Post by sasha22 on Oct 30, 2016 3:24:51 GMT -8
Emsisoft Emergency Kit - Version 11.9
Last update: 10/30/2016 7:06:36 AM
User account: Sasha22-PC\Sasha22
Computer name: SASHA22-PC
OS version: Windows 7x64 Service Pack 1
Scan settings:
Scan type: Malware Scan
Objects: Rootkits, Memory, Traces, Files
Detect PUPs: On
Scan archives: Off
ADS Scan: On
File extension filter: Off
Advanced caching: On
Direct disk access: Off
Scan start: 10/30/2016 7:11:15 AM
Key: HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\INTERFACE\{0CEC5206-43FA-4BC8-91A7-DC5B121F7960} detected: Application.BrowserExt (A)
Key: HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\WOW6432NODE\INTERFACE\{1606FE93-4CB7-4C6A-9947-7362FDB6C121} detected: Application.BrowserExt (A)
Key: HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\INTERFACE\{1606FE93-4CB7-4C6A-9947-7362FDB6C121} detected: Application.BrowserExt (A)
Key: HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\WOW6432NODE\INTERFACE\{178A8078-832D-4E6E-9287-29507867134A} detected: Application.BrowserExt (A)
Key: HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\INTERFACE\{178A8078-832D-4E6E-9287-29507867134A} detected: Application.BrowserExt (A)
Key: HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\WOW6432NODE\INTERFACE\{5F33EE20-E09F-45E9-AB0C-9221AF3D2651} detected: Application.BrowserExt (A)
Key: HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\INTERFACE\{5F33EE20-E09F-45E9-AB0C-9221AF3D2651} detected: Application.BrowserExt (A)
Key: HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\INTERFACE\{962DE9EA-6508-4D38-B5A1-EA8E431CF0A0} detected: Application.BrowserExt (A)
Key: HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\INTERFACE\{E9D59045-793B-4638-ABB6-881E6CE9AEEA} detected: Application.BrowserExt (A)
Key: HKEY_USERS\S-1-5-21-2287122347-3831853411-1151728686-1001\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES\{AFBCB7E0-F91A-4951-9F31-58FEE57A25C4} detected: Application.Win32.WSearch (A)
Key: HKEY_USERS\S-1-5-21-2287122347-3831853411-1151728686-1001\SOFTWARE\BFGBAR detected: Application.InstallAd (A)
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432NODE\GAMINGWONDERLANDEI detected: Application.InstallAd (A)
Key: HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\INTERFACE\{0CEC5206-43FA-4BC8-91A7-DC5B121F7960} detected: Application.BrowserExt (A)
Key: HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\WOW6432NODE\INTERFACE\{1606FE93-4CB7-4C6A-9947-7362FDB6C121} detected: Application.BrowserExt (A)
Key: HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\INTERFACE\{1606FE93-4CB7-4C6A-9947-7362FDB6C121} detected: Application.BrowserExt (A)
Key: HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\WOW6432NODE\INTERFACE\{178A8078-832D-4E6E-9287-29507867134A} detected: Application.BrowserExt (A)
Key: HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\INTERFACE\{178A8078-832D-4E6E-9287-29507867134A} detected: Application.BrowserExt (A)
Key: HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\WOW6432NODE\INTERFACE\{5F33EE20-E09F-45E9-AB0C-9221AF3D2651} detected: Application.BrowserExt (A)
Key: HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\INTERFACE\{5F33EE20-E09F-45E9-AB0C-9221AF3D2651} detected: Application.BrowserExt (A)
Key: HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\INTERFACE\{962DE9EA-6508-4D38-B5A1-EA8E431CF0A0} detected: Application.BrowserExt (A)
Key: HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\INTERFACE\{E9D59045-793B-4638-ABB6-881E6CE9AEEA} detected: Application.BrowserExt (A)
Scanned 80930
Found 21
Scan end: 10/30/2016 7:16:37 AM
Scan time: 0:05:22
dbrisen
Malware Removalists
Posts: 3,688
Post by dbrisen on Oct 30, 2016 10:48:08 GMT -8
Open notepad by pressing the Windows Key + R key, typing notepad in the Run box and pressing Enter. Please copy the contents of the quote box below. To do this, highlight the contents of the box, right click on it and select copy. Paste this into the open notepad. Save it to your desktop as fixlist.txt.
NOTE: It's important that both files, FRST64 and fixlist.txt, are in the same location or the fix will not work.
NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.
Start FRST that is on the desktop by right clicking on the file and selecting "Run as Administrator...", then press the Fix button just once and wait. If for some reason the tool needs a restart, please make sure you let the system restart normally. After that, let the tool complete its run. When finished, FRST will generate a log on the Desktop (Fixlog.txt). Please post it in your reply.
Post by sasha22 on Oct 31, 2016 9:25:49 GMT -8
Fix result of Farbar Recovery Scan Tool (x64) Version: 30-10-2016
Ran by Sasha22 (31-10-2016 12:59:44) Run:2
Running from C:\Users\Sasha22\Desktop
Loaded Profiles: Sasha22 (Available Profiles: Sasha22 & DefaultAppPool)
Boot Mode: Normal
==============================================
fixlist content:
*****************
Start
CreateRestorePoint:
CloseProcesses:
REG: reg delete HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\INTERFACE\{0CEC5206-43FA-4BC8-91A7-DC5B121F7960} /f
REG: reg delete HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\WOW6432NODE\INTERFACE\{1606FE93-4CB7-4C6A-9947-7362FDB6C121} /f
REG: reg delete HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\INTERFACE\{1606FE93-4CB7-4C6A-9947-7362FDB6C121} /f
REG: reg delete HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\WOW6432NODE\INTERFACE\{178A8078-832D-4E6E-9287-29507867134A} /f
REG: reg delete HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\INTERFACE\{178A8078-832D-4E6E-9287-29507867134A} /f
REG: reg delete HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\WOW6432NODE\INTERFACE\{5F33EE20-E09F-45E9-AB0C-9221AF3D2651} /f
REG: reg delete HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\INTERFACE\{5F33EE20-E09F-45E9-AB0C-9221AF3D2651} /f
REG: reg delete HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\INTERFACE\{962DE9EA-6508-4D38-B5A1-EA8E431CF0A0} /f
REG: reg delete HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\INTERFACE\{E9D59045-793B-4638-ABB6-881E6CE9AEEA} /f
REG: reg delete "HKEY_USERS\S-1-5-21-2287122347-3831853411-1151728686-1001\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES\{AFBCB7E0-F91A-4951-9F31-58FEE57A25C4}" /f
REG: reg delete HKEY_USERS\S-1-5-21-2287122347-3831853411-1151728686-1001\SOFTWARE\BFGBAR /f
REG: reg delete HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432NODE\GAMINGWONDERLANDEI /f
REG: reg delete HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\INTERFACE\{0CEC5206-43FA-4BC8-91A7-DC5B121F7960} /f
REG: reg delete HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\WOW6432NODE\INTERFACE\{1606FE93-4CB7-4C6A-9947-7362FDB6C121} /f
REG: reg delete HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\INTERFACE\{1606FE93-4CB7-4C6A-9947-7362FDB6C121} /f
REG: reg delete HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\WOW6432NODE\INTERFACE\{178A8078-832D-4E6E-9287-29507867134A} /f
REG: reg delete HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\INTERFACE\{178A8078-832D-4E6E-9287-29507867134A} /f
REG: reg delete HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\WOW6432NODE\INTERFACE\{5F33EE20-E09F-45E9-AB0C-9221AF3D2651} /f
REG: reg delete HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\INTERFACE\{5F33EE20-E09F-45E9-AB0C-9221AF3D2651} /f
REG: reg delete HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\INTERFACE\{962DE9EA-6508-4D38-B5A1-EA8E431CF0A0} /f
REG: reg delete HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\INTERFACE\{E9D59045-793B-4638-ABB6-881E6CE9AEEA} /f
cmd: ipconfig /flushdns
cmd: netsh advfirewall reset
cmd: netsh advfirewall set allprofiles state on
Reg: reg delete HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f
Reg: reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f
CMD: bitsadmin /reset /allusers
RemoveProxy:
EmptyTemp:
Reboot:
end
*****************
Restore point was successfully created. Processes closed successfully.
========= reg delete HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\INTERFACE\{0CEC5206-43FA-4BC8-91A7-DC5B121F7960} /f =========
The operation completed successfully.
========= End of Reg: =========
========= reg delete HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\WOW6432NODE\INTERFACE\{1606FE93-4CB7-4C6A-9947-7362FDB6C121} /f =========
The operation completed successfully.
========= End of Reg: =========
========= reg delete HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\INTERFACE\{1606FE93-4CB7-4C6A-9947-7362FDB6C121} /f =========
The operation completed successfully.
========= End of Reg: =========
========= reg delete HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\WOW6432NODE\INTERFACE\{178A8078-832D-4E6E-9287-29507867134A} /f =========
The operation completed successfully.
========= End of Reg: =========
========= reg delete HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\INTERFACE\{178A8078-832D-4E6E-9287-29507867134A} /f =========
The operation completed successfully.
========= End of Reg: =========
========= reg delete HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\WOW6432NODE\INTERFACE\{5F33EE20-E09F-45E9-AB0C-9221AF3D2651} /f =========
The operation completed successfully.
========= End of Reg: =========
========= reg delete HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\INTERFACE\{5F33EE20-E09F-45E9-AB0C-9221AF3D2651} /f =========
The operation completed successfully.
========= End of Reg: =========
========= reg delete HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\INTERFACE\{962DE9EA-6508-4D38-B5A1-EA8E431CF0A0} /f =========
The operation completed successfully.
========= End of Reg: =========
========= reg delete HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\INTERFACE\{E9D59045-793B-4638-ABB6-881E6CE9AEEA} /f =========
The operation completed successfully.
========= End of Reg: =========
========= reg delete "HKEY_USERS\S-1-5-21-2287122347-3831853411-1151728686-1001\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES\{AFBCB7E0-F91A-4951-9F31-58FEE57A25C4}" /f =========
The operation completed successfully.
========= End of Reg: =========
========= reg delete HKEY_USERS\S-1-5-21-2287122347-3831853411-1151728686-1001\SOFTWARE\BFGBAR /f =========
The operation completed successfully.
========= End of Reg: =========
========= reg delete HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432NODE\GAMINGWONDERLANDEI /f =========
The operation completed successfully.
========= End of Reg: =========
========= reg delete HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\INTERFACE\{0CEC5206-43FA-4BC8-91A7-DC5B121F7960} /f =========
ERROR: The system was unable to find the specified registry key or value.
========= End of Reg: =========
========= reg delete HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\WOW6432NODE\INTERFACE\{1606FE93-4CB7-4C6A-9947-7362FDB6C121} /f =========
ERROR: The system was unable to find the specified registry key or value.
========= End of Reg: =========
========= reg delete HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\INTERFACE\{1606FE93-4CB7-4C6A-9947-7362FDB6C121} /f =========
ERROR: The system was unable to find the specified registry key or value.
========= End of Reg: =========
========= reg delete HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\WOW6432NODE\INTERFACE\{178A8078-832D-4E6E-9287-29507867134A} /f =========
ERROR: The system was unable to find the specified registry key or value.
========= End of Reg: =========
========= reg delete HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\INTERFACE\{178A8078-832D-4E6E-9287-29507867134A} /f =========
ERROR: The system was unable to find the specified registry key or value.
========= End of Reg: =========
========= reg delete HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\WOW6432NODE\INTERFACE\{5F33EE20-E09F-45E9-AB0C-9221AF3D2651} /f =========
ERROR: The system was unable to find the specified registry key or value.
========= End of Reg: =========
========= reg delete HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\INTERFACE\{5F33EE20-E09F-45E9-AB0C-9221AF3D2651} /f =========
ERROR: The system was unable to find the specified registry key or value.
========= End of Reg: =========
========= reg delete HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\INTERFACE\{962DE9EA-6508-4D38-B5A1-EA8E431CF0A0} /f =========
ERROR: The system was unable to find the specified registry key or value.
========= End of Reg: =========
========= reg delete HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\INTERFACE\{E9D59045-793B-4638-ABB6-881E6CE9AEEA} /f =========
ERROR: The system was unable to find the specified registry key or value.
========= End of Reg: =========
========= ipconfig /flushdns =========
Windows IP Configuration
Successfully flushed the DNS Resolver Cache.
========= End of CMD: =========
========= netsh advfirewall reset =========
An error occurred while attempting to contact the Windows Firewall service. Make sure that the service is running and try your request again.
========= End of CMD: =========
========= netsh advfirewall set allprofiles state on =========
An error occurred while attempting to contact the Windows Firewall service. Make sure that the service is running and try your request again.
========= End of CMD: =========
========= reg delete HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f =========
The operation completed successfully.
========= End of Reg: =========
========= reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f =========
The operation completed successfully.
========= End of Reg: =========
========= bitsadmin /reset /allusers =========
BITSADMIN version 3.0 [ 7.5.7601 ] BITS administration utility. (C) Copyright 2000-2006 Microsoft Corp.
BITSAdmin is deprecated and is not guaranteed to be available in future versions of Windows. Administrative tools for the BITS service are now provided by BITS PowerShell cmdlets.
0 out of 0 jobs canceled.
========= End of CMD: =========
========= RemoveProxy: =========
HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\\DefaultConnectionSettings => value removed successfully
HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\\SavedLegacySettings => value removed successfully
HKU\S-1-5-21-2287122347-3831853411-1151728686-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\\DefaultConnectionSettings => value removed successfully
HKU\S-1-5-21-2287122347-3831853411-1151728686-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\\SavedLegacySettings => value removed successfully
========= End of RemoveProxy: =========
=========== EmptyTemp: ==========
BITS transfer queue => 20971520 B
DOMStore, IE Recovery, AppCache, Feeds Cache, Thumbcache, IconCache => 12396447 B
Java, Flash, Steam htmlcache => 29777 B
Windows/system/drivers => -774 B
Edge => 0 B
Chrome => 0 B
Firefox => 0 B
Opera => 0 B
Temp, IE cache, history, cookies, recent:
Default => 0 B
Public => 0 B
ProgramData => 0 B
systemprofile => 128 B
systemprofile32 => 0 B
LocalService => 0 B
NetworkService => 0 B
Sasha22 => 23305820 B
DefaultAppPool => 0 B
RecycleBin => 56352 B
EmptyTemp: => 54.1 MB temporary data Removed.
================================
The system needed a reboot.
==== End of Fixlog 13:00:45 ====
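A small reconciliation script, added here as an example (it is not Emsisoft's, FRST's or either poster's code), that parses the "Key: ... detected: ..." lines of the Emsisoft scan above and the "reg delete" sections of the Fixlog, then separates the benign "unable to find" errors (a key the fixlist listed twice, already deleted earlier in the same run) from deletes that genuinely failed, and lists any detection the fix never touched. It assumes only the line formats shown in this thread; the sample inputs embedded in it are constructed from keys quoted above, with one failure invented so that every branch is exercised.

```python
"""Reconcile a scanner's registry detections against the FRST Fixlog that remediated them.

Added example for this thread; not Emsisoft's, FRST's or the posters' own code.
Assumes only the two line shapes seen above:
  * Emsisoft Emergency Kit detections: "Key: <path> detected: <name> (A)"
  * FRST Fixlog sections: "========= reg delete <key> /f =========" followed by the command's result line
"""
import re

DETECT_RE = re.compile(r"Key:\s+(?P<key>.+?)\s+detected:\s+(?P<name>\S+\s+\(\w\))")
REG_HDR_RE = re.compile(r'^=+\s+reg delete\s+"?(?P<key>.+?)"?\s+/f\s+=+$')
SUCCESS = "The operation completed successfully."


def parse_detections(text):
    """Unique (key, detection_name) pairs in first-seen order; keys compared case-insensitively."""
    seen = {}
    for m in DETECT_RE.finditer(text):
        key = m.group("key")
        seen.setdefault(key.upper(), (key, m.group("name")))
    return list(seen.values())


def parse_fixlog(text):
    """(key, succeeded) for every 'reg delete' section, in the order FRST ran them."""
    results = []
    lines = text.splitlines()
    for i, line in enumerate(lines):
        m = REG_HDR_RE.match(line.strip())
        if m is None:
            continue
        # FRST prints the command's output (success text or an ERROR: line) right after the header.
        outcome = lines[i + 1].strip() if i + 1 < len(lines) else ""
        results.append((m.group("key"), outcome == SUCCESS))
    return results


def reconcile(detections, fix_results):
    """Bucket every delete and every detection so a reviewer sees what still needs attention."""
    removed = set()
    report = {"removed": [], "duplicate_not_found": [], "failed": [], "unaddressed": []}
    for key, ok in fix_results:
        if ok:
            removed.add(key.upper())
            report["removed"].append(key)
        elif key.upper() in removed:
            # Benign: the fixlist listed this key twice, so the second delete found nothing.
            report["duplicate_not_found"].append(key)
        else:
            # Not benign: the delete failed and nothing earlier in the run removed the key.
            report["failed"].append(key)
    for key, name in detections:
        if key.upper() not in removed:
            report["unaddressed"].append((key, name))
    return report


# Constructed sample in the shape of the Emsisoft output above: three keys, one listed twice.
SCAN_SAMPLE = r"""
Key: HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\INTERFACE\{0CEC5206-43FA-4BC8-91A7-DC5B121F7960} detected: Application.BrowserExt (A)
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432NODE\GAMINGWONDERLANDEI detected: Application.InstallAd (A)
Key: HKEY_USERS\S-1-5-21-2287122347-3831853411-1151728686-1001\SOFTWARE\BFGBAR detected: Application.InstallAd (A)
Key: HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\INTERFACE\{0CEC5206-43FA-4BC8-91A7-DC5B121F7960} detected: Application.BrowserExt (A)
"""

# Constructed Fixlog excerpt. The failure in the last section is invented to exercise the
# 'failed' bucket; in the real log above that delete succeeded.
FIXLOG_SAMPLE = r"""
========= reg delete HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\INTERFACE\{0CEC5206-43FA-4BC8-91A7-DC5B121F7960} /f =========
The operation completed successfully.
========= End of Reg: =========
========= reg delete HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432NODE\GAMINGWONDERLANDEI /f =========
The operation completed successfully.
========= End of Reg: =========
========= reg delete HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\INTERFACE\{0CEC5206-43FA-4BC8-91A7-DC5B121F7960} /f =========
ERROR: The system was unable to find the specified registry key or value.
========= End of Reg: =========
========= reg delete "HKEY_USERS\S-1-5-21-2287122347-3831853411-1151728686-1001\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES\{AFBCB7E0-F91A-4951-9F31-58FEE57A25C4}" /f =========
ERROR: The system was unable to find the specified registry key or value.
========= End of Reg: =========
"""


def demo():
    """Run the reconciliation over the constructed samples and print the buckets."""
    report = reconcile(parse_detections(SCAN_SAMPLE), parse_fixlog(FIXLOG_SAMPLE))
    for bucket, items in report.items():
        print(f"{bucket}: {len(items)}")
        for item in items:
            print("   ", item)
    return report


if __name__ == "__main__":
    demo()
```

Run against the full scan and Fixlog text from this thread, the "duplicate_not_found" bucket absorbs all nine ERROR lines (each is a repeat of a key deleted a few sections earlier), which is why the helper treated the log as a clean result rather than a failed fix.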
Post by dbrisen on Oct 31, 2016 22:03:02 GMT -8
How is your system and Norton running now?
Post by sasha22 on Nov 2, 2016 2:39:37 GMT -8
They both seem to be running good. Thanks for all your help. Sasha22
Post by dbrisen on Nov 2, 2016 11:31:30 GMT -8
We need to remove the tools we've used during the cleaning of your machine. Ensure the following is ticked:
- Remove disinfection tools
- Create registry backup
- Purge system restore
Then click Run. The program will run for a few moments and then notepad will open with a log. Please paste the log in your next reply. Once you have the log file saved, please reboot your system to complete the clean up process. Your system looks clean and your logs are fine. Unless you want something else done, you are done and free to go.
Final words from me: Surf safely, and watch when installing or letting anything add itself to your system. Remember, the best security is not on your system but in the chair in front of it. Take care and thanks for sticking with us in this rushed time.
=== options ====
Unchecky is a small service that runs in the background to help keep those "extra toolbars" and tag-along search engines from automatically installing. By automatically directing you to a custom install with all the options unchecked, only what you manually choose and confirm gets installed. CryptoPrevent is a free program that prevents CryptoLocker / ransomware from infecting your PC by locking down the OS so the malware can not get a grip on your system. You can read the details about this program here. Also, consider adding MalwareBytes Antimalware to your arsenal of safe keeping programs. Use the free version (not the paid or trial version) and you won't have a problem with your antivirus scanner program. Keep it updated and run a scan with it once a week. Lastly, if you use Firefox as your main web browser, consider adding the NoScript and uBlock Origin add-ons to the browser to block scripting hijacks and remove unwanted ads from the pages you view. You may also find some information and tips at this thread: How did I get infected in the first place? and COMPUTER SECURITY - a short guide to staying safer online
I'll leave this topic open for a few days so that if you have any questions you can come back here. Surf safe, my friend!!
Post by sasha22 on Nov 4, 2016 3:53:18 GMT -8
# DelFix v1.010 - Logfile created 04/11/2016 at 07:23:17
# Updated 26/04/2015 by Xplode
# Username : Sasha22 - SASHA22-PC
# Operating System : Windows 7 Home Premium Service Pack 1 (64 bits)
~ Removing disinfection tools ...
Deleted : C:\FRST
Deleted : C:\AdwCleaner
Deleted : C:\Users\Sasha22\Desktop\FRST-OlderVersion
Deleted : C:\Users\Sasha22\Desktop\Addition.txt
Deleted : C:\Users\Sasha22\Desktop\AdwCleaner[C0].txt
Deleted : C:\Users\Sasha22\Desktop\adwcleaner_6.030.exe
Deleted : C:\Users\Sasha22\Desktop\Fixlog.txt
Deleted : C:\Users\Sasha22\Desktop\FRST.txt
Deleted : C:\Users\Sasha22\Desktop\FRST64.exe
Deleted : C:\Users\Sasha22\Desktop\JRT.exe
Deleted : C:\Users\Sasha22\Desktop\JRT.txt
~ Creating registry backup ... OK
~ Cleaning system restore ...
Deleted : RP #430 [Windows Update | 10/15/2016 17:48:29]
Deleted : RP #431 [Windows Update | 10/19/2016 12:20:41]
Deleted : RP #433 [Restore Point Created by FRST | 10/26/2016 08:58:42]
Deleted : RP #434 [restore after trojan | 10/26/2016 14:20:40]
Deleted : RP #435 [JRT Pre-Junkware Removal | 10/29/2016 13:58:30]
Deleted : RP #437 [Restore Point Created by FRST | 10/31/2016 16:59:47]
New restore point created !
########## - EOF - ##########
These are the fix files still on my system:
- Malwarebytes Anti-Malware
- malwarebytes scan 10-29-2016
- EmsisoftEmergencyKit
- DelFix
Post by dbrisen on Nov 5, 2016 0:10:19 GMT -8
You can delete the C:\EEK folder to remove Emsisoft scanner if you want. You can uninstall Malwarebytes AntiMalware by going to the Control Panel > Programs and Features.
Both of these programs are more full-featured AntiMalware scanners and not malware removal tools (per se), so they are not included in the DelFix removal routines. Strange that DelFix still remains on the system; did DelFix cause a reboot or not?
Post by sasha22 on Nov 20, 2016 9:03:13 GMT -8
DelFix did cause a reboot. The DelFix was a file and not the program. I deleted the file. You say I "can" delete Emsisoft Emergency Kit and uninstall Malwarebytes Anti-malware. I ask: should I? The Malwarebytes Anti-malware is not offering a free version (only a free trial or purchase). Even though it says my free trial has ended, it still allows me to update the program and run a scan of my system. Currently I have installed: CryptoPrevent, Unchecky, SUPERAntiSpyware Free Edition and CCleaner from 2012.
Thanks for everything Sasha22
Post by dbrisen on Nov 20, 2016 22:37:27 GMT -8
I would keep the EEK and MBAM programs and use them as second opinion scanners. Malwarebytes is currently in 'free' mode on your machine (it does not make that apparent but it is). The programs you have are fine but just make sure that CCleaner is updated to the latest version as Piriform improves the cleaning and fixes any bugs very quickly.