[Lorenzo Baltazar Perez]

Windows Defender is now listed in the services but it fails to start.  It produces error 0x80070002.  

 

FRST Fix Log:

 

Fix result of Farbar Recovery Scan Tool (x64) Version:05-03-2016 01

Ran by Liyah241 (2016-03-26 14:29:35) Run:4

Running from C:\Users\Liyah241\Desktop

Loaded Profiles: Liyah241 (Available Profiles: AAliyah & aavar_000 & Liyah241 & Amanda)

Boot Mode: Normal

==============================================

 

fixlist content:

*****************

Start

CreateRestorePoint:

CloseProcesses:

 

C:\ProgramData\Start Menu\Programs\pepperzip

 

Emptytemp:

End

*****************

 

Restore point was successfully created.

Processes closed successfully.

"C:\ProgramData\Start Menu\Programs\pepperzip" => not found.

EmptyTemp: => 48 MB temporary data Removed.

 

 

The system needed a reboot.

 

==== End of Fixlog 14:30:20 ====

 

 

MBAM Log:

 

Malwarebytes Anti-Malware

www.malwarebytes.org

 

Scan Date: 3/26/2016

Scan Time: 2:49 PM

Logfile: 

Administrator: Yes

 

Version: 2.2.1.1043

Malware Database: v2016.03.26.06

Rootkit Database: v2016.03.12.01

License: Free

Malware Protection: Disabled

Malicious Website Protection: Disabled

Self-protection: Disabled

 

OS: Windows 8.1

CPU: x64

File System: NTFS

User: Liyah241

 

Scan Type: Threat Scan

Result: Completed

Objects Scanned: 474503

Time Elapsed: 58 min, 9 sec

 

Memory: Enabled

Startup: Enabled

Filesystem: Enabled

Archives: Enabled

Rootkits: Enabled

Heuristics: Enabled

PUP: Enabled

PUM: Enabled

 

Processes: 0

(No malicious items detected)

 

Modules: 0

(No malicious items detected)

 

Registry Keys: 1

PUP.Optional.VBates, HKU\S-1-5-21-2316278512-3877362351-3516534219-1005_Classes\SOFTWARE\{834577C4-76E6-41B3-AD02-B2C0C53586F2}, Quarantined, [dc82325ac1d8241201a5b0e207fdc53b], 

 

Registry Values: 2

PUP.Optional.BrowserAir, HKU\S-1-5-21-2316278512-3877362351-3516534219-1005\SOFTWARE\REGISTEREDAPPLICATIONS|BrowserAir.K32EKWI7WBZLQUBOKZLFEFLTIA, Software\Clients\StartMenuInternet\BrowserAir.K32EKWI7WBZLQUBOKZLFEFLTIA\Capabilities, Quarantined, [cb93a3e9cdcc57df0c1fc6cd47bd728e]

PUP.Optional.VBates, HKU\S-1-5-21-2316278512-3877362351-3516534219-1005_Classes\SOFTWARE\{834577C4-76E6-41B3-aD02-B2C0C53586F2}|Name, C:\Program Files\shopperz270120160220\Duahmi.exe, Quarantined, [dc82325ac1d8241201a5b0e207fdc53b]

 

Registry Data: 0

(No malicious items detected)

 

Folders: 0

(No malicious items detected)

 

Files: 0

(No malicious items detected)

 

Physical Sectors: 0

(No malicious items detected)

 

 

(end)

 

 

ESET Log:  (This scan took almost 4 hrs and found 9 threats but the log says almost nothing)

 

ESETSmartInstaller@High as CAB hook log:

OnlineScanner64.ocx - registred OK

OnlineScanner.ocx - registred OK

Update Init

Update Download

Update Finalize

Updated modules version: 28769

 

 

[Advertisements]

Hi Lorenzo Baltazar Perez,
 
Looking real good there.
 

 

 

but the log says almost nothing

 

You should be able to locate the log at C:\Program Files (x86)\ESET\Esetonlinescanner\log.txt. Please locate and post.
 
Let's try another method to resolve your Windows Defender issue. Error 0x80070002 is caused by Windows Update. 
 
Windows Update Troubleshooter

• Click here
• Scroll down to the section "Windows 8.1, Windows 8, or Windows 7"
• Follow the instruction and click on the "run now"
• "WindowsUpdateDiagnostic.diagcab" will be downloaded to your machine.
• Double-click to run, and follow the instruction as prompted.

Once completed, please reboot your machine and then try again.
 
 
In the event that it doesn't help, please try this as well.


Security Center

• Click Windows key + R.
• Type services.msc and Press OK.
• Please ensure the below service must be set to Started and Automatic (Delayed Start).
  
  Security Center
• If the above services are not set to Started and Automatic (Delayed Start), please right click on that particular service and select properties.
• On properties window, please change the Start-up type to Automatic (Delayed Start) and use the Start button to start the service.
• Click Apply, click OK.
• Close the Services window
• Please restart the computer.

Let me know of the result.

 

In your next reply, please include the following:

• ESET log
• Are you able to start up Windows Defender?
• Any other issue?

[Jr0x]

Hi Lorenzo Baltazar Perez,
 
Looking real good there.
 

 

 

but the log says almost nothing

 

You should be able to locate the log at C:\Program Files (x86)\ESET\Esetonlinescanner\log.txt. Please locate and post.
 
Let's try another method to resolve your Windows Defender issue. Error 0x80070002 is caused by Windows Update. 
 
Windows Update Troubleshooter

• Click here
• Scroll down to the section "Windows 8.1, Windows 8, or Windows 7"
• Follow the instruction and click on the "run now"
• "WindowsUpdateDiagnostic.diagcab" will be downloaded to your machine.
• Double-click to run, and follow the instruction as prompted.

Once completed, please reboot your machine and then try again.
 
 
In the event that it doesn't help, please try this as well.


Security Center

• Click Windows key + R.
• Type services.msc and Press OK.
• Please ensure the below service must be set to Started and Automatic (Delayed Start).
  
  Security Center
• If the above services are not set to Started and Automatic (Delayed Start), please right click on that particular service and select properties.
• On properties window, please change the Start-up type to Automatic (Delayed Start) and use the Start button to start the service.
• Click Apply, click OK.
• Close the Services window
• Please restart the computer.

Let me know of the result.

 

In your next reply, please include the following:

• ESET log
• Are you able to start up Windows Defender?
• Any other issue?

[Lorenzo Baltazar Perez]

Windows defender still not working.  When I try to start it, notice says "The Windows Defender Service service on Local Computer started and stopped.  Some services stop automatically if they are not in use by other services or programs.  If I search for it and try to select it, it gives notice "The app is turned off by group policy".  If you're using another app to check for malicious or unwanted software, use Security and Maintenance to check the app's status.  To allow this app to run, contact your security administrator to enable the program via group policy.

 

 

ESET LOG:

 

ESETSmartInstaller@High as CAB hook log:
OnlineScanner64.ocx - registred OK
OnlineScanner.ocx - registred OK
Update Init
Update Download
Update Finalize
Updated modules version: 28769
# product=EOS
# version=8
# OnlineScannerApp.exe=1.0.0.1
# EOSSerial=459289a032bf6743b602f69b14c36037
# end=init
# utc_time=2016-03-27 07:28:23
# local_time=2016-03-27 12:28:23 (-0800, Pacific Daylight Time)
# country="United States"
# osver=6.2.9200 NT
Update Init
Update Download
esets_scanner_update returned -1 esets_gle=45315
Update Finalize
Updated modules version: 28769
Update Init
Update Download
Update Finalize
Updated modules version: 28778
# product=EOS
# version=8
# OnlineScannerApp.exe=1.0.0.1
# EOSSerial=459289a032bf6743b602f69b14c36037
# end=updated
# utc_time=2016-03-27 07:32:44
# local_time=2016-03-27 12:32:44 (-0800, Pacific Daylight Time)
# country="United States"
# osver=6.2.9200 NT
# product=EOS
# version=8
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.7777
# api_version=3.1.1
# EOSSerial=459289a032bf6743b602f69b14c36037
# engine=28778
# end=finished
# remove_checked=false
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2016-03-27 11:50:25
# local_time=2016-03-27 04:50:25 (-0800, Pacific Daylight Time)
# country="United States"
# lang=1033
# osver=6.2.9200 NT
# compatibility_mode_1='Windows Defender'
# compatibility_mode=5896 16777214 100 94 0 22825795 0 0
# scanned=286301
# found=9
# cleaned=0
# scan_time=15461
sh=8C2886691F8436F1863526799846C680E723F3D5 ft=1 fh=0215353e4cd99a38 vn="a variant of Win32/Adware.ConvertAd.ACZ application" ac=I fn="C:\FRST\Quarantine\C\Program Files (x86)\02459A70-1448145496-D265-7A86-42E8B3913FF8\rnsk6569.exe"
sh=BF7B6C82418BF9545E7D44404CC79C9762973DB6 ft=1 fh=4e76bb3090d503da vn="Win32/Adware.ConvertAd.AEY application" ac=I fn="C:\FRST\Quarantine\C\Program Files (x86)\02459A70-1448145496-D265-7A86-42E8B3913FF8\Uninstall.exe"
sh=96EDAD94BE1A45EC7D5E7D67B97FE20C1DE1D676 ft=0 fh=0000000000000000 vn="JS/Toolbar.Crossrider.C potentially unwanted application" ac=I fn="C:\FRST\Quarantine\C\Users\Liyah241\AppData\Roaming\NVDVJDI.xBAD"
sh=96EDAD94BE1A45EC7D5E7D67B97FE20C1DE1D676 ft=0 fh=0000000000000000 vn="JS/Toolbar.Crossrider.C potentially unwanted application" ac=I fn="C:\FRST\Quarantine\C\Users\Liyah241\AppData\Roaming\QXEBESK.xBAD"
sh=003785F7F95E374926E228835D0C243F6C5A04BA ft=1 fh=aa329ae356319fda vn="a variant of Win64/Toolbar.Perion.K potentially unwanted application" ac=I fn="C:\FRST\Quarantine\C\WINDOWS\system32\Drivers\bsdriver.sys.xBAD"
sh=114BF833F97FD6633CA3B8C8396704921E9EBB71 ft=1 fh=aa140b1ea370b199 vn="Win64/Conduit.SearchProtect.C potentially unwanted application" ac=I fn="C:\FRST\Quarantine\C\WINDOWS\system32\Drivers\SPPD.sys.xBAD"
sh=BC6B52090EBEF071D6821A2F527E1D28B9BA1694 ft=1 fh=d286fc917d7a7383 vn="a variant of Win32/Toolbar.Conduit.H potentially unwanted application" ac=I fn="C:\Program Files (x86)\NCH Software\Orion\orion.exe"
sh=11382A56129BBC95D45F59BB0C8DB566A0DF22DB ft=1 fh=8be8dff001f217e3 vn="a variant of Win32/Toolbar.Conduit.H potentially unwanted application" ac=I fn="C:\Program Files (x86)\NCH Software\Orion\orionsetup_v1.07.exe"
sh=DF5B23305CC193663E553EE2B4C8E4D9B07F3E50 ft=0 fh=0000000000000000 vn="a variant of Android/AdDisplay.RevMob.A potentially unwanted application" ac=I fn="C:\Users\Liyah241\Downloads\build.zip"
 

