
So I've been having a problem with the program PUM.optional.proxyhijacker; it shows up on a Malwarebytes scan during Heuristic Analysis. When I delete it from quarantine, the Internet Options box opens up, then closes quickly. Scans immediately after show nothing, but after rebooting and scanning again it reappears. I've tried using JRT and AdwCleaner then restarting, and it still shows back up. I tried deleting it from the registry, and it showed back up after reboot. Would appreciate any help on this.


Hello mrturtle99 and welcome to Malwarebytes,

My screen name is kevinf80, I'm here to help clean up your system. Make sure to run all scans from accounts with Administrator status, then continue as follows please:

Anyone other than the original starter of this thread please DO NOT follow the instructions and advice posted as replies here; my help and advice are NOT related to your system and will probably cause more harm than good...

Change the download folder setting in the default browser only, so that all of the tools we may use are saved to the Desktop:

Google Chrome - Click the "Customize and control Google Chrome" button in the upper right-corner of the browser. Choose Settings. At the bottom of the screen click the "Show advanced settings..." link. Scroll down to find the Downloads section and click the Change... button. Select your desktop and click OK.

Mozilla Firefox - Click the "Open Menu" button in the upper right-corner of the browser. Choose Options. In the Downloads section, click the Browse button, click on the Desktop folder and then click the "Select Folder" button. Click OK to get out of the Options menu.

Internet Explorer - Click the Tools menu in the upper right-corner of the browser. Select View downloads. Select the Options link in the lower left of the window. Click Browse and select the Desktop and then choose the Select Folder button. Click OK to get out of the download options screen and then click Close to get out of the View Downloads screen.
NOTE: IE8 Does not support changing download locations in this manner. You will need to download the tool(s) to the default folder, usually Downloads, then copy them to the desktop.

Change default download folder location in Edge - Boot to a user account with admin status, select Start > File Explorer > right-click on the "Downloads" folder and select "Properties"

In the new window select "Location" tab > clear the text field box and type in or copy/paste %userprofile%\Desktop > select "Apply" then "OK"

Be aware you are not changing the Browser download folder location, you are changing the user’s download directory location.....

Next,

Follow the instructions in the following link to show hidden files:

http://www.howtogeek.com/howto/windows-vista/show-hidden-files-and-folders-in-windows-vista/

Next,

Download Farbar Recovery Scan Tool and save it to your desktop.

Alternative download option: http://www.techspot.com/downloads/6731-farbar-recovery-scan-tool.html

Note: You need to run the version compatible with your system (32-bit or 64-bit). If you are not sure which version applies to your system, download both of them and try to run them. Only one of them will run on your system; that will be the right version.

If your security software alerts on FRST, either accept the alert or turn your security off to allow FRST to run. It is not malicious or infected in any way...

Be aware FRST must be run from an account with Administrator status...
 
  • Double-click to run it. When the tool opens click Yes to disclaimer.(Windows 8/10 users will be prompted about Windows SmartScreen protection - click More information and Run.)
  • Make sure Addition.txt is checkmarked under "Optional scans"
  • Press the Scan button to run the tool....
  • It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
  • The tool will also make a log named Addition.txt. Please attach that log to your reply.


Let me see those logs...

Thank you,

Kevin..

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 12-02-2017
Ran by Solar (administrator) on TURTLE (12-02-2017 16:56:48)
Running from C:\Users\Solar\Desktop
Loaded Profiles: Solar (Available Profiles: Solar)
Platform: Windows 10 Home Version 1607 (X64) Language: English (United States)
Internet Explorer Version 11 (Default browser: Edge)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(Intel Corporation) C:\Windows\System32\igfxCUIService.exe
(Qualcomm Atheros) C:\Program Files\Qualcomm Atheros\Network Manager\KillerService.exe
(Microsoft Corporation) C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe
(Micro-Star International Co., Ltd.) C:\Program Files (x86)\SCM\MSIService.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\Display.NvContainer\NVDisplay.Container.exe
(MSI) C:\Program Files (x86)\MSI\SUPER CHARGER\ChargeService.exe
(Intel(R) Corporation) C:\Program Files\Intel\iCLS Client\HeciServer.exe
(ELAN Microelectronics Corp.) C:\Program Files\Elantech\ETDService.exe
(Microsoft Corporation) C:\Program Files\Windows Defender\MsMpEng.exe
(Intel Corporation) C:\Windows\System32\ibtsiva.exe
(Microsoft Corporation) C:\Program Files\Windows Defender\NisSrv.exe
(Microsoft Corporation) C:\Windows\Microsoft.NET\Framework64\v3.0\WPF\PresentationFontCache.exe
(Microsoft Corporation) C:\Program Files\Windows Defender\MpCmdRun.exe
(Intel Corporation) C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe
(ELAN Microelectronics Corp.) C:\Program Files\Elantech\ETDCtrl.exe
(Microsoft Corporation) C:\Program Files (x86)\Microsoft Office\root\Office16\msoia.exe
(Intel Corporation) C:\Windows\System32\igfxEM.exe
(ELAN Microelectronics Corp.) C:\Program Files\Elantech\ETDCtrlHelper.exe
(Intel Corporation) C:\Windows\System32\igfxHK.exe
(Microsoft Corporation) C:\Windows\System32\smartscreen.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
(MSI) C:\Program Files (x86)\SCM\SCM.exe
(Microsoft Corporation) C:\Windows\System32\rundll32.exe
(Microsoft Corporation) C:\Program Files\Windows Defender\MSASCuiL.exe
() C:\Program Files\Qualcomm Atheros\Network Manager\NetworkManager.exe
(Creative Technology Ltd) C:\Program Files (x86)\Creative\Sound Blaster Cinema\Sound Blaster Cinema\SBCinema.exe
(MSI) C:\Program Files (x86)\MSI\SUPER CHARGER\SUPER CHARGER.exe
(XXXChurch) C:\Program Files (x86)\XXXChurch\X3Watch\X3Watch.exe
(Oracle Corporation) C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
(Microsoft) C:\Program Files (x86)\XXXChurch\X3Watch\X3WatchProxyChecker.exe
(Micro-Star International Co., Ltd.) C:\Program Files (x86)\MSI\Dragon Gaming Center\Dragon Gaming Center.exe
() C:\Program Files (x86)\MSI\MSI Remind Manager\MSI Reminder.exe
(Mozilla Corporation) C:\Program Files (x86)\Mozilla Firefox\firefox.exe
(Mozilla Corporation) C:\Program Files (x86)\Mozilla Firefox\firefox.exe
(Intel Corporation) C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe

==================== Registry (Whitelisted) ====================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [RTHDVCPL] => C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe [13667032 2015-01-04] (Realtek Semiconductor)
HKLM\...\Run: [ETDCtrl] => C:\Program Files\Elantech\ETDCtrl.exe [3347688 2015-09-04] (ELAN Microelectronics Corp.)
HKLM\...\Run: [IAStorIcon] => C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe [322712 2014-10-09] (Intel Corporation)
HKLM\...\Run: [SCM] => C:\Program Files (x86)\SCM\SCM.exe [405504 2014-11-06] (MSI)
HKLM\...\Run: [MBCfg64] => C:\Windows\system32\RunDLL32.exe C:\Windows\system32\MBCfg64.dll,RunDLLEntry MBCfg64
HKLM\...\Run: [WindowsDefender] => C:\Program Files\Windows Defender\MSASCuiL.exe [631808 2016-09-06] (Microsoft Corporation)
HKLM-x32\...\Run: [Sound Blaster Cinema] => C:\Program Files (x86)\Creative\Sound Blaster Cinema\Sound Blaster Cinema\SBCinema.exe [711680 2013-08-16] (Creative Technology Ltd)
HKLM-x32\...\Run: [UpdReg] => C:\Windows\UpdReg.EXE [90112 2000-05-11] (Creative Technology Ltd.)
HKLM-x32\...\Run: [SUPER CHARGER] => C:\Program Files (x86)\MSI\SUPER CHARGER\SUPER CHARGER.exe [1047536 2014-02-21] (MSI)
HKLM-x32\...\Run: [] => [X]
HKLM-x32\...\Run: [McAfeeUpdaterUI] => "C:\Program Files (x86)\McAfee\Common Framework\udaterui.exe" /StartedFromRunKey
HKLM-x32\...\Run: [ISUSPM] => C:\ProgramData\FLEXnet\Connect\11\\isuspm.exe -scheduler
HKLM-x32\...\Run: [PerditiongmmouseRun] => C:\Program Files (x86)\REDRAGON GAMING MOUSE\pdmon.exe [3234304 2013-11-18] ()
HKLM-x32\...\Run: [SunJavaUpdateSched] => C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe [587288 2016-12-12] (Oracle Corporation)
HKU\S-1-5-21-541454271-1517337831-2707160555-1001\...\Run: [Steam] => C:\Program Files (x86)\Steam\steam.exe [2881824 2017-01-18] (Valve Corporation)
HKU\S-1-5-21-541454271-1517337831-2707160555-1001\...\Run: [SpybotPostWindows10UpgradeReInstall] => "C:\Program Files\Common Files\AV\Spybot - Search and Destroy\Test.exe"
HKU\S-1-5-21-541454271-1517337831-2707160555-1001\...\Run: [puush] => C:\Program Files (x86)\puush\puush.exe [568904 2016-01-03] ()
HKU\S-1-5-21-541454271-1517337831-2707160555-1001\...\Run: [Skype] => C:\Program Files (x86)\Skype\Phone\Skype.exe [27230168 2016-11-15] (Skype Technologies S.A.)
HKU\S-1-5-21-541454271-1517337831-2707160555-1001\...\Run: [Discord] => C:\Users\Solar\AppData\Local\Discord\app-0.0.297\Discord.exe [64290304 2017-01-04] (Hammer & Chisel, Inc.)
HKU\S-1-5-21-541454271-1517337831-2707160555-1001\...\MountPoints2: {2f4e18bb-4b0f-11e5-8268-34e6ad7b1b63} - "F:\VerizonWirelessUpgradeAssistantSetup.exe" -a
HKU\S-1-5-21-541454271-1517337831-2707160555-1001\Control Panel\Desktop\\SCRNSAVE.EXE -> C:\WINDOWS\system32\Bubbles.scr [806400 2016-07-16] (Microsoft Corporation)
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Killer Network Manager.lnk [2015-01-05]
ShortcutTarget: Killer Network Manager.lnk -> C:\Windows\Installer\{5B62C353-75A3-463F-A52E-CC005846F3CE}\NetworkManager.exe_130C27D738F34C89BDDF21BCFD74B56D.exe (Flexera Software LLC)
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\X3Watch.lnk [2015-08-29]
ShortcutTarget: X3Watch.lnk -> C:\Windows\Installer\{BCF442DC-768A-4383-AFD7-E239F715ADB3}\NewShortcut1_D74C6BBD2867476BAF40C953E203B25E.exe (Flexera Software LLC)
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\X3WatchProxyChecker.lnk [2015-08-29]
ShortcutTarget: X3WatchProxyChecker.lnk -> C:\Windows\Installer\{BCF442DC-768A-4383-AFD7-E239F715ADB3}\NewShortcut3_D99F648AB230462A948D38A8F7FE6938.exe (Flexera Software LLC)
Startup: C:\Users\Solar\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Curse.lnk [2015-08-24]
ShortcutTarget: Curse.lnk -> C:\Users\Solar\AppData\Roaming\Curse Client\Bin\Curse.exe (Curse, Inc)

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

ProxyEnable: [S-1-5-21-541454271-1517337831-2707160555-1001] => Proxy is enabled.
ProxyServer: [S-1-5-21-541454271-1517337831-2707160555-1001] => http=127.0.0.1:8877;https=127.0.0.1:8877
Hosts: There are more than one entry in Hosts. See Hosts section of Addition.txt
Tcpip\Parameters: [DhcpNameServer] 192.168.2.1
Tcpip\..\Interfaces\{e1eb9c55-18e6-4b80-964c-85ecf3ed338d}: [DhcpNameServer] 192.168.2.1
ManualProxies:

Internet Explorer:
==================
HKU\S-1-5-21-541454271-1517337831-2707160555-1001\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://msi13.msn.com/
HKU\S-1-5-21-541454271-1517337831-2707160555-1001\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://msi13.msn.com
BHO: Lync Browser Helper -> {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} -> C:\Program Files (x86)\Microsoft Office\root\VFS\ProgramFilesX64\Microsoft Office\Office16\OCHelper.dll [2016-12-25] (Microsoft Corporation)
BHO: Microsoft OneDrive for Business Browser Helper -> {D0498E0A-45B7-42AE-A9AA-ABA463DBD3BF} -> C:\Program Files (x86)\Microsoft Office\root\VFS\ProgramFilesX64\Microsoft Office\Office16\GROOVEEX.DLL [2016-12-25] (Microsoft Corporation)
BHO-x32: Lync Browser Helper -> {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} -> C:\Program Files (x86)\Microsoft Office\root\Office16\OCHelper.dll [2016-12-25] (Microsoft Corporation)
BHO-x32: Java(tm) Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files (x86)\Java\jre1.8.0_121\bin\ssv.dll [2017-01-21] (Oracle Corporation)
BHO-x32: Microsoft OneDrive for Business Browser Helper -> {D0498E0A-45B7-42AE-A9AA-ABA463DBD3BF} -> C:\Program Files (x86)\Microsoft Office\root\Office16\GROOVEEX.DLL [2016-12-25] (Microsoft Corporation)
BHO-x32: Java(tm) Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files (x86)\Java\jre1.8.0_121\bin\jp2ssv.dll [2017-01-21] (Oracle Corporation)
Handler-x32: mso-minsb-roaming.16 - {83C25742-A9F7-49FB-9138-434302C88D07} - C:\Program Files (x86)\Microsoft Office\root\Office16\MSOSB.DLL [2016-12-25] (Microsoft Corporation)
Handler-x32: mso-minsb.16 - {42089D2D-912D-4018-9087-2B87803E93FB} - C:\Program Files (x86)\Microsoft Office\root\Office16\MSOSB.DLL [2016-12-25] (Microsoft Corporation)
Handler-x32: osf-roaming.16 - {42089D2D-912D-4018-9087-2B87803E93FB} - C:\Program Files (x86)\Microsoft Office\root\Office16\MSOSB.DLL [2016-12-25] (Microsoft Corporation)
Handler-x32: osf.16 - {5504BE45-A83B-4808-900A-3A5C36E7F77A} - C:\Program Files (x86)\Microsoft Office\root\Office16\MSOSB.DLL [2016-12-25] (Microsoft Corporation)

FireFox:
========
FF ProfilePath: C:\Users\Solar\AppData\Roaming\Mozilla\Firefox\Profiles\mpweb1ib.default-1486877155314 [2017-02-12]
FF Homepage: Mozilla\Firefox\Profiles\mpweb1ib.default-1486877155314 -> www.google.com
FF Plugin: @adobe.com/FlashPlayer -> C:\WINDOWS\system32\Macromed\Flash\NPSWF64_24_0_0_194.dll [2017-01-20] ()
FF Plugin-x32: @adobe.com/FlashPlayer -> C:\WINDOWS\SysWoW64\Macromed\Flash\NPSWF32_24_0_0_194.dll [2017-01-20] ()
FF Plugin-x32: @adobe.com/ShockwavePlayer -> C:\WINDOWS\SysWOW64\Adobe\Director\np32dsw_1223183.dll [2015-12-21] (Adobe Systems, Inc.)
FF Plugin-x32: @intel-webapi.intel.com/Intel WebAPI ipt;version=4.0.5 -> C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\IPT\npIntelWebAPIIPT.dll [2013-09-16] (Intel Corporation)
FF Plugin-x32: @intel-webapi.intel.com/Intel WebAPI updater -> C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\IPT\npIntelWebAPIUpdater.dll [2013-09-16] (Intel Corporation)
FF Plugin-x32: @java.com/DTPlugin,version=11.121.2 -> C:\Program Files (x86)\Java\jre1.8.0_121\bin\dtplugin\npDeployJava1.dll [2017-01-21] (Oracle Corporation)
FF Plugin-x32: @java.com/JavaPlugin,version=11.121.2 -> C:\Program Files (x86)\Java\jre1.8.0_121\bin\plugin2\npjp2.dll [2017-01-21] (Oracle Corporation)
FF Plugin-x32: @microsoft.com/Lync,version=15.0 -> C:\Program Files (x86)\Microsoft Office\root\VFS\ProgramFilesX86\Mozilla Firefox\plugins\npmeetingjoinpluginoc.dll [2016-12-25] (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/SharePoint,version=14.0 -> C:\Program Files (x86)\Microsoft Office\root\Office16\NPSPWRAP.DLL [2016-12-25] (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/WLPG,version=16.4.3528.0331 -> C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll [2014-03-31] (Microsoft Corporation)
FF Plugin-x32: Adobe Reader -> C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AIR\nppdf32.dll [2016-12-23] (Adobe Systems Inc.)
FF ExtraCheck: C:\Program Files (x86)\mozilla firefox\defaults\pref\local-settings.js [2014-10-24] <==== ATTENTION (Points to *.cfg file)
FF ExtraCheck: C:\Program Files (x86)\mozilla firefox\mozilla.cfg [2014-10-24] <==== ATTENTION

Chrome:
=======
CHR HKLM-x32\...\Chrome\Extension: [efaidnbmnnnibpcajpcglclefindmkaj] - hxxps://clients2.google.com/service/update2/crx

==================== Services (Whitelisted) ====================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R2 ClickToRunSvc; C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe [2946304 2016-12-25] (Microsoft Corporation)
S3 DAUpdaterSvc; C:\Program Files (x86)\Steam\steamapps\common\Dragon Age Ultimate Edition\bin_ship\DAUpdaterSvc.Service.exe [25832 2016-06-28] (BioWare)
R2 ETDService; C:\Program Files\Elantech\ETDService.exe [144104 2015-09-04] (ELAN Microelectronics Corp.)
R2 IAStorDataMgrSvc; C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe [18584 2014-10-09] (Intel Corporation)
R2 igfxCUIService2.0.0.0; C:\WINDOWS\system32\igfxCUIService.exe [373744 2016-11-01] (Intel Corporation)
R2 Intel(R) Capability Licensing Service Interface; C:\Program Files\Intel\iCLS Client\HeciServer.exe [747520 2013-08-27] (Intel(R) Corporation) [File not signed]
S3 Intel(R) Capability Licensing Service TCP IP Interface; C:\Program Files\Intel\iCLS Client\SocketHeciServer.exe [828376 2013-08-27] (Intel(R) Corporation)
R2 jhi_service; C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe [169432 2013-09-16] (Intel Corporation)
R2 Micro Star SCM; C:\Program Files (x86)\SCM\MSIService.exe [160768 2014-11-06] (Micro-Star International Co., Ltd.) [File not signed]
R2 MSI_SuperCharger; C:\Program Files (x86)\MSI\SUPER CHARGER\ChargeService.exe [162800 2014-02-21] (MSI)
R2 NVDisplay.ContainerLocalSystem; C:\Program Files\NVIDIA Corporation\Display.NvContainer\NVDisplay.Container.exe [458176 2016-12-29] (NVIDIA Corporation)
R2 Qualcomm Atheros Killer Service V2; C:\Program Files\Qualcomm Atheros\Network Manager\KillerService.exe [360448 2014-08-18] (Qualcomm Atheros) [File not signed]
R3 WdNisSvc; C:\Program Files\Windows Defender\NisSrv.exe [347328 2016-07-16] (Microsoft Corporation)
R2 WinDefend; C:\Program Files\Windows Defender\MsMpEng.exe [103720 2016-07-16] (Microsoft Corporation)
R2 ibtsiva; %SystemRoot%\system32\ibtsiva [X]

===================== Drivers (Whitelisted) ======================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

S1 BfLwf; C:\WINDOWS\system32\DRIVERS\bwcW8x64.sys [97968 2014-08-13] (Qualcomm Atheros, Inc.)
R3 ibtusb; C:\WINDOWS\system32\DRIVERS\ibtusb.sys [230656 2016-12-12] (Intel Corporation)
S3 Ke2200; C:\WINDOWS\System32\drivers\e22w8x64.sys [130224 2014-03-27] (Qualcomm Atheros, Inc.)
R3 KillerEth; C:\WINDOWS\System32\drivers\e2xw10x64.sys [170128 2016-02-05] (Qualcomm Atheros, Inc.)
R0 MBAMSwissArmy; C:\WINDOWS\System32\drivers\MBAMSwissArmy.sys [192216 2017-02-12] (Malwarebytes)
R3 MEIx64; C:\WINDOWS\system32\DRIVERS\TeeDriverx64.sys [99288 2013-09-16] (Intel Corporation)
S3 NetAdapterCx; C:\WINDOWS\System32\drivers\NetAdapterCx.sys [90624 2016-07-16] ()
R3 NETwNb64; C:\WINDOWS\System32\drivers\Netwbw02.sys [3485696 2016-07-16] (Intel Corporation)
R3 NTIOLib_1_0_3; C:\Program Files (x86)\MSI\SUPER CHARGER\NTIOLib_X64.sys [13368 2012-10-25] (MSI)
R3 nvlddmkm; C:\WINDOWS\System32\DriverStore\FileRepository\nvmiwu.inf_amd64_01856dcc82b1034f\nvlddmkm.sys [14190520 2017-01-17] (NVIDIA Corporation)
R3 RTSPER; C:\WINDOWS\system32\DRIVERS\RtsPer.sys [466648 2015-01-04] (Realsil Semiconductor Corporation)
S3 vmulti; C:\WINDOWS\System32\drivers\vmulti.sys [10752 2014-09-16] (Windows (R) Win 7 DDK provider) [File not signed]
S0 WdBoot; C:\WINDOWS\System32\drivers\WdBoot.sys [44056 2016-07-16] (Microsoft Corporation)
R0 WdFilter; C:\WINDOWS\System32\drivers\WdFilter.sys [290144 2016-07-16] (Microsoft Corporation)
R3 WdNisDrv; C:\WINDOWS\System32\Drivers\WdNisDrv.sys [123232 2016-07-16] (Microsoft Corporation)
R3 WINIO; C:\Program Files (x86)\MSI\Dragon Gaming Center\winio64.sys [15160 2010-06-07] ()
S3 XSplit_Dummy; C:\WINDOWS\system32\drivers\xspltspk.sys [26200 2015-05-25] (SplitmediaLabs Limited)
S4 nvvad_WaveExtensible; \SystemRoot\system32\drivers\nvvad64v.sys [X]

==================== NetSvcs (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)


==================== One Month Created files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2017-02-12 16:56 - 2017-02-12 16:57 - 00017103 _____ C:\Users\Solar\Desktop\FRST.txt
2017-02-12 16:56 - 2017-02-12 16:56 - 00000000 ____D C:\FRST
2017-02-12 16:53 - 2017-02-12 16:53 - 01763328 _____ (Farbar) C:\Users\Solar\Desktop\FRST.exe
2017-02-12 16:51 - 2017-02-12 16:55 - 02421248 _____ (Farbar) C:\Users\Solar\Desktop\FRST64.exe
2017-02-12 13:14 - 2017-02-12 13:16 - 00000000 ____D C:\AdwCleaner
2017-02-12 13:14 - 2017-02-12 13:14 - 04015056 _____ C:\Users\Solar\Desktop\AdwCleaner.exe
2017-02-12 13:12 - 2017-02-12 13:12 - 00000712 _____ C:\Users\Solar\Desktop\JRT.txt
2017-02-12 13:10 - 2017-02-12 13:10 - 01663040 _____ (Malwarebytes) C:\Users\Solar\Desktop\JRT.exe
2017-02-10 22:02 - 2017-02-10 22:02 - 00000000 ____D C:\Program Files (x86)\VulkanRT
2017-02-10 22:02 - 2016-09-09 12:25 - 00269600 _____ C:\WINDOWS\SysWOW64\vulkan-1.dll
2017-02-10 22:02 - 2016-09-09 12:25 - 00261920 _____ C:\WINDOWS\system32\vulkan-1.dll
2017-02-10 22:02 - 2016-09-09 12:25 - 00110880 _____ C:\WINDOWS\SysWOW64\vulkaninfo.exe
2017-02-10 22:02 - 2016-09-09 12:24 - 00125216 _____ C:\WINDOWS\system32\vulkaninfo.exe
2017-02-10 22:01 - 2016-12-29 07:10 - 00001951 _____ C:\WINDOWS\NvContainerRecovery.bat
2017-02-04 01:44 - 2017-02-04 01:44 - 00000000 ____D C:\Users\Solar\AppData\Local\KADOKAWA
2017-02-02 14:47 - 2017-02-10 22:00 - 00000000 ____D C:\WINDOWS\LastGood.Tmp
2017-01-31 22:13 - 2017-01-31 22:13 - 00001465 _____ C:\Users\Solar\AppData\Local\recently-used.xbel
2017-01-25 21:59 - 2017-01-25 22:05 - 00000124 _____ C:\Users\Solar\.packettracer
2017-01-25 21:59 - 2017-01-25 22:00 - 00019456 _____ C:\Users\Solar\AppData\Local\WebpageIcons.db
2017-01-25 21:59 - 2017-01-25 22:00 - 00000000 ____D C:\Users\Solar\Cisco Packet Tracer 7.0
2017-01-24 22:12 - 2016-11-25 22:12 - 00000032 ____R C:\ProgramData\hash.dat
2017-01-24 21:35 - 2016-12-21 01:08 - 00142848 _____ (Microsoft Corporation) C:\WINDOWS\system32\poqexec.exe
2017-01-24 21:35 - 2016-12-20 22:44 - 00120320 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\poqexec.exe
2017-01-17 05:54 - 2017-01-17 05:54 - 34717624 _____ (NVIDIA Corporation) C:\WINDOWS\system32\nvoglv64.dll
2017-01-17 05:53 - 2017-01-17 05:53 - 28209080 _____ (NVIDIA Corporation) C:\WINDOWS\SysWOW64\nvoglv32.dll
2017-01-17 05:53 - 2017-01-17 05:53 - 00951224 _____ (NVIDIA Corporation) C:\WINDOWS\system32\NvIFR64.dll
2017-01-17 05:53 - 2017-01-17 05:53 - 00904752 _____ (NVIDIA Corporation) C:\WINDOWS\SysWOW64\NvIFR.dll
2017-01-17 05:53 - 2017-01-17 05:53 - 00448568 _____ (NVIDIA Corporation) C:\WINDOWS\system32\NvIFROpenGL.dll
2017-01-17 05:53 - 2017-01-17 05:53 - 00397240 _____ (NVIDIA Corporation) C:\WINDOWS\SysWOW64\NvIFROpenGL.dll
2017-01-17 05:52 - 2017-01-17 05:52 - 40134192 _____ C:\WINDOWS\system32\nvcompiler.dll
2017-01-17 05:52 - 2017-01-17 05:52 - 02961336 _____ (NVIDIA Corporation) C:\WINDOWS\system32\nvcuvid.dll
2017-01-17 05:52 - 2017-01-17 05:52 - 02594744 _____ (NVIDIA Corporation) C:\WINDOWS\SysWOW64\nvcuvid.dll
2017-01-17 05:52 - 2017-01-17 05:52 - 01964600 _____ (NVIDIA Corporation) C:\WINDOWS\system32\nvdispco6437654.dll
2017-01-17 05:52 - 2017-01-17 05:52 - 01598392 _____ (NVIDIA Corporation) C:\WINDOWS\system32\nvdispgenco6437654.dll
2017-01-17 05:52 - 2017-01-17 05:52 - 01047096 _____ (NVIDIA Corporation) C:\WINDOWS\system32\NvFBC64.dll
2017-01-17 05:52 - 2017-01-17 05:52 - 00985136 _____ (NVIDIA Corporation) C:\WINDOWS\SysWOW64\NvFBC.dll
2017-01-17 05:51 - 2017-01-17 05:51 - 35233328 _____ C:\WINDOWS\SysWOW64\nvcompiler.dll
2017-01-17 05:51 - 2017-01-17 05:51 - 11017016 _____ (NVIDIA Corporation) C:\WINDOWS\system32\nvptxJitCompiler.dll
2017-01-17 05:51 - 2017-01-17 05:51 - 10907368 _____ (NVIDIA Corporation) C:\WINDOWS\system32\nvopencl.dll
2017-01-17 05:51 - 2017-01-17 05:51 - 09246824 _____ (NVIDIA Corporation) C:\WINDOWS\SysWOW64\nvopencl.dll
2017-01-17 05:51 - 2017-01-17 05:51 - 09000336 _____ (NVIDIA Corporation) C:\WINDOWS\SysWOW64\nvptxJitCompiler.dll
2017-01-17 05:51 - 2017-01-17 05:51 - 00818680 _____ (NVIDIA Corporation) C:\WINDOWS\system32\nvEncMFTH264.dll
2017-01-17 05:51 - 2017-01-17 05:51 - 00698544 _____ (NVIDIA Corporation) C:\WINDOWS\system32\nvfatbinaryLoader.dll
2017-01-17 05:51 - 2017-01-17 05:51 - 00586784 _____ (NVIDIA Corporation) C:\WINDOWS\SysWOW64\nvfatbinaryLoader.dll
2017-01-17 05:51 - 2017-01-17 05:51 - 00407240 _____ (NVIDIA Corporation) C:\WINDOWS\system32\nvEncodeAPI64.dll
2017-01-17 05:51 - 2017-01-17 05:51 - 00339144 _____ (NVIDIA Corporation) C:\WINDOWS\SysWOW64\nvEncodeAPI.dll
2017-01-17 05:50 - 2017-01-17 05:50 - 10453152 _____ (NVIDIA Corporation) C:\WINDOWS\system32\nvcuda.dll
2017-01-17 05:50 - 2017-01-17 05:50 - 08847016 _____ (NVIDIA Corporation) C:\WINDOWS\SysWOW64\nvcuda.dll
2017-01-17 05:50 - 2017-01-17 05:50 - 03509152 _____ (NVIDIA Corporation) C:\WINDOWS\SysWOW64\nvapi.dll
2017-01-17 05:50 - 2017-01-17 05:50 - 00658584 _____ (NVIDIA Corporation) C:\WINDOWS\SysWOW64\nvEncMFTH264.dll
2017-01-17 01:37 - 2017-01-17 01:37 - 00042296 _____ C:\WINDOWS\system32\nvinfo.pb

==================== One Month Modified files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2017-02-12 16:56 - 2016-11-18 18:07 - 00000000 ____D C:\Users\Solar\AppData\LocalLow\Mozilla
2017-02-12 16:55 - 2016-08-23 19:28 - 00000180 _____ C:\WINDOWS\system32\{A6D608F0-0BDE-491A-97AE-5C4B05D86E01}.bat
2017-02-12 16:55 - 2016-07-16 05:47 - 00000000 ____D C:\WINDOWS\LiveKernelReports
2017-02-12 16:55 - 2015-08-20 12:21 - 00000000 __SHD C:\Users\Solar\IntelGraphicsProfiles
2017-02-12 16:54 - 2016-08-23 19:33 - 00000000 ____D C:\Users\Solar
2017-02-12 16:54 - 2015-08-21 00:59 - 00000000 ____D C:\Users\Solar\AppData\Local\CrashDumps
2017-02-12 16:50 - 2016-08-23 19:25 - 00000000 ____D C:\WINDOWS\system32\SleepStudy
2017-02-12 13:20 - 2015-12-30 11:20 - 00192216 _____ (Malwarebytes) C:\WINDOWS\system32\Drivers\MBAMSwissArmy.sys
2017-02-12 13:19 - 2016-11-18 16:07 - 00000000 ____D C:\Program Files (x86)\Mozilla Firefox
2017-02-12 13:17 - 2016-10-28 10:12 - 00000000 ____D C:\ProgramData\NVIDIA
2017-02-12 13:17 - 2016-08-23 19:49 - 00000006 ____H C:\WINDOWS\Tasks\SA.DAT
2017-02-12 13:17 - 2016-07-16 00:04 - 00262144 _____ C:\WINDOWS\system32\config\BBI
2017-02-12 13:12 - 2015-08-21 09:12 - 00000000 ____D C:\Program Files (x86)\Steam
2017-02-12 13:10 - 2015-08-24 05:07 - 00000000 ____D C:\Users\Solar\AppData\Roaming\Curse Client
2017-02-12 13:08 - 2015-08-21 07:12 - 00000000 ____D C:\Program Files (x86)\osu!
2017-02-12 10:15 - 2016-07-16 05:47 - 00000000 ___HD C:\Program Files\WindowsApps
2017-02-12 10:15 - 2016-07-16 05:47 - 00000000 ____D C:\WINDOWS\AppReadiness
2017-02-12 10:15 - 2015-08-20 12:21 - 00000000 ____D C:\Users\Solar\AppData\Local\Packages
2017-02-11 23:21 - 2016-06-01 19:49 - 00000000 ____D C:\Program Files (x86)\Project64 1.6
2017-02-11 22:42 - 2015-09-10 09:15 - 00000000 ____D C:\Program Files (x86)\Mozilla Maintenance Service
2017-02-11 22:40 - 2016-10-06 12:09 - 00000000 ____D C:\Users\Solar\AppData\Local\Battle.net
2017-02-11 22:20 - 2016-10-06 12:07 - 00000000 ____D C:\Program Files (x86)\Battle.net
2017-02-10 23:25 - 2015-08-20 12:27 - 00000000 __RDO C:\Users\Solar\OneDrive
2017-02-10 23:17 - 2015-08-23 10:01 - 00000000 ____D C:\Users\Solar\.gimp-2.8
2017-02-10 22:40 - 2015-08-29 09:06 - 00000000 ____D C:\Program Files (x86)\Tor Browser
2017-02-10 21:59 - 2016-07-16 05:45 - 00000000 ____D C:\WINDOWS\INF
2017-02-09 14:58 - 2016-10-06 12:11 - 00000000 ____D C:\Program Files (x86)\Overwatch
2017-02-08 21:08 - 2016-10-23 19:19 - 00000000 ____D C:\Program Files (x86)\World of Warcraft
2017-02-05 23:17 - 2015-12-09 17:01 - 00000000 ____D C:\Users\Solar\AppData\Roaming\vlc
2017-02-02 19:49 - 2016-11-18 21:29 - 00000000 ____D C:\Program Files (x86)\Heroes of the Storm
2017-01-31 22:13 - 2015-08-23 10:03 - 00000000 ____D C:\Users\Solar\AppData\Local\gtk-2.0
2017-01-28 20:40 - 2015-09-04 17:13 - 00000000 ____D C:\Users\Solar\AppData\Local\MicrosoftEdge
2017-01-28 16:14 - 2016-07-16 05:47 - 00000000 ____D C:\WINDOWS\rescache
2017-01-27 09:10 - 2016-07-16 05:36 - 00000000 ____D C:\WINDOWS\CbsTemp
2017-01-26 21:20 - 2015-08-26 22:51 - 00000001 _____ C:\Users\Public\Documents\dgc.txt
2017-01-24 18:16 - 2016-07-16 05:47 - 00000000 ____D C:\ProgramData\regid.1991-06.com.microsoft
2017-01-24 18:12 - 2014-11-04 19:00 - 00000000 ____D C:\Program Files (x86)\Microsoft Office
2017-01-21 16:48 - 2015-09-10 09:09 - 00000000 ____D C:\ProgramData\Oracle
2017-01-21 16:47 - 2015-09-16 14:56 - 00097856 _____ (Oracle Corporation) C:\WINDOWS\SysWOW64\WindowsAccessBridge-32.dll
2017-01-21 16:47 - 2015-09-16 14:56 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Java
2017-01-21 16:47 - 2015-09-16 14:55 - 00000000 ____D C:\Program Files (x86)\Java
2017-01-20 20:32 - 2016-07-16 05:47 - 00000000 ____D C:\WINDOWS\SysWOW64\Macromed
2017-01-20 20:32 - 2016-07-16 05:47 - 00000000 ____D C:\WINDOWS\system32\Macromed
2017-01-20 20:32 - 2015-09-12 13:48 - 00000000 ____D C:\Users\Solar\AppData\Local\Adobe
2017-01-19 14:20 - 2016-01-12 19:07 - 00002457 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Acrobat Reader DC.lnk
2017-01-17 05:50 - 2016-10-28 10:09 - 03972960 _____ (NVIDIA Corporation) C:\WINDOWS\system32\nvapi64.dll
2017-01-15 16:02 - 2015-09-08 09:19 - 00000000 ____D C:\Users\Solar\AppData\Roaming\.minecraft

==================== Files in the root of some directories =======

2017-01-31 22:13 - 2017-01-31 22:13 - 0001465 _____ () C:\Users\Solar\AppData\Local\recently-used.xbel
2017-01-25 21:59 - 2017-01-25 22:00 - 0019456 _____ () C:\Users\Solar\AppData\Local\WebpageIcons.db
2017-01-24 22:12 - 2016-11-25 22:12 - 0000032 ____R () C:\ProgramData\hash.dat

Files to move or delete:
====================
C:\ProgramData\hash.dat


Some files in TEMP:
====================
2017-01-07 18:07 - 2017-01-07 18:07 - 0019968 ____N (Red Hat®, Inc.) C:\Users\Solar\AppData\Local\Temp\jansi-64-8994299583166820670.dll
2016-10-19 15:57 - 2016-10-19 15:57 - 0737856 _____ (Oracle Corporation) C:\Users\Solar\AppData\Local\Temp\jre-8u111-windows-au.exe
2017-01-21 16:46 - 2017-01-21 16:46 - 0739904 _____ (Oracle Corporation) C:\Users\Solar\AppData\Local\Temp\jre-8u121-windows-au.exe
2016-10-01 12:55 - 2016-10-01 12:55 - 41768576 _____ (Skype Technologies S.A.) C:\Users\Solar\AppData\Local\Temp\SkypeSetup.exe

==================== Bamital & volsnap ======================

(There is no automatic fix for files that do not pass verification.)

C:\WINDOWS\system32\winlogon.exe => File is digitally signed
C:\WINDOWS\system32\wininit.exe => File is digitally signed
C:\WINDOWS\explorer.exe => File is digitally signed
C:\WINDOWS\SysWOW64\explorer.exe => File is digitally signed
C:\WINDOWS\system32\svchost.exe => File is digitally signed
C:\WINDOWS\SysWOW64\svchost.exe => File is digitally signed
C:\WINDOWS\system32\services.exe => File is digitally signed
C:\WINDOWS\system32\User32.dll => File is digitally signed
C:\WINDOWS\SysWOW64\User32.dll => File is digitally signed
C:\WINDOWS\system32\userinit.exe => File is digitally signed
C:\WINDOWS\SysWOW64\userinit.exe => File is digitally signed
C:\WINDOWS\system32\rpcss.dll => File is digitally signed
C:\WINDOWS\system32\dnsapi.dll => File is digitally signed
C:\WINDOWS\SysWOW64\dnsapi.dll => File is digitally signed
C:\WINDOWS\system32\Drivers\volsnap.sys => File is digitally signed

LastRegBack: 2017-02-09 17:36

==================== End of FRST.txt ============================

Addition.txt


Thanks for those logs, continue as follows:

Download attached fixlist.txt file (end of reply) and save it to the Desktop, or the folder you saved FRST into. "Do not open that file"
NOTE. It's important that both FRST and fixlist.txt are in the same location or the fix will not work.

Open FRST and press the Fix button just once and wait.
The tool will make a log on the Desktop (Fixlog.txt) or the folder it was run from. Please post it to your reply.

Next,

Clean install Malwarebytes from version 2 to version 3...

Please download MBAM-clean and save it to your desktop.
 
  • Right-click on mbam-clean.exe icon and select Run as Administrator to start the tool.
  • It will ask you to reboot the machine - please do so.
  • Run the cleaner tool again, re-boot when complete. <<<---do not miss this step


If you have lost the activation licence key information it can be located here: http://www.cleverbridge.com/342/?scope=cusecolp

Download Malwarebytes version 3 from the following link:

https://www.malwarebytes.com/mwb-download/thankyou/

Double click on the installer and follow the prompts. If necessary select the Blue Help tab for video instructions....

When the install completes and is updated do the following:

Open Malwarebytes, select > "settings" > "protection tab"

Scroll down to "Scan Options" ensure Scan for Rootkits and Scan within Archives are both on....

Go back to "DashBoard" select the Blue "Scan Now" tab......

When the scan completes deal with any found entries... Then select "Export Summary" then "Text File (*.txt)", name that log and save it, you can copy or attach that to your reply...

If you have lost the activation licence key information it can be located here: http://www.cleverbridge.com/342/?scope=cusecolp

Next,

Emsisoft Emergency Kit
  • Click Here to download Emsisoft Emergency Kit. The download will automatically start after a moment.
  • Save EmsisoftEmergencyKit.exe to your Desktop.
  • Double click on EmsisoftEmergencyKit.exe (Windows Vista/7/8/10 users: Accept UAC warning if it is enabled). A screen like this will appear:
  • Leave everything as it is, then click Extract. This will unpack Emsisoft Emergency Kit to the EEK folder located in the root drive (usually C:\).
  • Once the extraction is done, an icon will appear on your Desktop. Double click it to start Emsisoft Emergency Kit.
  • Wait for Emsisoft Emergency Kit to finish loading signatures. A screen like this should appear:
  • Choose Yes, then wait for EEK to finish updating.
  • Choose Malware Scan under the Scan button. When EEK asks to activate PUP detection, choose Yes.
  • Wait for the scan to finish.
  • If EEK detects something, all detected items will be displayed. Place a checkmark before everything, then choose Quarantine Selected.
  • If Emsisoft Emergency Kit asks to reboot, please do so immediately.
  • The scan log is located in Logs -> Scan Logs. Click on the entry of the latest scan, choose Export and save the report on your Desktop.
  • Please Copy and Paste the contents of the scan log in your next reply.


Let me see those logs in your reply, also tell me if there are any remaining issues or concerns...

Thank you,

Kevin...

fixlist.txt


Fix result of Farbar Recovery Scan Tool (x64) Version: 12-02-2017
Ran by Solar (12-02-2017 17:37:16) Run:1
Running from C:\Users\Solar\Desktop
Loaded Profiles: Solar (Available Profiles: Solar)
Boot Mode: Normal
==============================================

fixlist content:
*****************
Start
CreateRestorePoint:
CloseProcesses:
HKU\S-1-5-21-541454271-1517337831-2707160555-1001\...\MountPoints2: {2f4e18bb-4b0f-11e5-8268-34e6ad7b1b63} - "F:\VerizonWirelessUpgradeAssistantSetup.exe" -a
ProxyEnable: [S-1-5-21-541454271-1517337831-2707160555-1001] => Proxy is enabled.
ProxyServer: [S-1-5-21-541454271-1517337831-2707160555-1001] => http=127.0.0.1:8877;https=127.0.0.1:8877
RemoveProxy:
FF ExtraCheck: C:\Program Files (x86)\mozilla firefox\defaults\pref\local-settings.js [2014-10-24] <==== ATTENTION (Points to *.cfg file)
FF ExtraCheck: C:\Program Files (x86)\mozilla firefox\mozilla.cfg [2014-10-24] <==== ATTENTION
R2 ibtsiva; %SystemRoot%\system32\ibtsiva [X]
S4 nvvad_WaveExtensible; \SystemRoot\system32\drivers\nvvad64v.sys [X]
C:\ProgramData\hash.dat
FirewallRules: [{7102CD25-47B4-47DE-A598-AEF69D10ECF0}] => LPort=1900
FirewallRules: [{9E47E124-3F88-45BC-AE0C-B3FD0241A99D}] => LPort=2869
CMD: ipconfig /flushDNS
EmptyTemp:
end

 

*****************

Restore point was successfully created.
Processes closed successfully.
HKU\S-1-5-21-541454271-1517337831-2707160555-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{2f4e18bb-4b0f-11e5-8268-34e6ad7b1b63} => key removed successfully
HKCR\CLSID\{2f4e18bb-4b0f-11e5-8268-34e6ad7b1b63} => key not found.
HKU\S-1-5-21-541454271-1517337831-2707160555-1001\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxyEnable => value removed successfully
HKU\S-1-5-21-541454271-1517337831-2707160555-1001\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxyServer => value removed successfully

========= RemoveProxy: =========

HKLM\SYSTEM\CurrentControlSet\services\NlaSvc\Parameters\Internet\ManualProxies\\ => value removed successfully
HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\\DefaultConnectionSettings => value removed successfully
HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\\SavedLegacySettings => value removed successfully
HKU\S-1-5-21-541454271-1517337831-2707160555-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\\DefaultConnectionSettings => value removed successfully
HKU\S-1-5-21-541454271-1517337831-2707160555-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\\SavedLegacySettings => value removed successfully


========= End of RemoveProxy: =========

C:\Program Files (x86)\mozilla firefox\defaults\pref\local-settings.js => moved successfully
C:\Program Files (x86)\mozilla firefox\mozilla.cfg => moved successfully
ibtsiva => Service stopped successfully.
HKLM\System\CurrentControlSet\Services\ibtsiva => key removed successfully
ibtsiva => service removed successfully
HKLM\System\CurrentControlSet\Services\nvvad_WaveExtensible => key removed successfully
nvvad_WaveExtensible => service removed successfully
C:\ProgramData\hash.dat => moved successfully
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{7102CD25-47B4-47DE-A598-AEF69D10ECF0} => value removed successfully
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{9E47E124-3F88-45BC-AE0C-B3FD0241A99D} => value removed successfully

========= ipconfig /flushDNS =========


Windows IP Configuration

Successfully flushed the DNS Resolver Cache.

========= End of CMD: =========


=========== EmptyTemp: ==========

BITS transfer queue => 0 B
DOMStore, IE Recovery, AppCache, Feeds Cache, Thumbcache, IconCache => 122113390 B
Java, Flash, Steam htmlcache => 517757736 B
Windows/system/drivers => 347721361 B
Edge => 8704 B
Chrome => 0 B
Firefox => 14138210 B
Opera => 0 B

Temp, IE cache, history, cookies, recent:
Default => 0 B
Users => 0 B
ProgramData => 0 B
Public => 0 B
systemprofile => 0 B
systemprofile32 => 0 B
LocalService => 35124 B
NetworkService => 551338 B
Solar => 720890873 B

RecycleBin => 0 B
EmptyTemp: => 1.6 GB temporary data Removed.

================================


The system needed a reboot.

==== End of Fixlog 17:38:57 ====

 

 

Emsisoft Emergency Kit - Version 12.0
Last update: 2/12/2017 11:59:47 PM
User account: TURTLE\Solar
Computer name: TURTLE
OS version: Windows 10x64

Scan settings:

Scan type: Malware Scan
Objects: Rootkits, Memory, Traces, Files

Detect PUPs: On
Scan archives: Off
ADS Scan: On
File extension filter: Off
Direct disk access: Off

Scan start:    2/13/2017 12:00:27 AM

Scanned    80326
Found    0

Scan end:    2/13/2017 12:07:30 AM
Scan time:    0:07:03

None of the searches found anything, so that's good. Gonna do another reboot and have Malwarebytes and Defender do a scan, and hopefully nothing comes up.

Malwarebytes scan result.txt


Alright, so after rebooting and scanning I got this scan result.

 

Malwarebytes
www.malwarebytes.com

-Log Details-
Scan Date: 2/13/17
Scan Time: 12:17 AM
Logfile: Malwarebytes scan result2.txt
Administrator: Yes

-Software Information-
Version: 3.0.6.1469
Components Version: 1.0.50
Update Package Version: 1.0.1248
License: Trial

-System Information-
OS: Windows 10
CPU: x64
File System: NTFS
User: TURTLE\Solar

-Scan Summary-
Scan Type: Threat Scan
Result: Completed
Objects Scanned: 403230
Time Elapsed: 20 min, 27 sec

-Scan Options-
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled

-Scan Details-
Process: 0
(No malicious items detected)

Module: 0
(No malicious items detected)

Registry Key: 1
PUM.Optional.ProxyHijacker, HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\NLASVC\PARAMETERS\INTERNET\MANUALPROXIES, No Action By User, [15083], [-1],0.0.0

Registry Value: 5
PUM.Optional.ProxyHijacker, HKU\S-1-5-21-541454271-1517337831-2707160555-1001\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS|PROXYSERVER, No Action By User, [15083], [183992],1.0.1248
PUM.Optional.ProxyHijacker, HKU\S-1-5-18\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS|PROXYENABLE, No Action By User, [15083], [-1],0.0.0
PUM.Optional.ProxyHijacker, HKU\S-1-5-21-541454271-1517337831-2707160555-1001\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS|PROXYENABLE, No Action By User, [15083], [-1],0.0.0
PUM.Optional.ProxyHijacker, HKU\S-1-5-21-541454271-1517337831-2707160555-1001\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS|PROXYSERVER, No Action By User, [15083], [-1],0.0.0
PUM.Optional.ProxyHijacker, HKU\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS|PROXYENABLE, No Action By User, [15083], [-1],0.0.0

Registry Data: 0
(No malicious items detected)

Data Stream: 0
(No malicious items detected)

Folder: 0
(No malicious items detected)

File: 0
(No malicious items detected)

Physical Sector: 0
(No malicious items detected)


(end)

 

Immediately after it said to restart my computer, which I did. I then got this scan log, which showed the quarantining of the detected items.

 

Malwarebytes
www.malwarebytes.com

-Log Details-
Scan Date: 2/13/17
Scan Time: 2:28 AM
Logfile: Malwarebytes scan result3.txt
Administrator: Yes

-Software Information-
Version: 3.0.6.1469
Components Version: 1.0.50
Update Package Version: 1.0.1249
License: Trial

-System Information-
OS: Windows 10
CPU: x64
File System: NTFS
User: System

-Scan Summary-
Scan Type: Threat Scan
Result: Completed
Objects Scanned: 394892
Time Elapsed: 3 min, 55 sec

-Scan Options-
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled

-Scan Details-
Process: 0
(No malicious items detected)

Module: 0
(No malicious items detected)

Registry Key: 1
PUM.Optional.ProxyHijacker, HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\NLASVC\PARAMETERS\INTERNET\MANUALPROXIES, Quarantined, [15084], [-1],0.0.0

Registry Value: 5
PUM.Optional.ProxyHijacker, HKU\S-1-5-21-541454271-1517337831-2707160555-1001\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS|PROXYSERVER, Quarantined, [15084], [183992],1.0.1249
PUM.Optional.ProxyHijacker, HKU\S-1-5-18\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS|PROXYENABLE, Quarantined, [15084], [-1],0.0.0
PUM.Optional.ProxyHijacker, HKU\S-1-5-21-541454271-1517337831-2707160555-1001\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS|PROXYENABLE, Quarantined, [15084], [-1],0.0.0
PUM.Optional.ProxyHijacker, HKU\S-1-5-21-541454271-1517337831-2707160555-1001\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS|PROXYSERVER, Quarantined, [15084], [-1],0.0.0
PUM.Optional.ProxyHijacker, HKU\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS|PROXYENABLE, Quarantined, [15084], [-1],0.0.0

Registry Data: 0
(No malicious items detected)

Data Stream: 0
(No malicious items detected)

Folder: 0
(No malicious items detected)

File: 0
(No malicious items detected)

Physical Sector: 0
(No malicious items detected)


(end)

Edited because accidentally pasted same log twice


To add to my previous post, immediately after posting it I ran another scan which gave me this:

 

Malwarebytes
www.malwarebytes.com

-Log Details-
Scan Date: 2/13/17
Scan Time: 8:46 AM
Logfile: Malwarebytes scan result4.txt
Administrator: Yes

-Software Information-
Version: 3.0.6.1469
Components Version: 1.0.50
Update Package Version: 1.0.1251
License: Trial

-System Information-
OS: Windows 10
CPU: x64
File System: NTFS
User: TURTLE\Solar

-Scan Summary-
Scan Type: Threat Scan
Result: Completed
Objects Scanned: 403310
Time Elapsed: 12 min, 24 sec

-Scan Options-
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled

-Scan Details-
Process: 0
(No malicious items detected)

Module: 0
(No malicious items detected)

Registry Key: 1
PUM.Optional.ProxyHijacker, HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\NLASVC\PARAMETERS\INTERNET\MANUALPROXIES, Quarantined, [15087], [-1],0.0.0

Registry Value: 5
PUM.Optional.ProxyHijacker, HKU\S-1-5-21-541454271-1517337831-2707160555-1001\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS|PROXYSERVER, Quarantined, [15087], [183992],1.0.1251
PUM.Optional.ProxyHijacker, HKU\S-1-5-18\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS|PROXYENABLE, Quarantined, [15087], [-1],0.0.0
PUM.Optional.ProxyHijacker, HKU\S-1-5-21-541454271-1517337831-2707160555-1001\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS|PROXYENABLE, Quarantined, [15087], [-1],0.0.0
PUM.Optional.ProxyHijacker, HKU\S-1-5-21-541454271-1517337831-2707160555-1001\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS|PROXYSERVER, Quarantined, [15087], [-1],0.0.0
PUM.Optional.ProxyHijacker, HKU\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS|PROXYENABLE, Quarantined, [15087], [-1],0.0.0

Registry Data: 0
(No malicious items detected)

Data Stream: 0
(No malicious items detected)

Folder: 0
(No malicious items detected)

File: 0
(No malicious items detected)

Physical Sector: 0
(No malicious items detected)


(end)

 

After I quarantined the items, Internet options opened up in the connections tab, opened up LAN settings, then auto closed in about 2 seconds. When I go in manually and uncheck use a proxy server, it auto opens and rechecks it. The address field is blank and the port number is 80.

Edit: When clicking advanced on proxy server, the exceptions are:

<-loopback>;www.x3watch.com

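The Fixlog entries and the LAN-settings behaviour described in the post above come down to a handful of registry locations. The following read-only PowerShell audit is an added example, not a tool from the thread or from Malwarebytes: it reads those keys under the current user, .DEFAULT and the SYSTEM account (S-1-5-18), parses a ProxyServer string in the form the Fixlog showed, and reports the same conditions the scanner flagged, including the `<-loopback>` exception. The ProxyOverride and AutoConfigURL value names are standard Windows ones and are assumed here; they do not appear in the thread's logs.

```powershell
# Added example (not from the thread): read-only audit of the proxy settings
# that kept reappearing in the Malwarebytes logs. Run elevated; nothing is changed.

$InternetSettings = 'Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$Hives = @(
    "HKCU:\$InternetSettings",
    "Registry::HKEY_USERS\.DEFAULT\$InternetSettings",
    "Registry::HKEY_USERS\S-1-5-18\$InternetSettings"      # SYSTEM account, as in the log
)
# Key flagged as PUM.Optional.ProxyHijacker in the Malwarebytes output above.
$ManualProxies = 'HKLM:\SYSTEM\CurrentControlSet\Services\NlaSvc\Parameters\Internet\ManualProxies'

# Turn "http=127.0.0.1:8877;https=127.0.0.1:8877" (the Fixlog value) into a
# protocol -> host:port table; a bare "host:port" applies to all protocols.
function ConvertFrom-ProxyServer {
    param([string]$Value)
    $map = @{}
    if ([string]::IsNullOrWhiteSpace($Value)) { return $map }
    foreach ($part in ($Value -split ';')) {
        if ($part -match '^(?<proto>\w+)=(?<addr>.+)$') { $map[$Matches['proto']] = $Matches['addr'] }
        elseif ($part.Trim()) { $map['all'] = $part.Trim() }
    }
    return $map
}

function Test-ProxyHive {
    param([string]$Key)
    if (-not (Test-Path -Path $Key)) { return }
    $p = Get-ItemProperty -Path $Key -ErrorAction SilentlyContinue
    $findings = @()
    if ($p.ProxyEnable -eq 1) { $findings += 'ProxyEnable is 1 (proxy switched on)' }
    foreach ($e in (ConvertFrom-ProxyServer $p.ProxyServer).GetEnumerator()) {
        # A proxy on the local machine puts some local process in the path of all
        # browser traffic; a corporate proxy would normally be a remote host.
        if ($e.Value -match '^(127\.|localhost)') { $findings += "$($e.Key) proxied via local address $($e.Value)" }
        else { $findings += "$($e.Key) proxied via $($e.Value)" }
    }
    # <-loopback> in the exception list removes Windows' default loopback bypass,
    # so even connections to 127.0.0.1 are sent through the proxy.
    if ($p.ProxyOverride -match '<-loopback>') { $findings += "ProxyOverride contains <-loopback>: $($p.ProxyOverride)" }
    if ($p.AutoConfigURL) { $findings += "AutoConfigURL (PAC script) set: $($p.AutoConfigURL)" }
    [pscustomobject]@{ Key = $Key; Findings = $findings }
}

$results = @(foreach ($h in $Hives) { Test-ProxyHive -Key $h })
if (Test-Path -Path $ManualProxies) {
    $results += [pscustomobject]@{ Key = $ManualProxies; Findings = @('ManualProxies key present') }
}
$hits = @($results | Where-Object { $_.Findings.Count -gt 0 })
foreach ($r in $hits) { $r.Key; $r.Findings | ForEach-Object { "    $_" } }
if ($hits.Count -eq 0) { 'No proxy settings found in the audited keys.' }
```

If the values are back after a reboot, as happened in this thread, something that starts with the system is rewriting them, so the audit is a check to repeat after each cleanup step rather than a fix on its own.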

Thanks for the update, if no more issues run the following to clean up:

Delete the Emsisoft installer from the Desktop or the folder it was saved to.... Delete this folder C:\EEK

Next,

Download "Delfix by Xplode" and save it to your desktop.

Or use the following if first link is down:

"Delfix link mirror"

If your security program alerts to Delfix either, accept the alert or turn your security off.

Double Click to start the program. If you are using Vista or higher, please right-click and choose run as administrator

Make Sure the following items are checked:

 
  • Remove disinfection tools <----- this will remove tools we have used.
  • Purge System Restore <--- this will remove all previous and possibly exploited restore points, a new point relative to system status at present will be created.
  • Reset system settings <--- this will reset any system settings back to default that were changed either by us during cleansing or malware/infection


Now click on "Run" and wait patiently until the tool has completed.

The tool will create a log when it has completed. We don't need you to post this.

Any remnant files/logs from tools we have used can be deleted…

Next,

Read the following links to fully understand PC Security and Best Practices, you may find them useful....

Answers to Common Security Questions and best Practices

Do I need a Registry Cleaner?

Take care and surf safe

Kevin...

 


Glad we could help. :) If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread. Other members who need assistance please start your own topic in a new thread. Thanks!


This topic is now closed to further replies.