Malwarebytes Detection and Freezing

[uvris3]

Hello, my original problem was that Malwarebytes detected eight infected objects and then froze, followed by bluescreen.  I have followed the instructions, run dds.scr, and attached attach.txt and dds.txt.  Thank you.

attach.txt

dds.txt

[Maniac]

Hello uvris3! My name is Borislav and I will be glad to help you solve your malware problem.

Please note:

• If you are a paying customer, you have the privilege to contact the help desk at Consumer Support. If you choose this option to get help, please let me know.
• I recommend you to keep the instructions I will be giving you so that they are available to you at any time. You can save them in a text file or print them.
• Make sure you read all of the instructions and fixes thoroughly before continuing with them.
• Follow my instructions strictly and don’t hesitate to stop and ask me if you have any questions.
• Post your log files, don't attach them. Every log file should be copy/pasted in your next reply.
• Do not perform any kind of scanning and fixing without my instructions. If you want to proceed on your own, please let me know.

Step 1

Please uninstall the following applications:

Avira SearchFree Toolbar

Radio 1.1 Toolbar

SearchAssist

Yahoo! Search Protection

Step 2

Please download Junkware Removal Tool to your desktop.

• Shut down your protection software now to avoid potential conflicts.
• Run the tool by double-clicking it. If you are using Windows Vista or Seven, right-mouse click it and select Run as Administrator.
• The tool will open and start scanning your system.
• Please be patient as this can take a while to complete depending on your system's specifications.
• On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
• Post the contents of JRT.txt into your next message.

Step 3

Please download AdwCleaner by Xplode onto your desktop.

• Close all open programs and internet browsers.
• Double click on AdwCleaner.exe to run the tool.
• Click on Scan button. Wait until is finished.
• Click on Clean.
• Confirm each time with Ok.
• Your computer will be rebooted automatically. A text file will open after the restart.
• Please post the content of that logfile with your next answer.
• You can find the logfile at C:\AdwCleaner\AdwCleaner[s0].txt as well.

Step 4

• Launch Malwarebytes' Anti-Malware
• Go to Update tab and select Check for Updates. If an update is found, it will download and install the latest version.
• Go to Scanner tab and select Perform Quick Scan, then click Scan.
• The scan may take some time to finish,so please be patient.
• When the scan is complete, click OK, then Show Results to view the results.
• Make sure that everything is checked, and click Remove Selected.
• When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
• The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
• Copy&Paste the entire report in your next reply.

Extra Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process, if asked to restart the computer,please do so immediately.

In your next reply, post the following log files:

• Junkware Removal Tool log
• AdwCleaner log
• Malwarebytes' Anti-Malware log

[uvris3]

Hello uvris3! My name is Borislav and I will be glad to help you solve your malware problem.

Please note:

• If you are a paying customer, you have the privilege to contact the help desk at Consumer Support. If you choose this option to get help, please let me know.
• I recommend you to keep the instructions I will be giving you so that they are available to you at any time. You can save them in a text file or print them.
• Make sure you read all of the instructions and fixes thoroughly before continuing with them.
• Follow my instructions strictly and don’t hesitate to stop and ask me if you have any questions.
• Post your log files, don't attach them. Every log file should be copy/pasted in your next reply.
• Do not perform any kind of scanning and fixing without my instructions. If you want to proceed on your own, please let me know.

Step 1

Please uninstall the following applications:

Avira SearchFree Toolbar

Radio 1.1 Toolbar

SearchAssist

Yahoo! Search Protection

Step 2

Please download Junkware Removal Tool to your desktop.

• Shut down your protection software now to avoid potential conflicts.
• Run the tool by double-clicking it. If you are using Windows Vista or Seven, right-mouse click it and select Run as Administrator.
• The tool will open and start scanning your system.
• Please be patient as this can take a while to complete depending on your system's specifications.
• On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
• Post the contents of JRT.txt into your next message.

Step 3

Please download AdwCleaner by Xplode onto your desktop.

• Close all open programs and internet browsers.
• Double click on AdwCleaner.exe to run the tool.
• Click on Scan button. Wait until is finished.
• Click on Clean.
• Confirm each time with Ok.
• Your computer will be rebooted automatically. A text file will open after the restart.
• Please post the content of that logfile with your next answer.
• You can find the logfile at C:\AdwCleaner\AdwCleaner[s0].txt as well.

