Jump to content


Photo
- - - - -

Trojan.Bitcoin.Miner

iswizard iswizard.7z Trojan.Bitcoin.Miner dwm.exe

  • This topic is locked This topic is locked
24 replies to this topic

#1 brandonb

brandonb

    New Member

  • Members
  • Pip
  • 16 posts

Posted 02 July 2013 - 08:50 AM

Hi,

 

Recently ive had problems with a Trojan.Bitcoin.Miner in a folder iswizard (C:\Users\Name\AppData\Local\Temp\iswizard\) its located in a .7z zip file: dwm.exe when i remove it with Malwarebytes Anti-Malware it seems to relocate itself in that folder. Then Anti-Malware puts it back in Quarantine. My anti-virus program seems to also not solve this problem.

 

Please help,

 

Brandonb



#2 MrCharlie

MrCharlie

    Forum Deity

  • Experts
  • PipPipPipPipPipPip
  • 28,196 posts
  • Gender:Male
  • Location:So. Plainfield, New Jersey, USA

Posted 02 July 2013 - 08:53 AM

Welcome to the forum, please start HERE
Post back the 2 logs here.....DDS.txt and Attach.txt
(please don't put logs in code or quotes)

P2P/Piracy Warning:

1. If you're using Peer 2 Peer software such uTorrent, BitTorrent or similar you must either fully uninstall it or completely disable it from running while being assisted here.
Failure to remove or disable such software will result in your topic being closed and no further assistance being provided.
2. If you have illegal/cracked software, cracks, keygens etc. on the system, please remove or uninstall them now and read the policy on Piracy.


<====><====><====><====><====><====><====><====>

Next................

Please download and run RogueKiller 32 bit to your desktop.

RogueKiller<---use this one for 64 bit systems

Quit all running programs.

For Windows XP, double-click to start.
For Vista or Windows 7-8, do a right-click on the program, select Run as Administrator to start, & when prompted Allow to run.


Click Scan to scan the system.
When the scan completes > Close out the program > Don't Fix anything!

Don't run any other options, they're not all bad!!!!!!!

Post back the report which should be located on your desktop.
(please don't put logs in code or quotes)
MrC


Note:
Please read all of my instructions completely including these.

Make sure you're subscribed to this topic: Click on the Follow This Topic Button (at the top right of this page), make sure that the Receive notification box is checked and that it is set to Instantly


Removing malware can be unpredictable...things can go very wrong! Backup any files that cannot be replaced. You can copy them to a CD/DVD, external drive or a pen drive


<+>Please don't run any other scans, download, install or uninstall any programs while I'm working with you.


<+>The removal of malware isn't instantaneous, please be patient.


<+>Please stick with me until I give you the "all clear" and Please don't waste my time by leaving before that.


------->Your topic will be closed if you haven't replied within 3 days!<--------
(If I don't respond within 24 hours, please send me a PM)


Malware Removal Expert


Posted Image


I volunteer my free time to help you, if you would like to donate to show your appreciation, it will be much appreciated.

Posted Image Thanks MrC & crew

#3 brandonb

brandonb

    New Member

  • Members
  • Pip
  • 16 posts

Posted 02 July 2013 - 09:38 AM

Hi,

Thanks for your help

 

