Javascript Disabled Detected

You currently have javascript disabled. Several functions may not work. Please re-enable javascript to access full functionality.

Computer not completely frozen, but sits and spins [Solved]

Started by cowpuncher , Mar 03 2014 11:04 PM

Page 5 of 7
3
4
5
6
7

This topic is locked

#61
cowpuncher

Posted 16 March 2014 - 08:08 PM

Member

Topic Starter
Member
58 posts

I'm fixing to run RogueKiller, and yes, I believed I was hacked back in February. I changed some of my passwords then
and I'm fixing to change my e-mail address. It totally creeped me out when I found out this guy from India was trying to
access my facebook account. Thank goodness facebook denied him and then sent me a message!

Change subject, Even with all that was deleted, I still found a folder with more that were quarantined, plus some that
were deleted but still had their empty folders. (under Downloads) Also there are still some in 'Recycle'.

Hope your still feeling better!

#62
cowpuncher

Posted 16 March 2014 - 09:12 PM

Member

Topic Starter
Member
58 posts

RogueKiller V8.8.11 _x64_ [Mar 14 2014] by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : http://forum.adlice.com
Website : http://www.adlice.co...es/roguekiller/
Blog : http://www.adlice.com

Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User : star[Admin rights]
Mode : Scan -- Date : 03/16/2014 21:35:53
| ARK || FAK || MBR |

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 12 ¤¤¤
[HJ POL][PUM] HKLM\[...]\System : DisableTaskMgr (0) -> FOUND
[HJ POL][PUM] HKLM\[...]\System : DisableRegistryTools (0) -> FOUND
[HJ POL][PUM] HKLM\[...]\System : ConsentPromptBehaviorAdmin (0) -> FOUND
[HJ POL][PUM] HKLM\[...]\Wow6432Node\[...]\System : DisableTaskMgr (0) -> FOUND
[HJ POL][PUM] HKLM\[...]\Wow6432Node\[...]\System : DisableRegistryTools (0) -> FOUND
[HJ POL][PUM] HKLM\[...]\Wow6432Node\[...]\System : ConsentPromptBehaviorAdmin (0) -> FOUND
[HJ SMENU][PUM] HKCU\[...]\Advanced : Start_ShowUser (0) -> FOUND
[HJ SMENU][PUM] HKCU\[...]\Advanced : Start_ShowMyPics (0) -> FOUND
[HJ SMENU][PUM] HKCU\[...]\Advanced : Start_ShowMyGames (0) -> FOUND
[HJ SMENU][PUM] HKCU\[...]\Advanced : Start_ShowMyMusic (0) -> FOUND
[HJ DESK][PUM] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
[HJ DESK][PUM] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

¤¤¤ Scheduled tasks : 0 ¤¤¤

¤¤¤ Startup Entries : 2 ¤¤¤
[Default][SUSP PATH] Best Buy pc app.lnk : C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Best Buy pc app.lnk @C:\PROGRA~3\BESTBU~1\CLICKO~1.EXE "C:\ProgramData\Best Buy pc app\Best Buy pc app.application" [-][-][-] -> FOUND
[McAfeeMVSUser][SUSP PATH] Best Buy pc app.lnk : C:\Users\McAfeeMVSUser\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Best Buy pc app.lnk @C:\PROGRA~3\BESTBU~1\CLICKO~1.EXE "C:\ProgramData\Best Buy pc app\Best Buy pc app.application" [-][-][-] -> FOUND

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ Browser Addons : 0 ¤¤¤

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [NOT LOADED 0x0] ¤¤¤

¤¤¤ External Hives: ¤¤¤

¤¤¤ Infection : ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
--> %SystemRoot%\System32\drivers\etc\hosts

¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: (\\.\PHYSICALDRIVE0 @ IDE) ST31000528AS ATA Device +++++
--- User ---
[MBR] d11133611b8eb8e4538ab7b5635a804a
[BSP] b7f1af624ca415852c3eb9ae77b37bea : Windows Vista MBR Code
Partition table:
0 - [XXXXXX] FAT32 (0x1b) [HIDDEN!] Offset (sectors): 2048 | Size: 14524 Mo
1 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 29747200 | Size: 939343 Mo
User = LL1 ... OK!
User = LL2 ... OK!

