
Reformatted but still having issues, Am I infected still?


13 replies to this topic

#1 LionessLeona

Posted 16 December 2015 - 01:35 PM

I had my laptop reformatted, but I have been scanning everything with VirusTotal that he was able to save. I had Geek Squad remote into my computer to hook up a wireless printer, and they completely disabled my laptop. I took it into the shop, where they replaced the hard drive. I am still seeing some programs with the wrong symbol for the item, such as Dropbox and the Mozilla browser (which I deleted). I have scanned some of the programs they left on my laptop and they are coming up with a backdoor virus in the files. This is an Acer laptop. They changed it from 32-bit to 64-bit. I don't know what other info you need or how to go about this, as I am new to this forum stuff.





#2 Aura (Malware Response Team)

Posted 17 December 2015 - 08:00 AM

Hi Lioness :)

My name is Aura and I'll be assisting you with your issue. Follow the instructions below please.

MiniToolBox
  • Download MiniToolBox and move the file to your Desktop;
  • Right-click on MiniToolBox.exe and select Run as Administrator (for Windows Vista, 7, 8, 8.1 and 10 users);
  • Check the following options:
    • Flush DNS;
    • Report IE Proxy Settings;
    • Reset IE Proxy Settings;
    • Report FF Proxy Settings;
    • Reset FF Proxy Settings;
    • List content of Hosts;
    • List IP Configuration;
    • List Winsock Entries;
    • List Last 10 Event Viewer Errors;
    • List Installed Programs;
    • List Devices - Only Problems;
    • List Users, Partitions and Memory size;
  • Once this is done, click on Go and wait for the scan to complete;
  • Once the scan is complete, a log will open. Please copy/paste the content of the output log in your next reply;

Security Administrator | Sysnative Windows Update Senior Analyst | Malware Hunter | @SecurityAura
My timezone UTC-05:00 (East. Coast). If I didn't reply to you within 48 hours, please send me a PM.


#3 LionessLeona (Topic Starter)

Posted 17 December 2015 - 09:43 PM

Thank you for your help. I am sorry, I am a beginner and I pretty much know nothing about this whole computer stuff. Can you tell me what is wrong from this? I had the hard drive replaced and now in my processes the thing is going nuts. It appears they didn't do a very good job, huh? I am posting the log as well.

MiniToolBox by Farbar  Version: 02-11-2015
Ran by Owner (administrator) on 17-12-2015 at 20:06:14
Running from "C:\Users\Owner\Desktop"
Microsoft Windows 7 Home Premium  Service Pack 1 (X64)
Model: Aspire 5250 Manufacturer: Acer
Boot Mode: Normal
***************************************************************************
 
========================= Flush DNS: ===================================
 
Windows IP Configuration
 
Successfully flushed the DNS Resolver Cache.
 
========================= IE Proxy Settings: ============================== 
 
Proxy is not enabled.
No Proxy Server is set.
 
"Reset IE Proxy Settings": IE Proxy Settings were reset.
========================= Hosts content: =================================
========================= IP Configuration: ================================
 
Atheros AR5B95 Wireless Network Adapter = Wireless Network Connection (Connected)
Qualcomm Atheros AR8152/8158 PCI-E Fast Ethernet Controller (NDIS 6.20) = Local Area Connection (Media disconnected)
 
 
# ----------------------------------
# IPv4 Configuration
# ----------------------------------
pushd interface ipv4
 
reset
set global icmpredirects=enabled
 
 
popd
# End of IPv4 configuration
 
 
 
Windows IP Configuration
 
   Host Name . . . . . . . . . . . . : Owner-PC
   Primary Dns Suffix  . . . . . . . : 
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No
   DNS Suffix Search List. . . . . . : hsd1.il.comcast.net
 
Ethernet adapter Local Area Connection:
 
   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . : 00305.geek.local
   Description . . . . . . . . . . . : Qualcomm Atheros AR8152/8158 PCI-E Fast Ethernet Controller (NDIS 6.20)
   Physical Address. . . . . . . . . : B8-70-F4-88-48-24
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
 
Wireless LAN adapter Wireless Network Connection:
 
   Connection-specific DNS Suffix  . : hsd1.il.comcast.net
   Description . . . . . . . . . . . : Atheros AR5B95 Wireless Network Adapter
   Physical Address. . . . . . . . . : 68-A3-C4-DD-95-C1
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
   IPv6 Address. . . . . . . . . . . : 2601:246:4400:f119::1850(Preferred) 
   Lease Obtained. . . . . . . . . . : Thursday, December 17, 2015 7:31:27 PM
   Lease Expires . . . . . . . . . . : Thursday, December 24, 2015 7:31:27 PM
   IPv6 Address. . . . . . . . . . . : 2601:246:4400:f119:c1c1:bc3b:b369:3171(Preferred) 
   Temporary IPv6 Address. . . . . . : 2601:246:4400:f119:785e:6c84:76bd:5732(Preferred) 
   Link-local IPv6 Address . . . . . : fe80::c1c1:bc3b:b369:3171%11(Preferred) 
   IPv4 Address. . . . . . . . . . . : 10.0.0.47(Preferred) 
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Lease Obtained. . . . . . . . . . : Thursday, December 17, 2015 7:31:25 PM
   Lease Expires . . . . . . . . . . : Thursday, December 24, 2015 7:31:25 PM
   Default Gateway . . . . . . . . . : fe80::2cab:a4ff:fe4e:c0df%11
                                       10.0.0.1
   DHCP Server . . . . . . . . . . . : 10.0.0.1
   DHCPv6 IAID . . . . . . . . . . . : 191407044
   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-1D-FD-F1-2B-68-A3-C4-DD-95-C1
   DNS Servers . . . . . . . . . . . : 2001:558:feed::1
                                       2001:558:feed::2
                                       75.75.75.75
                                       75.75.76.76
   NetBIOS over Tcpip. . . . . . . . : Enabled
 
Tunnel adapter isatap.hsd1.il.comcast.net:
 
   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . : hsd1.il.comcast.net
   Description . . . . . . . . . . . : Microsoft ISATAP Adapter
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
Server:  cdns01.comcast.net
Address:  2001:558:feed::1
 
Name:    google.com
Addresses:  2607:f8b0:4009:808::200e
 216.58.216.78
 
 
Pinging google.com [2607:f8b0:4009:80b::200e] with 32 bytes of data:
Reply from 2607:f8b0:4009:80b::200e: time=18ms 
Reply from 2607:f8b0:4009:80b::200e: time=21ms 
 
Ping statistics for 2607:f8b0:4009:80b::200e:
    Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 18ms, Maximum = 21ms, Average = 19ms
Server:  cdns01.comcast.net
Address:  2001:558:feed::1
 
Name:    yahoo.com
Addresses:  2001:4998:44:204::a7
 2001:4998:58:c02::a9
 2001:4998:c:a06::2:4008
 98.139.183.24
 206.190.36.45
 98.138.253.109
 
 
Pinging yahoo.com [2001:4998:44:204::a7] with 32 bytes of data:
Reply from 2001:4998:44:204::a7: time=100ms 
Reply from 2001:4998:44:204::a7: time=91ms 
 
Ping statistics for 2001:4998:44:204::a7:
    Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 91ms, Maximum = 100ms, Average = 95ms
 
Pinging 127.0.0.1 with 32 bytes of data:
Reply from 127.0.0.1: bytes=32 time<1ms TTL=128
Reply from 127.0.0.1: bytes=32 time<1ms TTL=128
 
Ping statistics for 127.0.0.1:
    Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 0ms, Average = 0ms
===========================================================================
Interface List
 12...b8 70 f4 88 48 24 ......Qualcomm Atheros AR8152/8158 PCI-E Fast Ethernet Controller (NDIS 6.20)
 11...68 a3 c4 dd 95 c1 ......Atheros AR5B95 Wireless Network Adapter
  1...........................Software Loopback Interface 1
 13...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter
===========================================================================
 
IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0         10.0.0.1        10.0.0.47     25
         10.0.0.0    255.255.255.0         On-link         10.0.0.47    281
        10.0.0.47  255.255.255.255         On-link         10.0.0.47    281
       10.0.0.255  255.255.255.255         On-link         10.0.0.47    281
        127.0.0.0        255.0.0.0         On-link         127.0.0.1    306
        127.0.0.1  255.255.255.255         On-link         127.0.0.1    306
  127.255.255.255  255.255.255.255         On-link         127.0.0.1    306
        224.0.0.0        240.0.0.0         On-link         127.0.0.1    306
        224.0.0.0        240.0.0.0         On-link         10.0.0.47    281
  255.255.255.255  255.255.255.255         On-link         127.0.0.1    306
  255.255.255.255  255.255.255.255         On-link         10.0.0.47    281
===========================================================================
Persistent Routes:
  None
 
IPv6 Route Table
===========================================================================
Active Routes:
 If Metric Network Destination      Gateway
 11    281 ::/0                     fe80::2cab:a4ff:fe4e:c0df
  1    306 ::1/128                  On-link
 11     33 2601:246:4400:f119::/64  On-link
 11    281 2601:246:4400:f119::1850/128
                                    On-link
 11    281 2601:246:4400:f119:785e:6c84:76bd:5732/128
                                    On-link
 11    281 2601:246:4400:f119:c1c1:bc3b:b369:3171/128
                                    On-link
 11    281 fe80::/64                On-link
 11    281 fe80::c1c1:bc3b:b369:3171/128
                                    On-link
  1    306 ff00::/8                 On-link
 11    281 ff00::/8                 On-link
===========================================================================
Persistent Routes:
  None
========================= Winsock entries =====================================
 
Catalog5 01 C:\Windows\SysWOW64\NLAapi.dll [52224] (Microsoft Corporation)
Catalog5 02 C:\Windows\SysWOW64\napinsp.dll [52224] (Microsoft Corporation)
Catalog5 03 C:\Windows\SysWOW64\pnrpnsp.dll [65024] (Microsoft Corporation)
Catalog5 04 C:\Windows\SysWOW64\pnrpnsp.dll [65024] (Microsoft Corporation)
Catalog5 05 C:\Windows\SysWOW64\mswsock.dll [231424] (Microsoft Corporation)
Catalog5 06 C:\Windows\SysWOW64\winrnr.dll [20992] (Microsoft Corporation)
Catalog9 01 C:\Windows\SysWOW64\mswsock.dll [231424] (Microsoft Corporation)
Catalog9 02 C:\Windows\SysWOW64\mswsock.dll [231424] (Microsoft Corporation)
Catalog9 03 C:\Windows\SysWOW64\mswsock.dll [231424] (Microsoft Corporation)
Catalog9 04 C:\Windows\SysWOW64\mswsock.dll [231424] (Microsoft Corporation)
Catalog9 05 C:\Windows\SysWOW64\mswsock.dll [231424] (Microsoft Corporation)
Catalog9 06 C:\Windows\SysWOW64\mswsock.dll [231424] (Microsoft Corporation)
Catalog9 07 C:\Windows\SysWOW64\mswsock.dll [231424] (Microsoft Corporation)
Catalog9 08 C:\Windows\SysWOW64\mswsock.dll [231424] (Microsoft Corporation)
Catalog9 09 C:\Windows\SysWOW64\mswsock.dll [231424] (Microsoft Corporation)
Catalog9 10 C:\Windows\SysWOW64\mswsock.dll [231424] (Microsoft Corporation)
x64-Catalog5 01 C:\Windows\System32\NLAapi.dll [70656] (Microsoft Corporation)
x64-Catalog5 02 C:\Windows\System32\napinsp.dll [68096] (Microsoft Corporation)
x64-Catalog5 03 C:\Windows\System32\pnrpnsp.dll [86016] (Microsoft Corporation)
x64-Catalog5 04 C:\Windows\System32\pnrpnsp.dll [86016] (Microsoft Corporation)
x64-Catalog5 05 C:\Windows\System32\mswsock.dll [327168] (Microsoft Corporation)
x64-Catalog5 06 C:\Windows\System32\winrnr.dll [28672] (Microsoft Corporation)
x64-Catalog9 01 C:\Windows\System32\mswsock.dll [327168] (Microsoft Corporation)
x64-Catalog9 02 C:\Windows\System32\mswsock.dll [327168] (Microsoft Corporation)
x64-Catalog9 03 C:\Windows\System32\mswsock.dll [327168] (Microsoft Corporation)
x64-Catalog9 04 C:\Windows\System32\mswsock.dll [327168] (Microsoft Corporation)
x64-Catalog9 05 C:\Windows\System32\mswsock.dll [327168] (Microsoft Corporation)
x64-Catalog9 06 C:\Windows\System32\mswsock.dll [327168] (Microsoft Corporation)
x64-Catalog9 07 C:\Windows\System32\mswsock.dll [327168] (Microsoft Corporation)
x64-Catalog9 08 C:\Windows\System32\mswsock.dll [327168] (Microsoft Corporation)
x64-Catalog9 09 C:\Windows\System32\mswsock.dll [327168] (Microsoft Corporation)
x64-Catalog9 10 C:\Windows\System32\mswsock.dll [327168] (Microsoft Corporation)
 
========================= Event log errors: ===============================
 
Application errors:
==================
Error: (12/17/2015 07:33:01 PM) (Source: WinMgmt) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003
 
Error: (12/17/2015 05:29:39 PM) (Source: WinMgmt) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003
 
Error: (12/16/2015 10:27:14 PM) (Source: WinMgmt) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003
 
Error: (12/16/2015 11:44:14 AM) (Source: WinMgmt) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003
 
Error: (12/15/2015 02:08:32 PM) (Source: WinMgmt) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003
 
Error: (12/14/2015 07:47:42 PM) (Source: WinMgmt) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003
 
Error: (12/14/2015 04:57:14 PM) (Source: WinMgmt) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003
 
Error: (12/14/2015 03:21:42 PM) (Source: WinMgmt) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003
 
Error: (12/14/2015 03:05:55 PM) (Source: WinMgmt) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003
 
Error: (12/14/2015 12:43:07 PM) (Source: SideBySide) (User: )
Description: Activation context generation failed for "C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18837_none_fa3b1e3d17594757.manifest1".Error in manifest or policy file "C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18837_none_fa3b1e3d17594757.manifest2" on line C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18837_none_fa3b1e3d17594757.manifest3.
A component version required by the application conflicts with another component version already active.
Conflicting components are:.
Component 1: C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18837_none_fa3b1e3d17594757.manifest.
Component 2: C:\Windows\WinSxS\manifests\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18837_none_41e855142bd5705d.manifest.
 
 
System errors:
=============
Error: (12/17/2015 06:16:10 PM) (Source: DCOM) (User: )
Description: {E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E}
 
Error: (12/17/2015 02:32:06 AM) (Source: DCOM) (User: )
Description: {E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E}
 
Error: (12/16/2015 01:16:48 PM) (Source: DCOM) (User: )
Description: {E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E}
 
Error: (12/16/2015 01:47:45 AM) (Source: DCOM) (User: )
Description: {E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E}
 
Error: (12/15/2015 01:39:13 AM) (Source: DCOM) (User: )
Description: {E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E}
 
Error: (12/14/2015 11:03:46 PM) (Source: DCOM) (User: )
Description: {AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
 
Error: (12/14/2015 06:55:28 PM) (Source: DCOM) (User: )
Description: {E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E}
 
Error: (12/14/2015 04:59:23 PM) (Source: Service Control Manager) (User: )
Description: The ScRegSetValueExW call failed for FailureActions with the following error: 
%%5
 
Error: (12/14/2015 03:22:17 PM) (Source: DCOM) (User: )
Description: {E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E}
 
Error: (12/14/2015 03:20:34 PM) (Source: NetBT) (User: )
Description: The name "OWNER-PC       :20" could not be registered on the interface with IP address 192.168.24.218.
The computer with the IP address 192.168.24.106 did not allow the name to be claimed by
this computer.
 
 
Microsoft Office Sessions:
=========================
Error: (12/17/2015 07:33:01 PM) (Source: WinMgmt)(User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003
 
Error: (12/17/2015 05:29:39 PM) (Source: WinMgmt)(User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003
 
Error: (12/16/2015 10:27:14 PM) (Source: WinMgmt)(User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003
 
Error: (12/16/2015 11:44:14 AM) (Source: WinMgmt)(User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003
 
Error: (12/15/2015 02:08:32 PM) (Source: WinMgmt)(User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003
 
Error: (12/14/2015 07:47:42 PM) (Source: WinMgmt)(User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003
 
Error: (12/14/2015 04:57:14 PM) (Source: WinMgmt)(User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003
 
Error: (12/14/2015 03:21:42 PM) (Source: WinMgmt)(User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003
 
Error: (12/14/2015 03:05:55 PM) (Source: WinMgmt)(User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003
 
Error: (12/14/2015 12:43:07 PM) (Source: SideBySide)(User: )
Description: C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18837_none_fa3b1e3d17594757.manifestC:\Windows\WinSxS\manifests\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18837_none_41e855142bd5705d.manifestG:\esetsmartinstaller_enu.exe
 
 
=========================== Installed Programs ============================
 
Auto-Pet-Buy version 1.2.2.2 (HKLM-x32\...\{F6A21126-4EB9-48CF-91DC-63AEF81D7872}_is1) (Version: 1.2.2.2 - Rodolfo U. Batista)
Google Chrome (HKLM-x32\...\Google Chrome) (Version: 47.0.2526.106 - Google Inc.)
Google Update Helper (HKLM-x32\...\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA}) (Version: 1.3.29.1 - Google Inc.) Hidden
HP ENVY 7640 series Basic Device Software (HKLM\...\{24BF3898-2667-4645-9448-8C6765B801A5}) (Version: 34.2.117.50647 - Hewlett-Packard Co.)
HP ENVY 7640 series Help (HKLM-x32\...\{5845A5C9-AA03-4D91-9793-1A2563CE0129}) (Version: 34.0.0 - Hewlett Packard)
HP Photo Creations (HKLM-x32\...\HP Photo Creations) (Version: 1.0.0.7702 - HP)
HP Support Assistant (HKLM-x32\...\{79C54A05-F146-4EA0-8A70-D4EFE6181E52}) (Version: 8.1.40.3 - Hewlett-Packard Company)
HP Support Solutions Framework (HKLM-x32\...\{55065080-504F-43BB-BE00-36B80D7D39A5}) (Version: 12.0.30.219 - Hewlett-Packard Company)
HP Update (HKLM-x32\...\{912D30CF-F39E-4B31-AD9A-123C6B794EE2}) (Version: 5.005.002.002 - Hewlett-Packard)
Kaspersky Internet Security (HKLM-x32\...\{77E7AE5C-181C-4CAF-ADBF-946F11C1CE26}) (Version: 16.0.0.614 - Kaspersky Lab) Hidden
Kaspersky Internet Security (HKLM-x32\...\InstallWIX_{77E7AE5C-181C-4CAF-ADBF-946F11C1CE26}) (Version: 16.0.0.614 - Kaspersky Lab)
Microsoft .NET Framework 4.5.2 (HKLM\...\{92FB6C44-E685-45AD-9B20-CADF4CABA132} - 1033) (Version: 4.5.51209 - Microsoft Corporation)
Microsoft Office Professional Plus 2010 (HKLM-x32\...\Office14.PROPLUS) (Version: 14.0.7015.1000 - Microsoft Corporation)
Microsoft Visual C++ 2010  x64 Redistributable - 10.0.40219 (HKLM\...\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}) (Version: 10.0.40219 - Microsoft Corporation)
Microsoft Visual C++ 2010  x86 Redistributable - 10.0.40219 (HKLM-x32\...\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}) (Version: 10.0.40219 - Microsoft Corporation)
Microsoft Visual Studio 2010 Tools for Office Runtime (x64) (HKLM\...\Microsoft Visual Studio 2010 Tools for Office Runtime (x64)) (Version: 10.0.50903 - Microsoft Corporation)
Pale Moon 24.0.2 (x86 en-US) (HKLM-x32\...\Pale Moon 24.0.2 (x86 en-US)) (Version: 24.0.2 - Mozilla)
Product Improvement Study for HP ENVY 7640 series (HKLM\...\{9913BFAE-5E18-4863-8354-452337781573}) (Version: 34.2.117.50647 - Hewlett-Packard Co.)
Service Pack 2 for Microsoft Office 2010 (KB2687455) 32-Bit Edition (HKLM-x32\...\{90140000-0011-0000-0000-0000000FF1CE}_Office14.PROPLUS_{DE28B448-32E8-4E8F-84F0-A52B21A49B5B}) (Version:  - Microsoft)
Skype™ 7.17 (HKLM-x32\...\{FC965A47-4839-40CA-B618-18F486F042C6}) (Version: 7.17.104 - Skype Technologies S.A.)
 
========================= Devices: ================================
 
 
========================= Memory info: ===================================
 
Percentage of memory in use: 65%
Total physical RAM: 2794.9 MB
Available physical RAM: 971.39 MB
Total Virtual: 5588.01 MB
Available Virtual: 3460.7 MB
 
========================= Partitions: =====================================
 
1 Drive c: () (Fixed) (Total:465.66 GB) (Free:386.83 GB) NTFS
 
========================= Users: ========================================
 
User accounts for \\OWNER-PC
 
Administrator            Guest                    Owner                    
 
 
**** End of log ****


#4 Aura (Malware Response Team)

Posted 18 December 2015 - 07:57 AM

I don't see anything wrong in your MiniToolBox log. This being said...

I am still seeing some programs with the wrong symbol for the item such as Dropbox and Mozilla browser (which I deleted).


What do you mean by that? Like the Dropbox shortcut will have another icon? If so, what is that icon?

I have scanned some of the programs they left on my laptop and they are coming up with a back door virus in the files.


What did you scan the files with? What were the detections? Which programs are we talking about? Can you upload these files to VirusTotal and give me the report URLs?

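Added example, not code from this thread or from MiniToolBox: a small Python script that reads a saved MiniToolBox log and applies the checks behind "I don't see anything wrong in your MiniToolBox log". It flags a browser proxy the user never set up, entries in the hosts file beyond the loopback mappings, and Winsock (LSP) providers that are not Microsoft DLLs under C:\Windows. The two embedded logs are constructed from the log format posted above: CLEAN_LOG mirrors the posted log, SUSPECT_LOG has one tampered setting in each area. The script name and the section titles it matches on are taken from the posted log; anything else (the sample paths, the 198.51.100.7 hosts entry) is made up for the demonstration.

```python
"""Added example, not MiniToolBox code: first-pass triage of a MiniToolBox log."""
import re
import sys

# A section header looks like "===== Title: =====" (the colon is optional).
SECTION_RE = re.compile(r"^=+\s*(?P<title>[^=]+?):?\s*=+\s*$")

# e.g. "Catalog5 01 C:\Windows\SysWOW64\NLAapi.dll [52224] (Microsoft Corporation)"
WINSOCK_RE = re.compile(
    r"^(?:x64-)?Catalog\d+\s+\d+\s+(?P<path>.+?)\s+\[\d+\]\s+\((?P<vendor>[^)]*)\)\s*$"
)
WINDOWS_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")


def split_sections(text):
    """Map each lower-cased section title to the lines beneath it."""
    sections, current = {}, None
    for raw in text.splitlines():
        m = SECTION_RE.match(raw.strip())
        if m:
            current = m.group("title").strip().lower()
            sections[current] = []
        elif current is not None:
            sections[current].append(raw.rstrip())
    return sections


def check_proxy(name, lines):
    """A proxy the user never configured can redirect every browser request."""
    hits = [s for s in (l.strip() for l in lines)
            if s.lower().startswith(("proxy is enabled", "proxy server:"))]
    return [f"{name}: {' / '.join(hits)}"] if hits else []


def check_hosts(lines):
    """Anything beyond the loopback mappings overrides DNS for that name."""
    findings = []
    for line in lines:
        s = line.strip()
        if not s or s.startswith("#"):
            continue
        parts = s.split()
        if len(parts) >= 2 and parts[0] in ("127.0.0.1", "::1") and parts[1] == "localhost":
            continue
        findings.append(f"hosts override: {s}")
    return findings


def check_winsock(lines):
    """An LSP sees every socket call; a clean box lists only Microsoft DLLs in C:\\Windows."""
    findings = []
    for line in lines:
        m = WINSOCK_RE.match(line.strip())
        if not m:
            continue
        path, vendor = m.group("path"), m.group("vendor")
        # Check the path as well as the publisher: version-info strings are easy to forge.
        if not path.lower().startswith(WINDOWS_DIRS) or vendor != "Microsoft Corporation":
            findings.append(f"non-Microsoft Winsock provider: {path} ({vendor or 'no publisher'})")
    return findings


def triage(text):
    """Return human-readable findings; an empty list means nothing was flagged."""
    sec = split_sections(text)
    findings = []
    findings += check_proxy("IE proxy", sec.get("ie proxy settings", []))
    findings += check_proxy("Firefox proxy", sec.get("ff proxy settings", []))
    findings += check_hosts(sec.get("hosts content", []))
    findings += check_winsock(sec.get("winsock entries", []))
    return findings


# Constructed sample, mirroring the clean log posted in the thread (empty hosts section).
CLEAN_LOG = r"""
========================= IE Proxy Settings: ==============================

Proxy is not enabled.
No Proxy Server is set.
========================= Hosts content: =================================
========================= IP Configuration: ================================
========================= Winsock entries =====================================

Catalog5 01 C:\Windows\SysWOW64\NLAapi.dll [52224] (Microsoft Corporation)
x64-Catalog9 01 C:\Windows\System32\mswsock.dll [327168] (Microsoft Corporation)
========================= Event log errors: ===============================
"""

# Constructed sample with one tampered setting in each area.
SUSPECT_LOG = r"""
========================= IE Proxy Settings: ==============================

Proxy is enabled.
Proxy Server: http=127.0.0.1:8080
========================= Hosts content: =================================
127.0.0.1       localhost
198.51.100.7    www.example-bank.test
========================= IP Configuration: ================================
========================= Winsock entries =====================================
Catalog5 01 C:\Windows\SysWOW64\NLAapi.dll [52224] (Microsoft Corporation)
Catalog9 02 C:\Users\Owner\AppData\Roaming\netsvc\lsp.dll [18432] ()
========================= Event log errors: ===============================
"""

if __name__ == "__main__":
    # Pass the path of the saved MiniToolBox log; with no argument the suspect sample is used.
    text = open(sys.argv[1], encoding="utf-8", errors="replace").read() if len(sys.argv) > 1 else SUSPECT_LOG
    for finding in triage(text) or ["nothing flagged"]:
        print(finding)
```

An empty hosts section, as in the posted log where the Hosts header is immediately followed by the IP Configuration header, yields no finding, and all of the posted Winsock entries are Microsoft DLLs under System32 or SysWOW64, so the posted log comes back clean. The publisher column in a MiniToolBox log is taken from the DLL's version information, which any file can claim, so the path check is the one that actually matters; a Microsoft-branded DLL living under a user profile is the classic hijacked LSP.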


#5 LionessLeona (Topic Starter)

Posted 18 December 2015 - 01:26 PM

I was having issues before and I had Geek Squad remote-access my computer. All he needed to do was hook up a wireless printer I was having issues with. By the time I got back home my computer was completely disabled and none of the links worked to my files or anything. The local store had me bring in the computer and they determined the HD was bad and they replaced it. The system was 32-bit and they replaced it with 64-bit. (idk if this is an issue or not) They took all the info from the old HD and saved it on their server, then put it into the new HD. I am not sure if anything I am saying is helpful info, but I wanted to let you know in case it is.

 

I was looking at the MiniToolBox report and was concerned about a few things. What about where it says it has Application errors, System errors, and Microsoft Office errors? That isn't a problem? Also, under "Wireless LAN adapter Wireless Network Connection:" there is something about a license. What does that mean and why is it saying it expires on Christmas Eve? Is this something I should worry about?

 

The Dropbox and the Mozilla browser had the download icon that was downloaded by the Geek Squad agent. I am finding now that isn't the only thing that is affected. All of my updates for Windows have the same icon. I found Skype also had the icon, but now it has changed. Not sure how or why, but it no longer has that icon; it is normal now. I took a screen print of the updates. (I will put them on Imgur because I cannot figure out how to put pictures on here.) http://imgur.com/On8GkYv this is the one for Skype

http://imgur.com/iGWhpmt  This is what my windows updates look like.  

 

I scanned the files with VirusTotal. This is one of the links, to a program I use to play a game. https://www.virustotal.com/en/file/1029d92a67acc9a2e5107dea540817253affafed71d04e13ccc65ffbf1e5257a/analysis/1450460998/

 

This is from the Dropbox installer from my downloads

https://www.virustotal.com/en/file/b2176cd3fa29e7ed60ca823210b47e2c36343fc6e3b59ad00f61269062fbc930/analysis/1450461186/

 

This is from the mozilla browser setup

https://www.virustotal.com/en/file/40460e9ceeb06fd0710e3f80a67a5c6cbc610e4b481396c2bc6dbac74540a586/analysis/1450461327/

 

I had several others but I have deleted them. I also have been trying to find a CCleaner download, but every one I come across has something wrong with it once I download it. I have been scanning everything with VirusTotal before I download and after. Once I download it, the thing always comes up dirty. Like I said, I am not computer savvy, so maybe they need these things to run, but I am very unsure about downloading anything. Also, at times nothing will open and my processes will go up to 100%; they jump back and forth. Other times it will run at like 2% at idle. It seems something is running in the background.



#6 Aura (Malware Response Team)

Posted 18 December 2015 - 02:17 PM

The system was a 32 bit and they replaced it with a 64 bit. (idk if this is an issue or not)


It isn't an issue, but considering you have under 4GB of RAM, you would have been better set with 32-bit, but it's good.

I was looking at the minitool box report and was concerned about a few things. What about where it says it has Application errors, system errors, and Microsoft office errors? That isn't a problem? Also the Wireless LAN adapter wireless network connection: under that there is something about a license, What does that mean and why is it saying it expires on Christmas Eve? Is this something I should worry about?


For the network, I guess you are talking about the "Lease Expires" line. This has nothing to do with a licence for your network or adapter, don't worry. It has to do with networking and local network connections. You can also ignore the "errors" you see in the Event Log, since they are not critical and don't affect your system in any way as of now.

The dropbox and it was Mozilla browser had the download icon that was downloaded by the Geek Squad agent. I am finding now that isnt the only things that are affected. All of my updates for windows have the same icon. I found Skype also had the icon but now it has changed. Not sure how or why but it no longer has that icon it is normal now. The updates I took a screen print of it. (i will put them on Imgur because I cannot figure out how to put pictures on here). http://imgur.com/On8GkYv this is the one for Skype
http://imgur.com/iGWhpmt This is what my windows updates look like.


I don't understand what you mean here. In the first screenshot, I can see that you are showing me the content of your Downloads folder; what am I supposed to look at? In your second screenshot, you're showing me your list of installed updates; what am I supposed to look at again? For now, both the folder and the update history look fine to me.

I scanned the files with virustotal this is one of the links to a program i use to play a game. https://www.virustotal.com/en/file/1029d92a67acc9a2e5107dea540817253affafed71d04e13ccc65ffbf1e5257a/analysis/1450460998/

This is from dropbox installer from my downloads
https://www.virustotal.com/en/file/b2176cd3fa29e7ed60ca823210b47e2c36343fc6e3b59ad00f61269062fbc930/analysis/1450461186/

This is from the mozilla browser setup
https://www.virustotal.com/en/file/40460e9ceeb06fd0710e3f80a67a5c6cbc610e4b481396c2bc6dbac74540a586/analysis/1450461327/

I had several others but I have deleted them. I also have been trying to find a CCleaner download but everyone i come across one, it has something wrong with it once i download it. I have been scanning everything with virustotal before i download and after. Once i download it the thing always comes up dirty. Like I said I am not computer savvy so maybe they need these things to run but i am very unsure about downloading anything.


These files are legitimate. This is what we call a "false positive" in the security industry. A false positive is when a legitimate file, process, etc. is flagged as malicious by a security vendor, but isn't. When this happens, usually the users report the false positive to the vendor, which then adjusts its detection mechanism so the file or process isn't flagged anymore. Right now, the false positives all come from not-so-popular antivirus products, and unknown ones as well, so I wouldn't worry about it.

My processes also at times, nothing will open and they will go up to 100%, they jump back and forth. Other times it will run at like 2% at idle. It seems something is running in the background.


It's normal for processes to run in the background (and services as well), otherwise, Windows wouldn't work. This being said, sometimes when you open the Task Manager, you'll see a process using a lot of CPU or RAM, but it calms down quickly after. There's no real way to know what causes this, but most of the time, there's nothing wrong with the process. If a process keeps on using a lot of CPU and RAM for a long, sustained time, then that's another story.

Security Administrator | Sysnative Windows Update Senior Analyst | Malware Hunter | @SecurityAura
My timezone UTC-05:00 (East. Coast). If I didn't reply to you within 48 hours, please send me a PM.
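The distinction Aura draws above, a short spike versus sustained load, can be measured rather than eyeballed in Task Manager. The following PowerShell script is an added example and is not from this thread or from any tool the helpers use. It assumes an English Windows install (the `\Processor(_Total)\% Processor Time` counter name is localized on other languages), and the 60-second window and 80% threshold are constructed defaults, not values from the post. Saving it as a hypothetical `Watch-Cpu.ps1` and running it from an elevated prompt lets it read the CPU time of processes owned by other accounts as well.

```powershell
# Added example (not from the thread): tell a brief CPU spike from sustained load.
# Samples total CPU use once per second for $Seconds seconds, reports what fraction
# of samples sat above $Threshold percent, and if the load was sustained lists the
# processes that consumed the most CPU time during the window.
param(
    [int]$Seconds   = 60,   # constructed default
    [int]$Threshold = 80    # constructed default, percent
)

# Counter name is localized on non-English Windows; adjust if Get-Counter fails.
$counter = '\Processor(_Total)\% Processor Time'

# Snapshot per-process CPU time before sampling so the delta can be measured.
# TotalProcessorTime throws for processes we are not allowed to inspect.
$before = @{}
Get-Process | ForEach-Object {
    try { $before[$_.Id] = $_.TotalProcessorTime.TotalSeconds } catch { }
}

$samples = @((Get-Counter -Counter $counter -SampleInterval 1 -MaxSamples $Seconds).CounterSamples |
    ForEach-Object { [math]::Round($_.CookedValue, 1) })

$high     = @($samples | Where-Object { $_ -ge $Threshold })
$fraction = $high.Count / $samples.Count
$max      = ($samples | Measure-Object -Maximum).Maximum

"Samples: $($samples.Count)  Peak: $max%  Above $Threshold%: $($high.Count) samples"

if ($fraction -ge 0.5) {
    "Sustained high CPU: >= $Threshold% in $([int]($fraction * 100))% of samples. Top consumers during the window:"
    Get-Process | ForEach-Object {
        try {
            $now   = $_.TotalProcessorTime.TotalSeconds
            $start = if ($before.ContainsKey($_.Id)) { $before[$_.Id] } else { 0 }
            [pscustomobject]@{
                Name    = $_.ProcessName
                Id      = $_.Id
                CpuSecs = [math]::Round($now - $start, 1)
                Path    = $_.Path
            }
        } catch { }   # skip protected/system processes we cannot read
    } | Sort-Object CpuSecs -Descending | Select-Object -First 10 | Format-Table -AutoSize
} else {
    "No sustained load: spikes that settle within a few seconds are normal background activity."
}
```

A process that tops the list every time the script reports sustained load is worth identifying by its `Path` column; a different process each run, or no sustained load at all, matches the "calms down quickly" case described in the reply.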


#7 LionessLeona

Posted 18 December 2015 - 07:08 PM

If you look at the icons in the Imgur pictures, all of the updates have the same symbol as the printer had when he downloaded it. Every so often my programs will change to the same icon. The updates are the worst because there are over 257 updates and they all have the same icon at the beginning. If you look at the Skype Imgur it also has the same icon. I am seeing them change, as I said, every once in a while.


The guy at Geek Squad told me that the processes being that high meant the motherboard was possibly going, and that if they hooked it up to see if there was another virus it would either blow the motherboard or possibly a chip. It depends; sometimes when I turn on the computer it does have high processes constantly, but other times it is lower, around 2% to about 40%. When they are high at idle it is around 70% to 100%, and to stop it from doing this I have to shut it down. It seems to be the only thing that works. It is good to know that things seem OK from your side of things, but I am worried about the changing icons for programs though. If I can catch more I will screen print them as well.



#8 LionessLeona

Posted 19 December 2015 - 10:16 PM

I am not sure what is wrong but something is wrong. I have had to reinstall programs and all kinds of stuff today that wouldn't work. It started with a pop-up that said the RPC server was unavailable. I am not sure what that is, but I couldn't open anything from downloads or pictures or control panel. I had to shut it off and restart it. idk what is going on but something isn't right.



#9 Aura

Posted 20 December 2015 - 09:25 AM

If you look at the icons in the Imgur pictures, all of the updates have the same symbol as the printer had when he downloaded it. Every so often my programs will change to the same icon. The updates are the worst because there are over 257 updates and they all have the same icon at the beginning. If you look at the Skype Imgur it also has the same icon. I am seeing them change, as I said, every once in a while.


It's normal for Windows Updates to have that icon. This is the default icon on Windows for an executable file. It's like that on every single Windows system. So there's nothing wrong here :) Also, if you are talking about the "SkypeSetupFull" icon, this is normal as well. This is the installer for Skype, and not the actual Skype executable, so it has a normal icon as well.

The guy at Geek Squad told me that the processes being that high meant the motherboard was possibly going and that if they hooked it up to see if there was another virus that it would either blow the motherboard or possibly a chip.


It seems like your local Geek Squad are ignorant, sorry to tell you that. What he told you doesn't make sense at all, nor is it true. In the future, if you need assistance with your computer, I suggest you post here on BleepingComputer, or ask a friend and/or relative who knows his way around computers.

I am not sure what is wrong but something is wrong. I have had to reinstall programs and all kinds of stuff today that wouldn't work. It started with a pop-up that said the RPC server was unavailable. I am not sure what that is, but I couldn't open anything from downloads or pictures or control panel. I had to shut it off and restart it. idk what is going on but something isn't right.


To me, it seems like your local Geek Squad didn't reinstall Windows properly, on top of making it 64-bit and not 32-bit. Isn't there a friend or relative that could reinstall Windows for you? Someone who knows what he's doing?



#10 LionessLeona

Posted 20 December 2015 - 05:43 PM

OK, I kept seeing this icon everywhere so I thought something was wrong. It was the same icon that was on the printer when Geek Squad installed the printer to the computer. Yea, that is what I was wondering. I didn't think them installing a 64-bit was a good thing. No, I don't know anyone to reinstall it. Thanks so much for your help. I thought this was the problem in the beginning. I also saw that this Chrome browser is a huge problem. Every time I open it the processes go to 100%; as long as I don't open it the processes stay well under 50% and under. Not sure what that means but it doesn't seem good. Is it possible my Gmail is infected that I have hooked to the Chrome? I'm not sure if this is possible, but I'm trying to figure out what the problem is and I am questioning everything.



#11 LionessLeona

Posted 20 December 2015 - 07:50 PM

I am sorry for the second post but I forgot to ask about the Windows. Is it because of all of the errors that were found in the report above, or the RPC server not working, or both? Are those errors related to the Windows installation? Another question is, when they installed the 64-bit HD, did that mess up things as well? Could they have installed a 32-bit with less problems, or what is your opinion? I noticed they installed a 32-bit Office suite as well. Is this an issue? My roommate paid them good money for insurance and that is why I went to them, because it covered three computers, plus I have no family and my friends know nothing about computers.



#12 Aura

Posted 21 December 2015 - 07:53 AM

The Google Chrome issue is because of your 64-bit installation. When you run 32-bit programs (like Google Chrome) under a 64-bit version of Windows, these processes have to be emulated to be compatible, therefore they take more resources than if they were run natively in 64-bit. Since Google Chrome is a multi-process program (one process for every open tab, extension and plug-in, on top of sandboxing them) and you are running the 32-bit version of it, it's "normal" for it to take all your resources when you open it, because it uses a lot of them. You aren't infected.

Also, I suspect all your errors (like the RPC one) are caused by a bad installation/restore of Windows, which was done by the Geek Squad. And they didn't make a good call by installing a 64-bit version of Windows on a computer with these specs. It's okay for them to have installed the 32-bit version of Office, since the 64-bit version of Office 2010 is known to be unstable; even Microsoft recommends the 32-bit version. Starting in Office 2013, the 64-bit version is quite good.



#13 LionessLeona

Posted 21 December 2015 - 11:25 PM

OK, thank you so much for your help and knowledge. Is there anything I can do to make the system perform better? I have spoken to the manager at GS and I have told them about their mistake; honestly, I am scared to take it back to them haha ...anyway, is there anything I can do to optimize the computer and make the performance better? Please let me know. So the errors I had in MiniToolBox, are they from the Windows being installed improperly? If so, would reinstalling it be advisable? I have also complained about the 64-bit HD as well. They wanted me to bring it in today, but I wanted to ask your opinion since I am not very computer savvy.



#14 Aura

Posted 22 December 2015 - 06:27 AM

The only thing you can do within your range of skills and knowledge is to uninstall Google Chrome 32-bit, and install the 64-bit version of it. And in the future, if you have to install any program, check if there's a 64-bit version of it as well, and if there is, install it. Your Pale Moon is also 32-bit, so you would have to uninstall it and install the 64-bit version of it.

And no, the errors in your Event Viewer are pretty much normal; these are "common" errors (not really errors if you ask me, more like warnings) that occur on a lot of systems. Also, your "hard drive" (if that's what you meant by HD) isn't 64-bit, your Windows installation is. So they would have to format the current Windows install, and reinstall Windows 32-bit from scratch on it. Ideally, they would proceed as follows.
  • Back-up all your data and make sure there's nothing else you want to keep on your computer;
  • Proceed to format the hard drive (can be done during the Windows installation) and install Windows 7 32-bit on it;
  • Install your missing drivers;
  • Install your Windows Updates (all of them, takes a couple of restarts and a few hours);
  • Install Microsoft Office 2010 (but you could install it yourself);
  • Install Kaspersky (but you could install it yourself);
  • Put back the data they backed up on your new installation;
For the rest, you could just come back here and I, or another helper, would assist you with the rest. Like installing Skype, your printer, etc.

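Aura's advice to check each installed program for a 64-bit build can be done in one pass instead of program by program. The PowerShell script below is an added example, not something from this thread or from the helper's toolkit. It relies on a documented behaviour of 64-bit Windows: uninstall entries written by 32-bit installers land under the `WOW6432Node` registry branch, while 64-bit installers use the native `Uninstall` key. Per-user installs under `HKCU` (Google Chrome is commonly one) cannot be classified this way and are labelled as such. The column names and the hidden-entry filter on `SystemComponent` are conventional uninstall-key values, not anything taken from the post.

```powershell
# Added example (not from the thread): list installed programs on 64-bit Windows
# and flag the 32-bit ones so they can be replaced with 64-bit builds where available.
# 32-bit installers register under WOW6432Node; 64-bit ones under the native key.
$keys = @(
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall';             Arch = '64-bit' },
    @{ Path = 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall'; Arch = '32-bit' },
    @{ Path = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall';             Arch = 'per-user (unknown)' }
)

if (-not [Environment]::Is64BitOperatingSystem) {
    Write-Warning 'This is a 32-bit Windows installation; there is no WOW6432Node branch to inspect.'
}

$programs = foreach ($k in $keys) {
    if (-not (Test-Path $k.Path)) { continue }
    Get-ChildItem $k.Path | ForEach-Object {
        $p = Get-ItemProperty $_.PSPath
        # Skip entries without a display name and hidden system components.
        if ($p.DisplayName -and -not $p.SystemComponent) {
            [pscustomobject]@{
                Name      = $p.DisplayName
                Version   = $p.DisplayVersion
                Publisher = $p.Publisher
                Arch      = $k.Arch
            }
        }
    }
}

$programs | Sort-Object Arch, Name | Format-Table -AutoSize

$thirtyTwo = @($programs | Where-Object Arch -eq '32-bit')
"$($thirtyTwo.Count) of $($programs.Count) entries are 32-bit programs; check each for a 64-bit build."
```

Entries tagged `32-bit` are the candidates Aura describes (a 32-bit Chrome or Pale Moon would appear there); a 32-bit Office 2010, as the reply notes, is a deliberate choice and not something to swap out.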