dds.txt

DDS (Ver_2012-11-20.01) - NTFS_AMD64 

Internet Explorer: 9.0.8112.16476  BrowserJavaVersion: 10.25.2
Run by Branden at 16:12:27 on 2013-07-02
Microsoft Windows 7 Ultimate   6.1.7600.0.1252.1.1033.18.4082.2246 [GMT 2:00]
.
AV: avast! Antivirus *Enabled/Updated* {2B2D1395-420B-D5C9-657E-930FE358FC3C}
SP: avast! Antivirus *Enabled/Updated* {904CF271-6431-DA47-5FCE-A87D98DFB681}
SP: Windows Defender *Enabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Program Files\AVAST Software\Avast\AvastSvc.exe
C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe
C:\Windows\system32\nvvsvc.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe
C:\Windows\Explorer.EXE
C:\Program Files (x86)\DAEMON Tools Lite\DTLite.exe
C:\Program Files (x86)\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\Program Files\NVIDIA Corporation\Display\nvtray.exe
C:\Program Files (x86)\Common Files\LightScribe\LightScribeControlPanel.exe
C:\Program Files (x86)\Nokia\Nokia PC Suite 7\PCSuite.exe
C:\Program Files (x86)\DAP\DAP.exe
C:\Windows\SysWOW64\rundll32.exe
C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe
C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files (x86)\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe
C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
C:\Program Files\AVAST Software\Avast\AvastUI.exe
C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MMLoadDrv.exe
C:\Program Files\Common Files\SpeedBit\SBUpdate\sbu.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files (x86)\Vodafone\Vodafone Mobile Connect\Bin\VMCService.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files (x86)\PC Connectivity Solution\ServiceLayer.exe
C:\Program Files (x86)\PC Connectivity Solution\Transports\NclUSBSrv64.exe
C:\Program Files (x86)\PC Connectivity Solution\Transports\NclRSSrv.exe
C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe
C:\Windows\System32\svchost.exe -k secsvcs
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\system32\wuauclt.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalServicePeerNet
C:\Program Files (x86)\Internet Explorer\IELowutil.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Windows\System32\mobsync.exe
C:\Windows\System32\cscript.exe
.
============== Pseudo HJT Report ===============
.
mStart Page = about:blank
mWinlogon: Userinit = userinit.exe,
BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO: Java™ Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre7\bin\ssv.dll
BHO: avast! Online Security: {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll
BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files (x86)\Microsoft Office\Office14\URLREDIR.DLL
BHO: SpeedBit Link Verification Helper: {D5974A72-C81C-4DC3-BE77-A8A7BBC8864E} - C:\Program Files (x86)\DAP\LinkVerifier.dll
BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre7\bin\jp2ssv.dll
TB: avast! Online Security: {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll
uRun: [DAEMON Tools Lite] "C:\Program Files (x86)\DAEMON Tools Lite\DTLite.exe" -autorun
uRun: [ISUSPM] "C:\Program Files (x86)\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
uRun: [LightScribe Control Panel] C:\Program Files (x86)\Common Files\LightScribe\LightScribeControlPanel.exe -hidden
uRun: [PC Suite Tray] "C:\Program Files (x86)\Nokia\Nokia PC Suite 7\PCSuite.exe" -onlytray
uRun: [DownloadAccelerator] "C:\Program Files (x86)\DAP\DAP.EXE" /STARTUP
uRun: [AdobeBridge] <no file>
mRun: [StartCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
mRun: [BlackBerryAutoUpdate] C:\Program Files (x86)\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe /background
mRun: [RoxWatchTray] "C:\Program Files (x86)\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe"
mRun: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
mRun: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
mRun: [avast] "C:\Program Files\AVAST Software\Avast\avastUI.exe" /nogui
mRun: [BrowserPlugInHelper] C:\Program Files (x86)\Wondershare\Video Converter Ultimate\BrowserPlugInHelper.exe
uPolicies-Explorer: NoDriveTypeAutoRun = dword:145
mPolicies-Explorer: NoActiveDesktop = dword:1
mPolicies-Explorer: NoActiveDesktopChanges = dword:1
mPolicies-System: ConsentPromptBehaviorAdmin = dword:5
mPolicies-System: ConsentPromptBehaviorUser = dword:3
mPolicies-System: EnableUIADesktopToggle = dword:0
IE: &Download with &DAP - C:\Program Files (x86)\DAP\dapextie.htm
IE: &Verify with DAP - C:\Program Files (x86)\DAP\dapverify.htm
IE: Download &all with DAP - C:\Program Files (x86)\DAP\dapextie2.htm
IE: E&xport to Microsoft Excel - C:\PROGRA~1\MICROS~2\Office14\EXCEL.EXE/3000
TCP: NameServer = 192.168.137.1
TCP: Interfaces\{9AD8CC99-7BA1-4DD1-8C01-B6007AAAE3C3} : DHCPNameServer = 192.168.137.1
Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files (x86)\Common Files\Skype\Skype4COM.dll
Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files (x86)\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll
Name-Space Handler: ftp\ZDA - {5BFA1DAF-5EDC-11D2-959E-00C00C02DA5E} - C:\Program Files (x86)\DAP\dapie.dll
Name-Space Handler: http\ZDA - {5BFA1DAF-5EDC-11D2-959E-00C00C02DA5E} - C:\Program Files (x86)\DAP\dapie.dll
SSODL: WebCheck - <orphaned>
mASetup: {10880D85-AAD9-4558-ABDC-2AB1552D831F} - "C:\Program Files (x86)\Common Files\LightScribe\LSRunOnce.exe"
mASetup: {8A69D345-D564-463c-AFF1-A69D9E530F96} - "C:\Program Files (x86)\Google\Chrome\Application\27.0.1453.116\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --multi-install --chrome
x64-mStart Page = about:blank
x64-BHO: avast! Online Security: {318A227B-5E9F-45bd-8999-7F8F10CA4CF5} - C:\Program Files\AVAST Software\Avast\aswWebRepIE64.dll
x64-BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
x64-BHO: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL
x64-TB: avast! Online Security: {318A227B-5E9F-45bd-8999-7F8F10CA4CF5} - C:\Program Files\AVAST Software\Avast\aswWebRepIE64.dll
x64-Run: [BCSSync] "C:\Program Files\Microsoft Office\Office14\BCSSync.exe" /DelayServices
x64-Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL
x64-Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - <orphaned>
x64-Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - <orphaned>
x64-Name-Space Handler: ftp\ZDA - {5BFA1DAF-5EDC-11D2-959E-00C00C02DA5E} - C:\Program Files (x86)\DAP\dapie64.dll
x64-Name-Space Handler: http\ZDA - {5BFA1DAF-5EDC-11D2-959E-00C00C02DA5E} - C:\Program Files (x86)\DAP\dapie64.dll
x64-SSODL: WebCheck - <orphaned>
.
============= SERVICES / DRIVERS ===============
.
R0 aswRvrt;aswRvrt;C:\Windows\System32\drivers\aswRvrt.sys [2013-6-24 65336]
R0 aswVmm;aswVmm;C:\Windows\System32\drivers\aswVmm.sys [2013-6-24 189936]
R0 PxHlpa64;PxHlpa64;C:\Windows\System32\drivers\PxHlpa64.sys [2012-11-3 52856]
R1 aswSnx;aswSnx;C:\Windows\System32\drivers\aswSnx.sys [2013-6-24 1030952]
R1 aswSP;aswSP;C:\Windows\System32\drivers\aswSP.sys [2013-6-24 378944]
R2 AMD FUEL Service;AMD FUEL Service;C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe [2011-7-28 361984]
R2 AODDriver4.01;AODDriver4.01;C:\Program Files\ATI Technologies\ATI.ACE\Fuel\amd64\aoddriver2.sys [2011-6-24 55424]
R2 aswFsBlk;aswFsBlk;C:\Windows\System32\drivers\aswFsBlk.sys [2013-6-24 33400]
R2 aswMonFlt;aswMonFlt;C:\Windows\System32\drivers\aswMonFlt.sys [2013-6-24 80816]
R2 avast! Antivirus;avast! Antivirus;C:\Program Files\AVAST Software\Avast\AvastSvc.exe [2013-6-24 46808]
R2 MBAMScheduler;MBAMScheduler;C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe [2012-11-2 418376]
R2 MBAMService;MBAMService;C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2012-11-2 701512]
R2 SBUpd;SpeedBit Update;C:\Program Files\Common Files\SpeedBit\SBUpdate\sbu.exe [2013-2-27 1097848]
R2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [2013-1-18 383264]
R2 VMCService;Vodafone Mobile Connect Service;C:\Program Files (x86)\Vodafone\Vodafone Mobile Connect\Bin\VMCService.exe [2008-7-4 14336]
R3 amdiox64;AMD IO Driver;C:\Windows\System32\drivers\amdiox64.sys [2008-1-7 46136]
R3 asmthub3;ASMedia USB3 Hub Service;C:\Windows\System32\drivers\asmthub3.sys [2011-3-4 126952]
R3 asmtxhci;ASMEDIA XHCI Service;C:\Windows\System32\drivers\asmtxhci.sys [2011-3-4 390632]
R3 MBAMProtector;MBAMProtector;C:\Windows\System32\drivers\mbam.sys [2012-11-2 25928]
R3 RTL8167;Realtek 8167 NT Driver;C:\Windows\System32\drivers\Rt64win7.sys [2008-1-7 646248]
R3 SBUpdd;SpeedBit UpdateD;C:\Program Files\Common Files\SpeedBit\SBUpdate\sbw.sys [2013-2-27 40856]
R3 usbfilter;AMD USB Filter Driver;C:\Windows\System32\drivers\usbfilter.sys [2008-1-7 44672]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
S2 SkypeUpdate;Skype Updater;C:\Program Files (x86)\Skype\Updater\Updater.exe [2013-1-8 161536]
S3 DigiartyVirtualCDBus;Digiarty Virtual Driver;C:\Windows\System32\drivers\DigiartyVirtualCDBus.sys [2013-5-19 276256]
S3 nmwcdnsucx64;Nokia USB Flashing Generic;C:\Windows\System32\drivers\nmwcdnsucx64.sys [2012-1-9 12800]
S3 nmwcdnsux64;Nokia USB Flashing Phone Parent;C:\Windows\System32\drivers\nmwcdnsux64.sys [2012-1-9 171008]
S3 ose64;Office 64 Source Engine;C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2010-1-9 174440]
S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\System32\Wat\WatAdminSvc.exe [2013-4-22 1255736]
.
=============== Created Last 30 ================
.
2013-07-01 20:20:50 -------- d-----w- C:\Users\Branden\AppData\Roaming\FreeFixer
2013-07-01 20:20:50 -------- d-----w- C:\Users\Branden\AppData\Local\FreeFixer
2013-06-29 18:55:51 -------- d-----w- C:\Users\Branden\AppData\Roaming\KeeperData
