[godawgs]

Hi Matt,

The TDSSKiller log is clean. After this run, please let me know if any issues remain. I want to check for any residual malware files. For Steps 1 and 2 please disable any screen saver you might have running.


Step-1.

Malwarebytes' Anti-Malware

Close all programs and browsers on your computer.

Windows Vista/7 users will need to right click on the MalwareBytes icon and click Run As Administrator, then click the Continue button on the UAC window.) You will now be at the main program as shown below.

• Click the Update tab and update the program if required.
• Click the Scanner tab, make sure the the Perform full scan option is selected and then click on the Scan button to start scanning your computer.
• MBAM will now start scanning your computer for malware. This process can take quite a while, so I suggest you go and do something else and periodically check on the status of the scan. When MBAM is scanning it will look like the image below.
  
  
  
• When the scan is finished a message box will appear as shown in the image below.
  
  
  You should click on the OK button to close the message box and continue with the removal process.
  
• You will now be back at the main Scanner screen. At this point you should click on the Show Results button.
• A screen displaying all the malware that the program found will be shown as seen in the image below. Please note that the infections found may be different than what is shown in the image.
  
  
  
• Make sure that everything is checked EXCEPT items in System Restore, and click Remove Selected.<---Very Important
• When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
• The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
• Copy&Paste the entire report in your next reply.

Extra Note: If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.


Step-2.

Run ESET Online Scanner:

Note: You can use either Internet Explorer or Mozilla FireFox for this scan. You will however need to disable your current installed Anti-Virus, how to do so can be read here.

Vista / 7 users: You will need to to right-click on the either the IE or FF icon in the Start Menu or Quick Launch Bar on the Taskbar and select Run as Administrator from the context menu.

• Please go here then click on:
  
  

  Note: If using Mozilla Firefox you will need to download esetsmartinstaller_enu.exe when prompted then double click on it to install.
  All of the below instructions are compatible with either Internet Explorer or Mozilla FireFox.

• Select the option YES, I accept the Terms of Use then click on:
• When prompted allow the Add-On/Active X to install.
• Uncheck the box beside Remove Found Threats
• Make sure that the option Scan archives is checked.
• Now click on Advanced Settings and select the following:
  • Scan for potentially unwanted applications
  • Scan for potentially unsafe applications
  • Enable Anti-Stealth Technology
• Now click on:
• The virus signature database... will begin to download. Be patient this make take some time depending on the speed of your Internet Connection.
• When completed the Online Scan will begin automatically. The scan may take several hours.
• Wait for the scan to finish. Do not touch either the Mouse or keyboard during the scan. Otherwise it may stall.

When The Scan is Complete:

• If No Threats Were Found:
  • Put a checkmark in "Uninstall application on close"
  • Close the program
  • Report to me that nothing was found
• If Threats Were Found:
  • Click on "list of threats found"
  • Click on "export to text file" and save it to the desktop as ESET SCAN.txt
  • Click on Back
  • Put a checkmark in "Uninstall application on close" (Be sure you have saved the file first)
  • Click on Finish
  • Close the program
  • Copy and paste the report here

Note: Do not forget to re-enable your Anti-Virus application after running the above scan!


Step-3.

Run Farbar Service Scanner

Please download Farbar Service Scanner to the desktop.
Vista and 7 users may need to right click the file and click Run as Administrator)

• 
• Make sure the following options are checked:
  • Internet Services
  • Windows Firewall
  • System Restore
  • Security Center
  • Windows Update
  • Windows Defender
  • Other Services
• Press "Scan".
• It will create a log (FSS.txt) in the same directory the tool is run.
• Please copy and paste the log to your reply.

Step-4.

Things For Your Next Post:
Please post the logs in the order requested. Do Not attach the logs unless I request it.
1. The MalwareBytes log
2. The ESET log (IF it found anything). If it didn't just tell me.
3. The FSS.txt log
4. How is the computer running now?

