in need of help.

Hello! I’ve been to this site once before and it really helped me out a lot, so I thought I would come here after trying to help fix my brother’s PC.

He’s been having some problems for the last couple of months and he’s run a couple of programs to try and figure out what the problem is, such as Malwarebytes and Avast. But every time he thought he had it fixed, it would come back even worse. After looking over his PC, I’ve noticed that he has a lot of useless and unknown programs starting up and running at all times.

I’ve tried to turn them off and remove them, but it didn’t do any good. When he starts up his PC, it takes about 10-15 minutes before it’s finally finished booting up. Also, when you open up Firefox, the PC shuts off. I’ve noticed that the PC is running very hot and if you try to do anything other than turn it on, the temperature spikes and it shuts down.

Any help would be greatly appreciated! I will answer any question you might have to the best of my knowledge. Again, thank you for any and all help.

Scroll down to OTL… run it and attach the diagnostic log: http://forum.avast.com/index.php?topic=53253.0

Here is the file, hope it helps you with what you need. Thanks for your help!

Hi,

First we will run the JRT tool to clean up some junk and then we will go straight to ComboFix.

http://imageshack.us/a/img841/7292/thisisujrt.gif
Please download Junkware Removal Tool to your desktop.

[*]Shut down your protection software now to avoid potential conflicts.
[*]Run the tool by double-clicking it. If you are using Windows Vista, 7, or 8, instead of double-clicking, right-click JRT.exe and select “Run as Administrator”.
[*]The tool will open and start scanning your system.
[*]Please be patient as this can take a while to complete depending on your system’s specifications.
[*]On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
[*]Post the contents of JRT.txt into your next message.

----- next -----

  1. Please download ComboFix from here and save it to your Desktop.
    If you are unsure how ComboFix works please read this guide carefully.
    Note: ComboFix must be downloaded to your Desktop.

  2. Temporarily disable your AntiVirus program.
    If you are unsure how to do this please read this or this instruction.

Instructions how to disable avast:

[*]Right-click on the avast! icon in the lower right corner of the screen and choose Open Avast! User Interface.
[*]In the window that opens on the top right corner, click Settings.
[*]In a new window that opens, choose the option Troubleshooting, Uncheck Enable avast! self-defense, and click OK.
[*]Again, right-click on the avast! icon in the lower right corner of the screen and select avast! shield controls.
[*]In the menu that appears, choose Disable Permanently. When you are prompted to turn off security, click Yes.

Note: Do not forget to turn on this option after the cleaning.


  3. Run ComboFix. Click on I Agree!

ComboFix will check if there is a newer version of ComboFix available.
Click Yes if prompted to download.
ComboFix will display DISCLAIMER OF WARRANTY ON SOFTWARE.
Click Yes to allow ComboFix to continue.
If Recovery Console is not installed, ComboFix will offer download & installation.
Click Yes to allow ComboFix to install Recovery Console.
Note: Do not mouse-click ComboFix’s window while it is running.
If you see a message like “Illegal operation attempted on a registry key that has been marked for deletion” just restart computer once more.


  4. When the tool is finished, it will produce a log report for you. (typical location: C:\ComboFix.txt)
    Attach the log report (ComboFix.txt) to the topic.

OK, I just ran both programs and I have the logs attached below.

You are running more than one antivirus program!

Running more than one antivirus program is not recommended because:

[*]They can conflict with each other.
[*]They can report the other antivirus software as malicious.
[*]Antivirus programs use an enormous amount of the computer’s resources when actively scanning your computer.
[*]They can cause your computer to become unstable, run slowly and even, in rare cases, BSOD crash, etc.
I strongly suggest you uninstall one of them. Which one is your decision.

----- next -----

Download the uninstall tool for the chosen antivirus program from the links below to remove any leftovers.
http://singularlabs.com/uninstallers/security-software/
http://www.askvg.com/ultimate-collection-of-uninstallers-removal-tools-for-all-popular-anti-virus-software/

You have leftovers related to AVG and Symantec (Norton) antivirus.

----- next -----

Open notepad and copy/paste the text present inside the code box below:


FileLook::
c:\windows\SysWow64\setup16.exe
c:\windows\SysWow64\instnm.exe
c:\windows\SysWow64\user.exe

Folder::
c:\windows\1C4551A64743409391E41477CD655043.TMP
c:\windows\9530AE42DAE146199594B23487285D17.TMP
c:\programdata\AVG SafeGuard toolbar
c:\program files (x86)\AVG SafeGuard toolbar
c:\program files (x86)\Common Files\AVG Secure Search

DirLook::
c:\programdata\Sendori
c:\program files (x86)\Sendori

Driver::
vToolbarUpdater15.5.0

DDS::
uStart Page = hxxp://feed.helperbar.com/?publisher={Publisher}&dpid={DownloadProvider}&co={CountryTwoLettersISO}&userid={InstallationHashID}&affid={affid}&searchtype=hp&babsrc=lnkry_nt&installDate={installDate}
uSearchAssistant = hxxp://feed.helperbar.com/?publisher={Publisher}&dpid={DownloadProvider}&co={CountryTwoLettersISO}&userid={InstallationHashID}&affid={affid}&searchtype=ds&babsrc=lnkry&q={searchTerms}&installDate={installDate}
Trusted Zone: clonewarsadventures.com
Trusted Zone: freerealms.com
Trusted Zone: soe.com
Trusted Zone: sony.com

ClearJavaCache::

Firefox::
FF - ProfilePath - c:\users\Chase Maxwell\AppData\Roaming\Mozilla\Firefox\Profiles\uqy4fjls.default-1369017205415\
FF - prefs.js: keyword.URL - hxxp://feed.helperbar.com/?publisher={Publisher}&dpid={DownloadProvider}&co={CountryTwoLettersISO}&userid={InstallationHashID}&affid={affid}&searchtype=ds&babsrc=lnkry&installDate={installDate}&q=
FF - ExtSQL: 2013-08-24 18:03; avg@toolbar; c:\programdata\AVG SafeGuard toolbar\FireFoxExt\15.6.1.2


Save this as CFScript.txt

http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif

Close all browser windows. Referring to the screenshot above, drag CFScript.txt onto ComboFix.exe.
ComboFix will re-run. When finished, it will produce a log for you.
Attach the contents of the log in your next reply. (typical location: C:\ComboFix.txt)

OK, so I believe I removed the virus programs. I went ahead and removed both Norton and AVG just to be sure. I was having a little bit of trouble trying to remove Norton, so that’s why I also removed AVG.

I believe this is the log you are requesting and I hope it will help.

Hi,

I still see some antivirus leftovers. We will use ComboFix to remove them. Afterwards, we shall re-check all that and the system with the FRST tool.

Open notepad and copy/paste the text present inside the code box below:

DRIVER::
msav
avgtp
FOLDER::
c:\program files (x86)\Moon Secure Antivirus
c:\programdata\AVG SafeGuard toolbar
FILE::
c:\windows\system32\drivers\avgtpx64.sys
REGISTRY::
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Search]
"SearchAssistant"="http://www.google.com"
FIREFOX::
FF - ProfilePath - c:\users\Chase Maxwell\AppData\Roaming\Mozilla\Firefox\Profiles\uqy4fjls.default-1369017205415\
FF - prefs.js: browser.startup.homepage - hxxp://mysearch.avg.com?pid=safeguard&sg=0&cid=%7Bab6937ae-ac76-40fe-bd0b-15544e640819%7D&mid=5cd4c5277cdf47d0baaf6de7835bbca6-5f907cf681e007ee709e3de7d9da16bb8c13f488&ds=ts019&v=15.6.1.2&lang=en&pr=sa&d=2013-09-02%2011%3A21%3A43&sap=hp
FF - ExtSQL: 2013-08-24 18:03; avg@toolbar; c:\programdata\AVG SafeGuard toolbar\FireFoxExt\15.6.1.2

Save this as CFScript.txt

http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif

Close all browser windows. Referring to the screenshot above, drag CFScript.txt onto ComboFix.exe.
ComboFix will re-run. When finished, it will produce a log for you.
Attach the contents of the log in your next reply. (typical location: C:\ComboFix.txt)

----- next -----

Please download Farbar Recovery Scan Tool and save it to your desktop.

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system download both of them and try to run them.
Only one of them will run on your system, that will be the right version.

[*]Double-click to run it. When the tool opens click Yes to disclaimer.
[*]Under Optional Scan ensure “List BCD” and “Driver MD5” are ticked.
[*]Press Scan button.
[*]It will make a log (FRST.txt) in the same directory the tool is run. Please attach it to your reply.
[*]The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply.

Alright, here are the newest logs. Thank you again for all your help. Log 3 is the last ComboFix log you requested.

  1. Open notepad and copy/paste the text present inside the code box below.
    To do this highlight the contents of the box and right click on it. Paste this into the open notepad.

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to the operating system.

START
SearchScopes: HKLM - DefaultScope value is missing.
SearchScopes: HKLM-x32 - DefaultScope {006ee092-9658-4fd6-bd8e-a21a348e59f5} URL = 
SearchScopes: HKCU - {95B7759C-8C7F-4BF1-B163-73684A933233} URL = http://mysearch.avg.com/search?cid={78F1162F-B19C-4E64-AA96-140FD5AE25F7}&mid=5cd4c5277cdf47d0baaf6de7835bbca6-5f907cf681e007ee709e3de7d9da16bb8c13f488&lang=en&ds=ts019&pr=sa&d=2013-09-02 11:21:43&v=15.6.1.2&pid=safeguard&sg=0&sap=dsp&q={searchTerms}
SearchScopes: HKCU - ÛŸÆîZ§’2¹Þpv¨IÍá*X(Ž2s(ÛÎÀJºÔÓµ± vË°!×—(ä¼48иpatm6êo^Mp`Ëõ÷_i£w˜¾!„Áû†x¢8€ÙjÀÿþ ´Ñ;áa´[¦†8 º~RÙxœòÜ8'£-)x­ä­ URL = 
BHO-x32: No Name - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} -  No File
Toolbar: HKLM-x32 -  No Name - {06C7AD57-B655-418D-9AB8-9526A6D2E052} -  No File
Toolbar: HKLM-x32 -  No Name - {95B7759C-8C7F-4BF1-B163-73684A933233} -  No File
Toolbar: HKCU -  No Name - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} -  No File
Winsock: Catalog5 01 %SystemRoot%\System32\mswsock.dll [232448] (Microsoft Corporation) ATTENTION: The LibraryPath should be "%SystemRoot%\system32\NLAapi.dll"
Winsock: Catalog5-x64 01 %SystemRoot%\System32\mswsock.dll [326144] (Microsoft Corporation) ATTENTION: The LibraryPath should be "%SystemRoot%\system32\NLAapi.dll"
FF HKLM\...\Firefox\Extensions: [{336D0C35-8A85-403a-B9D2-65C292C39087}] - C:\Program Files\IB Updater\Firefox
FF HKLM\...\Firefox\Extensions: [{7D4F1959-3F72-49d5-8E59-F02F8AA6815D}] - C:\Program Files\Updater By SweetPacks\Firefox
FF Extension: Updater By SweetPacks - C:\Program Files\Updater By SweetPacks\Firefox
C:\Program Files\Updater By SweetPacks
C:\Program Files\IB Updater
FF HKLM-x32\...\Firefox\Extensions: [avg@toolbar] - C:\ProgramData\AVG SafeGuard toolbar\FireFoxExt\15.6.1.2
C:\ProgramData\AVG SafeGuard toolbar
CHR HKLM-x32\...\Chrome\Extension: [hbcennhacfaagdopikcegfcobcadeocj] - C:\Program Files (x86)\Common Files\Spigot\GC\saebay_1.0.crx
CHR HKLM-x32\...\Chrome\Extension: [icdlfehblmklkikfigmjhbmmpmkmpooj] - C:\Program Files (x86)\Common Files\Spigot\GC\errorassistant_1.1.crx
CHR HKLM-x32\...\Chrome\Extension: [mhkaekfpcppmmioggniknbnbdbcigpkk] - C:\Program Files (x86)\Common Files\Spigot\GC\coupons_2.3.crx
CHR HKLM-x32\...\Chrome\Extension: [ndibdjnfmopecpmkdieinmbadjfpblof] - C:\ProgramData\AVG SafeGuard toolbar\ChromeExt\15.6.1.2\avg.crx
CHR HKLM-x32\...\Chrome\Extension: [ogccgbmabaphcakpiclgcnmcnimhokcj] - C:\Windows\SysWOW64\jmdp\SweetNT.crx
CHR HKLM-x32\...\Chrome\Extension: [pfndaklgolladniicklehhancnlgocpp] - C:\Program Files (x86)\Common Files\Spigot\GC\saamazon_1.0.crx
CHR HKLM\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION
CHR HKCU\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION
C:\Program Files (x86)\Common Files\Spigot
C:\Windows\SysWOW64\jmdp\SweetNT.crx
C:\Program Files (x86)\Common Files\Spigot
C:\Users\Chase Maxwell\AppData\Local\AVG SafeGuard toolbar
C:\Windows\system32\Drivers\avgtpx64.sys
(AVG Technologies CZ, s.r.o.) C:\Users\Chase Maxwell\Downloads\avgremoverx64 (1).exe
2013-09-18 15:06 - 2011-05-08 20:35 - 00000000 ____D C:\Program Files\Common Files\Symantec Shared
2013-09-18 15:06 - 2011-04-08 12:15 - 00000000 ____D C:\ProgramData\Norton
2013-08-24 19:28 - 2013-08-24 18:07 - 00000000 ____D C:\Users\Chase Maxwell\AppData\Local\AVG SafeGuard toolbar
C:\ProgramData\hash.dat
C:\Users\Chase Maxwell\APB_Reloaded_Installer.exe
Task: {0D9EC20C-551A-4E45-BB77-5CFF9A6A87C0} - System32\Tasks\task102582903 => C:\Windows\Temp\kb383816.exe
Task: {15C04C3D-0ACD-4E1B-AAB9-A04CCDE399C2} - \b5aa7440 No Task File
C:\Windows\Temp\kb383816.exe
Task: {4EE73EA3-D2A3-41F2-8675-4FBE18DB4FCC} - System32\Tasks\RunAsStdUser Task => C:\Users\Chase Maxwell\AppData\Local\seeqdoSA\bin\1.0.4.0\SeeqDoSA.exe
C:\Users\Chase Maxwell\AppData\Local\seeqdoSA\bin\1.0.4.0\SeeqDoSA.exe
Task: {A0B248C9-00C6-4893-B812-53DB450D2B90} - \82293880 No Task File
Task: {AB764CD7-16DF-4DBC-8FC3-4D6B21CD6433} - \3c086ec0 No Task File
Task: {DB88F22C-B4E6-4BE3-8E71-F84CA5F97BEC} - System32\Tasks\cdba0d40 => C:\Users\CHASEM~1\AppData\Local\Temp\\setup1469687232.exe
C:\Users\CHASEM~1\AppData\Local\Temp\\setup1469687232.exe
Task: {F4A8DE59-191E-406C-9A8C-ADC6D604C64D} - System32\Tasks\task163581213 => C:\Windows\Temp\kb677391.exe
C:\Windows\Temp\kb677391.exe
Folder: C:\Windows\Temp
AlternateDataStreams: C:\ProgramData\TEMP:D1B5B4F1
AlternateDataStreams: C:\ProgramData\TEMP:DFC5A2B2
END
  2. Save notepad as fixlist.txt
    NOTE: It’s important that both files, FRST and fixlist.txt, are in the same location or the fix will not work.

  3. Run FRST/FRST64 and press the Fix button just once and wait.
    If the tool needs a restart please make sure you let the system restart normally and let the tool complete its run after restart.
    The tool will make a log on the Desktop (Fixlog.txt). Please attach it to your reply.

Note: If the tool warned you about the outdated version please download and run the updated version.
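As an added example (not from the thread, and not FRST's own code), a small Python triage of FRST "Task:" lines like the ones in the fixlist above. It flags the traits the helper's script targets: a task action that runs from a Temp folder or from the user profile, an orphaned entry FRST marks "No Task File", a name that imitates a Windows KB update, and task names that are just a counter or hex id. The sample lines are copied from the thread's own FRST output plus one made-up benign task (placeholder GUID and path) so the triage has something to leave alone.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample: "Task:" lines in the format FRST prints. The first four
# are copied from the thread's own FRST fixlist; the last one is a made-up
# benign task (placeholder GUID and path) so the triage has something to pass.
SAMPLE_FRST_LINES = r"""
Task: {0D9EC20C-551A-4E45-BB77-5CFF9A6A87C0} - System32\Tasks\task102582903 => C:\Windows\Temp\kb383816.exe
Task: {15C04C3D-0ACD-4E1B-AAB9-A04CCDE399C2} - \b5aa7440 No Task File
Task: {4EE73EA3-D2A3-41F2-8675-4FBE18DB4FCC} - System32\Tasks\RunAsStdUser Task => C:\Users\Chase Maxwell\AppData\Local\seeqdoSA\bin\1.0.4.0\SeeqDoSA.exe
Task: {DB88F22C-B4E6-4BE3-8E71-F84CA5F97BEC} - System32\Tasks\cdba0d40 => C:\Users\CHASEM~1\AppData\Local\Temp\\setup1469687232.exe
Task: {00000000-0000-0000-0000-000000000000} - System32\Tasks\ExampleVendorUpdate => C:\Program Files\ExampleVendor\update.exe
""".strip().splitlines()

# "Task: {GUID} - <task name> => <action>"; the " => <action>" part is absent
# when FRST cannot resolve the task (it then appends "No Task File" to the name).
TASK_RE = re.compile(r"^Task: (\{[0-9A-F-]{36}\}) - (.*?)(?: => (.*))?$", re.IGNORECASE)
# Task names that are only a counter or 8 hex digits, e.g. task102582903, cdba0d40
RANDOM_NAME_RE = re.compile(r"\\?(system32\\tasks\\)?(task\d+|[0-9a-f]{8})")


@dataclass
class TaskFinding:
    guid: str
    name: str
    target: Optional[str]
    reasons: List[str] = field(default_factory=list)


def triage_task_line(line: str) -> Optional[TaskFinding]:
    """Parse one FRST 'Task:' line; reasons stays empty when nothing looks odd."""
    m = TASK_RE.match(line.strip())
    if not m:
        return None
    guid, name, target = m.group(1), m.group(2), m.group(3)
    reasons: List[str] = []
    if name.endswith("No Task File"):
        name = name[: -len("No Task File")].strip()
        reasons.append("registered task has no task file (orphaned entry)")
    if target:
        lowered = target.lower()
        if "\\temp\\" in lowered:
            reasons.append("action runs an executable from a Temp directory")
        elif "\\appdata\\local\\" in lowered:
            reasons.append("action runs from the user profile, not Program Files")
        if re.fullmatch(r"kb\d+\.exe", lowered.rsplit("\\", 1)[-1]):
            reasons.append("file name imitates a Windows update (KB) package")
    if RANDOM_NAME_RE.fullmatch(name.lower()):
        reasons.append("task name is a random-looking id rather than a product name")
    return TaskFinding(guid, name, target, reasons)


def triage_frst_tasks(lines: List[str]) -> List[TaskFinding]:
    """Return only the tasks that earned at least one reason, in input order."""
    return [f for f in (triage_task_line(l) for l in lines) if f and f.reasons]


if __name__ == "__main__":
    for f in triage_frst_tasks(SAMPLE_FRST_LINES):
        print(f"{f.guid} {f.name} -> {f.target or '(no action)'}")
        for r in f.reasons:
            print("   -", r)
```

Run it against a full FRST.txt by feeding the file's lines to triage_frst_tasks; lines that are not "Task:" entries are skipped.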

Ok, I feel silly for asking this, but when you say they need to be in the same location, you just mean in the same folder, right? Or do I have to drag the fixlist to the program like with ComboFix?

I ran it when the fixlist was in the same folder and it said that there was no fixlist. I went to try again, but the FRST program was gone, so I got it again and this time it did run. Only thing, the fixlist text document is now missing.

FRST has been running from the Downloads folder:

Running from C:\Users\Chase Maxwell\Downloads

Feel free to download a fresh FRST.exe to your Desktop and create a new FixList.txt with the above script. Just run FRST and hit the Fix button.
FRST will search for FixList.txt only at the location from where it was started.

OK, I just ran the program and got the fixlog.

  1. Open notepad and copy/paste the text present inside the code box below.
    To do this highlight the contents of the box and right click on it. Paste this into the open notepad.

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to the operating system.


START
2013-09-20 07:12 - 2013-09-20 07:15 - 0000000 ____D () C:\Windows\Temp\CR_7331E.tmp
2013-09-18 21:01 - 2013-09-19 22:16 - 0221495 ____A () C:\Windows\Temp\CertsFF.dat
2013-09-18 21:01 - 2013-09-19 22:16 - 0047860 ____A () C:\Windows\Temp\CertsIE.dat
2013-09-20 03:00 - 2013-09-20 03:00 - 0000000 ____A () C:\Windows\Temp\HFI5C28.tmp
2013-09-20 03:00 - 2013-09-20 03:00 - 0000000 ____A () C:\Windows\Temp\HFI5DEF.tmp
2013-09-19 03:00 - 2013-09-19 03:00 - 0000000 ____A () C:\Windows\Temp\HFIF857.tmp
2013-09-19 03:00 - 2013-09-19 03:00 - 0000000 ____A () C:\Windows\Temp\HFIF9A0.tmp
2013-09-18 20:26 - 2013-09-18 20:26 - 0016384 ____A () C:\Windows\Temp\~DF4A61F86E2E685A39.TMP
2013-09-19 22:14 - 2013-09-19 22:14 - 0016384 ____A () C:\Windows\Temp\~DF575A1B466BFB0BDE.TMP
2013-09-19 13:45 - 2013-09-19 13:45 - 0016384 ____A () C:\Windows\Temp\~DF58D94F7DF9692F13.TMP
2013-09-18 21:02 - 2013-09-18 21:02 - 0016384 ____A () C:\Windows\Temp\~DF5A873E99F58A81C5.TMP
2013-09-18 22:39 - 2013-09-18 22:39 - 0016384 ____A () C:\Windows\Temp\~DFCE0A006BE67BBFEB.TMP
2013-09-20 07:12 - 2013-09-20 07:12 - 0001197 ____A () C:\Windows\Temp\CR_7331E.tmp\SETUP_PATCH.PACKED.7Z
File: C:\Windows\Temp\avast_ash\QuickTime\QuickTimeInstaller.exe
END

  2. Save notepad as fixlist.txt
    NOTE: It’s important that both files, FRST and fixlist.txt, are in the same location or the fix will not work.

  3. Run FRST/FRST64 and press the Fix button just once and wait.
    If the tool needs a restart please make sure you let the system restart normally and let the tool complete its run after restart.
    The tool will make a log on the Desktop (Fixlog.txt). Please attach it to your reply.

Note: If the tool warned you about the outdated version please download and run the updated version.

----- next -----

Re-check:

Re-run FRST and attach here fresh created FRST.txt logreport.

Ok, I believe I have both of the files you requested. I ran it with the fix log and then I did a scan, because it wouldn’t let me run fix without a fixlist. So I assumed re-running it meant to scan it.

Hi,

...and then I did a scan, because it wouldn't let me run fix without a fixlist. So I assumed re-running it meant to scan it.
That's right, you've done it right.

We shall re-run FRST with fresh FRST Script. Close Chrome browser and run FRST again via FixList.txt.

1. Open notepad and copy/paste the text present inside the code box below.
To do this highlight the contents of the box and right click on it. Paste this into the open notepad.
NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to the operating system.


START
SearchScopes: HKCU - ÛŸÆîZ§’2¹Þpv¨IÍá*X(Ž2s(ÛÎÀJºÔÓµ± vË°!×—(ä¼48иpatm6êo^Mp`Ëõ÷_i£w˜¾!„Áû†x¢8€ÙjÀÿþ ´Ñ;áa´[¦†8 º~RÙxœòÜ8'£-)x­ä­ URL = 
CHR HKLM-x32\...\Chrome\Extension: [hbcennhacfaagdopikcegfcobcadeocj] - C:\Program Files (x86)\Common Files\Spigot\GC\saebay_1.0.crx
CHR HKLM-x32\...\Chrome\Extension: [icdlfehblmklkikfigmjhbmmpmkmpooj] - C:\Program Files (x86)\Common Files\Spigot\GC\errorassistant_1.1.crx
CHR HKLM-x32\...\Chrome\Extension: [mhkaekfpcppmmioggniknbnbdbcigpkk] - C:\Program Files (x86)\Common Files\Spigot\GC\coupons_2.3.crx
C:\Program Files (x86)\Common Files\Spigot
CHR HKLM-x32\...\Chrome\Extension: [ndibdjnfmopecpmkdieinmbadjfpblof] - C:\ProgramData\AVG SafeGuard toolbar\ChromeExt\15.6.1.2\avg.crx
CHR HKLM-x32\...\Chrome\Extension: [ogccgbmabaphcakpiclgcnmcnimhokcj] - C:\Windows\SysWOW64\jmdp\SweetNT.crx
C:\ProgramData\AVG SafeGuard toolbar
C:\Windows\SysWOW64\jmdp\SweetNT.crx
CHR HKLM-x32\...\Chrome\Extension: [pfndaklgolladniicklehhancnlgocpp] - C:\Program Files (x86)\Common Files\Spigot\GC\saamazon_1.0.crx
C:\Program Files (x86)\Common Files\Spigot
File: C:\Users\Chase Maxwell\Downloads\NoNav.exe
END

2. Save notepad as fixlist.txt to your Desktop.
NOTE: It’s important that both files, FRST and fixlist.txt, are in the same location or the fix will not work.

3. Run FRST/FRST64 and press the Fix button just once and wait.
If the tool needs a restart please make sure you let the system restart normally and let the tool complete its run after restart.

The tool will make a log on the Desktop (Fixlog.txt). Please attach it to your reply.
Note: If the tool warned you about the outdated version please download and run the updated version.

OK, here is the new fixlog. Thank you for all of your help. The PC is running so much better now and isn’t shutting down every time I open up a program.

Nice. 8)

It is necessary to uninstall ComboFix :

[*] Click Start (or the Start orb: http://amf.mycity.rs/pg/images/VistaStartButton.png), then Run.

On Windows 7 or Vista you may use the Start Search field if Run is not available.

[*] In the line of text type in (Copy) the following:

ComboFix /Uninstall

Note that there is a space between "ComboFix" and "/Uninstall".

[*] Then click OK (or press Enter).

Wait for the uninstall process to complete.

----- next -----

Please download DelFix by “Xplode” to your Desktop.

Run the tool and check the following boxes;

[*] Remove disinfection tools
[*] Create registry backup
[*] Purge System Restore

Now click on the “Run” button. Wait for the programme to complete its work.
All the tools we used should be gone.
The tool will create and open a log report (DelFix.txt).
Note: The report will also be stored at C:\DelFix.txt

I don’t need DelFix log report.

------------------------------------------------

I recommend using MCShield if you will.
You may download MCShield from one of the following links:

MyCity - Official download link
Softpedija - Mirror download link

It will prevent infection of the computer via USB flash drive, mobile phone or any other memory card.
And it will not only prevent infection, but will immediately clean the flash drive, memory card or external HDD.

OK, I just ran and downloaded those programs. Is that all that we needed to do?

Yap. :wink: