willbrown2000 Posted October 22, 2014 ID:894302 Share Posted October 22, 2014 Hi All, So I'm a vet with computers, getting hacked, etc. It's been a while and I suppose I've gotten too confident because I was hiring employees from craigslist (first mistake) and then I got an email from some guy named l33t h4xor and I was like "well, this sounds legit." Let's see what l33t has to offer and download his resume. No sooner than hitting download did my computer start acting funny, my firewall started turning itself off and when it was on it was blocking multiple attacks on my computer. *sigh*. Anyway, I suspect they may have gotten a keylogger on to my computer because some funny things started happening with my dup email that I use specifically for these circumstances. Please take a look at my hijack this log and tell me what you think: Boot mode: Normal Running processes:C:\Program Files (x86)\Common Files\Microsoft Shared\Ink\TabTip32.exeC:\Program Files\Microsoft Office 15\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\OFFICE15\CSISYNCCLIENT.EXEC:\Program Files (x86)\Dell Backup and Recovery\TOASTER.EXEC:\Program Files (x86)\Dell Backup and Recovery\Components\DBRUpdate\DBRUpd.exeC:\Program Files (x86)\Microsoft Visual Studio 12.0\Common7\IDE\WDExpress.exeC:\Program Files (x86)\Microsoft Visual Studio 12.0\Common7\IDE\PerfWatson2.exeC:\PROGRAM FILES (X86)\MICROSOFT VISUAL STUDIO 12.0\COMMON7\IDE\COMMONEXTENSIONS\MICROSOFT\TESTWINDOW\vstest.discoveryengine.x86.exeC:\Program Files (x86)\Microsoft Visual Studio 12.0\VC\vcpackages\VCPkgSrv.exeC:\Program Files (x86)\Google\Chrome\Application\chrome.exeC:\Program Files (x86)\Google\Chrome\Application\chrome.exeC:\Program Files (x86)\Google\Chrome\Application\chrome.exeC:\Program Files (x86)\Google\Chrome\Application\chrome.exeC:\Program Files (x86)\Google\Chrome\Application\chrome.exeC:\Program Files (x86)\Google\Chrome\Application\chrome.exeC:\Program Files (x86)\Google\Chrome\Application\chrome.exeC:\Program Files (x86)\Google\Chrome\Application\chrome.exeC:\Users\Will\Downloads\HijackThis.exeC:\Program Files (x86)\Google\Chrome\Application\chrome.exeC:\Program Files (x86)\Google\Chrome\Application\chrome.exeC:\Program Files (x86)\Google\Chrome\Application\chrome.exe R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://dell13.msn.com/?pc=DCJBR1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blankR1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/p/?LinkId=255141R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blankR0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htmR0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = F2 - REG:system.ini: UserInit=userinit.exeO2 - BHO: The Amazon 1Button App for IE - {26B19FA4-E8A1-4A1B-A163-1A1E46F830DD} - C:\AmazonAppIE.dllO4 - HKLM\..\Run: [startCCC] "c:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRunO4 - HKLM\..\Run: [mcpltui_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkeyO4 - HKCU\..\Run: [1793306958] C:\Users\Will\AppData\Roaming\msfahq.exeO4 - HKLM\..\Policies\Explorer\Run: [btvStack] "C:\Program Files (x86)\Dell Wireless\Bluetooth Suite\BtvStack.exe"O4 - HKLM\..