PLease HELP ME. My PC has slowed to almost a stand still. INFECTED

[MarshallK]

 please help i think my pc has been infected with some kind of pup or virus.

 

the computer is running really slow, tons of long 30-45 sec pauses where nothing happens at all. its like the pc isfoze.

 

after this went on for a few hrs. then the pc started saying low on some kindd of ,memory.  and has got worse over the last 12 hrsa.

 

Task manager is saying that explorer.exe is deadlocked.  

 

Its jsut all bad.   Please help hopefully tonight would be awesome

 

 

Thank you Marshall

[MarshallK]

"";"Found MalSign.Generic.373, i:\FileHistory\Marshall\MARSHALLK-PC\Data\C\Users\Marshall\Music\YouTube Downloader my music\Mike-Dash-E - Takin Mine ft. Iamsu! (CDQ) (2014_06_02 05_19_20 UTC).exe";"Infected";"File or Directory";"6/2/2014, 2:25:18 AM"

 

I wanted to add this.  My AVG free anti virus just popped it up on my screen

 thank you

[MarshallK]

 

 

thanky you

FRST.txtFRST.txtmalwarebytes scan found malware.txt

 

Addition.txt

[kevinf80]

Hello and

 

P2P/Piracy Warning:

 

   

If you're using Peer 2 Peer software such as uTorrent, BitTorrent or similar you must either fully uninstall them or completely disable them from running while being assisted here.

Failure to remove or disable such software will result in your topic being closed and no further assistance being provided.

If you have illegal/cracked software, cracks, keygens etc. on the system, please remove or uninstall them now and read the policy on Piracy.

 

Download Farbar Recovery Scan Tool and save it to your desktop.

 

Note: You need to run the version compatible with your system (32 bit or 64 bit). If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.

• 
  

Double-click to run it. When the tool opens click Yes to disclaimer.
Press Scan button.
It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
The first time the tool is run, it makes also another log (Addition.txt). Please attach it to your reply.

 

Kevin....

[MarshallK]

my pc is running horrible.   slower than a snail.   both anti-malwarebytes and my anti virus continue to detect several viruses and says that they are going to fix it. But there are still more that come up.  

 

Can some one please help me fix this before it takes over my computer.

 

also task manager is saying that Im using 100% of my disk .

1.  

I ran Farbar and attached the 2 reports .  I will be awaiting your response

 

Thank you

 

Marshall Kline

 

 

FRST.txt

 

Addition.txt

[MarshallK]

sorry I took long to respond .  I didnt realize you had replied.  I didnt see any emails letting me know.  

 

Thank you.   I am attaching the FRST.txt and Addition.txt and sending it along

 

.  

FRST.txt

FRST.txt

Addition.txt

[kevinf80]

Download attached fixlist.txt file and save it to the Desktop, or the folder you saved FRST into.

NOTE. It's important that both FRST and fixlist.txt are in the same location or the fix will not work.

 

Run FRST and press the Fix button just once and wait.

The tool will make a log on the Desktop (Fixlog.txt) or the folder it was ran from. Please post it to your reply.

 

Next,

 

Download AdwCleaner by Xplode onto your Desktop.

• 
  

Double click on Adwcleaner.exe to run the tool.
Click on Scan
Once the scan is done, click on the Clean button.
You will get a prompt asking to close all programs. Click OK.
Click OK again to reboot your computer.
A text file will open after the restart. Please post the content of that logfile in your reply.
You can also find the logfile at C:\AdwCleaner[sn].txt.

 

Next,

 

Please download Junkware Removal Tool to your desktop.

• 
  

Shut down your protection software now to avoid potential conflicts.
Run the tool by double-clicking it. If you are using Windows Vista, 7, or 8; instead of double-clicking, right-mouse click JRT.exe and select "Run as Administrator".
The tool will open and start scanning your system.
Please be patient as this can take a while to complete depending on your system's specifications.
On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
Post the contents of JRT.txt into your next message.

 

Next,

 

Open Malwarebytes 2.0, run a Threat Scan

 

• 
  

On the Dashboard, click the 'Update Now >>' link
After the update completes, click the 'Scan Now >>' button.
Or, on the Dashboard, click the Scan Now >> button.
If an update is available, click the Update Now button.
A Threat Scan will begin.
When the scan is complete, if there have been detections, click Apply Actions to allow MBAM to clean what was detected.
In most cases, a restart will be required.
Wait for the prompt to restart the computer to appear, then click on Yes.