Step 4

• Launch Malwarebytes' Anti-Malware
• Go to Update tab and select Check for Updates. If an update is found, it will download and install the latest version.
• Go to Scanner tab and select Perform Quick Scan, then click Scan.
• The scan may take some time to finish,so please be patient.
• When the scan is complete, click OK, then Show Results to view the results.
• Make sure that everything is checked, and click Remove Selected.
• When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
• The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
• Copy&Paste the entire report in your next reply.

Extra Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process, if asked to restart the computer,please do so immediately.

In your next reply, post the following log files:

• Junkware Removal Tool log
• AdwCleaner log
• Malwarebytes' Anti-Malware log

 

Hello, I followed the instructions and have pasted the contents of JRT.txt and AdwCleaner.txt below.  I encountered my original problem in Step 4:  Malwarebytes detected two objects and then froze, and I got a blue screen when I tried to unfreeze or exit Malwarebytes.  Previously, the same thing happened, but Malwarebytes had detected eight objects.  So, I think the computer is still infected.

 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Junkware Removal Tool (JRT) by Thisisu

Version: 6.1.0 (01.07.2014:1)

OS: Microsoft Windows XP x86

Ran by HAL on Thu 01/09/2014 at 13:37:45.14

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

~~~ Services

~~~ Registry Values

Successfully deleted: [Registry Value] HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Toolbar\\{3004627E-F8E9-4E8B-909D-316753CBA923}

Successfully repaired: [Registry Value] HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\\Start Page

Successfully repaired: [Registry Value] HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Main\\Start Page

Successfully repaired: [Registry Value] HKEY_USERS\S-1-5-18\Software\Microsoft\Internet Explorer\Main\\Start Page

Successfully repaired: [Registry Value] HKEY_USERS\S-1-5-19\Software\Microsoft\Internet Explorer\Main\\Start Page

Successfully repaired: [Registry Value] HKEY_USERS\S-1-5-20\Software\Microsoft\Internet Explorer\Main\\Start Page

Successfully repaired: [Registry Value] HKEY_USERS\S-1-5-21-3106242995-1852642597-4043359429-1006\Software\Microsoft\Internet Explorer\Main\\Start Page

Successfully repaired: [Registry Value] HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\\Start Page

Successfully repaired: [Registry Value] HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\AboutURLs\\Tabs

~~~ Registry Keys

Successfully deleted: [Registry Key] HKEY_CLASSES_ROOT\AppID\{09C554C3-109B-483C-A06B-F14172F1A947}

Successfully deleted: [Registry Key] HKEY_CLASSES_ROOT\AppID\{4E1E9D45-8BF9-4139-915C-9F83CC3D5921}

Successfully deleted: [Registry Key] HKEY_CLASSES_ROOT\AppID\{B12E99ED-69BD-437C-86BE-C862B9E5444D}

Successfully deleted: [Registry Key] HKEY_CLASSES_ROOT\AppID\{D7EE8177-D51E-4F89-92B6-83EA2EC40800}

Successfully deleted: [Registry Key] HKEY_CLASSES_ROOT\AppID\escort.dll

Successfully deleted: [Registry Key] HKEY_CLASSES_ROOT\AppID\escortapp.dll

Successfully deleted: [Registry Key] HKEY_CLASSES_ROOT\AppID\escorteng.dll

Successfully deleted: [Registry Key] HKEY_CLASSES_ROOT\AppID\escortlbr.dll

Successfully deleted: [Registry Key] HKEY_CLASSES_ROOT\AppID\esrv.exe

Successfully deleted: [Registry Key] HKEY_CLASSES_ROOT\CLSID\{1AA60054-57D9-4F99-9A55-D0FBFBE7ECD3}

Successfully deleted: [Registry Key] HKEY_CLASSES_ROOT\CLSID\{4AA46D49-459F-4358-B4D1-169048547C23}

Successfully deleted: [Registry Key] HKEY_CLASSES_ROOT\TypeLib\{4E1E9D45-8BF9-4139-915C-9F83CC3D5921}

Successfully deleted: [Registry Key] HKEY_CLASSES_ROOT\TypeLib\{D7EE8177-D51E-4F89-92B6-83EA2EC40800}

Successfully deleted: [Registry Key] HKEY_CURRENT_USER\Software\dsiteproducts

Successfully deleted: [Registry Key] HKEY_CURRENT_USER\Software\installcore

Successfully deleted: [Registry Key] HKEY_CURRENT_USER\Software\mysearchdial

Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\installcore

Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Classes\esrv.mysearchdialesrvc

Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Classes\esrv.mysearchdialesrvc.1

Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Classes\mysearchdial.mysearchdialappcore

Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Classes\mysearchdial.mysearchdialappcore.1

Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Classes\mysearchdial.mysearchdialdskbnd

Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Classes\mysearchdial.mysearchdialdskbnd.1

Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Classes\mysearchdial.mysearchdialhlpr

Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Classes\mysearchdial.mysearchdialhlpr.1

Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6db9fdfe-b718-4962-be0c-0a5fce7f7f7b}

Successfully deleted: [Registry Key] HKEY_CLASSES_ROOT\CLSID\{6db9fdfe-b718-4962-be0c-0a5fce7f7f7b}

