Malware disabling/uninstalling Malwarebytes and closing programs

[iniestra310]

I started having problems a couple of weeks back, after doing some digging online I was able to uninstall some of the malware on my brother's computer but it still seems like there is something there. I was able to install Malwarebytes by running the laptop in safe mode and then installing the program through a USB and that took care of some of the malware. Afterward I attempted to run Malwarebytes in normal mode, but the program kept closing abruptly. I then read about Malwarebytes Chameleon and after messing around with it for a bit, I was able to remove another handful of threats via normal mode. I still seem to having the problem where my internet explorer tab closes abruptly, not to mention that whenever I go out of safe mode into Normal mode, my Malwarebytes gets uninstalled and I am unable to run it. I don't know where to go from here... I attached all of the scans I performed below.

scan1.txt

scan2.txt

scan3.txt

scan4.txt

scan5.txt

daily1.txt

[kevinf80]

Hello iniestra310 and welcome to Malwarebytes, My screen name is kevinf80, i`m here to help clean up your system, continue as follows please: Download RKill from here: http://www.bleepingcomputer.com/download/rkill/ There are three buttons to choose from with different names on, select the first one and save it to your desktop.   Double-click on the Rkill desktop icon to run the tool. If using Vista or Windows 7/8/10, right-click on it and Run As Administrator. A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully. A log pops up at the end of the run. This log file is located at C:\rkill.log. Please post this in your next reply. If you do not see the black box flash on the screen delete the icon from the desktop and go back to the link for the download, select the next button and try to run the tool again, continue to repeat this process using the remaining buttons until the tool runs. You will find further links if you scroll down the page with other names, try them one at a time. If the tool does not run from any of the links provided, please let me know. Next, Please open Malwarebytes Anti-Malware.   On the Settings tab > Detection and Protection sub tab, Detection Options, tick the box "Scan for rootkits". Under Non-Malware Protection sub tab Change PUP and PUM entries to Treat detections as Malware Click on the Scan tab, then click on Scan Now >> . If an update is available, click the Update Now button. A Threat Scan will begin. When the scan is complete Apply Actions to any found entries. Wait for the prompt to restart the computer to appear (if applicable), then click on Yes. After the restart once you are back at your desktop, open MBAM once more. To get the log from Malwarebytes do the following:   Click on the History tab > Application Logs. Double click on the scan log which shows the Date and time of the scan just performed. Click Export > From export you have three options: Copy to Clipboard - if seleted right click to your reply and select "Paste" log will be pasted to your reply Text file (*.txt) - if selected you will have to name the file and save to a place of choice, recommend "Desktop" then attach to reply XML file (*.xml) - if selected you will have to name the file and save to a place of choice, recommend "Desktop" then attach to reply   Please use "Copy to Clipboard, then Right click to your reply > select "Paste" that will copy the log to your reply… If Malwarebytes is not installed follow these instructions first: Download Malwarebytes Anti-Malware to your desktop. Double-click mbam-setup and follow the prompts to install the program. At the end, be sure a checkmark is placed next to the following: Launch Malwarebytes Anti-Malware A 14 day trial of the Premium features is pre-selected. You may deselect this if you wish, and it will not diminish the scanning and removal capabilities of the program. Click Finish. Follow the instructions above.... Next, Download Farbar Recovery Scan Tool and save it to your desktop. Note: You need to run the version compatible with your system (32 bit or 64 bit). If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version. If your security alerts to FRST either, accept the alert or turn your security off to allow FRST to run. It is not malicious or infected in any way...   Double-click to run it. When the tool opens click Yes to disclaimer.(Windows 8/10 users will be prompted about Windows SmartScreen protection - click More information and Run.) Make sure Addition.txt is checkmarked under "Optional scans" Press Scan button to run the tool.... It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply. The tool will also make a log named (Addition.txt) Please attach those logs to your reply. Let me see those logs in your reply... Thank you, Kevin...

[iniestra310]

Malwarebytes Anti-Malware
www.malwarebytes.org

 

Scan Date: 4/18/2016
Scan Time: 8:46 AM
Logfile:
Administrator: Yes

 

Version: 2.2.1.1043
Malware Database: v2016.04.18.05
Rootkit Database: v2016.04.17.01
License: Free
Malware Protection: Disabled
Malicious Website Protection: Disabled
Self-protection: Disabled

 

OS: Windows 10
CPU: x64
File System: NTFS
User: User

 

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 328962
Time Elapsed: 17 min, 53 sec

 

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled

 

Processes: 0
(No malicious items detected)

 

Modules: 0
(No malicious items detected)

 

Registry Keys: 4
PUP.Optional.eShopComp, HKU\S-1-5-21-341121232-1806225534-2008626044-1001_Classes\LOCAL SETTINGS\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\APPCONTAINER\STORAGE\MICROSOFT.MICROSOFTEDGE_8WEKYB3D8BBWE\CHILDREN\001\INTERNET EXPLORER\DOMSTORAGE\eshopcomp.com, Quarantined, [311c68481c7d62d47e056b3a7391f30d],
PUP.Optional.eShopComp, HKU\S-1-5-21-341121232-1806225534-2008626044-1001_Classes\LOCAL SETTINGS\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\APPCONTAINER\STORAGE\MICROSOFT.MICROSOFTEDGE_8WEKYB3D8BBWE\CHILDREN\001\INTERNET EXPLORER\DOMSTORAGE\pstatic.eshopcomp.com, Quarantined, [c7869f11099095a1abd94d582dd7fb05],
PUP.Optional.eShopComp, HKU\S-1-5-21-341121232-1806225534-2008626044-1001_Classes\LOCAL SETTINGS\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\APPCONTAINER\STORAGE\MICROSOFT.MICROSOFTEDGE_8WEKYB3D8BBWE\CHILDREN\001\INTERNET EXPLORER\EDPDOMSTORAGE\eshopcomp.com, Quarantined, [a9a4565a6b2e1125ceb7386dc53f22de],
PUP.Optional.eShopComp, HKU\S-1-5-21-341121232-1806225534-2008626044-1001_Classes\LOCAL SETTINGS\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\APPCONTAINER\STORAGE\MICROSOFT.MICROSOFTEDGE_8WEKYB3D8BBWE\CHILDREN\001\INTERNET EXPLORER\EDPDOMSTORAGE\pstatic.eshopcomp.com, Quarantined, [d677a8089900b284a4e28520b153926e],

 

Registry Values: 0
(No malicious items detected)

 

Registry Data: 0
(No malicious items detected)

 

Folders: 0
(No malicious items detected)

 

Files: 0
(No malicious items detected)

 

Physical Sectors: 0
(No malicious items detected)

 

(end)

 

 

 

 

 

 

 

 

 

