Jump to content
Due to inclement weather in Southwest Florida, our Clearwater support team is offline. Our other offices are available to assist you, however their responses may be delayed. We appreciate your patience and understanding during this time. ×

Infected Laptop


trich13
 Share

Recommended Posts

I started having problems with my laptop over this past weekend. The laptop shut down on it's own and for quite a while I couldn't start Windows 7. Windows ran a start repair and that didn't work. A system restore didn't work. Finally after a memory scan (??) I was able to log on. Microsoft Security Essentials did nothing to fix the problem, so I googled Malware and downloaded the Malwarebytes free. I upgraded to pro this morning. After a couple of full scans, yesterday and today, it seems the laptop is still infected. Things seem to be getting worse. I hope you can help. It said to just copy and paste the info of the dds files so I hope I'm doing this right. Thank you.

 

 

 

DDS (Ver_2012-11-20.01) - NTFS_x86
Internet Explorer: 11.0.9600.16518
Run by Boo at 11:23:15 on 2014-02-24
Microsoft Windows 7 Ultimate   6.1.7601.1.1252.1.1033.18.2038.777 [GMT -6:00]
.
AV: Microsoft Security Essentials *Enabled/Updated* {641105E6-77ED-3F35-A304-765193BCB75F}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Microsoft Security Essentials *Enabled/Updated* {DF70E402-51D7-30BB-99B4-4D23E83BFDE2}
.
============== Running Processes ================
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
c:\Program Files\Microsoft Security Client\MsMpEng.exe
C:\Windows\system32\atiesrxx.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\atieclxx.exe
C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\PROGRA~1\SearchProtect\Main\bin\CltMngSvc.exe
C:\Windows\system32\taskhost.exe
C:\PROGRA~1\SearchProtect\SearchProtect\bin\cltmng.exe
C:\PROGRA~1\SearchProtect\UI\bin\cltmngui.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Microsoft Security Client\msseces.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Windows\OEM02Mon.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\DELL\DELL Webcam Manager\DellWMgr.exe
C:\Users\Boo\AppData\Local\Akamai\netsession_win.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\system32\igfxsrvc.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Users\Boo\AppData\Local\Akamai\netsession_win.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPHELPER.EXE
c:\Program Files\Microsoft Security Client\NisSrv.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\system32\taskeng.exe
c:\Program Files\Microsoft Security Client\MpCmdRun.exe
C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\conhost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k LocalServicePeerNet
.
============== Pseudo HJT Report ===============
.

uProxyOverride = <local>
BHO: Groove GFS Browser Helper: {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - c:\program files\microsoft office\office14\GROOVEEX.DLL
BHO: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - c:\program files\microsoft office\office14\URLREDIR.DLL
uRun: [DELL Webcam Manager] "c:\program files\dell\dell webcam manager\DellWMgr.exe" /s
uRun: [Akamai NetSession Interface] "c:\users\boo\appdata\local\akamai\netsession_win.exe"
uRun: [sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
mRun: [synTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [igfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [OEM02Mon.exe] c:\windows\OEM02Mon.exe
mRun: [bCSSync] "c:\program files\microsoft office\office14\BCSSync.exe" /DelayServices
mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRunOnce: [Malwarebytes Anti-Malware] c:\program files\malwarebytes' anti-malware\mbamgui.exe /install /silent
dRunOnce: [sPReview] "c:\windows\system32\spreview\SPReview.exe" /sp:1 /errorfwlink:"http://go.microsoft.com/fwlink/?LinkID=122915" /build:7601
dRunOnce: [spUninstallDeleteDir] rmdir /s /q "\SearchProtect"
mPolicies-System: ConsentPromptBehaviorAdmin = dword:5
mPolicies-System: ConsentPromptBehaviorUser = dword:3
mPolicies-System: EnableUIADesktopToggle = dword:0
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - c:\progra~1\micros~3\office14\ONBttnIE.dll/105
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\program files\microsoft office\office14\ONBttnIE.dll
IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - c:\program files\microsoft office\office14\ONBttnIELinkedNotes.dll

