Infected computer


TedB

Hi.

 

Issue started when mbam wouldn't update or run.

Posted in another forum, ran tests they suggested. Determination was that the computer is infected so I was sent here.

 

I ran DDS, Farbar, and mbam-check. Logs are attached.

 

Only change made to machine since then is:

Was told there were two anti virus programs on the machine. I've left AVG and removed the other using its uninstall tool, then restarted computer.

I can run the tools again if necessary, but this is the only change made.

 

Any help would be greatly appreciated. Thanks!

 

Ted

Addition.txt

FRST.txt

attach.txt

CheckResults.txt

dds.txt


  • Staff

Hello TedB

I would like to welcome you to the Malware Removal section of the forum.

Around here they call me Gringo and I will be glad to help you with your malware problems.

Very Important --> Please read this post completely. I have spent my time to put together some things for you to keep in mind while I am helping you, to make things go easier, faster and smoother for both of us!

  • Please do not run any tools unless instructed to do so.
    • We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.
  • Please do not attach logs or use code boxes, just copy and paste the text.
    • Due to the high volume of logs we receive it helps to receive everything in the same format, and code boxes make the logs very difficult to read. Also, attachments require us to download and open the reports when it is easier to just read the reports in your post.
  • Please read every post completely before doing anything.
    • Pay special attention to the NOTE: lines, these entries identify an individual issue or important step in the cleanup process.
  • Please provide feedback about your experience as we go.
    • A short statement describing how the computer is working helps us understand where to go next, for example: I am still getting redirected, the computer is running normally, etc. Please do not describe the computer as "the same", this requires the extra step of looking back at your previous post.

NOTE: At the top of your post, click on the "Follow This Topic" Button, make sure that the "Receive notification" box is checked and that it is set to "Instantly" - This will send you an e-mail as soon as I reply to your topic, allowing us to resolve the issue faster.

NOTE: Back up any files that cannot be replaced. Removing malware can be unpredictable and this step can save a lot of heartaches if things don't go as planned. You can put them on a CD/DVD, external drive or a pen drive, anywhere except on the computer.

NOTE: It is good practice to copy and paste the instructions into notepad and print them in case it is necessary for you to go offline during the cleanup process. To open notepad, navigate to Start Menu > All Programs > Accessories > Notepad. Please remember to copy the entire post so you do not miss any instructions.

Open notepad. Please copy the contents of the code box below. To do this highlight the contents of the box and right click on it. Paste this into the open notepad. Save it on the flash drive as fixlist.txt

DeleteJunctionsInDirectory: C:\Program Files\Windows Defender
DeleteJunctionsInDirectory: C:\Program Files\Microsoft Security Client
DeleteJunctionsIndirectory: C:\Windows\system64
cmd: Dir /b /a:l "C:\Program Files" /s

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system

Run FRST again like we did before but this time press the Fix button just once and wait.

The tool will make a log on the flash drive (Fixlog.txt); please post it in your reply.

Also boot the computer into normal mode and let me know how things are looking.

Gringo


Hi Gringo,

 

Thanks for the fast reply.

Followed directions and will post log.

Once the computer has rebooted....do I attempt to download and run mbam again?

 

Thanks,

Ted

 

 

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 27-02-2014 02
Ran by Hy-Tech at 2014-02-27 14:01:07 Run:1
Running from G:\
Boot Mode: Normal
==============================================

Content of fixlist:
*****************
DeleteJunctionsInDirectory: C:\Program Files\Windows Defender
DeleteJunctionsInDirectory: C:\Program Files\Microsoft Security Client
DeleteJunctionsIndirectory: C:\Windows\system64
cmd: Dir /b /a:l "C:\Program Files" /s
*****************

"C:\Program Files\Windows Defender" => Deleting reparse point and unlocking started.
"C:\Program Files\Windows Defender" => Deleting reparse point and unlocking completed.
"C:\Program Files\Microsoft Security Client" => Not Found
"C:\Windows\system64" => Deleting reparse point and unlocking started.
"C:\Windows\system64" => Deleting reparse point and unlocking done.
"C:\Windows\system64" => Deleting reparse point and unlocking completed.

=========  Dir /b /a:l "C:\Program Files" /s =========

File Not Found

========= End of CMD: =========


==== End of Fixlog ====


  • Staff

Hello TedB

These are the programs I would like you to run next, if you have any problems with one of these just skip it and move on to the next one.

-AdwCleaner-

Please download AdwCleaner by Xplode onto your desktop.

  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click on Scan.
  • After the scan is complete click on "Clean"
  • Confirm each time with Ok.
  • Your computer will be rebooted automatically. A text file will open after the restart.
  • Please post the content of that logfile with your next answer.
  • You can find the logfile at C:\AdwCleaner[s1].txt as well.

-Junkware-Removal-Tool-

Please download Junkware Removal Tool to your desktop.

  • Shut down your protection software now to avoid potential conflicts.
  • Run the tool by double-clicking it. If you are using Windows Vista, 7, or 8; instead of double-clicking, right-mouse click JRT.exe and select "Run as Administrator".
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete depending on your system's specifications.
  • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
  • Post the contents of JRT.txt into your next message.

