CLOSED Help with removing high risk items

[Susan Peach 0]

Upon attempting to quarantine 4 suspicious files found during a scan, I got a message stating:

"Removing these items bears an unusually high risk of crashing your operating system during automatic cleaning, as these threats are embedded deeply.

The malware removal experts at the Emsisoft Support will guide you through a safe removal of these threats."

Accordingly, I am attaching the requested log files as per the forum posting instructions, and await your instructions.

 

 

 

 

scan_190124-135355.txt

Addition_24-01-2019 14.11.35.txt

FRST_24-01-2019 14.11.35.txt

[Kevin Zoll 307]

Hello Susan,

Please run FRST again. Next, select and copy the following text, including the words Start:: and End::. Switch back to the FRST program window, and click the Fix button. It should read the fix directly from the clipboard and run the fix. When it is finished, please attach the fixlog.txt file it created in the same folder the FRST program is in.

Start::
ShellServiceObjects-x32: No Name -> {E6FB5E20-DE35-11CF-9C87-00AA005127ED} =>
SSODL-x32: UPnPMonitor - {e57ce738-33e8-4c51-8354-bb4de9d215d1} - No File
ShellExecuteHooks-x32: No Name - {AEB6717E-7E19-11d0-97EE-00C04FD91972} - -> No File
CHR HKLM\SOFTWARE\Policies\Google: Restriction <==== ATTENTION
BHO: No Name -> {95B7759C-8C7F-4BF1-B163-73684A933233} -> No File
BHO-x32: No Name -> {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} -> No File
2019-01-19 15:38 - 2015-12-17 16:43 - 000678944 _____ (WildTangent, Inc.) C:\ProgramData\uninstall2338968.exe
2019-01-19 15:35 - 2019-01-19 15:38 - 000000000 ____D C:\Users\Gerald\AppData\Roaming\WildTangent
2019-01-19 15:38 - 2015-12-17 16:43 - 000678944 _____ (WildTangent, Inc.) C:\ProgramData\uninstall2338968.exe
2009-02-05 10:16 - 2009-02-04 09:42 - 000000062 ___SH () C:\Users\Gerald\AppData\Roaming\desktop (1).ini
2009-02-05 10:16 - 2016-11-23 20:42 - 000000062 ___SH () C:\Users\Gerald\AppData\Local\desktop (1).ini
ShellIconOverlayIdentifiers: [00avg] -> {472083B0-C522-11CF-8763-00608CC02F24} => -> No File
ShellIconOverlayIdentifiers-x32: [Offline Files] -> {750fdf0e-2a26-11d1-a3ea-080036587f03} => -> No File
ContextMenuHandlers1-x32: [!NetFax0] -> {35308360-D4A6-436D-B701-1FEC7E96BA48} => C:\windows\System32\spool\drivers\w32x86\3\NetFaxShell.dll -> No File
ContextMenuHandlers1-x32-x32: [!NetFax1] -> {35308360-D4A6-436D-B701-1FEC7E96BA48} => C:\windows\System32\spool\drivers\w32x86\3\NetFaxShell.dll -> No File
ContextMenuHandlers1-x32-x32-x32: [!NetFax2] -> {35308360-D4A6-436D-B701-1FEC7E96BA48} => C:\windows\System32\spool\drivers\w32x86\3\NetFaxShell.dll -> No File
ContextMenuHandlers1-x32-x32-x32-x32: [!NetFax3] -> {35308360-D4A6-436D-B701-1FEC7E96BA48} => C:\windows\System32\spool\drivers\w32x86\3\NetFaxShell.dll -> No File
ContextMenuHandlers1-x32-x32-x32-x32-x32: [!NetFax4] -> {35308360-D4A6-436D-B701-1FEC7E96BA48} => C:\windows\System32\spool\drivers\w32x86\3\NetFaxShell.dll -> No File
ContextMenuHandlers1-x32-x32-x32-x32-x32-x32: [!NetFax5] -> {35308360-D4A6-436D-B701-1FEC7E96BA48} => C:\windows\System32\spool\drivers\w32x86\3\NetFaxShell.dll -> No File
ContextMenuHandlers1-x32-x32-x32-x32-x32-x32-x32: [!NetFax6] -> {35308360-D4A6-436D-B701-1FEC7E96BA48} => C:\windows\System32\spool\drivers\w32x86\3\NetFaxShell.dll -> No File
ContextMenuHandlers1-x32-x32-x32-x32-x32-x32-x32-x32: [!NetFax7] -> {35308360-D4A6-436D-B701-1FEC7E96BA48} => C:\windows\System32\spool\drivers\w32x86\3\NetFaxShell.dll -> No File
ContextMenuHandlers3: [00avg] -> {472083B0-C522-11CF-8763-00608CC02F24} => -> No File
Task: {0C2E1A1E-2F5A-40B8-BB7E-F9CDFE3BCE67} - \Microsoft\Windows\UNP\RunCampaignManager -> No File <==== ATTENTION
Task: {E013D9EF-8BBD-4E2A-B494-A36BFABC6476} - System32\Tasks\Hewlett-Packard\HP Support Assistant\HP Support Assistant printer driver installation => C:\WINDOWS\TEMP\sp77849.exe <==== ATTENTION
C:\WINDOWS\TEMP\sp77849.exe
Reg: reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\BROWSER HELPER OBJECTS\{95B7759C-8C7F-4BF1-B163-73684A933233}" /f
Reg: reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432NODE\W3I" /f
Reg: reg delete "HKEY_USERS\S-1-5-21-3064643449-3981555495-736014380-1002\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXT\SETTINGS\{FDAD4DA1-61A2-4FD8-9C17-86F7AC245081}" /f
Reg: reg delete "HKEY_USERS\S-1-5-21-3064643449-3981555495-736014380-1002\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXT\STATS\{FDAD4DA1-61A2-4FD8-9C17-86F7AC245081}" /f
End::

