsvc.exe
c:\windows\system32\conhost.exe
c:\program files\Windows Media Player\wmpnetwk.exe
.
**************************************************************************
.
Completion time: 2015-10-16 19:35:09 - machine was rebooted
ComboFix-quarantined-files.txt 2015-10-17 00:35
.
Pre-Run: 266,880,491,520 bytes free
Post-Run: 266,791,280,640 bytes free
.
- - End Of File - - 9984B18A4A04C30C686DE2BE9297A25C
8F558EB6672622401DA993E1E865C861

Red_Earth · Oct 17, 2015

vew

I believe the restore files you mentioned are malicious. Every time I reboot screens popup mentioning them. Windows repair did not find any issues. The log for VEW follows:

Vino's Event Viewer v01c run on Windows 2008 in English
Report run at 16/10/2015 8:30:41 PM

Note: All dates below are in the format dd/mm/yyyy

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
'Application' Log - Critical Type
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
'Application' Log - Error Type
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Log: 'Application' Date/Time: 17/10/2015 1:04:52 AM
Type: Error Category: 100
Event: 1000 Source: Application Error
Faulting application name: svchost.exe_WinDefend, version: 6.1.7600.16385, time stamp: 0x4a5bc100 Faulting module name: msvcrt.dll, version: 7.0.7600.16385, time stamp: 0x4a5bda6f Exception code: 0xc0000005 Fault offset: 0x0000ab84 Faulting process id: 0x670 Faulting application start time: 0x01d108756c21b920 Faulting application path: C:\Windows\System32\svchost.exe Faulting module path: C:\Windows\system32\msvcrt.dll Report Id: 11dc1418-746b-11e5-95cc-0016418fd44e

Log: 'Application' Date/Time: 16/10/2015 7:51:01 PM
Type: Error Category: 100
Event: 1000 Source: Application Error
Faulting application name: vlc.exe, version: 2.2.1.0, time stamp: 0x00000004 Faulting module name: libqt4_plugin.dll, version: 2.2.1.0, time stamp: 0x00020002 Exception code: 0x40000015 Fault offset: 0x007ca10a Faulting process id: 0x1268 Faulting application start time: 0x01d1084bf6e4b795 Faulting application path: C:\Program Files\VideoLAN\VLC\vlc.exe Faulting module path: C:\Program Files\VideoLAN\VLC\plugins\gui\libqt4_plugin.dll Report Id: 39a05618-743f-11e5-9e30-0016418fd44e

Log: 'Application' Date/Time: 09/10/2015 8:04:08 PM
Type: Error Category: 101
Event: 1002 Source: Application Hang
The program uTorrent.exe version 3.4.5.41162 stopped interacting with Windows and was closed. To see if more information about the problem is available, check the problem history in the Action Center control panel. Process ID: bec Start Time: 01d102cd4b208838 Termination Time: 16 Application Path: C:\Users\user\AppData\Roaming\uTorrent\uTorrent.exe Report Id: e3dacfcb-6ec0-11e5-8ff0-0016418fd44e

Log: 'Application' Date/Time: 09/10/2015 4:19:15 PM
Type: Error Category: 0
Event: 8211 Source: System Restore
The scheduled restore point could not be created. Additional information: (0x81000101).

Log: 'Application' Date/Time: 09/10/2015 4:19:15 PM
Type: Error Category: 0
Event: 8193 Source: System Restore
Failed to create restore point (Process = C:\Windows\system32\rundll32.exe /d srrstr.dll,ExecuteScheduledSPPCreation; Description = Scheduled Checkpoint; Error = 0x81000101).

Log: 'Application' Date/Time: 03/10/2015 1:26:11 AM
Type: Error Category: 1
Event: 7042 Source: Microsoft-Windows-Search
The Windows Search Service is being stopped because there is a problem with the indexer: The catalog is corrupt.

Details:
The content index catalog is corrupt. 0xc0041801 (0xc0041801)

Log: 'Application' Date/Time: 03/10/2015 1:26:11 AM
Type: Error Category: 1
Event: 7040 Source: Microsoft-Windows-Search
The search service has detected corrupted data files in the index {id=2350}. The service will attempt to automatically correct this problem by rebuilding the index.

