Microsoft Tech Support Scam

Old 02-18-2016, 04:04 PM   #1
Registered Member
 
Join Date: Feb 2014
Location: Ohio, USA
Posts: 18
OS: Windows 10 Home Edition



My grandfather got taken in by a Microsoft Windows Support Scam and I'm fairly certain that his laptop's got a bug that I can't get rid of.

What happened:

He got a popup (while using Internet Explorer and after downloading an Adobe update) that said there was a security issue and that he needed to call a number for Windows Firewall Service.
(I looked up the number and apparently other people have been taken in by this scam. Here it is on a Microsoft forum:
MICROSOFT TECH SUPPORT SCAM CALL - Microsoft Community)

This is what the Popup said:

Quote:
"windows firewall service has been stopped due to virus/adware on your computer. please visit www.scannow.com/support or call toll free 1 888 447 4192 for support. root-kits/spyware may have caused the security breach on your network location. call toll free 1 888 447 4192 for technical assistance."
So he called the number (1-888-447-4192) not knowing it was a scam and they said they were from Windows and that they needed remote access to his laptop to solve the security issue, which he gave them. (He said he did not give them any personal information, however.)

After he told me what happened, I checked out his laptop. He had about a dozen popups that wouldn't close and some malware programs were added, which I have removed.

Those programs were:
Knctr itibiti
One SystemCare
WebDiscover Browser
some kind of remote access/assistance program and a player program that I forgot to write down.

So I removed all of the programs I could find in the programs window (including a program called PCKeeper that he already had) and restarted the laptop. After that, I tried to scan his laptop using Windows Defender (he has Windows 10) but the scan kept stopping/canceling about two-thirds of the way through. I also tried to defrag (optimize) but that too kept stopping. Then I tried to do a maintenance check with the Windows Maintenance tool, that kept cycling and never went through. Same thing when I did a Windows Update check. The spinning wheel just kept spinning and spinning, and wouldn't go through.

So I tried to restart the laptop, but even after nearly 30 minutes, the laptop wouldn't complete the restart. So I just did a hard shut down and let it sit overnight, off. I turned it back on today to install a cleaning and upkeep program I use on my own laptop called Advanced SystemCare. I was hoping that it would work since it's not a Windows program. It installed, but I can't open it, despite it running in the background and the icon on the toolbar.

So I'm fairly certain that there is a bug on it somewhere that's taken control, but nothing I've tried has worked so far.

Does anyone have any idea of how I can fix this issue?
I'm not overly versed in bios or how to do in-depth maintenance.
serenshadow is offline  
Old 02-18-2016, 10:19 PM   #2
Security Team
Moderator, Analyst
Rangemaster, TSF Academy
 
Microsoft Most Valuable Professional
 
Join Date: Oct 2007
Location: Georgia
Posts: 29,790
OS: XP/Win7/Win10



Hello and Welcome to TSF.

If you haven't already, please Subscribe to this Thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant notification by email, then click Add Subscription.

Please note that the forum is very busy and if I don't hear from you within three days this thread will be closed.

------------------------------------------------------

Registry cleaners (Advanced SystemCare, One SystemCare, etc.) are usually more harmful than helpful. Don't use them.

Our colleague miekiemoes has an excellent writeup here

------------------------------------------------------

See if FRST64.exe will run in Normal Mode.

Please download Farbar Recovery Scan Tool and save it to your desktop.
  • Double-click FRST64 to run it. When the tool opens click Yes to the disclaimer.
  • Make sure the Addition.txt button is ticked.
  • Press Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
  • The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply.
------------------------------------------------------
__________________
Our services are free, but you may contribute to the author of ComboFix via PayPal

Proud member of UNITE

Microsoft MVP - Consumer Security 2014, 2015
chemist is offline  
Old 02-19-2016, 09:06 AM   #3

I will give it a try.
serenshadow is offline  
Old 02-19-2016, 10:03 AM   #4

I tried it. The tool ran for several minutes, but now it's Not Responding.
The status is still "scanning, please wait", but it's non-responsive. It has already produced the txt files you mentioned. Should I go ahead and copy/attach those?
serenshadow is offline  
Old 02-19-2016, 06:24 PM   #5

You do have a 64-bit machine, correct? Yes, please post/attach the logs, unless they are empty.
chemist is offline  
Old 02-19-2016, 09:05 PM   #6

Yes, his laptop is 64.

FRST and addition are attached. (I couldn't post FRST in this reply because there were too many characters.)
Attached Files
File Type: txt Addition.txt (31.8 KB, 52 views)
File Type: txt FRST.txt (132.7 KB, 43 views)
serenshadow is offline  
Old 02-20-2016, 11:07 AM   #7

Hello again, serenshadow. Please don't choose extra options when running tools, unless asked to do so. Thanks.

Do you know what applications are using those open ports with no description that are listed in your Addition.txt log?

------------------------------------------------------

Please note that these fixes are not instantaneous. Most infections require more than one round to properly eradicate.

Please stay with me until given the 'all clear' even if symptoms seemingly abate.

Kindly follow my instructions and please do no fixing on your own or running of scanners unless requested by a helper.

------------------------------------------------------

If there are any personal files, pics, etc. on your computer you cannot live without, back them up now just as a precaution.

Back up and restore your files - Windows Help

------------------------------------------------------
  • Open Notepad (Start > All Programs > Accessories > Notepad).
  • Please copy all the text in the codebox below. (To do this highlight the contents of the box, right-click on it and select Copy. Right-click in the open Notepad and select Paste).
  • Save it as fixlist.txt next to FRST64.exe
  • If asked to change 'Encoding:' to 'Unicode:', please agree and save it.

    NOTE: Both FRST64.exe and the fixlist.txt must be in the same location or the fix will not work.


    Code:
    start
    createrestorepoint:
    Itibiti RTC (x32 Version: 0.0.1 - Itibiti Inc) Hidden
    Task: {0FE6C9E1-4EF4-48B3-8F5B-3FB660313159} - \Microsoft\Windows\Setup\gwx\refreshgwxconfig -> No File <==== ATTENTION
    Task: {187766FD-5BF6-473A-B501-0C161163FA28} - \Microsoft\Windows\Setup\GWXTriggers\ScheduleUpgradeReminderTime -> No File <==== ATTENTION
    Task: {3F43E538-06D8-46C8-A4D6-947F2F3E25AF} - \Microsoft\Windows\Setup\gwx\launchtrayprocess -> No File <==== ATTENTION
    Task: {508D3083-F1DD-4A0A-9F7A-B8C0F89B7789} - \Microsoft\Windows\Setup\GWXTriggers\Time-5d -> No File <==== ATTENTION
    Task: {6DB4D1BE-C321-4892-A13E-12B9661D43AD} - \Microsoft\Windows\Setup\GWXTriggers\refreshgwxconfig-B -> No File <==== ATTENTION
    Task: {7A34B6E0-1402-435D-8BA7-1513837FF980} - \Microsoft\Windows\Setup\GWXTriggers\OutOfSleep-5d -> No File <==== ATTENTION
    Task: {9E58BD44-82BF-4E4B-BF1E-24F909D696E2} - \Microsoft\Windows\Setup\GWXTriggers\OutOfIdle-5d -> No File <==== ATTENTION
    Task: {A5A7DB95-6EFA-41A9-B9A7-7015686930C6} - \Microsoft\Windows\Setup\GWXTriggers\MachineUnlock-5d -> No File <==== ATTENTION
    Task: {A9FB48AB-CB19-46BC-9B64-4271041D181E} - \Microsoft\Windows\Setup\GWXTriggers\ScheduleUpgradeTime -> No File <==== ATTENTION
    Task: {D0AECD96-9233-4F55-8315-F30A780884E0} - \Microsoft\Windows\Setup\gwx\refreshgwxconfigandcontent -> No File <==== ATTENTION
    Task: {E2DEDA16-166C-4CAD-8211-EACCE694ADB0} - \Microsoft\Windows\Setup\gwx\refreshgwxcontent -> No File <==== ATTENTION
    Task: {FA37C980-B81F-425E-B77B-046CAE06AC2F} - \Microsoft\Windows\Setup\GWXTriggers\Logon-5d -> No File <==== ATTENTION
    HKU\S-1-5-21-158861091-2992931431-3164375879-1000\...\Run: [Itibiti.exe] => C:\Program Files (x86)\Itibiti Soft Phone\Itibiti.exe
    HKU\S-1-5-21-158861091-2992931431-3164375879-1000\...\Run: [NowUSeeIt Player] => "C:\Program Files (x86)\NowUSeeItPlayer\NowUSeeItPlayer.exe" /autostart=1
    URLSearchHook: HKU\S-1-5-21-158861091-2992931431-3164375879-1000 - (No Name) - {D3D233D5-9F6D-436C-B6C7-E63F77503B30} - No File
    SearchScopes: HKU\S-1-5-21-158861091-2992931431-3164375879-1000 -> DefaultScope {C04B7D22-5AEC-4561-8F49-27F6269208F6} URL = hxxp://www2.inbox.com/search/dispatcher.aspx?tp=bs&qkw={searchTerms}&tbid=82201&iwk=362&lng=en
    SearchScopes: HKU\S-1-5-21-158861091-2992931431-3164375879-1000 -> {C04B7D22-5AEC-4561-8F49-27F6269208F6} URL = hxxp://www2.inbox.com/search/dispatcher.aspx?tp=bs&qkw={searchTerms}&tbid=82201&iwk=362&lng=en
    Toolbar: HKU\S-1-5-21-158861091-2992931431-3164375879-1000 -> No Name - {D7E97865-918F-41E4-9CD0-25AB1C574CE8} -  No File
    R2 LiveUpdateSvc; C:\Program Files (x86)\IObit\LiveUpdate\LiveUpdate.exe [2934048 2015-10-09] (IObit)
    S2 AdvancedSystemCareService9; C:\Program Files (x86)\IObit\Advanced SystemCare\ASCService.exe [X]
    C:\Program Files (x86)\NowUSeeItPlayer
    C:\Windows\pss\MyPC Backup.lnk.Startup
    2016-02-18 17:56 - 2016-02-19 12:20 - 00000000 ____D C:\ProgramData\ProductData
    2016-02-18 17:26 - 2016-02-18 17:26 - 00000000 ____D C:\Users\Butch\AppData\Roaming\ProductData
    2016-02-18 17:25 - 2016-02-19 12:25 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Advanced SystemCare
    2016-02-18 17:25 - 2016-02-19 12:20 - 00000000 ____D C:\Users\Butch\AppData\LocalLow\IObit
    2016-02-18 17:25 - 2016-02-18 17:25 - 00000000 ____D C:\WINDOWS\Tasks\ImCleanDisabled
    2016-02-18 17:25 - 2016-02-18 17:25 - 00000000 ____D C:\ProgramData\{FD6F83C0-EC70-4581-8361-C70CD1AA4B98}
    2016-02-18 17:23 - 2016-02-18 17:25 - 00000000 ____D C:\Users\Butch\AppData\Roaming\IObit
    2016-02-18 17:22 - 2016-02-19 12:20 - 00000000 ____D C:\ProgramData\IObit
    2016-02-18 17:22 - 2016-02-18 17:25 - 00000000 ____D C:\Program Files (x86)\IObit
    Folder: C:\ProgramData\bea17193-27a5-1
    Reg: reg delete "HKLM\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\C:^Users^Butch^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^MyPC Backup.lnk" /f
    Reg: reg delete HKU\S-1-5-21-158861091-2992931431-3164375879-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run /v "NowUSeeIt Player" /f
    Reg: reg delete HKU\S-1-5-21-158861091-2992931431-3164375879-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run /v "PCKeeper Remote Assistance" /f
    Reg: reg delete HKU\S-1-5-21-158861091-2992931431-3164375879-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run /v "Itibiti.exe" /f
    EmptyTemp:
    end
  • Double-click FRST64 to run the tool. If the tool warns you the version is outdated, please download and run the updated version.
  • Click the Fix button just once, and wait.
  • If you receive a message that a reboot is required, please make sure you allow it to restart normally.
  • The tool will complete its run after the restart.
  • When finished, the tool will make a log (Fixlog.txt) in the same location from where it was run. Please post the Fixlog.txt log in your reply.

NOTE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.

------------------------------------------------------
chemist is offline  
Old 02-20-2016, 10:20 PM   #8

Quote:
Do you know what applications are using those open ports with no description that are listed in your Addition.txt log?
No, I'm sorry, I do not. And neither does my grandfather. But he said he doesn't use any programs other than IE and Microsoft Word. He's kinda computer illiterate and only uses it for the basics. Unless it's something my cousin has put on there. He occasionally borrows the laptop to play games.

Fixlog is attached.
Attached Files
File Type: txt Fixlog.txt (13.8 KB, 31 views)
serenshadow is offline  
Old 02-21-2016, 12:16 PM   #9

Hello again, serenshadow. How is the machine now? Any improvement?

------------------------------------------------------

Press the Windows "logo" key and "R" key then copy/paste the following single-line command into the Run box and click OK:

cmd /c rd /s /q "C:\ProgramData\bea17193-27a5-1"

A DOS window will open and close again, this is normal.

Repeat for the following:

cmd /c rd /s /q "C:\ProgramData\bea17193-1163-0"

------------------------------------------------------

Please uninstall the following via Start->(or My Computer)->Control Panel->(Programs)->Programs and Features if they still exist:

Itibiti RTC <<Please read this

Please delete the following Folder if it still exists:

C:\Program Files (x86)\Itibiti Soft Phone

------------------------------------------------------

Press the Windows "logo" key and "R" key then copy/paste the following single-line command into the Run box and click OK:

cmd /c rd /s /q "%userprofile%\AppData\Roaming\Itibiti Soft Phone"

A DOS window will open and close again, this is normal.

------------------------------------------------------

I see you have P2P software (uTorrent) installed on your machine. We are not here to pass judgment on file-sharing as a concept. However, we will warn you that engaging in this activity and having this kind of software installed on your machine will always make you more susceptible to re-infections. It may be contributing to your current situation.

Please note: Even if you are using a "safe" P2P program, it is only the program that is safe. You will be sharing files from uncertified sources, and these are often infected. The bad guys use P2P filesharing as a major conduit to spread their wares.

A reference for the risk of these programs is here and here

I would strongly recommend that you uninstall it. You can do so via Programs and Features (right-click the Windows "logo" button > Programs and Features).

------------------------------------------------------

Please download AdwCleaner from here and save it to your desktop.
  • Run AdwCleaner and select Scan
  • Once the Scan is done, select Cleaning
  • Once done it will ask to reboot, please allow the reboot.
  • On reboot, a log will be produced. It can also be found at C:\AdwCleaner\AdwCleaner[C#].txt
  • Please copy/paste the contents of the log in your next reply.
------------------------------------------------------
chemist is offline  
Old 02-21-2016, 12:57 PM   #10

Yes, his laptop has been running much better, thank you!

I did everything you asked, including removing the uTorrent program, which I'm sure was put on there by my cousin; my grandpa doesn't know what torrenting is, let alone how to do it.


Log is attached.
Attached Files
File Type: txt AdwCleaner[C1].txt (5.9 KB, 31 views)
serenshadow is offline  
Old 02-21-2016, 01:22 PM   #11

I just tried to do an update check and a proper restart, but the laptop still got stuck on both.

I let the update checker go for a good 15 minutes, but it wouldn't go through. And when I tried to do a proper restart from the start menu, it got stuck on the restart screen. So I just did a hard shut down.
serenshadow is offline  
Old 02-21-2016, 05:17 PM   #12

Hello again, serenshadow. You're very welcome.

Not all problems are due to malware. Let's see what else we find.

------------------------------------------------------

Press the Windows "logo" key and "R" key then copy/paste the following single-line command into the Run box and click OK:

cmd /c rd /s /q "C:\Users\Butch\AppData\Roaming\uTorrent"

A DOS window will open and close again, this is normal.

Repeat for the following:

cmd /c del /a/f/q "C:\Users\Butch\Downloads\Downloaded Software\uTorrent.exe"

------------------------------------------------------

Please download Malwarebytes Anti-Malware and save it to your desktop.
  • Double-click mbam-setup-2.2.0.1024.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to the following:
    • Launch Malwarebytes Anti-Malware
    • A 14 day trial of the Premium features is pre-selected. You may deselect this if you wish, and it will not diminish the scanning and removal capabilities of the program.
  • Click Finish
  • At the end of the installation, a database update will be performed.
  • Click on Scan Now
  • A Threat Scan will begin.
  • When the scan is complete, if there have been detections, click Remove Selected to allow MBAM to clean what was detected.
  • In most cases, a restart will be required and a prompt will be shown.
  • Wait for the prompt to restart the computer to appear, then click on Yes
  • After the restart once you are back at your desktop, open MBAM once more.
  • Click on the History tab > Application Logs.
  • Double-click on the Scan Log which shows the Date and Time of the scan just performed.
  • Click Export
  • Click Text file (*.txt)
  • In the Save File dialog box which appears, click on Desktop.
  • In the File name: box type a name for your scan log.
  • A message box named File Saved should appear stating "Your file has been successfully exported".
  • Click Ok
  • Post that saved log in your next reply.
------------------------------------------------------

Please run this online scan to help look for remnants. Ensure your external and/or USB drives are inserted during the scan.

Go here and click 'Run ESET Online Scanner'.
  • If you are not using Internet Explorer, double-click esetsmartinstaller_enu.exe to install it, then click 'Run'.
  • Turn off the real-time scanner of any existing antivirus program while performing the online scan. Here's how
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • If using Internet Explorer, allow the ActiveX control to install when asked.
  • Once the components have downloaded, tick the option Enable detection of potentially unwanted applications
  • Click on Advanced Settings
  • Make sure that the option Remove found threats is unticked.
  • Ensure these options are ticked:
    • Scan Archives
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth technology
  • Next to 'Current scan targets: Operating memory, Local drives', click the Change... button.
  • Tick all the boxes that correspond to your external/inserted drives.
  • Click Start
  • Wait for the scan to finish.
  • When the scan is done, if it shows a screen that says "Threats found!", click "List of found threats", and then click "Export to text file..."
  • Save that text file to your desktop, and then copy/paste the contents in your next reply.
------------------------------------------------------

Please post the following in your next reply:

MBAM log
ESET report
chemist is offline  
Old 02-22-2016, 08:36 PM   #13

Problem.

I installed and started the Malwarebytes (I made sure the open after installation box was clicked), but just like when I tried Advanced SystemCare (which I've uninstalled), the program won't open up on screen. I can see the icon down in the toolbar, that it is running, but it won't open up all the way... it won't pull up on screen.

There's also a problem with the online scanner. It's been going for over 15 minutes now, but it's still at 0%. Should I let it keep going?
serenshadow is offline  
Old 02-23-2016, 12:45 PM   #14

Yes, let ESET keep going. Let me know and we'll go from there.
chemist is offline  
Old 02-24-2016, 12:57 AM   #15

I let it run for just under four hours today, but again, it didn't progress past 0%.

The log after I stopped it showed zero scanned files.

And I still can't get the anti-malware program to open all the way.
serenshadow is offline  
Old 02-24-2016, 07:17 PM   #16

Please download Farbar Service Scanner and run it on the computer with the issue.
  • Make sure the Internet Services option remains checked.
  • Check all the other boxes.
  • Click Scan.
  • It will create a log (FSS.txt) in the same directory the tool is run.
  • Please copy and paste the log in your next reply.
------------------------------------------------------
chemist is offline  
Old 02-25-2016, 04:18 PM   #17

Farbar Service Scanner Version: 27-01-2016
Ran by Butch (administrator) on 25-02-2016 at 19:15:02
Running from "C:\Users\Butch\Desktop"
Microsoft Windows 10 Pro (X64)
Boot Mode: Normal
****************************************************************

Internet Services:
============

Connection Status:
==============
Localhost is accessible.
LAN connected.
Attempt to access Google IP returned error. Google IP is unreachable
Google.com is accessible.
Yahoo.com is accessible.


Windows Firewall:
=============

Firewall Disabled Policy:
==================


System Restore:
============

System Restore Policy:
========================


Security Center:
============


Windows Update:
============

Windows Autoupdate Disabled Policy:
============================


Windows Defender:
==============

Other Services:
==============


File Check:
========
C:\Windows\System32\nsisvc.dll => File is digitally signed
C:\Windows\System32\drivers\nsiproxy.sys => File is digitally signed
C:\Windows\System32\drivers\afd.sys => File is digitally signed
C:\Windows\System32\drivers\tdx.sys => File is digitally signed
C:\Windows\System32\Drivers\tcpip.sys => File is digitally signed
C:\Windows\System32\dnsrslvr.dll => File is digitally signed
C:\Windows\System32\dnsapi.dll => File is digitally signed
C:\Windows\SysWOW64\dnsapi.dll => File is digitally signed
C:\Windows\System32\mpssvc.dll => File is digitally signed
C:\Windows\System32\bfe.dll => File is digitally signed
C:\Windows\System32\drivers\mpsdrv.sys => File is digitally signed
C:\Windows\System32\SDRSVC.dll => File is digitally signed
C:\Windows\System32\vssvc.exe => File is digitally signed
C:\Windows\System32\wscsvc.dll => File is digitally signed
C:\Windows\System32\wbem\WMIsvc.dll => File is digitally signed
C:\Windows\System32\wuaueng.dll => File is digitally signed
C:\Windows\System32\qmgr.dll => File is digitally signed
C:\Windows\System32\es.dll => File is digitally signed
C:\Windows\System32\cryptsvc.dll => File is digitally signed
C:\Program Files\Windows Defender\MpSvc.dll => File is digitally signed
C:\Windows\System32\ipnathlp.dll => File is digitally signed
C:\Windows\System32\iphlpsvc.dll => File is digitally signed
C:\Windows\System32\svchost.exe => File is digitally signed
C:\Windows\System32\rpcss.dll => File is digitally signed


**** End of log ****
Attached Files
File Type: txt FSS.txt (2.4 KB, 26 views)
serenshadow is offline  
Old 02-25-2016, 07:16 PM   #18

Please don't wrap logs in code or quoteboxes. Thanks.

Please run FRST64 again and post/attach the logs as before.
chemist is offline  
Old 02-25-2016, 09:52 PM   #19

Sorry. Files are attached.

He's really anxious to get his laptop back. Do you think that backing up his files to a flash, then reinstalling Windows 10 would be a good idea?
Attached Files
File Type: txt Addition.txt (35.5 KB, 27 views)
File Type: txt FRST.txt (36.8 KB, 32 views)
serenshadow is offline  
Old 02-27-2016, 01:47 PM   #20

Hello again, serenshadow. That should fix all your problems, yes.

If FRST and other programs will run, they all should run.

It is weird that some programs will work, and some won't.

What error message do you get when trying Windows Updates?

------------------------------------------------------
  • Open Notepad (Start > All Programs > Accessories > Notepad).
  • Please copy all the text in the codebox below. (To do this highlight the contents of the box, right-click on it and select Copy. Right-click in the open Notepad and select Paste).
  • Save it as fixlist.txt next to FRST64.exe
  • If asked to change 'Encoding:' to 'Unicode:', please agree and save it.

    NOTE: Both FRST64.exe and the fixlist.txt must be in the same location or the fix will not work.


    Code:
    start
    createrestorepoint:
    FirewallRules: [{63DD7A13-0E99-4DDC-A1D2-6C6B9EAC8964}] => (Allow) C:\Users\Butch\AppData\Roaming\uTorrent\uTorrent.exe
    FirewallRules: [{45C658CC-64E6-4670-8438-87B0CFA94213}] => (Allow) C:\Users\Butch\AppData\Roaming\uTorrent\uTorrent.exe
    FirewallRules: [{99F295E4-22CD-4E3F-A0CA-3107939A34FC}] => (Allow) C:\Users\Butch\Downloads\Downloaded Software\uTorrent.exe
    FirewallRules: [{8A3EDEB3-2838-44D0-90F4-4FB7CF3A6CD3}] => (Allow) C:\Users\Butch\Downloads\Downloaded Software\uTorrent.exe
    HKU\S-1-5-21-158861091-2992931431-3164375879-1000\...\Run: [PCKeeper Remote Assistance] => C:\Release\PCKeeperRemoteAssistance.exe
    C:\Release\PCKeeperRemoteAssistance.exe
    Reg: reg delete HKU\S-1-5-21-158861091-2992931431-3164375879-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run /v "PCKeeper Remote Assistance" /f
    EmptyTemp:
    end
  • Double-click FRST64 to run the tool. If the tool warns you the version is outdated, please download and run the updated version.
  • Click the Fix button just once, and wait.
  • If you receive a message that a reboot is required, please make sure you allow it to restart normally.
  • The tool will complete its run after the restart.
  • When finished, the tool will make a log (Fixlog.txt) in the same location from where it was run. Please post the Fixlog.txt log in your reply.

NOTE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.

------------------------------------------------------
chemist is offline  
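As an added example (not code from the thread, from Farbar or from either poster), a small Python triage script that applies the criteria behind the fixlists in posts #7 and #20 to FRST-style log lines: scheduled tasks resolving to "No File", per-user Run autostarts, and Run targets or firewall Allow rules whose executable sits outside Windows/Program Files or in a user-writable folder. The sample lines are constructed from the shapes quoted above, with benign control lines added.

```python
"""Triage of FRST-style log/fixlist lines (added example, not a Farbar tool).
Flags the three kinds of entries the fixlists in this thread remove: tasks whose
target file is gone, per-user Run autostarts, and executables (Run targets or
firewall Allow rules) outside Windows/Program Files or in user-writable folders.
Service lines ("R2 ...;", "S2 ...;") and SearchScopes are not parsed here."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample in the line shapes quoted in the fixlists above. The GUIDs,
# SID and paths of the flagged lines are the ones shown on the page; the defrag,
# SecurityHealth and Internet Explorer lines are constructed benign controls.
SAMPLE_LOG = r"""
Task: {0FE6C9E1-4EF4-48B3-8F5B-3FB660313159} - \Microsoft\Windows\Setup\gwx\refreshgwxconfig -> No File <==== ATTENTION
Task: {11111111-2222-3333-4444-555555555555} - \Microsoft\Windows\Defrag\ScheduledDefrag => C:\WINDOWS\System32\defrag.exe (Microsoft Corporation)
HKLM\...\Run: [SecurityHealth] => C:\WINDOWS\System32\SecurityHealthSystray.exe (Microsoft Corporation)
HKU\S-1-5-21-158861091-2992931431-3164375879-1000\...\Run: [Itibiti.exe] => C:\Program Files (x86)\Itibiti Soft Phone\Itibiti.exe
HKU\S-1-5-21-158861091-2992931431-3164375879-1000\...\Run: [PCKeeper Remote Assistance] => C:\Release\PCKeeperRemoteAssistance.exe
FirewallRules: [{63DD7A13-0E99-4DDC-A1D2-6C6B9EAC8964}] => (Allow) C:\Users\Butch\AppData\Roaming\uTorrent\uTorrent.exe
FirewallRules: [{22222222-3333-4444-5555-666666666666}] => (Allow) C:\Program Files\Internet Explorer\iexplore.exe
"""

# First drive-letter path on the line that ends in an executable extension.
PATH_RE = re.compile(r'([A-Za-z]:\\[^"<>\[\]\r\n]*?\.(?:exe|dll|sys|bat|cmd|vbs|js|scr))', re.I)
STANDARD_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
USER_WRITABLE = ("\\users\\", "\\appdata\\", "\\downloads\\", "\\temp\\", "c:\\programdata\\")


@dataclass
class Finding:
    kind: str                 # "Task", "per-user Run", "machine Run", "FirewallRules"
    name: str                 # task path, Run value name or rule GUID
    target: str               # executable path if one was found, else ""
    reasons: List[str] = field(default_factory=list)
    severity: str = "review"  # "review" < "medium" < "high"


def classify_path(path: str) -> List[str]:
    """Why an executable location is worth a second look (empty list = normal)."""
    p = path.lower()
    if any(marker in p for marker in USER_WRITABLE):
        return ["executable lives in a user-writable location"]
    if not p.startswith(STANDARD_ROOTS):
        return ["executable outside Windows/Program Files"]
    return []


def parse_line(line: str) -> Optional[Finding]:
    """Return a Finding for a Task, Run or FirewallRules line that needs attention."""
    line = line.strip()
    if ": " not in line:
        return None
    kind, rest = line.split(": ", 1)
    if kind.endswith("\\Run"):
        scope = "per-user Run" if kind.startswith("HKU\\") else "machine Run"
    elif kind in ("Task", "FirewallRules"):
        scope = kind
    else:
        return None
    if scope == "Task":
        m = re.match(r"\{[^}]+\}\s*-\s*(\S+)", rest)      # "{GUID} - \Task\Path ..."
    else:
        m = re.match(r"\[([^\]]+)\]", rest)               # "[value name]" or "[{GUID}]"
    name = m.group(1) if m else rest
    pm = PATH_RE.search(rest)
    f = Finding(scope, name, pm.group(1) if pm else "")
    if scope == "Task" and "-> No File" in rest:
        # Dangling task: the registration survived but its program is gone.
        f.reasons.append("scheduled task points at a file that no longer exists")
        f.severity = "medium"
    if f.target:
        path_reasons = classify_path(f.target)
        if path_reasons:
            f.reasons.extend(path_reasons)
            f.severity = "high"
            if scope == "FirewallRules" and "(Allow)" in rest:
                f.reasons.append("firewall Allow rule for that executable")
    if scope == "per-user Run" and not f.reasons:
        # Every unwanted program in this thread autostarted from the user's hive.
        f.reasons.append("per-user autostart; confirm the program is wanted")
    return f if f.reasons else None


def triage(log_text: str) -> List[Finding]:
    """Parse every line of an FRST-style log and keep only the findings."""
    return [f for f in (parse_line(l) for l in log_text.splitlines()) if f]


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.kind:13} {f.name}: {'; '.join(f.reasons)}")
```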