Finished : << RKreport[0]_S_03162014_213553.txt >>
RogueKiller V8.8.11 _x64_ [Mar 14 2014] by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : http://forum.adlice.com
Website : http://www.adlice.co...es/roguekiller/
Blog : http://www.adlice.com

Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User : star [Admin rights]
Mode : Remove -- Date : 03/16/2014 21:37:28
| ARK || FAK || MBR |

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 12 ¤¤¤
[HJ POL][PUM] HKLM\[...]\System : DisableTaskMgr (0) -> DELETED
[HJ POL][PUM] HKLM\[...]\System : DisableRegistryTools (0) -> DELETED
[HJ POL][PUM] HKLM\[...]\System : ConsentPromptBehaviorAdmin (0) -> REPLACED (2)
[HJ POL][PUM] HKLM\[...]\Wow6432Node\[...]\System : DisableTaskMgr (0) -> [0x2] The system cannot find the file specified.
[HJ POL][PUM] HKLM\[...]\Wow6432Node\[...]\System : DisableRegistryTools (0) -> [0x2] The system cannot find the file specified.
[HJ POL][PUM] HKLM\[...]\Wow6432Node\[...]\System : ConsentPromptBehaviorAdmin (0) -> REPLACED (2)
[HJ SMENU][PUM] HKCU\[...]\Advanced : Start_ShowUser (0) -> REPLACED (1)
[HJ SMENU][PUM] HKCU\[...]\Advanced : Start_ShowMyPics (0) -> REPLACED (1)
[HJ SMENU][PUM] HKCU\[...]\Advanced : Start_ShowMyGames (0) -> REPLACED (1)
[HJ SMENU][PUM] HKCU\[...]\Advanced : Start_ShowMyMusic (0) -> REPLACED (1)
[HJ DESK][PUM] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> REPLACED (0)
[HJ DESK][PUM] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> REPLACED (0)

¤¤¤ Scheduled tasks : 0 ¤¤¤

¤¤¤ Startup Entries : 2 ¤¤¤
[Default][SUSP PATH] Best Buy pc app.lnk : C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Best Buy pc app.lnk @C:\PROGRA~3\BESTBU~1\CLICKO~1.EXE "C:\ProgramData\Best Buy pc app\Best Buy pc app.application" [-][-][-] -> DELETED
[McAfeeMVSUser][SUSP PATH] Best Buy pc app.lnk : C:\Users\McAfeeMVSUser\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Best Buy pc app.lnk @C:\PROGRA~3\BESTBU~1\CLICKO~1.EXE "C:\ProgramData\Best Buy pc app\Best Buy pc app.application" [-][-][-] -> DELETED

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ Browser Addons : 0 ¤¤¤

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [NOT LOADED 0x0] ¤¤¤

¤¤¤ External Hives: ¤¤¤

¤¤¤ Infection : ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
--> %SystemRoot%\System32\drivers\etc\hosts

¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: (\\.\PHYSICALDRIVE0 @ IDE) ST31000528AS ATA Device +++++
--- User ---
[MBR] d11133611b8eb8e4538ab7b5635a804a
[BSP] b7f1af624ca415852c3eb9ae77b37bea : Windows Vista MBR Code
Partition table:
0 - [XXXXXX] FAT32 (0x1b) [HIDDEN!] Offset (sectors): 2048 | Size: 14524 Mo
1 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 29747200 | Size: 939343 Mo
User = LL1 ... OK!
User = LL2 ... OK!

