Hello!
So a couple of days ago I accidentally downloaded an add-on to Google Chrome that's called mail.ru. It has since then messed up my browser by adding add-ons, changing the homepage address, ads that pop up and, you know, the stuff that ad malware does. I usually fix this problem by just uninstalling them. But with this malware, I am not able to remove the virus. I keep getting pop-ups on this page called newcityinworld.com & sosalovodro4ik.xyz. I have Norton Security on my computer so I ran a full system scan but no virus was found. I tried removing every file that had mail.ru in the description with help of "regedit". Still this **** page keeps on popping up. Currently I have an add-on "block site" that obviously blocks these sites by redirecting them to google.com. But it's still annoying and Chrome feels slower. Any suggestions? Thanks
Please download the FRST 32 bit or FRST 64bit version to suit your operating system. It is important FRST is downloaded to your desktop.
If you are unsure if your operating system is 32 or 64 Bit please go HERE.
Once downloaded, right-click the FRST desktop icon and select "Run as administrator" from the menu.
If you receive any security warnings, or the User Account Control warning opens at any time whilst using FRST you can safely allow FRST to proceed.
FRST will open with two dialogue boxes, accept the disclaimer.
Accept the default whitelist options.
If the additions.txt options box is not checked please select it.
Then select Scan
FRST will take a few minutes to scan your computer, and when finished will produce two log files on your desktop, FRST.txt and Addition.txt. They will display immediately on the desktop, but can be reopened later as a Notepad file.
Please copy and paste the contents of these logs in your next post for review.
I see that you have BitTorrent installed. Though P2P programs themselves are not malicious, the chance of downloading a malicious file is like playing Russian roulette. Any file could be the one that will turn your computer into a very expensive door stop, and I would appreciate it if you disabled the software and refrained from using it while we are working on your current issue. For all we know, this could be how your system was infiltrated.
Also, it is better for us helpers for the FRST & Addition.txt logs to be copied and pasted in your reply, not attached. Can you please remove or confirm that you will not use BitTorrent for the duration of us assisting you with your issue, and paste the two logs rather than attach them. This will speed up the process of you getting help.
Oh, sorry, I am new to this forum. Anyway, I have uninstalled BitTorrent and run a new scan.
FRST log
Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 01-01-2017
Ran by michael96 (administrator) on 5CG4391DJR (06-01-2017 20:00:17)
Running from C:\Users\michael96\Desktop
Loaded Profiles: michael96 (Available Profiles: michael96)
Platform: Windows 8.1 Enterprise (Update) (X64) Language: Svenska (Sverige)
Internet Explorer Version 11 (Default browser: Chrome)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/
(There is no automatic fix for files that do not pass verification.)
C:\windows\system32\winlogon.exe => File is digitally signed
C:\windows\system32\wininit.exe => File is digitally signed
C:\windows\explorer.exe => File is digitally signed
C:\windows\SysWOW64\explorer.exe => File is digitally signed
C:\windows\system32\svchost.exe => File is digitally signed
C:\windows\SysWOW64\svchost.exe => File is digitally signed
C:\windows\system32\services.exe => File is digitally signed
C:\windows\system32\User32.dll => File is digitally signed
C:\windows\SysWOW64\User32.dll => File is digitally signed
C:\windows\system32\userinit.exe => File is digitally signed
C:\windows\SysWOW64\userinit.exe => File is digitally signed
C:\windows\system32\rpcss.dll => File is digitally signed
C:\windows\system32\dnsapi.dll => File is digitally signed
C:\windows\SysWOW64\dnsapi.dll => File is digitally signed
C:\windows\system32\Drivers\volsnap.sys => File is digitally signed
LastRegBack: 2017-01-06 15:42
==================== End of FRST.txt ============================
Addition log
Additional scan result of Farbar Recovery Scan Tool (x64) Version: 01-01-2017
Ran by michael96 (06-01-2017 20:00:51)
Running from C:\Users\michael96\Desktop
Windows 8.1 Enterprise (Update) (X64) (2015-05-06 11:50:35)
Boot Mode: Normal
==========================================================
==================== Security Center ========================
(If an entry is included in the fixlist, it will be removed.)
AV: Norton Security (Disabled - Up to date) {53C7D717-52E2-B95E-FA61-6F32ECC805DB}
AV: Windows Defender (Disabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
AS: Windows Defender (Disabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
AS: Norton Security (Disabled - Up to date) {E8A636F3-74D8-B6D0-C0D1-5440974F4F66}
FW: Norton Security (Enabled) {6BFC5632-188D-B806-D13E-C607121B42A0}
Application errors:
==================
Error: (01/06/2017 11:57:14 AM) (Source: Customer Experience Improvement Program) (EventID: 1008) (User: )
Description: Ett problem hindrade data för Programmet för kvalitetsförbättring i Windows från att skickas till Microsoft, (Fel 80070005).
Error: (01/06/2017 11:01:21 AM) (Source: Application Error) (EventID: 1000) (User: )
Description: Felet uppstod i programmet med namn: Connect.Service.ContentService.exe, version 20.1.49.0, tidsstämpel 0x54d43c57
, felet uppstod i modulen med namn: KERNELBASE.dll, version 6.3.9600.18340, tidsstämpel 0x57366075
Undantagskod: 0xe0434352
Felförskjutning: 0x0000000000008a5c
Process-ID: 0x648
Programmets starttid: 0x01d26803cb91d7c5
Sökväg till program: C:\Program Files\Autodesk\Content Service\Connect.Service.ContentService.exe
Sökväg till modul: C:\windows\system32\KERNELBASE.dll
Rapport-ID: 12604602-d3f7-11e6-82ae-3464a9d004ce
Fullständigt namn på felaktigt paket:
Program-ID relativt till felaktigt paket:
Error: (01/06/2017 11:01:05 AM) (Source: .NET Runtime) (EventID: 1026) (User: )
Description: Tillämpningsprogram: Connect.Service.ContentService.exe
Framework-version: v4.0.30319
Beskrivning: Processen avslutades på grund av ett ohanterat undantag.