When they are complete let me have the two reports and let me know how things are running.

Gringo


Good Morning Gringo,

 

Disabled AVG, ran the programs just as you instructed.

Results are:

 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Thisisu
Version: 6.1.2 (02.20.2014:1)
OS: Windows 7 Home Premium x64
Ran by Hy-Tech on Fri 02/28/2014 at  9:20:14.79
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~




~~~ Services



~~~ Registry Values



~~~ Registry Keys

Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Microsoft\Tracing\msntask_RASAPI32
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Microsoft\Tracing\msntask_RASMANCS
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Tracing\msntask_RASAPI32
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Tracing\msntask_RASMANCS



~~~ Files



~~~ Folders

Successfully deleted: [Folder] "C:\Users\Hy-Tech\AppData\Roaming\getrighttogo"



~~~ FireFox

Emptied folder: C:\Users\Hy-Tech\AppData\Roaming\mozilla\firefox\profiles\8okl92si.default\minidumps [213 files]



~~~ Event Viewer Logs were cleared





~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on Fri 02/28/2014 at  9:26:13.86
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

==================================================================================================

==================================================================================================

 

# AdwCleaner v3.020 - Report created 28/02/2014 at 08:42:30
# Updated 27/02/2014 by Xplode
# Operating System : Windows 7 Home Premium Service Pack 1 (64 bits)
# Username : Hy-Tech - WAREHOUSE
# Running from : C:\Users\Hy-Tech\Desktop\AdwCleaner.exe
# Option : Clean

***** [ Services ] *****

Service Deleted : APNMCP

***** [ Files / Folders ] *****

Folder Deleted : C:\ProgramData\apn
Folder Deleted : C:\ProgramData\AskPartnerNetwork
Folder Deleted : C:\Program Files (x86)\AskPartnerNetwork
Folder Deleted : C:\Users\Hy-Tech\AppData\Local\PackageAware
Folder Deleted : C:\Users\Hy-Tech\AppData\Local\TempDir
Folder Deleted : C:\Users\Hy-Tech\AppData\Local\Temp\apn

***** [ Shortcuts ] *****


***** [ Registry ] *****

Key Deleted : HKLM\SOFTWARE\Classes\AppID\ScriptHelper.EXE
Key Deleted : HKLM\SOFTWARE\Classes\AppID\WLXQuickTimeShellExt.DLL
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\apnstub_RASAPI32
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\apnstub_RASMANCS
Value Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run [ApnTbMon]
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{0A18A436-2A7A-49F3-A488-30538A2F6323}
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{BB711CB0-C70B-482E-9852-EC05EBD71DBB}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{007EFBDF-8A5D-4930-97CC-A4B437CBA777}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{408CFAD9-8F13-4747-8EC7-770A339C7237}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{94496571-6AC5-4836-82D5-D46260C44B17}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{BC9FD17D-30F6-4464-9E53-596A90AFF023}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{DE9028D0-5FFA-4E69-94E3-89EE8741F468}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{03E2A1F3-4402-4121-8B35-733216D61217}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{9E3B11F6-4179-4603-A71B-A55F4BCB0BEC}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{07CAC314-E962-4F78-89AB-DD002F2490EE}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{13ABD093-D46F-40DF-A608-47E162EC799D}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{9C049BA6-EA47-4AC3-AED6-A66D8DC9E1D8}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{F25AF245-4A81-40DC-92F9-E9021F207706}
Value Deleted : HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser [{E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39}]
Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{03E2A1F3-4402-4121-8B35-733216D61217}
Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{9E3B11F6-4179-4603-A71B-A55F4BCB0BEC}
Key Deleted : HKCU\Software\AskPartnerNetwork
Key Deleted : HKCU\Software\IGearSettings
Key Deleted : HKLM\Software\AskPartnerNetwork

***** [ Browsers ] *****

-\\ Internet Explorer v10.0.9200.16798


-\\ Mozilla Firefox v27.0.1 (en-US)

[ File : C:\Users\Hy-Tech\AppData\Roaming\Mozilla\Firefox\Profiles\8okl92si.default\prefs.js ]


[ File : C:\Users\apache2triad.Warehouse-1\AppData\Roaming\Mozilla\Firefox\Profiles\c75z2bt9.default\prefs.js ]


*************************

AdwCleaner[R0].txt - [3237 octets] - [28/02/2014 08:40:40]
AdwCleaner[s0].txt - [3128 octets] - [28/02/2014 08:42:30]

########## EOF - C:\AdwCleaner\AdwCleaner[s0].txt - [3188 octets] ##########
 

 

