
.rar.exe

Discussion in 'Virus & Other Malware Removal' started by newspaper56, Feb 3, 2013.

  1. newspaper56

    newspaper56 Thread Starter

    Joined:
    Oct 2, 2007
    Messages:
    396
    I don't know how, but probably through an ad, I think I downloaded a .exe file pretending to be a .rar file.

    Now, is it fine that I just deleted the .exe file, or is it possible that it had some other unknown drive-by download that came with it?
     
  2. Mark1956

    Mark1956

    Joined:
    May 7, 2011
    Messages:
    14,142
    As you deleted the suspicious file then you are probably in the clear, but just to be sure run these three scans and post the results.

    SCAN 1
    Click on this link to download : ADWCleaner and save it to your desktop.

    NOTE: If using Internet Explorer and you get an alert that stops the program downloading click on Tools > Smartscreen Filter > Turn off Smartscreen Filter then click on OK in the box that opens. Then click on the link again.

    Close your browser and click on this icon on your desktop: [image: AdwCleaner desktop icon]

    You will then see the screen below, click on the Delete button (as indicated), accept any prompts that appear and allow it to reboot the PC. When the PC has rebooted you will be presented with the report, copy & paste it into your next post.

    [image: AdwCleaner screen with the Delete button indicated]



    SCAN 2
    Download RogueKiller (by tigzy) and save direct to your Desktop.
    On the web page click on this: [image: download button]

    • Quit all running programs
    • Start RogueKiller.exe
    • Wait until Prescan has finished.
    • Ensure all boxes are ticked under "Report" tab.
    • Click on Scan.
    • Click on Report when complete. Copy/paste the contents of the report and paste into your next reply.
    • NOTE: DO NOT attempt to remove anything that the scan detects.

    [image: RogueKiller screen]


    SCAN 3
    Eset online scan instructions.
    IMPORTANT ---> Please make sure you follow the instruction to uncheck the box next to Remove found threats. Eset will detect anything that looks even remotely suspicious; this can include legitimate program files. If you do not uncheck the box, as instructed, Eset will automatically remove all suspect files, which could leave some of your software inoperative. If you make a mistake these files can be restored from quarantine, but it would be preferable not to add any extra work to the clean-up of your system.

    • Disable your existing Anti-Virus following these instructions.
    • Please go here to use the Eset Online Scanner.
    • When the web page opens click on this button: [image: ESET Online Scanner button]
    • If you are not using Internet Explorer you will see a message box open asking you to download the ESET Smart Installer; click on the link, allow it to download and then run it. Accept the Terms of use and click on Start. The required components will download.
    • If using Internet Explorer the Terms of use box will open immediately, accept it and click on Start.
    • After the download is complete the Computer scan settings window will open, IMPORTANT ----> uncheck the box next to Remove found threats and click on Start. The virus signature database will then download which may take some time depending on the speed of your internet connection. The scan will automatically start when the download is complete.
    • This is a very thorough scan and may take several hours to complete depending on how much data you have on your hard drive. Do not interrupt it, be patient and let it finish.
    • A Scan Results window will appear at the end of the scan. If it lists any number of Infected Files click on List of found threats. Click on Copy to clipboard, come back to this thread and right click on the message box. Select Paste and the report will appear, add any comments you have and post the reply.
    • Back on the Eset window, click the Back button and then click on Finish.
     
  3. newspaper56

    newspaper56 Thread Starter

    Joined:
    Oct 2, 2007
    Messages:
    396
    Nothing found from Eset.

    RogueKiller

    RogueKiller V8.4.4 _x64_ [Feb 4 2013] by Tigzy
    mail : tigzyRK<at>gmail<dot>com
    Feedback : http://www.geekstogo.com/forum/files/file/413-roguekiller/
    Website : http://tigzy.geekstogo.com/roguekiller.php
    Blog : http://tigzyrk.blogspot.com/

    Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
    Started in : Normal mode
    User : newspaper56 [Admin rights]
    Mode : Scan -- Date : 02/06/2013 14:50:46
    | ARK || FAK || MBR |

    ¤¤¤ Bad processes : 2 ¤¤¤
    [SUSP PATH] Runservice.exe -- C:\Windows\runservice.exe -> KILLED [TermProc]
    [SUSP PATH] Window Hide.exe -- C:\Users\newspaper56\Desktop\newspaper56 Folder\Window Hide.exe -> KILLED [TermProc]

    ¤¤¤ Registry Entries : 8 ¤¤¤
    [RUN][SUSP PATH] HKCU\[...]\Services\Microsoft\Run : zHideWin (C:\Users\newspaper56\Desktop\newspaper56 Folder\Window Hide.exe) -> FOUND
    [RUN][SUSP PATH] HKUS\S-1-5-21-1603089102-2812627082-2370458291-1005[...]\Services-1603089102-2812627082-2370458291-1005\Run : zHideWin (C:\Users\newspaper56\Desktop\newspaper56 Folder\Window Hide.exe) -> FOUND
    [HJ] HKLM\[...]\Services\Microsoft\System : ConsentPromptBehaviorAdmin (0) -> FOUND
    [HJ] HKLM\[...]\Wow6432Node\Services\Microsoft\System : ConsentPromptBehaviorAdmin (0) -> FOUND
    [HJ] HKLM\[...]\Services\Microsoft\System : EnableLUA (0) -> FOUND
    [HJ] HKLM\[...]\Wow6432Node\Services\Microsoft\System : EnableLUA (0) -> FOUND
    [HJ DESK] HKLM\[...]\Services\Microsoft\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
    [HJ DESK] HKLM\[...]\Services\Microsoft\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

    ¤¤¤ Particular Files / Folders: ¤¤¤

    ¤¤¤ Driver : [NOT LOADED] ¤¤¤

    ¤¤¤ Extern Hives: ¤¤¤
    -> F:\windows\system32\config\SOFTWARE
    -> F:\windows\system32\config\SYSTEM
    -> F:\Users\Default\NTUSER.DAT
    -> F:\Users\Default User\NTUSER.DAT
    -> F:\Users\Microbots\NTUSER.DAT
    -> F:\Documents and Settings\Default\NTUSER.DAT
    -> F:\Documents and Settings\Default User\NTUSER.DAT
    -> F:\Documents and Settings\GuestUser\NTUSER.DAT

    ¤¤¤ HOSTS File: ¤¤¤
    --> C:\windows\system32\drivers\etc\hosts

    127.0.0.1 secure.tune-up.com


    ¤¤¤ MBR Check: ¤¤¤

    +++++ PhysicalDrive0: TOSHIBA MQ01ABD075 +++++
    --- User ---
    [MBR] 73f05d9f230be049d0e0bff191b14555
    [BSP] 33c05efc4141c5524db711debd96a558 : Windows 7/8 MBR Code
    Partition table:
    0 - [ACTIVE] ACER (0x27) [VISIBLE] Offset (sectors): 2048 | Size: 1500 Mo
    1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 3074048 | Size: 409765 Mo
    2 - [XXXXXX] NTFS (0x17) [HIDDEN!] Offset (sectors): 1440288768 | Size: 12138 Mo
    3 - [XXXXXX] EXTEN-LBA (0x0f) [VISIBLE] Offset (sectors): 842287950 | Size: 291992 Mo
    User = LL1 ... OK!
    User = LL2 ... OK!

    Finished : << RKreport[1]_S_02062013_02d1450.txt >>
    RKreport[1]_S_02062013_02d1450.txt

    AdwCleaner (never knew IE and Firefox were so bloated)

    # AdwCleaner v2.111 - Logfile created 02/06/2013 at 15:00:37
    # Updated 05/02/2013 by Xplode
    # Operating system : Windows 7 Home Premium Service Pack 1 (64 bits)
    # User : newspaper56 - newspaper56-PC
    # Boot Mode : Normal
    # Running from : C:\Users\newspaper56\Desktop\adwcleaner.exe
    # Option [Delete]


    ***** [Services] *****


    ***** [Files / Folders] *****

    File Deleted : C:\Users\newsaper56\AppData\Roaming\Mozilla\Firefox\Profiles\porh3vti.default\searchplugins\Conduit.xml
    Folder Deleted : C:\Users\newspaper56\AppData\LocalLow\boost_interprocess
    Folder Deleted : C:\Users\newspaper56\AppData\Roaming\Mozilla\Firefox\Profiles\porh3vti.default\Conduit

    ***** [Registry] *****

    Key Deleted : HKCU\Software\APN PIP
    Key Deleted : HKCU\Software\PIP
    Key Deleted : HKCU\Software\Softonic
    Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\apntoolbarinstaller_RASAPI32
    Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\apntoolbarinstaller_RASMANCS
    Key Deleted : HKLM\Software\PIP
    Key Deleted : HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{628F3201-34D0-49C0-BB9A-82A26AEFB291}
    Key Deleted : HKLM\SOFTWARE\Classes\Interface\{01221FCC-4BFB-461C-B08C-F6D2DF309921}
    Key Deleted : HKLM\SOFTWARE\Classes\Interface\{0FA32667-9A8A-4E9C-902F-CA3323180003}
    Key Deleted : HKLM\SOFTWARE\Classes\Interface\{2A42D13C-D427-4787-821B-CF6973855778}
    Key Deleted : HKLM\SOFTWARE\Classes\Interface\{3D8478AA-7B88-48A9-8BCB-B85D594411EC}
    Key Deleted : HKLM\SOFTWARE\Classes\Interface\{452AE416-9A97-44CA-93DA-D0F15C36254F}
    Key Deleted : HKLM\SOFTWARE\Classes\Interface\{45CDA4F7-594C-49A0-AAD1-8224517FE979}
    Key Deleted : HKLM\SOFTWARE\Classes\Interface\{4D8ED2B3-DC62-43EC-ABA3-5B74F046B1BE}
    Key Deleted : HKLM\SOFTWARE\Classes\Interface\{6B458F62-592F-4B25-8967-E6A350A59328}
    Key Deleted : HKLM\SOFTWARE\Classes\Interface\{81E852CC-1FD5-4004-8761-79A48B975E29}
    Key Deleted : HKLM\SOFTWARE\Classes\Interface\{95B6A271-FEB4-4160-B0FF-44394C21C8DC}
    Key Deleted : HKLM\SOFTWARE\Classes\Interface\{B2CA345D-ADB8-4F5D-AC64-4AB34322F659}
    Key Deleted : HKLM\SOFTWARE\Classes\Interface\{B9F43021-60D4-42A6-A065-9BA37F38AC47}
    Key Deleted : HKLM\SOFTWARE\Classes\Interface\{BF921DD3-732A-4A11-933B-A5EA49F2FD2C}
    Key Deleted : HKLM\SOFTWARE\Classes\Interface\{D83B296A-2FA6-425B-8AE8-A1F33D99FBD6}
    Key Deleted : HKLM\SOFTWARE\Classes\Interface\{E67D5BC7-7129-493E-9281-F47BDAFACE4F}
    Key Deleted : HKLM\SOFTWARE\Classes\Interface\{FCC9CDD3-EFFF-11D1-A9F0-00A0244AC403}
    Key Deleted : HKLM\SOFTWARE\Software
    Value Deleted : HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser [{D4027C7F-154A-4066-A1AD-4243D8127440}]

    ***** [Internet Browsers] *****

    -\\ Internet Explorer v9.0.8112.16457

    [OK] Registry is clean.

    -\\ Mozilla Firefox v18.0.1 (en-US)

    File : C:\Users\newspaper56\AppData\Roaming\Mozilla\Firefox\Profiles\porh3vti.default\prefs.js

    C:\Users\newspaper56\AppData\Roaming\Mozilla\Firefox\Profiles\porh3vti.default\user.js ... Deleted !

    Deleted : user_pref("CommunityToolbar.ToolbarsList2", "CT2790392,CT488207,CT1060933");
    Deleted : user_pref("CommunityToolbar.alert.alertInfoInterval", 1440);
    Deleted : user_pref("CommunityToolbar.alert.alertInfoLastCheckTime", "Sat Sep 22 2012 20:15:20 GMT+1000 (AUS E[...]
    Deleted : user_pref("CommunityToolbar.alert.clientsServerUrl", "hxxp://alert.client.conduit.com");
    Deleted : user_pref("CommunityToolbar.alert.locale", "en");
    Deleted : user_pref("CommunityToolbar.alert.loginIntervalMin", 1440);
    Deleted : user_pref("CommunityToolbar.alert.loginLastCheckTime", "Sat Sep 22 2012 18:54:48 GMT+1000 (AUS Easte[...]
    Deleted : user_pref("CommunityToolbar.alert.loginLastUpdateTime", "1313487611");
    Deleted : user_pref("CommunityToolbar.alert.messageShowTimeSec", 20);
    Deleted : user_pref("CommunityToolbar.alert.servicesServerUrl", "hxxp://alert.services.conduit.com");
    Deleted : user_pref("CommunityToolbar.alert.showTrayIcon", false);
    Deleted : user_pref("CommunityToolbar.alert.userCloseIntervalMin", 300);
    Deleted : user_pref("CommunityToolbar.alert.userId", "ee8b3c7b-8474-4193-b3ba-b126aeb701ce");
    Deleted : user_pref("CommunityToolbar.facebook.settingsLastCheckTime", "Sun Apr 08 2012 14:23:31 GMT+1000 (AUS[...]
    Deleted : user_pref("CommunityToolbar.keywordURLSelectedCTID", "CT1060933");
    Deleted : user_pref("browser.search.defaultenginename", "AVG Secure Search");
    Deleted : user_pref("browser.search.defaultthis.engineName", "Freecorder Customized Web Search");
    Deleted : user_pref("browser.search.defaulturl", "hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT1060933&Sea[...]

    -\\ Google Chrome v24.0.1312.57

    File : C:\Users\newspaper56\AppData\Local\Google\Chrome\User Data\Default\Preferences

    [OK] File is clean.

    -\\ Opera v12.10.1652.0

    File : C:\Users\newspaper56\AppData\Roaming\Opera\Opera\operaprefs.ini

    [OK] File is clean.

    *************************

    AdwCleaner[R1].txt - [27291 octets] - [03/02/2013 22:46:49]
    AdwCleaner[R2].txt - [27243 octets] - [06/02/2013 14:58:34]
    AdwCleaner[S1].txt - [27934 octets] - [06/02/2013 15:00:37]

    ########## EOF - C:\AdwCleaner[S1].txt - [27995 octets] ##########
     
  4. Mark1956

    Mark1956

    Joined:
    May 7, 2011
    Messages:
    14,142
    ADWCleaner has removed a load of junk from Firefox, the rest of your browsers are clean.

    RogueKiller only found a couple of suspicious items, runservice.exe and Window Hide.exe. Searches show these belong to legitimate programs called Autoit and eLicense; please confirm that you have those programs.
     
  5. newspaper56

    newspaper56 Thread Starter

    Joined:
    Oct 2, 2007
    Messages:
    396
    Uhh...

    Yes, I remember installing Autoit but it didn't come with an uninstaller, so I did my best to delete it. Looks like it had remaining files lurking around.

    Also, no. I don't have eLicense or even remember installing it. Unless it came with my Toshiba laptop.

    Were those registry entries these two programs (autoIt and eLicense)?

    Yes, I did have Window Hide running but I don't know what runservice.exe was/is.
     
  6. Mark1956

    Mark1956

    Joined:
    May 7, 2011
    Messages:
    14,142
    Sounds like those entries are OK; here is a little more information which may help.

    Runservice.exe: http://www.neuber.com/taskmanager/process/runservice.exe.html relates to ELicense.

    Window Hide.exe: http://www.file.net/process/hide.exe.html relates to Autoit.

    As you no longer use Autoit please run RogueKiller again and hit the Scan button.
    Under the Registry tab unselect all the entries except for these two:

    HKCU\[...]\Services\Microsoft\Run : zHideWin (C:\Users\newspaper56\Desktop\newspaper56 Folder\Window Hide.exe)
    HKUS\S-1-5-21-1603089102-2812627082-2370458291-1005[...]\Services-1603089102-2812627082-2370458291-1005\Run : zHideWin (C:\Users\newspaper56\Desktop\newspaper56 Folder\Window Hide.exe)

    Then hit the Delete button, then Report, and post the log.

    Then use Windows Explorer and navigate to this entry and delete the file:

    C:\Users\newspaper56\Desktop\newspaper56 Folder\Window Hide.exe <---this file


    Then please run this scan so we can just check important security items are up to date:

    Download Security Check by screen317 from Here or Here.
    Save it to your Desktop.
    Double click SecurityCheck.exe (Vista or Windows 7 users right click and select "Run as Administrator") and follow the onscreen instructions inside of the black box. Press any key when asked.
    A Notepad document should open automatically called checkup.txt; please Copy & Paste the contents of that document into your next reply.
     
  7. newspaper56

    newspaper56 Thread Starter

    Joined:
    Oct 2, 2007
    Messages:
    396
    I couldn't find those two entries in the program itself, so i'm just making sure this is correct.
     


  8. newspaper56

    newspaper56 Thread Starter

    Joined:
    Oct 2, 2007
    Messages:
    396
    Here's the checkup

    Results of screen317's Security Check version 0.99.57
    Windows 7 Service Pack 1 x64 (UAC is disabled!)
    Internet Explorer 9
    ``````````````Antivirus/Firewall Check:``````````````
    Windows Firewall Enabled!
    avast! Antivirus
    Antivirus up to date!
    `````````Anti-malware/Other Utilities Check:`````````
    Spybot - Search & Destroy
    Malwarebytes Anti-Malware version 1.70.0.1100
    TuneUp Utilities 2012
    TuneUp Utilities Language Pack (en-US)
    Java(TM) 6 Update 17
    Java version out of Date!
    Adobe Flash Player 10 Flash Player out of Date!
    Adobe Reader 9 Adobe Reader out of Date!
    Mozilla Firefox (18.0.1)
    Google Chrome 24.0.1312.56
    Google Chrome 24.0.1312.57
    ````````Process Check: objlist.exe by Laurent````````
    Norton ccSvcHst.exe
    Microsoft Small Business Business Contact Manager BcmSqlStartupSvc.exe
    AVAST Software Avast AvastSvc.exe
    AVAST Software Avast AvastUI.exe
    `````````````````System Health check`````````````````
    Total Fragmentation on Drive C: 1%
    ````````````````````End of Log``````````````````````
     
  9. Mark1956

    Mark1956

    Joined:
    May 7, 2011
    Messages:
    14,142
    In reply to post 7, that is correct.

    Security Check shows a few items that need attention.

    I would recommend you do not use Tuneup Utilities as any such optimizing program can cause more harm than good. Any specific performance problems found can be dealt with by much safer means.

    I would also recommend you replace Spybot Search & Destroy with SuperAntiSpyware, Spybot does not have a good reputation.


    Please go into Task Manager by pressing the Ctrl, Alt and Delete keys on your keyboard and select Task Manager from the list. Scroll down the list of processes and find Teatimer.exe, click on it and then click on the End Process button. Then go into Programs and Features via the Control Panel and click on Spybot Search & Destroy, then click on Uninstall. If Teatimer is not present in the list of processes then please proceed with the uninstall. Next, download and install this: SuperAntiSpyware


    Finally, Java and two Adobe products need updating.

    Adobe
    Close any programs you may have running - especially your web browser.
    Click on Start > Control Panel, double-click on Programs and Features and uninstall the following Adobe entries:

    Adobe Flash Player 10
    Adobe Reader 9


    NOTE: For XP click on Start > Control Panel, double-click on Add or Remove Programs and continue as above.

    Then go to this link Adobe Downloads and select the latest version to download and install. You will see this page below, click on the appropriate button for the Adobe product that was just removed.

    [screenshot of the Adobe Downloads page with the product buttons]

    You will now see a page similar to this one:

    [screenshot of an Adobe product download page showing the operating system, browser and language selections]

    All four Adobe products, Reader, Flash Player, Air and Shockwave Player are set by default to download the version for Windows Operating Systems and for Internet Explorer in English. If you are using a Macintosh, or you want to use the Adobe product with a different Browser or language you must click on the line (as indicated in the above image) to make further selections to meet your requirements.

    As you will see in the above image the Adobe Reader is set for Windows 7, please click (as indicated) if you are using a different version of Windows to make further selections. All the other Adobe products are universal and you will only need to change the selection for different Browsers, Languages or for Macintosh.
    NOTE: In all the downloads look out for the Google Toolbar and uncheck the box if you do not need it.

    Some additional instructions may appear for XP installations. In all cases save the download to your desktop, then close your browser and double click on the Adobe icon on your desktop to install it. If you have any problems installing, disconnect from the internet and disable your Anti Virus and any other security software; instructions for most AVs, etc. can be found here: How to disable security software.
    ================================================================


    Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system.
    Please follow these steps to remove older versions of Java and update.

    How to update Java:
    Be aware that the act of downloading any Java installer means that you have read and agree to abide by the end users license agreement.
    End user licence agreement

    First uninstall all existing versions of Java.

    • Go to Start > Control Panel double-click on Add/Remove programs (or Programs and Features) and click on any item with Java, Java(TM), JRE or J2SE in the name.
    • Click the Uninstall, Remove or Change/Remove button and allow it to uninstall.
    • If a User Account Control warning appears click on Allow.
    • Repeat as many times as necessary to remove each and every item.
    • Reboot your computer once all Java components are removed.

    NOTE: If you have a 64bit version of Windows and are using the 64bit version of Internet Explorer the Java site will automatically give you the correct Java version using the instructions below,
    but it is recommended that you use only 32bit browsers and versions of Java. Please read this for further information: Which Java download should I choose for my 64bit operating system?.
    If you install Java for the 64bit version of Internet Explorer and you use any other browser you will also need to repeat the installation while using your other browser which will most likely be 32bit. If in doubt please ask.


    How to install the latest version.

    • Open the browser that you normally use and click on this link: Java Download
    • Click on the big red button Free Java Download
    • On the next page click on the big red button Agree and Start Free Download
    • Select Run whenever the option appears. If no Run option appears click on Save and then when the download completes click on Run. If a User Account Control warning appears click on Continue.
    • When the Welcome to Java window appears click on Install.
    • It may take several minutes to download the installer depending on the speed of your connection, allow it to complete.
    • If any error messages appear click on OK and then click on the Agree and start free download button again.
    • Please wait for the Java Setup window to appear. Uncheck the box to install the Ask Toolbar and then click on Next.
    • NOTE: The Ask Toolbar option may change without notice to something different, please make sure you uncheck the box for anything else that is offered. On some systems this offer may not appear, in which case, continue with the next instruction.
    • You will then see the Java Setup Progress window and another will appear for JavaFX (on some systems the JavaFX will not appear or be installed). Finally the Java Setup Complete window will appear, click on Close.
    • If a Java page then appears with a button to Verify Java Version click on it and it will verify the installation.
    • The Installation is now complete, please reboot the system.
    • NOTE: The JavaFX component is not required unless you are developing Java applications. It is perfectly safe to keep on your system, but if you wish to uninstall it please do so.
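    The uninstall step above relies on spotting every Java entry by eye in Programs and Features. As an added example (not part of this thread, and not Security Check's or Java's own code), the following PowerShell reads the same installed-program list from the registry Uninstall keys, including the 32-bit view on 64-bit Windows, so you can confirm that no Java, Java(TM), JRE, J2SE, Flash Player or Adobe Reader entry remains before installing the current version. The name pattern is my own choice, taken from the names this post tells you to look for.

```powershell
# Added example, not from the thread: inventory Java and Adobe entries from the
# registry Uninstall keys so every old version can be confirmed gone before
# installing the current one. Read-only; run from an elevated PowerShell prompt.

$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',              # native-architecture apps
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',  # 32-bit apps on 64-bit Windows
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'               # per-user installs
)

# Names the post tells you to remove (Java, Java(TM), JRE, J2SE) plus the two
# Adobe products Security Check flagged as out of date. Pattern is an assumption.
$pattern = 'Java|JRE|J2SE|Adobe Flash Player|Adobe Reader'

$found = foreach ($key in $uninstallKeys) {
    Get-ItemProperty -Path $key -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -match $pattern } |
        ForEach-Object {
            # Wow6432Node holds the 32-bit view on 64-bit Windows; on 32-bit
            # Windows everything is 32-bit.
            $arch = if (-not [Environment]::Is64BitOperatingSystem) { '32-bit' }
                    elseif ($_.PSPath -match 'Wow6432Node') { '32-bit' }
                    else { '64-bit' }
            [PSCustomObject]@{
                Name         = $_.DisplayName
                Version      = $_.DisplayVersion
                Architecture = $arch
                Uninstall    = $_.UninstallString
            }
        }
}

if ($found) {
    $found | Sort-Object Name | Format-Table -AutoSize
} else {
    'No Java or flagged Adobe entries remain in the Uninstall keys.'
}
```

    Run it once before the uninstall step to see what is installed, and again after the reboot: the post's note about 64-bit Java only being needed for 64-bit Internet Explorer is easy to check from the Architecture column.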
     
  10. newspaper56

    newspaper56 Thread Starter

    Joined:
    Oct 2, 2007
    Messages:
    396
    Here's the report for the Roguekiller deletion. It seemed to only have deleted one. Don't know why.

    RogueKiller V8.4.4 _x64_ [Feb 4 2013] by Tigzy
    mail : tigzyRK<at>gmail<dot>com
    Feedback : http://www.geekstogo.com/forum/files/file/413-roguekiller/
    Website : http://tigzy.geekstogo.com/roguekiller.php
    Blog : http://tigzyrk.blogspot.com/

    Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
    Started in : Normal mode
    User : Newspaper56 [Admin rights]
    Mode : Remove -- Date : 02/07/2013 13:15:07
    | ARK || FAK || MBR |

    ¤¤¤ Bad processes : 2 ¤¤¤
    [SUSP PATH] Runservice.exe -- C:\Windows\runservice.exe -> KILLED [TermProc]
    [SUSP PATH] Window Hide.exe -- C:\Users\Newspaper56\Desktop\Newspaper56 Folder\Window Hide.exe -> KILLED [TermProc]

    ¤¤¤ Registry Entries : 7 ¤¤¤
    [RUN][SUSP PATH] HKCU\[...]\Services\Microsoft\Run : zHideWin (C:\Users\Newspaper56\Desktop\Newspaper56 Folder\Window Hide.exe) -> DELETED
    [HJ] HKLM\[...]\Services\Microsoft\System : ConsentPromptBehaviorAdmin (0) -> NOT SELECTED
    [HJ] HKLM\[...]\Wow6432Node\Services\Microsoft\System : ConsentPromptBehaviorAdmin (0) -> NOT SELECTED
    [HJ] HKLM\[...]\Services\Microsoft\System : EnableLUA (0) -> NOT SELECTED
    [HJ] HKLM\[...]\Wow6432Node\Services\Microsoft\System : EnableLUA (0) -> NOT SELECTED
    [HJ DESK] HKLM\[...]\Services\Microsoft\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> NOT SELECTED
    [HJ DESK] HKLM\[...]\Services\Microsoft\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> NOT SELECTED

    ¤¤¤ Particular Files / Folders: ¤¤¤

    ¤¤¤ Driver : [NOT LOADED] ¤¤¤

    ¤¤¤ Extern Hives: ¤¤¤
    -> F:\windows\system32\config\SOFTWARE
    -> F:\windows\system32\config\SYSTEM
    -> F:\Users\Default\NTUSER.DAT
    -> F:\Users\Default User\NTUSER.DAT
    -> F:\Users\Microbots\NTUSER.DAT
    -> F:\Documents and Settings\Default\NTUSER.DAT
    -> F:\Documents and Settings\Default User\NTUSER.DAT
    -> F:\Documents and Settings\GuestUser\NTUSER.DAT

    ¤¤¤ HOSTS File: ¤¤¤
    --> C:\windows\system32\drivers\etc\hosts

    127.0.0.1 secure.tune-up.com


    ¤¤¤ MBR Check: ¤¤¤

    +++++ PhysicalDrive0: TOSHIBA MQ01ABD075 +++++
    --- User ---
    [MBR] 73f05d9f230be049d0e0bff191b14555
    [BSP] 33c05efc4141c5524db711debd96a558 : Windows 7/8 MBR Code
    Partition table:
    0 - [ACTIVE] ACER (0x27) [VISIBLE] Offset (sectors): 2048 | Size: 1500 Mo
    1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 3074048 | Size: 409765 Mo
    2 - [XXXXXX] NTFS (0x17) [HIDDEN!] Offset (sectors): 1440288768 | Size: 12138 Mo
    3 - [XXXXXX] EXTEN-LBA (0x0f) [VISIBLE] Offset (sectors): 842287950 | Size: 291992 Mo
    User = LL1 ... OK!
    User = LL2 ... OK!

    +++++ PhysicalDrive1: SEMC Mass Storage USB Device +++++
    --- User ---
    [MBR] 8a4a3f84a9eda68451f8bdccda84c484
    [BSP] df4f83c1f72e36823a12b0dfc7617313 : MBR Code unknown
    Partition table:
    0 - [XXXXXX] FAT32 (0x0b) [VISIBLE] Offset (sectors): 8192 | Size: 7576 Mo
    User = LL1 ... OK!
    Error reading LL2 MBR!

    Finished : << RKreport[4]_D_02072013_02d1315.txt >>
    RKreport[1]_S_02062013_02d1450.txt ; RKreport[2]_S_02072013_02d0023.txt ; RKreport[3]_S_02072013_02d1311.txt ; RKreport[4]_D_02072013_02d1315.txt
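    The RogueKiller log above flags three kinds of things: an autostart entry whose executable sits in a Desktop folder ([SUSP PATH]), UAC turned off (EnableLUA and ConsentPromptBehaviorAdmin both 0, matching the "UAC is disabled!" line in Security Check), and a hosts file mapping. As an added example (not RogueKiller's code, not from the thread), the PowerShell below performs the same three read-only checks with built-in cmdlets, so the items can be re-checked after cleanup without the tool. The "trusted root" heuristic (Windows and Program Files directories) and the expected UAC values (1 and 5, the Windows 7 defaults) are my assumptions; the Run key paths are the standard Windows ones, which the log abbreviates as HKCU\[...]\Run.

```powershell
# Added example, not RogueKiller's code: re-check the three items the log above
# reports (Run keys, UAC settings, hosts file). Read-only; run elevated.

# 1. Run keys. Mimic the [SUSP PATH] tag: flag autostart entries whose executable
#    lives outside the Windows and Program Files directories (assumed heuristic).
$runKeys = @(
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run'
)
$trustedRoots = @($env:windir, ${env:ProgramFiles}, ${env:ProgramFiles(x86)}) |
    Where-Object { $_ } | ForEach-Object { $_.TrimEnd('\') + '\' }

foreach ($key in $runKeys) {
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if (-not $props) { continue }
    # PS* properties are PowerShell provider metadata, not registry values
    foreach ($p in $props.PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' }) {
        $cmd = [string]$p.Value
        # The executable is the quoted token, or else the first token ending in .exe
        $exe = if ($cmd -match '^"([^"]+)"') { $Matches[1] }
               elseif ($cmd -match '^(.+?\.exe)') { $Matches[1] }
               else { $cmd }
        $exe = [Environment]::ExpandEnvironmentVariables($exe)
        $trusted = $trustedRoots | Where-Object { $exe.StartsWith($_, 'OrdinalIgnoreCase') }
        $tag = if ($trusted) { 'OK' } else { 'SUSP PATH' }
        "[$tag] $key : $($p.Name) -> $cmd"
    }
}

# 2. UAC. The log shows EnableLUA (0) and ConsentPromptBehaviorAdmin (0);
#    Windows 7 defaults are 1 and 5 (prompt for consent for non-Windows binaries).
$uac = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
"EnableLUA = $($uac.EnableLUA)  (expected 1)"
"ConsentPromptBehaviorAdmin = $($uac.ConsentPromptBehaviorAdmin)  (expected 5 on Windows 7)"

# 3. hosts file. List every active mapping so a line like the log's
#    "127.0.0.1 secure.tune-up.com" is visible alongside any others.
$hosts = Join-Path $env:windir 'System32\drivers\etc\hosts'
Get-Content $hosts | Where-Object { $_ -match '^\s*[^#\s]' } | ForEach-Object { "[HOSTS] $_" }
```

    The Run key check only classifies by path, exactly as the log's tag does; an [SUSP PATH] hit such as the Window Hide.exe entry still needs the kind of lookup Mark1956 did above to decide whether it is legitimate. A hosts entry is worth knowing about even when benign, because an uninstalled product (here TuneUp Utilities) can leave its redirect behind.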
     
  11. newspaper56

    newspaper56 Thread Starter

    Joined:
    Oct 2, 2007
    Messages:
    396
    I already have SuperAntiSpyware; it seems it didn't get picked up even though the process was running. Funnily enough, Spybot wasn't running. Anyway, I uninstalled Spybot and some error came up.

    Service SBSD Security Center Service failed to uninstall with error: "System error. Code 1060" Specified service does not exist as an installed service.

    For the other stuff, I uninstalled:

    Adobe Flash Player 10 Active X
    Adobe Flash Player 10 Plugin
    Adobe Reader 9.3

    Java 7 Update 6 (64 bit)
    Java SE Development Kit 7 Update 6 (64bit)
    Java (TM) 6 Update 7

    Now, I'm a bit confused with the Java installation. I downloaded through Chrome, but it's a Chrome-install Java. So, checking the programs list it seems it installed Java 7 Update 13, but the SE dev kit and the Java(TM) haven't been installed. I know about the JRE but what is the Java(TM)?

    Also, is it necessary to reinstall Adobe Reader? I don't even use that, I use Foxit.

    Flash player 11 Plugin is in.
     
  12. Mark1956

    Mark1956

    Joined:
    May 7, 2011
    Messages:
    14,142
    No problem with Spybot as the error is simply telling you the service does not exist.

    Java(TM) is the way the older versions were listed; newer versions simply show as Java X Update XX. As you are only seeing Java 7 Update 13 in your installed programs list, that is correct. One tip I can give you about Java: I see you had 64bit versions installed. These are only required if you are using the 64bit version of Internet Explorer; the default version of IE is 32bit even if you are running 64bit Windows.

    If you don't use Adobe Reader there is no need to install it.

    We are all done. You can simply delete the RogueKiller icon from your desktop to remove it, ADWCleaner can be useful to keep and run from time to time to keep your browsers clear of Adware.
     
  13. newspaper56

    newspaper56 Thread Starter

    Joined:
    Oct 2, 2007
    Messages:
    396
    Oh OK, thanks for the help. Just one final question:

    Error reading LL2 MBR!

    What did that mean in Rogue? It wasn't in the other logs.
     
  14. Mark1956

    Mark1956

    Joined:
    May 7, 2011
    Messages:
    14,142
    That error is showing for a USB device (either a Flash Drive or external Hard Drive that you have connected) and is nothing to worry about. It didn't show in the previous RK log as you probably didn't have it plugged in.
     
  15. newspaper56

    newspaper56 Thread Starter

    Joined:
    Oct 2, 2007
    Messages:
    396
    One last quick question: what do I do with the RK quarantine folder that's sitting on my desktop?
     
Short URL to this thread: https://techguy.org/1088005