[Jr0x]

Hi Lorenzo Baltazar Perez,
 
Alright, we will need to try other ways to have it turned on. Please be patient as this may not go as well as expected.
 
Norton Removal Tool

• Click and download Norton Removal Tool
• Follow instruction given except for the last part on reinstalling

McAfee Removal Tool

• Click and download McAfee Removal Tool
• Scroll down to the part where it says "Download and run the McAfee Consumer Product Removal (MCPR) tool:"
• Follow instruction give except for the last part on reinstalling

Run Registry Export

• Open an elevated command prompt. To do this,
• Swipe in from the right edge of the screen, and then tap Search. Or, if you are using a mouse, point to the lower-right corner of the screen, and then click Search.
• Type Command Prompt in the Search box, right-click Command Prompt, and then click Run as administrator.
• If you are prompted for an administrator password or for a confirmation, type the password, or click Allow.
  
  
  
  When command prompt opens, copy and paste the following commands into it.
  
  regedit /e "%userprofile%\Desktop\IFEO.txt" "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options"
  
  This should take only a second.
  
  
• This will create a file, IFEO.txt on your Desktop.
• Type exit to close the command prompt window.
• Open file IFEO.txt and copy/paste this in your next reply.
• If the file is too large you can zip the file and attach to your post.

In your next reply, please include the following:

• Any issue running both removal tool?
• IFEO.txt content

[Jr0x]

In addition to the above, please also run this.

Farbar Service Scanner

Please download Farbar Service Scanner to your desktop and double click on the file to run it.

• Make sure the following options are checked:
  • Internet Services
  • Windows Firewall
  • System Restore
  • Security Center
  • Windows Update
  • Windows Defender
  • Other Services
• Press "Scan".
• It will create a log (FSS.txt) in the same directory the tool is run.
• Please copy and paste the log to your reply.

[Lorenzo Baltazar Perez]

No issues running the removal tools.

 

IFEO Log:

 

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\clview.exe]
"MitigationOptions"=hex(b):00,01,00,00,00,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cnfnot32.exe]
"MitigationOptions"=hex(b):00,01,00,00,00,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cscript.exe]
"DisableExceptionChainValidation"=dword:00000003

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\dllhost.exe]
"DisableExceptionChainValidation"=dword:00000003

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DllNXOptions]
"mscoree.dll"=dword:00000001
"NAVOPTRF.dll"=dword:00000001
"jvm.dll"=dword:00000001
"mscorwks.dll"=dword:00000001
"javai.dll"=dword:00000001
"PMSTE.dll"=dword:00000001
"Vegas60k.dll"=dword:00000001
"Cleanup.dll"=dword:00000001
"symlcnet.dll"=dword:00000001
"main123w.dll"=dword:00000001
"DJSMAR00.dll"=dword:00000001
"divx.dll"=dword:00000001
"ppw32hlp.dll"=dword:00000001
"ASSTE.dll"=dword:00000001
"msjava.dll"=dword:00000001
"TFDTCTT8.dll"=dword:00000001
"mscorsvr.dll"=dword:00000001
"DRMINST.dll"=dword:00000001
"vb40032.dll"=dword:00000001
"NPMLIC.dll"=dword:00000001
"eMigrationmmc.dll"=dword:00000001
"mso.dll"=dword:00000001
"eProcedureMMC.dll"=dword:00000001
"eQueryMMC.dll"=dword:00000001
"vbe6.dll"=dword:00000001
"xlmlEN.dll"=dword:00000001
"msci_uno.dll"=dword:00000001
"divxdec.ax"=dword:00000001
"Apitrap.dll"=dword:00000001
"NSWSTE.dll"=dword:00000001
"udtapi.dll"=dword:00000001
"ISSTE.dll"=dword:00000001
"EncryptPatchVer.dll"=dword:00000001
"jvm_g.dll"=dword:00000001
"fullsoft.dll"=dword:00000001
"ums.dll"=dword:00000001
"AVSTE.dll"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\drvinst.exe]
"DisableExceptionChainValidation"=dword:00000003

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ehexthost32.exe]
"DisableExceptionChainValidation"=dword:00000003

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\excel.exe]
"MitigationOptions"=hex(b):00,01,00,00,00,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\excelcnv.exe]
"MitigationOptions"=hex(b):00,01,00,00,00,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe]
"DisableExceptionChainValidation"=dword:00000003

