
Tech Support "Scam"



An 81-year-old relative responded to a "Microsoft Warning" pop-up and provided access to remote tech support. I've looked at the affected laptop and am not convinced it's safe for use. The oldest restore point is a week after tech support "fixed" the computer. A program titled "Microsoft Office Powerpoint Viewer" was installed when the tech support work was done; that program can't be removed, and when I click to open it, it takes me to what looks like the "My Computer" directory. The laptop is an ACER Aspire 5552-3691 with Windows 7 Home Premium, I believe. I downloaded and ran MBAM and no malware shows. I'm not convinced. Ideas? Help? Thanks so much.  


Hello DaveUpNorth and welcome to Malwarebytes,

My screen name is kevinf80, I'm here to help clean up your system. Make sure to run all scans from accounts with Administrator status, continue as follows please:

Anyone other than the original starter of this thread please DO NOT follow the instructions and advice posted as replies here, my help and advice is NOT related to your system and will probably cause more harm than good...

Change the download folder setting in the Default Browser only, so all of the tools we may use are saved to the Desktop:

Google Chrome - Click the "Customize and control Google Chrome" button in the upper right-corner of the browser. Choose Settings. At the bottom of the screen click the "Show advanced settings..." link. Scroll down to find the Downloads section and click the Change... button. Select your desktop and click OK.

Mozilla Firefox - Click the "Open Menu" button in the upper right-corner of the browser. Choose Options. In the downloads section, click the Browse button, click on the Desktop folder and then click the "Select Folder" button. Click OK to get out of the Options menu.

Internet Explorer - Click the Tools menu in the upper right-corner of the browser. Select View downloads. Select the Options link in the lower left of the window. Click Browse and select the Desktop and then choose the Select Folder button. Click OK to get out of the download options screen and then click Close to get out of the View Downloads screen.
NOTE: IE8 Does not support changing download locations in this manner. You will need to download the tool(s) to the default folder, usually Downloads, then copy them to the desktop.

Change default download folder location in Edge - Boot to a user account with admin status, select start > file explorer > right click on "Downloads" folder and select "Properties"

In the new window select "Location" tab > clear the text field box and type in or copy/paste %userprofile%\Desktop > select "Apply" then "OK"

Be aware you are not changing the Browser download folder location, you are changing the user’s download directory location.....

Next,

Follow the instructions in the following link to show hidden files:

http://www.howtogeek.com/howto/windows-vista/show-hidden-files-and-folders-in-windows-vista/

Next,

Download Farbar Recovery Scan Tool and save it to your desktop.

Alternative download option: http://www.techspot.com/downloads/6731-farbar-recovery-scan-tool.html

Note: You need to run the version compatible with your system (32 bit or 64 bit). If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.

If your security alerts to FRST, either accept the alert or turn your security off to allow FRST to run. It is not malicious or infected in any way...

Be aware FRST must be run from an account with Administrator status...
 
  • Double-click to run it. When the tool opens click Yes to disclaimer. (Windows 8/10 users will be prompted about Windows SmartScreen protection - click More information and Run.)
  • Make sure Addition.txt is checkmarked under "Optional scans"
  • Press Scan button to run the tool....
  • It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
  • The tool will also make a log named (Addition.txt) Please attach that log to your reply.


Let me see those logs...

Thank you,

Kevin..

Thanks for the logs, AVG is the current AV program, but there are remnants of McAfee and Avast, both need to be removed...

McAfee removal tool available here: https://service.mcafee.com/webcenter/portal/cp/home/articleview;jsessionid=lhzb4qvUXe07IhjyHrE2_8KVU7uDSGsEzEjgZTDh2uU2suvtmsFt!-1106176838!949291104?articleId=TS101331&_afrLoop=3162593463126847#!%40%40%3F_afrLoop%3D3162593463126847%26articleId%3DTS101331%26centerWidth%3D100%2525%26leftWidth%3D0%2525%26rightWidth%3D0%2525%26showFooter%3Dfalse%26showHeader%3Dfalse%26_adf.ctrl-state%3D1coo97ysc3_4

Avast removal tool available here: https://www.avast.com/uninstall-utility

Next.

Download attached fixlist.txt file (end of reply) and save it to the Desktop, or the folder you saved FRST into. "Do not open that file"
NOTE. It's important that both FRST and fixlist.txt are in the same location or the fix will not work.

Open FRST and press the Fix button just once and wait.
The tool will make a log on the Desktop (Fixlog.txt) or the folder it was run from. Please post it to your reply.

Next,

Open Malwarebytes, select > "settings" > "protection tab"

Scroll down to "Scan Options" ensure Scan for Rootkits and Scan within Archives are both on.... Leave all other settings to default..

Go back to "DashBoard" select the Blue "Scan Now" tab......

When the scan completes deal with any found entries... Then select "Export Summary" then "Text File (*.txt)" name that log and save , you can copy or attach that to your reply...

Next,

Download AdwCleaner by Xplode onto your Desktop.
 
  • Double click on Adwcleaner.exe to run the tool.
  • Click on the Scan in the Actions box
  • Please wait for the scan to finish..
  • When "Waiting for action.Please uncheck elements you want to keep" shows in top line..
  • Click on the Cleaning box.
  • Next click OK on the "Closing Programs" pop up box.
  • Click OK on the Information box & again OK to allow the necessary reboot
  • After restart the AdwCleaner(C*)-Notepad log will appear, please copy/paste it in your next reply. Where * is the number relative to list of scans completed...


Next,

Download and save ESET Online scanner to your Desktop from the following Link:

http://download.eset.com/special/eos/esetonlinescanner_enu.exe

Turn off the real-time scanner of any existing antivirus program before performing the online scan. Here's how

Right click on the downloaded esetonlinescanner_enu.exe file and select "Run as Administrator"

In the new Window accept the terms of service


In the new Window select "Enable detection of potentially unwanted applications" then expand "Advanced Settings"


In the new Window checkmark (tick) the entries as shown, make sure "Clean threats automatically" is not checkmarked. Now select "Scan"


In the new Window new virus database signatures will download, Do Not Select Stop


The Window will progress showing the scan in action....


In the new Window if no threats are found, select "Delete applications data on close" then select "Finish" no log is produced, confirm that in your reply...


If threats are found the following Window will open:


Click on "Select All" then "Save to Text file" name and save that file, attach to your reply.

Now select "Do not clean" and then close out....

Let me see those logs in your reply, also tell me if there are any remaining issues or concerns...

Thank you,

Kevin...

 

fixlist.txt


AVG shows in the Installed programs list, it also appears under "Security Center" in FRST additional log:

 

Quote

 

==================== Security Center ========================

(If an entry is included in the fixlist, it will be removed.)

AV: AVG AntiVirus Free Edition 2014 (Enabled - Up to date) {0E9420C4-06B3-7FA0-3AB1-6E49CB52ECD9}
AS: Windows Defender (Disabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
AS: AVG AntiVirus Free Edition 2014 (Enabled - Up to date) {B5F5C120-2089-702E-0001-553BB0D5A664}

 

Next,

To shift eset entries...

Open Notepad, select "Format" from the menu bar, make sure "Word Wrap" is not checked. Copy the text from the quote box below to Notepad.
 

Quote

@echo off
del /f /s /q "C:\Users\Walmart\Downloads\hp8w49nolrd37t35e64b8vf2 (1).zip"
del /f /s /q "C:\Users\Walmart\Downloads\hp8w49nolrd37t35e64b8vf2.zip"
del /f /s /q "C:\Windows\CouponPrinter.ocx"
del %0


Save the Notepad file on your desktop...as delfile.bat... save type as "All Files"
Double click on delfile.bat to execute it.
A black CMD window will flash, then disappear...this is normal.
The files and folders, if found...will have been deleted and the "delfile.bat" file will also be deleted.

Next,

Microsoft PowerPoint Viewer is a known legitimate program, as MS office is already installed it seems odd that a separate version of PowerPoint should be installed. You did mention that it would not uninstall, try with the following:

Download GeekUninstaller from here: http://www.geekuninstaller.com/download (Choose free version) Save Geek.zip to your Desktop. (Visit the Home page at that link for necessary information)

Extract Geek Uninstaller and save to your Desktop. There is no need to install, the executable is portable and can also be run from a USB if required.

Run the tool, the main GUI will populate with installed programs list,

Left click on Program name to highlight that entry.

Select Action from the Menu bar, then Uninstall from there follow the prompts.

If Uninstall fails open the "Action" menu one more time and use "Force Removal" option
 
Let me know if there are any remaining issues or concerns....
 
Thank you,
 
Kevin...
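
The Security Center entries quoted in the reply above follow a fixed line layout, so they can be read by a script and compared with the Control Panel program list when a product is registered but cannot be found for uninstall. This is an added example, not part of the original thread and not code from FRST or Malwarebytes; the installed-program list is a constructed sample, and both the FW prefix handling and the first-word vendor match are assumptions.

```python
import re

# Entries copied from the Security Center quote earlier on this page.
SECURITY_CENTER = """\
==================== Security Center ========================
AV: AVG AntiVirus Free Edition 2014 (Enabled - Up to date) {0E9420C4-06B3-7FA0-3AB1-6E49CB52ECD9}
AS: Windows Defender (Disabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
AS: AVG AntiVirus Free Edition 2014 (Enabled - Up to date) {B5F5C120-2089-702E-0001-553BB0D5A664}
"""

# Constructed sample of Control Panel program names (not taken from the thread's logs).
INSTALLED = ["ATI Catalyst Install Manager", "Bing Bar", "Malwarebytes"]

# kind: AV = antivirus, AS = antispyware; FW (firewall) lines are assumed to share the layout.
ENTRY = re.compile(
    r"^(?P<kind>AV|AS|FW):\s+(?P<name>.+?)\s+"
    r"\((?P<state>Enabled|Disabled)(?:\s+-\s+(?P<defs>[^)]+))?\)\s+"
    r"(?P<guid>\{[0-9A-Fa-f-]{36}\})$"
)

def parse_security_center(text):
    """Return one dict per product line; headers and other lines are skipped."""
    matches = (ENTRY.match(line.strip()) for line in text.splitlines())
    return [m.groupdict() for m in matches if m]

def enabled(entries, kind):
    """Names of products of the given kind that report themselves as enabled."""
    return [e["name"] for e in entries if e["kind"] == kind and e["state"] == "Enabled"]

def enabled_but_unlisted(entries, installed):
    """Enabled products whose first word (assumed to be the vendor) matches no
    word in any installed program name: candidates for a vendor removal tool."""
    words = {w.lower() for name in installed for w in name.split()}
    missing = []
    for e in entries:
        vendor = e["name"].split()[0].lower()
        if e["state"] == "Enabled" and vendor not in words and e["name"] not in missing:
            missing.append(e["name"])
    return missing

if __name__ == "__main__":
    entries = parse_security_center(SECURITY_CENTER)
    for e in entries:
        print(f'{e["kind"]}  {e["state"]:<8}  {e["name"]}  {e["guid"]}')
    print("Enabled, no uninstall entry:", enabled_but_unlisted(entries, INSTALLED))
```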

 

 

 


The CMD action completed, and I was able to uninstall the rogue incidence of the PPT Viewer. I still cannot find any AVG program; searching for AVG brings up the txt files I've sent you, as well as AVG search. But nothing else. It's not listed as a program through the control panel. (It goes right from ATI to Bing)

 

The laptop owner has a paid subscription to McAfee and I would have recommended Avast, because it doesn't have the confusing popup upsells that AVG does. Any thoughts on how to uninstall AVG? I tried to install a new version, but it won't let me until I uninstall the existing one, which I cannot find.

 

Thanks.


AVG has a removal tool available here: http://www.avg.com/gb-en/utilities

Let me know if we can clean up, or if there are any remaining issues or concerns....

Regarding Security, Malwarebytes is Premium version, that does have AV components.... The OS is Windows 7, I'd stick with Windows' own firewall and try Microsoft Security Essentials, should be ok with MB realtime protection turned on. Also version 3.6 is out now, check and update current version....


If all is ok run the following from an admin account with the system in Normal mode:

Download "Delfix by Xplode" and save it to your desktop.

Or use the following if first link is down:

"Delfix link mirror"

If your security program alerts to Delfix, either accept the alert or turn your security off.

Double Click to start the program. If you are using Vista or higher, please right-click and choose run as administrator

Make Sure the following items are checked:

 
  • Remove disinfection tools <----- this will remove tools we have used.
  • Purge System Restore <--- this will remove all previous and possibly exploited restore points, a new point relative to system status at present will be created.
  • Reset system settings <--- this will reset any system settings back to default that were changed either by us during cleansing or malware/infection


Now click on "Run" and wait patiently until the tool has completed.

The tool will create a log when it has completed. We don't need you to post this.

Any remnant files/logs from tools we have used can be deleted…

Next,

Read the following links to fully understand PC Security and Best Practices, you may find them useful....

Answers to Common Security Questions and best Practices

Do I need a Registry Cleaner?

Take care and surf safe

Kevin...

 


  • 3 weeks later...
  • Root Admin

Glad we could help. :) If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread. Other members who need assistance please start your own topic in a new thread. Thanks!


This topic is now closed to further replies.