CPU usage rises to 99% with lrctmuaww.exe, kltmkbhdb.exe, and other li



#16 ChiefLongToes (Member, Topic Starter, 16 posts)
Dear 1972 Vet,
I have done what you said. Thanks for your ongoing advice.
I did 'delete', and then I did Fix Host, Fix Proxy, and Fix DNS in that order. Below are the logs generated, from most recent at the top to older as the list goes down. I believe a separate log was generated after each "Fix ___" action.

Best,
Chief Long Toes

Most recent log (#6):
RogueKiller V8.5.4 _x64_ [Mar 18 2013] by Tigzy
mail : tigzyRK<at>gmail<dot>com
Feedback : http://www.geekstogo...13-roguekiller/
Website : http://tigzy.geeksto...roguekiller.php
Blog : http://tigzyrk.blogspot.com/

Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User : Ken [Admin rights]
Mode : DNSFix -- Date : 05/27/2013 09:42:09
| ARK || FAK || MBR |

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 6 ¤¤¤
[DNS] HKLM\[...]\ControlSet001\Services\Tcpip\Interfaces\{0A08E8F1-BF8B-44BA-A5B2-69E83D6E760D} : NameServer (76.73.7.75,107.6.133.7) -> REPLACED ()
[DNS] HKLM\[...]\ControlSet001\Services\Tcpip\Interfaces\{784BB939-4AFA-451B-B5C1-328F5996C10B} : NameServer (76.73.7.75,107.6.133.7) -> REPLACED ()
[DNS] HKLM\[...]\ControlSet001\Services\Tcpip\Interfaces\{846ee342-7039-11de-9d20-806e6f6e6963} : NameServer (76.73.7.75,107.6.133.7) -> REPLACED ()
[DNS] HKLM\[...]\ControlSet002\Services\Tcpip\Interfaces\{0A08E8F1-BF8B-44BA-A5B2-69E83D6E760D} : NameServer (76.73.7.75,107.6.133.7) -> REPLACED ()
[DNS] HKLM\[...]\ControlSet002\Services\Tcpip\Interfaces\{784BB939-4AFA-451B-B5C1-328F5996C10B} : NameServer (76.73.7.75,107.6.133.7) -> REPLACED ()
[DNS] HKLM\[...]\ControlSet002\Services\Tcpip\Interfaces\{846ee342-7039-11de-9d20-806e6f6e6963} : NameServer (76.73.7.75,107.6.133.7) -> REPLACED ()

¤¤¤ Driver : [NOT LOADED] ¤¤¤

Finished : << RKreport[6]_DN_05272013_02d0942.txt >>
RKreport[1]_S_05262013_02d2328.txt ; RKreport[2]_D_05272013_02d0940.txt ; RKreport[3]_S_05272013_02d0941.txt ; RKreport[4]_H_05272013_02d0941.txt ; RKreport[5]_PR_05272013_02d0942.txt ; RKreport[6]_DN_05272013_02d0942.txt



Next most recent (#5):
RogueKiller V8.5.4 _x64_ [Mar 18 2013] by Tigzy
mail : tigzyRK<at>gmail<dot>com
Feedback : http://www.geekstogo...13-roguekiller/
Website : http://tigzy.geeksto...roguekiller.php
Blog : http://tigzyrk.blogspot.com/

Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User : Ken [Admin rights]
Mode : ProxyFix -- Date : 05/27/2013 09:42:03
| ARK || FAK || MBR |

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 0 ¤¤¤

¤¤¤ Driver : [NOT LOADED] ¤¤¤

Finished : << RKreport[5]_PR_05272013_02d0942.txt >>
RKreport[1]_S_05262013_02d2328.txt ; RKreport[2]_D_05272013_02d0940.txt ; RKreport[3]_S_05272013_02d0941.txt ; RKreport[4]_H_05272013_02d0941.txt ; RKreport[5]_PR_05272013_02d0942.txt


Next most recent log (#4):
RogueKiller V8.5.4 _x64_ [Mar 18 2013] by Tigzy
mail : tigzyRK<at>gmail<dot>com
Feedback : http://www.geekstogo...13-roguekiller/
Website : http://tigzy.geeksto...roguekiller.php
Blog : http://tigzyrk.blogspot.com/

Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User : Ken [Admin rights]
Mode : HOSTSFix -- Date : 05/27/2013 09:41:45
| ARK || FAK || MBR |

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 0 ¤¤¤

¤¤¤ Driver : [NOT LOADED] ¤¤¤

¤¤¤ Infection : Mal.Hosts ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
--> C:\windows\system32\drivers\etc\hosts

127.0.0.1 localhost
::1 localhost
192.157.56.28 www.google-analytics.com.
192.157.56.28 ad-emea.doubleclick.net.
192.157.56.28 www.statcounter.com.
93.115.241.27 www.google-analytics.com.
93.115.241.27 ad-emea.doubleclick.net.
93.115.241.27 www.statcounter.com.


¤¤¤ Reset HOSTS: ¤¤¤
127.0.0.1 localhost

Finished : << RKreport[4]_H_05272013_02d0941.txt >>
RKreport[1]_S_05262013_02d2328.txt ; RKreport[2]_D_05272013_02d0940.txt ; RKreport[3]_S_05272013_02d0941.txt ; RKreport[4]_H_05272013_02d0941.txt


Next most recent log (#3):
RogueKiller V8.5.4 _x64_ [Mar 18 2013] by Tigzy
mail : tigzyRK<at>gmail<dot>com
Feedback : http://www.geekstogo...13-roguekiller/
Website : http://tigzy.geeksto...roguekiller.php
Blog : http://tigzyrk.blogspot.com/

Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User : Ken [Admin rights]
Mode : Scan -- Date : 05/27/2013 09:41:34
| ARK || FAK || MBR |

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 6 ¤¤¤
[DNS] HKLM\[...]\ControlSet001\Services\Tcpip\Interfaces\{0A08E8F1-BF8B-44BA-A5B2-69E83D6E760D} : NameServer (76.73.7.75,107.6.133.7) -> FOUND
[DNS] HKLM\[...]\ControlSet001\Services\Tcpip\Interfaces\{784BB939-4AFA-451B-B5C1-328F5996C10B} : NameServer (76.73.7.75,107.6.133.7) -> FOUND
[DNS] HKLM\[...]\ControlSet001\Services\Tcpip\Interfaces\{846ee342-7039-11de-9d20-806e6f6e6963} : NameServer (76.73.7.75,107.6.133.7) -> FOUND
[DNS] HKLM\[...]\ControlSet002\Services\Tcpip\Interfaces\{0A08E8F1-BF8B-44BA-A5B2-69E83D6E760D} : NameServer (76.73.7.75,107.6.133.7) -> FOUND
[DNS] HKLM\[...]\ControlSet002\Services\Tcpip\Interfaces\{784BB939-4AFA-451B-B5C1-328F5996C10B} : NameServer (76.73.7.75,107.6.133.7) -> FOUND
[DNS] HKLM\[...]\ControlSet002\Services\Tcpip\Interfaces\{846ee342-7039-11de-9d20-806e6f6e6963} : NameServer (76.73.7.75,107.6.133.7) -> FOUND

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [NOT LOADED] ¤¤¤

¤¤¤ Infection : Mal.Hosts ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
--> C:\windows\system32\drivers\etc\hosts

127.0.0.1 localhost
::1 localhost
192.157.56.28 www.google-analytics.com.
192.157.56.28 ad-emea.doubleclick.net.
192.157.56.28 www.statcounter.com.
93.115.241.27 www.google-analytics.com.
93.115.241.27 ad-emea.doubleclick.net.
93.115.241.27 www.statcounter.com.


¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: TOSHIBA MK6475GSX +++++
--- User ---
[MBR] e53f066e582225cab607d72a71b8bbc9
[BSP] a8936ce11f18d4f178bb4c27e2c2e297 : Windows Vista MBR Code
Partition table:
0 - [ACTIVE] ACER (0x27) [VISIBLE] Offset (sectors): 2048 | Size: 1500 Mo
1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 3074048 | Size: 594104 Mo
2 - [XXXXXX] NTFS (0x17) [HIDDEN!] Offset (sectors): 1219799040 | Size: 14875 Mo
User = LL1 ... OK!
User = LL2 ... OK!

Finished : << RKreport[3]_S_05272013_02d0941.txt >>
RKreport[1]_S_05262013_02d2328.txt ; RKreport[2]_D_05272013_02d0940.txt ; RKreport[3]_S_05272013_02d0941.txt


Last log of current series (#2):
RogueKiller V8.5.4 _x64_ [Mar 18 2013] by Tigzy
mail : tigzyRK<at>gmail<dot>com
Feedback : http://www.geekstogo...13-roguekiller/
Website : http://tigzy.geeksto...roguekiller.php
Blog : http://tigzyrk.blogspot.com/

Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User : Ken [Admin rights]
Mode : Remove -- Date : 05/27/2013 09:40:27
| ARK || FAK || MBR |

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 9 ¤¤¤
[RUN][SUSP PATH] HKCU\[...]\Run : qsagopfmqosxptapojj (C:\Users\Ken\AppData\Roaming\qsagopfmqosxptapojj.exe) [-] -> DELETED
[DNS] HKLM\[...]\ControlSet001\Services\Tcpip\Interfaces\{0A08E8F1-BF8B-44BA-A5B2-69E83D6E760D} : NameServer (76.73.7.75,107.6.133.7) -> NOT REMOVED, USE DNSFIX
[DNS] HKLM\[...]\ControlSet001\Services\Tcpip\Interfaces\{784BB939-4AFA-451B-B5C1-328F5996C10B} : NameServer (76.73.7.75,107.6.133.7) -> NOT REMOVED, USE DNSFIX
[DNS] HKLM\[...]\ControlSet001\Services\Tcpip\Interfaces\{846ee342-7039-11de-9d20-806e6f6e6963} : NameServer (76.73.7.75,107.6.133.7) -> NOT REMOVED, USE DNSFIX
[DNS] HKLM\[...]\ControlSet002\Services\Tcpip\Interfaces\{0A08E8F1-BF8B-44BA-A5B2-69E83D6E760D} : NameServer (76.73.7.75,107.6.133.7) -> NOT REMOVED, USE DNSFIX
[DNS] HKLM\[...]\ControlSet002\Services\Tcpip\Interfaces\{784BB939-4AFA-451B-B5C1-328F5996C10B} : NameServer (76.73.7.75,107.6.133.7) -> NOT REMOVED, USE DNSFIX
[DNS] HKLM\[...]\ControlSet002\Services\Tcpip\Interfaces\{846ee342-7039-11de-9d20-806e6f6e6963} : NameServer (76.73.7.75,107.6.133.7) -> NOT REMOVED, USE DNSFIX
[HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> REPLACED (0)
[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> REPLACED (0)

¤¤¤ Particular Files / Folders: ¤¤¤
[ZeroAccess][FILE] @ : C:\$recycle.bin\S-1-5-21-1452994874-67352799-3522771519-1000\$fb9a415d8a39a495eecb70163c6883ff\@ [-] --> REMOVED
[ZeroAccess][FOLDER] ROOT : C:\$recycle.bin\S-1-5-18\$fb9a415d8a39a495eecb70163c6883ff\U --> REMOVED
[ZeroAccess][FOLDER] ROOT : C:\$recycle.bin\S-1-5-21-1452994874-67352799-3522771519-1000\$fb9a415d8a39a495eecb70163c6883ff\U --> REMOVED
[ZeroAccess][FOLDER] ROOT : C:\$recycle.bin\S-1-5-18\$fb9a415d8a39a495eecb70163c6883ff\L --> REMOVED
[ZeroAccess][FOLDER] ROOT : C:\$recycle.bin\S-1-5-21-1452994874-67352799-3522771519-1000\$fb9a415d8a39a495eecb70163c6883ff\L --> REMOVED

¤¤¤ Driver : [NOT LOADED] ¤¤¤

¤¤¤ Infection : Mal.Hosts|ZeroAccess ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
--> C:\windows\system32\drivers\etc\hosts

127.0.0.1 localhost
::1 localhost
192.157.56.28 www.google-analytics.com.
192.157.56.28 ad-emea.doubleclick.net.
192.157.56.28 www.statcounter.com.
93.115.241.27 www.google-analytics.com.
93.115.241.27 ad-emea.doubleclick.net.
93.115.241.27 www.statcounter.com.


¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: TOSHIBA MK6475GSX +++++
--- User ---
[MBR] e53f066e582225cab607d72a71b8bbc9
[BSP] a8936ce11f18d4f178bb4c27e2c2e297 : Windows Vista MBR Code
Partition table:
0 - [ACTIVE] ACER (0x27) [VISIBLE] Offset (sectors): 2048 | Size: 1500 Mo
1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 3074048 | Size: 594104 Mo
2 - [XXXXXX] NTFS (0x17) [HIDDEN!] Offset (sectors): 1219799040 | Size: 14875 Mo
User = LL1 ... OK!
User = LL2 ... OK!

Finished : << RKreport[2]_D_05272013_02d0940.txt >>
RKreport[1]_S_05262013_02d2328.txt ; RKreport[2]_D_05272013_02d0940.txt


Log #1 was already posted in prior post
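The two hijacks these reports show (the same NameServer pair written into every Tcpip interface key of both control sets, and hosts entries steering analytics and ad domains to 192.157.56.28 and 93.115.241.27) are read off by eye above; the script below, an added example that is not part of the thread or of RogueKiller, parses that report format and summarises both. The trusted_resolvers allow-list is an assumed input (empty by default, so every NameServer found is reported).

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample: a trimmed RogueKiller "Scan" report built from the
# fragments posted in the thread (same addresses, same key paths).
SAMPLE_REPORT = r"""RogueKiller V8.5.4 _x64_ [Mar 18 2013] by Tigzy
Mode : Scan -- Date : 05/27/2013 09:41:34

¤¤¤ Registry Entries : 4 ¤¤¤
[DNS] HKLM\[...]\ControlSet001\Services\Tcpip\Interfaces\{0A08E8F1-BF8B-44BA-A5B2-69E83D6E760D} : NameServer (76.73.7.75,107.6.133.7) -> FOUND
[DNS] HKLM\[...]\ControlSet001\Services\Tcpip\Interfaces\{784BB939-4AFA-451B-B5C1-328F5996C10B} : NameServer (76.73.7.75,107.6.133.7) -> FOUND
[DNS] HKLM\[...]\ControlSet002\Services\Tcpip\Interfaces\{0A08E8F1-BF8B-44BA-A5B2-69E83D6E760D} : NameServer (76.73.7.75,107.6.133.7) -> FOUND
[DNS] HKLM\[...]\ControlSet002\Services\Tcpip\Interfaces\{784BB939-4AFA-451B-B5C1-328F5996C10B} : NameServer (76.73.7.75,107.6.133.7) -> FOUND

¤¤¤ Infection : Mal.Hosts ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
--> C:\windows\system32\drivers\etc\hosts

127.0.0.1 localhost
::1 localhost
192.157.56.28 www.google-analytics.com.
192.157.56.28 www.statcounter.com.
93.115.241.27 ad-emea.doubleclick.net.


¤¤¤ MBR Check: ¤¤¤
"""

# One [DNS] registry line: control set, interface GUID, NameServer list, verdict.
DNS_LINE = re.compile(
    r"^\[DNS\] HKLM\\\[\.\.\.\]\\(?P<cs>ControlSet\d+)\\Services\\Tcpip\\Interfaces\\"
    r"(?P<guid>\{[0-9A-Fa-f-]+\}) : NameServer \((?P<servers>[^)]*)\) -> (?P<status>.+)$"
)
HOSTS_HEADER = "¤¤¤ HOSTS File: ¤¤¤"
SECTION_MARK = "¤¤¤"


def parse_dns_entries(report):
    """Return one dict per [DNS] line: control set, interface GUID, the
    comma-separated NameServer addresses, and RogueKiller's verdict/action."""
    entries = []
    for line in report.splitlines():
        m = DNS_LINE.match(line.strip())
        if m:
            servers = [s for s in m["servers"].split(",") if s]
            entries.append({"control_set": m["cs"], "guid": m["guid"],
                            "servers": servers, "status": m["status"].strip()})
    return entries


def parse_hosts_section(report):
    """Return (hostname, address) pairs from the HOSTS File section, stopping
    at the next ¤¤¤ header. The trailing dot (FQDN form) is stripped."""
    pairs = []
    in_hosts = False
    for line in report.splitlines():
        line = line.strip()
        if line == HOSTS_HEADER:
            in_hosts = True
            continue
        if in_hosts and line.startswith(SECTION_MARK):
            break
        if not in_hosts or not line or line.startswith("-->"):
            continue  # skip the "--> C:\...\hosts" path line and blanks
        addr, name = line.split(None, 1)
        pairs.append((name.rstrip("."), addr))
    return pairs


def triage(report, trusted_resolvers=frozenset()):
    """Summarise both hijack patterns: resolver addresses pushed into Tcpip
    interface keys (and how many control sets and interfaces they cover), and
    hosts entries that point public names anywhere other than loopback."""
    by_guid = defaultdict(set)
    rogue = set()
    for e in parse_dns_entries(report):
        by_guid[e["guid"]].add(e["control_set"])
        rogue.update(s for s in e["servers"] if s not in trusted_resolvers)
    redirects = [(name, addr) for name, addr in parse_hosts_section(report)
                 if not ipaddress.ip_address(addr).is_loopback]
    return {
        "rogue_resolvers": sorted(rogue),
        "control_sets": sorted({cs for sets in by_guid.values() for cs in sets}),
        "interfaces_touched": len(by_guid),
        "hosts_redirects": redirects,
        "redirect_targets": sorted({addr for _, addr in redirects}),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_REPORT).items():
        print(f"{key}: {value}")
```

A NameServer pair repeated across every interface and both control sets is a persistence signature rather than a user setting, which is why the Remove pass above defers it to DNSFix.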



#17 1972vet (Trusted Helper, Malware Removal, 99 posts)
Great, thanks! Let's run an ESET scan now...

Please note that disabling your on board antivirus product is not necessary while you scan with ESET online scanner Here. Click the Run ESET Online Scanner button. Another window will open...here, please accept the agreement, then click the Start button.

When prompted, install the needed software to perform the scan. When it finishes with the install, make sure to check the box titled Scan archives (the Remove found threats box should already be checked by default).

Next, click the "Advanced Settings" link. Please make sure all boxes are checked except for "Use custom proxy settings". Then click the Start button.

When it completes, use notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
Copy and paste that log with your next reply, along with a description of any remaining problems. Thanks!

#18 ChiefLongToes (Member, Topic Starter, 16 posts)
Ok, have done what you said and I may have a little issue here:
The scan is hung up at 99%.
It took 3 hours to reach 99%, ok fair enough I suppose, but for 2 hours now it has been stuck at 99% and is not moving.
The file it is working on is C:\Windows\winsxs\x86_wwf-system.workflow.runtime...\System.Workflow.Runtime.dll
I am wondering if the process is stuck or just moving slowly right now...

It has found some threats/infections; it says 270 files infected, and lists the items below as threats:
Win32/Simda.B trojan
Win32/CoinMinerAJ trojan
a variant of Win32/Kryptik.ATNV trojan
multiple threats

Should I repeat the ESET scan? Let it keep working? Any advice?

Chief Long Toes

#19 ChiefLongToes (Member, Topic Starter, 16 posts)
Dear 1972 Vet, just FYI I let it run overnight and it did not move past 99%. Should I stop the scan? Restart it?

Best,
Chief Long Toes

#20 ChiefLongToes (Member, Topic Starter, 16 posts)
Dear 1972 Vet,
Things seem a bit worse over here: my Internet connectivity has become strangely unstable. I don't know if these issues are due to my router/connection or are a result of running the ESET scan.

CLT

#21 1972vet (Trusted Helper, Malware Removal, 99 posts)

> Dear 1972 Vet,
> Things seem a bit worse over here: my Internet connectivity has become strangely unstable. I don't know if these issues are due to my router/connection or are a result of running the ESET scan.
>
> CLT

The scan may have hung due to fragmentation issues. Close everything down and reboot. Upon the system coming back up, close (exit from or disable) anything running in the system tray to free up resources and run a disk defrag. When that completes, reboot again...Try starting the ESET scanner now.

#22 ChiefLongToes (Member, Topic Starter, 16 posts)
OK have done!

ESET Log file:
C:\Users\Ken\AppData\Local\Temp\mbnylyydv.exe Win32/BitCoinMiner application cleaned by deleting - quarantined
C:\Users\Ken\AppData\Local\Temp\mhtgdqdig.exe Win32/BitCoinMiner application cleaned by deleting - quarantined
C:\Users\Ken\AppData\Local\Temp\mkjknnnys.exe Win32/BitCoinMiner application cleaned by deleting - quarantined
C:\Users\Ken\AppData\Local\Temp\mmefpvgpl.exe Win32/BitCoinMiner application cleaned by deleting - quarantined
C:\Users\Ken\AppData\Local\Temp\neiwynlqs.exe Win32/BitCoinMiner application cleaned by deleting - quarantined
C:\Users\Ken\AppData\Local\Temp\nqslrodrm.exe Win32/BitCoinMiner application cleaned by deleting - quarantined
C:\Users\Ken\AppData\Local\Temp\nyhcupusg.exe Win32/BitCoinMiner application cleaned by deleting - quarantined
C:\Users\Ken\AppData\Local\Temp\pktphaoxm.exe Win32/BitCoinMiner application cleaned by deleting - quarantined
C:\Users\Ken\AppData\Local\Temp\qcojmkrbw.exe Win32/BitCoinMiner application cleaned by deleting - quarantined
C:\Users\Ken\AppData\Local\Temp\qdlflsubr.exe Win32/BitCoinMiner application cleaned by deleting - quarantined
C:\Users\Ken\AppData\Local\Temp\qeopooghf.exe Win32/BitCoinMiner application cleaned by deleting - quarantined
C:\Users\Ken\AppData\Local\Temp\qqdqnrouf.exe Win32/BitCoinMiner application cleaned by deleting - quarantined
C:\Users\Ken\AppData\Local\Temp\qqfptpaky.exe Win32/BitCoinMiner application cleaned by deleting - quarantined
C:\Users\Ken\AppData\Local\Temp\qrpcxodet.exe Win32/BitCoinMiner application cleaned by deleting - quarantined
C:\Users\Ken\AppData\Local\Temp\qvqyyrxpx.exe Win32/BitCoinMiner application cleaned by deleting - quarantined
C:\Users\Ken\AppData\Local\Temp\raikhlsib.exe Win32/BitCoinMiner application cleaned by deleting - quarantined
C:\Users\Ken\AppData\Local\Temp\rcidllrid.exe Win32/BitCoinMiner application cleaned by deleting - quarantined
C:\Users\Ken\AppData\Local\Temp\rlxeshcvd.exe Win32/BitCoinMiner application cleaned by deleting - quarantined
C:\Users\Ken\AppData\Local\Temp\toxkuhlls.exe Win32/BitCoinMiner application cleaned by deleting - quarantined
C:\Users\Ken\AppData\Local\Temp\upidcnxhv.exe Win32/BitCoinMiner application cleaned by deleting - quarantined
C:\Users\Ken\AppData\Local\Temp\vatdflhyw.exe Win32/BitCoinMiner application cleaned by deleting - quarantined
C:\Users\Ken\AppData\Local\Temp\vkhfrqgvh.exe Win32/BitCoinMiner application cleaned by deleting - quarantined
C:\Users\Ken\AppData\Local\Temp\wenkmwdfi.exe Win32/BitCoinMiner application cleaned by deleting - quarantined
C:\Users\Ken\AppData\Local\Temp\wopffnmly.exe Win32/BitCoinMiner application cleaned by deleting - quarantined
C:\Users\Ken\AppData\Local\Temp\xebmfsuqf.exe Win32/BitCoinMiner application cleaned by deleting - quarantined
C:\Users\Ken\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\22\7780dad6-6c1d7c71 a variant of Java/Exploit.Agent.OGA trojan cleaned by deleting - quarantined
C:\Users\Ken\AppData\Roaming\nMNtfaARw2l97e30p5ev.exe Win32/CoinMiner.AJ trojan cleaned by deleting - quarantined
C:\Users\Ken\AppData\Roaming\qsagopfmqosxptapojj.exe Win32/CoinMiner.AJ trojan cleaned by deleting - quarantined

#23 1972vet (Trusted Helper, Malware Removal, 99 posts)
Excellent! You can keep the ESET scanner on board if you like, and scan with it on occasion. You need only to open it and start the scan. ESET will then download the latest signature updates for you at that time. It's an excellent "second" scanner to keep handy.

Let's update your software now...Download FileHippo's Update Checker. Double-click the FHSetup.exe file to install it. When the install completes, you'll find the Update Checker shortcut on the desktop. Double-click on it and a scan begins with the results showing in your browser. Any software it finds to be out of date will be presented in your browser. Just click on the download link provided there to download your software updates. Ignore the beta software unless you want that...during the scanner initialization, you can click the settings link, then click the results tab and check the box "Hide beta versions". After clicking the OK button, click the "Retry" link to continue the scan with those settings. Please remember to post back your results and let us know how the system behaves for you, and please detail for us any other issues you are having. Thanks!

#24 ChiefLongToes (Member, Topic Starter, 16 posts)
OK, working on that...
meanwhile, I have a folder labeled "RK quarantine"
What should I do with that? Delete it?

#25 ChiefLongToes (Member, Topic Starter, 16 posts)
Dear 1972 Vet,

Regarding the FileHippo download, I have done that and updated my Adobe...however, I do not find a 'Retry' link as you mention, and it does not seem to produce a report I can share with you. But it is installed and working.

I have rebooted my machine several times and the dreaded blahblahblah*32 programs ARE (THANKFULLY) NO LONGER coming on to my CPU and running it at near 100% capacity, so it seems the mega-problem has been solved - thank you!
And, also very nice, all the web redirection crap that was dominating my computer - Ask.com, Chitka, etc. is also gone. It runs smooth and fast and clean once again. Thanks a million!

I am just not sure what to do with the RK quarantine file. Delete it?

Thank you so much, really incredible help.

Chief Long Toes



#26 1972vet (Trusted Helper, Malware Removal, 99 posts)
When using the FileHippo utility to scan for software updates, the only time you would find the "Retry" link to click on would be after you stop the scan by clicking on the "Settings" link during the initialization of the scanner when it first opens. Clicking the "Settings" link not only stops the scan but opens the settings box so you can make changes if you like. When you close that settings box, it's then that you will notice the "Retry" link available to click. At that point, just clicking the "Retry" link will allow the scan to continue.

You did good work ChiefLongToes! You can delete these now:
DDS utility, .txt file and the Attach.txt, AdwareCleaner and its .txt file (found at the root of C:\), RogueKiller.exe, the RKQuarantine folder and the associated RKReports.

Now that your system is clean and running the way you expect, let's create a new restore point you can refer to should the need arise at some point in the future.

Please click "Start->All Programs->Accessories->System Tools->System Restore". In the new window, check 'Create a restore point' in the right pane and click "Next". In the "Restore point description" textbox, name your restore point something you will easily recognize. I recommend something like yyyymmdd_Clean (ex. 20130528_Clean). Click "Create" and reboot your computer.

To assist in the prevention of malicious software intrusion and infections, you can begin by reading "How to boost your malware defense and protect your PC"...

Please remember to keep antivirus software on board and always use its real-time protection feature. Run a complete system scan at least once a week...preferably in Safe mode.

A word of caution
Security vendors, in recent years, have partnered with "Ask.com" in providing the "Ask Toolbar" bundled with their download(s).

Although the toolbar is considered to be a legitimate program, it is nonetheless questionable as to its behavior. It is alleged to be spyware/adware, as the behavior of this application tracks a user's history and sends "search" information to its servers in order to provide a user with targeted search results; many of these results may also be for questionable web sites. In fairness, one should keep in mind that Google does the same thing regarding search results.

This tracking is considered by many of us in the security field to be offensive.

Some of the "Download links" that I may provide may also contain this program bundled with it. If you choose not to use it, the bundled software will always contain an "Opt Out" measure via some checkbox. The user can check (or uncheck) this box to prevent the download.

If a user isn't cautious and may have mistakenly installed this program, it can easily be removed via the "Uninstall" string provided with the software. Detailed instructions how to remove the program can be found Here.

If your antivirus program is a licensed version that is about to expire, you can consider using one of these available free on the public domain:

Microsoft Security Essentials
AntiVir Personal Edition Classic
Avast! 4 Home Edition

Those of us in the online safety/security community have tried and tested these programs to determine their abilities. Bearing in mind that nothing is ever a guarantee regarding computer security, these programs, combined with the rest of these recommendations, are nevertheless certain to have an impact in helping to keep your system running free and clear. I personally have been completely satisfied from having tested and used each one of those at one time or another.

Immunize your browser by installing Spywareblaster. What does it do?
  • Prevents the installation of ActiveX-based spyware, adware, browser hijackers, dialers, and other potentially unwanted software.
  • Blocks spyware/tracking cookies in Internet Explorer and Mozilla/Firefox.
  • Restricts the actions of potentially unwanted sites in Internet Explorer.
Keep your anti-virus and spyware definitions up to date. Be sure to scan often.

Web of Trust, (WOT,) warns you about risky websites that try to scam visitors, deliver malware or send spam. Protect your computer against online threats by using WOT as your front-line layer of protection when browsing or searching in unfamiliar territory. WOT's color-coded icons show you ratings for 21 million websites, helping you avoid the dangerous sites:
  • Green to go
  • Yellow for caution
  • Red to stop
WOT has an add-on available for both Firefox and IE.

Install the WinPatrol security monitor utility. WinPatrol will alert you to hijackings, malware attacks and critical changes made to your computer without your permission. What I hear most from users is how much they like the startup control feature and its ease of use. Need help understanding something about WinPatrol? Here it is.

Windows Vista and Windows 7 have a software firewall built in and activated by default. This native firewall is a big improvement and is fine by itself. However, there are third-party software firewalls that offer a few more configuration options.

Below you can choose from several of the freeware Firewalls available on the public domain. Even though you may have a Firewall already installed, keep this list handy should you choose not to renew your subscription for whatever reason. I should also mention, if you choose to use a third party firewall, make certain the Windows firewall is turned off to prevent conflict issues.

...and please remember, you should have only one of these types of third party firewalls running on board:

Zone Alarm...Windows 2k/XP/Vista

Outpost Free

Comodo...I highly recommend this firewall, but it may just be best suited for advanced users.

Stay updated with the most recent Windows patches using Microsoft's Windows Update. Make it easy on yourself, and set this feature to Automatic.

Keep your installed software up to date by downloading the free FileHippo Update Checker. Double-click the FHSetup.exe file to install it. When the install completes, you'll find the Update Checker shortcut on the desktop.

Double-click on it and a scan begins with the results showing in your browser. Any software it finds to be out of date will be presented in your browser. Just click on the download link provided there to download your software updates. Ignore the beta software unless you want that...during the scanner initialization, you can click the settings link, then click the results tab and check the box "Hide beta versions". After clicking the OK button, click the "Retry" link to continue the scan with those settings.

Using an alternate browser can reduce your chance of certain infections installing themselves. I recommend installing Mozilla Firefox. If you don't already have "Firefox", please consider installing and using this browser for surfing.

If you still wish to use Internet Explorer, please make sure you install SpywareBlaster (from above) to protect you from most ActiveX infections.

Run CCleaner often. Please avoid using the "registry" cleaning feature of this utility unless you consider yourself an expert. Contrary to popular thought, the Windows Registry has no need of any "cleaning". I personally challenge anyone to show a substantial benefit from having used any of these "registry cleaning" programs. There is none. Any difference at all is so minuscule that it's nearly impossible to calculate.

On the flip side, rather than any benefit, there is the possibility of slicing out enough pieces of the registry to render things useless...and that includes the operating system.

By default, CCleaner will ask you if you want to backup what is removed, and I suggest you do just that. If you have already used this option and found that something no longer works properly, please find the backup that was created and use it to restore that particular item. Remember, using this to clean the disk is absolutely useful and beneficial. A novice needs only to use the disk cleaning feature...and avoid the registry cleaning aspect. It's not difficult...just don't bother to click the Registry button on the menu.

CCleaner is an excellent...and fast disk cleaning utility that can easily be configured to suit your needs. Often, users find a simple reboot resolves a quirky performance issue which can come about as a result of the collection of temp files while browsing the web...and if you configure CCleaner to run on start up, then your system could be kept running fast and clean with each new user session.

The Yahoo Toolbar is included by default during the installation of the CCleaner utility...if you DO NOT WANT IT, be sure to remove the check from the "Add CCleaner Yahoo! Toolbar and use CCleaner from your browser" option during installation setup or else just download the Slim version (no toolbar...last download link at the bottom of that page).

Or if you just want to run your on board Disk Cleanup ("Start--> Programs-->Accessories-->System Tools-->Disk Cleanup" ), just open the utility and check off the following:
Downloaded Program Files, Temporary Internet Files, Recycle Bin, and Temporary Files.

Don't forget to check your system's "defragmenter" settings. With Windows Vista, you have the option to set this as a scheduled event. It is best to have your system's "defrag" function scheduled for at least once a week.

So how did I get infected in the first place?
Regards, and Happy Surfing!

#27 ChiefLongToes (Member, Topic Starter, 16 posts)
Dear 1972 Vet,
Sorry I haven't replied for a while. Things still seemed a bit off on my computer, and I didn't feel I could declare victory.
Now I can be more specific about the problem.
1.) Last week, the day after the big ESET clean, I received emails from two different friends that both arrived with all of the text underlined. I asked them about this, and understandably they said that while they did send me the emails, they did not send them with all of the text underlined. That was the first clue that made me think all is not yet well with my computer.

2.) Next, one of those two friends received the following email using my name but not my actual email address:

--- On Sat, 6/1/13, Ken Schaefle <[email protected]> wrote:
From: Ken Schaefle <[email protected]>
Subject: Fwd: Fwd: HAVE A LOOK!!!!
To: [email protected]
Date: Saturday, June 1, 2013, 9:38 AM

hey. latest news http://www.servinkalamatas.gr/gy/

Sent from my Verizon Phone

I have not clicked on the link, and neither has he.
But I did not send this, and never before have I had anything generate spam emails in my name.
Could there still be something malicious on my computer?

Lastly, I could not complete your instructions to create a new clean restore point.
I tried to, but I could not find a way to choose the date and time I wanted to declare as a new point.
The computer seemed to have its own menu of available dates (old software update points) but I did not find a way to create a new date based on the recent cleaning.

Other than that, the original problem of CPU usage going to 99% has not recurred since the ESET cleaning.
Any observations/suggestions regarding the remaining problems would be appreciated.

Chief Long Toes

#28 1972vet (Trusted Helper, Malware Removal, 99 posts)

> Dear 1972 Vet,
> Sorry I haven't replied for a while. Things still seemed a bit off on my computer, and I didn't feel I could declare victory.
> Now I can be more specific about the problem.
> 1.) Last week, the day after the big ESET clean, I received emails from two different friends that both arrived with all of the text underlined. I asked them about this, and understandably they said that while they did send me the emails, they did not send them with all of the text underlined. That was the first clue that made me think all is not yet well with my computer.
>
> 2.) Next, one of those two friends received the following email using my name but not my actual email address:
>
> --- On Sat, 6/1/13, Ken Schaefle <[email protected]> wrote:
> From: Ken Schaefle <[email protected]>
> Subject: Fwd: Fwd: HAVE A LOOK!!!!
> To: [email protected]
> Date: Saturday, June 1, 2013, 9:38 AM
>
> hey. latest news http://www.servinkalamatas.gr/gy/
>
> Sent from my Verizon Phone
>
> I have not clicked on the link, and neither has he.
> But I did not send this, and never before have I had anything generate spam emails in my name.
> Could there still be something malicious on my computer?
>
> Lastly, I could not complete your instructions to create a new clean restore point.
> I tried to, but I could not find a way to choose the date and time I wanted to declare as a new point.
> The computer seemed to have its own menu of available dates (old software update points) but I did not find a way to create a new date based on the recent cleaning.
>
> Other than that, the original problem of CPU usage going to 99% has not recurred since the ESET cleaning.
> Any observations/suggestions regarding the remaining problems would be appreciated.
>
> Chief Long Toes

Your email account has been hacked...which can have nothing at all to do with the condition of your system. Anyone can hack an email account by guessing your password. Change the password and it should remedy that situation.

To create the "date" in your new restore point, you would simply type it into the "Restore point description" text box. There are no dates there to select. When you create the restore point, it uses the current date, but you can NAME it using the date format that I mentioned.

#29 1972vet (Trusted Helper, Malware Removal, 99 posts)
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :)

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.