Csrss.exe virus

Closed
Queen1628 Posts 13 Registration date Wednesday December 28, 2016 Status Member Last seen January 6, 2017 - Dec 28, 2016 at 08:52 PM
Ambucias Posts 47357 Registration date Monday February 1, 2010 Status Moderator Last seen February 15, 2023 - Jan 6, 2017 at 06:05 PM
Hello,

My computer has been acting weird, doing funky stuff on its own! Someone had me checked task manager and told noticed that I have 2 csrss.exe running.i tried running a regedit to locate and remove, however it keeps coming back as 'finished searching' with no results. I've done it in safe mode too. I've ran spybot several times in regular and safe mode, no luck. I also have macfee installed. How can I get this virus off my computer? Pls help, I'm a very novice user, pls explain in simple terms :-) Thanks


9 responses

Ambucias Posts 47357 Registration date Monday February 1, 2010 Status Moderator Last seen February 15, 2023 11,177
Dec 29, 2016 at 05:07 AM
To help you and prescribe the remedy, I must make a diagnostic and to do so, I require a report.

1. Open this link and download ZHPDiag :
https://nicolascoolman.eu
(Don't be alarmed is the site is in French, it sometimes happens, the tool will take your system language and allow the download if you get a warning message, ignore it.) Click on the download button

2. Save the file on your Desktop.

3. Double click on ZHPDiag.exe and follow the installation instructions.

(For Vista, Win 7 and 8 users, click right to ensure you execute with admin right)

4. Double click on the short cut ZHPDiag on your Destktop.

5 Click on scan
Wait for the tool to finished (maybe a long time)

6. Close ZHPDiag.

7. To transmit the report, click on this link :

http://www.tinyupload.com/index.php

8. Search the directory where you installed ZHPDiag (usually C:\desktop\zhpdiag.txt).

9. Copy the url link obtained from tinyupload and paste it here in your reply.

Ambucias
Moderator and Virus/Security Contributor
0
Queen1628 Posts 13 Registration date Wednesday December 28, 2016 Status Member Last seen January 6, 2017
Dec 29, 2016 at 09:56 PM
Hi I tried to follow the instructions however, my screen keeps moving up and down too fast and I'm unable to complete the test :-(
0
Ambucias Posts 47357 Registration date Monday February 1, 2010 Status Moderator Last seen February 15, 2023 11,177
Dec 30, 2016 at 05:04 AM
Hi

Download Free Malwarebyte here:

https://ccm.net/downloads/security-and-maintenance/4621-malwarebytes-anti-malware/


Find installer
Look for the mb3-setup.exe file in your Downloads folder (or where you saved it).
Open installer
Double click the file and run the program.
Follow installer instructions
Read the instructions to complete installation.

Use Malwarebyte to scan and delete the virus.

Good luck
0
Queen1628 Posts 13 Registration date Wednesday December 28, 2016 Status Member Last seen January 6, 2017
Updated by Queen1628 on 30/12/16 at 01:59 PM
Hi Ambucias, I was finally able to complete the diagnosis, and upload to to the link above:

http://s000.tinyupload.com/?del_id=75674696328680947905

Pls let me know if you received it. Thanks
0
Ambucias Posts 47357 Registration date Monday February 1, 2010 Status Moderator Last seen February 15, 2023 11,177 > Queen1628 Posts 13 Registration date Wednesday December 28, 2016 Status Member Last seen January 6, 2017
Dec 30, 2016 at 04:25 PM
Thanks hold on.
0
Ambucias Posts 47357 Registration date Monday February 1, 2010 Status Moderator Last seen February 15, 2023 11,177
Dec 30, 2016 at 04:59 PM
Hello Deb,

You live dangerously with your downloads while looking for bargains. Your machine is badly infected with hijackers, adware, spyware and Trojans, altogether there 97 of them.

You are also seriously compromising your machine as you do not have any antivirus software. An antivirus software is an absolute must if you wish to use internet.

