Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

Computer not completely frozen, but sits and spins [Solved]


  • This topic is locked This topic is locked

#61
cowpuncher

cowpuncher

    Member

  • Topic Starter
  • Member
  • PipPip
  • 58 posts
I'm fixing to run RogueKiller, and yes, I believed I was hacked back in February. I changed some of my passwords then
and I'm fixing to change my e-mail address. It totally creeped me out when I found out this guy from India was trying to
access my facebook account. Thank goodness facebook denied him and then sent me a message!

Change subject, Even with all that was deleted, I still found a folder with more that were quarantined, plus some that
were deleted but still had their empty folders. (under Downloads) Also there are still some in 'Recycle'.

Hope your still feeling better! :D
  • 0

Advertisements


#62
cowpuncher

cowpuncher

    Member

  • Topic Starter
  • Member
  • PipPip
  • 58 posts
RogueKiller V8.8.11 _x64_ [Mar 14 2014] by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : http://forum.adlice.com
Website : http://www.adlice.co...es/roguekiller/
Blog : http://www.adlice.com

Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User : star[Admin rights]
Mode : Scan -- Date : 03/16/2014 21:35:53
| ARK || FAK || MBR |

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 12 ¤¤¤
[HJ POL][PUM] HKLM\[...]\System : DisableTaskMgr (0) -> FOUND
[HJ POL][PUM] HKLM\[...]\System : DisableRegistryTools (0) -> FOUND
[HJ POL][PUM] HKLM\[...]\System : ConsentPromptBehaviorAdmin (0) -> FOUND
[HJ POL][PUM] HKLM\[...]\Wow6432Node\[...]\System : DisableTaskMgr (0) -> FOUND
[HJ POL][PUM] HKLM\[...]\Wow6432Node\[...]\System : DisableRegistryTools (0) -> FOUND
[HJ POL][PUM] HKLM\[...]\Wow6432Node\[...]\System : ConsentPromptBehaviorAdmin (0) -> FOUND
[HJ SMENU][PUM] HKCU\[...]\Advanced : Start_ShowUser (0) -> FOUND
[HJ SMENU][PUM] HKCU\[...]\Advanced : Start_ShowMyPics (0) -> FOUND
[HJ SMENU][PUM] HKCU\[...]\Advanced : Start_ShowMyGames (0) -> FOUND
[HJ SMENU][PUM] HKCU\[...]\Advanced : Start_ShowMyMusic (0) -> FOUND
[HJ DESK][PUM] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
[HJ DESK][PUM] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

¤¤¤ Scheduled tasks : 0 ¤¤¤

¤¤¤ Startup Entries : 2 ¤¤¤
[Default][SUSP PATH] Best Buy pc app.lnk : C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Best Buy pc app.lnk @C:\PROGRA~3\BESTBU~1\CLICKO~1.EXE "C:\ProgramData\Best Buy pc app\Best Buy pc app.application" [-][-][-] -> FOUND
[McAfeeMVSUser][SUSP PATH] Best Buy pc app.lnk : C:\Users\McAfeeMVSUser\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Best Buy pc app.lnk @C:\PROGRA~3\BESTBU~1\CLICKO~1.EXE "C:\ProgramData\Best Buy pc app\Best Buy pc app.application" [-][-][-] -> FOUND

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ Browser Addons : 0 ¤¤¤

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [NOT LOADED 0x0] ¤¤¤

¤¤¤ External Hives: ¤¤¤

¤¤¤ Infection : ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
--> %SystemRoot%\System32\drivers\etc\hosts




¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: (\\.\PHYSICALDRIVE0 @ IDE) ST31000528AS ATA Device +++++
--- User ---
[MBR] d11133611b8eb8e4538ab7b5635a804a
[BSP] b7f1af624ca415852c3eb9ae77b37bea : Windows Vista MBR Code
Partition table:
0 - [XXXXXX] FAT32 (0x1b) [HIDDEN!] Offset (sectors): 2048 | Size: 14524 Mo
1 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 29747200 | Size: 939343 Mo
User = LL1 ... OK!
User = LL2 ... OK!

