Javascript Disabled Detected

You currently have javascript disabled. Several functions may not work. Please re-enable javascript to access full functionality.

popups pc perfromance utilitys

Started by 314 , Jan 19 2014 04:38 PM

This topic is locked

#16
godawgs

Posted 26 January 2014 - 03:46 PM

Teacher

Retired Staff
8,228 posts

The new OTL log shows that the Chrome home page is now google. But the default search engine is still hijacked so we will delete the bad engine and make something else the default.
MalwareBytes quarantined a bunch of rubbish and the ESET on-line scan found more. We will remove some of what ESET found. Then update the out of date Java program.
Please let me know if any other issues remain.

Step-1.

Reset/Delete a Search engine in Chrome

Open the Chrome browser

Click the tools menu icon on the browser toolbar.
Select Settings and find the "Search" section.
Click Manage search engines.
Remove a search engine: Select the Feed Snapdo search engine and click the x or trash can that appears at the end of the row.

Set your default search engine

Click the Chrome menu on the browser toolbar.
Select Settings and find the Search section.
Select the search engine you want to use from the menu (like Google). If the search engine you want to use doesn't appear in the menu, click Manage search engines.
In the Search Engines dialog that appears, select the search engine that you'd like to use from the list.
Click the Make default button that appears at the end of the row. Or mouse over it and click Make Default.
Don’t see the button? You may need to edit its URL. See details below on setting up a search engine.

If the search engine you want to use isn't on this list, see the steps below to add it as a new search engine option.

Add, edit, or remove search engines

Google Chrome automatically saves a list of the search engines you've come across while browsing the web. For example, if you visit http://www.youtube.com, the browser automatically detects and adds the YouTube search engine to the list of search engines that you can access. You’ll then be able to search YouTube directly from the address bar without even visiting the site.

To manually add, edit, or remove search engines from the browser, follow the steps below.

Click the Chrome menu (it looks like a page with 3 horizontal bars) on the browser toolbar.
Select Settings and find the Search section.
Click Manage search engines.
Add a search engine: Scroll to the bottom of the dialog and fill out the fields to set up the search engine.
Edit a search engine: Select the search engine from the list and click the field you want to modify.
Remove a search engine: Select the search engine and click the x that appears at the end of the row.

Step-2.

Posted Image

OTL Fix

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons, they will return on reboot

1. Please copy all of the text in the quote box below (Do Not copy the word Quote. To do this, highlight everything
inside the quote box (except the word Quote) , right click and click Copy.

:COMMANDS
[createrestorepoint]

:FILES
E:\!!@\ccsetup406.exe
E:\500re4\Users\Aaron\AppData\Local\Temp\AskSLib.dll
E:\500re4\Users\Aaron\Downloads\AA_v3.exe
E:\500re4\Users\Aaron\Downloads\FoxitReader542.0901_enu_Setup.exe
E:\Downloads\AA_v3 (1).exe
E:\Downloads\AA_v3.2 (1).exe
E:\Downloads\AA_v3.2.exe
E:\Downloads\AA_v3.exe
E:\Downloads\rcpsetup_vmed (1).exe
E:\Downloads\rcpsetup_vmed.exe
E:\Downloads\SuperOneClickv2.2-ShortFuse.zip
E:\Downloads\SuperOneClickv2.3.1-ShortFuse - Copy.zip
E:\Downloads\SuperOneClickv2.3.1-ShortFuse.zip
E:\Re4_500\Downloads\AA_v3.exe
E:\Re4_500\Downloads\FoxitReader542.0901_enu_Setup.exe
E:\Repair\Work\CPU-Z\cpu-z_1.62-setup-en.exe
E:\sort\zUndicided\Downloads\AA_v3.exe
E:\t3\New folder\tbw_trial.exe
E:\Wayne\AMMYY_Admin(2).exe
E:\Wayne\AMMYY_Admin.exe
E:\Wayne\tftpd32.351.zip

:COMMANDS
[emptytemp]

Warning: This fix is relevant for this system and no other. If you are not this user, DO NOT follow these directions as they could damage the workings of your system.

2. Please re-open Posted Image

on your desktop. To do that:

Vista and 7 users: Right click the icon and click Run as Administrator

3. Place the mouse pointer inside the Posted Image

textbox, right click and click Paste. This will put the above script inside the textbox.
4. Click the Posted Image

button.
5. Let the program run unhindered.
6. OTL may ask to reboot the machine. Please do so if asked.
7. Click the Posted Image

JAVA Advice
WARNING: Java is the #1 exploited program at this time. The Department of Homeland Security recommends that computer users disable Java
See this article and this article.
I would recommend that you completely uninstall Java unless you need it to run an important software or need it to play games on-line.
In that instance I would recommend that you only use Firefox or Chrome to visit those sites and do the following:

For Firefox, install the NoScript add-on.
For Chrome, install the Script-No add-on.
NOTE: After installing the add-ons you will need to tell them that the site you are visiting is allowed to run Java.
Disable Java in your browsers until you need it for that software and then enable it. (See How to disable Java in your web browser or How to unplug Java from the browser)

If you still want to update your Java, follow the instructions below:

A.
Your version of Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older versions of Java components and update:

Download the latest version of the Java Runtime Environment (JRE) Version from Here or Here and save it to your desktop.
Look for "Java Platform, Standard Edition". You will see the current Java version and update number under listed under the heading. Example: The newest update is Java SE 7u51
Click the "Download button under the JRE" column.
On the Java SE Runtime Environment page, click the button to "Accept License Agreement".
Under the Java SE Runtime Environment 7u51 heading:
To install the version for your system:
- For Windows 64bit systems, look for Windows x64 29.37MB, click the jre-7u51-windows-64.exe file and save it to your desktop. Do Not run it from the Java site.
Close any programs you may have running - especially your web browser.

