KNedyalkov Posted December 21, 2013 ID:767297
Hello,
A few days ago I connected my hard drives to my mother's computer. After I connected them again to my computer I found a folder named $Recycle.Bin. Then I downloaded Malwarebytes, updated it and started a scan. I checked the situation after an hour and the whole computer was not responding. So I restarted it and tried to scan again, but... same situation. After a few tries I went to Safe Mode, but Malwarebytes crashed every time it started scanning C:/Windows/System32/wlandlg.dll. I'll be glad if you have an idea why this is happening and whether it is possible to finish the scan and remove the malware found. Thank you in advance.
kevinf80 Posted December 21, 2013 ID:767378
The file you quote as causing the crash is a legitimate Windows system file. Are you sure that is causing the issue you mention?

Download Farbar Recovery Scan Tool and save it to your desktop.
Note: You need to run the version compatible with your system (32 bit or 64 bit). If you are not sure which version applies to your system, download both of them and try to run them. Only one of them will run on your system; that will be the right version.
Double-click to run it. When the tool opens click Yes to the disclaimer.
Press the Scan button.
It will make a log (FRST.txt) in the same directory the tool is run from. Please copy and paste it to your reply.
The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply.

Kevin...
KNedyalkov Posted December 21, 2013 Author ID:767380
My first scan with Farbar:
And sadly, yes, I am sure that this dll file is the problem.
Attached: FRST.txt
KNedyalkov Posted December 21, 2013 Author ID:767382
Here is the Addition.txt file.
Attached: Addition.txt
kevinf80 Posted December 21, 2013 ID:767391
Download the attached fixlist.txt file and save it to the Desktop, or the folder you saved FRST into.
NOTE: It's important that both FRST and fixlist.txt are in the same location or the fix will not work.
Run FRST and press the Fix button just once and wait.
The tool will make a log on the Desktop (Fixlog.txt). Please post it to your reply.

Next,
Run Malwarebytes, Open > Settings Tab > Scanner Settings > Under action for PUP > Select: Show in Results List and Check for removal.
Please Update and run a Full scan.
Make sure that everything is checked, and click Remove Selected on any found items. Post the produced log...

Next,
Download AdwCleaner by Xplode from here: http://www.bleepingcomputer.com/download/adwcleaner/ and save to your Desktop.
Double click on AdwCleaner.exe to run the tool.
Vista/Windows 7/8 users right-click and select Run As Administrator.
Click on the Scan button.
AdwCleaner will begin...be patient as the scan may take some time to complete.
When it's done you'll see: Pending: Uncheck any elements you don't want removed.
Now click on the Report button...a logfile (AdwCleaner[R0].txt) will open in Notepad for review.
Look over the log, especially under Files/Folders, for any program you want to save.
If there's a program you want to save, just uncheck it from AdwCleaner.
If you're not sure, post the log for review.
If you're ready to clean it all up.....click the Clean button.
After rebooting, a logfile report (AdwCleaner[s0].txt) will open automatically.
Copy and paste the contents of that logfile in your next reply.
A copy of that logfile will also be saved in the C:\AdwCleaner folder.
Items that are deleted are moved to the Quarantine Folder: C:\AdwCleaner\Quarantine
To restore an item that has been deleted (if necessary):
Go to Tools > Quarantine Manager > check what you want restored > now click on Restore.

Next,
Download Security Check by screen317 from either of the following: http://screen317.spywareinfoforum.org/SecurityCheck.exe or http://screen317.changelog.fr/SecurityCheck.exe
Save it to your Desktop. (If your security alerts, either accept the alert or turn the security off while Security Check runs.)
Double click SecurityCheck.exe (Vista or Windows 7 users right click and select "Run as Administrator") and follow the onscreen instructions inside of the black box. Press any key when asked.
A Notepad document should open automatically called checkup.txt; please post the contents of that document.

Let me see those logs, also zip up and attach the following file:
C:\Windows\Minidump\112813-35069-01.dmp

Thanks,
Kevin
Attached: fixlist.txt
KNedyalkov Posted December 21, 2013 Author ID:767399
First I will post the FRST log:

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x86) Version: 20-12-2013 02
Ran by Kiril at 2013-12-21 23:23:22 Run:2
Running from C:\Users\Kiril\Desktop
Boot Mode: Normal
==============================================

Content of fixlist:
*****************
Start
MountPoints2: I - I:\AutoRun.exe
MountPoints2: {00c64b4f-4e3e-11e3-b9e7-f04da2d32cbf} - H:\_AUTORUN\AUTORUN.EXE
MountPoints2: {00c64b52-4e3e-11e3-b9e7-f04da2d32cbf} - J:\_AUTORUN\AUTORUN.EXE
MountPoints2: {00c64c33-4e3e-11e3-b9e7-f04da2d32cbf} - I:\AutoRun.exe
MountPoints2: {00c64c58-4e3e-11e3-b9e7-002268defd87} - I:\AutoRun.exe
MountPoints2: {81581599-1b93-11e2-9323-002268defd87} - G:\_AUTORUN\AUTORUN.EXE
MountPoints2: {8587b800-06d9-11e3-8d18-f04da2d32cbf} - F:\Windows\AutoRun.exe
HKU\Mcx1-LAPTOP\...\Winlogon: [shell] C:\Windows\eHome\McrMgr.exe [ 2009-07-14] (Microsoft Corporation) <==== ATTENTION
URLSearchHook: HKLM - uTorrentControl_v2 Toolbar - {7473b6bd-4691-4744-a82b-7854eb3d70b6} - C:\Program Files\uTorrentControl_v2\prxtbuTor.dll (Conduit Ltd.)
URLSearchHook: HKCU - uTorrentControl_v2 Toolbar - {7473b6bd-4691-4744-a82b-7854eb3d70b6} - C:\Program Files\uTorrentControl_v2\prxtbuTor.dll (Conduit Ltd.)
SearchScopes: HKCU - DefaultScope {1BC142EF-4C3A-4E7B-8F78-042BA0E7F974} URL = http://search.conduit.com/ResultsExt.aspx?q={searchTerms}&SearchSource=4&ctid=CT3220468
SearchScopes: HKCU - {1BC142EF-4C3A-4E7B-8F78-042BA0E7F974} URL = http://search.conduit.com/ResultsExt.aspx?q={searchTerms}&SearchSource=4&ctid=CT3220468
BHO: uTorrentControl_v2 Toolbar - {7473b6bd-4691-4744-a82b-7854eb3d70b6} - C:\Program Files\uTorrentControl_v2\prxtbuTor.dll (Conduit Ltd.)
Toolbar: HKLM - uTorrentControl_v2 Toolbar - {7473b6bd-4691-4744-a82b-7854eb3d70b6} - C:\Program Files\uTorrentControl_v2\prxtbuTor.dll (Conduit Ltd.)
Toolbar: HKCU - uTorrentControl_v2 Toolbar - {7473B6BD-4691-4744-A82B-7854EB3D70B6} - C:\Program Files\uTorrentControl_v2\prxtbuTor.dll (Conduit Ltd.)
C:\Program Files\uTorrentControl_v2
C:\Users\Kiril\AppData\Local\Temp\avguidx.dll
C:\Users\Kiril\AppData\Local\Temp\DTLite4481-0347.exe
C:\Users\Kiril\AppData\Local\Temp\GenericWndApi.dll
C:\Users\Kiril\AppData\Local\Temp\GomEncDnInstaller.exe
C:\Users\Kiril\AppData\Local\Temp\jre-7u15-windows-i586-iftw.exe
C:\Users\Kiril\AppData\Local\Temp\jre-7u17-windows-i586-iftw.exe
C:\Users\Kiril\AppData\Local\Temp\jre-7u21-windows-i586-iftw.exe
C:\Users\Kiril\AppData\Local\Temp\jre-7u25-windows-i586-iftw.exe
C:\Users\Kiril\AppData\Local\Temp\jre-7u45-windows-i586-iftw.exe
C:\Users\Kiril\AppData\Local\Temp\MachineIdCreator.exe
C:\Users\Kiril\AppData\Local\Temp\mirc727.exe
C:\Users\Kiril\AppData\Local\Temp\oi_{32FF9F70-3304-4F97-9EA6-3D5853A19366}.exe
C:\Users\Kiril\AppData\Local\Temp\ose00000.exe
C:\Users\Kiril\AppData\Local\Temp\SkypeSetup.exe
C:\Users\Kiril\AppData\Local\Temp\SRLDetectionLibrary290113829818175543.dll
C:\Users\Kiril\AppData\Local\Temp\swt-win32-3349.dll
C:\Users\Kiril\AppData\Local\Temp\tbedrs.dll
C:\Users\Kiril\AppData\Local\Temp\UNINSTALL.EXE
AlternateDataStreams: C:\ProgramData\TEMP:1CE11B51
C:\Users\Kiril\AppData\Local\Temp\utt3BAB.tmp.exe
End
*****************

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\I => Key not found.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{00c64b4f-4e3e-11e3-b9e7-f04da2d32cbf} => Key not found.
HKCR\CLSID\{00c64b4f-4e3e-11e3-b9e7-f04da2d32cbf} => Key not found.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{00c64b52-4e3e-11e3-b9e7-f04da2d32cbf} => Key not found.
HKCR\CLSID\{00c64b52-4e3e-11e3-b9e7-f04da2d32cbf} => Key not found.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{00c64c33-4e3e-11e3-b9e7-f04da2d32cbf} => Key not found.
HKCR\CLSID\{00c64c33-4e3e-11e3-b9e7-f04da2d32cbf} => Key not found.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{00c64c58-4e3e-11e3-b9e7-002268defd87} => Key not found.
HKCR\CLSID\{00c64c58-4e3e-11e3-b9e7-002268defd87} => Key not found.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{81581599-1b93-11e2-9323-002268defd87} => Key not found.
HKCR\CLSID\{81581599-1b93-11e2-9323-002268defd87} => Key not found.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{8587b800-06d9-11e3-8d18-f04da2d32cbf} => Key not found.
HKCR\CLSID\{8587b800-06d9-11e3-8d18-f04da2d32cbf} => Key not found.
HKU\Mcx1-LAPTOP\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell => Value not found.
HKLM\Software\Microsoft\Internet Explorer\URLSearchHooks\\{7473b6bd-4691-4744-a82b-7854eb3d70b6} => Value not found.
HKCU\Software\Microsoft\Internet Explorer\URLSearchHooks\\{7473b6bd-4691-4744-a82b-7854eb3d70b6} => Value not found.
HKCU\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => Value deleted successfully.
HKCU\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{1BC142EF-4C3A-4E7B-8F78-042BA0E7F974} => Key not found.
HKCR\Wow6432Node\CLSID\{1BC142EF-4C3A-4E7B-8F78-042BA0E7F974} => Key not found.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7473b6bd-4691-4744-a82b-7854eb3d70b6} => Key not found.
HKCR\CLSID\{7473b6bd-4691-4744-a82b-7854eb3d70b6} => Key not found.
HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar\\{7473b6bd-4691-4744-a82b-7854eb3d70b6} => Value not found.
HKCR\CLSID\{7473b6bd-4691-4744-a82b-7854eb3d70b6} => Key not found.
HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{7473B6BD-4691-4744-A82B-7854EB3D70B6} => Value not found.
HKCR\CLSID\{7473B6BD-4691-4744-A82B-7854EB3D70B6} => Key not found.
"C:\Program Files\uTorrentControl_v2" => File/Directory not found.
"C:\Users\Kiril\AppData\Local\Temp\avguidx.dll" => File/Directory not found.
"C:\Users\Kiril\AppData\Local\Temp\DTLite4481-0347.exe" => File/Directory not found.
"C:\Users\Kiril\AppData\Local\Temp\GenericWndApi.dll" => File/Directory not found.
"C:\Users\Kiril\AppData\Local\Temp\GomEncDnInstaller.exe" => File/Directory not found.
"C:\Users\Kiril\AppData\Local\Temp\jre-7u15-windows-i586-iftw.exe" => File/Directory not found.
"C:\Users\Kiril\AppData\Local\Temp\jre-7u17-windows-i586-iftw.exe" => File/Directory not found.
"C:\Users\Kiril\AppData\Local\Temp\jre-7u21-windows-i586-iftw.exe" => File/Directory not found.
"C:\Users\Kiril\AppData\Local\Temp\jre-7u25-windows-i586-iftw.exe" => File/Directory not found.
"C:\Users\Kiril\AppData\Local\Temp\jre-7u45-windows-i586-iftw.exe" => File/Directory not found.
"C:\Users\Kiril\AppData\Local\Temp\MachineIdCreator.exe" => File/Directory not found.
"C:\Users\Kiril\AppData\Local\Temp\mirc727.exe" => File/Directory not found.
"C:\Users\Kiril\AppData\Local\Temp\oi_{32FF9F70-3304-4F97-9EA6-3D5853A19366}.exe" => File/Directory not found.
"C:\Users\Kiril\AppData\Local\Temp\ose00000.exe" => File/Directory not found.
"C:\Users\Kiril\AppData\Local\Temp\SkypeSetup.exe" => File/Directory not found.
"C:\Users\Kiril\AppData\Local\Temp\SRLDetectionLibrary290113829818175543.dll" => File/Directory not found.
"C:\Users\Kiril\AppData\Local\Temp\swt-win32-3349.dll" => File/Directory not found.
"C:\Users\Kiril\AppData\Local\Temp\tbedrs.dll" => File/Directory not found.
"C:\Users\Kiril\AppData\Local\Temp\UNINSTALL.EXE" => File/Directory not found.
C:\ProgramData\TEMP => ":1CE11B51" ADS removed successfully.
"C:\Users\Kiril\AppData\Local\Temp\utt3BAB.tmp.exe" => File/Directory not found.

==== End of Fixlog ====

If I finish the scan with Malwarebytes I'll post it in the next post.
kevinf80 Posted December 21, 2013 ID:767410
OK thanks, very strange, the FRST fix only found/fixed two entries from the fix script..... Post other logs when ready..
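Added example, not part of the thread and not FRST's own code: a small Python tally of Fixlog result lines, showing how to see at a glance which fixlist entries were actually changed and which were already absent. It assumes one result per line in the "target => outcome." form seen in the Fixlog above; the function names and status labels are illustrative.

```python
import re
from collections import Counter

# Excerpt of result lines copied from the Fixlog posted in this thread.
SAMPLE_FIXLOG = r'''
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\I => Key not found.
HKU\Mcx1-LAPTOP\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell => Value not found.
HKCU\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => Value deleted successfully.
"C:\Program Files\uTorrentControl_v2" => File/Directory not found.
C:\ProgramData\TEMP => ":1CE11B51" ADS removed successfully.
"C:\Users\Kiril\AppData\Local\Temp\utt3BAB.tmp.exe" => File/Directory not found.
'''

# A result line is "<target> => <outcome>." ; header and fixlist-echo
# lines contain no " => " and are skipped.
RESULT_RE = re.compile(r'^(?P<target>.+?) => (?P<outcome>.+?)\.?$')

def parse_fixlog(text):
    """Return (target, outcome, status) for every result line in a Fixlog."""
    results = []
    for line in text.splitlines():
        m = RESULT_RE.match(line.strip())
        if not m:
            continue
        target = m.group('target').strip('"')
        outcome = m.group('outcome')
        lowered = outcome.lower()
        if 'not found' in lowered:
            status = 'absent'      # entry was already gone before the fix ran
        elif 'successfully' in lowered:
            status = 'changed'     # the fix actually removed or deleted it
        else:
            status = 'other'       # anything else deserves a manual look
        results.append((target, outcome, status))
    return results

def summarize(results):
    """Count results per status and list the targets that were changed."""
    counts = Counter(status for _, _, status in results)
    changed = [target for target, _, status in results if status == 'changed']
    return counts, changed

if __name__ == '__main__':
    counts, changed = summarize(parse_fixlog(SAMPLE_FIXLOG))
    print(dict(counts))
    for target in changed:
        print('changed:', target)
```

A fix script built from an older scan produces mostly "not found" results like these, because the entries it lists no longer exist on the machine.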
KNedyalkov Posted December 22, 2013 Author ID:767559
Good morning,
First I want to apologize for the FRST report. I contacted another forum a week ago and they started some of these procedures, but now no one is responding anymore :S. Here is a fresh FRST log and Addition.txt.
Attached: Addition.txt, FRST.txt
kevinf80 Posted December 22, 2013 ID:767581
If you are already receiving help elsewhere you should be patient and stick with that helper or you will only cause confusion....
KNedyalkov Posted December 22, 2013 Author ID:767647
OK, and sorry again, but if the other forum does not reply to me in the next few days I'll come back here. Thank you again for the help.
kevinf80 Posted December 22, 2013 ID:767715
That's OK, I understand you want a fix as quickly as possible. We will close out now; stick with your other helper until you get a conclusion.
Take care,
Kevin.....
Root Admin AdvancedSetup Posted December 25, 2013 ID:768704
Since this issue is resolved I will close the thread to prevent others from posting here. If you need assistance please start your own topic and someone will be happy to assist you.