2013-06-29 18:55:42 -------- d-----w- C:\Program Files (x86)\Keeper Security
2013-06-29 14:02:27 -------- d-----w- C:\Users\Branden\AppData\Roaming\VoipBuster
2013-06-28 20:13:26 -------- d-----w- C:\ProgramData\regid.1986-12.com.adobe
2013-06-28 13:08:56 -------- d-----w- C:\Program Files (x86)\DeskPins
2013-06-26 11:14:55 -------- d-----w- C:\Users\Branden\AppData\Roaming\AVS4YOU
2013-06-26 11:14:01 -------- d-----w- C:\Program Files (x86)\Common Files\AVSMedia
2013-06-26 11:13:29 24576 ----a-w- C:\Windows\SysWow64\msxml3a.dll
2013-06-26 11:13:29 1700352 ----a-w- C:\Windows\SysWow64\GdiPlus.dll
2013-06-26 11:13:29 -------- d-----w- C:\ProgramData\AVS4YOU
2013-06-26 11:13:17 -------- d-----w- C:\Program Files (x86)\AVS4YOU
2013-06-26 09:21:28 -------- d-----w- C:\Users\Branden\AppData\Roaming\Xilisoft
2013-06-26 08:58:09 -------- d-----w- C:\Users\Branden\AppData\Roaming\Wondershare Video Converter Ultimate
2013-06-26 08:57:50 -------- d-----w- C:\Program Files\Common Files\Wondershare
2013-06-26 08:57:41 727952 ----a-w- C:\Windows\SysWow64\WSCM64.dll
2013-06-26 08:57:33 -------- d-----w- C:\ProgramData\Wondershare Video Converter Ultimate
2013-06-26 08:57:30 -------- d-----w- C:\Program Files (x86)\Wondershare
2013-06-25 17:31:20 -------- d-----w- C:\Users\Branden\AppData\Roaming\EQATEC Analytics
2013-06-25 17:27:30 -------- d-----w- C:\ProgramData\SpeedBit
2013-06-25 17:27:15 -------- d-----w- C:\Program Files (x86)\DAP
2013-06-25 17:26:37 172032 ----a-w- C:\Windows\SysWow64\AniGIF.ocx
2013-06-25 17:26:20 -------- d-----w- C:\Program Files\Common Files\SpeedBit
2013-06-25 17:18:26 -------- d-----w- C:\Program Files (x86)\Common Files\SpeedBit
2013-06-25 13:18:54 -------- d-----w- C:\Users\Branden\AppData\Local\skybn
2013-06-25 13:14:09 249856 ------w- C:\Windows\Setup1.exe
2013-06-25 13:14:08 73216 ----a-w- C:\Windows\ST6UNST.EXE
2013-06-24 11:31:36 72016 ----a-w- C:\Windows\System32\drivers\aswRdr2.sys
2013-06-24 11:31:33 1030952 ----a-w- C:\Windows\System32\drivers\aswSnx.sys
2013-06-24 11:31:31 189936 ----a-w- C:\Windows\System32\drivers\aswVmm.sys
2013-06-24 11:31:28 65336 ----a-w- C:\Windows\System32\drivers\aswRvrt.sys
2013-06-24 11:31:27 80816 ----a-w- C:\Windows\System32\drivers\aswMonFlt.sys
2013-06-24 11:30:31 41664 ----a-w- C:\Windows\avastSS.scr
2013-06-24 11:30:21 -------- d-----w- C:\Program Files\AVAST Software
2013-06-24 11:12:02 -------- d-----w- C:\ProgramData\AVAST Software
2013-06-24 09:22:20 236467 ----a-w- C:\ProgramData\1372065591.bdinstall.bin
2013-06-22 11:57:45 -------- d-----w- C:\Program Files (x86)\Matrix Screen Locker
2013-06-22 11:53:42 -------- d-----w- C:\Program Files (x86)\OApps
2013-06-21 10:13:34 -------- d-----w- C:\Program Files (x86)\FVD Suite
2013-06-21 09:25:13 -------- d-----w- C:\Users\Branden\AppData\Local\iLivid
2013-06-21 09:12:52 96168 ----a-w- C:\Windows\SysWow64\WindowsAccessBridge-32.dll
2013-06-21 08:55:58 -------- d-----w- C:\Program Files\WinPcap
2013-06-21 08:55:23 -------- d-----w- C:\ProgramData\Freemake
2013-06-21 08:55:19 -------- d-----w- C:\Program Files (x86)\Freemake
2013-06-09 07:04:10 91264 ----a-w- C:\Windows\SysWow64\EasyHook32.dll
.
==================== Find3M  ====================
.
2013-07-02 12:50:01 99384 ----a-w- C:\Users\Branden\AppData\Roaming\inst.exe
2013-07-02 12:50:01 82816 ----a-w- C:\Users\Branden\AppData\Roaming\pcouffin.sys
2013-06-21 09:12:46 867240 ----a-w- C:\Windows\SysWow64\npDeployJava1.dll
2013-06-21 09:12:46 789416 ----a-w- C:\Windows\SysWow64\deployJava1.dll
2013-05-19 11:50:23 276256 ----a-w- C:\Windows\System32\drivers\DigiartyVirtualCDBus.sys
2013-04-21 23:08:29 1187328 ----a-w- C:\ProgramData\1366570614.bdinstall.bin
2013-04-21 18:40:49 151552 ----a-w- C:\Windows\KMSEmulator.exe
2013-04-21 18:39:13 207814 ----a-w- C:\ProgramData\1366569462.bdinstall.bin
2013-04-21 18:09:32 560184 ----a-w- C:\Windows\System32\drivers\sptd.sys
2013-04-21 16:49:59 373630 ----a-w- C:\ProgramData\1366562159.bdinstall.bin
2013-04-21 15:49:09 49834 ----a-w- C:\ProgramData\1366559343.bdinstall.bin
2013-04-21 15:28:48 1024712 ----a-w- C:\ProgramData\1366555127.bdinstall.bin
2013-04-21 14:34:55 49834 ----a-w- C:\ProgramData\1366554890.bdinstall.bin
2013-04-21 14:33:21 1029253 ----a-w- C:\ProgramData\1366551834.bdinstall.bin
2013-04-21 12:53:03 414368 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
2013-04-04 12:50:32 25928 ----a-w- C:\Windows\System32\drivers\mbam.sys
2013-02-17 03:27:32 2174976 ----a-w- C:\Program Files (x86)\Common Files\atimpenc.dll
2006-05-03 09:06:54 163328 --sha-r- C:\Windows\SysWOW64\flvDX.dll
2007-02-21 10:47:16 31232 --sha-r- C:\Windows\SysWOW64\msfDX.dll
2008-03-16 12:30:52 216064 --sha-r- C:\Windows\SysWOW64\nbDX.dll
2010-01-06 21:00:00 107520 --sha-r- C:\Windows\SysWOW64\TAKDSDecoder.dll
.
============= FINISH: 16:12:53.03 ===============
 
