nuscher143
Honorary Members, 73 posts
Everything posted by nuscher143
-
It created 2 files. They are attached, but no threats.
Attachments: TDSSKiller.3.0.0.39_23.06.2014_15.26.40_log.txt, TDSSKiller.3.0.0.39_23.06.2014_15.29.21_log.txt
-
OK, it says 1 hour and 5 minutes more. So as long as it continues, I will let it. If not, I will try the other download above. Thanks... "see" you in about an hour. Elaine
-
It says that it is going to take more than an hour to run the scan. I did the first step in safe mode, but when I rebooted as per the instructions it would not boot into safe mode, and therefore the scan began in normal mode. Should I just let it run, or should I start again?
-
OK
-
I cannot create a system restore point. I get a message saying "System Restore does not appear to be functioning correctly on this system. A Volume Shadow Copy Service component encountered an unexpected error. Check the Application event log for more information." That is in safe mode. In regular mode those dllhost processes are still popping up, which then eat up all the memory. I click to create a restore point and nothing happens for a long time. Then I get a pop-up saying "Starting System Restore", but nothing happens... it just keeps acting like it is going to create a restore point. Then another pop-up comes up and asks me if I want to leave or stay on this page, but I am not trying to access a web page. Then another restore point window opens up, and now both search and search. Finally I get 2 identical boxes saying "Restore system files and settings. No restore points have been created on your computer's system drive. To create a restore point, open System Protection." I was afraid to click on it. Should I skip the restore?
-
Yeah, those 2 files are the nasty virus files. Attached is the next ComboFix log.
Attachment: combofix log2.txt
-
I ran ComboFix from my desktop in safe mode. Attached is the log.
Attachment: combofix log.txt
-
I ran it in normal mode, and I have attached the log. Task Manager was still showing all of the dllhost.exe *32 COM Surrogate entries, so I rebooted, and it is still happening. Was the fix supposed to take care of that? What's next?
Attachment: Fixlog.txt
-
I am able to get the option to run recovery mode. It says "Starting Windows" and then I get a blue screen that says "A problem has been detected and Windows has been shut down to prevent damage to your computer. BAD_SYSTEM_CONFIG_INFO." I shut down the computer, went into safe mode, clicked restart, and the same thing happened again. I can get into Windows in safe mode or booting regularly. Should I try another way to use the fixlist? I will wait for you to tell me what to do next.
-
OK, thank you. Have a good night. Elaine
-
I was able to run it by going through Recovery and Command Prompt. I was not able to run it with Safe Mode with Command Prompt. Attached are the files.
Attachments: Addition.txt, FRST.txt
-
OK, ty... will be back in a few.
-
I didn't try again... can I run it with Safe Mode with Command Prompt? Please read what I wrote above, and then I will move forward.
-
Oops, forgot to attach the RogueKiller reports just now.
Attachments: RKreport_SCN_06222014_192643.txt, RKreport_DEL_06222014_114305.log
-
Here are 2 RogueKiller reports: one from earlier today, when I hadn't started with you yet, and then one I ran just now. The one I ran just now did not come up with anything. Question on FRST: if I can start in Safe Mode with Command Prompt, is that OK? I am able to get FRST to run, but then it just hangs at the spot that says "Getting application errors 69644". And it looked like it was still scanning, but it was doing it for over 2 hours. I will wait to hear from you before trying to run that again. I did download it on a clean computer and put it on the infected computer. Thanks.
-
That is where I am stuck... on FRST.
-
I ran a quick scan and nothing showed up (attached). When I ran this yesterday nothing showed up until I did a full scan, but I did click remove, and that did not seem to get rid of the issues. As far as Farbar, I had to download it onto a flash drive from another computer and then put it on my laptop. It has been running for about 20 minutes, and it has been saying the same thing... "Getting application errors: 69644". I can only work with my computer in safe mode. I cannot use Safe Mode with Networking. I downloaded Farbar to the flash drive, then copied and pasted it into a folder on the infected laptop, and then ran it from that folder. Is that OK? How long should I let it run before I cancel, or should I skip this process? Thank you. Elaine
Attachment: mbam-log-2014-06-22 (16-25-46).txt
-
I ran a full scan and malware did find infections. Even after removing them successfully, I am still having issues. If I try to run RogueKiller, the computer finds root,zekos, but then as soon as it finds it, the computer reboots. I have to do all of this in safe mode without any networking, or the dllhost.exe propagates so much that it eats up all of the memory and CPU usage.
-
Can someone please help. My computer was running slow, and I ran Malwarebytes, and it came up with a few infections. I used removal, and it said it was successful. However, my computer was still acting very strange. I opened Task Manager, and dllhost keeps recreating and uses up all my memory and CPU. If I delete it, it comes right back. Running malware comes up clean. I am using another computer to post because I can't even run in Safe Mode with Networking to download or try any other programs on that computer. I did some other things in my registry as well.
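The symptom described in this thread, dllhost.exe (COM Surrogate) instances multiplying until memory and CPU are exhausted, is easiest to triage by listing every instance together with the process that started it and the command line it was given. The snippet below is an added example for that triage; it is not from the forum thread or from any of the tools used in it. It is read-only, assumes PowerShell 3.0 or later on an elevated prompt (otherwise ExecutablePath and CommandLine are blank for other users' processes), and relies on one piece of general Windows behaviour: a normally launched surrogate is started by svchost.exe (DcomLaunch) with a /Processid:{CLSID} argument naming the COM class it hosts.

```powershell
# Added example, not from the forum thread. Read-only triage of dllhost.exe (COM Surrogate)
# instances: who started each one, what it was asked to host, and when it appeared.
# Assumes PowerShell 3.0+ and an elevated prompt.

$procs = Get-WmiObject -Class Win32_Process
$byPid = @{}
foreach ($p in $procs) { $byPid[[int]$p.ProcessId] = $p }

$surrogates = $procs | Where-Object { $_.Name -ieq 'dllhost.exe' }

$report = foreach ($p in $surrogates) {
    $parent = $byPid[[int]$p.ParentProcessId]
    $parentName = if ($parent) { $parent.Name } else { '<exited>' }

    # A normally launched surrogate carries /Processid:{CLSID}; capture it so the hosted
    # COM class can be looked up under HKLM\SOFTWARE\Classes\CLSID afterwards.
    $hosted = $null
    if ($p.CommandLine -match '/Processid:(\{[0-9A-Fa-f-]+\})') { $hosted = $Matches[1] }

    [PSCustomObject]@{
        PID         = $p.ProcessId
        ParentPID   = $p.ParentProcessId
        Parent      = $parentName
        Image       = $p.ExecutablePath      # SysWOW64 path = the "*32" entries in Task Manager
        HostedCLSID = $hosted
        Started     = $p.ConvertToDateTime($p.CreationDate)
    }
}

$report | Sort-Object Started | Format-Table -AutoSize

# One parent accounting for dozens of surrogates, or surrogates with no HostedCLSID,
# is the pattern worth chasing; svchost.exe starting a handful is normal.
$report | Group-Object Parent | Select-Object Name, Count | Sort-Object Count -Descending
```

Run it twice a minute apart: if the PIDs churn but the parent and the missing /Processid argument stay constant, the respawning is coming from that parent rather than from COM activation, which is where a cleanup tool needs to look.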
-
Can someone please help. dllhost keeps propagating and eating up memory and CPU usage.
-
There are no words to express how grateful I am. We were almost done cleaning my computer, and then Hurricane Sandy hit. When I finally got back in touch with Mr C, we had to start all over! He stuck with me until my computer was completely clean and running faster than ever. Instructions were clear and exact. He always responded quickly. Best support I have had in a long time. Thanks again, Mr C, you are amazing!!!!!
-
Thank you so much! It looks like everything is running smoothly now. Just running through all your preventive maintenance.
-
Results of screen317's Security Check version 0.99.56
Windows 7 Service Pack 1 x64 (UAC is enabled)
Internet Explorer 9
``````````````Antivirus/Firewall Check:``````````````
Windows Firewall Disabled!
AVG Internet Security 2013
Antivirus up to date! (On Access scanning disabled!)
`````````Anti-malware/Other Utilities Check:`````````
Malwarebytes Anti-Malware version 1.65.1.1000
Adobe Flash Player 11.4.402.287 Flash Player out of Date!
Adobe Reader 9 Adobe Reader out of Date!
Mozilla Firefox 16.0.2 Firefox out of Date!
Google Chrome 21.0.1180.89
Google Chrome 22.0.1229.79
Google Chrome 22.0.1229.92
Google Chrome 22.0.1229.94
Google Chrome 23.0.1271.64
Google Chrome 23.0.1271.91
Google Chrome 23.0.1271.95
````````Process Check: objlist.exe by Laurent````````
Malwarebytes Anti-Malware mbamservice.exe
Malwarebytes Anti-Malware mbamgui.exe
AVG avgwdsvc.exe
Malwarebytes' Anti-Malware mbamscheduler.exe
`````````````````System Health check`````````````````
Total Fragmentation on Drive C: 0%
````````````````````End of Log``````````````````````
-
OMG, finally. That SaveAs program was the culprit. Everything seems OK now. Please let me know if there is anything else I should do from the log I just posted. THANK YOU THANK YOU THANK YOU
-
All processes killed
========== OTL ==========
Releasing module C:\ProgramData\SaveAs\509818124f872.ocx
C:\ProgramData\SaveAs\509818124f872.ocx moved successfully.
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3C34F43D-8C1D-4118-F130-21D1F94ACC5B}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{3C34F43D-8C1D-4118-F130-21D1F94ACC5B}\ deleted successfully.
File C:\ProgramData\SaveAs\509818124f872.ocx not found.
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5C255C8A-E604-49b4-9D64-90988571CECB}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5C255C8A-E604-49b4-9D64-90988571CECB}\ not found.
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\ not found.
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{B84CDBE7-1B46-494B-A188-01D4C52DEB61}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B84CDBE7-1B46-494B-A188-01D4C52DEB61}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{DBC80044-A445-435b-BC74-9C25C1C588A9}\ deleted successfully.
Registry value HKEY_USERS\S-1-5-21-1763447205-1324904601-2387708082-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA}\ not found.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\ deleted successfully.
C:\Users\Elaine\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\2X Client.lnk moved successfully.
64bit-Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\livecall\ deleted successfully.
File Protocol\Handler\livecall - No CLSID value found not found.
64bit-Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\msnim\ deleted successfully.
File Protocol\Handler\msnim - No CLSID value found not found.
64bit-Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\skype-ie-addon-data\ deleted successfully.
File Protocol\Handler\skype-ie-addon-data - No CLSID value found not found.
64bit-Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\wlmailhtml\ deleted successfully.
File Protocol\Handler\wlmailhtml - No CLSID value found not found.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\\WebCheck deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\ not found.
========== FILES ==========
C:\ProgramData\SaveAs\data folder moved successfully.
C:\ProgramData\SaveAs folder moved successfully.
========== COMMANDS ==========
[EMPTYJAVA]
User: Administrator
User: All Users
User: Default
User: Default User
User: Elaine
->Java cache emptied: 83914853 bytes
User: Public
Total Java Files Cleaned = 80.00 mb
[EMPTYTEMP]
User: Administrator
->Temp folder emptied: 0 bytes
User: All Users
User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
User: Elaine
->Temp folder emptied: 948514 bytes
->Temporary Internet Files folder emptied: 590158829 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 198308025 bytes
->Google Chrome cache emptied: 60610162 bytes
->Flash cache emptied: 109533 bytes
User: Public
->Temp folder emptied: 0 bytes
%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32 (64bit) .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 50235 bytes
%systemroot%\sysnative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 36054365 bytes
RecycleBin emptied: 289 bytes
Total Files Cleaned = 845.00 mb
[EMPTYFLASH]
User: Administrator
User: All Users
User: Default
User: Default User
User: Elaine
->Flash cache emptied: 0 bytes
User: Public
Total Flash Files Cleaned = 0.00 mb
OTL by OldTimer - Version 3.2.69.0 log created on 11292012_093910
Files\Folders moved on Reboot...
C:\Users\Elaine\AppData\Local\Temp\FXSAPIDebugLogFile.txt moved successfully.
C:\Users\Elaine\AppData\Local\Temp\VGX5B52.tmp moved successfully.
File\Folder C:\Users\Elaine\AppData\Local\Temp\~DF6F6A31F258115017.TMP not found!
File\Folder C:\Users\Elaine\AppData\Local\Temp\~DFB48D7070729AF347.TMP not found!
File\Folder C:\Users\Elaine\AppData\Local\Temp\~DFE967B6660E4DA73A.TMP not found!
File\Folder C:\Users\Elaine\AppData\Local\Temp\~DFF01B443A40B96CBE.TMP not found!
File\Folder C:\Users\Elaine\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\Z0XQUBZQ\fastbutton[8].htm not found!
File\Folder C:\Users\Elaine\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\WGF9O1XC\EFpQQyG9GqCrobXxL-KRMWzklk6MJbhg7BmBP42CjCQ[1].eot not found!
File\Folder C:\Users\Elaine\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\VJ2NPSXO\s-BiyweUPV0v-yRb-cjciFQlYEbsez9cZjKsNMjLOwM[1].eot not found!
File\Folder C:\Users\Elaine\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\PVWSQEMM\res[1].htm not found!
C:\Users\Elaine\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\AntiPhishing\ED8654D5-B9F0-4DD9-B3E8-F8F560086FDF.dat moved successfully.
C:\Users\Elaine\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\IJ3LBY6D\PIE[1].htc moved successfully.
C:\Users\Elaine\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\IJ3LBY6D\spacer[1].htm moved successfully.
C:\Users\Elaine\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\DLQY1DQ0\myriadpro-boldcond-webfont[1].eot moved successfully.
C:\Users\Elaine\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\DLQY1DQ0\myriadpro-cond-webfont[1].eot moved successfully.
C:\Users\Elaine\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\42ZJG3Y0\leaders[4].htm moved successfully.
PendingFileRenameOperations files...
Registry entries deleted on Reboot...
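The OTL log above removes a SaveAs .ocx under C:\ProgramData together with several keys under HKLM\...\Explorer\Browser Helper Objects and their matching CLSID entries: the persistence is an Internet Explorer Browser Helper Object whose module loads from a data directory rather than from an installed program. The check below is an added example, not part of the forum post or of OTL, for spotting that pattern before a fix is written. It is read-only and assumes PowerShell 3.0 or later on an elevated 64-bit Windows prompt; the BHO and CLSID key paths are the standard ones, and, because the log mixes unprefixed entries with "64bit-" ones, both the native and the Wow6432Node views are walked. The "trusted roots" heuristic (Program Files, Program Files (x86), Windows) is this example's own assumption and will flag legitimate add-ons installed elsewhere, which is intended: those are the ones to look at.

```powershell
# Added example, not from the forum thread or OTL. Enumerate every registered IE Browser
# Helper Object, resolve its CLSID to the DLL/OCX that gets loaded, and flag entries whose
# module is missing, unsigned, or outside the usual install locations. Nothing is deleted.
# Assumes PowerShell 3.0+ on an elevated prompt.

$bhoKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
)
$clsidRoots = @(
    'HKLM:\SOFTWARE\Classes\CLSID',
    'HKLM:\SOFTWARE\Classes\Wow6432Node\CLSID',
    'HKCU:\SOFTWARE\Classes\CLSID'
)
# Heuristic (this example's assumption): a BHO installed by a real product lives under one
# of these roots. C:\ProgramData, %AppData%, %Temp% etc. deliberately are not listed.
$trustedRoots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}, $env:SystemRoot) | Where-Object { $_ }

function Resolve-BhoModule {
    param([string]$Clsid)
    foreach ($root in $clsidRoots) {
        $inproc = Join-Path $root "$Clsid\InprocServer32"
        if (Test-Path $inproc) {
            # The (default) value of InprocServer32 is the path IE will LoadLibrary.
            $raw = (Get-ItemProperty -Path $inproc).'(default)'
            if ($raw) { return [Environment]::ExpandEnvironmentVariables($raw.Trim('"')) }
        }
    }
    return $null
}

$results = foreach ($key in $bhoKeys) {
    if (-not (Test-Path $key)) { continue }
    foreach ($sub in Get-ChildItem -Path $key) {
        $clsid   = $sub.PSChildName
        $module  = Resolve-BhoModule -Clsid $clsid
        $exists  = [bool]($module -and (Test-Path -LiteralPath $module))
        $trusted = $false
        if ($module) {
            foreach ($t in $trustedRoots) {
                if ($module.StartsWith($t, [StringComparison]::OrdinalIgnoreCase)) { $trusted = $true }
            }
        }
        $signer = $null
        if ($exists) { $signer = (Get-AuthenticodeSignature -FilePath $module).Status }
        [PSCustomObject]@{
            View       = if ($key -like '*Wow6432Node*') { '32-bit' } else { '64-bit' }
            CLSID      = $clsid
            Module     = $module
            OnDisk     = $exists
            Signature  = $signer
            Suspicious = (-not $module) -or (-not $exists) -or (-not $trusted) -or ($signer -ne 'Valid')
        }
    }
}

$results | Sort-Object Suspicious -Descending | Format-Table -AutoSize
```

A BHO whose CLSID has no InprocServer32 at all (Module empty) is the leftover state the log shows after the first pass deleted the CLSID key but not the BHO entry; a module under C:\ProgramData with no valid signature is the state before the fix. Either way the output gives the exact registry paths and file path a removal script needs, in the same form OTL prints them.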