Without an antivirus, you will be here again next week asking for help. If you can't purchase one, I can get you one for free.

There are also there are 439 superfluous files.

csrss.exe was not your virus.

Here is how we will disinfect your machine.

1. Download ZHPFix here

https://nicolascoolman.eu

2. Select and copy all of the following bold lines.

Script ZHPFix
FirewallRaz
EmptyPrefetch
EmptyTemp
EmptyFlash
O4 - HKLM\..\Wow6432Node\Run: [ApnTBMon] C:\Program Files (x86)\AskPartnerNetwork\Toolbar\Updater\TBNotifier.exe (.not file.)
G2 - GCE: Preference [User Data\Default] [nmmhkkegccagdldgiimedpiccmgmieda] __MSG_1847180208764925264__
C2 - CDE: Preference [User Data\Default] [cmaiofennmphjldldcpphcechfnnohja] http://privdog.com/updates/865/dragon/update.xml PrivDog
P2 - EXT: (...) -- C:\Users\Queen Thorpe\AppData\Roaming\Mozilla\Extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}
C:\Users\Queen Thorpe\AppData\Roaming\Mozilla\Firefox\Profiles\x80rf77a.default\smartbar
R0 - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://hp.myway.com/
R5 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = <-loopback>;*.local
O2 - BHO: Search App by Ask BHO [64Bits] - {5245414C-392D-4700-76A7-7A786E7484D7} . (...) -- "C:\Program Files (x86)\AskPartnerNetwork\Toolbar\REAL9-G\Passport.dll" (.not file.)
O3 - Toolbar: 0x4C4145522D39004776A77A786E7484D7 - [HKCU]{5245414C-392D-4700-76A7-7A786E7484D7} . (...) -- C:\Program Files (x86)\AskPartnerNetwork\Toolbar\REAL9-G\Passport.dll (.not file.)
O3 - Toolbar: (no name) - [HKLM]{5245414C-392D-4700-76A7-7A786E7484D7} (.Orphan.) (.not file.)
O42 - Logiciel: QuickTime 7 - (.Apple Inc..) [HKLM][64Bits] -- {FF59BD75-466A-4D5A-AD23-AAD87C5FD44C}
O42 - Logiciel: Search App by Ask - (.APN, LLC.) [HKLM][64Bits] -- {5245414C-392D-4700-76A7-A758B70C2500}
HKLM\SOFTWARE\Wow6432Node\Solid Savings
HKCU\SOFTWARE\AppDataLow\Software\SmartBar
3 - CFD: 10/12/2015 - [] D -- C:\Program Files (x86)\AskPartnerNetwork
3 - CFD: 02/05/2016 - [] D -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\QuickTime
3 - CFD: 27/12/2016 - [] D -- C:\Users\Queen Thorpe\AppData\Roaming\FileOpenerWindows
O61 - LFC: 2016/12/26 18:57:52 A . (.Copyright © 2015.) -- C:\Users\Queen Thorpe\AppData\Roaming\FileOpenerWindows\wfo.exe [72400] {009CE8C65D74ED2966895A28DB6BF87BF3}
O69 - SBI: prefs.js [Queen Thorpe - x80rf77a.default] user_pref("CT3289664.LOCAL_COOKIE_THROTTLE_BASEloopbackhttp://up.autocompleteplus.com/up?q=compound%20subject%20verb%20agreement&[...]
O69 - SBI: prefs.js [Queen Thorpe - x80rf77a.default] user_pref("CT3289664.mam_gk_appState_PriceGong.enc", "b24=");
O69 - SBI: prefs.js [Queen Thorpe - x80rf77a.default] user_pref("CT3289664.mam_gk_appState_WindowShopper.enc", "b24=");
O69 - SBI: prefs.js [Queen Thorpe - x80rf77a.default] user_pref("CT3289664.originalSearchEngine", "Vgrabber v1.9 Customized Web Search");
O69 - SBI: prefs.js [Queen Thorpe - x80rf77a.default] user_pref("CT3289664.originalSearchEngineName", "Vgrabber v1.9 Customized Web Search");
O69 - SBI: prefs.js [Queen Thorpe - x80rf77a.default] user_pref("CT3289664.smartbar.CTID", "CT3289664");
