Help needed with infected machine

Hello,

I have been unable to stop the bleeding my PC has. I am having a number of issues that are not detected by ANY tools and/or anti-virus/malware programs. Today I got the Win32/bundle,toolbar while updating CCleaner and it's now time to let somebody more educated in this area take the wheel. Here are the requested logs:

DDS (Ver_2012-11-20.01) - NTFS_AMD64
Internet Explorer:
Run by Timelord at 15:41:21 on 2014-02-26
Microsoft Windows 7 Home Premium   6.1.7601.1.1252.1.1033.18.1900.770 [GMT -6:00]
.
AV: ESET NOD32 Antivirus 7.0 *Disabled/Updated* {19259FAE-8396-A113-46DB-15B0E7DFA289}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: ESET NOD32 Antivirus 7.0 *Disabled/Updated* {A2447E4A-A5AC-AE9D-7C6B-2EC29C58E834}
.
============== Running Processes ===============
.
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
C:\Windows\system32\svchost.exe -k apphost
C:\Users\Timelord\Downloads\GnuPG\dirmngr.exe
C:\Program Files (x86)\Launch Manager\dsiwmis.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\x86\ekrn.exe
C:\Program Files (x86)\Launch Manager\LMutilps32.exe
C:\Program Files\Acer\Acer ePower Management\ePowerSvc.exe
C:\Program Files\Acer\Acer Updater\UpdaterService.exe
C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe
C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe
C:\Program Files (x86)\Common Files\Motive\McciCMService.exe
C:\Program Files\Common Files\Motive\McciCMService.exe
C:\Program Files (x86)\NTI\Acer Backup Manager\IScheduleSvc.exe
C:\Program Files (x86)\Malwarebytes Secure Backup\SAgent.Service.exe
C:\Windows\system32\taskeng.exe
C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\system32\svchost.exe -k iissvcs
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Windows\System32\hkcmd.exe
C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
C:\Program Files\Acer\Acer ePower Management\ePowerTray.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\Program Files (x86)\NTI\Acer Backup Manager\BackupManagerTray.exe
C:\Program Files (x86)\Malwarebytes Secure Backup\SMessaging.exe
C:\Program Files\Malwarebytes Anti-Exploit\mbae.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files (x86)\Acer\clear.fi\MVP\clear.fiAgent.exe
C:\Windows\system32\igfxext.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files (x86)\Acer\clear.fi\MVP\.\Kernel\DMR\DMREngine.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\Acer\Acer ePower Management\ePowerEvent.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\System32\svchost.exe -k LocalServicePeerNet
C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe
C:\Windows\system32\prevhost.exe
C:\Program Files (x86)\Intel\Intel® Management Engine Components\LMS\LMS.exe
C:\Windows\System32\svchost.exe -k secsvcs
C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe
C:\Windows\system32\svchost.exe -k SDRSVC
C:\Program Files\CCleaner\CCleaner64.exe
C:\Program Files (x86)\Mozilla Firefox\firefox.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\System32\cscript.exe
.
============== Pseudo HJT Report ===============
.
BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
mRun: [backupManagerTray] "C:\Program Files (x86)\NTI\Acer Backup Manager\BackupManagerTray.exe" -h -k
mRun: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
mRun: [sOSUAUI] "C:\Program Files (x86)\Malwarebytes Secure Backup\sosuploadagent.exe" -showui
mRun: [sMessaging] C:\Program Files (x86)\Malwarebytes Secure Backup\SMessaging.exe
dRunOnce: [isMyWinLockerReboot] msiexec.exe /qn /x{voidguid}
uPolicies-Explorer: NoDrives = dword:0
mPolicies-Explorer: NoDrives = dword:0
mPolicies-System: ConsentPromptBehaviorUser = dword:3
mPolicies-System: EnableUIADesktopToggle = dword:0
IE: Translate Selection - C:\Program Files (x86)\TGF Interactive\Translate Genius\ContextMenu.htm
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
Trusted Zone: adobe.com
TCP: NameServer = 192.168.1.254
TCP: Interfaces\{9A130A72-9EF6-42C2-BBBC-1A5BF9E45E7A} : DHCPNameServer = 192.168.1.254
TCP: Interfaces\{9A130A72-9EF6-42C2-BBBC-1A5BF9E45E7A}\144545536303 : DHCPNameServer = 192.168.1.254
TCP: Interfaces\{9A130A72-9EF6-42C2-BBBC-1A5BF9E45E7A}\2484747457563747 : DHCPNameServer = 8.8.8.8 8.8.4.4
TCP: Interfaces\{9A130A72-9EF6-42C2-BBBC-1A5BF9E45E7A}\4457E6B696E60244F6E65747370275966496 : DHCPNameServer = 192.168.1.254 205.152.37.23
TCP: Interfaces\{B3917305-A200-44C0-9D84-D55943D066B9} : DHCPNameServer = 192.168.1.254
Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files (x86)\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll

x64-BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
x64-Run: [igfxTray] C:\Windows\System32\igfxtray.exe
x64-Run: [HotKeysCmds] C:\Windows\System32\hkcmd.exe
x64-Run: [RTHDVCPL] C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe -s
x64-Run: [Power Management] C:\Program Files\Acer\Acer ePower Management\ePowerTray.exe
x64-Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
x64-Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - <orphaned>
x64-Notify: igfxcui - igfxdev.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - C:\Users\Timelord\AppData\Roaming\Mozilla\Firefox\Profiles\6qad75db.default\
FF - prefs.js: network.proxy.type - 4
FF - plugin: C:\Program Files (x86)\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll
FF - plugin: C:\Program Files (x86)\DivX\DivX OVS Helper\npovshelper.dll
FF - plugin: C:\Users\Timelord\AppData\Roaming\Mozilla\plugins\np-mswmp.dll
FF - plugin: C:\Windows\SysWOW64\Adobe\Director\np32dsw_1205146.dll
FF - plugin: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_12_0_0_70.dll
.
============= SERVICES / DRIVERS ===============
.
R1 eamonm;eamonm;C:\Windows\System32\drivers\eamonm.sys [2013-9-17 239320]
R1 ESProtectionDriver;Malwarebytes Anti-Exploit;C:\Program Files\Malwarebytes Anti-Exploit\mbae.sys [2014-2-14 62168]
R2 DirMngr;DirMngr;C:\Users\Timelord\Downloads\GnuPG\dirmngr.exe [2011-3-2 224256]
R2 DsiWMIService;Dritek WMI Service;C:\Program Files (x86)\Launch Manager\dsiwmis.exe [2011-7-14 352336]
R2 ekrn;ESET Service;C:\Program Files\ESET\ESET NOD32 Antivirus\x86\ekrn.exe [2013-9-12 1337752]
R2 epfwwfpr;epfwwfpr;C:\Windows\System32\drivers\epfwwfpr.sys [2013-9-17 157432]
R2 ePowerSvc;Acer ePower Service;C:\Program Files\Acer\Acer ePower Management\ePowerSvc.exe [2011-8-20 872552]
R2 IAStorDataMgrSvc;Intel® Rapid Storage Technology;C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe [2011-7-14 13336]
R2 Live Updater Service;Live Updater Service;C:\Program Files\Acer\Acer Updater\UpdaterService.exe [2013-10-25 255376]
R2 MBAMScheduler;MBAMScheduler;C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe [2014-2-20 1809720]
R2 MBAMService;MBAMService;C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe [2014-2-20 856376]
R2 McciCMService64;McciCMService64;C:\Program Files\Common Files\Motive\McciCMService.exe [2012-2-19 517632]
R2 NTI IScheduleSvc;NTI IScheduleSvc;C:\Program Files (x86)\NTI\Acer Backup Manager\IScheduleSvc.exe [2011-4-23 256832]
R2 sagentservice;Online Backup Service;C:\Program Files (x86)\Malwarebytes Secure Backup\SAgent.Service.exe [2013-8-15 39832]
R2 UNS;Intel® Management and Security Application User Notification Service;C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe [2011-8-20 2656280]
R3 IntcDAud;Intel® Display Audio;C:\Windows\System32\drivers\IntcDAud.sys [2011-7-14 317440]
R3 L1C;NDIS Miniport Driver for Atheros AR813x/AR815x PCI-E Ethernet Controller;C:\Windows\System32\drivers\L1C62x64.sys [2011-7-14 169584]
R3 MBAMProtector;MBAMProtector;C:\Windows\System32\drivers\mbam.sys [2014-2-20 25816]
R3 MBAMSwissArmy;MBAMSwissArmy;C:\Windows\System32\drivers\MBAMSwissArmy.sys [2014-2-14 119000]
R3 MBAMWebAccessControl;MBAMWebAccessControl;C:\Windows\System32\drivers\mwac.sys [2014-2-20 63192]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2013-9-11 105144]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2013-9-11 124088]
S3 AmUStor;AM USB Stroage Driver;C:\Windows\System32\drivers\AmUStor.sys [2011-1-13 74840]
S3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;C:\Windows\System32\drivers\rdpvideominiport.sys [2013-10-25 19456]
S3 RTL8192Ce;Realtek Wireless LAN 802.11n PCI-E NIC Driver;C:\Windows\System32\drivers\rtl8192Ce.sys [2011-7-14 1109096]
S3 SystemExplorerHelpService;System Explorer Service;C:\Program Files (x86)\System Explorer\service\SystemExplorerService64.exe [2012-9-25 821720]
S3 TsUsbFlt;TsUsbFlt;C:\Windows\System32\drivers\TsUsbFlt.sys [2013-10-25 57856]
S3 TsUsbGD;Remote Desktop Generic USB Device;C:\Windows\System32\drivers\TsUsbGD.sys [2013-10-25 30208]
S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\System32\Wat\WatAdminSvc.exe [2012-3-4 1255736]
.
=============== Created Last 30 ================
.
2014-02-26 11:02:37    75888    ----a-w-    C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{832679A4-AEA7-4EB8-B310-6B9C520CF682}\offreg.dll
2014-02-26 00:03:56    10536864    ----a-w-    C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{832679A4-AEA7-4EB8-B310-6B9C520CF682}\mpengine.dll
2014-02-24 04:11:06    --------    d-----w-    C:\Users\Timelord\VirtualBox VMs
2014-02-24 01:56:05    --------    d-----w-    C:\Users\Timelord\.VirtualBox
2014-02-24 01:50:31    252688    ----a-w-    C:\Windows\System32\drivers\VBoxDrv.sys
2014-02-24 01:50:16    126736    ----a-w-    C:\Windows\System32\drivers\VBoxUSBMon.sys
2014-02-24 01:49:54    --------    d-----w-    C:\Program Files\Oracle
2014-02-23 20:26:43    --------    d-----w-    C:\Program Files (x86)\MSXML 4.0
2014-02-22 20:28:40    --------    d-----w-    C:\Program Files (x86)\Common Files\MSSoap
2014-02-22 20:28:27    --------    d-----w-    C:\Program Files (x86)\Malwarebytes Secure Backup
2014-02-21 02:13:43    --------    d-----w-    C:\Program Files (x86)\Guitar Pro 5
2014-02-20 22:52:51    92376    ----a-w-    C:\Windows\System32\drivers\mbamchameleon.sys
2014-02-20 22:52:51    63192    ----a-w-    C:\Windows\System32\drivers\mwac.sys
2014-02-20 22:52:51    25816    ----a-w-    C:\Windows\System32\drivers\mbam.sys
2014-02-20 20:45:52    --------    d-----w-    C:\Program Files (x86)\Malwarebytes Anti-Malware
2014-02-19 05:01:36    --------    d-----w-    C:\ProgramData\Malwarebytes' Anti-Malware (portable)
2014-02-16 02:02:30    --------    d-----w-    C:\FRST
2014-02-16 01:53:47    31344    ----a-w-    C:\Program Files (x86)\Mozilla Firefox\CommandExecuteHandler.exe
2014-02-15 04:35:42    119000    ----a-w-    C:\Windows\System32\drivers\MBAMSwissArmy.sys
2014-02-15 04:32:29    2565120    ----a-w-    C:\Windows\System32\d3d10warp.dll
2014-02-15 04:32:29    1987584    ----a-w-    C:\Windows\SysWow64\d3d10warp.dll
2014-02-15 04:32:28    3928064    ----a-w-    C:\Windows\System32\d2d1.dll
2014-02-15 04:32:28    3419136    ----a-w-    C:\Windows\SysWow64\d2d1.dll
2014-02-15 04:05:25    --------    d-----w-    C:\ProgramData\Malwarebytes
2014-02-12 00:56:53    --------    d-----w-    C:\Program Files (x86)\Common Files\Intel Corporation
2014-02-11 23:54:32    --------    d-----w-    C:\Users\Timelord\AppData\Roaming\Intel Corporation
2014-02-11 20:41:53    658432    ----a-w-    C:\Windows\System32\RMActivate_isv.exe
2014-02-11 20:41:53    626176    ----a-w-    C:\Windows\System32\RMActivate.exe
2014-02-11 20:41:53    594944    ----a-w-    C:\Windows\SysWow64\RMActivate_isv.exe
2014-02-11 20:41:53    572416    ----a-w-    C:\Windows\SysWow64\RMActivate.exe
2014-02-11 20:41:53    553984    ----a-w-    C:\Windows\System32\RMActivate_ssp.exe
2014-02-11 20:41:53    552960    ----a-w-    C:\Windows\System32\RMActivate_ssp_isv.exe
2014-02-11 20:41:53    508928    ----a-w-    C:\Windows\SysWow64\RMActivate_ssp_isv.exe
2014-02-11 20:41:52    390144    ----a-w-    C:\Windows\SysWow64\msdrm.dll
2014-02-05 02:15:40    --------    d-----w-    C:\Users\Timelord\AppData\Local\{8EA20FF4-16AE-4D06-A6B0-E8F9BF030AE5}
2014-02-03 23:37:14    --------    d-----w-    C:\Program Files\ESET
.
==================== Find3M  ====================
.
2014-02-21 22:33:40    71048    ----a-w-    C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
2014-02-21 22:33:40    692616    ----a-w-    C:\Windows\SysWow64\FlashPlayerApp.exe
2014-02-05 10:00:21    2334720    ----a-w-    C:\Windows\System32\jscript9.dll
2014-02-05 09:54:06    1392128    ----a-w-    C:\Windows\System32\wininet.dll
2014-02-05 09:52:51    1494528    ----a-w-    C:\Windows\System32\inetcpl.cpl
2014-02-05 09:51:59    173056    ----a-w-    C:\Windows\System32\ieUnatt.exe
2014-02-05 09:51:52    599040    ----a-w-    C:\Windows\System32\vbscript.dll
2014-02-05 09:50:40    2382848    ----a-w-    C:\Windows\System32\mshtml.tlb
2014-02-05 08:56:17    1806848    ----a-w-    C:\Windows\SysWow64\jscript9.dll
2014-02-05 08:50:39    1129472    ----a-w-    C:\Windows\SysWow64\wininet.dll
2014-02-05 08:49:56    1427968    ----a-w-    C:\Windows\SysWow64\inetcpl.cpl
2014-02-05 08:48:40    142848    ----a-w-    C:\Windows\SysWow64\ieUnatt.exe
2014-02-05 08:48:27    421376    ----a-w-    C:\Windows\SysWow64\vbscript.dll
2014-02-05 08:47:16    2382848    ----a-w-    C:\Windows\SysWow64\mshtml.tlb
2014-01-16 02:07:33    96168    ----a-w-    C:\Windows\SysWow64\WindowsAccessBridge-32.dll
2013-12-18 23:16:44    154896    ----a-w-    C:\Windows\System32\drivers\VBoxNetFlt.sys
2013-12-18 23:16:44    140560    ----a-w-    C:\Windows\System32\drivers\VBoxNetAdp.sys
2013-12-18 23:13:30    204048    ----a-w-    C:\Windows\System32\VBoxNetFltNobj.dll
2013-12-18 12:13:56    270496    ------w-    C:\Windows\System32\MpSigStub.exe
2013-12-18 06:11:52    354656    ----a-w-    C:\Windows\SysWow64\DivXControlPanelApplet.cpl
2013-12-06 02:30:08    2048    ----a-w-    C:\Windows\System32\msxml3r.dll
2013-12-06 02:30:08    1882112    ----a-w-    C:\Windows\System32\msxml3.dll
2013-12-06 02:02:08    2048    ----a-w-    C:\Windows\SysWow64\msxml3r.dll
2013-12-06 02:02:08    1237504    ----a-w-    C:\Windows\SysWow64\msxml3.dll
2013-12-04 02:27:33    485888    ----a-w-    C:\Windows\System32\secproc_isv.dll
2013-12-04 02:27:33    123392    ----a-w-    C:\Windows\System32\secproc_ssp_isv.dll
2013-12-04 02:27:33    123392    ----a-w-    C:\Windows\System32\secproc_ssp.dll
2013-12-04 02:27:16    488448    ----a-w-    C:\Windows\System32\secproc.dll
2013-12-04 02:26:32    528384    ----a-w-    C:\Windows\System32\msdrm.dll
2013-12-04 02:03:20    87040    ----a-w-    C:\Windows\SysWow64\secproc_ssp_isv.dll
2013-12-04 02:03:20    87040    ----a-w-    C:\Windows\SysWow64\secproc_ssp.dll
2013-12-04 02:03:20    423936    ----a-w-    C:\Windows\SysWow64\secproc_isv.dll
2013-12-04 02:03:08    428032    ----a-w-    C:\Windows\SysWow64\secproc.dll
2013-12-04 01:54:14    510976    ----a-w-    C:\Windows\SysWow64\RMActivate_ssp.exe
.
============= FINISH: 15:42:28.26 ===============

.
DDS (Ver_2012-11-20.01)
.
Microsoft Windows 7 Home Premium
Boot Device: \Device\HarddiskVolume2
Install Date: 1/31/2012 9:59:56 PM
System Uptime: 2/26/2014 2:47:37 PM (1 hours ago)
.
Motherboard: Acer |  | HMA51_HR
Processor: Intel® Celeron® CPU B800 @ 1.50GHz | CPU1 | 1500/1067mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 218 GiB total, 25.141 GiB free.
D: is CDROM ()
.
==== Disabled Device Manager Items =============
.
Class GUID: {4d36e972-e325-11ce-bfc1-08002be10318}
Description: Realtek RTL8188CE Wireless LAN 802.11n PCI-E NIC
Device ID: PCI\VEN_10EC&DEV_8176&SUBSYS_81861025&REV_01\4&193E79E5&0&00E5
Manufacturer: Realtek Semiconductor Corp.
Name: Realtek RTL8188CE Wireless LAN 802.11n PCI-E NIC
PNP Device ID: PCI\VEN_10EC&DEV_8176&SUBSYS_81861025&REV_01\4&193E79E5&0&00E5
Service: RTL8192Ce
.
==== System Restore Points ===================
.
RP323: 2/19/2014 2:19:42 AM - Configured clear.fi
RP324: 2/21/2014 4:05:59 PM - Windows Update
RP325: 2/22/2014 2:27:56 PM - Installed Malwarebytes Secure Backup
RP326: 2/23/2014 2:25:54 PM - Windows Update
RP327: 2/23/2014 7:00:14 PM - Windows Backup
RP328: 2/23/2014 7:49:15 PM - Installed Oracle VM VirtualBox 4.3.6
.
==== Installed Programs ======================
.
7-Zip 9.22 (x64 edition)
AC3Filter 2.6.0b
Acer Backup Manager
Acer Crystal Eye Webcam
Acer ePower Management
Acer eRecovery Management
Acer Gamess
Acer Updater
Adobe Flash Player 12 Plugin
Adobe Reader XI (11.0.06)
Adobe Shockwave Player 12.0
Agatha Christie - Death on the Nile
Alcor Micro USB Card Reader
Any Video Converter 5.5.1
Atheros Communications Inc.® AR81Family Gigabit/Fast Ethernet Driver
Backup Manager V3
BBC iPlayer Downloads
Bejeweled 2 Deluxe
Bitcoin
Build-a-lot 4 - Power Source
CCleaner
Chronicles of Albian
Chuzzle Deluxe
clear.fi
clear.fi Client
ConvertHelper 2.2
Cradle of Rome 2
D3DX10
Defraggler
DivX Setup
Dora's World Adventure
ESET NOD32 Antivirus
FATE: The Cursed King
FileASSASSIN
FileHippo.com Update Checker
Final Drive: Nitro
Galerie de photos Windows Live
Governor of Poker 2 Premium Edition
Gpg4win (2.1.0)
Guitar Pro 5.0
Identity Card
Intel® Control Center
Intel® Management Engine Components
Intel® OpenCL CPU Runtime
Intel® Processor Graphics
Intel® Rapid Storage Technology
Intel® SDK for OpenCL* Applications 2012
Java 7 Update 51
Java Auto Updater
Jewel Match 3
Junk Mail filter update
Launch Manager
Malwarebytes Anti-Exploit version 0.09.5.1000
Malwarebytes Anti-Malware version 2.00.0.0503
Malwarebytes Secure Backup
Microsoft .NET Framework 4.5.1
Microsoft Application Error Reporting
Microsoft SQL Server 2005 Compact Edition [ENU]
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.17
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.6161
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
Mozilla Firefox 28.0 (x86 en-US)
Mozilla Maintenance Service
MSVCRT
MSVCRT_amd64
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
Mystery of Mortlake Mansion
NTI Media Maker 9
Oracle VM VirtualBox 4.3.6
PeerBlock 1.1+ (r677)
Penguins!
Plants vs. Zombies - Game of the Year
Polar Bowler
Polar Golfer
Realtek High Definition Audio Driver
Security Update for Microsoft .NET Framework 4.5.1 (KB2898869)
Security Update for Microsoft .NET Framework 4.5.1 (KB2901126)
swMSM
Synaptics Pointing Device Driver
System Explorer 4.5.0
Torchlight
Translate Genius
TrueCrypt
VC80CRTRedist - 8.0.50727.6195
Virtual Villagers 5 - New Believers
VLC media player 2.1.2
Windows Live
Windows Live Communications Platform
Windows Live Essentials
Windows Live ID Sign-in Assistant
Windows Live Installer
Windows Live Language Selector
Windows Live Mail
Windows Live Messenger
Windows Live MIME IFilter
Windows Live Movie Maker
Windows Live Photo Common
Windows Live Photo Gallery
Windows Live PIMT Platform
Windows Live SOXE
Windows Live SOXE Definitions
Windows Live UX Platform
Windows Live UX Platform Language Pack
Windows Live Writer
Windows Live Writer Resources
Windows Media Player Firefox Plugin
xplorer² lite 32 bit
Zuma's Revenge
.
==== Event Viewer Messages From Past Week ========
.
2/26/2014 2:25:55 PM, Error: Service Control Manager [7009]  - A timeout was reached (30000 milliseconds) while waiting for the Online Backup Service service to connect.
2/26/2014 2:25:55 PM, Error: Service Control Manager [7000]  - The Online Backup Service service failed to start due to the following error:  The service did not respond to the start or control request in a timely fashion.
2/25/2014 12:50:52 PM, Error: Service Control Manager [7009]  - A timeout was reached (30000 milliseconds) while waiting for the Intel® Rapid Storage Technology service to connect.
2/25/2014 12:50:52 PM, Error: Service Control Manager [7000]  - The Intel® Rapid Storage Technology service failed to start due to the following error:  The service did not respond to the start or control request in a timely fashion.
2/25/2014 11:18:06 AM, Error: Service Control Manager [7011]  - A timeout (30000 milliseconds) was reached while waiting for a transaction response from the wscsvc service.
2/25/2014 11:18:06 AM, Error: Service Control Manager [7011]  - A timeout (30000 milliseconds) was reached while waiting for a transaction response from the IPBusEnum service.
2/24/2014 7:02:07 AM, Error: Service Control Manager [7011]  - A timeout (30000 milliseconds) was reached while waiting for a transaction response from the ShellHWDetection service.
2/24/2014 6:51:04 PM, Error: Service Control Manager [7009]  - A timeout was reached (30000 milliseconds) while waiting for the Windows Search service to connect.
2/24/2014 6:51:04 PM, Error: Service Control Manager [7000]  - The Windows Search service failed to start due to the following error:  The service did not respond to the start or control request in a timely fashion.
2/24/2014 6:50:55 PM, Error: Microsoft-Windows-DistributedCOM [10005]  - DCOM got error "1053" attempting to start the service WSearch with arguments "" in order to run the server: {9E175B6D-F52A-11D8-B9A5-505054503030}
2/24/2014 6:50:46 PM, Error: Service Control Manager [7031]  - The Windows Search service terminated unexpectedly.  It has done this 1 time(s).  The following corrective action will be taken in 30000 milliseconds: Restart the service.
2/24/2014 6:50:42 PM, Error: Service Control Manager [7024]  - The Windows Search service terminated with service-specific error %%-1073473535.
2/24/2014 6:46:18 PM, Error: Service Control Manager [7001]  - The Computer Browser service depends on the Server service which failed to start because of the following error:  The dependency service or group failed to start.
2/24/2014 6:03:20 PM, Error: Service Control Manager [7001]  - The PnP-X IP Bus Enumerator service depends on the Function Discovery Provider Host service which failed to start because of the following error:  The dependency service or group failed to start.
2/24/2014 6:01:42 PM, Error: Service Control Manager [7001]  - The HomeGroup Provider service depends on the Function Discovery Provider Host service which failed to start because of the following error:  The dependency service or group failed to start.
2/24/2014 6:01:41 PM, Error: Microsoft-Windows-DistributedCOM [10005]  - DCOM got error "1084" attempting to start the service WSearch with arguments "" in order to run the server: {9E175B6D-F52A-11D8-B9A5-505054503030}
2/24/2014 6:01:41 PM, Error: Microsoft-Windows-DistributedCOM [10005]  - DCOM got error "1084" attempting to start the service WSearch with arguments "" in order to run the server: {7D096C5F-AC08-4F1F-BEB7-5C22C517CE39}
2/24/2014 6:01:39 PM, Error: Microsoft-Windows-DistributedCOM [10005]  - DCOM got error "1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
2/24/2014 6:01:33 PM, Error: Microsoft-Windows-DistributedCOM [10005]  - DCOM got error "1084" attempting to start the service ShellHWDetection with arguments "" in order to run the server: {DD522ACC-F821-461A-A407-50B198B896DC}
2/24/2014 6:01:20 PM, Error: Service Control Manager [7026]  - The following boot-start or system-start driver(s) failed to load:  discache eamonm ehdrv ESProtectionDriver spldr truecrypt VBoxDrv VBoxUSBMon Wanarpv6
2/24/2014 2:38:29 AM, Error: Service Control Manager [7011]  - A timeout (30000 milliseconds) was reached while waiting for a transaction response from the WerSvc service.
2/22/2014 2:28:48 PM, Error: Service Control Manager [7030]  - The Online Backup Service service is marked as an interactive service.  However, the system is configured to not allow interactive services.  This service may not function properly.
2/21/2014 4:04:28 PM, Error: Service Control Manager [7011]  - A timeout (30000 milliseconds) was reached while waiting for a transaction response from the HomeGroupListener service.
2/21/2014 2:42:30 AM, Error: Service Control Manager [7011]  - A timeout (30000 milliseconds) was reached while waiting for a transaction response from the Netman service.
2/20/2014 9:26:08 AM, Error: Service Control Manager [7011]  - A timeout (30000 milliseconds) was reached while waiting for a transaction response from the Wlansvc service.
2/20/2014 5:58:16 AM, Error: Service Control Manager [7011]  - A timeout (30000 milliseconds) was reached while waiting for a transaction response from the DsiWMIService service.
2/20/2014 12:24:40 PM, Error: Service Control Manager [7023]  - The Server service terminated with the following error:  The service has not been started.
2/20/2014 11:35:29 PM, Error: Server [2505]  - The server could not bind to the transport \Device\NetBT_Tcpip_{B3917305-A200-44C0-9D84-D55943D066B9} because another computer on the network has the same name.  The server could not start.
2/19/2014 7:31:17 PM, Error: Service Control Manager [7011]  - A timeout (30000 milliseconds) was reached while waiting for a transaction response from the EapHost service.
.
==== End Of File ===========================
Thanks in advance for ANY and ALL help. It is greatly appreciated.
Timelord
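
As an added example that is not part of this thread or of the DDS tool, a Python triage pass over the "Running Processes" and "SERVICES / DRIVERS" sections of the log above: it pulls out the images a helper would review first, namely binaries running from user-writable locations (Downloads, AppData, Temp) or from outside Windows and Program Files. The sample input reuses lines from the log plus one constructed Temp entry; a flag means "look at this", not "this is malware".

```python
"""Triage pass over the 'Running Processes' and 'SERVICES / DRIVERS' sections
of a DDS log.  Persistent services and autostarts normally live under
C:\\Windows or C:\\Program Files*; an image under a user profile, Downloads,
AppData or a Temp directory is what a helper reviews first.  This is a
review-ordering heuristic, not a malware verdict."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: lines copied from the DDS log in the post above, plus one
# made-up Temp entry (updater.exe) so the AppData/Temp branch is exercised.
SAMPLE_DDS = r"""
============== Running Processes ===============
.
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
C:\Users\Timelord\Downloads\GnuPG\dirmngr.exe
C:\Users\Timelord\AppData\Local\Temp\updater.exe /silent
.
============= SERVICES / DRIVERS ===============
.
R1 eamonm;eamonm;C:\Windows\System32\drivers\eamonm.sys [2013-9-17 239320]
R2 DirMngr;DirMngr;C:\Users\Timelord\Downloads\GnuPG\dirmngr.exe [2011-3-2 224256]
R2 ekrn;ESET Service;C:\Program Files\ESET\ESET NOD32 Antivirus\x86\ekrn.exe [2013-9-12 1337752]
.
============= FINISH: 15:42:28.26 ===============
"""

SECTION_RE = re.compile(r"^=+\s*(.*?)\s*=+$")
# Image path: drive letter up to the first .exe/.sys/.dll that ends a token, so
# arguments such as '-k DcomLaunch' or the trailing '[date size]' are dropped.
IMAGE_RE = re.compile(r"^([A-Za-z]:\\.+?\.(?:exe|sys|dll))(?:\s|$)", re.IGNORECASE)
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
USER_WRITABLE = re.compile(
    r"\\users\\[^\\]+\\(?:downloads|appdata|desktop|documents)\\|\\temp\\",
    re.IGNORECASE,
)


@dataclass
class Finding:
    section: str
    name: str
    image: str
    reason: str


def classify(image: str) -> Optional[str]:
    """Return why an image path deserves review, or None if it looks routine."""
    low = image.lower()
    if USER_WRITABLE.search(low):
        return "image in user-writable location"
    if not low.startswith(TRUSTED_ROOTS):
        return "image outside Windows/Program Files"
    return None


def parse_dds(text: str) -> List[Finding]:
    """Walk the log, tracking the current '=== section ===' header, and collect
    the process and service images that classify() wants reviewed."""
    findings: List[Finding] = []
    section = ""
    for raw in text.splitlines():
        line = raw.strip()
        header = SECTION_RE.match(line)
        if header:
            section = header.group(1)
            continue
        if section.startswith("Running Processes"):
            name, candidate = "", line
        elif section.startswith("SERVICES"):
            # state+name ; display name ; image [date size]
            parts = line.split(";", 2)
            if len(parts) < 3:
                continue
            name, candidate = parts[1], parts[2]
        else:
            continue
        match = IMAGE_RE.match(candidate)
        if not match:
            continue
        image = match.group(1)
        reason = classify(image)
        if reason:
            findings.append(Finding(section, name or image.rsplit("\\", 1)[-1], image, reason))
    return findings


if __name__ == "__main__":
    for f in parse_dds(SAMPLE_DDS):
        print(f"[{f.section}] {f.name}: {f.image} -> {f.reason}")
```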
Welcome to the forum.

Please run a Quick Scan with Malwarebytes like this and post the log:

Open up Malwarebytes > Settings Tab > Scanner Settings > Under action for PUP > Select: Show in Results List and Check for removal.

Please Update and run a Quick Scan with Malwarebytes Anti-Malware, post the report.

Make sure that everything is checked, and click Remove Selected.

---------------------

Then........

Please download and run RogueKiller 32 Bit to your desktop.

RogueKiller 64 Bit <---use this one for 64 bit systems

Which system am I using?

Quit all running programs.

For Windows XP, double-click to start.

For Vista or Windows 7-8, do a right-click on the program, select Run as Administrator to start, & when prompted Allow to run.

Click Scan to scan the system.

When the scan completes > Close out the program > Don't Fix anything!

Don't run any other options, they're not all bad!!!!!!!

Post back the report which should be located on your desktop.

(please don't put logs in code or quotes and use the default font)

General Forum P2P/Piracy Warning:

1. If you're using Peer 2 Peer software such as uTorrent, BitTorrent or similar, you must either fully uninstall it or completely disable it from running while being assisted here.

Failure to remove or disable such software will result in your topic being closed and no further assistance being provided.

2. If you have illegal/cracked software, cracks, keygens, custom (Adobe) host file, etc. on the system, please remove or uninstall them now and read the policy on Piracy.

Failure to remove such software will result in your topic being closed and no further assistance being provided.

MrC

Note:

Please read all of my instructions completely including these.

Make sure system restore is turned on and running, please create a new restore point

Make sure you're subscribed to this topic: Click on the Follow This Topic Button (at the top right of this page), make sure that the Receive notification box is checked and that it is set to Instantly

Removing malware can be unpredictable...unlikely but things can go very wrong! Backup any files that cannot be replaced. You can copy them to a CD/DVD, external drive or a pen drive

<+>Please don't run any other scans, download, install or uninstall any programs while I'm working with you.

<+>The removal of malware isn't instantaneous, please be patient.

<+>When we are done, I'll give you instructions on how to clean up all the tools and logs

<+>Please stick with me until I give you the "all clear" and Please don't waste my time by leaving before that.

------->Your topic will be closed if you haven't replied within 3 days!<--------

(If I don't respond within 24 hours, please send me a PM)
Malwarebytes Anti-Malware

www.malwarebytes.org

Scan Date: 2/26/2014

Scan Time: 7:34:36 PM

Logfile: log for removal  tech.txt

Administrator: Yes
Version: 2.00.0.0503

Malware Database: v2014.02.26.10

Rootikt Database: v2014.02.20.01

License: Trial

Malware Protection: Enabled

Malicious Website Protection: Enabled

Chameleon: Disabled
OS: Windows 7 Service Pack 1

CPU: x64

File System: NTFS

User: Timelord

Scan Type: Hyper Scan

Result: Completed

Objects Scanned: 219397

Time Elapsed: 6 min, 55 sec
Memory: Enabled

Startup: Enabled

Filesystem: Disabled

Archives: Enabled

Rootkits: Enabled

Shuriken: Enabled

PUP: Enabled

PUM: Enabled

Processes: 0

(No malicious items detected)
Modules: 0

(No malicious items detected)

Registry Keys: 0

(No malicious items detected)
Registry Values: 0

(No malicious items detected)

Registry Data: 0

(No malicious items detected)
Folders: 0

(No malicious items detected)

Files: 0

(No malicious items detected)
Physical Sectors: 0

(No malicious items detected)
(end)
RogueKiller V8.8.9 _x64_ [Feb 24 2014] by Tigzy
mail : tigzyRK<at>gmail<dot>com
Feedback : http://forum.adlice.com
Website : http://www.adlice.com/softwares/roguekiller/
Blog : http://www.adlice.com

Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User : Timelord [Admin rights]
Mode : Scan -- Date : 02/26/2014 19:53:38
| ARK || FAK || MBR |

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 0 ¤¤¤

¤¤¤ Scheduled tasks : 0 ¤¤¤

¤¤¤ Startup Entries : 0 ¤¤¤

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ Browser Addons : 0 ¤¤¤

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [NOT LOADED 0x0] ¤¤¤

¤¤¤ External Hives: ¤¤¤

¤¤¤ Infection :  ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
--> %SystemRoot%\System32\drivers\etc\hosts

127.0.0.1    localhost

¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: (\\.\PHYSICALDRIVE0 @ IDE) Hitachi HTS543225A7A384 +++++
--- User ---
[MBR] ee24c993f426bac9ab74c5a828d0acd3
[bSP] 881e3dd2699467a6214aca2bc05bae2c : Windows 7/8 MBR Code
Partition table:
0 - [XXXXXX] ACER (0x27) [VISIBLE] Offset (sectors): 2048 | Size: 15360 Mo
1 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 31459328 | Size: 100 Mo
2 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 31664128 | Size: 223013 Mo
User = LL1 ... OK!
User = LL2 ... OK!

Finished : << RKreport[0]_S_02262014_195338.txt >>


 


AV: ESET NOD32 Antivirus 7.0 *Disabled/Updated* {19259FAE-8396-A113-46DB-15B0E7DFA289}

SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

SP: ESET NOD32 Antivirus 7.0 *Disabled/Updated* {A2447E4A-A5AC-AE9D-7C6B-2EC29C58E834}

 

I notice you have Defender running. If ESET is your anti-virus, you should keep Defender disabled (permanently).

Having two or more anti-virus programs running on a system only causes poor performance, conflicts and spotty protection.

How to Disable Defender

Dangers of running 2 anti-virus programs

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

I got the Win32/bundle,toolbar while updating CCleaner

I'm not sure how you did this, but next time download it directly from the author (install right over the top of the existing program):

http://www.piriform.com/ccleaner/download

Just about any other download location will bring you adware/crapware.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Please create a new system restore point before continuing.

Let's clean out any adware/spyware now: (this will require a reboot so save all your work)

Please download AdwCleaner from HERE or HERE to your desktop.

  • Double click on AdwCleaner.exe to run the tool.

    Vista/Windows 7/8 users right-click and select Run As Administrator

  • Click on the Scan button.
  • AdwCleaner will begin...be patient as the scan may take some time to complete.
  • When it's done you'll see: Pending: Please uncheck elements you don't want removed.
  • Now click on the Report button...a logfile (AdwCleaner[R0].txt) will open in Notepad for review.
  • Look over the log especially under Files/Folders for any program you want to save.
  • If there's a program you may want to save, just uncheck it from AdwCleaner.
  • If you're not sure, post the log for review. (all items found are adware/spyware/foistware)
  • If you're ready to clean it all up.....click the Clean button.
  • After rebooting, a logfile report (AdwCleaner[s0].txt) will open automatically.
  • Copy and paste the contents of that logfile in your next reply.
  • A copy of that logfile will also be saved in the C:\AdwCleaner folder.
  • Items that are deleted are moved to the Quarantine Folder: C:\AdwCleaner\Quarantine
  • To restore an item that has been deleted:
  • Go to Tools > Quarantine Manager > check what you want restored > now click on Restore.

Then........

Please download Junkware Removal Tool to your desktop.

  • Shut down your protection software now to avoid potential conflicts.
  • Run the tool by double-clicking it. If you are using Windows Vista or Seven, right-mouse click it and select Run as Administrator.
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete depending on your system's specifications.
  • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
  • Post the contents of JRT.txt into your next message.

MrC


I got the win32 message while I was updating CCleaner. Both piriform and file hippo triggered the message. I looked it up and lots of other people are having the same issue, and it appears ESET is the only program that is detecting it.

 

https://www.virustotal.com/en/file/7158ff00c1ff3b2965a0cbfb67fcf77e580dae5f74fe9d66bfe48940ec37602a/analysis/

 

My oversight on Defender. I don't use it and it totally slipped my mind. I have all the tools you require; info from logs incoming shortly.


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Thisisu
Version: 6.1.2 (02.20.2014:1)
OS: Windows 7 Home Premium x64
Ran by Timelord on Wed 02/26/2014 at 22:31:24.67
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~




~~~ Services



~~~ Registry Values



~~~ Registry Keys



~~~ Files



~~~ Folders

Successfully deleted: [Empty Folder] C:\Users\Timelord\appdata\local\{8EA20FF4-16AE-4D06-A6B0-E8F9BF030AE5}



~~~ FireFox

Emptied folder: C:\Users\Timelord\AppData\Roaming\mozilla\firefox\profiles\6qad75db.default\minidumps [4 files]



~~~ Event Viewer Logs were cleared





~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on Wed 02/26/2014 at 22:42:06.55
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Yes, I did run adw......

 

Eset is picking the win32/bundle up and that's about it. I didn't download anything because of the warning message. If you go to this update page, notice that it isn't piriform in the download link but file hippo. This is where CCleaner took me when prompted to upgrade to the newer version. As stated before, others have had the exact same issue. Eset caught it but other programs didn't. Anyway, back to the task at hand.

 

 

 

# AdwCleaner v3.019 - Report created 26/02/2014 at 22:17:44
# Updated 17/02/2014 by Xplode
# Operating System : Windows 7 Home Premium Service Pack 1 (64 bits)
# Username : Timelord - TARDIS
# Running from : C:\Users\Timelord\Desktop\AdwCleaner.exe
# Option : Clean

***** [ Services ] *****


***** [ Files / Folders ] *****


***** [ Shortcuts ] *****


***** [ Registry ] *****

Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{4C836512-BB70-11D2-A5A7-00105A9C91C6}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{DB797690-40E0-11D2-9BD5-0060082AE372}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{DB797681-40E0-11D2-9BD5-0060082AE372}

***** [ Browsers ] *****

-\\ Internet Explorer v0.0.0.0


-\\ Mozilla Firefox v28.0 (en-US)

[ File : C:\Users\Timelord\AppData\Roaming\Mozilla\Firefox\Profiles\6qad75db.default\prefs.js ]


*************************

AdwCleaner[R0].txt - [1223 octets] - [03/01/2014 20:30:42]
AdwCleaner[R1].txt - [903 octets] - [10/01/2014 19:21:53]
AdwCleaner[R2].txt - [1076 octets] - [10/02/2014 03:30:37]
AdwCleaner[R3].txt - [1197 octets] - [19/02/2014 00:59:12]
AdwCleaner[R4].txt - [1492 octets] - [26/02/2014 22:12:55]
AdwCleaner[s0].txt - [1298 octets] - [03/01/2014 20:32:51]
AdwCleaner[s1].txt - [963 octets] - [10/01/2014 19:27:32]
AdwCleaner[s2].txt - [1143 octets] - [10/02/2014 03:32:30]
AdwCleaner[s3].txt - [1263 octets] - [19/02/2014 01:15:57]
AdwCleaner[s4].txt - [1419 octets] - [26/02/2014 22:17:44]

########## EOF - C:\AdwCleaner\AdwCleaner[s4].txt - [1479 octets] ##########

 

 

This is just a reminder (mostly for me): once all the tools have been exhausted, I want to give info on any unanswered issues not revealed here.


Please download Farbar Recovery Scan Tool (FRST) and save it to a folder.

(use correct version for your system.....Which system am I using?)

FRST <----for 32 bit systems

FRST64 <----for 64 bit systems

  • Double-click to run it. When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run from. Please copy and paste it to your reply.
  • The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply.
If the logs are large, you can attach them:

To attach a log:

Bottom right corner of this page.


New window that comes up.


MrC


I just uploaded it myself:

https://www.virustotal.com/en/file/62349575e4fd2b6effd7073baaca9e0af3978378de8afe21b85ebee95ea1fa93/analysis/

I updated 2 of my computers with that file and no problems.

I can't remember: when you install it, are you given the chance to install something from Google??

EDIT: I just uninstalled CCleaner and downloaded and re-installed, no problems.

-----------------------

The logs look OK.....How is it???

MrC
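Both posters above checked the CCleaner installer by its SHA-256 on VirusTotal. The same check can be done locally before an installer is ever run: compute the file's SHA-256, compare it with the digest the vendor publishes, and only then look the hash up. The Python below is an added example, not code from this thread or from any of the tools in it; the "installer" bytes and the expected digest are constructed for the example (the digest is simply SHA-256 of the bytes `abc`), and the report URL follows the format of the VirusTotal links posted above.

```python
import hashlib
import hmac
import os
import tempfile

CHUNK = 1024 * 1024  # read large installers in 1 MiB pieces, not all at once


def sha256_of_file(path):
    """Return the lowercase hex SHA-256 of the file at `path`."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_download(path, expected_sha256):
    """True only if the file's SHA-256 equals the vendor-published digest.

    The digest is normalised (stripped, lowercased) so a hash pasted from a
    web page in uppercase still verifies; the comparison is constant-time.
    """
    actual = sha256_of_file(path)
    return hmac.compare_digest(actual, expected_sha256.strip().lower())


def virustotal_report_url(sha256_hex):
    """Report URL for a digest, in the format used by the links in this thread."""
    return "https://www.virustotal.com/en/file/%s/analysis/" % sha256_hex.strip().lower()


def demo():
    """Write a constructed 'installer' to a temp file, verify it, then show
    that a single appended byte (a repackaged download) fails verification.

    Returns (pristine_verifies, tampered_verifies).
    """
    # Constructed expected digest: SHA-256("abc"), a standard test vector.
    expected = "BA7816BF8F01CFEA414140DE5DAE2223B00361A396177A9CB410FF61F20015AD"
    fd, path = tempfile.mkstemp(suffix=".exe")
    try:
        with os.fdopen(fd, "wb") as f:
            f.write(b"abc")
        pristine = verify_download(path, expected)
        with open(path, "ab") as f:
            f.write(b"\x00")
        tampered = verify_download(path, expected)
    finally:
        os.unlink(path)
    return pristine, tampered


if __name__ == "__main__":
    ok, bad = demo()
    print("pristine file verifies:", ok)    # True
    print("modified file verifies:", bad)   # False
```

Pointing `verify_download` at a real download only helps when the expected digest comes from the vendor's own page, not from the same third-party mirror that served the file.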


Eset seems to be the only program detecting that win32. Dunno. No change in the computer. I wanted to make sure I followed everything you said first before I chime in foolishly lol. It is at a creeping pace! The processes are in the 70's, SEVERAL ports listening, event log full of crap I didn't do. See if the task manager looks ok to you.

process list.txt
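A listening-port count on its own says little; what a reviewer wants is each listening socket joined to the process that owns it, with loopback-only sockets separated from those reachable over the network. The Python below is an added example, not from this thread or from any tool mentioned in it. It parses the output of `netstat -ano` and `tasklist /fo csv` (both present on Windows 7); the two captured outputs embedded in it are constructed samples in the format those commands print, not the poster's machine, so in practice you would paste the real output in their place.

```python
import csv
import io

# Constructed sample of `netstat -ano` output (not from the poster's machine).
NETSTAT_SAMPLE = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       712
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    127.0.0.1:5354         0.0.0.0:0              LISTENING       1564
  TCP    192.168.1.10:49210     203.0.113.5:443        ESTABLISHED     2980
  TCP    [::]:135               [::]:0                 LISTENING       712
  UDP    0.0.0.0:5355           *:*                                    1108
  UDP    127.0.0.1:1900         *:*                                    1108
"""

# Constructed sample of `tasklist /fo csv` output.
TASKLIST_SAMPLE = """\
"Image Name","PID","Session Name","Session#","Mem Usage"
"System","4","Services","0","1,340 K"
"svchost.exe","712","Services","0","8,512 K"
"svchost.exe","1108","Services","0","12,004 K"
"mDNSResponder.exe","1564","Services","0","3,220 K"
"firefox.exe","2980","Console","1","210,448 K"
"""

LOOPBACK = {"127.0.0.1", "::1"}
WILDCARD = {"0.0.0.0", "::"}


def split_addr(addr):
    """Split 'host:port' (IPv4) or '[host]:port' (IPv6) into (host, port)."""
    host, _, port = addr.rpartition(":")
    return host.strip("[]"), int(port)


def parse_tasklist(text):
    """Map PID -> image name from `tasklist /fo csv` output."""
    rows = csv.DictReader(io.StringIO(text))
    return {int(r["PID"]): r["Image Name"] for r in rows}


def listening_sockets(netstat_text, pid_names):
    """One dict per listening socket: protocol, port, owning PID and process
    name, plus an 'exposure' label saying whether the port is reachable from
    the network or only from the machine itself."""
    out = []
    for line in netstat_text.splitlines():
        parts = line.split()
        if not parts or parts[0] not in ("TCP", "UDP"):
            continue  # banner, header and blank lines
        proto, local = parts[0], parts[1]
        # UDP rows have no State column, so the PID is always the last field.
        state = parts[3] if proto == "TCP" else "-"
        pid = int(parts[-1])
        if proto == "TCP" and state != "LISTENING":
            continue  # established/time-wait sockets are not listeners
        host, port = split_addr(local)
        if host in LOOPBACK:
            exposure = "loopback-only"
        elif host in WILDCARD:
            exposure = "all-interfaces"
        else:
            exposure = "interface " + host
        out.append({
            "proto": proto, "port": port, "pid": pid,
            "process": pid_names.get(pid, "<unknown pid>"),
            "exposure": exposure,
        })
    return out


def network_exposed(sockets):
    """Only the sockets a remote host could reach, ordered for review."""
    return sorted((s for s in sockets if s["exposure"] != "loopback-only"),
                  key=lambda s: (s["proto"], s["port"]))


if __name__ == "__main__":
    socks = listening_sockets(NETSTAT_SAMPLE, parse_tasklist(TASKLIST_SAMPLE))
    for s in network_exposed(socks):
        print("%s %5d  pid %-5d %-20s %s"
              % (s["proto"], s["port"], s["pid"], s["process"], s["exposure"]))
```

A PID that maps to `<unknown pid>` means the process exited between the two captures, so take both snapshots back to back; and because many listeners on Windows live inside `svchost.exe`, the process name alone does not identify the service, which is why a reviewer reads this table alongside the service list from the scan logs rather than instead of it.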


Also, I want clear.fi GONE. It seems to be involved with damn near everything. I don't use it and have tried to get rid of it, but it's just like The Walking Dead: keeps coming and coming at you lol. Some of the stuff I have seen clear.fi involved with seems waaay off. Why would that kind of program be so involved with areas that it wasn't intended for?


Run these two scans:

Please read the directions carefully so you don't end up deleting something that is good!!

If in doubt about an entry....please ask or choose Skip!!!!

Don't Delete anything unless instructed to!

If you get the warning about a file UnsignedFile.Multi.Generic or LockedFile.Multi.Generic, please choose Skip and click on Continue

If a suspicious object is detected, the default action will be Skip, click on Continue

Please note that TDSSKiller can be run in safe mode if needed.

Please download the latest version of TDSSKiller from HERE and save it to your Desktop.

  • Double-click on TDSSKiller.exe to run the application, then click on Change parameters.


  • Put a checkmark beside loaded modules.


  • A reboot will be needed to apply the changes. Do it.
  • TDSSKiller will launch automatically after the reboot. Also your computer may seem very slow and unusable. This is normal. Give it enough time to load your background programs.
  • Then click on Change parameters in TDSSKiller.
  • Check all boxes then click OK.


  • Click the Start Scan button.


  • The scan should take no longer than 2 minutes.
  • If a suspicious object is detected, the default action will be Skip, click on Continue.


    Any entries like this: \Device\Harddisk0\DR0 ( TDSS File System ) - please choose Skip.

    If in doubt about an entry....please ask or choose Skip

  • If malicious objects are found, they will show in the Scan results - Select action for found objects and offer three options.

    Ensure Cure (default) is selected, then click Continue > Reboot now to finish the cleaning process.


    Note: If Cure is not available, please choose Skip instead, do not choose Delete unless instructed.

  • A report will be created in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here. There may be 3 logs > so post or attach all of them.
  • Sometimes these logs can be very large, in that case please attach it or zip it up and attach it.

Here's a summary of what to do if you would like to print it out:

If in doubt about an entry....please ask or choose Skip

Don't Delete anything unless instructed to!

If a suspicious object is detected, the default action will be Skip, click on Continue

If you get the warning about a file UnsignedFile.Multi.Generic or LockedFile.Multi.Generic, please choose Skip and click on Continue

Any entries like this: \Device\Harddisk0\DR0 ( TDSS File System ) - please choose Skip.

If malicious objects are found, they will show in the Scan results and offer three (3) options.

Ensure Cure is selected, then click Continue => Reboot now to finish the cleaning process.

Note: If Cure is not available, please choose Skip instead, do not choose Delete unless instructed.

~~~~~~~~~~~~~~~~~~~~

You can attach the logs if they're too long:

Bottom right corner of this page.


New window that comes up.


--------------------------------------------

Please download and run ComboFix.

The most important things to remember when running it are to disable all your malware programs and to run ComboFix from your desktop.

Please visit this webpage for download links and instructions for running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Please make sure you click download buttons that look similar to this, not "sponsored ad links":


Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Information on disabling your malware programs can be found Here.

Make sure you run ComboFix from your desktop.

Give it at least 30-45 minutes to finish if needed.

Please include the C:\ComboFix.txt in your next reply for further review.

---------->NOTE<----------

If you get the message Illegal operation attempted on registry key that has been marked for deletion after you run ComboFix....please reboot the computer, this should resolve the problem. You may have to do this several times if needed.

MrC


This topic is now closed to further replies.