Remove malware from my Windows 7 PC


Marcel

Thanks in advance to anybody who can help!

I've recently been suffering from pop-up flashing windows (BestSaveForyou) and a page loading automatically when I try to load web pages (DiesccountTextteNssII); screenshots attached below.

When I click Tools > Manage add-ons, the two programs mentioned above show the publisher as unknown. When I highlight these programs the Disable button stays grey and I'm unable to disable them. I've run Spybot and Malwarebytes and neither seems to be able to detect the code. I've also checked to see if I could delete the programs from Uninstall a program in my Control Panel, but they don't show up there either. Do I have to reinstall my OS?

Thanks,

Marcel

[Two screenshots were attached to the original post.]

Hello and welcome!

I'm Radek and I'll try to help you with your issue.

Before we start please note the following:

  • Analysis and research take some time, and sometimes real life gets in the way, so please be patient.
  • Limit your internet access to posting here; some infections just wait to steal typed-in passwords.
  • Don't run any scripts or tools on your own; unsupervised usage may cause more harm than good.
  • Paste the logs in your posts; attachments make my work harder and more complicated.
  • Stay with me to the end; the absence of symptoms doesn't mean that your machine is fully operational.
  • Note that we may live in totally different time zones, which may cause some delays between answers.
I can't foresee everything, so if anything unexpected happens, please stop and inform me!

There are no silly questions. Never be afraid to ask if in doubt!

Rules and policies

We won't support any piracy.

That being said, if any evidence of an illegal OS, software, cracks/keygens or anything else of that kind is revealed, any further assistance will be suspended. If you are aware that there is this kind of stuff on your machine, remove it before proceeding!

The same applies to any use of P2P software: uTorrent, BitTorrent, Vuze, Kazaa, Ares... We don't provide any help for P2P, except for their removal. All P2P software has to be uninstalled or at least fully disabled before proceeding!

Failure to follow these guidelines will result in your topic being closed and assistance withdrawn.


Scan with Malwarebytes Anti-Malware

Please download and install Malwarebytes Anti-Malware, or re-run it if you already have it installed.

  • First of all, select Update.
  • Once updated, click the Settings tab, in the left panel choose Detection and Protection and tick Scan for rootkits.
  • Click the Scan tab, make sure Threat Scan is selected and click Scan Now.
  • If threats are detected, click the Apply Actions button. You will now be prompted to reboot. Click Yes.
  • Upon completion of the scan (or after the reboot), click the History tab.
  • Click Application Logs and double-click the Scan Log.
  • At the bottom, click Export and choose Text file.
Save the file to your desktop and include its content in your next reply.

Below is the output of the scan log as you requested.

Malwarebytes Anti-Malware
www.malwarebytes.org

Scan Date: 2/9/2015
Scan Time: 12:31:06 PM
Logfile: Scan Log.txt
Administrator: Yes

Version: 2.00.4.1028
Malware Database: v2015.02.09.09
Rootkit Database: v2015.02.03.01
License: Free
Malware Protection: Disabled
Malicious Website Protection: Disabled
Self-protection: Disabled

OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: Marcel

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 326548
Time Elapsed: 16 min, 17 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled

Processes: 0
(No malicious items detected)

Modules: 0
(No malicious items detected)

Registry Keys: 5
PUP.Optional.MyScrapNook.A, HKLM\SOFTWARE\CLASSES\INTERFACE\{23119123-0854-469D-807A-171568457991}, Quarantined, [3934ba62b4d61026a851dc60699ad729],
PUP.Optional.MyScrapNook.A, HKLM\SOFTWARE\CLASSES\TypeLib\{03119103-0854-469D-807A-171568457991}, Quarantined, [ee7f26f6f991c76faa4fc973f21154ac],
PUP.Optional.ConduitSearchProtect, HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\CltMngSvc, Quarantined, [b1bc35e72d5d51e58ef107ddea1aa65a],
PUP.Optional.Wajam.A, HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\Wajam Internet Enhancer Service, Quarantined, [5f0e4ecebfcb2016b20303feb253b54b],
PUP.Optional.Feven.A, HKU\S-1-5-18-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\SOFTWARE\APPDATALOW\SOFTWARE\Freeven pro, Quarantined, [3c31ff1def9b191d4be52d979172cd33],

Registry Values: 0
(No malicious items detected)

Registry Data: 1
Rogue.Multiple, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINDOWS|AppInit_DLLs,  c:\progra~2\searchprotect\searchprotect\bin\spvc32loader.dll c:\progra~3\46710485\bita521.tmp, Good: (), Bad: (c:\progra~3\46710485\bita521.tmp),Replaced,[67066cb0fd8d53e3b276f34df40f9d63]

Folders: 23
Rogue.Multiple, C:\ProgramData\46710485, Quarantined, [67066cb0fd8d53e3b276f34df40f9d63],
PUP.Optional.Wajam.A, C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Wajam, Quarantined, [1c515ac21b6f59dd26fd79d86a997888],
PUP.Optional.Wajam.A, C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Wajam\Explore Social Search, Quarantined, [1c515ac21b6f59dd26fd79d86a997888],
PUP.Optional.Wajam.A, C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Wajam\Explore Social Shopping, Quarantined, [1c515ac21b6f59dd26fd79d86a997888],
PUP.Optional.Wajam.A, C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Wajam\Uninstall Wajam, Quarantined, [1c515ac21b6f59dd26fd79d86a997888],
PUP.Optional.WeatherAlerts, C:\Users\Marcel\AppData\Local\WeatherAlerts, Quarantined, [cca169b3c1c90c2a1fa879d8dc270bf5],
PUP.Optional.Extutil.A, C:\Users\Marcel\AppData\Local\Temp\D7ADFCCA-EE7E-442C-9999-C4D14FEF360B, Quarantined, [b1bc4bd190fa92a404d9a1c5c043a957],
PUP.Optional.Managera.A, C:\Users\Marcel\AppData\Local\Temp\38fdaae5-8e0e-493c-88ec-e05c3be06e42, Quarantined, [a5c80c10addd84b25c821e4807fce917],
PUP.Optional.ShopperMaster.A, C:\ProgramData\ShopperMaster, Quarantined, [58151804e2a8d561eab5cc9cbd46b54b],
PUP.Optional.ShopperMaster.A, C:\Program Files (x86)\ShopperMaster, Quarantined, [3e2f42da5634c0765050cc9c9b68e818],
PUP.Optional.Goobzo, C:\Program Files (x86)\Common Files\Goobzo, Quarantined, [93da9488880275c1978cb0c1c93aea16],
PUP.Optional.Goobzo, C:\Program Files\Common Files\Goobzo, Quarantined, [f17c49d381094cea988b244d986bcd33],
PUP.Optional.FlashCoupon.A, C:\ProgramData\FlashCoupon, Quarantined, [6607ba6297f31c1a4885b2bf6c979868],
PUP.Optional.FlashCoupon.A, C:\Program Files (x86)\FlashCoupon, Quarantined, [afbea27aa1e90f27ae20ff72f80b926e],
PUP.Optional.ChampionDeals.A, C:\ProgramData\ChampionDeals, Quarantined, [3a330b115535a2947f2c156012f13ac6],
PUP.Optional.SoftCoup.A, C:\ProgramData\SoftCoup, Quarantined, [e18c43d9f298c076255e611b2cd739c7],
PUP.Optional.SoftCoup.A, C:\Program Files (x86)\SoftCoup, Quarantined, [d39ab26aeaa067cf5d274f2de61d38c8],
PUP.Optional.LuckyShopper.A, C:\ProgramData\LuckyShopper, Quarantined, [026bf3294f3b1620fc9f3747877c06fa],
PUP.Optional.LuckyShopper.A, C:\Program Files (x86)\LuckyShopper, Quarantined, [4e1f6daf3159a096f4a80678897a7090],
PUP.Optional.Astromenda.A, C:\Users\Marcel\AppData\Local\Astromenda, Quarantined, [7cf14ece0b7f1a1c644cd2b0e41fd62a],
PUP.Optional.NewPlayer.A, C:\Users\Marcel\AppData\Local\com\NewPlayer.exe_Url_o4dtzvfairwgx2aefcjiiv2m5z1q0lha, Quarantined, [c1acd3492c5ee155966c097aa55edf21],
PUP.Optional.NewPlayer.A, C:\Users\Marcel\AppData\Local\com\NewPlayer.exe_Url_o4dtzvfairwgx2aefcjiiv2m5z1q0lha\2.1.1.5, Quarantined, [c1acd3492c5ee155966c097aa55edf21],
PUP.Optional.NewPlayer.A, C:\Users\Marcel\AppData\Local\com\NewPlayer.exe_Url_o4dtzvfairwgx2aefcjiiv2m5z1q0lha\2.1.1.9, Quarantined, [c1acd3492c5ee155966c097aa55edf21],

Files: 37
PUP.Optional.OpenCandy, C:\$Recycle.Bin\S-1-5-21-3235092901-3201886512-1435208716-1000\$RNQZXPW.exe, Quarantined, [b1bc36e6117966d07724f1ed39ccff01],
PUP.Optional.FunWebProducts.A, C:\$Recycle.Bin\S-1-5-21-3235092901-3201886512-1435208716-1000\$RHNFNBA.exe, Quarantined, [0e5f0814107a8aacb99dab69d035fa06],
PUP.Optional.OpenCandy, C:\$Recycle.Bin\S-1-5-21-3235092901-3201886512-1435208716-1000\$R15NO4S.exe, Quarantined, [f578f62699f10f27019ad00e838220e0],
PUP.Optional.OpenCandy, C:\$Recycle.Bin\S-1-5-21-3235092901-3201886512-1435208716-1000\$RYT66ZB.exe, Quarantined, [e38a6dafbad0c2743566b826917454ac],
PUP.Optional.ShoppingGate.A, C:\Users\Marcel\AppData\Local\Google\Chrome\User Data\Default\Local Storage\https_inst.shoppingate.info_0.localstorage, Quarantined, [7cf10c103a50e74f12505762887b5ca4],
PUP.Optional.ShoppingGate.A, C:\Users\Marcel\AppData\Local\Google\Chrome\User Data\Default\Local Storage\https_inst.shoppingate.info_0.localstorage-journal, Quarantined, [eb821a024644a4920a58665327dc5fa1],
Rogue.Multiple, C:\ProgramData\46710485\BITA521.tmp, Quarantined, [67066cb0fd8d53e3b276f34df40f9d63],
PUP.Optional.Wajam.A, C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Wajam\Settings.lnk, Quarantined, [1c515ac21b6f59dd26fd79d86a997888],
PUP.Optional.Wajam.A, C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Wajam\SignIn with Facebook.lnk, Quarantined, [1c515ac21b6f59dd26fd79d86a997888],
PUP.Optional.Wajam.A, C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Wajam\SignIn with Twitter.lnk, Quarantined, [1c515ac21b6f59dd26fd79d86a997888],
PUP.Optional.Wajam.A, C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Wajam\Wajam Website.lnk, Quarantined, [1c515ac21b6f59dd26fd79d86a997888],
PUP.Optional.Wajam.A, C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Wajam\Explore Social Search\Ask.lnk, Quarantined, [1c515ac21b6f59dd26fd79d86a997888],
PUP.Optional.Wajam.A, C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Wajam\Explore Social Search\Google.lnk, Quarantined, [1c515ac21b6f59dd26fd79d86a997888],
PUP.Optional.Wajam.A, C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Wajam\Explore Social Search\IMDb.lnk, Quarantined, [1c515ac21b6f59dd26fd79d86a997888],
PUP.Optional.Wajam.A, C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Wajam\Explore Social Search\Shopping.com.lnk, Quarantined, [1c515ac21b6f59dd26fd79d86a997888],
PUP.Optional.Wajam.A, C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Wajam\Explore Social Search\TripAdvisor.lnk, Quarantined, [1c515ac21b6f59dd26fd79d86a997888],
PUP.Optional.Wajam.A, C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Wajam\Explore Social Search\Wikipedia.lnk, Quarantined, [1c515ac21b6f59dd26fd79d86a997888],
PUP.Optional.Wajam.A, C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Wajam\Explore Social Search\Yahoo!.lnk, Quarantined, [1c515ac21b6f59dd26fd79d86a997888],
PUP.Optional.Wajam.A, C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Wajam\Explore Social Shopping\Amazon.lnk, Quarantined, [1c515ac21b6f59dd26fd79d86a997888],
PUP.Optional.Wajam.A, C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Wajam\Explore Social Shopping\Argos.lnk, Quarantined, [1c515ac21b6f59dd26fd79d86a997888],
PUP.Optional.Wajam.A, C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Wajam\Explore Social Shopping\Ebay.lnk, Quarantined, [1c515ac21b6f59dd26fd79d86a997888],
PUP.Optional.Wajam.A, C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Wajam\Explore Social Shopping\Etsy.lnk, Quarantined, [1c515ac21b6f59dd26fd79d86a997888],
PUP.Optional.Wajam.A, C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Wajam\Explore Social Shopping\HomeDepot.lnk, Quarantined, [1c515ac21b6f59dd26fd79d86a997888],
PUP.Optional.Wajam.A, C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Wajam\Explore Social Shopping\Ikea.lnk, Quarantined, [1c515ac21b6f59dd26fd79d86a997888],
PUP.Optional.Wajam.A, C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Wajam\Explore Social Shopping\Lowe's.lnk, Quarantined, [1c515ac21b6f59dd26fd79d86a997888],
PUP.Optional.Wajam.A, C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Wajam\Explore Social Shopping\Mercadolivre.lnk, Quarantined, [1c515ac21b6f59dd26fd79d86a997888],
PUP.Optional.Wajam.A, C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Wajam\Explore Social Shopping\MyShopping.lnk, Quarantined, [1c515ac21b6f59dd26fd79d86a997888],
PUP.Optional.Wajam.A, C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Wajam\Explore Social Shopping\Sears.lnk, Quarantined, [1c515ac21b6f59dd26fd79d86a997888],
PUP.Optional.Wajam.A, C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Wajam\Explore Social Shopping\Target.lnk, Quarantined, [1c515ac21b6f59dd26fd79d86a997888],
PUP.Optional.Wajam.A, C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Wajam\Explore Social Shopping\Tesco.lnk, Quarantined, [1c515ac21b6f59dd26fd79d86a997888],
PUP.Optional.Wajam.A, C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Wajam\Explore Social Shopping\Walmart.lnk, Quarantined, [1c515ac21b6f59dd26fd79d86a997888],
PUP.Optional.Wajam.A, C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Wajam\Explore Social Shopping\Zalando.lnk, Quarantined, [1c515ac21b6f59dd26fd79d86a997888],
PUP.Optional.Wajam.A, C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Wajam\Uninstall Wajam\uninstall.lnk, Quarantined, [1c515ac21b6f59dd26fd79d86a997888],
PUP.Optional.ChampionDeals.A, C:\ProgramData\ChampionDeals\ChampionDeals.exe, Quarantined, [3a330b115535a2947f2c156012f13ac6],
PUP.Optional.Astromenda.A, C:\Users\Marcel\AppData\Local\Astromenda\data, Quarantined, [7cf14ece0b7f1a1c644cd2b0e41fd62a],
PUP.Optional.NewPlayer.A, C:\Users\Marcel\AppData\Local\com\NewPlayer.exe_Url_o4dtzvfairwgx2aefcjiiv2m5z1q0lha\2.1.1.5\user.config, Quarantined, [c1acd3492c5ee155966c097aa55edf21],
PUP.Optional.NewPlayer.A, C:\Users\Marcel\AppData\Local\com\NewPlayer.exe_Url_o4dtzvfairwgx2aefcjiiv2m5z1q0lha\2.1.1.9\user.config, Quarantined, [c1acd3492c5ee155966c097aa55edf21],

Physical Sectors: 0
(No malicious items detected)

(end)


Below are the two add-ons that I copied and pasted from my Manage add-ons. Hope this extra info is helpful.

Name:                   BBestSaveForeYoou
Publisher:              Not Available
Type:                   Browser Helper Object
Architecture:           32-bit and 64-bit
Version:                Not available
File date:              Monday, February 02, 2015, 5:51 PM
Date last accessed:     Today, February 09, 2015, 1 minute ago
Class ID:               {3D626B9C-A16F-4A7F-9C65-5B5534B90CE7}
Use count:              204
Block count:            11
File:                   qymLTL48qAiLrM.x64.dll
Folder:                 C:\Program Files (x86)\BBestSaveForeYoou

AND

Name:                   DiesccounTExtteNssII
Publisher:              Not Available
Type:                   Browser Helper Object
Architecture:           32-bit and 64-bit
Version:                Not available
File date:              Monday, February 02, 2015, 5:52 PM
Date last accessed:     Today, February 09, 2015, 2 minutes ago
Class ID:               {BDF1AB71-7DD3-4C26-9A04-473A194C17BE}
Use count:              204
Block count:            11
File:                   sNe8wsEFZxeDeS.x64.dll
Folder:                 C:\Program Files (x86)\DiesccounTExtteNssII

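The two add-ons above are registered as Internet Explorer Browser Helper Objects (BHOs) with no publisher, i.e. unsigned DLLs in oddly named folders under Program Files (x86), and the Malwarebytes log earlier in the thread shows a second persistence point, the AppInit_DLLs value. The PowerShell script below is an added example for readers of this thread; it is not code from the original posts, nor a tool the helper asked for, and it should not be used to delete anything while a cleanup is being supervised. It lists every registered BHO, resolves each CLSID to the DLL it loads, checks the Authenticode signature, looks up the IE "Add-on List" policy value (one common reason the Disable button in Manage add-ons is greyed out), and dumps AppInit_DLLs from both the 64-bit and 32-bit registry views. It assumes 64-bit Windows 7 or later with PowerShell 3.0 or newer, run elevated from the 64-bit console; the registry paths are the standard Windows locations, and the function and column names are my own.

```powershell
# Added example for this thread, not code from the original posts or from Malwarebytes/FRST.
# Assumes 64-bit Windows 7 or later, PowerShell 3.0+, run elevated from the 64-bit console
# so that HKLM:\SOFTWARE is the 64-bit registry view and ...\Wow6432Node the 32-bit one.

# Where Internet Explorer looks for Browser Helper Objects (64-bit, 32-bit, per-user).
$BhoKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
)
# IE "Add-on List" policy: a value named after the CLSID with data 1 forces the add-on
# on and removes the user's ability to disable it in Manage add-ons.
$PolicyKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID'
)

function Resolve-ClsidDll {
    # A BHO entry is just a CLSID; the DLL path is the default value of its InprocServer32 key.
    param([string]$Clsid, [bool]$Is32Bit)
    $roots = if ($Is32Bit) {
        @('HKLM:\SOFTWARE\Classes\Wow6432Node\CLSID', 'HKCU:\SOFTWARE\Classes\Wow6432Node\CLSID')
    } else {
        @('HKLM:\SOFTWARE\Classes\CLSID', 'HKCU:\SOFTWARE\Classes\CLSID')
    }
    foreach ($root in $roots) {
        $inproc = Join-Path $root "$Clsid\InprocServer32"
        if (Test-Path $inproc) {
            $raw = (Get-Item $inproc).GetValue('')
            if ($raw) { return [Environment]::ExpandEnvironmentVariables($raw).Trim('"') }
        }
    }
    return $null
}

function Get-AddonPolicy {
    param([string]$Clsid)
    foreach ($key in $PolicyKeys) {
        if (Test-Path $key) {
            $v = (Get-Item $key).GetValue($Clsid)
            if ($null -ne $v) { return [string]$v }
        }
    }
    return ''
}

function Get-BhoInventory {
    foreach ($key in $BhoKeys) {
        if (-not (Test-Path $key)) { continue }
        $is32 = $key -like '*Wow6432Node*'
        foreach ($sub in Get-ChildItem $key) {
            $clsid  = $sub.PSChildName
            $dll    = Resolve-ClsidDll -Clsid $clsid -Is32Bit $is32
            $status = if ($dll -and (Test-Path -LiteralPath $dll)) {
                          (Get-AuthenticodeSignature -FilePath $dll).Status.ToString()
                      } else { 'FileMissing' }
            $policy = Get-AddonPolicy -Clsid $clsid
            [pscustomobject]@{
                View       = if ($is32) { '32-bit' } else { '64-bit' }
                CLSID      = $clsid
                Dll        = $dll
                Signature  = $status
                Policy     = $policy
                # Unsigned code loaded into every IE process, or an add-on the user is not
                # allowed to disable, deserves a look regardless of what the scanner says.
                Suspicious = ($status -ne 'Valid') -or ($policy -eq '1')
            }
        }
    }
}

function Get-AppInitDlls {
    # AppInit_DLLs are loaded into every process that maps user32.dll, which is why the
    # Malwarebytes log above treats that value as a persistence point. Normally empty.
    $keys = @('HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows',
              'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows')
    foreach ($key in $keys) {
        $p = Get-ItemProperty -Path $key
        [pscustomobject]@{
            View             = if ($key -like '*Wow6432Node*') { '32-bit' } else { '64-bit' }
            LoadAppInit_DLLs = $p.LoadAppInit_DLLs
            AppInit_DLLs     = $p.AppInit_DLLs
        }
    }
}

Write-Host '== Browser Helper Objects =='
Get-BhoInventory | Sort-Object Suspicious -Descending | Format-Table -AutoSize
Write-Host '== AppInit_DLLs (normally empty) =='
Get-AppInitDlls | Format-List
```

Save it as, for instance, Get-IePersistence.ps1 and run it from an elevated 64-bit PowerShell. Entries whose DLL sits in an unfamiliar folder under Program Files (x86) with a Signature of NotSigned, such as the two add-ons above that Manage add-ons shows with no publisher, are the ones to report to the helper rather than remove by hand; a Policy of 1 on such an entry explains a greyed-out Disable button, and a non-empty AppInit_DLLs value pointing at a .tmp file under ProgramData is the same kind of entry Malwarebytes replaced in the log earlier in the thread.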

Thank you.

Scan with Farbar Recovery Scan Tool

Please download Farbar Recovery Scan Tool and save it to your Desktop.

There will be two versions to download: 32-bit and 64-bit. Please download the one that is designed for your system. If you don't know which one it should be, download both of them and try each. Only one will run; that is the right one. Please keep it and delete the other.

  • Right-click the FRST icon and select Run as Administrator to start the tool.

    > XP users click run after receipt of Windows Security Warning - Open File.

    > 8 users will be prompted about Windows SmartScreen protection - click More information and Run.

  • When the tool opens click Yes to disclaimer.
  • Make sure that the Addition option is checked.
  • Press Scan button and wait.
  • The tool will produce two logfiles on your desktop: FRST.txt and Addition.txt.
Please include their content in your next reply.

Additional scan result of Farbar Recovery Scan Tool (x64) Version: 08-02-2015
Ran by Marcel at 2015-02-10 12:44:12
Running from C:\Users\Marcel\Downloads
Boot Mode: Normal
==========================================================

==================== Security Center ========================

(If an entry is included in the fixlist, it will be removed.)

AV: Microsoft Security Essentials (Enabled - Up to date) {4F35CFC4-45A3-FC37-EF17-759A02E39AB1}
AS: Microsoft Security Essentials (Enabled - Up to date) {F4542E20-6399-F3B9-D5A7-4EE87964D00C}
AS: Windows Defender (Disabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

==================== Installed Programs ======================

(Only the adware programs with "hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)

Adblock Plus for IE (32-bit and 64-bit) (HKLM\...\{C5D8EEB2-EDBC-4375-829D-BE50547C8890}) (Version: 1.3 - Eyeo GmbH)
Adobe AIR (HKLM-x32\...\Adobe AIR) (Version: 13.0.0.111 - Adobe Systems Incorporated)
Adobe Flash Player 16 ActiveX (HKLM-x32\...\Adobe Flash Player ActiveX) (Version: 16.0.0.305 - Adobe Systems Incorporated)
Adobe Reader XI (11.0.10) (HKLM-x32\...\{AC76BA86-7AD7-1033-7B44-AB0000000001}) (Version: 11.0.10 - Adobe Systems Incorporated)
Adobe Shockwave Player 12.0 (HKLM-x32\...\Adobe Shockwave Player) (Version: 12.0.4.144 - Adobe Systems, Inc.)
Apple Application Support (HKLM-x32\...\{83CAF0DE-8D3B-4C37-A631-2B8F16EC3031}) (Version: 3.1 - Apple Inc.)
Apple Mobile Device Support (HKLM\...\{BDD99690-3541-4619-9D2A-3CDDB3E15F9E}) (Version: 8.0.5.6 - Apple Inc.)
Apple Software Update (HKLM-x32\...\{789A5B64-9DD9-4BA5-915A-F0FC0A1B7BFE}) (Version: 2.1.3.127 - Apple Inc.)
Bonjour (HKLM\...\{6E3610B2-430D-4EB0-81E3-2B57E8B9DE8D}) (Version: 3.0.0.10 - Apple Inc.)
Cisco Packet Tracer 6.1.1 Student (HKLM-x32\...\Cisco Packet Tracer 6.1.1 Student_is1) (Version:  - Cisco Systems, Inc.)
Dell Resource CD (HKLM-x32\...\{42929F0F-CE14-47AF-9FC7-FF297A603021}) (Version: 1.00.0000 - Dell Inc.)
DW WLAN Card Utility (HKLM\...\DW WLAN Card Utility) (Version: 5.60.48.18 - Dell Inc.)
Facebook Video Calling 1.2.0.287 (HKLM-x32\...\{B92C5909-1D37-4C51-8397-A28BB28E5DC3}) (Version: 1.2.287 - Skype Limited)
iTunes (HKLM\...\{2ABBBD91-91E5-4AD7-929A-FE15D1DC0576}) (Version: 12.0.1.26 - Apple Inc.)
Java 8 Update 25 (HKLM-x32\...\{26A24AE4-039D-4CA4-87B4-2F83218025F0}) (Version: 8.0.250 - Oracle Corporation)
Malwarebytes Anti-Malware version 2.0.4.1028 (HKLM-x32\...\Malwarebytes Anti-Malware_is1) (Version: 2.0.4.1028 - Malwarebytes Corporation)
Microsoft .NET Framework 4.5.1 (HKLM\...\{92FB6C44-E685-45AD-9B20-CADF4CABA132} - 1033) (Version: 4.5.50938 - Microsoft Corporation)
Microsoft Security Essentials (HKLM\...\Microsoft Security Client) (Version: 4.6.305.0 - Microsoft Corporation)
Microsoft Silverlight (HKLM\...\{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}) (Version: 5.1.30514.0 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (x64) (HKLM\...\{071c9b48-7c32-4621-a0ac-3f809523288f}) (Version: 8.0.56336 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (x64) (HKLM\...\{ad8a2fa1-06e7-4b0d-927d-6e54b3d31028}) (Version: 8.0.61000 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.17 (HKLM\...\{8220EEFE-38CD-377E-8595-13398D740ACE}) (Version: 9.0.30729 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.6161 (HKLM\...\{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4}) (Version: 9.0.30729.6161 - Microsoft Corporation)
Microsoft Visual C++ 2010  x64 Redistributable - 10.0.40219 (HKLM\...\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}) (Version: 10.0.40219 - Microsoft Corporation)
OpenOffice.org 3.4.1 (HKLM-x32\...\{9F1F2AEA-C72A-4DD6-991E-C5506A5625E4}) (Version: 3.41.9593 - Apache Software Foundation)
Skype™ 6.10 (HKLM-x32\...\{4E76FF7E-AEBA-4C87-B788-CD47E5425B9D}) (Version: 6.10.104 - Skype Technologies S.A.)
swMSM (x32 Version: 12.0.0.1 - Adobe Systems, Inc) Hidden
Viber (HKU\S-1-5-21-3235092901-3201886512-1435208716-1000\...\Viber) (Version: 3.0.0.134678 - Viber Media Inc)

==================== Custom CLSID (selected items): ==========================

(If an entry is included in the fixlist, it will be removed from registry. Any eventual file will not be moved.)

==================== Restore Points  =========================

08-12-2014 18:21:03 Windows Update
13-12-2014 07:59:09 Windows Update
17-12-2014 23:20:57 Windows Update
22-12-2014 09:10:34 Windows Update
16-01-2015 09:21:32 Windows Update
20-01-2015 14:03:21 Windows Update
21-01-2015 08:47:23 Windows Update
22-01-2015 14:32:16 Windows Update
26-01-2015 17:04:19 Windows Update
31-01-2015 10:15:37 Windows Update
04-02-2015 10:16:29 Installed Adblock Plus for IE (32-bit and 64-bit)
04-02-2015 15:19:34 Windows Update
09-02-2015 12:41:30 Windows Update

==================== Hosts content: ==========================

(If needed Hosts: directive could be included in the fixlist to reset Hosts.)

2009-07-13 19:34 - 2015-01-28 13:37 - 00450892 ____R C:\Windows\system32\Drivers\etc\hosts
127.0.0.1 www.007guard.com
127.0.0.1 007guard.com
127.0.0.1 008i.com
127.0.0.1 www.008k.com
127.0.0.1 008k.com
127.0.0.1 www.00hq.com
127.0.0.1 00hq.com
127.0.0.1 010402.com
127.0.0.1 www.032439.com
127.0.0.1 032439.com
127.0.0.1 www.0scan.com
127.0.0.1 0scan.com
127.0.0.1 www.1000gratisproben.com
127.0.0.1 1000gratisproben.com
127.0.0.1 1001namen.com
127.0.0.1 www.1001namen.com
127.0.0.1 100888290cs.com
127.0.0.1 www.100888290cs.com
127.0.0.1 www.100sexlinks.com
127.0.0.1 100sexlinks.com
127.0.0.1 www.10sek.com
127.0.0.1 10sek.com
127.0.0.1 www.1-2005-search.com
127.0.0.1 1-2005-search.com
127.0.0.1 www.123fporn.info
127.0.0.1 123fporn.info
127.0.0.1 123haustiereundmehr.com
127.0.0.1 www.123haustiereundmehr.com
127.0.0.1 123moviedownload.com

There are 1000 more lines.

==================== Scheduled Tasks (whitelisted) =============

(If an entry is included in the fixlist, it will be removed from registry. Any associated file could be listed separately to be moved.)

Task: {401DFF1F-C658-4C75-A51A-FA95B54CF5AB} - System32\Tasks\FacebookUpdateTaskUserS-1-5-21-3235092901-3201886512-1435208716-1000Core => C:\Users\Marcel\AppData\Local\Facebook\Update\FacebookUpdate.exe
Task: {4A3EF857-3AB2-4151-9EB5-0704B8F5E478} - System32\Tasks\FacebookUpdateTaskUserS-1-5-21-3235092901-3201886512-1435208716-1000UA => C:\Users\Marcel\AppData\Local\Facebook\Update\FacebookUpdate.exe
Task: {585CA1E2-7C51-461F-8F61-EFCE0E4A1F52} - System32\Tasks\{35BBE5C7-8AE4-495D-87B0-4A1EA97B1597} => C:\Program Files (x86)\HughesNet Status Meter\HughesNet Status Meter.exe
Task: {5E235B4C-6AB7-449F-9C0E-70CD0E4D11B0} - System32\Tasks\Adobe Acrobat Update Task => C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe [2014-12-19] (Adobe Systems Incorporated)
Task: {C2C7B65F-CA4F-4D99-83C7-D85D2FF736C2} - System32\Tasks\Adobe Flash Player Updater => C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2015-02-04] (Adobe Systems Incorporated)
Task: {E7FC3F0D-F0A3-430D-85D6-E5F47B3D642F} - System32\Tasks\Apple\AppleSoftwareUpdate => C:\Program Files (x86)\Apple Software Update\SoftwareUpdate.exe [2011-06-01] (Apple Inc.)
Task: C:\Windows\Tasks\Adobe Flash Player Updater.job => C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe
Task: C:\Windows\Tasks\FacebookUpdateTaskUserS-1-5-21-3235092901-3201886512-1435208716-1000Core.job => C:\Users\Marcel\AppData\Local\Facebook\Update\FacebookUpdate.exe
Task: C:\Windows\Tasks\FacebookUpdateTaskUserS-1-5-21-3235092901-3201886512-1435208716-1000UA.job => C:\Users\Marcel\AppData\Local\Facebook\Update\FacebookUpdate.exe

==================== Loaded Modules (whitelisted) ==============

2012-01-10 21:12 - 2012-01-10 21:12 - 00094208 _____ () C:\Windows\System32\IccLibDll_x64.dll
2014-10-04 09:36 - 2014-09-01 21:22 - 00936656 _____ () C:\Users\Marcel\AppData\Local\Viber\Viber.exe
2014-07-31 11:16 - 2014-07-31 11:16 - 00073544 _____ () C:\Program Files (x86)\Common Files\Apple\Apple Application Support\zlib1.dll
2014-10-11 12:05 - 2014-10-11 12:05 - 01044776 _____ () C:\Program Files (x86)\Common Files\Apple\Apple Application Support\libxml2.dll
2015-02-03 13:58 - 2015-02-03 13:58 - 49463296 _____ () C:\Users\Marcel\AppData\Local\Viber\5.0.0.2821\libViber.dll
2015-02-03 13:58 - 2015-02-03 13:58 - 00770048 _____ () C:\Users\Marcel\AppData\Local\Viber\5.0.0.2821\libGLESv2.dll
2015-02-03 13:58 - 2015-02-03 13:58 - 00106496 _____ () C:\Users\Marcel\AppData\Local\Viber\5.0.0.2821\qfacebook.dll
2015-02-03 13:57 - 2015-02-03 13:57 - 00172032 _____ () C:\Users\Marcel\AppData\Local\Viber\5.0.0.2821\exif.dll
2015-02-03 13:58 - 2015-02-03 13:58 - 00049152 _____ () C:\Users\Marcel\AppData\Local\Viber\5.0.0.2821\libEGL.dll
2015-02-03 13:58 - 2015-02-03 13:58 - 00876544 _____ () C:\Users\Marcel\AppData\Local\Viber\5.0.0.2821\platforms\qwindows.dll
2015-02-03 13:58 - 2015-02-03 13:58 - 00024576 _____ () C:\Users\Marcel\AppData\Local\Viber\5.0.0.2821\imageformats\qgif.dll
2015-02-03 13:58 - 2015-02-03 13:58 - 00024576 _____ () C:\Users\Marcel\AppData\Local\Viber\5.0.0.2821\imageformats\qico.dll
2015-02-03 13:58 - 2015-02-03 13:58 - 00204800 _____ () C:\Users\Marcel\AppData\Local\Viber\5.0.0.2821\imageformats\qjpeg.dll
2015-02-03 13:58 - 2015-02-03 13:58 - 00221184 _____ () C:\Users\Marcel\AppData\Local\Viber\5.0.0.2821\imageformats\qmng.dll
2015-02-03 13:58 - 2015-02-03 13:58 - 00016384 _____ () C:\Users\Marcel\AppData\Local\Viber\5.0.0.2821\imageformats\qsvg.dll
2015-02-03 13:58 - 2015-02-03 13:58 - 00016384 _____ () C:\Users\Marcel\AppData\Local\Viber\5.0.0.2821\imageformats\qtga.dll
2015-02-03 13:58 - 2015-02-03 13:58 - 00311296 _____ () C:\Users\Marcel\AppData\Local\Viber\5.0.0.2821\imageformats\qtiff.dll
2015-02-03 13:58 - 2015-02-03 13:58 - 00016384 _____ () C:\Users\Marcel\AppData\Local\Viber\5.0.0.2821\imageformats\qwbmp.dll
2015-02-03 13:58 - 2015-02-03 13:58 - 00638976 _____ () C:\Users\Marcel\AppData\Local\Viber\5.0.0.2821\sqldrivers\qsqlite.dll
2015-02-03 13:57 - 2015-02-03 13:57 - 00032768 _____ () C:\Users\Marcel\AppData\Local\Viber\5.0.0.2821\iconengines\qsvgicon.dll
2012-08-10 16:51 - 2012-08-10 16:51 - 00985088 _____ () C:\Program Files (x86)\OpenOffice.org 3\program\libxml2.dll
2015-02-02 17:51 - 2015-02-02 17:51 - 00561664 _____ () C:\Program Files (x86)\BBestSaveForeYoou\qymLTL48qAiLrM.dll
2015-02-02 17:52 - 2015-02-02 17:52 - 00561664 _____ () C:\Program Files (x86)\DiesccounTExtteNssII\sNe8wsEFZxeDeS.dll

==================== Alternate Data Streams (whitelisted) =========

(If an entry is included in the fixlist, only the Alternate Data Streams will be removed.)

==================== Safe Mode (whitelisted) ===================

(If an item is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.)

==================== EXE Association (whitelisted) ===============

(If an entry is included in the fixlist, the default will be restored. None default entries will be removed.)

==================== Other Registry Areas =====================

(Currently there is no automatic fix for this section.)

HKU\S-1-5-21-3235092901-3201886512-1435208716-1000\Control Panel\Desktop\\Wallpaper -> C:\Users\Marcel\AppData\Roaming\Microsoft\Internet Explorer\Internet Explorer Wallpaper.bmp

==================== MSCONFIG/TASK MANAGER disabled items ==

(Currently there is no automatic fix for this section.)

MSCONFIG\startupreg: Skype => "C:\Program Files (x86)\Skype\Phone\Skype.exe" /minimized /regrun

==================== Accounts: =============================

Administrator (S-1-5-21-3235092901-3201886512-1435208716-500 - Administrator - Disabled)
Guest (S-1-5-21-3235092901-3201886512-1435208716-501 - Limited - Disabled)
Marcel (S-1-5-21-3235092901-3201886512-1435208716-1000 - Administrator - Enabled) => C:\Users\Marcel

==================== Faulty Device Manager Devices =============

==================== Event log errors: =========================

Application errors:
==================
Error: (02/10/2015 11:58:41 AM) (Source: Bonjour Service) (EventID: 100) (User: )
Description: Task Scheduling Error: m->NextScheduledSPRetry 1092

Error: (02/10/2015 11:58:41 AM) (Source: Bonjour Service) (EventID: 100) (User: )
Description: Task Scheduling Error: m->NextScheduledEvent 1092

Error: (02/10/2015 11:58:41 AM) (Source: Bonjour Service) (EventID: 100) (User: )
Description: Task Scheduling Error: Continuously busy for more than a second

Error: (02/10/2015 11:17:27 AM) (Source: Bonjour Service) (EventID: 100) (User: )
Description: Task Scheduling Error: m->NextScheduledSPRetry 1061

Error: (02/10/2015 11:17:27 AM) (Source: Bonjour Service) (EventID: 100) (User: )
Description: Task Scheduling Error: m->NextScheduledEvent 1061

Error: (02/10/2015 11:17:27 AM) (Source: Bonjour Service) (EventID: 100) (User: )
Description: Task Scheduling Error: Continuously busy for more than a second

Error: (02/10/2015 10:42:34 AM) (Source: Bonjour Service) (EventID: 100) (User: )
Description: 448: DNSServiceGetAddrInfo      v4v6 iPhone.local.

Error: (02/10/2015 10:42:34 AM) (Source: Bonjour Service) (EventID: 100) (User: )
Description: 448: Could not write data to client because of error - aborting connection

Error: (02/10/2015 10:42:34 AM) (Source: Bonjour Service) (EventID: 100) (User: )
Description: send_msg ERROR: failed to write 80 of 80 bytes to fd 448 errno 10053 (An established connection was aborted by the software in your host machine.)

Error: (02/10/2015 10:35:00 AM) (Source: Bonjour Service) (EventID: 100) (User: )
Description: Task Scheduling Error: m->NextScheduledSPRetry 2075

System errors:
=============
Error: (02/10/2015 00:27:14 PM) (Source: Schannel) (EventID: 4119) (User: NT AUTHORITY)
Description: The following fatal alert was received: 40.

Error: (02/10/2015 00:27:14 PM) (Source: Schannel) (EventID: 4119) (User: NT AUTHORITY)
Description: The following fatal alert was received: 40.

Error: (02/10/2015 00:26:31 PM) (Source: Schannel) (EventID: 4119) (User: NT AUTHORITY)
Description: The following fatal alert was received: 40.

Error: (02/10/2015 00:24:04 PM) (Source: Schannel) (EventID: 4119) (User: NT AUTHORITY)
Description: The following fatal alert was received: 40.

Error: (02/10/2015 00:24:00 PM) (Source: Schannel) (EventID: 4119) (User: NT AUTHORITY)
Description: The following fatal alert was received: 40.

Error: (02/10/2015 00:23:59 PM) (Source: Schannel) (EventID: 4119) (User: NT AUTHORITY)
Description: The following fatal alert was received: 40.

Error: (02/10/2015 00:23:59 PM) (Source: Schannel) (EventID: 4119) (User: NT AUTHORITY)
Description: The following fatal alert was received: 40.

Error: (02/10/2015 00:23:57 PM) (Source: Schannel) (EventID: 4119) (User: NT AUTHORITY)
Description: The following fatal alert was received: 40.

Error: (02/10/2015 00:23:57 PM) (Source: Schannel) (EventID: 4119) (User: NT AUTHORITY)
Description: The following fatal alert was received: 40.

Error: (02/10/2015 00:23:56 PM) (Source: Schannel) (EventID: 4119) (User: NT AUTHORITY)
Description: The following fatal alert was received: 40.

Microsoft Office Sessions:
=========================
Error: (02/10/2015 11:58:41 AM) (Source: Bonjour Service) (EventID: 100) (User: )
Description: Task Scheduling Error: m->NextScheduledSPRetry 1092

Error: (02/10/2015 11:58:41 AM) (Source: Bonjour Service) (EventID: 100) (User: )
Description: Task Scheduling Error: m->NextScheduledEvent 1092

Error: (02/10/2015 11:58:41 AM) (Source: Bonjour Service) (EventID: 100) (User: )
Description: Task Scheduling Error: Continuously busy for more than a second

Error: (02/10/2015 11:17:27 AM) (Source: Bonjour Service) (EventID: 100) (User: )
Description: Task Scheduling Error: m->NextScheduledSPRetry 1061

Error: (02/10/2015 11:17:27 AM) (Source: Bonjour Service) (EventID: 100) (User: )
Description: Task Scheduling Error: m->NextScheduledEvent 1061

Error: (02/10/2015 11:17:27 AM) (Source: Bonjour Service) (EventID: 100) (User: )
Description: Task Scheduling Error: Continuously busy for more than a second

Error: (02/10/2015 10:42:34 AM) (Source: Bonjour Service) (EventID: 100) (User: )
Description: 448: DNSServiceGetAddrInfo      v4v6 iPhone.local.

Error: (02/10/2015 10:42:34 AM) (Source: Bonjour Service) (EventID: 100) (User: )
Description: 448: Could not write data to client because of error - aborting connection

Error: (02/10/2015 10:42:34 AM) (Source: Bonjour Service) (EventID: 100) (User: )
Description: send_msg ERROR: failed to write 80 of 80 bytes to fd 448 errno 10053 (An established connection was aborted by the software in your host machine.)

Error: (02/10/2015 10:35:00 AM) (Source: Bonjour Service) (EventID: 100) (User: )
Description: Task Scheduling Error: m->NextScheduledSPRetry 2075

==================== Memory info ===========================

Processor: Intel® Core i3 CPU M 350 @ 2.27GHz
Percentage of memory in use: 68%
Total physical RAM: 2934.56 MB
Available physical RAM: 926.6 MB
Total Pagefile: 5867.3 MB
Available Pagefile: 3087.3 MB
Total Virtual: 8192 MB
Available Virtual: 8191.83 MB

==================== Drives ================================

Drive c: () (Fixed) (Total:465.66 GB) (Free:411.98 GB) NTFS

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (MBR Code: Windows 7 or 8) (Size: 465.8 GB) (Disk ID: 8DAA710C)
Partition 1: (Active) - (Size=100 MB) - (Type=07 NTFS)
Partition 2: (Not Active) - (Size=465.7 GB) - (Type=07 NTFS)

==================== End Of Log ============================


Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 08-02-2015
Ran by Marcel (administrator) on MARCEL-PC on 10-02-2015 12:58:39
Running from C:\Users\Marcel\Downloads
Loaded Profiles: Marcel (Available profiles: Marcel)
Platform: Windows 7 Home Premium Service Pack 1 (X64) OS Language: English (United States)
Internet Explorer Version 11
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(Microsoft Corporation) C:\Program Files\Microsoft Security Client\MsMpEng.exe
(Dell Inc.) C:\Program Files\Dell\DW WLAN Card\WLTRYSVC.EXE
(Microsoft Corporation) C:\Windows\System32\wlanext.exe
(Dell Inc.) C:\Program Files\Dell\DW WLAN Card\BCMWLTRY.EXE
(Apple Inc.) C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
(Apple Inc.) C:\Program Files\Bonjour\mDNSResponder.exe
(Microsoft Corporation) C:\Program Files\Microsoft Security Client\NisSrv.exe
(Dell Inc.) C:\Program Files\Dell\DW WLAN Card\WLTRAY.EXE
(Intel Corporation) C:\Windows\System32\hkcmd.exe
(Intel Corporation) C:\Windows\System32\igfxpers.exe
(Microsoft Corporation) C:\Program Files\Microsoft Security Client\msseces.exe
() C:\Users\Marcel\AppData\Local\Viber\Viber.exe
(OpenOffice.org) C:\Program Files (x86)\OpenOffice.org 3\program\soffice.exe
(Apple Inc.) C:\Program Files (x86)\iTunes\iTunesHelper.exe
(Oracle Corporation) C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
(OpenOffice.org) C:\Program Files (x86)\OpenOffice.org 3\program\soffice.bin
(Apple Inc.) C:\Program Files\iPod\bin\iPodService.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe
(Malwarebytes Corporation) C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe
(Adobe Systems Incorporated) C:\Windows\System32\Macromed\Flash\FlashUtil64_16_0_0_305_ActiveX.exe
(Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe
(Eyeo GmbH) C:\Program Files\Adblock Plus for IE\AdblockPlusEngine.exe
(Farbar) C:\Users\Marcel\Downloads\FRST64 (1).exe

==================== Registry (Whitelisted) ==================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [broadcom Wireless Manager UI] => C:\Program Files\Dell\DW WLAN Card\WLTRAY.exe [5470208 2009-12-16] (Dell Inc.)
HKLM\...\Run: [MSC] => c:\Program Files\Microsoft Security Client\msseces.exe [1331288 2014-08-22] (Microsoft Corporation)
HKLM-x32\...\Run: [iTunesHelper] => C:\Program Files (x86)\iTunes\iTunesHelper.exe [157480 2014-10-15] (Apple Inc.)
HKLM-x32\...\Run: [sunJavaUpdateSched] => C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe [507776 2014-10-07] (Oracle Corporation)
Winlogon\Notify\igfxcui: C:\Windows\system32\igfxdev.dll (Intel Corporation)
HKU\S-1-5-21-3235092901-3201886512-1435208716-1000\...\Run: [Facebook Update] => "C:\Users\Marcel\AppData\Local\Facebook\Update\FacebookUpdate.exe" /c /nocrashserver
HKU\S-1-5-21-3235092901-3201886512-1435208716-1000\...\Run: [Viber] => C:\Users\Marcel\AppData\Local\Viber\Viber.exe [936656 2014-09-01] ()
AppInit_DLLs-x32: c:\progra~2\searchprotect\searchprotect\bin\spvc32loader.dll => "c:\progra~2\searchprotect\searchprotect\bin\spvc32loader.dll" File Not Found
Startup: C:\Users\Marcel\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HughesNetStatusMeter.lnk
ShortcutTarget: HughesNetStatusMeter.lnk -> C:\Program Files (x86)\HughesNetStatusMeter\HughesNetStatusMeter\HughesNetStatusMeter.exe (No File)
Startup: C:\Users\Marcel\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OpenOffice.org 3.4.1.lnk
ShortcutTarget: OpenOffice.org 3.4.1.lnk -> C:\Program Files (x86)\OpenOffice.org 3\program\quickstart.exe ()
BootExecute: autocheck autochk * sdnclean64.exe
CHR HKLM\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

ProxyEnable: [.DEFAULT] => Internet Explorer proxy is enabled.
ProxyServer: [.DEFAULT] => http=127.0.0.1:57604;https=127.0.0.1:57604
ProxyServer: [s-1-5-21-3235092901-3201886512-1435208716-1000] => localhost:8080
HKU\S-1-5-21-3235092901-3201886512-1435208716-1000\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bbc.com/news/
HKU\S-1-5-21-3235092901-3201886512-1435208716-1000\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
SearchScopes: HKLM-x32 -> {23088cf8-eaf8-4bb3-a251-9ba61557ac75} URL = http://search.tb.ask.com/search/GGmain.jhtml?p2=^Z1^xdm126^YYA^ie&ptb=920CBEE8-B37C-4B3A-9F27-5BCEB97C7F9C&psa=&ind=2013112218&st=sb&n=77fda79a&searchfor={searchTerms}
SearchScopes: HKU\S-1-5-21-3235092901-3201886512-1435208716-1000 -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-21-3235092901-3201886512-1435208716-1000 -> {6A1806CD-94D4-4689-BA73-E35EA1EA9990} URL =
BHO: BBestSaveForeYoou -> {3d626b9c-a16f-4a7f-9c65-5b5534b90ce7} -> C:\Program Files (x86)\BBestSaveForeYoou\qymLTL48qAiLrM.x64.dll ()
BHO: DiesccounTExtteNssII -> {bdf1ab71-7dd3-4c26-9a04-473a194c17be} -> C:\Program Files (x86)\DiesccounTExtteNssII\sNe8wsEFZxeDeS.x64.dll ()
BHO: Adblock Plus for IE Browser Helper Object -> {FFCB3198-32F3-4E8B-9539-4324694ED664} -> C:\Program Files\Adblock Plus for IE\AdblockPlus64.dll (Adblock Plus)
BHO-x32: BBestSaveForeYoou -> {3d626b9c-a16f-4a7f-9c65-5b5534b90ce7} -> C:\Program Files (x86)\BBestSaveForeYoou\qymLTL48qAiLrM.dll ()
BHO-x32: Java Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files (x86)\Java\jre1.8.0_25\bin\ssv.dll (Oracle Corporation)
BHO-x32: DiesccounTExtteNssII -> {bdf1ab71-7dd3-4c26-9a04-473a194c17be} -> C:\Program Files (x86)\DiesccounTExtteNssII\sNe8wsEFZxeDeS.dll ()
BHO-x32: Java Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files (x86)\Java\jre1.8.0_25\bin\jp2ssv.dll (Oracle Corporation)
BHO-x32: Adblock Plus for IE Browser Helper Object -> {FFCB3198-32F3-4E8B-9539-4324694ED664} -> C:\Program Files\Adblock Plus for IE\AdblockPlus32.dll (Adblock Plus)
Toolbar: HKU\S-1-5-21-3235092901-3201886512-1435208716-1000 -> No Name - {2318C2B1-4965-11D4-9B18-009027A5CD4F} -  No File
DPF: HKLM-x32 {166B1BCA-3F9C-11CF-8075-444553540000} http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
Handler-x32: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files (x86)\Common Files\Skype\Skype4COM.dll (Skype Technologies)
Hosts: There are more than one entry in Hosts. See Hosts section of Addition.txt
Tcpip\Parameters: [DhcpNameServer] 67.142.174.10 67.142.174.11
Tcpip\..\Interfaces\{432D54BB-7296-4409-9A02-CB4E55F11C2B}: [NameServer] 8.8.8.8,8.8.4.4

FireFox:
========
FF Plugin: @microsoft.com/GENUINE -> disabled No File
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files\Microsoft Silverlight\5.1.30514.0\npctrl.dll ( Microsoft Corporation)
FF Plugin-x32: @adobe.com/ShockwavePlayer -> C:\Windows\SysWOW64\Adobe\Director\np32dsw_1204144.dll (Adobe Systems, Inc.)
FF Plugin-x32: @Apple.com/iTunes,version=1.0 -> C:\Program Files (x86)\iTunes\Mozilla Plugins\npitunes.dll ()
FF Plugin-x32: @java.com/DTPlugin,version=11.25.2 -> C:\Program Files (x86)\Java\jre1.8.0_25\bin\dtplugin\npDeployJava1.dll (Oracle Corporation)
FF Plugin-x32: @java.com/JavaPlugin,version=11.25.2 -> C:\Program Files (x86)\Java\jre1.8.0_25\bin\plugin2\npjp2.dll (Oracle Corporation)
FF Plugin-x32: @microsoft.com/GENUINE -> disabled No File
FF Plugin-x32: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\npctrl.dll ( Microsoft Corporation)
FF Plugin-x32: Adobe Reader -> C:\Program Files (x86)\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF Plugin HKU\S-1-5-21-3235092901-3201886512-1435208716-1000: @Skype Limited.com/Facebook Video Calling Plugin -> C:\Users\Marcel\AppData\Local\Facebook\Video\Skype\npFacebookVideoCalling.dll No File

Chrome:
=======
CHR HomePage: Default -> hxxp://astromenda.com/?f=1&a=ast_dnldstr_14_40_ch&cd=2XzuyEtN2Y1L1QzuyBtD0FtC0AtCyDzy0E0F0C0A0ByEzy0AtN0D0Tzu0StCtDtDyEtN1L2XzutAtFtBtFtCtFyDtN1L1CzutCyEtBzytDyD1V1TtN1L1G1B1V1N2Y1L1Qzu2StCtByBtD0C0A0CtBtG0D0D0AyBtGtDtB0EyDtG0EtCtB0EtGtA0B0C0D0BzytBzzzyyBzztB2QtN1M1F1B2Z1V1N2Y1L1Qzu2S0FtD0F0F0Ezyzy0EtGzztC0DyEtGyE0D0AtDtG0B0F0CzztGzy0E0BtAyDzy0E0CyBtC0Fzy2Q&cr=324390655&ir=
CHR StartupUrls: Default -> "hxxp://astromenda.com/?f=7&a=ast_dnldstr_14_40_ch&cd=2XzuyEtN2Y1L1QzuyBtD0FtC0AtCyDzy0E0F0C0A0ByEzy0AtN0D0Tzu0StCtDtDyEtN1L2XzutAtFtBtFtCtFyDtN1L1CzutCyEtBzytDyD1V1TtN1L1G1B1V1N2Y1L1Qzu2StCtByBtD0C0A0CtBtG0D0D0AyBtGtDtB0EyDtG0EtCtB0EtGtA0B0C0D0BzytBzzzyyBzztB2QtN1M1F1B2Z1V1N2Y1L1Qzu2S0FtD0F0F0Ezyzy0EtGzztC0DyEtGyE0D0AtDtG0B0F0CzztGzy0E0BtAyDzy0E0CyBtC0Fzy2Q&cr=324390655&ir=", "hxxp://www.google.com"
CHR DefaultSearchKeyword: Default -> astromenda.com
CHR DefaultSearchURL: Default -> http://astromenda.com/results.php?f=4&q={searchTerms}&a=ast_dnldstr_14_40_ch&cd=2XzuyEtN2Y1L1QzuyBtD0FtC0AtCyDzy0E0F0C0A0ByEzy0AtN0D0Tzu0StCtDtDyEtN1L2XzutAtFtBtFtCtFyDtN1L1CzutCyEtBzytDyD1V1TtN1L1G1B1V1N2Y1L1Qzu2StCtByBtD0C0A0CtBtG0D0D0AyBtGtDtB0EyDtG0EtCtB0EtGtA0B0C0D0BzytBzzzyyBzztB2QtN1M1F1B2Z1V1N2Y1L1Qzu2S0FtD0F0F0Ezyzy0EtGzztC0DyEtGyE0D0AtDtG0B0F0CzztGzy0E0BtAyDzy0E0CyBtC0Fzy2Q&cr=324390655&ir=
CHR DefaultSuggestURL: Default -> {google:baseSuggestURL}search?client=chrome&hl={language}&q={searchTerms}
CHR Profile: C:\Users\Marcel\AppData\Local\Google\Chrome\User Data\Default
CHR Extension: (Google Drive) - C:\Users\Marcel\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2013-11-22]
CHR Extension: (YouTube) - C:\Users\Marcel\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2013-04-11]
CHR Extension: (Google Search) - C:\Users\Marcel\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf [2013-04-11]
CHR Extension: (Related Content by Zemanta) - C:\Users\Marcel\AppData\Local\Google\Chrome\User Data\Default\Extensions\fejeknoakjeblidffkajbioncodnmhge [2015-02-04]
CHR Extension: (Gmail) - C:\Users\Marcel\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2013-04-11]

==================== Services (Whitelisted) =================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

R2 MsMpSvc; c:\Program Files\Microsoft Security Client\MsMpEng.exe [23784 2014-08-22] (Microsoft Corporation)
R3 NisSrv; c:\Program Files\Microsoft Security Client\NisSrv.exe [368624 2014-08-22] (Microsoft Corporation)
S3 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [1011712 2013-05-26] (Microsoft Corporation)
R2 wltrysvc; C:\Program Files\Dell\DW WLAN Card\bcmwltry.exe [4950016 2009-12-16] (Dell Inc.) [File not signed]

==================== Drivers (Whitelisted) ====================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

R3 MBAMSwissArmy; C:\Windows\system32\drivers\MBAMSwissArmy.sys [129752 2015-02-09] (Malwarebytes Corporation)
R0 MpFilter; C:\Windows\System32\DRIVERS\MpFilter.sys [269008 2014-07-17] (Microsoft Corporation)
R2 NisDrv; C:\Windows\System32\DRIVERS\NisDrvWFP.sys [125584 2014-07-17] (Microsoft Corporation)

==================== NetSvcs (Whitelisted) ===================

(If an item is included in the fixlist, it will be removed from the registry. Any associated file could be listed separately to be moved.)

==================== One Month Created Files and Folders ========

(If an entry is included in the fixlist, the file\folder will be moved.)

2015-02-10 12:44 - 2015-02-10 12:44 - 00018010 _____ () C:\Users\Marcel\Downloads\Addition.txt
2015-02-10 12:43 - 2015-02-10 12:58 - 00012050 _____ () C:\Users\Marcel\Downloads\FRST.txt
2015-02-10 12:40 - 2015-02-10 12:58 - 00000000 ____D () C:\FRST
2015-02-10 12:35 - 2015-02-10 12:39 - 02132992 _____ (Farbar) C:\Users\Marcel\Downloads\FRST64 (1).exe
2015-02-09 15:00 - 2015-02-09 15:00 - 00000701 _____ () C:\Users\Marcel\Desktop\Help Forum.txt
2015-02-09 13:55 - 2015-02-09 13:55 - 00000111 _____ () C:\Users\Marcel\Desktop\delete malware help page.txt
2015-02-07 14:58 - 2015-02-09 20:36 - 00129752 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
2015-02-07 14:58 - 2015-02-07 14:58 - 00001106 _____ () C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2015-02-07 14:58 - 2015-02-07 14:58 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes Anti-Malware
2015-02-07 14:58 - 2015-02-07 14:58 - 00000000 ____D () C:\ProgramData\Malwarebytes
2015-02-07 14:58 - 2015-02-07 14:58 - 00000000 ____D () C:\Program Files (x86)\Malwarebytes Anti-Malware
2015-02-07 14:58 - 2014-11-21 06:14 - 00093400 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbamchameleon.sys
2015-02-07 14:58 - 2014-11-21 06:14 - 00063704 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mwac.sys
2015-02-07 14:58 - 2014-11-21 06:14 - 00025816 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbam.sys
2015-02-07 14:53 - 2015-02-07 14:53 - 20447072 _____ (Malwarebytes Corporation ) C:\Users\Marcel\Downloads\mbam-setup-2.0.4.1028.exe
2015-02-05 00:47 - 2015-02-06 12:04 - 00000000 ____D () C:\Users\Marcel\Desktop\Testout Labs
2015-02-04 10:16 - 2015-02-04 10:16 - 00000000 ____D () C:\Program Files\Adblock Plus for IE
2015-02-04 10:14 - 2015-02-04 10:15 - 05915456 _____ ( ) C:\Users\Marcel\Downloads\adblockplusie-1.3 (1).exe
2015-02-04 10:14 - 2015-02-04 10:14 - 05915456 _____ ( ) C:\Users\Marcel\Downloads\adblockplusie-1.3.exe
2015-02-04 08:13 - 2015-02-04 08:13 - 00000000 ____D () C:\Program Files (x86)\Related Content by Zemanta
2015-02-04 08:13 - 2015-02-04 08:13 - 00000000 ____D () C:\Program Files (x86)\GreaatSavea4U
2015-02-04 08:12 - 2015-02-04 08:12 - 00000000 ____D () C:\ProgramData\ielnbcehfkegjbnlkmkjclidmnnepcej
2015-02-02 17:52 - 2015-02-04 08:13 - 00000000 ____D () C:\ProgramData\880365515719780960UL
2015-02-02 17:52 - 2015-02-02 17:52 - 00000000 ____D () C:\Program Files (x86)\DiesccounTExtteNssII
2015-02-02 17:51 - 2015-02-02 17:52 - 00000000 ____D () C:\Program Files (x86)\BBestSaveForeYoou
2015-01-21 11:44 - 2014-12-11 22:35 - 05553592 _____ (Microsoft Corporation) C:\Windows\system32\ntoskrnl.exe
2015-01-21 11:44 - 2014-12-11 22:31 - 00503808 _____ (Microsoft Corporation) C:\Windows\system32\srcore.dll
2015-01-21 11:44 - 2014-12-11 22:31 - 00296960 _____ (Microsoft Corporation) C:\Windows\system32\rstrui.exe
2015-01-21 11:44 - 2014-12-11 22:31 - 00050176 _____ (Microsoft Corporation) C:\Windows\system32\srclient.dll
2015-01-21 11:44 - 2014-12-11 22:11 - 03971512 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ntkrnlpa.exe
2015-01-21 11:44 - 2014-12-11 22:11 - 03916728 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ntoskrnl.exe
2015-01-21 11:44 - 2014-12-11 22:07 - 00043008 _____ (Microsoft Corporation) C:\Windows\SysWOW64\srclient.dll
2015-01-21 08:58 - 2015-01-21 08:58 - 00003886 _____ () C:\Windows\System32\Tasks\Adobe Acrobat Update Task
2015-01-20 13:56 - 2015-01-20 13:56 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Silverlight
2015-01-20 13:56 - 2015-01-20 13:56 - 00000000 ____D () C:\Program Files\Microsoft Silverlight
2015-01-20 13:56 - 2015-01-20 13:56 - 00000000 ____D () C:\Program Files (x86)\Microsoft Silverlight
2015-01-20 13:55 - 2015-01-20 13:55 - 13087456 _____ (Microsoft Corporation) C:\Users\Marcel\Downloads\Silverlight_x64.exe
2015-01-17 12:54 - 2014-12-18 20:06 - 00210432 _____ (Microsoft Corporation) C:\Windows\system32\profsvc.dll
2015-01-17 12:54 - 2014-12-18 18:46 - 00141312 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\mrxdav.sys
2015-01-17 12:54 - 2014-12-11 10:47 - 00087040 _____ (Microsoft Corporation) C:\Windows\system32\TSWbPrxy.exe
2015-01-17 12:54 - 2014-12-05 21:17 - 00303616 _____ (Microsoft Corporation) C:\Windows\system32\nlasvc.dll
2015-01-17 12:54 - 2014-12-05 20:50 - 00156672 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ncsi.dll
2015-01-17 12:54 - 2014-12-05 20:50 - 00052224 _____ (Microsoft Corporation) C:\Windows\SysWOW64\nlaapi.dll

==================== One Month Modified Files and Folders =======

(If an entry is included in the fixlist, the file\folder will be moved.)

2015-02-10 12:41 - 2013-04-11 01:30 - 00000830 _____ () C:\Windows\Tasks\Adobe Flash Player Updater.job
2015-02-10 12:39 - 2013-04-05 13:19 - 01228119 _____ () C:\Windows\WindowsUpdate.log
2015-02-10 12:25 - 2009-07-13 21:45 - 00028528 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2015-02-10 12:25 - 2009-07-13 21:45 - 00028528 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2015-02-10 10:27 - 2013-04-10 20:37 - 00000932 _____ () C:\Windows\Tasks\FacebookUpdateTaskUserS-1-5-21-3235092901-3201886512-1435208716-1000UA.job
2015-02-09 18:27 - 2014-10-04 09:37 - 00000000 ____D () C:\Users\Marcel\AppData\Roaming\ViberPC
2015-02-09 18:27 - 2014-10-04 09:36 - 00000000 ____D () C:\Users\Marcel\AppData\Local\Viber
2015-02-09 18:27 - 2009-07-13 22:08 - 00000006 ____H () C:\Windows\Tasks\SA.DAT
2015-02-09 18:27 - 2009-07-13 21:51 - 00037915 _____ () C:\Windows\setupact.log
2015-02-09 14:19 - 2009-07-13 20:20 - 00000000 ____D () C:\Windows\system32\NDF
2015-02-09 13:25 - 2014-11-27 13:29 - 00000000 ____D () C:\Program Files (x86)\Spybot - Search & Destroy 2
2015-02-09 13:25 - 2013-10-15 10:34 - 00000000 ____D () C:\Users\Marcel\AppData\Roaming\Skype
2015-02-09 13:25 - 2010-11-20 20:47 - 00155660 _____ () C:\Windows\PFRO.log
2015-02-09 13:24 - 2014-04-14 13:01 - 00001238 _____ () C:\Windows\wininit.ini
2015-02-09 12:51 - 2009-07-13 22:37 - 00000000 ____D () C:\Windows\DigitalLocker
2015-02-09 12:50 - 2014-04-11 21:38 - 00000000 ____D () C:\Users\Marcel\AppData\Local\com
2015-02-06 18:46 - 2013-04-10 20:37 - 00000910 _____ () C:\Windows\Tasks\FacebookUpdateTaskUserS-1-5-21-3235092901-3201886512-1435208716-1000Core.job
2015-02-04 13:41 - 2013-04-11 01:30 - 00701616 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2015-02-04 13:41 - 2013-04-11 01:30 - 00071344 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
2015-02-04 13:41 - 2013-04-11 01:30 - 00003768 _____ () C:\Windows\System32\Tasks\Adobe Flash Player Updater
2015-02-04 08:29 - 2013-04-11 01:30 - 00000000 ____D () C:\Program Files (x86)\Google
2015-01-29 13:04 - 2014-04-11 21:35 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Optimizer Pro v3.2
2015-01-28 11:08 - 2014-11-22 16:35 - 00000000 ____D () C:\ProgramData\c37afc5acfb2a60
2015-01-24 11:41 - 2013-10-18 04:23 - 00000000 ____D () C:\Users\Marcel\AppData\Local\Deployment
2015-01-22 13:44 - 2009-07-13 20:20 - 00000000 ____D () C:\Windows\registration
2015-01-21 08:54 - 2013-07-17 23:27 - 00000000 ____D () C:\Windows\system32\MRT
2015-01-21 08:48 - 2013-04-06 10:35 - 113365784 _____ (Microsoft Corporation) C:\Windows\system32\MRT.exe
2015-01-16 09:23 - 2009-07-13 22:13 - 00782510 _____ () C:\Windows\system32\PerfStringBackup.INI

==================== Files in the root of some directories =======

2013-10-11 22:45 - 2013-10-11 22:46 - 0000084 _____ () C:\Users\Marcel\AppData\Local\DVDPATH.TXT
2013-10-18 04:11 - 2013-10-18 04:11 - 0007605 _____ () C:\Users\Marcel\AppData\Local\Resmon.ResmonCfg

==================== Bamital & volsnap Check =================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\System32\winlogon.exe => File is digitally signed
C:\Windows\System32\wininit.exe => File is digitally signed
C:\Windows\SysWOW64\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\System32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\System32\services.exe => File is digitally signed
C:\Windows\System32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\System32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\System32\rpcss.dll => File is digitally signed
C:\Windows\System32\Drivers\volsnap.sys => File is digitally signed

LastRegBack: 2015-02-03 12:26

==================== End Of Log ============================
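
The Registry and Internet sections above are read by eye in this thread. As an added example (not part of FRST, Malwarebytes or the thread), the Python below applies those same checks to FRST.txt lines: a BHO with no publisher, a ProxyServer that points at the loopback interface, a populated AppInit_DLLs value, a Chrome policy restriction, and search providers outside a small allow-list. The allow-list is an assumption; the sample lines are copied from the log above, with one URL abridged.

```python
"""Triage checks over FRST (Farbar Recovery Scan Tool) log lines.

Added example: not part of FRST or of this thread. It encodes the checks a
helper applies by eye to the Registry/Internet sections of FRST.txt.
"""
import re
from dataclasses import dataclass
from typing import Iterable
from urllib.parse import urlparse

# Sample input copied from the FRST.txt posted above (one URL abridged).
SAMPLE_LOG = r"""
ProxyEnable: [.DEFAULT] => Internet Explorer proxy is enabled.
ProxyServer: [.DEFAULT] => http=127.0.0.1:57604;https=127.0.0.1:57604
ProxyServer: [s-1-5-21-3235092901-3201886512-1435208716-1000] => localhost:8080
BHO: BBestSaveForeYoou -> {3d626b9c-a16f-4a7f-9c65-5b5534b90ce7} -> C:\Program Files (x86)\BBestSaveForeYoou\qymLTL48qAiLrM.x64.dll ()
BHO-x32: Java Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files (x86)\Java\jre1.8.0_25\bin\ssv.dll (Oracle Corporation)
AppInit_DLLs-x32: c:\progra~2\searchprotect\searchprotect\bin\spvc32loader.dll => "c:\progra~2\searchprotect\searchprotect\bin\spvc32loader.dll" File Not Found
CHR HKLM\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION
CHR DefaultSearchKeyword: Default -> astromenda.com
SearchScopes: HKLM-x32 -> {23088cf8-eaf8-4bb3-a251-9ba61557ac75} URL = http://search.tb.ask.com/search/GGmain.jhtml?searchfor={searchTerms}
"""

# Assumption: a deliberately tiny allow-list of search hosts. A real one
# would be longer and maintained outside the script.
KNOWN_SEARCH_HOSTS = {"google.com", "www.google.com", "bing.com", "www.bing.com",
                      "search.yahoo.com", "duckduckgo.com"}


@dataclass(frozen=True)
class Finding:
    rule: str       # short rule identifier
    evidence: str   # the log line that triggered it


BHO_RE = re.compile(
    r"^BHO(?:-x32)?: (?P<name>.+?) -> (?P<clsid>\{[0-9A-Fa-f-]{36}\}) -> "
    r"(?P<path>.+?) \((?P<publisher>[^()]*)\)\s*$")
PROXY_RE = re.compile(r"^ProxyServer: \[[^\]]+\] => (?P<value>.+)$")
APPINIT_RE = re.compile(r"^AppInit_DLLs(?:-x32)?: (?P<value>\S.*)$")
CHR_POLICY_RE = re.compile(r"^CHR HKLM\\SOFTWARE\\Policies\\Google: Policy restriction")
SEARCH_KEYWORD_RE = re.compile(r"^CHR DefaultSearchKeyword: \S+ -> (?P<host>\S+)$")
SEARCH_SCOPE_RE = re.compile(r"^SearchScopes: .+? URL = (?P<url>\S+)$")
LOOPBACK_RE = re.compile(r"(?:127\.0\.0\.1|localhost|\[::1\])(?::\d+)?", re.I)


def _host(url: str) -> str:
    return (urlparse(url).hostname or "").lower()


def triage(log_text: str) -> list[Finding]:
    """Run every rule over every line of an FRST log and return the hits."""
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if (m := BHO_RE.match(line)) and not m.group("publisher").strip():
            # A BHO is loaded into every Internet Explorer process. An empty
            # "()" means FRST found no publisher/version info, which is what
            # "Publisher unknown" in Manage Add-ons corresponds to.
            findings.append(Finding("bho-no-publisher", line))
        elif (m := PROXY_RE.match(line)) and LOOPBACK_RE.search(m.group("value")):
            # Browser traffic forced through a local listener: typical of
            # ad-injecting adware, but also of legitimate filtering proxies,
            # so the listening process should be identified before removal.
            findings.append(Finding("loopback-proxy", line))
        elif APPINIT_RE.match(line):
            # AppInit_DLLs injects the listed DLL into every process that
            # loads user32.dll; a non-empty value always merits a look.
            findings.append(Finding("appinit-dll", line))
        elif CHR_POLICY_RE.match(line):
            # A Google policy key on a home PC usually pins adware settings.
            findings.append(Finding("chrome-policy", line))
        elif (m := SEARCH_KEYWORD_RE.match(line)) and \
                m.group("host").lower() not in KNOWN_SEARCH_HOSTS:
            findings.append(Finding("search-hijack", line))
        elif (m := SEARCH_SCOPE_RE.match(line)) and \
                _host(m.group("url")) not in KNOWN_SEARCH_HOSTS:
            findings.append(Finding("search-hijack", line))
    return findings


def summarize(findings: Iterable[Finding]) -> dict[str, int]:
    """Count findings per rule, for a one-line overview."""
    counts: dict[str, int] = {}
    for f in findings:
        counts[f.rule] = counts.get(f.rule, 0) + 1
    return counts


if __name__ == "__main__":
    hits = triage(SAMPLE_LOG)
    for f in hits:
        print(f"[{f.rule}] {f.evidence}")
    print(summarize(hits))
```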


Hi Marcel,

Scan with ZOEK

Please download ZOEK by Smeenk and save it to your desktop (the preferred version is the *.exe one).

Temporarily disable your AntiVirus and AntiSpyware protection - instructions here.

  • Right-click on the ZOEK icon and select Run as Administrator to start the tool.
  • Wait patiently until the main console appears; it may take a minute or two.
  • In the main box please paste in the following script:

    createsrpoint;
    [-HKLM\SOFTWARE\Policies\Google];r64
    resetieproxy;
    {23088cf8-eaf8-4bb3-a251-9ba61557ac75};c
    {3d626b9c-a16f-4a7f-9c65-5b5534b90ce7};c
    C:\Program Files (x86)\BBestSaveForeYoou;fs
    {bdf1ab71-7dd3-4c26-9a04-473a194c17be};c
    C:\Program Files (x86)\DiesccounTExtteNssII;fs
    {2318C2B1-4965-11D4-9B18-009027A5CD4F};c
    fejeknoakjeblidffkajbioncodnmhge;chr
    emptyclsid;
    autoclean;
    resethosts;
    chrdefaults;
    C:\ProgramData\880365515719780960UL;fs
    C:\Program Files (x86)\GreaatSavea4U;fs
    C:\Program Files (x86)\Related Content by Zemanta;fs
    [HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows];r
    "Appinit_DLLs"="";r
    C:\ProgramData\c37afc5acfb2a60;fs
    C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Optimizer Pro v3.2;fs

  • Make sure that the Scan All Users option is checked.
  • Push Run Script and wait patiently. The scan may take a couple of minutes.
  • When the scan completes, a zoek-results logfile should open in Notepad.
  • If a reboot is needed, it will open after the reboot. You may also find it on your main drive (usually the C:\ drive).
Please include its content in your next reply.

Don't forget to re-enable your switched-off protection software!


Zoek doesn't work in Safe Mode either. Tried it in Safe Mode with Networking. Also reinstalled it with the same results :( It keeps rebooting when I try to run as Administrator. The latest piece of nasty code is a verbal warning about my computer being infected with a virus - doesn't turn off when I press mute.


Hello :)

OK, let's try another approach.

Fix with Junkware Removal Tool

Please download JRT by Thisisu and save the file to your desktop.

Temporarily disable your AntiVirus and AntiSpyware protection - instructions here.

  • Right-click on the JRT icon and select Run as Administrator to start the tool.
  • Follow the prompts and let this process run uninterrupted.
  • This scan can take a while, depending on your system specs.
  • Upon completion, a log (JRT.txt) will open on your desktop.
Please include the contents of that file in your reply.

Do not forget to re-enable your previously switched-off protection software!

Please also manually reboot your machine after this procedure.

Fix with AdwCleaner

Please download AdwCleaner by Xplode and save the file to your desktop.

  • Right-click on the AdwCleaner icon and select Run as Administrator to start the tool.
  • The program will begin to update its database (if the internet connection is operational). Please wait a little.
  • Follow the prompts and click Scan.
  • When finished, please click Clean.
  • Upon completion, click Report. A log (AdwCleaner[s*].txt) will open.
Please include the contents of that file in your reply.

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!


Below are the two scan log outputs. Since I've run AdwCleaner and JRT my PUPs seem to have gone away? Will keep you updated. However, BBestSaveForeYoou (which was a very annoying pop-up ad which ran on every page I requested) is still in my Manage Add-ons and I'm unable to highlight the disable?

# AdwCleaner v4.110 - Logfile created 16/02/2015 at 12:37:31
# Updated 05/02/2015 by Xplode
# Database : 2015-02-14.2 [server]
# Operating system : Windows 7 Home Premium Service Pack 1 (x64)
# Username : Marcel - MARCEL-PC
# Running from : C:\Users\Marcel\Downloads\AdwCleaner.exe
# Option : Cleaning

***** [ Services ] *****

***** [ Files / Folders ] *****

Folder Deleted : C:\ProgramData\RoyalCoupon
Folder Deleted : C:\ProgramData\880365515719780960UL
[#] Folder Deleted : C:\Program Files (x86)\Linkey
[#] Folder Deleted : C:\Program Files (x86)\SearchProtect
[#] Folder Deleted : C:\Program Files (x86)\Settings Manager
[#] Folder Deleted : C:\Program Files (x86)\ShopperPro
Folder Deleted : C:\Program Files (x86)\RoyalCoupon
Folder Deleted : C:\Program Files (x86)\BBestSaveForeYoou
Folder Deleted : C:\Program Files (x86)\DiesccounTExtteNssII
Folder Deleted : C:\Program Files (x86)\GreaatSavea4U
[#] Folder Deleted : C:\Program Files\Linkey
[#] Folder Deleted : C:\Program Files\SearchProtect
[#] Folder Deleted : C:\Program Files\Settings Manager
[#] Folder Deleted : C:\Program Files\ShopperPro
[#] Folder Deleted : C:\Users\Marcel\AppData\Roaming\Linkey
Folder Deleted : C:\ProgramData\ielnbcehfkegjbnlkmkjclidmnnepcej
File Deleted : C:\Users\Marcel\AppData\Local\Google\Chrome\User Data\Default\Local Storage\hxxps_www.superfish.com_0.localstorage
File Deleted : C:\Users\Marcel\AppData\Local\Google\Chrome\User Data\Default\Local Storage\hxxps_www.superfish.com_0.localstorage-journal

***** [ Scheduled tasks ] *****

***** [ Shortcuts ] *****

***** [ Registry ] *****

Key Deleted : HKLM\SOFTWARE\Classes\.
Key Deleted : HKLM\SOFTWARE\Classes\..9
Key Deleted : HKLM\SOFTWARE\Classes\SoftCoup.SoftCoup
Key Deleted : HKLM\SOFTWARE\Classes\SoftCoup.SoftCoup.9
Key Deleted : HKLM\SOFTWARE\Classes\Pbdf1ab71_7dd3_4c26_9a04_473a194c17be_.Pbdf1ab71_7dd3_4c26_9a04_473a194c17be_
Key Deleted : HKLM\SOFTWARE\Classes\Pbdf1ab71_7dd3_4c26_9a04_473a194c17be_.Pbdf1ab71_7dd3_4c26_9a04_473a194c17be_.9
Key Deleted : HKCU\Software\AppDataLow\{5F189DF5-2D05-472B-9091-84D9848AE48B}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{353e8c1c-0229-490e-9c3e-4c3150a8aaa4}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{7a227102-6ffc-43e5-b2fe-3fee433a2d03}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{9aefb16c-6b48-4031-ba12-0014f3f2ca85}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{bdf1ab71-7dd3-4c26-9a04-473a194c17be}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{f0b4cfd7-e47f-4823-85e9-eda272b01cfe}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{fe1bdfb8-b436-4d7f-809f-bdf6c675dfe4}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{230332DF-D235-47EE-BC42-60860EF144CD}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{bdf1ab71-7dd3-4c26-9a04-473a194c17be}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{4C2743F0-A2E2-41A0-9E65-798943109F42}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{353e8c1c-0229-490e-9c3e-4c3150a8aaa4}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{7a227102-6ffc-43e5-b2fe-3fee433a2d03}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{9aefb16c-6b48-4031-ba12-0014f3f2ca85}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{bdf1ab71-7dd3-4c26-9a04-473a194c17be}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{f0b4cfd7-e47f-4823-85e9-eda272b01cfe}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{fe1bdfb8-b436-4d7f-809f-bdf6c675dfe4}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{353e8c1c-0229-490e-9c3e-4c3150a8aaa4}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{7a227102-6ffc-43e5-b2fe-3fee433a2d03}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{9aefb16c-6b48-4031-ba12-0014f3f2ca85}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{bdf1ab71-7dd3-4c26-9a04-473a194c17be}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{f0b4cfd7-e47f-4823-85e9-eda272b01cfe}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{fe1bdfb8-b436-4d7f-809f-bdf6c675dfe4}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{353e8c1c-0229-490e-9c3e-4c3150a8aaa4}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{7a227102-6ffc-43e5-b2fe-3fee433a2d03}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{9aefb16c-6b48-4031-ba12-0014f3f2ca85}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{bdf1ab71-7dd3-4c26-9a04-473a194c17be}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{f0b4cfd7-e47f-4823-85e9-eda272b01cfe}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{fe1bdfb8-b436-4d7f-809f-bdf6c675dfe4}
Key Deleted : [x64] HKLM\SOFTWARE\Classes\CLSID\{353e8c1c-0229-490e-9c3e-4c3150a8aaa4}
Key Deleted : [x64] HKLM\SOFTWARE\Classes\CLSID\{7a227102-6ffc-43e5-b2fe-3fee433a2d03}
Key Deleted : [x64] HKLM\SOFTWARE\Classes\CLSID\{9aefb16c-6b48-4031-ba12-0014f3f2ca85}
Key Deleted : [x64] HKLM\SOFTWARE\Classes\CLSID\{bdf1ab71-7dd3-4c26-9a04-473a194c17be}
Key Deleted : [x64] HKLM\SOFTWARE\Classes\CLSID\{f0b4cfd7-e47f-4823-85e9-eda272b01cfe}
Key Deleted : [x64] HKLM\SOFTWARE\Classes\CLSID\{fe1bdfb8-b436-4d7f-809f-bdf6c675dfe4}
Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{1BE14FE1-3175-4324-A77B-33FE5CB7A6ED}
Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{6C990ECA-72D6-4E65-A35B-A08C1DF79E6E}
Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}
Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{FC65300A-DC43-4D86-B153-E59CF6E74216}
Key Deleted : [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{bdf1ab71-7dd3-4c26-9a04-473a194c17be}
Key Deleted : HKCU\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}
Key Deleted : HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}
Key Deleted : HKLM\SOFTWARE\{1146AC44-2F03-4431-B4FD-889BC837521F}
Key Deleted : HKLM\SOFTWARE\{3A7D3E19-1B79-4E4E-BD96-5467DA2C4EF0}
Key Deleted : HKLM\SOFTWARE\{5F189DF5-2D05-472B-9091-84D9848AE48B}
Key Deleted : HKLM\SOFTWARE\{6791A2F3-FC80-475C-A002-C014AF797E9C}
Key Deleted : HKLM\SOFTWARE\{77D46E27-0E41-4478-87A6-AABE6FBCF252}
Key Deleted : HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}
Key Deleted : HKLM\SOFTWARE\Taronja
Key Deleted : HKLM\SOFTWARE\{12A61307-94CD-4F8E-94BC-918E511FAA81}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{8B114619-78B7-1CFF-55EF-74266954F883}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{7540FDBD-7FDC-30AE-3778-815CB87DBE46}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{AE9B04F2-E9E8-162C-829B-52C116B3EFCC}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{35E0D123-1F22-9AE6-F973-B7ECA46E8BFE}
Data Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings [ProxyOverride] - <-loopback>;*.local
Data Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings [ProxyServer] - localhost:8080

***** [ Web browsers ] *****

-\\ Internet Explorer v11.0.9600.17631

-\\ Google Chrome v

[C:\Users\Marcel\AppData\Local\Google\Chrome\User Data\Default\Web Data] - Deleted [search Provider] : hxxp://search.aol.com/aol/search?q={searchTerms}
[C:\Users\Marcel\AppData\Local\Google\Chrome\User Data\Default\Web Data] - Deleted [search Provider] : hxxp://www.ask.com/web?q={searchTerms}
[C:\Users\Marcel\AppData\Local\Google\Chrome\User Data\Default\Web Data] - Deleted [search Provider] : hxxp://astromenda.com/results.php?f=4&q={searchTerms}&a=ast_dnldstr_14_40_ch&cd=2XzuyEtN2Y1L1QzuyBtD0FtC0AtCyDzy0E0F0C0A0ByEzy0AtN0D0Tzu0StCtDtDyEtN1L2XzutAtFtBtFtCtFyDtN1L1CzutCyEtBzytDyD1V1TtN1L1G1B1V1N2Y1L1Qzu2StCtByBtD0C0A0CtBtG0D0D0AyBtGtDtB0EyDtG0EtCtB0EtGtA0B0C0D0BzytBzzzyyBzztB2QtN1M1F1B2Z1V1N2Y1L1Qzu2S0FtD0F0F0Ezyzy0EtGzztC0DyEtGyE0D0AtDtG0B0F0CzztGzy0E0BtAyDzy0E0CyBtC0Fzy2Q&cr=324390655&ir=
[C:\Users\Marcel\AppData\Local\Google\Chrome\User Data\Default\Web Data] - Deleted [search Provider] : hxxp://en.softonic.com/s/{searchTerms}

*************************

AdwCleaner[R0].txt - [8881 bytes] - [16/02/2015 12:36:04]
AdwCleaner[s0].txt - [8569 bytes] - [16/02/2015 12:37:31]

########## EOF - C:\AdwCleaner\AdwCleaner[s0].txt - [8628  bytes] ##########

 

 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Thisisu
Version: 6.4.2 (02.02.2015:1)
OS: Windows 7 Home Premium x64
Ran by Marcel on Mon 02/16/2015 at 12:11:58.63
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

 

~~~ Services

 

~~~ Registry Values

Successfully repaired: [Registry Value] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_DLLs

 

~~~ Registry Keys

Successfully deleted: [Registry Key] "hkey_current_user\software\apn pip"
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\SearchScopes\{23088cf8-eaf8-4bb3-a251-9ba61557ac75}
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3d626b9c-a16f-4a7f-9c65-5b5534b90ce7}
Successfully deleted: [Registry Key] HKEY_CLASSES_ROOT\CLSID\{3d626b9c-a16f-4a7f-9c65-5b5534b90ce7}
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{3d626b9c-a16f-4a7f-9c65-5b5534b90ce7}
Successfully deleted: [Registry Key - Orphan] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3d626b9c-a16f-4a7f-9c65-5b5534b90ce7}
Successfully deleted: [Registry Key - Orphan] HKEY_CLASSES_ROOT\CLSID\{3d626b9c-a16f-4a7f-9c65-5b5534b90ce7}
Successfully deleted: [Registry Key - Orphan] HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3d626b9c-a16f-4a7f-9c65-5b5534b90ce7}
Successfully deleted: [Registry Key - Orphan] HKEY_CLASSES_ROOT\CLSID\{3d626b9c-a16f-4a7f-9c65-5b5534b90ce7}

 

~~~ Files

Successfully deleted: [File] "C:\Users\Marcel\appdata\local\google\chrome\user data\default\local storage\http_www.ask.com_0.localstorage"
Successfully deleted: [File] "C:\Users\Marcel\appdata\local\google\chrome\user data\default\local storage\http_www.ask.com_0.localstorage-journal"
Successfully deleted: [File] "C:\Users\Marcel\appdata\local\google\chrome\user data\default\local storage\http_www.superfish.com_0.localstorage"
Successfully deleted: [File] "C:\Users\Marcel\appdata\local\google\chrome\user data\default\local storage\http_www.superfish.com_0.localstorage-journal"
Successfully deleted: [File] "C:\Windows\wininit.ini"

 

~~~ Folders

Successfully deleted: [Folder] "C:\Users\Marcel\appdata\locallow\iac"
Successfully deleted: [Folder] "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\optimizer pro v3.2"

 

~~~ Event Viewer Logs were cleared

 

 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on Mon 02/16/2015 at 12:15:06.28
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Hi Marcel,

I apologize for the delay, I was swamped with additional work and that prevented me from replying daily.

...and we're not done here yet.

Scan with Farbar Recovery Scan Tool

Please re-run Farbar Recovery Scan Tool.

  • Right-click on the FRST icon and select Run as Administrator to start the tool.

    > XP users click run after receipt of Windows Security Warning - Open File.

    > 8 users will be prompted about Windows SmartScreen protection - click More information and Run.

  • Make sure that Addition option is checked.
  • Press Scan button and wait.
  • The tool will produce two logfiles on your desktop: FRST.txt and Addition.txt.
Please include their content in your next reply.

  • 2 months later...
  • Root Admin

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