O69 - SBI: prefs.js [Queen Thorpe - x80rf77a.default] user_pref("CT3289664.smartbar.Uninstall", "0");
O69 - SBI: prefs.js [Queen Thorpe - x80rf77a.default] user_pref("CT3289664.smartbar.homepage", "true");
O69 - SBI: prefs.js [Queen Thorpe - x80rf77a.default] user_pref("CT3289664.smartbar.toolbarName", "InternetHelper3.2 ");
O69 - SBI: prefs.js [Queen Thorpe - x80rf77a.default] user_pref("CT3303797.LOCAL_COOKIE_THROTTLE_BASEloopbackhttp://up.autocompleteplus.com/up?q=1%2B800%2Bmattress&l=www.1800mattress.[...]
O69 - SBI: prefs.js [Queen Thorpe - x80rf77a.default] user_pref("CT3303797.mam_gk_appState_PriceGong.enc", "b24=");
O69 - SBI: prefs.js [Queen Thorpe - x80rf77a.default] user_pref("CT3303797.mam_gk_appState_WindowShopper.enc", "b24=");
O69 - SBI: prefs.js [Queen Thorpe - x80rf77a.default] user_pref("CT3303797.serviceLayer_service_toolbarGrouping_activeDownloadUrl", "{\"dataType\":\"string\",\"data\":\"http://Vgrabber[...]
O69 - SBI: prefs.js [Queen Thorpe - x80rf77a.default] user_pref("CT3303797.serviceLayer_service_toolbarGrouping_activeToolbarName", "{\"dataType\":\"string\",\"data\":\"Vgrabber v1.9 \[...]
O69 - SBI: prefs.js [Queen Thorpe - x80rf77a.default] user_pref("CT3303797.smartbar.CTID", "CT3303797");
O69 - SBI: prefs.js [Queen Thorpe - x80rf77a.default] user_pref("CT3303797.smartbar.Uninstall", "0");
O69 - SBI: prefs.js [Queen Thorpe - x80rf77a.default] user_pref("CT3303797.smartbar.homepage", "true");
O69 - SBI: prefs.js [Queen Thorpe - x80rf77a.default] user_pref("CT3303797.smartbar.isHidden", false);
O69 - SBI: prefs.js [Queen Thorpe - x80rf77a.default] user_pref("CT3303797.smartbar.toolbarName", "Vgrabber v1.9 ");
O69 - SBI: prefs.js [Queen Thorpe - x80rf77a.default] user_pref("Smartbar.SearchFromAddressBarSavedUrl", "");
O69 - SBI: prefs.js [Queen Thorpe - x80rf77a.default] user_pref("Smartbar.TBHomepagesList", "");
O69 - SBI: prefs.js [Queen Thorpe - x80rf77a.default] user_pref("Smartbar.TBSearchEngineList", "");
O69 - SBI: prefs.js [Queen Thorpe - x80rf77a.default] user_pref("Smartbar.TBSearchUrlList", "");
O69 - SBI: prefs.js [Queen Thorpe - x80rf77a.default] user_pref("Smartbar.keywordURLSelectedCTID", "CT3289664");
O69 - SBI: prefs.js [Queen Thorpe - x80rf77a.default] user_pref("iminent.version", "7.33.3.1");
O69 - SBI: prefs.js [Queen Thorpe - x80rf77a.default] user_pref("iminent.versioning", "{\"CurrentVersion\":\"7.33.3.1\",\"InstallEventCTime\":1377619097602,\"InstallEvent\":\"True\"}")[...]
O69 - SBI: prefs.js [Queen Thorpe - x80rf77a.default] user_pref("keyword.URL", "http://trovi.com/ResultsExt.aspx?ctid=CT3289664&SearchSource=2&CUI=UN28677475992940717&UM=2&q=");
O69 - SBI: prefs.js [Queen Thorpe - x80rf77a.default] user_pref("plugin.blocklisted.npviewpoint", true);
O69 - SBI: prefs.js [Queen Thorpe - x80rf77a.default] user_pref("smartbar.addressBarOwnerCTID", "CT3289664");
O69 - SBI: prefs.js [Queen Thorpe - x80rf77a.default] user_pref("smartbar.defaultSearchOwnerCTID", "CT3289664");
O69 - SBI: prefs.js [Queen Thorpe - x80rf77a.default] user_pref("smartbar.homePageOwnerCTID", "CT3303797");