attach.txt
.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2012-11-20.01)
.
Microsoft Windows 7 Ultimate 
Boot Device: \Device\HarddiskVolume1
Install Date: 1/7/2008 8:58:12 AM
System Uptime: 7/2/2013 3:10:02 PM (1 hours ago)
.
Motherboard: MSI |  | 970A-G46 (MS-7693)
Processor: AMD Phenom™ II X4 965 Processor | CPU 1 | 2176/200mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 233 GiB total, 107.714 GiB free.
D: is CDROM ()
E: is CDROM ()
F: is CDROM ()
.
==== Disabled Device Manager Items =============
.
==== System Restore Points ===================
.
RP94: 6/25/2013 4:51:39 PM - Installed 1CLICK DVD COPY PRO
RP95: 6/25/2013 6:05:19 PM - Installed 1CLICK DVD COPY PRO
RP96: 7/2/2013 2:48:58 PM - Removed Bluesoleil2.6.0.8 Release 070517
RP97: 7/2/2013 2:54:05 PM - Removed Skype Click to Call
.
==== Installed Programs ======================
.
Adobe Flash Player 11 ActiveX
Adobe Reader X (10.1.6)
AMD APP SDK Runtime
AMD Catalyst Install Manager
AMD Fuel
Asmedia ASM104x USB 3.0 Host Controller Driver
avast! Free Antivirus
BlackBerry Desktop Software 5.0.1
BlackBerry® Media Sync
Catalyst Control Center
Catalyst Control Center InstallProxy
Catalyst Control Center Localization All
Catalyst Control Center Profiles Mobile
ccc-utility64
CCC Help Chinese Standard
CCC Help Chinese Traditional
CCC Help Czech
CCC Help Danish
CCC Help Dutch
CCC Help English
CCC Help Finnish
CCC Help French
CCC Help German
CCC Help Greek
CCC Help Hungarian
CCC Help Italian
CCC Help Japanese
CCC Help Korean
CCC Help Norwegian
CCC Help Polish
CCC Help Portuguese
CCC Help Russian
CCC Help Spanish
CCC Help Swedish
CCC Help Thai
CCC Help Turkish
D3DX10
Definition Update for Microsoft Office 2010 (KB982726) 64-Bit Edition
Download Accelerator Plus (DAP)
DVD Decrypter (Remove Only)
Google Chrome
Google Drive
Google Update Helper
iLivid
ImgBurn
Java 7 Update 25
Java Auto Updater
Keeper Password & Data Vault
LAME v3.99.3 (for Windows)
LightScribe System Software
Malwarebytes Anti-Malware version 1.75.0.1300
Microsoft .NET Framework 4 Client Profile
Microsoft Application Error Reporting
Microsoft Office Access MUI (English) 2010
Microsoft Office Access Setup Metadata MUI (English) 2010
Microsoft Office Excel MUI (English) 2010
Microsoft Office Groove MUI (English) 2010
Microsoft Office InfoPath MUI (English) 2010
Microsoft Office Language Interface Pack 2010 - Afrikaans
Microsoft Office Office 32-bit Components 2010
Microsoft Office OneNote MUI (English) 2010
Microsoft Office Outlook MUI (English) 2010
Microsoft Office PowerPoint MUI (English) 2010
Microsoft Office Professional Plus 2010
Microsoft Office Proof (English) 2010
Microsoft Office Proof (French) 2010
Microsoft Office Proof (Spanish) 2010
Microsoft Office Proofing (English) 2010
Microsoft Office Publisher MUI (English) 2010
Microsoft Office Shared 32-bit MUI (English) 2010
Microsoft Office Shared MUI (English) 2010
Microsoft Office Shared Setup Metadata MUI (English) 2010
Microsoft Office Word MUI (English) 2010
Microsoft SQL Server 2005 Compact Edition [ENU]
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2005 Redistributable (x64)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
Microsoft Visual C++ 2010  x64 Redistributable - 10.0.40219
Microsoft Visual C++ 2010  x86 Redistributable - 10.0.40219
Microsoft WSE 3.0 Runtime
Microsoft_VC80_CRT_x86
Microsoft_VC90_CRT_x86
Movie Maker
MSVC90_x64
MSVC90_x86
MSVCRT
MSVCRT110
MSVCRT110_amd64
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
Network Play System (Patching)
Nokia Connectivity Cable Driver
Nokia PC Suite
NVIDIA 3D Vision Controller Driver 306.97
NVIDIA 3D Vision Driver 311.06
NVIDIA Control Panel 311.06
NVIDIA Graphics Driver 311.06
NVIDIA HD Audio Driver 1.3.18.0
NVIDIA Install Application
NVIDIA PhysX
NVIDIA PhysX System Software 9.12.0604
NVIDIA Stereoscopic 3D Driver
NVIDIA Update 1.11.3
NVIDIA Update Components
Origin
PC Connectivity Solution
Photo Common
Photo Gallery
Realtek Ethernet Controller Driver
Roxio Media Manager
Security Update for Microsoft .NET Framework 4 Client Profile (KB2604121)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656351)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2729449)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2737019)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2742595)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2789642)
SimCity™ Societies
Skype™ 6.1
SUPER © v2012.build.54 (Nov 18, 2012) version v2012.build.54
The Sims 2 Family Fun Stuff
The Sims 2 Glamour Life Stuff
The Sims 2 Open For Business
The Sims 2 Pets
The Sims 2 University
The Sims™ 2 Apartment Life
The Sims™ 2 Bon Voyage
The Sims™ 2 Double Deluxe
The Sims™ 2 FreeTime
The Sims™ 2 H&M® Fashion Stuff
The Sims™ 2 IKEA® Home Stuff
The Sims™ 2 Kitchen & Bath Interior Design Stuff
The Sims™ 2 Mansion and Garden Stuff
The Sims™ 2 Seasons
The Sims™ 2 Teen Style Stuff
The Sims™ 3
The Sims™ 3 70s, 80s, & 90s Stuff
The Sims™ 3 Ambitions
The Sims™ 3 Create a Sim
The Sims™ 3 Diesel Stuff
The Sims™ 3 Fast Lane Stuff
The Sims™ 3 Generations
The Sims™ 3 High-End Loft Stuff
The Sims™ 3 Katy Perry's Sweet Treats
The Sims™ 3 Late Night
The Sims™ 3 Master Suite Stuff
The Sims™ 3 Outdoor Living Stuff
The Sims™ 3 Pets
The Sims™ 3 Seasons
The Sims™ 3 Showtime
The Sims™ 3 Supernatural
The Sims™ 3 Town Life Stuff
The Sims™ 3 World Adventures
UltraISO Premium V9.35
Update for Microsoft .NET Framework 4 Client Profile (KB2468871)
Update for Microsoft .NET Framework 4 Client Profile (KB2533523)
Update for Microsoft .NET Framework 4 Client Profile (KB2600217)
Update for Microsoft Office 2010 (KB2553092)
VD64Inst
VLC media player 2.0.7
Vodafone Mobile Connect Lite
Windows Driver Package - Nokia Modem  (02/25/2011 4.7)
Windows Driver Package - Nokia Modem  (02/25/2011 7.01.0.9)
Windows Driver Package - Nokia pccsmcfd LegacyDriver  (05/31/2012 7.1.2.0)
Windows Live Communications Platform
Windows Live Essentials
Windows Live ID Sign-in Assistant
Windows Live Installer
Windows Live Photo Common
Windows Live PIMT Platform
Windows Live SOXE
Windows Live SOXE Definitions
Windows Live UX Platform
Windows Live UX Platform Language Pack
WinPcap 4.1.2
WinRAR 4.00 (64-bit)
X-Blades
Yahoo! Detect
.
==== Event Viewer Messages From Past Week ========
.
7/2/2013 3:13:24 PM, Error: Service Control Manager [7038]  - The nvUpdatusService service was unable to log on as .\UpdatusUser with the currently configured password due to the following error:  Logon failure: the specified account password has expired. To ensure that the service is configured properly, use the Services snap-in in Microsoft Management Console (MMC).
7/2/2013 3:13:24 PM, Error: Service Control Manager [7000]  - The NVIDIA Update Service Daemon service failed to start due to the following error:  The service did not start due to a logon failure.
7/2/2013 3:11:23 PM, Error: Service Control Manager [7026]  - The following boot-start or system-start driver(s) failed to load:  BTHidMgr
7/2/2013 3:11:21 PM, Error: Service Control Manager [7009]  - A timeout was reached (30000 milliseconds) while waiting for the Roxio Hard Drive Watcher 9 service to connect.
7/1/2013 9:53:56 AM, Error: Service Control Manager [7024]  - The Background Intelligent Transfer Service service terminated with service-specific error %%-2147024846.
7/1/2013 9:53:56 AM, Error: Microsoft-Windows-Bits-Client [16392]  - The BITS service failed to start.  Error 0x80070032.
6/28/2013 9:53:09 PM, Error: Disk [11]  - The driver detected a controller error on \...\DR4.
6/26/2013 10:42:42 AM, Error: Microsoft-Windows-DistributedCOM [10016]  - The machine-default permission settings do not grant Local Activation permission for the COM Server application with CLSID  {9BA05972-F6A8-11CF-A442-00A0C90A8F39}  and APPID  {9BA05972-F6A8-11CF-A442-00A0C90A8F39}  to the user BRANDON-PC\Branden SID (S-1-5-21-579728-3509017212-2056715366-1000) from address LocalHost (Using LRPC). This security permission can be modified using the Component Services administrative tool.
6/25/2013 6:17:42 PM, Error: Microsoft-Windows-WER-SystemErrorReporting [1001]  - The computer has rebooted from a bugcheck.  The bugcheck was: 0x0000003b (0x00000000c0000046, 0xfffff80002ea2bf4, 0xfffff8800a3420d0, 0x0000000000000000). A dump was saved in: C:\Windows\MEMORY.DMP. Report Id: 062513-33649-01.
6/25/2013 6:12:26 PM, Error: Microsoft-Windows-WER-SystemErrorReporting [1001]  - The computer has rebooted from a bugcheck.  The bugcheck was: 0x0000003b (0x00000000c0000046, 0xfffff80002efabf4, 0xfffff88008dd70d0, 0x0000000000000000). A dump was saved in: C:\Windows\MEMORY.DMP. Report Id: 062513-31855-01.
6/25/2013 2:09:44 PM, Error: volsnap [36]  - The shadow copies of volume C: were aborted because the shadow copy storage could not grow due to a user imposed limit.
.
==== End Of File ===========================
 
