Solved: Windows 8.1 hangs and freezes randomly

Hewlett-Packard Pavilion 15t-b000 black...
November 13, 2014 at 05:56:51
Specs: Windows 8.1, core i5 1.7 GHz / 4GB RAM
I have been experiencing this problem for a very long time. I tried the SFC and chkdsk commands but it is still not working. All my drivers and Windows are up to date. I tried all the simple troubleshooting steps but it is still freezing, so I tried Safe Mode to see if the problem is caused by Windows, but it was not; everything was okay in Safe Mode. Can anyone help me, please?
Thank you.


✔ Best Answer
November 23, 2014 at 14:52:29
As you can see from your logs, you had stuff installed without knowing how it had been installed.
A lot of programs now give you the choice to install toolbars and other things during the install. Either uncheck these items during the install, or use the Custom install. No more click, click during an install; you have to read after each click.

I use Softpedia; down the bottom of the page, they make you aware of what ad-supported programs the author of the program has included.
Sample pages
http://www.softpedia.com/get/CD-DVD...
First and foremost, extra attention needs to be paid during installation as ImgBurn offers to create desktop shortcuts to third-party apps, as well as install a browser toolbar onto the host computer, which are not required to ensure the smooth running of the app.
SS of above.
http://i.imgur.com/jgGYNsP.gif
This is what ImgBurn tries to install.
http://i.imgur.com/ms4DzE9.gif
http://i.imgur.com/vVkd39a.gif
http://i.imgur.com/rqFVaHs.gif
http://i.imgur.com/sm1T7h6.gif
http://i.imgur.com/vhkKLYo.gif

Use Unchecky to help prevent these third-party installs. Nothing is perfect; the baddies are always ahead of the goodies, so be vigilant.
http://www.softpedia.com/get/System...
http://unchecky.com/
A reliable application that aims to protect your computer against third-party components often offered during software installations.



#1
November 13, 2014 at 06:45:58
If I am reading you correctly, it doesn't freeze in Safe Mode, in which case it is a Windows issue and generally points to drivers.

Have you looked in the Event Viewer? Right-click the far left Windows icon on the taskbar. Don't worry about all the errors that show up, just those that coincide with a freeze.

Have you downloaded all the Windows updates?

It might be worth running these two freebies just in case something bad is lurking:
https://www.malwarebytes.org/

http://www.bleepingcomputer.com/dow...
(Save the file from the blue download button at the top and double click the file to run).

Always pop back and let us know the outcome - thanks



#2
November 14, 2014 at 01:06:51
Dear Derek,
Thank you for the reply,
Yes, you're right, it's 90% a driver problem, but I purchased Driver Booster Pro and updated everything and it's still freezing. I have Malwarebytes already and I am running AdwCleaner; I will give you the results once it's finished.


#3
November 14, 2014 at 01:11:54
Hi again,
This is the report:
# AdwCleaner v4.101 - Report created 14/11/2014 at 13:07:40
# Updated 09/11/2014 by Xplode
# Database : 2014-11-13.1 [Live]
# Operating System : Windows 8.1 Single Language (64 bits)
# Username : Midou35000 - MIDOU
# Running from : C:\Users\Mohamed Mehdi\Downloads\AdwCleaner.exe
# Option : Clean

***** [ Services ] *****

Service Deleted : wStLib64

***** [ Files / Folders ] *****

Folder Deleted : C:\ProgramData\apn
Folder Deleted : C:\ProgramData\House Of Soft
Folder Deleted : C:\ProgramData\QuickSet
Folder Deleted : C:\ProgramData\ssafEwweB
Folder Deleted : C:\ProgramData\cdb13b30b6106a0d
Folder Deleted : C:\Program Files (x86)\GreenTree Applications
Folder Deleted : C:\Program Files (x86)\SupTab
Folder Deleted : C:\Program Files (x86)\Skillbrains
Folder Deleted : C:\Users\Mohamed Mehdi\AppData\Local\torch
Folder Deleted : C:\Users\Mohamed Mehdi\AppData\Local\Skillbrains
Folder Deleted : C:\Users\Mohamed Mehdi\AppData\Roaming\goforfiles
Folder Deleted : C:\Users\Mohamed Mehdi\AppData\Roaming\GrabPro
Folder Deleted : C:\Users\Mohamed Mehdi\AppData\Roaming\kuaiyong
Folder Deleted : C:\Users\Mohamed Mehdi\AppData\Roaming\Systweak
Folder Deleted : C:\Users\Mohamed Mehdi\AppData\Local\Google\Chrome\User Data\Default\Extensions\eofcbnmajmjmplflapaojjnihcjkigck
[/!\] Not Deleted ( Junction ) : C:\Users\Mohamed Mehdi\AppData\Local\Google\Chrome\User Data\Default\Extensions\eofcbnmajmjmplflapaojjnihcjkigck
[/!\] Not Deleted ( Junction ) : C:\Users\Mohamed Mehdi\AppData\Local\Google\Chrome\User Data\Default\Extensions\eofcbnmajmjmplflapaojjnihcjkigck
[/!\] Not Deleted ( Junction ) : C:\Users\Mohamed Mehdi\AppData\Local\Google\Chrome\User Data\Default\Extensions\eofcbnmajmjmplflapaojjnihcjkigck
[/!\] Not Deleted ( Junction ) : C:\Users\Mohamed Mehdi\AppData\Local\Google\Chrome\User Data\Default\Extensions\eofcbnmajmjmplflapaojjnihcjkigck
[/!\] Not Deleted ( Junction ) : C:\Users\Mohamed Mehdi\AppData\Local\Google\Chrome\User Data\Default\Extensions\eofcbnmajmjmplflapaojjnihcjkigck
[/!\] Not Deleted ( Junction ) : C:\Users\Mohamed Mehdi\AppData\Local\Google\Chrome\User Data\Default\Extensions\eofcbnmajmjmplflapaojjnihcjkigck
[/!\] Not Deleted ( Junction ) : C:\Users\Mohamed Mehdi\AppData\Local\Google\Chrome\User Data\Default\Extensions\eofcbnmajmjmplflapaojjnihcjkigck
[/!\] Not Deleted ( Junction ) : C:\Users\Mohamed Mehdi\AppData\Local\Google\Chrome\User Data\Default\Extensions\eofcbnmajmjmplflapaojjnihcjkigck
[/!\] Not Deleted ( Junction ) : C:\Users\Mohamed Mehdi\AppData\Local\Google\Chrome\User Data\Default\Extensions\eofcbnmajmjmplflapaojjnihcjkigck
[/!\] Not Deleted ( Junction ) : C:\Users\Mohamed Mehdi\AppData\Local\Google\Chrome\User Data\Default\Extensions\eofcbnmajmjmplflapaojjnihcjkigck
[/!\] Not Deleted ( Junction ) : C:\Users\Mohamed Mehdi\AppData\Local\Google\Chrome\User Data\Default\Extensions\eofcbnmajmjmplflapaojjnihcjkigck
[/!\] Not Deleted ( Junction ) : C:\Users\Mohamed Mehdi\AppData\Local\Google\Chrome\User Data\Default\Extensions\eofcbnmajmjmplflapaojjnihcjkigck
[/!\] Not Deleted ( Junction ) : C:\Users\Mohamed Mehdi\AppData\Local\Google\Chrome\User Data\Default\Extensions\eofcbnmajmjmplflapaojjnihcjkigck
[/!\] Not Deleted ( Junction ) : C:\Users\Mohamed Mehdi\AppData\Local\Google\Chrome\User Data\Default\Extensions\eofcbnmajmjmplflapaojjnihcjkigck
[/!\] Not Deleted ( Junction ) : C:\Users\Mohamed Mehdi\AppData\Local\Google\Chrome\User Data\Default\Extensions\eofcbnmajmjmplflapaojjnihcjkigck
File Deleted : C:\Windows\System32\drivers\wStLib64.sys
File Deleted : C:\Windows\System32\roboot64.exe

***** [ Scheduled Tasks ] *****

Task Deleted : Driver Booster Scan
Task Deleted : Driver Booster Update
Task Deleted : LaunchSignup
Task Deleted : update-sys
Task Deleted : update-S-1-5-21-1701846874-164243455-3080674911-1002

***** [ Shortcuts ] *****

Shortcut Disinfected : C:\Users\Mohamed Mehdi\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Windows System\Internet Explorer.lnk
Shortcut Disinfected : C:\Users\Mohamed Mehdi\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk
Shortcut Disinfected : C:\Users\Mohamed Mehdi\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Internet Explorer.lnk

***** [ Registry ] *****

Key Deleted : HKLM\SOFTWARE\Google\Chrome\Extensions\eofcbnmajmjmplflapaojjnihcjkigck
Key Deleted : HKCU\Software\Classes\pokki
Key Deleted : HKCU\Software\AppDataLow\{5F189DF5-2D05-472B-9091-84D9848AE48B}
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{C007DADD-132A-624C-088E-59EE6CF0711F}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{1AA60054-57D9-4F99-9A55-D0FBFBE7ECD3}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{459DD0F7-0D55-D3DC-67BC-E6BE37E9D762}
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{4250488A-CB24-0893-C066-B1AEA57BCFF2}
Key Deleted : [x64] HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{2FA28606-DE77-4029-AF96-B231E3B8F827}
Key Deleted : [x64] HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{B7FCA997-D0FB-4FE0-8AFD-255E89CF9671}
Key Deleted : [x64] HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{2FA28606-DE77-4029-AF96-B231E3B8F827}
Key Deleted : [x64] HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{33BB0A4E-99AF-4226-BDF6-49120163DE86}
Key Deleted : [x64] HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{B7FCA997-D0FB-4FE0-8AFD-255E89CF9671}
Data Restored : HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{2fa28606-de77-4029-af96-b231e3b8f827}
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{33BB0A4E-99AF-4226-BDF6-49120163DE86}
Key Deleted : HKCU\Software\APN PIP
Key Deleted : HKCU\Software\Bitberry Software
Key Deleted : HKCU\Software\distromatic
Key Deleted : HKCU\Software\GoforFiles
Key Deleted : HKCU\Software\RegisteredApplicationsEx
Key Deleted : HKLM\SOFTWARE\{3A7D3E19-1B79-4E4E-BD96-5467DA2C4EF0}
Key Deleted : HKLM\SOFTWARE\{5F189DF5-2D05-472B-9091-84D9848AE48B}
Key Deleted : HKLM\SOFTWARE\{77D46E27-0E41-4478-87A6-AABE6FBCF252}
Key Deleted : HKLM\SOFTWARE\GoforFiles
Key Deleted : HKLM\SOFTWARE\PIP
Key Deleted : HKLM\SOFTWARE\SupDp
Key Deleted : HKLM\SOFTWARE\systweak
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{30A5B3C9-2084-4063-A32A-628A98DE512B}_is1
Key Deleted : HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\mystartsearch.com

***** [ Browsers ] *****

-\\ Internet Explorer v11.0.9600.17416

Setting Restored : HKCU\Software\Microsoft\Internet Explorer\Main [Default_Page_URL]
Setting Restored : HKCU\Software\Microsoft\Internet Explorer\Main [Search Page]
Setting Restored : HKCU\Software\Microsoft\Internet Explorer\Main [Default_Search_URL]
Setting Restored : HKLM\SOFTWARE\Microsoft\Internet Explorer\Main [Default_Search_URL]
Setting Restored : HKLM\SOFTWARE\Microsoft\Internet Explorer\Main [Default_Page_URL]
Setting Restored : HKLM\SOFTWARE\Microsoft\Internet Explorer\Main [Start Page]
Setting Restored : HKLM\SOFTWARE\Microsoft\Internet Explorer\Main [Search Page]
Setting Restored : [x64] HKLM\SOFTWARE\Microsoft\Internet Explorer\Main [Default_Search_URL]
Setting Restored : [x64] HKLM\SOFTWARE\Microsoft\Internet Explorer\Main [Search Page]
Setting Restored : [x64] HKLM\SOFTWARE\Microsoft\Internet Explorer\Main [Default_Page_URL]
Setting Restored : [x64] HKLM\SOFTWARE\Microsoft\Internet Explorer\Main [Start Page]

-\\ Mozilla Firefox v


-\\ Google Chrome v38.0.2125.111


-\\ Chromium v


-\\ Comodo Dragon v


*************************

AdwCleaner[R0].txt - [9388 octets] - [14/11/2014 13:05:56]
AdwCleaner[S0].txt - [7783 octets] - [14/11/2014 13:07:40]

########## EOF - C:\AdwCleaner\AdwCleaner[S0].txt - [7843 octets] ##########



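The AdwCleaner report above is easy to skim by eye once, but the entries that matter most are the ones the tool could not remove (the `[/!\] Not Deleted ( Junction )` lines for the Chrome extension), and those are buried among dozens of successful deletions. The PowerShell function below is an added example, not part of this thread and not AdwCleaner's own code: it parses the report format shown above into objects, counts actions per section, and lists the leftovers separately. The log it runs on is a constructed excerpt in the same format (the extension ID and user name are made up).

```powershell
# Added example: summarise an AdwCleaner clean report so that "Not Deleted"
# leftovers stand out. $sampleLog is a constructed excerpt in the report's
# format; feed the real report text in instead (e.g. Get-Content -Raw).
$sampleLog = @'
# AdwCleaner v4.101 - Report created 14/11/2014 at 13:07:40
# Option : Clean

***** [ Services ] *****

Service Deleted : wStLib64

***** [ Files / Folders ] *****

Folder Deleted : C:\ProgramData\apn
Folder Deleted : C:\Users\Example\AppData\Local\Google\Chrome\User Data\Default\Extensions\aaaabbbbccccddddeeeeffffgggghhhh
[/!\] Not Deleted ( Junction ) : C:\Users\Example\AppData\Local\Google\Chrome\User Data\Default\Extensions\aaaabbbbccccddddeeeeffffgggghhhh
File Deleted : C:\Windows\System32\drivers\wStLib64.sys

***** [ Scheduled Tasks ] *****

Task Deleted : Driver Booster Scan

***** [ Registry ] *****

Key Deleted : HKLM\SOFTWARE\Google\Chrome\Extensions\aaaabbbbccccddddeeeeffffgggghhhh
'@

function ConvertFrom-AdwCleanerLog {
    param([Parameter(Mandatory)][string]$Text)
    $section = ''
    foreach ($line in $Text -split "`r?`n") {
        # Header lines of the report start with '#': not actions.
        if ($line.StartsWith('#')) { continue }
        # Section banners look like "***** [ Files / Folders ] *****".
        if ($line -match '^\*{5} \[ (.+?) \] \*{5}$') { $section = $Matches[1]; continue }
        # Action lines: "Folder Deleted : <path>" or
        # "[/!\] Not Deleted ( Junction ) : <path>". The action part never
        # contains a colon, so the first " : " separates action from target.
        if ($line -match '^(?<flag>\[/!\\\] )?(?<action>[^:]+?) : (?<target>.+)$') {
            [pscustomobject]@{
                Section = $section
                Action  = $Matches.action.Trim()
                Failed  = [bool]$Matches.flag     # true for "[/!\]" warning lines
                Target  = $Matches.target
            }
        }
    }
}

$entries = ConvertFrom-AdwCleanerLog -Text $sampleLog

# Count of each action per section.
$entries | Group-Object Section, Action | Select-Object Count, Name | Format-Table -AutoSize

# Items the tool reported but did not remove: these still need attention.
$entries | Where-Object Failed | ForEach-Object { "LEFTOVER ($($_.Section)): $($_.Target)" }
```

On the real report from this thread the leftover list would contain the Chrome extension folder that AdwCleaner flagged as a junction; a junction that points back into the profile is one reason a delete can fail while the browser is running, which is the question post #4 raises.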

#4
November 14, 2014 at 06:45:27
There's no neat way to say this but if you used some sort of program to select drivers then that might easily be your problem. They very often get things wrong even if they are not scams. Your ADWCleaner logs show that Driver Pro was treated as malware.

You get drivers from the computer supplier (when branded) or from the suppliers of the individual components when home built. It is possible that you can sort it out by doing so now, although the presence of conflicting (incorrect) drivers can cause issues.

Did you let ADWCleaner delete everything when you ran the Clean? The reason I'm asking is that it failed to delete some unwanted Chrome stuff.

One aside I spotted is that ADWCleaner removed "Green Tree Applications", which is YouTube Downloader. The reason is that YTD pushes unwanted malware. However, I believe that you can put it back safely if you wish, provided you uncheck any unwanted goodies during the install. Just run ADWCleaner afterwards, then uncheck the "Green Tree Applications" folder in ADWCleaner before you run the Clean.

ADWCleaner cleared a lot of junk. Have you noticed any improvement?

Always pop back and let us know the outcome - thanks

message edited by Derek



#5
November 14, 2014 at 22:30:55
Hi,
Well, I didn't know that I had Driver Pro, and yes, I let it delete everything, but I think Chrome was open and running when AdwCleaner prompted me to close all programs; everything was closed, so I don't know why it couldn't delete some Chrome stuff. Anyway, yes, it did clean everything as I said earlier. About "Green Tree Applications", yeah, I noticed that the program was uninstalled, but it's OK, I don't care, I rarely use that program.
I noticed a lot of improvements; one of them is the main problem (which is the hang and freezing). In the first post I said that I can't do anything except move the mouse when Windows freezes, and then I had to hard power off again and again, but now when it happens I can do everything except the charms bar and the taskbar: if I move the mouse there, the classic Windows loading circle appears and the taskbar colour changes to dark blue, and after waiting a couple of seconds the computer is back running.
Do you think it's a registry problem? Or do you think it's caused by explorer.exe? I tried to restart it but nothing changed.


#6
November 15, 2014 at 06:42:02
Well, it's a bit open-ended at the moment. Do you use registry cleaners? They also can get things wrong and remove valid entries.

Standing back from it, I'm still inclined to err towards either drivers or some deeper-rooted malware. Both of these could be why things are better in Safe Mode. Clearly ADWCleaner was unable to delete certain things, which is suspicious. A fellow helper might be available to take you through a full malware check, which could require running several programs and posting logs. Let me know if you want this and if so I'll send him a message. It would seem a good idea to eliminate malware from the equation for starters.

By the way, did you know that MalwareBytes has a rootkit checking option? Go to "Settings > Detection and Protection". It doesn't take too much longer to do the Threat Scan in this mode.

Have you managed to link anything with errors showing in the Event Viewer?

Always pop back and let us know the outcome - thanks



#7
November 15, 2014 at 06:58:07
About registry cleaners, I used CCleaner (Pro), Wise Registry Cleaner, and too many other registry cleaning programs, but I have the backups from CCleaner only because I deleted the other programs.
And yes, please send that guy a message; I am ready to install (or purchase) any program just to get this problem fixed, because I can't stand it anymore: I can't even use the laptop for more than 20 minutes.
I found too many errors in Event Viewer; I will give them to you later.

message edited by Midou



#8
November 15, 2014 at 08:52:26
Concentrate only on Event errors that happened "immediately around the time it freezes". Chasing stacks of event errors is not usually worth the effort; most are unimportant Windows bugs.

I will make contact with Johnw, but he is in Australia so it's around 1 am there at present. He might not be available, of course, but keep an eye open after about 6 hours or so. We only use free programs, but my main consideration is to ensure your computer is virus/malware free at this stage.

Always pop back and let us know the outcome - thanks



#9
November 16, 2014 at 03:38:36
The problem is that it freezes all the time, that's why I can't know exactly, but I found an interesting one that is repeated more than 30 times. I copied it and here are the results:
Log Name: System
Source: disk
Date: 16-Nov-14 2:55:15 PM
Event ID: 7
Task Category: None
Level: Error
Keywords: Classic
User: N/A
Computer: Midou
Description:
The device, \Device\Harddisk0\DR0, has a bad block.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="disk" />
<EventID Qualifiers="49156">7</EventID>
<Level>2</Level>
<Task>0</Task>
<Keywords>0x80000000000000</Keywords>
<TimeCreated SystemTime="2014-11-16T10:55:15.383262800Z" />
<EventRecordID>102607</EventRecordID>
<Channel>System</Channel>
<Computer>Midou</Computer>
<Security />
</System>
<EventData>
<Data>\Device\Harddisk0\DR0</Data>
<Binary>030080000100000000000000070004C0000100009C0000C000000000000000000010AB6F0500000004983E0000000000FFFFFFFF000000005800008402000000E1200AFF42072000000000003C000000000055CF00E0FFFF60AC88CE00E0FFFF0000000000000000603C7ED000E0FFFF000000000000000088D5B70200000000280002B7D58800000100000000000000F00003003112E00000000000110000800000000000000000</Binary>
</EventData>
</Event>


I have no idea where to find this driver.


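Post #8 makes the right point: only the events logged immediately around a freeze are worth reading, and the one posted above (provider `disk`, Event ID 7, "has a bad block") is a storage error rather than a driver to go looking for. The script below is an added example, not part of this thread: it pulls Critical and Error events from the System log in a window around a freeze time, counts the bad-block events per day so a trend is visible, and reads the drive's own error counters. The freeze time is an assumed value taken from the event above; the window size is a choice, not anything the thread specifies.

```powershell
# Added example (not from the thread): correlate System-log errors with a
# freeze instead of reading every event, and check whether the "bad block"
# event (provider "disk", Event ID 7) is recurring.

function Get-EventsAroundFreeze {
    param(
        [Parameter(Mandatory)][datetime]$FreezeTime,
        [int]$WindowMinutes = 5          # assumed window; widen if the freeze time is a guess
    )
    $filter = @{
        LogName   = 'System'
        Level     = 1, 2                 # 1 = Critical, 2 = Error
        StartTime = $FreezeTime.AddMinutes(-$WindowMinutes)
        EndTime   = $FreezeTime.AddMinutes($WindowMinutes)
    }
    # Get-WinEvent throws when nothing matches; silence that and return nothing.
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, ProviderName, Id,
            @{ n = 'Message'; e = { ($_.Message -split "`n")[0] } }
}

function Get-BadBlockEventsPerDay {
    # A count that keeps rising day after day points at failing storage,
    # which no driver update will fix.
    Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'disk'; Id = 7 } -ErrorAction SilentlyContinue |
        Group-Object { $_.TimeCreated.Date.ToString('yyyy-MM-dd') } |
        Select-Object @{ n = 'Day'; e = { $_.Name } }, Count |
        Sort-Object Day
}

function Get-DiskErrorCounters {
    # Storage module (Windows 8 / Server 2012 and later): the drive's own
    # reliability counters. Uncorrected read errors corroborate Event ID 7.
    Get-PhysicalDisk -ErrorAction SilentlyContinue |
        Get-StorageReliabilityCounter -ErrorAction SilentlyContinue |
        Select-Object DeviceId, ReadErrorsTotal, ReadErrorsUncorrected, Temperature, PowerOnHours
}

# Assumed freeze time, taken from the event posted in this thread.
$freezeTime = Get-Date '2014-11-16 14:55'

Get-EventsAroundFreeze -FreezeTime $freezeTime | Format-Table -AutoSize
Get-BadBlockEventsPerDay | Format-Table -AutoSize
Get-DiskErrorCounters    | Format-Table -AutoSize
```

Run it from an elevated PowerShell prompt so the System log and the physical disk are readable. Capture this before running any cleanup tool that clears the event logs (the JRT log later in this thread reports exactly that), otherwise the history of bad-block events is lost.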

#10
November 16, 2014 at 07:58:59
This might well have a bearing on your troubles:
The device, \Device\Harddisk0\DR0, has a bad block.

See here:
http://windows.microsoft.com/en-gb/...
Do the "Automatically fix file system errors".

I still don't know why ADWCleaner was unable to fix a few things. After you have done the above run ADWCleaner again and post the log please.

Always pop back and let us know the outcome - thanks



#11
November 16, 2014 at 08:10:43
Okay, I did it but it says no errors found.
And I will run ADW again and give you the results.


#12
November 16, 2014 at 10:52:57
Did you tell it to do the fix on restart (see website near bottom) and if so did you restart the computer?

Always pop back and let us know the outcome - thanks



#13
November 16, 2014 at 13:23:49
"And I will run ADW again and give you the results"
Yes please.

If any program won't run ( due to the infection ) let me know.

Run RogueKiller
http://www.softpedia.com/get/Securi...
http://majorgeeks.com/RogueKiller_d...
http://www.geekstogo.com/forum/file...
http://tigzy.geekstogo.com/roguekil...
http://www.sur-la-toile.com/RogueKi...
User Guide
http://www.adlice.com/softwares/rog...
Official tutorial
http://www.adlice.com/softwares/rog...
If RogueKiller won't run, open IE & turn off SmartScreen Filter.
http://windows.microsoft.com/en-AU/...
Download & SAVE to your Desktop. If your default download location is not the Desktop, drag it out of its location onto the Desktop.
Quit all programs that you may have started.
Shutdown your antivirus to avoid any conflicts.
Please disconnect any USB or external drives from the computer before you run this scan!
For Vista or Windows 7/8, right-click and select "Run as Administrator" to start.

For Windows XP, double-click to start.
Wait until Prescan has finished ...
Then Click on "Scan" button
Wait until the Status box shows "Scan Finished"
Click on "Delete"
Wait until the Status box shows "Deleting Finished"
Click on "Report" and Copy & Paste the content of the Notepad into your next reply.
The log should be found in RKreport[1].txt on your Desktop.
Exit/Close RogueKiller.
When completed make sure to re-enable your antivirus.



#14
November 17, 2014 at 06:18:09
Hi John and Derek,
Shall I try that RogueKiller program?
Yes, it restarts automatically, and here are the results:
# AdwCleaner v4.101 - Report created 17/11/2014 at 18:15:00
# Updated 09/11/2014 by Xplode
# Database : 2014-11-16.1 [Live]
# Operating System : Windows 8.1 Single Language (64 bits)
# Username : Midou35000 - MIDOU
# Running from : C:\Users\Mohamed Mehdi\Downloads\AdwCleaner.exe
# Option : Clean

***** [ Services ] *****


***** [ Files / Folders ] *****

Folder Deleted : C:\ProgramData\ytd video downloader
Folder Deleted : C:\ProgramData\Microsoft\Windows\Start Menu\Programs\ytd video downloader

***** [ Scheduled Tasks ] *****


***** [ Shortcuts ] *****


***** [ Registry ] *****


***** [ Browsers ] *****

-\\ Internet Explorer v11.0.9600.17416


-\\ Mozilla Firefox v


-\\ Google Chrome v38.0.2125.111


-\\ Chromium v


-\\ Comodo Dragon v


*************************

AdwCleaner[R0].txt - [9388 octets] - [14/11/2014 13:05:56]
AdwCleaner[R1].txt - [1083 octets] - [17/11/2014 18:14:42]
AdwCleaner[S0].txt - [7959 octets] - [14/11/2014 13:07:47]
AdwCleaner[S1].txt - [1009 octets] - [17/11/2014 18:15:00]

########## EOF - C:\AdwCleaner\AdwCleaner[S1].txt - [1069 octets] ##########

message edited by Midou



#15
November 17, 2014 at 13:13:58
"Shall I try that RogueKiller program?"
Yes please & we will need to run more after that, as we dismantle the nasties bit by bit.


#16
November 18, 2014 at 05:27:42
Hi,
Alright, this is what I got:
RogueKiller V10.0.6.0 (x64) [Nov 13 2014] by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : http://forum.adlice.com
Website : http://www.adlice.com/softwares/rog...
Blog : http://www.adlice.com

Operating System : Windows 8.1 (6.3.9200 ) 64 bits version
Started in : Normal mode
User : Midou35000 [Administrator]
Mode : Delete -- Date : 11/18/2014 17:24:56

¤¤¤ Processes : 0 ¤¤¤

¤¤¤ Registry : 14 ¤¤¤
[PUM.HomePage] (X64) HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Main | Start Page :

http://www.symantec.com/redirects/s... -> Replaced

(http://go.microsoft.com/fwlink/p/?LinkId=255141)
[PUM.HomePage] (X86) HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Main | Start Page :

http://www.symantec.com/redirects/s... -> Replaced

(http://go.microsoft.com/fwlink/p/?LinkId=255141)
[PUM.HomePage] (X64) HKEY_USERS\S-1-5-19\Software\Microsoft\Internet Explorer\Main | Start Page :

http://www.symantec.com/redirects/s... -> Replaced

(http://go.microsoft.com/fwlink/p/?LinkId=255141)
[PUM.HomePage] (X86) HKEY_USERS\S-1-5-19\Software\Microsoft\Internet Explorer\Main | Start Page :

http://www.symantec.com/redirects/s... -> Replaced

(http://go.microsoft.com/fwlink/p/?LinkId=255141)
[PUM.HomePage] (X64) HKEY_USERS\S-1-5-20\Software\Microsoft\Internet Explorer\Main | Start Page :

http://www.symantec.com/redirects/s... -> Replaced

(http://go.microsoft.com/fwlink/p/?LinkId=255141)
[PUM.HomePage] (X86) HKEY_USERS\S-1-5-20\Software\Microsoft\Internet Explorer\Main | Start Page :

http://www.symantec.com/redirects/s... -> Replaced

(http://go.microsoft.com/fwlink/p/?LinkId=255141)
[PUM.HomePage] (X64) HKEY_USERS\S-1-5-18\Software\Microsoft\Internet Explorer\Main | Start Page :

http://www.symantec.com/redirects/s... -> Replaced

(http://go.microsoft.com/fwlink/p/?LinkId=255141)
[PUM.HomePage] (X86) HKEY_USERS\S-1-5-18\Software\Microsoft\Internet Explorer\Main | Start Page :

http://www.symantec.com/redirects/s... -> Replaced

(http://go.microsoft.com/fwlink/p/?LinkId=255141)
[PUM.Policies] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System | ConsentPromptBehaviorAdmin

: 0 -> Replaced (2)
[PUM.Policies] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System | ConsentPromptBehaviorAdmin

: 0 -> Replaced (2)
[PUM.DesktopIcons] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel |

{20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1 -> Replaced (0)
[PUM.DesktopIcons] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel |

{59031a47-3f72-44a7-89c5-5595fe6b30ee} : 1 -> Replaced (0)
[PUM.DesktopIcons] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel |

{20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1 -> Replaced (0)
[PUM.DesktopIcons] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel |

{59031a47-3f72-44a7-89c5-5595fe6b30ee} : 1 -> Replaced (0)

¤¤¤ Tasks : 0 ¤¤¤

¤¤¤ Files : 0 ¤¤¤

¤¤¤ Hosts File : 0 ¤¤¤

¤¤¤ Antirootkit : 0 (Driver: Loaded) ¤¤¤

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: Hitachi HTS545050A7E380 +++++
--- User ---
[MBR] 808b3d03edb3ea723dd276eb15424c36
[BSP] d6c0e25bcf712a9a3cbabde3b7e1c859 : Empty MBR Code
Partition table:
0 - [XXXXXX] UNKNOWN (0x0) [VISIBLE] Offset (sectors): 1 | Size: 476940 MB
User = LL1 ... OK
User = LL2 ... OK


============================================
RKreport_SCN_11182014_172108.log


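Two of the PUM (Potentially Unwanted Modification) entries in the RogueKiller log above deserve a second look even after the tool has "Replaced" them: `ConsentPromptBehaviorAdmin` had been set to 0, which makes administrators elevate silently without any UAC prompt (RogueKiller reset it to 2, prompt for consent on the secure desktop), and the Internet Explorer Start Page had been rewritten in every loaded user hive, including the service-account hives S-1-5-18/19/20. The script below is an added example, not part of this thread and not RogueKiller's code: it re-reads both settings so you can confirm the fix held after a reboot, and warns on anything that deviates. The "expected" values are assumptions you should adjust to your own baseline.

```powershell
# Added example (not from the thread or from RogueKiller): re-check the
# UAC prompt level and the per-hive IE Start Page that the log reported
# as modified. Run from an elevated prompt so every HKEY_USERS hive is readable.

if (-not (Get-PSDrive -Name HKU -ErrorAction SilentlyContinue)) {
    New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
}

function Test-UacPromptLevel {
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $p = Get-ItemProperty -Path $key
    [pscustomobject]@{
        Check    = 'ConsentPromptBehaviorAdmin'
        Value    = $p.ConsentPromptBehaviorAdmin
        Expected = 2          # assumed baseline: prompt on the secure desktop; 0 = elevate silently
        UacOn    = [bool]$p.EnableLUA
    }
}

function Get-IeStartPages {
    # Walk every loaded hive under HKEY_USERS (skipping the *_Classes hives),
    # which covers .DEFAULT and the service SIDs the log listed as well as
    # interactive users.
    foreach ($hive in Get-ChildItem HKU:\ | Where-Object { $_.PSChildName -notlike '*_Classes' }) {
        $main = "$($hive.PSPath)\Software\Microsoft\Internet Explorer\Main"
        if (Test-Path $main) {
            $sp = (Get-ItemProperty -Path $main -ErrorAction SilentlyContinue).'Start Page'
            if ($sp) { [pscustomobject]@{ Hive = $hive.PSChildName; StartPage = $sp } }
        }
    }
}

$uac = Test-UacPromptLevel
if (-not $uac.UacOn -or $uac.Value -ne $uac.Expected) {
    Write-Warning "UAC: ConsentPromptBehaviorAdmin=$($uac.Value) (expected $($uac.Expected)), EnableLUA=$($uac.UacOn)"
} else {
    "UAC prompt level OK ($($uac.Value))"
}

# Anything other than a Microsoft default start page is worth a look; the
# allow-list here is an assumption, extend it for a corporate homepage.
$allowed = '^https?://(go\.microsoft\.com|www\.msn\.com)/'
Get-IeStartPages | ForEach-Object {
    if ($_.StartPage -notmatch $allowed) {
        Write-Warning "Non-default start page in $($_.Hive): $($_.StartPage)"
    } else {
        "$($_.Hive): $($_.StartPage)"
    }
}
```

If the UAC value drifts back to 0 after a reboot, something still running at startup is resetting it, and that is a stronger lead than any single removed registry key.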

#17
November 18, 2014 at 12:01:19
Next.

Run Junkware Removal Tool
http://www.softpedia.com/get/Securi...
http://www.bleepingcomputer.com/dow...
http://thisisudax.blogspot.com.au/2...
Download Junkware Removal Tool onto your Desktop. If your default download location is not the Desktop, drag it out of its location onto the Desktop.
Warning! Once the scan is complete JRT will shut down your browser with NO warning.
Shut down your protection software now to avoid potential conflicts.
Temporarily disable your antivirus and any antispyware real time protection before performing a scan.
Click this link to see a list of security programs that should be disabled and how to disable them.
http://www.bleepingcomputer.com/for...
http://www.techsupportforum.com/for...
Run the tool by double-clicking it. If you are using Windows Vista or Windows 7/8, right-click JRT and select Run as Administrator.
The tool will open and start scanning your system.
Please be patient as this can take a while to complete depending on your system's specifications.
On completion, a log (JRT.txt) is saved onto your Desktop and will automatically open.
Copy and Paste the contents of the JRT.txt log please.



#18
November 19, 2014 at 06:46:57
There you go:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Thisisu
Version: 6.3.9 (11.15.2014:2)
OS: Windows 8.1 Single Language x64
Ran by Midou35000 on 19-Nov-14 at 18:38:26.58
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


~~~ Services

~~~ Registry Values

Successfully repaired: [Registry Value] HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\\Start Page
Successfully repaired: [Registry Value] HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Main\\Start Page
Successfully repaired: [Registry Value] HKEY_USERS\S-1-5-18\Software\Microsoft\Internet Explorer\Main\\Start Page
Successfully repaired: [Registry Value] HKEY_USERS\S-1-5-19\Software\Microsoft\Internet Explorer\Main\\Start Page
Successfully repaired: [Registry Value] HKEY_USERS\S-1-5-20\Software\Microsoft\Internet Explorer\Main\\Start Page
Successfully repaired: [Registry Value] HKEY_USERS\\Software\Microsoft\Internet Explorer\Main\\Start Page

~~~ Registry Keys

Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\SearchScopes\{B7FCA997-D0FB-4FE0-8AFD-255E89CF9671}

~~~ Files

~~~ Folders

Successfully deleted: [Folder] "C:\Windows\syswow64\ai_recyclebin"
Successfully deleted: [Empty Folder] C:\Users\Mohamed Mehdi\appdata\local\{05938B0F-3F0E-47BF-9596-E0780BB412CB}
Successfully deleted: [Empty Folder] C:\Users\Mohamed Mehdi\appdata\local\{51DD0B28-55FB-4779-996D-A29454857232}
Successfully deleted: [Empty Folder] C:\Users\Mohamed Mehdi\appdata\local\{5B0F07B6-EFAB-48BD-A225-1DE272342397}
Successfully deleted: [Empty Folder] C:\Users\Mohamed Mehdi\appdata\local\{6E42A73D-DB9D-498F-AAF1-AAC37995E6E8}
Successfully deleted: [Empty Folder] C:\Users\Mohamed Mehdi\appdata\local\{8C9E0907-78FC-4689-9276-206C77EB7752}
Successfully deleted: [Empty Folder] C:\Users\Mohamed Mehdi\appdata\local\{AD4005D2-E902-40BD-89AD-69998470F7EB}
Successfully deleted: [Empty Folder] C:\Users\Mohamed Mehdi\appdata\local\{CE7E667B-42D4-4514-8BAF-0F81BAA29753}
Successfully deleted: [Empty Folder] C:\Users\Mohamed Mehdi\appdata\local\{DD61FD5B-55E8-4486-823E-597D372FAC25}
Successfully deleted: [Empty Folder] C:\Users\Mohamed Mehdi\appdata\local\{DFF995B2-A5EF-42F6-AB7B-6A8778DD3B00}
Successfully deleted: [Empty Folder] C:\Users\Mohamed Mehdi\appdata\local\{FFC4D7E6-45EF-4697-9AA5-1A141AA9CE08}
Successfully deleted: [Empty Folder] C:\Users\Mohamed Mehdi\appdata\local\{FFE39303-50C9-46FB-B27B-5A61CD0AA2FE}

~~~ Event Viewer Logs were cleared

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on 19-Nov-14 at 18:45:26.15
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~



#19
November 19, 2014 at 12:09:10
Update & Run Malwarebytes' Anti-Malware ( MBAM ) Free Version. Use Quick scan ( now called Threat Scan )
Click the Settings tab at the top, and then in the left column, select Detections and Protections, and if not already checked place a checkmark in the selection box to Scan for rootkits.
http://i.imgur.com/dZgt1g2.gif
Copy and Paste the contents of the log, in your reply please.

If potential threats are detected, ensure that Quarantine is selected as the Action for all the listed items, and click the Apply Actions button.
If your MBAM log indicates "No action taken", that's usually a result of NOT clicking the Apply Actions button after the scan. In most cases, a restart will be required.
If you misplace your log, here are ways to find it.
http://i.imgur.com/U9IqcVj.gif
http://i.imgur.com/zHMG6J9.gif
http://i.imgur.com/ZZ1trsv.gif
http://i.imgur.com/LL0K3qs.gif
Or,
(Export log to save as txt)
After the restart once you are back at your desktop, open MBAM once more.
Click on the History tab > Application Logs.
Double click on the scan log which shows the Date and time of the scan just performed.
Click 'Export'.
Click 'Text file (*.txt)'
In the Save File dialog box which appears, click on Desktop.
In the File name: box type a name for your scan log.
A message box named 'File Saved' should appear stating "Your file has been successfully exported".
Click Ok
http://i.imgur.com/LNl3Sgw.gif
http://i.imgur.com/xGJgawB.gif

message edited by Johnw



#20
November 21, 2014 at 01:48:09
Hey, I got no infected files. Should I give you the log file?


#21
November 21, 2014 at 01:56:12
"Hey, I got no infected files. Should I give you the log file?"
No, that will be fine.

1: Run TFC
http://www.geekstogo.com/forum/file...
http://www.bleepingcomputer.com/dow...
http://oldtimer.geekstogo.com/TFC.exe
http://www.itxassociates.com/OT-Too...
Download it onto your Desktop. If your default download location is not the Desktop, drag it out of its location onto the Desktop.
Double-click TFC.exe to run it. Note: If you are running on Vista/Windows 7/8, right-click on the file and choose Run As Administrator.
It will close all programs when run, so make sure you have saved all your work before you begin.
Click the Start button to begin the process. Depending on how often you clean temp files, execution time should be anywhere from a few seconds to a minute or two. Let it run uninterrupted to completion.
Once it's finished it should reboot your machine. If it does not, please manually reboot the machine yourself to ensure a complete clean.

2: Please download Farbar Recovery Scan Tool and save it onto your Desktop. If your default download location is not the Desktop, drag it out of its location onto the Desktop.
http://www.bleepingcomputer.com/dow...
Note: You need to run the version compatible with your system. If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.
Double-click to run it. When the tool opens click Yes to disclaimer.
Press Scan button.
It will make a log (FRST.txt) on the Desktop.
The first time the tool is run, it makes also another log (Addition.txt).
The logs are large; upload them using this, or upload to a site of your choosing. No account needed. Give us the links please.
http://www.zippyshare.com/
Instructions on how to use ZippyShare.
http://i.imgur.com/naG6t2T.gif
http://i.imgur.com/Vi9ZdIh.gif
http://i.imgur.com/1IZu5kP.gif



#22
November 21, 2014 at 02:26:33
There you go, sir:
https://www.mediafire.com/?72ucakw4...


#23
November 21, 2014 at 02:55:24
"There you go, sir"
Got 'em; it may take an hour or 2 to go through them.


#24
November 21, 2014 at 03:41:27
Copy & Paste the text below ( starting closeprocesses: ), save it into Notepad on your Desktop & name it fixlist.txt
NOTE: It is important that Notepad is used. The fix will not work if Word or some other program is used.
NOTE: It is important that both files, FRST/FRST64 and fixlist.txt are in the same location or the fix will not work.
NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.

closeprocesses:
emptytemp:
AlternateDataStreams: C:\Windows:{4B9A1497-0817-47C4-9612-D6A1C53ACF57}
AlternateDataStreams: C:\Users\Mohamed Mehdi\SkyDrive:ms-properties
AlternateDataStreams: C:\Users\Mohamed Mehdi\Downloads\noname.eml:OECustomProperty
YTD Video Downloader 4.7.3 (HKLM-x32\...\{1a413f37-ed88-4fec-9666-5c48dc4b7bb7}) (Version: 4.7.3 - GreenTree Applications SRL) <==== ATTENTION
Task: {683BECA0-0C0B-4B0C-ADE3-04B56599CF42} - \JetBoost_AutoUpdate No Task File <==== ATTENTION
Task: {9109D261-D4CF-4E5E-B0BC-368B071DCD2B} - \AutoKMS No Task File <==== ATTENTION
HKU\S-1-5-19\...\Winlogon: [Shell] C:\Windows\Explorer.exe [2374784 2014-08-23] (Microsoft Corporation) <==== ATTENTION
HKU\S-1-5-20\...\Winlogon: [Shell] C:\Windows\Explorer.exe [2374784 2014-08-23] (Microsoft Corporation) <==== ATTENTION
HKU\S-1-5-21-1701846874-164243455-3080674911-1002\...\Winlogon: [Shell] C:\Windows\Explorer.exe [2374784 2014-08-23] (Microsoft Corporation) <==== ATTENTION
HKU\S-1-5-18\...\Winlogon: [Shell] C:\Windows\Explorer.exe [2374784 2014-08-23] (Microsoft Corporation) <==== ATTENTION
GroupPolicyUsers\S-1-5-21-1701846874-164243455-3080674911-1002\User: Group Policy restriction detected <======= ATTENTION
CHR HKU\S-1-5-21-1701846874-164243455-3080674911-1002\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION
SearchScopes: HKLM -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = http://www.bing.com/search?q={searc...
SearchScopes: HKLM -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = http://www.bing.com/search?q={searc...
SearchScopes: HKLM -> {F0572533-8462-4212-91AD-57BDDCDF167C} URL = http://www.amazon.co.uk/s/ref=azs_o...
SearchScopes: HKLM-x32 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = http://www.bing.com/search?q={searc...
SearchScopes: HKLM-x32 -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = http://www.bing.com/search?q={searc...
SearchScopes: HKLM-x32 -> {F0572533-8462-4212-91AD-57BDDCDF167C} URL = http://www.amazon.co.uk/s/ref=azs_o...
SearchScopes: HKU\S-1-5-21-1701846874-164243455-3080674911-1002 -> DefaultScope {33BB0A4E-99AF-4226-BDF6-49120163DE86} URL =
SearchScopes: HKU\S-1-5-21-1701846874-164243455-3080674911-1002 -> {4187F0FC-AF41-4E4B-AE67-84C8FD35A0AE} URL = http://terra.im/search?q={searchTerms}
SearchScopes: HKU\S-1-5-21-1701846874-164243455-3080674911-1002 -> {F0572533-8462-4212-91AD-57BDDCDF167C} URL = http://www.amazon.co.uk/s/ref=azs_o...
Winlogon\Notify\igfxcui: igfxdev.dll [X]
S3 andnetndis; \SystemRoot\system32\DRIVERS\lgandnetndis64.sys [X]
S3 AthBTPort; \SystemRoot\system32\DRIVERS\btath_flt.sys [X]
S3 BTATH_A2DP; \SystemRoot\system32\drivers\btath_a2dp.sys [X]
S3 BTATH_HCRP; \SystemRoot\System32\drivers\btath_hcrp.sys [X]
S3 BTATH_LWFLT; \SystemRoot\system32\DRIVERS\btath_lwflt.sys [X]
S3 BTATH_RCP; \SystemRoot\System32\drivers\btath_rcp.sys [X]
AppInit_DLLs: C:\PROGRA~2\Amazon\AMAZON~1\AMAZON~2.DLL => C:\PROGRA~2\Amazon\AMAZON~1\AMAZON~2.DLL File Not Found
AppInit_DLLs-x32: , C:\PROGRA~2\Amazon\AMAZON~1\\AMAZON~3.DLL => "C:\PROGRA~2\Amazon\AMAZON~1\\AMAZON~3.DLL" File Not Found
Toolbar: HKLM - No Name - {CC1A175A-E45B-41ED-A30C-C9B1D7A0C02F} - No File
FF Plugin-x32: @pandonetworks.com/PandoWebPlugin -> C:\Program Files (x86)\Pando Networks\Media Booster\npPandoWebPlugin.dll No File
HKU\S-1-5-21-1701846874-164243455-3080674911-1002\...\MountPoints2: D - "D:\Autorun.exe"
HKU\S-1-5-21-1701846874-164243455-3080674911-1002\...\MountPoints2: {ce859296-47c2-11e4-bf7b-8480fa2f1566} - "F:\LG_PC_Programs.exe"

Run FRST/FRST64 and press the Fix button just once and wait.
If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.
When finished FRST will generate a log on the Desktop (Fixlog.txt). Please Copy & Paste the contents into your reply.

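The fixlist above acts on a handful of classic Windows persistence and hijack locations: per-user Winlogon Shell values, AppInit_DLLs in both registry views, TaskCache entries whose task file has gone missing ("No Task File"), cached MountPoints2 AutoRun commands, and alternate data streams. The script below is an added, read-only audit example; it is not part of the original post and not FRST's own code. It enumerates those same locations so you can see what a fix like this is acting on before running it. It assumes an elevated PowerShell prompt on Windows 8.1 or later; the two ADS target paths are an assumption you should edit for your own machine. Nothing is deleted.

```powershell
# Added example (not from the thread or FRST): read-only audit of the persistence
# locations named in the fixlist above. Run from an elevated PowerShell prompt.
$findings = New-Object System.Collections.Generic.List[object]
function Add-Finding($Check, $Location, $Value) {
    $findings.Add([pscustomobject]@{ Check = $Check; Location = $Location; Value = $Value })
}

# Every loaded user hive (S-1-5-18/19/20 are SYSTEM, LOCAL SERVICE, NETWORK SERVICE).
$hives = Get-ChildItem Registry::HKEY_USERS | Where-Object { $_.PSChildName -notlike '*_Classes' }

# 1. Per-user Winlogon\Shell. The shell is normally defined once, under HKLM; a Shell
#    value inside a user hive overrides it for that user and is a common hijack point.
foreach ($h in $hives) {
    $key = "Registry::HKEY_USERS\$($h.PSChildName)\Software\Microsoft\Windows NT\CurrentVersion\Winlogon"
    $shell = (Get-ItemProperty -Path $key -Name Shell -ErrorAction SilentlyContinue).Shell
    if ($shell) { Add-Finding 'Winlogon Shell (per-user)' $h.PSChildName $shell }
}

# 2. AppInit_DLLs in the native and WOW64 views. Listed DLLs are injected into every
#    process that loads user32.dll when LoadAppInit_DLLs is 1. A dangling entry
#    (file missing, like the Amazon DLLs above) still costs a failed load per process.
$appInitKeys = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows',
               'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows'
foreach ($key in $appInitKeys) {
    $p = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if ($p.AppInit_DLLs) {
        foreach ($dll in ($p.AppInit_DLLs -split '[ ,]+' | Where-Object { $_ })) {
            $exists = Test-Path ([Environment]::ExpandEnvironmentVariables($dll))
            Add-Finding "AppInit_DLLs (LoadAppInit_DLLs=$($p.LoadAppInit_DLLs))" $key "$dll  exists=$exists"
        }
    }
}

# 3. Scheduled tasks registered in TaskCache\Tree whose XML task file under
#    %SystemRoot%\System32\Tasks is gone: the "No Task File" condition FRST flags.
$tree = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree'
Get-ChildItem -Path $tree -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
    $id = (Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue).Id
    if ($id) {                                   # folder keys have no Id; task keys do
        $rel  = $_.Name -replace '^.*?\\TaskCache\\Tree\\', ''
        $file = Join-Path "$env:SystemRoot\System32\Tasks" $rel
        if (-not (Test-Path -LiteralPath $file)) { Add-Finding 'Task: No Task File' "\$rel" $id }
    }
}

# 4. MountPoints2 AutoRun commands cached per user: the command Explorer associated
#    with a volume's autorun.inf (e.g. "D:\Autorun.exe" in the fixlist above).
foreach ($h in $hives) {
    $mp = "Registry::HKEY_USERS\$($h.PSChildName)\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2"
    Get-ChildItem -Path $mp -Recurse -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -like '*\shell\AutoRun\command' } |
        ForEach-Object {
            $cmd = (Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue).'(default)'
            if ($cmd) { Add-Finding 'MountPoints2 AutoRun' $h.PSChildName $cmd }
        }
}

# 5. Alternate data streams on the kinds of paths the fixlist named. Named streams
#    ride along with a file or directory and are invisible to dir/Explorer; ":$DATA"
#    is the normal unnamed stream, anything else deserves a look.
$adsTargets = "$env:SystemRoot", "$env:USERPROFILE\Downloads"   # assumption: edit for your machine
foreach ($t in $adsTargets) {
    Get-Item -Path $t -Stream * -ErrorAction SilentlyContinue |
        Where-Object { $_.Stream -ne ':$DATA' } |
        ForEach-Object { Add-Finding 'AlternateDataStream' $t "$($_.Stream) ($($_.Length) bytes)" }
}

$findings | Format-Table -AutoSize -Wrap
```

Run it once before and once after a fix like the one above: the "after" run should come back empty for the items the fix claimed to remove, which is a cheaper check than reading the Fixlog line by line.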
#25
November 21, 2014 at 07:30:59
It looks like it didn't find some stuff:
Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 20-11-2014
Ran by Midou35000 at 2014-11-21 19:21:28 Run:1
Running from C:\Users\Mohamed Mehdi\Desktop
Loaded Profile: Midou35000 (Available profiles: Midou35000 & Administrator & Guest)
Boot Mode: Normal
==============================================

Content of fixlist:
*****************
closeprocesses:
emptytemp:
AlternateDataStreams: C:\Windows:{4B9A1497-0817-47C4-9612-D6A1C53ACF57}
AlternateDataStreams: C:\Users\Mohamed Mehdi\SkyDrive:ms-properties
AlternateDataStreams: C:\Users\Mohamed Mehdi\Downloads\noname.eml:OECustomProperty
YTD Video Downloader 4.7.3 (HKLM-x32\...\{1a413f37-ed88-4fec-9666-5c48dc4b7bb7}) (Version: 4.7.3 - GreenTree Applications SRL) <==== ATTENTION
Task: {683BECA0-0C0B-4B0C-ADE3-04B56599CF42} - \JetBoost_AutoUpdate No Task File <==== ATTENTION
Task: {9109D261-D4CF-4E5E-B0BC-368B071DCD2B} - \AutoKMS No Task File <==== ATTENTION
HKU\S-1-5-19\...\Winlogon: [Shell] C:\Windows\Explorer.exe [2374784 2014-08-23] (Microsoft Corporation) <==== ATTENTION
HKU\S-1-5-20\...\Winlogon: [Shell] C:\Windows\Explorer.exe [2374784 2014-08-23] (Microsoft Corporation) <==== ATTENTION
HKU\S-1-5-21-1701846874-164243455-3080674911-1002\...\Winlogon: [Shell] C:\Windows\Explorer.exe [2374784 2014-08-23] (Microsoft Corporation) <==== ATTENTION
HKU\S-1-5-18\...\Winlogon: [Shell] C:\Windows\Explorer.exe [2374784 2014-08-23] (Microsoft Corporation) <==== ATTENTION
GroupPolicyUsers\S-1-5-21-1701846874-164243455-3080674911-1002\User: Group Policy restriction detected <======= ATTENTION
CHR HKU\S-1-5-21-1701846874-164243455-3080674911-1002\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION
SearchScopes: HKLM -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = http://www.bing.com/search?q={searc...
SearchScopes: HKLM -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = http://www.bing.com/search?q={searc...
SearchScopes: HKLM -> {F0572533-8462-4212-91AD-57BDDCDF167C} URL = http://www.amazon.co.uk/s/ref=azs_o...
SearchScopes: HKLM-x32 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = http://www.bing.com/search?q={searc...
SearchScopes: HKLM-x32 -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = http://www.bing.com/search?q={searc...
SearchScopes: HKLM-x32 -> {F0572533-8462-4212-91AD-57BDDCDF167C} URL = http://www.amazon.co.uk/s/ref=azs_o...
SearchScopes: HKU\S-1-5-21-1701846874-164243455-3080674911-1002 -> DefaultScope {33BB0A4E-99AF-4226-BDF6-49120163DE86} URL =
SearchScopes: HKU\S-1-5-21-1701846874-164243455-3080674911-1002 -> {4187F0FC-AF41-4E4B-AE67-84C8FD35A0AE} URL = http://terra.im/search?q={searchTerms}
SearchScopes: HKU\S-1-5-21-1701846874-164243455-3080674911-1002 -> {F0572533-8462-4212-91AD-57BDDCDF167C} URL = http://www.amazon.co.uk/s/ref=azs_o...
Winlogon\Notify\igfxcui: igfxdev.dll [X]
S3 andnetndis; \SystemRoot\system32\DRIVERS\lgandnetndis64.sys [X]
S3 AthBTPort; \SystemRoot\system32\DRIVERS\btath_flt.sys [X]
S3 BTATH_A2DP; \SystemRoot\system32\drivers\btath_a2dp.sys [X]
S3 BTATH_HCRP; \SystemRoot\System32\drivers\btath_hcrp.sys [X]
S3 BTATH_LWFLT; \SystemRoot\system32\DRIVERS\btath_lwflt.sys [X]
S3 BTATH_RCP; \SystemRoot\System32\drivers\btath_rcp.sys [X]
AppInit_DLLs: C:\PROGRA~2\Amazon\AMAZON~1\AMAZON~2.DLL => C:\PROGRA~2\Amazon\AMAZON~1\AMAZON~2.DLL File Not Found
AppInit_DLLs-x32: , C:\PROGRA~2\Amazon\AMAZON~1\\AMAZON~3.DLL => "C:\PROGRA~2\Amazon\AMAZON~1\\AMAZON~3.DLL" File Not Found
Toolbar: HKLM - No Name - {CC1A175A-E45B-41ED-A30C-C9B1D7A0C02F} - No File
FF Plugin-x32: @pandonetworks.com/PandoWebPlugin -> C:\Program Files (x86)\Pando Networks\Media Booster\npPandoWebPlugin.dll No File
HKU\S-1-5-21-1701846874-164243455-3080674911-1002\...\MountPoints2: D - "D:\Autorun.exe"
HKU\S-1-5-21-1701846874-164243455-3080674911-1002\...\MountPoints2: {ce859296-47c2-11e4-bf7b-8480fa2f1566} - "F:\LG_PC_Programs.exe"
*****************

Processes closed successfully.
C:\Windows => ":{4B9A1497-0817-47C4-9612-D6A1C53ACF57}" ADS removed successfully.
"C:\Users\Mohamed Mehdi\SkyDrive" => ":ms-properties" ADS not found.
C:\Users\Mohamed Mehdi\Downloads\noname.eml => ":OECustomProperty" ADS removed successfully.
YTD Video Downloader 4.7.3 (HKLM-x32\...\{1a413f37-ed88-4fec-9666-5c48dc4b7bb7}) (Version: 4.7.3 - GreenTree Applications SRL) <==== ATTENTION => Error: No automatic fix found for this entry.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon\{683BECA0-0C0B-4B0C-ADE3-04B56599CF42}" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{683BECA0-0C0B-4B0C-ADE3-04B56599CF42}" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\JetBoost_AutoUpdate" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Boot\{9109D261-D4CF-4E5E-B0BC-368B071DCD2B}" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{9109D261-D4CF-4E5E-B0BC-368B071DCD2B}" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\AutoKMS" => Key deleted successfully.
HKU\S-1-5-19\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell => value deleted successfully.
HKU\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell => value deleted successfully.
HKU\S-1-5-21-1701846874-164243455-3080674911-1002\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell => value deleted successfully.
HKU\S-1-5-18\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell => value deleted successfully.
C:\Windows\system32\GroupPolicyUsers\S-1-5-21-1701846874-164243455-3080674911-1002\User => Moved successfully.
"HKU\S-1-5-21-1701846874-164243455-3080674911-1002\SOFTWARE\Policies\Google" => Key deleted successfully.
HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => Value was restored successfully.
"HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}" => Key deleted successfully.
"HKCR\CLSID\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}" => Key not found.
"HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{F0572533-8462-4212-91AD-57BDDCDF167C}" => Key deleted successfully.
"HKCR\CLSID\{F0572533-8462-4212-91AD-57BDDCDF167C}" => Key not found.
HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => Value was restored successfully.
"HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}" => Key deleted successfully.
"HKCR\Wow6432Node\CLSID\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}" => Key not found.
"HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\{F0572533-8462-4212-91AD-57BDDCDF167C}" => Key deleted successfully.
"HKCR\Wow6432Node\CLSID\{F0572533-8462-4212-91AD-57BDDCDF167C}" => Key not found.
HKU\S-1-5-21-1701846874-164243455-3080674911-1002\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => value deleted successfully.
"HKU\S-1-5-21-1701846874-164243455-3080674911-1002\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{4187F0FC-AF41-4E4B-AE67-84C8FD35A0AE}" => Key deleted successfully.
"HKCR\CLSID\{4187F0FC-AF41-4E4B-AE67-84C8FD35A0AE}" => Key not found.
"HKU\S-1-5-21-1701846874-164243455-3080674911-1002\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{F0572533-8462-4212-91AD-57BDDCDF167C}" => Key deleted successfully.
"HKCR\CLSID\{F0572533-8462-4212-91AD-57BDDCDF167C}" => Key not found.
"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui" => Key deleted successfully.
andnetndis => Service deleted successfully.
AthBTPort => Service deleted successfully.
BTATH_A2DP => Service deleted successfully.
BTATH_HCRP => Service deleted successfully.
BTATH_LWFLT => Service deleted successfully.
BTATH_RCP => Service deleted successfully.
"C:\PROGRA~2\Amazon\AMAZON~1\AMAZON~2.DLL" => Value Data removed successfully.
", C:\PROGRA~2\Amazon\AMAZON~1\\AMAZON~3.DLL" => Value Data removed successfully.
HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar\\{CC1A175A-E45B-41ED-A30C-C9B1D7A0C02F} => value deleted successfully.
"HKCR\CLSID\{CC1A175A-E45B-41ED-A30C-C9B1D7A0C02F}" => Key not found.
"HKLM\Software\Wow6432Node\MozillaPlugins\@pandonetworks.com/PandoWebPlugin" => Key deleted successfully.
"HKU\S-1-5-21-1701846874-164243455-3080674911-1002\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\S-1-5-21-1701846874-164243455-3080674911-1002" => Key not found.
"HKU\S-1-5-21-1701846874-164243455-3080674911-1002\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{ce859296-47c2-11e4-bf7b-8480fa2f1566}" => Key deleted successfully.
"HKCR\CLSID\{ce859296-47c2-11e4-bf7b-8480fa2f1566}" => Key not found.
EmptyTemp: => Removed 111.2 MB temporary data.


The system needed a reboot.

==== End of Fixlog ====


#26
November 21, 2014 at 12:24:47
"It looks like it didn't find some stuff:"
That's normal, bit by bit we will get you clean.

"hang and freze randomly"
Is it still doing that?

Download Security Check by screen317 from one of the following links and save it onto your Desktop. If your default download location is not the Desktop, drag it out of its location onto the Desktop.
http://screen317.spywareinfoforum.o...
http://screen317.changelog.fr/Secur...
Please restart the computer before running this security check.
* Double click SecurityCheck.exe. If you run Windows Vista or 7/8, right click and choose 'Run as Administrator'.
o If you are asked by Windows to run this program or not, please click 'Yes' or 'Run'.
o When you see a console window, press any key to continue scanning.
o Wait while it scans.
o If your firewall alerts you of Security Check, please press 'Allow' or similar.
* A Notepad document should open automatically after scan is completed. It will be called checkup.txt; Please Copy and Paste the contents into your reply.
Note: If a security program requests permission from dig.exe to access the Internet, allow it to do so.


#27
November 22, 2014 at 00:50:07
"Is it still doing that?"
Yeah :(
There you go:
Results of screen317's Security Check version 0.99.90
x64 (UAC is enabled)
Internet Explorer 11
[b][u]``````````````Antivirus/Firewall Check:``````````````[/b][/u]
Windows Firewall Enabled!
Windows Defender
avast! Antivirus
Antivirus up to date!
[b][u]`````````Anti-malware/Other Utilities Check:`````````[/b][/u]
AVG PC TuneUp 2014 (en-GB)
Wise Disk Cleaner 8.35
Adobe Flash Player 15.0.0.189
Google Chrome (38.0.2125.111)
Google Chrome (39.0.2171.65)
Google Chrome (chrome.exe..)
Google Chrome (debug.log..)
Google Chrome (Dictionaries...)
Google Chrome (master_preferences...)
[b][u]````````Process Check: objlist.exe by Laurent````````[/b][/u]
AVAST Software Avast AvastSvc.exe
AVAST Software Avast afwServ.exe
AVAST Software Avast avastui.exe
[b][u]`````````````````System Health check`````````````````[/b][/u]
Total Fragmentation on Drive C: %
[b][u]````````````````````End of Log``````````````````````[/b][/u]

#28
November 22, 2014 at 01:01:40
Avast have just released an update, to fix a few problems they have been having. Update Avast & test for freezing.

#29
November 22, 2014 at 01:30:15
After updating Avast, I still suspect you have other stuff lurking.

Run ESET Online Scanner, Copy and Paste the contents of the log in your reply please. This scan may take a very long while, so please be patient. Maybe start it before going to work or bed.
http://www.eset.com/us/online-scann...
http://www.eset.com/home/products/o...
If your comp is unbootable, or won't let you download, you will have to download ESET from a good computer, put it on a flash/thumb/pen/usb drive & run it from there.
Create a ESET SysRescue CD or USB drive
http://kb.eset.com/esetkb/index?pag...
How do I use my ESET SysRescue CD or USB flash drive to scan and clean my system?
http://kb.eset.com/esetkb/index?pag...
Configure ESET this way & disable your AV.
http://i.imgur.com/3U7YC.gif
How to Temporarily Disable your Anti-virus
http://www.bleepingcomputer.com/for...
http://www.techsupportforum.com/for...
Which web browsers are compatible with ESET Online Scanner?
http://www.nod32.fi/eset-online-sca...
http://kb.eset.com/esetkb/index?pag...
Online Scanner not working
http://kb.eset.com/esetkb/index?pag...
Why Would I Ever Need an Online Virus Scanner? I already have an antivirus program installed, isn't that enough?
http://www.squidoo.com/the-best-fre...
Once onto a machine, malware can disable antivirus programs, prevent antimalware programs from downloading updates, or prevent a user from running antivirus scans or installing new antivirus software or malware removal tools. At this point even though you are aware the computer is infected, removal is very difficult.
5: Why does the ESET Online Scanner run slowly on my computer?
If you have other antivirus, antispyware or anti-malware programs running on your computer, they may intercept the scan being performed by the ESET Online Scanner and hinder performance. You may wish to disable the real-time protection components of your other security software before running the ESET Online Scanner. Remember to turn them back on after you are finished.
17: How can I view the log file from ESET Online Scanner?
http://kb.eset.com/esetkb/index?pag...
http://www.eset.com/home/products/o...
The ESET Online Scanner saves a log file after running, which can be examined or sent in to ESET for further analysis. The path to the log file is "C:\Program Files\EsetOnlineScanner\log.txt". You can view this file by navigating to the directory and double-clicking on it in Windows Explorer, or by copying and pasting the path specification above (including the quotation marks) into the Start → Run dialog box from the Start Menu on the Desktop.
If no threats are found, you will simply see an information window that no threats were found.
http://www.trishtech.com/security/s...

message edited by Johnw


Report •

#30
November 22, 2014 at 02:00:03
Wait, wait, I can't understand what you want to say. Do you mean I have to download it on another PC, or is it fine to do it on this one?

#31
November 22, 2014 at 02:10:54
Only if you have these conditions.
" if your comp is unbootable, or won't let you download"

#32
November 22, 2014 at 02:50:07
Oh OK, I downloaded and ran it and it's scanning at 31%; it has found 1 infected file so far....

#33
November 22, 2014 at 05:49:04
The scan is done after 3 hours, but I ticked delete data and everything, even the log file, is deleted. What can I do? It found 4 infected files and fixed them all, and I went to C:\Program Files\EsetOnlineScanner\log.txt but it's not there.
Any idea?

#34
November 22, 2014 at 08:15:39
"Any idea?"
As per my previous link.

How can I view the log file from ESET Online Scanner?
http://kb.eset.com/esetkb/index?pag...

(on 64-bit systems this directory will be "C:\Program Files (x86)\ESET\Esetonlinescanner\log.txt")


#35
November 22, 2014 at 09:25:11
I know, I went there but I can't find the log file; there are 3 exe files only.
What shall I do now??

#36
November 22, 2014 at 14:08:46
"I know, I went there but I can't find the log file; there are 3 exe files only.
What shall I do now??"

You said, you went here. The link says go to a different place.

1: C:\Program Files\EsetOnlineScanner\log.txt ( wrong )
2: C:\Program Files (x86)\ESET\Esetonlinescanner\log.txt ( correct )


#37
November 23, 2014 at 03:27:59
Yes sir, I went to C:\Program Files (x86)\ESET\Esetonlinescanner\log.txt but I can't find it, and bear in mind that it will take 3 hours to scan again.

#38
November 23, 2014 at 03:35:21
I just did a search for ESET on a W8.1 comp, here is another place it is kept.

C:\Program Files\ESET\ESET Online Scanner

Do a search on your comp yourself, if this is not the right place on yours.

message edited by Johnw


#39
November 23, 2014 at 03:46:05
I did a search in the C drive; there is completely nothing except an uninstaller.exe and one exe file only.

#40
November 23, 2014 at 03:53:46
I give up, no idea why ESET & the log are not showing on a search.

Shall have to give up; at least we know it found 4 files.

Run DelFix
https://toolslib.net/downloads/view...
DelFix is designed to delete all removal tools used during a disinfection.
Indeed, these tools are often updated. It's recommended not to have and use outdated versions on your computer.
It's compatible with Windows XP, Vista, 7, 8 in 32 & 64 bits.
Run the tool by right click on the DelFix icon and Run as administrator option.
Make sure that these ones are checked:
Remove disinfection tools
Purge system restore
Reset system settings
Click Run and wait until the tool completes its work.
All tools we used should be gone. The tool will create a report for you (C:\DelFix.txt)


#41
November 23, 2014 at 10:16:37
There you go, and wait, I remember that ESET removed 2 trojan files and two other things; anyway, there you have the log:
# DelFix v10.8 - Logfile created 23/11/2014 at 22:13:40
# Updated 29/07/2014 by Xplode
# Username : Midou35000 - MIDOU
# Operating System : Windows 8.1 Single Language (64 bits)

~ Removing disinfection tools ...

Deleted : C:\Users\Mohamed Mehdi\Desktop\SecurityCheck.exe
Deleted : C:\Users\Mohamed Mehdi\Downloads\AdwCleaner.exe
Deleted : C:\Users\Mohamed Mehdi\Downloads\esetsmartinstaller_enu.exe
Deleted : C:\Users\Mohamed Mehdi\Downloads\FRST64.exe
Deleted : C:\Users\Mohamed Mehdi\Downloads\JRT.exe
Deleted : C:\Users\Mohamed Mehdi\Downloads\RKreport_DEL_11192014_182435.log
Deleted : C:\Users\Mohamed Mehdi\Downloads\RogueKillerX64.exe
Deleted : C:\Users\Mohamed Mehdi\Downloads\SecurityCheck.exe
Deleted : C:\Users\Mohamed Mehdi\Downloads\TFC.exe
Deleted : HKLM\SOFTWARE\AdwCleaner

~ Cleaning system restore ...

Deleted : RP #478 [Scheduled Checkpoint | 11/18/2014 06:20:06]
Deleted : RP #480 [Windows Modules Installer | 11/21/2014 09:46:36]
Deleted : RP #481 [Registry add:BFE | 11/22/2014 07:44:11]

New restore point created !

~ Resetting system settings ... OK

########## - EOF - ##########


#42
November 23, 2014 at 14:51:37
Is it still freezing?

#43
November 23, 2014 at 14:52:29
✔ Best Answer
As you can see from your logs, you had stuff installed that you do not know how it had been installed.
A lot of programs now give you the choice to install toolbars & other things during the install. Either uncheck these items during install, or use Custom install. No more click, click during an install; you have to read after each click.

I use Softpedia; down at the bottom of the page, they make you aware of what ad-supported programs the author of the program has included.
Sample pages
http://www.softpedia.com/get/CD-DVD...
First and foremost, extra attention needs to be paid during installation as ImgBurn offers to create desktop shortcuts to third-party apps, as well as install a browser toolbar onto the host computer, which are not required to ensure the smooth running of the app.
SS of above.
http://i.imgur.com/jgGYNsP.gif
This is what ImgBurn tries to install.
http://i.imgur.com/ms4DzE9.gif
http://i.imgur.com/vVkd39a.gif
http://i.imgur.com/rqFVaHs.gif
http://i.imgur.com/sm1T7h6.gif
http://i.imgur.com/vhkKLYo.gif

Use Unchecky to help prevent these third party installs. Nothing is perfect, the baddies are always ahead of the goodies, so be vigilant.
http://www.softpedia.com/get/System...
http://unchecky.com/
A reliable application that aims to protect your computer against third-party components often offered during software installations.


#44
November 24, 2014 at 05:46:09
Thanks, I ran Unchecky and it's working, because I tried it on the ImgBurn exe file.
"Is it still freezing?"
Give me a day and I will reply yes or no.

#45
November 24, 2014 at 06:33:49
"Give me a day and I will reply yes or no."
Ok, I'm just going to bed.


#46
November 25, 2014 at 04:19:37
Yay!!! I can't believe it worked, thank you so much my brother, you are the best. I am a C++ programmer and admit that you beat Microsoft in troubleshooting this problem, WOW!!!
Thanks brother.

#47
November 25, 2014 at 08:18:15
Nicely done and good to hear you won the battle together.

Always pop back and let us know the outcome - thanks


#48
November 25, 2014 at 13:34:42
"Yay!!! I can't believe it worked, thank you so much"

Extract from the Addition log.
"System errors:
=============
Error: (11/21/2014 02:21:15 PM) (Source: disk) (EventID: 7) (User: )
Description: The device, \Device\Harddisk0\DR0, has a bad block."

Let's confirm the above with another chkdsk scan. Maybe all the other stuff was giving a false positive.

Check Disk (chkdsk) - Read Event Viewer Log
http://www.sevenforums.com/tutorial...
Administrative Tools - Event Viewer - Windows Logs - Application - click on 'Source' at the top to sort in ascending/descending order. Locate 'Wininit' and click on it to view.

Let me see the log please.

message edited by Johnw

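The two pieces of evidence the post above asks for can be pulled straight from the event logs without clicking through Event Viewer. This script is an added example, not part of the original post: it reads the boot-time chkdsk report (autochk writes it to the Application log under the Wininit source as Event ID 1001), the disk driver's error events from the System log (ID 7 bad block, which is the line quoted from the Addition log, plus 11 controller error and 51 paging I/O error), and the drive's own SMART failure-prediction flag. It assumes an elevated PowerShell prompt on Windows 8.1; the output file path is an assumption, pick any writable location.

```powershell
# Added example (not from the thread): collect chkdsk results and disk-error evidence
# from the event logs instead of hunting for them in Event Viewer. Elevated prompt.

function Get-ChkdskReport {
    # autochk (chkdsk scheduled for the next boot) reports to Application\Wininit,
    # event 1001. Both provider spellings are passed because the display name is
    # "Wininit" while the manifest name is "Microsoft-Windows-Wininit".
    $filter = @{ LogName = 'Application'; ProviderName = 'Microsoft-Windows-Wininit', 'Wininit'; Id = 1001 }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'Checking file system|chkdsk|bad (clusters|sectors)' } |
        Sort-Object TimeCreated -Descending
}

function Get-DiskErrors {
    param([int]$Days = 30)
    # The "disk" driver logs bad blocks as ID 7, controller errors as 11 and paging
    # I/O errors as 51. Repeated hits on the same \Device\Harddisk0\DRn point at the
    # drive rather than at the software above it.
    $filter = @{ LogName = 'System'; ProviderName = 'disk'; Id = 7, 11, 51; StartTime = (Get-Date).AddDays(-$Days) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, @{ n = 'Device'; e = { ($_.Message -split '\r?\n')[0] } } |
        Sort-Object TimeCreated -Descending
}

function Get-DriveHealth {
    # Storage-module view (Windows 8 and later) plus the WMI SMART failure-prediction bit.
    Get-PhysicalDisk -ErrorAction SilentlyContinue |
        Select-Object FriendlyName, MediaType, HealthStatus, OperationalStatus
    Get-WmiObject -Namespace root\wmi -Class MSStorageDriver_FailurePredictStatus -ErrorAction SilentlyContinue |
        Select-Object InstanceName, PredictFailure, Reason
}

# --- run everything and save it for posting ---
$report = "$env:USERPROFILE\Desktop\disk-evidence.txt"   # assumption: any writable path will do
"=== Latest chkdsk report ===" | Out-File $report
Get-ChkdskReport | Select-Object -First 1 | ForEach-Object { $_.TimeCreated; $_.Message } | Out-File $report -Append
"`n=== disk driver errors (last 30 days) ===" | Out-File $report -Append
$diskErrors = Get-DiskErrors
$diskErrors | Format-Table -AutoSize | Out-File $report -Append
"`n=== drive health ===" | Out-File $report -Append
Get-DriveHealth | Format-List | Out-File $report -Append

# Summarise: how many disk errors, and on which device, so the "replace the drive
# or not" decision rests on a count and a trend rather than on one quoted line.
$diskErrors | Group-Object Device | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize
Write-Host "Full evidence written to $report"
```

A single ID 7 event can be a one-off remap; a growing count against the same \Device\HarddiskN\DRn across days, together with PredictFailure set to True, is the pattern that means the drive, not the malware cleanup, is what needs replacing.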
#49
November 26, 2014 at 06:09:28
"Extract from the Addition log"
Sorry, I don't get it,
and do I really have to do the chkdsk scan? Because it will take a whole day, at 11%, to finish.
And Derek, you were following us silently! lol, you too did good, my friend.

#50
November 26, 2014 at 14:55:06
"Sorry, I don't get it,
and do I really have to do the chkdsk scan? Because it will take a whole day, at 11%, to finish"
As it stands at the moment, going on the previous chkdsk report, you now need to replace your hard drive, it is failing.

#51
November 27, 2014 at 03:09:28
So, you think I should change my hard drive and buy a new one?? (Bear in mind that this is a Sleekbook.)

#52
November 27, 2014 at 15:18:33
"So, you think I should change my hard drive and buy a new one??"
The call is yours, you have the info from the logs.

Personally, I wouldn't do anything, until I run chkdsk again.


#53
November 27, 2014 at 22:58:42
OK John, I will run the chkdsk scan and give you the log.
Oh no! It happened to me again, it froze again. Looks like the problem is not fixed, I'm sorry :(

#54
November 27, 2014 at 23:10:57
We know you're clean; it more than likely now comes down to a failing drive. Shall wait for the chkdsk result.

#55
November 27, 2014 at 23:14:06
OK, will run it and give you the results. It will take a whole day to scan, so I will probably give you the results tomorrow.