~~~ Files

~~~ Folders

Successfully deleted: [Folder] "C:\Documents and Settings\HAL\Application Data\mysearchdial"

Successfully deleted: [Folder] "C:\Program Files\jump flip"

Successfully deleted: [Folder] "C:\Program Files\mysearchdial"

Successfully deleted: [Folder] "C:\Program Files\openit"

Successfully deleted: [Folder] "C:\Documents and Settings\All Users\start menu\programs\open it!"

~~~ FireFox

Successfully deleted: [File] C:\Documents and Settings\HAL\Application Data\mozilla\firefox\profiles\6m7ci4cn.default\user.js

Successfully deleted: [File] C:\Documents and Settings\HAL\Application Data\mozilla\firefox\profiles\6m7ci4cn.default\searchplugins\mysearchdial.xml

Successfully deleted: [Folder] C:\Documents and Settings\HAL\Application Data\mozilla\firefox\profiles\6m7ci4cn.default\extensions\{ad9a41d2-9a49-4fa6-a79e-71a0785364c8}

Successfully deleted the following from C:\Documents and Settings\HAL\Application Data\mozilla\firefox\profiles\6m7ci4cn.default\prefs.js

user_pref("browser.search.defaultenginename", "Mysearchdial");

user_pref("browser.search.selectedEngine", "Mysearchdial");

user_pref("extensions.mysearchdial.aflt", "dsites0101");

user_pref("extensions.mysearchdial.appId", "{CA5CAA63-B27C-4963-9BEC-CB16A36D56F8}");

user_pref("extensions.mysearchdial.cd", "2XzuyEtN2Y1L1QzutDtDtC0EyE0CyByCtC0A0BzytC0DyBtDtN0D0Tzu0SyByEtDtN1L2XzutBtFtBtFtCyEtFtCtAyBzytN1L1CzutDzytDtC0B");

user_pref("extensions.mysearchdial.cr", "1877023167");

user_pref("extensions.mysearchdial.dfltLng", "");

user_pref("extensions.mysearchdial.dfltSrch", true);

user_pref("extensions.mysearchdial.dnsErr", true);

user_pref("extensions.mysearchdial.excTlbr", false);

user_pref("extensions.mysearchdial.hmpg", true);

user_pref("extensions.mysearchdial.id", "001E4C761AB91D70");

user_pref("extensions.mysearchdial.instlDay", "16079");

user_pref("extensions.mysearchdial.instlRef", "");

user_pref("extensions.mysearchdial.prdct", "mysearchdial");

user_pref("extensions.mysearchdial.prtnrId", "mysearchdial");

user_pref("extensions.mysearchdial.srchPrvdr", "Mysearchdial");

user_pref("extensions.mysearchdial.tlbrId", "base");

user_pref("extensions.mysearchdial.vrsn", "1.8.21.0");

user_pref("extensions.mysearchdial.vrsni", "1.8.21.0");

user_pref("extensions.mysearchdial_i.hmpg", true);

user_pref("extensions.mysearchdial_i.newTab", false);

user_pref("extensions.mysearchdial_i.smplGrp", "none");