RKreport[0]_S_07022013_163451.txt
 
RogueKiller V8.6.2 _x64_ [Jul  2 2013] by Tigzy
mail : tigzyRK<at>gmail<dot>com
 
Operating System : Windows 7 (6.1.7600 ) 64 bits version
Started in : Normal mode
User : Branden [Admin rights]
Mode : Scan -- Date : 07/02/2013 16:34:51
| ARK || FAK || MBR |
 
¤¤¤ Bad processes : 1 ¤¤¤
[DLL] rundll32.exe -- C:\Users\Branden\AppData\Local\Temp\\tsiVi132.dll [-] -> KILLED [TermProc]
 
¤¤¤ Registry Entries : 4 ¤¤¤
[RUN][SUSP PATH] HKCU\[...]\Run : tsiVideo (C:\Windows\SysWOW64\rundll32.exe C:\Users\Branden\AppData\Local\Temp\\tsiVi132.dll,start [7][-]) -> FOUND
[RUN][SUSP PATH] HKUS\S-1-5-21-579728-3509017212-2056715366-1000\[...]\Run : tsiVideo (C:\Windows\SysWOW64\rundll32.exe C:\Users\Branden\AppData\Local\Temp\\tsiVi132.dll,start [7][-]) -> FOUND
[HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND
 
¤¤¤ Scheduled tasks : 0 ¤¤¤
 
¤¤¤ Startup Entries : 0 ¤¤¤
 
¤¤¤ Web browsers : 0 ¤¤¤
 
¤¤¤ Particular Files / Folders: ¤¤¤
 
¤¤¤ Driver : [NOT LOADED 0x0] ¤¤¤
 
¤¤¤ External Hives: ¤¤¤
 
¤¤¤ Infection :  ¤¤¤
 
¤¤¤ HOSTS File: ¤¤¤
--> %SystemRoot%\System32\drivers\etc\hosts
 
 
 
 
¤¤¤ MBR Check: ¤¤¤
 
+++++ PhysicalDrive0: ST3250318AS ATA Device +++++
--- User ---
[MBR] 1e4159a852eadab4f17ce3ad0e66272f
[BSP] dedd7f18e2b98e2b9a2d75421fc63bca : Windows 7/8 MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 100 Mo
1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 206848 | Size: 238372 Mo
User = LL1 ... OK!
User = LL2 ... OK!
 
Finished : << RKreport[0]_S_07022013_163451.txt >>
 
---------------------------------------------------------------------------
 
Brandonb


#4 MrCharlie

MrCharlie

    Forum Deity

  • Experts
  • PipPipPipPipPipPip
  • 28,196 posts
  • Gender:Male
  • Location:So. Plainfield, New Jersey, USA

Posted 02 July 2013 - 10:05 AM

Run RogueKiller again and click Scan
When the scan completes > click on the Registry tab
Put a check next to all of these and uncheck the rest: (if found)
 

[RUN][SUSP PATH] HKCU\[...]\Run : tsiVideo (C:\Windows\SysWOW64\rundll32.exe C:\Users\Branden\AppData\Local\Temp\\tsiVi132.dll,start [7][-]) -> FOUND
[RUN][SUSP PATH] HKUS\S-1-5-21-579728-3509017212-2056715366-1000\[...]\Run : tsiVideo (C:\Windows\SysWOW64\rundll32.exe C:\Users\Branden\AppData\Local\Temp\\tsiVi132.dll,start [7][-]) -> FOUND


Now click Delete on the right hand column under Options

-------------

Next click on the Processes tab and put a check next to these and uncheck the rest. (if found)
 

[DLL] rundll32.exe -- C:\Users\Branden\AppData\Local\Temp\\tsiVi132.dll [-] -> KILLED [TermProc]


Now click Delete on the right hand column under Options

-------------

Then........

