My friend has a poorly running Windows 7 pc. I installed Avast and it “fixed” multiple issues. It still runs horribly slow, if at all. Avast says to create a rescue disc from an uninfected computer. I only have her infected one because all of mine are Macs. Once I reboot her computer you can do ONE thing only, as in opening a file, but then it crashes with a faded out, somewhat white, screen. I tried to run an Avast boot scan and after 6 hours it never got past 0%. Avast found no viruses on the last successful scan. So what do I do now? I read that you can’t even get a rescue disk directly from Avast! What gives? This is horrible!
Are you able to get to safe mode with networking on the computer?
If so then do the following
Please download Farbar Recovery Scan Tool and save it to your Desktop.
Note: You need to run the version compatible with your system. If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.
- Right click to run as administrator (XP users click run after receipt of Windows Security Warning - Open File). When the tool opens click Yes to disclaimer.
- Select additions at the bottom
- Press Scan button.
https://dl.dropboxusercontent.com/u/73555776/frst.JPG
- It will produce a log called FRST.txt in the same directory the tool is run from.
- Please attach both logs generated.
I am hoping to go to her house and try this tomorrow or Friday. Thank you!
The file was downloaded and these are the two files you requested.
Thank you for your help!
After the FRST fix allow the computer to boot to normal mode
CAUTION: This fix is only valid for this specific machine, using it on another may break your computer
Open notepad and copy/paste the text in the quotebox below into it:
CreateRestorePoint:
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
HKU\S-1-5-21-3597405480-2688951806-1060124722-1000\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
ProxyServer: [S-1-5-21-3597405480-2688951806-1060124722-1000] => 127.0.0.1:8118
HKU\S-1-5-21-3597405480-2688951806-1060124722-1000\Software\Microsoft\Internet Explorer\Main,Start Page = https://search.protectedio.com/?u=68426608-4143-e628-bbe4-ce7789520613&c=p1&s=hp&inst=1436052568
SearchScopes: HKLM-x32 -> {20B9D1AE-AD1A-38B4-87FE-AF278DA9861D} URL = https://search.protectedio.com/search.php/?q={searchTerms}&u=68426608-4143-e628-bbe4-ce7789520613&c=p1&s=srch&inst=1436052568
SearchScopes: HKLM-x32 -> {E270AB13-B5EB-44F8-A715-4D8D9BC2A16C} URL = http://www.ask.com/web?q={searchterms}&l=dis&o=ushpl
SearchScopes: HKU\S-1-5-21-3597405480-2688951806-1060124722-1000 -> DefaultScope {20B9D1AE-AD1A-38B4-87FE-AF278DA9861D} URL = https://search.protectedio.com/search.php/?q={searchTerms}&u=68426608-4143-e628-bbe4-ce7789520613&c=p1&s=srch&inst=1436052568
SearchScopes: HKU\S-1-5-21-3597405480-2688951806-1060124722-1000 -> {20B9D1AE-AD1A-38B4-87FE-AF278DA9861D} URL = https://search.protectedio.com/search.php/?q={searchTerms}&u=68426608-4143-e628-bbe4-ce7789520613&c=p1&s=srch&inst=1436052568
SearchScopes: HKU\S-1-5-21-3597405480-2688951806-1060124722-1000 -> {2f23ab71-4ac6-41f2-a955-ea576e553146} URL = https://gosearch.me/?q={searchTerms}&u=7d1dbe5f00a142e368b7e2f64f50a2df&c=up1&src=srch&inst=1435092689
SearchScopes: HKU\S-1-5-21-3597405480-2688951806-1060124722-1000 -> {DC5D0470-72A9-43F3-9C5D-3F520809459C} URL = http://search.avg.com/route/?d=4d8782cd&v=6.11.25.1&i=26&tp=chrome&q={searchTerms}&lng={language}&iy=&ychte=us
BHO-x32: No Name -> {5C255C8A-E604-49b4-9D64-90988571CECB} -> No File
Toolbar: HKLM-x32 - No Name - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File
Toolbar: HKU\S-1-5-21-3597405480-2688951806-1060124722-1000 -> No Name - {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No File
Toolbar: HKU\S-1-5-21-3597405480-2688951806-1060124722-1000 -> No Name - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
FF HKLM-x32\...\Firefox\Extensions: [m3ffxtbr@mywebsearch.com] - C:\Program Files (x86)\MyWebSearch\bar\1.bin
FF HKLM-x32\...\Firefox\Extensions: [KavAntiBanner@Kaspersky.ru] - C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 2011\FFExt\KavAntiBanner@kaspersky.ru
FF HKLM-x32\...\Firefox\Extensions: [linkfilter@kaspersky.ru] - C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 2011\FFExt\linkfilter@kaspersky.ru
FF HKLM-x32\...\Thunderbird\Extensions: [eplgTb@eset.com] - C:\Program Files\ESET\ESET NOD32 Antivirus\Mozilla Thunderbird
FF Extension: No Name - C:\Program Files\ESET\ESET NOD32 Antivirus\Mozilla Thunderbird [2010-06-23]
FF HKU\S-1-5-21-3597405480-2688951806-1060124722-1000\...\Firefox\Extensions: [{e4f94d1e-2f53-401e-8885-681602c0ddd8}] - C:\ProgramData\McAfee Security Scan\Extensions\{e4f94d1e-2f53-401e-8885-681602c0ddd8}.xpi
S2 PrivoxyService; C:\Program Files (x86)\Techsmart Computer\privoxy.exe [371200 2015-07-04] (The Privoxy team - www.privoxy.org) [File not signed] <==== ATTENTION
S2 eamonm; C:\Windows\System32\DRIVERS\eamonm.sys [163888 2010-03-24] (ESET)
2015-07-04 18:29 - 2015-07-06 21:31 - 00003276 _____ C:\Windows\System32\Tasks\Techsmart Computer Task
2015-07-04 18:29 - 2015-07-04 19:12 - 00000000 ____D C:\Users\Roger\AppData\Roaming\InetStat
2015-07-04 18:29 - 2015-07-04 18:29 - 00003662 _____ C:\Windows\System32\Tasks\Personal Computer Security Task
2015-07-04 18:29 - 2015-07-04 18:29 - 00000000 ____D C:\Users\Roger\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\InetStat
2015-07-04 18:29 - 2015-07-04 18:29 - 00000000 ____D C:\Program Files (x86)\Personal Computer Security
2015-07-04 18:27 - 2015-07-04 18:27 - 00070144 _____ C:\Windows\SysWOW64\tasks.dll
2015-06-23 19:03 - 2015-06-23 19:03 - 00003126 _____ C:\Windows\System32\Tasks\{768B4973-B6C4-423E-A6CF-4B187DAA68C7}
2015-06-23 15:56 - 2015-07-05 15:56 - 00000328 _____ C:\Windows\Tasks\Chromium.job
2015-06-23 15:56 - 2015-06-23 15:56 - 00003268 _____ C:\Windows\System32\Tasks\Chromium
2015-06-23 15:55 - 2015-07-05 16:29 - 00000000 ____D C:\Users\Roger\AppData\Local\Chromium
2015-06-23 15:54 - 2015-06-23 19:04 - 00000000 ____D C:\Users\Roger\AppData\Roaming\uTorrent
2015-06-23 15:53 - 2015-06-23 15:53 - 00000000 ____D C:\Users\Roger\AppData\Roaming\0V1L2Z2Z1T1I1L1T
2015-06-23 15:33 - 2015-07-04 19:12 - 00000000 ____D C:\Users\Roger\AppData\Roaming\Updater
2015-06-23 15:33 - 2015-06-23 15:33 - 00000000 ____D C:\Program Files (x86)\Techsmart Computer
2015-06-23 15:33 - 2015-06-23 15:33 - 00000000 _____ C:\Users\Roger\AppData\Roaming\6F95.tmp
2015-06-13 11:00 - 2014-11-14 12:15 - 00000000 __SHD C:\Users\Roger\AppData\Local\EmieBrowserModeList
2015-06-13 11:00 - 2014-04-24 02:26 - 00000000 __SHD C:\Users\Roger\AppData\Local\EmieUserList
2015-06-13 11:00 - 2014-04-24 02:26 - 00000000 __SHD C:\Users\Roger\AppData\Local\EmieSiteList
2011-03-17 22:36 - 2011-03-19 22:54 - 0008514 ___SH () C:\Users\Roger\AppData\Local\1368123653
2011-03-17 22:36 - 2011-03-17 22:38 - 0008576 ___SH () C:\ProgramData\1368123653
AS: ESET NOD32 Antivirus 4.2 (Disabled - Out of date) {706E6083-750B-B597-533E-5FF310EF4B18}
Task: {0BE9106F-5254-45E8-8487-32A5727C4A5E} - System32\Tasks\Techsmart Computer Task => C:\Program Files (x86)\Techsmart Computer\ittask.exe [2015-07-04] (SecureSoft)
Task: {28480C99-2BAB-46B3-ACDE-0D3B6C0DD64C} - System32\Tasks\Chromium => C:\Users\Roger\AppData\Local\Chromium\APPLIC~1\450242~1.0\INSTAL~1\UNINST~1.EXE
Task: {8ADBF20A-BB75-41B7-84E7-B66C5CF1AAE4} - System32\Tasks\{768B4973-B6C4-423E-A6CF-4B187DAA68C7} => pcalua.exe -a C:\Users\Roger\AppData\Roaming\uTorrent\uTorrent.exe -c /UNINSTALL
Task: {B65BA222-A64A-4D17-8450-79FB1BF1640A} - System32\Tasks\Personal Computer Security Task => C:\Program Files (x86)\Personal Computer Security\Personal ComputerSecurity.exe [2015-07-04] (Secure Updater)
Task: C:\Windows\Tasks\Chromium.job => C:\Users\Roger\AppData\Local\Chromium\APPLIC~1\450242~1.0\INSTAL~1\UNINST~1.EXE
C:\Program Files (x86)\Techsmart Computer
C:\Program Files (x86)\MyWebSearch
C:\Program Files (x86)\Kaspersky Lab
C:\Program Files\ESET
C:\ProgramData\McAfee Security Scan
C:\Users\Roger\AppData\Local\Chromium
C:\Program Files (x86)\Personal Computer Security
CMD: netsh advfirewall reset
CMD: netsh advfirewall set allprofiles state ON
CMD: ipconfig /flushdns
CMD: netsh winsock reset catalog
CMD: netsh int ip reset c:\resetlog.txt
CMD: ipconfig /release
CMD: ipconfig /renew
CMD: netsh int ipv4 reset
CMD: netsh int ipv6 reset
RemoveProxy:
EmptyTemp:
CMD: bitsadmin /reset /allusers
Save this as fixlist.txt, in the same location as FRST.exe
https://dl.dropboxusercontent.com/u/73555776/FRSTfix.JPG
Run FRST and press Fix
On completion a log will be generated please post that
THEN
Please download AdwCleaner by Xplode onto your desktop.
- Close all open programs and internet browsers.
- Double click on AdwCleaner.exe to run the tool.
- Click on Scan.
- After the scan is complete click on “Clean”
- Confirm each time with Ok.
- Your computer will be rebooted automatically. A text file will open after the restart.
- Please post the content of that logfile with your next answer.
- You can find the logfile at C:\AdwCleaner[S0].txt as well.
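As an added example (not from the thread or from the FRST author), this read-only PowerShell audit checks the same settings the fixlist above rewrites, so the fix can be verified after the reboot or a re-infection spotted later. It assumes Windows 7 with its built-in PowerShell 2.0 run from an elevated prompt; the `$known` engine list and the `Techsmart`/`\Users\` path patterns are assumptions drawn from the fixlist, not FRST logic.

```powershell
# Added example, not from the thread: audit of proxy, IE policy keys, search
# scopes, auto-start services and scheduled tasks touched by the fixlist.
# Assumes Windows 7 / PowerShell 2.0, elevated prompt. Read-only: reports only.
$findings = @()

# 1. Per-user proxy. The fixlist showed 127.0.0.1:8118, i.e. the local Privoxy.
$ie = Get-ItemProperty 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
if ($ie.ProxyEnable -eq 1) { $findings += "ProxyEnable=1 ProxyServer=$($ie.ProxyServer)" }

# 2. IE policy restriction keys (the fix removed them from HKLM and the user's hive).
foreach ($hive in 'HKLM:', 'HKCU:') {
    $p = Join-Path $hive 'SOFTWARE\Policies\Microsoft\Internet Explorer'
    if (Test-Path $p) { $findings += "IE policy key present: $p" }
}

# 3. Search scopes whose host is not a known engine (assumed list). On this
#    machine the hijacked scopes pointed at protectedio.com and gosearch.me.
$known = 'bing.com', 'google.com', 'yahoo.com'
foreach ($root in 'HKLM:\SOFTWARE\Wow6432Node', 'HKLM:\SOFTWARE', 'HKCU:\Software') {
    $scopes = Join-Path $root 'Microsoft\Internet Explorer\SearchScopes'
    if (-not (Test-Path $scopes)) { continue }
    foreach ($key in Get-ChildItem $scopes) {
        $url = (Get-ItemProperty $key.PSPath).URL
        if ($url -match '^https?://([^/]+)') {
            $h = $matches[1] -replace '^www\.', ''
            if ($known -notcontains $h) { $findings += "SearchScope $($key.PSChildName) -> $url" }
        }
    }
}

# 4. Auto-start services whose binary sits under a third-party or user-profile
#    path (pattern assumed); PrivoxyService under Techsmart Computer was one.
Get-WmiObject Win32_Service | Where-Object {
    $_.StartMode -eq 'Auto' -and $_.PathName -match 'Techsmart|\\Users\\'
} | ForEach-Object { $findings += "Service $($_.Name): $($_.PathName)" }

# 5. Scheduled tasks that launch something from a user profile (Chromium.job and
#    the uTorrent task did). schtasks exists on Windows 7; Get-ScheduledTask does not.
schtasks /query /fo CSV /v | ConvertFrom-Csv | Where-Object {
    $_.'Task To Run' -match '\\Users\\'
} | ForEach-Object { $findings += "Task $($_.TaskName): $($_.'Task To Run')" }

if ($findings.Count -gt 0) { $findings | ForEach-Object { Write-Output "FINDING: $_" } }
else { Write-Output 'No hijack indicators found' }
```

A clean run after the fix and reboot should print only the last line; anything reported as a FINDING is worth including with the next FRST log.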
File resulting from frst64 and fix
Adware cleaned
I do have a comment, adding the AdwCleaner.exe changed a setting on the google homepage. It now says iLivid is running and has made a change. The gentleman here has dementia and that will confuse him, so I went into settings and told it to pull up the google.com screen. I don’t understand what this added chrome file was even for. Why was it necessary? Is this malware sufficient to run all of the time? I noticed a different one being recommended on this site…
AdwCleaner should not have added iLivid as that is malware
Please download Malwarebytes Anti-Malware to your desktop
- Double-click mbam-setup-version.exe and follow the prompts to install the program.
- At the end, be sure a check-mark is placed next to the following:
- Ensure that “Enable free trial of Malwarebytes Anti-Malware Premium” is unchecked
- Launch Malwarebytes Anti-Malware
- Then click Finish.
- If an update is found, you will be prompted to download and install the latest version.
- Once the program has loaded, select Scan now. Or select the Threat Scan from the Scan menu.
- When the scan is complete, make sure that everything is set to “Quarantine”, and click Apply Actions.
- Reboot your computer if prompted.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.
To access logs from Malwarebytes Anti-Malware 2.0:
https://dl.dropboxusercontent.com/u/73555776/mbamlogs.JPG
1. Open Malwarebytes Anti-Malware 2.0
2. Click History > Application Logs
3. Double-click the log you would like to open
Scan Logs record detections from manual scans, including threats detected and the actions taken against them
To save a Scan Log:
1. Open the log file you would like to save
2. Click Export
3. Choose to export to a .txt
4. Choose a folder to save the log file in, then click Save
5. Post that log here
I tried to download the file. Twice. Neither will open. The blue circular item won’t stop spinning and nothing opens. Now it says Windows Explorer is not responding.
Could I have a fresh FRST log please
I ran it in safe mode after a reboot since the screen had turned whiteish again… it found nothing to fix, but created a new log. Should I run it again in normal mode? It did NOT reboot into normal mode…
The log looks good, could you reboot to normal mode and let me know what problems you are having
Seems to be working so far… I was able to install the malware and ran a scan. It only found PUPs.
All in Firefox… How is the computer behaving now?
Firefox was deleted weeks ago. The only browser is Chrome. I didn’t see any issues but told them to call if it acted up and I’d go back over. Thanks for your help!
Subject to no further problems
I will remove my tools now and give some recommendations, but, I would like you to run for 24 hours or so and come back if you have any problems
Now the best part of the day ----- Your log now appears clean
A good workman always cleans up after himself so…The following will implement some cleanup procedures as well as reset System Restore points:
Remove tools
Download and run Delfix
Select the options as shown
https://dl.dropboxusercontent.com/u/73555776/delfix.JPG
Keep Java Updated:
WARNING: Java is the #1 exploited program at this time. The Department of Homeland Security recommends that computer users disable Java
See this article
I would recommend that you completely uninstall Java unless you need it to run an important software.
In that instance I would recommend that you disable Java in your browsers until you need it for that software and then enable it. (See How to disable Java in your web browser and How to unplug Java from the browser)
If you do need to keep Java then download JavaRa
Run the programme and select Remove Java Runtime. Uninstall all versions of Java present
Once done then run it again and select Update Java runtime > Download and install Latest version
https://dl.dropboxusercontent.com/u/73555776/javara.JPG
Now that you are clean, to help protect your computer in the future I recommend that you get the following free programmes:
Update and run weekly to keep your system clean
Click on the link above to be taken to Unchecky.com
click the very large Download button.
click Save
Click Open folder
Right click on the Unchecky_setup and choose to Run as Administrator
Once open click the Install button.
Then click on Finish
Unchecky is now installed and will help you keep unwanted check boxes unchecked, this is a fire and forget programme
It is critical to have both a firewall and anti virus to protect your system and to keep them updated.
To learn more about how to protect yourself while on the internet read this little guide Best security practices Keep safe