Finished : << RKreport[0]_S_03162014_213553.txt >>
RogueKiller V8.8.11 _x64_ [Mar 14 2014] by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : http://forum.adlice.com
Website : http://www.adlice.co...es/roguekiller/
Blog : http://www.adlice.com

Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User : star [Admin rights]
Mode : Remove -- Date : 03/16/2014 21:37:28
| ARK || FAK || MBR |

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 12 ¤¤¤
[HJ POL][PUM] HKLM\[...]\System : DisableTaskMgr (0) -> DELETED
[HJ POL][PUM] HKLM\[...]\System : DisableRegistryTools (0) -> DELETED
[HJ POL][PUM] HKLM\[...]\System : ConsentPromptBehaviorAdmin (0) -> REPLACED (2)
[HJ POL][PUM] HKLM\[...]\Wow6432Node\[...]\System : DisableTaskMgr (0) -> [0x2] The system cannot find the file specified.
[HJ POL][PUM] HKLM\[...]\Wow6432Node\[...]\System : DisableRegistryTools (0) -> [0x2] The system cannot find the file specified.
[HJ POL][PUM] HKLM\[...]\Wow6432Node\[...]\System : ConsentPromptBehaviorAdmin (0) -> REPLACED (2)
[HJ SMENU][PUM] HKCU\[...]\Advanced : Start_ShowUser (0) -> REPLACED (1)
[HJ SMENU][PUM] HKCU\[...]\Advanced : Start_ShowMyPics (0) -> REPLACED (1)
[HJ SMENU][PUM] HKCU\[...]\Advanced : Start_ShowMyGames (0) -> REPLACED (1)
[HJ SMENU][PUM] HKCU\[...]\Advanced : Start_ShowMyMusic (0) -> REPLACED (1)
[HJ DESK][PUM] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> REPLACED (0)
[HJ DESK][PUM] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> REPLACED (0)

¤¤¤ Scheduled tasks : 0 ¤¤¤

¤¤¤ Startup Entries : 2 ¤¤¤
[Default][SUSP PATH] Best Buy pc app.lnk : C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Best Buy pc app.lnk @C:\PROGRA~3\BESTBU~1\CLICKO~1.EXE "C:\ProgramData\Best Buy pc app\Best Buy pc app.application" [-][-][-] -> DELETED
[McAfeeMVSUser][SUSP PATH] Best Buy pc app.lnk : C:\Users\McAfeeMVSUser\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Best Buy pc app.lnk @C:\PROGRA~3\BESTBU~1\CLICKO~1.EXE "C:\ProgramData\Best Buy pc app\Best Buy pc app.application" [-][-][-] -> DELETED

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ Browser Addons : 0 ¤¤¤

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [NOT LOADED 0x0] ¤¤¤

¤¤¤ External Hives: ¤¤¤

¤¤¤ Infection : ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
--> %SystemRoot%\System32\drivers\etc\hosts




¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: (\\.\PHYSICALDRIVE0 @ IDE) ST31000528AS ATA Device +++++
--- User ---
[MBR] d11133611b8eb8e4538ab7b5635a804a
[BSP] b7f1af624ca415852c3eb9ae77b37bea : Windows Vista MBR Code
Partition table:
0 - [XXXXXX] FAT32 (0x1b) [HIDDEN!] Offset (sectors): 2048 | Size: 14524 Mo
1 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 29747200 | Size: 939343 Mo
User = LL1 ... OK!
User = LL2 ... OK!

Finished : << RKreport[0]_D_03162014_213728.txt >>
RKreport[0]_S_03162014_213553.txt


RogueKiller V8.8.11 _x64_ [Mar 14 2014] by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : http://forum.adlice.com
Website : http://www.adlice.co...es/roguekiller/
Blog : http://www.adlice.com

Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User : star [Admin rights]
Mode : HOSTSFix -- Date : 03/16/2014 21:38:09
| ARK || FAK || MBR |

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 0 ¤¤¤

¤¤¤ Driver : [NOT LOADED 0x0] ¤¤¤

¤¤¤ External Hives: ¤¤¤

¤¤¤ Infection : ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
--> %SystemRoot%\System32\drivers\etc\hosts




