trich13 Posted February 24, 2014 ID:795880 Share Posted February 24, 2014 I started having problems with my laptop over this past weekend. The laptop shut down on it's own and for quite a while I couldn't start Windows 7. Windows ran a start repair and that didn't work. A system restore didn't work. Finally after a memory scan (??) I was able to log on. Microsoft Security Essentials did nothing to fix the problem, so I googled Malware and downloaded the Malwarebytes free. I upgraded to pro this morning. After a couple of full scans, yesterday and today, it seems the laptop is still infected. Things seem to be getting worse. I hope you can help. It said to just copy and paste the info of the dds files so I hope I'm doing this right. Thank you. DDS (Ver_2012-11-20.01) - NTFS_x86Internet Explorer: 11.0.9600.16518Run by Boo at 11:23:15 on 2014-02-24Microsoft Windows 7 Ultimate 6.1.7601.1.1252.1.1033.18.2038.777 [GMT -6:00].AV: Microsoft Security Essentials *Enabled/Updated* {641105E6-77ED-3F35-A304-765193BCB75F}SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}SP: Microsoft Security Essentials *Enabled/Updated* {DF70E402-51D7-30BB-99B4-4D23E83BFDE2}.============== Running Processes ================.C:\Windows\system32\wininit.exeC:\Windows\system32\lsm.exec:\Program Files\Microsoft Security Client\MsMpEng.exeC:\Windows\system32\atiesrxx.exeC:\Windows\System32\spoolsv.exeC:\Windows\system32\atieclxx.exeC:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exeC:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exeC:\Program Files\Bonjour\mDNSResponder.exeC:\PROGRA~1\SearchProtect\Main\bin\CltMngSvc.exeC:\Windows\system32\taskhost.exeC:\PROGRA~1\SearchProtect\SearchProtect\bin\cltmng.exeC:\PROGRA~1\SearchProtect\UI\bin\cltmngui.exeC:\Windows\system32\wbem\wmiprvse.exeC:\Windows\system32\Dwm.exeC:\Windows\Explorer.EXEC:\Program Files\Microsoft Security Client\msseces.exeC:\Program Files\Synaptics\SynTP\SynTPEnh.exeC:\Windows\System32\igfxtray.exeC:\Windows\System32\hkcmd.exeC:\Windows\System32\igfxpers.exeC:\Windows\OEM02Mon.exeC:\Program Files\iTunes\iTunesHelper.exeC:\Program Files\DELL\DELL Webcam Manager\DellWMgr.exeC:\Users\Boo\AppData\Local\Akamai\netsession_win.exeC:\Program Files\Windows Sidebar\sidebar.exeC:\Windows\system32\igfxsrvc.exeC:\Windows\system32\SearchIndexer.exeC:\Program Files\Windows Media Player\wmpnetwk.exeC:\Windows\system32\SearchProtocolHost.exeC:\Users\Boo\AppData\Local\Akamai\netsession_win.exeC:\Program Files\iPod\bin\iPodService.exeC:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPHELPER.EXEc:\Program Files\Microsoft Security Client\NisSrv.exeC:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exeC:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exeC:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exeC:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\system32\taskeng.exec:\Program Files\Microsoft Security Client\MpCmdRun.exeC:\Windows\servicing\TrustedInstaller.exeC:\Windows\system32\SearchFilterHost.exeC:\Windows\system32\conhost.exeC:\Windows\system32\svchost.exe -k DcomLaunchC:\Windows\system32\svchost.exe -k RPCSSC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestrictedC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestrictedC:\Windows\system32\svchost.exe -k LocalServiceC:\Windows\system32\svchost.exe -k netsvcsC:\Windows\system32\svchost.exe -k GPSvcGroupC:\Windows\system32\svchost.exe -k NetworkServiceC:\Windows\system32\svchost.exe -k LocalServiceNoNetworkC:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonationC:\Windows\system32\svchost.exe -k imgsvcC:\Windows\System32\svchost.exe -k LocalServicePeerNet.