[Essexboy]

Are they all connecting through the same router ?

Is there a specific site you went to prior to noticing this that none of the other users visit ?

Could you run FRST please and I will remove it again..

The two hour time lag makes me wonder if there is a specific task hidden within your system I will check that out with silent runners after FRST has run

[Advertisements]

Yes, everything is connected to the same router. I visit the same websites every day as I always do, including before this current problem started a week ago. Mostly ebay, craigslist, yahoo, my company websites, etc. Never had a problem like this before that keeps coming back.

FRST scan attached

Attached Files

•  FRST.txt   40.6KB   123 downloads

[Lyanheart]

Yes, everything is connected to the same router. I visit the same websites every day as I always do, including before this current problem started a week ago. Mostly ebay, craigslist, yahoo, my company websites, etc. Never had a problem like this before that keeps coming back.

FRST scan attached

Attached Files

•  FRST.txt   40.6KB   123 downloads

[Essexboy]

The driver was created at 8:25 your time if that helps determine roughly what you were doing

Download the attached fixlist to the same location as FRST

Run FRST and press fix.

After the reboot then

Please RIGHT-CLICK HERE and Save As (in IE it's "Save Target As", in FF it's "Save Link As") to download Silent Runners.

• Save it to the desktop.
• Run Silent Runner's by doubleclicking the "Silent Runners" icon on your desktop.
• You will receive a prompt:
  
  • Do you want to skip supplementary searches?
    click NO
• If you receive an error just click OK and double-click it to run it again - sometimes it won't run as it's supposed to the first time but will in subsequent runs.
• You will see a text file appear on the desktop - it's not done, let it run (it won't appear to be doing anything!)
• Once you receive the prompt All Done!, open the text file on the desktop, copy that entire log, and paste it here.

*NOTE* If you receive any warning message about scripts, please choose to allow the script to run.

[Lyanheart]

That fix did not work; still doing the same thing.
8:25am is probably an hour or so after the PC was turned on. Should not have been doing anything out of the ordinary at that time. I have attached the fixlog and then ran another FRST scan, also attached.
I can download silentrunner with Chrome (IE is the only browser that has the downloading problem) and run it if you wish to do that even if the FRST fix did not work.

Attached Files

•  Fixlog.txt   7.35KB   178 downloads
•  FRST.txt   38.1KB   122 downloads

[Essexboy]

Yes please continue with silent runners and I will rework the fix to remove the reparse points

[Essexboy]

I notice that google drive is synching .. I am wondering if it is returning via that

We will run combofix when silent runners has finished and that should fix the reparse parts

I will try and keep the programmes to run down to a minimum to reduce the delays in your work

[Lyanheart]

Working on silentrunner now... had to restart it due to an error message.

I uninstalled google drive and it is no longer in my list of programs in the windows conrol panel list, so I'm surprised something of it is still running.

[Essexboy]

So was I when I looked at the list of running processes. I will kill that as we progress

For combofix grab a fresh copy, just delete the current one from the desktop

Then whilst that is running I can peruse the silent runners log

Download and Install Combofix

Download ComboFix from one of the following locations:
Link 1
Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

* IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here

• Double click on ComboFix.exe & follow the prompts.
• Accept the disclaimer and allow to update if it asks
  
  [img width=426 height=293]http://img.photobucket.com/albums/v706/ried7/NSIS_disclaimer_ENG.png[/img]
  
  
  
• When finished, it shall produce a log for you.
• Please include the C:\ComboFix.txt in your next reply.

Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.
3. If after the reboot you get errors about programmes being marked for deletion then reboot, that will cure it.


Please make sure you include the combo fix log in your next reply as well as describe how your computer is running now

[Lyanheart]

I get an out-of-memory error each time I run silentrunners:


Is this what you say will keep happening and to keep trying?

[Essexboy]

OK go direct to combofix please I will check the error out

[Essexboy]

As an aside I have just been talking to another helper who is experiencing the same problem as this. The person he is helping also has google synch. So if you have no objection I will kill that once we have cleaned this round. I will also see if there is a way to delete the online backup that may be holding the infection

[Lyanheart]

Yes, kill google sync totally if it is part of the problem. As far as I know I don't use it for anything. I have some things synced with the google apps on my phone, but they should not have anything to do with software on the computer.

Combofix log attached. Can download normally again after it finished.

Attached Files

•  combofix log.txt   19.2KB   136 downloads

[Essexboy]

OK lets go for it

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

Driver::
rcbonwqp

File:
c:\windows\system32\drivers\rcbonwqp.sys
c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1237553287-1429794397-2156527687-1000Core.job
c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1237553287-1429794397-2156527687-1000UA.job
c:\users\Ryan2011\AppData\Local\Google\Update\GoogleUpdate.exe

Folder::
c:\program files (x86)\Google\Drive
c:\programdata\Microsoft\Microsoft Antimalware

Registry::
[-HKEY_CURRENT_USER\Software\Classes\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32] /64

Save this as CFScript.txt, in the same location as ComboFix.exe




Refering to the picture above, drag CFScript into ComboFix.exe

When finished, it will produce a log for you at C:\ComboFix.txt which I will require in your next reply.

[Lyanheart]

combofix log attached

Attached Files

•  combofix log.txt   38.79KB   179 downloads

[Essexboy]

A confirmatory run with OTL now just to confirm there are no remnants

Just a quick scan, it should not take long

Download OTL to your Desktop
Secondary link

• Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
  
  
  
• Select All Users
• Select LOP and Purity
• Under the Custom Scan box paste this in
  
  netsvcs
  c:\program files (x86)\Google\Desktop
  c:\program files\Google\Desktop
  dir "%systemdrive%\*" /S /A:L /C
  CREATERESTOREPOINT
  
• Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan wont take long.
  
• When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
• Attach both logs