Windows Update downloaded virus

[gib88]

Hello,

I recently incurred a virus from a Windows Update--that's right, a Windows Update.

I have Windows 10 and the other day it downloaded a bunch of updates and asked me to schedule a restart. I accepted the suggested time, and when that time came, it did a reboot. When it rebooted, everything seemed fine until I went to surf the internet in Chrome. I went directly to my usual website (a trusted and innocuous discussion forum, not unlike this one) and all of a sudden, new tabs started opening up, advertizements filled the browsers, warnings about being infected, etc. I quickly killed the power and booted again. This time I tried in a different browser (Firefox) and the same thing happened. Then I tried rebooting in safe mode with networking, opened IE and the same thing happened there (different website this time).

It seems like after the Windows Update, all my browsers have been hijacked, even in safe mode.

Anyway, I'd like to request some guidance with this. I'm going to try my usual method of removing viruses:

* Run rkill.
* Run MalwareBytes.
* Run Herd Protect.
* Run AdwCleaner.
* Run SuperAntiSpyware.

I always download the latest versions of these before running them.

Some assistance while I do this would be very much appreciated. Thanks.

 

[Celegorm]

I doubt it was windows update that gave it to you - likely just bad timing or a virus that needed restart to change settings while they were not in use. And even trusted sites can get hijacked, or contain bad adds (CNN got hit with virus downloading adds a while back) and then there's always the drive-by downloads. Set the virus installer to install on system start and boom - you're infected.

What you'll likely need to do in your browsers is reset all settings to default. I'd do it manually to ensure nothing remains like over-ridden search providers or anything like that.

Being that you have posted here I'm assuming you have access to another PC. Download ComboFix, throw it on a flash drive then run it on the infected PC. Don't mind the link below - The network I"m on now blocks bleepingcomputer.com so I had to copy the link from the google search. It should still take you to the right place.

https://www.google.com/url?sa=t&rct...WIyTdKJ2RGsRSPpb1MsG-w&bvm=bv.117218890,d.eWE

 

[Technician1]

The virus you got was already in the system and the update woke it up.

 

[gib88]

Thanks both for the responses.

I ran the anti-malware programs I said I'd run in the OP and the virus seems to be gone now.

However, I think Herd Protect deleted an important dll that it wasn't supposed to. When I start Windows, I get this error message:

RAVCp164.exe - System Error

The program can't start because C:\WINDOWS\WinSxS\amd64_microsoft.windows\gdiplus_6595b64144ccf1df_1.1.1058620_none_db007f1392e69ef4\gdiplus.dll is missing from your computer. Try reinstalling the program to fix this problem.

The only applications that don't seem to be working are Herd Protect and MS Paint. When I double-click on these, the mouse cursor spins for a bit then nothing happens. They don't start, in other words. Other programs may be effected in the same way, but I haven't encountered any.

In any case, I'm going to post the logs one at a time in separate posts since this site doesn't seem to allow me to post more than 20,000 characters in one post.

Please have a look at them and let me know if you still think I should run combofix.

---------- Post added at 11:20 PM ---------- Previous post was at 11:19 PM ----------

rkill:

Rkill 2.8.3 by Lawrence Abrams (Grinler)
http://www.bleepingcomputer.com/
Copyright 2008-2016 BleepingComputer.com
More Information about Rkill can be found at this link:
 http://www.bleepingcomputer.com/forums/topic308364.html

Program started at: 03/17/2016 05:07:33 PM in x64 mode.
Windows Version: Windows 10 Home 

Checking for Windows services to stop:

 * No malware services found to stop.

Checking for processes to terminate:

 * No malware processes found to kill.

Checking Registry for malware related settings:

 * No issues found in the Registry.

Resetting .EXE, .COM, & .BAT associations in the Windows Registry.

Performing miscellaneous checks:

 * No issues found.

Checking Windows Service Integrity: 

 * HdAudAddService [Missing Service]
 * HyperVideo [Missing Service]
 * netvsc [Missing Service]
 * wfpcapture [Missing Service]

 * CompositeBus => \SystemRoot\System32\DriverStore\FileRepository\compositebus.inf_amd64_912dfdedc3d2f520\CompositeBus.sys [Incorrect ImagePath]
 * NgcSvc => %SystemRoot%\system32\svchost.exe -k LocalSystemNetworkRestricted [Incorrect ImagePath]
 * swenum => \SystemRoot\System32\drivers\swenum.sys [Incorrect ImagePath]

Searching for Missing Digital Signatures: 

 * No issues found.

Checking HOSTS File: 

 * HOSTS file entries found: 

  0.0.0.1    mssplus.mcafee.com

Program finished at: 03/17/2016 05:09:25 PM
Execution time: 0 hours(s), 1 minute(s), and 52 seconds(s)

---------- Post added at 11:20 PM ---------- Previous post was at 11:20 PM ----------

MBAM Protection:

Malwarebytes Anti-Malware
www.malwarebytes.org


Protection, 2016-03-17 5:11 PM, SYSTEM, GIBRANSCOMPUTER, Protection, Malware Protection, Starting, 
Protection, 2016-03-17 5:11 PM, SYSTEM, GIBRANSCOMPUTER, Protection, Malware Protection, Started, 
Protection, 2016-03-17 5:11 PM, SYSTEM, GIBRANSCOMPUTER, Protection, Malicious Website Protection, Starting, 
Protection, 2016-03-17 5:11 PM, SYSTEM, GIBRANSCOMPUTER, Protection, Malicious Website Protection, Started, 
Update, 2016-03-17 5:13 PM, SYSTEM, GIBRANSCOMPUTER, Manual, Remediation Database, 2015.9.16.1, 2016.3.10.1, 
Update, 2016-03-17 5:13 PM, SYSTEM, GIBRANSCOMPUTER, Manual, Rootkit Database, 2015.9.18.1, 2016.3.12.1, 
Update, 2016-03-17 5:13 PM, SYSTEM, GIBRANSCOMPUTER, Manual, IP Database, 2015.9.21.2, 2016.3.17.1, 
Update, 2016-03-17 5:13 PM, SYSTEM, GIBRANSCOMPUTER, Manual, Domain Database, 2015.9.22.3, 2016.3.17.6, 
Update, 2016-03-17 5:13 PM, SYSTEM, GIBRANSCOMPUTER, Manual, Malware Database, 2015.9.22.5, 2016.3.17.5, 
Protection, 2016-03-17 5:13 PM, SYSTEM, GIBRANSCOMPUTER, Protection, Refresh, Starting, 
Protection, 2016-03-17 5:13 PM, SYSTEM, GIBRANSCOMPUTER, Protection, Malicious Website Protection, Stopping, 
Protection, 2016-03-17 5:13 PM, SYSTEM, GIBRANSCOMPUTER, Protection, Malicious Website Protection, Stopped, 
Protection, 2016-03-17 5:13 PM, SYSTEM, GIBRANSCOMPUTER, Protection, Refresh, Success, 
Protection, 2016-03-17 5:13 PM, SYSTEM, GIBRANSCOMPUTER, Protection, Malicious Website Protection, Starting, 
Protection, 2016-03-17 5:13 PM, SYSTEM, GIBRANSCOMPUTER, Protection, Malicious Website Protection, Started, 
Detection, 2016-03-17 5:30 PM, SYSTEM, GIBRANSCOMPUTER, Protection, Malware Protection, File, Adware.CloudGuard, C:\Program Files (x86)\DNS Unlocker\dnslockington.exe, Quarantine Failed, 5, Access is denied.  , [0acfb5d3f1a8e254181342a550b17789]
Detection, 2016-03-17 5:37 PM, SYSTEM, GIBRANSCOMPUTER, Protection, Malware Protection, File, Adware.CloudGuard, C:\Program Files (x86)\DNS Unlocker\dnslockington.exe, Quarantine Failed, 5, Access is denied.  , [0acfb5d3f1a8e254181342a550b17789]
Scan, 2016-03-17 5:44 PM, SYSTEM, GIBRANSCOMPUTER, Manual, Start:2016-03-17 5:14 PM, Duration:22 min 14 sec, Threat Scan, Completed, 6 Malware Detections, 71 Non-Malware Detections, 
Protection, 2016-03-17 5:46 PM, SYSTEM, GIBRANSCOMPUTER, Protection, Malware Protection, Starting, 
Protection, 2016-03-17 5:46 PM, SYSTEM, GIBRANSCOMPUTER, Protection, Malware Protection, Started, 
Protection, 2016-03-17 5:46 PM, SYSTEM, GIBRANSCOMPUTER, Protection, Malicious Website Protection, Starting, 
Protection, 2016-03-17 5:46 PM, SYSTEM, GIBRANSCOMPUTER, Protection, Malicious Website Protection, Started, 
Detection, 2016-03-17 5:48 PM, SYSTEM, GIBRANSCOMPUTER, Protection, Malicious Website Protection, Domain, 185.17.184.11, heato.info, 49750, Outbound, C:\Windows\System32\svchost.exe, 
Detection, 2016-03-17 5:48 PM, SYSTEM, GIBRANSCOMPUTER, Protection, Malicious Website Protection, Domain, 185.17.184.11, heato.info, 49750, Outbound, C:\Windows\System32\svchost.exe, 
Detection, 2016-03-17 5:48 PM, SYSTEM, GIBRANSCOMPUTER, Protection, Malicious Website Protection, Domain, 185.17.184.11, dynarunner.info, 49751, Outbound, C:\Windows\System32\svchost.exe, 
Detection, 2016-03-17 5:48 PM, SYSTEM, GIBRANSCOMPUTER, Protection, Malicious Website Protection, Domain, 185.17.184.11, dynarunner.info, 49751, Outbound, C:\Windows\System32\svchost.exe, 
Detection, 2016-03-17 5:48 PM, SYSTEM, GIBRANSCOMPUTER, Protection, Malicious Website Protection, Domain, 185.17.184.11, kamaker.info, 49752, Outbound, C:\Windows\System32\svchost.exe, 
Detection, 2016-03-17 5:48 PM, SYSTEM, GIBRANSCOMPUTER, Protection, Malicious Website Protection, Domain, 185.17.184.11, kamaker.info, 49752, Outbound, C:\Windows\System32\svchost.exe, 
Detection, 2016-03-17 5:48 PM, SYSTEM, GIBRANSCOMPUTER, Protection, Malicious Website Protection, Domain, 185.17.184.11, listcool.net, 49753, Outbound, C:\Windows\System32\svchost.exe, 
Detection, 2016-03-17 5:48 PM, SYSTEM, GIBRANSCOMPUTER, Protection, Malicious Website Protection, Domain, 185.17.184.11, listcool.net, 49753, Outbound, C:\Windows\System32\svchost.exe, 

