Scammed-need to clear computer of contamination!

I am not sure where to place this issue.....but can you help me.
Yesterday, I was scammed into paying for my Windows to be "reactivated" in order to get rid of all the "hackers/viruses/malware" on my computer (which could only be done by him) or face having my new week-old computer blocked . Before I knew it, a "technician" was remotely manipulating my computer and downloading programs.  My computer is still useable, runs as good as new but now has programs on it that I don't trust. This event took place on 4/26/2014 between 3-5pm est.   Here's what I now have found on my computer:

***ON THE DESKTOP, THE FOLLOWING SHORTCUTS:
-Anti Hacker
-ATF Cleaner
-Malwarebytes AntiMalware Pro
-WebShield
   (the 4 above all have what looks like the Microsoft shield logo on the icon but at
    closer look it is actually a blue and yellow shield in the same shape and reflection as
    the MS shield-and I also see another icon with this shield called Lenovo Veriface and
    I'm not sure if this icon was present before the event.  I did see the technician pop
    by the Lenovo site-I watched him.....)
Computer Performance
CCleaner
Google Chrome
EventC (this does not have a shortcut symbol on it)

***"GLOBAL IT" FOLDER ON THE DESKTOP CONTAINS:
Anti Hacker  (.exe)
ATF-Cleaner (.exe) by Attribune.org
ccsetup406 -by Piriform Ltd. (in Properties it says application.exe) Digital signature is OK.   The certificate is valid from 6/24/2013-9/24/2015

Computer Performance (in Properties it says application.exe)Description: Sysinternals Process Explorer.  Digital signature is OK. ..but certificate is valid from 1/24/2013-4/24/2014

desktop.ini file
DisableUACforAdmin
Evntvwr Cleanr
favicon ICO File (.ico) (looks like a Microsoft Globe image and says Microsoft)
Malwarebytes licene Key text document
mbam-setup-1.75.0.1300 Signature is OK but valid from 5/23/2011-6/4/2013
WebShield, by Bleeping Computer LLC (in Properties>Digital Signatures>details: it says, the signature is not valid.

***IN THE DOWNLOAD FOLDER:
-aa_v3 - application (.exe) Description Ammyy Admin. Signature is OK. Certificate valid 1/13/2014-1/14/2015
-aa_v3 text document (.log)
-ccsetup-application (.exe) signature OK . Certificate 6/24/2013-9/24/2015.
-mbam-setup-1.75.0.1300 - application (.exe) Signature is OK but valid from 5/23/2011-6/4/2013
-Support-LogMeInRescue (1)
-Support-LogMeInRescue(2)
-Support-LogMeInRescue - application (.exe) Signature OK. Certificate valid 9/24/2012-10/10/2015

***IN THE PROGRAM FILES, I ONLY SEE, (IN REGARDS TO THIS EVENT):
-CCleaner
***IN THE PROGRAM FILES (x86), I FIND THE FOLLOWING FOLDERS (IN REGARDS TO THIS EVENT):
-Google (with a Chrome folder inside)
-LogMeIn Rescue RC - 7d1e22b2-8121-4749-8fd7-c5ab2887aff5  (Interesting that the date modified of this folder says 4/27/2014 at 9:04am when I believe that this was installed on 4/26/2014....are they still making changes to my computer????)
-Malwarebytes' Anti-Malware

***IN THE "UNINSTALL A PROGRAM" AREA, IN REGARDS TO THIS EVENT, I ONLY FIND:
-Malwarebytes Anti-Malware version 1.75.0.1300
-Google Chrome
-CCleaner

So where are the rest of the programs that link to the desktop shortcuts?
I've blocked my Visa card, changed my yahoo & amazon passwords. I do not do banking on line.  What else do I need to do to get rid of this mess???

How can I be sure that they can not take remote control again or are popping in on my computer ??

I read about someone else that this happened to and they reinstalled Windows (I guess they were able to regain control of their computer that way)....do I need to do that? go back to factory specs???

I am currently using a 30 day trial of McAfee and have a licensed copy of Panda on hand for afterwards and also want to buy the pro version of Malwarebytes (which I see that you offer an affiliate link for). Otherwise, everything seems to be  working fine, but I don't trust any of what was done nor the software that was added!

Do I need to change my wifi password? Could these bad people remotely take over another computer on my wifi???  Is it safe for THAT computer to pay bills? Is it safe for me to use my computer on other wifi systems??

You helped me out a few years back, which I was very grateful for.  Can you help me now, please??? With as traumatic as this event was, I " won't be fooled again!"
PS: What is a P2P program which I need to "uninstall before asking for help?"??

-----------------------------------------------
Hope it was OK to start this as I found posted on your site....

# AdwCleaner v3.204 - Report created 28/04/2014 at 02:47:04
# Updated 26/04/2014 by Xplode
# Operating System : Windows 8.1  (64 bits)
# Username : Diana - MAGICSTAR
# Running from : C:\Users\Diana\Desktop\adwcleaner.exe
# Option : Clean

***** [ Services ] *****


***** [ Files / Folders ] *****

Folder Deleted : C:\Users\Diana\AppData\Local\Pokki
Folder Deleted : C:\Users\Public\Pokki

***** [ Shortcuts ] *****


***** [ Registry ] *****

Key Deleted : HKCU\Software\Classes\AllFileSystemObjects\shell\pokki
Key Deleted : HKCU\Software\Classes\Directory\shell\pokki
Key Deleted : HKCU\Software\Classes\Drive\shell\pokki
Key Deleted : HKCU\Software\Classes\lnkfile\shell\pokki
Key Deleted : HKCU\Software\Classes\pokki
Value Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Run [Pokki]
Key Deleted : [x64] HKLM\SOFTWARE\Classes\CLSID\{A75BE48D-BF58-4A8B-B96C-F9A09DFB9844}
Key Deleted : HKCU\Software\Pokki
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\Pokki

***** [ Browsers ] *****

-\\ Internet Explorer v11.0.9600.17037


-\\ Mozilla Firefox v28.0 (en-US)

[ File : C:\Users\Diana\AppData\Roaming\Mozilla\Firefox\Profiles\kylr0zt8.default\prefs.js ]


-\\ Google Chrome v34.0.1847.131

[ File : C:\Users\Diana\AppData\Local\Google\Chrome\User Data\Default\preferences ]


*************************


AdwCleaner[R0].txt - [1545 octets] - [28/04/2014 02:42:15]
AdwCleaner[S0].txt - [1445 octets] - [28/04/2014 02:47:04]

########## EOF - C:\AdwCleaner\AdwCleaner[S0].txt - [1505 octets] ##########

How should I go about redowning loading Malwarebytes when I already have if installed (altho it is a suspicious copy?)??

