Solved On startup Windows 8.1 can not find client.exe

April 30, 2015 at 10:07:43
Specs: Windows 8.1, i5
When I log into Windows 8.1 I get an error box that says: "Can not find c:\prgram files (x86)\user extensions\client.exe"


#1
April 30, 2015 at 12:14:41
✔ Best Answer
Seems client.exe is a suspicious file. Best run these three little freebies in the order given to see what they find and fix. Note they are used frequently by helpers on here and are quite safe:

AdwCleaner:
http://www.bleepingcomputer.com/dow...
(blue Download button near top - not anything else on the page).
Download and "Save" the file somewhere. Go to the saved file then double click it to run the program. Use the "Scan" button, followed by the "Cleaning" button.

Junkware Removal Tool (JRT)
http://www.bleepingcomputer.com/dow...
(blue Download button near top - not anything else on the page).
Download and "Save" the file somewhere. Go to the saved file then double click it to run JRT. It might appear to have stopped at times or flash the screen but sit tight until it has finished.

MalwareBytes:
http://filehippo.com/download_malwa...
(green Download button top right - not anything else on the page)
Install and Run the program but before doing its Scan go to "Settings > Detection and Protection" and put a checkmark in "Scan for rootkits". Quarantine anything it finds.

Please copy/paste the logs on here because even if the symptoms are cured you are likely to still have things lurking around that require further cleaning.

Always pop back and let us know the outcome - thanks



#2
April 30, 2015 at 22:52:31
Thanks for your help. The first one did the trick.


#3
April 30, 2015 at 22:58:58
"Thanks for your help. The first one did the trick"
You will not be clean yet. This malware is like cancer, you have to get the lot.

Even after running the 3 programs, there will be more work to be done.

Copy & Paste the contents of the logs please.



#4
May 13, 2015 at 07:25:25
Hi. I'm having the same problem and have run the 3 recommended programs. I've included my log files and was hoping you might look and see if I still have malicious files that need addressing. Thanks in advance.
Scott
<?xml version="1.0" encoding="UTF-16"?>

<mbam-log>


<header>

<date>2015/05/13 07:56:01 -0500</date>

<logfile>mbam-log-2015-05-13 (07-55-59).xml</logfile>

<isadmin>yes</isadmin>

</header>


<engine>

<version>2.01.6.1022</version>

<malware-database>v2015.05.13.03</malware-database>

<rootkit-database>v2015.04.21.01</rootkit-database>

<license>trial</license>

<file-protection>enabled</file-protection>

<web-protection>enabled</web-protection>

<self-protection>disabled</self-protection>

</engine>


<system>

<osversion>Windows 8.1</osversion>

<arch>x64</arch>

<username>kenzie and christi</username>

<filesys>NTFS</filesys>

</system>


<summary>

<type>threat</type>

<result>completed</result>

<objects>342238</objects>

<time>1650</time>

<processes>0</processes>

<modules>0</modules>

<keys>3</keys>

<values>2</values>

<datas>0</datas>

<folders>0</folders>

<files>0</files>

<sectors>0</sectors>

</summary>


<options>

<memory>enabled</memory>

<startup>enabled</startup>

<filesystem>enabled</filesystem>

<archives>enabled</archives>

<rootkits>enabled</rootkits>

<deeprootkit>disabled</deeprootkit>

<heuristics>enabled</heuristics>

<pup>enabled</pup>

<pum>enabled</pum>

</options>


<items>


<key>

<path>HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\UPDATECHECK</path>

<vendor>PUP.Optional.Coupoon.A</vendor>

<action>success</action>

<hash>bf68a6ed276316207f036efc798c60a0</hash>

</key>


<key>

<path>HKU\S-1-5-18\SOFTWARE\APPDATALOW\SOFTWARE\coupoon</path>

<vendor>PUP.Optional.Coupoon.A</vendor>

<action>success</action>

<hash>ba6d6c272f5bf5415032fc69bc49b749</hash>

</key>


<key>

<path>HKU\S-1-5-21-349792416-3134956358-2395811717-1002\SOFTWARE\RapidMediaConverterApp</path>

<vendor>PUP.Optional.RapidMediaConverter.A</vendor>

<action>success</action>

<hash>3dea246fd1b94fe74c946009d233b749</hash>

</key>


<value>

<path>HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN</path>

<valuename>ospd_us_1055</valuename>

<vendor>PUP.Optional.OneSoftPerDay.A</vendor>

<action>success</action>

<valuedata/>

<hash>8b9c63308a00e74fba0653a0ac5736ca</hash>

</value>


<value>

<path>HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\UPDATECHECK</path>

<valuename>ImagePath</valuename>

<vendor>PUP.Optional.Coupoon.A</vendor>

<action>success</action>

<valuedata>C:\Program Files (x86)\Coupoon\UpdateCheck.exe run </valuedata>

<hash>bf68a6ed276316207f036efc798c60a0</hash>

</value>

</items>

</mbam-log>

# AdwCleaner v4.203 - Logfile created 13/05/2015 at 07:11:44
# Updated 30/04/2015 by Xplode
# Database : 2015-05-12.2 [Server]
# Operating system : Windows 8.1 (x64)
# Username : kenzie and christi - CHRISTI-KENZIE
# Running from : C:\Users\kenzie and christi\Downloads\adwcleaner_4.203.exe
# Option : Scan

***** [ Services ] *****

Service Found : netfilter64
Service Found : CoupoonService64

***** [ Files / Folders ] *****

File Found : C:\END
File Found : C:\Users\Public\Desktop\eBay.lnk
File Found : C:\WINDOWS\System32\drivers\netfilter64.sys
Folder Found : C:\Program Files (x86)\coupoon
Folder Found : C:\Program Files (x86)\Coupoon
Folder Found : C:\Program Files (x86)\predm
Folder Found : C:\Program Files\coupoon
Folder Found : C:\Program Files\Coupoon
Folder Found : C:\ProgramData\{37f1a116-191c-dbd8-37f1-1a1161918458}

***** [ Scheduled tasks ] *****

Task Found : Check Updates
Task Found : GeniusBox
Task Found : Validate Installation

***** [ Shortcuts ] *****


***** [ Registry ] *****

Data Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings [ProxyEnable] - 1
Data Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings [ProxyOverride] - <-loopback>
Data Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings [ProxyServer] - hxxp=127.0.0.1:49355;hxxps=127.0.0.1:49355
Key Found : HKCU\Software\geniusboxinstalled
Key Found : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{015DB5FA-EAFB-4592-A95B-F44D3EE87FA9}
Key Found : HKCU\Software\Search Extensions
Key Found : HKCU\Software\Super Optimizer
Key Found : [x64] HKCU\Software\geniusboxinstalled
Key Found : [x64] HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{015DB5FA-EAFB-4592-A95B-F44D3EE87FA9}
Key Found : [x64] HKCU\Software\Search Extensions
Key Found : [x64] HKCU\Software\Super Optimizer
Key Found : HKLM\SOFTWARE\coupoon
Key Found : HKLM\SOFTWARE\Coupoon
Key Found : HKLM\SOFTWARE\GeniusBox
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\GeniusBox
Key Found : HKLM\SOFTWARE\ORBTR
Key Found : HKLM\SOFTWARE\Tutorials
Key Found : [x64] HKLM\SOFTWARE\coupoon
Key Found : [x64] HKLM\SOFTWARE\Coupoon
Value Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings [DefaultConnectionSettings]
Value Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings [SavedLegacySettings]

***** [ Web browsers ] *****

-\\ Internet Explorer v11.0.9600.17416


*************************

AdwCleaner[R0].txt - [2530 bytes] - [13/05/2015 07:11:44]

########## EOF - C:\AdwCleaner\AdwCleaner[R0].txt - [2589 bytes] ##########


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Thisisu
Version: 6.7.0 (05.09.2015:1)
OS: Windows 8.1 x64
Ran by kenzie and christi on Wed 05/13/2015 at 7:19:30.21
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


~~~ Services

~~~ Tasks

Successfully deleted: [Task] C:\WINDOWS\system32\tasks\Optimize Start Menu Cache Files-S-1-5-21-115118928-520901032-3686030894-500
Successfully deleted: [Task] C:\WINDOWS\system32\tasks\Optimize Start Menu Cache Files-S-1-5-21-349792416-3134956358-2395811717-1002
Successfully deleted: [Task] C:\WINDOWS\system32\tasks\Optimize Start Menu Cache Files-S-1-5-21-349792416-3134956358-2395811717-500
Successfully deleted: [Task] C:\WINDOWS\system32\tasks\Optimize Start Menu Cache Files-S-1-5-21-3642419692-2220924000-3342007480-500

~~~ Registry Values

~~~ Registry Keys

~~~ Files

~~~ Folders

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on Wed 05/13/2015 at 7:22:04.19
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
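
The AdwCleaner scan log above can be triaged mechanically before it is handed to a helper. The following is an added example, not part of the original thread and not AdwCleaner's own code: it parses that log layout, collapses case-only and `[x64]` duplicates, and flags the loopback proxy setting, the driver-backed service and the scheduled tasks for manual review. The function names and the treatment of `[x64]` entries as duplicates are assumptions; the sample lines are an excerpt of the log above.

```python
import re
from collections import defaultdict

# Excerpt of the AdwCleaner v4.203 scan log from reply #4 (lines copied from
# the thread; which lines to include was chosen for this example).
SAMPLE_LOG = r"""
***** [ Services ] *****

Service Found : netfilter64
Service Found : CoupoonService64

***** [ Files / Folders ] *****

File Found : C:\WINDOWS\System32\drivers\netfilter64.sys
Folder Found : C:\Program Files (x86)\coupoon
Folder Found : C:\Program Files (x86)\Coupoon

***** [ Scheduled tasks ] *****

Task Found : Check Updates
Task Found : GeniusBox
Task Found : Validate Installation

***** [ Registry ] *****

Data Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings [ProxyEnable] - 1
Data Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings [ProxyServer] - hxxp=127.0.0.1:49355;hxxps=127.0.0.1:49355
Key Found : HKCU\Software\geniusboxinstalled
Key Found : [x64] HKCU\Software\geniusboxinstalled
Key Found : HKLM\SOFTWARE\coupoon
Key Found : HKLM\SOFTWARE\Coupoon
"""

SECTION_RE = re.compile(r"^\*{5} \[ (.+?) \] \*{5}$")   # ***** [ Name ] *****
ENTRY_RE = re.compile(r"^(\w+) Found : (.+)$")           # Kind Found : value
DATA_RE = re.compile(r"^(.*) \[(\w+)\] - (.*)$")         # key [ValueName] - data
LOOPBACK_RE = re.compile(r"(?:^|[=;])(?:127\.0\.0\.1|localhost):\d+", re.I)


def parse_adwcleaner(text):
    """Return {section: [(kind, value), ...]} with duplicate entries collapsed."""
    sections = defaultdict(list)
    seen = set()
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            continue
        m = ENTRY_RE.match(line)
        if not (m and current):
            continue
        kind, value = m.group(1), m.group(2)
        # Assumption: an "[x64]" entry is the same key reported a second time.
        value = re.sub(r"^\[x64\] ", "", value)
        # Windows paths and registry key names are case-insensitive, so
        # "coupoon" and "Coupoon" name one object.
        key = (current, kind, value.lower())
        if key not in seen:
            seen.add(key)
            sections[current].append((kind, value))
    return dict(sections)


def triage(sections):
    """Return (label, detail) notes for entries that deserve a manual look."""
    notes = []
    # A .sys file under System32\drivers whose name matches a listed service
    # is a kernel driver registered as that service.
    services = {v.lower() for _, v in sections.get("Services", [])}
    for kind, path in sections.get("Files / Folders", []):
        m = re.search(r"\\system32\\drivers\\([^\\]+)\.sys$", path, re.I)
        if kind == "File" and m and m.group(1).lower() in services:
            notes.append(("driver-backed service", path))
    # ProxyEnable=1 with ProxyServer on loopback sends browser traffic
    # through a process running on the machine itself.
    proxy = {}
    for kind, value in sections.get("Registry", []):
        m = DATA_RE.match(value)
        if kind == "Data" and m and m.group(1).lower().endswith(r"\internet settings"):
            proxy[m.group(2)] = m.group(3)
    server = proxy.get("ProxyServer", "")
    if proxy.get("ProxyEnable") == "1" and LOOPBACK_RE.search(server):
        notes.append(("proxy points at loopback", server))
    # Scheduled tasks can re-run a removed program, so list every one.
    for _, name in sections.get("Scheduled tasks", []):
        notes.append(("scheduled task", name))
    return notes


if __name__ == "__main__":
    for label, detail in triage(parse_adwcleaner(SAMPLE_LOG)):
        print(f"{label:26} {detail}")
```
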



#5
May 13, 2015 at 07:29:28
I'm online DScottW & can help.

Run RogueKiller
http://www.softpedia.com/get/Securi...
http://majorgeeks.com/RogueKiller_d...
http://www.geekstogo.com/forum/file...
http://tigzy.geekstogo.com/roguekil...
http://www.sur-la-toile.com/RogueKi...
User Guide
http://www.adlice.com/softwares/rog...
Official tutorial
http://www.adlice.com/softwares/rog...
How to Temporarily Disable your Anti-virus
http://www.bleepingcomputer.com/for...
http://www.techsupportforum.com/for...
If RogueKiller won't run, open IE & turn off SmartScreen Filter.
http://windows.microsoft.com/en-AU/...
http://www.askvg.com/how-to-disable...
Download & SAVE to your Desktop. If your default download location is not the Desktop, drag it out of its location onto the Desktop.
Quit all programs that you may have started.
Shutdown your antivirus to avoid any conflicts.
Please disconnect any USB or external drives from the computer before you run this scan!
For Vista or Windows 7/8, right-click and select "Run as Administrator" to start

For Windows XP, double-click to start.
Wait until Prescan has finished ...
Then Click on "Scan" button
Wait until the Status box shows "Scan Finished"
Anything that is not checked, leave it unchecked.
Click on "Delete"
Wait until the Status box shows "Deleting Finished"
Click on "Report" and Copy & Paste the content of the Notepad into your next reply.
The log should be found in RKreport[1].txt on your Desktop.
Exit/Close RogueKiller.
When completed, make sure to re-enable your antivirus.



#6
May 14, 2015 at 00:52:42
Thank you John. This is the report from Roguekiller. There were several files listed under the Registry and the Antirootkit tabs, but none of the boxes were checked off so I left them all alone.


#7
May 14, 2015 at 01:09:03
"This is the report from Roguekiller"
No log Scott?

message edited by Johnw



#8
May 14, 2015 at 08:12:40
Wow! Sorry about that.

(1st LOG)

RogueKiller V10.6.3.0 (x64) [May 11 2015] by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : http://forum.adlice.com
Website : http://www.adlice.com/softwares/rog...
Blog : http://www.adlice.com

Operating System : Windows 8.1 (6.3.9200 ) 64 bits version
Started in : Normal mode
User : kenzie and christi [Administrator]
Started from : C:\Program Files\RogueKiller\RogueKiller.exe
Mode : Scan -- Date : 05/14/2015 00:47:37

¤¤¤ Processes : 1 ¤¤¤
[VT.Unknown] MRT.exe(5872) -- C:\WINDOWS\system32\MRT.exe[7] -> Killed [TermThr]

¤¤¤ Registry : 25 ¤¤¤
[Orphan] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | WebCheck : {E6FB5E20-DE35-11CF-9C87-00AA005127ED} -> Found
[Orphan] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | WebCheck : {E6FB5E20-DE35-11CF-9C87-00AA005127ED} -> Found
[Orphan] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\ SkyDrive1 | (default) : {F241C880-6982-4CE5-8CF7-7085BA96DA5A} -> Found
[Orphan] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\ SkyDrive2 | (default) : {A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E} -> Found
[Orphan] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\ SkyDrive3 | (default) : {BBACC218-34EA-4666-9D7A-C78F2274A524} -> Found
[Orphan] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\ SkyDrive1 | (default) : {F241C880-6982-4CE5-8CF7-7085BA96DA5A} -> Found
[Orphan] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\ SkyDrive2 | (default) : {A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E} -> Found
[Orphan] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\ SkyDrive3 | (default) : {BBACC218-34EA-4666-9D7A-C78F2274A524} -> Found
[Orphan] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} -> Found
[Orphan] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6D53EC84-6AAE-4787-AEEE-F4628F01010C} -> Found
[Orphan] (X86) HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar | {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} : Norton Toolbar -> Found
[Orphan] (X64) HKEY_USERS\S-1-5-21-349792416-3134956358-2395811717-1002\SOFTWARE\Microsoft\Internet Explorer\Toolbar\WebBrowser | {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} : -> Found
[Orphan] (X86) HKEY_USERS\S-1-5-21-349792416-3134956358-2395811717-1002\SOFTWARE\Microsoft\Internet Explorer\Toolbar\WebBrowser | {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} : -> Found
[PUM.DesktopIcons] (X64) HKEY_USERS\S-1-5-21-349792416-3134956358-2395811717-1002\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\ClassicStartMenu | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1 -> Found
[PUM.DesktopIcons] (X64) HKEY_USERS\S-1-5-21-349792416-3134956358-2395811717-1002\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\ClassicStartMenu | {59031a47-3f72-44a7-89c5-5595fe6b30ee} : 1 -> Found
[PUM.DesktopIcons] (X86) HKEY_USERS\S-1-5-21-349792416-3134956358-2395811717-1002\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\ClassicStartMenu | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1 -> Found
[PUM.DesktopIcons] (X86) HKEY_USERS\S-1-5-21-349792416-3134956358-2395811717-1002\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\ClassicStartMenu | {59031a47-3f72-44a7-89c5-5595fe6b30ee} : 1 -> Found
[PUM.DesktopIcons] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1 -> Found
[PUM.DesktopIcons] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {59031a47-3f72-44a7-89c5-5595fe6b30ee} : 1 -> Found
[PUM.DesktopIcons] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1 -> Found
[PUM.DesktopIcons] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {59031a47-3f72-44a7-89c5-5595fe6b30ee} : 1 -> Found
[PUM.DesktopIcons] (X64) HKEY_USERS\S-1-5-21-349792416-3134956358-2395811717-1002\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {59031a47-3f72-44a7-89c5-5595fe6b30ee} : 1 -> Found
[PUM.DesktopIcons] (X64) HKEY_USERS\S-1-5-21-349792416-3134956358-2395811717-1002\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1 -> Found
[PUM.DesktopIcons] (X86) HKEY_USERS\S-1-5-21-349792416-3134956358-2395811717-1002\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {59031a47-3f72-44a7-89c5-5595fe6b30ee} : 1 -> Found
[PUM.DesktopIcons] (X86) HKEY_USERS\S-1-5-21-349792416-3134956358-2395811717-1002\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1 -> Found

¤¤¤ Tasks : 0 ¤¤¤

¤¤¤ Files : 0 ¤¤¤

¤¤¤ Hosts File : 0 ¤¤¤

¤¤¤ Antirootkit : 0 (Driver: Loaded) ¤¤¤

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: TOSHIBA MQ01ABD075 SATA Disk Device +++++
--- User ---
[MBR] f06d394c69b99d19f05bd38f2b018085
[BSP] 1dac98500ab1d7d6d7ab9694ae4a9676 : Empty MBR Code
Partition table:
0 - [SYSTEM][MAN-MOUNT] Basic data partition | Offset (sectors): 2048 | Size: 400 MB
1 - [MAN-MOUNT] EFI system partition | Offset (sectors): 821248 | Size: 260 MB
2 - [MAN-MOUNT] Microsoft reserved partition | Offset (sectors): 1353728 | Size: 128 MB
3 - Basic data partition | Offset (sectors): 1615872 | Size: 688627 MB
4 - [SYSTEM][MAN-MOUNT] | Offset (sectors): 1411923968 | Size: 451 MB
5 - [SYSTEM] Basic data partition | Offset (sectors): 1412847616 | Size: 25537 MB
User = LL1 ... OK
User = LL2 ... OK

(2nd LOG)

RogueKiller V10.6.3.0 (x64) [May 11 2015] by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : http://forum.adlice.com
Website : http://www.adlice.com/softwares/rog...
Blog : http://www.adlice.com

Operating System : Windows 8.1 (6.3.9200 ) 64 bits version
Started in : Normal mode
User : kenzie and christi [Administrator]
Started from : C:\Program Files\RogueKiller\RogueKiller.exe
Mode : Delete -- Date : 05/14/2015 00:54:41

¤¤¤ Processes : 1 ¤¤¤
[VT.Unknown] MRT.exe(5872) -- C:\WINDOWS\system32\MRT.exe[7] -> Killed [TermThr]

¤¤¤ Registry : 25 ¤¤¤
[Orphan] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | WebCheck : {E6FB5E20-DE35-11CF-9C87-00AA005127ED} -> Not selected
[Orphan] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | WebCheck : {E6FB5E20-DE35-11CF-9C87-00AA005127ED} -> Not selected
[Orphan] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\ SkyDrive1 | (default) : {F241C880-6982-4CE5-8CF7-7085BA96DA5A} -> Not selected
[Orphan] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\ SkyDrive2 | (default) : {A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E} -> Not selected
[Orphan] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\ SkyDrive3 | (default) : {BBACC218-34EA-4666-9D7A-C78F2274A524} -> Not selected
[Orphan] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\ SkyDrive1 | (default) : {F241C880-6982-4CE5-8CF7-7085BA96DA5A} -> Not selected
[Orphan] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\ SkyDrive2 | (default) : {A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E} -> Not selected
[Orphan] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\ SkyDrive3 | (default) : {BBACC218-34EA-4666-9D7A-C78F2274A524} -> Not selected
[Orphan] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} -> Not selected
[Orphan] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6D53EC84-6AAE-4787-AEEE-F4628F01010C} -> Not selected
[Orphan] (X86) HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar | {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} : Norton Toolbar -> Not selected
[Orphan] (X64) HKEY_USERS\S-1-5-21-349792416-3134956358-2395811717-1002\SOFTWARE\Microsoft\Internet Explorer\Toolbar\WebBrowser | {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} : -> Not selected
[Orphan] (X86) HKEY_USERS\S-1-5-21-349792416-3134956358-2395811717-1002\SOFTWARE\Microsoft\Internet Explorer\Toolbar\WebBrowser | {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} : -> Not selected
[PUM.DesktopIcons] (X64) HKEY_USERS\S-1-5-21-349792416-3134956358-2395811717-1002\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\ClassicStartMenu | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1 -> Not selected
[PUM.DesktopIcons] (X64) HKEY_USERS\S-1-5-21-349792416-3134956358-2395811717-1002\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\ClassicStartMenu | {59031a47-3f72-44a7-89c5-5595fe6b30ee} : 1 -> Not selected
[PUM.DesktopIcons] (X86) HKEY_USERS\S-1-5-21-349792416-3134956358-2395811717-1002\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\ClassicStartMenu | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1 -> Not selected
[PUM.DesktopIcons] (X86) HKEY_USERS\S-1-5-21-349792416-3134956358-2395811717-1002\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\ClassicStartMenu | {59031a47-3f72-44a7-89c5-5595fe6b30ee} : 1 -> Not selected
[PUM.DesktopIcons] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1 -> Not selected
[PUM.DesktopIcons] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {59031a47-3f72-44a7-89c5-5595fe6b30ee} : 1 -> Not selected
[PUM.DesktopIcons] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1 -> Not selected
[PUM.DesktopIcons] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {59031a47-3f72-44a7-89c5-5595fe6b30ee} : 1 -> Not selected
[PUM.DesktopIcons] (X64) HKEY_USERS\S-1-5-21-349792416-3134956358-2395811717-1002\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {59031a47-3f72-44a7-89c5-5595fe6b30ee} : 1 -> Not selected
[PUM.DesktopIcons] (X64) HKEY_USERS\S-1-5-21-349792416-3134956358-2395811717-1002\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1 -> Not selected
[PUM.DesktopIcons] (X86) HKEY_USERS\S-1-5-21-349792416-3134956358-2395811717-1002\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {59031a47-3f72-44a7-89c5-5595fe6b30ee} : 1 -> Not selected
[PUM.DesktopIcons] (X86) HKEY_USERS\S-1-5-21-349792416-3134956358-2395811717-1002\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1 -> Not selected

¤¤¤ Tasks : 0 ¤¤¤

¤¤¤ Files : 0 ¤¤¤

¤¤¤ Hosts File : 0 ¤¤¤

¤¤¤ Antirootkit : 0 (Driver: Loaded) ¤¤¤

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: TOSHIBA MQ01ABD075 SATA Disk Device +++++
--- User ---
[MBR] f06d394c69b99d19f05bd38f2b018085
[BSP] 1dac98500ab1d7d6d7ab9694ae4a9676 : Empty MBR Code
Partition table:
0 - [SYSTEM][MAN-MOUNT] Basic data partition | Offset (sectors): 2048 | Size: 400 MB
1 - [MAN-MOUNT] EFI system partition | Offset (sectors): 821248 | Size: 260 MB
2 - [MAN-MOUNT] Microsoft reserved partition | Offset (sectors): 1353728 | Size: 128 MB
3 - Basic data partition | Offset (sectors): 1615872 | Size: 688627 MB
4 - [SYSTEM][MAN-MOUNT] | Offset (sectors): 1411923968 | Size: 451 MB
5 - [SYSTEM] Basic data partition | Offset (sectors): 1412847616 | Size: 25537 MB
User = LL1 ... OK
User = LL2 ... OK


============================================
RKreport_SCN_05142015_004737.log


(LAST LOG)


RogueKiller V10.6.3.0 (x64) [May 11 2015] by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : http://forum.adlice.com
Website : http://www.adlice.com/softwares/rog...
Blog : http://www.adlice.com

Operating System : Windows 8.1 (6.3.9200 ) 64 bits version
Started in : Normal mode
User : kenzie and christi [Administrator]
Started from : C:\Program Files\RogueKiller\RogueKiller.exe
Mode : Scan -- Date : 05/14/2015 01:19:05

¤¤¤ Processes : 0 ¤¤¤

¤¤¤ Registry : 25 ¤¤¤
[Orphan] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | WebCheck : {E6FB5E20-DE35-11CF-9C87-00AA005127ED} -> Found
[Orphan] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | WebCheck : {E6FB5E20-DE35-11CF-9C87-00AA005127ED} -> Found
[Orphan] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\ SkyDrive1 | (default) : {F241C880-6982-4CE5-8CF7-7085BA96DA5A} -> Found
[Orphan] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\ SkyDrive2 | (default) : {A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E} -> Found
[Orphan] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\ SkyDrive3 | (default) : {BBACC218-34EA-4666-9D7A-C78F2274A524} -> Found
[Orphan] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\ SkyDrive1 | (default) : {F241C880-6982-4CE5-8CF7-7085BA96DA5A} -> Found
[Orphan] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\ SkyDrive2 | (default) : {A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E} -> Found
[Orphan] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\ SkyDrive3 | (default) : {BBACC218-34EA-4666-9D7A-C78F2274A524} -> Found
[Orphan] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} -> Found
[Orphan] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6D53EC84-6AAE-4787-AEEE-F4628F01010C} -> Found
[Orphan] (X86) HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar | {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} : Norton Toolbar -> Found
[Orphan] (X64) HKEY_USERS\S-1-5-21-349792416-3134956358-2395811717-1002\SOFTWARE\Microsoft\Internet Explorer\Toolbar\WebBrowser | {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} : -> Found
[Orphan] (X86) HKEY_USERS\S-1-5-21-349792416-3134956358-2395811717-1002\SOFTWARE\Microsoft\Internet Explorer\Toolbar\WebBrowser | {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} : -> Found
[PUM.DesktopIcons] (X64) HKEY_USERS\S-1-5-21-349792416-3134956358-2395811717-1002\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\ClassicStartMenu | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1 -> Found
[PUM.DesktopIcons] (X64) HKEY_USERS\S-1-5-21-349792416-3134956358-2395811717-1002\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\ClassicStartMenu | {59031a47-3f72-44a7-89c5-5595fe6b30ee} : 1 -> Found
[PUM.DesktopIcons] (X86) HKEY_USERS\S-1-5-21-349792416-3134956358-2395811717-1002\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\ClassicStartMenu | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1 -> Found
[PUM.DesktopIcons] (X86) HKEY_USERS\S-1-5-21-349792416-3134956358-2395811717-1002\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\ClassicStartMenu | {59031a47-3f72-44a7-89c5-5595fe6b30ee} : 1 -> Found
[PUM.DesktopIcons] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1 -> Found
[PUM.DesktopIcons] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {59031a47-3f72-44a7-89c5-5595fe6b30ee} : 1 -> Found
[PUM.DesktopIcons] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1 -> Found
[PUM.DesktopIcons] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {59031a47-3f72-44a7-89c5-5595fe6b30ee} : 1 -> Found
[PUM.DesktopIcons] (X64) HKEY_USERS\S-1-5-21-349792416-3134956358-2395811717-1002\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {59031a47-3f72-44a7-89c5-5595fe6b30ee} : 1 -> Found
[PUM.DesktopIcons] (X64) HKEY_USERS\S-1-5-21-349792416-3134956358-2395811717-1002\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1 -> Found
[PUM.DesktopIcons] (X86) HKEY_USERS\S-1-5-21-349792416-3134956358-2395811717-1002\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {59031a47-3f72-44a7-89c5-5595fe6b30ee} : 1 -> Found
[PUM.DesktopIcons] (X86) HKEY_USERS\S-1-5-21-349792416-3134956358-2395811717-1002\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1 -> Found

¤¤¤ Tasks : 0 ¤¤¤

¤¤¤ Files : 0 ¤¤¤

¤¤¤ Hosts File : 0 ¤¤¤

¤¤¤ Antirootkit : 0 (Driver: Loaded) ¤¤¤

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: TOSHIBA MQ01ABD075 SATA Disk Device +++++
--- User ---
[MBR] f06d394c69b99d19f05bd38f2b018085
[BSP] 1dac98500ab1d7d6d7ab9694ae4a9676 : Empty MBR Code
Partition table:
0 - [SYSTEM][MAN-MOUNT] Basic data partition | Offset (sectors): 2048 | Size: 400 MB
1 - [MAN-MOUNT] EFI system partition | Offset (sectors): 821248 | Size: 260 MB
2 - [MAN-MOUNT] Microsoft reserved partition | Offset (sectors): 1353728 | Size: 128 MB
3 - Basic data partition | Offset (sectors): 1615872 | Size: 688627 MB
4 - [SYSTEM][MAN-MOUNT] | Offset (sectors): 1411923968 | Size: 451 MB
5 - [SYSTEM] Basic data partition | Offset (sectors): 1412847616 | Size: 25537 MB
User = LL1 ... OK
User = LL2 ... OK


============================================
RKreport_SCN_05142015_004737.log - RKreport_DEL_05142015_005441.log

Thank you for your time.

message edited by DScottW



#9
May 14, 2015 at 17:01:08
Please download Farbar Recovery Scan Tool and save it to your Desktop. If your default download location is not the Desktop, drag it out of its location onto the Desktop.
http://www.bleepingcomputer.com/dow...
If we have to run Farbar more than once, refer to this SS.
http://i.imgur.com/yUxNw0j.gif
Note: You need to run the version compatible with your system. If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.
Double-click to run it. When the tool opens click Yes to disclaimer.
Press Scan button.
It will make a log (FRST.txt) on the Desktop.
The first time the tool is run, it also makes another log (Addition.txt).
The logs are large, upload them using this, or upload to a site of your choosing. No account needed. Give us the links please.
http://www.zippyshare.com/
Instructions on how to use ZippyShare.
http://i.imgur.com/naG6t2T.gif
http://i.imgur.com/Vi9ZdIh.gif
http://i.imgur.com/1IZu5kP.gif