TCP: NameServer = 192.168.0.1
TCP: Interfaces\{69865A12-E19F-41B4-BCF4-268341ACE47E} : DHCPNameServer = 64.59.176.13 64.59.177.226
TCP: Interfaces\{80EF980A-5A76-49F0-A178-93B5D7F68C6F} : DHCPNameServer = 64.59.176.13 64.59.177.226
TCP: Interfaces\{93EEF87A-84A5-4E96-922A-9F7EDBD78062} : DHCPNameServer = 192.168.0.1
TCP: Interfaces\{93EEF87A-84A5-4E96-922A-9F7EDBD78062}\635483031324 : DHCPNameServer = 64.59.176.13 64.59.177.226
Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - c:\program files\common files\microsoft shared\office14\MSOXMLMF.DLL
Notify: igfxcui - igfxdev.dll
AppInit_DLLs= c:\progra~1\searchprotect\searchprotect\bin\spvc32loader.dll c:\progra~2\browse~1\browse~1.dll
SSODL: WebCheck - <orphaned>
SEH: Groove GFS Stub Execution Hook - {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - c:\program files\microsoft office\office14\GROOVEEX.DLL
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\boo\appdata\roaming\mozilla\firefox\profiles\os5fki2v.default\

FF - prefs.js: browser.search.selectedEngine - Bing


FF - plugin: c:\progra~1\micros~3\office14\NPAUTHZ.DLL
FF - plugin: c:\progra~1\micros~3\office14\NPSPWRAP.DLL
FF - plugin: c:\program files\adobe\reader 11.0\reader\air\nppdf32.dll
FF - plugin: c:\windows\system32\macromed\flash\NPSWF32_12_0_0_44.dll
.
============= SERVICES / DRIVERS ===============
.
R0 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2013-9-27 214696]
R2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2009-8-18 176128]
R2 CltMngSvc;Search Protect by Conduit Service;c:\progra~1\searchprotect\main\bin\CltMngSvc.exe [2014-2-6 2360608]
R2 MBAMScheduler;MBAMScheduler;c:\program files\malwarebytes' anti-malware\mbamscheduler.exe [2014-2-24 418376]
R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2014-2-24 701512]
R2 NisDrv;Microsoft Network Inspection System;c:\windows\system32\drivers\NisDrvWFP.sys [2013-1-20 104768]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2014-2-24 22856]
R3 NisSrv;Microsoft Network Inspection;c:\program files\microsoft security client\NisSrv.exe [2013-10-23 280288]
R3 SrvHsfHDA;SrvHsfHDA;c:\windows\system32\drivers\VSTAZL3.SYS [2009-7-13 207360]
R3 SrvHsfV92;SrvHsfV92;c:\windows\system32\drivers\VSTDPV3.SYS [2009-7-13 980992]
R3 SrvHsfWinac;SrvHsfWinac;c:\windows\system32\drivers\VSTCNXT3.SYS [2009-7-13 661504]
S2 2db04d42;Browser Stabilizer;c:\windows\system32\rundll32.exe [2009-7-13 44544]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]
S3 IEEtwCollectorService;Internet Explorer ETW Collector Service;c:\windows\system32\ieetwcollector.exe [2014-2-12 108032]
S3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys [2013-6-1 14848]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\drivers\Rt86win7.sys [2009-3-1 139776]
S3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\TsUsbFlt.sys [2013-6-1 49664]
S3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\wat\WatAdminSvc.exe [2013-5-19 1343400]
.
=============== Created Last 30 ================
.
2014-02-24 17:22:34    62576    ----a-w-    c:\programdata\microsoft\microsoft antimalware\definition updates\{efd11a60-c2eb-4fac-b600-ce086acfb7b7}\offreg.dll
2014-02-24 17:21:15    765968    ----a-w-    c:\programdata\microsoft\microsoft antimalware\definition updates\{0b883dcd-2f6e-4dc7-b621-4b2b6f5c0516}\gapaengine.dll
2014-02-24 17:15:38    7947048    ----a-w-    c:\programdata\microsoft\microsoft antimalware\definition updates\{efd11a60-c2eb-4fac-b600-ce086acfb7b7}\mpengine.dll
2014-02-24 17:06:56    22856    ----a-w-    c:\windows\system32\drivers\mbam.sys
2014-02-24 17:02:46    719224    ----a-w-    c:\programdata\microsoft\microsoft antimalware\definition updates\{c819261a-b380-2719-df8c-8f9d7a70b444}\GapaEngine.dll
2014-02-24 17:02:00    7760024    ------w-    c:\programdata\microsoft\microsoft antimalware\definition updates\backup\mpengine.dll