\Policies\Explorer\Run: [1793306958] C:\PROGRA~3\msfahq.exeO8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\Program Files\Microsoft Office 15\Root\Office15\EXCEL.EXE/3000O8 - Extra context menu item: Se&nd to OneNote - res://C:\Program Files\Microsoft Office 15\Root\Office15\ONBttnIE.dll/105O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office 15\root\Office15\ONBttnIE.dllO9 - Extra 'Tools' menuitem: Se&nd to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office 15\root\Office15\ONBttnIE.dllO9 - Extra button: OneNote Lin&ked Notes - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - C:\Program Files\Microsoft Office 15\root\Office15\ONBttnIELinkedNotes.dllO9 - Extra 'Tools' menuitem: OneNote Lin&ked Notes - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - C:\Program Files\Microsoft Office 15\root\Office15\ONBttnIELinkedNotes.dllO11 - Options group: [ACCELERATED_GRAPHICS] Accelerated graphicsO18 - Protocol: osf - {D924BDC6-C83A-4BD5-90D0-095128A113D1} - C:\Program Files\Microsoft Office 15\root\Office15\MSOSB.DLLO18 - Protocol: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files (x86)\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dllO18 - Filter: application/x-mfe-ipt - {3EF5086B-5478-4598-A054-786C45D75692} - c:\PROGRA~2\mcafee\msc\mcsniepl.dllO23 - Service: Andrea RT Filters Service (AERTFilters) - Andrea Electronics Corporation - C:\Program Files\Realtek\Audio\HDA\AERTSr64.exeO23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\WINDOWS\System32\alg.exe (file missing)O23 - Service: AMD External Events Utility - Unknown owner - C:\WINDOWS\system32\atiesrxx.exe (file missing)O23 - Service: AMD FUEL Service - Advanced Micro Devices, Inc. - c:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exeO23 - Service: AtherosSvc - Windows ® Win 7 DDK provider - C:\Program Files (x86)\Dell Wireless\Bluetooth Suite\adminservice.exeO23 - Service: Dell Digital Delivery Service (DellDigitalDelivery) - Dell Products, LP. - c:\Program Files (x86)\Dell Digital Delivery\DeliveryService.exeO23 - Service: @%SystemRoot%\system32\efssvc.dll,-100 (EFS) - Unknown owner - C:\WINDOWS\System32\lsass.exe (file missing)O23 - Service: @%systemroot%\system32\fxsresm.dll,-118 (Fax) - Unknown owner - C:\WINDOWS\system32\fxssvc.exe (file missing)O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files (x86)\Google\Update\GoogleUpdate.exeO23 - Service: Google Update Service (gupdatem) (gupdatem) - Google Inc. - C:\Program Files (x86)\Google\Update\GoogleUpdate.exeO23 - Service: McAfee Home Network (HomeNetSvc) - McAfee, Inc. - C:\Program Files\Common Files\McAfee\Platform\McSvcHost\McSvHost.exeO23 - Service: @%SystemRoot%\system32\ieetwcollectorres.dll,-1000 (IEEtwCollectorService) - Unknown owner - C:\WINDOWS\system32\IEEtwCollector.exe (file missing)O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:\WINDOWS\system32\lsass.exe (file missing)O23 - Service: McAfee AP Service (McAPExe) - McAfee, Inc. - C:\Program Files\McAfee\MSC\McAPExe.exeO23 - Service: McAfee Activation Service (McAWFwk) - McAfee, Inc. - C:\Program Files\Common Files\mcafee\ActWiz\McAWFwk.exeO23 - Service: McAfee Personal Firewall Service (McMPFSvc) - McAfee, Inc. - C:\Program Files\Common Files\McAfee\Platform\McSvcHost\McSvHost.exeO23 - Service: McAfee VirusScan Announcer (McNaiAnn) - McAfee, Inc. - C:\Program Files\Common Files\mcafee\platform\McSvcHost\McSvHost.exeO23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\Program Files\mcafee\VirusScan\mcods.exeO23 - Service: McAfee OOBE Service2 (McOobeSv2) - McAfee, Inc. - C:\Program Files\Common Files\mcafee\platform\McSvcHost\McSvHost.exeO23 - Service: McAfee Platform Services (mcpltsvc) - McAfee, Inc. - C:\Program Files\Common