Hello and welcome to GeekPolice.Net My name is Dave. I will be helping you out with your particular problem on your computer.  

1. I will be working on your Malware issues. This may or may not solve other issues you have with your machine.
2. The fixes are specific to your problem and should only be used for this issue on this machine.
3. If you don't know or understand something, please don't hesitate to ask.
4. Please DO NOT run any other tools or scans while I am helping you.
5. It is important that you reply to this thread. Do not start a new topic.
6. Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.
7. Absence of symptoms does not mean that everything is clear.

If you can't access the internet with your infected computer you will have to download and transfer any programs to the computer you're using now and transfer them to the infected computer with a CD-RW or a USB storage device. I prefer a CD because a storage device can get infected. If you use a storage device hold the shift key down while inserting the USB storage device for about 10 secs. You will also have to transfer the logs you receive back to the good computer using the same method until we can get the computer back on-line.
*******************************************************
You can uninstall MBAM and download this one. Update it and run a scan.
Don't change any passwords until later.
********************************************************
Please download Malwarebytes Anti-Malware from here.
Double Click mbam-setup.exe to install the application.

• Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes Anti-Malware, then click Finish.
  
• If an update is found, it will download and install the latest version.
  
• Once the program has loaded, select "Perform Full Scan", then click Scan.
  
• The scan may take some time to finish,so please be patient.
  
• When the scan is complete, click OK, then Show Results to view the results.
  
• Make sure that everything is checked, and click Remove Selected.
  
• When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  
• Please save the log to a location you will remember.
  
• The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  
• Copy and paste the entire report in your next reply.
  

Extra Note:

If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.
*************************************************
Download Security Check by screen317 from one of the following links and save it to your desktop.

Link 1
Link 2

* Double-click Security Check.bat
* Follow the on-screen instructions inside of the black box.
* A Notepad document should open automatically called checkup.txt
* Post the contents of that document in your next reply.

Note: If a security program requests permission from dig.exe to access the Internet, allow it to do so.

Hello Dave,
1. Please be patient with my responding as my current situation has me without a internet connection and dependent on other networks.
2.The "infected" computer CAN access the internet but is it safe to use someone else's WiFi?  (this would be the easiest way to download your apps) or should I use a storage device just to be on the safe side?
3. The links in your answer do not work. Although they are blue, in checking the html, I find they are not actively hot linked. So I could not download malwarebytes or the other link. 
Hope to hear from you soon with updated links so I can try again at my next WiFi visit... (using my mobile right now)...thanks again.

The links work well for me so it must be a problem with the computer. Download MBAM on another cumputer and transfer it to your computer.

I did manage to download Malwarebytes after I logged into GeekPolice onto a storage device. Since I didn't get an answer about using someone else's wifi, I assume that it was OK, held my breath and installed it on the "infected computer". It did seem to be a different version than the one that I uninstalled first (and loaded by the bad person). The format was different than what I was use to and it did not give me an option for quick or full scan....just scan... so that's what I chose. When I went to remove the storage device, there was a small symbol of Malwarebytes with an exclamation mark on it.....what does that imply?
The results are as follows (How is it I have a Premium version??? I notice that the rootkits are disabled....did I really run a full scan?):

Malwarebytes Anti-Malware
www.malwarebytes.org

Scan Date: 4/30/2014
Scan Time: 3:50:39 PM
Logfile: malwarebytes results 4_30_2014.txt
Administrator: Yes

Version: 2.00.1.1004
Malware Database: v2014.04.30.10
Rootkit Database: v2014.03.27.01
License: Premium
Malware Protection: Disabled
Malicious Website Protection: Disabled
Chameleon: Disabled

OS: Windows 8.1
CPU: x64
File System: NTFS
User: Diana

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 255043
Time Elapsed: 18 min, 51 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Shuriken: Enabled
PUP: Enabled
PUM: Enabled

Processes: 0
(No malicious items detected)

Modules: 0
(No malicious items detected)

Registry Keys: 0
(No malicious items detected)

Registry Values: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Folders: 0
(No malicious items detected)

Files: 0
(No malicious items detected)

Physical Sectors: 0
(No malicious items detected)


(end)

The format was different than what I was use to and it did not give me an option for quick or full scan....just scan... so that's what I chose.

That's the second time I've heard that. I'm going to download a new version and try it.

When I went to remove the storage device, there was a small symbol of Malwarebytes with an exclamation mark on it.....what does that imply?

I'll see if I duplicate that.

Malwarebytes' Anti-Rootkit

Please download Malwarebytes' Anti-Rootkit and save it to your desktop.

• Be sure to print out and follow the instructions provided on that same page for performing a scan.
  
• Caution: This is a beta version so also read the disclaimer and back up all your data before using.
  
• When the scan completes, click on the Cleanup button to remove any threats found and reboot the computer if prompted to do so.
  
• Perform another scan with Malwarebytes Anti-Rootkit to verify that no threats remain. If they do, then click Cleanup once more and repeat the process.
  
• If there are problems with Internet access, Windows Update, Windows Firewall or other system issues, run the fixdamage tool located in the folder Malwarebytes Anti-Rootkit was run from and reboot your computer.
  
• Two files (mbar-log-YYYY-MM-DD, system-log.txt) will be created and saved within that same folder.
  
• Copy and paste the contents of these two log files in your next reply.
  