2014-02-24 14:47:19    --------    d-----w-    c:\program files\Malwarebytes Secure Backup
2014-02-23 21:10:20    --------    d-----w-    c:\users\boo\appdata\roaming\Malwarebytes
2014-02-23 21:10:04    --------    d-----w-    c:\programdata\Malwarebytes
2014-02-23 21:10:01    --------    d-----w-    c:\program files\Malwarebytes' Anti-Malware
2014-02-12 16:41:11    251392    ----a-w-    c:\program files\internet explorer\IEShims.dll
2014-02-12 16:40:58    4244480    ----a-w-    c:\windows\system32\jscript9.dll
2014-02-12 16:15:01    454656    ----a-w-    c:\windows\system32\vbscript.dll
2014-02-12 15:28:19    1237504    ----a-w-    c:\windows\system32\msxml3.dll
2014-02-12 15:28:18    2048    ----a-w-    c:\windows\system32\msxml3r.dll
2014-02-12 15:28:16    3419136    ----a-w-    c:\windows\system32\d2d1.dll
2014-02-12 15:28:16    1987584    ----a-w-    c:\windows\system32\d3d10warp.dll
2014-02-12 15:27:58    594944    ----a-w-    c:\windows\system32\RMActivate_isv.exe
2014-02-12 15:27:57    572416    ----a-w-    c:\windows\system32\RMActivate.exe
2014-02-12 15:27:57    510976    ----a-w-    c:\windows\system32\RMActivate_ssp.exe
2014-02-12 15:27:57    508928    ----a-w-    c:\windows\system32\RMActivate_ssp_isv.exe
2014-02-12 15:27:57    423936    ----a-w-    c:\windows\system32\secproc_isv.dll
2014-02-12 15:27:56    87040    ----a-w-    c:\windows\system32\secproc_ssp.dll
2014-02-12 15:27:56    428032    ----a-w-    c:\windows\system32\secproc.dll
2014-02-12 15:27:56    390144    ----a-w-    c:\windows\system32\msdrm.dll
2014-02-12 15:27:55    87040    ----a-w-    c:\windows\system32\secproc_ssp_isv.dll
2014-02-03 14:59:22    --------    d-----w-    c:\programdata\73a340fb195c717c
2014-02-03 14:59:20    --------    d-----w-    c:\programdata\UtubeAdRemOvael
2014-02-03 14:59:17    --------    d-----w-    c:\programdata\cnddgachlnoljencgaapagmpbahdkmpe
2014-01-29 17:33:51    --------    d-----w-    c:\program files\iPod
2014-01-29 17:33:48    --------    d-----w-    c:\programdata\188F1432-103A-4ffb-80F1-36B633C5C9E1
2014-01-29 17:33:48    --------    d-----w-    c:\program files\iTunes
.
==================== Find3M  ====================
.
2014-02-24 17:19:42    71048    ----a-w-    c:\windows\system32\FlashPlayerCPLApp.cpl
2014-02-24 17:19:42    692616    ----a-w-    c:\windows\system32\FlashPlayerApp.exe
2014-02-06 10:20:26    2724864    ----a-w-    c:\windows\system32\mshtml.tlb
2014-02-06 10:19:55    4096    ----a-w-    c:\windows\system32\ieetwcollectorres.dll
2014-02-06 10:01:36    61952    ----a-w-    c:\windows\system32\iesetup.dll
2014-02-06 10:00:46    51200    ----a-w-    c:\windows\system32\ieetwproxystub.dll
2014-02-06 09:47:22    112128    ----a-w-    c:\windows\system32\ieUnatt.exe
2014-02-06 09:47:18    108032    ----a-w-    c:\windows\system32\ieetwcollector.exe
2014-02-06 09:46:27    553472    ----a-w-    c:\windows\system32\jscript9diag.dll
2014-02-06 09:09:30    1964032    ----a-w-    c:\windows\system32\inetcpl.cpl
2014-02-06 08:41:35    1820160    ----a-w-    c:\windows\system32\wininet.dll
2014-01-19 07:32:23    231584    ------w-    c:\windows\system32\MpSigStub.exe
2013-11-27 01:14:25    258560    ----a-w-    c:\windows\system32\drivers\usbhub.sys
2013-11-27 01:13:46    284672    ----a-w-    c:\windows\system32\drivers\usbport.sys
2013-11-27 01:13:44    76288    ----a-w-    c:\windows\system32\drivers\usbccgp.sys
2013-11-27 01:13:41    43520    ----a-w-    c:\windows\system32\drivers\usbehci.sys
2013-11-27 01:13:38    20480    ----a-w-    c:\windows\system32\drivers\usbohci.sys
2013-11-27 01:13:36    24064    ----a-w-    c:\windows\system32\drivers\usbuhci.sys
2013-11-27 01:13:33    6016    ----a-w-    c:\windows\system32\drivers\usbd.sys
.
============= FINISH: 11:24:44.61 ===============
 

