safeman (Author) Posted August 25, 2014

New computer. Some of the included software from the manufacturer has "ATTENTION" flags in the Addition.txt file. Need fixing? Note that I uninstalled the Microsoft Reader App since this log was run. I have attached the logs. They are too long to post.

Attachments: Addition.txt, FRST.txt
Psychotic Posted August 25, 2014

Hi there, my name is Marius and I will assist you with your malware related problems.

Before we move on, please read the following points carefully.

- First, read my instructions completely. If there is anything that you do not understand, kindly ask before proceeding.
- Perform everything in the correct order. Sometimes one step requires the previous one.
- If you have any problems while following my instructions, stop there and tell me the exact nature of your problem.
- Do not run any other scans without instruction or add/remove software unless I tell you to do so. This would change the output of our tools and could be confusing for me.
- Post all logfiles as a reply rather than as an attachment unless I specifically ask you. If you can not post all logfiles in one reply, feel free to use more posts.
- If I don't hear from you within 3 days from this initial or any subsequent post, then this thread will be closed.
- Stay with me. I will give you some advice about prevention after the cleanup process. Absence of symptoms does not always mean the computer is clean.
- My first language is not English. So please do not use slang or idioms. It could be hard for me to read. Thanks for your understanding.

Scan with Gmer rootkit scanner

Please download Gmer from here by clicking on the "Download EXE" button.
- Double click on the randomly named GMER.exe. If asked to allow gmer.sys driver to load, please consent.
- If it gives you a warning about rootkit activity and asks if you want to run scan... click on NO.
- In the right panel, you will see several boxes that have been checked. Uncheck the following:
  - Sections
  - IAT/EAT
  - Show All (should be unchecked by default)
- Leave everything else as it is.
- Close all other running programs as well as your Browser.
- Click the Scan button & wait for it to finish.
- Once done click on the Save... button, and in the File name area, type in "ark.txt" or it will save as a .log file which cannot be uploaded to your post.
- Save it where you can easily find it, such as your desktop.
- Please post the content of the ark.txt here.

**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries.
safeman (Author) Posted August 25, 2014

Hey Marius - I downloaded randomly named GMER.exe and tried to run the program a couple of times. Each time I immediately get a blue screen that the system needs to reboot and an error message "WHEA_Uncorrectable_Error." I ran the event viewer and found this message:

The computer has rebooted from a bugcheck. The bugcheck was: 0x00000124 (0x0000000000000000, 0xffffe00134aa9028, 0x00000000fe000000, 0x0000000000801136). A dump was saved in: C:\Windows\MEMORY.DMP. Report Id: 082514-7343-01.

What should I do?
Psychotic Posted August 26, 2014

Skip Gmer:

Please download Malwarebytes Anti-Rootkit from here.
- Unzip the contents to a folder in a convenient location.
- Open the folder where the contents were unzipped and run mbar.exe
- Follow the instructions in the wizard to update and allow the program to scan your computer for threats.
- If any threats are found, don't click the Cleanup button - rather save the log and post it up in your topic.
safeman (Author) Posted August 26, 2014

---------------------------------------
Malwarebytes Anti-Rootkit BETA 1.07.0.1012
© Malwarebytes Corporation 2011-2012

OS version: 6.3.9200 Windows 8.1 x64

Account is Administrative

Internet Explorer version: 11.0.9600.17239

File system is: NTFS
Disk drives: C:\ DRIVE_FIXED, D:\ DRIVE_FIXED, H:\ DRIVE_FIXED
CPU speed: 2.394000 GHz
Memory total: 17057144832, free: 14623326208

Downloaded database version: v2014.08.26.02
Downloaded database version: v2014.08.21.01
=======================================
Initializing...
Done!
Scanning drivers directory: C:\WINDOWS\SYSTEM32\drivers...
Done!

Drive 0
Scanning MBR on drive 0...
Inspecting partition table:
This drive is a GPT Drive.
MBR Signature: 55AA
Disk Signature: 96DFABA3

GPT Protective MBR Partition information:
Partition 0 type is EFI-GPT (0xee)
Partition is NOT ACTIVE.
Partition starts at LBA: 1  Numsec = 4294967295
Partition 1 type is Empty (0x0)
Partition is NOT ACTIVE.
Partition starts at LBA: 0  Numsec = 0
Partition 2 type is Empty (0x0)
Partition is NOT ACTIVE.
Partition starts at LBA: 0  Numsec = 0
Partition 3 type is Empty (0x0)
Partition is NOT ACTIVE.
Partition starts at LBA: 0  Numsec = 0

GPT Partition information:
GPT Header Signature 4546492050415254
GPT Header Revision 65536 Size 92 CRC 1925365281
GPT Header CurrentLba = 1 BackupLba 1953525167
GPT Header FirstUsableLba 34 LastUsableLba 1953525134
GPT Header Guid 4c22965e-2ca5-4aec-af9f-a68b46a1ec74
GPT Header Contains 128 partition entries starting at LBA 2
GPT Header Partition entry size = 128
Backup GPT header Signature 4546492050415254
Backup GPT header Revision 65536 Size 92 CRC 1925365281
Backup GPT header CurrentLba = 1953525167 BackupLba 1
Backup GPT header FirstUsableLba 34 LastUsableLba 1953525134
Backup GPT header Guid 4c22965e-2ca5-4aec-af9f-a68b46a1ec74
Backup GPT header Contains 128 partition entries starting at LBA 1953525135
Backup GPT header Partition entry size = 128

Partition 0 Type ebd0a0a2-b9e5-4433-87c0-68b6b72699c7
Partition ID 26951cb3-7fa3-4acd-b667-47c3af17ec89
FirstLBA 2048 Last LBA 1953521663
Attributes 0
Partition Name Basic data partition

Disk Size: 1000204886016 bytes
Sector size: 512 bytes
Done!

Drive 1
This is a System drive
Scanning MBR on drive 1...
Inspecting partition table:
This drive is a GPT Drive.
MBR Signature: 55AA
Disk Signature: 18DEE794

GPT Protective MBR Partition information:
Partition 0 type is EFI-GPT (0xee)
Partition is NOT ACTIVE.
Partition starts at LBA: 1  Numsec = 4294967295
Partition 1 type is Empty (0x0)
Partition is NOT ACTIVE.
Partition starts at LBA: 0  Numsec = 0
Partition 2 type is Empty (0x0)
Partition is NOT ACTIVE.
Partition starts at LBA: 0  Numsec = 0
Partition 3 type is Empty (0x0)
Partition is NOT ACTIVE.
Partition starts at LBA: 0  Numsec = 0

GPT Partition information:
GPT Header Signature 4546492050415254
GPT Header Revision 65536 Size 92 CRC 636994961
GPT Header CurrentLba = 1 BackupLba 500118191
GPT Header FirstUsableLba 34 LastUsableLba 500118158
GPT Header Guid 77bfcc8b-3074-4a78-95e4-12479c1f3924
GPT Header Contains 128 partition entries starting at LBA 2
GPT Header Partition entry size = 128
Backup GPT header Signature 4546492050415254
Backup GPT header Revision 65536 Size 92 CRC 636994961
Backup GPT header CurrentLba = 500118191 BackupLba 1
Backup GPT header FirstUsableLba 34 LastUsableLba 500118158
Backup GPT header Guid 77bfcc8b-3074-4a78-95e4-12479c1f3924
Backup GPT header Contains 128 partition entries starting at LBA 500118159
Backup GPT header Partition entry size = 128

Partition 0 Type c12a7328-f81f-11d2-ba4b-0a0c93ec93b
Partition ID 8dc66ecc-8974-46d0-b5fb-47c9d4d7bf4
FirstLBA 2048 Last LBA 206847
Attributes 0
Partition Name EFI system partition
GPT Partition 0 is bootable

Partition 1 Type de94bba4-6d1-4d40-a16a-bfd5179d6ac
Partition ID 72e1492-21de-49fe-a947-7582d2266dee
FirstLBA 206848 Last LBA 2050047
Attributes 1
Partition Name Basic data partition

Partition 2 Type e3c9e316-b5c-4db8-817d-f92df0215ae
Partition ID 17a25a41-e124-4bec-b06b-56e07ec59293
FirstLBA 2050048 Last LBA 2312191
Attributes 0
Partition Name Microsoft reserved partition

Partition 3 Type ebd0a0a2-b9e5-4433-87c0-68b6b72699c7
Partition ID 6ba3fb57-56af-46e0-ae5a-33d2d962115
FirstLBA 2312192 Last LBA 458151935
Attributes 0
Partition Name Basic data partition

Partition 4 Type de94bba4-6d1-4d40-a16a-bfd5179d6ac
Partition ID bd2666b1-80fe-47ab-9a72-10ac121617f8
FirstLBA 458153984 Last LBA 500117503
Attributes 1
Partition Name Basic data partition

Disk Size: 256060514304 bytes
Sector size: 512 bytes
Done!

Drive 2
Scanning MBR on drive 2...
Inspecting partition table:
MBR Signature: 55AA
Disk Signature: F44AE551

Partition information:
Partition 0 type is Primary (0x7)
Partition is NOT ACTIVE.
Partition starts at LBA: 2048  Numsec = 3907024896
Partition 1 type is Empty (0x0)
Partition is NOT ACTIVE.
Partition starts at LBA: 0  Numsec = 0
Partition 2 type is Empty (0x0)
Partition is NOT ACTIVE.
Partition starts at LBA: 0  Numsec = 0
Partition 3 type is Empty (0x0)
Partition is NOT ACTIVE.
Partition starts at LBA: 0  Numsec = 0

Disk Size: 2000398934016 bytes
Sector size: 512 bytes
Done!

Scan finished
Psychotic Posted August 26, 2014

Fix with FRST (normal mode)

WARNING: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.

- Download the attached fixlist.txt and save it to the location where FRST is saved to.
- Run FRST.exe (on 64bit, run FRST64.exe) and press the Fix button just once and wait.
- The tool will make a log (Fixlog.txt) which you find where you saved FRST. Please post it to your reply.

Full System Scan with Malwarebytes Antimalware

If not existing, please download Malwarebytes Anti-Malware to your desktop.
- Double-click mbam-setup-2.0.0.1000.exe and follow the prompts to install the program.
- At the end, be sure a checkmark is placed next to the following: Launch Malwarebytes Anti-Malware
- A 14 day trial of the Premium features is pre-selected. You may deselect this if you wish, and it will not diminish the scanning and removal capabilities of the program.
- Click Finish.

If the program is already installed:
- Run Malwarebytes Antimalware
- On the Dashboard, click the 'Update Now >>' link
- After the update completes, click the 'Scan Now >>' button.
- Or, on the Dashboard, click the Scan Now >> button. If an update is available, click the Update Now button.
- A Threat Scan will begin.
- When the scan is complete, if there have been detections, click Apply Actions to allow MBAM to clean what was detected.
- In most cases, a restart will be required. Wait for the prompt to restart the computer to appear, then click on Yes.
- After the restart once you are back at your desktop, open MBAM once more.
- Click on the History tab > Application Logs.
- Double click on the scan log which shows the Date and time of the scan just performed.
- Click 'Copy to Clipboard'
- Paste the contents of the clipboard into your reply.

Attachment: fixlist.txt
safeman (Author) Posted August 26, 2014

Malwarebytes Anti-Malware
www.malwarebytes.org

Scan Date: 8/26/2014
Scan Time: 1:06:54 PM
Logfile:
Administrator: Yes

Version: 2.00.2.1012
Malware Database: v2014.08.26.05
Rootkit Database: v2014.08.21.01
License: Premium
Malware Protection: Enabled
Malicious Website Protection: Enabled
Self-protection: Disabled

OS: Windows 8.1
CPU: x64
File System: NTFS
User: Warren

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 303060
Time Elapsed: 4 min, 27 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled

Processes: 0
(No malicious items detected)

Modules: 0
(No malicious items detected)

Registry Keys: 0
(No malicious items detected)

Registry Values: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Folders: 0
(No malicious items detected)

Files: 0
(No malicious items detected)

Physical Sectors: 0
(No malicious items detected)

(end)
safeman (Author) Posted August 26, 2014

Did not know personal protection was disabled - enabled now and re-scan.

Malwarebytes Anti-Malware
www.malwarebytes.org

Scan Date: 8/26/2014
Scan Time: 1:20:55 PM
Logfile:
Administrator: Yes

Version: 2.00.2.1012
Malware Database: v2014.08.26.06
Rootkit Database: v2014.08.21.01
License: Premium
Malware Protection: Enabled
Malicious Website Protection: Enabled
Self-protection: Enabled

OS: Windows 8.1
CPU: x64
File System: NTFS
User: Warren

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 303258
Time Elapsed: 4 min, 45 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled

Processes: 0
(No malicious items detected)

Modules: 0
(No malicious items detected)

Registry Keys: 0
(No malicious items detected)

Registry Values: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Folders: 0
(No malicious items detected)

Files: 0
(No malicious items detected)

Physical Sectors: 0
(No malicious items detected)

(end)
Psychotic Posted August 27, 2014

What about the FRST fix?
safeman (Author) Posted August 27, 2014

Yes I agree. How to proceed? Please provide the proper instructions.
safeman (Author) Posted August 27, 2014

I have attached the logs from a fresh scan.

Attachments: Addition.txt, FRST.txt
Psychotic Posted August 28, 2014

I need to see what FRST removed when running the fix provided here. Did you run it?
safeman (Author) Posted August 28, 2014

OOPS! Did not see that. Sorry!

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 24-08-2014 03
Ran by Warren at 2014-08-28 08:08:55 Run:1
Running from C:\Users\Warren\Desktop
Boot Mode: Normal
==============================================

Content of fixlist:
*****************
Task: {1EE3E7AF-D480-4262-A7EF-AB3BB03C9C7C} - \ASUS Splendid ColorU No Task File <==== ATTENTION
Task: {444D20A4-585D-41A6-9D51-2C842AFBC43B} - \RTKCPL No Task File <==== ATTENTION
Task: {51A7FB2D-0912-41A2-9CAE-66104C648698} - \ASUS InstantOn Config No Task File <==== ATTENTION
Task: {6145A03B-7202-4EA3-9D55-920968976BFD} - \ASUS Live Update1 No Task File <==== ATTENTION
Task: {7657AD04-317C-40EE-92CE-636A849FE1F4} - \AsusVibeSchedule No Task File <==== ATTENTION
Task: {92931D66-A7F3-408D-A960-E1DFD1490903} - \Update Checker No Task File <==== ATTENTION
Task: {93438055-4048-4BD1-8725-784FB0FA9FD3} - \ASUS Splendid ACMON No Task File <==== ATTENTION
Task: {93601C82-2DB8-4B8F-8133-010EEDF593A0} - \UMonitor Task No Task File <==== ATTENTION
Task: {AD638744-EF6F-4305-B29A-1CC765678928} - \ASUS USB Charger Plus No Task File <==== ATTENTION
Task: {C884BFC3-165D-4008-9DD8-2E85D44E89EE} - \P4GIntlCtrl No Task File <==== ATTENTION
Task: {CBD4784A-0A5A-45AA-A53E-0990B06A9D5C} - \ASUS Live Update2 No Task File <==== ATTENTION
Task: {DC6A80E8-C1C1-41E0-9902-CB6D4A06363D} - \RtHDVBg No Task File <==== ATTENTION
Task: {EC01CB52-F377-4E24-B40E-452845D2AAF3} - \ASUS P4G No Task File <==== ATTENTION
AlternateDataStreams: C:\Users\Warren\Local Settings:3r26VSHFPQZuT09GiAcR4
AlternateDataStreams: C:\Users\Warren\Local Settings:daqDEAWa0PAf8XIHvxmp2Xn7
AlternateDataStreams: C:\Users\Warren\AppData\Local:3r26VSHFPQZuT09GiAcR4
AlternateDataStreams: C:\Users\Warren\AppData\Local:daqDEAWa0PAf8XIHvxmp2Xn7
AlternateDataStreams: C:\Users\Warren\AppData\Local\Application Data:3r26VSHFPQZuT09GiAcR4
AlternateDataStreams: C:\Users\Warren\AppData\Local\Application Data:daqDEAWa0PAf8XIHvxmp2Xn7
C:\ProgramData\SetStretch.exe
C:\ProgramData\SetStretch.VBS
2014-08-22 10:22 - 2013-02-19 19:08 - 00000000 ___HD () C:\Users\Warren\AppData\Local\kjcBjCLfQ8T7h
2014-08-22 10:22 - 2013-02-13 04:20 - 00000000 ___HD () C:\Users\Warren\AppData\Local\nEHEWE7uey
2014-08-22 10:22 - 2012-11-09 20:08 - 00000000 ___HD () C:\Users\Warren\AppData\Local\1VJTRIVNDNiE
2014-08-22 11:12 - 2014-08-22 11:12 - 00005111 _____ () C:\ProgramData\hwjqxkkr.zva
2014-08-22 11:12 - 2014-08-22 11:12 - 00000000 ____D () C:\Users\Warren\AppData\Local\Movavi
EmptyTemp:
*****************

"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon\{1EE3E7AF-D480-4262-A7EF-AB3BB03C9C7C}" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{1EE3E7AF-D480-4262-A7EF-AB3BB03C9C7C}" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\ASUS Splendid ColorU" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon\{444D20A4-585D-41A6-9D51-2C842AFBC43B}" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{444D20A4-585D-41A6-9D51-2C842AFBC43B}" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\RTKCPL" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon\{51A7FB2D-0912-41A2-9CAE-66104C648698}" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{51A7FB2D-0912-41A2-9CAE-66104C648698}" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\ASUS InstantOn Config" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{6145A03B-7202-4EA3-9D55-920968976BFD}" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{6145A03B-7202-4EA3-9D55-920968976BFD}" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\ASUS Live Update1" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Boot\{7657AD04-317C-40EE-92CE-636A849FE1F4}" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{7657AD04-317C-40EE-92CE-636A849FE1F4}" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\AsusVibeSchedule" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon\{92931D66-A7F3-408D-A960-E1DFD1490903}" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{92931D66-A7F3-408D-A960-E1DFD1490903}" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Update Checker" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon\{93438055-4048-4BD1-8725-784FB0FA9FD3}" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{93438055-4048-4BD1-8725-784FB0FA9FD3}" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\ASUS Splendid ACMON" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon\{93601C82-2DB8-4B8F-8133-010EEDF593A0}" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{93601C82-2DB8-4B8F-8133-010EEDF593A0}" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\UMonitor Task" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon\{AD638744-EF6F-4305-B29A-1CC765678928}" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{AD638744-EF6F-4305-B29A-1CC765678928}" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\ASUS USB Charger Plus" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{C884BFC3-165D-4008-9DD8-2E85D44E89EE}" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{C884BFC3-165D-4008-9DD8-2E85D44E89EE}" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\P4GIntlCtrl" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{CBD4784A-0A5A-45AA-A53E-0990B06A9D5C}" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{CBD4784A-0A5A-45AA-A53E-0990B06A9D5C}" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\ASUS Live Update2" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon\{DC6A80E8-C1C1-41E0-9902-CB6D4A06363D}" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{DC6A80E8-C1C1-41E0-9902-CB6D4A06363D}" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\RtHDVBg" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon\{EC01CB52-F377-4E24-B40E-452845D2AAF3}" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{EC01CB52-F377-4E24-B40E-452845D2AAF3}" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\ASUS P4G" => Key deleted successfully.
"C:\Users\Warren\Local Settings" => ":3r26VSHFPQZuT09GiAcR4" ADS not found.
"C:\Users\Warren\Local Settings" => ":daqDEAWa0PAf8XIHvxmp2Xn7" ADS not found.
C:\Users\Warren\AppData\Local => ":3r26VSHFPQZuT09GiAcR4" ADS removed successfully.
C:\Users\Warren\AppData\Local => ":daqDEAWa0PAf8XIHvxmp2Xn7" ADS removed successfully.
"C:\Users\Warren\AppData\Local\Application Data" => ":3r26VSHFPQZuT09GiAcR4" ADS not found.
"C:\Users\Warren\AppData\Local\Application Data" => ":daqDEAWa0PAf8XIHvxmp2Xn7" ADS not found.
C:\ProgramData\SetStretch.exe => Moved successfully.
C:\ProgramData\SetStretch.VBS => Moved successfully.
C:\Users\Warren\AppData\Local\kjcBjCLfQ8T7h => Moved successfully.
C:\Users\Warren\AppData\Local\nEHEWE7uey => Moved successfully.
C:\Users\Warren\AppData\Local\1VJTRIVNDNiE => Moved successfully.
C:\ProgramData\hwjqxkkr.zva => Moved successfully.
C:\Users\Warren\AppData\Local\Movavi => Moved successfully.
EmptyTemp: => Removed 1.4 GB temporary data.

The system needed a reboot.

==== End of Fixlog ====
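The two artifact classes in the fixlog above, scheduled-task cache entries marked "No Task File <==== ATTENTION" and AlternateDataStreams entries on profile folders, are worth being able to audit yourself before letting any tool delete them. The PowerShell below is an added example written for this page; it is not FRST's code and was not posted in the thread. It lists Task Scheduler cache entries whose task XML is missing from %SystemRoot%\System32\Tasks (the condition FRST prints as "No Task File") and named NTFS streams on a few profile folders, and it deletes nothing. It assumes Windows PowerShell 5.1 or later in an elevated session on Windows 8.1 or later; the folder list it checks is an assumption chosen for the example, not something taken from the thread.

```powershell
# Added example for this page (not FRST's code, not posted in the thread):
# audit, without deleting anything, orphaned Task Scheduler cache entries and
# alternate data streams on folders. Assumes Windows PowerShell 5.1+, elevated.

$TaskCache = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache'
$TaskRoot  = Join-Path $env:SystemRoot 'System32\Tasks'

function Get-OrphanedTaskCacheEntry {
    # Each registered task has a {GUID} subkey under TaskCache\Tasks whose
    # 'Path' value names its XML file below %SystemRoot%\System32\Tasks, a
    # mirror key under TaskCache\Tree\<Path>, and a key under the trigger
    # bucket it is fired from (Boot, Logon, Plain, Maintenance). A {GUID}
    # whose XML file is gone is what FRST reports as "No Task File".
    foreach ($key in Get-ChildItem -Path "$TaskCache\Tasks") {
        $guid = $key.PSChildName
        $path = $key.GetValue('Path')
        if (-not $path) {
            # No Path value at all is not a normal state either; report it.
            [pscustomobject]@{ Guid = $guid; Path = $null; TaskFile = $null; TriggerBucket = $null }
            continue
        }
        $file = Join-Path $TaskRoot $path.TrimStart('\')
        if (Test-Path -LiteralPath $file -PathType Leaf) { continue }

        $buckets = foreach ($b in 'Boot', 'Logon', 'Plain', 'Maintenance') {
            if (Test-Path -LiteralPath "$TaskCache\$b\$guid") { $b }
        }
        [pscustomobject]@{
            Guid          = $guid
            Path          = $path
            TaskFile      = $file
            TriggerBucket = ($buckets -join ',')
        }
    }
}

function Get-FolderAlternateDataStream {
    param(
        # Assumed folder list for the example; the fixlog shows FRST found
        # named streams on AppData\Local, so that is the first one checked.
        [string[]] $Folder = @($env:LOCALAPPDATA, $env:APPDATA, $env:ProgramData)
    )
    # Directories can carry named NTFS $DATA streams just like files, and a
    # directory has no unnamed ::$DATA stream, so anything listed is a named one.
    foreach ($f in $Folder) {
        Get-Item -LiteralPath $f -Stream * -ErrorAction SilentlyContinue |
            Where-Object { $_.Stream -ne ':$DATA' } |
            ForEach-Object {
                [pscustomobject]@{ Folder = $f; Stream = $_.Stream; Length = $_.Length }
            }
    }
}

Get-OrphanedTaskCacheEntry    | Format-Table -AutoSize
Get-FolderAlternateDataStream | Format-Table -AutoSize
```

An orphaned cache entry is not malware by itself: an uninstaller that removes the task XML but leaves the registry cache behind produces exactly this picture, which is consistent with the ASUS-named entries above on a machine whose bundled software was being removed. FRST flags the inconsistency because a TaskCache entry with no backing file is also what a tampered scheduler cache looks like, so each one should be identified before it is deleted. For the stream check, `dir /R` in cmd.exe shows the same named streams if the host's PowerShell does not enumerate them on directories.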
Psychotic Posted August 28, 2014

Ok, now run the MBAM scan and fix!
safeman (Author) Posted August 28, 2014

Malwarebytes Anti-Malware
www.malwarebytes.org

Scan Date: 8/28/2014
Scan Time: 9:03:38 AM
Logfile:
Administrator: Yes

Version: 2.00.2.1012
Malware Database: v2014.08.28.02
Rootkit Database: v2014.08.21.01
License: Premium
Malware Protection: Enabled
Malicious Website Protection: Enabled
Self-protection: Enabled

OS: Windows 8.1
CPU: x64
File System: NTFS
User: Warren

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 302493
Time Elapsed: 5 min, 12 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled

Processes: 0
(No malicious items detected)

Modules: 0
(No malicious items detected)

Registry Keys: 0
(No malicious items detected)

Registry Values: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Folders: 0
(No malicious items detected)

Files: 0
(No malicious items detected)

Physical Sectors: 0
(No malicious items detected)

(end)
Psychotic Posted August 28, 2014

Great!

Scan with ESET Online Scan

Please go to here to run the online scanner from ESET.
- Turn off the real time scanner of any existing antivirus program while performing the online scan
- Tick the box next to YES, I accept the Terms of Use.
- Click Start
- When asked, allow the ActiveX control to install
- Click Start
- Make sure that the option Remove found threats is unticked
- Click on Advanced Settings and ensure these options are ticked:
  - Scan for potentially unwanted applications
  - Scan for potentially unsafe applications
  - Enable Anti-Stealth Technology
- Click Scan
- Wait for the scan to finish
- If any threats were found, click the 'List of found threats', then click Export to text file....
- Save it to your desktop, then please copy and paste that log as a reply to this topic.
safeman (Author) Posted August 28, 2014

Online scanner on Internet Explorer will not install ActiveX Control. Should I download the trial scanner?
safeman (Author) Posted August 28, 2014

Running version for browsers other than IE.
safeman (Author) Posted August 28, 2014

D:\My New Documents\Desktop OLD\winzip16-64.exe  probably a variant of Win32/Systweak potentially unwanted application
D:\My New Documents\Flash Drive\wavepadsetup_v5.68.exe  a variant of Win32/Bundled.Toolbar.Google.C potentially unsafe application
D:\My New Downloads\ccsetup416.exe  Win32/Bundled.Toolbar.Google.D potentially unsafe application
safeman (Author) Posted August 28, 2014

winzip16-64.exe - I do not use this anymore - Old Installer.
wavepadsetup_v5.68.exe - I do not use this anymore - Old Installer.
ccsetup416.exe - I unclicked this application when I installed CCleaner.

Can I simply delete these three files? Thanks!
Psychotic Posted August 29, 2014

Yes, simply delete them! Then we can do the cleanup - if you are facing any issues, report that immediately.

Delete junk with AdwCleaner

Please download AdwCleaner to your desktop.
- Run adwcleaner.exe
- Hit Scan and wait for the scan to finish.
- Confirm the message but don't uncheck anything.
- Hit Clean
- When the run is finished, it will open up a text file. Please post its contents within your next reply.
- You'll find the log file at C:\AdwCleaner[s1].txt also.

Delete junk with JRT

Please download Junkware Removal Tool to your desktop.
- Shut down your protection software now to avoid potential conflicts.
- Run the tool by double-clicking it. If you are using Windows Vista, 7, or 8; instead of double-clicking, right-mouse click JRT.exe and select "Run as Administrator".
- The tool will open and start scanning your system.
- Please be patient as this can take a while to complete depending on your system's specifications.
- On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
- Post the contents of JRT.txt into your next message.

SecurityCheck

Reboot your system before starting!
Please download SecurityCheck: LINK1 LINK2
- Save it to your desktop, start it and follow the instructions in the window.
- After the scan has finished, checkup.txt will open. Copy its content to your thread.
safeman (Author) Posted August 29, 2014

# AdwCleaner v3.308 - Report created 29/08/2014 at 08:01:00
# Updated 20/08/2014 by Xplode
# Operating System : Windows 8.1 (64 bits)
# Username : Warren - MY-MACHINE
# Running from : C:\Users\Warren\Desktop\AdwCleaner.exe
# Option : Clean

***** [ Services ] *****

***** [ Files / Folders ] *****

***** [ Scheduled Tasks ] *****

***** [ Shortcuts ] *****

***** [ Registry ] *****

***** [ Browsers ] *****

-\\ Internet Explorer v11.0.9600.17239

-\\ Mozilla Firefox v31.0 (x86 en-US)

[ File : C:\Users\Warren\AppData\Roaming\Mozilla\Firefox\Profiles\4w3dkdwu.default\prefs.js ]

*************************

AdwCleaner[R0].txt - [910 octets] - [24/08/2014 23:23:36]
AdwCleaner[R1].txt - [969 octets] - [24/08/2014 23:24:15]
AdwCleaner[R2].txt - [970 octets] - [28/08/2014 13:15:25]
AdwCleaner[R3].txt - [1090 octets] - [29/08/2014 08:00:15]
AdwCleaner[s0].txt - [1031 octets] - [24/08/2014 23:25:18]
AdwCleaner[s1].txt - [1030 octets] - [28/08/2014 13:16:56]
AdwCleaner[s2].txt - [1012 octets] - [29/08/2014 08:01:00]

########## EOF - C:\AdwCleaner\AdwCleaner[s2].txt - [1072 octets] ##########
safeman (Author) Posted August 29, 2014

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Thisisu
Version: 6.1.4 (04.06.2014:1)
OS: Windows 8.1 x64
Ran by Warren on Fri 08/29/2014 at 8:06:24.25
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

~~~ Services

~~~ Registry Values

~~~ Registry Keys

~~~ Files

~~~ Folders

Successfully deleted: [Folder] "C:\Windows\syswow64\ai_recyclebin"

~~~ FireFox

Emptied folder: C:\Users\Warren\AppData\Roaming\mozilla\firefox\profiles\4w3dkdwu.default\minidumps [1 files]

~~~ Event Viewer Logs were cleared

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on Fri 08/29/2014 at 8:13:54.36
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
safeman (Author) Posted August 29, 2014

Results of screen317's Security Check version 0.99.87
x64 (UAC is enabled)
Internet Explorer 11
``````````````Antivirus/Firewall Check:``````````````
Windows Firewall Enabled!
Panda Free Antivirus
Windows Defender
WMI entry may not exist for antivirus; attempting automatic update.
`````````Anti-malware/Other Utilities Check:`````````
Adobe Flash Player 14.0.0.179
Mozilla Firefox (31.0)
````````Process Check: objlist.exe by Laurent````````
Malwarebytes Anti-Malware mbamservice.exe
Malwarebytes Anti-Malware mbam.exe
Malwarebytes Anti-Malware mbamscheduler.exe
`````````````````System Health check`````````````````
Total Fragmentation on Drive C: %
````````````````````End of Log``````````````````````
safeman (Author) Posted August 30, 2014

Am I clean now? The Panda Free Antivirus automatically disables Windows Defender. Windows Defender does run if I disable Panda Free Antivirus.