
Help with Trojan/Virus Please


  • This topic is locked
4 replies to this topic

#1 chefwerblin

    New Member

  • Members
  • 2 posts

Posted 10 November 2016 - 06:53 PM

Hi there,


I have a trojan or virus that I cannot seem to shake. I downloaded SpyHunter4 and ran a full scan, cleaned and rebooted the system. When I do a standard boot, I get a strange Desktop Manager screen pop-up that cannot be closed, and if I try to open any type of internet browser, I get a large warning notice in the bottom right corner of my screen. I really don't know what else to do.


This is the result of my Farbar scan. I can't run DDS because I am on Windows 8.1.

Thanks for your help!


Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 04-11-2016
Ran by Andrew (administrator) on WERBLIN (10-11-2016 18:20:08)
Running from C:\Users\Andrew\Downloads
Loaded Profiles: Andrew (Available Profiles: Andrew)
Platform: Windows 8.1 (Update) (X64) Language: English (United States)
Internet Explorer Version 11 (Default browser: IE)
Boot Mode: Safe Mode (with Networking)
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo...very-scan-tool/
 
==================== Processes (Whitelisted) =================
 
(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)
 
(Microsoft Corporation) C:\Windows\System32\dllhost.exe
(Enigma Software Group USA, LLC.) C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter4.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
 
 
==================== Registry (Whitelisted) ====================
 
(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)
 
HKLM\...\Run: [Zune Launcher] => C:\Program Files\Zune\ZuneLauncher.exe [163552 2011-08-05] (Microsoft Corporation)
HKLM-x32\...\Run: [SunJavaUpdateSched] => C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe [598552 2016-06-22] (Oracle Corporation)
HKLM-x32\...\Run: [HP Software Update] => C:\Program Files (x86)\Hp\HP Software Update\HPWuSchd2.exe [96056 2013-05-30] (Hewlett-Packard)
HKLM-x32\...\Run: [] => [X]
HKLM-x32\...\Run: [MegaPanel] => C:\Program Files (x86)\National Consumer Panel\NCP Internet Transporter\HSTrans.exe [2113536 2011-03-21] (NCP)
HKU\S-1-5-21-1539042780-2021664212-3557231818-1001\...\MountPoints2: {a18d1d20-63bc-11e6-825a-40f02f4a35b5} - "E:\VerizonWirelessUpgradeAssistantSetup.exe" -a
HKU\S-1-5-21-1539042780-2021664212-3557231818-1001\Control Panel\Desktop\\SCRNSAVE.EXE -> C:\Users\Andrew\Desktop\dds.scr
HKU\S-1-5-18\...\Run: [WinResSync] => C:\Windows\system32\regsvr32.exe /s "C:\Users\Andrew\AppData\Roaming\Microsoft\Protect\887ed5ff-558f-4421-a80c-0e629cebde75.rs"
HKU\S-1-5-18\...\RunOnce: [WinResSync] => C:\Windows\system32\regsvr32.exe /s "C:\Users\Andrew\AppData\Roaming\Microsoft\Protect\887ed5ff-558f-4421-a80c-0e629cebde75.rs"
Lsa: [Notification Packages] scecli C:\Program Files\TrueKey\McAfeeTrueKeyPasswordFilter
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\McAfee Security Scan Plus.lnk [2016-10-31]
ShortcutTarget: McAfee Security Scan Plus.lnk -> C:\Program Files\McAfee Security Scan\3.11.427\SSScheduler.exe (McAfee, Inc.)
Startup: C:\Users\Andrew\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TaskSchd.lnk [2016-11-10]
ShortcutTarget: TaskSchd.lnk -> C:\Program Files (x86)\Windows Apps\PowerSaver\PowerSaver.exe (Microsoft Corporation)
 
==================== Internet (Whitelisted) ====================
 
(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)
 
Hosts: 0.0.0.1 mssplus.mcafee.com
Tcpip\Parameters: [DhcpNameServer] 192.168.1.1
Tcpip\..\Interfaces\{01D20F0B-E41C-4DC5-8B2B-2A952E6DD6FD}: [DhcpNameServer] 192.168.1.1
 
Internet Explorer:
==================
HKU\S-1-5-21-1539042780-2021664212-3557231818-1001\Software\Microsoft\Internet Explorer\Main,Start Page = 
BHO-x32: True Key Helper -> {0F4B8786-5502-4803-8EBC-F652A1153BB6} -> C:\Program Files\Intel Security\True Key\MSIE\truekey_ie.dll [2016-07-15] (Intel Security)
BHO-x32: Java™ Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files (x86)\Java\jre1.8.0_101\bin\ssv.dll [2016-08-02] (Oracle Corporation)
BHO-x32: Java™ Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files (x86)\Java\jre1.8.0_101\bin\jp2ssv.dll [2016-08-02] (Oracle Corporation)
Toolbar: HKLM-x32 - True Key - {4BAAC1B8-0800-42C9-8FA6-08B211F356B8} - C:\Program Files\Intel Security\True Key\MSIE\truekey_ie.dll [2016-07-15] (Intel Security)
Toolbar: HKU\S-1-5-21-1539042780-2021664212-3557231818-1001 -> No Name - {4BAAC1B8-0800-42C9-8FA6-08B211F356B8} -  No File
 
FireFox:
========
FF DefaultProfile: tfk4owqi.default
FF ProfilePath: C:\Users\Andrew\AppData\Roaming\Mozilla\Firefox\Profiles\tfk4owqi.default [2016-11-10]
FF DefaultSearchEngine: Mozilla\Firefox\Profiles\tfk4owqi.default -> Yahoo!
FF SelectedSearchEngine: Mozilla\Firefox\Profiles\tfk4owqi.default -> Yahoo!
FF Extension: (All Aboard) - C:\Users\Andrew\AppData\Roaming\Mozilla\Firefox\Profiles\tfk4owqi.default\Extensions\@all-aboard-v1 [2016-08-01]
FF Plugin: @adobe.com/FlashPlayer -> C:\Windows\system32\Macromed\Flash\NPSWF64_23_0_0_205.dll [2016-10-27] ()
FF Plugin-x32: @adobe.com/FlashPlayer -> C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_23_0_0_205.dll [2016-10-27] ()
FF Plugin-x32: @java.com/DTPlugin,version=11.101.2 -> C:\Program Files (x86)\Java\jre1.8.0_101\bin\dtplugin\npDeployJava1.dll [2016-08-02] (Oracle Corporation)
FF Plugin-x32: @java.com/JavaPlugin,version=11.101.2 -> C:\Program Files (x86)\Java\jre1.8.0_101\bin\plugin2\npjp2.dll [2016-08-02] (Oracle Corporation)
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.31.5\npGoogleUpdate3.dll [2016-08-07] (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.31.5\npGoogleUpdate3.dll [2016-08-07] (Google Inc.)
FF Plugin-x32: @videolan.org/vlc,version=2.2.4 -> C:\Program Files (x86)\VideoLAN\VLC\npvlc.dll [2016-06-01] (VideoLAN)
FF Plugin ProgramFiles/Appdata: C:\Users\Andrew\AppData\Roaming\mozilla\plugins\npatgpc.dll [2016-09-06] (Cisco WebEx LLC)
 
Chrome: 
=======
CHR DefaultProfile: Default
CHR Profile: C:\Users\Andrew\AppData\Local\Google\Chrome\User Data\Default [2016-11-10]
CHR Extension: (Google Slides) - C:\Users\Andrew\AppData\Local\Google\Chrome\User Data\Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek [2016-08-07]
CHR Extension: (Google Docs) - C:\Users\Andrew\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake [2016-08-07]
CHR Extension: (Google Drive) - C:\Users\Andrew\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2016-08-07]
CHR Extension: (YouTube) - C:\Users\Andrew\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2016-08-07]
CHR Extension: (Honey) - C:\Users\Andrew\AppData\Local\Google\Chrome\User Data\Default\Extensions\bmnlcjabgnpnenekpadlanbbkooimhnj [2016-11-07]
CHR Extension: (eBay) - C:\Users\Andrew\AppData\Local\Google\Chrome\User Data\Default\Extensions\bnadbgmffcofipfljniafanjcafjlbom [2016-08-07]
CHR Extension: (Classic Games) - C:\Users\Andrew\AppData\Local\Google\Chrome\User Data\Default\Extensions\bpckajjkmjncafjlkielcgheibdlnfgc [2016-08-07]
CHR Extension: (Adblock Plus) - C:\Users\Andrew\AppData\Local\Google\Chrome\User Data\Default\Extensions\cfhdojbkjhnklbpkdaibdccddilifddb [2016-10-30]
CHR Extension: (Spotify - Music for every moment) - C:\Users\Andrew\AppData\Local\Google\Chrome\User Data\Default\Extensions\cnkjkdjlofllcpbemipjbcpfnglbgieh [2016-08-07]
CHR Extension: (PanicButton) - C:\Users\Andrew\AppData\Local\Google\Chrome\User Data\Default\Extensions\faminaibgiklngmfpfbhmokfmnglamcm [2016-08-07]
CHR Extension: (Pandora) - C:\Users\Andrew\AppData\Local\Google\Chrome\User Data\Default\Extensions\fbangkleohkafngihneedemihgfeikcl [2016-08-07]
CHR Extension: (Google Sheets) - C:\Users\Andrew\AppData\Local\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap [2016-08-07]
CHR Extension: (Google Docs Offline) - C:\Users\Andrew\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi [2016-08-08]
CHR Extension: (TweetDeck by Twitter) - C:\Users\Andrew\AppData\Local\Google\Chrome\User Data\Default\Extensions\hbdpomandigafcibbmofojjchbcdagbl [2016-08-07]
CHR Extension: (The Weather Channel for Chrome) - C:\Users\Andrew\AppData\Local\Google\Chrome\User Data\Default\Extensions\iflpcokdamgefbghpdipcibmhlkdopop [2016-08-07]
CHR Extension: (Cisco WebEx Extension) - C:\Users\Andrew\AppData\Local\Google\Chrome\User Data\Default\Extensions\jlhmfgmfgeifomenelglieieghnjghma [2016-09-06]
CHR Extension: (Wikibuy) - C:\Users\Andrew\AppData\Local\Google\Chrome\User Data\Default\Extensions\nenlahapcbofgnanklpelkaejcehkggg [2016-11-10]
CHR Extension: (Chrome Web Store Payments) - C:\Users\Andrew\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2016-08-07]
CHR Extension: (Bubble Shooter Exclusive) - C:\Users\Andrew\AppData\Local\Google\Chrome\User Data\Default\Extensions\pfaogkfljpdfmodbmbogiiblppijleen [2016-08-07]
CHR Extension: (Gmail) - C:\Users\Andrew\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2016-08-07]
CHR Extension: (Chrome Media Router) - C:\Users\Andrew\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm [2016-10-25]
 
==================== Services (Whitelisted) ====================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
S2 HPSupportSolutionsFrameworkService; C:\Program Files (x86)\Hewlett-Packard\HP Support Solutions\HPSupportSolutionsFrameworkService.exe [29728 2016-08-15] (HP Inc.)
S2 igfxCUIService1.0.0.0; C:\Windows\system32\igfxCUIService.exe [344168 2015-05-06] (Intel Corporation)
S2 IntelBCAsvc; C:\Program Files\Intel\BCA\pabeSvc64.exe [3026584 2016-05-06] (Intel® Corporation)
S3 McComponentHostService; C:\Program Files\McAfee Security Scan\3.11.427\McCHSvc.exe [329480 2016-10-13] (McAfee, Inc.)
S2 SpyHunter 4 Service; C:\Program Files\Enigma Software Group\SpyHunter\SH4Service.exe [859816 2016-11-08] (Enigma Software Group USA, LLC.)
S2 TrueKey; C:\Program Files\TrueKey\McAfee.TrueKey.Service.exe [908256 2016-07-22] (McAfee, Inc.)
S2 TrueKeyScheduler; C:\Program Files\TrueKey\McTkSchedulerService.exe [15736 2016-07-22] (McAfee, Inc.)
S3 TrueKeyServiceHelper; C:\Program Files\TrueKey\McAfee.TrueKey.ServiceHelper.exe [86864 2016-07-22] (McAfee, Inc.)
S3 vmicguestinterface; C:\Windows\System32\ICSvc.dll [524800 2014-11-21] (Microsoft Corporation)
S3 vmicheartbeat; C:\Windows\System32\ICSvc.dll [524800 2014-11-21] (Microsoft Corporation)
S3 vmickvpexchange; C:\Windows\System32\ICSvc.dll [524800 2014-11-21] (Microsoft Corporation)
S3 vmicshutdown; C:\Windows\System32\ICSvc.dll [524800 2014-11-21] (Microsoft Corporation)
S3 vmictimesync; C:\Windows\System32\ICSvc.dll [524800 2014-11-21] (Microsoft Corporation)
S3 WdNisSvc; C:\Program Files\Windows Defender\NisSrv.exe [366552 2015-07-07] (Microsoft Corporation)
S3 WinDefend; C:\Program Files\Windows Defender\MsMpEng.exe [23824 2015-07-07] (Microsoft Corporation)
S2 InstallerService; C:\Program Files\TrueKey\Mcafee.TrueKey.InstallerService.exe [X]
S2 ZAMSvc; "C:\Program Files (x86)\Zemana AntiMalware\ZAM.exe" /service [X]
 
===================== Drivers (Whitelisted) ======================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
R3 athr; C:\Windows\system32\DRIVERS\athwbx.sys [4282904 2015-05-11] (Qualcomm Atheros Communications, Inc.)
R0 ebdrv; C:\Windows\System32\drivers\evbda.sys [3357024 2013-08-22] (Broadcom Corporation)
S3 esgiguard; C:\Program Files\Enigma Software Group\SpyHunter\esgiguard.sys [15920 2016-11-08] (Enigma Software Group USA, LLC.)
S3 EsgScanner; C:\Windows\System32\DRIVERS\EsgScanner.sys [22704 2016-11-08] ()
R3 MEIx64; C:\Windows\system32\DRIVERS\TeeDriverx64.sys [129312 2014-10-10] (Intel Corporation)
R3 SmbDrvI; C:\Windows\system32\DRIVERS\Smb_driver_Intel.sys [34544 2014-11-04] (Synaptics Incorporated)
S3 WdBoot; C:\Windows\system32\drivers\WdBoot.sys [44560 2015-07-07] (Microsoft Corporation)
S0 WdFilter; C:\Windows\System32\drivers\WdFilter.sys [270168 2015-07-07] (Microsoft Corporation)
S2 WdNisDrv; C:\Windows\System32\Drivers\WdNisDrv.sys [114520 2015-07-07] (Microsoft Corporation)
S1 ZAM; \??\C:\Windows\System32\drivers\zam64.sys [X]
S1 ZAM_Guard; \??\C:\Windows\System32\drivers\zamguard64.sys [X]
 
==================== NetSvcs (Whitelisted) ===================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
 
==================== One Month Created files and folders ========
 
(If an entry is included in the fixlist, the file/folder will be moved.)
 
2016-11-10 18:20 - 2016-11-10 18:20 - 00013128 _____ C:\Users\Andrew\Downloads\FRST.txt
2016-11-10 18:20 - 2016-11-10 18:20 - 00000000 ____D C:\FRST
2016-11-10 18:19 - 2016-11-10 18:19 - 02410496 _____ (Farbar) C:\Users\Andrew\Downloads\FRST64.exe
2016-11-10 18:18 - 2016-11-10 18:18 - 00688992 _____ (Swearware) C:\Users\Andrew\Downloads\dds.com
2016-11-10 18:17 - 2016-11-10 18:18 - 00688992 _____ (Swearware) C:\Users\Andrew\Downloads\dds.scr
2016-11-09 17:20 - 2016-11-09 17:22 - 00421830 _____ C:\TDSSKiller.3.1.0.12_09.11.2016_17.20.04_log.txt
2016-11-08 21:08 - 2016-11-08 21:09 - 00009964 _____ C:\native log.txt
2016-11-08 21:06 - 2016-11-08 21:56 - 00000000 ___HD C:\TzAaBQKFlccXclcK
2016-11-08 20:35 - 2016-11-08 20:35 - 00000000 ____D C:\Users\Andrew\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\SpyHunter
2016-11-08 20:35 - 2016-11-08 20:35 - 00000000 ____D C:\Users\Andrew\AppData\Roaming\Enigma Software Group
2016-11-08 20:35 - 2016-11-08 20:35 - 00000000 ____D C:\sh4ldr
2016-11-08 20:35 - 2016-11-08 20:35 - 00000000 _____ C:\autoexec.bat
2016-11-08 20:34 - 2016-11-08 20:34 - 00022704 _____ C:\Windows\system32\Drivers\EsgScanner.sys
2016-11-08 20:34 - 2016-11-08 20:34 - 00000000 ____D C:\Program Files\Enigma Software Group
2016-11-08 19:24 - 2016-11-08 19:24 - 00000000 ____D C:\Windows\pss
2016-11-08 18:15 - 2016-11-10 17:37 - 00000000 ____D C:\Program Files (x86)\Zemana AntiMalware
2016-11-08 18:15 - 2016-11-09 18:12 - 00035742 _____ C:\Windows\ZAM.krnl.trace
2016-11-08 18:15 - 2016-11-09 18:12 - 00007990 _____ C:\Windows\ZAM_Guard.krnl.trace
2016-11-08 18:15 - 2016-11-08 18:15 - 00000000 ____D C:\Users\Andrew\AppData\Local\Zemana
2016-11-08 18:12 - 2016-11-08 18:12 - 00005176 _____ C:\Windows\system32\.crusader
2016-11-08 18:06 - 2016-11-08 21:09 - 00000000 ____D C:\Windows\xBooster
2016-11-08 18:06 - 2016-11-08 18:06 - 00000000 ____D C:\Windows\cSysSecure
2016-11-08 17:47 - 2016-11-08 18:07 - 00000000 ____D C:\ProgramData\HitmanPro
2016-11-08 17:07 - 2016-11-10 18:16 - 00680842 _____ C:\Windows\ntbtlog.txt
2016-11-08 16:00 - 2016-11-08 16:00 - 00000000 ____D C:\ProgramData\Malwarebytes
2016-11-08 15:59 - 2016-11-08 15:59 - 00002790 _____ C:\Windows\System32\Tasks\CCleanerSkipUAC
2016-11-08 15:54 - 2016-11-08 17:44 - 00000000 ____D C:\AdwCleaner
2016-11-07 22:11 - 2016-11-07 22:11 - 00000000 ____D C:\Users\Andrew\AppData\Local\ElevatedDiagnostics
2016-11-07 21:39 - 2016-11-07 21:39 - 00004196 _____ C:\Users\Andrew\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\chrome.lnk
2016-11-07 21:23 - 2016-11-07 21:23 - 00000000 ____D C:\Windows\system32\aimo
2016-11-07 21:12 - 2016-11-07 21:12 - 00003426 _____ C:\Windows\System32\Tasks\UCBrowserUpdater
2016-11-07 21:12 - 2016-11-07 21:12 - 00002568 _____ C:\Windows\System32\Tasks\UCBrowserUpdaterCore
2016-11-07 21:10 - 2016-11-08 17:10 - 00000000 ____D C:\Users\Andrew\AppData\LocalLow\Company
2016-11-07 21:10 - 2016-11-07 21:10 - 00000000 ____D C:\Users\Andrew\AppData\Local\Tempfolder
2016-11-07 21:07 - 2016-11-08 21:09 - 00000000 ____D C:\Windows\SysWOW64\DiscCleaner
2016-11-07 21:06 - 2016-11-07 21:06 - 00000000 ____D C:\Program Files (x86)\Windows Apps
2016-11-07 21:06 - 2016-11-07 21:06 - 00000000 _____ C:\TOSTACK
2016-11-07 21:01 - 2016-11-07 21:15 - 00000000 ____D C:\Windows\system32\SSL
2016-11-01 19:44 - 2016-11-01 19:52 - 00000000 ____D C:\Users\Andrew\Documents\UserTesting
2016-11-01 19:43 - 2016-11-01 19:47 - 00000000 ____D C:\Users\Andrew\AppData\Local\UserTestingPlugin
2016-11-01 19:42 - 2016-11-01 19:44 - 17797624 _____ C:\Users\Andrew\Downloads\InstallUserTesting-v2.0.exe
2016-10-31 15:04 - 2016-10-31 15:04 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\McAfee Security Scan Plus
2016-10-30 19:54 - 2016-10-30 19:55 - 00013529 _____ C:\Users\Andrew\Desktop\Tempo Pasta.odt
2016-10-24 21:27 - 2016-10-30 20:54 - 00000000 ____D C:\Program Files (x86)\Mozilla Firefox
2016-10-14 23:29 - 2016-10-28 16:04 - 00828408 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2016-10-14 23:29 - 2016-10-28 16:04 - 00176632 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
2016-10-11 22:03 - 2016-09-12 18:48 - 00085680 _____ (Microsoft Corporation) C:\Windows\system32\CompatTelRunner.exe
2016-10-11 22:03 - 2016-09-09 08:38 - 01629184 _____ (Microsoft Corporation) C:\Windows\system32\appraiser.dll
2016-10-11 22:03 - 2016-09-09 08:38 - 01226752 _____ (Microsoft Corporation) C:\Windows\system32\aeinv.dll
2016-10-11 22:03 - 2016-09-09 08:38 - 00586752 _____ (Microsoft Corporation) C:\Windows\system32\generaltel.dll
2016-10-11 22:03 - 2016-09-09 08:38 - 00575488 _____ (Microsoft Corporation) C:\Windows\system32\devinv.dll
2016-10-11 22:03 - 2016-09-09 08:38 - 00314368 _____ (Microsoft Corporation) C:\Windows\system32\invagent.dll
2016-10-11 22:03 - 2016-09-09 08:38 - 00273408 _____ (Microsoft Corporation) C:\Windows\system32\centel.dll
2016-10-11 22:03 - 2016-09-09 08:38 - 00224256 _____ (Microsoft Corporation) C:\Windows\system32\aepic.dll
2016-10-11 22:03 - 2016-09-09 08:38 - 00129024 _____ (Microsoft Corporation) C:\Windows\system32\acmigration.dll
2016-10-11 22:03 - 2016-08-27 14:44 - 22360288 _____ (Microsoft Corporation) C:\Windows\system32\shell32.dll
2016-10-11 22:03 - 2016-08-27 14:44 - 02755504 _____ (Microsoft Corporation) C:\Windows\explorer.exe
2016-10-11 22:03 - 2016-08-27 14:44 - 00133256 _____ (Microsoft Corporation) C:\Windows\system32\RestoreOptIn.exe
2016-10-11 22:03 - 2016-08-27 13:26 - 19789232 _____ (Microsoft Corporation) C:\Windows\SysWOW64\shell32.dll
2016-10-11 22:03 - 2016-08-27 13:26 - 02411048 _____ (Microsoft Corporation) C:\Windows\SysWOW64\explorer.exe
2016-10-11 22:03 - 2016-08-27 13:26 - 00113656 _____ (Microsoft Corporation) C:\Windows\SysWOW64\RestoreOptIn.exe
2016-10-11 22:03 - 2016-08-27 11:09 - 14466560 _____ (Microsoft Corporation) C:\Windows\system32\twinui.dll
2016-10-11 22:03 - 2016-08-27 10:55 - 12879360 _____ (Microsoft Corporation) C:\Windows\SysWOW64\twinui.dll
2016-10-11 21:05 - 2016-09-30 19:22 - 07444312 _____ (Microsoft Corporation) C:\Windows\system32\ntoskrnl.exe
2016-10-11 21:05 - 2016-09-30 02:55 - 25765376 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.dll
2016-10-11 21:05 - 2016-09-30 01:25 - 02895360 _____ (Microsoft Corporation) C:\Windows\system32\iertutil.dll
2016-10-11 21:05 - 2016-09-30 01:25 - 00576000 _____ (Microsoft Corporation) C:\Windows\system32\vbscript.dll
2016-10-11 21:05 - 2016-09-30 01:12 - 00817664 _____ (Microsoft Corporation) C:\Windows\system32\jscript.dll
2016-10-11 21:05 - 2016-09-30 01:09 - 06048256 _____ (Microsoft Corporation) C:\Windows\system32\jscript9.dll
2016-10-11 21:05 - 2016-09-30 00:47 - 20306944 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll
2016-10-11 21:05 - 2016-09-30 00:42 - 00498688 _____ (Microsoft Corporation) C:\Windows\SysWOW64\vbscript.dll
2016-10-11 21:05 - 2016-09-30 00:41 - 01033216 _____ (Microsoft Corporation) C:\Windows\system32\inetcomm.dll
2016-10-11 21:05 - 2016-09-30 00:38 - 02286592 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll
2016-10-11 21:05 - 2016-09-30 00:33 - 00724992 _____ (Microsoft Corporation) C:\Windows\system32\ie4uinit.exe
2016-10-11 21:05 - 2016-09-30 00:33 - 00378880 _____ (Microsoft Corporation) C:\Windows\system32\iedkcs32.dll
2016-10-11 21:05 - 2016-09-30 00:32 - 00806912 _____ (Microsoft Corporation) C:\Windows\system32\msfeeds.dll
2016-10-11 21:05 - 2016-09-30 00:31 - 02131456 _____ (Microsoft Corporation) C:\Windows\system32\inetcpl.cpl
2016-10-11 21:05 - 2016-09-30 00:21 - 15257088 _____ (Microsoft Corporation) C:\Windows\system32\ieframe.dll
2016-10-11 21:05 - 2016-09-30 00:17 - 02920960 _____ (Microsoft Corporation) C:\Windows\system32\wininet.dll
2016-10-11 21:05 - 2016-09-30 00:12 - 04608512 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll
2016-10-11 21:05 - 2016-09-30 00:11 - 00880640 _____ (Microsoft Corporation) C:\Windows\SysWOW64\inetcomm.dll
2016-10-11 21:05 - 2016-09-30 00:06 - 00330752 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iedkcs32.dll
2016-10-11 21:05 - 2016-09-30 00:05 - 02055680 _____ (Microsoft Corporation) C:\Windows\SysWOW64\inetcpl.cpl
2016-10-11 21:05 - 2016-09-30 00:05 - 01544192 _____ (Microsoft Corporation) C:\Windows\system32\urlmon.dll
2016-10-11 21:05 - 2016-09-30 00:05 - 00693248 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msfeeds.dll
2016-10-11 21:05 - 2016-09-30 00:03 - 13653504 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll
2016-10-11 21:05 - 2016-09-29 23:46 - 02444288 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll
2016-10-11 21:05 - 2016-09-29 23:43 - 01312768 _____ (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll
2016-10-11 21:05 - 2016-09-17 13:16 - 00103424 _____ (Microsoft Corporation) C:\Windows\system32\adsmsext.dll
2016-10-11 21:05 - 2016-09-17 12:53 - 00445440 _____ (Microsoft Corporation) C:\Windows\system32\certcli.dll
2016-10-11 21:05 - 2016-09-17 12:21 - 00089600 _____ (Microsoft Corporation) C:\Windows\SysWOW64\adsmsext.dll
2016-10-11 21:05 - 2016-09-17 12:03 - 00324096 _____ (Microsoft Corporation) C:\Windows\SysWOW64\certcli.dll
2016-10-11 21:05 - 2016-09-17 12:02 - 01446400 _____ (Microsoft Corporation) C:\Windows\system32\lsasrv.dll
2016-10-11 21:05 - 2016-09-13 20:53 - 01663184 _____ (Microsoft Corporation) C:\Windows\system32\winload.efi
2016-10-11 21:05 - 2016-09-13 20:53 - 01523208 _____ (Microsoft Corporation) C:\Windows\system32\winload.exe
2016-10-11 21:05 - 2016-09-13 20:53 - 01490112 _____ (Microsoft Corporation) C:\Windows\system32\winresume.efi
2016-10-11 21:05 - 2016-09-13 20:53 - 01358952 _____ (Microsoft Corporation) C:\Windows\system32\winresume.exe
2016-10-11 21:05 - 2016-09-12 17:03 - 00061440 _____ (Microsoft Corporation) C:\Windows\system32\offreg.dll
2016-10-11 21:05 - 2016-09-12 16:01 - 00047104 _____ (Microsoft Corporation) C:\Windows\SysWOW64\offreg.dll
2016-10-11 21:05 - 2016-09-09 09:17 - 04170752 _____ (Microsoft Corporation) C:\Windows\system32\win32k.sys
2016-10-11 21:05 - 2016-09-08 15:41 - 00121176 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\tm.sys
2016-10-11 21:05 - 2016-09-08 09:00 - 00140800 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\mrxdav.sys
2016-10-11 21:05 - 2016-09-08 09:00 - 00138240 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\dfsc.sys
2016-10-11 21:05 - 2016-09-07 17:07 - 01988096 _____ (Microsoft Corporation) C:\Windows\system32\DWrite.dll
2016-10-11 21:05 - 2016-09-07 16:59 - 01754112 _____ (Microsoft Corporation) C:\Windows\system32\GdiPlus.dll
2016-10-11 21:05 - 2016-09-07 16:59 - 01377792 _____ (Microsoft Corporation) C:\Windows\system32\FntCache.dll
2016-10-11 21:05 - 2016-09-07 16:57 - 01560064 _____ (Microsoft Corporation) C:\Windows\SysWOW64\DWrite.dll
2016-10-11 21:05 - 2016-09-07 16:56 - 01491456 _____ (Microsoft Corporation) C:\Windows\SysWOW64\GdiPlus.dll
2016-10-11 21:05 - 2016-08-31 12:22 - 03754496 _____ (Microsoft Corporation) C:\Windows\system32\MSVidCtl.dll
2016-10-11 21:05 - 2016-08-31 11:33 - 02410496 _____ (Microsoft Corporation) C:\Windows\SysWOW64\MSVidCtl.dll
2016-10-11 21:05 - 2016-08-27 11:33 - 02881536 _____ (Microsoft Corporation) C:\Windows\system32\actxprxy.dll
2016-10-11 21:05 - 2016-08-27 11:11 - 01049600 _____ (Microsoft Corporation) C:\Windows\SysWOW64\actxprxy.dll
2016-10-11 21:05 - 2016-08-25 15:50 - 00747008 _____ (Microsoft Corporation) C:\Windows\system32\ntshrui.dll
2016-10-11 21:05 - 2016-08-25 14:40 - 00678400 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ntshrui.dll
2016-10-11 21:05 - 2016-08-20 17:24 - 02778624 _____ (Microsoft Corporation) C:\Windows\system32\authui.dll
2016-10-11 21:05 - 2016-08-20 17:12 - 02463744 _____ (Microsoft Corporation) C:\Windows\SysWOW64\authui.dll
2016-10-11 21:05 - 2016-08-12 19:05 - 09323008 _____ (Microsoft Corporation) C:\Windows\system32\wmploc.DLL
2016-10-11 21:05 - 2016-08-12 19:03 - 00024576 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\vwifibus.sys
2016-10-11 21:05 - 2016-08-12 19:02 - 00071680 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\vwififlt.sys
2016-10-11 21:05 - 2016-08-12 19:01 - 00038912 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\vwifimp.sys
2016-10-11 21:05 - 2016-08-12 17:35 - 00222208 _____ (Microsoft Corporation) C:\Windows\system32\rastapi.dll
2016-10-11 21:05 - 2016-08-12 17:19 - 09323008 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wmploc.DLL
2016-10-11 21:05 - 2016-08-12 16:47 - 15431168 _____ (Microsoft Corporation) C:\Windows\system32\wmp.dll
2016-10-11 21:05 - 2016-08-12 16:17 - 00207872 _____ (Microsoft Corporation) C:\Windows\SysWOW64\rastapi.dll
2016-10-11 21:05 - 2016-08-12 15:52 - 13317120 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wmp.dll
2016-10-11 21:05 - 2016-08-11 20:58 - 02315496 _____ (Microsoft Corporation) C:\Windows\system32\d3d11.dll
2016-10-11 21:05 - 2016-08-11 20:58 - 01946176 _____ (Microsoft Corporation) C:\Windows\SysWOW64\d3d11.dll
2016-10-11 21:05 - 2016-08-11 13:33 - 00096256 ____C (Microsoft Corporation) C:\Windows\system32\Drivers\parport.sys
2016-10-11 21:05 - 2016-08-11 13:33 - 00083456 ____C (Microsoft Corporation) C:\Windows\system32\Drivers\serial.sys
2016-10-11 21:05 - 2016-08-11 13:33 - 00023040 ____C (Microsoft Corporation) C:\Windows\system32\Drivers\serenum.sys
2016-10-11 21:05 - 2016-08-11 12:17 - 01574912 _____ (Microsoft Corporation) C:\Windows\system32\wbengine.exe
2016-10-11 21:05 - 2016-08-11 08:39 - 00445765 _____ C:\Windows\system32\ApnDatabase.xml
2016-10-11 21:05 - 2016-08-11 00:46 - 00420184 ____C (Microsoft Corporation) C:\Windows\system32\Drivers\spaceport.sys
2016-10-11 21:05 - 2016-08-03 10:42 - 01317888 _____ (Microsoft Corporation) C:\Windows\system32\Windows.Media.Streaming.dll
2016-10-11 21:05 - 2016-08-03 10:36 - 01102848 _____ (Microsoft Corporation) C:\Windows\SysWOW64\Windows.Media.Streaming.dll
2016-10-11 21:05 - 2016-08-03 10:36 - 00289792 _____ (Microsoft Corporation) C:\Windows\system32\PlayToDevice.dll
2016-10-11 21:05 - 2016-08-03 10:33 - 00215552 _____ (Microsoft Corporation) C:\Windows\SysWOW64\PlayToDevice.dll
2016-10-11 21:05 - 2016-07-30 12:12 - 02896384 _____ (Microsoft Corporation) C:\Windows\system32\esent.dll
2016-10-11 21:05 - 2016-07-30 11:36 - 02537472 _____ (Microsoft Corporation) C:\Windows\SysWOW64\esent.dll
2016-10-11 21:05 - 2016-07-23 13:18 - 01220096 _____ (Microsoft Corporation) C:\Windows\system32\twinui.appcore.dll
2016-10-11 21:05 - 2016-07-23 13:12 - 00954880 _____ (Microsoft Corporation) C:\Windows\SysWOW64\twinui.appcore.dll
2016-10-11 21:04 - 2016-09-30 00:32 - 00663552 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jscript.dll
2016-10-11 21:04 - 2016-09-29 23:54 - 00800768 _____ (Microsoft Corporation) C:\Windows\system32\ieapfltr.dll
2016-10-11 21:04 - 2016-09-29 23:42 - 00710144 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieapfltr.dll
2016-10-11 21:04 - 2016-07-26 08:40 - 00162850 _____ C:\Windows\SysWOW64\C_932.NLS
2016-10-11 21:04 - 2016-07-26 08:40 - 00162850 _____ C:\Windows\system32\C_932.NLS
 
==================== One Month Modified files and folders ========
 
(If an entry is included in the fixlist, the file/folder will be moved.)
 
2016-11-10 18:17 - 2014-11-21 03:44 - 00863592 _____ C:\Windows\system32\PerfStringBackup.INI
2016-11-10 18:17 - 2013-08-22 08:36 - 00000000 ____D C:\Windows\Inf
2016-11-10 17:42 - 2013-08-22 09:45 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2016-11-10 17:42 - 2013-08-22 08:25 - 00262144 ___SH C:\Windows\system32\config\BBI
2016-11-10 17:40 - 2016-08-07 21:29 - 00000938 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2016-11-10 17:40 - 2016-08-01 20:00 - 00000000 ____D C:\Users\Andrew\OneDrive
2016-11-10 17:39 - 2016-08-07 21:28 - 00000934 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2016-11-10 17:39 - 2016-08-01 19:58 - 00000000 __SHD C:\Users\Andrew\IntelGraphicsProfiles
2016-11-10 17:09 - 2016-08-02 15:49 - 00000000 ____D C:\Users\Andrew\AppData\Roaming\uTorrent
2016-11-09 18:04 - 2016-08-01 21:06 - 00000830 _____ C:\Windows\Tasks\Adobe Flash Player Updater.job
2016-11-09 17:33 - 2016-08-03 04:12 - 00000000 ____D C:\Windows\system32\MRT
2016-11-09 17:33 - 2013-08-22 10:20 - 00000000 ____D C:\Windows\CbsTemp
2016-11-09 17:31 - 2016-08-03 04:12 - 141011376 ____C (Microsoft Corporation) C:\Windows\system32\MRT.exe
2016-11-09 17:20 - 2016-08-01 20:00 - 00003926 _____ C:\Windows\System32\Tasks\User_Feed_Synchronization-{07112854-DCCA-4BF8-AFCA-BF8CF584F142}
2016-11-08 22:55 - 2016-08-01 20:04 - 00003600 _____ C:\Windows\System32\Tasks\Optimize Start Menu Cache Files-S-1-5-21-1539042780-2021664212-3557231818-1001
2016-11-08 21:12 - 2016-08-07 21:29 - 00002215 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome.lnk
2016-11-08 21:09 - 2016-08-01 19:58 - 00000000 ____D C:\Users\Andrew
2016-11-08 20:56 - 2016-09-22 08:34 - 00000000 ____D C:\Users\Andrew\Downloads\TV
2016-11-08 16:54 - 2016-07-29 14:15 - 00000000 ____D C:\Windows\Panther
2016-11-07 22:11 - 2016-08-03 11:30 - 00000000 ____D C:\Users\Andrew\AppData\Roaming\vlc
2016-11-07 21:35 - 2013-08-22 10:36 - 00000000 ____D C:\Windows\system32\NDF
2016-11-07 21:23 - 2016-08-07 16:05 - 00000352 _____ C:\Windows\Tasks\HPCeeScheduleForAndrew.job
2016-11-07 16:14 - 2016-08-07 16:05 - 00003168 _____ C:\Windows\System32\Tasks\HPCeeScheduleForAndrew
2016-11-01 19:42 - 2016-08-08 16:38 - 00000000 ____D C:\Users\Andrew\Documents\UMI
2016-10-31 19:10 - 2016-08-07 21:28 - 00000000 ____D C:\Users\Andrew\AppData\Local\Google
2016-10-31 18:11 - 2016-08-17 10:03 - 00000000 ____D C:\Users\Andrew\Downloads\Movies
2016-10-31 15:26 - 2016-10-09 19:36 - 00000000 ____D C:\Users\Andrew\AppData\LocalLow\uTorrent
2016-10-31 15:04 - 2016-08-15 11:14 - 00001980 _____ C:\Users\Public\Desktop\McAfee Security Scan Plus.lnk
2016-10-31 15:04 - 2016-08-01 22:26 - 00000000 ____D C:\Program Files\McAfee Security Scan
2016-10-30 20:54 - 2016-10-10 21:08 - 00000000 ____D C:\Users\Andrew\AppData\Local\Spotify
2016-10-30 20:54 - 2016-08-01 20:02 - 00000000 ____D C:\Program Files (x86)\Mozilla Maintenance Service
2016-10-30 20:53 - 2016-10-10 21:07 - 00000000 ____D C:\Users\Andrew\AppData\Roaming\Spotify
2016-10-27 20:22 - 2016-08-03 00:06 - 00485032 _____ (Microsoft Corporation) C:\Windows\system32\MpSigStub.exe
2016-10-27 00:04 - 2016-08-01 21:06 - 00003718 _____ C:\Windows\System32\Tasks\Adobe Flash Player Updater
2016-10-27 00:04 - 2013-08-22 10:36 - 00000000 ____D C:\Windows\SysWOW64\Macromed
2016-10-27 00:04 - 2013-08-22 10:36 - 00000000 ____D C:\Windows\system32\Macromed
2016-10-26 18:30 - 2016-08-17 10:03 - 00000000 ____D C:\Users\Andrew\Downloads\Movies Watched
2016-10-16 10:53 - 2013-08-22 10:36 - 00000000 ____D C:\Windows\rescache
2016-10-15 16:53 - 2016-08-01 20:19 - 00000000 ___RD C:\Users\Andrew\Podcasts
2016-10-14 23:28 - 2013-08-22 09:44 - 00364880 _____ C:\Windows\system32\FNTCACHE.DAT
2016-10-14 23:23 - 2016-08-08 03:18 - 00000000 ____D C:\Windows\system32\appraiser
2016-10-14 23:23 - 2014-11-21 10:56 - 00000000 ___SD C:\Windows\system32\CompatTel
2016-10-14 23:23 - 2013-08-22 10:36 - 00000000 ___RD C:\Windows\ToastData
2016-10-14 14:56 - 2014-11-21 04:15 - 00474112 _____ (Microsoft Corporation) C:\Windows\system32\pcasvc.dll
2016-10-14 14:36 - 2016-10-09 21:05 - 00027973 _____ C:\Users\Andrew\Desktop\Music List.odt
2016-10-14 09:05 - 2013-08-22 10:36 - 00000000 ____D C:\Windows\AppReadiness
 
==================== Files in the root of some directories =======
 
2016-08-07 15:47 - 2016-08-07 15:47 - 0000057 _____ () C:\ProgramData\Ament.ini
 
Some files in TEMP:
====================
C:\Users\Andrew\AppData\Local\Temp\AnonymizerGadgetSetup.1.000.1680.exe
C:\Users\Andrew\AppData\Local\Temp\cpa.exe
C:\Users\Andrew\AppData\Local\Temp\cubecc.exe
C:\Users\Andrew\AppData\Local\Temp\diskpower-installer.exe
C:\Users\Andrew\AppData\Local\Temp\gamesInstall.exe
C:\Users\Andrew\AppData\Local\Temp\global_installer.exe
C:\Users\Andrew\AppData\Local\Temp\HitmanPro.exe
C:\Users\Andrew\AppData\Local\Temp\installer1.exe
C:\Users\Andrew\AppData\Local\Temp\OneSystemCare.exe
C:\Users\Andrew\AppData\Local\Temp\setup.exe
C:\Users\Andrew\AppData\Local\Temp\wait.exe
 
 
==================== Bamital & volsnap ======================
 
(There is no automatic fix for files that do not pass verification.)
 
C:\Windows\system32\winlogon.exe => File is digitally signed
C:\Windows\system32\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\system32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\system32\services.exe => File is digitally signed
C:\Windows\system32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\system32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\system32\rpcss.dll => File is digitally signed
C:\Windows\system32\dnsapi.dll => File is digitally signed
C:\Windows\SysWOW64\dnsapi.dll => File is digitally signed
C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed
 
 
LastRegBack: 2016-11-08 21:06
 
==================== End of FRST.txt ============================


#2 chefwerblin

chefwerblin

    New Member

  • Members
  • 2 posts

Posted 10 November 2016 - 07:21 PM

Also if you need a screenshot of what I described, I can post that as well.



#3 Juliet

Juliet

    Advanced Member

  • Trusted Malware Techs
  • 23,257 posts
  • Gender:Female


Posted 10 November 2016 - 08:44 PM

Don't know what's going on really

I get a strange Desktop Manager screen pop up that cannot be closed

 
When it does that, can you right-click on the taskbar to bring up Task Manager?
Possibly locate the .exe that's running and end task on it?
 
I see so many tools have been run on the machine, by chance are you receiving help at another forum?
 
Also, part of the Farbar Recovery Scan Tool =>Addition.txt isn't posted for me to see.
~~~~~~~~~~~

Go into add/remove programs and delete/remove SpyHunter <= not recommended

~~~~~~~~~~~~~~

Running from C:\Users\Andrew\Downloads

It's best we move Farbar's to desktop.

Please go to your downloads folder, locate Farbar Recovery Scan Tool, right click and select CUT
Go to an open spot on your desktop, right click and select PASTE
You should now have Farbar Recovery Scan Tool on your desktop.


Please open Notepad. *Do Not Use Wordpad!* or any text editor other than Notepad, or the script will fail. (Start -> Run -> type notepad in the Open field -> OK) Then copy and paste the text present inside the quote box below:
To do this, highlight the contents of the box, right click on it and select copy.
Paste this into the open Notepad and save it to the Desktop as fixlist.txt
NOTE. It's important that both files, FRST/FRST64 and fixlist.txt are in the same location or the fix will not work.
It needs to be saved Next to the "Farbar Recovery Scan Tool" (If asked to overwrite existing one please allow)


[screenshot: FRSTfix.JPG]

 

start
CreateRestorePoint:
CloseProcesses:
HKLM-x32\...\Run: [] => [X]
HKU\S-1-5-18\...\Run: [WinResSync] => C:\Windows\system32\regsvr32.exe /s "C:\Users\Andrew\AppData\Roaming\Microsoft\Protect\887ed5ff-558f-4421-a80c-0e629cebde75.rs"
HKU\S-1-5-18\...\RunOnce: [WinResSync] => C:\Windows\system32\regsvr32.exe /s "C:\Users\Andrew\AppData\Roaming\Microsoft\Protect\887ed5ff-558f-4421-a80c-0e629cebde75.rs"
BHO-x32: Java Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files (x86)\Java\jre1.8.0_101\bin\ssv.dll [2016-08-02] (Oracle Corporation)
BHO-x32: Java Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files (x86)\Java\jre1.8.0_101\bin\jp2ssv.dll [2016-08-02] (Oracle Corporation)
Toolbar: HKU\S-1-5-21-1539042780-2021664212-3557231818-1001 -> No Name - {4BAAC1B8-0800-42C9-8FA6-08B211F356B8} - No File
FF Plugin-x32: @java.com/DTPlugin,version=11.101.2 -> C:\Program Files (x86)\Java\jre1.8.0_101\bin\dtplugin\npDeployJava1.dll [2016-08-02] (Oracle Corporation)
FF Plugin-x32: @java.com/JavaPlugin,version=11.101.2 -> C:\Program Files (x86)\Java\jre1.8.0_101\bin\plugin2\npjp2.dll [2016-08-02] (Oracle Corporation)
C:\Users\Andrew\AppData\Local\Temp\AnonymizerGadgetSetup.1.000.1680.exe
C:\Users\Andrew\AppData\Local\Temp\cpa.exe
C:\Users\Andrew\AppData\Local\Temp\cubecc.exe
C:\Users\Andrew\AppData\Local\Temp\diskpower-installer.exe
C:\Users\Andrew\AppData\Local\Temp\gamesInstall.exe
C:\Users\Andrew\AppData\Local\Temp\global_installer.exe
C:\Users\Andrew\AppData\Local\Temp\HitmanPro.exe
C:\Users\Andrew\AppData\Local\Temp\installer1.exe
C:\Users\Andrew\AppData\Local\Temp\OneSystemCare.exe
C:\Users\Andrew\AppData\Local\Temp\setup.exe
C:\Users\Andrew\AppData\Local\Temp\wait.exe
EmptyTemp:
Hosts:
End


Open FRST/FRST64 and press the > Fix < button just once and wait.
If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.
When finished FRST will generate a log on the Desktop (Fixlog.txt). Please post it to your reply.
~~~~~~~~~~~~

Please download Emsisoft Emergency Kit and save it to your desktop.
Double click on the EmsisoftEmergencyKit file you downloaded to extract its contents and create a shortcut on the desktop.
  • Leave all settings as they are and click the Extract button at the bottom.
  • A folder named EEK will be created in the root of the drive (usually c:\).
  • After extraction please double-click on the new Start Emsisoft Emergency Kit icon on your desktop.
  • The first time you launch it, Emsisoft Emergency Kit will recommend that you allow it to download updates.
  • Please click Yes so that it downloads the latest database updates.
  • When the update process is complete, a new button will appear in the lower-left corner that says Back. Click on this button to return to the Overview screen.
  • Click on Scan to be taken to the scan options.
  • If you are asked if you want the scanner to scan for Potentially Unwanted Programs, then click Yes.
  • Click on the Malware Scan button to start the scan.
  • When the scan is completed click the View report button in the lower-right corner, and the scan log will be opened in Notepad.
  • Please save the log in Notepad on your desktop, and copy it to your next reply.
  • When you close Emsisoft Emergency Kit, it will give you an option to sign up for a newsletter. This is optional, and is not necessary for the malware removal process.
~~
please post
Fixlog.txt
Eset log
Addition.txt
Please do not PM me for HJT help, we all benefit from posting on the open board.
Want to help others? Join the ClassRoom and learn how.
MS - MVP Consumer Security 2009 - 2016, Windows Insider MVP 2017
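The fixlist above removes two autostart values (HKU\S-1-5-18 Run and RunOnce) that make regsvr32.exe silently load a ".rs" file out of a user's AppData\Roaming\Microsoft\Protect folder, plus an empty Run value. The following is an added example, not code from the thread or from the FRST tool: a small Python triage that parses FRST-style Run/RunOnce lines and flags the same warning signs a malware tech looks for (regsvr32 pointed at a non-DLL extension, a target under a user-writable profile path, and an autostart in the LocalSystem hive S-1-5-18 that reaches into a user profile). The two benign lines in the sample are constructed for contrast; the three flagged lines are the ones quoted in the fixlist.

```python
import ntpath
import re
from dataclasses import dataclass, field

# Constructed sample in the layout of FRST's Registry section. The HKLM-x32 and the
# two WinResSync lines are the entries quoted in this thread's fixlist; the "Example
# Vendor" and Spotify lines are constructed benign entries for contrast.
SAMPLE_FRST_LINES = [
    r'HKLM\...\Run: [ExampleTray] => C:\Program Files\Example Vendor\tray.exe [2016-08-03] (Example Vendor)',
    r'HKLM-x32\...\Run: [] => [X]',
    r'HKU\S-1-5-18\...\Run: [WinResSync] => C:\Windows\system32\regsvr32.exe /s "C:\Users\Andrew\AppData\Roaming\Microsoft\Protect\887ed5ff-558f-4421-a80c-0e629cebde75.rs"',
    r'HKU\S-1-5-18\...\RunOnce: [WinResSync] => C:\Windows\system32\regsvr32.exe /s "C:\Users\Andrew\AppData\Roaming\Microsoft\Protect\887ed5ff-558f-4421-a80c-0e629cebde75.rs"',
    r'HKU\S-1-5-21-1539042780-2021664212-3557231818-1001\...\Run: [Spotify] => C:\Users\Andrew\AppData\Roaming\Spotify\Spotify.exe [2016-10-10] (Spotify Ltd)',
]

# One FRST Run/RunOnce line: hive, "\...\", key, [value name], "=>", command line.
RUN_LINE = re.compile(
    r'^(?P<hive>HKLM(?:-x32)?|HKU\\S-[\d-]+)\\\.\.\.\\(?P<key>RunOnce|Run): '
    r'\[(?P<name>[^\]]*)\] => (?P<cmd>.*)$'
)
# First token of the command line, quoted or bare.
EXE_TOKEN = re.compile(r'^\s*(?:"([^"]+)"|(\S+))')
# Every drive-letter path in the command line, quoted or bare.
PATH_ARG = re.compile(r'"([A-Za-z]:\\[^"]+)"|(?<!\S)([A-Za-z]:\\\S+)')

LOCAL_SYSTEM_SID = "S-1-5-18"           # the hive FRST prints as HKU\S-1-5-18
REGISTERABLE = {".dll", ".ocx", ".ax"}  # what regsvr32 is normally asked to load


@dataclass
class RunEntry:
    hive: str
    key: str
    name: str
    command: str
    reasons: list = field(default_factory=list)


def parse_run_entries(lines):
    """Return a RunEntry for every line that matches FRST's Run/RunOnce layout."""
    entries = []
    for line in lines:
        m = RUN_LINE.match(line.strip())
        if m:
            entries.append(RunEntry(m["hive"], m["key"], m["name"], m["cmd"]))
    return entries


def _exe(cmd):
    m = EXE_TOKEN.match(cmd)
    return (m.group(1) or m.group(2) or "").lower() if m else ""


def _path_args(cmd):
    return [quoted or bare for quoted, bare in PATH_ARG.findall(cmd)]


def assess(entry):
    """Attach the list of warning signs for one entry (empty list = nothing odd)."""
    reasons = []
    cmd = entry.command
    exe = _exe(cmd)
    args = [p for p in _path_args(cmd) if p.lower() != exe]

    if not entry.name or cmd.strip() == "[X]":
        reasons.append("empty value name or no target file")

    if exe.endswith("regsvr32.exe"):
        for p in args:
            if ntpath.splitext(p)[1].lower() not in REGISTERABLE:
                reasons.append(f"regsvr32 asked to load non-DLL file {p!r}")
            if "\\users\\" in p.lower():
                reasons.append(f"regsvr32 target lives in a user-writable profile path {p!r}")

    if entry.hive == "HKU\\" + LOCAL_SYSTEM_SID and any(
        "\\users\\" in p.lower() for p in [exe, *args]
    ):
        reasons.append("LocalSystem (S-1-5-18) autostart referencing a user profile path")

    entry.reasons = reasons
    return reasons


def triage(lines):
    """Parse the lines and return only the entries that carry at least one reason."""
    return [e for e in parse_run_entries(lines) if assess(e)]


if __name__ == "__main__":
    for e in triage(SAMPLE_FRST_LINES):
        print(f"{e.hive}\\...\\{e.key}: [{e.name}]")
        for r in e.reasons:
            print("   -", r)
```

Run against a real FRST.txt with `triage(open("FRST.txt", encoding="utf-8").read().splitlines())`; the regsvr32 and LocalSystem checks are deliberately narrow so that ordinary vendor tray programs in a user's own hive, like the constructed Spotify line, stay unflagged.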

#4 Juliet

Juliet

    Advanced Member

  • Trusted Malware Techs
  • 23,257 posts
  • Gender:Female


Posted 10 November 2016 - 08:46 PM

I forgot

Let's update your Java

Go to add/remove programs list look for and uninstall your current version of Java

https://www.java.com/en/download/
The above link is for the most recent version

#5 Juliet

Juliet

    Advanced Member

  • Trusted Malware Techs
  • 23,257 posts
  • Gender:Female


Posted 11 December 2016 - 08:00 AM

Glad we could help. :)

Since this issue appears resolved ... this Topic is closed.