.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2012-11-20.01)
.
Microsoft Windows 7 Ultimate
Boot Device: \Device\HarddiskVolume1
Install Date: 5/18/2013 1:48:19 AM
System Uptime: 2/24/2014 11:01:36 AM (0 hours ago)
.
Motherboard: Dell Inc. |  |       
Processor: Intel® Core2 Duo CPU     T5250  @ 1.50GHz | Microprocessor | 1500/166mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 149 GiB total, 86.995 GiB free.
D: is CDROM ()
.
==== Disabled Device Manager Items =============
.
==== System Restore Points ===================
.
RP86: 1/15/2014 3:08:45 PM - Windows Update
RP87: 1/18/2014 6:41:15 PM - Windows Update
RP88: 1/21/2014 6:55:33 PM - Windows Update
RP89: 1/25/2014 9:44:08 AM - Windows Update
RP90: 1/29/2014 11:29:09 AM - Windows Update
RP91: 2/3/2014 8:49:48 AM - Windows Update
RP92: 2/6/2014 10:14:03 AM - Windows Update
RP93: 2/10/2014 12:18:21 PM - Windows Update
RP94: 2/12/2014 10:13:06 AM - Windows Update
RP95: 2/15/2014 6:07:45 PM - Windows Update
RP96: 2/19/2014 5:07:16 PM - Windows Update
RP97: 2/22/2014 1:29:58 PM - Windows Update
RP98: 2/23/2014 1:17:49 PM - Windows Update
RP99: 2/24/2014 8:46:50 AM - Installed Malwarebytes Secure Backup
RP100: 2/24/2014 11:14:28 AM - Windows Update
.
==== Installed Programs ======================
.
Adobe Flash Player 12 ActiveX
Adobe Flash Player 12 Plugin
Adobe Reader XI (11.0.06)
Advanced Audio FX Engine
Advanced Video FX Engine
Akamai NetSession Interface
Apple Application Support
Apple Mobile Device Support
Apple Software Update
AVS Update Manager 1.0
AVS Video Converter 8
AVS4YOU Software Navigator 1.4
Bonjour
Browser Stabilizer
Definition Update for Microsoft Office 2010 (KB982726) 32-Bit Edition
DELL Webcam Center
DELL Webcam Manager
DVD Shrink 3.2
HP Product Detection
iCloud
Intel® Graphics Media Accelerator Driver
Intel® TV Wizard
iTunes
Laptop Integrated Webcam Driver (1.04.01.1011)  
Live! Cam Avatar Creator
Live! Cam Avatar v1.0
Malwarebytes Anti-Malware version 1.75.0.1300
Microsoft .NET Framework 4 Client Profile
Microsoft Office Access MUI (English) 2010
Microsoft Office Access Setup Metadata MUI (English) 2010
Microsoft Office Excel MUI (English) 2010
Microsoft Office Groove MUI (English) 2010
Microsoft Office InfoPath MUI (English) 2010
Microsoft Office OneNote MUI (English) 2010
Microsoft Office Outlook MUI (English) 2010
Microsoft Office PowerPoint MUI (English) 2010
Microsoft Office Professional Plus 2010
Microsoft Office Proof (English) 2010
Microsoft Office Proof (French) 2010
Microsoft Office Proof (Spanish) 2010
Microsoft Office Proofing (English) 2010
Microsoft Office Publisher MUI (English) 2010
Microsoft Office Shared MUI (English) 2010
Microsoft Office Shared Setup Metadata MUI (English) 2010
Microsoft Office Word MUI (English) 2010
Microsoft Security Client
Microsoft Security Essentials
Microsoft Visual C++ 2005 Redistributable
Mozilla Firefox 27.0.1 (x86 en-US)
Mozilla Maintenance Service
QuickTime
RICOH Media Driver ver.2.10.01.01
RICOH R5U8xx Media Driver ver.3.63.02
saffE save
Search Protect
Security Update for Microsoft .NET Framework 4 Client Profile (KB2604121)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656351)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2729449)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2737019)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2742595)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2789642)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2804576)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2835393)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2840628)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2840628v2)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2858302v2)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2898855v2)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2901110v2)
Security Update for Microsoft Excel 2010 (KB2826033) 32-Bit Edition
Security Update for Microsoft Office 2010 (KB2553284) 32-Bit Edition
Security Update for Microsoft Office 2010 (KB2687423) 32-Bit Edition
Security Update for Microsoft Office 2010 (KB2826023) 32-Bit Edition
Security Update for Microsoft Office 2010 (KB2826035) 32-Bit Edition
Security Update for Microsoft Office 2010 (KB2850016) 32-Bit Edition