B.
Uninstall all versions of Java

Click Start > Control Panel > Add/Remove Programs. The list of installed programs will populate.
Click the Start Orb, then Control Panel. Under the Programs or Programs and Features section click Uninstall a program. The list of installed programs will populate.
Remove all older versions of Java. These may call themselves: Java Runtime, Runtime Environment, Runtime, JRE, Java Virtual Machine, Virtual Machine, Java VM, JVM, VM, J2RE or J2SE
The versions I see on the computer are:
- Java 7 Update 45
Click each program and click the Remove or Change/Remove button and follow the on screen instructions for the Java uninstaller.
For Vista/7/8: Right click each program and click Uninstall and follow the on screen instructions for the Java uninstaller.
Repeat as many times as necessary to remove each Java version.
Reboot your computer once all Java components are removed.
-- Starting with Java 6u10, the uninstaller incorporated in each new release uses Enhanced Auto update to automatically remove the previous version when updating to a later update release. It will not remove older versions, so they will need to be removed manually.

C.
Install the latest JAVA

Back on your desktop:

Right click the jre-7u51-windows-x64.exefile and click Run as Administrator and OK the UAC prompt to install the newest version.
When the Java Setup - Welcome window opens, click the Install > button.
If offered to install a Toolbar, just uncheck the box before continuing unless you want it.

[Note:] The Java Quick Starter (JQS.exe) adds a service to improve the initial start up time of Java applets and applications. To disable the JQS service if you don't want to use it, go to Start > Control Panel > You will have to be in Classic View to see Java(It looks like a coffee cup). Double-click on Java click the Advanced Tab click Miscellaneous and uncheck the box for Java Quick Starter. Click OK and reboot your computer.

Step-4.
1. Let me know if you were able to reset the Chrome search engine.
2. Let me know if you were able to successfully update Java
3. Let me know if any issues remain.
4. The OTL fixes log

#17
314

Posted 26 January 2014 - 09:25 PM

Member

Topic Starter
Member
65 posts

1. did the reset fine
2. updated java worked good
3. my google chrome shortcut icon on task bar is wrong
3a. when i open new tab in chrome it tries to open an extention of some kind(amfclgb......) i cant read what it all says
3b. when i open chrome it always goes to an amazon page.
3c . when i try to right click an icon on my desktop and click open containing folder it opens an internet explorer page, but it says blank page.
3d. my internet explorer wont work unless i run it as an administrator
3f. i cannot uninstall driver support, flv player, mcafee site advisor, my clean pc optomizer, new player, outfox tv, show-password, snap.do us tech support framework, those all say that i do not have permission i have tried using safe mode but no go on that. also i have an icon on desktop that says live pc help

All processes killed
========== COMMANDS ==========
Restore point Set: OTL Restore Point
========== FILES ==========
E:\!!@\ccsetup406.exe moved successfully.
E:\500re4\Users\Aaron\AppData\Local\Temp\AskSLib.dll moved successfully.
E:\500re4\Users\Aaron\Downloads\AA_v3.exe moved successfully.
E:\500re4\Users\Aaron\Downloads\FoxitReader542.0901_enu_Setup.exe moved successfully.
E:\Downloads\AA_v3 (1).exe moved successfully.
E:\Downloads\AA_v3.2 (1).exe moved successfully.
E:\Downloads\AA_v3.exe moved successfully.
E:\Downloads\rcpsetup_vmed (1).exe moved successfully.
E:\Downloads\rcpsetup_vmed.exe moved successfully.
E:\Downloads\SuperOneClickv2.2-ShortFuse.zip moved successfully.
E:\Downloads\SuperOneClickv2.3.1-ShortFuse - Copy.zip moved successfully.
E:\Downloads\SuperOneClickv2.3.1-ShortFuse.zip moved successfully.
E:\Re4_500\Downloads\AA_v3.exe moved successfully.
E:\Re4_500\Downloads\FoxitReader542.0901_enu_Setup.exe moved successfully.
E:\Repair\Work\CPU-Z\cpu-z_1.62-setup-en.exe moved successfully.
E:\sort\zUndicided\Downloads\AA_v3.exe moved successfully.
E:\t3\New folder\tbw_trial.exe moved successfully.
E:\Wayne\AMMYY_Admin(2).exe moved successfully.
E:\Wayne\AMMYY_Admin.exe moved successfully.
========== COMMANDS ==========

[EMPTYTEMP]

User: 314
->Temp folder emptied: 84898530 bytes
->Temporary Internet Files folder emptied: 4067100 bytes
->Java cache emptied: 0 bytes
->Google Chrome cache emptied: 69096891 bytes
->Flash cache emptied: 0 bytes

User: All Users

User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: DefaultAppPool
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Public
->Temp folder emptied: 0 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32 (64bit) .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 29806 bytes
%systemroot%\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 265764 bytes
%systemroot%\sysnative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 128 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 151.00 mb

OTL by OldTimer - Version 3.2.69.0 log created on 01262014_200530

Files\Folders moved on Reboot...
C:\Users\314\AppData\Local\Temp\FXSAPIDebugLogFile.txt moved successfully.
C:\Users\314\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat moved successfully.
File move failed. C:\Windows\temp\vmware-SYSTEM\vmauthd.log scheduled to be moved on reboot.
C:\Windows\temp\vmware-SYSTEM\vmware-usbarb-3004.log moved successfully.

