Solved How to recover from System Restore problem now

April 21, 2015 at 11:20:46
Specs: Windows 7 home, Intel Pent., cpu g630, 4.00 GB, 64 bit
I am on my other computer now.

Had a problem getting on AOL before. Was on this a.m. and all was well. Went out for a while and shut AOL down but left comp on.

Upon returning, I tried to start AOL up again, but would not open. All other programs are ok and will open. IE will open too.

So I did a system restore back to April 15. It ran thru the normal functions, and windows started to start up, twice, but I never got the "Windows had restored your computer, etc"

Instead, the screen went black and I get the Windows startup again, then goes black and Windows startup goes again, then black and cursor is in center of screen and can be moved around, activity light is blinking very slowly on and off.

Have been using MSE for virus and did not shut it down, don't know if you can, used to use AVG and used to shut it down for recovery.

Has been sitting like this for 20 mins or so. Should I turn it off and hope for start-up or what?

Networking, wi-fi, this computer networked, is fine

Waiting for suggestions . . .




✔ Best Answer
April 28, 2015 at 12:34:04
Good one Warren, I could see there was more work to do.

Make sure you run Delfix.

Download the latest version of Farbar, run, then upload the 2 logs please.



#1
April 21, 2015 at 12:18:45
If you are still in trouble try this (which at odd times has unstuck computers):
Turn off, disconnect from power, remove main battery too if it is a laptop. Hold the Power Off/On button down for at least 20 seconds to discharge the motherboard components. Re-assemble and cross your fingers.

Always pop back and let us know the outcome - thanks



#2
April 21, 2015 at 13:33:27
Try booting into Windows Safe Mode by tapping F8 at start up. Then use the System Restore undo function.


#3
April 21, 2015 at 13:36:33
Thanks for the response Derek, but no go.

I get the Windows is starting up screen, and then the choices, start in safe mode, safe mode with networking, or safe mode with com prompt.

I tried each one and it goes to black screen with cursor.




#4
April 21, 2015 at 13:49:26
Othehill: just saw your reply and did that and got many selections, I chose Repair Your Computer, started loading files, System Recovery Option and Startup Repair.

Then box came up, could not detect a problem. with 2 more selections:

View diagnostic and repair details
View advanced options for system recovery and support

I should take the last one? advanced options for system recovery and support?



#5
April 21, 2015 at 13:50:26
See if this sorts things out Warren.

How to use a Lazesoft Windows Recovery CD or USB device to fix the boot problems if your Windows operating system does not start correctly
http://www.lazesoft.com/fix-boot-pr...
"It is very common for PC users to be faced with a Windows crash. When this happens, the dreaded 'Blue Screen of Death' pops up, or your PC has a black screen and can not boot or start up"

Lazesoft Recovery Suite Home Edition
http://www.softpedia.com/get/System...
http://www.lazesoft.com/lazesoft-re...
Tutorials
http://www.lazesoft.com/guide.html
Screenshot ( SS )
http://i.imgur.com/4HXqQKS.jpg
How to Boot a Computer from a Lazesoft Recovery USB Device
http://www.lazesoft.com/create-a-bo...



#6
April 21, 2015 at 14:03:05
Hi JohnW:

I have three HP Backup disks that I made few months ago but I would like to try the repair suggestion in the previous message:

I should take the last one? advanced options for system recovery and support?

what do you think?



#7
April 21, 2015 at 14:19:36
"what do you think?"
I saw that there Warren, don't know how you pick one from the other, probably try one & see what it says.

Lazesoft would be my next choice & I am not ruling out infection/malware.

Small steps until we get some more clues.



#8
April 21, 2015 at 14:24:41
Here is more info.

view diagnostic and repair details
https://www.google.com.au/webhp?hl=...
http://www.7tutorials.com/fix-windo...



#9
April 21, 2015 at 14:29:58
Thanks John. I picked the last one, and finally got to a selection to Undo System Restore. It is undoing right now. Plenty of other selections but would restore to factory settings, and lose all, and do a mammoth backup.
So when it is done , will let you know.

Nice to see you again also. you helped me in the past a few times



#10
April 21, 2015 at 14:35:29
"Nice to see you again also. you helped me in the past a few times"
You too Warren, wondered if you remembered me.

"So when it is done , will let you know"
Thanks.

message edited by Johnw



#11
April 21, 2015 at 15:55:50
Hi John. Been thru the mill with this problem.

The undo restore worked fine but I was still unable to open AOL. So I tried another date and restore stopped in the middle, said it couldn't continue. So I uninstalled AOL altogether and tried to install it. It downloaded fine but the computer said I had some communication software running and it couldn't be installed. Tried this a couple of times.

I couldn't find anything that they were talking about.

So I finally tried another restore date, about the 4th one, and it went fine, and AOL installed and all is well.

I just wanted to avoid all the backing up old stuff etc.

Thank you very much for your help, all.




#12
April 21, 2015 at 16:12:27
Looks like some of your restores have somehow corrupted. Thanks for popping back to let us know.

Always pop back and let us know the outcome - thanks



#13
April 21, 2015 at 17:07:14
I can go through these logs Warren, to see if I can spot an underlying problem.

Please download Farbar Recovery Scan Tool and save it onto your Desktop. If your default download location is not the Desktop, drag it out of its location onto the Desktop.
http://www.bleepingcomputer.com/dow...
If we have to run Farbar more than once, refer this SS.
http://i.imgur.com/yUxNw0j.gif
Note: You need to run the version compatible with your system. If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.
Double-click to run it. When the tool opens click Yes to disclaimer.
Press Scan button.
It will make a log (FRST.txt) on the Desktop.
The first time the tool is run, it makes also another log (Addition.txt).
The logs are large, upload them using this, or upload to a site of your choosing. No account needed. Give us the links please.
http://www.zippyshare.com/
Instructions on how to use ZippyShare.
http://i.imgur.com/naG6t2T.gif
http://i.imgur.com/Vi9ZdIh.gif
http://i.imgur.com/1IZu5kP.gif



#14
April 21, 2015 at 17:39:09
Thanks John, and all. Will run these tomorrow and post for you.


#15
April 22, 2015 at 13:15:12
Johnw: bear with me for a while; I can't get on AOL on the said computer. Running some Malwarebytes and virus checkers and hope that I can get AOL going there.


#16
April 22, 2015 at 14:30:03
Malware & other was what I would have been looking for Warren, running those scans will help.

You are probably using the same tools as last time, post or upload logs if you want.
http://www.computing.net/answers/se...



#17
April 22, 2015 at 14:42:34
OK, I just got on by doing a restore again. Ran Malwarebytes and MSW and found 7 PUP.options, but could not start AOL after removing them; restore did the trick. Where should I begin now, do this first?

http://www.computing.net/answers/se...



#18
April 22, 2015 at 14:47:41
Run Farbar first so I have a before & after Warren.

ESET cleared the decks very nicely & allowed access by the other tools to finish clearing the nasties.



#19

#20
April 22, 2015 at 18:19:37
is AOL your only way to connect to the internet??


#21
April 22, 2015 at 18:21:50
No, I have Mozilla, Google, IE.

I prefer AOL though.



#22
April 22, 2015 at 20:31:03
I ran Eset again and here is the result:

http://www32.zippyshare.com/v/fNqGc...



#23
April 23, 2015 at 03:42:42
"I ran Eset again and here is the result"
Once again, very good result, same as when I helped you previously.

You have not installed Unchecky.

Once installed, run AdwCleaner & Junkware Removal Tool, post the logs please.

message edited by Johnw



#24
April 23, 2015 at 05:53:50
Will do John when I get home this afternoon. Thanks.


#25
April 23, 2015 at 05:56:55
Ok Warren, I'm not far off bed, nearly 9pm here & I'm an early riser.


#26
April 23, 2015 at 05:59:52
Have a long easy sleep. lol

I can't go to bed that early, takes a while to get to sleep. See you later.



#27
April 23, 2015 at 17:05:49
JohnW:

I was unable to get on AOL this afternoon, so I did a system restore, then I re-ran Eset and MSE and just ran AdWare. Will do Junkware Removal next.

Here is the AdWare: xml version="1.0"?>

-<Summary>

<ScanInfo EndTime="20150423T235919.259824" StartTime="20150423T235340.259824" ScanType="Quick" ScanMode="Manual"/>


-<InfectedObjects>

<InfectedObject ThreatName="Cookie.Advertising" ThreatType="Virus" ObjectStatus="Deleted" InnerObject="" ParentContainers="" ObjectPath="C:\Users\user\AppData\Roaming\Microsoft\Windows\Cookies\Low\O0Y43GUX.txt" ObjectType="Cookie"/>

<InfectedObject ThreatName="Cookie.Advertising" ThreatType="Virus" ObjectStatus="Deleted" InnerObject="" ParentContainers="" ObjectPath="C:\Users\user\AppData\Roaming\Microsoft\Windows\Cookies\1ZY89LAN.txt" ObjectType="Cookie"/>

<InfectedObject ThreatName="Cookie.247RealMedia" ThreatType="Virus" ObjectStatus="Deleted" InnerObject="" ParentContainers="" ObjectPath="C:\Users\user\AppData\Roaming\Microsoft\Windows\Cookies\PLC6M8GS.txt" ObjectType="Cookie"/>

<InfectedObject ThreatName="Cookie.Statcounter" ThreatType="Virus" ObjectStatus="Deleted" InnerObject="" ParentContainers="" ObjectPath="C:\Users\user\AppData\Roaming\Microsoft\Windows\Cookies\RQH1YUCK.txt" ObjectType="Cookie"/>

<InfectedObject ThreatName="Cookie.Advertising" ThreatType="Virus" ObjectStatus="Deleted" InnerObject="" ParentContainers="" ObjectPath="C:\Users\user\AppData\Roaming\Microsoft\Windows\Cookies\S0UOAUT6.txt" ObjectType="Cookie"/>

<InfectedObject ThreatName="Trojan.GenericKD.2316837" ThreatType="Virus" ObjectStatus="DeletedReboot" InnerObject="ImagePath" ParentContainers="SYSTEM\CONTROLSET001\SERVICES\BOLODUJY\" ObjectPath="C:\USERS\USER\APPDATA\ROAMING\99AA50B1-1429754916-236E-CE5E-03894AD18E8B\JNSS4AD9.TMP" ObjectType="RegistryKey"/>

<InfectedObject ThreatName="Trojan.GenericKD.2317289" ThreatType="Virus" ObjectStatus="DeletedReboot" InnerObject="ImagePath" ParentContainers="SYSTEM\CONTROLSET001\SERVICES\RUMEJIDE\" ObjectPath="C:\USERS\USER\APPDATA\ROAMING\99AA50B1-1429754916-236E-CE5E-03894AD18E8B\NSS1D1F.TMPFS" ObjectType="RegistryKey"/>

</InfectedObjects>

</Summary>



#28
April 23, 2015 at 17:15:30
John: here are the Junkware results:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Thisisu
Version: 6.6.1 (04.23.2015:1)
OS: Windows 7 Home Premium x64
Ran by user on Thu 04/23/2015 at 20:08:14.35
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


~~~ Services

Successfully stopped: [Service] orbiter
Successfully deleted: [Service] orbiter

~~~ Tasks

Failed to delete: [Task] C:\windows\tasks\APSnotifierPP1.job
Failed to delete: [Task] C:\windows\tasks\APSnotifierPP2.job
Failed to delete: [Task] C:\windows\tasks\APSnotifierPP3.job
Successfully deleted: [Task] C:\windows\system32\tasks\APSnotifierPP1
Successfully deleted: [Task] C:\windows\system32\tasks\APSnotifierPP2
Successfully deleted: [Task] C:\windows\system32\tasks\APSnotifierPP3
Successfully deleted: [Task] C:\windows\system32\tasks\Driver Booster SkipUAC (user)
Successfully deleted: [Task] C:\windows\system32\tasks\ProPCCleaner_Popup
Successfully deleted: [Task] C:\windows\system32\tasks\ProPCCleaner_Start

~~~ Registry Values

Successfully repaired: [Registry Value] HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Internet Explorer\Main\\Default_Page_URL

~~~ Registry Keys

Successfully deleted: [Registry Key] HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{015DB5FA-EAFB-4592-A95B-F44D3EE87FA9}

~~~ Files

Successfully deleted: [File] C:\windows\patsearch.bin

~~~ Folders

Failed to delete: [Folder] C:\ProgramData\viewpoint
Successfully deleted: [Folder] C:\Program Files (x86)\predm
Successfully deleted: [Folder] C:\Program Files (x86)\searchprotect
Successfully deleted: [Folder] C:\Program Files (x86)\viewpoint
Successfully deleted: [Folder] C:\Users\user\appdata\local\pro_pc_cleaner
Successfully deleted: [Folder] C:\Users\user\appdata\local\searchprotect
Successfully deleted: [Folder] C:\Users\user\documents\propccleaner

~~~ FireFox

Successfully deleted: [File] C:\Users\user\AppData\Roaming\mozilla\firefox\profiles\xhdl6odd.default-1408823845695\searchplugins\trovi.xml
Successfully deleted the following from C:\Users\user\AppData\Roaming\mozilla\firefox\profiles\xhdl6odd.default-1408823845695\prefs.js

user_pref(browser.search.selectedEngine, Trovi);

~~~ Chrome

Successfully deleted: [Folder] C:\Users\user\appdata\local\Google\Chrome\User Data\Default\Extensions\igckfjdcbkimejmjmpmebffdjjjgncfn

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on Thu 04/23/2015 at 20:11:12.82
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~



#29
April 23, 2015 at 17:24:08


"Here is the AdWare: xml version="1.0"?>"
Can I have the text version please Warren.

It looks like what is on your post #27
http://www.computing.net/answers/se...



#30
April 23, 2015 at 17:32:15
This the right one?

<?xml version="1.0"?>

-<Summary>

<ScanInfo EndTime="20150423T235919.259824" StartTime="20150423T235340.259824" ScanType="Quick" ScanMode="Manual"/>


-<InfectedObjects>

<InfectedObject ThreatName="Cookie.Advertising" ThreatType="Virus" ObjectStatus="Deleted" InnerObject="" ParentContainers="" ObjectPath="C:\Users\user\AppData\Roaming\Microsoft\Windows\Cookies\Low\O0Y43GUX.txt" ObjectType="Cookie"/>

<InfectedObject ThreatName="Cookie.Advertising" ThreatType="Virus" ObjectStatus="Deleted" InnerObject="" ParentContainers="" ObjectPath="C:\Users\user\AppData\Roaming\Microsoft\Windows\Cookies\1ZY89LAN.txt" ObjectType="Cookie"/>

<InfectedObject ThreatName="Cookie.247RealMedia" ThreatType="Virus" ObjectStatus="Deleted" InnerObject="" ParentContainers="" ObjectPath="C:\Users\user\AppData\Roaming\Microsoft\Windows\Cookies\PLC6M8GS.txt" ObjectType="Cookie"/>

<InfectedObject ThreatName="Cookie.Statcounter" ThreatType="Virus" ObjectStatus="Deleted" InnerObject="" ParentContainers="" ObjectPath="C:\Users\user\AppData\Roaming\Microsoft\Windows\Cookies\RQH1YUCK.txt" ObjectType="Cookie"/>

<InfectedObject ThreatName="Cookie.Advertising" ThreatType="Virus" ObjectStatus="Deleted" InnerObject="" ParentContainers="" ObjectPath="C:\Users\user\AppData\Roaming\Microsoft\Windows\Cookies\S0UOAUT6.txt" ObjectType="Cookie"/>

<InfectedObject ThreatName="Trojan.GenericKD.2316837" ThreatType="Virus" ObjectStatus="DeletedReboot" InnerObject="ImagePath" ParentContainers="SYSTEM\CONTROLSET001\SERVICES\BOLODUJY\" ObjectPath="C:\USERS\USER\APPDATA\ROAMING\99AA50B1-1429754916-236E-CE5E-03894AD18E8B\JNSS4AD9.TMP" ObjectType="RegistryKey"/>

<InfectedObject ThreatName="Trojan.GenericKD.2317289" ThreatType="Virus" ObjectStatus="DeletedReboot" InnerObject="ImagePath" ParentContainers="SYSTEM\CONTROLSET001\SERVICES\RUMEJIDE\" ObjectPath="C:\USERS\USER\APPDATA\ROAMING\99AA50B1-1429754916-236E-CE5E-03894AD18E8B\NSS1D1F.TMPFS" ObjectType="RegistryKey"/>

</InfectedObjects>

</Summary>


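The report pasted above is AdwCleaner's XML output as rendered by a browser's XML viewer: the leading "-" signs in front of Summary and InfectedObjects are the viewer's collapse toggles, not part of the file, which is why the paste will not parse as-is. Below is an added example (my code, not AdwCleaner's and not from anyone in the thread) that strips those markers, parses the report with the Python standard library, and pulls out the two things worth acting on in triage: entries marked DeletedReboot (removal is still pending a restart) and service keys whose ImagePath pointed into a user's AppData\Roaming, the persistence pattern visible in the BOLODUJY and RUMEJIDE entries. The sample report is constructed in the same shape from a subset of the posted entries.

```python
import re
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed sample in the shape of the AdwCleaner XML report pasted in the thread
# (a subset of its entries), including the "-" collapse markers a browser's XML
# viewer adds in front of container elements when the report is copied from it.
SAMPLE_REPORT = r"""<?xml version="1.0"?>
-<Summary>
<ScanInfo EndTime="20150423T235919.259824" StartTime="20150423T235340.259824" ScanType="Quick" ScanMode="Manual"/>
-<InfectedObjects>
<InfectedObject ThreatName="Cookie.Advertising" ThreatType="Virus" ObjectStatus="Deleted" InnerObject="" ParentContainers="" ObjectPath="C:\Users\user\AppData\Roaming\Microsoft\Windows\Cookies\Low\O0Y43GUX.txt" ObjectType="Cookie"/>
<InfectedObject ThreatName="Cookie.Statcounter" ThreatType="Virus" ObjectStatus="Deleted" InnerObject="" ParentContainers="" ObjectPath="C:\Users\user\AppData\Roaming\Microsoft\Windows\Cookies\RQH1YUCK.txt" ObjectType="Cookie"/>
<InfectedObject ThreatName="Trojan.GenericKD.2316837" ThreatType="Virus" ObjectStatus="DeletedReboot" InnerObject="ImagePath" ParentContainers="SYSTEM\CONTROLSET001\SERVICES\BOLODUJY\" ObjectPath="C:\USERS\USER\APPDATA\ROAMING\99AA50B1-1429754916-236E-CE5E-03894AD18E8B\JNSS4AD9.TMP" ObjectType="RegistryKey"/>
</InfectedObjects>
</Summary>
"""


def strip_viewer_markers(text: str) -> str:
    """Remove the '-' that a browser XML viewer prepends to expandable elements."""
    return re.sub(r"(?m)^-(?=<)", "", text)


def parse_adwcleaner(xml_text: str) -> list:
    """Return one dict per InfectedObject, keyed by its XML attributes."""
    root = ET.fromstring(strip_viewer_markers(xml_text))
    return [dict(obj.attrib) for obj in root.iter("InfectedObject")]


def summarize(objects: list) -> Counter:
    """Count findings per ThreatName so tracking cookies and real persistence stand apart."""
    return Counter(obj["ThreatName"] for obj in objects)


def pending_reboot(objects: list) -> list:
    """Paths whose removal is still pending a restart (ObjectStatus=DeletedReboot)."""
    return [obj["ObjectPath"] for obj in objects if obj["ObjectStatus"] == "DeletedReboot"]


def suspicious_services(objects: list) -> list:
    """Service names whose ImagePath pointed into a user's AppData\\Roaming.

    A Windows service normally loads from Program Files or System32; a service
    binary under a user profile is the persistence pattern in the thread's log.
    """
    names = []
    for obj in objects:
        parent = obj.get("ParentContainers", "").upper()
        path = obj.get("ObjectPath", "").upper()
        if "\\SERVICES\\" in parent and "\\APPDATA\\ROAMING\\" in path:
            names.append(parent.rstrip("\\").split("\\")[-1])
    return names


if __name__ == "__main__":
    found = parse_adwcleaner(SAMPLE_REPORT)
    for name, count in summarize(found).items():
        print(f"{count:3d}  {name}")
    print("pending reboot:", pending_reboot(found))
    print("services loading from a user profile:", suspicious_services(found))
```

The cookies are noise; the two service entries are what explain why each System Restore brought the problem back. Restore points capture the registry, so restoring to a point created after the services were installed reinstates them, which is the point Johnw makes later in the thread about not running further restores until the machine is clean.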

#31
April 23, 2015 at 17:36:40
"<?xml version="1.0"?>"
No, it's xml.

You can find the logfile at C:\AdwCleaner[S1].txt



#32
April 23, 2015 at 18:02:41
I lost aol on that computer again. I put that command in and it doesn't come up. In startup block, typing cmd to get the dos block, right?


#33
April 23, 2015 at 18:09:56
Anyway, ran it again and it found nothing at all.


#34
April 23, 2015 at 18:34:39
Next step, run RogueKiller.


#35
April 23, 2015 at 18:46:51
Going to take a break.


#36
April 24, 2015 at 02:32:14
Typing/running cmd (cmd.exe) does open smallish window with a dos prompt.


#37
April 24, 2015 at 06:00:37
Yes I did that but the C:\ didn't work for me; said it was not a recognizable command.


#38
April 24, 2015 at 08:40:56
I can see why that command didn't work but I don't really think Johnw meant you to use command prompt at all. More likely he was just using DOS notation to describe the path in Windows. So, from Windows go "Computer", then find the C drive and once there find the folder adwcleaner. In there you should be able to find the latest adwcleaner log file.

Always pop back and let us know the outcome - thanks



#39
April 24, 2015 at 09:04:12
To get to (drop back to) the C: drive... at the initial "windows" dos prompt you type:

cd.. - that drops you back one level/directory... so logically you could repeat it to get to c: root.

That's CD (upper or lower case) followed immediately (no space) by two full stops/periods... (and then press enter/return of course).

Or simply type < cd c:\ > (no < >) - and go straight to c: root?

You need to "tell" dos to change directory... which is what the "cd" bit is doing... the "c:\" (again no "" or < >) bit tells it which directory to go to.

(The windows dos prompt opens into the system32 folder as I recall...)

This link explains it a little more clearly and shows the assorted dos commands; including variations on the above...

http://www.computerhope.com/cdhlp.htm

Incidentally as it's been a while since I used dos commands... I have just tested the above info on my win7 running in Parallels on a Mac. Works just fine...

message edited by trvlr



#40
April 24, 2015 at 11:44:47

AOL and am going now to reinstall it. I just want to get AOL up and running. Then can do all the virus checking again.

message edited by WarrenTSI



#41
April 24, 2015 at 13:32:47
Just ran RogueKiller:

RogueKiller V10.6.0.0 [Apr 17 2015] by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : http://forum.adlice.com
Website : http://www.adlice.com/softwares/rog...
Blog : http://www.adlice.com

Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User : user [Administrator]
Started from : C:\Users\user\Downloads\RogueKiller (1).exe
Mode : Delete -- Date : 04/24/2015 16:27:11

¤¤¤ Processes : 0 ¤¤¤

¤¤¤ Registry : 10 ¤¤¤
[PUP] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{84FF7BD6-B47F-46F8-9130-01B2696B36CB} -> ERROR [2]
[PUP] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SProtection (C:\Program Files (x86)\Common Files\Umbrella\Umbrella211.exe) -> ERROR [2]
[PUP] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SProtection (C:\Program Files (x86)\Common Files\Umbrella\Umbrella211.exe) -> ERROR [2]
[PUP] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\SProtection (C:\Program Files (x86)\Common Files\Umbrella\Umbrella211.exe) -> ERROR [2]
[PUM.HomePage] (X64) HKEY_USERS\S-1-5-21-2277337054-3082054672-1405126948-1000\Software\Microsoft\Internet Explorer\Main | Start Page : http://go.microsoft.com/fwlink/p/?L... -> Replaced (http://go.microsoft.com/fwlink/p/?LinkId=255141)
[PUM.HomePage] (X86) HKEY_USERS\S-1-5-21-2277337054-3082054672-1405126948-1000\Software\Microsoft\Internet Explorer\Main | Start Page : http://go.microsoft.com/fwlink/p/?L... -> Replaced (http://go.microsoft.com/fwlink/p/?LinkId=255141)
[PUM.Policies] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System | ConsentPromptBehaviorAdmin : 2 -> Replaced (2)
[PUM.Policies] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System | ConsentPromptBehaviorAdmin : 2 -> Replaced (2)
[PUM.StartMenu] (X64) HKEY_USERS\S-1-5-21-2277337054-3082054672-1405126948-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_TrackProgs : 1 -> Replaced (1)
[PUM.StartMenu] (X86) HKEY_USERS\S-1-5-21-2277337054-3082054672-1405126948-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_TrackProgs : 1 -> Replaced (1)

¤¤¤ Tasks : 0 ¤¤¤

¤¤¤ Files : 0 ¤¤¤

¤¤¤ Hosts File : 0 ¤¤¤

¤¤¤ Antirootkit : 0 (Driver: Not loaded [0xc000036b]) ¤¤¤

¤¤¤ Web browsers : 2 ¤¤¤
[IE:Addon] System : AOL Toolbar [{ba00b7b1-0351-477a-b948-23e3ee5a73d4}] -> Deleted
[PUM.HomePage][FIREFX:Config] 8kdUxwoC.default : user_pref("browser.startup.homepage", "http://us.yhs4.search.yahoo.com/yhs/web?hspart=iry&hsimp=yhs-fullyhosted_003&type=wny_secureddownload_15_17&param1=1&param2=f%3D1%26b%3DFirefox%26cc%3Dus%26pa%3DWinYahoo%26cd%3D2XzuyEtN2Y1L1Qzu0EzzyEtD0FtBzyyByEtBtCyB0ByBtBzytN0D0Tzu0StCtBtDzztN1L2XzutAtFtCtDtFtBtFtDtN1L1CzutN1L1G1B1V1N2Y1L1Qzu2SyE0F0BtCzytAyDyEtG0CtBtB0EtGtC0F0DtAtG0BtD0D0DtGyB0FzztD0E0E0DtBtD0EzztB2QtN1M1F1B2Z1V1N2Y1L1Qzu2Szz0CzzyEzztByDzztGtDzzzztBtGyEtDtDzztGzz0C0CzztGzz0B0EyCtA0DyDyEyE0EyEtA2QtN0A0LzutB%26cr%3D1734043491%26a%3Dwny_secureddownload_15_17%26os%3DWindows 7 Home Premium"); -> Replaced (about:home)

¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: ST500DM002-1BD142 +++++
--- User ---
[MBR] 924826ac3437bf7b744da4fb927e1ca9
[BSP] be26b01df814f3e42470ca09652e5698 : Empty|VT.Unknown MBR Code
Partition table:
0 - [MAN-MOUNT] EFI system partition | Offset (sectors): 2048 | Size: 100 MB
1 - [MAN-MOUNT] Microsoft reserved partition | Offset (sectors): 206848 | Size: 128 MB
2 - Basic data partition | Offset (sectors): 468992 | Size: 465360 MB
3 - Basic data partition | Offset (sectors): 953526272 | Size: 11351 MB
User = LL1 ... OK
User = LL2 ... OK

+++++ PhysicalDrive1: Generic- SD/MMC USB Device +++++
Error reading User MBR! ([15] The device is not ready. )
Error reading LL1 MBR! NOT VALID!
Error reading LL2 MBR! ([32] The request is not supported. )

+++++ PhysicalDrive2: Generic- Compact Flash USB Device +++++
Error reading User MBR! ([15] The device is not ready. )
Error reading LL1 MBR! NOT VALID!
Error reading LL2 MBR! ([32] The request is not supported. )

+++++ PhysicalDrive3: Generic- SM/xD-Picture USB Device +++++
Error reading User MBR! ([15] The device is not ready. )
Error reading LL1 MBR! NOT VALID!
Error reading LL2 MBR! ([32] The request is not supported. )

+++++ PhysicalDrive4: Generic- MS/MS-Pro USB Device +++++
Error reading User MBR! ([15] The device is not ready. )
Error reading LL1 MBR! NOT VALID!
Error reading LL2 MBR! ([32] The request is not supported. )


============================================
RKreport_SCN_11262014_222555.log - RKreport_SCN_11262014_222746.log - RKreport_SCN_11262014_222930.log - RKreport_SCN_11262014_223134.log
RKreport_SCN_11262014_223320.log - RKreport_DEL_11262014_223518.log - RKreport_DEL_11262014_223526.log - RKreport_DEL_11262014_223546.log
RKreport_DEL_11262014_223552.log - RKreport_DEL_11262014_223555.log - RKreport_DEL_11262014_223559.log - RKreport_DEL_11262014_223603.log
RKreport_DEL_11262014_223607.log - RKreport_DEL_11262014_223610.log - RKreport_DEL_11262014_223614.log - RKreport_DEL_11262014_223617.log
RKreport_DEL_11262014_223621.log - RKreport_DEL_11262014_223625.log - RKreport_DEL_11262014_223636.log - RKreport_DEL_11262014_223644.log
RKreport_DEL_11262014_223651.log - RKreport_DEL_11262014_223656.log - RKreport_DEL_11262014_223659.log - RKreport_DEL_11262014_223705.log
RKreport_DEL_11262014_223710.log - RKreport_DEL_11262014_223724.log - RKreport_DEL_11262014_223731.log - RKreport_DEL_11262014_223739.log
RKreport_DEL_11262014_223752.log - RKreport_DEL_11262014_223758.log - RKreport_DEL_11262014_223805.log - RKreport_SCN_03152015_141443.log
RKreport_DEL_03152015_141509.log - RKreport_SCN_04242015_004331.log - RKreport_DEL_04242015_004409.log - RKreport_DEL_04242015_004412.log
RKreport_SCN_04242015_162056.log - RKreport_DEL_04242015_162308.log - RKreport_DEL_04242015_162327.log - RKreport_DEL_04242015_162355.log
RKreport_DEL_04242015_162418.log - RKreport_DEL_04242015_162420.log - RKreport_DEL_04242015_162432.log - RKreport_DEL_04242015_162534.log
RKreport_DEL_04242015_162540.log - RKreport_DEL_04242015_162557.log - RKreport_DEL_04242015_162604.log - RKreport_DEL_04242015_162609.log
RKreport_DEL_04242015_162638.log - RKreport_DEL_04242015_162701.log - RKreport_DEL_04242015_162706.log



#42
April 24, 2015 at 13:34:38
Before this I downloaded AOL and opened it. But when I shut down the computer and restarted it, I was unable to open AOL off the aol icon.

Don't know what to do about this now.



#43
April 24, 2015 at 15:20:05
"I don't really think Johnw meant you to use command prompt at all"
Correct Derek.

Once Warren told me in post #33 it was clean, I moved on.

message edited by Johnw



#44
April 24, 2015 at 15:21:20
Desktop Icons are nothing more than shortcuts. Delete that icon and go to the start menu to run AOL. You will most likely find a folder. Open the folder and look for the executable file to run AOL.

If you then can access AOL then open the start menu again, but this time copy and paste that file to the desktop to create another shortcut.



#45
April 24, 2015 at 15:27:07
"Don't know what to do about this now"
No more system restores Warren, they have all the nasties in them, lets get you malware free first & then get any other problems sorted out.


#46
April 24, 2015 at 15:30:20
Please download Rkill from any one of these links and save it to your Desktop. If your default download location is not the Desktop, drag it out of its location onto the Desktop. Copy & Paste the contents of the log in your reply.
http://www.bleepingcomputer.com/dow...
Double click on Rkill to run it. If the first one doesn't work try the next one.
This will help remove certain processes and should restore any file associations and your desktop. Note: Your system is still infected as Rkill does not delete files - it merely helps to temporarily disable the infections, allowing us to start the cleansing process.
Do NOT reboot your machine. Each time you reboot, Rkill is disabled and you would have to run it again in order for it to be effective.

Download ComboFix onto your Desktop & then run. If your default download location is not the Desktop, drag it out of its location onto the Desktop. Copy & Paste the contents of the log in your next post please. ComboFix's log should be located at C:\COMBOFIX.TXT.
The logs are large, upload them using this, or upload to a site of your choosing. No account needed. Give us the links please.
http://www.zippyshare.com/
Instructions on how to use ZippyShare.
http://i.imgur.com/naG6t2T.gif
http://i.imgur.com/Vi9ZdIh.gif
http://i.imgur.com/1IZu5kP.gif
http://www.bleepingcomputer.com/dow...
http://download.bleepingcomputer.co...
http://www.forospyware.com/sUBs/Com...
A guide and tutorial on using ComboFix
http://www.bleepingcomputer.com/com...
http://www.winhelp.us/index.php/gen...
Manually restoring the Internet connection
http://www.bleepingcomputer.com/com...
There are circumstances ComboFix will hang, crash or stall at various stages due to malware interference, failure to disable other real-time protection tools or the presence of CD Emulators (Daemon Tools, Alcohol 120%, Astroburn, AnyDVD) so that it does not complete successfully. Also, depending on how badly a system is infected, ComboFix may take longer to complete its routine than it normally does or fail to run properly. While that is not normal behavior, it is not unusual.
If you think it's frozen, look at the computer clock.
If it's running, Combofix is still working.
NOTE: Do not mouseclick combofix's window while it is running. That may cause it to stall.
NOTE: ComboFix will check to see if the Microsoft Windows Recovery Console is installed.
***It's strongly recommended to have the Recovery Console installed before doing any malware removal.***
**Please Note: If the Microsoft Windows Recovery Console is already installed, ComboFix will automatically proceed with its scan.
The Recovery Console provides a recovery/repair mode should a problem occur during a Combofix run.
Allow ComboFix to download the Recovery Console.
Accept the End-User License Agreement.
The Recovery Console will be installed.
You will then get this next prompt that asks if you want to continue the malware scan, select yes.
If after running Combofix you discover none of your programs will open up, and you receive the following error: "Illegal operation attempted on a registry key that has been marked for deletion". Then the answer is to REBOOT the machine, and all will be corrected.
Can't Install an Antivirus - Windows Security Center still detects previous AV
http://www.experts-exchange.com/Vir...
We are almost ready to start ComboFix, but before we do so, we need to take some preventative measures so that there are no conflicts with other programs when running ComboFix. At this point you should do the following:
* Close all open Windows including this one.
* Close or disable all running Antivirus, Antispyware, and Firewall programs as they may interfere with the proper running of ComboFix. Instructions on disabling these type of programs can be found in this topic.
http://www.bleepingcomputer.com/for...
http://www.techsupportforum.com/for...
Once these two steps have been completed, double-click on the ComboFix icon found on your Desktop.
Please Note: Once you start ComboFix you should not click anywhere on the ComboFix window as it can cause the program to stall. In fact, when ComboFix is running, do not touch your computer at all. The scan could take a while, so please be patient.



#47
April 24, 2015 at 15:33:27
OtheHill
Just wondering, did you really mean have an AOL exe file on the desktop as well as the existing one? I'm thinking that a desktop shortcut to the existing exe file might be necessary as there could be other AOL associated files in the same location. I'm none too familiar with AOL so maybe you know something I don't know.

Warren
Ignore this chatter for now.

Always pop back and let us know the outcome - thanks



#48
April 24, 2015 at 16:45:13
I don't use AOL either but IE and FF have application files that you use to create desktop shortcuts. No different than any other program.

Probably shouldn't have used the term exe. Application is the correct term.

I am assuming the desktop icon is dead because the program was removed.

message edited by OtheHill



#49
April 24, 2015 at 16:50:45
OtheHill
OK thanks - maybe it was just the way I read it.

Always pop back and let us know the outcome - thanks



#50
April 25, 2015 at 05:45:58
Hi John: Rkill:

Rkill 2.7.0 by Lawrence Abrams (Grinler)
http://www.bleepingcomputer.com/
Copyright 2008-2015 BleepingComputer.com
More Information about Rkill can be found at this link:
http://www.bleepingcomputer.com/for...

Program started at: 04/25/2015 08:43:48 AM in x64 mode.
Windows Version: Windows 7 Home Premium Service Pack 1

Checking for Windows services to stop:

* No malware services found to stop.

Checking for processes to terminate:

* C:\windows\wanmpsvc.exe (PID: 3568) [WD-HEUR]

1 proccess terminated!

Checking Registry for malware related settings:

* No issues found in the Registry.

Resetting .EXE, .COM, & .BAT associations in the Windows Registry.

Performing miscellaneous checks:

* No issues found.

Checking Windows Service Integrity:

* No issues found.

Searching for Missing Digital Signatures:

* C:\windows\System32\drivers\usbuhci.sys : 30,720 : 04/08/2013 03:03 PM : 62069a34518bcf9c1fd9e74b3f6db7cd [NoSig]
+-> C:\windows\System32\DriverStore\FileRepository\usbport.inf_amd64_neutral_d5d6e7e900318837\usbuhci.sys : 30,720 : 11/26/2013 09:41 PM : dd253afc3bc6cba412342de60c3647f3 [Pos Repl]
+-> C:\windows\System32\DriverStore\FileRepository\usbport.inf_amd64_neutral_f935002f367d5bb0\usbuhci.sys : 30,720 : 07/13/2009 08:06 PM : 81fb2216d3a60d1284455d511797db3d [Pos Repl]
+-> C:\windows\winsxs\amd64_usbport.inf_31bf3856ad364e35_6.1.7601.17514_none_1be864e21a2d2b97\usbuhci.sys : 30,720 : 07/13/2009 08:06 PM : 81fb2216d3a60d1284455d511797db3d [Pos Repl]
+-> C:\windows\winsxs\amd64_usbport.inf_31bf3856ad364e35_6.1.7601.18328_none_1be17b8a1a31cc37\usbuhci.sys : 30,720 : 11/26/2013 09:41 PM : dd253afc3bc6cba412342de60c3647f3 [Pos Repl]
+-> C:\windows\winsxs\amd64_usbport.inf_31bf3856ad364e35_6.1.7601.22526_none_1c6919a73351367a\usbuhci.sys : 30,720 : 11/26/2013 09:42 PM : 2e682dce4319a90e02a327f8a427544a [Pos Repl]

Checking HOSTS File:

* No issues found.

Program finished at: 04/25/2015 08:44:36 AM
Execution time: 0 hours(s), 0 minute(s), and 48 seconds(s)



#51
April 25, 2015 at 06:15:57
john: hope I did this right. let me know. lol have to go out for now

http://www51.zippyshare.com/v/foSLk...



#53
April 25, 2015 at 07:27:58

Thanks Warren, the txt one was Ok.

Re your post #19, have a look at the files you sent & you will see what you have done wrong.

Delete any FRST.exe & FRST/Addition.txt files you have on the Desktop. Then Download the new version > Farbar Recovery Scan Tool 23.4.2015.2
Run the program & before uploading, open them & make sure you are sending the correct files.



#54
April 25, 2015 at 12:13:28
deleted frst etc off desktop

http://www55.zippyshare.com/v/U65ZZ...

http://www55.zippyshare.com/v/Q3vSS...



#55
April 25, 2015 at 16:21:57
That's better Warren.

Copy & Paste the text below ( starting closeprocesses: ), save it into Notepad on your Desktop & name it fixlist.txt
NOTE: It is important that Notepad is used. The fix will not work if Word or some other program is used.
NOTE: It is important that both files, FRST/FRST64 and fixlist.txt are in the same location or the fix will not work.
NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.

closeprocesses:
emptytemp:
Download Updater (AOL Inc.) (HKLM-x32\...\SoftwareUpdUtility) (Version: - AOL Inc.) <==== ATTENTION
Task: {2B22CCD7-06A3-4B40-A67D-72031237880D} - \Driver Booster SkipUAC (user) No Task File <==== ATTENTION
Task: {6636EB01-CEEC-4CED-B0E9-12003AF6DE13} - \ProPCCleaner_Start No Task File <==== ATTENTION
Task: {E6727D44-19A7-4A02-998A-1701BD5AEE9F} - \gtaUpt No Task File <==== ATTENTION
Task: {FD9688E3-A7DA-4764-AB03-705DD2ED7474} - System32\Tasks\OfficeSoftwareProtectionPlatform\SvcRestartTask => Sc.exe start osppsvc
Task: {FE4F9E2D-0870-4CD3-B013-837A9CF9E801} - \ProPCCleaner_Popup No Task File <==== ATTENTION
AlternateDataStreams: C:\windows\system32\Drivers\uqdrccfr.sys:changelist
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
HKU\S-1-5-21-2277337054-3082054672-1405126948-1000\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
SearchScopes: HKLM -> {8CDE19E6-71C2-4B46-89B7-35F6A18C571A} URL =
SearchScopes: HKLM-x32 -> {4E315FC2-4FEC-4525-9CC6-253C291A4C7D} URL = http://search.aol.com/aol/search?q=...
SearchScopes: HKU\S-1-5-19 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-20 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-21-2277337054-3082054672-1405126948-1000 -> DefaultScope {ECCD7E25-182F-4CFD-89DF-8436C1741C90} URL = http://search.aol.com/aol/search?q=...
SearchScopes: HKU\S-1-5-21-2277337054-3082054672-1405126948-1000 -> {67C334C0-408D-4E6D-B5A7-0ADD6AFFA252} URL = http://us.yhs4.search.yahoo.com/yhs/search?hspart=iry&hsimp=yhs-fullyhosted_003&type=wny_secureddownload_15_17¶m1=1¶m2=f%3D4%26b%3DIE%26cc%3Dus%26pa%3DWinYahoo%26cd%3D2XzuyEtN2Y1L1Qzu0EzzyEtD0FtBzyyByEtBtCyB0ByBtBzytN0D0Tzu0StCtBtDzztN1L2XzutAtFtCtDtFtBtFtDtN1L1CzutN1L1G1B1V1N2Y1L1Qzu2SyE0F0BtCzytAyDyEtG0CtBtB0EtGtC0F0DtAtG0BtD0D0DtGyB0FzztD0E0E0DtBtD0EzztB2QtN1M1F1B2Z1V1N2Y1L1Qzu2Szz0CzzyEzztByDzztGtDzzzztBtGyEtDtDzztGzz0C0CzztGzz0B0EyCtA0DyDyEyE0EyEtA2QtN0A0LzutB%26cr%3D1734043491%26a%3Dwny_secureddownload_15_17%26os%3DWindows 7 Home Premium&p={searchTerms}
SearchScopes: HKU\S-1-5-21-2277337054-3082054672-1405126948-1000 -> {ECCD7E25-182F-4CFD-89DF-8436C1741C90} URL = http://search.aol.com/aol/search?q=...
BHO: AOL Toolbar Loader -> {3ef64538-8b54-4573-b48f-4d34b0238ab2} -> C:\Program Files\AOL Toolbar\aoltb.dll No File
CHR Extension: (No Name) - C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\igckfjdcbkimejmjmpmebffdjjjgncfn [2015-04-25]
S2 AVGIDSAgent; No ImagePath
S2 avgwd; No ImagePath
S2 csrcc; No ImagePath
S1 HWiNFO32; No ImagePath
S1 hszhgdgs; \??\C:\windows\system32\drivers\hszhgdgs.sys [X]
2015-04-22 20:06 - 2015-04-22 20:06 - 0001078 _____ () C:\Program Files\Videos - Shortcut.lnk
2014-08-05 13:58 - 2014-08-05 13:58 - 0000132 _____ () C:\Users\user\AppData\Roaming\Adobe BMP Format CS5 Prefs
2015-03-01 17:09 - 2015-04-15 00:42 - 0000135 _____ () C:\Users\user\AppData\Roaming\WB.CFG
2014-12-19 21:57 - 2014-12-19 21:57 - 0000064 _____ () C:\Users\user\AppData\Local\03f93296264d03cea06482ef12c9d103
2014-07-02 16:06 - 2014-09-10 22:28 - 0004608 _____ () C:\Users\user\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
2015-03-03 09:43 - 2015-03-04 09:43 - 0000010 _____ () C:\Users\user\AppData\Local\DSI.DAT
2015-04-15 15:16 - 2015-04-15 15:16 - 0002137 _____ () C:\Users\user\AppData\Local\recently-used.xbel

Run FRST/FRST64 and press the Fix button just once and wait.
If for some reason the tool needs a restart, please make sure you let the system restart normally. After that, let the tool complete its run.
When finished FRST will generate a log on the Desktop (Fixlog.txt). Please Copy & Paste the contents into your reply.



#56
April 26, 2015 at 08:16:36
Johnw:

I copied and pasted text below (starting close processes), and saved it to notepad on desktop, and named it 'fixlist.txt'

Downloaded and ran FRST/FRST64, sent it to notepad and saved it on desktop.

Ran it and a box comes up "scan completed. The "frst.txt" is saved in the same location FRST tool is run."

I assume that means on the desktop.

I clicked OK to that, and click on FIX and it says "no fix list.txt found should be in same folder/directory the tool is located."

the tool is on the desktop, and so is fixlist.txt.

Please help.



#57
April 26, 2015 at 12:26:28
No idea Warren, we went through this last time.

Plenty of screenshots if you can't see why, it will be something simple.



#58
April 26, 2015 at 13:45:29
Well, I don't see it.

FRST,txt is saved on Notebook, on the desktop;
fixlist.txt is saved on Notebook, on the desktop;
FRST64.exe is on the desktop.

just don't see it. sorry



#59
April 26, 2015 at 14:56:54
OK. I figured it out. here it is

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 26-04-2015
Ran by user at 2015-04-26 17:47:07 Run:1
Running from C:\Users\user\Downloads
Loaded Profiles: user (Available profiles: user & Arleen)
Boot Mode: Normal
==============================================

Content of fixlist:
*****************
closeprocesses:
emptytemp:
Download Updater (AOL Inc.) (HKLM-x32\...\SoftwareUpdUtility) (Version: - AOL Inc.) <==== ATTENTION
Task: {2B22CCD7-06A3-4B40-A67D-72031237880D} - \Driver Booster SkipUAC (user) No Task File <==== ATTENTION
Task: {6636EB01-CEEC-4CED-B0E9-12003AF6DE13} - \ProPCCleaner_Start No Task File <==== ATTENTION
Task: {E6727D44-19A7-4A02-998A-1701BD5AEE9F} - \gtaUpt No Task File <==== ATTENTION
Task: {FD9688E3-A7DA-4764-AB03-705DD2ED7474} - System32\Tasks\OfficeSoftwareProtectionPlatform\SvcRestartTask => Sc.exe start osppsvc
Task: {FE4F9E2D-0870-4CD3-B013-837A9CF9E801} - \ProPCCleaner_Popup No Task File <==== ATTENTION
AlternateDataStreams: C:\windows\system32\Drivers\uqdrccfr.sys:changelist
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
HKU\S-1-5-21-2277337054-3082054672-1405126948-1000\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
SearchScopes: HKLM -> {8CDE19E6-71C2-4B46-89B7-35F6A18C571A} URL =
SearchScopes: HKLM-x32 -> {4E315FC2-4FEC-4525-9CC6-253C291A4C7D} URL = http://search.aol.com/aol/search?q=...
SearchScopes: HKU\S-1-5-19 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-20 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-21-2277337054-3082054672-1405126948-1000 -> DefaultScope {ECCD7E25-182F-4CFD-89DF-8436C1741C90} URL = http://search.aol.com/aol/search?q=...
SearchScopes: HKU\S-1-5-21-2277337054-3082054672-1405126948-1000 -> {67C334C0-408D-4E6D-B5A7-0ADD6AFFA252} URL = http://us.yhs4.search.yahoo.com/yhs/search?hspart=iry&hsimp=yhs-fullyhosted_003&type=wny_secureddownload_15_17¶m1=1¶m2=f%3D4%26b%3DIE%26cc%3Dus%26pa%3DWinYahoo%26cd%3D2XzuyEtN2Y1L1Qzu0EzzyEtD0FtBzyyByEtBtCyB0ByBtBzytN0D0Tzu0StCtBtDzztN1L2XzutAtFtCtDtFtBtFtDtN1L1CzutN1L1G1B1V1N2Y1L1Qzu2SyE0F0BtCzytAyDyEtG0CtBtB0EtGtC0F0DtAtG0BtD0D0DtGyB0FzztD0E0E0DtBtD0EzztB2QtN1M1F1B2Z1V1N2Y1L1Qzu2Szz0CzzyEzztByDzztGtDzzzztBtGyEtDtDzztGzz0C0CzztGzz0B0EyCtA0DyDyEyE0EyEtA2QtN0A0LzutB%26cr%3D1734043491%26a%3Dwny_secureddownload_15_17%26os%3DWindows 7 Home Premium&p={searchTerms}
SearchScopes: HKU\S-1-5-21-2277337054-3082054672-1405126948-1000 -> {ECCD7E25-182F-4CFD-89DF-8436C1741C90} URL = http://search.aol.com/aol/search?q=...
BHO: AOL Toolbar Loader -> {3ef64538-8b54-4573-b48f-4d34b0238ab2} -> C:\Program Files\AOL Toolbar\aoltb.dll No File
CHR Extension: (No Name) - C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\igckfjdcbkimejmjmpmebffdjjjgncfn [2015-04-25]
S2 AVGIDSAgent; No ImagePath
S2 avgwd; No ImagePath
S2 csrcc; No ImagePath
S1 HWiNFO32; No ImagePath
S1 hszhgdgs; \??\C:\windows\system32\drivers\hszhgdgs.sys [X]
2015-04-22 20:06 - 2015-04-22 20:06 - 0001078 _____ () C:\Program Files\Videos - Shortcut.lnk
2014-08-05 13:58 - 2014-08-05 13:58 - 0000132 _____ () C:\Users\user\AppData\Roaming\Adobe BMP Format CS5 Prefs
2015-03-01 17:09 - 2015-04-15 00:42 - 0000135 _____ () C:\Users\user\AppData\Roaming\WB.CFG
2014-12-19 21:57 - 2014-12-19 21:57 - 0000064 _____ () C:\Users\user\AppData\Local\03f93296264d03cea06482ef12c9d103
2014-07-02 16:06 - 2014-09-10 22:28 - 0004608 _____ () C:\Users\user\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
2015-03-03 09:43 - 2015-03-04 09:43 - 0000010 _____ () C:\Users\user\AppData\Local\DSI.DAT
2015-04-15 15:16 - 2015-04-15 15:16 - 0002137 _____ () C:\Users\user\AppData\Local\recently-used.xbel


*****************

Processes closed successfully.
Download Updater (AOL Inc.) (HKLM-x32\...\SoftwareUpdUtility) (Version: - AOL Inc.) <==== ATTENTION => Error: No automatic fix found for this entry.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{2B22CCD7-06A3-4B40-A67D-72031237880D}" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{2B22CCD7-06A3-4B40-A67D-72031237880D}" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Driver Booster SkipUAC (user)" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon\{6636EB01-CEEC-4CED-B0E9-12003AF6DE13}" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{6636EB01-CEEC-4CED-B0E9-12003AF6DE13}" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\ProPCCleaner_Start" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{E6727D44-19A7-4A02-998A-1701BD5AEE9F}" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{E6727D44-19A7-4A02-998A-1701BD5AEE9F}" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\gtaUpt" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{FD9688E3-A7DA-4764-AB03-705DD2ED7474}" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{FD9688E3-A7DA-4764-AB03-705DD2ED7474}" => Key deleted successfully.
C:\Windows\System32\Tasks\OfficeSoftwareProtectionPlatform\SvcRestartTask => Moved successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\OfficeSoftwareProtectionPlatform\SvcRestartTask" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{FE4F9E2D-0870-4CD3-B013-837A9CF9E801}" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{FE4F9E2D-0870-4CD3-B013-837A9CF9E801}" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\ProPCCleaner_Popup" => Key deleted successfully.
C:\windows\system32\Drivers\uqdrccfr.sys => ":changelist" ADS removed successfully.
"HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer" => Key deleted successfully.
"HKU\S-1-5-21-2277337054-3082054672-1405126948-1000\SOFTWARE\Policies\Microsoft\Internet Explorer" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{8CDE19E6-71C2-4B46-89B7-35F6A18C571A}" => Key deleted successfully.
HKCR\CLSID\{8CDE19E6-71C2-4B46-89B7-35F6A18C571A} => Key not found.
"HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\{4E315FC2-4FEC-4525-9CC6-253C291A4C7D}" => Key deleted successfully.
HKCR\Wow6432Node\CLSID\{4E315FC2-4FEC-4525-9CC6-253C291A4C7D} => Key not found.
HKU\S-1-5-19\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => value deleted successfully.
HKU\S-1-5-20\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => value deleted successfully.
HKU\S-1-5-21-2277337054-3082054672-1405126948-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => value deleted successfully.
"HKU\S-1-5-21-2277337054-3082054672-1405126948-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{67C334C0-408D-4E6D-B5A7-0ADD6AFFA252}" => Key deleted successfully.
HKCR\CLSID\{67C334C0-408D-4E6D-B5A7-0ADD6AFFA252} => Key not found.
"HKU\S-1-5-21-2277337054-3082054672-1405126948-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{ECCD7E25-182F-4CFD-89DF-8436C1741C90}" => Key deleted successfully.
HKCR\CLSID\{ECCD7E25-182F-4CFD-89DF-8436C1741C90} => Key not found.
"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3ef64538-8b54-4573-b48f-4d34b0238ab2}" => Key deleted successfully.
"HKCR\CLSID\{3ef64538-8b54-4573-b48f-4d34b0238ab2}" => Key deleted successfully.
C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\igckfjdcbkimejmjmpmebffdjjjgncfn => Moved successfully.
AVGIDSAgent => Service deleted successfully.
avgwd => Service deleted successfully.
csrcc => Service deleted successfully.
HWiNFO32 => Service deleted successfully.
hszhgdgs => Service deleted successfully.
C:\Program Files\Videos - Shortcut.lnk => Moved successfully.
C:\Users\user\AppData\Roaming\Adobe BMP Format CS5 Prefs => Moved successfully.
C:\Users\user\AppData\Roaming\WB.CFG => Moved successfully.
C:\Users\user\AppData\Local\03f93296264d03cea06482ef12c9d103 => Moved successfully.
C:\Users\user\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini => Moved successfully.
C:\Users\user\AppData\Local\DSI.DAT => Moved successfully.
C:\Users\user\AppData\Local\recently-used.xbel => Moved successfully.
EmptyTemp: => Removed 283.8 MB temporary data.


The system needed a reboot.

==== End of Fixlog 17:47:16 ====


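As an added example (not code from this thread or from Farbar), a small parser for a Fixlog.txt in the format posted above. It tallies what FRST actually did, separates entries that were already gone ("Key not found") from entries FRST had no automatic fix for (the "Download Updater (AOL Inc.)" line above), and records the "Running from" directory, which is where fixlist.txt has to sit. The sample log is constructed from lines of this thread and trimmed; the function and class names are mine.

```python
from dataclasses import dataclass, field

# Constructed sample: a trimmed copy of the Fixlog format posted in this thread.
SAMPLE_FIXLOG = r"""Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 26-04-2015
Ran by user at 2015-04-26 17:47:07 Run:1
Running from C:\Users\user\Downloads
==============================================

Content of fixlist:
*****************
closeprocesses:
emptytemp:
Download Updater (AOL Inc.) (HKLM-x32\...\SoftwareUpdUtility) (Version: - AOL Inc.) <==== ATTENTION
Task: {2B22CCD7-06A3-4B40-A67D-72031237880D} - \Driver Booster SkipUAC (user) No Task File <==== ATTENTION
S2 AVGIDSAgent; No ImagePath

*****************

Processes closed successfully.
Download Updater (AOL Inc.) (HKLM-x32\...\SoftwareUpdUtility) (Version: - AOL Inc.) <==== ATTENTION => Error: No automatic fix found for this entry.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{2B22CCD7-06A3-4B40-A67D-72031237880D}" => Key deleted successfully.
HKCR\CLSID\{8CDE19E6-71C2-4B46-89B7-35F6A18C571A} => Key not found.
C:\windows\system32\Drivers\uqdrccfr.sys => ":changelist" ADS removed successfully.
C:\Users\user\AppData\Local\DSI.DAT => Moved successfully.
AVGIDSAgent => Service deleted successfully.
EmptyTemp: => Removed 283.8 MB temporary data.

The system needed a reboot.

==== End of Fixlog 17:47:16 ====
"""


@dataclass
class FixlogSummary:
    run_from: str = ""          # directory FRST ran from; fixlist.txt must sit here
    fixlist: list = field(default_factory=list)    # entries echoed back from fixlist.txt
    ok: list = field(default_factory=list)         # (target, outcome) pairs FRST acted on
    not_found: list = field(default_factory=list)  # already gone before the fix ran
    errors: list = field(default_factory=list)     # FRST had no automatic fix
    other: list = field(default_factory=list)      # outcomes this parser does not classify
    reboot_needed: bool = False


def parse_fixlog(text: str) -> FixlogSummary:
    """Walk the log's sections: header, echoed fixlist, then per-entry results."""
    s = FixlogSummary()
    section = "header"
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if section == "header":
            if line.startswith("Running from "):
                s.run_from = line[len("Running from "):]
            elif line == "Content of fixlist:":
                section = "before_fixlist"
        elif section == "before_fixlist":
            if line.startswith("*****"):
                section = "fixlist"
        elif section == "fixlist":
            if line.startswith("*****"):
                section = "results"
            else:
                s.fixlist.append(line)
        else:  # results
            if line.startswith("==== End of Fixlog"):
                break
            if line == "The system needed a reboot.":
                s.reboot_needed = True
                continue
            # Result lines read "<target> => <outcome>"; split on the LAST arrow so the
            # "<==== ATTENTION" marker inside a target is not mistaken for the separator.
            target, sep, outcome = line.rpartition(" => ")
            if not sep:
                target, outcome = "(global)", line
            if outcome.startswith("Error"):
                s.errors.append((target, outcome))
            elif "not found" in outcome.lower():
                s.not_found.append((target, outcome))
            elif "successfully" in outcome or outcome.startswith("Removed "):
                s.ok.append((target, outcome))
            else:
                s.other.append((target, outcome))
    return s


def needs_follow_up(summary: FixlogSummary) -> list:
    """Targets FRST reported an error for: remove these by hand or with another tool."""
    return [target for target, _ in summary.errors]
```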

#60
April 26, 2015 at 15:32:57
by zippyshare:

http://www78.zippyshare.com/v/2eAYg...



#61
April 26, 2015 at 18:15:42
"OK. I figured it out"
Good one Warren.

Run these again in this order, post the logs please.

1: AdwCleaner
2: Update first & then run Malwarebytes



#62
April 26, 2015 at 18:55:31
thanks. will run them


#63
April 26, 2015 at 19:21:39
adaware found nothing:


<?xml version="1.0"?>
<Summary>
<ScanInfo EndTime="20150427T021607.950986" StartTime="20150427T021407.950986" ScanType="Quick" ScanMode="Manual"/>
<InfectedObjects/>
</Summary>



#64
April 26, 2015 at 19:24:41
running Malwarebytes now. computer running unsteady since I ran the Fix


#65
April 26, 2015 at 19:58:12
and here is updated malwarebytes:

http://www5.zippyshare.com/v/6iOqUp...



#66
April 26, 2015 at 20:00:28
Have you quarantined them Warren?
New log showing please.


#67
April 26, 2015 at 20:03:38
yes i have done that


#68
April 26, 2015 at 20:07:26
Run malwarebytes again to make sure the removals have stuck.

Post the log after quarantining anything it finds. If nothing is found, still post the log.



#69
April 26, 2015 at 20:11:05
here is the log before quarantine. will run it again and send to you

http://www66.zippyshare.com/v/A1PpL...



#70
April 26, 2015 at 21:29:36
john; zippyshare not allowing me to upload the second one. ads popping up all over the screen.

have to go to bed now.

can you leave me further instructions. I will try again tomorrow



#71
April 26, 2015 at 21:34:31
"I will try again tomorrow"
That's the best way Warren, when you are fresh.

"ads popping up all over the screen"
I use this.

Ad Muncher
http://www.softpedia.com/get/Intern...
https://www.admuncher.com/



#72
April 27, 2015 at 05:46:10
http://www8.zippyshare.com/v/YelLm9...

will run malwarebytes when I come home later.

very unstable here.



#73
April 27, 2015 at 05:49:46
morning John:

on other computer now. other is very unstable but I am going to run malwarebytes again while off to work.

and will do your last instruction. muncher. sounds like a good one.



#75
April 27, 2015 at 13:07:56
ok ran Malwarebytes for fourth time:

http://www54.zippyshare.com/v/U1KnJ...



#76
April 27, 2015 at 15:56:34
Step 1: Run DelFix. Copy & Paste the contents of the log please.
https://toolslib.net/downloads/view...
DelFix is designed to delete all removal tools used during a disinfection.
Indeed, these tools are often updated. It's recommended not to have and use outdated versions on computer.
It's compatible with Windows XP, Vista, 7, 8 in 32 & 64 bits.
Run the tool by right-clicking the DelFix icon and choosing the Run as administrator option.
Make sure that these are checked:
Activate UAC (optional; some users prefer to keep it off)
Remove disinfection tools
Create registry backup
Purge system restore
Reset system settings
Click Run and wait until the tool completes its work.
All tools we used should be gone. The tool will create a report for you (C:\DelFix.txt)

Step 2: Download the new version of Junkware Removal Tool onto your Desktop. If your default download location is not the Desktop, drag it out of its location onto the Desktop.
Warning! Once the scan is complete JRT will shut down your browser with NO warning.
Shut down your protection software now to avoid potential conflicts.
Temporarily disable your antivirus and any antispyware real time protection before performing a scan.



#77
April 28, 2015 at 07:15:37
Johnw:

The most amazing thing happened last night.

All is well!!! I had run Eset and Malwarebytes again and found many evil things. And I deleted quite a few things that were making the computer unstable. Upon rebooting, AOL opened up and all is well.

I owe you a debt of gratitude for standing by and helping me out in such a perplexing situation. And I also learned a lot by what you showed me.

Thank you and to the Forum also.



#78
April 28, 2015 at 12:34:04
✔ Best Answer
Good one Warren, I could see there was more work to do.

Make sure you run Delfix.

Download the latest version of Farbar, run, then upload the 2 logs please.



#79
April 28, 2015 at 14:21:40
ok john will do


#80
April 28, 2015 at 14:35:37
# DelFix v10.8 - Logfile created 28/04/2015 at 17:30:41
# Updated 29/07/2014 by Xplode
# Username : user - USER-HP
# Operating System : Windows 7 Home Premium Service Pack 1 (64 bits)

~ Activating UAC ... OK

~ Removing disinfection tools ...

Deleted : C:\Qoobox
Deleted : C:\FRST
Deleted : C:\Users\user\Downloads\FRST-OlderVersion
Deleted : C:\ComboFix.txt
Deleted : C:\Users\user\Desktop\FRST.txt
Deleted : C:\Users\user\Desktop\FRST64.exe - Shortcut.lnk
Deleted : C:\Users\user\Downloads\Addition.txt
Deleted : C:\Users\user\Downloads\adwcleaner_4.202(1).exe
Deleted : C:\Users\user\Downloads\adwcleaner_4.202.exe
Deleted : C:\Users\user\Downloads\ComboFix.exe
Deleted : C:\Users\user\Downloads\esetsmartinstaller_enu (1).exe
Deleted : C:\Users\user\Downloads\esetsmartinstaller_enu.exe
Deleted : C:\Users\user\Downloads\Fixlog.txt
Deleted : C:\Users\user\Downloads\FRST.txt
Deleted : C:\Users\user\Downloads\FRST64.exe
Deleted : C:\Users\user\Downloads\rkill.com
Deleted : C:\Users\user\Downloads\RogueKiller (1).exe
Deleted : C:\windows\grep.exe
Deleted : C:\windows\PEV.exe
Deleted : C:\windows\NIRCMD.exe
Deleted : C:\windows\MBR.exe
Deleted : C:\windows\SED.exe
Deleted : C:\windows\SWREG.exe
Deleted : C:\windows\SWSC.exe
Deleted : C:\windows\SWXCACLS.exe
Deleted : C:\windows\Zip.exe
Deleted : HKLM\SOFTWARE\Swearware
Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\combofix.exe

~ Creating registry backup ... OK

~ Cleaning system restore ...

Deleted : RP #352 [After installing Advanced Uninstaller PRO | 04/28/2015 00:14:58]
Deleted : RP #353 [Installed AVG 2015 | 04/28/2015 01:41:59]
Deleted : RP #354 [Installed AVG 2015 | 04/28/2015 01:42:34]
Deleted : RP #355 [IObit Uninstaller restore point | 04/28/2015 02:03:12]

New restore point created !

~ Resetting system settings ... OK

########## - EOF - ##########

message edited by WarrenTSI



#81
April 28, 2015 at 14:50:47
and JRT

http://www51.zippyshare.com/v/j86iB...



#82
April 28, 2015 at 17:12:14
"and JRT"
That's not the log.


#83
April 28, 2015 at 18:05:47
now I can't open AOL???

http://www1.zippyshare.com/v/aPdxuy...



#84
April 28, 2015 at 18:19:09
I only have one restore point remaining, this evening when I ran JRT and DelFix


#85
April 28, 2015 at 18:47:01
"now I can't open AOL???"
Can you forget about AOL, until we get the comp clean.

Do the rest of post #78 please.



#88
April 28, 2015 at 19:10:04
now aol opens rerererer


#89
April 28, 2015 at 22:27:38
"ok ran Malwarebytes for fourth time:"
It keeps finding & quarantining this file each time.
veggy@veggyAddon.com
http://www.systemlookup.com/FF_Exte...
That file was not in any of your Farbar logs, normally it would be. So it got on your comp sometime after the first & last logs. I have no idea how it got there.

"All is well!!! I had run Eset and Malwarebytes again and found many evil things"
Probably including > veggy@veggyAddon.com

"I only have one restore point remaining"
Correct, the others were infected.

Copy & Paste the text below ( starting closeprocesses: ), save it into Notepad on your Desktop & name it fixlist.txt
NOTE: It is important that Notepad is used. The fix will not work if Word or some other program is used.
NOTE: It is important that both files, FRST/FRST64 and fixlist.txt are in the same location or the fix will not work.
NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.

closeprocesses:
emptytemp:
Task: {3AA6B597-E1F5-4FAE-8590-CEE7BA1C499C} - \ReimageUpdater No Task File <==== ATTENTION
Task: {3E926AA2-17A1-4602-89AA-023759F4A36F} - \SmartWeb Upgrade Trigger Task No Task File <==== ATTENTION
Task: {4381DFCD-21D7-4634-8893-0B58B2DB71B3} - System32\Tasks\RweljUS => C:\Users\user\AppData\Roaming\RweljUS.exe <==== ATTENTION
Task: {4C8DA41D-E736-4F3A-A0C0-8819A2D5B0BB} - \avaavaevy No Task File <==== ATTENTION
Task: {79DDD1BF-5133-45ED-B9ED-A88D3B38478F} - System32\Tasks\1N0vB89Qh5UXWJzTMjm => C:\Users\user\AppData\Roaming\1N0vB89Qh5UXWJzTMjm.exe <==== ATTENTION
Task: {7B0BF9EE-5D04-4C92-B413-3D5D0C12EC37} - \Reimage Reminder No Task File <==== ATTENTION
Task: {954F9DA0-7EDD-48F9-8415-F45143320BFF} - System32\Tasks\NetEngine => C:\ProgramData\NetEngine\bin\D7\netengine.exe <==== ATTENTION
Task: {D94D27B4-0F61-40B1-B2C6-4271D74886C4} - System32\Tasks\KH4a9wc6t5qIiVBvj1S => C:\Users\user\AppData\Roaming\KH4a9wc6t5qIiVBvj1S.exe <==== ATTENTION
Task: {FD6F40CB-5F1C-471E-A05A-3485BD31D27C} - System32\Tasks\ozf2tRvggeNhJK0A3YgWZ9WyIHy => C:\Users\user\AppData\Roaming\ozf2tRvggeNhJK0A3YgWZ9WyIHy.exe <==== ATTENTION
Task: C:\windows\Tasks\1N0vB89Qh5UXWJzTMjm.job => C:\Users\user\AppData\Roaming\1N0vB89Qh5UXWJzTMjm.exe <==== ATTENTION
Task: C:\windows\Tasks\KH4a9wc6t5qIiVBvj1S.job => C:\Users\user\AppData\Roaming\KH4a9wc6t5qIiVBvj1S.exe <==== ATTENTION
Task: C:\windows\Tasks\ozf2tRvggeNhJK0A3YgWZ9WyIHy.job => C:\Users\user\AppData\Roaming\ozf2tRvggeNhJK0A3YgWZ9WyIHy.exe <==== ATTENTION
Task: C:\windows\Tasks\RweljUS.job => C:\Users\user\AppData\Roaming\RweljUS.exe <==== ATTENTION
AppInit_DLLs: C:\PROGRA~2\SearchProtect\SearchProtect\bin\VC64Loader.dll => C:\PROGRA~2\SearchProtect\SearchProtect\bin\VC64Loader.dll File Not Found
ShortcutTarget: hqghumeaylnlf.lnk -> C:\ProgramData\{addcd112-c87d-3b11-addc-cd112c87444b}\hqghumeaylnlf.exe (No File)
SearchScopes: HKU\S-1-5-21-2277337054-3082054672-1405126948-1000 -> DefaultScope {015DB5FA-EAFB-4592-A95B-F44D3EE87FA9} URL =
BHO-x32: AOL Toolbar Loader -> {3ef64538-8b54-4573-b48f-4d34b0238ab2} -> C:\Program Files (x86)\AOL Toolbar\aoltb.dll No File
Toolbar: HKLM-x32 - AOL Toolbar - {ba00b7b1-0351-477a-b948-23e3ee5a73d4} - C:\Program Files (x86)\AOL Toolbar\aoltb.dll No File
FF Extension: No Name - C:\Program Files (x86)\Ninja Loader\FireFox [2015-04-27]
S3 MozillaMaintenance; "C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe" [X]
S2 NinjaLoaderService; No ImagePath
S2 nNOyjb; "C:\ProgramData\TQrRAeTSFU\nNOyjb.exe" [X]
S2 qkv; c:\windows\qkv.exe [X]
S3 cpuz134; \??\C:\Users\user\AppData\Local\Temp\cpuz134\cpuz134_x64.sys [X]
2015-04-19 08:20 - 2015-04-19 08:20 - 0005872 _____ () C:\Users\user\AppData\Roaming\1N0vB89Qh5UXWJzTMjm
2015-04-19 08:20 - 2015-04-19 08:20 - 0005872 _____ () C:\Users\user\AppData\Roaming\KH4a9wc6t5qIiVBvj1S
2015-04-14 12:28 - 2015-04-14 12:28 - 0004387 _____ () C:\Users\user\AppData\Roaming\ozf2tRvggeNhJK0A3YgWZ9WyIHy
2015-04-14 12:28 - 2015-04-14 12:28 - 0004387 _____ () C:\Users\user\AppData\Roaming\RweljUS
2015-04-27 16:38 - 2015-04-27 16:38 - 0000064 _____ () C:\Users\user\AppData\Local\03f93296264d03cea06482ef12c9d103

Run FRST/FRST64 and press the Fix button just once and wait.
If for some reason the tool needs a restart, please make sure you let the system restart normally. After that, let the tool complete its run.
When finished FRST will generate a log on the Desktop (Fixlog.txt). Please Copy & Paste the contents into your reply.