¤¤¤ Reset HOSTS: ¤¤¤
127.0.0.1 localhost


Finished : << RKreport[0]_H_03162014_213809.txt >>
RKreport[0]_D_03162014_213728.txt;RKreport[0]_S_03162014_213553.txt

RogueKiller V8.8.11 _x64_ [Mar 14 2014] by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : http://forum.adlice.com
Website : http://www.adlice.co...es/roguekiller/
Blog : http://www.adlice.com

Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User : star [Admin rights]
Mode : ProxyFix -- Date : 03/16/2014 21:38:45
| ARK || FAK || MBR |

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 0 ¤¤¤

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ Driver : [NOT LOADED 0x0] ¤¤¤

¤¤¤ External Hives: ¤¤¤

¤¤¤ Infection : ¤¤¤

Finished : << RKreport[0]_PR_03162014_213845.txt >>
RKreport[0]_D_03162014_213728.txt;RKreport[0]_H_03162014_213809.txt;RKreport[0]_S_03162014_213553.txt


RogueKiller V8.8.11 _x64_ [Mar 14 2014] by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : http://forum.adlice.com
Website : http://www.adlice.co...es/roguekiller/
Blog : http://www.adlice.com

Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User : star [Admin rights]
Mode : DNSFix -- Date : 03/16/2014 21:39:24
| ARK || FAK || MBR |

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 0 ¤¤¤

¤¤¤ Driver : [NOT LOADED 0x0] ¤¤¤

¤¤¤ External Hives: ¤¤¤

¤¤¤ Infection : ¤¤¤

Finished : << RKreport[0]_DN_03162014_213924.txt >>
RKreport[0]_D_03162014_213728.txt;RKreport[0]_H_03162014_213809.txt;RKreport[0]_S_03162014_213553.txt
:happy:
  • 0

#63
cowpuncher

cowpuncher

    Member

  • Topic Starter
  • Member
  • PipPip
  • 58 posts
Just did a little 'surfing'. The speed has improved about 60%. E-mail speed very good. Still not the best
at Yahoo.com, when I clicked on a news story, the first 2 said 'This Page Cannot Be Displayed'.
The next showed the story, but not all the pictures were visable.

Facebook better than it has been in a couple of months. Was able to read all.

Pinterest still very slow to load, but more of the posts showed than they did yesterday.

Next I checked out my computer files. I found a folder titled 'PC App', I opened it and it was Best Buy, so
Deleted it. Next I found one titled 'New Folder (C:)'. I opened it and it had a Warning 'Location Unavailable'
with a red circle with an X. So I closed it and moved on.

There were 3 'BUP' files in Quarantine. I left them alone!

I found a file titled '3rd Party'. When I tried to open it I got a message 'Cannot open because either not
supported file type or file has been damaged. Another file in that main folder was titled 'cmj.exe'. When I
tried to open it I got the message, 'Publisher Unknown' and 'File is in the Hard Drive'. More looking at the
other things in that file, revealed that it is for my keyboard. It looks like maybe all my downloaded CD (that
came with it)was deleted. Hope I just read it wrong. :upset:

That's all that I looked at. Hope you were to deciper all the info I just gave you.
  • 0

#64
Biscuithd

Biscuithd

    Trusted Helper

  • Malware Removal
  • 2,573 posts
Sorry about the long response time. I got saddled with an out of town, west coast assignment.

Download AVPTool from Here to your desktop

Run the programme you have just downloaded to your desktop ( it will be randomly named )

First we will run a virus scan
Select the cog to access scan areas
Posted Image

On the first tab select all elements down to OS C and then select start scan
Posted Image

Once it has finished select reports and post the detected threats
.

Now an analysis scan
Select the Manual Disinfection tab
Press the Gather System Information button

Posted Image

Once it has completed then click Step 2 Report sending
Posted Image

Click avptool.sysinfo.zip
And you will be taken to the zip file that needs to be attached
  • 0

#65
cowpuncher

cowpuncher

    Member

  • Topic Starter
  • Member
  • PipPip
  • 58 posts
No Biggie! I took the day off and went to town, so I wasn't around anyway.