PendingFileRenameOperations files...

Registry entries deleted on Reboot...

#18
godawgs

Posted 26 January 2014 - 10:42 PM

Teacher

Retired Staff
8,228 posts

3f. i cannot uninstall driver support, flv player, mcafee site advisor, my clean pc optomizer, new player, outfox tv, show-password, snap.do us tech support framework, those all say that i do not have permission i have tried using safe mode but no go on that. also i have an icon on desktop that says live pc help

I didn't realize that you had those problems.
In post #8 I asked you to let me know if you had any problems uninstalling the programs I had listed. Since you didn't report any problems except MyPCBackup (in post #11) I assumed the rest went ok. It's possible that AdwCleaner amd JRT removed the uninstall files from the programs when they did the clean procedure, but I don't think that would have generated the permissions issue.

Step-1.

Run RogueKiller

NOTE: If using IE8 or better the Smartscreen Filter will need to be disabled. Directions for disabling the SmartScreen Filter in IE 8, 9 and 10 can be found: here

Click here to go to the RogueKiller download page.
Click the 64 bits (x64): download button and save the RogueKillerX64.exe file to the desktop.

Quit all programs and close all browsers.
Right click the RogueKiller icon and click Run as Administrator to run the program.
NOTE: If this is the first time you have used the program you will need to accept the User Agreement.
Wait until Prescan has finished ...This may take a few minutes, especially if it is the first time you have used the program.
Click on Scan
Wait for the end of the scan.
DO NOT delete anything at this time.
The report has been created on the desktop.

Please post:
All RKreport.txt text files located on your desktop.
NOTE: If RogueKiller has been blocked, do not hesitate to try a few times more. If it really won't run, rename it to winlogon.exe (or winlogon.com) and try again.

Step-2

Check Hard Disk For Errors:

Please copy everything in the code box below into notepad. To do this highlight all text, then right click and click Copy.

@Echo Off
cmd /c chkdsk c: |find /v "percent" >> "%userprofile%\desktop\checkhd.txt"
del %0

Next, open Notepad, or click Start->Run and in the Open: box type notepad.exe and click OK.
Right click in the notepad window and click Paste, or put the cursor inside the notepad window and press the Ctrl-V keys to paste the text into notepad.
On the File menu, click Save
On the Save AS window that comes up, do the following:
- On the left side, click the Desktop Icon. This will put "Desktop" in the Save In: box at the top.
- At the bottom in the File Name: box type testhd.bat
- In the Save as type: box, click the down arrow and click All Files(*.*)
- Click Save
This will put a new file on the Desktop named testhd.bat
The file icon will look like this:

Close all open windows and any open Browsers.
Right click the testhd.bat file on the desktop and click Run As Administrator then OK any UAC prompts to run the file. A command window will open briefly, then close. This is quite normal.
When the command window has closed there will be a new file on the desktop named checkhd.txt
Copy and paste the contents of the checkhd.txt file in your next reply.

Step-3.

Things For Your Next Post:
Please post the logs in the order requested. Please don't attach the logs unless I request it.
1. The RKreport.txt log
2. The testhd.txt log

#19
314

Posted 26 January 2014 - 11:10 PM

Member

Topic Starter
Member
65 posts

RogueKiller V8.8.3 _x64_ [Jan 24 2014] by Tigzy
mail : tigzyRK<at>gmail<dot>com
Feedback : http://www.adlice.com/forum/
Website : http://www.adlice.co...es/roguekiller/
Blog : http://www.adlice.com

Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User : 314 [Admin rights]
Mode : Scan -- Date : 01/26/2014 22:02:52
| ARK || FAK || MBR |

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 0 ¤¤¤

¤¤¤ Scheduled tasks : 1 ¤¤¤
[V2][SUSP PATH] SomotoUpdateCheckerAutoStart : C:\Users\314\AppData\Local\FilesFrog Update Checker\update_checker.exe - /auto [x] -> FOUND

¤¤¤ Startup Entries : 0 ¤¤¤

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ Browser Addons : 0 ¤¤¤

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [NOT LOADED 0x0] ¤¤¤

¤¤¤ External Hives: ¤¤¤
-> E:\Users\Default\NTUSER.DAT | DRVINFO [Drv - E:] | SYSTEMINFO [Sys - NO_SYS] [Sys32 - NOT_FOUND] | USERINFO [Startup - NOT_FOUND]
-> E:\Users\Dennis Woods\NTUSER.DAT | DRVINFO [Drv - E:] | SYSTEMINFO [Sys - NO_SYS] [Sys32 - NOT_FOUND] | USERINFO [Startup - FOUND]
-> E:\Users\QBDataServiceUser17\NTUSER.DAT | DRVINFO [Drv - E:] | SYSTEMINFO [Sys - NO_SYS] [Sys32 - NOT_FOUND] | USERINFO [Startup - NOT_FOUND]
-> E:\Users\QBDataServiceUser22\NTUSER.DAT | DRVINFO [Drv - E:] | SYSTEMINFO [Sys - NO_SYS] [Sys32 - NOT_FOUND] | USERINFO [Startup - NOT_FOUND]

¤¤¤ Infection : ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
--> %SystemRoot%\System32\drivers\etc\hosts

127.0.0.1 localhost

¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: (\\.\PHYSICALDRIVE0 @ IDE) OCZ-VERTEX3 ATA Device +++++
--- User ---
[MBR] 3caee1e344a26f8c192bf6b23b77d12c
[BSP] 8e45a3090038bd1d7d3f1735575e7ab9 : Linux MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 100 Mo
1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 206848 | Size: 114371 Mo
User = LL1 ... OK!
User = LL2 ... OK!