O69 - SBI: prefs.js [Queen Thorpe - x80rf77a.default] user_pref("smartbar.machineId", "74E2M6FB6I3FDGKIVM+7OVSAD2JV+C7GLUAW+ATO3EUYIHNBEM/JU4OPU9VWOKKBDWZ74HPXHG7EBU+B398ACW");
O90 - PUC: "C4145425D2930074677A7A857BC05200" . (.Search App by Ask.) -- C:\Windows\Installer\{5245414C-392D-4700-76A7-A758B70C2500}\ToolbarIcon.exe
[MD5.] [WIS][2015/11/30 03:06:45] (.APN, LLC - Ask.com ® - Install Builder.) -- C:\Windows\Installer\185276ea.msi [34080]
HKLM\SOFTWARE\Microsoft\Tracing\BackupStack_RASAPI32
HKLM\SOFTWARE\Microsoft\Tracing\BackupStack_RASMANCS
HKLM\SOFTWARE\Microsoft\Tracing\SevereWeatherAlerts_RASAPI32
HKLM\SOFTWARE\Microsoft\Tracing\SevereWeatherAlerts_RASMANCS
HKLM\SOFTWARE\Microsoft\Tracing\updateWebConnect_RASAPI32
HKLM\SOFTWARE\Microsoft\Tracing\updateWebConnect_RASMANCS
HKLM\SOFTWARE\Wow6432Node\Microsoft\Tracing\Iminent_RASAPI32
HKLM\SOFTWARE\Wow6432Node\Microsoft\Tracing\Iminent_RASMANCS
HKLM\SOFTWARE\Wow6432Node\Microsoft\Tracing\SevereWeatherAlertsApp_RASAPI32
HKLM\SOFTWARE\Wow6432Node\Microsoft\Tracing\SevereWeatherAlertsApp_RASMANCS
HKLM\SOFTWARE\Wow6432Node\Microsoft\Tracing\WajamInternetEnhancer_RASAPI32
HKLM\SOFTWARE\Wow6432Node\Microsoft\Tracing\WajamInternetEnhancer_RASMANCS
C:\Users\Queen Thorpe\AppData\Local\Comodo\Dragon\User Data\Default\Extensions\cmaiofennmphjldldcpphcechfnnohja
C:\Users\Queen Thorpe\AppData\Roaming\Mozilla\Extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5245414C-392D-4700-76A7-7A786E7484D7}
HKLM\Software\Classes\CLSID\{5245414C-392D-4700-76A7-7A786E7484D7}
HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{5245414C-392D-4700-76A7-7A786E7484D7}
HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{5245414C-392D-4700-76A7-7A786E7484D7}
[HKCU\SOFTWARE\Microsoft\Internet Explorer\Toolbar\WebBrowser]:{5245414C-392D-4700-76A7-7A786E7484D7}
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar]:{5245414C-392D-4700-76A7-7A786E7484D7}
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{5245414C-392D-4700-76A7-A758B70C2500}
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{FF59BD75-466A-4D5A-AD23-AAD87C5FD44C}
HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{5245414C-392D-4700-76A7-A758B70C2500}
HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{FF59BD75-466A-4D5A-AD23-AAD87C5FD44C}
C:\Program Files (x86)\AskPartnerNetwork
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\QuickTime
C:\Users\Queen Thorpe\AppData\Roaming\FileOpenerWindows
C:\Users\Queen Thorpe\AppData\Roaming\FileOpenerWindows\wfo.exe
C:\Windows\Installer\{5245414C-392D-4700-76A7-A758B70C2500}\ToolbarIcon.exe
HKLM\Software\Classes\Installer\Products\C4145425D2930074677A7A857BC05200
HKLM\Software\Classes\Installer\Features\C4145425D2930074677A7A857BC05200
C:\Windows\Installer\185276ea.msi
HKLM64\SOFTWARE\Microsoft\Tracing\BackupStack_RASAPI32
HKLM64\SOFTWARE\Microsoft\Tracing\BackupStack_RASMANCS
HKLM64\SOFTWARE\Microsoft\Tracing\SevereWeatherAlerts_RASAPI32
HKLM64\SOFTWARE\Microsoft\Tracing\SevereWeatherAlerts_RASMANCS
HKLM64\SOFTWARE\Microsoft\Tracing\updateWebConnect_RASAPI32
HKLM64\SOFTWARE\Microsoft\Tracing\updateWebConnect_RASMANCS
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID\{977AE9CC-AF83-45E8-9E03-E2798216E2D5}