Details:
The content index catalog is corrupt. 0xc0041801 (0xc0041801)

Log: 'Application' Date/Time: 02/10/2015 5:53:50 PM
Type: Error Category: 101
Event: 1002 Source: Application Hang
The program uTorrent.exe version 3.4.5.41162 stopped interacting with Windows and was closed. To see if more information about the problem is available, check the problem history in the Action Center control panel. Process ID: a04 Start Time: 01d0fd3a3ba624b5 Termination Time: 29 Application Path: C:\Users\user\AppData\Roaming\uTorrent\uTorrent.exe Report Id: 86ed4303-692e-11e5-80c1-0016418fd44e

Log: 'Application' Date/Time: 02/10/2015 5:36:22 PM
Type: Error Category: 101
Event: 1002 Source: Application Hang
The program uTorrent.exe version 3.4.5.41162 stopped interacting with Windows and was closed. To see if more information about the problem is available, check the problem history in the Action Center control panel. Process ID: e38 Start Time: 01d0fd388b4eef10 Termination Time: 16 Application Path: C:\Users\user\AppData\Roaming\uTorrent\uTorrent.exe Report Id: 0c491d4d-692c-11e5-80c1-0016418fd44e

Log: 'Application' Date/Time: 02/10/2015 12:54:26 AM
Type: Error Category: 100
Event: 1000 Source: Application Error
Faulting application name: plugin-container.exe, version: 41.0.1.5750, time stamp: 0x560b37be Faulting module name: mozglue.dll, version: 41.0.1.5750, time stamp: 0x560b229d Exception code: 0x80000003 Fault offset: 0x0000ec7f Faulting process id: 0xcd0 Faulting application start time: 0x01d0fcacb708f42c Faulting application path: C:\Program Files\Mozilla Firefox\plugin-container.exe Faulting module path: C:\Program Files\Mozilla Firefox\mozglue.dll Report Id: 2066e7b4-68a0-11e5-a3c5-0016418fd44e

Log: 'Application' Date/Time: 02/10/2015 12:28:28 AM
Type: Error Category: 101
Event: 1002 Source: Application Hang
The program firefox.exe version 41.0.1.5750 stopped interacting with Windows and was closed. To see if more information about the problem is available, check the problem history in the Action Center control panel. Process ID: ec8 Start Time: 01d0fca7c91dba3b Termination Time: 11 Application Path: C:\Program Files\Mozilla Firefox\firefox.exe Report Id:

Log: 'Application' Date/Time: 28/09/2015 4:53:43 PM
Type: Error Category: 101
Event: 1002 Source: Application Hang
The program firefox.exe version 41.0.0.5738 stopped interacting with Windows and was closed. To see if more information about the problem is available, check the problem history in the Action Center control panel. Process ID: 630 Start Time: 01d0f97f6c5a0d22 Termination Time: 34 Application Path: C:\Program Files\Mozilla Firefox\firefox.exe Report Id: 77bd087d-6601-11e5-bc43-0016418fd44e

Log: 'Application' Date/Time: 28/09/2015 4:53:43 PM
Type: Error Category: 100
Event: 1000 Source: Application Error
Faulting application name: plugin-container.exe, version: 41.0.0.5738, time stamp: 0x55fb7072 Faulting module name: mozglue.dll, version: 41.0.0.5738, time stamp: 0x55fb5afb Exception code: 0x80000003 Fault offset: 0x0000ec7e Faulting process id: 0xe1c Faulting application start time: 0x01d0fa0e25b42fd1 Faulting application path: C:\Program Files\Mozilla Firefox\plugin-container.exe Faulting module path: C:\Program Files\Mozilla Firefox\mozglue.dll Report Id: 79b9551d-6601-11e5-bc43-0016418fd44e

Log: 'Application' Date/Time: 27/09/2015 3:13:00 AM
Type: Error Category: 100
Event: 1000 Source: Application Error
Faulting application name: svchost.exe_SysMain, version: 6.1.7600.16385, time stamp: 0x4a5bc100 Faulting module name: sysmain.dll, version: 6.1.7600.16385, time stamp: 0x4a5bdb23 Exception code: 0xc0000005 Fault offset: 0x00042bfa Faulting process id: 0x358 Faulting application start time: 0x01d0f8beb5205dc5 Faulting application path: C:\Windows\System32\svchost.exe Faulting module path: c:\windows\system32\sysmain.dll Report Id: a7ec7fdb-64c5-11e5-a781-0016418fd44e

Log: 'Application' Date/Time: 27/09/2015 12:32:00 AM
Type: Error Category: 100
Event: 1000 Source: Application Error
Faulting application name: plugin-container.exe, version: 41.0.0.5738, time stamp: 0x55fb7072 Faulting module name: mozglue.dll, version: 41.0.0.5738, time stamp: 0x55fb5afb Exception code: 0x80000003 Fault offset: 0x0000ec7e Faulting process id: 0xaac Faulting application start time: 0x01d0f8a6b02fbaec Faulting application path: C:\Program Files\Mozilla Firefox\plugin-container.exe Faulting module path: C:\Program Files\Mozilla Firefox\mozglue.dll Report Id: 2a4de6e0-64af-11e5-bbc2-0016418fd44e