(How is it I have a Premium version??? I notice that the rootkits are disabled....did I really run a full scan?):

You must have downloaded the Premium version. After we're finished, you can download the free version, if you wish, and keep it on your computer. I run mine once a week. The Rootkits are disabled because they have a separate scanner for rootkits.

I think that there might be something hinkey with the way MBAM loaded. First, I uninstalled the version that the hacker technian loaded (which was a PRO/premium version). I did NOT reboot...maybe I should have? When I went to install your version, it walked me thru the whole accept the terms, next...next...next ...finish and then I was suddenly back to the beginning of the whole procedure! Went thru it again and this time this premium versioncame up. I am familiar with M.B.'s free version. I intend to buy the premium version thru your site when we are done here but I have NEVER bought or ordered the premium version otherwise. I need to get to a wifi to download your latest link . Again, I will uninstall MB but should I reboot before install of the beta version?

Writing from my mobile. At a certain point the reply box does not allow me to review my message...sorry. I'm a little confused...in rereading your post...the very next thing that you want me to do, is to download MBAR and run that....&leave MBAR alone for the moment....correct?
Fyi: I have removed all personal data except for MBAM LOGS. Also when I changed my passwords, mentioned in my initial request, I used another computer.

Thats leave MBAM alone (darn auto-correct)

I will uninstall MB but should I reboot before install of the beta version?.

Yes, some uninstalls require a re-boot.
I need to see the log for MBAR when you able to get it to me.

Malwarebytes Anti-Rootkit BETA 1.07.0.1009
www.malwarebytes.org

Database version: v2014.05.01.12

Windows 8 x64 NTFS
Internet Explorer 11.0.9600.17031
Diana :: MAGICSTAR [administrator]

5/1/2014 3:15:50 PM
mbar-log-2014-05-01 (15-15-50).txt

Scan type: Quick scan
Scan options enabled: Anti-Rootkit | Drivers | MBR | Physical Sectors | Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken
Scan options disabled:
Objects scanned: 252248
Time elapsed: 16 minute(s), 10 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

Physical Sectors Detected: 0
(No malicious items detected)

(end)

---------------------------------------
Malwarebytes Anti-Rootkit BETA 1.07.0.1009

(c) Malwarebytes Corporation 2011-2012

OS version: 6.2.9200 Windows 8 x64

Account is Administrative

Internet Explorer version: 11.0.9600.17031

File system is: NTFS
Disk drives: C:\ DRIVE_FIXED, D:\ DRIVE_FIXED
CPU speed: 2.394000 GHz
Memory total: 8497946624, free: 6443999232

Downloaded database version: v2014.05.01.12
Downloaded database version: v2014.03.27.01
Initializing...
======================
Done!
Scanning drivers directory: C:\WINDOWS\SYSTEM32\drivers...
Done!
Drive 0
Scanning MBR on drive 0...
Inspecting partition table:
This drive is a GPT Drive.
MBR Signature: 55AA
Disk Signature: 7D9FBC7E

GPT Protective MBR Partition information:

Partition 0 type is EFI-GPT (0xee)
Partition is NOT ACTIVE.
Partition starts at LBA: 1 Numsec = 4294967295

Partition 1 type is Empty (0x0)
Partition is NOT ACTIVE.
Partition starts at LBA: 0 Numsec = 0

Partition 2 type is Empty (0x0)
Partition is NOT ACTIVE.
Partition starts at LBA: 0 Numsec = 0

Partition 3 type is Empty (0x0)
Partition is NOT ACTIVE.
Partition starts at LBA: 0 Numsec = 0

GPT Partition information:

GPT Header Signature 4546492050415254
GPT Header Revision 65536 Size 92 CRC 1868343819
GPT Header CurrentLba = 1 BackupLba 1953525167
GPT Header FirstUsableLba 34 LastUsableLba 1953525134
GPT Header Guid 80ca6d62-504e-43a6-a41e-5573ba17365e
GPT Header Contains 128 partition entries starting at LBA 2
GPT Header Partition entry size = 128

Backup GPT header Signature 4546492050415254
Backup GPT header Revision 65536 Size 92 CRC 1868343819
Backup GPT header CurrentLba = 1953525167 BackupLba 1
Backup GPT header FirstUsableLba 34 LastUsableLba 1953525134
Backup GPT header Guid 80ca6d62-504e-43a6-a41e-5573ba17365e
Backup GPT header Contains 128 partition entries starting at LBA 1953525135
Backup GPT header Partition entry size = 128

Partition 0 Type de94bba4-6d1-4d40-a16a-bfd5179d6ac
Partition ID b2128ffa-6eac-4191-8691-bd1a38e572ff
FirstLBA 2048 Last LBA 2050047
Attributes 1
Partition Name Basic data partition

Partition 1 Type c12a7328-f81f-11d2-ba4b-0a0c93ec93b
Partition ID c6f6e5e7-4e50-4ea1-a3e0-ead7876e61bb
FirstLBA 2050048 Last LBA 2582527
Attributes 1
Partition Name EFI system partition

GPT Partition 1 is bootable
Partition 2 Type bfbfafe7-a34f-448a-9a5b-6213eb736c22
Partition ID c44120d1-bd51-4091-a063-87e14789a43c
FirstLBA 2582528 Last LBA 4630527
Attributes 1
Partition Name Basic data partition

Partition 3 Type e3c9e316-b5c-4db8-817d-f92df0215ae
Partition ID b7eb7258-98d-46e9-b56b-2c50359d380
FirstLBA 4630528 Last LBA 4892671
Attributes 0
Partition Name Microsoft reserved partition

Partition 4 Type ebd0a0a2-b9e5-4433-87c0-68b6b72699c7
Partition ID b54680f9-d2cd-4e9f-b30-7b235e9b3136
FirstLBA 4892672 Last LBA 1874599935
Attributes 0
Partition Name Basic data partition

Partition 5 Type ebd0a0a2-b9e5-4433-87c0-68b6b72699c7
Partition ID f0c68125-3e1a-40e6-9dc9-c1748d1c7887
FirstLBA 1874599936 Last LBA 1927028735
Attributes 0
Partition Name Basic data partition

Partition 6 Type de94bba4-6d1-4d40-a16a-bfd5179d6ac
Partition ID 20d2e21b-d373-4c4b-a580-bcb7be45fc2d
FirstLBA 1927028736 Last LBA 1953523711
Attributes 1
Partition Name Basic data partition

Disk Size: 1000204886016 bytes
Sector size: 512 bytes

Done!
Scan finished
=======================================


Removal queue found; removal started
Removing C:\ProgramData\Malwarebytes' Anti-Malware (portable)\MBR-0-i.mbam...
Removing C:\ProgramData\Malwarebytes' Anti-Malware (portable)\MBR-0-r.mbam...
Removal finished

It said I had no malware and did not offer a cleanup button! so I ended and here are the reports.