============== Pseudo HJT Report ===============.uProxyOverride = <local>BHO: Groove GFS Browser Helper: {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - c:\program files\microsoft office\office14\GROOVEEX.DLLBHO: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - c:\program files\microsoft office\office14\URLREDIR.DLLuRun: [DELL Webcam Manager] "c:\program files\dell\dell webcam manager\DellWMgr.exe" /suRun: [Akamai NetSession Interface] "c:\users\boo\appdata\local\akamai\netsession_win.exe"uRun: [sidebar] c:\program files\windows sidebar\sidebar.exe /autoRunmRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkeymRun: [synTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exemRun: [igfxTray] c:\windows\system32\igfxtray.exemRun: [HotKeysCmds] c:\windows\system32\hkcmd.exemRun: [Persistence] c:\windows\system32\igfxpers.exemRun: [OEM02Mon.exe] c:\windows\OEM02Mon.exemRun: [bCSSync] "c:\program files\microsoft office\office14\BCSSync.exe" /DelayServicesmRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe"mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottimemRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"mRunOnce: [Malwarebytes Anti-Malware] c:\program files\malwarebytes' anti-malware\mbamgui.exe /install /silentdRunOnce: [sPReview] "c:\windows\system32\spreview\SPReview.exe" /sp:1 /errorfwlink:"http://go.microsoft.com/fwlink/?LinkID=122915" /build:7601dRunOnce: [spUninstallDeleteDir] rmdir /s /q "\SearchProtect"mPolicies-System: ConsentPromptBehaviorAdmin = dword:5mPolicies-System: ConsentPromptBehaviorUser = dword:3mPolicies-System: EnableUIADesktopToggle = dword:0IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office14\EXCEL.EXE/3000IE: Se&nd to OneNote - c:\progra~1\micros~3\office14\ONBttnIE.dll/105IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\program files\microsoft office\office14\ONBttnIE.dllIE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - c:\program files\microsoft office\office14\ONBttnIELinkedNotes.dllTCP: NameServer = 192.168.0.1TCP: Interfaces\{69865A12-E19F-41B4-BCF4-268341ACE47E} : DHCPNameServer = 64.59.176.13 64.59.177.226TCP: Interfaces\{80EF980A-5A76-49F0-A178-93B5D7F68C6F} : DHCPNameServer = 64.59.176.13 64.59.177.226TCP: Interfaces\{93EEF87A-84A5-4E96-922A-9F7EDBD78062} : DHCPNameServer = 192.168.0.1TCP: Interfaces\{93EEF87A-84A5-4E96-922A-9F7EDBD78062}\635483031324 : DHCPNameServer = 64.59.176.13 64.59.177.226Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - c:\program files\common files\microsoft shared\office14\MSOXMLMF.DLLNotify: igfxcui - igfxdev.dllAppInit_DLLs= c:\progra~1\searchprotect\searchprotect\bin\spvc32loader.dll c:\progra~2\browse~1\browse~1.dllSSODL: WebCheck - <orphaned>SEH: Groove GFS Stub Execution Hook - {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - c:\program files\microsoft office\office14\GROOVEEX.DLL.================= FIREFOX ===================.FF - ProfilePath - c:\users\boo\appdata\roaming\mozilla\firefox\profiles\os5fki2v.default\FF - prefs.js: browser.search.selectedEngine - BingFF - plugin: c:\progra~1\micros~3\office14\NPAUTHZ.DLLFF - plugin: c:\progra~1\micros~3\office14\NPSPWRAP.DLLFF - plugin: c:\program files\adobe\reader 11.0\reader\air\nppdf32.dllFF - plugin: c:\windows\system32\macromed\flash\NPSWF32_12_0_0_44.dll.============= SERVICES / DRIVERS ===============.R0 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2013-9-27 214696]R2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2009-8-18 176128]R2 CltMngSvc;Search Protect by Conduit Service;c:\progra~1\searchprotect\main\bin\CltMngSvc.exe [2014-2-6 2360608]R2 MBAMScheduler;MBAMScheduler;c:\program files\malwarebytes' anti-malware\mbamscheduler.exe [2014-2-24 418376]R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2014-2-24 701512]R2 NisDrv;Microsoft Network Inspection System;c:\windows\system32\drivers\NisDrvWFP.sys [2013-1-20 104768]R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2014-2-24 22856]R3 NisSrv;Microsoft Network Inspection;c:\program files\microsoft security client\NisSrv.exe [2013-10-23 280288]R3 SrvHsfHDA;SrvHsfHDA;c:\windows\system32\drivers\VSTAZL3.SYS [2009-7-13 207360]R3 SrvHsfV92;SrvHsfV92;c:\windows\system32\drivers\VSTDPV3.SYS [2009-7-13 980992]R3 SrvHsfWinac;SrvHsfWinac;c:\windows\system32\drivers\VSTCNXT3.SYS [2009-7-13 661504]S2 2db04d42;Browser Stabilizer;c:\windows\system32\rundll32.exe [2009-7-13 44544]S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]S3 IEEtwCollectorService;Internet Explorer ETW Collector Service;c:\windows\system32\ieetwcollector.exe [2014-2-12 108032]S3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys [2013-6-1 14848]S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\drivers\Rt86win7.sys [2009-3-1 139776]S3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\TsUsbFlt.sys [2013-6-1 49664]S3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\wat\WatAdminSvc.exe [2013-5-19 1343400].