3 Close all applications and open ZHP Fix

4. Click on the Import button and the lines will automatically paste themselves.

5. Click on the Go button to clean

6. Confirm by clicking OK

7. ZHP Fix will ask if you wish to empty the bin, click on your choice...it may take time

8. A report will appear on your desktop and on C:\ZHP\ZHPFix[R1].txt which you can copy and paste in your reply.

Good luck and let me know

Best regards
0
Queen1628 Posts 13 Registration date Wednesday December 28, 2016 Status Member Last seen January 6, 2017
Dec 30, 2016 at 06:07 PM
Hi Ambucias, I have Macafee... I'm confused now... let me run the check that you said
0
Ambucias Posts 47357 Registration date Monday February 1, 2010 Status Moderator Last seen February 15, 2023 11,177 > Queen1628 Posts 13 Registration date Wednesday December 28, 2016 Status Member Last seen January 6, 2017
Dec 30, 2016 at 06:30 PM
Deb, sorry, I over looked, you have Mcafee, I have the same. But you also have AVG and Spybot, You should have only one antivirus software otherwise they come in conflict, create false positive or let viruses through. Just stick with McAfee.
0
Ambucias Posts 47357 Registration date Monday February 1, 2010 Status Moderator Last seen February 15, 2023 11,177 > Ambucias Posts 47357 Registration date Monday February 1, 2010 Status Moderator Last seen February 15, 2023
Dec 30, 2016 at 06:33 PM
None of your antivirus software is active !!!!
0
Ambucias Posts 47357 Registration date Monday February 1, 2010 Status Moderator Last seen February 15, 2023 11,177 > Ambucias Posts 47357 Registration date Monday February 1, 2010 Status Moderator Last seen February 15, 2023
Dec 30, 2016 at 06:43 PM
I must soon logout and may not be able to continue with you till tomorrow at 5am New Years Eve, eastern standard time.

After ZHP Fix, restart your computer. After you restarted I will require a new ZHP diag report. So please, generate a new report and upload it on tinyupload McAfee has been disabled we must get it going again.

Cheers
0
Queen1628 Posts 13 Registration date Wednesday December 28, 2016 Status Member Last seen January 6, 2017
Dec 30, 2016 at 07:00 PM
Ok that makes sense. I only downloaded spybot to see if I could clean out the computer. I'll remove once the program is finished running. Should I also remove the malware as well?
0
Queen1628 Posts 13 Registration date Wednesday December 28, 2016 Status Member Last seen January 6, 2017
Dec 30, 2016 at 07:16 PM
Hi Ambucias, here is the path to the report from ZHP Fix: http://s000.tinyupload.com/?del_id=92479594161799083170 ... I'll run the diag and send soon. Thank you so much for your help and wising you a great night.
0
Queen1628 Posts 13 Registration date Wednesday December 28, 2016 Status Member Last seen January 6, 2017
Dec 30, 2016 at 07:48 PM
Hi Ambucias, here is the path to the diag:

http://s000.tinyupload.com/?del_id=81317352523846788425
0

Didn't find the answer you are looking for?

