me82 Posted December 20, 2016

I am using a PC that was upgraded from XP to Windows 7 Pro. I did a scan on it using Junkware first and it didn't get much off the computer, then I downloaded Malwarebytes, the free version, but it has a trial version. It got some malware off. When I restarted my PC and opened up Google Chrome, the index file came up instead of the normal Google screen, so I reset Google and it shows normal again. This happens whenever I do a Malwarebytes scan: just the index file comes up. It happened in Firefox too and I had to go into settings and refresh Firefox. Also the SafeSearch toolbar did not get removed in Google Chrome. I tried Adware Removal Tool as well and all it took off was ask.com and aol.com. So I went into Google extensions and downloaded an ad blocker (Stands), went to the Google homepage, and the SafeSearch toolbar does not show anymore because of the ad blocker.
me82 Posted December 20, 2016 (Author)

I did a search on the internet to get the SafeSearch toolbar off, but it requires going into the registry and deleting the SafeSearch entries / .pol file, and I don't want to go into the registry and mess up my computer. Even though the toolbar doesn't show anymore, that doesn't mean it's off my computer, right?
Juliet Posted December 20, 2016

me82 wrote: I did a search on the internet to get the SafeSearch toolbar off, but it requires going into the registry and deleting the SafeSearch entries / .pol file, and I don't want to go into the registry and mess up my computer. Even though the toolbar doesn't show anymore, that doesn't mean it's off my computer, right?

It's possible bits and pieces could still be on there. I'm going to move this topic to the HJT forum (Have I Been Hijacked?) and have you run a tool that searches the registry; then we can easily remove items that need to go.
Juliet Posted December 20, 2016

All tools that I have you download should be placed on the desktop unless otherwise stated. If you are familiar with how to save files to the desktop then you can skip this step. It's easiest if you configure your browser(s) to download any tools to the desktop by default. Please use the appropriate instructions below depending on the browser you are using.

Google Chrome - Click the "Customize and control Google Chrome" button in the upper right corner of the browser. Choose Settings. At the bottom of the screen click the "Show advanced settings..." link. Scroll down to find the Downloads section and click the Change... button. Select your desktop and click OK.

Mozilla Firefox - Click the "Open Menu" button in the upper right corner of the browser. Choose Options. In the Downloads section, click the Browse button, click on the Desktop folder and then click the "Select Folder" button. Click OK to get out of the Options menu.

Farbar Recovery Scan Tool (FRST) Scan

Please download Farbar Recovery Scan Tool (x32) or Farbar Recovery Scan Tool (x64) and save the file to your Desktop.
Note: Download and run the version compatible with your system (32 or 64-bit). Download both if you're unsure; only one will run.

1. Right-click FRST.exe / FRST64.exe and select Run as administrator to run the programme.
2. Click Yes to the disclaimer.
3. Ensure the Addition.txt box is checked.
4. Click the Scan button and let the programme run.
5. Upon completion, click OK, then OK on the Addition.txt pop-up screen.
6. Two logs (FRST.txt & Addition.txt) will now be open on your Desktop.
7. Copy the contents of both logs and paste them in your next reply.
me82 Posted December 20, 2016 (Author)

This (Stands) ad blocker for Google does wonders.
Juliet Posted December 20, 2016

Good deal.
me82 Posted December 20, 2016 (Author)

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 17-12-2016
Ran by Owner (administrator) on OWNER-PC (20-12-2016 16:41:33)
Running from C:\Users\Owner\Desktop
Loaded Profiles: Owner (Available Profiles: Owner)
Platform: Windows 7 Professional Service Pack 1 (X64) Language: English (United States)
Internet Explorer Version 8 (Default browser: IE)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================
(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(Malwarebytes) C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe
(Malwarebytes) C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe

==================== Registry (Whitelisted) ====================
(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [Malwarebytes TrayApp] => C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\mbamtray.exe [2786768 2016-11-29] (Malwarebytes)

==================== Internet (Whitelisted) ====================
(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

Tcpip\Parameters: [DhcpNameServer] 192.168.1.254
Tcpip\..\Interfaces\{9D69391E-5B78-4298-B9EB-3BDF78BF7400}: [DhcpNameServer] 192.168.1.254

Internet Explorer:
==================
HKU\S-1-5-21-961524124-1411212058-1041103660-1001\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = hxxp://www.msn.com/?ocid=iehp
Filter: deflate - {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\Windows\system32\urlmon.dll [2010-11-20] (Microsoft Corporation)
Filter-x32: deflate - {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\Windows\SysWOW64\urlmon.dll [2010-11-20] (Microsoft Corporation)
Filter: gzip - {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\Windows\system32\urlmon.dll [2010-11-20] (Microsoft Corporation)
Filter-x32: gzip - {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\Windows\SysWOW64\urlmon.dll [2010-11-20] (Microsoft Corporation)

FireFox:
========
FF ProfilePath: C:\Users\Owner\AppData\Roaming\Mozilla\Firefox\Profiles\pmwkzvnz.default-1482205545460 [2016-12-20]
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files\Microsoft Silverlight\5.1.50901.0\npctrl.dll [2016-08-31] ( Microsoft Corporation)
FF Plugin-x32: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files (x86)\Microsoft Silverlight\5.1.50901.0\npctrl.dll [2016-08-31] ( Microsoft Corporation)
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.32.7\npGoogleUpdate3.dll [2016-12-17] (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.32.7\npGoogleUpdate3.dll [2016-12-17] (Google Inc.)

Chrome:
=======
CHR Profile: C:\Users\Owner\AppData\Local\Google\Chrome\User Data\Default [2016-12-20]
CHR Extension: (Google Slides) - C:\Users\Owner\AppData\Local\Google\Chrome\User Data\Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek [2016-11-05]
CHR Extension: (Google Docs) - C:\Users\Owner\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake [2016-11-05]
CHR Extension: (Google Drive) - C:\Users\Owner\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2016-11-05]
CHR Extension: (YouTube) - C:\Users\Owner\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2016-11-05]
CHR Extension: (Google Sheets) - C:\Users\Owner\AppData\Local\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap [2016-11-05]
CHR Extension: (Fair Ads (by STANDS)) - C:\Users\Owner\AppData\Local\Google\Chrome\User Data\Default\Extensions\gagfkmknmijppikpcikmbbkdkhggcmge [2016-12-20]
CHR Extension: (Google Docs Offline) - C:\Users\Owner\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi [2016-11-05]
CHR Extension: (Fair AdBlocker (by STANDS)) - C:\Users\Owner\AppData\Local\Google\Chrome\User Data\Default\Extensions\lgblnfidahcdcjddiepkckcfdhpknnjh [2016-12-20]
CHR Extension: (Chrome Web Store Payments) - C:\Users\Owner\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2016-11-05]
CHR Extension: (Gmail) - C:\Users\Owner\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2016-11-05]
CHR Extension: (Chrome Media Router) - C:\Users\Owner\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm [2016-12-19]

==================== Services (Whitelisted) ====================
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R2 MBAMService; C:\Program Files\Malwarebytes\Anti-Malware\mbamservice.exe [4317648 2016-11-29] (Malwarebytes)
R2 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [1011712 2009-07-13] (Microsoft Corporation)

===================== Drivers (Whitelisted) ======================
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R3 E100B; C:\Windows\System32\DRIVERS\efe5b32e.sys [192256 2009-06-10] (Intel Corporation)
R1 ESProtectionDriver; C:\Windows\system32\drivers\mbae64.sys [77408 2016-11-29] ()
R2 MBAMChameleon; C:\Windows\system32\drivers\MBAMChameleon.sys [176064 2016-12-17] (Malwarebytes)
R3 MBAMFarflt; C:\Windows\system32\drivers\farflt.sys [102856 2016-12-20] (Malwarebytes)
R3 MBAMProtection; C:\Windows\system32\drivers\mbam.sys [43968 2016-12-20] (Malwarebytes)
R0 MBAMSwissArmy; C:\Windows\System32\drivers\MBAMSwissArmy.sys [250816 2016-12-20] (Malwarebytes)
R3 MBAMWebProtection; C:\Windows\system32\drivers\mwac.sys [81696 2016-12-20] (Malwarebytes)

==================== NetSvcs (Whitelisted) ===================
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

==================== One Month Created files and folders ========
(If an entry is included in the fixlist, the file/folder will be moved.)

2016-12-20 16:41 - 2016-12-20 16:42 - 00006779 _____ C:\Users\Owner\Desktop\FRST.txt
2016-12-20 16:41 - 2016-12-20 16:41 - 00000000 ____D C:\FRST
2016-12-20 16:39 - 2016-12-20 16:39 - 02420224 _____ (Farbar) C:\Users\Owner\Desktop\FRST64.exe
2016-12-19 22:45 - 2016-12-19 22:45 - 00000000 ____D C:\Users\Owner\Desktop\Old Firefox Data
2016-12-19 22:02 - 2016-12-19 22:33 - 00000000 ____D C:\AdwCleaner
2016-12-19 21:59 - 2016-12-19 22:00 - 03910208 _____ C:\Users\Owner\Downloads\adwcleaner(2).exe
2016-12-17 13:07 - 2016-12-17 13:07 - 05659917 _____ (Swearware) C:\Users\Owner\Downloads\ComboFix.exe
2016-12-17 12:52 - 2016-12-20 14:51 - 00102856 _____ (Malwarebytes) C:\Windows\system32\Drivers\farflt.sys
2016-12-17 12:52 - 2016-12-20 14:51 - 00081696 _____ (Malwarebytes) C:\Windows\system32\Drivers\mwac.sys
2016-12-17 12:52 - 2016-12-17 12:52 - 00176064 _____ (Malwarebytes) C:\Windows\system32\Drivers\MBAMChameleon.sys
2016-12-17 12:51 - 2016-12-20 14:51 - 00250816 _____ (Malwarebytes) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
2016-12-17 12:51 - 2016-12-20 14:51 - 00043968 _____ (Malwarebytes) C:\Windows\system32\Drivers\mbam.sys
2016-12-17 12:51 - 2016-12-17 12:51 - 00001867 _____ C:\Users\Public\Desktop\Malwarebytes.lnk
2016-12-17 12:51 - 2016-12-17 12:51 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes
2016-12-17 12:51 - 2016-12-17 12:51 - 00000000 ____D C:\ProgramData\Malwarebytes
2016-12-17 12:51 - 2016-12-17 12:51 - 00000000 ____D C:\Program Files\Malwarebytes
2016-12-17 12:51 - 2016-11-29 06:27 - 00077408 _____ C:\Windows\system32\Drivers\mbae64.sys
2016-12-17 12:33 - 2016-12-17 12:33 - 01631928 _____ (Malwarebytes) C:\Users\Owner\Downloads\JRT.exe
2016-12-14 21:06 - 2016-12-20 00:19 - 00000000 ____D C:\Users\Owner\AppData\LocalLow\Mozilla
2016-12-11 01:14 - 2016-12-19 22:34 - 00000000 ____D C:\Program Files (x86)\Mozilla Firefox

==================== One Month Modified files and folders ========
(If an entry is included in the fixlist, the file/folder will be moved.)

2016-12-20 14:58 - 2009-07-13 23:45 - 00021280 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2016-12-20 14:58 - 2009-07-13 23:45 - 00021280 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2016-12-20 14:50 - 2009-07-14 00:08 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2016-12-19 22:34 - 2016-10-31 13:19 - 00000000 ____D C:\Program Files (x86)\Mozilla Maintenance Service
2016-12-17 13:09 - 2016-11-03 16:21 - 00000000 ____D C:\Users\Owner\AppData\Local\ElevatedDiagnostics
2016-12-17 12:58 - 2016-10-31 13:55 - 00002187 _____ C:\Users\Public\Desktop\Google Chrome.lnk
2016-12-17 12:58 - 2016-10-31 13:55 - 00002187 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome.lnk
2016-12-17 12:58 - 2016-10-31 13:20 - 00001151 _____ C:\Users\Public\Desktop\Mozilla Firefox.lnk
2016-12-17 12:58 - 2016-10-31 13:19 - 00001163 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Mozilla Firefox.lnk
2016-12-17 12:58 - 2016-10-31 13:15 - 00001447 _____ C:\Users\Owner\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer.lnk
2016-12-17 12:58 - 2016-10-31 13:15 - 00001413 _____ C:\Users\Owner\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer (64-bit).lnk
2016-12-17 12:16 - 2009-07-13 22:20 - 00000000 ____D C:\Windows\inf
2016-12-17 12:00 - 2016-10-31 13:54 - 00003330 _____ C:\Windows\System32\Tasks\GoogleUpdateTaskMachineUA
2016-12-17 12:00 - 2016-10-31 13:53 - 00003202 _____ C:\Windows\System32\Tasks\GoogleUpdateTaskMachineCore
2016-12-17 11:46 - 2016-11-14 20:00 - 00001945 _____ C:\Windows\epplauncher.mif
2016-12-11 01:16 - 2016-11-03 07:45 - 00000000 ____D C:\Users\Owner\AppData\Local\Google
2016-12-10 23:45 - 2009-07-14 00:13 - 00781298 _____ C:\Windows\system32\PerfStringBackup.INI

==================== Files in the root of some directories =======

2016-11-05 15:04 - 2016-11-05 15:04 - 0000000 _____ () C:\Users\Owner\AppData\Local\{17C1B774-83E0-4D5B-9952-55D0E7B5581A}

Some files in TEMP:
====================
C:\Users\Owner\AppData\Local\Temp\libeay32.dll
C:\Users\Owner\AppData\Local\Temp\msvcr120.dll
C:\Users\Owner\AppData\Local\Temp\sqlite3.dll

==================== Bamital & volsnap ======================
(There is no automatic fix for files that do not pass verification.)

C:\Windows\system32\winlogon.exe => File is digitally signed
C:\Windows\system32\wininit.exe => File is digitally signed
C:\Windows\SysWOW64\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\system32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\system32\services.exe => File is digitally signed
C:\Windows\system32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\system32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\system32\rpcss.dll => File is digitally signed
C:\Windows\system32\dnsapi.dll => File is digitally signed
C:\Windows\SysWOW64\dnsapi.dll => File is digitally signed
C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed

LastRegBack: 2016-12-19 22:33

==================== End of FRST.txt ============================
me82 Posted December 20, 2016 (Author)

Additional scan result of Farbar Recovery Scan Tool (x64) Version: 17-12-2016
Ran by Owner (20-12-2016 16:42:48)
Running from C:\Users\Owner\Desktop
Windows 7 Professional Service Pack 1 (X64) (2016-10-31 18:12:56)
Boot Mode: Normal
==========================================================

==================== Accounts: =============================

Administrator (S-1-5-21-961524124-1411212058-1041103660-500 - Administrator - Disabled)
Guest (S-1-5-21-961524124-1411212058-1041103660-501 - Limited - Disabled)
HomeGroupUser$ (S-1-5-21-961524124-1411212058-1041103660-1002 - Limited - Enabled)
Owner (S-1-5-21-961524124-1411212058-1041103660-1001 - Administrator - Enabled) => C:\Users\Owner

==================== Security Center ========================
(If an entry is included in the fixlist, it will be removed.)

AV: Malwarebytes (Enabled - Up to date) {23007AD3-69FE-687C-2629-D584AFFAF72B}
AS: Malwarebytes (Enabled - Up to date) {98619B37-4FC4-67F2-1C99-EEF6D47DBD96}
AS: Windows Defender (Disabled - Out of date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

==================== Installed Programs ======================
(Only the adware programs with "Hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)

7-Zip 16.04 (x64) (HKLM\...\7-Zip) (Version: 16.04 - Igor Pavlov)
Adobe Flash Player 10 ActiveX (HKLM-x32\...\Adobe Flash Player ActiveX) (Version: 10.3.181.14 - Adobe Systems Incorporated)
Dell System Detect (HKU\S-1-5-21-961524124-1411212058-1041103660-1001\...\58d94f3ce2c27db0) (Version: 7.11.0.6 - Dell)
Gigabyte Wireless LAN Card (HKLM-x32\...\{2C564A58-BD28-4926-95E1-EC7812FCA44F}) (Version: 1.00.0000 - Gigabyte)
Google Chrome (HKLM-x32\...\{16C1182D-6E13-3989-A4BC-360B106D5C4E}) (Version: 54.0.2840.71 - Google, Inc.)
Google Update Helper (x32 Version: 1.3.32.7 - Google Inc.) Hidden
Malwarebytes version 3.0.4.1269 (HKLM\...\{35065F43-4BB2-439A-BFF7-0F1014F2E0CD}_is1) (Version: 3.0.4.1269 - Malwarebytes)
Microsoft .NET Framework 4.6.2 (HKLM\...\{92FB6C44-E685-45AD-9B20-CADF4CABA132} - 1033) (Version: 4.6.01590 - Microsoft Corporation)
Microsoft Silverlight (HKLM\...\{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}) (Version: 5.1.50901.0 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.6161 (HKLM\...\{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4}) (Version: 9.0.30729.6161 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (HKLM-x32\...\{9BE518E6-ECC6-35A9-88E4-87755C07200F}) (Version: 9.0.30729.6161 - Microsoft Corporation)
Mozilla Firefox 50.1.0 (x86 en-US) (HKLM-x32\...\Mozilla Firefox 50.1.0 (x86 en-US)) (Version: 50.1.0 - Mozilla)
Mozilla Maintenance Service (HKLM-x32\...\MozillaMaintenanceService) (Version: 50.1.0.6186 - Mozilla)
OpenOffice 4.1.3 (HKLM-x32\...\{EEA30AEB-8BA7-465B-85D4-098BB99733E7}) (Version: 4.13.9783 - Apache Software Foundation)
Revo Uninstaller 2.0.1 (HKLM\...\{A28DBDA2-3CC7-4ADC-8BFE-66D7743C6C97}_is1) (Version: 2.0.1 - VS Revo Group, Ltd.)
WinRAR 5.40 (64-bit) (HKLM\...\WinRAR archiver) (Version: 5.40.0 - win.rar GmbH)

==================== Custom CLSID (Whitelisted): ==========================
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

==================== Scheduled Tasks (Whitelisted) =============
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

Task: {0FF23161-EB9E-4AB3-93EC-E0C5F6A10961} - System32\Tasks\{0BC15F45-0E9A-4980-B72C-8F0726195EB6} => pcalua.exe -a "C:\Users\Owner\Desktop\Dell driver software\PROSet.exe" -d "C:\Users\Owner\Desktop\Dell driver software"
Task: {21D0A833-C8DA-416E-9F39-466C7976A40B} - System32\Tasks\GoogleUpdateTaskMachineUA => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2016-10-31] (Google Inc.)
Task: {32E4A7E2-E17E-4190-B103-4CB7EC80D21E} - System32\Tasks\GoogleUpdateTaskMachineCore => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2016-10-31] (Google Inc.)
Task: {8A4E1E6B-F689-47C4-AB88-0FDE06508D23} - System32\Tasks\{18A18759-B6F5-4E7F-B704-7492ACD8B881} => pcalua.exe -a C:\Users\Owner\Desktop\PROSet.exe -d C:\Users\Owner\Desktop

(If an entry is included in the fixlist, the task (.job) file will be moved. The file which is running by the task will not be moved.)

==================== Shortcuts =============================
(The entries could be listed to be restored or removed.)

ShortcutWithArgument: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome.lnk -> C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (Google Inc.) -> "
ShortcutWithArgument: C:\Users\Public\Desktop\Google Chrome.lnk -> C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (Google Inc.) -> "

==================== Loaded Modules (Whitelisted) ==============

2016-12-17 12:51 - 2016-11-29 06:27 - 02259232 _____ () C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\PoliciesControllerImpl.dll
2016-12-17 12:51 - 2016-11-29 06:27 - 02247632 _____ () C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\MwacLib.dll
2016-12-17 12:51 - 2016-11-29 06:27 - 02813904 _____ () C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\arwlib.dll
2016-12-17 12:51 - 2016-11-08 09:46 - 00693248 _____ () C:\Program Files\Malwarebytes\Anti-Malware\QtQuick\Controls\qtquickcontrolsplugin.dll

==================== Alternate Data Streams (Whitelisted) =========
(If an entry is included in the fixlist, only the ADS will be removed.)

==================== Safe Mode (Whitelisted) ===================
(If an entry is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.)

HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MBAMService => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\MBAMService => ""="Service"

==================== Association (Whitelisted) ===============
(If an entry is included in the fixlist, the registry item will be restored to default or removed.)

==================== Internet Explorer trusted/restricted ===============
(If an entry is included in the fixlist, it will be removed from the registry.)

IE trusted site: HKU\S-1-5-21-961524124-1411212058-1041103660-1001\...\dell.com -> dell.com

==================== Hosts content: ===============================
(If needed Hosts: directive could be included in the fixlist to reset Hosts.)

2009-07-13 21:34 - 2009-06-10 16:00 - 00000824 ____A C:\Windows\system32\Drivers\etc\hosts

==================== Other Areas ============================
(Currently there is no automatic fix for this section.)

HKU\S-1-5-21-961524124-1411212058-1041103660-1001\Control Panel\Desktop\\Wallpaper -> C:\Users\Owner\AppData\Roaming\Microsoft\Windows\Themes\TranscodedWallpaper.jpg
DNS Servers: 192.168.1.254
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System => (ConsentPromptBehaviorAdmin: 5) (ConsentPromptBehaviorUser: 3) (EnableLUA: 1)
Windows Firewall is enabled.

==================== MSCONFIG/TASK MANAGER disabled items ==

==================== FirewallRules (Whitelisted) ===============
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

FirewallRules: [sPPSVC-In-TCP] => %SystemRoot%\system32\sppsvc.exe
FirewallRules: [sPPSVC-In-TCP-NoScope] => %SystemRoot%\system32\sppsvc.exe
FirewallRules: [{866803FD-2C6D-4482-8773-1BED7A76011E}] => C:\Program Files (x86)\Mozilla Firefox\firefox.exe
FirewallRules: [{9E10EE46-C05B-437E-96F5-8E56D6E5B315}] => C:\Program Files (x86)\Mozilla Firefox\firefox.exe
FirewallRules: [{F4EF756C-B155-4620-93A2-5370AE5D94F5}] => C:\Program Files (x86)\SrpnFiles\SrpnFiles.exe
FirewallRules: [{225C20D6-FB3D-47A7-B85B-3F1695D86273}] => C:\Program Files (x86)\SrpnFiles\SrpnFiles.exe
FirewallRules: [{94FAB7E2-3330-46AF-BCE3-28EC66D42C41}] => C:\Program Files (x86)\SrpnFiles\downloader.exe
FirewallRules: [{F9300FBC-C47A-4721-BDAF-1A873F9361A8}] => C:\Program Files (x86)\SrpnFiles\downloader.exe
FirewallRules: [{0AC08974-A0D6-4E54-A31A-6F6A1C009353}] => C:\Program Files (x86)\Google\Chrome\Application\chrome.exe

==================== Restore Points =========================

31-10-2016 13:13:08 Windows Update
31-10-2016 13:59:39 Installed Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.6161
05-11-2016 12:22:07 Installed Intel® Network Connections.
05-11-2016 12:46:04 Installed Gigabyte Wireless LAN Card
05-11-2016 15:19:55 Installed Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.6161
05-11-2016 15:22:46 Installed Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
05-11-2016 15:25:13 Installed OpenOffice 4.1.3
05-11-2016 17:21:51 Installed Kaspersky Anti-Virus 2010.
14-11-2016 20:02:31 Revo Uninstaller's restore point - Kaspersky Anti-Virus 2010
14-11-2016 20:19:08 Windows Update
14-11-2016 23:10:21 Windows Update
17-12-2016 12:35:49 JRT Pre-Junkware Removal

==================== Faulty Device Manager Devices =============

==================== Event log errors: =========================

Application errors:
==================
Error: (12/20/2016 03:21:17 PM) (Source: Customer Experience Improvement Program) (EventID: 1008) (User: )
Description: A problem prevented Customer Experience Improvement Program data from being sent to Microsoft, (Error 80004005).

Error: (12/20/2016 02:52:17 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: Event filter with query "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 99" could not be reactivated in namespace "//./root/CIMV2" because of error 0x80041003. Events cannot be delivered through this filter until the problem is corrected.

Error: (12/19/2016 10:36:44 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: Event filter with query "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 99" could not be reactivated in namespace "//./root/CIMV2" because of error 0x80041003. Events cannot be delivered through this filter until the problem is corrected.

Error: (12/19/2016 06:30:31 PM) (Source: Customer Experience Improvement Program) (EventID: 1008) (User: )
Description: A problem prevented Customer Experience Improvement Program data from being sent to Microsoft, (Error 80004005).

Error: (12/19/2016 05:38:36 PM) (Source: Customer Experience Improvement Program) (EventID: 1008) (User: )
Description: A problem prevented Customer Experience Improvement Program data from being sent to Microsoft, (Error 80004005).

Error: (12/19/2016 05:02:49 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: Event filter with query "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 99" could not be reactivated in namespace "//./root/CIMV2" because of error 0x80041003. Events cannot be delivered through this filter until the problem is corrected.

Error: (12/17/2016 01:01:24 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: Event filter with query "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 99" could not be reactivated in namespace "//./root/CIMV2" because of error 0x80041003. Events cannot be delivered through this filter until the problem is corrected.

Error: (12/17/2016 11:47:55 AM) (Source: Customer Experience Improvement Program) (EventID: 1008) (User: )
Description: A problem prevented Customer Experience Improvement Program data from being sent to Microsoft, (Error 80004005).

Error: (12/17/2016 11:20:59 AM) (Source: WinMgmt) (EventID: 10) (User: )
Description: Event filter with query "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 99" could not be reactivated in namespace "//./root/CIMV2" because of error 0x80041003. Events cannot be delivered through this filter until the problem is corrected.

Error: (12/14/2016 09:04:07 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: Event filter with query "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 99" could not be reactivated in namespace "//./root/CIMV2" because of error 0x80041003. Events cannot be delivered through this filter until the problem is corrected.

System errors:
=============
Error: (12/19/2016 10:33:33 PM) (Source: Service Control Manager) (EventID: 7031) (User: )
Description: The Windows Media Player Network Sharing Service service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 30000 milliseconds: Restart the service.

Error: (12/19/2016 10:33:33 PM) (Source: Service Control Manager) (EventID: 7031) (User: )
Description: The Windows Search service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 30000 milliseconds: Restart the service.

Error: (12/19/2016 10:33:32 PM) (Source: Service Control Manager) (EventID: 7031) (User: )
Description: The Print Spooler service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.

Error: (12/17/2016 11:40:46 AM) (Source: Microsoft Antimalware) (EventID: 2001) (User: )
Description: Event-ID 2001

Error: (12/17/2016 11:35:36 AM) (Source: Service Control Manager) (EventID: 7011) (User: )
Description: A timeout (30000 milliseconds) was reached while waiting for a transaction response from the eventlog service.

Error: (12/17/2016 11:34:36 AM) (Source: Service Control Manager) (EventID: 7011) (User: )
Description: A timeout (30000 milliseconds) was reached while waiting for a transaction response from the eventlog service.

Error: (12/17/2016 11:33:36 AM) (Source: Service Control Manager) (EventID: 7011) (User: )
Description: A timeout (30000 milliseconds) was reached while waiting for a transaction response from the eventlog service.

Error: (12/17/2016 11:32:36 AM) (Source: Service Control Manager) (EventID: 7011) (User: )
Description: A timeout (30000 milliseconds) was reached while waiting for a transaction response from the eventlog service.

Error: (12/17/2016 11:31:36 AM) (Source: Service Control Manager) (EventID: 7011) (User: )
Description: A timeout (30000 milliseconds) was reached while waiting for a transaction response from the eventlog service.

Error: (12/17/2016 11:30:36 AM) (Source: Service Control Manager) (EventID: 7011) (User: )
Description: A timeout (30000 milliseconds) was reached while waiting for a transaction response from the eventlog service.

==================== Memory info ===========================

Processor: Intel® Pentium® 4 CPU 2.80GHz
Percentage of memory in use: 53%
Total physical RAM: 2038.15 MB
Available physical RAM: 942.88 MB
Total Virtual: 4076.3 MB
Available Virtual: 2643.93 MB

==================== Drives ================================

Drive c: () (Fixed) (Total:74.43 GB) (Free:53.41 GB) NTFS
Drive f: () (Fixed) (Total:74.44 GB) (Free:74.35 GB) NTFS

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (MBR Code: Windows 7 or 8) (Size: 74.5 GB) (Disk ID: FC78FC78)
Partition 1: (Active) - (Size=100 MB) - (Type=07 NTFS)
Partition 2: (Not Active) - (Size=74.4 GB) - (Type=07 NTFS)

========================================================
Disk: 1 (MBR Code: Windows XP) (Size: 74.5 GB) (Disk ID: 41AB2316)
Partition 1: (Not Active) - (Size=55 MB) - (Type=DE)
Partition 2: (Active) - (Size=74.4 GB) - (Type=07 NTFS)

==================== End of Addition.txt ============================
Juliet Posted December 21, 2016

Please open Notepad (*Do Not Use Wordpad!* or any other text editor than Notepad, or the script will fail). (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the quote box below. To do this, highlight the contents of the box, right click on it and select copy. Paste this into the open notepad and save it to the Desktop as fixlist.txt.

NOTE. It's important that both files, FRST/FRST64 and fixlist.txt, are in the same location or the fix will not work. It needs to be saved next to the "Farbar Recovery Scan Tool" (if asked to overwrite the existing one, please allow).

start
CreateRestorePoint:
CloseProcesses:
C:\Users\Owner\AppData\Local\Temp\libeay32.dll
C:\Users\Owner\AppData\Local\Temp\msvcr120.dll
C:\Users\Owner\AppData\Local\Temp\sqlite3.dll
ShortcutWithArgument: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome.lnk -> C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (Google Inc.) -> "
ShortcutWithArgument: C:\Users\Public\Desktop\Google Chrome.lnk -> C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (Google Inc.) -> "
EmptyTemp:
Hosts:
End

Open FRST/FRST64 and press the > Fix < button just once and wait. If for some reason the tool needs a restart, please make sure you let the system restart normally. After that, let the tool complete its run. When finished, FRST will generate a log on the Desktop (Fixlog.txt). Please post it in your reply.
Juliet Posted December 21, 2016

I didn't see any residual references to safesearch toolbar.
me82 Posted December 21, 2016 (Author)

When I installed the adblocker it (Safesearch) went away from the homepage. From tomsguide.com it said to:

Press and hold Windows key and R (Win+R)
Copy and paste: %systemroot%\System32\GroupPolicy/Machine
Delete: Registry.pol
Restart the computer.

and this link https://www.techsupportall.com/how-to-remove-safesearch-net-homepage-removal-help/
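An added example, not from this thread and not part of any tool it mentions: a small parser for the Registry.pol file the tomsguide steps say to delete, so the browser policies it carries can be reviewed before the file is removed. It reads the PReg v1 record layout ([key;value;type;size;data], UTF-16LE); the sample file, its policy values and the URL are constructed.

```python
import struct
PREG_HEADER = b"PReg" + struct.pack("<I", 1)        # magic + version 1
REG_SZ, REG_DWORD = 1, 4
# Policy subkeys (under HKLM\SOFTWARE) that pin a browser's homepage/new tab; a browser "reset" leaves them alone.
BROWSER_POLICY_PREFIXES = ("software\\policies\\google\\chrome", "software\\policies\\mozilla\\firefox")

def _u16(text):
    return text.encode("utf-16-le")

def build_entry(key, value, rtype, data):
    # Encode one [key;value;type;size;data] record; used here only to construct the sample file.
    data = _u16(data + "\x00") if rtype == REG_SZ else struct.pack("<I", data)
    return (_u16("[") + _u16(key + "\x00") + _u16(";") + _u16(value + "\x00") + _u16(";")
            + struct.pack("<I", rtype) + _u16(";") + struct.pack("<I", len(data)) + _u16(";")
            + data + _u16("]"))

def _read_utf16z(buf, pos):
    """NUL-terminated UTF-16LE string at pos; step 2 bytes so the terminator check stays aligned."""
    end = pos
    while buf[end:end + 2] != b"\x00\x00":
        end += 2
    return buf[pos:end].decode("utf-16-le"), end + 2

def parse_registry_pol(data):
    """Return [(key, value_name, reg_type, decoded_data), ...] for every record in the file."""
    if data[:8] != PREG_HEADER:
        raise ValueError("not a version 1 PReg file")
    pos, entries = 8, []
    while pos < len(data):
        key, pos = _read_utf16z(data, pos + 2)                 # skip '['
        value, pos = _read_utf16z(data, pos + 2)               # skip ';'
        rtype, size = struct.unpack_from("<I2xI", data, pos + 2)   # ';' type ';' size
        pos += 14                                              # ';' type ';' size ';'
        raw, pos = data[pos:pos + size], pos + size + 2        # data, then ']'
        decoded = raw                                          # other types stay raw bytes
        if rtype == REG_SZ:
            decoded = raw.decode("utf-16-le").rstrip("\x00")
        elif rtype == REG_DWORD:
            decoded = struct.unpack("<I", raw)[0]
        entries.append((key, value, rtype, decoded))
    return entries

def browser_policies(entries):
    """Records under a browser policy key: the ones to review before deleting the file."""
    return [e for e in entries if e[0].lower().startswith(BROWSER_POLICY_PREFIXES)]

# Constructed sample: pins Chrome's homepage to a placeholder URL, plus one unrelated Windows policy.
SAMPLE_POL = (PREG_HEADER
              + build_entry("Software\\Policies\\Google\\Chrome", "HomepageLocation", REG_SZ, "http://example.invalid/search")
              + build_entry("Software\\Policies\\Google\\Chrome", "HomepageIsNewTabPage", REG_DWORD, 0)
              + build_entry("Software\\Policies\\Microsoft\\Windows\\System", "EnableSmartScreen", REG_DWORD, 1))
```

On a real machine, read %SystemRoot%\System32\GroupPolicy\Machine\Registry.pol into `parse_registry_pol` and print `browser_policies` of the result.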
me82 Posted December 21, 2016 (Author)

Fix result of Farbar Recovery Scan Tool (x64) Version: 17-12-2016
Ran by Owner (20-12-2016 21:20:52) Run:1
Running from C:\Users\Owner\Desktop
Loaded Profiles: Owner (Available Profiles: Owner)
Boot Mode: Normal
==============================================

fixlist content:
*****************
start
CreateRestorePoint:
CloseProcesses:
C:\Users\Owner\AppData\Local\Temp\libeay32.dll
C:\Users\Owner\AppData\Local\Temp\msvcr120.dll
C:\Users\Owner\AppData\Local\Temp\sqlite3.dll
ShortcutWithArgument: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome.lnk -> C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (Google Inc.) -> "
ShortcutWithArgument: C:\Users\Public\Desktop\Google Chrome.lnk -> C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (Google Inc.) -> "
EmptyTemp:
Hosts:
End
*****************

Restore point was successfully created.
Processes closed successfully.
C:\Users\Owner\AppData\Local\Temp\libeay32.dll => moved successfully
C:\Users\Owner\AppData\Local\Temp\msvcr120.dll => moved successfully
C:\Users\Owner\AppData\Local\Temp\sqlite3.dll => moved successfully
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome.lnk => Shortcut argument removed successfully.
C:\Users\Public\Desktop\Google Chrome.lnk => Shortcut argument removed successfully.
C:\Windows\System32\Drivers\etc\hosts => moved successfully
Hosts restored successfully.

=========== EmptyTemp: ==========

BITS transfer queue => 8388608 B
DOMStore, IE Recovery, AppCache, Feeds Cache, Thumbcache, IconCache => 6407355 B
Java, Flash, Steam htmlcache => 456 B
Windows/system/drivers => 812787576 B
Edge => 0 B
Chrome => 386651845 B
Firefox => 204182951 B
Opera => 0 B

Temp, IE cache, history, cookies, recent:
Users => 0 B
Default => 0 B
Public => 0 B
ProgramData => 0 B
me82 Posted December 21, 2016 (Author)

What about my browsers not opening normally after I run a scan in Malwarebytes? Do I have to disable Malwarebytes first, then open my browser?
Juliet Posted December 21, 2016

Download Zemana AntiMalware:
open the program and without changing any options, press Scan
after the scan is finished, if threats are detected press Next to remove them
Note: If restart is required to finish the cleaning process, you should click Reboot. If reboot isn't required, please restart your computer manually.
open Zemana AntiMalware again and locate the latest report
please paste the contents into your reply.

========================

Open Chrome
1- Type about:config in URL and Enter
2- Find: browser.newtab.url
3- Change it to: about:newtab
close chrome, open the browser again and see if this corrects.
me82 Posted December 21, 2016 (Author)

My browsers are fine now, it's just the new Malwarebytes. When I did 2 scans a couple of days ago and deleted what it found, restarted the computer, and opened the browser, it showed the index file, and then after resetting the browsers it shows normal.
me82 Posted December 21, 2016 (Author)

I will hold off on doing the Zemana AntiMalware.
Juliet Posted December 21, 2016

That's OK. They do have a dedicated forum for Malwarebytes 3.0: "Have questions or problems with Malwarebytes 3.0 (previously known as Malwarebytes Anti-Malware)? Post them here." https://forums.malwarebytes.com/forum/41-malwarebytes-30/
me82 Posted December 22, 2016 (Author)

OK, I see where there is a patch for some of the issues with Malwarebytes.
Juliet Posted December 22, 2016

DelFix

Please download DelFix or from Here and save the file to your Desktop.
Double-click DelFix.exe to run the programme.
Place a checkmark next to the following items:
Activate UAC
Remove disinfection tools
Click the Run button.
-- This will remove the specialized tools we used to disinfect your system. Any leftover logs, files, folders or tools remaining on your Desktop which were not removed can be deleted manually (right-click the file + delete).
Juliet Posted December 26, 2016

Glad we could help. Since this issue appears resolved ... this Topic is closed.