Files\mcafee\platform\McSvcHost\McSvHost.exeO23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - C:\Program Files\Common Files\mcafee\platform\McSvcHost\McSvHost.exeO23 - Service: McAfee Anti-Malware Core (mfecore) - McAfee, Inc. - C:\Program Files\Common Files\McAfee\AMCore\mcshield.exeO23 - Service: McAfee Firewall Core Service (mfefire) - McAfee, Inc. - C:\Program Files\Common Files\McAfee\SystemCore\\mfefire.exeO23 - Service: McAfee Validation Trust Protection Service (mfevtp) - Unknown owner - C:\Windows\system32\mfevtps.exe (file missing)O23 - Service: @comres.dll,-2797 (MSDTC) - Unknown owner - C:\WINDOWS\System32\msdtc.exe (file missing)O23 - Service: McAfee Anti-Spam Service (MSK80Service) - McAfee, Inc. - C:\Program Files\Common Files\McAfee\Platform\McSvcHost\McSvHost.exeO23 - Service: @%SystemRoot%\System32\netlogon.dll,-102 (Netlogon) - Unknown owner - C:\WINDOWS\system32\lsass.exe (file missing)O23 - Service: @%systemroot%\system32\Locator.exe,-2 (RpcLocator) - Unknown owner - C:\WINDOWS\system32\locator.exe (file missing)O23 - Service: Realtek Audio Service (RtkAudioService) - Realtek Semiconductor - C:\Program Files\Realtek\Audio\HDA\RtkAudioService64.exeO23 - Service: @%SystemRoot%\system32\samsrv.dll,-1 (SamSs) - Unknown owner - C:\WINDOWS\system32\lsass.exe (file missing)O23 - Service: SoftThinks Agent Service (SftService) - SoftThinks SAS - C:\Program Files (x86)\Dell Backup and Recovery\SftService.exeO23 - Service: @%SystemRoot%\system32\snmptrap.exe,-3 (SNMPTRAP) - Unknown owner - C:\WINDOWS\System32\snmptrap.exe (file missing)O23 - Service: @%systemroot%\system32\spoolsv.exe,-1 (Spooler) - Unknown owner - C:\WINDOWS\System32\spoolsv.exe (file missing)O23 - Service: @%SystemRoot%\system32\sppsvc.exe,-101 (sppsvc) - Unknown owner - C:\WINDOWS\system32\sppsvc.exe (file missing)O23 - Service: @%SystemRoot%\system32\ui0detect.exe,-101 (UI0Detect) - Unknown owner - C:\WINDOWS\system32\UI0Detect.exe (file missing)O23 - Service: @%SystemRoot%\system32\vaultsvc.dll,-1003 (VaultSvc) - Unknown owner - C:\WINDOWS\system32\lsass.exe (file missing)O23 - Service: @%SystemRoot%\system32\vds.exe,-100 (vds) - Unknown owner - C:\WINDOWS\System32\vds.exe (file missing)O23 - Service: @%systemroot%\system32\vssvc.exe,-102 (VSS) - Unknown owner - C:\WINDOWS\system32\vssvc.exe (file missing)O23 - Service: @%systemroot%\system32\wbengine.exe,-104 (wbengine) - Unknown owner - C:\WINDOWS\system32\wbengine.exe (file missing)O23 - Service: @%ProgramFiles%\Windows Defender\MpAsDesc.dll,-320 (WdNisSvc) - Unknown owner - C:\Program Files (x86)\Windows Defender\NisSrv.exe (file missing)O23 - Service: @%ProgramFiles%\Windows Defender\MpAsDesc.dll,-310 (WinDefend) - Unknown owner - C:\Program Files (x86)\Windows Defender\MsMpEng.exe (file missing)O23 - Service: @%Systemroot%\system32\wbem\wmiapsrv.exe,-110 (wmiApSrv) - Unknown owner - C:\WINDOWS\system32\wbem\WmiApSrv.exe (file missing)O23 - Service: @%PROGRAMFILES%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - C:\Program Files (x86)\Windows Media Player\wmpnetwk.exe (file missing)O23 - Service: Wyse PocketCloud (WysePocketCloud) - Unknown owner - C:\Program Files (x86)\Wyse\PocketCloud\PocketCloudService.exeO23 - Service: Wyse Remote Access (WyseRemoteAccess) - Wyse Technology. - C:\Program Files (x86)\Wyse\PocketCloud\WyseRemoteAccess.exeO23 - Service: ZAtheros Wlan Agent - Atheros - C:\Program Files (x86)\Dell Wireless\Ath_WlanAgent.exe Link to post Share on other sites More sharing options...
