Active Malwarebytes--quarantined a few to many files

Discussion in 'Malware Removal' started by Briab Guy, Nov 1, 2017.

  1. Briab Guy

    Briab Guy

    Joined:
    Sep 23, 1999
    Messages:
    991
    I have been using Malwarebytes for a "long" time with no ill effects. Until now.

    I was cleaning out some files. MB scanned and showed some bad files. I clicked to quarantine them and went to heat up my coffee. Came back and it was on 1,000 and xxx number file. OOOPS. I knew I had a problem. Long story short, I should have never rebooted the box because after that I couldn't log in as an Admin. Just a Guest. SCREWED!

    I got past the logon problem today. I started this easy small job on Sat. I can now get into the PC and fix some things.


    Problem #1 is I can't get Malwarebytes started.
    Can't find an answer at the Malwarebytes site.
    Uninstall? Reinstall?
    Do a system restore?
    Lions and Tigers and Bears, What the heck to do?

    Can I UN-quarantine those files somehow?

    Windows 7 Home Premium, Lenovo Z565 PC.
    Version is 2.0.4.1028. Got that from Add/Remove, but I think it's a later version.

    thanks as always
     
  2. Broni

    Broni Malware Annihilator Staff Member

    Joined:
    Jan 20, 2015
    Messages:
    664
    Location:
    Daly City, CA
    Please observe the following rules:
    • Read all of my instructions very carefully. Your mistakes during the cleaning process may have very serious consequences, like an unbootable computer.
    • If you're stuck, or you're not sure about a certain step, always ask before doing anything else.
    • Please refrain from running any tools, fixes or applying any changes to your computer other than those I suggest.
    • Never run more than one scan at a time.
    • Keep updating me regarding your computer's behavior, good or bad.
    • The cleaning process, once started, has to be completed. Even if your computer appears to act better, it may still be infected. Once the computer is totally clean, I'll certainly let you know.
    • If you leave the topic without explanation in the middle of a cleaning process, you may not be eligible to receive any more help in the malware removal forum.
    • I close my topics if you have not replied in 5 days. If you need more time, simply let me know. If I closed your topic and you need it to be reopened, simply PM me.

    =================================

    I wouldn't try to unquarantine anything since we don't know what we're dealing with here.
    Let's try to take a look at your computer from the outside.

    NOTE 1. Use another working computer to download Farbar Recovery Scan Tool and save it to USB flash drive.
    NOTE 2. Install Panda USB Vaccine, or BitDefender’s USB Immunizer on GOOD computer to protect it from any infected USB device.

    For 32-bit (x86) systems download Farbar Recovery Scan Tool 32-Bit and save it to a flash drive.
    For 64-bit systems download Farbar Recovery Scan Tool 64-Bit and save it to a flash drive.

    Plug the flash drive into the infected PC.

    If you are using Windows 10: if you're having problems accessing System Recovery Options, create a Windows 10 USB or DVD as described here: How to download Windows 10 and create your own installation USB flash drive or DVD, and boot from it.

    If you are using Windows 8, consult How to use the Windows 8 System Recovery Environment Command Prompt to enter the System Recovery Command Prompt. To access Advanced Boot Options, start and shut down the computer TWICE. On the third start you should see Advanced Boot Options.

    If you are using Vista or Windows 7 enter System Recovery Options.

    To enter System Recovery Options from the Advanced Boot Options:
    • Restart the computer.
    • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
    • Use the arrow keys to select the Repair your computer menu item.
    • Select US as the keyboard language settings, and then click Next.
    • Select the operating system you want to repair, and then click Next.
    • Select your user account and click Next.

    To enter System Recovery Options by using Windows installation disc:
    • Insert the installation disc.
    • Restart your computer.
    • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
    • Click Repair your computer.
    • Select US as the keyboard language settings, and then click Next.
    • Select the operating system you want to repair, and then click Next.
    • Select your user account and click Next.

    On the System Recovery Options menu you will get the following options:

    • Startup Repair
    • System Restore
    • Windows Complete PC Restore
    • Windows Memory Diagnostic Tool
    • Command Prompt

    Then:
    • Select Command Prompt.
    • In the command window type in notepad and press Enter.
    • The notepad opens. Under the File menu select Open.
    • Select "Computer", find your flash drive letter and close the notepad.
    • In the command window type e:\frst (for the 64-bit version type e:\frst64) and press Enter.
      Note: Replace letter e with the drive letter of your flash drive.
    • The tool will start to run.
    • When the tool opens click Yes to the disclaimer.
    • Press the Scan button.
    • It will make a log (FRST.txt) on the flash drive. Please copy and paste it into your reply.
     
  3. Briab Guy

    Briab Guy

    Joined:
    Sep 23, 1999
    Messages:
    991
    You just gave me a great "how to..." list! I have saved a lot of programs and ways to do troubleshooting/fixing in a folder but have never compiled it like this.
    I thank you
    Brian

    I will save what you have given me and use some now, like the USB tool etc.

    I have the PC working pretty well now. They have 2 anti-virus apps running at the same time--I disabled 1 and will let them uninstall whichever one they don't want. That is how this PC and many others I work on come to me. And no one seems to want advice until their PC is boogered :)
    I can not get Malwarebytes to start. I am thinking to uninstall and reload a newer version. I am not absolutely sure it was the culprit but it was the last thing to run. I made a restore point while I have a good boot just in case.
    Sound reasonable?
    thanks again
     
  4. glc

    glc Forum Administrator Staff Member

    Joined:
    May 26, 2000
    Messages:
    35,008
    Location:
    Joplin MO
    Briab - please follow the instructions from Broni exactly if you post in this forum. Did you read the sticky thread?
     
  5. Briab Guy

    Briab Guy

    Joined:
    Sep 23, 1999
    Messages:
    991
    Yes, and I will go in the order it is given.
    Thanks
     
  6. Briab Guy

    Briab Guy

    Joined:
    Sep 23, 1999
    Messages:
    991
    Here we go:
    Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 01-11-2017
    Ran by SYSTEM on MININT-KJFK3HN (02-11-2017 16:40:27)
    Running from F:\
    Platform: Windows 7 Home Premium Service Pack 1 (X64) Language: English (United States)
    Internet Explorer Version 11
    Boot Mode: Recovery
    Default: ControlSet001
    ATTENTION!:=====> If the system is bootable FRST must be run from normal or Safe mode to create a complete log.

    Tutorial for Farbar Recovery Scan Tool: FRST Tutorial - How to use Farbar Recovery Scan Tool - Malware Removal Guides and Tutorials

    ==================== Registry (Whitelisted) ===========================

    (If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

    HKLM\...\Run: [RtHDVCpl] => C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe [11842152 2011-05-03] (Realtek Semiconductor)
    HKLM\...\Run: [RtHDVBg] => C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe [2212456 2011-05-03] (Realtek Semiconductor)
    HKLM\...\Run: [SynTPEnh] => C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [2057000 2010-02-17] (Synaptics Incorporated)
    HKLM\...\Run: [MSC] => c:\Program Files\Microsoft Security Client\msseces.exe [1271072 2014-03-11] (Microsoft Corporation)
    HKLM\...\RunOnce: [RealProtect] => C:\Program Files\McAfee\Real Protect\RealProtect.exe [7109896 2017-11-01] (McAfee, Inc.)
    GroupPolicy: Restriction <==== ATTENTION

    ==================== Services (Whitelisted) ====================

    (If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

    S2 Apple Mobile Device Service; C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe [77128 2015-01-19] (Apple Inc.)
    S2 HDD & SSD access service; C:\Program Files (x86)\Common Files\BinarySense\disksvc.exe [171848 2011-01-21] (BinarySense Ltd.)
    S3 Lequidication; C:\Program Files (x86)\Lequidication\Lequidication.exe [4377560 2014-11-26] ()
    S3 McComponentHostService; C:\Program Files\McAfee Security Scan\3.11.599\McCHSvc.exe [404376 2017-09-05] (McAfee, Inc.)
    S2 MsMpSvc; c:\Program Files\Microsoft Security Client\MsMpEng.exe [23808 2014-03-11] (Microsoft Corporation)
    S3 NisSrv; c:\Program Files\Microsoft Security Client\NisSrv.exe [347872 2014-03-11] (Microsoft Corporation)
    S3 NMIndexingService; C:\Program Files (x86)\Common Files\Ahead\Lib\NMIndexingService.exe [279848 2007-06-27] (Nero AG)
    S3 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [1011712 2013-05-26] (Microsoft Corporation)

    ===================== Drivers (Whitelisted) ======================

    (If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

    S3 MBAMSwissArmy; C:\Windows\system32\drivers\MBAMSwissArmy.sys [129752 2014-12-06] (Malwarebytes Corporation)
    S0 MpFilter; C:\Windows\System32\DRIVERS\MpFilter.sys [268512 2014-01-24] (Microsoft Corporation)
    S2 NisDrv; C:\Windows\System32\DRIVERS\NisDrvWFP.sys [133928 2014-03-11] (Microsoft Corporation)
    S1 cherimoya; system32\drivers\cherimoya.sys [X]

    ==================== NetSvcs (Whitelisted) ===================

    (If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)


    ==================== One Month Created files and folders ========

    (If an entry is included in the fixlist, the file/folder will be moved.)

    2017-11-02 16:39 - 2017-11-02 16:40 - 000000000 ____D C:\FRST
    2017-11-02 12:09 - 2017-11-02 12:09 - 000002075 _____ C:\Users\Public\Desktop\HDD Temperature v.4.lnk
    2017-11-02 12:09 - 2017-11-02 12:09 - 000000000 ____D C:\Program Files (x86)\BinarySense
    2017-11-02 00:14 - 2017-11-02 00:14 - 000000000 ____D C:\Windows\System32\MpEngineStore
    2017-11-01 21:10 - 2017-11-02 12:10 - 000000000 ____D C:\Users\BRI\Downloads\NOV 2017 clean
    2017-11-01 21:09 - 2017-11-01 21:09 - 000003249 _____ C:\Users\BRI\Desktop\startuplist n ov 2017.txt
    2017-11-01 21:07 - 2017-11-01 21:07 - 000007555 _____ C:\Users\BRI\Desktop\hijackthis.log NOV 2017 admin.txt
    2017-11-01 21:06 - 2017-11-01 21:06 - 000003228 _____ C:\Windows\System32\Tasks\{D9BCFABC-E447-4460-BFC5-F95BDC5F8CCF}
    2017-11-01 20:17 - 2017-11-02 00:14 - 000001781 _____ C:\Users\BRI\Desktop\cherimoya.txt
    2017-11-01 19:46 - 2017-11-01 19:46 - 000000053 _____ C:\Users\BRI\Desktop\Event ID 41 'Kernel-Power'.txt
    2017-11-01 16:09 - 2017-11-01 16:09 - 000002892 _____ C:\Windows\System32\Tasks\{BB30FCB2-A0E0-45A7-A563-FB0D091A333E}
    2017-11-01 16:09 - 2017-11-01 16:09 - 000002892 _____ C:\Windows\System32\Tasks\{B77ED341-02BF-436A-A548-6D428AB8927D}
    2017-11-01 14:57 - 2017-11-01 14:57 - 000000000 ____D C:\Users\BRI\AppData\Roaming\Ahead
    2017-11-01 14:53 - 2010-11-20 05:24 - 000345088 _____ (Microsoft Corporation) C:\Windows\System32\sethc.exe
    2017-11-01 12:39 - 2017-11-01 12:39 - 000002124 _____ C:\Users\Public\Desktop\Belarc Advisor.lnk
    2017-11-01 12:38 - 2017-11-01 12:38 - 005031816 _____ C:\Users\BRI\Downloads\advisorinstaller.exe
    2017-10-30 10:09 - 2017-10-30 10:09 - 000109296 _____ C:\Users\test\AppData\Local\GDIPFONTCACHEV1.DAT
    2017-10-30 10:09 - 2017-10-30 10:09 - 000000000 ____D C:\Users\test\AppData\Roaming\Apple Computer
    2017-10-30 10:09 - 2017-10-30 10:09 - 000000000 ____D C:\Users\test\AppData\Roaming\Adobe
    2017-10-30 10:08 - 2017-10-30 10:09 - 000000000 ____D C:\users\test
    2017-10-30 10:08 - 2017-10-30 10:08 - 000000020 ___SH C:\Users\test\ntuser.ini
    2017-10-30 10:08 - 2017-10-30 10:08 - 000000000 ____D C:\Users\test\AppData\Local\VirtualStore
    2017-10-30 10:08 - 2014-06-27 17:43 - 000000000 ____D C:\Users\test\AppData\Local\Microsoft Help
    2017-10-30 10:08 - 2009-07-13 23:44 - 000000000 ____D C:\Users\test\AppData\Roaming\Media Center Programs
    2017-10-29 15:16 - 2017-11-01 12:36 - 000000000 ____D C:\Users\GUEST-1\Desktop\ophcrack-vista-livecd-3.6.0 iso zip
    2017-10-29 13:40 - 2017-10-29 13:40 - 000109296 _____ C:\Users\teest user\AppData\Local\GDIPFONTCACHEV1.DAT
    2017-10-29 13:40 - 2017-10-29 13:40 - 000000000 ____D C:\Users\teest user\AppData\Roaming\Apple Computer
    2017-10-29 13:39 - 2017-10-29 20:59 - 000000000 ____D C:\users\teest user
    2017-10-29 13:39 - 2017-10-29 13:39 - 000000000 ____D C:\Users\teest user\AppData\Roaming\Adobe
    2017-10-29 13:39 - 2017-10-29 13:39 - 000000000 ____D C:\Users\teest user\AppData\Local\VirtualStore
    2017-10-29 13:39 - 2014-06-27 17:43 - 000000000 ____D C:\Users\teest user\AppData\Local\Microsoft Help
    2017-10-29 13:39 - 2009-07-13 23:44 - 000000000 ____D C:\Users\teest user\AppData\Roaming\Media Center Programs
    2017-10-28 13:52 - 2017-10-28 13:52 - 000157136 _____ C:\Windows\ntbtlog.txt
    2017-10-27 18:20 - 2017-10-27 18:20 - 000000000 ____D C:\Old Firefox Data
    2017-10-27 10:12 - 2017-10-27 10:12 - 000000000 ____D C:\ProgramData\MB2Migration
    2017-10-27 10:12 - 2017-10-27 10:12 - 000000000 ____D C:\Program Files\Malwarebytes
    2017-10-27 09:55 - 2017-10-27 09:55 - 000000000 ____D C:\Program Files (x86)\Belarc
    2017-10-27 09:46 - 2017-10-27 09:46 - 000000000 ____D C:\Program Files (x86)\GUM1B3D.tmp
    2017-10-26 14:33 - 2017-11-01 14:57 - 000000000 ____D C:\Users\BRI\AppData\Local\Ahead
    2017-10-26 14:33 - 2017-10-26 14:33 - 000000096 _____ C:\Users\BRI\AppData\default.pls

    ==================== One Month Modified files and folders ========

    (If an entry is included in the fixlist, the file/folder will be moved.)

    2017-11-02 12:15 - 2009-07-13 21:13 - 000006190 _____ C:\Windows\System32\PerfStringBackup.INI
    2017-11-02 12:09 - 2014-01-15 17:02 - 000000908 _____ C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3391234477-3154659029-2313981676-1000UA.job
    2017-11-02 11:47 - 2013-10-01 12:32 - 000000896 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
    2017-11-02 11:32 - 2009-07-13 20:45 - 000021680 ____H C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
    2017-11-02 11:32 - 2009-07-13 20:45 - 000021680 ____H C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
    2017-11-02 11:29 - 2016-12-11 16:07 - 000000000 ____D C:\Users\BRI\AppData\LocalLow\Mozilla
    2017-11-02 11:25 - 2013-10-01 12:32 - 000000892 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
    2017-11-02 11:25 - 2009-07-13 21:08 - 000000006 ____H C:\Windows\Tasks\SA.DAT
    2017-11-01 21:35 - 2014-04-24 10:53 - 000000000 ____D C:\Users\Guest\AppData\Roaming\isafe
    2017-11-01 21:20 - 2014-01-24 12:09 - 000000000 ____D C:\ProgramData\ijdoimhlfjkpicpegmpgbbboefofjmgg
    2017-11-01 21:13 - 2014-04-23 13:57 - 000000563 _____ C:\Windows\Tasks\RegCure Pro_sch_48A67D70-CB32-11E3-8CC5-B870F4010848.job
    2017-11-01 20:50 - 2014-12-06 17:09 - 000000000 ____D C:\Program Files (x86)\stinger
    2017-11-01 20:41 - 2014-12-06 17:09 - 000000000 ____D C:\Program Files\McAfee
    2017-11-01 16:15 - 2016-11-18 08:49 - 000000000 ____D C:\Program Files (x86)\Mozilla Firefox
    2017-11-01 16:15 - 2014-12-08 11:11 - 000000000 ____D C:\Program Files (x86)\Mozilla Maintenance Service
    2017-11-01 16:09 - 2014-01-15 17:02 - 000000856 _____ C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3391234477-3154659029-2313981676-1000Core.job
    2017-11-01 12:37 - 2016-11-19 13:17 - 000000000 ____D C:\Users\GUEST-1\AppData\LocalLow\Mozilla
    2017-11-01 12:20 - 2016-02-08 16:29 - 000000000 ____D C:\Users\BRI\AppData\Roaming\Skype
    2017-11-01 10:20 - 2009-07-13 21:08 - 000032570 _____ C:\Windows\Tasks\SCHEDLGU.TXT
    2017-11-01 10:16 - 2009-07-13 19:20 - 000000000 ____D C:\Windows\inf
    2017-10-31 08:14 - 2014-06-14 11:34 - 000000000 ____D C:\users\GUEST-1
    2017-10-29 22:42 - 2017-09-26 23:56 - 000000000 ____D C:\ProgramData\McAfee Security Scan
    2017-10-29 22:42 - 2014-06-14 11:27 - 000000000 ____D C:\users\BRI
    2017-10-29 22:42 - 2014-06-07 15:24 - 000000000 ____D C:\users\Administrator
    2017-10-29 22:42 - 2014-04-24 10:53 - 000000000 ____D C:\users\Guest
    2017-10-29 22:42 - 2009-07-13 19:20 - 000000000 ____D C:\Windows\registration
    2017-10-29 20:59 - 2009-07-13 19:20 - 000000000 ____D C:\Windows\AppCompat
    2017-10-28 17:47 - 2009-07-13 23:45 - 000000000 ____D C:\Windows\ShellNew
    2017-10-28 15:18 - 2015-05-31 10:41 - 000004312 _____ C:\Windows\System32\Tasks\Adobe Flash Player Updater
    2017-10-28 15:18 - 2013-09-30 20:43 - 000803328 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
    2017-10-28 15:18 - 2013-09-30 20:43 - 000144896 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
    2017-10-28 15:18 - 2013-09-30 20:43 - 000000000 ____D C:\Windows\SysWOW64\Macromed
    2017-10-28 15:18 - 2013-09-30 20:43 - 000000000 ____D C:\Windows\System32\Macromed
    2017-10-27 15:47 - 2015-06-04 14:35 - 000000000 ____D C:\Program Files\iTunes
    2017-10-27 15:47 - 2015-06-04 14:34 - 000000000 ____D C:\Windows\System32\Tasks\Apple
    2017-10-27 15:47 - 2015-06-04 14:34 - 000000000 ____D C:\Program Files (x86)\Apple Software Update
    2017-10-27 15:47 - 2015-06-04 14:33 - 000000000 ____D C:\Program Files\Bonjour
    2017-10-27 15:47 - 2014-12-04 17:04 - 000000000 __SHD C:\Program Files (x86)\Lequidication
    2017-10-27 15:47 - 2014-12-04 17:04 - 000000000 ____D C:\Users\BRI\AppData\LocalLow\{D2020D47-707D-4E26-B4D9-739C4F4C2E9A}
    2017-10-27 15:47 - 2014-12-02 17:43 - 000000000 ____D C:\Windows\Minidump
    2017-10-27 15:47 - 2014-06-26 13:57 - 000000000 ____D C:\Program Files (x86)\Malwarebytes Anti-Malware
    2017-10-27 15:47 - 2014-06-26 13:33 - 000000000 ____D C:\Program Files (x86)\6E6B36EB-9156-411B-B951-C735F4747DCF
    2017-10-27 15:47 - 2014-06-12 11:36 - 000000000 ____D C:\Windows\System32\Tasks\Games
    2017-10-27 15:47 - 2014-06-09 17:19 - 000000000 ____D C:\Users\Administrator\AppData\Roaming\eCyber
    2017-10-27 15:47 - 2014-06-09 17:12 - 000000000 ____D C:\Program Files (x86)\Roxio
    2017-10-27 15:47 - 2014-06-07 15:27 - 000000000 ____D C:\Users\Administrator\AppData\Local\MoboGenie
    2017-10-27 15:47 - 2014-06-07 15:25 - 000000000 ____D C:\Users\Administrator\AppData\Roaming\isafe
    2017-10-27 15:47 - 2014-01-22 14:14 - 000000000 ____D C:\Program Files (x86)\Mobogenie
    2017-10-27 15:47 - 2013-10-01 12:33 - 000000000 ____D C:\Program Files\CCleaner
    2017-10-27 15:47 - 2009-07-13 21:09 - 000000000 ____D C:\Windows\System32\Tasks\WPD
    2017-10-27 15:45 - 2014-06-12 11:36 - 000000000 ____D C:\Users\Administrator\AppData\Local\Microsoft Games
    2017-10-27 15:45 - 2014-06-12 10:40 - 000000000 ____D C:\Users\Administrator\AppData\Local\CyberLink
    2017-10-27 15:45 - 2013-10-01 12:34 - 000000000 ____D C:\ProgramData\Malwarebytes
    2017-10-27 11:18 - 2014-04-23 13:57 - 000000000 ____D C:\ProgramData\ParetoLogic
    2017-10-27 11:11 - 2014-12-04 17:04 - 000000000 ____D C:\Users\BRI\AppData\LocalLow\Company
    2017-10-27 11:10 - 2013-12-25 13:09 - 000000000 ____D C:\ProgramData\APN

    Some files in TEMP:
    ====================
    2014-06-12 10:28 - 2014-04-10 22:59 - 000080296 _____ () C:\Users\Administrator\AppData\Local\Temp\nsvF799.tmp.exe
    2016-02-08 16:40 - 2016-02-08 16:40 - 000144008 _____ (© 2015 Microsoft Corporation) C:\Users\BRI\AppData\Local\Temp\BingSvc.exe
    2016-02-08 16:40 - 2016-02-08 16:40 - 001118360 _____ (© 2015 Microsoft Corporation) C:\Users\BRI\AppData\Local\Temp\BSvcProcessor.exe
    2016-02-08 16:40 - 2016-02-08 16:40 - 000170128 _____ (© 2015 Microsoft Corporation) C:\Users\BRI\AppData\Local\Temp\BSvcUpdater.exe
    2017-05-15 17:56 - 2017-05-15 17:56 - 001285888 _____ ( ) C:\Users\BRI\AppData\Local\Temp\ICReinstall_adobe_flash_setup(1).exe
    2017-04-24 16:14 - 2017-04-24 16:14 - 014456872 _____ (Microsoft Corporation) C:\Users\BRI\AppData\Local\Temp\vc_redist.x86.exe

    ==================== Known DLLs (Whitelisted) =========================


    ==================== Bamital & volsnap ======================

    (There is no automatic fix for files that do not pass verification.)

    C:\Windows\System32\winlogon.exe => MD5 is legit
    C:\Windows\System32\wininit.exe => MD5 is legit
    C:\Windows\SysWOW64\wininit.exe => MD5 is legit
    C:\Windows\explorer.exe => MD5 is legit
    C:\Windows\SysWOW64\explorer.exe => MD5 is legit
    C:\Windows\System32\svchost.exe => MD5 is legit
    C:\Windows\SysWOW64\svchost.exe => MD5 is legit
    C:\Windows\System32\services.exe => MD5 is legit
    C:\Windows\System32\User32.dll => MD5 is legit
    C:\Windows\SysWOW64\User32.dll => MD5 is legit
    C:\Windows\System32\userinit.exe => MD5 is legit
    C:\Windows\SysWOW64\userinit.exe => MD5 is legit
    C:\Windows\System32\rpcss.dll => MD5 is legit
    C:\Windows\System32\dnsapi.dll => MD5 is legit
    C:\Windows\SysWOW64\dnsapi.dll => MD5 is legit
    C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

    ==================== Association (Whitelisted) =============


    ==================== Restore Points =========================

    Restore point date: 2017-10-27 11:27
    Restore point date: 2017-10-27 12:07
    Restore point date: 2017-10-28 15:20
    Restore point date: 2017-10-29 11:15
    Restore point date: 2017-10-29 18:11
    Restore point date: 2017-10-30 10:20
    Restore point date: 2017-11-01 15:47
    Restore point date: 2017-11-02 11:36
    Restore point date: 2017-11-02 11:41
    Restore point date: 2017-11-02 12:09
    Restore point date: 2017-11-02 12:09

    ==================== Memory info ===========================

    Percentage of memory in use: 19%
    Total physical RAM: 2810.9 MB
    Available physical RAM: 2274.41 MB
    Total Virtual: 2809.05 MB
    Available Virtual: 2263.43 MB

    ==================== Drives ================================

    Drive c: () (Fixed) (Total:297.99 GB) (Free:251.3 GB) NTFS
    Drive f: (LEXAR) (Removable) (Total:14.61 GB) (Free:14.61 GB) FAT32
    Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS
    Drive y: (System Reserved) (Fixed) (Total:0.1 GB) (Free:0.07 GB) NTFS ==>[system with boot components (obtained from drive)]

    ==================== MBR & Partition Table ==================

    ========================================================
    Disk: 0 (MBR Code: Windows 7 or 8) (Size: 298.1 GB) (Disk ID: 4BE9BCC0)
    Partition 1: (Active) - (Size=100 MB) - (Type=07 NTFS)
    Partition 2: (Not Active) - (Size=298 GB) - (Type=07 NTFS)

    ========================================================
    Disk: 1 (MBR Code: Windows XP) (Size: 14.6 GB) (Disk ID: C3072E18)
    Partition 1: (Not Active) - (Size=14.6 GB) - (Type=0C)

    LastRegBack: 2017-10-31 08:57

    ==================== End of FRST.txt ============================
     
  7. Broni

    Broni Malware Annihilator Staff Member

    Joined:
    Jan 20, 2015
    Messages:
    664
    Location:
    Daly City, CA
    Download the attached fixlist.txt file and save it to the very same USB flash drive you've been using. Plug the drive back in.

    NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.

    On Vista or Windows 7/8/10: now please enter System Recovery Options.
    On Windows XP: now please boot into the OTLPE CD.
    Run FRST (FRST64) and press the Fix button just once and wait.
    The tool will make a log on the flash drive (Fixlog.txt); please post it in your reply.
     


  8. Briab Guy

    Briab Guy

    Joined:
    Sep 23, 1999
    Messages:
    991
    Broni,
    At every turn this PC has cursed me :)
    If I go to the System Recovery Options first, how do I run the FRST (FRST64)?
    DAA;


    Fix result of Farbar Recovery Scan Tool (x64) Version: 01-11-2017
    Ran by SYSTEM (03-11-2017 21:25:50) Run:1
    Running from f:\
    Boot Mode: Recovery
    ==============================================

    fixlist content:
    *****************
    GroupPolicy: Restriction <==== ATTENTION
    S1 cherimoya; system32\drivers\cherimoya.sys [X]
    2014-06-12 10:28 - 2014-04-10 22:59 - 000080296 _____ () C:\Users\Administrator\AppData\Local\Temp\nsvF799.tmp.exe
    2016-02-08 16:40 - 2016-02-08 16:40 - 000144008 _____ (© 2015 Microsoft Corporation) C:\Users\BRI\AppData\Local\Temp\BingSvc.exe
    2016-02-08 16:40 - 2016-02-08 16:40 - 001118360 _____ (© 2015 Microsoft Corporation) C:\Users\BRI\AppData\Local\Temp\BSvcProcessor.exe
    2016-02-08 16:40 - 2016-02-08 16:40 - 000170128 _____ (© 2015 Microsoft Corporation) C:\Users\BRI\AppData\Local\Temp\BSvcUpdater.exe
    2017-05-15 17:56 - 2017-05-15 17:56 - 001285888 _____ ( ) C:\Users\BRI\AppData\Local\Temp\ICReinstall_adobe_flash_setup(1).exe
    2017-04-24 16:14 - 2017-04-24 16:14 - 014456872 _____ (Microsoft Corporation) C:\Users\BRI\AppData\Local\Temp\vc_redist.x86.exe

    *****************

    C:\Windows\System32\GroupPolicy\Machine => moved successfully
    C:\Windows\System32\GroupPolicy\GPT.ini => moved successfully
    C:\Windows\SysWOW64\GroupPolicy\GPT.ini => moved successfully
    HKLM\System\ControlSet001\Services\cherimoya => key removed successfully
    cherimoya => service removed successfully
    C:\Users\Administrator\AppData\Local\Temp\nsvF799.tmp.exe => moved successfully
    C:\Users\BRI\AppData\Local\Temp\BingSvc.exe => moved successfully
    C:\Users\BRI\AppData\Local\Temp\BSvcProcessor.exe => moved successfully
    C:\Users\BRI\AppData\Local\Temp\BSvcUpdater.exe => moved successfully
    C:\Users\BRI\AppData\Local\Temp\ICReinstall_adobe_flash_setup(1).exe => moved successfully
    C:\Users\BRI\AppData\Local\Temp\vc_redist.x86.exe => moved successfully

    ==== End of Fixlog 21:25:50 ====
     
    Last edited: Nov 3, 2017
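The FRST log in post #6 and the Fixlog in post #8 are the kind of output a helper reads by eye. The script below is an added example, not part of this thread and not FRST's own code; it does the same two checks mechanically. First it flags the entries the helper targeted: a service or driver whose file is missing (FRST marks these `[X]`), a line FRST itself marks `<==== ATTENTION`, and an executable in a Temp folder with no publisher string. Then it reads a Fixlog and confirms that each fixlist line came back as "moved successfully" or "removed successfully". The sample text is constructed from lines in this thread plus one made-up entry (`constructed_unprocessed.exe`) with no result line, so the unconfirmed case is visible. The empty-publisher rule is a review heuristic of mine; Broni's fixlist moved every Temp executable, signed or not.

```python
import re

# Constructed sample input: lines in the shape of the FRST.txt in post #6.
SAMPLE_FRST = r"""
HKLM\...\Run: [RtHDVCpl] => C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe [11842152 2011-05-03] (Realtek Semiconductor)
GroupPolicy: Restriction <==== ATTENTION
S3 MBAMSwissArmy; C:\Windows\system32\drivers\MBAMSwissArmy.sys [129752 2014-12-06] (Malwarebytes Corporation)
S1 cherimoya; system32\drivers\cherimoya.sys [X]
2014-06-12 10:28 - 2014-04-10 22:59 - 000080296 _____ () C:\Users\Administrator\AppData\Local\Temp\nsvF799.tmp.exe
2017-05-15 17:56 - 2017-05-15 17:56 - 001285888 _____ ( ) C:\Users\BRI\AppData\Local\Temp\ICReinstall_adobe_flash_setup(1).exe
2017-04-24 16:14 - 2017-04-24 16:14 - 014456872 _____ (Microsoft Corporation) C:\Users\BRI\AppData\Local\Temp\vc_redist.x86.exe
"""

# Constructed sample Fixlog: the result block from post #8 plus one made-up
# fixlist entry (constructed_unprocessed.exe) that has no result line.
SAMPLE_FIXLOG = r"""
fixlist content:
*****************
GroupPolicy: Restriction <==== ATTENTION
S1 cherimoya; system32\drivers\cherimoya.sys [X]
2014-06-12 10:28 - 2014-04-10 22:59 - 000080296 _____ () C:\Users\Administrator\AppData\Local\Temp\nsvF799.tmp.exe
2017-04-24 16:14 - 2017-04-24 16:14 - 014456872 _____ (Microsoft Corporation) C:\Users\BRI\AppData\Local\Temp\vc_redist.x86.exe
2017-01-01 00:00 - 2017-01-01 00:00 - 000001234 _____ () C:\Users\BRI\AppData\Local\Temp\constructed_unprocessed.exe
*****************

C:\Windows\System32\GroupPolicy\Machine => moved successfully
HKLM\System\ControlSet001\Services\cherimoya => key removed successfully
cherimoya => service removed successfully
C:\Users\Administrator\AppData\Local\Temp\nsvF799.tmp.exe => moved successfully
C:\Users\BRI\AppData\Local\Temp\vc_redist.x86.exe => moved successfully

==== End of Fixlog 21:25:50 ====
"""

# "S1 name; path [X]": a service/driver entry whose binary FRST could not find.
SERVICE_MISSING_RE = re.compile(r"^([SR]\d)\s+([^;]+);\s+(.+?)\s+\[X\]\s*$")
# "created - modified - size attrs (publisher) path"; the publisher is optional.
FILE_RE = re.compile(
    r"^(\d{4}-\d\d-\d\d \d\d:\d\d) - (\d{4}-\d\d-\d\d \d\d:\d\d) - "
    r"(\d{9}) (\S{5})(?: \((.*?)\))? (.+)$"
)
EXECUTABLE_SUFFIXES = (".exe", ".dll", ".scr", ".sys")


def triage(log_text):
    """Return (kind, detail) findings for the entries worth a second look."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if "<==== ATTENTION" in line:            # FRST's own flag
            findings.append(("attention", line.split("<====")[0].strip()))
            continue
        m = SERVICE_MISSING_RE.match(line)
        if m:                                     # service with no binary on disk
            findings.append(("missing_file_service", m.group(2)))
            continue
        m = FILE_RE.match(line)
        if m:
            publisher, path = m.group(5), m.group(6)
            lower = path.lower()
            unsigned = publisher is None or not publisher.strip()
            if lower.endswith(EXECUTABLE_SUFFIXES) and "\\temp\\" in lower and unsigned:
                findings.append(("unsigned_temp_executable", path))
    return findings


def split_fixlog(fixlog_text):
    """Return (fixlist entries, result lines) from a Fixlog.txt."""
    lines = [l.strip() for l in fixlog_text.splitlines()]
    stars = [i for i, l in enumerate(lines) if l.startswith("*****")]
    if len(stars) < 2:
        raise ValueError("fixlist block not found")
    fixlist = [l for l in lines[stars[0] + 1:stars[1]] if l]
    results = [l for l in lines[stars[1] + 1:] if " => " in l]
    return fixlist, results


def fixlist_key(entry):
    """The identifier FRST echoes back in its result line for a fixlist entry."""
    m = SERVICE_MISSING_RE.match(entry)
    if m:
        return m.group(2)                  # service name
    m = FILE_RE.match(entry)
    if m:
        return m.group(6)                  # full path
    return entry.split(":")[0].strip()     # "Name: value" lines, e.g. GroupPolicy


def verify_fixlog(fixlog_text):
    """Map each fixlist key to True if a result line confirms it was acted on."""
    fixlist, results = split_fixlog(fixlog_text)
    status = {}
    for entry in fixlist:
        key = fixlist_key(entry)
        status[key] = any(key.lower() in r.lower() and r.lower().endswith("successfully")
                          for r in results)
    return status


if __name__ == "__main__":
    for kind, detail in triage(SAMPLE_FRST):
        print(f"[{kind}] {detail}")
    for key, ok in verify_fixlog(SAMPLE_FIXLOG).items():
        print(("confirmed   " if ok else "UNCONFIRMED ") + key)
```

Findings from triage() are candidates for review, not verdicts: FRST prints `[X]` for any service whose binary is absent, and a leftover installer in Temp is common on a home PC. verify_fixlog() is the check to run before answering "is the PC clean?": a fixlist entry with no matching result line was never acted on, so the next round of scans should still expect to see it.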
  9. Briab Guy

    Briab Guy

    Joined:
    Sep 23, 1999
    Messages:
    991
    cherimoya
    nsvF799.tmp.exe
    BingSvc.exe
    BSvcProcessor.exe
    BSvcUpdater.exe
    ICReinstall_adobe_flash_setup(1).exe
    vc_redist.x86.exe

    Is it safe to say that with these gone the PC is clean?
    thanks
     
  10. Broni

    Broni Malware Annihilator Staff Member

    Joined:
    Jan 20, 2015
    Messages:
    664
    Location:
    Daly City, CA
    We'll run some more checks but I need to know if you can boot normally into an administrative account.

    If so...

    Download RogueKiller from one of the following links and save it to your Desktop:

    Link 1
    Link 2
    • Close all the running programs
    • Double click on downloaded setup.exe file to install the program.
    • Click on Start Scan button.
    • Click on another Start Scan button.
    • Wait until the Status box shows Scan Finished
    • Click on Remove Selected.
    • Wait until the Status box shows Deleting Finished.
    • Click on Report and copy/paste the content of the Notepad into your next reply.
    • RKreport.txt could also be found on your desktop.
    • If more than one log is produced post all logs.
    Please download Malwarebytes to your desktop.
    • Double-click mb3-setup-consumer-{version}.exe and follow the prompts to install the program.
    • Then click Finish.
    • Once the program has fully updated, select Scan Now on the Dashboard. Or select the Threat Scan from the Scan menu.
    • If another update of the definitions is available, it will be implemented before the rest of the scanning procedure.
    • When the scan is complete, make sure that all Threats are selected, and click Remove Selected.
    • Restart your computer when prompted to do so.
    • The Scan log is available through History -> Application logs. Please post its contents in your next reply.
    Please download AdwCleaner by Xplode and save it to your Desktop.
    • Double click on AdwCleaner.exe to run the tool.
      Vista/Windows 7/8/10 users right-click and select Run As Administrator
    • The tool will start to update the database if one is required.
    • Click on the Scan button.
    • AdwCleaner will begin...be patient as the scan may take some time to complete.
    • After the scan has finished, click on the Logfile button.
    • A window will open which lists the logs of your scans.
    • Click on the Scan tab.
    • Double-click the most recent scan which will be at the top of the list....the log will appear.
    • Review the results...see note below
    • After reviewing the log, click on the Clean button.
    • Press OK when asked to close all programs and follow the onscreen prompts.
    • Press OK again to allow AdwCleaner to restart the computer and complete the removal process.
    • After rebooting, a logfile report (AdwCleaner[CX].txt) will open automatically (where the largest value of X represents the most recent report).
    • To open a Cleaning log, launch AdwCleaner, click on the Logfile button, click on the Cleaning tab and double-click the log at the top of the list.
    • Copy and paste the contents of AdwCleaner[CX].txt in your next reply.
    • A copy of all logfiles is saved to C:\AdwCleaner.
    -- Note: The contents of the AdwCleaner log file may be confusing. Unless you see a program name or entry that you recognize and know should not be removed, don't worry about it. If you see an entry you want to keep, return to AdwCleaner before cleaning...all detected items will be listed (and checked) in each tab. Click on and uncheck any items you want to keep.
     
  11. Briab Guy

    Briab Guy

    Joined:
    Sep 23, 1999
    Messages:
    991
    I can log on with a user that has Admin rights, not the actual Administrator.
    So much for being clean.

    RogueKiller V12.11.22.0 (x64) [Oct 30 2017] (Free) by Adlice Software
    mail : Contact - Adlice Software
    Feedback : Adlice forum - Home
    Website : RogueKiller Anti-Malware Free Download - Official Website
    Blog : Adlice Software - The Best Security Software, for FREE

    Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
    Started in : Normal mode
    User : BRI [Administrator]
    Started from : C:\Program Files\RogueKiller\RogueKiller64.exe
    Mode : Scan -- Date : 11/04/2017 13:29:15 (Duration : 00:18:22)

    ¤¤¤ Processes : 0 ¤¤¤

    ¤¤¤ Registry : 64 ¤¤¤
    [PUP.Gen0] (X64) HKEY_CLASSES_ROOT\CLSID\{5A4E3A41-FA55-4BDA-AED7-CEBE6E7BCB52} (C:\Program Files (x86)\surf slide\bin\{701fedb9-78f9-4f55-91f9-de6c537e6fdc}64.dll) -> Found
    [PUP.Gen1] (X86) HKEY_LOCAL_MACHINE\Software\IePlugin -> Found
    [PUP.Gen1] (X86) HKEY_LOCAL_MACHINE\Software\ParetoLogic -> Found
    [PUP.SearchProtect|PUP.Gen1] (X86) HKEY_LOCAL_MACHINE\Software\SEARCHPROTECT -> Found
    [PUP.SweetIM|PUP.Gen1] (X86) HKEY_LOCAL_MACHINE\Software\SWEETIM -> Found
    [PUP.Gen1] (X86) HKEY_LOCAL_MACHINE\Software\Taronja -> Found
    [PUP.Gen1] (X86) HKEY_LOCAL_MACHINE\Software\Tutorials -> Found
    [PUP.Gen1] (X86) HKEY_LOCAL_MACHINE\Software\v9Software -> Found
    [PUP.Gen1] (X86) HKEY_LOCAL_MACHINE\Software\Visualbee -> Found
    [PUP.Gen1] (X86) HKEY_LOCAL_MACHINE\Software\WAJAM -> Found
    [PUP.Gen1] (X86) HKEY_LOCAL_MACHINE\Software\{1146AC44-2F03-4431-B4FD-889BC837521F} -> Found
    [PUP.Gen1] (X86) HKEY_LOCAL_MACHINE\Software\{3A7D3E19-1B79-4E4E-BD96-5467DA2C4EF0} -> Found
    [PUP.Gen1] (X86) HKEY_LOCAL_MACHINE\Software\{6791A2F3-FC80-475C-A002-C014AF797E9C} -> Found
    [PUP.Ask|PUP.Gen1] (X64) HKEY_USERS\.DEFAULT\Software\AskPartnerNetwork -> Found
    [PUP.Gen1] (X64) HKEY_USERS\.DEFAULT\Software\IM -> Found
    [PUP.Gen1] (X64) HKEY_USERS\.DEFAULT\Software\ImInstaller -> Found
    [PUP.Gen1] (X64) HKEY_USERS\.DEFAULT\Software\PCTechHotline -> Found
    [PUP.SweetIM|PUP.Gen1] (X64) HKEY_USERS\.DEFAULT\Software\SweetIM -> Found
    [PUP.Gen1] (X64) HKEY_USERS\.DEFAULT\Software\Wajam -> Found
    [PUP.Ask|PUP.Gen1] (X86) HKEY_USERS\.DEFAULT\Software\AskPartnerNetwork -> Found
    [PUP.Gen1] (X86) HKEY_USERS\.DEFAULT\Software\IM -> Found
    [PUP.Gen1] (X86) HKEY_USERS\.DEFAULT\Software\ImInstaller -> Found
    [PUP.Gen1] (X86) HKEY_USERS\.DEFAULT\Software\PCTechHotline -> Found
    [PUP.SweetIM|PUP.Gen1] (X86) HKEY_USERS\.DEFAULT\Software\SweetIM -> Found
    [PUP.Gen1] (X86) HKEY_USERS\.DEFAULT\Software\Wajam -> Found
    [PUP.Gen1] (X64) HKEY_USERS\S-1-5-21-3391234477-3154659029-2313981676-1004\Software\AnyProtect -> Found
    [PUP.Gen1] (X64) HKEY_USERS\S-1-5-21-3391234477-3154659029-2313981676-1004\Software\InstallCore -> Found
    [PUP.Gen1] (X64) HKEY_USERS\S-1-5-21-3391234477-3154659029-2313981676-1004\Software\onesoftperday -> Found
    [PUP.Gen1] (X64) HKEY_USERS\S-1-5-21-3391234477-3154659029-2313981676-1004\Software\Red Sky -> Found
    [PUP.Gen1] (X64) HKEY_USERS\S-1-5-21-3391234477-3154659029-2313981676-1004\Software\Softonic -> Found
    [PUP.Gen1] (X64) HKEY_USERS\S-1-5-21-3391234477-3154659029-2313981676-1004\Software\StormWatch -> Found
    [PUP.Gen1] (X86) HKEY_USERS\S-1-5-21-3391234477-3154659029-2313981676-1004\Software\AnyProtect -> Found
    [PUP.Gen1] (X86) HKEY_USERS\S-1-5-21-3391234477-3154659029-2313981676-1004\Software\InstallCore -> Found
    [PUP.Gen1] (X86) HKEY_USERS\S-1-5-21-3391234477-3154659029-2313981676-1004\Software\onesoftperday -> Found
    [PUP.Gen1] (X86) HKEY_USERS\S-1-5-21-3391234477-3154659029-2313981676-1004\Software\Red Sky -> Found
    [PUP.Gen1] (X86) HKEY_USERS\S-1-5-21-3391234477-3154659029-2313981676-1004\Software\Softonic -> Found
    [PUP.Gen1] (X86) HKEY_USERS\S-1-5-21-3391234477-3154659029-2313981676-1004\Software\StormWatch -> Found
    [PUP.Ask|PUP.Gen1] (X64) HKEY_USERS\S-1-5-18\Software\AskPartnerNetwork -> Found
    [PUP.Gen1] (X64) HKEY_USERS\S-1-5-18\Software\IM -> Found
    [PUP.Gen1] (X64) HKEY_USERS\S-1-5-18\Software\ImInstaller -> Found
    [PUP.Gen1] (X64) HKEY_USERS\S-1-5-18\Software\PCTechHotline -> Found
    [PUP.SweetIM|PUP.Gen1] (X64) HKEY_USERS\S-1-5-18\Software\SweetIM -> Found
    [PUP.Gen1] (X64) HKEY_USERS\S-1-5-18\Software\Wajam -> Found
    [PUP.Ask|PUP.Gen1] (X86) HKEY_USERS\S-1-5-18\Software\AskPartnerNetwork -> Found
    [PUP.Gen1] (X86) HKEY_USERS\S-1-5-18\Software\IM -> Found
    [PUP.Gen1] (X86) HKEY_USERS\S-1-5-18\Software\ImInstaller -> Found
    [PUP.Gen1] (X86) HKEY_USERS\S-1-5-18\Software\PCTechHotline -> Found
    [PUP.SweetIM|PUP.Gen1] (X86) HKEY_USERS\S-1-5-18\Software\SweetIM -> Found
    [PUP.Gen1] (X86) HKEY_USERS\S-1-5-18\Software\Wajam -> Found
    [PUP.Gen1] (X64) HKEY_USERS\.DEFAULT\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F} -> Found
    [PUP.Gen1] (X86) HKEY_USERS\.DEFAULT\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F} -> Found
    [PUP.Gen1] (X64) HKEY_USERS\S-1-5-19\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F} -> Found
    [PUP.Gen1] (X86) HKEY_USERS\S-1-5-19\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F} -> Found
    [PUP.Gen1] (X64) HKEY_USERS\S-1-5-20\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F} -> Found
    [PUP.Gen1] (X86) HKEY_USERS\S-1-5-20\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F} -> Found
    [PUP.Gen1] (X64) HKEY_USERS\S-1-5-21-3391234477-3154659029-2313981676-1004\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F} -> Found
    [PUP.Gen1] (X86) HKEY_USERS\S-1-5-21-3391234477-3154659029-2313981676-1004\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F} -> Found
    [PUP.Gen1] (X64) HKEY_USERS\S-1-5-18\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F} -> Found
    [PUP.Gen1] (X86) HKEY_USERS\S-1-5-18\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F} -> Found
    [PUP.Gen1] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\{614925F9-841A-53FE-A28F-DC30FA07239B} -> Found
    [PUP.Gen0] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\HLNFD -> Found
    [PUP.Gen0] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\hlnfd -> Found
    [PUM.Proxy] (X64) HKEY_USERS\S-1-5-21-3391234477-3154659029-2313981676-1004\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyServer : http=127.0.0.1:9880;https=127.0.0.1:9880 -> Found
    [PUM.Proxy] (X86) HKEY_USERS\S-1-5-21-3391234477-3154659029-2313981676-1004\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyServer : http=127.0.0.1:9880;https=127.0.0.1:9880 -> Found

    ¤¤¤ Tasks : 8 ¤¤¤
    [PUP.Gen0|PUP.Gen1] %WINDIR%\Tasks\APSnotifierPP1.job -- C:\Program Files (x86)\AnyProtectEx\AnyProtect.exe (--notifier2 A1) -> Found
    [PUP.Gen0|PUP.Gen1] %WINDIR%\Tasks\APSnotifierPP2.job -- C:\Program Files (x86)\AnyProtectEx\AnyProtect.exe (--notifier2 B1) -> Found
    [PUP.Gen0|PUP.Gen1] %WINDIR%\Tasks\APSnotifierPP3.job -- C:\Program Files (x86)\AnyProtectEx\AnyProtect.exe (--notifier2 C1) -> Found
    [PUP.Gen1] %WINDIR%\Tasks\RegCure Pro_sch_48A67D70-CB32-11E3-8CC5-B870F4010848.job -- C:\Program Files (x86)\ParetoLogic\RegCure Pro\RegCurePro.exe ( /schedule:"48A67D70-CB32-11E3-8CC5-B870F4010848") -> Found
    [PUP.Gen1] \APSnotifierPP1 -- C:\Program Files (x86)\AnyProtectEx\AnyProtect.exe (--notifier2 A1) -> Found
    [PUP.Gen1] \APSnotifierPP2 -- C:\Program Files (x86)\AnyProtectEx\AnyProtect.exe (--notifier2 B1) -> Found
    [PUP.Gen1] \APSnotifierPP3 -- C:\Program Files (x86)\AnyProtectEx\AnyProtect.exe (--notifier2 C1) -> Found
    [PUP.Gen1] \RegCure Pro_sch_48A67D70-CB32-11E3-8CC5-B870F4010848 -- C:\Program Files (x86)\ParetoLogic\RegCure Pro\RegCurePro.exe (/schedule:"48A67D70-CB32-11E3-8CC5-B870F4010848") -> Found

    ¤¤¤ Files : 10 ¤¤¤
    [PUP.Gen1][Folder] C:\ProgramData\APN -> Found
    [PUP.Gen1][Folder] C:\ProgramData\ParetoLogic -> Found
    [Adw.NetFilter][File] C:\Windows\System32\drivers\netfilter64.sys -> Found
    [PUP.Gen1][Folder] C:\ProgramData\APN -> Found
    [PUP.Gen1][Folder] C:\ProgramData\ParetoLogic -> Found
    [PUP.Gen1][File] C:\$Recycle.Bin\S-1-5-21-3391234477-3154659029-2313981676-1000\$RIK3ZO5.lnk [[email protected]] C:\Users\BRI\AppData\Roaming\VOPackage\VOPackage.exe /deploy -> Found
    [PUP.Conduit|PUP.Gen1][Folder] C:\Program Files\Conduit -> Found
    [PUP.Gen1][Folder] C:\Program Files\Uninstaller -> Found
    [PUP.Gen1][Folder] C:\Program Files (x86)\Mobogenie -> Found
    [PUP.Gen1][Folder] C:\Program Files (x86)\predm -> Found

    ¤¤¤ WMI : 0 ¤¤¤

    ¤¤¤ Hosts File : 0 ¤¤¤

    ¤¤¤ Antirootkit : 0 (Driver: Loaded) ¤¤¤

    ¤¤¤ Web browsers : 0 ¤¤¤

    ¤¤¤ MBR Check : ¤¤¤
    +++++ PhysicalDrive0: TOSHIBA MK3265GSX SATA Disk Device +++++
    --- User ---
    [MBR] fe03ae148ae7df68f677b3fce3135514
    [BSP] f4fbc3eeb1c0c50ec1283cea5cd28389 : Windows Vista/7/8 MBR Code
    Partition table:
    0 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 2048 | Size: 100 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
    1 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 206848 | Size: 305143 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
    User = LL1 ... OK
    User = LL2 ... OK
    ********************************************************************************
    ****************************************************************************************
    *********************************************************************************
    THIS IS THE [S0] TXT
    BELOW IS THE [C0] TXT

    # AdwCleaner 7.0.4.0 - Logfile created on Sat Nov 04 18:31:18 2017
    # Updated on 2017/27/10 by Malwarebytes
    # Database: 11-03-2017.2
    # Running on Windows 7 Home Premium (X64)
    # Mode: scan
    # Support: Customer Support & Help Center

    ***** [ Services ] *****

    No malicious services found.

    ***** [ Folders ] *****

    PUP.Optional.Legacy, C:\Users\Administrator\AppData\Local\Mobogenie
    PUP.Optional.Legacy, C:\Users\Administrator\AppData\Roaming\eCyber
    PUP.Optional.Legacy, C:\Users\Administrator\AppData\Roaming\iSafe
    PUP.Optional.Legacy, C:\Users\Guest\AppData\Roaming\iSafe
    PUP.Optional.AuslogicsDriverUpdater, C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Auslogics
    PUP.Optional.AuslogicsDriverUpdater, C:\Program Files (x86)\Auslogics
    PUP.Optional.AuslogicsDriverUpdater, C:\Users\BRI\AppData\Roaming\Auslogics
    PUP.Optional.AuslogicsDriverUpdater, C:\Users\GUEST-1\AppData\Roaming\Auslogics
    PUP.Adware.Heuristic, C:\ProgramData\5592c465d53f7737


    ***** [ Files ] *****

    PUP.Optional.Legacy, C:\user.js
    PUP.Optional.Legacy, C:\Users\Administrator\daemonprocess.txt
    PUP.Optional.Legacy, C:\Users\Guest\daemonprocess.txt
    PUP.Optional.Legacy, C:\END
    PUP.Optional.Legacy, C:\Windows\SysNative\log\iSafeKrnlCall.log
    PUP.Optional.Legacy, C:\Users\Administrator\AppData\LocalLow\SkwConfig.bin
    PUP.Optional.Legacy, C:\Users\Guest\AppData\LocalLow\SkwConfig.bin
    PUP.Optional.AuslogicsDiskDefrag, C:\Users\Administrator\Desktop\Auslogics Disk Defrag.lnk
    PUP.Optional.AuslogicsDiskDefrag, C:\Users\GUEST-1\Desktop\Auslogics Disk Defrag.lnk


    ***** [ DLL ] *****

    No malicious DLLs found.

    ***** [ WMI ] *****

    No malicious WMI found.

    ***** [ Shortcuts ] *****

    No malicious shortcuts found.

    ***** [ Tasks ] *****

    PUP.Optional.Legacy, RPC


    ***** [ Registry ] *****

    PUP.Optional.Legacy, [Key] - HKCU\Software\Microsoft\Internet Explorer\DOMStorage\shoppingate.info
    PUP.Optional.Legacy, [Key] - HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\superfish.com
    PUP.Optional.Legacy, [Key] - HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\www.superfish.com
    PUP.Optional.Legacy, [Key] - HKU\.DEFAULT\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Software\MediaPlayerplus
    PUP.Optional.Legacy, [Key] - HKU\S-1-5-18\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Software\MediaPlayerplus
    PUP.Optional.Legacy, [Key] - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{DF6A13C0-77DF-41FE-BD05-6D5201EB0CE7}_is1
    PUP.Optional.Legacy, [Key] - HKLM\SOFTWARE\Classes\CLSID\{6EC77D09-02CB-4E1F-E3C4-FB141B2610B3}
    PUP.Optional.Legacy, [Value] - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID | {FED6A736-129B-49C7-857E-25FC91E87DB3}
    PUP.Optional.Legacy, [Key] - HKLM\SOFTWARE\Classes\Interface\{A9582D7B-F24A-441D-9D26-450D58F3CD17}
    PUP.Optional.Legacy, [Key] - HKLM\SOFTWARE\Classes\Interface\{EE0D8859-2ED4-4B0D-9812-16865B9AFD65}
    PUP.Optional.Legacy, [Key] - HKLM\SOFTWARE\Classes\TypeLib\{14EF423E-3EE8-44AE-9337-07AC3F27B744}
    PUP.Optional.Legacy, [Key] - HKLM\SOFTWARE\Classes\CLSID\{7D8DAE88-BC05-4578-8C29-E541FFBA5757}
    PUP.Optional.Legacy, [Key] - HKLM\SOFTWARE\Classes\AppID\{425F4ABF-B8E4-402D-9E49-06E494EB8DBF}
    PUP.Optional.Legacy, [Key] - HKLM\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}
    PUP.Optional.Legacy, [Key] - HKLM\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}
    PUP.Optional.Legacy, [Key] - HKLM\SOFTWARE\Classes\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}
    PUP.Optional.Legacy, [Key] - HKLM\SYSTEM\CurrentControlSet\Services\EventLog\Application
    PUP.Optional.Legacy, [Key] - HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Application
    PUP.Optional.Legacy, [Key] - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\MobogenieAdd
    PUP.Optional.Legacy, [Key] - HKLM\SYSTEM\CurrentControlSet\Control\iSafeKrnlBoot
    PUP.Optional.SofTonicAssistant, [Key] - HKCU\Software\Microsoft\Internet Explorer\DOMStorage\seamonkey.sd.en.softonic.com
    PUP.Optional.SofTonicAssistant, [Key] - HKCU\Software\Microsoft\Internet Explorer\DOMStorage\softonic.com
    PUP.Optional.SofTonicAssistant, [Key] - HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\softonic.com
    PUP.Optional.SupTab, [Value] - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID | {3593C8B9-8E18-4B4B-B7D3-CB8BEB1AA42C}
    PUP.Optional.AppEnable.A, [Key] - HKLM\SOFTWARE\Classes\CLSID\{5A4E3A41-FA55-4BDA-AED7-CEBE6E7BCB52}
    PUP.Optional.AppEnable.A, [Key] - HKLM\SOFTWARE\Classes\TypeLib\{A2D733A7-73B0-4C6B-B0C7-06A432950B66}
    PUP.Optional.AppEnable.A, [Key] - HKLM\SOFTWARE\Classes\Interface\{4E6354DE-9115-4AEE-BD21-C46C3E8A49DB}
    PUP.Optional.AppEnable.A, [Key] - HKLM\SOFTWARE\Classes\Interface\{FC073BDA-C115-4A1D-9DF9-9B5C461482E5}
    PUP.Optional.AuslogicsDriverUpdater, [Key] - HKU\S-1-5-21-3391234477-3154659029-2313981676-1004\Software\Auslogics
    PUP.Optional.AuslogicsDriverUpdater, [Key] - HKCU\Software\Auslogics
    PUP.Optional.BrowseFox.A, [Key] - HKLM\SOFTWARE\Classes\CLSID\{1AA60054-57D9-4F99-9A55-D0FBFBE7ECD3}


    ***** [ Firefox (and derivatives) ] *****

    No malicious Firefox entries.

    ***** [ Chromium (and derivatives) ] *****

    No malicious Chromium entries.

    *************************



    ########## EOF - C:\AdwCleaner\AdwCleaner[S0].txt ##########
    *******************************************************************************
    *****************************************************************************************
    ********************************************************************************
    THIS IS THE [C0] TXT

    # AdwCleaner 7.0.4.0 - Logfile created on Sat Nov 04 18:36:20 2017
    # Updated on 2017/27/10 by Malwarebytes
    # Running on Windows 7 Home Premium (X64)
    # Mode: clean
    # Support: Customer Support & Help Center

    ***** [ Services ] *****

    No malicious services deleted.

    ***** [ Folders ] *****

    Deleted: C:\Users\Administrator\AppData\Local\Mobogenie
    Deleted: C:\Users\Administrator\AppData\Roaming\eCyber
    Deleted: C:\Users\Administrator\AppData\Roaming\iSafe
    Deleted: C:\Users\Guest\AppData\Roaming\iSafe
    Deleted: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Auslogics
    Deleted: C:\Program Files (x86)\Auslogics
    Deleted: C:\Users\BRI\AppData\Roaming\Auslogics
    Deleted: C:\Users\GUEST-1\AppData\Roaming\Auslogics
    Deleted: C:\ProgramData\5592c465d53f7737


    ***** [ Files ] *****

    Deleted: C:\\user.js
    Deleted: C:\Users\Administrator\daemonprocess.txt
    Deleted: C:\Users\Guest\daemonprocess.txt
    Deleted: C:\END
    Deleted: C:\Windows\SysNative\log\iSafeKrnlCall.log
    Deleted: C:\Users\Administrator\AppData\LocalLow\SkwConfig.bin
    Deleted: C:\Users\Guest\AppData\LocalLow\SkwConfig.bin
    Deleted: C:\Users\Administrator\Desktop\Auslogics Disk Defrag.lnk
    Deleted: C:\Users\GUEST-1\Desktop\Auslogics Disk Defrag.lnk


    ***** [ DLL ] *****

    No malicious DLLs cleaned.

    ***** [ WMI ] *****

    No malicious WMI cleaned.

    ***** [ Shortcuts ] *****

    No malicious shortcuts cleaned.

    ***** [ Tasks ] *****

    Deleted: RPC


    ***** [ Registry ] *****

    Deleted: [Key] - HKCU\Software\Microsoft\Internet Explorer\DOMStorage\shoppingate.info
    Deleted: [Key] - HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\superfish.com
    Deleted: [Key] - HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\www.superfish.com
    Deleted: [Key] - HKU\.DEFAULT\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Software\MediaPlayerplus
    Deleted: [Key] - HKU\S-1-5-18\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Software\MediaPlayerplus
    Deleted: [Key] - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{DF6A13C0-77DF-41FE-BD05-6D5201EB0CE7}_is1
    Deleted: [Key] - HKLM\SOFTWARE\Classes\CLSID\{6EC77D09-02CB-4E1F-E3C4-FB141B2610B3}
    Deleted: [Value] - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID|{FED6A736-129B-49C7-857E-25FC91E87DB3}
    Deleted: [Key] - HKLM\SOFTWARE\Classes\Interface\{A9582D7B-F24A-441D-9D26-450D58F3CD17}
    Deleted: [Key] - HKLM\SOFTWARE\Classes\Interface\{EE0D8859-2ED4-4B0D-9812-16865B9AFD65}
    Deleted: [Key] - HKLM\SOFTWARE\Classes\TypeLib\{14EF423E-3EE8-44AE-9337-07AC3F27B744}
    Deleted: [Key] - HKLM\SOFTWARE\Classes\CLSID\{7D8DAE88-BC05-4578-8C29-E541FFBA5757}
    Deleted: [Key] - HKLM\SOFTWARE\Classes\AppID\{425F4ABF-B8E4-402D-9E49-06E494EB8DBF}
    Deleted: [Key] - HKLM\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}
    Deleted: [Key] - HKLM\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}
    Deleted: [Key] - HKLM\SOFTWARE\Classes\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}
    Deleted: [Key] - HKLM\SYSTEM\CurrentControlSet\Services\EventLog\Application
    Deleted: [Key] - HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Application
    Deleted: [Key] - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\MobogenieAdd
    Deleted: [Key] - HKLM\SYSTEM\CurrentControlSet\Control\iSafeKrnlBoot
    Deleted: [Key] - HKCU\Software\Microsoft\Internet Explorer\DOMStorage\seamonkey.sd.en.softonic.com
    Deleted: [Key] - HKCU\Software\Microsoft\Internet Explorer\DOMStorage\softonic.com
    Deleted: [Key] - HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\softonic.com
    Deleted: [Value] - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID|{3593C8B9-8E18-4B4B-B7D3-CB8BEB1AA42C}
    Deleted: [Key] - HKLM\SOFTWARE\Classes\CLSID\{5A4E3A41-FA55-4BDA-AED7-CEBE6E7BCB52}
    Deleted: [Key] - HKLM\SOFTWARE\Classes\TypeLib\{A2D733A7-73B0-4C6B-B0C7-06A432950B66}
    Deleted: [Key] - HKLM\SOFTWARE\Classes\Interface\{4E6354DE-9115-4AEE-BD21-C46C3E8A49DB}
    Deleted: [Key] - HKLM\SOFTWARE\Classes\Interface\{FC073BDA-C115-4A1D-9DF9-9B5C461482E5}
    Deleted: [Key] - HKU\S-1-5-21-3391234477-3154659029-2313981676-1004\Software\Auslogics
    Deleted: [Key] - HKCU\Software\Auslogics
    Deleted: [Key] - HKLM\SOFTWARE\Classes\CLSID\{1AA60054-57D9-4F99-9A55-D0FBFBE7ECD3}


    ***** [ Firefox (and derivatives) ] *****

    No malicious Firefox entries deleted.

    ***** [ Chromium (and derivatives) ] *****

    No malicious Chromium entries deleted.

    *************************

    ::Tracing keys deleted
    ::Winsock settings cleared
    ::Additional Actions: 0



    *************************

    C:/AdwCleaner/AdwCleaner[S0].txt - [5484 B] - [2017/11/4 18:31:18]


    ########## EOF - C:\AdwCleaner\AdwCleaner[C0].txt ##########
     
    Last edited: Nov 4, 2017
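    The RogueKiller scan log above is long, and the entry that matters most from a defender's point of view is easy to miss among the PUP keys: the [PUM.Proxy] line, which shows Internet Explorer's ProxyServer value pointing at 127.0.0.1:9880, so every http/https request from that user account was being routed through a local process before it left the machine, and the [Adw.NetFilter] line, which is a kernel driver under System32\drivers. The following is an added example, not part of this thread and not Adlice's own code or format specification: a small Python triage script that parses lines in the layout of that log (the sample lines are copied from the log in this post), counts detections per family, lists any kernel driver detections and flags ProxyServer values that point at a loopback address. The regular expressions are my assumptions about the log layout based only on the lines visible here.

```python
import re
import ipaddress
from collections import Counter

# Constructed sample: a few lines copied from the RogueKiller scan log posted in this thread,
# kept in the same layout so the parser below can be tried offline.
SAMPLE_LOG = r"""
¤¤¤ Registry : 64 ¤¤¤
[PUP.Gen0] (X64) HKEY_CLASSES_ROOT\CLSID\{5A4E3A41-FA55-4BDA-AED7-CEBE6E7BCB52} (C:\Program Files (x86)\surf slide\bin\{701fedb9-78f9-4f55-91f9-de6c537e6fdc}64.dll) -> Found
[PUP.SearchProtect|PUP.Gen1] (X86) HKEY_LOCAL_MACHINE\Software\SEARCHPROTECT -> Found
[PUP.Gen0] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\HLNFD -> Found
[PUM.Proxy] (X64) HKEY_USERS\S-1-5-21-3391234477-3154659029-2313981676-1004\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyServer : http=127.0.0.1:9880;https=127.0.0.1:9880 -> Found

¤¤¤ Tasks : 8 ¤¤¤
[PUP.Gen0|PUP.Gen1] %WINDIR%\Tasks\APSnotifierPP1.job -- C:\Program Files (x86)\AnyProtectEx\AnyProtect.exe (--notifier2 A1) -> Found

¤¤¤ Files : 10 ¤¤¤
[Adw.NetFilter][File] C:\Windows\System32\drivers\netfilter64.sys -> Found
[PUP.Gen1][Folder] C:\ProgramData\APN -> Found
"""

# Section header, e.g. "¤¤¤ Registry : 64 ¤¤¤" (assumed layout, based on the posted log).
SECTION_RE = re.compile(r"^¤¤¤ (?P<name>[A-Za-z ]+?) :(?: (?P<count>\d+))?")
# Detection line: one or more [tags], optional (X64)/(X86), the target, then "-> Found".
FINDING_RE = re.compile(
    r"^(?P<tags>(?:\[[^\]]+\])+) "
    r"(?:\((?P<arch>X64|X86)\) )?"
    r"(?P<body>.+?) -> (?P<status>Found|Deleted|Replaced|Not selected)$"
)
# Registry value detections carry " | ValueName : data" after the key path.
PROXY_RE = re.compile(r" \| ProxyServer : (?P<value>\S+)$")
ITEM_TYPES = {"File", "Folder"}


def parse_roguekiller(text):
    """Parse detection lines into dicts: section, families, item_type, arch, target, proxy, status."""
    findings, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group("name").strip()
            continue
        m = FINDING_RE.match(line)
        if not m or section is None:
            continue
        families, item_type = [], None
        for tag in re.findall(r"\[([^\]]+)\]", m.group("tags")):
            if tag in ITEM_TYPES:
                item_type = tag
            else:
                families.extend(tag.split("|"))   # "[PUP.A|PUP.B]" lists several families
        body, proxy = m.group("body"), None
        pm = PROXY_RE.search(body)
        if pm:
            proxy = pm.group("value")
            body = body[:pm.start()]
        findings.append({"section": section, "families": families, "item_type": item_type,
                         "arch": m.group("arch"), "target": body, "proxy": proxy,
                         "status": m.group("status")})
    return findings


def family_counts(findings):
    """How many detections each family (PUP.Gen1, PUM.Proxy, ...) accounts for."""
    return Counter(fam for f in findings for fam in f["families"])


def kernel_drivers(findings):
    """Detected .sys files: a driver in the kernel deserves a closer look than a PUP folder."""
    return [f["target"] for f in findings if f["target"].lower().endswith(".sys")]


def loopback_proxies(findings):
    """(scheme, host, port) for every ProxyServer entry that sends traffic to a loopback address."""
    hits = []
    for f in findings:
        if not f["proxy"]:
            continue
        for part in f["proxy"].split(";"):
            scheme, _, hostport = part.partition("=")
            if not hostport:                 # bare "host:port" form applies to every scheme
                scheme, hostport = "*", part
            host, _, port = hostport.rpartition(":")
            try:
                if ipaddress.ip_address(host).is_loopback:
                    hits.append((scheme, host, int(port)))
            except ValueError:
                pass                         # hostname or malformed entry: not a loopback IP
    return hits


if __name__ == "__main__":
    found = parse_roguekiller(SAMPLE_LOG)
    print(family_counts(found))
    print("kernel drivers:", kernel_drivers(found))
    print("loopback proxies:", loopback_proxies(found))
```

    On the sample lines the script reports a local proxy on 127.0.0.1:9880 for both http and https and one driver, netfilter64.sys, which is the order in which a responder would want to look at the findings: the proxy and the driver first, the leftover PUP keys and folders afterwards.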
  12. Briab Guy

    Briab Guy

    Joined:
    Sep 23, 1999
    Messages:
    991
    This is the Malwarebytes file
     

    Attached Files:

    Last edited: Nov 4, 2017
  13. Broni

    Broni Malware Annihilator Staff Member

    Joined:
    Jan 20, 2015
    Messages:
    664
    Location:
    Daly City, CA
  14. Briab Guy

    Briab Guy

    Joined:
    Sep 23, 1999
    Messages:
    991
    Yeah, I got weak knees. I'm not as confident as I used to be, and MB was what was running when it crashed on me.
    I have run it again and let it remove files. It left 776 files after the first clean-up. I will run it again to get out the rest.
    I am posting the files it left behind. They are all PUP files, so probably not going to do any harm when I remove them.
    This is the most infected PC I ever cleaned out. And it took the longest. Then again, it belongs to a 16-year-old girl.

    Thanks one more time for your help
    Brian
    Quick question,
    what programs do you use to do maintenance on your PC? Malware, adware, etc.
     

    Attached Files:

    Last edited: Nov 5, 2017
  15. Broni

    Broni Malware Annihilator Staff Member

    Joined:
    Jan 20, 2015
    Messages:
    664
    Location:
    Daly City, CA
    It still says "No Action By User".
     
  16. Briab Guy

    Briab Guy

    Joined:
    Sep 23, 1999
    Messages:
    991
    Threats Detected: 776
    Threats Quarantined: 776
    That's the last of 1631. I should have kept track of how many other bad files there were.
    I was going to leave some bad files so I could show Bre how to run MB and some other programs, but getting a teenager to sit down and learn "how to..." probably will not happen.

    Thanks again, it is appreciated.
    If you have time, what programs do you think are best to run to keep on top of this stuff?
    I run my browser sandboxed, and it seems to work. But I try to help other people, and your advice would help.
     

    Attached Files:

  17. Broni

    Broni Malware Annihilator Staff Member

    Joined:
    Jan 20, 2015
    Messages:
    664
    Location:
    Daly City, CA
    Good :)
    I'll post some hints at the end of this topic.

    Re-run the Farbar Recovery Scan Tool (FRST/FRST64) that you ran at the very beginning of this topic.

    • Double click to run it.
    • Make sure you checkmark Addition.txt box.
    • Press Scan button.
    • Scan will create two logs, FRST.txt and Addition.txt in the same directory the tool is run. Please copy and paste them to your reply.

    Run it normally, from Windows, not from a USB drive.