Undantagsinformation: System.ArgumentNullException
Stack:
vid System.Globalization.CultureInfo..ctor(System.String, Boolean)
vid Connect.IVault.Program.Main()
Error: (01/06/2017 05:19:42 AM) (Source: Bonjour Service) (EventID: 100) (User: )
Description: Task Scheduling Error: Continuously busy for more than a second
Error: (01/06/2017 05:19:33 AM) (Source: Bonjour Service) (EventID: 100) (User: )
Description: Task Scheduling Error: Continuously busy for more than a second
System errors:
=============
Error: (01/06/2017 06:35:28 PM) (Source: Microsoft-Windows-WindowsUpdateClient) (EventID: 20) (User: NT instans)
Description: Installationsfel: Det gick inte att installera följande uppdatering på grund av fel 0x80070002: Microsoft.Reader.
Error: (01/06/2017 03:43:07 PM) (Source: DCOM) (EventID: 10010) (User: 5CG4391DJR)
Description: Servern {1B1F472E-3221-4826-97DB-2C2324D389AE} registrerades inte med DCOM inom erforderlig timeout.
Error: (01/06/2017 03:42:37 PM) (Source: DCOM) (EventID: 10010) (User: 5CG4391DJR)
Description: Servern {BF6C1E47-86EC-4194-9CE5-13C15DCB2001} registrerades inte med DCOM inom erforderlig timeout.
Error: (01/06/2017 03:42:35 PM) (Source: Microsoft-Windows-WindowsUpdateClient) (EventID: 20) (User: NT instans)
Description: Installationsfel: Det gick inte att installera följande uppdatering på grund av fel 0x80070002: Microsoft.Reader.
Error: (01/06/2017 11:12:22 AM) (Source: Microsoft-Windows-WindowsUpdateClient) (EventID: 20) (User: NT instans)
Description: Installationsfel: Det gick inte att installera följande uppdatering på grund av fel 0x80070002: Microsoft.Reader.
Error: (01/06/2017 11:01:21 AM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: Tjänsten Autodesk Content Service kunde inte startas på grund av följande fel:
Tjänsten svarade inte på start- eller kontrollbegäran i tid.
Error: (01/06/2017 11:01:21 AM) (Source: Service Control Manager) (EventID: 7009) (User: )
Description: En timeout (30000 ms) inträffade vid väntan på att tjänsten Autodesk Content Service skulle ansluta.
Error: (01/06/2017 11:01:03 AM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: Tjänsten MBAMChameleon kunde inte startas på grund av följande fel:
Det går inte att hitta filen.
==================== Memory info ===========================
Processor: Intel(R) Celeron(R) CPU 2950M @ 2.00GHz
Percentage of memory in use: 83%
Total physical RAM: 4009.11 MB
Available physical RAM: 678.2 MB
Total Virtual: 6953.11 MB
Available Virtual: 2158.57 MB
Download the attached fixlist.txt file and save it to the Desktop.
NOTE: It's important that both files, FRST/FRST64 and fixlist.txt, are in the same location or the fix will not work.
NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.
Run FRST/FRST64 and press the Fix button just once and wait.
If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.
When finished FRST will generate a log on the Desktop (Fixlog.txt). Please post it to your reply.
Click the Cog/Sprocket Wheel at the top right of Zemana.
Select Advanced - I have read the warning and wish to proceed.
Place a tick next to Detect Suspicious (Root CA) Certificates.
Then click the house icon in Zemana.
Then hit your start button at the lower left hand corner of your desktop.
Then left click on Computer.
Drag Local Disk C: into the area of Zemana that reads "Drag and drop files here to scan them".
Once the scan has completed, click the graph icon on the top right of the program's user interface.
Double click to open the latest log-file.
Copy it to your clipboard.
Post the log here in your next reply.
ZHP Scan.
1. Please download ZHPCleaner to your desktop. Right-click the icon and select "Run as administrator".
2. Once you have started the program, you will need to click the scanner button.
The program will close all open browsers!
3. Once the scan is completed, you will want to click the Repair button.
At the end of the process you may be asked to reboot your machine. After you reboot a report will open on your desktop. Copy and paste the report here in your next reply.
When the program completes, the tool will automatically open a log file.
Please post that log here in your next post.
Fresh FRST Logs.
Please re-run Farbar Recovery Scan Tool to give me a fresh look at your system.
Right-click on FRST icon and select Run as Administrator to start the tool.
(XP users click run after receipt of Windows Security Warning - Open File).
Make sure that Addition option is checked.
Press Scan button and wait.
The tool will produce two logfiles on your desktop: FRST.txt, and Addition.txt.
Fix result of Farbar Recovery Scan Tool (x64) Version: 01-01-2017
Ran by michael96 (06-01-2017 20:18:07) Run:1
Running from C:\Users\michael96\Desktop
Loaded Profiles: michael96 (Available Profiles: michael96)
Boot Mode: Normal
==============================================
Restore point was successfully created.
Processes closed successfully.
HKLM\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\\ => value removed successfully
HKU\S-1-5-21-3641276461-1987637529-1729258412-1001\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\\ => value removed successfully
HKU\S-1-5-21-3641276461-1987637529-1729258412-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{a0127733-022f-11e5-8263-18cf5eb3a663} => key removed successfully
HKCR\CLSID\{a0127733-022f-11e5-8263-18cf5eb3a663} => key not found.
C:\Users\michael96\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Facebook Games Arcade (BETA).lnk => moved successfully
C:\Users\michael96\AppData\Local\Facebook\Games\FacebookGames.exe => moved successfully
C:\windows\system32\GroupPolicy\Machine => moved successfully
C:\windows\system32\GroupPolicy\GPT.ini => moved successfully
C:\windows\SysWOW64\GroupPolicy\GPT.ini => moved successfully
C:\windows\system32\GroupPolicy\User => moved successfully
HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\\DhcpNameServer => value removed successfully
HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{04EE8B03-B476-4835-9D7D-8D2249FDB8C0}\\DhcpNameServer => value removed successfully
HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6D53EC84-6AAE-4787-AEEE-F4628F01010C} => key removed successfully
HKCR\Wow6432Node\CLSID\{6D53EC84-6AAE-4787-AEEE-F4628F01010C} => key not found.
