
Malwarebytes 3.0.4 /and possible malware


  • This topic is locked
19 replies to this topic

#1 me82

me82

    Member

  • Members
  • 209 posts

Posted 20 December 2016 - 04:06 PM

I am using a PC that was upgraded from XP to Windows 7 Pro and I did a scan on it using Junkware first and it didn't get much off the computer, then I downloaded Malwarebytes, the free version, but it has a trial version. It got some malware off. When I restarted my PC and opened up Google Chrome the index file came up, not the normal Google screen, so I reset Google and it shows normal again.

This happens whenever I do a Malwarebytes scan: just the index file comes up. It happened in Firefox too and I had to go in settings and refresh Firefox.

Also the SafeSearch toolbar did not get removed in Google Chrome. I tried the adware removal tool as well and all it took off was ask.com and aol.com. So I went in Google extensions and downloaded an adblocker (Stands) and went to the Google homepage and the SafeSearch toolbar does not show anymore because of the adblocker.



#2 me82

me82

    Member

  • Members
  • 209 posts

Posted 20 December 2016 - 04:08 PM

I did a search on the internet to get off the SafeSearch toolbar but it requires going in the registry and deleting the SafeSearch entries pol file, and I don't want to go in the registry and mess up my computer. Even though the toolbar doesn't show anymore that doesn't mean it's off my computer, right?



#3 Juliet

Juliet

    Advanced Member

  • Trusted Malware Techs
  • 23,186 posts
  • Gender:Female


Posted 20 December 2016 - 04:22 PM

I did a search on the internet to get off the SafeSearch toolbar but it requires going in the registry and deleting the SafeSearch entries pol file, and I don't want to go in the registry and mess up my computer. Even though the toolbar doesn't show anymore that doesn't mean it's off my computer, right?

It's possible bits and pieces could still be on there.
I'm going to move this topic to the HJT forum (Have I Been Hijacked?) and have you run a tool that searches the registry, then we can easily remove items that need to go.
Please do not PM me for HJT help, we all benefit from posting on the open board.
Want to help others? Join the ClassRoom and learn how.
MS - MVP Consumer Security 2009 - 2016, Windows Insider MVP 2017

#4 Juliet

Juliet

    Advanced Member

  • Trusted Malware Techs
  • 23,186 posts
  • Gender:Female


Posted 20 December 2016 - 04:25 PM

All tools that I have you download should be placed on the desktop unless otherwise stated. If you are familiar with how to save files to the desktop then you can skip this step.

It's easiest if you configure your browser(s) to download any tools to the desktop by default. Please use the appropriate instructions below depending on the browser you are using.
Google Chrome - Click the "Customize and control Google Chrome" button in the upper right corner of the browser. Choose Settings. At the bottom of the screen click the "Show advanced settings..." link. Scroll down to find the Downloads section and click the Change... button. Select your desktop and click OK.
Mozilla Firefox - Click the "Open Menu" button in the upper right corner of the browser. Choose Options. In the Downloads section, click the Browse button, click on the Desktop folder and then click the "Select Folder" button. Click OK to get out of the Options menu.

Farbar Recovery Scan Tool (FRST) Scan
  • Please download Farbar Recovery Scan Tool (x32) or Farbar Recovery Scan Tool (x64) and save the file to your Desktop.
  • Note: Download and run the version compatible with your system (32 or 64-bit). Download both if you're unsure; only one will run.
  • Right-click FRST.exe / FRST64.exe and select Run as administrator to run the programme.
  • Click Yes to the disclaimer.
  • Ensure the Addition.txt box is checked.
  • Click the Scan button and let the programme run.
  • Upon completion, click OK, then OK on the Addition.txt pop up screen.
  • Two logs (FRST.txt & Addition.txt) will now be open on your Desktop. Copy the contents of both logs and paste in your next reply.



#5 me82

me82

    Member

  • Members
  • 209 posts

Posted 20 December 2016 - 04:28 PM

This (Stands) adblocker for Google does wonders :clap:



#6 Juliet

Juliet

    Advanced Member

  • Trusted Malware Techs
  • 23,186 posts
  • Gender:Female


Posted 20 December 2016 - 04:29 PM

Good deal.

#7 me82

me82

    Member

  • Members
  • 209 posts

Posted 20 December 2016 - 04:44 PM

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 17-12-2016
Ran by Owner (administrator) on OWNER-PC (20-12-2016 16:41:33)
Running from C:\Users\Owner\Desktop
Loaded Profiles: Owner (Available Profiles: Owner)
Platform: Windows 7 Professional Service Pack 1 (X64) Language: English (United States)
Internet Explorer Version 8 (Default browser: IE)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo...very-scan-tool/
 
==================== Processes (Whitelisted) =================
 
(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)
 
(Malwarebytes) C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe
(Malwarebytes) C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
 
==================== Registry (Whitelisted) ====================
 
(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)
 
HKLM\...\Run: [Malwarebytes TrayApp] => C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\mbamtray.exe [2786768 2016-11-29] (Malwarebytes)
 
==================== Internet (Whitelisted) ====================
 
(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)
 
Tcpip\Parameters: [DhcpNameServer] 192.168.1.254
Tcpip\..\Interfaces\{9D69391E-5B78-4298-B9EB-3BDF78BF7400}: [DhcpNameServer] 192.168.1.254
 
Internet Explorer:
==================
HKU\S-1-5-21-961524124-1411212058-1041103660-1001\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = hxxp://www.msn.com/?ocid=iehp
Filter: deflate - {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\Windows\system32\urlmon.dll [2010-11-20] (Microsoft Corporation)
Filter-x32: deflate - {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\Windows\SysWOW64\urlmon.dll [2010-11-20] (Microsoft Corporation)
Filter: gzip - {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\Windows\system32\urlmon.dll [2010-11-20] (Microsoft Corporation)
Filter-x32: gzip - {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\Windows\SysWOW64\urlmon.dll [2010-11-20] (Microsoft Corporation)
 
FireFox:
========
FF ProfilePath: C:\Users\Owner\AppData\Roaming\Mozilla\Firefox\Profiles\pmwkzvnz.default-1482205545460 [2016-12-20]
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files\Microsoft Silverlight\5.1.50901.0\npctrl.dll [2016-08-31] ( Microsoft Corporation)
FF Plugin-x32: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files (x86)\Microsoft Silverlight\5.1.50901.0\npctrl.dll [2016-08-31] ( Microsoft Corporation)
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.32.7\npGoogleUpdate3.dll [2016-12-17] (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.32.7\npGoogleUpdate3.dll [2016-12-17] (Google Inc.)
 
Chrome: 
=======
CHR Profile: C:\Users\Owner\AppData\Local\Google\Chrome\User Data\Default [2016-12-20]
CHR Extension: (Google Slides) - C:\Users\Owner\AppData\Local\Google\Chrome\User Data\Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek [2016-11-05]
CHR Extension: (Google Docs) - C:\Users\Owner\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake [2016-11-05]
CHR Extension: (Google Drive) - C:\Users\Owner\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2016-11-05]
CHR Extension: (YouTube) - C:\Users\Owner\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2016-11-05]
CHR Extension: (Google Sheets) - C:\Users\Owner\AppData\Local\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap [2016-11-05]
CHR Extension: (Fair Ads (by STANDS)) - C:\Users\Owner\AppData\Local\Google\Chrome\User Data\Default\Extensions\gagfkmknmijppikpcikmbbkdkhggcmge [2016-12-20]
CHR Extension: (Google Docs Offline) - C:\Users\Owner\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi [2016-11-05]
CHR Extension: (Fair AdBlocker (by STANDS)) - C:\Users\Owner\AppData\Local\Google\Chrome\User Data\Default\Extensions\lgblnfidahcdcjddiepkckcfdhpknnjh [2016-12-20]
CHR Extension: (Chrome Web Store Payments) - C:\Users\Owner\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2016-11-05]
CHR Extension: (Gmail) - C:\Users\Owner\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2016-11-05]
CHR Extension: (Chrome Media Router) - C:\Users\Owner\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm [2016-12-19]
 
==================== Services (Whitelisted) ====================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
R2 MBAMService; C:\Program Files\Malwarebytes\Anti-Malware\mbamservice.exe [4317648 2016-11-29] (Malwarebytes)
R2 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [1011712 2009-07-13] (Microsoft Corporation)
 
===================== Drivers (Whitelisted) ======================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
R3 E100B; C:\Windows\System32\DRIVERS\efe5b32e.sys [192256 2009-06-10] (Intel Corporation)
R1 ESProtectionDriver; C:\Windows\system32\drivers\mbae64.sys [77408 2016-11-29] ()
R2 MBAMChameleon; C:\Windows\system32\drivers\MBAMChameleon.sys [176064 2016-12-17] (Malwarebytes)
R3 MBAMFarflt; C:\Windows\system32\drivers\farflt.sys [102856 2016-12-20] (Malwarebytes)
R3 MBAMProtection; C:\Windows\system32\drivers\mbam.sys [43968 2016-12-20] (Malwarebytes)
R0 MBAMSwissArmy; C:\Windows\System32\drivers\MBAMSwissArmy.sys [250816 2016-12-20] (Malwarebytes)
R3 MBAMWebProtection; C:\Windows\system32\drivers\mwac.sys [81696 2016-12-20] (Malwarebytes)
 
==================== NetSvcs (Whitelisted) ===================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
 
==================== One Month Created files and folders ========
 
(If an entry is included in the fixlist, the file/folder will be moved.)
 
2016-12-20 16:41 - 2016-12-20 16:42 - 00006779 _____ C:\Users\Owner\Desktop\FRST.txt
2016-12-20 16:41 - 2016-12-20 16:41 - 00000000 ____D C:\FRST
2016-12-20 16:39 - 2016-12-20 16:39 - 02420224 _____ (Farbar) C:\Users\Owner\Desktop\FRST64.exe
2016-12-19 22:45 - 2016-12-19 22:45 - 00000000 ____D C:\Users\Owner\Desktop\Old Firefox Data
2016-12-19 22:02 - 2016-12-19 22:33 - 00000000 ____D C:\AdwCleaner
2016-12-19 21:59 - 2016-12-19 22:00 - 03910208 _____ C:\Users\Owner\Downloads\adwcleaner(2).exe
2016-12-17 13:07 - 2016-12-17 13:07 - 05659917 _____ (Swearware) C:\Users\Owner\Downloads\ComboFix.exe
2016-12-17 12:52 - 2016-12-20 14:51 - 00102856 _____ (Malwarebytes) C:\Windows\system32\Drivers\farflt.sys
2016-12-17 12:52 - 2016-12-20 14:51 - 00081696 _____ (Malwarebytes) C:\Windows\system32\Drivers\mwac.sys
2016-12-17 12:52 - 2016-12-17 12:52 - 00176064 _____ (Malwarebytes) C:\Windows\system32\Drivers\MBAMChameleon.sys
2016-12-17 12:51 - 2016-12-20 14:51 - 00250816 _____ (Malwarebytes) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
2016-12-17 12:51 - 2016-12-20 14:51 - 00043968 _____ (Malwarebytes) C:\Windows\system32\Drivers\mbam.sys
2016-12-17 12:51 - 2016-12-17 12:51 - 00001867 _____ C:\Users\Public\Desktop\Malwarebytes.lnk
2016-12-17 12:51 - 2016-12-17 12:51 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes
2016-12-17 12:51 - 2016-12-17 12:51 - 00000000 ____D C:\ProgramData\Malwarebytes
2016-12-17 12:51 - 2016-12-17 12:51 - 00000000 ____D C:\Program Files\Malwarebytes
2016-12-17 12:51 - 2016-11-29 06:27 - 00077408 _____ C:\Windows\system32\Drivers\mbae64.sys
2016-12-17 12:33 - 2016-12-17 12:33 - 01631928 _____ (Malwarebytes) C:\Users\Owner\Downloads\JRT.exe
2016-12-14 21:06 - 2016-12-20 00:19 - 00000000 ____D C:\Users\Owner\AppData\LocalLow\Mozilla
2016-12-11 01:14 - 2016-12-19 22:34 - 00000000 ____D C:\Program Files (x86)\Mozilla Firefox
 
==================== One Month Modified files and folders ========
 
(If an entry is included in the fixlist, the file/folder will be moved.)
 
2016-12-20 14:58 - 2009-07-13 23:45 - 00021280 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2016-12-20 14:58 - 2009-07-13 23:45 - 00021280 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2016-12-20 14:50 - 2009-07-14 00:08 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2016-12-19 22:34 - 2016-10-31 13:19 - 00000000 ____D C:\Program Files (x86)\Mozilla Maintenance Service
2016-12-17 13:09 - 2016-11-03 16:21 - 00000000 ____D C:\Users\Owner\AppData\Local\ElevatedDiagnostics
2016-12-17 12:58 - 2016-10-31 13:55 - 00002187 _____ C:\Users\Public\Desktop\Google Chrome.lnk
2016-12-17 12:58 - 2016-10-31 13:55 - 00002187 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome.lnk
2016-12-17 12:58 - 2016-10-31 13:20 - 00001151 _____ C:\Users\Public\Desktop\Mozilla Firefox.lnk
2016-12-17 12:58 - 2016-10-31 13:19 - 00001163 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Mozilla Firefox.lnk
2016-12-17 12:58 - 2016-10-31 13:15 - 00001447 _____ C:\Users\Owner\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer.lnk
2016-12-17 12:58 - 2016-10-31 13:15 - 00001413 _____ C:\Users\Owner\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer (64-bit).lnk
2016-12-17 12:16 - 2009-07-13 22:20 - 00000000 ____D C:\Windows\inf
2016-12-17 12:00 - 2016-10-31 13:54 - 00003330 _____ C:\Windows\System32\Tasks\GoogleUpdateTaskMachineUA
2016-12-17 12:00 - 2016-10-31 13:53 - 00003202 _____ C:\Windows\System32\Tasks\GoogleUpdateTaskMachineCore
2016-12-17 11:46 - 2016-11-14 20:00 - 00001945 _____ C:\Windows\epplauncher.mif
2016-12-11 01:16 - 2016-11-03 07:45 - 00000000 ____D C:\Users\Owner\AppData\Local\Google
2016-12-10 23:45 - 2009-07-14 00:13 - 00781298 _____ C:\Windows\system32\PerfStringBackup.INI
 
==================== Files in the root of some directories =======
 
2016-11-05 15:04 - 2016-11-05 15:04 - 0000000 _____ () C:\Users\Owner\AppData\Local\{17C1B774-83E0-4D5B-9952-55D0E7B5581A}
 
Some files in TEMP:
====================
C:\Users\Owner\AppData\Local\Temp\libeay32.dll
C:\Users\Owner\AppData\Local\Temp\msvcr120.dll
C:\Users\Owner\AppData\Local\Temp\sqlite3.dll
 
 
==================== Bamital & volsnap ======================
 
(There is no automatic fix for files that do not pass verification.)
 
C:\Windows\system32\winlogon.exe => File is digitally signed
C:\Windows\system32\wininit.exe => File is digitally signed
C:\Windows\SysWOW64\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\system32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\system32\services.exe => File is digitally signed
C:\Windows\system32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\system32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\system32\rpcss.dll => File is digitally signed
C:\Windows\system32\dnsapi.dll => File is digitally signed
C:\Windows\SysWOW64\dnsapi.dll => File is digitally signed
C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed
 
LastRegBack: 2016-12-19 22:33
 
==================== End of FRST.txt ============================


#8 me82

me82

    Member

  • Members
  • 209 posts

Posted 20 December 2016 - 04:45 PM

Additional scan result of Farbar Recovery Scan Tool (x64) Version: 17-12-2016
Ran by Owner (20-12-2016 16:42:48)
Running from C:\Users\Owner\Desktop
Windows 7 Professional Service Pack 1 (X64) (2016-10-31 18:12:56)
Boot Mode: Normal
==========================================================
 
 
==================== Accounts: =============================
 
Administrator (S-1-5-21-961524124-1411212058-1041103660-500 - Administrator - Disabled)
Guest (S-1-5-21-961524124-1411212058-1041103660-501 - Limited - Disabled)
HomeGroupUser$ (S-1-5-21-961524124-1411212058-1041103660-1002 - Limited - Enabled)
Owner (S-1-5-21-961524124-1411212058-1041103660-1001 - Administrator - Enabled) => C:\Users\Owner
 
==================== Security Center ========================
 
(If an entry is included in the fixlist, it will be removed.)
 
AV: Malwarebytes (Enabled - Up to date) {23007AD3-69FE-687C-2629-D584AFFAF72B}
AS: Malwarebytes (Enabled - Up to date) {98619B37-4FC4-67F2-1C99-EEF6D47DBD96}
AS: Windows Defender (Disabled - Out of date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
 
==================== Installed Programs ======================
 
(Only the adware programs with "Hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)
 
7-Zip 16.04 (x64) (HKLM\...\7-Zip) (Version: 16.04 - Igor Pavlov)
Adobe Flash Player 10 ActiveX (HKLM-x32\...\Adobe Flash Player ActiveX) (Version: 10.3.181.14 - Adobe Systems Incorporated)
Dell System Detect (HKU\S-1-5-21-961524124-1411212058-1041103660-1001\...\58d94f3ce2c27db0) (Version: 7.11.0.6 - Dell)
Gigabyte Wireless LAN Card (HKLM-x32\...\{2C564A58-BD28-4926-95E1-EC7812FCA44F}) (Version: 1.00.0000 - Gigabyte)
Google Chrome (HKLM-x32\...\{16C1182D-6E13-3989-A4BC-360B106D5C4E}) (Version: 54.0.2840.71 - Google, Inc.)
Google Update Helper (x32 Version: 1.3.32.7 - Google Inc.) Hidden
Malwarebytes version 3.0.4.1269 (HKLM\...\{35065F43-4BB2-439A-BFF7-0F1014F2E0CD}_is1) (Version: 3.0.4.1269 - Malwarebytes)
Microsoft .NET Framework 4.6.2 (HKLM\...\{92FB6C44-E685-45AD-9B20-CADF4CABA132} - 1033) (Version: 4.6.01590 - Microsoft Corporation)
Microsoft Silverlight (HKLM\...\{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}) (Version: 5.1.50901.0 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.6161 (HKLM\...\{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4}) (Version: 9.0.30729.6161 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (HKLM-x32\...\{9BE518E6-ECC6-35A9-88E4-87755C07200F}) (Version: 9.0.30729.6161 - Microsoft Corporation)
Mozilla Firefox 50.1.0 (x86 en-US) (HKLM-x32\...\Mozilla Firefox 50.1.0 (x86 en-US)) (Version: 50.1.0 - Mozilla)
Mozilla Maintenance Service (HKLM-x32\...\MozillaMaintenanceService) (Version: 50.1.0.6186 - Mozilla)
OpenOffice 4.1.3 (HKLM-x32\...\{EEA30AEB-8BA7-465B-85D4-098BB99733E7}) (Version: 4.13.9783 - Apache Software Foundation)
Revo Uninstaller 2.0.1 (HKLM\...\{A28DBDA2-3CC7-4ADC-8BFE-66D7743C6C97}_is1) (Version: 2.0.1 - VS Revo Group, Ltd.)
WinRAR 5.40 (64-bit) (HKLM\...\WinRAR archiver) (Version: 5.40.0 - win.rar GmbH)
 
==================== Custom CLSID (Whitelisted): ==========================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
 
==================== Scheduled Tasks (Whitelisted) =============
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
Task: {0FF23161-EB9E-4AB3-93EC-E0C5F6A10961} - System32\Tasks\{0BC15F45-0E9A-4980-B72C-8F0726195EB6} => pcalua.exe -a "C:\Users\Owner\Desktop\Dell driver software\PROSet.exe" -d "C:\Users\Owner\Desktop\Dell driver software"
Task: {21D0A833-C8DA-416E-9F39-466C7976A40B} - System32\Tasks\GoogleUpdateTaskMachineUA => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2016-10-31] (Google Inc.)
Task: {32E4A7E2-E17E-4190-B103-4CB7EC80D21E} - System32\Tasks\GoogleUpdateTaskMachineCore => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2016-10-31] (Google Inc.)
Task: {8A4E1E6B-F689-47C4-AB88-0FDE06508D23} - System32\Tasks\{18A18759-B6F5-4E7F-B704-7492ACD8B881} => pcalua.exe -a C:\Users\Owner\Desktop\PROSet.exe -d C:\Users\Owner\Desktop
 
(If an entry is included in the fixlist, the task (.job) file will be moved. The file which is running by the task will not be moved.)
 
 
==================== Shortcuts =============================
 
(The entries could be listed to be restored or removed.)
 
ShortcutWithArgument: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome.lnk -> C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (Google Inc.) -> "
ShortcutWithArgument: C:\Users\Public\Desktop\Google Chrome.lnk -> C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (Google Inc.) -> "
 
==================== Loaded Modules (Whitelisted) ==============
 
2016-12-17 12:51 - 2016-11-29 06:27 - 02259232 _____ () C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\PoliciesControllerImpl.dll
2016-12-17 12:51 - 2016-11-29 06:27 - 02247632 _____ () C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\MwacLib.dll
2016-12-17 12:51 - 2016-11-29 06:27 - 02813904 _____ () C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\arwlib.dll
2016-12-17 12:51 - 2016-11-08 09:46 - 00693248 _____ () C:\Program Files\Malwarebytes\Anti-Malware\QtQuick\Controls\qtquickcontrolsplugin.dll
 
==================== Alternate Data Streams (Whitelisted) =========
 
(If an entry is included in the fixlist, only the ADS will be removed.)
 
 
==================== Safe Mode (Whitelisted) ===================
 
(If an entry is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.)
 
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MBAMService => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\MBAMService => ""="Service"
 
==================== Association (Whitelisted) ===============
 
(If an entry is included in the fixlist, the registry item will be restored to default or removed.)
 
 
==================== Internet Explorer trusted/restricted ===============
 
(If an entry is included in the fixlist, it will be removed from the registry.)
 
IE trusted site: HKU\S-1-5-21-961524124-1411212058-1041103660-1001\...\dell.com -> dell.com
 
==================== Hosts content: ===============================
 
(If needed Hosts: directive could be included in the fixlist to reset Hosts.)
 
2009-07-13 21:34 - 2009-06-10 16:00 - 00000824 ____A C:\Windows\system32\Drivers\etc\hosts
 
 
==================== Other Areas ============================
 
(Currently there is no automatic fix for this section.)
 
HKU\S-1-5-21-961524124-1411212058-1041103660-1001\Control Panel\Desktop\\Wallpaper -> C:\Users\Owner\AppData\Roaming\Microsoft\Windows\Themes\TranscodedWallpaper.jpg
DNS Servers: 192.168.1.254
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System => (ConsentPromptBehaviorAdmin: 5) (ConsentPromptBehaviorUser: 3) (EnableLUA: 1)
Windows Firewall is enabled.
 
==================== MSCONFIG/TASK MANAGER disabled items ==
 
 
==================== FirewallRules (Whitelisted) ===============
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
FirewallRules: [SPPSVC-In-TCP] => %SystemRoot%\system32\sppsvc.exe
FirewallRules: [SPPSVC-In-TCP-NoScope] => %SystemRoot%\system32\sppsvc.exe
FirewallRules: [{866803FD-2C6D-4482-8773-1BED7A76011E}] => C:\Program Files (x86)\Mozilla Firefox\firefox.exe
FirewallRules: [{9E10EE46-C05B-437E-96F5-8E56D6E5B315}] => C:\Program Files (x86)\Mozilla Firefox\firefox.exe
FirewallRules: [{F4EF756C-B155-4620-93A2-5370AE5D94F5}] => C:\Program Files (x86)\SrpnFiles\SrpnFiles.exe
FirewallRules: [{225C20D6-FB3D-47A7-B85B-3F1695D86273}] => C:\Program Files (x86)\SrpnFiles\SrpnFiles.exe
FirewallRules: [{94FAB7E2-3330-46AF-BCE3-28EC66D42C41}] => C:\Program Files (x86)\SrpnFiles\downloader.exe
FirewallRules: [{F9300FBC-C47A-4721-BDAF-1A873F9361A8}] => C:\Program Files (x86)\SrpnFiles\downloader.exe
FirewallRules: [{0AC08974-A0D6-4E54-A31A-6F6A1C009353}] => C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
 
==================== Restore Points =========================
 
31-10-2016 13:13:08 Windows Update
31-10-2016 13:59:39 Installed Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.6161
05-11-2016 12:22:07 Installed Intel® Network Connections.
05-11-2016 12:46:04 Installed Gigabyte Wireless LAN Card
05-11-2016 15:19:55 Installed Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.6161
05-11-2016 15:22:46 Installed Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
05-11-2016 15:25:13 Installed OpenOffice 4.1.3
05-11-2016 17:21:51 Installed Kaspersky Anti-Virus 2010.
14-11-2016 20:02:31 Revo Uninstaller's restore point - Kaspersky Anti-Virus 2010
14-11-2016 20:19:08 Windows Update
14-11-2016 23:10:21 Windows Update
17-12-2016 12:35:49 JRT Pre-Junkware Removal
 
==================== Faulty Device Manager Devices =============
 
 
==================== Event log errors: =========================
 
Application errors:
==================
Error: (12/20/2016 03:21:17 PM) (Source: Customer Experience Improvement Program) (EventID: 1008) (User: )
Description: A problem prevented Customer Experience Improvement Program data from being sent to Microsoft, (Error 80004005).
 
Error: (12/20/2016 02:52:17 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: Event filter with query "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 99" could not be reactivated in namespace "//./root/CIMV2" because of error 0x80041003. Events cannot be delivered through this filter until the problem is corrected.
 
Error: (12/19/2016 10:36:44 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: Event filter with query "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 99" could not be reactivated in namespace "//./root/CIMV2" because of error 0x80041003. Events cannot be delivered through this filter until the problem is corrected.
 
Error: (12/19/2016 06:30:31 PM) (Source: Customer Experience Improvement Program) (EventID: 1008) (User: )
Description: A problem prevented Customer Experience Improvement Program data from being sent to Microsoft, (Error 80004005).
 
Error: (12/19/2016 05:38:36 PM) (Source: Customer Experience Improvement Program) (EventID: 1008) (User: )
Description: A problem prevented Customer Experience Improvement Program data from being sent to Microsoft, (Error 80004005).
 
Error: (12/19/2016 05:02:49 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: Event filter with query "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 99" could not be reactivated in namespace "//./root/CIMV2" because of error 0x80041003. Events cannot be delivered through this filter until the problem is corrected.
 
Error: (12/17/2016 01:01:24 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: Event filter with query "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 99" could not be reactivated in namespace "//./root/CIMV2" because of error 0x80041003. Events cannot be delivered through this filter until the problem is corrected.
 
Error: (12/17/2016 11:47:55 AM) (Source: Customer Experience Improvement Program) (EventID: 1008) (User: )
Description: A problem prevented Customer Experience Improvement Program data from being sent to Microsoft, (Error 80004005).
 
Error: (12/17/2016 11:20:59 AM) (Source: WinMgmt) (EventID: 10) (User: )
Description: Event filter with query "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 99" could not be reactivated in namespace "//./root/CIMV2" because of error 0x80041003. Events cannot be delivered through this filter until the problem is corrected.
 
Error: (12/14/2016 09:04:07 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: Event filter with query "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 99" could not be reactivated in namespace "//./root/CIMV2" because of error 0x80041003. Events cannot be delivered through this filter until the problem is corrected.
 
 
System errors:
=============
Error: (12/19/2016 10:33:33 PM) (Source: Service Control Manager) (EventID: 7031) (User: )
Description: The Windows Media Player Network Sharing Service service terminated unexpectedly.  It has done this 1 time(s).  The following corrective action will be taken in 30000 milliseconds: Restart the service.
 
Error: (12/19/2016 10:33:33 PM) (Source: Service Control Manager) (EventID: 7031) (User: )
Description: The Windows Search service terminated unexpectedly.  It has done this 1 time(s).  The following corrective action will be taken in 30000 milliseconds: Restart the service.
 
Error: (12/19/2016 10:33:32 PM) (Source: Service Control Manager) (EventID: 7031) (User: )
Description: The Print Spooler service terminated unexpectedly.  It has done this 1 time(s).  The following corrective action will be taken in 60000 milliseconds: Restart the service.
 
Error: (12/17/2016 11:40:46 AM) (Source: Microsoft Antimalware) (EventID: 2001) (User: )
Description: Event-ID 2001
 
Error: (12/17/2016 11:35:36 AM) (Source: Service Control Manager) (EventID: 7011) (User: )
Description: A timeout (30000 milliseconds) was reached while waiting for a transaction response from the eventlog service.
 
Error: (12/17/2016 11:34:36 AM) (Source: Service Control Manager) (EventID: 7011) (User: )
Description: A timeout (30000 milliseconds) was reached while waiting for a transaction response from the eventlog service.
 
Error: (12/17/2016 11:33:36 AM) (Source: Service Control Manager) (EventID: 7011) (User: )
Description: A timeout (30000 milliseconds) was reached while waiting for a transaction response from the eventlog service.
 
Error: (12/17/2016 11:32:36 AM) (Source: Service Control Manager) (EventID: 7011) (User: )
Description: A timeout (30000 milliseconds) was reached while waiting for a transaction response from the eventlog service.
 
Error: (12/17/2016 11:31:36 AM) (Source: Service Control Manager) (EventID: 7011) (User: )
Description: A timeout (30000 milliseconds) was reached while waiting for a transaction response from the eventlog service.
 
Error: (12/17/2016 11:30:36 AM) (Source: Service Control Manager) (EventID: 7011) (User: )
Description: A timeout (30000 milliseconds) was reached while waiting for a transaction response from the eventlog service.
 
 
==================== Memory info =========================== 
 
Processor: Intel® Pentium® 4 CPU 2.80GHz
Percentage of memory in use: 53%
Total physical RAM: 2038.15 MB
Available physical RAM: 942.88 MB
Total Virtual: 4076.3 MB
Available Virtual: 2643.93 MB
 
==================== Drives ================================
 
Drive c: () (Fixed) (Total:74.43 GB) (Free:53.41 GB) NTFS
Drive f: () (Fixed) (Total:74.44 GB) (Free:74.35 GB) NTFS
 
==================== MBR & Partition Table ==================
 
========================================================
Disk: 0 (MBR Code: Windows 7 or 8) (Size: 74.5 GB) (Disk ID: FC78FC78)
Partition 1: (Active) - (Size=100 MB) - (Type=07 NTFS)
Partition 2: (Not Active) - (Size=74.4 GB) - (Type=07 NTFS)
 
========================================================
Disk: 1 (MBR Code: Windows XP) (Size: 74.5 GB) (Disk ID: 41AB2316)
Partition 1: (Not Active) - (Size=55 MB) - (Type=DE)
Partition 2: (Active) - (Size=74.4 GB) - (Type=07 NTFS)
 
==================== End of Addition.txt ============================


#9 Juliet

Juliet

    Advanced Member

  • Trusted Malware Techs
  • 23,186 posts
  • Gender:Female


Posted 20 December 2016 - 07:57 PM

Please open Notepad (*Do Not Use Wordpad!* or any other text editor than Notepad, or the script will fail). (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the quote box below:
To do this, highlight the contents of the box, right click on it and select copy.
Paste this into the open Notepad and save it to the Desktop as fixlist.txt.
NOTE: It's important that both files, FRST/FRST64 and fixlist.txt, are in the same location or the fix will not work.
It needs to be saved next to the "Farbar Recovery Scan Tool" (if asked to overwrite the existing one, please allow).



 

start
CreateRestorePoint:
CloseProcesses:
C:\Users\Owner\AppData\Local\Temp\libeay32.dll
C:\Users\Owner\AppData\Local\Temp\msvcr120.dll
C:\Users\Owner\AppData\Local\Temp\sqlite3.dll
ShortcutWithArgument: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome.lnk -> C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (Google Inc.) -> "
ShortcutWithArgument: C:\Users\Public\Desktop\Google Chrome.lnk -> C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (Google Inc.) -> "
EmptyTemp:
Hosts:
End


Open FRST/FRST64 and press the > Fix < button just once and wait.
If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.
When finished FRST will generate a log on the Desktop (Fixlog.txt). Please post it to your reply.
Please do not PM me for HJT help, we all benefit from posting on the open board.
Want to help others? Join the ClassRoom and learn how.
MS - MVP Consumer Security 2009 - 2016, Windows Insider MVP 2017

#10 Juliet

Juliet

    Advanced Member

  • Trusted Malware Techs
  • 23,186 posts
  • Gender:Female


Posted 20 December 2016 - 07:59 PM

I didn't see any residual references to safesearch toolbar.

#11 me82

me82

    Member

  • Members
  • 209 posts

Posted 20 December 2016 - 09:12 PM

When I installed the adblocker, it went away from the homepage (SafeSearch).

 

From tomsguide.com, it said to press and hold the Windows key and R (Win+R).

Copy and paste: %systemroot%\System32\GroupPolicy/Machine
Delete: Registry.pol

Restart the computer. And this link: https://www.techsupp...e-removal-help/

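Before deleting anything by hand, it helps to see what is actually left over. The following is an added PowerShell example, not from the thread, from FRST or from the tomsguide page: it reports the two kinds of remnant discussed above (post #9's fixlist stripped appended arguments from the Chrome shortcuts; post #11's advice deletes the local Group Policy file). The shortcut folders and the HKLM/HKCU `Policies` keys are standard Windows and Chrome/Firefox locations; the `[key;value;type;size;data]` layout of Registry.pol is the documented format; the function names and output columns are my own. Run it from an elevated PowerShell prompt.

```powershell
# Added example, not from the thread or from FRST: report leftovers that a browser
# reset does not touch, without changing anything. Run elevated.

# --- 1. Browser shortcuts with appended arguments ---------------------------------
# Hijackers append a URL to chrome.exe/firefox.exe shortcuts so every launch opens it.
# FRST's "ShortcutWithArgument:" directive strips exactly this; here we only report.
$shell = New-Object -ComObject WScript.Shell
$shortcutDirs = @(
    "$env:ProgramData\Microsoft\Windows\Start Menu\Programs",
    "$env:Public\Desktop",
    "$env:USERPROFILE\Desktop",
    "$env:APPDATA\Microsoft\Windows\Start Menu\Programs",
    "$env:APPDATA\Microsoft\Internet Explorer\Quick Launch"
)
$browserExes = @('chrome.exe', 'firefox.exe', 'iexplore.exe', 'opera.exe', 'msedge.exe')

function Get-HijackedBrowserShortcut {
    foreach ($dir in $shortcutDirs) {
        if (-not (Test-Path -LiteralPath $dir)) { continue }
        Get-ChildItem -LiteralPath $dir -Filter *.lnk -Recurse -ErrorAction SilentlyContinue |
            ForEach-Object {
                $lnk = $shell.CreateShortcut($_.FullName)
                $exe = [System.IO.Path]::GetFileName([string]$lnk.TargetPath).ToLower()
                # A clean browser shortcut normally has an empty Arguments field.
                if ($browserExes -contains $exe -and $lnk.Arguments.Trim() -ne '') {
                    [pscustomobject]@{ Shortcut = $_.FullName; Target = $lnk.TargetPath; Arguments = $lnk.Arguments }
                }
            }
    }
}

# --- 2. Browser policy keys -------------------------------------------------------
# A homepage, search provider or extension forced as a *policy* survives the
# chrome://settings reset and shows in Chrome as "managed by your organization".
$policyKeys = @(
    'HKLM:\SOFTWARE\Policies\Google\Chrome',
    'HKCU:\SOFTWARE\Policies\Google\Chrome',
    'HKLM:\SOFTWARE\Policies\Mozilla\Firefox',
    'HKCU:\SOFTWARE\Policies\Mozilla\Firefox'
)

function Get-BrowserPolicyRemnant {
    foreach ($key in $policyKeys) {
        if (-not (Test-Path -LiteralPath $key)) { continue }
        # Values directly under the key (HomepageLocation, DefaultSearchProviderSearchURL, ...).
        (Get-ItemProperty -LiteralPath $key).PSObject.Properties |
            Where-Object { $_.Name -notlike 'PS*' } |
            ForEach-Object { [pscustomobject]@{ Key = $key; Name = $_.Name; Value = $_.Value } }
        # Subkeys such as ExtensionInstallForcelist hold one numbered value per forced extension.
        Get-ChildItem -LiteralPath $key -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
            $subKey = $_
            foreach ($name in $subKey.GetValueNames()) {
                [pscustomobject]@{ Key = $subKey.Name; Name = $name; Value = $subKey.GetValue($name) }
            }
        }
    }
}

# --- 3. The local Group Policy file the tomsguide advice deletes -------------------
# Legitimate where someone configured local policy (or on a domain PC), so list what
# it carries before deleting it. The file is UTF-16LE with entries of the form
# [key;value;type;size;data]; the regex pulls only the key and value names.
$pol = Join-Path $env:SystemRoot 'System32\GroupPolicy\Machine\Registry.pol'

function Get-RegistryPolEntry {
    if (-not (Test-Path -LiteralPath $pol)) { return }
    $bytes = [System.IO.File]::ReadAllBytes($pol)
    $text  = [System.Text.Encoding]::Unicode.GetString($bytes)
    [regex]::Matches($text, '\[([^\x00;]+)\x00;([^\x00;]*)\x00;') | ForEach-Object {
        [pscustomobject]@{ File = $pol; Key = $_.Groups[1].Value; Value = $_.Groups[2].Value }
    }
}

Get-HijackedBrowserShortcut | Format-Table -AutoSize -Wrap
Get-BrowserPolicyRemnant    | Format-Table -AutoSize -Wrap
Get-RegistryPolEntry        | Format-Table -AutoSize -Wrap
```

If section 3 lists `Software\Policies\Google\Chrome` entries on a home PC that never had Group Policy configured, the file is the source of the "managed" settings and deleting it (then running `gpupdate /force`) is the right call; if it lists only things you or your organisation set, leave it alone and remove just the offending policy values from section 2.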


#12 me82

me82

    Member

  • Members
  • 209 posts

Posted 20 December 2016 - 09:32 PM

Fix result of Farbar Recovery Scan Tool (x64) Version: 17-12-2016
Ran by Owner (20-12-2016 21:20:52) Run:1
Running from C:\Users\Owner\Desktop
Loaded Profiles: Owner (Available Profiles: Owner)
Boot Mode: Normal
==============================================
 
fixlist content:
*****************
start
CreateRestorePoint:
CloseProcesses:
C:\Users\Owner\AppData\Local\Temp\libeay32.dll
C:\Users\Owner\AppData\Local\Temp\msvcr120.dll
C:\Users\Owner\AppData\Local\Temp\sqlite3.dll
ShortcutWithArgument: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome.lnk -> C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (Google Inc.) -> "
ShortcutWithArgument: C:\Users\Public\Desktop\Google Chrome.lnk -> C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (Google Inc.) -> "
EmptyTemp:
Hosts:
End
*****************
 
Restore point was successfully created.
Processes closed successfully.
C:\Users\Owner\AppData\Local\Temp\libeay32.dll => moved successfully
C:\Users\Owner\AppData\Local\Temp\msvcr120.dll => moved successfully
C:\Users\Owner\AppData\Local\Temp\sqlite3.dll => moved successfully
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome.lnk => Shortcut argument removed successfully.
C:\Users\Public\Desktop\Google Chrome.lnk => Shortcut argument removed successfully.
C:\Windows\System32\Drivers\etc\hosts => moved successfully
Hosts restored successfully.
 
=========== EmptyTemp: ==========
 
BITS transfer queue => 8388608 B
DOMStore, IE Recovery, AppCache, Feeds Cache, Thumbcache, IconCache => 6407355 B
Java, Flash, Steam htmlcache => 456 B
Windows/system/drivers => 812787576 B
Edge => 0 B
Chrome => 386651845 B
Firefox => 204182951 B
Opera => 0 B
 
Temp, IE cache, history, cookies, recent:
Users => 0 B
Default => 0 B
Public => 0 B
ProgramData => 0 B


#13 me82

me82

    Member

  • Members
  • 209 posts

Posted 20 December 2016 - 09:46 PM

What about my browsers not opening normally after I run a scan in Malwarebytes? Do I have to disable Malwarebytes first, then open my browser?



#14 Juliet

Juliet

    Advanced Member

  • Trusted Malware Techs
  • 23,186 posts
  • Gender:Female


Posted 21 December 2016 - 06:14 AM

Download Zemana AntiMalware:
  • open the program and without changing any options, press Scan
  • after the scan is finished, if threats are detected press Next to remove them
Note: If restart is required to finish the cleaning process, you should click Reboot. If reboot isn't required, please restart your computer manually.
  • open Zemana AntiMalware again and locate the latest report
  • please paste the contents into your reply.
========================

Open Chrome

1- Type about:config in URL and Enter
2- Find: browser.newtab.url
3- Change it to: about:newtab

close chrome, open the browser again and see if this corrects.

#15 me82

me82

    Member

  • Members
  • 209 posts

Posted 21 December 2016 - 11:14 AM

My browsers are fine now; it's just the new Malwarebytes. When I did 2 scans a couple of days ago, deleted what it found, restarted the computer and opened the browser, it showed the index file, and then after resetting the browsers it shows normal.



#16 me82

me82

    Member

  • Members
  • 209 posts

Posted 21 December 2016 - 11:16 AM

I will hold off on doing the Zemana AntiMalware.



#17 Juliet

Juliet

    Advanced Member

  • Trusted Malware Techs
  • 23,186 posts
  • Gender:Female


Posted 21 December 2016 - 03:42 PM

That's OK.

They do have a dedicated forum for

Malwarebytes 3.0

Have questions or problems with Malwarebytes 3.0 (previously known as Malwarebytes Anti-Malware)? Post them here.
https://forums.malwa...alwarebytes-30/

#18 me82

me82

    Member

  • Members
  • 209 posts

Posted 22 December 2016 - 12:19 AM

OK, I see where there is a patch for some of the issues with Malwarebytes.



#19 Juliet

Juliet

    Advanced Member

  • Trusted Malware Techs
  • 23,186 posts
  • Gender:Female


Posted 22 December 2016 - 07:23 AM

DelFix
  • Please download DelFix (or from Here) and save the file to your Desktop.
  • Double-click DelFix.exe to run the programme.
  • Place a checkmark next to the following items:
  • Activate UAC
  • Remove disinfection tools
  • Click the Run button.
  • -- This will remove the specialized tools we used to disinfect your system.
    Any leftover logs, files, folders or tools remaining on your Desktop which were not removed can be deleted manually (right-click the file + delete).
*********************

#20 Juliet

Juliet

    Advanced Member

  • Trusted Malware Techs
  • 23,186 posts
  • Gender:Female


Posted 26 December 2016 - 06:20 AM

Glad we could help. :)

Since this issue appears resolved ... this Topic is closed.



