Solved: Trojan.Gen is running away with my computer again!

July 31, 2014 at 12:21:50
Specs: Windows 7
The SEP Antivirus Detection Results window keeps popping up. Hundreds of Trojan.Gens detected. Tried running a full system scan, which took days to run. After scanning about 2M files it finally started finding infected files in the thousands. Some have been quarantined and others just logged. The detection results window still appears; even when I close it, another one pops up.




✔ Best Answer
August 11, 2014 at 15:58:37
"No viruses found after running MSE!"
Whew, just as well you said this below. I was running out of ideas.
"That makes me nervous"
You now need to research (Google) how to either use the CD that you mentioned or download the W7 ISO that I mentioned. Having both available is ideal.
Also, research how to have all your important stuff backed up; I have 3 copies of everything.

File to be deleted.
C:\ComboFix

Tools to keep (just update before using). Others not mentioned need to be downloaded again, because they release new versions constantly.
ESET Online Scanner
TDSSKiller
http://www.softpedia.com/get/Antivi...
http://www.softpedia.com/progScreen...
http://usa.kaspersky.com/downloads/...
http://support.kaspersky.com/faq/?q...
http://support.kaspersky.com/viruse...
Anti-rootkit utility TDSSKiller
http://support.kaspersky.com/faq/?q...
Malwarebytes' Anti-Malware ( MBAM )
TFC
Wise Disk Cleaner
Wise Registry Cleaner
IObit Uninstaller

System Restore will have infected files in it; turning System Restore OFF and then ON will remove them.
http://www.7tutorials.com/system-re...
http://www.sevenforums.com/tutorial...

message edited by Johnw



#1
July 31, 2014 at 13:36:09
At some stage JohnW (and a couple of others well versed in this "stuff") will drop across this one; it's the sort of thing they enjoy...

In the meantime - download and burn to a DVD the Kaspersky Rescue disk ISO.

http://support.kaspersky.co.uk/viru...

Boot up with the DVD. It will load itself into RAM only, then go on-line to update itself and then scan your entire system (a full scan if you opt to - and I would). It will find a lot that most scanners won't - especially if they are running from within Windows itself. A lot of pests can hide within Windows and thus escape detection etc... Booting from an OS that is installed into RAM only leaves them exposed and thus one can deal with them.

The disk is built around a Linux variant. It will access your hard drive - as a resource only; it will not write to it or install itself - unless you opt to (which I wouldn't at this time).

When it's done what it can - reboot without the Kaspersky disk; and see how things are.

Then download and run in this order:

malwarebytes:

https://www.malwarebytes.org - download the "free" version.

Adwcleaner:

https://www.google.co.uk/?gws_rd=ss...

Junkware Removal Tool (JRT)

http://www.bleepingcomputer.com/dow...

JRT puts itself onto the desktop suitably labeled (JRT as I recall). Run it from there.

When you have done that lot, run Disk Cleanup, empty the Recycle Bin, and then reboot.

All of the above are freebies; regularly recommended here.



#2
July 31, 2014 at 14:02:38
#1 I went to the link you provided. It stated: Applies to Kaspersky Rescue Disk

Kaspersky Rescue Disk 10 is designed to scan, disinfect and restore infected operating systems. It should be used when it is impossible to boot the operating system.

I am able to boot the operating system. Should I use it anyway?



#3
July 31, 2014 at 14:07:44
Yes... The idea is to actually boot up the system - outside of the installed operating system. The Linux variant will load itself into RAM only. It will not install to the hard drive - unless you tell it to.

As in my post above, after updating itself it will run a full scan etc... and clean out anything nasty it finds... And often it is surprising just what is hidden that scanners running within windows don't find...

Equally the other utilities I suggested will dig out a few nasties; each utility has its own style and items it goes after...




#4
July 31, 2014 at 14:23:36
How do I burn Kaspersky with ImgBurn?


#5
July 31, 2014 at 14:44:07
This is a guide to installing and using ImgBurn:

http://tinyurl.com/qh5uter

I think it covers it all for you.

Also as I recall (in Windows - I'm on a Mac), if you locate the ISO file and right-click on it, there is a drop-down menu that will include an option to burn to a CD/DVD - using the utility included in Windows 7?



#6
July 31, 2014 at 15:34:50
Here is the last time we helped.
http://www.computing.net/answers/se...

When all of trvlr's posts have been done, Copy & Paste the contents of the logs in your reply please.



#7
July 31, 2014 at 16:13:29
#5 - I tried to boot from the disk but it went straight to windows. I went into BIOS and changed the boot order but apparently that didn't work. Should I undo that and proceed with Johnw #6 post?


#8
July 31, 2014 at 16:28:45
trvlr may be in bed now; you are in the US, I'm here, so let's continue. Let me know when you want to go to bed.
http://www.timeanddate.com/worldclo...

Let me see all the logs you have for your current problems.

Next step.

Run RogueKiller
http://www.softpedia.com/get/Securi...
http://www.softpedia.com/progScreen...
http://majorgeeks.com/RogueKiller_d...
http://www.geekstogo.com/forum/file...
http://tigzy.geekstogo.com/roguekil...
http://www.sur-la-toile.com/RogueKi...
User Guide
http://www.adlice.com/softwares/rog...
Official tutorial
http://www.adlice.com/softwares/rog...
If RogueKiller won't run, open IE & turn off SmartScreen Filter.
http://windows.microsoft.com/en-AU/...
Download & SAVE to your Desktop. If your default download location is not the Desktop, drag it out of its location onto the Desktop.
Quit all programs that you may have started.
Shutdown your antivirus to avoid any conflicts.
Please disconnect any USB or external drives from the computer before you run this scan!
For Vista or Windows 7/8, right-click and select "Run as Administrator" to start.

For Windows XP, double-click to start.
Wait until Prescan has finished ...
Then Click on "Scan" button
Wait until the Status box shows "Scan Finished"
Click on "delete"
Wait until the Status box shows "Deleting Finished"
Click on "Report" and Copy & Paste the content of the Notepad into your next reply.
The log should be found in RKreport[1].txt on your Desktop.
Exit/Close RogueKiller.
When completed make sure to re-enable your antivirus.

message edited by Johnw



#9
July 31, 2014 at 16:30:10
I've also tried to restore my computer to a previous point a few days ago but there are no longer any restoration points. I've always had at least 4 to choose from.


#10
July 31, 2014 at 16:32:53
#8 - I started OTL scan, should I stop it?


#11
July 31, 2014 at 16:33:17
" I've always had at least 4 to choose from"
Anything can happen, once you are infected.


#12
July 31, 2014 at 16:33:52
"#8 - I started OTL scan, should I stop it?"
No.


#13
July 31, 2014 at 16:43:34
1. I can't disable my SEP. It's grayed out.

2. Should I change my BIOS back?

3. I've downloaded Roguekiller, should I wait until OTL is finished scanning?



#14
July 31, 2014 at 16:52:48
"1. I can't disable my SEP. It's grayed out"
Don't know what that means; I will when I get more detail. My head is focused on your other stuff.

"2. Should I change my BIOS back? "
Yes.

"3. should I wait until OTL is finished scanning?'
Yes.

message edited by Johnw



#15
July 31, 2014 at 16:59:30
SEP Antivirus Detection disable greyed out
http://is.gd/iFh9dG


#16
July 31, 2014 at 16:59:46
#8 - Run RogueKiller. "Shutdown your antivirus to avoid any conflicts."


#17
July 31, 2014 at 17:03:44
How to Temporarily Disable your Anti-virus
http://www.bleepingcomputer.com/for...
http://www.techsupportforum.com/for...


#18
July 31, 2014 at 17:20:57
Okay - was able to disable SEP but will wait until OTL is finished scanning and then run RogueKiller - or can I run them simultaneously?


#19
July 31, 2014 at 17:22:43
"can I run them simultaneously?"
No.


#20
July 31, 2014 at 17:27:28
#19 - Okay, it may take a while. It usually takes a couple of days to run a full SEP scan.


#21
July 31, 2014 at 17:30:08
When the scan completes, should I change the BIOS first or go ahead with the roguekiller scan?
What timezone are you in?


#22
July 31, 2014 at 17:34:36
"#19 - okay. it may take awhile. It usually takes a couple of days to run a full SEP scan."
Don't do it; in other words, skip the SEP scan.

"should I change the BIOS first"
Yes.

"What timezone are you in?"
Refer my post #8



#23
July 31, 2014 at 17:44:06
"it may take awhile." I was just relaying how long it takes to scan my computer.


#24
July 31, 2014 at 17:52:39
OK, hopefully that will not be the case when we get you clean; that time span is not normal.


#25
July 31, 2014 at 17:56:34
OTL scan is finished. I will change the BIOS now.


#26
July 31, 2014 at 17:59:01
"OTL scan is finished"
Logs now please, so I can get started.


#27
July 31, 2014 at 18:11:57
Unfortunately I decided to change the BIOS first and am now waiting..... for my laptop to shut down. It's been a few minutes.



#29
July 31, 2014 at 18:52:04
Should I disable wireless while scanning with RogueKiller without SEP?


#30
July 31, 2014 at 19:08:53
"Should I disable wireless while scanning roguekiller without SEP?"
Won't hurt.


#31
July 31, 2014 at 19:11:14
RogueKiller V9.2.4.0 [Jul 11 2014] by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : http://forum.adlice.com
Website : http://www.adlice.com/softwares/rog...
Blog : http://www.adlice.com

Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User : HHGregg [Admin rights]
Mode : Remove -- Date : 07/31/2014 22:05:39

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 16 ¤¤¤
[Suspicious.Path] (X64) HKEY_USERS\S-1-5-21-2085123217-935189565-1928209853-1012\Software\Microsoft\Windows\CurrentVersion\Run | hsscp.EXE : C:\Users\Vicki 2\AppData\Roaming\Hotspot Shield\bin\hsscp.EXE -nonadmin [x] -> DELETED
[Suspicious.Path] (X86) HKEY_USERS\S-1-5-21-2085123217-935189565-1928209853-1012\Software\Microsoft\Windows\CurrentVersion\Run | hsscp.EXE : C:\Users\Vicki 2\AppData\Roaming\Hotspot Shield\bin\hsscp.EXE -nonadmin -> ERROR [2]
[PUM.Proxy] (X64) HKEY_USERS\S-1-5-21-2085123217-935189565-1928209853-1012\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyServer : http=127.0.0.1:8555;https=127.0.0.1:8555 -> NOT SELECTED
[PUM.Proxy] (X86) HKEY_USERS\S-1-5-21-2085123217-935189565-1928209853-1012\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyServer : http=127.0.0.1:8555;https=127.0.0.1:8555 -> NOT SELECTED
[PUM.StartMenu] (X64) HKEY_USERS\S-1-5-21-2085123217-935189565-1928209853-1012\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowMyDocs : 0 -> NOT SELECTED
[PUM.StartMenu] (X64) HKEY_USERS\S-1-5-21-2085123217-935189565-1928209853-1012\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowMyGames : 0 -> NOT SELECTED
[PUM.StartMenu] (X86) HKEY_USERS\S-1-5-21-2085123217-935189565-1928209853-1012\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowMyDocs : 0 -> NOT SELECTED
[PUM.StartMenu] (X86) HKEY_USERS\S-1-5-21-2085123217-935189565-1928209853-1012\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowMyGames : 0 -> NOT SELECTED
[PUM.DesktopIcons] (X64) HKEY_USERS\S-1-5-21-2085123217-935189565-1928209853-1012\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\ClassicStartMenu | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1 -> NOT SELECTED
[PUM.DesktopIcons] (X86) HKEY_USERS\S-1-5-21-2085123217-935189565-1928209853-1012\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\ClassicStartMenu | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1 -> NOT SELECTED
[PUM.DesktopIcons] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1 -> NOT SELECTED
[PUM.DesktopIcons] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {59031a47-3f72-44a7-89c5-5595fe6b30ee} : 1 -> NOT SELECTED
[PUM.DesktopIcons] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1 -> NOT SELECTED
[PUM.DesktopIcons] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {59031a47-3f72-44a7-89c5-5595fe6b30ee} : 1 -> NOT SELECTED
[PUM.DesktopIcons] (X64) HKEY_USERS\S-1-5-21-2085123217-935189565-1928209853-1012\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1 -> NOT SELECTED
[PUM.DesktopIcons] (X86) HKEY_USERS\S-1-5-21-2085123217-935189565-1928209853-1012\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1 -> NOT SELECTED

¤¤¤ Scheduled tasks : 0 ¤¤¤

¤¤¤ Files : 1 ¤¤¤
[Suspicious.Path][File] SetPointUpgrade.lnk -- C:\Users\HHGregg\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SetPointUpgrade.lnk [LNK@] C:\Users\Vicki 2\AppData\Local\Temp\Logitech\SetPointSI_5\Setup.exe -wait expr=SetVar(mode,\"legacy_post\") -> DELETED

¤¤¤ HOSTS File : 0 [Too big!] ¤¤¤

¤¤¤ Antirootkit : 0 (Driver: NOT LOADED [0xc000036b]) ¤¤¤

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: ST9500325AS +++++
--- User ---
[MBR] 86a4ca094625ce501cacfb20039d96b4
[BSP] 458bba96ec5b49231958465634cc0d18 : Windows Vista/7/8 MBR Code
Partition table:
0 - [XXXXXX] ACER (0x27) [VISIBLE] Offset (sectors): 2048 | Size: 9890 MB
1 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 20256768 | Size: 100 MB
2 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 20461568 | Size: 466948 MB
User = LL1 ... OK
User = LL2 ... OK


============================================
RKreport_SCN_07312014_215857.log



#32
July 31, 2014 at 19:14:09
All those -> NOT SELECTED items mean you haven't checked & deleted them.


#33
July 31, 2014 at 19:18:15
What do I do?


#34
July 31, 2014 at 19:21:14
Run RogueKiller again, go through all the tabs & make sure all the boxes are checked/ticked on the items it finds.

Post a new log.


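The point made in posts #32 and #34 can be checked mechanically: in a RogueKiller report, a finding whose action is NOT SELECTED (box left unticked) or ERROR is still on the machine, whatever the rest of the log looks like. The script below is an added example for this thread, not code from any post and not from Adlice, RogueKiller's author. The line pattern it matches is inferred from the 9.2.4.0 reports posted above and is an assumption; SAMPLE_REPORT is a handful of lines copied from those reports. Besides listing what is left over, it flags the PUM.Proxy entry that points the browser at a proxy on 127.0.0.1, the setting post #38 asks the user to clear by hand.

```python
"""Triage a RogueKiller report: list findings that were not actually removed.

Added example for this thread; not code from any post or from Adlice.
FINDING_RE is inferred from the 9.2.4.0 reports posted above (an
assumption); SAMPLE_REPORT is a subset of lines copied from them.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Lines copied from the RogueKiller logs in posts #31 and #35.
SAMPLE_REPORT = r"""
¤¤¤ Registry Entries : 4 ¤¤¤
[Suspicious.Path] (X64) HKEY_USERS\S-1-5-21-2085123217-935189565-1928209853-1012\Software\Microsoft\Windows\CurrentVersion\Run | hsscp.EXE : C:\Users\Vicki 2\AppData\Roaming\Hotspot Shield\bin\hsscp.EXE -nonadmin [x] -> DELETED
[Suspicious.Path] (X86) HKEY_USERS\S-1-5-21-2085123217-935189565-1928209853-1012\Software\Microsoft\Windows\CurrentVersion\Run | hsscp.EXE : C:\Users\Vicki 2\AppData\Roaming\Hotspot Shield\bin\hsscp.EXE -nonadmin -> ERROR [2]
[PUM.Proxy] (X64) HKEY_USERS\S-1-5-21-2085123217-935189565-1928209853-1012\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyServer : http=127.0.0.1:8555;https=127.0.0.1:8555 -> NOT SELECTED
[PUM.StartMenu] (X64) HKEY_USERS\S-1-5-21-2085123217-935189565-1928209853-1012\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowMyDocs : 0 -> REPLACED (1)

¤¤¤ Files : 1 ¤¤¤
[Suspicious.Path][File] SetPointUpgrade.lnk -- C:\Users\HHGregg\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SetPointUpgrade.lnk [LNK@] C:\Users\Vicki 2\AppData\Local\Temp\Logitech\SetPointSI_5\Setup.exe -wait expr=SetVar(mode,\"legacy_post\") -> DELETED
"""

# Report line shape (assumed): [Category][Kind?] (View?) detail -> ACTION
FINDING_RE = re.compile(
    r"^\[(?P<category>[^\]]+)\]"            # [PUM.Proxy], [Suspicious.Path]
    r"(?:\[(?P<kind>[^\]]+)\])?"            # optional second tag such as [File]
    r"\s*(?:\((?P<view>X64|X86)\))?\s*"     # registry view; absent on file lines
    r"(?P<detail>.+?)"                      # key | value : data, or a path
    r"\s*->\s*(?P<action>[A-Z]+(?: [A-Z]+)*(?: \(\d+\)| \[\d+\])?)\s*$"
)


@dataclass
class Finding:
    category: str
    kind: Optional[str]
    view: Optional[str]
    location: str          # registry key, or the file path for [File] lines
    value: Optional[str]   # "name : data" after the " | " separator, if any
    action: str

    @property
    def resolved(self) -> bool:
        # RogueKiller writes DELETED for removed items and REPLACED (n) for
        # values it reset; NOT SELECTED and ERROR [n] mean the item remains.
        return self.action.startswith(("DELETED", "REPLACED"))


def parse_report(text: str) -> List[Finding]:
    """Extract one Finding per matching line; headers and MBR dump are skipped."""
    findings = []
    for line in text.splitlines():
        m = FINDING_RE.match(line.strip())
        if not m:
            continue
        location, sep, value = m["detail"].partition(" | ")
        findings.append(Finding(
            category=m["category"], kind=m["kind"], view=m["view"],
            location=location, value=value if sep else None, action=m["action"],
        ))
    return findings


def unresolved(findings: List[Finding]) -> List[Finding]:
    """Findings the user still has to deal with (tick the box and rerun)."""
    return [f for f in findings if not f.resolved]


def loopback_proxies(findings: List[Finding]) -> List[Finding]:
    """PUM.Proxy entries routing the browser through a proxy on this machine."""
    return [f for f in findings
            if f.category == "PUM.Proxy" and f.value
            and ("127.0.0.1" in f.value or "localhost" in f.value)]


if __name__ == "__main__":
    found = parse_report(SAMPLE_REPORT)
    for f in unresolved(found):
        print(f"still present: [{f.category}] ({f.view}) {f.location} | {f.value} -> {f.action}")
    for f in loopback_proxies(found):
        print(f"browser proxied through: {f.value}")
```

On the sample, two findings come back as unresolved: the NOT SELECTED proxy entry and the ERROR [2] line. The (X86) line is RogueKiller's 32-bit (WOW64) view of the same per-user hive; an ERROR [2] there immediately after the (X64) copy was DELETED is consistent with Win32 error 2, ERROR_FILE_NOT_FOUND, meaning the key was already gone, but that reading is an assumption about how RogueKiller reports errors, so the script just lists it for a human to confirm on the next scan.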

#35
July 31, 2014 at 19:40:53
RogueKiller V9.2.4.0 [Jul 11 2014] by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : http://forum.adlice.com
Website : http://www.adlice.com/softwares/rog...
Blog : http://www.adlice.com

Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User : HHGregg [Admin rights]
Mode : Remove -- Date : 07/31/2014 22:36:48

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 14 ¤¤¤
[PUM.Proxy] (X64) HKEY_USERS\S-1-5-21-2085123217-935189565-1928209853-1012\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyServer : http=127.0.0.1:8555;https=127.0.0.1:8555 -> DELETED
[PUM.Proxy] (X86) HKEY_USERS\S-1-5-21-2085123217-935189565-1928209853-1012\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyServer : http=127.0.0.1:8555;https=127.0.0.1:8555 -> ERROR [2]
[PUM.StartMenu] (X64) HKEY_USERS\S-1-5-21-2085123217-935189565-1928209853-1012\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowMyDocs : 0 -> REPLACED (1)
[PUM.StartMenu] (X64) HKEY_USERS\S-1-5-21-2085123217-935189565-1928209853-1012\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowMyGames : 0 -> REPLACED (1)
[PUM.StartMenu] (X86) HKEY_USERS\S-1-5-21-2085123217-935189565-1928209853-1012\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowMyDocs : 0 -> REPLACED (1)
[PUM.StartMenu] (X86) HKEY_USERS\S-1-5-21-2085123217-935189565-1928209853-1012\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowMyGames : 0 -> REPLACED (1)
[PUM.DesktopIcons] (X64) HKEY_USERS\S-1-5-21-2085123217-935189565-1928209853-1012\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\ClassicStartMenu | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1 -> REPLACED (0)
[PUM.DesktopIcons] (X86) HKEY_USERS\S-1-5-21-2085123217-935189565-1928209853-1012\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\ClassicStartMenu | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1 -> REPLACED (0)
[PUM.DesktopIcons] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1 -> REPLACED (0)
[PUM.DesktopIcons] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {59031a47-3f72-44a7-89c5-5595fe6b30ee} : 1 -> REPLACED (0)
[PUM.DesktopIcons] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1 -> REPLACED (0)
[PUM.DesktopIcons] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {59031a47-3f72-44a7-89c5-5595fe6b30ee} : 1 -> REPLACED (0)
[PUM.DesktopIcons] (X64) HKEY_USERS\S-1-5-21-2085123217-935189565-1928209853-1012\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1 -> REPLACED (0)
[PUM.DesktopIcons] (X86) HKEY_USERS\S-1-5-21-2085123217-935189565-1928209853-1012\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1 -> REPLACED (0)

¤¤¤ Scheduled tasks : 0 ¤¤¤

¤¤¤ Files : 0 ¤¤¤

¤¤¤ HOSTS File : 0 [Too big!] ¤¤¤

¤¤¤ Antirootkit : 0 (Driver: NOT LOADED [0xc000036b]) ¤¤¤

¤¤¤ Web browsers : 9 ¤¤¤
[IE:Addon] System : LastPass Toolbar [{9f6b5cc3-5c7b-4b5c-97af-19dec1e380e5}] -> DELETED
[FIREFX:Addon] cdfi4b6q.default : Forecastfox Weather [{0538E3E3-7E9B-4d49-8831-A227C80A7AD3}] -> DELETED
[FIREFX:Addon] cdfi4b6q.default : LastPass Password Manager [support@lastpass.com] -> DELETED
[FIREFX:Addon] cdfi4b6q.default : Lavasoft Search Plugin [jid1-yZwVFzbsyfMrqQ@jetpack] -> DELETED
[FIREFX:Addon] cdfi4b6q.default : Search Toolbar [searchtoolbar@zugo.com] -> DELETED
[FIREFX:Addon] cdfi4b6q.default : Ad-Aware Security Add-on [{87934c42-161d-45bc-8cef-ef18abe2a30c}] -> DELETED
[FIREFX:Addon] cdfi4b6q.default : Adobe Acrobat - Create PDF [web2pdfextension@web2pdf.adobedotcom] -> DELETED
[FIREFX:Addon] cdfi4b6q.default : Motive Extension [mcciwbch@motive.com] -> DELETED
[CHROME:Addon] Default : Motive Extension [edmgmpmklgfbohogafcfobonnkogchec] -> DELETED

¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: ST9500325AS +++++
--- User ---
[MBR] 86a4ca094625ce501cacfb20039d96b4
[BSP] 458bba96ec5b49231958465634cc0d18 : Windows Vista/7/8 MBR Code
Partition table:
0 - [XXXXXX] ACER (0x27) [VISIBLE] Offset (sectors): 2048 | Size: 9890 MB
1 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 20256768 | Size: 100 MB
2 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 20461568 | Size: 466948 MB
User = LL1 ... OK
User = LL2 ... OK


============================================
RKreport_DEL_07312014_220539.log - RKreport_SCN_07312014_215857.log - RKreport_SCN_07312014_223408.log



#36
July 31, 2014 at 19:42:34
Run both of these, in this order.

1: Run AdwCleaner
http://www.softpedia.com/get/Antivi...
http://www.softpedia.com/progScreen...
How to download from Softpedia
http://i.imgur.com/BWELEfV.gif
http://i.imgur.com/4luY3rU.gif
http://www.raymond.cc/blog/adwclean...
http://www.bleepingcomputer.com/dow...
Author's site
http://general-changelog-team.fr/en...
Tutorial
http://general-changelog-team.fr/en...
Please download AdwCleaner by Xplode onto your Desktop. If your default download location is not the Desktop, drag it out of its location onto the Desktop.
Close all open programs and internet browsers.
Double click on AdwCleaner.exe to run the tool.
Click on Clean.
Confirm each time with Ok.
Your computer will be rebooted automatically. A text file will open after the restart.
Please Copy & Paste the contents of that logfile with your next answer.
You can find the logfile at C:\AdwCleaner[S1].txt as well.

2: Run Junkware Removal Tool
http://www.softpedia.com/get/Securi...
http://www.softpedia.com/progScreen...
How to download from Softpedia
http://i.imgur.com/qO92huz.gif
http://i.imgur.com/qzTUYkX.gif
http://www.bleepingcomputer.com/dow...
http://thisisudax.blogspot.com.au/2...
Download Junkware Removal Tool onto your Desktop. If your default download location is not the Desktop, drag it out of its location onto the Desktop.
Warning! Once the scan is complete JRT will shut down your browser with NO warning.
Shut down your protection software now to avoid potential conflicts.
Temporarily disable your antivirus and any antispyware real time protection before performing a scan.
Click this link to see a list of security programs that should be disabled and how to disable them.
http://www.bleepingcomputer.com/for...
http://www.techsupportforum.com/for...
Run the tool by double-clicking it. If you are using Windows Vista or Windows 7/8, right-click JRT and select Run as Administrator.
The tool will open and start scanning your system.
Please be patient as this can take a while to complete depending on your system's specifications.
On completion, a log (JRT.txt) is saved onto your Desktop and will automatically open.
Copy and Paste the contents of the JRT.txt log please.



#37
July 31, 2014 at 20:21:56
My computer won't shut down.


#38
July 31, 2014 at 20:28:17
Looks like an infection has enabled your proxy. See if you can change it, then see if you can shut down. If not, hold the power button in till it shuts down.
http://www.bleepingcomputer.com/vir...
Start > Control Panel > Internet Options > Connections > LAN settings, untick > Use a proxy server for your LAN. Click OK twice.


#39
July 31, 2014 at 20:36:43
It's stuck on the shutting down blue screen. No option to do anything. I'll have to manually power it down.


#40
July 31, 2014 at 20:48:37
That wasn't the problem. Nothing was checked.


#41
July 31, 2014 at 21:02:02
Ok, will wait for the post #36 logs.


#42
July 31, 2014 at 21:11:07
# AdwCleaner v3.302 - Report created 31/07/2014 at 23:06:23
# Updated 30/07/2014 by Xplode
# Operating System : Windows 7 Home Premium Service Pack 1 (64 bits)
# Username : HHGregg - VICKI-VAIO
# Running from : C:\Users\Vicki 2\Desktop\adwcleaner_3.302.exe
# Option : Clean

***** [ Services ] *****


***** [ Files / Folders ] *****

File Deleted : C:\Users\Vicki 2\AppData\Local\Google\Chrome\User Data\Default\Local Storage\hxxp_www.superfish.com_0.localstorage
File Deleted : C:\Users\Vicki 2\AppData\Local\Google\Chrome\User Data\Default\Local Storage\hxxp_www.superfish.com_0.localstorage-journal

***** [ Scheduled Tasks ] *****


***** [ Shortcuts ] *****


***** [ Registry ] *****

Key Deleted : HKCU\Software\Softonic

***** [ Browsers ] *****

-\\ Internet Explorer v11.0.9600.17207


-\\ Mozilla Firefox v31.0 (x86 en-US)

[ File : C:\Users\HHGregg\AppData\Roaming\Mozilla\Firefox\Profiles\cdfi4b6q.default\prefs.js ]


[ File : C:\Users\Vicki 2\AppData\Roaming\Mozilla\Firefox\Profiles\tafauqtx.default-1378473146719\prefs.js ]

Line Deleted : user_pref("extensions.TooManyTabs@visibotech.com.recentlyClosedTabs", "[{\"label\":\"Starting download for AdwCleaner...\",\"url\":\"hxxp://www.softpedia.com/dyn-postdownload.php/c1a99b991974070b2f526[...]

-\\ Google Chrome v36.0.1985.125

[ File : C:\Users\Vicki 2\AppData\Local\Google\Chrome\User Data\Default\preferences ]

Deleted [Search Provider] : hxxp://www.ask.com/web?q={searchTerms}
Deleted [Search Provider] : hxxp://search.aol.com/aol/search?q={searchTerms}

*************************

AdwCleaner[R0].txt - [4396 octets] - [26/04/2014 11:19:34]
AdwCleaner[R1].txt - [1893 octets] - [31/07/2014 22:58:01]
AdwCleaner[S0].txt - [4483 octets] - [26/04/2014 11:26:51]
AdwCleaner[S1].txt - [1786 octets] - [31/07/2014 23:06:23]

########## EOF - \AdwCleaner\AdwCleaner[S1].txt - [1846 octets] ##########

message edited by KPKris



#43
July 31, 2014 at 21:40:33
This f****d up my computer. All of my bookmarks are gone. Font is 9pt for everything. All items in the Start menu are changed, tray icons are missing, and when I go to the Start menu it says I'm logged in as Admin, but when I go to switch user it says that I am logged in as me.


#44
July 31, 2014 at 21:43:18
And all saved passwords are gone.


#45
July 31, 2014 at 21:47:38
Have you rebooted? Everything that gets removed is removed because it is faulty.

If after the reboot, things are still not right we will start repairs to get it back to normal.



#46
July 31, 2014 at 21:49:48
It won't shut down.


#47
July 31, 2014 at 22:14:43
I'm going to bed. Should I manually shut it down?


#48
July 31, 2014 at 22:21:08
Yep. Run this when you are refreshed.

Run Tweaking.com - Windows Repair

Disable your antivirus program before running Windows Repair.

Start at Step 1 & when you get to the final step, check/tick all the boxes. Reboot when finished.

http://www.softpedia.com/get/Tweak/...
http://www.softpedia.com/progScreen...
http://www.tweaking.com/
http://www.tweaking.com/content/pag...

Copy and Paste the contents of the following log in your reply:
C:\Program Files\Tweaking.com\Windows Repair (All in One)\Tweaking.com_Windows_Repair_Logs\_Windows_Repair_Log.txt




#49
August 1, 2014 at 08:47:38
Malwarebytes is scanning the Trojans.

Tweaking.com - Step 2. Malwarebytes scanning. - Before trying to repair Windows you need to make sure your system is clean from infections. If your system is infected when you try to repair Windows, not only will repairs not work but things could become worse.

I am pausing the scan until further instruction.

message edited by KPKris



#50
August 1, 2014 at 11:18:45
Computer locked up. Got Windows errors (while using Firefox and Notepad) asking if I wanted to end the process or continue to wait for it to respond. Tried both options. Nothing worked. No response for either, and could not maximize programs that were minimized. Could not use the Start menu button or Ctrl+Alt+Del. My mouse did work, however.

Manually shut it down.



#51
August 1, 2014 at 16:38:22
"My mouse did work however"
OK, let's change direction for a while.

Download Rkill from any one of these links and save it to your Desktop. If your default download location is not the Desktop, drag it out of its location onto the Desktop. Copy & Paste the contents of the log in your reply.
http://www.bleepingcomputer.com/dow...
Double click on Rkill to run it. If the first one doesn't work try the next one.
This will help remove certain processes and should restore any file associations and your desktop. Note: Your system is still infected as Rkill does not delete files - it merely helps to temporarily disable the infections, allowing us to start the cleansing process.
Do NOT reboot your machine. Each time you reboot, Rkill is disabled and you would have to run it again in order for it to be effective.

Update & Run Malwarebytes' Anti-Malware ( MBAM ) Free Version. Use Quick scan (now called Threat Scan). Copy and Paste the contents of the log in your reply please.
http://i.imgur.com/U9IqcVj.gif
http://i.imgur.com/zHMG6J9.gif



#52
August 1, 2014 at 20:02:54
Took Firefox 20 minutes to load. SEP is finding infected files; some are Trojan.Gen, some are not.
http://www.load.to/1uW2y3Y1Hn/scree...

I'm going to download Rkill. Should I disable SEP while running it?



#53
August 1, 2014 at 20:21:29
" Should I disable SEP while running it?"
No need.


#54
August 1, 2014 at 20:29:58
Rkill 2.6.7 by Lawrence Abrams (Grinler)
http://www.bleepingcomputer.com/
Copyright 2008-2014 BleepingComputer.com
More Information about Rkill can be found at this link:
http://www.bleepingcomputer.com/for...

Program started at: 08/01/2014 11:09:03 PM in x64 mode.
Windows Version: Windows 7 Home Premium Service Pack 1

Checking for Windows services to stop:

* No malware services found to stop.

Checking for processes to terminate:

* C:\Windows\system32\nlsInterface.exe (PID: 3924) [WD-HEUR]

1 proccess terminated!

Checking Registry for malware related settings:

* No issues found in the Registry.

Resetting .EXE, .COM, & .BAT associations in the Windows Registry.

Performing miscellaneous checks:

* No issues found.

Checking Windows Service Integrity:

* No issues found.

Searching for Missing Digital Signatures:

* No issues found.

Checking HOSTS File:

* HOSTS file entries found:

127.0.0.1 www.007guard.com
127.0.0.1 007guard.com
127.0.0.1 008i.com
127.0.0.1 www.008k.com
127.0.0.1 008k.com
127.0.0.1 www.00hq.com
127.0.0.1 00hq.com
127.0.0.1 010402.com
127.0.0.1 www.032439.com
127.0.0.1 032439.com
127.0.0.1 www.0scan.com
127.0.0.1 0scan.com
127.0.0.1 1000gratisproben.com
127.0.0.1 www.1000gratisproben.com
127.0.0.1 1001namen.com
127.0.0.1 www.1001namen.com
127.0.0.1 100888290cs.com
127.0.0.1 www.100888290cs.com
127.0.0.1 www.100sexlinks.com
127.0.0.1 100sexlinks.com

20 out of 14643 HOSTS entries shown.
Please review HOSTS file for further entries.

Program finished at: 08/01/2014 11:24:53 PM
Execution time: 0 hours(s), 15 minute(s), and 50 seconds(s)



#55
August 1, 2014 at 20:33:29
"Rkill 2.6.7 by Lawrence Abrams (Grinler)"
Looks good, shall see what Malwarebytes says.


#56
August 1, 2014 at 20:34:32
Scanning now.
What are Hosts files?


#57
August 1, 2014 at 20:40:09
hosts file
http://is.gd/fIX9n5
http://en.wikipedia.org/wiki/Hosts_...

Probably put there by Spybot.


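The Rkill output above shows only 20 of 14643 hosts entries and asks for the rest to be reviewed; the post just above attributes them to Spybot. Reviewing by eye is hopeless at that size, so here is an added example for this thread (not from any post, and not from Rkill or Spybot) that does the review in Python. It separates blocklist-style entries, where a name is sent to 127.0.0.1 or 0.0.0.0 as Spybot's hosts immunization does, from the two patterns that matter on an infected machine: a security or update domain sent to a sinkhole, which is how malware keeps the antivirus from updating, and a name redirected to some other address, the classic hosts hijack. SAMPLE_HOSTS is constructed: its first entries copy the Rkill output, the rest are invented to exercise the checks, and PROTECTED_DOMAINS is an illustrative list, not an authoritative one.

```python
"""Triage a Windows hosts file: separate blocklist sinkholes from hijacks.

Added example for this thread; not code from any post or from Rkill/Spybot.
SAMPLE_HOSTS is constructed (first entries mirror the Rkill output above,
the rest are invented); PROTECTED_DOMAINS is illustrative only.
"""
import ipaddress
import sys
from collections import Counter

# Illustrative: domains whose sinkholing would cut off AV/OS updates. A real
# check would carry the vendor list relevant to the machine (assumption).
PROTECTED_DOMAINS = {
    "update.microsoft.com",
    "windowsupdate.microsoft.com",
    "www.malwarebytes.org",
    "www.eset.com",
    "www.kaspersky.com",
    "liveupdate.symantecliveupdate.com",
}

# The stock mapping every hosts file may carry.
DEFAULT_NAMES = {"localhost", "localhost.localdomain"}

SAMPLE_HOSTS = """\
# constructed sample; first entries copied from the Rkill output in this thread
127.0.0.1 localhost
127.0.0.1 www.007guard.com
127.0.0.1 007guard.com
127.0.0.1 008i.com
0.0.0.0   www.100sexlinks.com
127.0.0.1 www.malwarebytes.org
127.0.0.1 liveupdate.symantecliveupdate.com
198.51.100.23 www.mybank.example
"""


def parse_hosts(text):
    """Yield (ip_address, hostname) for every mapping; comments are skipped."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # first field is not an address: malformed line
        for name in fields[1:]:
            yield ip, name.lower().rstrip(".")


def classify(ip, name):
    """Label one entry.

    default    - the stock localhost mapping
    sinkhole   - name sent to loopback/0.0.0.0: blocklist style, harmless
    blocked-av - a security/update domain sent to a sinkhole: investigate
    redirect   - name sent to some other address: hosts hijack, investigate
    """
    if ip.is_loopback or ip.is_unspecified:
        if name in DEFAULT_NAMES:
            return "default"
        if name in PROTECTED_DOMAINS:
            return "blocked-av"
        return "sinkhole"
    return "redirect"


def triage(text):
    """Return (Counter of labels, list of (label, ip, name) needing a look)."""
    counts = Counter()
    flagged = []
    for ip, name in parse_hosts(text):
        label = classify(ip, name)
        counts[label] += 1
        if label in ("blocked-av", "redirect"):
            flagged.append((label, str(ip), name))
    return counts, flagged


if __name__ == "__main__":
    # On Windows 7 the live file is %SystemRoot%\System32\drivers\etc\hosts;
    # pass its path as the first argument, otherwise the sample is used.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    else:
        text = SAMPLE_HOSTS
    counts, flagged = triage(text)
    print(dict(counts))
    for label, ip, name in flagged:
        print(f"{label}: {ip} {name}")
```

A file made of thousands of sinkhole entries and nothing flagged is the Spybot case the post describes and can be left alone (or trimmed for speed, since Windows reads the whole file on every lookup). Anything in the flagged list is what the cleanup should chase.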

#58
August 1, 2014 at 21:01:41
Malwarebytes Anti-Malware 1.75.0.1300
www.malwarebytes.org

Database version: v2013.04.04.07

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 11.0.9600.17207
Vicki 2 :: VICKI-VAIO [limited]

8/1/2014 11:32:14 PM
mbam-log-2014-08-01 (23-32-14).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 243762
Time elapsed: 24 minute(s), 23 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)



#59
August 1, 2014 at 21:09:54
Now run Junkware Removal Tool (JRT).

Then I will give you one to run whilst you are in bed. These scans we are doing now are just to satisfy you that you are clean, so you can run > Tweaking.com on Saturday.

message edited by Johnw



#60
August 1, 2014 at 21:19:32
Going to scan with JRT now.


#61
August 1, 2014 at 21:31:56
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Thisisu
Version: 6.1.4 (04.06.2014:1)
OS: Windows 7 Home Premium x64
Ran by HHGregg on Sat 08/02/2014 at 0:20:00.71
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


~~~ Services

~~~ Registry Values

~~~ Registry Keys

~~~ Files

~~~ Folders

Failed to delete: [Folder] "C:\Program Files (x86)\coupons"

~~~ FireFox

Emptied folder: C:\Users\HHGregg\AppData\Roaming\mozilla\firefox\profiles\cdfi4b6q.default\minidumps [1 files]

~~~ Event Viewer Logs were cleared

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on Sat 08/02/2014 at 0:28:50.33
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~



#62
August 1, 2014 at 21:45:05
"Failed to delete: [Folder] "C:\Program Files (x86)\coupons""
We will see if the next program deals with > coupons

Run ESET Online Scanner, Copy and Paste the contents of the log in your reply please. This scan may take a very long while, so please be patient. Maybe start it before going to work or bed.
http://www.eset.com/us/online-scann...
http://www.eset.com/home/products/o...
You may have to download ESET from a good computer, put it on a flash/thumb/pen drive & run it from there, if your comp is unbootable, or won't let you download.
Create an ESET SysRescue CD or USB drive
http://kb.eset.com/esetkb/index?pag...
How do I use my ESET SysRescue CD or USB flash drive to scan and clean my system?
http://kb.eset.com/esetkb/index?pag...
Configure ESET this way & disable your AV.
http://i.imgur.com/3U7YC.gif
Which web browsers are compatible with ESET Online Scanner?
http://www.nod32.fi/eset-online-sca...
http://kb.eset.com/esetkb/index?pag...
Online Scanner not working
http://kb.eset.com/esetkb/index?pag...
Why Would I Ever Need an Online Virus Scanner? I already have an antivirus program installed, isn't that enough?
http://www.squidoo.com/the-best-fre...
Once onto a machine, malware can disable antivirus programs, prevent antimalware programs from downloading updates, or prevent a user from running antivirus scans or installing new antivirus software or malware removal tools. At this point even though you are aware the computer is infected, removal is very difficult.
5: Why does the ESET Online Scanner run slowly on my computer?
If you have other antivirus, antispyware or anti-malware programs running on your computer, they may intercept the scan being performed by the ESET Online Scanner and hinder performance. You may wish to disable the real-time protection components of your other security software before running the ESET Online Scanner. Remember to turn them back on after you are finished.
17: How can I view the log file from ESET Online Scanner?
http://kb.eset.com/esetkb/index?pag...
http://www.eset.com/home/products/o...
The ESET Online Scanner saves a log file after running, which can be examined or sent in to ESET for further analysis. The path to the log file is "C:\Program Files\EsetOnlineScanner\log.txt". You can view this file by navigating to the directory and double-clicking on it in Windows Explorer, or by copying and pasting the path specification above (including the quotation marks) into the Start > Run dialog box from the Start Menu on the Desktop.
If no threats are found, you will simply see an information window that no threats were found.
http://www.trishtech.com/security/s...



#63
August 1, 2014 at 22:01:54
The only thing to download was esetsmartinstaller_enu


#64
August 1, 2014 at 22:16:37
"The only thing to download was esetsmartinstaller_enu"
That's it.


#65
August 1, 2014 at 22:18:58
I'm going to reboot my computer. After the last JRT scan it has made the same changes to my computer and browser info that will be rectified when rebooted. Should I rescan with Rkill after restart?


#66
August 1, 2014 at 23:13:53
" Should I rescan with Rkill after restart?"
No need, Eset is an online check.


#67
August 2, 2014 at 06:13:02
Re your SS below, go into SEP & Delete everything that has been Quarantined.
http://www.load.to/1uW2y3Y1Hn/scree...

Wait till I see the ESET log, before we make the next move.



#68
August 2, 2014 at 06:44:14
How do I Create an ESET SysRescue CD or USB drive? The link you provided shows how to use the disk to restore.

message edited by KPKris



#69
August 2, 2014 at 07:03:54
Just started ESET scan


#70
August 2, 2014 at 16:56:39
67% scanned.
Total scan time so far: 9:49:30.
No threats or infections as of yet.


#71
August 2, 2014 at 17:05:09
"No threats or infections as of yet"
Very good, we may even have time tonight, to do another scan before your bedtime. Shall wait for the ESET result first.



#72
August 2, 2014 at 20:32:24
It's at 88%. I'm going to bed now. I'll post the results in the morning.

message edited by KPKris



#73
August 3, 2014 at 04:28:23
ESETSmartInstaller@High as CAB hook log:
OnlineScanner64.ocx - registred OK
OnlineScanner.ocx - registred OK
ESETSmartInstaller@High as downloader log:
all ok
# product=EOS
# version=8
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.7623
# api_version=3.0.2
# EOSSerial=7ddff4d454bbd54e8367a5e237e4794c
# engine=19470
# end=finished
# remove_checked=true
# archives_checked=true
# unwanted_checked=false
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2014-08-03 10:29:47
# local_time=2014-08-03 06:29:47 (-0500, Eastern Daylight Time)
# country="United States"
# lang=1033
# osver=6.1.7601 NT Service Pack 1
# compatibility_mode_1=''
# compatibility_mode=5893 16776637 100 94 0 158605237 0 0
# scanned=849912
# found=8
# cleaned=8
# scan_time=73426
sh=6F567DAC13A7A92AAE3DDF1329AAC434D53C1591 ft=1 fh=3952bddfaca8c54c vn="Win32/OpenCandy potentially unsafe application (deleted - quarantined)" ac=C fn="C:\Users\Vicki 2\Desktop\All\HHGREGG-VAIO\History\Level2\C\Users\Vicki 2\AppData\Local\Mozilla\Firefox\Profiles\mo12iasu.default\Cache\269BC445d01"
sh=6F567DAC13A7A92AAE3DDF1329AAC434D53C1591 ft=1 fh=3952bddfaca8c54c vn="Win32/OpenCandy potentially unsafe application (deleted - quarantined)" ac=C fn="C:\Users\Vicki 2\Desktop\All\HHGREGG-VAIO\History\Level2\C\Users\Vicki 2\Downloads\FreeYouTubeDownloaderSetup(2).exe"
sh=5CA96A0C243390C378DEE1A629684EA261E2CFC4 ft=1 fh=a717dcd23690f0a7 vn="Win32/OpenCandy potentially unsafe application (deleted - quarantined)" ac=C fn="C:\Users\Vicki 2\Desktop\Security Tools\SetupImgBurn_2.5.8.0.exe"
sh=384C3279A061E37A510EEC8E08EA9775C109696A ft=1 fh=7362c0dd49850319 vn="a variant of Win32/Bundled.Toolbar.Ask potentially unsafe application (deleted - quarantined)" ac=C fn="C:\Users\Vicki 2\Downloads\duplicate-file-finder-setup.exe"
sh=F22E9A48185261B6448FDEC90C333E12281EAA70 ft=1 fh=3952bddf93c23912 vn="Win32/OpenCandy potentially unsafe application (deleted - quarantined)" ac=C fn="C:\Users\Vicki 2\Downloads\FreeYouTubeDownloaderSetup(2).exe"
sh=68190AB2E8A9BA582C5B193CB600CFF76EC70FD7 ft=1 fh=3952bddf37034ae5 vn="Win32/OpenCandy potentially unsafe application (deleted - quarantined)" ac=C fn="C:\Users\Vicki 2\Downloads\FreeYouTubeDownloaderSetup.exe"
sh=738FBF13BA38B03D21DFC6532C7A994EC128A38A ft=1 fh=0f77c0789df4917e vn="a variant of Win32/Bundled.Toolbar.Ask.D potentially unsafe application (deleted - quarantined)" ac=C fn="C:\Users\Vicki 2\Downloads\hwmonitor_1.22-setup.exe"
sh=8E6A280CEFB00FAAF7FDE4016B5E0DDA4C7CB102 ft=1 fh=0ae8027486b57fb8 vn="Win32/OpenCandy potentially unsafe application (deleted - quarantined)" ac=C fn="C:\Users\Vicki 2\Downloads\winscp429setup.exe"


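The ESET log above is a machine-readable layout: "# key=value" header lines followed by one record per detection, with quoted values for the detection name (vn) and path (fn). Summarising it mechanically shows at a glance which families were hit, whether the header counts match the records, and that the same file (same sh hash) can be detected in more than one place, as the log above shows for a download and its backup copy. Added example, not ESET's own code or part of the thread; the sample log is constructed in the same layout with placeholder hash values.

```python
import re
from collections import Counter

# Constructed sample in the ESET Online Scanner log layout: "# key=value"
# header lines, then one "key=value ..." record per detection. The sh/fh
# values are labelled placeholders, not real digests.
SAMPLE_LOG = r"""# product=EOS
# version=8
# end=finished
# scanned=849912
# found=3
# cleaned=3
sh=SAMPLE_SHA1_A ft=1 fh=SAMPLE_FH_A vn="Win32/OpenCandy potentially unsafe application (deleted - quarantined)" ac=C fn="C:\Users\Example\Downloads\FreeVideoSetup.exe"
sh=SAMPLE_SHA1_A ft=1 fh=SAMPLE_FH_A vn="Win32/OpenCandy potentially unsafe application (deleted - quarantined)" ac=C fn="C:\Users\Example\Desktop\Backup\Downloads\FreeVideoSetup.exe"
sh=SAMPLE_SHA1_B ft=1 fh=SAMPLE_FH_B vn="a variant of Win32/Bundled.Toolbar.Ask potentially unsafe application (deleted - quarantined)" ac=C fn="C:\Users\Example\Downloads\tool-setup.exe"
"""

# key=value pairs; quoted values may contain spaces and backslashes.
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
# Detection family, e.g. Win32/OpenCandy out of "a variant of Win32/OpenCandy ...".
FAMILY_RE = re.compile(r"\b\w+/[\w.]+")
# Trailing action note, e.g. "(deleted - quarantined)".
ACTION_RE = re.compile(r"\(([^()]*)\)\s*$")


def parse_record(line):
    """Turn one detection line into a dict of its fields."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in FIELD_RE.finditer(line)}


def parse_eset_log(text):
    """Split the log into its header dict and a list of detection records."""
    header, records = {}, []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("#"):
            body = line[1:].strip()
            if "=" in body:
                key, value = body.split("=", 1)
                header[key.strip()] = value.strip()
        elif line.startswith("sh="):
            records.append(parse_record(line))
    return header, records


def summarize(text):
    """Summarize a log: what was found, what was done, and whether it adds up."""
    header, records = parse_eset_log(text)
    families, actions, paths = Counter(), Counter(), []
    for rec in records:
        name = rec.get("vn", "")
        fam = FAMILY_RE.search(name)
        families[fam.group(0) if fam else name] += 1
        act = ACTION_RE.search(name)
        actions[act.group(1) if act else "unknown"] += 1
        paths.append(rec.get("fn", ""))
    found = int(header.get("found", 0))
    cleaned = int(header.get("cleaned", 0))
    return {
        "scanned": int(header.get("scanned", 0)),
        "records": len(records),
        # The same file can be detected in several places (e.g. a backup copy).
        "unique_files": len({rec.get("sh") for rec in records}),
        "families": dict(families),
        "actions": dict(actions),
        "paths": paths,
        "finished": header.get("end") == "finished",
        # Header counts should match the records actually listed.
        "consistent": found == cleaned == len(records),
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```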
#74
August 3, 2014 at 04:39:39
Beautiful.

This has about 50 steps.

Download ComboFix onto your Desktop & then run. If your default download location is not the Desktop, drag it out of its location onto the Desktop. Copy & Paste the contents of the log in your next post please. ComboFix's log should be located at C:\COMBOFIX.TXT.
http://www.bleepingcomputer.com/dow...
http://download.bleepingcomputer.co...
http://www.forospyware.com/sUBs/Com...
A guide and tutorial on using ComboFix
http://www.bleepingcomputer.com/com...
http://www.winhelp.us/index.php/gen...
Manually restoring the Internet connection
http://www.bleepingcomputer.com/com...
There are circumstances ComboFix will hang, crash or stall at various stages due to malware interference, failure to disable other real-time protection tools or the presence of CD Emulators (Daemon Tools, Alcohol 120%, Astroburn, AnyDVD) so that it does not complete successfully. Also, depending on how badly a system is infected, ComboFix may take longer to complete its routine than it normally does or fail to run properly. While that is not normal behavior, it is not unusual.

If you think it's frozen, look at the computer clock.
If it's running, Combofix is still working.
NOTE: Do not mouseclick combofix's window while it is running. That may cause it to stall.
NOTE: ComboFix will check to see if the Microsoft Windows Recovery Console is installed.
***It's strongly recommended to have the Recovery Console installed before doing any malware removal.***

**Please Note: If the Microsoft Windows Recovery Console is already installed, ComboFix will automatically proceed with its scan.
The Recovery Console provides a recovery/repair mode should a problem occur during a Combofix run.
Allow ComboFix to download the Recovery Console.
Accept the End-User License Agreement.
The Recovery Console will be installed.
You will then get this next prompt that asks if you want to continue the malware scan, select yes.
If after running Combofix you discover none of your programs will open up, and you receive the following error: "Illegal operation attempted on a registry key that has been marked for deletion". Then the answer is to REBOOT the machine, and all will be corrected.
Can't Install an Antivirus - Windows Security Center still detects previous AV
http://www.experts-exchange.com/Vir...
We are almost ready to start ComboFix, but before we do so, we need to take some preventative measures so that there are no conflicts with other programs when running ComboFix. At this point you should do the following:
* Close all open Windows including this one.
* Close or disable all running Antivirus, Antispyware, and Firewall programs as they may interfere with the proper running of ComboFix. Instructions on disabling these types of programs can be found in this topic.
http://www.bleepingcomputer.com/for...
http://www.techsupportforum.com/for...
Once these two steps have been completed, double-click on the ComboFix icon found on your Desktop.
Please note, that once you start ComboFix you should not click anywhere on the ComboFix window as it can cause the program to stall. In fact, when ComboFix is running, do not touch your computer at all. The scan could take a while, so please be patient.



#75
August 3, 2014 at 04:44:10
No need to run Rkill.


#76
August 3, 2014 at 04:46:42
Should I delete the SEP quarantined files first?


#77
August 3, 2014 at 04:52:13
"Should I delete the SEP quarantined files first?"
Yes, always delete quarantined files after a week.


#78
August 3, 2014 at 06:22:41
. . . .

message edited by KPKris



#79
August 3, 2014 at 06:27:17
Not normal. Any log?


#80
August 3, 2014 at 07:55:31
I left and when I came back my computer had rebooted. I wasn't sure if the scan had completed so I tried to move the blue DOS box out of the way to see if there were report files created. Now the box is going crazy plus the programs that normally open at start up are open and I cannot close them. SEP is also detecting Trojans again.


#81
August 3, 2014 at 16:10:30
Please download and run ListParts64 by Farbar (for 64-bit system):
http://download.bleepingcomputer.co...
Click on the Scan button.
The scan results will open in Notepad.
Copy and Paste the contents into your reply.


#82
August 3, 2014 at 16:53:09
Enable firewall and SEP?


#83
August 3, 2014 at 17:02:43
Don't think it will make any difference, try both ways.


#84
August 3, 2014 at 17:03:26
Can open browser but with the Combofix box flashing it won't allow me to enter any web address.


#85
August 3, 2014 at 17:07:48
Right click on the taskbar > Task Manager & in process, click on End task.


#86
August 3, 2014 at 17:13:03
Looks like it is called End Process in W7.
Figure C
http://www.techrepublic.com/blog/wi...

message edited by Johnw



#87
August 3, 2014 at 17:42:10
I can't end it. The Combofix box won't let me. It is going up and down the screen. When I do click on the process it ends before I can end it, then it reappears a second later. Over and over. I'm assuming the process is CF 12171.3XE. I'll try and link images.


#88
August 3, 2014 at 17:44:12
Reboot any way you can.


#89
August 3, 2014 at 17:45:18
I finally was able to click on it at just the right time to end it and got the message that it could not end the process. Wrong process?


#90
August 3, 2014 at 17:48:38
Could it be CCP.exe *32? The description is just CCP


#91
August 3, 2014 at 17:53:17
Hang on, I will fire up a W7 comp & run Combofix.


#92
August 3, 2014 at 17:54:38
The blue Combofix box is locked together with the DOS black box that has C:/Combofix/perf.3X


#93
August 3, 2014 at 17:56:43
" I will fire up a W7 comp & run Combofix."
Okay


#94
August 3, 2014 at 18:04:35
Your logs > C:\Program Files (x86)\Sony\SmartWi Connection Utility\CCP.exe

I cannot see Combofix in Processes either, reboot.



#95
August 3, 2014 at 18:06:37
Okay. Same thing is happening with the boxes.


#96
August 3, 2014 at 18:16:11
Combofix will also be down on the Task bar, right click on it & hit Close.


#97
August 3, 2014 at 18:24:32
Don't see the icon. Also, in order to do anything I have to click many times, for instance, to close a window, since the Combofix box is flashing and moving up and down my screen. It's a ghost like appearance. Right clicking on anything would be impossible.


#98
August 3, 2014 at 18:26:53
I'm finally able to open a browser. Do you want me to try and run the ListParts64 scan?


#99
August 3, 2014 at 18:28:17
"Do you want me to try and run the ListParts64 scan?"
Yep


#100
August 3, 2014 at 18:42:30
I'm going to safe mode. Started to restart but had stuff open that were holding it up. I cancelled the restart. Now the combofix box is gone.

message edited by KPKris



#101
August 3, 2014 at 18:48:52
ListParts by Farbar Version: 31-07-2014
Ran by Vicki 2 on 03-08-2014 at 21:47:34
Windows 7 (X64)
Running From: C:\Users\Vicki 2\Desktop
Language: English (United States)
************************************************************

========================= Memory info ======================

Percentage of memory in use: 65%
Total physical RAM: 4078.06 MB
Available physical RAM: 1386.75 MB
Total Pagefile: 8154.3 MB
Available Pagefile: 4945.45 MB
Total Virtual: 8192 MB
Available Virtual: 8191.91 MB

======================= Partitions =========================

1 Drive c: () (Fixed) (Total:456 GB) (Free:82.69 GB) NTFS

============================== MBR Partition Table ==================

The boot configuration data store could not be opened.
Access is denied.


****** End Of Log ******



#102
August 3, 2014 at 18:50:41
"The boot configuration data store could not be opened.
Access is denied."

Try normal mode.



#103
August 3, 2014 at 18:52:45
See #100.


#104
August 3, 2014 at 19:02:23
"SEP is also detecting Trojans again"
Copy & Paste ( not a SS ) the contents of the log into your reply.


#105
August 3, 2014 at 19:19:13
It will take a bit for the log to complete loading. It looks like a spreadsheet.

message edited by KPKris



#106
August 3, 2014 at 19:43:27
Runtime error. Windows asked to close in an unusual way.


#107
August 3, 2014 at 19:50:49
"Runtime error. Windows asked to close in an unusual way."
Where are you looking?
Can you see it has the bad files?


#108
August 3, 2014 at 19:53:11
http://www.load.to/VdSp5trPTr/SS3.JPG


#109
August 3, 2014 at 19:54:38
I just googled & got this SS, is this where you are looking?
http://i.imgur.com/GCY4G3T.gif


#110
August 3, 2014 at 20:19:11
#107 - yes. http://www.load.to/kWr7lwQaej/ss5.JPG


#111
August 3, 2014 at 20:21:39
I got the results from SS3 from SS4.
http://www.load.to/VNcyEItuKg/ss4.JPG


#112
August 3, 2014 at 20:23:30
Still no log, let's move on.

No one is expected to remember instructions, are you printing or writing them down?
If so, Uninstall ComboFix. The reason we remove Combofix, is that a new version comes out nearly every day.
Turn off all active protection software.
Push the "windows key" + "R" (between the "Ctrl" button and "Alt" Button)
Please Copy and Paste the following into the box > ComboFix /Uninstall and click OK.

Now to try another way to run Combofix.

Download the latest version, put it on a USB thumb drive and run Combofix from the USB, just say continue to all the warning messages.

message edited by Johnw



#113
August 3, 2014 at 20:36:00
Got the log. It's an excel file.



#114
August 3, 2014 at 20:37:13
"Got the log. It's an excel file"
Ok.


#115
August 3, 2014 at 20:41:04
http://www.load.to/BybWQi6fvm/risks...


#116
August 3, 2014 at 20:49:07
Got it, try post #112


#117
August 3, 2014 at 20:58:57
I uninstalled it. I think the reason for the problem with it before was because I tried to move the scan box over on my desktop.


#118
August 3, 2014 at 21:11:12
"I tried to move the scan box over on my desktop"
I agree.

When I fired up a W7 comp & ran Combofix, it appears to be doing nothing, but it gathers the info it needs & eventually kicks into life, then once again appears to be doing nothing. Mine took about 25mins to finish.



#119
August 3, 2014 at 21:11:15
Started the scan. I'm going to bed.


#120
August 3, 2014 at 21:16:13
It has completed 3 stages. How many are there?


#121
August 3, 2014 at 21:21:50
About 50, will not take very long.


#122
August 3, 2014 at 21:26:59
I'm going to have to stay up because I forgot to change my power settings to not sleep.


#123
August 3, 2014 at 21:29:44
Ok, once you do, don't touch the mouse.


#124
August 4, 2014 at 05:01:52
I ran the scan and got the results. However, it changed the settings on my computer, so I tried to restart but it wouldn't shutdown so I manually powered it down. Now the Combofix folder is empty. Should I rerun the scan?


#125
August 4, 2014 at 05:04:44
" Should I rerun the scan?"
Yep.


#126
August 4, 2014 at 05:17:08
- Uninstall first? -


#127
August 4, 2014 at 05:20:47
No, it is still a current version.


#128
August 4, 2014 at 06:12:21
I'm out of gas, going to bed now.
Got a lot on tomorrow, may get some small chances to get online.


#129
August 4, 2014 at 06:30:17
ComboFix 14-08-02.02 - HHGregg 08/04/2014 8:30.3.8 - x64
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.4078.1558 [GMT -4:00]
Running from: J:\ComboFix.exe
AV: Ad-Aware Antivirus *Disabled/Outdated* {D87B6541-12A1-DAEA-0033-9B8057AAB996}
AV: Symantec Endpoint Protection *Disabled/Updated* {88C95A36-8C3B-2F2C-1B8B-30FCCFDC4855}
FW: Ad-Aware Firewall *Disabled* {E040E464-58CE-DBB2-2B6C-32B5A979FEED}
SP: Ad-Aware Antivirus *Disabled/Outdated* {631A84A5-349B-D564-3A83-A0F22C2DF32B}
SP: Symantec Endpoint Protection *Disabled/Updated* {33A8BBD2-AA01-20A2-213B-0B8EB45B02E8}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((( Files Created from 2014-07-04 to 2014-08-04 )))))))))))))))))))))))))))))))
.
.
2014-08-04 13:00 . 2014-08-04 13:00 -------- d-----w- c:\users\Vicki\AppData\Local\temp
2014-08-04 13:00 . 2014-08-04 13:00 -------- d-----w- c:\users\Test\AppData\Local\temp
2014-08-04 13:00 . 2014-08-04 13:00 -------- d-----w- c:\users\TEMP\AppData\Local\temp
2014-08-04 13:00 . 2014-08-04 13:00 -------- d-----w- c:\users\HHGregg\AppData\Local\temp
2014-08-04 13:00 . 2014-08-04 13:00 -------- d-----w- c:\users\Default\AppData\Local\temp
2014-08-02 14:16 . 2014-08-02 14:16 75888 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{F4E15AF3-1B77-40DD-9848-D8ECFDFBAD3F}\offreg.dll
2014-08-02 13:29 . 2014-08-02 13:29 -------- d-sh--w- c:\users\Vicki 2\AppData\Local\EmieUserList
2014-08-02 13:29 . 2014-08-02 13:29 -------- d-sh--w- c:\users\Vicki 2\AppData\Local\EmieSiteList
2014-08-02 05:11 . 2014-08-02 05:11 -------- d-----w- c:\program files (x86)\ESET
2014-08-02 05:07 . 2014-08-02 05:07 -------- d-sh--w- c:\users\HHGregg\AppData\Local\EmieUserList
2014-08-02 05:07 . 2014-08-02 05:07 -------- d-sh--w- c:\users\HHGregg\AppData\Local\EmieSiteList
2014-08-02 03:31 . 2014-08-02 03:31 -------- d-----w- c:\users\Vicki 2\AppData\Roaming\Malwarebytes
2014-08-01 15:25 . 2014-07-02 03:09 10924376 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{F4E15AF3-1B77-40DD-9848-D8ECFDFBAD3F}\mpengine.dll
2014-08-01 15:22 . 2014-08-01 15:22 -------- d-----w- c:\users\HHGregg\AppData\Roaming\Malwarebytes
2014-08-01 15:22 . 2014-08-01 15:22 -------- d-----w- c:\programdata\Malwarebytes
2014-08-01 15:22 . 2013-04-04 18:50 25928 ----a-w- c:\windows\system32\drivers\mbam.sys
2014-08-01 15:22 . 2014-08-01 15:22 -------- d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware
2014-08-01 14:51 . 2014-05-14 16:23 44512 ----a-w- c:\windows\system32\wups2.dll
2014-08-01 14:51 . 2014-05-14 16:23 58336 ----a-w- c:\windows\system32\wuauclt.exe
2014-08-01 14:51 . 2014-05-14 16:23 2477536 ----a-w- c:\windows\system32\wuaueng.dll
2014-08-01 14:51 . 2014-05-14 16:21 2620928 ----a-w- c:\windows\system32\wucltux.dll
2014-08-01 14:50 . 2014-05-14 16:23 38880 ----a-w- c:\windows\system32\wups.dll
2014-08-01 14:50 . 2014-05-14 16:23 36320 ----a-w- c:\windows\SysWow64\wups.dll
2014-08-01 14:50 . 2014-05-14 16:23 700384 ----a-w- c:\windows\system32\wuapi.dll
2014-08-01 14:50 . 2014-05-14 16:23 581600 ----a-w- c:\windows\SysWow64\wuapi.dll
2014-08-01 14:50 . 2014-05-14 16:20 97792 ----a-w- c:\windows\system32\wudriver.dll
2014-08-01 14:50 . 2014-05-14 16:17 92672 ----a-w- c:\windows\SysWow64\wudriver.dll
2014-08-01 14:50 . 2014-05-14 13:23 198600 ----a-w- c:\windows\system32\wuwebv.dll
2014-08-01 14:50 . 2014-05-14 13:23 179656 ----a-w- c:\windows\SysWow64\wuwebv.dll
2014-08-01 14:50 . 2014-05-14 13:20 36864 ----a-w- c:\windows\system32\wuapp.exe
2014-08-01 14:50 . 2014-05-14 13:17 33792 ----a-w- c:\windows\SysWow64\wuapp.exe
2014-08-01 14:50 . 2014-08-01 14:50 -------- d-----w- c:\program files (x86)\Tweaking.com
2014-08-01 04:18 . 2014-08-01 04:18 -------- d-----w- c:\windows\ERUNT
2014-08-01 01:38 . 2014-08-01 02:23 29160 ----a-w- c:\windows\SysWow64\drivers\TrueSight.sys
2014-08-01 01:38 . 2014-08-01 01:38 -------- d-----w- c:\programdata\RogueKiller
2014-07-31 17:31 . 2014-08-03 13:02 -------- d-----w- c:\programdata\Malwarebytes Anti-Exploit
2014-07-25 21:38 . 2014-07-25 21:38 -------- d-----w- c:\users\HHGregg\AppData\Local\Adobe
2014-07-22 19:47 . 2014-07-22 20:09 -------- d-----w- c:\users\Vicki 2\.FamilySearchIndexing
2014-07-22 19:44 . 2014-07-22 19:44 -------- d-----w- c:\program files (x86)\FamilySearch Indexing
2014-07-22 15:48 . 2014-07-22 15:48 -------- d-----w- c:\users\Vicki 2\AppData\Roaming\Motive
2014-07-11 13:09 . 2014-07-11 13:10 -------- d-----w- c:\program files\iPod
2014-07-11 13:09 . 2014-07-11 13:15 -------- d-----w- c:\programdata\34BE82C4-E596-4e99-A191-52C6199EBF69
2014-07-11 13:09 . 2014-07-11 13:15 -------- d-----w- c:\program files\iTunes
2014-07-11 13:09 . 2014-07-11 13:15 -------- d-----w- c:\program files (x86)\iTunes
2014-07-09 09:24 . 2014-06-18 02:19 1247232 ----a-w- c:\program files\Common Files\Microsoft Shared\ink\tipskins.dll
2014-07-09 09:24 . 2014-06-18 02:19 503296 ----a-w- c:\program files\Common Files\Microsoft Shared\ink\tiptsf.dll
2014-07-09 09:24 . 2014-06-18 02:19 449024 ----a-w- c:\program files\Common Files\Microsoft Shared\ink\tabskb.dll
2014-07-09 09:24 . 2014-06-18 02:19 110592 ----a-w- c:\program files\Common Files\Microsoft Shared\ink\TipBand.dll
2014-07-09 09:24 . 2014-06-18 02:18 224768 ----a-w- c:\program files\Common Files\Microsoft Shared\ink\TabTip.exe
2014-07-09 09:24 . 2014-06-18 02:18 692736 ----a-w- c:\windows\system32\osk.exe
2014-07-09 09:24 . 2014-06-18 02:17 544768 ----a-w- c:\program files\Common Files\Microsoft Shared\ink\TipRes.dll
2014-07-09 09:24 . 2014-06-18 01:52 348672 ----a-w- c:\program files (x86)\Common Files\Microsoft Shared\ink\tiptsf.dll
2014-07-09 09:24 . 2014-06-18 01:51 10240 ----a-w- c:\program files (x86)\Common Files\Microsoft Shared\ink\TabTip32.exe
2014-07-09 09:24 . 2014-06-18 01:51 646144 ----a-w- c:\windows\SysWow64\osk.exe
2014-07-09 09:24 . 2014-06-18 01:10 3157504 ----a-w- c:\windows\system32\win32k.sys
2014-07-09 09:23 . 2014-06-03 10:02 1719296 ----a-w- c:\program files\Windows Journal\NBDoc.DLL
2014-07-09 09:23 . 2014-06-03 10:02 1389568 ----a-w- c:\program files\Windows Journal\JNWDRV.dll
2014-07-09 09:23 . 2014-06-03 10:02 1380864 ----a-w- c:\program files\Windows Journal\JNTFiltr.dll
2014-07-09 09:23 . 2014-06-03 10:02 1354240 ----a-w- c:\program files\Common Files\Microsoft Shared\ink\journal.dll
2014-07-09 09:23 . 2014-06-03 09:29 936960 ----a-w- c:\program files (x86)\Common Files\Microsoft Shared\ink\journal.dll
2014-07-09 09:23 . 2014-06-06 10:10 624128 ----a-w- c:\windows\system32\qedit.dll
2014-07-09 09:23 . 2014-06-06 09:44 509440 ----a-w- c:\windows\SysWow64\qedit.dll
2014-07-09 09:23 . 2014-05-30 06:45 497152 ----a-w- c:\windows\system32\drivers\afd.sys
2014-07-09 09:21 . 2014-06-19 00:48 2768384 ----a-w- c:\windows\system32\iertutil.dll
2014-07-09 09:19 . 2014-06-05 14:45 1460736 ----a-w- c:\windows\system32\lsasrv.dll
2014-07-09 09:19 . 2014-06-05 14:26 22016 ----a-w- c:\windows\SysWow64\secur32.dll
2014-07-09 09:19 . 2014-06-05 14:25 96768 ----a-w- c:\windows\SysWow64\sspicli.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2014-07-09 12:14 . 2010-08-27 22:01 96441528 ----a-w- c:\windows\system32\MRT.exe
2014-07-09 00:12 . 2012-04-11 14:21 699056 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe
2014-07-09 00:12 . 2011-05-15 11:35 71344 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2014-07-09 00:12 . 2014-05-14 11:11 5659136 ----a-w- c:\windows\SysWow64\FlashPlayerInstaller.exe
2014-05-09 06:14 . 2014-05-14 11:28 477184 ----a-w- c:\windows\system32\aepdu.dll
2014-05-09 06:11 . 2014-05-14 11:28 424448 ----a-w- c:\windows\system32\aeinv.dll
2013-08-27 23:52 . 2013-08-27 14:56 13844000 ----a-w- c:\program files (x86)\Common Files\lpuninstall.exe
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"SwitchBoard"="c:\program files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe" [2010-02-19 517096]
"SmartWiHelper"="c:\program files (x86)\Sony\SmartWi Connection Utility\SmartWiHelper.exe" [2010-01-20 82944]
"PMBVolumeWatcher"="c:\program files (x86)\Sony\PMB\PMBVolumeWatcher.exe" [2010-01-22 597792]
"MaxMenuMgr"="c:\program files (x86)\Seagate\SeagateManager\FreeAgent Status\StxMenuMgr.exe" [2009-12-18 197928]
"ISBMgr.exe"="c:\program files (x86)\Sony\ISB Utility\ISBMgr.exe" [2010-01-15 316784]
"IAStorIcon"="c:\program files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe" [2009-11-20 284696]
"ccApp"="c:\program files (x86)\Common Files\Symantec Shared\ccApp.exe" [2009-07-09 115560]
"CarboniteSetupLite"="c:\program files (x86)\Carbonite\CarbonitePreinstaller.exe" [2009-08-04 318096]
"AdobeCS5.5ServiceManager"="c:\program files (x86)\Common Files\Adobe\CS5.5ServiceManager\CS5.5ServiceManager.exe" [2011-01-12 1523360]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2013-11-21 959904]
"Adobe Acrobat Speed Launcher"="c:\program files (x86)\Adobe\Acrobat 10.0\Acrobat\Acrobat_sl.exe" [2014-05-08 41336]
"Acrobat Assistant 8.0"="c:\program files (x86)\Adobe\Acrobat 10.0\Acrobat\Acrotray.exe" [2014-05-08 840568]
"Ad-Aware Browsing Protection"="c:\programdata\Ad-Aware Browsing Protection\adawarebp.exe" [2012-08-08 540056]
"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2013-03-12 253816]
"iTunesHelper"="c:\program files (x86)\iTunes\iTunesHelper.exe" [2014-07-08 152392]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce]
"SpybotSnD"="c:\program files (x86)\Spybot - Search & Destroy\SpybotSD.exe" [2009-01-26 5365592]
"Malwarebytes Anti-Malware"="c:\program files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" [2013-04-04 532040]
.
c:\users\Vicki 2\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OneNote 2010 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office14\ONENOTEM.EXE /tsr [2013-6-25 246472]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2010-3-12 1125152]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]
"aux1"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccEvtMgr]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccSetMgr]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antivirus]
@="Service"
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [x]
R2 FreeAgentGoNext Service;Seagate Service;c:\program files (x86)\Seagate\SeagateManager\Sync\FreeAgentService.exe;c:\program files (x86)\Seagate\SeagateManager\Sync\FreeAgentService.exe [x]
R2 LavasoftAdAwareService11;Ad-Aware Service 11;c:\program files\Lavasoft\Ad-Aware Antivirus\Ad-Aware Antivirus\11.1.5354.0\AdAwareService.exe;c:\program files\Lavasoft\Ad-Aware Antivirus\Ad-Aware Antivirus\11.1.5354.0\AdAwareService.exe [x]
R2 Oasis2Service;Oasis2Service;c:\program files (x86)\DDNi\Oasis2Service\Oasis2Service.exe;c:\program files (x86)\DDNi\Oasis2Service\Oasis2Service.exe [x]
R2 SkypeUpdate;Skype Updater;c:\program files (x86)\Skype\Updater\Updater.exe;c:\program files (x86)\Skype\Updater\Updater.exe [x]
R2 VcmINSMgr;VAIO Content Metadata Intelligent Network Service Manager;c:\program files\Sony\VCM Intelligent Network Service Manager\VcmINSMgr.exe;c:\program files\Sony\VCM Intelligent Network Service Manager\VcmINSMgr.exe [x]
R3 dc3d;MS Hardware Device Detection Driver (USB);c:\windows\system32\DRIVERS\dc3d.sys;c:\windows\SYSNATIVE\DRIVERS\dc3d.sys [x]
R3 IEEtwCollectorService;Internet Explorer ETW Collector Service;c:\windows\system32\IEEtwCollector.exe;c:\windows\SYSNATIVE\IEEtwCollector.exe [x]
R3 Impcd;Impcd;c:\windows\system32\drivers\Impcd.sys;c:\windows\SYSNATIVE\drivers\Impcd.sys [x]
R3 ivusb;Initio Driver for USB Default Controller;c:\windows\system32\DRIVERS\ivusb.sys;c:\windows\SYSNATIVE\DRIVERS\ivusb.sys [x]
R3 libusb0;libusb-win32 - Kernel Driver, Version 1.2.4.0;c:\windows\system32\drivers\libusb0.sys;c:\windows\SYSNATIVE\drivers\libusb0.sys [x]
R3 McComponentHostServiceSony;McAfee Security Scan Component Host Service for Sony;c:\program files (x86)\Sony\MSS\3.0.271\McCHSvc.exe;c:\program files (x86)\Sony\MSS\3.0.271\McCHSvc.exe [x]
R3 MSSQL$DDNI;SQL Server (DDNI);c:\program files (x86)\Microsoft SQL Server\MSSQL10.DDNI\MSSQL\Binn\sqlservr.exe;c:\program files (x86)\Microsoft SQL Server\MSSQL10.DDNI\MSSQL\Binn\sqlservr.exe [x]
R3 ose64;Office 64 Source Engine;c:\program files\Common Files\Microsoft Shared\Source Engine\OSE.EXE;c:\program files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [x]
R3 Point64;Microsoft IntelliPoint Filter Driver;c:\windows\system32\DRIVERS\point64.sys;c:\windows\SYSNATIVE\DRIVERS\point64.sys [x]
R3 PSI;PSI;c:\windows\system32\DRIVERS\psi_mf.sys;c:\windows\SYSNATIVE\DRIVERS\psi_mf.sys [x]
R3 SwitchBoard;Adobe SwitchBoard;c:\program files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe;c:\program files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [x]
R3 taphss6;Anchorfree HSS VPN Adapter;c:\windows\system32\DRIVERS\taphss6.sys;c:\windows\SYSNATIVE\DRIVERS\taphss6.sys [x]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys;c:\windows\SYSNATIVE\drivers\tsusbflt.sys [x]
R3 USBAAPL64;Apple Mobile USB Driver;c:\windows\system32\Drivers\usbaapl64.sys;c:\windows\SYSNATIVE\Drivers\usbaapl64.sys [x]
R3 VcmIAlzMgr;VAIO Content Metadata Intelligent Analyzing Manager;c:\program files\Sony\VCM Intelligent Analyzing Manager\VcmIAlzMgr.exe;c:\program files\Sony\VCM Intelligent Analyzing Manager\VcmIAlzMgr.exe [x]
R3 VcmXmlIfHelper;VAIO Content Metadata XML Interface;c:\program files\Common Files\Sony Shared\VcmXml\VcmXmlIfHelper64.exe;c:\program files\Common Files\Sony Shared\VcmXml\VcmXmlIfHelper64.exe [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe;c:\windows\SYSNATIVE\Wat\WatAdminSvc.exe [x]
R3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\DRIVERS\wdcsam64.sys;c:\windows\SYSNATIVE\DRIVERS\wdcsam64.sys [x]
R3 WinRing0_1_2_0;WinRing0_1_2_0;c:\users\VICKI2~1\AppData\Local\Temp\Rar$EX82.472\WinRing0x64.sys;c:\users\VICKI2~1\AppData\Local\Temp\Rar$EX82.472\WinRing0x64.sys [x]
R4 MSSQLServerADHelper100;SQL Active Directory Helper Service;c:\program files (x86)\Microsoft SQL Server\100\Shared\SQLADHLP.EXE;c:\program files (x86)\Microsoft SQL Server\100\Shared\SQLADHLP.EXE [x]
R4 SOHCImp;VAIO Media plus Content Importer;c:\program files (x86)\Common Files\Sony Shared\SOHLib\SOHCImp.exe;c:\program files (x86)\Common Files\Sony Shared\SOHLib\SOHCImp.exe [x]
R4 SOHDms;VAIO Media plus Digital Media Server;c:\program files (x86)\Common Files\Sony Shared\SOHLib\SOHDms.exe;c:\program files (x86)\Common Files\Sony Shared\SOHLib\SOHDms.exe [x]
R4 SOHDs;VAIO Media plus Device Searcher;c:\program files (x86)\Common Files\Sony Shared\SOHLib\SOHDs.exe;c:\program files (x86)\Common Files\Sony Shared\SOHLib\SOHDs.exe [x]
R4 SQLAgent$DDNI;SQL Server Agent (DDNI);c:\program files (x86)\Microsoft SQL Server\MSSQL10.DDNI\MSSQL\Binn\SQLAGENT.EXE;c:\program files (x86)\Microsoft SQL Server\MSSQL10.DDNI\MSSQL\Binn\SQLAGENT.EXE [x]
S0 gfibto;gfibto;c:\windows\system32\drivers\gfibto.sys;c:\windows\SYSNATIVE\drivers\gfibto.sys [x]
S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys;c:\windows\SYSNATIVE\DRIVERS\Lbd.sys [x]
S0 PxHlpa64;PxHlpa64;c:\windows\System32\Drivers\PxHlpa64.sys;c:\windows\SYSNATIVE\Drivers\PxHlpa64.sys [x]
S1 BdfNdisf;BitDefender Firewall NDIS 6 Filter Driver;c:\program files\lavasoft\ad-aware antivirus\firewall engine\1.6.0.0\drivers\bdfndisf6.sys;c:\program files\lavasoft\ad-aware antivirus\firewall engine\1.6.0.0\drivers\bdfndisf6.sys [x]
S1 HssDRV6;Hotspot Shield Routing Driver 6;c:\windows\system32\DRIVERS\hssdrv6.sys;c:\windows\SYSNATIVE\DRIVERS\hssdrv6.sys [x]
S2 AT&T Troubleshoot & Resolve;AT&T Troubleshoot & Resolve;c:\program files (x86)\ATT\8.4.1.11\ma\bin\MAHostService.exe;c:\program files (x86)\ATT\8.4.1.11\ma\bin\MAHostService.exe [x]
S2 CouponPrinterService;Coupon Printer Service;c:\program files (x86)\Coupons\CouponPrinterService.exe;c:\program files (x86)\Coupons\CouponPrinterService.exe [x]
S2 IAStorDataMgrSvc;Intel(R) Rapid Storage Technology;c:\program files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe;c:\program files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe [x]
S2 nlscc;Nalpeiron X64 Service;c:\windows\system32\nlsInterface.exe;c:\windows\SYSNATIVE\nlsInterface.exe [x]
S2 pcCMService64;pcCMService64;c:\program files\Common Files\Motive\pcCMService.exe;c:\program files\Common Files\Motive\pcCMService.exe [x]
S2 PMBDeviceInfoProvider;PMBDeviceInfoProvider;c:\program files (x86)\Sony\PMB\PMBDeviceInfoProvider.exe;c:\program files (x86)\Sony\PMB\PMBDeviceInfoProvider.exe [x]
S2 regi;regi;c:\windows\system32\drivers\regi.sys;c:\windows\SYSNATIVE\drivers\regi.sys [x]
S2 rimspci;rimspci;c:\windows\system32\drivers\rimssne64.sys;c:\windows\SYSNATIVE\drivers\rimssne64.sys [x]
S2 risdsnpe;risdsnpe;c:\windows\system32\drivers\risdsne64.sys;c:\windows\SYSNATIVE\drivers\risdsne64.sys [x]
S2 SampleCollector;VAIO Care Performance Service;c:\program files\Sony\VAIO Care\VCPerfService.exe;c:\program files\Sony\VAIO Care\VCPerfService.exe [x]
S2 SBSDWSCService;SBSD Security Center Service;c:\program files (x86)\Spybot - Search & Destroy\SDWinSec.exe;c:\program files (x86)\Spybot - Search & Destroy\SDWinSec.exe [x]
S2 Secunia CSI Agent;Secunia CSI Agent;c:\program files (x86)\Secunia\CSI\csia.exe;c:\program files (x86)\Secunia\CSI\csia.exe [x]
S2 uCamMonitor;CamMonitor;c:\program files (x86)\ArcSoft\Magic-i Visual Effects 2\uCamMonitor.exe;c:\program files (x86)\ArcSoft\Magic-i Visual Effects 2\uCamMonitor.exe [x]
S2 VCFw;VAIO Content Folder Watcher;c:\program files (x86)\Common Files\Sony Shared\VAIO Content Folder Watcher\VCFw.exe;c:\program files (x86)\Common Files\Sony Shared\VAIO Content Folder Watcher\VCFw.exe [x]
S3 ArcSoftKsUFilter;ArcSoft Magic-I Visual Effect;c:\windows\system32\DRIVERS\ArcSoftKsUFilter.sys;c:\windows\SYSNATIVE\DRIVERS\ArcSoftKsUFilter.sys [x]
S3 BTHprint;Microsoft Bluetooth Printer Class;c:\windows\system32\DRIVERS\bthprint.sys;c:\windows\SYSNATIVE\DRIVERS\bthprint.sys [x]
S3 btwampfl;Bluetooth AMP USB Filter;c:\windows\system32\drivers\btwampfl.sys;c:\windows\SYSNATIVE\drivers\btwampfl.sys [x]
S3 btwl2cap;Bluetooth L2CAP Service;c:\windows\system32\DRIVERS\btwl2cap.sys;c:\windows\SYSNATIVE\DRIVERS\btwl2cap.sys [x]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files (x86)\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys;c:\program files (x86)\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [x]
S3 LEqdUsb;Logitech SetPoint Unifying KMDF USB Filter;c:\windows\system32\DRIVERS\LEqdUsb.Sys;c:\windows\SYSNATIVE\DRIVERS\LEqdUsb.Sys [x]
S3 LHidEqd;Logitech SetPoint Unifying KMDF HID Filter;c:\windows\system32\DRIVERS\LHidEqd.Sys;c:\windows\SYSNATIVE\DRIVERS\LHidEqd.Sys [x]
S3 SFEP;Sony Firmware Extension Parser;c:\windows\system32\drivers\SFEP.sys;c:\windows\SYSNATIVE\drivers\SFEP.sys [x]
S3 SpfService;VAIO Entertainment Common Service;c:\program files\Common Files\Sony Shared\VAIO Entertainment Platform\SPF\SpfService.exe;c:\program files\Common Files\Sony Shared\VAIO Entertainment Platform\SPF\SpfService.exe [x]
S3 VAIO Power Management;VAIO Power Management;c:\program files\Sony\VAIO Power Management\SPMService.exe;c:\program files\Sony\VAIO Power Management\SPMService.exe [x]
S3 VCService;VCService;c:\program files\Sony\VAIO Care\VCService.exe;c:\program files\Sony\VAIO Care\VCService.exe [x]
S3 VUAgent;VUAgent;c:\program files\Sony\VAIO Update 5\VUAgent.exe;c:\program files\Sony\VAIO Update 5\VUAgent.exe [x]
S3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;c:\windows\system32\DRIVERS\yk62x64.sys;c:\windows\SYSNATIVE\DRIVERS\yk62x64.sys [x]
.
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\active setup\installed components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]
2014-07-19 12:13 1104200 ----a-w- c:\program files (x86)\Google\Chrome\Application\36.0.1985.125\Installer\chrmstp.exe
.
Contents of the 'Scheduled Tasks' folder
.
2014-08-04 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-11 00:13]
.
2014-08-04 c:\windows\Tasks\G2MUpdateTask-S-1-5-21-2085123217-935189565-1928209853-1012.job
- c:\users\Vicki 2\AppData\Local\Citrix\GoToMeeting\1468\g2mupdate.exe [2014-07-12 15:44]
.
2014-08-04 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-05-03 04:19]
.
2014-08-04 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-05-03 04:19]
.
2014-04-24 c:\windows\Tasks\User_Feed_Synchronization-{817629D2-25BF-4A4C-9500-D0E55F577720}.job
- c:\windows\system32\msfeedssync.exe [2014-01-03 18:56]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt4]
@="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}]
c:\users\Vicki 2\AppData\Roaming\Dropbox\bin\DropboxExt64.19.dll [BU]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RAVCpl64.exe" [2010-02-25 10060320]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2010-02-22 16397416]
"Logitech Download Assistant"="c:\windows\System32\LogiLDA.dll" [2012-09-20 1832760]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2009-06-17 130576]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2011-08-01 2417032]
"Apoint"="c:\program files (x86)\Apoint\Apoint.exe" [BU]
"ATT_McciTrayApp"="c:\program files\ATT\8.4.1.11\ma\bin\pcTrayApp.exe" [2014-04-02 2834432]
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
uDefault_Search_URL = hxxp://www.google.com/ie
mLocal Page = c:\windows\SysWOW64\blank.htm
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Append Link Target to Existing PDF - c:\program files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~2\Office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files (x86)\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
IE: LastPass - file://c:\program files (x86)\LastPass\context.html?cmd=lastpass
IE: LastPass Fill Forms - file://c:\program files (x86)\LastPass\context.html?cmd=fillforms
IE: Se&nd to OneNote - c:\progra~1\MICROS~3\Office14\ONBttnIE.dll/105
IE: Send image to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
IE: Send page to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
IE: Zend Studio - Debug current page - c:\program files (x86)\Adobe\Adobe Flash Builder 4.5\ietoolbar\ZendIEToolbar.dll/DebugCurrent.html
IE: Zend Studio - Debug next page - c:\program files (x86)\Adobe\Adobe Flash Builder 4.5\ietoolbar\ZendIEToolbar.dll/DebugNext.html
TCP: DhcpNameServer = 192.168.1.254
FF - ProfilePath - c:\users\HHGregg\AppData\Roaming\Mozilla\Firefox\Profiles\cdfi4b6q.default\
.
- - - - ORPHANS REMOVED - - - -
.
Wow6432Node-HKLM-Run-<NO NAME> - (no file)
c:\users\Vicki 2\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dropbox.lnk - c:\users\HHGregg\AppData\Roaming\Dropbox\bin\Dropbox.exe /systemstartup
ShellIconOverlayIdentifiers-{FB314ED9-A251-47B7-93E1-CDD82E34AF8B} - (no file)
ShellIconOverlayIdentifiers-{FB314EDA-A251-47B7-93E1-CDD82E34AF8B} - (no file)
ShellIconOverlayIdentifiers-{FB314EDB-A251-47B7-93E1-CDD82E34AF8B} - (no file)
AddRemove-Coupon Printer for Windows5.0.0.7 - c:\program files (x86)\Coupons\uninstall.exe
AddRemove-{A7E19604-93AF-4611-8C9F-CE509C2B286F}_is1 - c:\program files (x86)\Free YouTube Downloader\unins000.exe
.
.
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\SampleCollector]
"ImagePath"="\"c:\program files\Sony\VAIO Care\VCPerfService.exe\" \"/service\" \"/sstates\" \"/sampleinterval=10000\" \"/procinterval=5\" \"/dllinterval=120\" \"/counter=\Processor(_Total)\% Processor Time:1\" \"/counter=\PhysicalDisk(_Total)\Disk Bytes/sec:1\" \"/counter=\Network Interface(*)\Bytes Total/sec:1\" \"/expandcounter=\Processor Information(*)\Processor Frequency:1\" \"&\" \"/expandcounter=\Processor(*)\% Idle Time:1\" \"/expandcounter=\Processor(*)\% C1 Time:1\" \"/expandcounter=\Processor(*)\% C2 Time:1\" \"/expandcounter=\Processor(*)\%C3 & Time:1\" \"/expandcounter=\Processor(*)\% Processor Time:1\" \"/directory=c:\programdata\Sony Corporation\VAIO Care\inteldata\""
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_14_0_0_145_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_14_0_0_145_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_14_0_0_145_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_14_0_0_145_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_14_0_0_145.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.14"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_14_0_0_145.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_14_0_0_145.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_14_0_0_145.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2014-08-04 09:09:16
ComboFix-quarantined-files.txt 2014-08-04 13:09
ComboFix2.txt 2014-08-04 04:54
.
Pre-Run: 100,055,670,784 bytes free
Post-Run: 99,919,978,496 bytes free
.
- - End Of File - - 318C43699D76C01BA60639FC78D351D4

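The service section of the ComboFix log above uses a fixed `;`-separated layout. The following Python script is an added example (not part of the thread and not ComboFix's own code): it parses those lines and flags any service or kernel driver whose image path sits under a Temp or AppData folder, the kind of check that singles out the one driver in that list loaded from a user's Temp directory. It assumes the usual reading of the leading R/S as running/stopped and the digit as the Windows service start type.

```python
"""Triage helper for the service/driver section of a ComboFix log (added example).

Each service line in that section has the shape
    <R|S><digit> <ServiceName>;<DisplayName>;<ImagePath>;<ImagePath> [x]
This example reads R/S as running/stopped and the digit as the Windows service
start type (0 boot, 1 system, 2 auto, 3 manual, 4 disabled). That reading, and
the "user-writable path" heuristic below, are assumptions of this example, not
something the log itself documents.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

START_TYPES = {0: "boot", 1: "system", 2: "auto", 3: "manual", 4: "disabled"}

# A service or kernel driver binary that lives under a Temp folder, AppData or a
# user's Downloads/Desktop was written there by something running as that user.
# Installers put drivers in system32\drivers or Program Files, so any hit here
# deserves a closer look regardless of what the file calls itself.
SUSPECT_PATH_RE = re.compile(
    r"\\(temp|appdata|users\\[^\\]+\\(downloads|desktop))\\", re.IGNORECASE
)

# "R3 name;display;path;path [x]" -> state, start digit, ';' fields, bracket tag
LINE_RE = re.compile(
    r"^(?P<state>[RS])(?P<start>[0-4])\s+(?P<rest>.+?)(?:\s+\[(?P<tag>[^\]]*)\])?$"
)


@dataclass
class ServiceEntry:
    name: str
    display: str
    image_path: str
    running: bool
    start_type: str
    tag: str  # trailing "[x]"-style marker, kept verbatim and not interpreted

    @property
    def is_driver(self) -> bool:
        return self.image_path.lower().endswith(".sys")

    @property
    def user_writable_path(self) -> bool:
        return SUSPECT_PATH_RE.search(self.image_path) is not None


def parse_service_line(line: str) -> Optional[ServiceEntry]:
    """Parse one ComboFix service line; return None for separators and other text."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    fields = m.group("rest").split(";")
    if len(fields) < 3:
        return None
    return ServiceEntry(
        name=fields[0],
        display=fields[1],
        image_path=fields[2],
        running=m.group("state") == "R",
        start_type=START_TYPES[int(m.group("start"))],
        tag=m.group("tag") or "",
    )


def triage(log_text: str) -> Tuple[List[ServiceEntry], List[ServiceEntry]]:
    """Return (all parsed entries, entries whose binary sits in a user-writable path)."""
    entries = [e for e in map(parse_service_line, log_text.splitlines()) if e]
    flagged = [e for e in entries if e.user_writable_path]
    return entries, flagged


# Five lines copied from the log above (the "." line is ComboFix's separator).
SAMPLE_LOG = r"""
R2 FreeAgentGoNext Service;Seagate Service;c:\program files (x86)\Seagate\SeagateManager\Sync\FreeAgentService.exe;c:\program files (x86)\Seagate\SeagateManager\Sync\FreeAgentService.exe [x]
R3 dc3d;MS Hardware Device Detection Driver (USB);c:\windows\system32\DRIVERS\dc3d.sys;c:\windows\SYSNATIVE\DRIVERS\dc3d.sys [x]
R3 WinRing0_1_2_0;WinRing0_1_2_0;c:\users\VICKI2~1\AppData\Local\Temp\Rar$EX82.472\WinRing0x64.sys;c:\users\VICKI2~1\AppData\Local\Temp\Rar$EX82.472\WinRing0x64.sys [x]
S1 BdfNdisf;BitDefender Firewall NDIS 6 Filter Driver;c:\program files\lavasoft\ad-aware antivirus\firewall engine\1.6.0.0\drivers\bdfndisf6.sys;c:\program files\lavasoft\ad-aware antivirus\firewall engine\1.6.0.0\drivers\bdfndisf6.sys [x]
S2 AT&T Troubleshoot & Resolve;AT&T Troubleshoot & Resolve;c:\program files (x86)\ATT\8.4.1.11\ma\bin\MAHostService.exe;c:\program files (x86)\ATT\8.4.1.11\ma\bin\MAHostService.exe [x]
.
"""

if __name__ == "__main__":
    entries, flagged = triage(SAMPLE_LOG)
    print(f"parsed {len(entries)} service entries, {len(flagged)} flagged")
    for e in flagged:
        kind = "kernel driver" if e.is_driver else "service"
        state = "running" if e.running else "stopped"
        print(f"  {e.name}: {kind}, {state}, start={e.start_type}\n    {e.image_path}")
```

To run it over a real log, pass the whole ComboFix output to triage() instead of SAMPLE_LOG; non-service lines are skipped.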

#130
August 4, 2014 at 15:55:02
Combofix didn't find any more new malware; it did delete remnants/orphans of old malware.

You can delete the files in the Qoobox folder in a week's time.
Qoobox is a folder created by Combofix to quarantine any infected files.
http://www.bleepingcomputer.com/com...

Next, run TFC
http://www.geekstogo.com/forum/file...
http://www.bleepingcomputer.com/dow...
http://oldtimer.geekstogo.com/TFC.exe
http://www.itxassociates.com/OT-Too...
Please double-click TFC.exe to run it. (Note: If you are running on Vista/Windows 7/8, right-click on the file and choose Run As Administrator.)
It will close all programs when run, so make sure you have saved all your work before you begin.
Click the Start button to begin the process. Depending on how often you clean temp files, execution time should be anywhere from a few seconds to a minute or two. Let it run uninterrupted to completion.
Once it's finished it should reboot your machine. If it does not, please manually reboot the machine yourself to ensure a complete clean.

After TFC, run Tweaking.com
Latest version > 2.8.4
No need to run Malwarebytes.



#131
August 4, 2014 at 17:55:13
Running Tweaking.com now.
How often should I be deleting temp files and which ones?


#132
August 5, 2014 at 01:28:48
"Running Tweaking.com now"
Ok, shall wait for the log.

"How often should I be deleting temp files and which ones?"
Will cover that later.




#133
August 5, 2014 at 04:57:02

System Variables
--------------------------------------------------------------------------------
OS: Windows 7 Home Premium
OS Architecture: 64-bit
OS Version: 6.1.7601
OS Service Pack: Service Pack 1
Computer Name: VICKI-VAIO
Windows Drive: C:\
Windows Path: C:\Windows
Program Files: C:\Program Files
Program Files (x86): C:\Program Files (x86)
Current Profile: C:\Users\HHGregg
Current Profile SID: S-1-5-21-2085123217-935189565-1928209853-1004
Current Profile Classes: S-1-5-21-2085123217-935189565-1928209853-1004_Classes
Profiles Location: C:\Users
Profiles Location 2: C:\Windows\ServiceProfiles
Local Settings AppData: C:\Users\HHGregg\AppData\Local
--------------------------------------------------------------------------------

System Information
--------------------------------------------------------------------------------
System Up Time: 0 Days 00:33:17

Process Count: 117
Commit Total: 2.31 GB
Commit Limit: 7.96 GB
Commit Peak: 2.42 GB
Handle Count: 35319
Kernel Total: 512.37 MB
Kernel Paged: 426.82 MB
Kernel Non Paged: 85.55 MB
System Cache: 1.99 GB
Thread Count: 1414
--------------------------------------------------------------------------------

Memory Before Cleaning with CleanMem
--------------------------------------------------------------------------------
Memory Total: 3.98 GB
Memory Used: 1.94 GB(48.6697%)
Memory Avail.: 2.04 GB
--------------------------------------------------------------------------------

Cleaning Memory Before Starting Repairs...

Memory After Cleaning with CleanMem
--------------------------------------------------------------------------------
Memory Total: 3.98 GB
Memory Used: 1.58 GB(39.5966%)
Memory Avail.: 2.41 GB
--------------------------------------------------------------------------------

Starting Repairs...
Started at (8/4/2014 10:13:37 PM)

01 - Reset Registry Permissions 01/03
HKEY_CURRENT_USER & Sub Keys
Start (8/4/2014 10:13:47 PM)
Running Repair Under Current User Account
Done (8/4/2014 10:14:20 PM)

01 - Reset Registry Permissions 02/03
HKEY_LOCAL_MACHINE & Sub Keys
Start (8/4/2014 10:14:20 PM)
Running Repair Under System Account
Done (8/4/2014 10:23:15 PM)

01 - Reset Registry Permissions 03/03
HKEY_CLASSES_ROOT & Sub Keys
Start (8/4/2014 10:23:15 PM)
Running Repair Under System Account
Done (8/4/2014 10:25:27 PM)

02 - Reset File Permissions: C:
C: & Sub Folders
Start (8/4/2014 10:25:27 PM)
Trying To Run Repair As Trusted Installer.
You will see a Interactive Services Detection Window.
The Repair Is Running In That Window.
This Is Normal And Will Go Away Once The Repair Is Finished.
Running Repair Under Current User Account
Done (8/4/2014 10:25:33 PM)

02 - Reset File Permissions: All Profiles
C:\Users & Sub Folders
Start (8/4/2014 10:25:33 PM)
Running Repair Under System Account
Done (8/5/2014 12:26:25 AM)

02 - Reset File Permissions: Current Profile
C:\Users\HHGregg & Sub Folders
Start (8/5/2014 12:26:27 AM)
Running Repair Under System Account
Done (8/5/2014 12:29:44 AM)

02 - Reset File Permissions: Cleanup
Repairing Restricted Folders Permissions To Avoid Infinite Loops
Start (8/5/2014 12:29:44 AM)
Running Repair Under Current User Account
Running Repair Under System Account
Done (8/5/2014 12:30:13 AM)

03 - Reset Service Permissions
Start (8/5/2014 12:30:13 AM)
Running Repair Under System Account
Done (8/5/2014 12:30:52 AM)

04 - Register System Files
Start (8/5/2014 12:30:53 AM)
Running Repair Under Current User Account
Running Repair Under System Account
Done (8/5/2014 12:32:49 AM)

05 - Repair WMI
Start (8/5/2014 12:32:49 AM)

Starting Security Center So We Can Export The Security Info.

Exporting Antivirus Info...
Ad-Aware Antivirus Exported.
Symantec Endpoint Protection Exported.

Exporting AntiSpyware Info...
Ad-Aware Antivirus Exported.
Windows Defender Exported.
Symantec Endpoint Protection Exported.

Exporting 3rd Party Firewall Info...
Ad-Aware Firewall Exported.

Running Repair Under Current User Account
Done (8/5/2014 12:45:00 AM)

06 - Repair Windows Firewall
Start (8/5/2014 12:45:00 AM)
Running Repair Under Current User Account
Running Repair Under System Account
Done (8/5/2014 12:45:49 AM)

07 - Repair Internet Explorer
Start (8/5/2014 12:45:49 AM)
Running Repair Under Current User Account
Running Repair Under System Account
Done (8/5/2014 12:46:52 AM)

08 - Repair MDAC/MS Jet
Start (8/5/2014 12:46:52 AM)
Running Repair Under Current User Account
Running Repair Under System Account
Done (8/5/2014 12:47:31 AM)

09 - Repair Hosts File
Start (8/5/2014 12:47:31 AM)
Running Repair Under System Account
Done (8/5/2014 12:47:34 AM)

10 - Remove Policies Set By Infections
Start (8/5/2014 12:47:34 AM)
Running Repair Under Current User Account
Running Repair Under System Account
Done (8/5/2014 12:47:40 AM)

11 - Repair Start Menu Icons Removed By Infections
Start (8/5/2014 12:47:40 AM)
Running Repair Under System Account
Done (8/5/2014 12:47:44 AM)

12 - Repair Icons
Start (8/5/2014 12:47:44 AM)
Running Repair Under Current User Account
Done (8/5/2014 12:47:47 AM)

13 - Repair Winsock & DNS Cache
Start (8/5/2014 12:47:47 AM)
Running Repair Under Current User Account
Running Repair Under System Account
Done (8/5/2014 12:48:24 AM)

14 - Remove Temp Files
Start (8/5/2014 12:48:25 AM)
Running Repair Under System Account
Done (8/5/2014 12:48:28 AM)

15 - Repair Proxy Settings
Start (8/5/2014 12:48:28 AM)
Running Repair Under Current User Account
Running Repair Under System Account
Done (8/5/2014 12:48:34 AM)

16 - Unhide Non System Files
Start (8/5/2014 12:48:34 AM)
C:\ - Total Files Unhidden: 4658 - Check Unhidden_Files.txt for list of files unhidden
Done (8/5/2014 1:07:32 AM)

17 - Repair Windows Updates
Start (8/5/2014 1:07:32 AM)
Running Repair Under Current User Account
Running Repair Under System Account
Done (8/5/2014 1:08:20 AM)

18 - Repair CD/DVD Missing/Not Working
Start (8/5/2014 1:08:20 AM)
iTunes was found, adding UpperFilters for iTunes Reg Key
UpperFilters added?: True
Done (8/5/2014 1:08:20 AM)

19 - Repair Volume Shadow Copy Service
Start (8/5/2014 1:08:20 AM)
Running Repair Under Current User Account
Running Repair Under System Account
Done (8/5/2014 1:08:49 AM)

20 - Repair Windows Sidebar/Gadgets
Start (8/5/2014 1:08:49 AM)
Running Repair Under Current User Account
Running Repair Under System Account
Done (8/5/2014 1:09:05 AM)

21 - Repair MSI (Windows Installer)
Start (8/5/2014 1:09:05 AM)
Running Repair Under Current User Account
Running Repair Under System Account
Done (8/5/2014 1:09:20 AM)

22 - Repair Windows Snipping Tool
Start (8/5/2014 1:09:20 AM)
Running Repair Under Current User Account
Running Repair Under System Account
Done (8/5/2014 1:09:26 AM)

23.01 - Repair bat Association
Start (8/5/2014 1:09:26 AM)
Running Repair Under Current User Account
Running Repair Under System Account
Done (8/5/2014 1:09:32 AM)

23.02 - Repair cmd Association
Start (8/5/2014 1:09:32 AM)
Running Repair Under Current User Account
Running Repair Under System Account
Done (8/5/2014 1:09:45 AM)

23.03 - Repair com Association
Start (8/5/2014 1:09:45 AM)
Running Repair Under Current User Account
Running Repair Under System Account
Done (8/5/2014 1:09:51 AM)

23.04 - Repair Directory Association
Start (8/5/2014 1:09:51 AM)
Running Repair Under Current User Account
Running Repair Under System Account
Done (8/5/2014 1:09:58 AM)

23.05 - Repair Drive Association
Start (8/5/2014 1:09:58 AM)
Running Repair Under Current User Account
Running Repair Under System Account
Done (8/5/2014 1:10:04 AM)

23.06 - Repair exe Association
Start (8/5/2014 1:10:04 AM)
Running Repair Under Current User Account
Running Repair Under System Account
Done (8/5/2014 1:10:10 AM)

23.07 - Repair Folder Association
Start (8/5/2014 1:10:10 AM)
Running Repair Under Current User Account
Running Repair Under System Account
Done (8/5/2014 1:10:23 AM)

23.08 - Repair inf Association
Start (8/5/2014 1:10:23 AM)
Running Repair Under Current User Account
Running Repair Under System Account
Done (8/5/2014 1:10:29 AM)

23.09 - Repair lnk (Shortcuts) Association
Start (8/5/2014 1:10:29 AM)
Running Repair Under Current User Account
Running Repair Under System Account
Done (8/5/2014 1:10:36 AM)

23.10 - Repair msc Association
Start (8/5/2014 1:10:36 AM)
Running Repair Under Current User Account
Running Repair Under System Account
Done (8/5/2014 1:10:42 AM)

23.11 - Repair reg Association
Start (8/5/2014 1:10:42 AM)
Running Repair Under Current User Account
Running Repair Under System Account
Done (8/5/2014 1:10:48 AM)

23.12 - Repair scr Association
Start (8/5/2014 1:10:48 AM)
Running Repair Under Current User Account
Running Repair Under System Account
Done (8/5/2014 1:10:55 AM)

24 - Repair Windows Safe Mode
Start (8/5/2014 1:10:55 AM)
Running Repair Under Current User Account
Running Repair Under System Account
Done (8/5/2014 1:11:01 AM)

25 - Repair Print Spooler
Start (8/5/2014 1:11:01 AM)
Running Repair Under Current User Account
Running Repair Under System Account
Done (8/5/2014 1:11:26 AM)

26 - Restore Important Windows Services
Start (8/5/2014 1:11:26 AM)
Running Repair Under Current User Account
Running Repair Under System Account
Done (8/5/2014 1:11:35 AM)

27 - Set Windows Services To Default Startup
Start (8/5/2014 1:11:35 AM)
Running Repair Under Current User Account
Running Repair Under System Account
Done (8/5/2014 1:11:41 AM)

Skipping Repair.
Repair is for Windows v6.2 (Windows 8 & Newer) or higher.
Current version: 6.1

Skipping Repair.
Repair is for Windows v6.2 (Windows 8 & Newer) or higher.
Current version: 6.1

Skipping Repair.
Repair is for Windows v6.2 (Windows 8 & Newer) or higher.
Current version: 6.1

31 - Repair Windows 'New' Submenu
Start (8/5/2014 1:11:41 AM)
Running Repair Under Current User Account
Running Repair Under System Account
Done (8/5/2014 1:11:48 AM)

Cleaning up empty logs...

All Selected Repairs Done.
Done at (8/5/2014 1:11:48 AM)
Total Repair Time: 02:58:12


...YOU MUST RESTART YOUR SYSTEM...
Running Repair Under Current User Account



#134
August 5, 2014 at 05:00:45
"...YOU MUST RESTART YOUR SYSTEM...
Running Repair Under Current User Account"

Have you?

message edited by Johnw



#135
August 5, 2014 at 05:08:10
Yes. I set it to shut down upon completion.


#136
August 5, 2014 at 05:11:25
"Yes. I set it to shut down upon completion"
Good one.

Download Farbar Recovery Scan Tool and save it to your Desktop. If your default download location is not the Desktop, drag it out of its location onto the Desktop.
http://www.bleepingcomputer.com/dow...
Note: You need to run the version compatible with your system. If you are not sure which version applies to your system, download both of them and try to run them. Only one of them will run on your system; that will be the right version.
Double-click to run it. When the tool opens click Yes to disclaimer.
Press Scan button.
It will make a log (FRST.txt) in the same directory the tool is run. Upload it.
The first time the tool is run, it also makes another log (Addition.txt). Upload it.



#137
August 5, 2014 at 05:14:51
Disable SEP?


#138
August 5, 2014 at 05:19:44
SEP is finding Trojans in .tmp files.


#139
August 5, 2014 at 05:27:08
"SEP is finding Trojans in .tmp files"
It looks like you have unfixable trojans, maybe they are encrypted.

I would now reinstall.

Make sure when you reinstall, you delete ALL partitions & format to NTFS.

W7 - Click on > Drive options (advanced) Then highlight each partition & hit > Delete.
http://www.blackviper.com/os-instal...
http://www.blackviper.com/os-instal...

Here are some examples of why you delete all partitions.
http://forums.spybot.info/showthrea...
http://forums.whatthetech.com/index...
http://blog.eset.com/2011/10/18/tdl...



#140
August 5, 2014 at 05:30:19
Uninstall through Control Panel?


#141
August 5, 2014 at 05:35:31
"Uninstall through Control Panel?"
No, reinstall Windows 7; you lose everything.


#142
August 5, 2014 at 05:41:06
That makes me nervous.


#143
August 5, 2014 at 05:45:10
Maybe uninstalling Norton is the way to go; they could be false positives.
I use MSE.

How can I fully remove Norton Antivirus from my system?
https://support.norton.com/sp/en/us...
http://www.pchell.com/virus/uninsta...
http://www.softpedia.com/get/Tweak/...

Microsoft Security Essentials ( MSE )
http://www.softpedia.com/get/Antivi...
http://www.softpedia.com/progScreen...
http://windows.microsoft.com/en-us/...
http://www.techsupportalert.com/9be...
System requirements
http://www.microsoft.com/en-us/secu...
Check list for installing Microsoft Security Essentials
http://experts.windows.com/w/expert...
Can Microsoft Security Essentials ( MSE ) protect me for online banking and shopping?
http://answers.microsoft.com/en-us/...
If you choose to use Security Essentials, please follow the steps in this thread first, especially the part about removing all existing realtime antimalware:
http://kb.eset.com/esetkb/index?pag...

message edited by Johnw



#144
August 5, 2014 at 06:04:02
I can't find a link to Symantec Endpoint Protection removal tool.


#145
August 5, 2014 at 06:09:18
http://www.softpedia.com/dyn-postdo...


#146
August 5, 2014 at 06:19:03
If that doesn't work, use this.

IObit Uninstaller
http://www.softpedia.com/get/Tweak/...
http://www.softpedia.com/progScreen...
http://www.freewarefiles.com/IObit-...
http://www.majorgeeks.com/files/det...
http://www.iobit.com/advanceduninst...
Do a Standard Uninstall & then the Powerful Scan to remove all the lurking bits.
http://i.imgur.com/olyCkcJ.gif
http://i.imgur.com/cKc5Chi.gif

message edited by Johnw



#147
August 5, 2014 at 06:29:48
... . . .

message edited by KPKris



#148
August 5, 2014 at 06:35:37
After using IObit Uninstaller, then installing MSE, do post #136


#149
August 5, 2014 at 06:51:12
Select all of the folders and files?
Shred files also?


#150
August 5, 2014 at 06:55:34
Don't know where you are!


#151
August 5, 2014 at 06:59:03
Powerful scan options.
http://www.load.to/AWIPOEd55u/iobit...

message edited by KPKris



#152
August 5, 2014 at 07:01:16
I can't remember, SS please.


#153
August 5, 2014 at 07:04:12
I just uninstalled an old program, check only SelectAll.


#154
August 5, 2014 at 07:37:03
Scanning with MSE now.


#155
August 5, 2014 at 07:39:18
OK, I'll have to go to bed.


#156

#157
August 5, 2014 at 15:03:42
Whilst I'm checking the logs.
Uninstall Combofix please.


#158
August 5, 2014 at 15:35:18
You now have a very large amount of cleaning to do. When finished, run Farbar Recovery Scan Tool again, post the logs.

Run both of these, in this order.

Run Wise Disk Cleaner ( Run the 1st three tabs, left to right. I use default settings, leave boxes that are unchecked, unchecked ) Reboot when finished.
http://www.softpedia.com/get/System...
http://www.softpedia.com/progScreen...
http://www.wisecleaner.com/download...
http://i.imgur.com/Jecnfvb.gif
http://i.imgur.com/0xHwdom.gif
http://i.imgur.com/JZLYOLf.gif
http://i.imgur.com/4kfaeGW.gif

Run Wise Registry Cleaner ( Only use Registry Cleaner & with default settings. Don't use System Tuneup, that is for Experts, you really have to know what you are doing ) Reboot when finished.
http://www.softpedia.com/get/Tweak/...
http://www.softpedia.com/progScreen...
http://www.wisecleaner.com/wiseregi...
http://i.imgur.com/Qy7HWcA.gif



#159
August 5, 2014 at 15:47:21
I don't see Combofix to uninstall.


#160
August 5, 2014 at 15:52:53
Are you saying you have tried instructions in post #112?


#161
August 5, 2014 at 15:54:43
I downloaded the RWD cleaner to the desktop. When I tried to run it I got the following error:
Unable to execute file in the temporary directory. Setup aborted.
Error 5: Access is denied.


#162
August 5, 2014 at 15:55:55
"Are you saying you have tried instructions in post #112?"
Yes


#163
August 5, 2014 at 15:59:05
"Error 5: Access is denied'
Did you right click on it & select > Run as administrator?


#164
August 5, 2014 at 16:00:22
Yes - I automatically have programs run as admin with password.


#165
August 5, 2014 at 16:04:44
Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 02-08-2014
Ran by Vicki 2 (ATTENTION: The logged in user is not administrator) on VICKI-VAIO on 05-08-2014 11:52:48


#166
August 5, 2014 at 16:12:22
I am not logged on as admin but I require admin permissions to download and run programs.


#167
August 5, 2014 at 16:17:53
Don't understand that last message.


#168
August 5, 2014 at 16:25:16
Admin set up parameters for users. One of them being unable to download programs without a password. Hence the reason I am running programs "as Admin" while logged in as a User until this computer is good to go.


#169
August 5, 2014 at 16:28:47
Ok, I shall have to leave it to you to get things sorted out so you can download & run programs again.


#170
August 5, 2014 at 16:31:07
? It's been working this way through this whole post. What is wrong now?

message edited by KPKris



#171
August 5, 2014 at 16:34:39
"? It's been setup this way for years"
Doesn't matter, since removing SEP, something has changed. Double check your settings.


#172
August 5, 2014 at 16:35:16
I was able to download the RWD cleaner, just not run it.


#173
August 5, 2014 at 16:38:44
Should I try the 2nd part of post #158 and see if I get an error?
or some benign program?

message edited by KPKris



#174
August 5, 2014 at 16:44:37
Yep, worth a try.


#175
August 5, 2014 at 16:48:26
I just tried to switch users to login to Admin and got this error.
"logon Process Initialization Failure."
"Interactive logon process initialization has failed. Please consult the event log for more details."

When I click on OK it just keeps coming back to this error screen.



#176
August 5, 2014 at 16:50:44
See if Tweaking.com will run, no need to check the W8 fixes.


#177
August 5, 2014 at 16:54:27
I can't do anything. It just keeps cycling through this message when I click OK. I am using my phone to respond to this.

*cycling through the error message.

message edited by KPKris



#178
August 5, 2014 at 16:58:49

With SEP it takes over the comp with its own settings. Now you have to try & get back to normal W7 settings.

Turn the comp off & see what happens in Safe mode.



#179
August 5, 2014 at 17:06:05
Got the dreaded blue screen. Now startup repair has started scanning. It just asked me if I wanted to restore to a previous point. I sure hope there is one! Lately there hasn't been one.
It's attempting repairs right now.


#180
August 5, 2014 at 17:08:28
Sounds good, this is what I was hoping, be very patient, even when you think nothing is happening, it can take a long while.


#181
August 5, 2014 at 17:30:25
Okay. Up and running. What should I do next, besides breathe? :)


#182
August 5, 2014 at 17:43:56
Uninstall combofix, just in case it is still installed.


#183
August 5, 2014 at 17:49:45
Don't see the program but the folder is there with the log file.


#184
August 5, 2014 at 17:52:26
How do I safely check if I have restoration points?


#185
August 5, 2014 at 17:53:02
Is this what you are doing?

Turn off all active protection software.
Push the "windows key" + "R" (between the "Ctrl" button and "Alt" Button)
Please Copy and Paste the following into the box > ComboFix /Uninstall and click OK.



#186
August 5, 2014 at 18:01:13
I used the IObit uninstaller and did not find it.

Tried it your way too and it did not find it.

message edited by KPKris



#187
August 5, 2014 at 18:03:51
Have a look in IObit Uninstaller & tell me if SEP is there.

Did you go back to a previous Restore point or just do the Repair?



#188
August 5, 2014 at 18:11:36
SEP is not there.

I told it to go to a previous restore point but it never left the repair screen so I was thinking there was no restore point to go to.

When Windows restarted I got the following error.

http://www.load.to/E97L5CxzJI/SEP_s...

I went to their website and it told me to upgrade. ha!



#189
August 5, 2014 at 18:19:40
Ok, that is a small part of what has to be cleaned up, run the Wise tools in the order I nominated.


#190
August 5, 2014 at 19:01:05
Okay. I'll run it first thing tomorrow. Gotta go for now.


#191
August 5, 2014 at 19:29:14
"I'll run it"
Just to be clear.

1: Run Wise Disk Cleaner
2: Run Wise Registry Cleaner

message edited by Johnw



#192
August 6, 2014 at 06:24:30
The Scans are finished.


#193
August 6, 2014 at 14:47:45
You should have a nice zippy feel to the comp now.

Download Security Check by screen317 from one of the following links and save it onto your Desktop. If your default download location is not the Desktop, drag it out of its location onto the Desktop.
http://screen317.spywareinfoforum.o...
http://screen317.changelog.fr/Secur...
Please restart the computer before running this security check.
* Double click SecurityCheck.exe. If you run Windows Vista or 7/8, right click and choose 'Run as Administrator'.
o If you are asked by Windows to run this program or not, please click 'Yes' or 'Run'.
o When you see a console window, press any key to continue scanning.
o Wait while it scans.
o If your firewall alerts you of Security Check, please press 'Allow' or similar.
* A Notepad document should open automatically after scan is completed. It will be called checkup.txt; Please Copy and Paste the contents into your reply.



#194
August 6, 2014 at 16:50:38
Results of screen317's Security Check version 0.99.86
Windows 7 Service Pack 1 x64 (UAC is enabled)
Internet Explorer 11
[b][u]``````````````Antivirus/Firewall Check:``````````````[/b][/u]
Windows Firewall Enabled!
Microsoft Security Essentials
Antivirus up to date!
[b][u]`````````Anti-malware/Other Utilities Check:`````````[/b][/u]
Secunia PSI
Malwarebytes Anti-Malware version 1.75.0.1300
Wise Disk Cleaner 8.23
Wise Registry Cleaner 8.22
JavaFX 2.1.1
Java(TM) 6 Update 26
Java 7 Update 7
Java 7 Update 25
[color=red][b]Java version out of Date![/b][/color]
Adobe Flash Player 14.0.0.145
Adobe Reader XI
Mozilla Firefox (31.0)
Google Chrome 35.0.1916.153
Google Chrome 36.0.1985.125
Google Chrome plugins...
[b][u]````````Process Check: objlist.exe by Laurent````````[/b][/u]
Norton ccSvcHst.exe
Microsoft Security Essentials MSMpEng.exe
Microsoft Security Essentials msseces.exe
Lavasoft Ad-Aware Antivirus Ad-Aware Antivirus 11.1.5354.0\AdAwareService.exe
[b][u]`````````````````System Health check`````````````````[/b][/u]
Total Fragmentation on Drive C: 7%
[b][u]````````````````````End of Log``````````````````````[/b][/u]


#195
August 6, 2014 at 16:51:58
From your AdwCleaner log.
Key Deleted : HKCU\Software\Softonic
WARNING: CNET Download.com downloads now come bundled with opt-out crapware and toolbars ( Same applies to Softonic )
http://dottech.org/23420/cnet-crapw...
Last time I helped you, I mentioned to use Unchecky ( Yes, I know you have Ghostery installed ) to help prevent all this stuff being installed. You haven't installed it.
http://www.computing.net/answers/se...

As you can see from your logs, you had a lot of stuff installed, that you did not know had been installed.
A lot of programs, now give you the choice to install toolbars & other during the install. Either uncheck these items during install, or use Custom install. No more click, click during an install, you have to read after each click.
I use Softpedia, down the bottom of the page, they make you aware what Ad-supported programs the author of the program has included.
Sample pages
http://www.softpedia.com/get/CD-DVD...
http://www.softpedia.com/get/Multim...
Users are advised to pay attention while installing this ad-supported application:
· Offers to change the homepage for web browsers installed in the system
· Offers to change the default search engine for web browsers installed in the system
· Offers to install StartNow Toolbar that the program does not require to fully function
SS ( screenshots ) of above
http://i.imgur.com/CSBplyA.gif
http://i.imgur.com/3eWWoXm.gif

"How often should I be deleting temp files and which ones?"
Run these once a month.
TFC
Wise Disk Cleaner ( no need to reboot, now you have run it once )
Wise Registry Cleaner

For the future, so you can handle emergencies.
Do you have the W7 CD/DVD or other?
Do you know your product number?



#196
August 6, 2014 at 18:29:00
Just installed Unchecky. Don't know why I didn't before. Thanks for letting me know. Every time I start up my computer I get a notification box to update Java. Is it safe to do that?
Thank you so much for all of the hours/days and effort you put in to help fix my computer! Much appreciated.


#197
August 6, 2014 at 18:32:07
"Thank you so much for all of the hours/days and effort you put in to help fix my computer! Much appreciated"
YW & we are nearly finished.

You missed this on my last post.

For the future, so you can handle emergencies.
Do you have the W7 CD/DVD or other?
Do you know your product number?



#198
August 6, 2014 at 18:33:07
From the screen317's Security Check log.
"[color=red][b]Java version out of Date![/b][/color]"
Java, security wise, is a high risk program. I do not have it installed; very few people need it. Usually, if it is needed, a program will squawk, telling you it is needed. What I do is find another program to do the same job that doesn't need Java.
Uninstall Java or update it using JavaRa.

To remove old and redundant versions of the Java Runtime Environment:
http://www.softpedia.com/get/System...
http://www.softpedia.com/progScreen...
http://singularlabs.com/software/ja...

I expected Wise to remove this.
"Norton ccSvcHst.exe"
Are there any Norton or Symantec entries in IObit Uninstaller?
If so, uninstall.

"Lavasoft Ad-Aware Antivirus Ad-Aware Antivirus 11.1.5354.0\AdAwareService.exe"
Having two AV's installed means they are competing against one another, I would uninstall this one.

What type of hard drive are you using, the old style or SSD ( Solid State )?


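Johnw reads the Security Check log in #194 by eye and calls out two things in #198: leftover Java runtimes next to the current one, and security products from several vendors running at the same time. As an added example, not part of the thread and not part of screen317's tool, the Python below applies those same two checks to the posted checkup.txt (excerpted inline; the section names and the BBCode markers are exactly what the tool writes):

```python
"""Triage a screen317 Security Check log (checkup.txt).

Added example, not code from the thread or from Security Check itself. It splits
the log into its [b][u]...[/b][/u] sections, lists the installed Java runtimes
and returns every one except the newest, and groups the security processes in
the Process Check section by vendor so that more than one vendor gets flagged.
"""
import re
from typing import Dict, List, Tuple

# Excerpt of the checkup.txt posted in the thread (trimmed to the relevant lines).
CHECKUP_LOG = r"""
Results of screen317's Security Check version 0.99.86
Windows 7 Service Pack 1 x64 (UAC is enabled)
[b][u]``````````````Antivirus/Firewall Check:``````````````[/b][/u]
Windows Firewall Enabled!
Microsoft Security Essentials
Antivirus up to date!
[b][u]`````````Anti-malware/Other Utilities Check:`````````[/b][/u]
Malwarebytes Anti-Malware version 1.75.0.1300
JavaFX 2.1.1
Java(TM) 6 Update 26
Java 7 Update 7
Java 7 Update 25
[color=red][b]Java version out of Date![/b][/color]
Adobe Flash Player 14.0.0.145
[b][u]````````Process Check: objlist.exe by Laurent````````[/b][/u]
Norton ccSvcHst.exe
Microsoft Security Essentials MSMpEng.exe
Microsoft Security Essentials msseces.exe
Lavasoft Ad-Aware Antivirus Ad-Aware Antivirus 11.1.5354.0\AdAwareService.exe
[b][u]`````````````````System Health check`````````````````[/b][/u]
Total Fragmentation on Drive C: 7%
[b][u]````````````````````End of Log``````````````````````[/b][/u]
"""

# Section header: BBCode bold/underline around a run of backticks and the title.
HEADER = re.compile(r"^\[b\]\[u\]`+(?P<title>.+?):?`+\[/b\]\[/u\]$")
# Installed Java runtimes, e.g. "Java(TM) 6 Update 26" or "Java 7 Update 25" (JavaFX is not a JRE).
JAVA_RUNTIME = re.compile(r"^Java(?:\(TM\))?\s+(?P<major>\d+)\s+Update\s+(?P<update>\d+)$")


def parse_sections(text: str) -> Dict[str, List[str]]:
    """Map each section title to the non-empty lines under it."""
    sections: Dict[str, List[str]] = {}
    current = "Preamble"
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HEADER.match(line)
        if m:
            current = m.group("title")
            sections[current] = []
            continue
        sections.setdefault(current, []).append(line)
    return sections


def java_runtimes(sections: Dict[str, List[str]]) -> List[Tuple[int, int]]:
    """All (major, update) JRE versions listed in the utilities section."""
    found = []
    for line in sections.get("Anti-malware/Other Utilities Check", []):
        m = JAVA_RUNTIME.match(line)
        if m:
            found.append((int(m.group("major")), int(m.group("update"))))
    return found


def stale_java(sections: Dict[str, List[str]]) -> List[Tuple[int, int]]:
    """Every installed JRE except the newest; each extra one is unpatched attack surface."""
    runtimes = java_runtimes(sections)
    if not runtimes:
        return []
    newest = max(runtimes)
    return [r for r in runtimes if r != newest]


def security_vendors(sections: Dict[str, List[str]]) -> Dict[str, List[str]]:
    """Group the Process Check lines by their first word (the vendor) -> executable names."""
    vendors: Dict[str, List[str]] = {}
    for line in sections.get("Process Check: objlist.exe by Laurent", []):
        parts = line.split()
        if len(parts) < 2:
            continue
        vendor, exe = parts[0], parts[-1].rsplit("\\", 1)[-1]  # drop any leading path
        vendors.setdefault(vendor, []).append(exe)
    return vendors


def findings(text: str) -> List[str]:
    """Human-readable triage lines; empty when neither check fires."""
    sections = parse_sections(text)
    out: List[str] = []
    stale = stale_java(sections)
    if stale:
        out.append("remove stale Java runtimes: " + ", ".join(f"Java {m} Update {u}" for m, u in stale))
    vendors = security_vendors(sections)
    if len(vendors) > 1:
        out.append("security processes from %d vendors are running (%s); keep a single real-time product"
                   % (len(vendors), ", ".join(sorted(vendors))))
    return out


if __name__ == "__main__":
    for line in findings(CHECKUP_LOG):
        print("-", line)
```

On the posted log this reports two findings: the Java 6 Update 26 and Java 7 Update 7 runtimes beside the newer Java 7 Update 25, and processes from Norton, Microsoft and Lavasoft all running, which is the "two AV's competing" situation in #198 (the Norton process is the ccSvcHst.exe remnant dealt with later in the thread).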

#199
August 7, 2014 at 04:43:00
Just remembered one of your logs quoted the hard drive > ST9500325AS.

From the screen317's Security Check log.
"Total Fragmentation on Drive C: 7%"
Run Wise Disk Cleaner, go to the last tab & click on Disk Defrag.



#200
August 7, 2014 at 06:06:27
"Do you have the W7 CD/DVD or other?"
I created a System Repair Disk Windows 7 for my laptop when I first purchased it.

Tried uninstalling Java - it installed all versions except 2.

I am still getting the SEP error at startup. Post #188.

I do not see Symantec or Norton in IObit.

message edited by KPKris



#201
August 7, 2014 at 06:10:33
"Tried uninstalling Java - it installed all versions except 2"
Use IObit Uninstaller

"I am still getting the SEP error at startup. Post #188"
Remove Norton ccSvcHst.exe from Startups.
How to Change, Add, or Remove Startup Programs in Windows 7
http://www.sevenforums.com/tutorial...



#202
August 7, 2014 at 06:13:02
Repeat requests.
Do you know your product number?

message edited by Johnw



#203
August 7, 2014 at 06:33:49
Going to bed.

Use your Product number with this ISO. Digital River is the MS official download site. This then gives you what most people have, your operating system, which allows repairs & reinstalls.
Windows 7 Home Premium SP1-U ISO English x64: X17-58997.iso
http://msft.digitalrivercontent.net...
Put it on a thumb drive & label it. Use this program.
Rufus
http://www.softpedia.com/get/System...
http://www.softpedia.com/progScreen...
http://rufus.akeo.ie/



#204
August 7, 2014 at 18:36:57
"This then gives you what most people have, your operating system, which allows repairs & re-installs"
So this would be different than the system repair disk I created?

I'm not sure what you mean by product #.
and as stated in #200 - I do not see Symantec or Norton in IObit. I disabled some processes in startup for now.



#205
August 7, 2014 at 18:59:24
"So this would be different than the system repair disk I created?"
Yes, thereby it gives you another option in an emergency.

"I'm not sure what you mean by product #"
It is what you need if you ever have to do a complete reinstall of W7, it then activates via MS.
Read your manual for where to find it. Make a note of the numbers in a safe place if readable.
If the numbers are worn off, let me know & I can use a tool to recover them off your hard drive.

"and as stated in #200 - I do not see Symantec or Norton in IObit"
Yep, I saw you edited that & I edited my question.

" I disabled some processes in startup for now"
Ok, now you have stopped it appearing at startup, you can delete ccSvcHst.exe

Your logs show it here.
C:\Program Files (x86)\Common Files\Symantec Shared\ccSvcHst.exe



#206
August 7, 2014 at 21:40:24
Just finished a full system MSE scan which took 12 hours and found 2 viruses.

http://www.load.to/VSzehbGKDS/MSE_s...
http://www.load.to/fQcvkaC6AW/MSE_s...
Deleting them now.



#207
August 7, 2014 at 21:56:29
Run both Wise tools again please.
Don't skip any of the steps as per my previous instructions.

Then Run Farbar again. You will probably only get one log.



#208
August 8, 2014 at 06:17:07
Farbar scan results.
http://www.load.to/9Zo1R2xFHs/FRST.txt


#209
August 8, 2014 at 15:39:38
"Farbar scan results"
Thanks, just to confirm those logs, run OTL ( not Farbar ) again please, there will be 2 logs.


#210
August 8, 2014 at 17:18:48
Okay. Do I need to disable MSE? I tried looking back at #8 but could not find instructions on running OTL.

Also, I noticed when I'm downloading some of these programs, the verified publisher is unknown. Is there a way to scan the .exe files before downloading and running them?



#211
August 8, 2014 at 17:31:00
" Do I need to disable MSE?"
No.

"Is there a way to scan the .exe files before downloading and running them?"
What I do is download, if it is really nasty or unknown, MSE will kick in & warn you.
I then usually download, and if it is from an unknown source, do a double check before running: I right click on it & from the drop down run MSE & Malwarebytes.



#212
August 8, 2014 at 19:41:25
http://www.load.to/mqcMeav4g8/OTL.Txt


#213
August 8, 2014 at 20:17:53
Got it, will have some work ready for you when you wake up.


#214
August 9, 2014 at 03:15:17
Copy & Paste the text below ( starting S4 ), save into Notepad on your Desktop & name it fixlist.txt
NOTE: It is important that Notepad is used. The fix will not work if Word or some other program is used.
NOTE: It is important that both files, FRST/FRST64 and fixlist.txt are in the same location or the fix will not work.
NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.

Run FRST/FRST64 and press the Fix button just once and wait.
If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.
When finished FRST will generate a log on the Desktop (Fixlog.txt). Please post it to your reply.

S4 ccEvtMgr; C:\Program Files (x86)\Common Files\Symantec Shared\ccSvcHst.exe [108392 2009-07-08] (Symantec Corporation)
S4 ccSetMgr; C:\Program Files (x86)\Common Files\Symantec Shared\ccSvcHst.exe [108392 2009-07-08] (Symantec Corporation)
R2 CouponPrinterService; C:\Program Files (x86)\Coupons\CouponPrinterService.exe [176624 2014-02-13] (Coupons.com Inc.)
SRV - [2014/02/13 18:58:00 | 000,176,624 | ---- | M] (Coupons.com Inc.) [Auto | Running] -- C:\Program Files (x86)\Coupons\CouponPrinterService.exe -- (CouponPrinterService)
(Coupons.com Inc.) C:\Program Files (x86)\Coupons\CouponPrinterService.exe
S2 Symantec AntiVirus; No ImagePath
R1 eeCtrl; C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\eeCtrl64.sys [486192 2014-06-10] (Symantec Corporation)
R3 EraserUtilRebootDrv; C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [142128 2014-06-10] (Symantec Corporation)
R3 NAVENG; C:\ProgramData\Symantec\Definitions\VirusDefs\20140803.034\eng64.sys [126040 2013-12-17] (Symantec Corporation)
R3 NAVEX15; C:\ProgramData\Symantec\Definitions\VirusDefs\20140803.034\ex64.sys [2099288 2013-12-17] (Symantec Corporation)
R1 SRTSP; C:\Windows\System32\Drivers\SRTSP64.SYS [443952 2009-08-25] (Symantec Corporation)
R1 SRTSP; C:\Windows\SysWOW64\Drivers\SRTSP64.SYS [443952 2009-08-25] (Symantec Corporation)
S3 SRTSPL; C:\Windows\System32\Drivers\SRTSPL64.SYS [481840 2009-08-25] (Symantec Corporation)
S3 SRTSPL; C:\Windows\SysWOW64\Drivers\SRTSPL64.SYS [481840 2009-08-25] (Symantec Corporation)
R1 SRTSPX; C:\Windows\System32\Drivers\SRTSPX64.SYS [32304 2009-08-25] (Symantec Corporation)
R1 SRTSPX; C:\Windows\SysWOW64\Drivers\SRTSPX64.SYS [32304 2009-08-25] (Symantec Corporation)
R3 SymEvent; C:\Windows\system32\Drivers\SYMEVENT64x86.SYS [172592 2010-08-28] (Symantec Corporation)
2014-07-29 07:59 - 2014-07-29 08:00 - 03077584 _____ (Symantec Corporation) C:\Users\Vicki 2\Downloads\NPE (1).exe
2014-07-22 18:12 - 2014-07-22 18:12 - 00024839 _____ () C:\Users\Vicki 2\Documents\Symantec Proactive treat log 07222014.csv
2014-08-07 10:28 - 2010-08-28 12:10 - 00000000 ____D () C:\Program Files (x86)\Symantec
2014-07-29 08:00 - 2014-07-29 07:59 - 03077584 _____ (Symantec Corporation) C:\Users\Vicki 2\Downloads\NPE (1).exe
2014-07-22 18:12 - 2014-07-22 18:12 - 00024839 _____ () C:\Users\Vicki 2\Documents\Symantec Proactive treat log 07222014.csv
BHO: LastPass Browser Helper Object -> {95D9ECF5-2A4D-4550-BE49-70D42F71296E} -> C:\Program Files (x86)\LastPass\LPBar64.dll No File
Toolbar: HKLM-x32 - Zend Studio - {95188727-288F-4581-A48D-EAB3BD027314} - C:\PROGRA~2\Adobe\ADOBEF~3.5\IETOOL~1\ZENDIE~1.DLL No File
Toolbar: HKCU - No Name - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - No File
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - No File
ShellIconOverlayIdentifiers: DropboxExt1 -> {FB314ED9-A251-47B7-93E1-CDD82E34AF8B} => No File
ShellIconOverlayIdentifiers: DropboxExt2 -> {FB314EDA-A251-47B7-93E1-CDD82E34AF8B} => No File
ShellIconOverlayIdentifiers: DropboxExt3 -> {FB314EDB-A251-47B7-93E1-CDD82E34AF8B} => No File
ShellIconOverlayIdentifiers: DropboxExt4 -> {FB314EDC-A251-47B7-93E1-CDD82E34AF8B} => C:\Users\Vicki 2\AppData\Roaming\Dropbox\bin\DropboxExt64.19.dll No File
FF Plugin HKCU: CouponNetwork.com/CMDUniversalCouponPrintActivator - C:\Users\VICKI2~1\AppData\Roaming\CATALI~1\NPBCSK~1.DLL (Catalina Marketing Corporation)
FF Plugin ProgramFiles/Appdata: C:\Program Files (x86)\mozilla firefox\plugins\NPcol400.dll (Catalina Marketing Corporation)
SearchScopes: HKCU - DefaultScope {67A2568C-7A0A-4EED-AECC-B5405DE63B64} URL =
SearchScopes: HKCU - {6A1806CD-94D4-4689-BA73-E35EA1EA9990} URL =
SearchScopes: HKLM - {67A2568C-7A0A-4EED-AECC-B5405DE63B64} URL =
SearchScopes: HKLM-x32 - {67A2568C-7A0A-4EED-AECC-B5405DE63B64} URL =
SearchScopes: HKCU - {67A2568C-7A0A-4EED-AECC-B5405DE63B64} URL =
HKLM-x32\...\Run: [] => [X]



#215
August 9, 2014 at 06:26:15
Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 08-08-2014
Ran by HHGregg at 2014-08-09 09:32:04 Run:1
Running from C:\Users\Vicki 2\Desktop
Boot Mode: Normal
==============================================

Content of fixlist:
*****************
S4 ccEvtMgr; C:\Program Files (x86)\Common Files\Symantec Shared\ccSvcHst.exe [108392 2009-07-08] (Symantec Corporation)
S4 ccSetMgr; C:\Program Files (x86)\Common Files\Symantec Shared\ccSvcHst.exe [108392 2009-07-08] (Symantec Corporation)
R2 CouponPrinterService; C:\Program Files (x86)\Coupons\CouponPrinterService.exe [176624 2014-02-13] (Coupons.com Inc.)
SRV - [2014/02/13 18:58:00 | 000,176,624 | ---- | M] (Coupons.com Inc.) [Auto | Running] -- C:\Program Files (x86)\Coupons\CouponPrinterService.exe -- (CouponPrinterService)
(Coupons.com Inc.) C:\Program Files (x86)\Coupons\CouponPrinterService.exe
S2 Symantec AntiVirus; No ImagePath
R1 eeCtrl; C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\eeCtrl64.sys [486192 2014-06-10] (Symantec Corporation)
R3 EraserUtilRebootDrv; C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [142128 2014-06-10] (Symantec Corporation)
R3 NAVENG; C:\ProgramData\Symantec\Definitions\VirusDefs\20140803.034\eng64.sys [126040 2013-12-17] (Symantec Corporation)
R3 NAVEX15; C:\ProgramData\Symantec\Definitions\VirusDefs\20140803.034\ex64.sys [2099288 2013-12-17] (Symantec Corporation)
R1 SRTSP; C:\Windows\System32\Drivers\SRTSP64.SYS [443952 2009-08-25] (Symantec Corporation)
R1 SRTSP; C:\Windows\SysWOW64\Drivers\SRTSP64.SYS [443952 2009-08-25] (Symantec Corporation)
S3 SRTSPL; C:\Windows\System32\Drivers\SRTSPL64.SYS [481840 2009-08-25] (Symantec Corporation)
S3 SRTSPL; C:\Windows\SysWOW64\Drivers\SRTSPL64.SYS [481840 2009-08-25] (Symantec Corporation)
R1 SRTSPX; C:\Windows\System32\Drivers\SRTSPX64.SYS [32304 2009-08-25] (Symantec Corporation)
R1 SRTSPX; C:\Windows\SysWOW64\Drivers\SRTSPX64.SYS [32304 2009-08-25] (Symantec Corporation)
R3 SymEvent; C:\Windows\system32\Drivers\SYMEVENT64x86.SYS [172592 2010-08-28] (Symantec Corporation)
2014-07-29 07:59 - 2014-07-29 08:00 - 03077584 _____ (Symantec Corporation) C:\Users\Vicki 2\Downloads\NPE (1).exe
2014-07-22 18:12 - 2014-07-22 18:12 - 00024839 _____ () C:\Users\Vicki 2\Documents\Symantec Proactive treat log 07222014.csv
2014-08-07 10:28 - 2010-08-28 12:10 - 00000000 ____D () C:\Program Files (x86)\Symantec
2014-07-29 08:00 - 2014-07-29 07:59 - 03077584 _____ (Symantec Corporation) C:\Users\Vicki 2\Downloads\NPE (1).exe
2014-07-22 18:12 - 2014-07-22 18:12 - 00024839 _____ () C:\Users\Vicki 2\Documents\Symantec Proactive treat log 07222014.csv
BHO: LastPass Browser Helper Object -> {95D9ECF5-2A4D-4550-BE49-70D42F71296E} -> C:\Program Files (x86)\LastPass\LPBar64.dll No File
Toolbar: HKLM-x32 - Zend Studio - {95188727-288F-4581-A48D-EAB3BD027314} - C:\PROGRA~2\Adobe\ADOBEF~3.5\IETOOL~1\ZENDIE~1.DLL No File
Toolbar: HKCU - No Name - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - No File
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - No File
ShellIconOverlayIdentifiers: DropboxExt1 -> {FB314ED9-A251-47B7-93E1-CDD82E34AF8B} => No File
ShellIconOverlayIdentifiers: DropboxExt2 -> {FB314EDA-A251-47B7-93E1-CDD82E34AF8B} => No File
ShellIconOverlayIdentifiers: DropboxExt3 -> {FB314EDB-A251-47B7-93E1-CDD82E34AF8B} => No File
ShellIconOverlayIdentifiers: DropboxExt4 -> {FB314EDC-A251-47B7-93E1-CDD82E34AF8B} => C:\Users\Vicki 2\AppData\Roaming\Dropbox\bin\DropboxExt64.19.dll No File
FF Plugin HKCU: CouponNetwork.com/CMDUniversalCouponPrintActivator - C:\Users\VICKI2~1\AppData\Roaming\CATALI~1\NPBCSK~1.DLL (Catalina Marketing Corporation)
FF Plugin ProgramFiles/Appdata: C:\Program Files (x86)\mozilla firefox\plugins\NPcol400.dll (Catalina Marketing Corporation)
SearchScopes: HKCU - DefaultScope {67A2568C-7A0A-4EED-AECC-B5405DE63B64} URL =
SearchScopes: HKCU - {6A1806CD-94D4-4689-BA73-E35EA1EA9990} URL =
SearchScopes: HKLM - {67A2568C-7A0A-4EED-AECC-B5405DE63B64} URL =
SearchScopes: HKLM-x32 - {67A2568C-7A0A-4EED-AECC-B5405DE63B64} URL =
SearchScopes: HKCU - {67A2568C-7A0A-4EED-AECC-B5405DE63B64} URL =
HKLM-x32\...\Run: [] => [X]
*****************

ccEvtMgr => Service deleted successfully.
ccSetMgr => Service deleted successfully.
CouponPrinterService => Service stopped successfully.
CouponPrinterService => Service deleted successfully.
SRV - [2014/02/13 18:58:00 | 000,176,624 | ---- | M] (Coupons.com Inc.) [Auto | Running] -- C:\Program Files (x86)\Coupons\CouponPrinterService.exe -- (CouponPrinterService) => Error: No automatic fix found for this entry.
C:\Program Files (x86)\Coupons\CouponPrinterService.exe => No running process found
Symantec AntiVirus => Service deleted successfully.
eeCtrl => Service stopped successfully.
eeCtrl => Service deleted successfully.
EraserUtilRebootDrv => Unable to stop service
EraserUtilRebootDrv => Service deleted successfully.
NAVENG => Unable to stop service
NAVENG => Service deleted successfully.
NAVEX15 => Unable to stop service
NAVEX15 => Service deleted successfully.
SRTSP => Service stopped successfully.
SRTSP => Service deleted successfully.
SRTSP => Service not found.
SRTSPL => Service deleted successfully.
SRTSPL => Service not found.
SRTSPX => Service stopped successfully.
SRTSPX => Service deleted successfully.
SRTSPX => Service not found.
SymEvent => Unable to stop service
SymEvent => Service deleted successfully.
C:\Users\Vicki 2\Downloads\NPE (1).exe => Moved successfully.
C:\Users\Vicki 2\Documents\Symantec Proactive treat log 07222014.csv => Moved successfully.
C:\Program Files (x86)\Symantec => Moved successfully.
"C:\Users\Vicki 2\Downloads\NPE (1).exe" => File/Directory not found.
"C:\Users\Vicki 2\Documents\Symantec Proactive treat log 07222014.csv" => File/Directory not found.
"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{95D9ECF5-2A4D-4550-BE49-70D42F71296E}" => Key not found.
"HKCR\CLSID\{95D9ECF5-2A4D-4550-BE49-70D42F71296E}" => Key deleted successfully.
HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar\\{95188727-288F-4581-A48D-EAB3BD027314} => value deleted successfully.
"HKCR\Wow6432Node\CLSID\{95188727-288F-4581-A48D-EAB3BD027314}" => Key deleted successfully.
HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{47833539-D0C5-4125-9FA8-0819E2EAAC93} => value deleted successfully.
"HKCR\CLSID\{47833539-D0C5-4125-9FA8-0819E2EAAC93}" => Key not found.
"HKCR\PROTOCOLS\Handler\skype-ie-addon-data" => Key deleted successfully.
"HKCR\CLSID\{91774881-D725-4E58-B298-07617B9B86A8}" => Key not found.
"HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\DropboxExt1" => Key deleted successfully.
"HKCR\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}" => Key not found.
"HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\DropboxExt2" => Key deleted successfully.
"HKCR\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}" => Key not found.
"HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\DropboxExt3" => Key deleted successfully.
"HKCR\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}" => Key not found.
"HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\DropboxExt4" => Key deleted successfully.
"HKCR\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}" => Key deleted successfully.
"HKCU\Software\MozillaPlugins\CouponNetwork.com/CMDUniversalCouponPrintActivator" => Key not found.
C:\Users\VICKI2~1\AppData\Roaming\CATALI~1\NPBCSK~1.DLL => Moved successfully.
FF Plugin ProgramFiles/Appdata: C:\Program Files (x86)\mozilla firefox\plugins\NPcol400.dll (Catalina Marketing Corporation) => Error: No automatic fix found for this entry.
HKCU\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => value deleted successfully.
"HKCU\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}" => Key deleted successfully.
"HKCR\CLSID\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}" => Key not found.
"HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{67A2568C-7A0A-4EED-AECC-B5405DE63B64}" => Key deleted successfully.
"HKCR\CLSID\{67A2568C-7A0A-4EED-AECC-B5405DE63B64}" => Key not found.
"HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\{67A2568C-7A0A-4EED-AECC-B5405DE63B64}" => Key deleted successfully.
"HKCR\Wow6432Node\CLSID\{67A2568C-7A0A-4EED-AECC-B5405DE63B64}" => Key not found.
"HKCU\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{67A2568C-7A0A-4EED-AECC-B5405DE63B64}" => Key deleted successfully.
"HKCR\CLSID\{67A2568C-7A0A-4EED-AECC-B5405DE63B64}" => Key not found.
HKLM\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\\ => value deleted successfully.


The system needed a reboot.

==== End of Fixlog ====

message edited by KPKris


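The fixlist in #214 and the Fixlog in #215 are checked by eye in the thread. As an added example, not code from the thread or from the FRST tool, the Python below parses the service entries of a fixlist (lines of the form `S4 name; image [size date] (vendor)`) and the `subject => result` lines of the Fixlog, and reconciles the two: which requested services were deleted, which could only be deleted but not stopped (so they stay loaded until the reboot the Fixlog asks for), which got no result line at all, and which fixlist lines FRST reported "No automatic fix found" for. The embedded excerpts are trimmed copies of the two logs above; SymEvent is kept in the fixlist excerpt but dropped from the Fixlog excerpt on purpose, to show how a missing result is reported:

```python
"""Reconcile an FRST fixlist with the Fixlog it produced.

Added example, not code from the thread or from FRST. Service entries in a
fixlist look like "S4 ccEvtMgr; <image> [size date] (vendor)"; Fixlog results
look like "<subject> => <result>", one or more per subject.
"""
import re
from typing import Dict, List

# Excerpts of the fixlist and Fixlog posted above, trimmed to a few lines.
FIXLIST = r"""
S4 ccEvtMgr; C:\Program Files (x86)\Common Files\Symantec Shared\ccSvcHst.exe [108392 2009-07-08] (Symantec Corporation)
R2 CouponPrinterService; C:\Program Files (x86)\Coupons\CouponPrinterService.exe [176624 2014-02-13] (Coupons.com Inc.)
SRV - [2014/02/13 18:58:00 | 000,176,624 | ---- | M] (Coupons.com Inc.) [Auto | Running] -- C:\Program Files (x86)\Coupons\CouponPrinterService.exe -- (CouponPrinterService)
S2 Symantec AntiVirus; No ImagePath
R3 NAVENG; C:\ProgramData\Symantec\Definitions\VirusDefs\20140803.034\eng64.sys [126040 2013-12-17] (Symantec Corporation)
R1 SRTSP; C:\Windows\System32\Drivers\SRTSP64.SYS [443952 2009-08-25] (Symantec Corporation)
R1 SRTSP; C:\Windows\SysWOW64\Drivers\SRTSP64.SYS [443952 2009-08-25] (Symantec Corporation)
R3 SymEvent; C:\Windows\system32\Drivers\SYMEVENT64x86.SYS [172592 2010-08-28] (Symantec Corporation)
"""

# SymEvent is deliberately absent here (the real Fixlog does list it).
FIXLOG = r"""
ccEvtMgr => Service deleted successfully.
CouponPrinterService => Service stopped successfully.
CouponPrinterService => Service deleted successfully.
SRV - [2014/02/13 18:58:00 | 000,176,624 | ---- | M] (Coupons.com Inc.) [Auto | Running] -- C:\Program Files (x86)\Coupons\CouponPrinterService.exe -- (CouponPrinterService) => Error: No automatic fix found for this entry.
Symantec AntiVirus => Service deleted successfully.
NAVENG => Unable to stop service
NAVENG => Service deleted successfully.
SRTSP => Service stopped successfully.
SRTSP => Service deleted successfully.
SRTSP => Service not found.
"""

# FRST service entry: start type (S2, R3, ...), name up to the semicolon, then the image line.
SERVICE_ENTRY = re.compile(r"^(?P<start>[SR]\d)\s+(?P<name>[^;]+);\s*(?P<image>.*)$")


def parse_fixlist_services(text: str) -> List[Dict[str, str]]:
    """Return the service entries of a fixlist, in order (other line types are skipped)."""
    entries = []
    for line in text.splitlines():
        m = SERVICE_ENTRY.match(line.strip())
        if not m:  # file, registry and OTL-format ("SRV - ...") lines are not FRST service entries
            continue
        entries.append({"start": m.group("start"), "name": m.group("name").strip(), "image": m.group("image")})
    return entries


def parse_fixlog(text: str) -> Dict[str, List[str]]:
    """Group Fixlog result lines by subject; a service can have several (stopped, deleted, not found)."""
    results: Dict[str, List[str]] = {}
    for line in text.splitlines():
        if " => " not in line:
            continue
        subject, result = line.rsplit(" => ", 1)
        results.setdefault(subject.strip(), []).append(result.strip())
    return results


def reconcile(fixlist: str, fixlog: str) -> Dict[str, Dict[str, object]]:
    """For each service the fixlist asked FRST to remove, summarise what the Fixlog says."""
    results = parse_fixlog(fixlog)
    report: Dict[str, Dict[str, object]] = {}
    for entry in parse_fixlist_services(fixlist):
        name = entry["name"]
        if name in report:  # listed twice (System32 and SysWOW64 paths): one service, one verdict
            continue
        outcomes = results.get(name, [])
        deleted = any("deleted successfully" in o for o in outcomes)
        stop_failed = any(o.startswith("Unable to stop") for o in outcomes)
        status = "deleted" if deleted else ("failed" if outcomes else "no result")
        # Deleted but not stopped: the registration is gone, the driver stays loaded until reboot.
        report[name] = {"status": status, "needs_reboot": deleted and stop_failed, "outcomes": outcomes}
    return report


def unactioned_lines(fixlog: str) -> List[str]:
    """Subjects FRST could not act on ("No automatic fix found"), e.g. lines pasted in OTL format."""
    return [subject for subject, outs in parse_fixlog(fixlog).items()
            if any("No automatic fix found" in o for o in outs)]


if __name__ == "__main__":
    for name, info in reconcile(FIXLIST, FIXLOG).items():
        print(f"{name:22} {info['status']:10} reboot needed: {info['needs_reboot']}")
    for subject in unactioned_lines(FIXLOG):
        print("not actioned:", subject[:60], "...")
```

Run against the two excerpts it marks ccEvtMgr, CouponPrinterService, Symantec AntiVirus, NAVENG and SRTSP as deleted, with NAVENG flagged as needing the reboot (FRST could not stop it first), SymEvent as having no result line, and the OTL-format `SRV - ...` line as not actioned, which is why the Fixlog ends with "The system needed a reboot." and why a fresh FRST scan afterwards is the real confirmation that the entries are gone.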

#216
August 10, 2014 at 04:39:34
New OTL & Farbar logs please.


#217
August 10, 2014 at 06:16:40
OTL Quick or regular scan?

message edited by KPKris



#218
August 10, 2014 at 12:09:03
Download OTL, save & run from your Desktop. If your default download location is not the Desktop, drag it out of its location onto the Desktop.
http://oldtimer.geekstogo.com/OTL.exe
http://www.itxassociates.com/OT-Too...
Double click the OTL icon to start the tool. (Note: If you are running on Vista or Windows 7 accept UAC alert)
1: When the window appears, underneath Output at the top, make sure Standard output is selected.
2: Select Scan all users
3: Change Drivers to All
4: Under the Extra Registry section, check Use SafeList
5: In the lower right corner, checkmark "LOP Check" and checkmark "Purity Check".
6: Click Run Scan and let the program run uninterrupted.
Screenshots ( SS ) of 1 - 6
http://i.imgur.com/rvTDUlL.gif
When the scan is complete, two text files will be created on your Desktop.
OTL.Txt <- this one will be opened
Extras.txt <- this one will be minimized

#219

#220
August 10, 2014 at 13:53:18
Repeat #214?

#221
August 10, 2014 at 16:20:20
Oops, sorry, I now want to check with a new Farbar Recovery Scan Tool scan, to see if the fixes stuck.
Refer post #136.

#222
August 10, 2014 at 16:35:34
Give me the OTL logs dated the 10th please, they were the old logs.

#223
August 10, 2014 at 16:37:03
http://www.load.to/4h8wid2CQ5/FRST.txt

#224
August 10, 2014 at 17:13:36
"Give me the OTL logs dated the 10th please, they were the old logs."
#219 are old logs?

#225
August 10, 2014 at 17:16:39
"#219 are old logs?"
Yep, they are dated the 8th.

#226
August 10, 2014 at 17:25:54
10-08-2014? . . . .

#227

#228
August 10, 2014 at 17:31:29
No, 8/8/2014
You have uploaded an old log.

http://i.imgur.com/vNnmA0I.gif

#229
August 10, 2014 at 17:33:31
That's better.
The logs are now virtually clean, next test is to run MSE as per your post #206.
In theory, it should be clean.

From the FRST log.
Files to move or delete:
====================
C:\Users\Vicki 2\jobq.dat

#230
August 10, 2014 at 17:33:39
. . . .


#231
August 10, 2014 at 17:39:11
I'll run MSE overnight since it takes awhile.

Open FRST and delete C:\Users\Vicki 2\jobq.dat?

#232
August 10, 2014 at 17:45:59
"Open FRST and delete"
No, go to C:\Users\Vicki 2\jobq.dat?

#233
August 11, 2014 at 05:59:07
No viruses found after running MSE!

#234
August 11, 2014 at 15:58:37
✔ Best Answer
"No viruses found after running MSE!"
Whew, just as well you said this below. I was running out of ideas.
"That makes me nervous"
You now need to research ( google ) how to either use your CD that you mentioned or download the W7 ISO that I mentioned. Having both available is ideal.
Also, research how to have all your important stuff backed up, I have 3 copies of everything.

File to be deleted.
C:\ComboFix

Tools to keep, just update before using. Others not mentioned, need to be downloaded again, because they release new versions constantly.
ESET Online Scanner
TDSSKiller
http://www.softpedia.com/get/Antivi...
http://www.softpedia.com/progScreen...
http://usa.kaspersky.com/downloads/...
http://support.kaspersky.com/faq/?q...
http://support.kaspersky.com/viruse...
Anti-rootkit utility TDSSKiller
http://support.kaspersky.com/faq/?q...
Malwarebytes' Anti-Malware ( MBAM )
TFC
Wise Disk Cleaner
Wise Registry Cleaner
IObit Uninstaller

System Restore will have infected files in it, turning System Restore OFF & then ON will remove them.
http://www.7tutorials.com/system-re...
http://www.sevenforums.com/tutorial...


#235
August 11, 2014 at 17:44:57
I'm so glad I didn't have to reinstall W7! Thanks for all of your help and patience. I'm going to go through this whole post to make sure I didn't miss anything you have suggested just in case. Thanks again.

#236
August 11, 2014 at 17:49:27
" Thanks for all of your help and patience"
YW, you stayed with it as well, most people give up.

#237
August 12, 2014 at 10:52:41
And "well dun" to you JohnW as well... Have to admit what you know about dealing with pests various is remarkable... And the patience you show in all cases exemplary.

And I have learned a little at least about what and how - but way to go to be as adept as you.

Is the thread a record I wonder - 235 posts - not including this one?

#238
August 12, 2014 at 15:42:25
Thanks trvlr. Yes it was very challenging, just a matter of finding clues from the logs & then planning ahead.

You are on the right track by reading posts that solve problems. I document everything new I learn, I also put that database ( just a simple text file with its own folder & dedicated headers for the text files ) on a thumb drive & take it everywhere with me. Like after singing yesterday, on the way home I stopped at a singer's house & fixed her comp.
Googling is also a very, very big part of problem solving.

235 posts, don't know if it is a record, but certainly up there. Very satisfying to get things sorted out, no matter how long it takes.

#239
August 14, 2014 at 21:03:56
I was wondering if it was a record myself when I saw this was finally solved.
I was also wondering if it might have been easier to delete all partitions and reinstall or, if available, reimage the drive from a saved image.

You have to be a little bit crazy to keep you from going insane.

#240
August 14, 2014 at 22:07:23
We got to that point, refer post #142.

#241
August 15, 2014 at 21:26:21
Whenever I set up a machine, after two to four weeks when everything is exactly like I want it, I manually make a drive image using Windows Backup. This way I can always restore the machine back to that point in less than half an hour using the Windows 7 Repair Disk and the drive image. Since I use a separate drive or partition for storage, the image does not get out of hand size-wise, and the storage and personal stuff is covered by a backup which can be restored after that if needed. Most prefer an external drive for backups, but I prefer a separate internal drive with one partition just for the initial perfected drive image and a second larger one for regular automatic backups with an included drive image. Really important files are also backed up manually (copy/paste) to other computers on my home network. For others that I have set up for, who may try to fix things themselves first or wait until things get really bad, I will make an extra initial drive image on DVD-R in case I find little that can be saved. This can save many hours when the infections get really dug in.

You have to be a little bit crazy to keep you from going insane.