Download Malwarebytes Anti-Rootkit from HERE
  • Unzip the contents to a folder in a convenient location.
  • Open the folder where the contents were unzipped and run mbar.exe
  • Follow the instructions in the wizard to update and allow the program to scan your computer for threats.
  • Click on the Cleanup button to remove any threats and reboot if prompted to do so.
  • Wait while the system shuts down and the cleanup process is performed.
  • Perform another scan with Malwarebytes Anti-Rootkit to verify that no threats remain. If they do, then click Cleanup once more and repeat the process.
  • When done, please post the two logs produced they will be in the MBAR folder..... mbar-log.txt and system-log.txt
To attach a log if needed:

Bottom right corner of this page.
more-reply-options.jpg

New window that comes up.
choose-files1.jpg

~~~~~~~~~~~~~~~~~~~~~~~

Note:
If no additional threats were found, verify that your system is now running normally, making sure that the following items are functional:
Internet access
Windows Update
Windows Firewall

If there are additional problems with your system, such as any of those listed above or other system issues, then run the fixdamage tool included with Malwarebytes Anti-Rootkit and reboot. It's located in the Plugins folder which is in the MBAR folder.

Just run fixdamage.exe.

Verify that they are now functioning normally.


MrC

Malware Removal Expert


Posted Image


I volunteer my free time to help you, if you would like to donate to show your appreciation, it will be much appreciated.

Posted Image Thanks MrC & crew

#5 brandonb

brandonb

    New Member

  • Members
  • Pip
  • 16 posts

Posted 02 July 2013 - 12:08 PM

Hi,

 

Thanks again

 

Loggs attached

 

Brandonb

Attached Files



#6 MrCharlie

MrCharlie

    Forum Deity

  • Experts
  • PipPipPipPipPipPip
  • 28,196 posts
  • Gender:Male
  • Location:So. Plainfield, New Jersey, USA

Posted 02 July 2013 - 12:08 PM

OK...Next:

Please download and run ComboFix.

The most important things to remember when running it is to disable all your malware programs and run Combofix from your desktop.

Please visit this webpage for download links, and instructions for running ComboFix

http://www.bleepingc...to-use-combofix

Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Information on disabling your malware programs can be found Here.

Make sure you run ComboFix from your desktop.

Give it at least 30-45 minutes to finish if needed.

Please include the C:\ComboFix.txt in your next reply for further review.

---------->NOTE<----------

If you get the message Illegal operation attempted on registry key that has been marked for deletion after you run ComboFix....please reboot the computer, this should resolve the problem. You may have to do this several times if needed.

MrC

Malware Removal Expert


Posted Image


I volunteer my free time to help you, if you would like to donate to show your appreciation, it will be much appreciated.

Posted Image Thanks MrC & crew

#7 brandonb

brandonb

    New Member

  • Members
  • Pip
  • 16 posts

Posted 02 July 2013 - 01:27 PM

Hi,

 

Thanks once again.

 

Log attached

 

Brandonb

Attached Files



#8 MrCharlie

MrCharlie

    Forum Deity

  • Experts
  • PipPipPipPipPipPip
  • 28,196 posts
  • Gender:Male
  • Location:So. Plainfield, New Jersey, USA

Posted 02 July 2013 - 01:42 PM

Next:


Please download AdwCleaner from here and save it on your Desktop.

AdwCleaner is a reliable removal tool for Adware, Foistware, toolbars and potentially unwanted programs.

AdwCleaner is a tool that deletes :
· Adwares (software ads)
· PUP/LPI (Potentially Undesirable Program)
· Toolbars
· Hijacker (Hijack of the browser's homepage)

It works with a Search and Deletion method. It can be easily uninstalled using the "Uninstall" mode.

  • Right-click on adwcleaner.exe and select Run As Administrator (for XP just double click) to launch the application.
  • Now click on the Search tab.
  • Please post the contents of the log-file created in your next post.
Note: The log can also be located at C:\ >> AdwCleaner[XX].txt >> XX <-- Denotes the number of times the application has been ran, so in this should be something like R1.

Note:
Please look over what was found......especially any folders, we're going to permanently delete it all in the next step....if there's something you may want to keep...please let me know and I'll explain to why it shouldn't be on your system.
If you see AVG Secure Search being targeted for deletion, Here's Why and Here. You can always Reinstall it.

Please note that Antivir Webguard uses ASK Toolbar as part of its web security. If you remove ASK by using Adwcleaner, Antivir Webguard will no longer work properly. Therefore, if you use this program please use the instructions below to access the options screen where you should enable /DisableAskDetections before using AdwCleaner.

You can click on the question mark (?) in the upper left corner of the program and then click on Options. You will then be presented with a dialog where you can disable various detections. These options are described below:

/DisableAskDetection - This option disables Ask Toolbar detection.


MrC

Malware Removal Expert


Posted Image


I volunteer my free time to help you, if you would like to donate to show your appreciation, it will be much appreciated.

Posted Image Thanks MrC & crew

#9 brandonb

brandonb

    New Member

  • Members
  • Pip
  • 16 posts

Posted 02 July 2013 - 01:47 PM

Ok just want to ad this - I found this in my Windows 7 task manager, processes. It shows dwm.exe is a desktop window manager. It also shows it uses memory. Recently i checked out free programs that can make windows in Windows 7 topmost ( To let a window always be on top) the infection may have come from one of these programs. But i uninstalled them all.

 
Cropped Printscreen attached.


#10 brandonb

brandonb

    New Member

  • Members
  • Pip
  • 16 posts

Posted 02 July 2013 - 01:49 PM

Sorry. Here:

Attached Files



#11 brandonb

brandonb

    New Member

  • Members
  • Pip
  • 16 posts

Posted 02 July 2013 - 01:54 PM

Hi,

 

Log attached. Dont have anything in temp folders.

Attached Files



#12 brandonb

brandonb

    New Member