I'd like to scan your machine with ESET OnlineScan

•Hold down Control and click on the following link to open ESET OnlineScan in a new window.
ESET OnlineScan

•Click the button.
•For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)

• Click on to download the ESET Smart Installer. Save it to your desktop.
  
• Double click on the icon on your desktop.
  

•Check
•Click the button.
•Accept any security warnings from your browser.

• Leave the check mark next to Remove found threats.
  

•Check
•Push the Start button.
•ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
•When the scan completes, push
•Push , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
•Push the button.
•Push
A log file will be saved here: C:\Program Files\ESET\ESET Online Scanner\log.txt

After 3 hours+ and only being at 47%, I left the computer running at a friend's house. This morning, the power seemed to be off and needed to be restarted but amazingly found on the desktop everything the way I had left it and still at 47% but still scanning files. After 21+ hours it finally went from 78% to done!! It said that there were no threats (amazing) and gave me no option for the button "List of Found Threats" or "Export to text file"...only an option to Finish. So I found the log thanks to your posting where I could find it in the ESET program files.  Here is the log:

ESETSmartInstaller@High as downloader log:
all ok
ESETSmartInstaller@High as downloader log:
all ok
# version=8
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.6920
# api_version=3.0.2
# EOSSerial=1e44cf19a861ce4ba2b8376f6b3fcb43
# engine=18117
# end=stopped
# remove_checked=false
# archives_checked=true
# unwanted_checked=false
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2014-05-02 06:31:03
# local_time=2014-05-02 02:31:03 (-0500, Eastern Daylight Time)
# country="United States"
# lang=1033
# osver=6.2.9200 NT
# compatibility_mode=5122 16777214 66 62 0 25360149 0 0
# compatibility_mode=5893 16776574 100 94 1030033 23015156 0 0
# scanned=5742
# found=0
# cleaned=0
# scan_time=127
ESETSmartInstaller@High as downloader log:
all ok
# version=8
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.6920
# api_version=3.0.2
# EOSSerial=1e44cf19a861ce4ba2b8376f6b3fcb43
# engine=18117
# end=finished
# remove_checked=false
# archives_checked=true
# unwanted_checked=false
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2014-05-03 05:01:02
# local_time=2014-05-03 01:01:02 (-0500, Eastern Daylight Time)
# country="United States"
# lang=1033
# osver=6.2.9200 NT
# compatibility_mode=5122 16777214 66 62 0 25441148 0 0
# compatibility_mode=5893 16776574 100 94 1111032 23096155 0 0
# scanned=208165
# found=0
# cleaned=0
# scan_time=80885

How's the computer now? Any other issues?

I didn't remove any of the ESET scan downloads....and have closed out those screens.......?

"by Superdave on Sat 03 May 2014, 2:10 pm
How's the computer now? Any other issues?"

My computer has run smoothly all along but I was concerned about threats, changes of settings and all these programs that were installed and staring at me on my desk top (see my initial post):

1. Are you saying my computer is clear...no problems?
2. other issues: when I boot up, I see a flash of the black run window and at the same time it shows an icon on the task bar but both are gone in a flash. I don't remember seeing this prior to this hacking/technician event....maybe this doesn't have anything to do with it or maybe someone can access my computer thru this???? (He did change settings here and there and I took photos while he did it...and I don't know what those changes imply)

3. Previously, I had a house button on the task bar and it was sort of like a START button....had put off exploring it but now it's not there.....was it removed somewhere along all of this??
4. The regular icon for Mozilla/Firefox appears as a sheet with a turned down corner....how do I get back the regular fox in a circle icon back???
5. what do I do with all these programs that were installed??? 4 have MS blue & yellow shields on them...does that mean they have been OKed???

Did you still want me to run Security Check by screen317?

Previously, I had a house button on the task bar and it was sort of like a START button....had put off exploring it but now it's not there.....was it removed somewhere along all of this??

I'm not sure about that button. I've never seen it before. Is it something you installed yourself?

The regular icon for Mozilla/Firefox appears as a sheet with a turned down corner....how do I get back the regular fox in a circle icon back???

Your best bet would be to uninstall and re-install Firefox.

what do I do with all these programs that were installed??? 4 have MS blue & yellow shields on them...does that mean they have been OKed???

You may keep AdwCleaner and MBAM and run them on a regular basis, if you have room for them.

Did you still want me to run Security Check by screen317?.

I just wanted to see what you have for protection but this next scanner will tell me.

Download Combofix from any of the links below, and save it to your DESKTOP.
If your version of Windows defaults to you download folder you will need to copy it to your desktop.

Link 1
Link 2
Link 3

To prevent your anti-virus application interfering with ComboFix we need to disable it. See here for a tutorial regarding how to do so if you are unsure.

• Close any open windows and double click ComboFix.exe to run it.
  
  You will see the following image:
  

Click I Agree to start the program.

ComboFix will then extract the necessary files and you will see this:



As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. This will not occur in Windows Vista and 7

It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

If you did not have it installed, you will see the prompt below. Choose YES.



Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes, to continue scanning for malware.

When finished, it will produce a report for you. Please post the contents of the log (C:\ComboFix.txt).

Leave your computer alone while ComboFix is running. ComboFix will restart your computer if malware is found; allow it to do so.

Note: Please Do NOT mouseclick combofix's window while its running because it may cause it to stall.