MrCharlie Posted October 22, 2014 ID:894304 Share Posted October 22, 2014 Welcome to the forum. (Do what you can) General P2P/Piracy Warning: 1. If you're using Peer 2 Peer software such uTorrent, BitTorrent or similar you must either fully uninstall it or completely disable it from running while being assisted here. 2. If you have illegal/cracked software (MS Office, Adobe Products), cracks, keygens, custom (Adobe) host file, etc. on the system, please remove or uninstall them now and read the policy on Piracy. Failure to remove such software will result in your topic being closed and no further assistance being provided. <====><====><====><====><====><====><====><====> 1. Please run a Threat Scan with Malwarebytes (if possible) Start Malwarebytes 2.0......... Click on Settings > Detection and Protection > Non-Malware Protection > PUP (Potentially Unwanted Program) detections > Make sure it's set to Treat detections as malware Same for PUM (Potentially Unwanted Modifications) Quarantine all that's found Post the log (save the log as a .txt file not .xml) Then...... 2. Please download Farbar Recovery Scan Tool (FRST) and save it to a folder. (use correct version for your system.....Which system am I using?) FRST <----for 32 bit systems FRST64 <----for 64 bit systemsDouble-click to run it. When the tool opens click Yes to disclaimer.Press Scan button. (make sure the Addition box is checked)It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.The first time the tool is run, it makes also another log (Addition.txt). Please attach it to your reply.If the logs are large, you can attach them: To attach a log: Bottom right corner of this page. New window that comes up. Last................ 3. Please download and run RogueKiller 32 bit to your desktop. RogueKiller<---use this one for 64 bit systems Which system am I using? Quit all running programs. For Windows XP, double-click to start. For Vista or Windows 7-8, do a right-click on the program, select Run as Administrator to start, & when prompted Allow to run. Wait for the Prescan to finish Click Scan to scan the system. When the scan completes > Don't Fix anything! > Click on the Report Button > Copy and paste the Report back here. Don't run any other options, they're not all bad!!!!!!! RogueKiller logs will also be located here: %programdata%/RogueKiller/Logs <-------W7 C:\Documents and Settings\All Users\Application Data\RogueKiller\Logs <-------XP (please don't put logs in code or quotes and use the default font) MrC Note: Please read all of my instructions completely including these. Make sure system restore is turned on and running. Create a new restore point Make sure you're subscribed to this topic: Click on the Follow This Topic Button (at the top right of this page), make sure that the Receive notification box is checked and that it is set to Instantly Removing malware can be unpredictable...unlikely but things can go very wrong! Backup any files that cannot be replaced. You can copy them to a CD/DVD, external drive or a pen drive <+>Please don't run any other scans, download, install or uninstall any programs while I'm working with you. <+>The removal of malware isn't instantaneous, please be patient. <+>When we are done, I'll give to instructions on how to cleanup all the tools and logs <+>Please stick with me until I give you the "all clear". ------->Your topic will be closed if you haven't replied within 3 days!<-------- If I don't respond within 24 hours, please send me a PM Link to post Share on other sites More sharing options...
willbrown2000 Posted October 22, 2014 Author ID:894459 Share Posted October 22, 2014 I attached the logs from the scans. Let me know.10.22.2014 Addition.txt10.22.2014 FRST.txt10.22.14 malwarebytes scans.txt Link to post Share on other sites More sharing options...