I tried to download the Virus Removal Tool.It said it would take 2hrs, but after 1hr, 25min,
I got a Failed-Network error.

I got that same message the first time I tried to download RogueKiller. But it worked the 2nd try.

I guess you want me to try again, or try something else? :confused:
  • 0

#66
Biscuithd

Biscuithd

    Trusted Helper

  • Malware Removal
  • 2,573 posts
If you could try again, that would be helpful?

Also, absent times when you have malware on your system, do you often experience connectivity issues? What is your method of connecting to the internet?


  • 0

#67
cowpuncher

cowpuncher

    Member

  • Topic Starter
  • Member
  • PipPip
  • 58 posts
I didn't have that big of a problem connecting until recently.

Most of my connecting is thru Internet Explorer. But it doesn't seem like that much
of an issue, until I continue thru Yahoo.com.

Example, would be Craigslist or my banking, I click Start, move up to where it says
Internet Explorer, and across to "Pinned", which is where those 2 mentioned places are, but
it's also where I click on Yahoo.com. Then that's where the connection really slows.

CL and Bank are sometimes a little sluggish, but Never like Yahoo.

My main search engine is now Google. Been using it for about a month. Before that it
was Bing.

Also, I am fixing to try loading Kaspersky again. Does it ususally take about 2hours?
  • 0

#68
Biscuithd

Biscuithd

    Trusted Helper

  • Malware Removal
  • 2,573 posts
Sorry, I should have been more clear.

I was wondering if you connect to the internet via Cable Modem, DSL, maybe who your carrier is, etc. It "seems" like your connection is dropping in and out and that is causing some of your downloading issues.

ALthhough I'm not so concerned about IE, there are other choices for Browsers (Firefox, Chrome). However, if there's still malware on the computer, the next Browser you select will have problems too.

As for download speed of Kasparsky, it depends on the connection and the connection speed, etc., but 2 hours seems on the long side. I've not downloaded it in a while.
  • 0

#69
cowpuncher

cowpuncher

    Member

  • Topic Starter
  • Member
  • PipPip
  • 58 posts
I use DSL WildBlue. We live so far from anywhere, that's currently my only affordable option.

I know from experience that it's not the fastest, but at least I have internet. We still don't
have phone service, except for cellular.

As I was starting to type this, A message showed up in the right lower corner:
"You have 3 important updates now available".

1. Microsoft .NET Framework 4.5.1 for Windows 7
2.Windows Malicious Sortware Removal Tool
3. Updates for Windows 7

I just closed it.
  • 0

#70
Biscuithd

Biscuithd

    Trusted Helper

  • Malware Removal
  • 2,573 posts
We encourage the application of updates to your computer. They help keep things safer and secure.
  • 0

Advertisements


#71
cowpuncher

cowpuncher

    Member

  • Topic Starter
  • Member
  • PipPip
  • 58 posts
Okey Dokey! Will just apply the updates and then Download the Kaspersky.

Thank You! :)
  • 0

#72
cowpuncher

cowpuncher

    Member

  • Topic Starter
  • Member
  • PipPip
  • 58 posts
Whew that ended up being an all day deal! Sending you the first Report, the Detected Threats.
Then I'm startin g the Analysis Scan.

Automatic Scan: completed 12 minutes ago (events: 1009266, objects: 1005651, time: 03:45:01)
  • 0

#73
cowpuncher

cowpuncher

    Member

  • Topic Starter
  • Member
  • PipPip
  • 58 posts
Results of system analysis

Kaspersky Virus Removal Tool 11.0.0.1245 (database released 19/03/2014; 08:02)

List of processes

File name PID Description Copyright MD5 Information
mcshield.exe
Script: Quarantine, Delete, BC delete, Terminate 2216 ?? error getting file info
Command line:
mfeann.exe
Script: Quarantine, Delete, BC delete, Terminate 2612 ?? error getting file info
Command line:
saHookMain.exe
Script: Quarantine, Delete, BC delete, Terminate 2716 ?? error getting file info
Command line:
wmpnetwk.exe
Script: Quarantine, Delete, BC delete, Terminate 1568 ?? error getting file info
Command line:
c:\program files (x86)\yahoo!\ynanoclient\cpn0\ynanoservice.exe
Script: Quarantine, Delete, BC delete, Terminate 2168 YNanoClient Service Copyright © 2012 Yahoo! Inc. All rights reserved. ?? 153.34 kb, rsAh,
created: 23.05.2012 08:11:32,
modified: 23.05.2012 08:11:32
Command line:
"C:\Program Files (x86)\Yahoo!\YNanoClient\cpn0\YNanoService.exe"
Detected:62, recognized as trusted 57