"To prevent your anti-virus application interfering with ComboFix we need to disable it. See here for a tutorial regarding how to do so if you are unsure."

I am unsure and the "here" link comes up with an "error|PC Help Forum" (and I'm logged in). need new link, please.

Sorry, To prevent your anti-virus application interfering with ComboFix we need to disable it. See here for a tutorial regarding how to do so if you are unsure.

1. Thank's for the new link, however, McAfee LiveSafe-Internet Security (the 30 day trial included with this new computer) is not listed.  I tried the other McAfee options to see if they led me to possibly disabling it. Will turning off the Real-Time scanning be ENOUGH? or do I need to turn something else off as well? like the firewall? I checked to see if the Windows firewall was on but it said that it was under the control of McAfee (which expires in 11 days but I would like to delete the whole thing and install Panda in the next 5 days).

2. Do I need to also disable Malwarebytes, which opened upon bootup, for the first time today, and said that I was updated and protected! And what about all that other stuff that was put on my computer: Anti Hacker, AFT Cleaner, Webshield, Computer Performance, Event C, & CCleaner???? Do any of these need to be disabled? (I have not even opened them and don’t know if they are actively running).

3. I thought that I’d download ComboFix and be ready for your responses. While trying to do this, suddenly McAfee said that I had a Trojan:
Item: Wcj+TfdH.exe.part     Threat:   Artemis!D0270A3C736B  
and was put in quarantine...no further actions were necessary. I tried to download 3 more times with the other Artemis items being E4LK7Y0y.exe.part and twice it was ComboFix.exe

4. So, I realized that I needed to turn off McAfee's Real-Time scanning just to download ComboFix. I did that, without McAfee’s interference, put the icon on the desktop & double clicked; I got the following message and have no idea where to look to change the “Modes”:
“ComboFix is not meant to run in ‘Compatibility Mode’.  The program shall now exit”.
FYI, I am now back home and hope to respond more quickly....thanks for your patience and guidance.

It appears that bleeping computer is the designated site (?) for combofix based on this following guide: http://www.bleepingcomputer.com/combofix/how-to-use-combofix

so I assume they have the latest version. I believe that I chose the BC link that you offered to download from. It appears that combofix is still not compatible with 8.1....Do you want me to uninstall it, make sure it is downloaded from BC and try again? what do you want me to do next?

In my reading about Combofix, it says to basically NOT touch or click on the computer. This brings me to my concern about any of these scans...before doing them, is it OK to go to Power options>change when the computer sleeps>and since I have it plugged in, choose to NEVER put the computer to sleep?....so that I don't have to jiggle the mouse or tap something......?

Will turning off the Real-Time scanning be ENOUGH?

That's it.

or do I need to turn something else off as well? like the firewall?

Only if it interferes with the running of CF.

Do I need to also disable Malwarebytes, which opened upon bootup, for the first time today, and said that I was updated and protected! And what about all that other stuff that was put on my computer: Anti Hacker, AFT Cleaner, Webshield, Computer Performance, Event C, & CCleaner???? Do any of these need to be disabled? (I have not even opened them and don’t know if they are actively running).

No, that shouldn't be necessary.

is it OK to go to Power options>change when the computer sleeps>and since I have it plugged in, choose to NEVER put the computer to sleep?....so that I don't have to jiggle the mouse or tap something......?.

Try changing the settings before running CF.

I just turned off the Real time scanning in McAfee, changed the power options to Never and double clicked on the CF icon and again (as I mentioned two posts ago-above) I got the following message and have no idea where to look to change the “Modes”:
“ComboFix is not meant to run in ‘Compatibility Mode’.  The program shall now exit”. What do I do?

Ok, here's what I found in my Windows 8 about compatibility. You can access it by going to Start, Control Panel and clicking on Troubleshooting. Click on Programs to run ComboFix in normal mode.

Program Compatibility Assistant

When you install or run an app, Windows monitors the app for symptoms of known compatibility issues. If it finds an issue, Program Compatibility Assistant provides some recommended actions that you can take to help the app run properly on Windows 8.

Note that Program Compatibility Assistant doesn't monitor apps that work at low system levels (for example, kernel mode drivers, security, and backup apps). Due to the dependency of these apps on Windows system internals, you generally can't apply compatibility fixes to them.

If you try to run an app with known incompatibilities, you'll see a message telling you about the problem, and, depending on the severity of the problem, Program Compatibility Assistant might prevent the app from running.

Troubleshoot for app compatibility

1.
From Start, swipe in from the right edge of the screen and then tap Search (or if you're using a mouse, point to the upper-right corner of the screen, move the mouse pointer down, and then click Search).

2.
Enter troubleshoot in the search box, choose Settings, and then choose Troubleshooting.

3.
Tap or click Run programs made for previous versions of Windows.

4.
Follow the steps provided.

Apply a compatibility mode

If you know the compatibility mode that your app needs to run, here is how to apply it:
1.
From Start, enter the name of the app you want to run in compatibility mode, and in the search results list, swipe down or right-click to select the app, and choose Open file location.

2.
In File Explorer, swipe down on the app or right-click it, and choose Properties.

3.
In the Properties dialog, choose the Compatibility tab.

4.
Select the compatibility mode and other options you want to apply, and then click OK.

In addition to different operating system compatibility modes, you can also run apps in reduced color modes or with administrator permissions. You can apply the settings for everyone who uses the computer or only for you.

