
iexplorer running in the background



Internet Explorer processes are running in the background. I do not use IE, and I cannot end the processes (they immediately restart). When using other browsers, they seem to use more memory than they should, to the point that Firefox is unusable. I have used Malwarebytes, AdwCleaner, and AVG. Occasionally, at random, malware is detected and removed (without my having downloaded anything), which makes me think my PC is infected.

Addition.txt

FRST.txt



My name's Naathim and I'm a GeekU Minion! Now that we are mates and will be working together to clean your machine out of any junkware, feel free to call me Naat :)

Before we start please note the following:

  • Analysis and research take some time, and sometimes real life gets in the way, so please be patient.
  • Limit your internet access to posting here; some infections just wait to steal typed-in passwords.
  • Don't run any scripts or tools on your own; unsupervised usage may cause more harm than good.
  • Paste the logs in your posts; attachments make my work harder and more complicated.
  • Stay with me to the end; the absence of symptoms doesn't mean that your machine is fully operational.
  • Note that we may live in totally different time zones, which may cause some delays between answers.

I can't foresee everything, so if anything unexpected happens, please stop and inform me!
There are no silly questions. Never be afraid to ask if in doubt!

Let's start and enjoy the fight! :)

Rules and policies

We won't support any piracy.
That being said, if any evidence of an illegal OS, software, cracks/keygens or anything of that kind is revealed, any further assistance will be suspended. If you are aware that there is this kind of stuff on your machine, remove it before proceeding!
The same applies to any use of P2P software: uTorrent, BitTorrent, Vuze, Kazaa, Ares... We don't provide any help for P2P, except for their removal. All P2P software has to be uninstalled or at least fully disabled before proceeding!

Failure to follow these guidelines will result in closing your topic and withdrawing any assistance.

Scan with Malwarebytes' Anti-Malware

Please download and install Malwarebytes Anti-Malware, or re-run it if you already have it installed.

  • First of all select update.
  • Once updated, click the Settings tab, in the left panel choose Detections & Protection and tick Scan for rootkits.
  • Click the Scan tab, make sure Threat Scan is checked and click Scan Now.
  • If threats are detected, click the Apply Actions button. You will now be prompted to reboot. Click Yes.
  • Upon completion of the scan (or after the reboot), click the History tab.
  • Click Application Logs and double-click the Scan Log.
  • At the bottom click Export and choose Text file.

Save the file to your desktop and include its content in your next reply.


No malware detected. Here is the scan log:

Malwarebytes Anti-Malware
www.malwarebytes.org
 
Scan Date: 25/08/2014
Scan Time: 11:36:51 PM
Logfile: ScanLog.txt
Administrator: Yes
 
Version: 2.00.2.1012
Malware Database: v2014.08.26.01
Rootkit Database: v2014.08.21.01
License: Free
Malware Protection: Disabled
Malicious Website Protection: Disabled
Self-protection: Disabled
 
OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: Don
 
Scan Type: Threat Scan
Result: Completed
Objects Scanned: 404564
Time Elapsed: 10 min, 43 sec
 
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Warn
PUM: Enabled
 
Processes: 0
(No malicious items detected)
 
Modules: 0
(No malicious items detected)
 
Registry Keys: 0
(No malicious items detected)
 
Registry Values: 0
(No malicious items detected)
 
Registry Data: 0
(No malicious items detected)
 
Folders: 0
(No malicious items detected)
 
Files: 0
(No malicious items detected)
 
Physical Sectors: 0
(No malicious items detected)
 
 
(end)

AdwCleaner[R0]:

# AdwCleaner v3.308 - Report created 24/08/2014 at 10:40:08
# Updated 20/08/2014 by Xplode
# Operating System : Windows 7 Home Premium Service Pack 1 (64 bits)
# Username : Don - DON-PC
# Running from : C:\Users\Don.Don-PC\Downloads\adwcleaner_3.308.exe
# Option : Scan
 
***** [ Services ] *****
 
 
***** [ Files / Folders ] *****
 
File Found : C:\END
File Found : C:\Windows\System32\roboot64.exe
Folder Found : C:\Program Files (x86)\Conduit
Folder Found : C:\Program Files (x86)\WinZip Registry Optimizer
Folder Found : C:\ProgramData\SoftSafe
 
***** [ Scheduled Tasks ] *****
 
 
***** [ Shortcuts ] *****
 
 
***** [ Registry ] *****
 
Key Found : HKCU\Software\APN PIP
Key Found : HKCU\Software\AppDataLow\Software\ConduitSearchScopes
Key Found : HKCU\Software\AppDataLow\Software\SmartBar
Key Found : HKCU\Software\AVG Nation toolbar
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{FFE66D00-A56A-4F7F-81D7-4A28C5816D6C}
Key Found : HKCU\Software\Softonic
Key Found : [x64] HKCU\Software\APN PIP
Key Found : [x64] HKCU\Software\AVG Nation toolbar
Key Found : [x64] HKCU\Software\Softonic
Key Found : HKLM\SOFTWARE\AVG Nation toolbar
Key Found : HKLM\SOFTWARE\AVG Secure Search
Key Found : HKLM\SOFTWARE\AVG Security Toolbar
Key Found : HKLM\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}
Key Found : HKLM\SOFTWARE\Classes\Interface\{79FB5FC8-44B9-4AF5-BADD-CCE547F953E5}
Key Found : HKLM\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}
Key Found : HKLM\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}
Key Found : HKLM\SOFTWARE\Conduit
Key Found : HKLM\SOFTWARE\Microsoft\Internet Explorer\Extension Compatibility\{74F475FA-6C75-43BD-AAB9-ECDA6184F600}
Key Found : HKLM\SOFTWARE\Microsoft\Tracing\au__rasapi32
Key Found : HKLM\SOFTWARE\Microsoft\Tracing\au__rasmancs
Key Found : HKLM\SOFTWARE\Microsoft\Tracing\ConduitInstaller_RASAPI32
Key Found : HKLM\SOFTWARE\Microsoft\Tracing\ConduitInstaller_RASMANCS
Key Found : HKLM\SOFTWARE\Microsoft\Tracing\privitizevpn_1_rasapi32
Key Found : HKLM\SOFTWARE\Microsoft\Tracing\privitizevpn_1_rasmancs
Key Found : HKLM\SOFTWARE\Microsoft\Tracing\SoftonicDownloader_for_daemon-tools_RASAPI32
Key Found : HKLM\SOFTWARE\Microsoft\Tracing\SoftonicDownloader_for_daemon-tools_RASMANCS
Key Found : HKLM\SOFTWARE\Microsoft\Tracing\wajam_install_rasapi32
Key Found : HKLM\SOFTWARE\Microsoft\Tracing\wajam_install_rasmancs
Key Found : HKLM\SOFTWARE\Microsoft\Tracing\wajamupdater_rasapi32
Key Found : HKLM\SOFTWARE\Microsoft\Tracing\wajamupdater_rasmancs
Key Found : HKLM\SOFTWARE\Microsoft\Tracing\wsconduit__166_RASAPI32
Key Found : HKLM\SOFTWARE\Microsoft\Tracing\wsconduit__166_RASMANCS
Key Found : HKLM\SOFTWARE\PIP
Key Found : HKLM\SOFTWARE\SProtector
Key Found : [x64] HKLM\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}
Key Found : [x64] HKLM\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}
Key Found : [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\08121C32A9C319F4CB0C11FF059552A4
 
***** [ Browsers ] *****
 
-\\ Internet Explorer v11.0.9600.17239
 
 
-\\ Mozilla Firefox v31.0 (x86 en-GB)
 
-\\ Google Chrome v36.0.1985.143
 
*************************
 
AdwCleaner[R0].txt - [3298 octets] - [24/08/2014 10:40:08]
 
########## EOF - C:\AdwCleaner\AdwCleaner[R0].txt - [3358 octets] ##########
 
AdwCleaner[R1]:
# AdwCleaner v3.308 - Report created 24/08/2014 at 10:57:20
# Updated 20/08/2014 by Xplode
# Operating System : Windows 7 Home Premium Service Pack 1 (64 bits)
# Username : Don - DON-PC
# Running from : C:\Users\Don.Don-PC\Downloads\adwcleaner_3.308.exe
# Option : Scan
 
***** [ Services ] *****
 
 
***** [ Files / Folders ] *****
 
 
***** [ Scheduled Tasks ] *****
 
 
***** [ Shortcuts ] *****
 
 
***** [ Registry ] *****
 
 
***** [ Browsers ] *****
 
-\\ Internet Explorer v11.0.9600.17239
 
 
-\\ Mozilla Firefox v
 
-\\ Google Chrome v36.0.1985.143
 
*************************
 
AdwCleaner[R0].txt - [3462 octets] - [24/08/2014 10:40:08]
AdwCleaner[R1].txt - [665 octets] - [24/08/2014 10:57:20]
AdwCleaner[s0].txt - [3466 octets] - [24/08/2014 10:41:27]
 
########## EOF - C:\AdwCleaner\AdwCleaner[R1].txt - [784 octets] ##########
 
AdwCleaner[s0]:
# AdwCleaner v3.308 - Report created 24/08/2014 at 10:41:27
# Updated 20/08/2014 by Xplode
# Operating System : Windows 7 Home Premium Service Pack 1 (64 bits)
# Username : Don - DON-PC
# Running from : C:\Users\Don.Don-PC\Downloads\adwcleaner_3.308.exe
# Option : Clean
 
***** [ Services ] *****
 
 
***** [ Files / Folders ] *****
 
Folder Deleted : C:\ProgramData\SoftSafe
Folder Deleted : C:\Program Files (x86)\Conduit
Folder Deleted : C:\Program Files (x86)\WinZip Registry Optimizer
File Deleted : C:\END
File Deleted : C:\Windows\System32\roboot64.exe
 
***** [ Scheduled Tasks ] *****
 
 
***** [ Shortcuts ] *****
 
 
***** [ Registry ] *****
 
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Extension Compatibility\{74F475FA-6C75-43BD-AAB9-ECDA6184F600}
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\au__rasapi32
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\au__rasmancs
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\ConduitInstaller_RASAPI32
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\ConduitInstaller_RASMANCS
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\privitizevpn_1_rasapi32
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\privitizevpn_1_rasmancs
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\wajam_install_rasapi32
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\wajam_install_rasmancs
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\wajamupdater_rasapi32
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\wajamupdater_rasmancs
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\wsconduit__166_RASAPI32
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\wsconduit__166_RASMANCS
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\SoftonicDownloader_for_daemon-tools_RASAPI32
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\SoftonicDownloader_for_daemon-tools_RASMANCS
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{79FB5FC8-44B9-4AF5-BADD-CCE547F953E5}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{FFE66D00-A56A-4F7F-81D7-4A28C5816D6C}
Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}
Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}
Key Deleted : HKCU\Software\APN PIP
Key Deleted : HKCU\Software\AVG Nation toolbar
Key Deleted : HKCU\Software\Softonic
Key Deleted : HKCU\Software\AppDataLow\Software\ConduitSearchScopes
Key Deleted : HKCU\Software\AppDataLow\Software\SmartBar
Key Deleted : HKLM\SOFTWARE\AVG Nation toolbar
Key Deleted : HKLM\SOFTWARE\AVG Secure Search
Key Deleted : HKLM\SOFTWARE\AVG Security Toolbar
Key Deleted : HKLM\SOFTWARE\Conduit
Key Deleted : HKLM\SOFTWARE\PIP
Key Deleted : HKLM\SOFTWARE\SProtector
Key Deleted : [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\08121C32A9C319F4CB0C11FF059552A4
 
***** [ Browsers ] *****
 
-\\ Internet Explorer v11.0.9600.17239
 
 
-\\ Mozilla Firefox v31.0 (x86 en-GB)
 
-\\ Google Chrome v36.0.1985.143
 
*************************
 
AdwCleaner[R0].txt - [3462 octets] - [24/08/2014 10:40:08]
AdwCleaner[s0].txt - [3314 octets] - [24/08/2014 10:41:27]
 
########## EOF - C:\AdwCleaner\AdwCleaner[s0].txt - [3374 octets] ##########
 

Hi :)

Pando Media Booster warning!

Pando Media Booster, which is installed (intentionally or not) with some gaming tools, has been known to download/send some uncontrollable data. You can never be sure what it really downloads/uploads.

My advice is to uninstall this program. To do so:

  • Press the Windows key + R on your keyboard at the same time. Type appwiz.cpl and click OK.
  • Search for Pando Media Booster, right-click the entry and click Uninstall.

This is optional, but please consider it.

Fix with Farbar Recovery Scan Tool
 

This fix was created for this user for use on that particular machine.
Running it on another one may cause damage and render the system unstable.

Press the Windows key + R on your keyboard at the same time. Type Notepad and click OK.

  • Copy the entire content of the codebox below and paste into the Notepad document:

    start
    HKU\S-1-5-21-1059671473-2825028816-1146270915-1001\...\Run: [Orwgics] => regsvr32.exe C:\Users\Don.Don-PC\AppData\Local\Orwgics\RFCom.dll <===== ATTENTION
    C:\Users\Don.Don-PC\AppData\Local\Orwgic
    HKU\S-1-5-21-1059671473-2825028816-1146270915-1001-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\...\Run: [Orwgics] => regsvr32.exe C:\Users\Don.Don-PC\AppData\Local\Orwgics\RFCom.dll <===== ATTENTION
    Toolbar: HKCU - No Name - {21FA44EF-376D-4D53-9B0F-8A89D3229068} -  No File
    Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} -  No File
    Handler-x32: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} -  No File
    C:\Users\Don.Don-PC\AppData\Roaming\Uzowfo
    C:\Users\Don.Don-PC\AppData\Local\Ohdwics
    EmptyTemp:
    Hosts:
    end
  • Click File, Save As and type fixlist.txt as the File Name.

Both files, FRST and fixlist.txt have to be in the same location or the fix will not work!

  • Right-click on the FRST icon and select Run as Administrator to start the tool.
    > XP users click Run after receipt of Windows Security Warning - Open File.
    > Windows 8 users will be prompted about Windows SmartScreen protection - click More information and Run.
  • Press the Fix button just once and wait.
  • If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.
  • When finished FRST will generate a log on the Desktop, called Fixlog.txt.

Please include it in your reply.

Fix with Junkware Removal Tool

Please download JRT by Thisisu and save the file to your desktop.
Temporarily disable your AntiVirus and AntiSpyware protection - instructions here.

  • Right-click on the JRT icon and select Run as Administrator to start the tool.
  • Follow the prompts and let this process run uninterrupted.
  • This scan can take a while, depending on your System specs.
  • Upon completion, a log (JRT.txt) will open on your desktop.

Please include the contents of that file in your reply.
Do not forget to re-enable your previously switched off protection software!
Please also manually reboot your machine after this procedure.

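The Run-key entry in the fixlist above (regsvr32.exe loading RFCom.dll from %LOCALAPPDATA%) is a common autostart pattern, so here is an added, read-only PowerShell audit that lists Run values which call regsvr32/rundll32 with a DLL under a user-writable path, or which have an empty value name. This is my example, not code from the thread or from FRST; it assumes an elevated PowerShell 5.1 session on Windows, and the key paths and regex patterns are my own choices.

```powershell
# Added example (not from the thread or any tool used in it): read-only audit of
# Run keys for the autostart pattern the FRST fixlist removed, i.e. regsvr32.exe
# loading a DLL from a user-writable directory such as %LOCALAPPDATA%.
# It only reports; it deletes nothing.

$runKeyPaths = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
)

# Also walk every loaded user hive under HKEY_USERS (FRST reports these as
# HKU\S-1-5-21-...). The HKU: drive is not mapped by default, so map it here.
if (-not (Get-PSDrive -Name HKU -ErrorAction SilentlyContinue)) {
    New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
}
$userHiveRunKeys = @(
    Get-ChildItem -Path 'HKU:\' -ErrorAction SilentlyContinue |
        Where-Object { $_.PSChildName -like 'S-1-5-21-*' -and $_.PSChildName -notlike '*_Classes' } |
        ForEach-Object { "HKU:\$($_.PSChildName)\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" }
)
$runKeyPaths += $userHiveRunKeys

# Loaders that execute whatever DLL is handed to them on the command line.
$loaderPattern = '(?i)\b(regsvr32|rundll32)(\.exe)?\b'
# Locations a standard user can write to; legitimate system components rarely autostart from here.
$userWritablePattern = '(?i)\\(AppData|ProgramData|Temp|Users\\Public)\\'

function Test-SuspiciousRunValue {
    param([string]$Name, [string]$Command)
    $reasons = @()
    if ([string]::IsNullOrWhiteSpace($Name))    { $reasons += 'empty value name' }
    if ([string]::IsNullOrWhiteSpace($Command)) { $reasons += 'empty command' }
    if ($Command -match $loaderPattern -and $Command -match $userWritablePattern) {
        $reasons += 'regsvr32/rundll32 loading a DLL from a user-writable path'
    }
    return $reasons
}

foreach ($keyPath in $runKeyPaths) {
    if (-not $keyPath) { continue }
    $key = Get-Item -Path $keyPath -ErrorAction SilentlyContinue
    if (-not $key) { continue }   # hive or key not present on this machine
    foreach ($valueName in $key.GetValueNames()) {
        $command = [string]$key.GetValue($valueName)
        $reasons = Test-SuspiciousRunValue -Name $valueName -Command $command
        if (-not $reasons) { continue }
        # One report line per flagged value; pipe to Format-Table or Export-Csv as needed.
        [PSCustomObject]@{
            Key     = $keyPath
            Name    = $valueName
            Command = $command
            Reason  = ($reasons -join '; ')
        }
    }
}
```

Running this before and after a fix gives a quick check that the flagged value is really gone and has not been re-created by another component that is still active.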

Farbar worked, no problems. Fixlog:

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 24-08-2014 03
Ran by Don at 2014-08-26 10:56:07 Run:1
Running from C:\Users\Don.Don-PC\Desktop\Farbar
Boot Mode: Normal
==============================================
 
Content of fixlist:
*****************
start
HKU\S-1-5-21-1059671473-2825028816-1146270915-1001\...\Run: [Orwgics] => regsvr32.exe C:\Users\Don.Don-PC\AppData\Local\Orwgics\RFCom.dll <===== ATTENTION
C:\Users\Don.Don-PC\AppData\Local\Orwgic
HKU\S-1-5-21-1059671473-2825028816-1146270915-1001-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\...\Run: [Orwgics] => regsvr32.exe C:\Users\Don.Don-PC\AppData\Local\Orwgics\RFCom.dll <===== ATTENTION
Toolbar: HKCU - No Name - {21FA44EF-376D-4D53-9B0F-8A89D3229068} -  No File
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} -  No File
Handler-x32: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} -  No File
C:\Users\Don.Don-PC\AppData\Roaming\Uzowfo
C:\Users\Don.Don-PC\AppData\Local\Ohdwics
EmptyTemp:
Hosts:
end
*****************
 
HKU\S-1-5-21-1059671473-2825028816-1146270915-1001\Software\Microsoft\Windows\CurrentVersion\Run\\Orwgics => value deleted successfully.
"C:\Users\Don.Don-PC\AppData\Local\Orwgic" => File/Directory not found.
HKU\S-1-5-21-1059671473-2825028816-1146270915-1001-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\Software\Microsoft\Windows\CurrentVersion\Run\\Orwgics => Value not found.
HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{21FA44EF-376D-4D53-9B0F-8A89D3229068} => value deleted successfully.
"HKCR\CLSID\{21FA44EF-376D-4D53-9B0F-8A89D3229068}" => Key not found.
"HKCR\PROTOCOLS\Handler\linkscanner" => Key deleted successfully.
"HKCR\CLSID\{F274614C-63F8-47D5-A4D1-FBDDE494F8D1}" => Key not found.
"HKCR\Wow6432Node\PROTOCOLS\Handler\linkscanner" => Key not found.
"HKCR\Wow6432Node\CLSID\{F274614C-63F8-47D5-A4D1-FBDDE494F8D1}" => Key not found.
C:\Users\Don.Don-PC\AppData\Roaming\Uzowfo => Moved successfully.
C:\Users\Don.Don-PC\AppData\Local\Ohdwics => Moved successfully.
C:\Windows\System32\Drivers\etc\hosts => Moved successfully.
Hosts was reset successfully.
EmptyTemp: => Removed 635.9 MB temporary data.
 
 
The system needed a reboot. 
 
==== End of Fixlog ====
 
Looks like JRT found some nasty junk:
 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Thisisu
Version: 6.1.4 (04.06.2014:1)
OS: Windows 7 Home Premium x64
Ran by Don on 26/08/2014 at 11:06:11.33
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
 
 
 
~~~ Services
 
 
 
~~~ Registry Values
 
 
 
~~~ Registry Keys
 
 
 
~~~ Files
 
 
 
~~~ Folders
 
Successfully deleted: [Folder] "C:\Users\Don.Don-PC\AppData\Roaming\searchprotect"
Successfully deleted: [Folder] "C:\Users\Don.Don-PC\appdata\locallow\conduit"
Successfully deleted: [Folder] "C:\Windows\syswow64\ai_recyclebin"
 
 
 
~~~ Event Viewer Logs were cleared
 
 
 
 
 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on 26/08/2014 at 11:10:08.26
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 

Scan with aswMBR

Please download aswMBR by Avast! & Gmer and save it to your desktop.

Temporarily disable your AntiVirus and AntiSpyware protection - instructions here.

  • Right-click on the aswMBR icon and select Run as Administrator to start the tool.
  • Allow virtualisation if offered.
  • If you are prompted to download the latest anti-virus definitions from avast!, click Yes.
  • Click the AV Scan: drop down box and select C:\.
  • Select scan.
  • Upon completion, you will see Scan finished successfully. Click Save log.

Do NOT click Fix or FixMBR!

A file (MBR.dat) will be created on your desktop. Do NOT click or delete it!

Copy the contents of the logfile and paste it into your next reply.

Do not forget to re-enable your previously switched-off protection software!

Scan with Farbar Recovery Scan Tool

Please re-run Farbar Recovery Scan Tool.

  • Right-click on the FRST icon and select Run as Administrator to start the tool.
    > XP users click Run after receipt of Windows Security Warning - Open File.
    > Windows 8 users will be prompted about Windows SmartScreen protection - click More information and Run.

  • Make sure that Addition option is checked.
  • Press Scan button and wait.
  • The tool will produce two logfiles on your desktop: FRST.txt and Addition.txt.

Please include their content in your next reply.


aswMBR crashes when it scans; it always crashes at the file:

c:\Program Files (x86)\Microsoft SDKs\Windows\v8.1\ExtensionSDKs\CppUni(the window cuts off here)

I have restarted the computer, run offline and online. Tried 5 times.

Went into the file location; the directory is CppUnitTestFramework (did not touch anything further).

Farbar files Addition.txt and FRST.txt: the text files are too large for a forum post, so I had to attach them.

 

Addition.txt

FRST.txt


OK, let's run this tool instead.

Scan with TDSSKiller

Please download TDSSKiller by Kaspersky and save it to your desktop.

  • Right-click on the TDSSKiller icon and select Run as Administrator to start the tool.
  • Click on Change parameters and put a checkmark beside Loaded modules. A reboot will be needed to apply the changes, allow it to do so.
  • Your machine may appear very slow and unusable after that - it's normal.
  • TDSSKiller will run automatically. Click on Change parameters and click OK.
  • Make sure that Verify driver digital signatures & Detect TDLFS File System are marked and click OK.
  • Click the Start Scan button and wait patiently.

If anything is found, follow these guidelines:

  • If a suspicious object is detected, the default action will be Skip, click on Continue.
  • If malicious objects are found, they will show in the Scan results - Select action for found objects and offer three options.
    > Ensure Cure (default) is selected, then click Continue > Reboot now to finish the cleaning process.
    > If Cure is not available, please choose Skip instead.
  • Do not choose Delete unless instructed!

A report will be created in your root directory, (usually C:\ drive) in the form of TDSSKiller.[Version]_[Date]_[Time]_log.txt. Please include the contents of that file in your next post.


Scan with Malwarebytes' Anti-Malware

Please re-run Malwarebytes' Anti-Malware.

  • First of all, select update.
  • Once updated, click the Settings tab, in the left panel choose Detections & Protection and tick Scan for rootkits.
  • Click the Scan tab, make sure Threat Scan is checked and click Scan Now.
  • If threats are detected, click the Apply Actions button. You will now be prompted to reboot. Click Yes.
  • Upon completion of the scan (or after the reboot), click the History tab.
  • Click Application Logs and double-click the newest Scan Log.
  • At the bottom click Export and choose Text file.

Save the file to your desktop and include its content in your next reply.


While running the Malwarebytes scan, AVG detected a Crypt_s.HIJ trojan running with the Malwarebytes process. I clicked the "protect me" option; the object's name was c:\Users\Don.Don-PC\AppData\Local\Orwgics\RFCom.dll (I haven't downloaded anything since I started this thread).

Malwarebytes did not detect anything.

Restarted my comp, ran another scan.

Again nothing.

 

Malwarebytes Anti-Malware
www.malwarebytes.org
 
Scan Date: 28/08/2014
Scan Time: 6:35:01 PM
Logfile: ScanLog.txt
Administrator: Yes
 
Version: 2.00.2.1012
Malware Database: v2014.08.28.06
Rootkit Database: v2014.08.21.01
License: Free
Malware Protection: Disabled
Malicious Website Protection: Disabled
Self-protection: Disabled
 
OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: Don
 
Scan Type: Threat Scan
Result: Completed
Objects Scanned: 402690
Time Elapsed: 9 min, 45 sec
 
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Warn
PUM: Enabled
 
Processes: 0
(No malicious items detected)
 
Modules: 0
(No malicious items detected)
 
Registry Keys: 0
(No malicious items detected)
 
Registry Values: 0
(No malicious items detected)
 
Registry Data: 0
(No malicious items detected)
 
Folders: 0
(No malicious items detected)
 
Files: 0
(No malicious items detected)
 
Physical Sectors: 0
(No malicious items detected)
 
 
(end)

OK, let's take a bigger axe.

Fix with Farbar Recovery Scan Tool

This fix was created for this user for use on that particular machine.
Running it on another one may cause damage and render the system unstable.

Press the Windows key + R on your keyboard at the same time. Type Notepad and click OK.

  • Copy the entire content of the codebox below and paste into the Notepad document:

    start
    RemoveDirectory: C:\Users\Don.Don-PC\AppData\Local\Orwgics
    end
  • Click File, Save As and type fixlist.txt as the File Name.

Both files, FRST and fixlist.txt have to be in the same location or the fix will not work!

  • Right-click on the FRST icon and select Run as Administrator to start the tool.
    > XP users click Run after receipt of Windows Security Warning - Open File.
    > Windows 8 users will be prompted about Windows SmartScreen protection - click More information and Run.
  • Press the Fix button just once and wait.
  • If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.
  • When finished FRST will generate a log on the Desktop, called Fixlog.txt.

Please include it in your reply.


Removed successfully 

Fixlog:

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 24-08-2014 03
Ran by Don at 2014-08-29 10:03:01 Run:2
Running from C:\Users\Don.Don-PC\Desktop\Farbar
Boot Mode: Normal
==============================================
 
Content of fixlist:
*****************
start
RemoveDirectory: C:\Users\Don.Don-PC\AppData\Local\Orwgics
end
*****************
 
"C:\Users\Don.Don-PC\AppData\Local\Orwgics" => removed successfully.
 
==== End of Fixlog ====

Chrome opens each tab as a new process. Due to that, you should be able to work on other tabs even if one is stalled and not responding. This is how it is, and you can't do anything about it :)

Let's take two more scans, hopefully the last ones :)

Scan with Panda Cloud Cleaner

This type of scan often produces false positives. In any case do not remove on your own any of its findings! Removal will be made after the careful analysis of the scan results.

Please download Panda Cloud Cleaner and save the file to your desktop.
Temporarily disable your AntiVirus and AntiSpyware protection - instructions here.

  • Install the scanner by right-clicking on the Panda Cloud Cleaner icon and selecting Run as Administrator.
  • It should start itself automatically after the installation.
  • In the main console click Accept and Scan.
  • This scan won't take long, about several minutes (depending on your system specs). Let it run uninterrupted.
  • At the last stage you will see a couple of messages about verifying & analyzing results. Wait patiently.
  • Upon completion you will see detections window. Enter one of them and click there View Report at the bottom right side.
  • A notepad window named PCloudCleaner.log will open. Save it to your desktop.

Please include the contents of that file in your next reply.
Don't forget to re-enable your switched-off protection software!
After that you may uninstall Panda Cloud Cleaner from your machine, if you wish to.

Scan with Security Check

Please download Security Check by Screen317 and save it to your desktop.

  • Right-click on the Security Check icon and select Run as Administrator to start the tool.
  • Follow onscreen instructions inside the black box. This scan won't take long.
  • Soon a Notepad document called checkup.txt will open automatically.

Please include the content of that document.


Panda Scan:

Broken Link. FILE: File not found:C:\PROGRAM FILES (X86)\OVERWOLF\OVERWOLF.EXE -SILENT to be deleted.

Broken Link. REGKEY: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run[Overwolf]. Value: Overwolf To be deleted.

Broken Link. REGKEY: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run[Overwolf]. Value: Overwolf To be deleted.

Malware. FILE: C:\USERS\DON.DON-PC\DESKTOP\SECURITYCHECK.EXE to be deleted.

Malware. FILE: C:\USERS\DON.DON-PC\DESKTOP\ASWMBR.EXE to be deleted.

Unknown. FILE: C:\WINDOWS\SYSTEM32\DRIVERS\DUALSHOCK3_X64.SYS to be deleted.

Unknown. REGKEY: HKLM\SYSTEM\CurrentControlSet\Services\dualshock3. Key to be deleted.

Suspicious Policy. POLICY: HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\ADVANCED[HIDEFILEEXT] to be changed to: 0

Suspicious Policy. POLICY: HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\ADVANCED[HIDEFILEEXT] to be changed to: 0

Malware. REGKEY: HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM[DISABLEREGISTRYTOOLS]. Value: DISABLEREGISTRYTOOLS To be deleted.

Malware. REGKEY: HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM[DISABLETASKMGR]. Value: DISABLETASKMGR To be deleted.

. FILE: C:\PROGRAMDATA\MICROSOFT\WINDOWS\START MENU\PROGRAMS\SEARCHNEWTAB\SEARCHNEWTAB.LNK to be deleted.

. FILE: (null) to be deleted.

. FILE: C:\PROGRAMDATA\MICROSOFT\WINDOWS\START MENU\PROGRAMS\SEARCHNEWTAB\UNINSTALL.LNK to be deleted.

. FILE: C:\ProgramData\SearchNewTab\uninstall.exe to be deleted.

. FOLDER: C:\PROGRAMDATA\MICROSOFT\WINDOWS\START MENU\PROGRAMS\SEARCHNEWTAB to be deleted.

. FOLDER: C:\USERS\DON.DON-PC\APPDATA\LOCAL\CONDUIT to be deleted.
 

Security check:

 Results of screen317's Security Check version 0.99.87  
 Windows 7 Service Pack 1 x64 (UAC is enabled)  
 Internet Explorer 11  
``````````````Antivirus/Firewall Check:``````````````
 Windows Firewall Enabled!  
 WMI entry may not exist for antivirus; attempting automatic update.
`````````Anti-malware/Other Utilities Check:`````````
 Panda Cloud Cleaner   
 Java 8 Update 11  
 Visual Studio Extensions for Windows Library for JavaScript
 JavaScript Tooling    
 Java version out of Date!
 Adobe Flash Player 14.0.0.179  
 Adobe Reader 10.1.11 Adobe Reader out of Date!  
 Mozilla Firefox (31.0)
 Google Chrome 37.0.2062.102  
 Google Chrome 37.0.2062.94  
````````Process Check: objlist.exe by Laurent````````  
 AVG avgwdsvc.exe
`````````````````System Health check`````````````````
 Total Fragmentation on Drive C: 1%
````````````````````End of Log``````````````````````
 


Hi and I'm very sorry for the delay. I had a short-circuit accident which deeply fried my home PC's hard drive. As you may know, it's quite hard to run a PC without it :)

After some time, I'd like to see a fresh report.

Scan with Farbar Recovery Scan Tool

Please re-run Farbar Recovery Scan Tool.

  • Right-click on the FRST icon and select Run as Administrator to start the tool.
    > XP users click Run after receipt of Windows Security Warning - Open File.
    > Windows 8 users will be prompted about Windows SmartScreen protection - click More information and Run.
  • Make sure that Addition option is checked.
  • Press Scan button and wait.
  • The tool will produce two logfiles on your desktop: FRST.txt and Addition.txt.

Please include their content in your next reply.


Fix with Farbar Recovery Scan Tool

This fix was created for this user for use on that particular machine.
Running it on another one may cause damage and render the system unstable.

Press the Windows key + R on your keyboard at the same time. Type Notepad and click OK.

  • Copy the entire content of the codebox below and paste into the Notepad document:

    start
    HKLM-x32\...\Run: [] => [X]
    ShellIconOverlayIdentifiers: 1CryptoProviderIcons -> {24808826-C2BF-4269-B3BA-89D1D5F431A4} => C:\ProgramData\Microsoft\Crypto\RSA64\CryptoProvider.dll (Microsoft)
    C:\ProgramData\Microsoft\Crypto\RSA64
    S3 gdrv; \??\C:\Windows\gdrv.sys [X]
    end
  • Click File, Save As and type fixlist.txt as the File Name.

Both files, FRST and fixlist.txt have to be in the same location or the fix will not work!

  • Right-click on the FRST icon and select Run as Administrator to start the tool.
    > XP users click Run after receipt of Windows Security Warning - Open File.
    > Windows 8 users will be prompted about Windows SmartScreen protection - click More information and Run.

  • Press the Fix button just once and wait.
  • If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.
  • When finished FRST will generate a log on the Desktop, called Fixlog.txt.

Please include it in your reply.


no restart required (did anyway)

 

fixlog:

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 31-08-2014 02
Ran by Don at 2014-09-03 16:00:55 Run:4
Running from C:\Users\Don.Don-PC\Desktop\Farbar
Boot Mode: Normal
==============================================

Content of fixlist:
*****************
start
HKLM-x32\...\Run: [] => [X]
ShellIconOverlayIdentifiers: 1CryptoProviderIcons -> {24808826-C2BF-4269-B3BA-89D1D5F431A4} => C:\ProgramData\Microsoft\Crypto\RSA64\CryptoProvider.dll (Microsoft)
C:\ProgramData\Microsoft\Crypto\RSA64
S3 gdrv; \??\C:\Windows\gdrv.sys [X]
end
*****************

HKLM\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\\ => value deleted successfully.
"HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\1CryptoProviderIcons" => Key deleted successfully.
"HKCR\CLSID\{24808826-C2BF-4269-B3BA-89D1D5F431A4}" => Key deleted successfully.
C:\ProgramData\Microsoft\Crypto\RSA64 => Moved successfully.
gdrv => Service deleted successfully.

==== End of Fixlog ====