Thanks again for the help. Let me know if these show anything important.

 

Ted


  • Staff

Hello Ted

I would like you to do the following.

Please print out or make a copy in notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

Run Combofix:

You may be asked to install or update the Recovery Console (Win XP only). If this happens, please allow it to do so (you will need to be connected to the internet for this).

Before you run Combofix I will need you to turn off any security software you have running. If you do not know how to do this you can find out >here< or >here<

Combofix may need to reboot your computer more than once to do its job; this is normal.

You can download Combofix from one of these links. I want you to save it to the desktop and run it from there.

1. Close any open browsers or any other programs that are open.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Double click on combofix.exe & follow the prompts.

When finished, it will produce a report for you.

Note 1: Do not mouse-click Combofix's window while it's running. That may cause it to stall.

Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion.", please restart the computer.

"information and logs"

  • In your next post I need the following
  • Log from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now?
Gringo

Hi Gringo,

 

Ran ComboFix just as you suggested.

Only thing that seems to have changed is when I opened the browser to get to this site, I got a message that Firefox isn't the default browser (which it always has been). I clicked to make it the default again.

 

Computer seems fine but it always has seemed that way. Only issue is when I tried to install and run mbam. That's what has led to all this.

I still haven't done anything with mbam (downloaded or installed) because I've just been following your direction.

 

ComboFix log:

 

ComboFix 14-02-24.02 - Hy-Tech 02/28/2014  12:12:47.6.1 - x64
Microsoft Windows 7 Home Premium   6.1.7601.1.1252.1.1033.18.3838.2314 [GMT -5:00]
Running from: c:\users\Hy-Tech\Desktop\ComboFix.exe
AV: AVG AntiVirus Free Edition 2013 *Disabled/Updated* {0E9420C4-06B3-7FA0-3AB1-6E49CB52ECD9}
SP: AVG AntiVirus Free Edition 2013 *Disabled/Updated* {B5F5C120-2089-702E-0001-553BB0D5A664}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\system64
F:\Autorun.inf
.
.
(((((((((((((((((((((((((   Files Created from 2014-01-28 to 2014-02-28  )))))))))))))))))))))))))))))))
.
.
2014-02-28 17:19 . 2014-02-28 17:19    --------    d-----w-    c:\users\Test account\AppData\Local\temp
2014-02-28 17:19 . 2014-02-28 17:19    --------    d-----w-    c:\users\Public\AppData\Local\temp
2014-02-28 17:19 . 2014-02-28 17:19    --------    d-----w-    c:\users\Default\AppData\Local\temp
2014-02-28 17:19 . 2014-02-28 17:19    --------    d-----w-    c:\users\apache2triad\AppData\Local\temp
2014-02-28 17:19 . 2014-02-28 17:19    --------    d-----w-    c:\users\apache2triad.Warehouse-1\AppData\Local\temp
2014-02-28 14:20 . 2014-02-28 14:20    --------    d-----w-    c:\windows\ERUNT
2014-02-28 13:40 . 2014-02-28 13:42    --------    d-----w-    C:\AdwCleaner
2014-02-27 14:09 . 2014-02-27 19:01    --------    d-----w-    C:\FRST
2014-02-26 17:37 . 2014-02-26 17:37    --------    d-----w-    c:\users\Hy-Tech\AppData\Local\Programs
2014-02-12 14:13 . 2013-12-21 09:39    600064    ----a-w-    c:\windows\system32\vbscript.dll
2014-02-12 14:13 . 2013-12-21 07:56    523776    ----a-w-    c:\windows\SysWow64\vbscript.dll
2014-02-12 14:10 . 2013-12-06 02:30    2048    ----a-w-    c:\windows\system32\msxml3r.dll
2014-02-12 14:10 . 2013-12-06 02:30    1882112    ----a-w-    c:\windows\system32\msxml3.dll
2014-02-12 14:10 . 2013-12-06 02:02    2048    ----a-w-    c:\windows\SysWow64\msxml3r.dll
2014-02-12 14:10 . 2013-12-06 02:02    1237504    ----a-w-    c:\windows\SysWow64\msxml3.dll
2014-02-12 14:08 . 2013-12-24 23:09    1987584    ----a-w-    c:\windows\SysWow64\d3d10warp.dll
2014-02-12 14:08 . 2013-12-24 22:48    2565120    ----a-w-    c:\windows\system32\d3d10warp.dll
2014-02-12 14:08 . 2013-11-26 08:16    3419136    ----a-w-    c:\windows\SysWow64\d2d1.dll
2014-02-12 14:08 . 2013-11-22 22:48    3928064    ----a-w-    c:\windows\system32\d2d1.dll
2014-02-03 15:20 . 2014-02-03 15:20    --------    d-----w-    c:\programdata\UPS
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2014-02-24 13:17 . 2012-09-04 20:23    71048    ----a-w-    c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2014-02-24 13:17 . 2012-09-04 20:23    692616    ----a-w-    c:\windows\SysWow64\FlashPlayerApp.exe