[Advertisements]

Malwarebytes Anti-Malware 1.75.0.1300
www.malwarebytes.org

Database version: v2013.05.02.04

Windows 7 Service Pack 1 x86 NTFS
Internet Explorer 9.0.8112.16421
Matt :: MATT-PC [administrator]

5/2/2013 10:41:38 PM
mbam-log-2013-05-02 (22-41-38).txt

Scan type: Full scan (C:\|E:\|F:\|G:\|H:\|)
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 376793
Time elapsed: 1 hour(s), 14 minute(s), 24 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)


H:\MATT-PC\Backup Set 2012-05-14 160002\Backup Files 2012-05-14 160002\Backup files 13.zip Win32/Toolbar.SearchSuite application
H:\MATT-PC\Backup Set 2012-05-14 160002\Backup Files 2012-05-14 160002\Backup files 7.zip multiple threats
H:\MATT-PC\Backup Set 2012-06-04 160006\Backup Files 2012-06-04 160006\Backup files 13.zip Win32/Toolbar.SearchSuite application
H:\MATT-PC\Backup Set 2012-06-04 160006\Backup Files 2012-06-04 160006\Backup files 7.zip multiple threats
H:\MATT-PC\Backup Set 2012-06-04 160006\Backup Files 2012-06-11 160001\Backup files 1.zip a variant of Win32/Bunndle application
H:\MATT-PC\Backup Set 2012-06-25 160001\Backup Files 2012-06-25 160001\Backup files 13.zip Win32/Toolbar.SearchSuite application
H:\MATT-PC\Backup Set 2012-06-25 160001\Backup Files 2012-06-25 160001\Backup files 7.zip multiple threats
H:\MATT-PC\Backup Set 2012-08-20 160003\Backup Files 2012-08-20 160003\Backup files 13.zip Win32/Toolbar.SearchSuite application
H:\MATT-PC\Backup Set 2012-08-20 160003\Backup Files 2012-08-20 160003\Backup files 7.zip multiple threats
H:\MATT-PC\Backup Set 2012-10-08 160011\Backup Files 2012-10-08 160011\Backup files 13.zip Win32/Toolbar.SearchSuite application
H:\MATT-PC\Backup Set 2012-12-17 160011\Backup Files 2012-12-17 160011\Backup files 15.zip Win32/Toolbar.SearchSuite application
H:\MATT-PC\Backup Set 2013-02-04 160005\Backup Files 2013-02-04 160005\Backup files 14.zip Win32/Toolbar.SearchSuite application
H:\MATT-PC\Backup Set 2013-03-18 160005\Backup Files 2013-03-18 160005\Backup files 14.zip Win32/Toolbar.SearchSuite application



Farbar Service Scanner Version: 14-04-2013
Ran by Matt (administrator) on 03-05-2013 at 08:51:49
Running from "C:\Users\Matt\Desktop"
Windows 7 Ultimate Service Pack 1 (X86)
Boot Mode: Normal
****************************************************************

Internet Services:
============

Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Google.com is accessible.
Attempt to access Yahoo IP returned error. Yahoo IP is offline
Yahoo.com is accessible.


Windows Firewall:
=============

Firewall Disabled Policy:
==================


System Restore:
============

System Restore Disabled Policy:
========================


Action Center:
============

Windows Update:
============

Windows Autoupdate Disabled Policy:
============================


Windows Defender:
==============
WinDefend Service is not running. Checking service configuration:
The start type of WinDefend service is set to Demand. The default start type is Auto.
The ImagePath of WinDefend service is OK.
The ServiceDll of WinDefend service is OK.


Windows Defender Disabled Policy:
==========================
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender]
"DisableAntiSpyware"=DWORD:1