(end)

---------- Post added at 11:22 PM ---------- Previous post was at 11:20 PM ----------

MBAM Log (part 1):

Malwarebytes Anti-Malware
www.malwarebytes.org

Scan Date: 2016-03-17
Scan Time: 5:14 PM
Logfile: mbam.log
Administrator: Yes

Version: 2.2.0.1024
Malware Database: v2016.03.17.05
Rootkit Database: v2016.03.12.01
License: Trial
Malware Protection: Enabled
Malicious Website Protection: Enabled
Self-protection: Disabled

OS: Windows 10
CPU: x64
File System: NTFS
User: Gibran

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 417433
Time Elapsed: 22 min, 14 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled

Processes: 2
Adware.CloudGuard, C:\Program Files (x86)\DNS Unlocker\dnslockington.exe, 5840, Delete-on-Reboot, [79609eea9009ab8b3af135b2a45d1be5]
PUP.Optional.DNSUnlocker.BrwsrFlsh, C:\Program Files (x86)\DNS Unlocker\dnslockington.exe, 5840, Delete-on-Reboot, [8c4dc8c04e4bb77fb5d1776f35cd5aa6]

Modules: 0
(No malicious items detected)

Registry Keys: 13
PUP.Optional.CloudScout, HKLM\SOFTWARE\5da059a482fd494db3f252126fbc3d5b, Quarantined, [bd1c6d1bafea9c9a5d39a9989d671ee2], 
PUP.Optional.WinYahoo, HKLM\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES\{2F23AB71-4AC6-41F2-A955-EA576E553146}, Quarantined, [c514ccbc0d8cd85eebad9fdb9470b64a], 
PUP.Optional.DNSUnlocker, HKLM\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\ROOT\CERTIFICATES\26D9E607FFF0C58C7844B47FF8B6E079E5A2220E, Quarantined, [f4e50385782170c6da9356291be95aa6], 
PUP.Optional.DNSUnlocker.EncJob, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TASKS\{1C06E962-A7F9-4A4C-AD35-E887C3F8E706}, Quarantined, [9445b3d52e6b191dff59ddace81c1de3], 
PUP.Optional.ClousdScout.BrwsrFlsh, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TREE\DNSLOCKINGTON, Quarantined, [20b9d0b8e0b9f0464cb50f143bc806fa], 
PUP.Optional.DNSUnlocker.BrwsrFlsh, HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\{E1527582-8509-4011-B922-29E3FB548882}_is1, Quarantined, [45949eea2376ce6829892c5e7f859868], 
PUP.Optional.CloudScout, HKLM\SOFTWARE\WOW6432NODE\5da059a482fd494db3f252126fbc3d5b, Quarantined, [7762fb8d643566d0851169d864a09a66], 
PUP.Optional.DNSUnlocker, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\SYSTEMCERTIFICATES\ROOT\CERTIFICATES\26D9E607FFF0C58C7844B47FF8B6E079E5A2220E, Quarantined, [58811573128788aee08d1c6338cce020], 
PUP.Optional.DNSUnlocker.BrwsrFlsh, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\{E1527582-8509-4011-B922-29E3FB548882}_is1, Quarantined, [d009592fcfca92a446b1afdaa95b56aa], 
PUP.Optional.DNSUnlocker.EncJob, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\{ACEF5720}, Quarantined, [67728ff9dbbe00362e12a3e8bd47d32d], 
PUP.Optional.DriverRestore, HKU\S-1-5-21-3477161291-1190242396-1957653652-1001\SOFTWARE\DRIVERRESTORE, Quarantined, [20b9d7b1f3a6270fdec5048acd373ac6], 
PUP.Optional.WinYahoo, HKU\S-1-5-21-3477161291-1190242396-1957653652-1001\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES\{2F23AB71-4AC6-41F2-A955-EA576E553146}, Quarantined, [45941672f7a2280e4d4ae199b450ee12], 
PUP.Optional.ProductSetup, HKU\S-1-5-21-3477161291-1190242396-1957653652-1001\SOFTWARE\PRODUCTSETUP, Quarantined, [a5341b6dc4d5b5811c6d7ea6f0149868], 

Registry Values: 11
PUP.Optional.WinYahoo, HKLM\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES\{2f23ab71-4ac6-41f2-a955-ea576e553146}|URL, https://ca.search.yahoo.com/yhs/search?hspart=iry&hsimp=yhs-fullyhosted_003&type=wbf_freaudedtr_16_06&param1=1&param2=f[c514ccbc0d8cd85eebad9fdb9470b64a]D4%26b[c514ccbc0d8cd85eebad9fdb9470b64a]DIE%26cc[c514ccbc0d8cd85eebad9fdb9470b64a]Dca%26pa[c514ccbc0d8cd85eebad9fdb9470b64a]DWincy%26cd[c514ccbc0d8cd85eebad9fdb9470b64a]D2XzuyEtN2Y1L1Qzu0FyEtDyCyCzytD0AtDyEtBtDtBtCzytCtN0D0Tzu0StCyDtDtDtN1L2XzutAtFtCzztFtDtFyDtN1L1Czu1StN1L1G1B1V1N2Y1L1Qzu2StAyC0F0CtA0E0EtCtGyEyD0FyCtGtC0D0BtCtGtCzz0EtBtGyE0B0CyByEyD0B0AyDzz0EyD2QtN1M1F1B2Z1V1N2Y1L1Qzu2SyEyEyEzz0D0EyE0DtGyC0CyCyBtGyE0AtDzztG0B0AyCtCtGtC0FyBtBtB0E0BtB0B0DtAzz2QtN0A0LzuyE%26cr[c514ccbc0d8cd85eebad9fdb9470b64a]D1893034082%26a[c514ccbc0d8cd85eebad9fdb9470b64a]Dwbf_freaudedtr_16_06%26os_ver[c514ccbc0d8cd85eebad9fdb9470b64a]D10.0%26os[c514ccbc0d8cd85eebad9fdb9470b64a]DWindowsQuarantinedB10QuarantinedBHome&p={searchTerms}, %4, %5
PUP.Optional.WinYahoo, HKLM\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES\{2f23ab71-4ac6-41f2-a955-ea576e553146}|TopResultURLFallback, https://ca.search.yahoo.com/yhs/search?hspart=iry&hsimp=yhs-fullyhosted_003&type=wbf_freaudedtr_16_06&param1=1&param2=f[1dbcf692d9c083b322762e4cd62e926e]D4%26b[1dbcf692d9c083b322762e4cd62e926e]DIE%26cc[1dbcf692d9c083b322762e4cd62e926e]Dca%26pa[1dbcf692d9c083b322762e4cd62e926e]DWincy%26cd[1dbcf692d9c083b322762e4cd62e926e]D2XzuyEtN2Y1L1Qzu0FyEtDyCyCzytD0AtDyEtBtDtBtCzytCtN0D0Tzu0StCyDtDtDtN1L2XzutAtFtCzztFtDtFyDtN1L1Czu1StN1L1G1B1V1N2Y1L1Qzu2StAyC0F0CtA0E0EtCtGyEyD0FyCtGtC0D0BtCtGtCzz0EtBtGyE0B0CyByEyD0B0AyDzz0EyD2QtN1M1F1B2Z1V1N2Y1L1Qzu2SyEyEyEzz0D0EyE0DtGyC0CyCyBtGyE0AtDzztG0B0AyCtCtGtC0FyBtBtB0E0BtB0B0DtAzz2QtN0A0LzuyE%26cr[1dbcf692d9c083b322762e4cd62e926e]D1893034082%26a[1dbcf692d9c083b322762e4cd62e926e]Dwbf_freaudedtr_16_06%26os_ver[1dbcf692d9c083b322762e4cd62e926e]D10.0%26os[1dbcf692d9c083b322762e4cd62e926e]DWindowsQuarantinedB10QuarantinedBHome&p={searchTerms}, %4, %5

 

[gib88]

MBAM Log (part 2)