Service Pack 2 for Microsoft Office 2010 (KB2687455) 32-Bit Edition
Synaptics Pointing Device Driver
Update for Microsoft .NET Framework 4 Client Profile (KB2468871)
Update for Microsoft .NET Framework 4 Client Profile (KB2533523)
Update for Microsoft .NET Framework 4 Client Profile (KB2600217)
Update for Microsoft .NET Framework 4 Client Profile (KB2836939)
Update for Microsoft .NET Framework 4 Client Profile (KB2836939v3)
Update for Microsoft Access 2010 (KB2553446) 32-Bit Edition
Update for Microsoft Filter Pack 2.0 (KB2810071) 32-Bit Edition
Update for Microsoft InfoPath 2010 (KB2817369) 32-Bit Edition
Update for Microsoft InfoPath 2010 (KB2817396) 32-Bit Edition
Update for Microsoft Office 2010 (KB2589298) 32-Bit Edition
Update for Microsoft Office 2010 (KB2589352) 32-Bit Edition
Update for Microsoft Office 2010 (KB2589375) 32-Bit Edition
Update for Microsoft Office 2010 (KB2597087) 32-Bit Edition
Update for Microsoft Office 2010 (KB2760598) 32-Bit Edition
Update for Microsoft Office 2010 (KB2760631) 32-Bit Edition
Update for Microsoft Office 2010 (KB2794737) 32-Bit Edition
Update for Microsoft Office 2010 (KB2825640) 32-Bit Edition
Update for Microsoft Office 2010 (KB2837583) 32-Bit Edition
Update for Microsoft Office 2010 (KB2850079) 32-Bit Edition
Update for Microsoft OneNote 2010 (KB2837595) 32-Bit Edition
Update for Microsoft Outlook 2010 (KB2687567) 32-Bit Edition
Update for Microsoft PowerPoint 2010 (KB2553145) 32-Bit Edition
Update for Microsoft PowerPoint 2010 (KB2775360) 32-Bit Edition
Update for Microsoft SharePoint Workspace 2010 (KB2760601) 32-Bit Edition
Update for Microsoft Visio Viewer 2010 (KB2810066) 32-Bit Edition
Update for Microsoft Word 2010 (KB2837593) 32-Bit Edition
UtubeAdRemOvael
WinRAR 4.00 (32-bit)
.
==== Event Viewer Messages From Past Week ========
.
2/24/2014 11:02:36 AM, Error: Service Control Manager [7009]  - A timeout was reached (30000 milliseconds) while waiting for the Browser Stabilizer service to connect.
2/23/2014 1:04:54 PM, Error: Service Control Manager [7022]  - The Windows Update service hung on starting.
2/22/2014 3:01:49 PM, Error: Disk [11]  - The driver detected a controller error on \Device\Harddisk1\DR1.
2/18/2014 2:51:21 PM, Error: Microsoft Antimalware [2001]  - Microsoft Antimalware has encountered an error trying to update signatures.      New Signature Version:       Previous Signature Version: 1.165.4167.0      Update Source: Microsoft Update Server      Update Stage: Install      Source Path: http://www.microsoft.com      Signature Type: AntiVirus      Update Type: Full      User: NT AUTHORITY\SYSTEM      Current Engine Version:       Previous Engine Version: 1.1.10201.0      Error code: 0x8024001e      Error description: An unexpected problem occurred while checking for updates. For information on installing or troubleshooting updates, see Help and Support.
2/18/2014 2:11:57 PM, Error: Microsoft Antimalware [2001]  - Microsoft Antimalware has encountered an error trying to update signatures.      New Signature Version:       Previous Signature Version: 1.165.4167.0      Update Source: Microsoft Update Server      Update Stage: Download      Source Path: http://www.microsoft.com      Signature Type: AntiVirus      Update Type: Full      User: NT AUTHORITY\SYSTEM      Current Engine Version:       Previous Engine Version: 1.1.10201.0      Error code: 0x8024001e      Error description: An unexpected problem occurred while checking for updates. For information on installing or troubleshooting updates, see Help and Support.
2/18/2014 2:11:57 PM, Error: Microsoft Antimalware [2001]  - Microsoft Antimalware has encountered an error trying to update signatures.      New Signature Version:       Previous Signature Version: 1.165.4167.0      Update Source: Microsoft Update Server      Update Stage: Download      Source Path: http://www.microsoft.com      Signature Type: AntiVirus      Update Type: Full      User: NT AUTHORITY\SYSTEM      Current Engine Version:       Previous Engine Version: 1.1.10201.0      Error code: 0x8024001e      Error description: An unexpected problem occurred while checking for updates. For information on installing or troubleshooting updates, see Help and Support.
.
==== End Of File ===========================
 

