
Trouble loading files Including FRST64 [Solved]


  • This topic is locked

#16
Bruce1270

    Trusted Helper

  • Malware Removal
  • 1,714 posts
Hi Rusty2

OK, we'll see if a system file check throws anything up.


SFC Scan

1. Click on the Start button and in the search box, type Command Prompt
2. When you see Command Prompt on the list, right-click on it and select Run as administrator
3. When the command prompt opens, copy and paste the following command into it and press Enter.

sfc /scannow

Please note: there is one space between the c and the /

4. Let the scan complete.

If you get the message "Windows Resource Protection did not find any integrity violations" this means all is OK. If you get this message let me know.

If you get any other message, then copy and paste the following command at the command prompt and press Enter.

findstr /c:"[SR]" %windir%\Logs\CBS\CBS.log >"%userprofile%\Desktop\sfcdetails.txt"

5. This will create a file, sfcdetails.txt, on your Desktop.
6. Type exit to close the command prompt window.
7. Open the file sfcdetails.txt and copy/paste this in your next reply.
8. If the file is too large you can zip the file and attach it to your post.
  • 0
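An added example, not part of the original post or of any tool mentioned in it: a Python sketch of how the `[SR]` lines that the findstr command above extracts from CBS.log can be triaged into files SFC repaired from the component store and files it could not repair. The sample log text, file names and component name are constructed; `sr_lines` and `summarize` are hypothetical helper names.

```python
import re

# Constructed sample in the CBS.log layout; the file and component names are made up.
SAMPLE_CBS = r'''2017-03-10 21:10:01, Info                  CBS    Loaded Servicing Stack
2017-03-10 21:10:05, Info                  CSI    00000009 [SR] Verifying 100 (0x0000000000000064) components
2017-03-10 21:10:05, Info                  CSI    0000000a [SR] Beginning Verify and Repair transaction
2017-03-10 21:10:09, Info                  CSI    0000000c [SR] Cannot repair member file [l:22{11}]"example.ini" of Example-Component, Version = 6.1.7600.16385, pA = PROCESSOR_ARCHITECTURE_AMD64 (9), Culture neutral in the store, hash mismatch
2017-03-10 21:10:11, Info                  CSI    0000000e [SR] Cannot repair member file [l:22{11}]"example.ini" of Example-Component, Version = 6.1.7600.16385, pA = PROCESSOR_ARCHITECTURE_AMD64 (9), Culture neutral in the store, hash mismatch
2017-03-10 21:10:12, Info                  CSI    00000010 [SR] Repairing corrupted file [ml:520{260},l:46{23}]"\??\C:\Windows\System32"\[l:22{11}]"example.dll" from store
2017-03-10 21:10:15, Info                  CSI    00000012 [SR] Verify complete
'''

SR_MSG = re.compile(r"\[SR\] (.*)$")   # message text after the [SR] tag
QUOTED = re.compile(r'"([^"]*)"')      # quoted path and file-name fields


def sr_lines(text):
    """Same filter as findstr /c:"[SR]": keep lines containing the literal [SR]."""
    return [ln for ln in text.splitlines() if "[SR]" in ln]


def summarize(text):
    """Group SFC results: components verified, files repaired, files still broken."""
    repaired, cannot, components = {}, {}, 0
    for line in sr_lines(text):
        m = SR_MSG.search(line)
        if not m:
            continue
        msg = m.group(1)
        names = QUOTED.findall(msg)
        if msg.startswith("Verifying "):
            count = msg.split()[1]
            components += int(count) if count.isdigit() else 0
        elif msg.startswith("Cannot repair member file") and names:
            # The owning component follows '" of ' and ends at the first comma.
            _, sep, rest = msg.partition('" of ')
            cannot[names[0].lower()] = rest.split(",", 1)[0] if sep else ""
        elif msg.startswith("Repairing corrupted file") and names:
            # Last quoted field is the file name, the first is its directory.
            repaired[names[-1].lower()] = names[0] if len(names) > 1 else ""
    # SFC logs the same failure more than once; the dict keys de-duplicate them.
    # A file that was later repaired from the store is not reported as outstanding.
    outstanding = {f: c for f, c in cannot.items() if f not in repaired}
    return {"components_verified": components,
            "repaired": repaired,
            "outstanding": outstanding}


if __name__ == "__main__":
    import sys
    # Pass the path to sfcdetails.txt or CBS.log; without one the sample is used.
    data = (open(sys.argv[1], errors="replace").read()
            if len(sys.argv) > 1 else SAMPLE_CBS)
    for key, value in summarize(data).items():
        print(key, value)
```

Entries under `outstanding` are the ones worth posting or investigating further; an empty result corresponds to the "did not find any integrity violations" message.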



#17
RUSTY2

    Member

  • Topic Starter
  • 221 posts

Hi. Ran the scan and got the message "Windows Resource Protection did not find any integrity violations".


  • 0

#18
Bruce1270

    Trusted Helper

  • Malware Removal
  • 1,714 posts
Hi Rusty2

That's good news in that there are no corrupted files. :)

I'm a bit baffled as to why AdwCleaner is giving you issues but we'll crack on with a couple of other tools.

Please disable your anti-virus prior to running these tools.

Step 1 - Junkware Removal Tool

Download Junkware Removal Tool by Malwarebytes and save it to your desktop.

Important: Please disable your anti-virus prior to running this program. Advice on how to do this for your anti-virus can be found here

1. Ensure all programs and windows are closed before proceeding.
2. Right click on the file and select Run As administrator
3. A black window will appear. Press any key to continue.
4. Wait for it to finish.
5. A log will automatically pop up once done. Alternatively, you can find JRT.txt on your desktop.
6. Copy (CTRL + C) and paste (CTRL + V) the content of the log in your next reply.


Step 2 - Emsisoft Emergency Kit
  • Download the Emsisoft Emergency Kit and execute it. From there, click on the Extract button to extract the program in the EEK folder;
  • Once the extraction is complete, Emsisoft Emergency Kit will open, and suggest that you run an online update before using the program. Click on Yes to launch it.
  • After the update, click on Malware Scan under 2. Scan and accept to let Emsisoft Emergency Kit detect PUPs (click on Yes).
  • Once the scan is complete, if items are detected make sure that every item in the list is checked, and click on Quarantine selected;
  • If it asks you for a reboot to delete some items, click on Ok to reboot automatically;
  • After the restart, click on the Start Emsisoft Emergency Kit icon again on your desktop to open it;
  • This time, click on Logs;
  • From there, go under the Quarantine Log tab, and click on the Export button;
  • Save the log on your desktop, then open it, and copy/paste its content in your next reply;

  • 0

#19
RUSTY2

    Member

  • Topic Starter
  • 221 posts

Cannot run both programs!! On the Junkware I get: Junkware Removal Tool Error, error during execution desktop\ jrt\get.bat" the system cannot find the file specified

On the Emsisoft Emergency Kit I get an error: c:\eek folder is not accessible


  • 0

#20
Bruce1270

    Trusted Helper

  • Malware Removal
  • 1,714 posts
Hi Rusty2

You have Cryptoprevent installed and I'm wondering if this is preventing some of the tools from running.

Open the Cryptoprevent application. On version 8.03.2 you will see a tab called Apply Protection.

You will see "Choose a protection plan" with options. Select None. Click on Apply Protection Plan.

You may be asked to reboot. Choose yes to do so.


Once the system has rebooted, disable your anti-virus and try running JRT again. Copy and paste the log in your next reply.
  • 0

#21
RUSTY2

    Member

  • Topic Starter
  • 221 posts

OK, ran the program, but mine says it is V7.4.21; don't know if that makes any difference. Hit NONE and rebooted. Tried JRT again, got the same message. I will try running it again.


  • 0

#22
RUSTY2

    Member

  • Topic Starter
  • 221 posts

OK, tried it again. This time when I rebooted I get a message on startup that Cryptoprevent was not taking effect. Should I uninstall it? Don't even remember installing it in the first place.


  • 0

#23
Bruce1270

    Trusted Helper

  • Malware Removal
  • 1,714 posts
Hi Rusty2

You probably installed Cryptoprevent on the recommendation of a previous helper.

Have you tried running any of the programs in safe mode?

Can you boot into safe mode and give it a try?


Start Windows 7/Vista/XP in Safe Mode
  • Immediately after the computer is powered on or restarted (usually after you hear your computer beep), tap the F8 key in 1 second intervals.
  • After your computer displays hardware information and runs a memory test, the Advanced Boot Options menu will appear.
  • Use the arrow keys to select Safe Mode or Safe Mode with Networking and press ENTER.



    Try running AdwCleaner and JRT. If they run, post the logs.

    Thanks

  • 0

#24
RUSTY2

    Member

  • Topic Starter
  • 221 posts

Sorry, I should have mentioned it before, but I can't get into safe mode at all. When my PC first starts up I lose keyboard and mouse movement. Sometimes if I have to reboot it I have to shut down by hitting the on-off button because it just sits on (shutting down) for hrs.


  • 0

#25
Bruce1270

    Trusted Helper

  • Malware Removal
  • 1,714 posts
Hi Rusty2

Thanks for the update. A few of my colleagues have suggested it may be a permissions issue causing the problem.

I would like you to run Windows Repair (All In One) to reset the Windows permissions back to default. This tool works best in safe mode with networking. However, if you are having issues with safe mode then use clean boot.

To do this follow the steps in this guide.

Step One - Windows Repair (All In One):

Boot your system into safe mode with networking.
Download the installer for Windows Repair (All In One) from here. Don't download the portable version.
Browse to the file called tweaking.com_windows_repair_aio_setup. Right click on this file and select Run as Administrator
Follow on screen instructions to install it.
Locate the file called Repair_Windows.exe. Right click on this file and select Run as Administrator. Click continue on the User Account Control prompt.
The below GUI (graphical user interface) will appear/load:



Click on the Step 5 tab >> Under 1. Registry Backup click on Backup
When the above has been created, under the 2. System Restore setting click on the Create tab.
Then after Restore point created at date/time is denoted >> click on Repairs >> deselect Automatically do a registry backup if it is ticked.
Click Open Repairs
Ensure only options 1,2,3 are ticked.
Now click on the Start Repairs and the repair process will begin. Do not use your machine for anything else until the repairs are completed.
Upon completion your machine should automatically reboot; if it does not, please do so manually.

Disable your anti-virus.

Then try downloading AdwCleaner to your desktop again. If it says file already exists, say yes to overwrite it.



Download AdwCleaner from here to the Desktop
  • Close all open windows and browsers
  • Double click the AdwCleaner icon to execute the program
  • When the tool opens for the first time accept the Terms of use
  • Click the Scan button and wait for the program to finish.
  • Click on Options
    tick to reset -
    IPSec
    IE policies
    Chrome policies
    Chrome preferences
  • When finished, please click the Cleaning button.
  • When cleaning is finished, you may be prompted to restart your computer.
  • Upon completion, a log (AdwCleaner[C*].txt) will open.
  • Please copy and paste this in your next reply.

  • 0



#26
RUSTY2

    Member

  • Topic Starter
  • 221 posts

Running very slow now, but got the AdwCleaner working.

 

 

# AdwCleaner v6.044 - Logfile created 11/03/2017 at 04:35:13
# Updated on 28/02/2017 by Malwarebytes
# Database : 2017-03-11.1 [Server]
# Operating System : Windows 7 Home Premium Service Pack 1 (X64)
# Username : BR - BRIAN-PC
# Running from : C:\Users\BR\Desktop\adwcleaner_6.044.exe
# Mode: Clean
# Support : https://www.malwarebytes.com/support

 

***** [ Services ] *****

 

***** [ Folders ] *****

[-] Folder deleted: C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\{D2020D47-707D-4E26-B4D9-739C4F4C2E9A}
[-] Folder deleted: C:\extensions

***** [ Files ] *****

[-] File deleted: C:\Users\BR\Downloads\DriverDetective.exe
[-] File deleted: C:\Users\BRIAN\AppData\Roaming\Mozilla\Firefox\Profiles\rvkciqtl.default\extensions\staged\[email protected]

***** [ DLL ] *****

 

***** [ WMI ] *****

 

***** [ Shortcuts ] *****

 

***** [ Scheduled Tasks ] *****

 

***** [ Registry ] *****

[-] Key deleted: HKCU\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{27B53C99-64EB-4685-A7D8-A232296A4535}
[-] Key deleted: HKCU\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{2B9E9341-A610-4D3E-8379-E1CACB916585}
[-] Key deleted: HKCU\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{3384D3D3-863B-4C9F-98CD-EFDDFE9407F}
[-] Key deleted: HKCU\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{707E6CB9-2715-4229-81EA-B5C179FB7FB5}
[-] Key deleted: HKCU\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{A56750AD-D8FC-49E0-AB3A-3CCF5D0FD1F}
[-] Key deleted: HKCU\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C7BD5D71-DEA7-4DAD-9034-918A6757860}
[-] Key deleted: HKLM\SYSTEM\CurrentControlSet\Services\EventLog\Application\ComputerUpdater Service
[#] Key deleted on reboot: [x64] HKLM\SYSTEM\CurrentControlSet\Services\EventLog\Application\ComputerUpdater Service
[-] Key deleted: HKLM\SOFTWARE\Classes\Interface\{E7BC34A1-BA86-11CF-84B1-CBC2DA68BF6C}
[-] Key deleted: HKLM\SOFTWARE\Classes\TypeLib\{E7BC34A0-BA86-11CF-84B1-CBC2DA68BF6C}
[-] Key deleted: HKU\.DEFAULT\Software\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER\S-1-5-18\Software\shopperz
[-] Key deleted: HKU\.DEFAULT\Software\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER\S-1-5-18\Software\Web Assistant
[-] Key deleted: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{730E03E4-350E-48E5-9D3E-4329903D454D}
[-] Key deleted: HKLM\SOFTWARE\Classes\Installer\Features\4E30E037E0535E84D9E3349209D354D4
[-] Key deleted: HKLM\SOFTWARE\Classes\Installer\Products\4E30E037E0535E84D9E3349209D354D4
[-] Key deleted: [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\4E30E037E0535E84D9E3349209D354D4
[#] Key deleted on reboot: [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\4E30E037E0535E84D9E3349209D354D4
[#] Key deleted on reboot: [x64] HKLM\SOFTWARE\Classes\Installer\Features\4E30E037E0535E84D9E3349209D354D4
[#] Key deleted on reboot: [x64] HKLM\SOFTWARE\Classes\Installer\Products\4E30E037E0535E84D9E3349209D354D4
[-] Key deleted: HKU\S-1-5-21-998330651-303224156-1059126384-1004\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}
[-] Data restored: HKU\S-1-5-21-998330651-303224156-1059126384-1004\Software\Microsoft\Internet Explorer\SearchScopes [DefaultScope] {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
[#] Key deleted on reboot: HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}
[-] Data restored: HKCU\Software\Microsoft\Internet Explorer\SearchScopes [DefaultScope] {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
[#] Key deleted on reboot: [x64] HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}
[-] Data restored: [x64] HKCU\Software\Microsoft\Internet Explorer\SearchScopes [DefaultScope] {0633EE93-D776-472f-A0FF-E1416B8B2E3A}

***** [ Web browsers ] *****

[-] Firefox preferences cleaned: "extensions.installCache" -  "[{\"name\":\"winreg-app-global\",\"addons\":{\"[email protected]\":{\"descriptor\":\"C:\\\\Program Files (x86)\\\\HP\\\\Digital Imaging\\\\Smart Web Printing\\\\MozillaAddOn3\",\"mtime\":1331652061464}}},{\"name\":\"app-global\",\"addons\":{\"{972ce4c6-7e08-4474-a285-3208198ce6fd}\":{\"descriptor\":\"C:\\\\Program Files (x86)\\\\Mozilla Firefox\\\\extensions\\\\{972ce4c6-7e08-4474-a285-3208198ce6fd}\",\"mtime\":1332029777398},\"{CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA}\":{\"descriptor\":\"C:\\\\Program Files (x86)\\\\Mozilla Firefox\\\\extensions\\\\{CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA}\",\"mtime\":1332357302790}}},{\"name\":\"winreg-app-user\",\"addons\":{\"{8A9386B4-E958-4c4c-ADF4-8F26DB3E4829}\":{\"descriptor\":\"C:\\\\Program Files (x86)\\\\PriceGong\\\\2.5.3\\\\FF\",\"mtime\":1331645712723},\"[email protected]\":{\"descriptor\":\"C:\\\\Program Files (x86)\\\\HP\\\\Digital Imaging\\\\Smart Web Printing\\\\MozillaAddOn3\",\"mtime\":1331652061464}}},{\"name\":\"app-profile\",\"addons\":{\"[email protected]\":{\"descriptor\":\"C:\\\\Users\\\\BRIAN\\\\AppData\\\\Roaming\\\\Mozilla\\\\Firefox\\\\Profiles\\\\rvkciqtl.default\\\\extensions\\\\[email protected]\",\"mtime\":1331887036019},\"[email protected]\":{\"descriptor\":\"C:\\\\Users\\\\BRIAN\\\\AppData\\\\Roaming\\\\Mozilla\\\\Firefox\\\\Profiles\\\\rvkciqtl.default\\\\extensions\\\\[email protected]\",\"mtime\":1331885462148},\"[email protected]\":{\"descriptor\":\"C:\\\\Users\\\\BRIAN\\\\AppData\\\\Roaming\\\\Mozilla\\\\Firefox\\\\Profiles\\\\rvkciqtl.default\\\\extensions\\\\[email protected]\",\"mtime\":1331886969308}}}]"
[-] Firefox preferences cleaned: "browser.search.selectedEngine" -  "Search Provided by Yahoo"
[-] Firefox preferences cleaned: "browser.search.defaultenginename" -  "Ask Search"
[-] Firefox preferences cleaned: "extensions.saeListDS" -  "[\"Ask Search\",\"[email protected]\"]"
[-] [C:\Users\BR\AppData\Local\Google\Chrome\User Data\Default\Web data] [Search Provider] Deleted: ask.com
[-] [C:\Users\BR\AppData\Local\Google\Chrome\User Data\Default\Web data] [Search Provider] Deleted: g
[-] [C:\Users\BR\AppData\Local\Google\Chrome\User Data\Default\Web data] [Search Provider] Deleted: start.mysearchdial.com
[-] [C:\Users\BR\AppData\Local\Google\Chrome\User Data\Default\Web data] [Search Provider] Deleted: search.conduit.com___
[-] [C:\Users\BR\AppData\Local\Google\Chrome\User Data\Default\Web data] [Search Provider] Deleted: www2.delta-search.com
[-] [C:\Users\BR\AppData\Local\Google\Chrome\User Data\Default\Web data] [Search Provider] Deleted: search.conduit.com__
[-] [C:\Users\BR\AppData\Local\Google\Chrome\User Data\Default\Web data] [Search Provider] Deleted: search.conduit.com_
[-] [C:\Users\BR\AppData\Local\Google\Chrome\User Data\Default\Web data] [Search Provider] Deleted: search.conduit.com

*************************

:: "Tracing" keys deleted
:: Winsock settings cleared
:: IPSec settings cleared
:: IE policies deleted
:: Chrome policies deleted
:: Chrome preferences reset: C:\Users\BR\AppData\Local\Google\Chrome\User Data\Default

*************************

C:\AdwCleaner\AdwCleaner[C0].txt - [7269 Bytes] - [11/03/2017 04:35:13]
C:\AdwCleaner\AdwCleaner[S0].txt - [5692 Bytes] - [11/03/2017 04:31:55]

########## EOF - C:\AdwCleaner\AdwCleaner[C0].txt - [7415 Bytes] ##########


  • 0

#27
Bruce1270

    Trusted Helper

  • Malware Removal
  • 1,714 posts
Hi Rusty2

OK, that's good news AdwCleaner worked. Let's try Malwarebytes again.


Please download Malwarebytes to your desktop.

Double-click mb3-setup-consumer-{version}.exe and follow the prompts to install the program.

Once the program has fully updated, Proceed with the Scan options and select "Threat Scan".

The Scan Pane is the introduction to scan-related options in the program. When you click Scan in the Menu Pane, you will see the screen shown below.


After a scan has been executed, scan results are displayed as shown below. In this scan, three threats were detected.


Put a checkmark on all detected and click on "Quarantine Selected"


Selected reports may be viewed on screen, or exported to a text file for later viewing. Please note that only manual (on demand) scans are available for users of the free version of Malwarebytes.


Please note that an Export button is shown at the bottom left corner of this screen. This allows you to make a copy of the log for use by other programs. You may export to your clipboard or to a text (TXT) file. Export to a .txt file and post its contents.


Also there is this file I would like checked out at Virus Total.

First unhide all folders.
  • Open Folder Options by clicking the Start button, clicking Control Panel, clicking Appearance and Personalization, and then clicking Folder Options.
  • Click the View tab.
  • Under Advanced settings, click Show hidden files and folders, and then click OK.

    Then
    • Please upload the file C:\Program Files (x86)\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe to virustotal
    • To do this click on Choose file. When the window opens navigate to the location C:\Program Files (x86)\Common Files\Microsoft Shared\VS7DEBUG. Locate file mdm.exe and click on it to select it.
    • Once you have selected the file, click the Scan It! button.
    • If a "file already analysed" window appears, click on the reanalyse button.
    • When the scan is finished, post the link to the result (you can copy it from the address bar in your browser) in your next message.
    Other analysis site alternatives are VirScan.org and Jotti.

  • 0

#28
RUSTY2

    Member

  • Topic Starter
  • 221 posts

https://www.virustot...sis/1489338909/


  • 0

#29
RUSTY2

    Member

  • Topic Starter
  • 221 posts

Malwarebytes ran great, no viruses.


  • 0

#30
Bruce1270

    Trusted Helper

  • Malware Removal
  • 1,714 posts
Hi Rusty2

You have two anti-virus programs installed (Microsoft Security Essentials & Avast Anti-Virus). I strongly recommend that you have only one antivirus product installed and running on your computer at a time.

Multiple installed antivirus products can lead to a clash as products fight for access to files which are being opened, since they need to be checked for viruses.
In general terms, the programs may conflict and cause:
  • False Alarms: When the anti-virus software tells you that your PC has a virus when it actually doesn't.
  • System Performance Problems: Your system may lock up due to multiple products attempting to access the same file at the same time.

I would remove Microsoft Security Essentials and keep Avast.

Follow the instructions below to remove the program: Microsoft Security Essentials
  • Please go to Start Menu -> Control Panel -> Programs and Features
  • In the list of installed programs locate and click on Microsoft Security Essentials.
  • Click uninstall.

    Often anti-virus programs are not completely removed by the above method and most have their own removal tool to completely remove them from your system.

    If you have any problems removing Microsoft Security Essentials, please download the MSE removal tool to the desktop and follow the instructions.


    Then run a fresh set of FRST logs to see if any issues remain.
  • Please run Farbar Recovery Scan Tool again. Run FRST by right clicking on it and selecting Run as Administrator. Allow it to update if it wants to.
  • Please tick the Addition.txt box under Optional Scan.
  • Press the Scan button.
  • It will make logs FRST.txt & Addition.txt in the same directory the tool is run from.
  • Please copy and paste the FRST.txt and Addition.txt to your reply.


    How is the computer running now?

  • 0