PUP.Optional.DNSUnlocker.EncJob, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TASKS\{1C06E962-A7F9-4A4C-AD35-E887C3F8E706}|Path, \DNSLOCKINGTON, Quarantined, [9445b3d52e6b191dff59ddace81c1de3]
PUP.Optional.DNSUnlocker.EncJob, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\{acef5720}|1, 1458181385, Quarantined, [67728ff9dbbe00362e12a3e8bd47d32d]
Trojan.DNSChanger.DNSRst, HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\TCPIP\PARAMETERS\INTERFACES\{083979f0-93d9-4da1-8457-114ff1ea3703}|NameServer, 82.163.142.7 95.211.158.134, Quarantined, [d009028683165adc3f424d347391fb05]
Trojan.DNSChanger.DNSRst, HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\TCPIP\PARAMETERS\INTERFACES\{2bbc5fca-b1f0-4322-900f-103f768f68cc}|NameServer, 82.163.142.7 95.211.158.134, Quarantined, [a534a5e3c1d8b48228593a4750b42ad6]
Trojan.DNSChanger.DNSRst, HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\TCPIP\PARAMETERS\INTERFACES\{4cd92844-59cc-4603-9a79-2ccc04e4289b}|NameServer, 82.163.142.7 95.211.158.134, Quarantined, [74652d5bd6c352e4542da1e023e142be]
PUP.Optional.DriverRestore, HKU\S-1-5-21-3477161291-1190242396-1957653652-1001\SOFTWARE\DRIVERRESTORE|FirstScanDateTime, 2016-02-09T20:18:10.6892223-07:00, Quarantined, [20b9d7b1f3a6270fdec5048acd373ac6]
PUP.Optional.WinYahoo, HKU\S-1-5-21-3477161291-1190242396-1957653652-1001\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES\{2f23ab71-4ac6-41f2-a955-ea576e553146}|URL, https://ca.search.yahoo.com/yhs/search?hspart=iry&hsimp=yhs-fullyhosted_003&type=wbf_freaudedtr_16_06&param1=1&param2=f[45941672f7a2280e4d4ae199b450ee12]D4%26b[45941672f7a2280e4d4ae199b450ee12]DIE%26cc[45941672f7a2280e4d4ae199b450ee12]Dca%26pa[45941672f7a2280e4d4ae199b450ee12]DWincy%26cd[45941672f7a2280e4d4ae199b450ee12]D2XzuyEtN2Y1L1Qzu0FyEtDyCyCzytD0AtDyEtBtDtBtCzytCtN0D0Tzu0StCyDtDtDtN1L2XzutAtFtCzztFtDtFyDtN1L1Czu1StN1L1G1B1V1N2Y1L1Qzu2StAyC0F0CtA0E0EtCtGyEyD0FyCtGtC0D0BtCtGtCzz0EtBtGyE0B0CyByEyD0B0AyDzz0EyD2QtN1M1F1B2Z1V1N2Y1L1Qzu2SyEyEyEzz0D0EyE0DtGyC0CyCyBtGyE0AtDzztG0B0AyCtCtGtC0FyBtBtB0E0BtB0B0DtAzz2QtN0A0LzuyE%26cr[45941672f7a2280e4d4ae199b450ee12]D1893034082%26a[45941672f7a2280e4d4ae199b450ee12]Dwbf_freaudedtr_16_06%26os_ver[45941672f7a2280e4d4ae199b450ee12]D10.0%26os[45941672f7a2280e4d4ae199b450ee12]DWindowsQuarantinedB10QuarantinedBHome&p={searchTerms}, %4, %5
PUP.Optional.WinYahoo, HKU\S-1-5-21-3477161291-1190242396-1957653652-1001\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES\{2f23ab71-4ac6-41f2-a955-ea576e553146}|TopResultURLFallback, https://ca.search.yahoo.com/yhs/search?hspart=iry&hsimp=yhs-fullyhosted_003&type=wbf_freaudedtr_16_06&param1=1&param2=f[38a12a5eb9e0c86e890e2456e024a15f]D4%26b[38a12a5eb9e0c86e890e2456e024a15f]DIE%26cc[38a12a5eb9e0c86e890e2456e024a15f]Dca%26pa[38a12a5eb9e0c86e890e2456e024a15f]DWincy%26cd[38a12a5eb9e0c86e890e2456e024a15f]D2XzuyEtN2Y1L1Qzu0FyEtDyCyCzytD0AtDyEtBtDtBtCzytCtN0D0Tzu0StCyDtDtDtN1L2XzutAtFtCzztFtDtFyDtN1L1Czu1StN1L1G1B1V1N2Y1L1Qzu2StAyC0F0CtA0E0EtCtGyEyD0FyCtGtC0D0BtCtGtCzz0EtBtGyE0B0CyByEyD0B0AyDzz0EyD2QtN1M1F1B2Z1V1N2Y1L1Qzu2SyEyEyEzz0D0EyE0DtGyC0CyCyBtGyE0AtDzztG0B0AyCtCtGtC0FyBtBtB0E0BtB0B0DtAzz2QtN0A0LzuyE%26cr[38a12a5eb9e0c86e890e2456e024a15f]D1893034082%26a[38a12a5eb9e0c86e890e2456e024a15f]Dwbf_freaudedtr_16_06%26os_ver[38a12a5eb9e0c86e890e2456e024a15f]D10.0%26os[38a12a5eb9e0c86e890e2456e024a15f]DWindowsQuarantinedB10QuarantinedBHome&p={searchTerms}, %4, %5
PUP.Optional.ProductSetup, HKU\S-1-5-21-3477161291-1190242396-1957653652-1001\SOFTWARE\PRODUCTSETUP|tb, 0J1M1N0T2R2Y2X1S1M0E1R, Quarantined, [a5341b6dc4d5b5811c6d7ea6f0149868]