user_pref("extensions.mysearchdial_i.vrsnTs", "1.8.21.013:31:50");

~~~ Chrome

Successfully deleted: [Registry Key] HKEY_CURRENT_USER\Software\Google\Chrome\Extensions\pflphaooapbgpeakohlggbpidpppgdff

Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Google\Chrome\Extensions\pflphaooapbgpeakohlggbpidpppgdff

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Scan was completed on Thu 01/09/2014 at 13:44:42.82

End of JRT log

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

 

# AdwCleaner v3.016 - Report created 09/01/2014 at 13:55:44

# Updated 23/12/2013 by Xplode

# Operating System : Microsoft Windows XP Service Pack 3 (32 bits)

# Username : HAL - LAPTOP2007

# Running from : C:\Documents and Settings\HAL\My Documents\Downloads\AdwCleaner.exe

# Option : Clean

***** [ Services ] *****

***** [ Files / Folders ] *****

Folder Deleted : C:\Documents and Settings\LocalService\Local Settings\Application Data\Conduit

Folder Deleted : C:\Documents and Settings\HAL\Application Data\Mozilla\Firefox\Profiles\6m7ci4cn.default\Extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1}

Folder Deleted : C:\Documents and Settings\HAL\Application Data\Mozilla\Firefox\Profiles\6m7ci4cn.default\Extensions\ffxtlbr@mysearchdial.com

File Deleted : C:\Documents and Settings\HAL\Local Settings\Application Data\mysearchdial-speeddial.crx

File Deleted : C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\v41ure3k.default\searchplugins\Mysearchdial.xml

File Deleted : C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\v41ure3k.default\user.js

File Deleted : C:\Documents and Settings\HAL\Local Settings\Application Data\Google\Chrome\User Data\Default\Local Storage\chrome-extension_pflphaooapbgpeakohlggbpidpppgdff_0.localstorage

***** [ Shortcuts ] *****

***** [ Registry ] *****

Key Deleted : HKCU\Software\Microsoft\Internet Explorer\DOMStorage\conduit.com

Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\CNXT_MODEM_HDAUDIO_VEN_14F1&DEV_2C06&SUBSYS_14F1000F

Key Deleted : HKLM\SOFTWARE\Classes\AppID\{C292AD0A-C11F-479B-B8DB-743E72D283B0}

Key Deleted : HKLM\SOFTWARE\Classes\AppID\{CA5CAA63-B27C-4963-9BEC-CB16A36D56F8}

Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{3004627E-F8E9-4E8B-909D-316753CBA923}

Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{4ED063C9-4A0B-4B44-A9DC-23AFF424A0D3}

Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{C358B3D0-B911-41E3-A276-E7D43A6BA56D}

Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{D40753C7-8A59-4C1F-BE88-C300F4624D5B}

Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{EF5625A3-37AB-4BDB-9875-2A3D91CD0DFD}

Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{C292AD0A-C11F-479B-B8DB-743E72D283B0}

Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{EF5625A3-37AB-4BDB-9875-2A3D91CD0DFD}

Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{EF99BD32-C1FB-11D2-892F-0090271D4F88}

Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{02478D38-C3F9-4EFB-9B51-7695ECA05670}

Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{EF99BD32-C1FB-11D2-892F-0090271D4F88}

Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{219046AE-358F-4CF1-B1FD-2B4DE83642A8}

Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{77AA745B-F4F8-45DA-9B14-61D2D95054C8}

Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{77AA745B-F4F8-45DA-9B14-61D2D95054C8}

Value Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar [{EF99BD32-C1FB-11D2-892F-0090271D4F88}]

Key Deleted : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\0FF2AEFF45EEA0A48A4B33C1973B6094

Key Deleted : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\305B09CE8C53A214DB58887F62F25536

***** [ Browsers ] *****

-\\ Internet Explorer v8.0.6001.18702

-\\ Mozilla Firefox v26.0 (en-US)

[ File : C:\Documents and Settings\HAL\Application Data\Mozilla\Firefox\Profiles\6m7ci4cn.default\prefs.js ]

[ File : C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\v41ure3k.default\prefs.js ]

Line Deleted : user_pref("browser.search.selectedEngine", "Mysearchdial");

Line Deleted : user_pref("browser.search.defaultenginename", "Mysearchdial");

-\\ Google Chrome v32.0.1700.72

[ File : C:\Documents and Settings\HAL\Local Settings\Application Data\Google\Chrome\User Data\Default\preferences ]

Deleted : homepage

Deleted : urls_to_restore_on_startup

*************************

AdwCleaner[R0].txt - [4487 octets] - [09/01/2014 13:52:02]

AdwCleaner[s0].txt - [4474 octets] - [09/01/2014 13:55:44]

########## EOF - C:\AdwCleaner\AdwCleaner[s0].txt - [4534 octets] ##########

 

[Maniac]

Please scan your machine with ESET OnlineScan

• Hold down Control and click on the following link to open ESET OnlineScan in a new window.

  ESET OnlineScan

• Click the button.
• For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