Link to post
Share on other sites

Welcome to the forum.

Please uninstall Search Protect from your add/remove programs.

Then........

Please download and run RogueKiller 32 Bit to your desktop.

RogueKiller 64 Bit <---use this one for 64 bit systems

Which system am I using?

Quit all running programs.

For Windows XP, double-click to start.
For Vista or Windows 7-8, do a right-click on the program, select Run as Administrator to start, & when prompted Allow to run.


Click Scan to scan the system.
When the scan completes > Close out the program > Don't Fix anything!

Don't run any other options, they're not all bad!!!!!!!

Post back the report which should be located on your desktop.
(please don't put logs in code or quotes and use the default font)

General Forum P2P/Piracy Warning:

1. If you're using Peer 2 Peer software such uTorrent, BitTorrent or similar you must either fully uninstall it or completely disable it from running while being assisted here.
Failure to remove or disable such software will result in your topic being closed and no further assistance being provided.
2. If you have illegal/cracked software, cracks, keygens, custom (Adobe) host file, etc. on the system, please remove or uninstall them now and read the policy on Piracy.
Failure to remove such software will result in your topic being closed and no further assistance being provided.


MrC


Note:
Please read all of my instructions completely including these.

Make sure system restore is turned on and running, please create a new restore point

Make sure you're subscribed to this topic: Click on the Follow This Topic Button (at the top right of this page), make sure that the Receive notification box is checked and that it is set to Instantly


Removing malware can be unpredictable...unlikely but things can go very wrong! Backup any files that cannot be replaced. You can copy them to a CD/DVD, external drive or a pen drive


<+>Please don't run any other scans, download, install or uninstall any programs while I'm working with you.


<+>The removal of malware isn't instantaneous, please be patient.


<+>When we are done, I'll give to instructions on how to cleanup all the tools and logs


<+>Please stick with me until I give you the "all clear" and Please don't waste my time by leaving before that.


------->Your topic will be closed if you haven't replied within 3 days!<--------
(If I don't respond within 24 hours, please send me a PM)

Link to post
Share on other sites

Does it take very long to uninstall Search Protect? I'm trying but it doesn't look like anything is happening. I get a pop up saying please wait until current program is finished uninstalling or being changed. I've removed programs before and recall seeing a box showing activity.  

Link to post
Share on other sites

RogueKiller V8.8.9 [Feb 24 2014] by Tigzy
mail : tigzyRK<at>gmail<dot>com
Feedback : http://forum.adlice.com
Website : http://www.adlice.com/softwares/roguekiller/
Blog : http://www.adlice.com

Operating System : Windows 7 (6.1.7601 Service Pack 1) 32 bits version
Started in : Normal mode
User : Boo [Admin rights]
Mode : Scan -- Date : 02/24/2014 13:08:46
| ARK || FAK || MBR |

¤¤¤ Bad processes : 1 ¤¤¤
[sUSP PATH] Au_.exe -- C:\Users\Boo\AppData\Local\Temp\~nsu.tmp\Au_.exe [7] -> KILLED [TermProc]