Registry Data: 4
PUP.Optional.WinYahoo, HKLM\SOFTWARE\MICROSOFT\INTERNET EXPLORER\MAIN|Start Page, https://ca.search.yahoo.com/yhs/web?hspart=iry&hsimp=yhs-fullyhosted_003&type=wbf_freaudedtr_16_06&param1=1&param2=fBad: (https://ca.search.yahoo.com/yhs/web?hspart=iry&hsimp=yhs-fullyhosted_003&type=wbf_freaudedtr_16_06&param1=1&param2=f%3D1%26b%3DIE%26cc%3Dca%26pa%3DWincy%26cd%3D2XzuyEtN2Y1L1Qzu0FyEtDyCyCzytD0AtDyEtBtDtBtCzytCtN0D0Tzu0StCyDtDtDtN1L2XzutAtFtCzztFtDtFyDtN1L1Czu1StN1L1G1B1V1N2Y1L1Qzu2StAyC0F0CtA0E0EtCtGyEyD0FyCtGtC0D0BtCtGtCzz0EtBtGyE0B0CyByEyD0B0AyDzz0EyD2QtN1M1F1B2Z1V1N2Y1L1Qzu2SyEyEyEzz0D0EyE0DtGyC0CyCyBtGyE0AtDzztG0B0AyCtCtGtC0FyBtBtB0E0BtB0B0DtAzz2QtN0A0LzuyE%26cr%3D1893034082%26a%3Dwbf_freaudedtr_16_06%26os_ver%3D10.0%26os%3DWindows%2B10%2BHome),Replaced,[f7e298f03c5d42f4185b908e39cc13ed]D1%26bBad: (https://ca.search.yahoo.com/yhs/web?hspart=iry&hsimp=yhs-fullyhosted_003&type=wbf_freaudedtr_16_06&param1=1&param2=f%3D1%26b%3DIE%26cc%3Dca%26pa%3DWincy%26cd%3D2XzuyEtN2Y1L1Qzu0FyEtDyCyCzytD0AtDyEtBtDtBtCzytCtN0D0Tzu0StCyDtDtDtN1L2XzutAtFtCzztFtDtFyDtN1L1Czu1StN1L1G1B1V1N2Y1L1Qzu2StAyC0F0CtA0E0EtCtGyEyD0FyCtGtC0D0BtCtGtCzz0EtBtGyE0B0CyByEyD0B0AyDzz0EyD2QtN1M1F1B2Z1V1N2Y1L1Qzu2SyEyEyEzz0D0EyE0DtGyC0CyCyBtGyE0AtDzztG0B0AyCtCtGtC0FyBtBtB0E0BtB0B0DtAzz2QtN0A0LzuyE%26cr%3D1893034082%26a%3Dwbf_freaudedtr_16_06%26os_ver%3D10.0%26os%3DWindows%2B10%2BHome),Replaced,[f7e298f03c5d42f4185b908e39cc13ed]DIE%26ccBad: (https://ca.search.yahoo.com/yhs/web?hspart=iry&hsimp=yhs-fullyhosted_003&type=wbf_freaudedtr_16_06&param1=1&param2=f%3D1%26b%3DIE%26cc%3Dca%26pa%3DWincy%26cd%3D2XzuyEtN2Y1L1Qzu0FyEtDyCyCzytD0AtDyEtBtDtBtCzytCtN0D0Tzu0StCyDtDtDtN1L2XzutAtFtCzztFtDtFyDtN1L1Czu1StN1L1G1B1V1N2Y1L1Qzu2StAyC0F0CtA0E0EtCtGyEyD0FyCtGtC0D0BtCtGtCzz0EtBtGyE0B0CyByEyD0B0AyDzz0EyD2QtN1M1F1B2Z1V1N2Y1L1Qzu2SyEyEyEzz0D0EyE0DtGyC0CyCyBtGyE0AtDzztG0B0AyCtCtGtC0FyBtBtB0E0BtB0B0DtAzz2QtN0A0LzuyE%26cr%3D1893034082%26a%3Dwbf_freaudedtr_16_06%26os_ver%3D10.0%26os%3DWindows%2B10%2BHome),Replaced,[f7e298f03c5d42f4185b908e39cc13ed]Dca%26paBad: (https://ca.search.yahoo.com/yhs/web?hspart=iry&hsimp=yhs-fullyhosted_003&type=wbf_freaudedtr_16_06&param1=1&param2=f%3D1%26b%3DIE%26cc%3Dca%26pa%3DWincy%26cd%3D2XzuyEtN2Y1L1Qzu0FyEtDyCyCzytD0AtDyEtBtDtBtCzytCtN0D0Tzu0StCyDtDtDtN1L2XzutAtFtCzztFtDtFyDtN1L1Czu1StN1L1G1B1V1N2Y1L1Qzu2StAyC0F0CtA0E0EtCtGyEyD0FyCtGtC0D0BtCtGtCzz0EtBtGyE0B0CyByEyD0B0AyDzz0EyD2QtN1M1F1B2Z1V1N2Y1L1Qzu2SyEyEyEzz0D0EyE0DtGyC0CyCyBtGyE0AtDzztG0B0AyCtCtGtC0FyBtBtB0E0BtB0B0DtAzz2QtN0A0LzuyE%26cr%3D1893034082%26a%3Dwbf_freaudedtr_16_06%26os_ver%3D10.0%26os%3DWindows%2B10%2BHome),Replaced,[f7e298f03c5d42f4185b908e39cc13ed]DWincy%26cdBad: (https://ca.search.yahoo.com/yhs/web?hspart=iry&hsimp=yhs-fullyhosted_003&type=wbf_freaudedtr_16_06&param1=1&param2=f%3D1%26b%3DIE%26cc%3Dca%26pa%3DWincy%26cd%3D2XzuyEtN2Y1L1Qzu0FyEtDyCyCzytD0AtDyEtBtDtBtCzytCtN0D0Tzu0StCyDtDtDtN1L2XzutAtFtCzztFtDtFyDtN1L1Czu1StN1L1G1B1V1N2Y1L1Qzu2StAyC0F0CtA0E0EtCtGyEyD0FyCtGtC0D0BtCtGtCzz0EtBtGyE0B0CyByEyD0B0AyDzz0EyD2QtN1M1F1B2Z1V1N2Y1L1Qzu2SyEyEyEzz0D0EyE0DtGyC0CyCyBtGyE0AtDzztG0B0AyCtCtGtC0FyBtBtB0E0BtB0B0DtAzz2QtN0A0LzuyE%26cr%3D1893034082%26a%3Dwbf_freaudedtr_16_06%26os_ver%3D10.0%26os%3DWindows%2B10%2BHome),Replaced,[f7e298f03c5d42f4185b908e39cc13ed]D2XzuyEtN2Y1L1Qzu0FyEtDyCyCzytD0AtDyEtBtDtBtCzytCtN0D0Tzu0StCyDtDtDtN1L2XzutAtFtCzztFtDtFyDtN1L1Czu1StN1L1G1B1V1N2Y1L1Qzu2StAyC0F0CtA0E0EtCtGyEyD0FyCtGtC0D0BtCtGtCzz0EtBtGyE0B0CyByEyD0B0AyDzz0EyD2QtN1M1F1B2Z1V1N2Y1L1Qzu2SyEyEyEzz0D0EyE0DtGyC0CyCyBtGyE0AtDzztG0B0AyCtCtGtC0FyBtBtB0E0BtB0B0DtAzz2QtN0A0LzuyE%26crBad: (https://ca.search.yahoo.com/yhs/web?hspart=iry&hsimp=yhs-fullyhosted_003&type=wbf_freaudedtr_16_06&param1=1&param2=f%3D1%26b%3DIE%26cc%3Dca%26pa%3DWincy%26cd%3D2XzuyEtN2Y1L1Qzu0FyEtDyCyCzytD0AtDyEtBtDtBtCzytCtN0D0Tzu0StCyDtDtDtN1L2XzutAtFtCzztFtDtFyDtN1L1Czu1StN1L1G1B1V1N2Y1L1Qzu2StAyC0F0CtA0E0EtCtGyEyD0FyCtGtC0D0BtCtGtCzz0EtBtGyE0B0CyByEyD0B0AyDzz0EyD2QtN1M1F1B2Z1V1N2Y1L1Qzu2SyEyEyEzz0D0EyE0DtGyC0CyCyBtGyE0AtDzztG0B0AyCtCtGtC0FyBtBtB0E0BtB0B0DtAzz2QtN0A0LzuyE%26cr%3D1893034082%26a%3Dwbf_freaudedtr_16_06%26os_ver%3D10.0%26os%3DWindows%2B10%2BHome),Replaced,[f7e298f03c5d42f4185b908e39cc13ed]D1893034082%26aBad: (https://ca.search.yahoo.com/yhs/web?hspart=iry&hsimp=yhs-fullyhosted_003&type=wbf_freaudedtr_16_06&param1=1&param2=f%3D1%26b%3DIE%26cc%3Dca%26pa%3DWincy%26cd%3D2XzuyEtN2Y1L1Qzu0FyEtDyCyCzytD0AtDyEtBtDtBtCzytCtN0D0Tzu0StCyDtDtDtN1L2XzutAtFtCzztFtDtFyDtN1L1Czu1StN1L1G1B1V1N2Y1L1Qzu2StAyC0F0CtA0E0EtCtGyEyD0FyCtGtC0D0BtCtGtCzz0EtBtGyE0B0CyByEyD0B0AyDzz0EyD2QtN1M1F1B2Z1V1N2Y1L1Qzu2SyEyEyEzz0D0EyE0DtGyC0CyCyBtGyE0AtDzztG0B0AyCtCtGtC0FyBtBtB0E0BtB0B0DtAzz2QtN0A0LzuyE%26cr%3D1893034082%26a%3Dwbf_freaudedtr_16_06%26os_ver%3D10.0%26os%3DWindows%2B10%2BHome),Replaced,[f7e298f03c5d42f4185b908e39cc13ed]Dwbf_freaudedtr_16_06%26os_verBad: (https://ca.search.yahoo.com/yhs/web?hspart=iry&hsimp=yhs-fullyhosted_003&type=wbf_freaudedtr_16_06&param1=1&param2=f%3D1%26b%3DIE%26cc%3Dca%26pa%3DWincy%26cd%3D2XzuyEtN2Y1L1Qzu0FyEtDyCyCzytD0AtDyEtBtDtBtCzytCtN0D0Tzu0StCyDtDtDtN1L2XzutAtFtCzztFtDtFyDtN1L1Czu1StN1L1G1B1V1N2Y1L1Qzu2StAyC0F0CtA0E0EtCtGyEyD0FyCtGtC0D0BtCtGtCzz0EtBtGyE0B0CyByEyD0B0AyDzz0EyD2QtN1M1F1B2Z1V1N2Y1L1Qzu2SyEyEyEzz0D0EyE0DtGyC0CyCyBtGyE0AtDzztG0B0AyCtCtGtC0FyBtBtB0E0BtB0B0DtAzz2QtN0A0LzuyE%26cr%3D1893034082%26a%3Dwbf_freaudedtr_16_06%26os_ver%3D10.0%26os%3DWindows%2B10%2BHome),Replaced,[f7e298f03c5d42f4185b908e39cc13ed]D10.0%26osBad: (https://ca.search.yahoo.com/yhs/web?hspart=iry&hsimp=yhs-fullyhosted_003&type=wbf_freaudedtr_16_06&param1=1&param2=f%3D1%26b%3DIE%26cc%3Dca%26pa%3DWincy%26cd%3D2XzuyEtN2Y1L1Qzu0FyEtDyCyCzytD0AtDyEtBtDtBtCzytCtN0D0Tzu0StCyDtDtDtN1L2XzutAtFtCzztFtDtFyDtN1L1Czu1StN1L1G1B1V1N2Y1L1Qzu2StAyC0F0CtA0E0EtCtGyEyD0FyCtGtC0D0BtCtGtCzz0EtBtGyE0B0CyByEyD0B0AyDzz0EyD2QtN1M1F1B2Z1V1N2Y1L1Qzu2SyEyEyEzz0D0EyE0DtGyC0CyCyBtGyE0AtDzztG0B0AyCtCtGtC0FyBtBtB0E0BtB0B0DtAzz2QtN0A0LzuyE%26cr%3D1893034082%26a%3Dwbf_freaudedtr_16_06%26os_ver%3D10.0%26os%3DWindows%2B10%2BHome),Replaced,[f7e298f03c5d42f4185b908e39cc13ed]DWindowsGood: (www.google.com)B10Good: (www.google.com)BHome, %4, %5

 

[gib88]

MBAM Log (part 4)

