Onesearch hijack [Closed]


This topic is locked

#1
lucille123

Member
86 posts

Hi,

My dad has been clicking on random advertisement videos and it looks like his search engine has been hijacked. I am sure his computer has some malware on it because it seems like it is running slow.

Any help is so greatly appreciated.

Lisa Huffman

Below are the FRST logs.

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 02.01.2018
Ran by Sydney (administrator) on SONY (02-01-2018 12:56:40)
Running from C:\Users\Sydney\Desktop
Loaded Profiles: Sydney (Available Profiles: Sydney)
Platform: Windows 8.1 (Update) (X64) Language: English (United States)
Internet Explorer Version 11 (Default browser: FF)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo...very-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(Microsoft Corporation) C:\Program Files\Windows Defender\MsMpEng.exe
(SlimWare Utilities, Inc.) C:\Program Files (x86)\DriverUpdate\DriverUpdate.exe
(Microsoft Corporation) C:\Windows\System32\SkyDrive.exe
(Microsoft Corporation) C:\Program Files\Windows Defender\NisSrv.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe
(Microsoft Corporation) C:\Windows\splwow64.exe
(Microsoft Corporation) C:\Windows\System32\WWAHost.exe
(Mozilla Corporation) C:\Users\Sydney\AppData\Local\Mozilla Firefox\firefox.exe
(Mozilla Corporation) C:\Users\Sydney\AppData\Local\Mozilla Firefox\firefox.exe
(Mozilla Corporation) C:\Users\Sydney\AppData\Local\Mozilla Firefox\firefox.exe
(Mozilla Corporation) C:\Users\Sydney\AppData\Local\Mozilla Firefox\firefox.exe
(Mozilla Corporation) C:\Users\Sydney\AppData\Local\Mozilla Firefox\firefox.exe
(Mozilla Corporation) C:\Users\Sydney\AppData\Local\Mozilla Firefox\firefox.exe
(Microsoft Corporation) C:\Program Files\Windows Defender\MpCmdRun.exe

==================== Registry (Whitelisted) ===========================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [Logitech Download Assistant] => C:\Windows\system32\rundll32.exe C:\Windows\System32\LogiLDA.dll,LogiFetch
HKLM\...\Run: [WindowsDefender] => "%ProgramFiles%\Windows Defender\MSASCuiL.exe"
HKU\S-1-5-21-334888320-4262496311-4089610012-1001\Control Panel\Desktop\\SCRNSAVE.EXE -> C:\WINDOWS\system32\Mystify.scr [133632 2014-11-21] (Microsoft Corporation)

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

Tcpip\Parameters: [DhcpNameServer] 10.0.1.1
Tcpip\..\Interfaces\{10CFF09F-1D71-42C5-978A-FAEF4FB05C35}: [DhcpNameServer] 10.0.1.1

Internet Explorer:
==================
HKU\S-1-5-21-334888320-4262496311-4089610012-1001\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = hxxp://www.msn.com/?ocid=iehp

FireFox:
========
FF DefaultProfile: g12ihscq.default
FF ProfilePath: C:\Users\Sydney\AppData\Roaming\Mozilla\Firefox\Profiles\g12ihscq.default [2018-01-02]
FF Homepage: Mozilla\Firefox\Profiles\g12ihscq.default -> moz-extension://c6dc83ff-f26e-4b90-81d1-fc8d4268204f/newtab/newtab.html
FF NewTabOverride: Mozilla\Firefox\Profiles\g12ihscq.default -> Enabled: [email protected]
FF Extension: (News) - C:\Users\Sydney\AppData\Roaming\Mozilla\Firefox\Profiles\g12ihscq.default\Extensions\[email protected] [2017-12-09]

==================== Services (Whitelisted) ====================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R3 WdNisSvc; C:\Program Files\Windows Defender\NisSrv.exe [361824 2017-08-11] (Microsoft Corporation)
R2 WinDefend; C:\Program Files\Windows Defender\MsMpEng.exe [119872 2017-08-11] (Microsoft Corporation)

===================== Drivers (Whitelisted) ======================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R1 MpKsl38489c4e; C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{D7B70955-C0FA-431E-B234-5C7FE6740B63}\MpKsl38489c4e.sys [58120 2018-01-02] (Microsoft Corporation)
S3 SWDUMon; C:\WINDOWS\system32\DRIVERS\SWDUMon.sys [13920 2017-12-28] ()
S0 WdBoot; C:\WINDOWS\System32\drivers\WdBoot.sys [46600 2017-08-11] (Microsoft Corporation)
R0 WdFilter; C:\WINDOWS\System32\drivers\WdFilter.sys [274776 2017-08-11] (Microsoft Corporation)
R3 WdNisDrv; C:\WINDOWS\System32\Drivers\WdNisDrv.sys [117592 2017-08-11] (Microsoft Corporation)

==================== NetSvcs (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)


==================== One Month Created files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2018-01-02 12:56 - 2018-01-02 12:56 - 000004650 _____ C:\Users\Sydney\Desktop\FRST.txt
2018-01-02 12:53 - 2018-01-02 12:56 - 000000000 ____D C:\FRST
2018-01-02 12:53 - 2018-01-02 12:53 - 002393088 _____ (Farbar) C:\Users\Sydney\Desktop\FRST64.exe
2017-12-28 07:38 - 2018-01-02 07:38 - 000000484 _____ C:\WINDOWS\Tasks\DriverUpdate Scan.job
2017-12-28 07:38 - 2017-12-28 07:38 - 000013920 _____ C:\WINDOWS\system32\Drivers\SWDUMon.sys
2017-12-28 07:38 - 2017-12-28 07:38 - 000003194 _____ C:\WINDOWS\System32\Tasks\DriverUpdate Scan
2017-12-28 07:38 - 2017-12-28 07:38 - 000002838 _____ C:\WINDOWS\System32\Tasks\DriverUpdate Startup
2017-12-28 07:38 - 2017-12-28 07:38 - 000000430 _____ C:\WINDOWS\Tasks\DriverUpdate Startup.job
2017-12-28 07:37 - 2017-12-28 07:37 - 000000000 ____D C:\Users\Sydney\AppData\Local\SlimWare Utilities Inc
2017-12-17 13:28 - 2017-12-17 13:28 - 000002501 _____ C:\Users\Public\Desktop\DriverUpdate.lnk
2017-12-17 13:28 - 2017-12-17 13:28 - 000000000 ____D C:\Users\Sydney\AppData\Local\Downloaded Installers
2017-12-17 13:28 - 2017-12-17 13:28 - 000000000 ____D C:\Users\Sydney\AppData\Local\CalendarSparkTooltab
2017-12-17 13:28 - 2017-12-17 13:28 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\DriverUpdate
2017-12-17 13:28 - 2017-12-17 13:28 - 000000000 ____D C:\Program Files (x86)\DriverUpdate
2017-12-17 13:25 - 2017-12-17 13:25 - 000000000 ____D C:\Users\Sydney\AppData\Local\FromDocToPDFTooltab
2017-12-12 15:05 - 2017-11-17 10:37 - 004168704 _____ (Microsoft Corporation) C:\WINDOWS\system32\win32k.sys
2017-12-12 15:05 - 2017-11-13 22:57 - 025731072 _____ (Microsoft Corporation) C:\WINDOWS\system32\mshtml.dll
2017-12-12 15:05 - 2017-11-13 22:30 - 000577024 _____ (Microsoft Corporation) C:\WINDOWS\system32\vbscript.dll
2017-12-12 15:05 - 2017-11-13 22:25 - 005925888 _____ (Microsoft Corporation) C:\WINDOWS\system32\jscript9.dll
2017-12-12 15:05 - 2017-11-13 22:20 - 000817152 _____ (Microsoft Corporation) C:\WINDOWS\system32\jscript.dll
2017-12-12 15:05 - 2017-11-13 21:55 - 001033216 _____ (Microsoft Corporation) C:\WINDOWS\system32\inetcomm.dll
2017-12-12 15:05 - 2017-11-13 21:48 - 015267328 _____ (Microsoft Corporation) C:\WINDOWS\system32\ieframe.dll
2017-12-12 15:05 - 2017-11-13 21:48 - 000807936 _____ (Microsoft Corporation) C:\WINDOWS\system32\msfeeds.dll
2017-12-12 15:05 - 2017-11-13 21:39 - 003241472 _____ (Microsoft Corporation) C:\WINDOWS\system32\wininet.dll
2017-12-12 15:05 - 2017-11-13 21:27 - 001544192 _____ (Microsoft Corporation) C:\WINDOWS\system32\urlmon.dll
2017-12-12 15:05 - 2017-11-13 21:16 - 000800768 _____ (Microsoft Corporation) C:\WINDOWS\system32\ieapfltr.dll
2017-12-12 15:05 - 2017-11-13 20:37 - 013679616 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\ieframe.dll
2017-12-12 15:05 - 2017-11-13 20:10 - 020269056 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\mshtml.dll
2017-12-12 15:05 - 2017-11-13 19:32 - 000499200 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\vbscript.dll
2017-12-12 15:05 - 2017-11-08 10:55 - 000032256 ____C (Microsoft Corporation) C:\WINDOWS\system32\Drivers\BasicRender.sys
2017-12-12 15:05 - 2017-11-07 16:15 - 000323584 _____ (Microsoft Corporation) C:\WINDOWS\system32\iprtrmgr.dll
2017-12-12 15:05 - 2017-11-07 15:49 - 000179712 _____ (Microsoft Corporation) C:\WINDOWS\system32\itss.dll
2017-12-12 15:05 - 2017-11-07 15:46 - 000285184 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\iprtrmgr.dll
2017-12-12 15:05 - 2017-11-07 15:39 - 000662016 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\jscript.dll
2017-12-12 15:05 - 2017-11-07 15:29 - 001080320 _____ (Microsoft Corporation) C:\WINDOWS\system32\IKEEXT.DLL
2017-12-12 15:05 - 2017-11-07 15:27 - 004509696 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\jscript9.dll
2017-12-12 15:05 - 2017-11-07 15:27 - 000151040 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\itss.dll
2017-12-12 15:05 - 2017-11-07 15:22 - 000880640 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\inetcomm.dll
2017-12-12 15:05 - 2017-11-07 15:18 - 000694272 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\msfeeds.dll
2017-12-12 15:05 - 2017-11-07 15:08 - 000713216 _____ (Microsoft Corporation) C:\WINDOWS\system32\nshwfp.dll
2017-12-12 15:05 - 2017-11-07 15:04 - 002767872 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\wininet.dll
2017-12-12 15:05 - 2017-11-07 15:02 - 000562176 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\nshwfp.dll
2017-12-12 15:05 - 2017-11-07 15:01 - 001313280 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\urlmon.dll
2017-12-12 15:05 - 2017-11-07 14:58 - 000710144 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\ieapfltr.dll
2017-12-12 15:05 - 2017-10-18 12:14 - 000136904 _____ (Microsoft Corporation) C:\WINDOWS\system32\wuauclt.exe
2017-12-12 15:05 - 2017-10-14 02:55 - 000445440 _____ (Microsoft Corporation) C:\WINDOWS\system32\certcli.dll
2017-12-12 15:05 - 2017-10-14 02:29 - 001436672 _____ (Microsoft Corporation) C:\WINDOWS\system32\lsasrv.dll
2017-12-12 15:05 - 2017-10-14 02:23 - 000963072 _____ (Microsoft Corporation) C:\WINDOWS\system32\kerberos.dll
2017-12-12 15:05 - 2017-10-14 02:17 - 003717632 _____ (Microsoft Corporation) C:\WINDOWS\system32\wuaueng.dll
2017-12-12 15:05 - 2017-10-14 01:41 - 000324096 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\certcli.dll
2017-12-12 15:05 - 2017-10-14 01:19 - 000780800 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\kerberos.dll
2017-12-12 15:05 - 2017-10-10 11:39 - 001192960 _____ (Microsoft Corporation) C:\WINDOWS\system32\uxtheme.dll
2017-12-12 15:05 - 2017-10-10 11:29 - 000068096 _____ (Microsoft Corporation) C:\WINDOWS\system32\UXInit.dll
2017-12-12 15:05 - 2017-10-10 10:42 - 000050176 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\UXInit.dll
2017-12-12 15:05 - 2017-10-10 09:58 - 000949760 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\uxtheme.dll
2017-12-05 09:23 - 2017-12-05 06:44 - 000020734 _____ C:\Users\Sydney\Documents\1987%20when%20I%20joined%20toastmaster.odt_0.odt

==================== One Month Modified files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2018-01-02 11:26 - 2017-10-30 12:36 - 000000000 ____D C:\Users\Sydney\AppData\LocalLow\Mozilla
2018-01-02 08:25 - 2017-10-30 08:37 - 000003914 _____ C:\WINDOWS\System32\Tasks\User_Feed_Synchronization-{9A594337-E62B-4967-B670-910067D4443D}
2018-01-01 17:40 - 2017-11-02 12:50 - 000000000 ____D C:\Users\Sydney\Documents\My written documents
2018-01-01 14:15 - 2017-11-02 12:50 - 000000000 ____D C:\Users\Sydney\Documents\Intro
2017-12-30 20:02 - 2013-08-22 10:36 - 000000000 ____D C:\WINDOWS\AppReadiness
2017-12-29 15:22 - 2013-08-22 10:36 - 000000000 ____D C:\WINDOWS\system32\NDF
2017-12-29 07:01 - 2016-12-04 13:22 - 000003598 _____ C:\WINDOWS\System32\Tasks\Optimize Start Menu Cache Files-S-1-5-21-334888320-4262496311-4089610012-1001
2017-12-29 06:55 - 2017-10-30 12:35 - 000001245 _____ C:\Users\Sydney\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Mozilla Firefox.lnk
2017-12-29 06:55 - 2017-10-30 12:35 - 000000000 ____D C:\Users\Sydney\AppData\Local\Mozilla Firefox
2017-12-28 12:10 - 2016-12-04 13:16 - 000000000 ____D C:\Users\Sydney\AppData\Local\Packages
2017-12-28 12:10 - 2013-08-22 10:36 - 000000000 ___HD C:\Program Files\WindowsApps
2017-12-28 08:38 - 2013-08-22 08:36 - 000000000 ____D C:\WINDOWS\Inf
2017-12-28 07:38 - 2017-10-30 07:41 - 000000000 ____D C:\Users\Sydney\OneDrive
2017-12-28 07:36 - 2014-11-21 03:44 - 000820208 _____ C:\WINDOWS\system32\PerfStringBackup.INI
2017-12-28 07:31 - 2013-08-22 09:45 - 000000006 ____H C:\WINDOWS\Tasks\SA.DAT
2017-12-24 19:09 - 2017-11-02 12:50 - 000015008 _____ C:\Users\Sydney\Documents\Boca Toastmaster 7 pm.odt
2017-12-24 19:07 - 2017-11-02 12:50 - 000013662 _____ C:\Users\Sydney\Documents\Advanced Toastmaster.odt
2017-12-18 09:23 - 2017-11-02 12:50 - 000012849 _____ C:\Users\Sydney\Documents\Audience Analysis.odt
2017-12-15 18:05 - 2013-08-22 10:36 - 000000000 ____D C:\WINDOWS\rescache
2017-12-15 17:07 - 2013-08-22 09:44 - 000363304 _____ C:\WINDOWS\system32\FNTCACHE.DAT
2017-12-15 17:06 - 2013-08-22 08:25 - 000262144 ___SH C:\WINDOWS\system32\config\BBI
2017-12-14 18:39 - 2017-11-02 12:50 - 000015265 _____ C:\Users\Sydney\Documents\Goals.odt
2017-12-14 15:38 - 2014-10-14 13:03 - 000000000 ____D C:\Users\Sydney\Desktop\backup 10-14
2017-12-13 08:31 - 2017-11-02 12:51 - 000062441 _____ C:\Users\Sydney\Documents\2 on sayings.odt
2017-12-12 16:50 - 2012-07-26 02:59 - 000000000 ____D C:\WINDOWS\CbsTemp
2017-12-12 16:48 - 2017-10-31 03:01 - 133326408 ____C (Microsoft Corporation) C:\WINDOWS\system32\MRT-KB890830.exe
2017-12-12 16:48 - 2016-12-04 18:09 - 000000000 ____D C:\WINDOWS\system32\MRT
2017-12-12 16:47 - 2016-12-04 18:09 - 133326408 ____C (Microsoft Corporation) C:\WINDOWS\system32\MRT.exe
2017-12-10 09:11 - 2017-11-02 12:50 - 000020638 _____ C:\Users\Sydney\Documents\what you want a story to do.odt
2017-12-10 08:48 - 2017-11-02 12:50 - 000015094 _____ C:\Users\Sydney\Documents\Boca Noon.odt
2017-12-10 08:35 - 2017-11-02 12:51 - 000018959 _____ C:\Users\Sydney\Documents\Action Plan to improve your use of humor.odt
2017-12-10 08:31 - 2017-11-02 12:51 - 000019444 _____ C:\Users\Sydney\Documents\14 steps to Preparartion for a speech.odt
2017-12-08 22:22 - 2017-08-11 18:34 - 000000000 ____D C:\Users\Sydney
2017-12-05 14:50 - 2017-11-02 12:36 - 000000000 ____D C:\Users\Sydney\Documents\HARRY'S FILES
2017-12-05 06:29 - 2017-11-02 12:51 - 000020184 _____ C:\Users\Sydney\Documents\1987 when I joined toastmaster.odt
2017-12-04 20:26 - 2017-11-02 12:50 - 000036733 _____ C:\Users\Sydney\Documents\Dancing tips from Harry Huffman.odt
2017-12-04 11:23 - 2014-11-21 11:03 - 000835576 _____ (Adobe Systems Incorporated) C:\WINDOWS\SysWOW64\FlashPlayerApp.exe
2017-12-04 11:23 - 2014-11-21 11:03 - 000177656 _____ (Adobe Systems Incorporated) C:\WINDOWS\SysWOW64\FlashPlayerCPLApp.cpl

==================== Bamital & volsnap ======================

(There is no automatic fix for files that do not pass verification.)

C:\WINDOWS\system32\winlogon.exe => File is digitally signed
C:\WINDOWS\system32\wininit.exe => File is digitally signed
C:\WINDOWS\explorer.exe => File is digitally signed
C:\WINDOWS\SysWOW64\explorer.exe => File is digitally signed
C:\WINDOWS\system32\svchost.exe => File is digitally signed
C:\WINDOWS\SysWOW64\svchost.exe => File is digitally signed
C:\WINDOWS\system32\services.exe => File is digitally signed
C:\WINDOWS\system32\User32.dll => File is digitally signed
C:\WINDOWS\SysWOW64\User32.dll => File is digitally signed
C:\WINDOWS\system32\userinit.exe => File is digitally signed
C:\WINDOWS\SysWOW64\userinit.exe => File is digitally signed
C:\WINDOWS\system32\rpcss.dll => File is digitally signed
C:\WINDOWS\system32\dnsapi.dll => File is digitally signed
C:\WINDOWS\SysWOW64\dnsapi.dll => File is digitally signed
C:\WINDOWS\system32\Drivers\volsnap.sys => File is digitally signed

LastRegBack: 2017-12-29 04:09

==================== End of FRST.txt ============================


Additional scan result of Farbar Recovery Scan Tool (x64) Version: 02.01.2018
Ran by Sydney (02-01-2018 12:57:22)
Running from C:\Users\Sydney\Desktop
Windows 8.1 (Update) (X64) (2017-10-30 12:39:08)
Boot Mode: Normal
==========================================================


==================== Accounts: =============================

Administrator (S-1-5-21-334888320-4262496311-4089610012-500 - Administrator - Disabled)
Guest (S-1-5-21-334888320-4262496311-4089610012-501 - Limited - Disabled)
Sydney (S-1-5-21-334888320-4262496311-4089610012-1001 - Administrator - Enabled) => C:\Users\Sydney

==================== Security Center ========================

(If an entry is included in the fixlist, it will be removed.)

AV: Windows Defender (Enabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
AS: Windows Defender (Enabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

==================== Installed Programs ======================

(Only the adware programs with "Hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)

CalendarSpark Internet Explorer Homepage and New Tab (HKU\S-1-5-21-334888320-4262496311-4089610012-1001\...\CalendarSparkTooltab Uninstall Internet Explorer) (Version:  - Mindspark Interactive Network, Inc.) <==== ATTENTION
Canon MX880 series MP Drivers (HKLM\...\{1199FAD5-9546-44f3-81CF-FFDB8040B7BF}_Canon_MX880_series) (Version:  - )
DriverUpdate (HKLM-x32\...\{055C7DA5-A1F5-41FB-932C-82474ED3487A}) (Version: 2.7.11 - Slimware Utilities Holdings, Inc.) Hidden
DriverUpdate (HKLM-x32\...\DriverUpdate) (Version: 2.7.11 - Slimware Utilities Holdings, Inc.)
FromDocToPDF Internet Explorer Homepage and New Tab (HKU\S-1-5-21-334888320-4262496311-4089610012-1001\...\FromDocToPDFTooltab Uninstall Internet Explorer) (Version:  - Mindspark Interactive Network, Inc.) <==== ATTENTION
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.6161 (HKLM\...\{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4}) (Version: 9.0.30729.6161 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (HKLM-x32\...\{9BE518E6-ECC6-35A9-88E4-87755C07200F}) (Version: 9.0.30729.6161 - Microsoft Corporation)
Mozilla Firefox 57.0.3 (x86 en-US) (HKU\S-1-5-21-334888320-4262496311-4089610012-1001\...\Mozilla Firefox 57.0.3 (x86 en-US)) (Version: 57.0.3 - Mozilla)
OpenOffice 4.1.4 (HKLM-x32\...\{BDB210E1-06C5-451F-BDAC-C18DDC7C2F14}) (Version: 4.14.9788 - Apache Software Foundation)

==================== Custom CLSID (Whitelisted): ==========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)


==================== Scheduled Tasks (Whitelisted) =============

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

Task: {2DDD154A-9783-4437-903F-C6D0133FBB01} - System32\Tasks\DriverUpdate Startup => C:\Program Files (x86)\DriverUpdate\DriverUpdate.exe [2017-07-19] (SlimWare Utilities, Inc.)
Task: {632D400E-0EE5-4FC4-A1A3-5C73FEA61324} - \Microsoft\Windows\Setup\EOSNotify -> No File <==== ATTENTION
Task: {7AF9AD0D-1D65-4331-B2E6-B92DD6AC8A8E} - System32\Tasks\DriverUpdate Scan => C:\Program Files (x86)\DriverUpdate\DriverUpdate.exe [2017-07-19] (SlimWare Utilities, Inc.)

(If an entry is included in the fixlist, the task (.job) file will be moved. The file which is running by the task will not be moved.)

Task: C:\WINDOWS\Tasks\DriverUpdate Scan.job => C:\Program Files (x86)\DriverUpdate\DriverUpdate.exe
Task: C:\WINDOWS\Tasks\DriverUpdate Startup.job => C:\Program Files (x86)\DriverUpdate\DriverUpdate.exe

==================== Shortcuts & WMI ========================

(The entries could be listed to be restored or removed.)


==================== Loaded Modules (Whitelisted) ==============


==================== Alternate Data Streams (Whitelisted) =========

(If an entry is included in the fixlist, only the ADS will be removed.)


==================== Safe Mode (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.)


==================== Association (Whitelisted) ===============

(If an entry is included in the fixlist, the registry item will be restored to default or removed.)


==================== Internet Explorer trusted/restricted ===============

(If an entry is included in the fixlist, it will be removed from the registry.)


==================== Hosts content: ===============================

(If needed Hosts: directive could be included in the fixlist to reset Hosts.)

2013-08-22 08:25 - 2013-08-22 08:25 - 000000824 _____ C:\WINDOWS\system32\Drivers\etc\hosts


==================== Other Areas ============================

(Currently there is no automatic fix for this section.)

HKU\S-1-5-21-334888320-4262496311-4089610012-1001\Control Panel\Desktop\\Wallpaper -> C:\Users\Sydney\AppData\Roaming\Microsoft\Windows\Themes\TranscodedWallpaper
DNS Servers: 10.0.1.1
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System => (ConsentPromptBehaviorAdmin: 5) (ConsentPromptBehaviorUser: 3) (EnableLUA: 1)
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer => (SmartScreenEnabled: RequireAdmin)
Windows Firewall is enabled.

==================== MSCONFIG/TASK MANAGER disabled items ==


==================== FirewallRules (Whitelisted) ===============

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)


==================== Restore Points =========================

12-12-2017 16:47:08 Windows Update
21-12-2017 04:21:20 Scheduled Checkpoint
28-12-2017 04:40:05 Scheduled Checkpoint

==================== Faulty Device Manager Devices =============

Name: Multimedia Video Controller
Description: Multimedia Video Controller
Class Guid:
Manufacturer:
Service:
Problem: : The drivers for this device are not installed. (Code 28)
Resolution: To install the drivers for this device, click "Update Driver", which starts the Hardware Update wizard.

Name: PCI Simple Communications Controller
Description: PCI Simple Communications Controller
Class Guid:
Manufacturer:
Service:
Problem: : The drivers for this device are not installed. (Code 28)
Resolution: To install the drivers for this device, click "Update Driver", which starts the Hardware Update wizard.

Name: Base System Device
Description: Base System Device
Class Guid:
Manufacturer:
Service:
Problem: : The drivers for this device are not installed. (Code 28)
Resolution: To install the drivers for this device, click "Update Driver", which starts the Hardware Update wizard.

Name:
Description:
Class Guid:
Manufacturer:
Service:
Problem: : The drivers for this device are not installed. (Code 28)
Resolution: To install the drivers for this device, click "Update Driver", which starts the Hardware Update wizard.

Name: Touchscreen
Description: Touchscreen
Class Guid:
Manufacturer:
Service:
Problem: : The drivers for this device are not installed. (Code 28)
Resolution: To install the drivers for this device, click "Update Driver", which starts the Hardware Update wizard.


==================== Event log errors: =========================

Application errors:
==================
Error: (12/29/2017 03:21:08 PM) (Source: Application Hang) (EventID: 1002) (User: )
Description: The program IEXPLORE.EXE version 11.0.9600.18817 stopped interacting with Windows and was closed. To see if more information about the problem is available, check the problem history in the Action Center control panel.

Process ID: 120c

Start Time: 01d380e11b7e3a67

Termination Time: 15

Application Path: C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

Report Id: c561c91b-ecd5-11e7-be81-f07bcbd62ee8

Faulting package full name:

Faulting package-relative application ID:

Error: (12/29/2017 06:51:14 AM) (Source: Application Hang) (EventID: 1002) (User: )
Description: The program IEXPLORE.EXE version 11.0.9600.18817 stopped interacting with Windows and was closed. To see if more information about the problem is available, check the problem history in the Action Center control panel.

Process ID: 12cc

Start Time: 01d380257205c624

Termination Time: 93

Application Path: C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

Report Id: 8f8e9e9f-ec8e-11e7-be81-f07bcbd62ee8

Faulting package full name:

Faulting package-relative application ID:

Error: (12/24/2017 04:07:04 PM) (Source: Microsoft-Windows-LocationProvider) (EventID: 2006) (User: NT AUTHORITY)
Description: There was an error with the Windows Location Provider database

Error: (12/22/2017 06:00:29 PM) (Source: Application Hang) (EventID: 1002) (User: )
Description: The program IEXPLORE.EXE version 11.0.9600.18817 stopped interacting with Windows and was closed. To see if more information about the problem is available, check the problem history in the Action Center control panel.

Process ID: 1898

Start Time: 01d37b64185a890a

Termination Time: 0

Application Path: C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

Report Id: e55882f8-e76b-11e7-be80-f07bcbd62ee8

Faulting package full name:

Faulting package-relative application ID:

Error: (12/21/2017 08:00:12 PM) (Source: Application Hang) (EventID: 1002) (User: )
Description: The program IEXPLORE.EXE version 11.0.9600.18817 stopped interacting with Windows and was closed. To see if more information about the problem is available, check the problem history in the Action Center control panel.

Process ID: 72c

Start Time: 01d37aac7f8f1a7e

Termination Time: 59

Application Path: C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

Report Id: 74120160-e6b3-11e7-be80-f07bcbd62ee8

Faulting package full name:

Faulting package-relative application ID:

Error: (12/21/2017 05:39:07 PM) (Source: Application Hang) (EventID: 1002) (User: )
Description: The program IEXPLORE.EXE version 11.0.9600.18817 stopped interacting with Windows and was closed. To see if more information about the problem is available, check the problem history in the Action Center control panel.

Process ID: 7c0

Start Time: 01d37aaa22e3532b

Termination Time: 0

Application Path: C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

Report Id: b2dd0aac-e69f-11e7-be80-f07bcbd62ee8

Faulting package full name:

Faulting package-relative application ID:

Error: (12/21/2017 05:22:07 PM) (Source: Application Hang) (EventID: 1002) (User: )
Description: The program IEXPLORE.EXE version 11.0.9600.18817 stopped interacting with Windows and was closed. To see if more information about the problem is available, check the problem history in the Action Center control panel.

Process ID: 1a5c

Start Time: 01d37aa90a8f7ba1

Termination Time: 44

Application Path: C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

Report Id: 5e887dff-e69d-11e7-be80-f07bcbd62ee8

Faulting package full name:

Faulting package-relative application ID:

Error: (12/17/2017 04:52:48 PM) (Source: Application Hang) (EventID: 1002) (User: )
Description: The program IEXPLORE.EXE version 11.0.9600.18817 stopped interacting with Windows and was closed. To see if more information about the problem is available, check the problem history in the Action Center control panel.

Process ID: 1260

Start Time: 01d3778101d5a9a5

Termination Time: 15

Application Path: C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

Report Id: 9ce0d523-e374-11e7-be80-f07bcbd62ee8

Faulting package full name:

Faulting package-relative application ID:

Error: (12/16/2017 08:37:20 PM) (Source: Application Hang) (EventID: 1002) (User: )
Description: The program IEXPLORE.EXE version 11.0.9600.18817 stopped interacting with Windows and was closed. To see if more information about the problem is available, check the problem history in the Action Center control panel.

Process ID: d80

Start Time: 01d376d6b01598ac

Termination Time: 23

Application Path: C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

Report Id: cfbfb5e5-e2ca-11e7-be80-f07bcbd62ee8

Faulting package full name:

Faulting package-relative application ID:

Error: (12/16/2017 12:23:06 PM) (Source: Microsoft-Windows-Immersive-Shell) (EventID: 5973) (User: SONY)
Description: Activation of app microsoft.windowscommunicationsapps_8wekyb3d8bbwe!Microsoft.WindowsLive.Mail failed with error: -2147024809 See the Microsoft-Windows-TWinUI/Operational log for additional information.


System errors:
=============
Error: (12/28/2017 04:48:03 PM) (Source: Schannel) (EventID: 4119) (User: NT AUTHORITY)
Description: A fatal alert was received from the remote endpoint. The TLS protocol defined fatal alert code is 20.

Error: (12/28/2017 04:47:40 PM) (Source: Schannel) (EventID: 4119) (User: NT AUTHORITY)
Description: A fatal alert was received from the remote endpoint. The TLS protocol defined fatal alert code is 20.

Error: (12/28/2017 07:31:54 AM) (Source: EventLog) (EventID: 6008) (User: )
Description: The previous system shutdown at 7:07:56 AM on ‎12/‎28/‎2017 was unexpected.

Error: (12/28/2017 06:39:01 AM) (Source: Schannel) (EventID: 4119) (User: NT AUTHORITY)
Description: A fatal alert was received from the remote endpoint. The TLS protocol defined fatal alert code is 20.

Error: (12/27/2017 03:03:46 PM) (Source: Schannel) (EventID: 4119) (User: NT AUTHORITY)
Description: A fatal alert was received from the remote endpoint. The TLS protocol defined fatal alert code is 20.

Error: (12/25/2017 12:29:48 PM) (Source: Schannel) (EventID: 4119) (User: NT AUTHORITY)
Description: A fatal alert was received from the remote endpoint. The TLS protocol defined fatal alert code is 20.

Error: (12/21/2017 07:57:00 AM) (Source: Schannel) (EventID: 4119) (User: NT AUTHORITY)
Description: A fatal alert was received from the remote endpoint. The TLS protocol defined fatal alert code is 20.

Error: (12/20/2017 07:06:15 AM) (Source: Schannel) (EventID: 4119) (User: NT AUTHORITY)
Description: A fatal alert was received from the remote endpoint. The TLS protocol defined fatal alert code is 20.

Error: (12/19/2017 06:30:09 PM) (Source: Schannel) (EventID: 4119) (User: NT AUTHORITY)
Description: A fatal alert was received from the remote endpoint. The TLS protocol defined fatal alert code is 20.

Error: (12/19/2017 09:43:26 AM) (Source: Schannel) (EventID: 4119) (User: NT AUTHORITY)
Description: A fatal alert was received from the remote endpoint. The TLS protocol defined fatal alert code is 20.


==================== Memory info ===========================

Processor: Intel® Core™2 Quad CPU Q8400 @ 2.66GHz
Percentage of memory in use: 39%
Total physical RAM: 8127.18 MB
Available physical RAM: 4931.93 MB
Total Virtual: 9407.18 MB
Available Virtual: 6121.97 MB

==================== Drives ================================

Drive c: () (Fixed) (Total:931.17 GB) (Free:901.4 GB) NTFS
Drive e: () (Removable) (Total:0.48 GB) (Free:0.46 GB) FAT

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (MBR Code: Windows 7 or 8) (Size: 931.5 GB) (Disk ID: EA36DBB8)
Partition 1: (Active) - (Size=350 MB) - (Type=07 NTFS)
Partition 2: (Not Active) - (Size=931.2 GB) - (Type=07 NTFS)

========================================================
Disk: 1 (Size: 489 MB) (Disk ID: 00000000)

Partition: GPT.

==================== End of Addition.txt ============================


  • 0



#2
Bruce1270

Bruce1270

    Trusted Helper

  • Malware Removal
  • 1,703 posts

Hello lucille123 and :welcome:
 
My name is Bruce1270 and I will be helping you with your malware problem.  

A few things before we get started.

Please read all instructions carefully. If there is anything you do not understand please ask me first before doing anything.
Please be patient. I am a volunteer who does this in my spare time so I will try to get back to you as soon as possible.
Please follow all instructions in the order given.
Please do not install any other software unless advised. This may hinder the removal process.
At the top of your post, please click on the "Follow this topic" button and make sure that the "Received notification" box is checked and set to "Instantly". This will send an email to you as soon as I reply to your topic, allowing us to solve your problem faster.
Please make sure you reply within 4 days to my responses. If there is no reply within 4 days, the topic will be closed and you will need to request that the topic be reopened.


Important!

Please save or print off these instructions. Part of this fix may require you to be in safe mode where you will not be able to access the internet or my instructions!

I would strongly recommend you back up your personal data and folders before we begin.

Malware removal can be very long, complicated and may take multiple steps. I understand this may be frustrating but please stay with this topic until your machine is declared clean. The results will hopefully be very rewarding. :happy:
As we go along please tell me how the computer is running now. Please be as descriptive as possible e.g. I'm still getting web redirects, I am unable to access the internet etc.

OK. Let's move on.

Step 1 - Remove Unwanted Programs

Please remove the following programs:

CalendarSpark Internet Explorer Homepage and New Tab
DriverUpdate
FromDocToPDF Internet Explorer Homepage and New Tab


To do this:
Swipe in from the right edge of the screen, then tap Search. (If you're using a mouse, point to the top-right corner of the screen, move the mouse pointer down, then click Search.)
Enter control panel in the search box, then tap or click Control Panel.
Under View by:, select Large Icons, then tap or click Programs and features.
Tap or click the program, then tap or click Uninstall.
Follow the instructions on screen.


Step 2 - FRST fix

Highlight the entire content of the quote box below.

CreateRestorePoint:
(SlimWare Utilities, Inc.) C:\Program Files (x86)\DriverUpdate\DriverUpdate.exe
S3 SWDUMon; C:\WINDOWS\system32\DRIVERS\SWDUMon.sys [13920 2017-12-28] ()
C:\WINDOWS\system32\DRIVERS\SWDUMon.sys
2017-12-28 07:38 - 2018-01-02 07:38 - 000000484 _____ C:\WINDOWS\Tasks\DriverUpdate Scan.job
2017-12-28 07:38 - 2017-12-28 07:38 - 000013920 _____ C:\WINDOWS\system32\Drivers\SWDUMon.sys
2017-12-28 07:38 - 2017-12-28 07:38 - 000003194 _____ C:\WINDOWS\System32\Tasks\DriverUpdate Scan
2017-12-28 07:38 - 2017-12-28 07:38 - 000002838 _____ C:\WINDOWS\System32\Tasks\DriverUpdate Startup
2017-12-28 07:38 - 2017-12-28 07:38 - 000000430 _____ C:\WINDOWS\Tasks\DriverUpdate Startup.job
2017-12-28 07:37 - 2017-12-28 07:37 - 000000000 ____D C:\Users\Sydney\AppData\Local\SlimWare Utilities Inc
2017-12-17 13:28 - 2017-12-17 13:28 - 000002501 _____ C:\Users\Public\Desktop\DriverUpdate.lnk
2017-12-17 13:28 - 2017-12-17 13:28 - 000000000 ____D C:\Users\Sydney\AppData\Local\Downloaded Installers
2017-12-17 13:28 - 2017-12-17 13:28 - 000000000 ____D C:\Users\Sydney\AppData\Local\CalendarSparkTooltab
2017-12-17 13:28 - 2017-12-17 13:28 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\DriverUpdate
2017-12-17 13:28 - 2017-12-17 13:28 - 000000000 ____D C:\Program Files (x86)\DriverUpdate
2017-12-17 13:25 - 2017-12-17 13:25 - 000000000 ____D C:\Users\Sydney\AppData\Local\FromDocToPDFTooltab
Task: {2DDD154A-9783-4437-903F-C6D0133FBB01} - System32\Tasks\DriverUpdate Startup => C:\Program Files (x86)\DriverUpdate\DriverUpdate.exe [2017-07-19] (SlimWare Utilities, Inc.)
Task: {632D400E-0EE5-4FC4-A1A3-5C73FEA61324} - \Microsoft\Windows\Setup\EOSNotify -> No File <==== ATTENTION
Task: {7AF9AD0D-1D65-4331-B2E6-B92DD6AC8A8E} - System32\Tasks\DriverUpdate Scan => C:\Program Files (x86)\DriverUpdate\DriverUpdate.exe [2017-07-19] (SlimWare Utilities, Inc.)
Task: C:\WINDOWS\Tasks\DriverUpdate Scan.job => C:\Program Files (x86)\DriverUpdate\DriverUpdate.exe
Task: C:\WINDOWS\Tasks\DriverUpdate Startup.job => C:\Program Files (x86)\DriverUpdate\DriverUpdate.exe
CMD: netsh advfirewall reset
CMD: netsh advfirewall set allprofiles state on
Hosts:
EmptyTemp:

Right click on the highlighted text and select Copy.
Start FRST (FRST64) with Administrator privileges.
Press the Fix button. FRST will process the lines copied above from the clipboard.
When finished, a log file (Fixlog.txt) will pop up and be saved in the same location the tool was run from.
Please copy and paste its contents in your next reply.


Step 3 - Run AdwCleaner

Download AdwCleaner from here to the Desktop.

Close all open windows and browsers.
Double click the AdwCleaner icon to execute the program.
When the tool opens for the first time, accept the Terms of Use.
Click the Scan button and wait for the program to finish.
Click on Tools, then Options.
Tick to reset:
TCP/IP Settings
IPSec
IE policies
Chrome policies
Chrome preferences
Click OK.
Please click the Clean button.
When cleaning is finished, you may be prompted to restart your computer. Do so.
Upon completion, a log (AdwCleaner[C*].txt) will open.
Please copy and paste this in your next reply.


Step 4 - Malwarebytes Scan

Please download Malwarebytes to your desktop.
Double-click mb3-consumer-{version number}.exe and follow the prompts to install the program. Note: This will be the trial version for 14 days and then reverts to the free version.
Click on Scan Now.

The scan will automatically commence.

If any threats are detected, put a checkmark on all detected and click on "Quarantine Selected".
Selected reports may be viewed on screen, or exported to a text file for later viewing. Please note that only manual (on demand) scans are available for users of the free version of Malwarebytes.

Please note that an Export button is shown at the bottom left corner of this screen. This allows you to make a copy of the log for use by other programs. You may export to your clipboard or to a text (TXT) file. Export to a .txt file and post its contents.

Things for your next post:
Fixlog.txt
AdwCleaner[C*].txt
MBAM log
How is the computer running now?

 


  • 0

#3
lucille123

lucille123

    Member

  • Topic Starter
  • Member
  • PipPip
  • 86 posts

Hi,

 

Thank you so much for your response.

 

When I try to do the frst step, I am not sure where to paste the copied portion before hitting the button fix.

 

The instructions you gave were:

 

Right click on the highlighted text and select Copy.
Start FRST (FRST64) with Administrator privileges.
Press the Fix button. FRST will process the lines copied above from the clipboard.
When finished, a log file (Fixlog.txt) will pop up and be saved in the same location the tool was run from.
Please copy and paste its contents in your next reply.

 

Where do I paste the info?


  • 0

#4
Bruce1270

Bruce1270

    Trusted Helper

  • Malware Removal
  • 1,703 posts
Hi lucille123

You shouldn't need to paste it. Once it is copied, pressing Fix should process it.
  • 0

#5
lucille123

lucille123

    Member

  • Topic Starter
  • Member
  • PipPip
  • 86 posts

When I try pressing the fix button, a message box pops up and says

 

No fixlist.txt found. The fixlist.txt should be in the same folder/directory the tool is located.


  • 0

#6
Bruce1270

Bruce1270

    Trusted Helper

  • Malware Removal
  • 1,703 posts
Hi Lucille123

No worries :) We'll do it a different way.


NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.

Download the attached fixlist.txt to your desktop. (Attached file: fixlist.txt, 2.16 KB)
  • Ensure fixlist.txt is in the same location as FRST.exe on your desktop.
  • Run FRST by right clicking on it and selecting Run as Administrator, and press Fix.
  • On completion a log (fixlog.txt) will be generated.
  • Please select all text in this fix, copy (CTRL + C) and then paste (CTRL + V) in your next reply.

Then carry on with the rest of the instructions from post #2.

Thanks

  • 0

#7
lucille123

lucille123

    Member

  • Topic Starter
  • Member
  • PipPip
  • 86 posts

Okay, here is the log

 

Fix result of Farbar Recovery Scan Tool (x64) Version: 02.01.2018
Ran by Sydney (08-01-2018 22:05:45) Run:1
Running from C:\Users\Sydney\Desktop
Loaded Profiles: Sydney (Available Profiles: Sydney)
Boot Mode: Normal
==============================================

fixlist content:
*****************
CreateRestorePoint:
(SlimWare Utilities, Inc.) C:\Program Files (x86)\DriverUpdate\DriverUpdate.exe
S3 SWDUMon; C:\WINDOWS\system32\DRIVERS\SWDUMon.sys [13920 2017-12-28] ()
C:\WINDOWS\system32\DRIVERS\SWDUMon.sys
2017-12-28 07:38 - 2018-01-02 07:38 - 000000484 _____ C:\WINDOWS\Tasks\DriverUpdate Scan.job
2017-12-28 07:38 - 2017-12-28 07:38 - 000013920 _____ C:\WINDOWS\system32\Drivers\SWDUMon.sys
2017-12-28 07:38 - 2017-12-28 07:38 - 000003194 _____ C:\WINDOWS\System32\Tasks\DriverUpdate Scan
2017-12-28 07:38 - 2017-12-28 07:38 - 000002838 _____ C:\WINDOWS\System32\Tasks\DriverUpdate Startup
2017-12-28 07:38 - 2017-12-28 07:38 - 000000430 _____ C:\WINDOWS\Tasks\DriverUpdate Startup.job
2017-12-28 07:37 - 2017-12-28 07:37 - 000000000 ____D C:\Users\Sydney\AppData\Local\SlimWare Utilities Inc
2017-12-17 13:28 - 2017-12-17 13:28 - 000002501 _____ C:\Users\Public\Desktop\DriverUpdate.lnk
2017-12-17 13:28 - 2017-12-17 13:28 - 000000000 ____D C:\Users\Sydney\AppData\Local\Downloaded Installers
2017-12-17 13:28 - 2017-12-17 13:28 - 000000000 ____D C:\Users\Sydney\AppData\Local\CalendarSparkTooltab
2017-12-17 13:28 - 2017-12-17 13:28 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\DriverUpdate
2017-12-17 13:28 - 2017-12-17 13:28 - 000000000 ____D C:\Program Files (x86)\DriverUpdate
2017-12-17 13:25 - 2017-12-17 13:25 - 000000000 ____D C:\Users\Sydney\AppData\Local\FromDocToPDFTooltab
Task: {2DDD154A-9783-4437-903F-C6D0133FBB01} - System32\Tasks\DriverUpdate Startup => C:\Program Files (x86)\DriverUpdate\DriverUpdate.exe [2017-07-19] (SlimWare Utilities, Inc.)
Task: {632D400E-0EE5-4FC4-A1A3-5C73FEA61324} - \Microsoft\Windows\Setup\EOSNotify -> No File <==== ATTENTION
Task: {7AF9AD0D-1D65-4331-B2E6-B92DD6AC8A8E} - System32\Tasks\DriverUpdate Scan => C:\Program Files (x86)\DriverUpdate\DriverUpdate.exe [2017-07-19] (SlimWare Utilities, Inc.)
Task: C:\WINDOWS\Tasks\DriverUpdate Scan.job => C:\Program Files (x86)\DriverUpdate\DriverUpdate.exe
Task: C:\WINDOWS\Tasks\DriverUpdate Startup.job => C:\Program Files (x86)\DriverUpdate\DriverUpdate.exe
CMD: netsh advfirewall reset
CMD: netsh advfirewall set allprofiles state on
Hosts:
EmptyTemp:
*****************

Restore point was successfully created.
C:\Program Files (x86)\DriverUpdate\DriverUpdate.exe => No running process found
"HKLM\System\CurrentControlSet\Services\SWDUMon" => removed successfully
SWDUMon => service removed successfully
C:\WINDOWS\system32\DRIVERS\SWDUMon.sys => moved successfully
"C:\WINDOWS\Tasks\DriverUpdate Scan.job" => not found
"C:\WINDOWS\system32\Drivers\SWDUMon.sys" => not found
"C:\WINDOWS\System32\Tasks\DriverUpdate Scan" => not found
"C:\WINDOWS\System32\Tasks\DriverUpdate Startup" => not found
"C:\WINDOWS\Tasks\DriverUpdate Startup.job" => not found
C:\Users\Sydney\AppData\Local\SlimWare Utilities Inc => moved successfully
"C:\Users\Public\Desktop\DriverUpdate.lnk" => not found
C:\Users\Sydney\AppData\Local\Downloaded Installers => moved successfully
"C:\Users\Sydney\AppData\Local\CalendarSparkTooltab" => not found
"C:\ProgramData\Microsoft\Windows\Start Menu\Programs\DriverUpdate" => not found
"C:\Program Files (x86)\DriverUpdate" => not found
"C:\Users\Sydney\AppData\Local\FromDocToPDFTooltab" => not found
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{2DDD154A-9783-4437-903F-C6D0133FBB01} => could not remove key. ErrorCode1: 0x00000001
"C:\WINDOWS\System32\Tasks\DriverUpdate Startup" => not found
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\DriverUpdate Startup => key not found
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon\{632D400E-0EE5-4FC4-A1A3-5C73FEA61324}" => removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{632D400E-0EE5-4FC4-A1A3-5C73FEA61324}" => removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Setup\EOSNotify" => removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{7AF9AD0D-1D65-4331-B2E6-B92DD6AC8A8E} => key not found
"C:\WINDOWS\System32\Tasks\DriverUpdate Scan" => not found
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\DriverUpdate Scan => key not found
"C:\WINDOWS\Tasks\DriverUpdate Scan.job" => not found
"C:\WINDOWS\Tasks\DriverUpdate Startup.job" => not found

========= netsh advfirewall reset =========

Ok.


========= End of CMD: =========


========= netsh advfirewall set allprofiles state on =========

Ok.


========= End of CMD: =========

C:\Windows\System32\Drivers\etc\hosts => moved successfully
Hosts restored successfully.

=========== EmptyTemp: ==========

BITS transfer queue => 8388608 B
DOMStore, IE Recovery, AppCache, Feeds Cache, Thumbcache, IconCache => 27312800 B
Java, Flash, Steam htmlcache => 8165 B
Windows/system/drivers => 6172226 B
Edge => 0 B
Chrome => 0 B
Firefox => 404218104 B
Opera => 0 B

Temp, IE cache, history, cookies, recent:
Default => 0 B
Users => 0 B
ProgramData => 0 B
Public => 0 B
systemprofile => 456975 B
systemprofile32 => 0 B
LocalService => 44242 B
NetworkService => 8928 B
Sydney => 4310944778 B

RecycleBin => 748722688 B
EmptyTemp: => 5.1 GB temporary data Removed.

================================


The system needed a reboot.

==== End of Fixlog 22:07:06 ====


  • 0

#8
lucille123

lucille123

    Member

  • Topic Starter
  • Member
  • PipPip
  • 86 posts

Here are the rest of the logs

 

# AdwCleaner 7.0.6.0 - Logfile created on Tue Jan 09 12:40:42 2018
# Updated on 2017/21/12 by Malwarebytes
# Running on Windows 8.1 (X64)
# Mode: clean
# Support: https://www.malwarebytes.com/support

***** [ Services ] *****

No malicious services deleted.

***** [ Folders ] *****

No malicious folders deleted.

***** [ Files ] *****

No malicious files deleted.

***** [ DLL ] *****

No malicious DLLs cleaned.

***** [ WMI ] *****

No malicious WMI cleaned.

***** [ Shortcuts ] *****

No malicious shortcuts cleaned.

***** [ Tasks ] *****

No malicious tasks deleted.

***** [ Registry ] *****

Deleted: [Key] - HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\ak.staticimgfarm.com
Deleted: [Key] - HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\ask.com
Deleted: [Key] - HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\calendarspark.dl.tb.ask.com
Deleted: [Key] - HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\easypdfcombine.dl.tb.ask.com
Deleted: [Key] - HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\fromdoctopdf.dl.tb.ask.com
Deleted: [Key] - HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\hp.myway.com
Deleted: [Key] - HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\staticimgfarm.com
Deleted: [Key] - HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\yourtemplatefinder.dl.tb.ask.com
Deleted: [Key] - HKLM\SOFTWARE\SlimWare Utilities Inc
Deleted: [Key] - HKU\S-1-5-21-334888320-4262496311-4089610012-1001\Software\SlimWare Utilities Inc
Deleted: [Key] - HKCU\Software\SlimWare Utilities Inc
Deleted: [Key] - HKLM\SOFTWARE\SLIMWARE UTILITIES, INC.


***** [ Firefox (and derivatives) ] *****

No malicious Firefox entries deleted.

***** [ Chromium (and derivatives) ] *****

No malicious Chromium entries deleted.

*************************

::Tracing keys deleted
::TCP/IP settings cleared
::IPSec settings cleared
::IE policies deleted
::Chrome policies deleted
::Additional Actions: 0



*************************

C:/AdwCleaner/AdwCleaner[S0].txt - [2193 B] - [2018/1/9 12:37:32]


########## EOF - C:\AdwCleaner\AdwCleaner[C0].txt ##########

 

Malwarebytes
www.malwarebytes.com

-Log Details-
Scan Date: 1/9/18
Scan Time: 7:44 AM
Log File: d90f69bc-f53a-11e7-babd-f07bcbd62ee8.json
Administrator: Yes

-Software Information-
Version: 3.3.1.2183
Components Version: 1.0.262
Update Package Version: 1.0.3656
License: Trial

-System Information-
OS: Windows 8.1
CPU: x64
File System: NTFS
User: SONY\Sydney

-Scan Summary-
Scan Type: Threat Scan
Result: Completed
Objects Scanned: 236753
Threats Detected: 1
Threats Quarantined: 1
Time Elapsed: 1 min, 52 sec

-Scan Options-
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Detect
PUM: Detect

-Scan Details-
Process: 0
(No malicious items detected)

Module: 0
(No malicious items detected)

Registry Key: 0
(No malicious items detected)

Registry Value: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Data Stream: 0
(No malicious items detected)

Folder: 0
(No malicious items detected)

File: 1
Trojan.Kovter, C:\USERS\SYDNEY\DOWNLOADS\FIREFOX-UPDATE.JS, Quarantined, [76], [447252],1.0.3656

Physical Sector: 0
(No malicious items detected)


(end)


  • 0

#9
lucille123

lucille123

    Member

  • Topic Starter
  • Member
  • PipPip
  • 86 posts

I rebooted and keep getting a message about having problems running a DLL.

It says "There was a problem running windows/system32/logilda.dll".

The onesearch homepage persists. I am going to change it now....


  • 0

#10
lucille123

lucille123

    Member

  • Topic Starter
  • Member
  • PipPip
  • 86 posts

Resetting the homepage to google.com seems to have worked.


  • 0



#11
lucille123

lucille123

    Member

  • Topic Starter
  • Member
  • PipPip
  • 86 posts

When I try to type in youtube.com, onesearch still seems to try to hijack that.


  • 0

#12
Bruce1270

Bruce1270

    Trusted Helper

  • Malware Removal
  • 1,703 posts
Hi Lucille123
 

It says There was a problem running windows/system32/logilda.dll


Run this FRST fix


NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.

Download the attached fixlist.txt to your desktop. (Attached file: fixlist.txt, 188 bytes)

Ensure fixlist.txt is in the same location as FRST.exe on your desktop.

Run FRST by right clicking on it and selecting Run as Administrator, and press Fix.
On completion a log (fixlog.txt) will be generated.
Please select all text in this fix, copy (CTRL + C) and then paste (CTRL + V) in your next reply.

Then Reset all your web browsers

Please see this guide on how to reset your web browsers.
Please follow the instructions for Chrome, FireFox and Internet Explorer.

Then Run Emsisoft Scan

Download the Emsisoft Emergency Kit and execute it. From there, click on the Extract button to extract the program into the EEK folder.
Once the extraction is complete, Emsisoft Emergency Kit will open and suggest that you run an online update before using the program. Click on Yes to launch it.
After the update, click on Malware Scan under 2. Scan and accept to let Emsisoft Emergency Kit detect PUPs (click on Yes).
Once the scan is complete, if items are detected, make sure that every item in the list is checked and click on Quarantine selected.
If it asks you for a reboot to delete some items, click on OK to reboot automatically.
After the restart, click on the Start Emsisoft Emergency Kit icon again on your desktop to open it.
This time, click on Logs.
From there, go under the Quarantine Log tab and click on the Export button.
Save the log on your desktop, then open it, and copy/paste its content in your next reply.

Things for your next post:
fixlog.txt
Emsisoft Log
How are things running now?
  • 0

#13
lucille123

lucille123

    Member

  • Topic Starter
  • Member
  • PipPip
  • 86 posts

Here's the newest FRST log

 

Fix result of Farbar Recovery Scan Tool (x64) Version: 02.01.2018
Ran by Sydney (09-01-2018 20:24:36) Run:2
Running from C:\Users\Sydney\Desktop
Loaded Profiles: Sydney (Available Profiles: Sydney)
Boot Mode: Normal
==============================================

fixlist content:
*****************
CreateRestorePoint:
HKLM\...\Run: [Logitech Download Assistant] => C:\Windows\system32\rundll32.exe C:\Windows\System32\LogiLDA.dll,LogiFetch
C:\Windows\System32\LogiLDA.dll
EmptyTemp:
*****************

Restore point was successfully created.
"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\\Logitech Download Assistant" => removed successfully
"C:\Windows\System32\LogiLDA.dll" => not found

=========== EmptyTemp: ==========

BITS transfer queue => 8388608 B
DOMStore, IE Recovery, AppCache, Feeds Cache, Thumbcache, IconCache => 9537458 B
Java, Flash, Steam htmlcache => 0 B
Windows/system/drivers => 28684 B
Edge => 0 B
Chrome => 0 B
Firefox => 52473214 B
Opera => 0 B

Temp, IE cache, history, cookies, recent:
Default => 0 B
Users => 0 B
ProgramData => 0 B
Public => 0 B
systemprofile => 128 B
systemprofile32 => 0 B
LocalService => 1256 B
NetworkService => 7796 B
Sydney => 607068 B

RecycleBin => 0 B
EmptyTemp: => 67.8 MB temporary data Removed.

================================


The system needed a reboot.

==== End of Fixlog 20:24:59 ====


  • 0
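A post-fix check, added here as an example and not part of the thread, of FRST or of any vendor tool: a PowerShell script that looks for the persistence items the two fixlists above targeted (the DriverUpdate driver service, scheduled tasks and folders from post #2, the Logitech Download Assistant Run entry from the second fix, and the hosts file) and reports whatever is still present. It assumes it is run from an elevated PowerShell prompt on the machine in the logs, and takes the profile root C:\Users\Sydney and the task GUID from those logs.

```powershell
# Added post-fix verification script; not part of the thread, FRST or any vendor tool.
# Checks the persistence items the two fixlists removed and reports anything left.
# Paths come from the FRST logs above; the profile root is the one in those logs.
$profileRoot = 'C:\Users\Sydney'
$findings    = New-Object System.Collections.Generic.List[string]

function Add-Finding([string]$Text) { $script:findings.Add($Text) }

# 1. Driver service and file installed by DriverUpdate (Get-Service does not list
#    kernel drivers, so check the Services registry key the Fixlog reported removed)
if (Test-Path 'HKLM:\SYSTEM\CurrentControlSet\Services\SWDUMon') {
    Add-Finding 'Service key SWDUMon still registered'
}
if (Test-Path "$env:SystemRoot\System32\drivers\SWDUMon.sys") {
    Add-Finding 'Driver file SWDUMon.sys still present'
}

# 2. Scheduled tasks: Task Scheduler 2.0 registrations, legacy .job files, and the
#    TaskCache entry the first Fixlog could not remove (ErrorCode1: 0x00000001)
Get-ScheduledTask -TaskName 'DriverUpdate*' -ErrorAction SilentlyContinue |
    ForEach-Object { Add-Finding "Scheduled task still registered: $($_.TaskName)" }
Get-ChildItem "$env:SystemRoot\Tasks" -Filter 'DriverUpdate*.job' -ErrorAction SilentlyContinue |
    ForEach-Object { Add-Finding "Legacy job file still present: $($_.Name)" }
$taskCache = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{2DDD154A-9783-4437-903F-C6D0133FBB01}'
if (Test-Path $taskCache) {
    Add-Finding 'TaskCache entry for "DriverUpdate Startup" still exists'
}

# 3. Program and profile folders named in the first fixlist
$folders = @(
    'C:\Program Files (x86)\DriverUpdate',
    "$profileRoot\AppData\Local\SlimWare Utilities Inc",
    "$profileRoot\AppData\Local\CalendarSparkTooltab",
    "$profileRoot\AppData\Local\FromDocToPDFTooltab"
)
foreach ($f in $folders) {
    if (Test-Path $f) { Add-Finding "Folder still present: $f" }
}

# 4. Run entry that kept calling the missing LogiLDA.dll (second fixlist)
$runKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$run    = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
if ($run -and $run.PSObject.Properties['Logitech Download Assistant']) {
    Add-Finding 'Run entry "Logitech Download Assistant" still present'
}

# 5. hosts file: after "Hosts restored successfully" it should contain only comments,
#    so any uncommented line means it has been modified again
$hostsLines = Get-Content "$env:SystemRoot\System32\drivers\etc\hosts" -ErrorAction SilentlyContinue
$active = @($hostsLines | ForEach-Object { $_.Trim() } | Where-Object { $_ -and -not $_.StartsWith('#') })
if ($active.Count -gt 0) {
    Add-Finding "hosts file has $($active.Count) active entries: $($active -join '; ')"
}

if ($findings.Count -eq 0) {
    'All items targeted by the fixlists are gone.'
} else {
    'Leftover items:'
    $findings | ForEach-Object { " - $_" }
}
```

A leftover TaskCache entry or Run value is worth a second FRST pass, since either can re-launch a program after the files themselves are gone.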

#14
lucille123

lucille123

    Member

  • Topic Starter
  • Member
  • PipPip
  • 86 posts

Emsisoft Emergency Kit 2017.12.0.8334 stable [en-us]
OS: Windows 8.1 (Version 6.3, Build 9600, 64-bit Edition)

Forensics log

Date    Component    Action    Details    
1/9/2018 8:42:47 PM    Scanner    Scan finished    Scanned 72911 objects and found nothing.    
1/9/2018 8:39:56 PM    User SONY\Sydney    Scan started    Malware Scan    
1/9/2018 8:39:03 PM    User SONY\Sydney    Setting modified    "Detect PUPs" has been changed to "Enabled".    
1/9/2018 8:37:05 PM    User    Update    Downloaded and installed 10 files (704 kb) (13 sec.).    
1/9/2018 8:36:52 PM    Core    Notification    "Recommended Reading:New in 2017.12: More efficient logs and license management".    
1/9/2018 8:36:47 PM    User    Update    Failed with error "Server returned error" (0 sec.).    
 


  • 0

#15
Bruce1270

Bruce1270

    Trusted Helper

  • Malware Removal
  • 1,703 posts
Hi Lucille123

How are the web browsers and searches doing now?

How is the computer running generally? :)
  • 0