Other Services:
==============


File Check:
========
C:\Windows\system32\nsisvc.dll => MD5 is legit
C:\Windows\system32\Drivers\nsiproxy.sys => MD5 is legit
C:\Windows\system32\dhcpcore.dll => MD5 is legit
C:\Windows\system32\Drivers\afd.sys => MD5 is legit
C:\Windows\system32\Drivers\tdx.sys => MD5 is legit
C:\Windows\system32\Drivers\tcpip.sys => MD5 is legit
C:\Windows\system32\dnsrslvr.dll => MD5 is legit
C:\Windows\system32\mpssvc.dll => MD5 is legit
C:\Windows\system32\bfe.dll => MD5 is legit
C:\Windows\system32\Drivers\mpsdrv.sys => MD5 is legit
C:\Windows\system32\SDRSVC.dll => MD5 is legit
C:\Windows\system32\vssvc.exe => MD5 is legit
C:\Windows\system32\wscsvc.dll => MD5 is legit
C:\Windows\system32\wbem\WMIsvc.dll => MD5 is legit
C:\Windows\system32\wuaueng.dll => MD5 is legit
C:\Windows\system32\qmgr.dll => MD5 is legit
C:\Windows\system32\es.dll => MD5 is legit
C:\Windows\system32\cryptsvc.dll => MD5 is legit
C:\Program Files\Windows Defender\MpSvc.dll => MD5 is legit
C:\Windows\system32\ipnathlp.dll => MD5 is legit
C:\Windows\system32\iphlpsvc.dll => MD5 is legit
C:\Windows\system32\svchost.exe => MD5 is legit
C:\Windows\system32\rpcss.dll => MD5 is legit


**** End of log ****

[MattDMan1984]

Malwarebytes Anti-Malware 1.75.0.1300
www.malwarebytes.org

Database version: v2013.05.02.04

Windows 7 Service Pack 1 x86 NTFS
Internet Explorer 9.0.8112.16421
Matt :: MATT-PC [administrator]

5/2/2013 10:41:38 PM
mbam-log-2013-05-02 (22-41-38).txt

Scan type: Full scan (C:\|E:\|F:\|G:\|H:\|)
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 376793
Time elapsed: 1 hour(s), 14 minute(s), 24 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)


H:\MATT-PC\Backup Set 2012-05-14 160002\Backup Files 2012-05-14 160002\Backup files 13.zip Win32/Toolbar.SearchSuite application
H:\MATT-PC\Backup Set 2012-05-14 160002\Backup Files 2012-05-14 160002\Backup files 7.zip multiple threats
H:\MATT-PC\Backup Set 2012-06-04 160006\Backup Files 2012-06-04 160006\Backup files 13.zip Win32/Toolbar.SearchSuite application
H:\MATT-PC\Backup Set 2012-06-04 160006\Backup Files 2012-06-04 160006\Backup files 7.zip multiple threats
H:\MATT-PC\Backup Set 2012-06-04 160006\Backup Files 2012-06-11 160001\Backup files 1.zip a variant of Win32/Bunndle application
H:\MATT-PC\Backup Set 2012-06-25 160001\Backup Files 2012-06-25 160001\Backup files 13.zip Win32/Toolbar.SearchSuite application
H:\MATT-PC\Backup Set 2012-06-25 160001\Backup Files 2012-06-25 160001\Backup files 7.zip multiple threats
H:\MATT-PC\Backup Set 2012-08-20 160003\Backup Files 2012-08-20 160003\Backup files 13.zip Win32/Toolbar.SearchSuite application
H:\MATT-PC\Backup Set 2012-08-20 160003\Backup Files 2012-08-20 160003\Backup files 7.zip multiple threats
H:\MATT-PC\Backup Set 2012-10-08 160011\Backup Files 2012-10-08 160011\Backup files 13.zip Win32/Toolbar.SearchSuite application
H:\MATT-PC\Backup Set 2012-12-17 160011\Backup Files 2012-12-17 160011\Backup files 15.zip Win32/Toolbar.SearchSuite application
H:\MATT-PC\Backup Set 2013-02-04 160005\Backup Files 2013-02-04 160005\Backup files 14.zip Win32/Toolbar.SearchSuite application
H:\MATT-PC\Backup Set 2013-03-18 160005\Backup Files 2013-03-18 160005\Backup files 14.zip Win32/Toolbar.SearchSuite application



Farbar Service Scanner Version: 14-04-2013
Ran by Matt (administrator) on 03-05-2013 at 08:51:49
Running from "C:\Users\Matt\Desktop"
Windows 7 Ultimate Service Pack 1 (X86)
Boot Mode: Normal
****************************************************************

Internet Services:
============

Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Google.com is accessible.
Attempt to access Yahoo IP returned error. Yahoo IP is offline
Yahoo.com is accessible.


