Winpatrol detect Device Setups trying to install themselves?

January 17, 2016 at 08:35:25
Specs: Windows 7, Pentium Dual-Core E5400 / 4GB
Hi, after installing several updates to Windows 7 on my PC, WinPatrol is telling me (after I booted up the PC again) that there are six Streaming Device Setups trying to install themselves as startup programs. WinPatrol has not identified a description or a publisher/author for these programs and I have assumed that these programs are viruses. How can I delete these programs? Thanks.


#1
January 17, 2016 at 14:02:37
Run these three freebies as the first step, in the order given:

AdwCleaner:
http://www.bleepingcomputer.com/dow...
(blue Download button near top - not anything else on the page).
Download and "Save" the file somewhere. Go to the saved file then double click it to run the program. Use the "Scan" button, followed by the "Cleaning" button.

Junkware Removal Tool (JRT)
http://www.bleepingcomputer.com/dow...
(blue Download button near top - not anything else on the page).
Download and "Save" the file somewhere. Go to the saved file then double click it to run JRT. It might appear to have stopped at times or flash the screen but sit tight until it has finished.

MalwareBytes:
https://www.malwarebytes.org/
Download the free version.
Install and Run the program but before doing its Scan go to "Settings > Detection and Protection" and put a checkmark in "Scan for rootkits". Quarantine anything it finds.

Please copy/paste the logs on here.

Always pop back and let us know the outcome - thanks



#2
January 18, 2016 at 01:20:15
Thanks, Derek. I'll install the software, run the scans and let you know the results.

Also, WinPatrol is no longer warning me that the Streaming Device Setups are trying to install themselves as startup programs. Would it be correct to assume that these setups have stopped trying to be installed as startup programs?



#3
January 18, 2016 at 01:22:38
"Would it be correct to assume that these setups have stopped trying to be installed as startup programs?"
Once we see the contents of the logs, we will be able to evaluate.


#4
January 18, 2016 at 14:28:12
WinPatrol has two versions. The free version does not give you access to the evaluation database which gives information on the invading self-installing and self-start "programs".
Purchase of the paid version is worth every cent (or penny for those living on an island).

Your description does not indicate for certain if you use the paid version, but I guess you use that version.

If those warnings do not show up any more in WinPatrol, you can be sure the invading software does not try to install itself again. It is probably in your system now.

Normally you wouldn't have to worry about deleting anything, because WinPatrol gives you a choice to NOT ALLOW them to install. That is precisely the main goal of WinPatrol.
It was up TO YOU to react to that warning, by not allowing installation, which obviously you did not. I'm afraid you missed the whole point of WinPatrol!



#5
January 19, 2016 at 01:45:05
Thanks for your post, Blackbird. Perhaps I was not clear in my previous posts, but whenever I was presented with the option of allowing the Streaming Device Setups to install themselves as startup programs, I always instructed WinPatrol (the free version) to reject that option.

Also, I ran the three scans and I shall post the logs later.



#6
January 19, 2016 at 07:48:41
Yes, please do. Did they find anything of consequence?

Always pop back and let us know the outcome - thanks



#7
January 19, 2016 at 11:46:47
Thanks very much for your help. I ran scans with each piece of software and twice with Malwarebytes Anti-Malware because on the first scan with this software, I did not select the 'rootkit' option.

Please see logs below. I look forward to reading any analysis of them. If it is possible to upload the logs as attachments, please let me know how to do this.

# AdwCleaner v5.030 - Logfile created 18/01/2016 at 19:49:31
# Updated 17/01/2016 by Xplode
# Database : 2016-01-17.3 [Server]
# Operating system : Windows 7 Home Premium Service Pack 1 (x64)
# Username : User_Name_1 - X-PC
# Running from : C:\Users\User_Name_2\Downloads\AdwCleaner.exe
# Option : Scan
# Support : http://toolslib.net/forum

***** [ Services ] *****


***** [ Folders ] *****

Folder Found : C:\Users\User_Name_1\AppData\Roaming\RHEng
Folder Found : C:\Windows\SysWOW64\config\systemprofile\AppData\Local\SearchProtect

***** [ Files ] *****

File Found : C:\Windows\AppPatch\Custom\{8a4d5a43-c64a-45ab-bdf4-804fe18ceafd}.sdb

***** [ DLL ] *****


***** [ Shortcuts ] *****

Shortcut Infected : C:\Users\User_Name_2\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Google Chrome.lnk ( hxxp://www.key-find.com/?type=sc&ts=1424691600&from=key7&uid=3219913727_67194_0A556A97 )

***** [ Scheduled tasks ] *****


***** [ Registry ] *****

Key Found : HKCU\Software\Classes\CLSID\{A2DF06F9-A21A-44A8-8A99-8B9C84F29160}
Key Found : HKCU\Software\PRODUCTSETUP
Key Found : HKU\S-1-5-21-1076340520-3992044991-2602661625-1002\Software\Conduit
Key Found : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}
Data Found : HKCU\Software\Microsoft\Internet Explorer\SearchScopes [DefaultScope] - {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
Key Found : [x64] HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}
Data Found : [x64] HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes [DefaultScope] - {0633EE93-D776-472f-A0FF-E1416B8B2E3A}

***** [ Web browsers ] *****

[C:\Users\User_Name_3\AppData\Roaming\Mozilla\Firefox\Profiles\bb23lera.default\prefs.js] [Preference] Found : user_pref("browser.startup.homepage", "hxxp://www.palikan.com/?f=1&a=plk_ir_15_50&cd=2XzuyEtN2Y1L1QzuyEzzyD0BtAzy0E0FzyyCzz0DyC0AzyyBtN0D0Tzu0StCyEyEtCtN1L2XzutAtFtCyDtFtAtFtDtN1L1Czu1BtBtN1L1G1B1V1N2[...]
[C:\Users\User_Name_2\AppData\Roaming\Mozilla\Firefox\Profiles\x3yeej5o.default\prefs.js] [Preference] Found : user_pref("browser.search.selectedEngine", "key-find");
[C:\Users\User_Name_2\AppData\Roaming\Mozilla\Firefox\Profiles\x3yeej5o.default\prefs.js] [Preference] Found : user_pref("extensions.quick_start.enable_search1", false);
[C:\Users\User_Name_2\AppData\Roaming\Mozilla\Firefox\Profiles\x3yeej5o.default\prefs.js] [Preference] Found : user_pref("extensions.quick_start.sd.closeWindowWithLastTab_prev_state", false);
[C:\Users\User_Name_1\AppData\Local\Chromium\User Data\Default\Secure Preferences] [Startup_URLs] Found : hxxp://www.palikan.com/?f=7&a=plk_ir_15_50&cd=2XzuyEtN2Y1L1QzuyEzzyD0BtAzy0E0FzyyCzz0DyC0AzyyBtN0D0Tzu0StCyEyEtCtN1L2XzutAtFtCyDtFtAtFtDtN1L1Czu1BtBtN1L1G1B1V1N2Y1L1Qzu2StB0F0DyEzy0E0FtBtGtByDtByCtGtDyDyEtAtGtBtB0E0BtG0FtBzzyBtB0B0Ezy0D0C0Azz2QtN1M1F1B2Z1V1N2Y1L1Qzu2S0B0AtBtCtAyByE0BtG0AtByCzztGyEyByD0BtG0B0B0B0FtG0ByDyE0Fzz0C0EzztB0EtDyD2QtN0A0LzutB&cr=507566118&ir=&uref=chmm
[C:\Users\User_Name_1\AppData\Local\Chromium\User Data\Default\Secure Preferences] [Homepage] Found : hxxp://www.palikan.com/?f=1&a=plk_ir_15_50&cd=2XzuyEtN2Y1L1QzuyEzzyD0BtAzy0E0FzyyCzz0DyC0AzyyBtN0D0Tzu0StCyEyEtCtN1L2XzutAtFtCyDtFtAtFtDtN1L1Czu1BtBtN1L1G1B1V1N2Y1L1Qzu2StB0F0DyEzy0E0FtBtGtByDtByCtGtDyDyEtAtGtBtB0E0BtG0FtBzzyBtB0B0Ezy0D0C0Azz2QtN1M1F1B2Z1V1N2Y1L1Qzu2S0B0AtBtCtAyByE0BtG0AtByCzztGyEyByD0BtG0B0B0B0FtG0ByDyE0Fzz0C0EzztB0EtDyD2QtN0A0LzutB&cr=507566118&ir=&uref=chmm

########## EOF - \AdwCleaner\AdwCleaner[S2].txt - [3489 bytes] ##########


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Malwarebytes
Version: 8.0.2 (01.06.2016)
Operating System: Windows 7 Home Premium x64
Ran by User_Name_1 (Administrator) on 18/01/2016 at 19:56:57.89
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


File System: 6

Successfully deleted: C:\Windows\apppatch\custom\{8a4d5a43-c64a-45ab-bdf4-804fe18ceafd}.sdb (File)
Successfully deleted: C:\Windows\wininit.ini (File)
Successfully deleted: C:\Users\User_Name_1\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\AFXAAZEY (Folder)
Successfully deleted: C:\Users\User_Name_1\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\FGQN8O5J (Folder)
Successfully deleted: C:\Users\User_Name_1\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PSZSK4H2 (Folder)
Successfully deleted: C:\Users\User_Name_1\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\WFMM8NZH (Folder)

Registry: 1

Successfully deleted: HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A} (Registry Key)


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on 18/01/2016 at 19:59:10.20
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Malwarebytes Anti-Malware
www.malwarebytes.org

Scan Date: 18/01/2016
Scan Time: 20:06
Logfile: MBAM 1 - 18 01 16.txt
Administrator: Yes

Version: 2.2.0.1024
Malware Database: v2016.01.18.05
Rootkit Database: v2016.01.09.01
License: Free
Malware Protection: Disabled
Malicious Website Protection: Disabled
Self-protection: Disabled

OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: User_Name_1

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 438372
Time Elapsed: 15 min, 15 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled

Processes: 0
(No malicious items detected)

Modules: 0
(No malicious items detected)

Registry Keys: 2
PUP.Optional.Palikan, HKLM\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES\{0633EE93-D776-472F-A0FF-E1416B8B2E3A}, Quarantined, [44d9fc3fe7b2e84e3726f3dffc0716ea],
PUP.Optional.SearchProtect.AppFlsh, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TREE\avaxvyyvyf, Delete-on-Reboot, [c05d1823badf90a608d583a4c83c1de3],

Registry Values: 5
PUP.Optional.Palikan, HKLM\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}|URL, http://www.palikan.com/results.php?f=4&q={searchTerms}&a=plk_ir_15_50&cd=2XzuyEtN2Y1L1QzuyEzzyD0BtAzy0E0FzyyCzz0DyC0AzyyBtN0D0Tzu0StCyEyEtCtN1L2XzutAtFtCyDtFtAtFtDtN1L1Czu1BtBtN1L1G1B1V1N2Y1L1Qzu2StB0F0DyEzy0E0FtBtGtByDtByCtGtDyDyEtAtGtBtB0E0BtG0FtBzzyBtB0B0Ezy0D0C0Azz2QtN1M1F1B2Z1V1N2Y1L1Qzu2S0B0AtBtCtAyByE0BtG0AtByCzztGyEyByD0BtG0B0B0B0FtG0ByDyE0Fzz0C0EzztB0EtDyD2QtN0A0LzutB&cr=507566118&ir=, Quarantined, [44d9fc3fe7b2e84e3726f3dffc0716ea]
PUP.Optional.Palikan, HKLM\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}|TopResultURLFallback, http://www.palikan.com/results.php?f=4&q={searchTerms}&a=plk_ir_15_50&cd=2XzuyEtN2Y1L1QzuyEzzyD0BtAzy0E0FzyyCzz0DyC0AzyyBtN0D0Tzu0StCyEyEtCtN1L2XzutAtFtCyDtFtAtFtDtN1L1Czu1BtBtN1L1G1B1V1N2Y1L1Qzu2StB0F0DyEzy0E0FtBtGtByDtByCtGtDyDyEtAtGtBtB0E0BtG0FtBzzyBtB0B0Ezy0D0C0Azz2QtN1M1F1B2Z1V1N2Y1L1Qzu2S0B0AtBtCtAyByE0BtG0AtByCzztGyEyByD0BtG0B0B0B0FtG0ByDyE0Fzz0C0EzztB0EtDyD2QtN0A0LzutB&cr=507566118&ir=, Quarantined, [88950a31188195a1372619b91ee5ce32]
PUP.Optional.Palikan, HKLM\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}|FaviconPath, C:\Users\User_Name_1\AppData\LocalLow\Microsoft\Internet Explorer\Services\Palikan.ico, Quarantined, [ff1ed9621c7d2c0ae77631a144bf36ca]
PUP.Optional.Palikan, HKLM\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}, Palikan, Quarantined, [25f82b109504b284d18c943ebb488c74]
PUP.Optional.Palikan, HKLM\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}|DisplayName, Palikan, Quarantined, [b667102bebae9e98ca93be14b152e11f]

Registry Data: 0
(No malicious items detected)

Folders: 3
PUP.Optional.SearchProtect.AppFlsh, C:\Windows\SysWOW64\config\systemprofile\AppData\Local\SearchProtect, Quarantined, [5ebf43f8e3b633031639b3195fa3ec14],
PUP.Optional.SearchProtect.AppFlsh, C:\Windows\SysWOW64\config\systemprofile\AppData\Local\SearchProtect\SearchProtect, Quarantined, [5ebf43f8e3b633031639b3195fa3ec14],
PUP.Optional.SearchProtect.AppFlsh, C:\Windows\SysWOW64\config\systemprofile\AppData\Local\SearchProtect\SearchProtect\rep, Quarantined, [5ebf43f8e3b633031639b3195fa3ec14],

Files: 4
PUP.Optional.Palikan, C:\Users\User_Name_1\AppData\LocalLow\Microsoft\Internet Explorer\Services\Palikan.ico, Quarantined, [9c819aa1d7c2e254ba4a4de4986c38c8],
PUP.Optional.SearchProtect.AppFlsh, C:\Windows\SysWOW64\config\systemprofile\AppData\Local\SearchProtect\SearchProtect\rep\UserRepository.dat, Quarantined, [5ebf43f8e3b633031639b3195fa3ec14],
PUP.Optional.Palikan, C:\Users\User_Name_2\AppData\Roaming\Mozilla\Firefox\Profiles\bb23lera.default\prefs.js, Good: (user_pref("browser.startup.homepage", "https://www.malwarebytes.org/restorebrowser/), Bad: (user_pref("browser.startup.homepage", "http://www.palikan.com), Replaced,[ce4f40fb4c4dd75f1b5a6b79818346ba]
PUP.Optional.Palikan, C:\Users\User_Name_1\AppData\Local\Chromium\User Data\Default\Secure Preferences, Good: ("session":{"restore_on_startup":4,"startup_urls":["https://www.malwarebytes.org/restorebrowser/"]}}), Bad: ("session":{"restore_on_startup":4,"startup_urls":["http://www.palikan.com/?f=7&a=plk_ir_15_50&cd=2XzuyEtN2Y1L1QzuyEzzyD0BtAzy0E0FzyyCzz0DyC0AzyyBtN0D0Tzu0StCyEyEtCtN1L2XzutAtFtCyDtFtAtFtDtN1L1Czu1BtBtN1L1G1B1V1N2Y1L1Qzu2StB0F0DyEzy0E0FtBtGtByDtByCtGtDyDyEtAtGtBtB0E0BtG0FtBzzyBtB0B0Ezy0D0C0Azz2QtN1M1F1B2Z1V1N2Y1L1Qzu2S0B0AtBtCtAyByE0BtG0AtByCzztGyEyByD0BtG0B0B0B0FtG0ByDyE0Fzz0C0EzztB0EtDyD2QtN0A0LzutB&cr=507566118&ir=&uref=chmm"]}}), Replaced,[e73669d2c6d34cea8a50944f93713cc4]

Physical Sectors: 0
(No malicious items detected)


(end)


Malwarebytes Anti-Malware
www.malwarebytes.org

Scan Date: 18/01/2016
Scan Time: 20:48
Logfile: MBAM 2 - 18 01 16.txt
Administrator: No

Version: 2.2.0.1024
Malware Database: v2016.01.18.05
Rootkit Database: v2016.01.09.01
License: Free
Malware Protection: Disabled
Malicious Website Protection: Disabled
Self-protection: Disabled

OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: Limmy

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 296217
Time Elapsed: 24 min, 48 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled

Processes: 0
(No malicious items detected)

Modules: 0
(No malicious items detected)

Registry Keys: 0
(No malicious items detected)

Registry Values: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Folders: 0
(No malicious items detected)

Files: 0
(No malicious items detected)

Physical Sectors: 0
(No malicious items detected)


(end)
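A helper triaging logs like the ones above usually wants a summary before reading every row. The following Python is an added example, not from the thread and not Malwarebytes' own tooling: it parses the MBAM 2.x section headers and detection rows into per-family and per-action counts, flags a pending Delete-on-Reboot entry, and reports any section whose header count disagrees with the rows listed under it. The sample log is a constructed, shortened copy of the first MBAM log posted above, with two of the three Folders rows deliberately dropped.

```python
"""Summarise a Malwarebytes Anti-Malware 2.x scan log (added example)."""
import re
from collections import Counter

# Section headers such as 'Registry Keys: 2' or 'Files: 4'.
SECTION_RE = re.compile(
    r"^(Processes|Modules|Registry Keys|Registry Values|Registry Data|"
    r"Folders|Files|Physical Sectors): (\d+)$"
)
# Detection rows: '<family>, <object...>, <action>, [<32-hex id>],'.
# The object part may itself contain commas (the Good:/Bad: browser-pref
# rows), so the action is pinned from the right and the object is greedy.
ROW_RE = re.compile(
    r"^(?P<family>[^,]+), (?P<obj>.+), "
    r"(?P<action>Quarantined|Delete-on-Reboot|Replaced),\s*"
    r"\[(?P<id>[0-9a-f]{32})\],?$"
)


def parse_mbam_log(text):
    """Return (detections, header_counts) for an MBAM 2.x log body."""
    detections, header_counts, section = [], {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1)
            header_counts[section] = int(m.group(2))
            continue
        m = ROW_RE.match(line)
        if m and section is not None:
            detections.append({"section": section, **m.groupdict()})
    return detections, header_counts


def summarise(text):
    """Counts per family and per action, plus header/row mismatches."""
    detections, header_counts = parse_mbam_log(text)
    by_family = Counter(d["family"] for d in detections)
    by_action = Counter(d["action"] for d in detections)
    rows_per_section = Counter(d["section"] for d in detections)
    mismatched = sorted(
        s for s, n in header_counts.items() if rows_per_section.get(s, 0) != n
    )
    return {
        "by_family": dict(by_family),
        "by_action": dict(by_action),
        # Delete-on-Reboot means the object is still present until a restart.
        "reboot_needed": by_action.get("Delete-on-Reboot", 0) > 0,
        "mismatched_sections": mismatched,
    }


# Constructed sample: a shortened copy of the first MBAM log in the thread.
# Only one of the three 'Folders' rows is kept so the mismatch check fires.
SAMPLE_MBAM_LOG = r"""
Scan Type: Threat Scan
Result: Completed

Processes: 0
(No malicious items detected)

Registry Keys: 2
PUP.Optional.Palikan, HKLM\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES\{0633EE93-D776-472F-A0FF-E1416B8B2E3A}, Quarantined, [44d9fc3fe7b2e84e3726f3dffc0716ea],
PUP.Optional.SearchProtect.AppFlsh, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TREE\avaxvyyvyf, Delete-on-Reboot, [c05d1823badf90a608d583a4c83c1de3],

Folders: 3
PUP.Optional.SearchProtect.AppFlsh, C:\Windows\SysWOW64\config\systemprofile\AppData\Local\SearchProtect, Quarantined, [5ebf43f8e3b633031639b3195fa3ec14],

Files: 1
PUP.Optional.Palikan, C:\Users\User_Name_2\AppData\Roaming\Mozilla\Firefox\Profiles\bb23lera.default\prefs.js, Good: (user_pref("browser.startup.homepage", "https://www.malwarebytes.org/restorebrowser/), Bad: (user_pref("browser.startup.homepage", "http://www.palikan.com), Replaced,[ce4f40fb4c4dd75f1b5a6b79818346ba]

(end)
"""

if __name__ == "__main__":
    for key, value in summarise(SAMPLE_MBAM_LOG).items():
        print(f"{key}: {value}")
```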



#8
January 19, 2016 at 12:45:54
"If it is possible to upload the logs as attachments, please let me know how to do this"
Not possible.
"I look forward to reading any analysis of them"
Thanks buckie, we are on the right track, here is the next step.

Please download Farbar Recovery Scan Tool and save it onto your Desktop. If your default download location is not the Desktop, drag it out of its location onto the Desktop.
http://www.bleepingcomputer.com/dow...
If we have to run Farbar more than once, refer to this SS.
http://i.imgur.com/yUxNw0j.gif
Note: You need to run the version compatible with your system. If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.
Double-click to run it. When the tool opens click Yes to disclaimer.
Press Scan button.
It will make a log (FRST.txt) on the Desktop.
The first time the tool is run, it makes also another log (Addition.txt).
The logs are large, upload them using Zippy ( No account/registration needed ) or upload to a site of your choosing. Give us the links please.
http://www.zippyshare.com/
Instructions on how to use ZippyShare.
http://i.imgur.com/naG6t2T.gif
http://i.imgur.com/Vi9ZdIh.gif
http://i.imgur.com/1IZu5kP.gif



#9
January 21, 2016 at 13:15:23
Hi, I downloaded and ran the Farbar Recovery Scan Tool. I generated two logs. The zippy links for these logs and the logs for other software I ran are below. Thanks for any help you can give me.

FRST - http://www105.zippyshare.com/v/xmIk...

Addition - http://www3.zippyshare.com/v/LvHLBv...

AdwCleaner - http://www53.zippyshare.com/v/iAEke...

JRT - http://www20.zippyshare.com/v/NHqkK...

Malwarebytes (with 'rootkit' option deselected) -
http://www59.zippyshare.com/v/bcKnP...

Malwarebytes (with 'rootkit' option selected) -
http://www45.zippyshare.com/v/vtDhm...



#10
January 21, 2016 at 13:40:15
Thanks buckie, back in about 20 mins.


#11
January 21, 2016 at 14:01:39
Copy & Paste the text in Blue below & save it into Notepad on your Desktop & name it fixlist.txt
NOTE: It is important that Notepad is used. The fix will not work if Word or some other program is used.
NOTE: It is important that both files, FRST/FRST64 and fixlist.txt are in the same location or the fix will not work.
NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.

CreateRestorePoint:
emptytemp:
closeprocesses:
ShortcutWithArgument: C:\Users\User_Name_3\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Google Chrome.lnk -> C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (Google Inc.) -> hxxp://www.key-find.com/?type=sc&ts=1424691600&from=key7&uid=3219913727_67194_0A556A97
HKU\S-1-5-21-1076340520-3992044991-2602661625-1002\...\MountPoints2: F - F:\Enterprise_Launcher.exe
HKU\S-1-5-21-1076340520-3992044991-2602661625-1002\...\MountPoints2: {8e15f35f-ffe2-11e1-8825-0008549aee6c} - F:\Enterprise_Launcher.exe
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=msnhome
SearchScopes: HKLM -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKLM -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
FF Homepage: hxxp://www.google.ie/
FF Plugin: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin-x32: @microsoft.com/GENUINE -> disabled [No File]

Open FRST/FRST64 and press the Fix button just once and wait.
If for some reason the tool needs a restart, please make sure you let the system restart normally. After that, let the tool complete its run.
When finished FRST will generate a log on the Desktop (Fixlog.txt). Please Copy & Paste the contents into your reply.



#12
January 22, 2016 at 11:23:32
Johnw, thanks for your help. Please answer this question for me: should I be logged in as administrator when carrying out this operation? I ask this question because User_Name_3 is a limited user account. Thanks.


#13
January 22, 2016 at 14:04:39
All you can do buckie, is try.


#14
January 25, 2016 at 12:20:04
Hi, I ran FRST64 and the contents of the Fixlog file are below. The file can also be accessed with the zippy link:
http://www93.zippyshare.com/v/1Ipb1...

Also, FRST64 stalled and I was forced to close it with Task Manager (about 2 hours after the Fixlog file was created). I don't know if the stalling had an effect on the contents of the Fixlog file.

I look forward to reading any analysis of the file I have uploaded. Thank you.

Fix result of Farbar Recovery Scan Tool (x64) Version:18-01-2016
Ran by User_Name_1 (2016-01-24 21:00:38) Run:1
Running from C:\Users\User_Name_1
Loaded Profiles: User_Name_1 (Available Profiles: User_Name_2 & User_Name_1 & User_Name_3)
Boot Mode: Normal
==============================================

fixlist content:
*****************
CreateRestorePoint:
emptytemp:
closeprocesses:
ShortcutWithArgument: C:\Users\User_Name_1\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Google Chrome.lnk -> C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (Google Inc.) -> hxxp://www.key-find.com/?type=sc&ts=1424691600&from=key7&uid=3219913727_67194_0A556A97
HKU\S-1-5-21-1076340520-3992044991-2602661625-1002\...\MountPoints2: F - F:\Enterprise_Launcher.exe
HKU\S-1-5-21-1076340520-3992044991-2602661625-1002\...\MountPoints2: {8e15f35f-ffe2-11e1-8825-0008549aee6c} - F:\Enterprise_Launcher.exe
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=msnhome
SearchScopes: HKLM -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKLM -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
FF Homepage: hxxp://www.google.ie/
FF Plugin: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin-x32: @microsoft.com/GENUINE -> disabled [No File]
*****************

Restore point was successfully created.
Processes closed successfully.
C:\Users\User_Name_1\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Google Chrome.lnk => Shortcut argument removed successfully.
HKU\S-1-5-21-1076340520-3992044991-2602661625-1002\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\F => key not found.
HKU\S-1-5-21-1076340520-3992044991-2602661625-1002\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{8e15f35f-ffe2-11e1-8825-0008549aee6c} => key not found.
HKCR\CLSID\{8e15f35f-ffe2-11e1-8825-0008549aee6c} => key not found.
"HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer" => key removed successfully
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main\\Search Page => value removed successfully
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main\\Start Page => value removed successfully
HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => value restored successfully
HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A} => key not found.
HKCR\CLSID\{0633EE93-D776-472f-A0FF-E1416B8B2E3A} => key not found.
Firefox "homepage" removed successfully
"HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE" => key removed successfully
"HKLM\Software\Wow6432Node\MozillaPlugins\@microsoft.com/GENUINE" => key removed successfully



#15
January 25, 2016 at 12:47:26
"I look forward to reading any analysis of the file I have uploaded"
The file is incomplete.

Can I have the rest of the log after this line.
"HKLM\Software\Wow6432Node\MozillaPlugins\@microsoft.com/GENUINE" => key removed successfully"



#16
January 25, 2016 at 12:53:53
Johnw, thanks for your quick reply. That's where the file ends. Should I run the program again?


#17
January 25, 2016 at 13:23:03
"Should I run the program again?"
No.

These you put into the instructions.

"CreateRestorePoint:
emptytemp:
closeprocesses:"

emptytemp is missing at the end of the fixlog.
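The check made in this post, that `emptytemp` never reports back at the end of the Fixlog, can be automated. This Python is an added example, not part of the thread and not FRST's own code: it pulls the directives out of the "fixlist content:" block of a Fixlog.txt and verifies that each of the three housekeeping directives has its result line and that the log reached its "==== End of Fixlog" footer. The directive-to-result mapping is an assumption drawn from the two Fixlogs in this thread, and the two sample logs are shortened, constructed versions of them.

```python
"""Check a Farbar (FRST) Fixlog.txt for completeness (added example)."""
import re

# How the three housekeeping directives report back in the result section.
# Assumption: taken from the two Fixlogs posted in this thread.
DIRECTIVE_RESULTS = {
    "createrestorepoint:": re.compile(r"^Restore point was successfully created\.$"),
    "closeprocesses:": re.compile(r"^Processes closed successfully\.$"),
    "emptytemp:": re.compile(r"^EmptyTemp: =>"),
}
# Every other directive (registry key, SearchScopes, Task, ...) reports as
# '<item> => <outcome>'; one directive may yield several such lines.
GENERIC_RESULT = re.compile(r" => ")
END_MARKER = "==== End of Fixlog"


def split_fixlog(text):
    """Return (directives, result_lines) from a Fixlog body."""
    lines = [ln.rstrip() for ln in text.splitlines()]
    if "fixlist content:" not in lines:
        raise ValueError("no 'fixlist content:' section found")
    start = lines.index("fixlist content:")
    # The echoed fixlist sits between two rows of asterisks.
    stars = [i for i, ln in enumerate(lines) if i > start and ln.startswith("*****")]
    if len(stars) < 2:
        raise ValueError("fixlist section is not delimited by ***** rows")
    directives = [ln.strip() for ln in lines[stars[0] + 1:stars[1]] if ln.strip()]
    results = [ln for ln in lines[stars[1] + 1:] if ln]
    return directives, results


def check_fixlog(text):
    """Verdict on whether the fix run produced every expected result line."""
    directives, results = split_fixlog(text)
    missing = []
    for d in directives:
        pattern = DIRECTIVE_RESULTS.get(d.lower())
        if pattern is not None and not any(pattern.search(r) for r in results):
            missing.append(d)
    item_directives = [d for d in directives if d.lower() not in DIRECTIVE_RESULTS]
    housekeeping = list(DIRECTIVE_RESULTS.values())
    item_results = [
        r for r in results
        if GENERIC_RESULT.search(r) and not any(p.search(r) for p in housekeeping)
    ]
    ended = any(r.startswith(END_MARKER) for r in results)
    return {
        "complete": ended and not missing,
        "missing": missing,
        "ended": ended,
        # Informational: item directives vs. '=>' outcome lines (a directive
        # may produce more than one outcome line, so these need not match).
        "item_directives": len(item_directives),
        "item_results": len(item_results),
    }


# Constructed samples: shortened copies of the two Fixlogs in this thread.
# The first stalled before EmptyTemp ran; the second ran to its footer.
FIXLOG_TRUNCATED = r"""
Fix result of Farbar Recovery Scan Tool (x64) Version:18-01-2016
Boot Mode: Normal
==============================================

fixlist content:
*****************
CreateRestorePoint:
emptytemp:
closeprocesses:
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
SearchScopes: HKLM -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
*****************

Restore point was successfully created.
Processes closed successfully.
"HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer" => key removed successfully
HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A} => key not found.
"""

FIXLOG_COMPLETE = r"""
fixlist content:
*****************
CreateRestorePoint:
emptytemp:
closeprocesses:
Task: {F84BB038-B783-4427-8038-11208D050B4F} - \avaxvyyvyf -> No File <==== ATTENTION
*****************

Restore point was successfully created.
Processes closed successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{F84BB038-B783-4427-8038-11208D050B4F}" => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\avaxvyyvyf => key not found.
EmptyTemp: => 303.1 MB temporary data Removed.

The system needed a reboot.

==== End of Fixlog 12:10:47 ====
"""

if __name__ == "__main__":
    for name, log in (("truncated", FIXLOG_TRUNCATED), ("complete", FIXLOG_COMPLETE)):
        print(name, check_fixlog(log))
```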



#18
January 25, 2016 at 13:31:23
"I don't know if the stalling had an effect on the contents of the Fixlog file"
That is probably the reason buckie, I will move on for now.

Run DelFix. Copy & Paste the contents of the log please.
https://toolslib.net/downloads/view...
DelFix is designed to delete all removal tools used during a disinfection.
Indeed, these tools are often updated. It is recommended not to keep and use outdated versions on the computer.
Run the tool by right click on the DelFix icon and Run as administrator option.
Make sure that these are checked:
Activate UAC (optional; some users prefer to keep it off)
Remove disinfection tools
Create registry backup
Purge system restore
Reset system settings
Click Run and wait until the tool completes its work.
The tool will create a report for you (C:\DelFix.txt)



#19
January 31, 2016 at 08:17:22
Hi, I ran DelFix and it generated the DelFix.txt report, the contents of which are below. I look forward to reading any analysis of the logs I have uploaded. Thanks for your help.

# DelFix v1.011 - Logfile created 31/01/2016 at 16:09:55
# Updated 18/08/2015 by Xplode
# Username : User_Name_2 -PC
# Operating System : Windows 7 Home Premium Service Pack 1 (64 bits)

~ Activating UAC ... OK

~ Removing disinfection tools ...

Deleted : C:\Qoobox
Deleted : C:\FRST
Deleted : C:\AdwCleaner
Deleted : C:\ComboFix.txt
Deleted : C:\Users\Whacker\Desktop\JRT.txt
Deleted : C:\Windows\grep.exe
Deleted : C:\Windows\PEV.exe
Deleted : C:\Windows\NIRCMD.exe
Deleted : C:\Windows\MBR.exe
Deleted : C:\Windows\SED.exe
Deleted : C:\Windows\SWREG.exe
Deleted : C:\Windows\SWSC.exe
Deleted : C:\Windows\SWXCACLS.exe
Deleted : C:\Windows\Zip.exe
Deleted : HKLM\SOFTWARE\AdwCleaner
Deleted : HKLM\SOFTWARE\Swearware

~ Creating registry backup ... OK

~ Cleaning system restore ...

Deleted : RP #540 [Restore Point Created by FRST | 01/24/2016 21:00:53]
Deleted : RP #541 [Windows Update | 01/25/2016 20:36:39]
Deleted : RP #542 [Windows Update | 01/31/2016 12:19:44]

New restore point created !

~ Resetting system settings ... OK

########## - EOF - ##########

message edited by buckie



#20
January 31, 2016 at 14:03:23
These items need your attention. System Restore may be deliberate. Being a User, you may not be able to do everything as requested.

Run FRST again please, this time, as per previous instructions, from the Desktop, not > Running from C:\Users\User_Name_3\Downloads
Also, right click on the FRST.exe & select > Run as Administrator.

Download the latest version and save it onto your Desktop. If your default download location is not the Desktop, drag it out of its location onto the Desktop.
Run Farbar again please, follow this SS & upload the 2 new logs.
http://i.imgur.com/i3fg3Pf.gif

Extract from the Addition log.
ATTENTION: System Restore is disabled

Extract from the FRST log.
ATTENTION: ==> Could not access BCD. The user is not administrator.

message edited by Johnw



#21
February 21, 2016 at 02:54:40
Apologies for taking so long to submit this follow up.

FRST.txt
http://www7.zippyshare.com/v/Fe3NVY...

Addition.txt
http://www7.zippyshare.com/v/svsb6E...

I look forward to reading your comments/feedback. Thanks for your help.



#22
February 21, 2016 at 03:11:43
I'm now online buckie, back in 1/2 an hour, if you are still there.


#23
February 21, 2016 at 03:37:13
Copy & Paste the text in Blue below & save it into Notepad on your Desktop & name it fixlist.txt
NOTE: It is important that Notepad is used. The fix will not work if Word or some other program is used.
NOTE: It is important that both files, FRST64 and fixlist.txt are in the same location or the fix will not work.
NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.

CreateRestorePoint:
emptytemp:
closeprocesses:
Task: {F84BB038-B783-4427-8038-11208D050B4F} - \avaxvyyvyf -> No File <==== ATTENTION
ShellIconOverlayIdentifiers: [DropboxExt1] -> {FB314ED9-A251-47B7-93E1-CDD82E34AF8B} => No File
ShellIconOverlayIdentifiers: [DropboxExt2] -> {FB314EDA-A251-47B7-93E1-CDD82E34AF8B} => No File
ShellIconOverlayIdentifiers: [DropboxExt3] -> {FB314EDB-A251-47B7-93E1-CDD82E34AF8B} => No File
ShellIconOverlayIdentifiers: [DropboxExt4] -> {FB314EDC-A251-47B7-93E1-CDD82E34AF8B} => No File
ShortcutTarget: Dropbox.lnk -> C:\Users\User_1\AppData\Roaming\Dropbox\bin\Dropbox.exe (No File)
HKU\S-1-5-21-1076340520-3992044991-2602661625-1001\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
HKU\S-1-5-21-1076340520-3992044991-2602661625-1001\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
SearchScopes: HKLM -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKLM -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-21-1076340520-3992044991-2602661625-1001 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =

Open FRST64 and press the Fix button just once and wait.
If for some reason the tool needs a restart, please make sure you let the system restart normally. After that, let the tool complete its run.
When finished FRST will generate a log on the Desktop (Fixlog.txt). Please Copy & Paste the contents into your reply.

message edited by Johnw



#24
February 22, 2016 at 01:32:14
johnw, thanks for your reply. I will carry out your instructions but I would be very grateful if you could explain the principles behind these instructions. Firstly, is it possible to say that the device setups that were causing me a problem are no longer present on my PC?

In recent weeks, I have been running scans, uploading logs, copying files with the text that you have posted, running more scans and uploading more logs. However, I don't know the significance of the logs I am generating or what the intention is behind your suggestions. And I don't understand what I can expect to ultimately achieve.

I appreciate your help but I would like to get a better understanding of what the checks I am making and I hope that you can help with that too.



#25
March 5, 2016 at 04:35:08
Hi, I ran FRST64. The contents of the Fixlog.txt file are below. I look forward to reading your interpretation of it. Thanks for your help.

Fix result of Farbar Recovery Scan Tool (x64) Version:05-03-2016
Ran by User_Name_1 (2016-03-05 12:08:34) Run:1
Running from C:\Users\User_Name_1\Desktop
Loaded Profiles: User_Name_1 (Available Profiles: User_Name_2 & User_Name_1 & User_Name_3)
Boot Mode: Normal
==============================================

fixlist content:
*****************
CreateRestorePoint:
emptytemp:
closeprocesses:
Task: {F84BB038-B783-4427-8038-11208D050B4F} - \avaxvyyvyf -> No File <==== ATTENTION
ShellIconOverlayIdentifiers: [DropboxExt1] -> {FB314ED9-A251-47B7-93E1-CDD82E34AF8B} => No File
ShellIconOverlayIdentifiers: [DropboxExt2] -> {FB314EDA-A251-47B7-93E1-CDD82E34AF8B} => No File
ShellIconOverlayIdentifiers: [DropboxExt3] -> {FB314EDB-A251-47B7-93E1-CDD82E34AF8B} => No File
ShellIconOverlayIdentifiers: [DropboxExt4] -> {FB314EDC-A251-47B7-93E1-CDD82E34AF8B} => No File
ShortcutTarget: Dropbox.lnk -> C:\Users\User_1\AppData\Roaming\Dropbox\bin\Dropbox.exe (No File)
HKU\S-1-5-21-1076340520-3992044991-2602661625-1001\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
HKU\S-1-5-21-1076340520-3992044991-2602661625-1001\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
SearchScopes: HKLM -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKLM -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-21-1076340520-3992044991-2602661625-1001 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
*****************

Restore point was successfully created.
Processes closed successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{F84BB038-B783-4427-8038-11208D050B4F}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{F84BB038-B783-4427-8038-11208D050B4F}" => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\avaxvyyvyf => key not found.
"HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\DropboxExt1" => key removed successfully
HKCR\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B} => key not found.
"HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\DropboxExt2" => key removed successfully
HKCR\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B} => key not found.
"HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\DropboxExt3" => key removed successfully
HKCR\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B} => key not found.
"HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\DropboxExt4" => key removed successfully
HKCR\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B} => key not found.
C:\Users\User_1\AppData\Roaming\Dropbox\bin\Dropbox.exe => not found.
"HKU\S-1-5-21-1076340520-3992044991-2602661625-1001\SOFTWARE\Policies\Microsoft\Internet Explorer" => key removed successfully
HKU\S-1-5-21-1076340520-3992044991-2602661625-1001\Software\Microsoft\Internet Explorer\Main\\Search Page => value restored successfully
HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => value restored successfully
"HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}" => key removed successfully
HKCR\CLSID\{0633EE93-D776-472f-A0FF-E1416B8B2E3A} => key not found.
HKU\S-1-5-21-1076340520-3992044991-2602661625-1001\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => value removed successfully
EmptyTemp: => 303.1 MB temporary data Removed.


The system needed a reboot.

==== End of Fixlog 12:10:47 ====



#26
March 5, 2016 at 05:25:15
"I look forward to reading your interpretation of it"
At the moment buckie, I am sorting out the existing problems, with a bit of luck we will also solve your original problem > Winpatrol detect Device Setups trying to install themselves?

Your firewall is configured to block these. Is that deliberate?

FirewallRules: [TCP Query User{ACFAA559-C83B-44FF-A5A6-4DB293B96BEF}C:\users\User_3\appdata\roaming\dropbox\bin\dropbox.exe] => (Block) C:\users\User_3\appdata\roaming\dropbox\bin\dropbox.exe
FirewallRules: [UDP Query User{F9C26352-E1BF-4177-BC7F-39FE116563B6}C:\users\User_3\appdata\roaming\dropbox\bin\dropbox.exe] => (Block) C:\users\User_3\appdata\roaming\dropbox\bin\dropbox.exe
FirewallRules: [TCP Query User{CC75D1E7-D83D-404A-8749-1F2AFDD4BD4A}C:\program files (x86)\mozilla firefox\firefox.exe] => (Block) C:\program files (x86)\mozilla firefox\firefox.exe
FirewallRules: [UDP Query User{62F49A01-209D-4520-834A-B0FF13DA6E59}C:\program files (x86)\mozilla firefox\firefox.exe] => (Block) C:\program files (x86)\mozilla firefox\firefox.exe

Here is how a USER got the problems; no AV would have prevented USER error. Go to any malware forum and, no matter what AV they have installed, they got infected.

As you can see from your logs, you had stuff (PUPs) installed that you do not know how it got installed.
A lot of programs now give you the choice to install toolbars and other extras during the install. Either uncheck these items during install, or use Custom install. No more click, click during an install; you have to read after each click.

Or, use Unchecky to help prevent these third-party installs. Nothing is perfect, the baddies are always ahead of the goodies, so be vigilant.
http://www.softpedia.com/get/System...
http://www.freewarefiles.com/Unchec...
http://unchecky.com/
A reliable application that aims to protect your computer against third-party components often offered during software installations.

WARNING: CNET Download.com downloads now come bundled with opt-out crapware and toolbars ( Same applies to Softonic & Brothersoft )
http://www.groovypost.com/unplugged...

I use Softpedia & FreewareFiles.com, they make you aware what Ad-supported programs the author of the program has included.
http://win.softpedia.com/index.free...
http://www.freewarefiles.com/new_fi...
Sample pages
http://www.softpedia.com/get/CD-DVD...
First and foremost, extra attention needs to be paid during installation as ImgBurn offers to create desktop shortcuts to third-party apps, as well as install a browser toolbar onto the host computer, which are not required to ensure the smooth running of the app.
Screenshots of the above.
http://i.imgur.com/jgGYNsP.gif
http://i.imgur.com/rqSpp1e.gif
This is what ImgBurn tries to install.
http://i.imgur.com/ms4DzE9.gif
http://i.imgur.com/vVkd39a.gif
http://i.imgur.com/rqFVaHs.gif
http://i.imgur.com/sm1T7h6.gif
http://i.imgur.com/vhkKLYo.gif


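The FRST lines quoted in this thread (the fixlist entries above and the FirewallRules lines in #26) are what a helper reads first. The script below is an added example, not FRST's own code and not part of any post here: it classifies FRST-style lines into the three things worth a second look, entries whose target no longer exists ("No File"), entries FRST itself tagged ATTENTION, and firewall rules that Block a program, and notes whether a blocked program lives under a per-user AppData path. The sample input is constructed from the lines quoted in this thread plus one made-up Allow rule ("ConstructedAllowRule") to show that Allow rules are ignored.

```python
"""Triage FRST-style log lines.

Added example for this thread; not FRST's code and not part of the original
posts. Feed it the Addition.txt / FRST.txt lines you would otherwise read by eye.
"""
import re
from typing import List, Optional, Tuple

# FRST prints "No File" / "(No File)" when a registry entry, task or shortcut
# points at a file that is no longer on disk (leftover of an uninstall or cleanup).
ORPHAN_MARK = re.compile(r"\bNo File\b")

# Task: {GUID} - \name -> No File
TASK_RE = re.compile(r"^Task:\s*\{[^}]+\}\s*-\s*\\?(?P<name>\S+)\s*->\s*No File")

# FirewallRules: [rule name] => (Allow|Block) path\to\program.exe
FIREWALL_RE = re.compile(
    r"^FirewallRules:\s*\[(?P<name>[^\]]+)\]\s*=>\s*\((?P<action>Allow|Block)\)\s*(?P<path>.+?)\s*$",
    re.IGNORECASE,
)

# Per-user install locations. A rule for a binary here is not wrong by itself
# (Dropbox installs per user), but it is also where droppers and PUPs live.
USER_WRITABLE = re.compile(r"\\users\\[^\\]+\\appdata\\", re.IGNORECASE)

Finding = Tuple[str, str, bool]  # (kind, detail, flagged_by_frst)


def classify(line: str) -> Optional[Finding]:
    """Classify one FRST line; None means nothing worth a second look."""
    attention = "ATTENTION" in line
    m = FIREWALL_RE.match(line)
    if m:
        if m.group("action").lower() != "block":
            return None  # Allow rules are the normal case
        path = m.group("path")
        where = "user-writable" if USER_WRITABLE.search(path) else "program-files"
        return ("firewall_block", f"{path} [{where}]", attention)
    m = TASK_RE.match(line)
    if m:
        # A scheduled task under a GUID with a random-looking name and no file
        # behind it is the classic leftover of an adware/PUP install.
        return ("orphan_task", m.group("name"), attention)
    if ORPHAN_MARK.search(line):
        key = line.split(":", 1)[0].strip()  # e.g. ShellIconOverlayIdentifiers
        return ("orphan_" + key.lower(), line, attention)
    if attention:
        return ("attention", line, True)
    return None


def triage(lines: List[str]) -> List[Finding]:
    """Run classify() over a log and keep only the findings, in file order."""
    return [f for f in (classify(l.strip()) for l in lines if l.strip()) if f]


# Constructed sample: the entries quoted in this thread plus one Allow rule
# whose name "ConstructedAllowRule" is made up for the example.
SAMPLE = r"""
Task: {F84BB038-B783-4427-8038-11208D050B4F} - \avaxvyyvyf -> No File <==== ATTENTION
ShellIconOverlayIdentifiers: [DropboxExt1] -> {FB314ED9-A251-47B7-93E1-CDD82E34AF8B} => No File
ShortcutTarget: Dropbox.lnk -> C:\Users\User_1\AppData\Roaming\Dropbox\bin\Dropbox.exe (No File)
HKU\S-1-5-21-1076340520-3992044991-2602661625-1001\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
FirewallRules: [TCP Query User{ACFAA559-C83B-44FF-A5A6-4DB293B96BEF}C:\users\User_3\appdata\roaming\dropbox\bin\dropbox.exe] => (Block) C:\users\User_3\appdata\roaming\dropbox\bin\dropbox.exe
FirewallRules: [TCP Query User{CC75D1E7-D83D-404A-8749-1F2AFDD4BD4A}C:\program files (x86)\mozilla firefox\firefox.exe] => (Block) C:\program files (x86)\mozilla firefox\firefox.exe
FirewallRules: [ConstructedAllowRule] => (Allow) C:\Program Files\Example\example.exe
"""

if __name__ == "__main__":
    for kind, detail, flagged in triage(SAMPLE.splitlines()):
        print(f"{kind:<36} {'!' if flagged else ' '} {detail}")
```

A "Query User" rule name, as in the two Block rules above, is what Windows Firewall creates when someone answers the "allow this program?" prompt, so a Block rule of that shape usually means the prompt was dismissed with "Cancel" at some point rather than that malware wrote the rule; the script only surfaces it so the owner can decide, as #26 asks.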

#27
March 6, 2016 at 08:16:16
Thanks for your help, johnw.

I have no recollection of blocking either Dropbox or Firefox. I use both whenever I use my PC and I am not aware of any restriction in using either program as a result of these firewall rules. So this is a surprise to me.

As for the PUPs, I am careful when installing software but obviously, on at least one occasion (that I cannot recall), I was not careful enough.



#28
March 6, 2016 at 14:58:54
Next step buckie.

Download Security Check by screen317 from one of the following links and save it onto your Desktop. If your default download location is not the Desktop, drag it out of its location onto the Desktop.
http://screen317.spywareinfoforum.o...
http://screen317.changelog.fr/Secur...
Please restart the computer before running this security check.
* Double click SecurityCheck.exe. If you run Windows Vista or 7/8, right click and choose 'Run as Administrator'.
o If you are asked by Windows to run this program or not, please click 'Yes' or 'Run'.
o When you see a console window, press any key to continue scanning.
o Wait while it scans.
o If your firewall alerts you of Security Check, please press 'Allow' or similar.
* A Notepad document should open automatically after scan is completed. It will be called checkup.txt; Please Copy and Paste the contents into your reply.
Note: If a security program requests permission from dig.exe to access the Internet, allow it to do so.



#29
March 10, 2016 at 12:19:18
I ran SecurityCheck.exe and the contents of checkup.txt are below. I would be very grateful for anyone's interpretation of it.

Also, I downloaded SecurityCheck.exe from
http://www.bleepingcomputer.com/dow...
(the links in the post above are dead - and I think that it's useful to mention it)

Results of screen317's Security Check version 1.014 --- 12/23/15
Windows 7 Service Pack 1 x64 (UAC is enabled)
Internet Explorer 11
``````````````Antivirus/Firewall Check:``````````````
Windows Firewall Enabled!
Microsoft Security Essentials
Antivirus up to date!
`````````Anti-malware/Other Utilities Check:`````````
WinPatrol
Secunia PSI
Java 8 Update 66
Adobe Flash Player 20.0.0.306
Mozilla Firefox (44.0.2)
Google Chrome (48.0.2564.109)
Google Chrome (48.0.2564.116)
````````Process Check: objlist.exe by Laurent````````
Microsoft Security Essentials MSMpEng.exe
Microsoft Security Essentials msseces.exe
WinPatrol winpatrol.exe
Ruiware WinPatrol WinPatrol.exe
`````````````````System Health check`````````````````
Total Fragmentation on Drive C: 1%
````````````````````End of Log``````````````````````



#30
March 10, 2016 at 14:53:57
"(the links in the post above are dead - and I think that it's useful to mention it)"
Thank you.

"I would be very grateful for anyone's interpretation of it"
No conflicts, all up to date.

Extract from your logs.

"Description: A timeout (30000 milliseconds) was reached while waiting for a transaction response from the lmhosts service.
Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume1\Users\User_1\AppData\Local\Temp\OnlineScanner\Anti-Virus\fsgk.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.
Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume1\Users\User_1\AppData\Local\Temp\OnlineScanner\Anti-Virus\fsgk.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source."

I would uninstall the remnants of F-Secure using their tool, if you haven't already done so.

F-Secure Uninstallation Tool
http://www.freewarefiles.com/F-Secu...
http://www.softpedia.com/get/Tweak/...
http://www.bleepingcomputer.com/dow...

message edited by Johnw


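The two "unable to verify the image integrity" descriptions quoted in #30 name a driver under the user's Temp folder, which is why the reply points at leftovers of the F-Secure online scanner. The script below is an added example, not part of the original posts and not FRST's or Microsoft's code: it takes "Description:" lines of the kind FRST copies out of the event log, pulls the image path out of the integrity events, turns the native \Device\HarddiskVolumeN\ prefix into a drive letter, says where the driver was loaded from (Temp, System32\drivers, elsewhere) and counts repeats. The volume-to-letter map is an assumption made for the example (volume 1 taken to be C: on this single-disk machine); the sample input is constructed from the three lines quoted above. The script does not verify signatures; it only tells you which file to go and look at, and the event text itself says only that the file's hash was not found in a catalog, not that the file is malicious.

```python
"""Pick apart Windows code-integrity event descriptions.

Added example for this thread; not part of the original posts and not the
code of any tool named here.
"""
import re
from collections import Counter
from typing import Dict, List, Optional

INTEGRITY_RE = re.compile(
    r"unable to verify the image integrity of the file\s+"
    r"(?P<native>\\Device\\HarddiskVolume(?P<vol>\d+)\\\S+)\s+because",
    re.IGNORECASE,
)

# Assumed mapping for this example only. On a real machine read it from
# "mountvol" (or Win32_Volume via WMI) instead of hard-coding it.
VOLUME_TO_DRIVE = {"1": "C:"}

# Where a kernel driver normally lives vs. where on-demand scanners and
# droppers put them. Order matters: Temp is checked before the generic profile rule.
LOCATION_RULES = [
    ("temp", re.compile(r"\\(AppData\\Local\\Temp|Windows\\Temp)\\", re.IGNORECASE)),
    ("system-drivers", re.compile(r"\\Windows\\System32\\drivers\\", re.IGNORECASE)),
    ("user-profile", re.compile(r"^[A-Z]:\\Users\\", re.IGNORECASE)),
]


def to_drive_path(native: str, vol: str) -> Optional[str]:
    """\\Device\\HarddiskVolume1\\x -> C:\\x, or None if the volume is unmapped."""
    drive = VOLUME_TO_DRIVE.get(vol)
    if drive is None:
        return None
    prefix = f"\\Device\\HarddiskVolume{vol}"
    return drive + native[len(prefix):]


def locate(drive_path: str) -> str:
    for label, rx in LOCATION_RULES:
        if rx.search(drive_path):
            return label
    return "other"


def parse_events(lines: List[str]) -> List[Dict[str, object]]:
    """One record per distinct image, with how many times the event repeated."""
    seen: Counter = Counter()
    info: Dict[str, Dict[str, object]] = {}
    for line in lines:
        m = INTEGRITY_RE.search(line)
        if not m:
            continue  # e.g. the lmhosts timeout line, which is unrelated
        native, vol = m.group("native"), m.group("vol")
        seen[native] += 1
        if native not in info:
            drive_path = to_drive_path(native, vol)
            info[native] = {
                "native": native,
                "path": drive_path,
                "file": native.rsplit("\\", 1)[-1],
                "location": locate(drive_path) if drive_path else "unmapped-volume",
            }
    for native, rec in info.items():
        rec["count"] = seen[native]
    return list(info.values())


# Constructed sample: the three Description lines quoted in this thread.
SAMPLE = r"""
Description: A timeout (30000 milliseconds) was reached while waiting for a transaction response from the lmhosts service.
Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume1\Users\User_1\AppData\Local\Temp\OnlineScanner\Anti-Virus\fsgk.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.
Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume1\Users\User_1\AppData\Local\Temp\OnlineScanner\Anti-Virus\fsgk.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.
"""

if __name__ == "__main__":
    for rec in parse_events(SAMPLE.splitlines()):
        print(f"{rec['count']}x {rec['file']} from {rec['location']}: {rec['path']}")
```

A driver that Windows tried to load from a Temp directory is exactly the case to resolve rather than ignore: if the folder (here OnlineScanner under the user's Temp) is still present after the scanner is gone, that is the remnant the reply suggests removing with the vendor's uninstall tool.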

#31
March 13, 2016 at 13:30:55
Hi, I downloaded the F-Secure Uninstallation Tool from freewarefiles.com. I ran the tool but instead of getting instructions (as the readme.txt file led me to expect), my PC just shut down and restarted.

How can I check if there are remnants of F-Secure still present on my PC? Thanks for any help you can give me.



#32
March 13, 2016 at 16:20:34
Run the > F-Secure Uninstallation Tool & then use search.