2014-02-12 14:21 . 2010-08-25 16:35    88567024    ----a-w-    c:\windows\system32\MRT.exe
2013-12-19 02:09 . 2014-01-21 14:02    96168    ----a-w-    c:\windows\SysWow64\WindowsAccessBridge-32.dll
2013-12-12 02:02 . 2013-12-12 02:02    16384    ----a-w-    c:\windows\SysWow64\GetHostIP.exe
2013-12-12 02:01 . 2013-12-12 02:01    1311    ----a-w-    c:\windows\SysWow64\mc.fot
2013-12-12 02:01 . 2013-12-12 02:01    364544    ----a-w-    c:\windows\SysWow64\softokn3.dll
2013-12-12 02:01 . 2013-12-12 02:01    339968    ----a-w-    c:\windows\SysWow64\nss3.dll
2013-12-12 02:01 . 2013-12-12 02:01    28672    ----a-w-    c:\windows\SysWow64\plc4.dll
2013-12-12 02:01 . 2013-12-12 02:01    24576    ----a-w-    c:\windows\SysWow64\plds4.dll
2013-12-12 02:01 . 2013-12-12 02:01    180224    ----a-w-    c:\windows\SysWow64\nssckbi.dll
2013-12-12 02:01 . 2013-12-12 02:01    155648    ----a-w-    c:\windows\SysWow64\nspr4.dll
2013-12-12 02:01 . 2013-12-12 02:01    110592    ----a-w-    c:\windows\SysWow64\ssl3.dll
2013-12-12 02:01 . 2013-12-12 02:01    106496    ----a-w-    c:\windows\SysWow64\smime3.dll
2013-12-04 03:09 . 2013-12-04 03:09    128512    ----a-w-    c:\windows\SysWow64\HttpComm.dll
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Uploader"="c:\program files (x86)\Seagate\Seagate Dashboard 2.0\Seagate.Dashboard.Uploader.exe" [2013-10-19 122984]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"AVG_UI"="c:\program files (x86)\AVG\AVG2013\avgui.exe" [2013-11-20 4411952]
"DBAgent"="c:\program files (x86)\Seagate\Seagate Dashboard 2.0\DBAgent.exe" [2013-10-19 1517128]
"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2013-07-02 254336]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
UPS WorldShip Messaging Utility.lnk - c:\ups\WSTD\WSTDMessaging.exe [2013-12-3 415840]
UPS WorldShip PLD Reminder Utility.lnk - c:\ups\WSTD\wstdPldReminder.exe [2013-12-3 41056]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
"EnableLinkedConnections"= 1 (0x1)
.
R0 TfFsMon;TfFsMon;c:\windows\system32\drivers\TfFsMon.sys;c:\windows\SYSNATIVE\drivers\TfFsMon.sys [x]
R0 TfSysMon;TfSysMon;c:\windows\system32\drivers\TfSysMon.sys;c:\windows\SYSNATIVE\drivers\TfSysMon.sys [x]
R2 AVGIDSAgent;AVGIDSAgent;c:\program files (x86)\AVG\AVG2013\avgidsagent.exe;c:\program files (x86)\AVG\AVG2013\avgidsagent.exe [x]
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [x]
R2 SlimFTPd;Apache2Triad SlimFTPd Server;c:\apache2triad\ftp\SlimFTPd.exe;c:\apache2triad\ftp\SlimFTPd.exe [x]
R3 Apache2SSL;Apache2Triad Apache2 Service with SSL;c:\apache2triad\bin\httpd.exe;c:\apache2triad\bin\httpd.exe [x]
R3 dc3d;MS Hardware Device Detection Driver (USB);c:\windows\system32\DRIVERS\dc3d.sys;c:\windows\SYSNATIVE\DRIVERS\dc3d.sys [x]
R3 PCDSRVC{F36B3A4C-F95654BD-06000000}_0;PCDSRVC{F36B3A4C-F95654BD-06000000}_0 - PCDR Kernel Mode Service Helper Driver;c:\program files\pc-doctor for windows\pcdsrvc_x64.pkms;c:\program files\pc-doctor for windows\pcdsrvc_x64.pkms [x]
R3 PgSql;Apache2Triad PostgreSQL Service;c:\apache2triad\pgsql\bin\pg_ctl.exe;c:\apache2triad\pgsql\bin\pg_ctl.exe [x]
R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys;c:\windows\SYSNATIVE\drivers\rdpvideominiport.sys [x]
R3 TfNetMon;TfNetMon;c:\windows\system32\drivers\TfNetMon.sys;c:\windows\SYSNATIVE\drivers\TfNetMon.sys [x]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys;c:\windows\SYSNATIVE\drivers\tsusbflt.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe;c:\windows\SYSNATIVE\Wat\WatAdminSvc.exe [x]
R3 WSDScan;WSD Scan Support via UMB;c:\windows\system32\drivers\WSDScan.sys;c:\windows\SYSNATIVE\drivers\WSDScan.sys [x]
R3 XMail;Apache2Triad Xmail Service;c:\apache2triad\mail\bin\XMail.exe;c:\apache2triad\mail\bin\XMail.exe [x]
S0 AVGIDSHA;AVGIDSHA;c:\windows\system32\DRIVERS\avgidsha.sys;c:\windows\SYSNATIVE\DRIVERS\avgidsha.sys [x]
S0 Avgloga;AVG Logging Driver;c:\windows\system32\DRIVERS\avgloga.sys;c:\windows\SYSNATIVE\DRIVERS\avgloga.sys [x]
S0 Avgmfx64;AVG Mini-Filter Resident Anti-Virus Shield;c:\windows\system32\DRIVERS\avgmfx64.sys;c:\windows\SYSNATIVE\DRIVERS\avgmfx64.sys [x]
S0 Avgrkx64;AVG Anti-Rootkit Driver;c:\windows\system32\DRIVERS\avgrkx64.sys;c:\windows\SYSNATIVE\DRIVERS\avgrkx64.sys [x]
S1 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\DRIVERS\avgidsdrivera.sys;c:\windows\SYSNATIVE\DRIVERS\avgidsdrivera.sys [x]
S1 Avgldx64;AVG AVI Loader Driver;c:\windows\system32\DRIVERS\avgldx64.sys;c:\windows\SYSNATIVE\DRIVERS\avgldx64.sys [x]
S1 Avgtdia;AVG TDI Driver;c:\windows\system32\DRIVERS\avgtdia.sys;c:\windows\SYSNATIVE\DRIVERS\avgtdia.sys [x]
S2 avgwd;AVG WatchDog;c:\program files (x86)\AVG\AVG2013\avgwdsvc.exe;c:\program files (x86)\AVG\AVG2013\avgwdsvc.exe [x]
