Solved HP Win8.1 Virus Problems Found

February 28, 2015 at 00:38:38
Specs: Window 8.1
I discovered two problems because of a recent change from Webroot anti-virus over to Comodo. Comodo deep scan found the problems. I ran Malwarebytes and found several more. They were quarantined and cleaned. ESET found 23 problems. Two of those were not cleaned by the program.

I'm helping out my Mom with her computer this time. I'm hoping you can take a look at the Malwarebytes and ESET logs and help with next steps. I've dealt with XP and Win 7 problems before, but I'm not sure if the same programs I've used in the past should be used on Win 8.1.




✔ Best Answer
February 28, 2015 at 04:22:20
If needed.

Copy & Paste the text below, save it into Notepad on your Desktop & name it fixlist.txt
NOTE: It is important that Notepad is used. The fix will not work if Word or some other program is used.
NOTE: It is important that both files, FRST/FRST64 and fixlist.txt are in the same location or the fix will not work.
NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.

cmd: netsh winsock reset
cmd: ipconfig /flushdns

Run FRST/FRST64 and press the Fix button just once and wait.
If for some reason the tool needs a restart, please make sure you let the system restart normally. After that, let the tool complete its run.
When finished FRST will generate a log on the Desktop (Fixlog.txt). Please Copy & Paste the contents into your reply.



#1
February 28, 2015 at 00:39:35
Malwarebytes:

<?xml version="1.0" encoding="UTF-16" ?>
<mbam-log>
<header>
<date>2015/02/27 18:43:58 -0700</date>
<logfile>mbam-log-2015-02-27 (18-43-52).xml</logfile>
<isadmin>yes</isadmin>
</header>
<engine>
<version>2.00.4.1028</version>
<malware-database>v2015.02.28.01</malware-database>
<rootkit-database>v2015.02.25.01</rootkit-database>
<license>free</license>
<file-protection>disabled</file-protection>
<web-protection>disabled</web-protection>
<self-protection>disabled</self-protection>
</engine>
<system>
<osversion>Windows 8.1</osversion>
<arch>x64</arch>
<username>Owner</username>
<filesys>NTFS</filesys>
</system>
<summary>
<type>threat</type>
<result>completed</result>
<objects>420910</objects>
<time>4200</time>
<processes>0</processes>
<modules>0</modules>
<keys>2</keys>
<values>0</values>
<datas>0</datas>
<folders>3</folders>
<files>4</files>
<sectors>0</sectors>
</summary>
<options>
<memory>enabled</memory>
<startup>enabled</startup>
<filesystem>enabled</filesystem>
<archives>enabled</archives>
<rootkits>disabled</rootkits>
<deeprootkit>disabled</deeprootkit>
<heuristics>enabled</heuristics>
<pup>enabled</pup>
<pum>enabled</pum>
</options>
<items>
<key><path>HKU\S-1-5-21-4191668367-3300016174-3324751454-1001-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\SOFTWARE\APPDATALOW\SOFTWARE\ViewPassword</path><vendor>PUP.Optional.ViewPassword.A</vendor><action>success</action><hash>e7eac063c3c7de588ee7c10651b239c7</hash></key>
<key><path>HKU\S-1-5-21-4191668367-3300016174-3324751454-1004-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\SOFTWARE\APPDATALOW\SOFTWARE\ViewPassword</path><vendor>PUP.Optional.ViewPassword.A</vendor><action>success</action><hash>547d140f41494de93342ab1ca2611fe1</hash></key>
<folder><path>C:\Users\Owner\AppData\Local\Weather_Warnings_LLC</path><vendor>PUP.Optional.StormAlerts.A</vendor><action>success</action><hash>22af0d1601890c2a5cacf18a3ec5728e</hash></folder>
<folder><path>C:\Users\Owner\AppData\Local\Weather_Warnings_LLC\StormAlerts.exe_Url_np0su0eijyf4dp0p3mspfkugrm15pi1d</path><vendor>PUP.Optional.StormAlerts.A</vendor><action>success</action><hash>22af0d1601890c2a5cacf18a3ec5728e</hash></folder>
<folder><path>C:\Users\Owner\AppData\Local\Weather_Warnings_LLC\StormAlerts.exe_Url_np0su0eijyf4dp0p3mspfkugrm15pi1d\1.6.0.0</path><vendor>PUP.Optional.StormAlerts.A</vendor><action>success</action><hash>22af0d1601890c2a5cacf18a3ec5728e</hash></folder>
<file><path>C:\Users\Owner\AppData\Local\Temp\air2C64.exe</path><vendor>PUP.Optional.StormAlerts.A</vendor><action>success</action><hash>5a77c360c7c34fe73707611b837e44bc</hash></file>
<file><path>C:\Users\Owner\AppData\Local\Temp\n5772\s5772.exe</path><vendor>PUP.Optional.Rapiddown</vendor><action>success</action><hash>448d081bcfbbc175e747305bd0310ef2</hash></file>
<file><path>C:\Users\Owner\Downloads\MusicSetup.exe</path><vendor>PUP.Optional.Inbox</vendor><action>success</action><hash>18b9e142fe8c47efcbc161d16b96a55b</hash></file>
<file><path>C:\Users\Owner\AppData\Local\Weather_Warnings_LLC\StormAlerts.exe_Url_np0su0eijyf4dp0p3mspfkugrm15pi1d\1.6.0.0\user.config</path><vendor>PUP.Optional.StormAlerts.A</vendor><action>success</action><hash>22af0d1601890c2a5cacf18a3ec5728e</hash></file>
</items>
</mbam-log>


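The XML above is Malwarebytes' machine-readable log (the same scan appears as exported text in #4 and #5 below). Parsing it instead of eyeballing it lets you check the nine listed items against the <summary> counters, confirm that every one is a PUP rather than malware, and sort them by where on the machine they sat. The script below is an added example written for this page, not code from the thread or from Malwarebytes; the mapping of <items> kinds to <summary> counters and the PUP/PUM rule are inferred from the logs posted here, and the embedded sample is a trimmed copy of the log above.

```python
"""Parse and triage a Malwarebytes Anti-Malware 2.x XML scan log (<mbam-log>)."""
import re
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed sample: the <engine>, <summary> and <items> of the log posted
# above, trimmed to what this script reads. Logs on disk are saved as UTF-16,
# so read them with open(path, encoding="utf-16") before calling parse_mbam_log.
SAMPLE_LOG = r"""<?xml version="1.0" encoding="UTF-16" ?>
<mbam-log>
<engine><version>2.00.4.1028</version><malware-database>v2015.02.28.01</malware-database></engine>
<summary><type>threat</type><result>completed</result><objects>420910</objects>
<processes>0</processes><modules>0</modules><keys>2</keys><values>0</values><datas>0</datas>
<folders>3</folders><files>4</files><sectors>0</sectors></summary>
<items>
<key><path>HKU\S-1-5-21-4191668367-3300016174-3324751454-1001-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\SOFTWARE\APPDATALOW\SOFTWARE\ViewPassword</path><vendor>PUP.Optional.ViewPassword.A</vendor><action>success</action><hash>e7eac063c3c7de588ee7c10651b239c7</hash></key>
<key><path>HKU\S-1-5-21-4191668367-3300016174-3324751454-1004-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\SOFTWARE\APPDATALOW\SOFTWARE\ViewPassword</path><vendor>PUP.Optional.ViewPassword.A</vendor><action>success</action><hash>547d140f41494de93342ab1ca2611fe1</hash></key>
<folder><path>C:\Users\Owner\AppData\Local\Weather_Warnings_LLC</path><vendor>PUP.Optional.StormAlerts.A</vendor><action>success</action><hash>22af0d1601890c2a5cacf18a3ec5728e</hash></folder>
<folder><path>C:\Users\Owner\AppData\Local\Weather_Warnings_LLC\StormAlerts.exe_Url_np0su0eijyf4dp0p3mspfkugrm15pi1d</path><vendor>PUP.Optional.StormAlerts.A</vendor><action>success</action><hash>22af0d1601890c2a5cacf18a3ec5728e</hash></folder>
<folder><path>C:\Users\Owner\AppData\Local\Weather_Warnings_LLC\StormAlerts.exe_Url_np0su0eijyf4dp0p3mspfkugrm15pi1d\1.6.0.0</path><vendor>PUP.Optional.StormAlerts.A</vendor><action>success</action><hash>22af0d1601890c2a5cacf18a3ec5728e</hash></folder>
<file><path>C:\Users\Owner\AppData\Local\Temp\air2C64.exe</path><vendor>PUP.Optional.StormAlerts.A</vendor><action>success</action><hash>5a77c360c7c34fe73707611b837e44bc</hash></file>
<file><path>C:\Users\Owner\AppData\Local\Temp\n5772\s5772.exe</path><vendor>PUP.Optional.Rapiddown</vendor><action>success</action><hash>448d081bcfbbc175e747305bd0310ef2</hash></file>
<file><path>C:\Users\Owner\Downloads\MusicSetup.exe</path><vendor>PUP.Optional.Inbox</vendor><action>success</action><hash>18b9e142fe8c47efcbc161d16b96a55b</hash></file>
<file><path>C:\Users\Owner\AppData\Local\Weather_Warnings_LLC\StormAlerts.exe_Url_np0su0eijyf4dp0p3mspfkugrm15pi1d\1.6.0.0\user.config</path><vendor>PUP.Optional.StormAlerts.A</vendor><action>success</action><hash>22af0d1601890c2a5cacf18a3ec5728e</hash></file>
</items>
</mbam-log>
"""

# Which <summary> counter each kind of <items> child is tallied under
# (inferred from the posted log, which uses MBAM's own element names).
SUMMARY_FIELD = {"process": "processes", "module": "modules", "key": "keys",
                 "value": "values", "data": "datas", "folder": "folders",
                 "file": "files", "sector": "sectors"}


def parse_mbam_log(text):
    """Return {'summary': {...}, 'items': [...]} from decoded mbam-log text."""
    # The declaration describes the bytes on disk, not the str we hold now,
    # so drop it before handing the markup to ElementTree.
    body = re.sub(r"^\s*<\?xml[^>]*\?>", "", text, count=1)
    root = ET.fromstring(body)
    if root.tag != "mbam-log":
        raise ValueError("not an mbam-log document: <%s>" % root.tag)
    summary_el, items_el = root.find("summary"), root.find("items")
    summary = {} if summary_el is None else {el.tag: el.text for el in summary_el}
    items = [] if items_el is None else [
        {"kind": el.tag, "path": el.findtext("path", ""),
         "vendor": el.findtext("vendor", ""), "action": el.findtext("action", ""),
         "hash": el.findtext("hash", "")}
        for el in items_el]
    return {"summary": summary, "items": items}


def origin(path):
    """Where on the machine a detection sat: hints at vector vs. payload."""
    p = path.lower()
    if p.startswith(("hku\\", "hklm\\", "hkcu\\")):
        return "registry"
    if "\\downloads\\" in p:
        return "downloads"   # installers the user fetched (the vector)
    if "\\appdata\\local\\temp\\" in p:
        return "temp"        # what those installers dropped and ran
    return "other"


def triage(report):
    """Summarise the detections and check the log against its own summary."""
    items = report["items"]
    by_kind = Counter(it["kind"] for it in items)
    # MBAM reports PUP.* and PUM.* as "Non-Malware Detections" in its text log.
    non_malware = sum(1 for it in items if it["vendor"].split(".")[0] in ("PUP", "PUM"))
    # Anything not marked success was left in place and needs manual follow-up.
    unhandled = [it["path"] for it in items if it["action"] != "success"]
    # The <summary> counters must equal the listed items of each kind; a
    # mismatch means the log was edited or truncated before being posted.
    mismatches = {}
    for kind, field in SUMMARY_FIELD.items():
        claimed = int(report["summary"].get(field) or 0)
        if claimed != by_kind.get(kind, 0):
            mismatches[kind] = (claimed, by_kind.get(kind, 0))
    return {"by_kind": dict(by_kind),
            "malware": len(items) - non_malware,
            "non_malware": non_malware,
            "unhandled": unhandled,
            "families": dict(Counter(it["vendor"] for it in items)),
            "by_origin": dict(Counter(origin(it["path"]) for it in items)),
            "summary_mismatches": mismatches}


if __name__ == "__main__":
    for key, value in triage(parse_mbam_log(SAMPLE_LOG)).items():
        print("%-18s %s" % (key, value))
```

Run against the posted log this reports 0 malware and 9 non-malware items, no summary mismatches, two registry keys, one installer in Downloads and two dropped executables in Temp, which matches the "0 Malware Detections, 9 Non-Malware Detections" line of the exported text log in #4.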

#2
February 28, 2015 at 00:40:28
ESET Log:

C:\Users\All Users\Comodo\Cis\Quarantine\data\{1C2BABE2-9F4D-43FB-A884-AE25E3355406} a variant of Win32/AirAdInstaller.A potentially unwanted application
C:\Users\All Users\Comodo\Cis\Quarantine\data\{9921B5C4-B7EC-441E-B8F1-9586D1503520} multiple threats
C:\Program Files (x86)\NCH Software\Doxillion\doxillion.exe a variant of Win32/Bundled.Toolbar.Google.C potentially unsafe application deleted - quarantined
C:\Program Files (x86)\NCH Software\Doxillion\doxillionsetup_v2.31.exe a variant of Win32/Bundled.Toolbar.Google.C potentially unsafe application deleted - quarantined
C:\ProgramData\Comodo\Cis\Quarantine\data\{1C2BABE2-9F4D-43FB-A884-AE25E3355406} a variant of Win32/AirAdInstaller.A potentially unwanted application deleted - quarantined
C:\ProgramData\Comodo\Cis\Quarantine\data\{9921B5C4-B7EC-441E-B8F1-9586D1503520} multiple threats cleaned by deleting - quarantined
C:\Users\Owner\AppData\Local\Temp\air1743.exe a variant of Win32/AirAdInstaller.B potentially unwanted application deleted - quarantined
C:\Users\Owner\Documents\Downloads\CNET TechTracker\ccsetup322.exe Win32/Bundled.Toolbar.Google.E potentially unsafe application deleted - quarantined
C:\Users\Owner\Downloads\cbsi-TechTracker_Setup-10912909.exe a variant of Win32/CNETInstaller.B potentially unwanted application deleted - quarantined
C:\Users\Owner\Downloads\ccsetup321 (1).exe Win32/Bundled.Toolbar.Google.E potentially unsafe application deleted - quarantined
C:\Users\Owner\Downloads\ccsetup321 (2).exe Win32/Bundled.Toolbar.Google.E potentially unsafe application deleted - quarantined
C:\Users\Owner\Downloads\ccsetup321 (3).exe Win32/Bundled.Toolbar.Google.E potentially unsafe application deleted - quarantined
C:\Users\Owner\Downloads\ccsetup321 (4).exe Win32/Bundled.Toolbar.Google.E potentially unsafe application deleted - quarantined
C:\Users\Owner\Downloads\ccsetup321.exe Win32/Bundled.Toolbar.Google.E potentially unsafe application deleted - quarantined
C:\Users\Owner\Downloads\dfsetup210.exe Win32/Bundled.Toolbar.Google.E potentially unsafe application deleted - quarantined
C:\Users\Owner\Downloads\dfsetup216.exe Win32/Bundled.Toolbar.Google.D potentially unsafe application deleted - quarantined
C:\Users\Owner\Downloads\doxillionsetup.exe a variant of Win32/Bundled.Toolbar.Google.C potentially unsafe application deleted - quarantined
C:\Users\Owner\Downloads\MyCalendar.exe a variant of Win32/InstallCore.AF potentially unwanted application deleted - quarantined
C:\Users\Owner\Downloads\registrybooster(2).exe Win32/RegistryBooster potentially unwanted application deleted - quarantined
C:\Users\Owner\Downloads\registrybooster.exe Win32/RegistryBooster potentially unwanted application deleted - quarantined
C:\Users\Owner\Downloads\RegistryEasy.exe a variant of Win32/Adware.RegistryEasy application cleaned by deleting - quarantined
C:\Users\Owner\Downloads\speedupmypc.exe Win32/Packed.RBCrypt.A.Gen potentially unwanted application deleted - quarantined
C:\Users\Owner\Downloads\WeatherBlink.exe a variant of Win32/AdInstaller potentially unwanted application deleted - quarantined


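The ESET output above is plain text with a fixed word order: path, detection name, ESET's category, and, where ESET acted, the action. Two lines carry no action at all, which is what the opener describes as "two of those were not cleaned". Both sit under C:\Users\All Users, which on Windows Vista and later is a junction to C:\ProgramData, and the same two GUID-named files appear again under C:\ProgramData with "deleted - quarantined": ESET walked the same Comodo quarantine folder twice under two names and cleaned each file once. The parser below is an added example written for this page, not code from the thread or from ESET; it folds the junction onto its target and reports which no-action lines are duplicates and which would still need attention. The line grammar is inferred from the 23 lines posted, and the embedded sample is those lines verbatim.

```python
"""Parse ESET Online Scanner result lines and find which hits were really left uncleaned."""
import re
from collections import Counter

# Constructed sample: the 23 result lines from the ESET log posted above, verbatim.
SAMPLE_LOG = r"""
C:\Users\All Users\Comodo\Cis\Quarantine\data\{1C2BABE2-9F4D-43FB-A884-AE25E3355406} a variant of Win32/AirAdInstaller.A potentially unwanted application
C:\Users\All Users\Comodo\Cis\Quarantine\data\{9921B5C4-B7EC-441E-B8F1-9586D1503520} multiple threats
C:\Program Files (x86)\NCH Software\Doxillion\doxillion.exe a variant of Win32/Bundled.Toolbar.Google.C potentially unsafe application deleted - quarantined
C:\Program Files (x86)\NCH Software\Doxillion\doxillionsetup_v2.31.exe a variant of Win32/Bundled.Toolbar.Google.C potentially unsafe application deleted - quarantined
C:\ProgramData\Comodo\Cis\Quarantine\data\{1C2BABE2-9F4D-43FB-A884-AE25E3355406} a variant of Win32/AirAdInstaller.A potentially unwanted application deleted - quarantined
C:\ProgramData\Comodo\Cis\Quarantine\data\{9921B5C4-B7EC-441E-B8F1-9586D1503520} multiple threats cleaned by deleting - quarantined
C:\Users\Owner\AppData\Local\Temp\air1743.exe a variant of Win32/AirAdInstaller.B potentially unwanted application deleted - quarantined
C:\Users\Owner\Documents\Downloads\CNET TechTracker\ccsetup322.exe Win32/Bundled.Toolbar.Google.E potentially unsafe application deleted - quarantined
C:\Users\Owner\Downloads\cbsi-TechTracker_Setup-10912909.exe a variant of Win32/CNETInstaller.B potentially unwanted application deleted - quarantined
C:\Users\Owner\Downloads\ccsetup321 (1).exe Win32/Bundled.Toolbar.Google.E potentially unsafe application deleted - quarantined
C:\Users\Owner\Downloads\ccsetup321 (2).exe Win32/Bundled.Toolbar.Google.E potentially unsafe application deleted - quarantined
C:\Users\Owner\Downloads\ccsetup321 (3).exe Win32/Bundled.Toolbar.Google.E potentially unsafe application deleted - quarantined
C:\Users\Owner\Downloads\ccsetup321 (4).exe Win32/Bundled.Toolbar.Google.E potentially unsafe application deleted - quarantined
C:\Users\Owner\Downloads\ccsetup321.exe Win32/Bundled.Toolbar.Google.E potentially unsafe application deleted - quarantined
C:\Users\Owner\Downloads\dfsetup210.exe Win32/Bundled.Toolbar.Google.E potentially unsafe application deleted - quarantined
C:\Users\Owner\Downloads\dfsetup216.exe Win32/Bundled.Toolbar.Google.D potentially unsafe application deleted - quarantined
C:\Users\Owner\Downloads\doxillionsetup.exe a variant of Win32/Bundled.Toolbar.Google.C potentially unsafe application deleted - quarantined
C:\Users\Owner\Downloads\MyCalendar.exe a variant of Win32/InstallCore.AF potentially unwanted application deleted - quarantined
C:\Users\Owner\Downloads\registrybooster(2).exe Win32/RegistryBooster potentially unwanted application deleted - quarantined
C:\Users\Owner\Downloads\registrybooster.exe Win32/RegistryBooster potentially unwanted application deleted - quarantined
C:\Users\Owner\Downloads\RegistryEasy.exe a variant of Win32/Adware.RegistryEasy application cleaned by deleting - quarantined
C:\Users\Owner\Downloads\speedupmypc.exe Win32/Packed.RBCrypt.A.Gen potentially unwanted application deleted - quarantined
C:\Users\Owner\Downloads\WeatherBlink.exe a variant of Win32/AdInstaller potentially unwanted application deleted - quarantined
"""

# Each line is "<path> <detection> [<category>] [<action>]". Paths contain
# spaces, so the split is anchored on the detection name (Win32/...) or on the
# literal "multiple threats"; this grammar is inferred from the posted log.
LINE_RE = re.compile(
    r"^(?P<path>.+?) "
    r"(?P<detection>(?:a variant of )?\w+/\S+|multiple threats)"
    r"(?: (?P<category>potentially (?:unwanted|unsafe) application|application))?"
    r"(?: (?P<action>deleted - quarantined|cleaned by deleting - quarantined))?$"
)

ALL_USERS = "c:\\users\\all users\\"


def normalize_path(path):
    """Fold the C:\\Users\\All Users junction onto its target, C:\\ProgramData."""
    if path.lower().startswith(ALL_USERS):
        return "C:\\ProgramData\\" + path[len(ALL_USERS):]
    return path


def parse_eset_log(text):
    """Return {'entries': [...], 'unparsed': [...]}; unparsed lines need eyes."""
    entries, unparsed = [], []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if m is None:
            unparsed.append(line)
        else:
            entries.append(m.groupdict())
    return {"entries": entries, "unparsed": unparsed}


def triage(entries):
    """Explain the 'found but not cleaned' lines and summarise the rest."""
    handled = {normalize_path(e["path"]).lower() for e in entries if e["action"]}
    no_action = [e["path"] for e in entries if not e["action"]]
    # Same object cleaned under its other name: nothing left to do for it.
    resolved = [p for p in no_action if normalize_path(p).lower() in handled]
    still_open = [p for p in no_action if normalize_path(p).lower() not in handled]
    # Hits inside another product's quarantine store are files that product
    # had already isolated, not running code.
    in_store = sum(1 for e in entries if "\\quarantine\\" in e["path"].lower())
    by_category = Counter(e["category"] or "unclassified" for e in entries)
    return {"total": len(entries), "no_action": no_action,
            "resolved_by_alias": resolved, "still_open": still_open,
            "in_quarantine_store": in_store, "by_category": dict(by_category)}


if __name__ == "__main__":
    parsed = parse_eset_log(SAMPLE_LOG)
    for key, value in triage(parsed["entries"]).items():
        print("%-20s %s" % (key, value))
    print("%-20s %s" % ("unparsed", parsed["unparsed"]))
```

On the posted log every no-action line is resolved by its ProgramData alias and nothing remains open; the categories also show what kind of problem this was: 11 "potentially unsafe" bundled-toolbar installers and 9 "potentially unwanted" adware installers, all in the user's Downloads folders, plus the two Comodo quarantine copies.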

#3
February 28, 2015 at 00:57:25
Hi Bangkokindy, back again.

Thanks for the logs. Malwarebytes is wrong.

If you misplace your log, here are ways to find it.
http://i.imgur.com/U9IqcVj.gif
http://i.imgur.com/zHMG6J9.gif
http://i.imgur.com/ZZ1trsv.gif
http://i.imgur.com/LL0K3qs.gif
Or,
(Export log to save as txt)
After the restart once you are back at your desktop, open MBAM once more.
Click on the History tab > Application Logs.
Double click on the scan log which shows the Date and time of the scan just performed.
Click 'Export'.
Click 'Text file (*.txt)'
In the Save File dialog box which appears, click on Desktop.
In the File name: box type a name for your scan log.
A message box named 'File Saved' should appear stating "Your file has been successfully exported".
Click Ok
http://i.imgur.com/LNl3Sgw.gif
http://i.imgur.com/xGJgawB.gif




#4
February 28, 2015 at 01:06:51
MBAM log shows this when I export:

Malwarebytes Anti-Malware
www.malwarebytes.org


Update, 2/27/2015 6:43:08 PM, SYSTEM, ADMIN, Manual, Failed, Unable to access update server,
Update, 2/27/2015 6:43:42 PM, SYSTEM, ADMIN, Manual, Rootkit Database, 2014.11.18.1, 2015.2.25.1,
Update, 2/27/2015 6:43:45 PM, SYSTEM, ADMIN, Manual, Malware Database, 2014.11.20.6, 2015.2.28.1,
Update, 2/27/2015 6:43:57 PM, SYSTEM, ADMIN, Manual, Remediation Database, 2013.10.16.1, 2014.12.6.1,
Scan, 2/27/2015 7:58:37 PM, SYSTEM, ADMIN, Manual, Start:2/27/2015 6:43:58 PM, Duration:1 hr 10 min 0 sec, Threat Scan, Completed, 0 Malware Detections, 9 Non-Malware Detections,

(end)



#5
February 28, 2015 at 01:07:37
Thanks for your help again! Just so you know I am in the States currently... Arizona.

I found the MBAM log I think you were wanting... I had to double click on "scan log"...

Malwarebytes Anti-Malware
www.malwarebytes.org

Scan Date: 2/27/2015
Scan Time: 6:43:58 PM
Logfile: mbam1.txt
Administrator: Yes

Version: 2.00.4.1028
Malware Database: v2015.02.28.01
Rootkit Database: v2015.02.25.01
License: Free
Malware Protection: Disabled
Malicious Website Protection: Disabled
Self-protection: Disabled

OS: Windows 8.1
CPU: x64
File System: NTFS
User: Owner

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 420910
Time Elapsed: 1 hr, 10 min, 0 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled

Processes: 0
(No malicious items detected)

Modules: 0
(No malicious items detected)

Registry Keys: 2
PUP.Optional.ViewPassword.A, HKU\S-1-5-21-4191668367-3300016174-3324751454-1001-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\SOFTWARE\APPDATALOW\SOFTWARE\ViewPassword, Quarantined, [e7eac063c3c7de588ee7c10651b239c7],
PUP.Optional.ViewPassword.A, HKU\S-1-5-21-4191668367-3300016174-3324751454-1004-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\SOFTWARE\APPDATALOW\SOFTWARE\ViewPassword, Quarantined, [547d140f41494de93342ab1ca2611fe1],

Registry Values: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Folders: 3
PUP.Optional.StormAlerts.A, C:\Users\Owner\AppData\Local\Weather_Warnings_LLC, Quarantined, [22af0d1601890c2a5cacf18a3ec5728e],
PUP.Optional.StormAlerts.A, C:\Users\Owner\AppData\Local\Weather_Warnings_LLC\StormAlerts.exe_Url_np0su0eijyf4dp0p3mspfkugrm15pi1d, Quarantined, [22af0d1601890c2a5cacf18a3ec5728e],
PUP.Optional.StormAlerts.A, C:\Users\Owner\AppData\Local\Weather_Warnings_LLC\StormAlerts.exe_Url_np0su0eijyf4dp0p3mspfkugrm15pi1d\1.6.0.0, Quarantined, [22af0d1601890c2a5cacf18a3ec5728e],

Files: 4
PUP.Optional.StormAlerts.A, C:\Users\Owner\AppData\Local\Temp\air2C64.exe, Quarantined, [5a77c360c7c34fe73707611b837e44bc],
PUP.Optional.Rapiddown, C:\Users\Owner\AppData\Local\Temp\n5772\s5772.exe, Quarantined, [448d081bcfbbc175e747305bd0310ef2],
PUP.Optional.Inbox, C:\Users\Owner\Downloads\MusicSetup.exe, Quarantined, [18b9e142fe8c47efcbc161d16b96a55b],
PUP.Optional.StormAlerts.A, C:\Users\Owner\AppData\Local\Weather_Warnings_LLC\StormAlerts.exe_Url_np0su0eijyf4dp0p3mspfkugrm15pi1d\1.6.0.0\user.config, Quarantined, [22af0d1601890c2a5cacf18a3ec5728e],

Physical Sectors: 0
(No malicious items detected)


(end)

message edited by Bangkokindy



#6
February 28, 2015 at 01:36:14
Another thing I forgot to mention. The ESET scan took a very long time. There are a ton of files in the appdata/local/temp location that appear to be for setup. I'd like to see if at least some of that can be cleared out... after the virus issues have been addressed. Thanks


#7
February 28, 2015 at 02:06:10
"I found the MBAM log I think you were wanting"
Yep, that's the one.

"Just so you know I am in the States currently... Arizona"
Very early in the morning.

I'm still here.
http://www.timeanddate.com/worldclo...



#8
February 28, 2015 at 02:06:37
"not sure if the same programs I've used in the past should be used on Win 8.1"
Most tools can still be used; Combofix is one that can't.

Here are the next 2 steps, there will be more steps needed after I see the results of these logs.

Run them in this order.

Step 1: Run AdwCleaner
http://www.softpedia.com/get/Antivi...
http://www.raymond.cc/blog/adwclean...
http://www.bleepingcomputer.com/dow...
Author's site
http://general-changelog-team.fr/en...
Tutorial
http://general-changelog-team.fr/en...
Close all open programs and internet browsers.
Double click on AdwCleaner.exe to run the tool.
Click on Clean.
Confirm each time with Ok.
Your computer will be rebooted automatically. A text file will open after the restart.
Please Copy & Paste the contents of that logfile with your next answer.
You can find the logfile at C:\AdwCleaner[S1].txt as well.

Step 2: Run Junkware Removal Tool
http://www.softpedia.com/get/Securi...
http://www.bleepingcomputer.com/dow...
http://thisisudax.blogspot.com.au/2...
Download Junkware Removal Tool onto your Desktop. If your default download location is not the Desktop, drag it out of its location onto the Desktop.
Warning! Once the scan is complete JRT will shut down your browser with NO warning.
Shut down your protection software now to avoid potential conflicts.
Temporarily disable your antivirus and any antispyware real time protection before performing a scan.
Click this link to see a list of security programs that should be disabled and how to disable them.
http://www.bleepingcomputer.com/for...
http://www.techsupportforum.com/for...
Run the tool by double-clicking it. If you are using Windows Vista or Windows 7/8, right-click JRT and select Run as Administrator.
The tool will open and start scanning your system.
Please be patient as this can take a while to complete depending on your system's specifications.
On completion, a log (JRT.txt) is saved onto your Desktop and will automatically open.
Copy and Paste the contents of the JRT.txt log please.



#9
February 28, 2015 at 02:18:33
"I'd like to see if at least some of that can be cleared out..."
I think they will be dealt with as part of my procedure. Double check for me at the end please, to make sure they are gone.


#10
February 28, 2015 at 02:21:57
Here is AdW:

# AdwCleaner v4.111 - Logfile created 28/02/2015 at 03:17:50
# Updated 18/02/2015 by Xplode
# Database : 2015-02-18.3 [Server]
# Operating system : Windows 8.1 (x64)
# Username : Owner - ADMIN
# Running from : C:\Users\Owner\Downloads\AdwCleaner.exe
# Option : Cleaning

***** [ Services ] *****


***** [ Files / Folders ] *****

Folder Deleted : C:\Users\Owner\AppData\Local\Temp\AirInstaller

***** [ Scheduled tasks ] *****


***** [ Shortcuts ] *****


***** [ Registry ] *****

Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{D2CE3E00-F94A-4740-988E-03DC2F38C34F}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{8DCB7100-DF86-4384-8842-8FA844297B3F}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{D2CE3E00-F94A-4740-988E-03DC2F38C34F}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{D2CE3E00-F94A-4740-988E-03DC2F38C34F}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{8DCB7100-DF86-4384-8842-8FA844297B3F}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{D2CE3E00-F94A-4740-988E-03DC2F38C34F}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{8DCB7100-DF86-4384-8842-8FA844297B3F}
Value Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar [{8DCB7100-DF86-4384-8842-8FA844297B3F}]
Key Deleted : HKCU\Software\SoftwareUpdater

***** [ Web browsers ] *****

-\\ Internet Explorer v11.0.9600.17416


-\\ Google Chrome v40.0.2214.115

[C:\Users\Owner\AppData\Local\Google\Chrome\User Data\Default\Web Data] - Deleted [Search Provider] : hxxp://search.aol.com/aol/search?q={searchTerms}
[C:\Users\Owner\AppData\Local\Google\Chrome\User Data\Default\Web Data] - Deleted [Search Provider] : hxxp://www.ask.com/web?q={searchTerms}

*************************

AdwCleaner[R0].txt - [2004 bytes] - [28/02/2015 03:15:21]
AdwCleaner[R1].txt - [2063 bytes] - [28/02/2015 03:16:58]
AdwCleaner[S0].txt - [1965 bytes] - [28/02/2015 03:17:50]

########## EOF - C:\AdwCleaner\AdwCleaner[S0].txt - [2024 bytes] ##########



#11
February 28, 2015 at 02:42:51
JRT Log:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Thisisu
Version: 6.4.2 (02.02.2015:1)
OS: Windows 8.1 x64
Ran by Owner on Sat 02/28/2015 at 3:25:18.79
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


~~~ Services

~~~ Registry Values

~~~ Registry Keys

~~~ Files

~~~ Folders

~~~ Event Viewer Logs were cleared

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on Sat 02/28/2015 at 3:40:24.41
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~



#12
February 28, 2015 at 02:45:04
Please download Farbar Recovery Scan Tool and save it onto your Desktop. If your default download location is not the Desktop, drag it out of its location onto the Desktop.
http://www.bleepingcomputer.com/dow...
If we have to run Farbar more than once, refer this SS.
http://i.imgur.com/yUxNw0j.gif
Note: You need to run the version compatible with your system. If you are not sure which version applies to your system, download both of them and try to run them. Only one of them will run on your system; that will be the right version.
Double-click to run it. When the tool opens click Yes to disclaimer.
Press Scan button.
It will make a log (FRST.txt) on the Desktop.
The first time the tool is run, it also makes another log (Addition.txt).
The logs are large; upload them using this, or upload to a site of your choosing. No account needed. Give us the links please.
http://www.zippyshare.com/
Instructions on how to use ZippyShare.
http://i.imgur.com/naG6t2T.gif
http://i.imgur.com/Vi9ZdIh.gif
http://i.imgur.com/1IZu5kP.gif



#14
February 28, 2015 at 02:57:40
It will take me about 15mins to go through those logs.

Do you want to stay with me? We are on the home run, hopefully.



#15
February 28, 2015 at 03:00:16
Yep, I'll be here... I'm a night owl... well morning owl now.


#16
February 28, 2015 at 03:06:57
Copy & Paste the text below ( starting closeprocesses: ), save it into Notepad on your Desktop & name it fixlist.txt
NOTE: It is important that Notepad is used. The fix will not work if Word or some other program is used.
NOTE: It is important that both files, FRST/FRST64 and fixlist.txt are in the same location or the fix will not work.
NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.

closeprocesses:
emptytemp:
CustomCLSID: HKU\S-1-5-21-4191668367-3300016174-3324751454-1001_Classes\CLSID\{0F22A205-CFB0-4679-8499-A6F44A80A208}\InprocServer32 -> C:\Users\Owner\AppData\Local\Google\Update\1.3.25.5\psuser_64.dll No File
CustomCLSID: HKU\S-1-5-21-4191668367-3300016174-3324751454-1001_Classes\CLSID\{D0336C0B-7919-4C04-8CCE-2EBAE2ECE8C9}\InprocServer32 -> C:\Users\Owner\AppData\Local\Google\Update\1.3.25.11\psuser_64.dll No File
AlternateDataStreams: C:\Windows\system32\GlobCollationHost.dll:$CmdTcID
AlternateDataStreams: C:\Windows\system32\Windows.Globalization.dll:$CmdTcID
AlternateDataStreams: C:\Windows\SysWOW64\GlobCollationHost.dll:$CmdTcID
AlternateDataStreams: C:\Windows\SysWOW64\Windows.Globalization.dll:$CmdTcID
AlternateDataStreams: C:\Windows\system32\Drivers\mbam.sys:$CmdTcID
AlternateDataStreams: C:\Windows\system32\Drivers\mbamchameleon.sys:$CmdTcID
AlternateDataStreams: C:\Windows\system32\Drivers\mwac.sys:$CmdTcID
AlternateDataStreams: C:\Users\barne_000\SkyDrive:ms-properties
AlternateDataStreams: C:\Users\Owner\OneDrive:ms-properties
AlternateDataStreams: C:\Users\Owner\Desktop\Florida State Head Coach Caught on Video Apparently Threatening to Bench His Star Player During Rose Bowl.eml:OECustomProperty
AlternateDataStreams: C:\Users\Owner\Desktop\FRST64.exe:$CmdTcID
AlternateDataStreams: C:\Users\Owner\Desktop\FRST64.exe:$CmdZnID
AlternateDataStreams: C:\Users\Owner\Desktop\JRT.exe:$CmdTcID
AlternateDataStreams: C:\Users\Owner\Desktop\JRT.exe:$CmdZnID
AlternateDataStreams: C:\Users\Owner\Downloads\AdwCleaner.exe:$CmdTcID
AlternateDataStreams: C:\Users\Owner\Downloads\AdwCleaner.exe:$CmdZnID
AlternateDataStreams: C:\Users\Owner\Downloads\Defogger.exe:$CmdTcID
AlternateDataStreams: C:\Users\Owner\Downloads\Defogger.exe:$CmdZnID
AlternateDataStreams: C:\Users\Owner\Downloads\mbam-setup-2.0.4.1028.exe:$CmdTcID
AlternateDataStreams: C:\Users\Owner\Downloads\mbam-setup-2.0.4.1028.exe:$CmdZnID
AlternateDataStreams: C:\Users\Owner\Downloads\RogueKiller.exe:$CmdTcID
AlternateDataStreams: C:\Users\Owner\Downloads\RogueKiller.exe:$CmdZnID
AlternateDataStreams: C:\Users\Owner\Downloads\unhide.exe:$CmdTcID
AlternateDataStreams: C:\Users\Owner\Downloads\unhide.exe:$CmdZnID
AlternateDataStreams: C:\Users\Owner\Documents\2011.02.14 Julia letter.eml:OECustomProperty
AlternateDataStreams: C:\Users\Owner\Documents\2nd Coming of Christ.eml:OECustomProperty
AlternateDataStreams: C:\Users\Owner\Documents\Angel Knocking at the Door.eml:OECustomProperty
AlternateDataStreams: C:\Users\Owner\Documents\Another ghost out of the closet.eml:OECustomProperty
AlternateDataStreams: C:\Users\Owner\Documents\AWB 1.28.2011 Update.eml:OECustomProperty
AlternateDataStreams: C:\Users\Owner\Documents\baby pics Luca.eml:OECustomProperty
AlternateDataStreams: C:\Users\Owner\Documents\baby pictures.eml:OECustomProperty
AlternateDataStreams: C:\Users\Owner\Documents\Betty - old photos.eml:OECustomProperty
AlternateDataStreams: C:\Users\Owner\Documents\Black Lab story.eml:OECustomProperty
AlternateDataStreams: C:\Users\Owner\Documents\Blood Clots_Stroke -.eml:OECustomProperty
AlternateDataStreams: C:\Users\Owner\Documents\Burning bush.eml:OECustomProperty
AlternateDataStreams: C:\Users\Owner\Documents\Child praying.eml:OECustomProperty
AlternateDataStreams: C:\Users\Owner\Documents\Christus order confirmation.eml:OECustomProperty
AlternateDataStreams: C:\Users\Owner\Documents\Communication, Dean and Janice.eml:OECustomProperty
AlternateDataStreams: C:\Users\Owner\Documents\Crabby Old Woman__a tender poem___TV.eml:OECustomProperty
AlternateDataStreams: C:\Users\Owner\Documents\Dorothy birthday 2012.eml:OECustomProperty
AlternateDataStreams: C:\Users\Owner\Documents\Email from Betty.eml:OECustomProperty
AlternateDataStreams: C:\Users\Owner\Documents\Email from DJ 1.eml:OECustomProperty
AlternateDataStreams: C:\Users\Owner\Documents\Email from DJ 2.eml:OECustomProperty
AlternateDataStreams: C:\Users\Owner\Documents\Email from Michelle.eml:OECustomProperty
AlternateDataStreams: C:\Users\Owner\Documents\Emails from before the computer crashed.eml:OECustomProperty
AlternateDataStreams: C:\Users\Owner\Documents\Gilbert Stake email addresses.eml:OECustomProperty
AlternateDataStreams: C:\Users\Owner\Documents\Good Song_ God Said NO - Turn on Sound.eml:OECustomProperty
AlternateDataStreams: C:\Users\Owner\Documents\Holly Ann Barney II.eml:OECustomProperty
AlternateDataStreams: C:\Users\Owner\Documents\Holly Ann Barney.eml:OECustomProperty
AlternateDataStreams: C:\Users\Owner\Documents\IN WISDOM_ by Elmer Moore.eml:OECustomProperty
AlternateDataStreams: C:\Users\Owner\Documents\Island Girl's Bear Lake Album 1.eml:OECustomProperty
AlternateDataStreams: C:\Users\Owner\Documents\Island Girl's Picasa Web Album - 10-04-08 Bear Lake & Logan Canyon 2.eml:OECustomProperty
AlternateDataStreams: C:\Users\Owner\Documents\Ivan Spears 1.eml:OECustomProperty
AlternateDataStreams: C:\Users\Owner\Documents\Ivan Spears 2 and Karissa.eml:OECustomProperty
AlternateDataStreams: C:\Users\Owner\Documents\Ivan Spears 3 and Luca.eml:OECustomProperty
AlternateDataStreams: C:\Users\Owner\Documents\Ivan Spears 4 and Karissa and Luca.eml:OECustomProperty
AlternateDataStreams: C:\Users\Owner\Documents\jb An answer to _Where_________.eml:OECustomProperty
AlternateDataStreams: C:\Users\Owner\Documents\Jesus and the Children 2.eml:OECustomProperty
AlternateDataStreams: C:\Users\Owner\Documents\Jesus' baptism.eml:OECustomProperty
AlternateDataStreams: C:\Users\Owner\Documents\Jesus' Obituary.eml:OECustomProperty
AlternateDataStreams: C:\Users\Owner\Documents\Jonah pics 2nd birthday.eml:OECustomProperty
AlternateDataStreams: C:\Users\Owner\Documents\Letter to Caleb.eml:OECustomProperty
AlternateDataStreams: C:\Users\Owner\Documents\Lots of pictures of family (Facebook).eml:OECustomProperty
AlternateDataStreams: C:\Users\Owner\Documents\Luca & the Spears.eml:OECustomProperty
AlternateDataStreams: C:\Users\Owner\Documents\Luca and swollen eye 10002009.eml:OECustomProperty
AlternateDataStreams: C:\Users\Owner\Documents\Luca Isaac Spears.eml:OECustomProperty
AlternateDataStreams: C:\Users\Owner\Documents\Luca's mohawk and skull shirt.eml:OECustomProperty
AlternateDataStreams: C:\Users\Owner\Documents\Mary and Baby Jesus.eml:OECustomProperty
AlternateDataStreams: C:\Users\Owner\Documents\Mary and Jesus.eml:OECustomProperty
AlternateDataStreams: C:\Users\Owner\Documents\Microsoft Office 2010 - Order Confirmation - 107338413.eml:OECustomProperty
AlternateDataStreams: C:\Users\Owner\Documents\Norma Larsen herbs.eml:OECustomProperty
AlternateDataStreams: C:\Users\Owner\Documents\Paintings of Jesus.eml:OECustomProperty
AlternateDataStreams: C:\Users\Owner\Documents\Polar momma and baby_.eml:OECustomProperty
AlternateDataStreams: C:\Users\Owner\Documents\Pres.Lorenzo Snow sees the Savior.eml:OECustomProperty
AlternateDataStreams: C:\Users\Owner\Documents\Recent Luca Pictures.eml:OECustomProperty
AlternateDataStreams: C:\Users\Owner\Documents\Take upon us the name of Christ.eml:OECustomProperty
AlternateDataStreams: C:\Users\Owner\Documents\Tami's album, granddaughters.eml:OECustomProperty
AlternateDataStreams: C:\Users\Owner\Documents\Tami's Facebook entry 2_12_10.eml:OECustomProperty
AlternateDataStreams: C:\Users\Owner\Documents\Thank You Vase.Tami.eml:OECustomProperty
AlternateDataStreams: C:\Users\Owner\Documents\Wedding day.eml:OECustomProperty
HKU\.DEFAULT\Software\Classes\exefile: "%1" %* <===== ATTENTION!
HKU\S-1-5-19\Software\Classes\exefile: "%1" %* <===== ATTENTION!
HKU\S-1-5-20\Software\Classes\exefile: "%1" %* <===== ATTENTION!
HKU\S-1-5-21-4191668367-3300016174-3324751454-1001\Software\Classes\exefile: "%1" %* <===== ATTENTION!
HKLM-x32\...\Run: [] => [X]
HKLM\...\Policies\Explorer: [NoFolderOptions] 0
ShellIconOverlayIdentifiers: [ SkyDrive1] -> {F241C880-6982-4CE5-8CF7-7085BA96DA5A} => No File
ShellIconOverlayIdentifiers: [ SkyDrive2] -> {A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E} => No File
ShellIconOverlayIdentifiers: [ SkyDrive3] -> {BBACC218-34EA-4666-9D7A-C78F2274A524} => No File
ShellIconOverlayIdentifiers-x32: [ SkyDrive1] -> {F241C880-6982-4CE5-8CF7-7085BA96DA5A} => No File
ShellIconOverlayIdentifiers-x32: [ SkyDrive2] -> {A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E} => No File
ShellIconOverlayIdentifiers-x32: [ SkyDrive3] -> {BBACC218-34EA-4666-9D7A-C78F2274A524} => No File
SearchScopes: HKLM -> {2188E24B-6A1C-4C1F-B86D-FEBED3B45E1A} URL = http://www.amazon.com/s/ref=azs_osd...
SearchScopes: HKLM -> {D944BB61-2E34-4DBF-A683-47E505C587DC} URL = http://rover.ebay.com/rover/1/711-1... ?mpre=http%3A%2F%2Fwww.ebay.com%2Fsch%2F%3F_nkw%3D{searchTerms}&keyword={searchTerms}
SearchScopes: HKLM-x32 -> {2188E24B-6A1C-4C1F-B86D-FEBED3B45E1A} URL = http://www.amazon.com/s/ref=azs_osd...
SearchScopes: HKLM-x32 -> {D944BB61-2E34-4DBF-A683-47E505C587DC} URL = http://rover.ebay.com/rover/1/711-1... ?mpre=http%3A%2F%2Fwww.ebay.com%2Fsch%2F%3F_nkw%3D{searchTerms}&keyword={searchTerms}
SearchScopes: HKU\.DEFAULT -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-19 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-20 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-21-4191668367-3300016174-3324751454-1001 -> {D944BB61-2E34-4DBF-A683-47E505C587DC} URL =
S2 0249101394141562mcinstcleanup; C:\Windows\TEMP\024910~1.EXE [834664 2013-07-13] (McAfee, Inc.)
S2 mcbootdelaystartsvc; "C:\Program Files\Common Files\mcafee\platform\McSvcHost\McSvHost.exe" /McCoreSvc [X]
U3 McMPFSvc; No ImagePath
U3 McNaiAnn; No ImagePath
U3 mcpltsvc; No ImagePath
U3 McProxy; No ImagePath
U3 mfecore; No ImagePath
U3 MSK80Service; No ImagePath
U0 SR; No ImagePath
U2 srservice; No ImagePath
2015-02-28 03:34 - 2014-03-06 14:54 - 00003598 _____ () C:\Windows\System32\Tasks\Optimize Start Menu Cache Files-S-1-5-21-4191668367-3300016174-3324751454-1001
2015-02-24 16:17 - 2013-08-22 08:20 - 00000000 ____D () C:\Windows\CbsTemp
C:\Users\Owner\AppData\Local\Temp\air3912.exe
C:\Users\Owner\AppData\Local\Temp\airEA11.exe
C:\Users\Owner\AppData\Local\Temp\D6C6_SoftwareUpdaterSetupD.exe
C:\Users\Owner\AppData\Local\Temp\Extract.exe
C:\Users\Owner\AppData\Local\Temp\HPInstaller.exe
C:\Users\Owner\AppData\Local\Temp\HPPSdr.exe
C:\Users\Owner\AppData\Local\Temp\qing_update.exe
C:\Users\Owner\AppData\Local\Temp\Quarantine.exe
C:\Users\Owner\AppData\Local\Temp\SP63341.exe
C:\Users\Owner\AppData\Local\Temp\SP63599.exe
C:\Users\Owner\AppData\Local\Temp\SP63878.exe
C:\Users\Owner\AppData\Local\Temp\sp64126.exe
C:\Users\Owner\AppData\Local\Temp\SP64339.exe
C:\Users\Owner\AppData\Local\Temp\SP64854.exe
C:\Users\Owner\AppData\Local\Temp\SP65048.exe
C:\Users\Owner\AppData\Local\Temp\SP65755.exe
C:\Users\Owner\AppData\Local\Temp\SP65782.exe
C:\Users\Owner\AppData\Local\Temp\SP65792.exe
C:\Users\Owner\AppData\Local\Temp\SP65793.exe
C:\Users\Owner\AppData\Local\Temp\SP65796.exe
C:\Users\Owner\AppData\Local\Temp\SP65880.exe
C:\Users\Owner\AppData\Local\Temp\SP66078.exe
C:\Users\Owner\AppData\Local\Temp\SP66867.exe
C:\Users\Owner\AppData\Local\Temp\sqlite3.dll
C:\Users\Owner\AppData\Local\Temp\UninstallHPSA.exe
C:\Users\Owner\AppData\Local\Temp\vlc-2.1.2-win32.exe

Run FRST/FRST64 and press the Fix button just once and wait.
If for some reason the tool needs a restart, please make sure you let the system restart normally. After that, let the tool complete its run.
When finished FRST will generate a log on the Desktop (Fixlog.txt). Please Copy & Paste the contents into your reply.


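FRST acts on every line placed in fixlist.txt, which is why the NOTICE above warns against reusing a script on another machine. Before pressing Fix it pays to sort the lines by what they touch: the AlternateDataStreams entries strip only the named stream (the host file, including the system32 DLLs and the Malwarebytes drivers listed, stays in place), bare paths and the dated listing lines delete the object itself, and the lines FRST tagged <===== ATTENTION! are its own flags for values that deserve a look. The auditor below is an added example written for this page, not part of FRST or of the thread; the entry prefixes it recognises are the ones visible in the fixlist above, and the embedded sample is a constructed excerpt of that fixlist with one or two lines of each kind.

```python
"""Sort an FRST fixlist by the kind of object each line touches before pressing Fix."""
import re
from collections import Counter

# Constructed excerpt of the fixlist posted above: one or two lines of each kind.
SAMPLE_FIXLIST = r"""
closeprocesses:
emptytemp:
CustomCLSID: HKU\S-1-5-21-4191668367-3300016174-3324751454-1001_Classes\CLSID\{0F22A205-CFB0-4679-8499-A6F44A80A208}\InprocServer32 -> C:\Users\Owner\AppData\Local\Google\Update\1.3.25.5\psuser_64.dll No File
AlternateDataStreams: C:\Windows\system32\GlobCollationHost.dll:$CmdTcID
AlternateDataStreams: C:\Windows\system32\Drivers\mbam.sys:$CmdTcID
AlternateDataStreams: C:\Users\Owner\Desktop\FRST64.exe:$CmdZnID
AlternateDataStreams: C:\Users\Owner\Documents\Wedding day.eml:OECustomProperty
HKU\.DEFAULT\Software\Classes\exefile: "%1" %* <===== ATTENTION!
HKLM-x32\...\Run: [] => [X]
HKLM\...\Policies\Explorer: [NoFolderOptions] 0
ShellIconOverlayIdentifiers: [ SkyDrive1] -> {F241C880-6982-4CE5-8CF7-7085BA96DA5A} => No File
SearchScopes: HKLM -> {2188E24B-6A1C-4C1F-B86D-FEBED3B45E1A} URL = http://www.amazon.com/s/ref=azs_osd...
S2 0249101394141562mcinstcleanup; C:\Windows\TEMP\024910~1.EXE [834664 2013-07-13] (McAfee, Inc.)
U3 McMPFSvc; No ImagePath
2015-02-24 16:17 - 2013-08-22 08:20 - 00000000 ____D () C:\Windows\CbsTemp
C:\Users\Owner\AppData\Local\Temp\air3912.exe
C:\Users\Owner\AppData\Local\Temp\vlc-2.1.2-win32.exe
"""

# (pattern, kind) in priority order; the prefixes are the ones FRST prints.
KINDS = [
    (re.compile(r"^(?:closeprocesses|emptytemp):$|^cmd: ", re.I), "command"),
    (re.compile(r"^AlternateDataStreams: "), "ads"),
    (re.compile(r"^CustomCLSID: "), "com_class"),
    (re.compile(r"^ShellIconOverlayIdentifiers"), "shell_extension"),
    (re.compile(r"^SearchScopes: "), "search_scope"),
    (re.compile(r"^(?:HKU|HKLM|HKCU)[\\-]"), "registry"),
    (re.compile(r"^[A-Z]\d+ [^;]+;"), "service"),
    (re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2} - "), "listed_path"),
    (re.compile(r"^[A-Za-z]:\\"), "path"),
]
ADS_PREFIX = "AlternateDataStreams: "
WINDOWS_DIR = "c:\\windows\\"


def classify(line):
    """Name the kind of fixlist entry, or 'unknown' if no prefix matches."""
    for pattern, kind in KINDS:
        if pattern.search(line):
            return kind
    return "unknown"


def audit_fixlist(text):
    """Count entries per kind and pull out the ones worth a second look."""
    by_kind = Counter()
    deletions, ads_on_system, attention, unknown = [], [], [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        kind = classify(line)
        by_kind[kind] += 1
        if "<===== ATTENTION" in line:
            attention.append(line)           # FRST's own flag for suspicious values
        if kind == "unknown":
            unknown.append(line)             # do not run a fix you cannot read
        elif kind == "ads":
            host, _, stream = line[len(ADS_PREFIX):].rpartition(":")
            # Only the named stream is removed; the host file itself stays.
            if host.lower().startswith(WINDOWS_DIR):
                ads_on_system.append((host, stream))
        elif kind == "path":
            deletions.append(line)           # bare path: the object is deleted
        elif kind == "listed_path":
            m = re.search(r"\) ([A-Za-z]:\\.*)$", line)
            if m:
                deletions.append(m.group(1))
    return {"by_kind": dict(by_kind), "deletions": deletions,
            "ads_on_system_files": ads_on_system,
            "attention": attention, "unknown": unknown}


if __name__ == "__main__":
    for key, value in audit_fixlist(SAMPLE_FIXLIST).items():
        print("%-20s %s" % (key, value))
```

Anything that lands in the unknown list is a line the auditor does not recognise and therefore a line to ask the helper about before running the fix; the deletions list is the set of objects that will actually disappear from disk, which on the full fixlist above is the CbsTemp folder and the installers left in the user's Temp folder.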

#17
February 28, 2015 at 03:19:12
FRST fixlog:

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 25-02-2015 01
Ran by Owner at 2015-02-28 04:12:50 Run:1
Running from C:\Users\Owner\Desktop
Loaded Profiles: Owner (Available profiles: Owner & barne_000)
Boot Mode: Normal
==============================================

Content of fixlist:
*****************
closeprocesses:
emptytemp:
CustomCLSID: HKU\S-1-5-21-4191668367-3300016174-3324751454-1001_Classes\CLSID\{0F22A205-CFB0-4679-8499-A6F44A80A208}\InprocServer32 -> C:\Users\Owner\AppData\Local\Google\Update\1.3.25.5\psuser_64.dll No File
CustomCLSID: HKU\S-1-5-21-4191668367-3300016174-3324751454-1001_Classes\CLSID\{D0336C0B-7919-4C04-8CCE-2EBAE2ECE8C9}\InprocServer32 -> C:\Users\Owner\AppData\Local\Google\Update\1.3.25.11\psuser_64.dll No File
AlternateDataStreams: C:\Windows\system32\GlobCollationHost.dll:$CmdTcID
AlternateDataStreams: C:\Windows\system32\Windows.Globalization.dll:$CmdTcID
AlternateDataStreams: C:\Windows\SysWOW64\GlobCollationHost.dll:$CmdTcID
AlternateDataStreams: C:\Windows\SysWOW64\Windows.Globalization.dll:$CmdTcID
AlternateDataStreams: C:\Windows\system32\Drivers\mbam.sys:$CmdTcID
AlternateDataStreams: C:\Windows\system32\Drivers\mbamchameleon.sys:$CmdTcID
AlternateDataStreams: C:\Windows\system32\Drivers\mwac.sys:$CmdTcID
AlternateDataStreams: C:\Users\barne_000\SkyDrive:ms-properties
AlternateDataStreams: C:\Users\Owner\OneDrive:ms-properties
AlternateDataStreams: C:\Users\Owner\Desktop\Florida State Head Coach Caught on Video Apparently Threatening to Bench His Star Player During Rose Bowl.eml:OECustomProperty
AlternateDataStreams: C:\Users\Owner\Desktop\FRST64.exe:$CmdTcID
AlternateDataStreams: C:\Users\Owner\Desktop\FRST64.exe:$CmdZnID
AlternateDataStreams: C:\Users\Owner\Desktop\JRT.exe:$CmdTcID
AlternateDataStreams: C:\Users\Owner\Desktop\JRT.exe:$CmdZnID
AlternateDataStreams: C:\Users\Owner\Downloads\AdwCleaner.exe:$CmdTcID
AlternateDataStreams: C:\Users\Owner\Downloads\AdwCleaner.exe:$CmdZnID
AlternateDataStreams: C:\Users\Owner\Downloads\Defogger.exe:$CmdTcID
AlternateDataStreams: C:\Users\Owner\Downloads\Defogger.exe:$CmdZnID
AlternateDataStreams: C:\Users\Owner\Downloads\mbam-setup-2.0.4.1028.exe:$CmdTcID
AlternateDataStreams: C:\Users\Owner\Downloads\mbam-setup-2.0.4.1028.exe:$CmdZnID
AlternateDataStreams: C:\Users\Owner\Downloads\RogueKiller.exe:$CmdTcID
AlternateDataStreams: C:\Users\Owner\Downloads\RogueKiller.exe:$CmdZnID
AlternateDataStreams: C:\Users\Owner\Downloads\unhide.exe:$CmdTcID
AlternateDataStreams: C:\Users\Owner\Downloads\unhide.exe:$CmdZnID
AlternateDataStreams: C:\Users\Owner\Documents\2011.02.14 Julia letter.eml:OECustomProperty
AlternateDataStreams: C:\Users\Owner\Documents\2nd Coming of Christ.eml:OECustomProperty
AlternateDataStreams: C:\Users\Owner\Documents\Angel Knocking at the Door.eml:OECustomProperty
AlternateDataStreams: C:\Users\Owner\Documents\Another ghost out of the closet.eml:OECustomProperty
AlternateDataStreams: C:\Users\Owner\Documents\AWB 1.28.2011 Update.eml:OECustomProperty
AlternateDataStreams: C:\Users\Owner\Documents\baby pics Luca.eml:OECustomProperty
AlternateDataStreams: C:\Users\Owner\Documents\baby pictures.eml:OECustomProperty
AlternateDataStreams: C:\Users\Owner\Documents\Betty - old photos.eml:OECustomProperty
AlternateDataStreams: C:\Users\Owner\Documents\Black Lab story.eml:OECustomProperty
AlternateDataStreams: C:\Users\Owner\Documents\Blood Clots_Stroke -.eml:OECustomProperty
AlternateDataStreams: C:\Users\Owner\Documents\Burning bush.eml:OECustomProperty
AlternateDataStreams: C:\Users\Owner\Documents\Child praying.eml:OECustomProperty
AlternateDataStreams: C:\Users\Owner\Documents\Christus order confirmation.eml:OECustomProperty
AlternateDataStreams: C:\Users\Owner\Documents\Communication, Dean and Janice.eml:OECustomProperty
AlternateDataStreams: C:\Users\Owner\Documents\Crabby Old Woman__a tender poem___TV.eml:OECustomProperty
AlternateDataStreams: C:\Users\Owner\Documents\Dorothy birthday 2012.eml:OECustomProperty
AlternateDataStreams: C:\Users\Owner\Documents\Email from Betty.eml:OECustomProperty
AlternateDataStreams: C:\Users\Owner\Documents\Email from DJ 1.eml:OECustomProperty
AlternateDataStreams: C:\Users\Owner\Documents\Email from DJ 2.eml:OECustomProperty
AlternateDataStreams: C:\Users\Owner\Documents\Email from Michelle.eml:OECustomProperty
AlternateDataStreams: C:\Users\Owner\Documents\Emails from before the computer crashed.eml:OECustomProperty
AlternateDataStreams: C:\Users\Owner\Documents\Gilbert Stake email addresses.eml:OECustomProperty
AlternateDataStreams: C:\Users\Owner\Documents\Good Song_ God Said NO - Turn on Sound.eml:OECustomProperty
AlternateDataStreams: C:\Users\Owner\Documents\Holly Ann Barney II.eml:OECustomProperty
AlternateDataStreams: C:\Users\Owner\Documents\Holly Ann Barney.eml:OECustomProperty
AlternateDataStreams: C:\Users\Owner\Documents\IN WISDOM_ by Elmer Moore.eml:OECustomProperty
AlternateDataStreams: C:\Users\Owner\Documents\Island Girl's Bear Lake Album 1.eml:OECustomProperty
AlternateDataStreams: C:\Users\Owner\Documents\Island Girl's Picasa Web Album - 10-04-08 Bear Lake & Logan Canyon 2.eml:OECustomProperty
AlternateDataStreams: C:\Users\Owner\Documents\Ivan Spears 1.eml:OECustomProperty
AlternateDataStreams: C:\Users\Owner\Documents\Ivan Spears 2 and Karissa.eml:OECustomProperty
AlternateDataStreams: C:\Users\Owner\Documents\Ivan Spears 3 and Luca.eml:OECustomProperty
AlternateDataStreams: C:\Users\Owner\Documents\Ivan Spears 4 and Karissa and Luca.eml:OECustomProperty
AlternateDataStreams: C:\Users\Owner\Documents\jb An answer to _Where_________.eml:OECustomProperty
AlternateDataStreams: C:\Users\Owner\Documents\Jesus and the Children 2.eml:OECustomProperty
AlternateDataStreams: C:\Users\Owner\Documents\Jesus' baptism.eml:OECustomProperty
AlternateDataStreams: C:\Users\Owner\Documents\Jesus' Obituary.eml:OECustomProperty
AlternateDataStreams: C:\Users\Owner\Documents\Jonah pics 2nd birthday.eml:OECustomProperty
AlternateDataStreams: C:\Users\Owner\Documents\Letter to Caleb.eml:OECustomProperty
AlternateDataStreams: C:\Users\Owner\Documents\Lots of pictures of family (Facebook).eml:OECustomProperty
AlternateDataStreams: C:\Users\Owner\Documents\Luca & the Spears.eml:OECustomProperty
AlternateDataStreams: C:\Users\Owner\Documents\Luca and swollen eye 10002009.eml:OECustomProperty
AlternateDataStreams: C:\Users\Owner\Documents\Luca Isaac Spears.eml:OECustomProperty
AlternateDataStreams: C:\Users\Owner\Documents\Luca's mohawk and skull shirt.eml:OECustomProperty
AlternateDataStreams: C:\Users\Owner\Documents\Mary and Baby Jesus.eml:OECustomProperty
AlternateDataStreams: C:\Users\Owner\Documents\Mary and Jesus.eml:OECustomProperty
AlternateDataStreams: C:\Users\Owner\Documents\Microsoft Office 2010 - Order Confirmation - 107338413.eml:OECustomProperty
AlternateDataStreams: C:\Users\Owner\Documents\Norma Larsen herbs.eml:OECustomProperty
AlternateDataStreams: C:\Users\Owner\Documents\Paintings of Jesus.eml:OECustomProperty
AlternateDataStreams: C:\Users\Owner\Documents\Polar momma and baby_.eml:OECustomProperty
AlternateDataStreams: C:\Users\Owner\Documents\Pres.Lorenzo Snow sees the Savior.eml:OECustomProperty
AlternateDataStreams: C:\Users\Owner\Documents\Recent Luca Pictures.eml:OECustomProperty
AlternateDataStreams: C:\Users\Owner\Documents\Take upon us the name of Christ.eml:OECustomProperty
AlternateDataStreams: C:\Users\Owner\Documents\Tami's album, granddaughters.eml:OECustomProperty
AlternateDataStreams: C:\Users\Owner\Documents\Tami's Facebook entry 2_12_10.eml:OECustomProperty
AlternateDataStreams: C:\Users\Owner\Documents\Thank You Vase.Tami.eml:OECustomProperty
AlternateDataStreams: C:\Users\Owner\Documents\Wedding day.eml:OECustomProperty
HKU\.DEFAULT\Software\Classes\exefile: "%1" %* <===== ATTENTION!
HKU\S-1-5-19\Software\Classes\exefile: "%1" %* <===== ATTENTION!
HKU\S-1-5-20\Software\Classes\exefile: "%1" %* <===== ATTENTION!
HKU\S-1-5-21-4191668367-3300016174-3324751454-1001\Software\Classes\exefile: "%1" %* <===== ATTENTION!
HKLM-x32\...\Run: [] => [X]
HKLM\...\Policies\Explorer: [NoFolderOptions] 0
ShellIconOverlayIdentifiers: [ SkyDrive1] -> {F241C880-6982-4CE5-8CF7-7085BA96DA5A} => No File
ShellIconOverlayIdentifiers: [ SkyDrive2] -> {A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E} => No File
ShellIconOverlayIdentifiers: [ SkyDrive3] -> {BBACC218-34EA-4666-9D7A-C78F2274A524} => No File
ShellIconOverlayIdentifiers-x32: [ SkyDrive1] -> {F241C880-6982-4CE5-8CF7-7085BA96DA5A} => No File
ShellIconOverlayIdentifiers-x32: [ SkyDrive2] -> {A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E} => No File
ShellIconOverlayIdentifiers-x32: [ SkyDrive3] -> {BBACC218-34EA-4666-9D7A-C78F2274A524} => No File
SearchScopes: HKLM -> {2188E24B-6A1C-4C1F-B86D-FEBED3B45E1A} URL = http://www.amazon.com/s/ref=azs_osd...
SearchScopes: HKLM -> {D944BB61-2E34-4DBF-A683-47E505C587DC} URL = http://rover.ebay.com/rover/1/711-1... ?mpre=http%3A%2F%2Fwww.ebay.com%2Fsch%2F%3F_nkw%3D{searchTerms}&keyword={searchTerms}
SearchScopes: HKLM-x32 -> {2188E24B-6A1C-4C1F-B86D-FEBED3B45E1A} URL = http://www.amazon.com/s/ref=azs_osd...
SearchScopes: HKLM-x32 -> {D944BB61-2E34-4DBF-A683-47E505C587DC} URL = http://rover.ebay.com/rover/1/711-1... ?mpre=http%3A%2F%2Fwww.ebay.com%2Fsch%2F%3F_nkw%3D{searchTerms}&keyword={searchTerms}
SearchScopes: HKU\.DEFAULT -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-19 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-20 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-21-4191668367-3300016174-3324751454-1001 -> {D944BB61-2E34-4DBF-A683-47E505C587DC} URL =
S2 0249101394141562mcinstcleanup; C:\Windows\TEMP\024910~1.EXE [834664 2013-07-13] (McAfee, Inc.)
S2 mcbootdelaystartsvc; "C:\Program Files\Common Files\mcafee\platform\McSvcHost\McSvHost.exe" /McCoreSvc [X]
U3 McMPFSvc; No ImagePath
U3 McNaiAnn; No ImagePath
U3 mcpltsvc; No ImagePath
U3 McProxy; No ImagePath
U3 mfecore; No ImagePath
U3 MSK80Service; No ImagePath
U0 SR; No ImagePath
U2 srservice; No ImagePath
2015-02-28 03:34 - 2014-03-06 14:54 - 00003598 _____ () C:\Windows\System32\Tasks\Optimize Start Menu Cache Files-S-1-5-21-4191668367-3300016174-3324751454-1001
2015-02-24 16:17 - 2013-08-22 08:20 - 00000000 ____D () C:\Windows\CbsTemp
C:\Users\Owner\AppData\Local\Temp\air3912.exe
C:\Users\Owner\AppData\Local\Temp\airEA11.exe
C:\Users\Owner\AppData\Local\Temp\D6C6_SoftwareUpdaterSetupD.exe
C:\Users\Owner\AppData\Local\Temp\Extract.exe
C:\Users\Owner\AppData\Local\Temp\HPInstaller.exe
C:\Users\Owner\AppData\Local\Temp\HPPSdr.exe
C:\Users\Owner\AppData\Local\Temp\qing_update.exe
C:\Users\Owner\AppData\Local\Temp\Quarantine.exe
C:\Users\Owner\AppData\Local\Temp\SP63341.exe
C:\Users\Owner\AppData\Local\Temp\SP63599.exe
C:\Users\Owner\AppData\Local\Temp\SP63878.exe
C:\Users\Owner\AppData\Local\Temp\sp64126.exe
C:\Users\Owner\AppData\Local\Temp\SP64339.exe
C:\Users\Owner\AppData\Local\Temp\SP64854.exe
C:\Users\Owner\AppData\Local\Temp\SP65048.exe
C:\Users\Owner\AppData\Local\Temp\SP65755.exe
C:\Users\Owner\AppData\Local\Temp\SP65782.exe
C:\Users\Owner\AppData\Local\Temp\SP65792.exe
C:\Users\Owner\AppData\Local\Temp\SP65793.exe
C:\Users\Owner\AppData\Local\Temp\SP65796.exe
C:\Users\Owner\AppData\Local\Temp\SP65880.exe
C:\Users\Owner\AppData\Local\Temp\SP66078.exe
C:\Users\Owner\AppData\Local\Temp\SP66867.exe
C:\Users\Owner\AppData\Local\Temp\sqlite3.dll
C:\Users\Owner\AppData\Local\Temp\UninstallHPSA.exe
C:\Users\Owner\AppData\Local\Temp\vlc-2.1.2-win32.exe
*****************

Processes closed successfully.
"HKU\S-1-5-21-4191668367-3300016174-3324751454-1001_Classes\CLSID\{0F22A205-CFB0-4679-8499-A6F44A80A208}" => Key deleted successfully.
"HKU\S-1-5-21-4191668367-3300016174-3324751454-1001_Classes\CLSID\{D0336C0B-7919-4C04-8CCE-2EBAE2ECE8C9}" => Key deleted successfully.
"C:\Windows\system32\GlobCollationHost.dll" => ":$CmdTcID" ADS not found.
"C:\Windows\system32\Windows.Globalization.dll" => ":$CmdTcID" ADS not found.
"C:\Windows\SysWOW64\GlobCollationHost.dll" => ":$CmdTcID" ADS not found.
"C:\Windows\SysWOW64\Windows.Globalization.dll" => ":$CmdTcID" ADS not found.
"C:\Windows\system32\Drivers\mbam.sys" => ":$CmdTcID" ADS not found.
"C:\Windows\system32\Drivers\mbamchameleon.sys" => ":$CmdTcID" ADS not found.
"C:\Windows\system32\Drivers\mwac.sys" => ":$CmdTcID" ADS not found.
"C:\Users\barne_000\SkyDrive" => ":ms-properties" ADS not found.
C:\Users\Owner\OneDrive => ":ms-properties" ADS removed successfully.
C:\Users\Owner\Desktop\Florida State Head Coach Caught on Video Apparently Threatening to Bench His Star Player During Rose Bowl.eml => ":OECustomProperty" ADS removed successfully.
"C:\Users\Owner\Desktop\FRST64.exe" => ":$CmdTcID" ADS not found.
C:\Users\Owner\Desktop\FRST64.exe => ":$CmdZnID" ADS removed successfully.
"C:\Users\Owner\Desktop\JRT.exe" => ":$CmdTcID" ADS not found.
C:\Users\Owner\Desktop\JRT.exe => ":$CmdZnID" ADS removed successfully.
"C:\Users\Owner\Downloads\AdwCleaner.exe" => ":$CmdTcID" ADS not found.
C:\Users\Owner\Downloads\AdwCleaner.exe => ":$CmdZnID" ADS removed successfully.
"C:\Users\Owner\Downloads\Defogger.exe" => ":$CmdTcID" ADS not found.
C:\Users\Owner\Downloads\Defogger.exe => ":$CmdZnID" ADS removed successfully.
"C:\Users\Owner\Downloads\mbam-setup-2.0.4.1028.exe" => ":$CmdTcID" ADS not found.
C:\Users\Owner\Downloads\mbam-setup-2.0.4.1028.exe => ":$CmdZnID" ADS removed successfully.
"C:\Users\Owner\Downloads\RogueKiller.exe" => ":$CmdTcID" ADS not found.
C:\Users\Owner\Downloads\RogueKiller.exe => ":$CmdZnID" ADS removed successfully.
"C:\Users\Owner\Downloads\unhide.exe" => ":$CmdTcID" ADS not found.
C:\Users\Owner\Downloads\unhide.exe => ":$CmdZnID" ADS removed successfully.
C:\Users\Owner\Documents\2011.02.14 Julia letter.eml => ":OECustomProperty" ADS removed successfully.
C:\Users\Owner\Documents\2nd Coming of Christ.eml => ":OECustomProperty" ADS removed successfully.
C:\Users\Owner\Documents\Angel Knocking at the Door.eml => ":OECustomProperty" ADS removed successfully.
C:\Users\Owner\Documents\Another ghost out of the closet.eml => ":OECustomProperty" ADS removed successfully.
"C:\Users\Owner\Documents\AWB 1.28.2011 Update.eml" => ":OECustomProperty" ADS not found.
C:\Users\Owner\Documents\baby pics Luca.eml => ":OECustomProperty" ADS removed successfully.
C:\Users\Owner\Documents\baby pictures.eml => ":OECustomProperty" ADS removed successfully.
C:\Users\Owner\Documents\Betty - old photos.eml => ":OECustomProperty" ADS removed successfully.
C:\Users\Owner\Documents\Black Lab story.eml => ":OECustomProperty" ADS removed successfully.
C:\Users\Owner\Documents\Blood Clots_Stroke -.eml => ":OECustomProperty" ADS removed successfully.
C:\Users\Owner\Documents\Burning bush.eml => ":OECustomProperty" ADS removed successfully.
C:\Users\Owner\Documents\Child praying.eml => ":OECustomProperty" ADS removed successfully.
C:\Users\Owner\Documents\Christus order confirmation.eml => ":OECustomProperty" ADS removed successfully.
C:\Users\Owner\Documents\Communication, Dean and Janice.eml => ":OECustomProperty" ADS removed successfully.
C:\Users\Owner\Documents\Crabby Old Woman__a tender poem___TV.eml => ":OECustomProperty" ADS removed successfully.
C:\Users\Owner\Documents\Dorothy birthday 2012.eml => ":OECustomProperty" ADS removed successfully.
C:\Users\Owner\Documents\Email from Betty.eml => ":OECustomProperty" ADS removed successfully.
C:\Users\Owner\Documents\Email from DJ 1.eml => ":OECustomProperty" ADS removed successfully.
C:\Users\Owner\Documents\Email from DJ 2.eml => ":OECustomProperty" ADS removed successfully.
C:\Users\Owner\Documents\Email from Michelle.eml => ":OECustomProperty" ADS removed successfully.
C:\Users\Owner\Documents\Emails from before the computer crashed.eml => ":OECustomProperty" ADS removed successfully.
C:\Users\Owner\Documents\Gilbert Stake email addresses.eml => ":OECustomProperty" ADS removed successfully.
C:\Users\Owner\Documents\Good Song_ God Said NO - Turn on Sound.eml => ":OECustomProperty" ADS removed successfully.
C:\Users\Owner\Documents\Holly Ann Barney II.eml => ":OECustomProperty" ADS removed successfully.
C:\Users\Owner\Documents\Holly Ann Barney.eml => ":OECustomProperty" ADS removed successfully.
C:\Users\Owner\Documents\IN WISDOM_ by Elmer Moore.eml => ":OECustomProperty" ADS removed successfully.
C:\Users\Owner\Documents\Island Girl's Bear Lake Album 1.eml => ":OECustomProperty" ADS removed successfully.
C:\Users\Owner\Documents\Island Girl's Picasa Web Album - 10-04-08 Bear Lake & Logan Canyon 2.eml => ":OECustomProperty" ADS removed successfully.
C:\Users\Owner\Documents\Ivan Spears 1.eml => ":OECustomProperty" ADS removed successfully.
C:\Users\Owner\Documents\Ivan Spears 2 and Karissa.eml => ":OECustomProperty" ADS removed successfully.
C:\Users\Owner\Documents\Ivan Spears 3 and Luca.eml => ":OECustomProperty" ADS removed successfully.
C:\Users\Owner\Documents\Ivan Spears 4 and Karissa and Luca.eml => ":OECustomProperty" ADS removed successfully.
C:\Users\Owner\Documents\jb An answer to _Where_________.eml => ":OECustomProperty" ADS removed successfully.
C:\Users\Owner\Documents\Jesus and the Children 2.eml => ":OECustomProperty" ADS removed successfully.
C:\Users\Owner\Documents\Jesus' baptism.eml => ":OECustomProperty" ADS removed successfully.
C:\Users\Owner\Documents\Jesus' Obituary.eml => ":OECustomProperty" ADS removed successfully.
C:\Users\Owner\Documents\Jonah pics 2nd birthday.eml => ":OECustomProperty" ADS removed successfully.
C:\Users\Owner\Documents\Letter to Caleb.eml => ":OECustomProperty" ADS removed successfully.
C:\Users\Owner\Documents\Lots of pictures of family (Facebook).eml => ":OECustomProperty" ADS removed successfully.
C:\Users\Owner\Documents\Luca & the Spears.eml => ":OECustomProperty" ADS removed successfully.
C:\Users\Owner\Documents\Luca and swollen eye 10002009.eml => ":OECustomProperty" ADS removed successfully.
C:\Users\Owner\Documents\Luca Isaac Spears.eml => ":OECustomProperty" ADS removed successfully.
C:\Users\Owner\Documents\Luca's mohawk and skull shirt.eml => ":OECustomProperty" ADS removed successfully.
C:\Users\Owner\Documents\Mary and Baby Jesus.eml => ":OECustomProperty" ADS removed successfully.
C:\Users\Owner\Documents\Mary and Jesus.eml => ":OECustomProperty" ADS removed successfully.
C:\Users\Owner\Documents\Microsoft Office 2010 - Order Confirmation - 107338413.eml => ":OECustomProperty" ADS removed successfully.
C:\Users\Owner\Documents\Norma Larsen herbs.eml => ":OECustomProperty" ADS removed successfully.
C:\Users\Owner\Documents\Paintings of Jesus.eml => ":OECustomProperty" ADS removed successfully.
C:\Users\Owner\Documents\Polar momma and baby_.eml => ":OECustomProperty" ADS removed successfully.
C:\Users\Owner\Documents\Pres.Lorenzo Snow sees the Savior.eml => ":OECustomProperty" ADS removed successfully.
C:\Users\Owner\Documents\Recent Luca Pictures.eml => ":OECustomProperty" ADS removed successfully.
C:\Users\Owner\Documents\Take upon us the name of Christ.eml => ":OECustomProperty" ADS removed successfully.
C:\Users\Owner\Documents\Tami's album, granddaughters.eml => ":OECustomProperty" ADS removed successfully.
C:\Users\Owner\Documents\Tami's Facebook entry 2_12_10.eml => ":OECustomProperty" ADS removed successfully.
C:\Users\Owner\Documents\Thank You Vase.Tami.eml => ":OECustomProperty" ADS removed successfully.
C:\Users\Owner\Documents\Wedding day.eml => ":OECustomProperty" ADS removed successfully.
"HKU\.DEFAULT\Software\Classes\exefile" => Key deleted successfully.
"HKU\S-1-5-19\Software\Classes\exefile" => Key deleted successfully.
"HKU\S-1-5-20\Software\Classes\exefile" => Key deleted successfully.
"HKU\S-1-5-21-4191668367-3300016174-3324751454-1001\Software\Classes\exefile" => Key deleted successfully.
HKLM\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\\ => value deleted successfully.
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\\NoFolderOptions => value deleted successfully.
"HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\ SkyDrive1" => Key deleted successfully.
HKCR\CLSID\{F241C880-6982-4CE5-8CF7-7085BA96DA5A} => Key not found.
"HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\ SkyDrive2" => Key deleted successfully.
HKCR\CLSID\{A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E} => Key not found.
"HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\ SkyDrive3" => Key deleted successfully.
HKCR\CLSID\{BBACC218-34EA-4666-9D7A-C78F2274A524} => Key not found.
"HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\ SkyDrive1" => Key deleted successfully.
HKCR\Wow6432Node\CLSID\{F241C880-6982-4CE5-8CF7-7085BA96DA5A} => Key not found.
"HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\ SkyDrive2" => Key deleted successfully.
HKCR\Wow6432Node\CLSID\{A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E} => Key not found.
"HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\ SkyDrive3" => Key deleted successfully.
HKCR\Wow6432Node\CLSID\{BBACC218-34EA-4666-9D7A-C78F2274A524} => Key not found.
"HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{2188E24B-6A1C-4C1F-B86D-FEBED3B45E1A}" => Key deleted successfully.
HKCR\CLSID\{2188E24B-6A1C-4C1F-B86D-FEBED3B45E1A} => Key not found.
"HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{D944BB61-2E34-4DBF-A683-47E505C587DC}" => Key deleted successfully.
HKCR\CLSID\{D944BB61-2E34-4DBF-A683-47E505C587DC} => Key not found.
"HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\{2188E24B-6A1C-4C1F-B86D-FEBED3B45E1A}" => Key deleted successfully.
HKCR\Wow6432Node\CLSID\{2188E24B-6A1C-4C1F-B86D-FEBED3B45E1A} => Key not found.
"HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\{D944BB61-2E34-4DBF-A683-47E505C587DC}" => Key deleted successfully.
HKCR\Wow6432Node\CLSID\{D944BB61-2E34-4DBF-A683-47E505C587DC} => Key not found.
HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => value deleted successfully.
HKU\S-1-5-19\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => value deleted successfully.
HKU\S-1-5-20\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => value deleted successfully.
"HKU\S-1-5-21-4191668367-3300016174-3324751454-1001\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{D944BB61-2E34-4DBF-A683-47E505C587DC}" => Key deleted successfully.
HKCR\CLSID\{D944BB61-2E34-4DBF-A683-47E505C587DC} => Key not found.
0249101394141562mcinstcleanup => Service deleted successfully.
mcbootdelaystartsvc => Service deleted successfully.
McMPFSvc => Service deleted successfully.
McNaiAnn => Service deleted successfully.
mcpltsvc => Service deleted successfully.
McProxy => Service deleted successfully.
mfecore => Service deleted successfully.
MSK80Service => Service deleted successfully.
SR => Service deleted successfully.
srservice => Service deleted successfully.
C:\Windows\System32\Tasks\Optimize Start Menu Cache Files-S-1-5-21-4191668367-3300016174-3324751454-1001 => Moved successfully.
C:\Windows\CbsTemp => Moved successfully.
C:\Users\Owner\AppData\Local\Temp\air3912.exe => Moved successfully.
C:\Users\Owner\AppData\Local\Temp\airEA11.exe => Moved successfully.
C:\Users\Owner\AppData\Local\Temp\D6C6_SoftwareUpdaterSetupD.exe => Moved successfully.
C:\Users\Owner\AppData\Local\Temp\Extract.exe => Moved successfully.
C:\Users\Owner\AppData\Local\Temp\HPInstaller.exe => Moved successfully.
C:\Users\Owner\AppData\Local\Temp\HPPSdr.exe => Moved successfully.
C:\Users\Owner\AppData\Local\Temp\qing_update.exe => Moved successfully.
C:\Users\Owner\AppData\Local\Temp\Quarantine.exe => Moved successfully.
C:\Users\Owner\AppData\Local\Temp\SP63341.exe => Moved successfully.
C:\Users\Owner\AppData\Local\Temp\SP63599.exe => Moved successfully.
C:\Users\Owner\AppData\Local\Temp\SP63878.exe => Moved successfully.
C:\Users\Owner\AppData\Local\Temp\sp64126.exe => Moved successfully.
C:\Users\Owner\AppData\Local\Temp\SP64339.exe => Moved successfully.
C:\Users\Owner\AppData\Local\Temp\SP64854.exe => Moved successfully.
C:\Users\Owner\AppData\Local\Temp\SP65048.exe => Moved successfully.
C:\Users\Owner\AppData\Local\Temp\SP65755.exe => Moved successfully.
C:\Users\Owner\AppData\Local\Temp\SP65782.exe => Moved successfully.
C:\Users\Owner\AppData\Local\Temp\SP65792.exe => Moved successfully.
C:\Users\Owner\AppData\Local\Temp\SP65793.exe => Moved successfully.
C:\Users\Owner\AppData\Local\Temp\SP65796.exe => Moved successfully.
C:\Users\Owner\AppData\Local\Temp\SP65880.exe => Moved successfully.
C:\Users\Owner\AppData\Local\Temp\SP66078.exe => Moved successfully.
C:\Users\Owner\AppData\Local\Temp\SP66867.exe => Moved successfully.
C:\Users\Owner\AppData\Local\Temp\sqlite3.dll => Moved successfully.
C:\Users\Owner\AppData\Local\Temp\UninstallHPSA.exe => Moved successfully.
C:\Users\Owner\AppData\Local\Temp\vlc-2.1.2-win32.exe => Moved successfully.
EmptyTemp: => Removed 19 GB temporary data.


The system needed a reboot.

==== End of Fixlog 04:14:46 ====


#18
February 28, 2015 at 03:21:07
Update Malwarebytes & run again.
Click the Settings tab at the top, and then in the left column, select Detections and Protections, and if not already checked place a checkmark in the selection box to Scan for rootkits.
http://i.imgur.com/dZgt1g2.gif
Copy and Paste the contents of the log, in your reply please.

#19
February 28, 2015 at 03:29:58
Okay, thanks. This scan took over an hour before. If it looks like it is going to go that long again, I'll post the results after I sleep a few hours. I appreciate your help as always!

#20
February 28, 2015 at 03:36:11
I'll be in bed also, catch you later.

#21
February 28, 2015 at 03:49:21
Okay, have a good sleep... Malwarebytes ran pretty fast this time... here is the log:

Malwarebytes Anti-Malware
www.malwarebytes.org

Scan Date: 2/28/2015
Scan Time: 4:24:13 AM
Logfile: mbam2.txt
Administrator: Yes

Version: 2.00.4.1028
Malware Database: v2015.02.28.02
Rootkit Database: v2015.02.25.01
License: Free
Malware Protection: Disabled
Malicious Website Protection: Disabled
Self-protection: Disabled

OS: Windows 8.1
CPU: x64
File System: NTFS
User: Owner

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 387117
Time Elapsed: 22 min, 53 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled

Processes: 0
(No malicious items detected)

Modules: 0
(No malicious items detected)

Registry Keys: 0
(No malicious items detected)

Registry Values: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Folders: 0
(No malicious items detected)

Files: 0
(No malicious items detected)

Physical Sectors: 0
(No malicious items detected)


(end)


#22
February 28, 2015 at 03:51:13
"Okay, have a good sleep"
I'll be up a little while longer.

#23
February 28, 2015 at 03:51:40
Run Wise Disk Cleaner (run the first three tabs, left to right. I use default settings; leave boxes that are unchecked, unchecked). Reboot when finished.
http://www.softpedia.com/get/System...
http://www.freewarefiles.com/Wise-D...
http://www.freewarefiles.com/screen...
http://www.wisecleaner.com/download...
http://i.imgur.com/Jecnfvb.gif
http://i.imgur.com/0xHwdom.gif
http://i.imgur.com/JZLYOLf.gif
http://i.imgur.com/4kfaeGW.gif

After running Wise, how is it running? What issues does it have now?


#24
February 28, 2015 at 04:07:12
I'll have to run it later. I just lost connection to her computer (using Team Viewer) and she is asleep so I can't see if it is her router... etc. I'll run it and let you know. The most irritating thing has been that when I try to go to a website using IE or Chrome, I am getting a browser error and I have to try to connect a couple times. Not sure if she needs to restart the router/modem. I'll follow up later. Thanks again.

#25
February 28, 2015 at 04:09:49
"I'll follow up later"
Yep, we both need a break.

#26
February 28, 2015 at 04:22:20
✔ Best Answer
If needed.

Copy & Paste the text below, save it into Notepad on your Desktop & name it fixlist.txt
NOTE: It is important that Notepad is used. The fix will not work if Word or some other program is used.
NOTE: It is important that both files, FRST/FRST64 and fixlist.txt are in the same location or the fix will not work.
NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.

cmd: netsh winsock reset
cmd: ipconfig /flushdns

Run FRST/FRST64 and press the Fix button just once and wait.
If for some reason the tool needs a restart, please make sure you let the system restart normally. After that, let the tool complete its run.
When finished FRST will generate a log on the Desktop (Fixlog.txt). Please Copy & Paste the contents into your reply.


#27
February 28, 2015 at 16:58:23
Hi again,

I ran Wise and did the three tabs of cleaning. My mom rebooted the router/modem and now I am not having the issues I was having with connecting to sites on the first try. It is harder to tell (because I am on Team Viewer), but the computer appears to reboot quickly.

I just ran malwarebytes and had zero problems identified. So it appears that all has been taken care of in terms of the bad stuff.

Next?


#28
February 28, 2015 at 17:07:29
Run DelFix. Copy & Paste the contents of the log please.
https://toolslib.net/downloads/view...
DelFix is designed to delete all removal tools used during a disinfection.
Indeed, these tools are often updated. It's recommended not to have and use outdated versions on the computer.
It's compatible with Windows XP, Vista, 7, 8 in 32 & 64 bits.
Run the tool by right-clicking the DelFix icon and choosing the Run as administrator option.
Make sure that these are checked:
Remove disinfection tools
Purge system restore
Reset system settings
Click Run and wait until the tool completes its work.
All tools we used should be gone. The tool will create a report for you (C:\DelFix.txt).

#29
February 28, 2015 at 17:13:28
# DelFix v10.9 - Logfile created 28/02/2015 at 18:12:26
# Updated 27/02/2015 by Xplode
# Username : Owner - ADMIN
# Operating System : Windows 8.1 (64 bits)

~ Removing disinfection tools ...

Deleted : C:\FRST
Deleted : C:\AdwCleaner
Deleted : C:\Users\Owner\Desktop\FRST64.exe
Deleted : C:\Users\Owner\Desktop\JRT.exe
Deleted : C:\Users\Owner\Downloads\AdwCleaner.exe
Deleted : C:\Users\Owner\Downloads\Defogger.exe
Deleted : C:\Users\Owner\Downloads\RogueKiller.exe
Deleted : C:\Users\Owner\Downloads\unhide.exe
Deleted : HKLM\SOFTWARE\AdwCleaner

~ Cleaning system restore ...

Deleted : RP #69 [Windows Update | 02/13/2015 23:06:16]
Deleted : RP #70 [Scheduled Checkpoint | 02/21/2015 00:35:49]
Deleted : RP #71 [Installing COMODO Internet Security Premium | 02/23/2015 01:48:49]
Deleted : RP #72 [After Comodo, Malwarebytes, ESET cleaning | 02/28/2015 08:49:13]
Deleted : RP #73 [Post Wise cleaner | 03/01/2015 01:00:13]

New restore point created !

~ Resetting system settings ... OK

########## - EOF - ##########


#30
February 28, 2015 at 17:24:53
Good one, we have now got rid of all the nasties in System Restore.

I am pretty well finished. Let me know if all goes well.

Here is how a USER got into this mess; no AV would have prevented USER error. Go to any Malware forum & no matter what AV they have installed, they got infected.

As you can see from your logs, you had a lot of stuff installed, and you do not know how it got installed.
A lot of programs now give you the choice to install toolbars & other items during the install. Either uncheck these items during install, or use Custom install. No more click, click during an install; you have to read after each click.

WARNING: CNET Download.com downloads now come bundled with opt-out crapware and toolbars ( Same applies to Softonic & Brothersoft )
http://www.groovypost.com/unplugged...

I use Softpedia & FreewareFiles.com; they make you aware of what ad-supported programs the author of the program has included.
http://win.softpedia.com/index.free...
http://www.freewarefiles.com/new_fi...
Sample pages
http://www.softpedia.com/get/CD-DVD...
First and foremost, extra attention needs to be paid during installation as ImgBurn offers to create desktop shortcuts to third-party apps, as well as install a browser toolbar onto the host computer, which are not required to ensure the smooth running of the app.
SS of above.
http://i.imgur.com/jgGYNsP.gif
This is what ImgBurn tries to install.
http://i.imgur.com/ms4DzE9.gif
http://i.imgur.com/vVkd39a.gif
http://i.imgur.com/rqFVaHs.gif
http://i.imgur.com/sm1T7h6.gif
http://i.imgur.com/vhkKLYo.gif

Use Unchecky to help prevent these third-party installs. Nothing is perfect; the baddies are always ahead of the goodies, so be vigilant.
http://www.softpedia.com/get/System...
http://unchecky.com/
A reliable application that aims to protect your computer against third-party components often offered during software installations.

Extract from the fixlog.
"EmptyTemp: => Removed 19 GB temporary data"
Way, way too big, even for a gamer.
Here are temp file settings for a normal user; adjust to suit Mum's requirements.
All browsers: set to 50 MB (that's MB, not GB) for temp.

"There are a ton of files in the appdata/local/temp location that appear to be for setup"
Are they still there?

If so, use this.

An Important Disk Cleanup Job after Upgrading to Windows 8.1
http://www.techsupportalert.com/con...
http://windows.microsoft.com/en-au/...
https://www.udel.edu/it/help/best-p...
http://fixitwizkid.com/threads/how-...
http://helpdeskgeek.com/windows-8/h...


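The post above asks whether the installer leftovers in AppData\Local\Temp are still there and how big the temp data has grown. Here is an added PowerShell check, not part of the thread, that measures the usual temp and browser cache locations and lists the largest sub-folders in each, so a regrowth of the "19 GB temporary data" shows up before the next scan. The IE (INetCache) and Chrome cache paths are assumed default locations; adjust them if the browsers are installed elsewhere.

```powershell
# Added example (not from the thread): report how much space the usual
# temporary and cache locations are using, and which sub-folders are
# responsible. Locations are the standard per-user and system paths; the
# browser cache folders assume default IE (INetCache) and Chrome installs.
function Get-TempUsageReport {
    param(
        [int]$Top = 5   # how many largest sub-folders to list per location
    )

    $locations = @(
        $env:TEMP,                                                          # %TEMP% (AppData\Local\Temp)
        (Join-Path $env:SystemRoot 'Temp'),                                 # C:\Windows\Temp
        (Join-Path $env:LOCALAPPDATA 'Microsoft\Windows\INetCache'),        # IE cache (assumed default)
        (Join-Path $env:LOCALAPPDATA 'Google\Chrome\User Data\Default\Cache')  # Chrome cache (assumed default)
    )

    foreach ($loc in $locations) {
        if (-not (Test-Path -LiteralPath $loc)) { continue }

        # Sum every file under the location; skip files we are not allowed to read.
        $files = @(Get-ChildItem -LiteralPath $loc -File -Recurse -Force -ErrorAction SilentlyContinue)
        $total = ($files | Measure-Object -Property Length -Sum).Sum
        if (-not $total) { $total = 0 }

        # Size the immediate sub-folders so installer leftovers stand out.
        $biggest = Get-ChildItem -LiteralPath $loc -Directory -Force -ErrorAction SilentlyContinue |
            ForEach-Object {
                $size = (Get-ChildItem -LiteralPath $_.FullName -File -Recurse -Force -ErrorAction SilentlyContinue |
                         Measure-Object -Property Length -Sum).Sum
                if (-not $size) { $size = 0 }
                [pscustomobject]@{ Folder = $_.Name; MB = [math]::Round($size / 1MB, 1) }
            } | Sort-Object MB -Descending | Select-Object -First $Top

        [pscustomobject]@{
            Location   = $loc
            Files      = $files.Count
            TotalMB    = [math]::Round($total / 1MB, 1)
            LargestSub = $biggest
        }
    }
}

# Usage: run in the profile you are checking (Mum's account, not an admin account).
Get-TempUsageReport | Format-List
```

Run it once before and once after Disk Cleanup; a location that comes back at hundreds of MB or more within days usually points at a program that is still dropping setup files, which is worth finding rather than just deleting again.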

#31
February 28, 2015 at 18:49:43
Thanks again! I talked to Mom about the evils of the web. She will try to be more careful ;)

I believe those files that were slowing down the ESET process are no longer there, but I might take a closer look later tonight and see if the clean up after upgrade identifies other issues.

Thanks



#32
February 28, 2015 at 18:55:17
I just checked the logs, to see what browsers are installed, re temp settings.

IE is straightforward; Chrome is not.

How to set Google Chrome cache to 50 MB max temporary files.
With comps, there is always more than one way to do things; try this way.
Right click on the Google Chrome shortcut > Properties.
Copy & Paste this below after .exe" as per SS (Screenshot)
NOTE: There is a space after .exe"
http://i.imgur.com/vgkU3X1.gif
--disk-cache-size=52428800
Click > Apply & then OK.


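The shortcut edit above can be done without touching the Target field by hand. The following is an added PowerShell example, not part of the thread, that writes the switch onto a Chrome shortcut. Note that Chrome's --disk-cache-size switch is in bytes, so a 50 MB limit is 52428800, not 50000. The shortcut path in the usage line is an assumed example; point it at the real .lnk on Mum's Desktop, taskbar or Start Menu. Because adware often hijacks browser shortcuts (a changed target, or a URL appended to the arguments), the function also refuses to edit a shortcut that does not launch chrome.exe and warns if the existing arguments already carry a URL.

```powershell
# Added example (not from the thread): set Chrome's disk cache limit on a
# shortcut. --disk-cache-size takes BYTES: 50 MB = 50 * 1MB = 52428800.
# The usage path at the bottom is an assumed example, not a path from the logs.
function Set-ChromeDiskCacheLimit {
    param(
        [Parameter(Mandatory)] [string]$ShortcutPath,
        [int]$LimitMB = 50
    )

    if (-not (Test-Path -LiteralPath $ShortcutPath)) {
        throw "Shortcut not found: $ShortcutPath"
    }

    $shell = New-Object -ComObject WScript.Shell
    $lnk   = $shell.CreateShortcut($ShortcutPath)

    # Only edit shortcuts that really launch chrome.exe. A shortcut whose
    # target is something else is either not Chrome or has been tampered with.
    if ($lnk.TargetPath -notmatch '\\chrome\.exe$') {
        throw "Not a Chrome shortcut (target is '$($lnk.TargetPath)')"
    }

    # A URL in the arguments is the classic adware shortcut hijack; flag it
    # rather than silently preserving it.
    if ($lnk.Arguments -match 'https?://') {
        Write-Warning "Shortcut arguments already contain a URL: $($lnk.Arguments)"
    }

    # Drop any existing --disk-cache-size, keep every other argument as-is.
    $existing = @($lnk.Arguments -split '\s+' |
                  Where-Object { $_ -and $_ -notlike '--disk-cache-size=*' })
    $bytes = $LimitMB * 1MB
    $lnk.Arguments = (($existing + "--disk-cache-size=$bytes") -join ' ').Trim()
    $lnk.Save()

    [pscustomobject]@{
        Shortcut  = $ShortcutPath
        Target    = $lnk.TargetPath
        Arguments = $lnk.Arguments
    }
}

# Usage (assumed path; adjust to the real shortcut):
Set-ChromeDiskCacheLimit -ShortcutPath "$env:USERPROFILE\Desktop\Google Chrome.lnk" -LimitMB 50
```

The limit only applies when Chrome is started from that shortcut, so every shortcut the user actually clicks (Desktop, taskbar pin, Start Menu tile) needs the same edit; running the function over each one is the simplest way to keep them consistent.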

#33
February 28, 2015 at 18:57:12
"I might take a closer look later tonite and see if the clean up after upgrade identifies other issues"
Good idea, ESET is slow, but very thorough.


#34
February 28, 2015 at 19:04:36
Yes, I did reset IE to 50 MB. I'll try the Chrome fix for her as well. Thanks


#35
February 28, 2015 at 19:14:48
BTW Mom passes on her thanks as well.


#36
February 28, 2015 at 19:20:19
Thanks, things went really well, you did a great job.


#37
March 1, 2015 at 15:19:24
Hi again..

I checked the "upgrade to 8.1" instructions out that you provided and everything looks good. I see no residual files.

I'll go ahead and mark this one closed.

Thanks!

