Status
Not open for further replies.
21 - 38 of 38 Posts
Sounds like we are making some progress.

I am baffled by the error you got after running the System File Checker:

'M' is not recognized as an internal or external command, operable program or batch file.

There is no 'M' in the command, so why it is saying that is a mystery. Could you try it again and send me a screenshot of the Command box?

You can continue with the Disk Check and send the results from that with your next reply.

You can post screenshots as an attachment which you may find easier.

How to take a screen shot in Vista/Windows 7

How to post a screenshot.

  • Below the Message Box click on Go Advanced.
  • Then scroll down until you see a button, Manage Attachments. Click on that and a new window opens.
  • Click on the Browse button, find the screenshot you made earlier and double-click on it.
  • Now click on the Upload button. When done, click on the Close this window button at the bottom of the page.
  • Enter your message-text in the message box, then click on Submit Message/Reply.
 
Discussion starter · #22 ·
I said that very same thing about the 'M' and copy/pasted it a 2nd time then typed it out.

Unfortunately, the same return was received and the screenshot is attached.

Here is the chkdsk log: (I hope I did it correctly)

Log Name: Application
Source: Microsoft-Windows-Wininit
Date: 2/17/2013 3:05:39 PM
Event ID: 1001
Task Category: None
Level: Information
Keywords: Classic
User: N/A
Computer: MALSKL-LaptopA
Description:

Checking file system on C:
The type of the file system is NTFS.
A disk check has been scheduled.
Windows will now check the disk.
CHKDSK is verifying files (stage 1 of 5)...
115200 file records processed.
File verification completed.
346 large file records processed.
0 bad file records processed.
0 EA records processed.
43 reparse records processed.
CHKDSK is verifying indexes (stage 2 of 5)...
143156 index entries processed.
Index verification completed.
0 unindexed files scanned.
0 unindexed files recovered.
CHKDSK is verifying security descriptors (stage 3 of 5)...
115200 file SDs/SIDs processed.
Cleaning up 4170 unused index entries from index $SII of file 0x9.
Cleaning up 4170 unused index entries from index $SDH of file 0x9.
Cleaning up 4170 unused security descriptors.
Security descriptor verification completed.
13979 data files processed.
CHKDSK is verifying Usn Journal...
34353568 USN bytes processed.
Usn Journal verification completed.
CHKDSK is verifying file data (stage 4 of 5)...
115184 files processed.
File data verification completed.
CHKDSK is verifying free space (stage 5 of 5)...
10285112 free clusters processed.
Free space verification is complete.
CHKDSK discovered free space marked as allocated in the
master file table (MFT) bitmap.
CHKDSK discovered free space marked as allocated in the volume bitmap.
Windows has made corrections to the file system.
62417919 KB total disk space.
21013588 KB in 66723 files.
45192 KB in 13980 indexes.
0 KB in bad sectors.
218687 KB in use by the system.
65536 KB occupied by the log file.
41140452 KB available on disk.
4096 bytes in each allocation unit.
15604479 total allocation units on disk.
10285113 allocation units available on disk.
Internal Info:
00 c2 01 00 4b 3b 01 00 6f 4b 02 00 00 00 00 00 ....K;..oK......
25 04 00 00 2b 00 00 00 00 00 00 00 00 00 00 00 %...+...........
a8 8a 15 00 50 01 14 00 e8 17 14 00 00 00 14 00 ....P...........
Windows has finished checking your disk.
Please wait while your computer restarts.

Thank you for the info on the screenshot upload and all that you have worked through with me.
 


Check Disk has come back clean, which is good. That weird error when trying to get the SFC log I can't answer, and it gives zero results on Google. I doubt the error will have any detrimental effect on the system; the good news is I can see the scan completed without any errors.

Are there any remaining issues?
 
Discussion starter · #24 ·
Greetings Mark,

After seeing your reply and the computer running much better, I was making a list of things we would delete. When I had run the Tweak program, I thought that I had changed the download destination. I guess I missed that somehow. So while in the root C: I found the Tweaking.com Windows Repair folder with a log inside. It appears to be a very similar log to the one I posted, but I noticed a difference in the Temp folder actions.

Could you please take a look?

Also, I would appreciate any advice or articles you would recommend on add-ons like WinPatrol and/or others.

Thank you so very much. I will probably not be on till late tomorrow, so no hurry on this one. Take care.


Starting Repairs...
Start (2/17/2013 12:21:50 PM)
Reset Registry Permissions 01/03
HKEY_CURRENT_USER & Sub Keys
Start (2/17/2013 12:21:50 PM)
Running Repair Under Current User Account
Done (2/17/2013 12:21:52 PM)
Reset Registry Permissions 02/03
HKEY_LOCAL_MACHINE & Sub Keys
Start (2/17/2013 12:21:52 PM)
Running Repair Under System Account
Done (2/17/2013 12:21:55 PM)
Reset Registry Permissions 03/03
HKEY_CLASSES_ROOT & Sub Keys
Start (2/17/2013 12:21:55 PM)
Running Repair Under System Account
Done (2/17/2013 12:21:57 PM)
Register System Files
Start (2/17/2013 12:21:57 PM)
Running Repair Under Current User Account
Running Repair Under System Account
Done (2/17/2013 12:22:02 PM)
Repair WMI
Start (2/17/2013 12:22:02 PM)
Running Repair Under Current User Account
Running Repair Under System Account
Done (2/17/2013 12:22:07 PM)
Repair Internet Explorer
Start (2/17/2013 12:22:07 PM)
Running Repair Under Current User Account
Running Repair Under System Account
Done (2/17/2013 12:22:12 PM)
Remove Policies Set By Infections
Start (2/17/2013 12:22:12 PM)
Running Repair Under Current User Account
Running Repair Under System Account
Done (2/17/2013 12:22:17 PM)
Repair Missing Start Menu Icons Removed By Infections
Start (2/17/2013 12:22:17 PM)
Running Repair Under System Account
Done (2/17/2013 12:22:19 PM)
Repair Icons
Start (2/17/2013 12:22:19 PM)
Running Repair Under System Account
Done (2/17/2013 12:22:22 PM)
Repair Winsock & DNS Cache
Start (2/17/2013 12:22:22 PM)
Running Repair Under Current User Account
Running Repair Under System Account
Done (2/17/2013 12:22:26 PM)
Remove Temp Files
Start (2/17/2013 12:22:26 PM)
Running Repair Under System Account
The process cannot access the file because it is being used by another process.
The process cannot access the file because it is being used by another process.
C:\Users\S&MPRO~1\AppData\Local\Temp\FXSAPIDebugLogFile.txt - The process cannot access the file because it is being used by another process.
C:\Users\S&MPRO~1\AppData\Local\Temp\~DFA7AA3AEF1773C957.TMP - The process cannot access the file because it is being used by another process.
Done (2/17/2013 12:22:29 PM)
Set Windows Services To Default Startup
Start (2/17/2013 12:22:29 PM)
Running Repair Under Current User Account
Running Repair Under System Account
Done (2/17/2013 12:22:34 PM)
Repair MSI (Windows Installer)
Start (2/17/2013 12:22:34 PM)
Running Repair Under Current User Account
Running Repair Under System Account
Done (2/17/2013 12:22:38 PM)
Repair lnk (Shortcuts) Association
Start (2/17/2013 12:22:39 PM)
Running Repair Under Current User Account
Running Repair Under System Account
Done (2/17/2013 12:22:43 PM)
Cleaning up empty logs...
All Selected Repairs Done.
Done (2/17/2013 12:22:43 PM)
Total Repair Time: 00:01:07

...YOU MUST RESTART YOUR SYSTEM...
Starting Repairs...
Start (2/17/2013 12:24:40 PM)
Reset Registry Permissions 01/03
HKEY_CURRENT_USER & Sub Keys
Start (2/17/2013 12:24:40 PM)
Running Repair Under Current User Account
Done (2/17/2013 12:24:42 PM)
Reset Registry Permissions 02/03
HKEY_LOCAL_MACHINE & Sub Keys
Start (2/17/2013 12:24:42 PM)
Running Repair Under System Account
Done (2/17/2013 12:24:45 PM)
Reset Registry Permissions 03/03
HKEY_CLASSES_ROOT & Sub Keys
Start (2/17/2013 12:24:45 PM)
Running Repair Under System Account
Done (2/17/2013 12:24:47 PM)
Register System Files
Start (2/17/2013 12:24:47 PM)
Running Repair Under Current User Account
Running Repair Under System Account
Done (2/17/2013 12:24:52 PM)
Repair WMI
Start (2/17/2013 12:24:52 PM)
Running Repair Under Current User Account
Running Repair Under System Account
Done (2/17/2013 12:24:57 PM)
Repair Internet Explorer
Start (2/17/2013 12:24:57 PM)
Running Repair Under Current User Account
Running Repair Under System Account
Done (2/17/2013 12:25:02 PM)
Remove Policies Set By Infections
Start (2/17/2013 12:25:02 PM)
Running Repair Under Current User Account
Running Repair Under System Account
Done (2/17/2013 12:25:06 PM)
Repair Missing Start Menu Icons Removed By Infections
Start (2/17/2013 12:25:06 PM)
Running Repair Under System Account
Done (2/17/2013 12:25:09 PM)
Repair Icons
Start (2/17/2013 12:25:09 PM)
Running Repair Under System Account
Done (2/17/2013 12:25:11 PM)
Repair Winsock & DNS Cache
Start (2/17/2013 12:25:11 PM)
Running Repair Under Current User Account
Running Repair Under System Account
Done (2/17/2013 12:25:16 PM)
Remove Temp Files
Start (2/17/2013 12:25:16 PM)
Running Repair Under System Account
The process cannot access the file because it is being used by another process.
The process cannot access the file because it is being used by another process.
C:\Users\S&MPRO~1\AppData\Local\Temp\FXSAPIDebugLogFile.txt - The process cannot access the file because it is being used by another process.
C:\Users\S&MPRO~1\AppData\Local\Temp\~DFA7AA3AEF1773C957.TMP - The process cannot access the file because it is being used by another process.
The system cannot find the file specified.
The system cannot find the file specified.
Done (2/17/2013 12:25:18 PM)
Set Windows Services To Default Startup
Start (2/17/2013 12:25:18 PM)
Running Repair Under Current User Account
Running Repair Under System Account
Done (2/17/2013 12:25:23 PM)
Repair MSI (Windows Installer)
Start (2/17/2013 12:25:23 PM)
Running Repair Under Current User Account
Running Repair Under System Account
Done (2/17/2013 12:25:28 PM)
Repair lnk (Shortcuts) Association
Start (2/17/2013 12:25:28 PM)
Running Repair Under Current User Account
Running Repair Under System Account
Done (2/17/2013 12:25:33 PM)
Cleaning up empty logs...
All Selected Repairs Done.
Done (2/17/2013 12:25:33 PM)
Total Repair Time: 00:01:07

...YOU MUST RESTART YOUR SYSTEM...
 
That is a bit strange, as the first log shows the exact same time as the previous one you posted but with the additional part about the temp file it could not remove. Anyway, it is nothing to worry about. If you want to keep the system clear of temp files I would use this program: Temporary File Cleaner.

We now need to do a check on your security and uninstall the tools used.
I shall post some advice on additional security software when we are done.

To re-enable your CD Emulation drivers if you disabled them, double click DeFogger.exe to run the tool again.

  • The application window will appear.
  • Click the Re-enable button to re-enable your CD Emulation drivers.
  • Click Yes to continue.
  • A 'Finished!' message will appear.
  • Click OK.
  • DeFogger will now ask to reboot the machine...click OK.

To uninstall ComboFix, press the WINKEY + R keys on your keyboard, or click on Start, type Run into the search box and hit Enter.
In the Run box type: ComboFix /Uninstall (be sure to leave a space before the forward slash).