 

Post log:

 

• 
  

After the restart once you are back at your desktop, open MBAM once more.
Click on the History tab > Application Logs.
Double click on the scan log which shows the Date and time of the scan just performed.
Click 'Copy to Clipboard'
Paste the contents of the clipboard into your reply.

 

Next,

 

Please download RogueKiller and save it to your desktop from the following link: http://www.bleepingcomputer.com/download/roguekiller/

 

• Quit all running programs.
  
• For Windows XP, double-click to start.
  
• For Vista,Windows 7/8, Right-click on the program and select Run as Administrator to start and when prompted allow it to run.
  
• Read and accept the EULA (End User Licene Agreement)
  
• Click Scan to scan the system.
  
• When the scan completes Close the program > Don't Fix anything!
  
• Post back the report which should be located on your desktop.
  

 

Let me see those logs, also give an update on any remaining issues or concerns...

 

Kevin

 

 

 

fixlist.txt

[MarshallK]

here is step 1 

 

fix.txt

 

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 02-06-2014

Ran by Marshall at 2014-06-05 21:22:52 Run:1

Running from C:\Users\Marshall\Desktop

Boot Mode: Normal

==============================================

 

Content of fixlist:

*****************

Start

C:\ProgramData\MakeMarkerFile.exe

C:\Users\EasySurvey\EasySurvey.exe

AlternateDataStreams: C:\ProgramData\Temp:EE9B88C9

AlternateDataStreams: C:\Users\Marshall\SkyDrive:ms-properties

End

*****************

 

C:\ProgramData\MakeMarkerFile.exe => Moved successfully.

C:\Users\EasySurvey\EasySurvey.exe => Moved successfully.

C:\ProgramData\Temp => ":EE9B88C9" ADS removed successfully.

"C:\Users\Marshall\SkyDrive" => ":ms-properties" ADS not found.

 

==== End of Fixlog ====

 

downloading adaware now

[MarshallK]

step 2 adware results

 

# AdwCleaner v3.212 - Report created 05/06/2014 at 21:36:59

# Updated 05/06/2014 by Xplode

# Operating System : Windows 8.1  (64 bits)

# Username : Marshall - MARSHALLK-PC

# Running from : C:\Users\Marshall\Desktop\AdwCleaner.exe

# Option : Clean

 

***** [ Services ] *****

 

 

***** [ Files / Folders ] *****

 

 

***** [ Shortcuts ] *****

 

 

***** [ Registry ] *****

 

Key Deleted : HKLM\SOFTWARE\Google\Chrome\Extensions\jbolfgndggfhhpbnkgnpjkfhinclbigj

Key Deleted : HKCU\Software\Conduit

 

***** [ Browsers ] *****

 

-\\ Internet Explorer v11.0.9600.17037

 

 

-\\ Google Chrome v35.0.1916.114

 

[ File : C:\Users\Marshall\AppData\Local\Google\Chrome\User Data\Default\preferences ]

 

 

*************************

 

AdwCleaner[R0].txt - [910 octets] - [05/06/2014 21:28:10]

AdwCleaner[s0].txt - [795 octets] - [05/06/2014 21:36:59]

 

########## EOF - C:\AdwCleaner\AdwCleaner[s0].txt - [854 octets] ##########

[MarshallK]

step 3

 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Junkware Removal Tool (JRT) by Thisisu

Version: 6.1.4 (04.06.2014:1)

OS: Windows 8.1 x64

Ran by Marshall on Thu 06/05/2014 at 22:00:02.99

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

 

 

 

 

~~~ Services

 

 

 

~~~ Registry Values

 

 

 

~~~ Registry Keys

 

 

 

~~~ Files

 

 

 

~~~ Folders

 

Successfully deleted: [Folder] "C:\ProgramData\boost_interprocess"

Successfully deleted: [Folder] "C:\Users\Marshall\appdata\locallow\boost_interprocess"

 

 

 

~~~ Event Viewer Logs were cleared

 

 

 

 

 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Scan was completed on Thu 06/05/2014 at 22:24:03.70

End of JRT log

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

[MarshallK]

Malwarebytes Anti-Malware

www.malwarebytes.org

 

 

Protection, 6/6/2014 12:01:31 AM, SYSTEM, MARSHALLK-PC, Protection, Malware Protection, Starting, 

Protection, 6/6/2014 12:01:31 AM, SYSTEM, MARSHALLK-PC, Protection, Malware Protection, Started, 

Protection, 6/6/2014 12:01:31 AM, SYSTEM, MARSHALLK-PC, Protection, Malicious Website Protection, Starting, 

Protection, 6/6/2014 12:01:47 AM, SYSTEM, MARSHALLK-PC, Protection, Malicious Website Protection, Started, 

 

(end)

 

 

I have noticed that the task manager is still suspending some things.   have never seen that happen before.  earlier today the disk was at 100% for a long time.  the pc really slow.   now it gets up to 80-98% on the doisk, but  seems to be sharing the load with memory.  memory goes high then they trade off and disk goes high.    im not sure the issue is fixed yet.   

