I'm infected

Or rather a computer I'm helping through Teamviewer is, or was. I've been working on it for about a week for a few hours a day; it had over 100 yellows and a few reds on the first Malwarebytes scan. I have run AdwCleaner a dozen times or so, and have run a few dozen attempts to repair TCP/IP, Winsock, the Registry, etc., but I'll refrain from running anything further until instructed, as I've been unable to fix it and am looking for help.

The problem currently is that while I can connect through Teamviewer, and the computer can ping google.com and 8.8.8.8, most programs don't find a connection and no browsers find a connection, but it's obviously connected. Winsock and Winsock2 seem to be corrupted and I've been unable to delete them through various admin-rights methods and fixit programs, but I don't know if that's the hurdle. This computer has had multiple bouts of malware; older user, not as technically proficient as I'd like them to be.

MB & FRST scans attached, thanks, you guys are doing awesome stuff here, will check back in the evenings, I'm -8.

Addition.txt

FRST.txt

MalwareBytesScan.txt


Hello Thalas and :welcome:! My name is Borislav and I will be glad to help you solve your malware problem.

Please note:

  • If you are a paying customer, you have the privilege to contact the help desk at Consumer Support. If you choose this option to get help, please let me know.
  • I recommend that you keep the instructions I will be giving you so that they are available to you at any time. You can save them in a text file or print them.
  • Make sure you read all of the instructions and fixes thoroughly before continuing with them.
  • Follow my instructions strictly and don’t hesitate to stop and ask me if you have any questions.
  • Post your log files, don't attach them. Every log file should be copy/pasted in your next reply.
  • Do not perform any kind of scanning and fixing without my instructions. If you want to proceed on your own, please let me know.
Step 1

Download attached fixlist.txt file and save it to the Desktop.

NOTE. It's important that both files, FRST/FRST64 and fixlist.txt are in the same location or the fix will not work.

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.

Run FRST/FRST64 and press the Fix button just once and wait.

If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.

When finished FRST will generate a log on the Desktop (Fixlog.txt). Please post it to your reply.

Step 2

Please update Malwarebytes Anti-Malware and perform a threat scan. Post your log file.

In your next reply, post the following log files:

  • FRST log
  • Malwarebytes' Anti-Malware log

fixlist.txt


Malwarebytes couldn't access the update server after the fixlist; I rebooted the computer and it still couldn't access it, so I ran Malwarebytes without an update. Both the fixlog and MB log are pasted per your request. Thanks for the help; I donated to you and bought MB Premium but I won't activate it on the computer in question until instructed. Happy to continue receiving help here unless you think CS would be a better option.

Fix result of Farbar Recovery Scan Tool (x86) Version: 12-07-2015
Ran by Johnny at 2015-07-15 20:29:54 Run:1
Running from C:\Users\Johnny\Desktop
Loaded Profiles: Johnny (Available Profiles: Johnny)
Boot Mode: Normal

==============================================

fixlist content:
*****************
start
CloseProcesses:
Task: {EF8BE4E6-E539-4DCE-8D5E-CBB6E5A869AA} - System32\Tasks\VGAASAWMBLXVFEPQ => C:\ProgramData\Service1291\Service1291.exe [2015-06-28] () <==== ATTENTION
Task: C:\Windows\Tasks\VGAASAWMBLXVFEPQ.job => C:\ProgramData\Service1291\Service1291.exe <==== ATTENTION
StandardProfile\AuthorizedApplications: [C:\Windows\TEMP\y15rs30g.exe] => Enabled:Policy
StandardProfile\AuthorizedApplications: [C:\Windows\TEMP\c1iek.exe] => Enabled:Policy
StandardProfile\AuthorizedApplications: [C:\Windows\TEMP\7ygl8r.exe] => Enabled:Policy
StandardProfile\AuthorizedApplications: [C:\Windows\TEMP\amuyck.exe] => Enabled:Policy
StandardProfile\AuthorizedApplications: [C:\Windows\TEMP\1oi1h3uh.exe] => Enabled:Policy
StandardProfile\AuthorizedApplications: [C:\Windows\TEMP\sou70gnx3.exe] => Enabled:Policy
StandardProfile\AuthorizedApplications: [C:\Windows\TEMP\38k17csr.exe] => Enabled:Policy
StandardProfile\AuthorizedApplications: [C:\Windows\TEMP\hb32qgtf.exe] => Enabled:Policy
StandardProfile\AuthorizedApplications: [C:\Windows\TEMP\2zrssu47.exe] => Enabled:Policy
StandardProfile\AuthorizedApplications: [C:\Windows\TEMP\nj3chr5w.exe] => Enabled:Policy
StandardProfile\AuthorizedApplications: [C:\Windows\TEMP\4omwp.exe] => Enabled:Policy
StandardProfile\AuthorizedApplications: [C:\Windows\TEMP\i6d7x8577.exe] => Enabled:Policy
StandardProfile\AuthorizedApplications: [C:\Windows\TEMP\da5bqffh.exe] => Enabled:Policy
StandardProfile\AuthorizedApplications: [C:\Windows\TEMP\86qxr.exe] => Enabled:Policy
StandardProfile\AuthorizedApplications: [C:\Windows\TEMP\2ons6hba0.exe] => Enabled:Policy
StandardProfile\AuthorizedApplications: [C:\Windows\TEMP\u78k8.exe] => Enabled:Policy
StandardProfile\AuthorizedApplications: [C:\Windows\TEMP\dc0emyb.exe] => Enabled:Policy
StandardProfile\AuthorizedApplications: [C:\Windows\TEMP\ov3b5v6.exe] => Enabled:Policy
StandardProfile\AuthorizedApplications: [C:\Windows\TEMP\40aha.exe] => Enabled:Policy
StandardProfile\AuthorizedApplications: [C:\Windows\TEMP\ui8m8.exe] => Enabled:Policy
StandardProfile\AuthorizedApplications: [C:\Windows\TEMP\i7ew7khf7.exe] => Enabled:Policy
StandardProfile\AuthorizedApplications: [C:\Windows\TEMP\1zhto.exe] => Enabled:Policy
StandardProfile\AuthorizedApplications: [C:\Windows\TEMP\rbycrck.exe] => Enabled:Policy
StandardProfile\AuthorizedApplications: [C:\Windows\TEMP\e8jvx.exe] => Enabled:Policy
StandardProfile\AuthorizedApplications: [C:\Windows\TEMP\giktv.exe] => Enabled:Policy
StandardProfile\AuthorizedApplications: [C:\Windows\TEMP\ioyao6.exe] => Enabled:Policy
StandardProfile\AuthorizedApplications: [C:\Windows\TEMP\kn0m5.exe] => Enabled:Policy
StandardProfile\AuthorizedApplications: [C:\Windows\TEMP\snfj323y1.exe] => Enabled:Policy
StandardProfile\AuthorizedApplications: [C:\Windows\TEMP\3016iccz4.exe] => Enabled:Policy
C:\Windows\TEMP\y15rs30g.exe
C:\Windows\TEMP\c1iek.exe
C:\Windows\TEMP\7ygl8r.exe
C:\Windows\TEMP\amuyck.exe
C:\Windows\TEMP\1oi1h3uh.exe
C:\Windows\TEMP\sou70gnx3.exe
C:\Windows\TEMP\38k17csr.exe
C:\Windows\TEMP\hb32qgtf.exe
C:\Windows\TEMP\2zrssu47.exe
C:\Windows\TEMP\nj3chr5w.exe
C:\Windows\TEMP\4omwp.exe
C:\Windows\TEMP\i6d7x8577.exe
C:\Windows\TEMP\da5bqffh.exe
C:\Windows\TEMP\86qxr.exe
C:\Windows\TEMP\2ons6hba0.exe
C:\Windows\TEMP\u78k8.exe
C:\Windows\TEMP\dc0emyb.exe
C:\Windows\TEMP\ov3b5v6.exe
C:\Windows\TEMP\40aha.exe
C:\Windows\TEMP\ui8m8.exe
C:\Windows\TEMP\i7ew7khf7.exe
C:\Windows\TEMP\1zhto.exe
C:\Windows\TEMP\rbycrck.exe
C:\Windows\TEMP\e8jvx.exe
C:\Windows\TEMP\giktv.exe
C:\Windows\TEMP\ioyao6.exe
C:\Windows\TEMP\kn0m5.exe
C:\Windows\TEMP\snfj323y1.exe
C:\Windows\TEMP\3016iccz4.exe
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\wwd.sys => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\WeWatcherProxy => ""="service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\wwd.sys => ""="Driver"
HKU\S-1-5-21-1231513644-3049446364-3289125613-1001\...\MountPoints2: {515b937b-3f6b-11e4-9f8c-806e6f6e6963} - E:\autorun.exe
GroupPolicy: Group Policy on Chrome detected <======= ATTENTION
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
HKU\.DEFAULT\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
HKU\S-1-5-21-1231513644-3049446364-3289125613-1001\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
HKLM\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings: [ProxySettingsPerUser]  <======= ATTENTION (Policy restriction on ProxySettings)
SearchScopes: HKU\.DEFAULT -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-19 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-20 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
Winsock: Catalog9 01 C:\Windows\system32\WeWatcherLSP.dll [350048 2015-07-07] (WeWatcher)
Winsock: Catalog9 02 C:\Windows\system32\WeWatcherLSP.dll [350048 2015-07-07] (WeWatcher)
Winsock: Catalog9 03 C:\Windows\system32\WeWatcherLSP.dll [350048 2015-07-07] (WeWatcher)
Winsock: Catalog9 04 C:\Windows\system32\WeWatcherLSP.dll [350048 2015-07-07] (WeWatcher)
Winsock: Catalog9 21 C:\Windows\system32\WeWatcherLSP.dll [350048 2015-07-07] (WeWatcher)
CHR HKLM\...\Chrome\Extension: [fgbcffenncokfocljomejddmgcpppjom] - https://clients2.google.com/service/update2/crx
R2 WeWatcherProxy; C:\Program Files\ServiceUpdater\WeWatcherProxy.exe [1865624 2015-06-25] (WeWatcher)
R1 wwd; C:\Windows\system32\Drivers\wwd.sys [28568 2015-06-25] () [File not signed]
2015-07-07 18:51 - 2015-07-07 18:51 - 00000930 _____ C:\Windows\system32\${LOGFILE}
2015-07-07 18:44 - 2015-07-07 18:44 - 00000000 _____ C:\Windows\system32\Number of results
2015-07-07 18:43 - 2015-07-14 21:48 - 00000344 ____H C:\Windows\Tasks\VGAASAWMBLXVFEPQ.job
2015-07-07 18:43 - 2015-07-07 18:43 - 00000000 ____D C:\ProgramData\Service1291
2015-07-07 18:43 - 2015-07-07 18:43 - 00000000 ____D C:\ProgramData\28341ff220e0446c9fff27c4493d622e
2015-07-07 18:25 - 2015-07-07 22:15 - 00000000 ____D C:\Users\Johnny\AppData\Local\66CA99FC-3D6B-D042-BE9F-5506A762FF7C
2015-07-07 18:12 - 2015-07-07 18:13 - 00009824 _____ C:\Windows\system32\WeWatcherProxyOff.ini
2015-07-07 18:12 - 2015-07-07 18:12 - 00000000 ____D C:\Program Files\ServiceUpdater
2015-07-07 18:12 - 2015-06-25 17:38 - 00350048 _____ (WeWatcher) C:\Windows\system32\WeWatcherLSP.dll
2015-07-07 18:12 - 2015-06-25 17:38 - 00028568 _____ C:\Windows\system32\Drivers\wwd.sys
2015-07-07 18:10 - 2015-07-07 18:11 - 00000000 ____D C:\Program Files\LookSafe Utility
2015-07-09 02:59 - 2015-06-06 20:30 - 00000000 ____D C:\Users\Johnny\AppData\Roaming\Azureus
2014-11-20 19:48 - 2014-11-20 19:48 - 0628496 _____ (CMI Limited) C:\Users\Johnny\AppData\Local\nse4E24.tmp
2014-12-13 06:06 - 2014-12-13 06:05 - 0613057 _____ (CMI Limited) C:\Users\Johnny\AppData\Local\nsfEF64.tmp
2014-11-20 18:54 - 2014-11-20 18:54 - 0613057 _____ (CMI Limited) C:\Users\Johnny\AppData\Local\nsjBA5B.tmp
2014-12-18 07:44 - 2014-12-18 07:44 - 0613057 _____ (CMI Limited) C:\Users\Johnny\AppData\Local\nsl9B6.tmp
2014-12-18 08:14 - 2014-12-18 08:14 - 0628496 _____ (CMI Limited) C:\Users\Johnny\AppData\Local\nsm238F.tmp
2014-12-13 01:13 - 2014-12-13 01:13 - 0613057 _____ (CMI Limited) C:\Users\Johnny\AppData\Local\nst9040.tmp
CMD: netsh winsock reset
CMD: ipconfig /flushdns
EmptyTemp:
end
*****************

Processes closed successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon\{EF8BE4E6-E539-4DCE-8D5E-CBB6E5A869AA}" => key removed successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{EF8BE4E6-E539-4DCE-8D5E-CBB6E5A869AA}" => key removed successfully.
C:\Windows\System32\Tasks\VGAASAWMBLXVFEPQ => moved successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\VGAASAWMBLXVFEPQ" => key removed successfully.
C:\Windows\Tasks\VGAASAWMBLXVFEPQ.job => moved successfully.
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\Windows\TEMP\y15rs30g.exe => value removed successfully.
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\Windows\TEMP\c1iek.exe => value removed successfully.
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\Windows\TEMP\7ygl8r.exe => value removed successfully.
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\Windows\TEMP\amuyck.exe => value removed successfully.
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\Windows\TEMP\1oi1h3uh.exe => value removed successfully.
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\Windows\TEMP\sou70gnx3.exe => value removed successfully.
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\Windows\TEMP\38k17csr.exe => value removed successfully.
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\Windows\TEMP\hb32qgtf.exe => value removed successfully.
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\Windows\TEMP\2zrssu47.exe => value removed successfully.
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\Windows\TEMP\nj3chr5w.exe => value removed successfully.
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\Windows\TEMP\4omwp.exe => value removed successfully.
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\Windows\TEMP\i6d7x8577.exe => value removed successfully.
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\Windows\TEMP\da5bqffh.exe => value removed successfully.
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\Windows\TEMP\86qxr.exe => value removed successfully.
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\Windows\TEMP\2ons6hba0.exe => value removed successfully.
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\Windows\TEMP\u78k8.exe => value removed successfully.
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\Windows\TEMP\dc0emyb.exe => value removed successfully.
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\Windows\TEMP\ov3b5v6.exe => value removed successfully.
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\Windows\TEMP\40aha.exe => value removed successfully.
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\Windows\TEMP\ui8m8.exe => value removed successfully.
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\Windows\TEMP\i7ew7khf7.exe => value removed successfully.
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\Windows\TEMP\1zhto.exe => value removed successfully.
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\Windows\TEMP\rbycrck.exe => value removed successfully.
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\Windows\TEMP\e8jvx.exe => value removed successfully.
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\Windows\TEMP\giktv.exe => value removed successfully.
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\Windows\TEMP\ioyao6.exe => value removed successfully.
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\Windows\TEMP\kn0m5.exe => value removed successfully.
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\Windows\TEMP\snfj323y1.exe => value removed successfully.
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\Windows\TEMP\3016iccz4.exe => value removed successfully.
"C:\Windows\TEMP\y15rs30g.exe" => File/Folder not found.
"C:\Windows\TEMP\c1iek.exe" => File/Folder not found.
"C:\Windows\TEMP\7ygl8r.exe" => File/Folder not found.
"C:\Windows\TEMP\amuyck.exe" => File/Folder not found.
"C:\Windows\TEMP\1oi1h3uh.exe" => File/Folder not found.
"C:\Windows\TEMP\sou70gnx3.exe" => File/Folder not found.
"C:\Windows\TEMP\38k17csr.exe" => File/Folder not found.
"C:\Windows\TEMP\hb32qgtf.exe" => File/Folder not found.
"C:\Windows\TEMP\2zrssu47.exe" => File/Folder not found.
"C:\Windows\TEMP\nj3chr5w.exe" => File/Folder not found.
"C:\Windows\TEMP\4omwp.exe" => File/Folder not found.
"C:\Windows\TEMP\i6d7x8577.exe" => File/Folder not found.
"C:\Windows\TEMP\da5bqffh.exe" => File/Folder not found.
"C:\Windows\TEMP\86qxr.exe" => File/Folder not found.
"C:\Windows\TEMP\2ons6hba0.exe" => File/Folder not found.
"C:\Windows\TEMP\u78k8.exe" => File/Folder not found.
"C:\Windows\TEMP\dc0emyb.exe" => File/Folder not found.
"C:\Windows\TEMP\ov3b5v6.exe" => File/Folder not found.
"C:\Windows\TEMP\40aha.exe" => File/Folder not found.
"C:\Windows\TEMP\ui8m8.exe" => File/Folder not found.
"C:\Windows\TEMP\i7ew7khf7.exe" => File/Folder not found.
"C:\Windows\TEMP\1zhto.exe" => File/Folder not found.
"C:\Windows\TEMP\rbycrck.exe" => File/Folder not found.
"C:\Windows\TEMP\e8jvx.exe" => File/Folder not found.
"C:\Windows\TEMP\giktv.exe" => File/Folder not found.
"C:\Windows\TEMP\ioyao6.exe" => File/Folder not found.
"C:\Windows\TEMP\kn0m5.exe" => File/Folder not found.
"C:\Windows\TEMP\snfj323y1.exe" => File/Folder not found.
"C:\Windows\TEMP\3016iccz4.exe" => File/Folder not found.
"HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\wwd.sys" => key removed successfully.
"HKLM\System\CurrentControlSet\Control\SafeBoot\Network\WeWatcherProxy" => key removed successfully.
"HKLM\System\CurrentControlSet\Control\SafeBoot\Network\wwd.sys" => key removed successfully.
"HKU\S-1-5-21-1231513644-3049446364-3289125613-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{515b937b-3f6b-11e4-9f8c-806e6f6e6963}" => key removed successfully.
HKCR\CLSID\{515b937b-3f6b-11e4-9f8c-806e6f6e6963} => key not found.
C:\Windows\system32\GroupPolicy\Machine => moved successfully.
C:\Windows\system32\GroupPolicy\GPT.ini => moved successfully.
"HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer" => key removed successfully.
"HKU\.DEFAULT\SOFTWARE\Policies\Microsoft\Internet Explorer" => key removed successfully.
"HKU\S-1-5-21-1231513644-3049446364-3289125613-1001\SOFTWARE\Policies\Microsoft\Internet Explorer" => key removed successfully.
HKLM\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxySettingsPerUser => value removed successfully.
HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => value removed successfully.
HKU\S-1-5-19\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => value removed successfully.
HKU\S-1-5-20\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => value removed successfully.
HKLM\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000001 => key could not remove. Access Denied.
HKLM\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000002 => key could not remove. Access Denied.
HKLM\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000003 => key could not remove. Access Denied.
HKLM\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000004 => key could not remove. Access Denied.
HKLM\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000021 => key could not remove. Access Denied.
"HKLM\SOFTWARE\Google\Chrome\Extensions\fgbcffenncokfocljomejddmgcpppjom" => key removed successfully.
WeWatcherProxy => Service could not remove
wwd => Unable to stop service.
wwd => Service could not remove
C:\Windows\system32\${LOGFILE} => moved successfully.
C:\Windows\system32\Number of results => moved successfully.
"C:\Windows\Tasks\VGAASAWMBLXVFEPQ.job" => File/Folder not found.
C:\ProgramData\Service1291 => moved successfully.
C:\ProgramData\28341ff220e0446c9fff27c4493d622e => moved successfully.
C:\Users\Johnny\AppData\Local\66CA99FC-3D6B-D042-BE9F-5506A762FF7C => moved successfully.
C:\Windows\system32\WeWatcherProxyOff.ini => moved successfully.
C:\Program Files\ServiceUpdater => moved successfully.
Could not move "C:\Windows\system32\WeWatcherLSP.dll" => Scheduled to move on reboot.
Could not move "C:\Windows\system32\Drivers\wwd.sys" => Scheduled to move on reboot.
C:\Program Files\LookSafe Utility => moved successfully.
C:\Users\Johnny\AppData\Roaming\Azureus => moved successfully.
C:\Users\Johnny\AppData\Local\nse4E24.tmp => moved successfully.
C:\Users\Johnny\AppData\Local\nsfEF64.tmp => moved successfully.
C:\Users\Johnny\AppData\Local\nsjBA5B.tmp => moved successfully.
C:\Users\Johnny\AppData\Local\nsl9B6.tmp => moved successfully.
C:\Users\Johnny\AppData\Local\nsm238F.tmp => moved successfully.
C:\Users\Johnny\AppData\Local\nst9040.tmp => moved successfully.

=========  netsh winsock reset =========

Access is denied.



========= End of CMD: =========


=========  ipconfig /flushdns =========


Windows IP Configuration

Successfully flushed the DNS Resolver Cache.

========= End of CMD: =========

EmptyTemp: => 59.6 MB temporary data Removed.

Result of scheduled files to move (Boot Mode: Normal) (Date&Time: 2015-07-15 20:31:09)<=

"C:\Windows\system32\WeWatcherLSP.dll" => Could not move
"C:\Windows\system32\Drivers\wwd.sys" => Could not move

==== End of Fixlog 20:31:09 ====

Malwarebytes Anti-Malware
www.malwarebytes.org

Scan Date: 7/15/2015
Scan Time: 8:51 PM
Logfile: Malwarebytes.txt
Administrator: Yes

Version: 2.1.8.1057
Malware Database: v2015.06.03.03
Rootkit Database: v2015.06.02.01
License: Free
Malware Protection: Disabled
Malicious Website Protection: Disabled
Self-protection: Disabled

OS: Windows 7
CPU: x86
File System: NTFS
User: Johnny

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 312212
Time Elapsed: 13 min, 1 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled

Processes: 0
(No malicious items detected)

Modules: 0
(No malicious items detected)

Registry Keys: 0
(No malicious items detected)

Registry Values: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Folders: 0
(No malicious items detected)

Files: 0
(No malicious items detected)

Physical Sectors: 0
(No malicious items detected)


(end)
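The split described in the opening post (ping works, every browser and most programs fail) together with the five `Winsock: Catalog9` lines pointing at WeWatcherLSP.dll in the Fixlog above is what a hijacked Winsock Layered Service Provider looks like. As an added example that is not part of this thread or of the FRST/Malwarebytes tooling, the Python below parses a `netsh winsock show catalog` text dump collected on the affected machine and flags provider DLLs that are not stock Microsoft ones; the sample dump is constructed to mirror the thread's entries, and the WeWatcher provider GUIDs in it are placeholders.

```python
"""Offline triage of a `netsh winsock show catalog` dump.

Symptom in this thread: ping works but every browser and most programs
report no connection. ping.exe sends ICMP through iphlpapi, not through
the Winsock LSP chain, while TCP sockets do go through it, so a broken
or hijacked Layered Service Provider (LSP) produces exactly that split.
Collect `netsh winsock show catalog > catalog.txt` on the affected
machine and run this parser over the file elsewhere.
"""
import ntpath
import re
from collections import Counter

# Stock Winsock provider DLLs shipped with Windows 7 (transport and
# namespace providers). Anything else in the catalog deserves a look.
STOCK_PROVIDERS = {
    "mswsock.dll", "nlaapi.dll", "napinsp.dll",
    "pnrpnsp.dll", "winrnr.dll", "wshbth.dll",
}

ENTRY_HEADER = "Winsock Catalog Provider Entry"
FIELD_RE = re.compile(r"^(?P<key>[A-Za-z][A-Za-z ]*?):\s+(?P<value>.*?)\s*$")


def parse_catalog(text):
    """Turn the netsh text into one {field: value} dict per provider entry."""
    entries = []
    for block in text.split(ENTRY_HEADER)[1:]:
        fields = {}
        for line in block.splitlines():
            match = FIELD_RE.match(line.strip())
            if match:
                fields[match.group("key")] = match.group("value")
        if "Provider Path" in fields:
            entries.append(fields)
    return entries


def normalize_path(path, system_root="C:\\Windows"):
    """Expand %SystemRoot% and lower-case, without touching os.environ,
    so a dump from the infected box can be analysed on any OS."""
    return path.lower().replace("%systemroot%", system_root.lower())


def find_foreign_providers(entries, system_root="C:\\Windows"):
    """(entry id, entry type, dll path) for every provider whose DLL is not
    a stock Microsoft provider living in system32."""
    sys32 = ntpath.join(system_root, "system32").lower()
    hits = []
    for entry in entries:
        path = normalize_path(entry["Provider Path"], system_root)
        dll = ntpath.basename(path)
        if ntpath.dirname(path) != sys32 or dll not in STOCK_PROVIDERS:
            hits.append((entry.get("Catalog Entry ID", "?"),
                         entry.get("Entry Type", "?"), path))
    return hits


def count_by_dll(hits):
    """An LSP usually installs one dummy entry plus one layered chain per
    base provider, which is why the Fixlog lists the same DLL five times."""
    return Counter(ntpath.basename(path) for _, _, path in hits)


# Constructed sample mirroring the thread's catalog: the stock MSAFD TCP
# provider plus a non-Microsoft LSP layered over it. The WeWatcher GUIDs
# are placeholders, not real provider IDs.
SAMPLE_CATALOG = r"""
Winsock Catalog Provider Entry
------------------------------------------------------
Entry Type:                         Base Service Provider
Description:                        MSAFD Tcpip [TCP/IP]
Provider ID:                        {E70F1AA0-AB8B-11CF-8CA3-00805F48A192}
Provider Path:                      %SystemRoot%\system32\mswsock.dll
Catalog Entry ID:                   1001
Protocol Chain Length:              1

Winsock Catalog Provider Entry
------------------------------------------------------
Entry Type:                         Layered Service Provider
Description:                        WeWatcher LSP
Provider ID:                        {00000000-0000-0000-0000-000000000001}
Provider Path:                      C:\Windows\system32\WeWatcherLSP.dll
Catalog Entry ID:                   1031
Protocol Chain Length:              0

Winsock Catalog Provider Entry
------------------------------------------------------
Entry Type:                         Layered Chain Entry
Description:                        WeWatcher LSP over [MSAFD Tcpip [TCP/IP]]
Provider ID:                        {00000000-0000-0000-0000-000000000002}
Provider Path:                      C:\Windows\system32\WeWatcherLSP.dll
Catalog Entry ID:                   1032
Protocol Chain Length:              2
"""

if __name__ == "__main__":
    found = find_foreign_providers(parse_catalog(SAMPLE_CATALOG))
    for entry_id, entry_type, path in found:
        print(f"entry {entry_id:>5}  {entry_type:<26}  {path}")
    for dll, n in count_by_dll(found).items():
        # `netsh winsock reset` rebuilds the catalog, but as the Fixlog shows
        # it fails with Access Denied while the protecting driver is loaded.
        print(f"{dll}: {n} catalog entries reference this non-stock DLL")
```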


Thanks for your donation! :)

About the support, it is your decision. If you would like to proceed:

Note: Please do not run this tool without special supervision and instructions of someone authorized to do so. Otherwise, you could end up with serious problems. For more details, read this article: ComboFix usage, Questions, Help? - Look here

Please visit this webpage and read the ComboFix User's Guide:

  • Once you've read the article and are ready to use the program you can download it directly from the link below.
  • Important! - Please make sure you save ComboFix to your desktop and do not run it from your browser.
  • Direct download link for: ComboFix.exe
  • Please make sure you disable your security applications before running ComboFix.
  • Once Combofix has completed it will produce and open a log file. Please be patient as it can take some time to load.
  • Please copy/paste the contents or attach that log file to your next reply.
  • If needed the file can be located here: C:\combofix.txt
  • NOTE: If you receive the message "illegal operation has been attempted on a registry key that has been marked for deletion", just reboot the computer.

The installer hung a handful of times; I waited 10 minutes each time before killing the process. A blue screen finally came up but no text appeared; I waited half an hour before killing that and rebooted the computer. On the first try it got to the blue screen and text appeared; I turned my attention elsewhere for a bit, and when I came back the computer had apparently crashed, with no logfile to be found. I pulled up IE on a hunch and it connected, so it looks like something was fixed, but I wasn't sure that I should run ComboFix again, so I wanted to post the results here and ask for advice on the next step.

All security measures are disabled currently for ComboFix and it's still installed. I haven't run MB again or any other type of scanner or fixer.


No worries, don't be sorry, you're helping tremendously; continuous thanks. That time everything worked without any glitches. TeamViewer worked in safe mode with networking, and it didn't before ComboFix half ran, so that's how I ran it; TeamViewer dropped out for a few moments but I don't think that's surprising. The log was open on the screen and in the C directory where it should've been. Let me know what's next; security is still disabled currently.

ComboFix 15-07-20.01 - Johnny 07/20/2015  17:26:19.1.2 - x86 NETWORK
Microsoft Windows 7 Professional   6.1.7601.1.1252.1.1033.18.3062.2543 [GMT -7:00]
Running from: c:\users\Johnny\Desktop\ComboFix.exe
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
 * Created a new restore point
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
C:\LIL7FEF.tmp
C:\LIL7FFE.tmp
C:\LIL802D.tmp
C:\LIL803D.tmp
C:\LIL80AA.tmp
C:\LIL80D9.tmp
C:\LIL81B3.tmp
C:\LIL81E2.tmp
C:\LIL856B.tmp
C:\LIL857A.tmp
C:\LIL8903.tmp
C:\LIL8980.tmp
C:\LIL8A89.tmp
c:\programdata\3049848230259880137UL
c:\programdata\3049848230259880137UL\4ff6e7b3db4d05d4cf3d94b7e4e838ca.ini
c:\programdata\ntuser.pol
c:\windows\msdownld.tmp
c:\windows\wininit.ini
.
.
(((((((((((((((((((((((((   Files Created from 2015-06-21 to 2015-07-21  )))))))))))))))))))))))))))))))
.
.
2015-07-21 00:31 . 2015-07-21 00:31    --------    d-----w-    c:\users\Johnny\AppData\Local\temp
2015-07-21 00:31 . 2015-07-21 00:31    --------    d-----w-    c:\users\Default\AppData\Local\temp
2015-07-15 05:06 . 2015-07-17 03:27    98520    ----a-w-    c:\windows\system32\drivers\MBAMSwissArmy.sys
2015-07-15 05:06 . 2015-06-18 15:41    51928    ----a-w-    c:\windows\system32\drivers\mwac.sys
2015-07-15 05:06 . 2015-06-18 15:41    94936    ----a-w-    c:\windows\system32\drivers\mbamchameleon.sys
2015-07-15 05:06 . 2015-06-18 15:41    23256    ----a-w-    c:\windows\system32\drivers\mbam.sys
2015-07-15 05:06 . 2015-07-15 05:06    --------    d-----w-    c:\program files\Malwarebytes Anti-Malware
2015-07-15 03:59 . 2015-07-15 03:59    53248    ----a-w-    c:\windows\system32\zlib.dll
2015-07-15 03:59 . 2015-07-15 03:59    --------    d-----w-    C:\Support
2015-07-15 00:44 . 2015-06-24 08:23    9252600    ----a-w-    c:\programdata\Microsoft\Windows Defender\Definition Updates\{5A1CC1D9-3F49-4B76-959D-1B2E1135CD6F}\mpengine.dll
2015-07-14 05:50 . 2015-07-15 00:25    --------    d-----w-    c:\users\Johnny\AppData\Local\ElevatedDiagnostics
2015-07-14 03:39 . 2015-07-15 00:47    --------    d-----w-    c:\windows\system32\catroot2
2015-07-14 03:28 . 2015-07-21 00:18    --------    d-----w-    c:\windows\system32\wbem\repository
2015-07-12 03:39 . 2015-07-12 03:39    --------    d-----w-    c:\program files\Malwarebytes' Anti-Malware
2015-07-12 02:50 . 2015-07-15 01:21    --------    d-----w-    C:\AdwCleaner
2015-07-11 23:51 . 2015-07-11 23:51    --------    d-----w-    C:\RegBackup
2015-07-11 22:58 . 2015-07-11 22:58    --------    d-----w-    c:\program files\Tweaking.com
2015-07-11 22:48 . 2015-07-16 03:31    --------    d-----w-    C:\FRST
2015-07-11 05:48 . 2015-07-12 03:39    --------    d-----w-    c:\programdata\Malwarebytes
2015-07-09 04:32 . 2015-07-09 09:54    18510000    ----a-w-    c:\windows\system32\FlashPlayerInstaller.exe
2015-07-08 14:07 . 2015-07-08 14:07    --------    d-----w-    c:\programdata\18685fe00006c06
2015-07-08 13:47 . 2015-07-08 13:47    --------    d-----w-    c:\users\Johnny\AppData\Roaming\Windows Live Writer
2015-07-08 13:47 . 2015-07-08 13:47    --------    d-----w-    c:\users\Johnny\AppData\Local\Windows Live Writer
2015-07-08 04:13 . 2015-07-08 04:13    --------    d-----w-    c:\users\Johnny\AppData\Local\Google
2015-07-08 03:57 . 2015-07-08 03:57    --------    d-----w-    c:\users\Johnny\AppData\Local\Opera Software
2015-07-08 03:57 . 2015-07-08 03:57    --------    d-----w-    c:\users\Johnny\AppData\Roaming\Opera Software
2015-07-08 03:53 . 2015-07-08 13:54    --------    d-----w-    c:\program files\Opera
2015-07-08 01:12 . 2015-06-26 00:38    28568    ----a-w-    c:\windows\system32\drivers\wwd.sys
2015-07-08 01:12 . 2015-06-26 00:38    350048    ----a-w-    c:\windows\system32\WeWatcherLSP.dll
2015-07-08 01:06 . 2015-07-08 01:06    --------    d-----w-    c:\programdata\COMODO
2015-07-08 01:04 . 2015-07-08 01:04    --------    d-----w-    C:\73835d98-7290-47f8-a869-e4eff77baab2
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2015-06-23 20:27 . 2014-09-18 19:46    246952    ------w-    c:\windows\system32\MpSigStub.exe
2015-05-25 18:07 . 2015-06-10 02:28    3989440    ----a-w-    c:\windows\system32\ntkrnlpa.exe
2015-05-25 18:07 . 2015-06-10 02:28    3934144    ----a-w-    c:\windows\system32\ntoskrnl.exe
2015-05-25 18:07 . 2015-06-10 02:28    67520    ----a-w-    c:\windows\system32\drivers\ksecdd.sys
2015-05-25 18:07 . 2015-06-10 02:28    137664    ----a-w-    c:\windows\system32\drivers\ksecpkg.sys
2015-05-25 18:04 . 2015-06-10 02:28    1307648    ----a-w-    c:\windows\system32\ntdll.dll
2015-05-25 18:01 . 2015-06-10 02:28    172032    ----a-w-    c:\windows\system32\wdigest.dll
2015-05-25 18:01 . 2015-06-10 02:28    853504    ----a-w-    c:\windows\system32\diagtrack.dll
2015-05-25 18:01 . 2015-06-10 02:28    635392    ----a-w-    c:\windows\system32\tdh.dll
2015-05-25 18:01 . 2015-06-10 02:28    65536    ----a-w-    c:\windows\system32\TSpkg.dll
2015-05-25 18:01 . 2015-06-10 02:28    400896    ----a-w-    c:\windows\system32\srcore.dll
2015-05-25 18:01 . 2015-06-10 02:28    43008    ----a-w-    c:\windows\system32\srclient.dll
2015-05-25 18:01 . 2015-06-10 02:28    100352    ----a-w-    c:\windows\system32\sspicli.dll
2015-05-25 18:01 . 2015-06-10 02:28    15872    ----a-w-    c:\windows\system32\sspisrv.dll
2015-05-25 18:01 . 2015-06-10 02:28    248832    ----a-w-    c:\windows\system32\schannel.dll
2015-05-25 18:01 . 2015-06-10 02:28    92160    ----a-w-    c:\windows\system32\sechost.dll
2015-05-25 18:01 . 2015-06-10 02:28    22016    ----a-w-    c:\windows\system32\secur32.dll
2015-05-25 18:01 . 2015-06-10 02:28    221184    ----a-w-    c:\windows\system32\ncrypt.dll
2015-05-25 18:01 . 2015-06-10 02:28    259584    ----a-w-    c:\windows\system32\msv1_0.dll
2015-05-25 18:01 . 2015-06-10 02:28    1061376    ----a-w-    c:\windows\system32\lsasrv.dll
2015-05-25 18:01 . 2015-06-10 02:28    551424    ----a-w-    c:\windows\system32\kerberos.dll
2015-05-25 18:01 . 2015-06-10 02:28    38912    ----a-w-    c:\windows\system32\csrsrv.dll
2015-05-25 18:01 . 2015-06-10 02:28    17408    ----a-w-    c:\windows\system32\credssp.dll
2015-05-25 18:01 . 2015-06-10 02:28    641536    ----a-w-    c:\windows\system32\advapi32.dll
2015-05-25 18:00 . 2015-06-10 02:28    40448    ----a-w-    c:\windows\system32\typeperf.exe
2015-05-25 18:00 . 2015-06-10 02:28    364544    ----a-w-    c:\windows\system32\tracerpt.exe
2015-05-25 18:00 . 2015-06-10 02:28    69632    ----a-w-    c:\windows\system32\smss.exe
2015-05-25 18:00 . 2015-06-10 02:28    262656    ----a-w-    c:\windows\system32\rstrui.exe
2015-05-25 18:00 . 2015-06-10 02:28    37888    ----a-w-    c:\windows\system32\relog.exe
2015-05-25 18:00 . 2015-06-10 02:28    82944    ----a-w-    c:\windows\system32\logman.exe
2015-05-25 18:00 . 2015-06-10 02:28    22528    ----a-w-    c:\windows\system32\lsass.exe
2015-05-25 18:00 . 2015-06-10 02:28    17408    ----a-w-    c:\windows\system32\diskperf.exe
2015-05-25 18:00 . 2015-06-10 02:28    50176    ----a-w-    c:\windows\system32\auditpol.exe
2015-05-25 17:57 . 2015-06-10 02:28    60416    ----a-w-    c:\windows\system32\msobjs.dll
2015-05-25 17:57 . 2015-06-10 02:28    146432    ----a-w-    c:\windows\system32\msaudite.dll
2015-05-25 17:55 . 2015-06-10 02:28    6656    ----a-w-    c:\windows\system32\apisetschema.dll
2015-05-25 17:55 . 2015-06-10 02:28    686080    ----a-w-    c:\windows\system32\adtschema.dll
2015-05-25 17:00 . 2015-06-10 02:28    2384384    ----a-w-    c:\windows\system32\win32k.sys
2015-05-25 16:53 . 2015-06-10 02:28    36864    ----a-w-    c:\windows\system32\UtcResources.dll
2015-05-23 03:28 . 2015-06-10 02:28    2724864    ----a-w-    c:\windows\system32\mshtml.tlb
2015-05-23 03:28 . 2015-06-10 02:28    4096    ----a-w-    c:\windows\system32\ieetwcollectorres.dll
2015-05-23 03:15 . 2015-06-10 02:28    503808    ----a-w-    c:\windows\system32\vbscript.dll
2015-05-23 03:15 . 2015-06-10 02:28    62464    ----a-w-    c:\windows\system32\iesetup.dll
2015-05-23 03:15 . 2015-06-10 02:28    47616    ----a-w-    c:\windows\system32\ieetwproxystub.dll
2015-05-23 03:14 . 2015-06-10 02:28    341504    ----a-w-    c:\windows\system32\html.iec
2015-05-23 03:13 . 2015-06-10 02:28    64000    ----a-w-    c:\windows\system32\MshtmlDac.dll
2015-05-23 03:05 . 2015-06-10 02:28    115712    ----a-w-    c:\windows\system32\ieUnatt.exe
2015-05-23 03:05 . 2015-06-10 02:28    102912    ----a-w-    c:\windows\system32\ieetwcollector.exe
2015-05-23 03:04 . 2015-06-10 02:28    620032    ----a-w-    c:\windows\system32\jscript9diag.dll
2015-05-23 03:00 . 2015-06-10 02:28    667648    ----a-w-    c:\windows\system32\MsSpellCheckingFacility.exe
2015-05-23 02:52 . 2015-06-10 02:28    60416    ----a-w-    c:\windows\system32\JavaScriptCollectionAgent.dll
2015-05-23 02:47 . 2015-06-10 02:28    4305920    ----a-w-    c:\windows\system32\jscript9.dll
2015-05-23 02:37 . 2015-06-10 02:28    2052608    ----a-w-    c:\windows\system32\inetcpl.cpl
2015-05-23 02:37 . 2015-06-10 02:28    1155072    ----a-w-    c:\windows\system32\mshtmlmedia.dll
2015-05-23 02:20 . 2015-06-10 02:28    1950720    ----a-w-    c:\windows\system32\wininet.dll
2015-05-22 18:03 . 2015-06-05 23:10    571392    ----a-w-    c:\windows\system32\generaltel.dll
2015-05-22 18:02 . 2015-06-05 23:10    621568    ----a-w-    c:\windows\system32\invagent.dll
2015-05-22 18:02 . 2015-06-05 23:10    333824    ----a-w-    c:\windows\system32\devinv.dll
2015-05-22 18:02 . 2015-06-05 23:10    879104    ----a-w-    c:\windows\system32\appraiser.dll
2015-05-22 18:02 . 2015-06-05 23:10    37888    ----a-w-    c:\windows\system32\acmigration.dll
2015-05-22 18:02 . 2015-06-05 23:10    202752    ----a-w-    c:\windows\system32\aepdu.dll
2015-05-22 17:58 . 2015-06-05 23:10    901120    ----a-w-    c:\windows\system32\aeinv.dll
2015-05-21 13:20 . 2015-06-05 23:10    163840    ----a-w-    c:\windows\system32\aepic.dll
2015-05-13 13:39 . 2015-05-13 13:39    82432    ----a-w-    c:\users\Johnny\AppData\Roaming\Microsoft\MSXML2\msxml4r.dll
2015-05-13 13:39 . 2015-05-13 13:39    1275392    ----a-w-    c:\users\Johnny\AppData\Roaming\Microsoft\MSXML2\msxml4.dll
2015-05-09 03:14 . 2015-06-10 02:27    169984    ----a-w-    c:\windows\system32\winsrv.dll
2015-05-09 03:13 . 2015-06-10 02:27    293376    ----a-w-    c:\windows\system32\KernelBase.dll
2015-05-09 03:12 . 2015-06-10 02:27    271360    ----a-w-    c:\windows\system32\conhost.exe
2015-05-09 03:08 . 2015-06-10 02:27    4608    ----a-w-    c:\windows\system32\api-ms-win-core-processthreads-l1-1-0.dll
2015-05-09 03:08 . 2015-06-10 02:27    4096    ----a-w-    c:\windows\system32\api-ms-win-core-sysinfo-l1-1-0.dll
2015-05-09 03:08 . 2015-06-10 02:27    4096    ----a-w-    c:\windows\system32\api-ms-win-core-synch-l1-1-0.dll
2015-05-09 03:08 . 2015-06-10 02:27    4096    ----a-w-    c:\windows\system32\api-ms-win-core-misc-l1-1-0.dll
2015-05-09 03:08 . 2015-06-10 02:27    4096    ----a-w-    c:\windows\system32\api-ms-win-core-localregistry-l1-1-0.dll
2015-05-09 03:08 . 2015-06-10 02:27    3584    ----a-w-    c:\windows\system32\api-ms-win-core-processenvironment-l1-1-0.dll
2015-05-09 03:08 . 2015-06-10 02:27    3584    ----a-w-    c:\windows\system32\api-ms-win-core-namedpipe-l1-1-0.dll
2015-05-09 03:08 . 2015-06-10 02:27    3584    ----a-w-    c:\windows\system32\api-ms-win-core-memory-l1-1-0.dll
2015-05-09 03:08 . 2015-06-10 02:27    3072    ----a-w-    c:\windows\system32\api-ms-win-core-string-l1-1-0.dll
2015-05-09 03:08 . 2015-06-10 02:27    3072    ----a-w-    c:\windows\system32\api-ms-win-core-rtlsupport-l1-1-0.dll
2015-05-09 03:08 . 2015-06-10 02:27    3072    ----a-w-    c:\windows\system32\api-ms-win-core-profile-l1-1-0.dll
2015-05-09 03:08 . 2015-06-10 02:27    3072    ----a-w-    c:\windows\system32\api-ms-win-core-fibers-l1-1-0.dll
2015-05-09 03:08 . 2015-06-10 02:27    3072    ----a-w-    c:\windows\system32\api-ms-win-core-debug-l1-1-0.dll
2015-05-09 03:08 . 2015-06-10 02:27    5120    ----a-w-    c:\windows\system32\api-ms-win-core-file-l1-1-0.dll
2015-05-09 03:08 . 2015-06-10 02:27    3584    ----a-w-    c:\windows\system32\api-ms-win-core-libraryloader-l1-1-0.dll
2015-05-09 03:08 . 2015-06-10 02:27    3584    ----a-w-    c:\windows\system32\api-ms-win-core-interlocked-l1-1-0.dll
2015-05-09 03:08 . 2015-06-10 02:27    3584    ----a-w-    c:\windows\system32\api-ms-win-core-heap-l1-1-0.dll
2015-05-09 03:08 . 2015-06-10 02:27    3072    ----a-w-    c:\windows\system32\api-ms-win-core-io-l1-1-0.dll
2015-05-09 03:08 . 2015-06-10 02:27    3072    ----a-w-    c:\windows\system32\api-ms-win-core-handle-l1-1-0.dll
2015-05-09 03:08 . 2015-06-10 02:27    3072    ----a-w-    c:\windows\system32\api-ms-win-core-errorhandling-l1-1-0.dll
2015-05-09 03:08 . 2015-06-10 02:27    3072    ----a-w-    c:\windows\system32\api-ms-win-core-delayload-l1-1-0.dll
2015-05-09 03:08 . 2015-06-10 02:27    3072    ----a-w-    c:\windows\system32\api-ms-win-core-datetime-l1-1-0.dll
2015-05-09 03:08 . 2015-06-10 02:27    4096    ----a-w-    c:\windows\system32\api-ms-win-core-localization-l1-1-0.dll
2015-05-09 03:08 . 2015-06-10 02:27    3072    ----a-w-    c:\windows\system32\api-ms-win-core-console-l1-1-0.dll
2015-05-09 01:59 . 2015-06-10 02:27    6144    ----a-w-    c:\windows\system32\api-ms-win-security-base-l1-1-0.dll
2015-05-09 01:59 . 2015-06-10 02:27    4608    ----a-w-    c:\windows\system32\api-ms-win-core-threadpool-l1-1-0.dll
2015-05-09 01:59 . 2015-06-10 02:27    3584    ----a-w-    c:\windows\system32\api-ms-win-core-xstate-l1-1-0.dll
2015-05-09 01:59 . 2015-06-10 02:27    3072    ----a-w-    c:\windows\system32\api-ms-win-core-util-l1-1-0.dll
2015-05-01 13:16 . 2015-05-14 10:13    102608    ----a-w-    c:\windows\system32\PresentationCFFRasterizerNative_v0300.dll
2015-04-29 18:07 . 2015-06-10 02:27    4096    ----a-w-    c:\windows\system32\dxmasf.dll
2015-04-29 18:07 . 2015-06-10 02:27    4096    ----a-w-    c:\windows\system32\msdxm.ocx
2015-04-29 18:07 . 2015-06-10 02:27    8192    ----a-w-    c:\windows\system32\spwmp.dll
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ SkyDrive1]
@="{F241C880-6982-4CE5-8CF7-7085BA96DA5A}"
[HKEY_CLASSES_ROOT\CLSID\{F241C880-6982-4CE5-8CF7-7085BA96DA5A}]
2014-10-20 04:17    223432    ----a-w-    c:\users\Johnny\AppData\Local\Microsoft\SkyDrive\17.0.4035.0328\SkyDriveShell.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ SkyDrive2]
@="{A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E}"
[HKEY_CLASSES_ROOT\CLSID\{A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E}]
2014-10-20 04:17    223432    ----a-w-    c:\users\Johnny\AppData\Local\Microsoft\SkyDrive\17.0.4035.0328\SkyDriveShell.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ SkyDrive3]
@="{BBACC218-34EA-4666-9D7A-C78F2274A524}"
[HKEY_CLASSES_ROOT\CLSID\{BBACC218-34EA-4666-9D7A-C78F2274A524}]
2014-10-20 04:17    223432    ----a-w-    c:\users\Johnny\AppData\Local\Microsoft\SkyDrive\17.0.4035.0328\SkyDriveShell.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"cdloader"="c:\users\Johnny\AppData\Roaming\mjusbsp\cdloader2.exe" [2014-07-04 51592]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2009-08-03 1314816]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute    REG_MULTI_SZ       autocheck autochk *\0\0sdnclean.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
2009-09-24 02:30    173592    ----a-w-    c:\windows\System32\hkcmd.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
2009-09-24 02:30    141848    ----a-w-    c:\windows\System32\igfxtray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Persistence]
2009-09-24 02:30    150552    ----a-w-    c:\windows\System32\igfxpers.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
2014-12-11 19:16    30872672    ----a-r-    c:\program files\Skype\Phone\Skype.exe
.
R1 wwd;wwd service;c:\windows\system32\Drivers\wwd.sys [2015-06-26 28568]
R2 DiagTrack;Diagnostics Tracking Service;c:\windows\System32\svchost.exe [2009-07-14 20992]
R2 MBAMService;MBAMService;c:\program files\Malwarebytes Anti-Malware\mbamservice.exe [2015-06-18 1133880]
R2 SkypeUpdate;Skype Updater;c:\program files\Skype\Updater\Updater.exe [2014-12-11 315496]
R2 WeWatcherProxy;WeWatcherProxy;c:\program files\ServiceUpdater\WeWatcherProxy.exe [x]
R3 dmvsc;dmvsc;c:\windows\system32\drivers\dmvsc.sys [2010-11-20 62464]
R3 IEEtwCollectorService;Internet Explorer ETW Collector Service;c:\windows\system32\IEEtwCollector.exe [2015-05-23 102912]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2015-06-18 23256]
R3 MBAMWebAccessControl;MBAMWebAccessControl;c:\windows\system32\drivers\mwac.sys [2015-06-18 51928]
R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys [2012-08-23 14848]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2013-10-02 49152]
R3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys [2010-11-20 27264]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
utcsvc    REG_MULTI_SZ       DiagTrack
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyServer = localhost:8080
uSearchAssistant = hxxp://www.bing.com/search?q={searchTerms}
LSP: c:\windows\system32\WeWatcherLSP.dll
Trusted Zone: clonewarsadventures.com
Trusted Zone: freerealms.com
Trusted Zone: soe.com
Trusted Zone: sony.com
TCP: DhcpNameServer = 75.75.75.75 75.75.76.76
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-10 - (no file)
Toolbar-Locked - (no file)
MSConfigStartUp-Itibiti - c:\program files\Itibiti Soft Phone\Itibiti.exe
MSConfigStartUp-MSC - c:\program files\Microsoft Security Client\msseces.exe
MSConfigStartUp-VLCService - c:\program files\VLC media player\VLCSvc.exe
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="BrowserHTM"
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="BrowserHTM"
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="BrowserHTM"
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="BrowserHTM"
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="BrowserHTM"
.
Completion time: 2015-07-20  17:33:06
ComboFix-quarantined-files.txt  2015-07-21 00:33
.
Pre-Run: 800,643,387,392 bytes free
Post-Run: 800,505,466,880 bytes free
.
- - End Of File - - C2B832D722FC683651A24123A884A30C
A36C5E4F47E84449FF07ED3517B43A31
 


Update worked, went ahead and fixed the results.

Side note: there's been a lot of flickering on the various windows that have been opening up since this computer got hit by malware. Wondering if you have an opinion on what might be causing that; I'm guessing some drivers might need to be reinstalled.

<?xml version="1.0" encoding="UTF-16" ?>
<mbam-log>
<header>
<date>2015/07/21 20:09:23 -0700</date>
<logfile>mbam-log-2015-07-21 (20-09-21).xml</logfile>
<isadmin>yes</isadmin>
</header>
<engine>
<version>2.1.8.1057</version>
<malware-database>v2015.07.21.08</malware-database>
<rootkit-database>v2015.07.17.01</rootkit-database>
<license>free</license>
<file-protection>disabled</file-protection>
<web-protection>disabled</web-protection>
<self-protection>disabled</self-protection>
</engine>
<system>
<osversion>Windows 7</osversion>
<arch>x86</arch>
<username>Johnny</username>
<filesys>NTFS</filesys>
</system>
<summary>
<type>threat</type>
<result>completed</result>
<objects>321660</objects>
<time>770</time>
<processes>0</processes>
<modules>16</modules>
<keys>21</keys>
<values>1</values>
<datas>0</datas>
<folders>0</folders>
<files>2</files>
<sectors>0</sectors>
</summary>
<options>
<memory>enabled</memory>
<startup>enabled</startup>
<filesystem>enabled</filesystem>
<archives>enabled</archives>
<rootkits>enabled</rootkits>
<deeprootkit>disabled</deeprootkit>
<heuristics>enabled</heuristics>
<pup>enabled</pup>
<pum>enabled</pum>
</options>
<items>
<module><path>C:\Windows\System32\WeWatcherLSP.dll</path><vendor>PUP.Optional.Winsock.HijackBoot</vendor><action>delete-on-reboot</action><hash>80ec19cba7e3f93d74664082f30e0df3</hash></module>
<module><path>C:\Windows\System32\WeWatcherLSP.dll</path><vendor>PUP.Optional.Winsock.HijackBoot</vendor><action>delete-on-reboot</action><hash>80ec19cba7e3f93d74664082f30e0df3</hash></module>
<module><path>C:\Windows\System32\WeWatcherLSP.dll</path><vendor>PUP.Optional.Winsock.HijackBoot</vendor><action>delete-on-reboot</action><hash>80ec19cba7e3f93d74664082f30e0df3</hash></module>
<module><path>C:\Windows\System32\WeWatcherLSP.dll</path><vendor>PUP.Optional.Winsock.HijackBoot</vendor><action>delete-on-reboot</action><hash>80ec19cba7e3f93d74664082f30e0df3</hash></module>
<module><path>C:\Windows\System32\WeWatcherLSP.dll</path><vendor>PUP.Optional.Winsock.HijackBoot</vendor><action>delete-on-reboot</action><hash>80ec19cba7e3f93d74664082f30e0df3</hash></module>
<module><path>C:\Windows\System32\WeWatcherLSP.dll</path><vendor>PUP.Optional.Winsock.HijackBoot</vendor><action>delete-on-reboot</action><hash>80ec19cba7e3f93d74664082f30e0df3</hash></module>
<module><path>C:\Windows\System32\WeWatcherLSP.dll</path><vendor>PUP.Optional.Winsock.HijackBoot</vendor><action>delete-on-reboot</action><hash>80ec19cba7e3f93d74664082f30e0df3</hash></module>
<module><path>C:\Windows\System32\WeWatcherLSP.dll</path><vendor>PUP.Optional.Winsock.HijackBoot</vendor><action>delete-on-reboot</action><hash>80ec19cba7e3f93d74664082f30e0df3</hash></module>
<module><path>C:\Windows\System32\WeWatcherLSP.dll</path><vendor>PUP.Optional.Winsock.HijackBoot</vendor><action>delete-on-reboot</action><hash>80ec19cba7e3f93d74664082f30e0df3</hash></module>
<module><path>C:\Windows\System32\WeWatcherLSP.dll</path><vendor>PUP.Optional.Winsock.HijackBoot</vendor><action>delete-on-reboot</action><hash>80ec19cba7e3f93d74664082f30e0df3</hash></module>
<module><path>C:\Windows\System32\WeWatcherLSP.dll</path><vendor>PUP.Optional.Winsock.HijackBoot</vendor><action>delete-on-reboot</action><hash>80ec19cba7e3f93d74664082f30e0df3</hash></module>
<module><path>C:\Windows\System32\WeWatcherLSP.dll</path><vendor>PUP.Optional.Winsock.HijackBoot</vendor><action>delete-on-reboot</action><hash>80ec19cba7e3f93d74664082f30e0df3</hash></module>
<module><path>C:\Windows\System32\WeWatcherLSP.dll</path><vendor>PUP.Optional.Winsock.HijackBoot</vendor><action>delete-on-reboot</action><hash>80ec19cba7e3f93d74664082f30e0df3</hash></module>
<module><path>C:\Windows\System32\WeWatcherLSP.dll</path><vendor>PUP.Optional.Winsock.HijackBoot</vendor><action>delete-on-reboot</action><hash>80ec19cba7e3f93d74664082f30e0df3</hash></module>
<module><path>C:\Windows\System32\WeWatcherLSP.dll</path><vendor>PUP.Optional.Winsock.HijackBoot</vendor><action>delete-on-reboot</action><hash>80ec19cba7e3f93d74664082f30e0df3</hash></module>
<module><path>C:\Windows\System32\WeWatcherLSP.dll</path><vendor>PUP.Optional.Winsock.HijackBoot</vendor><action>delete-on-reboot</action><hash>80ec19cba7e3f93d74664082f30e0df3</hash></module>
<key><path>HKLM\SOFTWARE\CLASSES\WeWatcherProxyLib.DataContainer</path><vendor>PUP.Optional.WeWatcherProxy.A</vendor><action>delete-on-reboot</action><hash>690306de2c5e47ef8bdbb1eb63a150b0</hash></key>
<key><path>HKLM\SOFTWARE\CLASSES\WeWatcherProxyLib.DataContainer.1</path><vendor>PUP.Optional.WeWatcherProxy.A</vendor><action>delete-on-reboot</action><hash>5b119e462367013582e4a2faa46035cb</hash></key>
<key><path>HKLM\SOFTWARE\CLASSES\WeWatcherProxyLib.DataController</path><vendor>PUP.Optional.WeWatcherProxy.A</vendor><action>delete-on-reboot</action><hash>a6c612d234567eb875f1e9b3897b56aa</hash></key>
<key><path>HKLM\SOFTWARE\CLASSES\WeWatcherProxyLib.DataController.1</path><vendor>PUP.Optional.WeWatcherProxy.A</vendor><action>delete-on-reboot</action><hash>3d2fb1335e2cfc3a97cf5a42ca3a8a76</hash></key>
<key><path>HKLM\SOFTWARE\CLASSES\WeWatcherProxyLib.DataTable</path><vendor>PUP.Optional.WeWatcherProxy.A</vendor><action>delete-on-reboot</action><hash>ed7f756faedcdc5a24420795a163837d</hash></key>
<key><path>HKLM\SOFTWARE\CLASSES\WeWatcherProxyLib.DataTable.1</path><vendor>PUP.Optional.WeWatcherProxy.A</vendor><action>delete-on-reboot</action><hash>f37936ae1377989e3135f1abdb2914ec</hash></key>
<key><path>HKLM\SOFTWARE\CLASSES\WeWatcherProxyLib.DataTableFields</path><vendor>PUP.Optional.WeWatcherProxy.A</vendor><action>delete-on-reboot</action><hash>0f5d22c21e6c8fa7abbb2f6d55afc53b</hash></key>
<key><path>HKLM\SOFTWARE\CLASSES\WeWatcherProxyLib.DataTableFields.1</path><vendor>PUP.Optional.WeWatcherProxy.A</vendor><action>delete-on-reboot</action><hash>a3c939abccbed0662d39019b956f05fb</hash></key>
<key><path>HKLM\SOFTWARE\CLASSES\WeWatcherProxyLib.DataTableHolder</path><vendor>PUP.Optional.WeWatcherProxy.A</vendor><action>delete-on-reboot</action><hash>4c2001e3ee9c2c0aec7a57450afadc24</hash></key>
<key><path>HKLM\SOFTWARE\CLASSES\WeWatcherProxyLib.DataTableHolder.1</path><vendor>PUP.Optional.WeWatcherProxy.A</vendor><action>delete-on-reboot</action><hash>95d702e21d6d15214224f5a7798b649c</hash></key>
<key><path>HKLM\SOFTWARE\CLASSES\WeWatcherProxyLib.LSPLogic</path><vendor>PUP.Optional.WeWatcherProxy.A</vendor><action>delete-on-reboot</action><hash>f577657fed9d94a2bbab9b01a163946c</hash></key>
<key><path>HKLM\SOFTWARE\CLASSES\WeWatcherProxyLib.LSPLogic.1</path><vendor>PUP.Optional.WeWatcherProxy.A</vendor><action>delete-on-reboot</action><hash>ea82bf257713cc6acf975c40699b26da</hash></key>
<key><path>HKLM\SOFTWARE\CLASSES\WeWatcherProxyLib.ReadOnlyManager</path><vendor>PUP.Optional.WeWatcherProxy.A</vendor><action>delete-on-reboot</action><hash>fc705e86e1a91026e5814a5252b209f7</hash></key>
<key><path>HKLM\SOFTWARE\CLASSES\WeWatcherProxyLib.ReadOnlyManager.1</path><vendor>PUP.Optional.WeWatcherProxy.A</vendor><action>delete-on-reboot</action><hash>acc0bf25286250e6fa6c683404006898</hash></key>
<key><path>HKLM\SOFTWARE\CLASSES\WeWatcherProxyLib.WatchDog</path><vendor>PUP.Optional.WeWatcherProxy.A</vendor><action>delete-on-reboot</action><hash>c5a743a15733b4823036cad26e96e818</hash></key>
<key><path>HKLM\SOFTWARE\CLASSES\WeWatcherProxyLib.WatchDog.1</path><vendor>PUP.Optional.WeWatcherProxy.A</vendor><action>delete-on-reboot</action><hash>9bd13fa5a1e93afc4c1a4953b84c936d</hash></key>
<key><path>HKLM\SOFTWARE\CLASSES\APPID\WeWatcherProxy.EXE</path><vendor>PUP.Optional.WeWatcherProxy.A</vendor><action>success</action><hash>3c30cb197a10f93d3134bce0dc28e818</hash></key>
<key><path>HKLM\SOFTWARE\WOW6432NODE\MOZILLA\FIREFOX\EXTENSIONS</path><vendor>PUP.Optional.Shopperz.A</vendor><action>success</action><hash>cba11cc88efc9d9939b9276f35cf4db3</hash></key>
<key><path>HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\WeWatcherProxy</path><vendor>PUP.Optional.WeWatcherProxy.A</vendor><action>delete-on-reboot</action><hash>a1cb35aff09a79bd5314afede51f8878</hash></key>
<key><path>HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\EVENTLOG\APPLICATION\SushiLeadsUpdaterService</path><vendor>PUP.Optional.SushiLeads.A</vendor><action>success</action><hash>0f5d73711d6d1323e6b804041de601ff</hash></key>
<key><path>HKU\S-1-5-18\SOFTWARE\APPDATALOW\{1146AC44-2F03-4431-B4FD-889BC837521F}</path><vendor>PUP.Optional.SuperOptimizer.C</vendor><action>success</action><hash>bcb025bf2169360034af6334ca3aa65a</hash></key>
<value><path>HKLM\SOFTWARE\WOW6432NODE\MOZILLA\FIREFOX\EXTENSIONS</path><valuename>{3c9ce603-44cc-4997-a166-239e6186c6ef}</valuename><vendor>PUP.Optional.Shopperz.A</vendor><action>success</action><valuedata>C:\Program Files\shopperz\Firefox</valuedata><hash>cba11cc88efc9d9939b9276f35cf4db3</hash></value>
<file><path>C:\WINDOWS\SYSTEM32\drivers\wwd.sys</path><vendor>PUP.Optional.Winsock.HijackBoot</vendor><action>delete-on-reboot</action><hash>5f6b4829bbdba552ca688e12596c6348</hash></file>
<file><path>C:\Windows\System32\WeWatcherLSP.dll</path><vendor>PUP.Optional.Winsock.HijackBoot</vendor><action>delete-on-reboot</action><hash>80ec19cba7e3f93d74664082f30e0df3</hash></file>
</items>
</mbam-log>
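The log above is the Malwarebytes 2.x XML format, and it is easy to misread: the same WeWatcherLSP.dll shows up sixteen times because a Winsock LSP is loaded into every process that uses Winsock, and most of the removals are "delete-on-reboot", so nothing is actually gone until the machine restarts. The following is an added example (not part of this thread, not Malwarebytes code) that parses that format, collapses the repeated hits, and lists what still needs a reboot. SAMPLE_LOG is a hand-trimmed excerpt of the entries posted above, built inline so the script runs offline; the tag names and element layout are taken from the log as pasted.

```python
"""Summarise a Malwarebytes 2.x <mbam-log> XML scan log.

Added example for the thread above; it is not Malwarebytes' own tooling.
The element names (<items>, <module>, <key>, <value>, <file>, <path>,
<vendor>, <action>, <hash>, <valuename>) are those seen in the posted log.
"""
import re
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed excerpt: a handful of entries copied from the posted log, in the
# same layout. The real file is UTF-16 on disk and also has <header>/<engine>.
SAMPLE_LOG = r"""<mbam-log>
<summary><type>threat</type><result>completed</result><modules>16</modules><keys>21</keys><values>1</values><files>2</files></summary>
<items>
<module><path>C:\Windows\System32\WeWatcherLSP.dll</path><vendor>PUP.Optional.Winsock.HijackBoot</vendor><action>delete-on-reboot</action><hash>80ec19cba7e3f93d74664082f30e0df3</hash></module>
<module><path>C:\Windows\System32\WeWatcherLSP.dll</path><vendor>PUP.Optional.Winsock.HijackBoot</vendor><action>delete-on-reboot</action><hash>80ec19cba7e3f93d74664082f30e0df3</hash></module>
<module><path>C:\Windows\System32\WeWatcherLSP.dll</path><vendor>PUP.Optional.Winsock.HijackBoot</vendor><action>delete-on-reboot</action><hash>80ec19cba7e3f93d74664082f30e0df3</hash></module>
<key><path>HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\WeWatcherProxy</path><vendor>PUP.Optional.WeWatcherProxy.A</vendor><action>delete-on-reboot</action><hash>a1cb35aff09a79bd5314afede51f8878</hash></key>
<key><path>HKLM\SOFTWARE\CLASSES\APPID\WeWatcherProxy.EXE</path><vendor>PUP.Optional.WeWatcherProxy.A</vendor><action>success</action><hash>3c30cb197a10f93d3134bce0dc28e818</hash></key>
<value><path>HKLM\SOFTWARE\WOW6432NODE\MOZILLA\FIREFOX\EXTENSIONS</path><valuename>{3c9ce603-44cc-4997-a166-239e6186c6ef}</valuename><vendor>PUP.Optional.Shopperz.A</vendor><action>success</action><valuedata>C:\Program Files\shopperz\Firefox</valuedata><hash>cba11cc88efc9d9939b9276f35cf4db3</hash></value>
<file><path>C:\WINDOWS\SYSTEM32\drivers\wwd.sys</path><vendor>PUP.Optional.Winsock.HijackBoot</vendor><action>delete-on-reboot</action><hash>5f6b4829bbdba552ca688e12596c6348</hash></file>
<file><path>C:\Windows\System32\WeWatcherLSP.dll</path><vendor>PUP.Optional.Winsock.HijackBoot</vendor><action>delete-on-reboot</action><hash>80ec19cba7e3f93d74664082f30e0df3</hash></file>
</items>
</mbam-log>"""

ITEM_TAGS = ("process", "module", "key", "value", "data", "folder", "file", "sector")


def parse_mbam_log(data):
    """Return one dict per detection under <items>. Accepts bytes (read the
    real file with open(path, 'rb') so expat honours its BOM/declaration) or
    an already-decoded str."""
    if isinstance(data, str):
        # A str is already decoded; drop a declaration naming the on-disk
        # encoding (UTF-16) so it cannot contradict what expat is handed.
        data = re.sub(r"^\s*<\?xml[^>]*\?>", "", data, count=1)
    root = ET.fromstring(data)
    items = root.find("items")
    if items is None:
        return []
    found = []
    for el in items:
        if el.tag not in ITEM_TAGS:
            continue
        found.append({
            "kind": el.tag,
            "path": el.findtext("path", ""),
            "valuename": el.findtext("valuename", ""),
            "vendor": el.findtext("vendor", ""),
            "action": el.findtext("action", ""),
            "hash": el.findtext("hash", ""),
        })
    return found


def collapse(detections):
    """Merge repeated hits on the same object. An LSP DLL is reported once per
    process it was loaded into, so the count shows how widely it was loaded."""
    merged = {}
    for d in detections:
        key = (d["kind"], d["path"].lower(), d["valuename"].lower())
        if key in merged:
            merged[key]["count"] += 1
        else:
            merged[key] = dict(d, count=1)
    return list(merged.values())


def pending_reboot(detections):
    """Objects only scheduled for removal: rescan after a restart to confirm."""
    return sorted({d["path"] for d in detections if d["action"] == "delete-on-reboot"})


def vendor_summary(detections):
    """Distinct objects per detection name, after collapsing duplicates."""
    return Counter(d["vendor"] for d in collapse(detections))


def winsock_hits(detections):
    """Winsock/LSP-family objects. A tampered LSP chain affects every program
    that uses Winsock, which is why these deserve a reboot and a rescan."""
    return sorted({d["path"] for d in detections if "Winsock" in d["vendor"]})


if __name__ == "__main__":
    dets = parse_mbam_log(SAMPLE_LOG)
    for d in collapse(dets):
        print(f"{d['kind']:6} x{d['count']:<3} {d['action']:16} {d['vendor']:36} {d['path']}")
    print("Vendors:", dict(vendor_summary(dets)))
    print("Winsock/LSP objects:", winsock_hits(dets))
    print("Still pending reboot:", pending_reboot(dets))
```

Running it on the full log pasted above gives the same picture as the excerpt: one LSP DLL loaded into sixteen processes, a driver (wwd.sys) and a service key all deferred to reboot, so the follow-up scans in this thread are the right next step rather than a second cleaning pass.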

We still have some work to do, so let's check if this will be gone after all.

Step 1

Please download Junkware Removal Tool to your desktop.

  • Shut down your protection software now to avoid potential conflicts.
  • Run the tool by double-clicking it. If you are using Windows Vista or Seven, right-mouse click it and select Run as Administrator.
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete depending on your system's specifications.
  • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
  • Post the contents of JRT.txt into your next message.
Step 2

Please download AdwCleaner by Xplode onto your desktop.

  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click on the Scan button. Wait until it is finished.
  • Click on Clean.
  • Confirm each time with Ok.
  • Your computer will be rebooted automatically. A text file will open after the restart.
  • Please post the content of that logfile with your next answer.
  • You can find the logfile at C:\AdwCleaner\AdwCleaner[s0].txt as well.
Step 3

Please scan your machine with ESET OnlineScan

  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.

    ESET OnlineScan

  • Click the esetonlinebtn.png button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on esetsmartinstaller_enu.exe to download the ESET Smart Installer.

      Save it to your Desktop.

    • Double click on the esetsmartinstaller_enu.exe icon on your Desktop.
  • Check "YES, I accept the Terms of Use."
  • Click the Start button.
  • Accept any security warnings from your browser.
  • Under Scan Settings, check "Scan Archives" and "Remove found threats"
  • Click Advanced settings and select the following:
    • Scan potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth technology
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, click List Threats
  • Click Export, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Click the Back button.
  • Click the Finish button.
  • In your next reply, post the following log files:
    • Junkware Removal Tool log
    • AdwCleaner log
    • ESET Online Scanner log

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Malwarebytes
Version: 7.5.1 (07.16.2015:1)
OS: Windows 7 Professional x86
Ran by Johnny on Wed 07/22/2015 at 18:12:29.60
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~




~~~ Services

Failed to delete: [service] wwd



~~~ Tasks



~~~ Registry Values

Successfully repaired: [Registry Value] HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Search\\SearchAssistant



~~~ Registry Keys

Successfully deleted: [Registry Key] HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{3593C8B9-8E18-4B4B-B7D3-CB8BEB1AA42C}



~~~ Files



~~~ Folders

Successfully deleted: [Folder] C:\ai_recyclebin
Successfully deleted: [Folder] C:\Program Files\pro pc cleaner
Successfully deleted: [Folder] C:\Users\Johnny\Appdata\Local\com
Successfully deleted: [Folder] C:\Users\Johnny\Appdata\Local\pirates
Successfully deleted: [Folder] C:\Users\Johnny\Appdata\Local\stormalerts
Successfully deleted: [Folder] C:\Users\Johnny\Appdata\LocalLow\company
Successfully deleted: [Folder] C:\Users\Johnny\AppData\Roaming\pro pc cleaner





~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on Wed 07/22/2015 at 18:14:33.71
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

# AdwCleaner v4.208 - Logfile created 22/07/2015 at 18:24:39
# Updated 09/07/2015 by Xplode
# Database : 2015-07-15.1 [server]
# Operating system : Windows 7 Professional Service Pack 1 (x86)
# Username : Johnny - JOHNNY77
# Running from : C:\Users\Johnny\Desktop\AdwCleaner.exe
# Option : Cleaning

***** [ Services ] *****


***** [ Files / Folders ] *****


***** [ Scheduled tasks ] *****


***** [ Shortcuts ] *****


***** [ Registry ] *****

Key Deleted : HKCU\Software\ParetoLogic
Data Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings [ProxyServer] - localhost:8080

***** [ Web browsers ] *****

-\\ Internet Explorer v11.0.9600.17840


-\\ Mozilla Firefox v


-\\ Opera v0.0.0.0


*************************

AdwCleaner[R0].txt - [7685 bytes] - [11/07/2015 19:51:04]
AdwCleaner[R10].txt - [2026 bytes] - [12/07/2015 22:20:42]
AdwCleaner[R11].txt - [2145 bytes] - [12/07/2015 23:11:35]
AdwCleaner[R12].txt - [2265 bytes] - [12/07/2015 23:29:29]
AdwCleaner[R13].txt - [2386 bytes] - [13/07/2015 18:38:38]
AdwCleaner[R14].txt - [2506 bytes] - [13/07/2015 19:23:03]
AdwCleaner[R15].txt - [2626 bytes] - [13/07/2015 20:56:57]
AdwCleaner[R16].txt - [2746 bytes] - [14/07/2015 17:31:59]
AdwCleaner[R17].txt - [3084 bytes] - [22/07/2015 18:18:46]
AdwCleaner[R1].txt - [7744 bytes] - [11/07/2015 20:14:10]
AdwCleaner[R2].txt - [2148 bytes] - [11/07/2015 21:44:24]
AdwCleaner[R3].txt - [2035 bytes] - [11/07/2015 22:06:22]
AdwCleaner[R4].txt - [2050 bytes] - [12/07/2015 13:25:56]
AdwCleaner[R5].txt - [1832 bytes] - [12/07/2015 14:05:29]
AdwCleaner[R6].txt - [1837 bytes] - [12/07/2015 14:38:49]
AdwCleaner[R7].txt - [1709 bytes] - [12/07/2015 14:56:45]
AdwCleaner[R8].txt - [1827 bytes] - [12/07/2015 15:15:08]
AdwCleaner[R9].txt - [1945 bytes] - [12/07/2015 16:19:08]
AdwCleaner[s0].txt - [7962 bytes] - [11/07/2015 20:31:19]
AdwCleaner[s10].txt - [2215 bytes] - [12/07/2015 23:27:53]
AdwCleaner[s11].txt - [2335 bytes] - [12/07/2015 23:44:56]
AdwCleaner[s12].txt - [2455 bytes] - [13/07/2015 19:10:39]
AdwCleaner[s13].txt - [2575 bytes] - [13/07/2015 19:38:00]
AdwCleaner[s14].txt - [2695 bytes] - [13/07/2015 21:35:58]
AdwCleaner[s15].txt - [2815 bytes] - [14/07/2015 18:21:30]
AdwCleaner[s16].txt - [2271 bytes] - [22/07/2015 18:24:39]
AdwCleaner[s1].txt - [2250 bytes] - [11/07/2015 22:03:34]
AdwCleaner[s2].txt - [2127 bytes] - [11/07/2015 22:38:11]
AdwCleaner[s3].txt - [2138 bytes] - [12/07/2015 14:02:53]
AdwCleaner[s4].txt - [1912 bytes] - [12/07/2015 14:36:39]
AdwCleaner[s5].txt - [1913 bytes] - [12/07/2015 14:54:47]
AdwCleaner[s6].txt - [1779 bytes] - [12/07/2015 15:13:05]
AdwCleaner[s7].txt - [1897 bytes] - [12/07/2015 15:55:48]
AdwCleaner[s8].txt - [2015 bytes] - [12/07/2015 19:21:00]
AdwCleaner[s9].txt - [2094 bytes] - [12/07/2015 23:10:06]

########## EOF - C:\AdwCleaner\AdwCleaner[s16].txt - [2862  bytes] ##########

C:\73835d98-7290-47f8-a869-e4eff77baab2\InstallerHelper.dll    a variant of Win32/Bundlore.Q potentially unwanted application    cleaned by deleting - quarantined
C:\AdwCleaner\Quarantine\C\Program Files\Bench\BService\1.1\bhelper.dll.vir    Win32/AdWare.SmartApps.E application    cleaned by deleting - quarantined
C:\AdwCleaner\Quarantine\C\Program Files\Bench\BService\1.1\bservice.exe.vir    Win32/AdWare.SmartApps.E application    cleaned by deleting - quarantined
C:\AdwCleaner\Quarantine\C\ProgramData\Browser\prompt.exe.vir    a variant of MSIL/Adware.PullUpdate.H application    cleaned by deleting - quarantined
C:\AdwCleaner\Quarantine\C\Users\Johnny\AppData\Roaming\3O6ORnyiQgQjxW5pr.vir    JS/Toolbar.Crossrider.C potentially unwanted application    deleted - quarantined
C:\AdwCleaner\Quarantine\C\Users\Johnny\AppData\Roaming\MVdGmSi4mx3.vir    JS/Toolbar.Crossrider.C potentially unwanted application    deleted - quarantined
C:\AdwCleaner\Quarantine\C\Users\Johnny\AppData\Roaming\pJEoIoITBbiQJ7DXZc4FAq.vir    JS/Toolbar.Crossrider.C potentially unwanted application    deleted - quarantined
C:\AdwCleaner\Quarantine\C\Users\Johnny\AppData\Roaming\KeepMySettingsX\keepmysettingsx.zip.vir    a variant of Win32/InstallIQ.A potentially unwanted application    deleted - quarantined
C:\AdwCleaner\Quarantine\C\Windows\system32\drivers\netfilter.sys.vir    a variant of Win32/NetFilter.A potentially unsafe application    cleaned by deleting - quarantined
C:\FRST\Quarantine\C\Program Files\ServiceUpdater\WeWatcherCert.dll    a variant of Win32/Packed.Komodia.B suspicious application    cleaned by deleting - quarantined
C:\FRST\Quarantine\C\Program Files\ServiceUpdater\WeWatcherLSP.dll    a variant of Win32/Packed.Komodia.B suspicious application    cleaned by deleting - quarantined
C:\FRST\Quarantine\C\Program Files\ServiceUpdater\WeWatcherLSP.exe    a variant of Win32/Packed.Komodia.A suspicious application    cleaned by deleting - quarantined
C:\FRST\Quarantine\C\Program Files\ServiceUpdater\WeWatcherProxy.exe    a variant of Win32/Packed.Komodia.A suspicious application    cleaned by deleting - quarantined
C:\FRST\Quarantine\C\Users\Johnny\AppData\Local\nse4E24.tmp.xBAD    Win32/AnyProtect.G potentially unwanted application    deleted - quarantined
C:\FRST\Quarantine\C\Users\Johnny\AppData\Local\nsfEF64.tmp.xBAD    Win32/AnyProtect.G potentially unwanted application    deleted - quarantined
C:\FRST\Quarantine\C\Users\Johnny\AppData\Local\nsjBA5B.tmp.xBAD    Win32/AnyProtect.G potentially unwanted application    deleted - quarantined
C:\FRST\Quarantine\C\Users\Johnny\AppData\Local\nsl9B6.tmp.xBAD    Win32/AnyProtect.G potentially unwanted application    deleted - quarantined
C:\FRST\Quarantine\C\Users\Johnny\AppData\Local\nsm238F.tmp.xBAD    Win32/AnyProtect.G potentially unwanted application    deleted - quarantined
C:\FRST\Quarantine\C\Users\Johnny\AppData\Local\nst9040.tmp.xBAD    Win32/AnyProtect.G potentially unwanted application    deleted - quarantined
C:\FRST\Quarantine\C\Users\Johnny\AppData\Local\66CA99FC-3D6B-D042-BE9F-5506A762FF7C\Modules\cdp.dll    a variant of Win32/GigaClicks.AQ potentially unwanted application    cleaned by deleting - quarantined
C:\System Volume Information\SystemRestore\FRStaging\Users\Johnny\Downloads\Setup (11).exe    NSIS/TrojanDownloader.Adload.AG trojan    cleaned by deleting - quarantined
C:\Users\Johnny\Downloads\FLVPlayer-Chrome.exe    NSIS/TrojanDownloader.Adload.AP trojan    cleaned by deleting - quarantined

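The scan log above shows WeWatcherLSP.dll and WeWatcherLSP.exe (Komodia-packed) being quarantined out of C:\Program Files\ServiceUpdater. A file named like that is typically registered as a Winsock Layered Service Provider, and quarantining the DLL without unregistering the catalog entry leaves every socket-using application trying to load a DLL that is gone, so ordinary programs lose connectivity although the machine is still on the network. The check below is an added example, not code from this thread or from AdwCleaner, FRST or ESET: it parses the text that `netsh winsock show catalog` prints and lists the entries whose provider DLL no longer exists on disk. It assumes netsh's "Key:   value" block layout with entries separated by blank lines; the embedded sample catalog is constructed, and the WeWatcher GUID and catalog IDs in it are invented for illustration.

```python
"""Flag Winsock catalog entries whose provider DLL is no longer on disk.

Added example; not code from the thread or from the tools it mentions.
Assumes the "Key:   value" block layout printed by `netsh winsock show catalog`.
"""
import os
import re
import subprocess
from dataclasses import dataclass
from typing import Callable, Dict, List

# Constructed sample in the assumed netsh layout. The WeWatcher entries, their
# GUID and catalog IDs are invented; only the DLL path follows the file that the
# thread's scan log shows being quarantined.
SAMPLE_CATALOG = r"""
Winsock Catalog Provider Entry
------------------------------------------------------
Entry Type:                         Base Service Provider
Description:                        MSAFD Tcpip [TCP/IP]
Provider ID:                        {E70F1AA0-AB8B-11CF-8CA3-00805F48A192}
Provider Path:                      %SystemRoot%\system32\mswsock.dll
Catalog Entry ID:                   1001

Winsock Catalog Provider Entry
------------------------------------------------------
Entry Type:                         Layered Service Provider
Description:                        WeWatcher LSP
Provider ID:                        {11111111-2222-3333-4444-555555555555}
Provider Path:                      C:\Program Files\ServiceUpdater\WeWatcherLSP.dll
Catalog Entry ID:                   1030

Winsock Catalog Provider Entry
------------------------------------------------------
Entry Type:                         Layered Chain Entry
Description:                        WeWatcher LSP over [MSAFD Tcpip [TCP/IP]]
Provider ID:                        {11111111-2222-3333-4444-555555555555}
Provider Path:                      C:\Program Files\ServiceUpdater\WeWatcherLSP.dll
Catalog Entry ID:                   1031
Protocol Chain:                     1030 1001
"""

# One "Key:   value" line; the key is letters and spaces up to the first colon.
KEY_VALUE = re.compile(r"^([A-Za-z][A-Za-z ]*?):\s+(.*?)\s*$")


@dataclass
class CatalogEntry:
    entry_type: str
    description: str
    provider_path: str
    catalog_id: str


def parse_catalog(text: str) -> List[CatalogEntry]:
    """Split netsh output into entries; blocks without a Provider Path are skipped."""
    entries: List[CatalogEntry] = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields: Dict[str, str] = {}
        for line in block.splitlines():
            match = KEY_VALUE.match(line)
            if match:
                fields[match.group(1)] = match.group(2)
        if "Provider Path" in fields:
            entries.append(CatalogEntry(
                entry_type=fields.get("Entry Type", ""),
                description=fields.get("Description", ""),
                provider_path=fields["Provider Path"],
                catalog_id=fields.get("Catalog Entry ID", ""),
            ))
    return entries


def expand_path(path: str, system_root: str = r"C:\Windows") -> str:
    """Microsoft's providers are listed with %SystemRoot%; expand it so the
    existence check works, including when a saved dump is examined off-box."""
    return path.replace("%SystemRoot%", system_root)


def find_dangling_entries(
    text: str,
    exists: Callable[[str], bool] = os.path.exists,
    system_root: str = r"C:\Windows",
) -> List[CatalogEntry]:
    """Entries whose DLL is missing. `exists` is injectable so the logic can be
    exercised offline against the constructed sample or a saved netsh dump."""
    return [
        entry for entry in parse_catalog(text)
        if not exists(expand_path(entry.provider_path, system_root))
    ]


def live_catalog() -> str:
    """Run the real command; only meaningful on Windows."""
    result = subprocess.run(
        ["netsh", "winsock", "show", "catalog"],
        capture_output=True, text=True, errors="replace", check=True,
    )
    return result.stdout


if __name__ == "__main__":
    text = live_catalog() if os.name == "nt" else SAMPLE_CATALOG
    for entry in find_dangling_entries(text):
        print(f"dangling catalog entry {entry.catalog_id} ({entry.entry_type}): "
              f"{entry.description} -> {entry.provider_path}")
```

On the affected machine this is run from an elevated prompt; anywhere else it parses the constructed sample. An entry that still points at a quarantined DLL is exactly the kind of leftover that `netsh winsock reset`, which rebuilds the catalog from its defaults, is meant to clear, and the same check afterwards should come back empty.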

2 weeks later...
Root Admin:

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