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ExtExport.exe]
"MitigationOptions"=hex(b):00,01,00,00,00,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\firstrun.exe]
"MitigationOptions"=hex(b):00,01,00,00,00,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FlashPlayerApp.exe]
"DisableExceptionChainValidation"=dword:00000000

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FlashPlayerPlugin_21_0_0_197.exe]
"DisableExceptionChainValidation"=dword:00000000

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FlashPlayerUpdateService.exe]
"DisableExceptionChainValidation"=dword:00000000

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FlashUtil32_14_0_0_145_pepper.exe]
"DisableExceptionChainValidation"=dword:00000000

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FlashUtil32_15_0_0_152_pepper.exe]
"DisableExceptionChainValidation"=dword:00000000

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FlashUtil32_15_0_0_223_pepper.exe]
"DisableExceptionChainValidation"=dword:00000000

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FlashUtil32_15_0_0_239_pepper.exe]
"DisableExceptionChainValidation"=dword:00000000

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FlashUtil32_15_0_0_246_pepper.exe]
"DisableExceptionChainValidation"=dword:00000000

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FlashUtil32_21_0_0_197_Plugin.exe]
"DisableExceptionChainValidation"=dword:00000000

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FlashUtil64_14_0_0_145_pepper.exe]
"DisableExceptionChainValidation"=dword:00000000

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FlashUtil64_15_0_0_152_pepper.exe]
"DisableExceptionChainValidation"=dword:00000000

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FlashUtil64_15_0_0_223_pepper.exe]
"DisableExceptionChainValidation"=dword:00000000

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FlashUtil64_15_0_0_239_pepper.exe]
"DisableExceptionChainValidation"=dword:00000000

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FlashUtil64_15_0_0_246_pepper.exe]
"DisableExceptionChainValidation"=dword:00000000

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FlashUtil64_21_0_0_197_Plugin.exe]
"DisableExceptionChainValidation"=dword:00000000

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\GoogleUpdate.exe]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\graph.exe]
"MitigationOptions"=hex(b):00,01,00,00,00,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ie4uinit.exe]
"MitigationOptions"=hex(b):00,01,00,00,00,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ieinstal.exe]
"MitigationOptions"=hex(b):00,01,00,00,00,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ielowutil.exe]
"MitigationOptions"=hex(b):00,01,00,00,00,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ieUnatt.exe]
"MitigationOptions"=hex(b):00,01,00,00,00,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iexplore.exe]
"MitigationOptions"=hex(b):00,01,00,00,00,00,00,00
"DisableExceptionChainValidation"=dword:00000000
"DisableUserModeCallbackFilter"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\LICLUA.EXE]
"DisableExceptionChainValidation"=dword:00000000

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe]
"DisableExceptionChainValidation"=dword:00000003

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MovieMaker.exe]
"CWDIllegalInDllSearch"=dword:ffffffff

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msaccess.exe]
"MitigationOptions"=hex(b):00,01,00,00,00,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mscorsvw.exe]
"MitigationOptions"=hex(b):00,00,00,00,01,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msfeedssync.exe]
"MitigationOptions"=hex(b):00,01,00,00,00,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mshta.exe]
"MitigationOptions"=hex(b):00,01,00,00,00,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msohtmed.exe]
"MitigationOptions"=hex(b):00,01,00,00,00,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msosync.exe]
"MitigationOptions"=hex(b):00,01,00,00,00,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msoxmled.exe]
"MitigationOptions"=hex(b):00,01,00,00,00,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mspub.exe]
"MitigationOptions"=hex(b):00,01,00,00,00,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msqry32.exe]
"MitigationOptions"=hex(b):00,01,00,00,00,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ngen.exe]
"MitigationOptions"=hex(b):00,00,00,00,01,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ngentask.exe]
"MitigationOptions"=hex(b):00,00,00,00,01,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\onenote.exe]
"MitigationOptions"=hex(b):00,01,00,00,00,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\onenotem.exe]
"MitigationOptions"=hex(b):00,01,00,00,00,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\orgchart.exe]
"MitigationOptions"=hex(b):00,01,00,00,00,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\OSPPREARM.EXE]
"DisableExceptionChainValidation"=dword:00000000

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\outlook.exe]
"MitigationOptions"=hex(b):00,01,00,00,00,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\powerpnt.exe]
"MitigationOptions"=hex(b):00,01,00,00,00,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PresentationHost.exe]
"MitigationOptions"=hex(b):11,11,11,00,00,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PrintIsolationHost.exe]
"MitigationOptions"=hex(b):00,00,20,00,00,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rundll32.exe]
"DisableExceptionChainValidation"=dword:00000003

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\runtimebroker.exe]
"MitigationOptions"=hex(b):00,00,00,00,01,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\scanost.exe]
"MitigationOptions"=hex(b):00,01,00,00,00,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\scanpst.exe]
"MitigationOptions"=hex(b):00,01,00,00,00,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\searchprotocolhost.exe]
"DisableExceptionChainValidation"=dword:00000003