=============== Created Last 30 ================.2014-02-24 17:22:34 62576 ----a-w- c:\programdata\microsoft\microsoft antimalware\definition updates\{efd11a60-c2eb-4fac-b600-ce086acfb7b7}\offreg.dll2014-02-24 17:21:15 765968 ----a-w- c:\programdata\microsoft\microsoft antimalware\definition updates\{0b883dcd-2f6e-4dc7-b621-4b2b6f5c0516}\gapaengine.dll2014-02-24 17:15:38 7947048 ----a-w- c:\programdata\microsoft\microsoft antimalware\definition updates\{efd11a60-c2eb-4fac-b600-ce086acfb7b7}\mpengine.dll2014-02-24 17:06:56 22856 ----a-w- c:\windows\system32\drivers\mbam.sys2014-02-24 17:02:46 719224 ----a-w- c:\programdata\microsoft\microsoft antimalware\definition updates\{c819261a-b380-2719-df8c-8f9d7a70b444}\GapaEngine.dll2014-02-24 17:02:00 7760024 ------w- c:\programdata\microsoft\microsoft antimalware\definition updates\backup\mpengine.dll2014-02-24 14:47:19 -------- d-----w- c:\program files\Malwarebytes Secure Backup2014-02-23 21:10:20 -------- d-----w- c:\users\boo\appdata\roaming\Malwarebytes2014-02-23 21:10:04 -------- d-----w- c:\programdata\Malwarebytes2014-02-23 21:10:01 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware2014-02-12 16:41:11 251392 ----a-w- c:\program files\internet explorer\IEShims.dll2014-02-12 16:40:58 4244480 ----a-w- c:\windows\system32\jscript9.dll2014-02-12 16:15:01 454656 ----a-w- c:\windows\system32\vbscript.dll2014-02-12 15:28:19 1237504 ----a-w- c:\windows\system32\msxml3.dll2014-02-12 15:28:18 2048 ----a-w- c:\windows\system32\msxml3r.dll2014-02-12 15:28:16 3419136 ----a-w- c:\windows\system32\d2d1.dll2014-02-12 15:28:16 1987584 ----a-w- c:\windows\system32\d3d10warp.dll2014-02-12 15:27:58 594944 ----a-w- c:\windows\system32\RMActivate_isv.exe2014-02-12 15:27:57 572416 ----a-w- c:\windows\system32\RMActivate.exe2014-02-12 15:27:57 510976 ----a-w- c:\windows\system32\RMActivate_ssp.exe2014-02-12 15:27:57 508928 ----a-w- c:\windows\system32\RMActivate_ssp_isv.exe2014-02-12 15:27:57 423936 ----a-w- c:\windows\system32\secproc_isv.dll2014-02-12 15:27:56 87040 ----a-w- c:\windows\system32\secproc_ssp.dll2014-02-12 15:27:56 428032 ----a-w- c:\windows\system32\secproc.dll2014-02-12 15:27:56 390144 ----a-w- c:\windows\system32\msdrm.dll2014-02-12 15:27:55 87040 ----a-w- c:\windows\system32\secproc_ssp_isv.dll2014-02-03 14:59:22 -------- d-----w- c:\programdata\73a340fb195c717c2014-02-03 14:59:20 -------- d-----w- c:\programdata\UtubeAdRemOvael2014-02-03 14:59:17 -------- d-----w- c:\programdata\cnddgachlnoljencgaapagmpbahdkmpe2014-01-29 17:33:51 -------- d-----w- c:\program files\iPod2014-01-29 17:33:48 -------- d-----w- c:\programdata\188F1432-103A-4ffb-80F1-36B633C5C9E12014-01-29 17:33:48 -------- d-----w- c:\program files\iTunes.==================== Find3M ====================.2014-02-24 17:19:42 71048 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl2014-02-24 17:19:42 692616 ----a-w- c:\windows\system32\FlashPlayerApp.exe2014-02-06 10:20:26 2724864 ----a-w- c:\windows\system32\mshtml.tlb2014-02-06 10:19:55 4096 ----a-w- c:\windows\system32\ieetwcollectorres.dll2014-02-06 10:01:36 61952 ----a-w- c:\windows\system32\iesetup.dll2014-02-06 10:00:46 51200 ----a-w- c:\windows\system32\ieetwproxystub.dll2014-02-06 09:47:22 112128 ----a-w- c:\windows\system32\ieUnatt.exe2014-02-06 09:47:18 108032 ----a-w- c:\windows\system32\ieetwcollector.exe2014-02-06 09:46:27 553472 ----a-w- c:\windows\system32\jscript9diag.dll2014-02-06 09:09:30 1964032 ----a-w- c:\windows\system32\inetcpl.cpl2014-02-06 08:41:35 1820160 ----a-w- c:\windows\system32\wininet.dll2014-01-19 07:32:23 231584 ------w- c:\windows\system32\MpSigStub.exe2013-11-27 01:14:25 258560 ----a-w- c:\windows\system32\drivers\usbhub.sys2013-11-27 01:13:46 284672 ----a-w- c:\windows\system32\drivers\usbport.sys2013-11-27 01:13:44 76288 ----a-w- c:\windows\system32\drivers\usbccgp.sys2013-11-27 01:13:41 43520 ----a-w- c:\windows\system32\drivers\usbehci.sys2013-11-27 01:13:38 20480 ----a-w- c:\windows\system32\drivers\usbohci.sys2013-11-27 01:13:36 24064 ----a-w- c:\windows\system32\drivers\usbuhci.sys2013-11-27 01:13:33 6016 ----a-w- c:\windows\system32\drivers\usbd.sys.