  • Members
  • Pip
  • 16 posts

Posted 02 July 2013 - 01:58 PM

Sorry. I mean i dont mind deleting the things found in Adwcleaner



#13 MrCharlie

MrCharlie

    Forum Deity

  • Experts
  • PipPipPipPipPipPip
  • 28,196 posts
  • Gender:Male
  • Location:So. Plainfield, New Jersey, USA

Posted 02 July 2013 - 02:01 PM

That's a good process and shows the correct path for the file.

Lots of adware found....lets clear it out.....
  • Please re-run AdwCleaner
  • Click on Delete button.
  • Confirm each time with OK if asked.
  • Your computer will be rebooted automatically. A text file will open after the restart. Please post the content of that logfile in your reply.
Note: You can find the logfile at C:\AdwCleaner[Sn].txt as well - n is the order number.

MrC

Malware Removal Expert


Posted Image


I volunteer my free time to help you, if you would like to donate to show your appreciation, it will be much appreciated.

Posted Image Thanks MrC & crew

#14 brandonb

brandonb

    New Member

  • Members
  • Pip
  • 16 posts

Posted 02 July 2013 - 02:08 PM

Hi,

 

AdwCleaner[S1].txt

 

# AdwCleaner v2.303 - Logfile created 07/02/2013 at 21:03:04
# Updated 08/06/2013 by Xplode
# Operating system : Windows 7 Ultimate  (64 bits)
# User : Branden - BRANDON-PC
# Boot Mode : Normal
# Running from : C:\Users\Branden\Desktop\adwcleaner.exe
# Option [Delete]
 
 
***** [Services] *****
 
 
***** [Files / Folders] *****
 
File Deleted : C:\Users\Branden\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\iLivid.lnk
File Deleted : C:\Users\Branden\Desktop\iLivid.lnk
Folder Deleted : C:\Program Files (x86)\Common Files\Speedbit
Folder Deleted : C:\Program Files (x86)\OApps
Folder Deleted : C:\Program Files (x86)\Wondershare
Folder Deleted : C:\ProgramData\Speedbit
Folder Deleted : C:\Users\Branden\AppData\Local\Ilivid
Folder Deleted : C:\Users\Branden\AppData\LocalLow\Speedbit
Folder Deleted : C:\Users\Branden\AppData\LocalLow\Toolbar4
 
***** [Registry] *****
 
Key Deleted : HKCU\Software\Conduit
Key Deleted : HKCU\Software\ilivid
Key Deleted : HKCU\Software\SpeedBit
Key Deleted : HKCU\Software\YahooPartnerToolbar
Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{7F4EFF06-7032-458E-AE16-1C1D8255C28A}
Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{96BD48DD-741B-41AE-AC4A-AFF96BA00F7E}
Key Deleted : HKLM\Software\Conduit
Key Deleted : HKLM\Software\SpeedBit
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{628F3201-34D0-49C0-BB9A-82A26AEFB291}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\{7F4EFF06-7032-458E-AE16-1C1D8255C28A}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\ilivid
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{4897BBA6-48D9-468C-8EFA-846275D7701B}
 
***** [Internet Browsers] *****
 
-\\ Internet Explorer v9.0.8112.16476
 
 
-\\ Google Chrome v27.0.1453.116
 
File : C:\Users\Branden\AppData\Local\Google\Chrome\User Data\Default\Preferences
 
[OK] File is clean.
 
*************************
 
AdwCleaner[R1].txt - [2627 octets] - [02/07/2013 20:51:39]
AdwCleaner[S1].txt - [2382 octets] - [02/07/2013 21:03:04]
 
########## EOF - C:\AdwCleaner[S1].txt - [2442 octets] ##########
 
-----------------------------------------------------------------------------------------------------------


#15 MrCharlie

MrCharlie

    Forum Deity

  • Experts
  • PipPipPipPipPipPip
  • 28,196 posts
  • Gender:Male
  • Location:So. Plainfield, New Jersey, USA

Posted 02 July 2013 - 02:22 PM

Please run a free online scan with the ESET Online Scanner
Note: You will need to use Internet Explorer for this scan.
http://www.eset.eu/online-scanner
Tick the box next to YES, I accept the Terms of Use.
Click Start
When asked, allow the ActiveX control to install
Click Start
Make sure that the options Remove found threats is unchecked and the option Scan unwanted applications is checked
Click Advanced settings and select the following:

  • Scan potentially unwanted applications
  • Scan for potentially unsafe applications
  • Enable Anti-Stealth technology

Click Start
Wait for the scan to finish
Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
Copy and paste that log as a reply to this topic

MrC


Malware Removal Expert


Posted Image


I volunteer my free time to help you, if you would like to donate to show your appreciation, it will be much appreciated.

Posted Image Thanks MrC & crew

#16 brandonb

brandonb

    New Member

  • Members
  • Pip
  • 16 posts

Posted 02 July 2013 - 03:59 PM

Hi,

 

This is the log i got.

 

log.txt

 

ESETSmartInstaller@High as CAB hook log:

OnlineScanner64.ocx - registred OK
OnlineScanner.ocx - registred OK
--------------------------------------------------


#17 MrCharlie

MrCharlie

    Forum Deity

  • Experts
  • PipPipPipPipPipPip
  • 28,196 posts
  • Gender:Male
  • Location:So. Plainfield, New Jersey, USA

Posted 02 July 2013 - 04:09 PM

Do you remember if it found anything??

And how is it??

MrC

Malware Removal Expert


Posted Image


I volunteer my free time to help you, if you would like to donate to show your appreciation, it will be much appreciated.

Posted Image Thanks MrC & crew

#18 brandonb

brandonb

    New Member

  • Members
  • Pip
  • 16 posts

Posted 02 July 2013 - 04:13 PM

It found 1 threat not the iswizard.7z one but something about winhack. My pc hasnt alerted about the iswizard for a while now.



#19 MrCharlie

MrCharlie

    Forum Deity

  • Experts
  • PipPipPipPipPipPip
  • 28,196 posts
  • Gender:Male
  • Location:So. Plainfield, New Jersey, USA

Posted 02 July 2013 - 04:16 PM

Good, on your desktop should be a RK_Quarantine folder, can you zip it up and attach it for me.

What problems if any remain??

MrC


Malware Removal Expert


Posted Image


I volunteer my free time to help you, if you would like to donate to show your appreciation, it will be much appreciated.

Posted Image Thanks MrC & crew

#20 brandonb

brandonb

    New Member

  • Members
  • Pip
  • 16 posts

Posted 02 July 2013 - 04:21 PM

There are no problems that remain from the look of it.

 

Attached RK_Quarantine.zip

Attached Files







Also tagged with one or more of these keywords: iswizard, iswizard.7z, Trojan.Bitcoin.Miner, dwm.exe

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users