Task Manager show IE app running, but browser is closed

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by ttnicker, Dec 29, 2014.

  1. ttnicker

    ttnicker Private E-2

    Hi, I'm running Win 7 Home Premium 64-bit with 4 GB RAM. I am having browser hijacking issues. With the browser closed, Task Manager - Applications shows the following link running:
    http://zen.esrvadspix.com/?s=11-Internet Explorer
    This may change to "Reimage Repair" or "Privacy l AdRoll-Internet Explorer" etc. Task Manager is unable to end this application and the CPU usage is pegged at 100%. With the browser closed I also get 3-second sound bites popping up randomly. I ran the Read and Run Me First procedure and have attached the resulting logs. Thanks
     

    Attached Files:

  2. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Uninstall one of these:
    Avast Free Antivirus
    Norton Internet Security

    You have remnants of other AV software as well.

    Rerun RogueKiller and have it fix these items:
    Code:
    ¤¤¤ Registry : 31 ¤¤¤
    [PUP] (X64) HKEY_CLASSES_ROOT\CLSID\{56561B2A-FB5D-363A-9631-4C03D6054209} -> Found
    [PUP] (X64) HKEY_CLASSES_ROOT\CLSID\{A717364F-69F3-3A24-ADD5-3901A57F880E} -> Found
    [PUP] (X64) HKEY_CLASSES_ROOT\CLSID\{CCB08265-B35D-30B2-A6AF-6986CA957358} -> Found
    [PUP] (X64) HKEY_CLASSES_ROOT\CLSID\{CD92622E-49B9-33B7-98D1-EC51049457D7} -> Found
    [PUP] (X64) HKEY_CLASSES_ROOT\CLSID\{E041E037-FA4B-364A-B440-7A1051EA0301} -> Found
    [PUP] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{95B7759C-8C7F-4BF1-B163-73684A933233} -> Found
    [PUP] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\netfilter64 (system32\drivers\netfilter64.sys) -> Found
    [PUP] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\70e6ca8c ("C:\Windows\system32\rundll32.exe" "c:\progra~2\optimi~1\OptProCrashSvc.dll",ServiceMain) -> Found
    [PUP] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\APNMCP ("C:\Program Files (x86)\AskPartnerNetwork\Toolbar\apnmcp.exe") -> Found
    [PUP] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\BackupStack (C:\Program Files (x86)\JustCloud\BackupStack.exe) -> Found
    [PUP] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Level Quality Watcher (C:\Program Files\Level Quality Watcher\v1.01\levelqualitywatcher64.exe run options=01110010010000000000000000000000 sourceguid=BBA5481A-926B-4561-BD79-249F618495E6) -> Found
    [PUP] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\netfilter64 (system32\drivers\netfilter64.sys) -> Found
    [PUP] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NewPlayerUpdaterService ("C:\Program Files (x86)\NewPlayer\NewPlayerUpdaterService.exe") -> Found
    [PUP] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Re-markit (C:\Program Files (x86)\Re-markit-soft\Re-markit157.exe) -> Found
    [PUP] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SavingsbullFilterService64 (c:\Program Files\SavingsbullFilter\SavingsbullFilterService64.exe) -> Found
    [PUP] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Update Mega Browse ("C:\Program Files (x86)\Mega Browse\updateMegaBrowse.exe") -> Found
    [PUP] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Util Mega Browse ("C:\Program Files (x86)\Mega Browse\bin\utilMegaBrowse.exe") -> Found
    [PUP] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\netfilter64 (system32\drivers\netfilter64.sys) -> Found
    [PUP] (X64) HKEY_LOCAL_MACHINE\System\ControlSet003\Services\netfilter64 (system32\drivers\netfilter64.sys) -> Found
     ¤¤¤ Web browsers : 1 ¤¤¤
    [PUM.HomePage][FIREFX:Config] zwja03j1.default : user_pref("browser.startup.homepage", "http://services.freshy.com/general/newhometab.php?hometab=home&partner=11083&guid={28E8390A-D5B9-4794-A716-C69008D11A98}&i="); -> Found
    Now rerun Hitman and have it remove all it finds.

    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    After clicking Fix, exit HJT.

    Reboot and rescan with both RogueKiller and Hitman and attach the new logs.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator).

    Attach the new MGLogs.zip.
     
  3. ttnicker

    ttnicker Private E-2

    Thanks for your help TimW. I did as you instructed. After fix with HijackThis, I rebooted and rescanned with RogueKiller & Hitman, but did not do a fix. I then ran MGtools\GetLogs.bat and attached the logs as requested.
     

    Attached Files:

  4. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    You need to fix what Hitman found.
     
  5. ttnicker

    ttnicker Private E-2

    Ok, I removed what Hitman found and attempted to reboot, but got a blue screen on shutdown. The system did recover and booted up normally. However, IE now takes about 70 sec to open and the web pages 50 sec to load. I also notice that the extra IE app no longer appears in Task Manager.
     

    Attached Files:

  6. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    You are malware free, but let's clean up some things:

    Download OTM by Old Timer and save it to your Desktop.

    • Right-click OTM.exe and select "Run as administrator" to run it.
    • Paste the following code under the Paste List of Files/Folders to Move area. Do not include the word Code.

    Code:
    :Processes
    explorer.exe
    
    :files
    C:\ProgramData\AVG2014
    C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Norton Internet Security
    C:\Program Files (x86)\AVG
    C:\Program Files (x86)\Norton Internet Security
    C:\Program Files (x86)\NortonInstaller
    C:\Users\ROLDON\AppData\Local\Temp\*.*
    
    :reg
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\AVG_UI]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\Optimizer Pro]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\Price Finder]
    
    :Commands
    [purity]
    [ResetHosts]
    [emptytemp]
    [start explorer]
    [Reboot]
    • Return to OTM, right click in the Paste List of Files/Folders to Move window (under the yellow bar) and choose Paste.
    • Push the large MoveIt! button.
    • OTM may ask to reboot the machine. Please do so if asked.
    • Copy everything in the Results window (under the green bar), and paste it in your next reply.

    Now navigate to the C:\_OTM\MovedFiles folder ( assuming your Windows drive is C). This is where your log will be saved in the form of Date and Time mmddyyyy_hhmmss.log. Just look for the most recent .log file. Attach this log file to your next message.

    Your other issues will probably need to be addressed in the software forum.
     
  7. ttnicker

    ttnicker Private E-2

    Hi TimW, I powered up PC today and browser response is back to normal. However the original problem of IE app running in Task manager and the background sound is back. Is there any of the previous steps I need to repeat, or should I just continue and run OTM? I have attached a snapshot of task manager.
     

    Attached Files:

  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    ??

    Items I saw in the last RogueKiller and MGlogs.zip
    Also in newfiles.txt
    Code:
                                                    
    d-----w                 0 2014-10-03 16:01:32  C:\ProgramData\34BE82C4-E596-4e99-A191-52C6199EBF69
    d-----w                 0 2014-12-02 14:13:04  C:\ProgramData\a87507b9479321a6
    d-----w                 0 2014-12-05 08:34:09  C:\ProgramData\AA80FE27E3F3DC33A5533E86B655608E
    d-----w                 0 2014-12-10 12:11:50  C:\ProgramData\AVG2014
    d-----w                 0 2014-12-10 12:11:51  C:\ProgramData\Optimizer
    d-----w                 0 2014-12-05 08:36:41  C:\ProgramData\PRinceeCouppon
    d-----w                 0 2014-12-29 00:35:08  C:\ProgramData\ProductData
    d-----w                 0 2014-12-05 08:40:03  C:\ProgramData\SalesCheeckker
    d-----w                 0 2014-12-05 08:40:31  C:\ProgramData\TicTACoouuponi
    d-----w                 0 2014-12-05 08:40:31  C:\ProgramData\TiicuTaaCooupon
    d-----w                 0 2014-12-04 12:15:42  C:\ProgramData\WorldWideWebCoupon
    d-----w                 0 2014-12-06 17:51:11  C:\ProgramData\{BAF091CA-86C4-4627-ADA1-897E2621C1B0}
    d-----w                 0 2014-12-16 16:04:42  C:\ProgramData\Microsoft\Windows\Start Menu\Programs\AVG
    d-----w                 0 2014-12-10 12:11:43  C:\Program Files (x86)\52f152d5-4a4c-41e8-b98b-404fc82db112
    d-----w                 0 2014-12-05 08:17:52  C:\Program Files (x86)\AnyProtectEx
    d-----w                 0 2014-12-06 13:51:22  C:\Program Files (x86)\AVG SafeGuard toolbar
    d-----w                 0 2014-12-05 08:29:42  C:\Program Files (x86)\DealiciousCoupons
    d-----w                 0 2014-12-06 21:31:06  C:\Program Files (x86)\PCTRunner
    
    And in runkeys.txt
    Code:
    
    ----a-w-                380  2014-03-17 00:14:46 C:\Windows\tasks\APSnotifierPP1.job
    ----a-w-                378  2014-03-16 23:45:40 C:\Windows\tasks\APSnotifierPP2.job
    ----a-w-                378  2014-03-16 23:45:41 C:\Windows\tasks\APSnotifierPP3.job
    ----a-w-              2,832  2014-03-16 23:43:29 C:\Windows\system32\tasks\APSnotifierPP1
    ----a-w-              2,830  2014-03-16 23:43:29 C:\Windows\system32\tasks\APSnotifierPP2
    ----a-w-              2,830  2014-03-16 23:43:30 C:\Windows\system32\tasks\APSnotifierPP3
    d-----w-                  0  2013-06-04 00:06:14 C:\Windows\system32\tasks\Norton Internet Security
    ----a-w-              3,234  2011-12-25 09:11:49 C:\Windows\system32\tasks\Norton WSC Integration
    
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\AboutURLs]
    "Tabs"="http://services.freshy.com/general/newhometab.php?hometab=home&partner=11083&guid={28E8390A-D5B9-4794-A716-C69008D11A98}&i="
    
    
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\C:^Users^ROLDON^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^MyPC Backup.lnk]
    "path"="C:\\Users\\ROLDON\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\MyPC Backup.lnk"
    "backup"="C:\\Windows\\pss\\MyPC Backup.lnk.Startup"
    "location"="C:\\Users\\ROLDON\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup"
    "backupExtension"=".Startup"
    "command"="C:\\PROGRA~2\\MYPCBA~1\\MYPCBA~1.EXE "
    "item"="MyPC Backup"
    "YEAR"=dword:000007de
    "MONTH"=dword:00000003
    "DAY"=dword:00000016
    "HOUR"=dword:00000009
    "MINUTE"=dword:00000029
    "SECOND"=dword:0000001d
    
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\ApnUpdater]
    "key"="SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="ApnUpdater"
    "hkey"="HKLM"
    "command"="\"C:\\Program Files (x86)\\Ask.com\\Updater\\Updater.exe\""
    "inimapping"="0"
    "YEAR"=dword:000007de
    "MONTH"=dword:00000003
    "DAY"=dword:00000016
    "HOUR"=dword:00000009
    "MINUTE"=dword:00000029
    "SECOND"=dword:0000001d
    
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\vProt]
    "key"="SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="vProt"
    "hkey"="HKLM"
    "command"="\"C:\\Program Files (x86)\\AVG SafeGuard toolbar\\vprot.exe\""
    "inimapping"="0"
    "YEAR"=dword:000007de
    "MONTH"=dword:0000000c
    "DAY"=dword:0000000c
    "HOUR"=dword:00000002
    "MINUTE"=dword:0000002d
    "SECOND"=dword:0000000e
    
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\state]
    "startup"=dword:00000002
    "services"=dword:00000000
    
     
    Last edited: Dec 30, 2014
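The runkeys.txt excerpt above is a registry export. MSConfig's startupreg and startupfolder keys are where items disabled through MSConfig get parked, each with the Run key or Startup folder it came from, its command line, and YEAR..SECOND dwords recording when it was parked; the AboutURLs "Tabs" value overrides IE's about:Tabs page. As an added example (it is not part of this thread and not a MajorGeeks or RogueKiller tool), the following Python parses that .reg-style text, decodes the dword values, lists the parked items with their parking timestamp, reports the MSConfig state "startup" dword, flags an AboutURLs entry that points outside a res:// page, and emits the `[-KEY]` deletion lines in the OTM `:Reg` syntax used by the fixes in this thread. The sample text is a constructed subset of the excerpt above; the function names are the example's own.

```python
import re
from datetime import datetime

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")            # [HKEY_...\path]
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<raw>.*)$')  # "name"=<encoded value>
MSCONFIG = r"hkey_local_machine\software\microsoft\shared tools\msconfig"


def decode_value(raw: str):
    """dword:<hex> -> int; a "quoted" string has its backslash escapes removed; else untouched."""
    if raw.startswith("dword:"):
        return int(raw[6:], 16)
    if len(raw) >= 2 and raw[0] == raw[-1] == '"':
        return re.sub(r"\\(.)", r"\1", raw[1:-1])
    return raw


def parse_reg_export(text: str) -> dict:
    """{key_path: {value_name: decoded_value}} for a .reg-style listing."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        km = KEY_RE.match(line)
        if km:
            current = km.group("key")
            keys.setdefault(current, {})
            continue
        vm = VALUE_RE.match(line)
        if vm and current is not None:
            keys[current][vm.group("name")] = decode_value(vm.group("raw"))
    return keys


def msconfig_parked_items(keys: dict) -> list:
    """Entries MSConfig has disabled: origin, command, and when they were parked (YEAR..SECOND)."""
    items = []
    for key, v in keys.items():
        k = key.lower()
        if not (k.startswith(MSCONFIG + "\\startupreg\\") or k.startswith(MSCONFIG + "\\startupfolder\\")):
            continue
        try:
            when = datetime(v["YEAR"], v["MONTH"], v["DAY"], v["HOUR"], v["MINUTE"], v["SECOND"])
        except (KeyError, ValueError):
            when = None
        items.append({"reg_key": key, "item": v.get("item"), "command": v.get("command"),
                      "origin": v.get("key") or v.get("location"), "parked_at": when})
    return sorted(items, key=lambda i: i["reg_key"].lower())


def msconfig_startup_mode(keys: dict):
    """The MSConfig 'state' startup dword; the fix in this thread writes 0 (Normal startup) back."""
    state = {k.lower(): v for k, v in keys.items()}.get(MSCONFIG + "\\state", {})
    return state.get("startup")


def hijacked_about_urls(keys: dict) -> dict:
    """IE AboutURLs values that point somewhere other than a built-in res:// page."""
    for key, v in keys.items():
        if key.lower().endswith("\\internet explorer\\abouturls"):
            return {n: u for n, u in v.items() if isinstance(u, str) and not u.lower().startswith("res://")}
    return {}


def otm_reg_lines(items: list) -> list:
    """OTM ':Reg' deletion lines for the parked entries (the syntax the fixes in this thread use)."""
    return [f"[-{i['reg_key']}]" for i in items]


# Constructed sample: a subset of the runkeys.txt excerpt quoted above.
SAMPLE_RUNKEYS = r'''
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\AboutURLs]
"Tabs"="http://services.freshy.com/general/newhometab.php?hometab=home&partner=11083&guid={28E8390A-D5B9-4794-A716-C69008D11A98}&i="

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\ApnUpdater]
"key"="SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ApnUpdater"
"command"="\"C:\\Program Files (x86)\\Ask.com\\Updater\\Updater.exe\""
"YEAR"=dword:000007de
"MONTH"=dword:00000003
"DAY"=dword:00000016
"HOUR"=dword:00000009
"MINUTE"=dword:00000029
"SECOND"=dword:0000001d

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\vProt]
"key"="SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="vProt"
"command"="\"C:\\Program Files (x86)\\AVG SafeGuard toolbar\\vprot.exe\""
"YEAR"=dword:000007de
"MONTH"=dword:0000000c
"DAY"=dword:0000000c
"HOUR"=dword:00000002
"MINUTE"=dword:0000002d
"SECOND"=dword:0000000e

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\state]
"startup"=dword:00000002
"services"=dword:00000000
'''

if __name__ == "__main__":
    parsed = parse_reg_export(SAMPLE_RUNKEYS)
    for it in msconfig_parked_items(parsed):
        print(it["parked_at"], it["item"], "<-", it["origin"], "|", it["command"])
    print("startup mode:", msconfig_startup_mode(parsed), "| hijacked:", hijacked_about_urls(parsed))
```

Decoding the dwords gives 2014-03-22 09:41:29 for ApnUpdater and 2014-12-12 02:45:14 for vProt. MSConfig keeps its own copy of the command line under these keys, so a parked entry survives the uninstall of the program it pointed at, which is why the fixes in this thread delete the startupreg keys directly and then put MSConfig back into Normal startup.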
  9. ttnicker

    ttnicker Private E-2

    Should I rerun RogueKiller and HitmanPro and post new logs?
     
  10. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Use Add/remove programs to uninstall:
    AnyProtect
    PRinceeCouppon
    SalesCheeckker
    SavingsBull


    Please disable all anti-virus and anti-spyware programs while we do the following (re-enable when you are finished):

    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    After clicking Fix, exit HJT.

    Rerun RogueKiller and have it fix these items:
    Code:
    ¤¤¤ Processes : 1 ¤¤¤
    [Suspicious.Path] explorer.exe -- C:\Users\ROLDON\AppData\Roaming\ernden\berdis.dll[-] -> Unloaded
    
    ¤¤¤ Registry : 4 ¤¤¤
    [PUM.Proxy] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyServer : http=127.0.0.1:8800;https=127.0.0.1:8800 -> Not selected
    [PUM.Proxy] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyServer : http=127.0.0.1:8800;https=127.0.0.1:8800 -> Not selected
    • Right-click OTM.exe and select "Run as administrator" to run it.
    • Paste the following code under the Paste List of Files/Folders to Move area. Do not include the word Code.

    Code:
    :Processes
    explorer.exe
    :files
    C:\Windows\tasks\APSnotifierPP1.job
    C:\Windows\tasks\APSnotifierPP2.job
    C:\Windows\tasks\APSnotifierPP3.job
    C:\Windows\system32\tasks\APSnotifierPP1
    C:\Windows\system32\tasks\APSnotifierPP2
    C:\Windows\system32\tasks\APSnotifierPP3
    C:\Windows\system32\tasks\Norton Internet Security
    C:\Windows\system32\tasks\Norton WSC Integration
    C:\ProgramData\34BE82C4-E596-4e99-A191-52C6199EBF69
    C:\ProgramData\a87507b9479321a6
    C:\ProgramData\AA80FE27E3F3DC33A5533E86B655608E
    C:\ProgramData\AVG2014
    C:\ProgramData\Optimizer
    C:\ProgramData\PRinceeCouppon
    C:\ProgramData\ProductData
    C:\ProgramData\SalesCheeckker
    C:\ProgramData\TicTACoouuponi
    C:\ProgramData\TiicuTaaCooupon
    C:\ProgramData\WorldWideWebCoupon
    C:\ProgramData\{BAF091CA-86C4-4627-ADA1-897E2621C1B0}
    C:\ProgramData\Microsoft\Windows\Start Menu\Programs\AVG
    C:\Program Files (x86)\52f152d5-4a4c-41e8-b98b-404fc82db112
    C:\Program Files (x86)\AnyProtectEx
    C:\Program Files (x86)\AVG SafeGuard toolbar
    C:\Program Files (x86)\DealiciousCoupons
    C:\Program Files (x86)\PCTRunner
    :reg
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\AboutURLs]
    "Tabs"=-
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\C:^Users^ROLDON^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^MyPC Backup.lnk]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\ApnUpdater]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\vProt]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\state]
    "startup"=dword:00000000
    "services"=dword:00000000
    :Commands
    [purity]
    [ResetHosts]
    [emptytemp]
    [start explorer]
    [Reboot]
    • Return to OTM, right click in the Paste List of Files/Folders to Move window (under the yellow bar) and choose Paste.
    • Push the large MoveIt! button.
    • OTM may ask to reboot the machine. Please do so if asked.
    • Copy everything in the Results window (under the green bar), and paste it in your next reply.

    Now navigate to the C:\_OTM\MovedFiles folder ( assuming your Windows drive is C). This is where your log will be saved in the form of Date and Time mmddyyyy_hhmmss.log. Just look for the most recent .log file. Attach this log file to your next message.

    Reboot and rescan with RogueKiller and Hitman and attach the logs.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator). Make sure that you watch for the license agreement for TrendMicro HijackThis and click on the Accept button TWICE to accept ( yes twice ).

    Then attach the below logs:

    * C:\MGlogs.zip

    Make sure you tell me how things are working now!
     
    Last edited: Dec 30, 2014
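The RogueKiller findings in this reply and in the first one (CLSID and Browser Helper Object registrations, the netfilter64 driver service, the Internet Settings ProxyServer value pointing at 127.0.0.1:8800, the Firefox homepage pref) are the persistence and traffic-interception points the fixes target. As an added example, not part of the thread and not a RogueKiller feature, here is a small Python triage helper that parses finding lines of that format, assigns each a category by mechanism, decodes the ProxyServer value, and flags a proxy that points back at the machine itself: a proxy on 127.0.0.1 means every browser request passes through a local program first, which is what to look for when ads appear in the browser regardless of which site is open. The sample log is a constructed subset of the lines quoted in this thread; names like parse_log and classify are the example's own.

```python
import ipaddress
import re
from collections import Counter

# One finding: one or more [Tag] markers, optional (X86)/(X64) registry view,
# the body, then "-> <status>" (Found, Not selected, Unloaded, ...).
FINDING_RE = re.compile(
    r"^(?P<tags>(?:\[[^\]]+\])+)\s*(?:\((?P<arch>X86|X64)\)\s*)?"
    r"(?P<body>.*?)\s*->\s*(?P<status>.+?)\s*$"
)
SERVICE_RE = re.compile(r"\\Services\\(?P<name>[^\\(]+?)\s*\((?P<image>.*)\)\s*$")
PROXY_RE = re.compile(r"\|\s*ProxyServer\s*:\s*(?P<value>\S+)")
HOMEPAGE_RE = re.compile(r'user_pref\("browser\.startup\.homepage",\s*"(?P<url>[^"]*)"\)')


def is_loopback(host: str) -> bool:
    """True for localhost, 127.0.0.0/8 or ::1, i.e. a proxy running on the machine itself."""
    if host.strip().lower() == "localhost":
        return True
    try:
        return ipaddress.ip_address(host.strip("[]")).is_loopback
    except ValueError:
        return False


def parse_proxy(value: str) -> dict:
    """'http=127.0.0.1:8800;https=...' -> {'http': ('127.0.0.1', 8800), ...};
    a bare 'host:port' with no scheme is stored under '*'."""
    proxies = {}
    for part in filter(None, value.split(";")):
        scheme, sep, hostport = part.partition("=")
        if not sep:
            scheme, hostport = "*", part
        host, sep, port = hostport.rpartition(":")
        if not sep:
            host, port = hostport, ""
        proxies[scheme] = (host, int(port) if port.isdigit() else None)
    return proxies


def classify(body: str, tags: list) -> str:
    """Map a finding onto the persistence / hijack mechanism it represents."""
    b = body.lower()
    rules = [("| proxyserver" in b, "proxy"),
             (any(t.startswith("PUM.HomePage") for t in tags), "browser-homepage"),
             ("\\browser helper objects\\" in b, "ie-bho"),
             ("\\clsid\\" in b, "com-clsid"),
             ("\\services\\" in b, "service"),
             (any(t.startswith("Suspicious.Path") for t in tags), "loaded-module")]
    return next((cat for hit, cat in rules if hit), "other")


def parse_line(line: str):
    m = FINDING_RE.match(line.strip())
    if not m:
        return None  # section headers (¤¤¤ ... ¤¤¤), blank lines, anything else
    tags = re.findall(r"\[([^\]]+)\]", m.group("tags"))
    body, detail = m.group("body"), {}
    cat = classify(body, tags)
    if cat == "proxy":
        detail["proxies"] = parse_proxy(PROXY_RE.search(body).group("value"))
    elif cat == "service":
        sm = SERVICE_RE.search(body)
        detail["name"] = sm.group("name") if sm else body.rsplit("\\", 1)[-1]
        detail["image"] = sm.group("image") if sm else None
    elif cat == "browser-homepage":
        hm = HOMEPAGE_RE.search(body)
        detail["url"] = hm.group("url") if hm else None
    elif cat == "loaded-module":
        proc, _, module = body.partition(" -- ")
        detail["process"], detail["module"] = proc, re.sub(r"\[-\]$", "", module)
    loopback = any(is_loopback(h) for h, _ in detail.get("proxies", {}).values())
    return {"tags": tags, "arch": m.group("arch"), "body": body, "status": m.group("status"),
            "category": cat, "detail": detail, "loopback_proxy": loopback}


def parse_log(text: str) -> list:
    return [f for f in map(parse_line, text.splitlines()) if f]


def summarize(findings: list) -> dict:
    return dict(Counter(f["category"] for f in findings))


# Constructed sample: a few of the lines quoted earlier in this thread.
SAMPLE_LOG = r"""
¤¤¤ Processes : 1 ¤¤¤
[Suspicious.Path] explorer.exe -- C:\Users\ROLDON\AppData\Roaming\ernden\berdis.dll[-] -> Unloaded
¤¤¤ Registry : 4 ¤¤¤
[PUP] (X64) HKEY_CLASSES_ROOT\CLSID\{56561B2A-FB5D-363A-9631-4C03D6054209} -> Found
[PUP] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{95B7759C-8C7F-4BF1-B163-73684A933233} -> Found
[PUP] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\netfilter64 (system32\drivers\netfilter64.sys) -> Found
[PUM.Proxy] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyServer : http=127.0.0.1:8800;https=127.0.0.1:8800 -> Not selected
¤¤¤ Web browsers : 1 ¤¤¤
[PUM.HomePage][FIREFX:Config] zwja03j1.default : user_pref("browser.startup.homepage", "http://services.freshy.com/general/newhometab.php?hometab=home&partner=11083&guid={28E8390A-D5B9-4794-A716-C69008D11A98}&i="); -> Found
"""

if __name__ == "__main__":
    found = parse_log(SAMPLE_LOG)
    print(summarize(found))
    for f in found:
        print(f"{f['category']:17} {'LOOPBACK-PROXY ' if f['loopback_proxy'] else ''}{f['detail'] or f['body']}")
```

The status column is kept, so "Not selected" entries (found by the tool but not ticked for removal, as the ProxyServer values were in the log above) stand out when reviewing a pasted log, and the per-mechanism counts give a quick picture of how many separate persistence points a cleanup still has to cover.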
  11. ttnicker

    ttnicker Private E-2

    I ran the MGtools\analyse.exe, but HJT could not repair O10 Winsock LSP and suggested I use the LSPFix program. Should I download and run this program?
     
  12. ttnicker

    ttnicker Private E-2

    While running OTM, Windows warned of a system shutdown. Not sure if it was an OTM reboot, but there was insufficient time to copy and paste the info from the Results window. All else seems to be fine - no rogue apps in Task Manager and no browser redirect. Thanks a lot TimW and the rest of the MajorGeeks team, I truly appreciate your time and will be clicking the donate button.
     

    Attached Files:

  13. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Did you uninstall the 4 items requested or did you have a problem? They still show and I see a couple others to remove. I will give you another fix.

    RogueKiller also shows one item for freshy.com under Web browsers that needs to be removed. So see if you can have RogueKiller fix this.

    ¤¤¤ Web browsers : 1 ¤¤¤
    [PUM.HomePage][FIREFX:Config] zwja03j1.default : user_pref("browser.startup.homepage", "http://services.freshy.com/general/newhometab.php?hometab=home&partner=11083&guid={28E8390A-D5B9-4794-A716-C69008D11A98}&i="); -> Found

    Then reboot your PC and run a new scan with RogueKiller and attach the new log.


    Uninstall the below programs. If you do not find them or they will not uninstall, just keep going but you must tell us if you were able to uninstall them or if you had a problem!!!!
    AnyProtect
    DiscountLocAtoor
    Muvic Smartbar
    PRinceeCouppon
    SalesCheeckker
    SavingsBull
    TicTACoouuponi
    unicoupons
    WorldWideWebCoupon


    Run OTM.exe by double clicking on it (Note: if using Vista, Win7 or Win8, don't double click, use right click and select Run As Administrator).
    • Copy the lines from the below codebox to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy). Do not include the word Code: which is just a title line of the code box.
    Code:
    :Processes
    explorer.exe
    
    
    :Services
    avgwd
    NIS
    
     
    :Files
    C:\ProgramData\Optimizer
    C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Norton Internet Security
    C:\Program Files (x86)\AVG
    C:\Program Files (x86)\Norton Internet Security
    C:\Program Files (x86)\NortonInstaller
    C:\Program Files (x86)\Price Finder
    C:\Windows\system32\tasks\APSnotifierPP1
    C:\Windows\system32\tasks\APSnotifierPP2
    C:\Windows\system32\tasks\APSnotifierPP3
    C:\Windows\system32\tasks\Norton Internet Security
    C:\Windows\system32\tasks\Norton WSC Integration
    C:\Users\ROLDON\AppData\Local\Temp\*.*
    
    
    :Reg
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\AboutURLs]
    "Tabs"="res://ieframe.dll/tabswelcome.htm"
    
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\C:^Users^ROLDON^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^MyPC Backup.lnk]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\ApnUpdater]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\AVG_UI]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\Optimizer Pro]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\Price Finder]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\vProt]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\AnyProtect]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{194FED75-9C74-BDB7-53F8-8CFFEF1AFEC9}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{AA236AFD-B26E-4BC7-9A13-76BD5F9887AC}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{D86C82B0-1F02-816A-5F3D-6466F6A67566}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{CC17A332-9555-AD95-3985-0BDD9BF0EC71}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Level Quality Watcher]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{E370F69F-ED3F-925F-31FC-14D1329A713B}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{6F10CA8F-97E3-48FB-9003-3EE8E9050577}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{37476589-E48E-439E-A706-56189E2ED4C4}_is1]
    :Commands
    [purity]
    [EmptyTemp]
    [start explorer]
    [Reboot]
    • Return to OTM, right click in the Paste List of Files/Folders to Move window (under the yellow bar) and choose Paste.
    • Now click the large MoveIt! button.
    • If OTM asks to reboot your computer, allow it to do so. The report should appear in Notepad after the reboot.
    • Close OTM.
    Now navigate to the C:\_OTM\MovedFiles folder ( assuming your Windows drive is C). This is where your log will be saved in the form of Date and Time mmddyyyy_hhmmss.log. Just look for the most recent .log file. Attach this log file to your next message.

    Now run MSconfig and put your PC back into normal startup mode. You should not be using MSconfig as a startup manager.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, Win7 or Win8, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:
    • the RogueKiller log
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
     
    Last edited: Dec 31, 2014
  14. ttnicker

    ttnicker Private E-2

    Wishing everyone a happy and prosperous new year.
    Apologies to the moderators for the lengthy inactivity on this thread as I was out of town for the holidays.
    During the previous scan I did encounter some problems. When running HijackThis I got a popup window stating that HJT cannot repair O10 Winsock LSP entries, and that I should use LSPFix. I ran LSPFix from the link provided, but it found and fixed only one Winsock LSP.
    With the scans I just did, RogueKiller was unable to delete the http://services.freshy.com link. Also, in Control Panel I only saw the Muvic Smartbar program, but was unable to delete it.
     

    Attached Files:

  15. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista or Win 7, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    O4 - HKLM\..\Run: [vProt] "C:\Program Files (x86)\AVG SafeGuard toolbar\vprot.exe"
    O4 - HKLM\..\Run: [Price Finder] C:\Program Files (x86)\Price Finder\PriceFinderHelper.exe /check
    O4 - HKLM\..\Run: [AVG_UI] "C:\Program Files (x86)\AVG\AVG2014\avgui.exe" /TRAYONLY
    O4 - HKLM\..\Run: [ApnUpdater] "C:\Program Files (x86)\Ask.com\Updater\Updater.exe"
    O4 - HKCU\..\Run: [Optimizer Pro] C:\Program Files (x86)\Optimizer Pro\OptProLauncher.exe
    O4 - Startup: MyPC Backup.lnk = C:\Program Files (x86)\MyPC Backup\MyPC Backup.exe

    After clicking Fix, exit HJT.


    Run OTM.exe by double clicking on it (Note: if using Vista, Win7 or Win8, don't double click, use right click and select Run As Administrator).
    • Copy the lines from the below codebox to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy). Do not include the word Code: which is just a title line of the code box.
    Code:
    :Processes
    explorer.exe
     
    :Files
    C:\Windows\tasks\GoogleUpdateTaskMachineCore.job
    C:\Windows\tasks\GoogleUpdateTaskMachineUA.job
    C:\Windows\system32\tasks\APSnotifierPP1
    C:\Windows\system32\tasks\APSnotifierPP2
    C:\Windows\system32\tasks\APSnotifierPP3
    C:\Windows\system32\tasks\avast! Emergency Update
    C:\Windows\system32\tasks\GoogleUpdateTaskMachineCore
    C:\Windows\system32\tasks\GoogleUpdateTaskMachineUA
    C:\Windows\system32\tasks\Norton Internet Security
    C:\Windows\system32\tasks\Norton WSC Integration
    C:\ProgramData\Optimizer
    C:\Program Files (x86)\globalUpdate
    C:\Users\ROLDON\AppData\Local\Temp\*.*
    :Reg
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Level Quality Watcher]
    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    "Optimizer Pro"=-
    [HKEY_LOCAL_MACHINE\software\Wow6432Node\microsoft\windows\currentVersion\Run]
    "vProt"=-
    "Price Finder"=-
    "AVG_UI"=-
    "ApnUpdater"=-
    [HKEY_USERS\S-1-5-21-2219924553-3981919129-1326906706-1001\Software\Microsoft\Windows\CurrentVersion\run]
    "Optimizer Pro"=-
    [-HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\SearchScopes\{74DC03B4-A8D2-4730-9DCE-59EF50B117B8}]
    [-HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\SearchScopes\{d43b3890-80c7-4010-a95d-1e77b5924dc3}]
    [-HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\SearchScopes\{D944BB61-2E34-4DBF-A683-47E505C587DC}]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\AboutURLs]
    "Tabs"="res://ieframe.dll/tabswelcome.htm"
    :Commands
    [purity]
    [EmptyTemp]
    [start explorer]
    
    [Reboot]
    • Return to OTM, right click in the Paste List of Files/Folders to Move window (under the yellow bar) and choose Paste.
    • Now click the large MoveIt! button.
    • If OTM asks to reboot your computer, allow it to do so. The report should appear in Notepad after the reboot.
    • Close OTM.
    Now navigate to the C:\_OTM\MovedFiles folder ( assuming your Windows drive is C). This is where your log will be saved in the form of Date and Time mmddyyyy_hhmmss.log. Just look for the most recent .log file. Attach this log file to your next message.


    Now please download Junkware Removal Tool to your desktop.
    • Shut down your protection software now to avoid potential conflicts.
    • Run the tool by double-clicking it. If you are using Windows Vista or Seven, right-mouse click it and select Run as Administrator.
    • The tool will open and start scanning your system.
    • Note: That JRT may reset your home page to a google default so you will need to restore your home page setting if this happens.
    • Please be patient as this can take a while to complete depending on your system's specifications.
    • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
    • Attach JRT.txt to your next message.
    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, Win7 or Win8, don't double click, use right click and select Run As Administrator).


    Then attach the below logs:
    • the C:\_OTM\MovedFiles log
    • the JRT.txt log
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
     
  16. ttnicker

    ttnicker Private E-2

    During the reboot process of OTM I ended up with a black screen and an active pointer. I had looked away for a minute, so I'm not sure if this occurred at the shutdown or startup stage. It's over 40 mins now, I've tried pressing different keys - enter, esc, but still no response. The HDD indicator light at the side of computer is off. Should I power off/on and continue from where I left off?
     
  17. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Yes, I don't think you have any other choice now. Wait a minute after powering it off before turning it back on.

    If OTM did not run properly, we may need to run the fix with a different tool. But try repeating the OTM fix after booting in safe mode. Run only OTM in safe mode. Everything else in normal mode.
     
  18. ttnicker

    ttnicker Private E-2

    The Muvic Smartbar is gone from programs list, and Task Manager no longer shows that unknown app running. I rebooted a couple times and all seems to be working fine.
     

    Attached Files:

  19. ttnicker

    ttnicker Private E-2

    Spoke too soon! That pesky app has reappeared in Task Manager. Unable to end task.
     
  20. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Please download OTL by OldTimer.
    • Save it to your desktop.
    • Double-click on the OTL icon on your desktop to run it. (Note: if using Vista, Win7 or Win8 use right-click and select Run as Administrator)
    • Check the "Scan All Users" checkbox.
    • Check the "Standard Output".
    • Change the setting of "Drivers" and "Services" to "All"
    • Copy the text in the code box below and paste it into the Custom Scans/Fixes text-field.
      Code:
      activex
      netsvcs
      drives
      
    • Now click the Run Scan button.
    • One report will be created:
      • OTL.txt <-- Will be opened
    • Attach OTL.txt to your next message. (How to attach)
     
  21. ttnicker

    ttnicker Private E-2

    I did the OTL scan and attached the results. I left the OTL program open and did not apply any fix.
     
  22. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You did not attach anything. Make sure you watch for error messages! Perhaps the log is too large and needs to be ZIP'ed before attaching.
     
  23. ttnicker

    ttnicker Private E-2

    Ok, I think it's there now
     

    Attached Files:

    • OTL.Txt (file size: 273.8 KB, views: 4)
  24. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Now shut down your protection software (antivirus, antispyware...etc) to avoid possible conflicts.
    • Double-click OTL.exe to run. (Note: if using Vista, Win7 or Win8 use right-click and select Run as Administrator)
    • Copy the text in the code box below and paste it into the Custom Scans/Fixes text-field.
    Code:
    :OTL
    MOD - [2014/11/17 21:32:20 | 000,122,880 | ---- | M] () -- C:\Users\ROLDON\AppData\Roaming\ernden\rewardca.dll
    DRV:[b]64bit:[/b] - [2014/10/29 21:03:36 | 000,123,672 | ---- | M] (AVG Technologies CZ, s.r.o.) [File_System | Boot | Running] -- C:\Windows\SysNative\drivers\avgmfx64.sys -- (Avgmfx64)
    DRV:[b]64bit:[/b] - [2014/10/24 10:20:06 | 000,237,848 | ---- | M] (AVG Technologies CZ, s.r.o.) [File_System | System | Stopped] -- C:\Windows\SysNative\drivers\avgldx64.sys -- (Avgldx64)
    DRV:[b]64bit:[/b] - [2014/10/20 15:15:50 | 000,269,080 | ---- | M] (AVG Technologies CZ, s.r.o.) [Kernel | System | Running] -- C:\Windows\SysNative\drivers\avgtdia.sys -- (Avgtdia)
    DRV:[b]64bit:[/b] - [2014/07/21 20:03:12 | 000,244,504 | ---- | M] (AVG Technologies CZ, s.r.o.) [File_System | System | Running] -- C:\Windows\SysNative\drivers\avgidsdrivera.sys -- 
    DRV:[b]64bit:[/b] - [2014/06/30 11:43:02 | 000,152,344 | ---- | M] (AVG Technologies CZ, s.r.o.) [File_System | System | Running] -- C:\Windows\SysNative\drivers\avgdiska.sys -- (Avgdiska)
    DRV:[b]64bit:[/b] - [2014/06/17 15:07:12 | 000,328,984 | ---- | M] (AVG Technologies CZ, s.r.o.) [File_System | Boot | Running] -- C:\Windows\SysNative\drivers\avgloga.sys -- (Avgloga)
    DRV:[b]64bit:[/b] - [2014/06/17 15:06:24 | 000,190,744 | ---- | M] (AVG Technologies CZ, s.r.o.) [File_System | Boot | Running] -- C:\Windows\SysNative\drivers\avgidsha.sys -- (AVGIDSHA)
    DRV:[b]64bit:[/b] - [2014/06/17 15:06:06 | 000,031,512 | ---- | M] (AVG Technologies CZ, s.r.o.) [File_System | Boot | Running] -- C:\Windows\SysNative\drivers\avgrkx64.sys -- (Avgrkx64)
    DRV:[b]64bit:[/b] - [2011/12/25 04:11:50 | 000,174,200 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\SYMEVENT64x86.SYS -- (SymEvent)
    DRV:[b]64bit:[/b] - [2011/08/08 10:38:06 | 000,167,048 | R--- | M] (Symantec Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\NISx64\1301000.01C\ccSetx64.sys -- (ccSet_NIS)
    DRV:[b]64bit:[/b] - [2011/08/02 13:22:10 | 000,729,720 | R--- | M] (Symantec Corporation) [File_System | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\NISx64\1301000.01C\srtsp64.sys -- (SRTSP)
    DRV:[b]64bit:[/b] - [2011/08/02 13:22:10 | 000,037,496 | R--- | M] (Symantec Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\NISx64\1301000.01C\srtspx64.sys -- (SRTSPX)
    DRV:[b]64bit:[/b] - [2011/07/28 14:20:02 | 001,084,536 | R--- | M] (Symantec Corporation) [File_System | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\NISx64\1301000.01C\SymEFA64.sys -- (SymEFA)
    DRV:[b]64bit:[/b] - [2011/07/25 13:18:40 | 000,401,016 | R--- | M] (Symantec Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\NISx64\1301000.01C\symnets.sys -- (SymNetS)
    DRV:[b]64bit:[/b] - [2011/07/25 13:18:36 | 000,451,192 | R--- | M] (Symantec Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\NISx64\1301000.01C\SymDS64.sys -- (SymDS)
    DRV:[b]64bit:[/b] - [2011/07/25 13:15:52 | 000,189,560 | R--- | M] (Symantec Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\NISx64\1301000.01C\Ironx64.sys -- (SymIRON)
    DRV - [2011/08/19 04:00:00 | 001,151,096 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Stopped] -- C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_19.1.0.28\Definitions\BASHDefs\20110819.004\BHDrvx64.sys -- (BHDrvx64)
    DRV - [2011/08/09 20:00:00 | 002,048,632 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Stopped] -- C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_19.1.0.28\Definitions\VirusDefs\20110810.019\EX64.SYS -- (NAVEX15)
    DRV - [2011/08/09 20:00:00 | 000,117,880 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Stopped] -- C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_19.1.0.28\Definitions\VirusDefs\20110810.019\ENG64.SYS -- (NAVENG)
    DRV - [2011/07/20 12:43:24 | 000,488,568 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Stopped] -- C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_19.1.0.28\Definitions\IPSDefs\20110726.001\IDSviA64.sys -- (IDSVia64)
    IE:[b]64bit:[/b] - HKLM\..\SearchScopes\{d43b3890-80c7-4010-a95d-1e77b5924dc3}: "URL" = [URL]http://en.wikipedia.org/wiki/Special:Search?search={searchTerms[/URL]}
    IE:[b]64bit:[/b] - HKLM\..\SearchScopes\{D944BB61-2E34-4DBF-A683-47E505C587DC}: "URL" = [URL]http://rover.ebay.com/rover/1/711-30572-11896-2/4?mpre=http://www.ebay.com/sch/i.html?_nkw={searchTerms[/URL]}
    FF - HKLM\Software\MozillaPlugins\@avg.com/AVG SiteSafety plugin,version=11.0.0.1,application/x-avg-sitesafety-plugin: C:\Program Files (x86)\Common Files\AVG Secure Search\SiteSafetyInstaller\17.3.0\\npsitesafety.dll ()
    FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{BBDA0591-3099-440a-AA10-41764D9DB4DB}: C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_19.1.0.28\IPSFFPlgn\ [2013/06/03 19:05:03 | 000,000,000 | ---D | M]
    FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{2D3F3651-74B9-4795-BDEC-6DA2F431CB62}: C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_19.1.0.28\coFFPlgn\ [2013/06/03 19:05:03 | 000,000,000 | ---D | M]
    O3:[b]64bit:[/b] - HKLM\..\Toolbar: (no name) - {0B3F74BE-FFB8-4473-86CE-9E29EF0E2BE4} - No CLSID value found.
    O3 - HKU\S-1-5-21-2219924553-3981919129-1326906706-1001\..\Toolbar\WebBrowser: (no name) - {4F564F32-5637-5341-5443-7A786E7484D7} - No CLSID value found.
    O10:[b]64bit:[/b] - Protocol_Catalog9\Catalog_Entries64\000000000001 - C:\Windows\SysNative\ProtectMe64.dll (ProtectMe)
    O10:[b]64bit:[/b] - Protocol_Catalog9\Catalog_Entries64\000000000002 - C:\Windows\SysNative\ProtectMe64.dll (ProtectMe)
    O10:[b]64bit:[/b] - Protocol_Catalog9\Catalog_Entries64\000000000003 - C:\Windows\SysNative\ProtectMe64.dll (ProtectMe)
    O10:[b]64bit:[/b] - Protocol_Catalog9\Catalog_Entries64\000000000004 - C:\Windows\SysNative\ProtectMe64.dll (ProtectMe)
    O10:[b]64bit:[/b] - Protocol_Catalog9\Catalog_Entries64\000000000015 - C:\Windows\SysNative\ProtectMe64.dll (ProtectMe)
    O18 - Protocol\Handler\viprotocol {B658800C-F66E-4EF3-AB85-6C0C227862A9} - C:\Program Files (x86)\Common Files\AVG Secure Search\ViProtocolInstaller\17.3.0\ViProtocol.dll (AVG Secure Search)
    [2015/01/06 20:02:38 | 000,000,000 | ---D | C] -- C:\ProgramData\Optimizer
    [2015/01/06 04:02:15 | 000,000,000 | ---D | C] -- C:\ProgramData\{BAF091CA-86C4-4627-ADA1-897E2621C1B0}
    [2014/03/16 18:17:06 | 000,954,776 | ---- | C] (AnyProtect.com) -- C:\Users\ROLDON\AppData\Local\AnyProtectScannerSetup.exe
    [2014/12/09 16:19:12 | 001,990,720 | ---- | M] () -- C:\MGtools(1).exe
    [2014/12/09 16:17:50 | 020,447,072 | ---- | M] (Malwarebytes Corporation                                    ) -- C:\Users\ROLDON\Desktop\mb.exe.exe
    [2014/11/23 12:26:03 | 000,004,528 | ---- | C] () -- C:\Windows\SysWow64\ProtectMe.ini
    [2014/11/23 12:26:03 | 000,002,408 | ---- | C] () -- C:\Windows\SysWow64\ProtectMeOff.ini
    :Files
    C:\Users\ROLDON\AppData\Roaming\ernden
    C:\Windows\SysWow64\ProtectMe.ini
    C:\Windows\SysWow64\ProtectMeOff.ini
    C:\ProgramData\Optimizer
    C:\Windows\SysNative\ProtectMe64.dll
    C:\Program Files (x86)\Common Files\AVG Secure Search
    :Commands
    [PURITY]
    [EMPTYTEMP] 
    [EMPTYFLASH]
    [REBOOT]
    • Now click the Run Fix button.
    • If the fix needed a reboot please do it.
    • Click the OK button (upon reboot).
    • When OTL is finished, Notepad will open. Close Notepad.
    • A log file will be located at C:\_OTL\MovedFiles\mmddyyyy_hhmmss.log, where mmddyyyy_hhmmss is the date of the tool run.
    • Attach this log to your next message. (See: How to attach)
    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:
    • the log from OTL
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
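    As an added example (not part of this thread and not OTL's or FRST's own code), the script below is a post-cleanup check a helper might run on the cleaned machine: it reports whether any of the items named in the fix list above (the :Files paths, the ProtectMe64.dll Winsock LSP entries from the O10 lines, and the orphaned toolbar CLSIDs from the O3 lines) are still present, and whether an iexplore.exe process is running with no visible window, which was the symptom that opened the thread. It assumes an elevated 64-bit PowerShell prompt on Win 7 and that you are logged in as the same user the fix referenced (C:\Users\ROLDON), so that $env:APPDATA resolves to that profile.

    ```powershell
    # Added example, not from the thread or from OTL/FRST. Paths, CLSIDs and the
    # DLL name come from the fix script above; everything else is an assumption.
    function Test-CleanupResidue {
        $findings = New-Object System.Collections.Generic.List[string]

        # Files and folders listed under :Files in the OTL fix.
        $paths = @(
            "$env:APPDATA\ernden",
            "$env:windir\SysWow64\ProtectMe.ini",
            "$env:windir\SysWow64\ProtectMeOff.ini",
            "$env:ProgramData\Optimizer",
            "$env:windir\System32\ProtectMe64.dll",   # OTL's SysNative path, seen from a 64-bit shell
            "${env:CommonProgramFiles(x86)}\AVG Secure Search"
        )
        foreach ($p in $paths) {
            if (Test-Path -LiteralPath $p) { $findings.Add("still present: $p") }
        }

        # Winsock catalog: the O10 lines showed ProtectMe64.dll registered as a
        # layered service provider, which is what keeps it loaded into any
        # process that uses the network, browser open or not.
        $catalog = & netsh winsock show catalog 2>&1
        if ($catalog | Select-String -SimpleMatch 'ProtectMe64.dll') {
            $findings.Add('Winsock catalog still references ProtectMe64.dll (netsh winsock reset, then reboot)')
        }

        # Orphaned toolbar registrations from the O3 lines: the CLSID is stored as
        # a value name under the Toolbar key. Check native, WOW64 and per-user views.
        $toolbarClsids = @('{0B3F74BE-FFB8-4473-86CE-9E29EF0E2BE4}',
                           '{4F564F32-5637-5341-5443-7A786E7484D7}')
        $toolbarKeys = @(
            'HKLM:\SOFTWARE\Microsoft\Internet Explorer\Toolbar',
            'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar',
            'HKCU:\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser'
        )
        foreach ($key in $toolbarKeys) {
            if (-not (Test-Path $key)) { continue }
            $valueNames = (Get-ItemProperty -Path $key).PSObject.Properties.Name
            foreach ($c in $toolbarClsids) {
                if ($valueNames -contains $c) { $findings.Add("toolbar value $c still under $key") }
            }
        }

        # The original symptom: Internet Explorer listed in Task Manager with the
        # browser closed. A window-less iexplore.exe burning CPU is worth a look.
        $hidden = Get-Process -Name iexplore -ErrorAction SilentlyContinue |
                  Where-Object { $_.MainWindowHandle -eq 0 }
        foreach ($proc in $hidden) {
            $findings.Add("iexplore.exe PID $($proc.Id) has no visible window (CPU time $([int]$proc.CPU)s)")
        }

        return $findings
    }

    $result = Test-CleanupResidue
    if ($result.Count -eq 0) { 'No residue from the fix list found.' } else { $result }
    ```

    A clean run prints the single "No residue" line; anything else is an item the fix did not remove and should go back to the helper with the Fixlog. The iexplore check is a hint rather than proof, since IE briefly keeps helper processes around after a tab closes, so treat a hit that persists for minutes as the signal.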
     
  25. ttnicker

    ttnicker Private E-2

    I tried running the fix in OTL 4 times with no success. The first 2 times with protection software disabled I got a pop up stating that "windows encountered a critical problem and will restart automatically in one minute." The last 2 attempts I also had windows firewall turned off, and OTL froze - not responding in Task Manager. No log files were generated. Should the computer be disconnected from the internet during these fixes?
     
  26. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Please reboot your PC into safe boot mode and run OTL (only OTL) in safe mode. Make sure you still use Run As Administrator. Boot to normal mode for GetLogs.bat and posting logs.
     
  27. ttnicker

    ttnicker Private E-2

    Could not get OTL to run in safe mode, still freezes up.
     
  28. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Please do the below so that we can boot to System Recovery Options to run a scan.

    For 32-bit (x86) systems download Farbar Recovery Scan Tool and save it to a flash drive.
    For 64-bit (x64) systems download Farbar Recovery Scan Tool x64 and save it to a flash drive.

    Plug the flash drive into the infected PC.

    Enter System Recovery Options from the Advanced Boot Options:
    • Restart the computer.
    • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
    • Use the arrow keys to select the Repair your computer menu item.
    • Select US as the keyboard language settings, and then click Next.
    • Select the operating system you want to repair, and then click Next.
    • Select your user account and click Next.

    On the System Recovery Options menu you will get the following options:
    • Select Command Prompt
    • In the command window type in notepad and press Enter.
    • The notepad opens. Under File menu select Open.
    • Select "Computer" and find your flash drive letter and close the notepad.
    • In the command window type e:\frst.exe (for x64 bit version type e:\frst64) and press Enter
      Note: Replace letter e with the drive letter of your flash drive.
    • The tool will start to run.
    • When the tool opens click Yes to disclaimer.
    • Press Scan button.
    • It will make a log (FRST.txt) on the flash drive. Please attach this file to your next reply. (See: How to attach)
     
  29. ttnicker

    ttnicker Private E-2

    I've attached the log from the Farbar scan.
     

    Attached Files:

  30. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Download this >> View attachment fixlist.txt


    Save fixlist.txt to your flash drive.
    • You should now have both fixlist.txt and FRST64.exe on your flash drive.
    Now reboot back into the System Recovery Options as you did previously.
    Run FRST64 and press the Fix button just once and wait.
    The tool will make a log on the flash drive (Fixlog.txt).
    Please attach this to your next message. (See how to attach)

    Now boot into normal Windows and continue with the below.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator).


    Then attach the below logs:
    • Fixlog.txt
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
     
  31. ttnicker

    ttnicker Private E-2

    Ok, I ran the FRST64 fix and have attached the logs.
     

    Attached Files:

  32. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Good job! Looks better now. Are you having any problems?
     
  33. ttnicker

    ttnicker Private E-2

    Good morning Chaslang! Over the past few days I rebooted quite a few times, browsed many web sites and I'm happy to say that the problem is definitely gone. Many, many thanks to you and your team. I will be happy to donate. Are there any of the downloaded programs I need to keep for periodic use?
     
  34. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome. I think your question should be answered by the below.


    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep Malwarebytes Anti-Malware for scanning/removal of malware.
    2. Re-enable your Disk Emulation software with Defogger if you had disabled it in step 4 of the READ & RUN ME.
    3. Go to add/remove programs and uninstall HijackThis. If you don't see it or it will not uninstall, don't worry about it. Just move on to the next step.
    4. If running Vista, Win 7 or Win 8, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    5. Now goto the C:\MGtools folder and find the MGclean.bat file. Double click ( if running Vista, Win7, or Win 8 Right Click and Run As Administrator ) on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
    6. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    7. If you are running Win 8, Win 7, Vista, Windows XP or Windows ME, do the below to flush restore points:
      • Refer to the instructions for your Windows version in this link: Disable And Enable System Restore
      • What we want you to do is to first disable System Restore to flush restore points some of which could be infected.
      • Then we want you to Enable System Restore to create a new clean Restore Point.
    8. After doing the above, you should work through the below link:
     
