8.1 and Rkill


28 replies to this topic

#1 ummhasan
  • Members
  • 155 posts
  • Gender: Female
  • Location: Michigan

Posted 05 November 2013 - 09:46 PM

Hello all,

Sadly, I thought I was done cleaning up malware when we all got brand new laptops (except me). They came with Windows 8 and my oldest daughter upgraded to 8.1 right away.

Stupidly, I trusted her to use her computer responsibly, knowing that she has read the guides on how to avoid malware and how to be safe on the internet, BUT....

She now has multiple PUPs being found (Conduit, BrowseFox, SnapDo, etc.) which are actually hijackers, I think. One of them seems to have infiltrated my entire network!

Of course, I'm kicking myself in the butt for not putting all but my computer behind a second hidden router like I had planned, but needless to say, I have a HUGE problem now with all brand new computers.

With that said, I downloaded RKill and got an error that my OS is not supported. Figures, Windows 8.1 is just out, and compatibility is not allowing me to check it to run it in compatibility mode.

Any ideas or workarounds known?

Thanks in advance





#2 boopme
    To Insanity and Beyond
  • Global Moderator
  • 60,065 posts
  • Gender: Male
  • Location: NJ USA

Posted 05 November 2013 - 09:53 PM

Hello, I'm moving this to the Am I Infected forum from Win 8.

Please download MiniToolBox, save it to your desktop and run it.
Checkmark the following checkboxes:
  • Flush DNS
  • Report IE Proxy Settings
  • Reset IE Proxy Settings
  • Report FF Proxy Settings
  • Reset FF Proxy Settings
  • List content of Hosts
  • List IP configuration
  • List Winsock Entries
  • List last 10 Event Viewer log
  • List Installed Programs
  • List Users, Partitions and Memory size.
Click Go and post the result (Result.txt). A copy of Result.txt will be saved in the same directory the tool is run.
Note: When using the "Reset FF Proxy Settings" option, Firefox should be closed.

Download TDSSKiller and save it to your desktop.
  • Extract (unzip) its contents to your desktop.
  • Open the TDSSKiller folder and double-click on TDSSKiller.exe to run the application, then on Start Scan.
  • If an infected file is detected, the default action will be Cure; click on Continue.
  • If a suspicious file is detected, the default action will be Skip; click on Continue.
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
  • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  • If a reboot is required, the report can also be found in your root directory (usually the C:\ folder) in the form of TDSSKiller_xxxx_log.txt. Please copy and paste the contents of that file here.

ADW Cleaner
Please download AdwCleaner by Xplode and save it to your Desktop.
  • Double-click on AdwCleaner.exe to run the tool.
  • Click on the Scan button.
  • AdwCleaner will begin to scan your computer like it did before.
  • After the scan has finished...
    <-insert any special instructions here for what to uncheck OR remove this line if there are none->
  • This time click on the Clean button.
  • Press OK when asked to close all programs and follow the onscreen prompts.
  • Press OK again to allow AdwCleaner to restart the computer and complete the removal process.
  • After rebooting, a logfile report (AdwCleaner[S#].txt) will open automatically (where the largest value of # represents the most recent report).
  • Copy and paste the contents of that logfile in your next reply.
  • A copy of that logfile will also be saved in the C:\AdwCleaner folder.

Please download Junkware Removal Tool to your desktop.
  • Shut down your protection software now to avoid potential conflicts.
  • Run the tool by double-clicking it. If you are using Windows Vista, 7, or 8, instead of double-clicking, right-click JRT.exe and select "Run as Administrator".
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete depending on your system's specifications.
  • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
  • Post the contents of JRT.txt into your next message.

Last, run ESET.
  • Hold down Control and click on this link to open ESET OnlineScan in a new window.
  • Click the ESET Online Scanner button.
  • For alternate browsers only (Microsoft Internet Explorer users can skip these steps):
  • Click on esetsmartinstaller_enu.exe to download the ESET Smart Installer. Save it to your desktop.
  • Double-click on the esetsmartinstaller_enu.exe icon on your desktop.
  • Check "YES, I accept the Terms of Use."
  • Click the Start button.
  • Accept any security warnings from your browser.
  • Under scan settings, check "Scan Archives" and "Remove found threats".
  • Click Advanced settings and select the following:
  • Scan potentially unwanted applications
  • Scan for potentially unsafe applications
  • Enable Anti-Stealth technology
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, click List Threats.
  • Click Export, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Click the Back button.
  • Click the Finish button.
  • NOTE: Sometimes if ESET finds no infections it will not create a log.

How do I get help? Who is helping me?
Staying Updated Calendar of Updates.
For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....
Become a BleepingComputer fan: Facebook Have you seen..Select Real Security

#3 Grinler
    Bleep Bleep!
  • Admin
  • 39,660 posts
  • Gender: Male
  • Location: USA

Posted 05 November 2013 - 11:19 PM

I will get Rkill fixed tomorrow.

#4 ummhasan
  • Topic Starter
  • Members
  • 155 posts
  • Gender: Female
  • Location: Michigan

Posted 06 November 2013 - 12:07 AM

Thanks Grinler, that's super fast! We all appreciate developers such as yourself!

boopme, thanks for taking on my problems again!

I sent a PM regarding a SAS scan that I had run prior to reading any replies, not thinking it would be moved here. I was trying to fix the problem myself so as to not bother anyone here again.

Anyway, below are my MiniToolBox results. The others will follow.

(Okay, for some reason nothing is pasting; I'm going to try another post.)

MiniToolBox:


MiniToolBox by Farbar  Version: 13-07-2013
Ran by Fatimah (administrator) on 06-11-2013 at 00:00:15
Running from "C:\Users\Fatimah\Desktop"
Microsoft Windows 8.1  (X64)
Boot Mode: Network
***************************************************************************

========================= Flush DNS: ===================================

Windows IP Configuration

Successfully flushed the DNS Resolver Cache.

========================= IE Proxy Settings: ==============================

Proxy is not enabled.
No Proxy Server is set.

"Reset IE Proxy Settings": IE Proxy Settings were reset.

========================= FF Proxy Settings: ==============================

"Reset FF Proxy Settings": Firefox Proxy settings were reset.

========================= Hosts content: =================================

 

========================= IP Configuration: ================================

Qualcomm Atheros AR956x Wireless Network Adapter = Wi-Fi (Connected)
Qualcomm Atheros AR8171/8175 PCI-E Gigabit Ethernet Controller (NDIS 6.30) = Ethernet (Media disconnected)

# ----------------------------------
# IPv4 Configuration
# ----------------------------------
pushd interface ipv4

reset
set global icmpredirects=enabled
set interface interface="Local Area Connection* 1" forwarding=enabled advertise=enabled nud=enabled ignoredefaultroutes=disabled
set interface interface="Wi-Fi" forwarding=enabled advertise=enabled nud=enabled ignoredefaultroutes=disabled
set interface interface="Ethernet" forwarding=enabled advertise=enabled nud=enabled ignoredefaultroutes=disabled
set interface interface="Bluetooth Network Connection" forwarding=enabled advertise=enabled nud=enabled ignoredefaultroutes=disabled
set interface interface="Local Area Connection* 12" forwarding=enabled advertise=enabled nud=enabled ignoredefaultroutes=disabled
set interface interface="ethernet_3" forwarding=enabled advertise=enabled nud=enabled ignoredefaultroutes=disabled

popd
# End of IPv4 configuration

 

Windows IP Configuration

   Host Name . . . . . . . . . . . . : Fatimah_Gateway
   Primary Dns Suffix  . . . . . . . :
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No
   DNS Suffix Search List. . . . . . : hsd1.mi.comcast.net.

Wireless LAN adapter Local Area Connection* 12:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Microsoft Wi-Fi Direct Virtual Adapter
   Physical Address. . . . . . . . . : 16-FD-52-C8-1A-F8
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes

Ethernet adapter Ethernet:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Qualcomm Atheros AR8171/8175 PCI-E Gigabit Ethernet Controller (NDIS 6.30)
   Physical Address. . . . . . . . . : 30-65-EC-09-C3-97
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes

Wireless LAN adapter Wi-Fi:

   Connection-specific DNS Suffix  . : hsd1.mi.comcast.net.
   Description . . . . . . . . . . . : Qualcomm Atheros AR956x Wireless Network Adapter
   Physical Address. . . . . . . . . : 24-FD-52-C8-1A-F8
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
   Link-local IPv6 Address . . . . . : fe80::48f0:cc44:f0e4:3cec%3(Preferred)
   IPv4 Address. . . . . . . . . . . : 10.0.0.4(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Lease Obtained. . . . . . . . . . : Tuesday, November 5, 2013 10:46:58 PM
   Lease Expires . . . . . . . . . . : Tuesday, November 12, 2013 10:46:57 PM
   Default Gateway . . . . . . . . . : 10.0.0.1
   DHCP Server . . . . . . . . . . . : 10.0.0.1
   DHCPv6 IAID . . . . . . . . . . . : 388300114
   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-19-6D-6F-71-30-65-EC-09-C3-97
   DNS Servers . . . . . . . . . . . : 75.75.76.76
                                       75.75.75.75
   NetBIOS over Tcpip. . . . . . . . : Enabled
Server:  cdns02.comcast.net
Address:  75.75.76.76

Name:    google.com
Addresses:  2607:f8b0:4009:805::1002
   173.194.46.69
   173.194.46.64
   173.194.46.66
   173.194.46.65
   173.194.46.68
   173.194.46.71
   173.194.46.67
   173.194.46.70
   173.194.46.72
   173.194.46.73
   173.194.46.78

Pinging google.com [74.125.225.32] with 32 bytes of data:
Reply from 74.125.225.32: bytes=32 time=19ms TTL=55
Reply from 74.125.225.32: bytes=32 time=26ms TTL=55

Ping statistics for 74.125.225.32:
    Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 19ms, Maximum = 26ms, Average = 22ms
Server:  cdns02.comcast.net
Address:  75.75.76.76

Name:    yahoo.com
Addresses:  98.138.253.109
   206.190.36.45
   98.139.183.24

Pinging yahoo.com [98.138.253.109] with 32 bytes of data:
Reply from 98.138.253.109: bytes=32 time=52ms TTL=47
Reply from 98.138.253.109: bytes=32 time=61ms TTL=47

Ping statistics for 98.138.253.109:
    Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 52ms, Maximum = 61ms, Average = 56ms

Pinging 127.0.0.1 with 32 bytes of data:
Reply from 127.0.0.1: bytes=32 time<1ms TTL=128
Reply from 127.0.0.1: bytes=32 time<1ms TTL=128

Ping statistics for 127.0.0.1:
    Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 0ms, Average = 0ms
===========================================================================
Interface List
 12...16 fd 52 c8 1a f8 ......Microsoft Wi-Fi Direct Virtual Adapter
  4...30 65 ec 09 c3 97 ......Qualcomm Atheros AR8171/8175 PCI-E Gigabit Ethernet Controller (NDIS 6.30)
  3...24 fd 52 c8 1a f8 ......Qualcomm Atheros AR956x Wireless Network Adapter
  1...........................Software Loopback Interface 1
===========================================================================

IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0         10.0.0.1         10.0.0.4     25
         10.0.0.0    255.255.255.0         On-link          10.0.0.4    281
         10.0.0.4  255.255.255.255         On-link          10.0.0.4    281
       10.0.0.255  255.255.255.255         On-link          10.0.0.4    281
        127.0.0.0        255.0.0.0         On-link         127.0.0.1    306
        127.0.0.1  255.255.255.255         On-link         127.0.0.1    306
  127.255.255.255  255.255.255.255         On-link         127.0.0.1    306
        224.0.0.0        240.0.0.0         On-link         127.0.0.1    306
        224.0.0.0        240.0.0.0         On-link          10.0.0.4    281
  255.255.255.255  255.255.255.255         On-link         127.0.0.1    306
  255.255.255.255  255.255.255.255         On-link          10.0.0.4    281
===========================================================================
Persistent Routes:
  None

IPv6 Route Table
===========================================================================
Active Routes:
 If Metric Network Destination      Gateway
  1    306 ::1/128                  On-link
  3    281 fe80::/64                On-link
  3    281 fe80::48f0:cc44:f0e4:3cec/128
                                    On-link
  1    306 ff00::/8                 On-link
  3    281 ff00::/8                 On-link
===========================================================================
Persistent Routes:
  None
========================= Winsock entries =====================================

Catalog5 01 C:\WINDOWS\SysWOW64\napinsp.dll [53760] (Microsoft Corporation)
Catalog5 02 C:\WINDOWS\SysWOW64\pnrpnsp.dll [68096] (Microsoft Corporation)
Catalog5 03 C:\WINDOWS\SysWOW64\pnrpnsp.dll [68096] (Microsoft Corporation)
Catalog5 04 C:\WINDOWS\SysWOW64\NLAapi.dll [64000] (Microsoft Corporation)
Catalog5 05 C:\WINDOWS\SysWOW64\mswsock.dll [270848] (Microsoft Corporation)
Catalog5 06 C:\WINDOWS\SysWOW64\winrnr.dll [21504] (Microsoft Corporation)
Catalog5 07 C:\WINDOWS\SysWOW64\wshbth.dll [51200] (Microsoft Corporation)
Catalog9 01 C:\WINDOWS\SysWOW64\mswsock.dll [270848] (Microsoft Corporation)
Catalog9 02 C:\WINDOWS\SysWOW64\mswsock.dll [270848] (Microsoft Corporation)
Catalog9 03 C:\WINDOWS\SysWOW64\mswsock.dll [270848] (Microsoft Corporation)
Catalog9 04 C:\WINDOWS\SysWOW64\mswsock.dll [270848] (Microsoft Corporation)
Catalog9 05 C:\WINDOWS\SysWOW64\mswsock.dll [270848] (Microsoft Corporation)
Catalog9 06 C:\WINDOWS\SysWOW64\mswsock.dll [270848] (Microsoft Corporation)
Catalog9 07 C:\WINDOWS\SysWOW64\mswsock.dll [270848] (Microsoft Corporation)
Catalog9 08 C:\WINDOWS\SysWOW64\mswsock.dll [270848] (Microsoft Corporation)
Catalog9 09 C:\WINDOWS\SysWOW64\mswsock.dll [270848] (Microsoft Corporation)
Catalog9 10 C:\WINDOWS\SysWOW64\mswsock.dll [270848] (Microsoft Corporation)
Catalog9 11 C:\WINDOWS\SysWOW64\mswsock.dll [270848] (Microsoft Corporation)
x64-Catalog5 01 C:\Windows\System32\napinsp.dll [67584] (Microsoft Corporation)
x64-Catalog5 02 C:\Windows\System32\pnrpnsp.dll [87040] (Microsoft Corporation)
x64-Catalog5 03 C:\Windows\System32\pnrpnsp.dll [87040] (Microsoft Corporation)
x64-Catalog5 04 C:\Windows\System32\NLAapi.dll [84480] (Microsoft Corporation)
x64-Catalog5 05 C:\Windows\System32\mswsock.dll [338432] (Microsoft Corporation)
x64-Catalog5 06 C:\Windows\System32\winrnr.dll [30208] (Microsoft Corporation)
x64-Catalog5 07 C:\Windows\System32\wshbth.dll [63488] (Microsoft Corporation)
x64-Catalog9 01 C:\Windows\System32\mswsock.dll [338432] (Microsoft Corporation)
x64-Catalog9 02 C:\Windows\System32\mswsock.dll [338432] (Microsoft Corporation)
x64-Catalog9 03 C:\Windows\System32\mswsock.dll [338432] (Microsoft Corporation)
x64-Catalog9 04 C:\Windows\System32\mswsock.dll [338432] (Microsoft Corporation)
x64-Catalog9 05 C:\Windows\System32\mswsock.dll [338432] (Microsoft Corporation)
x64-Catalog9 06 C:\Windows\System32\mswsock.dll [338432] (Microsoft Corporation)
x64-Catalog9 07 C:\Windows\System32\mswsock.dll [338432] (Microsoft Corporation)
x64-Catalog9 08 C:\Windows\System32\mswsock.dll [338432] (Microsoft Corporation)
x64-Catalog9 09 C:\Windows\System32\mswsock.dll [338432] (Microsoft Corporation)
x64-Catalog9 10 C:\Windows\System32\mswsock.dll [338432] (Microsoft Corporation)
x64-Catalog9 11 C:\Windows\System32\mswsock.dll [338432] (Microsoft Corporation)

========================= Event log errors: ===============================

Application errors:
==================
Error: (11/05/2013 11:15:50 PM) (Source: Microsoft-Windows-Immersive-Shell) (User: FATIMAH_GATEWAY)
Description: Activation of app DefaultBrowser_NOPUBLISHERID!Microsoft.InternetExplorer.Default failed with error: -2144927149 See the Microsoft-Windows-TWinUI/Operational log for additional information.

Error: (11/05/2013 09:56:43 PM) (Source: Microsoft-Windows-Immersive-Shell) (User: FATIMAH_GATEWAY)
Description: Activation of app DefaultBrowser_NOPUBLISHERID!Microsoft.InternetExplorer.Default failed with error: -2144927149 See the Microsoft-Windows-TWinUI/Operational log for additional information.

Error: (11/05/2013 09:56:31 PM) (Source: Microsoft-Windows-Immersive-Shell) (User: FATIMAH_GATEWAY)
Description: Activation of app DefaultBrowser_NOPUBLISHERID!Microsoft.InternetExplorer.Default failed with error: -2144927149 See the Microsoft-Windows-TWinUI/Operational log for additional information.

System errors:
=============
Error: (11/06/2013 00:00:18 AM) (Source: DCOM) (User: FATIMAH_GATEWAY)
Description: 1084WSearchUnavailable{B52D54BB-4818-4EB9-AA80-F9EACD371DF8}

Error: (11/06/2013 00:00:18 AM) (Source: DCOM) (User: FATIMAH_GATEWAY)
Description: 1084WSearchUnavailable{B52D54BB-4818-4EB9-AA80-F9EACD371DF8}

Error: (11/06/2013 00:00:16 AM) (Source: DCOM) (User: FATIMAH_GATEWAY)
Description: 1084WSearchUnavailable{B52D54BB-4818-4EB9-AA80-F9EACD371DF8}

Error: (11/06/2013 00:00:16 AM) (Source: DCOM) (User: FATIMAH_GATEWAY)
Description: 1084WSearchUnavailable{B52D54BB-4818-4EB9-AA80-F9EACD371DF8}

Error: (11/06/2013 00:00:16 AM) (Source: DCOM) (User: FATIMAH_GATEWAY)
Description: 1084WSearchUnavailable{B52D54BB-4818-4EB9-AA80-F9EACD371DF8}

Error: (11/06/2013 00:00:16 AM) (Source: DCOM) (User: FATIMAH_GATEWAY)
Description: 1084WSearchUnavailable{B52D54BB-4818-4EB9-AA80-F9EACD371DF8}

Error: (11/06/2013 00:00:16 AM) (Source: DCOM) (User: FATIMAH_GATEWAY)
Description: 1084ShellHWDetectionUnavailable{DD522ACC-F821-461A-A407-50B198B896DC}

Error: (11/06/2013 00:00:04 AM) (Source: DCOM) (User: FATIMAH_GATEWAY)
Description: 1084ShellHWDetectionUnavailable{DD522ACC-F821-461A-A407-50B198B896DC}

Error: (11/05/2013 11:59:56 PM) (Source: DCOM) (User: FATIMAH_GATEWAY)
Description: 1084ShellHWDetectionUnavailable{DD522ACC-F821-461A-A407-50B198B896DC}

Error: (11/05/2013 11:58:42 PM) (Source: DCOM) (User: FATIMAH_GATEWAY)
Description: 1084WSearchUnavailable{B52D54BB-4818-4EB9-AA80-F9EACD371DF8}

Microsoft Office Sessions:
=========================
Error: (11/05/2013 11:15:50 PM) (Source: Microsoft-Windows-Immersive-Shell)(User: FATIMAH_GATEWAY)
Description: DefaultBrowser_NOPUBLISHERID!Microsoft.InternetExplorer.Default-2144927149

Error: (11/05/2013 09:56:43 PM) (Source: Microsoft-Windows-Immersive-Shell)(User: FATIMAH_GATEWAY)
Description: DefaultBrowser_NOPUBLISHERID!Microsoft.InternetExplorer.Default-2144927149

Error: (11/05/2013 09:56:31 PM) (Source: Microsoft-Windows-Immersive-Shell)(User: FATIMAH_GATEWAY)
Description: DefaultBrowser_NOPUBLISHERID!Microsoft.InternetExplorer.Default-2144927149

=========================== Installed Programs ============================

Adobe Flash Player 11 Plugin (Version: 11.9.900.117)
AMD Accelerated Video Transcoding (Version: 12.10.100.30313)
AMD Catalyst Install Manager (Version: 8.0.911.0)
AMD VISION Engine Control Center (Version: 2013.0313.13.41666)
Bejeweled 3 (Version: 2.2.0.98)
Catalyst Control Center - Branding (Version: 1.00.0000)
Catalyst Control Center Graphics Previews Common (Version: 2013.0313.13.41666)
Catalyst Control Center InstallProxy (Version: 2013.0313.13.41666)
Catalyst Control Center Localization All (Version: 2013.0313.13.41666)
CCC Help Chinese Standard (Version: 2013.0313.0012.41666)
CCC Help Chinese Traditional (Version: 2013.0313.0012.41666)
CCC Help Czech (Version: 2013.0313.0012.41666)
CCC Help Danish (Version: 2013.0313.0012.41666)
CCC Help Dutch (Version: 2013.0313.0012.41666)
CCC Help English (Version: 2013.0313.0012.41666)
CCC Help Finnish (Version: 2013.0313.0012.41666)
CCC Help French (Version: 2013.0313.0012.41666)
CCC Help German (Version: 2013.0313.0012.41666)
CCC Help Greek (Version: 2013.0313.0012.41666)
CCC Help Hungarian (Version: 2013.0313.0012.41666)
CCC Help Italian (Version: 2013.0313.0012.41666)
CCC Help Japanese (Version: 2013.0313.0012.41666)
CCC Help Korean (Version: 2013.0313.0012.41666)
CCC Help Norwegian (Version: 2013.0313.0012.41666)
CCC Help Polish (Version: 2013.0313.0012.41666)
CCC Help Portuguese (Version: 2013.0313.0012.41666)
CCC Help Russian (Version: 2013.0313.0012.41666)
CCC Help Spanish (Version: 2013.0313.0012.41666)
CCC Help Swedish (Version: 2013.0313.0012.41666)
CCC Help Thai (Version: 2013.0313.0012.41666)
CCC Help Turkish (Version: 2013.0313.0012.41666)
ccc-utility64 (Version: 2013.0313.13.41666)
Cradle Of Egypt Collector's Edition (Version: 2.2.0.110)
Delicious: Emily's Childhood Memories Premium Edition (Version: 3.0.2.32)
Dora's World Adventure (Version: 2.2.0.95)
eBay Worldwide (Version: 2.4.0105)
Game Channels (Version: 8.1.0.17)
Gateway Device Fast-lane (Version: 1.00.3011)
Gateway Launch Manager (Version: 8.00.3003)
Gateway Power Management (Version: 7.00.3013)
Gateway Recovery Management (Version: 6.00.3016)
Google Earth Plug-in (Version: 7.1.1.1888)
Google Update Helper (Version: 1.3.21.165)
Identity Card (Version: 2.00.3005)
Jewel Match 3 (Version: 2.2.0.98)
Live Updater (Version: 2.00.3008)
Malwarebytes Anti-Malware version 1.75.0.1300 (Version: 1.75.0.1300)
Microsoft Office 365 Home Premium - en-us (Version: 15.0.4535.1511)
Microsoft SkyDrive (Version: 17.0.2015.0811)
Microsoft Visual C++ 2005 Redistributable (Version: 8.0.59193)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.17 (Version: 9.0.30729)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.4148 (Version: 9.0.30729.4148)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17 (Version: 9.0.30729)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148 (Version: 9.0.30729.4148)
Microsoft Visual C++ 2010  x64 Redistributable - 10.0.40219 (Version: 10.0.40219)
Microsoft Visual C++ 2010  x86 Redistributable - 10.0.40219 (Version: 10.0.40219)
Mystery P.I. - Curious Case of Counterfeit Cove (Version: 2.2.0.98)
Nero BackItUp (Version: 12.5.5000)
Nero BackItUp 12 Essentials OEM.a01 (Version: 12.5.00500)
Nero BackItUp Help (CHM) (Version: 12.0.10000)
Nero ControlCenter (Version: 11.0.15600)
Nero ControlCenter Help (CHM) (Version: 12.0.7000)
Nero Core Components (Version: 11.0.20200)
Nero Launcher (Version: 12.2.7000)
Nero RescueAgent (Version: 12.0.3001)
Nero RescueAgent Help (CHM) (Version: 12.0.7000)
Nero Update (Version: 11.0.11800.31.0)
Norton Internet Security (Version: 20.4.0.40)
Norton Online Backup (Version: 2.2.3.51r2)
Norton Online Backup ARA (Version: 4.1.0.14)
OEM Application Profile (Version: 1.00.0000)
Office 15 Click-to-Run Extensibility Component (Version: 15.0.4535.1511)
Office 15 Click-to-Run Licensing Component (Version: 15.0.4535.1511)
Office 15 Click-to-Run Localization Component (Version: 15.0.4535.1511)
Peggle Nights (Version: 2.2.0.98)
Plants vs. Zombies - Game of the Year (Version: 2.2.0.98)
Prerequisite installer (Version: 12.0.0003)
Qualcomm Atheros Bluetooth Suite (64) (Version: 8.0.0.224)
Qualcomm Atheros Communications Inc.® AR81Family Gigabit/Fast Ethernet Driver (Version: 2.1.0.13)
Qualcomm Atheros WLAN and Bluetooth Client Installation Program (Version: 11.49)
Realtek High Definition Audio Driver (Version: 6.0.1.6865)
Soluto (Version: 1.3.1193.1)
SUPERAntiSpyware (Version: 5.6.1040)
Tales of Lagoona (Version: 2.2.0.110)
The Chronicles of Emerland Solitaire (Version: 3.0.2.32)
Unity Web Player (Version: )
Update Installer for WildTangent Games App
WildTangent Games (Version: 1.0.4.0)
WildTangent Games App (Version: 4.0.10.5)

========================= Memory info: ===================================

Percentage of memory in use: 31%
Total physical RAM: 3525 MB
Available physical RAM: 2409.84 MB
Total Pagefile: 4869 MB
Available Pagefile: 3915.38 MB
Total Virtual: 4095.88 MB
Available Virtual: 3976.14 MB

========================= Partitions: =====================================

1 Drive c: (Gateway) (Fixed) (Total:450.24 GB) (Free:420.49 GB) NTFS

========================= Users: ========================================

User accounts for \\FATIMAH_GATEWAY

Administrator            Fatimah                  Guest                   

**** End of log ****



#5 ummhasan
  • Topic Starter
  • Members
  • 155 posts
  • Gender: Female
  • Location: Michigan

Posted 06 November 2013 - 12:12 AM

JRT was run yesterday before my post; here are the results:


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Thisisu
Version: 6.0.8 (11.05.2013:1)
OS: Windows 8.1 x64
Ran by Fatimah on Tue 11/05/2013 at 20:47:13.96
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

 

~~~ Services

 

~~~ Registry Values

Successfully deleted: [Registry Value] HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Toolbar\\{ae07101b-46d4-4a98-af68-0333ea26e113}
Successfully repaired: [Registry Value] HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchURL\\Default
Successfully repaired: [Registry Value] HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\searchURL\\Default
Suspicious HKCU\..\Run entries found. Trojan:JS/Medfos.B?

    Value Name          Type                             Value Data                    
========================================================================================
    BackgroundContainer    REG_SZ    "C:\WINDOWS\SysWOW64\Rundll32.exe" "C:\Users\Fatimah\AppData\Local\Conduit\BackgroundContainer\BackgroundContainer.dll",DllRun

 

~~~ Registry Keys

Successfully deleted: [Registry Key] HKEY_CLASSES_ROOT\CLSID\{3C471948-F874-49F5-B338-4F214A2EE0B1}
Successfully deleted: [Registry Key] HKEY_CURRENT_USER\Software\conduit
Successfully deleted: [Registry Key] HKEY_CURRENT_USER\Software\iminent
Successfully deleted: [Registry Key] HKEY_CURRENT_USER\Software\smartbar
Successfully deleted: [Registry Key] HKEY_CURRENT_USER\Software\AppDataLow\software\conduitsearchscopes
Successfully deleted: [Registry Key] HKEY_CURRENT_USER\Software\AppDataLow\software\crossrider
Successfully deleted: [Registry Key] HKEY_CURRENT_USER\Software\AppDataLow\software\smartbar
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\conduit
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\iminent
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Microsoft\Tracing\iminent_rasapi32
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Microsoft\Tracing\iminent_rasmancs
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Microsoft\Tracing\smartbar_rasapi32
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Microsoft\Tracing\smartbar_rasmancs
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\searchthewebarp
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Classes\Toolbar.CT2383985
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\SearchScopes\{006ee092-9658-4fd6-bd8e-a21a348e59f5}

 

~~~ Files

Successfully deleted: [File] "C:\Users\Fatimah\appdata\local\google\chrome\user data\default\local storage\http_app.mam.conduit.com_0.localstorage"
Successfully deleted: [File] "C:\Users\Fatimah\appdata\local\google\chrome\user data\default\local storage\http_app.mam.conduit.com_0.localstorage-journal"
Successfully deleted: [File] "C:\Users\Fatimah\appdata\local\google\chrome\user data\default\local storage\http_storage.conduit.com_0.localstorage"
Successfully deleted: [File] "C:\end"

 

~~~ Folders

Successfully deleted: [Folder] "C:\ProgramData\boost_interprocess"
Successfully deleted: [Folder] "C:\ProgramData\conduit"
Successfully deleted: [Folder] "C:\Users\Fatimah\appdata\local\conduit"
Successfully deleted: [Folder] "C:\Users\Fatimah\appdata\local\cre"
Successfully deleted: [Folder] "C:\Users\Fatimah\appdata\locallow\conduit"
Successfully deleted: [Folder] "C:\Program Files (x86)\conduit"
Successfully deleted: [Folder] "C:\WINDOWS\syswow64\ai_recyclebin"

 

~~~ Chrome

Successfully deleted: [Folder] C:\Users\Fatimah\appdata\local\Google\Chrome\User Data\Default\Extensions\amfclgbdpgndipgoegfpkkgobahigbcl
Successfully deleted: [Folder] C:\Users\Fatimah\appdata\local\Google\Chrome\User Data\Default\Extensions\jidjhchcblhlapbcpheibgdjkajekhbh

 

~~~ Event Viewer Logs were cleared

 

 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on Tue 11/05/2013 at 20:52:40.44
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Although you didn't ask for it, since I have it waiting for a reply from me (before I read your reply and realized my post had been moved), below is the SAS report (although I still have taken no action regarding the threats it found, while I wait on a reply from you regarding that).


SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 11/05/2013 at 11:22 PM

Application Version : 5.6.1040

Core Rules Database Version : 10873
Trace Rules Database Version: 8685

Scan type       : Complete Scan
Total Scan Time : 00:34:44

Operating System Information
 65 Edition 64-bit (Build 6.03.9600)
UAC Off - Administrator

Memory items scanned      : 409
Memory threats detected   : 0
Registry items scanned    : 69994
Registry threats detected : 0
File items scanned        : 45804
File threats detected     : 4

Trojan.Agent/Gen-Buzus
 C:\WINDOWS\SYSTEM32\OEM\FACTORY\OA3SFCS\WSHOW.EXE
 C:\WINDOWS\SYSTEM32\OEM\FACTORY\WSHOW.EXE

Trojan.Agent/Gen-Frauder
 C:\WINDOWS\SYSTEM32\OEM\FACTORY\SQUARE.EXE
 C:\WINDOWS\SYSTEM32\OEM\FACTORY\TIMER.EXE

Edited by ummhasan, 06 November 2013 - 12:18 AM.

#6 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 60,065 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:10:10 PM

Posted 06 November 2013 - 10:21 AM

I replied to your PM.
Looks like some good hits in those scans. We still need ESET; let me know how it's running.
How do I get help? Who is helping me?
Staying Updated Calendar of Updates.
For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....
Become a BleepingComputer fan: Facebook Have you seen..Select Real Security

#7 ummhasan

  • Topic Starter

Posted 06 November 2013 - 11:02 AM

Thanks for your reply! I had already tried to check the files at VirusTotal, but when I browse to the file, it shows nothing in the OEM folder. I have set the folder properties to show hidden files, but I'm not seeing anything. I tried pasting the path, but that didn't work either. I'm guessing it's a Win 8.1 thing, but I'm not sure.

I'll check the other sites today too and do the ESET scanner. I didn't do the TDSS scan because I will need to restart, and I'm not sure what to do with the files SAS found. I've still got the scanner open and am running in safe mode. SAS is awaiting my decision.

#8 boopme

Posted 06 November 2013 - 11:33 AM

Well, I am not certain what the first is, but it does seem to be a Windows file. Don't remove either. Close SAS, run ESET, and see if it sees them. We can run SAS again later.


#9 ummhasan

  • Topic Starter

Posted 06 November 2013 - 01:26 PM

I closed out the SAS scan and did try to check with some of the other file scanners, but I can't see the factory folder, so I can't check them. My guess is that they are both FPs.

ESET scan results:

C:\Users\Fatimah\AppData\Local\Temp\tbOurW.dll a variant of Win32/Toolbar.Conduit.B application
 



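Added example (PowerShell, not part of the thread) for the problem in posts #7 and #9: the OEM\FACTORY folder looks empty when browsed from a 32-bit program's file dialog, which on 64-bit Windows is the classic symptom of WOW64 file system redirection (a 32-bit process that opens C:\Windows\System32 is silently shown C:\Windows\SysWOW64, and the Sysnative alias reaches the real folder). The thread never confirms that this is the cause; it is an assumption here. The script resolves each of the four paths SAS flagged, computes a SHA256 you can look up on VirusTotal without uploading anything, and reports the Authenticode signature and the version-info company name. Function and variable names are mine.

```powershell
# Added example, not from the thread. The four paths are the files SAS flagged.
$flagged = @(
    'C:\WINDOWS\SYSTEM32\OEM\FACTORY\OA3SFCS\WSHOW.EXE',
    'C:\WINDOWS\SYSTEM32\OEM\FACTORY\WSHOW.EXE',
    'C:\WINDOWS\SYSTEM32\OEM\FACTORY\SQUARE.EXE',
    'C:\WINDOWS\SYSTEM32\OEM\FACTORY\TIMER.EXE'
)

function Resolve-System32Path {
    param([string]$Path)
    # In a 32-bit process on 64-bit Windows, WOW64 redirects C:\Windows\System32
    # to C:\Windows\SysWOW64, so a folder that exists only in the real System32
    # appears empty. The Sysnative alias bypasses the redirection.
    if (Test-Path -LiteralPath $Path) { return $Path }
    if ([Environment]::Is64BitOperatingSystem -and -not [Environment]::Is64BitProcess) {
        $alt = $Path -ireplace '\\System32\\', '\Sysnative\'
        if (Test-Path -LiteralPath $alt) { return $alt }
    }
    return $null
}

function Get-FlaggedFileReport {
    param([string[]]$Paths)
    foreach ($p in $Paths) {
        $real = Resolve-System32Path -Path $p
        if (-not $real) {
            # Not visible from this process: run from an elevated 64-bit PowerShell.
            [pscustomobject]@{ Path = $p; Present = $false; SHA256 = $null;
                               SigStatus = $null; Signer = $null; Company = $null }
            continue
        }
        # Get-FileHash needs PowerShell 4.0, which Windows 8.1 ships with.
        $hash   = Get-FileHash -LiteralPath $real -Algorithm SHA256
        $sig    = Get-AuthenticodeSignature -LiteralPath $real
        $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned>' }
        $info   = (Get-Item -LiteralPath $real).VersionInfo
        [pscustomobject]@{
            Path      = $real
            Present   = $true
            SHA256    = $hash.Hash
            SigStatus = $sig.Status      # Valid, NotSigned, HashMismatch, ...
            Signer    = $signer
            Company   = $info.CompanyName
        }
    }
}

Get-FlaggedFileReport -Paths $flagged | Format-List
```

A valid signature from the laptop vendor supports the false-positive reading; an unsigned file does not by itself prove anything either way, which is why the hash lookup is the next step. Searching VirusTotal by hash also avoids uploading a file that may contain OEM data.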
#10 boopme

Posted 06 November 2013 - 02:27 PM

I would agree.. Looks like we got all the Conduit.

#11 ummhasan

  • Topic Starter

Posted 06 November 2013 - 02:38 PM

Sounds good then. I'll restart in normal mode and see how things are now.

#12 ummhasan

  • Topic Starter

Posted 06 November 2013 - 03:59 PM

Well, after reboot I was greeted with some errors. I took a screenshot but am not seeing the attachment option, so I'll just write what I see. Hopefully you can understand it.

Window name: RunDLL

There was a problem starting

c:\users\Fatimah\AppData\local\Conduit\backgroundContainer\backgroundContainer.dll

The specified module could not be found.

Button: OK

I get two of them.

I'm guessing this is a good thing, but obviously it needs to be addressed.

#13 boopme

Posted 06 November 2013 - 04:11 PM

It's not unusual to receive such an error after using specialized fix tools.

A "Cannot find...", "Could not run...", "Error loading..." or "specified module could not be found" message is usually related to malware that was set to run at startup but has been deleted. Windows is trying to load this file but cannot locate it, since the file was most likely removed during an anti-virus or anti-malware scan. However, an associated orphaned registry entry remains and is telling Windows to load the file when you boot up. Since the file no longer exists, Windows will display an error message. You need to remove this registry entry so Windows stops searching for the file when it loads.

To resolve this, download Autoruns, search for the related entry and then delete it.

Create a new folder on your hard drive called AutoRuns (C:\AutoRuns) and extract (unzip) the file there. (click here if you're not sure how to do this.)
Open the folder and double-click on autoruns.exe to launch it.
Please be patient as it scans and populates the entries.
When done scanning, it will say Ready at the bottom.
Scroll through the list and look for a startup entry related to the file(s) in the error message. --->>> backgroundContainer.dll
Right-click on the entry and choose delete.
Reboot your computer and see if the startup error returns.

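Added example (PowerShell, not from the thread) of the check post #13 describes: list autostart entries whose target file no longer exists, which is exactly what produces a "The specified module could not be found" RunDLL dialog at logon after a cleanup tool deleted the DLL. It covers only the Run/RunOnce keys (per-user, machine, and the 32-bit WOW6432Node view) and the two Startup folders, which is where a rundll32-launched helper like the BackgroundContainer.dll in the error usually sits; Autoruns inspects far more locations, so treat this as a quick confirmation, not a replacement. The command-line parsing and the function names are mine, and the script only reports; it removes nothing.

```powershell
# Added example, not from the thread. Reports autostart entries whose target
# file is missing (orphans); it does not delete anything.
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce'
)

function Get-TargetPath {
    param([string]$Command)
    # Best-effort extraction of the file a Run-key command actually loads.
    # For rundll32 the file that matters is the DLL argument, not rundll32.exe:
    #   rundll32.exe "C:\...\BackgroundContainer.dll",DllRun
    $cmd = [Environment]::ExpandEnvironmentVariables($Command.Trim())
    if ($cmd -match '^"?(?:[^"]*\\)?rundll32(?:\.exe)?"?\s+"?([^",]+)') {
        return $Matches[1].Trim()
    }
    if ($cmd -match '^"([^"]+)"') { return $Matches[1] }          # quoted path
    if ($cmd -match '^(\S+?\.(?:exe|dll|cmd|bat|vbs|js))(?:\s|$)') {
        return $Matches[1]                                        # unquoted path, no spaces
    }
    return ($cmd -split '\s+')[0]                                 # fallback: first token
}

function Find-OrphanedAutostarts {
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($name in $props.PSObject.Properties.Name) {
            if ($name -like 'PS*') { continue }   # PSPath, PSParentPath, ... added by the provider
            $target = Get-TargetPath -Command ([string]$props.$name)
            if ($target -and -not (Test-Path -LiteralPath $target)) {
                [pscustomobject]@{ Location = $key; Name = $name; Target = $target }
            }
        }
    }
    # Shortcuts in the per-user and all-users Startup folders.
    $shell = New-Object -ComObject WScript.Shell
    $startupDirs = @(
        [Environment]::GetFolderPath('Startup'),
        [Environment]::GetFolderPath('CommonStartup')
    )
    foreach ($dir in $startupDirs) {
        Get-ChildItem -LiteralPath $dir -Filter *.lnk -ErrorAction SilentlyContinue | ForEach-Object {
            $t = $shell.CreateShortcut($_.FullName).TargetPath
            if ($t -and -not (Test-Path -LiteralPath $t)) {
                [pscustomobject]@{ Location = $dir; Name = $_.Name; Target = $t }
            }
        }
    }
}

# Review the output, then remove a confirmed orphan with
#   Remove-ItemProperty -Path <Location> -Name <Name>
# (or delete the .lnk for a Startup-folder entry).
Find-OrphanedAutostarts | Format-Table -AutoSize
```

Run it from an elevated PowerShell so the HKLM keys are readable. Two orphans pointing at the same missing DLL, as in post #15, are typical: cleanup tools often leave both the 32-bit and 64-bit Run entries, or a per-user and a machine-wide one, behind.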
#14 ummhasan

  • Topic Starter

Posted 06 November 2013 - 04:39 PM

Okay. That was my line of thinking. I've used autoruns before so I'm familiar with how to use it. I'll do that and get back with you later this evening.

#15 ummhasan

  • Topic Starter

Posted 07 November 2013 - 10:41 AM

Okay, I found two registry entries and deleted them. I also noticed some other files noted as not found; I left them alone for now.

It seems Conduit is gone, but I'm going to rerun MBAM, JRT, and SAS to see if they find anything.

Thanks again for your time.