Firefox DefaultSearchEngine removed successfully
Firefox SearchEngineOrder.3 removed successfully
Firefox SelectedSearchEngine removed successfully
Firefox "homepage" removed successfully
Firefox "Keyword.URL" removed successfully
C:\Users\michael96\AppData\Roaming\Mozilla\Firefox\Profiles\6wy7q6u7.default\Extensions\bingsearch.full@microsoft.com.xpi => moved successfully
C:\Users\michael96\AppData\Roaming\Mozilla\Firefox\Profiles\6wy7q6u7.default\Extensions\homepage@mail.ru => moved successfully
C:\Users\michael96\AppData\Roaming\Mozilla\Firefox\Profiles\6wy7q6u7.default\Extensions\search@mail.ru => moved successfully
C:\Users\michael96\AppData\Roaming\Mozilla\Firefox\Profiles\6wy7q6u7.default\Extensions\{a38384b3-2d1d-4f36-bc22-0f7ae402bcd7} => moved successfully
C:\Users\michael96\AppData\Roaming\Mozilla\Firefox\Profiles\6wy7q6u7.default\searchplugins\bing-.xml => moved successfully
C:\Users\michael96\AppData\Roaming\Mozilla\Firefox\Profiles\6wy7q6u7.default\searchplugins\mailru.xml => moved successfully
HKLM\Software\Wow6432Node\Mozilla\Firefox\Extensions\\{F04D2D30-776C-4d02-8627-8E4385ECA58D} => value removed successfully
HKLM\Software\Wow6432Node\MozillaPlugins\@tools.google.com/Google Update;version=3 => key removed successfully
C:\Program Files (x86)\Google\Update\1.3.32.7\npGoogleUpdate3.dll => moved successfully
HKLM\Software\Wow6432Node\MozillaPlugins\@tools.google.com/Google Update;version=9 => key removed successfully
C:\Program Files (x86)\Google\Update\1.3.32.7\npGoogleUpdate3.dll => not found.
Chrome HomePage => removed successfully
Chrome StartupUrls => removed successfully
C:\Users\michael96\AppData\Local\Google\Chrome\User Data\Default\Extensions\boeajhmfdjldchidhphikilcgdacljfm => moved successfully
C:\Users\michael96\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi => moved successfully
C:\Users\michael96\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmameahlembdcigphohgiodcgjomcgeo => moved successfully
C:\Users\michael96\AppData\Local\Google\Chrome\User Data\System Profile\Extensions\coobgpohoikkiipiblmjeljniedjpjpf => moved successfully
C:\Users\michael96\AppData\Local\Google\Chrome\User Data\System Profile\Extensions\pjkljhegncpnkpknbcohdijeoejaedia => moved successfully
HKLM\SOFTWARE\Google\Chrome\Extensions\aaaabpccljmmhilhhndnjkobdedbpkjp => key removed successfully
HKLM\SOFTWARE\Google\Chrome\Extensions\iikflkcanblccfahdhdonehdalibjnif => key removed successfully
HKLM\SOFTWARE\Google\Chrome\Extensions\nppllibpnmahfaklnpggkibhkapjkeob => key removed successfully
HKU\S-1-5-21-3641276461-1987637529-1729258412-1001\SOFTWARE\Google\Chrome\Extensions\fcfenmboojpjinhpgggodefccipikbpd => key removed successfully
HKU\S-1-5-21-3641276461-1987637529-1729258412-1001\SOFTWARE\Google\Chrome\Extensions\mjbepbhonbojpoaenhckjocchgfiaofo => key removed successfully
HKLM\SOFTWARE\Wow6432Node\Google\Chrome\Extensions\aaaabpccljmmhilhhndnjkobdedbpkjp => key removed successfully
HKLM\SOFTWARE\Wow6432Node\Google\Chrome\Extensions\ccfifbojenkenpkmnbnndeadpfdiffof => key removed successfully
HKLM\SOFTWARE\Wow6432Node\Google\Chrome\Extensions\iikflkcanblccfahdhdonehdalibjnif => key removed successfully
HKLM\SOFTWARE\Wow6432Node\Google\Chrome\Extensions\lifbcibllhkdhoafpjfnlhfpfgnpldfl => key removed successfully
HKLM\SOFTWARE\Wow6432Node\Google\Chrome\Extensions\nppllibpnmahfaklnpggkibhkapjkeob => key removed successfully
HKLM\SOFTWARE\Wow6432Node\Google\Chrome\Extensions\oelpkepjlgmehajehfeicfbjdiobdkfj => key removed successfully
HKLM\SOFTWARE\Wow6432Node\Google\Chrome\Extensions\ojlcebdkbpjdpiligkdbbkdkfjmchbfd => key removed successfully
HKLM\System\CurrentControlSet\Services\dbx => key removed successfully
dbx => service removed successfully
HKLM\System\CurrentControlSet\Services\MBAMChameleon => key removed successfully
MBAMChameleon => service removed successfully
HKLM\System\CurrentControlSet\Services\NAVENG => could not remove key. Access Denied.
HKLM\System\CurrentControlSet\Services\NAVEX15 => could not remove key. Access Denied.
C:\Users\michael96\AppData\Local\Mail.Ru => moved successfully
C:\ProgramData\Mail.Ru => moved successfully
C:\ProgramData\Ament.ini => moved successfully
C:\ProgramData\Microsoft.SqlServer.Compact.351.64.bc => moved successfully
HKU\S-1-5-21-3641276461-1987637529-1729258412-1001_Classes\CLSID\{0B628DE4-07AD-4284-81CA-5B439F67C5E6} => key removed successfully
HKU\S-1-5-21-3641276461-1987637529-1729258412-1001_Classes\CLSID\{149DD748-EA85-45A6-93C5-AC50D0260C98} => key removed successfully
HKU\S-1-5-21-3641276461-1987637529-1729258412-1001_Classes\CLSID\{5370C727-1451-4700-A960-77630950AF6D} => key removed successfully
HKU\S-1-5-21-3641276461-1987637529-1729258412-1001_Classes\CLSID\{E2C40589-DE61-11ce-BAE0-0020AF6D7005} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon\{A34C1C68-404B-4289-BFBE-7725F5DFFB30} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{A34C1C68-404B-4289-BFBE-7725F5DFFB30} => key removed successfully
C:\windows\System32\Tasks\GoogleUpdateTaskMachineCore => moved successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\GoogleUpdateTaskMachineCore => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{C3336BE0-BEC9-4B97-9D23-9ACB1E493903} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{C3336BE0-BEC9-4B97-9D23-9ACB1E493903} => key removed successfully
C:\windows\System32\Tasks\{890F82FE-F5EE-4547-BE2C-169BD15FD43C} => moved successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\{890F82FE-F5EE-4547-BE2C-169BD15FD43C} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{CE7FBCF8-E036-43BD-AC0E-0B983C41DEEC} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{CE7FBCF8-E036-43BD-AC0E-0B983C41DEEC} => key removed successfully
C:\windows\System32\Tasks\newcityinworld => moved successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\newcityinworld => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{D216C4A7-4D0F-4C51-B186-B246567347FF} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{D216C4A7-4D0F-4C51-B186-B246567347FF} => key removed successfully
C:\windows\System32\Tasks\GoogleUpdateTaskMachineUA => moved successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\GoogleUpdateTaskMachineUA => key removed successfully
C:\Users\michael96\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Mail.Ru.lnk => Shortcut argument removed successfully.