+++++ PhysicalDrive1: (\\.\PHYSICALDRIVE1 @ IDE) ST1500DL003-9VT16L ATA Device +++++
--- User ---
[MBR] 3cc1df2336373ab2790dd55417dbaa70
[BSP] ec85f2a3d418a084ac39ca131f06a164 : Windows 7/8 MBR Code
Partition table:
0 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 1430797 Mo
User = LL1 ... OK!
User = LL2 ... OK!

+++++ PhysicalDrive2: (\\.\PHYSICALDRIVE2 @ IDE) WDC WD5000AAKS-00YGA0 ATA Device +++++
--- User ---
[MBR] 743b7498ce9340db5ec66f1b1f5fb218
[BSP] 352e663e4e37f9c44f52ab8c8f5c81e2 : Legit.A MBR Code
Partition table:
0 - [XXXXXX] LINUX (0x83) [VISIBLE] Offset (sectors): 2048 | Size: 457599 Mo
1 - [XXXXXX] EXTEN (0x05) [VISIBLE] Offset (sectors): 937166846 | Size: 19339 Mo
User = LL1 ... OK!
User = LL2 ... OK!

Finished : << RKreport[0]_S_01262014_220252.txt >>

The type of the file system is NTFS.

WARNING! F parameter not specified.
Running CHKDSK in read-only mode.

CHKDSK is verifying files (stage 1 of 3)...
File verification completed.
434 large file records processed.

0 bad file records processed.

2 EA records processed.

71 reparse records processed.

CHKDSK is verifying indexes (stage 2 of 3)...
Index verification completed.
0 unindexed files scanned.

0 unindexed files recovered.

CHKDSK is verifying security descriptors (stage 3 of 3)...
Security descriptor verification completed.
31130 data files processed.

CHKDSK is verifying Usn Journal...
Usn Journal verification completed.
Windows has checked the file system and found no problems.

117115903 KB total disk space.
79343844 KB in 118534 files.
76056 KB in 31131 indexes.
0 KB in bad sectors.
293391 KB in use by the system.
65536 KB occupied by the log file.
37402612 KB available on disk.

4096 bytes in each allocation unit.
29278975 total allocation units on disk.
9350653 allocation units available on disk.

#20
godawgs

Posted 26 January 2014 - 11:58 PM

Teacher

Retired Staff
8,228 posts

Step-1.

Run RogueKiller

Quit all programs and close all browsers.

Right click the RogueKiller icon and click Run as Administrator to run the program.
Wait until Prescan has finished ...
Click the Scan button and wait for the scan to complete.
Click on the Delete button.
The report has been created on the desktop.
Next click on the ShortcutsFix
The report has been created on the desktop.

Please post:
The RKreport.txt files located on your desktop.
NOTE: If RogueKiller has been blocked, do not hesitate to try a few times more. If it really won't run, rename it to winlogon.exe (or winlogon.com) and try again.

Step-2.

Delete Old SFC Log and run SFC

Open an elevated command prompt. To do that:
- Click Start, click on All Programs and Accessories, then right click on Command Prompt and click on Run as administrator. (See screenshot below)
A command window will open like the image below:
Type the following and press ENTER after each line:
```
cd  \windows\Logs\cbs

copy  cbs.log  cbs.old

del  cbs.log
```
Back at the blinking cursor:
Type or copy and paste the following command and press Enter:
sfc /scannow

The sfc /scannow command scans all protected system files and replaces incorrect versions with correct Microsoft versions. Note: This may take awhile to finish. Do not close this Command Prompt window until the verification is 100% complete.
When the scan has finished you should get one of the following messages in the Command window:
- Windows Resource Protection did not find any integrity violations.
- Windows Resource Protection could not perform the requested operation.
- Windows Resource Protection found corrupt files and successfully repaired them. Details are included in the CBS.Log %WinDir%\Logs\CBS\CBS.log.
- Windows Resource Protection found corrupt files but was unable to fix some of them. Details are included in the CBS.Log %WinDir%\Logs\CBS\CBS.log.
Write down the results of the scan so you can post them in your next reply.
Type exit and press the ENTER key to close the command window.

Step-3.

Things For Your Next Post:
Please post the logs in the order requested. Please don't attach the logs unless I request it.
1. Let me know which message you got after the sfc /scannow scan.
2. The RKreport[S0]_D_date_time.txt log
3. The RKreport[S0]_SC_date_time.txt log

#21
314

Posted 28 January 2014 - 07:15 PM

Member

Topic Starter
Member
65 posts

Windows Resource Protection did not find any integrity violations

RogueKiller V8.8.4 _x64_ [Jan 27 2014] by Tigzy
mail : tigzyRK<at>gmail<dot>com
Feedback : http://www.adlice.com/forum/
Website : http://www.adlice.co...es/roguekiller/
Blog : http://www.adlice.com

Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User : 314 [Admin rights]
Mode : Remove -- Date : 01/28/2014 17:21:08
| ARK || FAK || MBR |

