The Return of Resident Evil !

Okay Fellas, I’m back with the same old problem. This PC ran great for one day after your help…then it started to slow down again. With four processors we should be kickin’ butt…BUT I have run every program our last meeting left on this machine, and I think I must have a nasty hidden rootkit or something.

Using my "User Account", I went to my email and was going to email a song to a friend. But when the attachment Explorer popped up…there were none of my 12,000 songs or documents or anything that I know is loaded onto the hard drive listed. There was a text document that I did not and would not have created called PARENTAL CONTROLS. I got no kids and have no reason to have ever used PARENTAL CONTROLS. I AM ATTACHING A SCREEN SHOT and the associated notepad…

But when I pull up the regular explorer window I can see everything I have. WTF? Also have a problem with my Amazon Music Player app which lost all of my music, but Amazon is working on that. My Avast expired today, but I still have several other anti malware and anti spy programs, but they seem to be rendered ineffective, so I haven’t re-installed Avast. Just ran sfc /scannow which said it could not complete and the Tweaking.com program in its entirety which seemed to have no effect. And JRT quit working. Also a folder under C: called boot with language subfolders. Never seen before? Hard drive seems to be working overtime. No Improvement. I’m lost again. This has been going on for so long that I am now thinking about using this PC for target practice.

Thank you for your continuing support
April Rose

The Boot folder is normal. Do NOT remove it!

I will apprise Essexboy of your situation :)

Thanks…is it also normal for EVERYONE…including all users, and trusted installer to have full permission for the Boot Folder??

Thanks!

TrustedInstaller is Windows Stuff. As for users, I don’t think so. Essexboy should be here (soon) to answer your questions

What does the parental control text file say ? You can open it and copy the detail or add it to your next post

Download AVZ tool from here to your desktop
Unzip all files to a folder on your desktop
Open the folder and double click the AVZ icon
https://dl.dropboxusercontent.com/u/73555776/avz.JPG

When the tool opens select “File” > “Standard scripts”

https://dl.dropboxusercontent.com/u/73555776/avz1.jpg

Place a tick in :

7. Database update and system analysis

Then press “Execute selected scripts”

https://dl.dropboxusercontent.com/u/73555776/avz2.JPG

There will be several warnings, OK them all and the system will reboot on completion of the analysis

After the reboot look in the folder AVZ4 on your desktop
Open the LOG folder
Upload KL_syscure.zip to a file sharing site for me to collect

https://dl.dropboxusercontent.com/u/73555776/vz3.JPG

Essex, April4 had attached the Text File.

This is what it reads.


Log Name:      Microsoft-Windows-ParentalControls/Operational
Source:        Microsoft-Windows-ParentalControls
Date:          11/23/2014 3:13:36 PM
Event ID:      1
Task Category: SettingChange
Level:         Information
Keywords:      WPC
User:          Mobo9-HP\Administrator
Computer:      WIN-G2BTSRMU4GD
Description:
A Setting changed inside of the parental controls settings
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-ParentalControls" Guid="{01090065-B467-4503-9B28-533766761087}" />
    <EventID>1</EventID>
    <Version>0</Version>
    <Level>4</Level>
    <Task>1</Task>
    <Opcode>21</Opcode>
    <Keywords>0x8000000000000010</Keywords>
    <TimeCreated SystemTime="2014-11-23T22:13:36.029552100Z" />
    <EventRecordID>14</EventRecordID>
    <Correlation />
    <Execution ProcessID="3216" ThreadID="2464" />
    <Channel>Microsoft-Windows-ParentalControls/Operational</Channel>
    <Computer>WIN-G2BTSRMU4GD</Computer>
    <Security UserID="S-1-5-21-2062462054-714083117-4280944507-500" />
  </System>
  <UserData>
    <SettingChangeEvent xmlns:auto-ns2="http://schemas.microsoft.com/win/2004/08/events" xmlns="http://schemas.microsoft.com/schemas/event/Microsoft.Windows.ParentalControls/1.0.0.0">
      <Class>WpcSystemSettings</Class>
      <Setting>9</Setting>
      <AccountOwner>
      </AccountOwner>
      <OldValue>C:\Program Files\Windows Media Player\Wmpnscfg.exe</OldValue>
      <NewValue>
      </NewValue>
      <Reason>0</Reason>
      <Optional>C:\Program Files\Windows Media Player\Wmpnscfg.exe</Optional>
    </SettingChangeEvent>
  </UserData>
</Event>
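
An added example, not part of the original thread: a short Python parser that pulls the triage-relevant fields out of the event XML quoted above (who made the change, when, and which value changed). The function name `summarize_setting_change` and the "cleared"/"set" labels are assumptions made for illustration, and the sample is a trimmed copy of the posted event.

```python
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event",
      "w": "http://schemas.microsoft.com/schemas/event/Microsoft.Windows.ParentalControls/1.0.0.0"}

# Trimmed copy of the event quoted above (same values, fewer System fields).
SAMPLE = r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <EventID>1</EventID>
    <TimeCreated SystemTime="2014-11-23T22:13:36.029552100Z" />
    <Security UserID="S-1-5-21-2062462054-714083117-4280944507-500" />
  </System>
  <UserData>
    <SettingChangeEvent xmlns="http://schemas.microsoft.com/schemas/event/Microsoft.Windows.ParentalControls/1.0.0.0">
      <Class>WpcSystemSettings</Class>
      <Setting>9</Setting>
      <OldValue>C:\Program Files\Windows Media Player\Wmpnscfg.exe</OldValue>
      <NewValue>
      </NewValue>
    </SettingChangeEvent>
  </UserData>
</Event>"""

def _text(node):
    # Event Viewer writes empty values as whitespace-only elements.
    return (node.text or "").strip() if node is not None else ""

def summarize_setting_change(xml_text):
    root = ET.fromstring(xml_text)
    system = root.find("e:System", NS)
    change = root.find("e:UserData/w:SettingChangeEvent", NS)
    if system is None or change is None:
        raise ValueError("not a ParentalControls SettingChangeEvent")
    sid = system.find("e:Security", NS).get("UserID", "")
    old = _text(change.find("w:OldValue", NS))
    new = _text(change.find("w:NewValue", NS))
    return {
        "time_utc": system.find("e:TimeCreated", NS).get("SystemTime"),
        "sid": sid,
        # RID 500 is the built-in local Administrator account.
        "builtin_admin": sid.startswith("S-1-5-21-") and sid.endswith("-500"),
        "class": _text(change.find("w:Class", NS)),
        "setting": _text(change.find("w:Setting", NS)),
        "old": old,
        "new": new,
        # Reading of the fields as logged, not a documented meaning.
        "action": "cleared" if old and not new else "set",
    }
```

For the posted event this reports a change made under the built-in Administrator SID, with the Wmpnscfg.exe path as the old value and an empty new value.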

Dear EssexBoy, Greetings and thank you again for sharing your time and expertise. Without you all I am a sheep among wolves.

I believe you have seen the text of the Notepad labeled ‘Parental Control’.

I followed your instructions to the letter. Below is the link which I believe will allow you to find the AZ file. I hope I have done this right. But some things are worth mentioning:

  1. something interfered with operation of the program and hopefully you will see it in the log.

  2. I ran the program from a Standard User Account. You did not specify and I did not realize it until I had started the program.

  3. There were no warnings at all

  4. As I watched I saw that it said “User Disabled”. I haven’t disabled anything.

Many thanks. I will watch for your reply.

Yours, April

https://www.dropbox.com/home
[KL_syscure.zip]

Could you put the zip file in your public folder and then copy the download link

Hey…sorry but I am somewhat inept in areas of sharing. I put that KL_syscure.zip in my Public User folder, then copied the link but when I tried to paste it here the paste option was greyed out. So I attached in the usual place and of course it won’t accept that kind of file. Was there a problem with Drop Box? Can you suggest another file sharing site? Let me know if I effed it up, and I will try again.

OK to get the link open the dropbox public folder
Right click the zip file
Select “copy public link”
This will then add the link to your clipboard to paste:

It will look like this https://dl.dropboxusercontent.com/u/73555776/clear-notification-items.vbs

https://www.dropbox.com/s/7ohmew7e14q68f6/KL_syscure.zip?dl=0

Like Dat? Hey…with the proper instructions I could be KING…ER UH, QUEEN OF THE WORLD.

Maybe I’ll wait on your successful download before I celebrate?

I wonder if DIRECTV Player is inserting some parental controls, as the text file links it to windows media player .

Also Chrome is taking a lot of resources

The only thing I could see there was that anonymous user is enabled, I will disable that for now

FIX

Open AVZ as before
Click “File” > “Custom scripts”

https://dl.dropboxusercontent.com/u/73555776/avzfix1.png

A dialogue will open
Copy and paste the following script into the marked space then press run

https://dl.dropboxusercontent.com/u/73555776/avzfix2.JPG

Script for insertion :


begin
RegKeyIntParamWrite('HKEY_LOCAL_MACHINE', 'SYSTEM\CurrentControlSet\Control\LSA','RestrictAnonymous', 2);
end.

Ensure that you copy from begin to end

Okay, I did that successfully. I attached the text I found in the dialogue box.

Thanks, and I think you may be right about Chrome. I have 3 tabs active in Chrome yet Task Manager shows nine Chrome.exe processes currently running. Is that normal? Do you need a screenshot?

Thanks again. I await your advice.

What happened? Been waiting for a response to my last question. Was it something I said? Just this one answer from my previous post and I won’t bother you…PLEASE???

Sorry I missed the notification for this thread for some reason

How many extensions do you have in Chrome ?

Thank you, no worry…I’m sure you are busy. As I write I have five tabs open and ELEVEN instances of Chrome.exe with CPU averaging 10% to 25%… 63 processes.

Thank you!

Let's have a look at the extensions

Please download Farbar Recovery Scan Tool and save it to your Desktop.

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.

- Right click to run as administrator (XP users click run after receipt of Windows Security Warning - Open File). When the tool opens click Yes to disclaimer.
- Select additions at the bottom
- Press Scan button.

https://dl.dropboxusercontent.com/u/73555776/frst.JPG

- It will produce a log called FRST.txt in the same directory the tool is run from.
- Please attach both logs generated.

Logs Attached.
Thank you

Temporarily disable the following start up items from starting, does it make a difference ?

GoogleChromeAutoLaunch
PCShowServer
Amazon Music

I will be away for the next 10 days so will be unable to respond

Hi essexboy,

Enjoy your Season’s holidays, all the best from all of us here,
and we will meet again in the New Year 2015.

from a grateful bunch of avast support forum users,

polonus