============= FINISH: 11:24:44.61 =============== .UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.IF REQUESTED, ZIP IT UP & ATTACH IT.DDS (Ver_2012-11-20.01).Microsoft Windows 7 UltimateBoot Device: \Device\HarddiskVolume1Install Date: 5/18/2013 1:48:19 AMSystem Uptime: 2/24/2014 11:01:36 AM (0 hours ago).Motherboard: Dell Inc. | | Processor: Intel® Core2 Duo CPU T5250 @ 1.50GHz | Microprocessor | 1500/166mhz.==== Disk Partitions =========================.C: is FIXED (NTFS) - 149 GiB total, 86.995 GiB free.D: is CDROM ().==== Disabled Device Manager Items =============.==== System Restore Points ===================.RP86: 1/15/2014 3:08:45 PM - Windows UpdateRP87: 1/18/2014 6:41:15 PM - Windows UpdateRP88: 1/21/2014 6:55:33 PM - Windows UpdateRP89: 1/25/2014 9:44:08 AM - Windows UpdateRP90: 1/29/2014 11:29:09 AM - Windows UpdateRP91: 2/3/2014 8:49:48 AM - Windows UpdateRP92: 2/6/2014 10:14:03 AM - Windows UpdateRP93: 2/10/2014 12:18:21 PM - Windows UpdateRP94: 2/12/2014 10:13:06 AM - Windows UpdateRP95: 2/15/2014 6:07:45 PM - Windows UpdateRP96: 2/19/2014 5:07:16 PM - Windows UpdateRP97: 2/22/2014 1:29:58 PM - Windows UpdateRP98: 2/23/2014 1:17:49 PM - Windows UpdateRP99: 2/24/2014 8:46:50 AM - Installed Malwarebytes Secure BackupRP100: 2/24/2014 11:14:28 AM - Windows Update.==== Installed Programs ======================.Adobe Flash Player 12 ActiveXAdobe Flash Player 12 PluginAdobe Reader XI (11.0.06)Advanced Audio FX EngineAdvanced Video FX EngineAkamai NetSession InterfaceApple Application SupportApple Mobile Device SupportApple Software UpdateAVS Update Manager 1.0AVS Video Converter 8AVS4YOU Software Navigator 1.4BonjourBrowser StabilizerDefinition Update for Microsoft Office 2010 (KB982726) 32-Bit EditionDELL Webcam CenterDELL Webcam ManagerDVD Shrink 3.2HP Product DetectioniCloudIntel® Graphics Media Accelerator DriverIntel® TV WizardiTunesLaptop Integrated Webcam Driver (1.04.01.1011) Live! Cam Avatar CreatorLive! Cam Avatar v1.0Malwarebytes Anti-Malware version 1.75.0.1300Microsoft .NET Framework 4 Client ProfileMicrosoft Office Access MUI (English) 2010Microsoft Office Access Setup Metadata MUI (English) 2010Microsoft Office Excel MUI (English) 2010Microsoft Office Groove MUI (English) 2010Microsoft Office InfoPath MUI (English) 2010Microsoft Office OneNote MUI (English) 2010Microsoft Office Outlook MUI (English) 2010Microsoft Office PowerPoint MUI (English) 2010Microsoft Office Professional Plus 2010Microsoft Office Proof (English) 2010Microsoft Office Proof (French) 2010Microsoft Office Proof (Spanish) 2010Microsoft Office Proofing (English) 2010Microsoft Office Publisher MUI (English) 2010Microsoft Office Shared MUI (English) 2010Microsoft Office Shared Setup Metadata MUI (English) 2010Microsoft Office Word MUI (English) 2010Microsoft Security ClientMicrosoft Security EssentialsMicrosoft Visual C++ 2005 RedistributableMozilla Firefox 27.0.1 (x86 en-US)Mozilla Maintenance ServiceQuickTimeRICOH Media Driver ver.2.10.01.01RICOH R5U8xx Media Driver ver.3.63.02saffE saveSearch ProtectSecurity Update for Microsoft .NET Framework 4 Client Profile (KB2604121)Security Update for Microsoft .NET Framework 4 Client Profile (KB2656351)Security Update for Microsoft .NET Framework 4 Client Profile (KB2729449)Security Update for Microsoft .NET Framework 4 Client Profile (KB2737019)Security Update for Microsoft .NET Framework 4 Client Profile (KB2742595)Security Update for Microsoft .NET Framework 4 Client Profile (KB2789642)Security Update for Microsoft .NET Framework 4 Client Profile (KB2804576)Security Update for Microsoft .NET Framework 4 Client Profile (KB2835393)Security Update for Microsoft .NET Framework 4 Client Profile (KB2840628)Security Update for Microsoft .NET Framework 4 Client Profile (KB2840628v2)Security Update for Microsoft .NET Framework 4 Client Profile (KB2858302v2)Security Update for Microsoft .NET Framework 4 Client Profile (KB2898855v2)Security Update for Microsoft .NET Framework 4 Client Profile (KB2901110v2)Security Update for Microsoft Excel 2010 (KB2826033) 32-Bit EditionSecurity Update for Microsoft Office 2010 (KB2553284) 32-Bit EditionSecurity Update for Microsoft Office 2010 (KB2687423) 32-Bit EditionSecurity Update for Microsoft Office 2010 (KB2826023) 