PUP.Optional.WinYahoo, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\INTERNET EXPLORER\MAIN|Start Page, https://ca.search.yahoo.com/yhs/web?hspart=iry&hsimp=yhs-fullyhosted_003&type=wbf_freaudedtr_16_06&param1=1&param2=fBad: (https://ca.search.yahoo.com/yhs/web?hspart=iry&hsimp=yhs-fullyhosted_003&type=wbf_freaudedtr_16_06&param1=1&param2=f%3D1%26b%3DIE%26cc%3Dca%26pa%3DWincy%26cd%3D2XzuyEtN2Y1L1Qzu0FyEtDyCyCzytD0AtDyEtBtDtBtCzytCtN0D0Tzu0StCyDtDtDtN1L2XzutAtFtCzztFtDtFyDtN1L1Czu1StN1L1G1B1V1N2Y1L1Qzu2StAyC0F0CtA0E0EtCtGyEyD0FyCtGtC0D0BtCtGtCzz0EtBtGyE0B0CyByEyD0B0AyDzz0EyD2QtN1M1F1B2Z1V1N2Y1L1Qzu2SyEyEyEzz0D0EyE0DtGyC0CyCyBtGyE0AtDzztG0B0AyCtCtGtC0FyBtBtB0E0BtB0B0DtAzz2QtN0A0LzuyE%26cr%3D1893034082%26a%3Dwbf_freaudedtr_16_06%26os_ver%3D10.0%26os%3DWindows%2B10%2BHome),Replaced,[1cbd0088702983b379fa23fb28dd09f7]D1%26bBad: (https://ca.search.yahoo.com/yhs/web?hspart=iry&hsimp=yhs-fullyhosted_003&type=wbf_freaudedtr_16_06&param1=1&param2=f%3D1%26b%3DIE%26cc%3Dca%26pa%3DWincy%26cd%3D2XzuyEtN2Y1L1Qzu0FyEtDyCyCzytD0AtDyEtBtDtBtCzytCtN0D0Tzu0StCyDtDtDtN1L2XzutAtFtCzztFtDtFyDtN1L1Czu1StN1L1G1B1V1N2Y1L1Qzu2StAyC0F0CtA0E0EtCtGyEyD0FyCtGtC0D0BtCtGtCzz0EtBtGyE0B0CyByEyD0B0AyDzz0EyD2QtN1M1F1B2Z1V1N2Y1L1Qzu2SyEyEyEzz0D0EyE0DtGyC0CyCyBtGyE0AtDzztG0B0AyCtCtGtC0FyBtBtB0E0BtB0B0DtAzz2QtN0A0LzuyE%26cr%3D1893034082%26a%3Dwbf_freaudedtr_16_06%26os_ver%3D10.0%26os%3DWindows%2B10%2BHome),Replaced,[1cbd0088702983b379fa23fb28dd09f7]DIE%26ccBad: (https://ca.search.yahoo.com/yhs/web?hspart=iry&hsimp=yhs-fullyhosted_003&type=wbf_freaudedtr_16_06&param1=1&param2=f%3D1%26b%3DIE%26cc%3Dca%26pa%3DWincy%26cd%3D2XzuyEtN2Y1L1Qzu0FyEtDyCyCzytD0AtDyEtBtDtBtCzytCtN0D0Tzu0StCyDtDtDtN1L2XzutAtFtCzztFtDtFyDtN1L1Czu1StN1L1G1B1V1N2Y1L1Qzu2StAyC0F0CtA0E0EtCtGyEyD0FyCtGtC0D0BtCtGtCzz0EtBtGyE0B0CyByEyD0B0AyDzz0EyD2QtN1M1F1B2Z1V1N2Y1L1Qzu2SyEyEyEzz0D0EyE0DtGyC0CyCyBtGyE0AtDzztG0B0AyCtCtGtC0FyBtBtB0E0BtB0B0DtAzz2QtN0A0LzuyE%26cr%3D1893034082%26a%3Dwbf_freaudedtr_16_06%26os_ver%3D10.0%26os%3DWindows%2B10%2BHome),Replaced,[1cbd0088702983b379fa23fb28dd09f7]Dca%26paBad: (https://ca.search.yahoo.com/yhs/web?hspart=iry&hsimp=yhs-fullyhosted_003&type=wbf_freaudedtr_16_06&param1=1&param2=f%3D1%26b%3DIE%26cc%3Dca%26pa%3DWincy%26cd%3D2XzuyEtN2Y1L1Qzu0FyEtDyCyCzytD0AtDyEtBtDtBtCzytCtN0D0Tzu0StCyDtDtDtN1L2XzutAtFtCzztFtDtFyDtN1L1Czu1StN1L1G1B1V1N2Y1L1Qzu2StAyC0F0CtA0E0EtCtGyEyD0FyCtGtC0D0BtCtGtCzz0EtBtGyE0B0CyByEyD0B0AyDzz0EyD2QtN1M1F1B2Z1V1N2Y1L1Qzu2SyEyEyEzz0D0EyE0DtGyC0CyCyBtGyE0AtDzztG0B0AyCtCtGtC0FyBtBtB0E0BtB0B0DtAzz2QtN0A0LzuyE%26cr%3D1893034082%26a%3Dwbf_freaudedtr_16_06%26os_ver%3D10.0%26os%3DWindows%2B10%2BHome),Replaced,[1cbd0088702983b379fa23fb28dd09f7]DWincy%26cdBad: (https://ca.search.yahoo.com/yhs/web?hspart=iry&hsimp=yhs-fullyhosted_003&type=wbf_freaudedtr_16_06&param1=1&param2=f%3D1%26b%3DIE%26cc%3Dca%26pa%3DWincy%26cd%3D2XzuyEtN2Y1L1Qzu0FyEtDyCyCzytD0AtDyEtBtDtBtCzytCtN0D0Tzu0StCyDtDtDtN1L2XzutAtFtCzztFtDtFyDtN1L1Czu1StN1L1G1B1V1N2Y1L1Qzu2StAyC0F0CtA0E0EtCtGyEyD0FyCtGtC0D0BtCtGtCzz0EtBtGyE0B0CyByEyD0B0AyDzz0EyD2QtN1M1F1B2Z1V1N2Y1L1Qzu2SyEyEyEzz0D0EyE0DtGyC0CyCyBtGyE0AtDzztG0B0AyCtCtGtC0FyBtBtB0E0BtB0B0DtAzz2QtN0A0LzuyE%26cr%3D1893034082%26a%3Dwbf_freaudedtr_16_06%26os_ver%3D10.0%26os%3DWindows%2B10%2BHome),Replaced,[1cbd0088702983b379fa23fb28dd09f7]D2XzuyEtN2Y1L1Qzu0FyEtDyCyCzytD0AtDyEtBtDtBtCzytCtN0D0Tzu0StCyDtDtDtN1L2XzutAtFtCzztFtDtFyDtN1L1Czu1StN1L1G1B1V1N2Y1L1Qzu2StAyC0F0CtA0E0EtCtGyEyD0FyCtGtC0D0BtCtGtCzz0EtBtGyE0B0CyByEyD0B0AyDzz0EyD2QtN1M1F1B2Z1V1N2Y1L1Qzu2SyEyEyEzz0D0EyE0DtGyC0CyCyBtGyE0AtDzztG0B0AyCtCtGtC0FyBtBtB0E0BtB0B0DtAzz2QtN0A0LzuyE%26crBad: (https://ca.search.yahoo.com/yhs/web?hspart=iry&hsimp=yhs-fullyhosted_003&type=wbf_freaudedtr_16_06&param1=1&param2=f%3D1%26b%3DIE%26cc%3Dca%26pa%3DWincy%26cd%3D2XzuyEtN2Y1L1Qzu0FyEtDyCyCzytD0AtDyEtBtDtBtCzytCtN0D0Tzu0StCyDtDtDtN1L2XzutAtFtCzztFtDtFyDtN1L1Czu1StN1L1G1B1V1N2Y1L1Qzu2StAyC0F0CtA0E0EtCtGyEyD0FyCtGtC0D0BtCtGtCzz0EtBtGyE0B0CyByEyD0B0AyDzz0EyD2QtN1M1F1B2Z1V1N2Y1L1Qzu2SyEyEyEzz0D0EyE0DtGyC0CyCyBtGyE0AtDzztG0B0AyCtCtGtC0FyBtBtB0E0BtB0B0DtAzz2QtN0A0LzuyE%26cr%3D1893034082%26a%3Dwbf_freaudedtr_16_06%26os_ver%3D10.0%26os%3DWindows%2B10%2BHome),Replaced,[1cbd0088702983b379fa23fb28dd09f7]D1893034082%26aBad: (https://ca.search.yahoo.com/yhs/web?hspart=iry&hsimp=yhs-fullyhosted_003&type=wbf_freaudedtr_16_06&param1=1&param2=f%3D1%26b%3DIE%26cc%3Dca%26pa%3DWincy%26cd%3D2XzuyEtN2Y1L1Qzu0FyEtDyCyCzytD0AtDyEtBtDtBtCzytCtN0D0Tzu0StCyDtDtDtN1L2XzutAtFtCzztFtDtFyDtN1L1Czu1StN1L1G1B1V1N2Y1L1Qzu2StAyC0F0CtA0E0EtCtGyEyD0FyCtGtC0D0BtCtGtCzz0EtBtGyE0B0CyByEyD0B0AyDzz0EyD2QtN1M1F1B2Z1V1N2Y1L1Qzu2SyEyEyEzz0D0EyE0DtGyC0CyCyBtGyE0AtDzztG0B0AyCtCtGtC0FyBtBtB0E0BtB0B0DtAzz2QtN0A0LzuyE%26cr%3D1893034082%26a%3Dwbf_freaudedtr_16_06%26os_ver%3D10.0%26os%3DWindows%2B10%2BHome),Replaced,[1cbd0088702983b379fa23fb28dd09f7]Dwbf_freaudedtr_16_06%26os_verBad: (https://ca.search.yahoo.com/yhs/web?hspart=iry&hsimp=yhs-fullyhosted_003&type=wbf_freaudedtr_16_06&param1=1&param2=f%3D1%26b%3DIE%26cc%3Dca%26pa%3DWincy%26cd%3D2XzuyEtN2Y1L1Qzu0FyEtDyCyCzytD0AtDyEtBtDtBtCzytCtN0D0Tzu0StCyDtDtDtN1L2XzutAtFtCzztFtDtFyDtN1L1Czu1StN1L1G1B1V1N2Y1L1Qzu2StAyC0F0CtA0E0EtCtGyEyD0FyCtGtC0D0BtCtGtCzz0EtBtGyE0B0CyByEyD0B0AyDzz0EyD2QtN1M1F1B2Z1V1N2Y1L1Qzu2SyEyEyEzz0D0EyE0DtGyC0CyCyBtGyE0AtDzztG0B0AyCtCtGtC0FyBtBtB0E0BtB0B0DtAzz2QtN0A0LzuyE%26cr%3D1893034082%26a%3Dwbf_freaudedtr_16_06%26os_ver%3D10.0%26os%3DWindows%2B10%2BHome),Replaced,[1cbd0088702983b379fa23fb28dd09f7]D10.0%26osBad: (https://ca.search.yahoo.com/yhs/web?hspart=iry&hsimp=yhs-fullyhosted_003&type=wbf_freaudedtr_16_06&param1=1&param2=f%3D1%26b%3DIE%26cc%3Dca%26pa%3DWincy%26cd%3D2XzuyEtN2Y1L1Qzu0FyEtDyCyCzytD0AtDyEtBtDtBtCzytCtN0D0Tzu0StCyDtDtDtN1L2XzutAtFtCzztFtDtFyDtN1L1Czu1StN1L1G1B1V1N2Y1L1Qzu2StAyC0F0CtA0E0EtCtGyEyD0FyCtGtC0D0BtCtGtCzz0EtBtGyE0B0CyByEyD0B0AyDzz0EyD2QtN1M1F1B2Z1V1N2Y1L1Qzu2SyEyEyEzz0D0EyE0DtGyC0CyCyBtGyE0AtDzztG0B0AyCtCtGtC0FyBtBtB0E0BtB0B0DtAzz2QtN0A0LzuyE%26cr%3D1893034082%26a%3Dwbf_freaudedtr_16_06%26os_ver%3D10.0%26os%3DWindows%2B10%2BHome),Replaced,[1cbd0088702983b379fa23fb28dd09f7]DWindowsGood: (www.google.com)B10Good: (www.google.com)BHome, %4, %5
Trojan.DNSChanger.DNSRst, HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\TCPIP\PARAMETERS|NameServer, 82.163.142.7 95.211.158.134, Good: (8.8.8.8), Bad: (82.163.142.7 95.211.158.134),Replaced,[21b8e8a0227754e2de6d33eb46bf8977]