Log: 'Application' Date/Time: 27/09/2015 12:32:00 AM
Type: Error Category: 101
Event: 1002 Source: Application Hang
The program firefox.exe version 41.0.0.5738 stopped interacting with Windows and was closed. To see if more information about the problem is available, check the problem history in the Action Center control panel. Process ID: 9a0 Start Time: 01d0f8a525319699 Termination Time: 127 Application Path: C:\Program Files\Mozilla Firefox\firefox.exe Report Id: 27b7c8ff-64af-11e5-bbc2-0016418fd44e

Log: 'Application' Date/Time: 25/09/2015 5:05:13 AM
Type: Error Category: 100
Event: 1000 Source: Application Error
Faulting application name: plugin-container.exe, version: 41.0.0.5738, time stamp: 0x55fb7072 Faulting module name: mozglue.dll, version: 41.0.0.5738, time stamp: 0x55fb5afb Exception code: 0x80000003 Fault offset: 0x0000ec7e Faulting process id: 0xb90 Faulting application start time: 0x01d0f74da50acce0 Faulting application path: C:\Program Files\Mozilla Firefox\plugin-container.exe Faulting module path: C:\Program Files\Mozilla Firefox\mozglue.dll Report Id: 0072674c-6343-11e5-a381-0016418fd44e

Log: 'Application' Date/Time: 25/09/2015 2:36:23 AM
Type: Error Category: 100
Event: 1000 Source: Application Error
Faulting application name: plugin-container.exe, version: 41.0.0.5738, time stamp: 0x55fb7072 Faulting module name: mozglue.dll, version: 41.0.0.5738, time stamp: 0x55fb5afb Exception code: 0x80000003 Fault offset: 0x0000ec7e Faulting process id: 0xa48 Faulting application start time: 0x01d0f73ad74e3638 Faulting application path: C:\Program Files\Mozilla Firefox\plugin-container.exe Faulting module path: C:\Program Files\Mozilla Firefox\mozglue.dll Report Id: 359da133-632e-11e5-a381-0016418fd44e

Log: 'Application' Date/Time: 24/09/2015 7:35:02 PM
Type: Error Category: 100
Event: 1000 Source: Application Error
Faulting application name: plugin-container.exe, version: 41.0.0.5738, time stamp: 0x55fb7072 Faulting module name: mozglue.dll, version: 41.0.0.5738, time stamp: 0x55fb5afb Exception code: 0x80000003 Fault offset: 0x0000ec7e Faulting process id: 0x714 Faulting application start time: 0x01d0f6ff1b141ef9 Faulting application path: C:\Program Files\Mozilla Firefox\plugin-container.exe Faulting module path: C:\Program Files\Mozilla Firefox\mozglue.dll Report Id: 58d106d8-62f3-11e5-a381-0016418fd44e

Log: 'Application' Date/Time: 24/09/2015 6:58:55 PM
Type: Error Category: 100
Event: 1000 Source: Application Error
Faulting application name: plugin-container.exe, version: 41.0.0.5738, time stamp: 0x55fb7072 Faulting module name: mozglue.dll, version: 41.0.0.5738, time stamp: 0x55fb5afb Exception code: 0x80000003 Fault offset: 0x0000ec7e Faulting process id: 0xbf0 Faulting application start time: 0x01d0f6fa5bf281ea Faulting application path: C:\Program Files\Mozilla Firefox\plugin-container.exe Faulting module path: C:\Program Files\Mozilla Firefox\mozglue.dll Report Id: 4d3fe876-62ee-11e5-a381-0016418fd44e

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
'Application' Log - Information Type
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Log: 'Application' Date/Time: 17/10/2015 1:26:20 AM
Type: Information Category: 0
Event: 1 Source: SecurityCenter
The Windows Security Center Service has started.

Log: 'Application' Date/Time: 17/10/2015 1:26:19 AM
Type: Information Category: 1
Event: 1003 Source: Microsoft-Windows-Search
The Windows Search Service started.

Log: 'Application' Date/Time: 17/10/2015 1:26:15 AM
Type: Information Category: 0
Event: 0 Source: gupdate
The event description cannot be found.

Log: 'Application' Date/Time: 17/10/2015 1:26:13 AM
Type: Information Category: 3
Event: 302 Source: ESENT
Windows (3388) Windows: The database engine has successfully completed recovery steps.

Log: 'Application' Date/Time: 17/10/2015 1:26:13 AM
Type: Information Category: 3
Event: 301 Source: ESENT
Windows (3388) Windows: The database engine has begun replaying logfile C:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSS.log.

Log: 'Application' Date/Time: 17/10/2015 1:26:12 AM
Type: Information Category: 3
Event: 300 Source: ESENT
Windows (3388) Windows: The database engine is initiating recovery steps.

Log: 'Application' Date/Time: 17/10/2015 1:26:12 AM
Type: Information Category: 1
Event: 102 Source: ESENT
Windows (3388) Windows: The database engine (6.01.7600.0000) started a new instance (0).