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\TCP Query User{F7AB17AA-7F27-4A9F-9E9F-DF12E8F08DE6}C:\program files (x86)\ti education\ti-nspire cas student software\ti-nspire cas student software.exe => value removed successfully
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\UDP Query User{210792F8-F6C7-4987-8098-0B8A81C4288C}C:\program files (x86)\ti education\ti-nspire cas student software\ti-nspire cas student software.exe => value removed successfully
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{B818A6EF-1A72-47E2-AE87-DF7C6144BB8D} => value not found.
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{C84797BF-D276-45F2-88B1-80736AEF9352} => value not found.
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{A745AA81-304F-47B9-8A74-588FA1A204EF} => value not found.
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{64DDB27E-3693-4F8F-A722-8587671057FF} => value not found.
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{3350FF72-E5C4-4E71-8061-91D151148435} => value not found.
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{80BC569A-607D-490C-8353-C7C1F37A7248} => value not found.
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{C67D7595-E163-4E6F-8059-306C691E40DF} => value removed successfully
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{DF55B2F0-4337-452D-B9FE-61EC14A5A73B} => value removed successfully
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{99F72D7E-10B9-4613-842C-2782A7996F35} => value removed successfully
C:\Windows\System32\Drivers\etc\hosts => moved successfully
Hosts restored successfully.
========= ipconfig /flushdns =========
Windows IP Configuration
Successfully flushed the DNS Resolver Cache.
========= End of CMD: =========
=========== EmptyTemp: ==========
BITS transfer queue => 8388608 B
DOMStore, IE Recovery, AppCache, Feeds Cache, Thumbcache, IconCache => 95737662 B
Java, Flash, Steam htmlcache => 65248701 B
Windows/system/drivers => 1241892 B
Edge => 0 B
Chrome => 349055164 B
Firefox => 239603372 B
Opera => 0 B
Temp, IE cache, history, cookies, recent:
Default => 0 B
Users => 0 B
ProgramData => 0 B
Public => 0 B
systemprofile => 128 B
systemprofile32 => 2323068 B
LocalService => 515208 B
NetworkService => 67754 B
michael96 => 43930589 B
RecycleBin => 0 B
EmptyTemp: => 768.8 MB temporary data Removed.
================================
The system needed a reboot.
==== End of Fixlog 20:18:40 ====
Zemana deep scan:
Zemana AntiMalware 2.70.2.341 (installerad)
-------------------------------------------------------
Scan Result : Avslutad
Scan Date : 2017-1-6
Operating System : Windows 8.1 64-bit
Processor : 2X Intel(R) Celeron(R) CPU 2950M @ 2.00GHz
BIOS Mode : Legacy
CUID : 12CF12D28E8E909C952E1E
Scan Type : Anpassad skanning
Duration : 17m 41s
Scanned Objects : 291370
Detected Objects : 7
Excluded Objects : 0
Read Level : SCSI
Auto Upload : Enabled
Detect All Extensions : Disabled
Scan Documents : Disabled
Domain Info : WORKGROUP,0,2
YGO! The Final Duel - Normal.exe
Status : Skannad
Object : %homedrive%\yugi\yu-gi-oh! duel in the shadow realm - the final duel\ygo! the final duel - normal.exe
MD5 : FA7AF448F3DFA19712C0384592E683D3
Publisher : -
Size : 3088384
Version : -
Detection : Malware:Win32/Vorniac.A!Keae
Cleaning Action : Karantän
Related Objects :
Fil - %homedrive%\yugi\yu-gi-oh! duel in the shadow realm - the final duel\ygo! the final duel - normal.exe
AllCards.exe
Status : Skannad
Object : %homedrive%\yugi\yu-gi-oh! duel in the shadow realm - the final duel\all cards - unlocker\allcards.exe
MD5 : BEC4C128A57E6224AE6A719052A9C2A6
Publisher : -
Size : 50348
Version : 1.2.0.715
Detection : Adware:Win32/Nevoros.B!Aclk
Cleaning Action : Karantän
Related Objects :
Fil - %homedrive%\yugi\yu-gi-oh! duel in the shadow realm - the final duel\all cards - unlocker\allcards.exe
Cleaning Result
-------------------------------------------------------
Cleaned : 7
Reported as safe : 0
Failed : 0
ZHP Cleaner:
~ ZHPCleaner v2017.1.5.3 by Nicolas Coolman (2017/01/05)
~ Run by michael96 (Administrator) (06/01/2017 20:55:20)
~ Web: https://www.nicolascoolman.com
~ Blog: https://www.anti-malware.top
~ Facebook : https://www.facebook.com/nicolascoolman1
~ State version : Version OK
~ Type : Repair
~ Report : C:\Users\michael96\Desktop\ZHPCleaner.txt
~ Quarantine : C:\Users\michael96\AppData\Roaming\ZHP\ZHPCleaner_Quarantine.txt
~ UAC : Activate
~ Boot Mode : Normal (Normal boot)
Windows 8.1 Enterprise, 64-bit (Build 9600)
---\\ Services (0)
~ No malicious or unnecessary items found.
---\\ Browser internet (0)
~ No malicious or unnecessary items found.
---\\ Hosts file (1)
~ The hosts file is legitimate (1)
---\\ Scheduled automatic tasks. (0)
~ No malicious or unnecessary items found.