Ask a question
Ambucias Posts 47357 Registration date Monday February 1, 2010 Status Moderator Last seen February 15, 2023 11,177
Dec 31, 2016 at 06:18 AM
Hi Deb

There 30 malware that remain.

Your antivirus is still deactivated.

Please download and run ZHP Cleaner

https://nicolascoolman.eu

click on scan, then on clean and produce a report to be pasted here.

Open your McAfee and tell me of any me it says that your computer is secured.

Catch you later
0
Queen1628 Posts 13 Registration date Wednesday December 28, 2016 Status Member Last seen January 6, 2017
Updated by Queen1628 on 2/01/17 at 12:11 PM
0
Queen1628 Posts 13 Registration date Wednesday December 28, 2016 Status Member Last seen January 6, 2017
Jan 2, 2017 at 12:16 PM
Hi Ambucias, Happy New year, I cleaned the computer, but when I tried to respond to you via the computer, I couldn't. There's still something that's controlling the computer. The screen kept going up and down really fast. :-(
0
Ambucias Posts 47357 Registration date Monday February 1, 2010 Status Moderator Last seen February 15, 2023 11,177
Jan 2, 2017 at 04:59 PM
Hi Deb

I have a three more things for you to do, but you must not omit anyone.

First

Go to your control panel, add/uninstall programs. Search for QuickTimePlayer and uninstall it.

Second

Copy the following bold lines:

Script ZHPFix
FirewallRaz
EmptyPrefetch
EmptyTemp
EmptyFlash
O4 - GS\CommonDesktop [Public]: QuickTime Player.lnk . (...) C:\Program Files (x86)\QuickTime\QuickTimePlayer.exe
O69 - SBI: prefs.js [Queen Thorpe - x80rf77a.default] user_pref("CT3289664.LOCAL_COOKIE_THROTTLE_BASEloopbackhttp://up.autocompleteplus.com/up?q=compound%20subject%20verb%20agreement&[...]
O69 - SBI: prefs.js [Queen Thorpe - x80rf77a.default] user_pref("CT3303797.LOCAL_COOKIE_THROTTLE_BASEloopbackhttp://up.autocompleteplus.com/up?q=1%2B800%2Bmattress&l=www.1800mattress.[...]
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID\{977AE9CC-AF83-45E8-9E03-E2798216E2D5}


Open ZHP Fix, close all other programs including this one, click on Import and clean as you did the first time.

Third and extremely important

Open your McAfee antivirus programme, tell me if it says that your computer is protected.

Good luck
0
Queen1628 Posts 13 Registration date Wednesday December 28, 2016 Status Member Last seen January 6, 2017
Jan 4, 2017 at 03:15 PM
Hi Ambucias, when I searched for QuickTimePlayer, it says that it cannot find... I also did a line by line check and cannot locate.. could it be under a different name?
0
Ambucias Posts 47357 Registration date Monday February 1, 2010 Status Moderator Last seen February 15, 2023 11,177
Jan 4, 2017 at 05:13 PM
Okay, go to the second phase and QuickPlayer.exe should get deleted.

Don't forget step three.
0
Queen1628 Posts 13 Registration date Wednesday December 28, 2016 Status Member Last seen January 6, 2017
Jan 5, 2017 at 07:06 PM
HI Ambucias: path to report: http://s000.tinyupload.com/?file_id=90218358427889129335

McAfee Total Protection: Virus and Spyware Protection: on
Web and Email protect: on
Mcafee Updates: current
subscription: active
0
Ambucias Posts 47357 Registration date Monday February 1, 2010 Status Moderator Last seen February 15, 2023 11,177
Jan 6, 2017 at 04:57 AM
Hi Deb

Using Explorer (not internet explorer but Windows file explorer) please find this file:

C:\Program Files (x86)\QuickTime\QuickTimePlayer.exe

Once you have found it, please delete it.