  • Click on OK.
  • If you encounter any problems using the switch from the Run dialog box, just rename ComboFix.exe to Uninstall.exe, then double-click on it to remove.
  • This will delete ComboFix's related folders/files, reset the clock settings, hide file extensions/system files, clear the System Restore cache to prevent possible reinfection and create a new Restore point.
  • When it has finished you will see a dialog box stating that "ComboFix has been uninstalled".
  • After that, you can delete the ComboFix.exe program from your computer (Desktop).

Next

  • Download OTC by OldTimer and save it to your desktop.
  • Double click the icon to start the program.
    If you are using Vista or Windows 7, please right-click and choose Run as Administrator.
  • Then click the big button.
  • You will get a prompt saying "Begin Cleanup Process". Please select Yes.
  • Restart your computer when prompted.

-- Doing this will remove any specialized tools downloaded and used. If OTC does not delete itself, then delete the file manually when done.
-- Any leftover folders/files related to ComboFix or other tools which OTC did not remove can be deleted manually (right-click on it and choose delete).


Please post back when this is complete and let me know if you have had any problems.

===================================================================

Download Security Check by screen317 from Here or Here.
Save it to your Desktop.
Double click SecurityCheck.exe (Vista or Windows 7 users right click and select "Run as Administrator") and follow the onscreen instructions inside of the black box. Press any key when asked.
A Notepad document should open automatically called checkup.txt; please Copy & Paste the contents of that document into your next reply.
 
Discussion starter · #26 ·
Hi Mark,

Sorry for the delay in responding. Our hot water heater burst on Monday...

Also, Norton has been a little odd since the Microsoft updates as well as with a couple of things we've worked with here. Sunday, I received an error, Norton did an autofix and had me reboot. Monday I received another Norton error, and later while updating it had a patch to install.

However, I have used the Temp File cleaner and it cleaned up some stuff. :)

I re-enabled using Defogger and will work on the next 2 steps, so far so good.

We are in the track of quite a storm and may not have power but I will respond as soon as possible.

Thanks so much for all of your assistance. Take good care, Susan
 
Susan, sorry to hear about the water heater, I've replaced a few of them in my time as a plumber so am well aware of the devastation it can cause. Hope the storm doesn't cause too much damage.

If Norton continues to pop up errors I would suggest you either re-install it or replace it with Microsoft Security Essentials. If you do replace it then you should run the Norton Uninstall Tool, but only after uninstalling it.

There is no rush to post back if the storm cuts your power, the thread will remain open until we are done.
 
Discussion starter · #28 ·
Greetings Mark!

Sorry for the delay in getting back to you. We are still in a winter wonderland here but have had power the entire day today since Tuesday!!!

To begin, I wish to thank you very much for your assistance. Confirming the adware was removed was very reassuring. You were kind in words and talk to people in a way we can easily understand.

I did uninstall Norton and re-installed but found that I had a corrupted file in Windows as you had suspected.

I received a Windows 8 Update when I purchased my new laptop in DEC so I did a Win 7 re-install and Upgraded to the Win 8. I wasn't sure how it would run on this laptop...but it's a new challenge!!!

I appreciate the time you extended me and I hope it was not a waste of your time. I love this site and admire all the great people that assist here.

Take good care!
 
That all sounds good and you're most welcome.

Just one thing you have missed, Security Check at the bottom of post 25.
 
As far as I know it is the same as Windows 7, not done much with Windows 8 yet.

Strange that all the logs show you are on Windows 7 :confused:
 
Discussion starter · #34 ·
Thank you again, kind sir! Hope you sleep well.

