Trojan.zekos.patched has frozen my computer [Closed]

  • This topic is locked

#16
emeraldnzl

    GeekU Instructor

  • GeekU Moderator
  • 20,008 posts

I wasn't able to paste for some reason but I managed to paste these FRST scan logs this time.


Thank you, much easier to analyse. :)

Now

Please download Junkware Removal Tool to your desktop.

  • Shut down your protection software to avoid potential conflicts.
  • Run the tool by double-clicking it. If you are using Windows Vista, 7, or 8, instead of double-clicking, right-click JRT.exe and choose "Run as Administrator".
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete depending on your system's specifications.
  • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
  • Post the contents of JRT.txt into your next message.

Next

Please download AdwCleaner to your desktop (use the Download Now @ BleepingComputer button).

NOTE: If you are using Internet Explorer and get an alert that stops the program downloading, click on the warning and allow the download to complete.

Close all programs and click on the AdwCleaner icon. AdwCleaner will update itself and then open.


Click on Scan and follow the prompts. It may appear not to be doing anything; please be patient and let it run unhindered. When the "Please uncheck elements you don't want to remove" prompt appears, just go ahead and click on the Clean button and follow the prompts. Allow the system to reboot. You will then be presented with the report. Copy and paste it back here. If a report doesn't appear, press the report button and copy & paste the contents in your next reply.

A copy of the report is also saved in the C:\AdwCleaner folder.

Finally in this post

Please run FRST again and post back the FRST.txt log it generates.

So when you return, please post

  • Jrt.txt
  • AdwCleaner log
  • FRST.txt


#17
Washetoo

    Member

  • Topic Starter
  • Member
  • 32 posts

Jrt.txt, AdwCleaner log and FRST.txt below:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Thisisu
Version: 6.9.7 (06.15.2015:1)
OS: Windows 7 Home Premium x64
Ran by Steven on Mon 06/15/2015 at 16:52:22.13
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

 

~~~ Services

 

~~~ Tasks

Successfully deleted: [Task] C:\Windows\system32\tasks\PCDEventLauncherTask

 

~~~ Registry Values

 

~~~ Registry Keys

Successfully deleted: [Registry Key] HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{C9384CC4-10BA-4008-8F68-1BA0C82C3FC9}

 

~~~ Files

Successfully deleted: [File] C:\Users\Steven.Steven-PC\appdata\local\google\chrome\user data\default\local storage\hxxp_search.tb.ask.com_0.localstorage
Successfully deleted: [File] C:\Users\Steven.Steven-PC\appdata\local\google\chrome\user data\default\local storage\hxxp_search.tb.ask.com_0.localstorage-journal
Successfully deleted: [File] C:\Users\Steven.Steven-PC\appdata\local\google\chrome\user data\default\local storage\hxxps_static.olark.com_0.localstorage
Successfully deleted: [File] C:\Users\Steven.Steven-PC\appdata\local\google\chrome\user data\default\local storage\hxxps_static.olark.com_0.localstorage-journal

 

~~~ Folders

Successfully deleted: [Folder] C:\ProgramData\paretologic\regcure pro
Successfully deleted: [Folder] C:\ProgramData\pcdr
Successfully deleted: [Folder] C:\users\public\documents\downloaded installers
Successfully deleted: [Folder] C:\Users\Steven.Steven-PC\appdata\local\packageaware
Successfully deleted: [Folder] C:\Users\Steven.Steven-PC\appdata\local\slimware utilities inc
Successfully deleted: [Folder] C:\Users\Steven.Steven-PC\appdata\locallow\pcdr
Successfully deleted: [Folder] C:\Users\Steven.Steven-PC\AppData\Roaming\drivercure
Successfully deleted: [Folder] C:\Users\Steven.Steven-PC\AppData\Roaming\paretologic\regcure pro
Successfully deleted: [Folder] C:\Users\Steven.Steven-PC\AppData\Roaming\pcdr

 

~~~ Chrome

[C:\Users\Steven.Steven-PC\appdata\local\Google\Chrome\User Data\Default\Preferences] - default search provider reset

[C:\Users\Steven.Steven-PC\appdata\local\Google\Chrome\User Data\Default\Preferences] - Extensions Deleted:

[C:\Users\Steven.Steven-PC\appdata\local\Google\Chrome\User Data\Default\Secure Preferences] - default search provider reset

[C:\Users\Steven.Steven-PC\appdata\local\Google\Chrome\User Data\Default\Secure Preferences] - Extensions Deleted:
[]

 

 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on Mon 06/15/2015 at 16:54:44.23
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

 

# AdwCleaner v4.206 - Logfile created 15/06/2015 at 17:04:18
# Updated 01/06/2015 by Xplode
# Database : 2015-05-31.5 [Local]
# Operating system : Windows 7 Home Premium  (x64)
# Username : Steven - STEVEN-PC
# Running from : C:\Users\Steven.Steven-PC\Desktop\AdwCleaner.exe
# Option : Cleaning

***** [ Services ] *****

***** [ Files / Folders ] *****

Folder Deleted : C:\ProgramData\ParetoLogic

***** [ Scheduled tasks ] *****

***** [ Shortcuts ] *****

***** [ Registry ] *****

Key Deleted : HKCU\Software\Microsoft\Internet Explorer\DOMStorage\ask.com
Key Deleted : HKCU\Software\ParetoLogic
Key Deleted : HKLM\SOFTWARE\ParetoLogic

***** [ Web browsers ] *****

-\\ Internet Explorer v8.0.7600.17267

-\\ Google Chrome v43.0.2357.81

*************************

AdwCleaner[R0].txt - [982 bytes] - [15/06/2015 17:02:10]
AdwCleaner[S0].txt - [871 bytes] - [15/06/2015 17:04:18]

########## EOF - C:\AdwCleaner\AdwCleaner[S0].txt - [929  bytes] ##########

 

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version:08-06-2015
Ran by Steven (administrator) on STEVEN-PC on 15-06-2015 17:07:48
Running from C:\Users\Steven.Steven-PC\Desktop
Loaded Profiles: Steven (Available Profiles: Steven)
Platform: Windows 7 Home Premium (X64) OS Language: English (United States)
Internet Explorer Version 8 (Default browser: IE)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo...very-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(AMD) C:\Windows\System32\atiesrxx.exe
(AMD) C:\Windows\System32\atieclxx.exe
(Stardock Corporation) C:\Program Files (x86)\Stardock\MyColors\VistaSrv.exe
() C:\Program Files (x86)\Stardock\MyColors\wbvista.exe
(McAfee, Inc.) C:\Program Files (x86)\McAfee\SiteAdvisor\mcsacore.exe
(McAfee, Inc.) C:\Windows\System32\mfevtps.exe
() C:\Windows\SysWOW64\PnkBstrA.exe
(McAfee, Inc.) C:\Program Files\McAfee\MSC\McAPExe.exe
(McAfee, Inc.) C:\Program Files\Common Files\McAfee\AMCore\mcshield.exe
(McAfee, Inc.) C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe
(McAfee, Inc.) C:\Program Files\Common Files\McAfee\Platform\McSvcHost\McSvHost.exe
(Microsoft Corporation) C:\Windows\SysWOW64\rundll32.exe
(Microsoft Corporation) C:\Windows\System32\rundll32.exe
(Google Inc.) C:\Program Files (x86)\Google\Update\1.3.27.5\GoogleCrashHandler.exe
(Google Inc.) C:\Program Files (x86)\Google\Update\1.3.27.5\GoogleCrashHandler64.exe
(Microsoft Corporation) C:\Program Files\Windows Sidebar\sidebar.exe
(Dell) C:\Users\Steven.Steven-PC\AppData\Local\Apps\2.0\ZTHCPYXZ.HDR\GCG5ADT7.AY7\dell..tion_0f612f649c4a10af_0005.0008_a4204ff54ae5d3ac\DellSystemDetect.exe
() C:\Program Files (x86)\LG Soft India\EasySetPackage\bin\EasySetPackage.exe
(McAfee, Inc.) C:\Program Files\Common Files\McAfee\Platform\McUICnt.exe
(InstallShield Software Corporation) C:\Program Files (x86)\Common Files\InstallShield\UpdateService\issch.exe
(Advanced Micro Devices Inc.) C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
(Adobe Systems Incorporated) C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe
() C:\Program Files (x86)\LG Soft India\EasySetPackage\bin\TestDDCCI.exe
(TODO: <Company name>) C:\Program Files (x86)\LG Soft India\EasySetPackage\bin\ESP64Proxy.exe
(ATI Technologies Inc.) C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
(Alienware) C:\Program Files\Alienware\Command Center\AWCCServiceController.exe
(Alienware) C:\Program Files\Alienware\Command Center\DoorController.exe
(Alienware) C:\Program Files\Alienware\Command Center\AlienwareAlienFXController.exe
(Alienware) C:\Program Files\Alienware\Command Center\AWCCApplicationWatcher32.exe
(Alienware) C:\Program Files\Alienware\Command Center\AWCCApplicationWatcher64.exe
(Alienware) C:\Program Files\Alienware\Command Center\ThermalController.exe

==================== Registry (Whitelisted) ==================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [] => [X]
HKLM\...\Run: [Command Center Controllers] => C:\Program Files\Alienware\Command Center\AWCCStartupOrchestrator.exe [12656 2012-06-18] (Alienware)
HKLM-x32\...\Run: [SiHBAWakeupUtility] => [X]
HKLM-x32\...\Run: [StartCCC] => C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe [98304 2010-05-17] (Advanced Micro Devices, Inc.)
HKLM-x32\...\Run: [mcui_exe] => C:\Program Files\McAfee.com\Agent\mcagent.exe [537992 2014-04-25] (McAfee, Inc.)
HKLM-x32\...\Run: [mcpltui_exe] => C:\Program Files\McAfee.com\Agent\mcagent.exe [537992 2014-04-25] (McAfee, Inc.)
HKLM-x32\...\Run: [ISUSScheduler] => C:\Program Files (x86)\Common Files\InstallShield\UpdateService\issch.exe [69632 2004-04-13] (InstallShield Software Corporation)
HKLM-x32\...\Run: [Adobe ARM] => C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe [1022152 2014-12-19] (Adobe Systems Incorporated)
Winlogon\Notify\GoToAssist: C:\Program Files (x86)\Citrix\GoToAssist\896\G2AWinLogon_x64.dll (Citrix Online, a division of Citrix Systems, Inc.)
Winlogon\Notify\WB: C:\Program Files (x86)\Stardock\MyColors\fast64.dll [X]
HKLM\...\Policies\Explorer: [NoFolderOptions] 0
HKLM\...\Policies\Explorer: [NoControlPanel] 0
HKU\S-1-5-21-4029747782-3714501738-2995947912-1000\...\Run: [ISUSPM Startup] => C:\Program Files (x86)\Common Files\InstallShield\UpdateService\ISUSPM.exe [196608 2004-04-17] (InstallShield Software Corporation)
HKU\S-1-5-21-4029747782-3714501738-2995947912-1000\...\Run: [DellSystemDetect] => C:\Users\Steven.Steven-PC\AppData\Local\Apps\2.0\ZTHCPYXZ.HDR\GCG5ADT7.AY7\dell..tion_0f612f649c4a10af_0005.0008_a4204ff54ae5d3ac\DellSystemDetect.exe [262720 2014-06-21] (Dell)
HKU\S-1-5-21-4029747782-3714501738-2995947912-1000\Control Panel\Desktop\\SCRNSAVE.EXE ->
HKU\S-1-5-18\...\RunOnce: [{91120000-002F-0000-0000-0000000FF1CE}] => C:\Windows\system32\cmd.exe /C del "C:\ProgramData\Microsoft Help\Rgstrtn.lck" /Q /A:H
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\EasySetPackage.lnk [2014-06-14]
ShortcutTarget: EasySetPackage.lnk -> C:\Program Files (x86)\LG Soft India\EasySetPackage\bin\EasySetPackage.exe ()
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Stardock MyColors.lnk [2014-06-14]
ShortcutTarget: Stardock MyColors.lnk -> C:\Program Files (x86)\Stardock\MyColors\SDDelayedLaunch.exe ()

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Start Page = about:blank
HKU\S-1-5-21-4029747782-3714501738-2995947912-1000\Software\Microsoft\Internet Explorer\Main,Start Page = https://www.yahoo.com/
HKU\S-1-5-21-4029747782-3714501738-2995947912-1000\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://www.msn.com/?ocid=iehp
HKU\S-1-5-21-4029747782-3714501738-2995947912-1000\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.msn.com/?...=EIE9HP&PC=UP50
SearchScopes: HKU\.DEFAULT -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-19 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-20 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-21-4029747782-3714501738-2995947912-1000 -> {61AB72F0-FF53-4C25-99D0-762F03A5DA1C} URL = http://www.bing.com/...rc=IE-SearchBox
SearchScopes: HKU\S-1-5-21-4029747782-3714501738-2995947912-1000 -> {C9384CC4-10BA-4008-8F68-1BA0C82C3FC9} URL = https://search.yahoo...&p={searchTerms}
BHO: McAfee SiteAdvisor BHO -> {B164E929-A1B6-4A06-B104-2CD0E90A88FF} -> c:\Program Files (x86)\McAfee\SiteAdvisor\x64\McIEPlg.dll [2015-04-17] (McAfee, Inc.)
BHO-x32: McAfee SiteAdvisor BHO -> {B164E929-A1B6-4A06-B104-2CD0E90A88FF} -> c:\Program Files (x86)\McAfee\SiteAdvisor\McIEPlg.dll [2015-04-17] (McAfee, Inc.)
Toolbar: HKLM - McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\Program Files (x86)\McAfee\SiteAdvisor\x64\McIEPlg.dll [2015-04-17] (McAfee, Inc.)
Toolbar: HKLM-x32 - McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\Program Files (x86)\McAfee\SiteAdvisor\McIEPlg.dll [2015-04-17] (McAfee, Inc.)
DPF: HKLM-x32 {166B1BCA-3F9C-11CF-8075-444553540000} http://download.macr...director/sw.cab
DPF: HKLM-x32 {682C59F5-478C-4421-9070-AD170D143B77} http://www.dell.com/...t/Ode/pcd86.cab
Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\Program Files (x86)\McAfee\SiteAdvisor\x64\McIEPlg.dll [2015-04-17] (McAfee, Inc.)
Handler-x32: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\Program Files (x86)\McAfee\SiteAdvisor\McIEPlg.dll [2015-04-17] (McAfee, Inc.)
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\Program Files (x86)\McAfee\SiteAdvisor\x64\McIEPlg.dll [2015-04-17] (McAfee, Inc.)
Handler-x32: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\Program Files (x86)\McAfee\SiteAdvisor\McIEPlg.dll [2015-04-17] (McAfee, Inc.)
Filter: application/x-mfe-ipt - {3EF5086B-5478-4598-A054-786C45D75692} - c:\Program Files\McAfee\MSC\McSnIePl64.dll [2014-04-25] (McAfee, Inc.)
Filter-x32: application/x-mfe-ipt - {3EF5086B-5478-4598-A054-786C45D75692} - c:\Program Files (x86)\McAfee\MSC\McSnIePl.dll [2014-04-25] (McAfee, Inc.)
Filter: deflate - {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\Windows\system32\urlmon.dll [2013-03-02] (Microsoft Corporation)
Filter-x32: deflate - {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\Windows\SysWOW64\urlmon.dll [2013-03-02] (Microsoft Corporation)
Filter: gzip - {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\Windows\system32\urlmon.dll [2013-03-02] (Microsoft Corporation)
Filter-x32: gzip - {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\Windows\SysWOW64\urlmon.dll [2013-03-02] (Microsoft Corporation)
Tcpip\Parameters: [DhcpNameServer] 192.168.254.251

FireFox:
========
FF Plugin: @mcafee.com/MSC,version=10 -> c:\PROGRA~1\mcafee\msc\NPMCSN~1.DLL [2014-04-25] ()
FF Plugin: @microsoft.com/GENUINE -> disabled No File
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> C:\Program Files\Microsoft Silverlight\5.1.40416.0\npctrl.dll [2015-04-16] ( Microsoft Corporation)
FF Plugin-x32: @adobe.com/ShockwavePlayer -> C:\Windows\SysWOW64\Adobe\Director\np32dsw_1204144.dll [2013-09-05] (Adobe Systems, Inc.)
FF Plugin-x32: @Google.com/GoogleEarthPlugin -> C:\Program Files (x86)\Google\Google Earth\plugin\npgeplugin.dll [2015-05-21] (Google)
FF Plugin-x32: @mcafee.com/MSC,version=10 -> c:\PROGRA~2\mcafee\msc\NPMCSN~1.DLL [2014-04-25] ()
FF Plugin-x32: @microsoft.com/GENUINE -> disabled No File
FF Plugin-x32: @Microsoft.com/NpCtrl,version=1.0 -> C:\Program Files (x86)\Microsoft Silverlight\5.1.40416.0\npctrl.dll [2015-04-15] ( Microsoft Corporation)
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.27.5\npGoogleUpdate3.dll [2015-05-15] (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.27.5\npGoogleUpdate3.dll [2015-05-15] (Google Inc.)
FF Plugin-x32: Adobe Reader -> C:\Program Files (x86)\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll [2015-05-01] (Adobe Systems Inc.)
FF HKLM\...\Firefox\Extensions: [{4ED1F68A-5463-4931-9384-8FFF5ED91D92}] - C:\Program Files (x86)\McAfee\SiteAdvisor
FF Extension: McAfee SiteAdvisor - C:\Program Files (x86)\McAfee\SiteAdvisor [2014-05-04]
FF HKLM-x32\...\Firefox\Extensions: [{4ED1F68A-5463-4931-9384-8FFF5ED91D92}] - C:\Program Files (x86)\McAfee\SiteAdvisor

Chrome:
=======
CHR Profile: C:\Users\Steven.Steven-PC\AppData\Local\Google\Chrome\User Data\Default
CHR Extension: (Google Slides) - C:\Users\Steven.Steven-PC\AppData\Local\Google\Chrome\User Data\Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek [2015-03-25]
CHR Extension: (No Name) - C:\Users\Steven.Steven-PC\AppData\Local\Google\Chrome\User Data\Default\Extensions\aeljlhkkoipjimklndofjoafhpccdfjo [2015-03-25]
CHR Extension: (Google Docs) - C:\Users\Steven.Steven-PC\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake [2015-03-25]
CHR Extension: (Google Drive) - C:\Users\Steven.Steven-PC\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2015-03-25]
CHR Extension: (YouTube) - C:\Users\Steven.Steven-PC\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2015-03-25]
CHR Extension: (Google Search) - C:\Users\Steven.Steven-PC\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf [2015-03-28]
CHR Extension: (Google Sheets) - C:\Users\Steven.Steven-PC\AppData\Local\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap [2015-03-25]
CHR Extension: (No Name) - C:\Users\Steven.Steven-PC\AppData\Local\Google\Chrome\User Data\Default\Extensions\fheoggkfdfchfphceeifdbepaooicaho [2015-03-26]
CHR Extension: (Bookmark Manager) - C:\Users\Steven.Steven-PC\AppData\Local\Google\Chrome\User Data\Default\Extensions\gmlllbghnfkpflemihljekbapjopfjik [2015-04-21]
CHR Extension: (Chrome Hotword Shared Module) - C:\Users\Steven.Steven-PC\AppData\Local\Google\Chrome\User Data\Default\Extensions\lccekmodgklaepjeofjdjpbminllajkg [2015-03-25]
CHR Extension: (Google Wallet) - C:\Users\Steven.Steven-PC\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2015-01-27]
CHR Extension: (Gmail) - C:\Users\Steven.Steven-PC\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2015-03-25]
CHR HKLM\...\Chrome\Extension: [fheoggkfdfchfphceeifdbepaooicaho] - C:\Program Files (x86)\McAfee\SiteAdvisor\McChPlg.crx [2015-06-09]
CHR HKLM-x32\...\Chrome\Extension: [fheoggkfdfchfphceeifdbepaooicaho] - C:\Program Files (x86)\McAfee\SiteAdvisor\McChPlg.crx [2015-06-09]

==================== Services (Whitelisted) =================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

S2 HomeNetSvc; C:\Program Files\Common Files\McAfee\Platform\McSvcHost\McSvHost.exe [328928 2013-07-30] (McAfee, Inc.)
R2 McAfee SiteAdvisor Service; C:\Program Files (x86)\McAfee\SiteAdvisor\McSACore.exe [154856 2015-06-04] (McAfee, Inc.)
R2 McAPExe; C:\Program Files\McAfee\MSC\McAPExe.exe [178528 2014-04-25] (McAfee, Inc.)
R2 McMPFSvc; C:\Program Files\Common Files\McAfee\Platform\McSvcHost\McSvHost.exe [328928 2013-07-30] (McAfee, Inc.)
S2 McNaiAnn; C:\Program Files\Common Files\McAfee\Platform\McSvcHost\McSvHost.exe [328928 2013-07-30] (McAfee, Inc.)
S3 McODS; C:\Program Files\McAfee\VirusScan\mcods.exe [603424 2014-09-04] (McAfee, Inc.)
S2 mcpltsvc; C:\Program Files\Common Files\McAfee\Platform\McSvcHost\McSvHost.exe [328928 2013-07-30] (McAfee, Inc.)
R2 McProxy; C:\Program Files\Common Files\McAfee\Platform\McSvcHost\McSvHost.exe [328928 2013-07-30] (McAfee, Inc.)
R2 mfecore; C:\Program Files\Common Files\McAfee\AMCore\mcshield.exe [1041192 2014-08-20] (McAfee, Inc.)
R2 mfefire; C:\Program Files\Common Files\McAfee\SystemCore\\mfefire.exe [219752 2014-06-20] (McAfee, Inc.)
R2 mfevtp; C:\Windows\system32\mfevtps.exe [189912 2014-06-20] (McAfee, Inc.)
S2 PEVSystemStart; C:\ComboFix\pev.3XE [256000 2011-06-26] () [File not signed]
R2 PnkBstrA; C:\Windows\SysWOW64\PnkBstrA.exe [66872 2012-08-03] ()
R2 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [1011712 2009-07-13] (Microsoft Corporation)

==================== Drivers (Whitelisted) ====================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

U5 AppMgmt; C:\Windows\system32\svchost.exe [27136 2009-07-13] (Microsoft Corporation)
R3 cfwids; C:\Windows\System32\drivers\cfwids.sys [72128 2014-06-20] (McAfee, Inc.)
S3 HipShieldK; C:\Windows\System32\drivers\HipShieldK.sys [197704 2013-09-23] (McAfee, Inc.)
S3 LGDDCDevice; C:\Windows\SysWOW64\LGI2CDriver.sys [16384 2009-12-22] (LG Soft India) [File not signed]
S3 LGII2CDevice; C:\Windows\SysWOW64\LGPII2CDriver.sys [19456 2009-12-22] (LG Soft India) [File not signed]
S3 MBAMSwissArmy; C:\Windows\system32\drivers\MBAMSwissArmy.sys [122584 2015-06-10] (Malwarebytes Corporation)
R3 mfeapfk; C:\Windows\System32\drivers\mfeapfk.sys [181704 2014-06-20] (McAfee, Inc.)
R3 mfeavfk; C:\Windows\System32\drivers\mfeavfk.sys [313544 2014-06-20] (McAfee, Inc.)
R3 mfefirek; C:\Windows\System32\drivers\mfefirek.sys [523792 2014-06-20] (McAfee, Inc.)
R0 mfehidk; C:\Windows\System32\drivers\mfehidk.sys [786296 2014-06-20] (McAfee, Inc.)
R3 mfencbdc; C:\Windows\System32\DRIVERS\mfencbdc.sys [445512 2014-08-20] (McAfee, Inc.)
S3 mfencrk; C:\Windows\System32\DRIVERS\mfencrk.sys [96592 2014-08-20] (McAfee, Inc.)
R0 mfewfpk; C:\Windows\System32\drivers\mfewfpk.sys [348552 2014-06-20] (McAfee, Inc.)
R3 mio; C:\Windows\System32\DRIVERS\mio.sys [7680 2011-05-04] (Dell/Alienware)
R0 SI3132; C:\Windows\System32\DRIVERS\SI3132.sys [90664 2007-10-03] (Silicon Image, Inc)
R0 SiFilter; C:\Windows\System32\DRIVERS\SiWinAcc.sys [22056 2007-10-03] (Silicon Image, Inc)
R0 SiRemFil; C:\Windows\System32\DRIVERS\SiRemFil.sys [17448 2007-10-03] (Silicon Image, Inc)

==================== NetSvcs (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

==================== One Month Created files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2015-06-15 17:02 - 2015-06-15 17:04 - 00000000 ____D C:\AdwCleaner
2015-06-15 16:56 - 2015-06-15 16:49 - 02231296 _____ C:\Users\Steven.Steven-PC\Desktop\AdwCleaner.exe
2015-06-15 16:55 - 2015-06-15 16:55 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\McAfee
2015-06-15 16:54 - 2015-06-15 16:54 - 00002698 _____ C:\Users\Steven.Steven-PC\Desktop\JRT.txt
2015-06-15 16:52 - 2015-06-15 16:52 - 00000207 _____ C:\Windows\tweaking.com-regbackup-STEVEN-PC-Windows-7-Home-Premium-(64-bit).dat
2015-06-15 16:52 - 2015-06-15 16:52 - 00000000 ____D C:\RegBackup
2015-06-15 16:52 - 2015-06-15 16:45 - 02945429 _____ (Thisisu) C:\Users\Steven.Steven-PC\Desktop\JRT.exe
2015-06-14 20:17 - 2015-06-14 20:17 - 00000127 _____ C:\Users\Steven.Steven-PC\Desktop\ckfiles.txt
2015-06-14 19:55 - 2015-06-14 20:18 - 00000000 ____D C:\MGADiagToolOutput
2015-06-14 19:54 - 2015-06-14 19:54 - 00000000 ____D C:\ProgramData\Office Genuine Advantage
2015-06-14 19:51 - 2015-06-14 19:48 - 02031992 _____ (Microsoft Corporation) C:\Users\Steven.Steven-PC\Desktop\MGADiag.exe
2015-06-14 19:51 - 2015-06-14 19:47 - 00468480 _____ () C:\Users\Steven.Steven-PC\Desktop\CKScanner.exe
2015-06-14 08:25 - 2015-06-14 08:25 - 00004717 _____ C:\Users\Steven.Steven-PC\Desktop\RKreport_SCN_06142015_082525.log
2015-06-14 07:31 - 2015-06-14 08:20 - 00035064 _____ C:\Windows\system32\Drivers\TrueSight.sys
2015-06-14 07:31 - 2015-06-14 07:31 - 00000000 ____D C:\ProgramData\RogueKiller
2015-06-14 07:30 - 2015-06-14 07:28 - 17639160 _____ C:\Users\Steven.Steven-PC\Desktop\RogueKiller.exe
2015-06-13 21:53 - 2015-06-13 21:47 - 04197016 _____ (Kaspersky Lab ZAO) C:\Users\Steven.Steven-PC\Desktop\tdsskiller.exe
2015-06-12 21:22 - 2015-06-13 07:13 - 00000000 ___SD C:\ComboFix
2015-06-12 20:47 - 2015-06-12 20:47 - 00000000 ____D C:\Qoobox
2015-06-12 20:47 - 2011-06-26 01:45 - 00256000 _____ C:\Windows\PEV.exe
2015-06-12 20:47 - 2010-11-07 12:20 - 00208896 _____ C:\Windows\MBR.exe
2015-06-12 20:47 - 2009-04-19 23:56 - 00060416 _____ (NirSoft) C:\Windows\NIRCMD.exe
2015-06-12 20:47 - 2000-08-30 19:00 - 00518144 _____ (SteelWerX) C:\Windows\SWREG.exe
2015-06-12 20:47 - 2000-08-30 19:00 - 00406528 _____ (SteelWerX) C:\Windows\SWSC.exe
2015-06-12 20:47 - 2000-08-30 19:00 - 00098816 _____ C:\Windows\sed.exe
2015-06-12 20:47 - 2000-08-30 19:00 - 00080412 _____ C:\Windows\grep.exe
2015-06-12 20:47 - 2000-08-30 19:00 - 00068096 _____ C:\Windows\zip.exe
2015-06-12 20:46 - 2015-06-12 20:46 - 00000000 ____D C:\Windows\erdnt
2015-06-12 20:44 - 2015-06-12 20:37 - 05628161 ____R (Swearware) C:\Users\Steven.Steven-PC\Desktop\ComboFix.exe
2015-06-10 19:11 - 2015-06-14 22:39 - 00030702 _____ C:\Users\Steven.Steven-PC\Desktop\Addition.txt
2015-06-10 19:10 - 2015-06-15 17:07 - 00017106 _____ C:\Users\Steven.Steven-PC\Desktop\FRST.txt
2015-06-10 19:09 - 2015-06-15 17:07 - 00000000 ____D C:\FRST
2015-06-10 19:09 - 2015-06-10 15:07 - 02108928 _____ (Farbar) C:\Users\Steven.Steven-PC\Desktop\FRST64.exe
2015-06-02 20:16 - 2015-06-02 20:16 - 00002156 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Earth.lnk
2015-05-18 20:32 - 2015-03-18 22:07 - 05503416 _____ (Microsoft Corporation) C:\Windows\system32\ntoskrnl.exe
2015-05-18 20:32 - 2015-03-18 21:57 - 03963320 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ntkrnlpa.exe
2015-05-18 20:32 - 2015-03-18 21:57 - 03908024 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ntoskrnl.exe
2015-05-18 19:23 - 2015-05-18 19:23 - 00000000 ____D C:\Users\Steven.Steven-PC\AppData\Local\openvr

==================== One Month Modified files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2015-06-15 17:08 - 2012-05-08 17:21 - 00000830 _____ C:\Windows\Tasks\Adobe Flash Player Updater.job
2015-06-15 17:06 - 2012-12-22 16:31 - 00000894 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2015-06-15 17:06 - 2009-07-14 00:08 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2015-06-15 17:06 - 2009-07-13 23:51 - 00044324 _____ C:\Windows\setupact.log
2015-06-15 17:04 - 2012-05-04 20:14 - 01381150 _____ C:\Windows\WindowsUpdate.log
2015-06-15 17:04 - 2009-07-13 23:45 - 00019712 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2015-06-15 17:04 - 2009-07-13 23:45 - 00019712 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2015-06-15 16:55 - 2014-05-04 10:07 - 00001844 _____ C:\Users\Public\Desktop\McAfee AntiVirus Plus.lnk
2015-06-15 16:54 - 2009-07-14 00:13 - 00793298 _____ C:\Windows\system32\PerfStringBackup.INI
2015-06-15 16:53 - 2013-09-20 21:32 - 00000000 ____D C:\Users\Steven.Steven-PC\AppData\Roaming\ParetoLogic
2015-06-13 07:12 - 2012-05-05 22:03 - 00092658 _____ C:\Windows\PFRO.log
2015-06-12 20:46 - 2012-12-22 16:31 - 00000898 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2015-06-12 20:40 - 2009-07-14 00:08 - 00032616 _____ C:\Windows\Tasks\SCHEDLGU.TXT
2015-06-10 18:56 - 2014-06-18 19:24 - 00122584 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
2015-06-10 07:40 - 2014-06-14 08:56 - 00000000 ____D C:\Windows\pss
2015-06-09 19:42 - 2012-05-05 21:52 - 00000000 ____D C:\Program Files\Common Files\McAfee
2015-06-08 22:06 - 2012-05-04 17:49 - 00000000 ____D C:\Users\Steven.Steven-PC
2015-06-08 21:59 - 2009-07-13 22:20 - 00000000 ____D C:\Windows\system32\NDF
2015-06-08 21:58 - 2009-07-13 22:20 - 00000000 ____D C:\Windows\registration
2015-05-30 22:03 - 2015-03-25 19:40 - 00002183 _____ C:\Users\Public\Desktop\Google Chrome.lnk
2015-05-18 22:06 - 2012-05-04 17:26 - 00000000 ____D C:\Users\Steven
2015-05-18 21:29 - 2012-05-09 03:00 - 00000000 ____D C:\Program Files\Microsoft Silverlight
2015-05-18 21:29 - 2012-05-09 03:00 - 00000000 ____D C:\Program Files (x86)\Microsoft Silverlight
2015-05-18 20:47 - 2013-07-13 03:01 - 00000000 ____D C:\Windows\system32\MRT
2015-05-18 20:47 - 2012-05-07 21:15 - 00000000 ____D C:\ProgramData\Microsoft Help
2015-05-18 20:43 - 2012-05-06 17:49 - 140425016 _____ (Microsoft Corporation) C:\Windows\system32\MRT.exe
2015-05-18 20:42 - 2012-05-09 03:01 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Silverlight
2015-05-18 19:08 - 2012-05-05 22:31 - 00000000 ____D C:\Program Files (x86)\Steam

==================== Files in the root of some directories =======

2012-05-20 14:13 - 2012-05-20 14:13 - 0000104 _____ () C:\Users\Steven.Steven-PC\AppData\Local\fusioncache.dat
2012-05-05 19:46 - 2013-01-03 23:54 - 0007605 _____ () C:\Users\Steven.Steven-PC\AppData\Local\resmon.resmoncfg

Some files in TEMP:
====================
C:\Users\Steven.Steven-PC\AppData\Local\Temp\dllnt_dump.dll
C:\Users\Steven.Steven-PC\AppData\Local\Temp\Quarantine.exe
C:\Users\Steven.Steven-PC\AppData\Local\Temp\sqlite3.dll

==================== Bamital & volsnap Check =================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\System32\winlogon.exe => File is digitally signed
C:\Windows\System32\wininit.exe => File is digitally signed
C:\Windows\SysWOW64\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\System32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\System32\services.exe => File is digitally signed
C:\Windows\System32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\System32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\System32\rpcss.dll => File is digitally signed
C:\Windows\System32\Drivers\volsnap.sys => File is digitally signed

LastRegBack: 2015-06-03 18:58

==================== End of log ============================



#18
emeraldnzl

    GeekU Instructor

  • GeekU Moderator
  • 20,008 posts

Hello Washetoo,

You have Dell System Detect on your machine. It is vulnerable to attack; see here. Please either uninstall it or immediately update your version if you have not already done so.

Next

Open notepad.

Please copy the contents of the code box below.

To do this, highlight the contents of the box (click in the box and press Ctrl + A) and right-click on it. Paste this into the open notepad. Save it to the Desktop as fixlist.txt.

Alternatively type the contents of the box into notepad and save it to your desktop as fixlist.txt.

NOTE: It's important that both files, FRST and fixlist.txt, are in the same location or the fix will not work.

HKLM\...\Run: [] => [X]
HKLM-x32\...\Run: [SiHBAWakeupUtility] => [X]
Winlogon\Notify\WB: C:\Program Files (x86)\Stardock\MyColors\fast64.dll [X]
HKLM\...\Policies\Explorer: [NoFolderOptions] 0
HKLM\...\Policies\Explorer: [NoControlPanel] 0
HKU\S-1-5-18\...\RunOnce: [{91120000-002F-0000-0000-0000000FF1CE}] => C:\Windows\system32\cmd.exe /C del "C:\ProgramData\Microsoft Help\Rgstrtn.lck" /Q /A:H
C:\Users\Steven.Steven-PC\AppData\Local\Temp\dllnt_dump.dll
C:\Users\Steven.Steven-PC\AppData\Local\Temp\Quarantine.exe
C:\Users\Steven.Steven-PC\AppData\Local\Temp\sqlite3.dll
CMD: ipconfig /flushdns
EmptyTemp:

This script is specifically written for the infection on this person's computer. It should NOT be used on another machine. It may cause serious damage, even to the point of rendering the computer unusable.

Run FRST/FRST64 and press the Fix button just once and wait.
The tool will make a log on the Desktop (Fixlog.txt). Please post it to your reply.
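As an added example (not code from this thread, from FRST, or from emeraldnzl), the following read-only PowerShell audit inspects the same autostart and policy locations the fixlist above edits: the Run/RunOnce values, Winlogon\Notify packages and the Policies\Explorer restrictions. The key paths and the "suspect" heuristics are my own assumptions; the Run value named (default) corresponds to the fixlist's empty [] entry. It reports only and removes nothing.

```powershell
# Added example, not from the thread or from FRST: read-only audit of the
# autostart and policy locations a fixlist like the one above targets.
$autostartKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

function Get-AutostartAudit {
    foreach ($key in $autostartKeys) {
        if (-not (Test-Path $key)) { continue }
        foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # provider metadata, not a registry value
            $cmd = [string]$p.Value
            # First token is the launched executable; honour a quoted path with spaces
            $exe = if ($cmd -match '^"([^"]+)"') { $Matches[1] } else { ($cmd -split ' ')[0] }
            $exists = ($exe -ne '') -and (Test-Path -LiteralPath $exe)
            $sig = if ($exists) { (Get-AuthenticodeSignature -FilePath $exe).Status } else { 'n/a' }
            [pscustomobject]@{
                Key       = $key
                Name      = $p.Name            # '(default)' is the unnamed value, the fixlist's [] entry
                Command   = $cmd
                Signature = $sig
                # Heuristics (assumed): missing target, unnamed value, or a launcher living in %TEMP%
                Suspect   = (-not $exists) -or ($p.Name -eq '(default)') -or ($exe -like "$env:TEMP*")
            }
        }
    }
}

function Get-WinlogonNotifyAudit {
    # Winlogon Notify packages are a legacy (pre-Vista) load point; on Windows 7 any entry deserves a look
    $notify = 'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify'
    if (Test-Path $notify) {
        foreach ($sub in Get-ChildItem -Path $notify) {
            [pscustomobject]@{ Package = $sub.PSChildName; DllName = (Get-ItemProperty -Path $sub.PSPath).DllName }
        }
    }
}

function Get-ExplorerPolicyAudit {
    # NoFolderOptions / NoControlPanel set to 1 hide UI a user needs while cleaning up
    $pol = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    foreach ($name in 'NoFolderOptions', 'NoControlPanel') {
        $value = (Get-ItemProperty -Path $pol -Name $name -ErrorAction SilentlyContinue).$name
        [pscustomobject]@{ Policy = $name; Value = $value; Restricting = ($value -eq 1) }
    }
}

Get-AutostartAudit       | Format-Table -AutoSize
Get-WinlogonNotifyAudit  | Format-Table -AutoSize
Get-ExplorerPolicyAudit  | Format-Table -AutoSize
```

Run it from an elevated PowerShell prompt so the HKLM keys are readable; a Suspect of True is a prompt to investigate the entry, not a verdict.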



#19 Washetoo (Topic Starter, Member, 32 posts)

I uninstalled Dell System Detect and ran FRST with fixlist.txt. The fix log follows:

Fix result of Farbar Recovery Scan Tool (x64) Version:08-06-2015
Ran by Steven at 2015-06-16 16:53:21 Run:1
Running from C:\Users\Steven.Steven-PC\Desktop
Loaded Profiles: Steven (Available Profiles: Steven)
Boot Mode: Normal
==============================================

fixlist content:
*****************
HKLM\...\Run: [] => [X]
HKLM-x32\...\Run: [SiHBAWakeupUtility] => [X]
Winlogon\Notify\WB: C:\Program Files (x86)\Stardock\MyColors\fast64.dll [X]
HKLM\...\Policies\Explorer: [NoFolderOptions] 0
HKLM\...\Policies\Explorer: [NoControlPanel] 0
HKU\S-1-5-18\...\RunOnce: [{91120000-002F-0000-0000-0000000FF1CE}] => C:\Windows\system32\cmd.exe /C del "C:\ProgramData\Microsoft Help\Rgstrtn.lck" /Q /A:H
C:\Users\Steven.Steven-PC\AppData\Local\Temp\dllnt_dump.dll
C:\Users\Steven.Steven-PC\AppData\Local\Temp\Quarantine.exe
C:\Users\Steven.Steven-PC\AppData\Local\Temp\sqlite3.dll
CMD: ipconfig /flushdns
EmptyTemp:
*****************

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\\ => value removed successfully
HKLM\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\\SiHBAWakeupUtility => value removed successfully
"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WB" => key removed successfully
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\\NoFolderOptions => value removed successfully
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\\NoControlPanel => value removed successfully
HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\RunOnce\\{91120000-002F-0000-0000-0000000FF1CE} => value removed successfully
C:\Users\Steven.Steven-PC\AppData\Local\Temp\dllnt_dump.dll => moved successfully.
C:\Users\Steven.Steven-PC\AppData\Local\Temp\Quarantine.exe => moved successfully.
C:\Users\Steven.Steven-PC\AppData\Local\Temp\sqlite3.dll => moved successfully.

=========  ipconfig /flushdns =========

Windows IP Configuration

Successfully flushed the DNS Resolver Cache.

========= End of CMD: =========

EmptyTemp: => 1.1 GB temporary data Removed.



#20 emeraldnzl (GeekU Instructor, GeekU Moderator, 20,008 posts)

Hello Washetoo,

Please download Farbar Service Scanner and run it.

  • Make sure the following options are checked:
    • Internet Services
    • Windows Firewall
    • System Restore
    • Security Center/Action Center
    • Windows Update
    • Windows Defender
    • Other Services
  • Press Scan
  • A log (FSS.txt) will be created in the same directory the tool is run from.
  • Copy and paste the log back here.

Next

Please download Rkill by Grinler and save it to your desktop.

  • Link 1
  • Link 2
  • Link 3
    • Double-click on the Rkill desktop icon to run the tool.
    • If using Vista, right-click on it and select Run As Administrator.
    • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
    • If not, delete the file, then download and use the one provided in Link 2.
    • If it does not work, repeat the process and attempt to use the remaining link.
    • If the tool does not run from any of the links provided, please let me know.
  • When the scan is done, Notepad will open with the rKill log. Please copy and paste that in your reply.

Note: the rKill.txt log can also be found on your desktop.

When you return please post

  • FSS.txt
  • rKill.txt


#21 Washetoo (Topic Starter, Member, 32 posts)

FSS.txt and rKill.txt below:

Farbar Service Scanner Version: 17-01-2015
Ran by Steven (administrator) on 16-06-2015 at 18:28:17
Running from "C:\Users\Steven.Steven-PC\Desktop"
Microsoft Windows 7 Home Premium   (X64)
Boot Mode: Normal
****************************************************************

Internet Services:
============

Connection Status:
==============
Localhost is accessible.
There is no connection to network.
Attempt to access Google IP returned error. Google IP is unreachable
Attempt to access Google.com returned error: Other errors
Attempt to access Yahoo.com returned error: Other errors

Windows Firewall:
=============

Firewall Disabled Policy:
==================

System Restore:
============

System Restore Policy:
========================

Action Center:
============

wscsvc Service is not running. Checking service configuration:
The start type of wscsvc service is OK.
The ImagePath of wscsvc service is OK.
The ServiceDll of wscsvc service is OK.

Windows Update:
============
wuauserv Service is not running. Checking service configuration:
The start type of wuauserv service is OK.
The ImagePath of wuauserv service is OK.
The ServiceDll of wuauserv service is OK.

Windows Autoupdate Disabled Policy:
============================

Windows Defender:
==============

Other Services:
==============

File Check:
========
C:\Windows\System32\nsisvc.dll => File is digitally signed
C:\Windows\System32\drivers\nsiproxy.sys => File is digitally signed
C:\Windows\System32\dhcpcore.dll => File is digitally signed
C:\Windows\System32\drivers\afd.sys => File is digitally signed
C:\Windows\System32\drivers\tdx.sys => File is digitally signed
C:\Windows\System32\Drivers\tcpip.sys => File is digitally signed
C:\Windows\System32\dnsrslvr.dll => File is digitally signed
C:\Windows\System32\mpssvc.dll => File is digitally signed
C:\Windows\System32\bfe.dll => File is digitally signed
C:\Windows\System32\drivers\mpsdrv.sys => File is digitally signed
C:\Windows\System32\SDRSVC.dll => File is digitally signed
C:\Windows\System32\vssvc.exe => File is digitally signed
C:\Windows\System32\wscsvc.dll => File is digitally signed
C:\Windows\System32\wbem\WMIsvc.dll => File is digitally signed
C:\Windows\System32\wuaueng.dll => File is digitally signed
C:\Windows\System32\qmgr.dll => File is digitally signed
C:\Windows\System32\es.dll => File is digitally signed
C:\Windows\System32\cryptsvc.dll => File is digitally signed
C:\Program Files\Windows Defender\MpSvc.dll => File is digitally signed
C:\Windows\System32\ipnathlp.dll => File is digitally signed
C:\Windows\System32\iphlpsvc.dll => File is digitally signed
C:\Windows\System32\svchost.exe => File is digitally signed
C:\Windows\System32\rpcss.dll => File is digitally signed

**** End of log ****


Rkill 2.7.0 by Lawrence Abrams (Grinler)
http://www.bleepingcomputer.com/
Copyright 2008-2015 BleepingComputer.com
More Information about Rkill can be found at this link:
 http://www.bleepingc...opic308364.html

Program started at: 06/16/2015 06:29:19 PM in x64 mode.
Windows Version: Windows 7 Home Premium

Checking for Windows services to stop:

 * No malware services found to stop.

Checking for processes to terminate:

 * C:\Users\Steven.Steven-PC\Desktop\FSS.exe (PID: 3032) [UP-HEUR]

1 proccess terminated!

Checking Registry for malware related settings:

 * No issues found in the Registry.

Resetting .EXE, .COM, & .BAT associations in the Windows Registry.

Performing miscellaneous checks:

 * No issues found.

Checking Windows Service Integrity:

 * No issues found.

Searching for Missing Digital Signatures:

 * No issues found.

Checking HOSTS File:

 * No issues found.

Program finished at: 06/16/2015 06:31:12 PM
Execution time: 0 hours(s), 1 minute(s), and 53 seconds(s)



#22 emeraldnzl (GeekU Instructor, GeekU Moderator, 20,008 posts)

Hello again Washetoo,

You appear to have both Windows Defender and McAfee enabled. You are likely getting a conflict between the two. Actually, McAfee turns off Windows Defender when it is installed, so I am not sure how it is enabled now.

Please disable Windows Defender.

To disable Windows Defender, go to Start and in the Search programs and files box type Defender.

  • In the list that presents, click Windows Defender
  • Click Tools > Options
  • Click Administrator, select or clear the Use this program check box, and then click Save

If you're prompted for an administrator password or confirmation, type the password or provide confirmation.

Next

Please run a free online scan with the ESET Online Scanner.

Vista / Win7 users: Right-click on either the IE or FF icon in the Start Menu or Quick Launch Bar on the Taskbar and select Run as Administrator.

Windows 8 & 8.1 users may face another warning from the Windows SmartScreen Protection - please click More information and Run.

Note: This scan works with Internet Explorer or Mozilla Firefox.

If using Mozilla Firefox, you may need to download esetsmartinstaller_enu.exe when prompted, then double-click on it to install.

Disable your security programs.

  • Click the blue Run ESET Online Scanner box
  • Tick the box next to YES, I accept the Terms of Use, then click on: Start
  • You may see a panel towards the top of the screen telling you the website wants to install an add-on... click and allow/install to install. If your firewall asks whether you want to allow installation, say yes. If asked, click yes to allow the program to run on your computer.
  • Check "Enable detection of potentially unwanted applications"
  • Click on Start and say yes to allow the program to proceed.
  • The virus signature database will begin to download. Be patient, this may take some time depending on the speed of your Internet connection.
  • When completed, the Online Scan will begin automatically. The scan may take several hours.
  • Do not touch either the mouse or keyboard during the scan, otherwise it may stall.
  • When completed, click "List of found threats" and click again on Copy to clipboard. Open Notepad and paste in the clipboard list. Save it as ESET log somewhere that you can find it.
  • After that, click the button "Back"
  • Select and check Uninstall application on close and Delete quarantined files.
  • Then click on: Finish
  • Copy and paste the ESET log back here and tell me how your machine is now.


#23 Washetoo (Topic Starter, Member, 32 posts)

Windows Defender was already disabled, and the McAfee scan and firewall were disabled.

I now ran msconfig and disabled all of the McAfee services.

I have been trying to run ESET Online Scanner, but the computer locks up after a few minutes. ESET doesn't even finish downloading the virus signature database before everything locks up.



#24 emeraldnzl (GeekU Instructor, GeekU Moderator, 20,008 posts)

My guess is (might not be right... it's possible it is something else) that McAfee is interfering with ESET. Nowadays AVs are still working away deep down even when you disable them. You could try uninstalling McAfee and reinstalling it afterwards. That might be a good move anyway, as you will likely fix corruption if there is any.

Up to you. If you don't want to do that, we could try another online AV. :)



#25 Washetoo (Topic Starter, Member, 32 posts)

The computer has been locking up ever since it was infected with the virus. My assumption is that it still locks up because of the virus, but I'll go ahead and uninstall McAfee and try ESET again.

I uninstalled McAfee and ran ESET. This time it reached 80% when downloading the virus signature database instead of 60% as before, then it locked up the same as before.



#26 emeraldnzl (GeekU Instructor, GeekU Moderator, 20,008 posts)

Hello Washetoo,

Let's make sure all the remnants of McAfee are gone and try again.

Download the McAfee removal tool from here and save the file to your desktop.

Close all McAfee application windows you may have open, and double-click on MCPR.exe to start the removal tool.

Note: Windows Vista users will have to right-click on the file and select "Run as Administrator".

After the removal tool finishes, you should be prompted to restart your computer.

Once the computer restarts, your McAfee product should be completely uninstalled.

Try ESET again.

If it still won't work, then tell me and we will try another AV.



#27 Washetoo (Topic Starter, Member, 32 posts)

I ran MCPR.exe and completed the McAfee removal. A few items were removed.

I had the same result as before when running ESET. The computer locked up while ESET was downloading the virus signature database.



#28 emeraldnzl (GeekU Instructor, GeekU Moderator, 20,008 posts)

Okay, let's try this one: :)

Please run a free online scan with BitDefender Online Scanner

  • Click the green Start Scanner button
  • Click the green Scan Now button and wait a few seconds until a request appears from Bitdefender
  • Accept the plugin installation
  • Restart your browser in Administration mode if requested
  • Click the green Scan Now button again
  • Accept the EULA agreement if asked
  • The scan should start. It will be relatively quick.
  • Click View report (note: this is not the green button, Free download; just click on the words View report under the black button "Get QuickScan for your website")
  • Notepad will open with a log
  • Save it to your desktop
  • Copy and paste the report back here



#29 Washetoo (Topic Starter, Member, 32 posts)

The BitDefender Scan Now button wouldn't do anything. I tried the scan three times and each time I could get no action by pressing the Scan Now button. That's three computer restarts too because, as usual, the computer locked up after a few minutes.

I couldn't get the BitDefender link to work, so I accessed the program through a search. The website that I found was very different from the one that I can access with my clean computer using your link. So the link is good but the infected computer can't use it.


Edited by Washetoo, 17 June 2015 - 09:22 PM.


#30 emeraldnzl (GeekU Instructor, GeekU Moderator, 20,008 posts)

Quote: I tried the scan three times and each time I could get no action by pressing the Scan Now button.

Are you running as Administrator?

There is also the possibility that it is the browser you are using. Can you try with a different browser?

Quote: I couldn't get the BitDefender link to work so I accessed the program through a search.

You should tell me if you can't do anything. Going off and running a search could be exactly the wrong thing to do if your machine is infected.

Quote: The website that I found was very different from the one that I can access with my clean computer using your link.

So can you type the website address back here so I can see what it might be?