Module name Handle Description Copyright MD5 Used by processes
Modules detected:307, recognized as trusted 307

Kernel Space Modules Viewer

Module Base address Size in memory Description Manufacturer
C:\Windows\system32\DRIVERS\57811395.sys
Script: Quarantine, Delete, BC delete 9C7E000 75F000 (7729152)
C:\Windows\System32\Drivers\dump_atapi.sys
Script: Quarantine, Delete, BC delete 64C4000 009000 (36864)
C:\Windows\System32\Drivers\dump_dumpata.sys
Script: Quarantine, Delete, BC delete 64B8000 00C000 (49152)
C:\Windows\System32\Drivers\dump_dumpfve.sys
Script: Quarantine, Delete, BC delete 64CD000 013000 (77824)
Modules detected - 208, recognized as trusted - 204

Services

Service Description Status File Group Dependencies
0280211389918049mcinstcleanup
Service: Stop, Delete, Disable, BC delete McAfee Application Installer Cleanup (0280211389918049) Not started C:\Users\STARLA~1.NIC\AppData\Local\Temp\028021~1.EXE
Script: Quarantine, Delete, BC delete
vToolbarUpdater18.0.0
Service: Stop, Delete, Disable, BC delete vToolbarUpdater18.0.0 Not started C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\18.0.0\ToolbarUpdater.exe
Script: Quarantine, Delete, BC delete
Detected - 175, recognized as trusted - 173

Drivers

Service Description Status File Group Dependencies
57811395
Driver: Unload, Delete, Disable, BC delete 57811395 Running 57811395.sys
Script: Quarantine, Delete, BC delete
Detected - 266, recognized as trusted - 265

Autoruns

File name Status Startup method Description
C:\PROGRA~2\TELEVI~2\bar\1.bin\AppIntegrator64.exe
Script: Quarantine, Delete, BC delete Active Registry key HKEY_LOCAL_MACHINE, Software\Microsoft\Windows\CurrentVersion\Run, TelevisionFanatic Home Page Guard 64 bit
Delete
C:\Program Files (x86)\McAfee\Managed VirusScan\DesktopUI\McTrayEventLog.dll
Script: Quarantine, Delete, BC delete -- Registry key HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\Application\McAfee Win32 GUI Support Library, EventMessageFile
C:\Program Files (x86)\iYogi Support Dock\Download\vssetup.exe
Script: Quarantine, Delete, BC delete -- Registry key HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\Application\VSASaPInstall, EventMessageFile
C:\Users\starla.nicholson\AppData\Local\Temp\_uninst_54432125.bat
Script: Quarantine, Delete, BC delete Active Shortcut in Autoruns folder C:\Users\starla.nicholson\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\, C:\Users\starla.nicholson\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_uninst_54432125.lnk,
C:\Windows\System32\MsSpellCheckingFacility.dll
Script: Quarantine, Delete, BC delete -- Registry key HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\Application\Microsoft-Windows-Spell-Checking, EventMessageFile
C:\Windows\System32\MsSpellCheckingFacility.dll
Script: Quarantine, Delete, BC delete -- Registry key HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\Application\Microsoft-Windows-SpellChecker, EventMessageFile
C:\Windows\System32\MsSpellCheckingFacility.dll
Script: Quarantine, Delete, BC delete -- Registry key HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\Microsoft-Windows-Spell-Checking, EventMessageFile
C:\Windows\System32\MsSpellCheckingFacility.dll
Script: Quarantine, Delete, BC delete -- Registry key HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\Microsoft-Windows-SpellChecker, EventMessageFile
C:\Windows\system32\psxss.exe
Script: Quarantine, Delete, BC delete -- Registry key HKEY_LOCAL_MACHINE, System\CurrentControlSet\Control\Session Manager\SubSystems, Posix
auditcse.dll
Script: Quarantine, Delete, BC delete Active Registry key HKEY_LOCAL_MACHINE, Software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{f3ccc681-b74c-4060-9f26-cd84525dca2a}, DLLName
Delete
rdpclip
Script: Quarantine, Delete, BC delete Active Registry key HKEY_LOCAL_MACHINE, System\CurrentControlSet\Control\Terminal Server\Wds\rdpwd, StartupPrograms
Delete
Autoruns items detected - 603, recognized as trusted - 592

