
Google search redirected, unable to run Windscribe VPN or TDSSKiller

Malware


#16
RKinner

    Malware Expert

  • Expert
  • 24,598 posts
  • MVP

Once you decide you're good to go then:

Time to clean up:
If we used FRST to clean your PC:

right click on FRST.exe or FRST64.exe (whichever you used) and rename it to uninstall.exe.  Then right click on uninstall.exe and Run as Admin.

If we installed Speccy it needs to be uninstalled.  Process Explorer, VEW, AdwCleaner, JRT  and their logs and Speccy's log can just be deleted.

Also make sure you have the latest versions of any adobe.com products you use like Shockwave, Flash or Acrobat.  Flash is now the most malware targeted program so it must be kept up to date.  Be careful with Adobe.  They are fond of offering optional downloads like yahoo or Ask toolbars or that worthless McAfee Security Scan.  Go slow and uncheck the optional stuff.

Whether you use adobe reader, acrobat or fox-it to read pdf files you need to disable Javascript in the program.  There is an exploit out there now that can use it to get on your PC.  For Adobe Reader:  Start, All Programs, Adobe Reader, Edit, Preferences, Click on Javascript in the left column and uncheck Enable Acrobat Javascript.  OK Close program.  It's the same for Foxit reader except you uncheck Enable Javascript Actions.


If you use Chrome/Firefox/Edge then get the Ublock Origin extension.  For IE go to adblockplus.org  and get the program.
If Chrome/Firefox is slow loading make sure it only has the current Java add-on.  Then download and run Speedy Fox:
http://www.crystalidea.com/speedyfox. Close Chrome/Firefox/Skype. Hit Optimize.   You can run it any time that Chrome/Firefox seems slow starting.

If you use Facebook you need FB Purity: http://www.fbpurity.com/
To prevent a relatively new phishing attack:  In Firefox, type:

about:config

in the URL box and hit Enter.  You should get a new page of options (if you get a notice about voiding the warranty just cancel the warning).  In the Search box put in

puny

You should only get 2 options:
"network.IDN_show_punycode"
We want it to say True but by default it is False so double click on it to toggle from False to True.
"network.standard-url.punycode-host" Leave this one at the default of False.
Close and restart firefox.

To test it you can go to:

https://www.xn--80ak6aa92e.com/

If the value is false you will see https://www.apple.com instead of the correct value.


If you are a Facebook user get the FB Purity extension for your browser:
http://www.fbpurity.com/
This will stop all of the suggested pages and ads so that Facebook loads much quicker.


Be warned:  If you use Limewire, utorrent or any of the other P2P programs you will probably be coming back to the Malware Removal forum.  If you must use P2P then submit any files you get to http://virustotal.com before you open them.


If you have a router, log on to it today and change the default password!  If using a Wireless router you really should be using encryption on the link.  Use the strongest (newest) encryption method that your router and PC wireless adapter support, especially if you own a business.  See http://www.king5.com...0637284.html and http://www.seattlepi...ted-1344185.php for why encryption is important.  If you don't know how, visit the router maker's website.  They all have detailed step by step instructions or a wizard you can download.

Special note on Java.  Old Java versions should be removed after first clearing the Java Cache by following the instructions in:
http://www.java.com/...lugin_cache.xml
Then remove the old versions by going to Control Panel, Programs and Features and Uninstall all Java programs which are not Java Version 7 update 25 or better.  These may call themselves: Java Runtime, Runtime Environment, Runtime, JRE, Java Virtual Machine, Virtual Machine, Java VM, JVM, VM, J2RE, J2SE.  Get the latest version from Java.com.  They will usually attempt to foist some garbage like the Ask toolbar, Yahoo toolbar or McAfee Security Scan on you as part of the download.  Just uncheck the garbage before the download (or install) starts.  If you use a 64-bit browser and want the 64-bit version of Java you need to use it to visit java.com.
Due to multiple security problems with Java we are now recommending that it not be installed unless you absolutely know you need it.  If that is the case then go to Control Panel, Java, Security and slide it up to the highest level.  OK.


Recommended software: (I'm not saying you should download these just that if you have a need for a new program these are safe and work)  
Compression:  7-zip.  Avoid WinRar and WinZip as the free versions have adware.
Video Player:  VLC.  Unlike Windows Media Player it never seems to need extra files to work.
Photo organizer and editor:  Google's Picasa.  While it has been discontinued by Google you can still get it at:
http://techfilehippo...-free-download/
Office like free program:  Open Office: https://www.openoffice.org/download/
or
LibreOffice: https://www.libreoffice.org/
Free Anti-Virus:  Avast
Free Malware prevention:  MBAM: Free version at https://www.malwareb...m/mwb-download/
Can run with your anti-virus.
Paid Anti-Virus:  Kaspersky or BitDefender
Utilities:
Root Kit Detector:  MBAR: https://www.malwareb...om/antirootkit/
Process Explorer:  Show you what is running on the PC.  Like Task manager but better:  http://live.sysinter...com/procexp.exe
WhoCrashed: Why did your system crash?
http://www.resplendence.com/downloads
Then click on Download free home edition
where it says:
WhoCrashed 5.51
Comprehensible crash dump analysis tool
for Windows 10/8.1/8/7/Vista/XP/2012/2008/2003 (x86 and x64)
System Health:
Speccy:  
http://www.filehippo.com/download_speccy (Look in the upper right for the Download
Latest Version button  - Do NOT press the large Start Download button on the upper left!)  Decline CCleaner if offered.  Pay attention to SMART info on your hard drives and to temps.  If in doubt about temps try:
SpeedFan:  Try speedfan
http://www.filehippo...nload_speedfan/
Download, save and Install it (Win 7 or Vista right click and Run As Admin.) then run it.
Download Flash and Video.  To save flash video.  Works with Firefox.  https://addons.mozil...lash-and-video/

Avoid:  
Advanced System Care
SuperAntiSpyware
HitmanPro
Spybot S&D
Any P2P software especially if it comes from Conduit.
Registry Cleaners
Driver updating software.
PC fixing or Speed up software.
Running more than one anti-virus.
Seagate hard drives.  If you have one it's going to fail on you so backup your data now!

  • 0
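The punycode toggle described above only makes Firefox display the raw ACE form of a look-alike domain. The Python script below is an added example (not part of the post above) that decodes such labels itself and flags mixed-script labels and whole-script look-alikes, using a small constructed subset of the Unicode confusables table; the test domain from the post decodes to five Cyrillic letters whose Latin "skeleton" is apple.

```python
import unicodedata

# Constructed subset of the Unicode confusables list: Cyrillic letters that
# render like Latin ones (the full table is much longer).
CYRILLIC_LOOKALIKES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0443": "y", "\u0445": "x", "\u0455": "s", "\u0456": "i", "\u0458": "j",
    "\u04bb": "h", "\u04cf": "l", "\u0501": "d", "\u051b": "q", "\u051d": "w",
}
SEVERITY = {"ascii": 0, "non-ascii": 1, "whole-script-homograph": 2, "mixed-script": 3}

def decode_label(label: str) -> str:
    """Turn an ACE label such as 'xn--80ak6aa92e' into its Unicode form."""
    if label.lower().startswith("xn--"):
        return label[4:].encode("ascii").decode("punycode")
    return label

def script_of(ch: str) -> str:
    """First word of the Unicode character name, e.g. 'CYRILLIC' or 'LATIN'."""
    return unicodedata.name(ch, "UNKNOWN").split()[0]

def skeleton(text: str) -> str:
    """Replace known look-alikes with the Latin letter they imitate."""
    return "".join(CYRILLIC_LOOKALIKES.get(ch, ch) for ch in text)

def classify_label(label: str) -> str:
    """Verdict for one decoded label."""
    if label.isascii():
        return "ascii"
    scripts = {script_of(ch) for ch in label if ch.isalpha()}
    if len(scripts) > 1:
        return "mixed-script"            # e.g. Cyrillic 'а' glued onto Latin 'pple'
    if skeleton(label) != label and skeleton(label).isascii():
        return "whole-script-homograph"  # every letter imitates a Latin one
    return "non-ascii"                   # an ordinary IDN written in one script

def analyze_host(host: str) -> dict:
    """Decode every label of a hostname and report the worst verdict among them."""
    labels = [decode_label(part) for part in host.rstrip(".").split(".")]
    verdict = max((classify_label(part) for part in labels), key=SEVERITY.get)
    unicode_host = ".".join(labels)
    return {"unicode": unicode_host, "skeleton": skeleton(unicode_host), "verdict": verdict}

if __name__ == "__main__":
    for h in ("www.apple.com", "www.xn--80ak6aa92e.com"):
        print(h, "->", analyze_host(h))
```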


#17
Syncmaster75

    Member

  • Topic Starter
  • Member
  • PipPip
  • 48 posts

Unfortunately when I ran the 'last 10 errors' scan again this morning the eap issue is still there:


Attached File: MTB.txt (7.9KB)


I've gone through a lot of the advice on your last post - excellent stuff, I wasn't aware of some of the vulnerabilities you list and have made the changes under about:config as recommended. The latest update on Firefox has made Java obsolete so I've uninstalled it completely.  Speedyfox is very useful, certainly made the browser start up more quickly, thanks.


  • 0

#18
RKinner

    Malware Expert

  • Expert
  • 24,598 posts
  • MVP

I am also seeing some complaints about Avast files.  Can you reinstall Avast to see if that fixes them?


Open an elevated Command Prompt and type:

sc  qc  eaphost

hit Enter.


On mine it says:


[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: eaphost
        TYPE               : 20  WIN32_SHARE_PROCESS
        START_TYPE         : 3   DEMAND_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\WINDOWS\System32\svchost.exe -k netsvcs -p
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : Extensible Authentication Protocol
        DEPENDENCIES       : RPCSS
                           : KeyIso
        SERVICE_START_NAME : localSystem


Is that what yours says?  Pay special attention to the Start_Type


Now Type:

sc  query  eaphost

hit Enter


I get:


SERVICE_NAME: eaphost
        TYPE               : 20  WIN32_SHARE_PROCESS
        STATE              : 1  STOPPED
        WIN32_EXIT_CODE    : 1077  (0x435)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0


Now do:

dir  %SystemRoot%\System32\WcnEapPeerProxy.dll

hit Enter


 Volume in drive C is Windows8_OS
 Volume Serial Number is C66E-CA3C

 Directory of C:\WINDOWS\System32

03/29/2018  11:33 PM            36,352 WcnEapPeerProxy.dll
               1 File(s)         36,352 bytes
               0 Dir(s)  448,524,472,320 bytes free


Does it give you an error?


  • 0

#19
Syncmaster75

    Member

  • Topic Starter
  • Member
  • PipPip
  • 48 posts

Hi,


I've run those commands and got the results below:


C:\WINDOWS\system32>sc  qc  eaphost
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: eaphost
        TYPE               : 20  WIN32_SHARE_PROCESS
        START_TYPE         : 3   DEMAND_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\WINDOWS\System32\svchost.exe -k netsvcs -p
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : Extensible Authentication Protocol
        DEPENDENCIES       : RPCSS
                           : KeyIso
        SERVICE_START_NAME : localSystem

C:\WINDOWS\system32>
C:\WINDOWS\system32>sc  query  eaphost

SERVICE_NAME: eaphost
        TYPE               : 30  WIN32
        STATE              : 4  RUNNING
                                (STOPPABLE, NOT_PAUSABLE, ACCEPTS_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0

C:\WINDOWS\system32>dir  %SystemRoot%\System32\WcnEapPeerProxy.dll
 Volume in drive C has no label.
 Volume Serial Number is 2A55-3251

 Directory of C:\WINDOWS\System32

12/04/2018  00:33            36,352 WcnEapPeerProxy.dll
               1 File(s)         36,352 bytes
               0 Dir(s)  681,382,809,600 bytes free


The current service state and type seem to be different on mine in response to the second command.


I'll also reinstall Avast and let you know if that clears those errors.


  • 0
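To compare the two sc listings mechanically, the Python script below (an added example, not something posted in the thread) parses the "sc qc" and "sc query" output into dictionaries and reports a DEMAND_START service that is found RUNNING, which is exactly the mismatch being asked about; the sample output is constructed from the eaphost listings above.

```python
import re

# Constructed samples, trimmed from the eaphost listings quoted in the thread.
SC_QC_OUTPUT = """\
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: eaphost
        TYPE               : 20  WIN32_SHARE_PROCESS
        START_TYPE         : 3   DEMAND_START
        BINARY_PATH_NAME   : C:\\WINDOWS\\System32\\svchost.exe -k netsvcs -p
        DEPENDENCIES       : RPCSS
                           : KeyIso
        SERVICE_START_NAME : localSystem
"""
SC_QUERY_OUTPUT = """\
SERVICE_NAME: eaphost
        TYPE               : 30  WIN32
        STATE              : 4  RUNNING
                                (STOPPABLE, NOT_PAUSABLE, ACCEPTS_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)
"""

FIELD = re.compile(r"^\s*([A-Z0-9_]+)\s*:\s*(.*?)\s*$")
CONTINUATION = re.compile(r"^\s+:\s*(.*?)\s*$")   # '   : KeyIso' extends the previous key

def parse_sc(text: str) -> dict:
    """Turn sc.exe's 'KEY : value' listing into a dict; continued keys become lists."""
    fields, last = {}, None
    for line in text.splitlines():
        m = FIELD.match(line)
        if m:
            last, fields[m.group(1)] = m.group(1), m.group(2)
        elif last and CONTINUATION.match(line):
            prev = fields[last]
            fields[last] = (prev if isinstance(prev, list) else [prev]) + [CONTINUATION.match(line).group(1)]
    return fields

def name_of(value: str) -> str:
    """'3   DEMAND_START' -> 'DEMAND_START'; sc prints the numeric code first."""
    parts = value.split(None, 1)
    return parts[1] if len(parts) > 1 else ""

def assess(qc: dict, query: dict) -> list:
    """Compare the configured start type with the live state and return findings."""
    findings = []
    if name_of(qc.get("START_TYPE", "")) == "DEMAND_START" and name_of(query.get("STATE", "")) == "RUNNING":
        findings.append("demand-start service is running: some other component requested it")
    # eaphost is hosted by svchost in the netsvcs group; anything else deserves a look
    if not qc.get("BINARY_PATH_NAME", "").lower().startswith("c:\\windows\\system32\\svchost.exe -k "):
        findings.append("binary path is not the expected System32 svchost host")
    if name_of(qc.get("TYPE", "")) == "WIN32_SHARE_PROCESS" and name_of(query.get("TYPE", "")) == "WIN32":
        findings.append("configured as a shared svchost service but running in its own process (informational)")
    return findings
```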

#20
RKinner

    Malware Expert

  • Expert
  • 24,598 posts
  • MVP

Something is causing this eaphost file to start running.


Download Process Monitor https://live.sysinte...com/Procmon.exe
Save it to your desktop.  Run Process Monitor by right-clicking it and choosing Run As Admin.

As soon as it starts, File, then uncheck Capture Events.  Once it stops,
under Options, click Enable Boot Logging.  Close Process Monitor and reboot.

Open Process Monitor and it should tell you it has a boot log for you to look at.


Open it and then File, Save, All Events, Format: use default then OK.  It should save the file to logfile.pml which should be on your desktop.  Close Process Monitor. 


The problem is the file will be enormous and too large for the forum.  You will need to use a file sharing service like dropbox or one of the free services here:

https://www.hongkiat...g-alternatives/


Some may require you to zip up the file first and you need to make sure that it is readable by anyone.  Try to use one that just lets you upload without installing a program.  Then post the URL for the file.


  • 0

#21
Syncmaster75

    Member

  • Topic Starter
  • Member
  • PipPip
  • 48 posts

I've run Process Monitor - maybe because I was looking through the log it generated 3 log files rather than 1 but I've put them all on Dropbox:


https://www.dropbox....ootlog.pml?dl=0

https://www.dropbox....tlog-1.pml?dl=0

https://www.dropbox....tlog-2.pml?dl=0



  • 0

#22
RKinner

    Malware Expert

  • Expert
  • 24,598 posts
  • MVP

Please make a new bootlog and this time don't do anything but save it and then close Process Monitor.  All three of these were corrupt.


  • 0

#23
Syncmaster75

    Member

  • Topic Starter
  • Member
  • PipPip
  • 48 posts

Apologies for the file corruption issue, not sure what Process Monitor is playing at on my machine but I've had to download it 3 times to get a version that saves files it can read. Hopefully the links below are OK, again 3 files were created every time I did the reboot and save - all of these open on my copy of Process Monitor.

https://www.dropbox....ootlog.pml?dl=0

https://www.dropbox....tlog-1.pml?dl=0

https://www.dropbox....tlog-2.pml?dl=0


  • 0

#24
RKinner

    Malware Expert

  • Expert
  • 24,598 posts
  • MVP

Got the first one to work.  Combing through to see what's going on but may take a while.


  • 0

#25
Syncmaster75

    Member

  • Topic Starter
  • Member
  • PipPip
  • 48 posts

Thanks for agreeing to look at these logs - with over 2 million entries to sift through I can well believe it could be a long process!


  • 0


#26
RKinner

    Malware Expert

  • Expert
  • 24,598 posts
  • MVP

Appears that Windows 10 boot is three times longer than win 7 so they broke the log into three parts so as not to run out of memory.


Not having much luck.  No errors showing associated with eaphost.  Can you check that eapsvc.dll is present?

From an elevated Command Prompt type:

dir  %systemroot%\system32\eapsvc.dll

  • 0

#27
Syncmaster75

    Member

  • Topic Starter
  • Member
  • PipPip
  • 48 posts

It's definitely there:


Microsoft Windows [Version 10.0.17134.81]
© 2018 Microsoft Corporation. All rights reserved.

C:\WINDOWS\system32>dir  %systemroot%\system32\eapsvc.dll
 Volume in drive C has no label.
 Volume Serial Number is 2A55-3251

 Directory of C:\WINDOWS\system32

12/04/2018  00:34           109,568 eapsvc.dll
               1 File(s)        109,568 bytes
               0 Dir(s)  665,967,345,664 bytes free

C:\WINDOWS\system32>


  • 0

#28
RKinner

    Malware Expert

  • Expert
  • 24,598 posts
  • MVP

Are we still getting the eaphost error?  (look in VEW)   I can't find any reference to it in the logs.  If you are still getting it then look at the times and compare them to when you rebooted, when you logged on, when you opened your browser.  Which are they closest to?  (logs may be in GMT so the hours may be off but the minutes should be right) 


  • 0

#29
Syncmaster75

    Member

  • Topic Starter
  • Member
  • PipPip
  • 48 posts

I still have the eaphost errors - I've attached the latest MiniToolBox 'last 10 errors' report below.


By doing a series of selective startups using msconfig I've determined that the reason the eap service is running on my machine is that it's getting triggered by the Windscribe VPN client service, which runs with an automatic (delayed start) property. If I disable both the Windscribe service in msconfig and the client from startup using Task Manager then the eaphost service does not run (manual startup property). I can understand why a VPN service would trigger the eaphost service but don't know why it's generating these errors.


What is VEW? I assume it's some kind of monitoring / scanning program but I don't have it on my pc - if it's a more reliable way of detecting faults can you post a link? Thanks.


Attached File: MTB.txt (8.01KB)


The error log also shows a couple of immersive control panel errors which may be related to having had all non-Microsoft services disabled under msconfig. I have now gone back to a normal startup with all services enabled. The Avast errors are also still there despite uninstalling it and re-installing from a fresh download link.



  • 0

#30
RKinner

    Malware Expert

  • Expert
  • 24,598 posts
  • MVP

Sorry about VEW.  Thought we'd used it before.  It works this way:

1. Please download the Event Viewer Tool by Vino Rosso
http://images.malwar...om/vino/VEW.exe
and save it to your Desktop.
2. Right-click VEW.exe and Run As Administrator.
3. Under 'Select log to query', select:
* System
4. Under 'Select type to list', select:
* Error
* Warning

Then use the 'Number of events' as follows:

1. Click the radio button for 'Number of events'.
2. Type 20 in the 1 to 20 box.
3. Then click the Run button.
Notepad will open with the output log.


Please post the Output log in your next reply then repeat but select Application.  (Each time you run VEW it overwrites the log so copy the first one to a Reply or rename it before running it a second time.)


MTB is probably good enough for our purposes.


Have you tried a complete reinstall of Windscribe?


Can you get Process Monitor to record the start of a windscribe session?


  • 0
