
No Programs Will Open - No Internet - Pop ups


  • This topic is locked
65 replies to this topic

#1 withavision

Posted 02 December 2014 - 06:53 PM

Hello,

I have a friend's computer here that basically will not work at all. I cannot open any programs, including any internet browsers.

They said when they first noticed something was wrong they were getting pop-ups saying that 1 of 3 things happened: either you have illegal software installed, and two other things I cannot remember, but it then said to fix this problem you must pay the government $300 or something and gave a number to call.

That has since stopped popping up, but nothing works.

I have taken a few pictures of the pop-ups that come up when I do anything... see below.

Please let me know what steps I need to do. I am sure I will need to go to the virus removal forum, but wanted to check here first.

30j4keu.jpg

2llkis3.jpg





#2 Broni, BC Advisor

Posted 02 December 2014 - 07:12 PM

Welcome aboard!

See if the same thing happens in Safe Mode with Networking.

How to start Windows in Safe Mode




 


#3 withavision, Topic Starter

Posted 02 December 2014 - 07:46 PM

Yes, the same thing happens.

The first pop-up I get says werfault.exe - application error; then when I exit that, another pop-up comes up with the specific program I am trying to open, saying for example firefox.exe - application error.

Or if I tried to open Avast it would say avast.exe - application error... etc.



#4 Broni, BC Advisor

Posted 02 December 2014 - 07:54 PM

I'll report this topic to appropriate helpers.

1. Please let us know what Windows version you have and if it's 32- or 64-bit.
2. Is the computer bootable in any mode?

Hold on there....




 


#5 withavision, Topic Starter

Posted 02 December 2014 - 07:57 PM

Windows 7 Premium 64-bit.

As far as I can tell, yes, it is bootable in any mode.



#6 JSntgRvr, Malware Response Team

Posted 02 December 2014 - 08:49 PM

Hi and welcome.

Please download Farbar Recovery Scan Tool and save it to a flash drive.

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system, download both of them and try to run them. Only one of them will run on your system; that will be the right version.

Plug the flash drive into the infected PC.

  • If you are using Windows 8, consult How to use the Windows 8 System Recovery Environment Command Prompt to enter the System Recovery Command Prompt.
  • If you are using Vista or Windows 7, enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:
  • Restart the computer.
  • As soon as the BIOS is loaded, begin tapping the F8 key until Advanced Boot Options appears.
  • Use the arrow keys to select the Repair your computer menu item.
  • Select US as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.
  • Note: In case you cannot enter System Recovery Options by using the F8 method, you can use a Windows installation disc, or make a repair disc. Any Windows installation disc or a repair disc made on another computer can be used.

To enter System Recovery Options by using the Windows installation disc:
  • Insert the installation disc.
  • Restart your computer.
  • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
  • Click Repair your computer.
  • Select US as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.
  • On the System Recovery Options menu you will get the following options: Startup Repair, System Restore, Windows Complete PC Restore, Windows Memory Diagnostic Tool, Command Prompt.
  • Select Command Prompt.

Once in the Command Prompt:
  • In the command window type in notepad and press Enter.
  • Notepad opens. Under the File menu select Open.
  • Select "Computer" and find your flash drive letter, then close Notepad.
  • In the command window type e:\frst (for the x64 version type e:\frst64) and press Enter.
  • Note: Replace the letter e with the drive letter of your flash drive.
  • The tool will start to run.
  • When the tool opens, click Yes to the disclaimer.
  • Press the Scan button.
  • It will make a log (FRST.txt) on the flash drive. Please copy and paste it in your reply.



#7 withavision, Topic Starter

    Posted 02 December 2014 - 09:18 PM

Thanks for the help ... here is the log.

    Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 02-12-2014
    Ran by SYSTEM on MININT-6BV2GS8 on 02-12-2014 21:15:54
    Running from g:\
    Platform: Windows 7 Home Premium (X64) OS Language: English (United States)
    Internet Explorer Version 10
    Boot Mode: Recovery

    The current controlset is ControlSet001
    ATTENTION!:=====> If the system is bootable FRST must be run from normal or Safe mode to create a complete log.

    Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

    ==================== Registry (Whitelisted) ==================

    (If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

    HKLM\...\Run: [NvCplDaemon] => RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
    HKLM-x32\...\Run: [hpsysdrv] => c:\program files (x86)\hewlett-packard\HP odometer\hpsysdrv.exe [62768 2008-11-20] (Hewlett-Packard)
    HKLM-x32\...\Run: [HP Remote Solution] => C:\Program Files (x86)\Hewlett-Packard\HP Remote Solution\HP_Remote_Solution.exe [656896 2009-05-26] ()
    HKLM-x32\...\Run: [HP Software Update] => c:\Program Files (x86)\HP\HP Software Update\HPWuSchd2.exe [54576 2008-12-08] (Hewlett-Packard)
    HKLM-x32\...\Run: [] => [X]
    HKLM-x32\...\Run: [UpdatePRCShortCut] => C:\Program Files (x86)\Hewlett-Packard\Recovery\MUITransfer\MUIStartMenu.exe [222504 2009-05-19] (CyberLink Corp.)
    HKLM-x32\...\Run: [SunJavaUpdateSched] => C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe [254696 2011-06-09] (Sun Microsystems, Inc.)
    HKLM-x32\...\Run: [Adobe ARM] => C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe [959904 2013-11-21] (Adobe Systems Incorporated)
    HKLM-x32\...\Run: [APSDaemon] => C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe [60712 2014-10-11] (Apple Inc.)
    HKLM-x32\...\Run: [AvastUI.exe] => C:\Program Files\AVAST Software\Avast\AvastUI.exe [4085896 2014-07-31] (AVAST Software)
    HKLM-x32\...\Run: [iTunesHelper] => C:\Program Files (x86)\iTunes\iTunesHelper.exe [157480 2014-10-15] (Apple Inc.)
    HKLM-x32\...\Run: [QuickTime Task] => C:\Program Files (x86)\QuickTime\QTTask.exe [421888 2014-10-02] (Apple Inc.)
    HKLM\...\RunOnce: [NCPluginUpdater] => C:\Program Files (x86)\Hewlett-Packard\HP Health Check\ActiveCheck\product_line\NCPluginUpdater.exe [21720 2014-11-11] (Hewlett-Packard)
    HKLM\...D6A79037F57F\InprocServer32: [Default-fastprox] C:\$Recycle.Bin\S-1-5-18\$10219958271e31d273cf780f6504c73e\n. ATTENTION! ====> ZeroAccess?
    HKU\Default\...\Run: [HPADVISOR] => [X]
    HKU\Default User\...\Run: [HPADVISOR] => [X]
    HKU\Millers\...\Run: [KGShareApp] => C:\Program Files (x86)\Kodak\KODAK Share Button App\KGShare_App.exe [394752 2012-06-26] (Eastman Kodak Company)
    HKU\Millers\...\Run: [iCloudServices] => C:\Program Files (x86)\Common Files\Apple\Internet Services\iCloudServices.exe [43816 2014-08-07] (Apple Inc.)
    HKU\Millers\...\Policies\Explorer: [HideSCAHealth] 1

    ==================== Services (Whitelisted) =================

    (If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

    S2 !SASCORE; C:\Program Files\SUPERAntiSpyware\SASCORE64.EXE [140672 2011-08-11] (SUPERAntiSpyware.com)
    S2 avast! Antivirus; C:\Program Files\AVAST Software\Avast\AvastSvc.exe [50344 2014-07-27] (AVAST Software)

    ==================== Drivers (Whitelisted) ====================

    (If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

    S2 aswHwid; C:\Windows\system32\drivers\aswHwid.sys [29208 2014-07-27] ()
    S2 aswMonFlt; C:\Windows\system32\drivers\aswMonFlt.sys [79184 2014-07-27] (AVAST Software)
    S1 aswRdr; C:\Windows\system32\drivers\aswRdr2.sys [93568 2014-07-27] (AVAST Software)
    S0 aswRvrt; C:\Windows\System32\Drivers\aswRvrt.sys [65776 2014-07-27] ()
    S1 aswSnx; C:\Windows\system32\drivers\aswSnx.sys [1041168 2014-07-27] (AVAST Software)
    S1 aswSP; C:\Windows\system32\drivers\aswSP.sys [427360 2014-07-27] (AVAST Software)
    S2 aswStm; C:\Windows\system32\drivers\aswStm.sys [92008 2014-07-27] (AVAST Software)
    S0 aswVmm; C:\Windows\System32\Drivers\aswVmm.sys [224896 2014-07-27] ()
    S1 SASDIFSV; C:\Program Files\SUPERAntiSpyware\SASDIFSV64.SYS [14928 2011-07-22] (SUPERAdBlocker.com and SUPERAntiSpyware.com)
    S1 SASKUTIL; C:\Program Files\SUPERAntiSpyware\SASKUTIL64.SYS [12368 2011-07-12] (SUPERAdBlocker.com and SUPERAntiSpyware.com)

    ==================== NetSvcs (Whitelisted) ===================

    (If an item is included in the fixlist, it will be removed from the registry. Any associated file could be listed separately to be moved.)


    ==================== One Month Created Files and Folders ========

    (If an entry is included in the fixlist, the file\folder will be moved.)

    2014-12-02 21:15 - 2014-12-02 21:15 - 00000000 ____D () C:\FRST
    2014-12-02 21:09 - 2014-12-02 21:09 - 00000000 ____D () C:\ProgramData\Recovery
    2014-11-10 12:10 - 2014-11-10 12:50 - 00000000 ___HD () C:\Users\Public\Documents\Report
    2014-11-02 09:39 - 2014-11-02 09:39 - 00001851 _____ () C:\Users\Public\Desktop\QuickTime Player.lnk
    2014-11-02 09:38 - 2014-11-02 09:39 - 00000000 ____D () C:\Program Files (x86)\QuickTime
    2014-11-02 09:37 - 2014-11-02 09:37 - 00001789 _____ () C:\Users\Public\Desktop\iTunes.lnk
    2014-11-02 09:36 - 2014-11-02 09:37 - 00000000 ____D () C:\ProgramData\E1864A66-75E3-486a-BD95-D1B7D99A84A7
    2014-11-02 09:36 - 2014-11-02 09:37 - 00000000 ____D () C:\Program Files\iTunes
    2014-11-02 09:36 - 2014-11-02 09:36 - 00000000 ____D () C:\Program Files\iPod

    ==================== One Month Modified Files and Folders =======

    (If an entry is included in the fixlist, the file\folder will be moved.)

    2014-12-02 16:53 - 2009-11-25 08:29 - 01237377 _____ () C:\Windows\WindowsUpdate.log
    2014-12-02 16:45 - 2012-01-02 14:12 - 00008844 _____ () C:\Windows\setupact.log
    2014-12-02 16:32 - 2009-07-13 21:13 - 00726270 _____ () C:\Windows\System32\PerfStringBackup.INI
    2014-12-02 16:27 - 2013-06-18 04:09 - 00000894 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
    2014-12-02 16:27 - 2009-07-13 21:08 - 00000006 ____H () C:\Windows\Tasks\SA.DAT
    2014-12-02 16:08 - 2013-06-18 04:09 - 00000898 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
    2014-12-02 15:27 - 2012-06-30 06:27 - 00000340 _____ () C:\Windows\Tasks\HPCeeScheduleForMillers.job
    2014-12-02 15:27 - 2009-12-28 21:07 - 00000552 _____ () C:\Windows\Tasks\PCDRScheduledMaintenance.job
    2014-11-13 17:40 - 2009-07-13 20:45 - 00015792 ____H () C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
    2014-11-13 17:40 - 2009-07-13 20:45 - 00015792 ____H () C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
    2014-11-12 04:48 - 2013-06-17 15:33 - 00004182 _____ () C:\Windows\System32\Tasks\avast! Emergency Update
    2014-11-10 12:11 - 2012-06-30 06:27 - 00003198 _____ () C:\Windows\System32\Tasks\HPCeeScheduleForMillers
    2014-11-10 12:11 - 2011-10-29 05:43 - 00000000 _____ () C:\Windows\System32\HP_ActiveX_Patch_NOT_DETECTED.txt
    2014-11-10 12:11 - 2009-12-29 17:25 - 00000052 _____ () C:\Windows\SysWOW64\DOErrors.log
    2014-11-04 11:48 - 2012-01-02 14:11 - 00387530 _____ () C:\Windows\PFRO.log
    2014-11-02 09:37 - 2009-12-29 09:40 - 00000000 ____D () C:\Program Files (x86)\iTunes
    2014-11-02 09:36 - 2014-02-02 11:33 - 00000000 ____D () C:\ProgramData\34BE82C4-E596-4e99-A191-52C6199EBF69
    2014-11-02 09:36 - 2009-12-29 09:39 - 00000000 ____D () C:\Program Files\Common Files\Apple

    ZeroAccess:
    C:\$Recycle.Bin\S-1-5-21-1908465097-1785418037-3201896278-1001\$10219958271e31d273cf780f6504c73e

    ZeroAccess:
    C:\$Recycle.Bin\S-1-5-18\$10219958271e31d273cf780f6504c73e

    Files to move or delete:
    ====================
    C:\Users\Millers\acrobatreader.exe
    C:\Users\Millers\mstsc.exe
    C:\Users\Millers\rundll32.exe
    C:\Users\Millers\skype.exe
    C:\Users\Millers\spoolsv.exe


    Some content of TEMP:
    ====================
    C:\Users\Millers\AppData\Local\Temp\dropbox_sqlite_ext.{5f3e3153-5bce-5766-8f84-3e3e7ecf0d81}.tmpb84jqn.dll
    C:\Users\Millers\AppData\Local\Temp\FP_PL_PFS_INSTALLER_32bit.exe
    C:\Users\Millers\AppData\Local\Temp\HPHelpUpdater.exe
    C:\Users\Millers\AppData\Local\Temp\Resource.exe
    C:\Users\Millers\AppData\Local\Temp\setup.exe
    C:\Users\Millers\AppData\Local\Temp\sp54931.exe
    C:\Users\Millers\AppData\Local\Temp\sp58915.exe
    C:\Users\Millers\AppData\Local\Temp\UninstallHPSA.exe
    C:\Users\Millers\AppData\Local\Temp\_unps.exe


    ==================== Known DLLs (Whitelisted) ================


    ==================== Bamital & volsnap Check =================

    (There is no automatic fix for files that do not pass verification.)

    C:\Windows\System32\winlogon.exe => MD5 is legit
    C:\Windows\System32\wininit.exe => MD5 is legit
    C:\Windows\SysWOW64\wininit.exe => MD5 is legit
    C:\Windows\explorer.exe => MD5 is legit
    C:\Windows\SysWOW64\explorer.exe => MD5 is legit
    C:\Windows\System32\svchost.exe => MD5 is legit
    C:\Windows\SysWOW64\svchost.exe => MD5 is legit
    C:\Windows\System32\services.exe => MD5 is legit
    C:\Windows\System32\User32.dll => MD5 is legit
    C:\Windows\SysWOW64\User32.dll => MD5 is legit
    C:\Windows\System32\userinit.exe => MD5 is legit
    C:\Windows\SysWOW64\userinit.exe => MD5 is legit
    C:\Windows\System32\rpcss.dll => MD5 is legit
    C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit
    ATTENTION: ====> ZeroAccess. Use DeleteJunctionsIndirectory: C:\Program Files\Windows Defender

    ==================== EXE Association (whitelisted) =============


    ==================== Restore Points  =========================

    Restore point made on: 2014-09-20 09:10:09
    Restore point made on: 2014-09-27 16:18:28
    Restore point made on: 2014-10-05 15:43:00
    Restore point made on: 2014-10-14 05:29:42
    Restore point made on: 2014-10-22 15:44:06
    Restore point made on: 2014-10-30 11:09:23
    Restore point made on: 2014-11-10 12:39:40
    Restore point made on: 2014-11-19 19:05:02
    Restore point made on: 2014-11-28 17:54:37

    ==================== Memory info ===========================

    Percentage of memory in use: 23%
    Total physical RAM: 2942.49 MB
    Available physical RAM: 2246.82 MB
    Total Pagefile: 2940.64 MB
    Available Pagefile: 2234.19 MB
    Total Virtual: 8192 MB
    Available Virtual: 8191.89 MB

    ==================== Drives ================================

    Drive c: (COMPAQ) (Fixed) (Total:454.76 GB) (Free:373.96 GB) NTFS
    Drive e: (FACTORY_IMAGE) (Fixed) (Total:10.9 GB) (Free:2.01 GB) NTFS ==>[System with boot components (obtained from reading drive)]
    Drive g: (PENDRIVE) (Removable) (Total:7.45 GB) (Free:5.99 GB) FAT32
    Drive x: (Boot) (Fixed) (Total:0.08 GB) (Free:0.07 GB) NTFS
    Drive y: (SYSTEM) (Fixed) (Total:0.1 GB) (Free:0.07 GB) NTFS ==>[System with boot components (obtained from reading drive)]

    ==================== MBR & Partition Table ==================

    ========================================================
    Disk: 0 (Size: 465.8 GB) (Disk ID: 1549F232)
    Partition 1: (Active) - (Size=100 MB) - (Type=07 NTFS)
    Partition 2: (Not Active) - (Size=454.8 GB) - (Type=07 NTFS)
    Partition 3: (Not Active) - (Size=10.9 GB) - (Type=07 NTFS)

    ========================================================
    Disk: 1 (Size: 7.5 GB) (Disk ID: 00000000)

    Partition: GPT Partition Type.


    LastRegBack: 2014-12-02 15:48

    ==================== End Of Log ============================
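The log above carries the classic ZeroAccess markers a helper looks for: a system CLSID's InprocServer32 redirected into a hidden $Recycle.Bin folder, copies of system binary names dropped in the user profile root, and reparse points planted in the Windows Defender directory. As an added example (not code from the thread, BleepingComputer or FRST), the Python script below runs those checks over constructed sample lines taken from the log and drafts a fixlist in the Start/End form FRST accepts; the heuristics and the `SYSTEM_BINARY_NAMES` set are this example's own assumptions, not FRST's detection rules.

```python
"""Triage helper for an FRST.txt scan log.

Added example for this thread, not code from BleepingComputer, FRST or its
author. It flags the ZeroAccess-style indicators visible in the posted log
and drafts a fixlist in the Start/End form FRST accepts. The heuristics are
this example's own assumptions about what a reviewer looks for, not FRST's
rules, and SAMPLE_LOG is constructed from lines in the posted log.
"""
import re

# Windows binaries whose names malware often reuses when dropping a copy into
# a user's profile root instead of %SystemRoot%\System32 (assumed list).
SYSTEM_BINARY_NAMES = {
    "rundll32.exe", "spoolsv.exe", "mstsc.exe", "svchost.exe",
    "explorer.exe", "winlogon.exe", "services.exe", "lsass.exe",
}

# A COM InprocServer32 entry: "[Default-<name>] <path> ..." after the key.
INPROC_RE = re.compile(r"InprocServer32: \[[^\]]*\] (?P<path>\S+)")
# $Recycle.Bin\<SID>\$<32 hex chars>: the hidden folder ZeroAccess lives in.
ZA_DIR_RE = re.compile(
    r"^C:\\\$Recycle\.Bin\\S-1-5-[\d-]+\\\$[0-9a-f]{32}$", re.IGNORECASE)
# An .exe directly under C:\Users\<name>\ (no deeper path component).
USER_ROOT_EXE_RE = re.compile(
    r"^C:\\Users\\[^\\]+\\(?P<name>[^\\]+\.exe)$", re.IGNORECASE)
# FRST's own hint that a directory holds malicious reparse points.
JUNCTION_RE = re.compile(r"Use DeleteJunctionsIndirectory: (?P<dir>.+)$")


def triage(log_text):
    """Return (reason, fixlist_line) pairs for each suspicious log line."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = INPROC_RE.search(line)
        if m and "$recycle.bin" in m.group("path").lower():
            # A system CLSID redirected into $Recycle.Bin is the ZeroAccess
            # hijack seen in the log; the whole FRST line goes into the
            # fixlist so FRST restores the value to its default.
            findings.append(("COM InprocServer32 points into $Recycle.Bin", line))
            continue
        if ZA_DIR_RE.match(line):
            findings.append(("ZeroAccess payload directory", line))
            continue
        m = USER_ROOT_EXE_RE.match(line)
        if m:
            if m.group("name").lower() in SYSTEM_BINARY_NAMES:
                reason = "system binary name outside the system directory"
            else:
                reason = "executable dropped in user profile root"
            findings.append((reason, line))
            continue
        m = JUNCTION_RE.search(line)
        if m:
            findings.append(("reparse points blocking a security product directory",
                             "DeleteJunctionsIndirectory: " + m.group("dir")))
    return findings


def build_fixlist(findings):
    """Wrap the fixlist lines in the Start/End markers FRST expects."""
    return "\n".join(["Start"] + [fix for _, fix in findings] + ["End"])


# Constructed sample: a mix of benign and suspicious lines from the posted log.
SAMPLE_LOG = r"""
HKLM-x32\...\Run: [AvastUI.exe] => C:\Program Files\AVAST Software\Avast\AvastUI.exe [4085896 2014-07-31] (AVAST Software)
HKLM\...D6A79037F57F\InprocServer32: [Default-fastprox] C:\$Recycle.Bin\S-1-5-18\$10219958271e31d273cf780f6504c73e\n. ATTENTION! ====> ZeroAccess?
ZeroAccess:
C:\$Recycle.Bin\S-1-5-18\$10219958271e31d273cf780f6504c73e
Files to move or delete:
C:\Users\Millers\acrobatreader.exe
C:\Users\Millers\rundll32.exe
C:\Users\Millers\AppData\Local\Temp\setup.exe
C:\Windows\System32\svchost.exe => MD5 is legit
ATTENTION: ====> ZeroAccess. Use DeleteJunctionsIndirectory: C:\Program Files\Windows Defender
"""

if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for reason, fix in found:
        print(f"{reason:55} {fix}")
    print()
    print(build_fixlist(found))
```

The TEMP executables the helper also moved are deliberately not flagged here: they are routine cleanup rather than an indicator, and a triage script should keep its list short enough that a human still reads every line before it becomes a fixlist.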



#8 JSntgRvr, Malware Response Team

    Posted 03 December 2014 - 11:04 AM

Download the enclosed file. [attachment=158845:fixlist.txt]

Save it in the same location FRST is saved. Open FRST. Click on the Fix button and wait. The tool will produce a log, Fixlog.txt, in the same location FRST is saved. Please post its contents in your next reply.

Attempt to boot in Normal Mode and let me know the outcome.




#9 withavision, Topic Starter

    Posted 03 December 2014 - 11:10 AM

1. The computer is still on from the system recovery boot above; do I need to restart it or can I just do this without a reboot?

2. Open FRST the same way as above, via command prompt?

I will not be around the computer until about 7pm EST tonight. Please answer the above questions and I will do these steps at that time.

Thanks a lot.



#10 JSntgRvr, Malware Response Team

    Posted 03 December 2014 - 11:41 AM

Save the file in the same location FRST is saved. Run FRST as you did before, via Command Prompt, and click on the Fix button. Once done, restart into Normal Windows. Post the log and let me know the outcome.




#11 withavision, Topic Starter

    Posted 03 December 2014 - 07:31 PM

Here is the log.

I booted regular and a pop-up saying KGShare_App.exe - application error came up without me doing anything. I closed out of that and another one saying werfault.exe - application error came up.

When I closed that out, one that said runonce.exe - application error came up. I closed that and none came back up until I tried to open any program; then it would pop up with the program I tried to open as application error....

    Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 02-12-2014
    Ran by SYSTEM at 2014-12-03 19:24:29 Run:1
    Running from g:\
    Boot Mode: Recovery
    ==============================================

    Content of fixlist:
    *****************
    Start
    HKLM\...D6A79037F57F\InprocServer32: [Default-fastprox] C:\$Recycle.Bin\S-1-5-18\$10219958271e31d273cf780f6504c73e\n. ATTENTION! ====> ZeroAccess?
    HKU\Default\...\Run: [HPADVISOR] => [X]
    HKU\Default User\...\Run: [HPADVISOR] => [X]
    C:\$Recycle.Bin\S-1-5-21-1908465097-1785418037-3201896278-1001\$10219958271e31d273cf780f6504c73e
    C:\$Recycle.Bin\S-1-5-18\$10219958271e31d273cf780f6504c73e
    C:\Users\Millers\acrobatreader.exe
    C:\Users\Millers\mstsc.exe
    C:\Users\Millers\rundll32.exe
    C:\Users\Millers\skype.exe
    C:\Users\Millers\spoolsv.exe
    C:\Users\Millers\AppData\Local\Temp\dropbox_sqlite_ext.{5f3e3153-5bce-5766-8f84-3e3e7ecf0d81}.tmpb84jqn.dll
    C:\Users\Millers\AppData\Local\Temp\FP_PL_PFS_INSTALLER_32bit.exe
    C:\Users\Millers\AppData\Local\Temp\HPHelpUpdater.exe
    C:\Users\Millers\AppData\Local\Temp\Resource.exe
    C:\Users\Millers\AppData\Local\Temp\setup.exe
    C:\Users\Millers\AppData\Local\Temp\sp54931.exe
    C:\Users\Millers\AppData\Local\Temp\sp58915.exe
    C:\Users\Millers\AppData\Local\Temp\UninstallHPSA.exe
    C:\Users\Millers\AppData\Local\Temp\_unps.exe
    DeleteJunctionsIndirectory: C:\Program Files\Windows Defender
    End






    *****************

    HKLM\Software\Classes\CLSID\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InprocServer32\\Default => Value was restored successfully.
    HKU\Default\Software\Microsoft\Windows\CurrentVersion\Run\\HPADVISOR => value deleted successfully.
    HKU\Default User\Software\Microsoft\Windows\CurrentVersion\Run\\HPADVISOR => Value not found.
    C:\$Recycle.Bin\S-1-5-21-1908465097-1785418037-3201896278-1001\$10219958271e31d273cf780f6504c73e => Moved successfully.
    C:\$Recycle.Bin\S-1-5-18\$10219958271e31d273cf780f6504c73e => Moved successfully.
    C:\Users\Millers\acrobatreader.exe => Moved successfully.
    C:\Users\Millers\mstsc.exe => Moved successfully.
    C:\Users\Millers\rundll32.exe => Moved successfully.
    C:\Users\Millers\skype.exe => Moved successfully.
    C:\Users\Millers\spoolsv.exe => Moved successfully.
    C:\Users\Millers\AppData\Local\Temp\dropbox_sqlite_ext.{5f3e3153-5bce-5766-8f84-3e3e7ecf0d81}.tmpb84jqn.dll => Moved successfully.
    C:\Users\Millers\AppData\Local\Temp\FP_PL_PFS_INSTALLER_32bit.exe => Moved successfully.
    C:\Users\Millers\AppData\Local\Temp\HPHelpUpdater.exe => Moved successfully.
    C:\Users\Millers\AppData\Local\Temp\Resource.exe => Moved successfully.
    C:\Users\Millers\AppData\Local\Temp\setup.exe => Moved successfully.
    C:\Users\Millers\AppData\Local\Temp\sp54931.exe => Moved successfully.
    C:\Users\Millers\AppData\Local\Temp\sp58915.exe => Moved successfully.
    C:\Users\Millers\AppData\Local\Temp\UninstallHPSA.exe => Moved successfully.
    C:\Users\Millers\AppData\Local\Temp\_unps.exe => Moved successfully.
    "C:\Program Files\Windows Defender" => Deleting reparse point and unlocking started.
    "C:\Program Files\Windows Defender\en-US" => Deleting reparse point and unlocking done.
    "C:\Program Files\Windows Defender\MpAsDesc.dll" => Deleting reparse point and unlocking done.
    "C:\Program Files\Windows Defender\MpClient.dll" => Deleting reparse point and unlocking done.
    "C:\Program Files\Windows Defender\MpCmdRun.exe" => Deleting reparse point and unlocking done.
    "C:\Program Files\Windows Defender\MpCommu.dll" => Deleting reparse point and unlocking done.
    "C:\Program Files\Windows Defender\MpEvMsg.dll" => Deleting reparse point and unlocking done.
    "C:\Program Files\Windows Defender\MpOAV.dll" => Deleting reparse point and unlocking done.
    "C:\Program Files\Windows Defender\MpRTP.dll" => Deleting reparse point and unlocking done.
    "C:\Program Files\Windows Defender\MpSvc.dll" => Deleting reparse point and unlocking done.
    "C:\Program Files\Windows Defender\MSASCui.exe" => Deleting reparse point and unlocking done.
    "C:\Program Files\Windows Defender\MsMpCom.dll" => Deleting reparse point and unlocking done.
    "C:\Program Files\Windows Defender\MsMpLics.dll" => Deleting reparse point and unlocking done.
    "C:\Program Files\Windows Defender\MsMpRes.dll" => Deleting reparse point and unlocking done.
    "C:\Program Files\Windows Defender" => Deleting reparse point and unlocking completed.

    ==== End of Fixlog ====



#12 JSntgRvr, Malware Response Team

    Posted 04 December 2014 - 11:13 AM

That error seems to be related to your Kodak application, the other to an HP installation. We will take care of these after the cleaning.

Please download Junkware Removal Tool to your desktop.

    • Shut down your protection software now to avoid potential conflicts.
    • Run the tool by double-clicking it. If you are using Windows Vista, 7, or 8, instead of double-clicking, right-click JRT.exe and select "Run as Administrator".
    • The tool will open and start scanning your system.
    • Please be patient as this can take a while to complete depending on your system's specifications.
    • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
    • Post the contents of JRT.txt into your next message.

Download AdwCleaner from here. Save the file to the desktop.

NOTE: If you are using IE 8 or above you may get a warning that stops the program from downloading. Just click on the warning and allow the download to complete.

Close all open windows and browsers.

    • XP users: Double-click the AdwCleaner icon to start the program.
    • Vista/7/8 users: Right-click the AdwCleaner icon on the desktop, click Run as administrator and accept the UAC prompt to run AdwCleaner. You will see the AdwCleaner console.
    • Click the Scan button and wait for the scan to finish.
    • After the scan has finished, the window may or may not show what it found, and above, in the progress bar, you will see: Pending. Please uncheck elements you don't want to remove.
    • Click the Clean button.
    • Everything checked will be deleted.
    • When the program has finished cleaning, a report appears. Once done it will ask to reboot; allow this.
    • On reboot a log will be produced; please copy / paste that in your next reply. This report is also saved to C:\AdwCleaner\AdwCleaner[S0].txt

Please download Malwarebytes' Anti-Malware from Here

Double-click mbam-setup-2.0..exe to install the application. (The revision number may vary.)

    • Select the language and click OK.
    • Accept the agreement.
    • If an update is found, it will download and install the latest version.
    • Once the program has loaded, select "Scan Now".
    • The scan may take some time to finish, so please be patient.
    • When the scan is complete, click on Quarantine All.
    • When disinfection is completed, a dialog will open and you may be prompted to Restart. (See Extra Note)
    • Upon restart, launch Malwarebytes Anti-Malware and select History.
    • Double-click on the last scan done, then on Copy to Clipboard.
    • Right-click on your next reply and select Paste.
    • Submit your reply.
    • Extra Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

    Edited by JSntgRvr, 04 December 2014 - 11:22 AM.



#13 withavision, Topic Starter

    Posted 04 December 2014 - 05:50 PM

    It will not let me open any of these programs in order to be able to run them.  It pops up with the application error and will not open any of them when I right click and try to run as admin ....



#14 JSntgRvr, Malware Response Team

    Posted 04 December 2014 - 05:59 PM

RKill is a program developed at BleepingComputer.com that was originally designed for use in our virus removal guides. It was created so that we could have an easy-to-use tool that kills known processes and removes Windows Registry entries that stop a user from using their normal security applications. Simple as that. Nothing fancy. Just kill known malware processes and clean up some Registry keys so that your security programs can do their job.

So in summary, RKill just kills 32-bit and 64-bit malware processes and scans the registry for entries that would not allow you to run various legitimate programs. When scanning the Registry, RKill will search for malicious Image File Execution Objects, DisallowRun entries, executable hijacks, and policies that restrict your use of various Windows utilities. When changing Windows Registry entries it will create a backup of these entries and save them in the rkill folder on your desktop. Each registry backup will contain a time stamp so that the backups are not overwritten on subsequent runs of RKill.

Since RKill only terminates processes and does not remove the offending files, when it is finished you should not reboot your computer. If you do, the malware processes that are set to start automatically will just start up again. Instead, after running RKill you should scan your computer using your malware removal tool of choice. If there is a problem after running RKill, just reboot your computer and you will be back to where you started before running the program.

RKill can be downloaded from the following location:

A report, rkill.log, will be created in the root directory, usually C:\. Post that report in your next reply.

Attempt to run the applications in POST # 12 after running RKill.



#15 withavision, Topic Starter

    Posted 04 December 2014 - 06:08 PM

How should I run RKill? I cannot double-click to run; the command prompt comes up, but I get that application error again and nothing happens, the command prompt just sits there blank.

Isn't there a way to put it in a folder so it runs on boot and stops anything before it can even start?


    Edited by withavision, 04 December 2014 - 06:15 PM.