[Susan Peach 0]

Attaching fixlog.txt file as requested.

Note that FRST did not read from the clipboard so I created a new .txt document with that name and saved in unicode format. Hopefully this is correct.

I currently have a message on my computer screen that I need to restart. I will wait to do that until I receive further instructions from you.

Fixlog.txt

[Kevin Zoll 307]

Susan,

Let's take a fresh look.

Run fresh scans with Emsisoft Emergency Kit (EEK) and FRST, attach the new EEK and FRST scans to your reply.

Be sure to let me know how things are running.

[Susan Peach 0]

Shut down and restarted computer as prompted by FRST after running the fix provided.

Ran new EEK and FRST scans (attached).

Prior to restarting computer we did have one instance of a hijack/redirect while viewing cnn.com but have not had one yet since restarting. We do sometimes get a message on a yellow background at the top of a web page that "a web page is slowing down your browser" and have seen this once since restarting but not sure if this is related to the hijack issue or something else.

scan_190125-182548.txt

FRST.txt

[Kevin Zoll 307]

The "a web page is slowing down your browser" message is displayed when a page is slow loading web resources.  Usually happens on pages that have lots of graphics or videos.

Your FRST log is empty.  Please do a fresh scan with FRST again.

[Susan Peach 0]

New FRST scan attached, sorry not sure why the other was empty.

FRST_26-01-2019 18.20.12.txt

[Kevin Zoll 307]

Susan,

Your FRST log looks fine.  How are things running?

[Susan Peach 0]

So far so good, no more hijacks since running the fix so I think we're good. Thanks very much for your help.

[Kevin Zoll 307]

Susan,

Now to remove most of the tools that we have used in fixing your machine:

Download Delfix from here and save it to your Desktop.

• Ensure Remove disinfection tools is checked.
• Also place a checkmark next to:
  • Create registry backup
  • Purge system restore
• Click the Run button.

When the tool is finished, a log will open in notepad. I do not need the log. You can close Notepad.

Empty the Recycle Bin

You can delete and uninstall any programs I had you download, that you do not wish to keep on the system.

To Remove EEK simple delete the EEK for in the of your System Drive, normally C:\EEK

Run Windows Update and update your Windows Operating System.

Articles to Read:
How to Protect Your Computer From Malware
How to keep you and your Windows PC happy
Web, email, chat, password and kids safety
How Did I Get Infected?

That should take care of everything.

Safe Surfing!

[Susan Peach 0]

All done as instructed. Thanks again for your help,  much appreciated!

[Kevin Zoll 307]

Susan,

You are welcome.

Thread Closed

Reason: Resolved

PM either Kevin, Elise, or Arthur to have this thread reopened.

The procedures contained in this thread are for this user and this user only. Attempting to use the instructions in this thread on a system, other than the one they were written for, could result in damaging the Operating System beyond repair. Do Not use any of the tools mentioned in this thread without the supervision of a Malware Removal Specialist.

All posters requesting Malware Removal assistance are required to follow all procedures in the thread titled START HERE if you don't we are just going to send you back to this thread