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\selfcert.exe]
"MitigationOptions"=hex(b):00,01,00,00,00,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe]
"Debugger"="C:\\Windows\\System32\\msconfig.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\setlang.exe]
"MitigationOptions"=hex(b):00,01,00,00,00,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\splwow64.exe]
"MitigationOptions"=hex(b):00,00,20,00,00,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\spoolsv.exe]
"MitigationOptions"=hex(b):00,00,20,00,00,00,00,00
"DisableExceptionChainValidation"=dword:00000003

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SystemSettings.exe]
"MitigationOptions"=hex(b):00,00,00,00,01,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe]
"MitigationOptions"=hex(b):00,01,00,00,00,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WLXAlbumDownloadWizard.exe]
"CWDIllegalInDllSearch"=dword:ffffffff

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wordconv.exe]
"MitigationOptions"=hex(b):00,01,00,00,00,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe]
"DisableExceptionChainValidation"=dword:00000003

 

 

FSS Log:

 

Farbar Service Scanner Version: 27-01-2016
Ran by Liyah241 (administrator) on 28-03-2016 at 08:23:54
Running from "C:\Users\Liyah241\Desktop"
Microsoft Windows 8.1  (X64)
Boot Mode: Normal
****************************************************************

Internet Services:
============

Connection Status:
==============
Localhost is accessible.
LAN connected.
Attempt to access Google IP returned error. Google IP is unreachable
Google.com is accessible.
Yahoo.com is accessible.

Windows Firewall:
=============

Firewall Disabled Policy:
==================

System Restore:
============

System Restore Policy:
========================

Action Center:
============

Windows Update:
============

Windows Autoupdate Disabled Policy:
============================

Windows Defender:
==============
WinDefend Service is not running. Checking service configuration:
The start type of WinDefend service is set to Demand. The default start type is Auto.
The ImagePath of WinDefend service is OK.

Windows Defender Disabled Policy:
==========================
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender]
"DisableAntiSpyware"=DWORD:1

Other Services:
==============

File Check:
========
C:\Windows\System32\nsisvc.dll => File is digitally signed
C:\Windows\System32\drivers\nsiproxy.sys => File is digitally signed
C:\Windows\System32\dhcpcore.dll => File is digitally signed
C:\Windows\System32\drivers\afd.sys => File is digitally signed
C:\Windows\System32\drivers\tdx.sys => File is digitally signed
C:\Windows\System32\Drivers\tcpip.sys => File is digitally signed
C:\Windows\System32\dnsrslvr.dll => File is digitally signed
C:\Windows\System32\dnsapi.dll => File is digitally signed
C:\Windows\SysWOW64\dnsapi.dll => File is digitally signed
C:\Windows\System32\mpssvc.dll => File is digitally signed
C:\Windows\System32\bfe.dll => File is digitally signed
C:\Windows\System32\drivers\mpsdrv.sys => File is digitally signed
C:\Windows\System32\wscsvc.dll => File is digitally signed
C:\Windows\System32\wbem\WMIsvc.dll => File is digitally signed
C:\Windows\System32\wuaueng.dll => File is digitally signed
C:\Windows\System32\qmgr.dll => File is digitally signed
C:\Windows\System32\es.dll => File is digitally signed
C:\Windows\System32\cryptsvc.dll => File is digitally signed
C:\Program Files\Windows Defender\MpSvc.dll => File is digitally signed
C:\Program Files\Windows Defender\MsMpEng.exe => File is digitally signed
C:\Windows\System32\ipnathlp.dll => File is digitally signed
C:\Windows\System32\iphlpsvc.dll => File is digitally signed
C:\Windows\System32\svchost.exe => File is digitally signed
C:\Windows\System32\rpcss.dll => File is digitally signed

**** End of log ****

[Jr0x]

Hi Lorenzo Baltazar Perez,
 
Now, let's try this and see if we can get it back.

Tweaking Registry Backup

• Double-click on the Tweaking.com Registry Backup icon.
• The tool should automatically open to the Backup Registry tab. If not, click the Backup Registry tab.
• Press Backup Now.
• Once complete, the tool will tell you that Successful */* Files Backed Up.
• You have now successfully backed up your Registry.

Registry Fix

Copy the contents of the Code Box below to Notepad.
Name the file as fix.reg
Change the Save as Type to All Files
Save this file on the Desktop.

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender]
"DisableAntiSpyware"=-

Then double-click on the fix.reg file, and when it prompts to merge say yes, and this will fix the registry entry.

NOTE: This fix has been designed specifically for this user - If you are not this user please do not use this file.

Please reboot your machine.

Once the above is done, please try to enable Windows Defender again.

Windows Defender Service

• Click Windows key + R.
• Type services.msc and Press OK.
• Please ensure the below service must be set to Started and Automatic.
  
  Windows Defender Service
• If the above services are not set to Started and Automatic, please right click on that particular service and select properties.
• On properties window, please change the Start-up type to Automatic and use the Start button to start the service.
• Click Apply, click OK.
• Close the Services window
• Please restart the computer.

[Lorenzo Baltazar Perez]

Ok, so Defender is now on, but it can't update.  Virus and spyware definitions couldn't be updated.  Error Code 0x80004004.  It tells me to check my internet connection.  But I know my internet is fine.

[Lorenzo Baltazar Perez]

Also, in the Defender all the options to do anything (scan) are grayed out.  I can't select anything.

[Jr0x]

Let's try this again.