  • Click on esetsmartinstaller_enu.exe to download the ESET Smart Installer.

    Save it to your Desktop.

  • Double click on the to download the ESET Smart Installer. icon on your Desktop.
• Check "YES, I accept the Terms of Use."
• Click the Start button.
• Accept any security warnings from your browser.
• Under Scan Settings, check "Scan Archives" and "Remove found threats"
• Click Advanced settings and select the following:
  • Scan potentially unwanted applications
  • Scan for potentially unsafe applications
  • Enable Anti-Stealth technology
• ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
• When the scan completes, click List Threats
• Click Export, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
• Click the Back button.
• Click the Finish button.

[uvris3]

Hello.  I include the contents of the ESET scan below.  I chose to have ESET remove the quarantined objects after the scan.  I know you did not instruct me to do this, but I did a quick scan with Malwarebytes following the ESET scan and had the same problem:  Malwarebytes detected two objects, it stopped, and then I got the blue screen.  So, I guess something is still on the computer.  Thank you in advance for any follow-on help.

 

 

:\RECYCLER\S-1-5-21-3106242995-1852642597-4043359429-1006\Dc46.exe    a variant of Win32/InstallCore.D application    
C:\Documents and Settings\HAL\Application Data\Mozilla\Firefox\Profiles\6m7ci4cn.default\extensions\firefox@jumpflip.net.xpi    Win32/BrowseFox.B application    deleted - quarantined
C:\Documents and Settings\HAL\Local Settings\temp\+uSWTWrT.exe.part    Win32/DownloadAdmin.G application    cleaned by deleting - quarantined
C:\Documents and Settings\HAL\Local Settings\temp\13CLMTLq.exe.part    Win32/AdWare.1ClickDownload.AQ application    cleaned by deleting - quarantined
C:\Documents and Settings\HAL\Local Settings\temp\G6boqvUW.exe.part    Win32/DownloadAdmin.G application    cleaned by deleting - quarantined
C:\Documents and Settings\HAL\Local Settings\temp\ia7bgByC.exe.part    Win32/DownWare.I application    cleaned by deleting - quarantined
C:\Documents and Settings\HAL\Local Settings\temp\P3VwCVM0.exe.part    Win32/AdWare.1ClickDownload.AQ application    cleaned by deleting - quarantined
C:\Documents and Settings\HAL\Local Settings\temp\T8qkdHWD.exe.part    Win32/Adware.1ClickDownload.AM application    cleaned by deleting - quarantined
C:\Documents and Settings\HAL\Local Settings\temp\tbRad0.dll    a variant of Win32/Toolbar.Conduit.B application    cleaned by deleting - quarantined
C:\Documents and Settings\HAL\Local Settings\temp\xz_+frUK.exe.part    multiple threats    cleaned by deleting - quarantined
C:\Documents and Settings\HAL\Local Settings\temp\ZHpWgoiy.exe.part    Win32/Adware.1ClickDownload.AM application    cleaned by deleting - quarantined
C:\Documents and Settings\HAL\Local Settings\temp\is1590112554\5094600_stp\Mysearchdial.exe    a variant of Win32/Toolbar.Funmoods.D application    cleaned by deleting - quarantined
C:\Documents and Settings\HAL\Local Settings\Temporary Internet Files\Content.IE5\78KPN2P6\Setup[1].exe    multiple threats    cleaned by deleting - quarantined
C:\Documents and Settings\LocalService\Local Settings\Application Data\Radio_1.1\ldrtbRad2.dll    a variant of Win32/Toolbar.Conduit.P application    cleaned by deleting - quarantined
C:\Documents and Settings\LocalService\Local Settings\Application Data\Radio_1.1\tbRad2.dll    a variant of Win32/Toolbar.Conduit.B application    cleaned by deleting - quarantined
C:\Program Files\Avira\AntiVir Desktop\offercast_avirav7_.exe    a variant of Win32/Bundled.Toolbar.Ask.D application    cleaned by deleting (after the next restart) - quarantined
C:\RECYCLER\S-1-5-21-3106242995-1852642597-4043359429-1006\Dc47.exe    a variant of Win32/InstallIQ.A application    cleaned by deleting - quarantined
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1129\A0074134.exe    multiple threats    cleaned by deleting - quarantined
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1129\A0074140.dll    a variant of Win32/Toolbar.Conduit.P application    cleaned by deleting - quarantined
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1129\A0074141.dll    a variant of Win32/Toolbar.Conduit.P application    cleaned by deleting - quarantined
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1129\A0074142.dll    a variant of Win32/Toolbar.Conduit.P application    cleaned by deleting - quarantined
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1129\A0074143.dll    a variant of Win32/PriceGong.A application    cleaned by deleting - quarantined
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1129\A0074144.dll    a variant of Win32/Toolbar.Conduit.B application    cleaned by deleting - quarantined