MrCharlie Posted October 22, 2014 ID:894493 Share Posted October 22, 2014 The log you attached from Malwarebytes is the Protection log. I need to see Scan logs You also didn't post the log from RogueKiller ========================================== Make sure you have created a restore point and..... Download Delfix from Here and save it to your desktop.Place a check mark in front of .......Create registry backup <---only!Uncheck the rest!Click the Run button. Close the tool out when it's done....we'll use it later. ======================================= Download the attached fixlist.txt to the same folder as FRST.exe/FRST64.exe. Run FRST.exe/FRST64.exe and click Fix only once and wait The tool will create a log (Fixlog.txt) in the folder, please post it to your reply. ======================================== Make sure you have created that system restore point before you continue! Please read the directions carefully so you don't end up deleting something that is good!! If in doubt about an entry....please ask or choose Skip!!!! Don't Delete anything unless instructed to! If you get the warning about a file UnsignedFile.Multi.Generic or LockedFile.Multi.Generic please choose Skip and click on Continue If a suspicious object is detected, the default action will be Skip, click on Continue Please note that TDSSKiller can be run in safe mode if needed. Please download the latest version of TDSSKiller from HERE and save it to your Desktop.Doubleclick on TDSSKiller.exe to run the application, then click on Change parameters. (Leave the KSN box checked) Put a checkmark beside loaded modules. A reboot will be needed to apply the changes. Do it.TDSSKiller will launch automatically after the reboot. Also your computer may seem very slow and unusable. This is normal. Give it enough time to load your background programs.Then click on Change parameters in TDSSKiller.Check all boxes then click OK. Click the Start Scan button. The scan should take no longer than 2 minutes.If a suspicious object is detected, the default action will be Skip, click on Continue. Any entries like this: \Device\Harddisk0\DR0 ( TDSS File System ) - please choose Skip. If in doubt about an entry....please ask or choose SkipIf malicious objects are found, they will show in the Scan results - Select action for found objects and offer three options. Ensure Cure (default) is selected, then click Continue > Reboot now to finish the cleaning process. Note: If Cure is not available, please choose Skip instead, do not choose Delete unless instructed.A report will be created in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here. There may be 3 logs > so post or attach all of them.Sometimes these logs can be very large, in that case please attach it or zip it up and attach it.Here's a summary of what to do if you would like to print it out:If in doubt about an entry....please ask or choose Skip Don't Delete anything unless instructed to! If a suspicious object is detected, the default action will be Skip, click on Continue If you get the warning about a file UnsignedFile.Multi.Generic or LockedFile.Multi.Generic please choose Skip and click on Continue Any entries like this: \Device\Harddisk0\DR0 ( TDSS File System ) - please choose Skip. If malicious objects are found, they will show in the Scan results and offer three (3) options. Ensure Cure is selected, then click Continue => Reboot now to finish the cleaning process. Note: If Cure is not available, please choose Skip instead, do not choose Delete unless instructed. ~~~~~~~~~~~~~~~~~~~~ You can attach the logs if they're too long: Bottom right corner of this page. New window that comes up. MrC Link to post Share on other sites More sharing options...
willbrown2000 Posted October 23, 2014 Author ID:894733 Share Posted October 23, 2014 Thanks so much! I'm booked up tomorrow. I'll start working these taskers on Friday and should have a response by Saturday. Just to be clear the fixlist you attached is all the crap you think is wrong wtih my computer so far, correct? Link to post Share on other sites More sharing options...
MrCharlie Posted October 23, 2014 ID:894897 Share Posted October 23, 2014 Yes, unless you know what these are for, this is the problem: C:\ProgramData\msfahq.exe C:\Users\Will\AppData\Roaming\msfahq.exe It's from: CyberGhost S.R.L. Before you run the fix: Please upload this file to VirusTotal for a free scan. Let me know the results...just copy back the URL. C:\ProgramData\msfahq.exe MrC Link to post Share on other sites More sharing options...
willbrown2000 Posted October 24, 2014 Author ID:895606 Share Posted October 24, 2014 alright, so I'm embarrassed to ask this question. I can't find the file in those directories. I thought I ensured nothing was hidden in the directories, but the file isn't showing up. What am I missing? Link to post Share on other sites More sharing options...