---\\ Explorer ( File, Folder) (13)
MOVED file: C:\Windows\Installer\wix{2E4AF2A6-50EA-4260-9BA4-5E582D11879A}.SchedServiceConfig.rmi =>.Superfluous.Empty
MOVED file: C:\Windows\Installer\wix{3540181E-340A-4E7A-B409-31663472B2F7}.SchedServiceConfig.rmi =>.Superfluous.Empty
MOVED file: C:\Windows\Installer\wix{55BB2110-FB43-49B3-93F4-945A0CFB0A6C}.SchedServiceConfig.rmi =>.Superfluous.Empty
MOVED file: C:\Windows\Installer\wix{A37CDB58-AAE8-0000-8C13-E0F7BACB0D5F}.SchedServiceConfig.rmi =>.Superfluous.Empty
MOVED folder: C:\Program Files (x86)\QuickTime =>Riskware.QuickTime
MOVED folder: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\QuickTime =>Riskware.QuickTime
MOVED folder: C:\windows\Installer\MSIEF7D.tmp- =>.Superfluous.Empty
MOVED folder: C:\windows\Installer\MSIF105.tmp- =>.Superfluous.Empty
MOVED folder: C:\windows\Installer\MSIF1E1.tmp- =>.Superfluous.Empty
MOVED folder: C:\windows\Installer\MSIF31A.tmp- =>.Superfluous.Empty
MOVED folder: C:\windows\Installer\MSIF3F6.tmp- =>.Superfluous.Empty
MOVED folder: C:\windows\Installer\MSIFC28.tmp- =>.Superfluous.Empty
MOVED folder: C:\windows\Installer\MSIFD23.tmp- =>.Superfluous.Empty
~ End of clean in 00h00mn26s
~====================
ZHPCleaner-[R]-06012017-20_55_46.txt
ZHPCleaner--06012017-20_52_20.txt
FRST log
Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 01-01-2017
Ran by michael96 (administrator) on 5CG4391DJR (06-01-2017 21:39:08)
Running from C:\Users\michael96\Desktop
Loaded Profiles: michael96 (Available Profiles: michael96)
Platform: Windows 8.1 Enterprise (Update) (X64) Language: Svenska (Sverige)
Internet Explorer Version 11 (Default browser: Chrome)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/
(There is no automatic fix for files that do not pass verification.)
C:\windows\system32\winlogon.exe => File is digitally signed
C:\windows\system32\wininit.exe => File is digitally signed
C:\windows\explorer.exe => File is digitally signed
C:\windows\SysWOW64\explorer.exe => File is digitally signed
C:\windows\system32\svchost.exe => File is digitally signed
C:\windows\SysWOW64\svchost.exe => File is digitally signed
C:\windows\system32\services.exe => File is digitally signed
C:\windows\system32\User32.dll => File is digitally signed
C:\windows\SysWOW64\User32.dll => File is digitally signed
C:\windows\system32\userinit.exe => File is digitally signed
C:\windows\SysWOW64\userinit.exe => File is digitally signed
C:\windows\system32\rpcss.dll => File is digitally signed
C:\windows\system32\dnsapi.dll => File is digitally signed
C:\windows\SysWOW64\dnsapi.dll => File is digitally signed
C:\windows\system32\Drivers\volsnap.sys => File is digitally signed
LastRegBack: 2017-01-06 15:42
==================== End of FRST.txt ============================
Addition log:
Additional scan result of Farbar Recovery Scan Tool (x64) Version: 01-01-2017
Ran by michael96 (06-01-2017 21:39:36)
Running from C:\Users\michael96\Desktop
Windows 8.1 Enterprise (Update) (X64) (2015-05-06 11:50:35)
Boot Mode: Normal
==========================================================
==================== Security Center ========================
(If an entry is included in the fixlist, it will be removed.)
AV: Norton Security (Disabled - Up to date) {53C7D717-52E2-B95E-FA61-6F32ECC805DB}
AV: Windows Defender (Disabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
AS: Windows Defender (Disabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
AS: Norton Security (Disabled - Up to date) {E8A636F3-74D8-B6D0-C0D1-5440974F4F66}
FW: Norton Security (Enabled) {6BFC5632-188D-B806-D13E-C607121B42A0}
Application errors:
==================
Error: (01/06/2017 08:23:34 PM) (Source: SideBySide) (EventID: 35) (User: )
Description: Det gick inte att skapa aktiveringskontext för C:\Program Files (x86)\Microsoft Office\Office15\lync.exe.Manifest. Det finns ett fel i manifest- eller principfilen C:\Program Files (x86)\Microsoft Office\Office15\UccApi.DLL på rad 1.
Den komponentidentitet som hittades i manifestet matchar inte identiteten i den komponent som begärdes.
Referens är UccApi,processorArchitecture="AMD64",type="win32",version="15.0.0.0".
Definition är UccApi,processorArchitecture="x86",type="win32",version="15.0.0.0".
Använd sxstrace.exe om du vill diagnostisera ytterligare.
Error: (01/06/2017 08:19:38 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Felet uppstod i programmet med namn: Connect.Service.ContentService.exe, version 20.1.49.0, tidsstämpel 0x54d43c57
, felet uppstod i modulen med namn: KERNELBASE.dll, version 6.3.9600.18340, tidsstämpel 0x57366075
Undantagskod: 0xe0434352
Felförskjutning: 0x0000000000008a5c
Process-ID: 0x66c
Programmets starttid: 0x01d26851c9e07b56
Sökväg till program: C:\Program Files\Autodesk\Content Service\Connect.Service.ContentService.exe
Sökväg till modul: C:\windows\system32\KERNELBASE.dll
Rapport-ID: 10aff07e-d445-11e6-82af-3464a9d004ce
Fullständigt namn på felaktigt paket:
Program-ID relativt till felaktigt paket:
Error: (01/06/2017 08:19:23 PM) (Source: .NET Runtime) (EventID: 1026) (User: )
Description: Tillämpningsprogram: Connect.Service.ContentService.exe
Framework-version: v4.0.30319
Beskrivning: Processen avslutades på grund av ett ohanterat undantag.
Undantagsinformation: System.ArgumentNullException
Stack:
vid System.Globalization.CultureInfo..ctor(System.String, Boolean)
vid Connect.IVault.Program.Main()
Error: (01/06/2017 08:18:07 PM) (Source: VSS) (EventID: 8194) (User: )
Description: Fel i tjänsten Volume Shadow Copy: Oväntat fel när gränssnittet IVssWriterCallback skulle erhållas. hr = 0x80070005, Åtkomst nekad.