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1129\A0074146.dll    a variant of Win32/Toolbar.Conduit.B application    cleaned by deleting - quarantined
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1129\A0074147.dll    a variant of Win32/Toolbar.Conduit.B application    cleaned by deleting - quarantined
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1129\A0074153.dll    a variant of Win32/Toolbar.Conduit.P application    cleaned by deleting - quarantined
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1129\A0074154.dll    a variant of Win32/Toolbar.Conduit.P application    cleaned by deleting - quarantined
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1129\A0074155.dll    a variant of Win32/Toolbar.Conduit.P application    cleaned by deleting - quarantined
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1129\A0074158.dll    Win32/Toolbar.Conduit.O application    cleaned by deleting - quarantined
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1129\A0074161.dll    a variant of Win32/Toolbar.Conduit.B application    cleaned by deleting - quarantined
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1129\A0074162.dll    a variant of Win32/Toolbar.Conduit.B application    cleaned by deleting - quarantined
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1129\A0074163.dll    a variant of Win32/Toolbar.Conduit.B application    cleaned by deleting - quarantined
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1130\A0074207.rbf    a variant of Win32/Bundled.Toolbar.Ask.E application    cleaned by deleting - quarantined
C:\WINDOWS\temp\AskSLib.dll    a variant of Win32/Bundled.Toolbar.Ask application    cleaned by deleting - quarantined
C:\WINDOWS\temp\avnwldrtemp\setup\Offercast_AVIRAV7_.exe    a variant of Win32/Bundled.Toolbar.Ask.D application    cleaned by deleting - quarantined
 

[Maniac]

Note: Please do not run this tool without special supervision and instructions of someone authorized to do so. Otherwise, you could end up with serious problems. For more details, read this article: ComboFix usage, Questions, Help? - Look here

Please visit this webpage and read the ComboFix User's Guide:

• Once you've read the article and are ready to use the program you can download it directly from the link below.
• Important! - Please make sure you save combofix to your desktop and do not run it from your browser
• Direct download link for: ComboFix.exe
• Please make sure you disable your security applications before running ComboFix.
• Once Combofix has completed it will produce and open a log file. Please be patient as it can take some time to load.
• Please copy/paste the contents or attach that log file to your next reply.
• If needed the file can be located here: C:\combofix.txt
• NOTE: If you receive the message "illegal operation has been attempted on a registry key that has been marked for deletion", just reboot the computer.

[uvris3]

Hello, I ran ComboFix.exe and have attached the log file.  After completing ComboFix, I did a quick scan with Malwarebytes, and it is still detecting two objects.  I did not get a bluescreen this time, but Malwarebytes did freeze again, and I had to manually shut down the computer and re-start.  I greatly appreciate your continuing help in this matter.log.txt

[Maniac]

Do not run any scan while working together and don't attach your log files I already explain about that.

Step 1

Please download Rkill by Grinler from one of the links below and save it to your desktop.

Link 1

Link 2

• On Windows XP double-click on the Rkill desktop icon to run the tool.
• On Windows Vista/Windows 7 or 8, right-click on the Rkill desktop icon and select Run As Administrator
• A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
• If not, delete the file, then download and use the one provided in Link 2.
• If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
• If the tool does not run from any of the links provided, please let me know.
• Do not reboot the computer, you will need to run the application again.

Step 2

Please download unhide.exe from here and save it to your Desktop. Double-click on the Unhide.exe icon on your desktop and allow the program to run. This program will remove the +H, or hidden, attribute from all the files on your hard drives. If there are any files that were purposely hidden by you, you will need to hide them again after this tool is run. When Unhide is complete, it will create a logfile on the Windows Desktop called Unhide.txt . Post the log file in your next reply here.

Step 3

Please download the latest version of TDSSKiller from here and save it to your Desktop.

• Doubleclick on TDSSKiller.exe to run the application, then click on Change parameters.

  

• Put a checkmark beside loaded modules.

  

• A reboot will be needed to apply the changes. Do it.