¤¤¤ Registry Entries : 5 ¤¤¤
[HJ DESK][PUM] HKCU\[...]\ClassicStartMenu : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND
[HJ DESK][PUM] HKCU\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND
[HJ DESK][PUM] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
[HJ DESK][PUM] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND
[APPINIT][sUSP PATH] HKLM\[...]\Windows : AppInit_DLLs (C:\PROGRA~1\SearchProtect\SearchProtect\bin\SPVC32Loader.dll c:\progra~2\browse~1\browse~1.dll [7][-]) -> FOUND

¤¤¤ Scheduled tasks : 0 ¤¤¤

¤¤¤ Startup Entries : 0 ¤¤¤

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ Browser Addons : 0 ¤¤¤

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [LOADED] ¤¤¤

¤¤¤ External Hives: ¤¤¤

¤¤¤ Infection :  ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
--> %SystemRoot%\System32\drivers\etc\hosts




¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: (\\.\PHYSICALDRIVE0 @ IDE) Hitachi HTS542516K9SA00 ATA Device +++++
--- User ---
[MBR] 16faca6b1674e58aa1e4c5f13b55f698
[bSP] 30c3d00eaa9c3d282a0ed75b98f4e042 : Windows 7/8 MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 100 Mo
1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 206848 | Size: 152525 Mo
User = LL1 ... OK!
User = LL2 ... OK!

Finished : << RKreport[0]_S_02242014_130846.txt >>



 

Link to post
Share on other sites

Run RogueKiller again and click Scan

When the scan completes > click on the Registry tab

Put a check next to all of these and uncheck the rest: (if found)

 

[APPINIT][sUSP PATH] HKLM\[...]\Windows : AppInit_DLLs (C:\PROGRA~1\SearchProtect\SearchProtect\bin\SPVC32Loader.dll c:\progra~2\browse~1\browse~1.dll [7][-]) -> FOUND

Now click Delete on the right hand column under Options

-------------

Then.......

Please read the directions carefully so you don't end up deleting something that is good!!

If in doubt about an entry....please ask or choose Skip!!!!

Don't Delete anything unless instructed to!

If you get the warning about a file UnsignedFile.Multi.Generic or LockedFile.Multi.Generic please choose

Skip and click on Continue

If a suspicious object is detected, the default action will be Skip, click on Continue

Please note that TDSSKiller can be run in safe mode if needed.

Please download the latest version of TDSSKiller from HERE and save it to your Desktop.

  • Doubleclick on TDSSKiller.exe to run the application, then click on Change parameters.

    image000q.png

  • Put a checkmark beside loaded modules.

    2012081514h0118.png

  • A reboot will be needed to apply the changes. Do it.
  • TDSSKiller will launch automatically after the reboot. Also your computer may seem very slow and unusable. This is normal. Give it enough time to load your background programs.
  • Then click on Change parameters in TDSSKiller.
  • Check all boxes then click OK.

    clip.jpg

  • Click the Start Scan button.

    19695967.jpg

  • The scan should take no longer than 2 minutes.
  • If a suspicious object is detected, the default action will be Skip, click on Continue.

    67776163.jpg

    Any entries like this: \Device\Harddisk0\DR0 ( TDSS File System ) - please choose Skip.

    If in doubt about an entry....please ask or choose Skip

  • If malicious objects are found, they will show in the Scan results - Select action for found objects and offer three options.

    Ensure Cure (default) is selected, then click Continue > Reboot now to finish the cleaning process.

    62117367.jpg

    Note: If Cure is not available, please choose Skip instead, do not choose Delete unless instructed.

  • A report will be created in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here. There may be 3 logs > so post or attach all of them.
  • Sometimes these logs can be very large, in that case please attach it or zip it up and attach it.

Here's a summary of what to do if you would like to print it out:

If in doubt about an entry....please ask or choose Skip

Don't Delete anything unless instructed to!

If a suspicious object is detected, the default action will be Skip, click on Continue

If you get the warning about a file UnsignedFile.Multi.Generic or LockedFile.Multi.Generic please choose

Skip and click on Continue

Any entries like this: \Device\Harddisk0\DR0 ( TDSS File System ) - please choose Skip.

If malicious objects are found, they will show in the Scan results and offer three (3) options.

Ensure Cure is selected, then click Continue => Reboot now to finish the cleaning process.