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version:17-04-2016 01
Ran by User (administrator) on USER-PC (18-04-2016 09:22:15)
Running from C:\Users\User\Desktop
Loaded Profiles: User (Available Profiles: User)
Platform: Windows 10 Home (X64) Language: English (United States)
Internet Explorer Version 11 (Default browser: Edge)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

 

==================== Processes (Whitelisted) =================

 

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

 

(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RtkAudioService64.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe
(Andrea Electronics Corporation) C:\Program Files\Realtek\Audio\HDA\AERTSr64.exe
(Apple Inc.) C:\Program Files\Bonjour\mDNSResponder.exe
(Apple Inc.) C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
(hidebound) C:\Windows\pram.exe
(Greatbrick Co.) C:\Program Files (x86)\winwalluse\WinWallSync_.exe
(Greatbrick Co.) C:\Program Files (x86)\winwalluse\WinWallSync.exe
(PACE Anti-Piracy, Inc.) C:\Program Files (x86)\Common Files\PACE\Services\LicenseServices\LDSvc.exe
(Greatbrick Co.) C:\Program Files (x86)\winwalluse\WinWallUse_.exe
(Greatbrick Co.) C:\Program Files (x86)\winwalluse\WinWallUse.exe
(Microsoft Corporation) C:\Windows\System32\SettingSyncHost.exe
(Greatbrick Co.) C:\Program Files (x86)\winwalluse\WinWallUse_.exe
(Greatbrick Co.) C:\Program Files (x86)\winwalluse\WinWallUse.exe
(Greatbrick Co.) C:\Program Files (x86)\winwalluse\WinWallUse.exe
(Greatbrick Co.) C:\Program Files (x86)\winwalluse\WinWallUse_.exe
(Intel Corporation) C:\Windows\System32\igfxtray.exe
(Intel Corporation) C:\Windows\System32\hkcmd.exe
(Intel Corporation) C:\Windows\System32\igfxpers.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe
(Greatbrick Co.) C:\Program Files (x86)\winwalluse\WinWallUse.exe
(Greatbrick Co.) C:\Program Files (x86)\winwalluse\WinWallUse_.exe
(Microsoft Corporation) C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
(Microsoft Corporation) C:\Windows\System32\browser_broker.exe
(Microsoft Corporation) C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
(Microsoft Corporation) C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
(Microsoft Corporation) C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
(Adobe Systems Incorporated) C:\Windows\System32\Macromed\Flash\FlashUtil_ActiveX.exe

 

==================== Registry (Whitelisted) ===========================

 

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

 

HKLM\...\Run: [RTHDVCPL] => C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe [8492800 2015-07-29] (Realtek Semiconductor)
HKLM\...\Run: [RtHDVBg] => C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe [1402624 2015-07-29] (Realtek Semiconductor)
Winlogon\Notify\igfxcui: C:\WINDOWS\system32\igfxdev.dll (Intel Corporation)

 

==================== Internet (Whitelisted) ====================

 

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

 

Tcpip\Parameters: [DhcpNameServer] 192.168.252.1 0.0.0.0
Tcpip\..\Interfaces\{0d6832b7-7671-46c4-887a-e967a11f89bf}: [DhcpNameServer] 192.168.252.1 0.0.0.0
ManualProxies:

 

Internet Explorer:
==================
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
HKU\S-1-5-21-341121232-1806225534-2008626044-1001\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION

 

FireFox:
========
FF Plugin-x32: @Apple.com/iTunes,version=1.0 -> C:\Program Files (x86)\iTunes\Mozilla Plugins\npitunes.dll [2014-02-06] ()

 

==================== Services (Whitelisted) ========================

 

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

 

S3 digiSPTIService64; C:\Program Files\Avid\Pro Tools\digisptiservice64.exe [190464 2014-12-17] (Avid Technology, Inc.) [File not signed]
R2 lining; C:\WINDOWS\pram.exe [9216 2016-03-19] (hidebound) [File not signed]
R2 RtkAudioService; C:\Program Files\Realtek\Audio\HDA\RtkAudioService64.exe [303360 2015-07-29] (Realtek Semiconductor)
S3 WdNisSvc; C:\Program Files\Windows Defender\NisSrv.exe [362928 2015-07-10] (Microsoft Corporation)
S3 WinDefend; C:\Program Files\Windows Defender\MsMpEng.exe [24864 2015-07-10] (Microsoft Corporation)
R2 WinWallSvc; C:\Program Files (x86)\winwalluse\WinWallSync.exe [140984 2016-03-16] (Greatbrick Co.)
R2 WinWallSvc2; C:\Program Files (x86)\winwalluse\WinWallSync_.exe [140984 2016-03-16] (Greatbrick Co.)

 

===================== Drivers (Whitelisted) ==========================

 

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

 

S3 mbamchameleon; C:\WINDOWS\system32\drivers\mbamchameleon.sys [140672 2016-04-17] (Malwarebytes)
S3 MBAMSwissArmy; C:\WINDOWS\system32\drivers\MBAMSwissArmy.sys [192216 2016-04-18] (Malwarebytes)
S3 UdeCx; C:\Windows\System32\drivers\udecx.sys [44032 2015-07-10] ()
S0 WdBoot; C:\Windows\System32\drivers\WdBoot.sys [44568 2015-07-10] (Microsoft Corporation)
R0 WdFilter; C:\Windows\System32\drivers\WdFilter.sys [291680 2015-07-10] (Microsoft Corporation)
R2 WdNisDrv; C:\Windows\System32\Drivers\WdNisDrv.sys [119648 2015-07-10] (Microsoft Corporation)
S3 wfpcapture; \SystemRoot\System32\drivers\wfpcapture.sys [X]

 

==================== NetSvcs (Whitelisted) ===================

 

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

 

==================== One Month Created files and folders ========

 

(If an entry is included in the fixlist, the file/folder will be moved.)

 