Does your McAfee icon appear in your task bar, right bottom corner of your screen?

How is your machine performing ?
0
Queen1628 Posts 13 Registration date Wednesday December 28, 2016 Status Member Last seen January 6, 2017
Jan 6, 2017 at 03:50 PM
path to new diag: http://s000.tinyupload.com/?file_id=03957778325916113326

mcAfee: is appearing on task bar. is active and on, and so far, appears to be good!
0
Queen1628 Posts 13 Registration date Wednesday December 28, 2016 Status Member Last seen January 6, 2017
Updated by Queen1628 on 6/01/17 at 04:06 PM
yikes, looks like I prematurely assessed! Screen still moving on it's own!
0
Ambucias Posts 47357 Registration date Monday February 1, 2010 Status Moderator Last seen February 15, 2023 11,177 > Queen1628 Posts 13 Registration date Wednesday December 28, 2016 Status Member Last seen January 6, 2017
Jan 6, 2017 at 05:01 PM
Hold on Deb I am working on it.
0
Ambucias Posts 47357 Registration date Monday February 1, 2010 Status Moderator Last seen February 15, 2023 11,177
Jan 6, 2017 at 06:05 PM
Deb,

The log you recently sent indicates that you do not have any antivirus nor a firewall.

In your system, not your own but your computer's there are remnants of AVG, Norton and Spybot. There is Norton Toolbar which may cause the flickering.

One

We will do a ZHP Fix again.

These are the lines:

