
MS Security Essentials Problems.


  • This topic is locked
8 replies to this topic

#1 pzahra

pzahra

  • Members
  • 59 posts

Posted 10 July 2015 - 12:00 PM

My MS Security Essentials real-time scanning will not turn on. Earlier this week I was getting process stop errors and the full scan would not complete. I uninstalled and re-installed MS SE, and then the real-time protection stopped and cannot be restarted.

 

Operating System: Windows 7 Professional Service Pack 1, 64-bit operating system

 

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version:09-07-2015
Ran by Paul (administrator) on PAUL-THINK on 10-07-2015 09:47:10
Running from C:\Users\Paul\Downloads
Loaded Profiles: Paul (Available Profiles: Paul)
Platform: Windows 7 Professional Service Pack 1 (X64) OS Language: English (United States)
Internet Explorer Version 11 (Default browser: Chrome)
Boot Mode: Normal
 
==================== Processes (Whitelisted) =================
 
(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)
 
(Lenovo.) C:\Windows\System32\ibmpmsvc.exe
(Microsoft Corporation) C:\Program Files\Microsoft Security Client\MsMpEng.exe
(Cisco Systems, Inc.) C:\Program Files (x86)\Cisco\Cisco AnyConnect Secure Mobility Client\vpnagent.exe
(Lenovo) C:\Program Files (x86)\Lenovo\Access Connections\AcPrfMgrSvc.exe
(Alcatel-Lucent) C:\Program Files (x86)\ATT\8.3.1.7\ma\bin\MAHostService.exe
(Lenovo) C:\Program Files (x86)\Lenovo\RapidBoot HDD Accelerator\FBService.exe
(Intel® Corporation) C:\Program Files\Intel\iCLS Client\HeciServer.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\DAL\Jhi_service.exe
(Lenovo Group Limited) C:\Program Files\Lenovo\Communications Utility\CamMute.exe
(Lenovo Group Limited) C:\Program Files\Lenovo\Communications Utility\TPKNRSVC.exe
(Lenovo Group Limited) C:\Program Files\Lenovo\VIRTSCRL\lvvsst.exe
(Nitro PDF Software) C:\Program Files\Common Files\Nitro PDF\Professional\7.0\NitroPDFDriverService2x64.exe
(Nalpeiron Ltd.) C:\Windows\SysWOW64\NLSSRV32.EXE
(Alcatel-Lucent) C:\Program Files (x86)\Common Files\Motive\pcCMService.exe
(Joyent, Inc) C:\Program Files (x86)\ATT\8.3.1.7\ma\bin\node.exe
(Lenovo Group Limited) C:\Program Files\Lenovo\HOTKEY\TPHKSVC.exe
(Ulead Systems, Inc.) C:\Program Files (x86)\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
(Microsoft Corp.) C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
(Lenovo) C:\Program Files (x86)\Lenovo\Access Connections\AcSvc.exe
(Lenovo Group Limited) C:\Program Files\Lenovo\HOTKEY\micmute.exe
(Lenovo Group Limited) C:\Program Files\Lenovo\HOTKEY\tphkload.exe
(Microsoft Corp.) C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVCM.EXE
(Intuit Inc.) C:\Program Files (x86)\Common Files\Intuit\Update Service v4\IntuitUpdateService.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\LMS\LMS.exe
(Protexis Inc.) C:\Program Files (x86)\Common Files\Protexis\License Service\PsiService_2.exe
(Symantec Corporation) C:\Program Files (x86)\Symantec\VIP Access Client\VIPAppService.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe
(Lenovo Group Limited) C:\Program Files\Lenovo\VIRTSCRL\virtscrl.exe
(Microsoft Corporation) C:\Windows\System32\rundll32.exe
(Lenovo Group Limited) C:\Program Files\Lenovo\HOTKEY\TPONSCR.exe
(Lenovo Group Limited) C:\Program Files\Lenovo\HOTKEY\shtctky.exe
(Lenovo Group Limited) C:\Program Files\Lenovo\HOTKEY\tpnumlkd.exe
(Synaptics Incorporated) C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
(Synaptics Incorporated) C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
(Synaptics Incorporated) C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
(Lenovo) C:\Program Files (x86)\Lenovo\Access Connections\AcDeskBandHlpr.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe
(Lenovo.) C:\Windows\System32\TpShocks.exe
(Lenovo Group Limited) C:\Program Files\Lenovo\Communications Utility\TpKnrres.exe
(Microsoft Corporation) C:\Program Files\Microsoft IntelliPoint\ipoint.exe
(Intel Corporation) C:\Windows\System32\hkcmd.exe
(Intel Corporation) C:\Windows\System32\igfxpers.exe
(Microsoft Corporation) C:\Program Files\Microsoft Security Client\msseces.exe
(Microsoft Corporation) C:\Program Files\Windows Sidebar\sidebar.exe
(Microsoft Corporation) C:\Windows\System32\StikyNot.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe
(Microsoft Corporation) C:\Windows\SysWOW64\rundll32.exe
(Microsoft Corporation) C:\Windows\System32\rundll32.exe
(Intel Corporation) C:\Program Files (x86)\Intel\IntelAppStore\bin\ismagent.exe
(Dolby Laboratories Inc.) C:\Program Files (x86)\Dolby Advanced Audio v2\pcee4.exe
(Brother Industries, Ltd.) C:\Program Files (x86)\Brother\ControlCenter3\BrccMCtl.exe
(Cisco Systems, Inc.) C:\Program Files (x86)\Cisco\Cisco AnyConnect Secure Mobility Client\vpnui.exe
(Microsoft Corporation) C:\Windows\System32\GWX\GWX.exe
(Lenovo) C:\Program Files (x86)\Lenovo\Access Connections\SvcGuiHlpr.exe
(Lenovo Group Limited) C:\Program Files (x86)\ThinkPad\Utilities\SCHTASK.EXE
(Lenovo) C:\Program Files\Lenovo\Lenovo Solution Center\LSCNotify.exe
(Lenovo) C:\Program Files (x86)\Lenovo\Message Center Plus\MCPLaunch.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\IMSS\PrivacyIconClient.exe
(Lenovo) C:\Program Files (x86)\ThinkPad\Utilities\PWMDBSVC.exe
(Microsoft Corporation) C:\Windows\System32\rundll32.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Microsoft Corporation) C:\Program Files (x86)\Windows Live\Mail\wlmail.exe
(Microsoft Corporation) C:\Program Files (x86)\Windows Live\Contacts\wlcomm.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe
 
 
==================== Registry (Whitelisted) ==================
 
(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)
 
HKLM\...\Run: [RTHDVCPL] => C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe [13653208 2013-09-13] (Realtek Semiconductor)
HKLM\...\Run: [RtHDVBg_Dolby] => C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe [1321688 2013-08-30] (Realtek Semiconductor)
HKLM\...\Run: [TpShocks] => C:\Windows\system32\TpShocks.exe [384344 2014-02-17] (Lenovo.)
HKLM\...\Run: [LENOVO.TPKNRRES] => C:\Program Files\Lenovo\Communications Utility\TPKNRRES.exe [295712 2014-07-24] (Lenovo Group Limited)
HKLM\...\Run: [IntelliPoint] => c:\Program Files\Microsoft IntelliPoint\ipoint.exe [2417032 2011-08-01] (Microsoft Corporation)
HKLM\...\Run: [MSC] => c:\Program Files\Microsoft Security Client\msseces.exe [1337000 2015-04-30] (Microsoft Corporation)
HKLM\...\Run: [AcWin7Hlpr] => C:\Program Files (x86)\Lenovo\Access Connections\AcTBenabler.exe [63832 2014-03-14] (Lenovo)
HKLM-x32\...\Run: [USB3MON] => C:\Program Files (x86)\Intel\Intel® USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe [291608 2012-04-19] (Intel Corporation)
HKLM-x32\...\Run: [IMSS] => C:\Program Files (x86)\Intel\Intel® Management Engine Components\IMSS\PIconStartup.exe [133400 2012-02-28] (Intel Corporation)
HKLM-x32\...\Run: [PWMTRV] => rundll32 "C:\Program Files (x86)\ThinkPad\Utilities\PWMTR64V.DLL",PwrMgrBkGndMonitor
HKLM-x32\...\Run: [Fastboot] => C:\Program Files (x86)\Lenovo\RapidBoot HDD Accelerator\FBConsole.exe [1091376 2012-01-16] (Lenovo)
HKLM-x32\...\Run: [Intel AppUp(SM) center] => C:\Program Files (x86)\Intel\IntelAppStore\bin\ismagent.exe [155488 2012-07-12] (Intel Corporation)
HKLM-x32\...\Run: [Lenovo Registration] => C:\Program Files (x86)\Lenovo Registration\LenovoReg.exe [4351712 2011-07-13] (Lenovo, Inc.)
HKLM-x32\...\Run: [BrMfcWnd] => C:\Program Files (x86)\Brother\Brmfcmon\BrMfcWnd.exe [1159168 2009-05-26] (Brother Industries, Ltd.)
HKLM-x32\...\Run: [ControlCenter3] => C:\Program Files (x86)\Brother\ControlCenter3\brctrcen.exe [114688 2008-12-24] (Brother Industries, Ltd.)
HKLM-x32\...\Run: [Dolby Advanced Audio v2] => C:\Program Files (x86)\Dolby Advanced Audio v2\pcee4.exe [508656 2012-08-31] (Dolby Laboratories Inc.)
HKLM-x32\...\Run: [Cisco AnyConnect Secure Mobility Agent for Windows] => C:\Program Files (x86)\Cisco\Cisco AnyConnect Secure Mobility Client\vpnui.exe [703888 2013-03-26] (Cisco Systems, Inc.)
Winlogon\Notify\igfxcui: C:\Windows\system32\igfxdev.dll (Intel Corporation)
HKLM\...\Policies\Explorer: [NoControlPanel] 0
HKU\S-1-5-21-1189826940-687842569-1934206052-1000\...\Run: [RESTART_STICKY_NOTES] => C:\Windows\System32\StikyNot.exe [427520 2009-07-13] (Microsoft Corporation)
HKU\S-1-5-21-1189826940-687842569-1934206052-1000\...\MountPoints2: {1666c438-eb20-11e1-a416-806e6f6e6963} - Q:\LenovoQDrive.exe
HKU\S-1-5-21-1189826940-687842569-1934206052-1000\...\MountPoints2: {aa1951b9-c2b2-11e3-94e3-e9425de1bd46} - D:\LaunchU3.exe -a
HKU\S-1-5-21-1189826940-687842569-1934206052-1000\...\MountPoints2: {cec58008-625f-11e2-b672-0021ccc5fb4f} - E:\LaunchU3.exe -a
HKU\S-1-5-21-1189826940-687842569-1934206052-1000\...\MountPoints2: {fd2386eb-fa35-11e1-add6-0021ccc5fb4f} - D:\LaunchU3.exe -a
HKU\S-1-5-18\...\RunOnce: [{90140000-003D-0000-0000-0000000FF1CE}] => C:\Windows\system32\cmd.exe /C del "C:\ProgramData\Microsoft Help\Rgstrtn.lck" /Q /A:H
ShellIconOverlayIdentifiers: [SugarSyncBackedUp] -> {0C4A258A-3F3B-4FFF-80A7-9B3BEC139472} => C:\Program Files (x86)\SugarSync\SugarSyncShellExt_x64.dll [2012-05-14] (SugarSync, Inc.)
ShellIconOverlayIdentifiers: [SugarSyncPending] -> {62CCD8E3-9C21-41E1-B55E-1E26DFC68511} => C:\Program Files (x86)\SugarSync\SugarSyncShellExt_x64.dll [2012-05-14] (SugarSync, Inc.)
ShellIconOverlayIdentifiers: [SugarSyncRoot] -> {A759AFF6-5851-457D-A540-F4ECED148351} => C:\Program Files (x86)\SugarSync\SugarSyncShellExt_x64.dll [2012-05-14] (SugarSync, Inc.)
ShellIconOverlayIdentifiers: [SugarSyncShared] -> {1574C9EF-7D58-488F-B358-8B78C1538F51} => C:\Program Files (x86)\SugarSync\SugarSyncShellExt_x64.dll [2012-05-14] (SugarSync, Inc.)
 
==================== Internet (Whitelisted) ====================
 
(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)
 
HKU\S-1-5-21-1189826940-687842569-1934206052-1000\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://www.msn.com/?ocid=iehp
SearchScopes: HKU\.DEFAULT -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
SearchScopes: HKU\S-1-5-19 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
SearchScopes: HKU\S-1-5-20 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
SearchScopes: HKU\S-1-5-21-1189826940-687842569-1934206052-1000 -> {6A1806CD-94D4-4689-BA73-E35EA1EA9990} URL = 
BHO: Windows Live ID Sign-in Helper -> {9030D464-4C02-4ABF-8ECC-5164760863C6} -> C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll [2012-07-17] (Microsoft Corp.)
BHO: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL [2013-03-06] (Microsoft Corporation)
BHO: Symantec VIP Access Add-On -> {C63CD127-A1CB-4D49-A4F7-D6F88A917BE6} -> C:\Program Files (x86)\Symantec\VIP Access Client\64bit\VIPAddOnForIE64.dll [2012-04-19] (Symantec Corporation)
BHO-x32: Java™ Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files (x86)\Java\jre1.8.0_31\bin\ssv.dll [2015-02-05] (Oracle Corporation)
BHO-x32: Windows Live ID Sign-in Helper -> {9030D464-4C02-4ABF-8ECC-5164760863C6} -> C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll [2012-07-17] (Microsoft Corp.)
BHO-x32: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files (x86)\Microsoft Office\Office14\URLREDIR.DLL [2013-03-06] (Microsoft Corporation)
BHO-x32: Symantec VIP Access Add-On -> {C63CD127-A1CB-4D49-A4F7-D6F88A917BE6} -> C:\Program Files (x86)\Symantec\VIP Access Client\VIPAddOnForIE.dll [2012-04-19] (Symantec Corporation)
BHO-x32: Java™ Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files (x86)\Java\jre1.8.0_31\bin\jp2ssv.dll [2015-02-05] (Oracle Corporation)
DPF: HKLM-x32 {357A8DEC-0CAC-4D8D-9869-C2C356B844F7} http://192.168.1.101/RSVideoOcx.cab
Tcpip\Parameters: [DhcpNameServer] 192.168.1.254
Tcpip\..\Interfaces\{30D99D1A-D25F-48B3-AD5F-DBA628D46655}: [DhcpNameServer] 192.168.1.254
 
FireFox:
========
FF Plugin: @adobe.com/FlashPlayer -> C:\Windows\system32\Macromed\Flash\NPSWF64_15_0_0_246.dll [2014-12-10] ()
FF Plugin: @microsoft.com/GENUINE -> disabled No File
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files\Microsoft Silverlight\5.1.40416.0\npctrl.dll [2015-04-16] ( Microsoft Corporation)
FF Plugin: @microsoft.com/OfficeAuthz,version=14.0 -> C:\PROGRA~1\MICROS~1\Office14\NPAUTHZ.DLL [2010-01-09] (Microsoft Corporation)
FF Plugin-x32: @adobe.com/FlashPlayer -> C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_15_0_0_246.dll [2014-12-10] ()
FF Plugin-x32: @intel-webapi.intel.com/Intel WebAPI ipt;version=2.0.59 -> C:\Program Files (x86)\Intel\Intel® Management Engine Components\IPT\npIntelWebAPIIPT.dll [2012-01-05] (Intel Corporation)
FF Plugin-x32: @intel-webapi.intel.com/Intel WebAPI updater -> C:\Program Files (x86)\Intel\Intel® Management Engine Components\IPT\npIntelWebAPIUpdater.dll [2012-01-05] (Intel Corporation)
FF Plugin-x32: @java.com/DTPlugin,version=11.31.2 -> C:\Program Files (x86)\Java\jre1.8.0_31\bin\dtplugin\npDeployJava1.dll [2015-02-05] (Oracle Corporation)
FF Plugin-x32: @java.com/JavaPlugin,version=11.31.2 -> C:\Program Files (x86)\Java\jre1.8.0_31\bin\plugin2\npjp2.dll [2015-02-05] (Oracle Corporation)
FF Plugin-x32: @mcafee.com/MVT -> C:\Program Files (x86)\McAfee\Supportability\MVT\NPMVTPlugin.dll No File
FF Plugin-x32: @microsoft.com/GENUINE -> disabled No File
FF Plugin-x32: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files (x86)\Microsoft Silverlight\5.1.40416.0\npctrl.dll [2015-04-15] ( Microsoft Corporation)
FF Plugin-x32: @microsoft.com/OfficeAuthz,version=14.0 -> C:\PROGRA~2\MICROS~3\Office14\NPAUTHZ.DLL [2010-01-09] (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/SharePoint,version=14.0 -> C:\PROGRA~2\MICROS~3\Office14\NPSPWRAP.DLL [2010-03-24] (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/WLPG,version=15.4.3502.0922 -> C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll [2014-03-31] (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/WLPG,version=16.4.3528.0331 -> C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll [2014-03-31] (Microsoft Corporation)
FF Plugin-x32: @Motive.com/NpMotive,version=1.0 -> C:\Program Files (x86)\ATT\8.3.1.7\ma\bin\npMotive.dll [2013-07-03] (Alcatel-Lucent)
FF Plugin-x32: @Motive.com/npMotiveRequest,version=1.0 -> C:\Program Files (x86)\Common Files\Motive\npMotiveRequest.dll [2011-12-06] (Alcatel-Lucent)
FF Plugin-x32: @nitropdf.com/NitroPDF -> C:\Program Files (x86)\Nitro PDF\Professional 7\npnitromozilla.dll [2012-05-23] ( )
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.27.5\npGoogleUpdate3.dll [2015-05-15] (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.27.5\npGoogleUpdate3.dll [2015-05-15] (Google Inc.)
FF Plugin-x32: Adobe Reader -> C:\Program Files (x86)\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll [2015-05-01] (Adobe Systems Inc.)
FF HKLM-x32\...\Firefox\Extensions: [VIP5X@verisign.com] - C:\Program Files (x86)\Symantec\VIP Access Client
FF Extension: Symantec VIP Access Add-On - C:\Program Files (x86)\Symantec\VIP Access Client [2012-08-20]
 
Chrome: 
=======
CHR Profile: C:\Users\Paul\AppData\Local\Google\Chrome\User Data\Default
CHR Extension: (Motive Extension) - C:\Users\Paul\AppData\Local\Google\Chrome\User Data\Default\Extensions\edmgmpmklgfbohogafcfobonnkogchec [2015-04-30]
CHR Extension: (IE Tab) - C:\Users\Paul\AppData\Local\Google\Chrome\User Data\Default\Extensions\hehijbfgiekmjfkfjpbkbammjbdenadd [2015-04-30]
CHR Extension: (Chrome Hotword Shared Module) - C:\Users\Paul\AppData\Local\Google\Chrome\User Data\Default\Extensions\lccekmodgklaepjeofjdjpbminllajkg [2015-03-04]
CHR Extension: (Google Wallet) - C:\Users\Paul\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2014-01-20]
CHR HKLM-x32\...\Chrome\Extension: [edmgmpmklgfbohogafcfobonnkogchec] - C:\Program Files (x86)\Common Files\Motive\extensions\MotiveRequest.crx [2013-08-03]
 
==================== Services (Whitelisted) =================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
R2 ATT MAHostService; C:\Program Files (x86)\ATT\8.3.1.7\ma\bin\MAHostService.exe [321024 2013-07-03] (Alcatel-Lucent) [File not signed]
S3 DozeSvc; C:\Program Files (x86)\ThinkPad\Utilities\DZSVC64.EXE [319536 2014-08-05] (Lenovo.)
R2 FastbootService; C:\Program Files (x86)\Lenovo\RapidBoot HDD Accelerator\FBService.exe [169776 2012-01-16] (Lenovo)
R2 HPSLPSVC; C:\Program Files (x86)\HP\Digital Imaging\bin\HPSLPSVC64.DLL [1037824 2009-09-08] (Hewlett-Packard Co.) [File not signed]
R2 jhi_service; C:\Program Files (x86)\Intel\Intel® Management Engine Components\DAL\jhi_service.exe [161560 2012-02-28] (Intel Corporation)
S3 Lenovo EasyPlus Hotspot; C:\Program Files (x86)\Common Files\lenovo\easyplussdk\bin\EPHotspot64.exe [559872 2014-08-06] (Lenovo)
R2 Lenovo.VIRTSCRLSVC; C:\Program Files\LENOVO\VIRTSCRL\lvvsst.exe [115184 2014-07-08] (Lenovo Group Limited)
S3 LSCWinService; C:\Program Files\Lenovo\Lenovo Solution Center\App\LSCWinService.exe [272440 2015-03-09] (Lenovo)
R2 MsMpSvc; c:\Program Files\Microsoft Security Client\MsMpEng.exe [23816 2015-04-30] (Microsoft Corporation)
R2 Net Driver HPZ12; C:\Windows\system32\HPZinw12.dll [71680 2008-12-03] (Hewlett-Packard) [File not signed]
S3 NisSrv; c:\Program Files\Microsoft Security Client\NisSrv.exe [366544 2015-04-30] (Microsoft Corporation)
R2 NitroDriverReadSpool2; C:\Program Files\Common Files\Nitro PDF\Professional\7.0\NitroPDFDriverService2x64.exe [216072 2012-05-23] (Nitro PDF Software)
R2 pcCMService; C:\Program Files (x86)\Common Files\Motive\pcCMService.exe [369152 2013-03-02] (Alcatel-Lucent) [File not signed]
S2 pcCMService64; C:\Program Files\Common Files\Motive\pcCMService.exe [460288 2013-03-02] (Alcatel-Lucent) [File not signed]
R2 Pml Driver HPZ12; C:\Windows\system32\HPZipm12.dll [89600 2008-12-03] (Hewlett-Packard) [File not signed]
S3 SUService; C:\Program Files (x86)\Lenovo\System Update\SUService.exe [24560 2014-06-18] ()
R2 UleadBurningHelper; C:\Program Files (x86)\Common Files\Ulead Systems\DVD\ULCDRSvr.exe [61440 2008-01-10] (Ulead Systems, Inc.) [File not signed]
R2 VIPAppService; C:\Program Files (x86)\Symantec\VIP Access Client\VIPAppService.exe [84080 2012-04-19] (Symantec Corporation)
S3 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [1011712 2013-05-26] (Microsoft Corporation)
 
==================== Drivers (Whitelisted) ====================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
S3 Fastboot; C:\Windows\System32\DRIVERS\Fastboot.sys [70416 2012-01-16] (Windows ® Win 7 DDK provider)
R0 MpFilter; C:\Windows\System32\DRIVERS\MpFilter.sys [248240 2013-09-27] (Microsoft Corporation)
S3 MREMP50; C:\Program Files (x86)\Common Files\Motive\MREMP50.sys [21248 2010-02-02] (Printing Communications Assoc., Inc. (PCAUSA)) [File not signed]
S3 MREMP50a64; C:\Program Files\Common Files\Motive\MREMP50a64.SYS [43008 2010-02-02] (Printing Communications Assoc., Inc. (PCAUSA))
S3 MRESP50; C:\Program Files (x86)\Common Files\Motive\MRESP50.sys [20096 2010-02-02] (Printing Communications Assoc., Inc. (PCAUSA)) [File not signed]
S3 MRESP50a64; C:\Program Files\Common Files\Motive\MRESP50a64.SYS [40960 2010-02-02] (Printing Communications Assoc., Inc. (PCAUSA))
S3 NisDrv; C:\Windows\System32\DRIVERS\NisDrvWFP.sys [134944 2013-09-27] (Microsoft Corporation)
R3 SmbDrvI; C:\Windows\System32\DRIVERS\Smb_driver_Intel.sys [45296 2014-07-28] (Synaptics Incorporated)
R3 TVTI2C; C:\Windows\System32\DRIVERS\Tvti2c.sys [40248 2011-05-29] (Lenovo Information Product(ShenZhen China) Inc.)
S3 esgiguard; \??\C:\Program Files\Enigma Software Group\SpyHunter\esgiguard.sys [X]
S3 MBAMSwissArmy; \??\C:\Windows\system32\drivers\MBAMSwissArmy.sys [X]
S3 MREMPR5; \??\C:\PROGRA~1\COMMON~1\Motive\MREMPR5.SYS [X]
S3 MRENDIS5; \??\C:\PROGRA~1\COMMON~1\Motive\MRENDIS5.SYS [X]
 
==================== NetSvcs (Whitelisted) ===================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
 
==================== One Month Created files and folders ========
 
(If an entry is included in the fixlist, the file/folder will be moved.)
 
2015-07-10 09:47 - 2015-07-10 09:48 - 00021477 _____ C:\Users\Paul\Downloads\FRST.txt
2015-07-10 09:46 - 2015-07-10 09:46 - 02112512 _____ (Farbar) C:\Users\Paul\Downloads\FRST64.exe
2015-07-10 08:17 - 2015-07-10 08:17 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Lenovo ThinkVantage
2015-07-07 13:09 - 2015-07-07 13:09 - 00002002 _____ C:\Users\Public\Desktop\Lenovo Solution Center.lnk
2015-07-07 06:48 - 2015-07-07 06:48 - 00000000 ____D C:\Users\Paul\AppData\Roaming\Citrix
2015-06-17 12:56 - 2015-06-17 12:56 - 00013732 _____ C:\Users\Paul\Downloads\Attachments_2015617.zip
2015-06-11 19:46 - 2015-06-11 19:46 - 00378138 _____ C:\Users\Paul\Downloads\84RAV3HM6.wav
 
==================== One Month Modified files and folders ========
 
(If an entry is included in the fixlist, the file/folder will be moved.)
 
2015-07-10 09:47 - 2014-02-08 12:37 - 00000000 ____D C:\FRST
2015-07-10 09:45 - 2009-07-13 21:45 - 00034432 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2015-07-10 09:45 - 2009-07-13 21:45 - 00034432 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2015-07-10 09:37 - 2012-08-20 16:42 - 01081132 _____ C:\Windows\WindowsUpdate.log
2015-07-10 09:05 - 2014-01-20 22:11 - 00000898 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2015-07-10 08:34 - 2009-07-13 21:51 - 00205876 _____ C:\Windows\setupact.log
2015-07-10 08:26 - 2012-08-30 06:19 - 00000000 ____D C:\Users\Paul\AppData\Roaming\Nitro PDF
2015-07-10 08:24 - 2014-01-20 22:11 - 00000894 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2015-07-10 08:19 - 2013-08-03 11:00 - 00000000 ____D C:\Program Files (x86)\ATT
2015-07-10 08:18 - 2009-07-13 22:08 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2015-07-10 08:17 - 2012-08-20 16:50 - 00000000 ____D C:\Windows\System32\Tasks\Lenovo
2015-07-10 08:17 - 2012-08-20 16:49 - 00000000 ___HD C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Lenovo ThinkVantage Tools
2015-07-10 08:17 - 2012-08-20 16:45 - 00000000 ____D C:\Program Files (x86)\Lenovo
2015-07-10 08:16 - 2012-08-20 16:50 - 00000000 ____D C:\Windows\Downloaded Installations
2015-07-10 03:00 - 2014-02-14 23:14 - 00001945 _____ C:\Windows\epplauncher.mif
2015-07-09 18:48 - 2014-02-14 23:14 - 00002128 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Security Essentials.lnk
2015-07-09 18:48 - 2014-02-14 23:14 - 00000000 ____D C:\Program Files\Microsoft Security Client
2015-07-09 18:47 - 2014-02-14 23:14 - 00000000 ____D C:\Program Files (x86)\Microsoft Security Client
2015-07-07 13:15 - 2014-11-13 08:33 - 00000000 ____D C:\Users\Paul\AppData\Roaming\LSC
2015-07-07 13:04 - 2012-09-03 09:59 - 00002222 _____ C:\Users\Paul\Documents\Default.rdp
2015-07-07 08:06 - 2014-01-20 22:13 - 00002194 _____ C:\Users\Public\Desktop\Google Chrome.lnk
2015-07-05 03:08 - 2010-11-20 20:27 - 00300704 ____N (Microsoft Corporation) C:\Windows\system32\MpSigStub.exe
2015-06-30 15:27 - 2013-10-20 20:02 - 00000000 ____D C:\Users\Paul\Documents\Frances
2015-06-24 12:08 - 2014-12-29 21:13 - 00003886 _____ C:\Windows\System32\Tasks\Adobe Acrobat Update Task
2015-06-16 15:02 - 2009-07-13 22:13 - 00782510 _____ C:\Windows\system32\PerfStringBackup.INI
2015-06-14 19:48 - 2009-07-13 22:09 - 00000000 ____D C:\Windows\System32\Tasks\WPD
2015-06-10 22:16 - 2012-09-07 18:40 - 00000000 ____D C:\Users\Paul\Documents\Receipts
2015-06-10 04:26 - 2009-07-13 20:20 - 00000000 ____D C:\Windows\rescache
2015-06-10 03:49 - 2009-07-13 21:45 - 00378344 _____ C:\Windows\system32\FNTCACHE.DAT
2015-06-10 03:48 - 2010-11-20 20:47 - 01032666 _____ C:\Windows\PFRO.log
2015-06-10 03:45 - 2014-12-10 04:28 - 00000000 ____D C:\Windows\system32\appraiser
2015-06-10 03:45 - 2014-05-06 03:00 - 00000000 ___SD C:\Windows\system32\CompatTel
2015-06-10 03:45 - 2009-07-13 20:20 - 00000000 ____D C:\Windows\PolicyDefinitions
2015-06-10 03:22 - 2012-08-30 07:02 - 00000000 ____D C:\ProgramData\Microsoft Help
2015-06-10 03:14 - 2013-07-12 07:15 - 00000000 ____D C:\Windows\system32\MRT
2015-06-10 03:04 - 2012-08-31 20:48 - 140135120 _____ (Microsoft Corporation) C:\Windows\system32\MRT.exe
 
==================== Files in the root of some directories =======
 
2013-04-29 20:51 - 2014-01-05 14:37 - 0000600 _____ () C:\Users\Paul\AppData\Local\PUTTY.RND
2012-09-03 11:14 - 2012-09-03 11:14 - 0000017 _____ () C:\Users\Paul\AppData\Local\resmon.resmoncfg
2014-10-12 18:34 - 2014-10-12 18:34 - 0000000 ____H () C:\ProgramData\DP45977C.lfl
2014-05-28 07:57 - 2014-05-28 08:02 - 0000378 _____ () C:\ProgramData\hpzinstall.log
2015-04-27 07:37 - 2015-04-27 07:37 - 0000848 ___SH () C:\ProgramData\KGyGaAvL.sys
2013-03-31 14:05 - 2015-04-04 14:11 - 0000935 _____ () C:\ProgramData\Microsoft.SqlServer.Compact.400.32.bc
2014-11-01 17:07 - 2014-11-01 17:07 - 0000239 _____ () C:\ProgramData\RSUserCfg.ini
 
Some files in TEMP:
====================
C:\Users\Paul\AppData\Local\Temp\Quarantine.exe
C:\Users\Paul\AppData\Local\Temp\sqlite3.dll
 
 
==================== Bamital & volsnap Check =================
 
(There is no automatic fix for files that do not pass verification.)
 
C:\Windows\System32\winlogon.exe => File is digitally signed
C:\Windows\System32\wininit.exe => File is digitally signed
C:\Windows\SysWOW64\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\System32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\System32\services.exe => File is digitally signed
C:\Windows\System32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\System32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\System32\rpcss.dll => File is digitally signed
C:\Windows\System32\Drivers\volsnap.sys => File is digitally signed
 
 
LastRegBack: 2015-01-04 01:15
 
==================== End of log ============================


#2 nasdaq

nasdaq

  • Malware Response Team
  • 38,246 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 14 July 2015 - 08:53 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can, please print this topic; it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

Open notepad (Start =>All Programs => Accessories => Notepad). Please copy the entire contents of the code box below.


start

EmptyTemp:
CloseProcesses:

SearchScopes: HKU\S-1-5-21-1189826940-687842569-1934206052-1000 -> {6A1806CD-94D4-4689-BA73-E35EA1EA9990} URL =
FF Plugin: @microsoft.com/GENUINE -> disabled No File
FF Plugin-x32: @mcafee.com/MVT -> C:\Program Files (x86)\McAfee\Supportability\MVT\NPMVTPlugin.dll No File
FF Plugin-x32: @microsoft.com/GENUINE -> disabled No File
S3 esgiguard; \??\C:\Program Files\Enigma Software Group\SpyHunter\esgiguard.sys [X]
S3 MBAMSwissArmy; \??\C:\Windows\system32\drivers\MBAMSwissArmy.sys [X]
S3 MREMPR5; \??\C:\PROGRA~1\COMMON~1\Motive\MREMPR5.SYS [X]
S3 MRENDIS5; \??\C:\PROGRA~1\COMMON~1\Motive\MRENDIS5.SYS [X]
AlternateDataStreams: C:\Windows:nlsPreferences
AlternateDataStreams: C:\Users\Paul\Desktop\Antoinette_2013.jpg:3or4kl4x13tuuug3Byamue2s4b
AlternateDataStreams: C:\Users\Paul\Desktop\Antoinette_2013.jpg:{4c8cc155-6c1e-11d1-8e41-00c04fb9386d}
AlternateDataStreams: C:\Users\Paul\Desktop\ICS Request.tiff:3or4kl4x13tuuug3Byamue2s4b
AlternateDataStreams: C:\Users\Paul\Desktop\ICS Request.tiff:{4c8cc155-6c1e-11d1-8e41-00c04fb9386d}
AlternateDataStreams: C:\Users\Paul\Desktop\TEST.jpg:3or4kl4x13tuuug3Byamue2s4b
AlternateDataStreams: C:\Users\Paul\Desktop\TEST.jpg:{4c8cc155-6c1e-11d1-8e41-00c04fb9386d}
AlternateDataStreams: C:\Users\Paul\Desktop\TEST.tiff:3or4kl4x13tuuug3Byamue2s4b
AlternateDataStreams: C:\Users\Paul\Desktop\TEST.tiff:{4c8cc155-6c1e-11d1-8e41-00c04fb9386d}
AlternateDataStreams: C:\Users\Paul\Desktop\Washington Hosp 8_5.bmp:3or4kl4x13tuuug3Byamue2s4b
AlternateDataStreams: C:\Users\Paul\Desktop\Washington Hosp 8_5.bmp:{4c8cc155-6c1e-11d1-8e41-00c04fb9386d}

End
Save the file as fixlist.txt in the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the Farbar log you have submitted.

Run FRST and click Fix only once and wait.

Restart the computer normally to reset the registry.

The tool will create a log (Fixlog.txt) please post it to your reply.
===

Temporarily disable your AV program so it does not interfere.
Info on how to disable your security applications: How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs - Security Mini-Guides.

Download the Zoek tool from here

When the download appears, save to the Desktop.
On the Desktop, right-click the Zoek.exe file and select: Run as Administrator
(Give it a few seconds to appear.)

Next, copy/paste the entire script inside the code box below to the input field of Zoek:
createsrpoint;
autoclean;
emptyalltemp;
ipconfig /flushdns;
Now...
Close any open Browsers.
Click the Run script button, and wait. It takes a few minutes to run the whole script.

When the tool finishes, the zoek-results.log is opened in Notepad.
The log is also found on the systemdrive, normally C:\
If a reboot is needed, the log is opened after the reboot.

Please attach the zoek-results.log in your reply.

Also, please provide an update on how the computer is behaving after running the above script.

===
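The fixlist above lists several alternate data streams (ADS) attached to ordinary image files, and FRST reports and removes them by name. An ADS is extra content hidden behind a file name that does not show in Explorer or in the file's size, so a defender wants a way to see them before deciding anything. The following is an added example, not part of nasdaq's instructions and not FRST or Zoek code: a read-only PowerShell listing of every named stream under a folder. The $Path parameter and the $knownBenign list are my own assumptions; the Desktop default matches the files the fixlist targeted, and Zone.Identifier is the mark-of-the-web stream Windows writes on downloaded files. Nothing is removed.

```powershell
# Added example (not from the thread, FRST or Zoek): list alternate data streams the
# way FRST's "AlternateDataStreams:" lines do, without touching anything.
# Requires PowerShell 3.0 or later (Get-Item -Stream); Windows 7 needs WMF 3+ for that.
param(
    [string]$Path = (Join-Path $env:USERPROFILE 'Desktop')   # assumed default
)

# Stream names treated as "known" here (my own list, not an authoritative one):
#  - Zone.Identifier: written by Windows on files downloaded from the internet.
#  - The GUID stream appears on every image in this thread's fixlist; GUID-named
#    streams are typically written by shell property handlers when file metadata is edited.
$knownBenign = @(
    'Zone.Identifier',
    '{4c8cc155-6c1e-11d1-8e41-00c04fb9386d}'
)

function Get-AlternateDataStreams {
    param([string]$Root)
    Get-ChildItem -LiteralPath $Root -File -Recurse -ErrorAction SilentlyContinue |
        ForEach-Object {
            $file = $_
            # -Stream * returns every named stream; ':$DATA' is the file's own content, skipped.
            Get-Item -LiteralPath $file.FullName -Stream * -ErrorAction SilentlyContinue |
                Where-Object { $_.Stream -ne ':$DATA' } |
                ForEach-Object {
                    [pscustomobject]@{
                        File   = $file.FullName
                        Stream = $_.Stream
                        Bytes  = $_.Length
                        Known  = ($knownBenign -contains $_.Stream)
                    }
                }
        }
}

# Unknown streams sort first so they are the first thing on screen.
Get-AlternateDataStreams -Root $Path |
    Sort-Object Known, File |
    Format-Table -AutoSize
```

Read a stream's content with `Get-Content -LiteralPath <file> -Stream <name>` before deciding it matters; for Zone.Identifier that shows only a ZoneId line, which is the intended behaviour and not something to clean.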

#3 pzahra

pzahra
  • Topic Starter

  • Members
  • 59 posts

Posted 14 July 2015 - 11:55 AM

In regard to the problem with MS SE, I still cannot turn on real-time protection.

 

Here are the logs.

Fix result of Farbar Recovery Scan Tool (x64) Version:13-07-2015
Ran by Paul at 2015-07-14 08:21:03 Run:1
Running from C:\Users\Paul\Downloads
Loaded Profiles: Paul (Available Profiles: Paul)
Boot Mode: Normal
==============================================
 
fixlist content:
*****************
start
 
EmptyTemp:
CloseProcesses:
 
SearchScopes: HKU\S-1-5-21-1189826940-687842569-1934206052-1000 -> {6A1806CD-94D4-4689-BA73-E35EA1EA9990} URL =
FF Plugin: @microsoft.com/GENUINE -> disabled No File
FF Plugin-x32: @mcafee.com/MVT -> C:\Program Files (x86)\McAfee\Supportability\MVT\NPMVTPlugin.dll No File
FF Plugin-x32: @microsoft.com/GENUINE -> disabled No File
S3 esgiguard; \??\C:\Program Files\Enigma Software Group\SpyHunter\esgiguard.sys [X]
S3 MBAMSwissArmy; \??\C:\Windows\system32\drivers\MBAMSwissArmy.sys [X]
S3 MREMPR5; \??\C:\PROGRA~1\COMMON~1\Motive\MREMPR5.SYS [X]
S3 MRENDIS5; \??\C:\PROGRA~1\COMMON~1\Motive\MRENDIS5.SYS [X]
AlternateDataStreams: C:\Windows:nlsPreferences
AlternateDataStreams: C:\Users\Paul\Desktop\Antoinette_2013.jpg:3or4kl4x13tuuug3Byamue2s4b
AlternateDataStreams: C:\Users\Paul\Desktop\Antoinette_2013.jpg:{4c8cc155-6c1e-11d1-8e41-00c04fb9386d}
AlternateDataStreams: C:\Users\Paul\Desktop\ICS Request.tiff:3or4kl4x13tuuug3Byamue2s4b
AlternateDataStreams: C:\Users\Paul\Desktop\ICS Request.tiff:{4c8cc155-6c1e-11d1-8e41-00c04fb9386d}
AlternateDataStreams: C:\Users\Paul\Desktop\TEST.jpg:3or4kl4x13tuuug3Byamue2s4b
AlternateDataStreams: C:\Users\Paul\Desktop\TEST.jpg:{4c8cc155-6c1e-11d1-8e41-00c04fb9386d}
AlternateDataStreams: C:\Users\Paul\Desktop\TEST.tiff:3or4kl4x13tuuug3Byamue2s4b
AlternateDataStreams: C:\Users\Paul\Desktop\TEST.tiff:{4c8cc155-6c1e-11d1-8e41-00c04fb9386d}
AlternateDataStreams: C:\Users\Paul\Desktop\Washington Hosp 8_5.bmp:3or4kl4x13tuuug3Byamue2s4b
AlternateDataStreams: C:\Users\Paul\Desktop\Washington Hosp 8_5.bmp:{4c8cc155-6c1e-11d1-8e41-00c04fb9386d}
 
End
*****************
 
Processes closed successfully.
"HKU\S-1-5-21-1189826940-687842569-1934206052-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}" => key removed successfully
HKCR\CLSID\{6A1806CD-94D4-4689-BA73-E35EA1EA9990} => key not found. 
"HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE" => key removed successfully
"HKLM\Software\Wow6432Node\MozillaPlugins\@mcafee.com/MVT" => key removed successfully
"HKLM\Software\Wow6432Node\MozillaPlugins\@microsoft.com/GENUINE" => key removed successfully
esgiguard => Service removed successfully
MBAMSwissArmy => Service removed successfully
MREMPR5 => Service removed successfully
MRENDIS5 => Service removed successfully
C:\Windows => ":nlsPreferences" ADS removed successfully.
"C:\Users\Paul\Desktop\Antoinette_2013.jpg" => ":3or4kl4x13tuuug3Byamue2s4b" ADS not found.
C:\Users\Paul\Desktop\Antoinette_2013.jpg => ":{4c8cc155-6c1e-11d1-8e41-00c04fb9386d}" ADS removed successfully.
"C:\Users\Paul\Desktop\ICS Request.tiff" => ":3or4kl4x13tuuug3Byamue2s4b" ADS not found.
C:\Users\Paul\Desktop\ICS Request.tiff => ":{4c8cc155-6c1e-11d1-8e41-00c04fb9386d}" ADS removed successfully.
"C:\Users\Paul\Desktop\TEST.jpg" => ":3or4kl4x13tuuug3Byamue2s4b" ADS not found.
C:\Users\Paul\Desktop\TEST.jpg => ":{4c8cc155-6c1e-11d1-8e41-00c04fb9386d}" ADS removed successfully.
"C:\Users\Paul\Desktop\TEST.tiff" => ":3or4kl4x13tuuug3Byamue2s4b" ADS not found.
C:\Users\Paul\Desktop\TEST.tiff => ":{4c8cc155-6c1e-11d1-8e41-00c04fb9386d}" ADS removed successfully.
"C:\Users\Paul\Desktop\Washington Hosp 8_5.bmp" => ":3or4kl4x13tuuug3Byamue2s4b" ADS not found.
C:\Users\Paul\Desktop\Washington Hosp 8_5.bmp => ":{4c8cc155-6c1e-11d1-8e41-00c04fb9386d}" ADS removed successfully.
EmptyTemp: => 1 GB temporary data Removed.
 
 
The system needed a reboot.. 
 
==== End of Fixlog 08:24:37 ====
 
Zoek.exe v5.0.0.0 Updated 04-May-2015
Tool run by Paul on Tue 07/14/2015 at  9:24:05.47.
Microsoft Windows 7 Professional  6.1.7601 Service Pack 1 x64
Running in: Normal Mode Internet Access Detected
Launched: C:\Users\Paul\Downloads\zoek.exe    [Scan all users] [Script inserted] 
 
==== System Restore Info ======================
 
7/14/2015 9:27:32 AM Zoek.exe System Restore Point Created Successfully.
 
==== Empty Folders Check ======================
 
C:\PROGRA~2\Malwarebytes' Anti-Malware deleted successfully
C:\PROGRA~2\MSXML 4.0 deleted successfully
C:\PROGRA~2\VideoLAN deleted successfully
C:\PROGRA~2\COMMON~1\Symantec Shared deleted successfully
C:\Program Files\Google deleted successfully
C:\Program Files\stinger deleted successfully
C:\Users\Paul\AppData\Roaming\Malwarebytes deleted successfully
C:\Users\Paul\AppData\Local\EmieSiteList deleted successfully
C:\Users\Paul\AppData\Local\LSC deleted successfully
C:\Users\Paul\AppData\Local\RealVNC deleted successfully
C:\Users\Paul\AppData\Local\VeriSign deleted successfully
C:\Users\pzahra\AppData\Local\VirtualStore deleted successfully
 
==== Deleting CLSID Registry Keys ======================
 
 
==== Deleting CLSID Registry Values ======================
 
 
==== Deleting Services ======================
 
 
==== Batch Command(s) Run By Tool======================
 
 
==== Deleting Files \ Folders ======================
 
C:\PROGRA~2\VideoLAN not found
C:\found.000 deleted
C:\found.001 deleted
C:\found.002 deleted
C:\found.003 deleted
C:\found.004 deleted
C:\found.005 deleted
C:\found.006 deleted
C:\Windows\SysNative\config\systemprofile\Searches deleted
C:\windows\SysNative\GroupPolicy\Machine deleted
C:\windows\SysNative\GroupPolicy\User deleted
C:\windows\SysNative\GroupPolicy\gpt.ini deleted
 
==== Firefox Extensions Registry ======================
 
[HKEY_LOCAL_MACHINE\Software\Wow6432Node\Mozilla\Firefox\Extensions]
"VIP5X@verisign.com"="C:\Program Files (x86)\Symantec\VIP Access Client" [09/03/2014 08:49 PM]
 
==== Chromium Look ======================
 
Google Chrome Version: 43.0.2357.132
 
HKEY_LOCAL_MACHINE\SOFTWARE\Google\Chrome\Extensions
edmgmpmklgfbohogafcfobonnkogchec - C:\Program Files (x86)\Common Files\Motive\extensions\MotiveRequest.crx[08/03/2013 11:00 AM]
 
Motive Extension - Paul\AppData\Local\Google\Chrome\User Data\Default\Extensions\edmgmpmklgfbohogafcfobonnkogchec
IE Tab - Paul\AppData\Local\Google\Chrome\User Data\Default\Extensions\hehijbfgiekmjfkfjpbkbammjbdenadd
Chrome Hotword Shared Module - Paul\AppData\Local\Google\Chrome\User Data\Default\Extensions\lccekmodgklaepjeofjdjpbminllajkg
SiteAdvisor - pzahra\AppData\Local\Google\Chrome\User Data\Default\Extensions\fheoggkfdfchfphceeifdbepaooicaho
 
==== Chromium Startpages ======================
 
C:\Users\Paul\AppData\Local\Google\Chrome\User Data\Default\Preferences
extensions":{"settings":{"ahfgeienlihckogmohjhadlkjgocpleb":"D23EC431560A80C6FD569C32141928AE04002FA216199FF74DFC4CC8EBA69777","bepbmhgboaologfdajaanbcjmnhjmhfn":"492466C8F56527D9CAD20EA32A8328E969963BE8CFA4570CE75907299364B35C","edmgmpmklgfbohogafcfobonnkogchec":"FE7003AA4FB6A34732775E283F4320D6D60B63768BB90ACA66A66D1B176246FA","eemcgdkfndhakfknompkggombfjjjeno":"BA52EE4D6B8D304E51E2E2AADDD8AF4854BF79E0580679A25B9E68C4195B6CE6","ennkphjdgehloodpbhlhldgbnhmacadg":"20BE91F4637A76C0B6FE57066141D49E41155DF25E1D588A3A1B7AA2043E91AD","gfdkimpbcpahaombhbimeihdjnejgicl":"9AAAB5B397B34D79016BFC49D9513CF7CF63C045F02DC035A3ED85D0C1059E44","hehijbfgiekmjfkfjpbkbammjbdenadd":"2202C6027E39A84640135474FA2F6B157E6AB21B21B6F0A611400863BC04E51A","kmendfapggjehodndflmmgagdbamhnfd":"22BA47A84985C848DF54FC7FCA8FC28818D7BEAFF9EA29EADE60F47D655C340B","lccekmodgklaepjeofjdjpbminllajkg":"399A4B65A6A092969B1B6F29548C6EE110B667D419E008503FDE03050B19AD4D","mfehgcgbbipciphmccgaenjidiccnmng":"7D56ABA3BB8D5BF2B2B45789355E5B949DAE95E7A03E6A5EC2E1533A1C39FDE5","mfffpogegjflfpflabcdkioaeobkgjik":"C05AEA8F974B8DBF5EF9336F7F8C515F442C613A0325EE0B8561540EAE31FA06","mgndgikekgjfcpckkfioiadnlibdjbkf":"8B165B95EA6B44A2EF60B679550A047994DEAD8BC7B3D959871C6CBB23E4EC08","mhjfbmdgcfjbbpaeojofohoefgiehjai":"9B4848742305666658471ADDBE305165F88BAA5F8B9DA7D5D5B94F46BD72642A","nbpagnldghgfoolbancepceaanlmhfmd":"D4A48B467F37CAFC6C43C02780D47CE9AE2D65AC65484B5C1D130F1BEEB8BEE6","neajdppkdcdipfabeoofebfddakdcjhd":"E26B03517A7F9B6AA0512F8BAB8AB608E2DDCE27FCAEFF4590CAE1619A1E72CD","nkeimhogjdpnpccoofpliimaahmaaome":"5D780B7955C2E18BA127DA244ECBBC69E235769A1148A156423791E9B1E23A03","nmmhkkegccagdldgiimedpiccmgmieda":"992B9DEB558ECD629B2DA30DDC4460DD2E384C07F5D46D1E19C60FB89CAA9B1C","pafkbggdmjlpgkdkcbjmhmfcdpncadgh":"5EA12BD01A4D27A7C36B570679E0941868F7AFD2851810B5EB349D021E203D11"}},"google":{"services":{"last_username":"25D3753C667CEF6CFD4A8F2B0AACB882825E8C4A75BAF90DA9A8E4E9CAB81113","username":"B2588A10C4428995B090
9C63905BCAAC53FA3C75866C2D3D25C2876BD0B745D3"}},"homepage":"DFC3AF7B294CEE978CF82FF5650F2001E96B0907585CB2B085F7EDC36D673DDD","homepage_is_newtabpage":"95F3A9E52971090EC19DF6698164A73A8A7EDF146795F974949AAFA2E166989C","pinned_tabs":"8466FBF33A3922B1FFCB335AF7BCF23744950CAF7E58B3A8A8864E677FF0A425","prefs":{"preference_reset_time":"22A4056E6533F537CA96E9C18182F9DBD7BA7A1EA590FE8498BB283EC3DE54BC"},"profile":{"reset_prompt_memento":"EED1F7CDA48E089F4ED97E4A514C04F80C903A5748E1375A11FB1254A2613F25"},"safebrowsing":{"incidents_sent":"EEDC9A674ED9AE6F9374CC14997C9FFE50E104356547FE1DD4F5CA99A9D3846F"},"search_provider_overrides":"DAD2DAA2CAD78392CB9DBEAF35B5857ABD4D74CF9B8ABCB1D3CB25F2A6C9D5F4","session":{"restore_on_startup":"55284BC5417CD18B89441B90CFC37096E79891816C5AA267F0FCD72485FB090E","startup_urls":"41997B4C7914CCB98A90CF393C1FF9038842A89B96F60C6F1EE96A2E56739CA9"},"software_reporter":{"prompt_reason":"38444C7DC53EA33F21EDAA0977AFD5FED3D949D94B743F55D2137D4A7E5D2D6E","prompt_seed":"B3D1EB55FB48085958D754DA84236B03183A3675BD0983396C2425FB03182341","prompt_version":"100D2271C043D23A104CD5383DF622BF297AB4FC1BE439231BE2E72F2C7FD62E"},"sync":{"remaining_rollback_tries":"EE30C7EFD471D5672819C3FFC7005C139D1F5F428964EA4E0EC59E00A678AB35"}},"super_mac":"3DD2EA4B5F879D077690390F57392C63DF3624FF7BB893B3F19940E0B47A494F"},"session":{"restore_on_startup":5,"startup_urls":["https://www.google.com/"]},"sync":{"remaining_rollback_tries":0}}
 
C:\Users\pzahra\AppData\Local\Google\Chrome\User Data\Default\Preferences
 
 
==== Set IE to Default ======================
 
Old Values:
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
 
New Values:
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
 
==== All HKCU SearchScopes ======================
 
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes
"DefaultScope"="{0633EE93-D776-472f-A0FF-E1416B8B2E3A}"
{012E1000-F331-11DB-8314-0800200C9A66} Google  Url="http://www.google.com/search?q={searchTerms}"
{0633EE93-D776-472f-A0FF-E1416B8B2E3A} Bing  Url="http://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IE8SRC"
 
==== Deleting Registry Keys ======================
 
HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Riva FLV Player_is1 deleted successfully
 
==== Empty IE Cache ======================
 
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5 emptied successfully
C:\Users\Paul\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5 emptied successfully
C:\Windows\SysNative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5 emptied successfully
 
==== Empty FireFox Cache ======================
 
No FireFox Profiles found
 
==== Empty Chrome Cache ======================
 
C:\Users\Paul\AppData\Local\Google\Chrome\User Data\Default\Cache emptied successfully
C:\Users\pzahra\AppData\Local\Google\Chrome\User Data\Default\Cache emptied successfully
 
==== Empty All Flash Cache ======================
 
Flash Cache Emptied Successfully
 
==== Empty All Java Cache ======================
 
Java Cache cleared successfully
 
==== C:\zoek_backup content ======================
 
C:\zoek_backup (files=33 folders=24 18722433 bytes)
 
==== Empty Temp Folders ======================
 
C:\Users\Default\AppData\Local\Temp emptied successfully
C:\Users\Default User\AppData\Local\Temp emptied successfully
C:\Users\Paul\AppData\Local\Temp will be emptied at reboot
C:\Users\pzahra\AppData\Local\Temp emptied successfully
C:\Windows\serviceprofiles\networkservice\AppData\Local\Temp emptied successfully
C:\Windows\serviceprofiles\Localservice\AppData\Local\Temp emptied successfully
C:\Windows\Temp will be emptied at reboot
 
==== After Reboot ======================
 
==== Empty Temp Folders ======================
 
C:\Windows\Temp successfully emptied
C:\Users\Paul\AppData\Local\Temp successfully emptied
 
==== Empty Recycle Bin ======================
 
C:\$RECYCLE.BIN successfully emptied
 
==== EOF on Tue 07/14/2015 at  9:43:49.37 ======================


#4 nasdaq

nasdaq

  • Malware Response Team
  • 38,246 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 15 July 2015 - 07:35 AM

Download Security Check by screen317 from here
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.
p.s.
If the SecurityCheck program fails to run for any reason, run it as an Administrator.

If the site is busy or not available use this mirror site:
http://www.bleepingcomputer.com/download/securitycheck/

===

Download Farbar's Service Scanner utility
http://www.bleepingcomputer.com/download/farbar-service-scanner/dl/62/
and Save to your Desktop.
If using Windows 7 or Vista, Right-Click on fss.exe and select Run As Administrator.
If using XP, double-click to start.
Answer Yes or OK when prompted.
If your firewall then puts out a prompt, again, allow it to run.
Once FSS is on-screen, be sure the following items are checkmarked:
Internet Services
Windows Firewall
System Restore
Security Center/Action Center
Windows Update
Windows Defender
Other services


Click on "Scan".
It will create a log (FSS.txt) in the same directory the tool is run.
Copy & Paste contents of FSS.txt into your reply.

Please post the logs for my review.

#5 pzahra

pzahra
  • Topic Starter

  • Members
  • 59 posts

Posted 15 July 2015 - 09:16 PM

Here are the logs,
Security Check Log:

 

 Results of screen317's Security Check version 1.005  
 Windows 7 Service Pack 1 x64 (UAC is enabled)  
 Internet Explorer 11  
``````````````Antivirus/Firewall Check:`````````````` 
 Windows Firewall Enabled!  
Microsoft Security Essentials   
 Antivirus up to date!  
`````````Anti-malware/Other Utilities Check:````````` 
 Java 8 Update 31  
 Java version 32-bit out of Date! 
  Adobe Flash Player 15.0.0.246 Flash Player out of Date!  
 Adobe Reader XI  
 Google Chrome (43.0.2357.132) 
 Google Chrome (43.0.2357.134) 
````````Process Check: objlist.exe by Laurent````````  
 Microsoft Security Essentials MSMpEng.exe 
 Microsoft Security Essentials msseces.exe 
`````````````````System Health check````````````````` 
 Total Fragmentation on Drive C: 2% 
````````````````````End of Log`````````````````````` 
 
 
 

Farbar Service Scanner Version: 17-01-2015
Ran by Paul (administrator) on 15-07-2015 at 19:12:55
Running from "C:\Users\Paul\Desktop"
Microsoft Windows 7 Professional  Service Pack 1 (X64)
Boot Mode: Normal
****************************************************************
 
Internet Services:
============
 
Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Google.com is accessible.
Yahoo.com is accessible.
 
 
Windows Firewall:
=============
 
Firewall Disabled Policy: 
==================
 
 
System Restore:
============
 
System Restore Policy: 
========================
 
 
Action Center:
============
 
 
Windows Update:
============
 
Windows Autoupdate Disabled Policy: 
============================
 
 
Windows Defender:
==============
WinDefend Service is not running. Checking service configuration:
The start type of WinDefend service is set to Demand. The default start type is Auto.
The ImagePath of WinDefend service is OK.
The ServiceDll of WinDefend service is OK.
 
 
Windows Defender Disabled Policy: 
==========================
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender]
"DisableAntiSpyware"=DWORD:1
 
 
Other Services:
==============
 
 
File Check:
========
C:\Windows\System32\nsisvc.dll => File is digitally signed
C:\Windows\System32\drivers\nsiproxy.sys => File is digitally signed
C:\Windows\System32\dhcpcore.dll => File is digitally signed
C:\Windows\System32\drivers\afd.sys => File is digitally signed
C:\Windows\System32\drivers\tdx.sys => File is digitally signed
C:\Windows\System32\Drivers\tcpip.sys => File is digitally signed
C:\Windows\System32\dnsrslvr.dll => File is digitally signed
C:\Windows\System32\mpssvc.dll => File is digitally signed
C:\Windows\System32\bfe.dll => File is digitally signed
C:\Windows\System32\drivers\mpsdrv.sys => File is digitally signed
C:\Windows\System32\SDRSVC.dll => File is digitally signed
C:\Windows\System32\vssvc.exe => File is digitally signed
C:\Windows\System32\wscsvc.dll => File is digitally signed
C:\Windows\System32\wbem\WMIsvc.dll => File is digitally signed
C:\Windows\System32\wuaueng.dll => File is digitally signed
C:\Windows\System32\qmgr.dll => File is digitally signed
C:\Windows\System32\es.dll => File is digitally signed
C:\Windows\System32\cryptsvc.dll => File is digitally signed
C:\Program Files\Windows Defender\MpSvc.dll => File is digitally signed
C:\Windows\System32\ipnathlp.dll => File is digitally signed
C:\Windows\System32\iphlpsvc.dll => File is digitally signed
C:\Windows\System32\svchost.exe => File is digitally signed
C:\Windows\System32\rpcss.dll => File is digitally signed
 
 
**** End of log ****
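The FSS log above reports three things a defender cares about when real-time protection refuses to start: the WinDefend service start type, the DisableAntiSpyware value, and (via Security Check) which antivirus products the machine still lists. The following is an added example, my own code and not part of FSS, Security Check or MSE: a read-only PowerShell script that gathers the same facts in one place, plus the registered products from the Security Center WMI namespace, where a leftover McAfee registration would show up alongside MSE. The MSE registry path under "Microsoft Antimalware" is an assumption from MSE's usual layout and should be verified on the machine; the productState decoding is the commonly documented bit layout, not an official API. Nothing is changed.

```powershell
# Added example (not from the thread, FSS, Security Check or MSE): read-only status
# checks for why real-time protection may be off. Run from an elevated PowerShell 3.0+
# prompt on Windows 7 (WMF 3 or later).

function Get-ServiceStartType {
    param([string]$Name)
    # "Start" in the service key: 2 = Auto, 3 = Demand (manual), 4 = Disabled.
    $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$Name"
    $start = (Get-ItemProperty -Path $key -Name Start -ErrorAction SilentlyContinue).Start
    if ($null -eq $start) { return 'NotInstalled' }
    switch ($start) { 2 { 'Auto' } 3 { 'Demand' } 4 { 'Disabled' } default { "Unknown($start)" } }
}

function Get-RegValue {
    param([string]$Path, [string]$Name)
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($item) { $item.$Name } else { $null }   # $null means "value not present"
}

function Get-ProtectionState {
    # --- Windows Defender: service plus the two places DisableAntiSpyware can be set.
    # On Windows 7, installing MSE sets DisableAntiSpyware=1 under the product key on
    # purpose (MSE replaces the built-in Defender), so FSS reporting it there is expected.
    $defender = [pscustomobject]@{
        Service                    = 'WinDefend'
        StartType                  = Get-ServiceStartType 'WinDefend'
        Status                     = (Get-Service WinDefend -ErrorAction SilentlyContinue).Status
        DisableAntiSpyware_Product = Get-RegValue 'HKLM:\SOFTWARE\Microsoft\Windows Defender' 'DisableAntiSpyware'
        DisableAntiSpyware_Policy  = Get-RegValue 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender' 'DisableAntiSpyware'
    }

    # --- MSE: its services and real-time switch (key path assumed; verify on the machine).
    $mse = foreach ($svc in 'MsMpSvc', 'NisSrv') {
        [pscustomobject]@{
            Service   = $svc
            StartType = Get-ServiceStartType $svc
            Status    = (Get-Service $svc -ErrorAction SilentlyContinue).Status
        }
    }
    $rtpDisabled = Get-RegValue 'HKLM:\SOFTWARE\Microsoft\Microsoft Antimalware\Real-Time Protection' 'DisableRealtimeMonitoring'

    # --- Products registered with Security Center; a stale McAfee entry appears here.
    # productState: second byte 0x10 = enabled, third byte 0x00 = definitions current
    # (commonly documented layout, not an official Microsoft API).
    $products = Get-WmiObject -Namespace root\SecurityCenter2 -Class AntiVirusProduct -ErrorAction SilentlyContinue |
        ForEach-Object {
            $state = [int]$_.productState
            [pscustomobject]@{
                Product  = $_.displayName
                Enabled  = (($state -band 0x00FF00) -eq 0x1000)
                UpToDate = (($state -band 0xFF0000) -eq 0)
                Exe      = $_.pathToSignedProductExe
            }
        }

    [pscustomobject]@{
        Defender              = $defender
        MseServices           = $mse
        MseRealtimeDisabled   = $rtpDisabled   # $null = not set, i.e. enabled by default
        RegisteredAntivirus   = $products
    }
}

$state = Get-ProtectionState
'== Windows Defender ==';            $state.Defender            | Format-List
'== MSE services ==';                $state.MseServices         | Format-Table -AutoSize
"== MSE DisableRealtimeMonitoring: $($state.MseRealtimeDisabled)"
'== Registered antivirus products =='; $state.RegisteredAntivirus | Format-Table -AutoSize
```

Two products both marked Enabled, or a product whose Exe path no longer exists, is the signature of the situation nasdaq addresses next: an incompletely removed antivirus still registered with Security Center, which is exactly what the vendor's removal tool is for.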


#6 nasdaq

nasdaq

  • Malware Response Team
  • 38,246 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 16 July 2015 - 07:32 AM

Read this Microsoft Article.
Real-time protection won't turn on in Microsoft Security Essentials
https://support.microsoft.com/en-us/kb/2688670


I suggest you remove this program (in bold) using Add/Remove Programs.


McAfee Virtual Technician (HKLM-x32\...\McAfee Virtual Technician) (Version: 7.1.0.2483 - McAfee, Inc.)

Restart the computer normally.

How is MSE now?

p.s.

Was any other McAfee software installed on this computer previously and was removed?
http://service.mcafee.com/faqdocument.aspx?id=TS101111

#7 pzahra

pzahra
  • Topic Starter

  • Members
  • 59 posts

Posted 16 July 2015 - 09:38 PM

I have removed all of the McAfee software using the McAfee software removal tool and all seems well. I will let the system sit for a couple of days as is and let you know.

 

Thank you for your help!



#8 nasdaq

nasdaq

  • Malware Response Team
  • 38,246 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 17 July 2015 - 07:17 AM

Glad we could help.

If all is well.

To learn more about how to protect yourself while on the internet, read this little guide on best security practices to keep safe.
http://www.bleepingcomputer.com/forums/t/407147/answers-to-common-security-questions-best-practices/
===

#9 nasdaq

nasdaq

  • Malware Response Team
  • 38,246 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 23 July 2015 - 08:18 AM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.