Windows Firewall:
=============

Firewall Disabled Policy:
==================


System Restore:
============

System Restore Disabled Policy:
========================


Action Center:
============

Windows Update:
============

Windows Autoupdate Disabled Policy:
============================


Windows Defender:
==============
WinDefend Service is not running. Checking service configuration:
The start type of WinDefend service is set to Demand. The default start type is Auto.
The ImagePath of WinDefend service is OK.
The ServiceDll of WinDefend service is OK.


Windows Defender Disabled Policy:
==========================
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender]
"DisableAntiSpyware"=DWORD:1


Other Services:
==============


File Check:
========
C:\Windows\system32\nsisvc.dll => MD5 is legit
C:\Windows\system32\Drivers\nsiproxy.sys => MD5 is legit
C:\Windows\system32\dhcpcore.dll => MD5 is legit
C:\Windows\system32\Drivers\afd.sys => MD5 is legit
C:\Windows\system32\Drivers\tdx.sys => MD5 is legit
C:\Windows\system32\Drivers\tcpip.sys => MD5 is legit
C:\Windows\system32\dnsrslvr.dll => MD5 is legit
C:\Windows\system32\mpssvc.dll => MD5 is legit
C:\Windows\system32\bfe.dll => MD5 is legit
C:\Windows\system32\Drivers\mpsdrv.sys => MD5 is legit
C:\Windows\system32\SDRSVC.dll => MD5 is legit
C:\Windows\system32\vssvc.exe => MD5 is legit
C:\Windows\system32\wscsvc.dll => MD5 is legit
C:\Windows\system32\wbem\WMIsvc.dll => MD5 is legit
C:\Windows\system32\wuaueng.dll => MD5 is legit
C:\Windows\system32\qmgr.dll => MD5 is legit
C:\Windows\system32\es.dll => MD5 is legit
C:\Windows\system32\cryptsvc.dll => MD5 is legit
C:\Program Files\Windows Defender\MpSvc.dll => MD5 is legit
C:\Windows\system32\ipnathlp.dll => MD5 is legit
C:\Windows\system32\iphlpsvc.dll => MD5 is legit
C:\Windows\system32\svchost.exe => MD5 is legit
C:\Windows\system32\rpcss.dll => MD5 is legit


**** End of log ****

[godawgs]

Thanks for the logs. The MBAM scan was clean. ESET found the Search Suite Toolbar application, the W32/Bundle application and some multiple threats in the backups you have on the H: drive. I would suggest that you delete those back ups. When we are done you can make a fresh back up and be sure it doesn't have any adware or malware in it.


You didn't tell me how the computer is running. Are there any remaining issues?

Let's check for programs that need updating.


Run Security Check

Download Security Check from here or here.

• Save it to your Desktop.
• Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
• A Notepad document should open automatically called checkup.txt; please post the contents of that document.

Things For Your Next Post:
Please post the logs in the order requested. Do Not attach the logs unless I request it.
1. Answer my question above.
2. The checkup.txt log

[MattDMan1984]

I do not have any issues remaining from before. The only strange thing I have noticed since you began helping me is YouTube acting strangely: videos will restart suddenly for seemingly no reason or behave as if they have ended prematurely. This is not a major problem, but I thought I would mention it in case it has some significance.


