My computer is infected- please help!


Solved My computer is infected- please help!

Post by Anthony X on Sat Jun 07, 2014 8:35 pm

Dear Dr. Inferno,
I bow to your greatness. I plead for your assistance. I accidentally downloaded some fkd up program and now my internet protocols are being blocked and there are rogue search bar type programs turning up. I have run adw, Malware, etc. but the program seems to dodge these and replicate itself after startup. I am posting logs below. Please help!

# AdwCleaner v3.212 - Report created 07/06/2014 at 09:32:45
# Updated 05/06/2014 by Xplode
# Operating System : Windows 7 Home Premium Service Pack 1 (64 bits)
# Username : Anthony X - ANTHONYX
# Running from : C:\Users\Anthony X\Desktop\AdwCleaner.exe
# Option : Clean

***** [ Services ] *****


***** [ Files / Folders ] *****

Folder Deleted : C:\ProgramData\IePluginServices
Folder Deleted : C:\ProgramData\Microsoft\Windows\Start Menu\Programs\BrowserSafeguard
Folder Deleted : C:\Program Files (x86)\Conduit
Folder Deleted : C:\Program Files (x86)\predm
Folder Deleted : C:\Program Files (x86)\uTorrentControl_v6
Folder Deleted : C:\Users\Anthony X\AppData\Local\BrowserSafeguard
Folder Deleted : C:\Users\Anthony X\AppData\Local\Conduit
Folder Deleted : C:\Users\Anthony X\AppData\Local\SwvUpdater
Folder Deleted : C:\Users\ANTHON~1\AppData\Local\Temp\CT3289847
Folder Deleted : C:\Users\ANTHON~1\AppData\Local\Temp\CT3289075
Folder Deleted : C:\Users\Anthony X\AppData\LocalLow\Conduit
Folder Deleted : C:\Users\Anthony X\AppData\LocalLow\PriceGong
Folder Deleted : C:\Users\Anthony X\AppData\LocalLow\uTorrentControl_v6
Folder Deleted : C:\Users\Anthony X\AppData\Roaming\Mozilla\Firefox\Profiles\rxw6nnwi.default\CT3289847
Folder Deleted : C:\Users\Anthony X\AppData\Roaming\Mozilla\Firefox\Profiles\rxw6nnwi.default\CT3289075
Folder Deleted : C:\Users\Anthony X\AppData\Roaming\Mozilla\Firefox\Profiles\rxw6nnwi.default\Extensions\{739df940-c5ee-4bab-9d7e-270894ae687a}
Folder Deleted : C:\Users\Anthony X\AppData\Roaming\Mozilla\Firefox\Profiles\rxw6nnwi.default\Extensions\{96f454ea-9d38-474f-b504-56193e00c1a5}
File Deleted : C:\END
File Deleted : C:\Program Files (x86)\Mozilla Firefox\nsprotector.js
File Deleted : C:\Users\Anthony X\AppData\Roaming\Mozilla\Firefox\Profiles\rxw6nnwi.default\searchplugins\Conduit.xml
File Deleted : C:\Users\Anthony X\AppData\Roaming\Mozilla\Firefox\Profiles\rxw6nnwi.default\searchplugins\trovi-search.xml
File Deleted : C:\Windows\System32\Tasks\BrowserSafeguard Update Task

***** [ Shortcuts ] *****


***** [ Registry ] *****

Key Deleted : HKLM\SOFTWARE\Classes\protector_dll.protectorbho
Key Deleted : HKLM\SOFTWARE\Classes\protector_dll.protectorbho.1
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\BingBar_RASMANCS
Key Deleted : HKLM\SOFTWARE\Classes\Toolbar.CT3289075
Key Deleted : HKLM\SOFTWARE\Classes\Toolbar.CT3289847
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{065C1A21-97F8-45FB-A9F0-861B60FACEC8}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{3204358F-5904-46A6-841F-D6B5BE3EF4E3}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{3AE67737-0E3E-44AA-AA5E-46A68BF017FF}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{3EE5B726-044A-48D2-AA7B-049BD9A0F62A}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{60FBBE03-57FF-49D8-B38E-053D3F489825}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{6A5182F1-C0B8-42B8-96CC-7F329CD46913}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{6C153418-8E4D-4FAF-AF27-5201E38463A7}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{A26A2F05-AC4D-4A1E-9531-9125F7309B78}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{CC5D6240-7DF0-435D-9B9B-F8586A99DE86}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{F343045E-E20A-46E1-82D8-9962C43EFC9E}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{FBB360DC-CB6C-4D6A-808A-2C773151BFFF}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{FFD7DDAC-EC28-42A5-8D39-917B9078604B}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{96F454EA-9D38-474F-B504-56193E00C1A5}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{CD90659F-D5B2-4104-9504-7CA36E6532DF}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{96F454EA-9D38-474F-B504-56193E00C1A5}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{96F454EA-9D38-474F-B504-56193E00C1A5}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{96F454EA-9D38-474F-B504-56193E00C1A5}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{CD90659F-D5B2-4104-9504-7CA36E6532DF}
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{2BDD9801-C928-47A3-89A6-D1D010274FF7}
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{07308663-E77A-4B70-8684-08260BDE1BC1}
Value Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar [{96F454EA-9D38-474F-B504-56193E00C1A5}]
Value Deleted : HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser [{96F454EA-9D38-474F-B504-56193E00C1A5}]
Value Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\URLSearchHooks [{96F454EA-9D38-474F-B504-56193E00C1A5}]
Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{79FB5FC8-44B9-4AF5-BADD-CCE547F953E5}
Key Deleted : HKCU\Software\Conduit
Key Deleted : HKCU\Software\SearchProtect
Key Deleted : HKCU\Software\AppDataLow\Toolbar
Key Deleted : HKCU\Software\AppDataLow\Software\Conduit
Key Deleted : HKCU\Software\AppDataLow\Software\ConduitSearchScopes
Key Deleted : HKCU\Software\AppDataLow\Software\PriceGong
Key Deleted : HKCU\Software\AppDataLow\Software\SmartBar
Key Deleted : HKCU\Software\AppDataLow\Software\uTorrentControl_v6
Key Deleted : HKLM\Software\Conduit
Key Deleted : HKLM\Software\SearchProtect
Key Deleted : HKLM\Software\uTorrentControl_v6
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\uTorrentControl_v6 Toolbar

***** [ Browsers ] *****

-\\ Internet Explorer v11.0.9600.17041


-\\ Mozilla Firefox v13.0.1 (en-US)

[ File : C:\Users\Anthony X\AppData\Roaming\Mozilla\Firefox\Profiles\rxw6nnwi.default\prefs.js ]

Line Deleted : user_pref("CT3289075.FF19Solved", "true");
Line Deleted : user_pref("CT3289075.UserID", "UN22667055591281762");
Line Deleted : user_pref("CT3289075.browser.search.defaultthis.engineName", "true");
Line Deleted : user_pref("CT3289075.fullUserID", "UN22667055591281762.IN.20130803160714");
Line Deleted : user_pref("CT3289075.installDate", "03/08/2013 16:07:14");
Line Deleted : user_pref("CT3289075.installSessionId", "-1");
Line Deleted : user_pref("CT3289075.installSp", "TRUE");
Line Deleted : user_pref("CT3289075.installerVersion", "1.5.4.4");
Line Deleted : user_pref("CT3289075.keyword", "true");
Line Deleted : user_pref("CT3289075.originalHomepage", "hxxp://www.yahoo.com/");
Line Deleted : user_pref("CT3289075.originalSearchAddressUrl", "");
Line Deleted : user_pref("CT3289075.originalSearchEngine", "");
Line Deleted : user_pref("CT3289075.originalSearchEngineName", "");
Line Deleted : user_pref("CT3289075.searchRevert", "FALSE");
Line Deleted : user_pref("CT3289075.searchUserMode", "2");
Line Deleted : user_pref("CT3289075.smartbar.homepage", "true");
Line Deleted : user_pref("CT3289075.versionFromInstaller", "10.16.70.7");
Line Deleted : user_pref("CT3289075.xpeMode", "0");
Line Deleted : user_pref("CT3289847.FF19Solved", "true");
Line Deleted : user_pref("CT3289847.UserID", "UN20871659092384527");
Line Deleted : user_pref("CT3289847.browser.search.defaultthis.engineName", "true");
Line Deleted : user_pref("CT3289847.fullUserID", "UN20871659092384527.IN.20130820092119");
Line Deleted : user_pref("CT3289847.installDate", "20/08/2013 09:21:19");
Line Deleted : user_pref("CT3289847.installSessionId", "{FFCDBAF7-643B-41BD-A6BA-43AA84021BA3}");
Line Deleted : user_pref("CT3289847.installSp", "false");
Line Deleted : user_pref("CT3289847.installerVersion", "1.5.4.5");
Line Deleted : user_pref("CT3289847.keyword", "true");
Line Deleted : user_pref("CT3289847.originalHomepage", "hxxp://search.conduit.com/?ctid=CT3289075&CUI=UN22667055591281762&UM=2&SearchSource=13&sspv=SSPV_AB_FF_2");
Line Deleted : user_pref("CT3289847.originalSearchAddressUrl", "hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT3289075&SearchSource=2&CUI=UN22667055591281762&UM=2&sspv=SSPV_AB_FF_2&q=");
Line Deleted : user_pref("CT3289847.originalSearchEngine", "uTorrentControl_v6 Customized Web Search");
Line Deleted : user_pref("CT3289847.originalSearchEngineName", "uTorrentControl_v6 Customized Web Search");
Line Deleted : user_pref("CT3289847.searchRevert", "true");
Line Deleted : user_pref("CT3289847.searchUserMode", "2");
Line Deleted : user_pref("CT3289847.smartbar.homepage", "true");
Line Deleted : user_pref("CT3289847.versionFromInstaller", "10.16.9.6");
Line Deleted : user_pref("CT3289847.xpeMode", "0");
Line Deleted : user_pref("Smartbar.SearchFromAddressBarSavedUrl", "hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT3289075&SearchSource=2&CUI=UN22667055591281762&UM=2&sspv=SSPV_AB_FF_2&q=");
Line Deleted : user_pref("browser.search.defaultenginename", "WhiteSmoke New Customized Web Search");
Line Deleted : user_pref("browser.search.defaultthis.engineName", "WhiteSmoke New Customized Web Search");
Line Deleted : user_pref("browser.search.defaulturl", "hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT3289847&CUI=UN20871659092384527&UM=2&SearchSource=3&q={searchTerms}");
Line Deleted : user_pref("browser.search.selectedEngine", "WhiteSmoke New Customized Web Search");
Line Deleted : user_pref("browser.startup.homepage", "hxxp://search.conduit.com/?ctid=CT3289847&CUI=UN20871659092384527&UM=2&SearchSource=13");
Line Deleted : user_pref("keyword.URL", "hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT3289847&SearchSource=2&CUI=UN20871659092384527&UM=2&q=");
Line Deleted : user_pref("smartbar.addressBarOwnerCTID", "CT3289847");
Line Deleted : user_pref("smartbar.conduitHomepageList", "hxxp://search.conduit.com/?ctid=CT3289075&CUI=UN22667055591281762&UM=2&SearchSource=13&sspv=SSPV_AB_FF_2,hxxp://search.conduit.com/?ctid=CT3289847&CUI=UN2087[...]
Line Deleted : user_pref("smartbar.conduitSearchAddressUrlList", "hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT3289075&SearchSource=2&CUI=UN22667055591281762&UM=2&sspv=SSPV_AB_FF_2&q=,hxxp://search.conduit.com/R[...]
Line Deleted : user_pref("smartbar.defaultSearchOwnerCTID", "CT3289847");
Line Deleted : user_pref("smartbar.homePageOwnerCTID", "CT3289847");
Line Deleted : user_pref("smartbar.machineId", "KRB2TSNBD5EBMC7Y5DEORACV5RN7Q0MMEO1O5ALWK5WZNKO5XDNZMSERDW0OCLDCDLZDMCII67BODXV/2CWDUG");

*************************

AdwCleaner[R0].txt - [10194 octets] - [07/06/2014 09:13:39]
AdwCleaner[S0].txt - [10246 octets] - [07/06/2014 09:32:45]

########## EOF - C:\AdwCleaner\AdwCleaner[S0].txt - [10307 octets] ##########



Malwarebytes Anti-Malware 1.75.0.1300

Database version: v2014.06.07.02

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 11.0.9600.17107
Anthony X :: ANTHONYX [administrator]

6/7/2014 10:02:51 AM
mbam-log-2014-06-07 (10-02-51).txt

Scan type: Full scan (C:\|D:\|)
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 527705
Time elapsed: 2 hour(s), 36 minute(s), 8 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 1
HKLM\SOFTWARE\BROWSERSAFEGUARD (PUP.Optional.BrowserSafeGuard.A) -> Quarantined and deleted successfully.

Registry Values Detected: 1
HKLM\SOFTWARE\Browsersafeguard|sourceid (PUP.Optional.BrowserSafeGuard.A) -> Data: google_zoomdownloadmngr-display-US-728x90-23609154882 -> Quarantined and deleted successfully.

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)




Results of screen317's Security Check version 0.99.83
Windows 7 Service Pack 1 x64 (UAC is enabled)
Internet Explorer 11
``````````````Antivirus/Firewall Check:``````````````
Windows Security Center service is not running! This report may not be accurate!
Windows Firewall Enabled!
avast! Antivirus
Antivirus up to date!
`````````Anti-malware/Other Utilities Check:`````````
Malwarebytes Anti-Malware version 1.75.0.1300
Adobe Flash Player 13.0.0.214
Adobe Reader 10.1.10 Adobe Reader out of Date!
Mozilla Firefox 13.0.1 Firefox out of Date!
````````Process Check: objlist.exe by Laurent````````
AVAST Software Avast AvastSvc.exe
AVAST Software Avast AvastUI.exe
AVAST Software Avast afwServ.exe
`````````````````System Health check`````````````````
Total Fragmentation on Drive C: 0%
````````````````````End of Log``````````````````````

Anthony X
Intermediate

Posts : 94
Joined : 2009-05-17
OS : vista
Points : 27840
# Likes : 0


Solved Re: My computer is infected- please help!

Post by Superdave on Sat Jun 07, 2014 10:34 pm

Hello and welcome to GeekPolice.Net. My name is Dave. I will be helping you out with your particular problem on your computer.

1. I will be working on your Malware issues. This may or may not solve other issues you have with your machine.
2. The fixes are specific to your problem and should only be used for this issue on this machine.
3. If you don't know or understand something, please don't hesitate to ask.
4. Please DO NOT run any other tools or scans while I am helping you.
5. It is important that you reply to this thread. Do not start a new topic.
6. Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.
7. Absence of symptoms does not mean that everything is clear.

If you can't access the internet with your infected computer you will have to download and transfer any programs to the computer you're using now and transfer them to the infected computer with a CD-RW or a USB storage device. I prefer a CD because a storage device can get infected. If you use a storage device hold the shift key down while inserting the USB storage device for about 10 secs. You will also have to transfer the logs you receive back to the good computer using the same method until we can get the computer back on-line.
*************************************************************************
Please download [You must be registered and logged in to see this link.] to your desktop.

Warning! Once the scan is complete JRT will shut down your browser with NO warning.

Shut down your protection software now to avoid potential conflicts.

• Temporarily disable your Antivirus and any Antispyware real time protection before performing a scan. Click [You must be registered and logged in to see this link.] link to see a list of security programs that should be disabled and how to disable them.

• Run the tool by double-clicking it. If you are using Windows Vista or Windows 7, right-click JRT and select Run as Administrator.

• The tool will open and start scanning your system.

• Please be patient as this can take a while to complete depending on your system's specifications.

• On completion, a log (JRT.txt) is saved to your desktop and will automatically open.

• Copy and Paste the JRT.txt log into your next message.
*****************************************
Please download [You must be registered and logged in to see this link.] to the desktop and run it on the computer with the issue.
Note: You need to run the version compatible with your system. If you are not sure which version applies to your system, download both of them and try to run them. Only one of them will run on your system; that will be the right version.

Make sure FRST is run under administrator privileges.
Make sure that the Whitelist section is checked. Otherwise, the log will be very long.
Your security programs may prevent the tool from running. If this happens, disable the security program until the scan is completed.

  • Right click to run as administrator (XP users click run after receipt of Windows Security Warning - Open File). When the tool opens click Yes to disclaimer.

  • Press "Scan".


  • It will create a log (FSS.txt) in the same directory the tool is run.
  • Please copy and paste the log to your reply.
  • The first time the tool is run it generates another log (Addition.txt - also located in the same directory as FRST.exe/FRST64.exe). Please also paste that along with the FRST.txt into your reply.


Superdave
Captain

Posts : 4202
Joined : 2010-02-01
Gender : Male
OS : Windows 8.1 and a dual-boot with XP Home SP3
Protection : MSE, Windows Defender, Windows firewall
Points : 83181
# Likes : 0


Solved JRT and FSS

Post by Anthony X on Sat Jun 07, 2014 11:21 pm

Dear Super Dave,
God bless you and your help. I ran JRT and FSS. Logs posted below. Did I run FSS right? It was really quick and just a short log. I did not see an 'addition.txt' come up.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Thisisu
Version: 6.1.4 (04.06.2014:1)
OS: Windows 7 Home Premium x64
Ran by Anthony X on Sat 06/07/2014 at 15:51:54.39
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~




~~~ Services



~~~ Registry Values



~~~ Registry Keys

Successfully deleted: [Registry Key] HKEY_CURRENT_USER\Software\AppDataLow\software\whitesmoke_new
Successfully deleted: [Registry Key] HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{BF6E1830-885A-48BB-A410-0145666F50DB}



~~~ Files



~~~ Folders

Failed to delete: [Folder] "C:\ProgramData\boost_interprocess"
Successfully deleted: [Folder] "C:\Users\Anthony X\AppData\Roaming\thinstall"
Successfully deleted: [Empty Folder] C:\Users\Anthony X\appdata\local\{08536B9E-EC71-4316-8BC2-AEAE7AAFB70B}
Successfully deleted: [Empty Folder] C:\Users\Anthony X\appdata\local\{2A78D387-17FE-4EEC-B1A7-54DFE66BD5B5}
Successfully deleted: [Empty Folder] C:\Users\Anthony X\appdata\local\{3F499E9C-E3E2-48ED-875C-7198F4165617}
Successfully deleted: [Empty Folder] C:\Users\Anthony X\appdata\local\{3FB447B8-CCC9-40F6-9FDA-AA5C96FED420}
Successfully deleted: [Empty Folder] C:\Users\Anthony X\appdata\local\{41E86F25-727A-4F20-9DCC-580E4C118EE4}
Successfully deleted: [Empty Folder] C:\Users\Anthony X\appdata\local\{47AC83C4-78FD-4F2F-8F4A-4C1D396A87A0}
Successfully deleted: [Empty Folder] C:\Users\Anthony X\appdata\local\{4A746501-E20B-4B75-A695-50CFF09544B2}
Successfully deleted: [Empty Folder] C:\Users\Anthony X\appdata\local\{4ADF254E-3CF6-4119-9BE0-61AADAA5E339}
Successfully deleted: [Empty Folder] C:\Users\Anthony X\appdata\local\{4C76E50E-6F23-4030-A1BC-698531986DDF}
Successfully deleted: [Empty Folder] C:\Users\Anthony X\appdata\local\{4E313DDB-3FB0-4414-807F-6065C7C75935}
Successfully deleted: [Empty Folder] C:\Users\Anthony X\appdata\local\{5034C844-687F-459D-AD38-31F2830DC3D0}
Successfully deleted: [Empty Folder] C:\Users\Anthony X\appdata\local\{6232D811-76EE-465F-95C1-90F3168B484D}
Successfully deleted: [Empty Folder] C:\Users\Anthony X\appdata\local\{78621C8A-EE5A-4750-8927-AB9C267AF69D}
Successfully deleted: [Empty Folder] C:\Users\Anthony X\appdata\local\{7B8AD55E-2359-44BA-834A-7CE95F64652B}
Successfully deleted: [Empty Folder] C:\Users\Anthony X\appdata\local\{7DFF3D82-C5F4-48B9-9A10-A4DD6EAD7C95}
Successfully deleted: [Empty Folder] C:\Users\Anthony X\appdata\local\{7EEBC1FD-24DD-44E5-8542-75712812037A}
Successfully deleted: [Empty Folder] C:\Users\Anthony X\appdata\local\{83E2CB40-6B52-4D4F-98C3-AC1F35237DAF}
Successfully deleted: [Empty Folder] C:\Users\Anthony X\appdata\local\{9A928587-0A9B-4A5D-8469-722264EA3C27}
Successfully deleted: [Empty Folder] C:\Users\Anthony X\appdata\local\{B7324BA4-884E-4AA5-9A64-8D6A7917849F}
Successfully deleted: [Empty Folder] C:\Users\Anthony X\appdata\local\{B8AB3163-1F3B-4FFA-B026-5D123133C4F0}
Successfully deleted: [Empty Folder] C:\Users\Anthony X\appdata\local\{D9F8327C-CD86-494E-8215-314791B4BA67}
Successfully deleted: [Empty Folder] C:\Users\Anthony X\appdata\local\{F36B1E5A-2A52-4F0B-B828-A3699CABC040}
Successfully deleted: [Empty Folder] C:\Users\Anthony X\appdata\local\{FC7067FF-AC8E-46C4-8F41-91329D3BD827}
Successfully deleted: [Empty Folder] C:\Users\Anthony X\appdata\local\{FDCD62DD-7C4F-448C-ADFC-C29E96AF611F}



~~~ Event Viewer Logs were cleared





~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on Sat 06/07/2014 at 16:15:27.58
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~




Farbar Service Scanner Version: 21-05-2014
Ran by Anthony X (administrator) on 07-06-2014 at 16:16:43
Running from "C:\Users\Anthony X\Desktop"
Microsoft Windows 7 Home Premium Service Pack 1 (X64)
Boot Mode: Normal
****************************************************************

Internet Services:
============

Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Google.com is accessible.
Yahoo.com is accessible.
IE proxy is enabled.
ProxyServer: http=127.0.0.1:49201;https=127.0.0.1:49201


Other Services:
==============


File Check:
========
C:\Windows\System32\nsisvc.dll => MD5 is legit
C:\Windows\System32\drivers\nsiproxy.sys => MD5 is legit
C:\Windows\System32\dhcpcore.dll => MD5 is legit
C:\Windows\System32\drivers\afd.sys => MD5 is legit
C:\Windows\System32\drivers\tdx.sys => MD5 is legit
C:\Windows\System32\Drivers\tcpip.sys => MD5 is legit
C:\Windows\System32\dnsrslvr.dll => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\rpcss.dll => MD5 is legit


**** End of log ****


Anthony X
Intermediate

Posts : 94
Joined : 2009-05-17
OS : vista
Points : 27840
# Likes : 0


Solved Re: My computer is infected- please help!

Post by Superdave on Sat Jun 07, 2014 11:47 pm

Please download [You must be registered and logged in to see this link.] to Desktop and run it.



Checkmark the following boxes:

  • Flush DNS
  • Report IE Proxy Settings
  • Reset IE Proxy Settings
  • List content of Hosts
  • List IP Configuration
  • List Last 10 Event Viewer Errors
  • List Users, Partitions and Memory Size

Click Go and copy/paste the log (Result.txt) into your next post.

Superdave
Captain

Posts : 4202
Joined : 2010-02-01
Gender : Male
OS : Windows 8.1 and a dual-boot with XP Home SP3
Protection : MSE, Windows Defender, Windows firewall
Points : 83181
# Likes : 0


Solved Mini Tool

Post by Anthony X on Sun Jun 08, 2014 12:27 am

Super Dave,
Thank you. Pasted below.

MiniToolBox by Farbar Version: 23-01-2014
Ran by Anthony X (administrator) on 07-06-2014 at 17:24:18
Running from "C:\Users\Anthony X\Desktop"
Microsoft Windows 7 Home Premium Service Pack 1 (X64)
Boot Mode: Normal
***************************************************************************

========================= Flush DNS: ===================================

Windows IP Configuration

Successfully flushed the DNS Resolver Cache.

========================= IE Proxy Settings: ==============================

Proxy is enabled.
ProxyServer: http=127.0.0.1:49201;https=127.0.0.1:49201

"Reset IE Proxy Settings": IE Proxy Settings were reset.
========================= Hosts content: =================================

127.0.0.1 hl2rcv.adobe.com
127.0.0.1 activate.adobe.com
127.0.0.1 practivate.adobe.com
127.0.0.1 ereg.adobe.com
127.0.0.1 activate.wip3.adobe.com
127.0.0.1 wip3.adobe.com
127.0.0.1 3dns-3.adobe.com
127.0.0.1 3dns-2.adobe.com
127.0.0.1 adobe-dns.adobe.com
127.0.0.1 adobe-dns-2.adobe.com
127.0.0.1 adobe-dns-3.adobe.com
127.0.0.1 ereg.wip3.adobe.com
127.0.0.1 activate-sea.adobe.com
127.0.0.1 wwis-dubc1-vip60.adobe.com
127.0.0.1 activate-sjc0.adobe.com
127.0.0.1 adobe.activate.com
127.0.0.1 adobeereg.com
127.0.0.1 [You must be registered and logged in to see this link.]
127.0.0.1 wwis-dubc1-vip60.adobe.com
127.0.0.1 125.252.224.90

There are 1 more lines starting with "127.0.0.1"

========================= IP Configuration: ================================

Intel(R) Centrino(R) Wireless-N 1030 = Wireless Network Connection (Connected)
Bluetooth Device (Personal Area Network) = Bluetooth Network Connection (Media disconnected)
Microsoft Virtual WiFi Miniport Adapter = Wireless Network Connection 2 (Media disconnected)
Microsoft Virtual WiFi Miniport Adapter = Wireless Network Connection 3 (Media disconnected)


# ----------------------------------
# IPv4 Configuration
# ----------------------------------
pushd interface ipv4

reset
set global icmpredirects=enabled


popd
# End of IPv4 configuration



Windows IP Configuration

Host Name . . . . . . . . . . . . : AnthonyX
Primary Dns Suffix . . . . . . . :
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : socal.rr.com

Wireless LAN adapter Wireless Network Connection 3:

Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Microsoft Virtual WiFi Miniport Adapter #2
Physical Address. . . . . . . . . : AC-72-89-CE-5D-7F
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes

Wireless LAN adapter Wireless Network Connection 2:

Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Microsoft Virtual WiFi Miniport Adapter
Physical Address. . . . . . . . . : AC-72-89-CE-5D-7F
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes

Ethernet adapter Bluetooth Network Connection:

Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Bluetooth Device (Personal Area Network)
Physical Address. . . . . . . . . : AC-72-89-CE-5D-82
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes

Wireless LAN adapter Wireless Network Connection:

Connection-specific DNS Suffix . : socal.rr.com
Description . . . . . . . . . . . : Intel(R) Centrino(R) Wireless-N 1030
Physical Address. . . . . . . . . : AC-72-89-CE-5D-7E
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
Link-local IPv6 Address . . . . . : fe80::bd52:2270:887b:a82b%11(Preferred)
IPv4 Address. . . . . . . . . . . : 192.168.1.105(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Lease Obtained. . . . . . . . . . : Saturday, June 07, 2014 2:04:21 PM
Lease Expires . . . . . . . . . . : Sunday, June 08, 2014 4:30:41 PM
Default Gateway . . . . . . . . . : 192.168.1.1
DHCP Server . . . . . . . . . . . : 192.168.1.1
DHCPv6 IAID . . . . . . . . . . . : 195850889
DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-16-22-DA-9D-84-8F-69-AF-5D-F0
DNS Servers . . . . . . . . . . . : 209.18.47.61
209.18.47.62
NetBIOS over Tcpip. . . . . . . . : Enabled

Tunnel adapter Reusable ISATAP Interface {750DC487-EA23-47F5-B83B-873B486B55EC}:

Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . : socal.rr.com
Description . . . . . . . . . . . : Microsoft ISATAP Adapter
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes

Tunnel adapter Local Area Connection* 14:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Microsoft Teredo Tunneling Adapter
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
IPv6 Address. . . . . . . . . . . : 2001:0:9d38:6abd:301e:297b:3f57:fe96(Preferred)
Link-local IPv6 Address . . . . . : fe80::301e:297b:3f57:fe96%42(Preferred)
Default Gateway . . . . . . . . . : ::
NetBIOS over Tcpip. . . . . . . . : Disabled

Tunnel adapter isatap.{8B16F82D-82FE-4BFA-AE2C-3F40ABEB0CB6}:

Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Microsoft ISATAP Adapter #2
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes

Tunnel adapter isatap.{504F77BE-5DA8-48DC-8F23-9A96FC2BBA70}:

Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Microsoft ISATAP Adapter #3
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes

Tunnel adapter isatap.{BED4DF89-5FDF-4938-A0BB-2D57B1F0FAEE}:

Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Microsoft ISATAP Adapter #4
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
Server: dns-cac-lb-01.rr.com
Address: 209.18.47.61

Name: google.com
Addresses: 2607:f8b0:4007:801::1007
74.125.239.2
74.125.239.3
74.125.239.4
74.125.239.5
74.125.239.6
74.125.239.7
74.125.239.8
74.125.239.9
74.125.239.14
74.125.239.0
74.125.239.1


Pinging google.com [74.125.224.78] with 32 bytes of data:
Reply from 74.125.224.78: bytes=32 time=32ms TTL=52
Reply from 74.125.224.78: bytes=32 time=13ms TTL=52

Ping statistics for 74.125.224.78:
Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 13ms, Maximum = 32ms, Average = 22ms
Server: dns-cac-lb-01.rr.com
Address: 209.18.47.61

Name: yahoo.com
Addresses: 98.139.183.24
206.190.36.45
98.138.253.109


Pinging yahoo.com [98.139.183.24] with 32 bytes of data:
Reply from 98.139.183.24: bytes=32 time=114ms TTL=45
Reply from 98.139.183.24: bytes=32 time=117ms TTL=45

Ping statistics for 98.139.183.24:
Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 114ms, Maximum = 117ms, Average = 115ms

Pinging 127.0.0.1 with 32 bytes of data:
Reply from 127.0.0.1: bytes=32 time<1ms TTL=128
Reply from 127.0.0.1: bytes=32 time<1ms TTL=128

Ping statistics for 127.0.0.1:
Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms
===========================================================================
Interface List
17...ac 72 89 ce 5d 7f ......Microsoft Virtual WiFi Miniport Adapter #2
16...ac 72 89 ce 5d 7f ......Microsoft Virtual WiFi Miniport Adapter
14...ac 72 89 ce 5d 82 ......Bluetooth Device (Personal Area Network)
11...ac 72 89 ce 5d 7e ......Intel(R) Centrino(R) Wireless-N 1030
1...........................Software Loopback Interface 1
22...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter
42...00 00 00 00 00 00 00 e0 Microsoft Teredo Tunneling Adapter
43...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #2
44...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #3
45...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #4
===========================================================================

IPv4 Route Table
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 192.168.1.1 192.168.1.105 25
127.0.0.0 255.0.0.0 On-link 127.0.0.1 306
127.0.0.1 255.255.255.255 On-link 127.0.0.1 306
127.255.255.255 255.255.255.255 On-link 127.0.0.1 306
192.168.1.0 255.255.255.0 On-link 192.168.1.105 281
192.168.1.105 255.255.255.255 On-link 192.168.1.105 281
192.168.1.255 255.255.255.255 On-link 192.168.1.105 281
224.0.0.0 240.0.0.0 On-link 127.0.0.1 306
224.0.0.0 240.0.0.0 On-link 192.168.1.105 281
255.255.255.255 255.255.255.255 On-link 127.0.0.1 306
255.255.255.255 255.255.255.255 On-link 192.168.1.105 281
===========================================================================
Persistent Routes:
None

IPv6 Route Table
===========================================================================
Active Routes:
If Metric Network Destination Gateway
42 58 ::/0 On-link
1 306 ::1/128 On-link
42 58 2001::/32 On-link
42 306 2001:0:9d38:6abd:301e:297b:3f57:fe96/128 On-link
11 281 fe80::/64 On-link
42 306 fe80::/64 On-link
42 306 fe80::301e:297b:3f57:fe96/128 On-link
11 281 fe80::bd52:2270:887b:a82b/128 On-link
1 306 ff00::/8 On-link
11 281 ff00::/8 On-link
42 306 ff00::/8 On-link
===========================================================================
Persistent Routes:
None

========================= Event log errors: ===============================

Application errors:
==================

System errors:
=============
Error: (06/07/2014 04:17:47 PM) (Source: DCOM) (User: )
Description: {995C996E-D918-4A8C-A302-45719A6F4EA7}


Microsoft Office Sessions:
=========================

========================= Memory info: ===================================

Percentage of memory in use: 33%
Total physical RAM: 8086.17 MB
Available physical RAM: 5407.65 MB
Total Pagefile: 16170.52 MB
Available Pagefile: 13112.69 MB
Total Virtual: 4095.88 MB
Available Virtual: 3968.7 MB

========================= Partitions: =====================================

1 Drive c: (OS) (Fixed) (Total:679 GB) (Free:539.85 GB) NTFS
3 Drive e: (Lexar) (Removable) (Total:3.73 GB) (Free:0.08 GB) FAT32

========================= Users: ========================================

User accounts for \\ANTHONYX

Administrator Anthony X Guest


**** End of log ****

Anthony X
Intermediate
Posts : 94
Joined : 2009-05-17
OS : vista
Points : 27840
# Likes : 0

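The `route print` output in the log above is one of the checks a helper uses to tell a hijacked network path from a healthy one: the default route must point at a gateway the host can actually reach, and nothing should be quietly steering traffic through another hop. As an added example (not code from the thread or from either poster), the Python script below parses a pasted IPv4 route table, confirms the default gateway sits inside an on-link subnet of its interface, and lists any explicit-gateway or persistent routes for review. POSTED_TABLE is the table from the post above; SUSPICIOUS_TABLE is constructed, with a hypothetical gateway 10.99.0.1 and a hypothetical host route, to show what the checks flag.

```python
"""Triage a pasted Windows `route print` IPv4 table for signs of route tampering.

Added example, not from the forum thread. POSTED_TABLE is the table the poster
pasted; SUSPICIOUS_TABLE is constructed (gateway 10.99.0.1 and the 8.8.8.8 host
route are hypothetical) to show what the checks flag.
"""
import ipaddress
import re
from dataclasses import dataclass

IPV4 = r"(\d{1,3}(?:\.\d{1,3}){3})"
# Active route: destination, netmask, gateway (dotted quad or "On-link"), interface, metric
ACTIVE_RE = re.compile(rf"^{IPV4}\s+{IPV4}\s+(\S+)\s+{IPV4}\s+(\d+)$")
# Persistent route: destination, netmask, gateway, metric (a number or "Default")
PERSIST_RE = re.compile(rf"^{IPV4}\s+{IPV4}\s+{IPV4}\s+(\S+)$")


@dataclass(frozen=True)
class Route:
    dest: str
    mask: str
    gateway: str  # dotted quad, or "On-link" for directly connected networks
    iface: str    # interface address; empty for persistent entries
    metric: int

    @property
    def network(self) -> ipaddress.IPv4Network:
        return ipaddress.IPv4Network((self.dest, self.mask), strict=False)


def parse_ipv4_routes(text):
    """Split the IPv4 section of `route print` into (active, persistent) Route lists."""
    active, persistent, state = [], [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("IPv4 Route Table"):
            state = "ipv4"
        elif line.startswith("IPv6 Route Table"):
            break
        elif state is None:
            continue  # still in the interface list or other preamble
        elif line.startswith("Active Routes"):
            state = "active"
        elif line.startswith("Persistent Routes"):
            state = "persistent"
        elif state == "active" and (m := ACTIVE_RE.match(line)):
            active.append(Route(m[1], m[2], m[3], m[4], int(m[5])))
        elif state == "persistent" and (m := PERSIST_RE.match(line)):
            metric = int(m[4]) if m[4].isdigit() else -1
            persistent.append(Route(m[1], m[2], m[3], "", metric))
    return active, persistent


def triage(text):
    """Return human-readable findings; an empty list means nothing looked off."""
    active, persistent = parse_ipv4_routes(text)
    findings = []

    defaults = [r for r in active if r.network.prefixlen == 0]
    if len(defaults) != 1:
        findings.append(f"{len(defaults)} default routes present (expected exactly one)")

    # Subnets the host reaches directly; loopback, multicast and /32 entries are not candidates.
    onlink = [r for r in active
              if r.gateway == "On-link" and r.network.prefixlen < 32
              and not (r.network.is_loopback or r.network.is_multicast)]
    for r in defaults:
        gw = ipaddress.IPv4Address(r.gateway)
        if not any(gw in o.network and o.iface == r.iface for o in onlink):
            findings.append(f"default gateway {r.gateway} is not inside any on-link subnet "
                            f"of interface {r.iface}")

    # A non-default route naming a gateway was added on purpose by something; list it.
    for r in active:
        if r.gateway != "On-link" and r.network.prefixlen > 0:
            findings.append(f"explicit gateway route {r.network} via {r.gateway}: "
                            "verify it was added deliberately")

    # Persistent routes survive reboot, so they are where a lasting hijack would live.
    for r in persistent:
        findings.append(f"persistent route {r.network} via {r.gateway}: "
                        "verify it was added deliberately")
    return findings


# Table from the post above (IPv6 section truncated to its header).
POSTED_TABLE = """\
IPv4 Route Table
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 192.168.1.1 192.168.1.105 25
127.0.0.0 255.0.0.0 On-link 127.0.0.1 306
127.0.0.1 255.255.255.255 On-link 127.0.0.1 306
192.168.1.0 255.255.255.0 On-link 192.168.1.105 281
192.168.1.105 255.255.255.255 On-link 192.168.1.105 281
192.168.1.255 255.255.255.255 On-link 192.168.1.105 281
224.0.0.0 240.0.0.0 On-link 192.168.1.105 281
255.255.255.255 255.255.255.255 On-link 192.168.1.105 281
===========================================================================
Persistent Routes:
None

IPv6 Route Table
"""

# Constructed: default route via a gateway off the LAN, a pinned host route, and a persistent copy.
SUSPICIOUS_TABLE = """\
IPv4 Route Table
Active Routes:
0.0.0.0 0.0.0.0 10.99.0.1 192.168.1.105 25
127.0.0.0 255.0.0.0 On-link 127.0.0.1 306
192.168.1.0 255.255.255.0 On-link 192.168.1.105 281
8.8.8.8 255.255.255.255 192.168.1.250 192.168.1.105 26
Persistent Routes:
0.0.0.0 0.0.0.0 10.99.0.1 1
"""

if __name__ == "__main__":
    for name, table in (("posted", POSTED_TABLE), ("suspicious", SUSPICIOUS_TABLE)):
        print(name, triage(table) or ["nothing flagged"])
```

The "explicit gateway" and "persistent" findings are review items rather than verdicts: VPN clients and some enterprise agents add such routes legitimately, so compare them against what is installed before treating them as a hijack.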

Re: My computer is infected- please help!

Post by Superdave on Sun Jun 08, 2014 1:29 am

Malwarebytes' Anti-Rootkit

Please download [You must be registered and logged in to see this link.] and save it to your desktop.

  • Be sure to print out and follow the instructions provided on that same page for performing a scan.
  • Caution: This is a beta version so also read the disclaimer and [You must be registered and logged in to see this link.] all your data before using.
  • When the scan completes, click on the Cleanup button to remove any threats found and reboot the computer if prompted to do so.
  • Perform another scan with Malwarebytes Anti-Rootkit to verify that no threats remain. If they do, then click Cleanup once more and repeat the process.
  • If there are problems with Internet access, Windows Update, Windows Firewall or other system issues, run the fixdamage tool located in the folder Malwarebytes Anti-Rootkit was run from and reboot your computer.
  • Two files (mbar-log-YYYY-MM-DD, system-log.txt) will be created and saved within that same folder.
  • Copy and paste the contents of these two log files in your next reply.


Superdave
Captain
Posts : 4202
Joined : 2010-02-01
Gender : Male
OS : Windows 8.1 and a dual-boot with XP Home SP3
Protection : MSE, Windows Defender, Windows firewall
Points : 83181
# Likes : 0


Super Dave you are the man!

Post by Anthony X on Sun Jun 08, 2014 6:35 am

Super Daaaave!!!

Thank youuuuuuu!!!!! My computer is back, baby! I'm back!! I owe it all to you.... thank you!!!!!

I am headed over to the DONATE now!

Anthony X


Re: My computer is infected- please help!

Post by Superdave on Sun Jun 08, 2014 5:07 pm

I would still like for you to run the Malwarebytes Anti-Rootkit scan and also this one to make sure everything is gone.

I'd like to scan your machine with ESET OnlineScan

• Hold down Control and click on the following link to open ESET OnlineScan in a new window.
[You must be registered and logged in to see this link.]

• Click the button.
• For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)

  • Click on to download the ESET Smart Installer. Save it to your desktop.
  • Double click on the icon on your desktop.

• Check
• Click the button.
• Accept any security warnings from your browser.

  • Leave the check mark next to Remove found threats.

• Check
• Push the Start button.
• ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
• When the scan completes, push
• Push , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
• Push the button.
• Push
A log file will be saved here: C:\Program Files\ESET\ESET Online Scanner\log.txt


ESET run

Post by Anthony X on Sun Jun 08, 2014 8:17 pm

Superdave,

I ran the ESET and it found 13 potentially malicious items, with the name Conduit, which is what we were seeing at the outset. This worried me but I think those files are under quarantine with CDW. Anyway I clicked to delete and ESET said that all was clean. I ran a Malwarebytes full scan and got zero malicious items.

The ESET report screen is not visible to me, I don't know how to get the log. It just closed itself after I deleted the bad files.

Anthony X


Re: My computer is infected- please help!

Post by Superdave on Sun Jun 08, 2014 10:44 pm

Ok, let's do some cleanup.

Click Start> Computer> right click the C Drive and choose Properties> enter
Click Disk Cleanup from there.

Click OK on the Disk Cleanup Screen.
Click Yes on the Confirmation screen.

This runs the Disk Cleanup utility along with other selections if you have chosen any. (If you had a lot of System Restore points, you will see a significant change in the free space in C drive.)
******************************************
Go to [You must be registered and logged in to see this link.] and get all critical updates.

----------

I suggest using [You must be registered and logged in to see this link.]. WOT is a free Internet security addon for your browser. It will keep you safe from online scams, identity theft, spyware, spam, viruses and unreliable shopping sites. WOT warns you before you interact with a risky website. It's easy and it's free.

Check out [You must be registered and logged in to see this link.] for tips and free tools to help keep you safe in the future.

Also see [You must be registered and logged in to see this link.] for free cleaning/maintenance tools to help keep your computer running smoothly.
Safe Surfing!