 

What do you think?  Your the expert.   

 

 

Malwarebytes didnt find any thing this time though

 

here is the suspended host.   there are alot of wwahost as well as alot of svchost.exe  like 13 of them......

 

Name PID Status User name CPU Memory (private working set) Description

WWAHost.exe 8000 Suspended Marshall 00 70,444 K Microsoft WWA Host

 

Thank you

 

Marshall

[kevinf80]

Have you ran RogueKiller, can I see that log...

[MarshallK]

yep its finishing up now ill  get that right over.

 

sorry it took me so long. 

[MarshallK]

ok here is the results

 

 

 

RogueKiller V9.0.2.0 [Jun  3 2014] by Adlice Software

mail : http://www.adlice.com/contact/

Feedback : http://forum.adlice.com

Website : http://www.adlice.com/softwares/roguekiller/

Blog : http://www.adlice.com

 

Operating System : Windows 8.1 (6.3.9200 ) 64 bits version

Started in : Normal mode

User : Marshall [Admin rights]

Mode : Scan -- Date : 06/06/2014  02:10:04

 

¤¤¤ Bad processes : 0 ¤¤¤

 

¤¤¤ Registry Entries : 8 ¤¤¤

[PUM.Policies] (X64) HKEY_USERS\S-1-5-21-915191271-1565821320-4066514102-1002\Software\Microsoft\Windows\CurrentVersion\Policies\System | DisableRegistryTools : 0  -> FOUND

[PUM.Policies] (X64) HKEY_USERS\S-1-5-21-915191271-1565821320-4066514102-1002\Software\Microsoft\Windows\CurrentVersion\Policies\System | DisableTaskMgr : 0  -> FOUND

[PUM.Policies] (X86) HKEY_USERS\S-1-5-21-915191271-1565821320-4066514102-1002\Software\Microsoft\Windows\CurrentVersion\Policies\System | DisableRegistryTools : 0  -> FOUND

[PUM.Policies] (X86) HKEY_USERS\S-1-5-21-915191271-1565821320-4066514102-1002\Software\Microsoft\Windows\CurrentVersion\Policies\System | DisableTaskMgr : 0  -> FOUND

[PUM.DesktopIcons] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1  -> FOUND

[PUM.DesktopIcons] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {59031a47-3f72-44a7-89c5-5595fe6b30ee} : 1  -> FOUND

[PUM.DesktopIcons] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1  -> FOUND

[PUM.DesktopIcons] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {59031a47-3f72-44a7-89c5-5595fe6b30ee} : 1  -> FOUND

 

¤¤¤ Scheduled tasks : 0 ¤¤¤

 

¤¤¤ Files : 0 ¤¤¤

 

¤¤¤ HOSTS File : 0 ¤¤¤

 

¤¤¤ Antirootkit : 0 ¤¤¤

 

¤¤¤ Web browsers : 0 ¤¤¤

 

¤¤¤ MBR Check : ¤¤¤

+++++ PhysicalDrive0: ST500LM012 HN-M500MBB +++++

--- User ---

[MBR] 11e157aa40e27e587a674048f755a16d

[bSP] 11f9135eb99d0a61cacb54a11aba445a : Unknown MBR Code

Partition table:

0 - [XXXXXX] UNKNOWN (0x0) [VISIBLE] Offset (sectors): 1 | Size: 2097151 MB

User = LL1 ... OK

User = LL2 ... OK

[kevinf80]

Thanks for the log, do not see anything obviously wrong....  We need to run an online AV scan to ensure there are no remnants of any infection left on your system that may have been missed. This scan is very thorough and well worth running, it can take several hours please be patient and let it complete:

 

Run Eset Online Scanner

 

**Note** You will need to use Internet explorer for this scan - Vista and Windows 7/8 right click on IE shortcut and run as admin

 

Go to Eset web page http://www.eset.com/us/online-scanner/ to run an online scan from ESET.