Finished : << RKreport[0]_D_03162014_213728.txt >>
RKreport[0]_S_03162014_213553.txt

RogueKiller V8.8.11 _x64_ [Mar 14 2014] by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : http://forum.adlice.com
Website : http://www.adlice.co...es/roguekiller/
Blog : http://www.adlice.com

Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User : star [Admin rights]
Mode : HOSTSFix -- Date : 03/16/2014 21:38:09
| ARK || FAK || MBR |

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 0 ¤¤¤

¤¤¤ Driver : [NOT LOADED 0x0] ¤¤¤

¤¤¤ External Hives: ¤¤¤

¤¤¤ Infection : ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
--> %SystemRoot%\System32\drivers\etc\hosts

¤¤¤ Reset HOSTS: ¤¤¤
127.0.0.1 localhost

Finished : << RKreport[0]_H_03162014_213809.txt >>
RKreport[0]_D_03162014_213728.txt;RKreport[0]_S_03162014_213553.txt

RogueKiller V8.8.11 _x64_ [Mar 14 2014] by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : http://forum.adlice.com
Website : http://www.adlice.co...es/roguekiller/
Blog : http://www.adlice.com

Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User : star [Admin rights]
Mode : ProxyFix -- Date : 03/16/2014 21:38:45
| ARK || FAK || MBR |

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 0 ¤¤¤

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ Driver : [NOT LOADED 0x0] ¤¤¤

¤¤¤ External Hives: ¤¤¤

¤¤¤ Infection : ¤¤¤

Finished : << RKreport[0]_PR_03162014_213845.txt >>
RKreport[0]_D_03162014_213728.txt;RKreport[0]_H_03162014_213809.txt;RKreport[0]_S_03162014_213553.txt

RogueKiller V8.8.11 _x64_ [Mar 14 2014] by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : http://forum.adlice.com
Website : http://www.adlice.co...es/roguekiller/
Blog : http://www.adlice.com

Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User : star [Admin rights]
Mode : DNSFix -- Date : 03/16/2014 21:39:24
| ARK || FAK || MBR |

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 0 ¤¤¤

¤¤¤ Driver : [NOT LOADED 0x0] ¤¤¤

¤¤¤ External Hives: ¤¤¤

¤¤¤ Infection : ¤¤¤

Finished : << RKreport[0]_DN_03162014_213924.txt >>
RKreport[0]_D_03162014_213728.txt;RKreport[0]_H_03162014_213809.txt;RKreport[0]_S_03162014_213553.txt
:happy:

#63
cowpuncher

Posted 16 March 2014 - 11:39 PM

Member

Topic Starter
Member
58 posts

Just did a little 'surfing'. The speed has improved about 60%. E-mail speed very good. Still not the best
at Yahoo.com, when I clicked on a news story, the first 2 said 'This Page Cannot Be Displayed'.
The next showed the story, but not all the pictures were visable.

Facebook better than it has been in a couple of months. Was able to read all.

Pinterest still very slow to load, but more of the posts showed than they did yesterday.

Next I checked out my computer files. I found a folder titled 'PC App', I opened it and it was Best Buy, so
Deleted it. Next I found one titled 'New Folder (C:)'. I opened it and it had a Warning 'Location Unavailable'
with a red circle with an X. So I closed it and moved on.

There were 3 'BUP' files in Quarantine. I left them alone!

I found a file titled '3rd Party'. When I tried to open it I got a message 'Cannot open because either not
supported file type or file has been damaged. Another file in that main folder was titled 'cmj.exe'. When I
tried to open it I got the message, 'Publisher Unknown' and 'File is in the Hard Drive'. More looking at the
other things in that file, revealed that it is for my keyboard. It looks like maybe all my downloaded CD (that
came with it)was deleted. Hope I just read it wrong. :upset:

That's all that I looked at. Hope you were to deciper all the info I just gave you.

#64
Biscuithd

Posted 18 March 2014 - 10:19 AM

Trusted Helper

Malware Removal
2,573 posts

Sorry about the long response time. I got saddled with an out of town, west coast assignment.

Download AVPTool from Here to your desktop

Run the programme you have just downloaded to your desktop ( it will be randomly named )

First we will run a virus scan
Select the cog to access scan areas
Posted Image

On the first tab select all elements down to OS C and then select start scan
Posted Image

Once it has finished select reports and post the detected threats
.

Now an analysis scan
Select the Manual Disinfection tab
Press the Gather System Information button

Posted Image

Once it has completed then click Step 2 Report sending
Posted Image

Click avptool.sysinfo.zip
And you will be taken to the zip file that needs to be attached

#65
cowpuncher

Posted 18 March 2014 - 09:27 PM

Member

Topic Starter
Member
58 posts

No Biggie! I took the day off and went to town, so I wasn't around anyway.

