Infected PC


LisaK2

Hi,

I am running Win 7 with Avast Free Edition, Malwarebytes Anti-Malware, SuperAntiSpyware Free, and Comodo AV & Firewall.

My PC has been infected with some rootkit virus/malware that not only pushes my CPU usage to 100% (under different processes: avast/comodo/nvidia/adobe/etc.) but has managed to crawl in behind/into all these programs.

When I update these programs, I usually get error messages at the first attempt (or eternal hanging) before the update takes place. But when in Safe Mode, all the above programs show that they have not been updated for days!

 

When I noticed my PC started running crazy before I even logged in, I knew something was wrong! I immediately unplugged my internet to stop whoever from doing whatever and spreading that to my mail contacts. Bit too late though! My husband's PC at work crashed, as well as my son's laptop. The laptop had to be formatted and Windows re-installed; I am now sending this from the laptop.

I ran various scans on my pc, nothing serious popped up. I am not a pc guru (unfortunately!), but after some research on the internet (via the laptop), I started checking different things on my system, like the event viewer etc. Also started double checking all services running - all were legal and running from the "correct" folders. Then I stumbled on this website (thank God!! :-) for that)!

 

I downloaded a newer Malwarebytes via the laptop and installed it on my PC; plugged the internet back in and updated. Then I ran a scan and after that I uninstalled all the suspect programs/games. Found an Adobe Reader X which would not allow me to uninstall it since I am not connected to the network?! Ran Malwarebytes again this morning, yet the whole PC froze and I had to use the power button to restart. The Comodo scan did the same thing! Logged in in Safe Mode, and once again all my 'security' programs were way behind their daily updates, including the Malwarebytes! (that was 186 days behind I think!)

 

Then disabled all the security apps, copied dds and ran it. Attached are the two txt files.

Thank you so much for giving your time to help with this.

Attachments: attach.txt, dds.txt


Welcome to the forum.

Please download RogueKiller 32 Bit to your desktop and run it.

RogueKiller 64 Bit <---use this one for 64 bit systems

Quit all running programs.

For Windows XP, double-click to start.

For Vista or Windows 7-8, do a right-click on the program, select Run as Administrator to start, & when prompted Allow to run.

Click Scan to scan the system.

When the scan completes > Close out the program > Don't Fix anything!

Don't run any other options, they're not all bad!!!!!!!

Post back the report which should be located on your desktop.

(please don't put logs in code or quotes and use the default font)

General P2P/Piracy Warning:

1. If you're using Peer 2 Peer software such as uTorrent, BitTorrent or similar you must either fully uninstall it or completely disable it from running while being assisted here.

Failure to remove or disable such software will result in your topic being closed and no further assistance being provided.

2. If you have illegal/cracked software, cracks, keygens, Adobe host file, etc. on the system, please remove or uninstall them now and read the policy on Piracy.

Failure to remove such software will result in your topic being closed and no further assistance being provided.

MrC

Note:

Please read all of my instructions completely including these.

Make sure system restore is turned on and running

Make sure you're subscribed to this topic: Click on the Follow This Topic Button (at the top right of this page), make sure that the Receive notification box is checked and that it is set to Instantly

Removing malware can be unpredictable...unlikely but things can go very wrong! Backup any files that cannot be replaced. You can copy them to a CD/DVD, external drive or a pen drive

<+>Please don't run any other scans, download, install or uninstall any programs while I'm working with you.

<+>The removal of malware isn't instantaneous, please be patient.

<+>When we are done, I'll give you instructions on how to clean up all the tools and logs

<+>Please stick with me until I give you the "all clear" and Please don't waste my time by leaving before that.

------->Your topic will be closed if you haven't replied within 3 days!<--------

(If I don't respond within 24 hours, please send me a PM)


Thank you MrC.

Downloaded and installed RK. Ran scan.

 

RogueKiller V8.7.2 [Oct  3 2013] by Tigzy
mail : tigzyRK<at>gmail<dot>com
Feedback : http://www.adlice.com/forum/
Website : http://www.adlice.com/softwares/roguekiller/
Blog : http://tigzyrk.blogspot.com/

Operating System : Windows 7 (6.1.7601 Service Pack 1) 32 bits version
Started in : Normal mode
User : User [Admin rights]
Mode : Scan -- Date : 10/12/2013 09:28:43
| ARK || FAK || MBR |

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 2 ¤¤¤
[HJ DESK][PUM] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
[HJ DESK][PUM] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

¤¤¤ Scheduled tasks : 1 ¤¤¤
[V2][SUSP PATH] CIS_{15198508-521A-4D69-8E5B-B94A6CCFF805} : C:\Users\User\AppData\Local\Temp\cis76F0.exe - --PostUninstall {15198508-521A-4D69-8E5B-B94A6CCFF805} [x][x] -> FOUND

¤¤¤ Startup Entries : 0 ¤¤¤

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [LOADED] ¤¤¤
[Address] IRP[IRP_MJ_CREATE] : C:\Windows\system32\drivers\winhv.sys -> HOOKED (Unknown @ 0x85A641E8)
[Address] IRP[IRP_MJ_CLOSE] : C:\Windows\system32\drivers\winhv.sys -> HOOKED (Unknown @ 0x85A641E8)
[Address] IRP[IRP_MJ_DEVICE_CONTROL] : C:\Windows\system32\drivers\winhv.sys -> HOOKED (Unknown @ 0x85A641E8)
[Address] IRP[IRP_MJ_INTERNAL_DEVICE_CONTROL] : C:\Windows\system32\drivers\winhv.sys -> HOOKED (Unknown @ 0x85A641E8)
[Address] IRP[IRP_MJ_POWER] : C:\Windows\system32\drivers\winhv.sys -> HOOKED (Unknown @ 0x85A641E8)
[Address] IRP[IRP_MJ_SYSTEM_CONTROL] : C:\Windows\system32\drivers\winhv.sys -> HOOKED (Unknown @ 0x85A641E8)
[Address] IRP[IRP_MJ_PNP] : C:\Windows\system32\drivers\winhv.sys -> HOOKED (Unknown @ 0x85A641E8)
[Inline] EAT @explorer.exe (?MILLIS_PER_SECOND@GCDate@@2JB) : GrooveUtil.DLL -> HOOKED (Unknown @ 0xC8F70CD4)
[Inline] EAT @explorer.exe (@Classes@TFiler@) : rtl150.bpl -> HOOKED (Unknown @ 0x3059296C)
[Inline] EAT @explorer.exe (@Classes@TReader@) : rtl150.bpl -> HOOKED (Unknown @ 0xB45933BC)
[Inline] EAT @explorer.exe (@Classes@TStreamWriter@) : rtl150.bpl -> HOOKED (Unknown @ 0x54599FB5)
[Inline] EAT @explorer.exe (@Comobj@TAutoObjectEvent@) : rtl150.bpl -> HOOKED (Unknown @ 0xDC5BB8A4)
[Inline] EAT @explorer.exe (@Msxml@IID_ISAXEntityResolver) : rtl150.bpl -> HOOKED (Unknown @ 0x1FB8BAB5)
[Inline] EAT @explorer.exe (@Oledb@DBOBJECT_DOMAIN) : rtl150.bpl -> HOOKED (Unknown @ 0x43E12FD7)
[Inline] EAT @explorer.exe (@Oledb@DBOBJECT_SCHEMA) : rtl150.bpl -> HOOKED (Unknown @ 0x43E12FC7)
[Inline] EAT @explorer.exe (@System@ExceptionClass) : rtl150.bpl -> HOOKED (Unknown @ 0xDD6A1039)
[Inline] EAT @explorer.exe (@Wincodec@CATID_WICFormatConverters) : rtl150.bpl -> HOOKED (Unknown @ 0x6490FC7F)
[Inline] EAT @explorer.exe (@Controls@TCustomTouchManager@) : vcl150.bpl -> HOOKED (Unknown @ 0x34772A44)
[Inline] EAT @explorer.exe (@Controls@TDockTree@) : vcl150.bpl -> HOOKED (Unknown @ 0xC0779121)
[Inline] EAT @explorer.exe (@Controls@TTouchManager@) : vcl150.bpl -> HOOKED (Unknown @ 0x34772FF8)
[Inline] EAT @explorer.exe (@Jclmath@Catalan) : Jcl150.bpl -> HOOKED (Unknown @ 0x00BF2040)
[Inline] EAT @explorer.exe (@Jclmath@Cbrt3) : Jcl150.bpl -> HOOKED (Unknown @ 0x90B1D717)
[Inline] EAT @explorer.exe (@Jclmath@LnPi) : Jcl150.bpl -> HOOKED (Unknown @ 0xCA671DA3)
[Inline] EAT @explorer.exe (@Jclmath@Log3) : Jcl150.bpl -> HOOKED (Unknown @ 0x84D25F65)
[Inline] EAT @explorer.exe (@Jclsimplexml@TJclSimpleXMLProps@) : Jcl150.bpl -> HOOKED (Unknown @ 0x4858BACA)
[Inline] EAT @explorer.exe (@Jclstructstorage@UnitVersioning) : Jcl150.bpl -> HOOKED (Unknown @ 0xF469DFA7)
[Inline] EAT @explorer.exe (@Jclwin32@RtdlNetGroupAdd) : Jcl150.bpl -> HOOKED (Unknown @ 0x3467D32D)
[Inline] EAT @explorer.exe (@Mscorlib_tlb@CLASS_AsymmetricSignatureDeformatter) : Jcl150.bpl -> HOOKED (Unknown @ 0x269C6902)
[Inline] EAT @explorer.exe (@Mscorlib_tlb@CLASS_Buffer) : Jcl150.bpl -> HOOKED (Unknown @ 0x8313E316)
[Inline] EAT @explorer.exe (@Mscorlib_tlb@CLASS_CaseInsensitiveComparer) : Jcl150.bpl -> HOOKED (C:\Windows\System32\wscui.cpl @ 0x6C9E7D34)
[Inline] EAT @explorer.exe (@Mscorlib_tlb@CLASS_FileNotFoundException) : Jcl150.bpl -> HOOKED (Unknown @ 0xEB14FC04)
[Inline] EAT @explorer.exe (@Mscorlib_tlb@CLASS_JulianCalendar) : Jcl150.bpl -> HOOKED (Unknown @ 0x607DE6A9)
[Inline] EAT @explorer.exe (@Mscorlib_tlb@CLASS_PKCS1MaskGenerationMethod) : Jcl150.bpl -> HOOKED (Unknown @ 0x5E0E5459)
[Inline] EAT @explorer.exe (@Mscorlib_tlb@CLASS_ProgIdAttribute) : Jcl150.bpl -> HOOKED (Unknown @ 0x64693527)
[Inline] EAT @explorer.exe (@Mscorlib_tlb@CLASS_SHA384) : Jcl150.bpl -> HOOKED (Unknown @ 0x062DADDF)
[Inline] EAT @explorer.exe (@Mscorlib_tlb@CLASS_SoapDateTime) : Jcl150.bpl -> HOOKED (Unknown @ 0x886A688F)
[Inline] EAT @explorer.exe (@Mscorlib_tlb@IID_IChannel) : Jcl150.bpl -> HOOKED (Unknown @ 0xB577C87E)
[Inline] EAT @explorer.exe (@Mscorlib_tlb@IID__BitConverter) : Jcl150.bpl -> HOOKED (Unknown @ 0xD97E4C5E)
[Inline] EAT @explorer.exe (@Mscorlib_tlb@IID__CryptographicException) : Jcl150.bpl -> HOOKED (Unknown @ 0xFA6AC5AF)
[Inline] EAT @explorer.exe (@Mscorlib_tlb@IID__CustomAttributeBuilder) : Jcl150.bpl -> HOOKED (Unknown @ 0x47E035A9)
[Inline] EAT @explorer.exe (@Mscorlib_tlb@IID__ExternalException) : Jcl150.bpl -> HOOKED (C:\Windows\system32\PortableDeviceApi.dll @ 0x70C9C911)
[Inline] EAT @explorer.exe (@Mscorlib_tlb@IID__IsolatedStorageFilePermission) : Jcl150.bpl -> HOOKED (Unknown @ 0x292E9B90)
[Inline] EAT @explorer.exe (@Mscorlib_tlb@IID__Pointer) : Jcl150.bpl -> HOOKED (Unknown @ 0x03125CDC)
[Inline] EAT @explorer.exe (@Mscorlib_tlb@IID__RegionInfo) : Jcl150.bpl -> HOOKED (Unknown @ 0xD76F9F58)
[Inline] EAT @explorer.exe (@Mscorlib_tlb@IID__SiteIdentityPermission) : Jcl150.bpl -> HOOKED (Unknown @ 0x4E9A9BCB)
[Inline] EAT @explorer.exe (@Mscorlib_tlb@IID__ThaiBuddhistCalendar) : Jcl150.bpl -> HOOKED (Unknown @ 0xA3E88D47)

¤¤¤ External Hives: ¤¤¤

¤¤¤ Infection :  ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
--> %SystemRoot%\System32\drivers\etc\hosts


127.0.0.1    www.007guard.com
127.0.0.1    007guard.com
127.0.0.1    008i.com
127.0.0.1    www.008k.com
127.0.0.1    008k.com
127.0.0.1    www.00hq.com
127.0.0.1    00hq.com
127.0.0.1    010402.com
127.0.0.1    www.032439.com
127.0.0.1    032439.com
127.0.0.1    www.0scan.com
127.0.0.1    0scan.com
127.0.0.1    www.1000gratisproben.com
127.0.0.1    1000gratisproben.com
127.0.0.1    www.1001namen.com
127.0.0.1    1001namen.com
127.0.0.1    100888290cs.com
127.0.0.1    www.100888290cs.com
127.0.0.1    100sexlinks.com
127.0.0.1    www.100sexlinks.com
[...]


¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: (\\.\PHYSICALDRIVE0 @ IDE) (Standard disk drives) - ST31000528AS ATA Device +++++
--- User ---
[MBR] 6aec600e05f6745786100572072e34cb
[BSP] 64cf7b4991551554b7eee46f94e5092f : Windows 7/8 MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 100 Mo
1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 206848 | Size: 953766 Mo
User = LL1 ... OK!
User = LL2 ... OK!

+++++ PhysicalDrive1: (\\.\PHYSICALDRIVE1 @ USB) (Standard disk drives) - Lexar JD FireFly USB Device +++++
--- User ---
[MBR] afe07965a7a693748f42bb7fb6d1fe0f
[BSP] 33a07a59d299ab4ea9f4ab0156f9d86f : Windows XP MBR Code
Partition table:
0 - [ACTIVE] FAT32-LBA (0x0c) [VISIBLE] Offset (sectors): 2720 | Size: 15038 Mo
User = LL1 ... OK!
Error reading LL2 MBR!

Finished : << RKreport[0]_S_10122013_092843.txt >>



 

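The report above is best read with two questions in mind: which scheduled task runs from somewhere an ordinary user account can write to (here the CIS_{...} task in AppData\Local\Temp, which is what the SUSP PATH tag is pointing at), and whether the hosts file does anything beyond pointing junk domains at 127.0.0.1. What follows is an added example, not RogueKiller's code and not from this thread: a small Python parser for the report layout shown above that applies both checks. The sample report embedded in it is an excerpt of the one posted, except for the last two hosts lines (the .example names and the 198.51.100.7 address), which are constructed to show what the two suspicious verdicts look like. The section-header and path regexes, the user-writable directory list and the protected-domain list are assumptions to adjust for other versions and environments.

```python
"""Offline triage of a RogueKiller-style text report.

Added example, not RogueKiller's own code. It parses the report layout shown
in the post above and applies the two checks a responder would otherwise do
by eye. Header, tag and path patterns are assumptions drawn from that report.
"""
import ipaddress
import re

# Directories a standard user (and so any dropper running as that user) can
# write to. A scheduled task whose action lives here deserves a look, which is
# roughly what RogueKiller's SUSP PATH tag flags. (Assumed list.)
USER_WRITABLE_MARKERS = ("\\appdata\\", "\\programdata\\", "\\users\\public\\", "\\windows\\temp\\")

# Name fragments a hosts file should never sinkhole on a healthy box: AV and
# Windows Update servers. Illustrative list (assumption), extend as needed.
PROTECTED_FRAGMENTS = ("avast", "malwarebytes", "comodo", "windowsupdate", "microsoft.com")

SECTION_RE = re.compile(r"^¤¤¤\s*(?P<name>.*?)\s*(?::\s*\d+\s*)?¤¤¤\s*$")
TASK_RE = re.compile(r"^\[(?P<ver>[^\]]*)\]\[(?P<tag>[^\]]*)\]\s*(?P<name>[^:]+?)\s*:\s*(?P<rest>.*)$")
PATH_RE = re.compile(r'[A-Za-z]:\\[^\s"]+?\.(?:exe|dll|bat|cmd|vbs|js|scr)\b', re.I)
HOSTS_RE = re.compile(r"^(?P<ip>\S+)\s+(?P<host>\S+)")


def _parse_ip(text):
    try:
        return ipaddress.ip_address(text)
    except ValueError:
        return None


def _in_user_writable(path):
    lowered = path.lower()
    return any(marker in lowered for marker in USER_WRITABLE_MARKERS)


def _classify_host(ip, host):
    """Loopback/unspecified targets are block-list style; anything else is a redirect."""
    addr = _parse_ip(ip)
    if addr is None:
        return None
    if addr.is_loopback or addr.is_unspecified:
        protected = any(frag in host.lower() for frag in PROTECTED_FRAGMENTS)
        verdict = "blocks-security-domain" if protected else "blocklist"
    else:
        verdict = "redirect"
    return {"ip": ip, "host": host, "verdict": verdict}


def triage_report(text):
    """Walk the report section by section; return scheduled tasks and hosts entries."""
    section, tasks, hosts = None, [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        header = SECTION_RE.match(line)
        if header:
            section = header.group("name").rstrip(":").strip().lower()
            continue
        if section == "scheduled tasks":
            task = TASK_RE.match(line)
            if task:
                found = PATH_RE.search(task.group("rest"))
                path = found.group(0) if found else None
                tasks.append({"name": task.group("name"), "tag": task.group("tag"), "path": path,
                              "user_writable": bool(path) and _in_user_writable(path)})
        elif section == "hosts file":
            entry = HOSTS_RE.match(line)
            classified = _classify_host(entry.group("ip"), entry.group("host")) if entry else None
            if classified:
                hosts.append(classified)
    return {"tasks": tasks, "hosts": hosts}


def summarize(result):
    """Condense a triage result into the items worth chasing."""
    return {
        "suspicious_tasks": [t["name"] for t in result["tasks"] if t["user_writable"]],
        "hosts_blocking_security": [h["host"] for h in result["hosts"] if h["verdict"] == "blocks-security-domain"],
        "hosts_redirected": [h["host"] for h in result["hosts"] if h["verdict"] == "redirect"],
        "hosts_blocklist_count": sum(h["verdict"] == "blocklist" for h in result["hosts"]),
    }


# Excerpt of the posted report. The last two hosts lines (the .example names
# and 198.51.100.7) are CONSTRUCTED to exercise the suspicious verdicts.
SAMPLE_REPORT = r"""RogueKiller V8.7.2 [Oct  3 2013] by Tigzy
Operating System : Windows 7 (6.1.7601 Service Pack 1) 32 bits version

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Scheduled tasks : 1 ¤¤¤
[V2][SUSP PATH] CIS_{15198508-521A-4D69-8E5B-B94A6CCFF805} : C:\Users\User\AppData\Local\Temp\cis76F0.exe - --PostUninstall {15198508-521A-4D69-8E5B-B94A6CCFF805} [x][x] -> FOUND

¤¤¤ Startup Entries : 0 ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
--> %SystemRoot%\System32\drivers\etc\hosts

127.0.0.1    www.007guard.com
127.0.0.1    007guard.com
127.0.0.1    008i.com
127.0.0.1    www.008k.com
127.0.0.1    008k.com
127.0.0.1    www.00hq.com
127.0.0.1    update.avast.example
198.51.100.7    www.malwarebytes.example
[...]

¤¤¤ MBR Check: ¤¤¤
"""

if __name__ == "__main__":
    print(summarize(triage_report(SAMPLE_REPORT)))
```

To use it on a real run, pass the contents of the saved RKreport file to triage_report(). A long run of entries that all point at 127.0.0.1, like the start of the posted list, is the shape of a block list (Spybot's immunization writes one); the entries to chase are the ones that sinkhole an AV or update domain, which would explain updaters hanging, or that send a real domain to some other address.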

AV: avast! Antivirus *Disabled/Updated* {2B2D1395-420B-D5C9-657E-930FE358FC3C}

AV: COMODO Antivirus *Disabled/Updated* {B74CC7D2-B407-E1DC-1033-DD315BCDC8C8}

SP: avast! Antivirus *Disabled/Updated* {904CF271-6431-DA47-5FCE-A87D98DFB681}

SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

SP: Spybot - Search and Destroy *Disabled/Outdated* {9BC38DF1-3CCA-732D-A930-C1CA5F20A4B0}

SP: COMODO Antivirus *Disabled/Updated* {0C2D2636-923D-EE52-2A83-E643204A8275}

FW: COMODO Firewall *Disabled* {8F7746F7-FE68-E084-3B6C-7404A51E8FB3}

 

You have 2 anti-virus programs installed and running; this only causes conflicts and spotty protection.

 

I don't see any reason for having Spybot installed either.

Pick either avast or COMODO as your anti-virus and uninstall the other, also make sure Windows Defender stays disabled.

Dangers of running 2 anti-virus programs

http://www.howtogeek.com/howto/15788/how-to-uninstall-disable-and-remove-windows-defender.-also-how-turn-it-off/ <---disable WD

------------------------------------------------------------------

Not much showing, let's run some scans.

First:

Download Malwarebytes Anti-Rootkit from HERE

  • Unzip the contents to a folder in a convenient location.
  • Open the folder where the contents were unzipped and run mbar.exe
  • Follow the instructions in the wizard to update and allow the program to scan your computer for threats.
  • Click on the Cleanup button to remove any threats and reboot if prompted to do so.
  • Wait while the system shuts down and the cleanup process is performed.
  • Perform another scan with Malwarebytes Anti-Rootkit to verify that no threats remain. If they do, then click Cleanup once more and repeat the process.
  • When done, please post the two logs produced they will be in the MBAR folder..... mbar-log.txt and system-log.txt

To attach a log if needed:

Bottom right corner of this page.

[screenshot: reply1.jpg]

New window that comes up.

[screenshot: replyer1.jpg]

~~~~~~~~~~~~~~~~~~~~~~~

Note:

If no additional threats were found, verify that your system is now running normally, making sure that the following items are functional:

Internet access

Windows Update

Windows Firewall

If there are additional problems with your system, such as any of those listed above or other system issues, then run the fixdamage tool included with Malwarebytes Anti-Rootkit and reboot. It's located in the Plugins folder which is in the MBAR folder.

Just run fixdamage.exe.

Verify that they are now functioning normally.

MrC


a) 2 virus programs. Avast and a few other icons suddenly disappeared off my desktop. When I created new ones, I checked the properties and there was an "unknown user" listed in all of those! I only downloaded Comodo recently because I discovered what a firewall is and why I needed one {yeah...I know...in this day and age?!}

In your personal opinion and from experience, would you say that Comodo av is better than Avast? Unfortunately, I am not in a position to buy any package, :-( so free protection is all I have...

I checked some reviews and Comodo was listed as one of the top free firewalls available...that the truth?

 

b) Spybot was installed by a local pc company after they upgraded my pc about 5 years ago - I have no problem uninstalling it.

 

Downloaded, installed, ran mbar.exe, updated and now running scan.

Will post result as soon as done.


OK.....Next:

Please download and run ComboFix.

The most important things to remember when running it are to disable all your malware programs and to run ComboFix from your desktop.

Please visit this webpage for download links, and instructions for running ComboFix

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Information on disabling your malware programs can be found Here.

Make sure you run ComboFix from your desktop.

Give it at least 30-45 minutes to finish if needed.

Please include the C:\ComboFix.txt in your next reply for further review.

---------->NOTE<----------

If you get the message Illegal operation attempted on registry key that has been marked for deletion after you run ComboFix....please reboot the computer, this should resolve the problem. You may have to do this several times if needed.

MrC


Let's clean out any adware now: (this will require a reboot, so save all your work)

Please download AdwCleaner by Xplode and save to your Desktop.

  • Double click on AdwCleaner.exe to run the tool.

    Vista/Windows 7/8 users right-click and select Run As Administrator

  • Click on the Scan button.
  • AdwCleaner will begin...be patient as the scan may take some time to complete.
  • When it's done you'll see: Pending: Please uncheck elements you don't want removed.
  • Now click on the Report button...a logfile (AdwCleaner[R0].txt) will open in Notepad for review.
  • Look over the log especially under Files/Folders for any program you want to save.
  • If there's a program you may want to save, just uncheck it from AdwCleaner.
  • If you're not sure, post the log for review. (all items found are adware/spyware/foistware)
  • If you're ready to clean it all up.....click the Clean button.
  • After rebooting, a logfile report (AdwCleaner[S0].txt) will open automatically.
  • Copy and paste the contents of that logfile in your next reply.
  • A copy of that logfile will also be saved in the C:\AdwCleaner folder.
  • Items that are deleted are moved to the Quarantine Folder: C:\AdwCleaner\Quarantine
  • To restore an item that has been deleted:
  • Go to Tools > Quarantine Manager > check what you want restored > now click on Restore.
Then..................

Open up Malwarebytes > Settings Tab > Scanner Settings > Under action for PUP > Select: Show in Results List and Check for removal.

Please Update and run a Quick Scan with Malwarebytes Anti-Malware, post the report.

Make sure that everything is checked, and click Remove Selected.

Please let me know how computer is running now, MrC


Attached are the files you requested:

 

# AdwCleaner v3.007 - Report created 13/10/2013 at 18:34:28
# Updated 09/10/2013 by Xplode
# Operating System : Windows 7 Ultimate Service Pack 1 (32 bits)
# Username : User - RENE-PC
# Running from : C:\Users\User\Desktop\AdwCleaner.exe
# Option : Clean

***** [ Services ] *****


***** [ Files / Folders ] *****

Folder Deleted : C:\ProgramData\Trymedia
Folder Deleted : C:\ProgramData\AlawarWrapper
Folder Deleted : C:\ProgramData\wxDownload
Folder Deleted : C:\ProgramData\Microsoft\Windows\Start Menu\Programs\myfree codec
Folder Deleted : C:\Program Files\Conduit
Folder Deleted : C:\Program Files\DAEMON Tools Toolbar
Folder Deleted : C:\Program Files\myfree codec
Folder Deleted : C:\Program Files\wxDownload
Folder Deleted : C:\Users\User\AppData\Local\Conduit
Folder Deleted : C:\Users\User\AppData\Local\iWin
Folder Deleted : C:\Users\User\AppData\Local\MyScrapNook_12
Folder Deleted : C:\Users\User\AppData\LocalLow\AVG Security Toolbar
Folder Deleted : C:\Users\User\AppData\LocalLow\Conduit
Folder Deleted : C:\Users\User\AppData\LocalLow\Funmoods
Folder Deleted : C:\Users\User\AppData\LocalLow\MyScrapNook_12
Folder Deleted : C:\Users\User\AppData\Roaming\Babylon
Folder Deleted : C:\Users\User\AppData\Roaming\DriverCure
Folder Deleted : C:\Users\User\AppData\Roaming\ExpressFiles
Folder Deleted : C:\Users\User\AppData\Roaming\SpeedMaxPc
File Deleted : C:\Program Files\Mozilla Firefox\searchplugins\avg-secure-search.xml
File Deleted : C:\Windows\System32\Tasks\Express FilesUpdate

***** [ Shortcuts ] *****


***** [ Registry ] *****

Key Deleted : HKLM\SOFTWARE\Google\Chrome\Extensions\jcdgjdiieiljkfkdcloehkohchhpekkn
[#] Key Deleted : HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Express FilesUpdate
[#] Key Deleted : HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{719F56C0-B5FE-45C6-868A-F27B75F657A4}
[#] Key Deleted : HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon\{719F56C0-B5FE-45C6-868A-F27B75F657A4}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\grusskartencenter.com
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains\grusskartencenter.com
Key Deleted : HKLM\SOFTWARE\Classes\AppID\secman.DLL
Key Deleted : HKLM\SOFTWARE\Classes\Prod.cap
Key Deleted : HKLM\SOFTWARE\Classes\SWEETIE.IEToolbar
Key Deleted : HKLM\SOFTWARE\Classes\SWEETIE.IEToolbar.1
Key Deleted : HKLM\SOFTWARE\Classes\sweetim_urlsearchhook.toolbarurlsearchhook
Key Deleted : HKLM\SOFTWARE\Classes\sweetim_urlsearchhook.toolbarurlsearchhook.1
Key Deleted : HKLM\SOFTWARE\Classes\Toolbar3.sweetie
Key Deleted : HKLM\SOFTWARE\Classes\Toolbar3.sweetie.1
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\apnstub_RASAPI32
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\apnstub_RASMANCS
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\BundleSweetIMSetup_RASAPI32
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\BundleSweetIMSetup_RASMANCS
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\MyBabylontb_RASAPI32
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\MyBabylontb_RASMANCS
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\speedmaxpc_RASAPI32
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\speedmaxpc_RASMANCS
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\sweetim_rasapi32
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\sweetim_rasmancs
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\sweetpacksupdatemanager_rasapi32
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\SweetPacksUpdateManager_RASMANCS
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\SoftonicDownloader_for_samsung-kies(1)_RASAPI32
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\SoftonicDownloader_for_samsung-kies(1)_RASMANCS
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\SoftonicDownloader_for_samsung-kies_RASAPI32
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\SoftonicDownloader_for_samsung-kies_RASMANCS
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\SoftonicDownloader_for_samsung-new-pc-studio_RASAPI32
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\SoftonicDownloader_for_samsung-new-pc-studio_RASMANCS
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{4D076AB4-7562-427A-B5D2-BD96E19DEE56}
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{C3110516-8EFC-49D6-8B72-69354F332062}
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{EA28B360-05E0-4F93-8150-02891F1D8D3C}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{13119113-0854-469D-807A-171568457991}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{2CE4D4CF-B278-4126-AD1E-B622DA2E8339}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{33119133-0854-469D-807A-171568457991}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{3C471948-F874-49F5-B338-4F214A2EE0B1}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{03E2A1F3-4402-4121-8B35-733216D61217}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{23119123-0854-469D-807A-171568457991}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{2CE4D4CF-B278-4126-AD1E-B622DA2E8339}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{66EEF543-A9AC-4A9D-AA3C-1ED148AC8EEE}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{813A22E0-3E2B-4188-9BDA-ECA9878B8D48}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{9E3B11F6-4179-4603-A71B-A55F4BCB0BEC}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{BCFF5F55-6F44-11D2-86F8-00104B265ED5}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{EEE6C358-6118-11DC-9C72-001320C79847}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{EEE6C359-6118-11DC-9C72-001320C79847}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{EEE6C35A-6118-11DC-9C72-001320C79847}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{03119103-0854-469D-807A-171568457991}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{9C049BA6-EA47-4AC3-AED6-A66D8DC9E1D8}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{EEE6C35E-6118-11DC-9C72-001320C79847}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{EEE6C35F-6118-11DC-9C72-001320C79847}
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{EEE6C367-6118-11DC-9C72-001320C79847}
Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{0ECDF796-C2DC-4D79-A620-CCE0C0A66CC9}
Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{3BD44F0E-0596-4008-AEE0-45D47E3A8F0E}
Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{AFDBDDAA-5D3F-42EE-B79C-185A7020515B}
Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{BB74DE59-BC4C-4172-9AC4-73315F71CFFE}
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{AFDBDDAA-5D3F-42EE-B79C-185A7020515B}
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{BB74DE59-BC4C-4172-9AC4-73315F71CFFE}
Key Deleted : HKCU\Software\1ClickDownload
Key Deleted : HKCU\Software\ExpressFiles
Key Deleted : HKCU\Software\Softonic
Key Deleted : HKCU\Software\SpeedMaxPC
Key Deleted : HKCU\Software\AppDataLow\SProtector
Key Deleted : HKCU\Software\AppDataLow\Software\Conduit
Key Deleted : HKCU\Software\AppDataLow\Software\PriceGong
Key Deleted : HKCU\Software\AppDataLow\Software\smartbar
Key Deleted : HKLM\Software\Babylon
Key Deleted : HKLM\Software\BabylonToolbar
Key Deleted : HKLM\Software\Conduit
Key Deleted : HKLM\Software\ExpressFiles
Key Deleted : HKLM\Software\SP Global
Key Deleted : HKLM\Software\SpeedMaxPC
Key Deleted : HKLM\Software\SProtector
Key Deleted : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\0FF2AEFF45EEA0A48A4B33C1973B6094
Key Deleted : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\305B09CE8C53A214DB58887F62F25536

***** [ Browsers ] *****

-\\ Internet Explorer v9.0.8112.16502

Setting Restored : HKLM\SOFTWARE\Microsoft\Internet Explorer\Main [Start Page]

-\\ Mozilla Firefox v22.0 (en-US)

[ File : C:\Users\User\AppData\Roaming\Mozilla\Firefox\Profiles\t53weeer.default-1378102569937\prefs.js ]


-\\ Google Chrome v

[ File : C:\Users\User\AppData\Local\Google\Chrome\User Data\Default\preferences ]

Deleted : homepage
Deleted : urls_to_restore_on_startup

*************************

AdwCleaner[R0].txt - [8310 octets] - [13/10/2013 18:20:33]
AdwCleaner[S0].txt - [8409 octets] - [13/10/2013 18:34:28]

########## EOF - C:\AdwCleaner\AdwCleaner[S0].txt - [8469 octets] ##########
 

Attachment: mbam-log-2013-10-13 (18-49-45).txt

Will check my pc performance and let you know. Thank you so much!

 

Attachment: AdwCleanerS0.txt

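AdwCleaner removed the Express FilesUpdate task in four pieces: the XML under System32\Tasks, the TaskCache\Tree key, the TaskCache\Tasks\{GUID} key and the TaskCache\Logon\{GUID} index entry. That is the complete set, and it is worth knowing because a task with only some of those pieces gone is either broken or no longer shown by schtasks /query while its definition still exists. What follows is an added example, not AdwCleaner's code and not from this thread: it replays the task-related "Key Deleted" / "File Deleted" lines from the log above against a constructed snapshot of the cache (a dict, not a live registry read) and audits the result for exactly those inconsistencies. The registry layout it assumes is the standard Windows one; the Defrag task and its GUID in the sample are made up for contrast.

```python
r"""Cross-check the Task Scheduler cache that AdwCleaner edited above.

Added example, not AdwCleaner's code. Background (standard Windows layout, an
assumption the thread itself does not state): every scheduled task has
  TaskCache\Tree\<name>      with a value Id = {GUID}
  TaskCache\Tasks\{GUID}     with a value Path = \<name>
  one index entry under TaskCache\Logon, \Boot or \Plain
  an XML file at %SystemRoot%\System32\Tasks\<name>
The cache here is a constructed dict snapshot, not a live registry read.
"""
import re

TASKCACHE_PREFIX = "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\"
TASK_FILE_DIR = "C:\\Windows\\System32\\Tasks\\"
DELETE_RE = re.compile(r"^(?:\[#\]\s*)?(Key|File) Deleted\s*:\s*(.+?)\s*$")


def empty_cache():
    return {"Tree": {}, "Tasks": {}, "Index": {}, "Files": set()}


def add_task(cache, name, guid, index="Plain"):
    """Register a consistent task: all four pieces present."""
    cache["Tree"][name] = guid
    cache["Tasks"][guid] = {"Path": "\\" + name}
    cache["Index"][guid] = index
    cache["Files"].add(name)


def apply_adwcleaner_log(cache, log_text):
    """Replay the task-cache deletions an AdwCleaner log reports; other lines are ignored."""
    for line in log_text.splitlines():
        match = DELETE_RE.match(line.strip())
        if not match:
            continue
        kind, target = match.groups()
        if kind == "Key" and target.lower().startswith(TASKCACHE_PREFIX.lower()):
            bucket, _, item = target[len(TASKCACHE_PREFIX):].partition("\\")
            if bucket == "Tree":
                cache["Tree"].pop(item, None)
            elif bucket == "Tasks":
                cache["Tasks"].pop(item, None)
            elif bucket in ("Logon", "Boot", "Plain"):
                cache["Index"].pop(item, None)
        elif kind == "File" and target.lower().startswith(TASK_FILE_DIR.lower()):
            cache["Files"].discard(target[len(TASK_FILE_DIR):])
    return cache


def audit_task_cache(cache):
    """Return sorted (finding, task name) pairs for every inconsistency between the four stores."""
    findings = []
    tree_by_guid = {guid: name for name, guid in cache["Tree"].items()}
    for guid, info in cache["Tasks"].items():
        name = info["Path"].lstrip("\\")
        if guid not in tree_by_guid:
            # schtasks /query and the GUI enumerate Tree, so this definition is not listed
            findings.append(("no-tree-entry", name))
        elif tree_by_guid[guid] != name:
            findings.append(("path-mismatch", name))
        if guid not in cache["Index"]:
            findings.append(("no-trigger-index", name))
        if name not in cache["Files"]:
            findings.append(("missing-xml", name))
    for name, guid in cache["Tree"].items():
        if guid not in cache["Tasks"]:
            findings.append(("dangling-tree-entry", name))  # typically surfaces as a "task image is corrupt" error
    for name in cache["Files"]:
        if name not in cache["Tree"]:
            findings.append(("orphan-xml", name))
    return sorted(findings)


def build_sample_cache():
    """Constructed snapshot: Express FilesUpdate uses the GUID from the log; Defrag and its GUID are made up."""
    cache = empty_cache()
    add_task(cache, "Express FilesUpdate", "{719F56C0-B5FE-45C6-868A-F27B75F657A4}", "Logon")
    add_task(cache, "Microsoft\\Windows\\Defrag\\ScheduledDefrag", "{00000000-0000-0000-0000-000000000001}", "Plain")
    return cache


# The four lines from the posted AdwCleaner log that concern this task.
SAMPLE_LOG = r"""
File Deleted : C:\Windows\System32\Tasks\Express FilesUpdate
[#] Key Deleted : HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Express FilesUpdate
[#] Key Deleted : HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{719F56C0-B5FE-45C6-868A-F27B75F657A4}
[#] Key Deleted : HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon\{719F56C0-B5FE-45C6-868A-F27B75F657A4}
"""


def tree_only_log():
    """A half-done removal: only the Tree key deleted, everything else left behind."""
    return "\n".join(l for l in SAMPLE_LOG.splitlines() if "\\Tree\\" in l)


if __name__ == "__main__":
    print("before:", audit_task_cache(build_sample_cache()))
    print("full cleanup:", audit_task_cache(apply_adwcleaner_log(build_sample_cache(), SAMPLE_LOG)))
    print("Tree key only:", audit_task_cache(apply_adwcleaner_log(build_sample_cache(), tree_only_log())))
```

The full replay leaves the cache consistent, which is what the log above achieved. Deleting only the Tree key, the kind of partial cleanup a hand edit or a hiding trick produces, leaves a task definition and its XML that nothing lists any more, and that is the case the audit exists to catch.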

Leave the Windows firewall disabled.

If it's OK......

Let's check your computer's security before you go, and we have a little cleanup to do also:

Download Security Check by screen317 from HERE or HERE.

  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • If you get Unsupported operating system. Aborting now, just reboot and try again.
  • A Notepad document should open automatically called checkup.txt.
  • Please Post the contents of that document.
  • Do Not Attach It!!!
MrC

 Results of screen317's Security Check version 0.99.74  
 Windows 7 Service Pack 1 x86 (UAC is enabled)  
 Internet Explorer 10  
``````````````Antivirus/Firewall Check:``````````````
 Windows Firewall Enabled!  
 Windows Firewall Disabled!  
COMODO Antivirus   
 Antivirus up to date!  
`````````Anti-malware/Other Utilities Check:`````````
 SUPERAntiSpyware     
 Malwarebytes Anti-Malware version 1.75.0.1300  
 CCleaner     
 Adobe Flash Player     11.8.800.94  
 Adobe Reader 10.1.7 Adobe Reader out of Date!  
 Mozilla Firefox 22.0 Firefox out of Date!  
 Google Chrome 28.0.1500.95  
 Google Chrome 30.0.1599.69  
````````Process Check: objlist.exe by Laurent````````  
 Comodo Firewall cmdagent.exe
`````````````````System Health check`````````````````
 Total Fragmentation on Drive C: 1%
````````````````````End of Log``````````````````````
 

 

PS.

I have completely uninstalled Adobe, yet this Adobe Reader x is still on my system! It is now listed as A?dobe Reader x (10.1.7) located in folder C:\Programs\Adobe\Reader10.0\Reader\ with source location c:\ProgramData\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AA1000000001}\

 

When I try to uninstall it (in Control Panel), a Windows Installer message box pops up: "The feature you are trying to use is on a network resource that is unavailable." OK / Cancel / Browse.

 

Pressing OK brings up another message box: "The path C:\{ProgramData\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AA1000000001}\Acroread.msi cannot be found. Verify that you have access to this location and try again, or try to find the installation package 'AcroRead.msi' in a folder from which you can install the product A?dobe reader X (10.1.7)." OK. Pressing OK takes me back to the previous uninstall message box.

 

Pressing Cancel, brings up Windows Installer Msgbox "The installation source for this product is not available. Verify that the source exists and that you can access it" Ok.

 


Even though CPU usage doesn't seem to go above 20-30%, there are 13 svchost.exe running crazily (by user Network Service x3, System x5, Local Service x5), plus 3 system search services (filterhoste.exe, indexer.exe & protocolhost.exe).

 

There is also mdm.exe run by user System from C:\Program Files\Common Files\microsoft shared\VS7Debug\mdm.exe. Should this not be running from the system32 folder?


This topic is now closed to further replies.