PUP.Optional.WinYahoo, HKU\S-1-5-21-3477161291-1190242396-1957653652-1001\SOFTWARE\MICROSOFT\INTERNET EXPLORER\MAIN|Start Page, https://ca.search.yahoo.com/yhs/web?hspart=iry&hsimp=yhs-fullyhosted_003&type=wbf_freaudedtr_16_06&param1=1&param2=fBad: (https://ca.search.yahoo.com/yhs/web?hspart=iry&hsimp=yhs-fullyhosted_003&type=wbf_freaudedtr_16_06&param1=1&param2=f%3D1%26b%3DIE%26cc%3Dca%26pa%3DWincy%26cd%3D2XzuyEtN2Y1L1Qzu0FyEtDyCyCzytD0AtDyEtBtDtBtCzytCtN0D0Tzu0StCyDtDtDtN1L2XzutAtFtCzztFtDtFyDtN1L1Czu1StN1L1G1B1V1N2Y1L1Qzu2StAyC0F0CtA0E0EtCtGyEyD0FyCtGtC0D0BtCtGtCzz0EtBtGyE0B0CyByEyD0B0AyDzz0EyD2QtN1M1F1B2Z1V1N2Y1L1Qzu2SyEyEyEzz0D0EyE0DtGyC0CyCyBtGyE0AtDzztG0B0AyCtCtGtC0FyBtBtB0E0BtB0B0DtAzz2QtN0A0LzuyE%26cr%3D1893034082%26a%3Dwbf_freaudedtr_16_06%26os_ver%3D10.0%26os%3DWindows%2B10%2BHome),Replaced,[c0190b7dedacaf87373a4dd1b253669a]D1%26bBad: (https://ca.search.yahoo.com/yhs/web?hspart=iry&hsimp=yhs-fullyhosted_003&type=wbf_freaudedtr_16_06&param1=1&param2=f%3D1%26b%3DIE%26cc%3Dca%26pa%3DWincy%26cd%3D2XzuyEtN2Y1L1Qzu0FyEtDyCyCzytD0AtDyEtBtDtBtCzytCtN0D0Tzu0StCyDtDtDtN1L2XzutAtFtCzztFtDtFyDtN1L1Czu1StN1L1G1B1V1N2Y1L1Qzu2StAyC0F0CtA0E0EtCtGyEyD0FyCtGtC0D0BtCtGtCzz0EtBtGyE0B0CyByEyD0B0AyDzz0EyD2QtN1M1F1B2Z1V1N2Y1L1Qzu2SyEyEyEzz0D0EyE0DtGyC0CyCyBtGyE0AtDzztG0B0AyCtCtGtC0FyBtBtB0E0BtB0B0DtAzz2QtN0A0LzuyE%26cr%3D1893034082%26a%3Dwbf_freaudedtr_16_06%26os_ver%3D10.0%26os%3DWindows%2B10%2BHome),Replaced,[c0190b7dedacaf87373a4dd1b253669a]DIE%26ccBad: (https://ca.search.yahoo.com/yhs/web?hspart=iry&hsimp=yhs-fullyhosted_003&type=wbf_freaudedtr_16_06&param1=1&param2=f%3D1%26b%3DIE%26cc%3Dca%26pa%3DWincy%26cd%3D2XzuyEtN2Y1L1Qzu0FyEtDyCyCzytD0AtDyEtBtDtBtCzytCtN0D0Tzu0StCyDtDtDtN1L2XzutAtFtCzztFtDtFyDtN1L1Czu1StN1L1G1B1V1N2Y1L1Qzu2StAyC0F0CtA0E0EtCtGyEyD0FyCtGtC0D0BtCtGtCzz0EtBtGyE0B0CyByEyD0B0AyDzz0EyD2QtN1M1F1B2Z1V1N2Y1L1Qzu2SyEyEyEzz0D0EyE0DtGyC0CyCyBtGyE0AtDzztG0B0AyCtCtGtC0FyBtBtB0E0BtB0B0DtAzz2QtN0A0LzuyE%26cr%3D1893034082%26a%3Dwbf_freaudedtr_16_06%26os_ver%3D10.0%26os%3DWindows%2B10%2BHome),Replaced,[c0190b7dedacaf87373a4dd1b253669a]Dca%26paBad: (https://ca.search.yahoo.com/yhs/web?hspart=iry&hsimp=yhs-fullyhosted_003&type=wbf_freaudedtr_16_06&param1=1&param2=f%3D1%26b%3DIE%26cc%3Dca%26pa%3DWincy%26cd%3D2XzuyEtN2Y1L1Qzu0FyEtDyCyCzytD0AtDyEtBtDtBtCzytCtN0D0Tzu0StCyDtDtDtN1L2XzutAtFtCzztFtDtFyDtN1L1Czu1StN1L1G1B1V1N2Y1L1Qzu2StAyC0F0CtA0E0EtCtGyEyD0FyCtGtC0D0BtCtGtCzz0EtBtGyE0B0CyByEyD0B0AyDzz0EyD2QtN1M1F1B2Z1V1N2Y1L1Qzu2SyEyEyEzz0D0EyE0DtGyC0CyCyBtGyE0AtDzztG0B0AyCtCtGtC0FyBtBtB0E0BtB0B0DtAzz2QtN0A0LzuyE%26cr%3D1893034082%26a%3Dwbf_freaudedtr_16_06%26os_ver%3D10.0%26os%3DWindows%2B10%2BHome),Replaced,[c0190b7dedacaf87373a4dd1b253669a]DWincy%26cdBad: (https://ca.search.yahoo.com/yhs/web?hspart=iry&hsimp=yhs-fullyhosted_003&type=wbf_freaudedtr_16_06&param1=1&param2=f%3D1%26b%3DIE%26cc%3Dca%26pa%3DWincy%26cd%3D2XzuyEtN2Y1L1Qzu0FyEtDyCyCzytD0AtDyEtBtDtBtCzytCtN0D0Tzu0StCyDtDtDtN1L2XzutAtFtCzztFtDtFyDtN1L1Czu1StN1L1G1B1V1N2Y1L1Qzu2StAyC0F0CtA0E0EtCtGyEyD0FyCtGtC0D0BtCtGtCzz0EtBtGyE0B0CyByEyD0B0AyDzz0EyD2QtN1M1F1B2Z1V1N2Y1L1Qzu2SyEyEyEzz0D0EyE0DtGyC0CyCyBtGyE0AtDzztG0B0AyCtCtGtC0FyBtBtB0E0BtB0B0DtAzz2QtN0A0LzuyE%26cr%3D1893034082%26a%3Dwbf_freaudedtr_16_06%26os_ver%3D10.0%26os%3DWindows%2B10%2BHome),Replaced,[c0190b7dedacaf87373a4dd1b253669a]D2XzuyEtN2Y1L1Qzu0FyEtDyCyCzytD0AtDyEtBtDtBtCzytCtN0D0Tzu0StCyDtDtDtN1L2XzutAtFtCzztFtDtFyDtN1L1Czu1StN1L1G1B1V1N2Y1L1Qzu2StAyC0F0CtA0E0EtCtGyEyD0FyCtGtC0D0BtCtGtCzz0EtBtGyE0B0CyByEyD0B0AyDzz0EyD2QtN1M1F1B2Z1V1N2Y1L1Qzu2SyEyEyEzz0D0EyE0DtGyC0CyCyBtGyE0AtDzztG0B0AyCtCtGtC0FyBtBtB0E0BtB0B0DtAzz2QtN0A0LzuyE%26crBad: (https://ca.search.yahoo.com/yhs/web?hspart=iry&hsimp=yhs-fullyhosted_003&type=wbf_freaudedtr_16_06&param1=1&param2=f%3D1%26b%3DIE%26cc%3Dca%26pa%3DWincy%26cd%3D2XzuyEtN2Y1L1Qzu0FyEtDyCyCzytD0AtDyEtBtDtBtCzytCtN0D0Tzu0StCyDtDtDtN1L2XzutAtFtCzztFtDtFyDtN1L1Czu1StN1L1G1B1V1N2Y1L1Qzu2StAyC0F0CtA0E0EtCtGyEyD0FyCtGtC0D0BtCtGtCzz0EtBtGyE0B0CyByEyD0B0AyDzz0EyD2QtN1M1F1B2Z1V1N2Y1L1Qzu2SyEyEyEzz0D0EyE0DtGyC0CyCyBtGyE0AtDzztG0B0AyCtCtGtC0FyBtBtB0E0BtB0B0DtAzz2QtN0A0LzuyE%26cr%3D1893034082%26a%3Dwbf_freaudedtr_16_06%26os_ver%3D10.0%26os%3DWindows%2B10%2BHome),Replaced,[c0190b7dedacaf87373a4dd1b253669a]D1893034082%26aBad: (https://ca.search.yahoo.com/yhs/web?hspart=iry&hsimp=yhs-fullyhosted_003&type=wbf_freaudedtr_16_06&param1=1&param2=f%3D1%26b%3DIE%26cc%3Dca%26pa%3DWincy%26cd%3D2XzuyEtN2Y1L1Qzu0FyEtDyCyCzytD0AtDyEtBtDtBtCzytCtN0D0Tzu0StCyDtDtDtN1L2XzutAtFtCzztFtDtFyDtN1L1Czu1StN1L1G1B1V1N2Y1L1Qzu2StAyC0F0CtA0E0EtCtGyEyD0FyCtGtC0D0BtCtGtCzz0EtBtGyE0B0CyByEyD0B0AyDzz0EyD2QtN1M1F1B2Z1V1N2Y1L1Qzu2SyEyEyEzz0D0EyE0DtGyC0CyCyBtGyE0AtDzztG0B0AyCtCtGtC0FyBtBtB0E0BtB0B0DtAzz2QtN0A0LzuyE%26cr%3D1893034082%26a%3Dwbf_freaudedtr_16_06%26os_ver%3D10.0%26os%3DWindows%2B10%2BHome),Replaced,[c0190b7dedacaf87373a4dd1b253669a]Dwbf_freaudedtr_16_06%26os_verBad: (https://ca.search.yahoo.com/yhs/web?hspart=iry&hsimp=yhs-fullyhosted_003&type=wbf_freaudedtr_16_06&param1=1&param2=f%3D1%26b%3DIE%26cc%3Dca%26pa%3DWincy%26cd%3D2XzuyEtN2Y1L1Qzu0FyEtDyCyCzytD0AtDyEtBtDtBtCzytCtN0D0Tzu0StCyDtDtDtN1L2XzutAtFtCzztFtDtFyDtN1L1Czu1StN1L1G1B1V1N2Y1L1Qzu2StAyC0F0CtA0E0EtCtGyEyD0FyCtGtC0D0BtCtGtCzz0EtBtGyE0B0CyByEyD0B0AyDzz0EyD2QtN1M1F1B2Z1V1N2Y1L1Qzu2SyEyEyEzz0D0EyE0DtGyC0CyCyBtGyE0AtDzztG0B0AyCtCtGtC0FyBtBtB0E0BtB0B0DtAzz2QtN0A0LzuyE%26cr%3D1893034082%26a%3Dwbf_freaudedtr_16_06%26os_ver%3D10.0%26os%3DWindows%2B10%2BHome),Replaced,[c0190b7dedacaf87373a4dd1b253669a]D10.0%26osBad: (https://ca.search.yahoo.com/yhs/web?hspart=iry&hsimp=yhs-fullyhosted_003&type=wbf_freaudedtr_16_06&param1=1&param2=f%3D1%26b%3DIE%26cc%3Dca%26pa%3DWincy%26cd%3D2XzuyEtN2Y1L1Qzu0FyEtDyCyCzytD0AtDyEtBtDtBtCzytCtN0D0Tzu0StCyDtDtDtN1L2XzutAtFtCzztFtDtFyDtN1L1Czu1StN1L1G1B1V1N2Y1L1Qzu2StAyC0F0CtA0E0EtCtGyEyD0FyCtGtC0D0BtCtGtCzz0EtBtGyE0B0CyByEyD0B0AyDzz0EyD2QtN1M1F1B2Z1V1N2Y1L1Qzu2SyEyEyEzz0D0EyE0DtGyC0CyCyBtGyE0AtDzztG0B0AyCtCtGtC0FyBtBtB0E0BtB0B0DtAzz2QtN0A0LzuyE%26cr%3D1893034082%26a%3Dwbf_freaudedtr_16_06%26os_ver%3D10.0%26os%3DWindows%2B10%2BHome),Replaced,[c0190b7dedacaf87373a4dd1b253669a]DWindowsGood: (www.google.com)B10Good: (www.google.com)BHome, %4, %5