OK…..I have been messing with this all evening and feel that I am spinning my wheels, banging my head against the wall and dead in the water! Here’s what I did:

First I disabled McAfee.
Since 8.1 does not have a Start button (at least like win7), the closest thing that I can do is press the WIN-logo-key + X >an options window opens in lower left corner on Desktop>
Clicked control panel > under System and Security clicked Find and Fix problems>
“Troubleshooting” window opens>
Under Programs, I chose “Run programs made for previous version of Windows”>
“Program Compatibility Troubleshooter” opens>
Click NEXT> “detecting issues” scans and generates a list of programs (are these all my programs or just specific programs that have issues?-some 64+ programs….must be everything on the computer)
“Select the program you’re having problems with”
Click on “ComboFix NSIS Installer” to highlight>
Click NEXT
“Select Troublshooting option:”

Option 1) Try recommended settings –select this option to test run program using recommended compatibility settings

Option 2) Troubleshoot program – select this option to choose compatibility settings based on problems you notice

I chose to click option 1, try recommended settings.
“Test Compatibility settings for the program” opens :
It states: Settings applied to ComboFix NSIS Installer: Windows compatibility mode: Windows 7”
“You need to test the program to make sure these new settings fixed the problem before you can click NEXT to continue.” So I clicked on the button that says “Test the program…”
ComboFix window opens: “ComboFix is not meant to run in ‘Compatibility Mode’.  The program shall now exit.”……!!!!!!

Click OK and instead of choosing NEXT, I chose CANCEL.
Back to Program Compatibility Troubleshooter, re-choose ComboFix, troubleshoot program, and this time chose option 2 listed above, “Troubleshoot Program” window opens>
“What problems do you notice?” with 4 choice boxes to check off.
-The program worked in earlier versions of windows but won’t install or run now (hovering over the box pops up “Example: the setup program won’t begin”)

-The program opens but doesn’t display correctly

-The program requires additional permissions (Example: Access denial errors appear, or the program requests administrative permissions to run.”)

-I don’t see my problem listed

NEXT     or      CANCEL……I chose cancel….because I really didn’t know what I was getting into.

Up to this point, this would all follow YOUR instructions and the first set of steps 1-4 “Trouble shoot for app compatibility” that you posted.

"APPLY a Compatibiliity Mode" follows (the next 4 steps that you posted):
Step 1-since I don’t have a start button, I pulled up search, which came from the Charms area-the right>
Typed ComboFix and first listed was the Combo icon.  I figured that was the application, but I could not right click on it. …and so could not Open File Location as a result!
Step 2- Win-logo-ket+X>
Chose File Explorer> clicked the desktop>scrolled to find ComboFix (not a shortcut but the actual application-and btw, it has one of those MS blue & yellow shields on it)>
Right clicked on it>properties>
Step 3-click Compatibility tab
Step 4-“Run this program in Compatibility mode for:” It had a drop-down menu and had selected Win7. I checked the box next to it and it allowed me to make another choice. Win7 had already not worked so I chose Win8.  There was not 8.1 option. There was NO option it run it in NORMAL mode, either.
I clicked APPLY and then OK.  The window closed.

Double clicked ComboFix and got that old familiar song:
“ComboFix is not meant to run in ‘Compatibility Mode’.  The program shall now exit.”……!!!!!!

Closed everything out. Turned McAfee back on, and did some reading up on ComboFix at Bleeping Computer.
At http://www.bleepingcomputer.com/forums/t/511930/how-do-i-get-combofix-to-run-on-windows-81/ on April 18, 2014, they say "This program does not work on Windows 8.1 at this time!"
At http://www.bleepingcomputer.com/forums/t/533021/combofix-for-windows-81/ one week ago, someone asked Is there COMBO FIX software being developed to be compatible in a Windows 8.1 OS? And amongst their answers is
“sUBs (the creator of ComboFix-who seems to have a connection with BC) has advised that he is holding off releasing any working version of his tools for Windows 8.1 which includes both ComboFix and DDS. Meaning he is fully aware of the compatibility issue but needs time for thorough testing to ensure they work safely on that OS.”
I have not asked them for help over there at BC, it’s just that every question involving ComboFix that I google leads me back to their site.
 I think we are barking up the wrong tree at this point involving the use of ComboFix for 8.1.

I never scanned with Security Check…do you still want me to do that?

What should I do next? :/

Last edited by macmanetz on 10th May 2014, 5:25 am; edited 1 time in total (Reason for editing : clarity)

Since 8.1 does not have a Start button (at least like win7),

8.1 was supposed to install the Start button. I downloaded and install one myself from here and it's free.

I never scanned with Security Check…do you still want me to do that?

Yes, please but don't be surprised if 8.1 gives you problems with this also.
I need to know if you have any other problems with your computer?