2016-04-18 09:22 - 2016-04-18 09:22 - 00006123 _____ C:\Users\User\Desktop\FRST.txt
2016-04-18 09:21 - 2016-04-18 09:22 - 00000000 ____D C:\FRST
2016-04-18 09:20 - 2016-04-18 09:20 - 00016148 _____ C:\WINDOWS\system32\USER-PC_User_HistoryPrediction.bin
2016-04-18 09:14 - 2016-04-18 09:14 - 02375680 _____ (Farbar) C:\Users\User\Desktop\FRST64.exe
2016-04-18 09:13 - 2016-04-18 09:13 - 01726464 _____ (Farbar) C:\Users\User\Downloads\FRST (3).exe
2016-04-18 08:43 - 2016-04-18 08:43 - 02030536 _____ (Bleeping Computer, LLC) C:\Users\User\Desktop\rkill.exe
2016-04-18 08:42 - 2016-04-18 08:45 - 00002216 _____ C:\Users\User\Desktop\Rkill.txt
2016-04-18 08:42 - 2016-04-18 08:42 - 02030536 _____ (Bleeping Computer, LLC) C:\Users\User\Downloads\iExplore.exe
2016-04-17 18:25 - 2016-04-17 18:25 - 01726464 _____ (Farbar) C:\Users\User\Downloads\FRST (2).exe
2016-04-17 18:24 - 2016-04-17 18:24 - 01726464 _____ (Farbar) C:\Users\User\Downloads\FRST (1).exe
2016-04-17 18:14 - 2016-04-17 18:14 - 00020880 _____ C:\Users\User\Desktop\scan1.txt
2016-04-17 18:13 - 2016-03-10 14:06 - 00001258 _____ C:\Users\User\Desktop\master.conf
2016-04-17 17:57 - 2016-04-17 17:57 - 00001173 _____ C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2016-04-17 17:18 - 2016-03-18 07:28 - 00968136 _____ (MalwareBytes) C:\Users\User\Desktop\mbam-chameleon.exe
2016-04-17 14:12 - 2016-04-18 09:11 - 00192216 _____ (Malwarebytes) C:\WINDOWS\system32\Drivers\MBAMSwissArmy.sys
2016-04-17 14:12 - 2016-04-17 18:13 - 00140672 _____ (Malwarebytes) C:\WINDOWS\system32\Drivers\mbamchameleon.sys
2016-04-17 14:12 - 2016-04-17 17:57 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes Anti-Malware
2016-04-17 14:12 - 2016-04-17 17:57 - 00000000 ____D C:\Program Files (x86)\Malwarebytes Anti-Malware
2016-04-17 14:12 - 2016-04-17 14:12 - 00000000 ____D C:\ProgramData\Malwarebytes
2016-04-17 14:12 - 2016-03-10 14:09 - 00065408 _____ (Malwarebytes Corporation) C:\WINDOWS\system32\Drivers\mwac.sys
2016-04-17 14:12 - 2016-03-10 14:08 - 00027008 _____ (Malwarebytes) C:\WINDOWS\system32\Drivers\mbam.sys
2016-04-17 13:38 - 2016-04-17 13:38 - 00000000 ____D C:\WINDOWS\System32\Tasks\GenericSettingsHandler
2016-04-17 13:31 - 2016-04-17 17:56 - 00000214 _____ C:\WINDOWS\Tasks\CreateExplorerShellUnelevatedTask.job
2016-04-17 13:30 - 2016-04-17 17:57 - 00000000 ____D C:\WINDOWS\pss
2016-03-26 15:47 - 2016-03-26 15:47 - 00003738 _____ C:\WINDOWS\System32\Tasks\Keyboard Update Service
2016-03-26 15:46 - 2016-04-18 08:47 - 00004148 _____ C:\WINDOWS\System32\Tasks\User_Feed_Synchronization-{7A11EC4F-81A9-413D-94D9-F26A5DC5292B}
2016-03-19 21:09 - 2016-03-19 21:09 - 00065536 _____ C:\WINDOWS\system32\edbres00002.jrs
2016-03-19 21:09 - 2016-03-19 21:09 - 00065536 _____ C:\WINDOWS\system32\edbres00001.jrs
2016-03-19 21:09 - 2016-03-19 21:09 - 00008192 _____ C:\WINDOWS\system32\edb.chk
2016-03-19 20:37 - 2016-02-23 07:53 - 01314496 _____ (Microsoft Corporation) C:\WINDOWS\system32\ole32.dll
2016-03-19 20:37 - 2016-02-23 07:51 - 00633184 _____ (Microsoft Corporation) C:\WINDOWS\system32\Drivers\fvevol.sys
2016-03-19 20:37 - 2016-02-23 07:41 - 00299600 _____ (Microsoft Corporation) C:\WINDOWS\system32\WMASF.DLL
2016-03-19 20:37 - 2016-02-23 07:07 - 22322624 _____ (Microsoft Corporation) C:\WINDOWS\system32\shell32.dll
2016-03-19 20:37 - 2016-02-23 06:23 - 00952968 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\ole32.dll
2016-03-19 20:37 - 2016-02-23 06:11 - 00249976 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\WMASF.DLL
2016-03-19 20:37 - 2016-02-23 05:39 - 02879024 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\iertutil.dll
2016-03-19 20:37 - 2016-02-23 05:38 - 20858360 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\shell32.dll
2016-03-19 20:37 - 2016-02-23 05:16 - 02237952 _____ (Microsoft Corporation) C:\WINDOWS\system32\wuaueng.dll
2016-03-19 20:37 - 2016-02-23 04:55 - 24592896 _____ (Microsoft Corporation) C:\WINDOWS\system32\mshtml.dll
2016-03-19 20:37 - 2016-02-23 04:45 - 12504576 _____ (Microsoft Corporation) C:\WINDOWS\system32\ieframe.dll
2016-03-19 20:37 - 2016-02-23 04:45 - 06788608 _____ (Microsoft Corporation) C:\WINDOWS\system32\Windows.Data.Pdf.dll
2016-03-19 20:37 - 2016-02-23 04:38 - 02663424 _____ (Microsoft Corporation) C:\WINDOWS\system32\Windows.UI.Logon.dll
2016-03-19 20:37 - 2016-02-23 04:14 - 00841728 _____ (Microsoft Corporation) C:\WINDOWS\system32\win32spl.dll
2016-03-19 20:37 - 2016-02-23 04:04 - 00225792 _____ (Microsoft Corporation) C:\WINDOWS\system32\wsqmcons.exe
2016-03-19 20:37 - 2016-02-23 04:03 - 00450560 _____ (Microsoft Corporation) C:\WINDOWS\system32\werui.dll
2016-03-19 20:37 - 2016-02-23 03:55 - 14241792 _____ (Microsoft Corporation) C:\WINDOWS\system32\wmp.dll
2016-03-19 20:37 - 2016-02-23 03:51 - 00915456 _____ (Microsoft Corporation) C:\WINDOWS\system32\configurationclient.dll
2016-03-19 20:37 - 2016-02-23 03:51 - 00678912 _____ (Microsoft Corporation) C:\WINDOWS\system32\scapi.dll
2016-03-19 20:37 - 2016-02-23 03:48 - 21859840 _____ (Microsoft Corporation) C:\WINDOWS\system32\edgehtml.dll
2016-03-19 20:37 - 2016-02-23 03:48 - 05157376 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\Windows.Data.Pdf.dll
2016-03-19 20:37 - 2016-02-23 03:46 - 00400384 _____ (Microsoft Corporation) C:\WINDOWS\system32\sharemediacpl.dll
2016-03-19 20:37 - 2016-02-23 03:45 - 01844736 _____ (Microsoft Corporation) C:\WINDOWS\system32\WMPDMC.exe
2016-03-19 20:37 - 2016-02-23 03:45 - 00088576 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\olepro32.dll
2016-03-19 20:37 - 2016-02-23 03:44 - 01821696 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\Windows.UI.Logon.dll
2016-03-19 20:37 - 2016-02-23 03:38 - 07524864 _____ (Microsoft Corporation) C:\WINDOWS\system32\Chakra.dll
2016-03-19 20:37 - 2016-02-23 03:17 - 00393728 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\werui.dll
2016-03-19 20:37 - 2016-02-23 03:11 - 12589056 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\wmp.dll
2016-03-19 20:37 - 2016-02-23 03:03 - 01495040 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\WMPDMC.exe
2016-03-19 20:37 - 2016-02-23 03:00 - 11263488 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\ieframe.dll
2016-03-19 20:37 - 2016-02-23 02:58 - 18800640 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\edgehtml.dll