Log: 'Application' Date/Time: 17/10/2015 1:26:01 AM
Type: Information Category: 0
Event: 6000 Source: Microsoft-Windows-Winlogon
The winlogon notification subscriber <SessionEnv> was unavailable to handle a notification event.

Log: 'Application' Date/Time: 17/10/2015 1:26:01 AM
Type: Information Category: 0
Event: 4104 Source: Microsoft-Windows-Winlogon
Accessing Windows in Notification period.

Log: 'Application' Date/Time: 17/10/2015 1:24:15 AM
Type: Information Category: 0
Event: 902 Source: Microsoft-Windows-Security-SPP
The Software Protection service has started. 6.1.7600.16385

Log: 'Application' Date/Time: 17/10/2015 1:24:15 AM
Type: Information Category: 0
Event: 1003 Source: Microsoft-Windows-Security-SPP
The Software Protection service has completed licensing status check. Application Id=55c92734-d682-4d71-983e-d6ec3f16059f Licensing Status=
1: 022a1afb-b893-4190-92c3-8f69a49839fb, 1, 0 [(0 [0xC004F014, 0, 0], [(?)(?)(?)(?)(?)(?)])(1 )(2 )]
2: 7cfd4696-69a9-4af7-af36-ff3d12b6b6c8, 1, 0 [(0 [0xC004F014, 0, 0], [(?)(?)(?)(?)(?)(?)])(1 )(2 )]
3: a0cde89c-3304-4157-b61c-c8ad785d1fad, 1, 1 [(0 )(1 )(2 [0x00000000, 0, 0], [( 5 0xC004F009 30 0)( 5 0xC004F009 30 0)( 1 0x00000000 0 0 msft:rm/algorithm/flags/1.0 0x00000000 0)(?)(?)( 9 0x00000000 0xC004F009)])]
4: ac96e1a8-6cc4-4310-a4ff-332ce77fb5b8, 1, 0 [(0 [0xC004F014, 0, 0], [(?)(?)(?)(?)(?)(?)])(1 )(2 )]
5: cfb3e52c-d707-4861-af51-11b27ee6169c, 1, 0 [(0 [0xC004F014, 0, 0], [(?)(?)(?)(?)(?)(?)])(1 )(2 )]
6: 4a8149bb-7d61-49f4-8822-82c7bf88d64b, 1, 0 [(0 [0xC004F014, 0, 0], [(?)(?)(?)(?)(?)(?)])(1 )(2 )]
7: afd5f68f-b70f-4000-a21d-28dbc8be8b07, 1, 0 [(0 [0xC004F014, 0, 0], [(?)(?)(?)(?)(?)(?)])(1 )(2 )]

Log: 'Application' Date/Time: 17/10/2015 1:24:15 AM
Type: Information Category: 0
Event: 1066 Source: Microsoft-Windows-Security-SPP
Initialization status for service objects. C:\Windows\system32\sppwinob.dll, msft:spp/windowsfunctionality/agent/7.0, 0x00000000, 0x00000000
C:\Windows\system32\sppobjs.dll, msft:rm/algorithm/phone/1.0, 0x00000000, 0x00000000
C:\Windows\system32\sppobjs.dll, msft:rm/algorithm/pkey/2005, 0x00000000, 0x00000000
C:\Windows\system32\sppobjs.dll, msft:spp/TaskScheduler/1.0, 0x00000000, 0x00000000
C:\Windows\system32\sppobjs.dll, msft:spp/volume/services/kms/1.0, 0x00000000, 0x00000000
C:\Windows\system32\sppobjs.dll, msft:spp/volume/services/kms/licenserenewal/1.0, 0x00000000, 0x00000000

Log: 'Application' Date/Time: 17/10/2015 1:24:14 AM
Type: Information Category: 0
Event: 900 Source: Microsoft-Windows-Security-SPP
The Software Protection service is starting.

Log: 'Application' Date/Time: 17/10/2015 1:24:14 AM
Type: Information Category: 0
Event: 5617 Source: Microsoft-Windows-WMI
Windows Management Instrumentation Service subsystems initialized successfully

Log: 'Application' Date/Time: 17/10/2015 1:24:06 AM
Type: Information Category: 0
Event: 1531 Source: Microsoft-Windows-User Profiles Service
The User Profile Service has started successfully.

Log: 'Application' Date/Time: 17/10/2015 1:24:10 AM
Type: Information Category: 0
Event: 5615 Source: Microsoft-Windows-WMI
Windows Management Instrumentation Service started sucessfully

Log: 'Application' Date/Time: 17/10/2015 1:24:06 AM
Type: Information Category: 0
Event: 4625 Source: Microsoft-Windows-EventSystem
The EventSystem sub system is suppressing duplicate event log entries for a duration of 86400 seconds. The suppression timeout can be controlled by a REG_DWORD value named SuppressDuplicateDuration under the following registry key: HKLM\Software\Microsoft\EventSystem\EventLog.

