Problems With Browsers

Welcome to Major Geeks!

Please download OTM by Old Timer and save it to your Desktop.

• Run OTM.exe by double clicking on it (Note: if using Vista, Win7 or Win8, don't double click, use right click and select Run As Administrator).
• Copy the lines from the below codebox to the clipboard by highlighting ALL of them and pressing CTRL + C
  (or, after highlighting, right-click and choose Copy): Do not include the word Code: which is just a title line of
  the code box

Code:

:Processes
explorer.exe


:Files
C:\WINDOWS\system32\tasks\AutoKMS
C:\WINDOWS\system32\tasks\Nuezgik
C:\WINDOWS\system32\tasks\Xsoeehma
C:\ProgramData\Xsoeehma
C:\ProgramData\9a3622d0-1977-0
C:\ProgramData\9a3622d0-7d01-1
C:\ProgramData\Avg
C:\ProgramData\Avira
C:\ProgramData\cbce07f0-11c7-0
C:\ProgramData\cbce07f0-2e25-1
C:\ProgramData\Panda Security
C:\ProgramData\Spybot - Search & Destroy
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Waterfox.lnk
C:\Program Files (x86)\AVG
C:\Program Files (x86)\Avira
C:\Program Files (x86)\Spybot - Search & Destroy 2
C:\WINDOWS\TEMP\*.*
C:\Users\Admin\AppData\Local\Temp\*.*

:Reg
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"SpybotPostWindows10UpgradeReInstall"=-

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentVersion\Run]
"AvgUi"=-

[HKEY_LOCAL_MACHINE\software\Wow6432Node\microsoft\windows\currentVersion\Run]
"AvgUi"=-
:Commands
[purity]
[EmptyTemp]
[start explorer]
[Reboot]

• Return to OTM, right click in the Paste List of Files/Folders to Move window (under the yellow bar
  ) and choose Paste.
• Now click the large http://forums.majorgeeks.com/chaslang/images/MoveIt!.png button.
• If OTM asks to reboot your computer, allow it to do so. The report should appear in Notepad after the reboot.
• Close OTM.

Now navigate to the C:\_OTM\MovedFiles folder ( assuming your Windows drive is C). This is where your log will be
saved in the form of Date and Time mmddyyyy_hhmmss.log. Just look for the most recent .log file. Attach
this log file to your next message.

Now please download Junkware Removal Tool to your desktop.

• Shut down your protection software now to avoid potential conflicts.
• Run the tool by double-clicking it. If you are using Windows Vista, Win7, 8 or 10, right-mouse click it and select Run as Administrator.
• The tool will open and start scanning your system.
• Note: That JRT may reset your home page to a google default so you will need to restore your home page setting if this happens.
• Please be patient as this can take a while to complete depending on your system's specifications.
• On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
• Attach JRT.txt to your next message.

Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, Win7 or Win8, don't double click, use right click and select Run As Administrator).

Then attach the below logs:

• the C:\_OTM\MovedFiles log
• the JRT.TXT log
• C:\MGlogs.zip

Make sure you tell me how things are working now!

 

Actually none of the problems that you are mentioning really sound like malware. They sound more like software conflicts or issues that often occur from performing registry cleaning or running system performance tweakers. However there are a few things that did not get removed with the last fix so let's continue and we will run a couple other tools too just to be on the safe side. Also we will run a program named Windows Repair to see if it helps.

First see if you can find and delete the below folders which failed to delete. Let me know your results.

C:\WINDOWS\system32\tasks\AutoKMS
C:\WINDOWS\system32\tasks\Nuezgik
C:\WINDOWS\system32\tasks\Safer-Networking
C:\WINDOWS\system32\tasks\Xsoeehma
C:\ProgramData\Xsoeehma

Now run the below no matter what happens with the above.

Please download the latest version of FRST the below link.

Farbar Recovery Scan Tool and save it to your Desktop.

Note: Make sure you download the proper version ( 32 bit or 64 bit ) for your PC. Only one will run, the correct one. So it you make a mistake and download the wrong one, go back and get the other.

• Double-click to run it. When the tool opens click Yes to disclaimer.
• Press Scan button.
• It will make a log (FRST.txt) in the same directory the tool is run. Please attach it to your next reply.
• The first time the tool is run, it makes also another log (Addition.txt). Please attach it to your reply.

Download Windows Repair by Tweaking.com and unzip the contents into a newly created folder on your desktop.

