
Miight have something in start-up not letting me use virus scan


This topic is locked.
18 replies to this topic

#1 jfoxxtail (Members)

Posted 05 December 2016 - 08:59 PM

I have some windows that pop up and they do not seem authentic windows. I think there is something blocking me from using Housecall.




#2 nasdaq (Malware Response Team)

Posted 06 December 2016 - 09:59 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

Download Malwarebytes' Anti-Malware from Here

Double-click mbam-setup-2.X.X.XXXX.exe to install the application (X's are the current version number).
  • Make sure a checkmark is placed next to Launch Malwarebytes' Anti-Malware, then click Finish.
  • Once MBAM opens, when it says Your databases are out of date, click the Fix Now button.
  • Click the Settings tab at the top, and then in the left column, select Detections and Protections, and if not already checked place a checkmark in the selection box for Scan for rootkits.
  • Click the Scan tab at the top of the program window, select Threat Scan and click the Scan Now button.
  • If you receive a message that updates are available, click the Update Now button (the update will be downloaded, installed, and the scan will start).
  • The scan may take some time to finish, so please be patient.
  • If potential threats are detected, ensure that Quarantine is selected as the Action for all the listed items, and click the Apply Actions button.
  • While still on the Scan tab, click the link for View detailed log, and in the window that opens click the Export button, select Text file (*.txt), and save the log to your Desktop.
  • The log is automatically saved by MBAM and can also be viewed by clicking the History tab and then selecting Application Logs.
POST THE LOG FOR MY REVIEW.

Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately.

===

Please download AdwCleaner by Xplode onto your Desktop.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click the Scan button and wait for the process to complete.
  • Click the LogFile button and the report will open in Notepad.
IMPORTANT
  • If you click the Clean button all items listed in the report will be removed.
If you find some false positive items or programs that you wish to keep, Close the AdwCleaner windows.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click the Scan button and wait for the process to complete.
  • Check off the element(s) you wish to keep.
  • Click on the Clean button and follow the prompts.
  • A log file will automatically open after the scan has finished.
  • Please post the content of that log file with your next answer.
  • You can find the log file at C:\AdwCleanerCx.txt (x is a number).
===

Download the version of this tool for your operating system.
Farbar Recovery Scan Tool (64 bit)
Farbar Recovery Scan Tool (32 bit)
and save it to a folder on your computer's Desktop.
Double-click to run it. When the tool opens click Yes to disclaimer.
Press Scan button.
It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply.

How to attach a file to your reply:
In the Reply section at the bottom of the topic, click the "More Reply Options" button.

Attach the file.
Select the "Choose a File" navigate to the location of the File.
Click the file you wish to Attach.

Click the Add reply button.
===


Please post the logs.

Let me know what problems persist.
==============================

#3 jfoxxtail (Topic Starter)

Posted 07 December 2016 - 12:11 AM

Attached File: FRST.txt (90.46KB)
Attached File: Addition.txt (39.1KB)
Attached File: hijackthis.log (10.82KB)



#4 nasdaq (Malware Response Team)

Posted 07 December 2016 - 08:31 AM

If this program was not installed by you remove it via the Control Panel > Programs > Programs and Features.
PRO PC Cleaner (HKLM-x32\...\PRO PC Cleaner) (Version: 3.0.5 - PRO PC Cleaner) <==== ATTENTION
===

Press the Windows key + R on your keyboard at the same time. This will open the RUN BOX.
Type Notepad and click the OK key.

Please copy the entire contents of the code box below to a new file.
 
Start

CreateRestorePoint:
EmptyTemp:
CloseProcesses:

IFEO\agentpackage.exe: [Debugger] C:\Program Files (x86)\IObit\Advanced SystemCare Ultimate\AutoReactivator.exe
IFEO\avbugreport.exe: [Debugger] C:\Program Files (x86)\IObit\Advanced SystemCare Ultimate\AutoReactivator.exe
IFEO\BSTGameLauncher.exe: [Debugger] C:\Program Files (x86)\IObit\Advanced SystemCare Ultimate\AutoReactivator.exe
IFEO\COMScore.exe: [Debugger] C:\Program Files (x86)\IObit\Advanced SystemCare Ultimate\AutoReactivator.exe
IFEO\GameConsole-wt.exe: [Debugger] C:\Program Files (x86)\IObit\Advanced SystemCare Ultimate\AutoReactivator.exe
IFEO\GameConsole.exe: [Debugger] C:\Program Files (x86)\IObit\Advanced SystemCare Ultimate\AutoReactivator.exe
IFEO\GameLauncher.exe: [Debugger] C:\Program Files (x86)\IObit\Advanced SystemCare Ultimate\AutoReactivator.exe
IFEO\GameLicensing.exe: [Debugger] C:\Program Files (x86)\IObit\Advanced SystemCare Ultimate\AutoReactivator.exe
IFEO\GamesAppIntegrationService.exe: [Debugger] C:\Program Files (x86)\IObit\Advanced SystemCare Ultimate\AutoReactivator.exe
IFEO\GamesAppService.exe: [Debugger] C:\Program Files (x86)\IObit\Advanced SystemCare Ultimate\AutoReactivator.exe
IFEO\glcheck.exe: [Debugger] C:\Program Files (x86)\IObit\Advanced SystemCare Ultimate\AutoReactivator.exe
IFEO\HD-InstallChecker.exe: [Debugger] C:\Program Files (x86)\IObit\Advanced SystemCare Ultimate\AutoReactivator.exe
IFEO\maintenanceservice.exe: [Debugger] C:\Program Files (x86)\IObit\Advanced SystemCare Ultimate\AutoReactivator.exe
IFEO\MUILink.exe: [Debugger] C:\Program Files (x86)\IObit\Advanced SystemCare Ultimate\AutoReactivator.exe
IFEO\NativeUserProxy.exe: [Debugger] C:\Program Files (x86)\IObit\Advanced SystemCare Ultimate\AutoReactivator.exe
IFEO\PatchHelper.exe: [Debugger] C:\Program Files (x86)\IObit\Advanced SystemCare Ultimate\AutoReactivator.exe
IFEO\Restore.exe: [Debugger] C:\Program Files (x86)\IObit\Advanced SystemCare Ultimate\AutoReactivator.exe
IFEO\ScreenOrientationx64.exe: [Debugger] C:\Program Files (x86)\IObit\Advanced SystemCare Ultimate\AutoReactivator.exe
IFEO\secureline.exe: [Debugger] C:\Program Files (x86)\IObit\Advanced SystemCare Ultimate\AutoReactivator.exe
IFEO\ShortcutHlp.exe: [Debugger] C:\Program Files (x86)\IObit\Advanced SystemCare Ultimate\AutoReactivator.exe
IFEO\vpnsvc.exe: [Debugger] C:\Program Files (x86)\IObit\Advanced SystemCare Ultimate\AutoReactivator.exe
ShellIconOverlayIdentifiers: [00avast] -> {472083B0-C522-11CF-8763-00608CC02F24} =>  No File
ShellIconOverlayIdentifiers-x32: [ SkyDrivePro1 (ErrorConflict)] -> {8BA85C75-763B-4103-94EB-9470F12FE0F7} =>  No File
ShellIconOverlayIdentifiers-x32: [ SkyDrivePro2 (SyncInProgress)] -> {CD55129A-B1A1-438E-A425-CEBC7DC684EE} =>  No File
ShellIconOverlayIdentifiers-x32: [ SkyDrivePro3 (InSync)] -> {E768CD3B-BDDC-436D-9C13-E1B39CA257B1} =>  No File
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
CHR Extension: (Chrome Web Store Payments) - C:\Users\removevirus\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2016-11-30]
CHR Extension: (Chrome Media Router) - C:\Users\removevirus\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm [2016-11-30]
S4 HP LaserJet Service;  [X]
S4 Intel(R) Security Assist;  [X]
S4 isaHelperSvc;  [X]
S4 SecurityService;  [X]
U0 aswVmm; no ImagePath
S3 MFE_RR; \??\C:\Users\removevirus\AppData\Local\Temp\mfe_rr.sys [X]
AlternateDataStreams: C:\Users\Debbie\Downloads\DCF6.tmp:BDU [0]
AlternateDataStreams: C:\Users\removevirus\Downloads\HousecallLauncher64.exe:BDU [0]
C:\Users\removevirus\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda
C:\Users\removevirus\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm

End
Save the file as fixlist.txt in the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the Farbar log you have submitted.

Run FRST and click Fix only once and wait.

Restart the computer normally to reset the registry.

The tool will create a log (Fixlog.txt) please post it to your reply.
===

Temporarily disable your AV program so it does not interfere.
Info on how to disable your security applications How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs - Security Mini-Guides.

Download Zoek tool from here

When the download appears, save to the Desktop.
On the Desktop, right-click the Zoek.exe file and select: Run as Administrator
(Give it a few seconds to appear.)

Next, copy/paste the entire script inside the code box below to the input field of Zoek:
createsrpoint;
autoclean;
emptyalltemp;
ipconfig /flushdns;
Now...
Close any open Browsers.
Click the Run script button, and wait. It takes a few minutes to run the whole script.

When the tool finishes, the zoek-results.log is opened in Notepad.
The log is also found on the systemdrive, normally C:\
If a reboot is needed, the log is opened after the reboot.

Please attach the zoek-results.log in your reply.
===

Also, please provide an update on how the computer is behaving after running the above script.


Please let me know what problem persists with this computer.
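The IFEO\...: [Debugger] lines in the fixlist above are Image File Execution Options entries: a Debugger value under that key makes Windows start the named program in place of the original executable, which is why a product registering itself for twenty-odd unrelated executables ends up on the fix list. The following read-only PowerShell audit is an added example, not part of the thread or of the FRST tool; it lists every Debugger value on the machine and flags those whose executable is not on an assumed allow-list of standard debuggers (extend that list for your own environment).

```powershell
# Added example (not from the thread): audit Image File Execution Options
# "Debugger" values, the mechanism behind the IFEO lines in the FRST fixlist.
# Read-only: it reports entries and changes nothing.

$ifeoKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
)

# Assumed allow-list of debuggers that legitimately register here; extend as needed.
$knownDebuggers = @('vsjitdebugger.exe', 'ntsd.exe', 'cdb.exe', 'windbg.exe', 'drwtsn32.exe')

function Get-IfeoDebuggerEntries {
    foreach ($root in $ifeoKeys) {
        if (-not (Test-Path -LiteralPath $root)) { continue }
        foreach ($sub in Get-ChildItem -LiteralPath $root -ErrorAction SilentlyContinue) {
            $debugger = (Get-ItemProperty -LiteralPath $sub.PSPath -Name 'Debugger' `
                             -ErrorAction SilentlyContinue).Debugger
            if ([string]::IsNullOrWhiteSpace($debugger)) { continue }

            # The value may be an unquoted path with spaces (as in the fixlist above)
            # or a quoted path followed by arguments, so extract the first *.exe token.
            $leaf = if ($debugger -match '([^\\"]+\.exe)') { $matches[1] } else { $debugger }

            [pscustomobject]@{
                Target     = $sub.PSChildName          # executable being hijacked/redirected
                Debugger   = $debugger                 # program Windows will launch instead
                Suspicious = ($knownDebuggers -notcontains $leaf.ToLower())
                Hive       = $root
            }
        }
    }
}

Get-IfeoDebuggerEntries | Sort-Object Suspicious -Descending | Format-Table -AutoSize
```

Entries marked Suspicious are candidates for review; on the machine in this thread each of the IObit lines would be reported with Target set to the redirected executable and Debugger set to AutoReactivator.exe.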

#5 jfoxxtail (Topic Starter)

Posted 08 December 2016 - 06:07 AM

I cannot find directory for FRST. It is only in an exe format on my desktop



#6 jfoxxtail (Topic Starter)

Posted 08 December 2016 - 10:12 AM

 
Zoek.exe v5.0.0.1 Updated 19-September-2016
Tool run by removevirus on Thu 12/08/2016 at  7:07:54.06.
Microsoft Windows 10 Home 10.0.14393  x64
Running in: Normal Mode Internet Access Detected
Launched: C:\Users\removevirus\Desktop\zoek (1).exe [Scan all users] [Script inserted] 
 
==== System Restore Info ======================
 
12/8/2016 7:10:32 AM Zoek.exe System Restore Point Created Successfully.
 
==== Empty Folders Check ======================
 
C:\PROGRA~3\Comms deleted successfully
C:\PROGRA~3\KMSAuto deleted successfully
C:\PROGRA~3\SoftwareDistribution deleted successfully
C:\PROGRA~3\{BE2ACE5C-32B7-4777-9BDF-ECF87CDAB705} deleted successfully
C:\Users\Debbie\AppData\Local\ActiveSync deleted successfully
C:\Users\Debbie\AppData\Local\NetworkTiles deleted successfully
C:\Users\Debbie\AppData\Local\VirtualStore deleted successfully
C:\Users\Debbie\AppData\Local\{B5F70934-5E12-42d2-882D-62D42EA1FA67} deleted successfully
C:\Users\removevirus\AppData\Local\FSDART deleted successfully
C:\Users\removevirus\AppData\Local\NetworkTiles deleted successfully
C:\Users\removevirus\AppData\Local\VirtualStore deleted successfully
C:\WINDOWS\serviceprofiles\networkservice\AppData\Local\Maps deleted successfully
C:\WINDOWS\serviceprofiles\Localservice\AppData\Local\NetworkTiles deleted successfully
 
==== Deleting CLSID Registry Keys ======================
 
 
==== Deleting CLSID Registry Values ======================
 
 
==== Deleting Services ======================


#7 nasdaq (Malware Response Team)

Posted 08 December 2016 - 10:38 AM

Place the fixlist.txt on your desktop and run the Farbar tool as suggested.

p.s.
The DESKTOP is a folder.

Located here.
Running from C:\Users\Debbie\Desktop

#8 jfoxxtail (Topic Starter)

Posted 12 December 2016 - 01:48 PM

 
Zoek.exe v5.0.0.1 Updated 27-09-2015
Tool run by removevirus on Mon 12/12/2016 at 10:32:13.50.
Microsoft Windows 10 Home 10.0.14393  x64
Running in: Safe Mode NETWORK No Internet Access Detected
Launched: C:\Users\Debbie\Desktop\zoek.exe [Scan all users] [Script inserted] 
 
==== Older Logs ======================
 
\zoek-results2016-12-08-144751.log 12223 bytes
\zoek-results2016-12-12-063142.log 6914 bytes
\zoek-results2016-12-12-172648.log 1668 bytes
 
==== System Restore Info ======================
 
==== Empty Folders Check ======================
 
C:\Users\Debbie\AppData\Local\NetworkTiles deleted successfully
 
==== Deleting CLSID Registry Keys ======================
 
 
==== Deleting CLSID Registry Values ======================
 
 
==== Deleting Services ======================
 
 
==== Batch Command(s) Run By Tool======================
 
 
==== Firefox Extensions Registry ======================
 
[HKEY_LOCAL_MACHINE\Software\Mozilla\Firefox\Extensions]
"bdwteffv20@bitdefender.com"="C:\Program Files\Bitdefender\Bitdefender 2017\antispam32\bdwteff" [11/29/2016 01:42 PM]
[HKEY_LOCAL_MACHINE\Software\Wow6432Node\Mozilla\Firefox\Extensions]
"bdwteffv20@bitdefender.com"="C:\Program Files\Bitdefender\Bitdefender 2017\antispam32\bdwteff" [11/29/2016 01:42 PM]
 
==== Chromium Look ======================
 
HKEY_LOCAL_MACHINE\SOFTWARE\Google\Chrome\Extensions
gannpgaobkkhmpomoijebaigcapoeebl - No path found[]
 
Advanced Font Settings - Debbie\AppData\Local\Google\Chrome\User Data\Default\Extensions\caclkomlalccbpcdllchkeecicepbmbm
Bitdefender Wallet - Debbie\AppData\Local\Google\Chrome\User Data\Default\Extensions\gannpgaobkkhmpomoijebaigcapoeebl
Chrome Media Router - Debbie\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm
Bitdefender Wallet - removevirus\AppData\Local\Google\Chrome\User Data\Default\Extensions\gannpgaobkkhmpomoijebaigcapoeebl
 
==== Set IE to Default ======================
 
Old Values:
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
 
New Values:
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
 
==== All HKCU SearchScopes ======================
 
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes
"DefaultScope"="{012E1000-F331-11DB-8314-0800200C9A66}"
{012E1000-F331-11DB-8314-0800200C9A66} Google  Url="http://www.google.com/search?q={searchTerms}"
{0633EE93-D776-472f-A0FF-E1416B8B2E3A} Bing  Url="http://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IE8SRC"
 
==== Empty IE Cache ======================
 
C:\WINDOWS\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5 emptied successfully
C:\Users\Debbie\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 emptied successfully
C:\Users\removevirus\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 emptied successfully
C:\WINDOWS\SysNative\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 emptied successfully
C:\WINDOWS\SysNative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5 emptied successfully
C:\Users\Debbie\AppData\Local\Microsoft\Windows\INetCache\IE emptied successfully
C:\Users\removevirus\AppData\Local\Microsoft\Windows\INetCache\IE emptied successfully
C:\WINDOWS\SysNative\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE emptied successfully
 
==== Empty FireFox Cache ======================
 
No FireFox Profiles found
 
==== Empty Chrome Cache ======================
 
C:\Users\Debbie\AppData\Local\ASUS GIFTBOX\User Data\Default\Cache emptied successfully
C:\Users\Debbie\AppData\Local\Google\Chrome\User Data\Default\Cache emptied successfully
C:\Users\removevirus\AppData\Local\ASUS GIFTBOX\User Data\Default\Cache emptied successfully
C:\Users\removevirus\AppData\Local\Google\Chrome\User Data\Default\Cache emptied successfully
 
==== Empty All Flash Cache ======================
 
No Flash Cache Found
 
==== Empty All Java Cache ======================
 
No Java Cache Found
 
==== C:\zoek_backup content ======================
 
C:\zoek_backup (files=182 folders=39 12076747 bytes)
 
==== Empty Temp Folders ======================
 
C:\Users\Debbie\AppData\Temp emptied successfully
C:\Users\removevirus\AppData\Temp emptied successfully
C:\WINDOWS\Temp will be emptied at reboot
 
==== After Reboot ======================
 
==== Empty Temp Folders ======================
 
C:\WINDOWS\Temp successfully emptied
C:\Users\removevirus\AppData\Local\Temp successfully emptied
 
==== Empty Recycle Bin ======================
 
C:\$RECYCLE.BIN successfully emptied
 
==== EOF on Mon 12/12/2016 at 11:47:07.74 ======================


#9 nasdaq (Malware Response Team)

Posted 12 December 2016 - 02:28 PM

Is the problem persisting?

#10 jfoxxtail (Topic Starter)

Posted 13 December 2016 - 12:53 AM

Yes, I cannot seem to get rid of the phony windows; they always prompt.



#11 nasdaq (Malware Response Team)

Posted 13 December 2016 - 08:04 AM

Run the Farbar tool one more time.

Post fresh FRST and Addition.txt log for my review.

#12 jfoxxtail (Topic Starter)

Posted 14 December 2016 - 12:48 AM

This still comes up in desktop.ini:

 

 
[.ShellClassInfo]
LocalizedResourceName=@%SystemRoot%\system32\shell32.dll,-21787
 
 
I cannot get fixlog, there is a delayed screen that appears stating that Driver Booster cannot start...


#13 nasdaq (Malware Response Team)

Posted 14 December 2016 - 09:30 AM


Delete any occurrences of the Desktop.ini file that contains the lines described earlier.
Locate each of the following folders, right-click the Desktop.ini file (if the file exists in that folder), and then click Open:

drive:\Documents and Settings\All Users\Start Menu\Programs\Startup
drive:\Documents and Settings\All Users\Start Menu\Programs
drive:\Documents and Settings\All Users\Start Menu
where drive is the drive on which Windows is installed.

Verify that the file contains the following lines:
[.ShellClassInfo]
LocalizedResourceName=@%SystemRoot%\system32\shell32.dll,-21787

If the file contains those lines, right-click the file, click Delete, and then click Yes when you are prompted to confirm the deletion.

Restart your computer and verify that the issue is resolved.
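Finding these files by hand is awkward because Desktop.ini carries the Hidden and System attributes and the legacy "Documents and Settings" paths above are junctions on current Windows. The PowerShell below is an added example, not part of the thread; it resolves the Start Menu, Programs and Startup folders for both All Users and the current user, reports which Desktop.ini files contain the two lines quoted in the post, and shows each file's attributes and owner (the usual reasons a delete is refused). It is read-only and deletes nothing, so the result can be reviewed before following the steps above.

```powershell
# Added example (not from the thread): locate Desktop.ini in the Start Menu
# folders named above and report which ones contain the posted lines.
# Read-only: reports attributes and owner, deletes nothing.

# Resolve the All Users and per-user Start Menu locations on this Windows version.
$folderNames = 'CommonStartup', 'CommonPrograms', 'CommonStartMenu',
               'Startup', 'Programs', 'StartMenu'
$folders = foreach ($name in $folderNames) {
    [Environment]::GetFolderPath([Enum]::Parse([Environment+SpecialFolder], $name))
}

function Get-StartMenuDesktopIni {
    foreach ($folder in ($folders | Where-Object { $_ } | Sort-Object -Unique)) {
        $ini = Join-Path $folder 'Desktop.ini'
        # -Force is needed because Desktop.ini is normally Hidden + System.
        $file = Get-Item -LiteralPath $ini -Force -ErrorAction SilentlyContinue
        if (-not $file) { continue }

        $content    = @(Get-Content -LiteralPath $ini -ErrorAction SilentlyContinue)
        $hasSection = $content -contains '[.ShellClassInfo]'
        $hasName    = [bool]($content -match '^LocalizedResourceName=@%SystemRoot%\\system32\\shell32\.dll,-21787$')

        [pscustomobject]@{
            Path               = $ini
            MatchesPostedLines = ($hasSection -and $hasName)
            Attributes         = $file.Attributes
            Owner              = (Get-Acl -LiteralPath $ini).Owner
        }
    }
}

Get-StartMenuDesktopIni | Format-List
```

Run it from an elevated PowerShell window, since the All Users folders under C:\ProgramData are not writable (and in some cases not readable) by a standard user.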

#14 jfoxxtail (Topic Starter)

Posted 14 December 2016 - 10:41 AM

 
[.ShellClassInfo]
LocalizedResourceName=@%SystemRoot%\system32\shell32.dll,-21787
 
was posted at start-up.
 
I try to delete it and it tells me access is denied.


#15 jfoxxtail (Topic Starter)

Posted 14 December 2016 - 10:50 AM

I go to start menu and it tells me access is denied.