Here are the results of Security Check:

Results of screen317's Security Check version 0.99.60
x64 (UAC is enabled)
Internet Explorer 9
``````````````Antivirus/Firewall Check:``````````````
Windows Firewall Enabled!
Windows Defender
Norton 360 Premier Edition
WMI entry may not exist for antivirus; attempting automatic update.
`````````Anti-malware/Other Utilities Check:`````````
Malwarebytes Anti-Malware version 1.70.0.1100
````````Process Check: objlist.exe by Laurent````````
Norton ccSvcHst.exe
Malwarebytes Anti-Malware mbamservice.exe
Malwarebytes Anti-Malware mbamgui.exe
Malwarebytes' Anti-Malware mbamscheduler.exe
`````````````````System Health check`````````````````
Total Fragmentation on Drive C: %
````````````````````End of Log``````````````````````
 
Discussion starter · #35 ·
I've not yet installed many apps but will be sure to download the most current versions. LOL, I was just excited that the install and connecting to the home network worked without issue. :D

Sorry, I mentioned I had upgraded because of a few corrupted Windows files. Did a clean install.
 
Ok, you are good to go.

I shall now mark this thread as Solved and leave you with some security advice, but please feel free to post back if you have any remaining issues or concerns.

There are many places where you will find security advice, but most are biased towards a particular item of software that they are trying to promote. I have given some unbiased advice below that should help keep you better protected. Unfortunately there is no "best protection"; new malware is being produced every minute of the day, so it is a cat & mouse game for all security software vendors to keep up with the latest infections.

It has always been the case that what one Anti Virus program will detect another one will miss, and vice versa. That being said, never be tempted to install more than one Anti Virus program thinking that will give you better protection, as in fact the reverse is true. Two or more AV programs will (in most cases) conflict with each other, slow your system down and actually reduce your security level. Don't assume that your present Anti Virus is no good on the grounds that you got infected; if I have seen you are using a poor Anti Virus I will have advised you earlier in the thread. There are a lot of nasty infections out there waiting to jump onto a PC, and with some of the newest infections there is very little that will block them. Fortunately there are those who dedicate their spare time, for little reward, to making the tools we use here to remove these infections. It is those people that we have to thank, as without them a reinstall would often be the only way out.

Some additional security measures.
If your present security software does not include a third party Firewall or AntiSpyware:

Go Here for a selection of third party Firewalls.

Go Here or Here for Anti Spyware.

Malwarebytes free version (which you may have used during this thread) is worth having for regular scans of your system, always check for updates before using it. If you can afford the Malwarebytes Pro version it will provide even better protection with a full time active scanner. Never have more than one active anti virus, anti spyware or firewall running on your system as it can cause conflicts and slow down the PC. You can safely run the Pro version of Malwarebytes with any Anti Virus software.

WOT (Web of Trust) will warn you (in most cases) about dangerous web sites. (This is only available for use with Internet Explorer).

Secunia PSI is a FREE security tool designed to detect vulnerable and out-dated programs and plug-ins which expose your PC to attacks. Attacks exploiting vulnerable programs and plug-ins are rarely blocked by traditional anti-virus and are therefore increasingly "popular" among criminals.

WinPatrol is a useful facility to have. WinPatrol takes snapshots of your critical system resources and alerts you to any changes that may occur without your knowledge. It can also be used to control all your start up programs.

Finally, make sure that Windows Update is turned on, as many updates are to fix newly discovered security holes in the Windows Operating System. You should also make sure that any Java or Adobe products are kept up to date and any old versions are uninstalled. Never use Registry Cleaners, as they can and do damage the system's registry, and stay well clear of P2P file sharing sites, as these are one of the best places to get your PC infected.
 
Discussion starter · #37 ·
Thanks for the great info. Emsisoft Online firewall seems to have some great reviews and sounds as though it would run easily alongside Norton and MalwareBytes.

What is your professional opinion of SpywareBlaster? That is, if you are allowed to comment on that.

Again, thanks so very much.
 
You're welcome, it has been a pleasure helping you.

I've never used SpywareBlaster so can't pass comment on it, although it is recommended. I use the free version of SuperAntiSpyware, which can only be used for running regular scans as it has no active component; the paid-for version does.

You may like to know that the Windows Defender included in Windows 8 is the same as Microsoft Security Essentials so you could just stick with that as your Anti Virus and do away with Norton if you wanted to.
 