Need help with virus removal - (MindSpark ?)

haganm

Greetings and thank you in advance for any/all assistance you can provide.

I may not yet be providing all the detail I can but will certainly add any additional detail required (as instructed).

So, I have my father-in-law's PC. I believe it is infected with a virus / malware / etc. I think they clicked on a link in an email they shouldn't have but can't really be sure.

Symptoms:
First symptom I noticed is that I cannot connect the PC (Windows 7) to the Internet, either wirelessly or using an Ethernet cable to my wireless router. The "network" tray icon is greyed with a red X. When I select "Troubleshoot problems", I get the following results:

Windows could not automatically detect this network's proxy settings.

I have currently tried/executed the following:

1). Ran Malwarebytes which was already installed on this PC. Although I couldn't update the DB, it tagged multiple occurrences of "MindSpark" related items as issues, which I successfully quarantined. When I currently run Malwarebytes, I got "No issues found".

2) Ran Avast! scan - I attempted to run the Avast scan but was unsuccessful as the application would not load. The only error I got was a small popup window with an exclamation point with the avastui header.

3) Ran Malwarebytes Rootkit Scanner - Again, not able to update the scanner but this scan returned "No Issues".

At this point - nothing had changed - still couldn't access the internet. But did also notice the following:

1) Upon a reboot, noticed the following message on the icon tray:

Failed to Connect to a Windows Service: Windows could not connect to the System Event Notification Service service. This problem prevents standard users from logging on to the system. As an administrative user, you can review the system Event log for details about why the service didn't respond.

Note: When I attempted to bring up the Event Viewer, I got the following message: Event Log Service is unavailable. Verify that the service is running.

At this point, I attempted to do a system restore to a previous operational point. This was unsuccessful.

Additional notes:
1) Looking at the Process tab in Task Manager, notice the following entries

dllhost.exe user COM Surrogate
dllhost.exe *32 system COM Surrogate

No idea if that is an issue but thought I'd include.


So, I am at the end of my very limited ability to figure out what is going on.

Appreciate any/all help you can provide.

Many thanks in advance!!
 
Greetings,
Sorry if I posted in the wrong section. So, sorry if I'm ignorant here (I'm not a power user....). How do I make sure my PC is clean? Currently, if I run Malwarebytes and Malwarebytes rootkit, I get "No issues found". However, I still can't get the PC connected to the Internet (as described in my original post). In addition, I've noticed the other items (also mentioned) that are leading me to believe I've been infected:

1) Can't run Avast
2) Failed to Connect to a Windows Service message
3) Can run Event Viewer to review cause of 2) above
4) Couldn't restore to a previous point. My attempt to do so failed.



The problem actually hasn't
 
Hi! You're not ignorant! I don't think I'm supposed to help with malware. If you think you're infected you should follow the link that I posted so that our malware team can help you. Malwarebytes is good and it's good that no issues were found. You might try a sfc /scannow. Then visit our malware section! MindSpark is malware.
https://support.microsoft.com/en-us/kb/929833/
 
Hi, haganm.

Based on the brief information you provided, it appears your father-in-law's computer is infected with the Poweliks trojan. In order to get you started on the cleanup process, please carefully follow the steps below in the order provided. If you have any questions, please feel free to ask.

A. Re-enable downloads by doing the following:

  1. On your father-in-law's computer, click the Start button and type run
  2. When run appears at the top of the search results, click it.
  3. In the Open field of the box that opens, type inetcpl.cpl and press enter.
  4. When Internet Properties opens, click on the Security tab.
  5. At the bottom, click on the Reset all zones to default level button.
  6. Click the Apply button followed by the OK button to save your changes.
  7. Close the Internet Properties screen.

B. Launch Internet Explorer (or any other browser) and download the ESET Poweliks Cleaner tool to the desktop.

  1. When the download is complete, navigate to your Desktop, double-click ESETPoweliksCleaner.exe.
  2. Read the terms of the End-user license agreement and click Agree if you agree to them.
  3. The tool will run automatically. If the cleaner finds a Poweliks infection, press the Y key on your keyboard to remove it.
  4. If Poweliks was detected, "Win32/Poweliks was successfully removed from your system" will be displayed.
  5. Press any key to exit the tool.
  6. Shutdown/restart the computer.

C. Provide the logs requested in the Malware Removal Posting Instructions so that any additional malware can be removed from the computer.

@donetao: SFC will not be the least bit helpful in this situation.
 
@donetao: SFC will not be the least bit helpful in this situation.
Mindspark is malware. Wasn't sure if I'm allowed to help with malware. I will leave the OP in your capable hands.
Will follow this thread and see if I can learn. I have heard of ESET on line scanner, but not ESETPoweliksCleaner.exe.
Thanks @Corrine!! I was trying to get OP to your section!! Gave the link twice.:wave:
 
Hi Corrine, Thanks in advance for any/all help you can provide. I attempted to Re-enable downloads per your instructions. However, even after all steps, my network icon on the task bar is still greyed out with a red "X". So, when I restart IE, I still can't get connected to anything. Thanks!
 
Donetao; Thanks for taking the time to reply. I do appreciate that! I'll work with Corrine to get this resolved but I do appreciate your willingness to reply and help!
 
Hi, haganm.

In that case, you're going to need to download the tools on your working computer and transfer them via USB stick or other media to your father-in-law's computer, and in return, copy those logs back to your computer to post here for review. Without the logs requested in the Malware Removal Posting Instructions, I cannot provide any further advice beyond the information you provided regarding the dllhost.exe *32 system COM Surrogate (which is a sign that it is the Poweliks Trojan). As to the Mindspark you mentioned, yes it is undesirable but I believe that it is Poweliks that is the major problem.
 
Corrine,
I was not able to access the internet even in Safe mode. I did use the USB approach.

I loaded and ran ESETPoweliksCleaner.exe. Returned "No Threat found"
I loaded and ran DDS & Security Check successfully.

Attached are files you requested:

DDS.TXT
DDS (Ver_2012-11-20.01) - NTFS_AMD64
Internet Explorer: 11.0.9600.17689 BrowserJavaVersion: 10.71.2
Run by deaton at 8:08:40 on 2015-04-08
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.3894.2799 [GMT -4:00]
.
AV: avast! Antivirus *Enabled/Outdated* {17AD7D40-BA12-9C46-7131-94903A54AD8B}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: avast! Antivirus *Enabled/Outdated* {ACCC9CA4-9C28-93C8-4B81-AFE241D3E736}
FW: ZoneAlarm Free Firewall Firewall *Enabled* {1B8D532F-88B1-B2AD-ED22-AED92687A1D2}
.
============== Running Processes ===============
.
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\svchost.exe -k NetworkService
C:\Program Files (x86)\CheckPoint\ZoneAlarm\vsmon.exe
C:\Program Files\AVAST Software\Avast\AvastSvc.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\Realtek\Audio\HDA\AERTSr64.exe
C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPWMISVC.exe
C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files (x86)\CheckPoint\ZoneAlarm\ZaPrivacyService.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\AVAST Software\Avast\avastui.exe
C:\Program Files (x86)\CheckPoint\ZoneAlarm\zatray.exe
C:\Program Files\Realtek\RtVOsd\RtVOsdService.exe
C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
C:\Program Files\Realtek\RtVOsd\RtVOsd.exe
C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPHELPER.EXE
C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Users\deaton\Desktop\ESETPoweliksCleaner.exe
C:\Windows\System32\WUDFHost.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\SysWOW64\DllHost.exe
C:\Windows\System32\cscript.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.aol.com/
uSearch Bar = hxxps://www.yahoo.com?fr=hp-avast&type=odc089
uSearch Page = hxxps://search.yahoo.com/yhs/search?type=odc089&hspart=avast&hsimp=yhs-001&p={searchTerms}
uDefault_Page_URL = hxxp://services.freshy.com/general/newhometab.php?hometab=home&partner=11045&guid={6726F2E9-C87A-4F27-8E42-8632CE54AFA4}&i=
mStart Page = hxxps://www.yahoo.com?fr=hp-avast&type=odc089
mSearch Bar = hxxps://www.yahoo.com?fr=hp-avast&type=odc089
mSearch Page = hxxps://search.yahoo.com/yhs/search?type=odc089&hspart=avast&hsimp=yhs-001&p={searchTerms}
uURLSearchHooks: {D8278076-BC68-4484-9233-6E7F1628B56C} - <orphaned>
uURLSearchHooks: {472734EA-242A-422b-ADF8-83D1E48CC825} - <orphaned>
uURLSearchHooks: {91da5e8a-3318-4f8c-b67e-5964de3ab546} - <orphaned>
uURLSearchHooks: <No Name>: {f15ff29f-85a1-43cd-9674-e5ba40016c97} -
uURLSearchHooks: <No Name>: {7888381e-e4f0-48f5-a278-b48b0187d950} -
mWinlogon: Userinit = userinit.exe,
BHO: {0631bff0-6846-48ca-982d-d62d7f376e97} - <orphaned>
BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - <orphaned>
BHO: Java(tm) Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre7\bin\ssv.dll
BHO: avast! Online Security: {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll
BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO: {AA58ED58-01DD-4d91-8333-CF10577473F7} - <orphaned>
BHO: {beea7fa9-d1f4-49a2-9b1f-6fb7a2d9bc2a} - <orphaned>
BHO: Java(tm) Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre7\bin\jp2ssv.dll
mRun: [AvastUI.exe] "C:\Program Files\AVAST Software\Avast\AvastUI.exe" /nogui
mRun: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
mRun: [ZoneAlarm] "C:\Program Files (x86)\CheckPoint\ZoneAlarm\zatray.exe"
mPolicies-Explorer: NoActiveDesktop = dword:1
mPolicies-Explorer: NoActiveDesktopChanges = dword:1
mPolicies-System: ConsentPromptBehaviorAdmin = dword:5
mPolicies-System: ConsentPromptBehaviorUser = dword:3
mPolicies-System: EnableUIADesktopToggle = dword:0
mPolicies-System: SoftwareSASGeneration = dword:1
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
LSP: C:\Windows\System32\CatWSPrx.dll
DPF: {6A060448-60F9-11D5-A6CD-0002B31F7455} -
TCP: NameServer = 192.168.1.1
TCP: Interfaces\{A11058A2-0D8D-46C9-8C5F-9705C6855019} : DHCPNameServer = 192.168.1.1
TCP: Interfaces\{B2D38C19-2F0C-43A4-9BB1-ADD4CE73C272} : DHCPNameServer = 192.168.1.1
TCP: Interfaces\{B2D38C19-2F0C-43A4-9BB1-ADD4CE73C272}\4647E677F6F64697D2E6564777F627B6 : DHCPNameServer = 192.168.1.1
SSODL: WebCheck - <orphaned>
x64-BHO: avast! Online Security: {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE64.dll
x64-BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
x64-BHO: {AA58ED58-01DD-4d91-8333-CF10577473F7} - <orphaned>
x64-BHO: {DBC80044-A445-435b-BC74-9C25C1C588A9} - <orphaned>
x64-Run: [SynTPEnh] C:\Program Files (x86)\Synaptics\SynTP\SynTPEnh.exe
x64-Run: [RTHDVCPL] C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe -s
x64-Run: [IgfxTray] C:\Windows\System32\igfxtray.exe
x64-Run: [HotKeysCmds] C:\Windows\System32\hkcmd.exe
x64-Run: [Persistence] C:\Windows\System32\igfxpers.exe
x64-Notify: igfxcui - igfxdev.dll
x64-SSODL: WebCheck - <orphaned>
.
============= SERVICES / DRIVERS ===============
.
R0 aswRvrt;avast! Revert;C:\Windows\System32\drivers\aswRvrt.sys [2013-12-24 65776]
R0 aswVmm;avast! VM Monitor;C:\Windows\System32\drivers\aswVmm.sys [2013-12-24 267632]
R1 aswSnx;aswSnx;C:\Windows\System32\drivers\aswsnx.sys [2013-12-24 1050432]
R1 aswSP;aswSP;C:\Windows\System32\drivers\aswsp.sys [2013-12-24 436624]
R2 AERTFilters;Andrea RT Filters Service;C:\Program Files\Realtek\Audio\HDA\AERTSr64.exe [2010-11-20 98208]
R2 aswHwid;avast! HardwareID;C:\Windows\System32\drivers\aswHwid.sys [2014-8-4 29208]
R2 aswMonFlt;aswMonFlt;C:\Windows\System32\drivers\aswMonFlt.sys [2013-12-24 83280]
R2 aswStm;aswStm;C:\Windows\System32\drivers\aswstm.sys [2013-12-24 116728]
R2 avast! Antivirus;avast! Antivirus;C:\Program Files\AVAST Software\Avast\AvastSvc.exe [2014-12-24 50344]
R2 HPWMISVC;HPWMISVC;C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPWMISVC.exe [2010-6-29 27192]
R2 RtVOsdService;RtVOsdService Installer;C:\Program Files\Realtek\RtVOsd\RtVOsdService.exe [2010-4-19 315392]
R2 UNS;Intel(R) Management & Security Application User Notification Service;C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe [2010-11-20 2320920]
R2 ZAPrivacyService;ZoneAlarm Privacy Service;C:\Program Files (x86)\CheckPoint\ZoneAlarm\ZAPrivacyService.exe [2014-8-13 96272]
R3 HECIx64;Intel(R) Management Engine Interface;C:\Windows\System32\drivers\HECIx64.sys [2010-11-20 56344]
R3 Impcd;Impcd;C:\Windows\System32\drivers\Impcd.sys [2010-11-20 158720]
R3 IntcDAud;Intel(R) Display Audio;C:\Windows\System32\drivers\IntcDAud.sys [2010-11-20 271872]
R3 RTL8167;Realtek 8167 NT Driver;C:\Windows\System32\drivers\Rt64win7.sys [2011-6-10 539240]
R3 rtl8192se;Realtek Wireless LAN 802.11n PCI-E NIC NT Driver;C:\Windows\System32\drivers\rtl8192se.sys [2011-9-8 1225832]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2013-9-11 105144]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2013-9-11 124088]
S3 BVRPMPR5a64;BVRPMPR5a64 NDIS Protocol Driver;C:\Windows\System32\drivers\BVRPMPR5a64.SYS [2011-6-19 35840]
S3 IEEtwCollectorService;Internet Explorer ETW Collector Service;C:\Windows\System32\ieetwcollector.exe [2015-3-10 114688]
S3 MBAMSwissArmy;MBAMSwissArmy;C:\Windows\System32\drivers\MBAMSwissArmy.sys [2014-9-14 129752]
S3 netw5v64;Intel(R) Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 64 Bit;C:\Windows\System32\drivers\netw5v64.sys [2009-6-10 5434368]
S3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;C:\Windows\System32\drivers\rdpvideominiport.sys [2014-9-14 19456]
S3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;C:\Windows\System32\drivers\RtsUStor.sys [2010-11-20 245792]
S3 SrvHsfHDA;SrvHsfHDA;C:\Windows\System32\drivers\VSTAZL6.SYS [2009-7-13 292864]
S3 SrvHsfV92;SrvHsfV92;C:\Windows\System32\drivers\VSTDPV6.SYS [2009-7-13 1485312]
S3 SrvHsfWinac;SrvHsfWinac;C:\Windows\System32\drivers\VSTCNXT6.SYS [2009-7-13 740864]
S3 TsUsbFlt;TsUsbFlt;C:\Windows\System32\drivers\TsUsbFlt.sys [2014-9-14 56832]
S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\System32\Wat\WatAdminSvc.exe [2010-12-24 1255736]
S3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;C:\Windows\System32\drivers\yk62x64.sys [2009-6-10 389120]
S4 CinemaNow Service;CinemaNow Service;C:\Program Files (x86)\CinemaNow\CinemaNow Media Manager\CinemaNowSvc.exe [2010-5-21 140272]
.
=============== Created Last 30 ================
.
2015-03-24 23:17:23 943616 ----a-w- C:\Windows\System32\appraiser.dll
2015-03-24 23:17:23 760832 ----a-w- C:\Windows\System32\invagent.dll
2015-03-24 23:17:23 677888 ----a-w- C:\Windows\System32\generaltel.dll
2015-03-24 23:17:23 414720 ----a-w- C:\Windows\System32\devinv.dll
2015-03-24 23:17:23 30720 ----a-w- C:\Windows\System32\acmigration.dll
2015-03-24 23:17:23 1107456 ----a-w- C:\Windows\System32\aeinv.dll
2015-03-24 23:17:22 227328 ----a-w- C:\Windows\System32\aepdu.dll
2015-03-24 23:17:22 192000 ----a-w- C:\Windows\System32\aepic.dll
2015-03-10 21:07:58 693176 ----a-w- C:\Windows\System32\winload.efi
2015-03-10 21:06:37 215552 ----a-w- C:\Windows\System32\ubpm.dll
2015-03-10 21:05:57 465920 ----a-w- C:\Windows\System32\WMPhoto.dll
2015-03-10 21:05:56 417792 ----a-w- C:\Windows\SysWow64\WMPhoto.dll
.
==================== Find3M ====================
.
2015-04-07 21:04:04 129752 ----a-w- C:\Windows\System32\drivers\MBAMSwissArmy.sys
2015-04-07 14:46:46 96472 ----a-w- C:\Windows\System32\drivers\mbamchameleon.sys
2015-03-06 05:56:10 95680 ----a-w- C:\Windows\System32\drivers\ksecdd.sys
2015-03-06 05:56:10 155576 ----a-w- C:\Windows\System32\drivers\ksecpkg.sys
2015-03-06 05:42:39 210944 ----a-w- C:\Windows\System32\wdigest.dll
2015-03-06 05:42:36 86528 ----a-w- C:\Windows\System32\TSpkg.dll
2015-03-06 05:42:35 29184 ----a-w- C:\Windows\System32\sspisrv.dll
2015-03-06 05:42:35 136192 ----a-w- C:\Windows\System32\sspicli.dll
2015-03-06 05:42:33 341504 ----a-w- C:\Windows\System32\schannel.dll
2015-03-06 05:42:33 28160 ----a-w- C:\Windows\System32\secur32.dll
2015-03-06 05:42:29 314880 ----a-w- C:\Windows\System32\msv1_0.dll
2015-03-06 05:42:29 309760 ----a-w- C:\Windows\System32\ncrypt.dll
2015-03-06 05:42:27 728064 ----a-w- C:\Windows\System32\kerberos.dll
2015-03-06 05:42:27 1461760 ----a-w- C:\Windows\System32\lsasrv.dll
2015-03-06 05:42:20 22016 ----a-w- C:\Windows\System32\credssp.dll
2015-03-06 05:41:46 31232 ----a-w- C:\Windows\System32\lsass.exe
2015-03-06 05:41:31 64000 ----a-w- C:\Windows\System32\auditpol.exe
2015-03-06 05:39:16 60416 ----a-w- C:\Windows\System32\msobjs.dll
2015-03-06 05:38:57 146432 ----a-w- C:\Windows\System32\msaudite.dll
2015-03-06 05:36:56 686080 ----a-w- C:\Windows\System32\adtschema.dll
2015-03-06 05:10:34 172032 ----a-w- C:\Windows\SysWow64\wdigest.dll
2015-03-06 05:10:30 65536 ----a-w- C:\Windows\SysWow64\TSpkg.dll
2015-03-06 05:10:26 248832 ----a-w- C:\Windows\SysWow64\schannel.dll
2015-03-06 05:10:26 22016 ----a-w- C:\Windows\SysWow64\secur32.dll
2015-03-06 05:10:22 259584 ----a-w- C:\Windows\SysWow64\msv1_0.dll
2015-03-06 05:10:22 221184 ----a-w- C:\Windows\SysWow64\ncrypt.dll
2015-03-06 05:10:18 550912 ----a-w- C:\Windows\SysWow64\kerberos.dll
2015-03-06 05:10:11 17408 ----a-w- C:\Windows\SysWow64\credssp.dll
2015-03-06 05:09:31 50176 ----a-w- C:\Windows\SysWow64\auditpol.exe
2015-03-06 05:09:19 96768 ----a-w- C:\Windows\SysWow64\sspicli.dll
2015-03-06 05:07:50 60416 ----a-w- C:\Windows\SysWow64\msobjs.dll
2015-03-06 05:07:43 146432 ----a-w- C:\Windows\SysWow64\msaudite.dll
2015-03-06 05:06:20 686080 ----a-w- C:\Windows\SysWow64\adtschema.dll
2015-02-26 03:25:44 3204096 ----a-w- C:\Windows\System32\win32k.sys
2015-02-20 04:41:01 41984 ----a-w- C:\Windows\System32\lpk.dll
2015-02-20 04:40:59 100864 ----a-w- C:\Windows\System32\fontsub.dll
2015-02-20 04:40:56 14336 ----a-w- C:\Windows\System32\dciman32.dll
2015-02-20 04:40:55 46080 ----a-w- C:\Windows\System32\atmlib.dll
2015-02-20 04:13:49 70656 ----a-w- C:\Windows\SysWow64\fontsub.dll
2015-02-20 04:13:46 10240 ----a-w- C:\Windows\SysWow64\dciman32.dll
2015-02-20 04:13:43 34304 ----a-w- C:\Windows\SysWow64\atmlib.dll
2015-02-20 04:12:51 25600 ----a-w- C:\Windows\SysWow64\lpk.dll
2015-02-20 03:29:16 372224 ----a-w- C:\Windows\System32\atmfd.dll
2015-02-20 03:09:16 299008 ----a-w- C:\Windows\SysWow64\atmfd.dll
2015-02-20 03:06:02 2724864 ----a-w- C:\Windows\System32\mshtml.tlb
2015-02-20 03:05:49 4096 ----a-w- C:\Windows\System32\ieetwcollectorres.dll
2015-02-20 02:50:14 66560 ----a-w- C:\Windows\System32\iesetup.dll
2015-02-20 02:49:29 48640 ----a-w- C:\Windows\System32\ieetwproxystub.dll
2015-02-20 02:49:19 584192 ----a-w- C:\Windows\System32\vbscript.dll
2015-02-20 02:47:56 88064 ----a-w- C:\Windows\System32\MshtmlDac.dll
2015-02-20 02:35:17 144384 ----a-w- C:\Windows\System32\ieUnatt.exe
2015-02-20 02:35:05 114688 ----a-w- C:\Windows\System32\ieetwcollector.exe
2015-02-20 02:34:24 814080 ----a-w- C:\Windows\System32\jscript9diag.dll
2015-02-20 02:32:34 6035456 ----a-w- C:\Windows\System32\jscript9.dll
2015-02-20 02:26:12 968704 ----a-w- C:\Windows\System32\MsSpellCheckingFacility.exe
2015-02-20 02:22:35 2724864 ----a-w- C:\Windows\SysWow64\mshtml.tlb
2015-02-20 02:13:57 77824 ----a-w- C:\Windows\System32\JavaScriptCollectionAgent.dll
2015-02-20 02:09:08 503296 ----a-w- C:\Windows\SysWow64\vbscript.dll
2015-02-20 02:08:59 62464 ----a-w- C:\Windows\SysWow64\iesetup.dll
2015-02-20 02:08:13 47616 ----a-w- C:\Windows\SysWow64\ieetwproxystub.dll
2015-02-20 02:06:44 64000 ----a-w- C:\Windows\SysWow64\MshtmlDac.dll
2015-02-20 01:56:54 115712 ----a-w- C:\Windows\SysWow64\ieUnatt.exe
2015-02-20 01:56:07 620032 ----a-w- C:\Windows\SysWow64\jscript9diag.dll
2015-02-20 01:47:06 1359360 ----a-w- C:\Windows\System32\mshtmlmedia.dll
2015-02-20 01:46:45 2125824 ----a-w- C:\Windows\System32\inetcpl.cpl
2015-02-20 01:41:52 60416 ----a-w- C:\Windows\SysWow64\JavaScriptCollectionAgent.dll
2015-02-20 01:30:39 4300288 ----a-w- C:\Windows\SysWow64\jscript9.dll
2015-02-20 01:28:25 2358784 ----a-w- C:\Windows\System32\wininet.dll
2015-02-20 01:24:21 2052608 ----a-w- C:\Windows\SysWow64\inetcpl.cpl
2015-02-20 01:23:19 1155072 ----a-w- C:\Windows\SysWow64\mshtmlmedia.dll
2015-02-20 01:01:25 1888256 ----a-w- C:\Windows\SysWow64\wininet.dll
2015-02-05 20:31:26 71344 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
2015-02-05 20:31:26 701616 ----a-w- C:\Windows\SysWow64\FlashPlayerApp.exe
2015-02-05 20:31:21 4437680 ----a-w- C:\Windows\SysWow64\FlashPlayerInstaller.exe
2015-02-03 03:34:38 5554104 ----a-w- C:\Windows\System32\ntoskrnl.exe
2015-02-03 03:34:36 94656 ----a-w- C:\Windows\System32\drivers\mountmgr.sys
2015-02-03 03:33:29 616360 ----a-w- C:\Windows\System32\winresume.efi
2015-02-03 03:30:58 631808 ----a-w- C:\Windows\System32\evr.dll
2015-02-03 03:29:19 8704 ----a-w- C:\Windows\System32\pcaevts.dll
2015-02-03 03:28:49 2048 ----a-w- C:\Windows\System32\mferror.dll
2015-02-03 03:28:14 6656 ----a-w- C:\Windows\System32\apisetschema.dll
2015-02-03 03:19:12 663552 ----a-w- C:\Windows\System32\drivers\PEAuth.sys
2015-02-03 03:16:31 3973048 ----a-w- C:\Windows\SysWow64\ntkrnlpa.exe
2015-02-03 03:16:31 3917760 ----a-w- C:\Windows\SysWow64\ntoskrnl.exe
2015-02-03 03:11:55 50176 ----a-w- C:\Windows\SysWow64\rrinstaller.exe
2015-02-03 03:11:48 23040 ----a-w- C:\Windows\SysWow64\mfpmp.exe
2015-02-03 03:11:18 12625408 ----a-w- C:\Windows\SysWow64\wmploc.DLL
2015-02-03 03:09:03 2048 ----a-w- C:\Windows\SysWow64\mferror.dll
2015-02-03 03:08:07 6656 ----a-w- C:\Windows\SysWow64\apisetschema.dll
2015-02-03 02:32:25 61440 ----a-w- C:\Windows\System32\drivers\appid.sys
2015-01-31 03:48:54 3179520 ----a-w- C:\Windows\System32\rdpcorets.dll
2015-01-31 03:48:54 16384 ----a-w- C:\Windows\System32\RdpGroupPolicyExtension.dll
2015-01-30 23:56:52 243200 ----a-w- C:\Windows\System32\rdpudd.dll
2015-01-30 23:56:51 459336 ----a-w- C:\Windows\System32\drivers\cng.sys
2015-01-27 23:36:21 1239720 ----a-w- C:\Windows\System32\aitstatic.exe
2015-01-17 02:48:38 1067520 ----a-w- C:\Windows\System32\msctf.dll
2015-01-17 02:30:42 828928 ----a-w- C:\Windows\SysWow64\msctf.dll
2015-01-09 03:14:27 91136 ----a-w- C:\Windows\System32\wdi.dll
2015-01-09 03:14:19 950272 ----a-w- C:\Windows\System32\perftrack.dll
2015-01-09 03:14:19 29696 ----a-w- C:\Windows\System32\powertracker.dll
.
============= FINISH: 8:09:33.71 ===============

Attach.txt
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2012-11-20.01)
.
Microsoft Windows 7 Home Premium
Boot Device: \Device\HarddiskVolume1
Install Date: 12/24/2010 11:43:16 AM
System Uptime: 4/8/2015 7:34:10 AM (1 hours ago)
.
Motherboard: Hewlett-Packard | | 1425
Processor: Intel(R) Pentium(R) CPU P6100 @ 2.00GHz | CPU | 1999/1066mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 281 GiB total, 209.466 GiB free.
D: is FIXED (NTFS) - 17 GiB total, 2.494 GiB free.
E: is CDROM ()
F: is Removable
.
==== Disabled Device Manager Items =============
.
==== System Restore Points ===================
.
RP381: 2/6/2015 4:31:04 PM - Scheduled Checkpoint
RP382: 2/11/2015 10:51:30 PM - Windows Update
RP383: 2/12/2015 11:03:18 PM - Windows Update
RP384: 2/20/2015 10:34:02 AM - Scheduled Checkpoint
RP385: 2/25/2015 8:00:13 AM - Windows Update
RP386: 3/4/2015 3:27:26 PM - Scheduled Checkpoint
RP387: 3/10/2015 8:15:15 PM - Windows Update
RP388: 3/18/2015 6:24:10 PM - Scheduled Checkpoint
RP389: 3/24/2015 11:28:03 PM - Windows Update
RP390: 4/7/2015 1:33:36 PM - Restore Operation
.
==== Installed Programs ======================
.
Adobe AIR
Adobe Flash Player 16 ActiveX
Adobe Shockwave Player 11.5
Avast Free Antivirus
CCleaner
DailyBibleGuide Internet Explorer Toolbar
ESU for Microsoft Windows 7
Google Update Helper
Java 7 Update 71
Java Auto Updater
Malwarebytes Anti-Malware version 2.0.4.1028
Microsoft .NET Framework 4.5.1
Microsoft Application Error Reporting
Microsoft Choice Guard
Microsoft IntelliPoint 8.1
Microsoft Office 2010
Microsoft Silverlight
Microsoft SQL Server 2005 Compact Edition [ENU]
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.17
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Microsoft WSE 3.0 Runtime
Motitags Internet Explorer Toolbar
Realtek Ethernet Controller Driver For Windows 7
Security Update for Microsoft .NET Framework 4.5.1 (KB2894854v2)
Security Update for Microsoft .NET Framework 4.5.1 (KB2898869)
Security Update for Microsoft .NET Framework 4.5.1 (KB2901126)
Security Update for Microsoft .NET Framework 4.5.1 (KB2931368)
Security Update for Microsoft .NET Framework 4.5.1 (KB2972107)
Security Update for Microsoft .NET Framework 4.5.1 (KB2972216)
Security Update for Microsoft .NET Framework 4.5.1 (KB2978128)
Security Update for Microsoft .NET Framework 4.5.1 (KB2979578v2)
Should I Remove It
Windows Live Call
Windows Live Communications Platform
Windows Live Essentials
Windows Live ID Sign-in Assistant
Windows Live Mail
Windows Live Messenger
Windows Live Movie Maker
Windows Live Photo Gallery
Windows Live Sync
Windows Live Upload Tool
Windows Live Writer
ZoneAlarm Firewall
ZoneAlarm Free Firewall
ZoneAlarm Security
.
==== End Of File ===========================

Check.txt
Results of screen317's Security Check version 0.99.99
Windows 7 Service Pack 1 x64 (UAC is enabled)
Internet Explorer 11
``````````````Antivirus/Firewall Check:``````````````
avast! Antivirus
Antivirus out of date!
`````````Anti-malware/Other Utilities Check:`````````
Java 7 Update 71
Java version 32-bit out of Date!
````````Process Check: objlist.exe by Laurent````````
AVAST Software Avast AvastSvc.exe
AVAST Software Avast avastui.exe
CheckPoint ZoneAlarm vsmon.exe
CheckPoint ZoneAlarm ZaPrivacyService.exe
CheckPoint ZoneAlarm zatray.exe
`````````````````System Health check`````````````````
Total Fragmentation on Drive C: 0%
````````````````````End of Log``````````````````````
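
A read-only triage pass over a DDS log like the one posted above, as an added example that is not part of the original thread or of the DDS tool. It flags a 32-bit DllHost.exe in the process list (the sign Corrine points to earlier in the thread), `<orphaned>` browser entries, and security products reported as outdated or disabled; the function names and the choice of checks are assumptions, and every flag is a lead to review, not a verdict.

```python
import re

# Constructed excerpt in DDS layout; the individual lines are copied from the log above.
SAMPLE_DDS = r"""
AV: avast! Antivirus *Enabled/Outdated* {17AD7D40-BA12-9C46-7131-94903A54AD8B}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
FW: ZoneAlarm Free Firewall Firewall *Enabled* {1B8D532F-88B1-B2AD-ED22-AED92687A1D2}
.
============== Running Processes ===============
.
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\Explorer.EXE
C:\Windows\SysWOW64\DllHost.exe
C:\Windows\System32\cscript.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.aol.com/
uURLSearchHooks: {D8278076-BC68-4484-9233-6E7F1628B56C} - <orphaned>
BHO: {0631bff0-6846-48ca-982d-d62d7f376e97} - <orphaned>
BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
x64-BHO: {AA58ED58-01DD-4d91-8333-CF10577473F7} - <orphaned>
.
============= SERVICES / DRIVERS ===============
.
R2 avast! Antivirus;avast! Antivirus;C:\Program Files\AVAST Software\Avast\AvastSvc.exe [2014-12-24 50344]
"""

SECTION_RE = re.compile(r"^=+\s*(.+?)\s*=+$")          # "===== Title ====="
PRODUCT_RE = re.compile(r"^(AV|SP|FW): (.+?) \*([^*]+)\*")
WOW64_DLLHOST_RE = re.compile(r"(?i)^[a-z]:\\windows\\syswow64\\dllhost\.exe\b")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f-]{36}\}")


def split_sections(text):
    """Return {title: [lines]}; lines before the first banner go under 'Header'."""
    sections = {"Header": []}
    current = "Header"
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == ".":        # DDS uses lone dots as spacers
            continue
        banner = SECTION_RE.match(line)
        if banner:
            current = banner.group(1)
            sections.setdefault(current, [])
        else:
            sections[current].append(line)
    return sections


def triage(text):
    """Return a list of (category, detail) leads found in a DDS log."""
    sections = split_sections(text)
    findings = []

    # Security products: state is printed between asterisks, e.g. *Enabled/Outdated*.
    # A disabled Windows Defender next to a third-party AV is common; it is still listed.
    for line in sections["Header"]:
        m = PRODUCT_RE.match(line)
        if m and ("Outdated" in m.group(3) or "Disabled" in m.group(3)):
            findings.append(("protection", f"{m.group(2)} is {m.group(3)}"))

    # 32-bit COM Surrogate (shown as "dllhost.exe *32" in Task Manager).
    for line in sections.get("Running Processes", []):
        if WOW64_DLLHOST_RE.match(line):
            findings.append(("process", line))

    # Browser add-on registrations whose target file no longer exists.
    for line in sections.get("Pseudo HJT Report", []):
        if line.endswith("<orphaned>"):
            kind, _, rest = line.partition(":")
            clsid = CLSID_RE.search(rest)
            findings.append(("orphaned", f"{kind} {clsid.group(0) if clsid else rest.strip()}"))
    return findings


if __name__ == "__main__":
    for category, detail in triage(SAMPLE_DDS):
        print(f"{category:10} {detail}")
```
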
 
Donetao,
Thanks for the information. I have multiple computers on my home network - all others are able to connect. I also tried the other options listed in the link you provided. Unfortunately, none of them seem to help. Thanks.
 
Hi, haganm.

It takes time to research logs so please bear with me. I'd like to concentrate on re-establishing the Internet connection and then work on cleaning the computer. Until that is accomplished, you will need to continue using a USB.

1. Let's start with flushing the DNS cache and restoring the HOSTS file. Again, you need to create the flush.bat on your computer and transfer it.

Please copy/paste the lines in bold below to Notepad:

@Echo on
pushd\windows\system32\drivers\etc
attrib -h -s -r hosts
echo 127.0.0.1 localhost>HOSTS
attrib +r +h +s hosts
popd
ipconfig /release
ipconfig /renew
ipconfig /flushdns
netsh winsock reset all
netsh int ip reset all
shutdown -r -t 1
del %0


Save as flush.bat to your desktop.
Double-click flush.bat file to run it. Your computer will reboot.

Note: For Windows Vista or Windows 7, right-click flush.bat and select "Run as Administrator".

2. Only in the event the above is not successful, download WinsockReset.zip from here and transfer the file to your father-in-law's computer. Unzip the file and click on the executable. Proceed with defaults. Next, restart and run the following commands as an Administrator Command prompt. Once done, restart and try a connection.

Open an Administrator Command prompt (Click on the Start button, type CMD, at the top of the start button, right click on the CMD.exe command and select Run as Administrator.) At the prompt type the following and press Enter:
netsh int ip reset C:\Resetlog.txt
netsh winsock reset catalog
ipconfig /flushdns
(The space between g and / is needed)
Exit

Restart the computer and let me know the outcome.
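
The flush.bat above replaces the HOSTS file with a single `127.0.0.1 localhost` line, so whatever was in the file is lost once it runs. As an added example (not part of the original post), this lists every mapping a HOSTS file holds beyond the localhost defaults so it can be recorded before the reset; the sample content is constructed and the function names are assumptions.

```python
import ipaddress
import sys

# Constructed sample HOSTS content; none of these entries come from the thread.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
127.0.0.1       update.example-av.test   # constructed entry
203.0.113.7     login.example-bank.test www.example-bank.test
0.0.0.0         ads.example.test
not-an-ip       broken.example.test
"""


def audit_hosts(text):
    """Return (lineno, kind, name, address) for each mapping beyond the localhost defaults.

    kind is one of:
      blocked   - name pinned to loopback or 0.0.0.0, so it cannot reach its real server
      redirect  - name pointed at some other fixed address
      malformed - first field is not an IP address
    """
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        address, *names = line.split()
        try:
            ip = ipaddress.ip_address(address)
        except ValueError:
            findings.extend((lineno, "malformed", n, address) for n in names)
            continue
        for name in names:
            if ip.is_loopback and name.lower() == "localhost":
                continue                          # the default mapping
            kind = "blocked" if (ip.is_loopback or ip.is_unspecified) else "redirect"
            findings.append((lineno, kind, name, address))
    return findings


def format_report(findings):
    """Render the findings as text suitable for saving with the other logs."""
    if not findings:
        return "HOSTS holds only localhost defaults."
    rows = [f"line {n}: {kind:9} {name} -> {addr}" for n, kind, name, addr in findings]
    return "\n".join(rows)


if __name__ == "__main__":
    # Pass a path (for example a copy of the HOSTS file) or fall back to the sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            content = fh.read()
    else:
        content = SAMPLE_HOSTS
    print(format_report(audit_hosts(content)))
```
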
 
Hi Corrine,
Good news. The flush worked! I can now access the internet from the PC. Avast is now loading and I am not getting the "Failed to Connect to a Windows Service:" message upon bootup.

Should I update Avast / Malwarebytes DBs and re-run these utilities?

Thanks!!
 
Excellent! :dance:

Yes, start with a full system scan with Avast. Follow that with a scan by Malwarebytes:

  • After updating Malwarebytes, click on the large green "Scan Now" button to begin the Threat Scan.
  • When the scan completes, click the button: Apply All Actions.
  • A window with an option to view the detailed log will appear. Click on View Detailed Log.
  • After viewing the results, please click on the Copy to Clipboard button > OK.
  • Paste your log into your next reply.
  • Note: If you lose the Clipboard copy and need to retrieve the log again it can be found by opening Malwarebytes and clicking on History> Application Logs with the date of the scan. Simply double-click on that in order to see the options for Copying to Clipboard or to Export to a .txt file (Notepad). etc.. The .txt file can be saved and posted when you are ready.
 
Thank you Corrine. I got handed an especially infected PC, and after all scans were complete the computer's network-ability dropped out. Your flush.bat worked like a charm. Do you have an essential set of tools that you recommend for dealing with future issues?
 
Hi Corrine,
Sorry - couldn't repost immediately. Yes, I updated DBs and ran the scans as you suggested with following results:

1). Avast! - Full Scan - No Threats Found
2). Malwarebytes - Full Scan - Threats found and addressed. See log.

+++++
Malwarebytes Anti-Malware
Malwarebytes | Free Anti-Malware & Internet Security Software

Scan Date: 4/8/2015
Scan Time: 2:47:07 PM
Logfile: malwarebytes report.txt
Administrator: Yes

Version: 2.00.4.1028
Malware Database: v2015.04.08.06
Rootkit Database: v2015.03.31.01
License: Free
Malware Protection: Disabled
Malicious Website Protection: Disabled
Self-protection: Disabled

OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: deaton

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 392165
Time Elapsed: 13 min, 57 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled

Processes: 0
(No malicious items detected)

Modules: 0
(No malicious items detected)

Registry Keys: 2
PUP.Optional.TNT.A, HKU\S-1-5-21-3602817215-1122856828-3849101790-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\SOFTWARE\TNT2, Quarantined, [3ad9a4a8b1d9e056c84e953060a304fc],
PUP.Optional.TidyNetwork.A, HKU\S-1-5-21-3602817215-1122856828-3849101790-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\SOFTWARE\MICROSOFT\INTERNET EXPLORER\LOW RIGHTS\DRAGDROP\{70BC1CDB-0744-4172-BDA0-B5A487D00C3A}, Quarantined, [1102be8eabdf37ffcb90af19a55ea15f],

Registry Values: 0
(No malicious items detected)

Registry Data: 2
PUP.Optional.Freshy.A, HKLM\SOFTWARE\MICROSOFT\INTERNET EXPLORER\ABOUTURLS|Tabs, http://services.freshy.com/general/newhometab.php?hometab=home&partner=11045&guid={6726F2E9-C87A-4F27-8E42-8632CE54AFA4}&i=, Good: (Google), Bad: (http://services.freshy.com/general/newhometab.php?hometab=home&partner=11045&guid={6726F2E9-C87A-4F27-8E42-8632CE54AFA4}&i=),Replaced,[7c971a323159a98d79346a860df812ee]
PUP.Optional.Freshy.A, HKU\S-1-5-21-3602817215-1122856828-3849101790-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\SOFTWARE\MICROSOFT\INTERNET EXPLORER\MAIN|Default_Page_URL, http://services.freshy.com/general/newhometab.php?hometab=home&partner=11045&guid={6726F2E9-C87A-4F27-8E42-8632CE54AFA4}&i=, Good: (Google), Bad: (http://services.freshy.com/general/newhometab.php?hometab=home&partner=11045&guid={6726F2E9-C87A-4F27-8E42-8632CE54AFA4}&i=),Replaced,[888b75d79af084b27933648ccc39d030]

Folders: 0
(No malicious items detected)

Files: 3
PUP.Optional.Arcade.A, C:\Windows\SysWOW64\CatWSPrx.ini, Quarantined, [060d18343e4c89ad19fd48802fd46e92],
PUP.Optional.Arcade.A, C:\Windows\System32\CatWSPrxOff.ini, Quarantined, [4ec516365b2fe84eb760ccfc1be8a858],
PUP.Optional.Arcade.A, C:\Windows\SysWOW64\CatWSPrxOff.ini, Quarantined, [db38bc90c2c8ca6c0c0b0cbc1ae9a55b],

Physical Sectors: 0
(No malicious items detected)


(end)
++++++


3). Malwarebytes Rootkit Scanner - No Threats found.


Everything seems to be functioning properly but I still notice in Task Manager that the COM surrogates are still there as follows:

dllhost.exe COM Surrogate
dllhost.exe *32 SYSTEM COM Surrogate

Not sure if that is a concern or not. Will await your reply and next steps. Thank you so much for getting me to this point. I very much appreciate your time and assistance!!
 
Thank you Corrine. I got handed an especially infected PC, and after all scans were complete the computer's network-ability dropped out. Your flush.bat worked like a charm. Do you have an essential set of tools that you recommend for dealing with future issues?
Hi, Latrell.

I'm glad the flush.bat worked. Each situation is different. 99.9% of the time I do not recommend any steps until I can review some logs to get an idea of what is being dealt with.



haganm, All Malwarebytes found was PUPs (Potentially Unwanted Programs). We'll continue with some additional cleanup but first, let's talk about Oracle Java.

There are very few reasons why Java is needed on a personal computer. Some of those reasons include the following:

  • Playing on-line games generally requires Java.
  • With OpenOffice, Java is needed for the items listed here.
  • It used to be that Java was needed for websites to be properly displayed. However, that is generally not the case now with Flash having taken over.
  • There may be commercial programs that depend on Java. If Java is needed for software installed on your computer, there should be a prompt for it.

Although Internet Explorer is now blocking outdated ActiveX components (see Out-of-date ActiveX control blocking), if Java isn't needed, uninstall it. One less update to worry about and, more importantly, one less potential vulnerability. In the event a program you use requires Java, you will be prompted to install it. Personally, I have not had Java installed on any of my computers for some years and have not missed it.

In the event your father-in-law wishes to keep Java, it needs to be updated as there have been critical security updates released. If that is the decision, please do the following:
  • Start with uninstalling Java 7 Update 71. (Java does not do a good job of removing old versions when moving to a new release, e.g. Java 6 to Java 7 and Java 7 to Java 8, etc.)
  • Download jre-8u40-windows-i586.exe from Java SE Runtime Environment 8 - Downloads.
  • See the instructions under 2. Unwanted "Extras" in my blog post to suppress sponsor offers: Java, The Never-Ending Saga.
It is important to note that the next scheduled Java security update is scheduled for 14 April 2015 so if Java remains on the computer, it will need to be updated again.

After dealing with Java, please do the following:

Please download Adware Cleaner by Xplode. Please save it to your desktop!

  • Close all open programs and internet browsers.
  • Double-click AdwCleaner.exe to run the tool.
    Note: Windows Vista, Windows 7/8 users right-click and select Run As Administrator.
  • Click the Scan button.
  • AdwCleaner will begin. Be patient as the scan may take some time to complete.
  • After the scan has finished, click the Logfile button. A logfile (AdwCleaner[R0].txt) will open in Notepad for review.
  • Copy and paste the contents of that logfile in your next reply.
  • A copy of all logfiles is saved in the C:\AdwCleaner folder which was created when running the tool.
 
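The triage step behind reading a Malwarebytes log as "only PUPs", as an added example that is not part of the original thread and not Malwarebytes' own tooling: it parses the detection lines, checks each section's declared count against the lines actually present, and flags any detection name outside the PUP/PUM families. The section names and line layout follow the log posted above; the sample log is constructed, and treating only the `PUP.` and `PUM.` prefixes as low risk is an assumption.

```python
import re
from collections import Counter

# Section headers as they appear in the Malwarebytes 2.x log posted in this thread.
SECTIONS = ("Processes", "Modules", "Registry Keys", "Registry Values",
            "Registry Data", "Folders", "Files", "Physical Sectors")
HEADER = re.compile(r"^(%s): (\d+)$" % "|".join(SECTIONS))
# A detection line ends with: , <action>, [32-hex id] and an optional comma.
TAIL = re.compile(r",\s*([^,\[\]]+?)\s*,\s*\[([0-9a-f]{32})\],?\s*$")
LOW_RISK = ("PUP.", "PUM.")  # assumption: only these prefixes count as low risk

def triage(log_text):
    """Parse detections, check declared counts, flag non-PUP/PUM names."""
    declared, found, section = {}, [], None
    for line in log_text.splitlines():
        line = line.strip()
        m = HEADER.match(line)
        if m:
            section = m.group(1)
            declared[section] = int(m.group(2))
            continue
        tail = TAIL.search(line)
        if section and tail:
            found.append({"section": section, "action": tail.group(1),
                          "name": line.split(",", 1)[0].strip()})
    parsed = Counter(d["section"] for d in found)
    return {
        "detections": found,
        "families": Counter(d["name"] for d in found),
        "escalate": [d for d in found if not d["name"].startswith(LOW_RISK)],
        # (declared, parsed) for sections where lines are missing or extra
        "mismatch": {s: (n, parsed[s]) for s, n in declared.items()
                     if n != parsed[s]},
    }

# Constructed sample in the same layout; names, paths and ids are made up.
SAMPLE = r"""
Processes: 0
(No malicious items detected)
Registry Keys: 1
PUP.Optional.Example.A, HKU\S-1-5-21-0-0-0-1000\SOFTWARE\EXAMPLE, Quarantined, [00000000000000000000000000000001],
Registry Data: 1
PUP.Optional.Example.B, HKLM\SOFTWARE\EXAMPLE|Tabs, http://example.invalid/?a=1&b=2, Good: (Google), Bad: (http://example.invalid/?a=1&b=2),Replaced,[00000000000000000000000000000002]
Files: 3
PUP.Optional.Example.C, C:\Example\one.ini, Quarantined, [00000000000000000000000000000003],
Trojan.Example, C:\Example\two.exe, Quarantined, [00000000000000000000000000000004],
"""

if __name__ == "__main__":
    print(triage(SAMPLE)["escalate"], triage(SAMPLE)["mismatch"])
```

A non-empty `mismatch` usually means the pasted log was truncated or edited, so ask for the exported .txt file before drawing conclusions from it.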
Hi Corrine,
Per your suggestion, I uninstalled Java. I don't think it was needed for anything specific - thanks for the tip.

Here is the output from running AdwCleaner:

# AdwCleaner v4.201 - Logfile created 08/04/2015 at 19:32:10
# Updated 08/04/2015 by Xplode
# Database : 2015-04-08.1 [Server]
# Operating system : Windows 7 Home Premium Service Pack 1 (x64)
# Username : deaton - DEATON-COMPUTER
# Running from : C:\Users\deaton\Desktop\adwcleaner_4.201.exe
# Option : Cleaning

***** [ Services ] *****


***** [ Files / Folders ] *****

Folder Deleted : C:\ProgramData\apn
Folder Deleted : C:\Program Files (x86)\Conduit
Folder Deleted : C:\Users\admin\AppData\Roaming\CheckPoint\ZoneAlarm LTD Toolbar
Folder Deleted : C:\Users\deaton\AppData\Local\iac
Folder Deleted : C:\Users\deaton\AppData\Local\Motitags_94
Folder Deleted : C:\Users\deaton\AppData\LocalLow\Conduit
Folder Deleted : C:\Users\deaton\AppData\LocalLow\iac
Folder Deleted : C:\Users\deaton\AppData\Roaming\CheckPoint\ZoneAlarm LTD Toolbar
File Deleted : C:\END
File Deleted : C:\ProgramData\Microsoft\Windows\Start Menu\Programs\eBay.lnk

***** [ Scheduled tasks ] *****

Task Deleted : RunAsStdUser Task

***** [ Shortcuts ] *****


***** [ Registry ] *****

Key Deleted : HKLM\SOFTWARE\Classes\AppID\IEHelperv2.5.0.DLL
Key Deleted : HKLM\SOFTWARE\MozillaPlugins\@checkpoint.com/FFApi
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{4FBBF769-ECEB-420A-B536-133B1D505C36}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{9DFFAA5F-44C6-4FF2-80EE-76368D0A2E75}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{B8445FED-900C-4137-AD15-DDD2F6306B62}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{BB27DF2F-6F05-4A42-9FFD-14696D795750}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{993161E3-CF87-46CF-A702-3FD05D3DEDDD}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{0510789C-5E5D-4FA3-A3EF-2D56FDE5090A}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{A3866408-A46D-4421-816F-F34D7247A046}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{6C1B9042-3D32-49A1-916B-0AA3A9CDDFD6}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{FD79F359-E577-46DB-AA74-D6E6B8B45BA8}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2FF49ED5-A3EF-410B-918E-97DECEB5996D}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{EEB20665-7B2B-4594-A799-48D0D977C23D}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{6C1B9042-3D32-49A1-916B-0AA3A9CDDFD6}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{FD79F359-E577-46DB-AA74-D6E6B8B45BA8}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{2FF49ED5-A3EF-410B-918E-97DECEB5996D}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{EEB20665-7B2B-4594-A799-48D0D977C23D}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{C3554359-40B4-4452-9DDC-C8590337949F}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{381F29B0-5D3A-44E0-89D7-AF89E8999CD2}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{7740A731-EEAB-4C9F-8AFC-162CF9145AC8}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{9BFBC2CE-A1CD-4AB8-BC84-27D86C66290E}
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{AC5B6CDA-8F90-4740-9A8C-28AC5D3C73FE}
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{89CC5A31-B592-4BB3-82F5-BD8ACA3E0BF0}
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{22714877-95E3-480E-A313-4EC440965E4F}
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E4AF0CED-A390-49D6-BCE3-4B477D98696A}
Value Deleted : HKCU\Software\Microsoft\Internet Explorer\URLSearchHooks [{D8278076-BC68-4484-9233-6E7F1628B56C}]
Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{3B181CF2-878B-4758-8FBD-59D8AC5AB12D}
Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{F0786343-938E-456B-8798-DE7EEC08F820}
Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{9DFFAA5F-44C6-4FF2-80EE-76368D0A2E75}
Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{B8445FED-900C-4137-AD15-DDD2F6306B62}
Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{BB27DF2F-6F05-4A42-9FFD-14696D795750}
Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{934063FB-A81D-4849-B02C-478446DF3219}
Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{993161E3-CF87-46CF-A702-3FD05D3DEDDD}
Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{0510789C-5E5D-4FA3-A3EF-2D56FDE5090A}
Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{32CC4D2E-999C-4853-9D3E-5DE4C02D57C6}
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{34e26447-bf30-4c78-a5b9-61dfa8a55e67}
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{a5b9c0f5-5616-47cd-a95f-e43b488faccf}
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{afdbddaa-5d3f-42ee-b79c-185a7020515b}
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{cca2e567-1987-4100-a3c6-5b4267084510}
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{EEF7A5B4-C60D-44D2-B147-8AE4F783976E}
Key Deleted : [x64] HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{EEF7A5B4-C60D-44D2-B147-8AE4F783976E}
Key Deleted : HKCU\Software\APN PIP
Key Deleted : HKCU\Software\Optimizer Pro
Key Deleted : HKCU\Software\powerpack
Key Deleted : HKCU\Software\YahooPartnerToolbar
Key Deleted : HKCU\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}
Key Deleted : HKCU\Software\AppDataLow\Software\Conduit
Key Deleted : HKCU\Software\AppDataLow\Software\Toolbar
Key Deleted : HKLM\SOFTWARE\{3A7D3E19-1B79-4E4E-BD96-5467DA2C4EF0}
Key Deleted : HKLM\SOFTWARE\{6791A2F3-FC80-475C-A002-C014AF797E9C}
Key Deleted : HKLM\SOFTWARE\Conduit
Key Deleted : HKLM\SOFTWARE\PIP
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\conduitEngine
Key Deleted : HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\ask.com
Key Deleted : HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\home.tb.ask.com
Key Deleted : HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\search.tb.ask.com

***** [ Web browsers ] *****

-\\ Internet Explorer v11.0.9600.17689


-\\ Google Chrome v

[C:\Users\deaton\AppData\Local\Google\Chrome\User Data\Default\Web Data] - Deleted [Search Provider] : hxxp://search.aol.com/aol/search?q={searchTerms}
[C:\Users\deaton\AppData\Local\Google\Chrome\User Data\Default\Web Data] - Deleted [Search Provider] : hxxp://www.ask.com/web?q={searchTerms}

*************************

AdwCleaner[R0].txt - [6838 bytes] - [08/04/2015 19:27:39]
AdwCleaner[S0].txt - [6677 bytes] - [08/04/2015 19:32:10]

########## EOF - C:\AdwCleaner\AdwCleaner[S0].txt - [6736 bytes] ##########


 