MrCharlie Posted October 24, 2014 ID:895609 Share Posted October 24, 2014 Using FRST64.exeType the following in the edit box after "Search:".msfahq.exe It then should look like:Search: msfahq.exe Click Search button and post the log (Search.txt) it makes to your reply.MrC Link to post Share on other sites More sharing options...
willbrown2000 Posted October 24, 2014 Author ID:895621 Share Posted October 24, 2014 Search file and latest malwarebytes scan attached10.24.14 Search.txt10.24.14 malwarebytes scans.txt Link to post Share on other sites More sharing options...
MrCharlie Posted October 24, 2014 ID:895657 Share Posted October 24, 2014 Re-scan with FRST and Make sure the Addition Box is checked. Post or attach the 2 logs FRST(64).txt and Addition.txt MrC Link to post Share on other sites More sharing options...
willbrown2000 Posted October 24, 2014 Author ID:895722 Share Posted October 24, 2014 here ya go10.24.2014 Addition.txt10.24.2014 FRST.txt Link to post Share on other sites More sharing options...
MrCharlie Posted October 24, 2014 ID:895788 Share Posted October 24, 2014 Download the attached fixlist.txt to the same folder as FRST.exe/FRST64.exe. Run FRST.exe/FRST64.exe and click Fix only once and wait The tool will create a log (Fixlog.txt) in the folder, please post it to your reply. ======================================== Please read the directions carefully so you don't end up deleting something that is good!! If in doubt about an entry....please ask or choose Skip!!!! Don't Delete anything unless instructed to! If you get the warning about a file UnsignedFile.Multi.Generic or LockedFile.Multi.Generic please choose Skip and click on Continue If a suspicious object is detected, the default action will be Skip, click on Continue Please note that TDSSKiller can be run in safe mode if needed. Please download the latest version of TDSSKiller from HERE and save it to your Desktop.Doubleclick on TDSSKiller.exe to run the application, then click on Change parameters. (Leave the KSN box checked) Put a checkmark beside loaded modules. A reboot will be needed to apply the changes. Do it.TDSSKiller will launch automatically after the reboot. Also your computer may seem very slow and unusable. This is normal. Give it enough time to load your background programs.Then click on Change parameters in TDSSKiller.Check all boxes then click OK. Click the Start Scan button. The scan should take no longer than 2 minutes.If a suspicious object is detected, the default action will be Skip, click on Continue. Any entries like this: \Device\Harddisk0\DR0 ( TDSS File System ) - please choose Skip. If in doubt about an entry....please ask or choose SkipIf malicious objects are found, they will show in the Scan results - Select action for found objects and offer three options. Ensure Cure (default) is selected, then click Continue > Reboot now to finish the cleaning process. Note: If Cure is not available, please choose Skip instead, do not choose Delete unless instructed.A report will be created in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here. There may be 3 logs > so post or attach all of them.Sometimes these logs can be very large, in that case please attach it or zip it up and attach it.Here's a summary of what to do if you would like to print it out: If in doubt about an entry....please ask or choose Skip Don't Delete anything unless instructed to! If a suspicious object is detected, the default action will be Skip, click on Continue If you get the warning about a file UnsignedFile.Multi.Generic or LockedFile.Multi.Generic please choose Skip and click on Continue Any entries like this: \Device\Harddisk0\DR0 ( TDSS File System ) - please choose Skip. If malicious objects are found, they will show in the Scan results and offer three (3) options. Ensure Cure is selected, then click Continue => Reboot now to finish the cleaning process. Note: If Cure is not available, please choose Skip instead, do not choose Delete unless instructed. ~~~~~~~~~~~~~~~~~~~~ You can attach the logs if they're too long: Bottom right corner of this page. New window that comes up. Then........... Please download and run ComboFix. The most important things to remember when running it is to disable all your malware programs and run Combofix from your desktop. Please visit this webpage for download links, and instructions for running ComboFix http://www.bleepingcomputer.com/combofix/how-to-use-combofix http://www.bleepingcomputer.com/download/combofix/dl/12/ <---ComboFix direct download Please make sure you click download buttons that look similar to this, not "sponsored ad links": Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix. Information on disabling your malware programs can be found Here. Make sure you run ComboFix from your desktop. Give it at least 30-45 minutes to finish if needed. Please include the C:\ComboFix.txt in your next reply for further review. ---------->NOTE<----------If you get the message Illegal operation attempted on registry key that has been marked for deletion after you run ComboFix....please reboot the computer, this should resolve the problem. You may have to do this several times if needed. MrC Link to post Share on other sites More sharing options...
