Hello! My computer has been acting very unusually lately. I am a Malwarebytes Premium user. My computer has been very sluggish, especially when running browsers. It is the most sluggish if running IE. The computer runs better but not perfect while in safe mode. I first noticed a problem while updating Java. It normally removes the old version, but didn't this time, so I tried to uninstall it myself through Control Panel. I restarted the system, only to find the changes had been reverted. I then scanned with several different programs (logs attached, but unable to find the Malwarebytes scan, which showed the system was clean). Other than cookies, a suspected PUP and "wecarereminder", it didn't seem as though anything serious was found. While scanning with RogueKiller Premium, it reported about 8 hook.IEAT's, so I posted my results there only to be told they were legitimate. I attempted to uninstall MSE because I wanted to use Malwarebytes as my primary antivirus, but after system restart, it was right back on the system as though I did nothing. I have tried to access System Restore and installed Windows updates, but am unable to, and am only shown some of the results in safe mode. While in regular boot mode, it hangs, then Windows Explorer closes. Can someone take a look at my logs and advise if there is a problem or not, and if clean up is needed, please assist with that? Thank you so much in advance!

Addition.txt

FRST.txt

HitmanPro_20160308_2242.log

rkscan8mar16txtscanresults.txt

emisoft scan_160302-030509.txt

trend micro scan results.txt


Hello cyann5974 and welcome to Malwarebytes,

Please be aware the following P2P/Piracy Warning is a standard opening reply made here at Malwarebytes; we make no accusations but do make you aware of Forum Protocol....
 

If you're using Peer 2 Peer software such as uTorrent, BitTorrent or similar you must either fully uninstall them or completely disable them from running while being assisted here. Failure to remove or disable such software will result in your topic being closed and no further assistance being provided. If you have illegal/cracked software, cracks, keygens etc. on the system, please remove or uninstall them now and read the policy on Piracy.


Anyone other than the original starter of this thread please DO NOT follow the instructions and advice posted as replies here, my help and advice is NOT related to your system and will probably cause more harm than good...


There are two Anti-virus programs installed with realtime protection enabled (Emsisoft and MSE), which will cause major problems for the operating system. You should uninstall one of those ASAP.. Your choice....

 

Next,

 

Uninstall Spybot s&d - Instructions here: https://www.safer-networking.org/faq/how-to-uninstall-2/

 

Next,

 

Download attached fixlist.txt file (end of reply) and save it to the Desktop, or the folder you saved FRST into.
NOTE. It's important that both FRST and fixlist.txt are in the same location or the fix will not work.

Run FRST and press the Fix button just once and wait.
The tool will make a log on the Desktop (Fixlog.txt) or in the folder it was run from. Please post it to your reply.

 

Next,

 

Please open Malwarebytes Anti-Malware.

  • On the Settings tab > Detection and Protection sub tab, Detection Options, tick the box "Scan for rootkits".
  • Under the Non-Malware Protection sub tab, change the PUP and PUM entries to "Treat detections as Malware".
  • Click on the Scan tab, then click on Scan Now >> . If an update is available, click the Update Now button.
  • A Threat Scan will begin.
  • When the scan is complete Apply Actions to any found entries.
  • Wait for the prompt to restart the computer to appear (if applicable), then click on Yes.
  • After the restart once you are back at your desktop, open MBAM once more.


To get the log from Malwarebytes do the following:

  • Click on the History tab > Application Logs.
  • Double click on the scan log which shows the Date and time of the scan just performed.
  • Click Export > From export you have three options:

      Copy to Clipboard - if selected, right click in your reply and select "Paste"; the log will be pasted into your reply
      Text file (*.txt)        - if selected you will have to name the file and save to a place of choice, recommend "Desktop" then attach to reply
      XML file (*.xml)      - if selected you will have to name the file and save to a place of choice, recommend "Desktop" then attach to reply
  • Please use "Copy to Clipboard", then right click in your reply > select "Paste"; that will copy the log to your reply…



Next,

 

Download AdwCleaner by Xplode onto your Desktop.

  • Double click on Adwcleaner.exe to run the tool.
  • Click on Scan in the Actions box
  • Please wait for the scan to finish..
  • When "Waiting for action. Please uncheck elements you want to keep" shows in the top line..
  • Click on the Cleaning box.
  • Next click OK on the "Closing Programs" pop up box.
  • Click OK on the Information box & again OK to allow the necessary reboot
  • After restart the AdwCleaner(C*)-Notepad log will appear, please copy/paste it in your next reply. Where * is the number relative to list of scans completed...


Next,
 
Please download Junkware Removal Tool to your desktop.

  • Shut down your protection software now to avoid potential conflicts. (re-enable when done)
  • Run the tool by double-clicking it. If you are using Windows Vista, 7, or 8; instead of double-clicking, right-mouse click JRT.exe and select "Run as Administrator".
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete depending on your system's specifications.
  • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
  • Post the contents of JRT.txt into your next message.



Next,

 

Download Microsoft's "Malicious Software Removal Tool" and save it directly to the desktop

Ensure to get the correct version for your system....

32 Bit version:
https://www.microsoft.com/downloads/en/confirmation.aspx?FamilyId=AD724AE0-E72D-4F54-9AB3-75B8EB148356&displaylang=en

64 Bit version:
https://www.microsoft.com/downloads/en/confirmation.aspx?FamilyId=585D2BDE-367F-495E-94E7-6349F4EFFC74&displaylang=en

Right click on the Tool, select "Run as Administrator"; the tool will expand to the options Window
In the "Scan Type" window, select Quick Scan
Perform a scan and click Finish when the scan is done.

Retrieve the MSRT log as follows, and post it in your next reply:

1) Select the Windows key and R key together to open the "Run" function
2) Type or Copy/Paste the following command to the "Run Line" and Press Enter:

notepad c:\windows\debug\mrt.log

The log will include details for each time MSRT has run; we only need the most recent log by date and time....

Post those logs, also let me know if you have any remaining issues or concerns..

 

Thank you,

 

Kevin

Fixlist.txt


Kevinf80,

Thank you for your prompt reply and assistance feedback. I am in the process of starting the fix using the FRST fixlist.txt provided to the system, and it prompted for a system reboot. My apologies for the late reply, but multiple attempts at uninstalling the Emsisoft and Spybot programs and their program files as suggested in the link proved fruitless. After uninstall, it prompted a system reboot and was still there with no changes as before. I am attempting to uninstall in normal boot mode this time and run the FRST fixlist again.


If you have trouble with uninstalls use the following tool:

 

Download GeekUninstaller from here: http://www.geekuninstaller.com/download (Choose free version) Save Geek.zip to your Desktop. (Visit the Home page at that link for necessary information)

Extract Geek Uninstaller and save to your Desktop. There is no need to install, the executable is portable and can also be run from a USB if required.

Run the tool; the main GUI will populate with the installed programs list.

Left click on Program name to highlight that entry.

Select Action from the Menu bar, then Uninstall from there follow the prompts.

If Uninstall fails open the "Action" menu one more time and use "Force Removal" option
 

Let me know the outcome...

 

Thank you,

 

Kevin..


Kevinf80,

 

I will try the tool suggested. I didn't have problems with Emsisoft, though it did appear to leave behind some orphan folders. The bigger issue has been with removing Spybot S&D. When I attempt to do it through Add/Remove Programs in Control Panel, it shows it has already been removed, and asks if I would like to remove the entry? When I go to the system files, the folder contents say they can't be deleted because they are in use by the updater service. I will post an update after attempting to use the suggested tool. Thanks again for your feedback and response!


If the issue remains with orphan folders run FRST again; if they show in the logs we can remove them with an FRST fix... Do this after all steps are completed...

 

Run FRST one more time, ensure all boxes are checkmarked under "Whitelist" but only Addition.txt and Shortcut.txt under "Optional scan". Select Scan, and when done post the new logs....

 

Thanks,

 

Kevin..
 


Hi Kevinf80,

 

I downloaded and ran the recommended tool as suggested. Thanks so much for that awesomeness! Thus far, it enabled me to completely delete Java and Search and Destroy, though it took quite some time to do it. I am going to follow the next step as suggested above, and will post/attach its outcome.


Kevinf80:

 

Results of Malwarebytes scan with recommended settings:

 

Malwarebytes Anti-Malware
www.malwarebytes.org
 
Scan Date: 3/14/2016
Scan Time: 5:59 PM
Logfile: 
Administrator: Yes
 
Version: 2.2.0.1024
Malware Database: v2016.03.14.06
Rootkit Database: v2016.03.12.01
License: Premium
Malware Protection: Enabled
Malicious Website Protection: Enabled
Self-protection: Disabled
 
OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: Administrator 
 
Scan Type: Threat Scan
Result: Completed
Objects Scanned: 394065
Time Elapsed: 2 hr, 48 min, 34 sec
 
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled
 
Processes: 0
(No malicious items detected)
 
Modules: 0
(No malicious items detected)
 
Registry Keys: 0
(No malicious items detected)
 
Registry Values: 0
(No malicious items detected)
 
Registry Data: 0
(No malicious items detected)
 
Folders: 0
(No malicious items detected)
 
Files: 0
(No malicious items detected)
 
Physical Sectors: 0
(No malicious items detected)
 
 
(end)
 
On to step 2....

Kevin80:

An update:

Though the tool initially uninstalled and removed entries for Spybot and Java, when the system restarted as required at the end of FRST, all changes were reverted back. Very frustrating. Will attach output asap....

****************************************************Edited To Include Results Output********************************

 Fix result of Farbar Recovery Scan Tool (x64) Version:05-03-2016 01

Ran by Administrator (2016-03-14 21:38:45) Run:1
Running from C:\Users\Administrator\Desktop\Scan, Tweak & Clean
Loaded Profiles: Administrator (Available Profiles: Administrator)
Boot Mode: Normal
==============================================
 
fixlist content:
*****************
Start
CreateRestorePoint:
CloseProcesses:
Winsock: Catalog5-x64 08 C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDNSP.DLL No File 
Winsock: Catalog5-x64 09 C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDNSP.DLL No File 
cmd: netsh winsock reset
BHO-x32: Java Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files (x86)\Java\jre1.8.0_73\bin\ssv.dll => No File
BHO-x32: Java Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files (x86)\Java\jre1.8.0_73\bin\jp2ssv.dll => No File
FF Plugin-x32: @playon.tv/PlayOnToolbar -> C:\Program Files (x86)\MediaMall\toolbar\npVT.dll [No File]
S2 MCSTRM; no ImagePath
S3 catchme; \??\C:\ComboFix\catchme.sys [X]
S3 keycrypt; system32\DRIVERS\KeyCrypt64.sys [X]
S3 MEMSWEEP2; \??\C:\Windows\system32\4691.tmp [X]
C:\Users\Trippenson\jobq.dat
AlternateDataStreams: C:\Windows\SysWOW64\zlib.dll:DocumentSummaryInformation [63]
AlternateDataStreams: C:\Windows\SysWOW64\zlib.dll:SummaryInformation [63]
AlternateDataStreams: C:\Windows\SysWOW64\zlib.dll:{4c8cc155-6c1e-11d1-8e41-00c04fb9386d} [0]
AlternateDataStreams: C:\ProgramData\TEMP:16E7793D [154]
AlternateDataStreams: C:\ProgramData\TEMP:330B710D [136]
AlternateDataStreams: C:\ProgramData\TEMP:36CB2BB0 [129]
AlternateDataStreams: C:\ProgramData\TEMP:427CF283 [118]
AlternateDataStreams: C:\ProgramData\TEMP:703F5242 [120]
AlternateDataStreams: C:\ProgramData\TEMP:744022A1 [292]
AlternateDataStreams: C:\ProgramData\TEMP:76C56CCB [137]
AlternateDataStreams: C:\ProgramData\TEMP:8626A8FC [120]
AlternateDataStreams: C:\ProgramData\TEMP:887EAE14 [158]
AlternateDataStreams: C:\ProgramData\TEMP:8DA5A13A [137]
AlternateDataStreams: C:\ProgramData\TEMP:A13B1B25 [140]
AlternateDataStreams: C:\ProgramData\TEMP:A20F1AF8 [144]
AlternateDataStreams: C:\ProgramData\TEMP:AA341DB1 [140]
AlternateDataStreams: C:\ProgramData\TEMP:B24930D4 [116]
AlternateDataStreams: C:\ProgramData\TEMP:B8F8512D [140]
AlternateDataStreams: C:\ProgramData\TEMP:C4B264B5 [132]
AlternateDataStreams: C:\ProgramData\TEMP:D01EDC15 [134]
AlternateDataStreams: C:\ProgramData\TEMP:FE53E4F7 [116]
CMD: ipconfig /flushdns
EmptyTemp:
end
 
 
 
*****************
 
Restore point was successfully created.
Processes closed successfully.
HKLM\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries64\000000000008 => key not found. 
HKLM\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries64\000000000009 => key not found. 
 
=========  netsh winsock reset =========
 
 
Sucessfully reset the Winsock Catalog.
You must restart the computer in order to complete the reset.
 
 
========= End of CMD: =========
 
"HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}" => key removed successfully
"HKCR\Wow6432Node\CLSID\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}" => key removed successfully
"HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}" => key removed successfully
"HKCR\Wow6432Node\CLSID\{DBC80044-A445-435b-BC74-9C25C1C588A9}" => key removed successfully
"HKLM\Software\Wow6432Node\MozillaPlugins\@playon.tv/PlayOnToolbar" => key removed successfully
MCSTRM => service not found.
catchme => service not found.
keycrypt => service not found.
MEMSWEEP2 => service not found.
"C:\Users\Administrator\jobq.dat" => not found.
"C:\Windows\SysWOW64\zlib.dll" => ":DocumentSummaryInformation" ADS not found.
"C:\Windows\SysWOW64\zlib.dll" => ":SummaryInformation" ADS not found.
"C:\Windows\SysWOW64\zlib.dll" => ":{4c8cc155-6c1e-11d1-8e41-00c04fb9386d}" ADS not found.
"C:\ProgramData\TEMP" => ":16E7793D" ADS not found.
"C:\ProgramData\TEMP" => ":330B710D" ADS not found.
"C:\ProgramData\TEMP" => ":36CB2BB0" ADS not found.
"C:\ProgramData\TEMP" => ":427CF283" ADS not found.
"C:\ProgramData\TEMP" => ":703F5242" ADS not found.
"C:\ProgramData\TEMP" => ":744022A1" ADS not found.
"C:\ProgramData\TEMP" => ":76C56CCB" ADS not found.
"C:\ProgramData\TEMP" => ":8626A8FC" ADS not found.
"C:\ProgramData\TEMP" => ":887EAE14" ADS not found.
"C:\ProgramData\TEMP" => ":8DA5A13A" ADS not found.
"C:\ProgramData\TEMP" => ":A13B1B25" ADS not found.
"C:\ProgramData\TEMP" => ":A20F1AF8" ADS not found.
"C:\ProgramData\TEMP" => ":AA341DB1" ADS not found.
"C:\ProgramData\TEMP" => ":B24930D4" ADS not found.
"C:\ProgramData\TEMP" => ":B8F8512D" ADS not found.
"C:\ProgramData\TEMP" => ":C4B264B5" ADS not found.
"C:\ProgramData\TEMP" => ":D01EDC15" ADS not found.
"C:\ProgramData\TEMP" => ":FE53E4F7" ADS not found.
 
=========  ipconfig /flushdns =========
 
 
Windows IP Configuration
 
Successfully flushed the DNS Resolver Cache.
 
========= End of CMD: =========
 
EmptyTemp: => 54.4 MB temporary data Removed.
 
 
The system needed a reboot.
 
==== End of Fixlog 21:49:34 ====
 
 
 
It appears as though all change attempts revert back upon reboot. I have still been having issues with accessibility to System Restore and similar Control Panel settings.

Hi Kevin,

Thanks for your timely response and feedback. Log for Adwcleaner:

# AdwCleaner v5.102 - Logfile created 15/03/2016 at 08:21:04
# Updated 13/03/2016 by Xplode
# Database : 2016-03-14.1 [Server]
# Operating system : Windows 7 Home Premium Service Pack 1 (x64)
# Username : Administrator - Administrator-PC
# Running from : C:\Users\Administrator\Desktop\AdwCleaner.exe
# Option : Scan
# Support : http://toolslib.net/forum

***** [ Services ] *****


***** [ Folders ] *****

Folder Found : C:\ProgramData\Trymedia

***** [ Files ] *****


***** [ DLL ] *****


***** [ Shortcuts ] *****


***** [ Scheduled tasks ] *****


***** [ Registry ] *****

Key Found : HKLM\SOFTWARE\Classes\CLSID\{E7BC34A3-BA86-11CF-84B1-CBC2DA68BF6C}
Key Found : HKLM\SOFTWARE\Classes\Interface\{0DC81A74-1FBD-4EF6-82B2-DE3FA05E8233}
Key Found : HKLM\SOFTWARE\Classes\Interface\{1B26E4A2-7F09-4365-9AB8-13E6891E42CB}
Key Found : HKLM\SOFTWARE\Classes\Interface\{21402197-BB5B-476C-AA1D-3FFED8ED813A}
Key Found : HKLM\SOFTWARE\Classes\Interface\{42E8D680-A18B-4CAA-ACE0-18EA05E4A056}
Key Found : HKLM\SOFTWARE\Classes\Interface\{454A4044-16EC-4D64-9069-C5B8832B7B55}
Key Found : HKLM\SOFTWARE\Classes\Interface\{4FEB1BAD-35AD-4A08-B6EC-E6D832F1ED4D}
Key Found : HKLM\SOFTWARE\Classes\Interface\{8F2B3016-17D4-447A-B207-FFA8957A834A}
Key Found : HKLM\SOFTWARE\Classes\Interface\{E66B63B0-49F8-47E3-A9BA-799287B59E87}
Key Found : HKLM\SOFTWARE\Classes\Interface\{F8FA5B48-B7A2-4BC6-8389-9587643A4660}
Key Found : [x64] HKLM\SOFTWARE\Classes\Interface\{0DC81A74-1FBD-4EF6-82B2-DE3FA05E8233}
Key Found : [x64] HKLM\SOFTWARE\Classes\Interface\{1B26E4A2-7F09-4365-9AB8-13E6891E42CB}
Key Found : [x64] HKLM\SOFTWARE\Classes\Interface\{21402197-BB5B-476C-AA1D-3FFED8ED813A}
Key Found : [x64] HKLM\SOFTWARE\Classes\Interface\{42E8D680-A18B-4CAA-ACE0-18EA05E4A056}
Key Found : [x64] HKLM\SOFTWARE\Classes\Interface\{454A4044-16EC-4D64-9069-C5B8832B7B55}
Key Found : [x64] HKLM\SOFTWARE\Classes\Interface\{4FEB1BAD-35AD-4A08-B6EC-E6D832F1ED4D}
Key Found : [x64] HKLM\SOFTWARE\Classes\Interface\{8F2B3016-17D4-447A-B207-FFA8957A834A}
Key Found : [x64] HKLM\SOFTWARE\Classes\Interface\{E66B63B0-49F8-47E3-A9BA-799287B59E87}
Key Found : [x64] HKLM\SOFTWARE\Classes\Interface\{F8FA5B48-B7A2-4BC6-8389-9587643A4660}
Key Found : HKLM\SOFTWARE\Trymedia Systems
Key Found : HKLM\SOFTWARE\PogoDGC

***** [ Web browsers ] *****

[C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Web data] [Search Provider] Found : aol.com
[C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Web data] [Search Provider] Found : ask.com

*************************

C:\Program Files (x86)\AdwCleaner\AdwCleaner[C1].txt - [3072 bytes] - [07/03/2016 17:47:26]
C:\Program Files (x86)\AdwCleaner\AdwCleaner[C2].txt - [1509 bytes] - [11/03/2016 04:10:15]
C:\Program Files (x86)\AdwCleaner\AdwCleaner[S1].txt - [2752 bytes] - [07/03/2016 17:38:02]
C:\Program Files (x86)\AdwCleaner\AdwCleaner[S2].txt - [1303 bytes] - [11/03/2016 03:24:55]
C:\Program Files (x86)\AdwCleaner\AdwCleaner[S3].txt - [2953 bytes] - [15/03/2016 08:21:04]

########## EOF - C:\Program Files (x86)\AdwCleaner\AdwCleaner[S3].txt - [3046 bytes] ##########

after which it prompted a reboot to clean the found items.

FRST and Addition logs attached. After reboot, it appears as though the fixes and deletes have again been reverted... Spybot and old Java are still present.


Addition.txt

FRST.txt


Kevin,

Results of JRT:

 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Malwarebytes
Version: 8.0.3 (02.09.2016)
Operating System: Windows 7 Home Premium x64 
Ran by Administrator (Administrator) on Tue 03/15/2016 at 10:34:33.06
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


File System: 17 

Successfully deleted: C:\Users\Administrator\AppData\Roaming\alawarentertainment (Folder) 
Successfully deleted: C:\Users\Administrator\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\21SICF7O (Temporary Internet Files Folder) 
Successfully deleted: C:\Users\Administrator\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\46GOX4MH (Temporary Internet Files Folder) 
Successfully deleted: C:\Users\Administrator\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\9KCNEX4K (Temporary Internet Files Folder) 
Successfully deleted: C:\Users\Administrator\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\EIF4I6GJ (Temporary Internet Files Folder) 
Successfully deleted: C:\Users\Administrator\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\EJ5YLKQE (Temporary Internet Files Folder) 
Successfully deleted: C:\Users\Administrator\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\F10F80K6 (Temporary Internet Files Folder) 
Successfully deleted: C:\Users\Administrator\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\KC7VA0SZ (Temporary Internet Files Folder) 
Successfully deleted: C:\Users\Administrator\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZFNC074A (Temporary Internet Files Folder) 
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\21SICF7O (Temporary Internet Files Folder) 
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\46GOX4MH (Temporary Internet Files Folder) 
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\9KCNEX4K (Temporary Internet Files Folder) 
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\EIF4I6GJ (Temporary Internet Files Folder) 
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\EJ5YLKQE (Temporary Internet Files Folder) 
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\F10F80K6 (Temporary Internet Files Folder) 
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\KC7VA0SZ (Temporary Internet Files Folder) 
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZFNC074A (Temporary Internet Files Folder) 

Registry: 1 

Successfully deleted: HKLM\Software\MozillaPlugins\@playon.tv/playontoolbar (Registry Key) 


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on Tue 03/15/2016 at 10:36:07.41
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 

Will be scanning with Malicious Software Removal Tool next.

My concern throughout this process is that the changes aren't permanent upon the system reboot when required. I can access Task Manager, but not the Task Scheduler. Maybe I am not explaining it right, but the area where you can either disable, stop, or delete a scheduled task, for example the Google, ARM, and Flash scheduled updater services. When I attempt to, it hangs and says it couldn't be changed or stopped. It almost seems like legitimate Windows keys or settings were replaced with rogue ones or something, because prior to this happening, I had no issues accessing or viewing installed updates, or changing settings. Now, I am only able to view some of the installed updates, and only while in safe mode.


I can stop the tasks you mention, and I'll also remove whatever remnants I can see in the logs... I do not see Java anywhere...

I can remove the tasks you mention with an FRST fix, also some remnants from Spybot and Vipre...

 

Download attached fixlist.txt file (end of reply) and save it to the Desktop, or the folder you saved FRST into.
NOTE. It's important that both FRST and fixlist.txt are in the same location or the fix will not work.

Run FRST and press the Fix button just once and wait.
The tool will make a log on the Desktop (Fixlog.txt) or in the folder it was run from. Please post it to your reply.

 

Next,

 

Download Services Repair tool, available here -

http://kb.eset.com/library/ESET/KB%20Team%20Only/Malware/ServicesRepair.exe

Save it to your Desktop. Right click on it and select Run As Administrator, follow the prompts. It should reboot when it finishes. If not reboot it yourself.

 

Next,

 

Boot your system to normal mode and see if you can run FRST in that mode. Ensure all boxes are checkmarked under "Whitelist", but only Addition.txt under "Optional scans".

 

Post those logs, also give an update on any remaining issues or concerns...

 

Thank you,

 

Kevin


Fixlist.txt


Kevin,

Thanks for the reply. The MS tool took quite some time to finish, but I was finally able to use the Run function and pull up the scan results:

The first results were from the quick scan and the last was from the full c:/ scan.


---------------------------------------------------------------------------------------
Microsoft Windows Malicious Software Removal Tool v5.33, February 2016 (build 5.33.12300.0)
Started On Tue Mar 15 10:27:05 2016

Engine: 1.1.12400.0
Signatures: 1.213.4702.0

---------------------------------------------------------------------------------------
Microsoft Windows Malicious Software Removal Tool v5.34, March 2016 (build 5.34.12400.0)
Started On Tue Mar 15 11:17:09 2016

Engine: 1.1.12400.0
Signatures: 1.213.7173.0

Results Summary:
----------------
No infection found.
Microsoft Windows Malicious Software Removal Tool Finished On Tue Mar 15 11:25:01 2016


Return code: 0 (0x0)

---------------------------------------------------------------------------------------
Microsoft Windows Malicious Software Removal Tool v5.34, March 2016 (build 5.34.12400.0)
Started On Tue Mar 15 11:27:07 2016

Engine: 1.1.12400.0
Signatures: 1.213.7173.0

Results Summary:
----------------
No infection found.
Microsoft Windows Malicious Software Removal Tool Finished On Tue Mar 15 22:43:59 2016


Return code: 0 (0x0)
 

Moving on to the next step of running FRST again using the fixlist.

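The MSRT instructions above say mrt.log accumulates one block per run and only the most recent one is wanted. As an added example (not part of this thread or of any Malwarebytes or Microsoft tool), the Python below parses that format, picks the latest run by its "Started On" timestamp, and flags a run that never wrote a "Finished On" line. The sample log is constructed to mirror the layout of the log posted above.

```python
"""Pick the most recent MSRT run out of a Windows mrt.log file."""
import re
from dataclasses import dataclass, field
from datetime import datetime
from typing import List, Optional

# mrt.log appends one block per run; each block opens with a long dashed line.
SEPARATOR = re.compile(r"^-{40,}$")
HEADER = re.compile(r"Malicious Software Removal Tool (v[\d.]+), .*?\(build ([\d.]+)\)")
STARTED = re.compile(r"^Started On (.+?)$")
FINISHED = re.compile(r"Finished On (.+?)$")
SIGNATURES = re.compile(r"^Signatures:\s*(\S+)")
RETURN_CODE = re.compile(r"^Return code:\s*(\d+)")
TIME_FORMAT = "%a %b %d %H:%M:%S %Y"  # e.g. "Tue Mar 15 11:17:09 2016"

# Constructed sample in the same layout as the mrt.log excerpt posted in this
# thread. The first block has no "Finished On" line: that run never completed.
SAMPLE_LOG = """\
---------------------------------------------------------------------------------------
Microsoft Windows Malicious Software Removal Tool v5.33, February 2016 (build 5.33.12300.0)
Started On Tue Mar 15 10:27:05 2016

Engine: 1.1.12400.0
Signatures: 1.213.4702.0

---------------------------------------------------------------------------------------
Microsoft Windows Malicious Software Removal Tool v5.34, March 2016 (build 5.34.12400.0)
Started On Tue Mar 15 11:17:09 2016

Engine: 1.1.12400.0
Signatures: 1.213.7173.0

Results Summary:
----------------
No infection found.
Microsoft Windows Malicious Software Removal Tool Finished On Tue Mar 15 11:25:01 2016


Return code: 0 (0x0)
"""


@dataclass
class MrtRun:
    version: str = ""
    build: str = ""
    signatures: str = ""
    started: Optional[datetime] = None
    finished: Optional[datetime] = None
    return_code: Optional[int] = None
    findings: List[str] = field(default_factory=list)

    @property
    def completed(self) -> bool:
        # An interrupted run (reboot, killed tool) writes neither a
        # "Finished On" line nor a return code.
        return self.finished is not None and self.return_code is not None


def parse_mrt_log(text: str) -> List[MrtRun]:
    """Split mrt.log text into one MrtRun per dashed-separator block."""
    runs: List[MrtRun] = []
    current: Optional[MrtRun] = None
    in_summary = False
    for raw in text.splitlines():
        line = raw.strip()
        if SEPARATOR.match(line):
            current = MrtRun()          # a dashed line opens a new run block
            runs.append(current)
            in_summary = False
            continue
        if current is None or not line:
            continue
        if (m := HEADER.search(line)):
            current.version, current.build = m.group(1), m.group(2)
        elif (m := STARTED.match(line)):
            current.started = datetime.strptime(m.group(1), TIME_FORMAT)
        elif (m := SIGNATURES.match(line)):
            current.signatures = m.group(1)
        elif line == "Results Summary:":
            in_summary = True
        elif (m := FINISHED.search(line)):
            current.finished = datetime.strptime(m.group(1), TIME_FORMAT)
            in_summary = False
        elif (m := RETURN_CODE.match(line)):
            current.return_code = int(m.group(1))
        elif in_summary and not line.startswith("-"):
            current.findings.append(line)   # skips the short "----" underline
    # Drop blocks with no "Started On" line (e.g. a trailing separator).
    return [r for r in runs if r.started is not None]


def most_recent_run(runs: List[MrtRun]) -> Optional[MrtRun]:
    """The run with the latest Started On timestamp, or None if there are none."""
    return max(runs, key=lambda r: r.started, default=None)


if __name__ == "__main__":
    runs = parse_mrt_log(SAMPLE_LOG)
    for run in runs:
        state = "completed" if run.completed else "INCOMPLETE (no Finished On line)"
        print(f"{run.version} started {run.started}: {state}")
    latest = most_recent_run(runs)
    print("Most recent run:", latest.version, latest.findings, "return code", latest.return_code)
```

On a real machine, read the text from `C:\Windows\debug\mrt.log` (the path given above) instead of `SAMPLE_LOG`; the separator and header lines are the same.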

Kevin:

 

Fix result of Farbar Recovery Scan Tool (x64) Version:05-03-2016 01
Ran by Administrator (2016-03-17 07:51:35) Run:2
Running from C:\Users\Administrator\Desktop
Loaded Profiles: Administrator (Available Profiles: Administrator)
Boot Mode: Normal
==============================================

fixlist content:
*****************
Start
CreateRestorePoint:
CloseProcesses:
HKU\S-1-5-21-3331748830-2736650989-2071172937-1001\...\Run: [SpybotPostWindows10UpgradeReInstall] => "C:\Program Files\Common Files\AV\Spybot - Search and Destroy\Test.exe"
C:\Program Files\Common Files\AV\Spybot - Search and Destroy\
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
HKU\S-1-5-21-3331748830-2736650989-2071172937-1001\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
CHR HKLM-x32\...\Chrome\Extension: [lggaaajacmlhgbpldaboipiinndchjgm] - C:\Program Files (x86)\MediaMall\toolbar\ce.crx <not found>
C:\Program Files (x86)\MediaMall
S2 SDScannerService; "C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe" [X]
S3 SDWSCService; "C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe" [X]
S1 epp; \??\C:\PROGRAM FILES\EMSISOFT ANTI-MALWARE\epp.sys [X]
C:\ProgramData\Spybot - Search & Destroy
C:\ProgramData\Trymedia
C:\Program Files (x86)\Spybot - Search & Destroy 2
Task: {A6E32170-1C3C-42DA-9973-CF3A1D8F4C66} - System32\Tasks\Safer-Networking\Spybot Anti-Beacon\Refresh Anti-Beacon immunization => C:\Program Files (x86)\Spybot Anti-Beacon\SDAntiBeacon.exe
C:\Program Files (x86)\Spybot Anti-Beacon
Task: C:\Windows\Tasks\Check for updates (Spybot - Search & Destroy).job => C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdate.exe
Task: C:\Windows\Tasks\Scan the system (Spybot - Search & Destroy).job => C:\Program Files (x86)\Spybot - Search & Destroy 2\SDScan.exe
S3 gfiark; C:\Windows\System32\drivers\gfiark.sys [40584 2015-08-27] (ThreatTrack Security)
C:\Windows\System32\drivers\gfiark.sys
S3 gfiutil; C:\Windows\System32\drivers\gfiutil.sys [31264 2013-09-04] (ThreatTrack Security)
C:\Windows\System32\drivers\gfiutil.sys
C:\Windows\system32\Drivers\tmrkb.sys
C:\Windows\system32\Drivers\tmcomm.sys
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\WinPatrol
Task: {528B58BE-668B-44AE-9D60-730822F30F58} - System32\Tasks\Adobe Acrobat Update Task => C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe [2015-12-14] (Adobe Systems Incorporated)
Task: {88E03E82-11B2-4DC8-B7C5-6B814F4DC5C8} - System32\Tasks\GoogleUpdateTaskMachineCore => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2015-09-24] (Google Inc.)
Task: {ACFCA159-C4F8-4E53-8773-7EAF52C4E466} - System32\Tasks\Adobe Flash Player Updater => C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2016-02-10] (Adobe Systems Incorporated)
Task: {FDA320BB-DB84-4D7E-80AD-32CF125F5B55} - System32\Tasks\GoogleUpdateTaskMachineUA => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2015-09-24] (Google Inc.)
Task: C:\Windows\Tasks\Check for updates (Spybot - Search & Destroy).job => C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdate.exe
Task: C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
Task: C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
Task: C:\Windows\Tasks\Refresh immunization (Spybot - Search & Destroy).job => C:\Program Files (x86)\Spybot - Search & Destroy 2\SDImmunize.exe
Task: C:\Windows\Tasks\Scan the system (Spybot - Search & Destroy).job => C:\Program Files (x86)\Spybot - Search & Destroy 2\SDScan.exe
CMD: ipconfig /flushdns
EmptyTemp:
end

*****************

Error: (0) Failed to create a restore point.
Processes closed successfully.
HKU\S-1-5-21-3331748830-2736650989-2071172937-1001\Software\Microsoft\Windows\CurrentVersion\Run\\SpybotPostWindows10UpgradeReInstall => value removed successfully
C:\Program Files\Common Files\AV\Spybot - Search and Destroy => moved successfully
"HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer" => key removed successfully
"HKU\S-1-5-21-3331748830-2736650989-2071172937-1001\SOFTWARE\Policies\Microsoft\Internet Explorer" => key removed successfully
"HKLM\SOFTWARE\Wow6432Node\Google\Chrome\Extensions\lggaaajacmlhgbpldaboipiinndchjgm" => key removed successfully
"C:\Program Files (x86)\MediaMall" => not found.
SDScannerService => service removed successfully
SDWSCService => service removed successfully
epp => service removed successfully
C:\ProgramData\Spybot - Search & Destroy => moved successfully
"C:\ProgramData\Trymedia" => not found.
C:\Program Files (x86)\Spybot - Search & Destroy 2 => moved successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Boot\{A6E32170-1C3C-42DA-9973-CF3A1D8F4C66}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{A6E32170-1C3C-42DA-9973-CF3A1D8F4C66}" => key removed successfully
C:\Windows\System32\Tasks\Safer-Networking\Spybot Anti-Beacon\Refresh Anti-Beacon immunization => moved successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Safer-Networking\Spybot Anti-Beacon\Refresh Anti-Beacon immunization" => key removed successfully
"C:\Program Files (x86)\Spybot Anti-Beacon" => not found.
C:\Windows\Tasks\Check for updates (Spybot - Search & Destroy).job => moved successfully
C:\Windows\Tasks\Scan the system (Spybot - Search & Destroy).job => moved successfully
gfiark => service removed successfully
C:\Windows\System32\drivers\gfiark.sys => moved successfully
gfiutil => service removed successfully
C:\Windows\System32\drivers\gfiutil.sys => moved successfully
C:\Windows\system32\Drivers\tmrkb.sys => moved successfully
C:\Windows\system32\Drivers\tmcomm.sys => moved successfully
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\WinPatrol => moved successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon\{528B58BE-668B-44AE-9D60-730822F30F58}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{528B58BE-668B-44AE-9D60-730822F30F58}" => key removed successfully
C:\Windows\System32\Tasks\Adobe Acrobat Update Task => moved successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Adobe Acrobat Update Task" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon\{88E03E82-11B2-4DC8-B7C5-6B814F4DC5C8}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{88E03E82-11B2-4DC8-B7C5-6B814F4DC5C8}" => key removed successfully
C:\Windows\System32\Tasks\GoogleUpdateTaskMachineCore => moved successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\GoogleUpdateTaskMachineCore" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{ACFCA159-C4F8-4E53-8773-7EAF52C4E466}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{ACFCA159-C4F8-4E53-8773-7EAF52C4E466}" => key removed successfully
C:\Windows\System32\Tasks\Adobe Flash Player Updater => moved successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Adobe Flash Player Updater" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{FDA320BB-DB84-4D7E-80AD-32CF125F5B55}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{FDA320BB-DB84-4D7E-80AD-32CF125F5B55}" => key removed successfully
C:\Windows\System32\Tasks\GoogleUpdateTaskMachineUA => moved successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\GoogleUpdateTaskMachineUA" => key removed successfully
C:\Windows\Tasks\Check for updates (Spybot - Search & Destroy).job => not found.
C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job => moved successfully
C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job => moved successfully
C:\Windows\Tasks\Refresh immunization (Spybot - Search & Destroy).job => moved successfully
C:\Windows\Tasks\Scan the system (Spybot - Search & Destroy).job => not found.

=========  ipconfig /flushdns =========


Windows IP Configuration

Successfully flushed the DNS Resolver Cache.

========= End of CMD: =========

EmptyTemp: => 60.9 MB temporary data Removed.


The system needed a reboot.

==== End of Fixlog 08:27:21 ====

 

I rebooted the system and saw all changes were reverted back and didn't remain changed...

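As an added example (this is not part of Kevin's fix, nor FRST's own code), here is a PowerShell script that re-checks a Fixlog after a reboot. It reads every "moved successfully" / "removed successfully" line from Fixlog.txt, tests whether each file, folder, registry key, value or service exists again, and prints a table, which is the quickest way to tell "everything came back" from "one item keeps re-installing itself". The Fixlog path is an assumption (FRST writes Fixlog.txt next to FRST64.exe); the sample lines embedded in the script are copied from the Fixlog above so it can be run without a real log.

```powershell
# Added example, not from the thread or from FRST: re-check a FRST Fixlog after reboot.
# Assumption: Fixlog.txt sits in the current directory (FRST writes it next to FRST64.exe).
param(
    [string]$FixlogPath = (Join-Path (Get-Location) 'Fixlog.txt')
)

# Constructed sample (lines copied from the Fixlog above) so the script runs without a real log.
$sampleLog = @'
HKU\S-1-5-21-3331748830-2736650989-2071172937-1001\Software\Microsoft\Windows\CurrentVersion\Run\\SpybotPostWindows10UpgradeReInstall => value removed successfully
C:\Program Files\Common Files\AV\Spybot - Search and Destroy => moved successfully
"HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer" => key removed successfully
SDScannerService => service removed successfully
gfiark => service removed successfully
C:\Windows\System32\drivers\gfiark.sys => moved successfully
C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job => moved successfully
"C:\Program Files (x86)\MediaMall" => not found.
'@

$lines = if (Test-Path -LiteralPath $FixlogPath) { Get-Content -LiteralPath $FixlogPath }
         else { $sampleLog -split "`r?`n" }

function Convert-FrstRegPath([string]$Key) {
    # FRST writes HKLM\... / HKU\... ; the registry provider wants Registry::HKEY_... paths.
    $Key = $Key.Trim('"')
    switch -Regex ($Key) {
        '^HKLM\\' { return 'Registry::HKEY_LOCAL_MACHINE\' + $Key.Substring(5) }
        '^HKU\\'  { return 'Registry::HKEY_USERS\'         + $Key.Substring(4) }
        '^HKCU\\' { return 'Registry::HKEY_CURRENT_USER\'  + $Key.Substring(5) }
        default   { return $Key }
    }
}

function Test-FixlogEntry([string]$Line) {
    # Returns $null for lines that are not removal records (headers, "not found", CMD output).
    $pattern = '^(?<target>.+?) => (?<result>moved successfully|key removed successfully|' +
               'value removed successfully|service removed successfully)\s*$'
    if ($Line -notmatch $pattern) { return $null }
    $target = $Matches['target']
    $result = $Matches['result']

    $present = switch ($result) {
        'moved successfully'       { Test-Path -LiteralPath $target.Trim('"') }
        'key removed successfully' { Test-Path -LiteralPath (Convert-FrstRegPath $target) }
        'service removed successfully' {
            # Checked in the registry rather than with Get-Service so kernel drivers
            # (gfiark, gfiutil) are covered as well as Win32 services.
            Test-Path -LiteralPath "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\$target"
        }
        'value removed successfully' {
            # FRST separates the key from the value name with a double backslash.
            $key, $value = $target -split '\\\\', 2
            $item = Get-ItemProperty -LiteralPath (Convert-FrstRegPath $key) -Name $value -ErrorAction SilentlyContinue
            [bool]$item
        }
    }
    New-Object PSObject -Property @{ Target = $target; Action = $result; BackAfterReboot = $present }
}

$report = @($lines | ForEach-Object { Test-FixlogEntry $_ } | Where-Object { $_ })
$report | Format-Table -Property BackAfterReboot, Action, Target -AutoSize

$back = @($report | Where-Object { $_.BackAfterReboot }).Count
"{0} of {1} items the fix removed are present again" -f $back, $report.Count
```

Run it from an elevated PowerShell window after the reboot (reading HKU and the Services key needs admin rights on some systems). If only a handful of entries come back, each of those is a persistence point to chase individually; if every single file, key and service is back exactly as before, that points at something restoring the whole disk or registry state at boot rather than at any one program re-installing itself, and that is the more useful thing to tell the helper.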

Hi Kevin,

I was unable to do this yesterday after your reply as I was away from my computer. I am in the process of running the scan as suggested and will post results as they arrive. To make a long story short, using the tool recommended above, I attempted to uninstall all versions of Java and Flash, Spybot, and the other version of PlayOn, and when I restarted, in addition to the other advice given that I followed, I found everything seemingly unchanged and programs still there. For some reason, since the required Java update on 10 February 2016, when updating other programs including Java, instead of removing the old version during install, it installed over top of it. I went to the site to use the uninstall old versions tool, and it says there isn't one there to uninstall, but in add/remove programs it shows two versions present...

This topic is now closed to further replies.