[Solved] Installed CleanMyPC and now system all messed up

Hewlett-Packard / HP G62 notebook PC
June 5, 2014 at 19:06:15
Specs: Windows 7 Home Premium, Intel Pentium Dual Core T4400 2.2GHz
JohnW-
Hello :) I have another computer with a lot of issues. My mother-in-law installed one of those Clean My PC things that are advertised on TV, even though in the past I have told her not to. She said her computer ran great after it installed, but after the free trial, it started acting up even worse. She called them and they told her there were tons of viruses and spyware on her system and to remove them she had to pay them an additional $100. She called me, and I have the computer. I was going to run through the programs that you had me use on the Safer Browser thread, but wanted your opinion. It's Win 7 Home Premium. Should I give it a go?

OMG don't judge me!




#1
June 5, 2014 at 19:26:13
Hi Shanna, give me 10 mins to see what we used.


#2
June 5, 2014 at 19:46:03
✔ Best Answer
Yes, do it that way Shanna, post the logs as we progress.


#3
June 5, 2014 at 19:46:39
attach.txt: http://www.load.to/K2TReC9haz/attach.txt
dds.txt: http://www.load.to/TX2odn6CIz/dds.txt

DDS log files

Malwarebytes is running now

OMG don't judge me!

message edited by shanna99



#4
June 5, 2014 at 19:58:51
Malwarebytes Anti-Malware
www.malwarebytes.org

Scan Date: 6/5/2014
Scan Time: 10:34:23 PM
Logfile: malwarelog.txt
Administrator: Yes

Version: 2.00.2.1012
Malware Database: v2014.06.05.13
Rootkit Database: v2014.06.02.01
License: Free
Malware Protection: Disabled
Malicious Website Protection: Disabled
Self-protection: Disabled

OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: paulett

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 306293
Time Elapsed: 18 min, 4 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled

Processes: 0
(No malicious items detected)

Modules: 0
(No malicious items detected)

Registry Keys: 0
(No malicious items detected)

Registry Values: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Folders: 0
(No malicious items detected)

Files: 3
PUP.Optional.ToolBarInstaller.A, C:\Users\paulett\Downloads\HD_Player__CD5MTCD13345_c62dd63d1e8b6f4cdbb7df679d792ed3 (1).exe, , [f6eb4133a4d750e65331c63353b03dc3],
PUP.Optional.ToolBarInstaller.A, C:\Users\paulett\Downloads\HD_Player__CD5MTCD13345_c62dd63d1e8b6f4cdbb7df679d792ed3 (2).exe, , [c31ec8acb1caae889fe5f5045da60cf4],
PUP.Optional.ToolBarInstaller.A, C:\Users\paulett\Downloads\HD_Player__CD5MTCD13345_c62dd63d1e8b6f4cdbb7df679d792ed3.exe, , [b1304a2aaecde94d7e06a75214effb05],

Physical Sectors: 0
(No malicious items detected)


(end)

OMG don't judge me!



#5
June 5, 2014 at 20:05:27
AdwCleaner log:

# AdwCleaner v3.212 - Report created 05/06/2014 at 23:01:35
# Updated 05/06/2014 by Xplode
# Operating System : Windows 7 Home Premium Service Pack 1 (64 bits)
# Username : paulett - PAULETT-PC
# Running from : C:\Users\paulett\Desktop\adwcleaner_3.212.exe
# Option : Clean

***** [ Services ] *****


***** [ Files / Folders ] *****

Folder Deleted : C:\ProgramData\apn
Folder Deleted : C:\ProgramData\Ask
Folder Deleted : C:\ProgramData\Partner
Folder Deleted : C:\Program Files (x86)\Conduit
Folder Deleted : C:\Users\Cassie\AppData\LocalLow\Conduit
Folder Deleted : C:\Users\paulett\AppData\LocalLow\mapsgalaxy_39
Folder Deleted : C:\Users\paulett\AppData\Roaming\DriverCure
Folder Deleted : C:\Users\paulett\AppData\Roaming\pccustubinstaller
Folder Deleted : C:\Users\paulett\AppData\Roaming\Systweak
File Deleted : C:\END
File Deleted : C:\Users\paulett\AppData\Roaming\Mozilla\Firefox\Profiles\snt9sv6v.default\searchplugins\Askcom.xml
File Deleted : C:\Users\paulett\AppData\Roaming\Mozilla\Firefox\Profiles\snt9sv6v.default\searchplugins\ask-search.xml

***** [ Shortcuts ] *****


***** [ Registry ] *****

Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\RunDll32Policy\f3ScrCtr.dll
Key Deleted : HKLM\SOFTWARE\Microsoft\Multimedia\WMPlayer\Schemes\f3pss
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\AdvancedSystemProtector_RASAPI32
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\AdvancedSystemProtector_RASMANCS
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\apnstub_RASAPI32
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\apnstub_RASMANCS
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\askpartnercobrandingtool_rasapi32
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\askpartnercobrandingtool_rasmancs
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\au__rasapi32
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\au__rasmancs
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\ConduitInstaller_RASAPI32
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\ConduitInstaller_RASMANCS
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\CToolbar_RASAPI32
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\CToolbar_RASMANCS
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\prompt_installer-conduit_RASAPI32
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\prompt_installer-conduit_RASMANCS
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\TaskScheduler_RASAPI32
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\TaskScheduler_RASMANCS
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{10E9E863-3913-40D0-903D-D46DEB18C982}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{9AFB8248-617F-460D-9366-D71CDEDA3179}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{0F9AF7E3-3853-473F-A49B-E470A3A41501}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{10E9E863-3913-40D0-903D-D46DEB18C982}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{DADF82FD-0783-4CA9-98AA-615F657A2A9E}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{4897BBA6-48D9-468C-8EFA-846275D7701B}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{0F9AF7E3-3853-473F-A49B-E470A3A41501}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{DADF82FD-0783-4CA9-98AA-615F657A2A9E}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{4509D3CC-B642-4745-B030-645B79522C6D}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{07B18EAB-A523-4961-B6BB-170DE4475CCA}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{3DC201FB-E9C9-499C-A11F-23C360D7C3F8}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{7B089B94-D1DC-4C6B-87E1-8156E22C1D96}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{8736C681-37A0-40C6-A0F0-4C083409151C}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{9FF05104-B030-46FC-94B8-81276E4E27DF}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{07B18EA1-A523-4961-B6BB-170DE4475CCA}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{8F0B76E1-4E46-427B-B55B-B90593468AC6}
Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{1CB20BF0-BBAE-40A7-93F4-6435FF3D0411}
Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{AFDBDDAA-5D3F-42EE-B79C-185A7020515B}
Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{C04B7D22-5AEC-4561-8F49-27F6269208F6}
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{AFDBDDAA-5D3F-42EE-B79C-185A7020515B}
Value Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar [{CCC7A320-B3CA-4199-B1A6-9F516DD69829}]
Value Deleted : HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser [{4B3803EA-5230-4DC3-A7FC-33638F3D3542}]
Value Deleted : HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser [{CCC7A320-B3CA-4199-B1A6-9F516DD69829}]
Value Deleted : HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser [{D4027C7F-154A-4066-A1AD-4243D8127440}]
Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{4897BBA6-48D9-468C-8EFA-846275D7701B}
Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{A25AA6E2-1CDE-4D0F-A5D4-4898D7FB3C86}
Key Deleted : HKCU\Software\systweak
Key Deleted : HKCU\Software\YahooPartnerToolbar
Key Deleted : HKCU\Software\AppDataLow\Software\Conduit
Key Deleted : HKCU\Software\AppDataLow\Software\MyWebSearch
Key Deleted : HKLM\Software\systweak

***** [ Browsers ] *****

-\\ Internet Explorer v11.0.9600.17041


-\\ Mozilla Firefox v29.0.1 (en-US)

[ File : C:\Users\Cassie\AppData\Roaming\Mozilla\Firefox\Profiles\t4dcms1i.default\prefs.js ]


[ File : C:\Users\paulett\AppData\Roaming\Mozilla\Firefox\Profiles\snt9sv6v.default\prefs.js ]

Line Deleted : user_pref("CT3239904_Firefox.csv", "[{\"from\":\"Abs Layer\",\"action\":\"loading toolbar\",\"time\":1358103496590,\"isWithState\":\"\",\"timeFromStart\":0,\"timeFromPrev\":0}]");
Line Deleted : user_pref("Smartbar.ConduitHomepagesList", "");
Line Deleted : user_pref("Smartbar.ConduitSearchEngineList", "SocialSearchBar_App Customized Web Search");
Line Deleted : user_pref("Smartbar.ConduitSearchUrlList", "hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT3239904&SearchSource=2&q=");
Line Deleted : user_pref("extensions.dynconff.cache.home.mywebsearch.com.content", "<package expire=\"600\" es=\"914\" pcdids=\"v51\"></package>");
Line Deleted : user_pref("extensions.dynconff.cache.home.mywebsearch.com.expires", "1356486111636");
Line Deleted : user_pref("extensions.mywebsearch.prevDefaultEngine", "Ask.com");
Line Deleted : user_pref("extensions.mywebsearch.prevKwdEnabled", true);
Line Deleted : user_pref("extensions.mywebsearch.prevSelectedEngine", "Ask.com");
Line Deleted : user_pref("extensions.toolbar.mindspark._4jMembers_.homepage", "hxxp://home.mywebsearch.com/index.jhtml?ptb=E05CA12B-DEDA-4116-B3ED-739B1D4F5A67&n=77fc8f81&p2=^ZX^xdm039^YY^us&si=radiopi");
Line Deleted : user_pref("extensions.toolbar.mindspark._4jMembers_.hp.enabled", true);
Line Deleted : user_pref("extensions.toolbar.mindspark._4jMembers_.initialized", true);
Line Deleted : user_pref("extensions.toolbar.mindspark._4jMembers_.installation.contextKey", "");
Line Deleted : user_pref("extensions.toolbar.mindspark._4jMembers_.installation.installDate", "2013040513");
Line Deleted : user_pref("extensions.toolbar.mindspark._4jMembers_.installation.partnerId", "^ZX^xdm039^YY^us");
Line Deleted : user_pref("extensions.toolbar.mindspark._4jMembers_.installation.partnerSubId", "radiopi");
Line Deleted : user_pref("extensions.toolbar.mindspark._4jMembers_.installation.success", true);
Line Deleted : user_pref("extensions.toolbar.mindspark._4jMembers_.installation.toolbarId", "E05CA12B-DEDA-4116-B3ED-739B1D4F5A67");
Line Deleted : user_pref("extensions.toolbar.mindspark._4jMembers_.lastActivePing", "1365184265538");
Line Deleted : user_pref("extensions.toolbar.mindspark._4jMembers_.options.defaultSearch", true);
Line Deleted : user_pref("extensions.toolbar.mindspark._4jMembers_.options.homePageEnabled", true);
Line Deleted : user_pref("extensions.toolbar.mindspark._4jMembers_.options.keywordEnabled", true);
Line Deleted : user_pref("extensions.toolbar.mindspark._4jMembers_.options.tabEnabled", true);
Line Deleted : user_pref("extensions.toolbar.mindspark._4jMembers_.weather.location", "15926");
Line Deleted : user_pref("extensions.toolbar.mindspark._52Members_.homepage", "hxxp://home.mywebsearch.com/index.jhtml?ptb=83DFC29F-8507-4BF9-BCB7-B0F6D7D9DE00&n=77ee3e4c&ptnrS=ZKxdm144YYus&si=CKaw9aznlbMCFUKd4AodLB[...]
Line Deleted : user_pref("extensions.toolbar.mindspark._52Members_.hp.enabled", true);
Line Deleted : user_pref("extensions.toolbar.mindspark._52Members_.hp.lastGuardTime", 1666996883);
Line Deleted : user_pref("extensions.toolbar.mindspark._52Members_.hp.numGuards", 1);
Line Deleted : user_pref("extensions.toolbar.mindspark._52Members_.hp.user.defined", false);
Line Deleted : user_pref("extensions.toolbar.mindspark._52Members_.initialized", true);
Line Deleted : user_pref("extensions.toolbar.mindspark._52Members_.installation.contextKey", "");
Line Deleted : user_pref("extensions.toolbar.mindspark._52Members_.installation.installDate", "2012102220");
Line Deleted : user_pref("extensions.toolbar.mindspark._52Members_.installation.partnerId", "ZKxdm144YYus");
Line Deleted : user_pref("extensions.toolbar.mindspark._52Members_.installation.partnerSubId", "CKaw9aznlbMCFUKd4AodLBAApg");
Line Deleted : user_pref("extensions.toolbar.mindspark._52Members_.installation.success", true);
Line Deleted : user_pref("extensions.toolbar.mindspark._52Members_.installation.toolbarId", "83DFC29F-8507-4BF9-BCB7-B0F6D7D9DE00");
Line Deleted : user_pref("extensions.toolbar.mindspark._52Members_.lastActivePing", "1356485447905");
Line Deleted : user_pref("extensions.toolbar.mindspark._52Members_.searchHistory", "how to get porcepine needles out of a dog||toys||ny high school soccer rankings||ny state high school soccer playoffs||ichabod cran[...]
Line Deleted : user_pref("extensions.toolbar.mindspark._52Members_.tab.date", "1350951004977");
Line Deleted : user_pref("extensions.toolbar.mindspark._52Members_.weather.location", "15926");
Line Deleted : user_pref("extensions.toolbar.mindspark._gcMembers_.homepage", "hxxp://home.mywebsearch.com/index.jhtml?ptb=4E6C14CE-DD86-4C49-BD25-C1CFB1B0AB3F&n=77fc20f3&p2=^XN^xdm016^S04208^us");
Line Deleted : user_pref("extensions.toolbar.mindspark._gcMembers_.hp.enabled", true);
Line Deleted : user_pref("extensions.toolbar.mindspark._gcMembers_.initialized", true);
Line Deleted : user_pref("extensions.toolbar.mindspark._gcMembers_.installation.contextKey", "");
Line Deleted : user_pref("extensions.toolbar.mindspark._gcMembers_.installation.installDate", "2013012211");
Line Deleted : user_pref("extensions.toolbar.mindspark._gcMembers_.installation.partnerId", "^XN^xdm016^S04208^us");
Line Deleted : user_pref("extensions.toolbar.mindspark._gcMembers_.installation.partnerSubId", "");
Line Deleted : user_pref("extensions.toolbar.mindspark._gcMembers_.installation.success", true);
Line Deleted : user_pref("extensions.toolbar.mindspark._gcMembers_.installation.toolbarId", "4E6C14CE-DD86-4C49-BD25-C1CFB1B0AB3F");
Line Deleted : user_pref("extensions.toolbar.mindspark._gcMembers_.lastActivePing", "1358871738280");
Line Deleted : user_pref("extensions.toolbar.mindspark._gcMembers_.options.defaultSearch", true);
Line Deleted : user_pref("extensions.toolbar.mindspark._gcMembers_.options.homePageEnabled", true);
Line Deleted : user_pref("extensions.toolbar.mindspark._gcMembers_.options.keywordEnabled", true);
Line Deleted : user_pref("extensions.toolbar.mindspark._gcMembers_.options.tabEnabled", true);
Line Deleted : user_pref("extensions.toolbar.mindspark._gcMembers_.searchHistory", "");
Line Deleted : user_pref("extensions.toolbar.mindspark.hp.enabled", true);
Line Deleted : user_pref("extensions.toolbar.mindspark.hp.enabled.guid", "radiorage@mindspark.com");
Line Deleted : user_pref("extensions.toolbar.mindspark.lastInstalled", "radiorage@mindspark.com");
Line Deleted : user_pref("extensions.toolbar.mindspark.sa.enabled", true);
Line Deleted : user_pref("extensions.toolbar.mindspark.sa.owner", "webfetti@mindspark.com");
Line Deleted : user_pref("extensions.toolbar.mindspark.tab.enabled", true);

-\\ Google Chrome v35.0.1916.114

[ File : C:\Users\paulett\AppData\Local\Google\Chrome\User Data\Default\preferences ]

Deleted [Search Provider] : hxxp://search.aol.com/aol/search?query={searchTerms}
Deleted [Search Provider] : hxxp://www.ask.com/web?q={searchTerms}

*************************

AdwCleaner[R0].txt - [12939 octets] - [05/06/2014 23:00:39]
AdwCleaner[S0].txt - [12665 octets] - [05/06/2014 23:01:35]

########## EOF - C:\AdwCleaner\AdwCleaner[S0].txt - [12726 octets] ##########

OMG don't judge me!



#6
June 5, 2014 at 20:24:06
JRT Log:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Thisisu
Version: 6.1.4 (04.06.2014:1)
OS: Windows 7 Home Premium x64
Ran by paulett on Thu 06/05/2014 at 23:07:01.78
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


~~~ Services

~~~ Registry Values

~~~ Registry Keys

Successfully deleted: [Registry Key] HKEY_CLASSES_ROOT\CLSID\{26842A09-FFA8-4E2C-AE12-0C80F01C3295}
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\ustechsupport
Successfully deleted: [Registry Key] HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{0B4A10D1-FBD6-451d-BFDA-F03252B05984}
Successfully deleted: [Registry Key] HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{36377DD7-B3EB-42f5-986F-680BAF59BA9D}
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\SearchScopes\{0B4A10D1-FBD6-451d-BFDA-F03252B05984}

~~~ Files

~~~ Folders

Successfully deleted: [Folder] "C:\ProgramData\ustechsupport"
Successfully deleted: [Folder] "C:\Users\paulett\AppData\Roaming\ustechsupport"
Successfully deleted: [Folder] "C:\Users\paulett\appdata\locallow\popularscreensavers_7iei"
Successfully deleted: [Folder] "C:\Program Files (x86)\popularscreensavers_7iei"
Successfully deleted: [Folder] "C:\Program Files (x86)\ustechsupport"
Successfully deleted: [Folder] "C:\Program Files (x86)\Common Files\ustechsupport"
Successfully deleted: [Empty Folder] C:\Users\paulett\appdata\local\{00711546-D44D-40F4-8D88-6F6AA239DED4}
Successfully deleted: [Empty Folder] C:\Users\paulett\appdata\local\{04823BF7-4CE1-47BC-8406-C2F80E5DDA5D}
Successfully deleted: [Empty Folder] C:\Users\paulett\appdata\local\{07D38031-0821-42F3-A6BA-41598A3C5A99}
Successfully deleted: [Empty Folder] C:\Users\paulett\appdata\local\{0D559443-5103-45A1-9175-0690DECCC5D0}
Successfully deleted: [Empty Folder] C:\Users\paulett\appdata\local\{0D8F33A0-A9F5-43D7-A847-8791AB2A4E46}
Successfully deleted: [Empty Folder] C:\Users\paulett\appdata\local\{0FDC7311-8704-43CD-A5D1-300B6993B9A0}
Successfully deleted: [Empty Folder] C:\Users\paulett\appdata\local\{17161294-7580-4225-AC96-3F3C1619B341}
Successfully deleted: [Empty Folder] C:\Users\paulett\appdata\local\{19C516BA-1438-4F58-9EEC-0915E90D414C}
Successfully deleted: [Empty Folder] C:\Users\paulett\appdata\local\{1F7BFEFD-F614-4FDB-8479-E05283D4471B}
Successfully deleted: [Empty Folder] C:\Users\paulett\appdata\local\{21B204CE-6D57-46EA-94CB-0BA502375CDB}
Successfully deleted: [Empty Folder] C:\Users\paulett\appdata\local\{2C7C8D61-0FCF-40D1-B254-FDD10B42B033}
Successfully deleted: [Empty Folder] C:\Users\paulett\appdata\local\{32868372-9075-4F4C-9194-79CA725E5373}
Successfully deleted: [Empty Folder] C:\Users\paulett\appdata\local\{34DB41B4-30DB-4C14-A052-0FEC030EAFFA}
Successfully deleted: [Empty Folder] C:\Users\paulett\appdata\local\{3E560117-86DF-42B3-B97B-5CBBCE232B98}
Successfully deleted: [Empty Folder] C:\Users\paulett\appdata\local\{46ADE1D6-A955-4F0E-9E18-19FA427A42C8}
Successfully deleted: [Empty Folder] C:\Users\paulett\appdata\local\{48734768-198F-40E8-A4A3-452DB142E7CF}
Successfully deleted: [Empty Folder] C:\Users\paulett\appdata\local\{50DDE6CF-3E69-4A01-80C4-EE9F2F9B3B29}
Successfully deleted: [Empty Folder] C:\Users\paulett\appdata\local\{5592BF76-D9D8-4390-A106-5D2E943D58F6}
Successfully deleted: [Empty Folder] C:\Users\paulett\appdata\local\{55B2F18C-F630-4A29-82F6-89A297299CD3}
Successfully deleted: [Empty Folder] C:\Users\paulett\appdata\local\{56EE56FB-40C5-4E44-990D-BDB3E7F5AC6E}
Successfully deleted: [Empty Folder] C:\Users\paulett\appdata\local\{592091CA-5DA8-40A8-B666-B29A8D451441}
Successfully deleted: [Empty Folder] C:\Users\paulett\appdata\local\{5C5E10F7-CEFF-41D9-BFF5-EE2C8335BD9F}
Successfully deleted: [Empty Folder] C:\Users\paulett\appdata\local\{67F4E387-0CF2-462F-9437-1F398699CDE9}
Successfully deleted: [Empty Folder] C:\Users\paulett\appdata\local\{699DD9D2-A68D-412F-9EF9-B5AD150CCD9B}
Successfully deleted: [Empty Folder] C:\Users\paulett\appdata\local\{6E449635-F527-4C64-9E22-67A66C08CE6B}
Successfully deleted: [Empty Folder] C:\Users\paulett\appdata\local\{81BE917C-86A5-41A9-93ED-8FAC1E37BDA6}
Successfully deleted: [Empty Folder] C:\Users\paulett\appdata\local\{8604E06D-0F2B-46C6-A46E-169275E2A642}
Successfully deleted: [Empty Folder] C:\Users\paulett\appdata\local\{860FA468-0C1C-4146-9CEB-3E085E63D0F6}
Successfully deleted: [Empty Folder] C:\Users\paulett\appdata\local\{899DA086-32AA-48CC-B3C0-04773B4C6851}
Successfully deleted: [Empty Folder] C:\Users\paulett\appdata\local\{8C681911-8A69-480F-9534-A2E86A3D0D45}
Successfully deleted: [Empty Folder] C:\Users\paulett\appdata\local\{94B42529-CA1F-4A1A-B15A-20884C33315B}
Successfully deleted: [Empty Folder] C:\Users\paulett\appdata\local\{9728D619-76D4-4599-9CD9-2E3F7A15F687}
Successfully deleted: [Empty Folder] C:\Users\paulett\appdata\local\{9A0115EA-F62E-4D16-B033-CBB59F965948}
Successfully deleted: [Empty Folder] C:\Users\paulett\appdata\local\{9E932EB4-71AB-460F-B648-36884A420CB8}
Successfully deleted: [Empty Folder] C:\Users\paulett\appdata\local\{A546F73C-407C-4ADC-8610-0A2D088B8ACE}
Successfully deleted: [Empty Folder] C:\Users\paulett\appdata\local\{AD43941A-C169-476A-BEEA-E5EF40DCDC93}
Successfully deleted: [Empty Folder] C:\Users\paulett\appdata\local\{B7741834-2055-4EFC-B082-58C0843A8570}
Successfully deleted: [Empty Folder] C:\Users\paulett\appdata\local\{BAE8E4BD-D8E7-4B4F-A78E-91B14E7421A7}
Successfully deleted: [Empty Folder] C:\Users\paulett\appdata\local\{BB8060D4-7067-403F-898B-D96F05456A68}
Successfully deleted: [Empty Folder] C:\Users\paulett\appdata\local\{D2C2422E-11B1-41C8-A368-7249F15FE193}
Successfully deleted: [Empty Folder] C:\Users\paulett\appdata\local\{DB7F80E0-A2B8-40EB-84DD-21ECDDCEE404}
Successfully deleted: [Empty Folder] C:\Users\paulett\appdata\local\{DF3DB144-68EF-48A6-BA38-A4E7AE5097B0}
Successfully deleted: [Empty Folder] C:\Users\paulett\appdata\local\{E0D53350-D42C-4167-A647-3F142F71BFEB}
Successfully deleted: [Empty Folder] C:\Users\paulett\appdata\local\{E49FF33C-2546-4554-8C92-687A7F759EA3}
Successfully deleted: [Empty Folder] C:\Users\paulett\appdata\local\{E95D6E66-2539-464F-8FE1-58CEDD98CF93}
Successfully deleted: [Empty Folder] C:\Users\paulett\appdata\local\{EA8C8979-836E-4893-BB82-2E5C54107D46}
Successfully deleted: [Empty Folder] C:\Users\paulett\appdata\local\{EE4B3EC6-39D0-4141-9411-E1DD32A568EF}
Successfully deleted: [Empty Folder] C:\Users\paulett\appdata\local\{EFD082C3-ABDF-4C9D-86EC-C9D23F6CED28}
Successfully deleted: [Empty Folder] C:\Users\paulett\appdata\local\{F3E1AF03-F254-4E1E-9B54-577F2929C9F9}
Successfully deleted: [Empty Folder] C:\Users\paulett\appdata\local\{F409340F-C6EB-462F-8AAF-E3FAB803FC5F}
Successfully deleted: [Empty Folder] C:\Users\paulett\appdata\local\{F7E94751-8489-4971-8141-D0E572BCD7FE}
Successfully deleted: [Empty Folder] C:\Users\paulett\appdata\local\{FBC99C82-B74C-412C-8B07-C3EE21FD1131}

~~~ FireFox

Emptied folder: C:\Users\paulett\AppData\Roaming\mozilla\firefox\profiles\snt9sv6v.default\minidumps [157 files]

~~~ Event Viewer Logs were cleared

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on Thu 06/05/2014 at 23:20:27.63
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


OMG don't judge me!



#7
June 5, 2014 at 20:29:21
My preference in this case would be to run a System Restore to before the program was installed in order to correct any registry changes that it would have made. Then I would run Malwarebytes to check for infections. I am just guessing, but I think you will find that the machine is relatively clean but their program is causing the slowdowns in order to make you pay them to keep it 'clean'. This is sounding like a 'protection scheme' where you pay the thugs so no one will rob you. If there are more than the minimum nasties, you can always run 'everything' as needed. Finally I would manually run a Windows Update since it will probably run a malicious software removal tool.

You have to be a little bit crazy to keep you from going insane.



#8
June 5, 2014 at 20:29:21
"but after the free trial, it started acting up even worse"
What issues do you have now?


#9
June 5, 2014 at 20:37:55
@Fingers: there are no System Restore points available. Tried that already. Yeah, that is what I believe those programs you see on TV are.

@Johnw: frequent freezes, crashes, randomly not loading web pages, and just a general slowdown. The MIL made it sound like it was horrible, but really it's not as bad as she made it out to be. I just wanted to be sure I get it working as well as possible before giving it back, because it seems with her any little slowdown is horrible and she's jumping to pay money to have someone clean her computer. She lives over an hour away so she doesn't have time to bring the computer to me to clean up.

OMG don't judge me!



#10
June 5, 2014 at 20:38:02
Unhide by Lawrence Abrams (Grinler)
http://www.bleepingcomputer.com/
Copyright 2008-2014 BleepingComputer.com
More Information about Unhide.exe can be found at this link:
http://www.bleepingcomputer.com/for...

Program started at: 06/05/2014 11:25:57 PM
Windows Version: Windows 7

Please be patient while your files are made visible again.

Processing the C:\ drive
Finished processing the C:\ drive. 223030 files processed.

The C:\Users\paulett\AppData\Local\Temp\smtmp\ folder does not exist!!
Unhide cannot restore your missing shortcuts!!
Please see this topic in order to learn how to restore default
Start Menu shortcuts: http://www.bleepingcomputer.com/for...

Searching for Windows Registry changes made by FakeHDD rogues.
- Checking HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
* NoActiveDesktopChanges policy was found and deleted!
- Checking HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
- Checking HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System
* DisableTaskMgr policy was found and deleted!
- Checking HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced

Program finished at: 06/05/2014 11:31:31 PM
Execution time: 0 hours(s), 5 minute(s), and 34 seconds(s)

message edited by shanna99



#11
June 5, 2014 at 20:48:08
I will continue in the morning. I have not been able to get Google Chrome (her preferred browser... trying to talk her into Firefox...) to work right; it's slow and freezes a lot. I have to get to bed, work in the morning. Poo.

OMG don't judge me!



#12
June 5, 2014 at 20:55:09
Ok, Shanna, catch you later.


#13
June 6, 2014 at 13:41:47
Just posting here to monitor this post for info... Very much another classic problem which arrived after a so called useful utility...; and possibly a potential rip off too...?


#14
June 6, 2014 at 13:50:51
trvlr: Yea, that is what I believe it was. My mother in law really knows nothing about spyware and "useful" utilities. She is in the mindset that when the computer starts slowing down there is something seriously wrong with it. She isn't patient, and there is no way I could walk her through "fixing" anything on the phone. She gets click happy, and that is what happened in this case. Since she lives about an hour away, she couldn't wait to get her computer "fixed" when all it needed was a good cleaning. I have tried so many times to tell her NOT to click on things that seem shady, and to ask me first because I generally know what she needs to do. She got ripped off, since she asked me if she should pay the $100 to download the other software to fix it or if she should just get a new computer. To be honest, I don't see where this computer is THAT messed up, just some malware and old files that need to be cleaned out. She would have gotten rid of this computer and spent more to get a new one if I wasn't around to help her with it. It's a shame there are companies out there that prey on people like that, those who really don't know about computers and how they work.

OMG don't judge me!



#15
June 6, 2014 at 13:51:49
This is actually the second log; I forgot to check some of the things and had to run it again. I forgot to save the log from the first run. Ugh.


RogueKiller V9.0.2.0 [Jun 3 2014] by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : http://forum.adlice.com
Website : http://www.adlice.com/softwares/rog...
Blog : http://www.adlice.com

Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User : paulett [Admin rights]
Mode : Remove -- Date : 06/06/2014 16:44:18

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 8 ¤¤¤
[PUM.Proxy] (X64) HKEY_USERS\S-1-5-21-3480461643-3987370765-336084525-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyServer : actsvr.comcastonline.com:8100 -> DELETED
[PUM.Proxy] (X86) HKEY_USERS\S-1-5-21-3480461643-3987370765-336084525-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyServer : actsvr.comcastonline.com:8100 -> ERROR [2]
[PUM.Policies] (X64) HKEY_USERS\S-1-5-21-3480461643-3987370765-336084525-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System | DisableRegistryTools : 0 -> DELETED
[PUM.Policies] (X86) HKEY_USERS\S-1-5-21-3480461643-3987370765-336084525-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System | DisableRegistryTools : 0 -> ERROR [2]
[PUM.DesktopIcons] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1 -> REPLACED (0)
[PUM.DesktopIcons] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {59031a47-3f72-44a7-89c5-5595fe6b30ee} : 1 -> REPLACED (0)
[PUM.DesktopIcons] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1 -> REPLACED (0)
[PUM.DesktopIcons] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {59031a47-3f72-44a7-89c5-5595fe6b30ee} : 1 -> REPLACED (0)

¤¤¤ Scheduled tasks : 0 ¤¤¤

¤¤¤ Files : 0 ¤¤¤

¤¤¤ HOSTS File : 0 [Too big!] ¤¤¤

¤¤¤ Antirootkit : 0 ¤¤¤

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: WDC WD2500BEVT-22A23T0 +++++
--- User ---
[MBR] af3ef04b020db8eb09052e326f5efe5d
[BSP] e584cd95ddb6c56385fb7dddaa4c5d41 : Windows Vista/7/8 MBR Code
Partition table:
0 - [XXXXXX] ACER (0x27) [VISIBLE] Offset (sectors): 63 | Size: 12291 MB
1 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 25173855 | Size: 101 MB
2 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 25382700 | Size: 226080 MB
User = LL1 ... OK
User = LL2 ... OK


============================================
RKreport_SCN_06062014_163831.log - RKreport_DEL_06062014_164002.log - RKreport_SCN_06062014_164355.log

OMG don't judge me!


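The Unhide log in #10 and the RogueKiller log in #15 both turned on the same handful of registry locations: Explorer/System policies that lock the user out of Task Manager and the registry editor, a per-user ProxyServer the user never set, and desktop icons hidden via NewStartPanel. Below is an added read-only PowerShell audit of exactly those locations; it is not code from the thread or from either tool, and it assumes an elevated PowerShell prompt on the affected Windows 7 machine with the affected user logged on (so HKCU is that user's hive).

```powershell
# Added example, not from the thread or from Unhide/RogueKiller.
# Read-only audit of the registry locations those tools reported on in this thread.
# Assumes: elevated PowerShell on the affected Windows 7 machine, affected user logged on.

function Get-RegValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or the value is absent, which is the expected clean state.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

$findings = @()

# 1. Policies: Unhide (#10) found NoActiveDesktopChanges and DisableTaskMgr; RogueKiller (#15)
#    flagged DisableRegistryTools. None of these should exist on a home machine, so presence
#    is reported whatever the value (RogueKiller removed a value of 0 as well).
$policyChecks = @(
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'; Name = 'NoActiveDesktopChanges' },
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'; Name = 'NoActiveDesktopChanges' },
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System';   Name = 'DisableTaskMgr' },
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System';   Name = 'DisableTaskMgr' },
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System';   Name = 'DisableRegistryTools' },
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System';   Name = 'DisableRegistryTools' }
)
foreach ($c in $policyChecks) {
    $v = Get-RegValue -Path $c.Path -Name $c.Name
    if ($null -ne $v) {
        $findings += "POLICY  $($c.Path)\$($c.Name) = $v  (restricts the user's own tools; normally absent)"
    }
}

# 2. Per-user proxy: the [PUM.Proxy] hit in #15 was a ProxyServer string under Internet Settings.
#    AutoConfigURL is checked too, since a PAC URL redirects traffic the same way.
$inet        = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$proxyEnable = Get-RegValue -Path $inet -Name 'ProxyEnable'
$proxyServer = Get-RegValue -Path $inet -Name 'ProxyServer'
$autoConfig  = Get-RegValue -Path $inet -Name 'AutoConfigURL'
if ($proxyServer) { $findings += "PROXY   ProxyServer = '$proxyServer' (ProxyEnable = $proxyEnable)" }
if ($autoConfig)  { $findings += "PROXY   AutoConfigURL = '$autoConfig'" }

# 3. Hidden desktop icons: the [PUM.DesktopIcons] entries in #15 were GUID values set to 1
#    under an HKLM NewStartPanel key (this key is normally per-user, so HKLM alone is notable).
$iconKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel'
if (Test-Path $iconKey) {
    $props = Get-ItemProperty -Path $iconKey
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like '{*}' -and $p.Value -eq 1) {
            $findings += "ICONS   $($p.Name) hidden via $iconKey"
        }
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'No policy, proxy or hidden-icon deviations found.'
} else {
    $findings | ForEach-Object { Write-Output $_ }
}
```

Run it once before and once after the cleanup tools; anything still listed afterwards is worth a second look rather than assuming the tool got it.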

#16
June 6, 2014 at 14:02:04
[url=http://www.load.to/a1Qe4mdF5p/tddskiller.txt]tddskiller.txt[/url]

TDSS Killer log, nothing found. I really think the errors she was telling me were all in her head....

OMG don't judge me!



#17
June 6, 2014 at 14:07:04
Here is one good place to come for help; and there are at least two others I know of. It's a pity that many of those who are vulnerable to the rip offs don't come here and similar sites first.

As you know most of us here can offer free and reliable solutions; and each of us has areas where we sort of focus based on our diverse experience.

JohnW is one of several here very strong and "up" on pest control and eradication... As I think you have already done in the past, follow John's sequences and more than likely it will all be put right..

Then encourage your Ma-in-law to chat with you first, or show her how to post here - although I suspect it will be better initially if she contacts you first...?

Do you think she might be up to using one of the free and safe remote login utilities too, which might allow you to log in and have a look-see too?



#18
June 6, 2014 at 14:15:06
I have used this site for years :) I try to offer my 2 cents now and again, but not too often anymore, no time really. I am very grateful for Johnw's help, he's helped me out on several occasions. As for her posting here, yea, that would be more difficult to explain how to do that and follow the suggestions. It's easier for me to just do it myself.
I have thought about the remote login utilities, but I really don't know too much about them to know what to use. Any suggestions on a good program that would be easy to explain to her?

OMG don't judge me!



#19
June 6, 2014 at 14:23:17
I think the one I have on my Mac systems is Team Viewer. Qnaps support use it - which is how I came to be familiar with it. It's free for home use; and simple to use - and safe. (I'm on an iPad just now...)

And this is a review of Team Viewer and several others:

http://pcsupport.about.com/od/remot...

Edited to correct a few typos...

message edited by trvlr



#20
June 6, 2014 at 14:31:15
I will check it out, it might just work for us, a lot easier than her thinking she needs to resort to paying someone else when there is no reason I can't help her out :)

OMG don't judge me!




#22
June 6, 2014 at 16:11:06
" I don't see where this computer is THAT messed up"

Lets do a double check, download the latest version.

Download ComboFix onto your Desktop & then run. If your default download location is not the Desktop, drag it out of its location onto the Desktop. Copy & Paste the contents of the log in your next post please. ComboFix's log should be located at C:\COMBOFIX.TXT.
http://www.bleepingcomputer.com/dow...
http://download.bleepingcomputer.co...
http://www.forospyware.com/sUBs/Com...



#23
June 6, 2014 at 17:06:48
It's running the ESET online scanner right now, almost done, did find a few worms and such... will post that log when it's done :)

OMG don't judge me!



#24
June 6, 2014 at 17:46:32
Alrighty then. Maybe it is messed up. ESET scan was at 99% and it blue screened on me. It won't restart, keeps restarting at the "Starting Windows" screen. Started the startup repair, and it's not doing much of anything. Interesting. I can use my computer (I am on it now) to make a repair disk for it, or...?

OMG don't judge me!



#25
June 6, 2014 at 18:24:05
Running the repair disk now...

OMG don't judge me!



#26
June 6, 2014 at 20:37:57
Repair disk not working. Safe mode not working.
Ugh.

OMG don't judge me!



#27
June 6, 2014 at 20:53:49
Went into BIOS. Under Security, it says "SATA Port0 Disk Status: Froze." I googled it, and everything says the HDD is shot and will need to be replaced. Any suggestions? Nothing is working, I can't get it to do anything. There are a ton of pictures that my mother in law would like saved, but...?

OMG don't judge me!



#28
June 6, 2014 at 22:11:29
Try slaving the HDD to a good comp & see if it reads it, then copy her stuff into the good comp. If you get stuck, I need to know the specs of both HDDs.

Bad HDD, IDE, Sata or SSD?
Good HDD, IDE, Sata or SSD?



#29
June 22, 2014 at 12:45:14
Trying this for the 3rd time. (I accidentally shut down my computer the first time and closed the wrong tab the second time. LOL)

Sorry it's been so long since I last posted but we have been dealing with some family stuff. To update you on what I have done today:

I downloaded Hiren's BootCD and ran the MiniXP that is on there. It allowed me to run checkdisk. I ran it the first time and it said that Windows has fixed some errors. I ran it the second time and it went through fine. Still not starting up though. Here are links to pictures of the checkdisk results:
http://i.imgur.com/dtuEr2s.jpg
http://i.imgur.com/GG8em3w.jpg

I also was able to connect to the internet and am running ESET online scanner again, since that is what was running when the crash occurred. It is at 74% and has found 4 items so far, 3 that are "potentially unsafe applications" and one that is Win32/Bagel.gen.zip worm.

I don't know if any of this will help, but I figure it gives my mother in law peace of mind because she wants the pictures off of the drive. She's ok with replacing it, but still wants the pictures.

As for slaving it, I only have laptops. What would I need to do to slave the bad drive? I will have to get the specs, I don't have either of them at this exact moment.

OMG don't judge me!



#30
June 22, 2014 at 12:53:12
Specs for bad computer:

http://www.cnet.com/products/emachi...

This is the drive that is in the good laptop:
Hitachi HTS542516K9SA00 ATA Device

OMG don't judge me!



#31
June 22, 2014 at 13:01:21
Rebooted after scan was finished and items were quarantined and deleted. It asked to run Windows startup assistant; I wasn't paying attention and had it start Windows normally. However, it is running checkdisk on its own, something that it wouldn't do before.

OMG don't judge me!



#32
June 22, 2014 at 14:00:33
"As for slaving it, I only have laptops. What would I need to do to slave the bad drive? I will have to get the specs, I don't have either of them at this exact moment."

With laptops one is limited when it comes to "slaving" a drive.

However... you can buy for not many pennies (but don't buy the cheapest) an adaptor cable set, one end of which attaches to the drive to be slaved; and the other end is a USB connector...

It will then show up as any other USB device...

You can then copy all the files required to external media (DVD typically); and also of course to the hard drive in the laptop. I would favour to DVD - and check the copied files are accessible/readable before dumping the drive; or doing anything to it which will result in loss of the data on it at present.

The cable sets come usually (these days) with connectors for both EIDE and SATA; and a power supply/adapter to power the drive externally.

You can also buy a "dock" which connects via USB; it may (often does) come with an external power supply too - although some may draw power via the USB connection.
You slot the drive into the dock, and again it shows up as a USB device. There are various makes/models for these. One has to be careful to check it will work with the brand(s) of hard drive you may wish to use it with. Some of them don't like "some" Western Digital drives (no idea why). Most allow both SATA and EIDE; some only one or the other.

Incidentally, once connected as above (whichever option) you can also scan the drive for pests...



#33
June 22, 2014 at 14:05:00
I don't know if I will have to! :) The computer blue screened through the first scandisk, then restarted and ran through scandisk again twice. Restarted. And it's at the login screen, I am going to see if I can login and see what happens!

OMG don't judge me!



#34
June 22, 2014 at 14:09:32
It allowed me to login. I am going to work on saving all the photos on the disk before I do anything else so that in case something happens, I at least saved the most important part for her. Whew!

OMG don't judge me!



#35
June 22, 2014 at 14:18:23
" I am going to work on saving all the photos on the disk before I do anything else so that in case something happens"
Best way Shanna, then running Combofix is probably the next move.


#36
June 22, 2014 at 14:25:09
Agree - save anything that is valuable first/now; then set about "phyxing" things afterwards (if possible).


#37
June 23, 2014 at 16:23:10
Photos are all saved online. I ran ComboFix. Here's the log.

ComboFix 14-06-23.01 - paulett 06/23/2014 19:00:31.1.2 - x64
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.3002.1466 [GMT -4:00]
Running from: c:\users\paulett\Downloads\ComboFix.exe
AV: Microsoft Security Essentials *Disabled/Updated* {641105E6-77ED-3F35-A304-765193BCB75F}
SP: Microsoft Security Essentials *Disabled/Updated* {DF70E402-51D7-30BB-99B4-4D23E83BFDE2}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
C:\install.exe
c:\program files (x86)\Downloaded Installers
c:\windows\SysWow64\SET161C.tmp
.
.
((((((((((((((((((((((((( Files Created from 2014-05-23 to 2014-06-23 )))))))))))))))))))))))))))))))
.
.
2014-06-23 23:09 . 2014-06-23 23:09 -------- d-----w- c:\users\Default\AppData\Local\temp
2014-06-23 23:09 . 2014-06-23 23:09 -------- d-----w- c:\users\Cassie\AppData\Local\temp
2014-06-23 22:41 . 2014-06-23 22:41 -------- d-----w- c:\users\paulett\AppData\Roaming\TeamViewer
2014-06-23 22:40 . 2014-06-23 22:40 -------- dc-h--w- c:\programdata\{651038AD-E038-410A-BD90-28FB006FD850}
2014-06-23 22:40 . 2014-06-23 23:06 -------- d-----w- c:\program files (x86)\ITbrain Agent
2014-06-23 22:40 . 2014-06-23 22:40 -------- d-----w- c:\users\Default\AppData\Local\PackageAware
2014-06-23 04:36 . 2014-06-23 04:36 75888 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{DC3D6D35-A8AE-4889-86CC-570F0AC0BD02}\offreg.dll
2014-06-23 04:16 . 2014-06-05 10:54 10779000 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{DC3D6D35-A8AE-4889-86CC-570F0AC0BD02}\mpengine.dll
2014-06-22 21:24 . 2014-05-02 10:53 1031560 ------w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{898BD8D4-1A4F-4A51-BCEE-FFC3E563EF26}\gapaengine.dll
2014-06-22 21:24 . 2014-06-05 10:54 10779000 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2014-06-06 21:32 . 2014-06-06 21:32 -------- d-----w- c:\program files (x86)\TeamViewer
2014-06-06 21:03 . 2014-06-06 21:03 -------- d-----w- c:\program files (x86)\ESET
2014-06-06 20:31 . 2014-06-06 20:31 -------- d-----w- c:\programdata\RogueKiller
2014-06-06 03:06 . 2014-06-06 03:06 -------- d-----w- c:\windows\ERUNT
2014-06-06 03:01 . 2010-08-30 12:34 536576 ----a-w- c:\windows\SysWow64\sqlite3.dll
2014-06-06 03:00 . 2014-06-06 03:01 -------- d-----w- C:\AdwCleaner
2014-06-06 02:44 . 2014-06-06 02:45 -------- d-----w- c:\users\paulett\AppData\Roaming\Image Uploader
2014-06-06 02:44 . 2014-06-06 02:44 -------- d-----w- c:\programdata\Image Uploader
2014-06-06 02:44 . 2014-06-06 02:44 -------- d-----w- c:\program files (x86)\Image Uploader
2014-06-04 19:03 . 2014-06-04 19:34 532 ----a-w- c:\windows\system32\ASOROSet.bin
2014-06-04 18:46 . 2014-06-04 18:46 -------- d-----w- c:\windows\Repair
2014-06-04 18:45 . 2014-06-04 18:45 -------- d-----w- c:\users\paulett\AppData\Roaming\supportdotcom
2014-06-04 18:45 . 2014-06-04 19:37 -------- d-----w- c:\program files (x86)\Common Files\supportdotcom
2014-05-29 01:29 . 2014-05-29 01:29 -------- d-----w- c:\program files (x86)\Common Files\Java
2014-05-29 01:29 . 2014-05-29 01:28 98216 ----a-w- c:\windows\SysWow64\WindowsAccessBridge-32.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2014-06-23 07:06 . 2010-03-19 23:53 95414520 ----a-w- c:\windows\system32\MRT.exe
2014-06-06 02:34 . 2014-05-21 02:23 122584 ----a-w- c:\windows\system32\drivers\MBAMSwissArmy.sys
2014-05-14 05:49 . 2012-08-19 22:18 692400 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe
2014-05-14 05:49 . 2011-11-01 22:08 70832 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2014-05-12 11:26 . 2014-05-21 02:23 63704 ----a-w- c:\windows\system32\drivers\mwac.sys
2014-05-12 11:26 . 2014-05-21 02:23 91352 ----a-w- c:\windows\system32\drivers\mbamchameleon.sys
2014-05-12 11:25 . 2014-05-21 02:23 25816 ----a-w- c:\windows\system32\drivers\mbam.sys
2014-05-09 06:14 . 2014-05-14 19:57 477184 ----a-w- c:\windows\system32\aepdu.dll
2014-05-09 06:11 . 2014-05-14 19:57 424448 ----a-w- c:\windows\system32\aeinv.dll
2014-05-02 10:53 . 2013-03-12 13:39 1031560 ------w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\NISBackup\gapaengine.dll
2014-04-12 02:22 . 2014-05-14 19:57 155072 ----a-w- c:\windows\system32\drivers\ksecpkg.sys
2014-04-12 02:22 . 2014-05-14 19:57 95680 ----a-w- c:\windows\system32\drivers\ksecdd.sys
2014-04-12 02:19 . 2014-05-14 19:57 136192 ----a-w- c:\windows\system32\sspicli.dll
2014-04-12 02:19 . 2014-05-14 19:57 29184 ----a-w- c:\windows\system32\sspisrv.dll
2014-04-12 02:19 . 2014-05-14 19:57 28160 ----a-w- c:\windows\system32\secur32.dll
2014-04-12 02:19 . 2014-05-14 19:57 1460736 ----a-w- c:\windows\system32\lsasrv.dll
2014-04-12 02:19 . 2014-05-14 19:57 31232 ----a-w- c:\windows\system32\lsass.exe
2014-04-12 02:12 . 2014-05-14 19:57 22016 ----a-w- c:\windows\SysWow64\secur32.dll
2014-04-12 02:10 . 2014-05-14 19:57 96768 ----a-w- c:\windows\SysWow64\sspicli.dll
2014-04-01 02:46 . 2014-04-01 02:46 130712 ----a-w- c:\windows\SysWow64\MSSTDFMT.DLL
2014-04-01 02:46 . 2014-04-01 02:46 1070232 ----a-w- c:\windows\SysWow64\MSCOMCTL.OCX
2014-04-01 01:34 . 2014-04-01 01:34 322248 ----a-w- c:\windows\WLXPGSS.SCR
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2013-11-21 959904]
"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2014-05-07 256896]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"GarminExpressTrayApp"="c:\program files (x86)\Garmin\Express Tray\ExpressTray.exe" [2014-06-09 122200]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [x]
R3 IEEtwCollectorService;Internet Explorer ETW Collector Service;c:\windows\system32\IEEtwCollector.exe;c:\windows\SYSNATIVE\IEEtwCollector.exe [x]
R3 JLTECH0227;Dual Mode Camera;c:\windows\system32\Drivers\jl2005c.sys;c:\windows\SYSNATIVE\Drivers\jl2005c.sys [x]
R3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\DRIVERS\NisDrvWFP.sys;c:\windows\SYSNATIVE\DRIVERS\NisDrvWFP.sys [x]
R3 NisSrv;Microsoft Network Inspection;c:\program files\Microsoft Security Client\NisSrv.exe;c:\program files\Microsoft Security Client\NisSrv.exe [x]
R3 NTIBackupSvc;NTI Backup Now 5 Backup Service;c:\program files (x86)\NewTech Infosystems\NTI Backup Now 5\BackupSvc.exe;c:\program files (x86)\NewTech Infosystems\NTI Backup Now 5\BackupSvc.exe [x]
R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys;c:\windows\SYSNATIVE\drivers\rdpvideominiport.sys [x]
R3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;c:\windows\system32\Drivers\RtsUStor.sys;c:\windows\SYSNATIVE\Drivers\RtsUStor.sys [x]
R3 ssmirrdr;ssmirrdr;c:\windows\system32\DRIVERS\ssmirrdr.sys;c:\windows\SYSNATIVE\DRIVERS\ssmirrdr.sys [x]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys;c:\windows\SYSNATIVE\drivers\tsusbflt.sys [x]
R3 USBAAPL64;Apple Mobile USB Driver;c:\windows\system32\Drivers\usbaapl64.sys;c:\windows\SYSNATIVE\Drivers\usbaapl64.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe;c:\windows\SYSNATIVE\Wat\WatAdminSvc.exe [x]
S2 ePowerSvc;Acer ePower Service;c:\program files\eMachines\eMachines Power Management\ePowerSvc.exe;c:\program files\eMachines\eMachines Power Management\ePowerSvc.exe [x]
S2 Garmin Core Update Service;Garmin Core Update Service;c:\program files (x86)\Garmin\Core Update Service\Garmin.Cartography.MapUpdate.CoreService.exe;c:\program files (x86)\Garmin\Core Update Service\Garmin.Cartography.MapUpdate.CoreService.exe [x]
S2 Greg_Service;GRegService;c:\program files (x86)\eMachines\Registration\GregHSRW.exe;c:\program files (x86)\eMachines\Registration\GregHSRW.exe [x]
S2 IAStorDataMgrSvc;Intel(R) Rapid Storage Technology;c:\program files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe;c:\program files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe [x]
S2 ITbrain Agent;ITbrain Agent;c:\program files (x86)\ITbrain Agent\itbrain_agent.exe;c:\program files (x86)\ITbrain Agent\itbrain_agent.exe [x]
S2 NTISchedulerSvc;NTI Backup Now 5 Scheduler Service;c:\program files (x86)\NewTech Infosystems\NTI Backup Now 5\SchedulerSvc.exe;c:\program files (x86)\NewTech Infosystems\NTI Backup Now 5\SchedulerSvc.exe [x]
S2 SBSDWSCService;SBSD Security Center Service;c:\program files (x86)\Spybot - Search & Destroy\SDWinSec.exe;c:\program files (x86)\Spybot - Search & Destroy\SDWinSec.exe [x]
S2 TeamViewer9;TeamViewer 9;c:\program files (x86)\TeamViewer\Version9\TeamViewer_Service.exe;c:\program files (x86)\TeamViewer\Version9\TeamViewer_Service.exe [x]
S2 Updater Service;Updater Service;c:\program files\eMachines\eMachines Updater\UpdaterService.exe;c:\program files\eMachines\eMachines Updater\UpdaterService.exe [x]
S3 L1C;NDIS Miniport Driver for Atheros AR8131/AR8132 PCI-E Ethernet Controller (NDIS 6.20);c:\windows\system32\DRIVERS\L1C62x64.sys;c:\windows\SYSNATIVE\DRIVERS\L1C62x64.sys [x]
.
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\active setup\installed components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]
2014-06-22 21:32 1091912 ----a-w- c:\program files (x86)\Google\Chrome\Application\35.0.1916.153\Installer\chrmstp.exe
.
Contents of the 'Scheduled Tasks' folder
.
2014-06-23 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-08-19 05:49]
.
2014-05-31 c:\windows\Tasks\Defraggler Volume C Task.job
- c:\program files\Defraggler\df64.exe [2010-12-14 16:18]
.
2014-06-23 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2014-05-21 02:11]
.
2014-06-23 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2014-05-21 02:11]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RAVCpl64.exe" [2009-07-28 7982112]
"Acer ePower Management"="c:\program files\eMachines\eMachines Power Management\ePowerTray.exe" [2009-09-30 823840]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-09-03 159232]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-09-03 380928]
"Persistence"="c:\windows\system32\igfxpers.exe" [2009-09-03 358912]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2014-03-11 1271072]
"fssui"="c:\program files (x86)\Windows Live\Family Safety\fsui.exe" [2014-04-01 892608]
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.pogo.com/games/wordsearchdaily#game
uLocal Page = c:\windows\system32\blank.htm
uDefault_Search_URL = hxxp://www.google.com/ie
mLocal Page = c:\windows\SysWOW64\blank.htm
uInternet Settings,ProxyOverride = cdn;*.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~1\Office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files (x86)\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
TCP: DhcpNameServer = 192.168.1.1
TCP: Interfaces\{CCB44C55-3F87-4D79-A4E9-34830AAA5F32}: DhcpNameServer = 192.168.1.1
TCP: Interfaces\{CCB44C55-3F87-4D79-A4E9-34830AAA5F32}\2456C6B696E6E233443473: DhcpNameServer = 192.168.2.1
TCP: Interfaces\{CCB44C55-3F87-4D79-A4E9-34830AAA5F32}\2656C6B696E6E233939366: DhcpNameServer = 192.168.2.1
TCP: Interfaces\{CCB44C55-3F87-4D79-A4E9-34830AAA5F32}\358616E6E616723702960586F6E6564337: DhcpNameServer = 172.20.10.1
TCP: Interfaces\{CCB44C55-3F87-4D79-A4E9-34830AAA5F32}\64249402355727675696C6C616E63656026516E6023233: DhcpNameServer = 192.168.2.1
TCP: Interfaces\{CCB44C55-3F87-4D79-A4E9-34830AAA5F32}\D6D6D6D6D6D674F6F646: DhcpNameServer = 192.168.2.1
FF - ProfilePath - c:\users\paulett\AppData\Roaming\Mozilla\Firefox\Profiles\snt9sv6v.default\
FF - prefs.js: browser.search.selectedEngine - Ask Search
FF - prefs.js: browser.startup.homepage - www.google.com
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-Locked - (no file)
SafeBoot-77425399.sys
HKLM_Wow6432Node-ActiveSetup-{2D46B6DC-2207-486B-B523-A557E6D54B47} - start
Toolbar-Locked - (no file)
HKLM-Run-SynTPEnh - c:\program files (x86)\Synaptics\SynTP\SynTPEnh.exe
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-3480461643-3987370765-336084525-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.eml\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="WindowsLiveMail.Email.1"
.
[HKEY_USERS\S-1-5-21-3480461643-3987370765-336084525-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.vcf\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="WindowsLiveMail.VCard.1"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_13_0_0_214_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_13_0_0_214_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_13_0_0_214_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_13_0_0_214_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_13_0_0_214.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus\1]
@="131473"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.13"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_13_0_0_214.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_13_0_0_214.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_13_0_0_214.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2014-06-23 19:15:05
ComboFix-quarantined-files.txt 2014-06-23 23:15
.
Pre-Run: 169,025,507,328 bytes free
Post-Run: 170,112,409,600 bytes free
.
- - End Of File - - ACB85DE38551561020AD12B29B7D9185


Next steps?

OMG don't judge me!



#38
June 23, 2014 at 16:23:55
dang it, ignore that one. forgot to change the download location!

OMG don't judge me!



#39
June 23, 2014 at 16:26:14
Combofix did a good job Shanna.

Download Security Check by screen317 from one of the following links and save it onto your Desktop. If your default download location is not the Desktop, drag it out of its location onto the Desktop.
http://screen317.spywareinfoforum.o...
http://screen317.changelog.fr/Secur...
Please restart the computer before running this security check.
* Double click SecurityCheck.exe. If you run Windows Vista or 7/8, right click and choose 'Run as Administrator'.
o If you are asked by Windows to run this program or not, please click 'Yes' or 'Run'.
o When you see a console window, press any key to continue scanning.
o Wait while it scans.
o If your firewall alerts you of Security Check, please press 'Allow' or similar.
* A Notepad document should open automatically after scan is completed. It will be called checkup.txt; Please Copy and Paste the contents into your reply.
Note: If a security program requests permission from dig.exe to access the Internet, allow it to do so.



#40
June 23, 2014 at 16:28:19
"dang it, ignore that one. forgot to change the download location!"
Ok, shall wait for the next log.


#41
June 23, 2014 at 16:48:14
There, this is better. I am surprised you didn't catch that, LOL, you were right on it before :)

ComboFix 14-06-23.01 - paulett 06/23/2014 19:34:11.2.2 - x64
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.3002.1553 [GMT -4:00]
Running from: c:\users\paulett\Desktop\ComboFix.exe
AV: Microsoft Security Essentials *Disabled/Updated* {641105E6-77ED-3F35-A304-765193BCB75F}
SP: Microsoft Security Essentials *Disabled/Updated* {DF70E402-51D7-30BB-99B4-4D23E83BFDE2}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((( Files Created from 2014-05-23 to 2014-06-23 )))))))))))))))))))))))))))))))
.
.
2014-06-23 23:40 . 2014-06-23 23:40 -------- d-----w- c:\users\Default\AppData\Local\temp
2014-06-23 23:40 . 2014-06-23 23:40 -------- d-----w- c:\users\Cassie\AppData\Local\temp
2014-06-23 22:41 . 2014-06-23 22:41 -------- d-----w- c:\users\paulett\AppData\Roaming\TeamViewer
2014-06-23 22:40 . 2014-06-23 22:40 -------- dc-h--w- c:\programdata\{651038AD-E038-410A-BD90-28FB006FD850}
2014-06-23 22:40 . 2014-06-23 23:36 -------- d-----w- c:\program files (x86)\ITbrain Agent
2014-06-23 22:40 . 2014-06-23 22:40 -------- d-----w- c:\users\Default\AppData\Local\PackageAware
2014-06-23 04:36 . 2014-06-23 04:36 75888 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{DC3D6D35-A8AE-4889-86CC-570F0AC0BD02}\offreg.dll
2014-06-23 04:16 . 2014-06-05 10:54 10779000 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{DC3D6D35-A8AE-4889-86CC-570F0AC0BD02}\mpengine.dll
2014-06-22 21:24 . 2014-05-02 10:53 1031560 ------w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{898BD8D4-1A4F-4A51-BCEE-FFC3E563EF26}\gapaengine.dll
2014-06-22 21:24 . 2014-06-05 10:54 10779000 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2014-06-06 21:32 . 2014-06-06 21:32 -------- d-----w- c:\program files (x86)\TeamViewer
2014-06-06 21:03 . 2014-06-06 21:03 -------- d-----w- c:\program files (x86)\ESET
2014-06-06 20:31 . 2014-06-06 20:31 -------- d-----w- c:\programdata\RogueKiller
2014-06-06 03:06 . 2014-06-06 03:06 -------- d-----w- c:\windows\ERUNT
2014-06-06 03:01 . 2010-08-30 12:34 536576 ----a-w- c:\windows\SysWow64\sqlite3.dll
2014-06-06 03:00 . 2014-06-06 03:01 -------- d-----w- C:\AdwCleaner
2014-06-06 02:44 . 2014-06-06 02:45 -------- d-----w- c:\users\paulett\AppData\Roaming\Image Uploader
2014-06-06 02:44 . 2014-06-06 02:44 -------- d-----w- c:\programdata\Image Uploader
2014-06-06 02:44 . 2014-06-06 02:44 -------- d-----w- c:\program files (x86)\Image Uploader
2014-06-04 19:03 . 2014-06-04 19:34 532 ----a-w- c:\windows\system32\ASOROSet.bin
2014-06-04 18:46 . 2014-06-04 18:46 -------- d-----w- c:\windows\Repair
2014-06-04 18:45 . 2014-06-04 18:45 -------- d-----w- c:\users\paulett\AppData\Roaming\supportdotcom
2014-06-04 18:45 . 2014-06-04 19:37 -------- d-----w- c:\program files (x86)\Common Files\supportdotcom
2014-05-29 01:29 . 2014-05-29 01:29 -------- d-----w- c:\program files (x86)\Common Files\Java
2014-05-29 01:29 . 2014-05-29 01:28 98216 ----a-w- c:\windows\SysWow64\WindowsAccessBridge-32.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2014-06-23 07:06 . 2010-03-19 23:53 95414520 ----a-w- c:\windows\system32\MRT.exe
2014-06-06 02:34 . 2014-05-21 02:23 122584 ----a-w- c:\windows\system32\drivers\MBAMSwissArmy.sys
2014-05-14 05:49 . 2012-08-19 22:18 692400 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe
2014-05-14 05:49 . 2011-11-01 22:08 70832 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2014-05-12 11:26 . 2014-05-21 02:23 63704 ----a-w- c:\windows\system32\drivers\mwac.sys
2014-05-12 11:26 . 2014-05-21 02:23 91352 ----a-w- c:\windows\system32\drivers\mbamchameleon.sys
2014-05-12 11:25 . 2014-05-21 02:23 25816 ----a-w- c:\windows\system32\drivers\mbam.sys
2014-05-09 06:14 . 2014-05-14 19:57 477184 ----a-w- c:\windows\system32\aepdu.dll
2014-05-09 06:11 . 2014-05-14 19:57 424448 ----a-w- c:\windows\system32\aeinv.dll
2014-05-02 10:53 . 2013-03-12 13:39 1031560 ------w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\NISBackup\gapaengine.dll
2014-04-12 02:22 . 2014-05-14 19:57 155072 ----a-w- c:\windows\system32\drivers\ksecpkg.sys
2014-04-12 02:22 . 2014-05-14 19:57 95680 ----a-w- c:\windows\system32\drivers\ksecdd.sys
2014-04-12 02:19 . 2014-05-14 19:57 136192 ----a-w- c:\windows\system32\sspicli.dll
2014-04-12 02:19 . 2014-05-14 19:57 29184 ----a-w- c:\windows\system32\sspisrv.dll
2014-04-12 02:19 . 2014-05-14 19:57 28160 ----a-w- c:\windows\system32\secur32.dll
2014-04-12 02:19 . 2014-05-14 19:57 1460736 ----a-w- c:\windows\system32\lsasrv.dll
2014-04-12 02:19 . 2014-05-14 19:57 31232 ----a-w- c:\windows\system32\lsass.exe
2014-04-12 02:12 . 2014-05-14 19:57 22016 ----a-w- c:\windows\SysWow64\secur32.dll
2014-04-12 02:10 . 2014-05-14 19:57 96768 ----a-w- c:\windows\SysWow64\sspicli.dll
2014-04-01 02:46 . 2014-04-01 02:46 130712 ----a-w- c:\windows\SysWow64\MSSTDFMT.DLL
2014-04-01 02:46 . 2014-04-01 02:46 1070232 ----a-w- c:\windows\SysWow64\MSCOMCTL.OCX
2014-04-01 01:34 . 2014-04-01 01:34 322248 ----a-w- c:\windows\WLXPGSS.SCR
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2013-11-21 959904]
"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2014-05-07 256896]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"GarminExpressTrayApp"="c:\program files (x86)\Garmin\Express Tray\ExpressTray.exe" [2014-06-09 122200]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [x]
R3 IEEtwCollectorService;Internet Explorer ETW Collector Service;c:\windows\system32\IEEtwCollector.exe;c:\windows\SYSNATIVE\IEEtwCollector.exe [x]
R3 JLTECH0227;Dual Mode Camera;c:\windows\system32\Drivers\jl2005c.sys;c:\windows\SYSNATIVE\Drivers\jl2005c.sys [x]
R3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\DRIVERS\NisDrvWFP.sys;c:\windows\SYSNATIVE\DRIVERS\NisDrvWFP.sys [x]
R3 NisSrv;Microsoft Network Inspection;c:\program files\Microsoft Security Client\NisSrv.exe;c:\program files\Microsoft Security Client\NisSrv.exe [x]
R3 NTIBackupSvc;NTI Backup Now 5 Backup Service;c:\program files (x86)\NewTech Infosystems\NTI Backup Now 5\BackupSvc.exe;c:\program files (x86)\NewTech Infosystems\NTI Backup Now 5\BackupSvc.exe [x]
R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys;c:\windows\SYSNATIVE\drivers\rdpvideominiport.sys [x]
R3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;c:\windows\system32\Drivers\RtsUStor.sys;c:\windows\SYSNATIVE\Drivers\RtsUStor.sys [x]
R3 ssmirrdr;ssmirrdr;c:\windows\system32\DRIVERS\ssmirrdr.sys;c:\windows\SYSNATIVE\DRIVERS\ssmirrdr.sys [x]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys;c:\windows\SYSNATIVE\drivers\tsusbflt.sys [x]
R3 USBAAPL64;Apple Mobile USB Driver;c:\windows\system32\Drivers\usbaapl64.sys;c:\windows\SYSNATIVE\Drivers\usbaapl64.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe;c:\windows\SYSNATIVE\Wat\WatAdminSvc.exe [x]
S2 ePowerSvc;Acer ePower Service;c:\program files\eMachines\eMachines Power Management\ePowerSvc.exe;c:\program files\eMachines\eMachines Power Management\ePowerSvc.exe [x]
S2 Garmin Core Update Service;Garmin Core Update Service;c:\program files (x86)\Garmin\Core Update Service\Garmin.Cartography.MapUpdate.CoreService.exe;c:\program files (x86)\Garmin\Core Update Service\Garmin.Cartography.MapUpdate.CoreService.exe [x]
S2 Greg_Service;GRegService;c:\program files (x86)\eMachines\Registration\GregHSRW.exe;c:\program files (x86)\eMachines\Registration\GregHSRW.exe [x]
S2 IAStorDataMgrSvc;Intel(R) Rapid Storage Technology;c:\program files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe;c:\program files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe [x]
S2 ITbrain Agent;ITbrain Agent;c:\program files (x86)\ITbrain Agent\itbrain_agent.exe;c:\program files (x86)\ITbrain Agent\itbrain_agent.exe [x]
S2 NTISchedulerSvc;NTI Backup Now 5 Scheduler Service;c:\program files (x86)\NewTech Infosystems\NTI Backup Now 5\SchedulerSvc.exe;c:\program files (x86)\NewTech Infosystems\NTI Backup Now 5\SchedulerSvc.exe [x]
S2 SBSDWSCService;SBSD Security Center Service;c:\program files (x86)\Spybot - Search & Destroy\SDWinSec.exe;c:\program files (x86)\Spybot - Search & Destroy\SDWinSec.exe [x]
S2 TeamViewer9;TeamViewer 9;c:\program files (x86)\TeamViewer\Version9\TeamViewer_Service.exe;c:\program files (x86)\TeamViewer\Version9\TeamViewer_Service.exe [x]
S2 Updater Service;Updater Service;c:\program files\eMachines\eMachines Updater\UpdaterService.exe;c:\program files\eMachines\eMachines Updater\UpdaterService.exe [x]
S3 L1C;NDIS Miniport Driver for Atheros AR8131/AR8132 PCI-E Ethernet Controller (NDIS 6.20);c:\windows\system32\DRIVERS\L1C62x64.sys;c:\windows\SYSNATIVE\DRIVERS\L1C62x64.sys [x]
.
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\active setup\installed components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]
2014-06-22 21:32 1091912 ----a-w- c:\program files (x86)\Google\Chrome\Application\35.0.1916.153\Installer\chrmstp.exe
.
Contents of the 'Scheduled Tasks' folder
.
2014-06-23 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-08-19 05:49]
.
2014-05-31 c:\windows\Tasks\Defraggler Volume C Task.job
- c:\program files\Defraggler\df64.exe [2010-12-14 16:18]
.
2014-06-23 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2014-05-21 02:11]
.
2014-06-23 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2014-05-21 02:11]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RAVCpl64.exe" [2009-07-28 7982112]
"Acer ePower Management"="c:\program files\eMachines\eMachines Power Management\ePowerTray.exe" [2009-09-30 823840]
"SynTPEnh"="c:\program files (x86)\Synaptics\SynTP\SynTPEnh.exe" [BU]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-09-03 159232]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-09-03 380928]
"Persistence"="c:\windows\system32\igfxpers.exe" [2009-09-03 358912]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2014-03-11 1271072]
"fssui"="c:\program files (x86)\Windows Live\Family Safety\fsui.exe" [2014-04-01 892608]
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.pogo.com/games/wordsearchdaily#game
uLocal Page = c:\windows\system32\blank.htm
uDefault_Search_URL = hxxp://www.google.com/ie
mLocal Page = c:\windows\SysWOW64\blank.htm
uInternet Settings,ProxyOverride = cdn;*.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~1\Office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files (x86)\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
TCP: DhcpNameServer = 192.168.1.1
TCP: Interfaces\{CCB44C55-3F87-4D79-A4E9-34830AAA5F32}: DhcpNameServer = 192.168.1.1
TCP: Interfaces\{CCB44C55-3F87-4D79-A4E9-34830AAA5F32}\2456C6B696E6E233443473: DhcpNameServer = 192.168.2.1
TCP: Interfaces\{CCB44C55-3F87-4D79-A4E9-34830AAA5F32}\2656C6B696E6E233939366: DhcpNameServer = 192.168.2.1
TCP: Interfaces\{CCB44C55-3F87-4D79-A4E9-34830AAA5F32}\358616E6E616723702960586F6E6564337: DhcpNameServer = 172.20.10.1
TCP: Interfaces\{CCB44C55-3F87-4D79-A4E9-34830AAA5F32}\64249402355727675696C6C616E63656026516E6023233: DhcpNameServer = 192.168.2.1
TCP: Interfaces\{CCB44C55-3F87-4D79-A4E9-34830AAA5F32}\D6D6D6D6D6D674F6F646: DhcpNameServer = 192.168.2.1
FF - ProfilePath - c:\users\paulett\AppData\Roaming\Mozilla\Firefox\Profiles\snt9sv6v.default\
FF - prefs.js: browser.search.selectedEngine - Ask Search
FF - prefs.js: browser.startup.homepage - www.google.com
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-Locked - (no file)
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-3480461643-3987370765-336084525-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.eml\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="WindowsLiveMail.Email.1"
.
[HKEY_USERS\S-1-5-21-3480461643-3987370765-336084525-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.vcf\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="WindowsLiveMail.VCard.1"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_13_0_0_214_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_13_0_0_214_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_13_0_0_214_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_13_0_0_214_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_13_0_0_214.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus\1]
@="131473"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.13"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_13_0_0_214.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_13_0_0_214.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_13_0_0_214.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2014-06-23 19:43:26
ComboFix-quarantined-files.txt 2014-06-23 23:43
ComboFix2.txt 2014-06-23 23:15
.
Pre-Run: 170,141,405,184 bytes free
Post-Run: 170,053,435,392 bytes free
.
- - End Of File - - 7A3255154B325961272A50B9D297AA45

OMG don't judge me!

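The "Reg Loading Points" section of the ComboFix log above is where a helper looks first: every Run-key value and service listed there starts without the user doing anything. The Python script below is an added example, not part of this thread and not a ComboFix tool, that parses those lines and flags autostart entries whose binary sits outside Windows or Program Files or under a user-writable location, plus Run values that carry no file date/size in the log (as the `[BU]` entry for SynTPEnh does). The sample input is copied from the log above plus one constructed entry, `ExampleLoader`, pointing into a user profile so the flagging path is exercised; the trusted-root list is an assumption for this 64-bit Windows 7 layout.

```python
"""Triage helper for the 'Reg Loading Points' section of a ComboFix log.

Added example, not part of this thread and not a ComboFix tool. It parses the
Run-key values and service lines ComboFix prints and flags autostart entries
whose binary sits outside Windows / Program Files or under a user-writable
location, plus Run values that carry no file date/size in the log.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Lines copied from the log above, plus one constructed entry (ExampleLoader)
# that points into a user profile so the flagging path is exercised.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2013-11-21 959904]
"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2014-05-07 256896]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"GarminExpressTrayApp"="c:\program files (x86)\Garmin\Express Tray\ExpressTray.exe" [2014-06-09 122200]
"ExampleLoader"="c:\users\example\AppData\Roaming\example_loader.exe" [2014-06-04 1024]
.
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [x]
S2 ITbrain Agent;ITbrain Agent;c:\program files (x86)\ITbrain Agent\itbrain_agent.exe;c:\program files (x86)\ITbrain Agent\itbrain_agent.exe [x]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files (x86)\Synaptics\SynTP\SynTPEnh.exe" [BU]
"""

KEY = re.compile(r"^\[(?P<key>HKEY_[^\]]+)\]$")
RUN_VALUE = re.compile(r'^"(?P<name>[^"]+)"="(?P<path>[^"]+)"\s*\[(?P<meta>[^\]]*)\]\s*$')
SERVICE = re.compile(
    r"^(?P<start>[RS]\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<path>[^;]+);"
    r"(?P<alt>[^;]*?)\s*\[(?P<meta>[^\]]*)\]\s*$"
)
DATE_SIZE = re.compile(r"^\d{4}-\d{2}-\d{2} \d+$")   # what ComboFix prints for a found file

# Assumed layout of this 64-bit Windows 7 machine; adjust for other systems.
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
USER_WRITABLE = ("\\temp\\", "\\appdata\\", "\\users\\", "\\programdata\\")


@dataclass
class AutostartEntry:
    source: str          # registry key, or the service start code (R2, S2, ...)
    name: str
    path: str
    meta: str            # text inside the trailing [...]: "date size", "x", "BU"
    reasons: List[str] = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return bool(self.reasons)


def assess(path: str, meta: str, expect_date_size: bool) -> List[str]:
    """Return the reasons an entry deserves a look; an empty list means nothing stood out."""
    reasons = []
    p = path.lower()
    if not p.startswith(TRUSTED_ROOTS):
        reasons.append("binary outside Windows/Program Files")
    if any(marker in p for marker in USER_WRITABLE):
        reasons.append("binary under a user-writable location")
    if expect_date_size and not DATE_SIZE.match(meta.strip()):
        reasons.append(f"no file date/size in log ([{meta}])")
    return reasons


def parse_loading_points(text: str) -> List[AutostartEntry]:
    entries: List[AutostartEntry] = []
    current_key: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if (m := KEY.match(line)):
            current_key = m["key"]
        elif (m := RUN_VALUE.match(line)) and current_key:
            entries.append(AutostartEntry(current_key, m["name"], m["path"], m["meta"],
                                          assess(m["path"], m["meta"], True)))
        elif (m := SERVICE.match(line)):
            # Every service line in this log ends in [x], so the marker is kept
            # for the record but not used as a signal.
            entries.append(AutostartEntry(m["start"], m["name"], m["path"], m["meta"],
                                          assess(m["path"], m["meta"], False)))
    return entries


def flagged(entries: List[AutostartEntry]) -> List[AutostartEntry]:
    return [e for e in entries if e.suspicious]


if __name__ == "__main__":
    for e in parse_loading_points(SAMPLE_LOG):
        tag = "CHECK" if e.suspicious else "ok   "
        print(f"{tag} {e.name:<32} {e.path}  {'; '.join(e.reasons)}")
```

Run against the sample it marks only the constructed `ExampleLoader` entry and the `SynTPEnh` value; everything else in the log's loading points resolves to a dated file under Program Files or Windows, which matches Johnw's reading that the ComboFix result was good.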


#42
June 23, 2014 at 16:57:00
"I am surprised you didn't catch that, LOL, you were right on it before :)"
Yep, I slipped up, got too used to you being so good, I didn't even think of double checking.

Combofix result good.



#43
June 23, 2014 at 17:00:26
Hey we all make mistakes :)

Results of screen317's Security Check version 0.99.85
Windows 7 Service Pack 1 x64 (UAC is enabled)
Internet Explorer 11
[b][u]``````````````Antivirus/Firewall Check:``````````````[/b][/u]
Windows Firewall Enabled!
Windows Firewall Disabled!
Microsoft Security Essentials
(On Access scanning [b]disabled[/b]!)
[color=red]Error obtaining update status for antivirus![/color]
[b][u]`````````Anti-malware/Other Utilities Check:`````````[/b][/u]
Spybot - Search & Destroy
Java 7 Update 60
Adobe Flash Player 13.0.0.214 [b][color=red]Flash Player out of Date![/color][/b]
Adobe Reader XI
Mozilla Firefox (30.0)
Google Chrome 35.0.1916.114
Google Chrome 35.0.1916.153
[b][u]````````Process Check: objlist.exe by Laurent````````[/b][/u]
Microsoft Security Essentials MSMpEng.exe
Microsoft Security Essentials msseces.exe
[b][color=red]Spybot Teatimer.exe is disabled![/color][/b]
[b][u]`````````````````System Health check`````````````````[/b][/u]
Total Fragmentation on Drive C: 0%
[b][u]````````````````````End of Log``````````````````````[/b][/u]

I know that the firewall and antivirus are disabled. I re-enabled them.

OMG don't judge me!



#44
June 23, 2014 at 17:06:35
"I know that the firewall and antivirus are disabled. I re-enabled them"
Good one, just the flash needs the security updating.

Download OTL, save & run from your Desktop. If your default download location is not the Desktop, drag it out of its location onto the Desktop.
http://oldtimer.geekstogo.com/OTL.exe
http://www.itxassociates.com/OT-Too...
Double click the OTL icon to start the tool. (Note: If you are running on Vista or Windows 7, accept the UAC alert)
1: When the window appears, underneath Output at the top, make sure Standard output is selected.
2: Select Scan all users
3: Change Drivers to All
4: Under the Extra Registry section, check Use SafeList
5: In the lower right corner, checkmark "LOP Check" and checkmark "Purity Check".
6: Click Run Scan and let the program run uninterrupted.
Screenshots ( SS ) of 1 - 6
http://i.imgur.com/rvTDUlL.gif
When the scan is complete, two text files will be created on your Desktop
OTL.Txt <- this one will be opened
Extras.txt <- this one will be minimized

Upload the logs using this. I upload to Imgur.com for images & load.to for files ( neither needs an account ). Give us the links please.

Image Uploader
http://www.softpedia.com/get/Intern...
http://www.softpedia.com/progScreen...
http://zenden.ws/imageuploader_ru
How to use for files.
http://i.imgur.com/FhtnM6c.gif
http://i.imgur.com/yBtjlpb.gif
http://i.imgur.com/txFkgpT.gif

Free file sharing sites come & go, if Imgur.com & load.to are too busy ( or not working ) here are others to try.
free file upload no account needed
http://is.gd/ije9W6
http://www.zippyshare.com/
http://www.speedyshare.com/
http://www.filedropper.com/index.php
http://www.wikisend.com/
https://www.sendspace.com/
http://www.megafileupload.com/

message edited by Johnw



#45
June 23, 2014 at 17:33:21
Yea, it asked me to update Flash, but I wanted to finish uploading photos first. I will update it here after a bit. Here are the OTL logs.

http://www.load.to/gRddC6VBOG/Extra...
http://www.load.to/VdNLWyybF8/OTL.Txt

OMG don't judge me!



#46
June 23, 2014 at 18:28:30
2 files that are not normally there & look suspicious.

ezsidmv.dat & wklnhst.dat
C:\ProgramData\ezsidmv.dat
C:\Users\paulett\AppData\Roaming\wklnhst.dat

I would rename them by adding the word unknown & see what happens.
ezsidmvunknown.dat
wklnhstunknown.dat

Run TFC
http://www.geekstogo.com/forum/file...
http://www.bleepingcomputer.com/dow...
http://oldtimer.geekstogo.com/TFC.exe
http://www.itxassociates.com/OT-Too...
Please double-click TFC.exe to run it. (Note: If you are running on Vista/Windows 7/8, right-click on the file and choose Run As Administrator.)
It will close all programs when run, so make sure you have saved all your work before you begin.
Click the Start button to begin the process. Depending on how often you clean temp files, execution time should be anywhere from a few seconds to a minute or two. Let it run uninterrupted to completion.
Once it's finished it should reboot your machine. If it does not, please manually reboot the machine yourself to ensure a complete clean.

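Johnw's "rename it and see what happens" step in the post above is a reversible way to neutralise a file you cannot identify. The helper below is an added example, not code from this thread, that performs the same rename (ezsidmv.dat to ezsidmvunknown.dat) while recording the original path, the new path and the file's SHA-256 in a JSON manifest, so the step can be undone exactly later or the hash looked up if the file turns out to matter. The two file names come from the post; the file contents and the temporary directory used in `demo()` are constructed stand-ins.

```python
"""Reversible 'rename to neutralise' for files you cannot identify.

Added example, not code from this thread. It renames a file the way the post
above suggests (ezsidmv.dat -> ezsidmvunknown.dat) and keeps a JSON manifest
with the original path, new path and SHA-256 so the step can be undone exactly
and the hash checked later. Stand-in files and the temp directory in demo()
are constructed for the demonstration.
"""
import hashlib
import json
import tempfile
from pathlib import Path

SUFFIX = "unknown"                       # the word the post appends to the file's stem
MANIFEST_NAME = "neutralized_files.json"


def sha256_of(path: Path) -> str:
    """Hash the file in chunks so large files do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def neutralized_name(path: Path) -> Path:
    """ezsidmv.dat -> ezsidmvunknown.dat: stem + SUFFIX, extension kept."""
    return path.with_name(f"{path.stem}{SUFFIX}{path.suffix}")


def neutralize(path: Path, manifest: Path) -> dict:
    """Rename one file and append a record of it to the manifest."""
    if not path.is_file():
        raise FileNotFoundError(path)
    target = neutralized_name(path)
    if target.exists():
        raise FileExistsError(target)    # never clobber a previous rename
    record = {
        "original": str(path),
        "renamed": str(target),
        "sha256": sha256_of(path),       # hash taken before the rename
        "size": path.stat().st_size,
    }
    path.rename(target)
    entries = json.loads(manifest.read_text()) if manifest.exists() else []
    entries.append(record)
    manifest.write_text(json.dumps(entries, indent=2))
    return record


def restore(manifest: Path) -> int:
    """Undo every recorded rename whose file is unchanged; return the count."""
    if not manifest.exists():
        return 0
    restored = 0
    for rec in json.loads(manifest.read_text()):
        src, dst = Path(rec["renamed"]), Path(rec["original"])
        if not src.is_file() or dst.exists():
            continue
        if sha256_of(src) != rec["sha256"]:
            continue                     # modified since the rename; leave for manual review
        src.rename(dst)
        restored += 1
    return restored


def demo() -> dict:
    """Neutralise two constructed stand-ins named as in the post, then restore them."""
    base = Path(tempfile.mkdtemp())
    manifest = base / MANIFEST_NAME
    names = ["ezsidmv.dat", "wklnhst.dat"]
    for n in names:
        (base / n).write_bytes(b"constructed stand-in content, not the real file\n")
    records = [neutralize(base / n, manifest) for n in names]
    result = {
        "renamed": sorted(Path(r["renamed"]).name for r in records),
        "originals_gone": not any((base / n).exists() for n in names),
    }
    result["restored"] = restore(manifest)
    result["originals_back"] = all((base / n).is_file() for n in names)
    return result


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Keeping the hash in the manifest is what makes the later "delete those, or just leave them" choice safe: the file can be identified from its SHA-256 at any point, and `restore()` refuses to put back a file that has changed since it was renamed.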


#47
July 1, 2014 at 20:24:25
Sorry it's been so long again. I changed the names like you said and nothing happened, that I noticed.

Also ran TFC and it cleaned up about 3.6 MB if I remember correctly.

OMG don't judge me!



#48
July 1, 2014 at 20:48:40
Oh, and I did update Flash also

OMG don't judge me!



#49
July 2, 2014 at 03:31:59
" I changed the names like you said and nothing happened, that I noticed"
When you're happy all is OK, you can delete those, or just leave them, they are now disabled.

"Oh, and I did update Flash also"
Good.

Here is my info to pass over to your mother in law & a program you may like to install.

As you can see from your logs, you had a lot of stuff installed that you did not know had been installed.
A lot of programs now give you the choice to install toolbars & other extras during the install. Either uncheck these items during install, or use Custom install. No more click, click during an install, you have to read after each click.

I use Softpedia; down the bottom of the page, they make you aware of what ad-supported programs the author of the program has included.
Sample pages
http://www.softpedia.com/get/CD-DVD...
http://www.softpedia.com/get/Multim...
Users are advised to pay attention while installing this ad-supported application:
· Offers to change the homepage for web browsers installed in the system
· Offers to change the default search engine for web browsers installed in the system
· Offers to install StartNow Toolbar that the program does not require to fully function
SS ( screenshots ) of above
http://i.imgur.com/CSBplyA.gif
http://i.imgur.com/3eWWoXm.gif

Use Unchecky to help prevent these third party installs. Nothing is perfect, the baddies are always ahead of the goodies.
http://www.softpedia.com/get/System...
http://www.softpedia.com/progScreen...
http://unchecky.com/
How to download from Softpedia
http://i.imgur.com/iZ3Fzmc.gif
http://i.imgur.com/NNgm1rF.gif
A reliable application that aims to protect your computer against third-party components often offered during software installations.

After running your Wise tools, you should be all done.
Run both, in this order.
Run Wise Disk Cleaner ( Run the 1st three tabs, left to right. I use default settings, leave boxes that are unchecked, unchecked )
http://www.softpedia.com/get/System...
http://www.softpedia.com/progScreen...
http://www.wisecleaner.com/download...
http://i.imgur.com/Jecnfvb.gif
http://i.imgur.com/0xHwdom.gif
http://i.imgur.com/JZLYOLf.gif
http://i.imgur.com/4kfaeGW.gif

Run Wise Registry Cleaner ( Only use Registry Cleaner & with default settings. Don't use System Tuneup, that is for Experts, you really have to know what you are doing )
http://www.softpedia.com/get/Tweak/...
http://www.softpedia.com/progScreen...
http://www.wisecleaner.com/wiseregi...
http://i.imgur.com/Qy7HWcA.gif



#50
July 2, 2014 at 10:44:26
Ok I did all of that. I have used Wise for a while now, and they were already installed on the computer.

I don't know if there is anything else that you want to suggest to do, but I am considering just formatting the computer. I tried to go to the gaming site she uses all the time and it is slow and laggy. I made sure Java was updated and also I closed other programs running that might have hindered performance.

I know she will not be happy with this and I told her that I can format and make it like new again, which has me cringing because of all the time that has already been put into it.
What do you think?

OMG don't judge me!



#51
July 2, 2014 at 10:55:12
"...she will not be happy with this and I told her that I can format and make it like new again..."

"What do you think?"

Guess the question is how likely is she to do this again? It would likely clean up the mess she's created, but may or may not improve the situation with her games being slow (she really needs to make sure the sites she visits are "safe"). No matter what you decide, make sure the machine is adequately protected from "nasties" before you turn it back over to her...

"Channeling the spirit of jboy..."



#52
July 2, 2014 at 11:14:31
Oh, she will do it again, that is a guarantee. She only plays on Pogo.com, and some games on facebook. Her issue is that since I live so far from her, when the computer starts going slow, she NEEDS it fixed right away, and gets herself into situations where it is worse than before.

I am honestly not feeling like formatting right now, so I might go ahead and give her back the computer with the TeamViewer program installed, and help her that way. If she does it again, I will format.

I think next time she will just go and get a new computer, even though there isn't anything wrong with this one, just has so much installed and uninstalled. I figure a fresh registry would help, but how long until she fudges it up again is the question. To be fair, it's not just her, my step-daughter does her fair share to mess it up too, installing Skype (there isn't a webcam on this system) and IMVU...both messed this up in the past and I figure there has to be lingering remnants on the system from those programs.

Gotta love mothers-in-law!

OMG don't judge me!



#53
July 2, 2014 at 16:49:09
" I tried to go to the gaming site she uses all the time and it is slow and laggy"

May need cleaning Shanna.

Information about cleaning computer components
http://www.computerhope.com/cleanin...
http://www.wiscocomputing.com/artic...
http://www.librarysupportstaff.com/...
http://www.bleepingcomputer.com/tut...
Getting The Grunge Out Of Your PC, Fred Langa cleans the dirtiest PC he can find, and along the way shows you how you can easily tackle yours. There are 7 pages.
http://www.informationweek.com/news...



#54
July 2, 2014 at 17:40:52
Look at it this way; a computer acts as an air cleaner/filter... And without it/them we would all be breathing a lot more dust and muck than we are now...

And if the ants move in (we had that problem recently as I recall) they will be quite comfy in there amongst the fluff and compressed dust etc.; and very grateful....