S2 Seagate Dashboard Services;Seagate Dashboard Services;c:\program files (x86)\Seagate\Seagate Dashboard 2.0\Seagate.Dashboard.DASWindowsService.exe;c:\program files (x86)\Seagate\Seagate Dashboard 2.0\Seagate.Dashboard.DASWindowsService.exe [x]
.
.
Contents of the 'Scheduled Tasks' folder
.
2014-02-28 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-11-17 21:59]
.
2014-02-28 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-11-17 21:59]
.
.
--------- X64 Entries -----------
.
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm

mLocal Page = c:\windows\SysWOW64\blank.htm
IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~2\Office12\EXCEL.EXE/3000
TCP: Interfaces\{5548AE38-75DF-4258-AE49-0A3A998B005C}: NameServer = 65.32.5.74,65.32.5.75

FF - ProfilePath - c:\users\Hy-Tech\AppData\Roaming\Mozilla\Firefox\Profiles\8okl92si.default\

.
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\services\PCDSRVC{F36B3A4C-F95654BD-06000000}_0]
"ImagePath"="\??\c:\program files\pc-doctor for windows\pcdsrvc_x64.pkms"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2014-02-28  12:21:11
ComboFix-quarantined-files.txt  2014-02-28 17:21
ComboFix2.txt  2012-08-06 16:09
ComboFix3.txt  2012-08-03 17:29
ComboFix4.txt  2012-08-02 19:50
ComboFix5.txt  2014-02-28 17:11
.
Pre-Run: 73,279,123,456 bytes free
Post-Run: 73,185,161,216 bytes free
.
- - End Of File - - 974323966CDD20E956239EAC7F6AE1A7
B9E42F49ABAFA9C9635A9DA88DCEB8D1
 


Hi Gringo,

 

Here's what I did:

Went to the mbam site and downloaded the chameleon version to a USB drive.

Changed the name before downloading.

Restarted in safe mode with networking.

Unzipped to a folder on the USB drive.

Ran all 12 tests. Results were the same.

When it tries to update the update window flashes on the screen and disappears.

When it tries to run the program it flashes on the screen and disappears.

The window shows the same results every time:

 

MBAM-Chameleon ver. 1.62.1.1000
Press any key to continue
Installing Driver...
Protected Path: G:\Tool\
...Done!
Trying to update Malwarebytes Anti-Malware, please wait...
...Done!
Killing known malicious processes, please wait...
...Done!
Trying to run Malwarebytes Anti-Malware, please wait...
...Done!
Removing protection driver...
...Done!
Press any key to continue
 

 

Frustrating, huh?


  • Staff

Hello

Have you just tried to install Malwarebytes?

Run Malwarebytes

Please download Malwarebytes' Anti-Malware to your desktop.

  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to
    • Update Malwarebytes' Anti-Malware
    • and Launch Malwarebytes' Anti-Malware
  • then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is Checked (ticked) except items in the C:\System Volume Information folder and click on Remove Selected.
  • When completed, a log will open in Notepad. Please copy and paste the log into your next reply.
    • If you accidentally close it, the log file is saved here and will be named like this:
    • C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.

Click OK to either and let MBAM proceed with the disinfection process.

If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.


  • Staff

Hello TedB

Malwarebytes Anti-Rootkit

1. Download Malwarebytes Anti-Rootkit

2. Unzip the contents to a folder in a convenient location.

3. Open the folder where the contents were unzipped and run mbar.exe

4. Follow the instructions in the wizard to update and allow the program to scan your computer for threats.

5. Click on the Cleanup button to remove any threats and reboot if prompted to do so.

6. Wait while the system shuts down and the cleanup process is performed.

7. Perform another scan with Malwarebytes Anti-Rootkit to verify that no threats remain. If they do, then click Cleanup once more and repeat the process.

8. If no additional threats were found, verify that your system is now running normally, making sure that the following items are functional:

  • Internet access
  • Windows Update
  • Windows Firewall

9. If there are additional problems with your system, such as any of those listed above or other system issues, then run the 'fixdamage' tool included with Malwarebytes Anti-Rootkit and reboot.

10. Verify that your system is now functioning normally.

--RogueKiller--

Download & SAVE to your Desktop RogueKiller for 32bit or Roguekiller for 64bit

  • Quit all programs that you may have started.
  • Please disconnect any external drives from the computer before you run this scan!
  • For Vista or Windows 7, right-click and select "Run as Administrator" to start.
  • For Windows XP, double-click to start.