Log: 'Application' Date/Time: 17/10/2015 1:23:32 AM
Type: Information Category: 0
Event: 1532 Source: Microsoft-Windows-User Profiles Service
The User Profile Service has stopped.

Log: 'Application' Date/Time: 17/10/2015 1:23:31 AM
Type: Information Category: 0
Event: 6000 Source: Microsoft-Windows-Winlogon
The winlogon notification subscriber <SessionEnv> was unavailable to handle a notification event.

Log: 'Application' Date/Time: 17/10/2015 1:23:31 AM
Type: Information Category: 0
Event: 6000 Source: Microsoft-Windows-Winlogon
The winlogon notification subscriber <Sens> was unavailable to handle a notification event.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
'System' Log - Critical Type
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Log: 'System' Date/Time: 17/10/2015 1:11:26 AM
Type: Critical Category: 63
Event: 41 Source: Microsoft-Windows-Kernel-Power
The system has rebooted without cleanly shutting down first. This error could be caused if the system stopped responding, crashed, or lost power unexpectedly.

Log: 'System' Date/Time: 17/10/2015 12:19:23 AM
Type: Critical Category: 63
Event: 41 Source: Microsoft-Windows-Kernel-Power
The system has rebooted without cleanly shutting down first. This error could be caused if the system stopped responding, crashed, or lost power unexpectedly.

Log: 'System' Date/Time: 14/10/2015 3:47:21 PM
Type: Critical Category: 63
Event: 41 Source: Microsoft-Windows-Kernel-Power
The system has rebooted without cleanly shutting down first. This error could be caused if the system stopped responding, crashed, or lost power unexpectedly.

Log: 'System' Date/Time: 14/10/2015 3:31:37 PM
Type: Critical Category: 63
Event: 41 Source: Microsoft-Windows-Kernel-Power
The system has rebooted without cleanly shutting down first. This error could be caused if the system stopped responding, crashed, or lost power unexpectedly.

Log: 'System' Date/Time: 14/10/2015 12:59:05 AM
Type: Critical Category: 63
Event: 41 Source: Microsoft-Windows-Kernel-Power
The system has rebooted without cleanly shutting down first. This error could be caused if the system stopped responding, crashed, or lost power unexpectedly.

Log: 'System' Date/Time: 12/10/2015 7:02:57 PM
Type: Critical Category: 64
Event: 10111 Source: Microsoft-Windows-DriverFrameworks-UserMode
The device Microsoft Usbccid Smartcard Reader (O2 Micro OZ776/777) (location Port_#0002.Hub_#0008) is offline due to a user-mode driver crash. Windows will attempt to restart the device 5 more times. Please contact the device manufacturer for more information about this problem.

Log: 'System' Date/Time: 12/10/2015 7:02:57 PM
Type: Critical Category: 64
Event: 10110 Source: Microsoft-Windows-DriverFrameworks-UserMode
A problem has occurred with one or more user-mode drivers and the hosting process has been terminated. This may temporarily interrupt your ability to access the devices.

Log: 'System' Date/Time: 11/10/2015 1:25:31 PM
Type: Critical Category: 63
Event: 41 Source: Microsoft-Windows-Kernel-Power
The system has rebooted without cleanly shutting down first. This error could be caused if the system stopped responding, crashed, or lost power unexpectedly.

Log: 'System' Date/Time: 10/10/2015 6:08:03 PM
Type: Critical Category: 63
Event: 41 Source: Microsoft-Windows-Kernel-Power
The system has rebooted without cleanly shutting down first. This error could be caused if the system stopped responding, crashed, or lost power unexpectedly.

Log: 'System' Date/Time: 06/10/2015 12:12:49 PM
Type: Critical Category: 63
Event: 41 Source: Microsoft-Windows-Kernel-Power
The system has rebooted without cleanly shutting down first. This error could be caused if the system stopped responding, crashed, or lost power unexpectedly.

Log: 'System' Date/Time: 04/10/2015 10:31:17 PM
Type: Critical Category: 63
Event: 41 Source: Microsoft-Windows-Kernel-Power
The system has rebooted without cleanly shutting down first. This error could be caused if the system stopped responding, crashed, or lost power unexpectedly.

Log: 'System' Date/Time: 03/10/2015 12:02:04 PM
Type: Critical Category: 63
Event: 41 Source: Microsoft-Windows-Kernel-Power
The system has rebooted without cleanly shutting down first. This error could be caused if the system stopped responding, crashed, or lost power unexpectedly.

Log: 'System' Date/Time: 03/10/2015 4:40:37 AM
Type: Critical Category: 63
Event: 41 Source: Microsoft-Windows-Kernel-Power
The system has rebooted without cleanly shutting down first. This error could be caused if the system stopped responding, crashed, or lost power unexpectedly.