.
Det orsakas ofta av inkorrekta säkerhetsinställningar i processen för antingen skrivaren eller beställaren.
Åtgärd:
Samlar in skrivardata
Kontext:
Skrivarklass-ID: {e8132975-6f93-4464-a53e-1050253ae220}
Skrivarnamn: System Writer
Skrivarinstans-ID: {1642d07e-7e7b-4755-b67a-baba494ace5d}
Error: (01/06/2017 11:57:14 AM) (Source: Customer Experience Improvement Program) (EventID: 1008) (User: )
Description: Ett problem hindrade data för Programmet för kvalitetsförbättring i Windows från att skickas till Microsoft, (Fel 80070005).
Error: (01/06/2017 11:01:21 AM) (Source: Application Error) (EventID: 1000) (User: )
Description: Felet uppstod i programmet med namn: Connect.Service.ContentService.exe, version 20.1.49.0, tidsstämpel 0x54d43c57
, felet uppstod i modulen med namn: KERNELBASE.dll, version 6.3.9600.18340, tidsstämpel 0x57366075
Undantagskod: 0xe0434352
Felförskjutning: 0x0000000000008a5c
Process-ID: 0x648
Programmets starttid: 0x01d26803cb91d7c5
Sökväg till program: C:\Program Files\Autodesk\Content Service\Connect.Service.ContentService.exe
Sökväg till modul: C:\windows\system32\KERNELBASE.dll
Rapport-ID: 12604602-d3f7-11e6-82ae-3464a9d004ce
Fullständigt namn på felaktigt paket:
Program-ID relativt till felaktigt paket:
Error: (01/06/2017 11:01:05 AM) (Source: .NET Runtime) (EventID: 1026) (User: )
Description: Tillämpningsprogram: Connect.Service.ContentService.exe
Framework-version: v4.0.30319
Beskrivning: Processen avslutades på grund av ett ohanterat undantag.
Undantagsinformation: System.ArgumentNullException
Stack:
vid System.Globalization.CultureInfo..ctor(System.String, Boolean)
vid Connect.IVault.Program.Main()
Error: (01/06/2017 05:19:42 AM) (Source: Bonjour Service) (EventID: 100) (User: )
Description: Task Scheduling Error: Continuously busy for more than a second
System errors:
=============
Error: (01/06/2017 09:19:17 PM) (Source: volsnap) (EventID: 36) (User: )
Description: Skuggkopiorna för volymen C: avbröts eftersom lagringsutrymmet för skuggkopian inte kunde växa på grund av en begränsning som angetts av användaren.
Error: (01/06/2017 08:19:38 PM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: Tjänsten Autodesk Content Service kunde inte startas på grund av följande fel:
Tjänsten svarade inte på start- eller kontrollbegäran i tid.
Error: (01/06/2017 08:19:38 PM) (Source: Service Control Manager) (EventID: 7009) (User: )
Description: En timeout (30000 ms) inträffade vid väntan på att tjänsten Autodesk Content Service skulle ansluta.
Error: (01/06/2017 08:18:58 PM) (Source: DCOM) (EventID: 10010) (User: 5CG4391DJR)
Description: Servern {9BA05972-F6A8-11CF-A442-00A0C90A8F39} registrerades inte med DCOM inom erforderlig timeout.
Error: (01/06/2017 08:18:58 PM) (Source: DCOM) (EventID: 10010) (User: 5CG4391DJR)
Description: Servern {9BA05972-F6A8-11CF-A442-00A0C90A8F39} registrerades inte med DCOM inom erforderlig timeout.
Error: (01/06/2017 08:18:50 PM) (Source: Service Control Manager) (EventID: 7032) (User: )
Description: Tjänsthanteraren försökte utföra en korrigeringsåtgärd (Starta om tjänsten) efter att tjänsten Windows Search avslutats oväntat, men denna åtgärd misslyckades med följande fel:
Det finns redan en aktiv session av tjänsten.
Error: (01/06/2017 08:18:20 PM) (Source: Service Control Manager) (EventID: 7031) (User: )
Description: Tjänsten Windows Search avslutades oväntat. Den har gjort detta 1 gång(er). Följande åtgärd kommer att utföras om 30000 millisekunder: Starta om tjänsten.
Error: (01/06/2017 08:18:19 PM) (Source: DCOM) (EventID: 10010) (User: 5CG4391DJR)
Description: Servern {AB8902B4-09CA-4BB6-B78D-A8F59079A8D5} registrerades inte med DCOM inom erforderlig timeout.
Error: (01/06/2017 08:18:19 PM) (Source: Service Control Manager) (EventID: 7034) (User: )
Description: Tjänsten HP Support Solutions Framework Service avslutades oväntat. Detta har skett 1 gånger.
Error: (01/06/2017 08:18:19 PM) (Source: Service Control Manager) (EventID: 7034) (User: )
Description: Tjänsten Steam Client Service avslutades oväntat. Detta har skett 1 gånger.
==================== Memory info ===========================
Processor: Intel(R) Celeron(R) CPU 2950M @ 2.00GHz
Percentage of memory in use: 60%
Total physical RAM: 4009.11 MB
Available physical RAM: 1599.94 MB
Total Virtual: 6953.11 MB
Available Virtual: 3809.09 MB
Shut down your anti-virus, anti-spyware, and firewall software now to avoid potential conflicts.
Run the tool by double-clicking it. If you are using Windows Vista or Windows 7, right-click it and select Run as administrator.
The tool will open and start scanning your system.
Please be patient as this can take a while to complete depending on your system's specifications.
On completion, a log is saved to your desktop and will automatically open.
Please post the JRT log.
Adware Removal Tool Scan.
Download Adware Removal Tool to your desktop, right-click the icon and select Run as Administrator.
Hit OK.
Hit Next, making sure to leave all items checked for removal.
The program will close all open programs to complete the removal, so save any work and hit OK. Then hit OK after the removal process is complete, then OK again to finish up. Post the log generated by the tool.
Windows 8.1(6.3.9600) (x64) Enterprise Lang: Swedish(041D)
Installation date OS: 06.05.2015 11:50:35
LicenseStatus: Office 15, OfficeProPlusVL_MAK edition The machine is permanently activated.