  • Wait until Prescan has finished ...
  • Then Click on "Scan" button
  • Wait until the Status box shows "Scan Finished"
  • Click on "delete"
  • Wait until the Status box shows "Deleting Finished"
  • Click on "Report" and copy/paste the content of the Notepad into your next reply.
  • The scan will make two reports; the one I would like to see is called RKreport[2].txt on your Desktop
  • Exit/Close RogueKiller

Send me the reports made from MBAR and Roguekiller and also let me know how the computer is doing at this time.

Gringo


Hi Gringo,

 

Tried running the malwarebytes anti-rootkit...but the same thing happens as when I try to run malwarebytes.

The program opens for a flash on the screen then closes.

 

Moved on to the RogueKiller program.

It produced two text files but neither was named RKreport[2]. They're both named RKreport[0] with different numbered extensions at the end. I'll include both.

 

RKreport[0]_D_03052014_094419.txt

RogueKiller V8.8.10 _x64_ [Feb 28 2014] by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : http://forum.adlice.com
Website : http://www.adlice.com/softwares/roguekiller/
Blog : http://www.adlice.com

Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User : Hy-Tech [Admin rights]
Mode : Remove -- Date : 03/05/2014 09:44:19
| ARK || FAK || MBR |

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 8 ¤¤¤
[HJ POL][PUM] HKLM\[...]\System : DisableRegistryTools (0) -> DELETED
[HJ POL][PUM] HKLM\[...]\System : ConsentPromptBehaviorAdmin (0) -> REPLACED (2)
[HJ POL][PUM] HKLM\[...]\System : EnableLUA (0) -> REPLACED (1)
[HJ POL][PUM] HKLM\[...]\Wow6432Node\[...]\System : DisableRegistryTools (0) -> [0x2] The system cannot find the file specified.
[HJ POL][PUM] HKLM\[...]\Wow6432Node\[...]\System : ConsentPromptBehaviorAdmin (0) -> REPLACED (2)
[HJ POL][PUM] HKLM\[...]\Wow6432Node\[...]\System : EnableLUA (0) -> REPLACED (1)
[HJ DESK][PUM] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> REPLACED (0)
[HJ DESK][PUM] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> REPLACED (0)

¤¤¤ Scheduled tasks : 3 ¤¤¤
[V2][sUSP PATH] Hy-Tech : C:\Program Files (x86)\Seagate\Seagate Dashboard 2.0\NBCore.exe - "C:\Users\Hy-Tech\AppData\Roaming\Seagate\Seagate Dashboard 2.0\Files\Hy-Tech.nji" [7][-] -> DELETED
[V2][sUSP PATH] Hy-Tech Merge : "C:\Program Files (x86)\Seagate\Seagate Dashboard 2.0\NBCore.exe" - "C:\Users\Hy-Tech\AppData\Roaming\Seagate\Seagate Dashboard 2.0\Files\Hy-Tech Merge.nji" [7][-] -> DELETED
[V2][sUSP PATH] {5AB7EBD1-D03B-4734-8592-BC17235C78D0} : C:\Users\Hy-Tech\Desktop\Bravo.exe [x] -> DELETED

¤¤¤ Startup Entries : 0 ¤¤¤

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ Browser Addons : 0 ¤¤¤

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [NOT LOADED 0x0] ¤¤¤

¤¤¤ External Hives: ¤¤¤

¤¤¤ Infection :  ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
--> %SystemRoot%\System32\drivers\etc\hosts


127.0.0.1       localhost


¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: (\\.\PHYSICALDRIVE0 @ IDE) ST350041 8AS SCSI Disk Device +++++
--- User ---
[MBR] ec111efaecce2e8fa7b983636f171ef0
[bSP] 2747c6d13b951c3b88c0a3d25db4b736 : Windows Vista/7/8 MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 100 Mo
1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 206848 | Size: 466707 Mo
2 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 956022784 | Size: 10131 Mo
User = LL1 ... OK!
Error reading LL2 MBR! ([0x1] Incorrect function. )

+++++ PhysicalDrive1: (\\.\PHYSICALDRIVE1 @ USB) Seagate Backup+ BK USB Device +++++
--- User ---
[MBR] bee699a00b78b16d63363894da60f7cd
[bSP] 8a09adc5af4063e8ec63bedc823f4ee8 : Empty MBR Code
Partition table:
0 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 953868 Mo
User = LL1 ... OK!
Error reading LL2 MBR! ([0x32] The request is not supported. )

+++++ PhysicalDrive2: (\\.\PHYSICALDRIVE2 @ USB) USB DISK 2.0 USB Device +++++
--- User ---
[MBR] dab5ab23d20c87ad5a6993df3bcfb23d
[bSP] 33a07a59d299ab4ea9f4ab0156f9d86f : Windows XP MBR Code
Partition table:
0 - [XXXXXX] FAT32-LBA (0x0c) [VISIBLE] Offset (sectors): 8064 | Size: 7631 Mo
User = LL1 ... OK!
Error reading LL2 MBR! ([0x32] The request is not supported. )

Finished : << RKreport[0]_D_03052014_094419.txt >>
RKreport[0]_S_03052014_094222.txt



===============================================================================================

RKreport[0]_S_03052014_094222.txt

RogueKiller V8.8.10 _x64_ [Feb 28 2014] by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : http://forum.adlice.com
Website : http://www.adlice.com/softwares/roguekiller/
Blog : http://www.adlice.com

Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User : Hy-Tech [Admin rights]
Mode : Scan -- Date : 03/05/2014 09:42:22
| ARK || FAK || MBR |

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 11 ¤¤¤
[DNS][PUM] HKLM\[...]\CCSet\[...]\{5548AE38-75DF-4258-AE49-0A3A998B005C} : NameServer (65.32.5.74,65.32.5.75 [uNITED STATES (US) - UNITED STATES (US)]) -> FOUND
[DNS][PUM] HKLM\[...]\CS001\[...]\{5548AE38-75DF-4258-AE49-0A3A998B005C} : NameServer (65.32.5.74,65.32.5.75 [uNITED STATES (US) - UNITED STATES (US)]) -> FOUND
[DNS][PUM] HKLM\[...]\CS002\[...]\{5548AE38-75DF-4258-AE49-0A3A998B005C} : NameServer (65.32.5.74,65.32.5.75 [uNITED STATES (US) - UNITED STATES (US)]) -> FOUND
[HJ POL][PUM] HKLM\[...]\System : DisableRegistryTools (0) -> FOUND
[HJ POL][PUM] HKLM\[...]\System : ConsentPromptBehaviorAdmin (0) -> FOUND
[HJ POL][PUM] HKLM\[...]\System : EnableLUA (0) -> FOUND
[HJ POL][PUM] HKLM\[...]\Wow6432Node\[...]\System : DisableRegistryTools (0) -> FOUND
[HJ POL][PUM] HKLM\[...]\Wow6432Node\[...]\System : ConsentPromptBehaviorAdmin (0) -> FOUND
[HJ POL][PUM] HKLM\[...]\Wow6432Node\[...]\System : EnableLUA (0) -> FOUND
[HJ DESK][PUM] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
[HJ DESK][PUM] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

¤¤¤ Scheduled tasks : 3 ¤¤¤
[V2][sUSP PATH] Hy-Tech : C:\Program Files (x86)\Seagate\Seagate Dashboard 2.0\NBCore.exe - "C:\Users\Hy-Tech\AppData\Roaming\Seagate\Seagate Dashboard 2.0\Files\Hy-Tech.nji" [7][-] -> FOUND
[V2][sUSP PATH] Hy-Tech Merge : "C:\Program Files (x86)\Seagate\Seagate Dashboard 2.0\NBCore.exe" - "C:\Users\Hy-Tech\AppData\Roaming\Seagate\Seagate Dashboard 2.0\Files\Hy-Tech Merge.nji" [7][-] -> FOUND
[V2][sUSP PATH] {5AB7EBD1-D03B-4734-8592-BC17235C78D0} : C:\Users\Hy-Tech\Desktop\Bravo.exe [x] -> FOUND

¤¤¤ Startup Entries : 0 ¤¤¤

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ Browser Addons : 0 ¤¤¤

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [NOT LOADED 0x0] ¤¤¤

¤¤¤ External Hives: ¤¤¤

¤¤¤ Infection :  ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
--> %SystemRoot%\System32\drivers\etc\hosts


127.0.0.1       localhost


¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: (\\.\PHYSICALDRIVE0 @ IDE) ST350041 8AS SCSI Disk Device +++++
--- User ---
[MBR] ec111efaecce2e8fa7b983636f171ef0
[bSP] 2747c6d13b951c3b88c0a3d25db4b736 : Windows Vista/7/8 MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 100 Mo
1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 206848 | Size: 466707 Mo
2 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 956022784 | Size: 10131 Mo
User = LL1 ... OK!
Error reading LL2 MBR! ([0x1] Incorrect function. )

+++++ PhysicalDrive1: (\\.\PHYSICALDRIVE1 @ USB) Seagate Backup+ BK USB Device +++++
--- User ---
[MBR] bee699a00b78b16d63363894da60f7cd
[bSP] 8a09adc5af4063e8ec63bedc823f4ee8 : Empty MBR Code
Partition table:
0 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 953868 Mo
User = LL1 ... OK!
Error reading LL2 MBR! ([0x32] The request is not supported. )

+++++ PhysicalDrive2: (\\.\PHYSICALDRIVE2 @ USB) USB DISK 2.0 USB Device +++++
--- User ---
[MBR] dab5ab23d20c87ad5a6993df3bcfb23d
[bSP] 33a07a59d299ab4ea9f4ab0156f9d86f : Windows XP MBR Code
Partition table:
0 - [XXXXXX] FAT32-LBA (0x0c) [VISIBLE] Offset (sectors): 8064 | Size: 7631 Mo
User = LL1 ... OK!
Error reading LL2 MBR! ([0x32] The request is not supported. )

Finished : << RKreport[0]_S_03052014_094222.txt >>



 


  • Staff

Hello TedB

I would like you to try and run these next.

TDSSKiller

Please download the latest version of TDSSKiller from here and save it to your Desktop.

  • Doubleclick on TDSSKiller.exe to run the application, then click on Change parameters.
  • Put a checkmark beside loaded modules.
  • A reboot will be needed to apply the changes. Do it.
  • TDSSKiller will launch automatically after the reboot. Also your computer may seem very slow and unusable. This is normal. Give it enough time to load your background programs.
  • Then click on Change parameters in TDSSKiller.
  • Check all boxes then click OK.
  • Click the Start Scan button.
  • The scan should take no longer than 2 minutes.
  • If a suspicious object is detected, the default action will be Skip, click on Continue.
  • If malicious objects are found, they will show in the Scan results
  • Ensure Cure (default) is selected, then click Continue > Reboot now to finish the cleaning process.

    Note: If Cure is not available, please choose Skip instead, do not choose Delete unless instructed.

  • More than one report will be created in your root directory (usually the C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". The one that I need is the larger one. Please copy and paste the contents of that file here.