I tried to download the Virus Removal Tool.It said it would take 2hrs, but after 1hr, 25min,
I got a Failed-Network error.

I got that same message the first time I tried to download RogueKiller. But it worked the 2nd try.

I guess you want me to try again, or try something else? :confused:

#66
Biscuithd

Posted 19 March 2014 - 08:49 AM

Trusted Helper

Malware Removal
2,573 posts

If you could try again, that would be helpful?

Also, absent times when you have malware on your system, do you often experience connectivity issues? What is your method of connecting to the internet?

#67
cowpuncher

Posted 19 March 2014 - 09:01 AM

Member

Topic Starter
Member
58 posts

I didn't have that big of a problem connecting until recently.

Most of my connecting is thru Internet Explorer. But it doesn't seem like that much
of an issue, until I continue thru Yahoo.com.

Example, would be Craigslist or my banking, I click Start, move up to where it says
Internet Explorer, and across to "Pinned", which is where those 2 mentioned places are, but
it's also where I click on Yahoo.com. Then that's where the connection really slows.

CL and Bank are sometimes a little sluggish, but Never like Yahoo.

My main search engine is now Google. Been using it for about a month. Before that it
was Bing.

Also, I am fixing to try loading Kaspersky again. Does it ususally take about 2hours?

#68
Biscuithd

Posted 19 March 2014 - 09:07 AM

Trusted Helper

Malware Removal
2,573 posts

Sorry, I should have been more clear.

I was wondering if you connect to the internet via Cable Modem, DSL, maybe who your carrier is, etc. It "seems" like your connection is dropping in and out and that is causing some of your downloading issues.

ALthhough I'm not so concerned about IE, there are other choices for Browsers (Firefox, Chrome). However, if there's still malware on the computer, the next Browser you select will have problems too.

As for download speed of Kasparsky, it depends on the connection and the connection speed, etc., but 2 hours seems on the long side. I've not downloaded it in a while.

#69
cowpuncher

Posted 19 March 2014 - 09:22 AM

Member

Topic Starter
Member
58 posts

I use DSL WildBlue. We live so far from anywhere, that's currently my only affordable option.

I know from experience that it's not the fastest, but at least I have internet. We still don't
have phone service, except for cellular.

As I was starting to type this, A message showed up in the right lower corner:
"You have 3 important updates now available".

1. Microsoft .NET Framework 4.5.1 for Windows 7
2.Windows Malicious Sortware Removal Tool
3. Updates for Windows 7

I just closed it.

#70
Biscuithd

Posted 19 March 2014 - 09:25 AM

Trusted Helper

Malware Removal
2,573 posts

We encourage the application of updates to your computer. They help keep things safer and secure.

#71
cowpuncher

Posted 19 March 2014 - 09:33 AM

Member

Topic Starter
Member
58 posts

Okey Dokey! Will just apply the updates and then Download the Kaspersky.

Thank You!

#72
cowpuncher

Posted 19 March 2014 - 06:51 PM

Member

Topic Starter
Member
58 posts

Whew that ended up being an all day deal! Sending you the first Report, the Detected Threats.
Then I'm startin g the Analysis Scan.

Automatic Scan: completed 12 minutes ago (events: 1009266, objects: 1005651, time: 03:45:01)

#73
cowpuncher

Posted 19 March 2014 - 07:13 PM

Member

Topic Starter
Member
58 posts

Results of system analysis

Kaspersky Virus Removal Tool 11.0.0.1245 (database released 19/03/2014; 08:02)

List of processes

File name PID Description Copyright MD5 Information
mcshield.exe
Script: Quarantine, Delete, BC delete, Terminate 2216 ?? error getting file info
Command line:
mfeann.exe
Script: Quarantine, Delete, BC delete, Terminate 2612 ?? error getting file info
Command line:
saHookMain.exe
Script: Quarantine, Delete, BC delete, Terminate 2716 ?? error getting file info
Command line:
wmpnetwk.exe
Script: Quarantine, Delete, BC delete, Terminate 1568 ?? error getting file info
Command line:
c:\program files (x86)\yahoo!\ynanoclient\cpn0\ynanoservice.exe
Script: Quarantine, Delete, BC delete, Terminate 2168 YNanoClient Service Copyright © 2012 Yahoo! Inc. All rights reserved. ?? 153.34 kb, rsAh,
created: 23.05.2012 08:11:32,
modified: 23.05.2012 08:11:32
Command line:
"C:\Program Files (x86)\Yahoo!\YNanoClient\cpn0\YNanoService.exe"
Detected:62, recognized as trusted 57