Registry Fix

Copy the contents of the Code Box below to Notepad.
Name the file as fix.reg
Change the Save as Type to All Files
Save this file on the Desktop.
 

Windows Registry Editor Version 5.00

[-HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender]

Then double-click on the fix.reg file, and when it prompts to merge say yes, and this will fix the registry entry.

NOTE: This fix has been designed specifically for this user - If you are not this user please do not use this file.

Please reboot your machine.

[Jr0x]

And please run Farbar Service Scanner again as mentioned in Post #20.

[Lorenzo Baltazar Perez]

Defender is now working properly.  It is up to date and it allows me to run a scan.

 

FSS Log:

 

Farbar Service Scanner Version: 27-01-2016
Ran by Liyah241 (administrator) on 29-03-2016 at 00:02:21
Running from "C:\Users\Liyah241\Desktop"
Microsoft Windows 8.1  (X64)
Boot Mode: Normal
****************************************************************

Internet Services:
============

Connection Status:
==============
Localhost is accessible.
LAN connected.
Attempt to access Google IP returned error. Google IP is unreachable
Google.com is accessible.
Yahoo.com is accessible.

Windows Firewall:
=============

Firewall Disabled Policy:
==================

System Restore:
============

System Restore Policy:
========================

Action Center:
============

Windows Update:
============
wuauserv Service is not running. Checking service configuration:
The start type of wuauserv service is OK.
The ImagePath of wuauserv service is OK.
The ServiceDll of wuauserv: "C:\WINDOWS\system32\wuaueng.dll".

Windows Autoupdate Disabled Policy:
============================

Windows Defender:
==============

Other Services:
==============

File Check:
========
C:\Windows\System32\nsisvc.dll => File is digitally signed
C:\Windows\System32\drivers\nsiproxy.sys => File is digitally signed
C:\Windows\System32\dhcpcore.dll => File is digitally signed
C:\Windows\System32\drivers\afd.sys => File is digitally signed
C:\Windows\System32\drivers\tdx.sys => File is digitally signed
C:\Windows\System32\Drivers\tcpip.sys => File is digitally signed
C:\Windows\System32\dnsrslvr.dll => File is digitally signed
C:\Windows\System32\dnsapi.dll => File is digitally signed
C:\Windows\SysWOW64\dnsapi.dll => File is digitally signed
C:\Windows\System32\mpssvc.dll => File is digitally signed
C:\Windows\System32\bfe.dll => File is digitally signed
C:\Windows\System32\drivers\mpsdrv.sys => File is digitally signed
C:\Windows\System32\wscsvc.dll => File is digitally signed
C:\Windows\System32\wbem\WMIsvc.dll => File is digitally signed
C:\Windows\System32\wuaueng.dll => File is digitally signed
C:\Windows\System32\qmgr.dll => File is digitally signed
C:\Windows\System32\es.dll => File is digitally signed
C:\Windows\System32\cryptsvc.dll => File is digitally signed
C:\Program Files\Windows Defender\MpSvc.dll => File is digitally signed
C:\Program Files\Windows Defender\MsMpEng.exe => File is digitally signed
C:\Windows\System32\ipnathlp.dll => File is digitally signed
C:\Windows\System32\iphlpsvc.dll => File is digitally signed
C:\Windows\System32\svchost.exe => File is digitally signed
C:\Windows\System32\rpcss.dll => File is digitally signed

**** End of log ****

[Jr0x]

Hi Lorenzo Baltazar Perez,
 
Glad to hear that your Windows Defender is working again. 
 
I see that there is some issue with Windows update service, so let's fix it.

Windows Repair (All in One):

Download Windows Repair (All in One) from this site.

• Choose the Download under Portable (10.17MB) to your Desktop - Either of the link will be fine
• Unzip it to your Desktop
• Run the program (Repair_Windows.exe)

NOTE 1. In Windows Vista, 7 and 8 right click on the program, click "Run As Administrator".
NOTE 2. Disable your antivirus program before running Windows Repair.
NOTE 3. The current images below may be slightly different from your current version.

• Go to Step 3 and click on Check button next to 1. See If Check Disk Is Needed.
• If the tool indicates that the Check Disk is needed click on Do It button next to 2. Check Disk. In that case make sure you restart computer.

• Go to Step 5 and under "System Restore" click on Create button:

• Go to Repairs tab and click Open Repairs button. Uncheck all checkmarks except for Repair Windows Updates.
• Click on Start Repairs button.

NOTE for Windows 8 users. Reset Registry Permissions is NOT checked by design. Click on Start button.

• Post Windows Repair log which is located in the Logs folder

Reboot your machine once you're done. 

 

Once rebooted, please run Farbar Service Scanner again and post the log.

