[FrustratedScott]

Hello community!  I discovered this morning MicroSoft Essentials is no longer running and the icon was removed.  I tried running Malwarebytes and in the middle of running, it disappeared.  Please help.  Thank you!

[Advertisements]

Hi there, first I will need to take a look at your system

Download OTL to your Desktop
Secondary link

• Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
  
  
• Select All Users
• Select LOP and Purity
• Under the Custom Scan box paste this in
  
  netsvcs
  BASESERVICES
  %SYSTEMDRIVE%\*.exe
  c:\program files (x86)\Google\Desktop
  c:\program files\Google\Desktop
  dir "%systemdrive%\*" /S /A:L /C
  /md5start
  rpcss.dll
  /md5stop
  CREATERESTOREPOINT
• Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan wont take long.
  • When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
  • Attach both logs

THEN

Download aswMBR.exe ( 4.9mb ) to your desktop.
Double click the aswMBR.exe to run it Click the "Scan" button to start scan
If Avast is not your AV it will ask to download virus definitions, allow this




On completion of the scan click save log, save it to your desktop and post in your next reply

[Essexboy]

Hi there, first I will need to take a look at your system

Download OTL to your Desktop
Secondary link

• Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
  
  
• Select All Users
• Select LOP and Purity
• Under the Custom Scan box paste this in
  
  netsvcs
  BASESERVICES
  %SYSTEMDRIVE%\*.exe
  c:\program files (x86)\Google\Desktop
  c:\program files\Google\Desktop
  dir "%systemdrive%\*" /S /A:L /C
  /md5start
  rpcss.dll
  /md5stop
  CREATERESTOREPOINT
• Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan wont take long.
  • When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
  • Attach both logs

THEN

Download aswMBR.exe ( 4.9mb ) to your desktop.
Double click the aswMBR.exe to run it Click the "Scan" button to start scan
If Avast is not your AV it will ask to download virus definitions, allow this




On completion of the scan click save log, save it to your desktop and post in your next reply

[FrustratedScott]

Thank you for helping me.  Here are the posts.

 

 

Attached Files

•  OTL.Txt   573.42KB   353 downloads
•  Extras.Txt   66.84KB   362 downloads
•  aswMBR.txt   2.51KB   373 downloads

[Essexboy]

OK lets start the removal process

Warning This fix is only relevant for this system and no other, using on another computer may cause problems

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons, they will return on reboot

Run OTL

• Under the Custom Scans/Fixes box at the bottom, paste in the following
  

:Commands
[CREATERESTOREPOINT]

:OTL
IE - HKU\S-1-5-21-3259559039-2231235213-3042515664-1000\..\SearchScopes\{014DB5FA-EAFB-4592-A95B-F44D3EE87FA9}: "URL" = http://search.conduit.com/Results.aspx?ctid=CT3317742&octid=EB_ORIGINAL_CTID&SearchSource=58&CUI=&UM=2&UP=SPCC169658-09D0-4211-AA8A-F68449E5784A&q={searchTerms}&SSPV=
IE - HKU\S-1-5-21-3259559039-2231235213-3042515664-1000\..\SearchScopes\{DCCE059C-9593-402B-A280-18E63B8EFCCF}: "URL" = http://websearch.ask.com/redirect?client=ie&tb=ORJ&o=100000031&src=crm&q={searchTerms}&locale=en_US&apn_ptnrs=TV&apn_dtid=OSJ000YYUS&apn_uid=DE489241-DEC3-4A79-A52F-B1DBB427D9FF&apn_sauid=9DA921BA-75E8-4F68-910D-83F11D870594
IE - HKU\S-1-5-21-3259559039-2231235213-3042515664-1000\..\SearchScopes\Comcast: "URL" = http://search.xfinity.com/?cat=subweb&con=mmchrome&q={searchTerms}&cid=xfstart_tech_search
[2013/11/22 08:12:34 | 000,001,449 | ---- | M] () -- C:\Users\Maxwell\AppData\Roaming\Mozilla\Firefox\Profiles\s9fpqa9e.default-1361625995253\searchplugins\100-search-engines.xml
[2014/01/12 20:20:10 | 000,000,975 | ---- | M] () -- C:\Users\Maxwell\AppData\Roaming\Mozilla\Firefox\Profiles\s9fpqa9e.default-1361625995253\searchplugins\conduit-search.xml
[2013/11/22 08:11:30 | 000,002,492 | ---- | M] () -- C:\Users\Maxwell\AppData\Roaming\Mozilla\Firefox\Profiles\s9fpqa9e.default-1361625995253\searchplugins\ixquick-https.xml
O2 - BHO: (XFINITY Toolbar) - {4b9bcce8-a70b-402a-a7e1-db96831ee26f} - C:\Program Files (x86)\xfin_portal\comcastdx.dll ()
O2 - BHO: (no name) - {9421DD08-935F-4701-A9CA-22DF90AC4EA6} - No CLSID value found.
O2 - BHO: (no name) - {9A87E478-A2BD-44C4-9F8C-D3989A5271B1} - No CLSID value found.
O2 - BHO: (Updater For XFIN_PORTAL) - {bb46be07-13eb-4c49-b0f0-fc78b9ea4983} - C:\Program Files (x86)\xfin_portal\auxi\comcastAu.dll (Visicom Media)
O2 - BHO: (Ask Toolbar) - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files (x86)\Ask.com\GenericAskToolbar.dll File not found
O3:64bit: - HKLM\..\Toolbar: (no name) - {ae07101b-46d4-4a98-af68-0333ea26e113} - No CLSID value found.
O3:64bit: - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
O3 - HKLM\..\Toolbar: (XFINITY Toolbar) - {4b9bcce8-a70b-402a-a7e1-db96831ee26f} - C:\Program Files (x86)\xfin_portal\comcastdx.dll ()
O3 - HKLM\..\Toolbar: (no name) - {ae07101b-46d4-4a98-af68-0333ea26e113} - No CLSID value found.
O3 - HKLM\..\Toolbar: (Ask Toolbar) - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files (x86)\Ask.com\GenericAskToolbar.dll File not found
O3 - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
O3 - HKU\S-1-5-21-3259559039-2231235213-3042515664-1000\..\Toolbar\WebBrowser: (Ask Toolbar) - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files (x86)\Ask.com\GenericAskToolbar.dll File not found
O4 - HKLM..\Run: [] File not found
O4 - HKLM..\Run: [{45068476-562d-e319-cb2f-de91457e2232}] C:\ProgramData\Microsoft\{45068476-562d-e319-cb2f-de91457e2232}\{45068476-562d-e319-cb2f-de91457e2232}.exe ()
O4 - HKLM..\Run: [ApnUpdater] "C:\Program Files (x86)\Ask.com\Updater\Updater.exe" File not found
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run: {45068476-562d-e319-cb2f-de91457e2232} = "C:\ProgramData\Microsoft\{45068476-562d-e319-cb2f-de91457e2232}\{45068476-562d-e319-cb2f-de91457e2232}.exe" ()