32-Bit EditionSecurity Update for Microsoft Office 2010 (KB2826035) 32-Bit EditionSecurity Update for Microsoft Office 2010 (KB2850016) 32-Bit EditionService Pack 2 for Microsoft Office 2010 (KB2687455) 32-Bit EditionSynaptics Pointing Device DriverUpdate for Microsoft .NET Framework 4 Client Profile (KB2468871)Update for Microsoft .NET Framework 4 Client Profile (KB2533523)Update for Microsoft .NET Framework 4 Client Profile (KB2600217)Update for Microsoft .NET Framework 4 Client Profile (KB2836939)Update for Microsoft .NET Framework 4 Client Profile (KB2836939v3)Update for Microsoft Access 2010 (KB2553446) 32-Bit EditionUpdate for Microsoft Filter Pack 2.0 (KB2810071) 32-Bit EditionUpdate for Microsoft InfoPath 2010 (KB2817369) 32-Bit EditionUpdate for Microsoft InfoPath 2010 (KB2817396) 32-Bit EditionUpdate for Microsoft Office 2010 (KB2589298) 32-Bit EditionUpdate for Microsoft Office 2010 (KB2589352) 32-Bit EditionUpdate for Microsoft Office 2010 (KB2589375) 32-Bit EditionUpdate for Microsoft Office 2010 (KB2597087) 32-Bit EditionUpdate for Microsoft Office 2010 (KB2760598) 32-Bit EditionUpdate for Microsoft Office 2010 (KB2760631) 32-Bit EditionUpdate for Microsoft Office 2010 (KB2794737) 32-Bit EditionUpdate for Microsoft Office 2010 (KB2825640) 32-Bit EditionUpdate for Microsoft Office 2010 (KB2837583) 32-Bit EditionUpdate for Microsoft Office 2010 (KB2850079) 32-Bit EditionUpdate for Microsoft OneNote 2010 (KB2837595) 32-Bit EditionUpdate for Microsoft Outlook 2010 (KB2687567) 32-Bit EditionUpdate for Microsoft PowerPoint 2010 (KB2553145) 32-Bit EditionUpdate for Microsoft PowerPoint 2010 (KB2775360) 32-Bit EditionUpdate for Microsoft SharePoint Workspace 2010 (KB2760601) 32-Bit EditionUpdate for Microsoft Visio Viewer 2010 (KB2810066) 32-Bit EditionUpdate for Microsoft Word 2010 (KB2837593) 32-Bit EditionUtubeAdRemOvaelWinRAR 4.00 (32-bit).==== Event Viewer Messages From Past Week ========.2/24/2014 11:02:36 AM, Error: Service Control Manager [7009] - A timeout was reached (30000 milliseconds) while waiting for the Browser Stabilizer service to connect.2/23/2014 1:04:54 PM, Error: Service Control Manager [7022] - The Windows Update service hung on starting.2/22/2014 3:01:49 PM, Error: Disk [11] - The driver detected a controller error on \Device\Harddisk1\DR1.2/18/2014 2:51:21 PM, Error: Microsoft Antimalware [2001] - Microsoft Antimalware has encountered an error trying to update signatures. New Signature Version: Previous Signature Version: 1.165.4167.0 Update Source: Microsoft Update Server Update Stage: Install Source Path: http://www.microsoft.com Signature Type: AntiVirus Update Type: Full User: NT AUTHORITY\SYSTEM Current Engine Version: Previous Engine Version: 1.1.10201.0 Error code: 0x8024001e Error description: An unexpected problem occurred while checking for updates. For information on installing or troubleshooting updates, see Help and Support.2/18/2014 2:11:57 PM, Error: Microsoft Antimalware [2001] - Microsoft Antimalware has encountered an error trying to update signatures. New Signature Version: Previous Signature Version: 1.165.4167.0 Update Source: Microsoft Update Server Update Stage: Download Source Path: http://www.microsoft.com Signature Type: AntiVirus Update Type: Full User: NT AUTHORITY\SYSTEM Current Engine Version: Previous Engine Version: 1.1.10201.0 Error code: 0x8024001e Error description: An unexpected problem occurred while checking for updates. For information on installing or troubleshooting updates, see Help and Support.2/18/2014 2:11:57 PM, Error: Microsoft Antimalware [2001] - Microsoft Antimalware has encountered an error trying to update signatures. New Signature Version: Previous Signature Version: 1.165.4167.0 Update Source: Microsoft Update Server Update Stage: Download Source Path: http://www.microsoft.com Signature Type: AntiVirus Update Type: Full User: NT AUTHORITY\SYSTEM Current Engine Version: Previous Engine Version: 1.1.10201.0 Error code: 0x8024001e Error description: An unexpected problem occurred while checking for updates. For information on installing or troubleshooting updates, see Help and Support..==== End Of File =========================== Link to post Share on other sites More sharing options...
