Infected Laptop for a few weeks now

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by Niter55, Feb 10, 2012.

  1. Niter55

    Niter55 Private E-2

    Since mid-January 2011 my laptop has been blue screening on boot up. I can go into safe mode, not run any tools and reboot normally. I have run Malwarebytes; it finds trojans, viruses and malware and quarantines them, then after a reboot they are still there when I run it again. I use AVG 2012 and it does the same thing: it keeps finding the same viruses and quarantines them, but still finds them again on the next run. I found your site and downloaded all the tools and ran them in the order stated, and this morning I still blue screened. I did not run RootRepeal as I have a 64-bit system. The other 4 files are attached. I sure do hope you can help me!!
     

    Attached Files:

  2. thisisu

    thisisu Malware Consultant

    Hi and welcome to Major Geeks, Niter55!

    I want you to read and follow these instructions: TDSSKiller - How to run

    Please download aswMBR to your desktop.
    • Double-click aswMBR.exe to run (Vista/7 right-click and select Run as Administrator)
    • Select No when asked "Would you like to download latest Avast! virus definitions?"
    • Click the [Scan] button.
    • On completion of the scan click [Save log], save it to your desktop and attach this log to your next message. (How to attach)
     
  3. Niter55

    Niter55 Private E-2

    Here is the log, laptop blue screened on me again 3 times this morning, and now I'm seeing 2 desktop.ini files on my desktop. Thanks for trying to help.
     

    Attached Files:

  4. thisisu

    thisisu Malware Consultant

  5. Niter55

    Niter55 Private E-2

    I am so sorry I didn't attach it. Please forgive, been many years since I've done this kind of stuff.
     

    Attached Files:

  6. thisisu

    thisisu Malware Consultant

  7. Niter55

    Niter55 Private E-2

    Newest log attached. The TDSS file did appear and I deleted it.
     

    Attached Files:

  8. thisisu

    thisisu Malware Consultant

    From Programs and Features (via Control Panel), please uninstall the below:
    • Ask Toolbar
    • AVG PC Tuneup <-- You can reinstall if you wish after malware removal is complete.
    • Conduit Engine
    • Java(TM) 6 Update 20 <-- Outdated
    • Shareaza <-- P2P
    • Spybot - Search & Destroy 2 <-- You can reinstall if you wish after malware removal is complete.
    • Vuze Remote Toolbar <-- P2P source of conduit
    • Vuze <-- P2P
    • Zynga Toolbar <-- Source of Conduit

    You may need to reboot for the changes to take effect on some of the above, go ahead and reboot before proceeding.

    Run C:\MGtools\analyse.exe by double-clicking it (Vista/7 right-click and select Run as Administrator)
    Shut down your protection software now (antivirus, antispyware...etc) to avoid possible conflicts.
    Choose "Do a system scan only" and select the following lines, but do not click Fix until you exit all Explorer windows and all browser sessions, including the one you are reading in right now:

    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:53394
    R3 - URLSearchHook: (no name) - {37483b40-c254-4a72-bda4-22ee90182c1e} - (no file)
    O4 - HKCU\..\Run: [fchost] C:\ProgramData\fchost.exe
    O4 - HKCU\..\Run: [chkiso] C:\Users\Anita\AppData\Roaming\chkiso.exe
    O4 - .DEFAULT User Startup: Best Buy pc app.lnk = C:\ProgramData\Best Buy pc app\ClickOnceSetup.exe (User 'Default user')


    After clicking Fix, exit out of Trend Micro HiJackThis - v2.0.4


    Fixing items using ComboFix
    Make sure that ComboFix.exe that you downloaded while doing the READ & RUN ME is on your desktop -- but do not run it.
    If it is not on your desktop, the below will not work.
    Shut down your protection software now (antivirus, antispyware...etc) to avoid possible conflicts.
    Open Notepad and copy/paste the text in the below code box into Notepad:
    Code:
    KillAll::
    ClearJavaCache::
    DDS::
    uInternet Settings,ProxyServer = http=127.0.0.1:53394
    Domains::
    Driver::
    SDHookService
    SDUpdateService
    SDWSCService
    FireFox::
    FF - ProfilePath - C:\Users\Anita\AppData\Roaming\Mozilla\Firefox\Profiles\vqhjgqdm.default\
    FF - prefs.js: browser.search.selectedEngine - Ask.com
    FF - prefs.js: network.proxy.http - 127.0.0.1
    FF - prefs.js: network.proxy.http_port - 53394
    FF - prefs.js: network.proxy.type - 0
    File::
    C:\Windows\svchost.exe
    C:\Users\Anita\AppData\Roaming\com.w3i.intune
    C:\Users\Anita\AppData\Roaming\Microsoft\Windows\Templates\767t3m7h5421
    C:\ProgramData\767t3m7h5421
    C:\Users\Anita\Desktop\AVG PC Tuneup.lnk
    C:\Program Files (x86)\tbZyng.dll
    C:\Users\Anita\AppData\Roaming\chkiso.exe
    C:\ProgramData\fchost.exe
    C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Spybot-S&D Start Center.lnk
    C:\Windows\tasks\Scan the system (Spybot - Search & Destroy).job
    C:\Windows\tasks\Refresh immunization (Spybot - Search & Destroy).job
    C:\Windows\tasks\Check for updates (Spybot - Search & Destroy).job
    [-HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\SearchScopes\{afdbddaa-5d3f-42ee-b79c-185a7020515b}]
    Folder::
    C:\Program Files (x86)\AVG
    C:\Program Files (x86)\Spybot - Search & Destroy 2
    C:\Program Files (x86)\ConduitEngine
    C:\Program Files (x86)\Zynga
    C:\Program Files (x86)\Vuze_Remote
    C:\ProgramData\AVG2012
    C:\$AVG
    C:\Windows\assembly\tmp
    C:\Windows\assembly\temp\U
    C:\EEFF0
    C:\ProgramData\Shareaza
    C:\ProgramData\{7159CBC6-DD81-425C-AA97-17777FE759F6}
    C:\ProgramData\Spybot - Search & Destroy
    C:\ProgramData\Microsoft\Windows\Start Menu\Programs\AVG PC Tuneup
    C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Shareaza
    C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Spybot - Search & Destroy 2
    C:\ProgramData\Best Buy pc app
    C:\Program Files (x86)\F0073
    C:\Program Files (x86)\EMBIRD32
    C:\Users\Anita\AppData\Roaming\F0073
    C:\Users\Anita\AppData\Roaming\EEFF0
    C:\Users\Anita\AppData\Roaming\AVG
    C:\Windows\SysWow64\%APPDATA%
    C:\Users\Anita\AppData\Local\Shareaza
    C:\ProgramData\Shareaza
    C:\Program Files (x86)\Shareaza Applications
    Registry::
    [HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
    "{98e34367-8df7-42b4-837b-20b892ff0849}"=-
    "{1E73965B-8B48-48be-9C8D-68B920ABC1C4}"=-
    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
    "ProxyServer"=-
    [HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
    "ProxyServer"=-
    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    "fchost"=-
    "chkiso"=-
    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "dplaysvr"=-
    [HKEY_USERS\S-1-5-21-430041498-3596214885-946225714-1001\Software\Microsoft\Windows\CurrentVersion\run]
    "fchost"=-
    "chkiso"=-
    [-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}]
    [-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}]
    [-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{afdbddaa-5d3f-42ee-b79c-185a7020515b}]
    [-HKEY_CLASSES_ROOT\clsid\{7b13ec3e-999a-4b70-b9cb-2617b8323822}]
    [-HKEY_LOCAL_MACHINE\Wow6432Node\~\Browser Helper Objects\{7b13ec3e-999a-4b70-b9cb-2617b8323822}]
    [-HKEY_LOCAL_MACHINE\Wow6432Node\~\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}]
    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
    "{ba14329e-9550-4989-b3f2-9732e92d17cc}"=-
    "{7b13ec3e-999a-4b70-b9cb-2617b8323822}"=-
    [-HKEY_CLASSES_ROOT\clsid\{7b13ec3e-999a-4b70-b9cb-2617b8323822}]
    [-HKEY_CLASSES_ROOT\clsid\{ba14329e-9550-4989-b3f2-9732e92d17cc}]
    [-HKEY_LOCAL_MACHINE\Wow6432Node\~\Browser Helper Objects\{30F9B915-B755-4826-820B-08FBA6BD249D}]
    [-HKEY_LOCAL_MACHINE\Wow6432Node\~\Browser Helper Objects\{7b13ec3e-999a-4b70-b9cb-2617b8323822}]
    [-HKEY_LOCAL_MACHINE\Wow6432Node\~\Browser Helper Objects\{ba14329e-9550-4989-b3f2-9732e92d17cc}]
    [-HKEY_LOCAL_MACHINE\Wow6432Node\~\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar]
    "{ba14329e-9550-4989-b3f2-9732e92d17cc}"=-
    "{30F9B915-B755-4826-820B-08FBA6BD249D}"=-
    "{7b13ec3e-999a-4b70-b9cb-2617b8323822}"=-
    "{D4027C7F-154A-4066-A1AD-4243D8127440}"=-
    [-HKEY_CLASSES_ROOT\clsid\{ba14329e-9550-4989-b3f2-9732e92d17cc}]
    [-HKEY_CLASSES_ROOT\clsid\{30f9b915-b755-4826-820b-08fba6bd249d}]
    [-HKEY_CLASSES_ROOT\clsid\{7b13ec3e-999a-4b70-b9cb-2617b8323822}]
    [-HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
    [-HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
    [-HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
    [-HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "AdobeBridge"=-
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
    "Spybot-S&D Cleaning"=-
    "SDTray"=-
    "QuickTime Task"=-
    "NBAgent"=-
    "HP Software Update"=-
    "Corel Photo Downloader"=-
    "Corel File Shell Monitor"=-
    "Adobe Reader Speed Launcher"=-
    "Adobe ARM"=-
    "Adobe Acrobat Speed Launcher"=-
    "Acrobat Assistant 8.0"=-
    "Malwarebytes' Anti-Malware"=-
    
    Save this file as CFScript.txt to your desktop. So now you should have both CFScript.txt and ComboFix.exe on your desktop.
    Now use your mouse to drag CFScript.txt on top of ComboFix.exe and then release.
    http://softvisia.com/users/Night_Raven/Security/cfsdnd2.gif
    This will launch ComboFix.
    Note: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
    Allow ComboFix to update itself if prompted.
    When ComboFix finishes, a log will be produced at C:\ComboFix.txt
    Attach this log to your next message. (How to attach)

    Reminder for myself: Windows Firewall Authorization Driver Service is NOT running

    Now install the current version of Sun Java from: jre-7u2-windows-x64.exe

    Now run C:\MGtools\GetLogs.bat by right-mouse clicking it and then selecting Run as Administrator
    This updates all of the logs inside MGlogs.zip.
    When it is finished, attach C:\MGlogs.zip to your next message. (How to attach)

    Let me know how the PC is running after you have completed these steps. If the malware was removed properly we will work on repairing Windows Firewall.
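    The HijackThis R1/R3/O4 lines and the Firefox proxy prefs in the fix above share one pattern: browser traffic redirected through a loopback proxy (127.0.0.1:53394 here) and autorun entries pointing at bare executables dropped in ProgramData and AppData. The Python script below is an added example, not part of this thread or of MGtools: it flags those indicator classes in HijackThis/DDS-style log lines and, going one step beyond the post, checks whether IE and Firefox are pointed at the same loopback port. The sample input reuses the lines quoted in this post plus one constructed benign autorun entry (ExampleVendorApp).

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Sample input: the R1/R3/O4 and FF lines quoted in the post above, plus one
# constructed benign autorun entry (ExampleVendorApp) that must NOT be flagged.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:53394
R3 - URLSearchHook: (no name) - {37483b40-c254-4a72-bda4-22ee90182c1e} - (no file)
O4 - HKCU\..\Run: [fchost] C:\ProgramData\fchost.exe
O4 - HKCU\..\Run: [chkiso] C:\Users\Anita\AppData\Roaming\chkiso.exe
O4 - HKLM\..\Run: [ExampleVendorApp] C:\Program Files (x86)\ExampleVendor\app.exe
FF - prefs.js: network.proxy.http - 127.0.0.1
FF - prefs.js: network.proxy.http_port - 53394
"""

LOOPBACK = re.compile(r"\b(127\.\d{1,3}\.\d{1,3}\.\d{1,3}|localhost)\b", re.I)
PORT = re.compile(r":(\d{1,5})$")
R1_PROXY = re.compile(r"^R1 - .*ProxyServer = (?P<value>.+)$")
R3_HOOK = re.compile(r"^R3 - URLSearchHook: .* - (?P<clsid>\{[0-9a-f-]+\}) - \(no file\)$", re.I)
O4_RUN = re.compile(r"^O4 - (?P<hive>[A-Z]+)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<path>.+)$")
FF_PREF = re.compile(r"^FF - prefs\.js: (?P<pref>network\.proxy\.\S+) - (?P<value>.+)$")
# "Drop roots": an .exe sitting directly in ProgramData or in a user's AppData\Roaming
# or AppData\Local, with no vendor subfolder. Legitimate software rarely autoruns from there.
DROP_ROOTS = re.compile(
    r"^[A-Z]:\\(ProgramData|Users\\[^\\]+\\AppData\\(Roaming|Local))\\[^\\]+\.exe$", re.I)


@dataclass(frozen=True)
class Finding:
    kind: str    # short tag for the indicator class
    detail: str  # the value that triggered it
    line: str    # the original log line


def analyse(log_text: str) -> List[Finding]:
    """Flag the indicator classes seen in this thread in HijackThis/DDS-style log lines."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if (m := R1_PROXY.match(line)) and LOOPBACK.search(m["value"]):
            # WinINET (IE) proxy pointed at the local machine: traffic is intercepted locally
            findings.append(Finding("ie_local_proxy", m["value"], line))
        elif m := R3_HOOK.match(line):
            # URLSearchHook whose CLSID resolves to no file: orphaned hijacker registration
            findings.append(Finding("orphan_urlsearchhook", m["clsid"], line))
        elif (m := O4_RUN.match(line)) and DROP_ROOTS.match(m["path"]):
            findings.append(Finding("autorun_in_drop_root", f"{m['name']}: {m['path']}", line))
        elif ((m := FF_PREF.match(line)) and m["pref"] == "network.proxy.http"
              and LOOPBACK.search(m["value"])):
            findings.append(Finding("firefox_local_proxy", m["value"], line))
    return findings


def shared_local_proxy_port(log_text: str) -> Optional[int]:
    """Port if IE and Firefox are both configured for the same loopback HTTP proxy, else None.

    The post removes the two settings separately; correlating them distinguishes a
    system-wide proxy hijack from a single stale browser preference.
    """
    ie_port = ff_port = None
    ff_host_is_loopback = False
    for raw in log_text.splitlines():
        line = raw.strip()
        if (m := R1_PROXY.match(line)) and LOOPBACK.search(m["value"]):
            if p := PORT.search(m["value"]):
                ie_port = int(p.group(1))
        elif m := FF_PREF.match(line):
            if m["pref"] == "network.proxy.http":
                ff_host_is_loopback = bool(LOOPBACK.search(m["value"]))
            elif m["pref"] == "network.proxy.http_port" and m["value"].isdigit():
                ff_port = int(m["value"])
    if ie_port is not None and ff_host_is_loopback and ie_port == ff_port:
        return ie_port
    return None


if __name__ == "__main__":
    for f in analyse(SAMPLE_LOG):
        print(f"[{f.kind}] {f.detail}")
    print("shared loopback proxy port:", shared_local_proxy_port(SAMPLE_LOG))
```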
     
  9. Niter55

    Niter55 Private E-2

    Just finished ComboFix. One of the programs you had me uninstall was not listed in my uninstall programs: Ask Toolbar. I also could not uninstall AVG PC Tuneup (a file was missing, so I deleted it). Vuze Toolbar uninstalled; however, Vuze wouldn't uninstall (a file was missing, I deleted it from Programs). I did not go into regedit to see if it was there because I didn't want to do something on my own without you telling me to. I haven't had to do anything like this in many years. I was a network admin until 1998, a LONG time ago. I am doing my best to follow your instructions to a T :) I am now getting ready to install the current version of Java, then run MGtools\getlogs.bat after the update, and I will post my log when I have finished. Thank you so very much for all the help so far. I lost my firewall about 3 weeks ago when all this mess started.
     

    Attached Files:

  10. Niter55

    Niter55 Private E-2

    Here is the logs zip file. I will reboot a few times. One of my embroidery machine programs is now gone, but I have the setup file on a flash drive that I will install later after everything is clean on here, or I will redownload it direct from the site where I purchased it.
    I forgot to say in my previous post that even though AVG was uninstalled, when I started ComboFix it said it was still running. I don't understand that, because it wasn't listed in Programs to uninstall, nor was it in my start list; in fact I haven't reinstalled it yet.
     

    Attached Files:

  11. thisisu

    thisisu Malware Consultant

    Logs are starting to look a lot better. Just a few more things and then we'll start on the Windows Firewall. Sorry about the inconvenience with the Embird 2010 program. I did not realize it was listed in Add/Remove and that it was legit. We still have the option to restore the folder I deleted pertaining to it at a later time if you wish.

    From Programs and Features (via Control Panel), please uninstall the below:
    • Best Buy pc app
    • Java(TM) 6 Update 20 (64-bit)

    Download Windows Repair by Tweaking.com and unzip the contents into a newly created folder on your desktop.
    • Now open Repair_Windows.exe
    • Go to Start Repairs tab.
    • Choose "Custom Mode" and press "Start".
    • Create a System Restore point if prompted.
    • In the Custom Mode window, select the following repair options:
      • Reset Registry Permissions
      • Repair WMI
      • Repair Hosts File
      • Remove Policies Set By Infections
      • Repair MSI (Windows Installer)
    • Now click the Start button.
    • Be patient while the tool repairs the selected items.
    • If asked to reboot the computer for the changes to take effect, make sure other tasks in the program are not still running before accepting to restart.

    Fixing items using ComboFix
    Make sure that ComboFix.exe that you downloaded while doing the READ & RUN ME is on your desktop -- but do not run it.
    If it is not on your desktop, the below will not work.
    Shut down your protection software now (antivirus, antispyware...etc) to avoid possible conflicts.
    Open Notepad and copy/paste the text in the below code box into Notepad:
    Code:
    KillAll::
    ClearJavaCache::
    File::
    c:\users\Default User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Best Buy pc app.lnk
    Folder::
    c:\programdata\Best Buy pc app
    RegLock::
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
    @Denied: (A 2) (Everyone)
    @="FlashBroker"
    "LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil11c_ActiveX.exe,-101"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
    "Enabled"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil11c_ActiveX.exe"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
    @Denied: (A 2) (Everyone)
    @="Shockwave Flash Object"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11c.ocx"
    "ThreadingModel"="Apartment"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
    @="0"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
    @="ShockwaveFlash.ShockwaveFlash.10"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11c.ocx, 1"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
    @="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
    @="1.0"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
    @="ShockwaveFlash.ShockwaveFlash"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
    @Denied: (A 2) (Everyone)
    @="Macromedia Flash Factory Object"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11c.ocx"
    "ThreadingModel"="Apartment"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
    @="FlashFactory.FlashFactory.1"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11c.ocx, 1"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
    @="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
    @="1.0"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
    @="FlashFactory.FlashFactory"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
    @Denied: (A 2) (Everyone)
    @="IFlashBroker4"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
    @="{00020424-0000-0000-C000-000000000046}"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    "Version"="1.0"
    .
    [HKEY_LOCAL_MACHINE\software\Wow6432Node\Microsoft\DbgagD\1*]
    "value"="?\0a\02\04\15\10\17ß"
    .
    [HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    .
    [HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    .
    [HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]
    @Denied: (Full) (Everyone)
    Registry::
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar]
    "{28387537-e3f9-4ed7-860c-11e69af4a8a0}"=-
    [-HKEY_LOCAL_MACHINE\Wow6432Node\~\Browser Helper Objects\{28387537-e3f9-4ed7-860c-11e69af4a8a0}]
    
    Save this file as CFScript.txt to your desktop. So now you should have both CFScript.txt and ComboFix.exe on your desktop.
    Now use your mouse to drag CFScript.txt on top of ComboFix.exe and then release.
    http://softvisia.com/users/Night_Raven/Security/cfsdnd2.gif
    This will launch ComboFix.
    Note: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
    Allow ComboFix to update itself if prompted.
    When ComboFix finishes, a log will be produced at C:\ComboFix.txt
    Attach this log to your next message. (How to attach)

    Now run the following file as Administrator (right-mouse click and select "Run as Administrator"): C:\MGtools\FixWFW.bat
    This only takes a split second to run. You may have seen a black DOS window flash on the screen.
    Go ahead and reboot now.

    Once back in Windows...

    Now run C:\MGtools\GetLogs.bat by right-mouse clicking it and then selecting Run as Administrator
    This updates all of the logs inside MGlogs.zip.
    When it is finished, attach C:\MGlogs.zip to your next message. (How to attach)

    Let me know what problems remain, if any. Test your Windows Firewall too.
     
  12. Niter55

    Niter55 Private E-2

    The Best Buy pc app was not listed in the Control Panel, so I couldn't uninstall it; I did uninstall the old Java file. I also lost an Excel file, but I do have it on a stick so I'm not worried about it (it was password protected with all my logins and passwords). Next I will run MGtools\FixWFW.bat, reboot, then post my next log. I can't express how much I appreciate your help and your patience with me.
     

    Attached Files:

  13. Niter55

    Niter55 Private E-2

    I still have no firewall and get two error codes: "Windows Firewall can't change some of your settings, error code 0x80070424", and when I tried to go to advanced settings I got error code 0x6D9.

    I checked my flash stick and only have the Embird setup file, I didn't have all the other embird stuff backed up.
     

    Attached Files:

  14. thisisu

    thisisu Malware Consultant

    Let's restore the Embird folder first. This was the only folder I deleted but there was quite a bit in it.

    Fixing items using ComboFix
    Make sure that ComboFix.exe that you downloaded while doing the READ & RUN ME is on your desktop -- but do not run it.
    If it is not on your desktop, the below will not work.
    Shut down your protection software now (antivirus, antispyware...etc) to avoid possible conflicts.
    Open Notepad and copy/paste the text in the below code box into Notepad:
    Code:
    DeQuarantine::
    C:\QooBox\Quarantine\C\Program Files (x86)\EMBIRD32
    Quit::
    
    Save this file as CFScript.txt to your desktop. So now you should have both CFScript.txt and ComboFix.exe on your desktop.
    Now use your mouse to drag CFScript.txt on top of ComboFix.exe and then release.
    http://softvisia.com/users/Night_Raven/Security/cfsdnd2.gif
    This will launch ComboFix.
    Note: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
    Allow ComboFix to update itself if prompted.
    When ComboFix finishes, a log will be produced at C:\DeQuarantine.txt
    Attach this log to your next message. (How to attach)
     
  15. Niter55

    Niter55 Private E-2

    Here is the dequarantine.txt
     

    Attached Files:

  16. thisisu

    thisisu Malware Consultant

    Let me know if everything is OK with the program now before we continue working on the firewall.
     
  17. Niter55

    Niter55 Private E-2

    YES!!!!!! I sew a lot for St. Jude's Trail Rides and all my files are back. Thank you!!!! Now on to my firewall :)
     
  18. thisisu

    thisisu Malware Consultant

    Please download MiniRegTool.zip and unzip it.

    • Run the tool.
    • Copy and paste the 4 lines below into the edit box:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MpsSvc
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mpsdrv
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MPSDRV
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MPSSVC

    • Check the List Permissions radio button.
    • Press the Go button and attach the result (Result.txt) that pops up. A copy of Result.txt will be saved in the same directory the tool is run.
     
  19. Niter55

    Niter55 Private E-2

    here are the results.
     

    Attached Files:

  20. thisisu

    thisisu Malware Consultant

    Ok first - find c:\MGtools\FixW7FWdrv.reg
    When you have located this file, double-click it and allow it to merge into the registry.

    Let me know if you received a "successfully merged into the registry" message or not. If you did NOT receive a successful message, let me know exactly what message you received.
     
  21. Niter55

    Niter55 Private E-2

    Successfully merged!!
     
  22. thisisu

    thisisu Malware Consultant

    Ok good.

    Now attempt to do the same exact thing with this registry file: c:\MGtools\FixW7FW.reg

    Let me know if it was successful or not.
     
  23. Niter55

    Niter55 Private E-2

    Success again :)
     
  24. thisisu

    thisisu Malware Consultant

    Good. Now reboot.

    Once you have rebooted...

    Now run C:\MGtools\GetLogs.bat by right-mouse clicking it and then selecting Run as Administrator
    This updates all of the logs inside MGlogs.zip.
    When it is finished, attach C:\MGlogs.zip to your next message. (How to attach)

    Double-check that the Windows Firewall is working now too. Let me know how the system is running as well.
     
  25. Niter55

    Niter55 Private E-2

    My laptop is running well now!! A firewall again!!! I rebooted once, cold boot and no blue screen. You are FANTASTIC at your job and the best volunteer I have had the pleasure of having help me. I cannot thank you enough. I hope this has gotten rid of my bugs on here.
     

    Attached Files:

  26. thisisu

    thisisu Malware Consultant

    It was my pleasure :)

    Your latest logs are clean.

    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources (except a little disk space) until you run a scan.
    2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /uninstall
        • Note: the space between combofix" and /uninstall must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
    3. Go back to step 6 of the READ ME and re-enable your Disk Emulation software with Defogger if you had disabled it.
    4. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    5. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    6. If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    7. Go to Add/Remove Programs and uninstall HijackThis if it is present.
    8. Go to the C:\MGtools folder and find the MGclean.bat file. Double-click on this file to run this cleanup program, which will remove files and folders related to MGtools and some other items from our cleaning procedures.
    9. If you are running Win 7, Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning procedures pointed to by step 7 of the READ ME for your Windows version and see the instructions to Disable System Restore, which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    10. After doing the above, you should work through the below link:
    Be safe :)
     
  27. Niter55

    Niter55 Private E-2

    Thank you again for all your help. I've uninstalled what was listed and am installing MS Security Essentials for the time being; I will eventually buy SUPERAntiSpyware. I'm keeping that and Malwarebytes on here just for removing, as you suggested; however, I hope not to get bombed again. I had been using AVG 2012 (the free one), then bought AVG PC Tuneup, but I don't think I will reinstall them. I need to research online and read instead of using my laptop as a guinea pig. I don't know as much as I used to know about viruses and computers, so I will leave that up to people like you :) Thanks again and may God bless you for the work you do.
     
  28. thisisu

    thisisu Malware Consultant

    You're welcome. Be safe :)
     
