
Bogus Anti-virus software redirect

13 replies to this topic

#1 The Dudeness

The Dudeness

  • Members
  • 50 posts
  • Gender:Male

Posted 31 January 2014 - 01:43 AM

Hello,

 

I run a Dell Inspiron 530, 32-bit OS, Intel Core 2 Duo CPU

 

About 4 days ago (January 27th) I was playing a computer game called "Wartune" on my computer. I was also searching a wiki about the game and I had the wiki open for a few minutes when all of a sudden, the wiki window changed to a bogus AV software ad. I didn't take a picture, but I do have the link. I ran the link through VirusTotal right away and it said it was safe; I ran the link through again recently and it looks bad. If needed, I can give it, but I don't want anyone clicking it.

 

I remember accidentally clicking an ad in a wiki about 5 days ago for a video game, got led to a "404 page", ran that link through VirusTotal and it had a download attached to it, some kind of ".dll" file.

 

About 3 days ago, the computer wouldn't start up properly, got a 3 minute black screen as well before the computer started working.

 

Yesterday, I updated and ran RogueKiller and it found some weird crap in the drivers section. I decided to come here instead of trying to fix it myself.

 

So far I have run:

RogueKiller

MSE

TDSS

 

Thank you for taking a look at this and hope this can be figured out.




#2 noknojon

noknojon

  • Banned
  • 10,871 posts
  • Gender:Not Telling

Posted 31 January 2014 - 03:58 AM

Hey Dude -

Not sure why or in what order you ran those programs, but let's start at the beginning.

A few tools to look at your system, and then some basic removal tools -

Please download all listed tools to Desktop in the order listed, unless asked.
XP users should double click on tools to run them, while Vista, Win7/8 users Right click on the exe icon and select Run as administrator.
You may wish to print this page, and if you have any questions or problems, please post them.

Please use Copy and Paste for all logs -

 

First -

Download Screen317 Security Check and save it to your Desktop.
* Double-click SecurityCheck.exe
* Follow the onscreen instructions inside of the black box.
* A Notepad document should open automatically called checkup.txt
* Please post the contents of that document.
Note:: If a security program requests permission to access the Internet, allow it to do so.

 

Next -

Please download MiniToolBox to run it.
Checkmark following boxes:
* List content of Hosts
* List last 10 Event Viewer log
* List Installed Programs
* List Devices (do NOT change any settings here)
* List Users, Partitions and Memory size.

Click Go and post the result. (result.txt)

 

Next -

Please download and run RKill by Grinler.

A black DOS box will briefly flash and then disappear.
This is normal and indicates the tool ran successfully.

At most the tool will run for about 2 minutes

RKill logs will open, please post them back here.

 

Important: Do not reboot your computer until you complete the next step.

 

* Please download AdwCleaner by Xplode and save to your Desktop.
* Double-click on AdwCleaner.exe to run the tool.
* Vista/Windows 7/8 users right-click and select Run As Administrator.
* Click on the Scan button (only once)
* AdwCleaner will begin...be patient as the scan may take some time to complete.
* After the scan has finished, click on the Report button...a logfile (AdwCleaner[R0].txt) will open in Notepad for review.

* Check the programs in the list, and either untick those you wish to keep, or post the R0.txt log back here.
* When done => Click on the Clean button (only once)
* Press OK when asked to close all programs and follow the onscreen prompts.
* Press OK again to allow AdwCleaner to restart the computer and complete the removal process.
* After Auto rebooting, a logfile report (AdwCleaner[S0].txt) will open automatically.
* Copy and paste the contents of that logfile in your next reply.
* Copies of all logfiles are saved in the C:\AdwCleaner folder, which was created when running the tool.

 

Next -

Download Malwarebytes' Anti-Malware Free (aka MBAM) to your desktop.
- Do not accept the Free Trial Version at this time -
* Double-click mbam-setup.exe and follow the prompts to install the program.
* At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform quick scan, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click Remove Selected.
* When completed, a log will open in Notepad.
* Post the log back here.

Be sure to restart the computer if requested.
The log can also be found here:
C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt
Or at C:\Program Files\Malwarebytes' Anti-Malware\Logs\log-date.txt

 

Last -

Clear Cache/Temp Files
Download TFC by OldTimer to your desktop
• Please double-click TFC.exe to run it.
• For Vista, Win 7 / 8 right-click on the file and choose Run As Administrator).
• It will close all programs when run, so make sure you have saved all your work before you begin.
• Click the Start button to begin the process.
• Once it's finished it may reboot your machine.
• If it does not, please manually reboot the machine yourself to ensure a complete clean.

 

Thank You -



#3 The Dudeness

The Dudeness
  • Topic Starter

  • Members
  • 50 posts
  • Gender:Male

Posted 31 January 2014 - 04:49 AM

Hello and thank you for the response, Noknojon. Here is the Security Check report.

 

Results of screen317's Security Check version 0.99.79 
 Windows Vista Service Pack 2 x86 (UAC is enabled) 
 Internet Explorer 9 
 Internet Explorer 8 
``````````````Antivirus/Firewall Check:``````````````
 Windows Firewall Enabled! 
Microsoft Security Essentials  
 Antivirus up to date! 
`````````Anti-malware/Other Utilities Check:`````````
 WinPatrol
 Malwarebytes Anti-Malware version 1.75.0.1300 
 Java 7 Update 25 
 Java version out of Date!
 Adobe Reader 10.1.7 Adobe Reader out of Date! 
````````Process Check: objlist.exe by Laurent```````` 
 Microsoft Security Essentials MSMpEng.exe
 Microsoft Security Essentials msseces.exe
 WinPatrol winpatrol.exe
 Malwarebytes Anti-Malware mbamservice.exe 
 Malwarebytes Anti-Malware mbamgui.exe 
 BillP Studios WinPatrol WinPatrol.exe 
`````````````````System Health check`````````````````
 Total Fragmentation on Drive C: 1 %
````````````````````End of Log``````````````````````

 

 

------------------------------------------------------------------------------

Here's the MiniToolBox

 

MiniToolBox by Farbar  Version: 23-01-2014
Ran by Happy Family (ATTENTION: The logged in user is not administrator) on 31-01-2014 at 04:46:01
Running from "C:\Users\Happy Family\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\P291LS6B"
Microsoft® Windows Vista™ Home Premium  Service Pack 2 (X86)
Boot Mode: Normal
***************************************************************************
========================= Hosts content: =================================

127.0.0.1       localhost

========================= Event log errors: ===============================

Application errors:
==================
Error: (01/30/2014 03:03:00 AM) (Source: EventSystem) (User: )
Description: d:\longhorn\com\complus\src\events\tier2\security.cpp78800706e5

Error: (01/29/2014 03:38:54 AM) (Source: Application Hang) (User: )
Description: The program mbam.exe version 1.75.0.1 stopped interacting with Windows and was closed. To see if more information about the problem is available, check the problem history in the Problem Reports and Solutions control panel.
Process ID: 16354
Start Time: 01cf1cc5e449e200
Termination Time: 78

Error: (01/29/2014 03:21:19 AM) (Source: .NET Runtime Optimization Service) (User: )
Description: .NET Runtime Optimization Service (clr_optimization_v4.0.30319_32) - 1>Failed to compile: mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089 . Error code = 0x80070005

Error: (01/29/2014 02:15:18 AM) (Source: Windows Search Service) (User: )
Description: The entry <C:\USERS\ADMINISTRATOR\APPDATA\LOCAL\MICROSOFT\WINDOWS\TEMPORARY INTERNET FILES\CONTENT.IE5\QUA6G70I\LIKE[1].HTM> in the hash map cannot be updated.

Context:  Application, SystemIndex Catalog

Details:
 A device attached to the system is not functioning.   (0x8007001f)

Error: (01/28/2014 11:53:17 AM) (Source: EventSystem) (User: )
Description: d:\longhorn\com\complus\src\events\tier1\eventsystemobj.cpp458007043c

Error: (01/28/2014 11:49:30 AM) (Source: EventSystem) (User: )
Description: d:\longhorn\com\complus\src\events\tier1\eventsystemobj.cpp458007043c

Error: (01/28/2014 11:43:36 AM) (Source: EventSystem) (User: )
Description: d:\longhorn\com\complus\src\events\tier1\eventsystemobj.cpp458007043c

Error: (01/26/2014 07:46:01 PM) (Source: Application Hang) (User: )
Description: The program iexplore.exe version 9.0.8112.16526 stopped interacting with Windows and was closed. To see if more information about the problem is available, check the problem history in the Problem Reports and Solutions control panel.
Process ID: 2eec8
Start Time: 01cf1af5c012c8a7
Termination Time: 14

Error: (01/26/2014 03:11:53 AM) (Source: Application Error) (User: )
Description: Faulting application iexplore.exe, version 9.0.8112.16526, time stamp 0x52855173, faulting module Flash32_11_9_900_170.ocx, version 11.9.900.170, time stamp 0x529b7962, exception code 0xc0000005, fault offset 0x001377cb,
process id 0x1da4c, application start time 0xiexplore.exe0.

Error: (01/20/2014 10:08:35 PM) (Source: Application Error) (User: )
Description: Faulting application iexplore.exe, version 9.0.8112.16526, time stamp 0x52855173, faulting module Flash32_11_9_900_170.ocx, version 11.9.900.170, time stamp 0x529b7962, exception code 0xc0000005, fault offset 0x0016aa38,
process id 0x13cac, application start time 0xiexplore.exe0.

System errors:
=============
Error: (01/31/2014 04:33:12 AM) (Source: Print) (User: Family-PC)
Description: The document http://www.bleepingcomputer.com/forums/t/522696/bogus-anti-viru, owned by Happy Family, failed to print on printer Dell Photo AIO Printer 926 (Copy 1). Try to print the document again, or restart the print spooler.
Data type: LEMF. Size of the spool file in bytes: 3250407. Number of bytes printed: 0. Total number of pages in the document: 3. Number of pages printed: 2. Client computer: \\FAMILY-PC. Win32 error code returned by the print processor: http://www.bleepingcomputer.com/forums/t/522696/bogus-anti-viru0. http://www.bleepingcomputer.com/forums/t/522696/bogus-anti-viru1

Error: (01/28/2014 11:54:18 AM) (Source: Service Control Manager) (User: )
Description: Network List ServiceNetwork Location Awareness%%1068

Error: (01/28/2014 11:54:10 AM) (Source: DCOM) (User: )
Description: 1084WSearch{7D096C5F-AC08-4F1F-BEB7-5C22C517CE39}

Error: (01/28/2014 11:54:09 AM) (Source: DCOM) (User: )
Description: 1084WSearch{9E175B6D-F52A-11D8-B9A5-505054503030}

Error: (01/28/2014 11:54:07 AM) (Source: Service Control Manager) (User: )
Description: Network List ServiceNetwork Location Awareness%%1068

Error: (01/28/2014 11:53:45 AM) (Source: Service Control Manager) (User: )
Description: Network List ServiceNetwork Location Awareness%%1068

Error: (01/28/2014 11:53:45 AM) (Source: Service Control Manager) (User: )
Description: Network List ServiceNetwork Location Awareness%%1068

Error: (01/28/2014 11:53:45 AM) (Source: Service Control Manager) (User: )
Description: AFD
DfsC
MpFilter
NetBIOS
netbt
nsiproxy
PSched
RasAcd
rdbss
Smb
spldr
tdx
Wanarpv6
ws2ifsl

Error: (01/28/2014 11:53:45 AM) (Source: Service Control Manager) (User: )
Description: Network List ServiceNetwork Location Awareness%%1068

Error: (01/28/2014 11:53:45 AM) (Source: Service Control Manager) (User: )
Description: Network Location AwarenessNetwork Store Interface Service%%1068

Microsoft Office Sessions:
=========================
Error: (08/13/2010 02:18:12 AM) (Source: Microsoft Office 12 Sessions)(User: )
Description: ID: 0, Application Name: Microsoft Office Word, Application Version: 12.0.6535.5000, Microsoft Office Version: 12.0.6425.1000. This session lasted 29384 seconds with 300 seconds of active time.  This session ended with a crash.

Error: (04/09/2010 01:36:14 PM) (Source: Microsoft Office 12 Sessions)(User: )
Description: ID: 0, Application Name: Microsoft Office Word, Application Version: 12.0.6514.5000, Microsoft Office Version: 12.0.6425.1000. This session lasted 14502 seconds with 120 seconds of active time.  This session ended with a crash.

Error: (12/16/2009 01:11:03 AM) (Source: Microsoft Office 12 Sessions)(User: )
Description: ID: 0, Application Name: Microsoft Office Word, Application Version: 12.0.6514.5000, Microsoft Office Version: 12.0.6425.1000. This session lasted 10652 seconds with 0 seconds of active time.  This session ended with a crash.

Error: (05/21/2009 11:47:02 PM) (Source: Microsoft Office 12 Sessions)(User: )
Description: ID: 0, Application Name: Microsoft Office Word, Application Version: 12.0.6331.5000, Microsoft Office Version: 12.0.6215.1000. This session lasted 37504 seconds with 180 seconds of active time.  This session ended with a crash.

Error: (02/06/2008 02:51:48 AM) (Source: Microsoft Office 12 Sessions)(User: )
Description: ID: 0, Application Name: Microsoft Office Word, Application Version: 12.0.4518.1014, Microsoft Office Version: 12.0.4518.1014. This session lasted 3302 seconds with 0 seconds of active time.  This session ended with a crash.

CodeIntegrity Errors:
===================================
  Date: 2013-11-18 22:24:37.952
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume3\Program Files\Microsoft Security Client\Drivers\Backup\NisDrv\NisDrvWFP.sys because the set of per-page image hashes could not be found on the system.

  Date: 2013-11-18 22:24:37.655
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume3\Program Files\Microsoft Security Client\Drivers\Backup\NisDrv\NisDrvWFP.sys because the set of per-page image hashes could not be found on the system.

  Date: 2013-11-18 22:24:37.297
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume3\Program Files\Microsoft Security Client\Drivers\Backup\NisDrv\NisDrvWFP.sys because the set of per-page image hashes could not be found on the system.

  Date: 2013-11-18 22:24:37.000
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume3\Program Files\Microsoft Security Client\Drivers\Backup\NisDrv\NisDrvWFP.sys because the set of per-page image hashes could not be found on the system.

  Date: 2013-11-18 22:24:23.865
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume3\Program Files\Microsoft Security Client\Drivers\Backup\NisDrv\NisDrvWFP.sys because the set of per-page image hashes could not be found on the system.

  Date: 2013-11-18 22:24:23.584
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume3\Program Files\Microsoft Security Client\Drivers\Backup\NisDrv\NisDrvWFP.sys because the set of per-page image hashes could not be found on the system.

  Date: 2013-11-18 22:24:23.272
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume3\Program Files\Microsoft Security Client\Drivers\Backup\NisDrv\NisDrvWFP.sys because the set of per-page image hashes could not be found on the system.

  Date: 2013-11-18 22:24:22.960
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume3\Program Files\Microsoft Security Client\Drivers\Backup\NisDrv\NisDrvWFP.sys because the set of per-page image hashes could not be found on the system.

  Date: 2013-11-18 22:24:22.570
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume3\Program Files\Microsoft Security Client\Drivers\Backup\NisDrv\NisDrvWFP.sys because the set of per-page image hashes could not be found on the system.

  Date: 2013-11-18 22:24:22.274
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume3\Program Files\Microsoft Security Client\Drivers\Backup\NisDrv\NisDrvWFP.sys because the set of per-page image hashes could not be found on the system.

=========================== Installed Programs ============================

 Update for Microsoft Office 2007 (KB2508958)
926plv32 (Version: 1.0.0)
ABBYY FineReader 6.0 Sprint (Version: 6.00.1784.41616)
Adobe Flash Player 11 ActiveX (Version: 11.9.900.170)
Adobe Reader X (10.1.7) (Version: 10.1.7)
AIM 6
AOL Install (Version: 1.0.0)
AOL Uninstaller (Choose which Products to Remove)
ArcSoft PhotoImpression 6
CVE-2013-3893
Dell Automated PC TuneUp (Version: 1.0.3085)
Dell DataSafe Online (Version: 1.0.21)
Dell Getting Started Guide (Version: 1.00.0000)
Dell PC Fax
Dell Photo AIO Printer 926
Dell Support Center (Support Software) (Version: 2.2.08267)
Digital Line Detect (Version: 1.21)
DriveImage XML (Private Edition) (Version: 2.44.000)
GameTap (Version: Refer to GameTap:Help:About)
Intel® Graphics Media Accelerator Driver
Intel® PRO Network Connections 12.1.11.0 (Version: )
Internet Service Offers Launcher (Version: 1.00.0000)
Java 7 Update 25 (Version: 7.0.250)
Java Auto Updater (Version: 2.1.9.5)
Lexmark 2200 Series
Malwarebytes Anti-Malware version 1.75.0.1300 (Version: 1.75.0.1300)
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 3.5 SP1 (Version: 3.5.30729)
Microsoft .NET Framework 4.5.1 (Version: 4.5.50938)
Microsoft Office 2007 Service Pack 3 (SP3)
Microsoft Office Excel MUI (English) 2007 (Version: 12.0.6612.1000)
Microsoft Office Home and Student 2007 (Version: 12.0.6612.1000)
Microsoft Office OneNote MUI (English) 2007 (Version: 12.0.6612.1000)
Microsoft Office PowerPoint MUI (English) 2007 (Version: 12.0.6612.1000)
Microsoft Office Proof (English) 2007 (Version: 12.0.6612.1000)
Microsoft Office Proof (French) 2007 (Version: 12.0.6612.1000)
Microsoft Office Proof (Spanish) 2007 (Version: 12.0.6612.1000)
Microsoft Office Proofing (English) 2007 (Version: 12.0.4518.1014)
Microsoft Office Proofing Tools 2007 Service Pack 3 (SP3)
Microsoft Office Shared MUI (English) 2007 (Version: 12.0.6612.1000)
Microsoft Office Shared Setup Metadata MUI (English) 2007 (Version: 12.0.6612.1000)
Microsoft Office Word MUI (English) 2007 (Version: 12.0.6612.1000)
Microsoft Security Client (Version: 4.4.0304.0)
Microsoft Security Essentials (Version: 4.4.304.0)
Modem Diagnostic Tool (Version: 1.0.17.8)
MSXML 4.0 SP2 (KB936181) (Version: 4.20.9848.0)
MSXML 4.0 SP2 (KB941833) (Version: 4.20.9849.0)
MSXML 4.0 SP2 (KB954430) (Version: 4.20.9870.0)
MSXML 4.0 SP2 (KB973688) (Version: 4.20.9876.0)
Music, Photos & Videos Launcher (Version: 1.00.0000)
NetWaiting (Version: 2.5.44)
Product Documentation Launcher (Version: 1.00.0000)
QualxServ Service Agreement (Version: 1.11.0000)
Realtek High Definition Audio Driver
ResumeMaker Professional (Version: 14)
Rhapsody Player Engine (Version: 1.0.690)
Roxio Creator Audio (Version: 3.3.0)
Roxio Creator BDAV Plugin (Version: 3.3.0)
Roxio Creator Copy (Version: 3.3.0)
Roxio Creator Data (Version: 3.3.0)
Roxio Creator DE (Version: 3.3.0)
Roxio Creator Tools (Version: 3.3.0)
Roxio Express Labeler (Version: 2.1.0)
Roxio MyDVD DE (Version: 9.0.116)
Roxio Update Manager (Version: 3.0.0)
RTC Client API v1.2 (Version: 1.2.0000)
Sonic Activation Module (Version: 1.0)
Update for 2007 Microsoft Office System (KB967642)
Update for Microsoft .NET Framework 3.5 SP1 (KB963707) (Version: 1)
Update for Microsoft Office 2007 Help for Common Features (KB963673)
Update for Microsoft Office 2007 suites (KB2596620) 32-Bit Edition
Update for Microsoft Office 2007 suites (KB2687493) 32-Bit Edition
Update for Microsoft Office 2007 suites (KB2767849) 32-Bit Edition
Update for Microsoft Office 2007 suites (KB2767916) 32-Bit Edition
Update for Microsoft Office Excel 2007 Help (KB963678)
Update for Microsoft Office OneNote 2007 Help (KB963670)
Update for Microsoft Office Powerpoint 2007 Help (KB963669)
Update for Microsoft Office Script Editor Help (KB963671)
Update for Microsoft Office Word 2007 Help (KB963665)
User's Guides
Windows Live Messenger (Version: 8.1.0178.00)
Windows Live Sign-in Assistant (Version: 4.100.313.1)
Windows Mobile Device Center (Version: 6.1.6965.0)
Windows Mobile Device Center Driver Update (Version: 6.1.6965.0)
WinPatrol (Version: 28.5.2013.0)

========================= Devices: ================================

Name: 6TO4 Adapter
Description: Microsoft 6to4 Adapter
Class Guid: {4d36e972-e325-11ce-bfc1-08002be10318}
Manufacturer: Microsoft
Service: tunnel
Problem: : This device is not working properly because Windows cannot load the drivers required for this device. (Code 31)
Resolution: Update the driver

Name: Microsoft ISATAP Adapter #4
Description: Microsoft ISATAP Adapter
Class Guid: {4d36e972-e325-11ce-bfc1-08002be10318}
Manufacturer: Microsoft
Service: tunnel
Problem: : This device is not working properly because Windows cannot load the drivers required for this device. (Code 31)
Resolution: Update the driver

Name: Microsoft ISATAP Adapter #8
Description: Microsoft ISATAP Adapter
Class Guid: {4d36e972-e325-11ce-bfc1-08002be10318}
Manufacturer: Microsoft
Service: tunnel
Problem: : This device is not working properly because Windows cannot load the drivers required for this device. (Code 31)
Resolution: Update the driver

Name: Microsoft ISATAP Adapter #10
Description: Microsoft ISATAP Adapter
Class Guid: {4d36e972-e325-11ce-bfc1-08002be10318}
Manufacturer: Microsoft
Service: tunnel
Problem: : This device is not working properly because Windows cannot load the drivers required for this device. (Code 31)
Resolution: Update the driver

========================= Memory info: ===================================

Percentage of memory in use: 75%
Total physical RAM: 2036.45 MB
Available physical RAM: 496.92 MB
Total Pagefile: 4312.18 MB
Available Pagefile: 2334.47 MB
Total Virtual: 2047.88 MB
Available Virtual: 1942.1 MB

========================= Partitions: =====================================

1 Drive c: (OS) (Fixed) (Total:288.04 GB) (Free:210.5 GB) NTFS
2 Drive d: (RECOVERY) (Fixed) (Total:10 GB) (Free:3.88 GB) NTFS

========================= Users: ========================================

User accounts for \\FAMILY-PC

Administrator            Chris                    Guest                   
Happy Family            

**** End of log ****

---------------------------------------------------------------------------------------------------------------

 

 

Here is the RKill log

 

 

Rkill 2.6.5 by Lawrence Abrams (Grinler)
http://www.bleepingcomputer.com/
Copyright 2008-2014 BleepingComputer.com
More Information about Rkill can be found at this link:
 http://www.bleepingcomputer.com/forums/topic308364.html

Program started at: 01/31/2014 04:50:18 AM in x86 mode.
Windows Version: Windows Vista ™ Home Premium Service Pack 2

Checking for Windows services to stop:

 * No malware services found to stop.

Checking for processes to terminate:

 * No malware processes found to kill.

Checking Registry for malware related settings:

 * No issues found in the Registry.

Resetting .EXE, .COM, & .BAT associations in the Windows Registry.

Performing miscellaneous checks:

 * No issues found.

Checking Windows Service Integrity:

 * No issues found.

Searching for Missing Digital Signatures:

 * No issues found.

Checking HOSTS File:

 * HOSTS file entries found:

  127.0.0.1       localhost

Program finished at: 01/31/2014 04:51:03 AM
Execution time: 0 hours(s), 0 minute(s), and 45 seconds(s)


Edited by The Dudeness, 31 January 2014 - 04:54 AM.


#4 The Dudeness

The Dudeness
  • Topic Starter

  • Members
  • 50 posts
  • Gender:Male

Posted 31 January 2014 - 05:01 AM

Here is the AdwCleaner log

 

# AdwCleaner v3.018 - Report created 31/01/2014 at 04:57:20
# Updated 28/01/2014 by Xplode
# Operating System : Windows Vista ™ Home Premium Service Pack 2 (32 bits)
# Username : Administrator - FAMILY-PC
# Running from : C:\Users\Happy Family\Desktop\AdwCleaner.exe
# Option : Clean

***** [ Services ] *****

***** [ Files / Folders ] *****

***** [ Shortcuts ] *****

***** [ Registry ] *****

***** [ Browsers ] *****

-\\ Internet Explorer v9.0.8112.16526

*************************

AdwCleaner[R0].txt - [1041 octets] - [30/12/2013 11:42:31]
AdwCleaner[R1].txt - [778 octets] - [02/01/2014 16:45:51]
AdwCleaner[R2].txt - [896 octets] - [06/01/2014 14:13:31]
AdwCleaner[R3].txt - [1014 octets] - [17/01/2014 22:22:56]
AdwCleaner[R4].txt - [1135 octets] - [25/01/2014 03:22:49]
AdwCleaner[R5].txt - [1255 octets] - [28/01/2014 11:57:27]
AdwCleaner[R6].txt - [1375 octets] - [31/01/2014 04:56:39]
AdwCleaner[S0].txt - [1109 octets] - [30/12/2013 11:43:11]
AdwCleaner[S1].txt - [838 octets] - [02/01/2014 16:46:39]
AdwCleaner[S2].txt - [956 octets] - [06/01/2014 14:15:07]
AdwCleaner[S3].txt - [1075 octets] - [17/01/2014 22:23:58]
AdwCleaner[S4].txt - [1197 octets] - [25/01/2014 03:23:33]
AdwCleaner[S5].txt - [1317 octets] - [28/01/2014 11:58:18]
AdwCleaner[S6].txt - [1299 octets] - [31/01/2014 04:57:20]

########## EOF - \AdwCleaner\AdwCleaner[S6].txt - [1359 octets] ##########

 

-----------------------------------------------------------------------------------------------------------------

Here is the Malwarebytes log

 

 

Malwarebytes Anti-Malware 1.75.0.1300
www.malwarebytes.org

Database version: v2014.01.31.04

Windows Vista Service Pack 2 x86 NTFS
Internet Explorer 9.0.8112.16421
Administrator :: FAMILY-PC [administrator]

1/31/2014 5:04:15 AM
mbam-log-2014-01-31 (05-04-15).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 304466
Time elapsed: 12 minute(s), 17 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)


Edited by The Dudeness, 31 January 2014 - 05:23 AM.


#5 noknojon

noknojon

  • Banned
  • 10,871 posts
  • Gender:Not Telling

Posted 31 January 2014 - 06:02 AM

Do you know the name of the redirection site / problem?

(Example: DealPly / ScorpionSaver / or a Windows type name)

 

Java 7 Update 25  Java version out of Date!
If you are going to install Java, please check for updates; Java 7 Update 51 is current.

Please remove all outdated versions from Programs and Features.

 

AdwCleaner has been well used over the last few days.
Please open it and hit the Uninstall Button to remove the program and any infections in quarantine.
You can install a fresh version when / if required later.

 

Thanks -



#6 The Dudeness

The Dudeness
  • Topic Starter

  • Members
  • 50 posts
  • Gender:Male

Posted 31 January 2014 - 09:27 AM

Hello,

 

The name of the redirection site is "zp-microdefender.nl". Hope that helps. I've been hit by redirects like this a few times in the past, only when I'm on one of those wikis for games or some show. Maybe it's just coincidence.

 

Thanks



#7 noknojon

noknojon

  • Banned
  • 10,871 posts
  • Gender:Not Telling

Posted 31 January 2014 - 03:40 PM

Odd, as "zp-microdefender.nl" draws a total blank in all searches.
But "np-microdefender.nl" draws one hit as a French site that Norton calls OK.

 

Personally, I would start dropping a few programs from Programs and Features that get little use, as you are using just a bit much for this computer.

Go - Start > Programs > Accessories > System Tools > Disk Cleanup and see if you can remove more junk from there.

 

You may have removed the problem, but let's have another look -

 

 

I would like you to use the ESET OnlineScanner -
This is best done with Internet Explorer, as it uses ActiveX with the scan.
However, alternate directions are left for those that will not use Internet Explorer.

Please read and follow How To Temporarily Disable Your Anti-virus during the scan.
1. Hold down the Control (Ctrl) key and click on This Link to open ESET OnlineScan in a new window.
2. Click the ESET Online Scanner button.

3. For alternate browsers only (Microsoft Internet Explorer users can skip these steps):
3.1. Click on This Link to download the External ESET Smart Installer.
3.2. Save it to your desktop.

4. Check "YES, I accept the Terms of Use."
5. Click the Start button.
6. Accept any security warnings from your browser.
7. Under scan settings, check "Scan Archives" and "Remove found threats".
8. Click Advanced settings and select the following:
* Scan potentially unwanted applications
* Scan for potentially unsafe applications
* Enable Anti-Stealth technology

9. ESET will then download updates for itself, install itself, and begin scanning your computer.

Please be patient as this will take some time. Over 2 hours is not unusual for a first scan.
10. When the scan completes, click List Threats.
11. Click Export, and save the file to your desktop using a unique name, such as ESETScan.
- Include the contents of this report in your next reply.
12. Click the Back button.
13. Click the Finish button.
* NOTE: Sometimes if ESET finds no infections it will not create a log.

 

Thanks -



#8 The Dudeness

The Dudeness
  • Topic Starter

  • Members
  • 50 posts
  • Gender:Male

Posted 31 January 2014 - 06:21 PM

Thanks as usual for helping. This is the best forum I've ever seen in terms of helpful people.

 

I'll be running ESET in a few minutes. That "zp-microdefender.nl" seems to have vanished. I ran the link through VirusTotal and found some stuff about it. It exists for sure.

 

Are you allowed to open a safe "virustotal" analysis link? I think they use it here as well to scan stuff, if I'm not mistaken.

 

https://www.virustotal.com/en/url/bddcdfe152ad50cd5028f3ca022aabc79448608462b643d5f51304992dc13490/analysis/



#9 noknojon

noknojon

  • Banned
  • 10,871 posts
  • Gender:Not Telling

Posted 31 January 2014 - 07:31 PM

Oh well -

The link to VirusTotal is always good, as we do use it quite often.

I was just surprised by the variety of results that it returned...

 

Often you will just get a single hit, and that means it may be a false positive, but with almost half showing bad site, and half showing OK, it may show up in the ESET scan, since they detect it (from the results).



#10 The Dudeness


Posted 31 January 2014 - 11:14 PM

Good Evening/Morning

I ran Eset with no luck. It didn't have a log to post either.

It's amazing how much crud is out there. I remember the last 2 times getting redirects like it, it was always on a wiki page for a game/show.

Could it be a DNS redirect? It's quite odd that the ad popped up out of nowhere.

Hopefully it just goes away. I only play computer games and pay my online stuff and try to keep it that way.


Thank you



#11 noknojon


Posted 01 February 2014 - 12:17 AM

Well there is a chance that MiniToolBox may alter it.
Checkmark the following boxes:
* Flush DNS
* Report IE Proxy Settings
* Reset IE Proxy Settings
* Report FF Proxy Settings
* Reset FF Proxy Settings
Note: When using "Reset FF Proxy Settings" option Firefox should be closed.
Click Go and Copy / Paste the result. (result.txt)


You could also run Disk Check to see if it was altered

Run a Disk Check on your C: drive in Windows XP:
• Click Start and open My Computer
• Right-click on C: (or your hard drive letter) and select Properties
• Click on the Tools tab
• Under Error-checking click the Check Now... button
• Mark the 2 boxes next to Automatically fix file system errors and Scan for and attempt recovery of bad sectors
• Click on the Start button
• When the message box pops up, click the Schedule disk check button and Restart your computer
• Once your computer restarts it will check the drive; don't press any keys so that it is allowed to do so
This will take (on average) 1 to 2 hours depending on your system, so please let it finish.
DO NOT force a reboot once started, as you will lose data and may damage the computer.
NOTE - If this is a Laptop please plug it into a reliable power source, as batteries may fail.
The computer will reboot to normal mode once it has completed all 5 stages -


And then follow it with sfc /scannow

Run System File Check from an Elevated Command Prompt
1. Open an Elevated Command Prompt as per directions
2. Type sfc /scannow and press Enter (note the space between c and /; it must be there)
3. This should not take longer than 20 minutes to finish
4. NOTE: Do not touch the keyboard while this is running.

NOTE - If this is a Laptop please plug it into a reliable power source, as batteries may fail.

Do not reboot till this is complete, or it "Fully stalls" and will not continue.


See what your results are after these, and we may need to upgrade you to the Experts area.

But only if you are still having problems of some kind -
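The proxy and DNS settings that MiniToolBox reports above can also be read directly, which makes it easier to see what a redirect has actually changed before resetting anything. The script below is an added example written for this thread, not MiniToolBox or anything posted here; it is read-only, and assumes Windows Vista or later with PowerShell 2+ and a Firefox profile under the usual %APPDATA% location.

```powershell
# Added example, not part of the thread: a read-only report of the places a
# browser redirect commonly hooks in. It changes nothing; compare its output
# against MiniToolBox's "Proxy is not enabled" / "No Proxy Server is set".
# Assumes Windows Vista or later with PowerShell 2+ (no newer DNS cmdlets needed).

# 1. Internet Explorer / WinINet proxy (also used by many other Windows programs)
$ie = Get-ItemProperty 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
"IE ProxyEnable   : $($ie.ProxyEnable)"       # 1 = proxy in use, 0 = direct connection
"IE ProxyServer   : $($ie.ProxyServer)"       # normally empty on a home PC
"IE AutoConfigURL : $($ie.AutoConfigURL)"     # a PAC script URL here can reroute every request

# 2. DNS servers per active adapter, via WMI so it also runs on Vista
Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' |
    ForEach-Object { "DNS ($($_.Description)): $($_.DNSServerSearchOrder -join ', ')" }

# 3. hosts file: any non-comment line overrides DNS locally and should be explainable
$hostsFile = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
Get-Content $hostsFile | Where-Object { $_ -match '\S' -and $_ -notmatch '^\s*#' } |
    ForEach-Object { "hosts override  : $_" }

# 4. Firefox proxy prefs; network.proxy.type 0 = none, 1 = manual, 2 = PAC, 4 = WPAD, 5 = system
$profiles = Join-Path $env:APPDATA 'Mozilla\Firefox\Profiles'
if (Test-Path $profiles) {
    Get-ChildItem $profiles | Where-Object { $_.PSIsContainer } | ForEach-Object {
        $prefs = Join-Path $_.FullName 'prefs.js'
        if (Test-Path $prefs) {
            Select-String -Path $prefs -Pattern 'network\.proxy\.(type|http|autoconfig_url)' |
                ForEach-Object { "FF ($($_.Path)): $($_.Line.Trim())" }
        }
    }
}
```

On a clean home PC the IE lines show ProxyEnable 0 with empty ProxyServer and AutoConfigURL, the hosts file prints nothing, and the Firefox section prints nothing or only network.proxy.type 5.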



#12 The Dudeness


Posted 01 February 2014 - 02:29 AM

MiniToolBox by Farbar  Version: 23-01-2014
Ran by Administrator (administrator) on 01-02-2014 at 02:28:13
Running from "C:\Users\Happy Family\Desktop"
Microsoft® Windows Vista™ Home Premium  Service Pack 2 (X86)
Boot Mode: Normal
***************************************************************************

========================= Flush DNS: ===================================

Windows IP Configuration

Successfully flushed the DNS Resolver Cache.

========================= IE Proxy Settings: ==============================

Proxy is not enabled.
No Proxy Server is set.

"Reset IE Proxy Settings": IE Proxy Settings were reset.

**** End of log ****

I also ran a Disc Check and it didn't find anything odd; it only took 1 hour and 30 minutes to complete. Ran the sfc /scannow and it found no integrity violations. Seems like everything is alright. :)


The only thing that worries me still was when I ran Roguekiller before I started getting help here. Found some things in the Driver Section called "fwsetmemleak" "fwsetmemtrace" and one other odd one.  Those must be traces of an old infection?  Would have to pull up a report to find the exact names.


Other than that, things seem to be working alright, I'll post if anything happens or acts up again.


Thank you kindly for your help.


-Dude


Edited by The Dudeness, 01 February 2014 - 04:48 AM.


#13 noknojon


Posted 01 February 2014 - 05:10 AM

No Problems -

Stay as is for a day or so, and we can upgrade it to Malware Removal Logs area if you have troubles.


I will keep it on watch for a week, so post back if there are any specific troubles at all -


Regards -


I will Google those problems you listed just for information -



#14 The Dudeness


Posted 13 February 2014 - 11:12 PM

Hello,

I know it's been a week and 5 days, but I had something weird happen last night (within the last 24 hours).

So, I'm online playing a computer game and all of a sudden my internet stops working, says it's "trying to ping the primary server". My computer keeps on sending bytes but nothing was being received for the 4 hours I was on trying to get it to work. It was quite odd. I checked the event viewer and I saw a bunch of stuff saying "computer was denied by the DHCP server". It went on for the rest of the night, and didn't start working till I woke up 8-9 hours later. I was going to ignore it, but thought it might be important to post.


I tried letting "windows diagnostic" fix it, but it had no success. It ended up fixing itself though.


Sorry if this post is a little late.


-Dude


Edited by The Dudeness, 13 February 2014 - 11:13 PM.


