Quads
Malware Removalists
In New Zealand
Posts: 9,387
Post by Quads on Jan 28, 2015 0:10:36 GMT -8
I will just have to work off the FRST.txt only that I already have.
Quads
mc74
New Helpee
Posts: 26
Post by mc74 on Jan 28, 2015 9:30:52 GMT -8
Hi Quads, Just got home from work and found out that the last time around (where I left it running this morning) FRST finished the job, i.e. the addition.txt file appears to provide more details. Here it is.
Addition.txt (13.13 KB)
Hope it's useful for you.
mc74
New Helpee
Posts: 26
Post by mc74 on Jan 28, 2015 9:34:49 GMT -8
And just to make sure, the FRST going with that (I don't have the impression it differs from the previous one though).
FRST
Quads
Malware Removalists
In New Zealand
Posts: 9,387
Post by Quads on Jan 29, 2015 9:35:59 GMT -8
I realise the large Time Zone difference between us also.

Press the Windows + R Keys on your keyboard at the same time. Type notepad and click OK.

Copy the entire content of the codebox below and paste into the notepad (Including start and end)

start
HKLM-x32\...\Run: [LManager] => [X]
HKLM-x32\...\Run: [] => [X]
HKU\S-1-5-21-673590877-4009869885-3665325015-1002\...\Run: [uTorrent] => C:\Users\Michiel\AppData\Roaming\uTorrent\uTorrent.exe [1374032 2015-01-21] (BitTorrent Inc.)
Startup: C:\Users\Michiel\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\4B6D28C3A.lnk
ShortcutTarget: 4B6D28C3A.lnk -> C:\ProgramData\A3C82D6B4.cpp ()
Startup: C:\Users\Michiel\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CC8D20965.lnk
ShortcutTarget: CC8D20965.lnk -> C:\ProgramData\A3C82D6B4.cpp ()
GroupPolicy: Group Policy on Chrome detected <======= ATTENTION
HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://start.mysearchdial.com/?f=1&a=dsites_14_11_ch&cd=2XzuyEtN2Y1L1QzutBtDyCzzzy0DtBtBtD0AyBtA0CyB0BtAtN0D0Tzu0SzztDtDtN1L2XzutBtFtCzztFtBtFtDtN1L1CzutCyEtDtAtDyD1V1StN1L1G1B1V1N2Y1L1Qzu2StByC0ByDyEtD0D0EtGyCtA0EtCtG0E0FyEyEtGtAtB0C0FtGyEyDtDyE0DtAzztAtB0Czyzz2QtN1M1F1B2Z1V1N2Y1L1Qzu2StB0F0DtDtC0D0FtAtGzyyEtA0BtGyDyCtB0DtGyByEtB0BtGtB0AyDtD0AtA0Czy0AyE0AyD2Q&cr=527364643&ir=
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Start Page = http://start.mysearchdial.com/?f=1&a=dsites_14_11_ch&cd=2XzuyEtN2Y1L1QzutBtDyCzzzy0DtBtBtD0AyBtA0CyB0BtAtN0D0Tzu0SzztDtDtN1L2XzutBtFtCzztFtBtFtDtN1L1CzutCyEtDtAtDyD1V1StN1L1G1B1V1N2Y1L1Qzu2StByC0ByDyEtD0D0EtGyCtA0EtCtG0E0FyEyEtGtAtB0C0FtGyEyDtDyE0DtAzztAtB0Czyzz2QtN1M1F1B2Z1V1N2Y1L1Qzu2StB0F0DtDtC0D0FtAtGzyyEtA0BtGyDyCtB0DtGyByEtB0BtGtB0AyDtD0AtA0Czy0AyE0AyD2Q&cr=527364643&ir=
URLSearchHook: [S-1-5-21-673590877-4009869885-3665325015-1001] ATTENTION ==> Default URLSearchHook is missing.
SearchScopes: HKLM -> DefaultScope {AE048EAA-DD82-4612-9CAA-7B18025E25A1} URL = http://start.mysearchdial.com/results.php?f=4&q={searchTerms}&a=dsites_14_11_ch&cd=2XzuyEtN2Y1L1QzutBtDyCzzzy0DtBtBtD0AyBtA0CyB0BtAtN0D0Tzu0SzztDtDtN1L2XzutBtFtCzztFtBtFtDtN1L1CzutCyEtDtAtDyD1V1StN1L1G1B1V1N2Y1L1Qzu2StByC0ByDyEtD0D0EtGyCtA0EtCtG0E0FyEyEtGtAtB0C0FtGyEyDtDyE0DtAzztAtB0Czyzz2QtN1M1F1B2Z1V1N2Y1L1Qzu2StB0F0DtDtC0D0FtAtGzyyEtA0BtGyDyCtB0DtGyByEtB0BtGtB0AyDtD0AtA0Czy0AyE0AyD2Q&cr=527364643&ir=
SearchScopes: HKLM -> {AE048EAA-DD82-4612-9CAA-7B18025E25A1} URL = http://start.mysearchdial.com/results.php?f=4&q={searchTerms}&a=dsites_14_11_ch&cd=2XzuyEtN2Y1L1QzutBtDyCzzzy0DtBtBtD0AyBtA0CyB0BtAtN0D0Tzu0SzztDtDtN1L2XzutBtFtCzztFtBtFtDtN1L1CzutCyEtDtAtDyD1V1StN1L1G1B1V1N2Y1L1Qzu2StByC0ByDyEtD0D0EtGyCtA0EtCtG0E0FyEyEtGtAtB0C0FtGyEyDtDyE0DtAzztAtB0Czyzz2QtN1M1F1B2Z1V1N2Y1L1Qzu2StB0F0DtDtC0D0FtAtGzyyEtA0BtGyDyCtB0DtGyByEtB0BtGtB0AyDtD0AtA0Czy0AyE0AyD2Q&cr=527364643&ir=
SearchScopes: HKU\S-1-5-21-673590877-4009869885-3665325015-1002 -> DefaultScope {AE048EAA-DD82-4612-9CAA-7B18025E25A1} URL = http://start.mysearchdial.com/results.php?f=4&q={searchTerms}&a=dsites_14_11_ch&cd=2XzuyEtN2Y1L1QzutBtDyCzzzy0DtBtBtD0AyBtA0CyB0BtAtN0D0Tzu0SzztDtDtN1L2XzutBtFtCzztFtBtFtDtN1L1CzutCyEtDtAtDyD1V1StN1L1G1B1V1N2Y1L1Qzu2StByC0ByDyEtD0D0EtGyCtA0EtCtG0E0FyEyEtGtAtB0C0FtGyEyDtDyE0DtAzztAtB0Czyzz2QtN1M1F1B2Z1V1N2Y1L1Qzu2StB0F0DtDtC0D0FtAtGzyyEtA0BtGyDyCtB0DtGyByEtB0BtGtB0AyDtD0AtA0Czy0AyE0AyD2Q&cr=527364643&ir=
SearchScopes: HKU\S-1-5-21-673590877-4009869885-3665325015-1002 -> {AE048EAA-DD82-4612-9CAA-7B18025E25A1} URL = http://start.mysearchdial.com/results.php?f=4&q={searchTerms}&a=dsites_14_11_ch&cd=2XzuyEtN2Y1L1QzutBtDyCzzzy0DtBtBtD0AyBtA0CyB0BtAtN0D0Tzu0SzztDtDtN1L2XzutBtFtCzztFtBtFtDtN1L1CzutCyEtDtAtDyD1V1StN1L1G1B1V1N2Y1L1Qzu2StByC0ByDyEtD0D0EtGyCtA0EtCtG0E0FyEyEtGtAtB0C0FtGyEyDtDyE0DtAzztAtB0Czyzz2QtN1M1F1B2Z1V1N2Y1L1Qzu2StB0F0DtDtC0D0FtAtGzyyEtA0BtGyDyCtB0DtGyByEtB0BtGtB0AyDtD0AtA0Czy0AyE0AyD2Q&cr=527364643&ir=
S2 Winmgmt; C:\PROGRA~3\4B6D28C3A.zot [X]
2015-01-27 19:16 - 2015-01-27 19:16 - 02747488 _____ (Symantec Corporation) C:\Users\Michiel\Downloads\FixPoweliks64.exe
Reboot:
end