:Files
C:\Users\Maxwell\Desktop\From old computer\Kathy's Folder\RADTools.exe
C:\ProgramData\Microsoft\{45068476-562d-e319-cb2f-de91457e2232}
C:\$Recycle.Bin\S-1-5-21-3259559039-2231235213-3042515664-1000\$596cab13ea850690f5e9f2697e76d4c2

:Reg
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\CLSID\{fbeb8a05-beee-4442-804e-409d6c4515e9}]
@="ShellFolder for CD Burning"

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\CLSID\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32]
@=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,74,00,25,\
00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,73,00,68,00,\
65,00,6c,00,6c,00,33,00,32,00,2e,00,64,00,6c,00,6c,00,00,00

"ThreadingModel"="Apartment"

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\CLSID\{fbeb8a05-beee-4442-804e-409d6c4515e9}\MergedFolder]
"Location"="@shell32.dll,-12591"
"Attributes"="0x0"
"AttributeMask"="0xffffffff"
"ConflictOverlayIcon"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,\
6f,00,6f,00,74,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,\
00,5c,00,69,00,6d,00,61,00,67,00,65,00,72,00,65,00,73,00,2e,00,64,00,6c,00,\
6c,00,2c,00,2d,00,31,00,36,00,39,00,00,00


:Commands
[resethosts]
[emptytemp]
[Reboot]

• Then click the Run Fix button at the top
• Let the program run unhindered, reboot the PC when it is done
• Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

THEN

Download and Install Combofix

Download ComboFix from one of the following locations:
Link 1
Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

* IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here

• Double click on ComboFix.exe & follow the prompts.
• Accept the disclaimer and allow to update if it asks
  
  http://img.photobuck...claimer_ENG.png
  • When finished, it shall produce a log for you.
  • Please include the C:\ComboFix.txt in your next reply.
  • Notes:
    1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
    2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.
    3. If after the reboot you get errors about programmes being marked for deletion then reboot, that will cure it.
    
    
    Please make sure you include the combo fix log in your next reply as well as describe how your computer is running now

[FrustratedScott]

Thanks very much for your help.  It seems to be running quite well now.  I attached the logs as instructed.  Please let me know if there are more steps required.

Attached Files

•  06282014_065017.log   24.88KB   408 downloads
•  combofix log.txt   16.49KB   385 downloads

[Essexboy]

Nearly done I feel

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:
 

File::
c:\windows\system32\drivers\tiafclbz.sys

Driver::
tiafclbz

Save this as CFScript.txt, in the same location as ComboFix.exe




Refering to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

THEN

Please download AdwCleaner by Xplode onto your desktop.

• Close all open programs and internet browsers.
• Double click on AdwCleaner.exe to run the tool.
• Click on Scan.
• After the scan is complete click on "Clean"
• Confirm each time with Ok.
• Your computer will be rebooted automatically. A text file will open after the restart.
• Please post the content of that logfile with your next answer.
• You can find the logfile at C:\AdwCleaner[S1].txt as well.

[FrustratedScott]

Okay.....I followed your instructions.  Here are the logs.

Attached Files

•  combofix log 2.txt   16.49KB   411 downloads
•  AdwCleanerS0.txt   7.18KB   429 downloads

[Essexboy]

Now for the big question.......... How is the computer behaving, any problems ?

[FrustratedScott]

Much better!!!  Thanks much for the help.  Everything seems to be working fine now.  Are there any more steps I need to take?

[Essexboy]

Just this


Subject to no further problems

I will remove my tools now and give some recommendations, but, I would like you to run for 24 hours or so and come back if you have any problems

Now the best part of the day ----- Your log now appears clean

A good workman always cleans up after himself so..The following will implement some cleanup procedures as well as reset System Restore points:

Download and run Delfix



Now that you are clean, to help protect your computer in the future I recommend that you get the following free programmes:

CryptoPrevent install this programme to lock down and prevent crypto ransome ware



Malwarebytes.

Update and run weekly to keep your system clean


It is critical to have both a firewall and anti virus to protect your system and to keep them updated.

To learn more about how to protect yourself while on the internet read this little guide Best security practices Keep safe

[Essexboy]

Since this issue appears to be resolved ... this Topic has been closed. Glad we could help.

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.