Idiot's guide re downloading tools.

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by EJB, Jan 4, 2015.

  1. EJB

    EJB Corporal

    I have downloaded the various tools to scan my PC then download the logs.
    When clicking on the shortcut or exe file it asks what programme I want to open them with?
     
  2. EJB

    EJB Corporal

    Managed to download 3 logs.

    Hitman pro won't run.
    Tdss couldn't copy the log.
     

    Attached Files:

  3. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You need to put MGtools.exe on your Windows boot drive which is drive C and run it from there!!!! This was stated in the instructions for Using MGtools. After letting it finish running, attach the new MGlogs.zip file!! We do not want you attaching individual logs ( like hijackthis.txt ) unless requested.

    Also we need the log from Hitman Pro.

    Also just an FYI: You download TO your PC from MajorGeeks, but you upload TO MajorGeeks from your PC. ;)
     
  4. EJB

    EJB Corporal

    Sorry, I feel suitably admonished.
    It is on my C drive but when I click the programme it simply lists the files...no obvious exe file.

    Will try Hitman pro again but it wouldn't run before.
     
  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Not sure what you mean! Are you referring to MGtools.exe? I don't think so. I think you are looking at the C:\MGtools folder. You need to put MGtools.exe on your Desktop and run it. Then you will get the correct results, which is an MGlogs.zip file.

    Exactly what happens? And where did you save the program file to?
    Also did you download the correct 32bit / 64 bit version for your PC? You need the 64 bit version.
     
  6. EJB

    EJB Corporal

    MG Tools is on the desktop.
    I trust the zip file from the folder is what is required?
     
  7. EJB

    EJB Corporal

    Second try!!!
    I don't seem to be able to attach it.
     
    Last edited: Jan 4, 2015
  8. EJB

    EJB Corporal

    Hitman Pro runs then stops saying:-
    'Hitman Pro has stopped working', ' A problem caused the programme to stop working correctly. Windows will close the programme and notify you if a solution is available'
    Then no response.

    I believe this is all to do with my problem on this PC.
    F-Secure then Comodo security were both disabled from updating.
    Windows Defender works OK.
    I can't change the boot order to run an F-Secure recovery disc.
    I can't go to F-Secures website....'This page cannot be displayed'
    I use IE 11 but tried another browser to no avail.

    Everything and all websites (except above) work perfectly OK.
     
    Last edited: Jan 4, 2015
  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    This may be a conflict with current security programs even if you did try to disable them.

    Windows Defender should not be running if you have F-Secure and Comodo installed!!!

    You still need to attach the MGlogs.zip file that I need to help you.

    Also please run the below.

    Please do the below so that we can boot to System Recovery Options to run a scan.

    For 32-bit (x86) systems download Farbar Recovery Scan Tool and save it to a flash drive.
    For 64-bit (x64) systems download Farbar Recovery Scan Tool x64 and save it to a flash drive.


    Plug the flashdrive into the infected PC.

    Enter System Recovery Options from the Advanced Boot Options:
    • Restart the computer.
    • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
    • Use the arrow keys to select the Repair your computer menu item.
    • Select US as the keyboard language settings, and then click Next.
    • Select the operating system you want to repair, and then click Next.
    • Select your user account and click Next.


    On the System Recovery Options menu you will get the following options:
    • Select Command Prompt
    • In the command window type in notepad and press Enter.
    • The notepad opens. Under File menu select Open.
    • Select "Computer" and find your flash drive letter and close the notepad.
    • In the command window type e:\frst.exe (for x64 bit version type e:\frst64) and press Enter
      Note: Replace letter e with the drive letter of your flash drive.
    • The tool will start to run.
    • When the tool opens click Yes to disclaimer.
    • Press Scan button.
    • It will make a log (FRST.txt) on the flash drive. Please attach this file to your next reply. (See: How to attach)
     
  10. EJB

    EJB Corporal

    Only Windows Defender is installed.
    Other security programmes were uninstalled as normal. (For instance I couldn't access the F-Secure site to use the correct uninstaller....it wouldn't completely uninstall via 'Uninstall programmes'.)
    However there are still odd remnants of them even though I have uninstalled them and even done a 'regedit' to remove the remnants.
    Have changed the boot order by various methods but it will not run the recovery disc or a memory stick.
    Have two virtually identical PCs and the other one performs all these actions as it should.

    Will try your other suggestions later today.

    Thank You so far.
     
  11. EJB

    EJB Corporal

    Trying to attach the frst txt file with not much luck.
     
    Last edited: Jan 5, 2015
  12. EJB

    EJB Corporal

    There are two txt files....'addition' at 24 KB and 'frst' at 468 KB.
    I assume you require the 'frst', as stated, but it seems to be too large to attach!?
     
  13. EJB

    EJB Corporal

    procd file attached.
     

    Attached Files:

  14. EJB

    EJB Corporal

    'frst' file zipped and attached....hope this is correct.
     

    Attached Files:

  15. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Not requested!!! I need the log from MGtools as stated in the READ & RUN ME FIRST! The log is MGlog.zip which will be on your Desktop and/or also at C:\MGlogs.zip unless there is an error while running MGtools.
     
  16. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Not true! F-Secure is installed and running. This is probably causing you all kinds of problems. You need to uninstall F-Secure via Programs and Features. If you cannot do this then I suggest that you reinstall F-Secure and then reboot. After reboot, properly uninstall F-Secure.
     
  17. EJB

    EJB Corporal

    Hopefully the MGTools zip file is attached.

    I am still struggling with F-Secure.
    It's completely invisible on the PC...Programmes/registry/searches etc.
    Trying to download then uninstall!
     

    Attached Files:

  18. EJB

    EJB Corporal

    From my earlier post...Hitman Pro runs then stops saying:-
    'Hitman Pro has stopped working', ' A problem caused the programme to stop working correctly. Windows will close the programme and notify you if a solution is available'
    Then no response.

    I have deleted and downloaded a couple of times with the same result.

    When visiting the F-Secure site all the links are 'Page not available' although I can actually access the main site.

    Beginning to think that a full reinstall of the OS is getting nearer.....I would have to return to my PC builder for that though!
     
  19. EJB

    EJB Corporal

    With the help, again, of Revo Uninstaller I have managed to locate and uninstall most of F-Secure.
    I still can't activate any links to F-Secure to reinstall or download the F-Secure uninstaller.
     
  20. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Download this >> View attachment fixlist.txt

    Save fixlist.txt to your flash drive.
    • You should now have both fixlist.txt and FRST64.exe on your flash drive.
    Now reboot back into the System Recovery Options as you did previously.
    Run FRST64 and press the Fix button just once and wait.
    The tool will make a log on the flashdrive (Fixlog.txt).
    Please attach this to your next message. (See how to attach)

    Now boot into normal Windows and continue with the below.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:
    • Fixlog.txt
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
     
  21. EJB

    EJB Corporal

    When I click the 'fixlist.txt' link it downloads 'attachment.php'.
    I then click to reply in the thread....as I am now doing.....the link shows as 'Attachment 217828'.

    Your much appreciated continued help Please.
     
  22. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome.

    This is an issue with the way newer versions of Internet Explorer work ( or do not work ;) ). Basically it is extremely annoying!


    You can try the following:
    • Run Internet Explorer and click Tools
    • On the Tools pull down select the Compatibility View
    • Now select the Compatibility View Settings item.
    • In the Compatibility View Settings form type majorgeeks.com in the Add this website: box and then click Add.
    • Then click the Close button.
    • Exit Internet Explorer and then restart.
    Did that help? If not, you can use Firefox ( which you have installed ) to download it. Otherwise just save it as attachment.php and then afterwards right click on it and select Rename. Change the name to fixlist.txt.
     
    Last edited: Jan 7, 2015
  23. EJB

    EJB Corporal

    Hopefully both correct.
     

    Attached Files:

  24. EJB

    EJB Corporal

    Further:-
    When clicking a desktop link an F-Secure pop up was appearing....when clicking the OK button it disappeared and the correct programme appeared.
    That has now cleared up and doesn't show.

    When clicking, in an email,(or going direct) an F-Secure link I get the following :-
    ---------------------------
    COMODO secure DNS
    Unsafe website blocked.
    ----------------------------

    I found 2 Comodo files in 'C'/Programme Data.
    I deleted them.
    Could then access the F-Secure site but when I click 'Download' it appeared again.

    I have previously search the PC and the registry for F-Secure and Comodo and found nothing.

    PS. I initially renamed the file but have now 'added' MG.
     
  25. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    In your installed Programs list I still see all of the below from F-Secure

    Computer Security 14.106.101.0 (release)
    F-Secure SafeSearch 1.03.146.0 (release)
    Online Safety 2.107.2552.1523
     
  26. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I also see a bunch of folders that need to be deleted:

    d-----w 0 2014-11-05 10:19:47 C:\ProgramData\Comodo
    d-----w 0 2014-11-05 10:19:12 C:\ProgramData\Comodo Downloader
    d-----w 0 2014-11-05 12:00:26 C:\ProgramData\SparkTrust
    d-----w 0 2014-05-14 14:02:48 C:\ProgramData\\Adtrustmedia
    d-----w 0 2014-07-01 14:21:22 C:\ProgramData\\AVAST Software
    d-----w 0 2014-11-05 10:19:47 C:\ProgramData\\Comodo
    d-----w 0 2014-11-05 10:19:12 C:\ProgramData\\Comodo Downloader
    d-----w 0 2014-11-05 12:00:26 C:\ProgramData\\SparkTrust
    d-----w 0 2014-11-05 10:35:49 C:\Program Files (x86)\ESET
     
  27. EJB

    EJB Corporal

    I did delete 'Programme Data/Comodo and Comodo downloader' after posting the last logs.
    I could see only one entry each for the above two.
    I have deleted the other entries.

    The F-Secure items you list I simply can't find.
    They are not in 'uninstall or change a programme'

    However I have just run 'regedit' and found all three.....do I delete them in the registry?
     
  28. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    As long as you are confident that you will only be deleting those exact registry keys. ;)

    Also let's run the below after you delete those keys.


    Please download OTL by OldTimer.
    • Save it to your desktop.
    • Double-click on the OTL icon on your desktop to run it. (Note: if using Vista, Win7 or Win8 use right-click and select Run as Administrator)
    • Check the "Scan All Users" checkbox.
    • Check the "Standard Output".
    • Change the setting of "Drivers" and "Services" to "All"
    • Copy the text in the code box below and paste it into the Custom Scans/Fixes text-field.
      Code:
      activex
      netsvcs
      drives
      
    • Now click the Run Scan button.
    • One report will be created:
      • OTL.txt <-- Will be opened
    • Attach OTL.txt to your next message. (How to attach)

    Be patient while doing the below. The fixes can sometimes take quite a while to run, especially the permissions repairs. It may be best to kick it off and go to bed or do something else. It is better not to run anything while the repairs are going on.

    Download Windows Repair by Tweaking.com and unzip the contents into a newly created folder on your desktop.
    • Now run Repair_Windows.exe by double clicking on it ( if you are running Vista or Win 7, use right click and select Run As Administrator)
    • Now select the Start Repairs tab.
    • Then click the Start button.
    • Create a System Restore point if prompted.
    • On the next screen, click the Unselect All button to first deselect all repairs.
    • Now select the following repair options:
      • Reset Registry Permissions
      • Reset File Permissions
      • Register System Files
      • Repair WMI
      • Repair Windows Firewall
      • Remove Policies Set By Infections
      • Repair Winsock & DNS Cache
      • Repair Proxy Settings
      • Repair Windows Updates
      • Set Windows Services To Default Startup
    • Now on the lower right side check the box to Restart/Shutdown System When Finished
    • Then make sure the Restart System radio button is enabled.
    • Shutdown any other programs that you are running now before continuing.
    • Now click the Start button.
    • Be patient while the tool repairs the selected items.
    • It should reboot automatically when finished.
     
  29. EJB

    EJB Corporal

    Thank you , will run those tomorrow.
     
  30. EJB

    EJB Corporal

    Had to zip OTL.txt as it was too large....hope this is correct?

    Ran the repairs as suggested.

    Tried to reinstall also tried to uninstall F-Secure and the dreaded box appeared:-
    Firstly the 'security certificate is not valid (?) then when I said 'go anyway'
    ---------------------------
    COMODO secure DNS
    Unsafe website blocked.
    ----------------------------

    Searched the programme lists and F-Secure was present in 'Programme Data'.
    I deleted it.

    Checked the registry and there were multiple entries for both F-Secure and Comodo.....I didn't take any action at this stage.
    When searching the registry in the past I have had no hits for these two.

    The very first indication at the beginning of this whole saga was an F-Secure warning of Script 614643. In each case it said it had dealt with it!
     

    Attached Files:

    • OTL.zip (76.7 KB)
  31. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    WHY? I did not ask you to do this. We just got finished getting rid of it and Comodo, which were causing you problems.
     
  32. EJB

    EJB Corporal

    Sorry, I obviously mistakenly assumed that we had reached a conclusion.
    That's no excuse!!!!!!

    I have a restore point at 'Tweakings.com'.....I'm grasping at straws now!!
     
  33. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Uninstall anything from Comodo and/or F-Secure that you have. Use Revo and then also use the below

    GeekUninstaller 1.3.2.42

    Use Force Removal by selecting the program for removal and click Shift Delete or see the Action menu selection.

    After using both uninstallers, you need to reboot and then repeat my instructions back in message # 28 with OTL and Windows Repair. Henceforth, as stated in the READ & RUN ME FIRST instructions please follow the below
     
  34. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Oh and one more scan I want you to run but this time follow the instructions given. Run the FRST scan I gave you back in message # 9. But this time run it from the System Recovery Options menu as requested. Last time you ran it and the subsequent fix from normal boot mode!
     
  35. EJB

    EJB Corporal

    I have looked through 'uninstall or change programmes'.
    Also 'C' Programme Files/Data/x86 etc.
    Also looked via Revo And Geeks Uninstall.

    No sign of F-Secure and Comodo.

    If I use 'regedit' and search the registry I find multiple items.
     
  36. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay then just continue with the instructions in my last two messages. OTL scan, Windows Repair, a proper scan with FRST.
     
  37. EJB

    EJB Corporal

    Have run OTL, System Repair also frst64.

    I am unable to get into 'system recovery options menu'.....I simply can't find it after reading many supposed methods....W8.1 doesn't seem be too helpful...Sorry!

    However 'command prompt' is readily available.

    I will try again tomorrow with the Windows disc method.
     

    Attached Files:

    Last edited: Jan 9, 2015
  38. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay you should have told me about the problem with FRST when first requested to run. A log from normal boot mode is of no use to us.

    Also move OTL.COM to drive C Desktop folder as requested. It should not be on drive D.

    I think many of your problems are due to you having installed and run the below junk. This junk has killed a lot of PCs.

    C:\Program Files\Reimage\Reimage Protector

    On Dec 22nd something touched/modified most of your Windows system files, which is why your OTL logs are so large.


    Please run RogueKiller and run a scan. After it finishes the scan, select the Registry tab and then select any of the below that exist and then click the Delete button.

    Then immediately reboot your PC.

    After reboot, run a new scan with RogueKiller and save a log as in original instructions and attach the new log.

    After the reboot and attaching the new RogueKiller log, continue on with the below instructions.



    Now shut down your protection software (antivirus, antispyware...etc) to avoid possible conflicts.
    • Double-click OTL.exe to run. (Note: if using Vista, Win7 or Win8 use right-click and select Run as Administrator)
    • Copy the text in the code box below and paste it into the Custom Scans/Fixes text-field.
    Code:
    :OTL
    SRV:64bit: - [2014/12/02 11:51:42 | 007,138,664 | ---- | M] (Reimage®) [Auto | Running] -- C:\Program Files\Reimage\Reimage Protector\ReiGuard.exe -- (ReimageRealTimeProtector)
    DRV:64bit: - [2014/07/01 14:22:40 | 000,056,016 | ---- | M] () [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\fsbts.sys -- (fsbts)
    IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = https://uk.yahoo.com?fr=hp-avast&type=avastbcl
    IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 1
    IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = <-loopback>
    IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:52619;https=127.0.0.1:52619
    IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 1
    IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = <-loopback>
    IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:52619;https=127.0.0.1:52619
    FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{b9f47bca-a729-4bf7-b093-bf9fc4320f28}: C:\Program Files (x86)\F-Secure\apps\OnlineSafety\browser\deploy\fs_firefox_https
    O2:64bit: - BHO: (F-Secure Online Safety) - {45BBE08D-81C5-4A67-AF20-B2A077C67747} - C:\Program Files (x86)\F-Secure\apps\OnlineSafety\browser\install\fs_ie_https\fs_ie_https64.dll File not found
    O2:64bit: - BHO: (F-Secure Search) - {690EF1CF-5775-4CB3-A5B8-85A63FD0262B} - C:\Program Files (x86)\F-Secure\apps\SafeSearch\IE\FSSafeSearch64.dll File not found
    O3:64bit: - HKLM\..\Toolbar: (F-Secure Search Toolbar) - {B242FC32-2B60-48EA-A8E3-2E280EDBC48F} - C:\Program Files (x86)\F-Secure\apps\SafeSearch\IE\FSSafeSearch64.dll File not found
    O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O7 - HKU\S-1-5-21-980987733-1711783861-904182696-1001\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O7 - HKU\S-1-5-21-980987733-1711783861-904182696-1003\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} http://download.eset.com/special/eos/OnlineScanner.cab (Reg Error: Key error.)
    [2015/01/09 11:28:16 | 000,000,000 | ---D | C] -- C:\Users\Jill\AppData\Local\F-Secure
    [2015/01/09 10:17:22 | 000,000,000 | ---D | C] -- C:\ProgramData\Reimage Protector
    [2015/01/09 10:17:17 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Reimage Repair
    [2015/01/09 10:17:12 | 000,000,000 | ---D | C] -- C:\Program Files\Reimage
    [2015/01/09 10:17:01 | 000,000,000 | ---D | C] -- C:\rei
    [2015/01/09 10:16:11 | 000,000,165 | ---- | C] () -- C:\Windows\Reimage.ini
    [2015/01/08 14:13:44 | 000,316,856 | ---- | C] () -- C:\Users\Jill\MGlogs.zip
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{4457E969-CD4F-4BEC-8DCF-EE8C37C3D9C2}: NameServer = 156.154.70.22,156.154.71.22
     
    :Files
    C:\Program Files (x86)\F-Secure
    C:\Program Files\Reimage
    C:\Windows\System32\Tasks\ReimageUpdater
    C:\Windows\System32\Tasks\Reimage Reminder
    ipconfig /flushdns /c
    :Commands
    [PURITY]
    [EMPTYTEMP] 
    [EMPTYFLASH]
    
    [REBOOT]
    • Now click the Run Fix button.
    • If the fix needed a reboot please do it.
    • Click the OK button (upon reboot).
    • When OTL is finished, Notepad will open. Close Notepad.
    • A log file will be located at C:\_OTL\MovedFiles\mmddyyyy_hhmmss.log, where mmddyyyy_hhmmss is the date of the tool run.
    • Attach this log to your next message. (See: How to attach)
    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator).


    Then attach the below logs:
    • the log from OTL
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
     
    Last edited: Jan 9, 2015
  39. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Also I have a question. It looks like you are in the UK but I see the below in your logs

    O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{4457E969-CD4F-4BEC-8DCF-EE8C37C3D9C2}: NameServer = 156.154.70.22,156.154.71.22

    This IP Address is in the USA. Why is this configured on this PC?
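    As an added example (not from this thread, and not part of OTL, FRST or any other tool named here), the following Python checker reads OTL-style lines like those quoted in messages 38 and 39 and flags the three things worth a second look: a proxy that is enabled and routed through 127.0.0.1, an Internet Explorer Restrictions policy key being present, and an interface whose NameServer is not the resolver you expect. The sample log, the constructed SID and the expected-resolver set are assumptions made for the example.

```python
import re

# Constructed sample, modelled on the OTL lines quoted in this thread: one hive
# with its IE proxy forced to loopback, an IE Restrictions policy key, and a NIC
# whose resolver is not the one the local router hands out. The S-1-5-21 SID is
# a constructed placeholder.
SAMPLE_LOG = r"""
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 1
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = <-loopback>
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:52619;https=127.0.0.1:52619
IE - HKU\S-1-5-21-0000000000-0000000000-0000000000-1001\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{4457E969-CD4F-4BEC-8DCF-EE8C37C3D9C2}: NameServer = 156.154.70.22,156.154.71.22
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{PLACEHOLDER-GUID}: NameServer = 192.168.1.1
"""

# Line shapes as OTL prints them: per-hive IE proxy values, O6/O7 policy keys,
# and O17 per-interface resolver settings.
PROXY_RE = re.compile(
    r'^IE - (?P<hive>HKU\\[^\\]+|HKLM)\\.*Internet Settings: "(?P<name>Proxy\w+)" = (?P<value>.*)$')
RESTRICT_RE = re.compile(r'^O[67] - (?P<key>.*\\Restrictions) present$')
DNS_RE = re.compile(r'^O17 - .*\{(?P<guid>[^}]+)\}: NameServer = (?P<servers>[\d.,]+)$')

# Constructed assumption: the only resolver this household's router should hand out.
EXPECTED_DNS = {"192.168.1.1"}


def parse_proxy_settings(lines):
    """Collect the IE proxy values OTL reports, grouped by registry hive."""
    by_hive = {}
    for line in lines:
        m = PROXY_RE.match(line)
        if m:
            by_hive.setdefault(m["hive"], {})[m["name"]] = m["value"].strip()
    return by_hive


def proxy_findings(by_hive):
    """An enabled proxy pointing at 127.0.0.1 routes every browser request
    through a local process, which is exactly what the ProxyServer lines in
    this thread showed. A proxy that is set but disabled is ignored."""
    out = []
    for hive, vals in by_hive.items():
        if vals.get("ProxyEnable") != "1":
            continue
        server = vals.get("ProxyServer", "")
        if re.search(r"\b127\.0\.0\.1\b|\blocalhost\b", server):
            out.append(f"{hive}: proxy enabled and routed via loopback ({server})")
        elif server:
            out.append(f"{hive}: proxy enabled ({server}); confirm it is expected")
    return out


def restriction_findings(lines):
    """The IE Restrictions policy key is normally absent on a home PC."""
    return [f"IE Restrictions policy present: {m['key']}"
            for m in map(RESTRICT_RE.match, lines) if m]


def dns_findings(lines, expected):
    """Flag any interface whose NameServer is outside the expected set."""
    out = []
    for m in map(DNS_RE.match, lines):
        if not m:
            continue
        unexpected = [s for s in m["servers"].split(",") if s not in expected]
        if unexpected:
            out.append(f"interface {{{m['guid']}}}: unexpected NameServer {','.join(unexpected)}")
    return out


def analyze(text, expected_dns=EXPECTED_DNS):
    """Run all three checks over a block of OTL-style text."""
    lines = [line.rstrip() for line in text.splitlines()]
    return {
        "proxy": proxy_findings(parse_proxy_settings(lines)),
        "restrictions": restriction_findings(lines),
        "dns": dns_findings(lines, expected_dns),
    }


if __name__ == "__main__":
    for category, items in analyze(SAMPLE_LOG).items():
        for item in items:
            print(f"[{category}] {item}")
```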
     
  40. EJB

    EJB Corporal

    I have no idea re the IP address!?
    Will continue tomorrow.

    PS. "C:\Program Files\Reimage\Reimage Protector" downloaded today when I clicked on one of the links. I didn't notice at the beginning but then went to another link and downloaded the correct programme.....can't remember which!
     
  41. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay be careful what you click on. As stated in the READ & RUN ME FIRST and some other procedures our downloads are

    See the download links under this icon [​IMG]

    Anything else is advertisements we have no control over and google does not police the crap they advertise.

    Do you know why so many files were changed on 12/22/2014 ?
     
    Last edited: Jan 10, 2015
  42. EJB

    EJB Corporal

    Re files change I don't know but enquiring later with 'other half' whose PC it is.
    Didn't run Reimage. Complicated to remove but I hope I have!
    Not easy to put OTL onto 'C' but have managed.

    Working through.
     
  43. EJB

    EJB Corporal

    Rogue Killer scan was 'instant' and there were no items listed on any of the tabs.
    FRST attached and run the correct way hopefully.

    Continuing.
     

    Attached Files:

  44. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Please attach the log from RogueKiller.

    Ah so you were finally able to run FRST properly! What changed?

    After I see the log from OTL and the new MGlogs.zip, I will decide what to do next.


    Maybe the owner updated to Windows 8.1 on 12/22/2014
     
    Last edited: Jan 11, 2015
  45. EJB

    EJB Corporal

    Re-ran the correct Rogue Killer (64 Bit).
    Deleted the lines suggested.
    Re-ran after boot up....log not saved on desktop....reinstalled RK and same again.
    The lines (above) are still present after deleting them/reboot and run again.
    Found 'report' not log....have attached.

    PCs (2) built and supplied new to us with 8.1 installed in May.
    Oct/Nov the SSDs were cloned and replaced by my supplier due to a batch fault.

    The script that I got warnings about appeared November...but was quarantined by F-Secure.
     

    Attached Files:

  46. EJB

    EJB Corporal

    Wrong OTL log attached.

    Only activity on the 22 Dec 14 was Windows updates:-
    KB 3014442
    KB 3013816
    KB 3013769
    KB 3000850
    No unusual activity seen!
     

    Attached Files:

    • OTL.zip (76.7 KB)
  47. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Logs from RogueKiller now get saved in c:\programdata\roguekiller

    I did not ask for a new OTL scan log. You need to attach the logs from the fix with OTL and the new MGlogs.zip
     
  48. EJB

    EJB Corporal

    2 Logs attached.
     

    Attached Files:

  49. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay there are a few things remaining from F-Secure

    Copy the bold text below to notepad. Save it as fixme.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.
    Make sure that you tell me if you receive a success message about adding the above
    to the registry. If you do not get a success message, it definitely did not work.


    Also look for the below folder and delete it if found:
    C:\ProgramData\F-Secure

    Now reboot your PC one more time and run a scan with RogueKiller again. Attach the new log.
     
  50. EJB

    EJB Corporal

    'fixme.reg'......successful.
    C/prog data/......no F-Secure found.
    RK log attached.

    In 'Programme Files' the u/m are dated 22 Dec 2014:-
    Windows Journal.
    Windows Mail.
    Windows media Player.
    Windows Multimedia Platform.
    Windows Photo Viewer.
    Windows Portable Devices.
    Windows Power Shell.
    Windows Internet Explorer.
    C:\ProgramData\regid.1991-06.com.microsoft

    Apart from the Windows updates on 22nd Dec I have no idea what happened!!
    My updates are always (and always have been) set to 'Let me choose'. I then select all those already selected and sometimes add others after checking what they are.
     

    Attached Files:

    Last edited: Jan 11, 2015