MrCharlie Posted February 24, 2014 ID:795887 Share Posted February 24, 2014 Welcome to the forum.Please uninstall Search Protect from your add/remove programs.Then........Please download and run RogueKiller 32 Bit to your desktop.RogueKiller 64 Bit <---use this one for 64 bit systemsWhich system am I using?Quit all running programs.For Windows XP, double-click to start.For Vista or Windows 7-8, do a right-click on the program, select Run as Administrator to start, & when prompted Allow to run.Click Scan to scan the system.When the scan completes > Close out the program > Don't Fix anything!Don't run any other options, they're not all bad!!!!!!!Post back the report which should be located on your desktop.(please don't put logs in code or quotes and use the default font)General Forum P2P/Piracy Warning:1. If you're using Peer 2 Peer software such uTorrent, BitTorrent or similar you must either fully uninstall it or completely disable it from running while being assisted here.Failure to remove or disable such software will result in your topic being closed and no further assistance being provided.2. If you have illegal/cracked software, cracks, keygens, custom (Adobe) host file, etc. on the system, please remove or uninstall them now and read the policy on Piracy.Failure to remove such software will result in your topic being closed and no further assistance being provided.MrCNote:Please read all of my instructions completely including these.Make sure system restore is turned on and running, please create a new restore pointMake sure you're subscribed to this topic: Click on the Follow This Topic Button (at the top right of this page), make sure that the Receive notification box is checked and that it is set to InstantlyRemoving malware can be unpredictable...unlikely but things can go very wrong! Backup any files that cannot be replaced. You can copy them to a CD/DVD, external drive or a pen drive<+>Please don't run any other scans, download, install or uninstall any programs while I'm working with you.<+>The removal of malware isn't instantaneous, please be patient.<+>When we are done, I'll give to instructions on how to cleanup all the tools and logs<+>Please stick with me until I give you the "all clear" and Please don't waste my time by leaving before that.------->Your topic will be closed if you haven't replied within 3 days!<--------(If I don't respond within 24 hours, please send me a PM) Link to post Share on other sites More sharing options...
trich13 Posted February 24, 2014 Author ID:795898 Share Posted February 24, 2014 Does it take very long to uninstall Search Protect? I'm trying but it doesn't look like anything is happening. I get a pop up saying please wait until current program is finished uninstalling or being changed. I've removed programs before and recall seeing a box showing activity. Link to post Share on other sites More sharing options...
MrCharlie Posted February 24, 2014 ID:795900 Share Posted February 24, 2014 OK, just skip it and move on to RogueKiller. MrC Link to post Share on other sites More sharing options...