2016-03-19 20:37 - 2016-01-30 23:25 - 01951872 _____ (Microsoft Corporation) C:\WINDOWS\system32\KernelBase.dll
2016-03-19 20:37 - 2016-01-30 23:25 - 01248896 _____ (Microsoft Corporation) C:\WINDOWS\system32\WinTypes.dll
2016-03-19 20:37 - 2016-01-30 23:23 - 02601160 _____ (Microsoft Corporation) C:\WINDOWS\system32\combase.dll
2016-03-19 20:37 - 2016-01-30 23:23 - 01420392 _____ (Microsoft Corporation) C:\WINDOWS\system32\msctf.dll
2016-03-19 20:37 - 2016-01-30 23:06 - 01531368 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\KernelBase.dll
2016-03-19 20:37 - 2016-01-30 23:06 - 00809336 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\WinTypes.dll
2016-03-19 20:37 - 2016-01-30 23:04 - 01811360 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\combase.dll
2016-03-19 20:37 - 2016-01-30 23:04 - 01180696 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\msctf.dll
2016-03-19 20:37 - 2016-01-30 22:29 - 11557888 _____ (Microsoft Corporation) C:\WINDOWS\system32\twinui.dll
2016-03-19 20:37 - 2016-01-30 22:26 - 03793408 _____ (Microsoft Corporation) C:\WINDOWS\system32\rdpcorets.dll
2016-03-19 20:37 - 2016-01-30 22:22 - 00680448 _____ (Microsoft Corporation) C:\WINDOWS\system32\rasmans.dll
2016-03-19 20:37 - 2016-01-30 22:20 - 02849792 _____ (Microsoft Corporation) C:\WINDOWS\system32\wininet.dll
2016-03-19 20:37 - 2016-01-30 22:17 - 00109056 _____ (Microsoft Corporation) C:\WINDOWS\system32\hlink.dll
2016-03-19 20:37 - 2016-01-30 22:16 - 09889280 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\twinui.dll
2016-03-19 20:37 - 2016-01-30 22:13 - 04791808 _____ (Microsoft Corporation) C:\WINDOWS\system32\jscript9.dll
2016-03-19 20:37 - 2016-01-30 22:06 - 02316800 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\wininet.dll
2016-03-19 20:37 - 2016-01-30 22:04 - 00100352 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\hlink.dll
2016-03-19 20:37 - 2016-01-30 22:02 - 03580416 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\jscript9.dll
2016-03-19 20:36 - 2016-02-23 07:52 - 00858408 _____ (Microsoft Corporation) C:\WINDOWS\system32\winresume.exe
2016-03-19 20:36 - 2016-02-23 07:51 - 00146784 _____ (Microsoft Corporation) C:\WINDOWS\system32\wermgr.exe
2016-03-19 20:36 - 2016-02-23 07:50 - 00630160 _____ (Microsoft Corporation) C:\WINDOWS\system32\wer.dll
2016-03-19 20:36 - 2016-02-23 07:48 - 08022368 _____ (Microsoft Corporation) C:\WINDOWS\system32\ntoskrnl.exe
2016-03-19 20:36 - 2016-02-23 07:48 - 01294352 _____ (Microsoft Corporation) C:\WINDOWS\system32\winload.efi
2016-03-19 20:36 - 2016-02-23 07:48 - 01123952 _____ (Microsoft Corporation) C:\WINDOWS\system32\winload.exe
2016-03-19 20:36 - 2016-02-23 07:41 - 01150816 _____ (Microsoft Corporation) C:\WINDOWS\system32\aeinv.dll
2016-03-19 20:36 - 2016-02-23 07:41 - 00078040 _____ (Microsoft Corporation) C:\WINDOWS\system32\wkscli.dll
2016-03-19 20:36 - 2016-02-23 07:40 - 00110584 _____ (Microsoft Corporation) C:\WINDOWS\system32\srvcli.dll
2016-03-19 20:36 - 2016-02-23 07:38 - 00272752 _____ (Microsoft Corporation) C:\WINDOWS\system32\sqmapi.dll
2016-03-19 20:36 - 2016-02-23 07:36 - 00080128 _____ (Microsoft Corporation) C:\WINDOWS\system32\netapi32.dll
2016-03-19 20:36 - 2016-02-23 07:11 - 00781984 _____ (Microsoft Corporation) C:\WINDOWS\system32\mfds.dll
2016-03-19 20:36 - 2016-02-23 07:11 - 00658784 _____ (Microsoft Corporation) C:\WINDOWS\system32\NetSetupEngine.dll
2016-03-19 20:36 - 2016-02-23 07:11 - 00103776 _____ (Microsoft Corporation) C:\WINDOWS\system32\NetSetupApi.dll
2016-03-19 20:36 - 2016-02-23 07:08 - 03622272 _____ (Microsoft Corporation) C:\WINDOWS\system32\iertutil.dll
2016-03-19 20:36 - 2016-02-23 06:39 - 00607416 _____ (Microsoft Corporation) C:\WINDOWS\system32\fontdrvhost.exe
2016-03-19 20:36 - 2016-02-23 06:30 - 01643872 _____ (Microsoft Corporation) C:\WINDOWS\system32\diagtrack.dll
2016-03-19 20:36 - 2016-02-23 06:25 - 01085632 _____ (Microsoft Corporation) C:\WINDOWS\system32\appraiser.dll
2016-03-19 20:36 - 2016-02-23 06:21 - 00529456 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\wer.dll
2016-03-19 20:36 - 2016-02-23 06:21 - 00141152 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\wermgr.exe
2016-03-19 20:36 - 2016-02-23 06:11 - 00073360 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\srvcli.dll
2016-03-19 20:36 - 2016-02-23 06:11 - 00055808 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\wkscli.dll
2016-03-19 20:36 - 2016-02-23 06:09 - 00229352 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\sqmapi.dll
2016-03-19 20:36 - 2016-02-23 06:06 - 00069232 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\netapi32.dll
2016-03-19 20:36 - 2016-02-23 05:58 - 00150528 _____ (Microsoft Corporation) C:\WINDOWS\system32\MusNotification.exe
2016-03-19 20:36 - 2016-02-23 05:50 - 00395264 _____ (Microsoft Corporation) C:\WINDOWS\system32\NetSetupShim.dll
2016-03-19 20:36 - 2016-02-23 05:50 - 00075264 _____ (Microsoft Corporation) C:\WINDOWS\system32\NetCfgNotifyObjectHost.exe
2016-03-19 20:36 - 2016-02-23 05:42 - 00658536 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\mfds.dll
2016-03-19 20:36 - 2016-02-23 05:42 - 00467296 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\NetSetupEngine.dll
2016-03-19 20:36 - 2016-02-23 05:42 - 00078176 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\NetSetupApi.dll
2016-03-19 20:36 - 2016-02-23 05:35 - 00365568 _____ (Adobe Systems Incorporated) C:\WINDOWS\system32\atmfd.dll
2016-03-19 20:36 - 2016-02-23 05:20 - 00138240 _____ (Microsoft Corporation) C:\WINDOWS\system32\Drivers\dfsc.sys
2016-03-19 20:36 - 2016-02-23 05:17 - 00333312 _____ (Microsoft Corporation) C:\WINDOWS\system32\MusUpdateHandlers.dll
2016-03-19 20:36 - 2016-02-23 05:15 - 00539728 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\fontdrvhost.exe
2016-03-19 20:36 - 2016-02-23 05:15 - 00033280 _____ (Microsoft Corporation) C:\WINDOWS\system32\wups2.dll
2016-03-19 20:36 - 2016-02-23 04:59 - 00319488 _____ (Microsoft Corporation) C:\WINDOWS\system32\NetworkBindingEngineMigPlugin.dll
2016-03-19 20:36 - 2016-02-23 04:59 - 00104960 _____ (Microsoft Corporation) C:\WINDOWS\system32\Drivers\rasl2tp.sys
2016-03-19 20:36 - 2016-02-23 04:57 - 00189952 _____ (Microsoft Corporation) C:\WINDOWS\system32\NetSetupSvc.dll