LicenseStatus: Windows(R), Enterprise edition The machine is permanently activated.
Boot Mode: Normal
Default Browser: Internet Explorer (C:\Program Files\Internet Explorer\iexplore.exe)
SystemDrive: C: FS: [NTFS] Capacity: [97.3 Gb] Used: [79.9 Gb] Free: [17.4 Gb]
------------------------------- [ Windows ] -------------------------------
Internet Explorer 11.0.9600.18538
User Account Control enabled
Automatically download and schedule installation
Date install updates: 2016-12-18 19:35:08
Windows Update (wuauserv) - The service is running
Security Center (wscsvc) - The service is running
Remote Registry (RemoteRegistry) - The service has stopped
SSDP Discovery (SSDPSRV) - The service is running
Remote Desktop Services (TermService) - The service has stopped
Windows Remote Management (WS-Management) (WinRM) - The service has stopped
------------------------------ [ MS Office ] ------------------------------
Microsoft Office 2013 x86 v.15.0.4569.1506
---------------------------- [ Antivirus_WMI ] ----------------------------
Norton Security (disabled)
Windows Defender (disabled and up to date)
---------------------------- [ Firewall_WMI ] -----------------------------
Norton Security
--------------------------- [ AntiSpyware_WMI ] ---------------------------
Windows Defender (disabled and up to date)
Norton Security (disabled)
---------------------- [ AntiVirusFirewallInstall ] -----------------------
Norton Security v.22.8.1.14
Norton Identity Safe v.2014.7.11.42
-------------------------- [ SecurityUtilities ] --------------------------
Zemana AntiMalware v.2.70.341
--------------------------- [ OtherUtilities ] ----------------------------
WinRAR 5.21 (64-bit) v.5.21.0 Warning! Download Update
Microsoft Silverlight v.5.1.50901.0
WinRAR 5.21 (32-bit) v.5.21.0 Warning! Download Update
--------------------------------- [ IM ] ----------------------------------
Skype™ 7.27 v.7.27.101 Warning! Download Update ^Optional update.^
-------------------------------- [ Java ] ---------------------------------
Java 8 Update 101 v.8.0.1010.13 Warning! Download Update Uninstall old version and install new one (jre-8u112-windows-i586.exe).
--------------------------- [ AppleProduction ] ---------------------------
Bonjour v.3.1.0.1
iTunes v.12.5.4.42
QuickTime 7 v.7.79.80.95 Warning! This software is no longer supported. Please uninstall it and use another software.
Bonjour-tjänst (Bonjour Service) - The service is running
--------------------------- [ AdobeProduction ] ---------------------------
Adobe Flash Player 24 NPAPI v.24.0.0.186
Adobe Reader XI (11.0.11) - Svenska v.11.0.11 Warning! Download Update ^Please run Adobe Reader XI and go Help - Check for updates...^
------------------------------- [ Browser ] -------------------------------
Google Chrome v.55.0.2883.87
Mozilla Firefox 43.0.4 (x86 sv-SE) v.43.0.4 Warning! Download Update
--------------------------- [ RunningProcess ] ----------------------------
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe v.55.0.2883.87
------------------ [ AntivirusFirewallProcessServices ] -------------------
Windows Defender Service (WinDefend) - The service has stopped
Windows Defender Network Inspection Service (WdNisSvc) - The service has stopped
ZAM Controller Service (ZAMSvc) - The service is running
C:\Program Files (x86)\Zemana AntiMalware\ZAM.exe v.0.0.0.0
---------------------------- [ UnwantedApps ] -----------------------------
Ace Stream Media 3.1.11 v.3.1.11 Unwanted software.
Skype Click to Call v.8.5.0.9167 Warning! Browser's toolbar. It can slow down the working of your browser and have violation privacy problems.
----------------------------- [ End of Log ] ------------------------------
Adware cleaner scan
# AdwCleaner v6.042 - Logfile created 06/01/2017 at 22:34:22
# Updated on 06/01/2017 by Malwarebytes
# Database : 2017-01-06.1 [Server]
# Operating System : Windows 8.1 Enterprise (X64)
# Username : michael96 - 5CG4391DJR
# Running from : C:\Users\michael96\Downloads\adwcleaner_6.042.exe
# Mode: Scan
# Support : https://www.malwarebytes.com/support
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Malwarebytes
Version: 8.1.0 (12.05.2016)
Operating System: Windows 8.1 Enterprise x64
Ran by michael96 (Administrator) on 2017-01-06 at 22:36:22,37
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on 2017-01-06 at 22:38:58,68
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Please follow the suggestions in the security check log, and update your software. You can also use Patch My PC.
WinRAR 5.21 (64-bit) v.5.21.0 Warning! Download Update
Microsoft Silverlight v.5.1.50901.0
WinRAR 5.21 (32-bit) v.5.21.0 Warning! Download Update
--------------------------------- [ IM ] ----------------------------------
Skype™ 7.27 v.7.27.101 Warning! Download Update ^Optional update.^
-------------------------------- [ Java ] ---------------------------------
Java 8 Update 101 v.8.0.1010.13 Warning! Download Update Uninstall old version and install new one (jre-8u112-windows-i586.exe).
--------------------------- [ AppleProduction ] ---------------------------
Bonjour v.3.1.0.1
iTunes v.12.5.4.42
QuickTime 7 v.7.79.80.95 Warning! This software is no longer supported. Please uninstall it and use another software.
Bonjour-tjänst (Bonjour Service) - The service is running
--------------------------- [ AdobeProduction ] ---------------------------
Adobe Flash Player 24 NPAPI v.24.0.0.186
Adobe Reader XI (11.0.11) - Svenska v.11.0.11 Warning! Download Update ^Please run Adobe Reader XI and go Help - Check for updates...^
------------------------------- [ Browser ] -------------------------------
Google Chrome v.55.0.2883.87
Mozilla Firefox 43.0.4 (x86 sv-SE) v.43.0.4 Warning! Download Update
Also, you will need to re-run Adware Cleaner; I need to see a new log to make sure all was removed.
I need to see the following in your next post:
An updated Security Check log after updating your apps. A fresh Adware Cleaner log that shows me you have deleted the adware from your machine. Tell me if any issues are present on your machine. Once I see that you are updated and all bad items are removed, we will clean up the tools we used.