Microsoft Internet Explorer extension modules (BHOs, Toolbars ...)

File name Type Description Manufacturer CLSID
Explorer Bar {555D4D79-4BD2-4094-A395-CFC534424A05}
Delete
Elements detected - 6, recognized as trusted - 5

Windows Explorer extension modules

File name Destination Description Manufacturer CLSID
ColumnHandler {F9DB5320-233E-11D1-9F84-707F02C10627}
Delete
Elements detected - 12, recognized as trusted - 11

Printing system extensions (print monitors, providers)

File name Type Name Description Manufacturer
hpinksts4812LM.dll
Script: Quarantine, Delete, BC delete Monitor HP 4812 Status Monitor
HPDiscoPM4812.dll
Script: Quarantine, Delete, BC delete Monitor HP Discovery Port Monitor (HP Officejet 7500 E910)
hpf3l70v.dll
Script: Quarantine, Delete, BC delete Monitor hpf3l70v.dll
localspl.dll
Script: Quarantine, Delete, BC delete Monitor Local Port
FXSMON.DLL
Script: Quarantine, Delete, BC delete Monitor Microsoft Shared Fax Monitor
tcpmon.dll
Script: Quarantine, Delete, BC delete Monitor Standard TCP/IP Port
usbmon.dll
Script: Quarantine, Delete, BC delete Monitor USB Monitor
WSDMon.dll
Script: Quarantine, Delete, BC delete Monitor WSD Port
inetpp.dll
Script: Quarantine, Delete, BC delete Provider HTTP Print Services
Elements detected - 10, recognized as trusted - 1

Task Scheduler jobs

File name Job name Job status Description Manufacturer
Elements detected - 3, recognized as trusted - 3

SPI/LSP settings
Namespace providers (NSP)
Provider Status EXE file Description GUID
Detected - 8, recognized as trusted - 8
Transport protocol providers (TSP, LSP)
Provider EXE file Description
Detected - 10, recognized as trusted - 10
Results of automatic SPI settings check LSP settings checked. No errors detected