2016-03-19 20:36 - 2016-02-23 04:42 - 00771072 _____ (Microsoft Corporation) C:\WINDOWS\system32\Chakradiag.dll
2016-03-19 20:36 - 2016-02-23 04:42 - 00091648 _____ (Microsoft Corporation) C:\WINDOWS\system32\asycfilt.dll
2016-03-19 20:36 - 2016-02-23 04:37 - 00057344 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\NetCfgNotifyObjectHost.exe
2016-03-19 20:36 - 2016-02-23 04:36 - 00281600 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\NetSetupShim.dll
2016-03-19 20:36 - 2016-02-23 04:25 - 00303104 _____ (Adobe Systems Incorporated) C:\WINDOWS\SysWOW64\atmfd.dll
2016-03-19 20:36 - 2016-02-23 04:18 - 00031232 _____ (Microsoft Corporation) C:\WINDOWS\system32\seclogon.dll
2016-03-19 20:36 - 2016-02-23 04:17 - 00133120 _____ (Microsoft Corporation) C:\WINDOWS\system32\browser.dll
2016-03-19 20:36 - 2016-02-23 04:17 - 00058368 _____ (Microsoft Corporation) C:\WINDOWS\system32\browcli.dll
2016-03-19 20:36 - 2016-02-23 04:08 - 00081920 _____ (Microsoft Corporation) C:\WINDOWS\system32\AppxSysprep.dll
2016-03-19 20:36 - 2016-02-23 04:03 - 00045568 _____ (Adobe Systems) C:\WINDOWS\system32\atmlib.dll
2016-03-19 20:36 - 2016-02-23 04:02 - 03587584 _____ (Microsoft Corporation) C:\WINDOWS\system32\win32kfull.sys
2016-03-19 20:36 - 2016-02-23 03:55 - 19326464 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\mshtml.dll
2016-03-19 20:36 - 2016-02-23 03:45 - 00574464 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\Chakradiag.dll
2016-03-19 20:36 - 2016-02-23 03:45 - 00078848 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\asycfilt.dll
2016-03-19 20:36 - 2016-02-23 03:29 - 00043520 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\browcli.dll
2016-03-19 20:36 - 2016-02-23 03:17 - 00037376 _____ (Adobe Systems) C:\WINDOWS\SysWOW64\atmlib.dll
2016-03-19 20:36 - 2016-02-23 03:00 - 05457408 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\Chakra.dll
2016-03-19 20:36 - 2016-01-30 23:24 - 01824880 _____ (Microsoft Corporation) C:\WINDOWS\system32\ntdll.dll
2016-03-19 20:36 - 2016-01-30 23:06 - 01535032 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\ntdll.dll
2016-03-19 20:36 - 2016-01-30 22:34 - 00088064 _____ (Microsoft Corporation) C:\WINDOWS\system32\ngckeyenum.dll
2016-03-19 20:36 - 2016-01-30 22:33 - 00057856 _____ (Microsoft Corporation) C:\WINDOWS\system32\IoTAssignedAccessLockFramework.dll
2016-03-19 20:36 - 2016-01-30 22:29 - 00141312 _____ (Microsoft Corporation) C:\WINDOWS\system32\rasman.dll
2016-03-19 20:36 - 2016-01-30 22:25 - 00366592 _____ (Microsoft Corporation) C:\WINDOWS\system32\wuuhext.dll
2016-03-19 20:36 - 2016-01-30 22:25 - 00143872 _____ (Microsoft Corporation) C:\WINDOWS\system32\Drivers\mrxdav.sys
2016-03-19 20:36 - 2016-01-30 22:24 - 00784384 _____ (Microsoft Corporation) C:\WINDOWS\system32\wuapi.dll
2016-03-19 20:36 - 2016-01-30 22:24 - 00047616 _____ (Microsoft Corporation) C:\WINDOWS\system32\wups.dll
2016-03-19 20:36 - 2016-01-30 22:23 - 00079360 _____ (Microsoft Corporation) C:\WINDOWS\system32\rdpudd.dll
2016-03-19 20:36 - 2016-01-30 22:19 - 01602560 _____ (Microsoft Corporation) C:\WINDOWS\system32\urlmon.dll
2016-03-19 20:36 - 2016-01-30 22:19 - 00237056 _____ (Microsoft Corporation) C:\WINDOWS\system32\NetworkDesktopSettings.dll
2016-03-19 20:36 - 2016-01-30 22:19 - 00046592 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\IoTAssignedAccessLockFramework.dll
2016-03-19 20:36 - 2016-01-30 22:18 - 00147456 _____ (Microsoft Corporation) C:\WINDOWS\system32\mtxoci.dll
2016-03-19 20:36 - 2016-01-30 22:16 - 00950272 _____ (Microsoft Corporation) C:\WINDOWS\system32\kerberos.dll
2016-03-19 20:36 - 2016-01-30 22:13 - 00123392 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\rasman.dll
2016-03-19 20:36 - 2016-01-30 22:13 - 00034816 _____ (Microsoft Corporation) C:\WINDOWS\system32\ztrace_maps.dll
2016-03-19 20:36 - 2016-01-30 22:11 - 00678400 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\wuapi.dll
2016-03-19 20:36 - 2016-01-30 22:11 - 00291840 _____ (Microsoft Corporation) C:\WINDOWS\system32\microsoft-windows-system-events.dll
2016-03-19 20:36 - 2016-01-30 22:11 - 00162304 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\msorcl32.dll
2016-03-19 20:36 - 2016-01-30 22:05 - 01380864 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\urlmon.dll
2016-03-19 20:36 - 2016-01-30 22:05 - 00118272 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\mtxoci.dll
2016-03-19 20:36 - 2016-01-30 22:02 - 00768000 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\kerberos.dll
2016-03-19 20:36 - 2016-01-30 21:58 - 00029696 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\ztrace_maps.dll
2016-03-19 20:22 - 2016-03-19 20:23 - 01324116 _____ C:\WINDOWS\SysWOW64\soft.exe
2016-03-19 20:03 - 2016-03-19 20:03 - 00000000 _____ C:\WINDOWS\SysWOW64\x64.txt
2016-03-19 19:59 - 2016-04-17 12:53 - 00000000 ____D C:\WINDOWS\System32\Tasks\Leader Technologies
2016-03-19 19:53 - 2016-03-19 19:53 - 00000000 ____D C:\Users\User\AppData\Roaming\Leadertech
2016-03-19 19:42 - 2016-03-19 21:08 - 00000000 ____D C:\Program Files (x86)\winwalluse
2016-03-19 19:41 - 2016-03-19 19:42 - 00000000 ____D C:\Program Files\Sound+
2016-03-19 19:34 - 2016-04-17 14:24 - 00000000 ____D C:\Program Files (x86)\S5
2016-03-19 19:34 - 2016-03-19 19:34 - 00000000 ____D C:\Users\User\AppData\Roaming\c
2016-03-19 19:34 - 2016-03-19 19:34 - 00000000 ____D C:\ProgramData\1458441258
2016-03-19 19:33 - 2016-03-19 19:33 - 00187904 _____ C:\WINDOWS\rsrcs.dll
2016-03-19 19:32 - 2016-04-17 18:12 - 00000000 ____D C:\Program Files (x86)\ubiquity
2016-03-19 19:32 - 2016-04-17 17:32 - 00000000 ____D C:\Program Files (x86)\silencer
2016-03-19 19:32 - 2016-04-17 17:32 - 00000000 ____D C:\Program Files (x86)\NewInternet
2016-03-19 19:32 - 2016-04-17 17:32 - 00000000 ____D C:\Program Files (x86)\mancebo
2016-03-19 19:32 - 2016-04-17 17:32 - 00000000 ____D C:\Program Files (x86)\atrocity
2016-03-19 19:32 - 2016-03-19 19:33 - 00000000 ____D C:\a
2016-03-19 19:32 - 2016-03-19 19:32 - 00000054 _____ C:\WINDOWS\key.ini
2016-03-19 19:31 - 2016-03-19 19:31 - 00000014 _____ C:\Users\User\AppData\Local\22814750.txt
2016-03-19 16:48 - 2016-03-19 16:48 - 00041719 _____ C:\WINDOWS\aggresive.exe
2016-03-19 16:48 - 2016-03-19 16:48 - 00009216 _____ (hidebound) C:\WINDOWS\pram.exe
2016-03-19 16:48 - 2016-03-19 16:48 - 00000019 _____ C:\WINDOWS\SysWOW64\35425539.bat