Results of screen317's Security Check version 0.99.63
Windows 7 Service Pack 1 x86 (UAC is enabled)
Internet Explorer 9
``````````````Antivirus/Firewall Check:``````````````
Windows Firewall Enabled!
AVG AntiVirus Free Edition 2013
Antivirus up to date!
`````````Anti-malware/Other Utilities Check:`````````
MVPS Hosts File
Spybot - Search & Destroy
Malwarebytes Anti-Malware version 1.75.0.1300
AVG PC Tuneup 2011 10.0.0.24
AVG PC Tuneup 2011
Java 7 Update 17
Java version out of Date!
Adobe Flash Player 11.6.602.180
Adobe Reader XI
Mozilla Firefox (20.0.1)
Google Chrome 26.0.1410.64
````````Process Check: objlist.exe by Laurent````````
Spybot Teatimer.exe is disabled!
AVG avgwdsvc.exe
AVG avgrsx.exe
AVG avgnsx.exe
AVG avgemc.exe
`````````````````System Health check`````````````````
Total Fragmentation on Drive C:
````````````````````End of Log``````````````````````

[godawgs]

JAVA Advice
WARNING: Java is the #1 exploited program at this time. The Department of Homeland Security recommends that computer users disable Java
See this article and this article.
I would recommend that you completely uninstall Java unless you need it to run an important software or need it to play games on-line.
In that instance I would recommend that you only use Firefox or Chrome to visit those sites and do the following:

• For Firefox, install the NoScript add-on.
• For Chrome, install the Script-No add-on.
  NOTE: After installing the add-ons you will need to tell them that the site you are visiting is allowed to run Java.
• Disable Java in your browsers until you need it for that software and then enable it. (See How to disable Java in your web browser or How to unplug Java from the browser)

If you still want to update your Java, follow the instructions below:

A.
Your version of Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older versions of Java components and update:

• Download the latest version of the Java Runtime Environment (JRE) Version from Here or Here and save it to your desktop.
• Look for "Java Platform, Standard Edition". You will see the current Java version and update number under listed under the heading. Example: The newest update is Java SE 7u21
• Click the "Download JRE" button to the right.
• On the JSE Downloads page, click the button to "Accept License Agreement".
• Under the Java SE Runtime Environment 7u21 heading:
  To install the version for your system:
  • For Windows 32 bit systems, look for Windows x86 Offline 30.2MB, click the jre-7u21-windows-i586.exe file and save it to your desktop. Do Not run it from the Java site.
  • Close any programs you may have running - especially your web browser.
  
  B.
  Uninstall all versions of Java
  
  
  • Click Start > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Click to (highlight) any Java item. These may call themselves: Java Runtime, Runtime Environment, Runtime, JRE, Java Virtual Machine, Virtual Machine, Java VM, JVM, VM, J2RE or J2SE
    The versions I see on the computer are:
    [list] <list Java Versions here>
• Click the Remove or Change/Remove button and follow the on screen instructions for the Java uninstaller.
• Repeat as many times as necessary to remove each Java version.
• Reboot your computer once all Java components are removed.
  -- Starting with Java 6u10, the uninstaller incorporated in each new release uses Enhanced Auto update to automatically remove the previous version when updating to a later update release. It will not remove older versions, so they will need to be removed manually.

C.
Install the latest JAVA

• Back on your desktop:
  • Right click the jre-7u21-Windows-i586.exe file and click Run as Administrator and OK the UAC prompt to install the newest version.
• When the Java Setup - Welcome window opens, click the Install > button.
• If offered to install a Toolbar, just uncheck the box before continuing unless you want it.

-- Java is updated frequently. If you want to be automatically notified of future updates, just turn on the Java Automatic Update feature and you will not have to remember to update when Java releases a new version. It's on the Update tab in Java in the Control Panel.

[Note:] The Java Quick Starter (JQS.exe) adds a service to improve the initial start up time of Java applets and applications. To disable the JQS service if you don't want to use it, go to Start > Control Panel > You will have to be in Classic View to see Java(It looks like a coffee cup). Double-click on Java click the Advanced Tab click Miscellaneous and uncheck the box for Java Quick Starter. Click OK and reboot your computer.


Step-2.

OTL Scan

Please re-open on the desktop. To do that:

• Vista /7 users: right click the icon and click Run as Administrator.

Make sure all other windows are closed .

• You will see a console like the one below:
  
  
  
• At the top of the console, click the box beside Scan All Users
• Make sure the Output box at the top is set to Standard Output.
• In the Extra Registry section click the circle beside Use Safelist.<---Important
• Click the box beside LOP Check and Purity Check
• Click the button. Do not change any settings unless otherwise told to do so.
• Let the scan run uninterrupted.
• When the scan completes, it will open two notepad windows, OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
• Please copy the contents of these files, one at a time, and paste them into your reply. To do that:
• On the .txt file Menu Bar click Edit then click Select All. This will highlight the contents of the file. Then click Copy.
• Right-click inside the forum post window then click Paste. This will paste the contents of the .txt file in the in the post window.

Step-3.

Things For Your Next Post:
Please post the logs in the order requested. Do Not attach the logs unless I request it.
1. The new OTL.txt log
2. The new Extras.txt log

[godawgs]

Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.