TCP/UDP ports

Port Status Remote Host Remote Port Application Notes
TCP ports
135 LISTENING 0.0.0.0 0 [728] svchost.exe
Script: Quarantine, Delete, BC delete, Terminate
139 LISTENING 0.0.0.0 0 [4] System
Script: Quarantine, Delete, BC delete, Terminate
445 LISTENING 0.0.0.0 0 [4] System
Script: Quarantine, Delete, BC delete, Terminate
554 LISTENING 0.0.0.0 0 [1568] wmpnetwk.exe
Script: Quarantine, Delete, BC delete, Terminate
1025 LISTENING 0.0.0.0 0 [452] wininit.exe
Script: Quarantine, Delete, BC delete, Terminate
1026 LISTENING 0.0.0.0 0 [872] svchost.exe
Script: Quarantine, Delete, BC delete, Terminate
1027 LISTENING 0.0.0.0 0 [172] svchost.exe
Script: Quarantine, Delete, BC delete, Terminate
1028 LISTENING 0.0.0.0 0 [1288] spoolsv.exe
Script: Quarantine, Delete, BC delete, Terminate
1029 LISTENING 0.0.0.0 0 [528] lsass.exe
Script: Quarantine, Delete, BC delete, Terminate
1030 LISTENING 0.0.0.0 0 [508] services.exe
Script: Quarantine, Delete, BC delete, Terminate
2869 LISTENING 0.0.0.0 0 [4] System
Script: Quarantine, Delete, BC delete, Terminate
5357 LISTENING 0.0.0.0 0 [4] System
Script: Quarantine, Delete, BC delete, Terminate
6515 LISTENING 0.0.0.0 0 [1884] c:\program files (x86)\mcafee\managed virusscan\agent\myagtsvc.exe
Script: Quarantine, Delete, BC delete, Terminate
10243 LISTENING 0.0.0.0 0 [4] System
Script: Quarantine, Delete, BC delete, Terminate
UDP ports
137 LISTENING -- -- [4] System
Script: Quarantine, Delete, BC delete, Terminate
138 LISTENING -- -- [4] System
Script: Quarantine, Delete, BC delete, Terminate
500 LISTENING -- -- [172] svchost.exe
Script: Quarantine, Delete, BC delete, Terminate
1900 LISTENING -- -- [3780] svchost.exe
Script: Quarantine, Delete, BC delete, Terminate
1900 LISTENING -- -- [3780] svchost.exe
Script: Quarantine, Delete, BC delete, Terminate
3702 LISTENING -- -- [984] svchost.exe
Script: Quarantine, Delete, BC delete, Terminate
3702 LISTENING -- -- [3780] svchost.exe
Script: Quarantine, Delete, BC delete, Terminate
3702 LISTENING -- -- [984] svchost.exe
Script: Quarantine, Delete, BC delete, Terminate
3702 LISTENING -- -- [3780] svchost.exe
Script: Quarantine, Delete, BC delete, Terminate
4500 LISTENING -- -- [172] svchost.exe
Script: Quarantine, Delete, BC delete, Terminate
5004 LISTENING -- -- [1568] wmpnetwk.exe
Script: Quarantine, Delete, BC delete, Terminate
5005 LISTENING -- -- [1568] wmpnetwk.exe
Script: Quarantine, Delete, BC delete, Terminate
5355 LISTENING -- -- [1164] svchost.exe
Script: Quarantine, Delete, BC delete, Terminate
6514 LISTENING -- -- [1884] c:\program files (x86)\mcafee\managed virusscan\agent\myagtsvc.exe
Script: Quarantine, Delete, BC delete, Terminate
6515 LISTENING -- -- [1728] c:\program files (x86)\mcafee\managed virusscan\agent\myagtsvc.exe
Script: Quarantine, Delete, BC delete, Terminate
6516 LISTENING -- -- [1728] c:\program files (x86)\mcafee\managed virusscan\agent\myagtsvc.exe
Script: Quarantine, Delete, BC delete, Terminate
49195 LISTENING -- -- [3780] svchost.exe
Script: Quarantine, Delete, BC delete, Terminate
49197 LISTENING -- -- [984] svchost.exe
Script: Quarantine, Delete, BC delete, Terminate
63830 LISTENING -- -- [3780] svchost.exe
Script: Quarantine, Delete, BC delete, Terminate
63831 LISTENING -- -- [3780] svchost.exe
Script: Quarantine, Delete, BC delete, Terminate

Downloaded Program Files (DPF)

File name Description Manufacturer CLSID Source URL
Elements detected - 1, recognized as trusted - 1

Control Panel Applets (CPL)

File name Description Manufacturer
C:\Windows\system32\FlashPlayerCPLApp.cpl
Script: Quarantine, Delete, BC delete Adobe Flash Player Control Panel Applet Copyright © 1996 Adobe Systems Incorporated. All Rights Reserved. Adobe and Flash are either trademarks or registered trademarks in the United States and/or other countries.
Elements detected - 19, recognized as trusted - 18

Active Setup

File name Description Manufacturer CLSID
Elements detected - 8, recognized as trusted - 8

HOSTS file

Hosts file record
127.0.0.1 localhost


Clear Hosts file

Protocols and handlers

File name Type Description Manufacturer CLSID
mscoree.dll
Script: Quarantine, Delete, BC delete Protocol Microsoft .NET Runtime Execution Engine () © Microsoft Corporation. All rights reserved. {1E66F26B-79EE-11D2-8710-00C04F79ED0D}
Delete
mscoree.dll
Script: Quarantine, Delete, BC delete Protocol Microsoft .NET Runtime Execution Engine () © Microsoft Corporation. All rights reserved. {1E66F26B-79EE-11D2-8710-00C04F79ED0D}
Delete
mscoree.dll
Script: Quarantine, Delete, BC delete Protocol Microsoft .NET Runtime Execution Engine () © Microsoft Corporation. All rights reserved. {1E66F26B-79EE-11D2-8710-00C04F79ED0D}
Delete
Elements detected - 15, recognized as trusted - 12