Module name Handle Description Copyright MD5 Used by processes
Modules detected:307, recognized as trusted 307

Kernel Space Modules Viewer

Module Base address Size in memory Description Manufacturer
C:\Windows\system32\DRIVERS\57811395.sys
Script: Quarantine, Delete, BC delete 9C7E000 75F000 (7729152)
C:\Windows\System32\Drivers\dump_atapi.sys
Script: Quarantine, Delete, BC delete 64C4000 009000 (36864)
C:\Windows\System32\Drivers\dump_dumpata.sys
Script: Quarantine, Delete, BC delete 64B8000 00C000 (49152)
C:\Windows\System32\Drivers\dump_dumpfve.sys
Script: Quarantine, Delete, BC delete 64CD000 013000 (77824)
Modules detected - 208, recognized as trusted - 204

Services

Service Description Status File Group Dependencies
0280211389918049mcinstcleanup
Service: Stop, Delete, Disable, BC delete McAfee Application Installer Cleanup (0280211389918049) Not started C:\Users\STARLA~1.NIC\AppData\Local\Temp\028021~1.EXE
Script: Quarantine, Delete, BC delete
vToolbarUpdater18.0.0
Service: Stop, Delete, Disable, BC delete vToolbarUpdater18.0.0 Not started C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\18.0.0\ToolbarUpdater.exe
Script: Quarantine, Delete, BC delete
Detected - 175, recognized as trusted - 173

Drivers

Service Description Status File Group Dependencies
57811395
Driver: Unload, Delete, Disable, BC delete 57811395 Running 57811395.sys
Script: Quarantine, Delete, BC delete
Detected - 266, recognized as trusted - 265

Autoruns

File name Status Startup method Description
C:\PROGRA~2\TELEVI~2\bar\1.bin\AppIntegrator64.exe
Script: Quarantine, Delete, BC delete Active Registry key HKEY_LOCAL_MACHINE, Software\Microsoft\Windows\CurrentVersion\Run, TelevisionFanatic Home Page Guard 64 bit
Delete
C:\Program Files (x86)\McAfee\Managed VirusScan\DesktopUI\McTrayEventLog.dll
Script: Quarantine, Delete, BC delete -- Registry key HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\Application\McAfee Win32 GUI Support Library, EventMessageFile
C:\Program Files (x86)\iYogi Support Dock\Download\vssetup.exe
Script: Quarantine, Delete, BC delete -- Registry key HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\Application\VSASaPInstall, EventMessageFile
C:\Users\starla.nicholson\AppData\Local\Temp\_uninst_54432125.bat
Script: Quarantine, Delete, BC delete Active Shortcut in Autoruns folder C:\Users\starla.nicholson\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\, C:\Users\starla.nicholson\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_uninst_54432125.lnk,
C:\Windows\System32\MsSpellCheckingFacility.dll
Script: Quarantine, Delete, BC delete -- Registry key HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\Application\Microsoft-Windows-Spell-Checking, EventMessageFile
C:\Windows\System32\MsSpellCheckingFacility.dll
Script: Quarantine, Delete, BC delete -- Registry key HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\Application\Microsoft-Windows-SpellChecker, EventMessageFile
C:\Windows\System32\MsSpellCheckingFacility.dll
Script: Quarantine, Delete, BC delete -- Registry key HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\Microsoft-Windows-Spell-Checking, EventMessageFile
C:\Windows\System32\MsSpellCheckingFacility.dll
Script: Quarantine, Delete, BC delete -- Registry key HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\Microsoft-Windows-SpellChecker, EventMessageFile
C:\Windows\system32\psxss.exe
Script: Quarantine, Delete, BC delete -- Registry key HKEY_LOCAL_MACHINE, System\CurrentControlSet\Control\Session Manager\SubSystems, Posix
auditcse.dll
Script: Quarantine, Delete, BC delete Active Registry key HKEY_LOCAL_MACHINE, Software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{f3ccc681-b74c-4060-9f26-cd84525dca2a}, DLLName
Delete
rdpclip
Script: Quarantine, Delete, BC delete Active Registry key HKEY_LOCAL_MACHINE, System\CurrentControlSet\Control\Terminal Server\Wds\rdpwd, StartupPrograms
Delete
Autoruns items detected - 603, recognized as trusted - 592