 

• 
  

Turn off the real time scanner of any existing antivirus program while performing the online scan
click on the Run ESET Online Scanner button
Tick the box next to YES, I accept the Terms of Use.
Click Start
When asked, allow the add/on to be installed
Click Start
Make sure that the option "Remove found threats"  is UNticked
Click on Advanced Settings, ensure the options
Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
Click Scan
wait for the virus definitions to be downloaded
Wait for the scan to finish

 

When the scan is complete

 

• 
  

If no threats were found
put a checkmark in "Uninstall application on close"
close program
report to me that nothing was found

 

If threats were found

 

• 
  

click on "list of threats found"
click on "export to text file" and save it as ESET SCAN and save to the desktop
Click on back
put a checkmark in "Uninstall application on close"
click on finish

 

close program

 

Copy and paste the report in next reply.

 

Next,

 

Download Security Check by screen317 from either of the following:

http://screen317.spywareinfoforum.org/SecurityCheck.exe or http://screen317.changelog.fr/SecurityCheck.exe

Save it to your Desktop. (If your security alerts either accept the alert, or turn the security off while Secuirity Check runs)

Double click SecurityCheck.exe (Vista or Windows 7/8 users right click and select "Run as Administrator") and follow the onscreen instructions inside of the black box. Press any key when asked.

A Notepad document should open automatically called checkup.txt; please post the contents of that document.

If Security Check will not run or you get an alert saying it is not supported, Re-boot your PC then try again...

 

Let me see those two logs, also give an update on any remaining issues or concerns...

 

Thanks,

 

Kevin

[MarshallK]

ESET SCAN RESULTS

 

C:\$Recycle.Bin\S-1-5-21-915191271-1565821320-4066514102-1002\$RJ90KSB.exe Win32/OpenCandy potentially unsafe application

C:\ProgramData\DDNi\Smart Advisor\Bits\SmartAdvisorCareCenter.exe a variant of Win32/Bundled.Toolbar.Ask potentially unsafe application

C:\ProgramData\{59F69B16-1A51-4796-B052-2F5E519860C3}\OFFLINE\8C3DB186\4678C949\SmartAdvisorCareCenter.exe a variant of Win32/Bundled.Toolbar.Ask potentially unsafe application

C:\Users\All Users\DDNi\Smart Advisor\Bits\SmartAdvisorCareCenter.exe a variant of Win32/Bundled.Toolbar.Ask potentially unsafe application

C:\Users\All Users\{59F69B16-1A51-4796-B052-2F5E519860C3}\OFFLINE\8C3DB186\4678C949\SmartAdvisorCareCenter.exe a variant of Win32/Bundled.Toolbar.Ask potentially unsafe application

C:\Users\Marshall\AppData\Local\Temp\FreemakeVideoDownloader_3.7.0.1.exe Win32/OpenCandy potentially unsafe application

C:\Users\Marshall\Downloads\cbsidlm-cbsi183-Free_Movie_DVD_Maker-ORG-10669082.exe a variant of Win32/CNETInstaller.B potentially unwanted application

C:\Users\Marshall\Downloads\ccsetup414.exe Win32/Bundled.Toolbar.Google.D potentially unsafe application

C:\Users\Marshall\Downloads\FreemakeVideoConverterSetup.exe Win32/OpenCandy potentially unsafe application

C:\Users\Marshall\Downloads\FreemakeVideoDownloaderSetup.exe Win32/OpenCandy potentially unsafe application

[MarshallK]

 Results of screen317's Security Check version 0.99.83  

   x64 (UAC is enabled)  

 Internet Explorer 11  

``````````````Antivirus/Firewall Check:`````````````` 

 Windows Firewall Enabled!  

AVG Internet Security 2014   

Windows Defender             

 Antivirus out of date!  

`````````Anti-malware/Other Utilities Check:````````` 

 Java 7 Update 60  

 Java version out of Date! 

 Adobe Reader 10.1.3 Adobe Reader out of Date!  