Script ZHPFix
FirewallRaz
EmptyPrefetch
EmptyTemp
EmptyFlash
O69 - SBI: prefs.js [Queen Thorpe - x80rf77a.default] user_pref("CT3289664.LOCAL_COOKIE_THROTTLE_BASEloopbackhttp://up.autocompleteplus.com/up?q=compound%20subject%20verb%20agreement&[...]
O69 - SBI: prefs.js [Queen Thorpe - x80rf77a.default] user_pref("CT3303797.LOCAL_COOKIE_THROTTLE_BASEloopbackhttp://up.autocompleteplus.com/up?q=1%2B800%2Bmattress&l=www.1800mattress.[...]
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID<bold>\{977AE9CC-AF83-45E8-9E03-E2798216E2D5}
O3 - Toolbar: 0xB1C218236549D4119B18009027A5CD4F - [HKCU]{2318C2B1-4965-11D4-9B18-009027A5CD4F} . (...) -- (.not file.)
O3 - Toolbar: Norton Toolbar - [HKLM]{7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} . (...) -- (.not file.)
HKCU\SOFTWARE\ASKDefaultSearch
O23 - Service: TightVNC Server (tvnserver) . (...) - C:\Program Files (x86)\ShowMyPCService\tvnserver.exe (.not file.)
[MD5.00000000000000000000000000000000] [APT] [AVG-Secure-Search-Update_0214b_rel] (...) -- C:\Program Files (x86)\AVG SafeGuard toolbar\AVG-Secure-Search-Update_0214b.exe (.not file.) [0] (.Activate.) =>.Superfluous.Empty
[MD5.00000000000000000000000000000000] [APT] [AVG-Secure-Search-Update_0214b_rmv] (...) -- C:\Program Files (x86)\AVG SafeGuard toolbar\AVG-Secure-Search-Update_0214b.exe (.not file.) [0] (.Activate.) =>.Superfluous.Empty
[MD5.00000000000000000000000000000000] [APT] [Lenovo\SimpleTap\Start SimpleTap for QueenThorpe.Queen Thorpe] (...) -- C:\Program Files\Lenovo\SimpleTap\SimpleTap.exe (.not file.) [0] (.Activate.) =>.Superfluous.Empty
O39 - APT: AVG-Secure-Search-Update_0214b_rel - (...) -- C:\Windows
\Tasks\AVG-Secure-Search-Update_0214b_rel.job [372] (.Orphan.) =>.Superfluous.Orphan
O39 - APT: AVG-Secure-Search-Update_0214b_rmv - (...) -- C:\Windows\Tasks\AVG-Secure-Search-Update_0214b_rmv.job [374] (.Orphan.) =>.Superfluous.Orphan
O39 - APT: AVG-Secure-Search-Update_0214b_rel - (...) -- C:\Windows\System32\Tasks\AVG-Secure-Search-Update_0214b_rel [2666] (.Orphan.) =>.Superfluous.Orphan
O39 - APT: AVG-Secure-Search-Update_0214b_rmv - (...) -- C:\Windows\System32\Tasks\AVG-Secure-Search-Update_0214b_rmv [2668] (.Orphan.) =>.Superfluous.Orphan
O4 - HKLM\..\Wow6432Node\Run: [CouponXplorer Search Scope Monitor] C:\PROGRA~2\COUPON~2\bar\1.bin\5zsrchmn.exe (.not file.)
O4 - HKLM\..\Wow6432Node\Run: [CouponXplorer_5z Browser Plugin Loader] C:\PROGRA~2\COUPON~2\bar\1.bin\5zbrmon.exe (.not file.)
O4 - HKLM\..\Wow6432Node\Run: [Price Finder] . (.MindSpark Interactive Network - Price Finder Helper.) -- C:\Program Files (x86)\Price Finder\PriceFinderHelper.exe {35A3F5CD3C5AFA643D822A93B2E89076}
P2 - EXT: (.ClientConnect Ltd. - InternetHelper3.2 .) -- C:\Users\Queen Thorpe\AppData\Roaming\Mozilla\Firefox\Profiles\x80rf77a.default\extensions\{4f223aef-c5be-479c-9070-c89015ff8348}
O34 - HKLM BootExecute: (sdnclean64.exe)
O43 - CFD: 03/09/2013 - [0] D -- C:\ProgramData\xfinity
O43 - CFD: 02/01/2017 - [0] D -- C:\Users\Queen Thorpe\AppData\Local\CrashRpt
O68 - StartMenuInternet: <aolfile_HTM> <AOL>[HKLM\..\InstallInfo\ShowIconsCommand] (...) -- C:\PROGRA~2\AOLDES~1.7\aol.exe (.not file.)
O68 - StartMenuInternet: <aolfile_HTM> <AOL>[HKLM\..\InstallInfo\ReinstallCommand] (...) -- C:\PROGRA~2\AOLDES~1.7\aol.exe (.not file.)
O68 - StartMenuInternet: <aolfile_HTM> <AOL>[HKLM\..\InstallInfo\HideIconsCommand] (...) -- C:\PROGRA~2\AOLDES~1.7\aol.exe (.not file.)
[MD5.] [WIS][2016/12/30 13:22:39] (.Slimware Utilities Holdings, Inc. - Windows Installer XML Toolset (3.9.1006.0).) -- C:\Windows\Installer\66137.msi [34080]
C:\Program Files (x86)\Price Finder\PriceFinderHelper.exe
C:\Users\Queen Thorpe\AppData\Roaming\Mozilla\Firefox\Profiles\x80rf77a.default\extensions\{4f223aef-c5be-479c-9070-c89015ff8348}
C:\Users\Queen Thorpe\AppData\Local\CrashRpt
C:\Windows\Installer\66137.msi
</bold>

Two(VBS script can't be found

This has to do with McAfee, to fix it:

Click on start button, type cmd. In the search result right-click on cmd and selectRun as administrator.
Type cd %windir%\system32 and press enter.
Type regsvr32 vbscript.dll in command prompt and press enter.

Three

Download and run this Malwarebyte cleaning software

https://ccm.net/downloads/security-and-maintenance/4621-malwarebytes-anti-malware/

Four

Another ZHP Diag report.

You have your work cut out.

Cheers and have fun

P.S. Bizarre you got a very bad virus file connected from this site:www.1800mattress which is difficult to removed
0