 

==================== One Month Modified files and folders ========

 

(If an entry is included in the fixlist, the file/folder will be moved.)

 

2016-04-18 09:22 - 2015-07-10 04:04 - 00000000 ____D C:\WINDOWS\AppReadiness
2016-04-18 09:19 - 2015-07-10 05:21 - 00000006 ____H C:\WINDOWS\Tasks\SA.DAT
2016-04-18 09:12 - 2015-07-29 01:17 - 00875126 _____ C:\WINDOWS\system32\PerfStringBackup.INI
2016-04-18 09:12 - 2015-07-10 04:04 - 00000000 ___HD C:\Program Files\WindowsApps
2016-04-18 09:12 - 2015-07-10 04:02 - 00000000 ____D C:\WINDOWS\INF
2016-04-18 09:05 - 2015-07-10 02:05 - 00262144 ___SH C:\WINDOWS\system32\config\BBI
2016-04-17 18:21 - 2015-07-29 01:22 - 00000000 ____D C:\Users\User\AppData\Local\Packages
2016-04-17 18:12 - 2015-07-10 04:04 - 00000000 __RSD C:\WINDOWS\Media
2016-04-17 17:50 - 2016-03-18 20:41 - 00000000 ____D C:\Program Files (x86)\Avid
2016-04-17 17:50 - 2016-03-18 19:45 - 00000000 ____D C:\Program Files (x86)\InstallShield Installation Information
2016-04-17 17:37 - 2016-02-06 16:48 - 00000000 ____D C:\Users\User\AppData\Local\Sony
2016-04-17 17:32 - 2016-03-18 22:12 - 00000000 ____D C:\ProgramData\WindowsMsg
2016-04-17 17:32 - 2016-03-18 22:11 - 00000000 ____D C:\Users\User\AppData\Roaming\Full Checker
2016-04-17 17:32 - 2015-07-10 04:06 - 00000000 ____D C:\WINDOWS\Setup
2016-04-17 16:56 - 2015-07-10 04:04 - 00000000 ____D C:\WINDOWS\system32\WinBioDatabase
2016-04-17 15:59 - 2015-07-10 04:04 - 00000000 ____D C:\WINDOWS\rescache
2016-04-17 15:56 - 2015-09-11 19:55 - 00000000 ____D C:\WINDOWS\system32\MRT
2016-04-17 15:55 - 2015-09-11 19:56 - 135176864 _____ (Microsoft Corporation) C:\WINDOWS\system32\MRT.exe
2016-04-17 15:55 - 2015-07-10 03:55 - 00000000 ____D C:\WINDOWS\CbsTemp
2016-04-06 11:32 - 2016-02-06 16:36 - 00829944 _____ (Adobe Systems Incorporated) C:\WINDOWS\SysWOW64\FlashPlayerApp.exe
2016-04-06 11:32 - 2016-02-06 16:36 - 00176632 _____ (Adobe Systems Incorporated) C:\WINDOWS\SysWOW64\FlashPlayerCPLApp.cpl
2016-03-26 22:04 - 2015-07-29 01:22 - 00000000 __RHD C:\Users\Public\AccountPictures
2016-03-26 21:48 - 2015-07-10 05:20 - 00227552 _____ C:\WINDOWS\system32\FNTCACHE.DAT
2016-03-26 21:46 - 2015-07-10 06:14 - 00000000 ____D C:\Program Files\Windows Journal
2016-03-26 21:46 - 2015-07-10 04:04 - 00000000 ____D C:\Program Files\Windows Portable Devices
2016-03-26 21:46 - 2015-07-10 04:04 - 00000000 ____D C:\Program Files\Windows Multimedia Platform
2016-03-26 21:46 - 2015-07-10 04:04 - 00000000 ____D C:\Program Files (x86)\Windows Portable Devices
2016-03-26 21:46 - 2015-07-10 04:04 - 00000000 ____D C:\Program Files (x86)\Windows Multimedia Platform
2016-03-19 20:00 - 2016-03-18 20:41 - 00000000 ____D C:\Program Files\Avid

