Need Virus Help


  • This topic is locked
30 replies to this topic

#16 silver1111

silver1111
  • Topic Starter

  • Members
  • 25 posts
  • OFFLINE
  •  
  • Local time:03:42 AM

Posted 27 June 2012 - 03:50 PM

Got it this time

C:\Qoobox\Quarantine\C\Program Files (x86)\StartNow Toolbar\ReactivateIE.exe.vir Win32/Toolbar.Zugo application
C:\Qoobox\Quarantine\C\Program Files (x86)\StartNow Toolbar\Toolbar32.dll.vir Win32/Toolbar.Zugo application
C:\Qoobox\Quarantine\C\Program Files (x86)\StartNow Toolbar\ToolbarBroker.exe.vir Win32/Toolbar.Zugo application
C:\Qoobox\Quarantine\C\Program Files (x86)\StartNow Toolbar\ToolbarUpdaterService.exe.vir Win32/Toolbar.Zugo application
C:\Users\carrie\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\23\158ef697-41457bcb Java/TrojanDownloader.Agent.NDR trojan
C:\Users\carrie\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\24\41510b58-6f460252 multiple threats
C:\Users\carrie\Desktop\MyInstalledPrograms\PDFCreatorSetup.exe a variant of Win32/Kryptik.HAZ trojan
C:\Users\Public\Documents\FREE_Zip_Utility7zipap_718.exe a variant of Win32/InstallIQ application
C:\Users\Public\Documents\oi_PhotoScapeSetup.exe a variant of Win32/OpenInstall application


#17 silver1111

Posted 27 June 2012 - 07:31 PM

C:\Qoobox\Quarantine\C\Program Files (x86)\StartNow Toolbar\ReactivateIE.exe.vir
Win32/Toolbar.Zugo application

C:\Qoobox\Quarantine\C\Program Files (x86)\StartNow Toolbar\Toolbar32.dll.vir
Win32/Toolbar.Zugo application

C:\Qoobox\Quarantine\C\Program Files (x86)\StartNow Toolbar\ToolbarBroker.exe.vir
Win32/Toolbar.Zugo application

C:\Qoobox\Quarantine\C\Program Files (x86)\StartNow Toolbar\ToolbarUpdaterService.exe.vir
Win32/Toolbar.Zugo application

C:\Users\carrie\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\23\158ef697-41457bcb
Java/TrojanDownloader.Agent.NDR trojan

C:\Users\carrie\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\24\41510b58-6f460252
multiple threats

C:\Users\carrie\Desktop\MyInstalledPrograms\PDFCreatorSetup.exe
a variant of Win32/Kryptik.HAZ trojan

C:\Users\Public\Documents\FREE_Zip_Utility7zipap_718.exe
a variant of Win32/InstallIQ application

C:\Users\Public\Documents\oi_PhotoScapeSetup.exe
a variant of Win32/OpenInstall application

#18 silver1111

Posted 27 June 2012 - 08:23 PM

ESET report:

C:\Qoobox\Quarantine\C\Program Files (x86)\StartNow Toolbar\ReactivateIE.exe.vir Win32/Toolbar.Zugo application
C:\Qoobox\Quarantine\C\Program Files (x86)\StartNow Toolbar\Toolbar32.dll.vir Win32/Toolbar.Zugo application
C:\Qoobox\Quarantine\C\Program Files (x86)\StartNow Toolbar\ToolbarBroker.exe.vir Win32/Toolbar.Zugo application
C:\Qoobox\Quarantine\C\Program Files (x86)\StartNow Toolbar\ToolbarUpdaterService.exe.vir Win32/Toolbar.Zugo application
C:\Users\carrie\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\23\158ef697-41457bcb Java/TrojanDownloader.Agent.NDR trojan
C:\Users\carrie\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\24\41510b58-6f460252 multiple threats
C:\Users\carrie\Desktop\MyInstalledPrograms\PDFCreatorSetup.exe a variant of Win32/Kryptik.HAZ trojan
C:\Users\Public\Documents\FREE_Zip_Utility7zipap_718.exe a variant of Win32/InstallIQ application
C:\Users\Public\Documents\oi_PhotoScapeSetup.exe a variant of Win32/OpenInstall application

#19 Blade81

Blade81

    Bleepin' Rocker


  • Malware Response Team
  • 6,465 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Finland
  • Local time:12:42 PM

Posted 28 June 2012 - 12:03 AM

Hi,

Open Notepad and copy/paste the text in the quotebox below into it:

File::
C:\Users\carrie\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\23\158ef697-41457bcb
C:\Users\carrie\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\24\41510b58-6f460252
C:\Users\carrie\Desktop\MyInstalledPrograms\PDFCreatorSetup.exe
C:\Users\Public\Documents\FREE_Zip_Utility7zipap_718.exe
C:\Users\Public\Documents\oi_PhotoScapeSetup.exe


Save this as CFScript

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine. This tool is not a toy and not for everyday use.

Posted Image

Close all browser windows and, referring to the picture above, drag CFScript into ComboFix.exe (let the tool update itself if prompted).
Then post the resultant log. Any issues left?

Microsoft Windows Insider MVP 2016-2017

Microsoft MVP Consumer Security 2008-2015
UNITE member since 2006

Provided malware removal related instructions are meant to be used in the correspondent user's case only. If you have similar symptoms, create your own topic instead of following instructions given to someone else, please.


#20 silver1111

Posted 28 June 2012 - 08:22 AM

Something strange here. I posted this list a few times already yet every time I come back it's gone. I'm trying again:

---C:\Qoobox\Quarantine\C\Program Files (x86)\StartNow Toolbar\ReactivateIE.exe.vir Win32/Toolbar.Zugo application---
---C:\Qoobox\Quarantine\C\Program Files (x86)\StartNow Toolbar\Toolbar32.dll.vir Win32/Toolbar.Zugo application---
---C:\Qoobox\Quarantine\C\Program Files (x86)\StartNow Toolbar\ToolbarBroker.exe.vir Win32/Toolbar.Zugo application---
---C:\Qoobox\Quarantine\C\Program Files (x86)\StartNow Toolbar\ToolbarUpdaterService.exe.vir Win32/Toolbar.Zugo application---
---C:\Users\carrie\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\23\158ef697-41457bcb Java/TrojanDownloader.Agent.NDR trojan---
---C:\Users\carrie\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\24\41510b58-6f460252 multiple threats---
---C:\Users\carrie\Desktop\MyInstalledPrograms\PDFCreatorSetup.exe a variant of Win32/Kryptik.HAZ trojan---
---C:\Users\Public\Documents\FREE_Zip_Utility7zipap_718.exe a variant of Win32/InstallIQ application---
---C:\Users\Public\Documents\oi_PhotoScapeSetup.exe a variant of Win32/OpenInstall application---

#21 silver1111

Posted 28 June 2012 - 09:01 AM

Man am I blonde. Just figured out my post disappeared to a 2nd page. Sorry. I do have another issue maybe you can help with: I try to go on Amazon.com and it won't let me. I don't know if there are other sites this will happen with. My son said it happens to him on youtube.com. He said it is an http/https issue but when I put in https to go on Amazon it doesn't go thru anyway. I get Internet Explorer cannot display the webpage.

Under Internet Options/Advanced/Security:
use ssl 2.0
use ssl 3.0 checked
use tls 1.0 checked
use tls 1.1
use tls 1.0
Could something above be causing it?

ComboFix 12-06-25.03 - carrie 06/28/2012 8:29.5.4 - x64
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.8151.5564 [GMT -5:00]
Running from: c:\users\carrie\Desktop\ComboFix.exe
Command switches used :: c:\users\carrie\Desktop\CFScript.txt
AV: Total Defense Anti-Virus Plus *Disabled/Updated* {57B5C44D-AAB5-DBC9-741B-542BE5A132EA}
FW: Total Defense Personal Firewall *Disabled* {6F8E4568-E0DA-DA91-5F44-FD1E1B727591}
SP: Total Defense Anti-Virus Plus *Disabled/Updated* {ECD425A9-8C8F-D447-4EAB-6F599E267857}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
FILE ::
"c:\users\carrie\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\23\158ef697-41457bcb"
"c:\users\carrie\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\24\41510b58-6f460252"
"c:\users\carrie\Desktop\MyInstalledPrograms\PDFCreatorSetup.exe"
"c:\users\Public\Documents\FREE_Zip_Utility7zipap_718.exe"
"c:\users\Public\Documents\oi_PhotoScapeSetup.exe"
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\users\carrie\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\23\158ef697-41457bcb
c:\users\carrie\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\24\41510b58-6f460252
c:\users\carrie\Desktop\MyInstalledPrograms\PDFCreatorSetup.exe
c:\users\Public\Documents\FREE_Zip_Utility7zipap_718.exe
c:\users\Public\Documents\oi_PhotoScapeSetup.exe

#22 silver1111

Posted 28 June 2012 - 09:04 AM

PS: Am I good to go now as far as virus stuff goes? You are wonderful to have helped me.
Is there a link here somewhere I can donate to?

#23 Blade81

Posted 28 June 2012 - 12:40 PM

Hi,

"I do have another issue maybe you can help with: I try to go on Amazon.com and it won't let me. I don't know if there are other sites this will happen with. My son said it happens to him on youtube.com. He said it is an http/https issue but when I put in https to go on Amazon it doesn't go thru anyway. I get Internet Explorer cannot display the webpage.

Under Internet Options/Advanced/Security:
use ssl 2.0
use ssl 3.0 checked
use tls 1.0 checked
use tls 1.1
use tls 1.0
Could something above be causing it?"

I have those settings set in the same way and can access both above-mentioned domains. Could you install Firefox and test if the same thing happens with it?


Am I good to go now as far as virus stuff goes?

Yes unless the remaining problem is somehow related. We have to take a look at it.


Is there a link here somewhere I can donate to?

If you wish you may donate to some cause here :)

Microsoft Windows Insider MVP 2016-2017

Microsoft MVP Consumer Security 2008-2015
UNITE member since 2006

Provided malware removal related instructions are meant to be used in the correspondent user's case only. If you have similar symptoms create own topic instead of following instructions given to some other, please.


#24 silver1111

Posted 28 June 2012 - 06:27 PM

I tested it with Firefox and it worked, then I tested it again on Explorer and it worked. I guess whatever problem it had went away. Thank you soooooooo much from the bottom of my heart for all your help.

#25 Blade81

Posted 29 June 2012 - 12:13 AM

You're welcome :)

Let's see the final steps.


THESE STEPS ARE VERY IMPORTANT

Let's reset system restore
Reset and re-enable your System Restore to remove infected files that have been backed up by Windows. The files in System Restore are protected to prevent any programs changing those files. This is the only way to clean these files: You will lose all previous restore points, which are likely to be infected. Please note you need Administrator access to clean the restore points.

A. To disable the System Restore feature:

1. Click on the Start button.
2. Hover over the Computer option, right click on it and then click Properties.
3. On the left hand side, click Advanced Settings.
4. If asked to permit the action, click on Allow.
5. Click on the System Protection tab.
6. Select c: drive and click Configure...
7. Select Turn off protection
8. Press OK.
Repeat steps 6-8 for each hard drive.

B. Reboot.

C. Turn ON System Restore.
Follow the steps like you did when disabling System Restore, but on step 7 select the "Restore system settings and previous versions of files" option.


Now let's uninstall ComboFix:
  • Click START then RUN
  • Now copy-paste Combofix /uninstall in the runbox and click OK



UPDATING WINDOWS AND INTERNET EXPLORER

IMPORTANT: You need to update Windows and Internet Explorer to protect your computer from the malware that is around on the Internet. Please go to the Windows Update site to get the critical updates.


Download and run Secunia Personal Software Inspector (PSI) and fix its findings. Leave the program installed so you'll stay alarmed about vulnerable components in future too.


Just a final reminder for you. I am trying to stress these two points.
UPDATE UPDATE UPDATE!!! Make sure you do this about every 1-2 weeks.
Make sure all of your security programs are up to date.
Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer always has the latest security updates installed. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.


Once again, please post and tell me how things are going with your system... problems etc.

Have a great day,
Blade B)

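A scripted equivalent of steps A to C in the post above, as an added example that is not part of Blade81's instructions. The `-Phase` and `-Drive` parameters and the restore point description are this example's own, and it assumes Windows PowerShell 5.1 run as Administrator with System Protection enabled only on the system drive.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the thread. Run in Windows PowerShell 5.1; the
# ComputerRestore cmdlets used here are not part of PowerShell 7.
param(
    [Parameter(Mandatory)]
    [ValidateSet('Disable', 'Enable')]
    [string]$Phase,

    # Assumption: only the system drive has System Protection turned on,
    # as in the thread (C: on, HP Recovery D: off and left alone).
    [string]$Drive = 'C:\'
)

function Get-RestorePointCount {
    # Wrap in @() so zero or one result still yields a usable count.
    @(Get-ComputerRestorePoint -ErrorAction SilentlyContinue).Count
}

switch ($Phase) {
    'Disable' {
        Write-Host "Restore points before: $(Get-RestorePointCount)"
        # Step A: turn protection off. The thread notes this discards the
        # existing restore points; the second count lets you confirm it.
        Disable-ComputerRestore -Drive $Drive
        Write-Host "Restore points after:  $(Get-RestorePointCount)"
        Write-Host 'Step B: reboot, then run this script again with -Phase Enable.'
    }
    'Enable' {
        # Step C: turn protection back on for the same drive.
        Enable-ComputerRestore -Drive $Drive
        # Extra step (not in the thread): record a known-clean baseline.
        Checkpoint-Computer -Description 'Clean baseline after malware removal' `
            -RestorePointType MODIFY_SETTINGS
        Get-ComputerRestorePoint |
            Select-Object SequenceNumber, CreationTime, Description
    }
}
```

If the "after" count is not zero, the old restore points are still present and the GUI steps should be used instead.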


#26 silver1111

Posted 29 June 2012 - 07:20 AM

I will do the above in a bit but I have to run out right now. I wanted to say though that I tried Amazon.com again using Internet Explorer and it didn't work again. I also tried a yahoo.com news story with a video: http://news.yahoo.com/video/oddnews-22772304/ghost-believed-to-be-cause-of-creepy-happenings-at-texas-store-29827011.html and the video would not play. When I use Firefox, Amazon.com works but the video page above tells me to download Adobe Flash instead of showing the video. You already had me reinstall Flash so I should have the latest version.

#27 Blade81

Posted 29 June 2012 - 07:34 AM

Hi,

If you start Internet Explorer with addons disabled are those sites still inaccessible (Click Start -> All Programs -> Accessories -> System Tools, and then click Internet Explorer (No Add-ons))?

> When I use firefox, Amazon.com works but the video page above tells me to download adobe flash instead of showing the video. You already had me reinstall flash so I should have the latest version.

Firefox uses a different Flash Player plugin than Internet Explorer. That's why the browser prompts to install the missing plugin.



#28 silver1111

Posted 29 June 2012 - 10:48 AM

That didn't work

#29 silver1111

Posted 29 June 2012 - 10:58 AM

I followed your instructions to disable the system restore feature to the turn off protection #7. How do I turn off protection? It is in a box with 2 drives, C and HP Recovery (D). C is on, HP is off. There is no selection to change it. I click, right click, left click and nothing. Below are 2 options. 1 is to Configure Restore settings, manage disk space, and delete restore points. (Configure button) The 2nd option: Create a restore point right now for the drives that have system protection turned on. (Create button)

#30 Blade81

Posted 30 June 2012 - 04:00 PM

Hi,

If you click on the C drive and then the Configure button, does the System Protection window open up with the "Turn off system protection" option available? If so, you need to select that. Drive D should be left as it is.