Log: 'System' Date/Time: 03/10/2015 4:38:35 AM
Type: Critical Category: 63
Event: 41 Source: Microsoft-Windows-Kernel-Power
The system has rebooted without cleanly shutting down first. This error could be caused if the system stopped responding, crashed, or lost power unexpectedly.

Log: 'System' Date/Time: 03/10/2015 12:43:12 AM
Type: Critical Category: 63
Event: 41 Source: Microsoft-Windows-Kernel-Power
The system has rebooted without cleanly shutting down first. This error could be caused if the system stopped responding, crashed, or lost power unexpectedly.

Log: 'System' Date/Time: 02/10/2015 11:56:19 AM
Type: Critical Category: 63
Event: 41 Source: Microsoft-Windows-Kernel-Power
The system has rebooted without cleanly shutting down first. This error could be caused if the system stopped responding, crashed, or lost power unexpectedly.

Log: 'System' Date/Time: 27/09/2015 7:58:10 AM
Type: Critical Category: 63
Event: 41 Source: Microsoft-Windows-Kernel-Power
The system has rebooted without cleanly shutting down first. This error could be caused if the system stopped responding, crashed, or lost power unexpectedly.

Log: 'System' Date/Time: 27/09/2015 12:51:46 AM
Type: Critical Category: 63
Event: 41 Source: Microsoft-Windows-Kernel-Power
The system has rebooted without cleanly shutting down first. This error could be caused if the system stopped responding, crashed, or lost power unexpectedly.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
'System' Log - Error Type
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Log: 'System' Date/Time: 17/10/2015 1:13:17 AM
Type: Error Category: 0
Event: 7001 Source: Service Control Manager
The Computer Browser service depends on the Server service which failed to start because of the following error: The dependency service or group failed to start.

Log: 'System' Date/Time: 17/10/2015 1:13:17 AM
Type: Error Category: 0
Event: 7001 Source: Service Control Manager
The Computer Browser service depends on the Server service which failed to start because of the following error: The dependency service or group failed to start.

Log: 'System' Date/Time: 17/10/2015 1:13:16 AM
Type: Error Category: 0
Event: 7001 Source: Service Control Manager
The HomeGroup Provider service depends on the Function Discovery Provider Host service which failed to start because of the following error: The dependency service or group failed to start.

Log: 'System' Date/Time: 17/10/2015 1:13:15 AM
Type: Error Category: 0
Event: 10005 Source: Microsoft-Windows-DistributedCOM
DCOM got error "1084" attempting to start the service WSearch with arguments "" in order to run the server: {9E175B6D-F52A-11D8-B9A5-505054503030}

Log: 'System' Date/Time: 17/10/2015 1:13:15 AM
Type: Error Category: 0
Event: 10005 Source: Microsoft-Windows-DistributedCOM
DCOM got error "1084" attempting to start the service WSearch with arguments "" in order to run the server: {7D096C5F-AC08-4F1F-BEB7-5C22C517CE39}

Log: 'System' Date/Time: 17/10/2015 1:13:14 AM
Type: Error Category: 0
Event: 10005 Source: Microsoft-Windows-DistributedCOM
DCOM got error "1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}

Log: 'System' Date/Time: 17/10/2015 1:13:08 AM
Type: Error Category: 0
Event: 10005 Source: Microsoft-Windows-DistributedCOM
DCOM got error "1084" attempting to start the service ShellHWDetection with arguments "" in order to run the server: {DD522ACC-F821-461A-A407-50B198B896DC}

Log: 'System' Date/Time: 17/10/2015 1:13:03 AM
Type: Error Category: 0
Event: 7026 Source: Service Control Manager
The following boot-start or system-start driver(s) failed to load: discache spldr Wanarpv6

Log: 'System' Date/Time: 17/10/2015 1:11:31 AM
Type: Error Category: 0
Event: 6008 Source: EventLog
The previous system shutdown at 8:09:13 PM on ?10/?16/?2015 was unexpected.

Log: 'System' Date/Time: 17/10/2015 1:05:14 AM
Type: Error Category: 0
Event: 7031 Source: Service Control Manager
The Windows Defender service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.

Log: 'System' Date/Time: 17/10/2015 12:32:13 AM
Type: Error Category: 0
Event: 29 Source: volsnap
The shadow copies of volume C: were aborted during detection.

Log: 'System' Date/Time: 17/10/2015 12:32:20 AM
Type: Error Category: 0
Event: 6008 Source: EventLog
The previous system shutdown at 7:30:51 PM on ?10/?16/?2015 was unexpected.

Log: 'System' Date/Time: 17/10/2015 12:31:31 AM
Type: Error Category: 0
Event: 7030 Source: Service Control Manager
The PEVSystemStart service is marked as an interactive service. However, the system is configured to not allow interactive services. This service may not function properly.