willbrown2000 Posted October 25, 2014 Author ID:896099 Share Posted October 25, 2014 here ya go. Not sure what's up. Most of the nasty stuff seems gone, but my firewall still continues to turn off with no explanation (McAfee). Fixlog.txt Link to post Share on other sites More sharing options...
MrCharlie Posted October 25, 2014 ID:896106 Share Posted October 25, 2014 Did you run ComboFix and TDSSKiller?? MrC Link to post Share on other sites More sharing options...
willbrown2000 Posted October 25, 2014 Author ID:896271 Share Posted October 25, 2014 Attached the TDSkiller log and the RogueKiller scan. TDS killer did not detect any problems. Rogue kill picked up a few issues. Let me know what you think. Combo fix gave me the error "No longer supported on windows 2000," which I don't understand because I'm running windows 810.25.14 RKreport_SCN_10252014_123322.log10.25.14 TDSKiller log.txt Link to post Share on other sites More sharing options...
MrCharlie Posted October 25, 2014 ID:896301 Share Posted October 25, 2014 I'm sorry, ComboFix doesn't run on W8 yet. Lets check for any adware/spyware next: Please download AdwCleaner from HERE or HERE to your desktop.Double click on AdwCleaner.exe to run the tool. Vista/Windows 7/8 users right-click and select Run As AdministratorClick on the Scan button.AdwCleaner will begin...be patient as the scan may take some time to complete.When it's done you'll see: Pending: Please uncheck elements you don't want removed.Now click on the Report button...a logfile (AdwCleaner[R0].txt) will open in Notepad for review.Look over the log especially under Files/Folders for any program you want to save.If there's a program you may want to save, just uncheck it from AdwCleaner.If you're not sure, post the log for review. (all items found are either adware/spyware/foistware)If you're ready to clean it all up.....click the Clean button.After rebooting, a logfile report (AdwCleaner[s0].txt) will open automatically.Copy and paste the contents of that logfile in your next reply.A copy of that logfile will also be saved in the C:\AdwCleaner folder.Items that are deleted are moved to the Quarantine Folder: C:\AdwCleaner\QuarantineTo restore an item that has been deleted:Go to Tools > Quarantine Manager > check what you want restored > now click on Restore.Next.................. Please download Junkware Removal Tool to your desktop.Shut down your protection software now to avoid potential conflicts.Run the tool by double-clicking it. If you are using Windows Vista or Seven, right-mouse click it and select Run as Administrator.The tool will open and start scanning your system.Please be patient as this can take a while to complete depending on your system's specifications.On completion, a log (JRT.txt) is saved to your desktop and will automatically open.Post the contents of JRT.txt into your next message.Next......... Please run a Threat Scan (Malwarebytes) Click on settings > Detection and Protection > Non-Malware Protection > PUP (Potentially Unwanted Program) detections > Make sure it's set to Treat detections as malware Same for PUM (Potentially Unwanted Modifications) Quarantine All that's found MrC Link to post Share on other sites More sharing options...
Root Admin AdvancedSetup Posted October 30, 2014 Root Admin ID:899590 Share Posted October 30, 2014 Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread. Other members who need assistance please start your own topic in a new thread. Thanks! Link to post Share on other sites More sharing options...
Recommended Posts