Note: If Cure is not available, please choose Skip instead, do not choose Delete unless instructed.

~~~~~~~~~~~~~~~~~~~~

You can attach the logs if they're too long:

Bottom right corner of this page.

reply1.jpg

New window that comes up.

replyer1.jpg

Last:

Please download and run ComboFix.

The most important things to remember when running it is to disable all your malware programs and run Combofix from your desktop.

Please visit this webpage for download links, and instructions for running ComboFix

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Please make sure you click download buttons that look similar to this, not "sponsored ad links":

bleep-crop.jpg

Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Information on disabling your malware programs can be found Here.

Make sure you run ComboFix from your desktop.

Give it at least 30-45 minutes to finish if needed.

Please include the C:\ComboFix.txt in your next reply for further review.

---------->NOTE<----------

If you get the message Illegal operation attempted on registry key that has been marked for deletion after you run ComboFix....please reboot the computer, this should resolve the problem. You may have to do this several times if needed.

MrC

Link to post
Share on other sites

I couldn't find a report folder in my root directory. Only a folder that said TDSSKiller Quarentine. Didn't know if that was it, or if I should attach that one.  I got a report from the program itself. Not sure if that's what you need though. I also noticed a Search Protect folder there. Is it supposed to still be there? I'm sorry. I'm doing my best to follow instructions, but I'm not very knowledgeable with computers.

 

15:54:06.0778 0x0f64  TDSS rootkit removing tool 3.0.0.23 Feb 10 2014 23:32:41
15:54:08.0791 0x0f64  ============================================================
15:54:08.0791 0x0f64  Current date / time: 2014/02/24 15:54:08.0791
15:54:08.0791 0x0f64  SystemInfo:
15:54:08.0791 0x0f64  
15:54:08.0791 0x0f64  OS Version: 6.1.7601 ServicePack: 1.0
15:54:08.0791 0x0f64  Product type: Workstation
15:54:08.0791 0x0f64  ComputerName: COLTSFAN
15:54:08.0791 0x0f64  UserName: Boo
15:54:08.0791 0x0f64  Windows directory: C:\Windows
15:54:08.0791 0x0f64  System windows directory: C:\Windows
15:54:08.0791 0x0f64  Processor architecture: Intel x86
15:54:08.0791 0x0f64  Number of processors: 2
15:54:08.0791 0x0f64  Page size: 0x1000
15:54:08.0791 0x0f64  Boot type: Normal boot
15:54:08.0791 0x0f64  ============================================================
15:54:08.0791 0x0f64  BG loaded
15:54:11.0318 0x0f64  System UUID: {4885564A-127F-5524-848F-D4F7A87EF5FB}
15:54:15.0078 0x0f64  Drive \Device\Harddisk0\DR0 - Size: 0x25433D6000 (149.05 Gb), SectorSize: 0x200, Cylinders: 0x4C01, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000050
15:54:15.0234 0x0f64  ============================================================
15:54:15.0234 0x0f64  \Device\Harddisk0\DR0:
15:54:15.0234 0x0f64  MBR partitions:
15:54:15.0234 0x0f64  \Device\Harddisk0\DR0\Partition1: MBR, Type 0x7, StartLBA 0x800, BlocksNum 0x32000
15:54:15.0234 0x0f64  \Device\Harddisk0\DR0\Partition2: MBR, Type 0x7, StartLBA 0x32800, BlocksNum 0x129E6800
15:54:15.0234 0x0f64  ============================================================
15:54:15.0280 0x0f64  C: <-> \Device\Harddisk0\DR0\Partition2
15:54:15.0280 0x0f64  ============================================================
15:54:15.0280 0x0f64  Initialize success
15:54:15.0280 0x0f64  ============================================================
 

Link to post
Share on other sites

That quarentine file was the only one I could find. Yes, it found what your reply said it would for Search Protect. I followed your instructions to delete it, cure and reboot. I just don't know where to find the other report. I do recall that after it deleted, it showed "replaced" on the screen in the scan window. I don't know if that means anything. My computer is now saying that my Windows 7 is not a genuine copy. Is that the virus?

Link to post
Share on other sites

If you're  not good with computers I'm going to stop here. See if you can get someone to help you or else you're going to end up with a computer that no longer works!

 

These are powerful programs we run and when run properly things will go smoothly but wrong the incorrect way...there will be problems.

 

MrC

Link to post
Share on other sites

Guest
This topic is now closed to further replies.
 Share

  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.