 

==================== Files in the root of some directories =======

 

2016-03-19 19:31 - 2016-03-19 19:31 - 0000014 _____ () C:\Users\User\AppData\Local\22814750.txt
2016-03-17 22:00 - 2016-03-17 22:00 - 0000000 _____ () C:\Users\User\AppData\Local\ok223.txt
2016-02-16 11:47 - 2016-02-16 11:47 - 0006656 _____ () C:\Users\User\AppData\Local\tinstall.exe
2016-02-16 11:46 - 2016-02-16 11:46 - 0007168 _____ () C:\Users\User\AppData\Local\tinstall4.exe

 

Some files in TEMP:
====================
C:\Users\User\AppData\Local\Temp\7za.exe
C:\Users\User\AppData\Local\Temp\compete.exe
C:\Users\User\AppData\Local\Temp\HKXANO0WM6.exe
C:\Users\User\AppData\Local\Temp\io1.exe
C:\Users\User\AppData\Local\Temp\mesox.exe
C:\Users\User\AppData\Local\Temp\setdd.exe

 

==================== Bamital & volsnap =================

 

(There is no automatic fix for files that do not pass verification.)

 

C:\WINDOWS\system32\winlogon.exe => File is digitally signed
C:\WINDOWS\system32\wininit.exe => File is digitally signed
C:\WINDOWS\explorer.exe => File is digitally signed
C:\WINDOWS\SysWOW64\explorer.exe => File is digitally signed
C:\WINDOWS\system32\svchost.exe => File is digitally signed
C:\WINDOWS\SysWOW64\svchost.exe => File is digitally signed
C:\WINDOWS\system32\services.exe => File is digitally signed
C:\WINDOWS\system32\User32.dll => File is digitally signed
C:\WINDOWS\SysWOW64\User32.dll => File is digitally signed
C:\WINDOWS\system32\userinit.exe => File is digitally signed
C:\WINDOWS\SysWOW64\userinit.exe => File is digitally signed
C:\WINDOWS\system32\rpcss.dll => File is digitally signed
C:\WINDOWS\system32\dnsapi.dll => File is digitally signed
C:\WINDOWS\SysWOW64\dnsapi.dll => File is digitally signed
C:\WINDOWS\system32\Drivers\volsnap.sys => File is digitally signed

 

LastRegBack: 2016-04-17 15:47

 

==================== End of FRST.txt ============================

 

Rkill.txt

Addition.txt

[kevinf80]

Thanks for the logs, continue as follows: Download attached fixlist.txt file (end of reply) and save it to the Desktop, or the folder you saved FRST into. NOTE. It's important that both FRST and fixlist.txt are in the same location or the fix will not work. Run FRST and press the Fix button just once and wait. The tool will make a log on the Desktop (Fixlog.txt) or the folder it was ran from. Please post it to your reply. Next, Download AdwCleaner by Xplode onto your Desktop.   Double click on Adwcleaner.exe to run the tool. Click on the Scan in the Actions box Please wait fot the scan to finish.. When "Waiting for action.Please uncheck elements you want to keep" shows in top line.. Click on the Cleaning box. Next click OK on the "Closing Programs" pop up box. Click OK on the Information box & again OK to allow the necessary reboot After restart the AdwCleaner(C*)-Notepad log will appear, please copy/paste it in your next reply. Where * is the number relative to list of scans completed... Next, Scan with ESET Online Scanner This step can only be done using Internet Explorer, Google Chrome or Mozilla Firefox. Temporary disable your AntiVirus and AntiSpyware protection - instructions here. Please visit ESET Online Scanner website. Click there Run ESET Online Scanner. If using Internet Explorer:   Accept the Terms of Use and click Start. Allow the running of add-on. If using Mozilla Firefox or Google Chrome: Download esetsmartinstaller_enu.exe that you'll be given link to. Double click esetsmartinstaller_enu.exe. Allow the Terms of Use and click Start. To perform the scan:   Select "Enable detection of potentially unwanted applications" Make sure that Remove found threats is unchecked. Scan archives is checked. In Advanced Settings: Scan for potentially unwanted applications, Scan for potentially unsafe applications and Enable Anti-Stealth technology are checked. Under “Enable Stealth Technology select “Change” select any extra drives in that window. Click Start The program will begin to download it's virus database. The speed may vary depending on your Internet connection. When completed, the program will begin to scan. This may take several hours. Please, be patient. Do not do anything on your machine as it may interrupt the scan. When the scan is done, click Finish. A logfile will be created at C:\Program Files (x86)\ESET\ESET Online Scanner. Open it using Notepad. Please include this logfile in your next reply. Don't forget to re-enable protection software! Let me see those logs in your reply, also give an update on any remaining issues or concerns.. Thank you, Kevin..

Fixlist.txt

[iniestra310]

# AdwCleaner v5.112 - Logfile created 18/04/2016 at 14:46:39
# Updated 17/04/2016 by Xplode
# Database : 2016-04-17.1 [Server]
# Operating system : Windows 10 Home  (X64)
# Username : User - USER-PC
# Running from : C:\Users\User\Downloads\AdwCleaner.exe
# Option : Clean
# Support : http://toolslib.net/forum

 

***** [ Services ] *****

 

***** [ Folders ] *****

 

[-] Folder Deleted : C:\ProgramData\Microsoft\Windows\Start Menu\Programs\ttwifi

 

***** [ Files ] *****

 

***** [ DLLs ] *****

 

***** [ Shortcuts ] *****

 

***** [ Scheduled tasks ] *****

 

***** [ Registry ] *****

 