    Note** this report can be very long - so if the website gives you an error saying it is too long you may attach it

    If the forum still complains about it being too long send me everything that is at the end of the report after where it says

    ==================

    Scan finished

    ==================

and I will see if I want to see the whole report

send me the reports made from TDSSKiller

Gringo


  • Staff

I would like to know how the computer is doing at this time and I would like you to rerun FRST for me and send me a new report

If you cannot find it here is the link again.

Please download the Farbar Recovery Scan Tool from here:

http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/ - Click on the BLUE download buttons only - ( The GREEN ones are ads)

save it to your desktop.

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.

Double-click to run it.

When the tool opens click Yes to disclaimer.

Press the Scan button.

It will make a log (FRST.txt) in the same directory the tool is run.

Please attach that log to your reply.

The first time the tool is run, it makes a second log (Addition.txt).

Please attach that to your reply as well


  • Staff

You will need to perform a clean uninstall using our tool. If using the PRO version, locate the confirmation email that was sent by Cleverbridge at the time of purchase so that you have your ID and Key handy for the reinstall.

• Download and run "mbam-clean.exe" from here: http://downloads.malwarebytes.org/file/mbam_clean

• It will ask to restart your computer, please allow it to do so (this is very important)

Next, download the latest version of Malwarebytes Anti-Malware via the link below:

http://downloads.malwarebytes.org/file/mbam

NOTE - All downloads and set up files are the Free version, registration with your ID & key will activate the Pro features.

Save the file to your desktop then double-click it to begin installation. If you're using the PRO version you will need to re-register.

Launch Malwarebytes Anti-Malware by double clicking the desktop icon. When the program opens, click on the Activate button at the bottom of the window.

In the next window that pops open, copy/paste the ID and license key directly from the confirmation email into the proper fields.

** Please make sure you are only including the letters and numbers and not the words ID or Key.

Finally, make sure you are not including additional spaces before or after the ID and Key.

Click the Activate button once again. If done correctly you should see the word (PRO) in the Malwarebytes Anti-Malware header.


  • Staff

Greetings

I have not heard from you in a couple of days so I am coming by to check on you to see if you are having problems or you just need some more time.

Also to remind you that it is very important that we finish the process completely so as to not get reinfected. I will let you know when we are complete and I will ask to remove our tools

Gringo


Hi Gringo,

 

Sorry....was house sitting for a couple days and not near my computer.

 

I cleaned as instructed, downloaded the latest version, and tried to run.

Same thing happened. Update window opened for one second then closed.


  • Staff

We are going to be upgrading Malwarebytes Antimalware very soon. I would like you to download the new version now and see if you have the same trouble.

To upgrade to the new version, first we will have to uninstall the old version from the Control Panel - in (XP) Add/Remove and in (Vista and later) Programs and Features

Then download the new version from here

http://downloads.malwarebytes.org/file/mbam_public_beta

As long as Malwarebytes Antimalware was already registered it will remember your ID and Key

Regards,

William Rowland

Consumer Support Specialist

Malwarebytes


  • Staff

I would like you to rerun FRST for me and send me a new report

If you cannot find it here is the link again.

Please download the Farbar Recovery Scan Tool from here:

http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/ - Click on the BLUE download buttons only - ( The GREEN ones are ads)

save it to your desktop.

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.

Double-click to run it.

When the tool opens click Yes to disclaimer.

Press the Scan button.

It will make a log (FRST.txt) in the same directory the tool is run.

Please attach that log to your reply.

The first time the tool is run, it makes a second log (Addition.txt).

Please attach that to your reply as well


This topic is now closed to further replies.