Results of screen317's Security Check version 0.99.83
x64 (UAC is enabled)
Internet Explorer 11
``````````````Antivirus/Firewall Check:``````````````
Windows Firewall Enabled!
McAfee Anti-Virus and Anti-Spyware
Windows Defender
WMI entry may not exist for antivirus; attempting automatic update.
`````````Anti-malware/Other Utilities Check:`````````
Adobe Flash Player 13.0.0.206
Adobe Reader XI
Mozilla Firefox (29.0.1)
Google Chrome 34.0.1847.131
````````Process Check: objlist.exe by Laurent````````
Malwarebytes Anti-Malware mbamservice.exe
Malwarebytes Anti-Malware mbam.exe
Malwarebytes Anti-Malware mbamscheduler.exe
`````````````````System Health check`````````````````
Total Fragmentation on Drive C: %
````````````````````End of Log``````````````````````

Thank you for the tip on the Start Button! There is talk of a release in August that would have one for 8.1 and I have concerns about uninstalling it at that time....hopefully without issues....but this Start button looks great for the mean time!!!

My "infected" computer seems to be running fine as it has all along. My big concerns now are:

1. why do I see a black run-type screen flash upon bootup once I am on the desktop screen? what is it and how do I get rid of it? This morning when it flashed, I caught "windows/system32/_____" and something else that I couldn't make out.

2. I'm concerned about anyone EVER getting into my computer remotely again, so I located System Properties folder> remote tab> and unchecked "Allow Remote Assistance to this computer">apply>OK... Is there someone out there that would need access without first discussing it with me?? Is this OK to not allow open access? Will this block these hackers who now know the codes in my computer from ever entering my computer by remote, again???? What is LogMeInRescue RC-something that allows them to reenter my computer?

3. After performing these scans, can I now trust my computer & browser to type in usernames and passwords at this point? use charge cards? make purchases??? Trust that someone isn't stealing my info?

4. When can I change out McAfee for Panda and what's the best way to remove all traces of McAfee?

5. What about all this software that was loaded onto my computer??? (please refer to my first post where I listed everything which is all still there even after the scans) Can I trust any of it?? or should I just trash it all??? I don't even know what half of it is!!! ...and some items in the folder look suspicious to me! Like the Notepad file with a gear on it or the Registration Entry (.reg); Windows Batch file, ICO file??....what are those all about???

The only thing I see that has changed was caught by adwcleaner and deleted: a user file called pokki, an icon that SEEMED like a start button on the task bar (shaped like a white silhouette of a house which I can not find in google searches) and another icon on the task bar that was another link to windows store but pink background with a different bag on it.

BTW, even though I uninstalled Malwarebytes and reinstalled YOUR free version, it comes up occasionally and starts scanning just like a licensed version! can I trust it???

...and on a bright note, this morning, after booting, the Mozilla icon reappeared....without having done anything (maybe it updated over night)!

I realize that we have been trying to establish that there is no malware or virus but all the above things REALLY bother me....I haven't been doing anything involving a username, PW or purchase on this new computer since this all happened-no email or social networking- just working with you and looking at stuff....but thanks for helping....

Windows 8 comes with its own AV called Windows Defender. If you wish to run McAfee instead Windows Defender should be de-activated. Having more than one AV active on a computer can cause conflicts.

why do I see a black run-type screen flash upon bootup once I am on the desktop screen? what is it and how do I get rid of it? This morning when it flashed, I caught "windows/system32/_____" and something else that I couldn't make out.

I'm not sure what that could be but you try running this tool by my buddy Broni. It should fix any anomalies in your OS.

I'm concerned about anyone EVER getting into my computer remotely again, so I located System Properties folder> remote tab> and unchecked "Allow Remote Assistance to this computer">apply>OK... Is there someone out there that would need access without first discussing it with me?? Is this OK to not allow open access? Will this block these hackers who now know the codes in my computer from ever entering my computer by remote, again???? What is LogMeInRescue RC-something that allows them to reenter my computer?

They shouldn't be able to access your computer unless you give them permission. As discussed in a previous post, they will need your permission. I would never give anyone access to my computer unless I knew and trusted them. I've never heard of LogMeInRescue RC but, from what I can find, it's some kind of method of logging into your computer from a remote site but I would imagine that you would have to have your computer set up in order to do this.

After performing these scans, can I now trust my computer & browser to type in usernames and passwords at this point? use charge cards? make purchases??? Trust that someone isn't stealing my info?

About the only way that your computer would be considered safe again is to re-format and re-install the OS or run the Recovery Console which will restore your computer back to the day you took it out of the box. I couldn't find any programs that were installed by this hacker but I wouldn't consider the computer safe. Your best bet would be to save your data and do a Recovery.

Will running the Recovery Console also automatically re-install the OS? It sounds like I need to do  Recovery...and that would delete all their stuff and make their presence disappear....correct?....and will it also delete my adobe photoshop/primiere elements? MS office???? I have the disk for adobe but I have a card for ms office and originally there was an icon on the desktop to start the download...do you think that icon will reappear after recovery? Can you guide me through that or should I refer to Lenovo, or microsoft?

Would bringing it back to a previous stored backup point do (because the first thing that this hacker did was to set a backup point!) or is the best thing to restore or reset or recover (I see all 3 of these terms being used)?

"I've never heard of LogMeInRescue RC but, from what I can find, it's some kind of method of logging into your computer from a remote site but I would imagine that you would have to have your computer set up in order to do this. "

Yes, I believe that they did do that!!!



Last edited by macmanetz on 11th May 2014, 6:53 pm; edited 2 times in total (Reason for editing : an after-thought & yet another after thought!)

Will running the Recovery Console also automatically re-install the OS? It sounds like I need to do Recovery...and that would delete all their stuff and make their presence disappear....correct?...

Yes, it will restore your computer back to the day you purchased it. Any programs that the hacker installed will be gone.

and will it also delete my adobe photoshop/primiere elements? MS office???? I have the disk for adobe but I have a card for ms office and originally there was an icon on the desktop to start the download...do you think that icon will reappear after recovery? Can you guide me through that or should I refer to Lenovo, or microsoft?

You will need to make a note of the programs that you now have on your computer because they will have to be re-installed. You will also need to save all your important data to an external drive or DVD's.

Would bringing it back to a previous stored backup point do (because the first thing that this hacker did was to set a backup point!) or is the best thing to restore or reset or recover (I see all 3 of these terms being used)?

Doing a System Restore would not be as good as doing a Recovery.
In Windows 8 they call it Refresh and Reset. Here's more information about how to do that.

I guess I need to do  reset. Thanks for the link, it sure seemed easy to do but it was about 2 years out dated...I found a video on Youtube also outdated but helpful and I am currently reading a user guide.  I have a question. If the hacker changed (and he did) something in the registry, that will all be undone and cleared also, right?

I guess I need to do reset. Thanks for the link, it sure seemed easy to do but it was about 2 years out dated...I found a video on Youtube also outdated but helpful and I am currently reading a user guide. I have a question. If the hacker changed (and he did) something in the registry, that will all be undone and cleared also, right?.