[-] Value Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID [{79F768ED-0B12-42EF-8257-36751A0ECF3A}]
[-] Key Deleted : HKCU\Software\osTip
[-] Key Deleted : HKCU\Software\ttwifi
[-] Key Deleted : HKLM\SOFTWARE\SearchModule
[-] Key Deleted : HKLM\SOFTWARE\SecureWeb
[-] Key Deleted : HKLM\SOFTWARE\SecureWebChannel
[-] Key Deleted : HKLM\SOFTWARE\xs
[-] Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Faster Web
[-] Key Deleted : [x64] HKLM\SOFTWARE\SearchModule
[-] Data Restored : HKLM\SOFTWARE\Microsoft\Internet Explorer\AboutURls [Tabs]
[-] Key Deleted : HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\d19tqk5t6qcjac.cloudfront.net
[-] Key Deleted : HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\d3l3lkinz3f56t.cloudfront.net
[-] Key Deleted : HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\foxi69.tlscdn.com
[-] Key Deleted : HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\tlscdn.com
[-] Key Deleted : HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\d19tqk5t6qcjac.cloudfront.net
[-] Key Deleted : HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\d3l3lkinz3f56t.cloudfront.net
[-] Key Deleted : HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\foxi69.tlscdn.com
[-] Key Deleted : HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\tlscdn.com

 

***** [ Web browsers ] *****

 

*************************

 

:: "Tracing" keys deleted
:: Winsock settings cleared

 

*************************

 

C:\AdwCleaner\AdwCleaner[C1].txt - [519 bytes] - [18/04/2016 14:43:02]
C:\AdwCleaner\AdwCleaner[C2].txt - [3213 bytes] - [18/04/2016 14:46:39]
C:\AdwCleaner\AdwCleaner[S1].txt - [3530 bytes] - [18/04/2016 14:40:52]
C:\AdwCleaner\AdwCleaner[S2].txt - [3492 bytes] - [18/04/2016 14:46:06]

 

########## EOF - C:\AdwCleaner\AdwCleaner[C2].txt - [3432 bytes] ##########

Fixlog.txt

log.txt

[iniestra310]

No other issues or concerns at this time!

[kevinf80]

Unfortunately there is evidence of illegal software installed/present on your system, that is a direct breach of forum policy. We cannot offer any further help.. A moderator will lock and close your thread... Please read forum policy with regard to Piracy Thank you, Kevin

[AdvancedSetup]

This topic will now be closed due to evidence of cracked or pirated software on this system.Piracy Policy

[AdvancedSetup]

Topic reopened per request

[kevinf80]

I assume all illegal software has been removed to comply with forum protocol, if so continue as follows please:

Download CKScanner from here: http://downloads.malwareremoval.com/CKScanner.exe Important - Save it to your desktop. Doubleclick CKScanner.exe (Right click and "Run as administrator" in Vista/Win7). Give permission if necessary, and click Search For Files. After a very short time, when the cursor hourglass disappears, click Save List To File. A message box will verify the file saved. Please run the program once only. Double-click the CKFiles.txt icon on your desktop and copy/paste the contents in your next reply. Next, Download Sophos Free Virus Removal Tool and save it to your desktop.   Double click the icon and select Run Click Next Select I accept the terms in this license agreement, then click Next twice Click Install Click Finish to launch the program Once the virus database has been updated click Start Scanning If any threats are found click Details, then View log file... (bottom left hand corner) Copy and paste the results in your reply Close the Notepad document, close the Threat Details screen, then click Start cleanup Click Exit to close the program If no threats were found please confirm that result.... Next, Please download Security Analysis by Rocket Grannie from here: http://rocketgrannie.spywareinfoforum.org/RGSA.exe   Save it to your Desktop. Close your security software to avoid potential conflicts. Double click RGSA.exe Click OK on the copyright-disclaimer It will produce a log named SALog.txt on the Desktop or in the same folder from where the tool is run if installed elsewhere. Please copy and paste the contents of that log in this topic. Note: The link to the most current version of the program will always be in the first post of this topic. Note: (Windows 8/10 users will be prompted about Windows SmartScreen protection - click More information and Run to continue.) Note: The current java version on XP will show as "out of date". Note: Flash Player ActiveX is pre-installed with Internet Explorer in Windows 10 and updates Automatically. Please post your feedback in this topic. Let me see those logs in your reply.... Thank you, Kevin

 

[iniestra310]

Hey Kevin,

 

I was going back and forth with Ron and I told him that since this laptop was given to me by my brother, I am not sure if there are any more pirated programs on here. As far as I can tell and from what my brother told me, there are no other ones but I am not sure as I don't have the technical capability to tell. I deleted the files that Ron told me to, but those files were actually in the past downloads folder. I am just giving you a heads up because I don't have any intentions of using illegal software on my laptop, I just want to get it fixed so that I can use it for work.

[kevinf80]

Thanks for the update, if any illegal programs remain i`ll help to remove them, post the requested logs and we can continue..

Thank you,

Kevin....

[iniestra310]

CKScanner 2.5 - Additional Security Risks - These are not necessarily bad
c:\windows\prefetch\keygen.exe-7e6016d6.pf
scanner sequence 3.AP.11.JCNAOZ
 ----- EOF -----
 

 

No threats were found with Sophos.

 

 

Result of Security Analysis by Rocket Grannie (x86) version: 16th April 2016
Running from:C:\Users\User\Desktop (21:14:25 - 04/22/2016)
***---------------------------------------------------------***
Microsoft Windows 10 Home X64
UAC is Enabled!
Internet Explorer 11
Default Browser: Microsoft Edge
***-----------------Anti-Virus - Firewall-------------------***
Windows Defender Disabled - up to Date!
Windows Firewall is Enabled!
Searching for any other Firewall
*No other Firewall Installed*
***----------------AntiSpyware - Miscellaneous---------------***
Adobe flash Player Plugin is not installed
Google Chrome (version 49)
Malwarebytes Anti-Malware (version 2.2.1.1043)

 

***----------------Analysis Complete-------------------------***

[iniestra310]

Sorry for the delay.. Got slammed at work these past couple of days so I was working late.

[kevinf80]

What is the current status of the operating system, do you have any remaining issues or concerns?

[iniestra310]

Kevin,

 

I don't see any other issues at this time. Is there anything else I need to do?

[kevinf80]

One final scan to check status of security and system utilities etc....

Please download Security Analysis by Rocket Grannie from here: http://rocketgrannie.spywareinfoforum.org/RGSA.exe   Save it to your Desktop. Close your security software to avoid potential conflicts. Double click RGSA.exe Click OK on the copyright-disclaimer It will produce a log named SALog.txt on the Desktop or in the same folder from where the tool is run if installed elsewhere. Please copy and paste the contents of that log in this topic. Note: The link to the most current version of the program will always be in the first post of this topic. Note: (Windows 8/10 users will be prompted about Windows SmartScreen protection - click More information and Run to continue.) Note: The current java version on XP will show as "out of date". Note: Flash Player ActiveX is pre-installed with Internet Explorer in Windows 10 and updates Automatically. Please post the log in your next reply.... Thank you, Kevin.....

[AdvancedSetup]

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.Other members who need assistance please start your own topic in a new thread. Thanks!