 Google Chrome 34.0.1847.137  

 Google Chrome 35.0.1916.114  

````````Process Check: objlist.exe by Laurent````````  

 Malwarebytes Anti-Malware mbamservice.exe  

 Malwarebytes Anti-Malware mbam.exe  

 AVG avgwdsvc.exe 

 Malwarebytes Anti-Malware mbamscheduler.exe   

 NetRatingsNetSight NetSight NielsenOnline.exe  

 NetRatingsNetSight NetSight meter1 NielsenOnline64.exe 

 NetRatingsNetSight NetSight NielsenOnline.exe  

`````````````````System Health check````````````````` 

 Total Fragmentation on Drive C:  % 

````````````````````End of Log`````````````````````` 

[kevinf80]

Download OTM from either of the following links and save to your Desktop: (If your security alerts to OTM, either accept the alert or turn off security to allow OTM to run)

http://oldtimer.geekstogo.com/OTM.exe.
http://www.itxassociates.com/OT-Tools/OTM.com
http://www.itxassociates.com/OT-Tools/OTM.exe  

Double click OTM.exe to start the tool. Vista or Windows 7 users accepy UAC alert. Be aware all processes will be stopped during run, also Desktop will disappear, this will be put back on completion.... If your security alerts to OTM either, accept the alert or turn off security until OTM completes...

• Copy the text from the code box belowbelow to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy). Ensure to start with and include the colon before Files :Files
  
  

  :FilesC:\$Recycle.Bin\S-1-5-21-915191271-1565821320-4066514102-1002\$RJ90KSB.exeC:\ProgramData\DDNiC:\ProgramData\{59F69B16-1A51-4796-B052-2F5E519860C3}C:\Users\All Users\DDNiC:\Users\All Users\{59F69B16-1A51-4796-B052-2F5E519860C3}C:\Users\Marshall\AppData\Local\Temp\FreemakeVideoDownloader_3.7.0.1.exeC:\Users\Marshall\Downloads\cbsidlm-cbsi183-Free_Movie_DVD_Maker-ORG-10669082.exeC:\Users\Marshall\Downloads\ccsetup414.exeC:\Users\Marshall\Downloads\FreemakeVideoConverterSetup.exeC:\Users\Marshall\Downloads\FreemakeVideoDownloaderSetup.exe:Commands[EmptyTemp]

• Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window (under the yellow bar) and choose Paste.
• Click the red button.
• Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
• Close OTM
  

Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

If the machine reboots, the Results log can be found here:

c:\_OTMoveIt\MovedFiles\mmddyyyy_hhmmss.log

Where mmddyyyy_hhmmss is the date of the tool run.

 

Next,

 

Adobe Reader is outdated...

Visit http://get.adobe.com/uk/reader/otherversions/ and download the latest version of Acrobat Reader

 

Step 1 - Select your Operating System.

Step 2 - Select your Langauge.

Step 3 - Select latest version.

 

Untick the option for any security scanner or toolbar if offered.

 

Download and install.

 

Having the latest updates ensures there are no security vulnerabilities in your system.

 

Next,

 

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system.

Please follow these steps to remove older version of Java components and upgrade the application.

 

Upgrading Java:

 

Go to http://java.com/en/ and click on "Do I have Java"

It will check your current version and then offer to update to the latest version

Watch for and make sure you untick the box next to whatever free program they prompt you to install during the installation, unless you want it.

 

***Note: Check in Programs and Features (or Add/Remove Programs if you are an XP user) to make certain there are no old versions of Java still installed, if so - remove them. <<-- Very Important

 

Post log from OTM, let me know if Adobe and Java updates were successful, also if any remaining issues or concerns..

 

Kevin...

[MarshallK]

Thank you . I will get on top of that  now.  

 

As far as how the pc is running.   I must say it is better then when this started .  It still seems a little slow at times but much much better thanks to your direction.  I have mentioned it be for but one thing I have never seen this happen before is that there are 3 or so processes that go suspended for periods of time. i will attach a snip it so you can see exactly what im looking at.   

 

Also there seems to be muc h more processes running then normal.  its like every one is turned on.    Ive never seen it like that before...

[kevinf80]

Post logs when you`re ready, also the snip you mention..

 

Thanks,

 

Kevin

[MarshallK]

 

 

Here is that snip it .  and I fell aslewep.  but am going to do what you asked in your last post.

 

Thank you

[kevinf80]

Those suspended processes are related to the metro splash screen and windows apps. If you are in Desktop mode the processes show as suspended...

[MarshallK]

oh cool.  thanks for that info.  This is the 1st time i have worked in win 8.  I didnt know that.   

 

 

I am having issues with the otm i have installed 2 of those links the top one and the bottom one.  but when i double click on the icon torun it.  the icon disappears.  i looked everywhere and cant find it . ive searched but it says the program isnt there.   help please

[MarshallK]

when i look in my download folder it says removed next to the app i downloaded from those 2 links you sent

[kevinf80]

Try right click, then run as administrator.... If that still fails turn off security the right click, run as administrator...