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 0 ¤¤¤

¤¤¤ Scheduled tasks : 1 ¤¤¤
[V2][SUSP PATH] SomotoUpdateCheckerAutoStart : C:\Users\314\AppData\Local\FilesFrog Update Checker\update_checker.exe - /auto [x] -> DELETED

¤¤¤ Startup Entries : 0 ¤¤¤

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ Browser Addons : 0 ¤¤¤

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [NOT LOADED 0x0] ¤¤¤

¤¤¤ External Hives: ¤¤¤
-> E:\Users\Default\NTUSER.DAT | DRVINFO [Drv - E:] | SYSTEMINFO [Sys - NO_SYS] [Sys32 - NOT_FOUND] | USERINFO [Startup - NOT_FOUND]
-> E:\Users\Dennis Woods\NTUSER.DAT | DRVINFO [Drv - E:] | SYSTEMINFO [Sys - NO_SYS] [Sys32 - NOT_FOUND] | USERINFO [Startup - FOUND]
-> E:\Users\QBDataServiceUser17\NTUSER.DAT | DRVINFO [Drv - E:] | SYSTEMINFO [Sys - NO_SYS] [Sys32 - NOT_FOUND] | USERINFO [Startup - NOT_FOUND]
-> E:\Users\QBDataServiceUser22\NTUSER.DAT | DRVINFO [Drv - E:] | SYSTEMINFO [Sys - NO_SYS] [Sys32 - NOT_FOUND] | USERINFO [Startup - NOT_FOUND]

¤¤¤ Infection : ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
--> %SystemRoot%\System32\drivers\etc\hosts

127.0.0.1 localhost

¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: (\\.\PHYSICALDRIVE0 @ IDE) OCZ-VERTEX3 ATA Device +++++
--- User ---
[MBR] 3caee1e344a26f8c192bf6b23b77d12c
[BSP] 8e45a3090038bd1d7d3f1735575e7ab9 : Linux MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 100 Mo
1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 206848 | Size: 114371 Mo
User = LL1 ... OK!
User = LL2 ... OK!

+++++ PhysicalDrive1: (\\.\PHYSICALDRIVE1 @ IDE) ST1500DL003-9VT16L ATA Device +++++
--- User ---
[MBR] 3cc1df2336373ab2790dd55417dbaa70
[BSP] ec85f2a3d418a084ac39ca131f06a164 : Windows 7/8 MBR Code
Partition table:
0 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 1430797 Mo
User = LL1 ... OK!
User = LL2 ... OK!

+++++ PhysicalDrive2: (\\.\PHYSICALDRIVE2 @ IDE) WDC WD5000AAKS-00YGA0 ATA Device +++++
--- User ---
[MBR] 743b7498ce9340db5ec66f1b1f5fb218
[BSP] 352e663e4e37f9c44f52ab8c8f5c81e2 : Legit.A MBR Code
Partition table:
0 - [XXXXXX] LINUX (0x83) [VISIBLE] Offset (sectors): 2048 | Size: 457599 Mo
1 - [XXXXXX] EXTEN (0x05) [VISIBLE] Offset (sectors): 937166846 | Size: 19339 Mo
User = LL1 ... OK!
User = LL2 ... OK!

Finished : << RKreport[0]_D_01282014_172108.txt >>
RKreport[0]_S_01262014_220252.txt;RKreport[0]_S_01282014_172059.txt

RogueKiller V8.8.4 _x64_ [Jan 27 2014] by Tigzy
mail : tigzyRK<at>gmail<dot>com
Feedback : http://www.adlice.com/forum/
Website : http://www.adlice.co...es/roguekiller/
Blog : http://www.adlice.com

Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User : 314 [Admin rights]
Mode : Shortcuts HJfix -- Date : 01/28/2014 17:21:24
| ARK || FAK || MBR |

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Driver : [NOT LOADED 0x0] ¤¤¤

¤¤¤ External Hives: ¤¤¤
-> E:\Users\Default\NTUSER.DAT | DRVINFO [Drv - E:] | SYSTEMINFO [Sys - NO_SYS] [Sys32 - NOT_FOUND] | USERINFO [Startup - NOT_FOUND]
-> E:\Users\Dennis Woods\NTUSER.DAT | DRVINFO [Drv - E:] | SYSTEMINFO [Sys - NO_SYS] [Sys32 - NOT_FOUND] | USERINFO [Startup - FOUND]
-> E:\Users\QBDataServiceUser17\NTUSER.DAT | DRVINFO [Drv - E:] | SYSTEMINFO [Sys - NO_SYS] [Sys32 - NOT_FOUND] | USERINFO [Startup - NOT_FOUND]
-> E:\Users\QBDataServiceUser22\NTUSER.DAT | DRVINFO [Drv - E:] | SYSTEMINFO [Sys - NO_SYS] [Sys32 - NOT_FOUND] | USERINFO [Startup - NOT_FOUND]

¤¤¤ File attributes restored: ¤¤¤
Desktop: Success 0 / Fail 0
Quick launch: Success 0 / Fail 0
Programs: Success 0 / Fail 0
Start menu: Success 0 / Fail 0
User folder: Success 0 / Fail 0
My documents: Success 0 / Fail 0
My favorites: Success 0 / Fail 0
My pictures: Success 0 / Fail 0
My music: Success 0 / Fail 0
My videos: Success 0 / Fail 0
Local drives: Success 5 / Fail 6
Backup: [NOT FOUND]