• Now run Repair_Windows.exe by double clicking on it ( if you are running Vista or Win 7, use right click and select Run As Administrator)
• Now select the + Repairs tab.
• Then click the + Open Repairs button down on the bottom right.
• This will automatically begin a registry backup, so wait for it to complete and when it finishes, you will see a list of many possible different repairs and they are all selected by default. At the bottom of this form there is a not so obvious Unselect All Repairs check box which is to the right of a check box with a green check mark in it. Please click the Unselect All Repairs box. The green check mark box is to Select All Repairs. The ony way you see what these boxes are is when your mouse hovers over them.
• Now select the following repair options ( the numbers at the begin are the current repair numbers but this is subject to change.)
  • 01 - Reset Registry Permissions
  • 02 - Reset File Permissions
  • 03 - Reset Service Permissions
  • 04 - Register System Files
  • 05 - Repair WMI
  • 10 - Remove Policies Set By Infections
  • 13 - Network
  • 14 - Repair Proxy Settings
  • 15 - Repair Windows Updates
  • 21 - Repair MSI (Windows Installer)
  • 23 - Repair File Associations (12 )
  • 26 - Restore Important Windows Services
  • 27 - Set Windows Services To Default Startup
• Now on the right side under the When Repairs Complete title, check the box for Restart/Shutdown System and then make sure the Restart System radio button is enabled not the Shutdown System button.
• Shutdown any other programs that you are running now before continuing.
• Now click the Start Repairs button at the lower right.
• Be patient while the tool repairs the selected items.
• It should reboot automatically when finished. If it does not then reboot it yourself.

 

You can try having Windows Repair fix your icons but not sure that it will help.

Again I don't think your problems are due to malware based on all previous logs and your current logs. More likely due to system errors or software conflicts etc with Waterfox.
But you do still have a bunch of left overs from all the antivirus programs that you installed ( bad idea ) and some other junk too. So let's try to fix this stuff up. I may be sending you to the Software Forum soon for your problems with Waterfox.


Download this attached fixlist.txt file found at the bottom of this message and save fixlist.txt on your Desktop. Make sure you save it as a txt file.

• You should now have both fixlist.txt and FRST64.exe on your Desktop.
• Now I want you to disconnect your PC connection to the internet by unplugging the cable ( if it is wireless then temporarily shutdown the wireless network ).
• Run FRST64.exe by right clicking on it and selecting Run As Adminstrator
• Click the Fix button just once and wait.
• Your computer should reboot after the fix runs.
• Reconnect your internet connection after reboot so you can come back here to continue.
• The tool will make a log on the Desktop (Fixlog.txt) please attach this new log to your next reply (attach or paste)

Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator).

Then attach the below logs:

• Fixlog.txt
• C:\MGlogs.zip

Please attach the above two log first before you continue with the below.

Also at this point, I want to double check the status of things we tried to remove above by having you run another scan with FRST like in my last message and attach the new FRST.txt log.

 

You should try asking about this in the Software Forum because it is not a malware problem. My suggestion would be to uninstall it completely!!! This means uninstall and then delete all relate folders and shortcuts links to make sure all addons/extensions are removed. Make sure registry info is cleaned up too ( an uninstaller program like Revo Uninstaller. may help with this )

It creates the original at C:\MGlogs.zip and then copies to the Desktop for convenience because some people have a difficult time getting to the root folder but the Desktop seems easier for them.

Your logs are clean.

If you are not having any other malware problems, it is time to do our final steps. Please complete all of the below final instructions before running any other scans to avoid false detections of things we have already quarantined or left overs from system restore.

1. We recommend you keep Malwarebytes Anti-Malware for scanning/removal of malware.
2. Renable your Disk Emulation software with Defogger if you had disabled it in step 4 of the READ & RUN ME.
3. Go to add/remove programs and uninstall HijackThis. If you don't see it or it will not uninstall, don't worry about it. Just move on to the next step.
4. If running Vista, Win 7 or Win 8, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
5. Now goto the C:\MGtools folder and find the MGclean.bat file. Double click ( if running Vista, Win7, or Win 8 Right Click and Run As Administrator ) on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
6. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
7. If you are running Win 8, Win 7, Vista, Windows XP or Windows ME, do the below to flush restore points:
   • Refer to the instructions for your WIndows version in this link: Disable And Enable System Restore​
   • For Windows 8 and 8.1 system restore see this link: Win 8 System Restore - How to enable/disable​
   • What we want you to do is to first disable System Restore to flush restore points some of which could be infected.
   • Then we want you to Enable System Restore to create a new clean Restore Point.
8. After doing the above, you should work thru the below link:
   • 
     How to Protect yourself from malware!

 

You're welcome.

From the below folders and registry keys.

C:\Program Files (x86)\Mozilla Firefox
C:\Users\Admin\AppData\Roaming\Mozilla
[HKEY_LOCAL_MACHINE\SOFTWARE\MozillaPlugins]
[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox]

And also the below shortcut needed to be removed for Waterfox too because shortcuts can carry infections.

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Waterfox.lnk

 

The below registry patch should remove these.

Copy the bold text below to notepad. Save it as fixme.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.