Microsoft Internet Explorer extension modules (BHOs, Toolbars ...)

File name Type Description Manufacturer CLSID
Explorer Bar {555D4D79-4BD2-4094-A395-CFC534424A05}
Delete
Elements detected - 6, recognized as trusted - 5

Windows Explorer extension modules

File name Destination Description Manufacturer CLSID
ColumnHandler {F9DB5320-233E-11D1-9F84-707F02C10627}
Delete
Elements detected - 12, recognized as trusted - 11

Printing system extensions (print monitors, providers)

File name Type Name Description Manufacturer
hpinksts4812LM.dll
Script: Quarantine, Delete, BC delete Monitor HP 4812 Status Monitor
HPDiscoPM4812.dll
Script: Quarantine, Delete, BC delete Monitor HP Discovery Port Monitor (HP Officejet 7500 E910)
hpf3l70v.dll
Script: Quarantine, Delete, BC delete Monitor hpf3l70v.dll
localspl.dll
Script: Quarantine, Delete, BC delete Monitor Local Port
FXSMON.DLL
Script: Quarantine, Delete, BC delete Monitor Microsoft Shared Fax Monitor
tcpmon.dll
Script: Quarantine, Delete, BC delete Monitor Standard TCP/IP Port
usbmon.dll
Script: Quarantine, Delete, BC delete Monitor USB Monitor
WSDMon.dll
Script: Quarantine, Delete, BC delete Monitor WSD Port
inetpp.dll
Script: Quarantine, Delete, BC delete Provider HTTP Print Services
Elements detected - 10, recognized as trusted - 1

Task Scheduler jobs

File name Job name Job status Description Manufacturer
Elements detected - 3, recognized as trusted - 3

SPI/LSP settings
Namespace providers (NSP)
Provider Status EXE file Description GUID
Detected - 8, recognized as trusted - 8
Transport protocol providers (TSP, LSP)
Provider EXE file Description
Detected - 10, recognized as trusted - 10
Results of automatic SPI settings check LSP settings checked. No errors detected