trich13 Posted February 24, 2014 Author ID:795906 Share Posted February 24, 2014 RogueKiller V8.8.9 [Feb 24 2014] by Tigzymail : tigzyRK<at>gmail<dot>comFeedback : http://forum.adlice.comWebsite : http://www.adlice.com/softwares/roguekiller/Blog : http://www.adlice.comOperating System : Windows 7 (6.1.7601 Service Pack 1) 32 bits versionStarted in : Normal modeUser : Boo [Admin rights]Mode : Scan -- Date : 02/24/2014 13:08:46| ARK || FAK || MBR |¤¤¤ Bad processes : 1 ¤¤¤[sUSP PATH] Au_.exe -- C:\Users\Boo\AppData\Local\Temp\~nsu.tmp\Au_.exe [7] -> KILLED [TermProc]¤¤¤ Registry Entries : 5 ¤¤¤[HJ DESK][PUM] HKCU\[...]\ClassicStartMenu : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND[HJ DESK][PUM] HKCU\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND[HJ DESK][PUM] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND[HJ DESK][PUM] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND[APPINIT][sUSP PATH] HKLM\[...]\Windows : AppInit_DLLs (C:\PROGRA~1\SearchProtect\SearchProtect\bin\SPVC32Loader.dll c:\progra~2\browse~1\browse~1.dll [7][-]) -> FOUND¤¤¤ Scheduled tasks : 0 ¤¤¤¤¤¤ Startup Entries : 0 ¤¤¤¤¤¤ Web browsers : 0 ¤¤¤¤¤¤ Browser Addons : 0 ¤¤¤¤¤¤ Particular Files / Folders: ¤¤¤¤¤¤ Driver : [LOADED] ¤¤¤¤¤¤ External Hives: ¤¤¤¤¤¤ Infection : ¤¤¤¤¤¤ HOSTS File: ¤¤¤--> %SystemRoot%\System32\drivers\etc\hosts¤¤¤ MBR Check: ¤¤¤+++++ PhysicalDrive0: (\\.\PHYSICALDRIVE0 @ IDE) Hitachi HTS542516K9SA00 ATA Device +++++--- User ---[MBR] 16faca6b1674e58aa1e4c5f13b55f698[bSP] 30c3d00eaa9c3d282a0ed75b98f4e042 : Windows 7/8 MBR CodePartition table:0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 100 Mo1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 206848 | Size: 152525 MoUser = LL1 ... OK!User = LL2 ... OK!Finished : << RKreport[0]_S_02242014_130846.txt >> Link to post Share on other sites More sharing options...
MrCharlie Posted February 24, 2014 ID:795918 Share Posted February 24, 2014 Run RogueKiller again and click Scan When the scan completes > click on the Registry tab Put a check next to all of these and uncheck the rest: (if found) [APPINIT][sUSP PATH] HKLM\[...]\Windows : AppInit_DLLs (C:\PROGRA~1\SearchProtect\SearchProtect\bin\SPVC32Loader.dll c:\progra~2\browse~1\browse~1.dll [7][-]) -> FOUND Now click Delete on the right hand column under Options ------------- Then....... Please read the directions carefully so you don't end up deleting something that is good!! If in doubt about an entry....please ask or choose Skip!!!! Don't Delete anything unless instructed to! If you get the warning about a file UnsignedFile.Multi.Generic or LockedFile.Multi.Generic please choose Skip and click on Continue If a suspicious object is detected, the default action will be Skip, click on Continue Please note that TDSSKiller can be run in safe mode if needed. Please download the latest version of TDSSKiller from HERE and save it to your Desktop.Doubleclick on TDSSKiller.exe to run the application, then click on Change parameters. Put a checkmark beside loaded modules. A reboot will be needed to apply the changes. Do it.TDSSKiller will launch automatically after the reboot. Also your computer may seem very slow and unusable. This is normal. Give it enough time to load your background programs.Then click on Change parameters in TDSSKiller.Check all boxes then click OK. Click the Start Scan button. The scan should take no longer than 2 minutes.If a suspicious object is detected, the default action will be Skip, click on Continue. Any entries like this: \Device\Harddisk0\DR0 ( TDSS File System ) - please choose Skip. If in doubt about an entry....please ask or choose SkipIf malicious objects are found, they will show in the Scan results - Select action for found objects and offer three options. Ensure Cure (default) is selected, then click Continue > Reboot now to finish the cleaning process. Note: If Cure is not available, please choose Skip instead, do not choose Delete unless instructed.A report will be created in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here. There may be 3 logs > so post or attach all of them.Sometimes these logs can be very large, in that case please attach it or zip it up and attach it.Here's a summary of what to do if you would like to print it out: If in doubt about an entry....please ask or choose Skip Don't Delete anything unless instructed to! If a suspicious object is detected, the default action will be Skip, click on Continue If you get the warning about a file UnsignedFile.Multi.Generic or LockedFile.Multi.Generic please choose Skip and click on Continue Any entries like this: \Device\Harddisk0\DR0 ( TDSS File System ) - please choose Skip. If malicious objects are found, they will show in the Scan results and offer three (3) options. Ensure Cure is selected, then click Continue => Reboot now to finish the cleaning process. Note: If Cure is not available, please choose Skip instead, do not choose Delete unless instructed. ~~~~~~~~~~~~~~~~~~~~ You can attach the logs if they're too long: Bottom right corner of this page. New window that comes up. Last: Please download and run ComboFix. The most important things to remember when running it is to disable all your malware programs and run Combofix from your desktop. Please visit this webpage for download links, and instructions for running ComboFix http://www.bleepingcomputer.com/combofix/how-to-use-combofix Please make sure you click download buttons that look similar to this, not "sponsored ad links": Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix. Information on disabling your malware programs can be found Here. Make sure you run ComboFix from your desktop. Give it at least 30-45 minutes to finish if needed. Please include the C:\ComboFix.txt in your next reply for further review. ---------->NOTE<----------If you get the message Illegal operation attempted on registry key that has been marked for deletion after you run ComboFix....please reboot the computer, this should resolve the problem. You may have to do this several times if needed. MrC Link to post Share on other sites More sharing options...