---------- Post added at 11:24 PM ---------- Previous post was at 11:24 PM ----------

MBAM Log (part 5)

Folders: 8
PUP.Optional.DNSUnlocker.BrwsrFlsh, C:\Program Files (x86)\DNS Unlocker, Delete-on-Reboot, [8c4dc8c04e4bb77fb5d1776f35cd5aa6], 
PUP.Optional.DriverRestore, C:\ProgramData\Microsoft\Windows\Start Menu\Programs\DriverRestore, Quarantined, [e7f2b9cf24750c2ad7f2b75fb64dd927], 
PUP.Optional.Amonetize, C:\ProgramData\{0f653c13-112c-0}, Quarantined, [15c4a3e59aff4ee8344bd740d52e966a], 
PUP.Optional.Amonetize, C:\ProgramData\{104b8ea3-212c-1}, Quarantined, [9a3f1d6ba5f4a4923a4549ce37ccb749], 
PUP.Optional.Amonetize, C:\ProgramData\b2bdd870-4c15-0, Quarantined, [8851b5d3b0e92f074c3d0b0cb053b947], 
PUP.Optional.Amonetize, C:\ProgramData\b2bdd870-5351-1, Quarantined, [3f9a8afefc9dae88ea9f22f50df69f61], 
PUP.Optional.Amonetize, C:\ProgramData\fba25c27-2375-0, Quarantined, [34a51d6b7425112538512bec857e5ba5], 
PUP.Optional.Amonetize, C:\ProgramData\fba25c27-4755-0, Quarantined, [5683cbbdff9ac57194f5d245966d37c9], 