TCP/UDP ports

Port Status Remote Host Remote Port Application Notes
TCP ports
135 LISTENING 0.0.0.0 0 [728] svchost.exe
Script: Quarantine, Delete, BC delete, Terminate
139 LISTENING 0.0.0.0 0 [4] System
Script: Quarantine, Delete, BC delete, Terminate
445 LISTENING 0.0.0.0 0 [4] System
Script: Quarantine, Delete, BC delete, Terminate
554 LISTENING 0.0.0.0 0 [1568] wmpnetwk.exe
Script: Quarantine, Delete, BC delete, Terminate
1025 LISTENING 0.0.0.0 0 [452] wininit.exe
Script: Quarantine, Delete, BC delete, Terminate
1026 LISTENING 0.0.0.0 0 [872] svchost.exe
Script: Quarantine, Delete, BC delete, Terminate
1027 LISTENING 0.0.0.0 0 [172] svchost.exe
Script: Quarantine, Delete, BC delete, Terminate
1028 LISTENING 0.0.0.0 0 [1288] spoolsv.exe
Script: Quarantine, Delete, BC delete, Terminate
1029 LISTENING 0.0.0.0 0 [528] lsass.exe
Script: Quarantine, Delete, BC delete, Terminate
1030 LISTENING 0.0.0.0 0 [508] services.exe
Script: Quarantine, Delete, BC delete, Terminate
2869 LISTENING 0.0.0.0 0 [4] System
Script: Quarantine, Delete, BC delete, Terminate
5357 LISTENING 0.0.0.0 0 [4] System
Script: Quarantine, Delete, BC delete, Terminate
6515 LISTENING 0.0.0.0 0 [1884] c:\program files (x86)\mcafee\managed virusscan\agent\myagtsvc.exe
Script: Quarantine, Delete, BC delete, Terminate
10243 LISTENING 0.0.0.0 0 [4] System
Script: Quarantine, Delete, BC delete, Terminate
UDP ports
137 LISTENING -- -- [4] System
Script: Quarantine, Delete, BC delete, Terminate
138 LISTENING -- -- [4] System
Script: Quarantine, Delete, BC delete, Terminate
500 LISTENING -- -- [172] svchost.exe
Script: Quarantine, Delete, BC delete, Terminate
1900 LISTENING -- -- [3780] svchost.exe
Script: Quarantine, Delete, BC delete, Terminate
1900 LISTENING -- -- [3780] svchost.exe
Script: Quarantine, Delete, BC delete, Terminate
3702 LISTENING -- -- [984] svchost.exe
Script: Quarantine, Delete, BC delete, Terminate
3702 LISTENING -- -- [3780] svchost.exe
Script: Quarantine, Delete, BC delete, Terminate
3702 LISTENING -- -- [984] svchost.exe
Script: Quarantine, Delete, BC delete, Terminate
3702 LISTENING -- -- [3780] svchost.exe
Script: Quarantine, Delete, BC delete, Terminate
4500 LISTENING -- -- [172] svchost.exe
Script: Quarantine, Delete, BC delete, Terminate
5004 LISTENING -- -- [1568] wmpnetwk.exe
Script: Quarantine, Delete, BC delete, Terminate
5005 LISTENING -- -- [1568] wmpnetwk.exe
Script: Quarantine, Delete, BC delete, Terminate
5355 LISTENING -- -- [1164] svchost.exe
Script: Quarantine, Delete, BC delete, Terminate
6514 LISTENING -- -- [1884] c:\program files (x86)\mcafee\managed virusscan\agent\myagtsvc.exe
Script: Quarantine, Delete, BC delete, Terminate
6515 LISTENING -- -- [1728] c:\program files (x86)\mcafee\managed virusscan\agent\myagtsvc.exe
Script: Quarantine, Delete, BC delete, Terminate
6516 LISTENING -- -- [1728] c:\program files (x86)\mcafee\managed virusscan\agent\myagtsvc.exe
Script: Quarantine, Delete, BC delete, Terminate
49195 LISTENING -- -- [3780] svchost.exe
Script: Quarantine, Delete, BC delete, Terminate
49197 LISTENING -- -- [984] svchost.exe
Script: Quarantine, Delete, BC delete, Terminate
63830 LISTENING -- -- [3780] svchost.exe
Script: Quarantine, Delete, BC delete, Terminate
63831 LISTENING -- -- [3780] svchost.exe
Script: Quarantine, Delete, BC delete, Terminate

Downloaded Program Files (DPF)

File name Description Manufacturer CLSID Source URL
Elements detected - 1, recognized as trusted - 1

Control Panel Applets (CPL)

File name Description Manufacturer
C:\Windows\system32\FlashPlayerCPLApp.cpl
Script: Quarantine, Delete, BC delete Adobe Flash Player Control Panel Applet Copyright © 1996 Adobe Systems Incorporated. All Rights Reserved. Adobe and Flash are either trademarks or registered trademarks in the United States and/or other countries.
Elements detected - 19, recognized as trusted - 18

Active Setup

File name Description Manufacturer CLSID
Elements detected - 8, recognized as trusted - 8

HOSTS file

Hosts file record
127.0.0.1 localhost

Clear Hosts file

Protocols and handlers

File name Type Description Manufacturer CLSID
mscoree.dll
Script: Quarantine, Delete, BC delete Protocol Microsoft .NET Runtime Execution Engine () © Microsoft Corporation. All rights reserved. {1E66F26B-79EE-11D2-8710-00C04F79ED0D}
Delete
mscoree.dll
Script: Quarantine, Delete, BC delete Protocol Microsoft .NET Runtime Execution Engine () © Microsoft Corporation. All rights reserved. {1E66F26B-79EE-11D2-8710-00C04F79ED0D}
Delete
mscoree.dll
Script: Quarantine, Delete, BC delete Protocol Microsoft .NET Runtime Execution Engine () © Microsoft Corporation. All rights reserved. {1E66F26B-79EE-11D2-8710-00C04F79ED0D}
Delete
Elements detected - 15, recognized as trusted - 12