trich13 Posted February 24, 2014 Author ID:795990 Share Posted February 24, 2014 I couldn't find a report folder in my root directory. Only a folder that said TDSSKiller Quarentine. Didn't know if that was it, or if I should attach that one. I got a report from the program itself. Not sure if that's what you need though. I also noticed a Search Protect folder there. Is it supposed to still be there? I'm sorry. I'm doing my best to follow instructions, but I'm not very knowledgeable with computers. 15:54:06.0778 0x0f64 TDSS rootkit removing tool 3.0.0.23 Feb 10 2014 23:32:4115:54:08.0791 0x0f64 ============================================================15:54:08.0791 0x0f64 Current date / time: 2014/02/24 15:54:08.079115:54:08.0791 0x0f64 SystemInfo:15:54:08.0791 0x0f64 15:54:08.0791 0x0f64 OS Version: 6.1.7601 ServicePack: 1.015:54:08.0791 0x0f64 Product type: Workstation15:54:08.0791 0x0f64 ComputerName: COLTSFAN15:54:08.0791 0x0f64 UserName: Boo15:54:08.0791 0x0f64 Windows directory: C:\Windows15:54:08.0791 0x0f64 System windows directory: C:\Windows15:54:08.0791 0x0f64 Processor architecture: Intel x8615:54:08.0791 0x0f64 Number of processors: 215:54:08.0791 0x0f64 Page size: 0x100015:54:08.0791 0x0f64 Boot type: Normal boot15:54:08.0791 0x0f64 ============================================================15:54:08.0791 0x0f64 BG loaded15:54:11.0318 0x0f64 System UUID: {4885564A-127F-5524-848F-D4F7A87EF5FB}15:54:15.0078 0x0f64 Drive \Device\Harddisk0\DR0 - Size: 0x25433D6000 (149.05 Gb), SectorSize: 0x200, Cylinders: 0x4C01, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x0000005015:54:15.0234 0x0f64 ============================================================15:54:15.0234 0x0f64 \Device\Harddisk0\DR0:15:54:15.0234 0x0f64 MBR partitions:15:54:15.0234 0x0f64 \Device\Harddisk0\DR0\Partition1: MBR, Type 0x7, StartLBA 0x800, BlocksNum 0x3200015:54:15.0234 0x0f64 \Device\Harddisk0\DR0\Partition2: MBR, Type 0x7, StartLBA 0x32800, BlocksNum 0x129E680015:54:15.0234 0x0f64 ============================================================15:54:15.0280 0x0f64 C: <-> \Device\Harddisk0\DR0\Partition215:54:15.0280 0x0f64 ============================================================15:54:15.0280 0x0f64 Initialize success15:54:15.0280 0x0f64 ============================================================ Link to post Share on other sites More sharing options...
MrCharlie Posted February 24, 2014 ID:796001 Share Posted February 24, 2014 That's one of two logs from TDSSKiller, can you find the other?? Do you remember if it found anything??? MrC Link to post Share on other sites More sharing options...
trich13 Posted February 24, 2014 Author ID:796008 Share Posted February 24, 2014 That quarentine file was the only one I could find. Yes, it found what your reply said it would for Search Protect. I followed your instructions to delete it, cure and reboot. I just don't know where to find the other report. I do recall that after it deleted, it showed "replaced" on the screen in the scan window. I don't know if that means anything. My computer is now saying that my Windows 7 is not a genuine copy. Is that the virus? Link to post Share on other sites More sharing options...
MrCharlie Posted February 24, 2014 ID:796014 Share Posted February 24, 2014 If you're not good with computers I'm going to stop here. See if you can get someone to help you or else you're going to end up with a computer that no longer works! These are powerful programs we run and when run properly things will go smoothly but wrong the incorrect way...there will be problems. MrC Link to post Share on other sites More sharing options...
trich13 Posted February 24, 2014 Author ID:796017 Share Posted February 24, 2014 Oh okay. Thank you for your time. Link to post Share on other sites More sharing options...
MrCharlie Posted February 24, 2014 ID:796019 Share Posted February 24, 2014 Get someone to help you so we can continue, MrC Link to post Share on other sites More sharing options...
MrCharlie Posted February 27, 2014 ID:797155 Share Posted February 27, 2014 How are we doing?? Do you still need help or can I close this post?? MrC Link to post Share on other sites More sharing options...
trich13 Posted February 27, 2014 Author ID:797157 Share Posted February 27, 2014 You can just close the post. I'm still waiting for help. Thank you. Link to post Share on other sites More sharing options...
Recommended Posts