Drives:
[C:] \Device\HarddiskVolume2 -- 0x3 --> Restored
[E:] \Device\HarddiskVolume5 -- 0x3 --> Restored
[F:] \Device\CdRom0 -- 0x5 --> Skipped
[Z:] \Device\LanmanRedirector\;Z:000000000008381e\BRYAN-I5\TibbyTwo -- 0x4 --> Skipped

¤¤¤ Infection : ¤¤¤

Finished : << RKreport[0]_SC_01282014_172124.txt >>
RKreport[0]_D_01282014_172108.txt;RKreport[0]_S_01262014_220252.txt;RKreport[0]_S_01282014_172059.txt

#22
godawgs

Posted 28 January 2014 - 11:58 PM

Teacher

Retired Staff
8,228 posts

Run Windows All-In-One

Download Windows Repair (all in one) from this site. Under the Installer (4.81 MB) click the Download button beside Direct Download and save the tweaking.com_windows_repair_aio_setup.exe file to the desktop.

Close the browser and all open windows

Right click the tweaking.com_windows_repair_aio_setup.exe file, click Run as Administrator and allow any UAC prompts to install the program. Let it install to the default locations. After the program has been installed:
Right click the Windows Repair (All-In-One) icon on the desktop, click Run as Administrator and OK any UAC prompts to launch the program.
Go to Step 4 to create a Restore point and backup the Registry
- Under System Restore click the Restore button. You will see a message saying that system Restore is creating a Restore point. when it is finished you will see a message saying that the Restore point was created.
- Under Registry Backup click the Backup button. When it is finished you will see the message telling you that the Registry is backed up.
Click the Next button. You will be taken to the Start Repairs screen.
On the Start Repairs tab click Start. You will see a Repair Options screen like the image below with the Default options checked"

Please make the following changes:
Click the box beside the following numbers to remove the checkmark:
07
08
17
Leave the rest of the boxes checked.
In the lower right corner click the box beside Shutdown/Restart System when Finished and tick the radio button beside Restart System.
Click the Start button.

NOTE: These repairs will take some time to complete depending on the speed of the system, the number of files and the number of reg keys. On a few systems it is possible for these repairs to get stuck in an infinite loop and thus never complete. This is because of symbolic links. Symbolic links are a way for a folder or reg key to point to a different location. On a normal system this isn't a problem. But if a system has a bad link that points back to a parent path then everything it hits in that link it will hit it again and again forever.
IF the repairs are running for a insane amount of time then they are most likely stuck in a loop. If that is the case stop the repairs and let me know.

Now check and see if IE is functioning properly. Also check the icons on the desktop. And finally try to uninstall the programs that you couldn't uninstall and see if you still get the permissions error.

#23
314

Posted 29 January 2014 - 02:12 AM

Member

Topic Starter
Member
65 posts

ie does not function properly, i can't uninstall only 3 programs now, snap.do(just doesnt come up with any prompt), Myclean pc(says that it cant find the unintsaller), mcaffee site advisor(tells me to contact them for help removing it) and open file location works now

also my start page for chrome is still amazon smart search, and opening a new tab is going to an extention that it can't find, my shortcut for chrome is looks like a blue magnifier

Edited by 314, 29 January 2014 - 02:16 AM.

#24
godawgs

Posted 29 January 2014 - 12:33 PM

Teacher

Retired Staff
8,228 posts

i can't uninstall only 3 programs now,

Acknowledged. The issues with snap.do and MyCleanPC are because AdwCleaner or JRT removed the uninstall .exe files. SiteAdvisor poses a different issue. We will see if another program can handle them.

also my start page for chrome is still amazon smart search, and opening a new tab is going to an extention that it can't find, my shortcut for chrome is looks like a blue magnifier

I'm not that familiar with Chrome, so I'm researching that.

...and open file location works now

ie does not function properly,

Acknowledged.

I have a question. Did you ever have any other McAfee product installed, like the antivirus program or the Security Suite?

Posted Image

:COMMANDS
[createrestorepoint]

:OTL
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present

:COMMANDS
[emptytemp]

on your desktop. To do that:

Vista and 7 users: Right click the icon and click Run as Administrator

3. Place the mouse pointer inside the Posted Image

textbox, right click and click Paste. This will put the above script inside the textbox.
4. Click the Posted Image

button.
5. Let the program run unhindered.
6. OTL may ask to reboot the machine. Please do so if asked.
7. Click the Posted Image

button.
8. A report will open. Copy and Paste that report in your next reply.
9. If the machine reboots, the log will be located at C:\_OTL\MovedFiles\mmddyyyy_hhmmss.log, (where mmddyyyy_hhmmss is the date of the tool run).

Things For Your Next Post:
Please post the logs in the order requested. Please don't attach the logs unless I request it.
1. Answer my question above.
2. Let me know if IE is functioning properly now.
3. The OTL fixes log

#25
314

Posted 29 January 2014 - 12:41 PM

Member

Topic Starter
Member
65 posts

Yes i had macaffee suite.
no IE doesn't work properly
also just noticed that there is a shortcut to something called VOpackage but the files are located in the otl moved files, can i delete the shortcut

All processes killed
========== COMMANDS ==========
Restore point Set: OTL Restore Point
========== OTL ==========
Registry key HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Restrictions\ deleted successfully.
========== COMMANDS ==========

[EMPTYTEMP]

User: 314
->Temp folder emptied: 47931386 bytes
->Temporary Internet Files folder emptied: 3292874 bytes
->Java cache emptied: 0 bytes
->Google Chrome cache emptied: 67592541 bytes
->Flash cache emptied: 0 bytes

User: All Users

User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: DefaultAppPool
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Public
->Temp folder emptied: 0 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32 (64bit) .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 30983 bytes
%systemroot%\sysnative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 128 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 113.00 mb

OTL by OldTimer - Version 3.2.69.0 log created on 01292014_113659

Files\Folders moved on Reboot...
C:\Users\314\AppData\Local\Temp\FXSAPIDebugLogFile.txt moved successfully.
C:\Users\314\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat moved successfully.
File move failed. C:\Windows\temp\vmware-SYSTEM\vmauthd.log scheduled to be moved on reboot.
File move failed. C:\Windows\temp\vmware-SYSTEM\vmware-usbarb-3420.log scheduled to be moved on reboot.