Suspicious objects

File Description Type

Main script of analysis
Windows version: Windows 7 Home Premium, Build=7601, SP="Service Pack 1"
System Restore: enabled
>> Services: potentially dangerous service allowed: TermService (@%SystemRoot%\System32\termsrv.dll,-268)
>> Services: potentially dangerous service allowed: SSDPSRV (@%systemroot%\system32\ssdpsrv.dll,-100)
>> Services: potentially dangerous service allowed: Schedule (@%SystemRoot%\system32\schedsvc.dll,-100)
> Services: please bear in mind that the set of services depends on the use of the PC (home PC, office PC connected to corporate network, etc)!
>> Security: disk drives' autorun is enabled
>> Security: administrative shares (C$, D$ ...) are enabled
>> Security: sending Remote Assistant queries is enabled
>> Process termination timeout is out of admissible values
>> Service termination timeout is out of admissible values
>> Timeout of "Not Responding" verdict for processes is out of admissible values
>> Disable HDD autorun
>> Disable autorun from network drives
>> Disable CD/DVD autorun
>> Disable removable media autorun
System Analysis in progress

System Analysis - complete

Script commands
Add commands to script:
•Blocking hooks using Anti-Rootkit

•Enable AVZGuard

•Operations with AVZPM (true=enable,false=disable)

•BootCleaner - import list of deleted files

•BootCleaner - import all

•Registry cleanup after deleting files

•ExecuteWizard ('TSW',2,3,true) - Running Troubleshooting wizard

•BootCleaner - activate

•Reboot

•Insert template for QuarantineFile() - quarantining file

•Insert template for BC_QrFile() - quarantining file via BootCleaner

•Insert template for DeleteFile() - deleting file

•Insert template for DelCLSID() - deleting CLSID item from registry

Additional operations:•Performance tweaking: disable service TermService (@%SystemRoot%\System32\termsrv.dll,-268)

•Performance tweaking: disable service SSDPSRV (@%systemroot%\system32\ssdpsrv.dll,-100)

•Performance tweaking: disable service Schedule (@%SystemRoot%\system32\schedsvc.dll,-100)

•Security tweaking: disable CD autorun

•Security tweaking: disable administrative shares

•Security: disable sending Remote Assistant queries

--------------------------------------------------------------------------------

File list

#74
cowpuncher

Posted 19 March 2014 - 10:45 PM

Member

Topic Starter
Member
58 posts

On the lower right of the computer screen, I had a 'flag'it said "Problems with Windows Update".

I clicked on it, recived this, "Performance Problem", then "Toubleshooting couldn't Identify Problem".

Next it asked, "Do you want to allow Diagasnostic Toubleshooting Wizard?" I clicked "Yes".

This message, "Troubleshooting Problems Preventing Windows Update from Working Properly."

Change subject. As I looked thru the last Log I sent you, under AutoRun, about 3 down, It shows
iYogi Support Dock. I'm obviously still having trouble getting them completely off my computer
I would really like them gone!! :surrender:

No hurry, but I will check my messages in the morning, then I am going out of town until probably
Saturday afternoon. Just wanted you to know in case you try to contact me.

Have a nice weekend, and hope you feel better than you did the last one! Thanks, again for your Help.

#75
Essexboy

Posted 23 March 2014 - 03:12 PM

GeekU Moderator

Retired Staff
69,964 posts

Hi my apologies for the delay but Biscuithd has fallen ill and I will be taking over.

First thing to do is take a quick look at your services due to the windows updates problem, if you could also give me a run down on the current problems whilst I re-read the thread

Download and run farbar service scanner

Posted Image

Tick "All" options.
Press "Scan".
It will create a log (FSS.txt) in the same directory the tool is run.

Please copy and paste the log to your reply.