Post by avidtr on Jun 30, 2014 8:35:36 GMT -8
Hi Quads. Please see requested txt file. I hope it's OK and was completed. This is because when FRST64 was working and creating the txt file, Windows decided to do one of its periodic updates without me being aware of it! This resulted in an automatic restart, without consultation. (The joys of Windows!!) I didn't repeat the FIX step as you said to press FIX just once. You might please advise. Can I please ask you about sending email during the current situation. I use Windows Live Mail 2012. Is it best not to send emails, to avoid possible spread of malware? Many thanks.
Quads
Malware Removalists
In New Zealand
Posts: 9,387
Post by Quads on Jun 30, 2014 10:38:52 GMT -8
It is OK to email, most of the problems appear to be stubborn PUPs and some other settings. It looks as though FRST cannot get some items, possibly due to the account being limited and not admin, so some keys are a no go according to Windows, and Windows did restart while FRST was processing.
Log out of the Limited account so that it is not running and log in to the account with the Admin rights and do this below while in that account.
Read slowly and all of it.
Please download www.bleepingcomputer.com/download/farbar-recovery-scan-tool/ You need to download the 64 bit version.
Or you could take / copy the FRST64 from the Desktop of the limited account and transfer it to the Desktop of the Admin account.
Place FRST64.exe onto your desktop from wherever it downloaded to.
Start FRST64 that is on your Desktop. The tool will start to run.
When the tool opens click Yes to disclaimer. (if it does)
Press Scan button.
It will make logs (FRST.txt and addition.txt) on your Desktop.
Please attach the log in your reply back. Or open the logs in notepad and copy the logs and paste back in a message as a reply.
Quads
Post by avidtr on Jun 30, 2014 12:33:23 GMT -8
Hi Quads. Followed your instructions, in admin account. Scan in FRST seems to have created only 1 log file, frst.txt that I have attached. Addition.txt is not apparent! Thanks.
Post by Quads on Jun 30, 2014 14:08:04 GMT -8
OK
Go back to the other account and delete the addition.txt from that account's Desktop. Then log back out and go back into the Admin (Owner) account.
Start FRST64 again and before running a scan tick / check the box for the option to create an addition.txt. Once that option is selected click the scan button.
Quads
Post by avidtr on Jun 30, 2014 15:27:41 GMT -8
Post by Quads on Jun 30, 2014 15:39:09 GMT -8
I just have to change the script as FRST did manage to grab some of the items, so that now the registry keys look different and hahaha I spotted this running process
() C:\FRST\Quarantine\C\Program Files (x86)\webget\bin\utilwebget.exe.xBAD
and
(MyPCBackup.com) C:\FRST\Quarantine\C\Program Files (x86)\MyPC Backup\MyPC Backup\MyPC Backup.exe
FRST managed to move the file but then somehow the file process loaded to change location to run from inside the Quarantine.
Does your Windows 8 give you the option to right click a program and choose "Run as Administrator" from the menu?
Quads
Post by avidtr on Jun 30, 2014 20:55:59 GMT -8
Hi Quads.
My Windows 8 gives the option of run as administrator from a right-click on a program. Now in non-admin account and this option is available.
Thanks.
Post by Quads on Jun 30, 2014 21:10:21 GMT -8
Using the Admin account (Owner) and logged out of the other accounts
Make sure Windows has no updates waiting to install,
Then
You may want to read carefully all of this message first before starting the steps.
NOTE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system
Download the script attached, needs to be the same file name as well (fixlist.txt), have it on the Desktop, so that fixlist.txt is next to FRST64.exe,
DO NOT DRAG AND DROP to download the script, it won't work for FRST (Right click on the attachment link (not the normal left click) and from the menu choose Save As or Save Link as.)
The script tells FRST what to do.
Start FRST64 that is on the desktop (right click FRST64 and choose from the menu "Run as Administrator" if it gives the option).
When the tool opens click Yes to disclaimer. (if it still does)
Press the Fix button just once and wait.
The tool will make a log on the Desktop (Fixlog.txt), please post it to your reply (attach or paste).
Quads
Post by avidtr on Jun 30, 2014 21:43:13 GMT -8
Hi Quads. Exactly as per your instructions. During the Fix Windows restarted with message similar to "Restarting to complete fix". On re-log in as admin account got message that Fix now complete and log file on Desktop. I hope this is normal and expected! Many thanks.
Post by Quads on Jun 30, 2014 21:53:40 GMT -8
BINGO, that has appeared to have broken them apart, unless they have found another way to use the running from FRST Quarantine again. But using admin and having admin rights I was able to take the Services and Registry keys.
Using the Admin (Owner) account. Read carefully.
Download Adwcleaner www.bleepingcomputer.com/download/adwcleaner/ on to your desktop (the blue "Download Now @Bleeping Computer" button) and run a scan (Scan button). It will create a log after. Or there is a Report button. ONE SCAN ONLY
Attach or paste the log back here.
Quads