Log: 'System' Date/Time: 17/10/2015 12:29:20 AM
Type: Error Category: 0
Event: 7030 Source: Service Control Manager
The PEVSystemStart service is marked as an interactive service. However, the system is configured to not allow interactive services. This service may not function properly.

Log: 'System' Date/Time: 17/10/2015 12:25:56 AM
Type: Error Category: 0
Event: 7030 Source: Service Control Manager
The PEVSystemStart service is marked as an interactive service. However, the system is configured to not allow interactive services. This service may not function properly.

Log: 'System' Date/Time: 17/10/2015 12:24:01 AM
Type: Error Category: 0
Event: 7030 Source: Service Control Manager
The PEVSystemStart service is marked as an interactive service. However, the system is configured to not allow interactive services. This service may not function properly.

Log: 'System' Date/Time: 17/10/2015 12:19:53 AM
Type: Error Category: 0
Event: 7001 Source: Service Control Manager
The HomeGroup Provider service depends on the Function Discovery Provider Host service which failed to start because of the following error: The dependency service or group failed to start.

Log: 'System' Date/Time: 17/10/2015 12:19:53 AM
Type: Error Category: 0
Event: 10005 Source: Microsoft-Windows-DistributedCOM
DCOM got error "1084" attempting to start the service WSearch with arguments "" in order to run the server: {9E175B6D-F52A-11D8-B9A5-505054503030}

Log: 'System' Date/Time: 17/10/2015 12:19:51 AM
Type: Error Category: 0
Event: 10005 Source: Microsoft-Windows-DistributedCOM
DCOM got error "1084" attempting to start the service WSearch with arguments "" in order to run the server: {7D096C5F-AC08-4F1F-BEB7-5C22C517CE39}

Log: 'System' Date/Time: 17/10/2015 12:19:50 AM
Type: Error Category: 0
Event: 7001 Source: Service Control Manager
The Computer Browser service depends on the Server service which failed to start because of the following error: The dependency service or group failed to start.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
'System' Log - Information Type
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Log: 'System' Date/Time: 17/10/2015 1:29:04 AM
Type: Information Category: 0
Event: 7036 Source: Service Control Manager
The Application Experience service entered the running state.

Log: 'System' Date/Time: 17/10/2015 1:26:33 AM
Type: Information Category: 0
Event: 206 Source: Microsoft-Windows-Application-Experience
The Program Compatibility Assistant service successfully performed phase two initialization.

Log: 'System' Date/Time: 17/10/2015 1:26:23 AM
Type: Information Category: 0
Event: 7036 Source: Service Control Manager
The Windows Update service entered the running state.

Log: 'System' Date/Time: 17/10/2015 1:26:19 AM
Type: Information Category: 0
Event: 7036 Source: Service Control Manager
The HomeGroup Provider service entered the running state.

Log: 'System' Date/Time: 17/10/2015 1:26:19 AM
Type: Information Category: 0
Event: 7036 Source: Service Control Manager
The Security Center service entered the running state.

Log: 'System' Date/Time: 17/10/2015 1:26:19 AM
Type: Information Category: 0
Event: 7036 Source: Service Control Manager
The Function Discovery Resource Publication service entered the running state.

Log: 'System' Date/Time: 17/10/2015 1:26:19 AM
Type: Information Category: 0
Event: 7036 Source: Service Control Manager
The Function Discovery Provider Host service entered the running state.

Log: 'System' Date/Time: 17/10/2015 1:26:16 AM
Type: Information Category: 0
Event: 7036 Source: Service Control Manager
The Windows Search service entered the running state.

Log: 'System' Date/Time: 17/10/2015 1:26:15 AM
Type: Information Category: 0
Event: 7036 Source: Service Control Manager
The SSDP Discovery service entered the running state.

Log: 'System' Date/Time: 17/10/2015 1:26:15 AM
Type: Information Category: 0
Event: 7036 Source: Service Control Manager
The Google Update Service (gupdate) service entered the stopped state.

Log: 'System' Date/Time: 17/10/2015 1:26:14 AM
Type: Information Category: 0
Event: 7036 Source: Service Control Manager
The Google Update Service (gupdate) service entered the running state.

Log: 'System' Date/Time: 17/10/2015 1:26:14 AM
Type: Information Category: 0
Event: 7036 Source: Service Control Manager
The Portable Device Enumerator Service service entered the stopped state.

Log: 'System' Date/Time: 17/10/2015 1:26:14 AM
Type: Information Category: 0
Event: 7036 Source: Service Control Manager
The Windows Media Player Network Sharing Service service entered the running state.

Log: 'System' Date/Time: 17/10/2015 1:26:14 AM
Type: Information Category: 0
Event: 14204 Source: Microsoft-Windows-WMPNSS-Service
Service 'WMPNetworkSvc' started.