Suspicious objects

File Description Type


Main script of analysis
Windows version: Windows 7 Home Premium, Build=7601, SP="Service Pack 1"
System Restore: enabled
>> Services: potentially dangerous service allowed: TermService (@%SystemRoot%\System32\termsrv.dll,-268)
>> Services: potentially dangerous service allowed: SSDPSRV (@%systemroot%\system32\ssdpsrv.dll,-100)
>> Services: potentially dangerous service allowed: Schedule (@%SystemRoot%\system32\schedsvc.dll,-100)
> Services: please bear in mind that the set of services depends on the use of the PC (home PC, office PC connected to corporate network, etc)!
>> Security: disk drives' autorun is enabled
>> Security: administrative shares (C$, D$ ...) are enabled
>> Security: sending Remote Assistant queries is enabled
>> Process termination timeout is out of admissible values
>> Service termination timeout is out of admissible values
>> Timeout of "Not Responding" verdict for processes is out of admissible values
>> Disable HDD autorun
>> Disable autorun from network drives
>> Disable CD/DVD autorun
>> Disable removable media autorun
System Analysis in progress

System Analysis - complete


Script commands
Add commands to script:
•Blocking hooks using Anti-Rootkit

•Enable AVZGuard

•Operations with AVZPM (true=enable,false=disable)

•BootCleaner - import list of deleted files

•BootCleaner - import all

•Registry cleanup after deleting files

•ExecuteWizard ('TSW',2,3,true) - Running Troubleshooting wizard

•BootCleaner - activate

•Reboot

•Insert template for QuarantineFile() - quarantining file

•Insert template for BC_QrFile() - quarantining file via BootCleaner

•Insert template for DeleteFile() - deleting file

•Insert template for DelCLSID() - deleting CLSID item from registry

Additional operations:•Performance tweaking: disable service TermService (@%SystemRoot%\System32\termsrv.dll,-268)

•Performance tweaking: disable service SSDPSRV (@%systemroot%\system32\ssdpsrv.dll,-100)

•Performance tweaking: disable service Schedule (@%SystemRoot%\system32\schedsvc.dll,-100)

•Security tweaking: disable CD autorun

•Security tweaking: disable administrative shares

•Security: disable sending Remote Assistant queries


--------------------------------------------------------------------------------

File list
  • 0

#74
cowpuncher

cowpuncher

    Member

  • Topic Starter
  • Member
  • PipPip
  • 58 posts
On the lower right of the computer screen, I had a 'flag'it said "Problems with Windows Update".

I clicked on it, recived this, "Performance Problem", then "Toubleshooting couldn't Identify Problem".

Next it asked, "Do you want to allow Diagasnostic Toubleshooting Wizard?" I clicked "Yes".

This message, "Troubleshooting Problems Preventing Windows Update from Working Properly."


Change subject. As I looked thru the last Log I sent you, under AutoRun, about 3 down, It shows
iYogi Support Dock. I'm obviously still having trouble getting them completely off my computer
I would really like them gone!! :surrender:

No hurry, but I will check my messages in the morning, then I am going out of town until probably
Saturday afternoon. Just wanted you to know in case you try to contact me.

Have a nice weekend, and hope you feel better than you did the last one! Thanks, again for your Help. :D
  • 0

#75
Essexboy

Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
Hi my apologies for the delay but Biscuithd has fallen ill and I will be taking over.

First thing to do is take a quick look at your services due to the windows updates problem, if you could also give me a run down on the current problems whilst I re-read the thread

Download and run farbar service scanner

Posted Image

Tick "All" options.
Press "Scan".
It will create a log (FSS.txt) in the same directory the tool is run.

Please copy and paste the log to your reply.
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP