Norton Internet Security SAPE.Bundler.17

Toshiba /
October 13, 2014 at 16:48:33
Specs: Windows 8, 1.30 GH
A few days ago I started getting this Norton Security "low risk" alert. It is SAPE.Bundler.17; I haven't found any reference to it on Norton's website and wondered if this is a "phishing" or some sort of hacking attempt?



#1
October 13, 2014 at 16:57:01
Let's see what we can find. These are just to get a first look; we'll probably need to run more as we progress.

Run both of these, in this order.

Step 1: Run AdwCleaner
http://www.softpedia.com/get/Antivi...
http://www.raymond.cc/blog/adwclean...
http://www.bleepingcomputer.com/dow...
Author's site
http://general-changelog-team.fr/en...
Tutorial
http://general-changelog-team.fr/en...
Close all open programs and internet browsers.
Double click on AdwCleaner.exe to run the tool.
Click on Clean.
Confirm each time with Ok.
Your computer will be rebooted automatically. A text file will open after the restart.
Please Copy & Paste the contents of that logfile with your next answer.
You can find the logfile at C:\AdwCleaner[S1].txt as well.

Step 2: Run Junkware Removal Tool
http://www.softpedia.com/get/Securi...
http://www.bleepingcomputer.com/dow...
http://thisisudax.blogspot.com.au/2...
Download Junkware Removal Tool onto your Desktop. If your default download location is not the Desktop, drag it out of its location onto the Desktop.
Warning! Once the scan is complete JRT will shut down your browser with NO warning.
Shut down your protection software now to avoid potential conflicts.
Temporarily disable your antivirus and any antispyware real time protection before performing a scan.
Click this link to see a list of security programs that should be disabled and how to disable them.
http://www.bleepingcomputer.com/for...
http://www.techsupportforum.com/for...
Run the tool by double-clicking it. If you are using Windows Vista or Windows 7/8, right-click JRT and select Run as Administrator.
The tool will open and start scanning your system.
Please be patient as this can take a while to complete depending on your system's specifications.
On completion, a log (JRT.txt) is saved onto your Desktop and will automatically open.
Copy and Paste the contents of the JRT.txt log please.



#2
October 17, 2014 at 09:26:34
Finally got around to running AdwCleaner and JRT; neither resolved the issue with the pop-up stating a threat was detected requiring an action.
# AdwCleaner v4.000 - Report created 16/10/2014 at 17:03:00
# DB v2014-10-16.8
# Updated 12/10/2014 by Xplode
# Operating System : Windows 8.1 (64 bits)
# Username : Joseph - TOSHIBA-PC
# Running from : C:\Users\Joseph\Downloads\adwcleaner_4.000.exe
# Option : Clean

***** [ Services ] *****


***** [ Files / Folders ] *****


***** [ Scheduled Tasks ] *****


***** [ Shortcuts ] *****


***** [ Registry ] *****

Key Deleted : HKLM\SOFTWARE\Google\Chrome\Extensions\mkfokfffehpeedafpekjeddnmnjhmcmk
Key Deleted : [x64] HKLM\SOFTWARE\Google\Chrome\Extensions\mkfokfffehpeedafpekjeddnmnjhmcmk

***** [ Browsers ] *****

-\\ Internet Explorer v11.0.9600.17278

Setting Restored : HKCU\Software\Microsoft\Internet Explorer\Main [Secondary Start Pages]
Setting Restored : HKCU\Software\Microsoft\Internet Explorer\Main [Default_Secondary_Page_URL]
Setting Restored : HKLM\SOFTWARE\Microsoft\Internet Explorer\Main [Default_Secondary_Page_URL]
Setting Restored : HKLM\SOFTWARE\Microsoft\Internet Explorer\Main [Secondary Start Pages]
Setting Restored : [x64] HKLM\SOFTWARE\Microsoft\Internet Explorer\Main [Default_Secondary_Page_URL]
Setting Restored : [x64] HKLM\SOFTWARE\Microsoft\Internet Explorer\Main [Secondary Start Pages]

*************************

AdwCleaner[R0].txt - [1629 octets] - [16/10/2014 16:58:03]
AdwCleaner[S0].txt - [1344 octets] - [16/10/2014 17:03:00]

########## EOF - C:\AdwCleaner\AdwCleaner[S0].txt - [1404 octets] ##########
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Thisisu
Version: 6.3.3 (10.14.2014:1)
OS: Windows 8.1 x64
Ran by Joseph on Fri 10/17/2014 at 8:51:05.14
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


~~~ Services

~~~ Registry Values

~~~ Registry Keys

~~~ Files

~~~ Folders

~~~ Event Viewer Logs were cleared

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on Fri 10/17/2014 at 8:57:30.14
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~



#3
October 17, 2014 at 14:27:23
"neither resolved the issue with the pop up stating a threat was detected requiring an action"
That's normal, we have to dismantle the malware bit by bit.

Run RogueKiller
http://www.softpedia.com/get/Securi...
http://majorgeeks.com/RogueKiller_d...
http://www.geekstogo.com/forum/file...
http://tigzy.geekstogo.com/roguekil...
http://www.sur-la-toile.com/RogueKi...
User Guide
http://www.adlice.com/softwares/rog...
Official tutorial
http://www.adlice.com/softwares/rog...
If RogueKiller won't run, open IE & turn off SmartScreen Filter.
http://windows.microsoft.com/en-AU/...
Download & SAVE to your Desktop. If your default download location is not the Desktop, drag it out of its location onto the Desktop.
Quit all programs that you may have started.
Shutdown your antivirus to avoid any conflicts.
Please disconnect any USB or external drives from the computer before you run this scan!
For Vista or Windows 7/8, right-click and select "Run as Administrator" to start.

For Windows XP, double-click to start.
Wait until Prescan has finished ...
Then Click on "Scan" button
Wait until the Status box shows "Scan Finished"
Click on "delete"
Wait until the Status box shows "Deleting Finished"
Click on "Report" and Copy & Paste the content of the Notepad into your next reply.
The log should be found in RKreport[1].txt on your Desktop.
Exit/Close RogueKiller.
When completed make sure to re-enable your antivirus.



#4
October 19, 2014 at 10:46:52
RogueKiller V10.0.2.0 [Oct 16 2014] by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : http://forum.adlice.com
Website : http://www.adlice.com/softwares/rog...
Blog : http://www.adlice.com

Operating System : Windows 8.1 (6.3.9200 ) 64 bits version
Started in : Normal mode
User : Joseph [Administrator]
Mode : Scan -- Date : 10/19/2014 10:12:49

¤¤¤ Processes : 0 ¤¤¤

¤¤¤ Registry : 6 ¤¤¤
[PUM.HomePage] (X64) HKEY_USERS\S-1-5-21-2871600126-1854696350-10267512-1001\Software\Microsoft\Internet Explorer\Main | Start Page : http://bing.com/ -> Found
[PUM.HomePage] (X86) HKEY_USERS\S-1-5-21-2871600126-1854696350-10267512-1001\Software\Microsoft\Internet Explorer\Main | Start Page : http://bing.com/ -> Found
[PUM.DesktopIcons] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1 -> Found
[PUM.DesktopIcons] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {59031a47-3f72-44a7-89c5-5595fe6b30ee} : 1 -> Found
[PUM.DesktopIcons] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1 -> Found
[PUM.DesktopIcons] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {59031a47-3f72-44a7-89c5-5595fe6b30ee} : 1 -> Found

¤¤¤ Tasks : 0 ¤¤¤

¤¤¤ Files : 0 ¤¤¤

¤¤¤ Hosts File : 0 ¤¤¤

¤¤¤ Antirootkit : 16 (Driver: Not loaded [0xc000036b]) ¤¤¤
[IAT:Addr] (iexplore.exe @ ondemandconnroutehelper.dll) api-ms-win-appmodel-runtime-l1-1-1.dll - GetCurrentApplicationUserModelId : C:\WINDOWS\SYSTEM32\kernel.appcore.dll @ 0x748721ba
[IAT:Addr] (iexplore.exe @ MFPlat.DLL) api-ms-win-devices-config-l1-1-1.dll - CM_Get_Device_Interface_List_SizeW : C:\WINDOWS\SYSTEM32\cfgmgr32.dll @ 0x751f4301
[IAT:Addr] (iexplore.exe @ MFPlat.DLL) api-ms-win-devices-config-l1-1-1.dll - CM_Get_Device_Interface_ListW : C:\WINDOWS\SYSTEM32\cfgmgr32.dll @ 0x751f40c0
[IAT:Addr] (iexplore.exe @ MFPlat.DLL) api-ms-win-devices-config-l1-1-1.dll - CM_Unregister_Notification : C:\WINDOWS\SYSTEM32\cfgmgr32.dll @ 0x751fdaba
[IAT:Addr] (iexplore.exe @ MFPlat.DLL) api-ms-win-devices-config-l1-1-1.dll - CM_Register_Notification : C:\WINDOWS\SYSTEM32\cfgmgr32.dll @ 0x751fe251
[IAT:Addr] (iexplore.exe @ MFPlat.DLL) api-ms-win-devices-config-l1-1-1.dll - CM_MapCrToWin32Err : C:\WINDOWS\SYSTEM32\cfgmgr32.dll @ 0x751fe838
[IAT:Addr] (iexplore.exe @ MFPlat.DLL) api-ms-win-devices-config-l1-1-1.dll - CM_Open_Device_Interface_KeyW : C:\WINDOWS\SYSTEM32\cfgmgr32.dll @ 0x75204239
[IAT:Addr] (iexplore.exe @ MFMediaEngine.dll) api-ms-win-appmodel-runtime-l1-1-1.dll - GetPackagesByPackageFamily : C:\WINDOWS\SYSTEM32\kernel.appcore.dll @ 0x7487233a
[IAT:Addr] (iexplore.exe @ MFMediaEngine.dll) api-ms-win-appmodel-runtime-l1-1-1.dll - PackageIdFromFullName : C:\WINDOWS\SYSTEM32\kernel.appcore.dll @ 0x74872436
[IAT:Addr] (iexplore.exe @ MFMediaEngine.dll) api-ms-win-appmodel-runtime-l1-1-1.dll - GetCurrentPackageFullName : C:\WINDOWS\SYSTEM32\kernel.appcore.dll @ 0x748721f6
[IAT:Addr] (iexplore.exe @ DEVOBJ.dll) api-ms-win-devices-config-l1-1-1.dll - CM_Set_Class_Registry_PropertyW : C:\WINDOWS\SYSTEM32\cfgmgr32.dll @ 0x752196a1
[IAT:Addr] (iexplore.exe @ DEVOBJ.dll) api-ms-win-devices-config-l1-1-1.dll - CM_Get_Class_Registry_PropertyW : C:\WINDOWS\SYSTEM32\cfgmgr32.dll @ 0x752188f4
[IAT:Addr] (iexplore.exe @ DEVOBJ.dll) api-ms-win-devices-config-l1-1-1.dll - CM_Get_Device_IDW : C:\WINDOWS\SYSTEM32\cfgmgr32.dll @ 0x751fd590
[IAT:Addr] (iexplore.exe @ DEVOBJ.dll) api-ms-win-devices-query-l1-1-1.dll - DevCloseObjectQuery : C:\WINDOWS\SYSTEM32\cfgmgr32.dll @ 0x751ffdc1
[IAT:Addr] (iexplore.exe @ DEVOBJ.dll) api-ms-win-devices-query-l1-1-1.dll - DevCreateObjectQuery : C:\WINDOWS\SYSTEM32\cfgmgr32.dll @ 0x75200420
[IAT:Addr] (iexplore.exe @ WINMMBASE.dll) api-ms-win-devices-config-l1-1-1.dll - CM_Get_DevNode_Status : C:\WINDOWS\SYSTEM32\cfgmgr32.dll @ 0x751f684f

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: TOSHIBA MQ01ABF050 +++++
--- User ---
[MBR] a84dd93b5b19931ceaddbccc47850486
[BSP] df4f83c1f72e36823a12b0dfc7617313 : Empty MBR Code
Partition table:
0 - [XXXXXX] UNKNOWN (0x0) [VISIBLE] Offset (sectors): 1 | Size: 2097151 MB
User = LL1 ... OK
User = LL2 ... OK



#5
October 19, 2014 at 15:47:23
Run RogueKiller again please, then post the log after hitting Delete.


#6
October 21, 2014 at 17:01:27
Hello, I had a similar issue. Mine was SAPE.bundler.1d. So whenever I feel that there is a threat on my computer, I restart. During restart I keep pushing the F8 key until it enters the setup mode. Then I run it in Safe Mode with Networking. Then I run a full scan and a Power Eraser, which checks for rootkits. That was how I found it. There were two instances of it. I hope this helps.
Also, I forgot to mention that I perform tasks such as updates while still in safe mode.

message edited by Gloriak



#7
October 26, 2014 at 14:19:43
Thanks Gloriak... it appears to have the same results as previous scans even though the latest was run in safe mode, as follows:

RogueKiller V10.0.2.0 [Oct 16 2014] by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : http://forum.adlice.com
Website : http://www.adlice.com/softwares/rog...
Blog : http://www.adlice.com

Operating System : Windows 8.1 (6.3.9600 ) 64 bits version
Started in : Safe mode with network support
User : Joseph [Administrator]
Mode : Scan -- Date : 10/26/2014 13:17:42

¤¤¤ Processes : 0 ¤¤¤

¤¤¤ Registry : 6 ¤¤¤
[PUM.HomePage] (X64) HKEY_USERS\S-1-5-21-2871600126-1854696350-10267512-1001\Software\Microsoft\Internet Explorer\Main | Start Page : http://bing.com/ -> Found
[PUM.HomePage] (X86) HKEY_USERS\S-1-5-21-2871600126-1854696350-10267512-1001\Software\Microsoft\Internet Explorer\Main | Start Page : http://bing.com/ -> Found
[PUM.DesktopIcons] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1 -> Found
[PUM.DesktopIcons] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {59031a47-3f72-44a7-89c5-5595fe6b30ee} : 1 -> Found
[PUM.DesktopIcons] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1 -> Found
[PUM.DesktopIcons] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {59031a47-3f72-44a7-89c5-5595fe6b30ee} : 1 -> Found

¤¤¤ Tasks : 0 ¤¤¤

¤¤¤ Files : 0 ¤¤¤

¤¤¤ Hosts File : 0 ¤¤¤

¤¤¤ Antirootkit : 0 (Driver: Not loaded [0xc0000061]) ¤¤¤

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: TOSHIBA MQ01ABF050 +++++
--- User ---
[MBR] a84dd93b5b19931ceaddbccc47850486
[BSP] df4f83c1f72e36823a12b0dfc7617313 : Empty MBR Code
Partition table:
0 - [XXXXXX] UNKNOWN (0x0) [VISIBLE] Offset (sectors): 1 | Size: 2097151 MB
User = LL1 ... OK
User = LL2 ... OK


============================================
RKreport_SCN_10192014_101249.log - RKreport_SCN_10212014_081316.log



#8
October 26, 2014 at 15:47:27
Download ComboFix onto your Desktop & then run. If your default download location is not the Desktop, drag it out of its location onto the Desktop. Copy & Paste the contents of the log in your next post please. ComboFix's log should be located at C:\COMBOFIX.TXT.
http://www.bleepingcomputer.com/dow...
http://download.bleepingcomputer.co...
http://www.forospyware.com/sUBs/Com...
A guide and tutorial on using ComboFix
http://www.bleepingcomputer.com/com...
http://www.winhelp.us/index.php/gen...
Manually restoring the Internet connection
http://www.bleepingcomputer.com/com...
There are circumstances where ComboFix will hang, crash or stall at various stages due to malware interference, failure to disable other real-time protection tools or the presence of CD emulators (Daemon Tools, Alcohol 120%, Astroburn, AnyDVD) so that it does not complete successfully. Also, depending on how badly a system is infected, ComboFix may take longer to complete its routine than it normally does or fail to run properly. While that is not normal behavior, it is not unusual.
If you think it's frozen, look at the computer clock.
If it's running, Combofix is still working.
NOTE: Do not mouseclick combofix's window while it is running. That may cause it to stall.
NOTE: ComboFix will check to see if the Microsoft Windows Recovery Console is installed.
***It's strongly recommended to have the Recovery Console installed before doing any malware removal.***
**Please Note: If the Microsoft Windows Recovery Console is already installed, ComboFix will automatically proceed with its scan.
The Recovery Console provides a recovery/repair mode should a problem occur during a Combofix run.
Allow ComboFix to download the Recovery Console.
Accept the End-User License Agreement.
The Recovery Console will be installed.
You will then get this next prompt that asks if you want to continue the malware scan, select yes.
If after running ComboFix you discover none of your programs will open up, and you receive the following error: "Illegal operation attempted on a registry key that has been marked for deletion", then the answer is to REBOOT the machine, and all will be corrected.
Can't Install an Antivirus - Windows Security Center still detects previous AV
http://www.experts-exchange.com/Vir...
We are almost ready to start ComboFix, but before we do so, we need to take some preventative measures so that there are no conflicts with other programs when running ComboFix. At this point you should do the following:
* Close all open Windows including this one.
* Close or disable all running Antivirus, Antispyware, and Firewall programs as they may interfere with the proper running of ComboFix. Instructions on disabling these type of programs can be found in this topic.
http://www.bleepingcomputer.com/for...
http://www.techsupportforum.com/for...
Once these two steps have been completed, double-click on the ComboFix icon found on your Desktop.
Please Note: Once you start ComboFix you should not click anywhere on the ComboFix window as it can cause the program to stall. In fact, when ComboFix is running, do not touch your computer at all. The scan could take a while, so please be patient.


#9
October 27, 2014 at 09:22:26
I am running OS Windows 8.1 and notice that ComboFix isn't recommended for this OS.


#10
October 27, 2014 at 17:16:21
"ComboFix isn't recommended for this OS"
Correct, sorry.

Run ESET Online Scanner, Copy and Paste the contents of the log in your reply please. This scan may take a very long while, so please be patient. Maybe start it before going to work or bed.
http://www.eset.com/us/online-scann...
http://www.eset.com/home/products/o...
You may have to download ESET from a good computer, put it on a flash/thumb/pen drive & run it from there, if your comp is unbootable, or won't let you download.
Create a ESET SysRescue CD or USB drive
http://kb.eset.com/esetkb/index?pag...
How do I use my ESET SysRescue CD or USB flash drive to scan and clean my system?
http://kb.eset.com/esetkb/index?pag...
Configure ESET this way & disable your AV.
http://i.imgur.com/3U7YC.gif
How to Temporarily Disable your Anti-virus
http://www.bleepingcomputer.com/for...
http://www.techsupportforum.com/for...
Which web browsers are compatible with ESET Online Scanner?
http://www.nod32.fi/eset-online-sca...
http://kb.eset.com/esetkb/index?pag...
Online Scanner not working
http://kb.eset.com/esetkb/index?pag...
Why Would I Ever Need an Online Virus Scanner? I already have an antivirus program installed, isn't that enough?
http://www.squidoo.com/the-best-fre...
Once onto a machine, malware can disable antivirus programs, prevent antimalware programs from downloading updates, or prevent a user from running antivirus scans or installing new antivirus software or malware removal tools. At this point even though you are aware the computer is infected, removal is very difficult.
5: Why does the ESET Online Scanner run slowly on my computer?
If you have other antivirus, antispyware or anti-malware programs running on your computer, they may intercept the scan being performed by the ESET Online Scanner and hinder performance. You may wish to disable the real-time protection components of your other security software before running the ESET Online Scanner. Remember to turn them back on after you are finished.
17: How can I view the log file from ESET Online Scanner?
http://kb.eset.com/esetkb/index?pag...
http://www.eset.com/home/products/o...
The ESET Online Scanner saves a log file after running, which can be examined or sent in to ESET for further analysis. The path to the log file is "C:\Program Files\EsetOnlineScanner\log.txt". You can view this file by navigating to the directory and double-clicking on it in Windows Explorer, or by copying and pasting the path specification above (including the quotation marks) into the Start > Run dialog box from the Start Menu on the Desktop.
If no threats are found, you will simply see an information window that no threats were found.
http://www.trishtech.com/security/s...



#11
October 29, 2014 at 09:24:39
Thanks Johnw,

Here are my results for ESET online scan

C:\Users\Joseph\AppData\Local\Microsoft\Windows\INetCache\IE\478LTT2M\Notepad! Setup.exe a variant of Win32/DownloadAssistant.A potentially unwanted application deleted - quarantined
C:\Users\Joseph\AppData\Local\Microsoft\Windows\INetCache\IE\TS5O81H2\spstub[1].exe a variant of Win32/ClientConnect.A potentially unwanted application deleted - quarantined
C:\Users\Joseph\AppData\Local\Microsoft\Windows\INetCache\IE\YCXVTGLL\OrbiterInstaller[1].exe a variant of Win32/Conduit.SearchProtect.N potentially unwanted application deleted - quarantined
C:\Users\Joseph\AppData\Local\Microsoft\Windows\INetCache\IE\YCXVTGLL\sp-downloaderB[1].exe Win32/Toolbar.Conduit.R potentially unwanted application deleted - quarantined
C:\Users\Joseph\AppData\Local\Temp\a29kcXUtQU\3x99QiPO\Setup.exe a variant of Win32/DownloadAssistant.A potentially unwanted application deleted - quarantined
C:\Users\Joseph\AppData\Local\Temp\a2R7PkoijL\GoBLZ5F60p\sp-downloaderB.exe Win32/Toolbar.Conduit.R potentially unwanted application deleted - quarantined
C:\Users\Joseph\AppData\Local\Temp\a2WR1nGqco\czCuYlpR\Setup.exe a variant of Win32/DownloadAssistant.A potentially unwanted application deleted - quarantined
C:\Users\Joseph\Downloads\cutepdfwriter-setup.exe Win32/DownloadAdmin.G potentially unwanted application deleted - quarantined
C:\Users\Joseph\Downloads\java_installer.exe a variant of Win32/SquareNet.A potentially unwanted application deleted - quarantined
C:\Users\Joseph\Downloads\Outlook Express.exe a variant of Win32/FirseriaInstaller.G potentially unwanted application deleted - quarantined


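The ESET Online Scanner result lines above all share one shape: a file path, an optional "a variant of" marker, a signature name such as Win32/Toolbar.Conduit.R, a classification ("potentially unwanted application"), and the action taken. The following parser is an added example written for this thread; it is not ESET's code and not part of the original post. It turns such lines into records and then groups them by detection family and by where on the disk the file sat (browser cache, temp folder, Downloads), which is the quickest way to see whether a batch of PUAs came from one bundled installer chain. The sample log lines in the block are constructed with a placeholder username and cache folder names and are not the poster's log.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# One ESET Online Scanner result line, e.g.
#   C:\...\sp-downloaderB.exe Win32/Toolbar.Conduit.R potentially unwanted application deleted - quarantined
# The path is matched non-greedily so paths containing spaces ("Outlook Express.exe") still parse:
# the engine extends the path until the next token is a platform-prefixed signature name.
LINE_RE = re.compile(
    r"^(?P<path>.+?)\s+"
    r"(?P<variant>a variant of\s+)?"
    r"(?P<sig>(?:Win32|Win64|MSIL|JS|HTML|VBS|Java|Android)/\S+)\s+"
    r"(?P<kind>potentially unwanted application|potentially unsafe application|trojan|worm|adware)\s+"
    r"(?P<action>.+?)\s*$"
)


@dataclass
class Detection:
    path: str
    signature: str      # full signature name, e.g. Win32/DownloadAssistant.A
    family: str         # signature without the trailing variant letter
    kind: str           # ESET classification text
    action: str         # what the scanner did with the file
    variant: bool       # True when the line said "a variant of"


def parse_line(line: str) -> Optional[Detection]:
    """Parse one result line; return None for blank lines, headers or anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    sig = m.group("sig")
    # "Win32/Conduit.SearchProtect.N" -> family "Win32/Conduit.SearchProtect"
    family = sig.rsplit(".", 1)[0] if "." in sig else sig
    return Detection(
        path=m.group("path"),
        signature=sig,
        family=family,
        kind=m.group("kind"),
        action=m.group("action"),
        variant=m.group("variant") is not None,
    )


def parse_log(text: str) -> list:
    """Parse a whole log, silently skipping lines that are not result lines."""
    records = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is not None:
            records.append(rec)
    return records


def classify_location(path: str) -> str:
    """Coarse bucket for where the file was found; drives the 'how did it get here' question."""
    p = path.lower()
    if "\\inetcache\\" in p or "\\temporary internet files\\" in p:
        return "browser cache"       # fetched by the browser, typically a downloader stub
    if "\\appdata\\local\\temp\\" in p:
        return "temp"                # extracted by an installer while it ran
    if "\\downloads\\" in p:
        return "downloads"           # what the user deliberately saved
    return "other"


def summarize(records: list) -> dict:
    """Count detections by family, by location bucket, and how many were quarantined."""
    return {
        "total": len(records),
        "by_family": Counter(r.family for r in records),
        "by_location": Counter(classify_location(r.path) for r in records),
        "quarantined": sum(1 for r in records if "quarantined" in r.action),
    }


# Constructed sample log: placeholder user name and cache folder names, same line format as ESET's.
SAMPLE_LOG = r"""
ESET Online Scanner results (constructed sample)
C:\Users\USER\AppData\Local\Microsoft\Windows\INetCache\IE\ABCD1234\Notepad! Setup.exe a variant of Win32/DownloadAssistant.A potentially unwanted application deleted - quarantined
C:\Users\USER\AppData\Local\Temp\xyz\Setup.exe a variant of Win32/DownloadAssistant.A potentially unwanted application deleted - quarantined
C:\Users\USER\AppData\Local\Temp\abc\sp-downloaderB.exe Win32/Toolbar.Conduit.R potentially unwanted application deleted - quarantined
C:\Users\USER\Downloads\Outlook Express.exe a variant of Win32/FirseriaInstaller.G potentially unwanted application deleted - quarantined
C:\Users\USER\Downloads\cutepdfwriter-setup.exe Win32/DownloadAdmin.G potentially unwanted application deleted - quarantined
"""

if __name__ == "__main__":
    summary = summarize(parse_log(SAMPLE_LOG))
    print(f"{summary['total']} detections, {summary['quarantined']} quarantined")
    for family, n in summary["by_family"].most_common():
        print(f"  {n}x {family}")
    for loc, n in summary["by_location"].most_common():
        print(f"  {n} in {loc}")
```

Read against a real log, the same installer family appearing in both Downloads and Temp (as the DownloadAssistant and Conduit entries do in the post above) points at the bundled installers the user ran rather than at a separate infection, which is exactly the picture a "SAPE.Bundler" style heuristic is meant to flag.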

#12
October 29, 2014 at 14:47:40
Thanks josephT

Update & Run Malwarebytes' Anti-Malware ( MBAM ) Free Version. Use Quick scan ( now called Threat Scan )
Malwarebytes' Anti-Malware
http://www.softpedia.com/get/Antivi...
http://www.malwarebytes.org/free/
Make sure you uncheck > Enable free trial < at the END of the install.
http://i.imgur.com/tUFCbYz.gif
Click the Settings tab at the top, and then in the left column, select Detections and Protections, and if not already checked place a checkmark in the selection box to Scan for rootkits.
http://i.imgur.com/dZgt1g2.gif
Copy and Paste the contents of the log, in your reply please.

If potential threats are detected, ensure that Quarantine is selected as the Action for all the listed items, and click the Apply Actions button.
If your MBAM log indicates "No action taken", that's usually a result of NOT clicking the Apply Actions button after the scan. In most cases, a restart will be required.
http://i.imgur.com/U9IqcVj.gif
http://i.imgur.com/zHMG6J9.gif
Or,
http://i.imgur.com/eLcvyZD.gif

message edited by Johnw



#13
October 30, 2014 at 10:38:03
Thanks Johnw,

Results of the Malwarebytes scan below:

Malwarebytes Anti-Malware
www.malwarebytes.org

Scan Date: 10/30/2014
Scan Time: 9:32:45 AM
Logfile: MBAM Threat Scan.txt
Administrator: Yes

Version: 2.00.3.1025
Malware Database: v2014.10.30.10
Rootkit Database: v2014.10.22.01
License: Free
Malware Protection: Disabled
Malicious Website Protection: Disabled
Self-protection: Disabled

OS: Windows 8.1
CPU: x64
File System: NTFS
User: Joseph

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 390029
Time Elapsed: 31 min, 36 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled

Processes: 0
(No malicious items detected)

Modules: 0
(No malicious items detected)

Registry Keys: 0
(No malicious items detected)

Registry Values: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Folders: 0
(No malicious items detected)

Files: 0
(No malicious items detected)

Physical Sectors: 0
(No malicious items detected)


(end)



#14
October 30, 2014 at 15:18:02
Still think you have some unwanted stuff in there josephT; shall keep on trying until I'm 100% sure you haven't.

Please download Rkill from any one of these links and save it to your Desktop. If your default download location is not the Desktop, drag it out of its location onto the Desktop. Copy & Paste the contents of the log in your reply.
http://www.bleepingcomputer.com/dow...
Double click on Rkill to run it. If the first one doesn't work try the next one.
This will help remove certain processes and should restore any file associations and your desktop. Note: Your system is still infected as Rkill does not delete files - it merely helps to temporarily disable the infections, allowing us to start the cleansing process.
Do NOT reboot your machine. Each time you reboot, Rkill is disabled and you would have to run it again in order for it to be effective.

Next, run Hitman Pro, then Copy and Paste the contents of the log into your reply please.
http://www.softpedia.com/get/Intern...
http://www.surfright.nl/en/HitmanPro
http://www.surfright.nl/en/hitmanpro/
How to scan and obtain a log
http://forums.majorgeeks.com/showth...
Unlimited free scanning and free 30-day version to remove detected malware.
Download now (64-bit)
http://dl.surfright.nl/HitmanPro35_...



#15
October 31, 2014 at 10:10:48
Ok Johnw,

Results from Hitman, without the online program fixing anything after the scan and detection.

[code]
HitmanPro 3.7.9.232
www.hitmanpro.com

Computer name . . . . : TOSHIBA-PC
Windows . . . . . . . : 6.3.0.9600.X64/4
User name . . . . . . : TOSHIBA-PC\Joseph
UAC . . . . . . . . . : Enabled
License . . . . . . . : Free

Scan date . . . . . . : 2014-10-31 09:52:29
Scan mode . . . . . . : Normal
Scan duration . . . . : 10m 6s
Disk access mode . . : Direct disk access (SRB)
Cloud . . . . . . . . : Internet
Reboot . . . . . . . : No

Threats . . . . . . . : 1
Traces . . . . . . . : 5

Objects scanned . . . : 1,710,670
Files scanned . . . . : 41,651
Remnants scanned . . : 636,296 files / 1,032,723 keys

Malware _____________________________________________________________________

C:\Users\Joseph\AppData\Local\Microsoft\Windows\INetCache\IE\478LTT2M\PCTechHotlineSetup[1].exe
Size . . . . . . . : 1,710,008 bytes
Age . . . . . . . : 10.0 days (2014-10-21 08:49:09)
Entropy . . . . . : 8.0
SHA-256 . . . . . : 13559969D1F89E38FF52AD7D39986B911F7B3BB93E957F9483A01C0F8CB4D1A6
Product . . . . . : PC Tech Hotline
Publisher . . . . : Crawler Group
Description . . . : PC Tech Hotline Setup
Version . . . . . : 3.0.0.5
RSA Key Size . . . : 2048
Source URL . . . . : hxxp://www.pctechhotline.com/dnl/config/408/PCTechHotlineSetup.exe
LanguageID . . . . : 0
Authenticode . . . : Self-signed
> Kaspersky . . . . : not-a-virus:WebToolbar.Win32.CrawBar.c
Fuzzy . . . . . . : 112.0
Forensic Cluster
-85.3s C:\Users\Joseph\AppData\Local\Temp\a2R7PkoijL\GoBLZ5F60p\
-85.3s C:\Users\Joseph\AppData\Local\Temp\a2R7PkoijL\AKkzsv6xgs\
-85.3s C:\Users\Joseph\AppData\Local\Temp\a2R7PkoijL\AKkzsv6xgs\notepad.exe
-85.0s C:\Users\Joseph\AppData\Local\Microsoft\Windows\INetCache\IE\YCXVTGLL\notepad[1].exe
-84.3s C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_21.0.0.100\CmnClnt\ccSubSDK\{33B82C4B-FC56-4705-ABE7-D755AFF5E764}
-78.4s C:\Users\Joseph\AppData\Local\Temp\a2R7PkoijL\inet.txt
-74.5s C:\Users\Joseph\AppData\Local\Temp\a2R7PkoijL\nsq2A13.tmp
-69.0s C:\Windows\Prefetch\SP-DOWNLOADERB.EXE-DB6D54D1.pf
-67.6s C:\Users\Joseph\AppData\Local\Microsoft\Windows\INetCache\IE\478LTT2M\spstub[1].exe
-65.9s C:\Users\Joseph\AppData\Roaming\Syncplify.me\
-65.9s C:\Users\Joseph\AppData\Roaming\Syncplify.me\Notepad! 1.0.10.50\install\
-65.9s C:\Users\Joseph\AppData\Roaming\Syncplify.me\Notepad! 1.0.10.50\install\Notepad_Setup.msi
-65.9s C:\Users\Joseph\AppData\Roaming\Syncplify.me\Notepad! 1.0.10.50\
-65.8s C:\Users\Joseph\AppData\Roaming\Syncplify.me\Notepad! 1.0.10.50\install\Notepad_Setup.x64.msi
-60.5s C:\Users\Joseph\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\5457A8CE4B2A7499F8299A013B6E1C7C_D734EC3DD00546F46D368325396086B0
-60.5s C:\Users\Joseph\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\5457A8CE4B2A7499F8299A013B6E1C7C_D734EC3DD00546F46D368325396086B0
-60.0s C:\Users\Joseph\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B90B117906B8A74C79D1BC450C2B94B1_A54F26A8A41DE52C237D54D67F12793F
-60.0s C:\Users\Joseph\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B90B117906B8A74C79D1BC450C2B94B1_A54F26A8A41DE52C237D54D67F12793F
-60.0s C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_21.0.0.100\QBackup\{DE2D9AB0-96B1-406F-A69E-94EFE39484C7}\{58EBE179-63E5-4B2B-A343-5B0B26393423}.qbd
-60.0s C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_21.0.0.100\QBackup\{DE2D9AB0-96B1-406F-A69E-94EFE39484C7}\{58EBE179-63E5-4B2B-A343-5B0B26393423}.qbi
-59.8s C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_21.0.0.100\CmnClnt\ccSubSDK\{82AA8618-47C2-4D90-B802-F18F6E06E83E}
-59.8s C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_21.0.0.100\CmnClnt\ccSubSDK\{EC06882A-9EB2-43BC-A6F2-6958636708FA}
-59.5s C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_21.0.0.100\QBackup\{DE2D9AB0-96B1-406F-A69E-94EFE39484C7}\{56BC3170-1B52-427B-825B-B814374EDFF9}.qbd
-59.5s C:\Users\Joseph\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F4D9C889B7AEBCF4E1A2DAABC5C3628A_8B785D4716BCF75682A628CCE2B676D0
-59.5s C:\Users\Joseph\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F4D9C889B7AEBCF4E1A2DAABC5C3628A_8B785D4716BCF75682A628CCE2B676D0
-56.7s C:\Windows\Prefetch\NOTEPAD.EXE-04CA7432.pf
-56.2s C:\Users\Joseph\AppData\Local\Temp\a2R7PkoijL\{836111B0-6595-4FEA-AAF6-73CEF062AFD0}\
-56.2s C:\Users\Joseph\AppData\Local\Temp\a2R7PkoijL\{836111B0-6595-4FEA-AAF6-73CEF062AFD0}\Spring.742DA8B7\
-56.2s C:\Users\Joseph\AppData\Local\Temp\a2R7PkoijL\{836111B0-6595-4FEA-AAF6-73CEF062AFD0}\Spring.742DA8B7\lic.html
-56.2s C:\Users\Joseph\AppData\Local\Temp\a2R7PkoijL\{836111B0-6595-4FEA-AAF6-73CEF062AFD0}\Spring.742DA8B7\verifyrepair.html
-56.2s C:\Users\Joseph\AppData\Local\Temp\a2R7PkoijL\{836111B0-6595-4FEA-AAF6-73CEF062AFD0}\Spring.742DA8B7\folder.html
-56.2s C:\Users\Joseph\AppData\Local\Temp\a2R7PkoijL\{836111B0-6595-4FEA-AAF6-73CEF062AFD0}\Spring.742DA8B7\outofrbdisk.html
-56.2s C:\Users\Joseph\AppData\Local\Temp\a2R7PkoijL\{836111B0-6595-4FEA-AAF6-73CEF062AFD0}\Spring.742DA8B7\welcome.html
-56.2s C:\Users\Joseph\AppData\Local\Temp\a2R7PkoijL\{836111B0-6595-4FEA-AAF6-73CEF062AFD0}\Spring.742DA8B7\box-custom.png
-56.1s C:\Users\Joseph\AppData\Local\Temp\a2R7PkoijL\{836111B0-6595-4FEA-AAF6-73CEF062AFD0}\Spring.742DA8B7\setuptype.html
-56.1s C:\Users\Joseph\AppData\Local\Temp\a2R7PkoijL\{836111B0-6595-4FEA-AAF6-73CEF062AFD0}\Spring.742DA8B7\box-repair.png
-56.1s C:\Users\Joseph\AppData\Local\Temp\a2R7PkoijL\{836111B0-6595-4FEA-AAF6-73CEF062AFD0}\Spring.742DA8B7\customize.html
-56.1s C:\Users\Joseph\AppData\Local\Temp\a2R7PkoijL\{836111B0-6595-4FEA-AAF6-73CEF062AFD0}\Spring.742DA8B7\verifyremove.html
-56.1s C:\Users\Joseph\AppData\Local\Temp\a2R7PkoijL\{836111B0-6595-4FEA-AAF6-73CEF062AFD0}\Spring.742DA8B7\maintype.html
-56.1s C:\Users\Joseph\AppData\Local\Temp\a2R7PkoijL\{836111B0-6595-4FEA-AAF6-73CEF062AFD0}\Spring.742DA8B7\client.png
-56.1s C:\Users\Joseph\AppData\Local\Temp\a2R7PkoijL\{836111B0-6595-4FEA-AAF6-73CEF062AFD0}\Spring.742DA8B7\next.png
-56.1s C:\Users\Joseph\AppData\Local\Temp\a2R7PkoijL\{836111B0-6595-4FEA-AAF6-73CEF062AFD0}\Spring.742DA8B7\prepare.html
-56.1s C:\Users\Joseph\AppData\Local\Temp\a2R7PkoijL\{836111B0-6595-4FEA-AAF6-73CEF062AFD0}\Spring.742DA8B7\button-large-bg.png
-56.1s C:\Users\Joseph\AppData\Local\Temp\a2R7PkoijL\{836111B0-6595-4FEA-AAF6-73CEF062AFD0}\Spring.742DA8B7\client_server.png
-56.1s C:\Users\Joseph\AppData\Local\Temp\a2R7PkoijL\{836111B0-6595-4FEA-AAF6-73CEF062AFD0}\Spring.742DA8B7\maintwelcome.html
-56.1s C:\Users\Joseph\AppData\Local\Temp\a2R7PkoijL\{836111B0-6595-4FEA-AAF6-73CEF062AFD0}\Spring.742DA8B7\style.css
-56.1s C:\Users\Joseph\AppData\Local\Temp\a2R7PkoijL\{836111B0-6595-4FEA-AAF6-73CEF062AFD0}\Spring.742DA8B7\print.png
-56.1s C:\Users\Joseph\AppData\Local\Temp\a2R7PkoijL\{836111B0-6595-4FEA-AAF6-73CEF062AFD0}\Spring.742DA8B7\progress.html
-56.1s C:\Users\Joseph\AppData\Local\Temp\a2R7PkoijL\{836111B0-6595-4FEA-AAF6-73CEF062AFD0}\Spring.742DA8B7\back.png
-56.1s C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_21.0.0.100\QBackup\{DE2D9AB0-96B1-406F-A69E-94EFE39484C7}\{56BC3170-1B52-427B-825B-B814374EDFF9}.qbi
-56.1s C:\Users\Joseph\AppData\Local\Temp\a2R7PkoijL\{836111B0-6595-4FEA-AAF6-73CEF062AFD0}\Spring.742DA8B7\box.png
-56.1s C:\Users\Joseph\AppData\Local\Temp\a2R7PkoijL\{836111B0-6595-4FEA-AAF6-73CEF062AFD0}\Spring.742DA8B7\jquery-1.3.2.js
-56.1s C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_21.0.0.100\CmnClnt\ccSubSDK\{FBB82834-F312-4087-8808-01ABC7A707CF}
-56.0s C:\Users\Joseph\AppData\Local\Temp\a2R7PkoijL\{836111B0-6595-4FEA-AAF6-73CEF062AFD0}\Spring.742DA8B7\pngfix\
-56.0s C:\Users\Joseph\AppData\Local\Temp\a2R7PkoijL\{836111B0-6595-4FEA-AAF6-73CEF062AFD0}\Spring.742DA8B7\pngfix\DD_belatedPNG_0.0.8a.js
-56.0s C:\Users\Joseph\AppData\Local\Temp\a2R7PkoijL\{836111B0-6595-4FEA-AAF6-73CEF062AFD0}\Spring.742DA8B7\userexit.html
-56.0s C:\Users\Joseph\AppData\Local\Temp\a2R7PkoijL\{836111B0-6595-4FEA-AAF6-73CEF062AFD0}\Spring.742DA8B7\common.js
-56.0s C:\Users\Joseph\AppData\Local\Temp\a2R7PkoijL\{836111B0-6595-4FEA-AAF6-73CEF062AFD0}\Spring.742DA8B7\box-add-remove.png
-56.0s C:\Users\Joseph\AppData\Local\Temp\a2R7PkoijL\{836111B0-6595-4FEA-AAF6-73CEF062AFD0}\Spring.742DA8B7\check.png
-56.0s C:\Users\Joseph\AppData\Local\Temp\a2R7PkoijL\{836111B0-6595-4FEA-AAF6-73CEF062AFD0}\Spring.742DA8B7\box-remove.png
-56.0s C:\Users\Joseph\AppData\Local\Temp\a2R7PkoijL\{836111B0-6595-4FEA-AAF6-73CEF062AFD0}\Spring.742DA8B7\cancel.png
-56.0s C:\Users\Joseph\AppData\Local\Temp\a2R7PkoijL\{836111B0-6595-4FEA-AAF6-73CEF062AFD0}\Spring.742DA8B7\progress\
-56.0s C:\Users\Joseph\AppData\Local\Temp\a2R7PkoijL\{836111B0-6595-4FEA-AAF6-73CEF062AFD0}\Spring.742DA8B7\progress\progressbar.css
-56.0s C:\Users\Joseph\AppData\Local\Temp\a2R7PkoijL\{836111B0-6595-4FEA-AAF6-73CEF062AFD0}\Spring.742DA8B7\retry.png
-56.0s C:\Users\Joseph\AppData\Local\Temp\a2R7PkoijL\{836111B0-6595-4FEA-AAF6-73CEF062AFD0}\Spring.742DA8B7\exit.html
-56.0s C:\Users\Joseph\AppData\Local\Temp\a2R7PkoijL\{836111B0-6595-4FEA-AAF6-73CEF062AFD0}\Spring.742DA8B7\fatalerror.html
-56.0s C:\Users\Joseph\AppData\Local\Temp\a2R7PkoijL\{836111B0-6595-4FEA-AAF6-73CEF062AFD0}\Spring.742DA8B7\verifyready.html
-56.0s C:\Users\Joseph\AppData\Local\Temp\a2R7PkoijL\{836111B0-6595-4FEA-AAF6-73CEF062AFD0}\Spring.742DA8B7\diskcost.html
-56.0s C:\Users\Joseph\AppData\Local\Temp\a2R7PkoijL\{836111B0-6595-4FEA-AAF6-73CEF062AFD0}\Spring.742DA8B7\progress\progressbar.js
-56.0s C:\Users\Joseph\AppData\Local\Temp\a2R7PkoijL\{836111B0-6595-4FEA-AAF6-73CEF062AFD0}\Spring.742DA8B7\fileinuse.html
-56.0s C:\Users\Joseph\AppData\Local\Temp\a2R7PkoijL\{836111B0-6595-4FEA-AAF6-73CEF062AFD0}\Spring.742DA8B7\outofdisk.html
-56.0s C:\Users\Joseph\AppData\Local\Temp\a2R7PkoijL\{836111B0-6595-4FEA-AAF6-73CEF062AFD0}\Spring.742DA8B7\rmfiles.html
-56.0s C:\Users\Joseph\AppData\Local\Temp\a2R7PkoijL\{836111B0-6595-4FEA-AAF6-73CEF062AFD0}\Spring.742DA8B7\resume.html
-55.9s C:\Users\Joseph\AppData\Local\Temp\a2R7PkoijL\{836111B0-6595-4FEA-AAF6-73CEF062AFD0}\Spring.742DA8B7\server.png
-55.9s C:\Users\Joseph\AppData\Local\Temp\a2R7PkoijL\{836111B0-6595-4FEA-AAF6-73CEF062AFD0}\Spring.742DA8B7\varstyle.css
-55.2s C:\Users\Joseph\AppData\Local\Temp\a2R7PkoijL\AI_EXTUI_BIN_15732\
-55.2s C:\Users\Joseph\AppData\Local\Temp\a2R7PkoijL\AI_EXTUI_BIN_15732\Up
-55.2s C:\Users\Joseph\AppData\Local\Temp\a2R7PkoijL\AI_EXTUI_BIN_15732\progress
-55.2s C:\Users\Joseph\AppData\Local\Temp\a2R7PkoijL\AI_EXTUI_BIN_15732\removico
-55.2s C:\Users\Joseph\AppData\Local\Temp\a2R7PkoijL\AI_EXTUI_BIN_15732\background
-55.2s C:\Users\Joseph\AppData\Local\Temp\a2R7PkoijL\AI_EXTUI_BIN_15732\banner
-55.0s C:\Users\Joseph\AppData\Local\Temp\a2R7PkoijL\AI_EXTUI_BIN_15732\licagreelogoicon
-55.0s C:\Users\Joseph\AppData\Local\Temp\a2R7PkoijL\AI_EXTUI_BIN_15732\New
-55.0s C:\Users\Joseph\AppData\Local\Temp\a2R7PkoijL\AI_EXTUI_BIN_15732\whitebackground
-55.0s C:\Users\Joseph\AppData\Local\Temp\a2R7PkoijL\AI_EXTUI_BIN_15732\optionslogoicon
-55.0s C:\Users\Joseph\AppData\Local\Temp\a2R7PkoijL\AI_EXTUI_BIN_15732\exclamic
-55.0s C:\Users\Joseph\AppData\Local\Temp\a2R7PkoijL\AI_EXTUI_BIN_15732\folderlogoicon
-55.0s C:\Users\Joseph\AppData\Local\Temp\a2R7PkoijL\AI_EXTUI_BIN_15732\printico
-55.0s C:\Users\Joseph\AppData\Local\Temp\a2R7PkoijL\AI_EXTUI_BIN_15732\waitlogoicon
-55.0s C:\Users\Joseph\AppData\Local\Temp\a2R7PkoijL\AI_EXTUI_BIN_15732\insticon
-55.0s C:\Users\Joseph\AppData\Local\Temp\a2R7PkoijL\AI_EXTUI_BIN_15732\tabback
-55.0s C:\Users\Joseph\AppData\Local\Temp\a2R7PkoijL\AI_EXTUI_BIN_15732\installlogoicon
-55.0s C:\Users\Joseph\AppData\Local\Temp\a2R7PkoijL\AI_EXTUI_BIN_15732\applogoicon
-55.0s C:\Users\Joseph\AppData\Local\Temp\a2R7PkoijL\AI_EXTUI_BIN_15732\btnimg
-55.0s C:\Users\Joseph\AppData\Local\Temp\a2R7PkoijL\AI_EXTUI_BIN_15732\repairic
-55.0s C:\Users\Joseph\AppData\Local\Temp\a2R7PkoijL\AI_EXTUI_BIN_15732\progressbg
-55.0s C:\Users\Joseph\AppData\Local\Temp\a2R7PkoijL\AI_EXTUI_BIN_15732\completi
-55.0s C:\Users\Joseph\AppData\Local\Temp\a2R7PkoijL\AI_EXTUI_BIN_15732\custicon
-55.0s C:\Users\Joseph\AppData\Local\Temp\a2R7PkoijL\AI_EXTUI_BIN_15732\info
-55.0s C:\Users\Joseph\AppData\Local\Temp\a2R7PkoijL\AI_EXTUI_BIN_15732\minbackground
-55.0s C:\Users\Joseph\AppData\Local\Temp\a2R7PkoijL\AI_EXTUI_BIN_15732\Prereq.dll
-55.0s C:\Users\Joseph\AppData\Local\Temp\a2R7PkoijL\AI_EXTUI_BIN_15732\aicustact.dll
-55.0s C:\Users\Joseph\AppData\Local\Temp\a2R7PkoijL\AI_EXTUI_BIN_15732\tempFiles.dll
-55.0s C:\Users\Joseph\AppData\Local\Temp\a2R7PkoijL\AI_EXTUI_BIN_15732\lzmaextractor.dll
-55.0s C:\Users\Joseph\AppData\Local\Temp\a2R7PkoijL\AI_EXTUI_BIN_15732\cmdlinkarrow
-54.3s C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_21.0.0.100\CmnClnt\ccSubSDK\{5395A9DC-0D66-4BF4-84D0-E3442FF7515F}
-52.6s C:\Windows\Prefetch\NSQ2A13.EXE-28791BD2.pf
-50.9s C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_21.0.0.100\CmnClnt\ccSubSDK\{530DFE0A-A50A-42A3-A850-4D62EF15F3D8}
-48.2s C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_21.0.0.100\CmnClnt\ccSubSDK\{6C02D61F-C56B-49A7-997C-6BD2E0696736}
-45.3s C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_21.0.0.100\CmnClnt\ccSubSDK\{10E9F558-D220-48B9-9D6F-80E7E8AF380C}
-45.2s C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_21.0.0.100\CmnClnt\ccSubSDK\{DB57D070-631E-4A2D-B360-E890BA579144}
-41.3s C:\Windows\Prefetch\NSO8B0F.TMP-4A648200.pf
-40.2s C:\Users\Joseph\AppData\Local\Temp\a2R7PkoijL\0Cb7Kxr9ZN\
-40.2s C:\Users\Joseph\AppData\Local\Temp\a2R7PkoijL\0Cb7Kxr9ZN\Setup_en.exe
-37.3s C:\Users\Joseph\AppData\Local\Microsoft\Windows\INetCache\IE\0F1QOESW\Setup_en[1].exe
-36.1s C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_21.0.0.100\QBackup\{DE2D9AB0-96B1-406F-A69E-94EFE39484C7}\{A39FFD2C-CE8F-4A49-ACB0-67F5BCC17B10}.qbd
-35.6s C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_21.0.0.100\QBackup\{DE2D9AB0-96B1-406F-A69E-94EFE39484C7}\{A39FFD2C-CE8F-4A49-ACB0-67F5BCC17B10}.qbi
-35.6s C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_21.0.0.100\CmnClnt\ccSubSDK\{8FC51C46-B38E-487B-B8B6-A66BEDC4BCEA}
-35.3s C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_21.0.0.100\CmnClnt\ccSubSDK\{8D3392FA-F40A-45B2-8941-732474BFD997}
-35.0s C:\Users\Joseph\AppData\Local\Temp\a2R7PkoijL\wwwC444.tmp
-18.0s C:\Windows\Prefetch\SETUP_EN.TMP-E274E775.pf
-12.1s C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_21.0.0.100\CmnClnt\ccSubSDK\{D696B6D0-A3E3-41C1-9FDC-8D260E107392}
-11.7s C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_21.0.0.100\CmnClnt\ccSubSDK\{2F4B9982-96A9-4905-89EB-CE5E52F04B7F}
-3.5s C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_21.0.0.100\CmnClnt\ccSubSDK\{60ED05E2-324B-4115-848B-0E5C8EC6CB70}
-3.5s C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_21.0.0.100\QBackup\{FACF78F1-1B22-4F96-9C80-5FB554CEC028}.qbi
-3.5s C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_21.0.0.100\QBackup\{FACF78F1-1B22-4F96-9C80-5FB554CEC028}\
-3.5s C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_21.0.0.100\QBackup\{FACF78F1-1B22-4F96-9C80-5FB554CEC028}\{2175A509-ACF8-4E53-8B34-AAEA3B078D65}.qbd
-3.5s C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_21.0.0.100\QBackup\{FACF78F1-1B22-4F96-9C80-5FB554CEC028}\{2175A509-ACF8-4E53-8B34-AAEA3B078D65}.qbi
-3.4s C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_21.0.0.100\QBackup\{FACF78F1-1B22-4F96-9C80-5FB554CEC028}\{DBCE6B9E-35DE-43C2-A778-652BAD8760A0}.qbd
-3.4s C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_21.0.0.100\QBackup\{FACF78F1-1B22-4F96-9C80-5FB554CEC028}\{DBCE6B9E-35DE-43C2-A778-652BAD8760A0}.qbi
-3.4s C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_21.0.0.100\QBackup\{FACF78F1-1B22-4F96-9C80-5FB554CEC028}\{14410989-DEE7-4E52-9A04-D4B2F0F60305}.qbd
-3.4s C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_21.0.0.100\QBackup\{FACF78F1-1B22-4F96-9C80-5FB554CEC028}\{14410989-DEE7-4E52-9A04-D4B2F0F60305}.qbi
-1.8s C:\Windows\Prefetch\SPYWARECLEAR.EXE-C1F44D57.pf
0.0s C:\Users\Joseph\AppData\Local\Microsoft\Windows\INetCache\IE\478LTT2M\PCTechHotlineSetup[1].exe
4.5s C:\Windows\Prefetch\SPYWARECLEARUPDATE.EXE-EAC52AFE.pf
5.0s C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_21.0.0.100\CmnClnt\ccSubSDK\{C8A24305-9262-4BD2-86C0-57D3C3768DEC}
5.0s C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_21.0.0.100\CmnClnt\ccSubSDK\{8DC76431-459A-4646-AD44-4C4C43681319}
5.8s C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_21.0.0.100\CmnClnt\ccSubSDK\{69C8ACC4-6FAB-450D-A01A-D1CD030838EE}
12.1s C:\Windows\Prefetch\SPYWARECLEARSHIELD.EXE-41BA5724.pf
12.8s C:\$RECYCLE.BIN\S-1-5-21-2871600126-1854696350-10267512-1001\$RTOK394.lnk
13.9s C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_21.0.0.100\CmnClnt\ccSubSDK\{2B8199D7-5135-45E7-8C89-8FFCF06827CF}
15.9s C:\Windows\Prefetch\PCTECHHOTLINESETUP.TMP-BD28D2D5.pf
19.2s C:\Users\Joseph\AppData\Local\Temp\a2R7PkoijL\FfK4mRF4j1\
19.2s C:\Users\Joseph\AppData\Local\Temp\a2R7PkoijL\FfK4mRF4j1\SpywareClearSetup1.exe
19.8s C:\Windows\Temp\WAX9A59.tmp
20.6s C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_SC_svc64.exe_6ceae76a8f57c8269c655fffbaec2134b5c7645_d5ab997c_cab_2e219dc4\
20.7s C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_SC_svc64.exe_6ceae76a8f57c8269c655fffbaec2134b5c7645_d5ab997c_cab_2e219dc4\WER9AA8.tmp.appcompat.txt
20.7s C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_SC_svc64.exe_6ceae76a8f57c8269c655fffbaec2134b5c7645_d5ab997c_cab_2e219dc4\WER9DA7.tmp.WERInternalMetadata.xml
20.7s C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_SC_svc64.exe_6ceae76a8f57c8269c655fffbaec2134b5c7645_d5ab997c_cab_2e219dc4\memory.hdmp
27.4s C:\Windows\Prefetch\PCTECHHOTLINE.EXE-DF3C05F7.pf
27.6s C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_21.0.0.100\CmnClnt\ccSubSDK\{0294C305-1AC4-469A-B253-8EEE29177EFC}
27.7s C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_21.0.0.100\CmnClnt\ccSubSDK\{263D6137-3D15-4C32-9EBD-975CD72F9486}


Cookies _____________________________________________________________________

C:\Users\Joseph\AppData\Local\Microsoft\Windows\INetCookies\23J9QCRI.txt
C:\Users\Joseph\AppData\Local\Microsoft\Windows\INetCookies\2WJB4KMJ.txt
C:\Users\Joseph\AppData\Local\Microsoft\Windows\INetCookies\JB2NZRCT.txt
C:\Users\Joseph\AppData\Local\Microsoft\Windows\INetCookies\YLMG2BNO.txt


[/code]


Report •

#16
October 31, 2014 at 13:43:44
"Results from Hitman without the online program fixing after the scan and detection"
Go ahead & fix josephT.

New log after fixing, please.


Report •

#17
November 1, 2014 at 10:07:05
Johnw,

I ran Malwarebytes and Hitman in Safe Mode and these are the results with no fix requested. Still getting the Norton risk alert.


[code]
HitmanPro 3.7.9.232
www.hitmanpro.com

Computer name . . . . : TOSHIBA-PC
Windows . . . . . . . : 6.3.0.9600.X64/4
Safe Mode Boot . . . : MINIMAL
User name . . . . . . : TOSHIBA-PC\Joseph
UAC . . . . . . . . . : Disabled
License . . . . . . . : Free

Scan date . . . . . . : 2014-11-01 09:39:45
Scan mode . . . . . . : Normal
Scan duration . . . . : 5m 1s
Disk access mode . . : Direct disk access (SRB)
Cloud . . . . . . . . : No connection
Reboot . . . . . . . : No

Threats . . . . . . . : 0
Traces . . . . . . . : 4

Objects scanned . . . : 1,708,613
Files scanned . . . . : 39,450
Remnants scanned . . : 640,867 files / 1,028,296 keys

Cookies _____________________________________________________________________

C:\Users\Joseph\AppData\Local\Microsoft\Windows\INetCookies\23J9QCRI.txt
C:\Users\Joseph\AppData\Local\Microsoft\Windows\INetCookies\2WJB4KMJ.txt
C:\Users\Joseph\AppData\Local\Microsoft\Windows\INetCookies\JB2NZRCT.txt
C:\Users\Joseph\AppData\Local\Microsoft\Windows\INetCookies\YLMG2BNO.txt


[/code]


Report •

#18
November 1, 2014 at 13:33:00
"Still getting the Norton risk alert"
Yep, that's what I suspected.

Please download Farbar Recovery Scan Tool and save it onto your Desktop. If your default download location is not the Desktop, drag it out of its location onto the Desktop.
http://www.bleepingcomputer.com/dow...
Note: You need to run the version compatible with your system. If you are not sure which version applies to your system, download both of them and try to run them. Only one of them will run on your system; that will be the right version.
Double-click to run it. When the tool opens click Yes to disclaimer.
Press Scan button.
It will make a log (FRST.txt) on the Desktop.
The first time the tool is run, it also makes another log (Addition.txt).
The logs are large; upload them using this, or upload to a site of your choosing. No account needed. Give us the links please.
http://www.zippyshare.com/
Instructions on how to use ZippyShare.
http://i.imgur.com/naG6t2T.gif
http://i.imgur.com/Vi9ZdIh.gif
http://i.imgur.com/1IZu5kP.gif


Report •

#19
November 1, 2014 at 20:05:57
Norton security says FRST is a threat, "Threat Name: suspicious cloud.7.esp", therefore the download was removed.

Should I download FRST in safe mode? I don't need something else to have to deal with, as the initial threat is a Norton security threat alert as well.


Report •

#20
November 1, 2014 at 20:08:36
It's a false alert, Farbar is used in countless malware forums, including this one.

Mark the alarm as Ok.


Report •

#21
November 2, 2014 at 08:29:19
Johnw

The links for FRST.txt and addition.txt logs.

http://www10.zippyshare.com/v/17271...
http://www10.zippyshare.com/v/63661...


Report •

#22
November 2, 2014 at 14:29:30
Copy & Paste the text below ( starting closeprocesses: ), save it into Notepad on your Desktop & name it fixlist.txt
NOTE: It is important that Notepad is used. The fix will not work if Word or some other program is used.
NOTE: It is important that both files, FRST/FRST64 and fixlist.txt are in the same location or the fix will not work.
NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.

Run FRST/FRST64 and press the Fix button just once and wait.
If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.
When finished FRST will generate a log on the Desktop (Fixlog.txt). Please Copy & Paste the contents into your reply.

closeprocesses:
emptytemp:
AlternateDataStreams: C:\Users\Joseph\SkyDrive:ms-properties
SearchScopes: HKLM - {0FD4BD52-19EF-41C3-B678-795E9D8C4B5C} URL = http://www.bing.com/search?q={searc...
SearchScopes: HKLM-x32 - {0FD4BD52-19EF-41C3-B678-795E9D8C4B5C} URL = http://www.bing.com/search?q={searc...
SearchScopes: HKCU - DefaultScope {0FD4BD52-19EF-41C3-B678-795E9D8C4B5C} URL =
SearchScopes: HKCU - {0FD4BD52-19EF-41C3-B678-795E9D8C4B5C} URL =
HKLM\...\Run: [] => [X]
HKLM-x32\...\Run: [] => [X]
Handler: ipp\0x00000001 - {E1D2BF42-A96B-11D1-9C6B-0000F875AC61} - No File
C:\Users\Joseph\AppData\Local\Temp\dllnt_dump.dll
C:\Users\Joseph\AppData\Local\Temp\installutilities.dll
C:\Users\Joseph\AppData\Local\Temp\Quarantine.exe
C:\Users\Joseph\AppData\Local\Temp\sqlite3.dll
C:\Users\Joseph\FinanceOFXLOG.DAT
C:\Users\Joseph\FinanceOFXOLD.DAT


Report •

#23
November 2, 2014 at 16:20:31
Results of Fixlog.txt


Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 02-11-2014
Ran by Joseph at 2014-11-02 16:06:52 Run:1
Running from C:\Users\Joseph\Desktop
Loaded Profile: Joseph (Available profiles: Joseph & Administrator)
Boot Mode: Normal
==============================================

Content of fixlist:
*****************
closeprocesses:
emptytemp:
AlternateDataStreams: C:\Users\Joseph\SkyDrive:ms-properties
SearchScopes: HKLM - {0FD4BD52-19EF-41C3-B678-795E9D8C4B5C} URL = http://www.bing.com/search?q={searc...
SearchScopes: HKLM-x32 - {0FD4BD52-19EF-41C3-B678-795E9D8C4B5C} URL = http://www.bing.com/search?q={searc...
SearchScopes: HKCU - DefaultScope {0FD4BD52-19EF-41C3-B678-795E9D8C4B5C} URL =
SearchScopes: HKCU - {0FD4BD52-19EF-41C3-B678-795E9D8C4B5C} URL =
HKLM\...\Run: [] => [X]
HKLM-x32\...\Run: [] => [X]
Handler: ipp\0x00000001 - {E1D2BF42-A96B-11D1-9C6B-0000F875AC61} - No File
C:\Users\Joseph\AppData\Local\Temp\dllnt_dump.dll
C:\Users\Joseph\AppData\Local\Temp\installutilities.dll
C:\Users\Joseph\AppData\Local\Temp\Quarantine.exe
C:\Users\Joseph\AppData\Local\Temp\sqlite3.dll
C:\Users\Joseph\FinanceOFXLOG.DAT
C:\Users\Joseph\FinanceOFXOLD.DAT


*****************

Processes closed successfully.
C:\Users\Joseph\SkyDrive => ":ms-properties" ADS removed successfully.
"HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0FD4BD52-19EF-41C3-B678-795E9D8C4B5C}" => Key deleted successfully.
"HKCR\CLSID\{0FD4BD52-19EF-41C3-B678-795E9D8C4B5C}" => Key not found.
"HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\{0FD4BD52-19EF-41C3-B678-795E9D8C4B5C}" => Key deleted successfully.
"HKCR\Wow6432Node\CLSID\{0FD4BD52-19EF-41C3-B678-795E9D8C4B5C}" => Key not found.
HKCU\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => value deleted successfully.
"HKCU\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0FD4BD52-19EF-41C3-B678-795E9D8C4B5C}" => Key deleted successfully.
"HKCR\CLSID\{0FD4BD52-19EF-41C3-B678-795E9D8C4B5C}" => Key not found.
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\\ => value deleted successfully.
HKLM\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\\ => value deleted successfully.
"HKCR\PROTOCOLS\Handler\ipp\0x00000001" => Key deleted successfully.
"HKCR\CLSID\{E1D2BF42-A96B-11D1-9C6B-0000F875AC61}" => Key not found.
C:\Users\Joseph\AppData\Local\Temp\dllnt_dump.dll => Moved successfully.
C:\Users\Joseph\AppData\Local\Temp\installutilities.dll => Moved successfully.
C:\Users\Joseph\AppData\Local\Temp\Quarantine.exe => Moved successfully.
C:\Users\Joseph\AppData\Local\Temp\sqlite3.dll => Moved successfully.
C:\Users\Joseph\FinanceOFXLOG.DAT => Moved successfully.
C:\Users\Joseph\FinanceOFXOLD.DAT => Moved successfully.
EmptyTemp: => Removed 1.2 GB temporary data.


The system needed a reboot.

==== End of Fixlog ====


Report •
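The Fixlog above records the entries the fixlist removed. As an added example, not FRST's own code, here is a read-only PowerShell audit that lists the same classes of entries (search scopes with an empty or unrecognised URL, Run values with an empty name or command or a missing target, protocol handlers whose CLSID has no file) so they can be reviewed before any fix is written. The elevated 64-bit session and the list of known search providers are assumptions.

```powershell
# Added example, not FRST's own code: a read-only audit that lists the same classes of
# entries the fixlist above removed (IE search scopes, Run values, protocol handlers),
# so they can be reviewed before any fix is written. Nothing here modifies the registry.
# Assumptions: an elevated 64-bit PowerShell session; the known-provider list is mine.

$KnownSearchHosts = 'www.bing.com', 'www.google.com', 'search.yahoo.com', 'duckduckgo.com'

function Get-SearchScopeAnomalies {
    # Scopes with an empty URL (the HKCU lines in the fixlist) or a provider outside the list
    # above, which is how a Conduit / SearchProtect style search hijack shows up.
    $paths = @(
        'HKLM:\SOFTWARE\Microsoft\Internet Explorer\SearchScopes',
        'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes',
        'HKCU:\SOFTWARE\Microsoft\Internet Explorer\SearchScopes'
    )
    foreach ($p in $paths) {
        if (-not (Test-Path -Path $p)) { continue }
        $default = (Get-ItemProperty -Path $p -ErrorAction SilentlyContinue).DefaultScope
        foreach ($scope in Get-ChildItem -Path $p -ErrorAction SilentlyContinue) {
            $url = [string](Get-ItemProperty -Path $scope.PSPath -ErrorAction SilentlyContinue).URL
            $uriHost = ''
            try { $uriHost = ([uri]$url).Host } catch { }
            $problem = if ($url -eq '') { 'empty URL' }
                       elseif ($KnownSearchHosts -notcontains $uriHost) { "unknown provider: $url" }
            if ($problem) {
                [pscustomobject]@{ Kind = 'SearchScope'; Location = $scope.Name
                                   IsDefault = ($scope.PSChildName -eq $default); Detail = $problem }
            }
        }
    }
}

function Get-RunKeyAnomalies {
    # Run values with an empty name or empty command (FRST prints these as "[] => [X]"),
    # and values whose absolute target path is not on disk.
    $paths = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
    )
    foreach ($p in $paths) {
        $key = Get-Item -Path $p -ErrorAction SilentlyContinue
        if (-not $key) { continue }
        foreach ($name in $key.GetValueNames()) {
            $cmd = [string]$key.GetValue($name)
            $exe = $null
            if ($cmd -match '^\s*"([^"]+)"')        { $exe = $Matches[1] }   # quoted path
            elseif ($cmd -match '^\s*(.+?\.exe)\b')  { $exe = $Matches[1] }   # unquoted, may contain spaces
            if ($exe) { $exe = [Environment]::ExpandEnvironmentVariables($exe) }
            $problem = if ($name -eq '') { 'empty value name' }
                       elseif ($cmd -eq '') { 'empty command' }
                       elseif ($exe -and $exe -match '^[A-Za-z]:\\' -and -not (Test-Path -LiteralPath $exe)) {
                           "target missing: $exe"
                       }
            if ($problem) {
                [pscustomobject]@{ Kind = 'Run'; Location = "$($key.Name)\$name"
                                   IsDefault = $false; Detail = $problem }
            }
        }
    }
}

function Get-ProtocolHandlerAnomalies {
    # HKCR\PROTOCOLS\Handler entries whose CLSID is unregistered or whose server DLL is gone
    # (FRST's "- No File"); the ipp\0x00000001 handler in the fixlist sits one level down,
    # hence -Recurse. Relative DLL names (system DLLs found via the loader path) are not checked.
    $base = 'Registry::HKEY_CLASSES_ROOT\PROTOCOLS\Handler'
    foreach ($h in Get-ChildItem -Path $base -Recurse -ErrorAction SilentlyContinue) {
        $clsid = [string](Get-ItemProperty -Path $h.PSPath -ErrorAction SilentlyContinue).CLSID
        if ($clsid -eq '') { continue }
        $srvKey = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\InprocServer32"
        $dll = [string](Get-ItemProperty -Path $srvKey -ErrorAction SilentlyContinue).'(default)'
        $dll = [Environment]::ExpandEnvironmentVariables($dll.Trim('"'))
        $problem = if (-not (Test-Path -Path "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid")) { "CLSID $clsid not registered" }
                   elseif ($dll -eq '') { "no server registered for $clsid" }
                   elseif ($dll -match '^[A-Za-z]:\\' -and -not (Test-Path -LiteralPath $dll)) { "no file: $dll" }
        if ($problem) {
            [pscustomobject]@{ Kind = 'ProtocolHandler'; Location = $h.Name; IsDefault = $false; Detail = $problem }
        }
    }
}

function Get-FixlistCandidates {
    # Everything a reviewer would want to inspect before writing a fixlist, as objects.
    @(Get-SearchScopeAnomalies) + @(Get-RunKeyAnomalies) + @(Get-ProtocolHandlerAnomalies)
}

Get-FixlistCandidates | Format-Table -AutoSize -Wrap
```

The output is a list to read, not a fixlist: the FRST author's advice above still stands, and each entry should be confirmed before it is removed.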

#24
November 2, 2014 at 16:23:39
Let's see what VirusTotal has to say about > SAPE.Bundler.17
Post the results please.

VirusTotalScanner
http://www.softpedia.com/get/Securi...
http://securityxploded.com/virus-to...


Report •

#25
November 3, 2014 at 13:24:51
Total Virus Scan (TVS) doesn't allow me to type in the SAPE.Bundler.17 that Norton Security alerts me to and I can't copy and paste the only other reference in the Norton Alert notepad in order to see what TVS has to say. I never allowed Norton to run to quarantine or delete whatever this is. With all the phishing, viruses and Trojans popping up these days I went to Norton site to see what they had on this and found nothing therefore Computing.Net was my next choice.

Report •

#26
November 3, 2014 at 13:32:57
Please download SystemLook from one of the links below and save it onto your Desktop. If your default download location is not the Desktop, drag it out of its location onto the Desktop.
http://jpshortstuff.247fixes.com/Sy...
http://jpshortstuff.247fixes.com/Sy...
http://images.malwareremoval.com/jp...
Double-click SystemLook.exe to run it.
Vista\Windows 7 users: Right click on SystemLook.exe, click Run As Administrator
Copy the content of the following into the main textfield:

:filefind
*SAPE.Bundler.17*
:folderfind
*SAPE.Bundler.17*
:regfind
SAPE.Bundler.17

Click the Look button to start the scan.
When finished, a notepad window will open with the results of the scan. Please Copy & Paste the contents of the log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt


Report •

#27
November 4, 2014 at 08:56:12
System Look results

SystemLook 30.07.11 by jpshortstuff
Log created at 16:57 on 03/11/2014 by Joseph
Administrator - Elevation successful
WARNING: SystemLook running under WOW64. Use SystemLook_x64 for accurate results.

No Context: filefind

No Context: *SAPE.Bundler.17*

No Context: folderfind

No Context: *SAPE.Bundler.17*

No Context: REGFIND

No Context: *SAPE.Bundler.17*

-= EOF =-


Report •

#28
November 4, 2014 at 12:22:29
"October 13
haven't found any reference to it in Norton's website"
"November 3
I went to Norton site to see what they had on this and found nothing"
None of that made sense, Norton found it. I googled it, back in OCT. Have been perusing the matter since then.

Symantec AntiVirus detections (19697)
(These threats are also detected by the latest Virus Definitions.)
http://www.symantec.com/security_re...
http://i.imgur.com/zlK5sE4.gif

As a matter of interest, where does Norton find SAPE.Bundler.17?

"I never allowed Norton to run to quarantine or delete whatever this is"
I would allow Norton to quarantine it.
Copy & Paste the log please.

message edited by Johnw


Report •

#29
November 4, 2014 at 16:44:01
I don't know where Norton found this threat, this is what it alluded to in the pop up that it suggested I resolve. Maybe this info below will give you some insight. In the meantime I will try to find out how to use Windows 8.1 find feature for the threat or file on the hard drive.

Resolved Threats:
No risks have been resolved

Unresolved Threats:
SAPE.Bundler.17
Type: Anomaly
Risk: Low (Low Stealth, Low Removal, Low Performance, Low Privacy)
Categories: Adware
Status: Not Attempted
-----------
1 File

1 Browser Cache

SearchProtect
Type: Anomaly
Risk: Low (Low Stealth, Low Removal, Low Performance, Low Privacy)
Categories: Security Risk
Status: Not Attempted
-----------
2 Files

2 Processes

1 Browser Cache


Report •

#30
November 4, 2014 at 16:55:07
I use these on every comp I have worked on for about 5 years; they should remove your problem. Let me know.

Run both of these, in this order.
Run Wise Disk Cleaner ( Run the 1st three tabs, left to right. I use default settings, leave boxes that are unchecked, unchecked ) Reboot when finished.
http://www.softpedia.com/get/System...
http://www.wisecleaner.com/download...
http://i.imgur.com/Jecnfvb.gif
http://i.imgur.com/0xHwdom.gif
http://i.imgur.com/JZLYOLf.gif
http://i.imgur.com/4kfaeGW.gif

Run Wise Registry Cleaner ( Only use Registry Cleaner & with default settings. Don't use System Tuneup, that is for Experts, you really have to know what you are doing ) Reboot when finished.
http://www.softpedia.com/get/Tweak/...
http://www.wisecleaner.com/wiseregi...
http://i.imgur.com/Qy7HWcA.gif


Report •

#31
November 4, 2014 at 19:10:24
Neither of the Wise cleaners seems to have gotten rid of the annoying culprit.

Report •

#32
November 4, 2014 at 23:34:19
Run SystemLook again.

:filefind
*Search Protect*
:folderfind
*Search Protect*
:regfind
Search Protect

:filefind
*SearchProtect*
:folderfind
*SearchProtect*
:regfind
SearchProtect


Report •

#33
November 5, 2014 at 09:36:52
Results of System Look again.

SystemLook 30.07.11 by jpshortstuff
Log created at 09:23 on 05/11/2014 by Joseph
Administrator - Elevation successful
WARNING: SystemLook running under WOW64. Use SystemLook_x64 for accurate results.

========== filefind ==========

Searching for "*search protect*"
No files found.

========== folderfind ==========

Searching for "*search protect*"
No folders found.

========== regfind ==========

Searching for "*search protect*"
No data found.

-= EOF =-


Report •

#34
November 5, 2014 at 12:53:13
"WARNING: SystemLook running under WOW64. Use SystemLook_x64 for accurate results"
Just noticed you are running the 32-bit version of SystemLook.

Download the 64-bit version.
http://jpshortstuff.247fixes.com/Sy...

I now would like to see 4 logs.

Log 1 from this scan.

:filefind
*SAPE.Bundler.17*
:folderfind
*SAPE.Bundler.17*
:regfind
SAPE.Bundler.17

===========================

Log 2 from this scan.

:filefind
*Search Protect*
:folderfind
*Search Protect*
:regfind
Search Protect

==================

Log 3 from this scan.

:filefind
*SearchProtect*
:folderfind
*SearchProtect*
:regfind
SearchProtect

================

Log 4 from this scan.

:filefind
*Conduit*
:folderfind
*Conduit*
:regfind
Conduit


Report •
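The four SystemLook hunts requested above, as an added PowerShell equivalent that is not SystemLook's own code: filefind, folderfind and regfind over the same names, with a check for the WOW64 condition the earlier logs warned about. The C:\ root, the hive list and the approximate output layout are assumptions.

```powershell
# Added example (not SystemLook's code): PowerShell equivalents of the :filefind, :folderfind
# and :regfind hunts requested in this thread. Assumptions: an elevated PowerShell session,
# a 'C:\' root for the file hunts, the hive list below, and an output layout that only
# approximates SystemLook's. Both hunts are read-only; a full walk is slow, as SystemLook's is.

if ([Environment]::Is64BitOperatingSystem -and -not [Environment]::Is64BitProcess) {
    # The WOW64 warning the logs above show: a 32-bit process is redirected away from
    # System32 and HKLM\SOFTWARE, so its results are incomplete on 64-bit Windows.
    Write-Warning 'Running as a 32-bit process on 64-bit Windows; results will be incomplete.'
}

function Find-NameTrace {
    # filefind / folderfind: names matching a wildcard, printed as path, size, times and MD5.
    param(
        [Parameter(Mandatory)][string]$Pattern,      # wildcard, e.g. '*Conduit*'
        [string[]]$Roots = @('C:\'),
        [switch]$Folders                              # folderfind instead of filefind
    )
    Get-ChildItem -Path $Roots -Recurse -Force -Filter $Pattern -ErrorAction SilentlyContinue |
        Where-Object { $_.PSIsContainer -eq $Folders.IsPresent } |
        ForEach-Object {
            if ($Folders) {
                "{0}`td------ [{1:HH:mm dd/MM/yyyy}]" -f $_.FullName, $_.CreationTime
            } else {
                $md5 = (Get-FileHash -LiteralPath $_.FullName -Algorithm MD5 -ErrorAction SilentlyContinue).Hash
                $fields = $_.FullName, $_.Length, $_.CreationTime, $_.LastWriteTime, $md5
                "{0}`t--a---- {1} bytes [{2:HH:mm dd/MM/yyyy}] [{3:HH:mm dd/MM/yyyy}] {4}" -f $fields
            }
        }
}

function Find-RegistryTrace {
    # regfind: key names, value names and value data containing the text (case-insensitive).
    param(
        [Parameter(Mandatory)][string]$Text,
        [string[]]$Hives = @('HKLM:\SOFTWARE', 'HKLM:\SYSTEM\CurrentControlSet',
                             'HKCU:\SOFTWARE', 'Registry::HKEY_CLASSES_ROOT')
    )
    $needle = '*' + [WildcardPattern]::Escape($Text) + '*'
    foreach ($hive in $Hives) {
        Get-ChildItem -Path $hive -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
            $key = $_
            if ($key.PSChildName -like $needle) { "[$($key.Name)]" }
            try { $names = $key.GetValueNames() } catch { $names = @() }   # access denied on some keys
            foreach ($vn in $names) {
                $data = $key.GetValue($vn)
                $dataText = if ($data -is [byte[]]) { [BitConverter]::ToString($data) } else { "$data" }
                if ($vn -like $needle -or $dataText -like $needle) {
                    "[$($key.Name)]`n`"$vn`"=`"$dataText`""
                }
            }
        }
    }
}

# Usage: the four hunts from this thread, appended to one log on the Desktop.
$log = Join-Path $env:USERPROFILE 'Desktop\NameTrace.txt'
foreach ($term in 'SAPE.Bundler.17', 'Search Protect', 'SearchProtect', 'Conduit') {
    "========== Filefind ==========`nSearching for `"*$term*`""   | Out-File -FilePath $log -Append
    Find-NameTrace -Pattern "*$term*"                             | Out-File -FilePath $log -Append
    "========== Folderfind ==========`nSearching for `"*$term*`"" | Out-File -FilePath $log -Append
    Find-NameTrace -Pattern "*$term*" -Folders                    | Out-File -FilePath $log -Append
    "========== Regfind ==========`nSearching for `"$term`""      | Out-File -FilePath $log -Append
    Find-RegistryTrace -Text $term                                | Out-File -FilePath $log -Append
}
```

A detection name such as SAPE.Bundler.17 is a label Norton assigns, not a file name, so an empty result for it (as in the logs above) is expected; the Conduit and SearchProtect hunts are the ones that find leftover files.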

#35
November 5, 2014 at 15:15:16
Log1
SystemLook 30.07.11 by jpshortstuff
Log created at 14:49 on 05/11/2014 by Joseph
Administrator - Elevation successful

========== Filefind ==========

Searching for "*SAPE.Bundler.17*"
No files found.

========== Folderfind ==========

Searching for "*SAPE.Bundler.17*"
No folders found.

========== Regfind ==========

Searching for "SAPE.Bundler.17"
No data found.

-= EOF =-

Log2
SystemLook 30.07.11 by jpshortstuff
Log created at 14:56 on 05/11/2014 by Joseph
Administrator - Elevation successful

========== Filefind ==========

Searching for "*Search Protect*"
No files found.

========== Folderfind ==========

Searching for "*SEARCH Protect*"
No folders found.

========== Regfind ==========

Searching for "SEARCH Protect"
No data found.

-= EOF =-

Log3
SystemLook 30.07.11 by jpshortstuff
Log created at 15:00 on 05/11/2014 by Joseph
Administrator - Elevation successful

========== Filefind ==========

Searching for "*SearchProtect*"
No files found.

========== Folderfind ==========

Searching for "*SEARCHProtect*"
No folders found.

========== Regfind ==========

Searching for "SEARCHProtect"
No data found.

-= EOF =-

Log4
SystemLook 30.07.11 by jpshortstuff
Log created at 15:04 on 05/11/2014 by Joseph
Administrator - Elevation successful

========== Filefind ==========

Searching for "*Conduit*"
C:\Windows.old\Users\Joseph\AppData\Local\Microsoft\Windows\INetCache\Low\IE\DMVNDNEQ\conduit[1].htm --a---- 211 bytes [22:47 05/06/2014] [22:47 05/06/2014] DAF838963A6703EB01729512B5911803
C:\Windows.old\Users\Joseph\AppData\Local\Packages\windows_ie_ac_001\AC\INetCache\2QHPCVV6\Conduit.Search[1].htm --a---- 287 bytes [18:31 05/06/2014] [18:31 05/06/2014] 47B33CAB108EDBC412A7AF64D48CF2E1
C:\Windows.old\Users\Joseph\AppData\Local\Packages\windows_ie_ac_001\AC\INetCache\2QHPCVV6\Conduit[1].htm --a---- 1927 bytes [16:23 05/06/2014] [16:23 05/06/2014] 69CAEAF8BE4B54A43A7C9B8FF6CC7C11
C:\Windows.old\Users\Joseph\AppData\Local\Packages\windows_ie_ac_001\AC\INetCache\2QHPCVV6\SlimwareCPC-US-Conduit6675-All-300-lp1-Test63b-23040_fc[1].gif --a---- 72637 bytes [00:43 06/06/2014] [00:43 06/06/2014] 1A20B7C85CAD1613904040CDD670F40D
C:\Windows.old\Users\Joseph\AppData\Local\Packages\windows_ie_ac_001\AC\INetCache\79TD08KV\Conduit.Search[1].htm --a---- 386 bytes [22:43 05/06/2014] [22:43 05/06/2014] 2492CC4639F9B502E3736F7E82B49D34
C:\Windows.old\Users\Joseph\AppData\Local\Packages\windows_ie_ac_001\AC\INetCache\79TD08KV\Conduit.Search[2].htm --a---- 190 bytes [00:43 06/06/2014] [00:43 06/06/2014] 40DA374ED0006AC48F1BFF3B626A36AA
C:\Windows.old\Users\Joseph\AppData\Local\Packages\windows_ie_ac_001\AC\INetCache\79TD08KV\SlimwareCPC-US-Conduit6675-All-300-lp1-Test51a-23058_fc[1].gif --a---- 20470 bytes [14:32 05/06/2014] [14:32 05/06/2014] A630C812E06A4DB89B144F9E467C5EB3
C:\Windows.old\Users\Joseph\AppData\Local\Packages\windows_ie_ac_001\AC\INetCache\H3DRDUUW\Slimware-US-Conduit3761-All-300-lp1-Test69b-21635_fc[1].gif --a---- 56915 bytes [23:13 05/06/2014] [23:13 05/06/2014] CF8F4079F23B535195917DE2B3C8D46E
C:\Windows.old\Users\Joseph\AppData\Local\Packages\windows_ie_ac_001\AC\INetCache\MDLYIN3R\Conduit.Search[1].htm --a---- 190 bytes [14:32 05/06/2014] [14:32 05/06/2014] 40DA374ED0006AC48F1BFF3B626A36AA
C:\Windows.old\Users\Joseph\AppData\Local\Packages\windows_ie_ac_001\AC\INetCache\MDLYIN3R\Conduit.Search[2].htm --a---- 272 bytes [16:23 05/06/2014] [16:23 05/06/2014] 2E90AD6EA6863F555C1A808B3F285AF1
C:\Windows.old\Users\Joseph\AppData\Local\Packages\windows_ie_ac_001\AC\INetCache\MDLYIN3R\Conduit[1].htm --a---- 1863 bytes [14:32 05/06/2014] [14:32 05/06/2014] B9B753A6777B5F0C3E4315684D4B52D9
C:\Windows.old\Users\Joseph\AppData\Local\Packages\windows_ie_ac_001\AC\INetCache\MDLYIN3R\Conduit[2].htm --a---- 1995 bytes [18:31 05/06/2014] [18:31 05/06/2014] BF426B06CF721C7064B28BA733DEFACC

========== Folderfind ==========

Searching for "*Conduit*"
No folders found.

========== Regfind ==========

Searching for "Conduit"
No data found.

-= EOF =-


Report •

#36
November 5, 2014 at 15:27:12
1: Ok, delete all those Conduit entries.

2: Do another Norton scan & post the log.


Report •

#37
November 6, 2014 at 09:58:50
What do I use to delete the Conduit entries? Are they all in the C:\Windows.old folder, which I should delete?

Report •

#38
November 6, 2014 at 14:22:22
"Are they all in the C:\Windows.old folder which I should delete"
Yes.

All the ones listed in SystemLook

========== Filefind ==========

Searching for "*Conduit*"


Report •

#39
November 6, 2014 at 14:24:27
Alternatively, if you have got all your files out of Windows.old.

do I need to keep Windows.old windows 8.1
http://is.gd/5IIN8Q

How to remove the Windows.old folder
http://windows.microsoft.com/en-AU/...


Report •

#40
November 7, 2014 at 16:43:48
Moved Windows.old to My Documents, then deleted Windows.old with the Clean up system files program, followed up with the Norton Quick Scan, and these are the Norton scan results.

Scan Information:
Virus Defs Version: 2014.11.07.002
Virus Defs Seq ID: 158724

Scan Statistics:
Scan Start:
Local: 11/7/2014 4:22 PM
UTC: 11/8/2014 12:22 AM
Scan Time: 305 seconds
Scan Targets: Commonly infected areas
Counts:
Total items scanned: 5,544
- Files & Directories: 2,820
- Registry Entries: 572
- Processes & Start-up Items: 1,503
- Network & Browser Items: 642
- Other: 4
- Trusted Files: 583
- Skipped Files: 76

Total security risks detected: 6
Total items resolved: 6
Total items that require attention: 0

Resolved Threats:
6 Tracking Cookies
Type: Anomaly
Risk: Low (Low Stealth, Low Removal, Low Performance, Low Privacy)
Categories: Tracking Cookies
Status: Fully Resolved
-----------
6 Tracking Cookies
Cookie:joseph@doubleclick.net/ - Deleted
Cookie:joseph@kontera.com/ - Deleted
Cookie:joseph@tribalfusion.com/ - Deleted
Cookie:joseph@microsoftsto.112.2o7.net/ - Deleted
Cookie:joseph@m.webtrends.com/ - Deleted
- Deleted


Unresolved Threats:
No unresolved risks


Report •

#41
November 7, 2014 at 16:50:22
Looks good, use Adblock Plus to stop those tracking cookies.

Features
https://adblockplus.org/en/features
A web page will open after the install in whichever browser you installed Adblock Plus in. Follow these SS ( screenshots )
http://i.imgur.com/pW20i0u.gif
http://i.imgur.com/pRIayVe.gif


Report •

#42
November 7, 2014 at 16:57:14
As you can see from your logs, you had a lot of stuff installed that you do not know how it had been installed.
A lot of programs now give you the choice to install toolbars & other items during the install. Either uncheck these items during install, or use Custom install. No more click, click during an install; you have to read after each click.

I use Softpedia, down the bottom of the page, they make you aware what Ad-supported programs the author of the program has included.
Sample pages
http://www.softpedia.com/get/CD-DVD...
First and foremost, extra attention needs to be paid during installation as ImgBurn offers to create desktop shortcuts to third-party apps, as well as install a browser toolbar onto the host computer, which are not required to ensure the smooth running of the app.
SS of above.
http://i.imgur.com/jgGYNsP.gif
This is what ImgBurn tries to install.
http://i.imgur.com/ms4DzE9.gif
http://i.imgur.com/vVkd39a.gif
http://i.imgur.com/rqFVaHs.gif
http://i.imgur.com/sm1T7h6.gif
http://i.imgur.com/vhkKLYo.gif

Use Unchecky to help prevent these third party installs. Nothing is perfect, the baddies are always ahead of the goodies, so be vigilant.
http://www.softpedia.com/get/System...
http://unchecky.com/
A reliable application that aims to protect your computer against third-party components often offered during software installations.


Report •

#43
November 8, 2014 at 12:27:18
I do not install stuff to my tool bar and certainly try to be selective and cautious about what I click. At any rate I still see the Norton alert that has given us such a long history here without a solution to getting rid of it. Perhaps I should allow it to run and see what Norton does with it?

Report •