• TDSSKiller will launch automatically after the reboot. Also your computer may seem very slow and unusable. This is normal. Give it enough time to load your background programs.
• Then click on Change parameters in TDSSKiller.
• Check all boxes then click OK.

  

• Click the Start Scan button.

  

• The scan should take no longer than 2 minutes.
• If a suspicious object is detected, the default action will be Skip, click on Continue.

  

• If malicious objects are found, they will show in the Scan results - Select action for found objects and offer three options.

  Ensure Cure (default) is selected, then click Continue > Reboot now to finish the cleaning process.

  

  Note: If Cure is not available, please choose Skip instead, do not choose Delete unless instructed.

• A report will be created in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.
• Step 4

  Please scan your machine with ESET OnlineScan

  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.

    ESET OnlineScan

  • Click the button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on esetsmartinstaller_enu.exe to download the ESET Smart Installer.

      Save it to your Desktop.

    • Double click on the to download the ESET Smart Installer. icon on your Desktop.
  • Check "YES, I accept the Terms of Use."
  • Click the Start button.
  • Accept any security warnings from your browser.
  • Under Scan Settings, check "Scan Archives" and "Remove found threats"
  • Click Advanced settings and select the following:
    • Scan potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth technology
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, click List Threats
  • Click Export, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Click the Back button.
  • Click the Finish button.
  In your next reply, post the following log files:
  • RKill log
  • unhide log
  • TDSSKiller log
  • ESET Online Scanner log

[uvris3]

Hello.  I have pasted the contents of the RKill, unhide, and ESET log files below.  When I pasted the TDSSKiller log, I got an error message stating that the post was too long, so I have attached it as a file.  Thank you for your continuing help!

 

###########################################################################

 

RKill log:

 

Rkill 2.6.5 by Lawrence Abrams (Grinler)
http://www.bleepingcomputer.com/
Copyright 2008-2014 BleepingComputer.com
More Information about Rkill can be found at this link:
 http://www.bleepingcomputer.com/forums/topic308364.html

Program started at: 01/12/2014 01:42:58 PM in x86 mode.
Windows Version: Microsoft Windows XP Service Pack 3

Checking for Windows services to stop:

 * No malware services found to stop.

Checking for processes to terminate:

 * C:\WINDOWS\System32\WLTRYSVC.EXE (PID: 1864) [WD-HEUR]
 * C:\WINDOWS\System32\bcmwltry.exe (PID: 1896) [WD-HEUR]

2 proccesses terminated!

Checking Registry for malware related settings:

 * No issues found in the Registry.

Resetting .EXE, .COM, & .BAT associations in the Windows Registry.

Performing miscellaneous checks:

 * Windows Defender Disabled

   [HKLM\SOFTWARE\Microsoft\Windows Defender]
   "DisableAntiSpyware" = dword:00000001

###########################################################################

 

unhide log:

 

Unhide by Lawrence Abrams (Grinler)
http://www.bleepingcomputer.com/
Copyright 2008-2014 BleepingComputer.com
More Information about Unhide.exe can be found at this link:
  http://www.bleepingcomputer.com/forums/topic405109.html

Program started at: 01/12/2014 01:44:36 PM
Windows Version: Windows XP

Please be patient while your files are made visible again.

Processing the C:\ drive
Finished processing the C:\ drive. 303052 files processed.

The C:\DOCUME~1\HAL\LOCALS~1\Temp\smtmp\ folder does not exist!!
Unhide cannot restore your missing shortcuts!!
Please see this topic in order to learn how to restore default
Start Menu shortcuts: http://www.bleepingcomputer.com/forums/topic405109.html

Searching for Windows Registry changes made by FakeHDD rogues.
 - Checking HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
 - Checking HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
 - Checking HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System
 - Checking HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ActiveDesktop
  * HidNoChangingWallPaperden policy was found and deleted!
 - Checking HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
  * Start_ShowMyMusic was set to 0! It was set back to 1!
  * Start_ShowMyPics was set to 0! It was set back to 1!
  * Start_ShowPrinters was set to 0! It was set back to 1!
  * Start_ShowSetProgramAccessAndDefaults was set to 0! It was set back to 1!
  * Start_ShowRecentDocs was set to 0! It was set back to 2!
  * Start_ShowNetConn was set to 0! It was set back to 1!