Log: 'System' Date/Time: 17/10/2015 1:26:11 AM
Type: Information Category: 0
Event: 7036 Source: Service Control Manager
The Windows Font Cache Service service entered the running state.

Log: 'System' Date/Time: 17/10/2015 1:24:24 AM
Type: Information Category: 0
Event: 7036 Source: Service Control Manager
The Computer Browser service entered the stopped state.

Log: 'System' Date/Time: 17/10/2015 1:24:21 AM
Type: Information Category: 0
Event: 7036 Source: Service Control Manager
The WinHTTP Web Proxy Auto-Discovery Service service entered the running state.

Log: 'System' Date/Time: 17/10/2015 1:24:19 AM
Type: Information Category: 7005
Event: 20003 Source: Microsoft-Windows-UserPnp
Driver Management has concluded the process to add Service tunnel for Device Instance ID ROOT\*ISATAP\0002 with the following status: 0.

Log: 'System' Date/Time: 17/10/2015 1:24:18 AM
Type: Information Category: 0
Event: 7036 Source: Service Control Manager
The Computer Browser service entered the running state.

Log: 'System' Date/Time: 17/10/2015 1:24:14 AM
Type: Information Category: 0
Event: 7036 Source: Service Control Manager
The Bluetooth Support Service service entered the running state.

Juliet · Oct 17, 2015

Evidence of a pretty bad infection here.

I see a few items located in the startup folder that needs to be removed.

c:\users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\

restore_files_mkkgj.html [2015-8-22 5081]
restore_files_mkkgj.txt [2015-8-22 2253]
restore_files_qnhwg.html [2015-8-22 3822]
restore_files_qnhwg.txt [2015-8-22 2170]

I'm going to try and have this script remove it, if it doesn't might need to go through MSCONFIG and look through your startups list.

Next: Disconnect from the internet. If you are on Cable or DSL unplug your computer from the modem.
Next: Please disable all onboard security programs (all running with back ground protection) as it may hinder the scanner from working.
This includes Antivirus, Firewall, and any Spyware scanners that run in the background.

Click on this link Here to see a list of programs that should be disabled.
The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

Please open Notepad *Do Not Use Wordpad!* or use any other text editor than Notepad or the script will fail. (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the quote box below:
Save this as "CFScript.txt" including quotes and change the "Save as type" to "All Files" and place it on your desktop.

Registry::
c:\users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
"restore_files_mkkgj.html"=-
"restore_files_mkkgj.txt"=-
"restore_files_qnhwg.html"=-
"restore_files_qnhwg.txt"=-

Save this as "CFScript.txt" including quotes and change the "Save as type" to "All Files" and place it on your desktop.

Referring to the screenshot above, drag CFScript.txt into ComboFix.exe. ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
When finished, it shall produce a log for you, C:\ComboFix.txt. Post that log in your next reply.
CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

If there are internet issues afterward:

*In IE: Tools Menu -> Internet Options -> Connections Tab ->Lan Settings > uncheck "use a proxy server" or reconfigure the Proxy server again in case you have set it previously.

In Firefox in Tools Menu -> Options... -> Advanced Tab -> Network Tab -> "Settings" under Connection and uncheck the proxyserver, set it to No Proxy.

Chrome:
Select -> Tools menu -> then "Options", then go to "Change Proxy Settings", then "LAN Settings" , then take out the check mark for "Use a proxy server for your LAN" if set, unless you set this up yourself.

~~~~~~~~~~~~~~~`

Download the latest version of TDSSKiller from here and save it to your Desktop.

http://media.kaspersky.com/utilities/VirusUtilities/EN/tdsskiller.exe

http://www.bleepingcomputer.com/download/tdsskiller/dl/4/

Doubleclick on TDSSKiller.exe to run the application
Then click on Change parameters.
Check the boxes beside Verify Driver Digital Signature, Detect TDLFS file system and Use KSN to scan objects , then click OK.
Click the Start Scan button.
If a suspicious object is detected, the default action will be Skip, click on Continue.
If malicious objects are found, they will show in the Scan results and offer three (3) options.
Ensure Cure is selected, then click Continue => Reboot now to finish the cleaning process.
Get the report by selecting Reports
Note: If Cure is not available, please choose Skip instead, do not choose Delete unless instructed.

Please copy and paste its contents on your next reply.

A report will be created in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.

~~

Please post these 2 logs when finished.

computer under attack!

New member

Security Expert-emeritus

New member

New member

Security Expert-emeritus

New member

Security Expert-emeritus

Security Expert-emeritus

New member

New member

New member

Security Expert-emeritus

Security Expert-emeritus

Security Expert-emeritus

New member

New member

Security Expert-emeritus

New member

New member

Security Expert-emeritus