
Help!



[initially posted this on 'Bleeping Computer', unfortunately no one replied, I hope someone will help here]

I'm new here,

Have been using Adw Cleaner for years now.
 
Recently I've been using my browser for making online transactions a lot and I store my passwords to lastpass.

Anyway, I felt something was wrong with my Firefox because it seemed to be running a bit slower than usual, so I ran the cleaner and I got this in the log result,
****************************************************************************************************************************************
[-] Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{BA0C978D-D909-49B6-AFE2-8BDE245DC7E6}
[-] Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{BA0C978D-D909-49B6-AFE2-8BDE245DC7E6}
[-] Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{10921475-03CE-4E04-90CE-E2E7EF20C814}
[-] Key Deleted : [x64] HKLM\SOFTWARE\Classes\CLSID\{10921475-03CE-4E04-90CE-E2E7EF20C814}
[-] Key Deleted : [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{10921475-03CE-4E04-90CE-E2E7EF20C814}

***** [ Web browsers ] *****

[-] [C:\Users\Alienware\AppData\Roaming\Mozilla\Firefox\Profiles\wux8w0k3.default\prefs.js] [Preference] Deleted : user_pref("network.hxxp.request.max-start-delay", 0);

*************************

:: "Tracing" keys removed
:: Winsock settings cleared
*************************************************************************************************************************************
Can someone explain to me what those BHOs are, and how are they connected to "Tracing"?

I mean, were my keystrokes being monitored somehow because of the above? Am I in trouble?
Sorry if this seems to be a stupid question, but I'm new to all this, learning steadily though.


Thanks


Hello and welcome to Malwarebytes,

Please be aware the following P2P/Piracy Warning is a standard opening reply made here at Malwarebytes, we make no accusations but do make you aware of Forum Protocol....

If you're using Peer 2 Peer software such as uTorrent, BitTorrent or similar you must either fully uninstall them or completely disable them from running while being assisted here. Failure to remove or disable such software will result in your topic being closed and no further assistance being provided. If you have illegal/cracked software, cracks, keygens etc. on the system, please remove or uninstall them now and read the policy on Piracy.

 

The BHO entries are all related to IOBit, I would never recommend anything related to that company to anyone...

 

Winsock network event tracing is disabled by default on Windows Vista and above for obvious reasons; malware and infection developers are known to use the Winsock network for malicious purposes.

Many security program developers are well aware of such issues and do have auto fixes set accordingly....

 

If you believe your system is infected run the following,

 

Please open Malwarebytes Anti-Malware.

  • On the Settings tab > Detection and Protection sub tab, Detection Options, tick the box "Scan for rootkits".
  • Under Non-Malware Protection sub tab Change PUP and PUM entries to Treat detections as Malware
  • Click on the Scan tab, then click on Scan Now >> . If an update is available, click the Update Now button.
  • A Threat Scan will begin.
  • With some infections, you may or may not see this message box.

            'Could not load DDA driver'
  • Click 'Yes' to this message, to allow the driver to load after a restart.
  • Allow the computer to restart. Continue with the rest of these instructions.
  • When the scan is complete, click Apply Actions.
  • Wait for the prompt to restart the computer to appear, then click on Yes.
  • After the restart once you are back at your desktop, open MBAM once more.



To get the log from Malwarebytes do the following:

  • Click on the History tab > Application Logs.
  • Double click on the scan log which shows the Date and time of the scan just performed.
  • Click Export > From export you have three options:

      Copy to Clipboard - if selected right click to your reply and select "Paste", log will be pasted to your reply
      Text file (*.txt)        - if selected you will have to name the file and save to a place of choice, recommend "Desktop" then attach to reply
      XML file (*.xml)      - if selected you will have to name the file and save to a place of choice, recommend "Desktop" then attach to reply
  • Please use "Copy to Clipboard", then Right click to your reply > select "Paste", that will copy the log to your reply…




If Malwarebytes is not installed follow these instructions first:

Download Malwarebytes Anti-Malware to your desktop.

  • Double-click mbam-setup and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to the following:
  • Launch Malwarebytes Anti-Malware
  • A 14 day trial of the Premium features is pre-selected. You may deselect this if you wish, and it will not diminish the scanning and removal capabilities of the program.
  • Click Finish. Follow the instructions above....

 
Next,
 
Download Farbar Recovery Scan Tool and save it to your desktop.

Note: You need to run the version compatible with your system (32 bit or 64 bit). If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.

If your security alerts to FRST either, accept the alert or turn your security off to allow FRST to run. It is not malicious or infected in any way...

  • Double-click to run it. When the tool opens click Yes to disclaimer.
    (Windows 8/10 users will be prompted about Windows SmartScreen protection - click More information and Run.)
  • Make sure Addition.txt is checkmarked under "Optional scans"
  • Press Scan button to run the tool....
  • It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
  • The tool will also make a log named (Addition.txt)  Please attach those logs to your reply.


 

Let me see those logs in your reply, it would also be beneficial to close your thread at BC, or close out here if you prefer Bleeping Computers....

 

Thank you,

 

Kevin....

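As an added illustration of what the BHO entries in that AdwCleaner log mean (this is not code from the thread, from Malwarebytes or from AdwCleaner), the following PowerShell script, run from an elevated prompt on Windows, lists every Browser Helper Object registered on the machine, resolves each CLSID to the DLL it loads, and reports whether that DLL still exists and who signed it. The registry paths are the standard IE registration locations; the output column names are my own.

```powershell
# Added example: audit Browser Helper Objects (BHOs) registered for Internet Explorer.
#
# A BHO is a COM in-process server (a DLL) that IE loads into every browser process.
# Registration has two halves, which is why AdwCleaner reported the same GUID twice:
# the CLSID key describes the COM object and names its DLL (InprocServer32), and the
# "Browser Helper Objects" key tells IE to load that CLSID. On 64-bit Windows both
# halves exist in a native and a 32-bit (Wow6432Node) view, hence the "[x64]" tags.

$views = @(
    @{
        Name  = 'native'
        Bho   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
        Clsid = 'HKLM:\SOFTWARE\Classes\CLSID'
    },
    @{
        Name  = 'x86'
        Bho   = 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
        Clsid = 'HKLM:\SOFTWARE\Classes\Wow6432Node\CLSID'
    }
)

function Get-DefaultValue([string]$Path) {
    # Returns the (default) value of a registry key, or $null if the key is missing.
    if (-not (Test-Path -LiteralPath $Path)) { return $null }
    return (Get-ItemProperty -LiteralPath $Path).'(default)'
}

function Get-BhoInventory {
    foreach ($v in $views) {
        if (-not (Test-Path -LiteralPath $v.Bho)) { continue }
        foreach ($entry in Get-ChildItem -LiteralPath $v.Bho) {
            $clsid    = $entry.PSChildName
            $clsidKey = Join-Path $v.Clsid $clsid
            $dll      = Get-DefaultValue (Join-Path $clsidKey 'InprocServer32')
            if ($dll) { $dll = [Environment]::ExpandEnvironmentVariables($dll).Trim('"') }
            $exists   = [bool]($dll -and (Test-Path -LiteralPath $dll))

            # Authenticode check: an unsigned or invalidly signed BHO deserves a closer look.
            $sigStatus = 'n/a'; $signer = $null
            if ($exists) {
                $sig = Get-AuthenticodeSignature -FilePath $dll
                $sigStatus = $sig.Status.ToString()
                if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
            }

            # Per-user add-on record IE keeps under Ext\Stats (the HKCU key AdwCleaner also removed).
            $userStats = Test-Path -LiteralPath "HKCU:\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\$clsid"

            [pscustomobject]@{
                View       = $v.Name
                CLSID      = $clsid
                Name       = Get-DefaultValue $clsidKey
                Dll        = $dll
                FileExists = $exists
                SigStatus  = $sigStatus
                Signer     = $signer
                UserStats  = $userStats
            }
        }
    }
}

Get-BhoInventory | Format-Table -AutoSize

# Entries worth attention: a registration whose DLL is gone (orphaned, e.g. after an
# uninstall) or whose signature is not 'Valid'.
Get-BhoInventory | Where-Object { -not $_.FileExists -or $_.SigStatus -ne 'Valid' }

# The Winsock catalog (layered and namespace providers) is a separate load point
# and is reviewed with the built-in command:  netsh winsock show catalog
```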

Hey Kevin,

First off, Thank You so much for such a comprehensive reply, it really helped me clear my doubts.

To start with, I do use a torrent client but it's for only 1 purpose i.e. downloading Ubuntu or other Linux distributions and sometimes a documentary (not the copyrighted ones) and THAT'S IT. I NEVER used any BitTorrent client except qBittorrent which is, as you know, open-source software, and that too occasionally.

And NO, I do not use pirated copies of software (although I'll admit that I used to, but it was like 5 - 6 years ago).
Everything installed into my system is either free, paid, bought, subscription based or open-source.
For those Adobe entries, I use Adobe CC subscription which includes all their products alongside Acrobat 11 which I bought standalone year and a half ago.

As you suggested I have uninstalled the IOBit Advanced System Care 9 (free) version which I installed a few weeks ago, but IOBit Uninstaller is still there as I require it sometimes. If you want me to remove it too, I'm willing to do it. (Request) I'll be grateful if you give me any alternative for IOBit Uninstaller which does a similar job? (a humble request)

I'd also like to add that, I saw 'utorrent' entry in the log file(Addition.txt) which is just baffling since I have never ever used or installed that piece of crap in my system.

Also I found a lot of error entries in the log file; I have no idea how or why they're there since my system is running fine, or at least I think it does. Although my system's boot time has gradually increased over time. Haven't formatted the system in the last 4 years (approx) if that helps in any way.
If it's not too much to ask, can you please tell me why those errors persist in my system and in what way can I resolve it?

Anyway,

1. First log content for MBAM, as follows,

Malwarebytes Anti-Malware
www.malwarebytes.org

Scan Date: 1/2/2016
Scan Time: 2:02 AM
Logfile:
Administrator: Yes

Version: 2.2.0.1024
Malware Database: v2016.01.01.04
Rootkit Database: v2015.12.26.01
License: Free
Malware Protection: Disabled
Malicious Website Protection: Disabled
Self-protection: Disabled

OS: Windows 10
CPU: x64
File System: NTFS
User: Alienware

Scan Type: Custom Scan
Result: Completed
Objects Scanned: 710690
Time Elapsed: 1 hr, 30 min, 15 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled

Processes: 0
(No malicious items detected)

Modules: 0
(No malicious items detected)

Registry Keys: 0
(No malicious items detected)

Registry Values: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Folders: 0
(No malicious items detected)

Files: 0
(No malicious items detected)

Physical Sectors: 0
(No malicious items detected)


(end)


2. I was not able to paste the content of the log file in FRST.txt (gave  me error while replying - 'too long') so I attached it instead along with Addition.txt.

 

Thank You

Addition.txt

FRST.txt


I do not see any obvious malware or infection in those logs, what exactly do you believe to be wrong with your system?

 

Lets do a bit of tidying up....

 

Download attached fixlist.txt file (end of reply) and save it to the Desktop, or the folder you saved FRST into.
NOTE. It's important that both FRST and fixlist.txt are in the same location or the fix will not work.

Run FRST and press the Fix button just once and wait.
The tool will make a log on the Desktop (Fixlog.txt) or the folder it was run from. Please post it to your reply.
 

Next,

 

Scan with ZOEK

Please download ZOEK by Smeenk from here: http://hijackthis.nl/smeenk/ and save it to your desktop (preferred version is the *.exe one)

*.exe Mirror http://smeenk.247fixes.com/Tools/zoek.exe

Temporarily disable your AntiVirus and AntiSpyware protection - instructions here or here

  • Right-click on the ZOEK icon and select Run as Administrator to start the tool.
  • Wait patiently until the main console will appear, it may take a minute or two.
  • In the main box please paste in the following script:



createsrpoint;autoclean;emptyalltemp;ipconfig /flushdns >>"%temp%\log.txt";b


  • Make sure that Scan All Users option is checked.
  • Push Run Script and wait patiently. The scan may take a couple of minutes.
  • When the scan completes, a zoek-results logfile should open in notepad.
  • If a reboot is needed, it will be opened after it. You may also find it at your main drive (usually C:\ drive)



Please include its content in your next reply. Don't forget to re-enable security software!

 

Post those logs, also let me know if any remaining issues or concerns...

 

Thank you,

 

Kevin

 

 

Fixlist.txt


Hey Kevin,

Before proceeding any further, I'd like to Thank You so very much for offering your time and resolving issues. Your systematic guide for detecting/resolving the problems not only cleared junk and old invalid registry entries from my system but also taught me a lot of various ways to detect and fix/remove malware or other system errors for that matter.

Anyway, as you asked,

Here's the content of the Fixlog.txt

Fix result of Farbar Recovery Scan Tool (x64) Version:31-12-2015
Ran by Alienware (2016-01-02 15:20:31) Run:1
Running from C:\Users\Alienware\Desktop
Loaded Profiles: Alienware (Available Profiles: Alienware)
Boot Mode: Normal
==============================================

fixlist content:
*****************
Start
CloseProcesses:
CreateRestorePoint:
HKU\S-1-5-21-1051103352-2590003180-4276231435-1002\...\Run: [GalaxyClient] => [X]
HKU\S-1-5-21-1051103352-2590003180-4276231435-1002\...\MountPoints2: {5188114d-60f2-11e5-8361-ecf4bb1797b6} - "D:\OnePlus_setup.exe" /s
S3 iscFlash; no ImagePath
S3 BTATH_BUS; \SystemRoot\System32\drivers\btath_bus.sys [X]
S3 cpuz138; \??\C:\Users\ALIENW~1\AppData\Local\Temp\cpuz138\cpuz138_x64.sys [X]
Task: {30489B76-1AC3-4058-A5D4-8448FD06C53D} - \Microsoft\Windows\Setup\GWXTriggers\Telemetry-4xd -> No File <==== ATTENTION
Task: {43163811-B954-428D-9A52-1F779B4EBFAF} - \Microsoft\Windows\Setup\GWXTriggers\MachineUnlock-5d -> No File <==== ATTENTION
Task: {51791F25-0793-4559-A394-DAA2B338699F} - \Microsoft\Windows\Setup\gwx\refreshgwxconfigandcontent -> No File <==== ATTENTION
Task: {5956DE13-8744-4623-AEEF-B3ACA1406F4C} - \Microsoft\Windows\Setup\gwx\refreshgwxcontent -> No File <==== ATTENTION
Task: {618F4284-5E96-4C9F-9F53-DDA9A36056CB} - \Microsoft\Windows\Setup\gwx\launchtrayprocess -> No File <==== ATTENTION
Task: {6D8781B0-D2EB-4200-B3DB-DA1277733657} - \Microsoft\Windows\Setup\GWXTriggers\refreshgwxconfig-B -> No File <==== ATTENTION
Task: {7B0E4B60-16DF-45CB-B98A-362AEDEF5750} - \Microsoft\Windows\Setup\GWXTriggers\Time-5d -> No File <==== ATTENTION
Task: {8C0AD9C2-6214-4B2A-BBC7-FC4BA3FABFF8} - \Microsoft\Windows\Setup\GWXTriggers\OutOfSleep-5d -> No File <==== ATTENTION
Task: {D6FCAE11-1AF0-471C-8C43-AB8D0E8F0820} - \Microsoft\Windows\Setup\GWXTriggers\Logon-5d -> No File <==== ATTENTION
Task: {E2CFF249-1113-46D8-BDD0-AB670BA3E406} - \Microsoft\Windows\Setup\GWXTriggers\OutOfIdle-5d -> No File <==== ATTENTION
Task: {F439353A-9A6B-4AD9-A290-17FE898E872A} - \Microsoft\Windows\Setup\gwx\refreshgwxconfig -> No File <==== ATTENTION
EmptyTemp:
end
*****************

Processes closed successfully.
Error: (0) Failed to create a restore point.
HKU\S-1-5-21-1051103352-2590003180-4276231435-1002\Software\Microsoft\Windows\CurrentVersion\Run\\GalaxyClient => value removed successfully
"HKU\S-1-5-21-1051103352-2590003180-4276231435-1002\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{5188114d-60f2-11e5-8361-ecf4bb1797b6}" => key removed successfully
HKCR\CLSID\{5188114d-60f2-11e5-8361-ecf4bb1797b6} => key not found.
iscFlash => service removed successfully
BTATH_BUS => service removed successfully
cpuz138 => service removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{30489B76-1AC3-4058-A5D4-8448FD06C53D}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{30489B76-1AC3-4058-A5D4-8448FD06C53D}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Setup\GWXTriggers\Telemetry-4xd" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{43163811-B954-428D-9A52-1F779B4EBFAF}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{43163811-B954-428D-9A52-1F779B4EBFAF}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Setup\GWXTriggers\MachineUnlock-5d" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{51791F25-0793-4559-A394-DAA2B338699F}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{51791F25-0793-4559-A394-DAA2B338699F}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Setup\gwx\refreshgwxconfigandcontent" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{5956DE13-8744-4623-AEEF-B3ACA1406F4C}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{5956DE13-8744-4623-AEEF-B3ACA1406F4C}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Setup\gwx\refreshgwxcontent" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon\{618F4284-5E96-4C9F-9F53-DDA9A36056CB}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{618F4284-5E96-4C9F-9F53-DDA9A36056CB}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Setup\gwx\launchtrayprocess" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{6D8781B0-D2EB-4200-B3DB-DA1277733657}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{6D8781B0-D2EB-4200-B3DB-DA1277733657}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Setup\GWXTriggers\refreshgwxconfig-B" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{7B0E4B60-16DF-45CB-B98A-362AEDEF5750}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{7B0E4B60-16DF-45CB-B98A-362AEDEF5750}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Setup\GWXTriggers\Time-5d" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{8C0AD9C2-6214-4B2A-BBC7-FC4BA3FABFF8}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{8C0AD9C2-6214-4B2A-BBC7-FC4BA3FABFF8}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Setup\GWXTriggers\OutOfSleep-5d" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon\{D6FCAE11-1AF0-471C-8C43-AB8D0E8F0820}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{D6FCAE11-1AF0-471C-8C43-AB8D0E8F0820}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Setup\GWXTriggers\Logon-5d" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{E2CFF249-1113-46D8-BDD0-AB670BA3E406}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{E2CFF249-1113-46D8-BDD0-AB670BA3E406}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Setup\GWXTriggers\OutOfIdle-5d" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{F439353A-9A6B-4AD9-A290-17FE898E872A}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{F439353A-9A6B-4AD9-A290-17FE898E872A}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Setup\gwx\refreshgwxconfig" => key removed successfully
EmptyTemp: => 227.9 MB temporary data Removed.


The system needed a reboot.

==== End of Fixlog 15:20:43 ====


2. From zoek-results.txt

Zoek.exe v5.0.0.1 Updated 31-December-2015
Tool run by Alienware on Sat 01/02/2016 at 15:28:14.94.
Microsoft Windows 10 Home 10.0.10586  x64
Running in: Normal Mode Internet Access Detected
Launched: C:\Users\Alienware\Desktop\zoek.exe [scan all users] [script inserted]

==== System Restore Info ======================

1/2/2016 3:30:26 PM Zoek.exe System Restore Point Created Successfully.

==== Empty Folders Check ======================

C:\PROGRA~2\Indie Softworks deleted successfully
C:\Program Files\DAUM deleted successfully
C:\PROGRA~3\Comms deleted successfully
C:\PROGRA~3\IDM deleted successfully
C:\PROGRA~3\IntelDLM deleted successfully
C:\PROGRA~3\Malwarebytes' Anti-Malware (portable) deleted successfully
C:\PROGRA~3\{FD6F83C0-EC70-4581-8361-C70CD1AA4B98} deleted successfully
C:\Users\Alienware\AppData\Local\ActiveSync deleted successfully
C:\Users\Alienware\AppData\Local\CrashDumps deleted successfully
C:\Users\Alienware\AppData\Local\EmieBrowserModeList deleted successfully
C:\Users\Alienware\AppData\Local\EmieSiteList deleted successfully
C:\Users\Alienware\AppData\Local\EmieUserList deleted successfully
C:\Users\Alienware\AppData\Local\NetworkTiles deleted successfully
C:\Users\Alienware\AppData\Local\PackageStaging deleted successfully
C:\Users\Alienware\AppData\Local\VMware deleted successfully
C:\WINDOWS\serviceprofiles\networkservice\AppData\Local\CrashDumps deleted successfully
C:\WINDOWS\serviceprofiles\networkservice\AppData\Local\Maps deleted successfully

==== Deleting CLSID Registry Keys ======================


==== Deleting CLSID Registry Values ======================


==== Deleting Services ======================


==== FireFox Fix ======================

ProfilePath: C:\Users\ALIENW~1\AppData\Roaming\Mozilla\Firefox\Profiles\wux8w0k3.default

user.js not found
---- Lines yahoo removed from prefs.js ----
user_pref("browser.pocket.settings.tags", "[\"tech help\",\"facts\",\"philosophy\",\"unsolvable\",\"reference\",\"support\",\"inspiration\",\"mental p
---- FireFox user.js and prefs.js backups ----

prefs_20160102_0350_.backup

==== Batch Command(s) Run By Tool======================


Windows IP Configuration

Successfully flushed the DNS Resolver Cache.

==== Deleting Files \ Folders ======================

C:\PROGRA~2\Indie Softworks not found
C:\PROGRA~3\Malwarebytes' Anti-Malware (portable) not found
C:\PROGRA~3\{FD6F83C0-EC70-4581-8361-C70CD1AA4B98} not found
C:\Users\Alienware\AppData\Roaming\calibre deleted
C:\Users\Alienware\AppData\Roaming\Sublime Text 3 deleted
C:\PROGRA~3\ProductData deleted
C:\PROGRA~3\Package Cache deleted
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Search.lnk deleted
C:\windows\SysNative\GroupPolicy\Machine deleted
C:\windows\SysNative\GroupPolicy\User deleted
C:\windows\SysNative\GroupPolicy\GPT.INI deleted
C:\WINDOWS\Syswow64\GroupPolicy\gpt.ini deleted
C:\Users\ALIENW~1\AppData\Roaming\Mozilla\Firefox\Profiles\wux8w0k3.default\jetpack deleted
C:\Users\ALIENW~1\AppData\Roaming\Mozilla\Firefox\Profiles\wux8w0k3.default\Yahoo Inc deleted
"C:\Users\Alienware\AppData\Local\{651AD6B2-1B3C-4016-81FB-D01F20DCCE39}" deleted
"C:\Users\Alienware\AppData\Roaming\vlc\vlcrc" deleted
"C:\Users\Alienware\AppData\Roaming\vlc" deleted
"C:\Users\Alienware\AppData\Roaming\TaiG" deleted
"C:\Users\Alienware\AppData\Roaming\MPC-HC" deleted
"C:\Users\Alienware\AppData\Roaming\Origin" deleted

==== Firefox Start and Search pages ======================

ProfilePath: C:\Users\ALIENW~1\AppData\Roaming\Mozilla\Firefox\Profiles\wux8w0k3.default
user_pref("services.sync.prefs.sync.browser.search.selectedEngine", true);

==== Firefox Extensions Registry ======================

[HKEY_LOCAL_MACHINE\Software\Wow6432Node\Mozilla\Firefox\Extensions]
"sp@avast.com"="C:\Program Files\AVAST Software\Avast\SafePrice\FF" [12/02/2015 04:42 AM]
[HKEY_CURRENT_USER\Software\Mozilla\Firefox\Extensions]
"mozilla_cc2@internetdownloadmanager.com"="C:\Program Files (x86)\Internet Download Manager\idmmzcc2.xpi" [12/09/2015 07:25 PM]

==== Firefox Extensions ======================

ProfilePath: C:\Users\ALIENW~1\AppData\Roaming\Mozilla\Firefox\Profiles\wux8w0k3.default
- Default Full Zoom Level em:descriptionDefault FullZoom Level em:creatorAlice0775 em:homepageURLhttp:space.geocities.yahoo.co.jpglalice0775 em:optionsURLchrome:defaultfullzoomlevelcontentpref.xul em:iconURLchrome:defaultfullzoomlevelskinicon.png - C:\Users\Alienware\AppData\Roaming\Mozilla\Firefox\Profiles\wux8w0k3.default\extensions\{D9A7CBEC-DE1A-444f-A092-844461596C4D}
- ColorZilla - C:\Users\Alienware\AppData\Roaming\Mozilla\Firefox\Profiles\wux8w0k3.default\extensions\{6AC85730-7D0F-4de0-B3FA-21142DD85326}
- LastPass - C:\Users\Alienware\AppData\Roaming\Mozilla\Firefox\Profiles\wux8w0k3.default\extensions\support@lastpass.com
- Advanced Cookie Manager - C:\Users\Alienware\AppData\Roaming\Mozilla\Firefox\Profiles\wux8w0k3.default\extensions\cookiemgr@jayapal.com
- Advanced Cookie Manager - %ProfilePath%\extensions\cookiemgr@jayapal.com
- LastPass - %ProfilePath%\extensions\support@lastpass.com
- ColorZilla - %ProfilePath%\extensions\{6AC85730-7D0F-4de0-B3FA-21142DD85326}
- Default Full Zoom Level em:descriptionDefault FullZoom Level em:creatorAlice0775 em:homepageURLhttp:space.geocities.yahoo.co.jpglalice0775 em:optionsURLchrome:defaultfullzoomlevelcontentpref.xul em:iconURLchrome:defaultfullzoomlevelskinicon.png - %ProfilePath%\extensions\{D9A7CBEC-DE1A-444f-A092-844461596C4D}
- HTTPS by default - %ProfilePath%\extensions\https-by-default@robwu.nl.xpi
- YouTube High Definition - %ProfilePath%\extensions\{7b1bf0b6-a1b9-42b0-b75d-252036438bdc}.xpi
- Adblock Plus - %ProfilePath%\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}.xpi

AppDir: C:\Program Files (x86)\Mozilla Firefox
- Default - %AppDir%\browser\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}

==== Firefox Plugins ======================

Profilepath: C:\Users\Alienware\AppData\Roaming\Mozilla\Firefox\Profiles\wux8w0k3.default
70858ED7836E5C849D33576A84DC8CCF    - C:\WINDOWS\SysWOW64\Macromed\Flash\NPSWF32_20_0_0_267.dll -    Shockwave Flash


==== Chromium Look ======================

Google Chrome Version: 46.0.2490.86

HKEY_LOCAL_MACHINE\SOFTWARE\Google\Chrome\Extensions
efaidnbmnnnibpcajpcglclefindmkaj - C:\Program Files (x86)\Adobe\Acrobat 11.0\Acrobat\Browser\WCChromeExtn\WCChromeExtn.crx[09/12/2014 03:13 PM]
gomekmidlodglbbmalcneegieacbdmki - C:\Program Files\AVAST Software\Avast\WebRep\Chrome\aswWebRepChrome.crx[11/18/2015 12:24 AM]
ngpampappnmepgilojfohadhhmbhlaek - C:\Program Files (x86)\Internet Download Manager\IDMGCExt.crx[12/29/2015 05:48 PM]

HKEY_CURRENT_USER\SOFTWARE\Google\Chrome\Extensions
lmjegmlicamnimmfhcmpkclmigmmcbeh - No path found[]

ColorZilla - Alienware\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\bhlhnicpbhignbdhedgjhgdocnmhomnp
Empty New Tab Page - Alienware\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\dpjamkmjmigaoobjbekmfgabipmfilij
AdBlock - Alienware\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\gighmmpiobklfepjocnamgkkbiglidom
Avast Online Security - Alienware\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\gomekmidlodglbbmalcneegieacbdmki
LastPass - Alienware\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\hdokiejnpimakedhajhdlcegeplioahd
WhatFont - Alienware\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\jabopobgcpjmedljpbcaablpmlmfcogm
SmoothScroll - Alienware\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\nbokbjkabcmbfdlbddjidfmibcpneigj
Save to Pocket - Alienware\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\niloccemoadcdkdjlinkgdfekeahmflj

==== Chromium Fix ======================

C:\Users\Alienware\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\dpjamkmjmigaoobjbekmfgabipmfilij deleted successfully

==== Set IE to Default ======================

Old Values:
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]

New Values:
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Start Page"="http://go.microsoft.com/fwlink/?LinkId=69157"

==== All HKLM and HKCU SearchScopes ======================

HKLM\SearchScopes "DefaultScope"="{0633EE93-D776-472f-A0FF-E1416B8B2E3A}"
HKLM\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A} - http://www.bing.com/search?q={searchTerms}&FORM=IE8SRC
HKLM\SearchScopes\{1A95DC8F-4A6D-4938-B715-50B59B516306} - http://www.bing.com/search?q={searchTerms}&form=IE11TR&src=IE11TR&pc=DCJB
HKLM\Wow6432Node\SearchScopes "DefaultScope"="{0633EE93-D776-472f-A0FF-E1416B8B2E3A}"
HKLM\Wow6432Node\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A} - http://www.bing.com/search?q={searchTerms}&FORM=IE8SRC
HKCU\SearchScopes "DefaultScope"="{0633EE93-D776-472f-A0FF-E1416B8B2E3A}"
HKCU\SearchScopes\{012E1000-F331-11DB-8314-0800200C9A66} - http://www.google.com/search?q={searchTerms}
HKCU\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A} - http://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IE8SRC

==== Empty IE Cache ======================

C:\WINDOWS\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5 emptied successfully
C:\Users\Alienware\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 emptied successfully
C:\Users\Alienware\AppData\Local\Microsoft\Windows\INetCache\Low\Content.IE5 emptied successfully
C:\WINDOWS\SysNative\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 emptied successfully
C:\WINDOWS\sysWoW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 emptied successfully
C:\WINDOWS\sysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 emptied successfully
C:\Users\Alienware\AppData\Local\Microsoft\Windows\INetCache\IE emptied successfully
C:\Users\Alienware\AppData\Local\Microsoft\Windows\INetCache\Low\IE emptied successfully
C:\WINDOWS\SysNative\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE emptied successfully
C:\WINDOWS\sysWoW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE emptied successfully

==== Empty FireFox Cache ======================

C:\Users\Alienware\AppData\Local\Mozilla\Firefox\Profiles\wux8w0k3.default\cache2 emptied successfully

==== Empty Chrome Cache ======================

C:\Users\Alienware\AppData\Local\Google\Chrome\User Data\Profile 1\Cache emptied successfully

==== Empty All Flash Cache ======================

No Flash Cache Found

==== Empty All Java Cache ======================

Java Cache cleared successfully

==== C:\zoek_backup content ======================

C:\zoek_backup (files=78 folders=67 42583106 bytes)

==== Empty Temp Folders ======================

C:\WINDOWS\Temp will be emptied at reboot

==== After Reboot ======================

==== Empty Temp Folders ======================

C:\WINDOWS\Temp successfully emptied
C:\Users\ALIENW~1\AppData\Local\Temp successfully emptied

==== Empty Recycle Bin ======================

C:\$RECYCLE.BIN successfully emptied

==== EOF on Sat 01/02/2016 at 15:56:59.21 ======================


Lastly, I don't have any major concerns but would like to ask 2 questions

1. Is there any good alternative for IOBit Uninstaller, how about Revo Uninstaller? Or is there any other way, like a tool or something, to remove software completely?
2. A few things from Addition.txt bug me. Will these errors cause issues in the system, or are these only leftovers from previous errors?

 

Errors from Addition.txt

Application errors:
==================
Error: (01/02/2016 12:37:09 AM) (Source: Microsoft-Windows-Immersive-Shell) (EventID: 5973) (User: AW)
Description: Activation of app Microsoft.XboxApp_8wekyb3d8bbwe!Microsoft.XboxApp failed with error: -2144927148 See the Microsoft-Windows-TWinUI/Operational log for additional information.

Error: (01/01/2016 09:01:43 PM) (Source: Microsoft-Windows-Immersive-Shell) (EventID: 5973) (User: AW)
Description: Activation of app Microsoft.XboxApp_8wekyb3d8bbwe!Microsoft.XboxApp failed with error: -2144927148 See the Microsoft-Windows-TWinUI/Operational log for additional information.

Error: (01/01/2016 06:57:20 PM) (Source: Microsoft-Windows-Immersive-Shell) (EventID: 5973) (User: AW)
Description: Activation of app Microsoft.XboxApp_8wekyb3d8bbwe!Microsoft.XboxApp failed with error: -2144927148 See the Microsoft-Windows-TWinUI/Operational log for additional information.

Error: (01/01/2016 05:45:21 PM) (Source: Microsoft-Windows-Immersive-Shell) (EventID: 5973) (User: AW)
Description: Activation of app Microsoft.XboxApp_8wekyb3d8bbwe!Microsoft.XboxApp failed with error: -2144927148 See the Microsoft-Windows-TWinUI/Operational log for additional information.

Error: (01/01/2016 04:21:45 PM) (Source: Microsoft-Windows-Immersive-Shell) (EventID: 5973) (User: AW)
Description: Activation of app Microsoft.XboxApp_8wekyb3d8bbwe!Microsoft.XboxApp failed with error: -2144927148 See the Microsoft-Windows-TWinUI/Operational log for additional information.

Error: (01/01/2016 04:21:45 PM) (Source: Microsoft-Windows-Immersive-Shell) (EventID: 5973) (User: AW)
Description: Activation of app Microsoft.XboxApp_8wekyb3d8bbwe!Microsoft.XboxApp failed with error: -2147023170 See the Microsoft-Windows-TWinUI/Operational log for additional information.


System errors:
=============
Error: (01/02/2016 12:42:18 AM) (Source: Service Control Manager) (EventID: 7034) (User: )
Description: The Advanced SystemCare Service 9 service terminated unexpectedly.  It has done this 1 time(s).

Error: (01/01/2016 10:40:37 PM) (Source: DCOM) (EventID: 10010) (User: NT AUTHORITY)
Description: {F3B4E234-7A68-4E43-B813-E4BA55A065F6}

Error: (01/01/2016 10:35:32 PM) (Source: DCOM) (EventID: 10010) (User: NT AUTHORITY)
Description: {F3B4E234-7A68-4E43-B813-E4BA55A065F6}

Error: (01/01/2016 09:00:19 PM) (Source: Microsoft-Windows-WLAN-AutoConfig) (EventID: 4003) (User: NT AUTHORITY)
Description: WLAN AutoConfig detected limit connectivity, performing Reset/Recover.adapter.

 Code: 8 0x0 0x0

Error: (01/01/2016 09:00:18 PM) (Source: Microsoft-Windows-WLAN-AutoConfig) (EventID: 4003) (User: NT AUTHORITY)
Description: WLAN AutoConfig detected limit connectivity, performing Reset/Recover.adapter.

 Code: 2 0xdeaddeed 0xeeec

Error: (01/01/2016 09:00:18 PM) (Source: Microsoft-Windows-WLAN-AutoConfig) (EventID: 4003) (User: NT AUTHORITY)
Description: WLAN AutoConfig detected limit connectivity, performing Reset/Recover.adapter.

 Code: 1 0xc 0x4

Error: (01/01/2016 06:57:14 PM) (Source: Tcpip) (EventID: 4199) (User: )
Description: The system detected an address conflict for IP address 192.168.1.2 with the system
having network hardware address 48-50-73-E2-82-F0. Network operations on this system may
be disrupted as a result.

Error: (01/01/2016 04:47:05 PM) (Source: disk) (EventID: 11) (User: )
Description: The driver detected a controller error on \Device\Harddisk1\DR1.

Error: (01/01/2016 03:58:45 PM) (Source: Service Control Manager) (EventID: 7031) (User: )
Description: The VMware Workstation Server service terminated unexpectedly.  It has done this 1 time(s).  The following corrective action will be taken in 60000 milliseconds: Restart the service.

Error: (01/01/2016 03:58:42 PM) (Source: Service Control Manager) (EventID: 7031) (User: )
Description: The User Data Access_5acdb6 service terminated unexpectedly.  It has done this 1 time(s).  The following corrective action will be taken in 10000 milliseconds: Restart the service.


CodeIntegrity:
===================================
  Date: 2015-12-30 21:28:30.352
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume4\Windows\System32\efswrt.dll because the set of per-page image hashes could not be found on the system.

  Date: 2015-12-25 03:03:36.087
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume4\Windows\System32\efswrt.dll because the set of per-page image hashes could not be found on the system.

  Date: 2015-12-19 02:52:04.838
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume4\Windows\System32\efswrt.dll because the set of per-page image hashes could not be found on the system.

  Date: 2015-12-19 02:25:14.243
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume4\Windows\System32\efswrt.dll because the set of per-page image hashes could not be found on the system.

  Date: 2015-12-10 17:29:36.651
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume4\Windows\System32\efswrt.dll because the set of per-page image hashes could not be found on the system.

  Date: 2015-12-10 16:40:12.374
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume4\Windows\System32\efswrt.dll because the set of per-page image hashes could not be found on the system.

  Date: 2015-12-10 04:02:47.190
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume4\Windows\System32\efswrt.dll because the set of per-page image hashes could not be found on the system.

  Date: 2015-12-09 06:20:18.739
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume4\Windows\System32\efswrt.dll because the set of per-page image hashes could not be found on the system.

  Date: 2015-12-05 18:41:18.840
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume4\Windows\System32\efswrt.dll because the set of per-page image hashes could not be found on the system.

  Date: 2015-12-03 19:29:11.213
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume4\Windows\System32\efswrt.dll because the set of per-page image hashes could not be found on the system.


Thank You for all your valuable help :)

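The Addition.txt entries above, parsed and grouped so you can see which ones recur and what class of problem each is. This is an added example, not part of the thread or of FRST: the sample lines are constructed from the posted entries (descriptions shortened), and the category labels are my own triage notes, not FRST or Malwarebytes output.

```python
import re
from collections import Counter

# Constructed sample in the FRST Addition.txt "Error:" format, modelled on the
# entries pasted in this thread (descriptions shortened; values as posted).
SAMPLE = """\
Error: (01/02/2016 12:37:09 AM) (Source: Microsoft-Windows-Immersive-Shell) (EventID: 5973) (User: AW)
Description: Activation of app Microsoft.XboxApp_8wekyb3d8bbwe!Microsoft.XboxApp failed with error: -2144927148

Error: (01/01/2016 09:01:43 PM) (Source: Microsoft-Windows-Immersive-Shell) (EventID: 5973) (User: AW)
Description: Activation of app Microsoft.XboxApp_8wekyb3d8bbwe!Microsoft.XboxApp failed with error: -2144927148

Error: (01/01/2016 06:57:14 PM) (Source: Tcpip) (EventID: 4199) (User: )
Description: The system detected an address conflict for IP address 192.168.1.2 with the system
having network hardware address 48-50-73-E2-82-F0. Network operations on this system may
be disrupted as a result.

Error: (01/01/2016 04:47:05 PM) (Source: disk) (EventID: 11) (User: )
Description: The driver detected a controller error on \\Device\\Harddisk1\\DR1.
"""

HEADER = re.compile(r"^Error: \((?P<ts>[^)]*)\) \(Source: (?P<source>[^)]*)\) "
                    r"\(EventID: (?P<eid>\d+)\) \(User: (?P<user>[^)]*)\)$")

# My own triage labels for the (Source, EventID) pairs seen in this thread;
# none of them is a malware indicator, which matches the reply below.
LABELS = {("Microsoft-Windows-Immersive-Shell", 5973): "Store app activation noise",
          ("Tcpip", 4199): "duplicate IP on the LAN (network, not malware)",
          ("disk", 11): "controller error (hardware health, not malware)"}

def parse_errors(text):
    """Parse FRST 'Error:' entries; continuation lines are joined into the description."""
    entries = []
    for line in text.splitlines():
        m = HEADER.match(line.strip())
        if m:
            e = m.groupdict()
            e["eid"] = int(e["eid"])
            e["description"] = ""
            entries.append(e)
        elif entries and line.strip():  # continuation of the current entry
            entries[-1]["description"] = (entries[-1]["description"] + " " + line.strip()).strip()
    for e in entries:
        e["description"] = re.sub(r"^Description: ", "", e["description"])
    return entries

def triage(entries):
    """Count recurrences per (Source, EventID) and attach a label."""
    counts = Counter((e["source"], e["eid"]) for e in entries)
    return {key: {"count": n, "label": LABELS.get(key, "unclassified, look up the EventID")}
            for key, n in counts.items()}
```

Run it over the full error section of your own Addition.txt: anything that recurs daily and carries no label is what to look up, while one-off entries with a benign label are the leftovers the reply describes.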

Thanks for the logs and update on system status, regarding your questions:

1. Is there any good alternative for IOBit uninstaller, how about Revo uninstaller? Or is there any other way, like a tool or something, to remove the software completely?

I recommend "GeekUninstaller"; it is free, portable and does not come bundled with unwanted extras...


Download GeekUninstaller from here: http://www.geekuninstaller.com/download (Choose free version) Save Geek.zip to your Desktop. (Visit the Home page at that link for necessary information)

Extract Geek Uninstaller and save to your Desktop. There is no need to install, the executable is portable and can also be run from a USB if required.

Run the tool; the main GUI will populate with the installed programs list.

Left click on the program name to highlight that entry.

Select Action from the Menu bar, then Uninstall, and from there follow the prompts.

If Uninstall fails, open the "Action" menu one more time and use the "Force Removal" option.

Next,

2. A few things from Addition.txt bug me: will these errors cause issues in the system, or are they only leftovers from previous errors?

The errors you mention are harmless and will not cause any issues or concerns. Just ignore them all....


Next,


I guess we can clean up.....


Download "Delfix by Xplode" and save it to your desktop.

Or use the following if first link is down:

"Delfix link mirror"

If your security program alerts to Delfix, either accept the alert or turn your security off.

Double click to start the program. If you are using Vista or higher, please right-click and choose run as administrator.

Make sure the following items are checked:

  • Remove disinfection tools

Now click on "Run" and wait patiently until the tool has completed.

The tool will create a log when it has completed. We don't need you to post this.

Any remnant files/logs from tools we have used can be deleted…


Next,

One other point, I see from the logs that system restore is turned off. If that is a deliberate action, I recommend you keep it on and active....


Read the following links to fully understand PC Security and Best Practices, you may find them useful....

Answers to Common Security Questions and best Practices

Do I need a Registry Cleaner?

Take care and surf safe

Kevin...

Hey Kevin,

Thank you for the 'Geek Uninstaller', appreciate it :)
First thing I removed with that tool was IOBit uninstaller itself :D

Thank you for letting me know that those errors won't be any problem.

As per your suggestion I downloaded and ran Delfix; it deleted the remnants created by the previous security tools.

And yes, switching off system restore was a deliberate action, but as per your advice I have enabled it, thank you (again).

About the shared links regarding PC security - since it's a long read, I made notes from the links - Common 'Security Questions and best Practices' and will be reading it topic by topic.

Thing is, I cannot thank you enough.

You'll receive a small donation a few minutes from now.
Don't get me wrong, but it's not for what you did (which helped me understand Malware removal along with other security issues related to my system). No, because your resolution/guide/info/help is nowhere near the worth in comparison, and I think it would be sort of insulting measuring it with, you know, money or whatnot.

So, consider it as a small token of my gratitude, Thank You sir.

P.S - You're AWESOME! and keep up being one :)

2 weeks later...
Root Admin

Glad we could help. :)

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

This topic is now closed to further replies.