PendingFileRenameOperations files...

Registry entries deleted on Reboot...

Edited by 314, 29 January 2014 - 12:53 PM.

#26
godawgs

Posted 29 January 2014 - 02:03 PM

Teacher

Retired Staff
8,228 posts

OK let's trudge on...

Posted Image

:COMMANDS
[createrestorepoint]

:OTL
SRV - [2014/01/07 10:43:12 | 000,123,384 | ---- | M] (McAfee, Inc.) [Auto | Running] -- c:\Program Files (x86)\McAfee\SiteAdvisor\mcsacore.exe -- (McAfee SiteAdvisor Service)
FF - HKEY_LOCAL_MACHINE\software\mozilla\Thunderbird\Extensions\\[email protected]: C:\Program Files\McAfee\MSK
O2:64bit: - BHO: (McAfee SiteAdvisor BHO) - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~2\mcafee\SITEAD~1\x64\mcieplg.dll File not found
O2 - BHO: (McAfee SiteAdvisor BHO) - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~2\mcafee\SITEAD~1\mcieplg.dll File not found
O3:64bit: - HKLM\..\Toolbar: (McAfee SiteAdvisor Toolbar) - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~2\mcafee\SITEAD~1\x64\mcieplg.dll File not found
O3 - HKLM\..\Toolbar: (McAfee SiteAdvisor Toolbar) - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~2\mcafee\SITEAD~1\mcieplg.dll File not found
O18:64bit: - Protocol\Handler\dssrequest {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~2\mcafee\SITEAD~1\x64\mcieplg.dll File not found
O18:64bit: - Protocol\Handler\sacore {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~2\mcafee\SITEAD~1\x64\mcieplg.dll File not found
O20:64bit: - AppInit_DLLs: (C:\PROGRA~2\Amazon\AMAZON~1\AMAZON~2.DLL) - File not found

:FILES
C:\Users\314\AppData\Local\Google\Chrome\User Data\Default\Extensions\elicpjhcidhpjomhibiffojpinpmmpil\1.97.38_0

:COMMANDS
[emptytemp]

on your desktop. To do that:

Vista and 7 users: Right click the icon and click Run as Administrator

3. Place the mouse pointer inside the Posted Image

textbox, right click and click Paste. This will put the above script inside the textbox.
4. Click the Posted Image

button.
5. Let the program run unhindered.
6. OTL may ask to reboot the machine. Please do so if asked.
7. Click the Posted Image

#27
314

Posted 29 January 2014 - 09:52 PM

Member

Topic Starter
Member
65 posts

All processes killed
========== COMMANDS ==========
Restore point Set: OTL Restore Point
========== OTL ==========
Service McAfee SiteAdvisor Service stopped successfully!
Service McAfee SiteAdvisor Service deleted successfully!
c:\Program Files (x86)\McAfee\SiteAdvisor\mcsacore.exe moved successfully.
Registry value HKEY_LOCAL_MACHINE\software\mozilla\Thunderbird\Extensions\\[email protected] deleted successfully.
File C:\Program Files\McAfee\MSK not found.
64bit-Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{B164E929-A1B6-4A06-B104-2CD0E90A88FF}\ deleted successfully.
64bit-Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B164E929-A1B6-4A06-B104-2CD0E90A88FF}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{B164E929-A1B6-4A06-B104-2CD0E90A88FF}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B164E929-A1B6-4A06-B104-2CD0E90A88FF}\ deleted successfully.
64bit-Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Toolbar\\{0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} deleted successfully.
64bit-Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064}\ deleted successfully.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Toolbar\\{0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064}\ deleted successfully.
64bit-Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\dssrequest\ deleted successfully.
64bit-Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5513F07E-936B-4E52-9B00-067394E91CC5}\ deleted successfully.
File {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~2\mcafee\SITEAD~1\x64\mcieplg.dll File not found not found.
64bit-Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\sacore\ deleted successfully.
64bit-Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5513F07E-936B-4E52-9B00-067394E91CC5}\ not found.
File {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~2\mcafee\SITEAD~1\x64\mcieplg.dll File not found not found.
64bit-Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_Dlls:C:\PROGRA~2\Amazon\AMAZON~1\AMAZON~2.DLL deleted successfully.
========== FILES ==========
C:\Users\314\AppData\Local\Google\Chrome\User Data\Default\Extensions\elicpjhcidhpjomhibiffojpinpmmpil\1.97.38_0\_locales\en folder moved successfully.
C:\Users\314\AppData\Local\Google\Chrome\User Data\Default\Extensions\elicpjhcidhpjomhibiffojpinpmmpil\1.97.38_0\_locales\de folder moved successfully.
C:\Users\314\AppData\Local\Google\Chrome\User Data\Default\Extensions\elicpjhcidhpjomhibiffojpinpmmpil\1.97.38_0\_locales folder moved successfully.
C:\Users\314\AppData\Local\Google\Chrome\User Data\Default\Extensions\elicpjhcidhpjomhibiffojpinpmmpil\1.97.38_0\video folder moved successfully.
C:\Users\314\AppData\Local\Google\Chrome\User Data\Default\Extensions\elicpjhcidhpjomhibiffojpinpmmpil\1.97.38_0\startpage\png folder moved successfully.
C:\Users\314\AppData\Local\Google\Chrome\User Data\Default\Extensions\elicpjhcidhpjomhibiffojpinpmmpil\1.97.38_0\startpage\hu folder moved successfully.
C:\Users\314\AppData\Local\Google\Chrome\User Data\Default\Extensions\elicpjhcidhpjomhibiffojpinpmmpil\1.97.38_0\startpage\3rd folder moved successfully.
C:\Users\314\AppData\Local\Google\Chrome\User Data\Default\Extensions\elicpjhcidhpjomhibiffojpinpmmpil\1.97.38_0\startpage folder moved successfully.
C:\Users\314\AppData\Local\Google\Chrome\User Data\Default\Extensions\elicpjhcidhpjomhibiffojpinpmmpil\1.97.38_0\extension folder moved successfully.
C:\Users\314\AppData\Local\Google\Chrome\User Data\Default\Extensions\elicpjhcidhpjomhibiffojpinpmmpil\1.97.38_0\ebay folder moved successfully.
C:\Users\314\AppData\Local\Google\Chrome\User Data\Default\Extensions\elicpjhcidhpjomhibiffojpinpmmpil\1.97.38_0\downloader folder moved successfully.
C:\Users\314\AppData\Local\Google\Chrome\User Data\Default\Extensions\elicpjhcidhpjomhibiffojpinpmmpil\1.97.38_0 folder moved successfully.
========== COMMANDS ==========