[Lorenzo Baltazar Perez]

Windows Repair Log:

 

Tweaking.com - Windows Repair v3.8.5
--------------------------------------------------------------------------------

System Variables
--------------------------------------------------------------------------------
OS: Windows 8.1
OS Architecture: 64-bit
OS Version: 6.3.9600
OS Service Pack:
Computer Name: DIVAS-PC
Windows Drive: C:\
Windows Path: C:\WINDOWS
Program Files: C:\Program Files
Program Files (x86): C:\Program Files (x86)
Current Profile: C:\Users\Liyah241
Current Profile SID: S-1-5-21-2316278512-3877362351-3516534219-1005
Current Profile Classes: S-1-5-21-2316278512-3877362351-3516534219-1005_Classes
Profiles Location: C:\Users
Profiles Location 2: C:\WINDOWS\ServiceProfiles
Local Settings AppData: C:\Users\Liyah241\AppData\Local
--------------------------------------------------------------------------------

System Information
--------------------------------------------------------------------------------
System Up Time: 0 Days 00:12:44

Process Count: 59
Commit Total: 1.06 GB
Commit Limit: 4.22 GB
Commit Peak: 1.24 GB
Handle Count: 17855
Kernel Total: 262.57 MB
Kernel Paged: 213.04 MB
Kernel Non Paged: 49.53 MB
System Cache: 1.68 GB
Thread Count: 638
--------------------------------------------------------------------------------

Memory Before Cleaning with CleanMem
--------------------------------------------------------------------------------
Memory Total: 3.60 GB
Memory Used: 967.41 MB(26.2721%)
Memory Avail.: 2.65 GB
--------------------------------------------------------------------------------

Cleaning Memory Before Starting Repairs...

Memory After Cleaning with CleanMem
--------------------------------------------------------------------------------
Memory Total: 3.60 GB
Memory Used: 755.37 MB(20.5138%)
Memory Avail.: 2.86 GB
--------------------------------------------------------------------------------

Starting Repairs...
   Started at (3/29/2016 11:48:13 PM)

17 - Repair Windows Updates
   Start (3/29/2016 11:48:16 PM)

Decompressing & Updating Windows Permission File C:\Users\Liyah241\Desktop\Logs\Tweaking.com - Windows Repair\files\permissions\8\services.7z
Done,  0.48 seconds.

   Running Repair Under Current User Account
   Running Repair Under System Account
   Setting Windows Updates Files That Are In Use To Be Removed At Next Boot.
   Done (3/29/2016 11:49:13 PM)

Cleaning up empty logs...

All Selected Repairs Done.
   Done at (3/29/2016 11:49:13 PM)
   Total Repair Time: 00:01:03

...YOU MUST RESTART YOUR SYSTEM...

 

 

FSS LOG: 

 

Farbar Service Scanner Version: 27-01-2016
Ran by Liyah241 (administrator) on 30-03-2016 at 00:09:52
Running from "C:\Users\Liyah241\Desktop"
Microsoft Windows 8.1  (X64)
Boot Mode: Normal
****************************************************************

Internet Services:
============

Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Google.com is accessible.
Yahoo.com is accessible.

Windows Firewall:
=============

Firewall Disabled Policy:
==================

System Restore:
============

System Restore Policy:
========================

Action Center:
============

Windows Update:
============

Windows Autoupdate Disabled Policy:
============================

Windows Defender:
==============

Other Services:
==============

File Check:
========
C:\Windows\System32\nsisvc.dll => File is digitally signed
C:\Windows\System32\drivers\nsiproxy.sys => File is digitally signed
C:\Windows\System32\dhcpcore.dll => File is digitally signed
C:\Windows\System32\drivers\afd.sys => File is digitally signed
C:\Windows\System32\drivers\tdx.sys => File is digitally signed
C:\Windows\System32\Drivers\tcpip.sys => File is digitally signed
C:\Windows\System32\dnsrslvr.dll => File is digitally signed
C:\Windows\System32\dnsapi.dll => File is digitally signed
C:\Windows\SysWOW64\dnsapi.dll => File is digitally signed
C:\Windows\System32\mpssvc.dll => File is digitally signed
C:\Windows\System32\bfe.dll => File is digitally signed
C:\Windows\System32\drivers\mpsdrv.sys => File is digitally signed
C:\Windows\System32\wscsvc.dll => File is digitally signed
C:\Windows\System32\wbem\WMIsvc.dll => File is digitally signed
C:\Windows\System32\wuaueng.dll => File is digitally signed
C:\Windows\System32\qmgr.dll => File is digitally signed
C:\Windows\System32\es.dll => File is digitally signed
C:\Windows\System32\cryptsvc.dll => File is digitally signed
C:\Program Files\Windows Defender\MpSvc.dll => File is digitally signed
C:\Program Files\Windows Defender\MsMpEng.exe => File is digitally signed
C:\Windows\System32\ipnathlp.dll => File is digitally signed
C:\Windows\System32\iphlpsvc.dll => File is digitally signed
C:\Windows\System32\svchost.exe => File is digitally signed
C:\Windows\System32\rpcss.dll => File is digitally signed

**** End of log ****

[Jr0x]

OK! Well done. Here is the best part of the process! The mullygrubs are gone! That's a technical term for your log(s) appear to be clean! If you have no further issues with your computer, please complete the housekeeping procedures outlined below.
The first thing we need to do is to remove all the tools that we have used. This is so that should you ever be re-infected, you will download updated versions.

If you didn't uninstall ESET after running the program we will do it now.

Uninstall ESET

• Swipe in from the right edge of the screen, then tap Search. (If you're using a mouse, point to the top-right corner of the screen, move the mouse pointer down, then click Search.)
• Enter control panel in the search box, then tap or click Control Panel.
• Under View by:, select Large Icons, then tap or click Programs and features.
• In the list of programs installed, locate the following program(s):
  
  ESET
• Click on each program to highlight it and right click the program and click Uninstall.
• After the programs have been uninstalled, close the Installed Programs window and the Control Panel
• Reboot the computer.

