Solved: Trojan found, unable to remove it

November 25, 2014 at 17:37:24
Specs: Windows 7, Intel Pent., cpu g630, 4.00 GB, 64 bit
I have run Hitman Pro and it found InternetEnforcer, a Trojan; however, I had run Hitman Pro back in Sept. and now the trial license has expired and it will not remove it unless I pay for Hitman Pro. I just ran my AVG, with update, and it did not find it. Any suggestions to get rid of it?
Thanks . . .


✔ Best Answer
November 28, 2014 at 19:02:28
This wraps it up, Warren. I've got myself ready and am going out now; catch you when I get back.

As you can see from your logs, you had a lot of stuff installed that you do not know how it got installed.
A lot of programs now give you the choice to install toolbars and other items during the install. Either uncheck these items during the install, or use Custom install. No more click, click during an install; you have to read after each click.

WARNING: CNET Download.com downloads now come bundled with opt-out crapware and toolbars ( Same applies to Softonic )
http://www.groovypost.com/unplugged...

I use Softpedia; down at the bottom of the page, they make you aware of what ad-supported programs the author of the program has included.
Sample pages
http://www.softpedia.com/get/CD-DVD...
First and foremost, extra attention needs to be paid during installation as ImgBurn offers to create desktop shortcuts to third-party apps, as well as install a browser toolbar onto the host computer, which are not required to ensure the smooth running of the app.
Screenshot of the above.
http://i.imgur.com/jgGYNsP.gif
This is what ImgBurn tries to install.
http://i.imgur.com/ms4DzE9.gif
http://i.imgur.com/vVkd39a.gif
http://i.imgur.com/rqFVaHs.gif
http://i.imgur.com/sm1T7h6.gif
http://i.imgur.com/vhkKLYo.gif

Use Unchecky to help prevent these third-party installs. Nothing is perfect, the baddies are always ahead of the goodies, so be vigilant.
http://www.softpedia.com/get/System...
http://unchecky.com/
A reliable application that aims to protect your computer against third-party components often offered during software installations.



#1
November 25, 2014 at 18:19:22
Restart in Safe Mode and run Malwarebytes. Remove anything it finds, post back the report and wait for JohnW to walk you through a series of more advanced tools. Even if it seems to remove it, further testing may be needed to make sure it is completely gone.

You have to be a little bit crazy to keep you from going insane.



#2
November 25, 2014 at 19:37:42
Thanks Fingers.

WarrenTSI, Copy & Paste the contents of the Malwarebytes scan log please, it is impossible to know what is going on without the logs.

message edited by Johnw



#3
November 26, 2014 at 06:22:58
Will get back to you shortly . . .


#4
November 26, 2014 at 13:22:37
JohnW: I ran Malwarebytes in Safe Mode but don't see how to upload it here. I hit the Export button but don't know the name of the file, Malwarebytes, to select it, and can't copy and paste in Safe Mode, apparently.
Please advise


#5
November 26, 2014 at 13:49:07
C:\ProgramData\Malwarebytes\Malwarebytes Anti-Malware\Logs

see if this is it



#6
November 26, 2014 at 13:51:04
Malwarebytes Anti-Malware
www.malwarebytes.org

Scan Date: 11/26/2014
Scan Time: 3:18:52 PM
Logfile:
Administrator: Yes

Version: 2.00.3.1025
Malware Database: v2014.11.26.07
Rootkit Database: v2014.11.22.01
License: Free
Malware Protection: Disabled
Malicious Website Protection: Disabled
Self-protection: Disabled

OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: user

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 555098
Time Elapsed: 20 min, 46 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled

Processes: 0
(No malicious items detected)

Modules: 0
(No malicious items detected)

Registry Keys: 0
(No malicious items detected)

Registry Values: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Folders: 0
(No malicious items detected)

Files: 0
(No malicious items detected)

Physical Sectors: 0
(No malicious items detected)


(end)



#7
November 26, 2014 at 14:47:11
"Scan Date: 11/26/2014"
Clean, but that doesn't mean anything at this stage; more than likely it means the trojan is stopping it from finding a problem.

"I have run Hitman Pro and it found InternetEnforcer"
Can you Copy & Paste details of that trojan please.

Please download Farbar Recovery Scan Tool and save it onto your Desktop. If your default download location is not the Desktop, drag it out of its location onto the Desktop.
http://www.bleepingcomputer.com/dow...
If we have to run Farbar more than once, refer to this screenshot.
http://i.imgur.com/yUxNw0j.gif
Note: You need to run the version compatible with your system. If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.
Double-click to run it. When the tool opens click Yes to disclaimer.
Press Scan button.
It will make a log (FRST.txt) on the Desktop.
The first time the tool is run, it also makes another log (Addition.txt).
The logs are large, upload them using this, or upload to a site of your choosing. No account needed. Give us the links please.
http://www.zippyshare.com/
Instructions on how to use ZippyShare.
http://i.imgur.com/naG6t2T.gif
http://i.imgur.com/Vi9ZdIh.gif
http://i.imgur.com/1IZu5kP.gif

message edited by Johnw



#8
November 26, 2014 at 17:13:56
John, sorry, it is called:

InternetEnhancer.exe

Here is the result of Farbar.

http://www22.zippyshare.com/v/64419...

thanks



#9
November 26, 2014 at 17:43:19
"InternetEnhancer.exe"
That's better. Copy & Paste everything you can; it avoids typos.

"Here is the result of Farbar"
You are not following instructions, reread them. There are 2 files to upload.

I will be giving you more programs later to run, some are designed by the authors to be run from the Desktop. No one expects you to remember instructions, write or print them.
Extract from FRST ( Farbar log )
"Running from C:\Users\user\Pictures\Pictures Downloaded from AOL"


#11
November 26, 2014 at 18:58:32
You still didn't drag it out of > Running from C:\Users\user\Pictures\Pictures Downloaded from AOL & onto your Desktop.

I can see lots of problems.

Here are the first 2 steps, there will be more steps needed after I see the results of these logs.

Run both of these, in this order.

Step 1: Run AdwCleaner
http://www.softpedia.com/get/Antivi...
http://www.raymond.cc/blog/adwclean...
http://www.bleepingcomputer.com/dow...
Author's site
http://general-changelog-team.fr/en...
Tutorial
http://general-changelog-team.fr/en...
Close all open programs and internet browsers.
Double click on AdwCleaner.exe to run the tool.
Click on Clean.
Confirm each time with Ok.
Your computer will be rebooted automatically. A text file will open after the restart.
Please Copy & Paste the contents of that logfile with your next answer.
You can find the logfile at C:\AdwCleaner[S1].txt as well.

Step 2: Run Junkware Removal Tool
http://www.softpedia.com/get/Securi...
http://www.bleepingcomputer.com/dow...
http://thisisudax.blogspot.com.au/2...
Download Junkware Removal Tool onto your Desktop. If your default download location is not the Desktop, drag it out of its location onto the Desktop.
Warning! Once the scan is complete JRT will shut down your browser with NO warning.
Shut down your protection software now to avoid potential conflicts.
Temporarily disable your antivirus and any antispyware real time protection before performing a scan.
Click this link to see a list of security programs that should be disabled and how to disable them.
http://www.bleepingcomputer.com/for...
http://www.techsupportforum.com/for...
Run the tool by double-clicking it. If you are using Windows Vista or Windows 7/8, right-click JRT and select Run as Administrator.
The tool will open and start scanning your system.
Please be patient as this can take a while to complete depending on your system's specifications.
On completion, a log (JRT.txt) is saved onto your Desktop and will automatically open.
Copy and Paste the contents of the JRT.txt log please.

message edited by Johnw



#12
November 26, 2014 at 19:07:17
Here is the AdwCleaner result:

# AdwCleaner v4.102 - Report created 26/11/2014 at 22:03:49
# Updated 23/11/2014 by Xplode
# Database : 2014-11-26.1 [Live]
# Operating System : Windows 7 Home Premium Service Pack 1 (64 bits)
# Username : user - USER-HP
# Running from : C:\Users\user\Pictures\Pictures Downloaded from AOL\AdwCleaner.exe
# Option : Clean

***** [ Services ] *****


***** [ Files / Folders ] *****

Folder Deleted : C:\ProgramData\Viewpoint
Folder Deleted : C:\Program Files (x86)\Viewpoint
File Deleted : C:\users\user\AppData\Roaming\Mozilla\Firefox\Profiles\xhdl6odd.default-1408823845695\searchplugins\bingp.xml

***** [ Scheduled Tasks ] *****


***** [ Shortcuts ] *****


***** [ Registry ] *****

Key Deleted : HKLM\SOFTWARE\Classes\AxMetaStream.MetaStreamCtl
Key Deleted : HKLM\SOFTWARE\Classes\AxMetaStream.MetaStreamCtl.1
Key Deleted : HKLM\SOFTWARE\Classes\AxMetaStream.MetaStreamCtlSecondary
Key Deleted : HKLM\SOFTWARE\Classes\AxMetaStream.MetaStreamCtlSecondary.1
Key Deleted : HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{03F998B2-0E00-11D3-A498-00104B6EB52E}
Key Deleted : HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{1B00725B-C455-4DE6-BFB6-AD540AD427CD}
Key Deleted : HKLM\SOFTWARE\MozillaPlugins\@viewpoint.com/VMP
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{03F998B2-0E00-11D3-A498-00104B6EB52E}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{1B00725B-C455-4DE6-BFB6-AD540AD427CD}
Key Deleted : HKCU\Software\USyndication
Key Deleted : HKLM\SOFTWARE\MetaStream
Key Deleted : HKLM\SOFTWARE\Viewpoint
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ViewpointMediaPlayer

***** [ Browsers ] *****

-\\ Internet Explorer v11.0.9600.17420


-\\ Mozilla Firefox v29.0.1 (en-US)


-\\ Google Chrome v39.0.2171.71


*************************

AdwCleaner[R0].txt - [14078 octets] - [28/06/2014 22:43:45]
AdwCleaner[R1].txt - [4541 octets] - [02/07/2014 15:13:13]
AdwCleaner[R2].txt - [4406 octets] - [23/08/2014 15:04:02]
AdwCleaner[R3].txt - [2906 octets] - [22/10/2014 14:21:41]
AdwCleaner[R4].txt - [3718 octets] - [24/10/2014 20:20:05]
AdwCleaner[R5].txt - [2593 octets] - [26/11/2014 22:02:06]
AdwCleaner[S0].txt - [13887 octets] - [28/06/2014 22:44:34]
AdwCleaner[S1].txt - [4676 octets] - [02/07/2014 15:18:32]
AdwCleaner[S2].txt - [5826 octets] - [23/08/2014 15:06:29]
AdwCleaner[S3].txt - [2953 octets] - [22/10/2014 14:25:04]
AdwCleaner[S4].txt - [3834 octets] - [24/10/2014 20:21:59]
AdwCleaner[S5].txt - [2500 octets] - [26/11/2014 22:03:49]

########## EOF - C:\AdwCleaner\AdwCleaner[S5].txt - [2560 octets] ##########



#13
November 26, 2014 at 19:13:54
And here is the JRT:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Thisisu
Version: 6.3.9 (11.15.2014:2)
OS: Windows 7 Home Premium x64
Ran by user on Wed 11/26/2014 at 22:08:34.97
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


~~~ Services

~~~ Registry Values

~~~ Registry Keys

~~~ Files

~~~ Folders

Successfully deleted: [Empty Folder] C:\Users\user\appdata\local\{2EF10DB2-8375-4EC0-BB4C-57AD908C0A40}
Successfully deleted: [Empty Folder] C:\Users\user\appdata\local\{53CA3510-875E-41F3-B553-E2D33341EB74}
Successfully deleted: [Empty Folder] C:\Users\user\appdata\local\{54FB03C9-A044-4321-B5C5-3501E916D246}
Successfully deleted: [Empty Folder] C:\Users\user\appdata\local\{71CEE8F0-5433-491D-A870-8B94E7D3DDC5}
Successfully deleted: [Empty Folder] C:\Users\user\appdata\local\{D1C7CF38-193E-4FF2-818D-554204B28A87}

~~~ Event Viewer Logs were cleared

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on Wed 11/26/2014 at 22:12:56.38
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~



#14
November 26, 2014 at 19:16:34
Make sure you drag RogueKiller out of > Running from C:\Users\user\Pictures\Pictures Downloaded from AOL & onto your Desktop. To get accurate results, it must be run from the Desktop.

Step 3: Run RogueKiller
http://www.softpedia.com/get/Securi...
http://majorgeeks.com/RogueKiller_d...
http://www.geekstogo.com/forum/file...
http://tigzy.geekstogo.com/roguekil...
http://www.sur-la-toile.com/RogueKi...
User Guide
http://www.adlice.com/softwares/rog...
Official tutorial
http://www.adlice.com/softwares/rog...
If RogueKiller won't run, open IE & turn off SmartScreen Filter.
http://windows.microsoft.com/en-AU/...
Download & SAVE to your Desktop. If your default download location is not the Desktop, drag it out of its location onto the Desktop.
Quit all programs that you may have started.
Shutdown your antivirus to avoid any conflicts.
Please disconnect any USB or external drives from the computer before you run this scan!
For Vista or Windows 7/8, right-click and select "Run as Administrator" to start.

For Windows XP, double-click to start.
Wait until Prescan has finished ...
Then Click on "Scan" button
Wait until the Status box shows "Scan Finished"
Click on "Delete"
Wait until the Status box shows "Deleting Finished"
Click on "Report" and Copy & Paste the content of the Notepad into your next reply.
The log should be found in RKreport[1].txt on your Desktop.
Exit/Close RogueKiller.
When completed make sure to re-enable your antivirus.



#15
November 26, 2014 at 19:40:38
Here is RogueKiller:

RogueKiller V10.0.8.0 [Nov 20 2014] by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : http://forum.adlice.com
Website : http://www.adlice.com/softwares/rog...
Blog : http://www.adlice.com

Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User : user [Administrator]
Mode : Delete -- Date : 11/26/2014 22:38:06

¤¤¤ Processes : 0 ¤¤¤

¤¤¤ Registry : 22 ¤¤¤
[PUM.Proxy] (X64) HKEY_USERS\S-1-5-21-2277337054-3082054672-1405126948-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyEnable : 0 -> Replaced (0)
[PUM.Proxy] (X86) HKEY_USERS\S-1-5-21-2277337054-3082054672-1405126948-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyEnable : 0 -> Replaced (0)
[PUM.Proxy] (X64) HKEY_USERS\S-1-5-21-2277337054-3082054672-1405126948-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyServer : http=127.0.0.1:49617;https=127.0.0.1:49617 -> ERROR [0]
[PUM.Proxy] (X86) HKEY_USERS\S-1-5-21-2277337054-3082054672-1405126948-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyServer : http=127.0.0.1:49617;https=127.0.0.1:49617 -> ERROR [2]
[PUM.HomePage] (X64) HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Main | Start Page : http://go.microsoft.com/fwlink/p/?L... -> Replaced (http://go.microsoft.com/fwlink/p/?LinkId=255141)
[PUM.HomePage] (X86) HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Main | Start Page : http://go.microsoft.com/fwlink/p/?L... -> Replaced (http://go.microsoft.com/fwlink/p/?LinkId=255141)
[PUM.HomePage] (X64) HKEY_USERS\S-1-5-21-2277337054-3082054672-1405126948-1000\Software\Microsoft\Internet Explorer\Main | Start Page : http://go.microsoft.com/fwlink/p/?L... -> Replaced (http://go.microsoft.com/fwlink/p/?LinkId=255141)
[PUM.HomePage] (X86) HKEY_USERS\S-1-5-21-2277337054-3082054672-1405126948-1000\Software\Microsoft\Internet Explorer\Main | Start Page : http://go.microsoft.com/fwlink/p/?L... -> Replaced (http://go.microsoft.com/fwlink/p/?LinkId=255141)
[PUM.HomePage] (X64) HKEY_USERS\S-1-5-18\Software\Microsoft\Internet Explorer\Main | Start Page : http://go.microsoft.com/fwlink/p/?L... -> Replaced (http://go.microsoft.com/fwlink/p/?LinkId=255141)
[PUM.HomePage] (X86) HKEY_USERS\S-1-5-18\Software\Microsoft\Internet Explorer\Main | Start Page : http://go.microsoft.com/fwlink/p/?L... -> Replaced (http://go.microsoft.com/fwlink/p/?LinkId=255141)
[PUM.SearchPage] (X64) HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Main | Search Page : http://go.microsoft.com/fwlink/?Lin... -> Replaced (http://go.microsoft.com/fwlink/?LinkId=54896)
[PUM.SearchPage] (X86) HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Main | Search Page : http://go.microsoft.com/fwlink/?Lin... -> Replaced (http://go.microsoft.com/fwlink/?LinkId=54896)
[PUM.SearchPage] (X64) HKEY_USERS\S-1-5-21-2277337054-3082054672-1405126948-1000\Software\Microsoft\Internet Explorer\Main | Search Page : http://go.microsoft.com/fwlink/?Lin... -> Replaced (http://go.microsoft.com/fwlink/?LinkId=54896)
[PUM.SearchPage] (X86) HKEY_USERS\S-1-5-21-2277337054-3082054672-1405126948-1000\Software\Microsoft\Internet Explorer\Main | Search Page : http://go.microsoft.com/fwlink/?Lin... -> Replaced (http://go.microsoft.com/fwlink/?LinkId=54896)
[PUM.SearchPage] (X64) HKEY_USERS\S-1-5-18\Software\Microsoft\Internet Explorer\Main | Search Page : http://go.microsoft.com/fwlink/?Lin... -> Replaced (http://go.microsoft.com/fwlink/?LinkId=54896)
[PUM.SearchPage] (X86) HKEY_USERS\S-1-5-18\Software\Microsoft\Internet Explorer\Main | Search Page : http://go.microsoft.com/fwlink/?Lin... -> Replaced (http://go.microsoft.com/fwlink/?LinkId=54896)
[PUM.Policies] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System | ConsentPromptBehaviorAdmin : 2 -> Replaced (2)
[PUM.Policies] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System | ConsentPromptBehaviorAdmin : 2 -> Replaced (2)
[PUM.DesktopIcons] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 0 -> Replaced (0)
[PUM.DesktopIcons] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {59031a47-3f72-44a7-89c5-5595fe6b30ee} : 0 -> Replaced (0)
[PUM.DesktopIcons] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 0 -> Replaced (0)
[PUM.DesktopIcons] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {59031a47-3f72-44a7-89c5-5595fe6b30ee} : 0 -> Replaced (0)

¤¤¤ Tasks : 2 ¤¤¤
[Suspicious.Path] \\Registration -- "C:\Program Files (x86)\Hewlett-Packard\HP Setup\Dependencies\RemEngine.exe" (Registration ShowMessageTask2D) -> ERROR [0]
[Suspicious.Path] \Microsoft\Microsoft Antimalware\Microsoft Antimalware Scheduled Scan -- c:\Program Files\Microsoft Security Client\MpCmdRun.exe (Scan -ScheduleJob -RestrictPrivileges) -> ERROR [0]

¤¤¤ Files : 0 ¤¤¤

¤¤¤ Hosts File : 1 ¤¤¤
[C:\windows\System32\drivers\etc\hosts] 127.0.0.1 localhost -> Deleted

¤¤¤ Antirootkit : 0 (Driver: Not loaded [0xc000036b]) ¤¤¤

¤¤¤ Web browsers : 1 ¤¤¤
[PUP][FIREFX:Addon] xhdl6odd.default-1408823845695 : ArcadeGiant [{037A8456-0903-427E-B5E0-7D95FDD598AE}] -> Deleted

¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: ST500DM002-1BD142 +++++
--- User ---
[MBR] 924826ac3437bf7b744da4fb927e1ca9
[BSP] be26b01df814f3e42470ca09652e5698 : Empty MBR Code
Partition table:
0 - [XXXXXX] UNKNOWN (0x0) [VISIBLE] Offset (sectors): 1 | Size: 2097151 MB
User = LL1 ... OK
User = LL2 ... OK

+++++ PhysicalDrive1: Generic- SD/MMC USB Device +++++
Error reading User MBR! ([15] The device is not ready. )
Error reading LL1 MBR! NOT VALID!
Error reading LL2 MBR! ([32] The request is not supported. )

+++++ PhysicalDrive2: Generic- Compact Flash USB Device +++++
Error reading User MBR! ([15] The device is not ready. )
Error reading LL1 MBR! NOT VALID!
Error reading LL2 MBR! ([32] The request is not supported. )

+++++ PhysicalDrive3: Generic- SM/xD-Picture USB Device +++++
Error reading User MBR! ([15] The device is not ready. )
Error reading LL1 MBR! NOT VALID!
Error reading LL2 MBR! ([32] The request is not supported. )

+++++ PhysicalDrive4: Generic- MS/MS-Pro USB Device +++++
Error reading User MBR! ([15] The device is not ready. )
Error reading LL1 MBR! NOT VALID!
Error reading LL2 MBR! ([32] The request is not supported. )


============================================
RKreport_SCN_11262014_222555.log - RKreport_SCN_11262014_222746.log - RKreport_SCN_11262014_222930.log - RKreport_SCN_11262014_223134.log
RKreport_SCN_11262014_223320.log - RKreport_DEL_11262014_223518.log - RKreport_DEL_11262014_223526.log - RKreport_DEL_11262014_223546.log
RKreport_DEL_11262014_223552.log - RKreport_DEL_11262014_223555.log - RKreport_DEL_11262014_223559.log - RKreport_DEL_11262014_223603.log
RKreport_DEL_11262014_223607.log - RKreport_DEL_11262014_223610.log - RKreport_DEL_11262014_223614.log - RKreport_DEL_11262014_223617.log
RKreport_DEL_11262014_223621.log - RKreport_DEL_11262014_223625.log - RKreport_DEL_11262014_223636.log - RKreport_DEL_11262014_223644.log
RKreport_DEL_11262014_223651.log - RKreport_DEL_11262014_223656.log - RKreport_DEL_11262014_223659.log - RKreport_DEL_11262014_223705.log
RKreport_DEL_11262014_223710.log - RKreport_DEL_11262014_223724.log - RKreport_DEL_11262014_223731.log - RKreport_DEL_11262014_223739.log
RKreport_DEL_11262014_223752.log - RKreport_DEL_11262014_223758.log
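The line in that report worth stopping on is the ProxyServer value: every HTTP and HTTPS request from this user was being routed to 127.0.0.1:49617, a process on the same machine, and RogueKiller's attempt to delete it came back as ERROR, so the value survived the run (the ESET downloader log later in the thread is still trying that proxy, and it is what the LAN-settings step further down clears by hand). Below is an added Python example, not code from this thread or from RogueKiller, that parses the report's registry lines and flags loopback proxies that were not removed. The five sample lines are copied from the report above; the line grammar, the `removed` rule and the "loopback means interception" heuristic are this example's own assumptions.

```python
"""Flag a loopback proxy hijack in a RogueKiller report.

Added example; not code from the thread or from RogueKiller. The sample
lines are copied from the report posted above. The line grammar and the
"loopback means hijack" rule are this example's own assumptions.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed sample: five registry lines from the RogueKiller report above.
SAMPLE_REPORT = r"""
[PUM.Proxy] (X64) HKEY_USERS\S-1-5-21-2277337054-3082054672-1405126948-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyEnable : 0 -> Replaced (0)
[PUM.Proxy] (X86) HKEY_USERS\S-1-5-21-2277337054-3082054672-1405126948-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyEnable : 0 -> Replaced (0)
[PUM.Proxy] (X64) HKEY_USERS\S-1-5-21-2277337054-3082054672-1405126948-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyServer : http=127.0.0.1:49617;https=127.0.0.1:49617 -> ERROR [0]
[PUM.Proxy] (X86) HKEY_USERS\S-1-5-21-2277337054-3082054672-1405126948-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyServer : http=127.0.0.1:49617;https=127.0.0.1:49617 -> ERROR [2]
[PUM.Policies] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System | ConsentPromptBehaviorAdmin : 2 -> Replaced (2)
"""

# One registry line:  [Category] (Arch) Key | ValueName : Data -> Action
LINE_RE = re.compile(
    r"^\[(?P<category>[^\]]+)\]\s+\((?P<arch>X64|X86)\)\s+"
    r"(?P<key>.+?)\s+\|\s+(?P<value>[^:]+?)\s*:\s+(?P<data>.*?)\s+->\s+(?P<action>.+?)\s*$"
)


@dataclass
class RegistryEntry:
    category: str
    arch: str
    key: str
    value: str
    data: str
    action: str

    @property
    def removed(self) -> bool:
        # RogueKiller writes "Replaced (...)" or "Deleted" when the fix was
        # applied and "ERROR [n]" when it could not change the value.
        return not self.action.startswith("ERROR")


def parse_report(text: str) -> List[RegistryEntry]:
    """Return the registry lines of a report; lines that do not match are skipped."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            entries.append(RegistryEntry(**m.groupdict()))
    return entries


def parse_proxy_server(data: str) -> Dict[str, Tuple[str, int]]:
    """Parse a WinINet ProxyServer value into {scheme: (host, port)}.

    Windows stores either "host:port" (one proxy for everything, keyed "*"
    here) or "http=host:port;https=host:port;...". IPv6 literals are not
    handled, which is enough for this report.
    """
    proxies: Dict[str, Tuple[str, int]] = {}
    for part in filter(None, data.split(";")):
        scheme, _, hostport = part.partition("=") if "=" in part else ("*", "", part)
        host, sep, port = hostport.rpartition(":")
        if not sep:  # no explicit port; WinINet defaults to 80
            host, port = hostport, "80"
        proxies[scheme.strip()] = (host.strip(), int(port))
    return proxies


def is_loopback(host: str) -> bool:
    return host == "localhost" or host == "::1" or host.startswith("127.")


@dataclass
class ProxyFinding:
    arch: str
    key: str
    proxies: Dict[str, Tuple[str, int]]
    removed: bool


def find_proxy_hijacks(text: str) -> List[ProxyFinding]:
    """Return every ProxyServer entry that points back at this machine.

    A proxy on 127.0.0.1 means a process on the infected host sits between
    the browser and the internet. For the https= entry that process either
    tunnels the connection unchanged or terminates TLS itself, so treat the
    finding as an interception point, not just a stray setting.
    """
    findings = []
    for e in parse_report(text):
        if e.category != "PUM.Proxy" or e.value != "ProxyServer":
            continue
        proxies = parse_proxy_server(e.data)
        if any(is_loopback(host) for host, _ in proxies.values()):
            findings.append(ProxyFinding(e.arch, e.key, proxies, e.removed))
    return findings


if __name__ == "__main__":
    for f in find_proxy_hijacks(SAMPLE_REPORT):
        state = "removed" if f.removed else "STILL SET (RogueKiller could not delete it)"
        print(f"[{f.arch}] {f.key}\n  {f.proxies} -> {state}")
```

Run against the sample it reports both ProxyServer hits as still set, which is the reason a clean-looking "Replaced" list is not the same as a clean machine: a tool that cannot write the value leaves the interception in place, and the only way to know is to read the action column rather than the count.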



#16
November 26, 2014 at 19:44:12
Ok, going well, we are breaking the nasties down, bit by bit.

After Combofix, I will give you a program to run whilst in bed.

Step 4: Download ComboFix onto your Desktop & then run. If your default download location is not the Desktop, drag it out of its location onto the Desktop. Copy & Paste the contents of the log in your next post please. ComboFix's log should be located at C:\COMBOFIX.TXT.
http://www.bleepingcomputer.com/dow...
http://download.bleepingcomputer.co...
http://www.forospyware.com/sUBs/Com...
A guide and tutorial on using ComboFix
http://www.bleepingcomputer.com/com...
http://www.winhelp.us/index.php/gen...
Manually restoring the Internet connection
http://www.bleepingcomputer.com/com...
There are circumstances ComboFix will hang, crash or stall at various stages due to malware interference, failure to disable other real-time protection tools or the presence of CD Emulators (Daemon Tools, Alcohol 120%, Astroburn, AnyDVD) so that it does not complete successfully. Also, depending on how badly a system is infected, ComboFix may take longer to complete its routine than it normally does or fail to run properly. While that is not normal behavior, it is not unusual.
If you think it's frozen, look at the computer clock.
If it's running, Combofix is still working.
NOTE: Do not mouseclick combofix's window while it is running. That may cause it to stall.
NOTE: ComboFix will check to see if the Microsoft Windows Recovery Console is installed.
***It's strongly recommended to have the Recovery Console installed before doing any malware removal.***
**Please Note: If the Microsoft Windows Recovery Console is already installed, ComboFix will automatically proceed with its scan.
The Recovery Console provides a recovery/repair mode should a problem occur during a Combofix run.
Allow ComboFix to download the Recovery Console.
Accept the End-User License Agreement.
The Recovery Console will be installed.
You will then get this next prompt that asks if you want to continue the malware scan, select yes.
If after running Combofix you discover none of your programs will open up, and you receive the following error: "Illegal operation attempted on a registry key that has been marked for deletion", then the answer is to REBOOT the machine, and all will be corrected.
Can't Install an Antivirus - Windows Security Center still detects previous AV
http://www.experts-exchange.com/Vir...
We are almost ready to start ComboFix, but before we do so, we need to take some preventative measures so that there are no conflicts with other programs when running ComboFix. At this point you should do the following:
* Close all open Windows including this one.
* Close or disable all running Antivirus, Antispyware, and Firewall programs as they may interfere with the proper running of ComboFix. Instructions on disabling these type of programs can be found in this topic.
http://www.bleepingcomputer.com/for...
http://www.techsupportforum.com/for...
Once these two steps have been completed, double-click on the ComboFix icon found on your Desktop.
Please Note: Once you start ComboFix you should not click anywhere on the ComboFix window as it can cause the program to stall. In fact, when ComboFix is running, do not touch your computer at all. The scan could take a while, so please be patient.



#17
November 26, 2014 at 20:20:15


#18
November 26, 2014 at 20:30:50
Another good result.

Step 5: Run ESET Online Scanner, Copy and Paste the contents of the log in your reply please. This scan may take a very long while, so please be patient. Maybe start it before going to work or bed.
http://www.eset.com/us/online-scann...
http://www.eset.com/home/products/o...
If your comp is unbootable, or won't let you download, you will have to download ESET from a good computer, put it on a flash/thumb/pen/usb drive & run it from there.
Create a ESET SysRescue CD or USB drive
http://kb.eset.com/esetkb/index?pag...
How do I use my ESET SysRescue CD or USB flash drive to scan and clean my system?
http://kb.eset.com/esetkb/index?pag...
Configure ESET this way & disable your AV.
http://i.imgur.com/3U7YC.gif
How to Temporarily Disable your Anti-virus
http://www.bleepingcomputer.com/for...
http://www.techsupportforum.com/for...
Which web browsers are compatible with ESET Online Scanner?
http://www.nod32.fi/eset-online-sca...
http://kb.eset.com/esetkb/index?pag...
Online Scanner not working
http://kb.eset.com/esetkb/index?pag...
Why Would I Ever Need an Online Virus Scanner? I already have an antivirus program installed, isn't that enough?
http://www.squidoo.com/the-best-fre...
Once onto a machine, malware can disable antivirus programs, prevent antimalware programs from downloading updates, or prevent a user from running antivirus scans or installing new antivirus software or malware removal tools. At this point even though you are aware the computer is infected, removal is very difficult.
5: Why does the ESET Online Scanner run slowly on my computer?
If you have other antivirus, antispyware or anti-malware programs running on your computer, they may intercept the scan being performed by the ESET Online Scanner and hinder performance. You may wish to disable the real-time protection components of your other security software before running the ESET Online Scanner. Remember to turn them back on after you are finished.
17: How can I view the log file from ESET Online Scanner?
http://kb.eset.com/esetkb/index?pag...
http://www.eset.com/home/products/o...
The ESET Online Scanner saves a log file after running, which can be examined or sent in to ESET for further analysis. The path to the log file is "C:\Program Files\EsetOnlineScanner\log.txt". You can view this file by navigating to the directory and double-clicking on it in Windows Explorer, or by copying and pasting the path specification above (including the quotation marks) into the Start > Run dialog box from the Start Menu on the Desktop.
If no threats are found, you will simply see an information window that no threats were found.
http://www.trishtech.com/security/s...



#19
November 26, 2014 at 20:34:49
OK John, will run it and hit the sack. See you tomorrow, and thanks for all.


#20
November 26, 2014 at 20:40:37
Fine Warren.

I'm here.
http://www.timeanddate.com/worldclo...



#21
November 27, 2014 at 06:49:34
Hi John: here is the result of the ESET scan:

9:39 AM 11/27/2014
ESETSmartInstaller@High as downloader log:
all ok
Update failed (41217). Trying proxy 127.0.0.149617
finished. ret_update=0 e_gle=0
# product=EOS
# version=8
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.7623
# api_version=3.0.2
# EOSSerial=2ad72119ec3656429d01fdcedf204beb
# engine=21287
# end=finished
# remove_checked=true
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2014-11-27 05:26:40
# local_time=2014-11-27 12:26:40 (-0500, Eastern Standard Time)
# country="United States"
# lang=1033
# osver=6.1.7601 NT Service Pack 1
# compatibility_mode_1='AVG Internet Security 2014'
# compatibility_mode=1049 16777213 100 100 0 103256784 0 0
# compatibility_mode_1=''
# compatibility_mode=5893 16776574 100 94 11402617 168609450 0 0
# scanned=223778
# found=12
# cleaned=12
# scan_time=2548
sh=22DF0C5225334D3AD807485F5E9DC92AD42DB731 ft=1 fh=10832299a7779ae3 vn="a variant of MSIL/Adware.StrongVault.A application (cleaned by deleting - quarantined)" ac=C fn="C:\AdwCleaner\Quarantine\C\users\user\AppData\Local\WeatherAlerts\DesktopWeatherAlertsApp.exe.vir"
sh=30676FD4318457A5AFFE953448EB4A16A02CB82E ft=1 fh=d36ab4e3c696a71a vn="Win32/VOPackage.L potentially unwanted application (deleted - quarantined)" ac=C fn="C:\AdwCleaner\Quarantine\C\users\user\AppData\Roaming\VOPackage\runasu.exe.vir"
sh=791CE7CD3C3B2CDF0F015D25ADED971A1E0F1ADF ft=1 fh=feec9bed17d54609 vn="a variant of Win32/VOPackage.M potentially unwanted application (deleted - quarantined)" ac=C fn="C:\AdwCleaner\Quarantine\C\users\user\AppData\Roaming\VOPackage\VOsrv.exe.vir"
sh=2FB5DDA76F4E4A7B503A5FCD307EA23BC7E26ABE ft=1 fh=ada40f36567dd60a vn="a variant of Win32/Adware.AntiMalwarePro.AD application (cleaned by deleting - quarantined)" ac=C fn="C:\Program Files (x86)\Orbasoft Aps\Adware Remover\engine.dll"
sh=A4DE895E3F6F4FA71D75FF28D9B9945801EF79E1 ft=1 fh=05a9aee433a30f9e vn="a variant of Win32/Toolbar.SearchSuite.T potentially unwanted application (deleted - quarantined)" ac=C fn="C:\Users\user\AppData\Local\Temp\nsw95E9.tmp\cappc.exe"
sh=F62EF0ECDFA2CA672739C94401203B4B9947BE04 ft=1 fh=64a92ac40006c88f vn="a variant of Win32/Toolbar.SearchSuite.J potentially unwanted application (deleted - quarantined)" ac=C fn="C:\Users\user\AppData\Local\Temp\nsw95E9.tmp\Uninstall.exe"
sh=0DD690F895E275C3CAD7445283CE6DF88933D7AA ft=1 fh=90296a45f95928ea vn="Win32/DownloadAdmin.G potentially unwanted application (deleted - quarantined)" ac=C fn="C:\Users\user\Downloads\adwareremover-setup.exe"
sh=A85B9F15866C38F422A3B5BB292017B9B837EDF5 ft=1 fh=1ece2e44d248555b vn="Win32/Systweak.D potentially unwanted application (deleted - quarantined)" ac=C fn="C:\Users\user\Downloads\rcp_dcomnew_sec_728.exe"
sh=1D91F706749C27D4023681469BAB7EB230F4C084 ft=1 fh=17b092916561aa0b vn="Win32/DownloadAdmin.G potentially unwanted application (deleted - quarantined)" ac=C fn="C:\Users\user\Downloads\revouninstaller-setup.exe"
sh=C4609302441BDEBFE7ABB37CD6CCFBF14C7080C0 ft=1 fh=05af77b1ea4350ed vn="Win32/DownloadAdmin.G potentially unwanted application (deleted - quarantined)" ac=C fn="C:\Users\user\Pictures\junkwareremovaltool-setup.exe"
sh=64CE0EFAA9858CD08AF1B0A65B46CDCEDAFF2608 ft=1 fh=b55a643a5ffe7337 vn="a variant of Win32/Toolbar.SearchSuite.J potentially unwanted application (deleted - quarantined)" ac=C fn="C:\Users\user\Pictures\Pictures Downloaded from AOL\jZipSetup-r230-n-bc.exe"
sh=14E2BB7A6F6E566CFDCBAF4878F95E072DE7F171 ft=1 fh=a35509c44751aa93 vn="Win32/Toolbar.Crawler.B potentially unwanted application (deleted - quarantined)" ac=C fn="C:\Users\user\Pictures\Pictures Downloaded from AOL\WallpapersSetup.exe"
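Twelve hits sounds bad, but the scan lumps three different things together: copies that AdwCleaner had already quarantined (paths under C:\AdwCleaner\Quarantine, renamed to .vir), leftover installers still sitting in Downloads and Pictures (the DownloadAdmin and Toolbar.SearchSuite names are download-wrapper and toolbar bundlers, the kind of packaging the Best Answer warns about), and a component that was actually installed and running, the Orbasoft "Adware Remover" engine.dll under Program Files. Below is an added Python example, not code from this thread or from ESET, that parses the sh=/vn=/fn= line format and puts each hit into one of those buckets so the live ones stand out. Four sample lines are copied from the log above; the field grammar and the bucket rules are this example's own heuristic.

```python
"""Triage ESET Online Scanner detection lines by where the file lived.

Added example; not code from the thread or from ESET. The sample lines are
copied from the scan posted above. The field grammar and the location
buckets are this example's own assumptions.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample: four detection lines from the ESET log above.
SAMPLE_LOG = r"""
sh=30676FD4318457A5AFFE953448EB4A16A02CB82E ft=1 fh=d36ab4e3c696a71a vn="Win32/VOPackage.L potentially unwanted application (deleted - quarantined)" ac=C fn="C:\AdwCleaner\Quarantine\C\users\user\AppData\Roaming\VOPackage\runasu.exe.vir"
sh=2FB5DDA76F4E4A7B503A5FCD307EA23BC7E26ABE ft=1 fh=ada40f36567dd60a vn="a variant of Win32/Adware.AntiMalwarePro.AD application (cleaned by deleting - quarantined)" ac=C fn="C:\Program Files (x86)\Orbasoft Aps\Adware Remover\engine.dll"
sh=1D91F706749C27D4023681469BAB7EB230F4C084 ft=1 fh=17b092916561aa0b vn="Win32/DownloadAdmin.G potentially unwanted application (deleted - quarantined)" ac=C fn="C:\Users\user\Downloads\revouninstaller-setup.exe"
sh=A4DE895E3F6F4FA71D75FF28D9B9945801EF79E1 ft=1 fh=05a9aee433a30f9e vn="a variant of Win32/Toolbar.SearchSuite.T potentially unwanted application (deleted - quarantined)" ac=C fn="C:\Users\user\AppData\Local\Temp\nsw95E9.tmp\cappc.exe"
"""

# key=value pairs; values are either bare tokens or double-quoted strings.
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
# vn="[a variant of ]<family> <kind> (<outcome>)"
VN_RE = re.compile(r"^(?:a variant of )?(?P<family>\S+)\s+(?P<kind>.+?)\s+\((?P<outcome>[^)]*)\)$")


@dataclass
class Detection:
    sha1: str      # sh= field, 40 hex chars (SHA-1 length)
    family: str
    kind: str      # "application" (adware) or "potentially unwanted application"
    outcome: str   # what ESET did, e.g. "deleted - quarantined"
    path: str
    location: str  # bucket from classify_path()


def parse_fields(line: str) -> Dict[str, str]:
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in FIELD_RE.finditer(line)}


def classify_path(path: str) -> str:
    """Bucket a detection by where the file was found (heuristic, this example's own)."""
    p = path.lower()
    name = p.rsplit("\\", 1)[-1]
    if "\\adwcleaner\\quarantine\\" in p:
        return "already-quarantined"   # leftover copy from an earlier AdwCleaner run
    if "\\temp\\" in p:
        return "temp-dropper"          # unpacked installer payload (Temp\ns*.tmp is NSIS)
    if "setup" in name and name.endswith(".exe"):
        return "installer"             # downloaded setup wrapper still sitting on disk
    return "live"                      # installed component that was actually in use


def parse_detections(text: str) -> List[Detection]:
    dets = []
    for raw in text.splitlines():
        f = parse_fields(raw.strip())
        if "vn" not in f or "fn" not in f:
            continue
        m = VN_RE.match(f["vn"])
        if not m:
            continue
        dets.append(Detection(f.get("sh", ""), m["family"], m["kind"], m["outcome"],
                              f["fn"], classify_path(f["fn"])))
    return dets


def summarize(dets: List[Detection]) -> Counter:
    """How many detections fell into each location bucket."""
    return Counter(d.location for d in dets)


def live_detections(dets: List[Detection]) -> List[Detection]:
    """The hits that matter for 'is it still infected': installed components."""
    return [d for d in dets if d.location == "live"]


if __name__ == "__main__":
    found = parse_detections(SAMPLE_LOG)
    print(dict(summarize(found)))
    for d in live_detections(found):
        print(f"LIVE  {d.family:40} {d.path}")
```

The point of the buckets is prioritisation, not dismissal: the quarantined and installer hits are evidence of how the machine got this way and are worth deleting, but only the "live" bucket tells you whether something was still executing when the scan ran.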



#22
November 27, 2014 at 13:29:30
Another good result Warren.

Step 6: Start > Control Panel > Internet Options > Connections > LAN settings, untick > Use a proxy server for your LAN.
Click OK twice.

Step 7: Update & run Malwarebytes again, post the log please.



#23
November 27, 2014 at 18:47:10
Hi John: here is the latest you asked for:

Malwarebytes Anti-Malware
www.malwarebytes.org

Scan Date: 11/27/2014
Scan Time: 9:10:38 PM
Logfile:
Administrator: Yes

Version: 2.00.3.1025
Malware Database: v2014.11.27.08
Rootkit Database: v2014.11.22.01
License: Free
Malware Protection: Disabled
Malicious Website Protection: Disabled
Self-protection: Disabled

OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: user

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 598947
Time Elapsed: 26 min, 2 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled

Processes: 0
(No malicious items detected)

Modules: 0
(No malicious items detected)

Registry Keys: 0
(No malicious items detected)

Registry Values: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Folders: 10
PUP.Optional.Bandoo, C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\aaaaafeopjhkcolncjbedbhofpocmdbn, , [785d0a34c7b53cfa6363f83818eba858],
PUP.Optional.Bandoo, C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\aaaaafeopjhkcolncjbedbhofpocmdbn\1.3_0, , [785d0a34c7b53cfa6363f83818eba858],
PUP.Optional.Bandoo, C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\aaaaafeopjhkcolncjbedbhofpocmdbn\1.3_0\common, , [785d0a34c7b53cfa6363f83818eba858],
PUP.Optional.Bandoo, C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\aaaaafeopjhkcolncjbedbhofpocmdbn\1.3_0\config, , [785d0a34c7b53cfa6363f83818eba858],
PUP.Optional.Bandoo, C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\aaaaafeopjhkcolncjbedbhofpocmdbn\1.3_0\newtab, , [785d0a34c7b53cfa6363f83818eba858],
PUP.Optional.Bandoo, C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\aaaaafeopjhkcolncjbedbhofpocmdbn\1.3_0\newtab\js, , [785d0a34c7b53cfa6363f83818eba858],
PUP.Optional.Bandoo, C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\aaaaafeopjhkcolncjbedbhofpocmdbn\1.3_0\settings, , [785d0a34c7b53cfa6363f83818eba858],
PUP.Optional.Bandoo, C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\aaaaafeopjhkcolncjbedbhofpocmdbn\1.3_0\settings\common, , [785d0a34c7b53cfa6363f83818eba858],
PUP.Optional.Bandoo, C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\aaaaafeopjhkcolncjbedbhofpocmdbn\1.3_0\settings\Imesh, , [785d0a34c7b53cfa6363f83818eba858],
PUP.Optional.Bandoo, C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\aaaaafeopjhkcolncjbedbhofpocmdbn\1.3_0\_metadata, , [785d0a34c7b53cfa6363f83818eba858],

Files: 12
Rogue.AdwareRemover, C:\Users\user\Desktop\Adware Remover.lnk, , [22b341fddba174c254f52191ea1944bc],
PUP.Optional.Bandoo, C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\aaaaafeopjhkcolncjbedbhofpocmdbn\1.3_0\manifest.json, , [785d0a34c7b53cfa6363f83818eba858],
PUP.Optional.Bandoo, C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\aaaaafeopjhkcolncjbedbhofpocmdbn\1.3_0\common\config.js, , [785d0a34c7b53cfa6363f83818eba858],
PUP.Optional.Bandoo, C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\aaaaafeopjhkcolncjbedbhofpocmdbn\1.3_0\common\registry.js, , [785d0a34c7b53cfa6363f83818eba858],
PUP.Optional.Bandoo, C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\aaaaafeopjhkcolncjbedbhofpocmdbn\1.3_0\common\reporting.js, , [785d0a34c7b53cfa6363f83818eba858],
PUP.Optional.Bandoo, C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\aaaaafeopjhkcolncjbedbhofpocmdbn\1.3_0\common\utils.js, , [785d0a34c7b53cfa6363f83818eba858],
PUP.Optional.Bandoo, C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\aaaaafeopjhkcolncjbedbhofpocmdbn\1.3_0\config\build.json, , [785d0a34c7b53cfa6363f83818eba858],
PUP.Optional.Bandoo, C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\aaaaafeopjhkcolncjbedbhofpocmdbn\1.3_0\newtab\newtab-hp.html, , [785d0a34c7b53cfa6363f83818eba858],
PUP.Optional.Bandoo, C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\aaaaafeopjhkcolncjbedbhofpocmdbn\1.3_0\newtab\js\newtab-hp.js, , [785d0a34c7b53cfa6363f83818eba858],
PUP.Optional.Bandoo, C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\aaaaafeopjhkcolncjbedbhofpocmdbn\1.3_0\settings\common\redirect.js, , [785d0a34c7b53cfa6363f83818eba858],
PUP.Optional.Bandoo, C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\aaaaafeopjhkcolncjbedbhofpocmdbn\1.3_0\settings\Imesh\background.js, , [785d0a34c7b53cfa6363f83818eba858],
PUP.Optional.Bandoo, C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\aaaaafeopjhkcolncjbedbhofpocmdbn\1.3_0\_metadata\verified_contents.json, , [785d0a34c7b53cfa6363f83818eba858],

Physical Sectors: 0
(No malicious items detected)


(end)

#24
November 27, 2014 at 19:06:32
Did you quarantine them Warren?


#25
November 27, 2014 at 19:25:46
Yes. Here is the final log:
Malwarebytes Anti-Malware
www.malwarebytes.org

Scan Date: 11/27/2014
Scan Time: 9:54:22 PM
Logfile:
Administrator: Yes

Version: 2.00.3.1025
Malware Database: v2014.11.27.08
Rootkit Database: v2014.11.22.01
License: Free
Malware Protection: Disabled
Malicious Website Protection: Disabled
Self-protection: Disabled

OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: user

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 598909
Time Elapsed: 24 min, 41 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled

Processes: 0
(No malicious items detected)

Modules: 0
(No malicious items detected)

Registry Keys: 0
(No malicious items detected)

Registry Values: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Folders: 10
PUP.Optional.Bandoo, C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\aaaaafeopjhkcolncjbedbhofpocmdbn, Quarantined, [a62f9aa41666ff378b3b74bc04ff9c64],
PUP.Optional.Bandoo, C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\aaaaafeopjhkcolncjbedbhofpocmdbn\1.3_0, Quarantined, [a62f9aa41666ff378b3b74bc04ff9c64],
PUP.Optional.Bandoo, C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\aaaaafeopjhkcolncjbedbhofpocmdbn\1.3_0\common, Quarantined, [a62f9aa41666ff378b3b74bc04ff9c64],
PUP.Optional.Bandoo, C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\aaaaafeopjhkcolncjbedbhofpocmdbn\1.3_0\config, Quarantined, [a62f9aa41666ff378b3b74bc04ff9c64],
PUP.Optional.Bandoo, C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\aaaaafeopjhkcolncjbedbhofpocmdbn\1.3_0\newtab, Quarantined, [a62f9aa41666ff378b3b74bc04ff9c64],
PUP.Optional.Bandoo, C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\aaaaafeopjhkcolncjbedbhofpocmdbn\1.3_0\newtab\js, Quarantined, [a62f9aa41666ff378b3b74bc04ff9c64],
PUP.Optional.Bandoo, C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\aaaaafeopjhkcolncjbedbhofpocmdbn\1.3_0\settings, Quarantined, [a62f9aa41666ff378b3b74bc04ff9c64],
PUP.Optional.Bandoo, C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\aaaaafeopjhkcolncjbedbhofpocmdbn\1.3_0\settings\common, Quarantined, [a62f9aa41666ff378b3b74bc04ff9c64],
PUP.Optional.Bandoo, C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\aaaaafeopjhkcolncjbedbhofpocmdbn\1.3_0\settings\Imesh, Quarantined, [a62f9aa41666ff378b3b74bc04ff9c64],
PUP.Optional.Bandoo, C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\aaaaafeopjhkcolncjbedbhofpocmdbn\1.3_0\_metadata, Quarantined, [a62f9aa41666ff378b3b74bc04ff9c64],

Files: 12
Rogue.AdwareRemover, C:\Users\user\Desktop\Adware Remover.lnk, Quarantined, [15c01e20f587a88e5aef6f4329dab749],
PUP.Optional.Bandoo, C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\aaaaafeopjhkcolncjbedbhofpocmdbn\1.3_0\manifest.json, Quarantined, [a62f9aa41666ff378b3b74bc04ff9c64],
PUP.Optional.Bandoo, C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\aaaaafeopjhkcolncjbedbhofpocmdbn\1.3_0\common\config.js, Quarantined, [a62f9aa41666ff378b3b74bc04ff9c64],
PUP.Optional.Bandoo, C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\aaaaafeopjhkcolncjbedbhofpocmdbn\1.3_0\common\registry.js, Quarantined, [a62f9aa41666ff378b3b74bc04ff9c64],
PUP.Optional.Bandoo, C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\aaaaafeopjhkcolncjbedbhofpocmdbn\1.3_0\common\reporting.js, Quarantined, [a62f9aa41666ff378b3b74bc04ff9c64],
PUP.Optional.Bandoo, C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\aaaaafeopjhkcolncjbedbhofpocmdbn\1.3_0\common\utils.js, Quarantined, [a62f9aa41666ff378b3b74bc04ff9c64],
PUP.Optional.Bandoo, C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\aaaaafeopjhkcolncjbedbhofpocmdbn\1.3_0\config\build.json, Quarantined, [a62f9aa41666ff378b3b74bc04ff9c64],
PUP.Optional.Bandoo, C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\aaaaafeopjhkcolncjbedbhofpocmdbn\1.3_0\newtab\newtab-hp.html, Quarantined, [a62f9aa41666ff378b3b74bc04ff9c64],
PUP.Optional.Bandoo, C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\aaaaafeopjhkcolncjbedbhofpocmdbn\1.3_0\newtab\js\newtab-hp.js, Quarantined, [a62f9aa41666ff378b3b74bc04ff9c64],
PUP.Optional.Bandoo, C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\aaaaafeopjhkcolncjbedbhofpocmdbn\1.3_0\settings\common\redirect.js, Quarantined, [a62f9aa41666ff378b3b74bc04ff9c64],
PUP.Optional.Bandoo, C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\aaaaafeopjhkcolncjbedbhofpocmdbn\1.3_0\settings\Imesh\background.js, Quarantined, [a62f9aa41666ff378b3b74bc04ff9c64],
PUP.Optional.Bandoo, C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\aaaaafeopjhkcolncjbedbhofpocmdbn\1.3_0\_metadata\verified_contents.json, Quarantined, [a62f9aa41666ff378b3b74bc04ff9c64],

Physical Sectors: 0
(No malicious items detected)


(end)

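A way to check a pair of Malwarebytes logs like the ones in #23 and #25 without eyeballing every line. This is an added example for this thread, not part of the original posts and not a Malwarebytes tool: it parses the `Threat, Path, Action, [id],` lines, reports which of the first scan's items the second scan quarantined, which it detected again but still left untouched, and which it no longer lists at all, and it flags any section whose declared count does not match the entries it could parse (the wrapped line in #25 is exactly that kind of paste damage). The two sample logs inside it are constructed, abridged from the thread, and the extension-ID helper assumes Chrome's 32-letter a-p ID format.

```python
"""Parse Malwarebytes Anti-Malware 2.x scan logs and check that a follow-up scan
actually acted on what the first scan found.

Added example for this thread, not a Malwarebytes tool.  The line layout is the
one in the logs pasted above:  Threat, Path, Action, [hex-id],   with an empty
Action when nothing was done.  The two sample logs are constructed (abridged
from the thread) and the second one deliberately contains a wrapped line, as
happened in post #25, so the count check has something to find."""
import re
from collections import namedtuple

Detection = namedtuple("Detection", "section threat path action ident")

# Only the per-category headers, so "Objects Scanned: 598947" is not mistaken for one.
SECTION_RE = re.compile(r"^(?P<name>Processes|Modules|Registry Keys|Registry Values|"
                        r"Registry Data|Folders|Files|Physical Sectors): (?P<count>\d+)\s*$")
ENTRY_RE = re.compile(r"^(?P<threat>[^,]+), (?P<path>.*), (?P<action>[^,]*), "
                      r"\[(?P<ident>[0-9a-fA-F]+)\],?\s*$")
# Chrome extension IDs are 32 letters in the range a-p; useful for a chrome://extensions cross-check.
CHROME_EXT_RE = re.compile(r"\\Extensions\\(?P<ext_id>[a-p]{32})(?:\\|$)")


def parse_mbam_log(text):
    """Return (detections, header_counts) where header_counts maps section -> declared count."""
    detections, header_counts, section = [], {}, None
    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            section = m.group("name")
            header_counts[section] = int(m.group("count"))
            continue
        m = ENTRY_RE.match(line)
        if m and section:
            detections.append(Detection(section, m.group("threat"), m.group("path"),
                                        m.group("action"), m.group("ident").lower()))
    return detections, header_counts


def count_mismatches(detections, header_counts):
    """Sections whose declared count differs from the entries we could parse.
    A mismatch normally means a line was wrapped or truncated when the log was pasted."""
    parsed = {}
    for d in detections:
        parsed[d.section] = parsed.get(d.section, 0) + 1
    return {s: (n, parsed.get(s, 0)) for s, n in header_counts.items() if n != parsed.get(s, 0)}


def compare_scans(before_text, after_text):
    """For every path the first scan reported, say what the second scan did with it."""
    before, _ = parse_mbam_log(before_text)
    after, after_counts = parse_mbam_log(after_text)
    after_by_path = {d.path.lower(): d for d in after}
    result = {"quarantined": [], "still_pending": [], "not_redetected": [],
              "count_mismatches": count_mismatches(after, after_counts)}
    for d in before:
        a = after_by_path.get(d.path.lower())
        if a is None:
            result["not_redetected"].append(d.path)      # gone, or hidden by a broken line
        elif a.action.lower() == "quarantined":
            result["quarantined"].append(d.path)
        else:
            result["still_pending"].append(d.path)       # detected again, still not acted on
    return result


def chrome_extension_ids(detections):
    """Distinct Chrome extension IDs found in the detected paths."""
    return sorted({m.group("ext_id") for d in detections
                   for m in [CHROME_EXT_RE.search(d.path)] if m})


# Constructed sample logs, abridged from posts #23 and #25.
EXT = r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\aaaaafeopjhkcolncjbedbhofpocmdbn"
BEFORE_LOG = rf"""Objects Scanned: 598947
Processes: 0
(No malicious items detected)

Folders: 2
PUP.Optional.Bandoo, {EXT}, , [785d0a34c7b53cfa6363f83818eba858],
PUP.Optional.Bandoo, {EXT}\1.3_0, , [785d0a34c7b53cfa6363f83818eba858],

Files: 2
Rogue.AdwareRemover, C:\Users\user\Desktop\Adware Remover.lnk, , [22b341fddba174c254f52191ea1944bc],
PUP.Optional.Bandoo, {EXT}\1.3_0\manifest.json, , [785d0a34c7b53cfa6363f83818eba858],
"""
AFTER_LOG = rf"""Folders: 2
PUP.Optional.Bandoo, {EXT}, Quarantined, [a62f9aa41666ff378b3b74bc04ff9c64
Optional.Bandoo, {EXT}\1.3_0, Quarantined, [a62f9aa41666ff378b3b74bc04ff9c64],

Files: 2
Rogue.AdwareRemover, C:\Users\user\Desktop\Adware Remover.lnk, , [15c01e20f587a88e5aef6f4329dab749],
PUP.Optional.Bandoo, {EXT}\1.3_0\manifest.json, Quarantined, [a62f9aa41666ff378b3b74bc04ff9c64],
"""

if __name__ == "__main__":
    report = compare_scans(BEFORE_LOG, AFTER_LOG)
    for key, items in report.items():
        print(f"{key}: {items}")
    print("extension IDs:", chrome_extension_ids(parse_mbam_log(BEFORE_LOG)[0]))
```

Run it on two saved logs by reading them into `compare_scans()`; anything in `still_pending` is what the helper's "Did you quarantine them?" question is about, and a non-empty `count_mismatches` means the pasted log lost a line and should be re-posted before it is trusted.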
#26
November 27, 2014 at 19:33:07
That's better.

Run AdwCleaner again & post the new log please.

#27
November 27, 2014 at 19:49:07
AdwCleaner v4.102 - Report created 27/11/2014 at 22:45:21
# Updated 23/11/2014 by Xplode
# Database : 2014-11-23.7 [Live]
# Operating System : Windows 7 Home Premium Service Pack 1 (64 bits)
# Username : user - USER-HP
# Running from : C:\Users\user\Pictures\Pictures Downloaded from AOL\AdwCleaner.exe
# Option : Clean

***** [ Services ] *****


***** [ Files / Folders ] *****

Folder Deleted : C:\ProgramData\Viewpoint
Folder Deleted : C:\Program Files (x86)\jZip
Folder Deleted : C:\Program Files (x86)\Viewpoint

***** [ Scheduled Tasks ] *****


***** [ Shortcuts ] *****


***** [ Registry ] *****

Key Deleted : HKLM\SOFTWARE\Classes\AxMetaStream.MetaStreamCtl
Key Deleted : HKLM\SOFTWARE\Classes\AxMetaStream.MetaStreamCtl.1
Key Deleted : HKLM\SOFTWARE\Classes\AxMetaStream.MetaStreamCtlSecondary
Key Deleted : HKLM\SOFTWARE\Classes\AxMetaStream.MetaStreamCtlSecondary.1
Key Deleted : HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{03F998B2-0E00-11D3-A498-00104B6EB52E}
Key Deleted : HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{1B00725B-C455-4DE6-BFB6-AD540AD427CD}
Key Deleted : HKLM\SOFTWARE\MozillaPlugins\@viewpoint.com/VMP
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{03F998B2-0E00-11D3-A498-00104B6EB52E}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{1B00725B-C455-4DE6-BFB6-AD540AD427CD}
Key Deleted : HKLM\SOFTWARE\MetaStream
Key Deleted : HKLM\SOFTWARE\Viewpoint
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ViewpointMediaPlayer

***** [ Browsers ] *****

-\\ Internet Explorer v11.0.9600.17420


-\\ Mozilla Firefox v29.0.1 (en-US)


-\\ Google Chrome v39.0.2171.71


*************************

AdwCleaner[R0].txt - [14078 octets] - [28/06/2014 22:43:45]
AdwCleaner[R1].txt - [4541 octets] - [02/07/2014 15:13:13]
AdwCleaner[R2].txt - [4406 octets] - [23/08/2014 15:04:02]
AdwCleaner[R3].txt - [2906 octets] - [22/10/2014 14:21:41]
AdwCleaner[R4].txt - [3718 octets] - [24/10/2014 20:20:05]
AdwCleaner[R5].txt - [2593 octets] - [26/11/2014 22:02:06]
AdwCleaner[R6].txt - [2547 octets] - [27/11/2014 22:43:17]
AdwCleaner[S0].txt - [13887 octets] - [28/06/2014 22:44:34]
AdwCleaner[S1].txt - [4676 octets] - [02/07/2014 15:18:32]
AdwCleaner[S2].txt - [5826 octets] - [23/08/2014 15:06:29]
AdwCleaner[S3].txt - [2953 octets] - [22/10/2014 14:25:04]
AdwCleaner[S4].txt - [3834 octets] - [24/10/2014 20:21:59]
AdwCleaner[S5].txt - [2640 octets] - [26/11/2014 22:03:49]
AdwCleaner[S6].txt - [2498 octets] - [27/11/2014 22:45:21]

########## EOF - C:\AdwCleaner\AdwCleaner[S6].txt - [2558 octets] ##########

#28
November 27, 2014 at 19:51:31
Run Farbar again please, follow this SS & upload the 2 new logs.
http://i.imgur.com/i3fg3Pf.gif


#30
November 27, 2014 at 20:16:05
A couple of questions before you go to bed, Warren.

"Running from C:\Users\user\Pictures\Pictures Downloaded from AOL"
Why are you not dragging the Farbar program out of your Pictures folder onto the Desktop?

"ProxyEnable: [S-1-5-21-2277337054-3082054672-1405126948-1000] => Internet Explorer proxy is enabled."
Did you do the disable proxy as per my post #22?

#31
November 27, 2014 at 20:16:33
Gonna hit the hay, John. Leave further instructions and I will do them tomorrow afternoon. Thanks.

#32
November 27, 2014 at 21:31:48
Post #7: "Scan Date: 11/26/2014"
Clean, but that doesn't mean anything at this stage; more than likely it means the trojan is stopping it finding a problem.
Even though Malwarebytes is a very good tool to use when infected, post #6 shows Malwarebytes clean; jump to post #25 and, after we have uncovered many layers of nasties, Malwarebytes was able to see the remaining bits.

#33
November 28, 2014 at 06:05:32
OK. Trying again. Did the unclick proxy and downloaded the FRST to the Desktop. Bear with me, kinda new to this stuff.

http://www26.zippyshare.com/v/23464...

http://www26.zippyshare.com/v/81338...

Off to my part-time job, back this afternoon . . .

#34
November 28, 2014 at 16:14:25
Copy & Paste the text below ( starting closeprocesses: ), save it into Notepad on your Desktop & name it fixlist.txt
NOTE: It is important that Notepad is used. The fix will not work if Word or some other program is used.
NOTE: It is important that both files, FRST/FRST64 and fixlist.txt are in the same location or the fix will not work.
NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.

closeprocesses:
emptytemp:
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
HKU\S-1-5-21-2277337054-3082054672-1405126948-1000\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
Wajam (HKLM-x32\...\WajaIE) (Version: 2.13 (i2.5) - Wajam) <==== ATTENTION
SearchScopes: HKLM-x32 -> {D944BB61-2E34-4DBF-A683-47E505C587DC} URL = http://rover.ebay.com/rover/1/711-3...
HKLM-x32\...\Run: [] => [X]
Winlogon\Notify\igfxcui: [X]
S3 catchme; \??\C:\ComboFix\catchme.sys [X]
S3 cpuz136; \??\C:\Users\user\AppData\Local\Temp\cpuz136\cpuz136_x64.sys [X]
ProxyEnable: [S-1-5-21-2277337054-3082054672-1405126948-1000] => Internet Explorer proxy is enabled.
ProxyServer: [S-1-5-21-2277337054-3082054672-1405126948-1000] => http=127.0.0.1:49617;https=127.0.0.1:49617
Toolbar: HKU\S-1-5-21-2277337054-3082054672-1405126948-1000 -> No Name - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No File
FF Plugin: @microsoft.com/GENUINE -> disabled No File
FF Plugin-x32: @microsoft.com/GENUINE -> disabled No File
C:\Users\user\AppData\Local\Temp\Quarantine.exe
C:\Users\user\AppData\Local\Temp\sqlite3.dll
FF Keyword.URL: hxxp://www.bing.com/search?FORM=U270DF&PC=U270&q=
CHR StartupUrls: Default -> "hxxp://mysearch.avg.com/?cid={7B79B8A5-1239-44E1-BF28-153359B15CD5}&mid=4770f3420e2147d6ad8ad14acce4e9e6-b602d594afd2b0b327e07a06f36ca6a7e42546d0&lang=en&ds=AVG&pr=fr&d=2013-02-06%2000:16:47&v=14.0.0.14&pid=safeguard&sg=1&sap=hp", "hxxp://mysearch.avg.com/?cid={7B79B8A5-1239-44E1-BF28-153359B15CD5}&mid=4770f3420e2147d6ad8ad14acce4e9e6-b602d594afd2b0b327e07a06f36ca6a7e42546d0&lang=en&ds=AVG&pr=fr&d=2013-02-06%2000:16:47&v=14.2.0.1&pid=safeguard&sg=1&sap=hp", "hxxp://search.conduit.com/?CUI=UN79960371128454239&ctid=CT3279141&SearchSource=48", "hxxp://search.conduit.com/?CUI=UN37485405002211423&ctid=CT3275393&SearchSource=48", "hxxp://search.conduit.com/?ctid=CT3289847&SearchSource=48&CUI=UN44736001815097277&UM=2", "hxxp://search.conduit.com/?ctid=CT3289847&SearchSource=48&CUI=UN37578925129132168&UM=2", "hxxp://search.conduit.com/?ctid=CT3289663&SearchSource=48&CUI=UN19578634152859214&UM=2", "hxxp://www.trovi.com/?gd=&ctid=CT3321560&octid=EB_ORIGINAL_CTID&ISID=M4DB2EDB1-1969-49A0-B3D1-16502EBF337F&SearchSource=55&CUI=&UM=5&UP=SP028B7123-09D8-419B-8D73-91A3F847FB7A&SSPV=", "hxxp://securedsearch2.lavasoft.com/index.php?pr=vmn&id=adawaretb&v=3_9&idate=2014-09-07&gen=cnet&ent=hp&u=D8D8508A7FD630FF7F5FE0540C869B0E"
Viewpoint Media Player (HKLM-x32\...\ViewpointMediaPlayer) (Version: - )
FF Plugin-x32: @viewpoint.com/VMP -> C:\Program Files (x86)\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll ()

Run FRST/FRST64 and press the Fix button just once and wait.
If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.
When finished FRST will generate a log on the Desktop (Fixlog.txt). Please Copy & Paste the contents into your reply.

#35
November 28, 2014 at 17:34:35
Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 26-11-2014 01
Ran by user at 2014-11-28 20:25:16 Run:1
Running from C:\Users\user\Desktop
Loaded Profile: user (Available profiles: user)
Boot Mode: Normal
==============================================

Content of fixlist:
*****************
closeprocesses:
emptytemp:
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
HKU\S-1-5-21-2277337054-3082054672-1405126948-1000\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
Wajam (HKLM-x32\...\WajaIE) (Version: 2.13 (i2.5) - Wajam) <==== ATTENTION
SearchScopes: HKLM-x32 -> {D944BB61-2E34-4DBF-A683-47E505C587DC} URL = http://rover.ebay.com/rover/1/711-3...
HKLM-x32\...\Run: [] => [X]
Winlogon\Notify\igfxcui: [X]
S3 catchme; \??\C:\ComboFix\catchme.sys [X]
S3 cpuz136; \??\C:\Users\user\AppData\Local\Temp\cpuz136\cpuz136_x64.sys [X]
ProxyEnable: [S-1-5-21-2277337054-3082054672-1405126948-1000] => Internet Explorer proxy is enabled.
ProxyServer: [S-1-5-21-2277337054-3082054672-1405126948-1000] => http=127.0.0.1:49617;https=127.0.0.1:49617
Toolbar: HKU\S-1-5-21-2277337054-3082054672-1405126948-1000 -> No Name - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No File
FF Plugin: @microsoft.com/GENUINE -> disabled No File
FF Plugin-x32: @microsoft.com/GENUINE -> disabled No File
C:\Users\user\AppData\Local\Temp\Quarantine.exe
C:\Users\user\AppData\Local\Temp\sqlite3.dll
FF Keyword.URL: hxxp://www.bing.com/search?FORM=U270DF&PC=U270&q=
CHR StartupUrls: Default -> "hxxp://mysearch.avg.com/?cid={7B79B8A5-1239-44E1-BF28-153359B15CD5}&mid=4770f3420e2147d6ad8ad14acce4e9e6-b602d594afd2b0b327e07a06f36ca6a7e42546d0&lang=en&ds=AVG&pr=fr&d=2013-02-06%2000:16:47&v=14.0.0.14&pid=safeguard&sg=1&sap=hp", "hxxp://mysearch.avg.com/?cid={7B79B8A5-1239-44E1-BF28-153359B15CD5}&mid=4770f3420e2147d6ad8ad14acce4e9e6-b602d594afd2b0b327e07a06f36ca6a7e42546d0&lang=en&ds=AVG&pr=fr&d=2013-02-06%2000:16:47&v=14.2.0.1&pid=safeguard&sg=1&sap=hp", "hxxp://search.conduit.com/?CUI=UN79960371128454239&ctid=CT3279141&SearchSource=48", "hxxp://search.conduit.com/?CUI=UN37485405002211423&ctid=CT3275393&SearchSource=48", "hxxp://search.conduit.com/?ctid=CT3289847&SearchSource=48&CUI=UN44736001815097277&UM=2", "hxxp://search.conduit.com/?ctid=CT3289847&SearchSource=48&CUI=UN37578925129132168&UM=2", "hxxp://search.conduit.com/?ctid=CT3289663&SearchSource=48&CUI=UN19578634152859214&UM=2", "hxxp://www.trovi.com/?gd=&ctid=CT3321560&octid=EB_ORIGINAL_CTID&ISID=M4DB2EDB1-1969-49A0-B3D1-16502EBF337F&SearchSource=55&CUI=&UM=5&UP=SP028B7123-09D8-419B-8D73-91A3F847FB7A&SSPV=", "hxxp://securedsearch2.lavasoft.com/index.php?pr=vmn&id=adawaretb&v=3_9&idate=2014-09-07&gen=cnet&ent=hp&u=D8D8508A7FD630FF7F5FE0540C869B0E"
Viewpoint Media Player (HKLM-x32\...\ViewpointMediaPlayer) (Version: - )
FF Plugin-x32: @viewpoint.com/VMP -> C:\Program Files (x86)\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll ()
*****************

Processes closed successfully.
"HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer" => Key deleted successfully.
"HKU\S-1-5-21-2277337054-3082054672-1405126948-1000\SOFTWARE\Policies\Microsoft\Internet Explorer" => Key deleted successfully.
Wajam (HKLM-x32\...\WajaIE) (Version: 2.13 (i2.5) - Wajam) <==== ATTENTION => Error: No automatic fix found for this entry.
"HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\{D944BB61-2E34-4DBF-A683-47E505C587DC}" => Key deleted successfully.
"HKCR\Wow6432Node\CLSID\{D944BB61-2E34-4DBF-A683-47E505C587DC}" => Key not found.
HKLM\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\\ => value deleted successfully.
"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui" => Key deleted successfully.
catchme => Service deleted successfully.
cpuz136 => Service deleted successfully.
HKU\S-1-5-21-2277337054-3082054672-1405126948-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxyEnable => value deleted successfully.
HKU\S-1-5-21-2277337054-3082054672-1405126948-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxyServer => value deleted successfully.
HKU\S-1-5-21-2277337054-3082054672-1405126948-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} => value deleted successfully.
"HKCR\CLSID\{7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA}" => Key not found.
"HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE" => Key deleted successfully.
"HKLM\Software\Wow6432Node\MozillaPlugins\@microsoft.com/GENUINE" => Key deleted successfully.
C:\Users\user\AppData\Local\Temp\Quarantine.exe => Moved successfully.
C:\Users\user\AppData\Local\Temp\sqlite3.dll => Moved successfully.
Firefox Keyword.URL deleted successfully.
Chrome StartupUrls deleted successfully.
Viewpoint Media Player (HKLM-x32\...\ViewpointMediaPlayer) (Version: - ) => Error: No automatic fix found for this entry.
"HKLM\Software\Wow6432Node\MozillaPlugins\@viewpoint.com/VMP" => Key deleted successfully.
C:\Program Files (x86)\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll => Moved successfully.
EmptyTemp: => Removed 510.9 MB temporary data.


The system needed a reboot.

==== End of Fixlog ====

#36
November 28, 2014 at 17:40:54
"did the unclick proxy"
Refer to the SS (screenshot) & make sure this is how yours is set up.
http://i.imgur.com/faNPuAO.gif

#37
November 28, 2014 at 17:45:16
I unchecked that a couple of times ago. It was checked now and I unchecked it.

#38
November 28, 2014 at 17:50:27
Reboot & recheck again please. I cannot assume anything; got to make sure it has stuck.

#39
November 28, 2014 at 17:56:29
Yes, the reboot is apparently causing it to be checked.

#40
November 28, 2014 at 18:02:17
Just rebooted again, it came up checked.

#41
November 28, 2014 at 18:05:03
"yes, the reboot is apparently causing it to be checked"
Something is causing the proxy to be enabled; maybe it is a requirement of AOL.

Got to go out now, maybe you can research that.

#42
November 28, 2014 at 18:06:57
Yah, I am looking there now.

#43
November 28, 2014 at 18:10:50
TCP/IP and Proxy Configurations

You can choose from two settings for your TCP/IP and proxy server preference:

Automatic proxy configuration: This setting will use the standard AOL settings when using a TCP/IP connection. This setting will work for most Internet Service Provider (ISP) and local area network (LAN) connections.
Manual proxy configuration: This setting will allow you to manually change the TCP/IP and proxy settings as needed by your firewall or proxy server.
Note: Clicking the Reset button will restore the proxy setting to the Automatic proxy configuration.

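Rather than reopening the LAN settings dialog after every reboot (#36 to #40), the two registry values behind that tick box can be read and classified directly. What follows is an added example for this thread, not something from the original posts or from any of the tools used in it. It assumes Python 3, uses the ProxyEnable/ProxyServer value names FRST printed in #34 under the user's Internet Settings key, and only needs Windows for the registry read and reset; the classification function is plain Python. A proxy on 127.0.0.1:49617 is only a symptom: which process owns that listening port (netstat -abno in an elevated prompt) is what tells you whether it belongs to a program you want, such as the AOL client described in #43, or to something unwanted.

```python
"""Check the current user's WinINET proxy values, the ones behind the LAN settings
box in post #22 and the two lines FRST flagged in post #34:

    ProxyEnable: [S-1-5-21-...-1000] => Internet Explorer proxy is enabled.
    ProxyServer: [S-1-5-21-...-1000] => http=127.0.0.1:49617;https=127.0.0.1:49617

Added example for this thread, not a tool from the original post.  The registry
read and reset only run on Windows; the classification is pure Python so the
verdicts can be checked anywhere.  Run it after each reboot to see whether the
setting really stuck, instead of re-opening the dialog."""
import sys
from ipaddress import ip_address

KEY_PATH = r"Software\Microsoft\Windows\CurrentVersion\Internet Settings"


def parse_proxy_server(value):
    """Split a ProxyServer string into {scheme: "host:port"}.
    WinINET accepts "host:port" (used for every protocol, keyed "*" here)
    or a ';'-separated list such as "http=host:port;https=host:port"."""
    proxies = {}
    for part in filter(None, (p.strip() for p in value.split(";"))):
        scheme, _, hostport = part.rpartition("=")
        proxies[scheme or "*"] = hostport
    return proxies


def host_is_loopback(hostport):
    """True for 127.x, ::1 or localhost; the bracketed IPv6 form is handled too."""
    host = hostport.rsplit(":", 1)[0].strip("[]")
    if host.lower() == "localhost":
        return True
    try:
        return ip_address(host).is_loopback
    except ValueError:          # a hostname, not an address
        return False


def classify_proxy(proxy_enable, proxy_server):
    """'direct', 'remote-proxy' or 'loopback-proxy' for a ProxyEnable/ProxyServer pair."""
    if not proxy_enable or not proxy_server:
        return "direct"
    if any(host_is_loopback(hp) for hp in parse_proxy_server(proxy_server).values()):
        # Some local process is sitting between the browser and the internet.
        # Which one owns the port is the question to answer before deleting it:
        # in an elevated prompt, "netstat -abno" lists listening ports with the
        # owning executable and PID; look up the port named in ProxyServer.
        return "loopback-proxy"
    return "remote-proxy"


def read_wininet_proxy():
    """Current user's (ProxyEnable, ProxyServer); Windows only."""
    import winreg
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, KEY_PATH) as key:
        return _value(key, "ProxyEnable", 0), _value(key, "ProxyServer", "")


def _value(key, name, default):
    import winreg
    try:
        return winreg.QueryValueEx(key, name)[0]
    except FileNotFoundError:
        return default


def disable_proxy():
    """Same effect as unticking the box in post #22: ProxyEnable=0, ProxyServer removed."""
    import winreg
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, KEY_PATH, 0, winreg.KEY_SET_VALUE) as key:
        winreg.SetValueEx(key, "ProxyEnable", 0, winreg.REG_DWORD, 0)
        try:
            winreg.DeleteValue(key, "ProxyServer")
        except FileNotFoundError:
            pass


if __name__ == "__main__":
    if sys.platform != "win32":
        sys.exit("the registry part needs Windows; classify_proxy() works anywhere")
    enable, server = read_wininet_proxy()
    print(f"ProxyEnable={enable} ProxyServer={server!r} -> {classify_proxy(enable, server)}")
    if "--disable" in sys.argv and classify_proxy(enable, server) != "direct":
        disable_proxy()
        print("proxy disabled; reboot and run again to see whether something re-enables it")
```

The script only touches the per-user key that FRST listed; a policy-driven proxy (the HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer key the fixlist also removed) or the AOL client's own automatic proxy configuration can still write it back, which is why the check is worth repeating after the reboot rather than trusting the dialog once.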
#44
November 28, 2014 at 18:17:53
Ok, that explains it.

Run DelFix
https://toolslib.net/downloads/view...
DelFix is designed to delete all removal tools used during a disinfection.
Indeed, these tools are often updated. It's recommended not to have and use outdated versions on the computer.
It's compatible with Windows XP, Vista, 7, 8 in 32 & 64 bits.
Run the tool by right-clicking on the DelFix icon and choosing the Run as administrator option.
Make sure that these ones are checked:
Remove disinfection tools
Purge system restore
Reset system settings
Click Run and wait until the tool completes its work.
All tools we used should be gone. The tool will create a report for you (C:\DelFix.txt).

#45
November 28, 2014 at 18:19:57
I will not lose my ability to do a system restore if need be, will I?

#46
November 28, 2014 at 18:21:13
Seems the only way to do it otherwise is to download the latest AOL, 10.1, which I don't care about. Might try it on the other computer.

#47
November 28, 2014 at 18:22:01
No, we are removing all the infected files from your previous restore points.

#48
November 28, 2014 at 18:23:09
OK, I'll do it now.

#49
November 28, 2014 at 18:28:33
# DelFix v10.8 - Logfile created 28/11/2014 at 21:26:43
# Updated 29/07/2014 by Xplode
# Username : user - USER-HP
# Operating System : Windows 7 Home Premium Service Pack 1 (64 bits)

~ Removing disinfection tools ...

Deleted : C:\Qoobox
Deleted : C:\FRST
Deleted : C:\AdwCleaner
Deleted : C:\ComboFix.txt
Deleted : C:\TDSSKiller.2.7.22.0_12.10.2013_19.37.04_log.txt
Deleted : C:\TDSSKiller.2.7.22.0_16.04.2013_09.56.07_log.txt
Deleted : C:\TDSSKiller.2.7.22.0_16.04.2013_09.58.12_log.txt
Deleted : C:\TDSSKiller.2.7.22.0_24.08.2013_17.30.36_log.txt
Deleted : C:\TDSSKiller.2.7.26.0_06.07.2013_21.21.11_log.txt
Deleted : C:\TDSSKiller.2.8.16.0_16.04.2013_09.59.07_log.txt
Deleted : C:\TDSSKiller.2.8.16.0_16.08.2014_21.30.59_log.txt
Deleted : C:\TDSSKiller.2.8.16.0_19.07.2014_22.45.36_log.txt
Deleted : C:\TDSSKiller.2.8.16.0_28.09.2014_17.26.47_log.txt
Deleted : C:\TDSSKiller.2.8.16.0_29.09.2013_13.20.00_log.txt
Deleted : C:\TDSSKiller.3.0.0.12_12.10.2013_19.38.53_log.txt
Deleted : C:\TDSSKiller.3.0.0.40_16.08.2014_21.31.28_log.txt
Deleted : C:\TDSSKiller.3.0.0.40_19.07.2014_22.45.57_log.txt
Deleted : C:\TDSSKiller.3.0.0.40_28.09.2014_17.28.00_log.txt
Deleted : C:\Users\user\Desktop\Addition.txt
Deleted : C:\Users\user\Desktop\Fixlog.txt
Deleted : C:\Users\user\Desktop\FRST.txt
Deleted : C:\Users\user\Desktop\FRST64.exe
Deleted : C:\Users\user\Desktop\JRT.txt
Deleted : C:\Users\user\Downloads\Extras.Txt
Deleted : C:\Users\user\Downloads\JRT (1).exe
Deleted : C:\Users\user\Downloads\JRT.exe
Deleted : C:\Users\user\Downloads\OTL.Txt
Deleted : C:\windows\grep.exe
Deleted : C:\windows\PEV.exe
Deleted : C:\windows\NIRCMD.exe
Deleted : C:\windows\MBR.exe
Deleted : C:\windows\SED.exe
Deleted : C:\windows\SWREG.exe
Deleted : C:\windows\SWSC.exe
Deleted : C:\windows\SWXCACLS.exe
Deleted : C:\windows\Zip.exe
Deleted : HKLM\SOFTWARE\AdwCleaner
Deleted : HKLM\SOFTWARE\Swearware
Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\combofix.exe

~ Cleaning system restore ...

Deleted : RP #138 [ComboFix created restore point | 11/06/2014 19:43:48]
Deleted : RP #139 [Windows Update | 11/12/2014 14:36:27]
Deleted : RP #140 [Windows Update | 11/12/2014 19:54:34]
Deleted : RP #141 [Windows Update | 11/19/2014 21:35:14]
Deleted : RP #142 [Checkpoint by HitmanPro | 11/26/2014 00:36:51]
Deleted : RP #143 [Checkpoint by HitmanPro | 11/26/2014 00:37:16]
Deleted : RP #144 [Checkpoint by HitmanPro | 11/26/2014 00:37:32]
Deleted : RP #145 [Checkpoint by HitmanPro | 11/26/2014 00:37:57]
Deleted : RP #146 [IObit Uninstaller restore point | 11/26/2014 01:16:30]
Deleted : RP #147 [IObit Uninstaller restore point | 11/28/2014 03:38:48]

New restore point created !

~ Resetting system settings ... OK

########## - EOF - ##########

#50
November 28, 2014 at 18:29:55
Run ViewpointKiller (just to make sure we got it all).
http://www.softpedia.com/get/Securi...

#51
November 28, 2014 at 18:35:58
----------------------------------
ViewpointKiller Version 1.23 (final)

ViewpointKiller is now attempting to remove VIEWPOINT MEDIA PLAYER...
The removal process was started at Fri Nov 28 21:32:05 2014

ViewpointKiller determined that "aim.exe" was not running.
ViewpointKiller determined that "aolsoftware.exe" was not running.
ViewpointKiller determined that "aim6.exe" was not running.
ViewpointKiller determined that "aol.exe" was not running.
ViewpointKiller determined that "MtsAxInstaller.exe" was not running.
ViewpointKiller determined that "ViewpointService.exe" was not running.


Falling back to alternate "Viewpoint Manager Service" closure...

It appears that the alternate "Viewpoint Manager Service" closure failed, or the service is not running.


Ran registry removal functions.
ViewpointKiller determined that the PROGRAMFILES variable was set to "C:\Program Files (x86)".

ViewpointKiller determined that the path "C:\Program Files (x86)\Viewpoint\Viewpoint Media Player" does not exist.
ViewpointKiller did not find the folder "C:\Program Files (x86)\Viewpoint\Viewpoint Media Player".
ViewpointKiller determined that the path "C:\Program Files (x86)\Viewpoint\Viewpoint Experience Technology" does exist.
There was an error trying to remove "C:\Program Files (x86)\Viewpoint\Viewpoint Experience Technology". The error returned was 32.
ViewpointKiller determined that the path "C:\ProgramData\Application Data\Viewpoint" does not exist.
ViewpointKiller was able to remove the "C:\ProgramData\Application Data\Viewpoint" folder successfully.
ViewpointKiller determined that the path "C:\Program Files (x86)\MetaStream" does not exist.
ViewpointKiller did not find the folder "C:\Program Files (x86)\MetaStream".
ViewpointKiller determined that the path "C:\ProgramData.WINDOWS\Application Data\Viewpoint" does not exist.
There was an error trying to remove "C:\ProgramData.WINDOWS\Application Data\Viewpoint". The error returned was 124.
ViewpointKiller determined that the path "C:\Program Files (x86)\Viewpoint\Common" does not exist.
ViewpointKiller did not find the folder "C:\Program Files (x86)\Viewpoint\Common".

Finished reporting.
----------------------------------

----------------------------------
ViewpointKiller Version 1.23 (final)

ViewpointKiller is now attempting to remove VIEWPOINT MANAGER...
The removal process was started at Fri Nov 28 21:35:31 2014

ViewpointKiller determined that "ViewMgr.exe" was not running.

Ran registry removal functions.
ViewpointKiller determined that the PROGRAMFILES variable was set to "C:\Program Files (x86)".

ViewpointKiller determined that the path "C:\Program Files (x86)\Viewpoint\Viewpoint Manager" does not exist.
ViewpointKiller did not find the folder "C:\Program Files (x86)\Viewpoint\Viewpoint Manager".
ViewpointKiller determined that the path "C:\ProgramData\Application Data\Viewpoint" does not exist.
ViewpointKiller did not find the folder "C:\ProgramData\Application Data\Viewpoint".

Finished reporting.
----------------------------------

#52
November 28, 2014 at 18:37:28
Run TFC
http://www.geekstogo.com/forum/file...
http://www.bleepingcomputer.com/dow...
http://oldtimer.geekstogo.com/TFC.exe
http://www.itxassociates.com/OT-Too...
Download it onto your Desktop. If your default download location is not the Desktop, drag it out of its location onto the Desktop.
Double-click TFC.exe to run it. (Note: If you are running on Vista/Windows 7/8, right-click on the file and choose Run As Administrator.)
It will close all programs when run, so make sure you have saved all your work before you begin.
Click the Start button to begin the process. Depending on how often you clean temp files, execution time should be anywhere from a few seconds to a minute or two. Let it run uninterrupted to completion.
Once it's finished it should reboot your machine. If it does not, please manually reboot the machine yourself to ensure a complete clean.


#53
November 28, 2014 at 18:42:32
Getting user folders.

Stopping running processes.

Emptying Temp folders.


User: All Users

User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 56466 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: HomeGroupUser$
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 2834 bytes

User: Public
->Temp folder emptied: 0 bytes

User: TEMP
->Temp folder emptied: 0 bytes

User: TEMP.Warren-PC
->Temp folder emptied: 0 bytes

User: user
->Temp folder emptied: 89400 bytes
->Temporary Internet Files folder emptied: 17133690 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 0 bytes
->Google Chrome cache emptied: 1905008 bytes
->Flash cache emptied: 58054 bytes

User: Warren
->Temp folder emptied: 0 bytes

User: Warren .000
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 128 bytes
->Flash cache emptied: 2834 bytes

User: Warren.000
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 2834 bytes

User: warren.001
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 2834 bytes

%systemdrive% .tmp files removed: 38231881 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32 (64bit) .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 242856 bytes
%systemroot%\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 128 bytes
%systemroot%\sysnative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 128 bytes

Emptying RecycleBin. Do not interrupt.

RecycleBin emptied: 0 bytes
Process complete!

Total Files Cleaned = 55.00 mb


#54
November 28, 2014 at 18:46:10
You are getting into the swing of it now, going really well.
Nearly finished.

Run both of these, in this order.
Run Wise Disk Cleaner ( Run the 1st three tabs, left to right. I use default settings, leave boxes that are unchecked, unchecked ) Reboot when finished.
http://www.softpedia.com/get/System...
http://www.wisecleaner.com/download...
http://i.imgur.com/Jecnfvb.gif
http://i.imgur.com/0xHwdom.gif
http://i.imgur.com/JZLYOLf.gif
http://i.imgur.com/4kfaeGW.gif

Run Wise Registry Cleaner ( Only use Registry Cleaner & with default settings. Don't use System Tuneup, that is for Experts, you really have to know what you are doing ) Reboot when finished.
http://www.softpedia.com/get/Tweak/...
http://www.wisecleaner.com/wiseregi...
http://i.imgur.com/Qy7HWcA.gif




#55
November 28, 2014 at 19:00:47
OK, ran both.

WRC found 1296 problems, all is good.



#56
November 28, 2014 at 19:02:28
✔ Best Answer
This wraps it up Warren, got myself ready & am going out now, catch you when I get back.

As you can see from your logs, you had a lot of stuff installed that you do not know how it got installed.
A lot of programs now give you the choice to install toolbars & other items during the install. Either uncheck these items during install, or use Custom install. No more click, click during an install; you have to read after each click.

WARNING: CNET Download.com downloads now come bundled with opt-out crapware and toolbars ( Same applies to Softonic )
http://www.groovypost.com/unplugged...

I use Softpedia, down the bottom of the page, they make you aware what Ad-supported programs the author of the program has included.
Sample pages
http://www.softpedia.com/get/CD-DVD...
First and foremost, extra attention needs to be paid during installation as ImgBurn offers to create desktop shortcuts to third-party apps, as well as install a browser toolbar onto the host computer, which are not required to ensure the smooth running of the app.
SS of above.
http://i.imgur.com/jgGYNsP.gif
This is what ImgBurn tries to install.
http://i.imgur.com/ms4DzE9.gif
http://i.imgur.com/vVkd39a.gif
http://i.imgur.com/rqFVaHs.gif
http://i.imgur.com/sm1T7h6.gif
http://i.imgur.com/vhkKLYo.gif

Use Unchecky to help prevent these third-party installs. Nothing is perfect, the baddies are always ahead of the goodies, so be vigilant.
http://www.softpedia.com/get/System...
http://unchecky.com/
A reliable application that aims to protect your computer against third-party components often offered during software installations.



#57
November 28, 2014 at 19:05:25
OK John, thank you for your help. I appreciate it.

Warren



#58
November 29, 2014 at 16:50:21
YW Warren, all's well by the looks.