Make sure that you tell me if you receive a success message about adding the above
to the registry. If you do not get a success message, it definitely did not work.

Not related as far as I can tell, but perhaps something that we have already cleaned up had caused an issue previously with Yahoo.

 

You're welcome.

We already did all we needed back in message number 11 ( I assume you finished all of those now ? ). So give Waterfox a try again if you still want to use it.

 

Yes but before doing so perhaps you should look into uninstalling BitDefender first. You have both BitDefender and Windows Defender running which you should not have. So if you uninstall ( not disable ) BitDefender and check to see if there is any change.

 

Let me know the results of the uninstall! I'm also not sure it will resolve your problems but based on your logs, the issue is not from malware. I don't use Waterfox so I cannot comment either way. But I never found Firefox to be an improvement over IE.

Yes Windows Defender is supposed to disable when another security program is installed but per your logs this did not happen.

 

Interesting since it was running. Your logs had showed the below for BitDefender:

bdagent.exe "C:\Program Files\Bitdefender\Bitdefender 2016\bdagent.exe"
bdwtxag.exe "C:\Program Files\Bitdefender\Bitdefender 2016\bdwtxag.exe"
bdwtxcr.exe "C:\Program Files\Bitdefender\Bitdefender 2016\bdwtxcr.exe" --parent-window=0 chrome-extension://dhhejlifdlcgcmogbggeomfodgklfaem/
ProductAgentService.exe "C:\Program Files\Bitdefender Agent\ProductAgentService.exe"

And the below for Windows Defender:
MpCmdRun.exe "C:\Program Files\Windows Defender\MpCmdRun.exe" SpyNetServiceDss -RestrictPrivileges -AccessKey D3F09444-9646-6F18-4CE8-CC2721F2AB20 -Reinvoke
MsMpEng.exe

You will have to tell me exactly what it says. Creating screen shots is dependent upon when the popup occurs. If it is before you login then you don't have the ability to run a screen snapshot program yet. If after you login then there are dozens of free tools to do this. Power Point files cannot be attached to messages.

 

Perhaps it is related to one of the below startup processes you load each time you start your PC. These showed in your logs among other startups. The CrazyTalk Serve line seems like a good candidate.

• O4 - HKLM\..\Run: [RadioController] "C:\Program Files (x86)\RadioController\RfBtnHelper.exe" Start_Run
• O4 - HKLM\..\Run: [CanonSolutionMenuEx] C:\Program Files (x86)\Canon\Solution Menu EX\CNSEMAIN.EXE /logon
• O4 - HKLM\..\Run: [Wondershare Helper Compact.exe] C:\Program Files (x86)\Common Files\Wondershare\Wondershare Helper Compact\WSHelper.exe
• O4 - HKLM\..\Run: [DelaypluginInstall] C:\ProgramData\Wondershare\Video Converter Ultimate\DelayPluginI.exe
• O4 - HKLM\..\Run: [CrazyTalk Serve] rundll32.exe C:\WINDOWS\system32\CrazyTalk.dll,DllServeMediaFile
• O4 - HKCU\..\Run: [Messenger (Yahoo!)] "C:\Program Files (x86)\Yahoo!\Messenger\YahooMessenger.exe" -quiet
• O4 - HKCU\..\Run: [Dropbox Update] "C:\Users\Admin\AppData\Local\Dropbox\Update\DropboxUpdate.exe" /c
• O4 - HKCU\..\Run: [OneDrive] "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background
• O4 - HKCU\..\Run: [Skype] "C:\Program Files (x86)\Skype\Phone\Skype.exe" /minimized /regrun
• O4 - HKCU\..\Run: [AcerPortal] "C:\Program Files (x86)\Acer\Acer Portal\AcerPortal.exe" startup
• O4 - HKCU\..\Run: [RemoteFilesTrayIcon] "C:\Program Files (x86)\Acer\abFiles\abFilesTrayIcon.exe" --hideUI
• O4 - HKUS\S-1-5-19\..\Run: [OneDriveSetup] C:\Windows\SysWOW64\OneDriveSetup.exe /thfirstsetup (User 'LOCAL SERVICE')
• O4 - HKUS\S-1-5-20\..\Run: [OneDriveSetup] C:\Windows\SysWOW64\OneDriveSetup.exe /thfirstsetup (User 'NETWORK SERVICE')
• O4 - Startup: Dropbox.lnk = Admin\AppData\Roaming\Dropbox\bin\Dropbox.exe
• O4 - Startup: MEGAsync.lnk = Admin\AppData\Local\MEGAsync\MEGAsync.exe
• O4 - Global Startup: Acer Backup Manager Tray.lnk = C:\Program Files (x86)\NTI\Acer Backup Manager\BackupManagerTray.exe

Again this is not a malware problem.

 

You're welcome. Surf safely!