TheDarkKnight
Honorary Members
Posts: 1,123

Everything posted by TheDarkKnight

  1. Good morning fosternguyen, ***Your log shows you have the uTorrent client installed, which is a P2P (Peer-to-Peer) file sharing program.*** I highly recommend that you consider uninstalling it. P2P programs represent a security threat to the information on your system as they allow others to access your system. Just look at the number of high profile compromises in the news as a result of P2P software: Data about Obama's helicopter breached via P2P? Leak of congressional ethics document prompts calls for cybersecurity probe Walter Reed suffers peer-to-peer data breach Update: Seattle man arrested for p-to-p ID theft More listed here: Data Security Threats And Breaches You should read the link at the bottom of that page: Why File Sharing Networks Are Dangerous (Dartmouth study, .pdf file) In many cases P2P programs also represent a risk of infection from the program itself, as some have installed adware/spyware, or other programs without consent. Even if the program itself is clean, many P2P networks are riddled with malware, and it's often the newest, most difficult-to-remove malware. There are many risks associated with P2P programs; none are worth the risks. If you don't uninstall the P2P software, I will continue to help clean your system, but please realise that it's likely only a matter of time before you are infected again. ===== Please download Junkware Removal Tool to your Desktop. Please close your security software to avoid potential conflicts. Run the tool by double-clicking it. If you are using Windows Vista or 7, right-mouse click it and select Run as administrator. The tool will open and start scanning your system. Please be patient as this can take a while to complete, depending on your system's specifications. On completion, a log (JRT.txt) is saved to your Desktop and will automatically open. Please post the contents of JRT.txt into your reply.
  2. Hello migs102006, Do you live in a college or are you in a business? It could be your ISP or similar just checking that you aren't making a server. How long have you been observing this for?
  3. Good morning Mars25, Please do the following to re-run AdwCleaner: Please close all open programs and internet browsers. Double click on adwcleaner.exe to run the tool. Click on Delete. Confirm each time with OK. Your computer will be rebooted automatically. A text file will open after the restart. Please post the content of that logfile in your reply. You can find the logfile at C:\AdwCleaner[s1].txt as well. Note: If you get a message that you must reboot the computer before starting deletion, please do. At reboot, only AdwCleaner will run and you can only click on the Delete button. When the deletion is done, AdwCleaner will reboot the computer again and open the logfile. ===== Also, please re-run RogueKiller. Click on the Delete button. The report has been created on the Desktop. Please post it in your reply. ===== Please provide the two reports and let me know how things are now.
  4. I am TheDarkKnight and will be assisting you. Please ask questions if anything is unclear. Please download to the Desktop RogueKiller (by tigzy). Please quit all programs. Start RogueKiller.exe. Wait until Prescan has finished. Click on Scan. Click on Report and copy/paste the contents of the report in your next reply. ===== Also, please download AdwCleaner by Xplode onto your Desktop. Double click on AdwCleaner.exe to run the tool. Click on Search. A logfile will automatically open after the scan has finished. Please post the content of that logfile in your reply. You can find the logfile at C:\AdwCleaner[R1].txt as well. ===== In your reply please provide the contents of the logs from RogueKiller and AdwCleaner. How is the computer running?
  5. Hello migs102006, Thank you. Well that came up clean. I am not familiar with the McAfee Firewall; are you able to block certain IP addresses? If so, please block this one: 192.168.1.1 And see if the probing continues.
  6. Good morning fosternguyen, No worries about ComboFix. Please do the following to re-run AdwCleaner: Please close all open programs and internet browsers. Double click on adwcleaner.exe to run the tool. Click on Delete. Confirm each time with OK. Your computer will be rebooted automatically. A text file will open after the restart. Please post the content of that logfile in your reply. You can find the logfile at C:\AdwCleaner[s1].txt as well. Note: If you get a message that you must reboot the computer before starting deletion, please do. At reboot, only AdwCleaner will run and you can only click on the Delete button. When the deletion is done, AdwCleaner will reboot the computer again and open the logfile. ===== Also, please download OTL.exe by OldTimer to your Desktop. Close all windows and double click OTL.exe. In the "Custom Scans/Fixes" window (under the light green bar) paste the following in bold: netsvcs drivers32 %SYSTEMDRIVE%\*.* %systemroot%\*. /mp /s CREATERESTOREPOINT HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs Click Run Scan and let the program run uninterrupted. When the scan completes, it will open two Notepad windows. OTL.txt and Extras.txt. These are saved in the same location as OTL. Post both logs in this thread. You may need to use two posts to get it all. ===== In your reply please provide the contents of the following (you may need to use multiple posts): AdwCleaner[s1].txt. OTL.txt. Extras.txt. How is the computer currently running?
  7. Good morning Jedarius, OK the scan found two Registry Keys, so let's see how that goes. Please follow these instructions to remove the remaining malicious entries: Please close any open browsers. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix. Open Notepad and copy/paste the text in the quotebox below into it: Please Note: Do NOT use any other text editor than Notepad or the CFScript will fail. Save this as CFScript.txt, in the same location as ComboFix.exe. Referring to the picture above, drag CFScript into ComboFix.exe. When finished, it shall produce a log for you at C:\ComboFix.txt. Please post the ComboFix.txt in your next reply. ===== Also, please run a new MBAM scan and see what it finds. Post that in your reply, along with the contents of ComboFix.txt.
  8. Good morning Kirbett, I'm afraid I have bad news about your computer. Your log shows a dangerous worm was residing on your computer with a backdoor functionality. It is possible that a remote attacker has already breached your computer. For more information on this worm, please see here. Please consider disconnecting this computer from the Internet after you finish reading this and use a known clean computer to follow my suggestions regarding your personal information. If you do any banking or other financial transactions on the computer, or if it contains any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation. Though the worm has been identified and can be removed, your computer is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of worm, the best course of action would be a reformat and reinstall of the Operating System. Please visit the following sites for more information on internet theft and when to reformat! How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud? When Should I Format, How Should I Reinstall I will of course do my best to help clean the computer of any infections that I can see if you would like to continue. If you have any questions before making a final decision, please feel free to ask. Instructions on how to format and reinstall Windows can be found here ===== Now, it is possible that this worm has been dealt with, and no lasting damage has been carried out. Please run a free online scan with the ESET Online Scanner. Note: You can use Internet Explorer or Mozilla Firefox for this scan. Tick the box next to YES, I accept the Terms of Use. Click Start. When asked, allow the ActiveX control to install. Click Start. Make sure that the option Remove found threats is unchecked and the option Scan unwanted applications is checked. Click Scan. Wait for the scan to finish. Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt. Copy and paste that log as a reply to this topic. Are there any current issues on the computer?
  9. I am TheDarkKnight and will be assisting you. Please ask questions if anything is unclear. Please follow these instructions to run ComboFix.exe. Please visit this webpage for download links and instructions for running this tool: http://www.bleepingc...to-use-combofix * Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix (CF). Please go here to see a list of programs that need to be disabled. **Note: Do not mouseclick ComboFix's window while it's running. That may cause it to stall.** **Note 2: If you get a message saying "Illegal operation attempted on a registry key that has been marked for deletion", please restart your computer.** Please include the C:\ComboFix.txt in your next reply for further review. ===== Also, please download to the Desktop RogueKiller (by tigzy). Please quit all programs. Start RogueKiller.exe. Wait until Prescan has finished. Click on Scan. Click on Report and copy/paste the contents of the report in your next reply. ===== In your reply please provide the contents of the following: ComboFix.txt. RogueKiller log. How is your computer running now?
  10. I am TheDarkKnight and will be assisting you. Please ask questions if anything is unclear. That should be fine. Please download AdwCleaner by Xplode onto your Desktop. Double click on AdwCleaner.exe to run the tool. Click on Search. A logfile will automatically open after the scan has finished. Please post the content of that logfile in your reply. You can find the logfile at C:\AdwCleaner[R1].txt as well. ===== Also, please follow these instructions to run ComboFix.exe. Please visit this webpage for download links and instructions for running this tool: http://www.bleepingcomputer.com/combofix/how-to-use-combofix * Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix (CF). Please go here to see a list of programs that need to be disabled. **Note: Do not mouseclick ComboFix's window while it's running. That may cause it to stall.** **Note 2: If you get a message saying "Illegal operation attempted on a registry key that has been marked for deletion", please restart your computer.** Please include the C:\ComboFix.txt in your next reply for further review. ===== In your reply please provide the contents of the following: AdwCleaner[R1].txt. ComboFix.txt. How is the computer running?
  11. Hello Jedarius, OK weird that the file wasn't found. Please run SystemLook again but with this command: :regfind WindowsLiveUpdate Please post the results.
  12. Hello Woe_is_Me_n_myPC, To do this, please set Win7 to show hidden/system files and folders so that you can find them: Please click Start and open My Computer. On the Organize tab, click on Folder and search options. On the View tab, uncheck Hide file extensions for known file types. Also uncheck Hide protected operating system files (Recommended) and click Yes on the warning message. Under Hidden files and folders, check Show hidden files, folders, or drives. Click Apply. Click OK and close My Computer. I will give you instructions for hiding them again after it looks like your computer is clean. ===== Then, please go to http://www.virustotal.com, click on Choose File, and upload the following file for analysis: You will only be able to have one file scanned at a time. C:\Users\CHRIST~1\AppData\Local\Temp\7zS7737\hpslpsvc64.dll Then click Scan It!. Allow the file to be scanned, and then please copy/paste the results here for me to see. Note: If a message appears saying the file has already been analysed, please resend the file.
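The Explorer view change and the VirusTotal upload in post 12, done from PowerShell. This is an added example, not part of the original post: the three registry values under Explorer\Advanced are the ones the Folder Options dialog writes, and Get-FileHash (PowerShell 4.0 or later) produces a SHA-256 that can be searched on VirusTotal directly, which avoids uploading a file that may contain the user's data. The file path used at the bottom is the one quoted in the post; the function and parameter names are this example's own.

```powershell
# Added example, not code from the forum post. Run in an elevated PowerShell
# on Windows 7 or later with PowerShell 4.0+ (for Get-FileHash).

$advanced = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'

function Show-HiddenAndSystemFiles {
    # Hidden=1 shows hidden files, HideFileExt=0 shows extensions for known
    # file types, ShowSuperHidden=1 shows protected operating-system files.
    # Explorer reads these on start: sign out/in or restart explorer.exe after.
    Set-ItemProperty -Path $advanced -Name Hidden          -Value 1 -Type DWord
    Set-ItemProperty -Path $advanced -Name HideFileExt     -Value 0 -Type DWord
    Set-ItemProperty -Path $advanced -Name ShowSuperHidden -Value 1 -Type DWord
}

function Hide-HiddenAndSystemFiles {
    # Restore the Windows defaults once the machine looks clean.
    Set-ItemProperty -Path $advanced -Name Hidden          -Value 2 -Type DWord
    Set-ItemProperty -Path $advanced -Name HideFileExt     -Value 1 -Type DWord
    Set-ItemProperty -Path $advanced -Name ShowSuperHidden -Value 0 -Type DWord
}

function Get-SuspectFileReport {
    # Fingerprint a file so it can be looked up on VirusTotal by hash.
    param([Parameter(Mandatory)][string]$Path)

    # -Force so a hidden or system-attributed file still resolves.
    $item   = Get-Item -LiteralPath $Path -Force
    $sha256 = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
    $sig    = Get-AuthenticodeSignature -LiteralPath $Path

    [pscustomobject]@{
        Path      = $item.FullName
        SizeBytes = $item.Length
        Modified  = $item.LastWriteTimeUtc
        SHA256    = $sha256
        SigStatus = $sig.Status                       # Valid / NotSigned / HashMismatch ...
        Signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(unsigned)' }
        VTLookup  = "https://www.virustotal.com/gui/file/$sha256"
    }
}

# Usage: the path is the one named in the post above.
Show-HiddenAndSystemFiles
Get-SuspectFileReport -Path "$env:LOCALAPPDATA\Temp\7zS7737\hpslpsvc64.dll" | Format-List
```

A file dropped under a random-looking Temp subfolder (7zS... is the pattern a self-extracting 7-Zip installer uses) is often just an installer payload, so the signature status and VirusTotal result together tell you more than the location alone; an unsigned DLL with no VirusTotal record is still worth uploading, as the post asks.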
  13. Hello migs102006, Please upload it to a file sharing site, like mega upload, and provide me with a link.
  14. Hey migs102006, Please re-run MBRScan. Click Dump. Once you have selected your MBR code, please click Dump Selected MBR (if there are multiple codes please do this for each of them).
  15. Howdy Jedarius, Please download to your Desktop SystemLook by jpshortstuff from here. Double-click SystemLook.exe and copy and paste the content of the following codebox (starting with :filefind) into the main textfield and click the Look button to start the scan: :filefind WindowsLiveUpdate.exe When finished, a notepad window will open with the results of the scan. Please post this log in your next reply. Note: The log can also be found on your Desktop entitled SystemLook.txt.
  16. Howdy Woe_is_Me_n_myPC, Updates we can do later. For the interim don't do Windows Updates. For x32 (x86) bit systems please download the Farbar Recovery Scan Tool 32-Bit and save it to a flash drive. For x64 bit systems please download the Farbar Recovery Scan Tool 64-Bit and save it to a flash drive. Plug the flashdrive into the infected PC. Enter System Recovery Options. To enter System Recovery Options from the Advanced Boot Options: Restart the computer. As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears. Use the arrow keys to select the Repair your computer menu item. Select US as the keyboard language settings, and then click Next. Select the operating system you want to repair, and then click Next. Select your user account and click Next. To enter System Recovery Options by using the Windows installation disc: Insert the installation disc. Restart your computer. If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings. Click Repair your computer. Select US as the keyboard language settings, and then click Next. Select the operating system you want to repair, and then click Next. Select your user account and click Next. On the System Recovery Options menu you will get the following options: Startup Repair System Restore Windows Complete PC Restore Windows Memory Diagnostic Tool Command Prompt Select Command Prompt. In the command window type in notepad and press Enter. The notepad opens. Under File menu select Open. Select Computer, find your flash drive letter and close the notepad. In the command window type e:\frst.exe (for x64 bit version type e:\frst64) and press Enter. Note: Replace letter e with the drive letter of your flash drive. The tool will start to run. When the tool opens click Yes to the disclaimer. Press the Scan button. It will make a log (FRST.txt) on the flash drive. Please copy and paste it in your reply.
  17. Hello aryama, Is there a reason why you don't want to make a bootable CD? Because it will work better than the USB. I think you should make a topic in the hardware section of this forum, as I don't think your issues are malware related.
  18. Hello Kirbett, Please try downloading now. That was just temporary I think.
  19. Good evening Jedarius, Please run OTL.exe. Copy the commands with file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy): :OTL O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present @Alternate Data Stream - 5120 bytes -> C:\ProgramData:gs5sys @Alternate Data Stream - 1536 bytes -> C:\Users\Public\Documents\desktop.ini:gs5sys @Alternate Data Stream - 1536 bytes -> C:\Users\Hai\Documents\desktop.ini:gs5sys @Alternate Data Stream - 126 bytes -> C:\ProgramData\TEMP:553CA6CA :Commands [EmptyTemp] Return to OTL.exe, right click in the "Custom Scans/Fixes" window (under the light green bar) and choose Paste. Click the red Run Fix button. A fix log in Notepad will appear. Copy the contents of the fix log to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply. Close OTL.exe If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. ==== Now try MBAM please.
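The OTL fix in post 19 deletes NTFS alternate data streams (ADS) named gs5sys that were attached to a directory and to two desktop.ini files. This added example, which is not part of the original post, shows how to do the same inspection and removal natively: PowerShell 3.0 and later expose streams through the -Stream parameter of Get-Item and Remove-Item. The paths at the bottom are the ones listed in the fix; the function names and the sweep over the user profile are this example's own.

```powershell
# Added example, not the forum's OTL script. Requires PowerShell 3.0+;
# run as Administrator so system-attributed files can be opened.

function Get-AlternateDataStream {
    # List every named stream on the given paths, skipping the default
    # unnamed stream (':$DATA') that every file has.
    param([Parameter(Mandatory)][string[]]$Path)
    foreach ($p in $Path) {
        Get-Item -LiteralPath $p -Stream * -Force -ErrorAction SilentlyContinue |
            Where-Object { $_.Stream -ne ':$DATA' } |
            ForEach-Object {
                [pscustomobject]@{ Path = $_.FileName; Stream = $_.Stream; Length = $_.Length }
            }
    }
}

function Find-AlternateDataStream {
    # Sweep a directory tree for a stream name. Malware that hides in ADS
    # often stamps the same stream onto many files (note the two desktop.ini
    # entries in the fix above), so a single hit usually means there are more.
    # 'Zone.Identifier' is the normal mark-of-the-web stream and is benign.
    param([Parameter(Mandatory)][string]$Root, [string]$StreamName = '*')
    Get-ChildItem -LiteralPath $Root -Recurse -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            Get-Item -LiteralPath $_.FullName -Stream $StreamName -Force -ErrorAction SilentlyContinue
        } |
        Where-Object { $_.Stream -ne ':$DATA' -and $_.Stream -ne 'Zone.Identifier' } |
        Select-Object FileName, Stream, Length
}

function Remove-AlternateDataStream {
    # Remove one named stream from each path; the file or directory itself
    # is untouched. Supports -WhatIf so the removal can be previewed first.
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string[]]$Path, [Parameter(Mandatory)][string]$Stream)
    foreach ($p in $Path) {
        $found = Get-Item -LiteralPath $p -Stream $Stream -Force -ErrorAction SilentlyContinue
        if (-not $found) { continue }
        if ($PSCmdlet.ShouldProcess("${p}:$Stream", 'Remove alternate data stream')) {
            Remove-Item -LiteralPath $p -Stream $Stream -Force
        }
    }
}

# Usage with the paths from the fix above (the Hai profile becomes the
# current user's profile here).
$targets = 'C:\ProgramData',
           'C:\Users\Public\Documents\desktop.ini',
           "$env:USERPROFILE\Documents\desktop.ini",
           'C:\ProgramData\TEMP'

Get-AlternateDataStream -Path $targets | Format-Table -AutoSize
Find-AlternateDataStream -Root $env:USERPROFILE -StreamName 'gs5sys'

# Preview first, then drop -WhatIf to delete.
Remove-AlternateDataStream -Path $targets -Stream 'gs5sys' -WhatIf
```

Because a stream lives on the file's MFT record rather than in the directory listing, a normal dir or Get-ChildItem never shows it; that is why the fix targets desktop.ini files that otherwise look untouched. Removing the stream does not remove whatever loads it, so the registry policy entries in the same fix (the O6/O7 Internet Explorer restrictions) still need to go as well.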
  20. Good afternoon migs102006, Please try this tool in the meantime then. Please download MBRScan and save it to your Desktop. Doubleclick on MBRScan.exe and click the Report button. (Vista and Windows 7 Users, right click on MBRScan and then click on Run as administrator). Please don't use the computer while the scan is running. The computer may not respond until the scan is done. Please be patient and don't force a restart of the computer. When the scan is finished, a log file will appear. Save that log file to your Desktop and post its content in your next reply.
  21. Hey QubicComputers, That sounds like normal Adobe. ===== A little housekeeping to uninstall ComboFix: Please click Start>Run and copy/paste the following text, including the space between "ComboFix" and "/uninstall", into the Run box and click OK: ComboFix /uninstall And AdwCleaner: Please double click on adwcleaner.exe to run the tool. Click on Uninstall. Confirm with Yes. To remove all of the tools we used and the files and folders they created do the following: Double click OTL.exe. Click the CleanUp button. Select Yes when the "Begin cleanup Process?" prompt appears. If you are prompted to reboot during the cleanup, select Yes. The tool will delete itself once it finishes. Note: If any tool, file or folder (belonging to the program we have used) hasn't been deleted, please delete it manually. Right-click the Recycle Bin and please select Empty Recycle Bin. ===== Please consider using these ideas to help secure your computer. While there is no way to guarantee safety when you use a computer, these steps will make it much less likely that you will need to endure another infection. While we really like to help people, we would rather help you protect yourself so that you won't need that help in the future. IMPORTANT: Please enable Automatic Updates under Start > Control Panel > Automatic Updates to ensure your Windows updates regularly. This is extremely important in ensuring you remain protected against vulnerabilities and infections. This is a crucial security measure. As a minimum, you need at least an antivirus, firewall and some type of anti-spyware program. Please consider installing and running the following program (there is a free version available): SpywareBlaster A tutorial on using SpywareBlaster to prevent malware from ever installing on your computer may be found here. Please keep these programs up-to-date and run them whenever you suspect a problem to prevent malware problems. A number of programs have resident protection and it is a good idea to run the resident protection of one of each type of program to maintain protection. However, it is important to run only one resident program of each type since they can conflict and become less effective. That means only one antivirus, firewall and scanning anti-spyware program at a time. Passive protectors, like SpywareBlaster, can be run with any of them. Note that there are a lot of rogue programs out there that want to scare you into giving them your money and some malware actually claims to be security programs. If you get a popup for a security program that you did not install yourself, do NOT click on it and ask for help immediately. It is very important to run an antivirus and firewall, but you can't always rely on reviews and ads for information. Ask in a security forum that you trust if you are not sure. If you are unsure and looking for anti-spyware programs, you may be able to find out if it is a rogue here: http://www.spywarewarrior.com/rogue_anti-spyware.htm A similar category of programs is now called "scareware." Scareware programs are active infections that will pop-up on your computer and tell you that you are infected. If you look closely, it will usually have a name that looks like it might be legitimate, but it is NOT one of the programs you installed. It tells you to click and install it right away. If you click on any part of it, including the 'X' to close it, you may actually help it infect your computer further. Keeping protection updated and running resident protection can help prevent these infections. If it happens anyway, get offline as quickly as you can. Pull the internet connection cable or shut down the computer if you have to. Contact someone to help by using another computer if possible. These programs are also sometimes called 'rogues', but they are different than the older version of rogues mentioned above. Please consider using an alternate browser. Mozilla's Firefox browser is a very good alternative. In addition to being generally more secure than Internet Explorer, it has a very good built-in popup blocker and Add-ons, like Adblock Plus and NoScript, can make it even more secure. To avoid dangerous sites Web of Trust or McAfee SiteAdvisor can be installed. Google Chrome or Opera are other good options. Two useful programs for keeping your programs up-to-date are FileHippo or Secunia PSI. Running one of these regularly will help you obtain the latest program updates. Please also read Tony Klein's excellent article: How did I get infected in the first place. Hopefully these steps will help to keep you error free. If you run into more difficulty, we will certainly do what we can to help.
  22. Good morning migs102006, Did you run aswMBR?
  23. Good morning QubicComputers, When this topic is finished, you might like to find and post in the forum for CloudComputing as they will be better equipped with that particular issue. I notice that you have the User Account Control turned off. This is a very important security feature on Windows Vista and 7, as it allows you to restrict access to your computer and control programs that try to run. Please see below on how to turn it on: http://windows.microsoft.com/en-AU/windows-vista/Turn-User-Account-Control-on-or-off ===== Your version of Java is out of date. It's important to remove older versions of Java since it does not do so automatically and older versions can leave you vulnerable. Please follow the instructions below to update Java: Please go to the below link and download the latest Windows 7 version: http://www.java.com/en/download/manual.jsp Save it to your Desktop. Please go to Start>Control Panel>Programs. Navigate to any versions of Java (J2SE Runtime Environment) you have installed. They will have this icon next to them: Select Uninstall. Please double-click the installer and follow the prompts to install the latest version once all the previous versions have been successfully removed. ===== Next, your version of Adobe Reader is out of date. It could have security vulnerabilities, so please follow these instructions to update it: Please go to Start>All Programs>Adobe Reader. Open Adobe Reader and navigate to Help>Check for Updates. Please follow the prompts to install the latest version. Also, your version of Adobe Flash Player is out of date. Please follow these instructions to update to the latest version: Go to the Adobe Global Notifications Update website here: http://www.macromedia.com/support/documentation/en/flashplayer/help/settings_manager05.html#118377 A small box to the right within the window should load. Please select how often you would like Adobe to check for a new update for its Flash Player. Note: This has to be done separately for Firefox and IE. If a new version is found: Please tick the License Agreement. Click Install. Note: If you are running Mozilla Firefox all of its windows will need to be closed. Click Done. Note: In future if an update is available Adobe will notify you on your Desktop via the Adobe Download Manager. ===== Finally, your version of Mozilla Firefox is out of date. Please do the following to update it: Go to Start>All Programs>Mozilla Firefox. Click Firefox>Help>About Firefox. Let it search for any updates and install them when found. Please restart your computer if prompted. ===== In your reply please let me know how the updates go.
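Post 23 judges the machine's posture by hand (UAC off, stale Java, Adobe Reader, Flash and Firefox), and the OTL custom scan in post 6 pulls the Windows Update policy key and the last successful install time to see whether updates have been switched off. This added example, not part of either post, reads the same things from the registry in one pass so the findings can be reproduced without the scanning tools. The registry locations are the standard Vista/7 ones; the function names, the "Assessment" wording and the product-name patterns are assumptions made for this example.

```powershell
# Added example, not the forum's own procedure. Run in an elevated PowerShell
# on Windows Vista/7 or later (PowerShell 2.0 is enough).

function Get-UacState {
    # EnableLUA=0 is exactly the "User Account Control turned off" condition.
    # ConsentPromptBehaviorAdmin=0 means admins elevate silently, which is
    # almost as bad as UAC being off.
    $sys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $v = Get-ItemProperty -Path $sys
    $ok = ($v.EnableLUA -eq 1) -and ($v.ConsentPromptBehaviorAdmin -ne 0)
    [pscustomobject]@{
        EnableLUA                  = $v.EnableLUA
        ConsentPromptBehaviorAdmin = $v.ConsentPromptBehaviorAdmin
        PromptOnSecureDesktop      = $v.PromptOnSecureDesktop
        Assessment = if ($ok) { 'UAC on' } else { 'UAC disabled or silent elevation' }
    }
}

function Get-WindowsUpdateState {
    # The same two keys the OTL scan in post 6 queries. The AU policy key only
    # exists when a policy (or malware) has set it; NoAutoUpdate=1 disables
    # automatic updating. LastSuccessTime is the Windows 7 record of the last
    # successful install (absent on Windows 8 and later, which track it elsewhere).
    $policy  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'
    $results = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install'
    $au   = Get-ItemProperty -Path $policy  -ErrorAction SilentlyContinue
    $last = (Get-ItemProperty -Path $results -ErrorAction SilentlyContinue).LastSuccessTime
    [pscustomobject]@{
        NoAutoUpdatePolicy = $au.NoAutoUpdate
        AUOptions          = $au.AUOptions          # 4 = download and install automatically
        LastSuccessTime    = $last
        Assessment = if ($au.NoAutoUpdate -eq 1) { 'Automatic updates disabled by policy' }
                     else { 'No disabling policy present' }
    }
}

function Get-InstalledSoftwareVersion {
    # Enumerate the Uninstall keys (both native and WOW6432Node on x64) for the
    # products post 23 checks. Several "Java(TM) N Update NN" rows at once is
    # the "older versions left behind" problem the post describes.
    param([string[]]$NamePattern = @('Java*', 'J2SE*', 'Adobe Reader*',
                                     'Adobe Flash Player*', 'Mozilla Firefox*'))
    $keys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
            'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
        Where-Object {
            $name = $_.DisplayName
            if (-not $name) { return $false }
            foreach ($pat in $NamePattern) { if ($name -like $pat) { return $true } }
            $false
        } |
        Select-Object DisplayName, DisplayVersion, InstallDate, UninstallString |
        Sort-Object DisplayName
}

# Usage
Get-UacState
Get-WindowsUpdateState
Get-InstalledSoftwareVersion | Format-Table -AutoSize
```

The UninstallString column is there so the old Java entries can be removed from the same session once the newest installer is on the Desktop; the post's order (remove every old version, then install the current one) still applies, because the Java installer does not clean up earlier major versions itself.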
  24. Good morning Kirbett, Yes, this is very common. Please do the following to re-run AdwCleaner: Please close all open programs and internet browsers. Double click on adwcleaner.exe to run the tool. Click on Delete. Confirm each time with OK. Your computer will be rebooted automatically. A text file will open after the restart. Please post the content of that logfile in your reply. You can find the logfile at C:\AdwCleaner[s1].txt as well. Note: If you get a message that you must reboot the computer before starting deletion, please do. At reboot, only AdwCleaner will run and you can only click on the Delete button. When the deletion is done, AdwCleaner will reboot the computer again and open the logfile. ===== TDSSKiller came back clean. Please download the Kaspersky Virus Removal Tool from here to your Desktop. Double-click the Removal Tool. Click the cog in the upper right corner: Select down to and including your main drive. Once done please select the Automatic Scan tab and press Start Scan. Allow AVP to delete all infections found. Once it has finished select the Report tab. Select the Detected threats report from the left and press the Save button. Save it to your Desktop and post the contents in your next reply. ===== Please provide the reports from AdwCleaner and Kaspersky.