Told by helper in other forum that I'm infected.


00sweeney
Posted about CPU slowdown and helper (Firefox) looked at my logs and said "Your logs indicate you are probably infected and there are other services failing including explorer.exe. It would be best to have an expert help you sort it out." So here I am to be sorted. Here are the logs. Other than getting a lot of "not responding" from task manager, I wouldn't have noticed anything. When I saw MBAM services were always at about 20-30% I asked what was up. I rarely use explorer, so I hadn't noticed anything; I use an alternative called Everything. I've attached the files asked for previously. Thanks in advance for any help.

Addition.txt

FRST.txt

CheckResults.txt

Posted about high CPU usage from MBAM services and helper (Firefox) looked at my logs and said "Your logs indicate you are probably infected and there are other services failing including explorer.exe. It would be best to have an expert help you sort it out." So here I am to be sorted. Here are the logs. Other than getting a lot of "not responding" from task manager, I haven't noticed much other than searches in Explorer being really slow.

Please help.

Addition.txt

CheckResults.txt

FRST.txt


Welcome to the forum. (Do what you can)

General P2P/Piracy Warning:

1. If you're using Peer 2 Peer software such as uTorrent, BitTorrent or similar you must either fully uninstall it or completely disable it from running while being assisted here.

2. If you have illegal/cracked software (MS Office, Adobe Products), cracks, keygens, custom (Adobe) host file, etc. on the system, please remove or uninstall them now and read the policy on Piracy.

Failure to remove such software will result in your topic being closed and no further assistance being provided.

Please run a Threat Scan with Malwarebytes

Start Malwarebytes 2.0..........

Click on Settings > Detection and Protection > Non-Malware Protection > PUP (Potentially Unwanted Program) detections > Make sure it's set to Treat detections as malware

Same for PUM (Potentially Unwanted Modifications)

Quarantine all that's found

Post the log (save the log as a .txt file not .xml)

Then......

Please download and run RogueKiller 32 bit to your desktop.

RogueKiller <---use this one for 64 bit systems

Which system am I using?

Quit all running programs.

For Windows XP, double-click to start.

For Vista or Windows 7-8, do a right-click on the program, select Run as Administrator to start, & when prompted Allow to run.

Wait for the Prescan to finish

Click Scan to scan the system.

When the scan completes > Don't Fix anything! > Click on the Report Button and post the Report back here.

Don't run any other options, they're not all bad!!!!!!!

RogueKiller logs will also be located here:

%programdata%/RogueKiller/Logs <-------W7

C:\Documents and Settings\All Users\Application Data\RogueKiller\Logs <-------XP

(please don't put logs in code or quotes and use the default font)

MrC

Note:

Please read all of my instructions completely including these.

Make sure system restore is turned on and running. Create a new restore point

Make sure you're subscribed to this topic: Click on the Follow This Topic Button (at the top right of this page), make sure that the Receive notification box is checked and that it is set to Instantly

Removing malware can be unpredictable...unlikely but things can go very wrong! Backup any files that cannot be replaced. You can copy them to a CD/DVD, external drive or a pen drive

  • Please don't run any other scans, download, install or uninstall any programs while I'm working with you.
  • The removal of malware isn't instantaneous, please be patient.
  • When we are done, I'll give you instructions on how to clean up all the tools and logs.
  • Please stick with me until I give you the "all clear".

------->Your topic will be closed if you haven't replied within 3 days!<--------

If I don't respond within 24 hours, please send me a PM


Nothing found from the MB threat scan today but attaching results from two days ago as well as logs of the RK scan from today as well as yesterday in case that helps. I don't think I did anything drastic after the first RK scan, just some free software related browser crap I'd seen before. I left the more ambiguous stuff alone. I hope. No ill effects so far but I won't do anything further without approval. The two items from the MB scan are still quarantined.

As RK was doing the prescan today, I got a crash related to 'irql_not_less_or_equal', which I think I've gotten once before but it's not a regular thing. After rebooting prescan and scan went fine.

Also, I have no torrent uploads or downloads running---not paused, but deleted, and I won't add any more. Is that enough or should I uninstall? I understand not to use it while we're trying to fix my problem and I promise I won't.

Thanks so much for your help.

MBAM 9-26.txt

RKreport_SCN_09272014_004950.log

RKreport_SCN_09282014_193306.log


OK...let's run some scans:

Make sure you have created a restore point and.....

Download Delfix from Here and save it to your desktop.

  • Place a check mark in front of .......
  • Create registry backup <---only!
  • Uncheck the rest!
  • Click the Run button.

Close the tool out when it's done....we'll use it later.

======================

Please download AdwCleaner from HERE or HERE to your desktop.

  • Double-click on AdwCleaner.exe to run the tool.
    Vista/Windows 7/8 users right-click and select Run As Administrator
  • Click on the Scan button.
  • AdwCleaner will begin...be patient as the scan may take some time to complete.
  • When it's done you'll see: Pending: Please uncheck elements you don't want removed.
  • Now click on the Report button...a logfile (AdwCleaner[R0].txt) will open in Notepad for review.
  • Look over the log especially under Files/Folders for any program you want to save.
  • If there's a program you may want to save, just uncheck it from AdwCleaner.
  • If you're not sure, post the log for review. (all items found are either adware/spyware/foistware)
  • If you're ready to clean it all up.....click the Clean button.
  • After rebooting, a logfile report (AdwCleaner[s0].txt) will open automatically.
  • Copy and paste the contents of that logfile in your next reply.
  • A copy of that logfile will also be saved in the C:\AdwCleaner folder.
  • Items that are deleted are moved to the Quarantine Folder: C:\AdwCleaner\Quarantine
  • To restore an item that has been deleted:
    Go to Tools > Quarantine Manager > check what you want restored > now click on Restore.

Next..................

Please download Junkware Removal Tool to your desktop.

  • Shut down your protection software now to avoid potential conflicts.
  • Run the tool by double-clicking it. If you are using Windows Vista or Seven, right-mouse click it and select Run as Administrator.
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete depending on your system's specifications.
  • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
  • Post the contents of JRT.txt into your next message.

Next.........

Please run a Threat Scan

Click on settings > Detection and Protection > Non-Malware Protection > PUP (Potentially Unwanted Program) detections > Make sure it's set to Treat detections as malware

Same for PUM (Potentially Unwanted Modifications)

Quarantine All that's found

MrC


Here are the logs. But when I went to turn off Norton prior to running JRT, I couldn't find it in the system tray and couldn't open it through shortcuts. Eventually I got a message saying "error 8504, 104", and apparently the fix for that is to uninstall Norton, then reinstall and get rid of any other security software. I've never had any probs with MB and Norton before. Unless I hear back from you differently, I guess I'll uninstall/reinstall but hold off on uninstalling MB.

Running another threat scan now.

# AdwCleaner v3.310 - Report created 28/09/2014 at 20:49:33
# Updated 12/09/2014 by Xplode
# Operating System : Windows 8.1  (64 bits)
# Username : Matt - SWEENMAN
# Running from : C:\Users\Matt\Desktop\AdwCleaner.exe
# Option : Clean

***** [ Services ] *****

[#] Service Deleted : ExpatShieldService
[#] Service Deleted : ExpatSrv
[#] Service Deleted : ExpatTrayService
[#] Service Deleted : ExpatWd

***** [ Files / Folders ] *****

Folder Deleted : C:\Expat Shield
Folder Deleted : C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Expat Shield
Folder Deleted : C:\Program Files (x86)\Expat Shield
Folder Deleted : C:\Users\Matt\AppData\Local\Google\Chrome\User Data\Default\Extensions\bpegkgagfojjbcpkihigfmkojdmmimdf
Folder Deleted : C:\Users\Matt\AppData\Local\Google\Chrome\User Data\Default\Extensions\ehgldbbpchgpcfagfpfjgoomddhccfgh
Folder Deleted : C:\Users\Matt\AppData\Local\Google\Chrome\User Data\Default\Extensions\eommhojjeeaapcofdjleiamnokcfdnna
Folder Deleted : C:\Users\Matt\AppData\Local\Google\Chrome\User Data\Default\Extensions\iflpcokdamgefbghpdipcibmhlkdopop
File Deleted : C:\Users\Matt\AppData\Roaming\Mozilla\Firefox\Profiles\aal33em8.default\user.js

***** [ Scheduled Tasks ] *****

***** [ Shortcuts ] *****

***** [ Registry ] *****

Key Deleted : HKLM\SOFTWARE\Google\Chrome\Extensions\bpegkgagfojjbcpkihigfmkojdmmimdf
Key Deleted : HKLM\SOFTWARE\Google\Chrome\Extensions\ehgldbbpchgpcfagfpfjgoomddhccfgh
Key Deleted : HKLM\SOFTWARE\Google\Chrome\Extensions\mkfokfffehpeedafpekjeddnmnjhmcmk
Key Deleted : HKLM\SOFTWARE\Classes\AppID\escort.DLL
Key Deleted : HKLM\SOFTWARE\Classes\AppID\escortApp.DLL
Key Deleted : HKLM\SOFTWARE\Classes\AppID\escortEng.DLL
Key Deleted : HKLM\SOFTWARE\Classes\AppID\escorTlbr.DLL
Key Deleted : HKLM\SOFTWARE\Classes\AppID\esrv.EXE
Key Deleted : HKLM\SOFTWARE\Classes\ExpatIE.ExpatIEApp
Key Deleted : HKLM\SOFTWARE\Classes\ExpatIE.ExpatIEApp.1
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{06DEB529-DE09-43EC-B6E2-451AAB0FF000}
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{09C554C3-109B-483C-A06B-F14172F1A947}
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{4E1E9D45-8BF9-4139-915C-9F83CC3D5921}
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{B12E99ED-69BD-437C-86BE-C862B9E5444D}
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{D7EE8177-D51E-4F89-92B6-83EA2EC40800}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{3706EE7C-3CAD-445D-8A43-03EBC3B75908}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{F5A29F21-B121-48A0-A317-737AF8BB106A}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3706EE7C-3CAD-445D-8A43-03EBC3B75908}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{3706EE7C-3CAD-445D-8A43-03EBC3B75908}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{3706EE7C-3CAD-445D-8A43-03EBC3B75908}
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{83CAD530-387D-40FD-82EA-B9E863D92A9B}
Key Deleted : [x64] HKLM\SOFTWARE\Classes\CLSID\{3706EE7C-3CAD-445D-8A43-03EBC3B75908}
Key Deleted : [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3706EE7C-3CAD-445D-8A43-03EBC3B75908}
Key Deleted : HKCU\Software\OCS
Key Deleted : HKLM\SOFTWARE\ExpatShield
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ExpatShield

***** [ Browsers ] *****

-\\ Internet Explorer v11.0.9600.17278

-\\ Mozilla Firefox v29.0.1 (en-US)

[ File : C:\Users\Matt\AppData\Roaming\Mozilla\Firefox\Profiles\aal33em8.default\prefs.js ]

-\\ Google Chrome v37.0.2062.124

[ File : C:\Users\Matt\AppData\Local\Google\Chrome\User Data\Default\preferences ]

*************************

AdwCleaner[R0].txt - [3848 octets] - [28/09/2014 20:45:58]
AdwCleaner[s0].txt - [3816 octets] - [28/09/2014 20:49:33]

########## EOF - C:\AdwCleaner\AdwCleaner[s0].txt - [3876 octets] ##########

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Thisisu
Version: 6.2.3 (09.27.2014:1)
OS: Windows 8.1 x64
Ran by Matt on Sun 09/28/2014 at 21:39:13.57
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

~~~ Services

~~~ Registry Values

~~~ Registry Keys

~~~ Files

~~~ Folders

Successfully deleted: [Folder] "C:\windows\syswow64\ai_recyclebin"

~~~ Chrome

Successfully deleted: [Registry Key] HKEY_CURRENT_USER\Software\Policies\Google [blacklisted Policy]
Successfully deleted: [Folder] C:\Users\Matt\appdata\local\Google\Chrome\User Data\Default\Extensions\ihdkejbciahopmbagpnjmmkkdpfpaaak

~~~ Event Viewer Logs were cleared

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on Sun 09/28/2014 at 21:43:27.37
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

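As a worked example added here (it is not from this thread, from MrC, or from AdwCleaner's own code), the following Python script parses AdwCleaner's v3 report format like the one posted above and pulls out what a responder would want to cross-check after a clean: the per-section removal counts, the Chrome extension IDs named in the deleted folders and registry keys, and any CLSIDs that were registered as Internet Explorer Browser Helper Objects. The embedded sample report is constructed for the example (its extension ID and CLSID are placeholders), and the function and variable names are the example's own, not AdwCleaner's.

```python
"""Triage an AdwCleaner v3-style report: which items were removed per section,
which Chrome extension IDs were involved, and which CLSIDs were registered as
Internet Explorer Browser Helper Objects (BHOs)."""
import re
from collections import defaultdict

# Constructed sample in the AdwCleaner v3 report layout. The extension ID and
# the CLSID are placeholders, not values from any real report.
SAMPLE_LOG = r"""# AdwCleaner v3.310 - Report created 28/09/2014 at 20:49:33
# Option : Clean

***** [ Services ] *****

[#] Service Deleted : ExampleShieldService

***** [ Files / Folders ] *****

Folder Deleted : C:\Program Files (x86)\Example Shield
Folder Deleted : C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\abcdefghijklmnopabcdefghijklmnop
File Deleted : C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\xxxxxxxx.default\user.js

***** [ Registry ] *****

Key Deleted : HKLM\SOFTWARE\Google\Chrome\Extensions\abcdefghijklmnopabcdefghijklmnop
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{00000000-0000-0000-0000-000000000001}
Key Deleted : [x64] HKLM\SOFTWARE\Classes\CLSID\{00000000-0000-0000-0000-000000000001}

***** [ Browsers ] *****

-\\ Google Chrome v37.0.2062.124
"""

SECTION_RE = re.compile(r"^\*{5} \[ (?P<name>[^\]]+?) \] \*{5}$")
ENTRY_RE = re.compile(
    r"^(?:\[#\] )?(?P<kind>Service|Folder|File|Key|Value|Data|Task|Shortcut) "
    r"(?P<action>Deleted|Found|Restored) : (?P<target>.+)$"
)
OPTION_RE = re.compile(r"^# Option : (?P<mode>\w+)$")
# Chrome extension IDs are 32 characters drawn from a-p.
CHROME_EXT_RE = re.compile(r"\\Extensions\\(?P<ext_id>[a-p]{32})$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")


def parse_adwcleaner_log(text):
    """Return {'mode': 'Scan'|'Clean', 'sections': {name: [entry, ...]}}."""
    report = {"mode": None, "sections": defaultdict(list)}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = OPTION_RE.match(line)
        if m:
            report["mode"] = m.group("mode")
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group("name")
            continue
        m = ENTRY_RE.match(line)
        if m and section:
            target = m.group("target")
            # "[x64]" marks a key in the native 64-bit registry view.
            x64_view = target.startswith("[x64] ")
            if x64_view:
                target = target[len("[x64] "):]
            report["sections"][section].append(
                {"kind": m.group("kind"), "action": m.group("action"),
                 "target": target, "x64_view": x64_view})
    report["sections"] = dict(report["sections"])
    return report


def summarize(report):
    """Collect counts per section plus the identifiers worth verifying later."""
    ext_ids, bho_clsids, all_clsids = set(), set(), set()
    for entries in report["sections"].values():
        for entry in entries:
            m = CHROME_EXT_RE.search(entry["target"])
            if m:
                ext_ids.add(m.group("ext_id"))
            for clsid in CLSID_RE.findall(entry["target"]):
                all_clsids.add(clsid.upper())
                if "Browser Helper Objects" in entry["target"]:
                    bho_clsids.add(clsid.upper())
    return {
        "mode": report["mode"],
        "counts": {name: len(v) for name, v in report["sections"].items()},
        "chrome_extension_ids": sorted(ext_ids),
        "bho_clsids": sorted(bho_clsids),
        "clsids": sorted(all_clsids),
    }


if __name__ == "__main__":
    import json
    import sys
    if len(sys.argv) > 1:
        # Older AdwCleaner reports are not always UTF-8; replace undecodable bytes.
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    else:
        text = SAMPLE_LOG
    print(json.dumps(summarize(parse_adwcleaner_log(text)), indent=2))
```

Run it with the path to a real report (for example the `C:\AdwCleaner\AdwCleaner[S0].txt` file the instructions above refer to) or with no argument to run on the embedded sample. The extension IDs can then be looked up against the Chrome Web Store, and the BHO CLSIDs re-queried in both registry views after the reboot; a key that comes back after the reboot is the usual sign that something still running is re-creating it, which is exactly the kind of detail worth posting back in a thread like this.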

Threat scan completed, nothing found. I'm going to have a quick bite and then I guess do the uninstall/reinstall with Norton.

Thanks again for your help. Here's the MB log just in case:


Malwarebytes Anti-Malware
www.malwarebytes.org
 
Scan Date: 9/28/2014
Scan Time: 9:54:27 PM
Logfile: 
Administrator: Yes
 
Version: 2.00.2.1012
Malware Database: v2014.09.29.02
Rootkit Database: v2014.09.19.01
License: Premium
Malware Protection: Enabled
Malicious Website Protection: Enabled
Self-protection: Disabled
 
OS: Windows 8.1
CPU: x64
File System: NTFS
User: Matt
 
Scan Type: Threat Scan
Result: Completed
Objects Scanned: 323857
Time Elapsed: 11 min, 34 sec
 
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled
 
Processes: 0
(No malicious items detected)
 
Modules: 0
(No malicious items detected)
 
Registry Keys: 0
(No malicious items detected)
 
Registry Values: 0
(No malicious items detected)
 
Registry Data: 0
(No malicious items detected)
 
Folders: 0
(No malicious items detected)
 
Files: 0
(No malicious items detected)
 
Physical Sectors: 0
(No malicious items detected)
 
 
(end)

Please download and install CCleaner (free) to clean out temp files:

http://www.piriform.com/ccleaner <---download

http://www.howtogeek.com/113382/how-to-use-ccleaner-like-a-pro-9-tips-tricks/ <---CCleaner tutorial

=====================

Please read the directions carefully so you don't end up deleting something that is good!!

If in doubt about an entry....please ask or choose Skip!!!!

Don't Delete anything unless instructed to!

If you get the warning about a file UnsignedFile.Multi.Generic or LockedFile.Multi.Generic please choose Skip and click on Continue

If a suspicious object is detected, the default action will be Skip, click on Continue

Please note that TDSSKiller can be run in safe mode if needed.

Please download the latest version of TDSSKiller from HERE and save it to your Desktop.

  • Double-click on TDSSKiller.exe to run the application, then click on Change parameters. (Leave the KSN box checked)
  • Put a checkmark beside loaded modules.
  • A reboot will be needed to apply the changes. Do it.
  • TDSSKiller will launch automatically after the reboot. Also your computer may seem very slow and unusable. This is normal. Give it enough time to load your background programs.
  • Then click on Change parameters in TDSSKiller.
  • Check all boxes then click OK.
  • Click the Start Scan button.
  • The scan should take no longer than 2 minutes.
  • If a suspicious object is detected, the default action will be Skip, click on Continue.
    Any entries like this: \Device\Harddisk0\DR0 ( TDSS File System ) - please choose Skip.
    If in doubt about an entry....please ask or choose Skip
  • If malicious objects are found, they will show in the Scan results - Select action for found objects and offer three options.
    Ensure Cure (default) is selected, then click Continue > Reboot now to finish the cleaning process.
    Note: If Cure is not available, please choose Skip instead, do not choose Delete unless instructed.
  • A report will be created in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here. There may be 3 logs > so post or attach all of them.
  • Sometimes these logs can be very large, in that case please attach it or zip it up and attach it.

Here's a summary of what to do if you would like to print it out:

If in doubt about an entry....please ask or choose Skip

Don't Delete anything unless instructed to!

If a suspicious object is detected, the default action will be Skip, click on Continue

If you get the warning about a file UnsignedFile.Multi.Generic or LockedFile.Multi.Generic please choose Skip and click on Continue

Any entries like this: \Device\Harddisk0\DR0 ( TDSS File System ) - please choose Skip.

If malicious objects are found, they will show in the Scan results and offer three (3) options.

Ensure Cure is selected, then click Continue => Reboot now to finish the cleaning process.

Note: If Cure is not available, please choose Skip instead, do not choose Delete unless instructed.

~~~~~~~~~~~~~~~~~~~~

You can attach the logs if they're too long: use the attachment control in the bottom right corner of this page, then the new window that comes up.


Oh, and I forgot to say that after the irql_not_less_or_equal crash I ran a disk check and there was an error. Here's what it said:

C:\ Volume Label: Windows8_OS,   File System: NTFS
 
Volume label is Advanced SystemCare8_OS.
Stage 1: Examining basic file system structure ...
433408 file records processed.
File verification completed.
5949 large file records processed.
0 bad file records processed.
Stage 2: Examining file name linkage ...
Index entry FontCache-S-1-5-18.dat in index $I30 of file 4328 is incorrect.
Index entry FONTCA~1.DAT in index $I30 of file 4328 is incorrect.
Index entry Preferences in index $I30 of file 81172 is incorrect.
Index entry PREFER~1 in index $I30 of file 81172 is incorrect.
Index entry TransportSecurity in index $I30 of file 81172 is incorrect.
Index entry TRANSP~1 in index $I30 of file 81172 is incorrect.
Index entry Local State in index $I30 of file 81582 is incorrect.
Index entry LOCALS~1 in index $I30 of file 81582 is incorrect.
546696 index entries processed.
Index verification completed.
Errors found.  CHKDSK cannot continue in read-only mode.

Here's the chkdsk log:


             Index verification completed.
                0 unindexed files scanned.                                        
                0 unindexed files recovered.                                      
              
              Stage 3: Examining security descriptors ...
              Cleaning up 1765 unused index entries from index $SII of file 0x9.
              Cleaning up 1765 unused index entries from index $SDH of file 0x9.
              Cleaning up 1765 unused security descriptors.
              Security descriptor verification completed.
                55479 data files processed.                                           
              CHKDSK is verifying Usn Journal...
                33740896 USN bytes processed.                                                           
              Usn Journal verification completed.
              
              Stage 4: Looking for bad clusters in user file data ...
                433392 files processed.                                                               
              File data verification completed.
              
              Stage 5: Looking for bad, free clusters ...
                94196366 free clusters processed.                                                       
              Free space verification is complete.
              CHKDSK discovered free space marked as allocated in the volume bitmap.
              
              Windows has made corrections to the file system.
              No further action is required.
              
               949227519 KB total disk space.
               571689356 KB in 336749 files.
                  188036 KB in 55480 indexes.
                       0 KB in bad sectors.
                  564659 KB in use by the system.
                   65536 KB occupied by the log file.
               376785468 KB available on disk.
              
                    4096 bytes in each allocation unit.
               237306879 total allocation units on disk.
                94196367 allocation units available on disk.
              
              Internal Info:
              00 9d 06 00 29 fc 05 00 2e fd 0a 00 00 00 00 00  ....)...........
              83 27 00 00 31 00 00 00 00 00 00 00 00 00 00 00  .'..1...........
              
              Windows has finished checking your disk.
              Please wait while your computer restarts.

Sorry, here's the full log:


TimeCreated : 9/29/2014 3:42:14 PM
Message     : 
              
              Checking file system on C:
              The type of the file system is NTFS.
              Volume label is Windows8_OS.
              
              A disk check has been scheduled.
              Windows will now check the disk.                         
              
              Stage 1: Examining basic file system structure ...
                433408 file records processed.                                                        
              File verification completed.
                5916 large file records processed.                                   
                0 bad file records processed.                                     
              
              Stage 2: Examining file name linkage ...
                544364 index entries processed.                                                       
              Index verification completed.
                0 unindexed files scanned.                                        
                0 unindexed files recovered.                                      
              
              Stage 3: Examining security descriptors ...
              Cleaning up 1765 unused index entries from index $SII of file 0x9.
              Cleaning up 1765 unused index entries from index $SDH of file 0x9.
              Cleaning up 1765 unused security descriptors.
              Security descriptor verification completed.
                55479 data files processed.                                           
              CHKDSK is verifying Usn Journal...
                33740896 USN bytes processed.                                                           
              Usn Journal verification completed.
              
              Stage 4: Looking for bad clusters in user file data ...
                433392 files processed.                                                               
              File data verification completed.
              
              Stage 5: Looking for bad, free clusters ...
                94196366 free clusters processed.                                                       
              Free space verification is complete.
              CHKDSK discovered free space marked as allocated in the volume bitmap.
              
              Windows has made corrections to the file system.
              No further action is required.
              
               949227519 KB total disk space.
               571689356 KB in 336749 files.
                  188036 KB in 55480 indexes.
                       0 KB in bad sectors.
                  564659 KB in use by the system.
                   65536 KB occupied by the log file.
This topic is now closed to further replies.