[EMPTYTEMP]

User: 314
->Temp folder emptied: 53939871 bytes
->Temporary Internet Files folder emptied: 2700579 bytes
->Java cache emptied: 0 bytes
->Google Chrome cache emptied: 10879839 bytes
->Flash cache emptied: 0 bytes

User: All Users

User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: DefaultAppPool
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Public
->Temp folder emptied: 0 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32 (64bit) .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 8178 bytes
%systemroot%\sysnative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 128 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 64.00 mb

OTL by OldTimer - Version 3.2.69.0 log created on 01292014_204445

Files\Folders moved on Reboot...
C:\Users\314\AppData\Local\Temp\FXSAPIDebugLogFile.txt moved successfully.
C:\Users\314\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat moved successfully.
File move failed. C:\Windows\temp\vmware-SYSTEM\vmauthd.log scheduled to be moved on reboot.
C:\Windows\temp\vmware-SYSTEM\vmware-usbarb-3420.log moved successfully.

PendingFileRenameOperations files...

Registry entries deleted on Reboot...

no change in ie but it will work properly if i run ie as admin

#28
godawgs

Posted 30 January 2014 - 10:22 AM

Teacher

Retired Staff
8,228 posts

also just noticed that there is a shortcut to something called VOpackage but the files are located in the otl moved files, can i delete the shortcut

Yep. You can delete the shortcut.

no change in ie but it will work properly if i run ie as admin

Well, let's see if another add-on is causing the problem.

Run IE as Administrator.
Go to "Tools > Internet Options > Programs," then click Manage add-ons
In the lower left pane, select Show: All add-ons
Click one of the add-ons in the right panel to highlight it and push the Ctrl+A keys. This will select all add-ons.
At the bottom of the right pane click Disable all, then click Close. (Make sure all add-ons' status are 'Disabled')
Close IE, then open it again. This time, not as Administrator of course.

Does IE work now? If it does then an add-on is the culprit. We just need to find which one it is.

IF IE works correctly with the add-ons disabled:

Repeat steps 1 and 2 above.
Next, click one of the add-ons and then click the Enable button at the bottom of the window to enable it.
Close IE. Then re-open it (not as an Administrator) and see if it still functions properly. If it does, keep repeating these steps until you enable the add-on that causes IE not to run unless it is run as an Administrator. That's the bad add-on.
Disable it again and then continue to enable the rest of the add-ons to make sure that IE still functions correctly.
Next, you will need to uninstall the program that the bad add-on is linked to and reinstall it. Like Java or FlashPlayer etc;

If there isn't a program associated with the add-on just leave it disabled. It can't do any harm.

#29
314

Posted 30 January 2014 - 11:39 AM

Member

Topic Starter
Member
65 posts

no that doesnt work no addon is causing the problem, it seems like running ie in non admin mode that the window is not responding

#30
godawgs

Posted 30 January 2014 - 12:07 PM

Teacher

Retired Staff
8,228 posts

OK. Let's see if this will repair IE

Repair Internet Explorer with Fix IE Utility

Download the Fix IE Utility and save it to the desktop. To do that click here and then click the Download File button.

Close all open windows and browsers, especially Internet Explorer
Right click the Fix IE.zip file on the desktop and click Extract All. The Select a destination window will open.
Click the Extract button. This will put a folder named IE on the desktop.
Double click the IE folder to open it.
Double click the IE folder there to open it.
Right click the Fix IE Utility.exe file and click Run as Administrators to run the program.
Click on the Run Utility button as shown in the image
Wait until the following message appears
Then click on OK
Restart your machine to see if your Internet Explorer is now working again