Click File, Save As and type fixlist (.txt may be seen on the end depending on the system setup) as the File Name.

Both files, FRST and fixlist.txt have to be in the same location or the fix will not work!
Right-click on icon and select Run as Administrator to start FRST. (XP users click run after receipt of Windows Security Warning - Open File).
Press the button just once and wait.
If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.
When finished FRST will generate a log on the Desktop, called Fixlog.txt. To paste or attach back here
Quads
mc74
New Helpee
Posts: 26
Post by mc74 on Jan 29, 2015 10:06:53 GMT -8
Hi Quads,
I made the fixlist.txt file. Then I tried to run FRST like you said. It started to update itself and then closed. The new version had a different icon, the old version was saved in another folder on the desktop (FRST-Older version). The new version that replaced the version I downloaded yesterday will not run. I get a Windows message (in Dutch): this program will not run on your PC. Ask the software distributor if a version exists for your PC. You want me to try and run the older version in the desktop folder? Thanks
Quads
Malware Removalists
In New Zealand
Posts: 9,387
Post by Quads on Jan 29, 2015 10:19:32 GMT -8
No you can use the new version, FRST has updates all the time.
Go to the Bleeping Computer site where you originally downloaded FRST and download a fresh updated version (64 bit version).
Remember FRST at times gets detected and blocked from running by the SONAR component of the AV.
Quads
mc74
New Helpee
Posts: 26
Post by mc74 on Jan 29, 2015 11:15:05 GMT -8
The old version of FRST64 updates to a new version that will not work. When I try to redownload it using the link you provided, Norton automatically deletes it (with SONAR already disabled).
mc74
New Helpee
Posts: 26
Post by mc74 on Jan 29, 2015 11:17:38 GMT -8
I ran the older FRST64 version with internet connection cut off, so it would not automatically update before I could run it. It ran just fine, made a fixlog.txt and had the system reboot. It did not need to resume, appeared to be finished.
Fixlog.txt (5.99 KB)
The frequent Norton alerts seem to have ceased now.
Quads
Malware Removalists
In New Zealand
Posts: 9,387
Post by Quads on Jan 29, 2015 13:27:31 GMT -8
You do have PUPs (I took some items), but first
Now the Windows Security Center / Action Center and Windows Update etc. should be working, as the part of Windows involved has been repaired, then I had Windows Restart for the Changes to take effect.
Quads
mc74
New Helpee
Posts: 26
Post by mc74 on Jan 29, 2015 13:40:07 GMT -8
Windows Security Center is looking alright now.