It's hard to believe that Windows 8 has been out that long. Yes, all the registry will be back to when it was new.

Sorry about the delay, but I had family issues out of state for weeks!  
I finally reset/recovery my Windows yesterday (after doing a lot of research on this procedure) and am writing from that computer. All went very smoothly. All my personal files & apps were gone, as expected, as well as, all the programs that the hackers installed AND I no longer see the black box flash on the desktop upon boot-up (yay!-I think it had something to do with the command prompt).
I changed the password to my Microsoft account,
password to log into my computer,
the name of my computer,
my last name,
AND under system properties>remote tab>  I unchecked the box for "Allow Remote Assistance connections to this computer". Also, uninstalled McAfee Trial and installed Panda Antivirus that I have a license for....and downloaded Mozilla. But I still have some concerns:

1. When I made my selections for the reset, one option was to select just the drive that Windows was on (the C:drive) or all drives which included the D:drive Lenovo. I chose the first option because I figured that I needed the info on the D:drive to get back to factory specs.  Because I didn't reset the D:drive, containing factory specs, would my computer still be considered secure at this point or is it possible that something could have been installed there by the hackers??

2. Also, I selected a deep clean that would "take hours" (took a little over 2 hours) in order to really wipe things out. Oddly, when everything rebooted, the desktop was the pale blue solid color wallpaper like I had selected prior to reset and not the Lenovo photo that first came on it. AND the Start Screen displayed the customized patterned wallpaper background that I had pre-selected, again, prior to the reset (not factory specs). Upon the first Windows log-in, the same pre-selected photo that I had by user name/password came up....and I had to go to the MS account to change the photo.  If everything was wiped clean, then why did these come up? or are these held in memory at the Microsoft Account online (I
didn't see anything about the wallpaper/screen choices there)?

3.  In light of #2 above, I want to be assured that all is wiped clean and am truly starting over with a clean slate. Have all restore points also been cleared (he saw him create a restore point and even know it's name)? DLLS all reset? He left a folder that he worked from on the desktop that were things over my head....(besides installing 6 applications, he disabled UAC for admin, configuration settings for the desktop file, favicon-ICO file, windows batch file-Evntvwr Cleanr....)have they all been removed/reset,
as it appears?

4. Pokki seems to be a free download that changes the start screen with a Start Button, etc. It was on my computer and was deleted as a possible virus with one of the first programs that you had me scan my computer with....and now it's on here again.  I do not see it on my apps page nor do I see their acorn icon in the task bar. But today, I suddenly see the little white house in the task bar again (I had previously asked you about this but you said you didn't know anything about it... It appears to be a start button and connected to the App store). But a search for Pokki definitely turns up files on my computer. Might this "house" be the results of Pokki?? Could it be something Lenovo included?? Might this be a border line virus conductive app and an antivirus would target it?

5. AND finally, I want to BUY a licensed version of Malwarebytes through your site. Which brings me to, can I feel safe/secure now to use a credit card (and make purchases, look at bank statements, etc) on this reset computer? Do you want me to download and run anything as a final check?  Should I redownload Adwcleaner, which got deleted?

I know that you were helping me with viruses and malware and I may be asking more than what might be your area of expertise. But I sure to appreciate any help you can pass my way. Thanks so much for being there.

and installed Panda Antivirus that I have a license for...

Don't forget to disable Windows Defender, the AV that comes with Windows 8.

Because I didn't reset the D:drive, containing factory specs, would my computer still be considered secure at this point or is it possible that something could have been installed there by the hackers??

The D drive is where you have the Recovery Console which you just used. I can't see any possibility of that drive being infected.

If everything was wiped clean, then why did these come up? or are these held in memory at the Microsoft Account online (I
didn't see anything about the wallpaper/screen choices there)?

The only real way to wipe the drive is to choose Reformat.

Have all restore points also been cleared (he saw him create a restore point and even know it's name)? DLLS all reset? He left a folder that he worked from on the desktop that were things over my head....(besides installing 6 applications, he disabled UAC for admin, configuration settings for the desktop file, favicon-ICO file, windows batch file-Evntvwr Cleanr....)have they all been removed/reset,
as it appears?

Not being seated in front of your computer it's difficult for me to say for certain that they're gone but I would have to guess yes.

It appears to be a start button and connected to the App store). But a search for Pokki definitely turns up files on my computer. Might this "house" be the results of Pokki?? Could it be something Lenovo included?? Might this be a border line virus conductive app and an antivirus would target it?

I know nothing about this site but here's a reputable site with one review. When free download is mention one has to take that with a grain of salt. In other words, be a bit leery.

AND finally, I want to BUY a licensed version of Malwarebytes through your site. Which brings me to, can I feel safe/secure now to use a credit card (and make purchases, look at bank statements, etc) on this reset computer? Do you want me to download and run anything as a final check?  Should I redownload Adwcleaner, which got deleted?

It would depend on the site where you use your card. PayPal is dependable and it should be safe. My bank offers a free security app called Rapport Trusteer which you can configure to protect any site you want. It's very good. You could check with your bank to see if they provide it. You can download and keep AdwCleaner on your computer. Update it and run it on a regular basis.

Last edited by Superdave on 29th June 2014, 12:22 am; edited 2 times in total

and installed Panda Antivirus that I have a license for...

Don't forget to disable Windows Defender, the AV that comes with Windows 8.
Oh, my! I didn't realize that there already was an antivirus on Win8! I just did a search for Windows defender, clicked on the icon and a speech box appeared saying that the app is turned off and is not protecting my  computer. McAfee or Panda must have turned it off. Good, thanks for drawing that to my attention.

If everything was wiped clean, then why did these come up? or are these held in memory at the Microsoft Account online (I didn't see anything about the wallpaper/screen choices there)?

The only real way to wipe the drive is the chose Reformat.

I realized that I did not reformat the entire physical drive containing both the C: & D: drives, but you are also saying that it is unlikely that the D:drive was tampered with.  So isn't reinstalling Windows8.1 reformatting the C:drive??? You had said "About the only way that your computer would be considered safe again is to re-format and re-install the OS or run the Recovery Console which will restore your computer back to the day you took it out of the box." "Your best bet would be to save your data and do a Recovery." So I did do a Recovery from the Recovery Console.  Please tell me you're really not suggesting that I actually reformat the whole drive and deal with partitioning. I was really hoping for a clean bill of health!

PayPal is dependable and it should be safe. My bank offers a free security app called Rapport Trusteer which you can configure to protect any site you want. It's very good. You could check with your bank to see if they provide it. [/quote]

Thanks for that tip...I have paypal and I will look into the Rapport Trusteer.

Last edited by macmanetz on 29th June 2014, 1:35 pm; edited 1 time in total

So isn't reinstalling Windows8.1 reformatting the C:drive???

Here's more information about wiping and re-formatting. You did the correct thing in using the Recovery Console and your computer can be considerd safe to use.

THANK YOU SSSOOOO MUCH!!!!!