  * Start_ShowNetPlaces was set to 0! It was set back to 1!

Program finished at: 01/12/2014 02:04:57 PM
Execution time: 0 hours(s), 20 minute(s), and 20 seconds(s)

 

###########################################################################

 

ESETScan log:

 

C:\Program Files\Avira\AntiVir Desktop\Offercast_AVIRAV7_.exe    a variant of Win32/Bundled.Toolbar.Ask.D application    cleaned by deleting (after the next restart) - quarantined
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1131\A0075355.dll    a variant of Win32/Toolbar.Conduit.P application    cleaned by deleting - quarantined
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1131\A0075356.dll    a variant of Win32/Toolbar.Conduit.B application    cleaned by deleting - quarantined
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1131\A0075357.exe    a variant of Win32/InstallIQ.A application    cleaned by deleting - quarantined
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1131\A0076305.exe    a variant of Win32/Bundled.Toolbar.Ask.D application    cleaned by deleting - quarantined
 

###########################################################################

 

 

TDSSKiller.3.0.0.19_12.01.2014_15.18.37_log.txt

[Maniac]

• Launch Malwarebytes' Anti-Malware
• Go to Update tab and select Check for Updates. If an update is found, it will download and install the latest version.
• Go to Scanner tab and select Perform Quick Scan, then click Scan.
• The scan may take some time to finish,so please be patient.
• When the scan is complete, click OK, then Show Results to view the results.
• Make sure that everything is checked, and click Remove Selected.
• When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
• The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
• Copy&Paste the entire report in your next reply.

Extra Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process, if asked to restart the computer,please do so immediately.

[uvris3]

Hello, I followed your instructions and started a Quick Scan with MBAM.  It identified two objects (I think in "Documents and Settings" but am not sure), then my computer shut down due to an unexpected error (blue screen) approximately 30 minutes into the scan.  This is the same thing that happened prior to running Rkill, unhide, TDSSKiller, and ESET.  The computer required a complete OS restoration this time.  Thank you for your continuing help.

[uvris3]

To clarify my previous post, the computer put itself through a complete system check (disks, etc.) before starting back up after the shut down.  I did not mean that I had to re-install the OS.

[uvris3]

Hello, if it would help, I can re-do the quick scan, stopping it after the two detections but before I get a bluescreen and then send you the report on the two detected objects.

[uvris3]

Hello, is anyone aware of a virus that causes system shutdown while scanning with Malwarebytes?

[Maniac]

That's strange.

Download OTL to your Desktop

• Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
• Please tick the Scan All users. Next, click the Quick Scan button. The scan wont take long.
  • When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
  • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time and post them in your topic.

[uvris3]

That's strange.

Download OTL to your Desktop

• Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
• Please tick the Scan All users. Next, click the Quick Scan button. The scan wont take long.
  • When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
  • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time and post them in your topic.

 

Hello, I was able to solve the problem by running Malwarebytes in safe mode.  I thought I saved the log file to my desktop but cannot find it.  It detected nine objects, asked me to restart the computer, and it seems to be running better.  I appreciate the help you provided.  If I find the log file I'll post it.

[Maniac]

Thanks for letting me know!

Last steps:

Step 1

Please run OTL and click on CleanUp button.

Step 2

• Double click on AdwCleaner.exe to run the tool.
• Click on Uninstall
• Confirm with Yes

Step 3

Please uninstall ESET Online Scanner .

Step 4

Some malware preventions:

users.telenet.be/bluepatchy/miekiemoes/prevention.html

Safe surfing!

[uvris3]

Thanks for letting me know!

Last steps:

Step 1

Please run OTL and click on CleanUp button.

Step 2

• Double click on AdwCleaner.exe to run the tool.
• Click on Uninstall
• Confirm with Yes

Step 3

Please uninstall ESET Online Scanner .

Step 4

Some malware preventions:

users.telenet.be/bluepatchy/miekiemoes/prevention.html

Safe surfing!

 

Done.  Thank you very much for your help!

[AdvancedSetup]

Glad we could help.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!