Files: 39
Adware.CloudGuard, C:\Program Files (x86)\DNS Unlocker\dnslockington.exe, Delete-on-Reboot, [79609eea9009ab8b3af135b2a45d1be5], 
PUP.Optional.InstallCore, C:\Users\Gibran\AppData\Roaming\New Version Available\FreeSoundRecorder.exe, Quarantined, [4d8ca3e52c6d5ed8b9ec3ab2936ee31d], 
PUP.Optional.OneSystemCare, C:\Program Files (x86)\OneSystemCare\CleanupConsole.exe, Quarantined, [3a9f21678910e353ff560a3614f1669a], 
PUP.Optional.383Media, C:\Users\Gibran\AppData\Local\Temp\DRHelper_installFinish.exe, Quarantined, [5a7fd7b12f6ada5ca1693d7ada27dd23], 
PUP.Optional.383Media, C:\Users\Gibran\AppData\Local\Temp\DRHelper_installStart.exe, Quarantined, [b2273751f6a39a9c52b874432ad7629e], 
PUP.Optional.383Media, C:\Users\Gibran\AppData\Local\Temp\DRHelper_uninstallComplete.exe, Quarantined, [2bae295f7c1dba7c26e416a17a8738c8], 
PUP.Optional.ClousdScout.BrwsrFlsh, C:\Windows\System32\Tasks\DNSLOCKINGTON, Quarantined, [627734540693171fc837140ee122758b], 
PUP.Optional.ReMarkable, C:\Users\Gibran\AppData\Local\Google\Chrome\User Data\Default\Local Storage\http_static.re-markable00.re-markable.net_0.localstorage, Quarantined, [6970c8c0fb9e68ce6aba60c6aa5a9070], 
PUP.Optional.ReMarkable, C:\Users\Gibran\AppData\Local\Google\Chrome\User Data\Default\Local Storage\http_static.re-markable00.re-markable.net_0.localstorage-journal, Quarantined, [9346097fc4d53afcf72d919554b0d828], 
PUP.Optional.PastaLeads, C:\Users\Gibran\AppData\Local\Google\Chrome\User Data\Default\Local Storage\http_nps.pastaleads.com_0.localstorage, Quarantined, [6a6fa8e09108d3630d122b18c0443ec2], 
PUP.Optional.PastaLeads, C:\Users\Gibran\AppData\Local\Google\Chrome\User Data\Default\Local Storage\http_nps.pastaleads.com_0.localstorage-journal, Quarantined, [1ebb6b1d9cfd3402908fd56ee81ca65a], 
PUP.Optional.BestPriceNinja, C:\Users\Gibran\AppData\Local\Google\Chrome\User Data\Default\Local Storage\http_pstatic.bestpriceninja.com_0.localstorage, Quarantined, [29b0662239608ea83231106ab74dfa06], 
PUP.Optional.BestPriceNinja, C:\Users\Gibran\AppData\Local\Google\Chrome\User Data\Default\Local Storage\http_pstatic.bestpriceninja.com_0.localstorage-journal, Quarantined, [a633414753460b2b0261a3d7ab5931cf], 
PUP.Optional.eShopComp, C:\Users\Gibran\AppData\Local\Google\Chrome\User Data\Default\Local Storage\http_pstatic.eshopcomp.com_0.localstorage, Quarantined, [a336206831685adc371284fbfe06a060], 
PUP.Optional.eShopComp, C:\Users\Gibran\AppData\Local\Google\Chrome\User Data\Default\Local Storage\http_pstatic.eshopcomp.com_0.localstorage-journal, Quarantined, [e5f4b9cfc9d020160445bdc20cf8c43c], 
PUP.Optional.CrossRider, C:\Users\Gibran\AppData\Local\Google\Chrome\User Data\Default\Local Storage\https_d19tqk5t6qcjac.cloudfront.net_0.localstorage, Quarantined, [a039a7e1cacf8aacd0d6730f24e0ed13], 
PUP.Optional.CrossRider, C:\Users\Gibran\AppData\Local\Google\Chrome\User Data\Default\Local Storage\https_d19tqk5t6qcjac.cloudfront.net_0.localstorage-journal, Quarantined, [e7f2553336635bdbcbdba7dbec1835cb], 
PUP.Optional.Amonetize.Gen, C:\ProgramData\fba25c27-2375-0\BIT8A81.tmp, Quarantined, [4a8fdcac059485b1f8248ff9ee16619f], 
PUP.Optional.Amonetize.Gen, C:\ProgramData\fba25c27-4755-0\BITF1C4.tmp, Quarantined, [89503454306979bd8c905f296e96e11f], 
PUP.Optional.UTop, C:\Users\Gibran\AppData\Local\Google\Chrome\User Data\Default\Local Storage\http_utop.it_0.localstorage, Quarantined, [c415cdbb910857dfcb8b23689470eb15], 
PUP.Optional.UTop, C:\Users\Gibran\AppData\Local\Google\Chrome\User Data\Default\Local Storage\http_utop.it_0.localstorage-journal, Quarantined, [a237790f4257082e8dc990fb53b16d93], 
PUP.Optional.DNSUnlocker.BrwsrFlsh, C:\Program Files (x86)\DNS Unlocker\config.ini, Quarantined, [8c4dc8c04e4bb77fb5d1776f35cd5aa6], 
PUP.Optional.DNSUnlocker.BrwsrFlsh, C:\Program Files (x86)\DNS Unlocker\ConsoleApplication1.dll, Quarantined, [8c4dc8c04e4bb77fb5d1776f35cd5aa6], 
PUP.Optional.DNSUnlocker.BrwsrFlsh, C:\Program Files (x86)\DNS Unlocker\DNSLOCKINGTON.cer, Quarantined, [8c4dc8c04e4bb77fb5d1776f35cd5aa6], 
PUP.Optional.DNSUnlocker.BrwsrFlsh, C:\Program Files (x86)\DNS Unlocker\dnslockington.exe, Delete-on-Reboot, [8c4dc8c04e4bb77fb5d1776f35cd5aa6], 
PUP.Optional.DNSUnlocker.BrwsrFlsh, C:\Program Files (x86)\DNS Unlocker\Info.rtf, Quarantined, [8c4dc8c04e4bb77fb5d1776f35cd5aa6], 
PUP.Optional.DNSUnlocker.BrwsrFlsh, C:\Program Files (x86)\DNS Unlocker\License.rtf, Quarantined, [8c4dc8c04e4bb77fb5d1776f35cd5aa6], 
PUP.Optional.DNSUnlocker.BrwsrFlsh, C:\Program Files (x86)\DNS Unlocker\LogoBlack.ico, Quarantined, [8c4dc8c04e4bb77fb5d1776f35cd5aa6], 
PUP.Optional.DNSUnlocker.BrwsrFlsh, C:\Program Files (x86)\DNS Unlocker\LogoGreen.ico, Quarantined, [8c4dc8c04e4bb77fb5d1776f35cd5aa6], 
PUP.Optional.DNSUnlocker.BrwsrFlsh, C:\Program Files (x86)\DNS Unlocker\LogoYellow.ico, Quarantined, [8c4dc8c04e4bb77fb5d1776f35cd5aa6], 
PUP.Optional.DNSUnlocker.BrwsrFlsh, C:\Program Files (x86)\DNS Unlocker\Microsoft.Win32.TaskScheduler.dll, Delete-on-Reboot, [8c4dc8c04e4bb77fb5d1776f35cd5aa6], 
PUP.Optional.DNSUnlocker.BrwsrFlsh, C:\Program Files (x86)\DNS Unlocker\settings.ini, Quarantined, [8c4dc8c04e4bb77fb5d1776f35cd5aa6], 
PUP.Optional.DNSUnlocker.BrwsrFlsh, C:\Program Files (x86)\DNS Unlocker\unins000.dat, Quarantined, [8c4dc8c04e4bb77fb5d1776f35cd5aa6], 
PUP.Optional.DNSUnlocker.BrwsrFlsh, C:\Program Files (x86)\DNS Unlocker\unins000.exe, Quarantined, [8c4dc8c04e4bb77fb5d1776f35cd5aa6], 
PUP.Optional.DNSUnlocker.BrwsrFlsh, C:\Program Files (x86)\DNS Unlocker\ZonaTools.XPlorerBar.dll, Quarantined, [8c4dc8c04e4bb77fb5d1776f35cd5aa6], 
PUP.Optional.Amonetize, C:\ProgramData\{0f653c13-112c-0}\BIT711C.tmp, Quarantined, [15c4a3e59aff4ee8344bd740d52e966a], 
PUP.Optional.Amonetize, C:\ProgramData\{104b8ea3-212c-1}\BIT70BD.tmp, Quarantined, [9a3f1d6ba5f4a4923a4549ce37ccb749], 
PUP.Optional.Amonetize, C:\ProgramData\b2bdd870-4c15-0\b2bdd870-4c15-0.d, Quarantined, [8851b5d3b0e92f074c3d0b0cb053b947], 
PUP.Optional.Amonetize, C:\ProgramData\b2bdd870-5351-1\b2bdd870-5351-1.d, Quarantined, [3f9a8afefc9dae88ea9f22f50df69f61], 

Physical Sectors: 0
(No malicious items detected)


(end)

 

[gib88]

AdwCleaner:

# AdwCleaner v5.102 - Logfile created 17/03/2016 at 18:56:40
# Updated 13/03/2016 by Xplode
# Database : 2016-03-16.1 [Server]
# Operating system : Windows 10 Home  (x64)
# Username : Gibran - GIBRANSCOMPUTER
# Running from : D:\anti-virus\AdwCleaner.exe
# Option : Clean
# Support : http://toolslib.net/forum

***** [ Services ] *****


***** [ Folders ] *****

[-] Folder Deleted : C:\Program Files (x86)\OneSystemCare
[-] Folder Deleted : C:\ProgramData\acef5720

***** [ Files ] *****


***** [ DLLs ] *****


***** [ Shortcuts ] *****


***** [ Scheduled tasks ] *****

[-] Task Deleted : {58C2F33A-4A1A-051A-275C-A2FB660EAC12}

***** [ Registry ] *****

[-] Key Deleted : HKLM\SOFTWARE\Classes\AppID\NCTAudioCDGrabber2.DLL
[-] Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{35B8892D-C3FB-4D88-990D-31DB2EBD72BD}
[-] Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{5EB0259D-AB79-4AE6-A6E6-24FFE21C3DA4}
[-] Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{CADAF6BE-BF50-4669-8BFD-C27BD4E6181B}
[-] Key Deleted : HKLM\SOFTWARE\Classes\Interface\{2BEF239C-752E-4001-8048-F256E0D8CD93}
[-] Key Deleted : HKLM\SOFTWARE\Classes\Interface\{3F607E46-0D3C-4442-B1DE-DE7FA4768F5C}
[-] Key Deleted : HKLM\SOFTWARE\Classes\Interface\{49C00A51-6E59-41FE-B3FA-2D2157FAD67B}
[-] Key Deleted : HKLM\SOFTWARE\Classes\Interface\{6DFF5DBA-AE3A-46DB-B301-ECFFC6DB2982}
[-] Key Deleted : HKLM\SOFTWARE\Classes\Interface\{DE34CD67-F1C8-4001-9A23-B8A68F63F377}
[-] Key Deleted : HKLM\SOFTWARE\Classes\Interface\{FE0273D1-99DF-4AC0-87D5-1371C6271785}
[-] Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{93E3D79C-0786-48FF-9329-93BC9F6DC2B3}
[-] Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{81CA8FCD-1420-4A07-B47D-B30F3DDA79E1}
[-] Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{2BEF239C-752E-4001-8048-F256E0D8CD93}
[-] Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{3F607E46-0D3C-4442-B1DE-DE7FA4768F5C}
[-] Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{49C00A51-6E59-41FE-B3FA-2D2157FAD67B}
[-] Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{6DFF5DBA-AE3A-46DB-B301-ECFFC6DB2982}
[-] Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{DE34CD67-F1C8-4001-9A23-B8A68F63F377}
[-] Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{FE0273D1-99DF-4AC0-87D5-1371C6271785}
[-] Key Deleted : HKCU\Software\eSupport.com

***** [ Web browsers ] *****

[-] [C:\Users\Gibran\AppData\Local\Google\Chrome\User Data\Default\Web Data] [Search Provider] Deleted : ask.com

*************************

:: "Tracing" keys removed
:: Winsock settings cleared

*************************

C:\Program Files (x86)\AdwCleaner\AdwCleaner[C1].txt - [2600 bytes] - [17/03/2016 18:56:40]
C:\Program Files (x86)\AdwCleaner\AdwCleaner[S1].txt - [2675 bytes] - [17/03/2016 18:52:47]

########## EOF - C:\Program Files (x86)\AdwCleaner\AdwCleaner[C1].txt - [2786 bytes] ##########

---------- Post added at 11:28 PM ---------- Previous post was at 11:25 PM ----------

SuperAntiSpyware:

Too long to post.

Visit: http://www.shahspace.com/superantispyware.txt

 

[crazyman143]

gdiplus.dll Doesn't appear in the logs you posted. By the way, RAVCp164.exe is part of Realtek Audio Manager. If you don't use the realtek tray icon, I would suggest just disabling it in your startup items in MSconfig.

If you are concerned about missing system files, run a CMD as administrator, and use the command "sfc /scannow"

SFC will check windows system files for consistency.

 

[gib88]

SFC will check windows system files for consistency.

Thanks.

Here's what sfc said:

Beginning verification phase of system scan.
Verification 55% complete.

Windows Resource Protection could not perform the requested operation.

So it got as far as 55% when it bailed, saying that windows resource protection couldn't perform some operation.

 

[Draygoes]

I see no malware. It appears to be a problem with the update itself. Keep updating, and see if MS fixes their own mestakes. (Yes, I did look over all of your uploaded log files.)