
Csrss.exe virus

Queen1628 (13 posts; registered Wednesday December 28, 2016; last seen January 6, 2017) - Last answered on Jan 6, 2017 at 06:05 PM by Ambucias
Hello,

My computer has been acting weird, doing funky stuff on its own! Someone had me check Task Manager and noticed that I have 2 csrss.exe running. I tried running a regedit to locate and remove it, however it keeps coming back as 'finished searching' with no results. I've done it in safe mode too. I've run Spybot several times in regular and safe mode, no luck. I also have McAfee installed. How can I get this virus off my computer? Pls help, I'm a very novice user, pls explain in simple terms :-) Thanks


To help you and prescribe the remedy, I must make a diagnostic and to do so, I require a report.

1. Open this link and download ZHPDiag :
http://www.nicolascoolman.fr/download/zhpdiag/
(Don't be alarmed if the site is in French; it sometimes happens. The tool will take your system language and allow the download. If you get a warning message, ignore it.) Click on the download button.

2. Save the file on your Desktop.

3. Double click on ZHPDiag.exe and follow the installation instructions.

(For Vista, Win 7 and 8 users, right-click to ensure you execute with admin rights)

4. Double click on the shortcut ZHPDiag on your Desktop.

5. Click on scan
Wait for the tool to finish (maybe a long time)

6. Close ZHPDiag.

7. To transmit the report, click on this link :

http://www.tinyupload.com/index.php

8. Search the directory where you installed ZHPDiag (usually C:\desktop\zhpdiag.txt).

9. Copy the url link obtained from tinyupload and paste it here in your reply.

Ambucias
Moderator and Virus/Security Contributor
Queen1628 - Dec 29, 2016 at 09:56 PM
Hi I tried to follow the instructions however, my screen keeps moving up and down too fast and I'm unable to complete the test :-(
Hi

Download Free Malwarebytes here:

http://ccm.net/download/download-105-malwarebytes-anti-malware


Find installer
Look for the mb3-setup.exe file in your Downloads folder (or where you saved it).
Open installer
Double click the file and run the program.
Follow installer instructions
Read the instructions to complete installation.

Use Malwarebytes to scan and delete the virus.

Good luck
Queen1628 - Dec 30, 2016 at 01:55 PM
Hi Ambucias, I was finally able to complete the diagnosis, and upload it to the link above:

http://s000.tinyupload.com/?del_id=75674696328680947905.

Pls let me know if you received it. Thanks
Ambucias (44866 posts; registered Monday February 1, 2010; Moderator; last seen September 24, 2017) - Dec 30, 2016 at 04:25 PM
Thanks, hold on.
Hello Deb,

You live dangerously with your downloads while looking for bargains. Your machine is badly infected with hijackers, adware, spyware and Trojans; altogether there are 97 of them.

You are also seriously compromising your machine as you do not have any antivirus software. An antivirus software is an absolute must if you wish to use internet.

Without an antivirus, you will be here again next week asking for help. If you can't purchase one, I can get you one for free.

There are also 439 superfluous files.

csrss.exe was not your virus.

Here is how we will disinfect your machine.

1. Download ZHPFix here

http://www.nicolascoolman.fr/download/zhpfix/

2. Select and copy all of the following bold lines.

Script ZHPFix
FirewallRaz
EmptyPrefetch
EmptyTemp
EmptyFlash
O4 - HKLM\..\Wow6432Node\Run: [ApnTBMon] C:\Program Files (x86)\AskPartnerNetwork\Toolbar\Updater\TBNotifier.exe (.not file.)
G2 - GCE: Preference [User Data\Default] [nmmhkkegccagdldgiimedpiccmgmieda] __MSG_1847180208764925264__
C2 - CDE: Preference [User Data\Default] [cmaiofennmphjldldcpphcechfnnohja] http://privdog.com/updates/865/dragon/update.xml PrivDog
P2 - EXT: (...) -- C:\Users\Queen Thorpe\AppData\Roaming\Mozilla\Extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}
C:\Users\Queen Thorpe\AppData\Roaming\Mozilla\Firefox\Profiles\x80rf77a.default\smartbar
R0 - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://hp.myway.com/
R5 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = <-loopback>;*.local
O2 - BHO: Search App by Ask BHO [64Bits] - {5245414C-392D-4700-76A7-7A786E7484D7} . (...) -- "C:\Program Files (x86)\AskPartnerNetwork\Toolbar\REAL9-G\Passport.dll" (.not file.)
O3 - Toolbar: 0x4C4145522D39004776A77A786E7484D7 - [HKCU]{5245414C-392D-4700-76A7-7A786E7484D7} . (...) -- C:\Program Files (x86)\AskPartnerNetwork\Toolbar\REAL9-G\Passport.dll (.not file.)
O3 - Toolbar: (no name) - [HKLM]{5245414C-392D-4700-76A7-7A786E7484D7} (.Orphan.) (.not file.)
O42 - Logiciel: QuickTime 7 - (.Apple Inc..) [HKLM][64Bits] -- {FF59BD75-466A-4D5A-AD23-AAD87C5FD44C}
O42 - Logiciel: Search App by Ask - (.APN, LLC.) [HKLM][64Bits] -- {5245414C-392D-4700-76A7-A758B70C2500}
HKLM\SOFTWARE\Wow6432Node\Solid Savings
HKCU\SOFTWARE\AppDataLow\Software\SmartBar
3 - CFD: 10/12/2015 - [] D -- C:\Program Files (x86)\AskPartnerNetwork
3 - CFD: 02/05/2016 - [] D -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\QuickTime
3 - CFD: 27/12/2016 - [] D -- C:\Users\Queen Thorpe\AppData\Roaming\FileOpenerWindows
O61 - LFC: 2016/12/26 18:57:52 A . (.Copyright © 2015.) -- C:\Users\Queen Thorpe\AppData\Roaming\FileOpenerWindows\wfo.exe [72400] {009CE8C65D74ED2966895A28DB6BF87BF3}
O69 - SBI: prefs.js [Queen Thorpe - x80rf77a.default] user_pref("CT3289664.LOCAL_COOKIE_THROTTLE_BASEloopbackhttp://up.autocompleteplus.com/up?q=compound%20subject%20verb%20agreement&[...]
O69 - SBI: prefs.js [Queen Thorpe - x80rf77a.default] user_pref("CT3289664.mam_gk_appState_PriceGong.enc", "b24=");
O69 - SBI: prefs.js [Queen Thorpe - x80rf77a.default] user_pref("CT3289664.mam_gk_appState_WindowShopper.enc", "b24=");
O69 - SBI: prefs.js [Queen Thorpe - x80rf77a.default] user_pref("CT3289664.originalSearchEngine", "Vgrabber v1.9 Customized Web Search");
O69 - SBI: prefs.js [Queen Thorpe - x80rf77a.default] user_pref("CT3289664.originalSearchEngineName", "Vgrabber v1.9 Customized Web Search");
O69 - SBI: prefs.js [Queen Thorpe - x80rf77a.default] user_pref("CT3289664.smartbar.CTID", "CT3289664");
O69 - SBI: prefs.js [Queen Thorpe - x80rf77a.default] user_pref("CT3289664.smartbar.Uninstall", "0");
O69 - SBI: prefs.js [Queen Thorpe - x80rf77a.default] user_pref("CT3289664.smartbar.homepage", "true");
O69 - SBI: prefs.js [Queen Thorpe - x80rf77a.default] user_pref("CT3289664.smartbar.toolbarName", "InternetHelper3.2 ");
O69 - SBI: prefs.js [Queen Thorpe - x80rf77a.default] user_pref("CT3303797.LOCAL_COOKIE_THROTTLE_BASEloopbackhttp://up.autocompleteplus.com/up?q=1%2B800%2Bmattress&l=www.1800mattress.[...]
O69 - SBI: prefs.js [Queen Thorpe - x80rf77a.default] user_pref("CT3303797.mam_gk_appState_PriceGong.enc", "b24=");
O69 - SBI: prefs.js [Queen Thorpe - x80rf77a.default] user_pref("CT3303797.mam_gk_appState_WindowShopper.enc", "b24=");
O69 - SBI: prefs.js [Queen Thorpe - x80rf77a.default] user_pref("CT3303797.serviceLayer_service_toolbarGrouping_activeDownloadUrl", "{\"dataType\":\"string\",\"data\":\"http://Vgrabber[...]
O69 - SBI: prefs.js [Queen Thorpe - x80rf77a.default] user_pref("CT3303797.serviceLayer_service_toolbarGrouping_activeToolbarName", "{\"dataType\":\"string\",\"data\":\"Vgrabber v1.9 \[...]
O69 - SBI: prefs.js [Queen Thorpe - x80rf77a.default] user_pref("CT3303797.smartbar.CTID", "CT3303797");
O69 - SBI: prefs.js [Queen Thorpe - x80rf77a.default] user_pref("CT3303797.smartbar.Uninstall", "0");
O69 - SBI: prefs.js [Queen Thorpe - x80rf77a.default] user_pref("CT3303797.smartbar.homepage", "true");
O69 - SBI: prefs.js [Queen Thorpe - x80rf77a.default] user_pref("CT3303797.smartbar.isHidden", false);
O69 - SBI: prefs.js [Queen Thorpe - x80rf77a.default] user_pref("CT3303797.smartbar.toolbarName", "Vgrabber v1.9 ");
O69 - SBI: prefs.js [Queen Thorpe - x80rf77a.default] user_pref("Smartbar.SearchFromAddressBarSavedUrl", "");
O69 - SBI: prefs.js [Queen Thorpe - x80rf77a.default] user_pref("Smartbar.TBHomepagesList", "");
O69 - SBI: prefs.js [Queen Thorpe - x80rf77a.default] user_pref("Smartbar.TBSearchEngineList", "");
O69 - SBI: prefs.js [Queen Thorpe - x80rf77a.default] user_pref("Smartbar.TBSearchUrlList", "");
O69 - SBI: prefs.js [Queen Thorpe - x80rf77a.default] user_pref("Smartbar.keywordURLSelectedCTID", "CT3289664");
O69 - SBI: prefs.js [Queen Thorpe - x80rf77a.default] user_pref("iminent.version", "7.33.3.1");
O69 - SBI: prefs.js [Queen Thorpe - x80rf77a.default] user_pref("iminent.versioning", "{\"CurrentVersion\":\"7.33.3.1\",\"InstallEventCTime\":1377619097602,\"InstallEvent\":\"True\"}")[...]
O69 - SBI: prefs.js [Queen Thorpe - x80rf77a.default] user_pref("keyword.URL", "http://trovi.com/ResultsExt.aspx?ctid=CT3289664&SearchSource=2&CUI=UN28677475992940717&UM=2&q=");
O69 - SBI: prefs.js [Queen Thorpe - x80rf77a.default] user_pref("plugin.blocklisted.npviewpoint", true);
O69 - SBI: prefs.js [Queen Thorpe - x80rf77a.default] user_pref("smartbar.addressBarOwnerCTID", "CT3289664");
O69 - SBI: prefs.js [Queen Thorpe - x80rf77a.default] user_pref("smartbar.defaultSearchOwnerCTID", "CT3289664");
O69 - SBI: prefs.js [Queen Thorpe - x80rf77a.default] user_pref("smartbar.homePageOwnerCTID", "CT3303797");
O69 - SBI: prefs.js [Queen Thorpe - x80rf77a.default] user_pref("smartbar.machineId", "74E2M6FB6I3FDGKIVM+7OVSAD2JV+C7GLUAW+ATO3EUYIHNBEM/JU4OPU9VWOKKBDWZ74HPXHG7EBU+B398ACW");
O90 - PUC: "C4145425D2930074677A7A857BC05200" . (.Search App by Ask.) -- C:\Windows\Installer\{5245414C-392D-4700-76A7-A758B70C2500}\ToolbarIcon.exe
[MD5.] [WIS][2015/11/30 03:06:45] (.APN, LLC - Ask.com ® - Install Builder.) -- C:\Windows\Installer\185276ea.msi [34080]
HKLM\SOFTWARE\Microsoft\Tracing\BackupStack_RASAPI32
HKLM\SOFTWARE\Microsoft\Tracing\BackupStack_RASMANCS
HKLM\SOFTWARE\Microsoft\Tracing\SevereWeatherAlerts_RASAPI32
HKLM\SOFTWARE\Microsoft\Tracing\SevereWeatherAlerts_RASMANCS
HKLM\SOFTWARE\Microsoft\Tracing\updateWebConnect_RASAPI32
HKLM\SOFTWARE\Microsoft\Tracing\updateWebConnect_RASMANCS
HKLM\SOFTWARE\Wow6432Node\Microsoft\Tracing\Iminent_RASAPI32
HKLM\SOFTWARE\Wow6432Node\Microsoft\Tracing\Iminent_RASMANCS
HKLM\SOFTWARE\Wow6432Node\Microsoft\Tracing\SevereWeatherAlertsApp_RASAPI32
HKLM\SOFTWARE\Wow6432Node\Microsoft\Tracing\SevereWeatherAlertsApp_RASMANCS
HKLM\SOFTWARE\Wow6432Node\Microsoft\Tracing\WajamInternetEnhancer_RASAPI32
HKLM\SOFTWARE\Wow6432Node\Microsoft\Tracing\WajamInternetEnhancer_RASMANCS
C:\Users\Queen Thorpe\AppData\Local\Comodo\Dragon\User Data\Default\Extensions\cmaiofennmphjldldcpphcechfnnohja
C:\Users\Queen Thorpe\AppData\Roaming\Mozilla\Extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5245414C-392D-4700-76A7-7A786E7484D7}
HKLM\Software\Classes\CLSID\{5245414C-392D-4700-76A7-7A786E7484D7}
HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{5245414C-392D-4700-76A7-7A786E7484D7}
HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{5245414C-392D-4700-76A7-7A786E7484D7}
[HKCU\SOFTWARE\Microsoft\Internet Explorer\Toolbar\WebBrowser]:{5245414C-392D-4700-76A7-7A786E7484D7}
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar]:{5245414C-392D-4700-76A7-7A786E7484D7}
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{5245414C-392D-4700-76A7-A758B70C2500}
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{FF59BD75-466A-4D5A-AD23-AAD87C5FD44C}
HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{5245414C-392D-4700-76A7-A758B70C2500}
HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{FF59BD75-466A-4D5A-AD23-AAD87C5FD44C}
C:\Program Files (x86)\AskPartnerNetwork
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\QuickTime
C:\Users\Queen Thorpe\AppData\Roaming\FileOpenerWindows
C:\Users\Queen Thorpe\AppData\Roaming\FileOpenerWindows\wfo.exe
C:\Windows\Installer\{5245414C-392D-4700-76A7-A758B70C2500}\ToolbarIcon.exe
HKLM\Software\Classes\Installer\Products\C4145425D2930074677A7A857BC05200
HKLM\Software\Classes\Installer\Features\C4145425D2930074677A7A857BC05200
C:\Windows\Installer\185276ea.msi
HKLM64\SOFTWARE\Microsoft\Tracing\BackupStack_RASAPI32
HKLM64\SOFTWARE\Microsoft\Tracing\BackupStack_RASMANCS
HKLM64\SOFTWARE\Microsoft\Tracing\SevereWeatherAlerts_RASAPI32
HKLM64\SOFTWARE\Microsoft\Tracing\SevereWeatherAlerts_RASMANCS
HKLM64\SOFTWARE\Microsoft\Tracing\updateWebConnect_RASAPI32
HKLM64\SOFTWARE\Microsoft\Tracing\updateWebConnect_RASMANCS
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID\{977AE9CC-AF83-45E8-9E03-E2798216E2D5}


3. Close all applications and open ZHP Fix

4. Click on the Import button and the lines will automatically paste themselves.

5. Click on the Go button to clean

6. Confirm by clicking OK

7. ZHP Fix will ask if you wish to empty the bin, click on your choice...it may take time

8. A report will appear on your desktop and on C:\ZHP\ZHPFix[R1].txt which you can copy and paste in your reply.

Good luck and let me know

Best regards
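
Two csrss.exe processes are normal on Windows Vista and later (one per logon session), which is consistent with the finding above that csrss.exe was not the infection. The PowerShell check below is an added example, not part of the original thread or of any tool it mentions; it assumes the genuine binary is %SystemRoot%\System32\csrss.exe carrying a Microsoft signature and that it is run from an elevated prompt.

```powershell
# Added example (not from the thread): triage every running csrss.exe.
# Assumptions: the genuine binary is %SystemRoot%\System32\csrss.exe and is
# signed by Microsoft; run this from an elevated PowerShell prompt.
$expected = Join-Path $env:SystemRoot 'System32\csrss.exe'

$report = foreach ($proc in Get-CimInstance Win32_Process -Filter "Name = 'csrss.exe'") {
    $path    = $proc.ExecutablePath
    $signer  = $null
    $verdict = $null

    if ([string]::IsNullOrEmpty($path)) {
        # csrss.exe is a protected system process; without elevation the
        # image path is not disclosed, so no conclusion can be drawn.
        $verdict = 'UNKNOWN: path hidden, rerun elevated'
    }
    elseif ($path -ne $expected) {
        # -ne compares strings case-insensitively, so "system32" still matches.
        # A same-named file anywhere else is the classic masquerading case.
        $verdict = 'SUSPICIOUS: not running from System32'
    }
    else {
        $sig = Get-AuthenticodeSignature -FilePath $path
        if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }

        if ($sig.Status -eq 'Valid' -and $signer -match 'O=Microsoft Corporation') {
            $verdict = 'OK'
        }
        else {
            # Older PowerShell versions may report catalog-signed system files
            # as NotSigned, so this outcome calls for a manual check, not panic.
            $verdict = "REVIEW: signature status $($sig.Status)"
        }
    }

    [pscustomobject]@{
        ProcessId = $proc.ProcessId
        Session   = $proc.SessionId
        Path      = $path
        Signer    = $signer
        Verdict   = $verdict
    }
}

$report | Sort-Object Session | Format-Table -AutoSize -Wrap
```

On a healthy machine every row reads OK, typically one for session 0 and one for the interactive session.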
Queen1628 - Dec 30, 2016 at 06:07 PM
Hi Ambucias, I have McAfee... I'm confused now... let me run the check that you said
Ambucias - Dec 30, 2016 at 06:30 PM
Deb, sorry, I overlooked, you have McAfee, I have the same. But you also have AVG and Spybot. You should have only one antivirus software, otherwise they come into conflict, create false positives or let viruses through. Just stick with McAfee.
Ambucias - Dec 30, 2016 at 06:33 PM
None of your antivirus software is active !!!!
Ambucias - Dec 30, 2016 at 06:43 PM
I must soon log out and may not be able to continue with you till tomorrow at 5am New Year's Eve, eastern standard time.

After ZHP Fix, restart your computer. After you have restarted, I will require a new ZHP Diag report. So please, generate a new report and upload it on tinyupload. McAfee has been disabled; we must get it going again.

Cheers
Ok that makes sense. I only downloaded spybot to see if I could clean out the computer. I'll remove once the program is finished running. Should I also remove the malware as well?
Queen1628 - Dec 30, 2016 at 07:16 PM
Hi Ambucias, here is the path to the report from ZHP Fix: http://s000.tinyupload.com/?del_id=92479594161799083170 ... I'll run the diag and send soon. Thank you so much for your help and wishing you a great night.
Queen1628 - Dec 30, 2016 at 07:48 PM
Hi Ambucias, here is the path to the diag:

http://s000.tinyupload.com/?del_id=81317352523846788425
Hi Deb

There are 30 malware that remain.

Your antivirus is still deactivated.

Please download and run ZHP Cleaner

https://www.nicolascoolman.com/fr/download/zhpcleaner/

Click on scan, then on clean and produce a report to be pasted here.

Open your McAfee and tell me if it says that your computer is secured.

Catch you later
Queen1628 - Jan 2, 2017 at 12:16 PM
Hi Ambucias, Happy New Year, I cleaned the computer, but when I tried to respond to you via the computer, I couldn't. There's still something that's controlling the computer. The screen kept going up and down really fast. :-(
Hi Deb

I have three more things for you to do, but you must not omit any one.

First

Go to your control panel, add/uninstall programs. Search for QuickTimePlayer and uninstall it.

Second

Copy the following bold lines:

Script ZHPFix
FirewallRaz
EmptyPrefetch
EmptyTemp
EmptyFlash
O4 - GS\CommonDesktop [Public]: QuickTime Player.lnk . (...) C:\Program Files (x86)\QuickTime\QuickTimePlayer.exe
O69 - SBI: prefs.js [Queen Thorpe - x80rf77a.default] user_pref("CT3289664.LOCAL_COOKIE_THROTTLE_BASEloopbackhttp://up.autocompleteplus.com/up?q=compound%20subject%20verb%20agreement&[...]
O69 - SBI: prefs.js [Queen Thorpe - x80rf77a.default] user_pref("CT3303797.LOCAL_COOKIE_THROTTLE_BASEloopbackhttp://up.autocompleteplus.com/up?q=1%2B800%2Bmattress&l=www.1800mattress.[...]
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID\{977AE9CC-AF83-45E8-9E03-E2798216E2D5}


Open ZHP Fix, close all other programs including this one, click on Import and clean as you did the first time.

Third and extremely important

Open your McAfee antivirus programme, tell me if it says that your computer is protected.

Good luck
Queen1628 - Jan 4, 2017 at 03:15 PM
Hi Ambucias, when I searched for QuickTimePlayer, it says that it cannot find... I also did a line by line check and cannot locate.. could it be under a different name?
Okay, go to the second phase and QuickPlayer.exe should get deleted.

Don't forget step three.
Queen1628 - Jan 5, 2017 at 07:06 PM
Hi Ambucias: path to report: http://s000.tinyupload.com/?file_id=90218358427889129335

McAfee Total Protection: Virus and Spyware Protection: on
Web and Email protect: on
McAfee Updates: current
subscription: active
Hi Deb

Using Explorer (not internet explorer but Windows file explorer) please find this file:

C:\Program Files (x86)\QuickTime\QuickTimePlayer.exe

Once you have found it, please delete it.

Does your McAfee icon appear in your task bar, right bottom corner of your screen?

How is your machine performing ?
Queen1628 - Jan 6, 2017 at 03:50 PM
path to new diag: http://s000.tinyupload.com/?file_id=03957778325916113326

McAfee: is appearing on task bar. Is active and on, and so far, appears to be good!
Queen1628 - Jan 6, 2017 at 03:52 PM
Yikes, looks like I prematurely assessed! Screen still moving on its own!
Ambucias - Jan 6, 2017 at 05:01 PM
Hold on Deb I am working on it.
Deb,

The log you recently sent indicates that you do not have any antivirus nor a firewall.

In your system, not your own but your computer's, there are remnants of AVG, Norton and Spybot. There is a Norton Toolbar which may cause the flickering.

One

We will do a ZHP Fix again.

These are the lines:

Script ZHPFix
FirewallRaz
EmptyPrefetch
EmptyTemp
EmptyFlash
O69 - SBI: prefs.js [Queen Thorpe - x80rf77a.default] user_pref("CT3289664.LOCAL_COOKIE_THROTTLE_BASEloopbackhttp://up.autocompleteplus.com/up?q=compound%20subject%20verb%20agreement&[...]
O69 - SBI: prefs.js [Queen Thorpe - x80rf77a.default] user_pref("CT3303797.LOCAL_COOKIE_THROTTLE_BASEloopbackhttp://up.autocompleteplus.com/up?q=1%2B800%2Bmattress&l=www.1800mattress.[...]
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID\{977AE9CC-AF83-45E8-9E03-E2798216E2D5}
O3 - Toolbar: 0xB1C218236549D4119B18009027A5CD4F - [HKCU]{2318C2B1-4965-11D4-9B18-009027A5CD4F} . (...) -- (.not file.)
O3 - Toolbar: Norton Toolbar - [HKLM]{7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} . (...) -- (.not file.)
HKCU\SOFTWARE\ASKDefaultSearch
O23 - Service: TightVNC Server (tvnserver) . (...) - C:\Program Files (x86)\ShowMyPCService\tvnserver.exe (.not file.)
[MD5.00000000000000000000000000000000] [APT] [AVG-Secure-Search-Update_0214b_rel] (...) -- C:\Program Files (x86)\AVG SafeGuard toolbar\AVG-Secure-Search-Update_0214b.exe (.not file.) [0] (.Activate.) =>.Superfluous.Empty
[MD5.00000000000000000000000000000000] [APT] [AVG-Secure-Search-Update_0214b_rmv] (...) -- C:\Program Files (x86)\AVG SafeGuard toolbar\AVG-Secure-Search-Update_0214b.exe (.not file.) [0] (.Activate.) =>.Superfluous.Empty
[MD5.00000000000000000000000000000000] [APT] [Lenovo\SimpleTap\Start SimpleTap for QueenThorpe.Queen Thorpe] (...) -- C:\Program Files\Lenovo\SimpleTap\SimpleTap.exe (.not file.) [0] (.Activate.) =>.Superfluous.Empty
O39 - APT: AVG-Secure-Search-Update_0214b_rel - (...) -- C:\Windows\Tasks\AVG-Secure-Search-Update_0214b_rel.job [372] (.Orphan.) =>.Superfluous.Orphan
O39 - APT: AVG-Secure-Search-Update_0214b_rmv - (...) -- C:\Windows\Tasks\AVG-Secure-Search-Update_0214b_rmv.job [374] (.Orphan.) =>.Superfluous.Orphan
O39 - APT: AVG-Secure-Search-Update_0214b_rel - (...) -- C:\Windows\System32\Tasks\AVG-Secure-Search-Update_0214b_rel [2666] (.Orphan.) =>.Superfluous.Orphan
O39 - APT: AVG-Secure-Search-Update_0214b_rmv - (...) -- C:\Windows\System32\Tasks\AVG-Secure-Search-Update_0214b_rmv [2668] (.Orphan.) =>.Superfluous.Orphan
O4 - HKLM\..\Wow6432Node\Run: [CouponXplorer Search Scope Monitor] C:\PROGRA~2\COUPON~2\bar\1.bin\5zsrchmn.exe (.not file.)
O4 - HKLM\..\Wow6432Node\Run: [CouponXplorer_5z Browser Plugin Loader] C:\PROGRA~2\COUPON~2\bar\1.bin\5zbrmon.exe (.not file.)
O4 - HKLM\..\Wow6432Node\Run: [Price Finder] . (.MindSpark Interactive Network - Price Finder Helper.) -- C:\Program Files (x86)\Price Finder\PriceFinderHelper.exe {35A3F5CD3C5AFA643D822A93B2E89076}
P2 - EXT: (.ClientConnect Ltd. - InternetHelper3.2 .) -- C:\Users\Queen Thorpe\AppData\Roaming\Mozilla\Firefox\Profiles\x80rf77a.default\extensions\{4f223aef-c5be-479c-9070-c89015ff8348}
O34 - HKLM BootExecute: (sdnclean64.exe)
O43 - CFD: 03/09/2013 - [0] D -- C:\ProgramData\xfinity
O43 - CFD: 02/01/2017 - [0] D -- C:\Users\Queen Thorpe\AppData\Local\CrashRpt
O68 - StartMenuInternet: <aolfile_HTM> <AOL>[HKLM\..\InstallInfo\ShowIconsCommand] (...) -- C:\PROGRA~2\AOLDES~1.7\aol.exe (.not file.)
O68 - StartMenuInternet: <aolfile_HTM> <AOL>[HKLM\..\InstallInfo\ReinstallCommand] (...) -- C:\PROGRA~2\AOLDES~1.7\aol.exe (.not file.)
O68 - StartMenuInternet: <aolfile_HTM> <AOL>[HKLM\..\InstallInfo\HideIconsCommand] (...) -- C:\PROGRA~2\AOLDES~1.7\aol.exe (.not file.)
[MD5.] [WIS][2016/12/30 13:22:39] (.Slimware Utilities Holdings, Inc. - Windows Installer XML Toolset (3.9.1006.0).) -- C:\Windows\Installer\66137.msi [34080]
C:\Program Files (x86)\Price Finder\PriceFinderHelper.exe
C:\Users\Queen Thorpe\AppData\Roaming\Mozilla\Firefox\Profiles\x80rf77a.default\extensions\{4f223aef-c5be-479c-9070-c89015ff8348}
C:\Users\Queen Thorpe\AppData\Local\CrashRpt
C:\Windows\Installer\66137.msi

Two (VBS script can't be found)

This has to do with McAfee, to fix it:

Click on the start button, type cmd. In the search result right-click on cmd and select Run as administrator.
Type cd %windir%\system32 and press enter.
Type regsvr32 vbscript.dll in command prompt and press enter.

Three

Download and run this Malwarebytes cleaning software

http://ccm.net/download/download-105-malwarebytes-anti-malware

Four

Another ZHP Diag report.

You have your work cut out.

Cheers and have fun

P.S. Bizarre, you got a very bad virus file connected from this site: www.1800mattress, which is difficult to remove