Alright, I think that the ad malware is now removed; I haven't had any pop-ups in a while.
Here are the updated logs.
Adw cleaner
# AdwCleaner v6.042 - Logfile created 07/01/2017 at 00:17:19
# Updated on 06/01/2017 by Malwarebytes
# Database : 2017-01-06.1 [Local]
# Operating System : Windows 8.1 Enterprise (X64)
# Username : michael96 - 5CG4391DJR
# Running from : C:\Users\michael96\Downloads\adwcleaner_6.042 (1).exe
# Mode: Clean
# Support : https://www.malwarebytes.com/support
Windows 8.1(6.3.9600) (x64) Enterprise Lang: Swedish(041D)
Installation date OS: 06.05.2015 11:50:35
LicenseStatus: Office 15, OfficeProPlusVL_MAK edition The machine is permanently activated.
LicenseStatus: Windows(R), Enterprise edition The machine is permanently activated.
Boot Mode: Normal
Default Browser: Internet Explorer (C:\Program Files\Internet Explorer\iexplore.exe)
SystemDrive: C: FS: [NTFS] Capacity: [97.3 Gb] Used: [81.4 Gb] Free: [15.9 Gb]
------------------------------- [ Windows ] -------------------------------
Internet Explorer 11.0.9600.18538
User Account Control enabled
Automatically download and schedule installation
Date install updates: 2016-12-18 19:35:08
Windows Update (wuauserv) - The service is running
Security Center (wscsvc) - The service is starting
Remote Registry (RemoteRegistry) - The service has stopped
SSDP Discovery (SSDPSRV) - The service is running
Remote Desktop Services (TermService) - The service has stopped
Windows Remote Management (WS-Management) (WinRM) - The service has stopped
------------------------------ [ MS Office ] ------------------------------
Microsoft Office 2013 x86 v.15.0.4569.1506
---------------------------- [ Antivirus_WMI ] ----------------------------
Norton Security (disabled)
Windows Defender (disabled and up to date)
---------------------------- [ Firewall_WMI ] -----------------------------
Norton Security
--------------------------- [ AntiSpyware_WMI ] ---------------------------
Windows Defender (disabled and up to date)
Norton Security (disabled)
---------------------- [ AntiVirusFirewallInstall ] -----------------------
Norton Security v.22.8.1.14
Norton Identity Safe v.2014.7.11.42
-------------------------- [ SecurityUtilities ] --------------------------
Zemana AntiMalware v.2.70.341
--------------------------- [ OtherUtilities ] ----------------------------
WinRAR 5.40 (64-bit) v.5.40.0
Microsoft Silverlight v.5.1.50901.0
WinRAR 5.40 (32-bit) v.5.40.0
--------------------------------- [ IM ] ----------------------------------
Skype™ 7.30 v.7.30.105
-------------------------------- [ Java ] ---------------------------------
Java 8 Update 112 v.8.0.1120.15
--------------------------- [ AppleProduction ] ---------------------------
Bonjour v.3.1.0.1
iTunes v.12.5.4.42
Bonjour-tjänst (Bonjour Service) - The service is running
--------------------------- [ AdobeProduction ] ---------------------------
Adobe Flash Player 24 NPAPI v.24.0.0.186
Adobe Reader XI (11.0.18) - Svenska v.11.0.18
------------------------------- [ Browser ] -------------------------------
Mozilla Firefox 50.1.0 (x64 sv-SE) v.50.1.0
Google Chrome v.55.0.2883.87
Mozilla Firefox 43.0.4 (x86 sv-SE) v.43.0.4 Warning! Download Update
--------------------------- [ RunningProcess ] ----------------------------
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe v.55.0.2883.87
------------------ [ AntivirusFirewallProcessServices ] -------------------
Windows Defender Service (WinDefend) - The service has stopped
Windows Defender Network Inspection Service (WdNisSvc) - The service has stopped
ZAM Controller Service (ZAMSvc) - The service is running
C:\Program Files (x86)\Zemana AntiMalware\ZAM.exe v.0.0.0.0
---------------------------- [ UnwantedApps ] -----------------------------
Skype Click to Call v.8.5.0.9167 Warning! Browser's toolbar. It can slow down the working of your browser and have violation privacy problems.
----------------------------- [ End of Log ] ------------------------------
Remove disinfection tools
Create registry backup
Purge System Restore
Now click on the "Run" button.
Allow the program to complete its work.
All the tools we used will be removed.
The tool will create and open a log report (DelFix.txt). Note: the report can be found at the following location: C:\DelFix.txt
Sorry for the late response,
Man, thank you so much for the help, I appreciate it a lot! I will definitely suggest this forum to my friends.
Here are the last logs.
Operating System : Windows 8.1 (6.3.9600) 64 bits version
Started in : Normal mode
User : michael96 [Administrator]
Started from : C:\Users\michael96\Desktop\RogueKillerX64.exe
Mode : Delete -- Date : 01/07/2017 11:18:45 (Duration : 00:25:22)
I almost forgot to mention about a couple of programs to remove from your machine.
Ace Stream Media 3.1.11 (HKU\S-1-5-21-3641276461-1987637529-1729258412-1001\...\AceStream) (Version: 3.1.11 - Ace Stream Media) <==== ATTENTION
Facebook Games Arcade 0.11.2.4 (HKLM-x32\...\{923578AC-231E-4A7C-8AB8-A90C16B8A507}) (Version: 0.11.2.4 - Facebook)
FRST seems to flag Ace Stream Media; it seems it is related to torrents. If it were my machine it would go... it seems it could open you up to infections.
Also, I would certainly not have anything running from Facebook anywhere near my machine, so that is a definite uninstall...
Re-run R-Killer, place a tick next to the firewall path below, and delete it. Uninstalling the program will remove the rest of the files.
[PUP.Gen0|PUP.Gen1|Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {19DA06B4-E9B1-40BE-A251-5973CFB4EC64} : v2.22|Action=Allow|Active=TRUE|Dir=In|Protocol=17|LPort=5353|App=C:\Users\michael96\AppData\Local\Amigo\Application\amigo.exe|Name=Amigo (mDNS-In)|Desc=Regel som tillåter inkommande mDNS-trafik för Amigo.|EmbedCtxt=Amigo| [x] -> Not selected