Delete the folders associated with the uninstalled programs.(Only do this if you uninstalled the program)

1. Using Windows Explorer (to get there right-click your Start button and click "Explore"), please delete the following folders(s) (if present):

C:\Program Files\ESET
C:\Program Files (86)\ESET

2. Close Windows Explorer.

Tools CleanUp with DelFix

Download Delfix and save it to the Desktop.

• Right click the and click Run as Administrator.
• Ensure ALL boxes are checked.
  
• Click the Run button.
• The program will run for a few moments and then notepad will open with a log. Please paste the log in your next reply.

Delete the following Files and Folders (If Present):

Chrome Installer (ChromeSetup.exe)
Tweaking Registry Backup Installer (tweaking.com_registry_backup_setup.exe)
BFE.reg

Delete any other .bat, .log, .reg, .txt, and any other files created or downloaded during this process, and left on the desktop and empty the Recycle Bin.

Keeping your software updated

Windows Updates

• Swipe in from the right edge of the screen, then tap Search. (If you're using a mouse, point to the top-right corner of the screen, move the mouse pointer down, then click Search.)
• Enter control panel in the search box, then tap or click Control Panel.
• Under View by:, select Large Icons, then tap or click Windows Update.
• Click on Change Settings
  
  
• Select "Install updates automatically (recommended)" from the Important updates drop-down.
  
  
• Choose a day and a time when you know the computer will be on and connected to the internet. The default is 3:00AM every day.
• Ensure that all of the other check boxes are checked.
• Click OK.

Malwarebytes Anti-Malware

I recommend keeping Malwarebytes Anti-Malware installed. Make sure to update it and run it at least once a week. If it finds things such as PUP's (Potentially Unwanted Programs) you can delete those with no worries. However, if it finds something like a trojan, come see us.

Keep Java Updated

Java has become the #1 program exploited by thieves and hackers as of today. It's gotten so bad, the Department of Homeland Security recently recommended that users disable Java on their machines.

For more information regarding this, see the two articles below:

Forbes: US Department of Homeland Security Calls on user do disable Java

US warns on Java software

Unless you have software on your machine that absolutely requires Java, I highly recommend you completely remove it from your system.
If you do have software that requires it, then disable it until such time as it's needed by those programs.
Please click the link below for instructions to disable and uninstall Java.

How to Disable Java in your Web Browser

How to Completely Remove and Uninstall Java From Windows PC

Filehippo Updatechecker

Another weapon against malicious programs and viruses is to keeping other programs updated. There are several programs out there that can check for out of date programs on your computer. One is Filehippo. You can run this on a weekly or monthly basis to check your programs for updates and then it will provide a link for you to download them.

Download Filehippo Updatechecker

Tips, Information, and Optional Installation

Watch what you open in your emails. If you get an email from an unknown source with any attached files, do not open it.

Be careful of the websites you visit.

When installing new programs, don't be "click happy" and click through the screens. Many programs come with adware in them and are set to install them by default. Several programs require that you uncheck or select no to prevent the installation. Take you time and read each screen as you go.

To help protect yourself while on the web, I recommend you read Answers to common security questions - Best Practices

Installation of Unchecky (Optional)

This is a very good little program that will automatically uncheck any boxes during a software installation. This helps prevent the software from installing any malware that is by default checked while the program is being installed.

Click here to be taken to Unchecky.com

Click the very large Download button.

Click Save

Once downloaded, double click the program (Vista, Win 7, and 8, right click and Run as Administrator)

Once open, click the Install button.



Then click Finish



Unchecky is now installed and will help you keep unwanted check boxes unchecked.

Installation of CryptoPrevent (Optional)

CryptoPrevent is a free program that prevents CryptoLocker / ransomware from infecting your PC by locking down the OS so the malware can not get a grip on your system. You may read more about this here.

To download and install:

• Click CryptoPrevent
• Under the Free Edition column, enter your name and email and click on Request Download Link button to request for a download link
• Once received a link in your email (may need to check your Junk mail), download the tool to your Desktop
• Open the program by clicking Run when prompted from your browser or by going to the Desktop where the file was saved and right-click and select Run as Administrator
• Accept all the defaults during the install. The last screen of the install has a checkmark in "Launch CryptoPrevent". This is good and will launch the program once you click Finish.
• You will get a prompt asking if you purchased a Product Key for Automatic Updates. You can answer No.
• You will then be prompted to learn more about automatic updates or if you want to purchase a key. This is up to you but you don't have to.
• You will be prompted to click OK to continue and select your protection level. Go ahead and click OK.
• Click the Apply button to set Default protection.
• You may get a message stating that Windows Sidebar and Desktop Gadgets are a major security vulnerability and asking you if you want to disable them. If you don't use these features, answer Yes.
• That's it. The protection is in place.

Note: The free version doesn't provide automatic updates. Periodically, you should open up the program (there is a shortcut on your desktop now) and select the Updates! menu....and select Check for Updates to see if there are any as this infection has serious consequences.

If you have any other questions, please feel free to ask me.